Category Archives: Linux

Secure Zammad with LetsEncrypt Certıfıcate on Ubuntu 20.4 Apache

The Story

after installing Zammad ticketing system I tried to implement Let’sEncrypt certificate to secure the system but there was nothing available on the internet except an old article about implementing this on Ubuntu 16 with Nginx (see article here).

In my case I was using apache and no Nginx in place, and after installing Zammad it was using pretty fine on Http but needed to redirect http to HTTPS after implementing the certificate.

Solution:

I first Installed Certbot for apache and then I took a backup of all my Zammad configuration and made sure not to alter the default Zammad directory.

So I created a dummy folder called /var/www/support and a file called /var/www/support/index.html within that folder and provided them the appropriate permissions.

sudo apt install certbot python3-certbot-apache

 sudo mkdir /var/www/support

sudo chown -R $USER:$USER /var/www/support

sudo chmod -R 755 /var/www/support

sudo nano /var/www/support/index.html


Edit the index.html file with the following to make sure that it works

<html>
             <head>
                         <title>Welcome to Your_domain!</title>
             </head>
             <body>
                       <h1>Success! The your_domain virtual host is working!</h1>
           </body>
</html>

image

image

Edit Zammad’s Default Config File

Please make sure you take a move the original copy of Zammad file to another location using the following command

sudo mv /etc/apache2/sites-enabled/zammad.conf /etc/apache2/sites-enabled/zammad.bak

Then we’ll replace the file with this configuration but since we moved the original file to .bak then we’ll have to recreate it with our intended configuration.

Edit a new zammad.conf file and copy the configuration below

sudo vi /etc/apache2/sites-enabled/zammad.conf

Configuration starts below this:

#

# this is the apache config for zammad

#

# security – prevent information disclosure about server version

#ServerTokens Prod

<VirtualHost *:8080> # I changed the default port of Zammad to 8080 to allow Letsencrypt to connect on 80 and create the certificate

# replace ‘localhost’ with your fqdn if you want to use zammad from remote

ServerName localhost:8080

## don’t loose time with IP address lookups

HostnameLookups Off

## needed for named virtual hosts

UseCanonicalName Off

## configures the footer on server-generated documents

ServerSignature Off

ProxyRequests Off

ProxyPreserveHost On

<Proxy 127.0.0.1:3000>

Require local

</Proxy>

ProxyPass /assets !

ProxyPass /favicon.ico !

ProxyPass /apple-touch-icon.png !

ProxyPass /robots.txt !

ProxyPass /ws ws://127.0.0.1:6042/

ProxyPass / http://127.0.0.1:3000/

— INSERT — 10,38 Top

DocumentRoot “/opt/zammad/public”

<Directory />

Options FollowSymLinks

AllowOverride None

</Directory>

<Directory “/opt/zammad/public”>

Options FollowSymLinks

Require all granted

</Directory>

</VirtualHost>

<VirtualHost *:80>

ServerName support.cloud-net.tech

DocumentRoot /var/www/support

ErrorLog ${APACHE_LOG_DIR}/error.log

CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

– ————————-

In the above configuration we did two things:

1- Replacing the original Zammad listening port instead of 80 to 8080

2- Created a new virtual host that points to our dummy folder /var/www/support

Save the file and exit from vi

Make sure you restart Apache after this

sudo systemctl restart apache2

Enable the new site configuration

sudo a2ensite zammad.conf

Lets create the certificate

In the below commands , the first one will drive you through the process of getting the certificate.

The second checks the status of the configuration of the auto renewal script certbot and third command tests the renewal of the certificate.

1- sudo certbot –apache

2- sudo systemctl status certbot.timer

3- sudo certbot renew –dry-run

As you can see in the below screenshot the command also asks you if you’d like to redirect all http traffic to HTTPS. You should want to say Y to that.

clip_image001

clip_image001[4]

When you accept creating Redirection rule from HTTP to HTTPs the main Zammad config will get that configuration which wont work in that case because we already changed the default zammad port to 8080.

So you’ll need to get into that zammad.conf that you created again and enter the redirection portion

image

# this is the apache config for zammad
#


# security – prevent information disclosure about server version
#ServerTokens Prod


<VirtualHost *:8080>
     # replace ‘localhost’ with your fqdn if you want to use zammad from remote
     ServerName support.cloud-net.tech:8080


    ## don’t loose time with IP address lookups
     HostnameLookups Off


    ## needed for named virtual hosts
     UseCanonicalName Off


    ## configures the footer on server-generated documents
     ServerSignature Off


    ProxyRequests Off
     ProxyPreserveHost On


    <Proxy 127.0.0.1:3000>
         Require local
     </Proxy>


    ProxyPass /assets !
     ProxyPass /favicon.ico !
     ProxyPass /apple-touch-icon.png !
     ProxyPass /robots.txt !
     ProxyPass /ws ws://127.0.0.1:6042/
     ProxyPass /
http://127.0.0.1:3000/


