Linux, Windows, Software Tips, Articles and Hacks
Removes all but config files:
$ sudo apt-get remove nginx nginx-common
or remove everything:
$ sudo apt-get purge nginx nginx-common
After using any of the above commands, use this in order to remove dependencies used by nginx which are no longer required:
$ sudo apt-get autoremove
At first, let’s update the packages:
# apt update
Next, download MySQL from the offical page or use wget command: Get the repo package
wget https://dev.mysql.com/get/mysql-apt-config_0.8.20-1_all.deb
dpkg -i mysql-apt-config_0.8.20-1_all.deb
apt install gnupg
dpkg -i mysql-apt-config_0.8.20-1_all.deb
When you attempt to install the package, it will ask you what product and version you want to install. Here you can select The MySQL version, Tools, Connectors (like MySQL Workbench), and preview packages. To select the version, hit the first option:
Select the version you will use. Once selected, it will bring you to the previous menu — press Ok button:
apt-get update
Install the MySQL Server using the command:
sudo apt-get install mysql-community-server
When apt finishes downloading, the installer will ask for a root password:
You have two options:
If you set a password, the installer will ask which authentication plugin to use, strongly encrypted password (MySQL 8.x), or legacy method (MySQL 7.x and earlier).
Now, check the service status with systemctl:
systemctl status mysql.service
# systemctl status mysql.service
● mysql.service - MySQL Community Server
Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-11-17 09:57:21 CST; 38s ago
Docs: man:mysqld(8)
http://dev.mysql.com/doc/refman/en/using-systemd.html
Process: 4290 ExecStartPre=/usr/share/mysql-8.0/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
Main PID: 4325 (mysqld)
Status: "Server is operational"
Tasks: 38 (limit: 2341)
Memory: 358.6M
CPU: 736ms
CGroup: /system.slice/mysql.service
└─4325 /usr/sbin/mysqld
Nov 17 09:57:19 redis-004 systemd[1]: Starting MySQL Community Server...
Nov 17 09:57:21 redis-004 systemd[1]: Started MySQL Community Server.
Next, run the command as a root user to safely configure the SQL service:
mysql_secure_installation
Output:
Securing the MySQL server deployment. Enter password for user root: VALIDATE PASSWORD COMPONENT can be used to test passwords and improve security. It checks the strength of password and allows the users to set only those passwords which are secure enough. Would you like to setup VALIDATE PASSWORD component? Press y|Y for Yes, any other key for No: Using existing password for root. Change the password for root ? ((Press y|Y for Yes, any other key for No) : ... skipping. By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? (Press y|Y for Yes, any other key for No) : y Success. Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y Success. By default, MySQL comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y - Dropping test database... Success. - Removing privileges on test database... Success. Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y Success. All done!
Login and Check the version
# mysql -uroot -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 12 Server version: 8.0.27 MySQL Community Server - GPL Copyright (c) 2000, 2021, Oracle and/or its affiliates. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
Installing Nginx
sudo apt update sudo apt install nginx systemctl status nginx
Output:
nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-11-17 10:09:21 CST; 18s ago
Docs: man:nginx(8)
Process: 5735 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 5736 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 5951 (nginx)
Tasks: 2 (limit: 2341)
Memory: 5.9M
CPU: 34ms
CGroup: /system.slice/nginx.service
├─5951 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
└─5954 nginx: worker process
Nov 17 10:09:21 redis-004 systemd[1]: Starting A high performance web server and a reverse proxy server...
Nov 17 10:09:21 redis-004 systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
Nov 17 10:09:21 redis-004 systemd[1]: Started A high performance web server and a reverse proxy server.
Check Nginx by IP address – http://192.168.0.33
When using the Nginx web server, server blocks (similar to virtual hosts in Apache) can be used to encapsulate configuration details and host more than one domain on a single server. We will set up a domain called your_domain.
