Script to Create a SFTP User to Access Only Home Directory – Ubuntu 12x, 14x or 16x

The following script creates an SFTP user that can access only its home directory (Ubuntu 12x, 14x or 16x).

This script saves the generated password in the account.txt file.

Go to the /home directory

cd /home

Create an account.txt file

sudo touch account.txt

Create a shell script and paste the following script into it

nano createsftp.sh

#!/bin/bash

####
# This script automatically creates an SFTP account and allows access only to its home directory
#
# Author: Asuk Nath
# Date: 11/20/15
#
###

# Check that a username was supplied
if [ $# -lt 1 ]; then
    echo "Please supply a username"
    echo "Example: $0 john"
    exit 1
fi

# Check if the username already exists
if id "$1" >/dev/null 2>&1; then
    echo "Username exists"
    echo "Use a different username"
    exit 1
fi

# Declare local variables and generate a random password for SFTP
newuser=$1
randompw=$(LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 8 | head -n 1)

# Create the new user and assign the random password
useradd "$newuser"
echo "$newuser:$randompw" | chpasswd

# Set folder permissions. sshd only accepts a ChrootDirectory that is owned by
# root and not writable by group or others, so the home directory stays
# root-owned and the user gets a writable sftproot folder inside it.
echo "Please wait: applying permissions and setting up the incoming folder"

mkdir -p "/home/$newuser"
chown root:root "/home/$newuser"
chmod 755 "/home/$newuser"
mkdir -p "/home/$newuser/sftproot"
chown "$newuser:$newuser" "/home/$newuser/sftproot"

# Restrict this user to SFTP inside the chroot
cat <<EOF >> /etc/ssh/sshd_config
Match User $newuser
    ChrootDirectory /home/$newuser/
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no
EOF

# Test the configuration before restarting so a bad edit cannot lock out SSH
/usr/sbin/sshd -t && service ssh restart

# Append the new username and password to account.txt
cat <<EOF >> /home/account.txt
$newuser $randompw
EOF

echo "SFTP Account: $newuser has been created with the password: $randompw"

Make this script executable

sudo chmod +x createsftp.sh

Command to create an SFTP account

root@sftp:/home# sudo ./createsftp.sh user1
Please wait Applying Permission and setting Incoming folder
SFTP Account: user1 has been created with the password: Jtkxp0ZE

The password is also saved in the account.txt file

cat account.txt
user1 6C215q3l

Delete an SFTP account

root@sftp:/home# sudo deluser user1
Removing user `user1' ...
Warning: group `user1' has no more members.
Done.

You also need to delete the following lines from the sshd_config file

Edit /etc/ssh/sshd_config

sudo nano /etc/ssh/sshd_config

Delete the following lines

Match User user1
ChrootDirectory /home/user1/
 ForceCommand internal-sftp
 AllowTCPForwarding no
 X11Forwarding no

Delete the user's home directory (the command below assumes you are still in /home)

sudo rm -rf user1
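Two helpers for the chroot rule and the manual cleanup described above, added here as an example that is not part of the original post: check_chroot_dir verifies that a directory satisfies sshd's ChrootDirectory requirement (owned by root, not writable by group or others), and remove_match_block prints sshd_config without a given user's Match block so the lines do not have to be removed by hand. Both function names are assumptions, as is GNU coreutils stat.

```shell
#!/bin/bash
# Added example, not part of the original post. Assumes GNU coreutils (stat -c)
# and the "Match User <name>" block layout written by createsftp.sh.

# check_chroot_dir <dir>
# sshd refuses a ChrootDirectory unless it is owned by root and not writable by
# group or others. Returns 0 if OK, 2 if group/world-writable, 1 if not root-owned.
check_chroot_dir() {
    local owner mode
    owner=$(stat -c '%U' "$1") || return 3
    mode=$(stat -c '%a' "$1")
    # the two lowest octal digits are group and other; the write bit is 2
    if [ $(( (8#$mode >> 3) & 2 )) -ne 0 ] || [ $(( 8#$mode & 2 )) -ne 0 ]; then
        echo "$1: writable by group or others (mode $mode)" >&2
        return 2
    fi
    if [ "$owner" != "root" ]; then
        echo "$1: owned by $owner, must be root" >&2
        return 1
    fi
    return 0
}

# remove_match_block <user> <sshd_config>
# Prints the config without "Match User <user>" and the lines that follow it,
# up to the next Match directive or end of file. The file itself is not changed;
# redirect the output to a new file and review it before replacing sshd_config.
remove_match_block() {
    awk -v user="$1" '
        /^[ \t]*Match[ \t]/ {
            skip = ($0 ~ ("^[ \t]*Match[ \t]+User[ \t]+" user "[ \t]*$"))
        }
        !skip { print }
    ' "$2"
}
```

Run sshd -t on the rewritten file before restarting ssh, exactly as for the creation script.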

Clean Ubuntu 14x or 16x for Proxmox VE Template

Bash shell script to clean up Ubuntu for a Proxmox VE template

#!/bin/bash
# Stop rsyslog to clean up logs
service rsyslog stop

# Cleanup all logs
cat /dev/null > /var/log/audit/audit.log
cat /dev/null > /var/log/wtmp
cat /dev/null > /var/log/lastlog

#cleanup persistent udev rules
rm /etc/udev/rules.d/70-persistent-net.rules

#cleanup /tmp directories
rm -rf /tmp/*
rm -rf /var/tmp/*

#cleanup current ssh keys
rm -f /etc/ssh/ssh_host_*
sed -i -e 's|exit 0||' /etc/rc.local
sed -i -e 's|.*test -f /etc/ssh/ssh_host_dsa_key.*||' /etc/rc.local
bash -c 'echo "test -f /etc/ssh/ssh_host_dsa_key || dpkg-reconfigure openssh-server" >> /etc/rc.local'
bash -c 'echo "exit 0" >> /etc/rc.local'

# Clear hostname
cat /dev/null > /etc/hostname

# Cleanup apt
apt-get clean

# Cleanup shell history: empty the history file, then clear the in-memory history
cat /dev/null > ~/.bash_history
history -c


Add Let’s Encrypt SSL Certificate to Nagios 4.x running on CentOS 7

The easiest way to install the Let's Encrypt client is by cloning its GitHub repository. To install git on your system you must enable the EPEL repository with the following command

yum -y install epel-release

Install the git client

yum -y install git

Change directory to /usr/src

cd /usr/src/

Clone the Let's Encrypt client from GitHub

git clone https://github.com/letsencrypt/letsencrypt
cd /usr/src/letsencrypt

Run the letsencrypt-auto script with your domain name

./letsencrypt-auto --apache -d FullyQualifiedDomainName

This script will download and install all necessary packages.

Answer the following questions.

- Enter an email address (used for urgent renewal and security notices)
- Read the Terms of Service and accept them
- Would you be willing to share your email.....
- Select ssl.conf

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/YourFullDomainName/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/YourFullDomainName/privkey.pem
 Your cert will expire on 2017-11-12. To obtain a new or tweaked
 version of this certificate in the future, simply run
 letsencrypt-auto again with the "certonly" option. To
 non-interactively renew *all* of your certificates, run
 "letsencrypt-auto renew"
 - Your account credentials have been saved in your Certbot
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Certbot so
 making regular backups of this folder is ideal.

The certificate has been installed successfully.

A Let's Encrypt certificate is only valid for 90 days. To renew it automatically, add the following line to your cron job.

0 1 12 * * /usr/src/letsencrypt/certbot-auto renew

How to find out information about an LXC VPS CPU

Find CPU information

cat /proc/cpuinfo

or

[root@server ~]# lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 24
On-line CPU(s) list: 0-23
Thread(s) per core: 2
Core(s) per socket: 6
Socket(s): 2
NUMA node(s): 2
Vendor ID: GenuineIntel
CPU family: 6
Model: 44
Model name: Intel(R) Xeon(R) CPU L5640 @ 2.27GHz
Stepping: 2
CPU MHz: 2266.000
BogoMIPS: 4533.49
Virtualization: VT-x
L1d cache: 32K
L1i cache: 32K
L2 cache: 256K
L3 cache: 12288K
NUMA node0 CPU(s): 0,2,4,6,8,10,12,14,16,18,20,22
NUMA node1 CPU(s): 1,3,5,7,9,11,13,15,17,19,21,23

Find out the number of virtual CPU cores

grep -c ^processor /proc/cpuinfo

Create Custom CentOS 6x or 7x KVM template for Proxmox VE

Create a KVM with custom HDD, RAM, CPU, etc. using CentOS 6 or 7 minimal

Disable SELinux

Edit /etc/selinux/config

vi /etc/selinux/config

Change SELINUX=enforcing to SELINUX=disabled

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Turn off the firewall (CentOS 7x)

systemctl stop firewalld
systemctl disable firewalld
yum -y install net-tools

Turn off the firewall (CentOS 6x)

service iptables save
service iptables stop
chkconfig iptables off

Create a bash shell script named seal.sh

vi /usr/src/seal.sh

Paste the following script into the seal.sh file

#!/bin/bash
echo "Seal This Centos 6x and 7x Server"
yum clean all
# Empty the machine ID so each clone generates its own on first boot
> /etc/machine-id
# Remove SSH host keys (sshd regenerates missing keys at the next start) and root's SSH files
rm -f /etc/ssh/ssh_host_*
rm -rf /root/.ssh/
# Remove the kickstart file and root's shell history
rm -f /root/anaconda-ks.cfg
rm -f /root/.bash_history
unset HISTFILE
# Remove logs
rm -f /var/log/boot.log
rm -f /var/log/cron
rm -f /var/log/dmesg
rm -f /var/log/grubby
rm -f /var/log/lastlog
rm -f /var/log/maillog
rm -f /var/log/messages
rm -f /var/log/secure
rm -f /var/log/spooler
rm -f /var/log/tallylog
rm -f /var/log/wpa_supplicant.log
rm -f /var/log/wtmp
rm -f /var/log/yum.log
rm -f /var/log/audit/audit.log
rm -f /var/log/tuned/tuned.log

Go to the /usr/src folder and make the script executable

cd /usr/src
chmod +x seal.sh

Run the seal.sh script

./seal.sh

Clear the shell history

cat /dev/null > ~/.bash_history && history -c && exit

Generalize (seal) the Linux virtual machine using the sys-unconfig command before turning it into a template. This prevents conflicts between virtual machines deployed from the template.

sys-unconfig


Using the Proxmox web interface, stop the VM

Next, right-click on the VM and select Convert to Template

Your Custom CentOS Template is ready.

How to create a Linux LXC Container in Proxmox VE

Open the Proxmox web interface.

Select Server View, then select your node, then click on Create CT

Step: 1 

Enter hostname and Password

Step: 2 

Select the template storage, then select the OS from the dropdown list and click on Next

Step: 3

Enter Disk Size

Step: 4

Enter Number of CPU Cores

Step: 5

Enter RAM size in MB

Step: 6

Enter Network Details

Step: 7

Enter Name Servers Details

Step: 8

Click on Finish 

Wait for the task to complete.

Your Proxmox container is ready.

Direct query from a specific DNS server

You can use the following command on both Windows and Linux

nslookup IP_Address/Domain_name DNS_server

nslookup lg.ca.hostfav.com 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: lg.ca.hostfav.com
Address: 104.225.209.xx

Install Let’s Encrypt Certificate on Gitlab CentOS 7

Install epel-release. EPEL provides an extended set of packages

yum install epel-release -y

Install certbot

yum install certbot -y

Create a folder where the Let's Encrypt verification files will be stored

mkdir -p /var/www/public/letsencrypt

We need to configure GitLab to pass any /.well-known requests to that folder.

Edit the following file

vi /etc/gitlab/gitlab.rb

Find the following commented line and add the nginx['custom_gitlab_server_config'] setting below it

# web_server['home'] = '/var/opt/gitlab/nginx'
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known {
    root /var/www/public/letsencrypt;
}"

Reconfigure GitLab

gitlab-ctl reconfigure

Now you are ready to request a Let's Encrypt certificate

Use the following command to request the certificate

certbot certonly --webroot --webroot-path=/var/www/public/letsencrypt -d git.hostfav.com

You will get the following message.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
 /etc/letsencrypt/live/git.hostfav.com/fullchain.pem. Your cert will
 expire on 2017-10-25. To obtain a new or tweaked version of this
 certificate in the future, simply run certbot again. To
 non-interactively renew *all* of your certificates, run "certbot
 renew"
 - Your account credentials have been saved in your Certbot
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Certbot so
 making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:


Configure GitLab for the new certificate

vi /etc/gitlab/gitlab.rb

Change the external URL

external_url 'https://git.hostfav.com'

Uncomment this line and change false to true

nginx['redirect_http_to_https'] = true

Change the certificate and key file paths

Find the following two lines and uncomment them

# nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt"
# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"

Update the paths

nginx['ssl_certificate'] = "/etc/letsencrypt/live/git.hostfav.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/git.hostfav.com/privkey.pem"

Reconfigure GitLab and apply the changes

gitlab-ctl reconfigure
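Before running the reconfigure step, the four gitlab.rb settings changed above can be sanity-checked with the following helper, an added example that is not part of the original post or of GitLab. It reports an external_url that is still http, a redirect that is not true, and certificate or key lines that were left commented out. The function names rb_setting and gitlab_rb_check are assumptions, and the quoting style is assumed to match the post.

```shell
#!/bin/bash
# Added example, not part of the original post or of GitLab: check the gitlab.rb
# settings the post edits before "gitlab-ctl reconfigure". Commented-out lines
# are ignored, so a setting left commented out is reported as missing.

# rb_setting <gitlab.rb> <key>
# Prints the last active value of <key> with surrounding quotes removed.
rb_setting() {
    local pat
    pat=$(printf '%s' "$2" | sed 's/[][]/\\&/g')   # escape [ ] for grep's BRE
    grep -- "^[[:space:]]*$pat[[:space:]=]" "$1" | tail -n 1 \
        | sed 's/^[[:space:]]*[^ =]*[[:space:]]*=\{0,1\}[[:space:]]*//' | tr -d "'\""
}

# gitlab_rb_check <gitlab.rb> <fqdn>
# Prints one line per problem and returns the number of problems (0 = ready).
gitlab_rb_check() {
    local rb="$1" fqdn="$2" problems=0 url redirect crt key
    url=$(rb_setting "$rb" external_url)
    redirect=$(rb_setting "$rb" "nginx['redirect_http_to_https']")
    crt=$(rb_setting "$rb" "nginx['ssl_certificate']")
    key=$(rb_setting "$rb" "nginx['ssl_certificate_key']")

    [ "$url" = "https://$fqdn" ] \
        || { echo "external_url is '$url', expected https://$fqdn"; problems=$((problems + 1)); }
    [ "$redirect" = "true" ] \
        || { echo "nginx['redirect_http_to_https'] is '$redirect', expected true"; problems=$((problems + 1)); }
    [ "$crt" = "/etc/letsencrypt/live/$fqdn/fullchain.pem" ] \
        || { echo "nginx['ssl_certificate'] is '$crt', expected the Let's Encrypt fullchain.pem"; problems=$((problems + 1)); }
    [ "$key" = "/etc/letsencrypt/live/$fqdn/privkey.pem" ] \
        || { echo "nginx['ssl_certificate_key'] is '$key', expected the Let's Encrypt privkey.pem"; problems=$((problems + 1)); }
    return "$problems"
}
```

Usage: gitlab_rb_check /etc/gitlab/gitlab.rb git.hostfav.com; a non-zero exit status means something still needs editing.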

A Let's Encrypt certificate is only valid for 90 days. To renew it automatically, add the following line to your cron job.

0 1 1 * * /usr/bin/certbot renew --quiet --renew-hook "/usr/bin/gitlab-ctl restart nginx"

This cron job runs certbot renew on the first of every month and restarts nginx so that GitLab picks up the renewed certificate.

This improves the security of both the GitLab Server and the users who use it.

Add Let’s Encrypt Certificate to Webmin

Login to Webmin site using https://your-domain-name.com:10000

Once you log in, you will see Webmin Dashboard.

Click on your server's hostname

You will be presented with the Hostname and DNS Client page.

Enter a fully qualified domain name into the hostname field and click on Save.

Go to Webmin Configuration then select SSL Encryption

Use the following screen to obtain and renew the certificate.

We can set up Webmin to renew the certificate automatically.

Hostname for certificate: make sure you have typed the correct fully qualified domain name

Website root directory for validation file: Enter /var/www/html/

Months between automatic renewal: select the radio button to the left of the input box and type 1 in the input box

Click on the Request Certificate button

After a few seconds, you will see a confirmation screen.

Restart Webmin

Reload the Webmin page and your browser will show a valid certificate.