    # change this line in an SSO setup
     RequestHeader unset X-Forwarded-User


     DocumentRoot “/opt/zammad/public”


    <Directory />
         Options FollowSymLinks
         AllowOverride None
     </Directory>


    <Directory “/opt/zammad/public”>
         Options FollowSymLinks
         Require all granted
     </Directory>


RewriteEngine on
RewriteCond %{SERVER_NAME} =support.cloud-net.tech
RewriteRule ^
https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

<VirtualHost *:80>
     ServerName support.cloud-net.tech
RewriteEngine on
RewriteCond %{SERVER_NAME} =support.cloud-net.tech
RewriteRule ^
https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

image

Note:

You need to make sure that you have enabled port 443 on your Firewall and changed the main protocol of Zammad to HTTPs

To do so you’ll need to get into the Zammad portal > Settings > System > Http Type and change that to HTTPS.

image

That’s it, my example here worked as expected and now my traffic is automatically getting redirected to https.

image

Hope this helps anyone looking for such configuration.

Please consider donating to this Bitcoin account if you like this article or website.

image

Onboarding Linux Client (DEEPIN) to Microsoft Azure Threat protection ATP using ubuntu repository

Installing Microsoft Azure Threat Protection (ATP) on Linux Devices

While playing with ATP on some windows devices, I was in the mood of trying the new Deepin 20 desktop flavor which is a famous Chinese Linux OS based system.

Microsoft doesn’t indicate anywhere that installation of ATP on a Linux client is possible but Linux server is mentioned in the official ATP installation documents.

How to Install?

After I installed the Deepin OS, I was really impressed by the new beautiful Linux design so I plan to use it and have it secure with ATP.

image

Prerequisites:

  1. Configure the Linux software repository for Ubuntu and Debian
  2. Application Installation
  3. Download the onboarding Package
  4. Client Config

1-Configure the Linux software repository for Ubuntu and Debian

You will need to install the required libraries, install Gpg, apt-transport-https and update repository metadata using the following commands one by one.

  • sudo apt-get install curl

image

  • sudo apt-get install libplist-utils

image

image

  • sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-ubuntu.list
  • sudo apt-get install gpg

image

image

image

After successfully installing all the libraries, I will go ahead and install the application

2- Application Installation

From the Linux client Terminal using sudo power user run the following script

sudo apt-get install mdatp

image

Once finished, You can go back to the ATP portal and download the Linux Onboarding package on the linux server/client you want to onboard

3- Download the onboarding Package

Since I am doing a single deployment not bulk, then I will go to the Microsoft Defender Security Center’s setting page and download the Linux package from the device management section.

image

The steps for the onboarding is already mentioned on that page so after you download the script you’ll know exactly what to do next.

The file is 9kb python in size

image

Copy the file to your Linux Desktop

image

4- Client Config

From the terminal type in chmod a+x MicrosoftDefenderATPOnBoardingLinuxServer.py and hit enter

Note: python must be installed on this linux dervice.

Then type python /MicrosoftDefenderATPOnBoardingLinuxServer.py

image

This will run pretty quick and will assign your Linux server/client with your Organization ID.

To see the Organization ID type:

mdatp –health orgId

image

Few minutes later you’ll be able to see the installation completion and the status through this command

Check if WDATP is functioning as expected

mdatp –health healthy

image

Check if WDATP agent is enabled

mdatp –health realTimeProtectionEnabled

image

Let’s check on our ATP portal and see if the machine is showing there.

Note: It might take 5-15 mins to update the definitions of WDATP when onboarding.

image

Running a detection Test:

curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt

image

In few seconds the file has disappeared

image

Checking for threats

mdatp –threat –list –pretty

image

Let’s see this on the ATP Portal

image

image

This is just a test malware not a real one therefore it wont harm your machine at all.

Hope this helps you with your deployments

Ref:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually

Deepin 20 Beta version

https://www.deepin.org/en/2020/04/15/deepin-20-beta/

Resetting Root Password for FreePBX 14.0.5.1–Sangoma Linux 7

Many people have been through this same problem either due to forgetting the root password, typing it wrong or due to console language conversion issue.

Mine was due to using a remote console which didn’t translate my keyboard properly and caused a wrong password.

So I ended up having access to the GUI screen but not the root. So first thing came to my mind is should I reformat the machine and reinstall it since it doesn’t take long time? but no I like challenges and started digging into how do I reset the password.

Since I do still have the access to console I can try from the Kernel, the default ISO install FreePBX with Sangoma 7 Distro which is based on Centos Kernel 3.10.0-862.2.2.3 el7.x86_64.