Install and configure Zabbix server for your platform
Install Zabbix repository
# wget https://repo.zabbix.com/zabbix/5.4/debian/pool/main/z/zabbix-release/zabbix-release_5.4-1+debian11_all.deb # dpkg -i zabbix-release_5.4-1+debian11_all.deb # apt update
Install Zabbix server, frontend, agent
# apt install zabbix-server-mysql zabbix-frontend-php zabbix-nginx-conf zabbix-sql-scripts zabbix-agent2
c. Create initial database
Run the following on your database host.
# mysql -uroot -p password mysql> create database zabbix character set utf8 collate utf8_bin; mysql> create user zabbix@localhost identified by 'Stx12WsaB'; mysql> grant all privileges on zabbix.* to zabbix@localhost; mysql> quit;
On Zabbix server host import initial schema and data. You will be prompted to enter your newly created password.
# zcat /usr/share/doc/zabbix-sql-scripts/mysql/create.sql.gz | mysql -uzabbix -p zabbix
Configure the database for Zabbix server. Edit file /etc/zabbix/zabbix_server.conf
DBPassword=Stx12WsaB
Configure PHP for Zabbix frontend
Edit file /etc/zabbix/nginx.conf, uncomment and set ‘listen’ and ‘server_name’ directives.
nano /etc/zabbix/nginx.conf # listen 80; # server_name example.com;
Start Zabbix server and agent processes and make it start at system boot.
# systemctl restart zabbix-server zabbix-agent2 nginx php7.4-fpm # systemctl enable zabbix-server zabbix-agent2 nginx php7.4-fpm
Configure Zabbix frontend
Connect to your newly installed Zabbix frontend: http://server_ip_or_name
Redis Sentinel is a dedicated process to automate and simplify the Redis replication failover and switchover.
In this article, we will start with 3 Nodes. We will have two Redis instances on two different nodes – 1 master and 1 replica (or slave). Sentinel will be co-located on those 2 nodes, plus an additional node on one of our web servers.
Normally you would co-locate a Redis instance on the web/application server and access it via localhost or through a UNIX socket file. This is the straightforward way to incorporate Redis into the application.
Generate a key:
# openssl rand -hex 32 c68a0164045a04ea2f1d821e3d3275e782d671a166613b3d81c07f99e3b92843
Configuring PSK for server-agent communication
On the hos, edit the zabbix agent file
nano /etc/zabbix/zabbix_agentd.conf
Add:
####### TLS-RELATED PARAMETERS ####### TLSConnect=psk TLSAccept=psk TLSPSKIdentity=PSK 001 TLSPSKFile=/etc/zabbix/zabbix.psk
Create the /etc/zabbix/zabbix.psk file:
echo c68a0164045a04ea2f1d821e3d3275e782d671a166613b3d81c07f99e3b92843 > /etc/zabbix/zabbix.psk
Restart the agent.
systemctl restart zabbix-agent.service
Now you can test the connection using zabbix_get, for example:
$ zabbix_get -s 127.0.0.1 -k "system.cpu.load[all,avg1]" --tls-connect=psk \
--tls-psk-identity="PSK 001" --tls-psk-file=/etc/zabbix/zabbix.psk
Configure PSK encryption for this agent in Zabbix frontend:
Go to: Configuration → Hosts
Select host and click on Encryption tab
Get the package for Debian 10 Buster:
wget https://repo.zabbix.com/zabbix/5.4/debian/pool/main/z/zabbix-release/zabbix-release_5.4-1%2Bdebian10_all.deb
Install the repo for Debian 10 Buster
dpkg -i zabbix-release_5.4-1+debian10_all.deb
Get the package for Debian 11 Bulleye
wget https://repo.zabbix.com/zabbix/5.4/debian/pool/main/z/zabbix-release/zabbix-release_5.4-1%2Bdebian11_all.deb
Install the repo for Debian 11 Bullseye
dpkg -i zabbix-release_5.4-1+debian11_all.deb
apt update apt full-upgrade
For Agent 2
apt install zabbix-agent2
We now need to edit the configuration file to tell the agent where to find the server. Open /etc/zabbix/zabbix_agent2.conf in your preferred text editor and make the following changes to tell the agent which Zabbix servers are allowed to talk to it:
nano /etc/zabbix/zabbix_agent2.conf Server=[IP or hostname of your Zabbix server] ServerActive=[IP or hostname of your Zabbix server]
We also need to tell Zabbix the hostname of the system. This doesn’t have to be the actual hostname, it is the display name we will use within Zabbix for the system. Comment out the default value of Hostname=Zabbix server and replace it with the following:
HostnameItem=system.hostname
This will tell the agent to automatically populate the hostname value with the system hostname. You could just set the hostname within the configuration file. However, automatically populating it allows you to reuse the same configuration file across all your hosts, simplifying automation if you have a lot of hosts to monitor.
