Multi-Factor Authentication (MFA) over ssh

Securing your internet-facing systems and data is of utmost importance. One critical aspect is ensuring secure access to your servers and protecting them from unauthorised access. Multi-Factor Authentication (MFA) adds an additional layer of security by requiring users to provide two or more pieces of evidence to authenticate themselves. In this tutorial, we will explore how to set up MFA for SSH using FreeOTP, an open-source OTP (One-Time Password) authenticator app.

Prerequisites

Before we begin, make sure you have the following:

1. A Linux server (Ubuntu, CentOS, or any other distribution)
2. Administrative access to the server
3. A smartphone (iOS or Android) to install the FreeOTP app

Step 1: Installing FreeOTP

1. On your smartphone, open the respective app store (Google Play Store or Apple App Store).
2. Search for "FreeOTP" and install the app.
3. Once installed, open the FreeOTP app.

Step 2: Configuring SSH for MFA

1. Connect to your server using SSH with administrative privileges.
2. Open the SSH configuration file using a text editor (e.g., nano or vi).
   
   •  sudo vi /etc/ssh/sshd_config


3. Look for the ChallengeResponseAuthentication line and set it to "yes" if not already enabled.
4. Add the following line to enable the use of Google Authenticator-compatible TOTP (Time-based One-Time Password) authentication:
   

   AuthenticationMethods publickey,password publickey,keyboard-interactive
   

5.  Save and exit the SSH configuration file.

Step 3: Configuring the User for MFA

1. In the SSH configuration file, find the Match User or AllowUsers section for the user you want to enable MFA for.
2. Add the following line below the user entry:
   

   AuthenticationMethods publickey,password publickey,keyboard-interactive

3. Save and exit the SSH configuration file.

Step 4: Restarting the SSH Service

1. Restart the SSH service to apply the changes.
   • sudo systemctl restart sshd

Step 5: Enabling MFA for the User

1. On your server, generate a secret key for the user using the following command:
   

   google-authenticator

2. You will be presented with a series of prompts. Answer "y" for each of them to configure MFA.
3. Scan the displayed QR code using the FreeOTP app on your smartphone.
4. FreeOTP will add your server as a new account and start generating one-time passwords.
5. Complete the setup process by following the on-screen instructions.

Step 6: Testing the MFA Setup

1. Attempt to SSH into your server using the user account that has MFA enabled.
2. After entering the username and password, you will be prompted for the verification code.
3. Open the FreeOTP app on your smartphone and find the account associated with your server.
4. Enter the current one-time password generated by FreeOTP.
5. If the authentication is successful, you will gain access to your server.

By implementing MFA for SSH using FreeOTP, you have taken a significant step towards bolstering the security of your server. MFA provides an additional layer of protection against unauthorised access and greatly reduces the risk of compromised user credentials. Remember to enforce strong passwords and regularly update your system to maintain a robust security.

In future tutorials (when I get the time) I will show how to further harden your system with fail2ban and geoblocking.

The Ten Commandments of IT Operations

These have been committed to memory for some time for me. I've finally decided to write them down. There's always been a bit fuzziness arounf the edges for these rules, so I suppose writing them here kinda sets them in stone. Anyway, for better or worse: 

1. What happens in the Server Room stays in the Server Room 

A long time ago when I was a poor Uni student, I had a temp job at "The Roofing Company". On my first day I was told tie a pallet of corrugated iron up using the strapping machine, which used a reel of metal strap. Nobody showed me how to use it and I fed the metal strap into the machine the wrong way round. The whole thing unspooled about 50 metres of strap onto the floor of the warehouse.

Later in the day a manager saw the mess and wanted to know who did it. A colleague looked directly at me and said "It was that bloke from Queensland who was here yesterday, wasn't it?" I nodded my head and the manager stormed away.

The lesson wasn't lost on me. Although I was to blame, the root cause lay in my not being provided training on the equipment.

Most of the time, your boss (or his boss) will be non-technical. Anyone who works in IT knows that the only people in IT who don't make mistakes are those who do no work. So don't throw your colleagues under the bus when they make mistakes. Do a root cause analysis. Discuss it amongst yourselves. Work out what changes need to be made to prevent it in the future. Then report - as a team - the actual root cause (or at least a plausible one). 

If the blame must lie with a person, then it lies with all of you, or the team leader.

2. Always have a second method of access - preferably more 

This applies to anything. If you have an electronic lock, have a physical key somewhere. If you use Citrix, make sure you have VPN as well. This includes having an extra admin account for all systems. Test the other methods of access.

By extension, have a backup internet link for inbound purposes, and out-of-bandwidth access for physical devices (such as ILO and DRAC), including the ability to power cycle them if necessary.

In short, eliminate all SPOF (Single Points Of Failure) for everything.

3. DDUF - Don't Do Updates on Friday 

Unless you like working over the weekend.

4. Take snapshots. Test Backups. 

Take snapshots of virtual machines before making changes. Also test your backups by doing a trial restore from time to time. On occasion, test a DR restore. 

5. ABC - Always Be Coding (or scripting) 

A lot of people who gain a tertiary qualification in IT will never write a line of code after they graduate. I don't care what it's in (BASH, Powershell, Python, C#, VBscript) make some form of coding a regular part of your work week. Don't let your skills atrophy. Sure, you CAN do your job without coding, but you can do it better WITH coding. 

6. A ten minute job takes ten minutes. Five minute jobs take two hours. 

We're all tempted to do something quick. Something that will only take five minutes. Usually we do them when we only have five minutes to spare. 

It's a trap. Those five minute jobs have been sitting there, gathering dust for some time, otherwise you would have done them some time ago. Chances are that your recollection of what really needs to be done has faded and there's more to the job than you remember. Or the conditions have changed. Or someone has done something else in the meantime. By contrast, ten minute jobs are usually on point. You do them regularly and know them well. They take ten minutes to do and that's it.

All of a sudden that five minute job is taking some time, and you can't roll back. You have to plough on through and finish in around two hours - usually after calling home to say you will be late. But that leads us to point 7.

7. Take breaks. Don't start anything new thirty minutes before you leave. 

Sometimes you need to come up for air. Take a break, go for a walk and come back with a fresh set of eyes. You will be way more productive this way than simply having your head down for several hours.

The second part of this is don't start any new work with thirty minutes (or less) to go. Step back, do some documentation, fill out a form, tidy your desk, plan tomorrow, reply to emails, rearrange files. There's always plenty of busy work to do other than starting something you realistically won't be able to finish, or feel pressured by time constraints. Any new work you do now won't be finished before you leave unless you work back late and chances are, you won't remember what you got up to tomorrow.

8. Sanity check everything. Even simple stuff. 

Whether it's code, configuration, deployment, modification etc. Get someone to check your work. You'd be surprised how easy it is for someone else to pick up some mistake you may have made. And if something you do does go south, you can always say you had someone check it out too.

