Computer

Buying and building a computer in July 2023 (Australia)

July 18, 2023 by Simon

If you want to build a computer in June 2023, now is a good time. The Bitcoin mining boom is over, and computer hardware is available and quite affordable. However, finding the right bargain and avoiding bad deals is challenging.

Computer Building/Hardware Acronyms

You may encounter several acronyms and terms related to hardware components and technologies when building a PC.

Here are some common PC-building acronyms before you read on

CPU: Central Processing Unit or processor (brain).
GPU: Graphics Processing Unit or Video Card that makes games run faster.
RAM: Random Access Memory is the memory that allows the computer to hold information after the computer is turned on
SSD: Solid-State Drive is where files are read from and written to; SSDs allow the computer to remember things. SSDs are much faster than HDDs
HDD: Hard Disk Drive is a storage device that lets the computer remember information once the power is turned off. HDDs are much cheaper than SSDs
PSU: Power Supply Unit is the component that turns 240V AC to 12V, 5V and 3.3V DC for computer components.
BIOS: Basic Input/Output System is the underlying menu of settings that allow the computer to start in a configured state.
UEFI: Unified Extensible Firmware Interface is a newer BIOS.
VRAM: Video Random Access Memory is the dedicated memory that is used by the graphics card (GPU) to allow it to run faster.
M.2: A form factor for solid-state drives and other devices
AIO: All-in-One (typically refers to liquid cooling solutions)
PSU: Power Supply Unit
MHz is the measurement used to indicate the speed of a computer part. 1Mhz = 1 Million cycles a second, 1Ghz is 1 Billion cycles a second.

Hardware Trends

DDR4 or DDR5 Memory?

Windows computer memory is moving on from DDR4 to DDR5 memory modules. DDR4 memory was introduced in 2014. DD4 memory modules could hold a maximum of 32GB each. Most mainboards have four memory slots maximum, and a 128MB maximum memory was the limit.

DDR5, however, allows 128GB per memory mobile; DDR5 has faster throughput but slower latency.

What are Memory Timings?

Explaining Memory Timings is best left to experts like Buildzoid.

DDR4 v DDR5

RANT: THE CAS LATENCY TIMING DOESN’T MATTER AS MUCH AS YOU THINK IT DOES

DDR5 vs DDR4 vs DDR3 Ram | i9-12900K | RTX 3090 | 4K Gaming Leaked!

What is the Optimal RAM Speed for DDR5?

“Buy DDR5 memory and a DDR5 mainboard unless you can get a bargain on a DDR4 memory and a mainboard.” I am using a DDR4 system.”

Memory Tip

Tip

“If you are buying DDR4, buy as much as you can afford now as it is hard to find memory above 64GB kits. Soon DDR4 will be unavailable.“

Memory Tip

Tip

Memory Timings

What are Memory Timings?

How Do Memory Timings Work?

What Are Memory Timings? CAS Latency, tRCD, tRP, & tRAS (Pt 1)

“Chasing faster memory timings is an area best left to the nerds with too much free time and money. Do not buy memory with the faster or slowest memory timings. Aim for the middle.

Memory Tip

Tip

fyi: About 20 brands sell memory, but only three companies make memory integrated-circuit chips for the brands to sell memory modules.

Image Description: *DDR5 memory module card, 3D rendering isolated on white background – Licenced from stock.adobe.com File 435293182*

The actual memory makers are Samsung Electronics, SK Hynix and Micron Technology.

Image Description: *Silicon monocrystalline wafer with microchips manufacturing used in fabrication of electronic integrated circuits. – Licenced from stock.adobe.com File 553638697*

One memory maker is not generally better; different Motherboards and Processors prefer different memory. Always check for compatible processors and memory with your mainboard manufacturer (here is my mainboard compatibility lists)

DDR Memory History (Official JDEC Standards)

Memory Standard	Year	Max Speed (MT/s)	Pre Fetch	Pins	Volts	Latency ns	Average Timings	Max Bandwidth MB/s	Max GB
DDR1 (200 ~ 400)	2000 ~ 2003	200 ~ 400 MT/s	2ns	240 pins	2.5~2.6v	12.5 ~ 20	2-2-2-20 ~ 3-4-4-15	1,600 ~ 3,200	4GB
DDR2 (400 ~1066)	2003 ~ 2006	200 ~ 533 MT/s	4ms	240 pins	1.8v	10 ~ 20	3-3-3-15 ~ 7-7-7-13	3,200 ~ 8,533	8GB
DDR3 (800 ~ 2133)	2007 ~ 2013	800 ~ 2133 MT/s	8ns	240 pins	1.5 ~ 1.35v	10 ~ 15	5-5-5-5-12.5 ~ 14-14-14-13	6,400 ~ 17,066	32GB
DDR4 (1600 ~ 3200)	2014 ~ 2019	1600 ~ 3200 MT/s	8ns	288 pins	1.2 ~ 1.05v	12.5 ~ 14.3	10-10-10-12.5 ~ 24-24-24-24-15	12,800 ~ 25,600	128GB
DDR5 (3200 ~ 7200)	2020 ~ ?	3200 ~ 7200 MT/s	16ns	288 pins	1.1v	13 ~ 18ns	22-22-22-? ~ 46-46-46-?	25,600 ~ 57,600	512GB

Memory standards over time

Here is a good write-up on why DDR5 is not faster (latency) than DDR3; unless you are after more throughput, then DDR4 is fine.

Processor Cores and Threads

Processors will be marketed as having so many cores or threads. In the olden days, in the year 2000 processors only had one core and one thread.

Snip OpenAI – Processor cores and threads are essential components of a central processing unit (CPU), which is the “brain” of a computer or a similar electronic device.

Processor Cores: A processor core is an independent processing unit within a CPU. It can execute instructions, perform calculations, and handle tasks independently. Modern CPUs typically have multiple cores, often ranging from two to dozens of cores, depending on the model and intended use.

Multiple cores allow for parallel processing, meaning that different cores can work simultaneously on different tasks, leading to increased overall processing power and improved multitasking capabilities.

Threads: A thread, in the context of computing, refers to a sequence of instructions that can be executed independently by a processor core. Threads are the basic units of execution within a program, and they allow for concurrent processing of multiple tasks.

Threads are often used to execute different parts of a program simultaneously, enabling parallelism and efficient utilization of processor resources. For example, in a web browser, one thread can handle user input, while another thread loads content from a web server. By dividing tasks into threads, programs can make better use of available CPU resources and provide a more responsive user experience.

Cores vs. Threads: The relationship between cores and threads is often described in terms of parallelism. Each core within a CPU can handle one thread at a time. However, modern CPUs often incorporate a technology called hyper-threading (Intel) or simultaneous multithreading (SMT) (AMD), which allows a single physical core to handle multiple threads simultaneously.

“A 6 core 12 thread Processor like the AMD 5600X or Intel Core i5 12400F 6 core 12 Thread processor is fine for most people.

Processor Tip

Tip

Intel is now making processors with Fast and slow (efficient) cores

AMD’s Next Processor (Ryzen 8000) will most likely have Performance and Efficiency cores

Pinless Processors

AMD and Intel have transitioned from having pins (PGA) on the bottom of processors.

“Finding a processor with no pins is the last thing on my shopping list. Buy on core/thread count.”

Processor Tip

Tip

Use this site to compare the speed of processors

“The more you spend on a processor, the faster it will be, Try and get newer generation processors over older ones.”

Processor Tip

Tip

Intel ARC Video Cards are an option instead of AMD and nVidia Cards

Intel has started to make Video cards to compete with the AMD and nVidia Monopoly

Intel video cards for gaming are fast for a first generation design

“The more you spend on a video card, the more likely it is a nVidia card. Older generation video cards like the 6750XT may be better value than the Newer 4060 or 4070.”

Video Card Tip

Tip

“If you need ray tracing in games or want to learn 3d game design get a nVidia video card. Get an AMD Radeon Video card if you prefer to save a dollar. Get an Intel ARC video card if you are not a serious gamer.”

