Tuesday, September 24, 2019

Email Spam and Virus Filters

Note: Installation performed on a VPS KVM server
Helpful websites: Postfix Amavis New Mail Filtering (Ubuntu community documentation), and an excellent article on spam filtering using postfix.

Install mail filtering programs and utilities


$ sudo apt install amavisd-new spamassassin clamav-daemon
$ sudo apt-get install libnet-dns-perl libmail-spf-perl pyzor razor
$ sudo apt-get install arj bzip2 cabextract cpio file gzip lhasa liblz4-tool lrzip nomarch pax rar ripole rpm unrar-free lzop unzip zip
Cross-add clamav and amavis to each other's group, so clamd can read the files amavis unpacks in its temporary directory and amavis can reach the clamd socket:
$ sudo adduser clamav amavis
$ sudo adduser amavis clamav
Amavis loads the SpamAssassin Perl modules inside its own process, so spamd does not need to run and nothing in /etc/spamassassin needs configuring; the rule set it uses is still the one sa-update maintains.

Enable pyzor and razor. Razor needs a per-user identity, which must be created as the amavis user because that is the account amavisd runs the checks under; pyzor needs no registration step.
$ sudo su amavis -s /bin/bash
$ razor-admin -create
$ razor-admin -register
$ exit
Activate spam and antivirus detection in Amavis. Edit /etc/amavis/conf.d/15-content_filter_mode
$ sudo nano /etc/amavis/conf.d/15-content_filter_mode
Uncomment the two @bypass_virus_checks_maps and @bypass_spam_checks_maps assignments so the file reads as follows:
use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Uncomment the two lines below to enable it
#

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);


#
# Default SPAM checking mode
# Uncomment the two lines below to enable it
#

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # insure a defined return
To tell amavis which recipient domains are local (mail to these addresses is treated as inbound and gets the spam headers), edit the following
$ sudo nano /etc/amavis/conf.d/50-user
Edit as follows
$myhostname = 'your-mail-server-domain.com';
@local_domains_acl = ( "your-domain.com", "your-domain.org" );
or configure last line above this way
@local_domains_acl = qw(.);
Restart amavis service
$ sudo systemctl restart amavis

Postfix integration


Run the following command
$ sudo postconf -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'
Edit postfix master.cf
$ sudo nano /etc/postfix/master.cf
Add the following to the end of file
smtp-amavis     unix    -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
Also add the following two lines to /etc/postfix/master.cf immediately after the pickup service entry, so that mail submitted locally (sendmail, cron output, and the notifications amavis itself generates) is not sent back through the filter:
  -o content_filter=
  -o receive_override_options=no_header_body_checks
Restart postfix service
$ sudo systemctl restart postfix

Testing


Test that amavisd-new is listening
$ telnet localhost 10024
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
^]
telnet> quit
Review incoming email headers for the presence of X-Virus-Scanned and X-Spam-Status entries.

Get the build date of the clamav virus definitions clamd has loaded. The header line of the database file is ClamAV-VDB:<build date>:<version>:..., so take the second colon-separated field (cut -c1-2 would only print "Cl"). Depending on how freshclam last ran you may have daily.cvd instead of daily.cld, so check which file exists.
$ strings /var/lib/clamav/daily.cld | head -1 | cut -d: -f2
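As an added example that is not part of the original post, the following bash script packages the checks above so they can be run from a shell on the mail host: it generates the EICAR and GTUBE test strings (the standard, harmless samples every virus scanner and SpamAssassin must flag), builds a GTUBE message to feed to sendmail, inspects a delivered message for the X-Virus-Scanned and X-Spam-Status headers, and reads the build date out of the clamav database header. The sample message and database header written by the write_sample_* helpers are constructed data, not captured from a real server; the header names are the ones amavis adds by default.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: offline checks for the
# amavis / clamav / SpamAssassin chain configured above. The message and the
# database header written by the write_sample_* helpers are constructed
# sample data, not captured from a real server.

# EICAR test string. Every scanner, clamav included, must detect it, so it
# proves the virus path end to end without handling real malware.
eicar_string() {
  printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# GTUBE, the SpamAssassin equivalent: always scored far above the threshold.
gtube_string() {
  printf '%s' 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'
}

# Minimal RFC 5322 message carrying GTUBE. On the mail host run
#   gtube_message you@your-domain.com | sendmail -t
# and the copy that reaches the mailbox should carry "X-Spam-Status: Yes"
# (or be quarantined, depending on amavis' final_spam_destiny setting).
gtube_message() {    # $1 = recipient
  printf 'From: filter-test@localhost\nTo: %s\nSubject: GTUBE filter test\n\n%s\n' \
    "$1" "$(gtube_string)"
}

# Header block of a stored message: everything up to the first blank line.
message_headers() {  # $1 = message file
  sed '/^$/q' "$1"
}

# Succeed only if amavis added both filter headers. A message that reaches
# the mailbox without them bypassed the content filter, for example because
# it came in through a transport with content_filter= unset.
check_filter_headers() {  # $1 = message file
  local hdr virus spam
  hdr=$(message_headers "$1")
  virus=$(printf '%s\n' "$hdr" | grep -ci '^X-Virus-Scanned:' || true)
  spam=$(printf '%s\n' "$hdr" | grep -ci '^X-Spam-Status:' || true)
  [ "$virus" -gt 0 ] && [ "$spam" -gt 0 ]
}

# Score amavis recorded in X-Spam-Status (empty if the header is missing).
spam_score() {       # $1 = message file
  message_headers "$1" | grep -i '^X-Spam-Status:' \
    | sed -n 's/.*score=\([-0-9.]*\).*/\1/p' | head -n 1
}

# Build date of the signature database clamd loaded. The .cld/.cvd header
# line is "ClamAV-VDB:<build date>:<version>:...", so take the second
# colon-separated field (cut -c1-2, as in the post, only returns "Cl").
clamav_db_date() {   # $1 = /var/lib/clamav/daily.cld or daily.cvd
  head -c 512 "$1" | tr -d '\0' | head -n 1 | cut -d: -f2
}

# Constructed sample data for trying the checks offline.
write_sample_message() {   # $1 = output file
  cat > "$1" <<'EOF'
Return-Path: <filter-test@localhost>
X-Virus-Scanned: Debian amavisd-new at your-domain.com
X-Spam-Flag: YES
X-Spam-Score: 999.0
X-Spam-Status: Yes, score=999.0 tagged_above=-999 required=6.2 tests=[GTUBE=1000]
From: filter-test@localhost
To: you@your-domain.com
Subject: GTUBE filter test

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
EOF
}
write_sample_clamav_db() {  # $1 = output file (fake header line only)
  printf 'ClamAV-VDB:24 Sep 2019 08-41 -0400:25574:2180832:63:X:X:raynman:1569328860\n' > "$1"
}

# Demo run on the sample data.
demo_msg=$(mktemp); demo_db=$(mktemp)
write_sample_message "$demo_msg"; write_sample_clamav_db "$demo_db"
if check_filter_headers "$demo_msg"; then
  echo "filtered: spam score $(spam_score "$demo_msg")"
else
  echo "WARNING: message was not scanned by amavis"
fi
echo "clamav signatures built: $(clamav_db_date "$demo_db")"
rm -f "$demo_msg" "$demo_db"
```

Run the script as-is to see it work on the sample data; on the real host, pipe gtube_message into sendmail -t and then point check_filter_headers at the delivered file under ~/Maildir/new/ to confirm that mail really passes through amavis rather than around it.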

Website Security with fresh Ubuntu 18.04 install

Note: Installation performed on a VPS KVM server


First update and upgrade

# apt update
# apt upgrade

Update Firewall (ufw)


Allow SSH first, then enable the firewall. ufw denies incoming traffic by default, so enabling it before port 22 is allowed can lock you out of the SSH session you are working from.

# ufw allow 22
# ufw enable
Verify firewall is active
# ufw status verbose
Configure firewall to allow the following additional ports:

  • 80
  • 443
  • 8080 (only while testing Apache directly; once nginx is proxying to it, close this port again so nothing can reach the backend without going through the proxy and its TLS)
Allow access to port 3389 (RDP) from your own ip address only, never from Anywhere:
# ufw allow from ###.###.###.### to any port 3389
Recheck ufw status
# ufw status verbose
The results should be similar to the following:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
8080                       ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
3389                       ALLOW IN    ###.###.###.###
22 (v6)                    ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
8080 (v6)                  ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)

Set up user

Add a user

# adduser example_user

Add to sudo group (if new user needs root privileges)

# adduser example_user sudo
Exit then log-in with new credentials.

Secure SSH Log-in Using PuTTY

Make sure ssh is allowed through the firewall (this is the same rule as port 22 in the firewall section; repeating it is harmless)

$ sudo ufw allow ssh

Configure the server


Backup the sshd_config file
$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Edit the sshd_config file
$ sudo nano /etc/ssh/sshd_config
Uncomment the following lines (remove the leading #):

Port 22
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2

Generate keys with PuTTYgen

  1. Go to Windows Start menu → All Programs → PuTTY → PuTTYgen
  2. Generate a public/private key pair
    • Parameters (use defaults)
      • Type of key: RSA
      • bits: 2048 (the minimum worth using; recent PuTTYgen versions also offer Ed25519, which is a good choice since the OpenSSH in 18.04 supports it)
    • click Generate
      • PuTTYgen uses mouse movements for randomness
      • When key generation is complete enter a passphrase
      • Save public key
      • Save private key
  3. Install public key on server
    • In the user's home directory create the .ssh folder, with mode 700 (sshd's StrictModes refuses to use keys in a directory that others can write to):
      • $ mkdir ~/.ssh
    • Create a new file as follows:
      • $ nano ~/.ssh/authorized_keys
    • Copy/paste the public key created in step 2 into the new file, taking it from the "Public key for pasting into OpenSSH authorized_keys file" box in PuTTYgen; the .pub file PuTTYgen saves is in a multi-line SSH2 format that OpenSSH will not accept here. The key must be all on one line.
    • Save the file, with mode 600 for the same reason as the directory.
  4. Exit

Disable "root" user


Edit the sshd_config file
$ sudo nano /etc/ssh/sshd_config
For security purposes, change PermitRootLogin to no. Once you have confirmed that key-based login works, also set PasswordAuthentication no so that password guessing against port 22 is impossible. Save the file and restart the ssh service (or reboot), keeping your current session open until a new PuTTY session has logged in successfully.
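The sshd and authorized_keys steps above, collected into a script as an added example (not code from the original post). It assumes bash with the usual coreutils, sed and awk; the sshd_config fragment it writes is a constructed excerpt of the stock 18.04 file, and the hardening function also turns off password authentication, which the post leaves enabled.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: apply the sshd settings from
# this section idempotently and install a PuTTYgen public key with the
# permissions sshd's StrictModes expects. Every path is a parameter, so the
# functions can be tried on a copy of sshd_config before touching the real one.

# Set KEY to VALUE in an sshd_config-style file. sshd honours the first
# occurrence of an option, and options placed after a "Match" block apply only
# to that block, so a new option goes at the top of the file, never the end.
set_sshd_option() {   # $1 = file, $2 = key, $3 = value
  local file="$1" key="$2" value="$3" tmp
  tmp=$(mktemp)
  if grep -Eq "^[[:space:]]*#*[[:space:]]*${key}[[:space:]]" "$file"; then
    # Rewrite every existing occurrence, commented out or not, then keep only the first.
    sed -E "s|^[[:space:]]*#*[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file" \
      | awk -v k="$key" '$1 == k { if (seen++) next } { print }' > "$tmp"
  else
    { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp"
  fi
  cat "$tmp" > "$file"     # keeps the original file's owner and mode
  rm -f "$tmp"
}

# Value of the first active (uncommented) occurrence of KEY, if any.
sshd_option_value() {  # $1 = file, $2 = key
  awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# The settings this section uncomments, plus the two to apply once key login
# is confirmed working: no root login and no password authentication at all.
harden_sshd_config() {  # $1 = sshd_config path
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" AuthorizedKeysFile ".ssh/authorized_keys .ssh/authorized_keys2"
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" ChallengeResponseAuthentication no
}

# Install one public-key line for the account whose home directory is $1.
# The line must be the single-line OpenSSH form from PuTTYgen's "Public key
# for pasting into OpenSSH authorized_keys file" box; the multi-line .pub
# file PuTTYgen saves is a different format and is rejected here.
install_authorized_key() {  # $1 = home dir, $2 = key line
  local home="$1" key="$2" file
  case "$key" in
    "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
    *) echo "not an OpenSSH public key line: ${key%% *}" >&2; return 1 ;;
  esac
  file="$home/.ssh/authorized_keys"
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
  touch "$file" && chmod 600 "$file"     # StrictModes rejects looser modes
  grep -qxF "$key" "$file" || printf '%s\n' "$key" >> "$file"
}

# Constructed fragment of a stock Ubuntu 18.04 sshd_config for trying this out.
write_sample_sshd_config() {  # $1 = output file
  cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
}

# Demo on a throw-away copy. On the real file follow with "sshd -t" and a
# restart of the ssh service while keeping the current session open.
demo_cfg=$(mktemp)
write_sample_sshd_config "$demo_cfg"
harden_sshd_config "$demo_cfg"
cat "$demo_cfg"
rm -f "$demo_cfg"
```

Because options are inserted at the top rather than appended, the result is correct even when the distribution file ends in a Match block, and running harden_sshd_config twice leaves exactly one line per option.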

Monday, September 23, 2019

Ubuntu 18.04 email using postfix, dovecot, and opendkim


Most of these steps were taken from linuxbabe.com and modified for my purposes.  If you want more insight visit her website.

The following assumes you have already set up your webserver with apache2 and/or nginx, and secured the website with a Let's Encrypt certificate.

Email

Hostname


You can change your host name.  If you're using  this server as your mail server you might want to use a FQDN like mail.your-domain.com.  I used my domain name without the domain suffix.
$ sudo hostnamectl set-hostname your-domain
To verify the change, log in again and run the following
$ hostname -f


DNS


If you're using a mail server, set DNS records like the following:
Name: @; Type: MX; Content: mail.your-domain.com
Name: mail.your-domain.com; Type: A; Content: your-ip
Also have your VPS host set the reverse (PTR) record for your-ip to mail.your-domain.com; many receiving servers reject or junk mail from a host whose reverse DNS does not match the name it announces.
Install and configure postfix
$ sudo apt update
$ sudo apt install postfix -y
You will be prompted to answer some questions.
Type:  Internet Site 
System mail name: your-domain.com
Configure postfix.  Review the postfix main config file.
$ sudo nano /etc/postfix/main.cf
Review the following and edit as needed. Values are one per line with no trailing semicolon; Postfix would treat a ";" as part of the value.
myhostname = your-domain.com
mydomain = your-domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $mydomain, localhost.$mydomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
Anything listed in mynetworks may relay mail through this server without authenticating, so list only networks you control. On a VPS that is normally just the loopback addresses; drop the 192.168.0.0/24 entry unless you really have such a LAN behind the host.
Open the postfix master config file.
$ sudo nano /etc/postfix/master.cf
Add the submission section to the end of the file
submission     inet     n    -    y    -    -    smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_tls_wrappermode=no
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_sasl_type=dovecot
 -o smtpd_sasl_path=private/auth
More edits to the postfix main config file.
$ sudo nano /etc/postfix/main.cf
Add the following to the end of the file. The certificate paths assume a Let's Encrypt certificate that covers mail.your-domain.com, the name clients and other mail servers connect to; if the certificate issued for the website only covers your-domain.com and www, issue one for the mail name as well (or point these two lines at the lineage you actually have).
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.your-domain.com/privkey.pem
smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_protocols only governs opportunistic TLS on port 25. The submission service uses mandatory TLS (encrypt), which is governed by smtpd_tls_mandatory_protocols, so give that parameter the same value if you want the old protocols refused there too.

Restart postfix service.
$ sudo systemctl restart postfix

Install and configure dovecot


$ sudo apt install dovecot-core dovecot-imapd
Edit the main dovecot config file.
$ sudo nano /etc/dovecot/dovecot.conf
Add the following to enable imap
protocols = imap
Configure authentication.
$ sudo nano /etc/dovecot/conf.d/10-auth.conf
Uncomment this line to disable plaintext authentication when there’s no SSL/TLS encryption.
disable_plaintext_auth = yes
Configure TLS.
$ sudo nano /etc/dovecot/conf.d/10-ssl.conf
Edit file to require SSL
ssl = required
Provide your SSL certificate addresses.
ssl_cert = </etc/letsencrypt/live/mail.your-domain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.your-domain.com/privkey.pem
SASL Authentication Between Postfix and Dovecot
$ sudo nano /etc/dovecot/conf.d/10-master.conf
Change service auth section.
service auth {
    unix_listener /var/spool/postfix/private/auth {
      mode = 0660
      user = postfix
      group = postfix
    }
}
Auto create folders
$ sudo nano /etc/dovecot/conf.d/15-mailboxes.conf
Add auto = create to folders as you see fit. Example:
mailbox Trash {
    auto = create
    special_use = \Trash
 }
Tell Dovecot to use Maildir, matching home_mailbox = Maildir/ in the postfix configuration.
$ sudo nano /etc/dovecot/conf.d/10-mail.conf
Set mail_location in that file to maildir:~/Maildir. The Maildir directory under each user's home is created by Postfix on first delivery.
Restart services.
$ sudo systemctl restart dovecot
$ sudo systemctl restart postfix

Sender Policy Framework - SPF


Add a DNS record for SPF.
Name: @; Type: TXT; Content: v=spf1 mx ~all
This authorizes the hosts named in your MX records to send mail for the domain and asks receivers to soft-fail (~all) everything else; switch to -all (hard fail) once you are sure no other host sends mail as your domain.
To have Postfix check SPF on incoming mail, install the policy daemon:
$ sudo apt install postfix-policyd-spf-python
Configure.
$ sudo nano /etc/postfix/master.cf
Add to the end of file.
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf
Save, then open the main config file.
$ sudo nano /etc/postfix/main.cf
Add to the end of file. check_policy_service comes after reject_unauth_destination so the policy daemon only sees mail for domains you actually accept, and the submission service keeps its own restrictions from master.cf, so authenticated clients are not SPF-checked.
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_policy_service unix:private/policyd-spf
Save file then restart postfix service
$ sudo systemctl restart postfix

DKIM


Install opendkim.
$ sudo apt install opendkim opendkim-tools
Add postfix to opendkim user group.
$ sudo gpasswd -a postfix opendkim
Configure.
$ sudo nano /etc/opendkim.conf
Uncomment the following lines. Replace simple with relaxed/simple.
Canonicalization   relaxed/simple
Mode               sv
SubDomains         no
Add the following after Subdomains no.
AutoRestart         yes
AutoRestartRate     10/1M
Background          yes
DNSTimeout          5
SignatureAlgorithm  rsa-sha256
Add the following to the end of file. Ubuntu may already include the first section for UserID.
#OpenDKIM user
# Remember to add user postfix to group opendkim
UserID             opendkim

# Map domains in From addresses to keys used to sign messages
KeyTable           refile:/etc/opendkim/key.table
SigningTable       refile:/etc/opendkim/signing.table

# Hosts to ignore when verifying signatures
ExternalIgnoreList  /etc/opendkim/trusted.hosts

# A set of internal hosts whose mail should be signed
InternalHosts       /etc/opendkim/trusted.hosts
Save and close file.

Create Signing Table, Key Table and Trusted Hosts Files


Create directory structure.
$ sudo mkdir /etc/opendkim
$ sudo mkdir /etc/opendkim/keys
Change ownership and permissions.
$ sudo chown -R opendkim:opendkim /etc/opendkim
$ sudo chmod go-rw /etc/opendkim/keys
Create signing table.
$ sudo nano /etc/opendkim/signing.table
Add the following line.
*@your-domain.com    default._domainkey.your-domain.com
Save and close.  Create key table.
$ sudo nano /etc/opendkim/key.table
Add the following line (a file entry, not a shell command).
default._domainkey.your-domain.com     your-domain.com:default:/etc/opendkim/keys/your-domain.com/default.private
Save and close.  Create trusted hosts file
$ sudo nano /etc/opendkim/trusted.hosts
Add the following lines.
127.0.0.1
localhost

*.your-domain.com
Create file structure.
$ sudo mkdir /etc/opendkim/keys/your-domain.com
Generate keys.
$ sudo opendkim-genkey -b 2048 -d your-domain.com -D /etc/opendkim/keys/your-domain.com -s default -v
Change ownership of private key.
$ sudo chown opendkim:opendkim /etc/opendkim/keys/your-domain.com/default.private
Add the public key to your DNS records. Get the key
$ sudo cat /etc/opendkim/keys/your-domain.com/default.txt
The file shows the record split into several quoted strings, because a 2048-bit key does not fit in one 255-byte TXT string. Join everything inside the quotes into one string with nothing between the pieces; the part after p= is the key. Add the DNS record:
Name: default._domainkey.your-domain.com; Type: TXT; Content: v=DKIM1; k=rsa; p=KEYSTRINGHERE
Test.
$ sudo opendkim-testkey -d your-domain.com -s default -vvv
If the setup is good the response should be key OK .

Connect opendkim to postfix


Create directory structure.
$ sudo mkdir /var/spool/postfix/opendkim
$ sudo chown opendkim:postfix /var/spool/postfix/opendkim
Open conf file.
$ sudo nano /etc/opendkim.conf
Find this line.
Socket                  local:/var/run/opendkim/opendkim.sock
Replace with this.
Socket                local:/var/spool/postfix/opendkim/opendkim.sock
Save and close file. Open postfix main config file.
$ sudo nano /etc/postfix/main.cf
Add the following after smtpd_recipient_restrictions. With milter_default_action = accept, Postfix still delivers mail if opendkim is unreachable (outbound mail then leaves unsigned), so check the mail log if signatures stop appearing.
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
Save and close the file then restart opendkim and postfix.
$ sudo systemctl restart opendkim
$ sudo systemctl restart postfix
Check your SPF and DKIM set-up by sending an email to the following address.
[email protected]
You should get a response indicating whether your setup has passed the checks.

DMARC


Set up a DMARC record in your DNS table similar to the following.
Name: _dmarc.your-domain.com; Type: TXT; Content: v=DMARC1; p=none; pct=100; fo=1; rua=mailto:[email protected]
The parameters are as follows:
v - DMARC version
p - policy: what receivers should do with mail that fails the DMARC check (none, quarantine or reject). p=none is monitoring only; once the aggregate reports show your own mail passing, move to quarantine and then reject, otherwise the record does nothing to stop spoofing of your domain.
pct - the percentage of failing mail the policy is applied to
fo - failure report options:
     0 (default): generate a report only if all underlying authentication mechanisms fail to produce a DMARC pass
     1: generate a report if any mechanism fails
     d: generate a report if the DKIM signature failed to verify
     s: generate a report if SPF failed
rua - the address aggregate reports are sent to
Check your dmarc set-up as follows
$ dig txt +short _dmarc.your-domain.com
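An added example (not part of the original post) for the DNS side of the DKIM and DMARC sections: joining the split TXT value in default.txt into the single string a DNS control panel expects, and checking a DMARC record's policy. The default.txt written by write_sample_dkim_txt is constructed with a dummy key, the rua address used in the demo is assumed, and live_txt_record needs dig and network access, so it is the only function not exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: assemble the DKIM TXT value
# from opendkim-genkey's default.txt and sanity-check a DMARC record. The
# default.txt content written below is constructed, with a truncated dummy key.

# opendkim-genkey writes the record as several quoted strings, because a
# 2048-bit key does not fit in one 255-byte TXT string. DNS providers that
# take a single value need them joined with nothing in between.
dkim_record_value() {   # $1 = default.txt
  grep -o '"[^"]*"' "$1" | tr -d '"\n'
  echo
}

# Just the base64 public key (the p= tag) from that record.
dkim_public_key() {     # $1 = default.txt
  dkim_record_value "$1" | sed -n 's/.*p=\([^;]*\).*/\1/p'
}

# Fetch a TXT record and re-join its quoted chunks. dig +short prints them
# as "chunk1" "chunk2"; stripping only the quotes would leave a space inside
# the key. Needs dig and network access, so it is not exercised offline.
live_txt_record() {     # $1 = DNS name
  dig +short TXT "$1" | sed 's/" "//g; s/"//g' | head -n 1
}

# Value of one tag (p, pct, rua, fo ...) from a DMARC record string.
dmarc_tag() {           # $1 = record, $2 = tag
  printf '%s\n' "$1" | tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | awk -F= -v t="$2" '$1 == t { sub(/^[^=]*=/, ""); print; exit }'
}

# Succeed only if the record is a DMARC1 record whose policy actually blocks
# spoofed mail; p=none is monitoring only and protects nothing.
dmarc_policy_enforcing() {  # $1 = record
  [ "$(dmarc_tag "$1" v)" = "DMARC1" ] || return 1
  case "$(dmarc_tag "$1" p)" in
    quarantine|reject) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed default.txt in the layout "opendkim-genkey -s default" produces
# (the key material here is a dummy, not a real key).
write_sample_dkim_txt() {   # $1 = output file
  cat > "$1" <<'EOF'
default._domainkey  IN  TXT  ( "v=DKIM1; h=sha256; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEADUMMYKEYDUMMYKEYDUMMYKEY"
    "DUMMYKEYDUMMYKEYIDAQAB" )  ; ----- DKIM key default for your-domain.com
EOF
}

# Demo on the sample file and on the record shape used in the DMARC section
# (the rua address is an assumed placeholder).
demo_txt=$(mktemp); write_sample_dkim_txt "$demo_txt"
echo "DKIM TXT value: $(dkim_record_value "$demo_txt")"
rm -f "$demo_txt"
demo_rec='v=DMARC1; p=none; pct=100; fo=1; rua=mailto:dmarc@your-domain.com'
if dmarc_policy_enforcing "$demo_rec"; then
  echo "DMARC policy enforcing: p=$(dmarc_tag "$demo_rec" p)"
else
  echo "DMARC policy not enforcing (p=$(dmarc_tag "$demo_rec" p)); move to quarantine or reject once reports look clean"
fi
```

After publishing, compare live_txt_record default._domainkey.your-domain.com with dkim_record_value on your own default.txt; the two strings should be identical, and opendkim-testkey should then report key OK.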

Set up aliases

Open alias file
$ sudo nano /etc/aliases
Edit file as needed.
# See man 5 aliases for format
postmaster: root
abuse: root
webmaster: root
admin: root
root: account you want root email directed to
Postfix reads the hashed database rather than the text file, so rebuild it after every edit with sudo newaliases; until you do, the old aliases stay in effect.

Thunderbird

If you choose Thunderbird for email, note that the first time you open the program you need to change the default store type Thunderbird uses for inbound mail. Enable the menu bar (right-click at the top and tick Menu Bar, or press Alt or F10), then go to Edit >> Preferences >> Advanced. Near the bottom, under Message Store Type for new accounts, click the drop-down and select File per message (maildir). Close the dialog, then proceed with adding new accounts.

Thursday, September 12, 2019

Ubuntu Remote Desktop


I wanted to be able to access xfce desktop sessions remotely via the browser and via Windows Remote Desktop Connection.  These steps were performed on a clean install of Ubuntu after a user was added with sudo access but before the firewall was enabled.  Your results may differ.

Browser Remote Access By VPS Host 


My host is Interserver. Chances are, your VPS host, like Interserver already provides terminal access to your server. My first attempts failed because my keyboard and mouse were disabled preventing a simple log in in a GUI environment.  I finally figured out the steps to make it work. First step is to install xfce4:
$ sudo apt update
$ sudo apt install xfce4 xfce4-goodies
You also need a display manager to provide the graphical login. I chose lightdm:
$ sudo apt install lightdm
Install kwallet packages
$ sudo apt-get install libpam-kwallet4 libpam-kwallet5
Start the lightdm service
$ sudo systemctl start lightdm 
Now when I access the server through the host's website I get a log-in with both the mouse and keyboard operating properly.  However, the login screen fails when you try to login. You can fix this by telling lightdm which desktop session you want to use. 
# nano /usr/share/lightdm/lightdm.conf.d/50-xfce-greeter.conf
Copy and paste the following into the file
[SeatDefaults]
greeter-session=unity-greeter
user-session=xfce
Save the file.  Restart the lightdm service:
$ sudo systemctl restart lightdm
My only complaint is that the connection is a bit sluggish. The mouse movement is a bit jerky. But, in a pinch it works.

Windows Remote Desktop Connection


You can access your VPS through the Windows Remote Desktop Connection. To connect you need to install xrdp.
$ sudo apt update
$ sudo apt install xrdp
You'll need to let the server know which desktop session you prefer to use.
$ nano ~/.xsession
Add the following to the file:
xfce4-session
Save the file.
Add xrdp to ssl-cert group:
sudo adduser xrdp ssl-cert
Create the .Xauthority file if it is missing or corrupt. (Start an SSH session with PuTTY, with X11 forwarding enabled and the X display location set to localhost.)
# Rename the existing .Xauthority file by running the following command
mv .Xauthority old.Xauthority
# xauth will complain unless ~/.Xauthority exists
touch ~/.Xauthority

# only this one key is needed for X11 over SSH
xauth generate :0 . trusted

# generate our own key, xauth requires 128 bit hex encoding
xauth add ${HOST}:0 . $(xxd -l 16 -p /dev/urandom)

# To view a listing of the .Xauthority file, enter the following
xauth list
Reboot the server. Now open the Windows Remote Desktop, enter the ip address in the Computer box, then click connect.  After you connect start an Xorg session by entering your username and password.  You should connect to your desktop. If you have trouble connecting make sure you're not already signed in to another desktop session.

Debian


Connection via Windows Remote Desktop


On Debian I was not able to connect. After editing the following file I was able to connect.
$ sudo nano /etc/X11/Xwrapper.config
Change allowed_users from console to anybody (this lets a user who is not at the physical console, such as the xrdp session, start the X server):
allowed_users=anybody

gtk-warning ** cannot open display :10.0


I installed synaptic and got the cannot open display warning. The warning did not occur if I logged in as root. After much research I learned that in Debian, $XAUTHORITY is usually not set explicitly. To correct for this I edited the .bashrc file in the user's root directory
$ nano .bashrc
Add the following line (exported, so that programs started from that shell inherit it):
export XAUTHORITY=~/.Xauthority
Save the file.  In the remote desktop session, I used application finder to locate the synaptic launcher I prefixed sudo the command and checked the box under options to  run in terminal. Now when I click synaptic in the menu the terminal opens for authentication and the program opens as  expected.

NoVNC Remote Access


Desktop remote access through the VPS host was sluggish. You can also access the remote desktop via novnc.   The novnc connection was more responsive for me.  First install novnc, websockify, and python-numpy.
$ sudo apt -y install novnc websockify python-numpy
Then install a vncserver. I chose tightvncserver
$ sudo apt install tightvncserver
Create a self-signed certificate so the browser session is encrypted. The file holds the private key as well as the certificate, so it must not be world-readable; mode 600 is enough because websockify is started as root below.
$ cd /etc/ssl
$ sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout novnc.pem -out novnc.pem -days 365
$ sudo chmod 600 novnc.pem
Start vncserver. The first time you will be prompted to enter a new password. VNC passwords are at most 8 characters, so do not rely on the password alone; keep the VNC port off the public interface as described below.
$ vncserver
If successful, vncserver starts a session on display :1, which is port 5901. If you need to end the session use the kill option. ':1' stands for port 5901, ':2' for port 5902, and so on.
$ vncserver -kill :1
To start a vnc session specifically on display :1 (port 5901), enter the following.
$ vncserver :1
Adding -localhost to that command (vncserver -localhost :1) binds Xvnc to the loopback interface, so that only websockify on this host can reach it and the unencrypted VNC port is never exposed.
Now we're ready to start a websockify session. The following command assigns port 6080 as a proxy for port 5901 and serves the noVNC client over TLS using the certificate you just created:
$ sudo websockify -D --web=/usr/share/novnc/ --cert=/etc/ssl/novnc.pem 6080 localhost:5901
You should get a session confirmation.
WebSocket server settings:
  - Listen on :6080
  - Flash security policy server
  - Web server. Web root: /usr/share/novnc
  - SSL/TLS support
  - Backgrounding (daemon)
Open the browser and go to the following url (https, since websockify was started with a certificate). If ufw is enabled, port 6080 must be allowed, preferably from your own ip address only, as with 3389.
https://your-ip-address:6080/vnc.html
Your browser will warn that the certificate is self-signed; click the links confirming you accept the risk, then sign in using the vnc password you chose during the initial vncserver setup. If you get an error message try disabling "encrypt" (click the gear icon). Once connected there will be a blue bar at the top that tells you whether or not the connection is secure. If you still have problems connecting:

  • Make sure you are not already signed in the desktop (like through the VPS host or Windows Remote Desktop
  • Verify there is a running vncserver session at the port you're trying to access. 
  • Verify you have started a websockify session.
  • Verify the the port you're trying to access through the browser matches the websockify session.
  • Verify the lightdm service is running (sudo systemctl status lightdm)
  • If all else fails try rebooting.  You will need to start new vnc and websockify sessions.  


Saturday, September 7, 2019

Web host set-up with fresh Ubuntu 18.04 Install - apache2 as webserver with nginx as proxy

Install Apache2


First install Apache2, PHP-FPM, and the FastCGI Apache module. libapache2-mod-fastcgi comes from the multiverse pool and is no longer maintained upstream, which is why it is fetched as a .deb here; Apache's own mod_proxy_fcgi is the supported way to talk to PHP-FPM today.
$ sudo apt update && sudo apt upgrade
$ sudo apt-get install apache2 php-fpm
$ wget https://mirrors.edge.kernel.org/ubuntu/pool/multiverse/liba/libapache-mod-fastcgi/libapache2-mod-fastcgi_2.4.7~0910052141-1.2_amd64.deb
$ sudo dpkg -i libapache2-mod-fastcgi_2.4.7~0910052141-1.2_amd64.deb
Configure Apache2 to use PHP-FPM.  First change Apache port number to 8080.
$ sudo cp /etc/apache2/ports.conf /etc/apache2/ports.conf.default
$ sudo nano /etc/apache2/ports.conf
Change Listen 80 in the ports.conf file you just opened to Listen 8080. Save file.
Configure hostname.
$ sudo nano /etc/apache2/apache2.conf
Add the following:
ServerName localhost
Open hosts file
$ sudo nano /etc/hosts
Edit as needed:
127.0.0.1 localhost
127.0.1.1 myhostname
Create the directory for apache2 logs (the package normally creates it already; -p makes the command safe either way) and set ownership and permissions.
$ sudo mkdir -p /var/log/apache2
$ sudo chmod 750 /var/log/apache2
$ sudo chown root:adm /var/log/apache2
Apache comes with a default virtual host file called 000-default.conf.  Copy this file for your domain.
$ sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/your-domain.com.conf
Open your-domain.conf file just created.
$ sudo nano /etc/apache2/sites-available/your-domain.com.conf
Change the listening port to 8080
The file contents should look something like this:
<VirtualHost *:8080>

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
Disable 000-default.conf and enable the new conf file for your domain as follows:
$ sudo a2dissite 000-default.conf
$ sudo a2ensite your-domain.com.conf
Reload Apache.
$ sudo systemctl reload apache2
Install net-tools if necessary for the netstat command.
$ sudo apt install net-tools
Verify Apache is listening to port 8080.
$ sudo netstat -tlpn
Output:
Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      2204/systemd-resolv
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      21618/sshd
tcp6       0      0 :::8080                 :::*                    LISTEN      7454/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      21618/sshd


Create directory structure:

$ sudo mkdir -p /var/www/your-domain.com/public_html
The above creates directories owned by root.  Change ownership so other users can access.
$ sudo chown -R $USER:$USER /var/www/your-domain.com/public_html
Modify permissions to ensure that read access is permitted to the general web directory and all of the files and folders it contains.
$ sudo chmod -R 755 /var/www
Set up a temporary web page for testing
$ nano /var/www/your-domain.com/public_html/index.html
Add the following contents<
<html>
  <head>
    <title>Welcome!</title>
  </head>
  <body>
    <h1>Welcome to our test page!</h1>
  </body>
</html>

Create New Virtual Host File


Edit the your-domain.conf file created earlier.
$ sudo nano /etc/apache2/sites-available/your-domain.com.conf
Edit the file with the changes shown (ServerAdmin, ServerName, ServerAlias, DocumentRoot and the Directory block):
<VirtualHost *:8080>

        ServerAdmin [email protected]
        ServerName your-domain.com
        ServerAlias *.your-domain.com
        DocumentRoot /var/www/your-domain.com/public_html    
        <Directory /var/www/your-domain.com/public_html>
            AllowOverride All
        </Directory>    
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
The entry AllowOverride All enables .htaccess support, which lets anyone who can write to the document root change the server configuration for it; leave it at None unless a site actually needs .htaccess. Save the file.

Enable the New Virtual Host File


Activate each site as follows (should already be activated):
$ sudo a2ensite your-domain.com.conf
You should get a message that confirms the site was enabled.
Output
Enabling site your-domain.com.
To activate the new configuration, you need to run:
  service apache2 reload
Allow port 8080 in the firewall if needed
$ sudo ufw allow 8080
Restart Apache.
$ sudo systemctl restart apache2
The sites are configured. Verify that you can reach the site (http://your-domain.com:8080).
If you can't reach the site, try running the following.
$ sudo apache2ctl -S
Verify the information is correct.

Next configure support for PHP and FastCGI.


The module mod_fastcgi depends on mod_action.  Enable mod_action:
$ sudo a2enmod actions
Backup the existing fastcgi conf file:
$ sudo cp /etc/apache2/mods-enabled/fastcgi.conf /etc/apache2/mods-enabled/fastcgi.conf.default
Edit the file:
$ sudo nano /etc/apache2/mods-enabled/fastcgi.conf
Replace the contents of the file with the following:
<IfModule mod_fastcgi.c>
  AddHandler fastcgi-script .fcgi
  FastCgiIpcDir /var/lib/apache2/fastcgi
  AddType application/x-httpd-fastphp .php
  Action application/x-httpd-fastphp /php-fcgi
  Alias /php-fcgi /usr/lib/cgi-bin/php-fcgi
  FastCgiExternalServer /usr/lib/cgi-bin/php-fcgi -socket /run/php/php7.2-fpm.sock -pass-header Authorization
  <Directory /usr/lib/cgi-bin>
    Require all granted
  </Directory>
</IfModule>
Save the file and check the configuration
$ sudo apachectl -t
If the syntax is OK, reload apache.
$ sudo systemctl reload apache2
Verify php is working. Create an info.php file.
$ echo "<?php phpinfo(); ?>" | sudo tee /var/www/your-domain.com/public_html/info.php
Go to http://your_ip:8080/info.php. Near the top, Server API should say FPM/FastCGI. Find SERVER_SOFTWARE; it should say Apache/2.4.x (Ubuntu). The page discloses versions, paths and loaded modules to anyone who requests it, so treat it as a test page only and delete it once the proxy tests later in this post are done.

Install nginx


$ sudo apt install nginx
Delete default symlink no longer needed.
$ sudo rm /etc/nginx/sites-enabled/default
Create a virtual host file.
$ sudo nano /etc/nginx/sites-available/your-domain.com
Populate as follows:
server {
    listen 80;

    root /var/www/your-domain.com/public_html;
    index index.php index.html index.htm;

    server_name your-domain.com *.your-domain.com;
    location / {
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        include snippets/fastcgi-php.conf;
    }
}
Enable the site by creating a symbolic link to the sites-enabled directory.
$ sudo ln -s /etc/nginx/sites-available/your-domain.com /etc/nginx/sites-enabled/your-domain.com
Test the Nginx configuration.
$ sudo nginx -t
If the test is OK, restart nginx.
$ sudo systemctl reload nginx
Open the browser and try to access the info.php file.
http://your-domain.com/info.php
Once the info.php file is opened find SERVER_SOFTWARE on the page.  It should identify nginx as the server. Also find DOCUMENT_ROOT. Verify the document root is correct.

Proxy nginx domain names to apache


Create nginx virtual host for forwarding requests to apache.
$ sudo nano /etc/nginx/sites-available/apache
Populate file with the following.
server {
    listen 80;
    server_name your-domain.com *.your-domain.com;

    location / {
        proxy_pass http://your_ip:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Save the file, then enable it by creating a symbolic link.
$ sudo ln -s /etc/nginx/sites-available/apache /etc/nginx/sites-enabled/apache
If you get a "file exists" error, the link is already in place. Note that this block uses the same server_name and port 80 as /etc/nginx/sites-enabled/your-domain.com, so nginx -t warns about a conflicting server name and only the first block in include order answers for the domain (sites-enabled/apache sorts before sites-enabled/your-domain.com, which is why the proxy wins here). Remove the sites-enabled/your-domain.com link so the result does not depend on file name ordering:
$ sudo rm /etc/nginx/sites-enabled/your-domain.com
Test the configuration
$ sudo nginx -t
If no errors reload nginx
$ sudo systemctl reload nginx
Go to http://your-domain.com/info.php.
Review the php info. Verify DOCUMENT_ROOT is correct for the apache root and SERVER_SOFTWARE is Apache. The variables HTTP_X_REAL_IP and HTTP_X_FORWARDED_FOR were added by nginx and contain your ip address; REMOTE_ADDR still shows the proxy's address, which the next section fixes.
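An added example (not code from the original post) that audits an nginx configuration tree for the conflict described above: the same server_name declared for the same listen address in more than one file. It assumes Ubuntu's stock include order (conf.d/*.conf, then sites-enabled/*) and a POSIX shell with awk; the tree written by write_sample_nginx_tree is constructed to mirror the three files this post creates.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: find server_name values that
# are declared more than once for the same listen address, which is what
# happens above once sites-enabled/your-domain.com and sites-enabled/apache
# both claim your-domain.com on port 80. write_sample_nginx_tree builds a
# constructed config tree mirroring the files in this post.

# Print "listen<TAB>server_name<TAB>file" for every server block, in the order
# nginx on Ubuntu includes them (conf.d/*.conf first, then sites-enabled/*).
# With duplicates, the first line printed is the block nginx actually uses.
nginx_server_names() {   # $1 = nginx config root, e.g. /etc/nginx
  local root="$1" f
  set --
  for f in "$root"/conf.d/*.conf "$root"/sites-enabled/*; do
    if [ -f "$f" ]; then set -- "$@" "$f"; fi
  done
  [ $# -gt 0 ] || return 0
  awk '
    { sub(/#.*/, "") }                                  # drop comments
    /^[[:space:]]*server[[:space:]]*\{/ { inserver = 1; depth = 1; listens = ""; names = ""; next }
    inserver && /^[[:space:]]*listen[[:space:]]/ {
      v = $0; sub(/^[[:space:]]*listen[[:space:]]+/, "", v); sub(/;.*/, "", v)
      split(v, a, " ")
      listens = listens " " (index(a[1], ":") ? a[1] : "*:" a[1])   # "80" means "*:80"
    }
    inserver && /^[[:space:]]*server_name[[:space:]]/ {
      v = $0; sub(/^[[:space:]]*server_name[[:space:]]+/, "", v); sub(/;.*/, "", v)
      names = names " " v
    }
    inserver {
      depth += gsub(/\{/, "{"); depth -= gsub(/\}/, "}")
      if (depth <= 0) {                                 # end of the server block
        if (listens == "") listens = "*:80"             # nginx default without listen
        nl = split(listens, L, " "); nn = split(names, N, " ")
        for (i = 1; i <= nl; i++) for (j = 1; j <= nn; j++)
          printf "%s\t%s\t%s\n", L[i], N[j], FILENAME
        inserver = 0
      }
    }' "$@"
}

# One line per (listen, server_name) pair that more than one file declares;
# nginx keeps the first such block and ignores the rest with a warning.
nginx_conflicts() {      # $1 = nginx config root
  nginx_server_names "$1" | awk -F'\t' '
    { key = $1 " " $2; files[key] = ((key in n) ? (files[key] ", " $3) : $3); n[key]++ }
    END { for (k in n) if (n[k] > 1) printf "%s: %s\n", k, files[k] }' | sort
}

# Constructed tree mirroring this post: the PHP vhost, the apache proxy vhost,
# and the conf.d copy made later for Let's Encrypt, all claiming port 80.
write_sample_nginx_tree() {  # $1 = directory to populate (absolute path)
  mkdir -p "$1/conf.d" "$1/sites-available" "$1/sites-enabled"
  cat > "$1/sites-available/your-domain.com" <<'EOF'
server {
    listen 80;
    root /var/www/your-domain.com/public_html;
    server_name your-domain.com *.your-domain.com;
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}
EOF
  cat > "$1/sites-available/apache" <<'EOF'
server {
    listen 80;
    server_name your-domain.com *.your-domain.com;   # same names, same port
    location / { proxy_pass http://127.0.0.1:8080; }
}
EOF
  ln -sf "$1/sites-available/your-domain.com" "$1/sites-enabled/your-domain.com"
  ln -sf "$1/sites-available/apache" "$1/sites-enabled/apache"
  cat > "$1/conf.d/your-domain.com.conf" <<'EOF'
server {
    listen 80;
    server_name your-domain.com *.your-domain.com;
}
server {
    listen 443 ssl;
    server_name your-domain.com *.your-domain.com;
}
EOF
}

# Demo on a throw-away tree; on a real host run: nginx_conflicts /etc/nginx
demo_root=$(mktemp -d)
write_sample_nginx_tree "$demo_root"
echo "conflicting server names (first file listed wins):"
nginx_conflicts "$demo_root"
rm -rf "$demo_root"
```

The 443 block in conf.d shows up once and is therefore not reported: a name may legitimately appear on several ports, and only duplicates on the same listen address are a conflict.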

Configure Apache to set the rewrite values for proxy


The apache module mod_rpaf rewrites REMOTE_ADDR, HTTPS and the server port to the values supplied by a reverse proxy, but only for requests that arrive from the proxy addresses you list, so clients cannot forge their own source address. Install the following.
$ sudo apt install unzip build-essential apache2-dev
Download the latest stable rpaf release, unzip, and install the module.
$ cd /tmp
$ wget https://github.com/gnif/mod_rpaf/archive/stable.zip
$ unzip stable.zip
$ cd mod_rpaf-stable
$ make
$ sudo make install
$ sudo apt install libtool-bin
$ sudo libtool --finish /usr/lib/apache2/modules
Create file in the mods-available directory which will load mod_rpaf
$ sudo nano /etc/apache2/mods-available/rpaf.load
Populate the file with the following
LoadModule rpaf_module /usr/lib/apache2/modules/mod_rpaf.so
Save the file.  Create a configuration file in the same directory
$ sudo nano /etc/apache2/mods-available/rpaf.conf
Populate as follows. RPAF_ProxyIPs lists the only addresses whose X-Real-Ip header Apache will believe: put the address nginx connects from (your_ip here, or 127.0.0.1 if proxy_pass points at localhost). A header sent by anyone else is ignored, which is what stops a client from spoofing REMOTE_ADDR.
    <IfModule mod_rpaf.c>
        RPAF_Enable             On
        RPAF_Header             X-Real-Ip
        RPAF_ProxyIPs           your_ip 
        RPAF_SetHostName        On
        RPAF_SetHTTPS           On
        RPAF_SetPort            On
    </IfModule>
Save the file. Enable the module
$ sudo a2enmod rpaf
Test the configuration
$ sudo apachectl -t
If no errors reload apache2
$ sudo systemctl reload apache2; 
Return to the browser and go to http://your-domain.com/info.php. The REMOTE_ADDR variable should now be your local computer's public ip address. As a check that only the proxy is trusted, request the page directly on port 8080 with a forged X-Real-Ip header; REMOTE_ADDR should show your real address, not the forged one. When you are done testing, delete info.php, since it reveals the server's configuration to anyone who requests it.

Secure Website


You can secure your website with a free Let's Encrypt Certificate.

Install certbot


Add the PPA and install certbot (install software-properties-common if necessary)
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt update
Install certbot packages:
$ sudo apt install python-certbot-nginx 

Configure letsencrypt.conf


When issuing a certificate, the Let's Encrypt client (certbot) places a temporary file under http://your-domain.com/.well-known/acme-challenge/ and Let's Encrypt requests it.  If it doesn't receive the expected response the certificate request is rejected.  Here are the steps needed to pass the challenge.

Copy the your-domain.com file created earlier in the /etc/nginx/sites-available/ directory to a new your-domain.com.conf file for ssl.
$ sudo cp /etc/nginx/sites-available/your-domain.com /etc/nginx/conf.d/your-domain.com.conf
Edit the new file.
$ sudo nano /etc/nginx/conf.d/your-domain.com.conf
Make changes as shown:
server {
    listen 80;

    root /var/www/your-domain.com/public_html;
    index index.php index.html index.htm;

    server_name your-domain.com *.your-domain.com;
    location / {
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        include snippets/fastcgi-php.conf;
    }
    location ~ /.well-known/acme-challenge {
        allow all;
    }
}
When Let's Encrypt issues the certificate, certbot adds the 443 ssl listener and certificate settings to the existing server block in /etc/nginx/conf.d/your-domain.com.conf.


SSL installation 


Check syntax:
$ sudo nginx -t
If OK, reload nginx
$ sudo systemctl reload nginx
Make sure the https port 443 is included in your firewall configuration. See Install Firewall (ufw).

Install certificate:


If the dry-run passes you can issue the certificate
$ sudo certbot --nginx -d your-domain.com -d www.your-domain.com
Answer any prompts and wait for the confirmation that the certificate has been issued.  If you have problems getting the certificate issued, try visiting the website https://letsdebug.net/.
Since we are using the webroot plugin we need to reload the nginx server at renewal.  To do this, append --renew-hook "systemctl reload nginx" to the command in the /etc/cron.d/certbot file:
$ sudo nano /etc/cron.d/certbot
There is a one-line string of text.  Append so it looks like this:
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"
The Let's Encrypt Certificate is only valid for 90 days.  However, the certbot installation includes a cron script that auto-renews the certificate 30 days before expiration.  The script is located in /etc/cron.d.

You can test the renewal process by running the following command again:
$ sudo certbot renew --dry-run

Sunday, September 1, 2019

Web host set-up with fresh Debian 11 Install

Note: Installation performed on a VPS KVM server

Why install Debian over Ubuntu?  After all, Ubuntu is more user friendly and comes prepackaged with more software.  However, disk space is at a premium with the current VPS I'm using.  I chose Debian over Ubuntu because Debian comes as a bare minimum, not bundled or prepackaged with the additional software and features Ubuntu ships with.  With Debian I have more control over the software installed, making it lighter and faster than Ubuntu.

First update and upgrade

# apt update
# apt upgrade

Install Firewall (ufw)

# apt-get install ufw
Firewall needs to be enabled
# ufw enable
Verify firewall is active
# ufw status verbose
Allow access to port 22
# ufw allow 22
Configure firewall to allow the following additional ports:

  • 80
  • 8080
  • 443
Recheck ufw status
# ufw status verbose
The results should be similar to the following:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
8080                       ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
8080 (v6)                  ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
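A check of that output against the allowlist above, as an added Python example that is not part of the original post: it parses the rule table, confirms the firewall is active with a deny-incoming default, and reports any ALLOW rule that was not planned or is missing. The sample status text and the helper names are constructed.

```python
"""Compare `ufw status verbose` output against the ports this post opens.

Added illustration, not part of the original post: parse_ufw_status() and
check_ufw() are hypothetical helpers, and SAMPLE_STATUS is constructed to
match the layout ufw prints.
"""
import re
from typing import Dict, List, Set

EXPECTED_PORTS = {"22", "80", "8080", "443"}   # what the post allows

SAMPLE_STATUS = """\
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
8080                       ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
"""

# One rule line: "<to>[ (v6)]  <ACTION IN>  <from>"; the header row has no action.
RULE_RE = re.compile(r"^(?P<to>\S+(?: \(v6\))?)\s{2,}"
                     r"(?P<action>(?:ALLOW|DENY|REJECT|LIMIT) IN)\s+(?P<from>.+?)\s*$")


def parse_ufw_status(text: str) -> Dict[str, object]:
    """Return the active flag, default incoming policy and (to, action, from) rules."""
    info: Dict[str, object] = {"active": False, "default_incoming": "", "rules": []}
    for line in text.splitlines():
        if line.startswith("Status:"):
            info["active"] = line.split(":", 1)[1].strip() == "active"
        elif line.startswith("Default:"):
            m = re.search(r"(\w+) \(incoming\)", line)
            info["default_incoming"] = m.group(1) if m else ""
        else:
            m = RULE_RE.match(line)
            if m:
                info["rules"].append((m.group("to"), m.group("action"), m.group("from")))
    return info


def check_ufw(text: str, expected: Set[str] = EXPECTED_PORTS) -> List[str]:
    """Findings: firewall off, default not deny, ALLOW rules missing or unexpected."""
    info = parse_ufw_status(text)
    findings: List[str] = []
    if not info["active"]:
        findings.append("firewall inactive")
    if info["default_incoming"] != "deny":
        findings.append("default incoming policy is %r, not deny" % info["default_incoming"])
    # Normalise "8080 (v6)" and "5900:5999/tcp" down to the port part.
    allowed = {to.replace(" (v6)", "").split("/")[0]
               for to, action, _ in info["rules"] if action == "ALLOW IN"}
    findings += ["unexpected ALLOW rule for %s" % p for p in sorted(allowed - expected)]
    findings += ["missing ALLOW rule for %s" % p for p in sorted(expected - allowed)]
    return findings
```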

Set up user

By default sudo is not installed on Debian
# apt install sudo -y
Run visudo to modify the sudoers file:
# visudo
Add the following line if it is missing:

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

Add a user

# adduser example_user

Add to sudo group (if new user needs root privileges)

# adduser example_user sudo
Exit then log-in with new credentials.

Secure SSH Log-in Using PuTTY

Fix unable to find host:

Edit host file

$ sudo nano /etc/hosts

Add the following near the top:

127.0.0.1    actual hostname

Enable firewall for ssh access

$ sudo ufw allow ssh

Configure the server


Backup the sshd_config file
$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Edit the sshd_config file
$ sudo nano /etc/ssh/sshd_config
Uncomment the following lines (remove the leading #):

Port 22
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2

Generate keys with PuTTYgen

  1. Go to Windows Start menu → All Programs → PuTTY→ PuTTYgen
  2. Generate a public/private key pair
    • Parameters (use defaults)
      • Type of key: RSA
      • bits: 2048
    • click Generate
      • Putty uses mouse movements for randomness
      • When key generation is complete enter a passphrase
      • Save public key
      • Save private key
  3. Install public key on server
    • In the user's home directory create a .ssh folder
      • $ mkdir ~/.ssh
    • Create a new file as follows:
      • $ nano ~/.ssh/authorized_keys
    • Copy/paste the public key created in step 2 into the new file.  The key must be all on one line.
    • Save the file
  4. Exit

Disable "root" user


Edit the sshd_config file
$ sudo nano /etc/ssh/sshd_config
For security purposes, change PermitRootLogin to no.  Save the file and reboot.
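An added Python audit of the sshd_config edits above (the PubkeyAuthentication and AuthorizedKeysFile lines, and PermitRootLogin no); it is not part of the original post, and its helper names and sample configs are constructed. It applies sshd's own rule that the first value read for a keyword wins, so a duplicate PermitRootLogin left earlier in the file is caught rather than silently overriding the edit.

```python
"""Audit an sshd_config for the settings this post changes (added illustration).

Not from the original post: sshd_config_effective() and audit_sshd() are
hypothetical helpers and the sample configs are constructed. The audit uses
the rule sshd itself applies: the FIRST value read for a keyword wins, so a
stray duplicate earlier in the file silently overrides a later edit.
"""
from typing import Dict, List

# Values the post asks for (PermitRootLogin from "Disable root user").
REQUIRED = {
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2",
}


def sshd_config_effective(text: str) -> Dict[str, str]:
    """Map lowercase keyword -> effective value ("keyword value" form only).

    Comments and blank lines are ignored; everything after a Match line is
    skipped because those values apply only to matching connections.
    """
    effective: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def audit_sshd(text: str, required: Dict[str, str] = REQUIRED) -> List[str]:
    """Return a finding for each required setting that is missing or differs."""
    effective = sshd_config_effective(text)
    findings: List[str] = []
    for key, want in required.items():
        got = effective.get(key)
        if got is None:
            findings.append("%s not set (compiled-in default applies)" % key)
        elif " ".join(got.split()).lower() != want.lower():
            findings.append("%s is %r, expected %r" % (key, got, want))
    return findings


SAMPLE_OK = """\
# constructed sample after the edits in this post
Port 22
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2
PermitRootLogin no
"""
SAMPLE_DUPLICATE = "PermitRootLogin yes\n" + SAMPLE_OK  # the stray line wins
```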

Install Apache2

$ sudo apt update && sudo apt upgrade
$ sudo apt install apache2
Useful apache commands
## Help ##
$ sudo apache2ctl -h

## List active modules ##
$ sudo apache2ctl -M

## Start ##
$ sudo service apache2 start

## Stop ##
$ sudo service apache2 stop

## Restart ##
$ sudo service apache2 restart

Verify apache2 is working by visiting http://your_server_ip. You should reach the Apache2 Debian Default Page.

Install PHP

$ sudo apt update && sudo apt upgrade
$ sudo apt install php libapache2-mod-php php-mysql
Move index.php to the front of the list of index files apache will look for when a directory is requested.
$ sudo nano /etc/apache2/mods-enabled/dir.conf

## Then restart Apache ##
$ sudo systemctl restart apache2

## Verify Apache status ##
$ sudo systemctl status apache2
Verify your php installation by creating a phpinfo file
## create a new file ##
$ sudo nano /var/www/html/info.php

## Add the following text ##
<?php
phpinfo();
?>
Go to http://your_server_ip/info.php

Upgrade to PHP 7.2


Add PPA
$ sudo apt install apt-transport-https lsb-release ca-certificates
$ sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
$ sudo sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'
$ sudo apt update
Run the following Command
$ sudo apachectl -V
If the Server MPM is prefork, install PHP 7.2 with the following
$ sudo apt install php7.2 php7.2-common php7.2-cli libapache2-mod-php7.2
Otherwise install PHP 7.2 with the following
$ sudo apt install php7.2 php7.2-common php7.2-cli php7.2-fpm
Review available php modules
$ ls /etc/apache2/mods-available/php*
Review enabled php modules
$ ls /etc/apache2/mods-enabled/php*
To upgrade to PHP 7.2 disable the current enabled module (7.0 in this instance)
$ sudo a2dismod php7.0
Then enable PHP 7.2
$ sudo a2enmod php7.2
Verify the syntax (should say OK)
$ sudo apachectl -t
Restart Apache
$ sudo service apache2 restart
Verify 7.2 is the active module (Note: you can also rerun info.php)
$ ls /etc/apache2/mods-enabled/php*
Remove old php module (7.0 in this case)
$ sudo apt purge php7.0*

Add Modules to PHP

List specific modules available to your enabled PHP version.  Hit the tab key twice at the end.
$ sudo apt-get install php7.2[tab][tab]
Here's a sample output
php7.2                   php7.2-fpm
php7.2-bcmath            php7.2-fpm-dbgsym
php7.2-bcmath-dbgsym     php7.2-gd
php7.2-bz2               php7.2-gd-dbgsym
php7.2-bz2-dbgsym        php7.2-gmp
php7.2-cgi               php7.2-gmp-dbgsym
php7.2-cgi-dbgsym        php7.2-imap
php7.2-cli               php7.2-imap-dbgsym
php7.2-cli-dbgsym        php7.2-interbase
php7.2-common            php7.2-interbase-dbgsym
php7.2-common-dbgsym     php7.2-intl
php7.2-curl              php7.2-intl-dbgsym
php7.2-curl-dbgsym       php7.2-json
php7.2-dba               php7.2-json-dbgsym
php7.2-dba-dbgsym        php7.2-ldap
php7.2-dev               php7.2-ldap-dbgsym
php7.2-enchant           php7.2-mbstring
php7.2-enchant-dbgsym    php7.2-mbstring-dbgsym
You can add single or multiple modules with the following command
$ sudo apt-get install module_name_1 module_name_2
Here's a good article on the subject.

Install MySQL

Download deb package
$ sudo apt update && sudo apt upgrade
$ wget http://repo.mysql.com/mysql-apt-config_0.8.13-1_all.deb
$ sudo dpkg -i mysql-apt-config_0.8.13-1_all.deb
You will be prompted to select a mysql version. Choose the defaults. Next, install MySQL
$ sudo apt update
$ sudo apt install mysql-server
You should be prompted to enter a password for root. If you weren't prompted enter the following commands:
$ sudo service mysql stop
$ sudo mkdir /var/run/mysqld; sudo chown mysql /var/run/mysqld
$ sudo mysqld_safe --skip-grant-tables &
You can now log in as root without a password.  While mysqld runs this way anyone who can reach it can do the same, so finish the reset and restart it normally as soon as possible.

Set a password for root
$ sudo mysql --user=root mysql
This will log you into MySQL. If you're using MySQL 5.6 or below enter the following
mysql> update user set Password=PASSWORD('new-password') where user='root';
flush privileges;
If you're using MySQL 5.7 or above enter the following
mysql> update user set authentication_string=PASSWORD('new-password') where user='root';
flush privileges;
Then quit mysql, stop the temporary mysqld and start MySQL as normal.

Stop MySQL
$ sudo service mysql stop
Start MySQL (Normal)
$ sudo service mysql start
Kill the temporary mysql safe mode session
$ sudo mysqladmin shutdown
Check the status
$ sudo service mysql status

Set Up Domain (Virtual Host)

Create directory structure:

$ sudo mkdir -p /var/www/your-domain.com/public_html
The above creates directories owned by root.  Change ownership so other users can access.
$ sudo chown -R $USER:$USER /var/www/your-domain.com/public_html
Modify permissions to ensure that read access is permitted to the general web directory and all of the files and folders it contains.
$ sudo chmod -R 755 /var/www
Set up a temporary web page for testing
$ nano /var/www/your-domain.com/public_html/index.html
Add the following contents
<html>
  <head>
    <title>Welcome!</title>
  </head>
  <body>
    <h1>Welcome to our test page!</h1>
  </body>
</html>

Create New Virtual Host File


Apache comes with a default virtual host file called 000-default.conf.  Copy this file for your domain.
$ sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/your-domain.com.conf
Open the your-domain.com.conf file just created.
$ sudo nano /etc/apache2/sites-available/your-domain.com.conf
The file contents should look something like this:
<VirtualHost *:80>

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
Edit the file with the following changes (the ServerAdmin, ServerName, ServerAlias and DocumentRoot lines):
<VirtualHost *:80>

        ServerAdmin [email protected]
        ServerName your-domain.com
        ServerAlias www.your-domain.com    
        DocumentRoot /var/www/your-domain.com/public_html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
Save the file. Create a second copy of the file just edited for https
$ sudo cp /etc/apache2/sites-available/your-domain.com.conf /etc/apache2/sites-available/your-domain-ssl.com.conf
Open the your-domain-ssl.com.conf file just created.
$ sudo nano /etc/apache2/sites-available/your-domain-ssl.com.conf
Change the port from 80 to 443.
<VirtualHost *:443>

        ServerAdmin [email protected]
        ServerName your-domain.com
        ServerAlias www.your-domain.com   
        DocumentRoot /var/www/your-domain.com/public_html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
Save the file.

Enable the New Virtual Host File


Activate each site as follows:
$ sudo a2ensite your-domain.com.conf
$ sudo a2ensite your-domain-ssl.com.conf
You should get a message that confirms the site was enabled.
Output
Enabling site your-domain.com.
To activate the new configuration, you need to run:
  service apache2 reload
Disable 000-default.conf as follows:
$ sudo a2dissite 000-default.conf
Restart Apache.
$ sudo systemctl restart apache2
The sites are configured.  Verify that you can reach the site.  Note you will not be able to access the https site until you have created an SSL certificate.

Secure Website


You can secure your website with a free Let's Encrypt Certificate. The certbot package was not available on Debian 9.9 by default.  To make it accessible to APT we need to add the backports repository to the list of places APT looks for packages.

Install certbot


Open the sources list.
$ sudo nano /etc/apt/sources.list
Add the following to the bottom of the file:
deb http://ftp.debian.org/debian stretch-backports main
Perform an update:
$ sudo apt update
Install certbot.  Note: the -t option tells apt to take the package from the backports repository.
$ sudo apt install python-certbot-apache -t stretch-backports

SSL installation 


Verify that your your-domain.com.conf file (see Create New Virtual Host File) includes the ServerName line.
$ sudo nano /etc/apache2/sites-available/your-domain.com.conf
## Should Include the following line ##
ServerName your-domain.com
Check syntax:
$ sudo apache2ctl configtest
Reload apache
$ sudo systemctl reload apache2
Make sure the https port 443 is included in your firewall configuration. See Install Firewall (ufw).

Install certificate:
$ sudo certbot --apache -d your-domain.com -d www.your-domain.com
The Let's Encrypt Certificate is only valid for 90 days.  However the certbot installation includes a cron script that auto renews the certificate 30 days before expiration.  The script is located at /etc/cron.d.  You can test the renewal process by running the following command:
$ sudo certbot renew --dry-run

Email

$ sudo apt install exim4

Set a fully qualified domain name (FQDN) for the server

$ sudo hostnamectl set-hostname mail.your-domain.com

Update /etc/hosts file

$ sudo nano /etc/hosts
Edit the file as follows:
127.0.0.1       mail.your-domain.com localhost
To verify the change, log in again and run the following
$ hostname -f

Configure Exim4

$ sudo dpkg-reconfigure exim4-config
  1. select Internet Site
  2. system mail name: hostname.domain
  3. IP-addresses to listen on for incoming SMTP connections: default
  4. Other destinations for which mail is accepted: hostname; localhost
  5. Domains to relay mail for: leave blank
  6. Machines to relay mail for: leave blank
  7. Keep number of DNS-queries minimal (Dial-on-Demand)? default (No)
  8. Delivery method for local mail: default (mbox format in /var/mail/)
  9. Split configuration into small files?: default (no)

Check status:

$ sudo systemctl status exim4

Test send email:

$ sudo exim -v [email protected]
From: [email protected]
Subject: Foobar
Text Text Text
Ctrl+D to send

Install TLS Certificate


See Secure Website for instructions on installing a Let's Encrypt certificate.  If you already installed a certificate for your website you can expand the existing certificate by rerunning the certbot command with your mail server name added at the end. You will be asked if you want to expand your existing certificate.

Install Remote Desktop


Debian includes Gnome desktop by default.  To keep the installation space to a minimum uninstall Gnome.
$ sudo apt purge `dpkg --get-selections | grep gnome | cut -f 1`
$ sudo apt -f install
$ sudo apt purge `dpkg --get-selections | grep deinstall | cut -f 1`
$ sudo apt -f install

Install xfce


Switch to root
$ sudo -i
Use tasksel tool to install desktop environment.
# tasksel
A GUI screen will open.  Select the following then click OK:

  • Debian desktop environment
  • ...xfce
  • SSH Server
Reboot the server

Desktop Remote Login

Add ports 5900 to 5999 to the firewall
$ sudo ufw allow 5900:5999/tcp
$ sudo ufw allow 5900:5999/udp
Install XRDP and TigerVNC server

$ sudo apt-get install xrdp tigervnc-standalone-server
Start and enable XRDP service
$ sudo systemctl start xrdp
$ sudo systemctl enable xrdp
Start a remote desktop session.  Choose Xvnc as the session type.  Log in with your username and password.