9. Especially simply stuff. 

This particularly applies to 'simple things'. Mistakes are much easier to spot by others, but you can easily be blinded by proximity or familiarity. Forgot to remove a comment tag? Still logging in debug mode? Forget to enable that service?

Rookie mistakes, but we all do them. Not just rookies.

10. It's not yours. It never was.

Work with any system long enough, put enough of your blood, sweat and tears into something and it will feel like you own it. Like it's your baby.

It's not. It never was.

Sometimes, our recommendations will be ignored. We'll be told to do something we don't want to do. We'll be tempted to ignore that instruction because we know better.

Don't. It's not your system. You're just paid to maintain it. If your boss wants to melt it down and make ornaments of it, he can do that. It's his, not yours.

So that's it. Thirty years of wisdom condensed down into ten simple rules. If can add to the list, feel free to comment.

Ubuntu Server Runup Script

Ubuntu Server Post Installation Runup

Following on from my CentOS 7 runup script is a series of Ubuntu scripts I have written over time. They're presented as a "Work in Progress" which may or may not end. 

I started the Ubuntu scripts using the CentOS scripts as a base, however they diverged quickly to become both unique and specialised. With Ubuntu, the goal was to standardise server builds so they could be duplicated by others. So the scripts began to evolve into a partially menu based build system.

But as I said - it's a work in progress, and the comments reflect areas that need improvement. So, for better or worse, here's the best of about two dozen iterations.

Base Ubuntu 20.04 LTS Runup Script

The script follows after the commentary given here. The script was designed to be edited before use. It is divided loosely into several sections. While some parts have been improved to be interactive, the majority requires serious modification before you should even think of running it on a server.

1. Variables

The first section includes many variables. Most should be self-explanatory. Check these carefully and make any modifications you need. Only those variables used in sections you are using need to be used, the rest can be commented out. In particular, make sure the following is properly declared:

MAILFWD IP address of the email relay

EMAILINST Your email address
EMAILADMIN The server administrators email address
SNMPRO The SNMPv2 public community
SNMPRW The SNMPv2 private community
SNMPSRV IP address of the SNMP server

2. Updates & Cockpit

Next updates are applied and cockpit is installed. This will take a few minutes to run. Choose between cockpit and webmin - do not install both. Cockpit has a smaller footprint and is easier to use, but webmin is more versatile.

3. Active Directory Integration

If you are integrating with Active Directory, study this section carefully as it is a little buggy and doesn't trap a lot of exceptions. I'd welcome feedback here!

4. PCP Logging tools & Grafana

This section is very experimental. Use with care. Grafana is a powerful tool that is not utilised enough. However it does take significant time to configure.

5. Firewall & Fail2ban

UFW (Uncomplicated Firewall) is then setup to allow access to ssh and cockpit. Rate limiting is applied to ssh. Fail2ban is also installed.

6. Swap

Default swappiness for Ubuntu server is 60. This is way too high. This section changes it to 20. This is a simple change, but an important one.

7. Tools

Several system utilities are installed here. Comment or uncomment according to what you find useful. The utilities are:

• wget - get files via http

• telnet - telnet client
• bind9utils - utlities for querying dns (such as dig)
• nmap - network analysis tool
• mlocate - Faster and more efficient file locator
• mc - Midnight Commander (XTree like file system interface)
• elinks - Text based broswer (has dependencies)
• systat - Statistical tools such as iostat

8. vm-tools & hyper-V

VMWare tools are installed next. Comment this section if not using vmware. An adjacent section for Hyper-V is provided to enable LIS and enhanced session mode.

9. Mail Relay

This section sets up s-nail for sending email via an email relay defined previously. S-nail is the preferred mailer for Ubuntu and provides the same service that mailx does.

10. SNMP (incomplete)

Install snmpd. This section is not finished. The snmpd.conf file must be manually edited.

11. Unattended updates (incomplete)

Ubuntu server installs updates automatically by default. This section must be configured to provide notification and control over the update process. The config files need to be manually edited afterwards as this section still needs some work.

12. Webmin

Webmin is still the best server application administration tool. There are hundreds of plugins for webmin. Cockpit is the best tool for system administration. If you don’t need webmin, comment out these lines. If you do, you may want to consider commenting out the cockpit installation lines to have just one tool.

Next we have the server applications

13. VSFTP

If you need ftp, this is the version to use. The downside is there is no webmin plugin for it. If you really need to administer ftp via webmin, install proftpd instead. If you don’t need an ftp server, comment out this section.

14. MariaDB (MySQL Server)

This will install mariadb server and client and harden the service. This section is interactive.

15. PERL

PERL is required for many web based applications. If not required, comment this section. This section is highly interactive and takes several minutes to install. As well as installing PERL, it installs cpan, cpan minus and numerous perl modules and keeps them updated as much as possible. Error messages in this section are not unusual. Ignore them.

16. Apache

Installs the Apache 2.4 web server. Configuration of httpd.conf is required. Comment out if installing NGINX.

17. PHP for Apache

Installs basic php modules and PEAR. Other modules can be installed by uncommenting as required.

18. NGINX

Installs NGINX instead of Apache.

19. WordPress

Requires Apache. Some heavy editing foo required here or you will be unhappy with the result...

20. phpMyAdmin

If you don't know what this is for, don't install it. 

21. Security evaluation

This section installs security evaluation and reporting tools and prepares a security report for the system.

22. Finish

Final section cleans up and reboots.

The Future

Plans for updates to the post-installation script include:

1. Make it interactive, so you don’t have to edit the file before running it.

2. Add logging to file.

3. Add auto-document capability. This will be the basis for as-built documentation.

4. Add a silent unattended mode.

The Script

#!/bin/bash
#
# Post installation script for Ubuntu Server 20.04 LTS
#
# Written by Wayne Doust 02 September 2021
#

## Needed for ifconfig to work
apt -y -qq install net-tools

SCTL="/etc/sysctl.conf"
STAMP=`date +%Y%m%d`
SWPP=20
HOST=`hostname -s`
FQDN=`hostname -d`
FQDN=site.local
MAILFWD=<IP of email forwarder>
EMAILINST=installer@$FQDN
EMAILADMIN=admin@$FQDN
SNMPRO=public
SNMPRV=private
SNMPSRV=<IP of SNMP server>
ALLOWFRM="127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10"
ADDOM=ADdomainname
ADFQDN=ADFQDN
ADUSER=Administrator


IP4="`ifconfig | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p'`"
#IP6="`ifconfig | sed -En 's/::1//;s/.*inet6 (addr:)?(([[:xdigit:]]*::){,4}[[:xdigit:]]*::{,4}[[:xdigit:]]*::{,4}[[:xdigit:]]*::{,4}[[:xdigit:]]*).*/\2/p'`"