Video Card Tip

Tip

Use this site to see how fast one video card is against another

Storage: HDD v SSD v M.2 NVME SSD’s

Snip OpenAI – HDD (Hard Disk Drive), SSD (Solid State Drive), and M.2 (Next Generation Form Factor) are different types of storage devices commonly used in computers. Here are the key differences between them:

HDD (Hard Disk Drive): HDDs are the traditional storage devices found in most computers for many years. They consist of one or more rotating magnetic disks, or platters, that store data. The data is read and written using a mechanical arm with a read/write head that moves across the spinning platters.

Advantages of HDDs:

Cost: HDDs are generally more affordable than SSDs.
Capacity: HDDs offer larger storage capacities, ranging from several hundred gigabytes (GB) to multiple terabytes (TB).
Long-term storage: HDDs are well-suited for long-term storage of large files and data archives.

Disadvantages of HDDs:

Speed: Compared to SSDs, HDDs are slower in terms of data access and transfer speeds due to the mechanical nature of their operation.
Fragility: HDDs are more prone to damage from physical shocks, such as drops or impacts, because of their mechanical components.

SSD (Solid State Drive): SSDs are a newer type of storage device that use flash memory technology to store data. They contain no moving parts, making them faster, more durable, and more energy-efficient than HDDs.

Advantages of SSDs:

Speed: SSDs offer significantly faster data access and transfer speeds than HDDs, resulting in improved system responsiveness and faster file operations.
Durability: Since SSDs have no moving parts, they are less susceptible to damage from physical shock and are more reliable for portable devices.
Energy efficiency: SSDs consume less power than HDDs, leading to longer battery life in laptops and reduced energy costs in desktop systems.

Disadvantages of SSDs:

Cost: SSDs are generally more expensive than HDDs, but prices have decreased over time.
Capacity: While SSDs are available in larger capacities, they tend to be more expensive at higher capacities compared to HDDs.

M.2 Storage: M.2 is a form factor specification for solid-state storage devices that connect directly to the motherboard of a computer. M.2 drives use the SATA or NVMe (Non-Volatile Memory Express) interface to communicate with the system.

Advantages of M.2 storage:

Speed: M.2 drives can leverage the NVMe protocol, which offers even faster data transfer speeds compared to traditional SATA-based SSDs.
Compact size: M.2 drives are small in size and do not require additional power or data cables, making them ideal for compact laptops and mini-PCs.
Versatility: M.2 slots on motherboards can accommodate different types of M.2 drives, including SATA and NVMe SSDs, providing flexibility in choosing storage options.

Disadvantages of M.2 storage:

Cost: M.2 drives tend to be more expensive than their equivalent SATA-based counterparts.
Limited compatibility: Older systems may not have M.2 slots or support the NVMe protocol, restricting the use of M.2 storage devices.

In summary, HDDs offer larger capacities at a lower cost but are slower and less durable compared to SSDs. SSDs, on the other hand, provide faster performance, better durability, and energy efficiency but come at a higher price. M.2 storage represents a form factor for SSDs that offers even faster speeds and compact size but can be more expensive and limited by compatibility with older systems. The choice between these storage options depends on factors such as budget, performance requirements, and storage capacity needs.

PCIE 5

PCIE3 v PCIe 4 v PCIE 5

“Most MainboardS can have multiple hard drives connected. Aim to have at least a 1TB M.2 NVMe SSD drive for Windows C Drive and a larger magnetic drive or SSD for files or games.”

Storage Tip

Tip

Recent Hardware Controversies

Laggy Intel 11th, 12th and 13th Generation Processors during Widnows 2D (non gaming 3D workloads)

Breakdown of the video above

“Windows 11 is faster with Intel 11th, 12th and 13th generation processors (lower latency). AMD are fine.”

Windows Tip

Tip

Melting Nvidia 12VHPWR connector

12 Pin Power connector (melting), measly performance gains (4000 series), Auto Overclock (asus), Nvida Price gouging, Intel power usage, video card crack gate, EVGA exit, cost cutting by 3rd party mo fused on video cards)

Melting Connectors

Buildzoid has a great breakdown of the issues

Cracking PCIe Connectors from large cards

High-end Video cards are now massive; the physical weight is causing stress on the main PCIe connector, and damage can kill the card.

NorthridgeFix and JaysTwoCents summed it up here

The repair of cracked video cards bu experts is pure voodoo

“Always mount your video card vertically or use a supporting bracket to prevent GPU sag and cracked boards.”

Video Card Support

Tip

Bad memory chips from flexing cards

KrisFix from German has a fantastic, technical breakdown of an issue when heavy video cards bend and flex the video cards circuit board and dislodges the memory chips. Manufacturers blame the customer and do not honour the warranty.

“Always mount your video card vertically or use a supporting bracket to prevent GPU sag.”

Video Card Support (Again)

Tip

Exploding AMD Ryzen 7000 Processors

Gamers Nexus did the best coverage of an issuer, with a few AMD Processors that exploded due to too many volts being applied when using the AMD Extended Profiles for Overclocking (EXPO) in the BIOS.

The actual investigative work was second to none.

Intel or AMD

I prefer AMD over Intel Processors. AMD Processors are better value and use a lot less power. The Intel 24 Core, 32 Thread Core i9 13900KS processor consumes 150W to 253W of power. The 16 core 32 thread AMD Ryzen 9 7950X uses 170W. The AMD processor has more PCIe lanes. The Intel 12900KS is about 15% faster, however, but I would not be able to live with the stuttering.

The Intel Processor uses too much power.

Current or last generation?

The nVidia 4000 Series video cards are a bit of a flop (melting power connector, too expensive etc). I switched to an AMD Radeon video card recently 9Radeon 6950XT 12GB) when my RTX 2080 water cooler died.

The Intel 11th, 12th and 13th generation is also a bit of a flop. I am happy with my AMDE Ryzen 5000 system. The AMD Ryzen 7000 series are not that much of a bargain.

Future Proofing

I would not focus on future-proofing your purchase, the best strategy is to buy a strong power supply and mainboard and upgrade your PC over time, keeping it current.

Essential Components

Power Supply

A power supply is possibly the most important component you can choose.

Johnny Gury shares a lot of his knowledge of Power Supplies here

A power supply essentially turns incoming mains AC voltage to 12v DC, 5v DC and or 3.3v DC. It can do this efficiently or not.

You will see these logos when choosing a power supply; some power supplies are more efficient than others.

“Buy a 750W or higher power supply with the highest efficiency you can afford. The power supply will only consume what it needs (not hre maximum)”

Power Supply

Tip

Over the life of a power supply (5 years), that is about 20,000 hours if it is on for 12 hours a day. a 15% power efficiency saving is quite a lot

My power supply allows for remote monitoring, here are my power supply readings.

My Power Supply Efficiency over 1 hour.

Minimum Components/Specifications

32GB memory, 6 core 12 threads, 2TB NVME storage

Part	Minimum	Part
Case	Minimum 6 cores and 12 threads	If you did not want a stock cooler, choose the best air cooler (the earth is not cooling down)
Power Supply	Minimum 750W	Corsair HX850M 850W 80 Plus Platinum
Mainboard	One that supports PCIE4 and has at least 1x M.2 hard drive slot.	ASUS TUF Gaming X570-Plus WiFi, AM4
Processor	Minumin 6 cores and 12 threads	Minimum 6 cores and 12 threads
Memory	G.Skill Trident Z Neo RGB 32GB (2x 16GB) DDR4 3600MHz CL16	F4-3600C16D-32GTZNC
Storage C:\	1TB PCIE4 M.2 NVMe drive	Corsair Force MP600 Core 1TB M.2 NVMe PCIe x4 Gen4 SSD
Storage Media	Any Western Digital Gold Hard Drive (5 Year Warranty, 2.5 Million MTBF)	4TB, 6TB, 8TB, 10TB, 14TB, 16TB, 18TB or 20TB
DVD-ROM	Not Required.	N/A
Processor Cooler	If you did not want a stock cooler choose the best air cooler (the earth is not cooling down)	Noctua NH-D15 Multi-Socket PWM CPU Cooler

Rough Parts I would buy

Australian Computer Component Retailers

When it comes time to purchasing computer parts, here are my favourite computer parts retailers in Australia that I use. I do not get a kickback from any of these retailers.

