ohneconker

Site-building collection: SysAdmin

#SiteBuildingCollection SysAdmin

I tried to set up a SoundCloud-like service today, built with Ruby on Rails for the backend, PostgreSQL for the database and ReactJS for the front end.

While I was connected to the VPS and had started the app with “rails server”, I had to leave my desk for a few minutes, and by the time I was back the SSH connection had already been “reset by peer”.

When I reconnected and tried to relaunch the Rails server, it refused with the warning “A server is already running”.

Here is the solution that worked for me:

The following is a copy of the content linked above.

Root cause:

The PID of the running server is written to a lock file, and the web server treats the existence of that file as proof that a server is already running. Normally the file is deleted when the server shuts down cleanly, but when the process dies without cleaning up (here, killed together with the dropped SSH session) the deletion never happens, so the file has to be removed manually.

Solution

When you run rails server:

=> Booting WEBrick
=> Rails 4.0.4 application starting in development on http://localhost:8080
=> Run `rails server -h` for more startup options
=> Ctrl-C to shutdown server
A server is already running. Check /your_project_path/tmp/pids/server.pid.
Exiting

So take the path shown there...

/your_project_path/tmp/pids/server.pid

...and remove the server.pid file. Before you do, check that the number inside it is not a live process (ps -p with that PID); if it is, you have a running server rather than a stale lock, and you should stop it as described below instead.

rm /your_project_path/tmp/pids/server.pid

OR, in case your server was detached, follow the guidelines below:

If you started the Rails server in the background with “rails server -d”, find the detached server process with

ps -ef | grep rails

OR with this command, which shows whatever is bound to port 8080

sudo lsof -wni tcp:8080

then stop it. A plain kill sends SIGTERM and lets the server shut down and remove its own pid file; only fall back to -9 if the process ignores that

kill PID
kill -9 PID

OR use this one-liner

To find and kill the process by the port it listens on (replace 8080 with your port). Look at the output of lsof -i :8080 first: this kills whatever holds the port, which is not necessarily your Rails server. Add -9 only if the process refuses to exit.

sudo kill $(lsof -i :8080 -t)
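Before choosing between "rm the pid file" and "kill the process", it is worth checking which case you are actually in: deleting the pid file while the old server is still alive gives you two servers fighting over one port, and kill -9 never lets the server clean up after itself. The following shell script is an added example (not from the original post or the answer it copies) that does that check; the pid file path is whatever the "A server is already running" message printed.

```shell
#!/bin/sh
# stale_pid.sh: decide whether a Rails server.pid is stale before deleting it.
# Added example, not from the original post or the answer it copies.
# Deleting the pid file while the old server is still alive leaves two servers
# fighting over one port; checking first avoids that and lets you stop the real
# process politely (SIGTERM) instead of reaching for kill -9.
set -eu

# pid_status PIDFILE: print exactly one of
#   missing  no pid file, nothing to do
#   invalid  file does not contain a plain number
#   running  the process is alive, stop it instead of deleting the file
#   stale    file exists but no such process, safe to remove
pid_status() {
    pidfile="$1"
    [ -f "$pidfile" ] || { echo missing; return 0; }
    pid=$(tr -d '[:space:]' < "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    # kill -0 sends no signal: it only asks whether the pid exists and is ours to signal
    if kill -0 "$pid" 2>/dev/null; then echo running; else echo stale; fi
}

# clean_pidfile PIDFILE: remove the file only when it is stale or invalid.
# For a running server, ask it to exit with TERM, wait briefly, and report.
# Returns 1 if the process survived TERM (then look at it before kill -9).
clean_pidfile() {
    pidfile="$1"
    case "$(pid_status "$pidfile")" in
        missing)
            echo "no pid file at $pidfile" ;;
        stale|invalid)
            rm -f "$pidfile"
            echo "removed stale $pidfile" ;;
        running)
            pid=$(tr -d '[:space:]' < "$pidfile")
            kill -TERM "$pid"
            sleep 2
            if kill -0 "$pid" 2>/dev/null; then
                echo "pid $pid survived TERM; inspect it (ps -fp $pid) before kill -9"
                return 1
            fi
            # a clean shutdown removes its own pid file; say so either way
            if [ -f "$pidfile" ]; then echo "stopped pid $pid; $pidfile left behind, remove it"
            else echo "stopped pid $pid; it removed $pidfile itself"; fi ;;
    esac
}

# usage: sh stale_pid.sh /your_project_path/tmp/pids/server.pid
if [ "${1:-}" ]; then clean_pidfile "$1"; fi
```

Run it as the same user that started the server, otherwise kill -0 can fail with "permission denied" and a live server would be reported as stale.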

#SiteBuildingCollection SysAdmin

Here is a list of HTML snippets I often use on this ohneconker blog.

A colour-filled textbox with an absolutely centred image in it

Note: to make a coloured box one needs HTML, and Markdown inside it is not rendered, so the whole snippet has to be HTML.

Result:

💡 1. Mark darts with tailor's tacks, leaving 1/2-in. tails.
[image: Mark darts with tacks]

Code:

<div style="background-color: #e8f1e1; color: #000000; padding: 10px;">
💡 1. Mark darts with tailor's tacks, leaving 1/2-in. tails.

<div class="picture_div" style="margin:0px auto; text-align:center;"><img src="https://mstd.dansmonorage.blue/system/media_attachments/files/106/524/635/641/748/966/original/96b0e8622ab2b6b5.png" alt="Mark darts with tacks"></div>

</div>

A colour-filled textbox without an image in it

Result:

💡 1. Mark darts with tailor's tacks, leaving 1/2-in. tails.

Code:

<div style="background-color: #e1bd7d; color: #000000; padding: 10px;">
💡 1. Mark darts with tailor's tacks, leaving 1/2-in. tails.

</div>

Expandable colour-filled textbox

Result:

💡 An optional vent in the back and possible locations for the zipper. In this tuto, a vent is used (see part one section 2) A vent in the back is optional. It will allow you to walk a lot easier than if you make the skirt without it. The vent also influences where the zipper will be located. If you choose to have no vent, the default zipper location is on the side seam, and the back will be cut-on-fold. With the vent, there has to be a seam in the back piece, and the zipper will be located on that seam.

Code:

<div style="background-color: #e8f1e1; color: #000000; padding: 10px;">
<details>
<summary> 💡  An optional vent in the back and possible locations for the zipper. In this tuto, a vent is used (see part one section 2) </summary>
A vent in the back is optional. It will allow you to walk a lot easier than if you make the skirt without it. The vent also influences where the zipper will be located. If you choose to have no vent, the default zipper location is on the side seam, and the back will be cut-on-fold. With the vent, there has to be a seam in the back piece, and the zipper will be located on that seam.
</details>
</div>

Image with caption

Result:

[image: Mark darts with tacks]
Steam-press while gently stretching the fabric lengthwise to ensure that the finished garment will hold its shape.

Code:

<figure class="picture_div" style="margin:0px auto; text-align:center;"><img src="https://mstd.dansmonorage.blue/system/media_attachments/files/106/524/950/541/227/244/original/bdd6b08aa3f0e324.png" alt="Mark darts with tacks"><figcaption>Steam-press while gently stretching the fabric lengthwise to ensure that the finished garment will hold its shape.</figcaption></figure>

Giant quotation marks

Result:

子墨一把火,点燃了自我 从此四海为家 (“Zimo lit a fire and set himself alight; from then on the whole world was his home”)

Code:

HTML part

<div class="container"><blockquote><h3>子墨一把火,点燃了自我

从此四海为家</h3></blockquote>
</div>

CSS part

/*Giant quotation marks*/
blockquote {
    border:none;
    font-family:Georgia, "Times New Roman", Times, serif;
    margin-bottom:-30px;
    quotes: "\201C""\201D""\2018""\2019";
}

blockquote h3 {
    font-size:15px;
}

blockquote h3:before { 
    content: open-quote;
    font-weight: bold;
    font-size:60px;
    color:#889c0b;
} 
blockquote h3:after { 
    content: close-quote;
    font-weight: bold;
    font-size:60px;
    color:#889c0b;
}

#SiteBuildingCollection SysAdmin

Context

Nope, GitLab wasn't set up when the upgrade happened, and the git repo wasn't forked.

All modifications had been made directly with nano on the VPS.

Database backup with PostgreSQL in case something goes wrong

sudo mkdir /opt/PGBACKUPS
sudo chown -R postgres:postgres /opt/PGBACKUPS
sudo su - postgres


pg_dump -U postgres -d mastodon_production > /opt/PGBACKUPS/mastodon_production$(date +%Y-%m-%d_%H_%M_%S).sql 

Copy the backup file to another machine in case the whole VPS gets wrecked.

Upgrade

Stash the modified files and git checkout.

sudo su - mastodon
cd /home/mastodon/live/
git stash 
git fetch --tags
git checkout v3.4.0

Bundle install, yarn install and compile as instructed in the GitHub upgrade guide. Note that SKIP_POST_DEPLOYMENT_MIGRATIONS has to be on the same line as the db:migrate command (or be exported): on a line of its own it only sets a shell variable that the command never sees, and the post-deployment migrations run right away.

bundle install
yarn install
cd /home/mastodon/live/
SKIP_POST_DEPLOYMENT_MIGRATIONS=true RAILS_ENV=production bundle exec rails db:migrate
RAILS_ENV=production bundle exec rails assets:precompile

Check if everything works.

If that's the case, git stash apply.

git stash apply stash@{0} 

After resolving all the conflicts, compile.

RAILS_ENV=production bundle exec rails assets:precompile

then, back in a root (or sudo-capable) shell rather than the mastodon user's,

systemctl restart mastodon-sidekiq
systemctl reload mastodon-web
systemctl restart mastodon-streaming

Releases that ship post-deployment migrations also call for a second db:migrate, this time without SKIP_POST_DEPLOYMENT_MIGRATIONS, once the services are back up; check the release notes of the version you checked out.

#SiteBuildingCollection SysAdmin

Previously on

Day one of being blocked by the yyyyy site. I miss it. When will I get to hear the cat meows again?

Through my own fault, for a while now not only can I not ssh in, my PC can't reach any of the yyyyy site's services either: Mastodon, blog, forum.

Blocked completely, thoroughly and cleanly.


After getting banned, every ssh attempt produced an error message saying “Resource temporarily unavailable” (and 502 Bad Gateway whenever I tried to use any of yyyyy's services).

ssh yourdomain
ssh: connect to host yourdomain port 22: Resource temporarily unavailable

Restoring access to the services

According to @n@g.***:

  • First:

    iptables -L --line-numbers
    
  • Then find the rule that contains my IP and delete it (by chain name and line number, with iptables -D).

Once that was done the services were accessible again, but sshing into the VPS was still not possible.

Playing around with DenyHosts

Get the IP address

ifconfig -a

The loopback device is a special, virtual network interface that your computer uses to communicate with itself.

When the network or wifi is disconnected the loopback still exists, so applications running on your computer can always connect to servers on the same machine.

Investigate authentication failures

Check auth.log on Debian and Ubuntu (on CentOS it's /var/log/secure)

grep -i "failed password" /var/log/auth.log | grep "MY_IP"
How to unblock a host from DenyHosts

  1. Check who has the log open (on Ubuntu and Debian)

fuser /var/log/auth.log

The command fuser lists the process IDs (PIDs) that currently have a given file (or socket) open.

Running it prints a couple of numbers, and we can ps and grep to see which services those belong to.

Say PID 6697 currently has the auth.log file open.

ps -eaf | grep -v grep | grep 6697

This turns out to be the PID of denyhosts, which has to be stopped before its files are edited.

service denyhosts stop
fuser /var/log/auth.log

Notice that no process IDs are returned now, because denyhosts has stopped.

  2. Remove the appropriate line from the hosts.deny file

cd /etc
grep -v "MY_IP" hosts.deny > hosts.deny.new
grep "MY_IP" hosts.deny.new | wc -l
mv hosts.deny hosts.deny.old
mv hosts.deny.new hosts.deny

Note that “grep -v grep” reads its input line by line and outputs only the lines in which “grep” does not appear. Without -v, it would output only the lines in which grep does appear. grep -v grep (or grep -v 'grep' or grep -v "grep") often appears on the right side of a pipe whose left side is a ps command.^1

Also note that in a grep pattern a dot matches any character and the match may be a substring, so "1.2.3.4" also removes lines about 1.2.3.45 or 11.2.3.4; use grep with -F and -w (fixed string, whole word) if you have neighbours like that in your files.

  3. Remove the appropriate line from the log file

cd /var/log/
grep -v "MY_IP" auth.log > auth.log.new
grep "MY_IP" auth.log.new | wc -l
mv auth.log auth.log.old
mv auth.log.new auth.log

Because auth.log.new is a fresh file, it gets your umask and owner instead of root:adm 0640, and rsyslog keeps writing into the renamed old inode until it is restarted. Either restore owner and mode and restart rsyslog afterwards, or write the filtered lines back into the existing auth.log instead of renaming files.
  4. Remove the appropriate line from the DenyHosts state files

These live in DenyHosts' WORK_DIR (set in /etc/denyhosts.conf; /var/lib/denyhosts on Debian and Ubuntu), not in /etc; only hosts.deny itself is in /etc and was handled in step 2.

cd /var/lib/denyhosts
grep -v "MY_IP" bla > bla.new
grep "MY_IP" bla.new | wc -l
mv bla bla.old
mv bla.new bla

bla in the above commands being each of: hosts, hosts-restricted, hosts-valid, users-hosts.

(The root file is not listed because I disabled root login.)

Finally start DenyHosts again (service denyhosts start), otherwise the server stays unprotected. To stop this from happening again, add your own address to the allowed-hosts file in the same directory: DenyHosts never blocks hosts listed there.
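Putting the four steps together, here is a script version, as an added example and not from the original post. It matches the address as a whole token (so 203.0.113.7 does not also remove 203.0.113.70), writes the filtered content back into the existing file instead of renaming it (so rsyslog keeps logging into the same auth.log and every file keeps its owner and mode), and starts DenyHosts again when it is done. WORK_DIR defaults to /var/lib/denyhosts, the Debian and Ubuntu default; check the WORK_DIR line in /etc/denyhosts.conf if yours differs.

```shell
#!/bin/sh
# unblock_ip.sh: take one IP out of /etc/hosts.deny, auth.log and the DenyHosts
# state files, then start DenyHosts again. Added example, not from the original
# post. Assumes Debian/Ubuntu paths; WORK_DIR must match the WORK_DIR line in
# /etc/denyhosts.conf (/var/lib/denyhosts on Debian and Ubuntu).
set -eu

WORK_DIR="${WORK_DIR:-/var/lib/denyhosts}"

# ip_pattern IP: an ERE that matches IP only as a whole address, so that
# 203.0.113.7 does not also hit 203.0.113.70 or 1203.0.113.7 (grep -v with a
# bare "203.0.113.7" would drop both, since "." matches any character).
ip_pattern() {
    printf '(^|[^0-9])%s([^0-9]|$)' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# scrub_file FILE IP: drop the lines mentioning IP, keep FILE.old as the post
# does, and print how many lines were removed. A missing FILE is not an error
# (not every install has every state file) and counts as 0.
scrub_file() {
    file="$1"; ip="$2"
    [ -f "$file" ] || { echo 0; return 0; }
    before=$(wc -l < "$file")
    # grep -v exits 1 when no line survives; an empty result is still valid
    grep -Ev "$(ip_pattern "$ip")" "$file" > "$file.new" || true
    after=$(wc -l < "$file.new")
    cp -p "$file" "$file.old"      # -p keeps owner and mode (auth.log is root:adm 0640)
    cat "$file.new" > "$file"      # write into the existing inode: mode stays, and
    rm -f "$file.new"              # rsyslog keeps logging into the same auth.log
    echo $((before - after))
}

# count_ip FILE IP: how many lines still mention IP (expect 0 after scrubbing)
count_ip() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Ec "$(ip_pattern "$2")" "$1" || true
}

# unblock IP: the full procedure, with DenyHosts stopped while its files change
# and started again afterwards so the server is not left unprotected.
unblock() {
    ip="$1"
    service denyhosts stop
    for f in /etc/hosts.deny /var/log/auth.log \
             "$WORK_DIR/hosts" "$WORK_DIR/hosts-restricted" \
             "$WORK_DIR/hosts-valid" "$WORK_DIR/users-hosts"; do
        removed=$(scrub_file "$f" "$ip")
        echo "$f: removed $removed line(s), $(count_ip "$f" "$ip") left"
    done
    service denyhosts start
}

# usage (as root): sh unblock_ip.sh 203.0.113.7
if [ "${1:-}" ]; then unblock "$1"; fi
```

After running it, put the same address into WORK_DIR/allowed-hosts so DenyHosts does not block it again on the next batch of typos.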

The end, throw confetti! ★,°:.☆( ̄▽ ̄)/$:.°★

#SiteBuildingCollection SysAdmin

Here are a few things that happened today that I deem worth mentioning.

CNAME and SSL

Some context: I have multiple VPSes, and all my services are hosted on them. Each VPS gets a funny subdomain name to make ssh-ing into them less annoying.

Up till now, whenever I set up a new service, I have always added an A record in my DNS zone pointing to the VPS on which the service lives.

While I was setting up one of my new services yesterday, a “what if” crossed my mind: will I still get that SSL green lock if I put a CNAME instead of an A record?

Apparently yes. TLS never looks at the record type: the browser resolves the name it was given (following the CNAME) and then checks that the certificate it receives covers that typed name. So the certificate on the target host has to include the alias as a subject alternative name, which is what happens when you request the certificate for that name.

Though “You might want to use 301 redirects instead of CNAME redirect, this will pass on the ranking power/juice from abc.example.com to xyz.example.com.”^1

Configure Postfix to send mail using an external SMTP server

To set up GitLab, one needs to install Postfix to send notification emails.

The installation guide says: “If you want to use another solution to send emails please skip this step and configure an external SMTP server after GitLab has been installed.”

But apparently I could still stick with Postfix and integrate it with an external SMTP provider to deliver emails.^2

...But I guess I will uninstall this Postfix thing and configure the SMTP server later.

#SiteBuildingCollection SysAdmin

Mostly the same as the mainstream Mastodon setup, as instructed here and here2.

Mostly, except for rbenv and git. And nginx, if you are as bad at it as I am.

ruby

joinmastodon.org:

RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install 2.7.2
rbenv global 2.7.2

for glitch

RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install 2.7.3
rbenv global 2.7.3

git clone & git checkout

joinmastodon.org:

git clone https://github.com/tootsuite/mastodon.git live && cd live
git checkout $(git tag -l | grep -v 'rc[0-9]*$' | sort -V | tail -n 1)

for glitch^3

git remote add glitch-soc https://github.com/glitch-soc/mastodon
git checkout glitch-soc/main

Updating the mastodon-glitch config

nano .env.production
systemctl daemon-reload
systemctl enable --now mastodon-web mastodon-sidekiq mastodon-streaming

systemctl daemon-reload reloads the unit files and regenerates the dependency tree; it is needed after a unit file changes. A changed .env.production alone only needs the services restarted, since the environment file is read when each service starts.

Updating glitch from v3.3.0 to v3.4.0

Database backup with PostgreSQL in case something goes wrong (same as Mastodon upstream)

sudo mkdir /opt/PGBACKUPS
sudo chown -R postgres:postgres /opt/PGBACKUPS
sudo su - postgres


pg_dump -U postgres -d mastodon_production > /opt/PGBACKUPS/mastodon_production$(date +%Y-%m-%d_%H_%M_%S).sql 
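Both this backup step and the identical one in the upstream upgrade post above end with "copy the file to another machine", but neither checks that the dump actually finished. Here is the script I would use instead, as an added example (not from either post): it runs the same pg_dump and then looks for the trailer line that pg_dump writes only when it completes. The backup directory and the postgres role are those from the posts; the sample dump content is constructed so the check can be exercised without a database.

```shell
#!/bin/sh
# pg_backup_check.sh: dump a database the way the two posts do, but refuse to
# call the backup "done" until the file looks complete. Added example, not from
# either post. A pg_dump cut short (ssh session reset, disk full) still leaves a
# .sql file behind because the shell redirect created it; the "dump complete"
# trailer that pg_dump writes last is the cheapest completeness check.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/opt/PGBACKUPS}"

# sample_dump KIND: write a constructed stand-in for a pg_dump file (not real
# Mastodon data). KIND is "good" (has the trailer) or "truncated" (cut off
# mid-statement, as an interrupted dump would be).
sample_dump() {
    printf '%s\n' '--' '-- PostgreSQL database dump' '--' 'CREATE TABLE accounts (id bigint);'
    if [ "$1" = good ]; then
        printf '%s\n' '--' '-- PostgreSQL database dump complete' '--' ''
    else
        printf '%s' 'INSERT INTO acc'
    fi
}

# verify_dump FILE: return 0 when FILE is non-empty and ends with pg_dump's
# completion marker, 1 otherwise. Prints a one-line verdict with size and a
# checksum to compare against the copy on the other machine.
verify_dump() {
    f="$1"
    if [ ! -s "$f" ]; then echo "FAIL $f is empty or missing"; return 1; fi
    # the marker sits among the last few lines of every successful plain-format dump
    if tail -n 5 "$f" | grep -q '^-- PostgreSQL database dump complete'; then
        echo "OK   $f $(wc -c < "$f") bytes, cksum $(cksum < "$f" | cut -d' ' -f1)"
        return 0
    fi
    echo "FAIL $f has no completion marker (truncated dump?)"
    return 1
}

# backup DB: dump DB into BACKUP_DIR with a timestamped name, verify it, and
# print the path. Run as the postgres user (sudo -u postgres), as in the posts.
backup() {
    db="$1"
    out="$BACKUP_DIR/${db}_$(date +%Y-%m-%d_%H_%M_%S).sql"
    pg_dump -U postgres -d "$db" > "$out"
    verify_dump "$out"
    echo "$out"
}

# usage: sudo -u postgres sh pg_backup_check.sh mastodon_production
if [ "${1:-}" ]; then backup "$1"; fi
```

Because backup calls verify_dump under set -e, a truncated dump aborts the script with a non-zero exit before anything gets copied off the box, which is what you want a cron job to do.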

Upgrade

sudo su - mastodon
cd /home/mastodon/live/
git stash
git fetch glitch-soc
git checkout glitch-soc/main
git pull glitch-soc main

# install whichever Ruby the checked-out tree asks for in .ruby-version
RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install 2.7.2
rbenv global 2.7.2
bundle install
yarn install
SKIP_POST_DEPLOYMENT_MIGRATIONS=true RAILS_ENV=production bundle exec rails db:migrate
RAILS_ENV=production bundle exec rails assets:precompile
npx browserslist@latest --update-db

then, from a root (or sudo) shell rather than the mastodon user's,

systemctl restart mastodon-sidekiq
systemctl reload mastodon-web
systemctl restart mastodon-streaming

#SiteBuildingCollection SysAdmin

Unfortunately there is no DenyHosts package for Ubuntu 20.04 via apt install.

Just download and set it up manually. Note that this installs, as root, whatever came down the wire, so look at the tarball (or clone the repo and check out the v2.10 tag) before running setup.py.

Site: https://github.com/denyhosts/denyhosts

cd /tmp/ && wget https://github.com/denyhosts/denyhosts/archive/refs/tags/v2.10.tar.gz

tar xzf v2.10.tar.gz

cd denyhosts-*

sudo python setup.py install

sudo cp /usr/local/bin/daemon-control-dist /etc/init.d/denyhosts

sudo nano /etc/init.d/denyhosts

Check that:

DENYHOSTS_BIN = "/usr/local/bin/denyhosts.py"
DENYHOSTS_LOCK = "/run/denyhosts.pid"
DENYHOSTS_CFG = "/etc/denyhosts.conf"
PYTHON_BIN = "/usr/bin/env python"

sudo nano /etc/denyhosts.conf
# after choosing the right settings
sudo /etc/init.d/denyhosts start

The rest is the same as https://yyyyy.life/ohneconker/a-three-step-guide-on-how-to-secure-your-vps-even-further-with-denyhosts

#SiteBuildingCollection SysAdmin

This post is for Ubuntu 18.04. For Ubuntu 20.04, see the GitHub page: https://github.com/denyhosts/denyhosts.

If installation fails with error messages, the following lines might be useful

sudo apt-get install python3-distutils
sudo apt install python-pip
#or
sudo apt install python3-pip

And apparently more can be done besides SSH public key authentication. This security measure was recommended by Ocnys of pinkorange.red. She went for fail2ban and I for DenyHosts.


If you haven't secured your SSH login, go and do it now. There is a tutorial on that at this yyyyy.life.

Technically that tutorial is enough, but if you check the log files, they are full of traces left by people who have nothing better to do with their lives than run automated SSH attacks.

How annoying.

Let's cut them off after their first few attempts, before they can fill the logs.

Step 1: Installing DenyHosts

sudo apt update
sudo apt install denyhosts

Step 2: Configure DenyHosts

  • Edit file denyhosts.conf
sudo nano /etc/denyhosts.conf
  • Find and set the following settings:
BLOCK_SERVICE=sshd
DENY_THRESHOLD_INVALID=2
DENY_THRESHOLD_VALID=5
DENY_THRESHOLD_ROOT=1
AGE_RESET_VALID=5d
AGE_RESET_INVALID=

These thresholds apply to you as well: five typos against your own account and you are locked out. Put your own addresses in the allowed-hosts file under WORK_DIR (see /etc/denyhosts.conf) before going live.

The following excerpt explains these settings. It is from Linux Networking Cookbook by Carla Schroder, Chapter 7, Secure Remote Administration with SSH:

You may use DenyHosts to protect SSH, or all services with BLOCK_SERVICE = ALL.

BLOCK_SERVICE=sshd

Login attempts on nonexistent accounts get two chances before they are blocked. Because the accounts do not exist, blocking them won’t hurt anything.

DENY_THRESHOLD_INVALID=2

Login attempts on legitimate accounts get five chances. Adjust as needed for fatfingered users.

DENY_THRESHOLD_VALID=5

Root logins get one chance. You should log in as an unprivileged user anyway, then su or sudo if you need rootly powers.

DENY_THRESHOLD_ROOT=1

Allowed users are unblocked after 5 days, if they went all fat-fingered and got locked out.

AGE_RESET_VALID=5d

Invalid blocked users are never unblocked.

AGE_RESET_INVALID=
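To make the thresholds concrete, here is an added example (my code, not the post's and not DenyHosts' own) that replays the decision DenyHosts makes: count failures per source address from auth.log lines, bucket them into invalid-user, valid-user and root attempts, and emit hosts.deny entries for whoever crossed one of the three thresholds above. The log lines are constructed; real ones have the same shape on Debian and Ubuntu.

```shell
#!/bin/sh
# ssh_failures.sh: tally sshd password failures per source IP and apply the
# three DenyHosts thresholds from Step 2, which is the decision DenyHosts makes
# before it appends to /etc/hosts.deny. Added example, not from the original
# post or from DenyHosts itself. Reads Debian/Ubuntu auth.log lines.
set -eu

# sample_auth_log: constructed auth.log lines (not from a real server) so the
# functions below can be tried without touching /var/log/auth.log.
sample_auth_log() {
    cat <<'EOF'
Jun 11 10:00:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41234 ssh2
Jun 11 10:00:03 vps sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 41236 ssh2
Jun 11 10:00:05 vps sshd[1203]: Failed password for ubuntu from 203.0.113.7 port 41240 ssh2
Jun 11 10:00:07 vps sshd[1204]: Failed password for root from 198.51.100.2 port 50000 ssh2
Jun 11 10:00:08 vps sshd[1205]: Failed password for root from 198.51.100.2 port 50002 ssh2
Jun 11 10:00:09 vps sshd[1206]: Failed password for root from 198.51.100.2 port 50004 ssh2
Jun 11 10:00:11 vps sshd[1207]: Failed password for alice from 192.0.2.9 port 6000 ssh2
Jun 11 10:00:12 vps sshd[1208]: Accepted publickey for alice from 192.0.2.9 port 6002 ssh2
EOF
}

# tally LOGFILE: one line per IP, "ip invalid valid root", sorted by IP.
# invalid = attempts on accounts that do not exist, root = attempts on root,
# valid = attempts on any other existing account (DenyHosts' three buckets).
tally() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            seen[ip] = 1
            if ($0 ~ / for invalid user /)   inv[ip]++
            else if ($0 ~ / for root from /) rt[ip]++
            else                             val[ip]++
        }
        END { for (ip in seen) printf "%s %d %d %d\n", ip, inv[ip] + 0, val[ip] + 0, rt[ip] + 0 }
    ' "$1" | sort
}

# offenders LOGFILE INVALID VALID ROOT: IPs that reached any threshold.
# DenyHosts blocks at count >= threshold, which is what this mirrors.
offenders() {
    tally "$1" | awk -v ti="$2" -v tv="$3" -v tr="$4" \
        '$2 >= ti || $3 >= tv || $4 >= tr { print $1 }'
}

# deny_lines LOGFILE INVALID VALID ROOT: the same list in /etc/hosts.deny
# syntax for BLOCK_SERVICE=sshd, i.e. what DenyHosts would append.
deny_lines() {
    offenders "$@" | sed 's/^/sshd: /'
}

# usage: sh ssh_failures.sh /var/log/auth.log   (thresholds from the post: 2 5 1)
if [ "${1:-}" ]; then deny_lines "$1" 2 5 1; fi
```

On the sample data, 203.0.113.7 is blocked for two invalid-user attempts and 198.51.100.2 for a single root attempt, while 192.0.2.9 with one failed login against a real account stays well under the valid-user threshold of five. Run it against a copy of your own auth.log to see what DenyHosts would have done before you enable it.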

Step 3: Restart Denyhosts Service

sudo systemctl restart denyhosts.service
sudo systemctl enable denyhosts.service

Consult blocked IPs and log events for DenyHosts

  • To list all blocked IP addresses:

    sudo cat /etc/hosts.deny
    
  • To follow the events:

    sudo tail -f /var/log/denyhosts
    

Optional: Enable centralized synchronization support

  • Edit file denyhosts.conf
sudo nano /etc/denyhosts.conf
  • Find and change the following setting
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
  • Save and restart
sudo systemctl restart denyhosts.service

Bear in mind what this does: depending on the SYNC_UPLOAD and SYNC_DOWNLOAD settings it sends your blocked addresses to a third-party server and pulls in addresses reported by others, over plain HTTP, so the exchange is neither confidential nor tamper-proof, and an imported list can block hosts that never touched your machine. Whitelist anything you must stay able to reach from in allowed-hosts before turning it on.

#SiteBuildingCollection SysAdmin

Why am I writing this?

Because the VPS of someone in the fediverse just got hacked, and it's super scary.

SSH up, people!


  • Why should you set up passwordless SSH authentication? Because there are bad people out there with nothing to do but run dictionary attacks against other people's SSH.

  • It is recommended to avoid mundane and guessable login usernames such as 'root' or 'ubuntu'.


OH GOD WHY DIGITALOCEAN WHY?

Apparently root is the only account some people get at DigitalOcean. How annoying.

If this applies to you, here is what to do on your VPS:

  • type adduser followed by the username you want to create
adduser username

The terminal will ask you to enter a password for this new user, and then a few questions (full name and so on). You don't have to answer those questions; pressing Enter for each is fine.

  • grant sudo permissions
usermod -aG sudo username
  • Delete any mundane default account the image shipped with (for example 'ubuntu'), substituting its name for username. Do this only after confirming that the new user can log in and use sudo, and never to the account you just created.
userdel -r username

Step 1: Go to your terminal and generate keys

Where to type the commands?

  • For Mac users: Spotlight search for “Terminal”, then type the command “ssh-keygen”

  • For Windows users: Windows menu search “cmd”, then type bash in it (WSL), then “ssh-keygen”. Windows 10 and later also ship OpenSSH, so ssh-keygen works directly in cmd or PowerShell.

ssh-keygen
  • Press Enter for everything, with one exception: give the key a passphrase when asked. Without one, anybody who copies the private key file off your laptop can log in to the VPS as you.

Step 2: Send the generated key to your VPS

ssh-copy-id username@yourdomain

Step 3: Connect

ssh-copy-id asks for your password one last time; after that, the login below should succeed without a password prompt. If it still asks for one, fix that before disabling password logins, or you will lock yourself out.

ssh username@yourdomain

Now: Disable password logins

Disabling is optional but recommended.

  • Edit the file “/etc/ssh/sshd_config” on your VPS to disable SSH password and root login:
sudo nano /etc/ssh/sshd_config
  • Find (or add) the following settings. sshd honours the first occurrence of each keyword, so make sure no earlier line in the file already sets, say, PasswordAuthentication yes:
Port 36
PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
  • Two remarks. UsePAM no also switches off PAM account and session handling (pam_nologin, login limits, access rules), and key-only login works fine with Ubuntu's default UsePAM yes, so that line can stay at yes. Port 36 is just the port I picked; any unused port works, and a non-default port only cuts log noise, it is not a security control on its own.
  • Save and exit the file with Ctrl-X
  • Check the file parses (sshd -t), keep your current session open, and reload the SSH server's configuration with the following command:
sudo service sshd reload
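Because sshd honours only the first occurrence of each keyword, a hardening edit can look right and do nothing. The script below, an added example and not part of the original post, reads an sshd_config the way sshd does (case-insensitive keywords, first occurrence wins, Match blocks excluded) and reports the effective value of the three settings above. Point it at /etc/ssh/sshd_config, or a copy, before reloading.

```shell
#!/bin/sh
# sshd_audit.sh: check an sshd_config for the hardening settings from this post,
# the way sshd itself will read it. Added example, not from the original post.
# Two sshd parsing rules bite people here: keywords are case-insensitive, and
# the FIRST occurrence of a keyword wins, so "PasswordAuthentication no"
# appended below an earlier "PasswordAuthentication yes" changes nothing.
set -eu

# effective CONFIG KEYWORD: print the value sshd would use for KEYWORD in the
# global section, or nothing if it is never set (sshd then uses its built-in
# default). Comments and blank lines are skipped, "Key value" and "Key=value"
# both parse, and everything from the first Match block onward is ignored
# because those lines only apply conditionally.
effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { inmatch = 1 }
        inmatch { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, kv, /[ \t=]+/)
            if (n >= 2 && tolower(kv[1]) == key) { print kv[2]; exit }
        }
    ' "$1"
}

# audit CONFIG: compare effective values with what the post asks for. Prints
# one OK/FAIL line per setting and returns 1 if anything is off. An unset
# keyword is reported as FAIL too: sshd's default for PasswordAuthentication
# is yes, so "not set" is not the same as "no".
audit() {
    cfg="$1"; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no ChallengeResponseAuthentication=no; do
        k=${pair%%=*}; want=${pair#*=}
        got=$(effective "$cfg" "$k")
        if [ "$got" = "$want" ]; then
            echo "OK   $k $got"
        else
            echo "FAIL $k is '${got:-unset}', want $want"; rc=1
        fi
    done
    return $rc
}

# Before reloading, let sshd parse the file itself and keep a second session
# open in case you get locked out:   sudo sshd -t && sudo service sshd reload
# usage: sh sshd_audit.sh /etc/ssh/sshd_config
if [ "${1:-}" ]; then audit "$1"; fi
```

The audit only reads the file; the authoritative view of what a running sshd actually uses is sshd -T (run as root), which prints every effective setting after parsing, and it is worth comparing the two when the file has grown several includes or Match blocks.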