Let's talk about APF. APF — Advanced Policy Firewall — is a policy-based iptables firewall system that provides simple, powerful control over your day-to-day server security. It might seem intimidating to be faced with all of the features and configuration tools in APF, but this blog should put your fears to rest. APF is an iptables wrapper that works alongside iptables and extends its functionality. I personally don't use iptables wrappers, but I have a lot of experience with them, and I've seen that they do offer some additional features that streamline policy management. For example, by employing APF, you'll get several simple on/off toggles (set via configuration files) that make some complex iptables configurations available without extensive coding requirements. The flip-side of a wrapper's simplicity is that you aren't directly in control of the iptables commands, so if something breaks it might take longer to diagnose and repair. Before you add a wrapper like APF, be sure that you know what you are getting into. Here are a few points to consider: Make sure that what you're looking to use adds a feature you need but cannot easily incorporate with iptables on its own. You need to know how to effectively enable and disable the iptables wrapper (the correct way ... read the manual!), and you should always have a trusted failsafe iptables ruleset handy in the unfortunate event that something goes horribly wrong and you need to disable the wrapper. Learn about the basic configurations and rule changes you can apply via the command line. You'll need to…

Introduction Config Server Firewall (or CSF) is a free and advanced firewall for most Linux distributions and Linux based VPS. In addition to the basic functionality of a firewall – filtering packets – CSF includes other security features, such as login/intrusion/flood detections. CSF includes UI integration for cPanel, DirectAdmin and Webmin, but this tutorial only covers the command line usage. CSF is able to recognize many attacks, such as port scans, SYN floods, and login brute force attacks on many services. It is configured to temporarily block clients who are detected to be attacking the cloud server. The full list of supported operating systems and features can be found on ConfigServer's website. This tutorial is written for Debian based VPS, such as Debian and Ubuntu. The commands should be executed with root permissions, by logging in as root, or initiating a root shell with the following command if sudo is installed: sudo su Note: This tutorial covers IPv4 security. In Linux, IPv6 security is maintained separately from IPv4. For example, "iptables" only maintains firewall rules for IPv4 addresses but it has an IPv6 counterpart called "ip6tables", which can be used to maintain firewall rules for IPv6 network addresses. If your VPS is configured for IPv6, please remember to secure both your IPv4 and IPv6 network interfaces with the appropriate tools. For more information about IPv6 tools, refer to this guide: How To Configure Tools to Use IPv6 on a Linux VPS Features Config Server Firewall offers a wide range of protections for your VPS. Login authentication failure daemon: CSF checks…

Generally, a properly tuned Nginx server on Linux can handle 500,000 - 600,000 requests per second. My Nginx servers consistently handle 904k req/sec, and have sustained high loads like these for the ~12 hours that I tested them. It's important to know that everything listed here was used in a testing environment, and that you might actually want very different settings for your production servers. Install the Nginx package from the EPEL repository or use existing web panels with nginx stack. Back up the original nginx.conf config file, and start hacking away at a config of your own.   # This number should be, at maximum, the number of CPU cores on your system. # (since nginx doesn't benefit from more than one worker per CPU.) worker_processes 4; # Number of file descriptors used for Nginx. This is set in the OS with 'ulimit -n 200000' # or using /etc/security/limits.conf worker_rlimit_nofile 10280; # only log critical errors error_log /var/log/nginx/error.log crit [events] # Determines how many clients will be served by each worker process. # (Max clients = worker_connections * worker_processes) # "Max clients" is also limited by the number of socket connections available on the system (~64k) worker_connections 4000; [events] # essential for linux, optmized to serve many clients with each thread use epoll; [events] # Accept as many connections as possible, after nginx gets notification about a new connection. # May flood worker_connections, if that option is set too low. multi_accept on; [http] # Caches information about open FDs, freqently accessed files. # Changing this setting, in my environment,…

crontab(5) BSD File Formats Manual crontab(5) NAME crontab -- tables for driving cron DESCRIPTION A crontab file contains instructions to the cron(8) daemon of the general form: ``run this command at this time on this date''. Each user has their own crontab, and commands in any given crontab will be executed as the user who owns the crontab. Uucp and News will usually have their own crontabs, eliminating the need for explicitly running su(1) as part of a cron command. (Darwin note: Although crontab(5) are officially supported under Darwin, their functionality has been absorbed into launchd(8), which provides a more flexible way of automatically executing commands. See launchd.plist(5) for more information.) Blank lines and leading spaces and tabs are ignored. Lines whose first non-space character is a pound-sign (#) are comments, and are ignored. Note that comments are not allowed on the same line as cron commands, since they will be taken to be part of the command. Similarly, comments are not allowed on the same line as environment variable settings. An active line in a crontab will be either an environment setting or a cron command. An environment setting is of the form, name = value where the spaces around the equal-sign (=) are optional, and any subse- quent non-leading spaces in value will be part of the value assigned to name. The value string may be placed in quotes (single or double, but matching) to preserve leading or trailing blanks. The name string may also be placed in quote (single or double, but matching) to preserve leading, trailing…

