Archiving

Matomo 4 recommends running archiving from cron. First, disable "browser archiving" under System > General.

Then we can create a new cron job:

sudo vim /etc/cron.d/matomo-archive

Insert and modify where needed:

MAILTO="<your email address>"
5 * * * * www-data /usr/bin/php /var/www/html/matomo/console core:archive --url=http://example.com/matomo/ > /var/log/matomo-archive.log

You can test and verify the outcome:

sudo su www-data -s /bin/bash -c "/usr/bin/php /var/www/html/matomo/console core:archive --url=http://example.com/matomo/"

 

File permissions

Sometimes the system check reports errors like:

Try #: LOAD DATA INFILE : SQLSTATE[28000]: Invalid authorization specification: 1045 Access denied for user 'matomo'@'%' (using password: YES)[28000]
Try #: LOAD DATA INFILE : SQLSTATE[HY000]: General error: 13 Can't get stat of '/var/www/html/matomo/tmp/assets/matomo_option-d600bef9d230d99e92a7ce3b9541b49c.csv' (OS errno 13 - Permission denied),
Try #: LOAD DATA LOCAL INFILE : SQLSTATE[42000]: Syntax error or access violation: 3948 Loading local data is disabled; this must be enabled on both the client and server sides[42000]

To fix this you need to take the following steps:

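First, grant the global FILE privilege to your Matomo database user. FILE lets that account read and write files on the database server (limited by secure_file_priv), so grant it to the Matomo account only, and use the same user and host that Matomo connects as (the error above shows 'matomo'@'%'):

mysql> GRANT FILE ON *.* TO 'matomo'@'localhost';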

Then you need to edit:

sudo vim /etc/mysql/conf.d/mysql.cnf

# add
[mysql]
local-infile = 1
[mysqld]
local-infile = 1

# restart service
sudo service mysql restart

That should be it.

Since Joomla version 3.10 it is recommended to turn output_buffering off in php.ini.

This can be done easily by editing:

sudo vim /etc/php/7.4/apache2/php.ini

# add/modify

output_buffering = off

# restart service
sudo service apache2 restart

Check your PHP version first; in this example it's 7.4. That's it!

A previous article described how to install Fail2Ban. You will regularly need to reboot your operating system to finish installing (security) updates. Without extra measures, previously banned IP addresses are lost on reboot. To make a ban permanent, create a new file:

sudo touch /etc/fail2ban/ip.blacklist

Edit the file /etc/fail2ban/action.d/iptables-multiport.conf, search for actionban and add the second line (continuation lines must be indented):

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            echo <ip> >> /etc/fail2ban/ip.blacklist

Now search for actionstart and add the fourth line:

actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              cat /etc/fail2ban/ip.blacklist | sort | uniq | while read -r IP; do iptables -I fail2ban-<name> 1 -s "$IP" -j DROP; done

Restart your service: sudo service fail2ban restart

Now you'll notice that IPs are being banned and that ip.blacklist is filling up with these IP addresses as well. When the Fail2Ban service or your system is restarted, it will import all the IPs listed in ip.blacklist.
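The blacklist file only ever grows: actionban appends on every ban, and actionstart feeds each line to iptables. As an added example (not from the original article), the shell functions below validate and de-duplicate the file; the optional allowlist file is a hypothetical addition, for instance for your own admin address.

```shell
#!/bin/sh
# Added example, not part of the original article.
# clean_blacklist FILE [ALLOWLIST]
#   Prints each well-formed IPv4 address in FILE once, in first-seen order.
#   ALLOWLIST (hypothetical file, one trusted IP per line) is never printed.
clean_blacklist() {
    awk -v allowfile="${2:-/dev/null}" '
        BEGIN { while ((getline line < allowfile) > 0) allow[line] = 1 }
        {
            # Exactly one field that looks like a dotted quad.
            if (NF != 1 || $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            n = split($1, octet, ".")
            for (i = 1; i <= n; i++) {
                # Reject octets over 255 and zero-padded octets such as 010.
                if (length(octet[i]) > 3 || octet[i] + 0 > 255 || octet[i] ~ /^0./) next
            }
            if (($1 in allow) || seen[$1]++) next
            print $1
        }
    ' "$1"
}

# compact_blacklist FILE [ALLOWLIST]
#   Rewrites FILE in place with the cleaned list, via a temp file and rename.
compact_blacklist() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    if clean_blacklist "$1" "$2" > "$tmp"; then
        mv "$tmp" "$1"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Demo on constructed input (documentation-range addresses): sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp) || exit 1
    printf '%s\n' 203.0.113.7 198.51.100.20 203.0.113.7 999.1.1.1 not-an-ip > "$demo"
    clean_blacklist "$demo"
    rm -f "$demo"
fi
```

Running compact_blacklist /etc/fail2ban/ip.blacklist as root before restarting Fail2Ban keeps the list that actionstart loads short and free of malformed lines.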

A previous article described the installation of Fail2Ban. After a few days you may notice that Fail2Ban stops working. This appears to happen right after log rotation. To fix this, edit /etc/fail2ban/jail.local and change the following line:

#backend = auto
backend = polling