Scorpion Computers – https://www.scorptec.com.au/. Scorptec has great stock levels, ships fast (if items are in stock), and warranty returns are no problems. But prices can be a bit higher than in other stores. If parts need back ordering from suppliers, the estimated delay is never correct and do add seven days to the ETA.
MWave – https://www.mwave.com.au/ – MWave have reasonable prices, good stock levels and a mobile app. The only problem is shipping boxes are enormous (a small thermal paste was shipped in a 30x20cm box).
UMart – https://www.umart.com.au/ – UMart is honest, and stock and prices are never a problem.
PLE Computers – https://www.ple.com.au/ PLE is based in Western Australia and Victoria and is my go-to if NSW retailers are out of stock.
PC Case Gear – https://www.pccasegear.com/
ITech – https://www.i-tech.com.au/

Price Compare 7/7/2023

I searched site above for 1x AMD Ryzen 9 5950X AM4 Processor (16 core, 32 threads CPU, 3.4Ghz Base, 4.9GHz Boost)

Retailer	Price
https://www.scorptec.com.au/	$749
https://www.pccasegear.com/	$779
https://www.i-tech.com.au/	$779
https://www.mwave.com.au/	$809
https://www.ple.com.au/	$809
https://www.umart.com.au/	$1,239

It pays to shop around for each part.

Australian Retailer Search

To be honest, when I want to buy a part, I head over to https://staticice.com.au/ and search fo the part by name or model number.

Static Ice will show a list of stores that sell the product from cheapest to most expensive.

I then let my eyes scan the stores and bypass the stores I have never dealt with or had bad experiences with.

“When selecting multiple components for a computer, try and stick to one retailer as the delivery fees may add up if you split the order across multiple retailers.”

Lower Delivery Fees

Tip

PC Parts Picker

PC Parts Picker (Australia) is also a great way to monitor prices with less work.

PC Parts Picker have price trends

CPU Price Trend

GPU Price Trend

Pre Built PCs

If building a PC is too much, you can always buy a pre-built gaming PC built by a retailer.

Scorptec: Gaming PC | Best Gaming Computers Australia | Scorptec Computers

MWave: Mwave Gaming PCs | Mwave

PC Case Gear: Best Gaming PC Australia | PC Case Gear Ready to Ship Gaming PCs

PLE: Shop Ready to go | PLE Computers

UMart: Gaming PCs | Desktop Computers | Laptops & Computers (umart.com.au)

This was supposed to be a short post to help some friends. I think I will end now and save some eyeballs.

Fyi, Here are my sytem stats and temps

I am moving away from Apple hardware

February 3, 2019 by Simon

My Late 2012 Mac Book Pro Retina laptop is all but dead, it has many dead pixels and because of the poor cooling and is NOT a joy to use anymore. It does not “JUST WORK” and personally, I do not think “thinner” laptops can handle Australian summers as its hardware cooling it inadequate above 40c air temperatures.

My laptop processor would spend more time thermal throttling (at 104c) in Web Browsers and text editors that at normal speeds. Opening up productivity apps like Photoshop or Premiere Pro would send the laptop into meltdown.

Frequent high temps were common.

Attempted Fixes

Warning Disclaimer: My laptop is out of warranty and I know my way around the inside of computer hardware without zapping it. Do not attempt to open your laptop unless you know what you are doing, have backed up your data and are prepared to brick your computer.

I removed dust from inside the laptop.
I tried to only use the laptop refrigerative air conditioning
I replaced the thermal paste on the CPU and GPU (3 times)
I reinstalled OSX Mojave and reset the SMC and PRAM multiple times.
I ran the fans at 100% (see post here), The fans were operating at full capacity and were not broken.

The stock thermal paste was crusty after 5 years. The plastic CPU/GPU cover was visibly cooked.

I ordered some new Thermal grizzly thermal paste, I had some older silicone paste on hand just in case.

After many reapplications of the Thermal Grizzly, the older silicone paste seemed to work the better???

After a few months, all of the fixes above did not seem to work. OSX Mojave would spin up the CPU and GPU into a frenzy overloading the single heat pipe within minutes.

Time to try some more drastic cooling modifications?

I tried improving the efficiency of the single (copper) heat pipe that is shared between an Intel i7 2.6 GHz and an Nvidia Video Card by removing the black paint by stripping the paint with acetone.

I manually removed paint from in between the heat sink fins with a LED to reveal the metal.

I reinstalled the heat pipe with high hopes? That looks nice 🙂

I removed the old thermal paste and added new paste. First I tried Thermal Grizzly Cryonaut. I re-applied the paste three separate times as each application was not that much better than the old crusty stock paste from Apple. Did I have a bad batch of Thermal Grizzly?, It seemed thick and not very viscous. I ended up using an old tube of silicone paste (the white stuff) as my Arctic Silver was too old to try and I did not want to order more.

With the silicone paste applied and the paint removed temperatures were about 15c lower at max, I still had frequent thermal throttling but at least I had a reserve buffer.

This was all before the Aussie Heatwaves and high temperatures soon returned.

Is there still room for improvement?

How heat pipes work

Heat pipes have an evaporating (hot part) and condensing zone (cool part) on the heat pipe. I noticed Apple’s “stock” condensing fins were small, would improving this zone help?. Time to improve the condensers zones by adding larger copper heat sinks to the bare side of the heat pipe.

I purchased a few copper Xeon/Sun server sized heat sinks and thermal epoxied them to the condensing end of the heat pipe. Yes, they would protrude out the bottom of the case but #Meh. I can fix that by extending the base of the laptop down and making it thicker (old school style).

The server heat sinks arrived

I cut the heat sinks in half.

I packed the fins with paper before cutting to ensure the cut did not damage the fins.

After cutting, I wiped the copper heat sinks with vinegar to restore the surface to a nice copper shine.

I tested the heat sink idea with silicone paste first

Temps were 25c lower, Now it’s time to use Arctic Silver Thermal Epoxy

I applied the Thermal Epoxy to the heat pipe (I temporary had foil strips above the fans so I did not block them while the epoxy dried.

I then stuck the heat sink’s to the heat pipe (with Arctic Silver Thermal Epoxy).

I toyed with a clear case but decided against it for static electricity and stability reasons.

I purchased a second Mac Book base for so I could cut holes for the heat sinks to protrude and use the original base to hide the modification.

I made a 30 mm base wall so I could use it as a wall between the laptop base and the new 30mm lower base.

I added some 5-volt and 12 -volt fans inside the new extended 30mm base.

Finished Product

A normal looking Mac Book except for the 30mm lower base and internal 5V or 12V fans.

External power plugs on the left side, I will add lights at a later stage.

Are the temps lower?

Videos

Video: Mac Book Pro cooling mod, I can now watch 1080p videos without maxing the CPU

Video: Mac Book Pro cooling mod with external powered 5v or 12v fans

Conclusion

50c lower temps are nicer at idle but in Premiere Pro (exporting video) the laptop was still thermal throttling like mad and temps were terrible (100+). Lets not get started when I start some development VM’s

Conclusion 2 weeks later

This is still not a joy to use. I don’t think I have the right to expect a 5-year-old laptop to keep up running a CPU/GPU intensive OS and applications.

Time to buy a new computer, Apple still makes thin and overheating laptops by the looks of it?

Maybe I need to buy a fridge to stick a computer in a fridge to use these days?

YouTube users indicate Apple has a problem with heat.

What computer do I get next?

Not an Apple made one. I will be moving back to Windows for local development and Linux on servers

Dell Alienware has many heat pipes.

Acer Predator 500

I read a few reviews (e.g this one from Ultra book reviews) and Acer have good cooling.

MSI GT Series laptops look the best if cooling is important.