People find unable to get permalink work in Wordpress when use Nginx stack. It's because Nginx rewrite rule for Wordpress has been set up. Follow the instruction below to get this done. At the beginning, I thought the following method was alright till I found out it was generated by Webuzo and gets overwritten by Webuzo every time you make site configuration change. nano /usr/local/apps/nginx/etc/conf.d/webuzoVH.conf Add: if (!-e $request_filename) { rewrite ^(.+)$ /index.php?q=$1 last; } make it look like: server { listen 80; server_name yoursite.com www.yoursite.com; # The Document Root root /home/admin/www/yoursite.com; error_log /usr/local/apps/nginx/var/log/yoursite.com.err; access_log /usr/local/apps/nginx/var/log/yoursite.com.log main; include /usr/local/apps/nginx/etc/conf.d/common; if (!-e $request_filename) { rewrite ^(.+)$ /index.php?q=$1 last; } } restart nginx service nginx restart So, let add the rewrite in /usr/local/apps/nginx/etc/conf.d/common add the following to the file: #For wordpress if (!-e $request_filename) { rewrite ^(.+)$ /index.php?q=$1 last; } Then, restart nginx service nginx restart    

Rewrite rules compatible with WordPress permalinks: # Handle 404 errors server.error-handler-404 = "/index.php" # Rewrite rules url.rewrite-final = ( # Exclude some directories from rewriting "^/(wp-admin|wp-includes|wp-content|gallery2)/(.*)" => "$0", # Exclude .php files at root from rewriting "^/(.*.php)" => "$0", # Handle permalinks and RSS feeds "^/(.*)$" => "/index.php/$1" )  

Step 1:  Use VestaCP built-in tool to generate a CSR Save the gererated CSR file and private key file. Step 2: Hand in the CSR to Comodo and you will receive a zip package containing these four files. The last masked one is the signed SSL Certificate. Input the content of the last file showed in the above picture in to "SSL Certificate" below. Input the content of the private key you saved in Step 1 into "SSL Key" below   Step 3: You need to make my your own bundle file from CRT files The order is: 1->2->3 showed in the picture in Step 2 Command Line: Linux or UNIX-like Operating Systems: cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > yourDomain.ca-bundle Windows or DOS: copy COMODORSADomainValidationSecureServerCA.crt + COMODORSAAddTrustCA.crt + UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt yourDomain.ca-bundle Input the content of yourDomain.ca-bundle you just generated into "SSL Certificate Authority / Intermediate".

  Today, it's been 365 days since VPSDime started its journey. VPSDime's foundation was laid on Low End Talk soil. Fellow members made this brand what it is today. All your patronage is sincerely appreciated. To give back to the community and celebrate our birthday, we have decided to deploy some E3 nodes in our flagship datacenter provider, Incero in Dallas, TX and make a crazy sale. We love you guys! The Plan Specs: OpenVZ Container Virtualization 1 vCPU (E3 1230v2) 512MB Memory 256MB vSwap 7GB Pure SSD Space (RAID1) 1 IP Address (IPv6 to be added this week) 2TB Traffic 1Gbit Port speed The Order Link https://vpsdime.com/cart.php?a=add&pid=43 The Catch Mail ports are blocked. So, you'd need to use a third party API to send emails like Mandrill. Mandrill comes with free 12K emails per month. We do not allow BitTorrent TOR Public VPNs/Open Proxies MineCraft Servers CamFrog Digital Currency Mining Teamspeak IRC Chobots Runescape Bots llegal activity (SPAM, Port Scanning, DoS, etc.) We do allow Other gameservers such as TF2, L4D and other non-resource intensive game servers Private VPN/Proxy ZNC within cloaked IRC networks Legal Adult Content Anything else legal in the US and not listed above.

