Hi users!
I've been a happy Bitfolk customer for some time and now I'm looking at
adding some more storage to my VPS.
In the past I've always taken the 5GiB packages. This time I see that there
is now Archival Storage in 50GiB packages.
I've read the docs at https://tools.bitfolk.com/wiki/Archive_storage but am
writing here to see if anyone has any practical experience with these
packages.
Whatever I choose, I'll keep all my existing packages: I'm just looking to
add new ones.
Having been a Bitfolk customer for so long, am I correct in assuming that
the disks that power these packages are similar technology to what my
entire VPS ran on a few years ago?
I'm definitely in two minds. I want the storage for IMAP... and as everyone
knows, IMAP and RDBMS are all about the number of spindles. ...but if I
only have a small handful of users (albeit ones who all have their phones
connected almost all the time), would everything stick nicely in the page
cache and spare me noticing the performance of the underlying storage?
So, if anyone has any direct experience reports of the performance of
Archival Storage, especially under an IMAP workload, I'd love to hear them!
Thanks!
(If I take the Archival Storage, I'll move my own mailbox first and try it
out for a while. If I take the 5GiB package I'll just add it to the
existing device and grow the volume.)
Best wishes,
@ndy
--
andyjpb(a)ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF
Hi,
A few customers have been testing this for a while now, and it's
been a while since the last issues were addressed, so now seems like
a good time to announce it.
We're going to be retiring our Cacti instance¹ in favour of the new
setup which can be found at:
https://tools.bitfolk.com/grafana/
You all already have access to it.
Those who are familiar with Prometheus and Grafana may be a little
disappointed: this is not intended to be a full hosted instance,
only a fairly locked-down replacement for what Cacti provides. I'm
satisfied that it goes beyond the functionality and usability of
Cacti, but it isn't like having your own setup and isn't intended to
be.
Everyone has a default dashboard exposing graphs similar to those
provided by Cacti, plus a few more besides.
The offer was always open for more of your metrics to be graphed by
Cacti, but as of today only one customer was making use of that. The
offer is still open for us to graph extra metrics from you if you
wish. To do that you'll first need to install Node Exporter² and
then send a support ticket. You'll then get an additional
dashboard that looks a bit like this:
https://tools.bitfolk.com/grafana/dashboard/snapshot/fysbHKJGqJm3Fq6KmtqlRJ…
Over the next week or two a wiki article for our Grafana will appear
and any references to Cacti on our web sites and docs will start to
disappear, except for a pointer to historical Cacti graphs. Update
of Cacti graphs is going to be disabled very soon.
Feedback on the service is still welcome of course, though the
general approach is by now pretty much decided.
Cheers,
Andy
¹ https://tools.bitfolk.com/cacti/
² Available as your usual kind of single Go binary from here:
https://github.com/prometheus/node_exporter
but also available in modern Debian (at least) as a package.
--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
Hi,
I've been working towards replacing our aging and creaky Cacti¹
installation with something more modern, based on Prometheus and
Grafana.
I think it's nearing the stage of being able to take over from Cacti
now, so I would like some volunteers to have a go at using it, give
feedback etc.
If you would be willing to do so, please drop me an email off-list
and I'll enable you to log in to it (with your usual BitFolk
credentials). Cacti will continue running in the meantime so there
is nothing to lose, only some time spent using it.
The goal here is not to offer a full hosted Grafana/Prometheus
setup, as that would be rather complicated and there are companies
that already do that as their entire paid service offering. I'm just
trying to replace the functionality of our Cacti, which for
customers basically amounts only to bandwidth and CPU graphs.
We can do a little better than this — in particular, block device
graphs have been pretty easy to add — but that's the sort of scope I
am looking at for right now.
Once we're happy with it, Cacti is going to stop gathering any
further measurements.
After you've had a play for a bit, feedback to this thread is
welcome, or to me personally if you'd rather.
Cheers,
Andy
¹ https://tools.bitfolk.com/cacti/
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
Another serious bug has been found in Exim, which is installed by
default on Debian and some other Linux distributions:
https://seclists.org/oss-sec/2019/q3/253
The impact is remote execution as an unprivileged user, although
it cannot be ruled out that there might be other routes to the same
code running in a privileged context.
If your distribution is still under security support then I expect
they will push out new packages in the next few days.
If not then you will need to upgrade it or rebuild the package. It's
quite a simple fix.
There's been no embargo this time, so attacks could be out in the
wild already.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
TL;DR: Read this to learn how to install CentOS 8
https://tools.bitfolk.com/wiki/Installing_CentOS_8
Unabridged edition:
Given that CentOS 8 was released a few days ago I had a look at
adding its installer.
Unfortunately it seems that CentOS 8 has dropped kernel support for
PV-mode Xen guests, which are the only type of guests that BitFolk
currently supports. It is therefore not possible to use the official
CentOS installer or core kernel package at the moment.
We are in the process of moving to PVH mode¹ guests, but that's not
ready yet. It all works; the main difficulty now is supporting both
modes without it being a terribly confusing user experience.
In the meantime, it is pretty simple to install CentOS 8 from
another Linux. This could be any distribution including an earlier
version of CentOS, though I would suggest that doing it from the
BitFolk Rescue VM² makes most sense as it's always available and
runs from RAM.
As the core kernel package of CentOS 8 also does not support PV mode
guests, it is also necessary to enable ELRepo³ and install the
kernel-ml package.
Here is a transcript of me installing CentOS 8 from scratch by this
method with full explanation of every step.
https://tools.bitfolk.com/wiki/Installing_CentOS_8
Don't be put off by the massive amount of text here; the vast majority
of it is command output which I have only included so you know what
to expect.
The only issue I have found with this method is some odd 1–2 minute
pauses around creating initramfs / bootloader config. This only
happens inside the install chroot and is probably something trying
to probe and timing out. It appears to be harmless, just irritating.
If you know what that is about or have any other improvements to
make, please do edit the page⁴; it is a wiki.
Cheers,
Andy
¹ https://wiki.xen.org/wiki/Xen_Project_Software_Overview#PVH_.28x86.29
² https://tools.bitfolk.com/wiki/Rescue
³ https://elrepo.org/tiki/kernel-ml
⁴ I would suggest refraining from adding purely optional things that
are a matter of taste though, as otherwise the page will become
incredibly long and opinionated.
--
https://bitfolk.com/ -- No-nonsense VPS hosting
One that caught one server in the past month was webmin's, where one
version was hacked with a backdoor that would by default let an attacker
run code as root, and later versions could also do so, depending on
how they'd been set up.
http://www.webmin.com/exploit.html
It didn't help that it's easy to let webmin update itself rather than
using the usual Debian apt / apt-get utilities and, if you don't use
it very often, it's easy to miss an update release.
What it did was install something listening to port 59000. As that
port (and almost all others) has always been blocked by the firewall,
it doesn't seem to have done anything bad, but it's rebuild on a fresh
VPS and destroy it time.
Ian, knowing that Andy has always disliked webmin...
Hi,
Last week we received abuse reports of SSH dictionary attacks coming
from a customer IP. At the time of investigation no attacks were
taking place but looking at historical bandwidth use it did seem
that something anomalous had happened in a few short bursts.
It was also obvious that the VPS had started using 100% of both of
its CPU cores around the same time as the first traffic spike:
https://imagebin.ca/v/4sqgOQKzxB4r
The customer was then informed of the probable compromise.
While we were watching the outbound SSH connections a dictionary
attack started up again, so we had no option but to disable the
customer's network access.
The customer later confirmed presence of this malware:
https://kindredsec.com/2019/05/31/dota-campaign-analyzing-a-coin-mining-and…
They had got in through an SSH dictionary attack against the
customer and then installed this to continue attacks and mine
cryptocurrency.
Unfortunately since the compromised account had full sudo access,
the customer had no choice but to completely reinstall.
We always recommend that password auth be disabled for SSH.
Do note that you can also upload SSH public keys and disable
password auth for your Xen Shell access, and/or require two factor
auth. This is set via the Panel:
https://panel.bitfolk.com/account/security/
About this email:
https://tools.bitfolk.com/wiki/Security_incident_postings
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
I was too busy to upgrade one of my VPS to Buster the other week. Also the
email from Andy reminded me that I have not converted that one to 64 bit.
So I decided to kill 2 birds with one stone.
First, into Xen shell and type in arch x86_64
That went nice and easy and Xen now tells me that I am operating in 64 bit
mode and that the bootloader can only boot x86_64 guests
Great. Prepare for upgrade to Buster, then press the go button. Chugging
through the upgrade process I see that it is all 32 bit packages being
installed. I thought Xen by some internal magic changed what I could
download. Well Kernel wise really
When all finished and a reboot done (a totally problem free upgrade by the
way) I ran lscpu
~# lscpu
Architecture: i686
CPU op-mode(s): 32-bit
Byte Order: Little Endian
OK I should have done some step earlier on in the process which I didn't -
maybe install a 64 bit kernel and rebooted, or something.
Showing my ignorance here I know, but I seem to remember when doing it on
my other VPS it was as simple as do the arch command on xen then just
update/upgrade
What have I missed, please?
Hi all, sorry it's me with a problem. Last night I did a complete reinstall
of the OS. I am running Stretch 64 bit.
I had some troubles with Bind not updating slaves. It said it was not
authoritative. Googled for remedies, tried them all out (I will list what I
did in a minute).
No luck so purged and reinstalled Bind, then manually entered a single
zone, restarted Bind. The logs showed this:-
zone keiths-place.co.uk/IN: sending notifies (serial 2019072335)
zone 31.172.in-addr.arpa/IN: sending notifies (serial 1)
zone 127.in-addr.arpa/IN: sending notifies (serial 2)
zone 27.172.in-addr.arpa/IN: sending notifies (serial 1)
zone 255.in-addr.arpa/IN: sending notifies (serial 1)
zone 0.in-addr.arpa/IN: sending notifies (serial 1)
client 85.119.84.35#35865 (keiths-place.co.uk): bad zone transfer request: 'keiths-place.co.uk/IN': non-authoritative zone (NOTAUTH)
client 85.119.80.222#59271 (keiths-place.co.uk): bad zone transfer request: 'keiths-place.co.uk/IN': non-authoritative zone (NOTAUTH)
client 85.119.80.198#10938 (keiths-place.co.uk): query 'keiths-place.co.uk/SOA/IN' denied
client 85.119.80.198#49851 (keiths-place.co.uk): bad zone transfer request: 'keiths-place.co.uk/IN': non-authoritative zone (NOTAUTH)
So you will need to see the conf files
/etc/bind/named.conf.local
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";

zone "keiths-place.co.uk" {
    type master;
    file "/var/lib/bind/keiths-place.co.uk.hosts";
    allow-query {
        85.119.84.35;
        85.119.80.222;
        2001:ba8:1f1:f085::53;
        2600:3c01:e000:259::53;
        45.33.107.124;
        172.104.29.216;
        2600:3c03::31:2153;
        2001:ba8:1f1:f309::2;
        127.0.0.1;
    };
    check-names warn;
    notify yes;
};

In frustration I added all the possible slaves and localhost to allow-query.
Named.conf
acl slaves {
    85.119.84.35; 2001:ba8:1f1:f309::2;
};

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
and finally named.conf.options
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    forwarders {
        8.8.8.8;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain yes; # conform to RFC1035
    listen-on-v6 { any; };
    check-names master warn;
    check-names slave warn;
    allow-query {
        85.119.84.35; 2001:ba8:1f1:f309::2;
    };
    also-notify {
        85.119.84.35; 2001:ba8:1f1:f309::2;
    };
    notify yes;
    forward first;
};
And just for good measure the zone file
$ttl 38400
keiths-place.co.uk.         IN SOA   ns3.keiths-place.co.uk. keithwilliamsnp.gmail.com. (
                                     2019072335
                                     10800
                                     3600
                                     604800
                                     38400 )
keiths-place.co.uk.         IN A     85.119.82.237
www.keiths-place.co.uk.     IN A     85.119.82.237
ns3.keiths-place.co.uk.     IN A     85.119.82.237
mail.keiths-place.co.uk.    IN A     85.119.84.35
ns1.keiths-place.co.uk.     IN A     85.119.84.35
ns2.keiths-place.co.uk.     IN A     85.119.82.237
webmail.keiths-place.co.uk. IN A     85.119.82.237
keiths-place.co.uk.         IN MX    10 keynesmail.com.
keiths-place.co.uk.         IN TXT   "v=spf1 mx redirect=keynesmail.com"
keiths-place.co.uk.         IN AAAA  2001:ba8:1f1:f29d::2
mail.keiths-place.co.uk.    IN AAAA  2001:ba8:1f1:f309::2
ns1.keiths-place.co.uk.     IN AAAA  2001:ba8:1f1:f309::2
ns2.keiths-place.co.uk.     IN AAAA  2001:ba8:1f1:f309::2
webmail.keiths-place.co.uk. IN AAAA  2001:ba8:1f1:f309::2
ns3.keiths-place.co.uk.     IN AAAA  2001:ba8:1f1:f29d::2
www.keiths-place.co.uk.     IN AAAA  2001:ba8:1f1:f29d::2
keiths-place.co.uk.         IN NS    a.authns.bitfolk.com.
keiths-place.co.uk.         IN NS    b.authns.bitfolk.com.
keiths-place.co.uk.         IN NS    c.authns.bitfolk.com.
keiths-place.co.uk.         IN NS    ns3.keiths-place.co.uk.
Following "solutions" on Google, I checked all permissions, checked
apparmor (no file for bind there), added all possible slaves to allow-query,
checked firewalls, and read all I could find on Bind. Though I have been
running the 2 bind servers for years and they always just seemed to work.
Sorry, should have said, running Bind 9.11
Keith
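As an added example (not code from the thread), the following Python reads the log lines and the zone block quoted above, records for each client whether it sits inside the zone's allow-query list and whether BIND logged an ACL denial or a NOTAUTH transfer refusal, and checks whether an allow-transfer statement is present at all; the posted config has none, and BIND 9.11 then permits transfers to all hosts. The log lines and zone block are constructed copies of the ones in the post, trimmed to the entries the log mentions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed copies of the log lines and zone block quoted in the post above.
LOG = """\
client 85.119.84.35#35865 (keiths-place.co.uk): bad zone transfer request: 'keiths-place.co.uk/IN': non-authoritative zone (NOTAUTH)
client 85.119.80.222#59271 (keiths-place.co.uk): bad zone transfer request: 'keiths-place.co.uk/IN': non-authoritative zone (NOTAUTH)
client 85.119.80.198#10938 (keiths-place.co.uk): query 'keiths-place.co.uk/SOA/IN' denied
client 85.119.80.198#49851 (keiths-place.co.uk): bad zone transfer request: 'keiths-place.co.uk/IN': non-authoritative zone (NOTAUTH)
"""
ZONE_CONF = """\
zone "keiths-place.co.uk" {
    type master;
    file "/var/lib/bind/keiths-place.co.uk.hosts";
    allow-query { 85.119.84.35; 85.119.80.222; 2001:ba8:1f1:f085::53; 127.0.0.1; };
    notify yes;
};
"""
LINE_RE = re.compile(r"^client (?P<ip>[0-9a-f.:]+)#\d+ \((?P<zone>[^)]+)\): (?P<msg>.*)$", re.I)

def parse_acl(conf, stmt):
    """Address list of a statement like 'allow-query { a; b; };', or None if the statement is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % stmt, conf)
    if m is None:
        return None
    nets = []
    for tok in m.group(1).split(";"):
        tok = tok.strip()
        if tok == "any":
            nets += [ip_network("0.0.0.0/0"), ip_network("::/0")]
        elif tok and tok != "none":
            nets.append(ip_network(tok, strict=False))
    return nets

def classify(log, conf):
    """Map each client IP to a set of (in_allow_query, kind); kind is 'denied', 'notauth' or 'other'."""
    acl = parse_acl(conf, "allow-query") or []
    result = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = ip_address(m["ip"])
        kind = "denied" if m["msg"].endswith("denied") else ("notauth" if "NOTAUTH" in m["msg"] else "other")
        result.setdefault(str(ip), set()).add((any(ip in n for n in acl), kind))
    return result

def transfer_acl_missing(conf):
    """True when no allow-transfer statement exists; BIND 9.11 then allows AXFR from any host."""
    return parse_acl(conf, "allow-transfer") is None
```

Note that 85.119.80.198 is outside allow-query and has its SOA query denied, yet its transfer request still reaches the NOTAUTH path, which is what an unrestricted allow-transfer looks like in the log.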