Install PiHole With SSL On Apache Running Ubuntu Server 20 LTS

This is another quick post to serve as a general note. This post will cover the install of PiHole with SSL on Apache. The guide should work for most Debian-based Linux distributions. We are running PHP7.4 as it’s native to the OS and does not require any PPA addons. You can install PHP8/+ if you like.

Step 1: Bash Into root


1
     sudo bash

Enter your password.

Step 2: Install Apache2


1
     apt-get install apache2 -y

Step 3: Install PHP 7.4


1
2
     apt-get install php -y
     apt-get install php-common php-mysql php-xml php-curl php-cli php-imap php-mbstring php-opcache php-soap php-zip php-intl php-sqlite3 -y

Step 4: Install PiHole


1
     curl -sSL https://install.pi-hole.net | bash

During the course of the install, you will be prompted ~5 times. At the last prompt, you will be asked if you want to install the Lighttpd web server. At this point, you want to select no and complete the install process.

Once completed your PiHole setup should work. and should be accessible via ip/domain.com/admin/

Step 5 Cleanup:

As of today, I have noticed a rare glitch that will cause the folder structure to be odd after the pihole install. This can be easily fixed with the following details.

The default install will create folders like this:


1
2
     pihole folder: /var/www/html/pihole
     admin folder: /var/www/html/admin

Although not a big deal, this causes a problem when trying to access the admin dashboard from the default pihole URL (http://ip/pihole), the link on the page that is supposed to link to the admin page will be broken. At this point, you can update the page link manually in pihole/index.php to forward to the correct URL or you can change/move folders to your liking.

To fix this issue, as root, first we move the folder to the correct directory.


1
     mv /var/www/html/admin /var/www/html/pihole

Second, we update the default pihole root index file links


1
    vim /var/www/www/html/pihole/index.php

We want to edit three lines 77, 81, and 83 to reflect the new URL structure.


1
2
3
4
5
6
7
8
     Line 77:
     <link rel='shortcut icon' href='/pihole/admin/img/favicons/favicon.ico' type='image/x-icon'>

     Line 81:
     <img src='/pihole/admin/img/logo.svg' alt='Pi-hole logo' id="pihole_logo_splash" />

     Line 83:
     <a href='/pihole/admin/'>Did you mean to go to the admin panel?</a>

Once done you can consider the process complete.

Step S: Installing SSL on PiHole:

To keep things classy, if not already, bash into root:


1
     sudo bash

Let’s enable the PHP’s SSL module and make our SSL folder to house our certs.


1
2
     a2enmod ssl
     mkdir /etc/apache2/certs/pihole

Now let’s generate our self-signed cert:


1
     openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/certs/pihole/piholio.key -out /etc/apache2/certs/pihole/piholio.crt

Edit our default SSL virtual hosts config:


1
     vim /etc/apache2/sites-available/default-ssl.conf

Replace lines 32 and 33 with the following lines


1
2
     SSLCertificateFile /etc/apache2/certs/pihole/piholio.crt
     SSLCertificateKeyFile /etc/apache2/certs/pihole/piholio.key

Save and exit.

Next, enable SSL and restart the apache service:


1
     a2ensite default-ssl.conf && systemctl apache2 restart

At this point, you’ve successfully installed PiHole with SSL. We have another issue, by default apache does not reroute to SSL so you will still be able to visit the non-SSL URL. To fix this we need to enable the Rewrite module and enter our conditions into our domain’s virtual host configuration (or .htaccess).

Let’s enable that rewrite module:


1
2
     a2enmod rewrite
     systemctl apache2 restart

Let’s edit our default virtual host file:


1
     vim /etc/apache2/sites-available/000-default.conf

Add the following three lines of code before the </VirtualHost> closing tag. You can replace the * on the second line with your local IP or domain.


1
2
3
     RewriteEngine On
     RewriteCond %{SERVER_NAME} =*
     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Save the file and restart Apache.


1
     systemctl apache2 restart

Your PiHole install should now be “running in SSL”. If anyone viewing my notes has questions feel free to leave a comment.

Install PHP8 on Ubuntu Server 18 & 20 LTS Running Apache

This post is a quick post to serve as a note, don’t expect long explanations of general LAMP stack design concepts. If you encounter any issues feel free to leave a comment below.

Step 1: Bash Into root User


1
2
    sudo bash
    ("sudo -su" if you prefer)

Enter your password to enter the root superuser account.

