Audience and Prerequisites
Skip to scenario if you want to jump into the main article.
This is for anyone who currently host their WordPress or ClassicPress in a virtual private server such as DigitalOcean, Linode, or any other VPS providers. Any Linux user with knowledge of command line can perform backups and restoration tasks. You must be familiar with Linux and you know how to connect to your production server via SSH.
Plus, this article assumes that you have installed and configured WordPress in your VPS server. In addition, this article assumes you can perform basic database administration tasks such as adding a new database along with creating a new user for WordPress or ClassicPress. If your hosting provider provides managed WordPress or ClassicPress hosting, then this article may not apply to you. And because this article is for those who currently run a VPS server, I am going to have to assume that you have some hands-on experience with the Linux command line. This article need not apply to non-technical Linux, Mac, and Windows users. When I say non-technical Linux users, I’m talking about those who wanted to get away from Windows or Mac and simply wanted to use Linux just to browse the Internet and not deal with the command line.
Last, but not least, I am also going to assume that you know how to configure your Apache server as well. Both Apache and NGINX (pronounced Engine-X) configurations won’t be covered here, including backing up and copying certificates that you get from your hosting provider.
If you are interested in learning Linux, a tutorial from Guru99 will help get you started on learning Linux.
Are you ready? Then let’s get started!
You have your own VPS server that is running ClassicPress. Your domain name is exmaple.com and your SSH port number is (insert your TCP port number here). You have a development server for developing your own custom ClassicPress theme and you want to use your development server to backup everything from your production server.
If you promoted your server to a domain controller, you won’t be able to change the hostname for Windows Server Domain Controller without inputting commands in the command prompt. Basically, you need to open the command prompt, add a new alternate hostname, make the domain controller your primary hostname, reboot your server, and then remove the old hostname. This is useful if the server’s hostname was not changed before the server gets promoted as a domain controller. The order of commands along with the syntax is as follows:
netdom computername oldcomputername.yourlocaldomain.lan /add:newcomputername.yourlocaldomain.lan
netdom computername oldcomputername.yourlocaldomain.lan /makeprimary:newcomputername.yourlocaldomain.lan
shutdown /r /t 0
netdom computername newcomputername.yourlocaldomain.lan /remove:oldcomputername.yourlocaldomain.lan
- The command to execute.
- Old hostname (example:
- Local domain name (example:
- New hostname (example:
- Adds a new hostname to the domain controller as an alternate hostname. For this example,
newcomputername will be added as an alternate hostname for the domain controller.
- Makes a hostname a primary name for the domain controller.
newcomputername will be the primary name for the domain controller and the
oldcomputername will be the alternate hostname for the domain controller.
- Deletes the hostname from the domain controller. In this case, the
/remove flag removes the
oldcomputername from the domain controller.
- Although not shown in the order of commands above this list of commands, parameters, and flags, this will enumerate the list of hostnames assigned to the domain controller. This flag does not require a parameter, so the colon after the enumerate flag is not needed.
shutdown /r /t 0
- This command reboots the server (hence,
/r) immediately (
/t 0. The
/t 0 flag and parameter is a timer.
- Not shown in the list of commands above. This command runs a diagnostic for the domain controller to make sure everything in the domain controller is working fine. There might be some errors and warnings, but if computers can login to the domain controller, it should be fine.
Because I did not know the commands myself, I must give credit to “The ICT Guy” (Twitter profile) for writing an article titled Correctly renaming a Domain Controller for a seamless easy migration. That article has been of great help to me since I am testing Windows Server 2016 Essentials edition as part of my virtual homelab setup. For example, I wanted to test the domain joining functionality in macOS and test an Active Directory integration in Nextcloud using an LDAP/AD integration app. LDAP stands for Lightweight Directory Access Protocol and is used for managing users and groups.
I hope I can be of help to Windows administrators.
When creating Linux containers for the purpos of joining them to an Active Directory Domain Controller, make sure the checkbox after the “Unprivileged Container” is unchecked. The “unprivileged container” checkbox is after the “Hostname” edit box. Unprivileged Linux containers won’t be able to join to an Active Directory. Essentially, I forgot to uncheck the “Unprivileged Container” and wasted hours of my time, but I consider time well spent when learning the hard way.
Proxmox has “Unprivileged Container” checked by default when creating a new Linux container. That option cannot be changed once a Linux container is created, so the Linux container will have to be deleted in order to start from scratch with “Unprivileged Container” unchecked.
Skip ahead to Long Version section for more details.
Who Is This Article For?
This article is for anyone who has experience with Proxmox. Proxmox is a Linux distribution and it comes with a web interface for running and managing virtual machines and Linux containers. This link will take you to the web page that explains how virtual machines and Linux containers work. The “long version” also mentions SSSD when I was troubleshooting issues while attempting to log into an Active Directory. System Security Services Daemon (SSSD, for short) is what enrolls a Linux client to an Active Directory. A “daemon” in Linux is another name for “services” in Windows that runs in the background. This article is intended for advanced Linux users only.
I wanted to see if I can implement Active Directory functionality without needing Windows Server operating system. A software called “Samba” lets me do just that, so I followed instructions on getting Samba’s Active Directory Domain Controller (AD-DC, for short) up and running. I set this up in a privileged Linux container. The reason why Linux containers need to have privileges is because when I did a search for “setresgid failed [Invalid argument]” (without quotes) in StartPage, I came across a page in GitHub titled Cannot log in with Active Directory users via SSSD on Proxmox #3153. That was when I created a new Linux container and I forgot to uncheck the “Unprivileged Container” checkbox. I did a lot of troubleshooting when I looked into
graysonpeddie.lan is my local domain name for my home network. This web page explains how to setup a Linux client for joining to a Samba domain. From what I have learned, if I execute an
id command in my Linux client:
uid=1451201106(gpeddie) gid=1451201104(grayson peddie) groups=1451201104(grayson peddie),1451200513(domain users)
According to the GitHub page that I linked earlier, the maximum user ID and group ID (UID and GID for short) is 65536 for an unprivileged Linux container. Within the issue page, the max UID and GID can be changed to 1000000000 or something higher. However, as this is for experienced Linux users who know the inner workings of Linux containers, the moral of the story is that “Unprivileged Container” needs to be unchecked in order for domain joining to work.