Or should I build a custom desktop with way more cores

CPU: Threadripper 2950X 16C 32T

SSD: M.2 SSD: Samsung 970 PRO 512GB
MOBO: Asus Zenith Extreme
Power: Corsair RM1000x 1000W
MEM: Quad 3600 Mhz
GPU: AMD Radeon VII Navi 3980

Thanks for reading.

v1.3 Added videos

v1.2 Updated alt tag descriptions

v1.1 Added “I will be moving back to Windows for local development and Linux on servers”

1.0 Initial Draft

Run an Ubuntu VM system audit with Lynis

September 11, 2017 by Simon

Following on from my Securing Ubuntu in the cloud blog post I have installed Lynis open source security audit tool to check out to the security of my server in the cloud.

Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defences of their Linux and Unix-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners. https://cisofy.com/lynis and https://github.com/CISOfy/lynis.

It is easy to setup a server in the cloud (create a server on Vultr or Digital Ocean here). Guides on setting up servers exist ( setup up a Vultr VM and configure it and digital ocean server) but how about securing it? You can install a LetsEncrypt SSL certificate in minutes or setup Content Security Policy and Public Key Pinning but don’t forget to get an external in-depth review of the security of your server(s).

Lynis Security Auditing Tool

Preparing install location (for Lynis)

cd /
mkdir utils
cd utils/

Install Lynis

sudo git clone https://www.github.com/CISOfy/lynis
Cloning into 'lynis'...
remote: Counting objects: 8357, done.
remote: Compressing objects: 100% (45/45), done.
remote: Total 8357 (delta 28), reused 42 (delta 17), pack-reused 8295
Receiving objects: 100% (8357/8357), 3.94 MiB | 967.00 KiB/s, done.
Resolving deltas: 100% (6121/6121), done.
Checking connectivity... done.

Running a Lynus system scan

./lynis audit system -Q

Lynis Results 1/3 Output (removed sensitive output)

[ Lynis 2.5.5 ]

################################################################################
  Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
  welcome to redistribute it under the terms of the GNU General Public License.
  See the LICENSE file for details about using this software.

  2007-2017, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)
################################################################################


[+] Initializing program
------------------------------------
- Detecting OS...  [ DONE ]
- Checking profiles... [ DONE ]

  ---------------------------------------------------
  Program version:           2.5.5
  Operating system:          Linux
  Operating system name:     Ubuntu Linux
  Operating system version:  16.04
  Kernel version:            4.4.0
  Hardware platform:         x86_64
  Hostname:                  yourservername
  ---------------------------------------------------
  Profiles:                  /linis/lynis/default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  Plugin directory:          ./plugins
  ---------------------------------------------------
  Auditor:                   [Not Specified]
  Test category:             all
  Test group:                all
  ---------------------------------------------------
- Program update status...  [ NO UPDATE ]

[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system binaries...

[+] Plugins (phase 1)
------------------------------------
: plugins have more extensive tests and may take several minutes to complete - Plugin pam
    [..]
- Plugin systemd
    [................]

[+] Boot and services
------------------------------------
- Service Manager [ systemd ]
- Checking UEFI boot [ DISABLED ]
- Checking presence GRUB [ OK ]
- Checking presence GRUB2 [ FOUND ]
- Checking for password protection [ OK ]
- Check running services (systemctl) [ DONE ]
: found 24 running services
- Check enabled services at boot (systemctl) [ DONE ]
: found 30 enabled services
- Check startup files (permissions) [ OK ]

[+] Kernel
------------------------------------
- Checking default run level [ RUNLEVEL 5 ]
- Checking CPU support (NX/PAE)
 support: PAE and/or NoeXecute supported [ FOUND ]
- Checking kernel version and release [ DONE ]
- Checking kernel type [ DONE ]
- Checking loaded kernel modules [ DONE ]
active modules
- Checking Linux kernel configuration file [ FOUND ]
- Checking default I/O kernel scheduler [ FOUND ]
- Checking for available kernel update [ OK ]
- Checking core dumps configuration [ DISABLED ]
- Checking setuid core dumps configuration [ PROTECTED ]
- Check if reboot is needed [ NO ]

[+] Memory and Processes
------------------------------------
- Checking /proc/meminfo [ FOUND ]
- Searching for dead/zombie processes [ OK ]
- Searching for IO waiting processes [ OK ]

[+] Users, Groups and Authentication
------------------------------------
- Administrator accounts [ OK ]
- Unique UIDs [ OK ]
- Consistency of group files (grpck) [ OK ]
- Unique group IDs [ OK ]
- Unique group names [ OK ]
- Password file consistency [ OK ]
- Query system users (non daemons) [ DONE ]
- NIS+ authentication support [ NOT ENABLED ]
- NIS authentication support [ NOT ENABLED ]
- sudoers file [ FOUND ]
- Check sudoers file permissions [ OK ]
- PAM password strength tools [ OK ]
- PAM configuration files (pam.conf) [ FOUND ]
- PAM configuration files (pam.d) [ FOUND ]
- PAM modules [ FOUND ]
- LDAP module in PAM [ NOT FOUND ]
- Accounts without expire date [ OK ]
- Accounts without password [ OK ]
- Checking user password aging (minimum) [ DISABLED ]
- User password aging (maximum) [ DISABLED ]
- Checking expired passwords [ OK ]
- Checking Linux single user mode authentication [ OK ]
- Determining default umask
- umask (/etc/profile) [ NOT FOUND ]
- umask (/etc/login.defs) [ SUGGESTION ]
- umask (/etc/init.d/rc) [ SUGGESTION ]
- LDAP authentication support [ NOT ENABLED ]
- Logging failed login attempts [ ENABLED ]

[+] Shells
------------------------------------
- Checking shells from /etc/shells
: found 6 shells (valid shells: 6).
- Session timeout settings/tools [ NONE ]
- Checking default umask values
- Checking default umask in /etc/bash.bashrc [ NONE ]
- Checking default umask in /etc/profile [ NONE ]

[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ SUGGESTION ]
- Checking /tmp mount point [ SUGGESTION ]
- Checking /var mount point [ SUGGESTION ]
- Query swap partitions (fstab) [ NONE ]
- Testing swap partitions [ OK ]
- Testing /proc mount (hidepid) [ SUGGESTION ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- ACL support root file system [ ENABLED ]
- Mount options of / [ NON DEFAULT ]
- Checking Locate database [ FOUND ]
- Disable kernel support of some filesystems
- Discovered kernel modules: cramfs freevxfs hfs hfsplus jffs2 udf 

[+] Storage
------------------------------------
- Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
- Checking USB devices authorization [ ENABLED ]
- Checking firewire ohci driver (modprobe config) [ DISABLED ]

[+] NFS
------------------------------------
- Check running NFS daemon [ NOT FOUND ]

[+] Name services
------------------------------------
- Searching DNS domain name [ UNKNOWN ]
- Checking /etc/hosts
- Checking /etc/hosts (duplicates) [ OK ]
- Checking /etc/hosts (hostname) [ OK ]
- Checking /etc/hosts (localhost) [ SUGGESTION ]
- Checking /etc/hosts (localhost to IP) [ OK ]

[+] Ports and packages
------------------------------------
- Searching package managers
- Searching dpkg package manager [ FOUND ]
- Querying package manager
- Query unpurged packages [ NONE ]
- Checking security repository in sources.list file [ OK ]
- Checking APT package database [ OK ]
- Checking vulnerable packages [ OK ]
- Checking upgradeable packages [ SKIPPED ]
- Checking package audit tool [ INSTALLED ]

[+] Networking
------------------------------------
- Checking IPv6 configuration [ ENABLED ]
 method [ AUTO ]
 only [ NO ]
- Checking configured nameservers
- Testing nameservers
: 108.xx.xx.xx [ OK ]
: 2001:xxx:xxx:xxx::6 [ OK ]
- Minimal of 2 responsive nameservers [ OK ]
- Checking default gateway [ DONE ]
- Getting listening ports (TCP/UDP) [ DONE ]
* Found 18 ports
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client [ NOT ACTIVE ]
- Checking for ARP monitoring software [ NOT FOUND ]

