Thursday, May 04, 2017

HOWTO : OwnCloud 10.0.0 and Hiawatha 10.6 on Ubuntu 16.04 LTS

Step 1 - Update Ubuntu :

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get autoclean
sudo apt-get --purge autoremove


Step 2 - Hiawatha Installation :

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

wget https://cmake.org/files/v3.8/cmake-3.8.1.tar.gz
tar -xvzf cmake-3.8.1.tar.gz
cd cmake-3.8.1
./configure
make
sudo make install


wget https://github.com/hsleisink/hiawatha/archive/v10.6.tar.gz
tar -xzvf v10.6.tar.gz
cd hiawatha-10.6/extra
./make_debian_package
cd ..
sudo dpkg -i hiawatha_10.6_amd64.deb


sudo mkdir /etc/hiawatha/enable-sites

sudo nano /etc/hiawatha/hiawatha.conf

Add "SocketSendTimeout" just before the "Binding Settings" section :

SocketSendTimeout = 240

Add "MaxRequestSize" to "Binding Settings" :

# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
    Port = 80
    # MaxRequestSize is in kilobytes; 104857600 KB is 100 GB
    MaxRequestSize = 104857600
    MaxUploadSize = 2047
    TimeForRequest = 24,100
    MaxKeepAlive = 72000000
}


Append the following line at the end of the file :

Include /etc/hiawatha/enable-sites/

Create "owncloud" file at /etc/hiawatha/enable-sites :

sudo nano /etc/hiawatha/enable-sites/owncloud

VirtualHost {
    Hostname = [your domain or IP address here]
    WebsiteRoot = /var/www/owncloud
    StartFile = index.php
    AccessLogfile = /var/log/hiawatha/owncloud-access.log
    ErrorLogfile = /var/log/hiawatha/owncloud-error.log
    TimeForCGI = 72000000
    WebDAVapp = yes
    UseFastCGI = PHP70
    UseToolkit = denyData
    EnablePathInfo = yes
    AllowDotFiles = yes
    HTTPAuthToCGI = yes
}

UrlToolkit {
    ToolkitID = denyData
    Match ^/data DenyAccess
}

FastCGIserver {
    FastCGIid = PHP70
    ConnectTo = /var/run/php/php7.0-fpm.sock
    Extension = php
    SessionTimeout = 72000000
}


sudo nano /etc/php/7.0/fpm/php-fpm.conf

Append the following lines at the end of the file :

; for OwnCloud
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

[www]
pm=dynamic
pm.max_children=1000
pm.start_servers=50
pm.min_spare_servers=25
pm.max_spare_servers=75


Step 3 - MySQL Setting :

sudo mysql -u root -p

create database owncloud;
GRANT ALL ON owncloud.* TO owncloud@'127.0.0.1' IDENTIFIED BY '[your password here]';
flush privileges;
quit


Step 4 - OwnCloud Installation :

wget -nv https://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/Release.key -O Release.key
sudo apt-key add - < Release.key

rm Release.key

sudo sh -c "echo 'deb http://download.owncloud.org/download/repositories/stable/Ubuntu_16.04/ /' >> /etc/apt/sources.list.d/owncloud.list"
sudo apt-get update
sudo apt-get install owncloud-files


sudo apt-get install exim4 exim4-base exim4-config exim4-daemon-light libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.1-0 s-nail php-common php7.0-cli php7.0-common php7.0-curl php7.0-gd php7.0-imap php7.0-intl php7.0-json php7.0-mbstring php7.0-mcrypt php7.0-mysql php7.0-readline php7.0-xml php7.0-zip php7.0-pgsql php7.0-sqlite3 php7.0-fpm php-apcu mysql-server mysql-client php7.0-cgi

sudo nano /var/www/owncloud/.user.ini

The content of the file may look like this :

upload_max_filesize=100G
post_max_size=100G
memory_limit=12G
mbstring.func_overload=0
always_populate_raw_post_data=-1
default_charset='UTF-8'
output_buffering=0
max_input_time=3600
max_execution_time=3600
upload_tmp_dir='/tmp/'
max_file_upload=5000

Open a browser, point it to http://[your owncloud server IP] and create your admin user and password. Then select the MySQL database on the same page; otherwise, it will use SQLite by default.

After that, do the following :

sudo nano /var/www/owncloud/config/config.php

Insert the following line at the end of the configuration block :

'memcache.local' => '\OC\Memcache\APCu',

To restart OwnCloud and Hiawatha services :

sudo /etc/init.d/php7.0-fpm restart
sudo /etc/init.d/hiawatha restart


Then, you can install the desktop sync client to sync your desktop to ownCloud.

Remarks :

If you want an https connection, you need to generate a private SSL certificate or purchase one. You can also use Let's Encrypt when necessary. If so, the "Binding Settings" in Hiawatha should use "Port = 443".

That's all! See you.

Wednesday, May 03, 2017

[RESEARCH] How Secure Are the HSBC and DBS Web Sites?

Last year, I wrote an article about the SSL certificate grading of banks in Hong Kong. This time, I would like to choose DBS and HSBC for the research, because DBS had the highest SSL certificate grading at that time - Grade A - while HSBC is the largest bank in Hong Kong even though it was Grade C.

The Research

Since pentesting a target without written authorization is illegal, this research covers the recon phase only. Therefore, it is an incomplete research. Please keep in mind that it is for reference only.

I have written an article about the security headers of a web site, such as HSTS, HPKP and XSS Protection. You can refer to it if you do not know what security headers are. The control web site for this research is my personal site, which is considered to be secured.

DBS Bank (Hong Kong) 星展銀行(香港)

The ebanking login page (https://internet-banking.hk.dbs.com/IB/Welcome) was tested and it was found that it is upgraded from A to A+, as the HSTS security header is set properly this time. The cookie is also set to be secure. Meanwhile, it is still protected by Akamai (WAF/DDoS).

However, the HPKP security header is missing and the XSS protection security header is not set properly. The site may be vulnerable to XSS and Man-In-The-Middle (MiTM) attacks even though HSTS is enforced.

Hongkong and Shanghai Banking Corporation (HSBC) 滙豐銀行

The ebanking login page (https://www.ebanking.hsbc.com.hk/1/2/logon?LANGTAG=en&COUNTRYTAG=US) was tested and it was found that the grading remains unchanged - Grade C - as TLS 1.2 is not set and the RC4 cipher is used for older protocols, and the VeriSign, Inc / Class 3 Public Primary Certification Authority is not set properly.

Meanwhile, the HSTS, HPKP and XSS protection security headers are missing. The cookie security is not set properly. Therefore, it may be vulnerable to MiTM and XSS attacks.

Conclusion

If not set properly, HPKP will cause errors when browsing. Therefore, most webmasters will not touch it in order to prevent downtime. The HSTS and XSS protection security headers as well as the cookie secure settings are not difficult to set and have no side effects. However, most webmasters ignore those settings due to misconceptions.

In my opinion, ebanking sites should be very well secured in order to prevent attacks.

Reference

Qualys SSL Labs
Security Headers
[RESEARCH] SSL Certificate Grading of Banks in Hong Kong
HOWTO : Secure Surfing
Green PadLock is Safe?

That's all! See you.


HOWTO : Highest Secured Hiawatha Web Server 10.6 on Ubuntu Server 16.04 LTS

(A) Introduction

Hiawatha Web Server is designed with security in mind. It has some security features built in to protect against common attacks, such as SQLi, XSS and CSRF. Meanwhile, it can be configured to prevent scanning by vulnerability scanners too.

Hiawatha is a lightweight, fast and secure web server. Hiawatha works well with PHP and MySQL. The following guide shows how to configure Hiawatha in a very secure way on Ubuntu Server LTS.

(B) Software Prerequisite

The current version as at the time of this writing :
(1) Ubuntu Server 16.04.2 LTS
(2) CMake 3.8.1
(3) Hiawatha 10.6

(C) Installation of PHP7.0 and MySQL

sudo apt-get install php7.0-cgi php7.0 php7.0-cli php7.0-mysql php7.0-curl php7.0-gd php7.0-intl php7.0-imap php7.0-mcrypt php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl apache2-utils php7.0-fpm php-memcache php-imagick php-cache mysql-server mysql-client

(D) Installation of Hiawatha

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

(a) Install CMake

wget https://cmake.org/files/v3.8/cmake-3.8.1.tar.gz
tar -xvzf cmake-3.8.1.tar.gz
cd cmake-3.8.1
./configure
make
sudo make install


(b) Install Hiawatha

wget https://github.com/hsleisink/hiawatha/archive/v10.6.tar.gz
tar -xzvf v10.6.tar.gz

cd hiawatha-10.6/extra

./make_debian_package

cd ..

sudo dpkg -i hiawatha_10.6_amd64.deb


(E) Configuration of PHP7.0

sudo nano /etc/php/7.0/fpm/php.ini

Make the following changes :

allow_url_fopen = Off
session.cookie_httponly = 1
disable_functions = [EXIST_FUNCTION],system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd


* [EXIST_FUNCTION] stands for the functions that are already listed in "disable_functions" of php.ini

(F) Let's Encrypt on Hiawatha

(a) Configuration of Hiawatha

sudo mkdir -p /etc/hiawatha/enable-sites
sudo mkdir -p /etc/hiawatha/disable-sites


Edit "cgi-wrapper.conf".

sudo nano /etc/hiawatha/cgi-wrapper.conf

Change the following lines as shown.

CGIhandler = /usr/bin/perl
CGIhandler = /usr/sbin/php7.0-fpm
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi

Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data


Change the ownership of the log files.

cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log
sudo chown www-data:www-data garbage.log
sudo chown root:root system.log


Change the ownership of the web application files.

cd /var/www/mysite
sudo chown -R root:root *


The following are examples of "hiawatha.conf" and "mysite.com".

/etc/hiawatha/hiawatha.conf example :


/etc/hiawatha/enable-sites/mysite.com example :


(b) Self Signed SSL Certificate Generation

To generate a self-signed SSL certificate for the default web root :

openssl genrsa -out default.pem 4096
openssl req -new -x509 -days 3650 -key default.pem -out server.crt
echo "" >> default.pem
cat server.crt >> default.pem
echo "" >> default.pem
rm -f server.crt
sudo mkdir -p /etc/hiawatha/tls
sudo cp default.pem /etc/hiawatha/tls
sudo chown root:root /etc/hiawatha/tls/default.pem
sudo chmod 600 /etc/hiawatha/tls/default.pem
sudo chmod 600 -R /etc/hiawatha/tls


(c) Let's Encrypt Generation and Configuration

(1) First time install Let's Encrypt :

Make sure port 80 is reachable, as the Let's Encrypt script will use it to generate the SSL/TLS certificates.

Change ~/hiawatha-10.6/extra/letsencrypt/letsencrypt.conf :

nano ~/hiawatha-10.6/extra/letsencrypt/letsencrypt.conf

Change "ACCOUNT_EMAIL_ADDRESS" to your email address. Let's Encrypt will alert you via this email address when the SSL/TLS certificate is going to expire.

ACCOUNT_EMAIL_ADDRESS = samiux@gmail.com

Change "CERTIFICATE_RSA_KEY_SIZE" to 4096.

CERTIFICATE_RSA_KEY_SIZE = 4096

Change "RENEWAL_REUSE_KEY" to true. The server private/public key pair will be reused for the SSL/TLS certificate renewal.

RENEWAL_REUSE_KEY = true

Comment out the "Testing" LE_CA_HOSTNAME and uncomment "Production" LE_CA_HOSTNAME.

LE_CA_HOSTNAME = acme-v01.api.letsencrypt.org # Production
#LE_CA_HOSTNAME = acme-staging.api.letsencrypt.org # Testing


Run the Hiawatha 10.6 letsencrypt script to generate the server private key and server certificate as well as the Let's Encrypt X3 certificate :

cd ~/hiawatha-10.6/extra/letsencrypt
sudo ./letsencrypt register


An "account.key" will be generated at ~/hiawatha-10.6/extra/letsencrypt. Make sure you keep this "account.key" in a safe place.

Then generate the SSL/TLS certificate of your server :

sudo ./letsencrypt www.mysite.com

A "www.mysite.com.pem" will be generated at /etc/hiawatha/tls/.

Rename the generated file :

sudo -sH
cd /etc/hiawatha/tls
mv www.mysite.com.pem www.mysite.com-privkey.pem
cp www.mysite.com-privkey.pem www.mysite.com.pem


Make sure you keep the private key file in a safe place, then generate the server public key :

openssl rsa -in www.mysite.com-privkey.pem -pubout -out pubkey.pem

Replace the first "PRIVATE KEY" block in www.mysite.com.pem with the content of pubkey.pem.

Insert Let's Encrypt X4 certificate :

wget https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem.txt
echo "" >> www.mysite.com.pem
cat lets-encrypt-x4-cross-signed.pem.txt >> www.mysite.com.pem


chmod 600 www.mysite.com.pem
chmod 600 www.mysite.com-privkey.pem


Then configure the VirtualHost at /etc/hiawatha/enable-sites/mysite.com by adding the following to it :

RequireTLS = yes, 180d; includeSubDomains; preload
TLScertFile = /etc/hiawatha/tls/www.mysite.com-privkey.pem
PublicKeyPins = /etc/hiawatha/tls/www.mysite.com.pem,60d


sudo systemctl restart hiawatha
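The directives above turn into a Strict-Transport-Security header (180d of max-age) and a Public-Key-Pins header carrying the SPKI hash of the pubkey.pem generated earlier. The following is an added example, not part of the original post or of Hiawatha, that computes those expected values offline so the live headers can be compared against the intended configuration; the time suffixes other than "d", the fake_pem helper and the SAMPLE_* keys are constructed stand-ins, not real keys or documented Hiawatha behaviour.

```python
"""What the RequireTLS and PublicKeyPins directives should produce on the wire,
computed from the directive values and the public key PEM.  Standard library only."""
import base64
import hashlib
import re

# 'd' (days) is the suffix the page uses; the other suffixes and bare seconds
# are an assumption added here for convenience, not a documented Hiawatha rule.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def hiawatha_time_to_seconds(value):
    """'180d' -> 15552000, '60d' -> 5184000; a bare number is taken as seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError("unrecognised time value: %r" % value)
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def hsts_header(require_tls):
    """RequireTLS value -> Strict-Transport-Security value (None when TLS is not required)."""
    parts = [p.strip() for p in require_tls.split(";")]
    enabled, _, age = parts[0].partition(",")
    if enabled.strip().lower() != "yes":
        return None
    if not age.strip():
        raise ValueError("RequireTLS needs an HSTS time such as 180d")
    out = ["max-age=%d" % hiawatha_time_to_seconds(age)]
    out += [p for p in parts[1:] if p]          # includeSubDomains / preload pass through
    return "; ".join(out)


def spki_pin(pem_text):
    """pin-sha256 of a PEM 'PUBLIC KEY' block (SubjectPublicKeyInfo, as written by
    `openssl rsa -pubout`): base64(sha256(DER bytes))."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem_text, re.S)
    if not m:
        raise ValueError("no PUBLIC KEY block in input")
    der = base64.b64decode("".join(m.group(1).split()))   # tolerate 64-column wrapping
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def hpkp_header(pem_texts, max_age):
    """Public-Key-Pins value for the given keys.  RFC 7469 requires a backup pin
    for a key that is not in the served chain, so at least two PEMs are needed."""
    if len(pem_texts) < 2:
        raise ValueError("HPKP needs the active key plus at least one backup key")
    pins = ['pin-sha256="%s"' % spki_pin(p) for p in pem_texts]
    return "; ".join(pins + ["max-age=%d" % hiawatha_time_to_seconds(max_age)])


def fake_pem(der_bytes):
    """Wrap arbitrary bytes as a PEM PUBLIC KEY block, 64 columns like openssl.
    Used only to build constructed test input; the bytes are not a real key."""
    body = base64.b64encode(der_bytes).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


# Constructed stand-ins for pubkey.pem and a backup key (not real keys).
SAMPLE_SPKI_A = b"constructed SubjectPublicKeyInfo bytes for the active key, not a real key"
SAMPLE_SPKI_B = b"constructed SubjectPublicKeyInfo bytes for the backup key, not a real key"
SAMPLE_PEM_A = fake_pem(SAMPLE_SPKI_A)
SAMPLE_PEM_B = fake_pem(SAMPLE_SPKI_B)

if __name__ == "__main__":
    print("Strict-Transport-Security:", hsts_header("yes, 180d; includeSubDomains; preload"))
    print("Public-Key-Pins:", hpkp_header([SAMPLE_PEM_A, SAMPLE_PEM_B], "60d"))
```

Feed the real pubkey.pem (and a backup key's public PEM) to spki_pin to get the pin values a browser should show in the Public-Key-Pins header after the restart.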

(2) Renew SSL/TLS certificate :

cd ~/hiawatha-10.6/extra/letsencrypt
sudo ./letsencrypt renew restart


* You can consider writing an auto-renew script as a cronjob for automatic updates.

(3) Revoke SSL/TLS certificate : (Optional)

cd ~/hiawatha-10.6/extra/letsencrypt
sudo ./letsencrypt revoke /etc/hiawatha/tls/www.mysite.com.pem


(G) Hardening of Ubuntu Server

(a) sysctl

sudo nano /etc/sysctl.d/60-hiawatha.conf



sudo sysctl /etc/sysctl.d/60-hiawatha.conf -p

(b) Apparmor

sudo apt-get install apparmor-profiles apparmor-utils
sudo nano /etc/apparmor.d/usr.sbin.hiawatha




sudo aa-enforce hiawatha

If you have changed some settings, you should reload the profile.

sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

If you want to disable this profile :

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha


If you want to re-enable this profile after it has been disabled :

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha


Remarks :

If you encounter "500 Internal Server Error", you may consider putting Apparmor into "Complain mode".

sudo aa-complain hiawatha

After several days of browsing the website, you may consider turning Apparmor back to "Enforce mode".

sudo aa-logprof

sudo aa-enforce hiawatha


This is because the usr.sbin.hiawatha profile above may not work 100% for you.

(c) Linux Malware Detect (Optional)

Linux Malware Detect Installation

* the link above may be out-dated and is for your reference only

(d) MySQL

Create Normal User on MySQL

(e) fail2ban

sudo apt-get install fail2ban

Change the settings in /etc/fail2ban/jail.conf when necessary.

(H) Storage Performance Tuning

It is recommended to use an SSD instead of a hard drive for the storage for excellent performance.

(a) SSD

Verify TRIM is supported :

sudo hdparm -I /dev/sda | grep TRIM

If the output is similar to the below, TRIM is supported :

* Data Set Management TRIM supported (limit 1 block)

If you installed Ubuntu on LVM, TRIM is usually enabled by default. You can confirm it :

cat /etc/lvm/lvm.conf | grep issue_discards

If the output is similar to the below, it is enabled :

issue_discards = 1

Then set the I/O scheduler to "deadline" if it is not done yet. Check the current scheduler first :

cat /sys/block/sda/queue/scheduler

noop [deadline] cfq

If not, set it :

sudo nano /etc/rc.local

Insert the following before "exit 0" :

echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 2048 > /sys/block/sda/queue/nr_requests
echo deadline > /sys/block/sda/queue/scheduler


* make sure your device is sda (or sdb ...)

To reload it, run the following (or reboot your system) :

sudo bash /etc/rc.local

After that, you need to edit the filesystem table (/etc/fstab) so that the root entry looks like the following :

/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1

sudo mount -a
sudo mount -o remount /


If you get an error after running the commands above, DO NOT reboot your system. Correct the typo before doing so; otherwise, you will not be able to boot your system again.

(b) Hard Drive

sudo nano /etc/rc.local

Insert the following before "exit 0" :

echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 2048 > /sys/block/sda/queue/nr_requests


* make sure your device is sda (or sdb ...)

To reload it, run the following (or reboot your system) :

sudo bash /etc/rc.local

After that, you need to edit the filesystem table (/etc/fstab) so that the options of the root entry look like the following :

ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1

sudo mount -a
sudo mount -o remount /


If you get an error after running the commands above, DO NOT reboot your system. Correct the typo before doing so; otherwise, you will not be able to boot your system again.

(I) Redis for PHP Session

Storing the PHP sessions in memory will increase the speed of a web site.

sudo apt-get install php-redis redis-server

sudo nano /etc/php/7.0/fpm/php.ini

Change the following to :

session.save_handler = redis
session.save_path = "tcp://127.0.0.1:6379"


To restart Hiawatha and PHP :

sudo systemctl restart hiawatha
sudo systemctl restart php7.0-fpm


To confirm whether it is working :

redis-cli
127.0.0.1:6379> keys *


The result will be similar to :

1) "PHPREDIS_SESSION:038gl83953j9bfnf02ksts52q5"
2) "PHPREDIS_SESSION:p53j1t43mbdp49cvaq1nv37o97"
3) "PHPREDIS_SESSION:kuop27qq6g6q265gu29000ee21"
4) "PHPREDIS_SESSION:84n96cba8colp73td8mslnjgq2"

Type "quit" to exit.

(J) Optional

To further harden Ubuntu Server, you may consider setting up a firewall (UFW/iptables) and placing the Ubuntu Server behind a Unified Threat Management (UTM) system or an Intrusion Prevention System (IPS).

Reference
Qualys SSL Labs
High-Tech Bridge
securityheaders.io
URL Rewrite for Hiawatha

That's all! See you.


Monday, April 17, 2017

HOWTO : Secure Surfing

According to the OWASP Secure Headers Project, secure headers are response headers set by the web server that can restrict modern browsers from running into easily preventable vulnerabilities.

The following are some of the secure header descriptions from the OWASP Secure Headers Project :

HTTP Strict Transport Security (HSTS)

"HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol."

Public Key Pinning Extension for HTTP (HPKP)

"HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates."

X-XSS-Protection

"This header enables the Cross-site scripting (XSS) filter in your browser."

Content-Security-Policy

"Content Security Policy (CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections."

When secure headers are set on the web servers, it shows that the sysadmins/developers care about the security of their clients/users. Most attacks today, such as XSS and MITM attacks, go via browsers and target users.

We can learn more about a web server's response header settings by using an online tool - Analyse your HTTP response headers. It is recommended to have Grade A or A+ in the test. However, Grade B may be acceptable.
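The checks behind those grades, and behind the DBS/HSBC findings in the earlier research post (HSTS, HPKP, X-XSS-Protection, CSP and the Secure/HttpOnly cookie flags), can be run offline on a captured set of response headers. The following is an added example, not code from the original post or from the online tool; the 180-day HSTS threshold is taken from the Hiawatha config on this page, and the WEAK_HEADERS and STRONG_HEADERS samples are constructed, not captured from any real site.

```python
"""Offline audit of the response headers the OWASP Secure Headers list and the
bank research are about.  Headers are given as (name, value) pairs, the way a
browser or `curl -I` receives them."""
import re

# The page's Hiawatha config uses RequireTLS ... 180d; treat anything shorter
# than 180 days of HSTS max-age as a finding (our threshold, not an OWASP rule).
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def _get(headers, name):
    """All values of header `name`, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def _directives(value):
    """'max-age=100; includeSubDomains' -> {'max-age': '100', 'includesubdomains': ''}."""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.strip().lower()] = val.strip().strip('"')
    return out


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("HSTS missing: protocol downgrade to plain HTTP stays possible")
    else:
        d = _directives(hsts[0])
        if not d.get("max-age", "").isdigit() or int(d["max-age"]) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age missing or too short")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    hpkp = _get(headers, "Public-Key-Pins")
    if not hpkp:
        findings.append("HPKP missing: a mis-issued certificate would be accepted")
    elif len(re.findall(r'pin-sha256="([^"]+)"', hpkp[0])) < 2:
        # RFC 7469 requires a backup pin next to the active key's pin
        findings.append("HPKP has fewer than two pins (no backup pin)")

    xss = _get(headers, "X-XSS-Protection")
    if not xss:
        findings.append("X-XSS-Protection missing")
    else:
        v = xss[0].replace(" ", "").lower()
        if not v.startswith("1"):
            findings.append("X-XSS-Protection disabled (value 0)")
        elif "mode=block" not in v:
            findings.append("X-XSS-Protection set without mode=block")

    if not _get(headers, "Content-Security-Policy"):
        findings.append("Content-Security-Policy missing")

    for cookie in _get(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        d = _directives(cookie)
        if "secure" not in d:
            findings.append("cookie %s lacks Secure: sent over plain HTTP too" % name)
        if "httponly" not in d:
            findings.append("cookie %s lacks HttpOnly: readable by injected script" % name)

    return findings


# Constructed samples, not captured from any real site.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
]
STRONG_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=15552000; includeSubDomains; preload"),
    ("Public-Key-Pins", 'pin-sha256="constructedPinA="; pin-sha256="constructedPinB="; '
                        "max-age=5184000"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print("%s: %s" % (label, audit_headers(hdrs) or ["no findings"]))
```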

For the client side, it is recommended to install some add-ons or plugins for browser security. Firefox is recommended as there are a lot of such add-ons for the purpose. The following add-ons are recommended.

NoScript

Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.

* You are not required to enable it, as it will block the JavaScript that most modern websites use. You can disable it globally and still keep its XSS attack protection on by default.

uBlock Origin

Finally, an efficient blocker. Easy on CPU and memory. (Please refer to the official site for details)

WebRTC Control

Have control over WebRTC (disable or enable) and protect your IP address.

Self-Destructing Cookies

Self-Destructing Cookies automatically removes cookies when they are no longer used by open browser tabs. With the cookies, lingering sessions, as well as information used to spy on you, will be expunged. Websites will only be permitted to identify you while you actually use them and can not stalk you across the entire web. This is the closest you will get to cookieless browsing without breaking every second site or tedious micromanaging.

HTTPS Everywhere

Encrypt the web! HTTPS Everywhere is a Firefox extension to protect your communications by enabling HTTPS encryption automatically on sites that are known to support it, even when you type URLs or follow links that omit the https: prefix.

If you are an Ubuntu user, you can apply Apparmor to Firefox for further hardening.

When both the server side and the client side are secured, it is very hard to be attacked by XSS, MITM or some other attacks.

Happy surfing!

That's all! See you.


Saturday, April 15, 2017

Green PadLock is Safe?

According to Wikipedia, HTTPS only encrypts the communication traffic between browsers and web servers in order to prevent Man-In-The-Middle (MITM) attacks. HTTPS does not indicate that a website bearing a green padlock is "safe".

Many people misinterpret a website bearing a green padlock with an HTTPS URL as a "safe" website. The "safe" here refers to a website that does not do any malicious activities against the users.

Recently, I read an article "When the 'S' in HTTPS also stands for shady". That also shows that even information security guys and gals may misinterpret the purpose of HTTPS.

Since users can revoke and regenerate Let's Encrypt SSL certificates themselves, revoking the SSL certificates of malicious websites by Let's Encrypt is meaningless. Without Let's Encrypt, malicious hackers can purchase SSL certificates from other sources to complete the task without any problem.

Ten odd years ago, many experts stated that if the browser is showing a locked padlock, you are "safe" and the website is "safe". It is misleading for sure.

We should educate users that even if a website looks legit and bears a valid SSL certificate, they should think more before clicking any link on the site, because most phishing sites look legit and have valid SSL certificates. They should check the URL address of the website before going further, especially for banking and payment sites. Beware of the website being redirected to another URL too.

By the way, malicious hackers can impersonate HTTPS traffic and perform MITM attacks with ease today! No system is safe!

That's all! See you.


Wednesday, April 12, 2017

[RESEARCH] Information Security Scammers?

What Attracted Me

Recently, Nexus Guard and Zenedge caught my eye. They provide similar products/services, such as DDoS protection by Content Delivery Network (CDN) and Web Application Firewall (WAF).

The Nexus Guard website says that they are the leader in the market :

"As a longtime leader in DDoS defense, Nexusguard is at the forefront of the fight against malicious Internet attacks, protecting organizations worldwide from threats to their websites, services, and reputations."

The Zenedge website provides a free vulnerability and threat assessment for their potential clients :

"The report is produced by our team of cybersecurity experts bring a collective 200 years of cybersecurity experience and have been responsible for mitigating some of the largest attacks. Ever."

Basic and Fast Research

I wonder why there are so many CDN providers recently. A CDN requires a lot of proxies around the world in order to absorb a very large amount of DDoS traffic. They need to invest a lot in the infrastructure. Therefore, I did some basic and fast research on them.

I found out that they both use Let's Encrypt free SSL/TLS certificates on their official websites. Meanwhile, their official websites are hosted (or their domains are hosted on a proxy) on akamaitechnologies.com.

I further found out that akamaitechnologies.com is registered by akamai.com - Akamai. Akamai provides CDN and cloud computing services, including WAF. It has been one of the famous CDN and WAF providers in the market since 1998. I confirmed that akamai.com is also hosted (or hosts its domain on the proxy) on akamaitechnologies.com, on a different IP address/subnet from Nexus Guard and Zenedge. Meanwhile, Nexus Guard and Zenedge are in the same subnet.

Nexus Guard

Nexus Guard conducted an unprofessional research on Android TV boxes with 3 popular anti-virus programs, such as Dr. Web and ESET, in July 2014 and posted it in a Hong Kong local magazine - East Week Vol. 568. They just posted the results of the scanning and misled the readers that some Android TV boxes are vulnerable to so-called backdoors. However, they did not confirm whether the so-called backdoors are exploitable or not.

Nexus Guard also released an article about DDoS in May 2016 where they mentioned that DDoS by NTP is at the top of the list of attacks. However, it seems that they do not know that the NTP attacks at that time were because of a zero day vulnerability in the NTP protocol.

Most of their reports, threat advisories and whitepapers restate information security news that is all available in public. Do they think that writing so many reports, threat advisories and whitepapers will make them look more like a professional information security firm?

Zenedge

Since Zenedge provides a free vulnerability and threat assessment on their website, I tried to contact the sales agent on the Zenedge site and he redirected me to contact Nelson Chen, who is CISSP, CISA, CISM and Director Security Solutions of Zenedge. I requested a free vulnerability and threat assessment of my personal site on April 10, 2017 via direct email with Nelson. However, I have not had any reply from him since then (3 days at the time of this writing).

That makes me think: are they pretending to provide a free service in order to obtain information about their potential clients for promotion purposes? Or is Nelson thinking too much when an infosec (information security) guy approaches them, as they think their customers should be noobs? Or do they not have any professional infosec guy to do an assessment of my personal site? Or is my personal site so lame that they disdain to do the job?

Questions in Mind

If Nexus Guard and Zenedge have their own CDN and products/services, why are their official websites hosted (or their domains hosted on a proxy) on Akamai? Do they not believe that their products/services are better than Akamai's? Are Nexus Guard and Zenedge resellers/Value Added Resellers of Akamai? Are they all information security scammers?

Conclusion

Think carefully before you purchase information security services or products. Do more research on the infosec providers/vendors before making any decision. Finally, it is difficult to tell professional from unprofessional in general.

Reference

Distributed Denial-of-Service Attack
Content Delivery Network
Web Application Firewall

(a) Nexus Guard - https://www.nexusguard.com/
Domain is registered on Sept 9, 2008
Server common name : secure0009.hubspot.com
Server domain #1 : a184-50-88-78.deploy.static.akamaitechnologies.com (184.50.88.78)
Server domain #2 : a184-50-88-3.deploy.static.akamaitechnologies.com (184.50.88.3)
Server IP : 128.177.173.177:443

(b) Zenedge - https://www.zenedge.com/
Domain is registered on Jan 7, 2013
Server common name : secure0004.hubspot.com
Server domain #1 : a184-50-88-76.deploy.static.akamaitechnologies.com (184.50.88.76)
Server domain #2 : a184-50-88-3.deploy.static.akamaitechnologies.com (184.50.88.3)
Server IP : 69.31.76.226:443

(c) Akamai - https://www.akamai.com/
(Akamai Technologies - akamaitechnologies.com)
Domain is registered on Aug 17, 1998
Server domain : a23-75-36-144.deploy.static.akamaitechnologies.com (23.75.36.144)

That's all! See you.


Sunday, April 09, 2017

Catch Me If You Can 4

This is the fourth article in the "Catch Me If You Can" series. The previous three articles talked about how to prevent being caught. However, this article talks about what you can do, once you have been arrested, to prevent being charged for hacking.

Once you have been arrested, your digital devices (such as personal computers, laptops, smartphones and other devices) will be seized. The "device" below applies to personal computers and laptops only. Law enforcement would conduct digital forensics on all your devices in order to seek any evidence of cyber crime that you have conducted. However, if your devices are still switched on when you are arrested, law enforcement would not turn your device off and would conduct the digital forensics right away.

You can use Bleachbit to delete all deleted files, logs and backups. However, some valuable files may not be deleted. Therefore, Bleachbit may not be a very good solution, even though it is good practice to use it for the purpose.

Offensive Security's Kali Linux development team ported a self-destruction LUKS encryption to Kali Linux since version 1.0.6 that allows the hard drive (or SSD) to be fully encrypted with normal and nuke passphrases. Once the nuke passphrase is entered, all the passphrases for decryption will be deleted and the hard drive (or SSD) cannot be recovered. Therefore, the hard drive (SSD) is safe from digital forensics. If you are not using Kali Linux for the hacking, you can apply self-destruction LUKS encryption on some other Linux distributions.

It is recommended that the self-destruction nuke passphrase is much shorter than the normal passphrase in order to prevent your device from being brute forced. Meanwhile, it is not recommended to back up your normal passphrases anywhere.

What if the device is still switched on? It is recommended to force the device off by long pressing the power button or unplugging the power supply if you can while you are being arrested. Make sure you set up your device to turn off when the power button is long pressed instead of suspending.

Different countries have different cyber crime laws. Even if law enforcement cannot get any evidence from your devices, you may be charged with other offences under the laws of your country.

That's all! See you.

Reference

Emergency Self-destruction Luks in Kali
Luks and Nuke Key Installation on Ubuntu
Bleachbit

See Also

Catch Me If You Can
Catch Me If You Can 2
Catch Me If You Can 3


Wednesday, March 29, 2017

HOWTO : Highest secured Hiawatha Web Server 10.5 on Ubuntu Server 16.04 LTS

(A) Introduction

Hiawatha Web Server is designed with security in mind. It has some security features built in to protect against common attacks, such as SQLi, XSS and CSRF. Meanwhile, it can be configured to prevent scanning by vulnerability scanners too.

Hiawatha is a lightweight, fast and secure web server. Hiawatha works well with PHP and MySQL. The following guide shows how to configure Hiawatha in a very secure way on Ubuntu Server LTS.

(B) Software Prerequisite

The current version as at the time of this writing :
(1) Ubuntu Server 16.04.2 LTS
(2) CMake 3.7.2
(3) Hiawatha 10.5

(C) Installation of PHP7.0 and MySQL

sudo apt-get install php7.0-cgi php7.0 php7.0-cli php7.0-mysql php7.0-curl php7.0-gd php7.0-intl php7.0-imap php7.0-mcrypt php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl apache2-utils php7.0-fpm php-memcache php-imagick php-cache mysql-server mysql-client

(D) Installation of Hiawatha

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

(a) Install CMake

wget https://cmake.org/files/v3.7/cmake-3.7.2.tar.gz
tar -xvzf cmake-3.7.2.tar.gz
cd cmake-3.7.2
./configure
make
sudo make install


(b) Install Hiawatha

wget http://www.hiawatha-webserver.org/files/hiawatha-10.5.tar.gz
tar -xzvf hiawatha-10.5.tar.gz

cd hiawatha-10.5/extra

./make_debian_package

cd ..

sudo dpkg -i hiawatha_10.5_amd64.deb


(E) Configuration of PHP7.0

sudo nano /etc/php/7.0/fpm/php.ini

Make the following changes :

allow_url_fopen = Off
session.cookie_httponly = 1
disable_functions = [EXIST_FUNCTION],system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd,


* [EXIST_FUNCTION] stands for the functions that are already listed in "disable_functions" in php.ini

(F) Let's Encrypt on Hiawatha

(a) Configuration of Hiawatha

sudo mkdir -p /etc/hiawatha/enable-sites
sudo mkdir -p /etc/hiawatha/disable-sites


Edit "cgi-wrapper.conf".

sudo nano /etc/hiawatha/cgi-wrapper.conf

Change the following lines to :

CGIhandler = /usr/bin/perl
CGIhandler = /usr/sbin/php7.0-fpm
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi

Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data


Change the ownership of the log files.

cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log
sudo chown www-data:www-data garbage.log
sudo chown root:root system.log


Change the ownership of the web application files.

cd /var/www/mysite
sudo chown -R root:root *
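
As an added example (not part of the original post), the following POSIX shell script checks that the php.ini settings from section (E) are actually in effect and that nothing under the web root is owned by the wrong user or writable by group or others, which is the point of the chown above. File paths and the expected owner are passed as arguments, so it can audit a copy of php.ini or a staging web root; the disable_functions list it expects is the one from section (E).

```shell
#!/bin/sh
# Added hardening audit (example code, not from the original post).
# Usage after sourcing this file:
#   check_php_ini /etc/php/7.0/fpm/php.ini
#   webroot_violations /var/www/mysite root

# Print the value of an ini key (first uncommented occurrence) without
# surrounding spaces; commented lines start with ";" and never match.
ini_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeed when every function in the comma list $2 is present in the
# disable_functions value of php.ini $1; otherwise print the missing ones.
check_disabled_functions() {
    list=$(ini_get "$1" disable_functions | tr -d ' ')
    missing=""
    for fn in $(echo "$2" | tr ',' ' '); do
        case ",$list," in
            *",$fn,"*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "not disabled:$missing"
    return 1
}

# Verify the three settings from section (E). Returns 0 only if all hold.
check_php_ini() {
    rc=0
    [ "$(ini_get "$1" allow_url_fopen)" = "Off" ] || { echo "allow_url_fopen is not Off"; rc=1; }
    [ "$(ini_get "$1" session.cookie_httponly)" = "1" ] || { echo "session.cookie_httponly is not 1"; rc=1; }
    check_disabled_functions "$1" \
        "system,show_source,symlink,exec,dl,shell_exec,passthru,phpinfo,escapeshellarg,escapeshellcmd" || rc=1
    return $rc
}

# Count entries under directory $1 that are not owned by user $2 or are
# writable by group or others. Files the PHP process can modify are what
# an attacker with code execution would tamper with, so the expected
# answer after "chown -R root:root" is 0.
webroot_violations() {
    find "$1" \( ! -user "$2" -o -perm /022 \) -print | wc -l | tr -d ' '
}
```

Both checks are read-only, so they can be run from cron after every deployment; a non-zero count from webroot_violations is the earliest sign that an upload or a package upgrade has loosened the permissions set above.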


The following are examples of "hiawatha.conf" and "mysite.com".

/etc/hiawatha/hiawatha.conf example :


/etc/hiawatha/enable-sites/mysite.com example :


(b) Self Signed SSL Certificate Generation

To generate a self-signed SSL certificate for the web root :

openssl genrsa -out default.pem 4096
openssl req -new -x509 -days 3650 -key default.pem -out server.crt
echo "" >> default.pem
cat server.crt >> default.pem
echo "" >> default.pem
rm -f server.crt
sudo mkdir -p /etc/hiawatha/tls
sudo cp default.pem /etc/hiawatha/tls
sudo chown www-data:www-data /etc/hiawatha/tls/default.pem
sudo chmod 400 /etc/hiawatha/tls/default.pem
sudo chmod 400 -R /etc/hiawatha/tls


(c) Let's Encrypt Generation and Configuration

To generate an SSL certificate for www.mysite.com :

wget https://www.hiawatha-webserver.org/files/letsencrypt.tar.gz
tar -xvzf letsencrypt.tar.gz
cd letsencrypt

nano letsencrypt.conf


Change the email "info@example.org" to your own email address, as the Let's Encrypt bot will notify you about the expiry date of the certificate :
ACCOUNT_EMAIL_ADDRESS = samiux@gmail.com

Change the RSA Key size from "2048" to "4096" :
CERTIFICATE_RSA_KEY_SIZE = 4096

Uncomment "Production" and comment out "Testing" :
LE_CA_HOSTNAME = acme-v01.api.letsencrypt.org # Production
#LE_CA_HOSTNAME = acme-staging.api.letsencrypt.org # Testing


Make sure Port 80 is reachable and run the following commands.

For the first time, you need to register with Let's Encrypt. Make sure you keep the generated "account.key" in a safe place; "account.key" must be back in its original place when renewing the SSL certificate.

./letsencrypt register

To generate the SSL certificate.

sudo ./letsencrypt www.mysite.com

To revoke the SSL certificate (Optional).

sudo ./letsencrypt /etc/hiawatha/tls/www.mysite.com.pem

To renew SSL certificate (Optional).

sudo ./letsencrypt renew

Get the Let's Encrypt X3 intermediate certificate from https://letsencrypt.org/certificates/ by selecting :

Let’s Encrypt Authority X3 (IdenTrust cross-signed)
https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
echo "" >> www.mysite.com.pem
cat lets-encrypt-x3-cross-signed.pem.txt >> www.mysite.com.pem

echo "" >> default.pem
cat lets-encrypt-x3-cross-signed.pem.txt >> default.pem


To generate the base64-encoded SHA-256 hash of each certificate's public key (the HPKP "pin-sha256" value). The first one is for the "mysite.com" SSL certificate and the second one is for the SSL certificate of the web root directory.

openssl x509 -in /etc/hiawatha/tls/www.mysite.com.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64

openssl x509 -in /etc/hiawatha/tls/default.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64


Then change the "CustomHeaderClient = Public-Key-Pins:" values in "/etc/hiawatha/enable-sites/mysite.com". The first "pin-sha256" is for "mysite.com" and the second "pin-sha256" is for the web root. The other "pin-sha256" values are obtained from the Qualys SSL Labs test site (see below).

With the help of Qualys SSL Labs, you can further configure HPKP and test the grade of your site. The highest grade is A+.

The site is graded A+ on both the Qualys SSL Labs and the High-Tech Bridge SSL certificate tests. Meanwhile, High-Tech Bridge also reports it as compliant with the PCI DSS 3.1 requirements.

The Let's Encrypt SSL certificate expires in about 28 days and has to be renewed. Make sure you update "CustomHeaderClient = Public-Key-Pins:" in /etc/hiawatha/enable-sites/mysite.com (as in the example). The first "pin-sha256" has to be updated. After that, restart Hiawatha.
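
The following shell functions are an added example (not code from the original post or from Hiawatha) that wrap the openssl pipeline above. They show what the pin really covers: it is a hash of the certificate's SubjectPublicKeyInfo, so the same value comes out of the private key alone, and it only changes when the key changes. That is why the first "pin-sha256" must be replaced after a renewal that generates a new key. The throwaway key and self-signed certificate the demo creates are constructed test material; the hostname www.mysite.com is the one used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): HPKP pin derivation helpers.

# Print the base64 SHA-256 of the DER-encoded public key found in the
# PEM certificate $1 (same pipeline as the openssl command above).
spki_pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout | openssl rsa -pubin -outform der 2>/dev/null |
        openssl dgst -sha256 -binary | base64
}

# The same pin computed from the RSA private key $1 alone: the pin is a
# property of the key pair, not of the signed certificate.
spki_pin_from_key() {
    openssl rsa -in "$1" -pubout -outform der 2>/dev/null |
        openssl dgst -sha256 -binary | base64
}

# Build the header value for "CustomHeaderClient = ..." from a max-age in
# seconds ($1) and one or more pins (remaining arguments).
hpkp_header() {
    age=$1; shift
    out="Public-Key-Pins:"
    for p in "$@"; do out="$out pin-sha256=\"$p\";"; done
    echo "$out max-age=$age"
}

# Demo: generate a throwaway key and self-signed certificate in a temporary
# directory (constructed, not the server's real material) and print the pin
# only if the two derivations agree.
demo_pin_consistency() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/key.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 1 -key "$d/key.pem" -subj "/CN=www.mysite.com" \
        -out "$d/cert.pem" 2>/dev/null
    a=$(spki_pin_from_cert "$d/cert.pem")
    b=$(spki_pin_from_key "$d/key.pem")
    rm -rf "$d"
    if [ -n "$a" ] && [ "$a" = "$b" ]; then echo "$a"; fi
}
```

Because the pin is tied to the key, keeping a backup key pair and pinning its SPKI hash as well lets you rotate without locking out visitors; the extra pins in the header are there for that reason. Note that major browsers have since removed support for the Public-Key-Pins header, so the header itself is mostly of historical interest, while the SPKI hash computed here is still what other pinning mechanisms use.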

(G) Hardening of Ubuntu Server

(a) sysctl

sudo nano /etc/sysctl.d/60-hiawatha.conf



sudo sysctl /etc/sysctl.d/60-hiawatha.conf -p

(b) Apparmor

sudo apt-get install apparmor-profiles apparmor-utils
sudo nano /etc/apparmor.d/usr.sbin.hiawatha




sudo aa-enforce hiawatha

If you have changed some settings, you should reload the profile.

sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha

If you want to disable this profile.

sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha


If you want to re-enable this profile after it has been disabled.

sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha


Remarks :

If you encounter "500 Internal Server Error", you may consider switching the AppArmor profile to "complain mode".

sudo aa-complain hiawatha

After several days of browsing the website, you may consider switching AppArmor back to "enforce mode".

sudo aa-logprof

sudo aa-enforce hiawatha


This is because the usr.sbin.hiawatha profile above may not work 100% for your setup.

(c) Linux Malware Detect (Optional)

Linux Malware Detect Installation

* the link above may be outdated and is for your reference only

(d) MySQL

Create Normal User on MySQL

(e) fail2ban

sudo apt-get install fail2ban

Change the settings in /etc/fail2ban/jail.conf when necessary.

(H) Storage Performance Tuning

It is recommended to use an SSD for storage instead of a hard drive for excellent performance.

(a) SSD

Verify TRIM is supported :

sudo hdparm -I /dev/sda | grep TRIM

If the output is similar to the following, TRIM is supported :

* Data Set Management TRIM supported (limit 1 block)

If you installed Ubuntu on LVM, TRIM is usually enabled by default. You can confirm it :

cat /etc/lvm/lvm.conf | grep issue_discards

If the output is similar to the following, it is enabled :

issue_discards = 1

Then set the I/O scheduler to "deadline" if it is not done yet. Check the current one :

cat /sys/block/sda/queue/scheduler

noop [deadline] cfq

If not, set it :

sudo nano /etc/rc.local

Insert the following before "exit 0" :

echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 2048 > /sys/block/sda/queue/nr_requests
echo deadline > /sys/block/sda/queue/scheduler


* make sure your device is sda (or sdb ...)

To reload it or reboot your system :

sudo bash /etc/rc.local

After that, you need to edit the filesystem table (/etc/fstab) :

Make the root entry look like the following :

/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1

sudo mount -a
sudo mount -o remount /


If you get an error after running the commands above, DO NOT reboot your system. Correct the typo first; otherwise, you will not be able to boot your system again.

(b) Hard Drive

sudo nano /etc/rc.local

Insert the following before "exit 0" :

echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 2048 > /sys/block/sda/queue/nr_requests


* make sure your device is sda (or sdb ...)

To reload it or reboot your system :

sudo bash /etc/rc.local

After that, you need to edit the filesystem table (/etc/fstab) :

Make the root entry look like the following :

ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1

sudo mount -a
sudo mount -o remount /


If you get an error after running the commands above, DO NOT reboot your system. Correct the typo first; otherwise, you will not be able to boot your system again.
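
The following POSIX shell functions are an added example (not from the original post) covering the two edits in (a) and (b): set_scheduler() only writes to the sysfs scheduler file when the requested scheduler is actually offered by the kernel and is not already active, instead of writing unconditionally from /etc/rc.local, and fstab_line_ok() rejects a malformed ext4 entry before it is written, which is the kind of typo the warning above is about. Paths are parameters, so the functions can be tried on copies; the file names and the list of accepted mount options are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: safety checks around the
# /sys/block/*/queue/scheduler and /etc/fstab edits described above.

# Print the scheduler currently active in a scheduler file such as
# /sys/block/sda/queue/scheduler (the kernel marks it with [ ]).
active_scheduler() {
    sed -n 's/.*\[\([a-z-]*\)\].*/\1/p' "$1"
}

# Succeed when scheduler $2 is one of the names listed in file $1.
scheduler_offered() {
    sed 's/[][]//g' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# Write scheduler $2 to file $1 only when it is offered and not yet active.
set_scheduler() {
    if ! scheduler_offered "$1" "$2"; then
        echo "$2 not offered by $1"
        return 1
    fi
    if [ "$(active_scheduler "$1")" = "$2" ]; then
        echo "$2 already active"
        return 0
    fi
    echo "$2" > "$1" && echo "switched to $2"
}

# Sanity-check one fstab line before it is written: six fields, an ext4
# entry, only mount options we recognise, and an fsck pass of 0-2.
fstab_line_ok() {
    set -- $1
    [ $# -eq 6 ] || { echo "expected 6 fields, got $#"; return 1; }
    [ "$3" = "ext4" ] || { echo "filesystem type $3 not checked"; return 1; }
    for opt in $(echo "$4" | tr ',' ' '); do
        case "$opt" in
            defaults|noatime|nodiratime|norelatime|relatime|discard|errors=remount-ro|errors=continue|errors=panic) ;;
            *) echo "unknown option: $opt"; return 1 ;;
        esac
    done
    case "$6" in
        0|1|2) ;;
        *) echo "bad fsck pass: $6"; return 1 ;;
    esac
    return 0
}
```

A typical use from /etc/rc.local is `set_scheduler /sys/block/sda/queue/scheduler deadline`, and before editing fstab: `fstab_line_ok "$line" && echo "$line" | sudo tee -a /etc/fstab`, followed by the `sudo mount -a` check above.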

(I) Optional

To further harden Ubuntu Server, you may consider setting up a firewall (UFW/iptables) and placing the Ubuntu Server behind a Unified Threat Management (UTM) system or an Intrusion Prevention System (IPS).

Reference
Qualys SSL Labs
High-Tech Bridge
securityheaders.io
URL Rewrite for Hiawatha

That's all! See you.


Monday, March 06, 2017

HOWTO : Install Go Language 1.8 on Ubuntu 16.04 LTS

The current Go version on Ubuntu 16.04 is 1.6. However, the official Go version is 1.8 as of this writing. We need to install the Gophers Ubuntu PPA to complete the task.

Step 1 :

sudo add-apt-repository ppa:gophers/archive
sudo apt-get update
sudo apt-get install golang-1.8


Step 2 :

The workspace is "go" in your home directory by default (such as /home/samiux/go).

nano ~/.profile

Append the following lines at the end of the file :

export PATH=$PATH:/usr/lib/go-1.8/bin

Step 3 :

Log out and re-login.

or

source ~/.profile

Step 4 :

To test if it is working properly :

go version
go env


Step 5 :

Make sure you create the following directories at the "go" workspace :

mkdir -p ~/go/bin
mkdir -p ~/go/src


You build your project, for example "erp", at "~/go/src/erp".

That's all! See you.


Wednesday, March 01, 2017

HOWTO : Watching China and Hong Kong Online TV on Ubuntu Desktop 16.04 LTS

Step 1 :

wget http://archive.getdeb.net/install_deb/getdeb-repository_0.1-1~getdeb1_all.deb
sudo dpkg -i getdeb-repository_0.1-1~getdeb1_all.deb

sudo apt-get update
sudo apt-get install youtube-dl


Step 2 :

sudo add-apt-repository ppa:djcj/vapoursynth
sudo apt-get update
sudo apt-get install mpv


(A1) Watch CCTV (China) [Most Updated Method]

If you select this method, you are NOT required to do the "Step 1" and "Step 2".

The "CNTVLive2 plugin for 64BitLinux v2.0.0.3" was updated on March 3, 2017 and solves the force-close problem. It plays CCTV Online TV smoothly. After the plugin is installed, you need to bypass the add-on signing requirement in the following way.

WARNING : After doing the following steps, you run the RISK of installing a malicious Firefox add-on by accident!

In the URL field of Firefox, type :

about:config

Look for the following and double-click it to set it to "false" :

xpinstall.signatures.required

Click on one of the following links to install the plugin when prompted.

CCTV Live Channel 1
CCTV Live Channel 2
CCTV Live Channel 3
CCTV Live Channel 4
CCTV Live Channel 5
CCTV Live Channel 6
CCTV Live Channel 7
CCTV Live Channel 8
CCTV Live Channel 9
CCTV Live Channel 10
CCTV Live Channel 11
CCTV Live Channel 12
CCTV Live Channel 13
CCTV Live Channel 14
CCTV Live Channel 15
CCTV Live Channel 5+

* make sure Flash is installed and enabled
* some channels are copyrighted and only play in the China region

(A2) Watch CCTV (China) [Outdated Method]

If you select this method, you need to do "Step 1" and "Step 2".

You need to install the Firefox add-on watch-with-mpv.

https://addons.mozilla.org/en-US/firefox/addon/watch-with-mpv/

CCTV Live Channel 1
CCTV Live Channel 2
CCTV Live Channel 3
CCTV Live Channel 4
CCTV Live Channel 5
CCTV Live Channel 6
CCTV Live Channel 7
CCTV Live Channel 8
CCTV Live Channel 9
CCTV Live Channel 10
CCTV Live Channel 11
CCTV Live Channel 12
CCTV Live Channel 13
CCTV Live Channel 14
CCTV Live Channel 15
CCTV Live Channel 5+

Optional settings :
Preferences -- Additional player parameters
--buffer-size 2048 --no-check-certificate --skip-unavailable-fragments --sleep-interval 0.05 --max-sleep-interval 0.5 --limit-rate 2M

* make sure Flash is installed and enabled
* some channels are copyrighted and only play in the China region

(B) Watch ViuTV (Hong Kong)

If you select this option, you need to do "Step 2" only.

nano viutv

Add the following content and save it.



To run :

./viutv

Enjoy!!!

That's all! See you.


Friday, February 10, 2017

HOWTO : Ajenti 1.x on Ubuntu Server 16.04 LTS

Ajenti is an admin control panel for your Linux server. However, Ajenti 2.x is buggy and it was not working properly when I tested it. Fortunately, Ajenti 1.x still works on Ubuntu 16.04 LTS even though its documentation is written for Ubuntu 12.04.

You can access your Linux server via web browser instead of SSH.

Step 1 :

wget http://repo.ajenti.org/debian/key -O- | sudo apt-key add -

Step 2 :

sudo touch /etc/apt/sources.list.d/ajenti.list
echo "deb http://repo.ajenti.org/ng/debian main main ubuntu" | sudo tee -a /etc/apt/sources.list.d/ajenti.list


Step 3 :

sudo apt-get update && sudo apt-get install ajenti

sudo systemctl restart ajenti

Step 4 :

To access Ajenti, open the browser and point it to your server IP. The username is "root" and the password is "admin".

https://[server_ip]:8000

That's all! See you.


Tuesday, February 07, 2017

HOWTO : Optimize Ubuntu 16.04 LTS and Kali Linux 2016.2 with jemalloc

jemalloc is a general-purpose malloc(3) implementation that emphasizes fragmentation avoidance and scalable concurrency support. It is the best allocator for a broad range of demanding applications, eliminating or mitigating weaknesses that have practical repercussions for real-world applications.

Step 1 :

Option 1 : Compile from source (latest version)

*** This option is not recommended for Ubuntu 16.04 LTS Desktop and Kali Linux 2016.2. On Ubuntu 16.04 LTS Desktop, Firefox crashes when 2 or more instances are opened. Meanwhile, Kali Linux 2016.2 requires redis-server, which uses the stock version of libjemalloc1 by default. redis-server on Ubuntu 16.04 also requires the stock version of libjemalloc1.

git clone https://github.com/jemalloc/jemalloc.git
cd jemalloc
./autogen.sh
make dist
make
sudo make install


The final files "libjemalloc.*" are located in "/usr/local/lib/". Note that the dynamic loader applies /etc/ld.so.preload to every dynamically linked program on the system, so the file must stay writable by root only and point at a library you trust.

sudo touch /etc/ld.so.preload

echo "/usr/local/lib/libjemalloc.so" | sudo tee --append /etc/ld.so.preload

Option 2 : Install package (usually older version)

This option is recommended for Ubuntu 16.04 LTS and Kali Linux 2016.2.

sudo apt-get install libjemalloc1 libjemalloc-dev

The final files "libjemalloc.*" are located at "/usr/lib/x86_64-linux-gnu/".

sudo touch /etc/ld.so.preload

echo "/usr/lib/x86_64-linux-gnu/libjemalloc.so" | sudo tee --append /etc/ld.so.preload

sudo ln -s /usr/lib/x86_64-linux-gnu/libjemalloc.so.1 /usr/lib/x86_64-linux-gnu/libjemalloc.so

Step 2 :

Reboot your box.

Step 3 :

To confirm it is running properly (for example, that Firefox is running with it) :

sudo lsof -E | grep libjemalloc | grep firefox

That's all! See you.


Thursday, January 26, 2017

HOWTO : Configure Network Interface For Better Performance on Ubuntu 16.04 LTS

Intel network interface cards are configurable. Some other brands can be configured too, but Realtek cannot.

(0) Install ethtool if it is not installed yet :

sudo apt-get install ethtool

(1) List the available network interfaces on your system :

ls /sys/class/net

enp1s0f0 enp1s0f1 enp7s0 enp8s0 lo

(2) To see whether the network interface can pause transmission when necessary, in order to prevent packet drops :

ethtool -a enp1s0f0

Pause parameters for enp1s0f0:
Autonegotiate: on
RX: on
TX: on


If the values are not "on", you can set them :

sudo ethtool -A enp1s0f0 rx on tx on

(3) To see whether the ring buffers are at their maximum values :

ethtool -g enp1s0f0

Ring parameters for enp1s0f0:
Pre-set maximums:
RX: 4096
RX Mini: 0
RX Jumbo: 0
TX: 4096
Current hardware settings:
RX: 4096
RX Mini: 0
RX Jumbo: 0
TX: 4096


If the current hardware settings are not at the pre-set maximums, you can set them :

sudo ethtool -G enp1s0f0 rx 4096 tx 4096

(4) If your network interface cannot be configured like Intel's, you may see the following result :

ls /sys/class/net

enp2s0 enp3s0 lo wlp4s0

ethtool -a enp2s0

Pause parameters for enp2s0:
Cannot get device pause settings: Operation not supported


(5) Finally, you can put those commands in /etc/rc.local and run the following command to activate the values :

sudo bash /etc/rc.local
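
The script below is an added example (not from the original post) that turns steps (1) to (5) into one rc.local-friendly script: it walks every interface in /sys/class/net, enables pause frames only where the driver supports them (the Realtek case in step (4) is skipped instead of failing), and raises the ring buffers only when the current values differ from the pre-set maximums. It parses the ethtool output formats shown above; the command name is taken from the ETHTOOL variable (an assumption of this example) so the parsers can be exercised on captured output without a NIC.

```shell
#!/bin/sh
# Added example, not from the original post: apply the pause and ring-buffer
# settings above to every interface, skipping NICs that do not support them
# and leaving values that are already at the maximum alone.
ETHTOOL=${ETHTOOL:-ethtool}

# Print "RX TX" from the "Pre-set maximums" part of `ethtool -g` text on stdin.
ring_max() {
    awk '/Pre-set maximums/ {m=1} /Current hardware/ {m=0}
         m && $1=="RX:" {rx=$2} m && $1=="TX:" {tx=$2}
         END {print rx, tx}'
}

# Print "RX TX" from the "Current hardware settings" part of the same text.
ring_current() {
    awk '/Current hardware/ {c=1}
         c && $1=="RX:" {rx=$2} c && $1=="TX:" {tx=$2}
         END {print rx, tx}'
}

# Succeed when `ethtool -a` text on stdin does not report "Operation not
# supported", i.e. the driver exposes pause-frame control.
pause_supported() {
    ! grep -q 'Operation not supported'
}

# Tune one interface and print the decision taken for it.
tune_iface() {
    ifc=$1
    if $ETHTOOL -a "$ifc" 2>&1 | pause_supported; then
        $ETHTOOL -A "$ifc" rx on tx on >/dev/null 2>&1 && echo "$ifc: pause frames enabled"
    else
        echo "$ifc: pause control not supported, skipped"
    fi
    g=$($ETHTOOL -g "$ifc" 2>&1)
    max=$(printf '%s\n' "$g" | ring_max)
    cur=$(printf '%s\n' "$g" | ring_current)
    case "$max" in
        *[0-9]*) ;;
        *) echo "$ifc: ring parameters not readable, skipped"; return 0 ;;
    esac
    if [ "$max" = "$cur" ]; then
        echo "$ifc: ring buffers already at maximum ($max)"
    else
        set -- $max
        $ETHTOOL -G "$ifc" rx "$1" tx "$2" && echo "$ifc: ring buffers set to rx $1 tx $2"
    fi
}

# Tune every interface except loopback; the -A and -G calls need root.
tune_all() {
    command -v "$ETHTOOL" >/dev/null 2>&1 || { echo "ethtool not installed"; return 1; }
    for p in /sys/class/net/*; do
        ifc=${p##*/}
        [ "$ifc" = lo ] && continue
        tune_iface "$ifc"
    done
}

# Run as "sudo sh nic-tune.sh apply" (for example from /etc/rc.local);
# without "apply" the file only defines the functions.
if [ "${1:-}" = "apply" ]; then tune_all; fi
```

Reading the maximums from the driver instead of hard-coding 4096 keeps the script correct on cards whose ring limit is smaller, and printing one line per interface gives you something to check in the boot log rather than silently ignored errors.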

That's all! See you.