We are happy to announce our participation in GitHub's Student Developer Program. This will give students free access to top-notch development tools from the biggest names in our industry. The beauty of the program is that it gives students a centralized place where they can access all of these great services, free of charge, so they get a hands-on, professional experience that allows them to learn by doing. For every student that signs up for the program, DigitalOcean will provide $100 in hosting credit. The pack itself also includes special student accounts for GitHub, Atom, NameCheap, Sendgrid, and other awesome companies looking to give back in some way. Here at DigitalOcean, our mission is to make developers' lives better and we believe strongly in creating a sense of community. As developers often get their start while in school, where cost can be a limitation, it's a privilege to have the opportunity to provide support for their education. You are entitled to participate in the program if you are 13+ and enrolled in a degree or diploma granting course of study. For more information about the pack, and how to apply, check the GitHub website: https://education.github.com/pack. Love, The DO Team P.S. If you've already applied a credit to your account, just open a support ticket with the promo code and we'll get you set up.

Just to let you know that WeLoveServers will be ending their 6GB Power VPS offer in just 4 days time, so now could be your last chance to order at this very low price. Power VPS 6GB 80 GB Disk Space Storage 10 TB Bandwidth 6GB Guaranteed RAM + 6GB vSwap 1 IPv4 Address SolusVM Access Full Root Access Choice of Linux OS's Self Managed Just $19 P/M or $189 Annually Pay annually get 2 months free! CLICK HERE TO ORDER

We wanted to let you know that today, a critical vulnerability in bash(Bourne-Again-SHell) was disclosed by Stephane Chazelas. This vulnerability is so critical that even if you have Two-Factor Authentication an attacker would be able to by-pass the two-factor verification and execute commands remotely on your server. We recommend you update now. Here's a few things to help you: To test if you are vulnerable you can use the following command: env t='() { :;}; echo You are vulnerable.' bash -c "true" If it prints "You are vulnerable" you need to upgrade as soon as possible. Patches for the major Linux distributions have been already released. If you are using a Ubuntu or Debian type the following commands to apply the security patch:  apt-get update  apt-get upgrade If you are using RedHat, CentOS or Fedora type the following commands to apply the security patch:  yum clean all  yum update bash If you want to know more about this vulnerability please read the following thread on the oss-sec mailing list: http://seclists.org/oss-sec/2014/q3/650

Here is a comprehensive list of default username and passwords for most of the VMware products. If you're like me, you tend to get alot of these confused. If I left any off, please let me know in the comments.   Horizon Application Manager http://IPorDNS/SAAS/login/0 http://IPorDNS   Horizon Connector https://IPorDNS:8443/   vCenter Appliance Configuration https://IPorDNS_of_Server:5480 username: root password: vmware   vCenter Application Discovery Manager http://IPorDNS username: root password: 123456 default ADM management console password is 123456 and the CLI password is ChangeMe   vCenter Chargeback http://IPorDNS:8080/cbmui/ username: root password: vmware   vCenter Infrastructure Navigator: https://IPorDNS_of_Server:5480 username: root password: Supplied during OVA deployment   vCenter Log Insight https:// log_insight-host/ username: admin password: password specified during initial configuration   vCenter MOB https://vcenterIP/mob   vCenter Web Client Configuration https://IPorDNS_of_Server:9443/admin-app username: root password: vmware   vCenter vSphere Web Client Access https://IPorDNS_of_Server:9443/vsphere-client/ username: root password: vmware For vSphere 5.1  = Windows default username: [email protected] For vSphere 5.1 = Linux (Virtual Appliance) default username: [email protected] For vSphere 5.5 = default username: [email protected]   vCenter Single Sign On (SSO) https://IPorDNS_of_Server:7444/lookupservice/sdk For vSphere 5.1 = Windows default username: [email protected] For vSphere 5.1 = Linux (Virtual Appliance) default username: [email protected] password: specified during installation Adding AD authentication to VMware SSO 5.1 For vSphere 5.5 = default username: [email protected]   vCenter Orchestrator Appliance http://orchestrator_appliance_ip Appliance Configuration: change the root password of the appliance Linux user. Otherwise, the first time when you try to log in to the appliance Web console, you will be prompted to change the password. Orchestrator Configuration: username: vmware password:vmware Orchestrator Client: username: vcoadmin password: vcoadmin Web…

