Install sSMTP

hint: 

To enable sendmail to use STARTTLS, you need to:
1) Add this line to /etc/mail/sendmail.mc and optionally
to /etc/mail/submit.mc:
include(`/etc/mail/tls/starttls.m4')dnl
2) Run sendmailconfig
3) Restart sendmail

apt-get install phpmailer
/usr/sbin/ssmtp Αυτή η διεύθυνση ηλεκτρονικού ταχυδρομείου προστατεύεται από τους αυτοματισμούς αποστολέων ανεπιθύμητων μηνυμάτων. Χρειάζεται να ενεργοποιήσετε τη JavaScript για να μπορέσετε να τη δείτε.< msg.txt

 

Install sSMTP and setup with Gmail on Ubuntu 16.04

This is a guide on how to install sSMTP and set it up with Gmail on Ubuntu 16.04.
I installed this to allow CSF/LFD to send email to me, as I didn’t want a full mail server.

Step 1:
Login to SSH as root.

Step 2:
Makre sure your Ubuntu Repository, is up to date.

sudo apt-get update

Step 3:
Install sSMTP

sudo apt-get install ssmtp

Step 4:
Configure sSMTP

nano /etc/ssmtp/ssmtp.conf

#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=Αυτή η διεύθυνση ηλεκτρονικού ταχυδρομείου προστατεύεται από τους αυτοματισμούς αποστολέων ανεπιθύμητων μηνυμάτων. Χρειάζεται να ενεργοποιήσετε τη JavaScript για να μπορέσετε να τη δείτε.

# The place where the mail goes. The actual machine name is required no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
mailhub=smtp.gmail.com:587

AuthUser=Αυτή η διεύθυνση ηλεκτρονικού ταχυδρομείου προστατεύεται από τους αυτοματισμούς αποστολέων ανεπιθύμητων μηνυμάτων. Χρειάζεται να ενεργοποιήσετε τη JavaScript για να μπορέσετε να τη δείτε.
AuthPass=MyPassword
UseTLS=YES
UseSTARTTLS=YES

# Where will the mail seem to come from?
rewriteDomain=gmail.com

# The full hostname
hostname=localhost

# Are users allowed to set their own From: address?
# YES – Allow the user to specify their own From: address
# NO – Use the system generated From: address
FromLineOverride=YES

Step 5:
Add reverse aliases

nano /etc/ssmtp/revaliases

Add the line:
root:Αυτή η διεύθυνση ηλεκτρονικού ταχυδρομείου προστατεύεται από τους αυτοματισμούς αποστολέων ανεπιθύμητων μηνυμάτων. Χρειάζεται να ενεργοποιήσετε τη JavaScript για να μπορέσετε να τη δείτε.:smtp.gmail.com:587

Step 6:
Create a test messae to send

cd /root

nano msg.txt

Add the following lines:
To: Αυτή η διεύθυνση ηλεκτρονικού ταχυδρομείου προστατεύεται από τους αυτοματισμούς αποστολέων ανεπιθύμητων μηνυμάτων. Χρειάζεται να ενεργοποιήσετε τη JavaScript για να μπορέσετε να τη δείτε.
From: Αυτή η διεύθυνση ηλεκτρονικού ταχυδρομείου προστατεύεται από τους αυτοματισμούς αποστολέων ανεπιθύμητων μηνυμάτων. Χρειάζεται να ενεργοποιήσετε τη JavaScript για να μπορέσετε να τη δείτε.
Subject: test email

Hello World!

Step 7:
Test to make sure it all working

cd /root

/usr/sbin/ssmtp Αυτή η διεύθυνση ηλεκτρονικού ταχυδρομείου προστατεύεται από τους αυτοματισμούς αποστολέων ανεπιθύμητων μηνυμάτων. Χρειάζεται να ενεργοποιήσετε τη JavaScript για να μπορέσετε να τη δείτε. < msg.txt

Info:
Be sure to set your Gmail email address where it has:
Αυτή η διεύθυνση ηλεκτρονικού ταχυδρομείου προστατεύεται από τους αυτοματισμούς αποστολέων ανεπιθύμητων μηνυμάτων. Χρειάζεται να ενεργοποιήσετε τη JavaScript για να μπορέσετε να τη δείτε.

Remember to set your Password in the ssmtp.conf file.
If you are using Two-Factor you will need to create an App password, instead.

