Configure Uncomplicated Firewall – UFW on apache web server host

Posted in apache2, Linux, Security, Ubuntu at 6:12 pm by

Uncomplicated Firewall – UFW

This article introduces the concept of securing your Linux environment by setting up a firewall. The firewall I’ll use in this article is the Uncomplicated Firewall, UFW for short. UFW is a front-end for iptables that makes managing a Netfilter firewall easier. It provides a command line interface with syntax similar to OpenBSD’s Packet Filter, and it is particularly well suited as a host-based firewall. In this example I’m doing it on Ubuntu 12.04, although this article probably also works for any Debian based system.

Install UFW

First we have to install the package.

#sudo apt-get update
#sudo apt-get install ufw

Configure UFW on apache web server host

This section will show you how to configure UFW on a remote server which hosts an apache2 web server.

Once the installation is done, run ufw status verbose to check the status of UFW.

#sudo ufw status verbose
Status: inactive

It’s quite good that it’s turned off by default, as otherwise you might be locked out of your host. Before you turn the firewall on you want to allow the SSH protocol through the firewall, as this is the protocol you use to remotely administer your server.

#sudo ufw allow ssh

You now enable UFW:

#sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

We allowed ssh to pass through the firewall; the following command sets the default policy so that all other incoming connections are blocked.

#sudo ufw default deny

To allow your Apache server to function as a web server you have to open up extra ports. Apache by default uses port 80 for http and 443 for https.

#sudo ufw allow 80/tcp
Rule added
#sudo ufw allow 443/tcp
Rule added

Voila, you have configured your host to allow ssh connections so you can administer it, while it can still serve web pages. All other incoming traffic gets blocked.

Delete Existing Rule

To delete a rule, you can prefix the original rule with delete, or you can delete by rule number. Personally I find deleting rules by number the easiest and safest way.

First we’ll list all the rules with their numbers.

#sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80/tcp                     ALLOW IN    Anywhere
[ 2] 443/tcp                    ALLOW IN    Anywhere

We want to get rid of the port 80 rule.

You could use the prefix way:

#sudo ufw delete allow 80/tcp

Or you could use the numbered way:

#sudo ufw delete 1
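As an added check (not part of the original article), the following POSIX shell function parses the output of ufw status numbered and prints every ALLOW IN rule whose destination port is not in a list you expect, so you can spot rules that should be deleted by number. The status text embedded below is constructed, not captured from a real host; on a real host you would pipe sudo ufw status numbered into the function.

```shell
#!/bin/sh
# Added check: report ALLOW IN rules in `ufw status numbered` output whose
# To column (port/proto) is not in the expected list. Not from the original article.
#
# Usage on a host: sudo ufw status numbered | unexpected_allow_rules "22/tcp 80/tcp 443/tcp"
# Prints the offending rule lines with their numbers (ready for `ufw delete <n>`);
# prints nothing when every ALLOW IN rule is expected.
unexpected_allow_rules() {
    expected=" $1 "
    grep 'ALLOW IN' | while IFS= read -r line; do
        # drop the "[ n]" index, then take the first field: the To column
        to=$(printf '%s\n' "$line" | sed 's/^\[ *[0-9]*\] *//' | awk '{print $1}')
        case "$expected" in
            *" $to "*) ;;                    # expected port, nothing to report
            *) printf '%s\n' "$line" ;;      # unexpected ALLOW rule
        esac
    done
}

# Constructed sample output (not captured from a real host) for trying the check
# offline: rule 4 opens a database port a web server host should not expose.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 3306/tcp                   ALLOW IN    Anywhere
[ 5] 22/tcp                     ALLOW IN    192.168.1.0/24'

# Number of unexpected rules in the sample; 0 means the ruleset is clean.
count_unexpected_in_sample() {
    printf '%s\n' "$SAMPLE_STATUS" | unexpected_allow_rules "22/tcp 80/tcp 443/tcp" | grep -c . || :
}
```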

Advanced example

You have a server on your LAN at home and you only want to allow ssh connections from your LAN, while denying connections from

The syntax for the deny command:

#sudo ufw deny from to port

We put the rules in place to allow our LAN access, while denying

#sudo ufw deny from to any port 22
#sudo ufw allow from to tcp port 23 proto tcp

Check the rules that were created.

#sudo ufw status
Status: active

To Action From
-- ------ ----

The order in which we add these rules is important: once a rule is matched, no other rules are evaluated. So if we had put the rule for the whole subnet first, connections from would still succeed, as the deny rule would never be reached.

More information
More detailed information can be retrieved by:
man ufw



Max packet size

Posted in Miscellaneous, windows at 2:04 pm by

When you send a large amount of data over the internet, that data is split up into smaller packets and reassembled on the receiving side. The maximum size of such an individual packet is called the Maximum Transmission Unit (MTU): the size (in bytes) of the largest packet or frame that a given layer of a communications protocol can pass onwards.

If somewhere on your network an MTU value is changed, this can cause havoc for your communications; you could end up with a dead VPN tunnel. A quick way to determine the largest packet you can send to an IP address is to use ping.

PING google.be -f -l 1472

-f Set Don’t Fragment flag in packet.
-l size Send buffer size.

When your packet size is too big you will get:

Packet needs to be fragmented but DF set.

When the packet size is not too big, it will just ping.

Once you know what the MTU should be, you can configure this on the application or protocol which is having issues.
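As an added example (not from the original post), this POSIX shell script automates the ping approach above: it binary-searches for the largest payload that still gets through with Don't Fragment set, using a probe command you supply. The real probe in the comment assumes Linux iputils ping (the Windows equivalent is the ping -f -l form used above); the fake probe simulating a 1500-byte path is constructed so the script can be tried offline, and 28 header bytes (20 IPv4 + 8 ICMP) are assumed when converting payload size to MTU.

```shell
#!/bin/sh
# Added example: automate the "ping with Don't Fragment" MTU probe from the post above.

# find_max_payload PROBE [HI]: binary search for the largest ICMP payload size (bytes)
# for which "PROBE size" exits 0. Assumes a payload of 0 always passes and searches
# 0..HI (HI defaults to 1472, the payload that fits a standard 1500-byte Ethernet MTU).
find_max_payload() {
    probe=$1; lo=0; hi=${2:-1472}
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid"; then lo=$mid; else hi=$((mid - 1)); fi   # invariant: $lo passes
    done
    echo "$lo"
}

# mtu_from_payload PAYLOAD: add the 20-byte IPv4 header and the 8-byte ICMP header,
# so a passing payload of 1472 means a 1500-byte MTU.
mtu_from_payload() { echo $(( $1 + 28 )); }

# Real probe (assumed: Linux iputils ping; -M do sets DF, -s sets the payload size).
# On Windows the equivalent one-shot probe is: ping -n 1 -f -l SIZE HOST
# linux_probe() { ping -c 1 -W 1 -M do -s "$1" "$TARGET" >/dev/null 2>&1; }

# Constructed probe simulating a path whose MTU is 1500 bytes (no network needed).
fake_probe() { [ "$1" -le 1472 ]; }

# Example run: find_max_payload fake_probe 2000 gives 1472; mtu_from_payload 1472 gives 1500
```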


Enabling ssl on your apache2 with debian etch

Posted in Debian, Linux at 11:08 pm by

This is in no way the definitive guide to getting ssl to work on your host. This is what worked for me.

First you need to get openssl

apt-get install openssl ssl-cert

Generate a self signed cert. This will protect your traffic, however it will give a warning in the browser of the user.

If you don’t want these warnings you will have to get a cert from a trusted certificate authority.

openssl req -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem

It will ask some questions; you can fill in what you want on most of them, however:

Common Name (eg, YOUR name) []: *.yoursite.com

Make sure you give your site’s domain name there.

Give the pem file the right permissions:

chmod 600 /etc/apache2/apache.pem

You want the server to listen on the ssl port, so you change /etc/apache2/ports.conf to:

Listen 80
Listen 443

You add the Listen 443 line.

Now you have to edit the default file:

vi /etc/apache2/sites-available/default

NameVirtualHost *
NameVirtualHost *:80
NameVirtualHost *:443

I looked long for this part; for some reason I have to add this to my default file, else ssl doesn’t work on my other virtual hosts.

SSLCertificateFile /etc/apache2/apache.pem
SSLEngine On

Then you have to add:

SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem

to the definition of the host which you want to run with ssl.


# The VirtualHost wrapper is assumed here; *:443 follows from the NameVirtualHost *:443 line above
<VirtualHost *:443>
    ServerName sample.com

    #other directives

    SSLEngine on
    SSLCertificateFile /etc/apache2/apache.pem
    SSLCertificateKeyFile /etc/apache2/apache.pem
</VirtualHost>

/etc/init.d/apache2 restart
That’s it.
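As an added check (not part of the original post), this POSIX shell function verifies the combined PEM file the recipe above produces: mode 0600, and both a private key and a certificate inside. Because the key is written unencrypted (-nodes), file permissions are all that protect it. The fixture function writes a constructed placeholder file, not real key material, so the check can be tried without generating a certificate.

```shell
#!/bin/sh
# Added check for the combined key+certificate PEM used in the post above.

# check_ssl_pem FILE: exit 0 only if FILE exists, is mode 0600 and contains
# both a private key block and a certificate block; otherwise print why and exit 1.
check_ssl_pem() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # POSIX find -perm 600 matches exactly mode 0600; anything wider exposes the unencrypted key
    [ -n "$(find "$f" -perm 600)" ] || { echo "bad permissions (want 0600): $f" >&2; return 1; }
    # old openssl writes "RSA PRIVATE KEY", newer writes "PRIVATE KEY"; accept both
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" || { echo "no private key in $f" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "no certificate in $f" >&2; return 1; }
    return 0
}

# make_fixture FILE: constructed placeholder PEM (no real key material) laid out
# like the output of the openssl req command above, with the permissions it needs.
make_fixture() {
    f=$1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' \
                  '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$f"
    chmod 600 "$f"
}

# On a real host: check_ssl_pem /etc/apache2/apache.pem
```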


GIT Version system tutorial

Posted in Debian, Linux, Miscellaneous, windows at 3:53 pm by

GIT Version system

Git is a distributed file versioning system. It was initially created by Linus Torvalds, who is better known for the creation of Linux.

This is a quick guide on getting started with GIT for people with a windows desktop and a linux server.

Download the windows GUI version of git from http://code.google.com/p/msysgit/downloads/list

Install it.

To create a new repository (only needed if you are starting a new project; if you are going to contribute to an existing project, skip to the next section):

Open a command line, navigate to the place where you want to start a new repository, and create a new directory for the repo.

md init_repo
cd init_repo
git init
cd ..

git clone --bare init_repo repo.git

Now upload the repo.git directory to your webserver. I do this with winscp, but you can use whatever way you like.

SSH into your server and install git:

apt-get install git-core

To get an existing git repo:

Open a command line.
Navigate to the directory where you want to have the repo.

git clone ssh://username@host.com/path_to_git_repo

I’m using ssh instead of the daemon as I don’t really see an option to password protect the repo.


Recursively removing .svn directories

Posted in Linux, Miscellaneous at 12:13 pm by

Use this command:
find . -name .svn -print0 | xargs -0 rm -rf
You could also use “svn export”…


Time synchronizing in windows

Posted in Miscellaneous, windows at 4:28 pm by

You can check the current time on your domain by typing the following:

net time

This gives me: Current time at \\s-dc1.mydomain.local is 3/31/2008 1:56 PM

To set up time synchronization, type in:

>net time /SETSNTP:\\s-dc1.mydomain.local

s-dc1.mydomain.local should be replaced with the name of the server where your time service is running. Now to check what time server your PC uses, type:

net time /QUERYSNTP


ASP_0131 Disallowed_Parent_Path

Posted in Miscellaneous, windows at 3:38 pm by

IIS 6 has parent paths disallowed by default. This setting is required to use relative paths in virtual includes.

Parent paths allow you to use ‘..’ when browsing directories and in MapPath etc., enabling files in the parent directory to be used.

To enable parent paths:

• Start the Internet Services Manager (Start – Programs – Administrative Tools – Internet Services Manager)
• Right click on the web site and select properties
• Select the ‘Home Directory’ tab
• Click the ‘Configuration’ button under the Application Settings
• Select the ‘App Options’ tab
• Check the ‘Enable parent paths’ box and click Apply

You don’t need to restart the service for the change to take effect.


Mass update sql job owners

Posted in DBA, Microsoft Sql server, TSQL at 12:20 pm by

After a domain migration you might find yourself in a position where you have a whole bunch of jobs owned by dead domain accounts. You could use SQL Server Management Studio to update the job ownership one by one, or you could write a script which updates it for you. The next script gives you the basics to script this. Just change OLD_ACCOUNT to the account you want to replace and NEW_ACCOUNT to the account you want to replace it with.
-- Generates one sp_update_job call per job owned by OLD_ACCOUNT;
-- run the generated output to move those jobs to NEW_ACCOUNT.
SELECT 'EXEC MSDB.dbo.sp_update_job ' + char(13) +
       '@job_name = ' + char(39) + j.[Name] + char(39) + ',' + char(13) +
       '@owner_login_name = ' + char(39) + 'NEW_ACCOUNT' + char(39) + char(13) + char(13)
FROM MSDB.dbo.sysjobs j
INNER JOIN Master.dbo.syslogins l
    ON j.owner_sid = l.sid
WHERE l.[name] = 'OLD_ACCOUNT'
ORDER BY j.[name]

The output of this script can be copied, pasted and run in SQL Server Management Studio.


Deleting huge amounts of records

Posted in DBA, Microsoft Sql server, TSQL at 11:41 am by

When you have to delete a whole bunch of records from a table which has to stay in use, you could do it with a cursor, but you can also use the following approach: use TOP to limit the number of records deleted per statement and put the deletion in a loop.

Sample code: 

DECLARE @p AS int;

-- First batch: delete at most 50000 rows that fall in the date range
DELETE [dbo].[Klanthistoriek]
FROM (SELECT TOP 50000 klh_id
      FROM [dbo].[Klanthistoriek]
      WHERE KLH_CreatieDatum BETWEEN '2007-09-18 10:47:40.820' AND '2007-09-20 15:29:32.663') AS temptable
WHERE [dbo].[Klanthistoriek].klh_id = temptable.klh_id;

SET @p = @@ROWCOUNT;

-- Repeat in batches until a batch deletes nothing. BEGIN/END is needed so the SET
-- is part of the loop body; without it @p never changes and the loop never ends.
WHILE @p <> 0
BEGIN
    DELETE [dbo].[Klanthistoriek]
    FROM (SELECT TOP 50000 klh_id
          FROM [dbo].[Klanthistoriek]
          WHERE KLH_CreatieDatum BETWEEN '2007-09-18 10:47:40.820' AND '2007-09-20 15:29:32.663') AS temptable
    WHERE [dbo].[Klanthistoriek].klh_id = temptable.klh_id;

    SET @p = @@ROWCOUNT;
END
