How to install and configure Certbot in a FreeNAS Jail

بسم الله الرحمن الرحيم

Abstract

• A tutorial to install and configure certbot within a FreeNAS Jail.
• Certbot is 'Electronic Frontier Foundation's ' implementation to issue free automated SSL certificates for webservers that are recognised by popular web browsers.  

Assumptions and Prerequisites

• Domain: example.com
• Hostname: www.example.com
• OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
• Container: Warden Jail
• Jail Name: www
• Private IP: 10.0.0.56
• Subnet Mask: 255.255.255.0/24
• Certbot Version: 0.9.3
• Apache has already been installed.
• Apache Version: 2.4.23
• Apache Webroot directory: /usr/local/www/apache24/data
• SSL Certificate File: /usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem
• SSL Key File: /usr/local/etc/letsencrypt/live/www.example.com/privkey.pem 
• Apache is bound to port 80 and 443.
• Port 80 and 443 forwarding is enabled on the router to allow access to Apache webserver from the Internet.
• Email: info@example.com (required to recover lost account details from certbot).

Instructions

- Install certbot
# pkg install py27-certbot

- Configure domain
# certbot certonly
Follow installer instructions
    domain: www.example.com
    webroot: /usr/local/www/apache24/data
    email: info@example.com

- Test certs renewal
# certbot renew --dry-run 

- Renew certs (Renews certs on port 80 for 90 days. Will not renew cert if expiry date of cert is less than 30 days).
# certbot renew --quiet

-  Force cert renewal with current issue date
# certbot renew --quiet --force-renewal

- Renew cert with a higher rsa-key size 4096
# certbot renew --quiet --rsa-key-size 4096 

-  Force cert renewal on https port 443 with a higher rsa-key size 4096
# certbot renew --quiet --rsa-key-size 4096 --force-renewal --tls-sni-01-port 443

- Change SSL Cert file paths in Apache to point to the new location of certbot's certificates
# vi /usr/local/etc/apache24/extra/httpd-ssl.conf
   (144)  SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem"
   (154)  SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.example.com/privkey.pem"
   (175)  #SSLCACertificateFile "/usr/local/etc/ssl/certs/ca.pem"

- Reload Apache config after certs renewal
# apachectl -k graceful

- Setup a cron job in FreeNAS to auto renew certs and reload the new apache settings with the following command.
# jexec www certbot renew --quiet --rsa-key-size 4096 && jexec www apachectl -k graceful

- Test the new SSL certs at the SSLABS website. This should give you an A+ on the SSL report.

- Links

• https://certbot.eff.org/
• https://www.ssllabs.com/ssltest/index.html

How to install a secure Wordpress CMS in a FreeNAS Jail

بسم الله الرحمن الرحيم

Abstract 

A tutorial to install a secure Wordpress CMS on a FreeNAS 9.10.1 Jail.

Assumptions and Prerequisites

• Domain: example.com
• Hostname: www.example.com
• OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
• Container: Warden Jail
• Jail Name: www
• Private IP: 10.0.0.56
• Subnet Mask: 255.255.255.0/24
• Database Server Name: db.example.com
• Database Type and Version: MariaDB v10.1.18
• Database Server IP: 10.0.0.57
• Database Username: n7if835 (random generated)
• Database Password: TunTeR3MPzqHy1KD (should be randomly generated)
• Database Name: n7if835 (random generated)
• Database Table Prefix: 24686nj9po7_ (should be randomly generated)
• Database Server has SSL configured and enabled.
• Apache has already been installed.
• php56 and the necessary extensions are already installed.
• Apache Webroot directory: /usr/local/www/apache24/data/
• Apache 'AllowOverride' set to 'All'
• Wordpress Version: 4.6.1

Instructions

Environment Setup

- Create a database 'n7if835' with username 'n7if835' with all privileges (Data, Structure, and Administration) and password 'TunTeR3MPzqHy1KD'

- Enable mod_rewrite module in apache by editing the file /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (177)   LoadModule rewrite_module libexec/apache24/mod_rewrite.so

- Install package wget to download wordpress archive
# pkg install wget

Install and Configure Wordpress

- Download wordpress from http://wordpress.org/latest.tar.gz
# cd /tmp
# wget http://wordpress.org/latest.tar.gz
- Unzip archive /tmp/latest.tar.gz
# tar xvf latest.tar.gz

- Copy /tmp/wordpress/ contents to webroot directory /usr/local/www/apache24/data/
# cp -Rfv /tmp/wordpress/* /usr/local/www/apache24/data/

- Goto https://www.example.com/ via web browser and follow the installation instructions.