 ************** for noisyjohn ***********************

mailhub=smtp.gmail.com:587
AuthUser=Αυτή η διεύθυνση ηλεκτρονικού ταχυδρομείου προστατεύεται από τους αυτοματισμούς αποστολέων ανεπιθύμητων μηνυμάτων. Χρειάζεται να ενεργοποιήσετε τη JavaScript για να μπορέσετε να τη δείτε.
AuthPass=CityOfCHaoS1951
UseTLS=YES
UseSTARTTLS=YES
# Where will the mail seem to come from?
#rewriteDomain=
rewriteDomain=gmail.com
# The full hostname
hostname=localhost
FromLineOverride=YES

*************************************************************

how to fix “send-mail: Authorization failed 534 5.7.14 ”
It may take more than one step to fix this issue

Take the step mentioned earlier. Log into your google email account and then go to this link: https://www.google.com/settings/security/lesssecureapps and set "Access for less secure apps" to ON. Test to see if your issue is resolved. If it isn't resolved, as it wasn't for me, continue to Step #2.

Go to https://support.google.com/accounts/answer/6009563 (Titled: "Password incorrect error"). This page says "There are several reasons why you might see a “Password incorrect” error (aka 534-5.7.14) when signing in to Google using third-party apps. In some cases even if you type your password correctly." This page gives 4 suggestions of things to try.

postfix would be an overkill if you just need to send emails from php while developing applications on your home computer.

Use a very simple and lightweight package ssmtp. It will use any smtp server to send outbound emails. Install it by running:

sudo apt-get install ssmtp
Then edit /etc/ssmtp/ssmtp.conf file, comment out existing mailhub line and add the following lines (this example is for gmail smtp server):

mailhub=smtp.gmail.com:587
UseSTARTTLS=YES
AuthUser=@gmail.com
AuthPass=

smtp-auth.forthnet.gr
(Provide your gmail username & password. Of course you can use any other SMTP server).

Now make sure that your php.ini has correct sendmail_path. It should read as:

sendmail_path = /usr/sbin/sendmail -t

Περισσότερα...

AppArmor

AppArmor

is a Linux Security Module implementation of name-based mandatory access controls. AppArmor confines individual programs to a set of listed files and posix 1003.1e draft capabilities. AppArmor is installed and loaded by default. It uses profiles of an application to determine what files and permissions the application requires. Some packages will install their own profiles, and additional profiles can be found in the apparmor-profiles package.

To install the apparmor-profiles package from a terminal prompt:

sudo apt install apparmor-profiles
AppArmor profiles have two modes of execution:

Complaining/Learning: profile violations are permitted and logged. Useful for testing and developing new profiles.

Enforced/Confined: enforces profile policy as well as logging the violation.

Using AppArmor
Profiles
References
Using AppArmor
This section is plagued by a bug (LP #1304134) and instructions will not work as advertised.

The apparmor-utils package contains command line utilities that you can use to change the AppArmor execution mode, find the status of a profile, create new profiles, etc.

apparmor_status is used to view the current status of AppArmor profiles.

sudo apparmor_status
aa-complain places a profile into complain mode.

sudo aa-complain /path/to/bin
aa-enforce places a profile into enforce mode.

sudo aa-enforce /path/to/bin
The /etc/apparmor.d directory is where the AppArmor profiles are located. It can be used to manipulate the mode of all profiles.

Enter the following to place all profiles into complain mode:

sudo aa-complain /etc/apparmor.d/*
To place all profiles in enforce mode:

sudo aa-enforce /etc/apparmor.d/*
apparmor_parser is used to load a profile into the kernel. It can also be used to reload a currently loaded profile using the -r option. To load a profile:

cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
To reload a profile:

cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
systemctl can be used to reload all profiles:

sudo systemctl reload apparmor.service
The /etc/apparmor.d/disable directory can be used along with the apparmor_parser -R option to disable a profile.

sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name
To re-enable a disabled profile remove the symbolic link to the profile in /etc/apparmor.d/disable/. Then load the profile using the -a option.

sudo rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
AppArmor can be disabled, and the kernel module unloaded by entering the following:

sudo systemctl stop apparmor.service
sudo update-rc.d -f apparmor remove
To re-enable AppArmor enter:

sudo systemctl start apparmor.service
sudo update-rc.d apparmor defaults
Replace profile.name with the name of the profile you want to manipulate. Also, replace /path/to/bin/ with the actual executable file path. For example for the ping command use /bin/ping

Profiles
AppArmor profiles are simple text files located in /etc/apparmor.d/. The files are named after the full path to the executable they profile replacing the "/" with ".". For example /etc/apparmor.d/bin.ping is the AppArmor profile for the /bin/ping command.

