The iptables tool is one of the simplest, most powerful tools you can use to protect your server. We've covered port redirection, rule processing and troubleshooting in previous installments to this "Tips and Tricks" series, but what happens when iptables turns against you and locks you out of your own system? Getting locked out of a production server can cost both time and money, so it's worth your time to avoid this, since investing the money to generate more money is a better option and there are tools that help doing this in sites as The Ascent online. If you follow the correct procedures, you can safeguard yourself from being firewalled off of your server. Here are seven helpful tips to help you keep your sanity and prevent you from locking yourself out. Tip 1: Keep a safe ruleset handy. If you are starting with a working ruleset, or even if you are trying to troubleshoot an existing ruleset, take a backup of your iptables configuration before you ever start working on it. iptables-save > /root/iptables-safe Then if you do something that prevents your website from working, you can quickly restore it. iptables-restore Tip 2: Create a cron script that will reload to your safe ruleset every minute during testing. This was pointed out to my by a friend who swears by this method. Just write a quick bash script and set a cron entry that will reload it back to the safe set every minute. You'll have to test quickly, but it will keep you from getting…
The iptables tool is one of the simplest, most powerful tools you can use to protect your server. We've covered port redirection, rule processing and troubleshooting in previous installments to this "Tips and Tricks" series, but what happens when iptables turns against you and locks you out of your own system? Getting locked out of a production server can cost both time and money, so it's worth your time to avoid this. If you follow the correct procedures, you can safeguard yourself from being firewalled off of your server. Here are seven helpful tips to help you keep your sanity and prevent you from locking yourself out. Tip 1: Keep a safe ruleset handy. If you are starting with a working ruleset, or even if you are trying to troubleshoot an existing ruleset, take a backup of your iptables configuration before you ever start working on it. iptables-save > /root/iptables-safe Then if you do something that prevents your website from working, you can quickly restore it. iptables-restore Tip 2: Create a cron script that will reload to your safe ruleset every minute during testing. This was pointed out to my by a friend who swears by this method. Just write a quick bash script and set a cron entry that will reload it back to the safe set every minute. You'll have to test quickly, but it will keep you from getting locked out. Tip 3: Have the IPMI KVM ready. SoftLayer-pod servers* are equipped with some sort of remote access device. Most of them have a KVM console. You…
If you encounter this warning message under Linux: 4096 worker_connections are more than open file resource limit: 1024 A solution is to use the command ulimit in nginx start script, just before lunching nginx: ulimit -n 65536
To find files on a linux system you can use following command: # find / -name xxxx But I prefer to use the locate command. This command is extremely easy to use and it’s faster than the find-command. # locate filename To install the locate package, use yum. # yum install mlocate To update it’s ‘internal database’, run following command. # updatedb To find a file, use following command # locate httpd.conf /etc/httpd/conf/httpd.conf
While working with APF on servers, you might normally get to see the following error, #apf -r apf(2042): {glob} flushing & zeroing chain policies apf(2042): {glob} firewall offline apf(3179): {glob} activating firewall apf(3284): {glob} unable to load iptables module (ip_tables), aborting. apf(3179): {glob} firewall initalized apf(3179): {glob} fast load snapshot saved Your kernel is compiled with iptables statically instead of as a module, to resolve this you will need to change a small configuration in /etc/apf/conf.apf SET_MONOKERN=”0″ Set it to “1″ Once this is done, restart apf to see the error vanishing. SET_MONOKERN # This allows the firewall to work around modular kernel issues by assuming # that the system has all required firewall modules compiled directly into # kernel. This mode of operation is not generally recommended but can be used # scale APF to unique situations.