- Enter the following Database details:
        Database Name: n7if835
        Username: n7if835
        Password: TunTeR3MPzqHy1KD
        Database Host: db.example.com
        Table Prefix: 24686nj9po7_

- Copy the generated code by wordpress installer into the file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php

- Click on the 'Run the Install' button and that will create the necessary database tables.

- Enter the following Site details:
        Site Title: www.exampl.com
        Username: webmin2001 (for security reasons don't use anything like 'admin')
        Password: (Enter strong password)
        Your Email: (your email address for this wordpress admin account)

- Enable Direct File System access by wordpress
# chmod -Rv 775 /usr/local/www/apache24/data/wp-content
- Edit file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
   (40)    /** If you don't want to use FTP to add/delete/update plugins/themes then define this option. **/
   (41)    define('FS_METHOD','direct');

- Test by deleting and adding a plugin or theme.

Securing Wordpress

- Enable DB SSL Connection by Wordpress
Edit File /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
   (43)    /** Force Wordpress to use SSL connection to Database **/
   (44)    define('MYSQL_CLIENT_FLAGS', MYSQL_CLIENT_SSL);

- Goto https://www.example.com/phpmyadmin via web browser and change the following details:
           Username: n7if835 SSL setting from 'REQUIRE NONE' to 'REQUIRE SSL'.
           Remove Administration Privileges for user n7if835

- Disable file editing for editing plugins and themes.
Edit file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
   (46)    /** Disable File Editing **/
   (47)    define('DISALLOW_FILE_EDIT', true);

- Force SSL Logins and SSL Admin Access
# vi /usr/local/www/apache24/data/wp-config.php
   (49)    /** Force SSL Logins **/
   (50)    define('FORCE_SSL_LOGIN', true);
   (51)
   (52)    /** Force SSL Admin Access **/
   (53)    define('FORCE_SSL_ADMIN', true);

- Delete files 'license.txt' and 'readme.html' in the wordpress root directory and also 'install.php' in wp-admin directory because they are possible site security holes.
# rm -v /usr/local/www/apache24/data/license.txt 
# rm -v /usr/local/www/apache24/data/readme.html
# rm -v /usr/local/www/apache24/data/wp-admin/install.php

- Make the file /usr/local/www/apache24/data/wp-config.php only readable by user and group
# chmod 440 /usr/local/www/apache24/data/wp-config.php

- Move the file /usr/local/www/apache24/data/wp-config.php up one directory to prevent web users access.
# mv /usr/local/www/apache24/data/wp-config.php /usr/local/www/apache24/wp-config.php

- Disable php functions that are not needed (good practice if website is on a shared host).
# vi /usr/local/etc/php.ini
    (303)  disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

- Turn off expose_php in php.ini
# vi /usr/local/etc/php.ini
    (363)  expose_php = Off

- Disable opening urls as files
# vi /usr/local/etc/php.ini
    (831)  allow_url_fopen = Off

- Create .htaccess file in the wordpress root directory and write the following to prevent web directory browsing, user enumeration, includes directory access, hotlinking of images, and users from reading the wp-config file.
# vi /usr/local/www/apache24/data/.htaccess
    (1)    Options -Indexes +FollowSymLinks
    (2)  
    (3)    <IfModule mod_rewrite.c>
    (4)    RewriteEngine On
    (5)    RewriteBase /
    (6)
    (7)    # Enable Permalinks to work
    (8)    RewriteRule ^index\.php$ - [L]
    (9)    RewriteCond %{REQUEST_FILENAME} !-f
    (10)   RewriteCond %{REQUEST_FILENAME} !-d
    (11)   RewriteRule . /index.php [L]
    (12)
    (14)   # Prevent user enumeration
    (15)   RewriteCond %{QUERY_STRING} ^author=([0-9]*)
    (16)   RewriteRule .* https://www.example.com/? [L,R=302]
    (17)   RewriteRule ^wp-admin/includes/ - [F,L]
    (18)
    (19)   # Prevent includes directory access
    (20)   RewriteRule !^wp-includes/ - [S=3]
    (21)   RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    (22)   RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    (23)   RewriteRule ^wp-includes/theme-compat/ - [F,L]
    (24)
    (25)   # Disable hotlinking of images with forbidden or custom image option
    (26)   RewriteCond %{HTTP_REFERER} !^$
    (27)   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example.com [NC]
    (28)   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
    (29)   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?feeds2.feedburner.com/example [NC]
    (30)   RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]
    (31)
    (32)   # Disable XMLRPC
    (33)   RewriteRule ^xmlrpc.php$ "http://0.0.0.0/" [R=301,L]
    (34)
    (35)   # Restrict access to plugins and themes php files from unauthorised users
    (36)   RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
    (37)   RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
    (38)   RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
    (39)   RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
    (40)   RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
    (41)   RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
    (42)
    (43)   # Prevent Script injections
    (44)   RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    (45)   RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
    (46)   RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
    (47)   RewriteRule ^(.*)$ index.php [F,L]
    (48)   </IfModule>
    (49)
    (50)   # Protect wp-config.php from user access
    (51)   <files wp-config.php>
    (52)   Require all denied
    (53)   </files>

