Hi All,
My VPS hosts a small selection of web sites. I have noticed a LOT of
attacks recently.
The errors in the log file are typically something like this:
    2020/04/29 11:08:12 [error] 831#831: *99107 FastCGI sent in stderr: "PHP message: PHP Fatal error: Reseller record not found for
    in /var/www/exampleone/htsecure/Classes/ApplicationFactory.php on line 86" while reading response header from upstream, client: 209.17.96.218, server: exampleone.co.uk, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "exampletwo"
This is very puzzling because exampletwo is any website I host (except
exampleone), including a site that DNS points to my server but I don't
host!
The PHP error is caused because the value in $_SERVER['HTTP_HOST'] is
not something expected. I think it may be "\n" or missing.
It would appear that I have something screwy in my configuration for php
requests to one site to be passed to another - but I can't see it.
The default configuration is:

    # Statements for default virtual host
    server {
        listen 80 default;
        # server name is catch-all for unknown names
        server_name _;
        root /etc/nginx/html;
        index index.html;
        # access_log /var/www/access_log;
        try_files $uri =404;
    }
This would be triggered when exampletwo is the domain pointed at my
server, that I don't (yet) host.
The only file in /etc/nginx/html is index.html and reports "the domain
you requested does not exist on this server". There are no php files.
The config for exampleone is (redacted for security).

    # Statements for exampleone virtual host
    # switched to letsencrypt cert 30/6/2019
    server {
        listen 80;
        server_name exampleone.co.uk www.exampleone.co.uk;
        rewrite ^(.*) https://exampleone.co.uk$1 permanent;
    }
    server {
        listen 443 ssl http2;
        server_name exampleone.co.uk www.exampleone.co.uk;
        ## SSL Certs
        ssl_certificate /etc/letsencrypt/live/coachmaster.co.uk-0001/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/coachmaster.co.uk-0001/privkey.pem;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1.2;
        ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
        ssl_session_timeout 10m;
        # Additional Security Headers
        # ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Sec…
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        add_header X-Frame-Options DENY always;
        # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Op…
        add_header X-Content-Type-Options nosniff always;
        # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
        add_header X-Xss-Protection "1; mode=block" always;
        # Enable OCSP stapling
        # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/letsencrypt/live/exampleone.co.uk/fullchain.pem;
        root /var/www/exampleone/htsecure;
        access_log /var/log/nginx/exampleone.co.uk.access.log;
        error_log /var/log/nginx/error.log;
        index index.php;
        location = / {
            rewrite ^ /index.php last;
        }
        location /easyrtc {
            proxy_pass http://localhost:5006;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
        location /socket.io {
            proxy_pass http://localhost:5006;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
        # serve php files via fastcgi if the file exists
        location ~ \.php$ {
            try_files $uri =404;
            include /etc/nginx/fastcgi.conf;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param CENTRAL_ROOT $document_root;
            fastcgi_param RESELLER_ROOT $document_root;
            fastcgi_param ENVIRONMENT production;
            fastcgi_param HTTPS ON;
        }
        # serve static files
        try_files $uri $uri/ /index.php;
        expires 30m;
        # now to configure the long polling
        location /publish {
            nchan_publisher;
            nchan_channel_id $arg_id;
            nchan_message_buffer_length 10;
            nchan_message_timeout 90s;
        }
        # public long-polling endpoint
        location /activity {
            nchan_subscriber;
            nchan_channel_id $arg_id;
        }
    }
Sorry about the extra line breaks borking the layout. SNAFU. :)
Any idea why or how, a request to a site that does not exist, gets
switched to exampleone, when default is present?
I am running fail2ban, and that locks them out for an hour at the third
attempt, so it does not matter much, except that my nightly report of
errors is so full of this junk, I can't see any real problems. :(
Thanks for any insights.
Ian
--
Ian Hobson
Tel (+351) 910 418 473
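The routing Ian is asking about follows from how nginx picks a virtual server: a request whose Host header (and, for TLS, whose SNI name) matches no server_name on a given listen port goes to that port's default_server, and if no block on that port is marked default_server, nginx uses the first server block defined for that port. The posted catch-all only listens on port 80 (`listen 80 default;` is the old spelling of `default_server`), so on port 443 the exampleone block is the implicit default and its PHP application receives whatever Host a scanner sends. The following is an added example, not configuration from the original post: the catch-all is extended to 443 so unknown names are dropped there too. `ssl_reject_handshake` needs nginx 1.19.4 or later; on older versions, give the catch-all block a self-signed certificate instead (any path you choose; none is implied by the post) and keep the `return 444`.

```nginx
# Added example (not from the original post): one catch-all server for
# both plaintext and TLS, so exampleone stops being the implicit default
# on port 443.

# Before (as posted): the catch-all covers port 80 only. Requests on 443
# for unknown names fall through to the first 443 server block.
server {
    listen 80 default_server;
    server_name _;
    root /etc/nginx/html;
    index index.html;
    try_files $uri =404;
}

# After: an explicit default on 443 as well. Unknown SNI names never get
# a certificate; a connection that does reach the block (no SNI, or a Host
# header matching no server_name) is closed without a response.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx >= 1.19.4; otherwise use a self-signed cert here
    return 444;                # close the connection, log nothing to the app
}

# The real vhost is unchanged apart from no longer being the default on
# 443: it only answers when SNI and Host name it explicitly.
server {
    listen 443 ssl http2;
    server_name exampleone.co.uk www.exampleone.co.uk;
    # ... certificates, headers and PHP/fastcgi locations as posted ...
}
```

To confirm the diagnosis before changing anything, `nginx -T | grep -n 'listen'` lists every listen directive with its block, and `curl -k --resolve exampletwo:443:127.0.0.1 https://exampletwo/` from the VPS shows which block answers for an unknown name (the exampleone PHP error with the posted config, an empty reply with the catch-all in place). The nginx fix only removes the noise; the application should still validate `$_SERVER['HTTP_HOST']` against the names it actually serves rather than trusting the header, because a client that sends a valid SNI name and an arbitrary Host header is routed by the Host header, not the SNI name.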
Hello,
I am wanting to upgrade my server from Debian 9 to Debian 10. I have done this on other systems without problems but have a question about the Bitfolk VM and network interface name.
For Debian 10 upgrades the legacy name definition file is not supported [1]:
/etc/udev/rules.d/70-persistent-net.rules
I define eth0 here using MAC i.e.
SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="00:16:3e:1b:b2:db", NAME="eth0"
I have no files in /etc/systemd/network/.
Per [1], using udevadm to find the udev name:
# udevadm test-builtin net_id /sys/class/net/eth0 2>/dev/null
ID_NET_NAME_MAC=enx00163e1bb2db
ID_OUI_FROM_DATABASE=Xensource, Inc.
it is wanting to use "enx00163e1bb2db".
So, to get started I was going to:
1) Disable the 70-persistent-net.rules file
2) Change all occurrences of "eth0" to "enx00163e1bb2db" using:
grep -r eth0 /etc
3) Reboot
Is this correct? Or is there a better way that the Debian 9 to 10 upgrade can cope with (maybe with a nicer interface name)?
Once I am happy all works using this interface name, I can think about the Debian 10 upgrade itself.
Many Thanks,
[1] https://www.debian.org/releases/stable/amd64/release-notes/ch-information.e…
--
Alastair Sherringham
http://www.sherringham.net
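An alternative to rewriting every "eth0" under /etc is to keep the name and let systemd-udevd apply it from a .link file matched on the MAC, which is the mechanism that replaced 70-persistent-net.rules. The file below is an added example, not something from the original post or from Debian's release notes: the MAC is the one shown above; the file name is an assumption and only needs to sort before systemd's own 99-default.link.

```ini
; /etc/systemd/network/10-eth0.link
; Added example (not from the original post): pin the interface with this
; MAC to the name "eth0" across the Debian 9 -> 10 upgrade. Match on the
; address, not on the current name, so the rule survives a rename.
[Match]
MACAddress=00:16:3e:1b:b2:db

[Link]
Name=eth0
```

After creating it, disable or remove 70-persistent-net.rules and run `update-initramfs -u`: the rename happens in the initramfs, so a .link file that is only on the root filesystem is applied too late on the next boot. `udevadm test-builtin net_setup_link /sys/class/net/eth0` reports which .link file udev would apply to the device without rebooting. Choosing a name other than eth0 (for example `Name=lan0`) works the same way and avoids any chance of a clash with the kernel's own ethN naming, at the cost of the grep-and-replace pass that the .link file was meant to avoid.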
Hi folks,
My VPS currently has Ubuntu 18.04 installed on it, and since 20.04 has
just been released, I'm considering when and whether to upgrade it.
However, I've also been looking into NixOS recently, and I thought I
might try running it on my server.
--
Josh Holland
Hi,
Does anyone here use Andrews & Arnold with linux PPPoE and has a
working IPv6 configuration?
(Or a better idea on how to get the public IP on to a linux box without
using pppoe? I do not want "dodgy" NAT on proprietary devices)
Yes...totally off topic for this list :)
Conrad
Hi,
If you do not currently pay us by Direct Debit and have no interest
in doing so then you can ignore this email.
== Short version ==
From 27 April 2020 we're introducing a minimum Direct Debit charge
of £5.00. Any time we would charge you less than £5.00, we are going
to charge you £5.00 and credit your account with the difference.
As there is no BitFolk plan that costs less than £6.49+VAT per month
THIS WILL AFFECT ALMOST NO ONE, unless you somehow get a lot of
credit on your account, or order something small (like 5GiB of
storage) and generate a one-off bill.
If you do not like this, I'm afraid we will have to ask you to
cancel your Direct Debit mandate and pay us by some other method.
You can do that from:
https://panel.bitfolk.com/account/billing/
If you are feeling nice you can also set a higher minimum charge,
which saves us giving fees to our payment provider. You can do that
from the link above.
Or you could switch to quarterly or yearly payments. Please contact
support@ to do that.
That's everything you need to know and you can stop reading now if
you like.
Thanks!
== Long version ==
=== What's happening ===
From 27 April 2020 we'll be introducing a minimum charge of £5.00 on
Direct Debit payments.
=== Background ===
Almost half of you currently pay us by Direct Debit. I previously
mentioned that as of March 2020 our Direct Debit payment provider
(GoCardless) was introducing a £0.20 loading on every transaction,
in addition to their usual 1% transaction fee.
The majority of our customers are on the smallest plan, at £7.79 inc
VAT per month. As an example, pre-March the fees for that charge
were £0.08 (1%). Now they are £0.28. Overall, the £0.20 loading has
resulted in an 83% increase in our transaction fees.
For that reason I asked customers to please consider either
switching to quarterly or yearly payments, or else consenting to a
higher minimum charge, with the remainder being credited to the
account.
A fair few of you did switch and one customer increased their
minimum charge. As only one person had switched I did not actually
implement anything except the ability to choose the charge, and we
carried on charging the exact amount.
Today I have noticed that a Direct Debit payment failed to go
through, because we were trying to charge only £0.83. GoCardless
have obviously altered their API to not support such a small charge,
which I suppose makes sense and gives me the motivation needed to do
the same on BitFolk's side, because otherwise this customer's
service can never be marked as paid for.
=== What we're doing ===
If I am going to implement a minimum charge then I don't see the
point of trying to make it as low as it possibly can be, given that
I still have to do all the work and write this email just to tell
you about whatever value it is. It appears that the minimum charge
is £1.00. I've made the decision that our minimum charge will be
£5.00, which is still well below the regular cost of any plan we
sell, so will affect almost no one.
So, we have no choice but to implement a minimum charge. We could
handle it by batching up your invoices until they are >= £5.00 but
that is a lot of work for a situation that is really rare, and I
also don't want to be billing people in arrears. I'm choosing to set
the minimum at £5.00, not £1.00.
=== What you can do ===
If this upsets you and you never want to be charged potentially
£4.99 extra that sits on your account as credit then I'm afraid you
will have to cancel your Direct Debit mandate before 27 April 2020
and start paying us by some other means. You can do that from:
https://panel.bitfolk.com/account/billing/
Otherwise, thank you for your understanding!
Additionally if you want to be nice you could:
- Set a minimum charge that's higher than £5.00. You can do that
from the link above. The excess will sit on your account as
credit, you can have it back at any time, and it will reduce what
we pay out as fees.
- Change to a quarterly or yearly contract. Please contact support@
if you'd like to do that.
=== We still like GoCardless / Direct Debit ===
Obviously I'm not thrilled that fees for anything have gone up by
83%, but I just want to state factually that even so, the fees for
GoCardless are still less than PayPal and Stripe (credit cards).
We are contractually obliged by various merchant contracts to not
place one payment method above another in terms of favour or
prominence, but hopefully just repeating a fact is okay!
=== What about Direct Debit payments from outside the UK? ===
At the moment in order to pay us by Direct Debit you need a bank
account in GBP and a UK postal address¹.
GoCardless recently opened up their service to those in the Single
European Payments Area, USA, Canada, and probably Australia/NZ too.
This would be charged in your local currency and I am still
grappling with the changes needed for that. It will happen at Some
Point.
=== Further questions? ===
If you have any questions please reply; your reply will go to the
users mailing list and I will answer there, or else if you want to
ask in private please send to support@.
Thanks!
Andy
¹ Some financial providers like TransferWise do provide GBP accounts
with a Direct Debit feature and provide a UK address you can use
to set up Direct Debit mandates no matter where in the world you
live. That works. Also if you have a GBP account with a UK bank
but happen to live outside UK, it works right now to provide your
bank's address.
--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
Hi,
Are there any Slackware users at BitFolk who've built a kernel
recently?
We have a customer who is having problems getting our grub to boot
their kernel from an install roughly following the guide at:
https://tools.bitfolk.com/wiki/Installing_Slackware
…so if I could see your kernel config and bootloader setup that
would be useful.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
Effective immediately we have doubled the base plan's data transfer
quota from 1TB/month outbound to 2TB/month for paying customers.
Those on 95th percentile billing have had the base plan doubled from
4Mbit/s to 8Mbit/s.
If you currently pay for extra data transfer quota (or 95th
percentile commitment) and don't need it anymore then you should
check that out and contact support to remove it if necessary.
If you pay by PayPal subscription then your subscription in PayPal
won't have updated its description as these are set at the time they
are created; please check with the Panel² to know what your specs
are and compare them with your running VM.
We've also gone through and had a look at the specs of the sponsored
hosting accounts¹ and standardised most of them to 1.5G memory, 2TB
data transfer as some of these were quite old and were on the lower
defaults of old. Not all of those have had their data transfer quota
doubled, because some were already higher than the base, but
everyone got something!
I absolutely am not going to do a "keep calm" line, so I will just
say take care of yourselves and each other and please use more
bandwidth. Preferably for good, not evil.
Cheers,
Andy
¹ https://tools.bitfolk.com/wiki/Sponsored_hosting
² https://panel.bitfolk.com/account/#toc-vps-plan and
https://panel.bitfolk.com/account/config/
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
Apologies up front that the subject line reads like some sort of
passive-aggressive dodge ("I Am Sorry If You Feel You Have Been
Abused By Us", or "I Could Tell You But Then You Would Have To Be
Destroyed By Me"¹), but I didn't want to use language like
THERE HAS BEEN A COMPROMISE OF YOUR DATA
…because at the heart of this is a miscommunication on my part, of a
situation that has existed forever. Essentially nothing has changed
but it is perhaps surprising to some that things were/are the way
they are.
== The issue ==
If you are logged in to BitFolk's Grafana² to look at the graphs of
your service, then you can look at the queries that the JavaScript
is sending, edit some of the placeholders, and look at graphs for
any other BitFolk customer.
This was known by me when I set up our Grafana last
October/November. The possibility of logged-in users sending
arbitrary queries was raised to me at the time by a couple of
people, and my response to that was to set some ACLs such that only
the specific queries that correspond to defined dashboards are
allowed. That is, the things that you can see can also be seen by
any logged in user if they make some trivial effort to do so.
I thought this was acceptable because with our previous solution
(Cacti), all users' graphs were visible by anyone on the Internet,
and that was the case from some time in 2007 up until late last
year. So in fact the current Grafana is more restrictive than Cacti
was.
I thought that this had been adequately communicated to you, the
customer base, including to the people who had raised concerns about
the Prometheus/Grafana security model.
I was wrong. Conrad Wood was one of the people who kindly advised me
when I was setting up Grafana/Prometheus; Conrad did warn me about
this issue as did a couple of other people, and I thought that I had
communicated what my solution was going to be (and that it was
actually stricter than Cacti was), but I might not have.
That suggests that there will be other customers who are unaware of
this, and unhappy about it.
== What we will do about it ==
I don't want customers to be unhappy, so what I will do is work on
tightening up the ACLs such that logged-in users can only use the
label/placeholder values that pertain to them.
I will work on this as a priority but I think it will still take a
couple of weeks to do.
In the mean time, if you are not comfortable with the situation that
any other user can craft a query to look at your CPU / bandwidth /
block IO stats, please drop an email to support(a)bitfolk.com and I
will block all non-admin access to your stats. That will include
your own access.
== Don't shoot the messenger ==
I appreciate that many of you probably will not care that other
customers could with some minor effort look at your graphs. The fact
that Conrad doesn't think it's acceptable, and repeatedly tried to
tell me that (but I failed to communicate and our wires initially
got crossed), probably means that there are some other customers for
whom this is news and who would be unhappy about it.
So I thank Conrad for bringing it to my attention again; I have
adjusted my viewpoint; I will restrict it; it would not be useful
for anyone to comment that they personally don't care. There will be
others who care, and this is for them.
(I did check with Conrad that they wanted to be named here and they
indicated that would be fine. If they'd said no then I'd just have
said, "a customer has brought to my attention…")
Thanks for reading, and I apologise for not making the situation
about visibility of stats clear throughout this long period of time.
Cheers,
Andy
¹ https://www.amazon.com/Could-Tell-Then-Would-Destroyed/dp/193555414X
² https://tools.bitfolk.com/grafana/
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hello,
I know there's a few WordPress experts here. Can I pick your brains?
Say I have a WP site at https://dev.example.com/ and I now want to
copy it and put it live at https://example.com/. Having read:
https://wordpress.org/support/article/changing-the-site-url/
do I just…
- Copy the filesystem structure from one document root to another
- Dump the database and re-insert it into a new database
- Install wp-cli and run
$ wp search-replace 'dev.example.com' 'example.com' --skip-columns=guid
and then it's all switched?
Cheers,
Andy
Hi All,
I need some help. I am out of my depth.
All my WordPress sites have been infected by a virus that acts as
follows. Non-WordPress sites are not affected.
1) It permits the home page to partially show.
2) Then a pop-up requests authorization to continue (which I have not
clicked).
3) Then in the background the address line changes first to
create-space.com and then to adarath.com, before showing an advert for
gambling or porn, which depends upon your location and not your language
settings.
All google hits claim this is a browser virus, but I don't think it is.
Every check of my system comes up clean. Almost positive it is on the
server.
It only appears on the first visit to the site. If I clear cookies and
cache, then it reappears. My browser does NOT show this virus for any WP
site that is not hosted on my VPS.
Unfortunately I am in Thailand, supposedly having a holiday and meeting
my in-laws' family, and I have no access to my usual tools or the site
backups.
Has anyone any ideas how best to proceed?
Regards
Ian
--
Ian Hobson
Tel (+351) 910 418 473
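The quickest way to settle "browser virus or server-side injection" without the usual tools is to ask the server directly, with no browser involved: fetch the page from the VPS itself and look for the redirect domains in the raw HTML, then look for PHP files that changed recently or carry the usual obfuscation primitives. The script below is an added example, not code from the original thread; the two indicator domains come from the post, while the document-root path, the User-Agent string and the seven-day window are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread): confirm from the VPS itself,
# with no browser in the loop, whether the redirect is injected server-side.
# Indicator domains are the two named in the post; everything else here is
# an assumption for illustration.

set -u

# Regex for the redirect domains the post mentions (constructed from the post).
INDICATORS='create-space\.com|adarath\.com'

# scan_html: read HTML on stdin, print every URL that points at an indicator
# domain, one per line. Exit status 0 if at least one was found, 1 otherwise.
scan_html() {
    grep -Eio "https?://[^\"' <>]*($INDICATORS)[^\"' <>]*"
}

# fetch_and_scan URL: request the page the way a first-time visitor would
# (fresh cookie jar, a common browser User-Agent, since the post says the
# redirect only fires on the first visit) and scan the response.
# Needs network access; not exercised by the test.
fetch_and_scan() {
    url=$1
    curl -sSL --max-time 20 \
         -c /dev/null \
         -A 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/75.0' \
         "$url" | scan_html
}

# recent_php_files ROOT [DAYS]: list PHP files under ROOT modified in the
# last DAYS days (default 7). Injected loaders typically appear as freshly
# modified or brand-new .php files in themes, plugins, uploads or the root.
recent_php_files() {
    root=$1
    days=${2:-7}
    find "$root" -type f -name '*.php' -mtime "-$days" -print
}

# suspicious_php ROOT: list PHP files that call the obfuscation primitives
# injected loaders commonly rely on. A hit is a lead to inspect, not proof;
# some legitimate plugins use base64_decode too.
suspicious_php() {
    root=$1
    grep -rlE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' \
         --include='*.php' "$root" 2>/dev/null
}

# Typical use on the VPS (assumed paths):
#   fetch_and_scan https://example.com/
#   recent_php_files /var/www/example.com 7
#   suspicious_php /var/www/example.com
```

If `fetch_and_scan` prints one of the indicator URLs, the injection is on the server and the browsers are only the messenger. With no backups to hand, the safe order is: take the affected sites offline or behind basic auth, compare `recent_php_files` against the last known deploy, diff wp-includes and wp-admin against a clean download of the same WordPress version, and rotate every credential the web server could read (database password, wp-config salts, any FTP or SSH keys on the box) before putting anything back.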