There are two main type of rules used in profiles:

Path entries: detail which files an application can access in the file system.

Capability entries: determine what privileges a confined process is allowed to use.

As an example, take a look at /etc/apparmor.d/bin.ping:

#include
/bin/ping flags=(complain) {
#include
#include
#include

capability net_raw,
capability setuid,
network inet raw,

/bin/ping mixr,
/etc/modules.conf r,
}
#include : include statements from other files. This allows statements pertaining to multiple applications to be placed in a common file.

/bin/ping flags=(complain): path to the profiled program, also setting the mode to complain.

capability net_raw,: allows the application access to the CAP_NET_RAW Posix.1e capability.

/bin/ping mixr,: allows the application read and execute access to the file.

After editing a profile file the profile must be reloaded. See Using AppArmor for details.

Creating a Profile
Design a test plan: Try to think about how the application should be exercised. The test plan should be divided into small test cases. Each test case should have a small description and list the steps to follow.

Some standard test cases are:

Starting the program.

Stopping the program.

Reloading the program.

Testing all the commands supported by the init script.

Generate the new profile: Use aa-genprof to generate a new profile. From a terminal:

sudo aa-genprof executable
For example:

sudo aa-genprof slapd
To get your new profile included in the apparmor-profiles package, file a bug in Launchpad against the AppArmor package:

Include your test plan and test cases.

Attach your new profile to the bug.

Updating Profiles
When the program is misbehaving, audit messages are sent to the log files. The program aa-logprof can be used to scan log files for AppArmor audit messages, review them and update the profiles. From a terminal:

sudo aa-logprof

Περισσότερα...

Tomcat installation on Ubuntu 16.04

Περισσότερα...

Backup With Rsync and Ssh

Introduction

From the man page:

• Rsync is a fast and extraordinarily versatile file copying tool. It can copy locally, to/from another host over any remote shell, or to/from a remote rsync daemon. It offers a large number of options that control every aspect of its behavior and permit very flexible specification of the set of files to be copied. It is famous for its delta-transfer algorithm, which reduces the amount of data sent over the network by sending only the differences between the source files and the existing files in the destination. Rsync is widely used for backups and mirroring and as an improved copy command for everyday use.

In other words, rsync is a tool for efficiently copying and backing up data from one location (the source) to another (the destination). It is efficient because it only transfers files which are different between the source and destination directories.

Rsync

Rsync is a command line utility. Users attempting to use it should be familiar with the command line (see Using the Terminal). If you prefer a graphical interface, see the Grsync section of this page.

Installation

Rsync is installed in Ubuntu by default. Be sure to check whether the following packages are installed before starting (see Installing a Package): rsync, xinetd, ssh.

Perform a Simple Backup

The simplest method for backing up over a network is to use rsync via SSH (using the -e ssh option). Alternatively, you can use the rsync daemon (see Rsync Daemon which requires much more configuration. Local backup only requires rsync and read/write access to the folders being synchronized. Below you will find examples of commands that can be used to backup in either case. It should be noted, that a network sync can be performed locally so long as the folder is shared (say by Samba) and then mounted to the machine with folder1. This process gets around having to use ssh but is less secure and should only be used in secure private networks, like at your home.

 

διαβάστε περισσότερα

How To Install Apache Tomcat

How To Install Apache Tomcat 8 on Ubuntu 16.04

 

Introduction

Apache Tomcat is a web server and servlet container that is used to serve Java applications. Tomcat is an open source implementation of the Java Servlet and JavaServer Pages technologies, released by the Apache Software Foundation. This tutorial covers the basic installation and some configuration of the latest release of Tomcat 8 on your Ubuntu 16.04 server.

Prerequisites

Before you begin with this guide, you should have a non-root user with sudo privileges set up on your server. You can learn how to do this by completing our Ubuntu 16.04 initial server setup guide.

Step 1: Install Java

Tomcat requires Java to be installed on the server so that any Java web application code can be executed. We can satisfy that requirement by installing OpenJDK with apt-get.

First, update your apt-get package index:

• sudo apt-get update

Then install the Java Development Kit package with apt-get:

• sudo apt-get install default-jdk

Managing Java

There can be multiple Java installations on one server. You can configure which version is the default for use in the command line by using update-alternatives, which manages which symbolic links are used for different commands.