- Prevent execution of php scripts in the uploads directory
# vi /usr/local/www/apache24/data/wp-content/uploads/.htaccess
    (1)    # Disable php file execution
    (2)    <files *.php>
    (3)    Require all denied
    (4)    </files>

How To Batch Convert/Transcode Videos Using VLC Media Player

بسم الله الرحمن الرحيم

In the Name of Allah. The Most gracious, The Most Merciful

Synopsis:

This is a tutorial on how to Transcode and Convert Video Files into MP4 (MPEG-4) format with 1024kbps bitrate using the H.264 Video Codec and the MP3 Audio Codec.

Assumptions and Prerequisites:

• OS: Microsoft Windows 7
• VLC Media Player (Version: 2.0.2) is already installed. 
• Type of Videos: Home Movies.
• User Level: Administrator
• Scripting Language: Visual Basic Script (VBS)
• Working Folder: D:\VLC
• Script File Path and Name: D:\VLC\vlc.batch.transcode.videos.to.mp4.vbs
• Source Folder: D:\VLC\Source
• Target Folder: D:\VLC\Target
• VLC Program Path:  C:\Program Files (x86)\VideoLAN\VLC 
• Video Bitrate: 1024kbps
• Video Container: MP4
• Video Codec: H.264
• Audio Codec: MP3
• Audio Bitrate: 128kbps
• Audio Channels: 2 (Stereo)
• Audio Sample Rate: 44100Hz (CD Quality)

Instructions:

1. Download the VLC Script Directory from here and save it on your Computer.

2. Extract the "VLC.rar" file to any Directory of your choice. eg. "D:"

3. Copy the Videos you want to transcode/convert into the "D:\VLC\Source" Folder.

4. Right-Click on  "D:\VLC\vlc.batch.transcode.videos.to.mp4.vbs" file and select "Run with Command Prompt".

5. The new transcoded files will be saved in the Target Folder.

Conclusion:

When the Transcoding is in progress, the VLC Media player window will stay open but no video output will be available and then close after the video has been transcoded. And this will repeat for each video transcoding.

When the Transcoding has been completed, you should see all the video files converted in the Target Folder. Any non-video files (eg. *.JPG) available in the Source Folder will be copied to the Target Folder without any change. When you have verified the files in the Target Folder, you can then go on and delete everything underneath the Source Folder.

If you aspire for  a better video quality, then increase the Video Bitrate(strBitrate) in the D:\VLC\vlc.batch.transcode.videos.to.mp4.vbs file before Transcoding. If you increase the Video Bitrate more than 1024kbps, then you would end up with a larger file size with no significant increase in Video quality and that would defeat the purpose of Transcoding these video files. For home movies recorded with a typical Sony Cybershot or a Canon DSLR camera, the 1024kbps bitrate strikes the perfect balance between quality and smaller file size for the video.

If this Post made your life a lot easier, then please leave a small donation as a token of your appreciation. :-)

Links:

1. http://episteme.arstechnica.com/eve/forums/a/tpc/f/12009443/m/516001349831
2. http://wiki.videolan.org/How_to_Batch_Encode 
3. http://wiki.videolan.org/Transcode
4. http://taylor.veltrop.com/software/transcode%201.1%20release.vbs
5. http://www.jaleeltech.com.au/download/VLC.rar