Mujahid Jaleel - My Life, My Blog

Thursday 25 October 2018

How to Setup phpMyAdmin in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم

Abstract

Tutorial on how to setup phpMyAdmin in an iocage Jail on FreeNAS 11.1.

Assumptions and Prerequisites

OS: FreeNAS 11.1-U6
FreeNAS Host: fn
FreeNAS Network Interface: igb0
FreeNAS IP: 10.0.0.2
FreeNAS Subnet Mask: 24
Jail Container: iocage
iocage Version: 1.0 Alpha
Jail Release: 11.1-RELEASE
Jail Name: test
Jail Network Interface: vnet0
Jail Network Config: DHCP
Jail Default Route: 10.0.0.1
IP Version: IPv4
Bridge Network Interface: bridge0
DNS 1: 10.0.0.1
Domain: example.com
ZPool Volume: tank
Database: MariaDB v10.2.17
Web Server: NGINX v1.14.0_12
Web Directory: /usr/local/www/html
PHP Version: 7.2
phpMyAdmin Version: 4.8.3
Setup iocage Jail
Setup NGINX Web Server
Setup MariaDB

Install phpMyAdmin

Since we are using php72 on the nginx webserver, we will install phpMyAdmin for the php72 version
root@test:~ # pkg install phpMyAdmin-php72

Create a Symbolic Link to the phpMyAdmin directory into the webroot directory
root@test:~ # ln -s /usr/local/www/phpMyAdmin /usr/local/www/html/phpmyadmin

Restart nginx and php-fpm service
root@test:~ # service nginx restart; service php-fpm restart

Configure phpMyAdmin

Edit the /usr/local/www/phpMyAdmin/config.inc.php file and configure phpMyAdmin settings or delete the /usr/local/www/phpMyAdmin/config.inc.php and then go to http://test/phpmyadmin/setup to configure a database server host. For our example, I am going to use the phpMyAdmin setup wizard.

First delete /usr/local/www/phpMyAdmin/config.inc.php file
root@test:~ # rm -v /usr/local/www/phpMyAdmin/config.inc.php

Go to http://test/phpmyadmin/setup and configure a database server host

Copy the text of the generated configuration file and then paste it into the /usr/local/www/phpMyAdmin/config.inc.php file

Paste the config text into /usr/local/www/phpMyAdmin/config.inc.php and Save File
root@test:~ # ee /usr/local/www/phpMyAdmin/config.inc.php

Login to phpMyAdmin

Go to http://test/phpmyadmin in your browser and login using your root username and password.

Resource Links

Wednesday 24 October 2018

How to Setup a MariaDB Server v10.2 in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم

Abstract

Tutorial on how to setup MariaDB Database Server v10.2.17 in an iocage Jail on FreeNAS 11.1.

Assumptions and Prerequisites

OS: FreeNAS 11.1-U6
FreeNAS Host: fn
FreeNAS Network Interface: igb0
FreeNAS IP: 10.0.0.2
FreeNAS Subnet Mask: 24
Jail Container: iocage
iocage Version: 1.0 Alpha
Jail Release: 11.1-RELEASE
Jail Name: test
Jail Network Interface: vnet0
Jail Network Config: DHCP
Jail Default Route: 10.0.0.1
IP Version: IPv4
Bridge Network Interface: bridge0
DNS 1: 10.0.0.1
Domain: example.com
ZPool Volume: tank
Database: MariaDB
Database Version: 10.2.17
Setup iocage Jail

Install MariaDB

root@test:~ # pkg install mariadb102-server

MariaDB Configuration

Choose the configuration file from template for Database server eg: my-small.cnf, my-medium.cnf, my-large.cnf, or my-huge.cnf

root@test:~ # cp /usr/local/share/mysql/my-small.cnf /usr/local/etc/my.cnf

Enable MariaDB Server to start on boot

root@test:~ # sysrc mysql_enable="yes"

Start MariaDB Server

root@test:~ # service mysql-server start

Configure and Secure MariaDB Server for production

root@test:~ # mysql_secure_installation

Enter current password for root (enter for none): [Press Enter]

Set root password? [Y/n]: y

Remove anonymous users? [Y/n]: y

Disallow root login remotely? [Y/n]: y

Remove test database and access to it? [Y/n]: y

Reload privilege tables now? [Y/n]: y

Test Login of 'root' user

root@test:~ # mysql -u root -p

Test SQL Queries

MariaDB [(none)]> select user,host,password from mysql.user;

MariaDB [(none)]> show databases;

MariaDB [(none)]> exit;

Helpful Commands

Search for package
root@test:~ # pkg search mariadb

Resource Links

How to Setup NGINX Web Server in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم

Abstract

Tutorial on how to setup NGINX Web Server with PHP72 in an iocage Jail on FreeNAS 11.1.

Assumptions and Prerequisites

OS: FreeNAS 11.1-U6
FreeNAS Host: fn
FreeNAS Network Interface: igb0
FreeNAS IP: 10.0.0.2
FreeNAS Subnet Mask: 24
Jail Container: iocage
iocage Version: 1.0 Alpha
Jail Release: 11.1-RELEASE
Jail Name: test
Jail Network Interface: vnet0
Jail Network Config: DHCP
Jail Default Route: 10.0.0.1
IP Version: IPv4
Bridge Network Interface: bridge0
DNS 1: 10.0.0.1
Domain: example.com
ZPool Volume: tank
NGINX Version: 1.14.0_12
Web Directory: /usr/local/www/html
PHP Version: 7.2
Certificate File Name and Location: /usl/local/etc/ssl/test.crt
Certificate Key File Name and Location: /usr/local/etc/ssl/test.key
Setup iocage Jail

NGINX

Install NGINX

root@test:~ # pkg install nginx

Install Output

Enable NGINX to start on boot

root@test:~ # sysrc nginx_enable="yes"

Start NGINX Server

root@test:~ # service nginx start

Check to see what ports NGINX is listening on

root@test:~ # sockstat -4 -6 | grep nginx

NGINX Running Success

NGINX Loads Default Page

PHP72

Install PHP72

root@test:~ # pkg install php72 php72-extensions

Create Web Directory

root@test:~ # mkdir -p /usr/local/www/html

Edit NGINX main configuration file to set php as server side script

root@test:~ # ee /usr/local/etc/nginx/nginx.conf

. . . . . . . . . . . .