###
### The Following section asks for user input to modify some of the above variables
###
clear
echo
echo Ubuntu Server 20.04 LTS Runup Script
echo =========================================================================
echo
echo Enter parameters of this server. Press enter to accept the default.
echo
printf "Hostname [%s]:" $HOST
read ANSWER
if [ "$ANSWER" != "" ]
then
    HOST=$ANSWER
fi
echo Hostname: $HOST

printf "Domain [%s]:" $FQDN
read ANSWER
if [ "$ANSWER" != "" ]
then
    FQDN=$ANSWER
fi
echo Domain: $FQDN

echo Continuing will commence post-installation work of Ubuntu Server
echo ----------------------------------------------------------------
echo
echo Press any key to continue
read ANSWER

### Set Timezone and hostname
## Should use variables here
timedatectl set-timezone Australia/Melbourne
hostnamectl set-hostname $HOST
echo $HOST.$FQDN > /etc/hostname
sleep 3

### Apply updates and install cockpit & optionally pcp
## Note: Whilst you can install both, pick either Cockpit or webmin
##
echo
echo Apply updates
echo
sleep 3
apt -y -qq update && apt -y -qq upgrade
#echo
#echo Installing cockpit
#echo
#sleep 3
#apt -y -qq install cockpit
#apt -y install cockpit-pcp
#systemctl enable cockpit
#systemctl start cockpit

### (Optional) Add server to Actice Directory Domain
echo "deb http://au.archive.ubuntu.com/ubuntu/ bionic universe" >> /etc/apt/sources.list
echo "deb http://au.archive.ubuntu.com/ubuntu/ bionic-updates universe" >> /etc/apt/sources.list
hostnamectl set-hostname $HOST.$ADFQDN
hostnamectl
echo Check Name servers are correct
cat /etc/resolv.conf | grep nameserver
echo
sleep 10
systemctl disable systemd-resolved
systemctl stop systemd-resolved
apt -y update
apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
echo
echo Discover AD Domain
echo
realm discover $ADDOM
realm join -U $ADUSER $ADDOM
realm list $ADDOM
pam-auth-update --enable mkhomedir
## Do the following if the previous line doesn't work
#cp /usr/share/pam-configs/mkhomedir /usr/share/pam-configs/mkhomedir.org
#echo "Name: activate mkhomedir" > /usr/share/pam-configs/mkhomedir
#echo "Default: yes" >> /usr/share/pam-configs/mkhomedir
#echo "Priority: 900" >> /usr/share/pam-configs/mkhomedir
#echo "Session-Type: Additional" >> /usr/share/pam-configs/mkhomedir
#echo "Session:" >> /usr/share/pam-configs/mkhomedir
#echo "        required                        pam_mkhomedir.so" >> /usr/share/pam-configs/mkhomedir
#echo "umask=0022 skel=/etc/skel" >> /usr/share/pam-configs/mkhomedir
pam-auth-update
systemctl restart sssd
realm permit $ADUSER@$ADFQDN
realm permit 'Domain Admins' 'sysadmins'
echo "$ADUSER@$ADFQDN    ALL=(ALL)    ALL"          > /etc/sudoers.d/domain_admins
echo "%Domain\ Admins@ADFQDN    ALL=(ALL)    ALL"     >> /etc/sudoers.d/domain_admins
echo "%sysadmins@ADFQDN    ALL=(ALL)    ALL"         >> /etc/sudoers.d/domain_admins

### Optional logging tools based around pcp
## Don't install these unless you know what you're doing
# apt -y install pcp
# systemctl enable pmcd
# systemctl start pmcd
# systemctl enable pmlogger
# systemctl start pmlogger
# systemctl enable pmie
# systemctl start pmie
## use 'pcp atop' 'pmstat' 'pmiostat' etc
## Following is for web API for Grafana
# systemctl enable pmproxy
# systemctl start pmproxy
# wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
# add-apt-repository "deb https://packages.grafana.com/oss/deb stable main"
# apt update
# apt -y install grafana
# systemctl enable grafana-server
# systemctl start grafana-server
# ufw allow 3000/tcp
## Securing Grafana using NGINX Reverse Proxy (more here)
## See https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-grafana-on-ubuntu-20-04

    
### Setup ufw
echo
echo Setting up UFW
echo
sleep 3
ufw default deny incoming
## Allow SSH
ufw allow ssh
ufw limit ssh
## Allow cockpit
#ufw allow 9090/tcp
echo y | ufw enable
ufw status

### Install fail2ban
echo
echo Installing fail2ban
echo
sleep 3
apt -y -qq install fail2ban
#configure fail2ban as required

### Change Swappiness from 60 to 20
## Need to add check for current value in config file
## This could be done better
echo
echo Change swappiness to 20
echo
sleep 3
printf "\nCurrent swappiness="
cat /proc/sys/vm/swappiness
cat $SCTL | grep swappiness | sed -e 's/[^0-9]//g'
echo Current setting=$CSWP
echo Swap Details
echo ------------
swapon --show
sleep 3
printf "\n"
echo 20 > /proc/sys/vm/swappiness
if [ -e $SCTL.org ];
then
    cp -p $SCTL $SCTL.$STAMP;
else
    cp -p $SCTL $SCTL.org;
fi
echo "" >> $SCTL
echo "#Set swappiness to $SWPP" >> $SCTL`
echo "vm.swappiness = $SWPP" >> $SCTL`

### Install useful tools
## wget       - get files via http
## telnet     - telnet client
## bind9utils - utlities for querying dns (such as dig)
## nmap       - network analysis tool
## mlocate    - Faster and more efficient file locator
## mc         - Midnight Commander (XTree like file system interface)
## elinks     - Text based broswer (has dependencies)
## systat     - Statistical tools such as iostat
echo
echo Installing tools
echo
sleep 3
apt -y -qq install wget telnet bind9-utils nmap mlocate mc sysstat
apt -y -qq install elinks

### Install VMware tools if running on VMware
apt -y -qq install open-vm-tools
vmware-toolbox-cmd -v

## ALT: Install Hyper-V LIS if running on Hyper-V
#echo -e "hv_vmbus" >> /etc/initramfs-tools/modules
#echo -e "hv_storvsc" >> /etc/initramfs-tools/modules
#echo -e "hv_blkvsc" >> /etc/initramfs-tools/modules
#echo -e "hv_netvsc" >> /etc/initramfs-tools/modules
#apt -y install linux-virtual linux-cloud-tools-virtual linux-tools-virtual
#update-initramfs -u
## ALT: Install Hyper-V Enhanced Session Mode (xRDP)
## See https://www.kali.org/docs/virtualization/install-hyper-v-guest-enhanced-session-mode/
#apt -y install git
#git clone https://github.com/Microsoft/linux-vm-tools.git ~/linux-vm-tools
#cd ~/linux-vm-tools/ubuntu/
#chmod +x install.sh
#./install.sh
##edit /etc/xrdp/xrdp.ini Change port=vsock://-1:3389 to use_vsock=false
#systemctl enable xrdp.service
#systemctl start xrdp.service
## On host in Admin PS: Set-VM -VMName <vmname> -EnhancedSessionTransportType HvSo

