Hardening Apache- Disable Directory Traversal

Problem is directory’s such as /wp-includes/ are viewable.
Disable directory traversal by adding this line to the end of your .htaccess file in the root of your website directory:

Options All -Indexes

Then restart:

systemctl restart apache2

Confirm this is disabled by navigating to /wp-includes/

VMWare ESXi setup Syslog through ESXCLI

To setup syslog in ESXi 6.5 I found it easier through the ESXCLI, here are the commands to run:

Allow syslog through the firewall:

esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh

Set loghost:

esxcli system syslog config set --loghost='tcp://syslog.server.co:514'
esxcli system syslog reload

Verify Syslog settings:

esxcli system syslog config get

Troubleshooting:
Check connectivity:

nc -z syslog.server.co 514

If you get the following error when setting the loghost its a DNS issue:

No root object set for output. The command did not provide proper output.
Implementation error!  The output of this command does not match the declared output type of this command, see errors above.

To check your name resolution:

nslookup syslog.server.co

Check your DNS servers:

esxcli network ip dns server list

If DNS needs to be set:

esxcli network ip dns server add --server=<server>

Upgrade ESXi 6.5 using the CLI

Here’s an easy procedure to update your ESXi to the latest build using the CLI and WebUI for Client.

Step1- List latest available packages:

esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-6.5

Step2- Select latest, install and reboot:

esxcli software profile update -p ESXi-6.5.0-20171204001-standard -d http://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
reboot

Step3- Verify latest build:

vmware -vl
VMware ESXi 6.5.0 build-7388607
VMware ESXi 6.5.0 Update 1

Step4- Verify latest client build:

Check version in web ui, under help, about

Client version: 1.24.0
Client build number: 7119706
ESXi version: 6.5.0
ESXi build number: 7388607

Step5- If needed upgrade client to latest using WebUI:

http://download3.vmware.com/software/vmw-tools/esxui/esxui-signed-latest.vib

Upgrade ESXi to 6.5 using the CLI

Here’s an easy three step procedure to update your ESXi to the latest build using the CLI.

Step1- SSH into your ESXi host and modify the firewall:

esxcli network firewall ruleset set -e true -r httpClient

Step2- List latest available packages:

esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-6.5

Step3- Select latest, install and reboot:

esxcli software profile update -p ESXi-6.5.0-4564106-standard -d http://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

Note I had to run Step3 twice on some hosts.

Upgrade ESXi to 6.5 from a USB Drive

Here’s an easy three step process to update your ESXi host to the latest build using a USB Flash Drive.

Step1- Download latest ISO VMware vSphere Hypervisor(ESXi) 6.5 ISO
https://my.vmware.com/en/group/vmware/evalcenter?p=free-esxi6

Step2- Download and run Rufus
https://rufus.akeo.ie/

Step3- Click the CD icon and point to the ISO you downloaded, leave everything else default and click start
(Note you may get a popup requesting to replace the menu, to avoid issues with the USB key not booting you’ll need to click Yes to download the updated file.)

I have performed this method on versions 5.5 and 6

Boot DBAN from a USB Flash Drive

Here’s a two step process to easily create a bootable DBAN USB dive to permanently erase a hardrive.

Step1- Download the latest ISO from DBAN:
http://www.dban.org/

Step2- Download and run the “Universal USB Installer”, select DBAN from the drop down list:
https://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/

Reference:
https://www.pendrivelinux.com/install-dban-to-a-usb-flash-drive-using-windows/

Postfix send error

Symptom is no email is being received
tail /var/mail/root contains the following error:
Diagnostic-Code: X-Postfix; unknown user:

When you install postfix if your hostname includes your domain then Postfix thinks its receiving mail for the domain, to fix:
vim /etc/postfix/main.cf
remove [yourdomain.com] from mydestination section

restart postfix and retest
postfix stop
postfix start

Reference:
http://stackoverflow.com/questions/32877196/postfix-thinks-the-system-email-is-local