Let's talk about APF. APF — Advanced Policy Firewall — is a policy-based iptables firewall system that provides simple, powerful control over your day-to-day server security. It might seem intimidating to be faced with all of the features and configuration tools in APF, but this blog should put your fears to rest. APF is an iptables wrapper that works alongside iptables and extends its functionality. I personally don't use iptables wrappers, but I have a lot of experience with them, and I've seen that they do offer some additional features that streamline policy management. For example, by employing APF, you'll get several simple on/off toggles (set via configuration files) that make some complex iptables configurations available without extensive coding requirements. The flip-side of a wrapper's simplicity is that you aren't directly in control of the iptables commands, so if something breaks it might take longer to diagnose and repair. Before you add a wrapper like APF, be sure that you know what you are getting into. Here are a few points to consider: Make sure that what you're looking to use adds a feature you need but cannot easily incorporate with iptables on its own. You need to know how to effectively enable and disable the iptables wrapper (the correct way ... read the manual!), and you should always have a trusted failsafe iptables ruleset handy in the unfortunate event that something goes horribly wrong and you need to disable the wrapper. Learn about the basic configurations and rule changes you can apply via the command line. You'll need to…
Introduction Config Server Firewall (or CSF) is a free and advanced firewall for most Linux distributions and Linux based VPS. In addition to the basic functionality of a firewall – filtering packets – CSF includes other security features, such as login/intrusion/flood detections. CSF includes UI integration for cPanel, DirectAdmin and Webmin, but this tutorial only covers the command line usage. CSF is able to recognize many attacks, such as port scans, SYN floods, and login brute force attacks on many services. It is configured to temporarily block clients who are detected to be attacking the cloud server. The full list of supported operating systems and features can be found on ConfigServer's website. This tutorial is written for Debian based VPS, such as Debian and Ubuntu. The commands should be executed with root permissions, by logging in as root, or initiating a root shell with the following command if sudo is installed: sudo su Note: This tutorial covers IPv4 security. In Linux, IPv6 security is maintained separately from IPv4. For example, "iptables" only maintains firewall rules for IPv4 addresses but it has an IPv6 counterpart called "ip6tables", which can be used to maintain firewall rules for IPv6 network addresses. If your VPS is configured for IPv6, please remember to secure both your IPv4 and IPv6 network interfaces with the appropriate tools. For more information about IPv6 tools, refer to this guide: How To Configure Tools to Use IPv6 on a Linux VPS Features Config Server Firewall offers a wide range of protections for your VPS. Login authentication failure daemon: CSF checks…
Generally, a properly tuned Nginx server on Linux can handle 500,000 - 600,000 requests per second. My Nginx servers consistently handle 904k req/sec, and have sustained high loads like these for the ~12 hours that I tested them. It's important to know that everything listed here was used in a testing environment, and that you might actually want very different settings for your production servers. Install the Nginx package from the EPEL repository or use existing web panels with nginx stack. Back up the original nginx.conf config file, and start hacking away at a config of your own. # This number should be, at maximum, the number of CPU cores on your system. # (since nginx doesn't benefit from more than one worker per CPU.) worker_processes 4; # Number of file descriptors used for Nginx. This is set in the OS with 'ulimit -n 200000' # or using /etc/security/limits.conf worker_rlimit_nofile 10280; # only log critical errors error_log /var/log/nginx/error.log crit [events] # Determines how many clients will be served by each worker process. # (Max clients = worker_connections * worker_processes) # "Max clients" is also limited by the number of socket connections available on the system (~64k) worker_connections 4000; [events] # essential for linux, optmized to serve many clients with each thread use epoll; [events] # Accept as many connections as possible, after nginx gets notification about a new connection. # May flood worker_connections, if that option is set too low. multi_accept on; [http] # Caches information about open FDs, freqently accessed files. # Changing this setting, in my environment,…