• sudo update-alternatives --config java

The output will look something like the following. In this case, this is what the output will look like with all Java versions mentioned above installed.

There are 5 choices for the alternative java (providing /usr/bin/java).

  Selection    Path                                            Priority   Status
------------------------------------------------------------
* 0            /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java   1081      auto mode
  1            /usr/lib/jvm/java-6-oracle/jre/bin/java          1         manual mode
  2            /usr/lib/jvm/java-7-oracle/jre/bin/java          2         manual mode
  3            /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java   1081      manual mode
  4            /usr/lib/jvm/java-8-oracle/jre/bin/java          3         manual mode
  5            /usr/lib/jvm/java-9-oracle/bin/java              4         manual mode

Press <enter> to keep the current choice[*], or type selection number:

You can now choose the number to use as a default. This can also be done for other Java commands, such as the compiler (javac), the documentation generator (javadoc), the JAR signing tool (jarsigner), and more. You can use the following command, filling in the command you want to customize.

• sudo update-alternatives --config command

Setting the JAVA_HOME Environment Variable

Many programs, such as Java servers, use the JAVA_HOME environment variable to determine the Java installation location. To set this environment variable, we will first need to find out where Java is installed. You can do this by executing the same command as in the previous section:

• sudo update-alternatives --config java

Copy the path from your preferred installation and then open /etc/environment using nano or your favorite text editor.

• sudo nano /etc/environment

Now that Java is installed, we can create a tomcat user, which will be used to run the Tomcat service.

Step 2: Create Tomcat User

For security purposes, Tomcat should be run as an unprivileged user (i.e. not root). We will create a new user and group that will run the Tomcat service.

First, create a new tomcat group:

• sudo groupadd tomcat

Next, create a new tomcat user. We'll make this user a member of the tomcat group, with a home directory of /opt/tomcat (where we will install Tomcat), and with a shell of /bin/false (so nobody can log into the account):

• sudo useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat

Now that our tomcat user is set up, let's download and install Tomcat.

Step 3: Install Tomcat

The best way to install Tomcat 8 is to download the latest binary release then configure it manually.

Find the latest version of Tomcat 8 at the Tomcat 8 Downloads page. At the time of writing, the latest version is 8.5.5, but you should use a later stable version if it is available. Under the Binary Distributionssection, then under the Core list, copy the link to the "tar.gz".

Next, change to the /tmp directory on your server. This is a good directory to download ephemeral items, like the Tomcat tarball, which we won't need after extracting the Tomcat contents:

• cd /tmp

Use curl to download the link that you copied from the Tomcat website:

• curl -O http://apache.mirrors.ionfish.org/tomcat/tomcat-8/v8.5.5/bin/apache-tomcat-8.5.5.tar.gz

We will install Tomcat to the /opt/tomcat directory. Create the directory, then extract the archive to it with these commands:

• sudo mkdir /opt/tomcat
• sudo tar xzvf apache-tomcat-8*tar.gz -C /opt/tomcat --strip-components=1

Next, we can set up the proper user permissions for our installation.

Step 4: Update Permissions

The tomcat user that we set up needs to have access to the Tomcat installation. We'll set that up now.

Change to the directory where we unpacked the Tomcat installation:

• cd /opt/tomcat

Give the tomcat group ownership over the entire installation directory:

• sudo chgrp -R tomcat /opt/tomcat

Next, give the tomcat group read access to the conf directory and all of its contents, and execute access to the directory itself:

• sudo chmod -R g+r conf
• sudo chmod g+x conf

Make the tomcat user the owner of the webapps, work, temp, and logs directories:

• sudo chown -R tomcat webapps/ work/ temp/ logs/

Now that the proper permissions are set up, we can create a systemd service file to manage the Tomcat process.

Step 5: Create a systemd Service File

We want to be able to run Tomcat as a service, so we will set up systemd service file.

Tomcat needs to know where Java is installed. This path is commonly referred to as "JAVA_HOME". The easiest way to look up that location is by running this command:

• sudo update-java-alternatives -l

java-1.8.0-openjdk-amd64       1081       /usr/lib/jvm/java-1.8.0-openjdk-amd64

The correct JAVA_HOME variable can be constructed by taking the output from the last column (highlighted in red) and appending /jre to the end. Given the example above, the correct JAVA_HOME for this server would be:

/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre

Your JAVA_HOME may be different.

