VPSHELPDESK.COM

Multiple SSL certificates on single IP address

Multiple SSL certificates on single IP address

Create the virtual host ssl inside the sites-available

#cd /etc/apache2/sites-available/
#cp default-ssl.conf web1.com-ssl.conf
#cp default-ssl.conf web2.com-ssl.conf

Make sure link on the /etc/apache2/sites-enable exist, the origin from the sites-available

#cd /etc/apache2/sites-enable
#ln -s /etc/apache2/sites-available/web1.com-ssl.conf
#ln -s /etc/apache2/sites-available/web2.com-ssl.conf
#ls -la /etc/apache2/sites-enabled
total 8
drwxr-xr-x 2 root root 4096 Apr 13 18:49 .
drwxr-xr-x 9 root root 4096 Apr 13 18:39 ..
lrwxrwxrwx 1 root root 35 Feb 15 09:57 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root 58 Apr 13 18:48 web1.com-ssl.conf -> /etc/apache2/sites-available/web1.com-ssl.conf
lrwxrwxrwx 1 root root 54 Apr 13 18:49 web2.com-ssl.conf -> /etc/apache2/sites-available/web2.com-ssl.conf

Debian 9 with old PHP 5.6 and MySQL 5.6, 5.7 or 8.0 and Apache2

Run below commands to upgrade the current packages to the latest version

#apt update
#apt upgrade

Install the Apache2 package

#apt install apache2

Execute the following commands to install the required packages first on your system. Then import packages signing key. After that configure PPA for the PHP packages on your system.

#apt install ca-certificates apt-transport-https
#wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
#echo "deb https://packages.sury.org/php/ stretch main" | tee /etc/apt/sources.list.d/php.list

Installing PHP 5.6

Execute the following commands for installing PHP 5.6 on your Debian 9 Stretch system.

#apt update
#apt install php5.6

Also install required php modules.

#apt-get install php5.6-cli php5.6-common php5.6-curl php5.6-mbstring php5.6-mysql php5.6-xml php5.6-gd

Install MYSQL Version 5.6, 5.7 or 8.0, better 5.7 or 8.0

#apt -y install wget
#wget https://repo.mysql.com//mysql-apt-config_0.8.13-1_all.deb
#dpkg -i mysql-apt-config_0.8.13-1_all.deb

During the installation the system will prompt to select MySQL version. Choose which MySQL version, 5.6, 5.7 or 8.0 available to choose then OK

#apt update
#apt -y install mysql-server

Finish up by running the MySQL secure_installation

#mysql_secure_installation

Test php working or not

Create new php file at /var/www/html

#vim info.php

write

<?php phpinfo(); ?>

Open browser http://localhost/info.php

Enable and load mod_rewrite Apache2 on Debian 8

#a2enmod rewrite

Then open and edit /etc/apache2/apache2.conf find

Options Indexes FollowSymLinks
AllowOverride All
Require all granted

Replace “AllowOverride None” to “AllowOverride all”

Enable Apache2 mod_headers & mod_expires on

To increase PageSpeed: Leverage browser caching.

enable mod_headers:

#a2enmod headers

enable mod_expires:

#a2enmod expires

Then restart Apache server to make these changes effective

#service apache2 restart

Set up iptables On Debian 8 Debian 9

Faster way paste this on console

/sbin/iptables -F && /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP && /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP && /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP && /sbin/iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT && /sbin/iptables -A INPUT -i lo -j ACCEPT && /sbin/iptables -A OUTPUT -o lo -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT && /sbin/iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT && /sbin/iptables -P OUTPUT ACCEPT && /sbin/iptables -P INPUT DROP

New script only open port 80, 443, 25, 465,587

/sbin/iptables -F && /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP && /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP && /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP && /sbin/iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT && /sbin/iptables -A INPUT -i lo -j ACCEPT && /sbin/iptables -A OUTPUT -o lo -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT && /sbin/iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT && /sbin/iptables -P OUTPUT ACCEPT && /sbin/iptables -P INPUT DROP

IP-Tables are not persistent On Debian 8, save permanent the new rules to the master iptables file:

#iptables-save > /etc/iptables.up.rules

Make sure the iptables rules are started on a reboot we’ll create a new file:

#nano /etc/network/if-pre-up.d/iptables

Add these lines to it:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

The file needs to be executable so change the permissions:

#chmod +x /etc/network/if-pre-up.d/iptables

#iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Error apt-get update upgrade Debian 8 Release file expired

