mdadm RAID on Linux

Every time I have to set up a software RAID on Linux using mdadm I forget something, so this time I am writing it down once and for all (or at least I hope so). For the sake of simplicity I will use the creation of a RAID1 as the example, but this very same procedure can be applied to any other kind of RAID.

RAID array creation

1. Partition the drives

This step must be repeated for each drive of the array (/dev/sdb and /dev/sdc in my case). …

Defragment XFS file system

XFS, just like EXT4 (I wrote a post about it last year), supports online defragmentation; to manage those volumes on CentOS and Fedora the xfsprogs package is needed. The fragmentation level of XFS volumes can be checked with the command:

    [root@CentOS ~]$ xfs_db -c frag -r /dev/sdb1
    actual 4491, ideal 4006, fragmentation factor 10.80%

To perform online defragmentation of XFS volumes run the following command: …

CentOS, DNSCrypt and pdnsd

The DNSCrypt installation process is pretty simple since it is present in the repository; pdnsd, on the other hand, is missing, but luckily compiling it from source is not that hard. For the sake of completeness I will also cover the procedure to install DNSCrypt from source; alternatively, yum install dnscrypt-proxy.

Install the required dependencies and get the source code:

    [root@CentOS ~]# yum install gcc libsodium-devel libtool-ltdl-dev git wget
    [root@CentOS ~]# git clone https://github.com/jedisct1/dnscrypt-proxy.git
    [root@CentOS ~]# wget http://members.home.nl/p.a.rombouts/pdnsd/releases/pdnsd-1.2.9a-par.tar.gz

pdnsd

Compile and install: …

ejabberd and fail2ban

Fail2ban is a useful tool capable of mitigating brute force attacks performed against a multitude of services (ejabberd in our case). Its configuration is split between several files: jail.conf defines which filters are active, while the filter definitions are placed in the filter.d directory.

    [root@CentOS ~]# vi /etc/fail2ban/jail.conf
    ---
    bantime = 1200
    findtime = 1200
    maxretry = 10
    backend = auto

    [ejabberd-auth]
    enabled = true
    port = 5222,5280,7777
    action = iptables-multiport[name=ejabberd, port="5222,5269,5280,777", protocol=tcp]
    logpath = /var/log/ejabberd/ejabberd.log
    ---

    [root@CentOS ~]# vi /etc/fail2ban/filter.d/ejabberd-auth.conf
    ---
    [Definition]
    failregex = ^=INFO REPORT==== ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for .+ from IP <HOST> \({{(?:\d+,){3}\d+},\d+}\)$
                ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:wait_for_feature_request:\d+ \([^\)]+\) Failed authentication for \S+ from IP <HOST>$
                ^.* Failed authentication for \S+ from <HOST>$
                ^.* from <<"<HOST>">> failed with error: <<"inexistent-account">>$
                ^.* from <<"<HOST>">> failed with error: <<"bad-password">>$
                ^.* from <<"<HOST>">> failed with error: <<"badformed-jid">>$
    ignoreregex =

    [Init]
    journalmatch =
    ---

The first two regular expressions match user (XMPP client) authentication failures, while the others match failed logins to the administration panel. Other useful commands are: …

Defragment EXT4 file system

EXT4 is usually pretty good at keeping file fragmentation to a minimum, but sometimes, especially when dealing with really huge files, some fragmentation may actually occur. Luckily EXT4 supports online defragmentation, and the fsck command displays, among other things, the fragmentation percentage:

    [root@fedora ~]$ fsck.ext4 -fvn /dev/sda1
    e2fsck 1.42.12 (29-Aug-2014)
    Warning!  /dev/sda1 is mounted.
    Warning: skipping journal recovery because doing a read-only filesystem check.
    Pass 1: Checking inodes, blocks, and sizes
    Pass 2: Checking directory structure
    Pass 3: Checking directory connectivity
    Pass 4: Checking reference counts
    Pass 5: Checking group summary information

             429 inodes used (1.31%, out of 32768)
             **5 non-contiguous files (1.2%)**
               1 non-contiguous directory (0.2%)
                 # of inodes with ind/dind/tind blocks: 0/0/0
                 Extent depth histogram: 420
           45161 blocks used (34.46%, out of 131072)
               0 bad blocks
               1 large file

             402 regular files
              17 directories
               0 character device files
               0 block device files
               0 fifos
               0 links
               1 symbolic link (1 fast symbolic link)
               0 sockets
    ------------
             420 files

The command e4defrag, which is contained in e2fsprogs, can be used to perform online defragmentation of EXT4 volumes. …

Email server: Dovecot and Postfix

Postfix configuration

Install the required software:

    $ yum install postfix postgrey dovecot fail2ban spamassassin spamass-milter-postfix opendkim

Create the TLS certificate, key and CA (replace mail.domain.tld with a valid domain name):

    $ mkdir /etc/postfix/ssl
    $ cd /etc/postfix/ssl
    $ openssl genrsa -aes256 -out mail.domain.tld.key 4096
    $ chmod 600 mail.domain.tld.key
    $ openssl req -sha256 -new -key mail.domain.tld.key -out mail.domain.tld.csr
    $ openssl x509 -sha256 -req -days 1825 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt
    $ openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass
    $ mv mail.domain.tld.key.nopass mail.domain.tld.key
    $ openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 -sha256
    $ chmod 600 mail.domain.tld.key
    $ chmod 600 cakey.pem
    $ openssl dhparam -out dhparams.pem 4096
    $ chmod 600 dhparams.pem

Edit the main.cf file accordingly (the other lines should be fine by default). No SQL database is used: for user authentication Postfix relies on Linux system users, and email data are stored in ~/Maildir. …

ejabberd XMPP server configuration guide

I will be keeping this post up to date to keep track of how to configure and maintain an ejabberd server that works efficiently and securely. I strongly advise any reader to read carefully what is written here and not just copy-and-paste the configuration file. My blog also contains a bunch of other posts regarding ejabberd that are worth a look; use the search form.

Server: CentOS 7.5.1804 x86_64, Erlang/OTP 21.1.1-1 x86_64, ejabberd 18.09
Client: LineageOS 15.1 (Android Nougat), Conversations 2.3.5+fcr

.:. Installation and initial configuration

Download and install Erlang (release numbers here may not be up to date): …

Nginx and password protected pages

To password protect a directory xyz and every file and subdirectory in it, open the configuration file (nginx.conf or one of the virtual host configuration files) and add the following lines:

    location /xyz/ {
        auth_basic "Restricted Area";
        auth_basic_user_file conf.d/htpasswd;
    }

The htpasswd file must hold hashed passwords rather than plain text; it can be created using a tool named htpasswd.

    [root@xenserver ~]# cd /etc/nginx/conf.d/
    [root@xenserver ~]# htpasswd -b htpasswd user password