crontab(5) BSD File Formats Manual crontab(5) NAME crontab -- tables for driving cron DESCRIPTION A crontab file contains instructions to the cron(8) daemon of the general form: ``run this command at this time on this date''. Each user has their own crontab, and commands in any given crontab will be executed as the user who owns the crontab. Uucp and News will usually have their own crontabs, eliminating the need for explicitly running su(1) as part of a cron command. (Darwin note: Although crontab(5) are officially supported under Darwin, their functionality has been absorbed into launchd(8), which provides a more flexible way of automatically executing commands. See launchd.plist(5) for more information.) Blank lines and leading spaces and tabs are ignored. Lines whose first non-space character is a pound-sign (#) are comments, and are ignored. Note that comments are not allowed on the same line as cron commands, since they will be taken to be part of the command. Similarly, comments are not allowed on the same line as environment variable settings. An active line in a crontab will be either an environment setting or a cron command. An environment setting is of the form, name = value where the spaces around the equal-sign (=) are optional, and any subse- quent non-leading spaces in value will be part of the value assigned to name. The value string may be placed in quotes (single or double, but matching) to preserve leading or trailing blanks. The name string may also be placed in quote (single or double, but matching) to preserve leading, trailing…
People find unable to get permalink work in Wordpress when use Nginx stack. It's because Nginx rewrite rule for Wordpress has been set up. Follow the instruction below to get this done. At the beginning, I thought the following method was alright till I found out it was generated by Webuzo and gets overwritten by Webuzo every time you make site configuration change. nano /usr/local/apps/nginx/etc/conf.d/webuzoVH.conf Add: if (!-e $request_filename) { rewrite ^(.+)$ /index.php?q=$1 last; } make it look like: server { listen 80; server_name yoursite.com www.yoursite.com; # The Document Root root /home/admin/www/yoursite.com; error_log /usr/local/apps/nginx/var/log/yoursite.com.err; access_log /usr/local/apps/nginx/var/log/yoursite.com.log main; include /usr/local/apps/nginx/etc/conf.d/common; if (!-e $request_filename) { rewrite ^(.+)$ /index.php?q=$1 last; } } restart nginx service nginx restart So, let add the rewrite in /usr/local/apps/nginx/etc/conf.d/common add the following to the file: #For wordpress if (!-e $request_filename) { rewrite ^(.+)$ /index.php?q=$1 last; } Then, restart nginx service nginx restart
Rewrite rules compatible with WordPress permalinks: # Handle 404 errors server.error-handler-404 = "/index.php" # Rewrite rules url.rewrite-final = ( # Exclude some directories from rewriting "^/(wp-admin|wp-includes|wp-content|gallery2)/(.*)" => "$0", # Exclude .php files at root from rewriting "^/(.*.php)" => "$0", # Handle permalinks and RSS feeds "^/(.*)$" => "/index.php/$1" )
Step 1: Use VestaCP built-in tool to generate a CSR Save the gererated CSR file and private key file. Step 2: Hand in the CSR to Comodo and you will receive a zip package containing these four files. The last masked one is the signed SSL Certificate. Input the content of the last file showed in the above picture in to "SSL Certificate" below. Input the content of the private key you saved in Step 1 into "SSL Key" below Step 3: You need to make my your own bundle file from CRT files The order is: 1->2->3 showed in the picture in Step 2 Command Line: Linux or UNIX-like Operating Systems: cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > yourDomain.ca-bundle Windows or DOS: copy COMODORSADomainValidationSecureServerCA.crt + COMODORSAAddTrustCA.crt + UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt yourDomain.ca-bundle Input the content of yourDomain.ca-bundle you just generated into "SSL Certificate Authority / Intermediate".
Today, it's been 365 days since VPSDime started its journey. VPSDime's foundation was laid on Low End Talk soil. Fellow members made this brand what it is today. All your patronage is sincerely appreciated. To give back to the community and celebrate our birthday, we have decided to deploy some E3 nodes in our flagship datacenter provider, Incero in Dallas, TX and make a crazy sale. We love you guys! The Plan Specs: OpenVZ Container Virtualization 1 vCPU (E3 1230v2) 512MB Memory 256MB vSwap 7GB Pure SSD Space (RAID1) 1 IP Address (IPv6 to be added this week) 2TB Traffic 1Gbit Port speed The Order Link https://vpsdime.com/cart.php?a=add&pid=43 The Catch Mail ports are blocked. So, you'd need to use a third party API to send emails like Mandrill. Mandrill comes with free 12K emails per month. We do not allow BitTorrent TOR Public VPNs/Open Proxies MineCraft Servers CamFrog Digital Currency Mining Teamspeak IRC Chobots Runescape Bots llegal activity (SPAM, Port Scanning, DoS, etc.) We do allow Other gameservers such as TF2, L4D and other non-resource intensive game servers Private VPN/Proxy ZNC within cloaked IRC networks Legal Adult Content Anything else legal in the US and not listed above.