So I first attempt I tried was following the same method of resetting root password on Centos through Kernel.

1- Restarting the machine to get into Kernel:

When Restarting Press E to edit the Kernel

image

Once pressed E you will get this screen:

image

2- Edit the Kernel:

Scroll down until you find “rhgb quiet” and replace it with “init=/bin/bash” without quotes.

image

So eventually it’ll look like this

image

3- Resetting Root Password:

Once it’s changed, press ctrl-X to initiate the process of resetting the root password:

You will get Bash cmd prompt, Type the following commands

A- First to check the status of root partition by running following command on the single user mode.

Mount | grep root

In this distro of Linux you might not get anything but normally you should get partition details.

B- To make the partition writable, you’ll have to type in the following command

mount -o remount,rw /

C- To Change the root password type

passwd root

Type your new password and you’ll get a message that all authentication tokens updated successfully

clip_image001

After this restart and try to login, and you’ll see that it works fine

clip_image001[4]

Result:

After restarting the machine, I tried to get into web GUI to start configuring the FreePBX but I received the following error:

Whoops\Exception\ErrorException (E_ERROR)

Class ‘PicoFeed\Reader\Reader’ not found

After doing some research it was obviously an error related to a recent update pushed by FreePBX

clip_image001[6]

Solution:

and the solution was running this cmd

fwconsole ma upgrade dashboard –edge

clip_image001[8]
image
Winking smile

Hope someone would find this useful 

Change WordPress Domain using http://wp-cli.org/





  1. sudo curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar

clip_image001

  1. From User@UbuntuServer:/var/www/html$ I will run the following command to make sure that the command is working

sudo php wp-cli.phar –info

clip_image002

  1. I’ll move the file to a new path and location so I can access it from anywhere using only the command WP.

First I will give the required permissions

moh10ly@Ubunut-Mohammed:/var/www/html$ sudo chmod +x wp-cli.phar

clip_image003

Next I will move the file

sudo mv wp-cli.phar /usr//local/bin/wp

clip_image004

  1. Check if the file is working properly after moving?

clip_image005

  1. Final step is to change the domain of your wordpress site to a new domain.

My previous domain was www.mytechweb.ga and now I changed it to www.moh10ly.website

So I only used two commands to change the domain name to the new one

clip_image006

clip_image007

Now I tested my website and it’s working perfectly…

http://wp-cli.org/

<<wp-cli.phar>>









What to have in your Linux Desktop?





The tools that a Must have on Linux Desktop are

1- Variety

(Automatic desktop wallpaper downloader and customizer), Variety also displays quotes on your desktop along with wallpapers.

clip_image001

2- Cairo dock (shortcut bar to Applications)

clip_image002

3- Shutter (Graphic tool)

Shutter is a graphic tool that can take snapshots, desktop screenshots and edit them or send them to your e-mail.

it’s very powerful and every button on it can be customized with a shortcut by the keyboard. for example if you want to create a shortcut for screen selection (Like the OneNote on Windows) you can simply open the keyboard shortcuts app (mate-keybinding-properties)

clip_image003

Once you have launched the keyboard shortcuts utility, you can customize a new shortcut to take a screenshot for you with Shutter by selection.

clip_image004

You will have to click on Add and create a new shortcut as following

clip_image005

Once you click apply, you can assign the shortcut for this command.

For example, I am using the shortcut CTRL + SHIFT + S

clip_image006

4- Remote Desktop tools

A- NoMachine

NoMachine is a free and very powerful remote desktop utility that works on all Operating systems and supports all kinds of features that are available in other remote desktop utlities like (Radmin, Teamviewer, RDP).

clip_image007

5- OneDrive for Linux.

http://xmodulo.com/sync-microsoft-onedrive-linux.html

Install onedrive-d on Linux

While onedrive-d was originally developed for Ubuntu/Debian, it now supports CentOS/Fedora/RHEL as well.

Installation is as easy as typing the following.

$ git clone https://github.com/xybu92/onedrive-d.git
$ cd onedrive-d
$ ./inst install

First-Time Configuration

After installation, you need to go through one-time configuration which involves granting onedrive-d read/write access to your OneDrive account.

First, create a local folder which will be used to sync against a remote OneDrive account.

$ mkdir ~/onedrive

Then run the following command to start the first-time configuration.

$ onedrive-d

It will pop up a onedrive-d’s Settings window as shown below. In "Location" option, choose the local folder you created earlier. In "Authentication" option, you will see "You have not authenticated OneDrive-d yet" message. Now click on "Connect to OneDrive.com" box.

clip_image008

It will pop up a new window asking you to sign in to OneDrive.com.

clip_image009

After logging in to OneDrive.com, you will be asked to grant access to onedrive-d. Choose "Yes".

clip_image010

Coming back to the Settings window, you will see that the previous status has changed to "You have connected to OneDrive.com". Click on "OK" to finish.

clip_image011

Sync a Local Folder with OneDrive

There are two ways to sync a local folder with your OneDrive storage by using onedrive-d.