### Setup email relay
echo
echo Setup email relay
echo
sleep 3
apt -y -qq install s-nail
ln -s /usr/bin/s-nail /bin/email
## This next bit could be done better
echo -e "set mta=smtp://$MAILFWD " >> /etc/mail.rc
echo -e "set mailx-extra-rc=/etc/mail.rc" >> /etc/s-nail.rc
echo 'Testing Email relay' | s-nail --subject='Email test 1'  -r "$HOST<$HOST@$FQDN>" $EMAILINST

### Setup SNMP (Not finished)
echo
echo Setup SNMP
echo
sleep 3
apt -y install snmpd snmp
ufw allow snmp
ufw status
#add lines for editing /etc/snmp/snmpd.conf
#change rocommunity public ro6community public etc
#SNMPDOPTS='-LS 0-4 d -Lf /dev/null -p /var/run/snmpd.pid'
cp /etc/snmp/snmpd.conf /etc/snmpd.conf.org
systemctl enable snmpd
systemctl restart snmpd
systemctl status snmpd
snmpwalk -v 2c -c $SNMPRO localhost

### Setup Unattended Updates (Not finished)
echo
echo Setup unattended updates
echo
sleep 3
apt -y -qq install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades ### Requires intervention
apt-config dump APT::Periodic::Unattended-Upgrade
cat /etc/apt/apt.conf.d/50unattended-upgrades | grep -v '//' | grep '[A-Aa-z]'
apt -y -qq install apt-listchanges
sed -i "/\b\(Unattended-Upgrade\:\:Mail\)\b/d" /etc/apt/apt.conf.d/50unattended-upgrades
echo -e "Unattended-Upgrade::Mail \"$EMAILADMIN\";" >> /etc/apt/apt.conf.d/50unattended-upgrades

### Install Webmin
## If using cockpit, comment this section out
## This also could be done better
echo
echo Installing Webmin
echo
sleep 3
apt -y install wget apt-transport-https software-properties-common
wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add -
add-apt-repository "deb [arch=amd64] http://download.webmin.com/download/repository sarge contrib"
apt -y install webmin
ufw allow webmin
ufw limit webmin

###
### Application Section
###

### Install, secure and run MySQL
##
#echo
#echo Installing MariaDB (MySQL)
#echo
#sleep 3
#apt -y install mariadb-server mariadb-client
# alternate install in case the above doesn't work
#apt -y install mariadb-client-10.3
#apt -y install mariadb-server-10.3
# Secure MySQL
#ufw allow mysql
#systemctl start mariadb
#mysql_secure_installation
#systemctl enable mariadb.service

### Install CPAN Minus and update PERL modules (some will fail on dependencies)
echo
echo Installing CPAN and PERL modules (This will take a while and requires interaction)
echo
sleep 5
apt -y install make
apt -y install libnet-ssleay-perl perl-IO-Zlib
cpan App::cpanminus
cpanm Net::FTPSSL
cpanm App::cpanoutdated
cpan-outdated -p | cpanm

### Install Apache web server (needs work)
echo
echo Installing Apache web server
echo
sleep 3
apt -y install apache2
apachectl -v
#<change httpd.conf listen to 0.0.0.0:80>
#be sure to set FQDN
ufw allow http
ufw allow https
ufw status
apachectl graceful
apachectl configtest

### Install PHP for Apache, MySQL and PEAR
echo
echo Installing PHP
echo
sleep 3
apt -y install php php-pear php-mysql
## Enable the following as required: Postgres, ODBC (MS SQL), LDAP, SOAP
#apt -y install php-pgsql php-odbc php-ldap php-soap
## Enable the following to install all PHP related development tools (this is a huge list > 60 packages)
## Only install this on test/dev servers. Don't install on stage, canary or prod servers.
#apt -y install pkg-php-tools
##
echo -e "<?php phpinfo(); ?>" > /var/www/html/info.php
# Test with http://server/info.php
systemctl restart httpd.service
## Setup dedicated Apache2 user

### Install NGINX instead of Apache (Needs lots more work)
#echo
#echo Installing NGINX
#echo
#sleep 3
#apt -y install nginx php php-common php-fpm
## Install as required
#apt -y install php-cli php-json php-pdo php-mysql php-zip php-gd php-mbstring php-curl php-xml php-pear php-bcmath
#ufw allow 'nginx http'
#ufw allow 'nginx https'
#ufw reload
#systemctl stop httpd
#systemctl stop apache2
#systemctl disable --now httpd
#systemctl disable --now apache2
#systemctl enable nginx
#systemctl start nginx  
#nginx -v
#nginx -t
#mkdir -p /var/www/<website>/public_html
#mkdir /var/www/<website>/logs
#chown -R nginx:nginx /var/www/<website>
## edit /etc/nginx/sites-available/default

### Install Wordpress (assumes Apache)
#echo
#echo Installing WordPress
#echo
#sleep 3
#apt -y install php-gd
#systemctl restart httpd.service
#wget http://wordpress.org/latest.tar.gz
#tar xzvf latest.tar.gz
#rsync -avP ~/wordpress/ /var/www/html/
#mkdir /var/www/html/wp-content/uploads
#chown -R apache:apache /var/www/html/*
## Setup WordPress Database
#mysql -u root -p <password>
#CREATE DATABASE wordpress;
#CREATE USER wordpressuser@localhost IDENTIFIED BY 'password'
#GRANT ALL PRIVILEGES ON wordpress.* TO wordpressuser@localhost IDENTIFIED BY 'password';
#FLUSH PRIVILEGES;
#exit
## Configure WordPress
#cd /var/www/html
#cat wp-config-sample.php | sed 's/database_name_here/wordpress/g' | sed 's/username_here/wordpressuser/g' | sed 's/password_here/password/g' > wp-config.php

### Installs phpMyAdmin
#echo
#echo Installing phpMyAdmin
#echo
#sleep 3
#apt -y install php-mbstring php-zip php-gd php-json php-myadmin
#cp /etc/phpMyAdmin/config.inc.php /etc/phpMyAdmin/config.inc.php.orig
## Harden PHPMyAdmin
#cat /etc/phpMyAdmin/config.inc.php.orig | sed -e 's/AllowRoot\'\]\ \=\ TRUE/AllowRoot\'\]\ \=\ FALSE/g' > /etc/phpMyAdmin/config.inc.php  
## Test with http://server/phpMyAdmin