BFD (Brute Force Detection) is a script that runs on your linux server and checks log files for authentication errors. When it sees recurring authentication failures from a certain IP address it will instruct APF (Advanced Policy Firewall) to block the IP address. It’s simple to configure, just make sure you have APF running before you continue. Let’s download it: [[email protected] ~]# wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz   Now extract it: [[email protected] ~]# tar -xzvf bfd-current.tar.gz   Open the folder: [[email protected] ~]# cd bfd-1.5/   Now we can install it: [[email protected] bfd-1.5]# ./install.sh   After installation we can edit the BFD configuration file: [[email protected] bfd-1.5]# vim /usr/local/bfd/conf.bfd   Make sure you enable e-mail notifications: EMAIL_ALERTS="1"   And configure your e-mail address: EMAIL_ADDRESS="[email protected]"   It’s also a good idea to configure BFD to ignore your own IP address so you don’t lock yourself out. Just add your IP address to the following file: [[email protected] bfd]# vim /usr/local/bfd/ignore.hosts   If you want to run BFD you can do this using the following command: [[email protected] bfd]# bfd -s   It will also run automatically thanks to a cronjob: [[email protected] bfd]# vim /etc/cron.d/bfd */3 * * * * root /usr/local/sbin/bfd -q   By default each 3 minutes it will run the script and check your log files. When BFD finds anything it will instruct APF to block the IP address and you’ll receive an e-mail that looks like this: The following is a summary event for exceeded login failures on VPS1.RMCSHOSTING.NL: SOURCE ADDRESS: 20.20.20.2 TARGET SERVICE: proftpd FAILED LOGINS: 15 EXECUTED COMMAND: /etc/apf/apf -d 20.20.20.2 {bfd.proftpd} SOURCE…

In our last "iptables Tips and Tricks" installment, we talked about Advanced Policy Firewall (APF) configuration, so it should come as no surprise that in this installment, we're turning our attention toConfigServer Security & Firewall (CSF). Before we get started, you should probably run through the list of warnings I include at the top of the APF blog post and make sure you have your Band-Aid ready in case you need it. To get the ball rolling, we need to download CSF and install it on our server. In this post, we're working with a CentOS 6.0 32-bit server, so our (root) terminal commands would look like this to download and install CSF: $ wget http://www.configserver.com/free/csf.tgz #Download CSF using wget. $ tar zxvf csf.tgz #Unpack it. $ yum install perl-libwww-perl #Make sure perl modules are installed ... $ yum install perl-Time-HiRes #Otherwise it will generate an error. $ cd csf $ ./install.sh #Install CSF.   #MAKE SURE YOU HAVE YOUR BAND-AID READY   $ /etc/init.d/csf start #Start CSF. (Note: You can also use '$ service csf start') Once you start CSF, you can see a list of the default rules that load at startup. CSF defaults to a DROP policy: $ iptables -nL | grep policy Chain INPUT (policy DROP) Chain FORWARD (policy DROP) Chain OUTPUT (policy DROP) Don't ever run "iptables -F" unless you want to lock yourself out. In fact, you might want to add "This server is running CSF - do not run 'iptables -F'" to your /etc/motd, just as a reminder/warning to others. CSF loads on…

The iptables tool is one of the simplest, most powerful tools you can use to protect your server. We've covered port redirection, rule processing and troubleshooting in previous installments to this "Tips and Tricks" series, but what happens when iptables turns against you and locks you out of your own system? Getting locked out of a production server can cost both time and money, so it's worth your time to avoid this, since investing the money to generate more money is a better option and there are tools that help doing this in sites as The Ascent online. If you follow the correct procedures, you can safeguard yourself from being firewalled off of your server. Here are seven helpful tips to help you keep your sanity and prevent you from locking yourself out. Tip 1: Keep a safe ruleset handy. If you are starting with a working ruleset, or even if you are trying to troubleshoot an existing ruleset, take a backup of your iptables configuration before you ever start working on it. iptables-save > /root/iptables-safe   Then if you do something that prevents your website from working, you can quickly restore it. iptables-restore   Tip 2: Create a cron script that will reload to your safe ruleset every minute during testing. This was pointed out to my by a friend who swears by this method. Just write a quick bash script and set a cron entry that will reload it back to the safe set every minute. You'll have to test quickly, but it will keep you from getting…

The iptables tool is one of the simplest, most powerful tools you can use to protect your server. We've covered port redirection, rule processing and troubleshooting in previous installments to this "Tips and Tricks" series, but what happens when iptables turns against you and locks you out of your own system? Getting locked out of a production server can cost both time and money, so it's worth your time to avoid this. If you follow the correct procedures, you can safeguard yourself from being firewalled off of your server. Here are seven helpful tips to help you keep your sanity and prevent you from locking yourself out. Tip 1: Keep a safe ruleset handy. If you are starting with a working ruleset, or even if you are trying to troubleshoot an existing ruleset, take a backup of your iptables configuration before you ever start working on it. iptables-save > /root/iptables-safe Then if you do something that prevents your website from working, you can quickly restore it. iptables-restore Tip 2: Create a cron script that will reload to your safe ruleset every minute during testing. This was pointed out to my by a friend who swears by this method. Just write a quick bash script and set a cron entry that will reload it back to the safe set every minute. You'll have to test quickly, but it will keep you from getting locked out. Tip 3: Have the IPMI KVM ready. SoftLayer-pod servers* are equipped with some sort of remote access device. Most of them have a KVM console. You…

