Linux

Having switched to Nginx a while ago, I was recently forced to use Apache for a client installation. There have been some significant changes in 2.4 from 2.2, including the 'Require' option. I also wanted to create a virtualhost entry for Munin on this machine. It took a little while to figure this out, in particular on Apache 2.4. I'm also using the built-in cron task to generate graphs. Here's the complete Virtualhost configuration for Munin on Ubuntu 14.04 and Apache 2.4.

09 Jan 2014

SSH and SFTP Chroot Jail

For a little while now I've wanted to be able to chroot both SFTP and SSH accounts on one of my multi-user VPSs.

SFTP on its own is not so difficult. OpenSSH 4.9p1 and above includes the ChrootDirectory directive. And an SFTP chroot is a little more forgiving insofar as it doesn't actually require any supporting system or userspace services (a shell, ls, cp, etc.), which is why you often see ChrootDirectory accompanied by ForceCommand internal-sftp, which will prevent SSH access altogether.

What I'd like to do is create a restricted environment for both SSH and SFTP.

I spent a little while looking at a very interesting project from Olivier Sessink called Jailkit. Jailkit has most of what I was looking for, but it has quite a few moving parts, including the need to replace a user's shell with a special Jailkit shim that hands over to Jailkit. This is okay, but it means changes to passwd are required, as well as editing your /etc/ssh/sshd_config to use Subsystem sftp /usr/lib/openssh/sftp-server and not Subsystem sftp internal-sftp if you want to chroot and jail both SFTP and SSH logins.

It turns out that OpenSSH gets us most of the way there with the ChrootDirectory directive.

And so here are the steps required to create a minimal chroot jail on Ubuntu 12.04 LTS.

18 Jan 2013

WordPress Bash Upgrade Script

Bash is fun. I mean it's a little weird, but it's fun. I've been reading the Linux Command Line and Shell Scripting Bible which I highly recommend. I also wanted a script I could use to update the multiple WordPress installations I'm now hosting.

I found Liz Quilty's handy WordPress mass update script 3.4.1, but wanted to refactor the script to use functions, curl, and tar (as well as remove support for WordPress MU).

And so here it is, one of a handful of Bash script exercises I've completed to date. Enjoy, and thanks Liz for the head start.

First, a machine-specific configuration file (read the warning in the comments section of the script below). Place the config file next to the script file; that is, place wp-upgrade.conf in the same directory as wp-upgrade.sh.

11 Dec 2012

A UDP Flood Story

I recently suffered a UDP flood attack on my little virtual private server (VPS), and thought I'd describe the steps I went through to discover and fix the problem.

Symptoms

Periodically, my server would stall and become unresponsive. It was effectively dead, although not down. These 'stalling' events would last from 5-20 minutes, and then the server would come back up. Looking at my Munin charts told me that my public ethernet interface (eth0) was being flooded. Here's a particularly bad day:

[Munin chart: eth0 traffic]

And this was after I had rate limited eth0 to 2mbits/sec using tc (more on tc in a bit). CPU usage and interrupts for eth0 also spiked. So something was flooding eth0, and stalling the server.


I’ve been experimenting with the development environment of my Linux setup recently. I’m running two virtual machines via VMware Workstation from my Windows 7 PC. One is an Ubuntu 10.10 install using the Gnome desktop, and the other is openSUSE 11.4 using the KDE Plasma desktop.