###
### Add security compliance scanning to setup Script for Ubuntu 20.04
###
echo
echo Perform Security Evaluation
echo
sleep 3

##
## Apply updates and install openscap
##
apt -y -qq update && apt -y -qq upgrade
apt -y -qq install libopenscap8
apt -y -qq install ssg-base ssg-debderived ssg-debian ssg-nondebian ssg-applications

##
## Perform default and standard security policy compliance scans for Ubuntu 20.04
##
oscap xccdf eval /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml

##
## Perform CVE scans
##

snap install cvescan
cvescan -p all
cvescan -p all --show-links > cvescan.out
echo >> cvescan.out
touch cvescan.csv
cvescan --csv -p all > cvescan.csv
## Also add open ports to report
netstat -tulpn | grep LISTEN | grep -v 127.0.0. | grep -v ::1
netstat -tulpn | head -n 2 >> cvescan.out
netstat -tulpn | grep LISTEN | grep -v 127.0.0. | grep -v ::1 >> cvescan.out
echo >> cvescan.out
echo Firewall Status >> cvescan.out
echo >> cvescan.out
ufw status >> cvescan.out
echo >> cvescan.out

##
## Perform OVAL scan and generate report
##
wget -c https://security-metadata.canonical.com/oval/com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
bunzip2 com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
oscap oval eval --report report.html com.ubuntu.$(lsb_release -cs).usn.oval.xml
## Email the report
cat cvescan.out | s-nail --subject="Security Report for $HOST" -a report.html -a cvescan.csv -r "$HOST<$HOST@$FQDN>" $EMAILINST

##

## Remove security eval prodcuts
##
echo
echo Removing security scan software
echo
sleep 3
snap remove cvescan
apt -y -qq remove libopenscap8

###
### Finish installation
###
echo
echo Cleanup installation and reboot
echo
sleep 3
apt -y -qq update && apt -y -qq upgrade
apt -y -qq autoremove --purge
echo
echo Rebooting in 60 seconds
echo
sleep 10
shutdown -r +1 Server Rebooting in 1 minute
echo
echo
sleep 60

Configuring Evolution-EWS to connect to Exchange Online

Let me quickly get something off my chest:

I hate MS Exchange. 

I loathe it. There are few things I despise more. 

I would prefer almost any other integrated messaging system than it. The reasons why are far too long to go into here. It really deserves its own blog entry - which I may do some day.

Unfortunately, unless you are the decision maker for the organisation for which you work, or at least hold some good sway with your IT Steering Committee. You are probably stuck with it.

If your organisation is like most, you are probably migrating to Office 365 or have already done so. If Linux is your primary or preferred platform and you want to be able to receive your email, calendar etc. on your Linux desktop, this may be something of a problem. So, here's my explanation of how to use Evolution as your messaging client for Exchange Online using Exchange Web Services via evolution-ews.

What is "Exchange Web Services" (and why should I care)?

Exchange Web Services (EWS) is an application program interface (API) that allows programmers to access Microsoft Exchange items such as calendars, contacts and email. 

EWS first became available in Exchange Server 2007. It provides the ability to store, retrieve, move and modify email and related data for a single user, a group of users or an entire Exchange Server organisation on an Exchange server. EWS can be used to migrate Exchange data on-prem or to a third-party host in the cloud, or simply as an interface for a mail app or messaging client. Previously, if you wanted to do this you had to leverage Outlook Web Access (OWA).

As well as being available for On-prem editions of Exchange, EWS is available for Office 365, however that access is slightly different.

Evolution-EWS

Evolution-ews from 3.27.91 on has had the capability of connecting to office 365 with OAuth2 authentication. The administrator of the account must allow access via this method. Fortunately this is the default, so I suggest you don't mention it to your Exchange administrator as they may decide to block access.

Users of free accounts at live.com/hotmail.com/outlook.com addresses can also configure EWS account with the same Host URL, but they cannot use OAuth2, it's required to create an application specific password. Organisation accounts can use application specific passwords too, but administrators can disable this feature.
There are two existing application IDs, but the organisation administrators can create their own application and have everything under their control.

To be able to use OAuth2 with outlook.office365.com server an Application ID, which identifies the application which requests access to user data, and a Tenant ID, which basically identifies the organisation, are required.

First make sure everything is installed:

Ubuntu/Debian Instructions

sudo apt-get remove evolution
sudo apt-get update
sudo apt-get install evolution
sudo apt-get install evolution-ews

Note that the first line is there to remove the old version - which may not be up to date. This may not be necessary for you but YMMV.

CentOS/RedHat/Rocky instructions

sudo yum update
sudo yum install evolution
sudo yum install evolution-ews

If you are using DNF, replace 'yum' with 'dnf'

Finding your Tenant ID

Each organisation has assigned its directory (tenant) ID, which is used to identify the organisation when authenticating the user. How to find out the tenant ID is described here. A short walk-through is:

1. login to https://portal.azure.com

2. click the View button below Manage Azure Active Directory near the top of the page

3. the Overview section (selected by default) shows a Tenant information where is the Tenant ID

It can be seen also when:

1. login to https://portal.azure.com

2. click the View button below Manage Azure Active Directory near the top of the page

3. pick App registrations subsection

4. click Endpoints at the top of the subsection

It opens a table, where can be seen OAuth 2.0 authorization endpoint (v2) and OAuth 2.0 token endpoint (v2). Evolution-ews uses

https://login.microsoftonline.com/$TENANT/oauth2/token

and

https://login.microsoftonline.com/$TENANT/oauth2/authorize,

where the $TENANT is replaced with the same value as the Tenant ID from the above.

If you are a normal user and do not have the required permission to check in the portal.azure.com, you might find the tenant ID in your browser history. Search for URLs containing tenantId=........-....-....-....-.............

Copy this Tenant ID, it'll be used together with Application ID when configuring evolution-ews.

Choosing an Application ID

There are two unverified applications (for testing purposes). They are setup in a way that they can be used by the organisations, though, depending on the organisation settings, the administrators may or may not need to approve them first. These applications can be used with the organisation tenant ID or with the common (or left empty) tenant ID. Again, it depends on the actual organisation settings. 

1. 20460e5d-ce91-49af-a3a5-70b6be7486d1 - has both EWS and Microsoft Graph API usages enabled, but the Graph API is not enabled (in evolution-ews 3.38.x) due to its incompleteness. The application identifies itself as GNOME Evolution. It's preferred in case the Graph API would be used in the future, thus the transition to it will be smooth.

2. 751cf8be-ca07-484b-9308-fac4b9d85eff - has only the EWS protocol enabled. The application identifies itself as GNOME Evolution EWS.