Start Agent 2
systemctl enable zabbix-agent2 sudo systemctl start zabbix-agent2
Add FW rule:
ufw allow from [Zabbix server IP] to any port 10050 proto tcp
Installing and configuring an OpenVPN server manually is not a simple task from my experience. For this reason, we will be using a script that lets you set up your own secure OpenVPN server in a matter of seconds.
Before downloading and running the script, note that the script will auto-detect your server’s private IP address. But you need to take note of your server public IP address especially if it is running behind NAT.
To find out your server’s public IP address, run the following wget command or dig command.
wget -qO - icanhazip.comOr Dig.
Install DNSUtils
apt install dnsutils dig +short myip.opendns.com @resolver1.opendns.comNow lets run the script (https://github.com/Nyr/openvpn-install)
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.shOutput:
Welcome to this OpenVPN road warrior installer!
This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [233.xxx.xxx.112]:
Which protocol should OpenVPN use?
1) UDP (recommended)
2) TCP
Protocol [1]: 1
What port should OpenVPN listen to?
Port [1194]:
Select a DNS server for the clients:
1) Current system resolvers
2) Google
3) 1.1.1.1
4) OpenDNS
5) Quad9
6) AdGuard
DNS server [1]: 3
Enter a name for the first client:
Name [client]: user1
OpenVPN installation is ready to begin.
Press any key to continue...
Hit:1 http://cdn-aws.deb.debian.org/debian bullseye InRelease
Hit:2 http://cdn-aws.deb.debian.org/debian bullseye-updates InRelease
Hit:3 http://cdn-aws.deb.debian.org/debian bullseye-backports InRelease
Hit:4 http://security.debian.org/debian-security bullseye-security InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
ca-certificates is already the newest version (20210119).
openssl is already the newest version (1.1.1n-0+deb11u3).
openssl set to manually installed.
Suggested packages:
resolvconf openvpn-systemd-resolved
Recommended packages:
easy-rsa
The following NEW packages will be installed:
liblzo2-2 libpkcs11-helper1 openvpn
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 703 kB of archives.
After this operation, 1990 kB of additional disk space will be used.
Get:1 http://cdn-aws.deb.debian.org/debian bullseye/main amd64 liblzo2-2 amd64 2.10-2 [56.9 kB]
Get:2 http://cdn-aws.deb.debian.org/debian bullseye/main amd64 libpkcs11-helper1 amd64 1.27-1 [ 47.5 kB]
Get:3 http://cdn-aws.deb.debian.org/debian bullseye/main amd64 openvpn amd64 2.5.1-3 [599 kB]
Fetched 703 kB in 0s (23.7 MB/s)
Preconfiguring packages ...
Selecting previously unselected package liblzo2-2:amd64.
(Reading database ... 30816 files and directories currently installed.)
Preparing to unpack .../liblzo2-2_2.10-2_amd64.deb ...
Unpacking liblzo2-2:amd64 (2.10-2) ...