02: user www;
. . . . . . . . . . . .

42: server_name test;
. . . . . . . . . . . .

49: root /usr/local/www/html;

50: index index.php index.html index.htm;
. . . . . . . . . . . .

70: location ~ \.php$ {

71: root /usr/local/www/html;

72: fastcgi_pass 127.0.0.1:9000;

73: fastcgi_index index.php;

74: fastcgi_param SCRIPT_FILENAME $request_filename;

75: include fastcgi_params;

76: }
. . . . . . . . . . . .

Create php.ini file from copying the php production file template

root@test:~ # cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Configure php.ini

root@test:~ # ee /usr/local/etc/php.ini

672: post_max_size = 10M

776: cgi.fix_pathinfo=0

825: upload_max_filesize = 10M

939: date.timezone = "Australia/Melbourne"

Enable PHP-FPM to start on boot

root@test:~ # sysrc php_fpm_enable="yes"

Start the PHP-FPM Service

root@test:~ # service php-fpm start

Check to see what ports PHP-FPM is listening on

root@test:~ # sockstat -4 -6| grep php-fpm

PHP-FPM Running Success

Create a php file to check if php works

root@test:~ # echo "<?php phpinfo(); ?>" | tee /usr/local/www/html/phpinfo.php

Restart NGINX

root@test:~ # service nginx restart

Go to http://test/phpinfo.php to check if php script works.

PHP Page Load Success

Setup HTTPS / SSL / TLS Service

In order to enable the HTTPS service on NGINX, we would need a SSL Certificate and Key. There are more than one way to acquire these certificate and key.

Self-Signed Certificate and Key
Webhosting Provider
Let's Encrypt / Certbot / Acme

Once you have acquired the certificate files, then copy them in the following directory.

Certificate File Name and Location: '/usl/local/etc/ssl/test.crt'
Key File Name and Location: '/usr/local/etc/ssl/test.key'

Certificate and Key File Location

Edit '/usr/local/etc/nginx/nginx.conf' file to define the location of those certificates.
root@test:~ # ee /usr/local/etc/nginx/nginx.conf

. . . . . . . . . . .
22: http {
. . . . . . . . . . .
40: server {
. . . . . . . . . . .
84: } # End of http server block
. . . . . . . . . . .
123: # HTTPS Server
124: server {
125: listen 443 ssl;
126: server_name test;
127:
128: ssl_certificate /usr/local/etc/ssl/test.crt;
129: ssl_certificate_key /usr/local/etc/ssl/test.key;
130
131: ssl_session_cache shared:SSL:1m;
132: ssl_session_timeout 5m;
133:
134: ssl_ciphers HIGH:!aNULL:!MD5;
135: ssl_prefer_server_ciphers on;
136:
137: root /usr/local/www/html;
138:
139: location / {
140: index index.php index.html index.htm;
141: }
142:
143: location ~ \.php$ {
144: fastcgi_param HTTPS on;
145: fastcgi_pass 127.0.0.1:9000;
146: fastcgi_index index.php;
147: fastcgi_param SCRIPT_FILENAME $request_filename;
148: include fastcgi_params;
149: }
150: } # End of https server block
. . . . . . . . . . .
153:} # End of http block

HTTPS Server Block

Restart NGINX and PHP-FPM Service
root@test:~ # service nginx restart ; service php-fpm restart

Go to https://test/phpinfo.php to check if the certificate work.

Certificate works

Observations

When using Self-Signed Certificates, make sure your Internet browser recognises the Certificate Authority that issued the certificate and key.

Helpful Commands

Check NGINX configuration settings and syntax

root@test:~# nginx -t

Resource Links

NGINX
PHP

How to Setup Emby Media Server in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم

Abstract

Tutorial on how to setup Emby Media Server in an iocage Jail on FreeNAS 11.1.

Assumptions and Prerequisites

OS: FreeNAS 11.1-U6
FreeNAS Host: fn
FreeNAS Network Interface: igb0
FreeNAS IP: 10.0.0.2
FreeNAS Subnet Mask: 24
Jail Container: iocage
iocage Version: 1.0 Alpha
Jail Release: 11.1-RELEASE
Jail Name: emby
Jail Network Interface: vnet0
Jail Network Config: DHCP
Jail Default Route: 10.0.0.1
IP Version: IPv4
Bridge Network Interface: bridge0
DNS 1: 10.0.0.1
Domain: example.com
ZPool Volume: tank
Dataset: /mnt/tank/movies
Emby Server Version: 3.5.3.0
Setup iocage Jail

Create a Dataset on FreeNAS and Set Permissions

Create dataset 'movies' on FreeNAS as windows type

Set dataset 'movies' user owner as 'mujahid(uid:1000)' and group owner as 'media(gid:8675309)'. And set these permissions recursively.

Mount Dataset in Emby Jail with Read/Write Permissions

root@fn:~ # iocage fstab -a emby /mnt/tank/movies /mnt/movies nullfs rw 0 0

Installation

Login/Console into Emby Jail

root@fn:~ # iocage console emby

Go to https://emby.media/freebsd-server.html to look up the instructions and release version on how to install the latest emby package.