3. Users can also try application IDs shown at point 12 of this Microsoft page, like d3590ed6-52b3-4102-aeff-aad2292ab01c or ea5a67f6-b6f3-4338-b240-c655ddc3cc8e, with the Redirect URI set to urn:ietf:wg:oauth:2.0:oob and other values kept empty.

If your organisation has its own Application ID, use that one. If you are the administrator for your organisation, and want to create your own Application ID by following this link.

Evolution Instructions

Launch the Evolution application. If this is a new installation, follow the prompts below to configure your account. Otherwise, select the menu items File -> New -> Mail Account, click Next, then follow the prompts.

• Enter your name and your primary SMTP address, uncheck Look up mail server details… and click Next
• For Server Type, select Exchange Web Services
• For Username, specify your email address
• Change Host URL to https://outlook.office365.com/EWS/Exchange.asmx
  Click the Fetch URL button, providing your EID password when prompted. (If this doesn't work, don't worry, it can be done later). This will result in the OAB URL field being populated, which is the address from which the client can download a copy of the Offline Address Book.
• Change Authentication to OAuth2 (Office365).
• Make sure that Override Office365 OAuth2 settings is checked and populate the Tenant ID and Application ID fields as follows:
  • Tenant ID: your tenant ID
    
  • Application ID: choose from above
    
• Finish the New Mail Account Wizard, and you will then be taken to the University’s login page. Authenticate with your EID credentials and perform Duo multi-factor authentication.

Please note that the initial synchronization with your account may take an extended period of time if you have a large mailbox.

If you've used EWS previously, you would have noticed that credential management is handled by the Gnome settings under online accounts. With O365 this does not happen. I'm not sure why it's different - it may have something to do with how the data is presented via the App ID, but I'm only guessing here. If anyone knows, please enlighten me in the comments.

Acknowledgements

The following links were helpful to me and acted as source material:

https://sites.utexas.edu/glenmark/2021/02/01/how-to-setup-your-office-365-email-using-evolution-ews-linux/

https://wiki.gnome.org/Apps/Evolution/EWS/OAuth2

https://bugzilla.redhat.com/show_bug.cgi?id=972562

Other things this pandemic has taught me

This is not a health blog. 

This is a technical blog with a science/engineering perspective. So, when I post something about health, infectious diseases, vaccinations etc. I post it from that perspective. I make the assumption that the best scientific information we have available that is accepted by peak bodies is true and correct. To that end I post links to primary and secondary sources. If you want to argue the science, go argue it with the actual professionals. I'm not that arrogant that I think I know better than professionals in their field.

It's also not a political blog. In fact, in the extra categories, you won't see anything on politics. You'll see critical thinking, the scientific method... and possibly a few recipes as well as some creative writing and a few personal observations.

I've also posted elsewhere some snarky things about what this pandemic has taught me: particularly with regard to how much people value the lives of others over money and willingness to forgo some temporary discomfort in order to  safeguard other people. It's been sobering to say the least.

There are also some other things that this pandemic has taught me, from a futurist perspective. There are lessons to be learnt. Will we remember them or go back to business as usual?

Many of us are more productive when working from home

I still think offices have a place, but not like they used to. Many employers are champing at the bit to get people 'back to work' when they have been working this entire time, often with much higher productivity. For some reasons, there are inept managers still among us that think that someone working from home is somehow having a holiday. My prediction is that many workplaces will suffer a drop in productivity when workers are forced back into the office.

A long time ago at a previous workplace, I negotiated a 40% work from home. After a trial, it was increased to 60% by my boss because he could see the extra productivity he was getting from me. However, he had problems with his boss. They didn't like it one bit. The reasons they gave were:

 - How will you know he's working?

 - If others find out, they'll want to do it too.

Hopefully, I won't need to explain why these reasons are so ridiculous.

You don't need to go to meetings

Before the pandemic there were more than a dozen meeting collaboration tools around. Now there's basically two: Zoom and Teams. The latter really only exists because it integrates into the MSOffice suite and it can also be your phone system. I'll throw Teamviewer in as a third, but its primary use is for support - plus it's dear as poison. Zoom comes out on top in my books because it runs on literally anything and all you need is a subscription. Teams is only useful in medium to large organisations.

At the start of the pandemic, there were huge teething problems: microphones not working, cameras either not working or people didn't have them. We didn't know the 'rules' of zoom meetings (muting etc). But we're all past that now. Plus we learnt an important thing: Most of the time, we didn't need to be at that meeting. We could have sent an email. Meetings got shorter. People learnt to be concise. If we weren't really involved, we could mute, turn the camera off, and continue working on whatever we were working on - or just look at facebook.

Nobody wants to go back to face to face meetings. Nobody wants to spend time driving across town, parking, paying tolls, waiting for everyone to be free, struggling to setup your notebook to work with the projector, then using up the obligatory one hour in the board room trying to pad out a meeting.

We can do pretty much everything on zoom. Usually we can do it better.

You can be anywhere in the world

This will probably turn out to be a downside. As employers work out the first two points, they will probably decide that employing someone to do your job in India or The Philippines will save a lot of money. So to you, that may make you think you can live anywhere and still keep your job, the reality is that you may be introduced to new members of your 'team' that are offshore and need to be trained by you in all aspects of your job.

Of course, this is just an extension of globalisation. The pros and cons of which are outside of this discussion. How it affects you is the overarching issue. I've already seen this happening with one large company I know transitioning to IT support being offered by an Indian based company. I worked with my counterpart in the handover. His skillset was roughly equal to mine and we held similar positions. However, because he lives in India, his salary was about half that of mine. By Indian standards, that was great - he was paid very well. The point is that this disparity will continue to drive knowledge based jobs offshore to a much greater extent than it will permit you to move to Tasmania.

The CBD will become the place where people live more so than where they work    

Nobody wants commercial real estate in the city anymore. Offices have emptied. Those that are left attract vastly lower rentals than before. For an industry driven by debt, no back will lend at anything near the value of the resource. 

Residential properties in cities, however, have boomed. Restrictions in travel meant that if you wanted to go to the city, you had to live there. As more people move to the cities to live, prices rise and suddenly commercial developments are now being restructured as residential. In fact, the highest value seem s to be in the commercial/residential mix. Where there is a residential building, with shops and cafes at ground floor, and gyms, day care, professional suites, schools, universities, small offices etc. at the lower levels. Some include green space and play grounds creating a fully self contained living environment free from unnecessary commuting. 

In the suburbs, an office is an essential room

Two of the rooms in our house have now been converted to offices. My wife and I worked out we couldn't really share an office with me working full time from home. In house auctions, it has been noticed that homes with a dedicated and separate office command much higher prices than those that don't. Even more so if the office has an external entrance or easy courier access.

I spend way more time in my home office than I do in the loungeroom or bedroom. For me, it has become the most important room in the house.