Vultr is the next provider in my series of surprise posts! They technically have been featured before in the 2014 Q1 Top Provider Poll, where they came in ninth, but I felt they needed to be in the spotlight just a tad more. Vultr has SSD-based cloud servers starting at $5/month in multiple locations across the globe. Last week they got stock back in their London location. In addition to that, they currently offer services out of New Jersey (NJ, USA), Dallas (TX, USA), Los Angeles (CA, USA), Atlanta (GA, USA), Chicago (IL, USA), Tokyo (Japan), and Sydney (Australia). If you think that’s a long list, keep in mind that their Frankfurt (Germany) and Paris (France) are currently out of stock and will be available again in the future. Contrary to some other “cloud” providers, Vultr offers you the option to deploy any distribution you like by uploading your own ISO, which gives this service a real nice edge. Vultr uses modern hardware with latest generation Intel CPU and pure SSD drives. The bandwidth varies per location, but I see a Level3 and an nLayer logo on their website, so I think they are at least used heavily in the USA and Europe! If you give them a shot, or already have, please share your experiences with us! As a limited time promotion, Vultr doubles all the payments you make up to $100! SSD KVM VPS 768MB RAM 1 CPU core 15GB SSD space 1TB bandwith 1Gbps uplink 1x IPv4 address KVM/Custom $5/month USA (New Jersey, Los Angeles, Chicago, Dallas,…
Simply adding a password for root is not enough for Ubuntu 14.04 Server. You need to edit /etc/ssh/sshd_config, and commend out the following line: PermitRootLogin without-password Just below it, add the following line: PermitRootLogin yes Then restart SSH: service ssh restart
W: GPG error: http://extras.ubuntu.com trusty Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY
gpg --keyserver keyserver.ubuntu.com --recv 3E5C1192 gpg --export --armor 3E5C1192 | sudo apt-key add -
Introduction OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices. This informational guide is geared towards application developers, and provides an overview of OAuth 2 roles, authorization grant types, use cases, and flows. Let's get started with OAuth Roles! OAuth Roles OAuth defines four roles: Resource Owner Client Resource Server Authorization Server We will detail each role in the following subsections. Resource Owner: User The resource owner is the user who authorizes an application to access their account. The application's access to the user's account is limited to the "scope" of the authorization granted (e.g. read or write access). Resource / Authorization Server: API The resource server hosts the protected user accounts, and the authorization server verifies the identity of the user then issues access tokens to the application. From an application developer's point of view, a service's API fulfills both the resource and authorization server roles. We will refer to both of these roles combined, as the Service or APIrole. Client: Application The client is the application that wants to access the user's account. Before it may do so, it must be authorized by the user, and the authorization must be validated by the API. Abstract Protocol Flow Now that you have an idea of what the OAuth roles are, let's look at a diagram of how they generally interact with each other: Here…
1. RamNode (139 votes) RamNode wins yet another Top Provider Poll. I must say, they are quite unbeatable having held the top position for quite a while now. Nick and his team have been running a stable business for a while now and have continued to do so the last quarter. They have recently expanded to New York City, bringing their total number of locations up to four. They also recently overhauled their offering, increasing disk space and lowering their prices (and no more coupons). To share his love, though, Nick sent in this new special (or well, regular actually, but it’s special because it’s new) offer which we’re able to feature first: 2 CPU cores 1024MB RAM 256MB vSwap 60GB SSD space 2TB traffic 1Gbps uplink 1x IPv4 16x IPv6 OpenVZ/SolusVM Price: $7/month Order in Atlanta This offer will be available in NYC and Seattle soon! 2. Prometeus (111 votes) Prometeus, who doesn’t know them by now? Or better yet, who doesn’t have a server with them? While they already have various brands that complement each other and iwStack (the affordable cloud), Salvatore added Xen Power to the mix late 2013 to broaden their empire of awesomeness. Another Top Provider Poll with Prometeus in the top 3 means that are doing it right (I can personally attest to that!)! To share some love, Salvatore has sent in this special offer to celebrate their second position in this poll: 2 CPU cores 512MB RAM 25GB SAS2 disk space 2TB traffic 1Gbps uplink 1x IPv4 /64 IPv6 KVM/SolusVM Coupon code: 2Q2014LEB Price…