Vultr is the next provider in my series of surprise posts! They technically have been featured before in the 2014 Q1 Top Provider Poll, where they came in ninth, but I felt they needed to be in the spotlight just a tad more. Vultr has SSD-based cloud servers starting at $5/month in multiple locations across the globe. Last week they got stock back in their London location. In addition to that, they currently offer services out of New Jersey (NJ, USA), Dallas (TX, USA), Los Angeles (CA, USA), Atlanta (GA, USA), Chicago (IL, USA), Tokyo (Japan), and Sydney (Australia). If you think that’s a long list, keep in mind that their Frankfurt (Germany) and Paris (France) are currently out of stock and will be available again in the future. Contrary to some other “cloud” providers, Vultr offers you the option to deploy any distribution you like by uploading your own ISO, which gives this service a real nice edge. Vultr uses modern hardware with latest generation Intel CPU and pure SSD drives. The bandwidth varies per location, but I see a Level3 and an nLayer logo on their website, so I think they are at least used heavily in the USA and Europe! If you give them a shot, or already have, please share your experiences with us! As a limited time promotion, Vultr doubles all the payments you make up to $100! SSD KVM VPS   768MB RAM 1 CPU core 15GB SSD space 1TB bandwith 1Gbps uplink 1x IPv4 address KVM/Custom $5/month USA (New Jersey, Los Angeles, Chicago, Dallas,…

Simply adding a password for root is not enough for Ubuntu 14.04 Server. You need to edit /etc/ssh/sshd_config, and commend out the following line: PermitRootLogin without-password Just below it, add the following line: PermitRootLogin yes Then restart SSH: service ssh restart  

gpg --keyserver keyserver.ubuntu.com --recv 3E5C1192 gpg --export --armor 3E5C1192 | sudo apt-key add -  

Introduction OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices. This informational guide is geared towards application developers, and provides an overview of OAuth 2 roles, authorization grant types, use cases, and flows. Let's get started with OAuth Roles! OAuth Roles OAuth defines four roles: Resource Owner Client Resource Server Authorization Server We will detail each role in the following subsections. Resource Owner: User The resource owner is the user who authorizes an application to access their account. The application's access to the user's account is limited to the "scope" of the authorization granted (e.g. read or write access). Resource / Authorization Server: API The resource server hosts the protected user accounts, and the authorization server verifies the identity of the user then issues access tokens to the application. From an application developer's point of view, a service's API fulfills both the resource and authorization server roles. We will refer to both of these roles combined, as the Service or APIrole. Client: Application The client is the application that wants to access the user's account. Before it may do so, it must be authorized by the user, and the authorization must be validated by the API. Abstract Protocol Flow Now that you have an idea of what the OAuth roles are, let's look at a diagram of how they generally interact with each other: Here…

1. RamNode (139 votes) RamNode wins yet another Top Provider Poll. I must say, they are quite unbeatable having held the top position for quite a while now. Nick and his team have been running a stable business for a while now and have continued to do so the last quarter. They have recently expanded to New York City, bringing their total number of locations up to four. They also recently overhauled their offering, increasing disk space and lowering their prices (and no more coupons). To share his love, though, Nick sent in this new special (or well, regular actually, but it’s special because it’s new) offer which we’re able to feature first: 2 CPU cores 1024MB RAM 256MB vSwap 60GB SSD space 2TB traffic 1Gbps uplink 1x IPv4 16x IPv6 OpenVZ/SolusVM Price: $7/month Order in Atlanta This offer will be available in NYC and Seattle soon! 2. Prometeus (111 votes) Prometeus, who doesn’t know them by now? Or better yet, who doesn’t have a server with them? While they already have various brands that complement each other and iwStack (the affordable cloud), Salvatore added Xen Power to the mix late 2013 to broaden their empire of awesomeness. Another Top Provider Poll with Prometeus in the top 3 means that are doing it right (I can personally attest to that!)! To share some love, Salvatore has sent in this special offer to celebrate their second position in this poll: 2 CPU cores 512MB RAM 25GB SAS2 disk space 2TB traffic 1Gbps uplink 1x IPv4 /64 IPv6 KVM/SolusVM Coupon code: 2Q2014LEB Price…