$sudo apt-get update

E: Release file for http://cloudfront.debian.net/debian/dists/jessie-backports/InRelease is expired (invalid since 487d 11h 2min 2s). Updates for this repository will not be applied

Solutions

Add this to the command:

-o Acquire::Check-Valid-Until=false

For example:

sudo apt-get -o Acquire::Check-Valid-Until=false update
sudo apt-get -o Acquire::Check-Valid-Until=false dist-upgrade

then

apt-get install -y software-properties-common
apt-get install apache2
apt-get install php5.6
apt-get install php5.6-cli php5.6-common php5.6-curl php5.6-mbstring php5.6-mysql php5.6-xml php5.6-gd
apt-get install mariadb-server

iptables -L

/sbin/iptables -F && /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP && /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP && /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP && /sbin/iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT && /sbin/iptables -A INPUT -i lo -j ACCEPT && /sbin/iptables -A OUTPUT -o lo -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT && /sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT && /sbin/iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT && /sbin/iptables -P OUTPUT ACCEPT && /sbin/iptables -P INPUT DROP

iptables -L

apt-get install iptables-persistent

Disable confusing Vim visual mode

Vim visual mode really confusing drives me crazy can not copy something from external clipboard

Solution to disable Vim visual mode, work with the Old one

echo "set mouse-=a" >> ~/.vimrc

No more visual mode, copy paste text from using mouse works again

Sudo user in Debian

Install the “sudo” Command
You need to run this command as root user:

user@debian:~$ su -
Password:
root@debian:~ # apt-get install sudo

Create a new user account.

#/usr/sbin/adduser admin

Add the user to the sudo group; By default on Debian systems, members of the group sudo are granted with sudo access. To add a user to the sudo group use the usermod command:

#usermod -aG sudo admin

Check the sudo access

#id admin
uid=1001(admin) gid=1001(admin) groups=1001(admin),27(sudo)

The user admin a member of sudo group now and to work as a root, every command must start with sudo (sudo reboot, sudo vim, sudo del, sudo mkdir, sudo……)

Error and solutions

admin@debian9:~$ sudo ifconfig
sudo: unable to resolve host (none)

Solutions

Insert hostname to /etc/hostname and /etc/hosts something like:

127.0.0.1    localhost.localdomain localhost
127.0.1.1    debian9

Disable IPv6 Debian 8 / Ubuntu

If can’t remove IPv6 on Debain 8 from hosting admin menu, It can disable through terminal

Debian-based/Ubuntu

sudo bash -c 'cat <<EOF >> /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF'

Configure SSH daemon to only listen over IPv4 by running the following:

echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config

Then Reboot #reboot

SSL test on Qualys SSL Labs Rating A Configuration

**Minimal Debian * Jessie and Apache V 2.4.10**

Fix DNS CAA No to Yes by add CAA record on DNS Server

Clouddns: Add CAA Record, select the Provider (If available : Comodo, Digicert, etc), if manual insert field Answer with 0 (Number 0 -255), Tag with issue and Value with comodoca.com (if Comodo SSL),, letsencrypt.org (If Lets Encrypt SLL) then Save All Changes, wait 1 hour to complete. Then check CAA status at https://caatest.co.uk

Incorrect SNI alerts

Insert below within section VirtualHost conf then #service apache2 restart

nano /etc/apache2/sites-available/default-ssl.conf

Insert at the bottom before closed tag of the VirtualHost “</VirtualHost>”

ServerName example.com
ServerAlias www.example.com example.com

Enable Apache OCSPStapling

Specify cached response location (outside <VirtualHost>, before <VirtualHost _default_:443>

SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)

The placed must before the following text:

## SSL Virtual Host Context
<VirtualHost _default_:443>

**** Optional Activate HTTP/2 protocol on default-ssl.conf

Insert Protocols h2 h2c http/1.1 after <VirtualHost _default_:443> on /etc/apache2/sites-available/default-ssl.conf

Below the configuration on /etc/apache2/sites-enable/default-ssl.conf

** activate Header first in with command #a2enmod headers

SSLEngine on

SSLCipherSUite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"

# This TLSv1.2 only
SSLProtocol TLSv1.2
# To use TLSv1.2 and TLSv1.3 uncomment line below and comment one above. Please read note above.
#SSLProtocol +TLSv1.2 +TLSv1.3

#enable of OCSP stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

#if you want to add DHE (Diffie-Hellman key exchange), HTTPD 2.4.8 later, run openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096 uncomment below
#SSLOpenSSLConfCmd Curves secp384r1
#SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