Install Dependency packages for Emby Server

root@emby:~ # pkg install mono libass fontconfig freetype2 fribidi gnutls iconv opus samba48 sqlite3 libtheora libva libvorbis webp libx264 libzvbi

Install Emby Server

root@emby:~ # pkg add -f https://github.com/MediaBrowser/Emby.Releases/releases/download/3.5.3.0/emby-server-freebsd_3.5.3.0_amd64.txz

Create group 'media' with gid:8675309 in the emby jail. Make sure the gid is the same as the gid on the FreeNAS host for the 'media' group. Then add the 'emby' user to the 'media' group on the emby jail as a member. This will make sure emby has group read/write permissions to the 'movies' dataset on the FreeNAS. Note: The group 'media' on the FreeNAS and the emby jail should have the same gid(8675309), otherwise the permissions won't work properly.

Create group 'media' with gid:8675309

root@emby:~ # pw groupadd -n media -g 8675309

Add user 'emby' to group 'media'

root@emby:~ # pw groupmod media -m emby

Enable Emby to run at boot

root@emby:~ # sysrc emby_server_enable="YES"

Start Emby Service

root@emby:~ # service emby-server start

Run Emby Server Setup Wizard

Open your web browser and visit http://[IP ADDRESS]:8096 to run the Emby Server setup wizard.

Resource Links

Emby Media Server: https://emby.media
FreeBSD Installation: https://emby.media/freebsd-server.html

Tuesday 23 October 2018

How to Setup an OpenVPN Client with IPFW in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم

Abstract

Tutorial on how to setup and configure an OpenVPN Client in an Transmission iocage jail on FreeNAS 11.1 with IPFW to implement a VPN Killswitch.

Assumptions and Prerequisites

OS: FreeNAS 11.1-U6
FreeNAS Host: fn
FreeNAS Network Interface: igb0
FreeNAS IP: 10.0.0.2
FreeNAS Subnet Mask: 24
Jail Container: iocage
iocage Version: 1.0 Alpha
Jail Release: 11.1-RELEASE
Jail Name: transmission
Jail Network Interface: vnet0
Jail Network Config: DHCP
Jail Default Route: 10.0.0.1
IP Version: IPv4
Bridge Network Interface: bridge0
DNS 1: 10.0.0.1
Domain: example.com
ZPool Volume: tank
VPN Service Provider: Trust Zone VPN (https://trust.zone)
Setup iocage Jail
Firewall: IPFW

OpenVPN Pre-Setup Tasks

Allow Jail To Create TUN Network Devices

OpenVPN Client needs to create a TUN interface in order to establish a secure encrypted connection. According to the default iocage jail security settings (rule 4), it doesn't allow the jail to create a tun network interface device. Because of that, the OpenVPN client won't be able to create and establish a VPN Tunnel to your choice of a VPN Service Provider. So, in order for it to be able to do that, you would need to allow the devfs rule 4 to be able to create a tun device network interface for the OpenVPN. And the way to do that is to create a 'preinit' task on the FreeNAS to run the following command on reboot on the FreeNAS server.

devfs rule -s 4 add path 'tun*' unhide

Reboot FreeNAS.

Download OpenVPN files from your VPN Provider

Download the necessary files from your VPN service provider. I downloaded and copied the *.ovpn and userpass.txt files from my vpn provider (trust.zone) to the (/usr/local/etc/openvpn/) directory, create the directory if it does not exist. Make sure all the certificates, keys and settings are listed in the (trust_zone_vpn.ovpn) file and the 'auth-user-pass' setting in the trust_zone_vpn.ovpn is set to point at 'userpass.txt'.The 'userpass.txt' file has your VPN account's username and password listed in it. You will need this for OpenVPN to auto login when the jail start/restart.

root@transmission:~ # mkdir -p /usr/local/etc/openvpn

Setup OpenVPN Client

Install the openvpn package

root@transmission:~ # pkg install openvpn

Set the location of the openvpn config file

root@transmission:~ # sysrc openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"

Enable OpenVPN to start on boot

root@transmission:~ # sysrc openvpn_enable="YES"

Create a symbolic link 'openvpn.conf' to your trustzone.ovpn settings file

root@transmission:~ # ln -s /usr/local/etc/openvpn/trust_zone_vpn.ovpn /usr/local/etc/openvpn/openvpn.conf

Before starting the openvpn service, first check and note down your public IP.

root@transmission:~ # host myip.opendns.com resolver1.opendns.com

Start the openvpn service

root@transmission:~ # service openvpn start

Wait a minute for the openvpn service to start and establish a connection. Check to see if the TUN device has been assigned a different IP.

root@transmission:~ # ifconfig

Then check the public IP again. It should be different to the public IP you checked earlier before you started the openvpn service.

root@transmission:~ # host myip.opendns.com resolver1.opendns.com

If the vpn tunnel is not created or established or the public IP remains the same as before, then something went wrong. Check the messages log file. Look for the line where it says "openvpn[####]: Initialization Sequence Completed". The line "openvpn[####]: Initialization Sequence Completed" indicates the connection was successful and established.

root@transmission:~ # tail -f -n 30 /var/log/messages

Setup VPN Killswitch with IPFW

Create directory to hold the ipfw startup script(s)
root@transmission:~ # mkdir -p /usr/local/etc/ipfw

Create startup script for ipfw rules
root@transmission:~ # ee /usr/local/etc/ipfw/ipfw_rules

---------File "/usr/local/etc/ipfw/ipfw_rules"---------------
#!/bin/bash
# Flush out the list before we begin
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
vpn="tun0"

# allow all local traffic on the loopback interface
$cmd 00001 allow all from any to any via lo0

# allow any connection to/from VPN interface
$cmd 00010 allow all from any to any via $vpn

# allow connection to/from LAN by Transmission
$cmd 00101 allow all from me to 10.0.0.0/24 uid transmission
$cmd 00102 allow all from 10.0.0.0/24 to me uid transmission

# deny any Transmission connection outside LAN that does not use VPN
$cmd 00103 deny all from any to any uid transmission
--------------End of File-------------------------------------------

Enable IPFW to start on boot
root@transmission:~ # sysrc firewall_enable="YES"

Set the startup script for ipfw rules
root@transmission:~ # sysrc firewall_script="/usr/local/etc/ipfw/ipfw_rules"

Start the IPFW service
root@transmission:~ # service ipfw start

Note: Although, the listed IPFW rules above implements a VPN killswitch. But, the major disadvantage of these rules is that it also prevents the access to the web admin GUI interface of Transmission from the LAN for Torrent administration when VPN tunnel is active. If anyone can write better IPFW rules that would implement a VPN killswitch without losing access to the web interface of Transmission, then let me know.