You don't have to "go" shopping

With home delivery of goods, click and collect, home shopping, that trip to the shopping mall isn't necessary any more. But try and buy local and not from Amazon.

Restaurants and cafes aren't a luxury

Fast Food chains will weather the pandemic. Your local family owned Italian restaurant may not. Many that adapted to the pandemic: with simpler menus, delivery friendly foods, contactless trading etc. seem to have done okay. If you enjoy going to your local restaurant as a treat every couple of months, make sure you patronise them regularly during lockdown. Otherwise, they may not be there afterwards.

Self-care isn't self-indulgent

As a poor uni student, I learnt that if I treated myself to an iced-chocolate once a fortnight, I didn't feel so poor. It was something simple I could look forward two that made me feel just a little bit special.

Pampering is vital to well-being. Activities that once felt indulgent became essential to our health and equilibrium, and that self-care mindset is likely to endure. Whether it is permission to take long bubble baths, tinkering in the shed, planting a tree in the backyard, watching a pay-per-view on netflix, anything that helps you to feel better about yourself will not only help you, it will help those around you.

We don't store enough food and provisions

The big lesson we should have learnt is we must have 1-2 months supply of non-perishable food and provisions: toilet paper, rice, pasta, flour, sugar, long life milk, cleaning products, toiletries, tinned food, water - all of things things can become very scarce in hours if there is panic buying. Perishables don't suffer as much. These things are easy to store, cheap to buy and you suffer if you don't have them. So get them and avoid panic buying.

Some jobs are essential

Every military in the world has reserve forces. The basic idea is to take a young person, train them to be a soldier in peacetime through a very small imposition of their time and give them some money to make a sweet deal. In Australia, the general commitment is one night per week, one weekend a month, two weeks a year. For that, you receive some tax free dollars and training as a soldier. The quid pro quo is that anytime up until twenty years after you leave the reserve you can be activated. This allows the military to keep a small military during peacetime, but rapidly expand it in case of war with already trained soldiers. 

We realise the value of this for ware. We should now realise we need this in case of a long term medical emergency such as a pandemic. The recent bushfires show that we need this for other emergency services as well.

So, we should have reserve paramedics, nurses, orderlies etc. People that have a basic level of training in a profession. Enough to assist the permanent staff during a crisis. Consequently, other emergency services such as fire fighters and police deputies should be included as well.

We won't prepared for the next one

This pandemic was and is pretty bad. But it could be a lot worse. Until Delta, the reproductive factor was relatively low (2.4). Delta changed everything, but at least it didn't start out with Delta's reproductive rate (estimated at 9.0).

The mortality rate (at around 2%-3%) whilst bad, was at least within the realms of manageability. If the mortality rate was 10% or higher, we may have well seen major civilisation changes: civil war, anarchy, financial system collapse. The previous two coronavirus outbreaks (SARS and MERS) had mortality rates of 10% and 90% respectively. Fortunately, both had low reproductive rates. The black plague had a mortality rate of around 50%.

Experts universally agree this isn't the last outbreak. There will be more. Statistically, the next one will be much worse. But we aren't prepared for it. We're still struggling to deal with the current one. We've learnt a lot, yes, and we've developed some incredible medical preventions and treatments.But as this pandemic trails off and either disappears or becomes endemic, the money for further research will disappear very quickly.

Ten Questions for Anti-Vaxers

When I encounter a REAL anti-vaxer, I generally try to ask them the following ten questions.

Now, when I say anti-vaxer, I don't mean the vaccine hesitant or those that are convinced by an anti-vax website or YouTube video. I'm referring to those who run the websites, write the books, make the videos etc.

The one's who should know better.

The one's who actually do know better.

The one's who are anti-vax, not because they don't think vaccines are safe and effective, but because they KNOW they are safe and effective. Well... most of them.

"How can that be?" You say. Well, scratch an anti-vaxer, you'll find a racist eugenicist that Dr Mengele would be proud of. It's that simple.

Image credit: Eugenics Society Poster, 1930s (Wikimedia Commons | CC BY 4.0)

The problem is, they can't admit it. Nobody would listen to them. They would have no followers and no influence. Also no $$$ from the book sales and lecture tours.

The thing is, they're proud of their stance. They'd love to admit it. So, they just need a little encouragement to do so.

Now I did say "most of them". There are some that are - well - nutcases. These will usually have a swag of conspiracy theories: The Earth is flat; Lizardmen control the world; Moon landing hoax; Bill Gates is the anti-Christ; 9/11 truthers; Birthers; 5G. It doesn't matter. Conspiracy theories are like Tim Tams: You can't stop at one. You also can't reason with them, but you can get them to admit to the other conspiracy theories. That's usually enough to discredit them a little. But for some reason Chef Pete is like Teflon when it comes to this. Maybe that says more about his followers than anything else.

The ten questions are all about anti-vaxers outing themselves for what they really are. So, often they will ignore them or avoid answering them directly. Don't let them off the hook. If they say it isn't a simple yes or no, ask why. Keep asking. Don't let them shake you. Get others to ask the same simple questions.

The first two questions are simply a way to separate the wolves from the goats. A conspiracy theorist will usually reject one or both of these, so the others become superfluous. If they reject both, then continuing further is impossible. You simply don't have a common grounding in logic and reality. Any argument will quickly devolve into either solipsism or magical thinking. You may be able to get them to admit to other conspiracy theories, which would be a win of sorts.

1. Do you accept the Scientific Method? 

For some reason, we seem to have a plague of scientific-illiteracy on social media. This is compounded by the illiterate reveling in their illiteracy as though it's something to be proud of.

There's nothing magical about science. In fact "science' isn't a thing, it's a discipline. Science is defined by any field of study governed by the scientific method. Broadly speaking, Science is simply a systematic way for carefully and thoroughly observing nature and using consistent logic to evaluate results.

Ask them: Which part of that do they disagree with? Being thorough? Using careful observation? Being systematic? Or using consistent logic?

The scientific method mandates that all aspects of scientific research must be:
- testable
- reproduceable
- falsifiable

https://www.livescience.com/20896-science-scientific-method.html

The scientific method has been around for over 300 years. Adherence to the scientific method has provided us with every single technological advancement we recognise today and has doubled our life expectancy. If you reject the scientific method, you should forsake the computer you're using right now, your car, electricity, flying, your ready access to food and medicine.

There are some people who like to point to changes in scientific opinions over time as an example of science not working when exactly this is the opposite. Following the scientific method requires you to change your opinions when new data shows that opinion to be incorrect. Sure, science has been proven wrong, but it's always by better science and not because of some fanciful dogmatic idea that someone had. It was because the evidence lead in a different direction and scientists - as a body - moved in that direction.