[+] Printers and Spools
------------------------------------
- Checking cups daemon [ NOT FOUND ]
- Checking lp daemon [ NOT RUNNING ]

[+] Software: e-mail and messaging
------------------------------------
- Sendmail status [ RUNNING ]

[+] Software: firewalls
------------------------------------
- Checking iptables kernel module [ FOUND ]
- Checking iptables policies of chains [ FOUND ]
- Checking for empty ruleset [ OK ]
- Checking for unused rules [ FOUND ]
- Checking host based firewall [ ACTIVE ]

[+] Software: webserver
------------------------------------
- Checking Apache (binary /usr/sbin/apache2) [ FOUND ]
: No virtual hosts found
* Loadable modules [ FOUND (106) ]
- Found 106 loadable modules 
- anti-DoS/brute force [ OK ]
- web application firewall [ OK ]
- Checking nginx [ FOUND ]
- Searching nginx configuration file [ FOUND ]
- Found nginx includes [ 2 FOUND ]
- Parsing configuration options
- /etc/nginx/nginx.conf
- /etc/nginx/sites-enabled/default
- SSL configured [ YES ]
- Ciphers configured [ YES ]
- Prefer server ciphers [ YES ]
- Protocols configured [ YES ]
- Insecure protocols found [ NO ]
- Checking log file configuration
- Missing log files (access_log) [ NO ]
- Disabled access logging [ NO ]
- Missing log files (error_log) [ NO ]
- Debugging mode on error_log [ NO ]

[+] SSH Support
------------------------------------
- Checking running SSH daemon [ FOUND ]
- Searching SSH configuration [ FOUND ]
- SSH option: AllowTcpForwarding [ SUGGESTION ]
- SSH option: ClientAliveCountMax [ SUGGESTION ]
- SSH option: ClientAliveInterval [ OK ]
- SSH option: Compression [ SUGGESTION ]
- SSH option: FingerprintHash [ OK ]
- SSH option: GatewayPorts [ OK ]
- SSH option: IgnoreRhosts [ OK ]
- SSH option: LoginGraceTime [ OK ]
- SSH option: LogLevel [ SUGGESTION ]
- SSH option: MaxAuthTries [ SUGGESTION ]
- SSH option: MaxSessions [ SUGGESTION ]
- SSH option: PermitRootLogin [ SUGGESTION ]
- SSH option: PermitUserEnvironment [ OK ]
- SSH option: PermitTunnel [ OK ]
- SSH option: Port [ SUGGESTION ]
- SSH option: PrintLastLog [ OK ]
- SSH option: Protocol [ OK ]
- SSH option: StrictModes [ OK ]
- SSH option: TCPKeepAlive [ SUGGESTION ]
- SSH option: UseDNS [ OK ]
- SSH option: VerifyReverseMapping [ NOT FOUND ]
- SSH option: X11Forwarding [ SUGGESTION ]
- SSH option: AllowAgentForwarding [ SUGGESTION ]
- SSH option: AllowUsers [ NOT FOUND ]
- SSH option: AllowGroups [ NOT FOUND ]

[+] SNMP Support
------------------------------------
- Checking running SNMP daemon [ NOT FOUND ]

[+] Databases
------------------------------------
- MySQL process status [FOUND ]

[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance [ NOT FOUND ]

[+] PHP
------------------------------------
- Checking PHP [ FOUND ]
- Checking PHP disabled functions [ FOUND ]
- Checking expose_php option [ OFF ]
- Checking enable_dl option [ OFF ]
- Checking allow_url_fopen option [ ON ]
- Checking allow_url_include option [ OFF ]
- Checking PHP suhosin extension status [ OK ]
- Suhosin simulation mode status [ OK ]

[+] Squid Support
------------------------------------
- Checking running Squid daemon [ NOT FOUND ]

[+] Logging and files
------------------------------------
- Checking for a running log daemon [ OK ]
- Checking Syslog-NG status [ NOT FOUND ]
- Checking systemd journal status [ FOUND ]
- Checking Metalog status [ NOT FOUND ]
- Checking RSyslog status [ FOUND ]
- Checking RFC 3195 daemon status [ NOT FOUND ]
- Checking minilogd instances [ NOT FOUND ]
- Checking logrotate presence [ OK ]
- Checking log directories (static list) [ DONE ]
- Checking open log files [ DONE ]
- Checking deleted files in use [ FILES FOUND ]

[+] Insecure services
------------------------------------
- Checking inetd status [ NOT ACTIVE ]

[+] Banners and identification
------------------------------------
- /etc/issue [ FOUND ]
- /etc/issue contents [ OK ]
- /etc/issue.net [ FOUND ]
- /etc/issue.net contents [ OK ]

[+] Scheduled tasks
------------------------------------
- Checking crontab/cronjob [ DONE ]
- Checking atd status [ RUNNING ]
- Checking at users [ DONE ]
- Checking at jobs [ NONE ]

[+] Accounting
------------------------------------
- Checking accounting information [ NOT FOUND ]
- Checking sysstat accounting data [ NOT FOUND ]
- Checking auditd [ NOT FOUND ]

[+] Time and Synchronization
------------------------------------
- NTP daemon found: ntpd [ FOUND ]
- NTP daemon found: systemd (timesyncd) [ FOUND ]
- Checking for a running NTP daemon or client [ OK ]
- Checking valid association ID's [ FOUND ]
- Checking high stratum ntp peers [ OK ]
- Checking unreliable ntp peers [ FOUND ]
- Checking selected time source [ OK ]
- Checking time source candidates [ OK ]
- Checking falsetickers [ OK ]
- Checking NTP version [ FOUND ]

[+] Cryptography
------------------------------------
- Checking for expired SSL certificates [0/1] [ NONE ]

[+] Virtualization
------------------------------------

[+] Containers
------------------------------------

[+] Security frameworks
------------------------------------
- Checking presence AppArmor [ FOUND ]
- Checking AppArmor status [ ENABLED ]
- Checking presence SELinux [ NOT FOUND ]
- Checking presence grsecurity [ NOT FOUND ]
- Checking for implemented MAC framework [ OK ]

[+] Software: file integrity
------------------------------------
- Checking file integrity tools
- Checking presence integrity tool [ NOT FOUND ]

[+] Software: System tooling
------------------------------------
- Checking automation tooling
- Automation tooling [ NOT FOUND ]
- Checking presence of Fail2ban [ FOUND ]
- Checking Fail2ban jails [ ENABLED ]
- Checking for IDS/IPS tooling [ FOUND ]

[+] Software: Malware
------------------------------------

[+] File Permissions
------------------------------------
- Starting file permissions check
/root/.ssh [ OK ]

[+] Home directories
------------------------------------
- Checking shell history files [ OK ]

[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- fs.protected_hardlinks (exp: 1) [ OK ]
- fs.protected_symlinks (exp: 1) [ OK ]
- fs.suid_dumpable (exp: 0) [ DIFFERENT ]
- kernel.core_uses_pid (exp: 1) [ DIFFERENT ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.dmesg_restrict (exp: 1) [ DIFFERENT ]
- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
- kernel.randomize_va_space (exp: 2) [ OK ]
- kernel.sysrq (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ DIFFERENT ]
- net.ipv4.tcp_timestamps (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]

[+] Hardening
------------------------------------
- Installed compiler(s) [ FOUND ]
- Installed malware scanner [ NOT FOUND ]

[+] Custom Tests
------------------------------------
- Running custom tests...  [ NONE ]

[+] Plugins (phase 2)
------------------------------------
- Plugins (phase 2) [ DONE ]

================================================================================

...

Lynis Results 2/3 – Warnings

  Warnings (1):
  ----------------------------
  ! Found one or more vulnerable packages. [REMOVED-FIXED] 
      https://cisofy.com/controls/REMOVED-FIXED/
...