On my personal setup, instead of placing the OpenVPN and the Firewall rules to implement a VPN killswitch within the Jail itself, I have placed the VPN client on my pfSense router and configured the firewall rules on the pfSense router for my Transmission jail accordingly. I will probably write up a tutorial on how to do that on a separate post.

Helpful Commands

Check your Public IP

root@transmission:~ # host myip.opendns.com resolver1.opendns.com

.....or.....

root@transmission:~ # curl https://wtfismyip.com/text

.....or.....

root@transmission:~ # curl ifconfig.me

Create a Symbolic link

root@transmission:~ # ln -s /path/to/source/file /path/to/new/link/file

Watch/Monitor a log file in real-time up to 30 lines

root@transmission:~ # tail -f -n 30 /var/log/messages

Resource Links

https://forums.freenas.org/index.php?resources/fn11-1-iocage-jails-plex-tautulli-sonarr-radarr-lidarr-jackett-ombi-transmission-organizr.58/
Transmission (https://transmissionbt.com)
Trust Zone VPN (https://trust.zone)

Thursday 11 October 2018

How to Setup BitTorrent Client Transmission iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم

Abstract

Tutorial on how to setup and configure a Bit Torrent Transmission Client in an iocage jail on FreeNAS 11.1.

Assumptions and Prerequisites

OS: FreeNAS 11.1-U6
FreeNAS Host: fn
FreeNAS Network Interface: igb0
FreeNAS IP: 10.0.0.2
FreeNAS Subnet Mask: 24
Jail Container: iocage
iocage Version: 1.0 Alpha
Jail Release: 11.1-RELEASE
Jail Name: transmission
Jail Network Interface: vnet0
Jail Network Config: DHCP
Jail Default Route: 10.0.0.1
IP Version: IPv4
Bridge Network Interface: bridge0
DNS 1: 10.0.0.1
Domain: example.com
ZPool Volume: tank
Dataset: /mnt/tank/torrents
Setup iocage Jail

Instructions

1. Create an iocage Jail with VNET configured by DHCP

iocage create -n "[Name]" -r [Release] vnet="on" bpf="yes" dhcp="on" allow_raw_sockets="1" boot="on" interfaces="vnet[N]:bridge[N]" resolver="search [DOMAIN];domain [DOMAIN];nameserver [DNS1 IP]

root@fn:~ # iocage create -n "transmission" -r 11.1-RELEASE defaultrouter="10.0.0.1" vnet="on" bpf="yes" dhcp="on" allow_raw_sockets="1" boot="on" interfaces="vnet0:bridge0" host_hostname="transmission" resolver="search example.com;domain example.com;nameserver 10.0.0.1"

2. Create Dataset and then mount inside the Jail

Create a user (eg:mujahid) as member of the media (gid:8675309) group that will have group access to the 'torrents' dataset on FreeNAS.

Create a dataset 'torrents' on the FreeNAS volume as type 'Windows'.

Create a torrent watch directory(watch_dir) for transmission within the 'torrents' dataset. When any torrent file is copied into this directory, transmission will read the file and add to its queue for downloading. This is optional if you don't need to create a torrent watch directory.

root@fn:~ # mkdir -p /mnt/tank/torrents/watch_dir

Create a torrent downloads directory(downloads) for transmission within the 'torrents' dataset. This is the directory transmission will use to save the downloaded files.

root@fn:~ # mkdir -p /mnt/tank/torrents/downloads

Set dataset 'torrents' user owner as 'mujahid(uid:1000)' and group owner as 'media(gid:8675309)'. And set these permissions recursively.

Create a windows share for the 'torrents' dataset on FreeNAS, So the FreeNAS user 'mujahid' can access the 'downloads' directory contents.

Mount the dataset '/mnt/tank/torrents/downloads' on FreeNAS into "Transmission" jail with read/write access.

root@fn:~ # iocage fstab -a transmission /mnt/tank/torrents/downloads /mnt/downloads nullfs rw 0 0

Mount dataset '/mnt/tank/torrents/watch_dir' on FreeNAS into transmission jail with read/write access.

root@fn:~ # iocage fstab -a transmission /mnt/tank/torrents/watch_dir /mnt/watch_dir nullfs rw 0 0

3. Install and Configure Transmission client in iocage jail

root@fn:~ # iocage console transmission

Install the transmission package

root@transmission:~ # pkg install transmission-daemon

Create group 'media' with gid:8675309 in the transmission jail. Make sure the gid is the same as the gid on the FreeNAS host for the 'media' group. Then add the 'transmission' user to the 'media' group on the transmission jail as a member. This will make sure transmission has group read/write permissions to the 'torrents' dataset on the FreeNAS. Note: The group 'media' on the FreeNAS and the transmission jail should have the same gid(8675309), otherwise the permissions won't work properly.

Create group 'media' with gid:8675309

root@transmission:~ # pw groupadd -n media -g 8675309

Add user 'transmission' to group 'media'

root@transmission:~ # pw groupmod media -m transmission

Enable transmission to start on boot

root@transmission:~ # sysrc transmission_enable="YES"

Set the transmission auto file permissions and ownership check to 'No'. Because, when the transmission service starts, it resets the user and group ownership of the FreeNAS dataset 'torrents' to the default jail user and group "root:wheel", which we don't want because the user won't be able to access the downloads share directory contents.

root@transmission:~ # sysrc transmission_chown="NO"

Set the download directory for transmission

root@transmission:~ # sysrc transmission_download_dir="/mnt/downloads"

Set the torrents watch directory for transmission.

root@transmission:~ # sysrc transmission_download_dir="/mnt/watch_dir"

Start and then stop the transmission service to create a '/usr/local/etc/transmission/home/settings.json' file with default settings.

root@transmission:~ # service transmission start && service transmission stop

Edit the 'settings.json' file to change the transmission configurations with the following settings

root@transmission:~ # ee /usr/local/etc/transmission/home/settings.json

{

"port-forwarding-enabled": false,

.......