Selecting previously unselected package libpkcs11-helper1:amd64.
Preparing to unpack .../libpkcs11-helper1_1.27-1_amd64.deb ...
Unpacking libpkcs11-helper1:amd64 (1.27-1) ...
Selecting previously unselected package openvpn.
Preparing to unpack .../openvpn_2.5.1-3_amd64.deb ...
Unpacking openvpn (2.5.1-3) ...
Setting up liblzo2-2:amd64 (2.10-2) ...
Setting up libpkcs11-helper1:amd64 (1.27-1) ...
Setting up openvpn (2.5.1-3) ...
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn.service → /lib/systemd/syst em/openvpn.service.
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for libc-bin (2.31-13+deb11u5) ...
..........................+++++
...............+++++
Generating a RSA private key
....................+++++
.....................................................+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/685ac808/temp.d98e14bd'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/685ac808/temp.ac88dfea
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Nov 14 00:34:28 2032 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Generating a RSA private key
.................................+++++
..........................+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/3e0fbb2b/temp.3a3753f7'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/3e0fbb2b/temp.863607a1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'user1'
Certificate is to be certified until Nov 14 00:34:29 2032 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Using configuration from /etc/openvpn/server/easy-rsa/pki/e0fdb7ad/temp.8b5b7aba
2022-11-17 00:34:29 WARNING: Using --genkey --secret filename is DEPRECATED. Use --genkey secr et filename instead.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-iptables.service → /etc/sys temd/system/openvpn-iptables.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /li b/systemd/system/openvpn-server@.service.
Finished!
The client configuration is available in: /root/user1.ovpn
New clients can be added by running this script again.
Now that the server is installed, download openVPN.
Download the OPVN file and connect.
Install Wireguard
sudo apt update sudo apt install wireguard
Now that you have WireGuard installed, the next step is to generate a private and public keypair for the server.
Use the following umask command to ensure new directories and files (in your current terminal session only) get created with limited read and write permissions:
umask 077
Now you can proceed and create the private key for WireGuard using the following command:
wg genkey | sudo tee /etc/wireguard/private.key
The next step is to create the corresponding public key, which is derived from the private key. Use the following command to create the public key file:
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
When you run the command you will again receive a single line of base64 enpred output, which is the public key for your WireGuard Server. Copy it somewhere for reference, since you will need to distribute the public key to any peer that connects to the server.
Choosing an IPv4 Range
You can choose any range of IP addresses from the following reserved blocks of addresses:
10.0.0.0 to 10.255.255.255 (10/8 prefix)
172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
192.168.0.0 to 192.168.255.255 (192.168/16 prefix)
For the purposes of this tutorial we’ll use 10.8.0.0/24 as a block of IP addresses from the first range of reserved IPs.
Creating a WireGuard Server Configuration
Once you have the required private key and IP address(es), create a new configuration file using nano or your preferred editor by running the following command:
sudo nano /etc/wireguard/wg0.conf
Add the following lines to the file, substituting your private key in place of the highlighted base64_enpred_private_key_goes_here value, and the IP address(es) on the Address line. You can also change the ListenPort line if you would like WireGuard to be available on a different port:
nano /etc/wireguard/wg0.conf [Interface] PrivateKey = base64_enpred_private_key_goes_here Address = 10.8.0.1/24, fd0d:86fa:c3bc::1/64 ListenPort = 51820 SaveConfig = true
Starting the WireGuard Server
sudo systemctl enable wg-quick@wg0.service
Now start the service:
sudo systemctl start wg-quick@wg0.service
Double check that the WireGuard service is active with the following command. You should see active (running) in the output:
sudo systemctl status wg-quick@wg0.service
Configuring a WireGuard Peer
You can add as many peers as you like to your VPN by generating a key pair and configuration using the following steps. If you add multiple peers to the VPN be sure to keep track of their private IP addresses to prevent collisions.
