Letsencrypt Wildcard Certificates, with acme.sh client

Took me a bit of time to figure this out, so I thought I’d make it public. Letsencrypt announced their new wildcard certs, and because I have to add the SSL cert to a load balancer covering many subdomains, I needed to make use of it.

First thing to note is that not all clients support the new v2 API which is required for wildcard certs. I looked at the list of v2 supporting clients on the Letsencrypt site, and chose the acme.sh bash script. Not sure if I’m going to stick with it at this point but it got me going.

First thing you need to do is to run it with the --issue flag. You’ll need to run it with DNS authentication, as that’s the supported method for wildcard certs. You’ll also need to run it with both the root domain AND the wildcard.

Switch from UFW and fail2ban to CSF

Having played with CSF for a while on one server, I’ve decided I like it more than UFW and fail2ban. It seems much better at blocking mail bruteforce attacks and SSH as a distributed attack. So anyway, here’s a list of steps to achieve that, as much for my record as anything. The server is running Ubuntu 16.04, but these general steps should work anywhere. In addition the server I did it on is also running VestaCP, so there are a couple more steps for that.

Command to find all image files which are not really image files!

Quick one this … so you’ve got a compromised webserver and you want to check the files on it. Many scanning tools will ignore images, but an image might not always be what it seems! Check them all with this command:

find /path/to/dir -regex ".*\.\(jpg\|png\|gif\)" -exec file {} \; | grep -i -v "image data"

…

Bash script to clean Bots out of Apache Logs

If you’ve ever spent some time looking at webserver logs, you know how much crap there is in there from crawlers, bots, indexers, and all the bottom feeders of the internet. If you’re looking for a specific problem with the webserver, this stuff can quickly become a nuisance, stopping you from finding the information you …

More Control Over Logwatch Report Dates

I’ve been happily running Logwatch on several servers with the default ‘yesterday’ date range for several years. However, I needed to run it for a client with a larger date range to check out a problem. But the options available for logwatch are only ‘today’, ‘yesterday’ and ‘all’. Or so it told me. And even worse, the ‘yesterday’ option takes the date from the previous day, and pulls out all the info on that date. So if you run your logwatch report at 4pm, you’re missing out on 16 hours’ worth of data! But it turns out logwatch is smarter than that …