"rpc-whitelist": "127.0.0.1, 10.0.0.*", # Only for internal network clients to access

.......

"speed-limit-up-enabled": true,

.......

"trash-original-torrent-files": false, # Do not save torrent files

"umask": 2, # Make downloads directory group read writable

.......

"watch-dir": "/mnt/watch_dir", # Watch directory for *.torrent files

"watch-dir-enabled": true # Watch directory enabled

}

Start transmission service

root@transmission:~ # service transmission start

Go to http://[IP]:9091/transmission/web to check if the transmission web-gui is accessible.

Helpful Commands

Remove user from group

root@transmission:~ # pw groupmod media -d transmission

Show Group members

root@transmission:~ # pw groupshow media

watch/monitor a log file in real-time up to 30 lines

root@transmission:~ # tail -f -n 30/var/log/messages

Links and Resources

How to Create and Configure an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم

Abstract

Tutorial on how to create and configure an iocage jail on FreeNAS 11.1.

Assumptions and Prerequisites

OS: FreeNAS 11.1-U6
FreeNAS Host: fn
FreeNAS Network Interface: igb0
FreeNAS IP: 10.0.0.2
FreeNAS Subnet Mask: 24
Jail Container: iocage
iocage Version: 1.0 Alpha
Jail Release: 11.1-RELEASE
Jail Name: test
Jail Network Interface: vnet0
Jail Network Config: DHCP | STATIC
Jail IP: 10.0.0.3
Jail Default Route: 10.0.0.1
IP Version: IPv4
Bridge Network Interface: bridge0
DNS 1: 10.0.0.1
Domain: example.com
ZPool Volume: tank
Dataset: /mnt/tank/share

Instructions

List iocage Commands

root@fn:~ # iocage

Activate iocage zpool volume

Set iocage to use the default volume, use the following command.
root@fn:~ # iocage activate
or
Set iocage to use a zpool volume if more than one exist on the FreeNAS
iocage activate [zpool]
root@fn:~ # iocage activate tank

Fetch/Download a Release Image

Fetch a release which will be used to create a jail.

Fetch a release from a list
root@fn:~ # iocage fetch

Fetch a release by name
iocage fetch -r [RELEASE IMAGE NAME]
root@fn:~ # iocage fetch -r 11.1-RELEASE

Create a Jail with VNET/VIMAGE (Virtual Network Interface Stack) and DHCP

Command Example: iocage create -n "[Name]" -r [Release] vnet="on" bpf="yes" dhcp="on" allow_raw_sockets="1" boot="on" interfaces="vnet[N]:bridge[N]" resolver="search [DOMAIN];domain [DOMAIN];nameserver [DNS1 IP]

The following command creates a jail "test" from the "11.1-RELEASE" image with the following jail properties enabled, vnet/vimage network stack, Start on boot, and dhcp.

root@fn:~ # iocage create -n "test" -r 11.1-RELEASE vnet="on" bpf="yes" dhcp="on" allow_raw_sockets="1" boot="on" interfaces="vnet0:bridge0" resolver="search example.com;domain example.com;nameserver 10.0.0.1"

Create a Jail with VNET/VIMAGE (Virtual Network Interface Stack) and Static IP Configuration

Command Example: iocage create -n "[Name]" -r [Release] ip4_addr="vnet[N]|[IP]/[Mask]" defaultrouter="[IP]" vnet="on" allow_raw_sockets="1" boot="on" interfaces="vnet[N]:bridge[N]" resolver="search [DOMAIN];domain [DOMAIN];nameserver [DNS1 IP]"

root@fn:~ # iocage create -n "test" -r 11.1-RELEASE vnet="on" ip4_addr="vnet0|10.0.0.3/24" defaultrouter="10.0.0.1" vnet="on" allow_raw_sockets="1" boot="on" interfaces="vnet0:bridge0" resolver="search example.com;domain example.com;nameserver 10.0.0.1"

Create a Jail with a Shared IP

Command Example: iocage create -n "[Name]" -r [Release] ip4_addr="[IF]|[IP]/[MASK]" defaultrouter="[IP]" vnet="off" allow_raw_sockets="1" boot="on" resolver="search [DOMAIN];domain [DOMAIN];nameserver [DNS1 IP]"

root@fn:~ # iocage create -n "test" -r 11.1-RELEASE ip4_addr="igb0|10.0.0.100/24" defaultrouter="10.0.0.1" vnet="off" allow_raw_sockets="1" boot="on" resolver="search example.com;domain example.com;nameserver 10.0.0.1"

List Jails, Releases, and Plugins

List all Jails
root@fn:~ # iocage list

List all downloaded Releases
root@fn:~ # iocage list -r

List all available Templates
root@fn:~ # iocage list -t

List Remote Plugins
iocage list -PR
or
iocage list --plugins --remote

List Installed Plugins
iocage list -P
or
iocage list --plugins

Start, Stop, or Restart a Jail

Start a Jail

iocage start [JAIL NAME]

root@fn:~ # iocage start test

Stop a Jail

iocage stop [JAIL NAME]

root@fn:~ # iocage stop test

Restart a Jail

iocage restart [JAIL NAME]

root@fn:~ # iocage restart test

Configure a Jail

Set Jail Property

iocage set [PROPERTY]="[ARG]" [JAIL NAME]

root@fn:~ # iocage set notes="This is a test jail." test

Get Jail Property

iocage get [PROPERTY] [JAIL NAME]

root@fn:~ # iocage get notes test

Get All Properties of a Jail

iocage get all [JAIL NAME]

root@fn:~ # iocage get all test

Delete/Destroy a Jail

iocage destroy [JAIL NAME]

root@fn:~ # iocage destroy test

Rename a Jail

iocage rename [OLD JAIL NAME] [NEW JAIL NAME]

root@fn:~ # iocage rename test test2

Log in to a Jail

iocage console [JAIL NAME]

root@fn:~ # iocage console test

Run a command inside a Jail

iocage exec [JAIL NAME] "[COMMAND]"

root@fn:~ # iocage exec test "ls -lfa /etc"

