ciplogic.com
Live with grace. Write superb software.

sysadmin

  • Change Your SSH Server Port

    A while back, in November 2014, I posted an article showing that over the course of a year and a half or so (my blog was rehosted in February 2014), fail2ban had blocked 1633 IPs.

    Today I checked again, and to my surprise I got:

    [root@ciplogic ~]# iptables -L -n | grep REJECT | wc -l
    5853

    For the first time segment (a 273-day period) I averaged 5.98 IP bans a day. From that day to today I got 5853-1633 = 4220 new bans. The time period from November 2014 to today is 573 days.

    That means in the last year the banning grew to 7.36 bans a day (~20% increase). And we need to remember that this is on top of the previous blacklist.

    So today, besides applauding fail2ban's relentless work, I changed the port of the SSH server.

    To my surprise, from this morning until now there has been radio silence: fail2ban has recorded no new bans. I guess most scanners don't do a port scan first, and they just try to find default or weirdly configured SSH servers.

    So here's my second tip. Change your SSH server port.
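
    To measure the same effect from fail2ban's own log instead of the iptables rule count, the added example below (not from the original post) counts Ban events per day for one jail and on either side of a cut-over date. The log lines, the sshd jail name and the cut-over date are constructed for illustration.

```shell
#!/bin/sh
# Count fail2ban "Ban" events for one jail, per day and around a cut-over date.
# The jail is matched relative to the word "Ban", so both the older
# "fail2ban.actions: WARNING [jail] Ban ip" layout and the newer
# "fail2ban.actions [pid]: NOTICE [jail] Ban ip" layout are handled.

# bans_per_day LOGFILE JAIL -> sorted lines of "YYYY-MM-DD count"
bans_per_day() {
    awk -v jail="[$2]" '
        { for (i = 2; i < NF; i++)
              if ($i == "Ban" && $(i-1) == jail) { n[$1]++; break } }
        END { for (d in n) print d, n[d] }' "$1" | sort
}

# bans_around LOGFILE JAIL DATE -> "before=N after=M" (DATE itself is "after")
bans_around() {
    awk -v jail="[$2]" -v cut="$3" '
        { for (i = 2; i < NF; i++)
              if ($i == "Ban" && $(i-1) == jail) {
                  # ISO dates compare correctly as plain strings
                  if (($1 "") < (cut "")) b++; else a++
                  break } }
        END { printf "before=%d after=%d\n", b, a }' "$1"
}

# Constructed sample log using documentation IP ranges (not data from the blog).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2016-06-04 22:10:00,500 fail2ban.actions: WARNING [sshd] Ban 192.0.2.33
2016-06-05 03:12:44,101 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.10
2016-06-05 03:22:44,300 fail2ban.actions        [812]: NOTICE  [sshd] Unban 192.0.2.10
2016-06-05 09:40:02,554 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2016-06-06 01:05:19,872 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.45
2016-06-06 01:05:20,001 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.45
2016-06-07 08:00:00,000 fail2ban.actions        [812]: NOTICE  [nginx-http-auth] Ban 192.0.2.99
EOF

bans_per_day "$SAMPLE_LOG" sshd
bans_around "$SAMPLE_LOG" sshd 2016-06-07
```

    If the count drops to zero after a port change, also confirm that the jail's port setting matches the new SSH port, so that later bans block the right port.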

  • Docker With OverlayFS on Ubuntu 14.04

    If you follow Docker, you might have found out that the default storage driver provided with a normal Docker installation is backed by the mighty aufs, created by the awesome Junjiro Okajima.

    But there is another file system out there that is faster, with a smaller footprint, etc. It's named OverlayFS, and it was merged into the main kernel. Sounds too good to be true? Well, read about it.

    TL;DR Docker With OverlayFS on Ubuntu 14.04:

    apt-get install linux-generic-lts-vivid linux-headers-generic-lts-vivid

    Reboot

    wget https://get.docker.com -O - | sh
    service docker stop
    echo 'DOCKER_OPTS="-s overlay"' >> /etc/default/docker
    service docker start

    Details

    Now, this file system is available only from kernel version 3.18 and up. If you just installed Ubuntu 14.04, as of this date (10th of November, 2015), you should have 3.19 already installed. If you have an older existing Ubuntu 14.04 you need to update your kernel manually.

  • Docker With OverlayFS on Ubuntu 16.04 LTS

    Since I already wrote an article on having Docker running with OverlayFS on Ubuntu 14.04, I won't go over all of it again. Here is a not so quick link on why it's cool to have it. Basically it's faster, harder, better, stronger, and scales better.

    The only note is that since Ubuntu 16.04 comes with v4 kernels, there is no need to install any more packages except docker itself. The commands below must be run as root.

    TL;DR Docker With OverlayFS on Ubuntu 16.04:

    # install docker
    wget https://get.docker.com -O - | sh

    systemctl stop docker

    # copy the packaged unit file so it can be overridden locally
    CONFIGURATION_FILE=$(systemctl show --property=FragmentPath docker | cut -f2 -d=)
    cp "$CONFIGURATION_FILE" /etc/systemd/system/docker.service

    # append the storage driver option to the ExecStart line
    perl -pi -e 's/^(ExecStart=.+)$/$1 -s overlay/' /etc/systemd/system/docker.service

    systemctl daemon-reload
    systemctl start docker

    Details

    The first step just installs docker, straight from docker.com.

    wget https://get.docker.com -O - | sh

    Awesome. The problem now is that it runs with the aufs driver, so we need to stop docker.

    systemctl stop docker

    The next step is to create a copy of the current unit file shipped with the system. A copy placed at /etc/systemd/system/docker.service overrides the system-provided one.

    CONFIGURATION_FILE=$(systemctl show --property=FragmentPath docker | cut -f2 -d=)
    cp "$CONFIGURATION_FILE" /etc/systemd/system/docker.service

    Now, we change the ExecStart line by appending the OverlayFS setting:

    perl -pi -e 's/^(ExecStart=.+)$/$1 -s overlay/' /etc/systemd/system/docker.service

    We now tell systemd that the configuration files have been updated, and start docker again:

    systemctl daemon-reload
    systemctl start docker

    Done. Enjoy.
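
    The perl one-liner above appends "-s overlay" every time it runs, so repeating the procedure leaves the option on the ExecStart line twice. The added example below (not from the original post) makes the edit idempotent; the function name set_overlay_driver and the sample unit file are constructed for illustration.

```shell
#!/bin/sh
# set_overlay_driver UNIT_FILE
# Append "-s overlay" to the ExecStart= line of a unit file copy, unless a
# storage driver is already given there (-s or --storage-driver).
# Returns 0 if the file was changed, 1 if it was left alone,
# 2 if no non-empty ExecStart= line was found (or the rewrite failed).
set_overlay_driver() {
    unit=$1
    line=$(grep -m1 '^ExecStart=.' "$unit") || return 2
    case " $line " in
        *" -s "*|*" --storage-driver="*|*" --storage-driver "*) return 1 ;;
    esac
    tmp=$(mktemp) || return 2
    # Rewrite through a temp file, then write back in place so the
    # ownership and mode of the unit file are preserved.
    if sed 's/^\(ExecStart=..*\)$/\1 -s overlay/' "$unit" > "$tmp" &&
       cat "$tmp" > "$unit"; then rc=0; else rc=2; fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample unit, standing in for /etc/systemd/system/docker.service.
UNIT=$(mktemp)
trap 'rm -f "$UNIT"' EXIT
cat > "$UNIT" <<'EOF'
[Unit]
Description=Docker Application Container Engine

[Service]
ExecStart=/usr/bin/dockerd -H fd://
Restart=on-failure
EOF

# Run the edit twice: the second call must not touch the file.
first=0;  set_overlay_driver "$UNIT" || first=$?
second=0; set_overlay_driver "$UNIT" || second=$?
echo "first=$first second=$second"
grep '^ExecStart=' "$UNIT"
```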

     

  • Fail2Ban Doing Real Work

    I see that some people try to access my host, even if they are not me.

    Crazy, right?

    Here is a small statistic, covering less than a year, on how many attackers fail2ban managed to ban while they were trying to bruteforce this website via ssh:

    [root@ciplogic ~]# iptables -L -n | grep REJECT | wc -l
    1633

    Awesome!

    So if you don't have it yet, and run some Linux, definitely install it.

    If you use CentOS just do:

    [root@ciplogic ~]# yum install fail2ban

    Happy admining.

  • How to Downgrade Debian From Stretch to Wheezy

    In case you upgraded your system by mistake from Wheezy to the latest unstable version, Stretch, you have several options:

    1. Reinstall (recommended)

    This is actually the recommended option, since the init scripts have changed across versions. Also it's pretty hard to guarantee that the same packages will be there.

    2. Downgrade Your System

    This option is a bit trickier; fortunately Jules from inspire.me wrote a pretty good article about it. Note that the tutorial he wrote was to downgrade from Jessie to Wheezy. Since we want to skip Jessie as well, we need to use oldstable (aka "wheezy" at the time of writing) instead of stable. See https://www.debian.org/releases/ for the current Debian releases.

    So since you now want to skip two versions, you need to have the file /etc/apt/preferences with:

    Package: *
    Pin: release a=oldstable
    Pin-Priority: 1001

  • Linux Automatic Updates

    I generally tend to have quite a few virtual machines running Linux. Some of them CentOS, some of them Ubuntu. Probably so do you. Some of them are started more often, some of them lie dormant for quite a while, and then when you boot them up for whatever reason, e.g. to test the migration of your blog from Apache to nginx, you need to apply whatever updates have piled up.

    Super annoying, I know.

    Thus, here's an easy tip. Just add a script in /etc/cron.daily to do the updates. e.g. /etc/cron.daily/update-my-system. For example I set:

    apt-get update -y && apt-get upgrade -y

    if it's Ubuntu/Debian, or

    yum update -y

    if it's CentOS/RHEL.

    I also do this on all my development machines that have a graphical interface, so I don't get that super annoying dialog asking me for the updates.

    You boot, it updates.

    It stays up, it updates on a daily basis.

    It's that simple. I know I wrote about it before. But it's important.

    Update for CentOS

    See here: http://blog.ciplogic.com/index.php/blog/104-linux-automatic-updates-on-centos

     

  • Linux Automatic Updates on CentOS

    Here's an update for the automatic updates, geared at CentOS/RHEL only.

    Dumitru Ciobârcianu tells us that there is a package for CentOS that already does that, named yum-cron. Thus instead of editing files inside the /etc/cron.daily, you can get away with:

    yum install yum-cron

    This in turn will create two cron jobs, one daily to do the updates, and one weekly, that will also do cleanup such as:

    # cat /etc/yum/yum-weekly.yum 
    clean packages
    clean expire-cache
    ts run
    exit

    Furthermore it allows configuration for checking packages, and what not. So definitely on CentOS go with yum-cron, since it's the better alternative.

    Thank you Dumitru!

    On Debian/Ubuntu there is also a package named cron-apt, but that one by default will do only the update of the package definitions (apt-get update -y) and not the actual upgrade of the system.

  • Migrate your Apache server to nginx on CentOS

    How do you migrate an existing Apache server to a brand new nginx installation for several websites that use PHP? This is a simple tutorial on changing an Apache installation into an nginx one, without having to change your existing websites.

    nginx is a server that scales far better compared to Apache running on the same hardware. The tutorial is not super CentOS specific, but all the commands were run on CentOS.

    The Apache server that was migrated, namely this blog, has several virtual hosts that are all running PHP, some of them Joomla websites. The plan is to take them as they are, and have them available externally the same way as before, using the same virtual host names, the same folder locations, with the same users assigned to them.

    The reason is that if we screw up something in the process, we can just revert to our old proven Apache, by just restarting the Apache service and shutting down nginx. Also we can minimize the downtime, since if done right it should be in the end just shutting down Apache and starting nginx, but if it doesn't work we can quickly go back to serving the files with Apache until we figure out what is going on.

    While it is simple, it is a pretty long read, so grab your coffee, and hack away:

     1. Install nginx

    This is as simple as running:

    yum install nginx

    Make sure the /etc/nginx/conf.d/default.conf has the paths pointing to /var/www/html, or whatever was the default site for your Apache configuration. (In my case it was /var/www/blog).

    OK, next