SSLCertificateFile /etc/apache2/ssl/example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
SSLCertificateChainFile /etc/apache2/ssl/example.com.ca-bundle

#Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" activate first in with command #a2enmod headers
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

Enable and load mod_rewrite Apache2 on Debian 8

#a2enmod rewrite

Enable Headers

#a2enmod headers

Enable SSL

#a2enmod ssl

** Optional to Activate HTTP/2 module

#a2enmod http2

Apply SSL Module to Site

#a2ensite default-ssl

To activate the new configuration, you need to run:

#service apache2 reload

Other SSL / TLS Settings on /etc/apache2/mods-enabled/ssl.conf

#Turn of SSL Compression & Ensure Ciphers are used in order

SSLCompression off
SSLHonorCipherOrder on

Enable SSL log by add script below the ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog

ErrorLog ${APACHE_LOG_DIR}/ssl_engine.log
LogLevel debug

Sometimes error occurred, example log below

[Mon Nov 25 09:54:07.361518 2019] [ssl:error] [pid 5035] (70007)The timeout specified has expired: [client 84.240.234.36:32844] AH01985: error reading response from OCSP server

Solution

SSLStaplingResponderTimeout 3

When Sectigo’s OCSP Responder servers did not respond fast enough, the OSCP requests failed and the errors noted on this thread were logged to the Apache error log. Disable OCSP Stapling:

SSLUseStapling off

Or, instead of disabling OCSP Stapling, we could increase the default timeout value (11 seconds appeared to be suitable for yesterday’s issue):

SSLStaplingResponderTimeout 11

Upgrade Debian 7 Wheezy to Debian 8 Jessie

Backup the configuration and data first

Check current release

#sudo cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/"

Configuration files in the /etc directory

#tar -pczf etc.tar.gz --absolute-names /etc

Backup of the /var/www website directory.

#tar -pczf www.tar.gz --absolute-names /var/www

Backup of the /home directories.

#tar -pczf home.tar.gz --absolute-names /home

For ISPConfig 3 users: Backup of your email server files.

#tar -pczf vmail.tar.gz --absolute-names /var/vmail

Backup MySQL databases

#mysqldump --defaults-file=/etc/mysql/debian.cnf -cCeQ --hex-blob --quote-names --routines --events --triggers --all-databases -r all_databases.sql

Then move the tar.gz and .sql files for safe storage on a backup drive.

Check the apt sources.list file

Before upgrade to Jessie, all available Wheezy must updates first. On some systems the package source is defined as “stable” in the sources.list file instead of “wheezy” or “jessie”. To avoid an accidental early upgrade to Jessie, please check the sources.list now and ensure that it contains “wheezy” and not “stable” as source:

#nano /etc/apt/sources.list

deb http://ftp.us.debian.org/debian wheezy main contrib non-free
deb-src http://ftp.us.debian.org/debian wheezy main contrib non-free
deb http://ftp.us.debian.org/debian wheezy-updates main contrib non-free
deb http://ftp.us.debian.org/debian-security wheezy/updates main contrib non-free

#apt-get update -y && apt-get upgrade -y && apt-get dist-upgrade -y

Update the sources.list for Jessie

Edit the /etc/apt/sources.list file again:

#nano /etc/apt/sources.list

and replace its content with the following lines:

deb http://ftp.us.debian.org/debian/ jessie main contrib non-free
deb-src http://ftp.us.debian.org/debian/ jessie main contrib non-free

deb http://httpredir.debian.org/debian jessie-updates main contrib non-free
deb-src http://httpredir.debian.org/debian jessie-updates main contrib non-free

deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free

apt-get update -y && apt-get upgrade -y && apt-get dist-upgrade -y

reboot

To check which Debian version is currently installed on the system, take a look at the file /etc/os-release.

#cat /etc/os-release
#lsb_release -a

Extract all the tar.gz files to the folder (/var/www/html, /etc/)

#tar -xvf www.tar.gz

Move all folder and files

#mv /sourcefolder/{,.[^.]}* /destinationfolder/

Install php7 on Debian 8

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install -y php7.3

Check php version

php -v

Installing PHP 7.3 Extensions

sudo apt install php7.3-cli php7.3-fpm php7.3-json php7.3-pdo php7.3-mysql php7.3-zip php7.3-gd  php7.3-mbstring php7.3-curl php7.3-xml php7.3-bcmath php7.3-json

To install Apache Module for PHP, run:

sudo apt install libapache2-mod-php7.3