Mount Dataset inside a Jail as Read Only

iocage fstab -a [JAIL NAME] /source/folder /destination/folder/in/jail nullfs ro 0 0

root@fn:~ # iocage fstab -a test /mnt/tank/share /mnt/share nullfs ro 0 0

Mount Dataset inside a Jail as Read and Write

iocage fstab -a [JAIL NAME] /source/folder /destination/folder/in/jail nullfs rw 0 0

root@fn:~ # iocage fstab -a test /mnt/tank/share /mnt/share nullfs rw 0 0

List Jail Mount Entries

iocage fstab -l [JAIL NAME]

root@fn:~ # iocage fstab -l test

Edit Jail Mount Entries

iocage fstab -e [JAIL NAME]

root@fn:~ # iocage fstab -e test

Remove a Jail Mount Entry

iocage fstab -r [JAIL NAME] [INDEX]

root@fn:~ # iocage fstab -r test 0

Create Jail Snapshot

iocage snapshot -n "[SNAPSHOT NAME]" [JAIL]
root@fn:~ # iocage snapshot -n "Recent Upgrade" test

List Jail Snapshots

iocage snaplist [JAIL]
root@fn:~ # iocage snaplist test

Remove/Delete Jail Snapshot

iocage snapremove -n "[SNAPSHOT NAME]" [JAIL]
root@fn:~ # iocage snapremove -n "Recent Upgrade" test

Rollback Jail to a Snapshot

iocage rollback -n "[SNAPSHOT NAME]" [JAIL]
root@fn:~ # iocage rollback -n "Recent Upgrade" test

Observations

DNS Resolver

When you create a Jail in iocage and skip to define the 'resolver' property, the iocage uses the host system's (in this case the FreeNAS host) default DNS settings defined in the '/etc/resolv.conf'.

If your FreeNAS has been configured as a Domain Controller, it resets the DNS setting in the '/etc/resolv.conf' to point to itself. Example: "nameserver 127.0.0.1". Incidentally, the iocage jail DNS is also set to 127.0.0.1. As a result, all the DNS queries within the jail fail because the jail points to itself as a nameserver where a name service does not exits. So, in order for the jail's DNS to work, we will need to manually define the resolver property for the jail.

And if you have a complicated network setup, like a switch with multiple VLANs. You will also need to define the 'defaultrouter' and 'interfaces' property so that the vnet interface is linked to the correct bridge interface and the bridge interface is link to the correct VLAN interface.

Helpful Commands

Check iocage version
root@fn:~ # iocage -v

iocage Help command
root@fn:~ # iocage --help

List all zpools on the FreeNAS
root@fn:~ # zpool list

Delete Release
iocage destroy -r [RELEASE NAME]
root@fn:~ # iocage destroy -r 11.0-RELEASE

Links and Resources

Friday 11 November 2016

How to Install and Setup Samba4 DC in a FreeNAS 9.10 Jail

بسم الله الرحمن الرحيم

Abstract

A tutorial to install Samba 4.3 as an Active Directory Domain Controller in a FreeNAS 9.10 Jail.
Configure and enable SSL for Samba's LDAP backend.

Assumptions and Prerequisites

Domain: example.com
Hostname: dc.example.com
OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
Container: Warden Jail
Jail Name: dc
Private IP: 10.0.0.58
Subnet Mask: 255.255.255.0/24
Main Router IP: 10.0.0.1
DNS Forwarder IP: 10.0.0.1 (main router)
Service: Samba 4.3.11
DNS: Internal Samba DNS
NTP Host IP: 10.0.0.1 (main router)
CA Certificate File: /usr/local/etc/ssl/certs/ca.pem
SSL Certificate File: /usr/local/etc/ssl/certs/dc.example.com.crt
SSL Key File: /usr/local/etc/ssl/private/dc.example.com.key

Instructions

Pre-installation setup

- Edit file /etc/rc.conf and change hostname to dc.example.com.
# vi /etc/rc.conf
(7) hostname="dc.example.com"

- Edit file /etc/hosts file and change the 10.0.0.58 -> dc.example.com dc
# vi /etc/hosts
(14) 127.0.0.1 localhost localhost.localdomain dc
(15) 10.0.0.58 dc.example.com dc

Installation

- Install samba43. Don't install samba44 or a newer version of samba than 4.3 because the newer versions doesn't come with ntvfs option anymore. i.e no --use-ntvfs option for zfs.
# pkg install samba43

- Provision Samba as an Active Directory Domain Controller
# samba-tool domain provision --use-ntvfs --use-rfc2307 --interactive
Realm [EXAMPLE.COM]: (press Enter)
Domain [EXAMPLE]: (press Enter)
Server Role (dc, member, standalone) [dc]: (press Enter)
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: (press Enter)
DNS forwarder IP address (write 'none' to disable forwarding) [10.0.0.1]: (press Enter)
Administrator password: (enter password)
Retype password: (re-enter password)

Query Result:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dc
NetBIOS Domain: EXAMPLE
DNS Domain: example.com
DOMAIN SID: S-1-5-21-458877043-2880298934-1173284452

- Edit the /etc/resolv.conf file for host dns to point to the samba DNS.
# vi /etc/resolv.conf
(1) search example.com
(2) domain example.com
(3) nameserver 127.0.0.1

- Create symbolic links for the kerberos keytab and config files in the /usr/local/etc directory.
# ln -s /var/db/samba4/private/krb5.conf /usr/local/etc/krb5.conf
# ln -s /var/db/samba4/private/dns.keytab /usr/local/etc/krb5.keytab

- Enable samba to run and also start at boot
# sysrc samba_server_enable="YES"

- Start samba server
# service samba_server start

Test Samba Server

- Verify LDAP Service DNS Record
# host -t SRV _ldap._tcp.example.com
Query Result: _ldap._tcp.example.com has SRV record 0 100 389 dc.example.com.

