mf

LACP on Windows

To create an LACP-bonded NIC team, use the following PowerShell command (elevated prompt):

New-NetLbfoTeam -Name "Team1" -TeamMembers "NIC1","NIC2" -TeamingMode LACP -LoadBalancingAlgorithm Dynamic

Remember to configure LACP on the switch ports too: with -TeamingMode LACP the team only becomes operational once the switch side negotiates the aggregation. Verify with Get-NetLbfoTeam and Get-NetLbfoTeamMember; the members should report an operational status of Active, otherwise the switch configuration is the first thing to check.
Reference: https://docs.microsoft.com/en-us/powershell/module/netlbfo/new-netlbfoteam?view=windowsserver2019-ps
general os windows

Extend APFS disk

If you need to extend your system disk (APFS container), type the following in Terminal. This works on a live, running system:

diskutil apfs resizeContainer disk0s2 0

disk0s2 is the usual identifier of the APFS container's physical store on a single-disk Mac; confirm it with diskutil list before running the command. A new size of 0 means "grow to use all available space".
apple

openssh

# see https://infosec.mozilla.org/guidelines/openssh.html
##########
cp /etc/ssh/moduli /etc/ssh/moduli.orig
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
sed -i -e 's/#HostKey/HostKey/g' /etc/ssh/sshd_config
sed -i -e 's/#PubkeyAuthentication/PubkeyAuthentication/g' /etc/ssh/sshd_config
sed -i -e 's/#LogLevel INFO/LogLevel VERBOSE/g' /etc/ssh/sshd_config
sed -i -e 's/#PrintLastLog yes/PrintLastLog yes/g' /etc/ssh/sshd_config
echo KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 >> /etc/ssh/sshd_config
echo Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr >> /etc/ssh/sshd_config
echo MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com...

The algorithm names are the "modern" lists from the Mozilla guideline linked above. Two things to check afterwards: the HostKey sed uncomments every HostKey line in the stock sshd_config (ecdsa, and dsa on older releases), whereas the guideline keeps only the ed25519 and RSA keys, so remove the ones you do not want; and run sshd -t (syntax) and sshd -T | grep -iE '^(kexalgorithms|ciphers|macs)' (effective values) before restarting sshd, keeping your current session open until a fresh login works.
general os
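The following is an added example, not code from the original page or from the Mozilla guideline it cites: it checks the KexAlgorithms, Ciphers and MACs lines of an sshd_config fragment for the algorithm families the hardening above is meant to remove, and reproduces the moduli pruning on sample data. The weak-algorithm patterns are the author's own deny-list (SHA-1 key exchange, CBC and RC4 ciphers, MD5, SHA-1 and 96-bit MACs); the two config fragments and the moduli lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page or the Mozilla guideline it cites:
# audit sshd_config algorithm lines and reproduce the moduli pruning step.
# Config fragments and moduli lines below are constructed, not taken from a host.

SAMPLE_SSHD_CONFIG='Port 22
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512'

WEAK_SSHD_CONFIG='KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
Ciphers aes128-cbc,3des-cbc,aes256-ctr
MACs hmac-md5,hmac-sha1,hmac-sha2-512'

# Print "Keyword algorithm" for every weak entry in the config text given as $1.
# Keywords are matched case-insensitively so that "sshd -T" output works as input too.
weak_algos() {
    printf '%s\n' "$1" | awk '
        { k = tolower($1) }
        k == "kexalgorithms" || k == "ciphers" || k == "macs" {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) {
                v = a[i]
                if (k == "kexalgorithms" && v ~ /(group1|group14|group-exchange)-sha1$/) print $1, v
                if (k == "ciphers"       && v ~ /(-cbc|arcfour)/)                        print $1, v
                if (k == "macs"          && v ~ /(md5|hmac-sha1|-96)/)                   print $1, v
            }
        }'
}

# Exit status 0 when no weak algorithm is configured, 1 otherwise.
audit_sshd_config() {
    [ -z "$(weak_algos "$1")" ]
}

# Same filter as the awk one-liner in the post: keep moduli whose size (field 5)
# is at least 3071 bits. $1 = contents of /etc/ssh/moduli.
prune_moduli() {
    printf '%s\n' "$1" | awk '$5 >= 3071'
}

# Constructed moduli lines: time type tests trials size generator modulus(hex).
SAMPLE_MODULI='20190409100000 2 6 100 2047 2 deadbeef
20190409100000 2 6 100 3071 2 cafebabe
20190409100000 2 6 100 4095 5 feedface'

if [ "${1:-}" = "--demo" ]; then
    echo "weak algorithms in WEAK_SSHD_CONFIG:"; weak_algos "$WEAK_SSHD_CONFIG"
    echo "moduli kept:"; prune_moduli "$SAMPLE_MODULI"
fi
```

On a real host, feed it the effective configuration rather than the file, e.g. weak_algos "$(sshd -T)", because sshd -T resolves defaults and Include files; the keyword matching is case-insensitive for that reason.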

exchange – server updates

Determine which .NET Framework versions are installed
https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed
The Release REG_DWORD value in the registry represents the version of .NET Framework installed:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full"

Exchange Server build numbers and release dates
https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019

Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion

MSXFAQ
https://www.msxfaq.de/exchange/update/servicepack2016.htm#exchange_2016_cu7

Exchange Server supportability matrix
https://docs.microsoft.com/de-at/Exchange/plan-and-deploy/supportability-matrix?view=exchserver-2016#microsoft-net-framework
-> Compare the installed Exchange version (from Get-ExchangeServer) with the .NET Framework versions the matrix lists as supported for it, and update .NET only to a version that both the current and the target CU support.

Upgrade paths for CUs &...
general mail

Windows-Updates using sconfig

For installing Windows updates on servers from the command line, here is a two-liner (run with elevated privileges 🙂):

cd C:\Windows\System32\de-DE
cscript.exe .\WUA_SearchDownloadInstall.vbs

de-DE is the locale folder of a German installation; on an English system the script lives in C:\Windows\System32\en-US. It is the same script that sconfig's "Download and Install Updates" option runs.

What I really like about this approach: you can select a single update package to install. As recommended by Microsoft, first install the servicing stack update (SSU): "Microsoft strongly recommends you always..."
general windows

percona mysqld

CentOS

yum install https://repo.percona.com/yum/percona-release-latest.noarch.rpm -y
percona-release setup ps80
yum install -y percona-server-server
cat > /root/.my.cnf << EOF
[client]
user=root
EOF
echo password=`grep password /var/log/mysqld.log|cut -d "@" -f 2-|cut -d " " -f2- ` >> /root/.my.cnf
mysql_secure_installation -p

The grep picks up the "A temporary password is generated for root@localhost: ..." line, which only exists after the server has been started once (systemctl start mysqld), so start it before this step. /root/.my.cnf then holds the root password in clear text: make sure it is mode 0600 (chmod 600 /root/.my.cnf) and update or remove it once mysql_secure_installation has changed the password.

Debian

wget https://repo.percona.com/apt/percona-release_latest.$(lsb_release -sc)_all.deb
dpkg -i percona-release_latest.$(lsb_release -sc)_all.deb
percona-release setup ps80
apt-get install percona-server-server -y
echo -> Add twice...
sql
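As an added example (not code from the original page or from Percona), the password extraction above done by taking the last field of the matching log line, which also copes with a temporary password containing "@", plus writing the credentials file with owner-only permissions. The log excerpt is constructed in the MySQL 8.0 error-log format; the target path is a parameter so the script runs offline (in production it would be /root/.my.cnf).

```shell
#!/bin/sh
# Added example, not from the original page or from Percona: extract the temporary
# root password from a constructed MySQL 8.0-style error log and write a client
# credentials file that only its owner can read.

SAMPLE_MYSQLD_LOG='2019-04-09T10:00:00.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.15-6) starting as process 1234
2019-04-09T10:00:01.000000Z 6 [Note] [MY-010454] [Server] A temporary password is generated for root@localhost: Abc!23#d)fgh
2019-04-09T10:00:02.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.'

# Print the temporary root password: the last field of the first matching line.
# $1 = error log contents.
temp_root_password() {
    printf '%s\n' "$1" | awk '/A temporary password is generated for root@localhost:/ { print $NF; exit }'
}

# Write a my.cnf-style [client] section. The password is double-quoted because an
# unquoted "#" in an option file starts a comment (a double quote inside the
# password would itself need a backslash). $1 = password, $2 = target file.
write_my_cnf() {
    umask 077                                  # new file is created 0600
    printf '[client]\nuser=root\npassword="%s"\n' "$1" > "$2"
    chmod 600 "$2"                             # also fix an existing file
}

if [ "${1:-}" = "--demo" ]; then
    pw="$(temp_root_password "$SAMPLE_MYSQLD_LOG")"
    write_my_cnf "$pw" "${2:-./my.cnf.example}"
    ls -l "${2:-./my.cnf.example}"
fi
```

Note that the sample password contains "#": with the unquoted password=... line the post's echo produces, MySQL would read the value only up to that character and the root login would fail.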

apache2buddy.pl

This is a nice check-and-recommend script for your Apache configuration. Download the current version of apache2buddy.pl from its GitHub repository and read the author's documentation. It has to run as root to read the Apache configuration and process memory usage, so review the script before running it on a production host.
http

ModSecurity

See the Wikipedia article: "ModSecurity, sometimes called Modsec, is an open-source web application firewall (WAF). Originally designed as a module for the Apache HTTP Server, it has evolved to provide an array of Hypertext Transfer Protocol request and response filtering capabilities along with other security features across a number of different platforms including Apache HTTP Server,..."
waf

apache headers

see https://securityheaders.com/?q=blog.fresel.at&hide=on&followRedirects=on

Strict-Transport-Security: max-age=15768000; preload
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src https: 'self' blog.fresel.at public-api.wordpress.com s0.wp.com s01.wp.com s2.wp.com; script-src 'self' 'unsafe-eval' c0.wp.com c01.wp.com s0.wp.com s1.wp.com s2.wp.com stats.wp.com blog.fresel.at 'unsafe-inline'; img-src * 'self' data:; style-src 'self' 'unsafe-inline' c0.wp.com c1.wp.com s0.wp.com s1.wp.com s2.wp.com fonts.googleapis.com; font-src 'self' 'unsafe-inline' data: fonts.gstatic.com c0.wp.com c1.wp.com s0.wp.com s1.wp.com
Referrer-Policy: same-origin
Feature-Policy: microphone 'none'; payment 'none';...

A few caveats on this set: script-src with both 'unsafe-inline' and 'unsafe-eval' (needed here for the WordPress.com scripts) lets injected inline scripts run, so the CSP does little against XSS; nonces or hashes are the way to drop 'unsafe-inline'. 'unsafe-inline' in font-src has no effect, since only script-src and style-src honour it. HSTS preload requires max-age of at least one year (31536000) plus includeSubDomains, so the preload token on this header is ignored by the preload list. X-XSS-Protection is deprecated and ignored by current browsers, and Feature-Policy has been renamed Permissions-Policy.
http
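As an added example (not code from the original page), a small linter for a Content-Security-Policy value like the one above. The findings are the author's rules of thumb for what makes a CSP ineffective against XSS, not a specification. SAMPLE_CSP is a shortened, constructed copy of the policy above with the same weak spots; CLEAN_CSP is a constructed counter-example that uses a nonce instead of 'unsafe-inline'.

```shell
#!/bin/sh
# Added example, not from the original page: lint a CSP header value.
# Both policies below are constructed for the example.

SAMPLE_CSP="default-src https: 'self'; script-src 'self' 'unsafe-eval' s0.wp.com 'unsafe-inline'; img-src * 'self' data:; font-src 'self' 'unsafe-inline' data:"
CLEAN_CSP="default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'none'; img-src 'self' data:"

# Print the source list of directive $2 in policy $1 (empty if absent).
csp_directive() {
    printf '%s\n' "$1" | tr ';' '\n' | awk -v d="$2" '
        { sub(/^[ \t]+/, "") }
        $1 == d { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Print one finding per line; exit status 0 when the policy passes every check.
csp_audit() {
    policy="$1"
    found=0
    script="$(csp_directive "$policy" script-src)"
    [ -n "$script" ] || script="$(csp_directive "$policy" default-src)"   # CSP fallback rule
    case " $script " in
        *" 'unsafe-inline' "*) echo "script-src allows 'unsafe-inline': injected inline scripts execute"; found=1 ;;
    esac
    case " $script " in
        *" 'unsafe-eval' "*) echo "script-src allows 'unsafe-eval': eval()/Function() on injected strings"; found=1 ;;
    esac
    case " $(csp_directive "$policy" img-src) " in
        *" * "*) echo "img-src allows any host (*): image requests can carry exfiltrated data"; found=1 ;;
    esac
    if [ -z "$(csp_directive "$policy" object-src)" ] && [ "$(csp_directive "$policy" default-src)" != "'none'" ]; then
        echo "object-src is not restricted: add object-src 'none'"; found=1
    fi
    if [ -z "$(csp_directive "$policy" base-uri)" ]; then
        echo "base-uri missing: an injected <base> tag can redirect relative script URLs"; found=1
    fi
    # 'unsafe-inline' only means something in script-src and style-src.
    misplaced="$(printf '%s\n' "$policy" | tr ';' '\n' | awk -v ui="'unsafe-inline'" '
        { sub(/^[ \t]+/, "") }
        $1 != "script-src" && $1 != "style-src" && index($0, ui) { print ui " in " $1 " has no effect there" }')"
    if [ -n "$misplaced" ]; then echo "$misplaced"; found=1; fi
    return $found
}

if [ "${1:-}" = "--demo" ]; then
    echo "SAMPLE_CSP:"; csp_audit "$SAMPLE_CSP" || true
    echo "CLEAN_CSP:";  csp_audit "$CLEAN_CSP" && echo "  no findings"
fi
```

The fallback handling matters in practice: a policy with no script-src at all is governed by default-src, so a default-src that contains 'unsafe-inline' is just as weak as a script-src that does.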

WP fail2ban

Install the WP fail2ban plugin, then:

echo "define('WP_FAIL2BAN_AUTH_LOG', LOG_AUTH);" >> /var/www/html/wordpress/wp-config.php
cp /var/www/html/wordpress/wp-content/plugins/wp-fail2ban/filters.d/wordpress-* /etc/fail2ban/filter.d/
cat > /etc/fail2ban/jail.d/wordpress.conf << EOF
[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath = /var/log/messages
maxretry = 1
port = http,https
bantime = 90

[wordpress-soft]
enabled = true
filter = wordpress-soft
logpath = /var/log/messages
maxretry = 3
port = http,https
bantime = 90
EOF
fail2ban-client reload

Put the define above the "That's all, stop editing!" line of wp-config.php rather than appending it after the wp-settings.php include, so it is set before the plugin loads. The LOG_AUTH facility lands in /var/log/messages on CentOS (only authpriv goes to /var/log/secure), which is why logpath points there; on other distributions check where auth.* is written.
centos http

BSI: TLS-Standards

Summary: use either TLS 1.2 or 1.3, and in either case use PFS (Perfect Forward Secrecy), i.e. only ephemeral (EC)DHE key exchange, never static RSA key transport.

BSI minimum standard pursuant to § 8 (1) sentence 1 BSIG for the use of Transport Layer Security (TLS), version 2.0, dated 09.04.2019: "This minimum standard contains minimum security requirements for the use of TLS in the federal administration. It sets requirements for ensuring confidentiality, authenticity..."
tls
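As an added example (not from the original page or from the BSI document), the PFS requirement in the summary above turned into a check: classify cipher suites by whether they use an ephemeral key exchange, and build a server cipher string from the forward-secret ones only. The rule applied is that every TLS 1.3 suite (TLS_AES_*, TLS_CHACHA20_*) uses (EC)DHE, while a TLS 1.2 suite only does when its OpenSSL name starts with ECDHE- or DHE-; static RSA key transport and static ECDH (ECDH-*) give no forward secrecy. The suite list is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page or the BSI document: forward-secrecy
# classification of TLS cipher suites (OpenSSL naming). The list is constructed.

SAMPLE_CIPHERS='TLS_AES_256_GCM_SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA
ECDH-RSA-AES128-SHA
RC4-SHA'

# Print "pfs" or "static" for a single suite name.
pfs_class() {
    case "$1" in
        TLS_AES_*|TLS_CHACHA20_*) echo pfs ;;     # TLS 1.3: always (EC)DHE
        ECDHE-*|DHE-*)            echo pfs ;;     # TLS 1.2 ephemeral key exchange
        *)                        echo static ;;  # RSA key transport, static ECDH, ...
    esac
}

# Print only the forward-secret suites of a newline-separated list, keeping order.
pfs_only() {
    printf '%s\n' "$1" | while IFS= read -r suite; do
        if [ -n "$suite" ] && [ "$(pfs_class "$suite")" = pfs ]; then
            printf '%s\n' "$suite"
        fi
    done
}

# Colon-separated TLS 1.2 list for Apache's SSLCipherSuite. TLS 1.3 suites are
# left out because OpenSSL configures them through a separate ciphersuites list.
pfs_cipher_string() {
    pfs_only "$1" | grep -v '^TLS_' | tr '\n' ':' | sed 's/:$//'
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CIPHERS" | while IFS= read -r s; do
        printf '%-32s %s\n' "$s" "$(pfs_class "$s")"
    done
    echo "SSLCipherSuite $(pfs_cipher_string "$SAMPLE_CIPHERS")"
fi
```

To apply this to a real server, feed it the suites the server actually offers (for example the output of a scanner, or openssl ciphers -v on the configured string) rather than a hand-written list.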

TLS 1.0/1.1 EOL in 2020

Apple
"Therefore, we are deprecating support for TLS 1.0 and 1.1. Complete support will be removed from Safari in updates to Apple iOS and macOS beginning in March 2020."
https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/

Google
"TLS 1.0 and 1.1 will be disabled altogether in Chrome 81. This will affect users on early release channels starting January 2020."
https://security.googleblog.com/2018/10/modernizing-transport-security.html

Microsoft
"Today, we're announcing our..."
tls

certbot – debian

The commands below are for CentOS (yum, firewalld) despite the title.

yum install httpd mod_ssl python-certbot-apache -y
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
systemctl restart firewalld
systemctl enable httpd

cat > /etc/letsencrypt/cli.ini << EOF
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
email = letsencrypt@DOMAIN
domains = blog.DOMAIN
must-staple = True
staple-ocsp = True
agree-tos = True
debug = True
EOF
certbot certonly --apache --config /etc/letsencrypt/cli.ini

/etc/letsencrypt/options-ssl-apache.conf
SSLEngine on
SSLHonorCipherOrder on...

must-staple = True puts the TLS Feature (status_request) extension into the certificate, so clients that honour it refuse the connection when Apache does not send a stapled OCSP response. Before serving such a certificate, check that the vhost has SSLUseStapling on with an SSLStaplingCache configured, and test with openssl s_client -status against the host.
http tls

defaults

usermod -p '!' root
yum clean all
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y
yum install fail2ban -y
systemctl enable firewalld
systemctl restart firewalld
cat > /etc/fail2ban/jail.d/sshd.local << EOF
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 1
bantime = 90
EOF
...

usermod -p '!' root locks root's password (the hash field becomes "!"), so make sure a sudo-capable user or key-based root login already works before running it; the quotes keep an interactive bash from treating "!" as history expansion. With maxretry = 1 a single failed SSH login bans the source for 90 seconds, which also hits you after one typo.
centos
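The following is an added example, not code from the original page or from the fail2ban or wp-fail2ban projects, and it serves both fail2ban snippets on this page (the WP fail2ban jails above and the sshd jail in this "defaults" section): a dry run of the maxretry logic over constructed log lines, showing which source IPs the sshd jail (maxretry = 1) and the wordpress-soft jail (maxretry = 3) would ban. The match patterns are the author's simplifications of the real failregex lines, and the log lines are constructed in the style of /var/log/secure and the plugin's syslog output, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the original page, fail2ban or wp-fail2ban: dry-run the
# maxretry logic of the two jails over constructed log lines.

SAMPLE_SSHD_LOG='Apr  9 10:00:01 web1 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 52110 ssh2
Apr  9 10:00:03 web1 sshd[1002]: Accepted publickey for deploy from 198.51.100.7 port 52120 ssh2
Apr  9 10:00:05 web1 sshd[1003]: Failed password for root from 203.0.113.9 port 52130 ssh2'

SAMPLE_WP_LOG='Apr  9 10:01:00 web1 wordpress(blog.example)[2001]: Authentication failure for admin from 203.0.113.77
Apr  9 10:01:02 web1 wordpress(blog.example)[2001]: Authentication failure for admin from 203.0.113.77
Apr  9 10:01:04 web1 wordpress(blog.example)[2001]: Authentication failure for editor from 198.51.100.7
Apr  9 10:01:06 web1 wordpress(blog.example)[2001]: Authentication failure for admin from 203.0.113.77
Apr  9 10:01:08 web1 wordpress(blog.example)[2001]: Accepted password for editor from 198.51.100.7'

# Count matching lines per source IP (the word after "from") and print, sorted,
# every IP that reached maxretry. $1 = log text, $2 = awk regex, $3 = maxretry.
# Like fail2ban without findtime: all failures count, however far apart.
ips_to_ban() {
    printf '%s\n' "$1" | awk -v pat="$2" -v maxretry="$3" '
        $0 ~ pat {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= maxretry) print ip }' | sort
}

sshd_bans()      { ips_to_ban "$1" "sshd.*Failed password for" 1; }
wordpress_bans() { ips_to_ban "$1" "wordpress.*Authentication failure for" 3; }

if [ "${1:-}" = "--demo" ]; then
    echo "sshd jail (maxretry 1) would ban:";           sshd_bans "$SAMPLE_SSHD_LOG"
    echo "wordpress-soft jail (maxretry 3) would ban:"; wordpress_bans "$SAMPLE_WP_LOG"
fi
```

For the real filters, the equivalent check is fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/wordpress-soft.conf, which reports how many lines each failregex matched before you enable the jail.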

apache compression

<IfModule mod_gzip.c>
  mod_gzip_on Yes
  mod_gzip_dechunk Yes
  mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
  mod_gzip_item_include handler ^cgi-script$
  mod_gzip_item_include mime ^text/.*
  mod_gzip_item_include mime ^application/x-javascript.*
  mod_gzip_item_include mime ^application/font*
  mod_gzip_item_exclude mime ^image/.*
  mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>

<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/xml
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType...

Compressing HTTPS responses that contain both a secret (CSRF token, session identifier) and attacker-controlled input reflected into the page exposes the secret to the BREACH attack through the compressed size. Keep compression for static assets and exclude such dynamic pages, or mask the tokens per request.
http tls