Step 2: Preparation

As root enter


1
     apt-get update -y && apt-get upgrade -y && apt-get dist-upgrade -y && apt-get autoremove -y && apt-get autoclean -y

Step 3: Adding PHP8 Repository


1
     apt-get install ca-certificates apt-transport-https software-properties-common -y

Once the command above completes its process:


1
     add-apt-repository ppa:ondrej/php -y && apt-get update -y

Step 4: Installing PHP8


1
     apt-get install php8.0 libapache2-mod-php8.0 -y && systemctl restart apache2

1
     apt-get install php8.0-fpm libapache2-mod-fcgid

Enable default PHP8 FastCGI manager module and config:


1
2
     a2enmod proxy_fcgi setenvif
     a2enconf php8.0-fpm

Restart Apache:


1
systemctl restart apache2

You might need these as well… MySQL, MBString, and MailParse


1
     apt-get install php8.0-mbstring php8.0-mailparse php8.0-mysql php8.0-xml php8.0-zip -y

WordPress Modules


1
     apt-get install php8.0-imagick -y

*****

To get jiggy with it… (installs all PHP modules, typically reserved for DevOps/Sandboxing)


1
     apt-get install php8.0-dev

*****

Once you’re done with installing any additional modules, although not required, it’s recommended you reboot your machine. Let’s do a little cleanup in case something unnecessary (like previous PHP7 packages) was left behind.


1
     apt-get update -y && apt-get upgrade -y && dist-upgrade -y && apt-get autoclean -y && apt-get autoremove -y && reboot

Step 5 (Optional): Additional Caching Modules

Memcached


1
     apt-get install php8.0-memcached

Redis


1
     apt-get install php8.0-redis

ODROID-C2 Headless Ubuntu 20 Image

This is a quick post for anyone who was looking to get a headless image from HardKernal but couldn’t actually find it (It doesn’t exist). This guide will use their hosted image for general security reasons.

Why would you want to do this? If you don’t plan on using it as a desktop. Also, why not save ~100MB of RAM and have an even more stable system.

If you haven’t already you can download the official HardKernal Odroid-C2 Ubuntu Image for your Odroid-C2 here.

Skipping The Install Process…

It’s 2021, I’m not going over the install process. This guide assumes you already have a clean Ubuntu 20 installed (from the OFFICIAL repository) and running on your C2. If your ODROID starts auto-patching security updates as soon as you connect it to your network, let it complete before starting.

(Optional)

You can install whatever ssh server you like for your C2, it will make the process much easier to copy and paste commands.

1
     sudo apt-get install openssh-server -y

Removing Mate

1
     sudo apt-get purge $(dpkg --://www.php.net/list">list | grep MATE | awk '{print $2}')

Once the command above completes, continue removing additional traces left behind

1
2
3
4
5
6
7
     sudo apt-get purge libmate-sensors-applet-plugin0 -y
     && sudo apt-get purge libmateweather-common libmateweather1:amd64 -y
     && sudo apt-get purge mate-accessibility-profiles -y
     && sudo apt-get purge mate-notification-daemon -y
     && sudo apt-get purge mate-notification-daemon-common -y
     && sudo apt-get purge plymouth-theme-ubuntu-mate-logo -y
     && sudo apt-get purge plymouth-theme-ubuntu-mate-text -y

Finally Remove The LightDM “Screen Greeter”

1
     sudo apt-get remove lightdm -y

Additional Apps You Might Want To Remove

This is what I chose to remove, feel free to remove any apps you also wont be using without any desktop GUI.

1
     sudo apt-get remove firefox -y

Finish cleaning up

1
     sudo apt-get autoclean -y && apt-get autoremove -y && reboot

That should pretty much sum up the process, let me know if you encounter any issues.

sihost exe Hard Error Fix, Windows 10 Derp Edition

We noticed that a lot of customer PC’s where coming in with the same problem after installing a Windows update, specifically the April update. After a few hours of troubleshooting, the only conclusion to fixing the problem was creating a USB Windows 10 installation media and reinitiating the update process from the USB media (It will reinstall windows but download everything via USB update instead of the OS). We tried everything (sfc /scannow, dism…) and this was the ONLY solution that worked. So the solution to your broken windows is simply restarting the updating process through a Windows 10 USB installation media, the process should leave all your old files intact and only fix the broken OS, specifically the Administrative/System accounts which is what caused this problem originally.

Updating To OpenSSL 1.0.2g On Ubuntu Server 12.04 & 14.04 LTS To Stop CVE-2016-0800 (DROWN attack)

It was a bit difficult to find any real information on fixing the latest openSSL CVE-2016-0800 (DROWN attack) so I decided to write this quick post on how to update your Ubuntu Server 12.04/14.04 OpenSSL (or any debian-based distro with apache2) to the latest 1.0.2g build to avoid the DROWN/Heartbleed attacks. I’m not going to go into the details of how the exploit works and how it’s exploited as there are many blogs/sites that already go over this. Instead I will only focus on the fix, I have provided 2 methods, a method using cURL or wget.