- Verify Kerberos Service DNS Record
# host -t SRV _kerberos._udp.example.com
Query Result: _kerberos._udp.example.com has SRV record 0 100 88 dc.example.com.

- Verify Domain Controller DNS Record
# host -t A dc.example.com
Query Result: dc.example.com has address 10.0.0.58

- Test Kerberos Authentication
# kinit administrator@EXAMPLE.COM
# klist
Query Result:
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrator@EXAMPLE.COM

Issued Expires Principal
Nov 6 21:16:46 2016 Nov 7 07:16:46 2016 krbtgt/EXAMPLE.COM@EXAMPLE.COM

- Test Samba File Server
# smbclient -L localhost -U%
Query Result:
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.3.11]

Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.3.11]
Server Comment
--------- -------

Workgroup Master
--------- -------

- Test Samba User Logon
# smbclient //localhost/netlogon -Uadministrator
Query Result:
Enter administrator's password:
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.3.11]
smb: \>

- List Domain Users
# wbinfo -u | sort

- List Domain Groups
# wbinfo -g | sort

Enable SSL for LDAP Backend

- Generate Self-Signed Certificate Authority, Server Certificate and Key.

- Edit file /usr/local/etc/smb4.conf to configure SSL certs
# vi /usr/local/etc/smb4.conf
(13) tls enabled = yes
(14) tls cafile = /usr/local/etc/ssl/certs/ca.pem
(15) tls certfile = /usr/local/etc/ssl/certs/dc.example.com.crt
(16) tls keyfile = /usr/local/etc/ssl/private/dc.example.com.key

- Restart samba server
# service samba_server restart

Samba Administration

- Download and Install Remote Server Administration Tools (RSAT) for Administration for Windows

Sunday 30 October 2016

How to install and configure Certbot in a FreeNAS Jail

بسم الله الرحمن الرحيم

Abstract

A tutorial to install and configure certbot within a FreeNAS Jail.
Certbot is 'Electronic Frontier Foundation's ' implementation to issue free automated SSL certificates for webservers that are recognised by popular web browsers.

Assumptions and Prerequisites

Domain: example.com
Hostname: www.example.com
OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
Container: Warden Jail
Jail Name: www
Private IP: 10.0.0.56
Subnet Mask: 255.255.255.0/24
Certbot Version: 0.9.3
Apache has already been installed.
Apache Version: 2.4.23
Apache Webroot directory: /usr/local/www/apache24/data
SSL Certificate File: /usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem
SSL Key File: /usr/local/etc/letsencrypt/live/www.example.com/privkey.pem
Apache is bound to port 80 and 443.
Port 80 and 443 forwarding is enabled on the router to allow access to Apache webserver from the Internet.
Email: info@example.com (required to recover lost account details from certbot).

Instructions

- Install certbot
# pkg install py27-certbot

- Configure domain
# certbot certonly
Follow installer instructions
domain: www.example.com
webroot: /usr/local/www/apache24/data
email: info@example.com

- Test certs renewal
# certbot renew --dry-run

- Renew certs (Renews certs on port 80 for 90 days. Will not renew cert if expiry date of cert is less than 30 days).
# certbot renew --quiet

- Force cert renewal with current issue date
# certbot renew --quiet --force-renewal

- Renew cert with a higher rsa-key size 4096
# certbot renew --quiet --rsa-key-size 4096

- Force cert renewal on https port 443 with a higher rsa-key size 4096
# certbot renew --quiet --rsa-key-size 4096 --force-renewal --tls-sni-01-port 443

- Change SSL Cert file paths in Apache to point to the new location of certbot's certificates
# vi /usr/local/etc/apache24/extra/httpd-ssl.conf
(144) SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem"
(154) SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.example.com/privkey.pem"
(175) #SSLCACertificateFile "/usr/local/etc/ssl/certs/ca.pem"

- Reload Apache config after certs renewal
# apachectl -k graceful

- Setup a cron job in FreeNAS to auto renew certs and reload the new apache settings with the following command.
# jexec www certbot renew --quiet --rsa-key-size 4096 && jexec www apachectl -k graceful

- Test the new SSL certs at the SSLABS website. This should give you an A+ on the SSL report.

- Links

Friday 28 October 2016

How to install a secure Wordpress CMS in a FreeNAS Jail

بسم الله الرحمن الرحيم

Abstract

A tutorial to install a secure Wordpress CMS on a FreeNAS 9.10.1 Jail.

