Category: BlogPower

Configuring an IPv6 firewall on LINUX.

Hello everyone,

While implementing IPv6 on my OVH platform, I had the opportunity to install SHOREWALL6 alongside the SHOREWALL I already use (which only handles IPv4).
SHOREWALL6 thus adds IPv6 support next to SHOREWALL. I chose SHOREWALL because it is very simple and quick to configure:
the firewall is configured through plain text files and ships with many example configurations.

In its "advanced" mode it offers features such as enabling/disabling a rule without touching the service (the SWITCH column, driven by a flag under /proc/net/nf_condition that the condition match of xtables-addons provides),
or enabling/disabling a rule only within a specific UTC time window (the TIME column, which uses netfilter's time match); on Debian the condition match comes with the xtables-addons-common package.

On my XEN/DEBIAN hypervisor I have the following installed (note that a "lite" variant, shorewall6-lite, also exists):

ii  shorewall                            5.2.8-2                         all          Shoreline Firewall, netfilter configurator
ii  shorewall-core                       5.2.8-2                         all          Shorewall core components
ii  shorewall6                           5.2.8-2                         all          Shoreline Firewall (IPv6 version), netfilter configurator

Log configuration:

The ulogd2 service has the advantage here of separating the IPv4 and IPv6 logs: each firewall logs to its own NFLOG group, and ulogd writes each group to its own file.

#/etc/ulogd.conf
[global]
logfile="syslog"
loglevel=3
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_ULOG.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_UNIXSOCK.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2BIN.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2HBIN.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTFLOW.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_MARK.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu4:LOGEMU
stack=log6:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu6:LOGEMU

...

[log4]
group=4
numeric_label=4
[log6]
group=6
numeric_label=6
attach_conntrack=1
bind=1

...

[emu4]
file="/var/log/firewall/nflog4.log"
sync=1
[emu6]
file="/var/log/firewall/nflog6.log"
sync=1

Then we add the retention/rotation policy:

# cat /etc/logrotate.d/ulogd2firewall

/var/log/firewall/*.log {
    rotate 15
    daily
    missingok
    compress
    delaycompress
    sharedscripts
    create 640 ulog adm
    postrotate
        if [ -d /run/systemd/system ] && command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet ulogd2.service; then
            systemctl kill --kill-who main --signal=SIGHUP ulogd2.service
        else
            invoke-rc.d ulogd2 reload > /dev/null
        fi
    endscript
}

SHOREWALL6 configuration:

Global configuration file; here we enable the firewall at boot and set the path of the IPv6 firewall log (LOGFILE only tells the shorewall6 CLI where to read the log for "shorewall6 show log"; the entries themselves reach that file through NFLOG and ulogd):

#/etc/shorewall6/shorewall6.conf

STARTUP_ENABLED=Yes
...
LOG_LEVEL="info"
...
LOGFILE=/var/log/firewall/nflog6.log
...

Here I define these zones:

– one for the INTERNET
– one for the FIREWALL (here my XEN hypervisor itself)
– one for the "servers", i.e. the virtual machines hosted on it.

Each zone is attached to an interface, except the "FIREWALL" zone, which is the host itself:

#/etc/shorewall6/zones
#ZONE           TYPE            OPTIONS
zfw6            firewall
znet6           ipv6
zsrv6           ipv6

Here I define my interfaces and attach them to my zones:

#/etc/shorewall6/interfaces
###############################################################################
?FORMAT 2
###############################################################################
#ZONE   INTERFACE       OPTIONS
znet6           eno1            dhcp,tcpflags,nosmurfs,sourceroute=0
zsrv6           xenbr0          dhcp,tcpflags,nosmurfs

Policy-wise I have this:

#/etc/shorewall6/policy
#-----------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall6-policy"
#
##############################################################################
#SOURCE DEST            POLICY          LOGLEVEL        RATE    CONNLIMIT
$FW     znet6           ACCEPT          $LOG_LEVEL
#$LOG_LEVEL
$FW     zsrv6           ACCEPT          $LOG_LEVEL
#$LOG_LEVEL
znet6   all             DROP            $LOG_LEVEL
zsrv6   all             DROP            $LOG_LEVEL

# The FOLLOWING POLICY MUST BE LAST
all     all             REJECT          $LOG_LEVEL

Rules-wise I define the following; nothing complicated: I block incoming connections, except SSH from the administration machine (znet6:$MGMT_SERVERS) and from the virtual machines.
One IPv6 caveat: never block ICMPv6 wholesale, since Neighbor Discovery and Path MTU Discovery depend on it. Ping(DROP) only drops echo requests; after compiling, check with "shorewall6 dump" that the ICMPv6 types needed for neighbor discovery are still accepted ahead of the final DROP.

#/etc/shorewall6/rules
######################################################################################################################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS         SWITCH          HELPER
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

# Drop packets in the INVALID state / block ping:
Invalid(DROP)           znet6                   $FW             tcp
Ping(DROP)              znet6                   $FW

ACCEPT                  $FW                     znet6           all

ACCEPT:$LOG             znet6:$MGMT_SERVERS     $FW             tcp     22

ACCEPT:$LOG             zsrv6                   $FW             tcp     22

DROP:$LOG               znet6                   $FW             all

In the params file I define the variables used by my firewall: here the LOG target and the list of "admin" IPs. The NFLOG group (6) must match the group= of the [log6] input in ulogd.conf, otherwise the logged packets end up nowhere:

#/etc/shorewall6/params
#
# Assign any variables that you need here.
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall6 programs
#
# Example:
#
#       NET_IF=eth0
#       NET_OPTIONS=dhcp,nosmurfs
#
# Example (/etc/shorewall6/interfaces record):
#
#       net     $NET_IF         -       $NET_OPTIONS
#
# The result will be the same as if the record had been written
#
#       net     eth0            -       dhcp,nosmurfs
#
###############################################################################
MGMT_SERVERS="2a01:zzz:zzz:zzzz::zzzz:zzzz"
LOG="NFLOG(6,,)"
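As an added example (not part of the original post, nor Shorewall or ulogd code), here is a small shell script that reads the nflog6.log file produced by the setup above and ranks the dropped sources, optionally for one destination port. The line layout it assumes is ulogd's LOGEMU output (date, host, the Shorewall prefix, then the IN=/OUT=/SRC=/DST=/PROTO=/DPT= fields); the sample lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): summarise DROP entries written by
# ulogd to /var/log/firewall/nflog6.log, ranked by source address.
# Assumed line format = ulogd LOGEMU output (date, host, Shorewall prefix, then
# the IN=/OUT=/SRC=/DST=/PROTO=/DPT= fields); the sample lines below are constructed.
set -eu

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  1 10:00:01 xen1 Shorewall:znet6-zfw6:DROP: IN=eno1 OUT= SRC=2001:db8:1::10 DST=2001:db8::1 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 SYN
Mar  1 10:00:02 xen1 Shorewall:znet6-zfw6:DROP: IN=eno1 OUT= SRC=2001:db8:1::10 DST=2001:db8::1 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=51001 DPT=22 WINDOW=65535 SYN
Mar  1 10:00:03 xen1 Shorewall:znet6-zfw6:DROP: IN=eno1 OUT= SRC=2001:db8:1::10 DST=2001:db8::1 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=51002 DPT=3389 WINDOW=65535 SYN
Mar  1 10:00:04 xen1 Shorewall:znet6-zfw6:DROP: IN=eno1 OUT= SRC=2001:db8:2::20 DST=2001:db8::1 LEN=80 TC=0 HOPLIMIT=48 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 SYN
Mar  1 10:00:05 xen1 Shorewall:znet6-zfw6:ACCEPT: IN=eno1 OUT= SRC=2001:db8:3::30 DST=2001:db8::1 LEN=80 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=TCP SPT=44000 DPT=22 WINDOW=65535 SYN
EOF

# Print "count source" for DROP entries, most frequent first.
#   $1 = log file, $2 = optional destination port to restrict the count to
top_dropped_sources() {
    awk -v port="${2:-}" '
        /Shorewall6?:[^ ]*:DROP:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && (port == "" || dpt == port)) count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' "$1" | sort -k1,1nr -k2,2
}

# Standalone run: all drops, then drops aimed at SSH only.
top_dropped_sources "$SAMPLE_LOG"
top_dropped_sources "$SAMPLE_LOG" 22
```

On the hypervisor the call becomes top_dropped_sources /var/log/firewall/nflog6.log 22; ACCEPT entries (the policy above logs them too) are ignored, so the output only reflects what the firewall refused.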

Finally, to manage SHOREWALL/SHOREWALL6 I use these commands:

#check the configuration
shorewall6 check

#reload (compiles and applies the new configuration)
shorewall6 restart

#collect configuration and runtime information for debugging
shorewall6 dump > /tmp/debug_shorewall6_dump

Once everything is fine, I also enable the SYSTEMD service:

shorewall6 stop

systemctl enable shorewall6.service

systemctl restart shorewall6.service

systemctl status shorewall6.service

See you soon!


Sources:

Configuration examples (debian/ubuntu):
/usr/share/doc/shorewall6/examples/

https://sourceforge.net/p/shorewall/mailman/shorewall-users/
https://shorewall.org/Documentation_Index.html#Index

https://www.pivert.org/?s=shorewall
https://www.ipsidixit.net/tag/ipv6-networking/

End-Fed 40m setup – part 2

Hello everyone,

In the last article I installed a wire antenna for ham radio called "end-fed 40m"; here I propose an improvement, after the last storm
(Louis, in France) destroyed the coaxial line of the end-fed. So I decided to update it with a new 64:1 balun (from BH7JYR, going from the 150 W to the 400 W model).

I did not change the wire part, I simply swapped the balun. I also improved the coaxial line by adding a ferrite with 10 turns of coax on it (about 60 cm from the balun).
I also improved the line by adding a support for the ferrites and the coaxial cable, which carries the weight of the assembly and avoids pulling on the coaxial cable.

The last improvement is a "new" system I discovered: using a "delta loop" configuration to replace the single-wire system (4% of the 80m band here);
it really improved the antenna system (see photo).

Here is the results table:

Here is a small photo:

73 to all,

Coupe du REF 2024, phone section

Hello everyone,

Here is a short report on my Coupe du REF 2024 following my move to département 79. As I am still learning Morse code,
I only took part in the phone section. This year I decided to enter the Coupe du REF in QRP without assistance (no cluster/internet),
a first in QRP for me.

After the storm, a tree had fallen on my End-Fed 40m, so I had to rush to put everything back up the day before the contest.
The neighbour came to cut down the tree; in the end, more fear than harm.

Early in the morning I went to start and there was an RF feedback/SWR problem on the antenna (only on 40/80).
After checking, the balun box must have had a short circuit or a bad contact.

I checked the antenna with the MFJ analyser, lowered it a few metres and reworked the balun contacts by headlamp.
I finally managed to get started!

Because of my change of département (44 to 79) many OMs struggled when I sent my exchange (the control group),
especially in QRP. I must say this is what cost me the most time this year (about 20% of the time per QSO, I would say).

In some cases I even had an OM who simply pretended not to hear me any more because he did not know how, or did not want, to correct his log :/

Apart from these small QTH annoyances, I was able to progress in the contest; the hours went by and, to my great surprise, I contacted Michel FK8IK
from Nouméa. I had already had the opportunity to hear him on 20m but I had never contacted that QTH before!

I must say that not having Internet during the contest (so no spots) did not bother me much: I changed bands
more by instinct than by machine, and I found it very pleasant and more interesting to hunt QTHs by hand and to listen more!

In the end I only called CQ twice; I realised that against QRO stations it was not possible to call in QRP.
So I did nothing but search-and-pounce for the whole contest.

The LIVE-SCORE on a screen motivated me a lot; Gérard F6EEQ served as my pacer (for a mainly CW operator I take my hat off to him).
I battled all along to get ahead of him, and in the end it was on Sunday late afternoon that I managed to pass him.

So I went all out until the end to finish at 411 QSOs, and I slightly exceeded the limit as a result: single-operator is limited to 28 h
with 8 consecutive hours off, and I must have done ~37 h of operating with only 6 h off (! note for next year).

In the end I am missing the départements: 4, 5, 6, 9, 10, 12, 20, 26, 42, 55, 61, 65, 68, 70, 75, FG, FJ, FH, FM, FO, FP, FR, FT, FW.
I will do better next year (especially for the number of QSOs on 10/15m, where I did not do much).

73 to all and see you next year,

 


End-Fed 40m setup

Hello everyone,

During December I carried out tests on the EFHW End-Fed antenna (made by BH7JYR; 4-band design by K4EDF, improved by BD5IK).
The antenna is made of 2.5 mm² wire and is approximately 40 m long.

Initially I was able to test the 20m version with a coil for 80m, but having a 40 m garden
I switched to the 40m version (8 bands).

Here is the last test:
– I raised the antenna by 80 cm, to 1.5 m along the whole wire (V-shaped configuration, balun at 4.2 m, 5.4 m 10 m further on, the end at 5 m).
– I was able to shorten the coax from 30 m to 23 m.
– 10, 11 and 12m are improved (better resonances and bandwidth).
– Reactance increases a little with the higher setup.

Test with two FT240-43 ferrites (one placed at the transmitter, the other ~60 cm from the balun).
During this test I was able to obtain a match on 60m, which is improbable for this type of antenna;
you still have to disconnect the counterpoise to achieve it (see table on the right):

– adding the ferrites reduces the reactance of the antenna (except on 80m, but the bandwidth increases a little).

Initial test (no ferrites):

Conclusion: I am very happy with this antenna; it is a good compromise between the 8 bands covered and its general efficiency.
I still need to improve the antenna's ground, put in a real stake and retouch the counterpoise a little.

Here are some photos:
– note that I attached the ferrite to the counterpoise to reduce the load on the coaxial cable.

73 to all,

PHP code profiling (debian12/php8.2 + WinCacheGrind).

Hello everyone,

Here is my setup for PHP code profiling during development; it is very useful for identifying the code calls that take time when loading a page,
for example a forgotten memory cache or an SQL query to optimise. Keep it on a development host only: in the trigger mode configured below,
any client that appends XDEBUG_PROFILE to a request makes the server write a profile to disk (Xdebug 3 can require a secret value through xdebug.trigger_value).

First you need the PHP module; here I am using the XDEBUG 3.2.1 Debian package for PHP 8.2.
The setup is very simple:

aptitude install php8.2-xdebug

vim /etc/php/8.2/mods-available/xdebug.ini

zend_extension=xdebug.so

; Xdebug 3 settings (xdebug.profiler_enable_trigger was an Xdebug 2 option and was removed in Xdebug 3;
; xdebug.mode + xdebug.start_with_request=trigger replace it)
xdebug.mode = profile
xdebug.start_with_request = trigger
xdebug.output_dir = /your/tmp/
xdebug.profiler_output_name = cachegrind.out.%p

/etc/init.d/apache2 restart

To obtain the cachegrind file, simply call your URL adding "XDEBUG_PROFILE=1":
http://yoururl/?XDEBUG_PROFILE=1

Then open it in your cachegrind viewer; here I am using the old "WinCacheGrind" program, and you will obtain something like this:
You can now sort all your code by function and loading time:

Good luck with your debugging session 😉

 

Security hardening in WordPress

Here I suggest a few ways to raise the security level of your WordPress instance. I use an APACHE service with NGINX in front for the SSL part and VARNISH for the cache.
On the software side there are WP extensions such as "WP Hardening" to secure the application, but that is not all: the application server / reverse proxy part is just as important.


APACHE configuration:

Here we block the readme.txt / readme.html files (plugins ship them and they reveal versions), all of xmlrpc.php (pingback abuse), and access to the ".git" folder and repository metadata (.gitignore, .gitlab-ci.yml).
We also protect the WP instance from user enumeration through the wp/v2/users REST call. On Apache 2.4, prefer "Require all denied" to the old Order/Deny syntax, which only works with mod_access_compat. Also block the "?rest_route=/wp/v2/users" query form, which a test on REQUEST_URI alone lets through, and keep in mind that the "/?author=N" redirect is another enumeration path:

#############################################
# Vhost security
#
# WordPress REST API
# Block/Forbid requests to /wp-json/wp/v2/users and /wp-json/wp/v2/comments,
# whether reached by path or by the ?rest_route= query form, for every method

RewriteEngine On

RewriteCond %{REQUEST_URI} wp-json/wp/v2/(users|comments) [NC,OR]
RewriteCond %{QUERY_STRING} rest_route=/wp/v2/(users|comments) [NC]
RewriteRule ^ - [F]
#
# WordPress XML-RPC Pingback Abuse
#
<Files xmlrpc.php>
    Require all denied
</Files>

# protect access to txt/html readme :
<Files readme.txt>
    Require all denied
</Files>
<Files readme.html>
    Require all denied
</Files>


#
# Dont expose .git folder
#
<Directory /www_root/yoursite/html/.git>
    Require all denied
</Directory>
#
# Dont expose .gitignore file.
#
<Files .gitignore>
    Require all denied
</Files>
#
# Dont expose .gitlab-ci.yml file.
#
<Files .gitlab-ci.yml>
    Require all denied
</Files>
#############################################


Access rights on the WP file system :

Another point, basic but quite often neglected, is the access rights on the WP files and folders.
Here is how the rights are set (here my user and group are the same, namely www-data). Caveat: since PHP runs as www-data as well, this makes wp-content writable by a compromised plugin; keep wp-config.php at 0640 (or 0600) and, if you can, leave core and plugin directories writable only while updating:

find /www_root/yoursite/html/ -type f -exec chmod 0644 {} \;
find /www_root/yoursite/html/ -type d -exec chmod 0755 {} \;
find /www_root/yoursite/html/wp-content -type d -exec chmod 0775 {} \;
find /www_root/yoursite/html/wp-content -type f -exec chmod 0664 {} \;
chown -R www-data:www-data /www_root/yoursite/html/


NGINX configuration:

Here the NGINX / VARNISH services provide the "front/reverse proxy" part.
I add control of the wp-admin URL and of access to wp-login.php, with IP filtering:

        location ~ ^/(wp-admin|wp-login\.php) {
                allow [MY IP ADDRESS];
                deny all;
                proxy_set_header Host $host;
                proxy_pass   http://[VARNISH IP]:8090;
                proxy_set_header      X-Real-IP       $remote_addr;
                proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header      X-Forwarded-Proto https;
                proxy_set_header      X-Forwarded-Port 443;
         }

Another important point is to harden the HTTP headers returned by NGINX. Two caveats: add_header is not cumulative, a location block that declares its own add_header drops every add_header inherited from the server block, so repeat them (or include a shared file) in each location; and X-XSS-Protection is a legacy header that current browsers ignore (OWASP now recommends the value "0" or omitting it), while a Content-Security-Policy and X-Frame-Options are worth adding alongside these:

add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header 'Referrer-Policy' 'origin';
add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
etag off;

Don’t forget to check the correct configuration via this site: https://securityheaders.com/

Finally, a last point concerns the SSL configuration. Here I propose a very effective "generic" configuration that I use through an "include" in my NGINX VHOST (the DH parameters are generated with: openssl dhparam -out dhparams.pem 4096).
Note that ssl_stapling only works when NGINX can fetch the OCSP response, which needs a resolver directive and, for ssl_stapling_verify, an ssl_trusted_certificate holding the issuing chain:

#https://ssl-config.mozilla.org
#ssl on;
listen 443 ssl;
listen 80;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_dhparam "/etc/pki/nginx/dhparams.pem";
ssl_session_cache shared:MozSSL:10m;
ssl_session_timeout 1d;
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_tickets off;

For the SSL check, the site https://www.ssllabs.com/ssltest/ is available;
note that to generate an up-to-date configuration, https://ssl-config.mozilla.org/ is the ideal tool.

For those who want to go even further, I also recommend blocking/filtering user agents with this project:
https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/tree/master/conf.d

And also IP filtering with automatic blocking or by reputation (fail2ban, crowdsec, ipset lists, etc.).
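As an added example (not part of the original post, nor a WordPress or NGINX tool), here is a shell script that checks from the outside that the Apache/NGINX rules above really refuse the sensitive paths, including the ?rest_route= form of the users endpoint. The path list, the "401/403/404 means blocked" convention and the WP_FETCH override (which lets the logic run without a network) are this example's assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): verify from the outside that the
# Apache/NGINX rules really refuse the sensitive paths. The path list and the
# "401/403/404 = blocked" convention are this example's assumptions; wp-login.php is
# expected to be refused because the NGINX allow/deny block only admits the admin IP.
set -u

# Returns the HTTP status for a URL. Overridable through WP_FETCH so the logic
# can be exercised without a network (a fake fetcher returning canned codes).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# Paths that must no longer be served once the vhost rules are in place.
BLOCKED_PATHS='
/xmlrpc.php
/readme.html
/wp-content/plugins/akismet/readme.txt
/.git/HEAD
/.gitignore
/.gitlab-ci.yml
/wp-json/wp/v2/users
/?rest_route=/wp/v2/users
/wp-login.php
'

# Prints "OK|FAIL <status> <path>" for each path; returns 1 if anything is still served.
#   $1 = site base URL, e.g. https://www.example.org (trailing slash optional)
wp_check() {
    base="${1%/}"; fetch="${WP_FETCH:-http_status}"; rc=0
    for p in $BLOCKED_PATHS; do
        code=$("$fetch" "$base$p")
        case "$code" in
            401|403|404) printf 'OK   %s %s\n' "$code" "$p" ;;
            *)           printf 'FAIL %s %s\n' "$code" "$p"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Standalone use: ./wp_check.sh https://www.example.org
if [ $# -gt 0 ]; then
    wp_check "$1"
fi
```

Run it from a host that is not the admin IP, otherwise wp-login.php will legitimately answer 200; a non-zero exit makes it usable as a post-deployment gate.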

IP address blocking on LINUX.

I suggest we look here at the most effective and efficient way to block an IP on LINUX, namely IPSET.
The blocking is dynamic: anything added to the IPSET list is blocked immediately, without reloading the firewall.

The installation is a single line:

aptitude install ipset

With the SHOREWALL firewall:

First we create an empty IPSET list named "banthis" (hash:net accepts single addresses as well as CIDR ranges), add an address, and save the set so that SHOREWALL can restore it when it starts:

ipset create banthis hash:net maxelem 6000000

ipset add banthis x.x.x.x

ipset save > /etc/shorewall/ipsets

Now we can use it in the SHOREWALL rules; note that the prefix for an IPSET list is the "+" character.

File: /etc/shorewall/shorewall.conf
We add (so that SHOREWALL restores the set from that file at start):

SAVE_IPSETS=/etc/shorewall/ipsets


Then:

shorewall check
shorewall reload

File: /etc/shorewall/rules
We add for example:

DROP:$LOG       znet:+banthis                   all

Then we reload/apply the configuration:

shorewall check
shorewall reload


With the UFW firewall:

ipset create banthis hash:net maxelem 5000000

ipset -S > /etc/ufw/ipsets

File: /etc/ufw/after.init
We insert the rules for persistence there and make the script executable:

chmod 740 /etc/ufw/after.init

#!/bin/sh
set -e

savefile="/etc/ufw/ipsets"
if [ ! -f "$savefile" ]; then
    echo "Could not find '$savefile'" >&2
    exit 1
fi

IPSET_EXE="/sbin/ipset"

case "$1" in
start)
    # Load the saved sets before the rules that reference them
    # (-exist keeps a restart from failing when the set already exists)
    $IPSET_EXE restore -exist < "$savefile"

    # Each -I inserts at position 1, so the LOG rule ends up ahead of DROP.
    # On OUTPUT the banned address is the destination, hence "dst" instead of "src".
    iptables -I INPUT -m set --match-set banthis src -j DROP
    iptables -I INPUT -m set --match-set banthis src -j LOG --log-prefix "[UFW BLOCK IN bl-ip] "
    iptables -I FORWARD -m set --match-set banthis src -j DROP
    iptables -I FORWARD -m set --match-set banthis src -j LOG --log-prefix "[UFW BLOCK FW bl-ip] "
    iptables -I OUTPUT -m set --match-set banthis dst -j DROP
    iptables -I OUTPUT -m set --match-set banthis dst -j LOG --log-prefix "[UFW BLOCK OUT bl-ip] "
    ;;
stop)
    # Remove the rules first, then the set they reference
    iptables -D INPUT -m set --match-set banthis src -j DROP || true
    iptables -D INPUT -m set --match-set banthis src -j LOG --log-prefix "[UFW BLOCK IN bl-ip] " || true
    iptables -D FORWARD -m set --match-set banthis src -j DROP || true
    iptables -D FORWARD -m set --match-set banthis src -j LOG --log-prefix "[UFW BLOCK FW bl-ip] " || true
    iptables -D OUTPUT -m set --match-set banthis dst -j DROP || true
    iptables -D OUTPUT -m set --match-set banthis dst -j LOG --log-prefix "[UFW BLOCK OUT bl-ip] " || true

    $IPSET_EXE destroy banthis || true
    ;;
status)
    # optional
    ;;
flush-all)
    # optional
    ;;
*)
    echo "'$1' not supported"
    echo "Usage: after.init {start|stop|flush-all|status}"
    ;;
esac

Test :

#Block IP : 
ipset add banthis x.x.x.x 

#Persistence test : 
/etc/init.d/ufw restart 

#List ipset rules :
ipset -S

If you want a « test server » you can use :
https://www.thc.org/segfault/
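Refreshing the set from a reputation list is where this setup usually bites: a "flush" followed by many "add" commands leaves a window during which the set is empty and the DROP rule matches nothing. As an added example (not part of the original post, nor an ipset tool), the script below builds an "ipset restore" script that loads the list into a temporary set and then swaps it with the live one, which the kernel does atomically. The set name "banthis" follows the post; the list file format (one IPv4 address or CIDR per line, "#" comments) and the sample list are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): refresh the "banthis" set atomically.
# A plain "flush + add" leaves a window with an empty set, during which the DROP rule
# matches nothing. Loading into a temporary set and then "swap" replaces the content
# in one kernel operation. The list file format (one IPv4 address or CIDR per line,
# '#' comments) is this example's assumption.
set -eu

# Emit an "ipset restore" script: load $2 into "<set>_new", then swap it with $1.
build_ipset_restore() {
    set_name="$1"; list_file="$2"; tmp_set="${set_name}_new"
    awk -v s="$tmp_set" -v live="$set_name" '
        BEGIN {
            # both sets must exist with the same type for swap to succeed
            print "create " live " hash:net family inet maxelem 6000000 -exist"
            print "create " s " hash:net family inet maxelem 6000000 -exist"
            print "flush " s
            octet = "(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
            re = "^" octet "\\." octet "\\." octet "\\." octet "(/(3[0-2]|[12]?[0-9]))?$"
        }
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip comments and blanks
        $0 == "" { next }
        $0 ~ re  { print "add " s " " $0 " -exist"; next }
        { print "skipped invalid entry: " $0 > "/dev/stderr" }
        END {
            print "swap " s " " live
            print "destroy " s
        }
    ' "$list_file"
}

# Constructed sample list (not a real reputation feed).
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
# constructed sample list
192.0.2.10
198.51.100.0/24
203.0.113.7   # trailing comment
999.1.1.1
not-an-ip
EOF

# Standalone run prints the restore script; on a real host pipe it into ipset:
#   build_ipset_restore banthis /etc/blocklist.txt | ipset restore
build_ipset_restore banthis "$SAMPLE_LIST"
```

Entries that are not valid IPv4 addresses or prefixes are reported on stderr and left out, so a corrupted feed cannot break the restore and leave the old set in place unnoticed; after the swap, "ipset save > /etc/shorewall/ipsets" (or /etc/ufw/ipsets) keeps the new content across reboots.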

Threat Hunting with PHP and BASH (part 2).

Hello everyone,

After some thought I decided to improve my IPS so that the agents send their alerts through an API and also update their rules regularly through that API.
I also added a database (mariadb) and a graphical interface, and implemented a whitelist/blacklist system directly from the GUI. Here is a first result.

I've added links to useful tools such as: https://viz.greynoise.io/ https://www.abuseipdb.com/ https://threatbook.io/
I will publish the source code of part 2 soon.




 

 

Set up your central rsyslog server

Rsyslog can be configured to receive logs from the network and store them in a structured way;
that is what I suggest we look at in this article. Here I am using DEBIAN LINUX machines.

Central server configuration

rsyslog.conf:

– We use the rsyslog modules imudp and imtcp, which let the server listen for rsyslog client connections. Port 514 is unauthenticated and, over UDP, trivially spoofable: restrict it to your clients' addresses in the firewall (or use imtcp with TLS) rather than exposing it.
– We use a template "remote-logs" to build the log file name and its path dynamically. Both %HOSTNAME% and %PROGRAMNAME% come from the client's message, so they are attacker-controlled; rsyslog's secpath-replace (or secpath-drop) property option replaces or drops slashes in them, which keeps a crafted hostname from escaping /var/log/remoteservers.
– The "remote-logs" template is only used if the sender's IP is not the local server (127.0.0.1).

###################################
# RSYSLOG SERVER CONFIGURATION 
###################################
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html

#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# Remote logs directory : (/var/log/remoteservers/[CLIENT]/)
# secpath-replace turns any "/" in the client-supplied fields into "_"
$template remote-logs,"/var/log/remoteservers/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log"

if not($fromhost-ip == '127.0.0.1') then {
    *.* ?remote-logs
    & stop
}

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*			/var/log/auth.log
*.*;auth,authpriv.none		-/var/log/syslog
#cron.*				/var/log/cron.log
daemon.*			-/var/log/daemon.log
kern.*				-/var/log/kern.log
lpr.*				-/var/log/lpr.log
mail.*				-/var/log/mail.log
user.*				-/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info			-/var/log/mail.info
mail.warn			-/var/log/mail.warn
mail.err			/var/log/mail.err

#
# Some "catch-all" log files.
#
*.=debug;\
	auth,authpriv.none;\
	mail.none		-/var/log/debug
*.=info;*.=notice;*.=warn;\
	auth,authpriv.none;\
	cron,daemon.none;\
	mail.none		-/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg				:omusrmsg:*

Client server configuration

rsyslog.conf :

###################################
# RSYSLOG CLIENT CONFIGURATION 
###################################
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html

#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
#$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*			/var/log/auth.log
*.*;auth,authpriv.none		-/var/log/syslog
#cron.*				/var/log/cron.log
daemon.*			-/var/log/daemon.log
kern.*				-/var/log/kern.log
lpr.*				-/var/log/lpr.log
mail.*				-/var/log/mail.log
user.*				-/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info			-/var/log/mail.info
mail.warn			-/var/log/mail.warn
mail.err			/var/log/mail.err

#
# Some "catch-all" log files.
#
*.=debug;\
	auth,authpriv.none;\
	mail.none		-/var/log/debug
*.=info;*.=notice;*.=warn;\
	auth,authpriv.none;\
	cron,daemon.none;\
	mail.none		-/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg				:omusrmsg:*

# Client configuration:
# Send all system logs to the rsyslog server, over TCP (@@) or UDP (@).
# Keep only one of the two lines, otherwise every message is sent twice.
*.* @@[rsyslog_server]:514
#*.* @[rsyslog_server]:514

It is possible to create a dedicated configuration, for example to change the spool folder, which avoids modifying the main rsyslog.conf file.
To do this we add the file /etc/rsyslog.d/01-client.conf:

– The client sends its logs to the IP [rsyslog_server].
– The spool folder used (for the apache logs, for example) is /var/log/rsyslogspools.
– A quota of 1G is set on it.

#/etc/rsyslog.d/01-client.conf
$WorkDirectory /var/log/rsyslogspools
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

In the case of an APACHE service, you have to tell rsyslog where to fetch the data (the imfile module) and then forward it to the remote rsyslog server [rsyslog_server]. The file must end in .conf to be picked up by the $IncludeConfig directive above:

#/etc/rsyslog.d/02-apache-defaultlog.conf

$ModLoad imfile

# Default Apache Error Log
$InputFileName /var/log/apache2/error.log
$InputFileTag apache-error-default:
$InputFileStateFile apache-error-default
$InputRunFileMonitor

# Default Apache Access Log
$InputFileName /var/log/apache2/access.log
$InputFileTag apache-access-default:
$InputFileStateFile apache-access-default
$InputRunFileMonitor
$InputFilePollInterval 30

if $programname == "apache-error-default" then @@[rsyslog_server]:514
if $programname == "apache-error-default" then ~

if $programname == "apache-access-default" then @@[rsyslog_server]:514
if $programname == "apache-access-default" then ~

And there you go!
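One thing the /var/log/remoteservers/[host]/[program].log layout makes easy, and that no single client's log can show, is cross-host correlation. As an added example (not part of the original post, nor an rsyslog tool), the script below flags source addresses whose SSH password failures hit several distinct clients, the signature of password spraying or lateral brute force. It assumes OpenSSH's "Failed password for ... from <ip> port <n>" message format and the per-host directory naming of the template above; the log tree it builds is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): cross-host correlation over the
# central tree /var/log/remoteservers/<host>/sshd.log. Flags source addresses
# whose SSH password failures hit several distinct clients (password spraying /
# lateral brute force). Assumes OpenSSH's "Failed password for ... from <ip> port <n>"
# message format; the tree built below is constructed sample data.
set -eu

# Print "ip hosts attempts" for sources failing on at least $2 hosts (default 2),
# most widely spread first.   $1 = base directory (e.g. /var/log/remoteservers)
spraying_sources() {
    base="$1"; min="${2:-2}"
    awk -v min="$min" '
        /sshd\[[0-9]+\]: Failed password for/ {
            n = split(FILENAME, parts, "/"); host = parts[n-1]   # client = directory name
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            if (ip == "") next
            attempts[ip]++
            if (!((ip, host) in seen)) { seen[ip, host] = 1; hosts[ip]++ }
        }
        END {
            for (ip in attempts)
                if (hosts[ip] >= min) printf "%s %d %d\n", ip, hosts[ip], attempts[ip]
        }
    ' "$base"/*/sshd.log | sort -k2,2nr -k3,3nr -k1,1
}

# Constructed sample tree mimicking the remote-logs template.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/web1" "$SAMPLE_DIR/web2" "$SAMPLE_DIR/db1"
cat > "$SAMPLE_DIR/web1/sshd.log" <<'EOF'
Mar  1 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  1 10:00:03 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Mar  1 10:00:05 web1 sshd[1205]: Failed password for invalid user test from 198.51.100.9 port 40001 ssh2
Mar  1 10:00:06 web1 sshd[1206]: Failed password for invalid user test from 198.51.100.9 port 40002 ssh2
Mar  1 10:00:07 web1 sshd[1207]: Failed password for invalid user test from 198.51.100.9 port 40003 ssh2
Mar  1 10:00:09 web1 sshd[1209]: Accepted publickey for deploy from 192.0.2.50 port 50000 ssh2
EOF
cat > "$SAMPLE_DIR/web2/sshd.log" <<'EOF'
Mar  1 10:01:01 web2 sshd[2201]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  1 10:01:02 web2 sshd[2202]: Failed password for root from 192.0.2.77 port 60001 ssh2
EOF
cat > "$SAMPLE_DIR/db1/sshd.log" <<'EOF'
Mar  1 10:02:01 db1 sshd[3201]: Failed password for root from 203.0.113.5 port 51040 ssh2
Mar  1 10:02:02 db1 sshd[3202]: Failed password for root from 192.0.2.77 port 60002 ssh2
EOF

# Standalone run; on the central server: spraying_sources /var/log/remoteservers 3
spraying_sources "$SAMPLE_DIR"
```

A source hammering one host is fail2ban's job on that host; a source that touches three hosts with few attempts each slips under per-host thresholds, and only the central copy reveals it. The addresses a run like this produces are natural input for the "banthis" set described earlier.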

 

Update the Debian PHP distribution (8.2).

PHP 8.2 is now available; I describe here how to update a Debian server to this version.

First I need the list of installed php packages (here 8.0):

dpkg -l | grep php8.0 | cut -d ' ' -f 3 > list.txt

I wrote this script to convert that list into the list of packages to install on the target server:

<?php
# Create the list of packages for the new PHP version from list.txt
# ex: php up.php --currentversion="php8.0" --newversion="php8.2"
$short_options = "";
$long_options = ["currentversion:", "newversion:"];
$options = getopt($short_options, $long_options);

if (empty($options) || !isset($options['currentversion']) || !isset($options['newversion'])) {
        echo "Params:\n";
        print_r($long_options);
        echo "\n";
        exit(1);
}

# Rewrite each package name, e.g. php8.0-curl -> php8.2-curl, on one line
$fh = fopen('list.txt', 'r');
while ($line = fgets($fh)) {
  $line = str_replace("\n", "", $line);
  $line = str_replace($options['currentversion'], $options['newversion'], $line);

  echo $line." ";
}
fclose($fh);
?>

Now I create the list of php packages for the target:

# php up.php --currentversion="php8.0" --newversion="php8.2"
libapache2-mod-php8.2 php8.2 php8.2-bcmath php8.2-bz2 php8.2-cli php8.2-common php8.2-curl php8.2-dev php8.2-fpm php8.2-gd php8.2-igbinary php8.2-imagick php8.2-imap php8.2-intl php8.2-ldap php8.2-mbstring php8.2-memcache php8.2-memcached php8.2-msgpack php8.2-mysql php8.2-opcache php8.2-readline php8.2-soap php8.2-sqlite3 php8.2-tidy php8.2-xml php8.2-xmlrpc php8.2-zip

I remove all the old php packages:

# apt-get purge `dpkg -l | grep php| awk '{print $2}' |tr "\n" " "`
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  apache2 apache2-bin apache2-data apache2-utils debhelper dh-autoreconf dh-strip-nondeterminism dwz fonts-droid-fallback fonts-noto-mono ghostscript gsfonts imagemagick-6-common
  intltool-debian libaom0 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libarchive-cpio-perl libarchive-zip-perl libc-client2007e libdav1d4 libde265-0 libdebhelper-perl
  libfftw3-double3 libfile-stripnondeterminism-perl libgs9 libgs9-common libheif1 libijs-0.35 libjbig2dec0 liblqr-1-0 liblua5.3-0 libmagickcore-6.q16-6 libmagickwand-6.q16-6
  libmail-sendmail-perl libmemcached11 libmemcachedutil2 libnuma1 libonig5 libopenjp2-7 libpaper-utils libpaper1 libpcre2-16-0 libpcre2-32-0 libpcre2-dev libpcre2-posix2 libsodium23
  libssl-dev libsub-override-perl libsys-hostname-long-perl libtidy5deb1 libwebpdemux2 libwebpmux3 libx265-192 libxmlrpc-epi0 libxslt1.1 libzip4 mlock pkg-config po-debconf poppler-data
  shtool ttf-dejavu-core
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  libapache2-mod-php7.4* libapache2-mod-php8.0* libapache2-mod-php8.1* php-common* php-imagick* php-memcache* php-memcached* php-msgpack* php-pear* php5.6-memcache* php7.0-memcache*
  php7.1-memcache* php7.2-memcache* php7.3-memcache* php7.4* php7.4-bcmath* php7.4-bz2* php7.4-cli* php7.4-common* php7.4-curl* php7.4-dev* php7.4-fpm* php7.4-gd* php7.4-igbinary*
  php7.4-imap* php7.4-intl* php7.4-json* php7.4-mbstring* php7.4-memcache* php7.4-mysql* php7.4-opcache* php7.4-readline* php7.4-soap* php7.4-tidy* php7.4-xml* php7.4-xmlrpc* php7.4-zip*
  php8.0* php8.0-bcmath* php8.0-bz2* php8.0-cli* php8.0-common* php8.0-curl* php8.0-dev* php8.0-fpm* php8.0-gd* php8.0-igbinary* php8.0-imagick* php8.0-imap* php8.0-intl* php8.0-ldap*
  php8.0-mbstring* php8.0-memcache* php8.0-memcached* php8.0-msgpack* php8.0-mysql* php8.0-opcache* php8.0-readline* php8.0-soap* php8.0-tidy* php8.0-xml* php8.0-xmlrpc* php8.0-zip*
  php8.1-cli* php8.1-common* php8.1-memcache* php8.1-opcache* php8.1-phpdbg* php8.1-readline* php8.1-sqlite3* pkg-php-tools*
0 upgraded, 0 newly installed, 71 to remove and 21 not upgraded.
After this operation, 95.1 MB disk space will be freed.
Do you want to continue? [Y/n]

I can now install the new version, via the list of packages (returned by up.php):

# apt-get install libapache2-mod-php8.2 php8.2 php8.2-bcmath php8.2-bz2 php8.2-cli php8.2-common php8.2-curl php8.2-dev php8.2-fpm php8.2-gd php8.2-igbinary php8.2-imagick php8.2-imap php8.2-intl php8.2-ldap php8.2-mbstring php8.2-memcache php8.2-memcached php8.2-msgpack php8.2-mysql php8.2-opcache php8.2-readline php8.2-soap php8.2-sqlite3 php8.2-tidy php8.2-xml php8.2-xmlrpc php8.2-zip
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
  ttf-dejavu-core
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
  php-common php-pear pkg-php-tools
Suggested packages:
  dh-php dh-make
The following NEW packages will be installed:
  libapache2-mod-php8.2 php-common php-pear php8.2 php8.2-bcmath php8.2-bz2 php8.2-cli php8.2-common php8.2-curl php8.2-dev php8.2-fpm php8.2-gd php8.2-igbinary php8.2-imagick php8.2-imap
  php8.2-intl php8.2-ldap php8.2-mbstring php8.2-memcache php8.2-memcached php8.2-msgpack php8.2-mysql php8.2-opcache php8.2-readline php8.2-soap php8.2-sqlite3 php8.2-tidy php8.2-xml
  php8.2-xmlrpc php8.2-zip pkg-php-tools
0 upgraded, 31 newly installed, 0 to remove and 21 not upgraded.
Need to get 8343 kB/8377 kB of archives.
After this operation, 39.9 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y

That's all!