Hello,
In the last month I've been looking at improving the performance of
the spamassassin spamd service.
I added two more hosts to the load balancer and that has helped
some, but the bottleneck has now moved to the bayes database.
The servers are connecting to a MySQL bayes database so that they're
all in sync, but the problem comes when the database slows down.
Queries stack up and spamd doesn't seem to have config for giving up
on bayes after (say) 10 seconds, so then those connections back up
until all the servers are full.
Normally I'd look at scaling it by doing multi-master replication,
but the spamassassin docs specifically say this isn't supported and
won't work.
Has anyone scaled a spamassassin bayes DB before?
Is my only option to replicate it to slaves with a MySQL proxy in
front to send writes to the master?
Maybe I could revert to using DB_File databases, but over NFS.
Except it sounds horrible.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
On Sun, March 14, 2010 10:37 am, Duane at e164 dot org wrote:
> Doing semi-complete/complete backups via rsync/rsnapshot is difficult
> using a non-SU account.
Although if that's all you need root SSH access for you can always use the
'PermitRootLogin forced-commands-only' SSHD option.
Mathew
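One way to apply this to the rsync/rsnapshot case, as an added example that is not part of the original message: with `PermitRootLogin forced-commands-only`, root can log in only with a key whose `authorized_keys` entry carries a `command=` option, and that command can be a wrapper that permits nothing but rsync pulls. The wrapper path, the `--forced` argument, the key and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Assumed setup (wrapper path and key are placeholders):
#
#   /etc/ssh/sshd_config
#       PermitRootLogin forced-commands-only
#
#   /root/.ssh/authorized_keys (a single line)
#       command="/usr/local/sbin/backup-only --forced",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...PLACEHOLDER backup@backuphost
#
# sshd runs the forced command instead of what the client asked for and
# passes the client's request in SSH_ORIGINAL_COMMAND.

# Succeed only for rsync in server+sender mode (the backup host pulling
# files) with no shell metacharacters in the request.
backup_command_allowed() {
    case $1 in
        *";"*|*"&"*|*"|"*|*"<"*|*">"*|*'`'*|*'$'*|*"("*|*")"*) return 1 ;;
    esac
    case $1 in
        "rsync --server --sender "*) return 0 ;;
    esac
    return 1
}

backup_only_main() {
    if backup_command_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f                      # no glob expansion of the arguments
        # Unquoted on purpose: split the already-vetted request into words.
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rejected: this key may only run rsync pulls" >&2
    return 1
}

# Only act when installed as the forced command (see authorized_keys above).
if [ "${1:-}" = "--forced" ]; then
    backup_only_main
    exit $?
fi
```

The key can still read every file root can, so it remains as sensitive as a backup copy of the whole system. rsync also ships a fuller restricted wrapper, `rrsync`, which can confine transfers to one directory.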
Hi Andy,
On Sun, March 14, 2010 8:51 am, Andy Smith wrote:
> This very long email is about possible pro-active measures I could take
> to prevent customers being compromised by SSH dictionary attacks.
Apt timing for me - I've only just joined and noticed in my logs that from
the very first day of my VPS going live I was receiving 500 login attempts
per hour (not from another Bitfolk customer however).
> 5) Install DenyHosts or Fail2Ban.
I think this approach would be a good start, although note that neither of
those support IPv6 so for those that have it enabled they'd turn a blind
eye to such connections. SSHguard (http://www.sshguard.net) claims to
support it however I've not used it personally.
> (3) is already the case for Ubuntu of course, but not any of the other
> distributions offered. I haven't kept track of how many compromises have
> been of root and not some other user but disabling root access by SSH and
> requiring some other username seems a reasonable starting point, would at
> least limit the damage.
My Ubuntu memories are somewhat hazy however is it not the case that with
the default setup the first user is made part of the admin group? Hence,
if their password is compromised an attacker also has full superuser
rights through sudo... The attacker does of course have to be hitting the
right username so there is still some mitigation however.
Mathew
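To see how much of the login noise comes from addresses that an IPv4-only blocker would ignore, the added example below (not part of the original message) tallies failed sshd password attempts per source address and labels each as IPv4 or IPv6. The log lines are constructed samples using documentation address ranges, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: count failed sshd password logins per source address.

# Constructed sample lines (documentation address ranges, not real hosts).
sample_auth_log() {
cat <<'EOF'
Mar 14 09:00:01 vps sshd[2101]: Failed password for root from 192.0.2.10 port 40112 ssh2
Mar 14 09:00:03 vps sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 40118 ssh2
Mar 14 09:00:04 vps sshd[2105]: Failed password for root from 2001:db8::5 port 51515 ssh2
Mar 14 09:00:06 vps sshd[2107]: Failed password for invalid user test from 2001:db8::5 port 51520 ssh2
Mar 14 09:00:07 vps sshd[2109]: Failed password for invalid user a from 198.51.100.1 port 1 ssh2 from 2001:db8::5 port 51523 ssh2
Mar 14 09:00:09 vps sshd[2111]: Accepted publickey for mathew from 203.0.113.7 port 50000 ssh2
EOF
}

# Read an auth log on stdin and print "count family address", busiest first.
# The user name in these lines is supplied by the client and may contain
# spaces, so the address is read from the fixed tail of the line
# ("from ADDR port N ssh2") rather than from the first "from".
failed_logins_by_source() {
    awk '
        / sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" {
            count[$(NF-3)]++
        }
        END {
            for (addr in count) {
                family = (index(addr, ":") > 0) ? "IPv6" : "IPv4"
                print count[addr], family, addr
            }
        }
    ' | sort -k1,1nr -k3,3
}
```

On Debian and Ubuntu the input would normally be `/var/log/auth.log`, for example `failed_logins_by_source < /var/log/auth.log`.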
Hi Andy
Would it be too much administrative overhead for you to have two levels of VPS images?
One would be fairly locked down, maybe with SSH on a different port, fail2ban and a basic firewall pre-installed.
The second would be the image you currently provide with SSH locked to key authentication only.
If people want a VPS provisioned with a password they get the first image. Users who provision with a key can choose either image.
Alex
Hi all,
Don't know if anyone knows of a more elegant solution than this (or
perhaps an existing solution?) but I've a few Ubuntu boxes that I
admin, and I've never any idea of when there are package updates. Now
I know that Andy has provided a script (see
http://www.bitfolk.com/customer_information.html#toc_3_Keeping_your_VPS_up_…)
that notifies you when updates are available, but it's 'yet another
thing'(c) that you have to run.
I use Logwatch on all my servers, and so I wondered if it was possible
to write an add-on for that that would integrate such information into
the daily report - turns out there is (and it isn't too difficult to
do either!)
Firstly, obtain a copy of Andy's local-apt.pl script and copy it into
/etc/logwatch/scripts/services. At this point, rename the script
'apt-updates' (but you can call it whatever you want). Then create a
file in /etc/logwatch/conf/services and call it apt-updates.conf
(again, you can call this whatever you want, but it must match the
name given to the script). Inside this script, you only need the
following two lines: (title can be customised if you prefer)
    Title = "Package Updates"
    LogFile = NONE
To test this is working, execute the following line:
    sudo logwatch --service apt-updates --debug high
(obviously replace 'apt-updates' bit if you've changed the script name)
Assuming your server requires some updates, the list of packages will
be displayed in the output (and also from now on in your daily
Logwatch report).
Hope this helps :) (and thanks to Andy for providing the above script)
James
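A check for the setup described in the message above, as an added example that is not part of the original post: it confirms that the service script and its identically named `.conf` file are both present, that the conf has the `LogFile = NONE` line, and, because logwatch is run as root here (the test command uses sudo), that the script is not writable by group or others. The function name and the optional base-directory argument are assumptions.

```shell
#!/bin/sh
# Added example: verify a custom Logwatch service is wired up as described.
# Usage: check_logwatch_service NAME [LOGWATCH_DIR]   (default /etc/logwatch)
# Prints one line per problem; returns 0 only if none were found.
check_logwatch_service() {
    name=$1
    base=${2:-/etc/logwatch}
    script=$base/scripts/services/$name
    conf=$base/conf/services/$name.conf
    rc=0

    if [ ! -f "$script" ]; then
        echo "missing script: $script"
        rc=1
    elif [ -n "$(find "$script" \( -perm -020 -o -perm -002 \))" ]; then
        # Anyone who can edit this file gets code run as root by logwatch.
        echo "script is group- or world-writable: $script"
        rc=1
    fi

    if [ ! -f "$conf" ]; then
        echo "missing config (its name must match the script): $conf"
        rc=1
    elif ! grep -Eq '^[[:space:]]*LogFile[[:space:]]*=[[:space:]]*NONE[[:space:]]*$' "$conf"; then
        echo "no 'LogFile = NONE' line in $conf"
        rc=1
    fi

    return $rc
}
```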
Hi Neil,
(cc'd the list back in :)
Might be a good idea to grep the rest of the Apache config files, and
see if you can find anywhere else where it might be disabled. That
config should allow it to work anywhere on your site (assuming it
isn't disabled elsewhere :)
James
On 10 March 2010 20:42, Neil Perry <nperry(a)gmail.com> wrote:
> James,
> Thanks for your reply. I'm using debian, but found the php5.conf.
> Here is its current contents:
> <IfModule mod_php5.c>
> <FilesMatch "\.ph(p3?|tml)$">
> SetHandler application/x-httpd-php
> </FilesMatch>
> </IfModule>
> Nothing about the ifmodule user dir.
> Thanks
> Neil Perry
>
>
> On 10 March 2010 20:38, James Gregory <jgxenite(a)gmail.com> wrote:
>>
>> Hi Neil,
>>
>> If you're using Ubuntu, look in /etc/apache2/mods-available/php5.conf:
>> <IfModule mod_userdir.c>
>> <Directory /home/*/public_html>
>> php_admin_value engine Off
>> </Directory>
>> </IfModule>
>> You need to comment out the above lines - they disable PHP in user
>> directories.
>>
>> Hope that helps!
>>
>> James
>>
>> On 10 March 2010 20:28, Mathew Newton <bitfolklist(a)newtonnet.co.uk> wrote:
>> > Sorry Neil, disregard my advice as now that I read your e-mail
>> > *properly* I see you were making specific reference to the user dir!
>> >
>> > Apologies for the noise everyone...
>> >
>> > Mathew
>> >
>> > On Wed, March 10, 2010 8:25 pm, Mathew Newton wrote:
>> >> Hi Neil,
>> >>
>> >> On Wed, March 10, 2010 8:16 pm, Neil Perry wrote:
>> >>> When I go to a PHP file in my user dir it downloads the php file. The
>> >>> html
>> >>> index file seems to work fine.
>> >>
>> >> Have you got Apache's PHP module installed and enabled?
>> >>
>> >> As root, the following will sort it (or confirm if they are already):
>> >>
>> >> apt-get install libapache2-mod-php5
>> >> a2enmod php5
>> >>
>> >> (Then restart Apache with /etc/init.d/apache2 restart)
>> >>
>> >> Without this module, Apache just sees them as text files and outputs
>> >> the
>> >> content rather than interprets it.
>> >>
>> >> Mathew
Hi all,
I am a recent newcomer to Bitfolk, and indeed VPSs in general, and so far
so good - far surpassing expectations in fact.
I have been busy migrating several of my services from my home server to
the new VPS and have noticed a slight difference in representation in time
- the use of UTC versus GMT - in areas such as logs, application variables
(Apache date-related SSI's for example).
My question is, can I change the system clock from UTC to GMT and, if so,
how? I am aware that I could tweak most applications (e.g. Apache's config
timefmt command) however I would prefer to change this in only one place
if at all possible.
If this is doable, would I risk breaking anything? I've seen some mention
of time synchronisation issues between the VPS and host system in previous
discussions and so am conscious that this could be a dangerous area for
idle tweaking.
My preference for GMT/BST is largely aesthetic, and perhaps also simply
what I'm used to, with a slight hint of British tradition thrown in also!
Would be grateful for any advice.
Regards,
Mathew
Hi,
Yesterday morning I switched https://panel.bitfolk.com to use a pair
of replicated LDAP servers instead of just the one, so that it would
still work if the LDAP server was down.
Only today I noticed that password changes were being accepted but
not applied because Net::LDAP does not automatically follow
referrals. The consumer (slave) LDAP is read-only and refers updates
to the provider.
I have now reverted configuration so that only the provider server
is used, until I can write the code to manually follow referrals.
If you changed your password via the panel web site in the last
36-ish hours, you may want to check that it's actually taken effect.
Changes from the Xen Shell (ssh
username(a)username.console.bitfolk.com) will have been processed
properly.
Apologies for the confusion.
Cheers,
Andy
Hello,
BitFolk is proud to be one of the sponsors of OggCamp on May
1st and 2nd in Liverpool, UK:
http://oggcamp.org/
If you're planning to attend OggCamp then do let me know so I can
say hello. :)
Cheers,
Andy