If you encounter this warning message under Linux: 4096 worker_connections are more than open file resource limit: 1024 A solution is to use the command ulimit in nginx start script, just before lunching nginx: ulimit -n 65536        

To find files on a linux system you can use following command: # find / -name xxxx But I prefer to use the locate command. This command is extremely easy to use and it’s faster than the find-command. # locate filename To install the locate package, use yum. # yum install mlocate To update it’s ‘internal database’, run following command. # updatedb To find a file, use following command # locate httpd.conf /etc/httpd/conf/httpd.conf

While working with APF on servers, you might normally get to see the following error, #apf -r apf(2042): {glob} flushing & zeroing chain policies apf(2042): {glob} firewall offline apf(3179): {glob} activating firewall apf(3284): {glob} unable to load iptables module (ip_tables), aborting. apf(3179): {glob} firewall initalized apf(3179): {glob} fast load snapshot saved Your kernel is compiled with iptables statically instead of as a module, to resolve this you will need to change a small configuration in /etc/apf/conf.apf SET_MONOKERN=”0″ Set it to “1″ Once this is done, restart apf to see the error vanishing. SET_MONOKERN # This allows the firewall to work around modular kernel issues by assuming # that the system has all required firewall modules compiled directly into # kernel. This mode of operation is not generally recommended but can be used # scale APF to unique situations.  

Let's talk about APF. APF — Advanced Policy Firewall — is a policy-based iptables firewall system that provides simple, powerful control over your day-to-day server security. It might seem intimidating to be faced with all of the features and configuration tools in APF, but this blog should put your fears to rest. APF is an iptables wrapper that works alongside iptables and extends its functionality. I personally don't use iptables wrappers, but I have a lot of experience with them, and I've seen that they do offer some additional features that streamline policy management. For example, by employing APF, you'll get several simple on/off toggles (set via configuration files) that make some complex iptables configurations available without extensive coding requirements. The flip-side of a wrapper's simplicity is that you aren't directly in control of the iptables commands, so if something breaks it might take longer to diagnose and repair. Before you add a wrapper like APF, be sure that you know what you are getting into. Here are a few points to consider: Make sure that what you're looking to use adds a feature you need but cannot easily incorporate with iptables on its own. You need to know how to effectively enable and disable the iptables wrapper (the correct way ... read the manual!), and you should always have a trusted failsafe iptables ruleset handy in the unfortunate event that something goes horribly wrong and you need to disable the wrapper. Learn about the basic configurations and rule changes you can apply via the command line. You'll need to…

Introduction Config Server Firewall (or CSF) is a free and advanced firewall for most Linux distributions and Linux based VPS. In addition to the basic functionality of a firewall – filtering packets – CSF includes other security features, such as login/intrusion/flood detections. CSF includes UI integration for cPanel, DirectAdmin and Webmin, but this tutorial only covers the command line usage. CSF is able to recognize many attacks, such as port scans, SYN floods, and login brute force attacks on many services. It is configured to temporarily block clients who are detected to be attacking the cloud server. The full list of supported operating systems and features can be found on ConfigServer's website. This tutorial is written for Debian based VPS, such as Debian and Ubuntu. The commands should be executed with root permissions, by logging in as root, or initiating a root shell with the following command if sudo is installed: sudo su Note: This tutorial covers IPv4 security. In Linux, IPv6 security is maintained separately from IPv4. For example, "iptables" only maintains firewall rules for IPv4 addresses but it has an IPv6 counterpart called "ip6tables", which can be used to maintain firewall rules for IPv6 network addresses. If your VPS is configured for IPv6, please remember to secure both your IPv4 and IPv6 network interfaces with the appropriate tools. For more information about IPv6 tools, refer to this guide: How To Configure Tools to Use IPv6 on a Linux VPS Features Config Server Firewall offers a wide range of protections for your VPS. Login authentication failure daemon: CSF checks…

