Pages

Saturday, November 7, 2015

Enforce Password Complexity in Linux Server

You can use PAM to enforce password complexity on Linux systems. On Debian / Ubuntu the rules live in the following file:
/etc/pam.d/common-password


First install the package (on releases where libpam-cracklib is no longer shipped, install libpam-pwquality instead; pam_pwquality.so accepts the same options used below).
apt-get install libpam-cracklib


Edit "/etc/pam.d/common-password" as per your requirement. Two things are easy to get wrong here: the option is spelled minlen (not minlength), and the credit values have a sign convention. A positive N is a maximum *credit* of N characters towards minlen for that class, so lcredit=1 does not require a lowercase letter at all; a negative -N is a hard *minimum* of N characters of that class. To require at least one lowercase, one uppercase and one symbol, use -1:

password requisite pam_cracklib.so try_first_pass retry=3 minlen=6 lcredit=-1 ucredit=-1 dcredit=0 ocredit=-1 difok=4

** try_first_pass [use the password already collected by an earlier module in the stack instead of prompting again]
** retry=3 [number of attempts the user gets before passwd gives up]
** minlen=6 [minimum password length is 6, counting credits; 6 is also the lowest value the module accepts]
** lcredit=-1 [at least 1 lowercase character is required]
** ucredit=-1 [at least 1 uppercase character is required]
** dcredit=0 [digits are allowed, but earn no credit and are not required]
** ocredit=-1 [at least 1 other character / symbol is required]
** difok=4 [at least 4 characters of the new password must differ from the old one. Refusing reuse of previous passwords is a different option, remember=N on the pam_unix.so line, not difok]


Now modify the options as you need. You can omit options like below; the module then uses its defaults (difok=5 and a credit of 1 for each class whose option is not given):
password requisite pam_cracklib.so try_first_pass retry=3 minlen=6 ucredit=-1 dcredit=-1


Save the file and you are done. The rules only apply when a password is set through PAM (passwd, chpasswd), and root setting another user's password only gets a warning from the module; add enforce_for_root to the line if the rules must bind root as well. Test as a normal user with passwd before relying on it.
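To make the credit arithmetic concrete, here is an added example (not part of the original post) that models in Python how pam_cracklib.so applies minlen and the four *credit options, following the simple() check in pam_cracklib.c. It shows why the line as originally posted (lcredit=1 ucredit=1 ocredit=1) accepts an all-lowercase password while the corrected line with -1 values rejects it. difok_ok() is only an approximation of the module's similarity check, and cracklib's own dictionary checks (which also reject anything under 6 characters, dictionary words and palindromes) run before this logic and are not modelled.

```python
"""Added example, not code from the original post: a Python model of the
minlen / credit arithmetic in pam_cracklib.so (simple() in pam_cracklib.c).
difok_ok() approximates the module's similarity check; cracklib's
dictionary checks, which run first, are not modelled."""


def class_counts(password: str) -> dict:
    """Count digits (d), uppercase (u), lowercase (l) and other (o) characters."""
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in password:
        if ch.isdigit():
            counts["d"] += 1
        elif ch.isupper():
            counts["u"] += 1
        elif ch.islower():
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts


def cracklib_ok(password: str, minlen: int = 9, dcredit: int = 1,
                ucredit: int = 1, lcredit: int = 1, ocredit: int = 1) -> bool:
    """Return True if the minlen/credit check would accept the password.

    Positive credit N: up to N characters of that class each count one
    extra towards minlen, so the password may be shorter than minlen.
    Negative credit -N: the class is mandatory; fewer than N such
    characters fails outright and the class earns no credit.
    """
    counts = class_counts(password)
    required = minlen
    for cls, credit in (("d", dcredit), ("u", ucredit),
                        ("l", lcredit), ("o", ocredit)):
        if credit >= 0:
            required -= min(counts[cls], credit)
        elif counts[cls] < -credit:
            return False
    return len(password) >= required


def difok_ok(old: str, new: str, difok: int = 5) -> bool:
    """Approximation of difok: at least `difok` characters of the new
    password must not occur anywhere in the old one."""
    return sum(1 for ch in new if ch not in old) >= difok


# The post's original line: minlen=6 lcredit=1 ucredit=1 dcredit=0 ocredit=1
AS_POSTED = dict(minlen=6, lcredit=1, ucredit=1, dcredit=0, ocredit=1)
# The corrected line: negative credits make the classes mandatory
CORRECTED = dict(minlen=6, lcredit=-1, ucredit=-1, dcredit=0, ocredit=-1)

if __name__ == "__main__":
    # constructed sample passwords, not real credentials
    for pw in ("abcdef", "ABCDEF", "Abcde!", "Abc123!"):
        print(pw, "as posted:", cracklib_ok(pw, **AS_POSTED),
              "corrected:", cracklib_ok(pw, **CORRECTED))
```

With the line as posted, "abcdef" and "ABCDEF" both pass (six characters, one credit, nothing mandatory); with the corrected line they fail because the missing class is now a hard minimum, while "Abcde!" passes both.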

Monday, September 21, 2015

htaccess apache2 authentication for specific directory

@@ Apache version 2.4 and above. @@

Create a .htaccess file in the directory you want to protect (the example below protects /var/www/html/webmail) and add the following lines. AuthGroupFile is only needed for "Require group" rules; with "Require user" it can be left out. Note that the .htpasswd in this example sits under the document root; that is only safe because Debian's apache2.conf denies access to every file whose name starts with .ht, and a path outside /var/www (for example under /etc/apache2/) removes the dependency on that rule.

********************************
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/html/webmail/.htpasswd
AuthGroupFile /dev/null
Require user webmail

*******************************


Create the password file and its first user in one step. -c creates the file (leave it out when adding more users, or it overwrites the existing entries); -B selects bcrypt, which the 2.4 htpasswd supports and which is far slower to brute-force than the MD5 format that -m produces:
htpasswd -c -B /var/www/html/webmail/.htpasswd webmail

Then make sure only Apache can read it (chown root:www-data and chmod 640 on the file).


Now make sure the modules the directives need are enabled. auth_basic, authn_file and authz_user are on by default on Debian; authz_groupfile is only needed if you use AuthGroupFile with "Require group":
a2enmod auth_basic authn_file authz_user authz_groupfile

Restart apache2 service



Edit /etc/apache2/apache2.conf. Make sure this line is present and not commented out (it is uncommented in the Debian default):
AccessFileName .htaccess

Change below lines from
**********************************
<Directory /var/www>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

*********************************

to
*********************************
<Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride AuthConfig
        Require all granted
</Directory>

*********************************

AllowOverride AuthConfig is all the directives above need. AllowOverride All also works, but it lets anyone who can write into the document root change options, handlers and rewrite rules from a .htaccess file as well. Consider dropping Indexes too: a directory listing exposes file names whenever no index file is present.


Run apachectl configtest, restart the apache2 service and check now. The browser prompts for a username and password, and curl -I http://your-host/webmail/ returns 401 Unauthorized. Basic auth sends the password base64-encoded, not encrypted, on every request, so put the site behind HTTPS.
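The same protection can be done in the server configuration instead of a .htaccess file, which keeps AllowOverride at None and moves the password file out of the document root. The block below is an added example, not part of the original post; the path /etc/apache2/webmail.htpasswd and placing it in 000-default.conf are assumptions.

```apache
# Added example (not from the original post): Basic auth for /webmail done in
# /etc/apache2/sites-available/000-default.conf instead of .htaccess.
# Assumed: password file at /etc/apache2/webmail.htpasswd, created with
#   htpasswd -c -B /etc/apache2/webmail.htpasswd webmail
#   chown root:www-data /etc/apache2/webmail.htpasswd; chmod 640 /etc/apache2/webmail.htpasswd

# Document root: no .htaccess processing at all, so a writable web root
# cannot be used to change server behaviour.
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# The protected subdirectory. AuthUserFile points outside the document root,
# so the hash file is never reachable over HTTP.
<Directory /var/www/html/webmail>
    AuthType Basic
    AuthName "Password Required"
    AuthUserFile /etc/apache2/webmail.htpasswd
    Require user webmail
</Directory>

# Defence in depth: never serve files starting with .ht even if a copy of a
# .htpasswd ever ends up in the web root (Debian ships this in apache2.conf).
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

After apachectl configtest and a reload: curl -I http://host/webmail/ should return 401, curl -u webmail:PASSWORD -I http://host/webmail/ should return 200, and curl -I http://host/.htpasswd should return 403. Since the server handles the auth and no .htaccess is read, only the modules auth_basic, authn_file and authz_user are needed.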

Saturday, July 4, 2015

Mikrotik Router BGP Configuration

Today we will learn how to configure the BGP routing protocol so that multiple links from your ISP fail over automatically. Let me describe the scenario first.

Platform: Mikrotik Router
Primary Link IP: 172.17.176.4/27
Secondary Link IP: 172.17.160.6/27
Usable Subnet: 172.17.161.0/30
My ASN: 65503 (a private ASN from the 64512-65534 range; together with the RFC 1918 172.17.x.x addresses this is a private peering with the ISP)
Remote [ISP] ASN: 203


Here is the connectivity diagram:

So, let's start the configuration. First we assign the primary link address to ether1, the secondary link address to ether2 and an address from my usable subnet to ether3.

Primary IP address assign:

Secondary IP address assign:


My usable IP subnet:


Now we need to create routing filters for BGP. Here is how to do that.

In this case my ISP should send only the default route to my router, and every other route should be discarded. Let's see how to create those filters.

The BGP attribute "local preference" can be used to mark the primary link. BGP uses the default value local preference = 100 if we don't set this attribute ourselves.

The rule is "higher local preference wins". So we set the value to 200 on the default route received over the primary link; the copy received over the secondary link keeps 100 and is only used when the primary session goes down.

To discard all other incoming routes do the following.

Do the same thing for Secondary link as well.

We have already finished the incoming filters. Now we need the outgoing filters as well. My ISP should receive only the given IP subnet [172.17.161.0/30] from me; ending the filter with a discard also prevents the default route learned over one link from being re-announced to the ISP over the other one.

We need to create outgoing filters for Primary and Secondary links as well.

Now start with BGP. Follow the steps below to configure it.

The final check of our BGP configuration.
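The screenshots of the original post are not on this page, so here is the whole procedure as RouterOS v6 CLI commands, added as an example and not taken from the post. Values from the scenario above: ASN 65503, ISP ASN 203, the two link addresses and the /30. Assumptions not in the post: the ISP's peer addresses 172.17.176.1 and 172.17.160.1, the router's own address 172.17.161.1 on ether3, and the chain and peer names. RouterOS v7 moved BGP to /routing/bgp/connection with different syntax.

```routeros
# Added example (not from the original post), RouterOS v6 syntax.
# Assumed: ISP peers at 172.17.176.1 / 172.17.160.1, our ether3 address .1

# --- addresses ----------------------------------------------------------
/ip address
add address=172.17.176.4/27 interface=ether1 comment="Primary link"
add address=172.17.160.6/27 interface=ether2 comment="Secondary link"
add address=172.17.161.1/30 interface=ether3 comment="Usable subnet (assumed .1)"

# --- inbound filters: accept only the default route ---------------------
# prefix=0.0.0.0/0 alone matches every prefix *inside* 0/0, i.e. all routes;
# prefix-length=0 restricts the match to the default route itself.
/routing filter
add chain=primary-in prefix=0.0.0.0/0 prefix-length=0 action=accept set-bgp-local-pref=200 comment="default via primary wins (200 > 100)"
add chain=primary-in action=discard comment="drop everything else the ISP sends"
add chain=secondary-in prefix=0.0.0.0/0 prefix-length=0 action=accept comment="default via secondary, implicit local-pref 100"
add chain=secondary-in action=discard

# --- outbound filter: announce only our /30 -----------------------------
# The trailing discard also stops the default route learned from one ISP
# session from being re-announced on the other (a route leak).
add chain=isp-out prefix=172.17.161.0/30 action=accept
add chain=isp-out action=discard

# --- BGP instance, network and the two peers ----------------------------
/routing bgp instance
set default as=65503 router-id=172.17.161.1

/routing bgp network
add network=172.17.161.0/30

/routing bgp peer
add name=isp-primary remote-address=172.17.176.1 remote-as=203 in-filter=primary-in out-filter=isp-out
add name=isp-secondary remote-address=172.17.160.1 remote-as=203 in-filter=secondary-in out-filter=isp-out

# --- final check --------------------------------------------------------
/routing bgp peer print status
/routing bgp advertisements print
/ip route print where dst-address=0.0.0.0/0
```

Both sessions should show state "established", the advertisements output should list only 172.17.161.0/30 towards each peer, and the route print should show two default routes with the one via ether1 active. Pull the primary link and the ether2 default takes over. If the router has a public-facing firewall, also limit TCP/179 on the input chain to the two peer addresses so nobody else can open a BGP session.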

We are done.


Saturday, May 30, 2015

Live file synchronization across multiple Linux servers using lsyncd

First, please take note that I implemented this on a Debian server.
Set up SSH login without a password from the master server to the slave server
Master Server:
#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/root/.ssh/id_rsa):[Just press Enter key]
Enter passphrase (empty for no passphrase): [Just Press enter key]
Enter same passphrase again: [Just press enter key]

Your identification has been saved in /home/root/.ssh/id_rsa.

#ssh-copy-id -i ~/.ssh/id_rsa.pub root@remote-ip

Now test from the master server,
# ssh root@remote-ip
[It will log you in to the remote server without asking for a password. This key now gives the master's root an unrestricted root shell on the slave, so keep the passphrase-less key only on a master you trust at least as much as the slave, and restrict the entry in the slave's /root/.ssh/authorized_keys with from="master-ip" so it only works from that address.]



Now install lsyncd on the master server:
#apt-get update

#apt-get install -y lsyncd rsync

(The lua5.1, liblua5.1-dev, pkg-config and asciidoc packages are only needed when building lsyncd from source. The Debian package brings the Lua runtime with it and reads its configuration from /etc/lsyncd/lsyncd.conf.lua.)

# vim /etc/lsyncd/lsyncd.conf.lua
settings {
    logfile        = "/var/log/lsyncd/lsyncd.log",
    statusFile     = "/var/log/lsyncd/lsyncd-status.log",
    statusInterval = 10
}

-- Mirror /home/ from the master to the slave over ssh. default.rsync also
-- deletes files on the slave that disappear on the master, so the slave is
-- a mirror, not a backup.
sync {
    default.rsync,
    source = "/home/",
    target = "remote-ip:/home/",
    rsync = {
        compress = true,
        verbose  = true,
        owner    = true,   -- numeric UIDs/GIDs must match on the slave
        group    = true,
        perms    = true,
        acls     = true,
        -- StrictHostKeyChecking=no accepts whatever host key answers, so a
        -- spoofed slave would receive the files; store the slave's key in
        -- /root/.ssh/known_hosts first and use =yes instead
        rsh = "/usr/bin/ssh -p 22 -o StrictHostKeyChecking=no"
    }
}

-- Same for the mailboxes.
sync {
    default.rsync,
    source = "/var/mail/",
    target = "remote-ip:/var/mail/",
    rsync = {
        compress = true,
        verbose  = true,
        owner    = true,
        group    = true,
        perms    = true,
        acls     = true,
        rsh = "/usr/bin/ssh -p 22 -o StrictHostKeyChecking=no"
    }
}
[Save and Exit]


#mkdir /var/log/lsyncd/

#touch /var/log/lsyncd/lsyncd.log

#touch /var/log/lsyncd/lsyncd-status.log

#service lsyncd start


Slave Server:
#apt-get install rsync




Now test from Master Server:
#cd /home/


#touch test-file


Slave Server:
#cd /home/

#ls -lah


############# End of Lsync Configuration #############
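A tightened version of the configuration above, added here as an example and not part of the original post. It assumes a dedicated key /root/.ssh/lsyncd_key on the master and that the slave's host key has already been verified (fingerprint checked out of band) and stored in /root/.ssh/known_hosts; the exclude patterns are illustrative.

```lua
-- Added example (not from the original post): hardened lsyncd config.
-- Assumed: /root/.ssh/lsyncd_key exists and the slave's host key is
-- already in /root/.ssh/known_hosts on the master.
settings {
    logfile        = "/var/log/lsyncd/lsyncd.log",
    statusFile     = "/var/log/lsyncd/lsyncd-status.log",
    statusInterval = 10,
    maxProcesses   = 2,          -- at most two concurrent rsync runs
}

-- ssh command shared by both sync blocks:
--  * StrictHostKeyChecking=yes refuses to connect to a host whose key is
--    not already known, instead of silently trusting whatever answers
--  * BatchMode=yes never falls back to an interactive prompt
--  * a dedicated key, so it can be restricted on the slave without
--    touching root's normal login key
local ssh_cmd = "/usr/bin/ssh -p 22 -i /root/.ssh/lsyncd_key "
             .. "-o StrictHostKeyChecking=yes -o BatchMode=yes"

sync {
    default.rsync,
    source  = "/home/",
    target  = "remote-ip:/home/",
    -- "running": propagate deletions while lsyncd runs, but do not wipe the
    -- slave at startup if /home/ happens to be empty or unmounted
    delete  = "running",
    exclude = { "*.tmp", ".cache/" },   -- illustrative patterns
    rsync = {
        archive  = true,   -- -a: owner, group, perms, times, links, recursion
        compress = true,
        acls     = true,
        rsh      = ssh_cmd,
    }
}

sync {
    default.rsync,
    source = "/var/mail/",
    target = "remote-ip:/var/mail/",
    delete = "running",
    rsync = {
        archive  = true,
        compress = true,
        acls     = true,
        rsh      = ssh_cmd,
    }
}
```

On the slave, pin the dedicated key to the master in /root/.ssh/authorized_keys so that it cannot be used from anywhere else or for anything interactive: prefix the key line with from="master-ip",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding (newer OpenSSH also accepts the single word restrict). Run lsyncd once in the foreground with -nodaemon and watch the log to confirm the host key is accepted before enabling the service.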




*** Keep in mind that if you mirror a mail server to a secondary one, the same accounts must exist on the slave with the same UIDs and GIDs (owner = true and group = true above copy numeric ownership), so you have to move a copy of /etc/passwd, /etc/shadow and /etc/group from the master server to the backup server. Follow the steps below to do that once a day ***



Slave server:
#mkdir -m 700 /root/user-backup-from-master-server
(mode 700: the copy of /etc/shadow contains password hashes and must not be readable by other users)


Master server:
#vim /usr/local/src/backup-users

#!/bin/sh
# copy the account files to the slave; -p keeps their modes, so shadow stays 0640
scp -p /etc/passwd /etc/group /etc/shadow root@remote-ip:/root/user-backup-from-master-server
[Save and Exit]


#chmod 755 /usr/local/src/backup-users


#vim /etc/crontab
01 15 * * *    root    /usr/local/src/backup-users
[Save and Exit]



#/etc/init.d/cron restart


** This procedure will transfer a copy of /etc/passwd, /etc/group and /etc/shadow every day at 3:01 PM from the master server to the slave server. The files only land in the backup directory; merging them into the slave's own account files is still a manual step.

Tuesday, March 24, 2015

Multiple page redirection from single Linux Server using Apache2

I have a Linux server with Apache2 as its web service. I want to redirect two sites pointed at that server to two other websites. At first I was confused about how to do that, as I work in the networking section. Later I got help anyway, and I am going to share the solution with you.

First I had to change the default page from 'index.html' to 'index.php'.


Then I used the code below to redirect those two sites to the other two websites.


##################################
<?php
// Build "host/path" from the request. HTTP_HOST comes from the client's Host
// header, so it is only compared against fixed strings here, never echoed
// back or used as a redirect target itself.
$actual_link = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];

$redirect_page = null;
if ($actual_link == "www.xyz.com/")
    $redirect_page = "http://www.anotherone.com/";
if ($actual_link == "web2.xyz.com/")
    $redirect_page = "http://www.anothertwo.com/";   // the original line was missing its quotes

// No mapping for this host/path: do not emit a refresh with an empty target.
if ($redirect_page === null) {
    http_response_code(404);
    exit("Unknown site");
}
?>
<html>
    <head>
        <meta http-equiv="refresh" content="3;url=<?php echo htmlspecialchars($redirect_page, ENT_QUOTES) ?>" />
    </head>
    <body>
        <h1>Please wait, you are being redirected... </h1>
    </body>
</html>

#################################


I am happy with this simple solution. You?
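The same two redirects can be done by Apache itself with mod_alias, so no PHP runs and nothing is built from the client's Host header; browsers also get a real 301 instead of a 3-second meta refresh. This is an added example, not the post's solution; the file name redirects.conf and the catch-all vhost are assumptions.

```apache
# Added example (not from the original post):
# /etc/apache2/sites-available/redirects.conf, enabled with  a2ensite redirects
# File name and the default vhost are assumptions.

# Apache serves the first vhost in configuration order to any request whose
# Host matches none of the ServerNames. On Debian 000-default.conf plays that
# role; if you remove it, keep a harmless default here so that an unknown
# Host header never lands on one of the redirects.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/html
</VirtualHost>

<VirtualHost *:80>
    ServerName www.xyz.com
    # "permanent" sends 301; the rest of the request path is appended,
    # so /foo on www.xyz.com goes to http://www.anotherone.com/foo
    Redirect permanent "/" "http://www.anotherone.com/"
</VirtualHost>

<VirtualHost *:80>
    ServerName web2.xyz.com
    Redirect permanent "/" "http://www.anothertwo.com/"
</VirtualHost>
```

Check with apachectl configtest, reload, then curl -I -H "Host: www.xyz.com" http://your-server/ should return 301 with Location: http://www.anotherone.com/, while a bogus Host value should return 200 from the default site, not a redirect.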

Monday, January 19, 2015

SMTP Authentication using Dovecot

Sometimes we get complaints from clients that they cannot send mail with Outlook from a different ISP/network (port 25 blocked, or our server refusing to relay for an unknown address). To avoid this we let Postfix authenticate users through Dovecot (SMTP AUTH over SASL) and offer it over TLS on the submission port.

Step: 1

vim /etc/dovecot/conf.d/10-master.conf [Edit / Add the following lines. The listener goes inside the existing "service auth { ... }" block, where Debian ships it commented out]

service auth {
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

The socket sits under Postfix's private/ directory, which is mode 0700 and owned by postfix, so mode 0666 on the socket does not expose it to other local users. Restart dovecot afterwards.


Step: 2
 
Now go to the Postfix directory and edit main.cf as follows


# TLS parameters
# ssl-cert-snakeoil is the self-signed pair Debian generates at install time;
# clients will warn about it until it is replaced by a certificate issued for
# the hostname users type into Outlook.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
########## Enable TLS ########
# smtpd_use_tls=yes is the obsolete spelling of the security_level line
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
# yes: AUTH is only offered after STARTTLS, so passwords never cross the wire
# in clear text (the original had "no")
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes

######################################
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


#Authentication from dovecot
smtpd_sasl_type = dovecot
# relative to queue_directory, i.e. the /var/spool/postfix/private/auth socket from step 1
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_helo_required = yes
smtpd_sasl_authenticated_header = yes
# The original ended with a bare "reject", which also refuses mail that other
# MTAs deliver for your own domains. reject_unauth_destination accepts mail
# for $mydestination / $relay_domains and still blocks open relaying.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# lets old clients that use the pre-RFC "AUTH=LOGIN" syntax authenticate
broken_sasl_auth_clients = yes
smtpd_sender_restrictions = permit_sasl_authenticated

 
Step 3:
Now we need to enable the required SMTP port. Many providers block the default SMTP port 25 and the SMTPS port 465 for their customers, so I usually suggest the SMTP submission port 587 in these cases. But do not disable port 25 on your server: it is required for SMTP communication between servers.



To enable port 587, edit the file /etc/postfix/master.cf

vim /etc/postfix/master.cf

and remove the # in front of the line:

#submission inet n       -       n       -       -       smtpd

so that it looks like this:

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

The two indented -o lines are shipped commented out right below it in the Debian master.cf; uncomment them as well. They make the submission port require TLS before anything else (encrypt) and enable AUTH there, independently of the "may" setting that port 25 keeps for server-to-server mail.

and restart postfix:

/etc/init.d/postfix restart



Step: 4 


Now check that all the necessary ports are listening on your server.


#netstat -nat | grep LISTEN

and look for ports 25 (SMTP), 587 (SMTP submission), 143 (IMAP), 110 (POP3). From another network, openssl s_client -starttls smtp -connect your-host:587 should show the certificate and complete the handshake; with smtpd_tls_auth_only = yes the AUTH line only appears in the EHLO reply once TLS is up.
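The check just described can be automated. Below is an added example, not part of the original post, that talks to the submission port the way a client does (EHLO, STARTTLS, EHLO again) and reports whether STARTTLS is offered, whether AUTH leaks out before TLS (the original smtpd_tls_auth_only = no) and whether an ANONYMOUS mechanism is advertised. The parsing and assessment work on EHLO reply text, so they run offline against the constructed replies at the bottom; check_server() runs the same logic against a live host. The hostname mail.example.org is a placeholder.

```python
"""Added example, not code from the original post: check an SMTP submission
service for STARTTLS and for AUTH being offered only after TLS.
Hostnames are placeholders; the EHLO replies at the bottom are constructed."""

import smtplib
import ssl


def parse_ehlo(ehlo_msg: bytes) -> dict:
    """Turn the EHLO reply body that smtplib returns (server name on the
    first line, one extension per following line) into {KEYWORD: [params]}."""
    exts = {}
    for line in ehlo_msg.decode("ascii", "replace").splitlines()[1:]:
        parts = line.split()
        if parts:
            exts[parts[0].upper()] = parts[1:]
    return exts


def assess(before_tls: dict, after_tls) -> list:
    """Return a list of findings; an empty list means the service behaves
    like the hardened configuration (security_level may, auth_only yes,
    noanonymous). after_tls is None when STARTTLS could not be done."""
    findings = []
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS not offered: clients would authenticate in clear text")
    if "AUTH" in before_tls:
        findings.append("AUTH advertised before STARTTLS: set smtpd_tls_auth_only = yes")
    if after_tls is not None:
        mechs = {m.upper() for m in after_tls.get("AUTH", [])}
        if not mechs:
            findings.append("no AUTH after STARTTLS: check smtpd_sasl_auth_enable and the Dovecot socket")
        if "ANONYMOUS" in mechs:
            findings.append("ANONYMOUS mechanism advertised: add noanonymous to smtpd_sasl_security_options")
    return findings


def check_server(host: str, port: int = 587, verify_cert: bool = True,
                 timeout: float = 10.0) -> list:
    """Connect, EHLO, STARTTLS, EHLO again and assess both replies.
    verify_cert=False is needed against the snakeoil certificate from the
    post; production should verify the certificate like Outlook does."""
    ctx = ssl.create_default_context()
    if not verify_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, msg = smtp.ehlo()
        before = parse_ehlo(msg)
        after = None
        if "STARTTLS" in before:
            smtp.starttls(context=ctx)
            _code, msg = smtp.ehlo()      # capabilities must be re-read after TLS
            after = parse_ehlo(msg)
    return assess(before, after)


# Constructed EHLO replies, not captures from a real server.
# (a) what the post's original main.cf (smtpd_tls_auth_only = no) would send:
WEAK_BEFORE = b"mail.example.org\nPIPELINING\nSIZE 10240000\nSTARTTLS\nAUTH PLAIN LOGIN\n8BITMIME"
# (b) hardened: AUTH only appears once TLS is up
GOOD_BEFORE = b"mail.example.org\nPIPELINING\nSIZE 10240000\nSTARTTLS\n8BITMIME"
GOOD_AFTER = b"mail.example.org\nPIPELINING\nSIZE 10240000\nAUTH PLAIN LOGIN\n8BITMIME"

if __name__ == "__main__":
    print("posted config:", assess(parse_ehlo(WEAK_BEFORE), parse_ehlo(GOOD_AFTER)))
    print("hardened     :", assess(parse_ehlo(GOOD_BEFORE), parse_ehlo(GOOD_AFTER)))
```

Against a live host, run check_server("mail.example.org", verify_cert=False) while the snakeoil certificate is still in place; the posted configuration yields exactly one finding, the AUTH-before-STARTTLS one, and the hardened configuration yields none.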

 
Step: 5

Modify the Outlook email client configuration of users like the image below (not included on this page): outgoing server port 587, encryption type TLS (STARTTLS), and "My outgoing server (SMTP) requires authentication" ticked with the same credentials as the incoming server.



You are done.