Hardening SNMP on Debian

Hardening SNMP on Debian by disabling SNMP v1 and v2c, and configuring SNMP v3.

Modify /etc/snmp/snmpd.conf

First we’ll want to open up the /etc/snmp/snmpd.conf file and comment out all lines that begin with

  • rocommunity
  • view
  • rouser authPriv (this may be the last line by default; we don’t need it)

Alternatively, you can copy and paste the following sed commands instead of manually editing the file.

sudo sed -i 's/^rocommunity/# rocommunity/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^view/# view/g' /etc/snmp/snmpd.conf
sudo sed -i 's/^rouser authPriv/# rouser authPriv/g' /etc/snmp/snmpd.conf

Create SNMP v3 User

We can create an SNMP v3 user with the following command. It will prompt you for the username and passwords.

sudo net-snmp-create-v3-user -ro -a SHA-512 -x AES

You may receive an error about not being able to touch /snmp/snmpd.conf. I am not sure why Debian is attempting to create that file. Take the “rouser snmpuser” line and add it to the end of the /etc/snmp/snmpd.conf config.


Now we can start SNMPD

sudo systemctl start snmpd

Troubleshooting

My created user is not working! This could result from two different issues.

  1. It appears that Debian/SNMP doesn’t like passphrases with special characters. You can try using a different password, or escaping the special characters in the “/var/lib/snmp/snmpd.conf” file before starting SNMPD.
  2. The user didn’t get added to /etc/snmp/snmpd.conf. To fix, add “rouser snmpuser” (change snmpuser to your SNMP username) to the bottom of the config file.
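A quick way to confirm the result of the steps above is to audit the config for leftover community directives and for SNMPv3 users that are not forced to use encryption. This is an added example, not part of the original post; the function name audit_snmpd_conf is hypothetical, and it treats "priv" and "authpriv" as the levels that enforce encryption.

```sh
#!/bin/sh
# Added example: audit an snmpd.conf after disabling v1/v2c and adding a v3 user.
# Prints one line per finding; returns 0 when clean, 1 when anything is flagged.
audit_snmpd_conf() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }   # skip comments and blank lines

        # Community directives keep SNMP v1/v2c reachable.
        $1 ~ /^(ro|rw)community6?$/ || $1 ~ /^com2sec6?$/ {
            printf "line %d: %s still enables v1/v2c access\n", NR, $1
            bad++
            next
        }

        # Syntax: rouser|rwuser [-s SECMODEL] USER [LEVEL ...]
        # Without an explicit level, authenticated but unencrypted
        # requests are accepted, so only priv/authpriv pass here
        # (assumption: both spellings are treated as equivalent).
        $1 == "rouser" || $1 == "rwuser" {
            u = ($2 == "-s") ? 4 : 2
            level = tolower($(u + 1))
            users++
            if (level != "priv" && level != "authpriv") {
                printf "line %d: user %s is not required to use encryption (priv)\n", NR, $u
                bad++
            }
        }

        END {
            # Matches troubleshooting item 2: the rouser line never got added.
            if (users == 0) { print "no SNMPv3 rouser/rwuser line found"; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}

# Usage: audit_snmpd_conf /etc/snmp/snmpd.conf
```

A plain “rouser snmpuser” line is reported because it does not enforce privacy; appending priv to that line makes encryption mandatory for the user.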

Adding Email Disclaimer for Entire Domain on WHM/cPanel

Email Disclaimer

Altermime is a small utility that allows you to append a disclaimer to all outbound emails on a cPanel server.

1. Installing altermime

You should be able to copy and paste the following commands in. You’ll need to be root.

cd /usr/local/src/
wget https://pldaniels.com/altermime/altermime-0.3.10.tar.gz
tar xvfz altermime-0.3.10.tar.gz
cd altermime-0.3.10
make
make install

2. Setup Disclaimer Text

Create two disclaimer files. One is text and the other is for HTML.

Text file

nano /usr/local/etc/exim/textdisclaimer

Add your disclaimer text.

-------------
incredigeek.com

HTML File

Create the HTML disclaimer file with

nano /usr/local/etc/exim/htmldisclaimer

And add your disclaimer HTML to the file. Example:

<p>
-----
<br />
  <a href="http://www.incredigeek.com">incredigeek.com </a>
</p>

3. Modify Exim Configuration

Now that we have the disclaimer files set up, we can move on to configuring Exim so the disclaimer text gets added to every email sent out.

Open up WHM and go to Exim Configuration Editor -> Advanced Editor


A. Configuring Routers Configuration

Find the ROUTERS CONFIGURATION section. We will add some configuration in the “Section: PREROUTERS” box.

Add disclaimer to Single Domain

Paste in the following to add the disclaimer to a single domain. Replace “incredigeek.com” with your domain.

disclaimer:
driver = dnslookup
domains = ! +local_domains
transport = ${if eq {$sender_address_domain}{incredigeek.com}{disclaimer_smtp}{remote_smtp}}
no_more

Add Disclaimer to Entire Server (Optional)

If you would rather apply the disclaimer to the entire server, use the following.

disclaimer:
driver = dnslookup
domains = ! +local_domains
transport = disclaimer_smtp

B. Configure Transports Configuration

Once we have that added we can find the “TRANSPORTS CONFIGURATION” section and under the first “Section: TRANSPORTSTART” add

disclaimer_smtp:
driver = smtp
transport_filter = /usr/local/bin/altermime  --input=- --disclaimer=/usr/local/etc/exim/textdisclaimer --disclaimer-html=/usr/local/etc/exim/htmldisclaimer
size_addition = 1

That should be everything that you need. Send a test email to an external email account to verify that it works.

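Note that it looks like email sent locally, to addresses on the same domain or to yourself, bypasses the filter and does not get the disclaimer added. This is consistent with the “domains = ! +local_domains” condition on the router, which only matches recipients on non-local domains.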

The following links were helpful for getting this set up.

https://forums.cpanel.net/threads/howto-footer-disclaimer-in-outgoing-mails.98465/

https://pldaniels.com/altermime/

Give Linux user access (Write) to Hard Drives

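This is fairly straightforward to resolve. You can run the following command, replacing /media/username/drive with the path to your drive. Note that ugo+wx adds write and execute permission for the owner, the group and all other users on that path.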

sudo chmod ugo+wx /media/username/drive

If you need to locate the path to your drive, try running

lsblk

It should show the mount points of all the hard drives.

https://askubuntu.com/questions/90339/how-do-i-set-read-write-permissions-my-hard-drives

Disable Telemetry for DotNet SDK

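The first option is to open a PowerShell or Command Prompt window and type the following; it may need to be an admin prompt. Note that this set syntax is the Command Prompt form and only applies to the current session.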

set DOTNET_CLI_TELEMETRY_OPTOUT=1

As a secondary option you should also be able to do this from the GUI by doing the following.

Search for Environment Variables


Edit Environment Variables


Create Variable named DOTNET_CLI_TELEMETRY_OPTOUT

with a Variable value of 1


Save by Hitting OK and OK again.

WHM/cPanel – Change Main Server IP

Change IP Address from command line

Open up the following file, changing eth0 to your primary Ethernet adapter.

 vi /etc/sysconfig/network-scripts/ifcfg-eth0

and under IPADDR set it to the new IP. Update netmask and gateway if needed.

Save file and restart network

systemctl restart network

Update License

You may need to run the following to update the license on the server.

/usr/local/cpanel/cpkeyclt

Change Server IP in WebHost Manager

Change IP for server in Basic WebHost Manager Setup

Other things to do

You may need to migrate IPs to the new address.
If you are keeping the old address on the server, then you may need to re-add it through the IP Functions.

VIM delete all lines not matching pattern

In Vi you can use the following command to search for a pattern and delete all those lines

:%g/pattern-to-search-for/d

To invert the operation and delete all lines not matching the pattern, change g to v

:%v/pattern-to-search-for/d

Export Saved Firefox logins

https://support.mozilla.org/pt-BR/questions/1253828

Enable Dev Tools

Open up a new tab, go to about:config. Search for “devtools.chrome.enabled” and set to true

Enable Firefox Devtools Browser Console

Now open up the Browser Console with “Ctrl + Shift + J” and paste in the following

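try {
  // Read every saved login from the Firefox login manager.
  var signons = Services.logins.getAllLogins();
  // Fields are quoted, so double any embedded quote characters to keep the CSV valid.
  var q = function (s) { return '"' + String(s).replace(/"/g, '""') + '"'; };
  var csv = '"Site","Username","Password"';
  for (var i = 0; i < signons.length; i++) {
    // Append the HTTP auth realm to the site name when one is set.
    var site = signons[i].httpRealm ?
      signons[i].hostname + ' (' + signons[i].httpRealm + ')' :
      signons[i].hostname;
    csv += '\n' + q(site) + ',' + q(signons[i].username) + ',' + q(signons[i].password);
  }
  console.log(csv);
} catch (err) {
  console.log('Problem reading or outputting logins: ' + err);
}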

Hit enter to run the command and return all the saved logins. You can copy and paste them, or export to file.