One way is to sync with OneDrive manually from the command line. That is, whenever you want to sync a local folder against your OneDrive account, simply run:

$ onedrive-d

onedrive-d will then scan the content of both a local folder and a OneDrive account, and make the two in sync. This means either uploading newly added files in a local folder, or downloading newly found files from a remote OneDrive account. If you remove any file from a local folder, the corresponding file will automatically be deleted from a OneDrive account after sync. The same thing will happen in the reverse direction as well.

Once sync is completed, you can kill the foreground-running onedrive-d process by pressing Ctrl+C.

clip_image012

Another way is to run onedrive-d as an always-on daemon which launches automatically upon start. In that case, the background daemon will monitor both the local folder and OneDrive account, to keep them in sync. For that, simply add onedrive-d to the auto-start program list of your desktop.

When onedrive-d daemon is running in the background, you will see OneDrive icon in the desktop status bar as shown below. Whenever sync update is triggered, you will see a desktop notification.

clip_image013

6- Evolution Email Client for Exchange accounts.

If you ever thought of using an e-mail client that supports your account on Microsoft Exchange Email server’s protocol which is known as (RPC over HTTP) then you have probably used Mozilla thunderbird or kmail, geary..etc but all those clients don’t support Exchange’s most flexible connectivity which is RPC over HTTP that will sync all your emails, contacts, tasks, calendars ..etc

To Install evolution, all you have to do is open Linux Terminal and type the following

Sudo apt-get install evolution

clip_image014

Since I already have Evolution installed it won’t proceed and will tell me that it’s already installed. but that’s not all!

In order to setup an Exchange account on Evolution you will have to install an Evolution plugin that will support the web services for the RPC over http connectivity which is known as (EWS = Exchange Web Services).

In order to install this plugin you will have to type the following command

Sudo apt-get install Evolution-ews

clip_image015

Once you install the plugin, you can launch the program and setup your account as following.

Click on Add as in the picture

clip_image016

When you click add you should be welcomed by a message saying "Welcome to Evolution wizard ..etd"

Click Continue and then type in your name and email address in the next window

You can skip the automatic configuration as Evolution still doesn’t support Exchange Autodiscover mechanism for auto configuration of the account. so you must manually provide all the configuration of your exchange as following

clip_image017

In the host URL you will have to provide your Exchange server’s EWS URL which usually looks like this

https://mail.domain.com/ews/exchange.asmx

In my case I am using an Office 365 account so instead I’ll use Microsoft’s EWS url.

https://outlook.office365.com/ews/exchange.asmx

For the OAB (Offline Address Book) you also need to provide the configured URL of the OAB on your Exchange Server. which in my case again it’s Microsoft Office 365.

https://outlook.office365.com/OAB

you will need to make sure that the correct authentication method is set (NTLM) in my case, this can vary though on Exchange server’s Outlook Anywhere configuration. it can be Basic as well. so it’s up to your configuration to choose but for Office 365 it’s NTLM.

clip_image018

Once you finish the configuration you can continue and you’ll get prompted to enter your Credentials. as soon as you finish typing your Password hit enter and your e-mails will start syncing. as in the following snapshot

clip_image019

That’s it, you’re setup here either if it’s an exchange on-premises or Office 365 for Linux desktop client.

Here’s another guide for the new mapi connectivity for Evolution, probably the same steps

https://www.linux.com/learn/tutorials/370590:connect-evolution-to-an-exchange-server

7- For Office (Word, Powerpoint ..etc) I prefer to use Kingsoft’s community version along with LibreOffice

Since Libre office provide more tools or the full package I still use it on Linux but Kingsoft’s WPS tools have a user friendly and rich of tools GUI.

clip_image020

In order to download WPS software you will have to navigate to the link below and download the suitable version with your Linux OS. or use the terminal to download latest available version with the following command

sudo apt-get install wps-office

http://wps-community.org/download.html

8- For media there are various available software and tools that you can use on Linux to either listen to music or edit mp3s or convert media types.

A- Audacity (Convert and Edit audio files).

B- Spotify (listen to music online)

C- Clementine (Listen to Music on your computer)

D- VLC (Watch Videos on your PC) or use it as a streaming server.

There are other useful tools and things to do on Linux OS as it’s a very flexible and customizable OS but I’ll end this article here and write a new one about how to decorate your welcome screen and your desktop with beautiful pictures and tools.

Hope you find this useful Smile