I resolved the only warning by typing

apt-get update
apt-get upgrade
shutdown -r now

After updating the Lynis system scan I re-ran the text and got

 -[ Lynis 2.5.5 Results ]-

  Great, no warnings

Lynis Results 3/3 – Suggestions

  Suggestions (44):
  ----------------------------
  * Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password) [BOOT-5122] 
      https://cisofy.com/controls/BOOT-5122/

  * Configure minimum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/controls/AUTH-9286/

  * Configure maximum password age in /etc/login.defs [AUTH-9286] 
      https://cisofy.com/controls/AUTH-9286/

  * Default umask in /etc/login.defs could be more strict like 027 [AUTH-9328] 
      https://cisofy.com/controls/AUTH-9328/

  * Default umask in /etc/init.d/rc could be more strict like 027 [AUTH-9328] 
      https://cisofy.com/controls/AUTH-9328/

  * To decrease the impact of a full /home file system, place /home on a separated partition [FILE-6310] 
      https://cisofy.com/controls/FILE-6310/

  * To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310] 
      https://cisofy.com/controls/FILE-6310/

  * To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310] 
      https://cisofy.com/controls/FILE-6310/

  * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] 
      https://cisofy.com/controls/STRG-1840/

  * Check DNS configuration for the dns domain name [NAME-4028] 
      https://cisofy.com/controls/NAME-4028/

  * Split resolving between localhost and the hostname of the system [NAME-4406] 
      https://cisofy.com/controls/NAME-4406/

  * Install debsums utility for the verification of packages with known good database. [PKGS-7370] 
      https://cisofy.com/controls/PKGS-7370/

  * Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades [PKGS-7392] 
      https://cisofy.com/controls/PKGS-7392/

  * Install package apt-show-versions for patch management purposes [PKGS-7394] 
      https://cisofy.com/controls/PKGS-7394/

  * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] 
      https://cisofy.com/controls/NETW-3032/

  * Check iptables rules to see which rules are currently not used [FIRE-4513] 
      https://cisofy.com/controls/FIRE-4513/

  * Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640] 
      https://cisofy.com/controls/HTTP-6640/

  * Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643] 
      https://cisofy.com/controls/HTTP-6643/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowTcpForwarding (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : ClientAliveCountMax (3 --> 2)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Compression (DELAYED --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : LogLevel (INFO --> VERBOSE)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxAuthTries (2 --> 1)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : MaxSessions (10 --> 2)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : PermitRootLogin (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Port (22 --> )
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : TCPKeepAlive (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : X11Forwarding (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : AllowAgentForwarding (YES --> NO)
      https://cisofy.com/controls/SSH-7408/

  * Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [PHP-2376] 
      https://cisofy.com/controls/PHP-2376

  * Check what deleted files are still in use and why. [LOGG-2190] 
      https://cisofy.com/controls/LOGG-2190/

  * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] 
      https://cisofy.com/controls/BANN-7126/

  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] 
      https://cisofy.com/controls/BANN-7130/

  * Enable process accounting [ACCT-9622] 
      https://cisofy.com/controls/ACCT-9622/

  * Enable sysstat to collect accounting (no results) [ACCT-9626] 
      https://cisofy.com/controls/ACCT-9626/

  * Enable auditd to collect audit information [ACCT-9628] 
      https://cisofy.com/controls/ACCT-9628/

  * Check ntpq peers output for unreliable ntp peers and correct/replace them [TIME-3120] 
      https://cisofy.com/controls/TIME-3120/

  * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] 
      https://cisofy.com/controls/FINT-4350/

  * Determine if automation tools are present for system management [TOOL-5002] 
      https://cisofy.com/controls/TOOL-5002/

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] 
      https://cisofy.com/controls/KRNL-6000/

  * Harden compilers like restricting access to root user only [HRDN-7222] 
      https://cisofy.com/controls/HRDN-7222/

  * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] 
    - Solution : Install a tool like rkhunter, chkrootkit, OSSEC
      https://cisofy.com/controls/HRDN-7230/

  Follow-up
  ----------------------------
  - Show details of a test (lynis show details TEST-ID)
  - Check the logfile for all details (less /var/log/lynis.log)
  - Read security controls texts (https://cisofy.com)
  - Use --upload to upload data to central system (Lynis Enterprise users)

================================================================================

  Lynis security scan details

  Hardening index : 64 [############        ]
  Tests performed : 255
  Plugins enabled : 2

  Components
  - Firewall               [V]
  - Malware scanner        [X]

  Lynis Modules
  - Compliance Status      [?]
  - Security Audit         [V]
  - Vulnerability Scan     [V]

  Files
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat

================================================================================

  Lynis 2.5.5

  Auditing, system hardening, and compliance for UNIX-based systems
  (Linux, macOS, BSD, and others)

  2007-2017, CISOfy - https://cisofy.com/lynis/
  Enterprise support available (compliance, plugins, interface and tools)

================================================================================

  [TIP] Enhance Lynis audits by adding your settings to custom.prf (see /linis/lynis/default.prf for all settings)

Installing a Malware Scanner

Install ClamAV

sudo apt-get install clamav

Download virus and malware definitions (this takes about 30 min)

sudo freshclam

Output:

sudo freshclam
> ClamAV Update process started at Wed Nov 15th 20:44:55 2017
> Downloading main.cvd [10%]

I had an issue on some boxes with clamav reporting I could not run freshclam

sudo freshclam
ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

This was fixed by typing

rm -rf /var/log/clamav/freshclam.log
sudo freshclam

Troubleshooting clamav

Clam AV does not like low ram boxes and may produce this error

Downloading main.cvd [100%]
ERROR: Database load killed by signal 9
ERROR: Failed to load new database

It looks like the solution is to increase your total ram.

fyi: Scan with ClamAV

sudo clamscan --max-filesize=3999M --max-scansize=3999M --exclude-dir=/www/* -i -r /

Re-running Lynis gave me the following malware status

- Malware scanner        [V]

Lynis Security rating

Hardening index : 69 [##############      ]

Installed

sudo apt-get install apt-show-versions
sudo apt-get install arpwatch
sudo apt-get install arpon

After re-running the test I got this Lynis security rating score (an improvement of 1)

Hardening index : 70 [#############       ]

Installed and configured debsums and auditd

sudo apt-get install debsums
sudo apt-get install audit

Now I get the following Lynis security rating score.

Hardening index : 71 [##############      ]

Conclusion

Lynis is great at performing an audit and recommending areas of work to allow you to harden your system (brute force protection, firewall, etc)

Security Don’ts

Never think you are done securing a system.

Security Do’s

Update Software (and remove software you do not use.)
Check Lynis Suggestions and try and resolve.
Security is an ongoing process, Do install a firewall, do ban bad IP’s, Do whitelist good IP’s, Do review Logs,
Do limit port access, make backups and keep on securing.

I will keep on securing and try and get remove all issues.

Read my past post on Securing Ubuntu in the cloud.

Scheduling an auto system updates is not enough in Ubuntu (as it is not recommended as the administrator should make decisions, not a scheduled job).

apt-get update
apt-get upgrade

fyi: CISOFY/Lynis do have paid subscriptions to have external scans of your servers: https://cisofy.com/pricing. (why upgrade?)

I will look into this feature soon.

Updating Lynis

I checked the official documentation and ran an update check

./lynis --check-update
This option is deprecated
Use: lynis update info

./lynis update info

 == Lynis ==

  Version            : 2.5.5
  Status             : Outdated
  Installed version  : 255
  Latest version     : 257
  Release date       : 2017-09-07
  Update location    : https://cisofy.com/lynis/


2007-2017, CISOfy - https://cisofy.com/lynis/

Not sure how to update?

./lynis update
Error: Need a target for update

Examples:
lynis update check
lynis update info

./lynis update check
status=outdated

I opened an issue about updating v2.5.5 here. I asked Twiter for help.

Official Response: https://packages.cisofy.com/community/#debian-ubuntu

Waiting..

