|
1 2 3 4 5 |
# openssl rsa -modulus -noout -in private_key.key | openssl md5 (stdin)= b650539so2020gwoge778b6981a38c # openssl x509 -modulus -noout -in mysite_certificate.crt | openssl md5 (stdin)= b650539so2020gwoge778b6981a38c |
the outputs must match 🙂
|
1 2 3 |
<?php printf($_SERVER['HTTPS']) ?> |
|
1 2 3 4 5 |
# openssl rsa -modulus -noout -in private_key.key | openssl md5 (stdin)= jhg557dd83jdlki93de778b69ojg536 # openssl x509 -modulus -noout -in certificate.crt | openssl md5 (stdin)= jhg557dd83jdlki93de778b69ojg536 |
|
1 2 3 |
git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt ./letsencrypt-auto |
If this command doesn’t work, you can try the following manual way
|
1 |
./letsencrypt-auto certonly --email youremail@domain.com --webroot -w /var/www/vhosts/yourdomain.com -d yourdomain.com -d www.yourdomain.com |
You can add multiple domains under the same certificate
|
1 |
./letsencrypt-auto certonly --email youremail@domain.com --webroot -w /var/www/vhosts/yourdomain.com -d yourdomain.com -d www.yourdomain.com -w /var/www/vhosts/yourdomain2.com -d yourdomain2.com -d www.yourdomain2.com |
Update your Apache configuration to use the new certificate:
|
1 2 3 4 |
SSLEngine on SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem |
Check domain:
https://crt.sh/?q=%25yourdomain.com
Renew the certificate with a script set in a cron (set every 2 months – certificate expires every 3)
|
1 2 |
# run on the 1st of Odd Months at midnight | Renew certificates 0 0 1 1-11/2 * root /root/letsencrypt/renew.sh >/dev/null 2>&1 |
renew.sh script:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
#!/bin/bash MAIL=youremail@domain.com LOG=/var/log/letsencrypt/renew.log SENDMAIL=/usr/sbin/sendmail CMD="renew" /root/letsencrypt/letsencrypt-auto $CMD > $LOG 2>&1 if [ $? -eq 0 ] ; then service httpd graceful else echo -e "Subject: [letsencrypt] SSL automatic renewal FAILED\n$(cat $LOG)" | $SENDMAIL $MAIL exit 1 fi |
Sources:
https://letsencrypt.org/getting-started/
https://www.a2hosting.com/kb/security/ssl/securing-your-site-with-a-lets-encrypt-ssl-certificate
I found this handy plugin to backup my blog:Â BackWPup
It has also an interesting feature which is the ability to backup remotely, for example on a FTP server.
So… here we go! 🙂
Few notes:
allow_writeable_chroot=yes does NOT work on vsftpd version 2.3.5.Install required packets:
|
1 |
apt-get install vsftpd apache2-utils libpam-pwdfile |
Create SSL certificate:
|
1 2 |
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem chmod 600 /etc/ssl/certs/vsftpd.pem |
Add a local user with limited access (like no console) that vsfpd will use to run virtual users:
|
1 |
useradd --home /home/vsftpd --gid nogroup -m --shell /bin/false vsftpd |
Create directory structures for the virtual users:
|
1 2 3 4 5 |
mkdir -p /space/ftpusers/ chmod a-w /space/ftpusers/ mkdir -p /space/ftpusers/ftp01/rw chmod a-w /space/ftpusers/ftp01 chown -R vsftpd:nogroup /space/ftpusers/ftp01 |
Please note that all new virtual users added need its home directory manually created as per above. Also, due to the chroot option and the current limitation on vsftpd, if you want a user to be able to write in its home directory, you need to create an extra folder. Its root home folder has to be -w. This is a workaround that works 🙂
Setup PAM authentication
Create a new file /etc/pam.d/vsftpd.virtual and add the following:
|
1 2 |
auth required pam_pwdfile.so pwdfile /etc/vsftpd/vsftpd.users account required pam_permit.so |
Now, let’s reorder a bit vsftp files in a directory:
|
1 2 3 4 |
mkdir -p /etc/vsftpd cd /etc/ mv vsftpd.conf vsftpd ln -s /etc/vsftpd/vsftpd.conf . |
Add new users (password max 8 characters):
|
1 |
htpasswd -c -d -b /etc/vsftpd/vsftpd.users ftp01 ftp01password |
Use the flag -c only the first time to create the file. If you re-use it, the file will be overwritten!
Also the -d flag is required because vsftpd is unable to read MD5 hashed password (default if -d is not used). The downside of this is a password limited to 8 characters.
Openssl could be used to produce a MD5 based BSD password with algorithm 1 using# openssl passwd -1(not tested)
Let’s configure vsftpd
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
vi /etc/vsftpd.conf # Main Settings listen=YES listen_port=21 connect_from_port_20=NO ftpd_banner=Welcome to my FTP :-) use_localtime=YES force_dot_files=YES # FTP Passive settings pasv_enable=YES pasv_min_port=1100 pasv_max_port=1150 pasv_addr_resolve=YES pasv_enable=YES pasv_addr_resolve=YES pasv_address=<span style="color: #ff0000;"><EXTERNAL IP or DYN DNS></span> # Virtual user settings local_enable=YES chroot_local_user=YES secure_chroot_dir=/var/run/vsftpd/empty virtual_use_local_privs=YES guest_enable=YES guest_username=vsftpd pam_service_name=vsftpd.virtual user_sub_token=$USER local_root=/space/ftpusers/$USER hide_ids=YES # Anonymous settings anonymous_enable=NO anon_upload_enable=NO no_anon_password=NO anon_other_write_enable=NO anon_mkdir_write_enable=NO # Write permissions write_enable=YES local_umask=022 async_abor_enable=YES # SSL ssl_enable=YES force_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO require_ssl_reuse=NO ssl_ciphers=HIGH rsa_cert_file=/etc/ssl/certs/vsftpd.pem # Logging xferlog_enable=YES log_ftp_protocol=NO syslog_enable=NO vsftpd_log_file=/var/log/vsftpd.log |
Now, on your router, make sure that the module ip_conntrack_ftp is loaded using lsmod command.
This is required for FTP PASSIVE mode to work.
I’ve realised that this can be called also nf_conntrack_ftp.
A good way to check all the alias associated to that netfilter module is using the following command:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# modinfo nf_conntrack_ftp filename: /lib/modules/3.3.7/kernel/net/netfilter/nf_conntrack_ftp.ko alias: nfct-helper-ftp alias: <span style="color: #ff0000;">ip_conntrack_ftp</span> description: ftp connection tracking helper author: Rusty Russell <rusty@rustcorp.com.au> license: GPL depends: nf_conntrack intree: Y vermagic: 3.3.7 mod_unload MIPS32_R1 32BIT parm: ports:array of ushort parm: loose:bool |
Also, make sure to setup a port forwarding like as below:
|
1 2 3 4 |
$IPT -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP --dport 21 -j DNAT --to $FTPIP:21 # FTP connection port $IPT -t nat -A PREROUTING -d $EXTIP -p tcp -m tcp --dport 1100:1150 -j DNAT --to-destination $FTPI # FTP PASS ports $IPT -A FORWARD -i $EXTIF -d $FTPI -p tcp --dport 21 -j ACCEPT $IPT -A FORWARD -i $EXTIF -d $FTPI -p tcp --dport 1100:1150 -j ACCEPT |