*** UPDATED 7/4/2017 ***
Because this is a popular post, I’ve gone ahead and updated it to reflect latest SSL binaries, it’s good practice to check what the latest binaries are regardless of this post.

cURL Method

  1. sudo apt-get install php5-curl (Install cURL library)
  2. sudo apt-get install make (Install compiling library Make)
  3. curl https://www.openssl.org/source/openssl-1.0.2l.tar.gz | tar xz && cd openssl-1.0.2l && sudo ./config && sudo make && sudo make install (single command that will download latest binaries, extract them, cd into the directory, compile configuration and then install the files)
  4. sudo ln -sf /usr/local/ssl/bin/openssl ‘which openssl’ (This will create a sym link to the new binaries)
  5. openssl version -v (Used to check the version of the Current OpenSSL binaries)

wget method

  1. sudo apt-get install make (Install compiling library Make)
  2. wget https://www.openssl.org/source/openssl-1.0.2l.tar.gz (Download the latest OpenSSL 1.0.2g binaries)
  3. tar -xzvf openssl-1.0.2l.tar.gz (Extract the tar ball to the local directory)
  4. cd openssl-1.0.2l (Enter extracted OpenSSL directory)
  5. sudo ./config (Configure binaries for compiling)
  6. sudo make install (install configured binaries)
  7. sudo ln -sf /usr/local/ssl/bin/openssl `which openssl` (This will create a sym link to the new binaries)
  8. openssl version -v (Used to check the version of the Current OpenSSL binaries)

This was tested on both Ubuntu Server 12.04 & 14.04 LTS versions. Questions? Comments?

nVidia Shield Tablet Diagnostic Mode On Android Lollipop

I found the Diagnostic mode for the nvidia shield tablet, you can find it at the following path…

Settings > About Tablet

At this screen you want to scroll down to “Kernal version” and tap it numerous times until it goes into diagnostics.

nvidia shield tablet diagnostic mode

This is what it will looks like…

Screenshot_2015-06-27-23-58-05

 

Hope this helps anyone…

Updating To PHP 5.4 On Ubuntu Server 12.04 LTS

If you use php web applications then your know a lot are now demanding to be updated to php 5.4 or higher. To do this in Ubuntu 12.04LTS simply do the following…

If you haven’t already used ppa then you will have to first install python software properties, make sure you’re the root user… ( sudo bash )

apt-get install python-software-properties

PHP 5.4.x run:

add-apt-repository ppa:ondrej/php5-oldstable

PHP 5.5.x run:

add-apt-repository ppa:ondrej/php5

Once you’ve added the repo simply update and upgrade current packages & distribution packages with one simple command :)

apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

Checking Total Disk Usage in Ubuntu Or Debian From Terminal

If you need to check how much space is used up on all Filesystems/Drives You can simply run

df -h

Don’t forget to sudo or be root.

Adding “client denied by server configuration” Filter To Fail2Ban: Ubuntu 12.04 LTS

Ok so here is another useful filter for fail2ban. Once this plugin is installed it will prevent malicious visitors from trying to brute-force folder and file discovery. After 5 attempts to visit a non existing file/folder the visitor is banned…

like always… BASH IN! :D

sudo bash

First Lets create a new entry in our jail.local file…

vim /etc/fail2ban/jail.local

 

copy the following text after the last apache entry…

[apache-clientd]
enabled = true
port = http,https
filter = apache-client-denied
logpath = /var/log/apache*/*error.log
maxretry = 5

 

Now that we have added the entry into our jail.local we proceed, change to the filter.d directory, in this folder you will see lots of other pre-configured filters

cd /etc/fail2ban/filter.d

 

instead of creating a new filter file simply copy another, this will make the next step easier…

cp /etc/fail2ban/filter.d/apache-auth.conf /etc/fail2ban/filter.d/apache-client-denied.conf

 

find the line identical to the one below (Line 23)

failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$

 

replace it with the following one.

failregex = [[]client <HOST>[]] client denied by server configuration:

 

At this point your pretty much done, close the file and restart fail2ban

service fail2ban restart

 

Comment if you have questions, like my post if you find it helpful :)

 

 

 

 

Adding “File Does Not Exist” Filter To Fail2Ban: Ubuntu 12.04 LTS

Ok so here is a quick post to a common question… adding a filter to fail2ban for bot/scanners searching for files, folders or simply doing recon which can result in exploit discovery, this filter will automatically block a visitor/bot after 4 attempts to scan for a file that does not exist on your domain/server.

like always… BASH IN! (lol…)

sudo bash

First Lets create a new entry in our jail.local file…

vim /etc/fail2ban/jail.local

 

copy the following text after the last apache entry…

[apache-nofile]
enabled = true
port = http,https
filter = apache-nofile
logpath = /var/log/apache*/*error.log
maxretry = 4

 

Now that we have added the entry into our jail.local we proceed, change to the filter.d directory, in this folder you will see lots of other pre-configured filters

cd /etc/fail2ban/filter.d

 

instead of creating a new filter file simply copy another, this will make the next step easier…

cp /etc/fail2ban/filter.d/apache-auth.conf /etc/fail2ban/filter.d/apache-nofile.conf

 

find the line identical to the one below (Line 23)

failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$

 

replace it with the following one.

failregex = [[]client <HOST>[]] File does not exist:

 

At this point your pretty much done, close the file and restart fail2ban

service fail2ban restart

 

Comment if you have questions, like my post if you find it helpful :)