With this piece of information, we can create the systemd service file. Open a file called tomcat.servicein the /etc/systemd/system directory by typing:

• sudo nano /etc/systemd/system/tomcat.service

Paste the following contents into your service file. Modify the value of JAVA_HOME if necessary to match the value you found on your system. You may also want to modify the memory allocation settings that are specified in CATALINA_OPTS:

[Unit]
Description=Apache Tomcat Web Application Container
After=network.target

[Service]
Type=forking

Environment=JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

User=tomcat
Group=tomcat
UMask=0007
RestartSec=10
Restart=always

[Install]
WantedBy=multi-user.target

When you are finished, save and close the file.

Next, reload the systemd daemon so that it knows about our service file:

• sudo systemctl daemon-reload

Start the Tomcat service by typing:

• sudo systemctl start tomcat

Double check that it started without errors by typing:

• sudo systemctl status tomcat

Step 6: Adjust the Firewall and Test the Tomcat Server

Now that the Tomcat service is started, we can test to make sure the default page is available.

Before we do that, we need to adjust the firewall to allow our requests to get to the service. If you followed the prerequisites, you will have a ufw firewall enabled currently.

Tomcat uses port 8080 to accept conventional requests. Allow traffic to that port by typing:

• sudo ufw allow 8080

With the firewall modified, you can access the default splash page by going to your domain or IP address followed by :8080 in a web browser:

http://server_domain_or_IP:8080

You will see the default Tomcat splash page, in addition to other information. However, if you click the links for the Manager App, for instance, you will be denied access. We can configure that access next.

If you were able to successfully accessed Tomcat, now is a good time to enable the service file so that Tomcat automatically starts at boot:

• sudo systemctl enable tomcat

Step 7: Configure Tomcat Web Management Interface

In order to use the manager web app that comes with Tomcat, we must add a login to our Tomcat server. We will do this by editing the tomcat-users.xml file:

• sudo nano /opt/tomcat/conf/tomcat-users.xml

You will want to add a user who can access the manager-gui and admin-gui (web apps that come with Tomcat). You can do so by defining a user, similar to the example below, between the tomcat-users tags. Be sure to change the username and password to something secure:

<tomcat-users . . .>
    <user username="admin" password="password" roles="manager-gui,admin-gui"/>
</tomcat-users>

Save and close the file when you are finished.

By default, newer versions of Tomcat restrict access to the Manager and Host Manager apps to connections coming from the server itself. Since we are installing on a remote machine, you will probably want to remove or alter this restriction. To change the IP address restrictions on these, open the appropriate context.xml files.

For the Manager app, type:

• sudo nano /opt/tomcat/webapps/manager/META-INF/context.xml

For the Host Manager app, type:

• sudo nano /opt/tomcat/webapps/host-manager/META-INF/context.xml

Inside, comment out the IP address restriction to allow connections from anywhere. Alternatively, if you would like to allow access only to connections coming from your own IP address, you can add your public IP address to the list:

<Context antiResourceLocking="false" privileged="true" >
  <!--<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->
</Context>

Save and close the files when you are finished.

To put our changes into effect, restart the Tomcat service:

• sudo systemctl restart tomcat

Step 8: Access the Web Interface

Now that we have create a user, we can access the web management interface again in a web browser. Once again, you can get to the correct interface by entering your server's domain name or IP address followed on port 8080 in your browser:

http://server_domain_or_IP:8080

The page you see should be the same one you were given when you tested earlier:

 

Let's take a look at the Manager App, accessible via the link or http://server_domain_or_IP:8080/manager/html. You will need to enter the account credentials that you added to the tomcat-users.xml file. Afterwards, you should see a page that looks like this:

 

The Web Application Manager is used to manage your Java applications. You can Start, Stop, Reload, Deploy, and Undeploy here. You can also run some diagnostics on your apps (i.e. find memory leaks). Lastly, information about your server is available at the very bottom of this page.

Now let's take a look at the Host Manager, accessible via the link or http://server_domain_or_IP:8080/host-manager/html/:

From the Virtual Host Manager page, you can add virtual hosts to serve your applications from.

Conclusion

Your installation of Tomcat is complete! Your are now free to deploy your own Java web applications!

Currently, your Tomcat installation is functional, but entirely unencrypted. This means that all data, including sensitive items like passwords, are sent in plain text that can be intercepted and read by other parties on the internet. In order to prevent this from happening, it is strongly recommended that you encrypt your connections with SSL. You can find out how to encrypt your connections to Tomcat by following this guide.

 

Περισσότερα...