I ended up deleting Lynis 2.5.5

ls -al
rm -R *
rm -rf *
rm -rf .git
rm -rf .gitignore
rm -rf .travis.yml
cd ..
rm -R lynis/
ls -al

Updated

./lynis update check
status=up-to-date

And reinstalled to v2.5.8

sudo git clone https://www.github.com/CISOfy/lynis

Output:

sudo git clone https://www.github.com/CISOfy/lynis
Cloning into 'lynis'...
remote: Counting objects: 8538, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 8538 (delta 0), reused 0 (delta 0), pack-reused 8534
Receiving objects: 100% (8538/8538), 3.96 MiB | 2.01 MiB/s, done.
Resolving deltas: 100% (6265/6265), done.
Checking connectivity... done.

Securing Ubuntu in the cloud

August 9, 2017 by Simon

It is easy to deploy servers to the cloud within a few minutes, you can have a cloud-based server that you (or others can use). ubuntu has a great guide on setting up basic security issues but what do you need to do.

If you do not secure your server expects it to be hacked into. Below are tips on securing your cloud server.

First, read more on scanning your server with Lynis security scan.

Always use up to date software

Always use update software, malicious users can detect what software you use with sites like shodan.io (or use port scan tools) and then look for weaknesses from well-published lists (e.g WordPress, Windows, MySQL, node, LifeRay, Oracle etc). People can even use Google to search for login pages or sites with passwords in HTML (yes that simple). Once a system is identified by a malicious user they can send automated bots to break into your site (trying millions of passwords a day) or use tools to bypass existing defences (Security researcher Troy Hunt found out it’s child’s play).

Portscan sites like https://mxtoolbox.com/SuperTool.aspx?action=scan are good for knowing what you have exposed.

You can also use local programs like nmap to view open ports

Instal nmap

sudo apt-get install nmap

Find open ports

nmap -v -sT localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-08 23:57 AEST
Initiating Connect Scan at 23:57
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 9101/tcp on 127.0.0.1
Discovered open port 9102/tcp on 127.0.0.1
Discovered open port 9103/tcp on 127.0.0.1
Completed Connect Scan at 23:57, 0.05s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00020s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
9101/tcp open  jetdirect
9102/tcp open  jetdirect
9103/tcp open  jetdirect

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

Limit ssh connections

How to upgrade an AWS free tier EC2 t2.micro instance to an on demand t2.medium server

July 9, 2017 by Simon

Amazon Web Services have a great free tier where you can develop with very little cost. The free tier Linux server is a t2.micro server (1 CPU, low to moderate IO, 1GB memory with 750 hours or CPU usage). The free tier limits are listed here. Before you upgrade can you optimize or cache content to limit usage?

When you are ready to upgrade resources you can use this cost calculator to set your region (I am in the Sydney region) and estimate your new costs.

You can also check out the ec2instances.info website for regional prices.

Current Server Usage

I have an NGINX Server with a NodeJS back powering an API that talks to a local MySQL database and Remote MongoDB Cluster ( on AWS via http://www.mongodb.com/cloud/ ). The MongoDB cluster was going to cost about $120 a month (too high for testing an app before launch). The Free tier AWS instance is running below the 20% usage limit so this costs nothing (on the AWS free tier).

You can monitor your instance usage and credit in the Amazon Management Console, keep an eye on the CPU usage and CPU Credit and CPU Credit Balance. If the CPU usage grows and balance drops you may need to upgrade your server to prevent usage charges.

I prefer the optional htop command in Ubuntu to keep track of memory and processes usage.

Basic information from AWS t1.micro (idle)

Older htop screenshot of a dual CPU VM being stressed.

Future Requirements

I plan on moving a non-cluster MongoDB database onto an upgraded AWS free tier instance and develop and test there and when and if a scalable cluster is needed I can then move the database back to http://www.mongodb.com/cloud/.

First I will need to upgrade my Free tier EC2 instance to be able to install MongoDB 3.2 and power more local processing. Upgrading will also give me more processing power to run local scripts (instead of hosting them in Singapore on Digital Ocean).

How to upgrade a t2.micro to t2.medium

The t2.medium server has 2 CPU’s, 4 GB of memory and Low to Moderate IO.

Backup your server in AWS (and manual backup).
Shutdown the server with the command sudo shutdown now
Login to your AWS Management Console and click Instances (note: Your instance will say it is running but it has shut down (test with SSH and connection will be refused)).
Click Actions, Image then Create Image
Name the image (select any volumes you have created) and click Create Image.
You can follow the progress o the snapshot creation under the Snapshots menu.
When the volumes have been snapshoted you can stop the instance.
Now you can change the instance type by right clicking on the stopped instance and selecting Instance Settings then Change Instance Type
Choose the new desired instance type and click apply (double check your cost estimates)
Your can now start your instance.
After a few minutes, you can log in to your server and confirm the cores/memory have increased.
Note: Your servers CPU credits will be reset and your server will start with lower CPU credits. Depending on your server you will receive credits every hour up to your maximum cap.
Note: Don’t forget to configure your software to use more RAM or Cores if required.

Misc

Confirm processors via the command line:

grep ^processor /proc/cpuinfo | wc -l 
>2

My NGINX configuration changes.

worker_processes 2;
worker_cpu_affinity auto;
...
events {
	worker_connections 4096;
	...
}
...

Find the open file limit of your system (for NGINX worker_connections maximum)

ulimit -n

That’s all for now.

Donate and make this blog better

Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

v1.0 DRAFT Initial Post

What to look for when buying a new computer

June 18, 2017 by Simon

This guide is being edited over time (as I have been asked by a few people what to look for when buying a new computer, I will keep updating this guide over time with new information). It can be hard knowing what a person needs from a computer now and into the future (Windows or Mac) so the decision is ultimately yours. This guide will hopefully inform you what internal components (specs (specifications)) to care about and what specs to ignore when buying a new computer.

Choosing an Intel or Advanced Micro Devices (AMD) processor?

In years gone by Intel were the faster and most expensive processors and Advanced Micro Devices (AMD) was the cheaper and slower processors but recently Advanced Micro Devices (AMD) has been matching Intel processors and has been driving the innovation. Generally, an Advanced Micro Devices (AMD) based system will be cheaper and will have the most profit for a retailer. The faster a system the more expensive it will be and the less room for discounts IMHO.

Salespeople.

Most sales people personally prefer a certain brand processor, video card or computer brand but most salespeople will recommend the system with the highest profit margin (and commission for them) so beware of advice from sales people. FYI I am not paid to say anything here.

Cores v MHz.

Computer processors used to have only one processor core and used to run at a certain megahertz all the time (making comparisons of processors and systems easy) but processors these days have multiple cores each core can run at potentially different megahertz (and run at a lower speed by default). Cores can change speed thousands of times a second. Some software programs prefer one processor core or multiple cores (it is very rare that software will use all cores efficiently) so comparisons are hard. Generally, newer generation processors are faster than older processors that run at the same speed, but having a few cores helps the operating system manage background tasks but don’t expect an 8 core system to run software 8x faster.

Cooling, Noise and Thermal Throttling.

A computer processor has embedded temperature sensors that tell it when one core reaches a set temperature the processor will start to slow down the processor to protect itself (by slowing down one or multiple cores). A computer’s internal cooling architecture and ultimately airflow will determine how fast a computer is in the long term. A heavy laptop or computer may, in fact, weigh more because it has better internal cooling (or not) so beware buying light computers. Apple computers are made of light aluminium metal and (some say because they are slower) are lighter, quieter and not as hot (I Agree).

I tend to forget the newer processors codenames and have to review all the latest offering on stores like https://www.scorptec.com.au/product/cpu. Anandtech and TomsHardware are good news sites that will keep you up-to-date with processors and processor trends.

Remember even a fast machine can run slow on hot days or if the cooling is no good.

Software

Windows generally, has more software available but Apples can run Windows software via emulation software called Parallels (cost involved).

A free Ubuntu (Linux) is also available. Read my guide on Ubuntu here.

Apple also has a free operating system and software (with their computers). View more information on macOS here.

Longevity

The golden rule is to spend more than $2k on a computer and get as much memory (RAM) and storage (HDD) as possible. But spending $2,000 on a computer that will last 2 years is silly when a $3,500 computer that lasts 9 years.