With the advances in technology, faster data access (SSD), and slimming hardware footprints, legacy technologies are typically the first cuts made to get these devices thinner and lighter while making them more powerful and efficient. Installing OS X has never really been a particularly difficult task, but try doing that on a MacBook Air or a system with a broken optical drive. Not so easy anymore is it? Even downloading the OS from the Mac App Store wouldn't do when the hard drive needs replacing or the Recovery Partition is corrupt. Luckily, Macs have a couple of options, specifically USB booting, and since most have an SD card slot, we can use those as well. Creating a USB Installer for Apple OS X 10.7-10.8 Before proceeding, we'll need the following items to complete the process: 8GB USB Flash Drive (or SD Card) Install OS X Mountain Lion.app (installer downloaded from Mac App Store) Apple computer with Mac App Store (OS X 10.6.8+) User Account with Administrative privileges Follow these steps: 1.     Using a Mac with at least OS X 10.6.8 installed, access the Mac App Store and download the Lion (10.7) or Mountain Lion (10.8) app installer. 2.     Insert the USB drive into the Mac and launch Disk Utility. 3.     Click on the USB drive from the left-hand menu and select the Partition tab. 4.     Click the drop-down menu, selecting 1 partition. 5.     Select Mac OS Extended (Journaled) for the format-type from the drop-down menu. (Figure A) 6.     Click on the Options button and select the radio button for GUID Partition Table and click OK.  (Figure…

Today we are thrilled to announce that developers can now launch Droplets in our newest region, London, United Kingdom. Our community has been requesting a UK region for a while now, and we’re excited to announce that it is now available. It is through our users’ support that we have now been able to expand to five regions globally. London is experiencing a boom in tech and entrepreneurship that looks very similar to NYC’s own tech expansion a few years ago, and we want to provide innovative companies in the United Kingdom with the infrastructure they need to grow and succeed. Additionally, we want to ensure that UK developers can comply with data privacy regulations by having a native facility, this way they can do an online background check in more efficient way. IPv6 and private networking are available for Droplets deployed in the new London region. We are excited to see what is developed in the London datacenter and look forward to offering more DigitalOcean regions around the world as we continue to grow. No more waiting. Spin up a Droplet in LON1!

This is a guide on setting up an IPSEC/L2TP vpn server with Ubuntu 14.04 using Openswan as the IPsec server, xl2tpd as the l2tp provider and ppp or local users / PAM for authentication. It has a detailed explanation with every step. We choose the IPSEC/L2TP protocol stack because of recent vulnerabilities found in pptpd VPNs and because it is supported on all major operating systems by default. Why a VPN? More than ever, your freedom and privacy when online is under threat. Governments and ISPs want to control what you can and can't see while keeping a record of everything you do, and even the shady-looking guy lurking around your coffee shop or the airport gate can grab your bank details easier than you may think. A self hosted VPN lets you surf the web the way it was intended: anonymously and without oversight. A VPN (virtual private network) creates a secure, encrypted tunnel through which all of your online data passes back and forth. Any application that requires an internet connection works with this self hosted VPN, including your web browser, email client, and instant messaging program, keeping everything you do online hidden from prying eyes while masking your physical location and giving you unfettered access to any website or web service no matter where you happen to be at the moment. This tutorial is available for the following platforms: Raspberry Pi with Arch Linux ARM CentOS 6, Scientific Linux 6 or Red Hat Enterprise Linux 6 Ubuntu 14.04 LTS Ubuntu 13.10 Ubuntu 13.04 Ubuntu 12.10 Ubuntu 12.04…

If you’ve accidentally screwed your /etc/fstab file and rebooted, you might run into some issues while trying to make changes to fix it, i.e. Error writing fstab:Read-only file system   Fixing Error writing fstab: Read-only file system In order to fix this issue, you will need to remount the affected mount-point with read / write options. This can be done by issuing the mount command: mount -o remount,rw /   Where / indicates your root mount point, change accordingly.

CentOS 6.5 [1] Change hostname with a commnad (but if rebooting, it will be back). [[email protected] ~]# hostname # show current hostname srv1.vpsmate.net [[email protected] ~]# hostname srv2.vpsmate.net # change hostname [[email protected] ~]# hostname srv2.vpsmate.net [2] Change hostname permanently. [[email protected] ~]# vi /etc/sysconfig/network # change HOSTNAME=srv2.vpsmate.net [[email protected] ~]# exit CentOS release 6.5 Kernel xxx srv2.vpsmate.net login: # changed   CentOS 7 [1]Change hostname with a commnad (but if rebooting, it will be back). [[email protected] ~]# hostname # show current hostname srv1.vpsmate.net [[email protected] ~]# hostname srv2.vpsmate.net # change hostname [[email protected] ~]# hostname srv2.vpsmate.net [2] Change hostname permanently. [[email protected] ~]# vi /etc/hostname # change srv1.vpsmate.net [[email protected] ~]# exit CentOS Linux 7 Kernel 3.10.0-123.4.2.el7.x86_64 on an x86_64 srv1 login: # just changed