Bear in mind that privileged containers are not safe for businesses when it comes to attackers exploiting privileged Linux containers. And yes, it’s all about vulnerabilities and exploits when it comes to escaping Linux containers and causing damage to the host; however, for homelab purposes, a privileged Linux container is fine for my needs. If you are concerned about the security of Linux containers, spin up virtual machines instead of Linux containers in Proxmox. Of course, depending on your security hygiene, virtual machines can be as unsafe as privileged and unprivileged Linux containers if you do not have security precautions in place. For more details, learn more about privileged and unprivileged containers.
Update as of Thursday, October 27, 2022 at 10:00 AM EST
Ah… Just one small mistake. I forgot to properly close a heading-level 4 tag (H4) in the “Long Version” section. Yikes. Fixed.
I watched the video about whether the ransomware can be stopped and I scrolled down through the comment section. While reading comments, some people are suggesting that we switch to Linux because Linux is more secure compared to Windows. That is true that Linux is inherently secure compared to Windows and Mac; however, what if I were to tell you that if you are running Arch Linux, Fedora, Ubuntu, Solaris, FreeBSD, OpenBSD, Haiku OS, or just about any other operating systems in our planet that you can still fall victim to phishing attacks? If we all switch to a different operating system on a basis that one is more secure compared to other operating systems, then we are forgetting about our weakest link.
Let me ask you again. Who or what is the weakest link in the cybersecurity chain? It’s not Windows; we are the ones that need education so we can protect ourselves online.
No anti-malware, anti-virus, and anti-ransomware programs will protect you against ransomware attacks. And Linux and BSD operating systems won’t protect you from phishing emails either. What we need is cybersecurity awareness training. Businesses should establish cybersecurity awareness training. Here’s one example that shows a video about cybersecurity awareness training from Burgi Technologies. The video starts with email, which talks about safeguarding your email such as phishing, email attachments, and spam. Do note though that an email address can be spoofed, so if you receive a phishing email and the email address in the From field ends in
@paypal.com and the email claims to be from PayPal, you should simply go to PayPal’s website and check what is going on in your PayPal account. Plus, the security awareness training talks about passwords, malware (don’t forget that malware can target Linux computers as well), public Wi-Fi, and even IoT, such as thermostats, Google Nest cameras, and even light bulbs. Even a router needs to be protected as well. And don’t forget about social engineering as well.
Remember what I mentioned about PayPal? Phishing attacks is one of them. They can even call you over the phone by impersonating that someone is your employer. They might say it’s urgent and they need access to the username and password so they can access the network resources so they can do harm. In other words, they can manipulate you into disclosing confidential or sensitive information.
Regarding security question and answers, it’s convenient if you forget your password, but put in your correct information and once an attacker can scour the Internet tin order to look for information, they can click the “reset password” link, fill in the answers to questions, and once everything is correct, they can then reset the password so you cannot access your account any longer. This is where a password manager comes in. Your password manager of choice can remember gibberish answers to questions. For example:
Question: What is your boyfriend’s name?
Answer: I would like to say thank you to my friend 68dagbbzpTmR5.
Question: What is your first car you owned?
Answer: My beautiful-looking car is my bicycle and I love jverw89.TmZr
Question: What is your mother’s maiden name?
A lack of honesty can safeguard your account against information gathering so they can do harm to your account. That’s why a password manager such as Bitwarden can come in handy so that a password manager can help remember your gibberish answers to security questions. And no, security questions is not a security feature. If I know so much about you and I know your email address, I can gather information about you and reset your password by answering security questions without your knowledge. I know this is scary, but don’t let that scare you if you are using a password manager.
To take it a step further, I also make use of unique email addresses as aliases. I do not use plus addressing or catchall because I can create email addresses for my own domain name. I use different email addresses for different sites that I sign up for. For example, I gave pizzahut(at)example(dot)com to Pizza Hut, uber(at)example(dot)com for Uber, walmart(at)example(dot)com for Wal-Mart, bestbuy(at)example(dot)com, and so on and so forth. Not only is this good for security, unique email addresses enhances my privacy. Sure, this is not part of cybersecurity awareness training as employees may not have the luxury of having more than 1 email addresses, but I did this in order to take security into my own hands so that I won’t become a weakest link in the cybersecurity chain. Even if businesses said that they took security seriously, if one of my unique email addresses have been compromised in a breach and ends up in Have I Been Pwned, not only should I change the password using my password manager, I can change my email address right away. Why? I did this in order to dodge spam and phishing emails. Because I make use of unique email addresses, I get very little to no spam each month. If I do get spam email messages that lands in my spam or inbox folder and one of my unique email addresses were listed in the To field, I can consider my email address compromised and can track who sold or give away my email address and change my email address or stop doing business with them at any time, immediately delete my compromised email address, and move on with my life.
Don’t let Linux users tell you that you should switch to Linux no matter how inherently secure Linux is. At the end of the day, no matter how much we need to keep our operating systems and software up to date, we still are the weakest link in the cybersecurity chain. We still need to educate everyone in order to stay safe online. Linux is not a be-all-end-all solution to our security problems.