
Where does Plesk 17 (Onyx) store the DKIM public key?

How to find the Postfix public DomainKey on a Plesk server for the DKIM DNS record

Once DKIM is activated in Plesk, no extra service (such as OpenDKIM) is required.
The private keys are stored under «/etc/domainkeys/» (one directory per domain, key file «default»), but the public DKIM keys are not stored anywhere.

We can easily derive the public key from the private one:

# openssl rsa -in /etc/domainkeys/somedomain.tld/default -pubout -out /etc/domainkeys/somedomain.tld/public
# writing RSA key

After that you will see:

# cat /etc/domainkeys/somedomain.tld/public
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNP/0esApEWVmQEtjbT8WGJSyPhKpNvxuxHDSf/TChc1ssgO+DWtXOdFyd/jM1L+vtBUOXLewmrWJ+shnAiZOibyR2LtCvmBZ44K08UvC6Xqnz8Jh9BLv9K0KZ/3tX7UU0DMHQ/zWb1Ya6cWHfkfJc4H+DkqAGQhQPZMk3nrwXVwIDAQAB
-----END PUBLIC KEY-----

Then you can publish it at your DNS hosting provider as a TXT record. The value is the base64 body of the PEM file with the BEGIN/END lines removed and the line breaks joined (openssl writes the body in 64-character lines, so join them before pasting):
name: default._domainkey
type: TXT
value: "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNP/0esApEWVmQEtjbT8WGJSyPhKpNvxuxHDSf/TChc1ssgO+DWtXOdFyd/jM1L+vtBUOXLewmrWJ+shnAiZOibyR2LtCvmBZ44K08UvC6Xqnz8Jh9BLv9K0KZ/3tX7UU0DMHQ/zWb1Ya6cWHfkfJc4H+DkqAGQhQPZMk3nrwXVwIDAQAB"

The selector («default») must match the s= tag in the DKIM-Signature header of the mail Plesk sends, which is why the record lives at default._domainkey. Starting the value with "v=DKIM1;" is recommended by RFC 6376 but not required (DKIM1 is the default), so the record above is valid as written. Note that this example key is a 1024-bit RSA key (the PEM body starts with MIGf, a 162-byte SubjectPublicKeyInfo); RFC 8301 requires signers to use at least 1024 bits and recommends 2048.
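The following POSIX shell script is an added example, not part of the original post, that turns the PEM file produced by the openssl command above into the DNS record and checks the key size. Its input is the post's public key, written in the 64-character lines that openssl actually emits; the `key_bits` function assumes the openssl command-line tool is installed. The record builder also handles something the post's 1024-bit key never triggers: a single DNS TXT string holds at most 255 bytes, so the p= value of any 2048-bit key must be split into several quoted strings, which resolvers and DKIM verifiers concatenate (RFC 6376).

```shell
#!/bin/sh
# Added example (not from the original post): build a DKIM TXT record from the
# public key that `openssl rsa -pubout` writes, and check the RSA modulus size.

# Input: the public key shown in the post, as openssl writes it (64-char lines).
PUBKEY_PEM='-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNP/0esApEWVmQEtjbT8WGJSyP
hKpNvxuxHDSf/TChc1ssgO+DWtXOdFyd/jM1L+vtBUOXLewmrWJ+shnAiZOibyR2
LtCvmBZ44K08UvC6Xqnz8Jh9BLv9K0KZ/3tX7UU0DMHQ/zWb1Ya6cWHfkfJc4H+D
kqAGQhQPZMk3nrwXVwIDAQAB
-----END PUBLIC KEY-----'

# The p= value the post pastes into DNS, kept for comparison.
PAGE_P='MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNP/0esApEWVmQEtjbT8WGJSyPhKpNvxuxHDSf/TChc1ssgO+DWtXOdFyd/jM1L+vtBUOXLewmrWJ+shnAiZOibyR2LtCvmBZ44K08UvC6Xqnz8Jh9BLv9K0KZ/3tX7UU0DMHQ/zWb1Ya6cWHfkfJc4H+DkqAGQhQPZMk3nrwXVwIDAQAB'

# pem_to_p: read a PEM public key on stdin and print the DKIM p= value, i.e.
# the base64 body with the BEGIN/END lines dropped and the lines joined.
pem_to_p() {
    sed -e '/^-----/d' | tr -d '\n\r '
}

# dkim_txt_value P: print the TXT record value for a p= string. One DNS TXT
# string holds at most 255 bytes, so the value is cut into 255-byte quoted
# strings separated by spaces; a 1024-bit key fits in one, a 2048-bit key
# needs two.
dkim_txt_value() {
    printf 'v=DKIM1; k=rsa; p=%s' "$1" |
        fold -w 255 | sed -e 's/.*/"&"/' | tr '\n' ' ' | sed -e 's/ *$//'
}

# key_bits: read a PEM public key on stdin and print the modulus size in bits.
# Assumes the openssl CLI is installed (the line reads "Public-Key: (N bit)").
key_bits() {
    openssl rsa -pubin -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Example run: print the record in zone-file form.
P=$(printf '%s\n' "$PUBKEY_PEM" | pem_to_p)
printf 'default._domainkey IN TXT %s\n' "$(dkim_txt_value "$P")"
```

Once the record is published, check what the world sees with `dig +short TXT default._domainkey.somedomain.tld`: the output must contain the same p= value, in one or several quoted strings, before DKIM verification on the receiving side can succeed.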

For dkim testing you can use this service.

How to unlock an ip address blocked by Fail2ban


As a system administrator, it is hard for me to imagine a quiet life without Fail2ban.

This service watches the logs of many services (a web server, a mail server, openssh-server and so on). On suspicious activity (typically a series of failed logins) it automatically blocks, with iptables rules and for a configurable time, the IP address those attempts came from. Setting up Fail2ban is a separate topic.

In this article, let's talk about how to unblock yourself or another user who mistyped a password and was banned by Fail2ban.

1. Log in to the server over SSH from another IP address as root (or as a user with sudo rights, or run "su -" afterwards to get root rights).

2. To see which IP addresses are blocked, run:
iptables -L -n
If the output is long, page through it:
iptables -L -n | less

3. Next, find the chain fail2ban-ssh (this is for the ssh jail; for another service, find the corresponding chain; Fail2ban 0.10 and newer name the chains f2b-<jail>, for example f2b-sshd). Banned addresses appear as DROP (or REJECT) rules above the final RETURN, so our IP should be there:

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

4. To remove the IP address from the Fail2ban ban, run the following command (aa.bb.cc.dd is the IP you want to unblock):
iptables -D fail2ban-ssh -s aa.bb.cc.dd -j DROP

Note that this only edits the firewall: Fail2ban's own ban list still holds the address until its bantime expires. The cleaner way, available since Fail2ban 0.8.8, is to ask Fail2ban itself with "fail2ban-client set <jail> unbanip aa.bb.cc.dd", which removes both the rule and the internal ban; "fail2ban-client status <jail>" lists what a jail currently bans, which also works when the ban action is nftables rather than iptables.

After that, the user will be able to reconnect to the server via ssh.
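As an added example (not part of the original post), the following POSIX shell script automates steps 2 to 4: it reads the output of `iptables -L -n` on stdin, finds the Fail2ban chains (`fail2ban-<jail>` in old versions, `f2b-<jail>` in 0.10 and newer) that have a DROP or REJECT rule for the given address, and prints the commands to lift the ban. It prefers `fail2ban-client set <jail> unbanip <ip>`, which also clears Fail2ban's own ban list, and prints the raw iptables deletion from step 4 as the fallback. The iptables output embedded below is constructed sample data (documentation address ranges), not a capture from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): find which Fail2ban chain bans an
# address and print the commands that unban it.

# chains_banning_ip IP: read `iptables -L -n` output on stdin and print every
# Fail2ban chain (fail2ban-* or f2b-*) holding a DROP/REJECT rule for IP.
# Columns of a rule line are: target prot opt source destination [...].
chains_banning_ip() {
    awk -v ip="$1" '
        /^Chain /                   { chain = $2; next }
        chain ~ /^(fail2ban-|f2b-)/ && ($1 == "DROP" || $1 == "REJECT") && $4 == ip { print chain }
    '
}

# unban_commands IP: for each chain found, print the fail2ban-client command
# (the jail name is the chain name without its prefix) and the raw iptables
# fallback that the post uses in step 4.
unban_commands() {
    ip="$1"
    chains_banning_ip "$ip" | while read -r chain; do
        jail=$(printf '%s\n' "$chain" | sed -e 's/^fail2ban-//' -e 's/^f2b-//')
        printf 'fail2ban-client set %s unbanip %s\n' "$jail" "$ip"
        printf '# fallback if fail2ban-client is unavailable: iptables -D %s -s %s -j DROP\n' "$chain" "$ip"
    done
}

# Constructed sample of `iptables -L -n` output (not captured from a real host):
# two banned addresses in the sshd jail, an empty nginx jail.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
f2b-nginx-http-auth  tcp  --  0.0.0.0/0  0.0.0.0/0            multiport dports 80,443

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.45         0.0.0.0/0            reject-with icmp-port-unreachable
DROP       all  --  198.51.100.7         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-nginx-http-auth (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# Dry run on the sample. On a real server: iptables -L -n | unban_commands aa.bb.cc.dd
printf '%s\n' "$SAMPLE_IPTABLES" | unban_commands 203.0.113.45
```

If the address shows up in no chain at all but the user is still locked out, the ban is probably not in iptables: check `fail2ban-client status <jail>` (nftables or firewalld ban actions do not appear in `iptables -L`), or the user may simply be hitting a different host or port.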

How to configure Nginx in Vesta CP and get an A+ rating on ssllabs


Task: set up the SSL (HTTPS) settings in the Nginx config so that the site gets grade A+ at https://www.ssllabs.com/ssltest/

The best way is to edit the template /usr/local/vesta/data/templates/web/nginx/default.stpl
(Vesta CP regenerates the per-domain configuration from this template whenever you change something in the panel, so manual edits to the generated files get overwritten)

Open it in your favorite editor (nano, of course :))
nano /usr/local/vesta/data/templates/web/nginx/default.stpl

Add the following 4 fragments:

1. Append to the listen %ip%:%proxy_ssl_port% line (on the same line):

ssl http2

2. After server_name:

add_header Strict-Transport-Security "max-age=31536000;" always;
ssl_stapling on;
ssl_stapling_verify on;

A max-age of one year is above the six months SSL Labs requires for A+. OCSP stapling only works if nginx can find the issuer certificate (the chain in %ssl_pem%, or an ssl_trusted_certificate directive) and has a resolver directive to look up the OCSP responder; otherwise nginx logs a warning at startup and serves no stapled response, which costs nothing in the grade but gives none of the benefit.

3. After ssl_certificate_key %ssl_key%;
ssl_dhparam /home/admin/conf/web/dhparams.pem;
(first you need to generate dhparams.pem and put it in that folder; 4096-bit parameters can take a long time to generate on a small server, 2048 bits is also enough for A+:
openssl dhparam -out /home/admin/conf/web/dhparams.pem 4096
)

4. (This fragment cannot just be copied from the browser; check for line breaks.)

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

Caveat: these were the settings that earned A+ when this was written. Since early 2020 SSL Labs caps any server that still offers TLS 1.0 or 1.1 at grade B, so with the ssl_protocols line above the result is no longer A+; use "ssl_protocols TLSv1.2 TLSv1.3;" (TLS 1.3 needs nginx 1.13 or newer built against OpenSSL 1.1.1 or newer). The cipher list also still allows 3DES (DES-CBC3-SHA) and plain RSA key exchange (the AES128-SHA family), which SSL Labs flags as weak and no modern client needs.

We get something like the following (ssl_dhparam is now active, as step 3 requires):

server {
    listen      %ip%:%proxy_ssl_port% ssl http2;
    server_name %domain_idn% %alias_idn%;
    add_header  Strict-Transport-Security "max-age=31536000;" always;
    ssl_stapling        on;
    ssl_stapling_verify on;

    ssl         on;   # redundant with the "ssl" parameter on listen; deprecated since nginx 1.15.0 and later removed
    ssl_certificate      %ssl_pem%;
    ssl_certificate_key  %ssl_key%;
    ssl_dhparam          /home/admin/conf/web/dhparams.pem;
    error_log  /var/log/%web_system%/domains/%domain%.error.log error;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass      https://%ip%:%web_ssl_port%;
        location ~* ^.+\.(%proxy_extentions%)$ {
            root           %sdocroot%;
            access_log     /var/log/%web_system%/domains/%domain%.log combined;
            access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
            expires        max;
            try_files      $uri @fallback;
        }
    }

    location /error/ {
        alias   %home%/%user%/web/%domain%/document_errors/;
    }

    location @fallback {
        proxy_pass      https://%ip%:%web_ssl_port%;
    }

    # Never serve VCS metadata or .htaccess/.htpasswd files from the document root
    location ~ /\.ht    {return 404;}
    location ~ /\.svn/  {return 404;}
    location ~ /\.git/  {return 404;}
    location ~ /\.hg/   {return 404;}
    location ~ /\.bzr/  {return 404;}

    include %home%/%user%/conf/web/snginx.%domain%.conf*;
}
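The fragment below is an added example, not from the post or from Vesta CP: the step 4 settings as the post gives them, beside a replacement that meets current SSL Labs grading (TLS 1.0/1.1 disabled, only AEAD suites with forward secrecy, TLS 1.3 where the OpenSSL build supports it), plus the directives that make the stapling from step 2 actually work. It goes inside the server block in place of the post's three lines. The chain path and the resolver address are assumptions to replace with your own; everything else uses the same Vesta template variables as the post.

```nginx
# --- Step 4 as written in the post (today capped at grade B by SSL Labs) ---
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers '...:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:...';
# ssl_prefer_server_ciphers on;

# --- Replacement: TLS 1.2 and 1.3 only, forward-secret AEAD suites ---
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
# With only strong suites left, let the client choose (phones without AES-NI prefer ChaCha20)
ssl_prefer_server_ciphers off;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
# DHE suites use these parameters; generated in step 3 of the post
ssl_dhparam /home/admin/conf/web/dhparams.pem;

# Session resumption: a shared cache instead of tickets, whose encryption key nginx
# keeps for the whole process lifetime and which therefore weakens forward secrecy
ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# OCSP stapling from step 2, with what it needs to work: the issuer chain to
# validate the response, and a resolver to reach the OCSP responder.
ssl_stapling        on;
ssl_stapling_verify on;
ssl_trusted_certificate /home/admin/conf/web/ssl.%domain%.ca;   # assumed path: intermediate + root chain
resolver 127.0.0.1 valid=300s;                                   # assumed: local caching resolver
resolver_timeout 5s;

# HSTS from step 2. A location block with its own add_header would drop this
# header (add_header is inherited only by levels that define none), so keep it here.
add_header Strict-Transport-Security "max-age=31536000" always;
```

After editing the template, regenerate the per-domain configs (Vesta's `v-rebuild-web-domains admin` does that, or re-save the domain in the panel), run `nginx -t` before reloading, and confirm the staple is served with `openssl s_client -connect somedomain.tld:443 -status </dev/null 2>/dev/null | grep OCSP`; then re-run the SSL Labs test.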
