When it comes to a personal blog or a small website, the go-to choice for web developers is usually a Content Management System (CMS) like WordPress or Drupal. When we look at how the web has evolved over the past decade or two, is we all started with a static web hosting and then moved to a CMS which usually runs on a LAMP (Linux, Apache, MySQL, PHP) server(s). When you look at a CMS hosting such as a blog, it usually is somewhat cheap however, it comes with it’s own fair share of problems. The main aspect of the problem, in my opinion, is Security. You have to make sure your application such as WordPress and all the plugins are updated at all times. This is where a hacker would try and exploit a WordPress site or any of its plugins as soon as a vulnerability is spotted.

The solution is to implement a number of security measures on the website and manage it yourself. This option would be very cost effective, however, it does require a fair bit of technical knowledge. The other option is to go with a fully managed WordPress hosting, where the provider will manage the security aspect of your website. Even though having a fully managed hosting doesn’t usually guarantee your safety because there are other factors such as third-party plugins. If you have a secured LAMP server with the updated WordPress installation, it is still not guaranteed to be secured, because a hacker will find a way through to your website via a poorly corded or outdated third-party plugin. When it comes to choosing the plugins, make sure you ask yourself whether you really need it and keep the plugin-count as low as possible.
[continue reading…]

It is always best to have Two-factor authentication (2FA) to any method of access control. The following post will guide you to enable 2FA on Debian Linux environment.

It is assumed that we will be using Password Authentication in conjunction with 2FA.

Install Google Authenticator

apt-get install libpam-google-authenticator

Edit /etc/pam.d/sshd and add the following.

# Google Authenticator
auth required pam_google_authenticator.so

Edit the file /etc/ssh/sshd_config and make sure you have the following enabled.

UsePAM yes
ChallengeResponseAuthentication yes

Run Google Authenticator from the account.

google-authenticator

Add the account to your Google Authenticator app and save the emergency codes.

[continue reading…]

When it comes to subnetting most people usually stop at /30. This will give them a netmask of 255.255.255.252 thus resulting in two usable IP address along with one Network and one Broadcast address.

The /31 subnet prefixes was introduced in RFC3021 which defines that it can be used on a point-to-point link. A point-to-point interface does not need broadcast address, therefore we don’t really need to assign a /30 address prefix. On a /31 bit segment, both addresses are interpreted as hosts addresses.

The main advantage of using /32 prefix will enable us to limit the number of network address required on a segment. Therefore, if a company using multiple point-to-point networks using public IP addresses, then they will be able to save half of its allocated IP space.

[continue reading…]

This post will cover the IPv6 configuration on Ubiquiti Edge Router ERPoE-5 running Version 1.9.1. I will be going through the whole process of setting up IPv6 connectivity using Hurricane Electric 6in4 tunnel.

I will not be using the real IP Addresses, however the reader should be able to understand and substitute for their own configuration.

This is a home network, therefore a lot of aspects are not considered in the design!

Overview

• There are three VLANs. (Main (1) , Guest (2) , Automation (3) )
• Since there is no native IPv6 support from my ISP, I am using a 6in4 Tunnel to get IPv6 working.
• The EdgeRouter is the public facing device connected to a vDSL Modem via eth0.
• The Ethernet interfaces eth1, eth2, eth3, eth4 are bridged via bridge interface br0.
• Bridge interface br0 has a 192.168.1.1/24 RFC1918 address assigned to VLAN1 and also used as the management IP.

Part 1

In this part, I will be covering the tunnel creation. You need to head to Hurricane Electric (HE) https://www.tunnelbroker.net and get yourself an IPv6 tunnel. I have used a /48 Routed Prefix for my configuration which you can see below.
[continue reading…]

The Route Distinguisher (RD) and the Route Target (RT) can be somewhat confusing to someone who is trying to learn the concept on MPLS. In this post, I will try and explain what RD and RT are in relation to MPLS.

To answer this question, we will use the following diagram.

[continue reading…]

T he following Exim mail servers error was encountered while sending out mails. The original error was experienced by Gravity Forms WordPress plugin. However, I was able to test it out by using command line to rule out the plugin.

someone@domain.com R=virtual_aliases: No Such User Here

The debug message I received via Gravity Forms is the following. This confirms the mail has been passed on from WordPress to the mail server.

2016-03-25 11:06:04.042599 - DEBUG --> GFCommon::send_email(): Result from wp_mail(): 1
2016-03-25 11:06:04.042748 - DEBUG --> GFCommon::send_email(): Mail was passed from WordPress to the mail server.
2016-03-25 11:06:04.153172 - DEBUG --> GFFormDisplay::handle_confirmation(): Sending confirmation.

Before I go any further, I would like to give some background information on domain.com, which the following aspects are hosted as below.

[continue reading…]

Even though I am a big advocate on promoting IPv6, I have came across Debian’s APT / apt-get stuck with the following message. I believe it is due to an issue on the serve concerning the FQDN
http.debian.net and security.debian.org. The easy way to fix is to force APT to use IPv4 as opposed to IPv6.

0% [Connecting to http.debian.net (2a01:4f8:151:555d::42)] [Connecting to security.debian.org (2610:148:1f10:3::73)]

echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4

On Cisco ASA, You cannot have DHCPd and Relay configured at the same time.

• You can either add a relay server and add the DHCP scopes.
• You can add different DHCP scope to the ASA DHCPd.

Visco VIRL sometimes throw the following error stating KVM acceleration is not available on hosts running ESXi.

KVM acceleration is not available

INFO: Your CPU does not support KVM extensions
KVM acceleration can NOT be used

You can also run the kvm-ok command to find the status of KVM accleration.

This is due to a missing setting on ESXi Guest OS and the following parameter needs to be added VM’s .VMX configuration file.

Please make sure the VM is shut down before making the change.

vhv.enable = “TRUE”

You can also add this parameter to /etc/vmware/config of the host, but it is not imperative you should do it.