Has anyone successfully used the version of certbot in jessie-backports
to install https certificates from letsencrypt on Apache?
The reason for asking is that I haven't :)
It doesn't help that the version there is older than the one covered by
the documentation at <https://certbot.eff.org/docs/using.html> - there's
no 'certificates' command, for example.
Ian
Hi all,
I was looking to upgrade my VPS to the latest Ubuntu release this afternoon but ran across a problem. Whenever I try to run "do-release-upgrade" I receive the following error:
Checking for a new Ubuntu release
Get:1 Upgrade tool signature [836 B]
Get:2 Upgrade tool [1,265 kB]
Fetched 1,266 kB in 0s (0 B/s)
authenticate 'xenial.tar.gz' against 'xenial.tar.gz.gpg'
gpg exited 1
Debug information:
gpg: Signature made Wed 07 Dec 2016 09:10:01 GMT using RSA key ID C0B21F32
gpg: /tmp/ubuntu-release-upgrader-r7c80csz/trustdb.gpg: trustdb created
gpg: BAD signature from "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster(a)ubuntu.com>"
Authentication failed
Authenticating the upgrade failed. There may be a problem with the network or with the server.
Searching online <http://askubuntu.com/questions/842706/how-to-upgrade-ubuntu-if-i-get-authen…>, this looks like it could be a problem with the xenial.tar.gz file on the local repo cache. Has anyone else had similar problems, and if so, how did you resolve them?
I suppose beyond that, has anyone successfully upgraded their Ubuntu VPS to 16.04? Were there any problems along the way?
Thanks,
Paul
Hi,
I've added an Ubuntu 18.04 LTS installer to our Xen Shell, so it's
now available for self-install. More info about self-install:
<https://tools.bitfolk.com/wiki/Using_the_self-serve_net_installer>
So, the command is "install ubuntu_bionic". If you don't see it,
make sure you are running version v1.48bitfolk46 of the Xen Shell as
the Xen Shell stays running if you connected to it before.
Please note:
- Obviously this is still pre-release for 18.04. I have only tested
it so far as installing it, booting it and connecting to it with
SSH. I would be interested to know of your progress if you use it.
- If you already are running Ubuntu you could just
do-release-upgrade into this as normal.
- As ever, if you'd like to perform a self-install but need to keep
your existing VPS running for a while, we can offer a new account
free for 2 weeks for you to perform your migration:
<https://tools.bitfolk.com/wiki/Migrating_to_a_new_VPS>
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
Hi,
Having run what appears to be a successful upgrade from Ubuntu 14.04 to
16.04 (yes, yes I know living in the past) I've hit a problem.
My VPS won't reboot.
$ sudo shutdown -r now
Gives:
Failed to start reboot.target: Connection timed out
See system logs and 'systemctl status reboot.target' for details.
Couldn't find an alternative telinit implementation to spawn.
failed to run telinit 6 for upstart fallback
Failed to talk to init daemon.
and trying to shut down via the xen console I get:
xen-shell> shutdown
Shutting down instance: <vpsname>
Shutting down domain <number>
Waiting for 1 domains
and the VPS stays up.
Any suggestions before I hit it with a xen console "destroy"?
Andy
--
Andrew Ransom
<aransom(a)gmail.com>
I have finally set up a server with Debian Stretch rather than Jessie.
The main 'you have to change everything' was around the move from PHP5
to PHP7.
I still want to use the -fpm version of PHP because you don't need to
load an entire PHP interpreter to serve JPEGs.
I still want to stop bots trying to bruteforce WordPress logins.
* Before (Jessie):
Apache calls php-fpm via the fastcgi module in
/etc/apache2/sites-available/example.com.conf -
<IfModule mod_fastcgi.c>
AddType application/x-httpd-fastphp5 .php
Action application/x-httpd-fastphp5 /php5-fcgi
Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi_examplesite
FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi_examplesite -socket /var/run/php5-fpm_exampleuser.sock -pass-header Authorization
</IfModule>
and restricts access to wp-login.php in the site's .htaccess file -
<Files "wp-login.php">
AuthName "Message that Firefox shows but Chromium no longer does!"
AuthType Basic
AuthUserFile /home/exampleuser/.htpasswd
Require valid-user
</Files>
... and it works! Anyone going to example.com/wp-login.php gets asked for
a username and password by Apache before it will run it.
* After (Stretch):
Because of the changes between the two, Apache now calls php-fpm via the
proxy-fcgi module in /etc/apache2/sites-available/example.com.conf -
ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm_exampleuser.sock|fcgi://localhost/home/exampleuser/public_html/
and with the same .htaccess file, it *doesn't* trigger on access to
wp-login.php because it's a .php file, ProxyPass gets there first and
just runs it without checking anywhere else if it should.
The method used on Jessie isn't particularly great, but because the
enemy is dumb bots, it doesn't have to be!
For the past few years, it's worked to dramatically reduce the impact of
the endless attempts to bruteforce access to anything running WordPress
- unlike the plugins that do something about the appalling security of a
standard WordPress installation* it didn't need to run PHP or touch the
database at all.
I do also have fail2ban watching wp-login.php and blocking anyone who
hammers it, but the next time there's a WordPress bot storm, it will
affect the server because of all the PHP and database access.
Any suggestions? I don't want to have to rename or move wp-login.php and
I don't want to have to compile PHP5.4 from source either...
Ian
* "Allowing infinite attempts to login without blocking the IP address
after so many failures or even notifying the site's owner? What could
/possibly/ be the problem with that?? In fact, let's make it even easier
by allowing hundreds of attempts to be made at once!!!"
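One way to keep the Jessie-style Basic auth in front of wp-login.php on Stretch, as an added example rather than anything from the post above: route .php files to php-fpm with SetHandler inside a FilesMatch block instead of ProxyPassMatch, so the request still maps to a file on disk and passes through Apache's authentication phase before being proxied. It assumes the socket path and document root named in the post and Apache 2.4.10 or newer (the version in which mod_proxy_fcgi accepts the "proxy:" SetHandler form).

```apache
# /etc/apache2/sites-available/example.com.conf (added example, not from the post)
# Assumes the php7.0-fpm socket and docroot named in the post, and Apache >= 2.4.10
# so that mod_proxy_fcgi accepts the "proxy:" form of SetHandler.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /home/exampleuser/public_html

    # ProxyPassMatch acts in the URL-translation phase: the request never maps
    # to a file, so .htaccess (and its <Files> auth) is never consulted.
    # SetHandler leaves the normal file mapping in place, so per-directory
    # config and the auth phase run first; only then is the request proxied.
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/php7.0-fpm_exampleuser.sock|fcgi://localhost/"
    </FilesMatch>

    <Directory /home/exampleuser/public_html>
        # AuthConfig must be allowed for the <Files> block in .htaccess to apply.
        AllowOverride AuthConfig
        Require all granted
    </Directory>

    # The same protection can live here instead of (or as well as) .htaccess;
    # a <Files> block in the vhost applies regardless of AllowOverride, and
    # the more specific Require here overrides the directory-level grant.
    <Files "wp-login.php">
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /home/exampleuser/.htpasswd
        Require valid-user
    </Files>
</VirtualHost>
```

Because Apache answers the 401 itself, the dumb bots never reach PHP or the database, which restores the cheap rejection the fastcgi setup provided.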
Hi,
The current BitFolk rescue VM as described in
<https://tools.bitfolk.com/wiki/Rescue> is based on Debian wheezy
(7.0) and as such is starting to get too old to be useful.
I've set up a newer one based on Debian stretch (9.0), which can be
accessed by using the "rescue-dev" command (instead of just
"rescue").
Next time you have cause to use the rescue environment, if you could
give "rescue-dev" a go and let me know of any issues, that would be
helpful. It should work just the same, except for being newer.
Cheers,
Andy
Apologies for the non-Bitfolk/server post, but I'm hoping that people
here have some useful experience to help me decide the best way to set
up virtualisation for home use (local as opposed to remote access).
I've just built myself a Ryzen PC and I understand that in the past few
years things have improved with virtualisation allowing GPU
pass-through. Guidance I've found on the net uses either Xen
(https://wiki.xenproject.org/wiki/Xen_VGA_Passthrough) or Synergy
(http://synergy-project.org/synergy/), but I think you can now do it
with KVM too (not sure if you can with Hyper-V, but I probably wouldn't
want to use it anyway unless there is a noticeable advantage).
I'm planning to run Windows for gaming and a few other tools, and Linux
for day-to-day usage and compiling (probably compiling in a different VM
to the rest). I plan to pass through one GPU for Windows and use a
second for the Linux VM(s). I may have a couple of other VMs for
testing or running programs that have particular
requirements/dependencies, but I'd only start these as needed and stop
them when finished.
What are people's experiences with virtualisation (especially on
desktops), and has anyone done hardware pass-through, particularly with
graphics cards?
Thanks
Gavin
Hi Gavin,
I used to game exclusively on a virtualised Win7 machine using Xen.
I would _highly_ recommend that you use KVM for this as it (usually) just
works out of the box. I would also recommend using an NVIDIA card. My
personal experience with AMD graphics was good until the RX4x0 series. I
just couldn't get this working properly under virtualisation whereas my
HD6700s and such were fine.
Gaming performance was about right give or take a couple of FPS but high
levels of interrupt activity in the dom0/base system caused weird issues. I
found ZFS on dom0 to be especially guilty of causing frame jitter when
gaming.
My original system was based off an i7-3770 with an Asrock motherboard. I
went through several iterations of hardware and the biggest issue was
always motherboard/BIOS support for VT-d passthrough. I ended up moving to
an E5-2690 and supermicro motherboard as the hardware passthrough support
was superior to the consumer gubbins I'd been using before.
Hope my rambling has helped in some way!
Thanks,
Ashley
Hi,
The level of SSH scanning is getting ridiculous.
Here's some stats on the number of Fail2Ban bans across all Xen
Shell hosts in the last 7 days:
That is with Fail2Ban adding a 10 minute ban after 10 login
failures. If there was no ban this would be 100s of thousands of
login attempts instead of 4,653 bans.
Yes I can send an abuse report to Chinanet's "Jiangxi telecom
network operation support department". Yes I can just firewall it
off. But that relies on periodic log file auditing.
There is already an SSH listening on port 922 that is not subject to
Fail2Ban. I would rather not have SSH on port 22 at all but in the
past I have been told this would not be acceptable because some
people are sometimes on networks where they can't connect to port
922. If that would be fine with you then no need to comment but it
might be interesting to hear from anyone who would still find this a
problem.
What are the feelings about setting port 22 Xen Shell access to
require SSH public key auth (while leaving 922 to allow password
authentication as well)?
Do those of you who've added SSH keys want an option to *require*
SSH keys even on port 922?
At the very least the Fail2Ban ban time is going to have to go up
from 10 minutes to let's say 6 hours.
Cheers,
Andy
Hi,
Around 04:00Z I received alerts that host "snaps" had unexpectedly
rebooted. Upon investigating it had indeed reset itself for reasons
unknown starting at about 03:51Z. It wasn't a full power cycle nor a
graceful shutdown, it just reset itself with no useful log output.
Whilst all VPSes did seem to boot up okay, unfortunately it soon
became clear that "snaps" had booted into an earlier version of the
hypervisor - one without the recent Spectre/Meltdown (and
other) security fixes that were deployed last week.
At this point customer VPSes on "snaps" were operating normally
again but things could not be left in that insecure state, so after
some time spent investigating things, between 06:17Z and 06:37Z I
did a clean shut down and booted into the correct version of the
hypervisor again.
I have since established why the incorrect boot entry was
automatically chosen¹ and have fixed that problem. I have not
worked out what caused "snaps" to reset itself. We have been having
some stability issues with "snaps" over the last 6 months and I
think we are going to have to decommission it.
I will come up with a plan and contact customers on "snaps" directly
later today, but in the meantime if your VPS is on "snaps" and you
wish for it to be moved to another server as a priority please
contact support(a)bitfolk.com and we'll get that done. It will involve
shutting your VPS down and booting it a few seconds later on the
target server. None of the details of your VPS will change. Please
indicate what sort of time of day would be best for that to happen.
Apologies for the disruption this will have caused you.
Cheers,
Andy
¹ The newer hypervisor package ships an override to make sure that
the server boots into the hypervisor by default at the next boot.
This is meant to make it easier for people, but all it did was
override my actual intentionally-set default boot option with one
that wasn't suitable. This was not noticed in testing because the
testing machines had no other versions of the hypervisor present.