Generally, a properly tuned Nginx server on Linux can handle 500,000 - 600,000 requests per second. My Nginx servers consistently handle 904k req/sec, and have sustained high loads like these for the ~12 hours that I tested them. It's important to know that everything listed here was used in a testing environment, and that you might actually want very different settings for your production servers. Install the Nginx package from the EPEL repository or use existing web panels with nginx stack. Back up the original nginx.conf config file, and start hacking away at a config of your own.   # This number should be, at maximum, the number of CPU cores on your system. # (since nginx doesn't benefit from more than one worker per CPU.) worker_processes 4; # Number of file descriptors used for Nginx. This is set in the OS with 'ulimit -n 200000' # or using /etc/security/limits.conf worker_rlimit_nofile 10280; # only log critical errors error_log /var/log/nginx/error.log crit [events] # Determines how many clients will be served by each worker process. # (Max clients = worker_connections * worker_processes) # "Max clients" is also limited by the number of socket connections available on the system (~64k) worker_connections 4000; [events] # essential for linux, optmized to serve many clients with each thread use epoll; [events] # Accept as many connections as possible, after nginx gets notification about a new connection. # May flood worker_connections, if that option is set too low. multi_accept on; [http] # Caches information about open FDs, freqently accessed files. # Changing this setting, in my environment,…

crontab(5) BSD File Formats Manual crontab(5) NAME crontab -- tables for driving cron DESCRIPTION A crontab file contains instructions to the cron(8) daemon of the general form: ``run this command at this time on this date''. Each user has their own crontab, and commands in any given crontab will be executed as the user who owns the crontab. Uucp and News will usually have their own crontabs, eliminating the need for explicitly running su(1) as part of a cron command. (Darwin note: Although crontab(5) are officially supported under Darwin, their functionality has been absorbed into launchd(8), which provides a more flexible way of automatically executing commands. See launchd.plist(5) for more information.) Blank lines and leading spaces and tabs are ignored. Lines whose first non-space character is a pound-sign (#) are comments, and are ignored. Note that comments are not allowed on the same line as cron commands, since they will be taken to be part of the command. Similarly, comments are not allowed on the same line as environment variable settings. An active line in a crontab will be either an environment setting or a cron command. An environment setting is of the form, name = value where the spaces around the equal-sign (=) are optional, and any subse- quent non-leading spaces in value will be part of the value assigned to name. The value string may be placed in quotes (single or double, but matching) to preserve leading or trailing blanks. The name string may also be placed in quote (single or double, but matching) to preserve leading, trailing…

People find unable to get permalink work in Wordpress when use Nginx stack. It's because Nginx rewrite rule for Wordpress has been set up. Follow the instruction below to get this done. At the beginning, I thought the following method was alright till I found out it was generated by Webuzo and gets overwritten by Webuzo every time you make site configuration change. nano /usr/local/apps/nginx/etc/conf.d/webuzoVH.conf Add: if (!-e $request_filename) { rewrite ^(.+)$ /index.php?q=$1 last; } make it look like: server { listen 80; server_name yoursite.com www.yoursite.com; # The Document Root root /home/admin/www/yoursite.com; error_log /usr/local/apps/nginx/var/log/yoursite.com.err; access_log /usr/local/apps/nginx/var/log/yoursite.com.log main; include /usr/local/apps/nginx/etc/conf.d/common; if (!-e $request_filename) { rewrite ^(.+)$ /index.php?q=$1 last; } } restart nginx service nginx restart So, let add the rewrite in /usr/local/apps/nginx/etc/conf.d/common add the following to the file: #For wordpress if (!-e $request_filename) { rewrite ^(.+)$ /index.php?q=$1 last; } Then, restart nginx service nginx restart    

Rewrite rules compatible with WordPress permalinks: # Handle 404 errors server.error-handler-404 = "/index.php" # Rewrite rules url.rewrite-final = ( # Exclude some directories from rewriting "^/(wp-admin|wp-includes|wp-content|gallery2)/(.*)" => "$0", # Exclude .php files at root from rewriting "^/(.*.php)" => "$0", # Handle permalinks and RSS feeds "^/(.*)$" => "/index.php/$1" )  

Step 1:  Use VestaCP built-in tool to generate a CSR Save the gererated CSR file and private key file. Step 2: Hand in the CSR to Comodo and you will receive a zip package containing these four files. The last masked one is the signed SSL Certificate. Input the content of the last file showed in the above picture in to "SSL Certificate" below. Input the content of the private key you saved in Step 1 into "SSL Key" below   Step 3: You need to make my your own bundle file from CRT files The order is: 1->2->3 showed in the picture in Step 2 Command Line: Linux or UNIX-like Operating Systems: cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > yourDomain.ca-bundle Windows or DOS: copy COMODORSADomainValidationSecureServerCA.crt + COMODORSAAddTrustCA.crt + UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt yourDomain.ca-bundle Input the content of yourDomain.ca-bundle you just generated into "SSL Certificate Authority / Intermediate".