To configure the WireGuard Peer, ensure that you have the WireGuard package installed using the following apt commands. On the WireGuard peer run:
sudo apt update sudo apt install wireguard
Creating the WireGuard Peer’s Key Pair
umask 077
create the private key for the peer using the following command:
wg genkey | sudo tee /etc/wireguard/private.key
Next use the following command to create the public key file:
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
Copy it somewhere for reference, since you will need to distribute the public key to the WireGuard Server in order to establish an encrypted connection.
Creating the WireGuard Peer’s Configuration File
sudo nano /etc/wireguard/wg0.conf
[Interface] PrivateKey = base64_enpred_peer_private_key_goes_here Address = 10.8.0.2/24 [Peer] PublicKey = The base64 enpred public key from the WireGuard Server. AllowedIPs = 10.8.0.0/24 Endpoint = 159.65.164.142:51820
Adding the Peer’s Public Key to the WireGuard Server
Ensure that you have a copy of the base64 enpred public key for the WireGuard Peer by running:
sudo cat /etc/wireguard/public.key 7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI=
Now log into the WireGuard server, and run the following command:
sudo wg set wg0 peer 7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI= allowed-ips 10.8.0.2
If you would like to update the allowed-ips for an existing peer, you can run the same command again, but change the IP addresses. Multiple IP addresses are supported. For example, to change the WireGuard Peer that you just added to add an IP like 10.8.0.100 to the existing 10.8.0.2, you would run the following:
sudo wg set wg0 peer 7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI= allowed-ips 10.8.0.2,10.8.0.100
Once you have run the command to add the peer, check the status of the tunnel on the server using the wg command:
sudo wg interface: wg0 public key: 2KOvl8HbUz1rxTJ/l46o/Yz4G34Q6rfFsmvOROu9HAY= private key: (hidden) listening port: 51820
peer: 7ybiQ/5mQijU87xa2ozd0a73Ix5ABQ9mzwCGX2OPrkI=
endpoint: 70.112.179.47:49999
allowed ips: 10.8.0.2/32
latest handshake: 10 minutes, 58 seconds ago
transfer: 20.80 KiB received, 25.17 KiB sent
Connecting the WireGuard Peer to the Tunnel
To start the tunnel, run the following on the WireGuard Peer:
sudo wg-quick up wg0
You will receive output like the following:
[#] ip link add wg0 type wireguard [#] wg setconf wg0 /dev/fd/63 [#] ip -4 address add 10.8.0.2/24 dev wg0 [#] ip link set mtu 1420 up dev wg0
You can check the status of the tunnel on the peer using the wg command:
sudo wg
You can also check the status on the server again, and you will receive similar output.
Verify that your peer is using the VPN by using the ip route command.
ip route get 10.8.0.1 10.8.0.1 via 167.99.48.1 dev eth0 src 167.99.62.37 uid 0 cache
If your peer has a browser installed, you can also visit ipleak.net and ipv6-test.com to confirm that your peer is routing its traffic over the VPN.
Once you are ready to disconnect from the VPN on the peer, use the wg-quick command:
sudo wg-quick down wg0
Re:
https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04
https://www.wireguard.com/install/
https://linuxize.com/post/how-to-set-up-wireguard-vpn-on-debian-10/
Training Videos
A Technical Introduction To IPFS
IPFS Simply Explained. Let’s take a look at how IPFS works, how it can solve issue’s like censorship and if it would really work across multiple planets!
DEVCON1: IPFS – Juan Batiz-Benet
Run the following to install a .deb package:
sudo dpkg -i /absolute/path/to/deb/file
How to remove a package:
sudo dpkg --remove /absolute/path/to/deb/file
Create a New User
Open the root user terminal and run the following command:
# adduser username
Add a user to the sudoers file
# usermod -a -G sudo rogerp
Add with visudo
Login as root.
Run
# visudo
Add the user with:
username ALL=(ALL:ALL) ALL
Save file.
Ready to Go!