2. Do you accept the Germ Theory of Disease?

Adherence to the Scientific Method lead to one of the greatest scientific discoveries of all time: Louis Pasteur's Germ Theory of disease. It remains one of the greatest scientific lay-down miseres of all time with an overwhelming body of irrefutable proof. Prior to this it was thought that "Miasmas" were responsible for disease. Miasma theory posited that diseases were the product of environmental factors such as contaminated water, foul air, and poor hygienic condition rather than from microorganisms. So, when an antivaxer starts spouting these reasons, then they probably deny Germ Theory as well. This is why they reject vaccines, because if vaccines DID actually work, then they'd have to accept Germ Theory.

If you get a yes to both questions, then you can proceed on. Most likely, you'll have a eugenicist. So the trick is to get a straight answer without sounding dogmatic or manichaean. Don't tell them they have to give a yes or now answer, ask them why they can't. Probe every reason and sub reason. If they get angry or complain, ask them why it's such a big deal. If they still don't, restate the question as "So, you don't know if xxx is true (or false)". They don't like to say they don't know something, so they'll usually say "Yes, I do know" which you follow up with "Well, why didn't you just say so in the first place?"

3. Do you think the Earth is overpopulated?

This one is easy. Most (if not all) will say yes. It means little, but it builds a foundation to follow. One they can't backtrack on or use as an excuse later, because the admitted it. Also, it gets them used to them saying yes and you moving on like it's no big deal - which at this stage it isn't.

4. Do you think the only way to survive as a species is to drastically reduce our population in a short period of time?

This should come easily as well. For most eugenicists, this is THEIR argument. The one THEY own, which they use with their indoctrinated sheep later on.

But they may smell a rat here. So you made need to spend a little time in clarification. Perhaps you may need to reword it to their liking. You may even ask them to reword it. After all, you don't want to create a strawman.

5. Do you agree that the statement "Survival of the fittest?" should apply to humanity as well as the animal kingdom.

This is another eugenicist article of faith. However, at this point they'll probably smell a rat and start looking for the exit. Don't let them. Hang on and reword it to their liking if necessary.

6. Do you think that we are generally weaker and less healthy than we were 200 years ago?

It would be extremely difficult for a anti-vaxer to say no to this question after saying yes to the preceding ones. If they say no, then why are we healthier? because of modern medicine of course!

The answer is actually no. We live twice as long, suffer less and no longer die from simple things. To say we were healthier back then ignores survivor bias.Thing of all the illnesses you've suffered in your life, accidents you had, operations etc. Without modern medicine, would you be alive or dead right now?

7. Do you think that modern medicine has contributed to weakening the gene pool?

Now we are getting to the nitty gritty. At the core of the eugenicist argument is that by culling the weak, those that are left have healthier genes and only they go on to reproduce. This is the crux of their argument. Since eugenicists do have a core of like-minded believers, they can't say no or even prevaricate. Whereas a yes won't mean very much to the sheep, it provides the solid ground for the remaining questions.

8. Do you think that childhood vaccines and other health interventions in children have allowed weaker children that normally would have died to grow up and reproduce?

This question follows from the last as night follows day. But this is the big one that will rock the sheep.

If they say yes, they admit that vaccines actually work. If they didn't, then 'weaker' children wouldn't survive these diseases. This is actually the opposite of what they imply to their followers.

Have fun in this space.

9. Do you think that some racial groups have better, stronger genetics than others?

This simply also follows on Q7. If ALL health is genetic, then some races are naturally healthier, smarter, better than others. It's simply a logical extension of racial theory and eugenics.

Hang around in anti-vax echo chambers for long enough and you will see a lot of casual racism, espcially anti-semitism.It's vile and disgusting, but there for the faithful to see and ignore. 

If you can handle it, and don't call them out on it, they you'll see more and more of it from these cryptofascists.

10 Do you think that allowing children to get childhood diseases (which some may die from) will improve the overall health of the gene pool?

If you've managed to get this far: congratulations! You've done better than me. These oxygen-thieves are smart enough to ignore this question (usually). If you can get them to admit to this question, you have proof they are a eugenicist.

Scratch an anti-vaxer, you'll find a racist eugenicist that wants your children to die.

Wayne's Deadly Toblerone Cheesecake

Firstly, make your favourite biscuit base and place it in a shallow, springform cake dish that is well greased and chill. You can cheat and use a prepared crust if you like. As for me, I use crushed Maria biscuits and butter.

Ingredients: (metric - 1 tablespoon = 40ml, 1 cup = 250 ml)
750g Philadelphia cream cheese (3 blocks) - one can be light Philly if you're a wimp
2 eggs
1 tablespoon of cocoa
1 tablespoon of white rice flour (or plain flour)
1 tablespoon of butter
1 x 100g Toblerone (preferably dark Toblerone)
3/4 metric cup castor sugar
condensed milk
liquid pouring cream (to serve)

Method:
1. Beat cream cheese and sugar together, add some condensed milk to help soften and to add to flavour. Generally no more than 1/4 tin of condensed milk should be added.
2. Melt Toblerone in the microwave with the butter, be careful not to boil it. Use small steps and mix with the butter until smooth and not split. The butter is optional but does aid in the melting and binding and reduces the risk of cracking. The less the better as the more you use the higher the chance of splitting the chocolate.
3. Add the melted Toblerone, flour and cocoa to the cream cheese and mix well. Then add the eggs and mix again.
4. Pour into prepared crust and bake at 160 degrees celsius for 60 minutes.
5. When cooked it should still have a slight wobble in the middle. Leave in oven to cool to avoid cracking. Remove from oven and chill overnight.
6. When serving dust with icing sugar or top with grated Toblerone.

tips:
1 Soften Cream Cheese.
2 Be gentle with the eggs - Overbeating after the eggs are added can result in cracked cheesecakes.
3 No peeking! Opening the oven door during baking can cause cheesecakes to crack.
4 Set the timer. Start with the shortest baking time and add more time only if necessary.
5 You can also cook this in ramekins in a steamer for 10-15 minutes. When cooked, cut a hole in the centre, remove the cheesecake 'hole'. Fill with pouring cream, stir and replace the cheesecake hole prior to serving. Steaming will leave the centre slightly gooey. This will mix with the cream to make a liquid ganache centre. When steaming, do not chill, but serve immediately.
6 I plan to try cooking this in an air fryer sometime to see if it works.

NB: This is VERY rich! I serve it on a plate surrounded by liquid pure cream. The cream is necessary as the cheesecake will soak up the cream so as not to make it too rich. I also make a redcurrant sauce that I boil in the microwave and poor over the top immediately prior to serving.

To date, I have only found one person who can eat a whole slice without turning green.

Nutrional information:
I estimate the fat content to be about 400g of which 300g would be saturated and about 5000 calories. This is about 8 times the daily allowance of fat and enough calories to keep a fit, active adult going for two days.

My favourite part of this dish is watching the face of people when they first take a bite!