Assumptions and Prerequisites

Domain: example.com
Hostname: www.example.com
OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
Container: Warden Jail
Jail Name: www
Private IP: 10.0.0.56
Subnet Mask: 255.255.255.0/24
Database Server Name: db.example.com
Database Type and Version: MariaDB v10.1.18
Database Server IP: 10.0.0.57
Database Username: n7if835 (random generated)
Database Password: TunTeR3MPzqHy1KD (should be randomly generated)
Database Name: n7if835 (random generated)
Database Table Prefix: 24686nj9po7_ (should be randomly generated)
Database Server has SSL configured and enabled.
Apache has already been installed.
php56 and the necessary extensions are already installed.
Apache Webroot directory: /usr/local/www/apache24/data/
Apache 'AllowOverride' set to 'All'
Wordpress Version: 4.6.1

Instructions

Environment Setup

- Create a database 'n7if835' with username 'n7if835' with all privileges (Data, Structure, and Administration) and password 'TunTeR3MPzqHy1KD'

- Enable mod_rewrite module in apache by editing the file /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
(177) LoadModule rewrite_module libexec/apache24/mod_rewrite.so

- Install package wget to download wordpress archive
# pkg install wget

Install and Configure Wordpress

- Download wordpress from http://wordpress.org/latest.tar.gz
# cd /tmp
# wget http://wordpress.org/latest.tar.gz
- Unzip archive /tmp/latest.tar.gz
# tar xvf latest.tar.gz

- Copy /tmp/wordpress/ contents to webroot directory /usr/local/www/apache24/data/
# cp -Rfv /tmp/wordpress/* /usr/local/www/apache24/data/

- Goto https://www.example.com/ via web browser and follow the installation instructions.

- Enter the following Database details:
Database Name: n7if835
Username: n7if835
Password: TunTeR3MPzqHy1KD
Database Host: db.example.com
Table Prefix: 24686nj9po7_

- Copy the generated code by wordpress installer into the file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php

- Click on the 'Run the Install' button and that will create the necessary database tables.

- Enter the following Site details:
Site Title: www.exampl.com
Username: webmin2001 (for security reasons don't use anything like 'admin')
Password: (Enter strong password)
Your Email: (your email address for this wordpress admin account)

- Enable Direct File System access by wordpress
# chmod -Rv 775 /usr/local/www/apache24/data/wp-content
- Edit file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
(40) /** If you don't want to use FTP to add/delete/update plugins/themes then define this option. **/
(41) define('FS_METHOD','direct');

- Test by deleting and adding a plugin or theme.

Securing Wordpress

- Enable DB SSL Connection by Wordpress
Edit File /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
(43) /** Force Wordpress to use SSL connection to Database **/
(44) define('MYSQL_CLIENT_FLAGS', MYSQL_CLIENT_SSL);

- Goto https://www.example.com/phpmyadmin via web browser and change the following details:
Username: n7if835 SSL setting from 'REQUIRE NONE' to 'REQUIRE SSL'.
Remove Administration Privileges for user n7if835

- Disable file editing for editing plugins and themes.
Edit file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
(46) /** Disable File Editing **/
(47) define('DISALLOW_FILE_EDIT', true);

- Force SSL Logins and SSL Admin Access
# vi /usr/local/www/apache24/data/wp-config.php
(49) /** Force SSL Logins **/
(50) define('FORCE_SSL_LOGIN', true);
(51)
(52) /** Force SSL Admin Access **/
(53) define('FORCE_SSL_ADMIN', true);

- Delete files 'license.txt' and 'readme.html' in the wordpress root directory and also 'install.php' in wp-admin directory because they are possible site security holes.
# rm -v /usr/local/www/apache24/data/license.txt
# rm -v /usr/local/www/apache24/data/readme.html
# rm -v /usr/local/www/apache24/data/wp-admin/install.php

- Make the file /usr/local/www/apache24/data/wp-config.php only readable by user and group
# chmod 440 /usr/local/www/apache24/data/wp-config.php

- Move the file /usr/local/www/apache24/data/wp-config.php up one directory to prevent web users access.
# mv /usr/local/www/apache24/data/wp-config.php /usr/local/www/apache24/wp-config.php

- Disable php functions that are not needed (good practice if website is on a shared host).
# vi /usr/local/etc/php.ini
(303) disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

- Turn off expose_php in php.ini
# vi /usr/local/etc/php.ini
(363) expose_php = Off

- Disable opening urls as files
# vi /usr/local/etc/php.ini
(831) allow_url_fopen = Off

- Create .htaccess file in the wordpress root directory and write the following to prevent web directory browsing, user enumeration, includes directory access, hotlinking of images, and users from reading the wp-config file.
# vi /usr/local/www/apache24/data/.htaccess
(1) Options -Indexes +FollowSymLinks
(2)
(3) <IfModule mod_rewrite.c>
(4) RewriteEngine On
(5) RewriteBase /
(6)
(7) # Enable Permalinks to work
(8) RewriteRule ^index\.php$ - [L]
(9) RewriteCond %{REQUEST_FILENAME} !-f
(10) RewriteCond %{REQUEST_FILENAME} !-d
(11) RewriteRule . /index.php [L]
(12)
(14) # Prevent user enumeration
(15) RewriteCond %{QUERY_STRING} ^author=([0-9]*)
(16) RewriteRule .* https://www.example.com/? [L,R=302]
(17) RewriteRule ^wp-admin/includes/ - [F,L]
(18)
(19) # Prevent includes directory access
(20) RewriteRule !^wp-includes/ - [S=3]
(21) RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
(22) RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
(23) RewriteRule ^wp-includes/theme-compat/ - [F,L]
(24)
(25) # Disable hotlinking of images with forbidden or custom image option
(26) RewriteCond %{HTTP_REFERER} !^$
(27) RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example.com [NC]
(28) RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
(29) RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?feeds2.feedburner.com/example [NC]
(30) RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]
(31)
(32) # Disable XMLRPC
(33) RewriteRule ^xmlrpc.php$ "http://0.0.0.0/" [R=301,L]
(34)
(35) # Restrict access to plugins and themes php files from unauthorised users
(36) RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
(37) RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
(38) RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
(39) RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
(40) RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
(41) RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
(42)
(43) # Prevent Script injections
(44) RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
(45) RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
(46) RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
(47) RewriteRule ^(.*)$ index.php [F,L]
(48) </IfModule>
(49)
(50) # Protect wp-config.php from user access
(51) <files wp-config.php>
(52) Require all denied
(53) </files>

- Prevent execution of php scripts in the uploads directory
# vi /usr/local/www/apache24/data/wp-content/uploads/.htaccess
(1) # Disable php file execution
(2) <files *.php>
(3) Require all denied
(4) </files>