Emma Castle from http://shegoes.com.au/ said, “That computer (13″ Apple Mac Book) was exceptional for a very long time!” when her 2009 computer died.

Should I get an Intel i3, i5, i7 or i9 or xx processor?

An Intel i3 processor has 2 cores (but generally run faster per core than an Intel i5 or Intel i7). An Intel i5 has 4 cores and an Intel i7 also has 4 cores and 4 virtual cores (8 cores) and the 4 real cores handle the work of the 4 virtual cores. Gamers and programmers usually get Intel i7′s over an Intel i5 or an Intel i3. Generally, the higher the number the faster the processor. Intel has just released i9’s but they are not available yet.

Handy CPU Benchmark Chart: http://www.cpubenchmark.net/ Some software likes more cores over more Mhz and vice-versa.

I’d recommend you choose an Intel i5 over an i3. Only get an i7 if money needs spending or performance is required.

Should I get an Advanced Micro Devices (AMD) processor?

Advanced Micro Devices (AMD) has a number of processor ranges (A, FX, Ryzen, Athlon etc). I would consult the processor hierarchy chart here for advice.

CPU Benchmark Chart: http://www.cpubenchmark.net/

If you are looking at an Advanced Micro Devices (AMD) processor aim for a Ryzen processor (as they are brand new and quite fast).

Nvidia or AMD Graphics Card?

A graphics card is like a mini-computer in a computer that is responsible for games and many graphical tasks in software and the operating system. Mac OS and Windows 10 need a fairly good video card.

A video card has its own processor (GPU), memory and has its own cooling. I won’t bore you with details about graphics cards here but video cards are more complex than the rest of the computer. Generally, gamers need expensive video cards where everyone else does not.

Toms hardware has a nice graphics card hierarchy chart that shows where a video card sits on the performance table: http://www.tomshardware.com/reviews/gpu-hierarchy,4388.html

Another good video card comparison chart http://www.videocardbenchmark.net/

A good video card has its own dedicated memory (not shared with the main system memory) avoid on CPU video cards like the Intel Integrated graphics chip as it will heat up the processor.

Price (goldylocks)

Generally don’t get the cheapest or the most expensive computer for obvious reasons.

Power usage.

Generally, The higher the power usage (power brick charger) the faster the computer (or the older a system is). The more electricity a computer uses the more its insides need cooling and the noisier it may be too.

Time to buy.

Tax time is a great time to buy a new computer and many Windows computers will be on special (Apple do not discount much).

Apple tends to update their computers every 500 days, you can use the Mac buyers guide site to determine the best time to buy Apple computer or device. Apple tends to discount when surplus computers are available before new models are launched. All retailers are keen to clear out older stock in June in Australia before the end of the tax year.

Generally, you are looking for an Apple or Windows computer (I cannot decide that for you).

Windows Computers.

Windows computers are cheaper (but in my opinion and experience last far less than Apple computers).

Most people get a Windows computer. Windows computers do have great games available. FYI: I am biased towards Apple computers.

Apple.

Generally, people buy Apple computers if you are an app developer, creative, want a nice computer system or are sick of Windows crashes and viruses.

Apple computers can still run Windows via a separate Windows installation (Bootcamp) or via emulation (Parallels Software) so I’d recommend Apple.

Discounts.

If you search for a brand laptop long enough you will have add banners follow you around the internet so don’t be in a hurry to buy a computer (let the discounts come to you). Don’t be afraid to ask vendors for discounts. All hardware has profit margins and discounts or freebie throw in’s are usually available.

Most brand name computer manufacturers have discounted models all year round. Just use google and browse the retailer’s website.

Durability.

A laptop needs to be durable and last a long time. My metal Apple Mac from mid-2012 still looks as good as the day I purchased it. Avoid plastic computers and computers that run hot (start a computer before buying it).

Configurability and upgradability.

Laptops are less configurable and upgradable over desktop computers. My advice is to buy at least 512GB of solid-state hard drive storage and 16GB of memory.

Memory generations and speeds.

Generally, more memory will add more speed to a computer. Memory comes in various speeds and newer memory generations (e.g DDR2, DDR3, DDR4) are faster overall but are technically slower at smaller tasks (as they add more latency to achieve higher speeds). Read more about memory speeds and timings here.

Try and aim for 16GB memory over 4GB, 8GB. Also the more memory you have the higher chance of system crashes and errors IMHO.

Storage types and sizes.

Olden day hard drives used spinning magnetic disks and have floating read heads, more modern hard drives have faster flash-based solid state drives that use electrical circuits. Solid-state drives are about 10x faster than spinning magnetic drives but may not last as long due to limited lifespans. A mechanical and spinning hard drive is slower but larger in capacity and is more recoverable in the event of a crash and are cheaper. More on hard drive differences and reliability here. Backblaze publish a report of failure rates in large capacity magnetic drives each year, read here. Hybrid drives combine a small flash solid-state drive with a larger spinning hard drive. This is a perfect balance.

Newer Intel-based systems may contain Optane based devices that may boost the performance of a computer. Optane is recent so any Optane compatible system is new.

Get a solid-state if you can afford it but a spinning hard drive is still ok. If you are getting a solid-state drive get at least 512GB in capacity.

Screen sizes and types.

Generally, I ignore the screen technology (LCD, TFT, IPS) and instead focus on the screens resolution (1920×1200 resolution minimum) and colour abilities (6-bit, 8-bit, 10-bit or 12-bit). A good 8-bit TFT or LCD can beat a newer 12-Bit IPS. I’d look for a 1920×1200 resolution screen that is 10bit of higher. A 10-bit monitor can display more colours than a 6-bit monitor. Read more on bits here.

Recently 4K resolution screens have hit the market so if money is no object get a 4K monitor (if it is also 12-bits).

Look for a system that can handle external monitors (via HDMI, Display Port or Air Display (Apple)) to complement your primary monitor. Apple computers can wirelessly beam displays to Apple TV/TV’s or connect to other displays via dongles.

System Noise.

A fast system can potentially be a noisy system so do power up a system before you buy it. Generally, Apple computers will be silent (at the cost of speed, but will spin up noisy fans if needed).

Ask Yourself, What is the noise of a system at Idle and Full Load before buying a computer?

Battery Capacity.

A small battery is no good in a laptop, try and aim for a 15MA battery or higher. 10+ hours of running time is ideal.

Accessories

Almost all laptops and systems come with an SD-CARD slot, USB, Bluetooth, headphone and microphone jacks (except Apple who has moved to USB-C and accessory based dongles).

Tips.

Strongly consider setting up online and automatic cloud backup after purchasing a new computer. I use https://www.backblaze.com/ CrashPlan is also good.

Antivirus is also key (even on Apple), I prefer Bitdefender but any antivirus or antimalware is preferable to none.

Enjoy and good luck.

Donate and make this blog better

Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

v1.5 added info on longevity

Type	Protocol	Port Range	Source	Comment
HTTP	TCP	80	0.0.0.0/0	Opens a web server port for later
All ICMP	ALL	N/A	0.0.0.0/0	Allows you to ping
All traffic	ALL	All	0.0.0.0/0	Not advisable long term but OK for testing today.
SSH	TCP	22	0.0.0.0/0	Not advisable, try and limit this to known IP’s only.
HTTPS	TCP	443	0.0.0.0/0	Opens a secure web server port for later

Computer

Computer Building/Hardware Acronyms

Hardware Trends

Memory Tip

Memory Tip

Memory Tip

Processor Tip

Processor Tip

Processor Tip

Video Card Tip

Video Card Tip

Storage Tip

Recent Hardware Controversies

Windows Tip

Video Card Support

Video Card Support (Again)

Intel or AMD

Current or last generation?

Future Proofing

Essential Components

Power Supply

Minimum Components/Specifications

Australian Computer Component Retailers

Australian Retailer Search

Lower Delivery Fees

PC Parts Picker

Pre Built PCs

Footer

Popular

Security

Code

Tech

Wordpress

General