TL;DR Tips

Trust Your Technolust

Redis sockets in cPanel and CloudLinux CageFS

Install Redis normally

Add the user to the Redis group

usermod -a -G redis YourUserHere

Open up the CageFS mount points file

nano /etc/cagefs/cagefs.mp

Add the Redis folder to the mount points.

/var/run/redis

Enable the socket in the Redis config file

nano /etc/redis.conf

Add the following:

unixsocket /var/run/redis/redis.sock
unixsocketperm 770

Every time you restart Redis the socket will disappear from the CageFS, breaking all the code using the socket. We can add extra commands to the Redis systemd unit to automatically restore it.

This is completely optional if your Redis never crashes/needs restarting, but will save headaches otherwise. The + in the command makes the command run as root, which is needed to update the CageFS skeleton.

nano /etc/systemd/system/redis.service.d/restore.cagefs.socket.conf

Add:

[Service]
ExecStartPost=+cagefsctl --force-update
ExecStartPost=+cagefsctl -M

Reload systemd

systemctl daemon-reload

 

You can now safely restart Redis as you would normally and the users you’ve added to the Redis group will be able to use sockets at /var/run/redis/redis.sock
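
The check below is an added example, not part of the original guide: it reads a redis.conf and a cagefs.mp and confirms the three things this setup depends on (a socket is configured, its directory is a CageFS mount point, and the socket mode gives nothing to users outside the redis group). The function names are illustrative, and only the plain mount-point form used in this guide is recognised.

```bash
#!/bin/bash
# Added example: audit the Redis socket settings from this guide.
# Both file paths are arguments, so it can be tried on copies of the files.

# conf_value FILE DIRECTIVE -> last uncommented value of DIRECTIVE (the last one wins)
conf_value() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == name { val = $2 }
        END { gsub(/"/, "", val); print val }
    ' "$1"
}

# mount_listed FILE DIR -> 0 if DIR appears as a plain entry in the mount points file
mount_listed() {
    awk -v dir="$2" '
        /^[ \t]*#/ { next }
        { p = $1; sub(/\/+$/, "", p) }
        p == dir { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# audit_redis_socket REDIS_CONF CAGEFS_MP -> prints findings, returns 0 only if all pass
audit_redis_socket() {
    local conf mp sock perm dir rc
    conf=$1; mp=$2; rc=0
    sock=$(conf_value "$conf" unixsocket)
    perm=$(conf_value "$conf" unixsocketperm)

    if [ -z "$sock" ]; then
        echo "FAIL unixsocket is not set in $conf"; rc=1
    else
        dir=${sock%/*}
        if mount_listed "$mp" "$dir"; then
            echo "OK   $dir is listed in $mp"
        else
            echo "FAIL $dir is missing from $mp, caged users will not see $sock"; rc=1
        fi
    fi

    # Access control here rests on group membership, so the "other" digit must be 0
    case $perm in
        "")        echo "FAIL unixsocketperm is not set"; rc=1 ;;
        *[!0-7]*)  echo "FAIL unixsocketperm '$perm' is not an octal mode"; rc=1 ;;
        *0)        echo "OK   unixsocketperm $perm gives nothing to users outside the group" ;;
        *)         echo "FAIL unixsocketperm $perm grants permissions outside the redis group"; rc=1 ;;
    esac
    return $rc
}

# Usage: audit.sh /etc/redis.conf /etc/cagefs/cagefs.mp
if [ "$#" -eq 2 ]; then
    audit_redis_socket "$1" "$2"
fi
```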

 

This method was used to make sockets work with the wonderful XenForo Redis Addon from Xon. If you used this guide, you can then enable it by opening src/config.php and adding:

// setup Redis caching
$config['cache']['enabled'] = true;
$config['cache']['provider'] = 'SV\RedisCache\Redis';
$config['cache']['namespace'] = 'SomePrefix';
$config['cache']['config'] = [
    'host' => '/var/run/redis/redis.sock',
    'use_lua' => true,
    'serializer' => 'igbinary', // most CloudLinux installs should have this enabled, if your site presents a white screen after adding this, set to 'php'
    'database' => 1,
];

Installation and Configuration of Golang 1.21.4 on Debian 12 x64

As the world of software development constantly advances, it’s vital for developers and system administrators to keep their tools up-to-date. This article provides a detailed walkthrough of two scripts designed specifically for Debian 12 x64 systems. The first script covers the download and extraction of Go (Golang) version 1.21.4, and the second script sets up the Go environment for a user named ‘debian’.

Script 1: Downloading and Extracting Golang 1.21.4 on Debian 12 x64

This script is tailored for Debian 12 x64 users. It automatically downloads and extracts Go 1.21.4 to the directory /usr/lib/go-1.21. Execution with root privileges is assumed, achievable either as the root user or using sudo.

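#!/bin/bash

# Stop at the first failed step so a broken download is never reported as a success
set -euo pipefail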

# Ensuring wget is installed
apt-get update
apt-get install -y wget

# Downloading Golang 1.21.4
wget https://go.dev/dl/go1.21.4.linux-amd64.tar.gz -P /tmp

# Extracting the tarball to /usr/lib/go-1.21
tar -C /usr/lib -xzf /tmp/go1.21.4.linux-amd64.tar.gz
mv /usr/lib/go /usr/lib/go-1.21

# Cleaning up the downloaded tarball
rm /tmp/go1.21.4.linux-amd64.tar.gz

echo "Golang 1.21.4 has been successfully downloaded and extracted on Debian 12 x64."

This script ensures a clean and conflict-free installation in a dedicated directory, ideal for version management and system stability.
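
Script 1 extracts whatever wget delivered, as root, without checking it. The following is an added example, not part of the original scripts: it verifies an already-downloaded archive against the SHA256 value listed beside the file on https://go.dev/dl/ and stages the extraction in a private directory before moving it into place. The function names are illustrative and the checksum has to be supplied by the operator.

```bash
#!/bin/bash
# Added example: verify and stage a Go tarball before installing it as root.
# The archive is assumed to be downloaded already; the expected SHA256 is the
# value published next to the file on https://go.dev/dl/ (not reproduced here).

# verify_sha256 FILE EXPECTED -> 0 when FILE's SHA256 equals EXPECTED
verify_sha256() {
    local file expected actual
    file=$1
    # Accept the published checksum in either letter case
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 1
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# install_go_tarball ARCHIVE EXPECTED_SHA256 DEST
# Return codes: 0 installed, 1 checksum mismatch, 2 DEST exists, 3 bad archive
install_go_tarball() {
    local archive expected dest stage
    archive=$1; expected=$2; dest=$3

    if ! verify_sha256 "$archive" "$expected"; then
        echo "checksum mismatch for $archive, nothing extracted" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        echo "$dest already exists, not overwriting it" >&2
        return 2
    fi

    # Stage in a private directory beside DEST instead of a shared /tmp path,
    # so the final step is a rename of a tree that has already been checked
    stage=$(mktemp -d "$(dirname "$dest")/.go-stage.XXXXXX") || return 3
    if tar --no-same-owner -C "$stage" -xzf "$archive" \
        && [ -x "$stage/go/bin/go" ]; then
        mv "$stage/go" "$dest"
        rm -rf "$stage"
        return 0
    fi
    rm -rf "$stage"
    echo "$archive does not look like a Go release (no go/bin/go)" >&2
    return 3
}

# Usage: install-go.sh /path/to/go1.21.4.linux-amd64.tar.gz SHA256 /usr/lib/go-1.21
if [ "$#" -eq 3 ]; then
    install_go_tarball "$1" "$2" "$3"
fi
```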

Script 2: Configuring the Go Environment for the ‘debian’ User on Debian 12 x64

The second script is designed to configure the Go environment for a specific user, in this case, ‘debian’. It sets the necessary environment variables and updates the user’s PATH to include the Go binary.

#!/bin/bash

# Target user for Go configuration
TARGET_USER=debian

# Adding Go binary to PATH in .bashrc
echo "export PATH=/usr/lib/go-1.21/bin:\$PATH" | sudo tee -a /home/$TARGET_USER/.bashrc

# Setting Go environment variables
echo "export GOROOT=/usr/lib/go-1.21" | sudo tee -a /home/$TARGET_USER/.bashrc
echo "export GOPATH=/home/$TARGET_USER/go" | sudo tee -a /home/$TARGET_USER/.bashrc
echo "export GOBIN=\$GOPATH/bin" | sudo tee -a /home/$TARGET_USER/.bashrc

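# The settings apply to the user's next login shell. Sourcing the user's
# .bashrc here would only change this script's own environment, and would
# run the user's file with this script's privileges, so it is not done.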

echo "Golang environment has been successfully set for user 'debian' on Debian 12 x64."

This script makes Go readily accessible for the ‘debian’ user, enabling them to start using Go immediately after the setup. It’s an essential step for maintaining a clean and efficient development environment.


Together, these scripts demonstrate a practical approach to setting up and managing Go environments on Debian 12 x64 systems. They are designed to provide a straightforward and error-free installation and configuration process, enhancing productivity and ensuring consistency across different setups.

Effortlessly Delete Restricted Folders in Windows: A PowerShell Guide for Administrators

TLDR Summary:

This guide provides a step-by-step PowerShell solution for Windows 11 administrators to forcefully delete folders that are otherwise inaccessible due to permission restrictions. It involves taking ownership of the folder, granting full control to the administrator, and then deleting it.

This method is particularly useful when encountering errors like “You require permission from S-1-5-21-xxxx to make changes to this folder.”


Navigating file permissions in Windows 11 can sometimes be a challenging task, especially when trying to delete a folder that denies access. This guide walks administrators through a PowerShell method to bypass these restrictions and delete such folders. It’s particularly helpful when encountering the error “You require permission from S-1-5-21-xxxx to make changes to this folder.”

Opening PowerShell as Administrator:
Start by launching PowerShell with administrative rights. This is crucial for the commands to work, as they require elevated privileges. You can do this by searching for PowerShell in the Start Menu, right-clicking on it, and selecting “Run as administrator”.

Taking Ownership of the Folder:
The first command involves taking ownership of the folder. This is necessary because, without ownership, you cannot change the folder’s permissions. The command takeown is used for this purpose, and it should be executed as follows, replacing Path\To\Folder with the actual path of your folder:

takeown /f "Path\To\Folder" /r /d y

Granting Full Control to the Administrator:
After taking ownership, the next step is to modify the folder’s permissions to grant yourself full control. This step is done using the icacls command. Replace Path\To\Folder with your folder’s path:

icacls "Path\To\Folder" /grant Administrators:F /t

Here, /grant specifies the operation, Administrators:F gives full control to the Administrators group, and /t applies these changes to all items in the folder recursively.

Deleting the Folder Verbosely:
With ownership and permissions set, you can now delete the folder. For this, use the Remove-Item cmdlet in PowerShell with the -Verbose flag for detailed output. The command should be like this:

Remove-Item -Path "Path\To\Folder" -Recurse -Force -Verbose

Script for Automation

For convenience, here’s a script that automates the above steps. Just set the $folderPath variable to the desired folder path:

$folderPath = "Path\To\Folder"  # Replace with your folder path

# Taking ownership
takeown /f $folderPath /r /d y

# Granting full control
icacls $folderPath /grant Administrators:F /t

# Deleting the folder verbosely
Remove-Item -Path $folderPath -Recurse -Force -Verbose

Conclusion
This PowerShell method offers a reliable solution for administrators to handle permission-restricted folders in Windows 11. It’s a valuable tool for system management and troubleshooting, ensuring smooth operation and maintenance.

Creating Custom Swap Space and Adding to FStab on Debian 12

Automating Swap File Creation on Server Images with Insufficient Swap

There are myriad server images available from cloud providers that, while optimized for various tasks, sometimes lack the swap space configurations adequate for personal use-cases. Swap space is essentially a ‘backup’ for RAM. If your system runs out of RAM, it will start using the swap space. This prevents system crashes, but accessing data in swap is slower than RAM.

While adjusting swap space sounds technical, you can automate this process with a simple script. Let’s dive into how this script can be an indispensable tool for setting up your server.

Understanding the Need for Swap

Before diving into the script, it’s important to understand why having a proper swap space matters:

  1. Performance Safety Net: If your applications consume all the available RAM, they can use the swap as an overflow.
  2. Help with Memory Spikes: Temporary spikes in memory usage won’t bring the system to a standstill.
  3. Versatility: Especially crucial for those who juggle multiple applications or workloads on their server.

Prerequisites

  1. Root Access: The script needs elevated privileges to make system-level changes.
  2. Backup: Ensure you’ve backed up any crucial data from your server. While the script is safe to use, it’s always best practice to prepare for unforeseen issues.
  3. Basic Bash Knowledge: Familiarity with Bash is helpful if you want to tweak the script or understand its internals.

The Script: Automating the Process

The heart of the solution is a Bash script. It not only creates the swap file but also sets it up so that the swap file is utilized after a system reboot.

The script performs the following steps:

  1. Allocates a 16GB Swap File: While 16GB is a general recommendation, you can adjust it based on your needs.
  2. Sets Up Proper Permissions: Ensures that the swap file is secure.
  3. Formats and Activates the Swap: Makes it ready for system use.
  4. Ensures Persistence: Adds the swap file to the fstab file, so it’s used after reboots.
  5. Verification: A crucial step to ensure that the swap has been activated and that there are no obvious issues with the fstab entries.

Using the Script

#!/bin/bash

# Ensure script is run as root
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi

# 1. Create a 16GB swap file
fallocate -l 16G /swapfile

# 2. Set the appropriate permissions
chmod 600 /swapfile

# 3. Format the file as swap
mkswap /swapfile

# 4. Activate the swap
swapon /swapfile

# 5. Add to /etc/fstab for persistence after reboot
grep -q "/swapfile" /etc/fstab || echo "/swapfile none swap sw 0 0" >> /etc/fstab

# 6. Verify the swap is active
free -h | grep Swap

# 7. Verify that the fstab file is without syntax errors
echo "Checking /etc/fstab for errors..."
if ! mount -a -O no_netdev,nofail 2>&1 | grep -q "mount:"; then
    echo "/etc/fstab seems to be fine."
else
    echo "There might be an error in /etc/fstab! Please check manually."
fi

Conclusion

Servers are powerful tools, but every tool can benefit from a bit of customization. By leveraging this script, you can ensure that your server is better equipped to handle memory-intensive tasks or unexpected spikes in memory usage. Whether you’re running a personal project or setting up a new server for development, having ample swap space can make a significant difference in performance and stability.

Can a Raspberry Pi run a TeamSpeak server? How about any ARM CPU?

TL;DR, Yes!

Today’s ingredients:

A Raspberry Pi 4, the older 3B+ should also support 64 bit, this process would work equally well on any ARM64 device that can run a Debian based OS however.
Raspberry Pi OS (64-bit), this will not work directly on the 32 Bit OS, but you can try using box86 as an alternative.
Box64
Needed OS packages : wget/curl tar box64

The Recipe:

We’ll use the box64 emulator for our Raspberry Pi, this is the fastest way to emulate AMD64 binaries on ARM64.

Add the debian repository for box64

wget https://ryanfortner.github.io/box64-debs/box64.list -O /etc/apt/sources.list.d/box64.list

Add the repository key so we can securely download the package

wget -O- https://ryanfortner.github.io/box64-debs/KEY.gpg | gpg --dearmor | tee /usr/share/keyrings/box64-debs-archive-keyring.gpg > /dev/null

Update our package lists to get the package list for box64

apt update

Install our box(64) of magic

apt install box64

This concludes installing box64, on to installing the actual TeamSpeak server.

Download yourself a copy of the TeamSpeak 3 Server from https://teamspeak.com/en/downloads/#server, be sure to get the 64 bit server, box64 can only run AMD64 executables.

wget https://files.teamspeak-services.com/releases/server/3.13.7/teamspeak3-server_linux_amd64-3.13.7.tar.bz2

Decompress it

tar xf teamspeak3-server_linux_amd64-3.13.7.tar.bz2

Change directory to our new server folder

cd teamspeak3-server_linux_amd64

Now we can actually use box64 to run the TeamSpeak server start script, which will then launch the actual server, this is where the magic happens.

box64 ts3server_startscript.sh start

At this point you should be presented with the login details for your server, fire up your TeamSpeak client and connect to your new server, enter your privilege key and enjoy your shiny new TeamSpeak 3 Server running near natively on Raspberry Pi/ARM64. If you’re happy with your setup, and it’s stable, make sure your server starts on boot/restart, using a crontab or the systemd unit from this reddit wiki page

How’s the speed?

Using box64 is remarkably fast, considering the amount of work that is probably going on behind the scenes when you run an application, thankfully a lot of the overhead seems to be mitigated by the use of “wrapping” libraries with the ARM64 equivalents instead of re-compiling every shared object an application uses.

Reliability?

Using box64 seems to be mostly reliable for the server side of TeamSpeak, the only crashes we’ve experienced so far involved running the TeamSpeak client rather than the server, you did know you can use box64 to run the TeamSpeak client, right?

Also bear in mind that TeamSpeak WILL NOT officially support the use of an emulator to run the client OR the server, so consider using box64 to run a TeamSpeak server or client as an eternal beta.

Enabling the iGPU on an OVH Server running Ubuntu

At least on Ubuntu 22.04 OVH install images you’ll find that the integrated GPU on your CPU is either not detected or your application will report you don’t have the hardware enabled even when you have a CPU with an integrated GPU such as the E-2288G, and it’s enabled in the BIOS.

I have personally tested these motherboards and know the workaround is needed on them, so assume this problem is common to at least all ASRock boards:

ASRock Rack
E3C246D4U2-2L2T
E3C246D4U2-2T

You should not need this fix on the S1200SP motherboards you usually get with the 1245vX servers, these seem to handle the iGPU properly and/or the OVH image did not have the issue in the first place.

Don’t know your current motherboard version? You can query your current motherboard model with the “lshw” command on any Linux system.

Edit the grub default config file (/etc/default/grub) and remove the “nomodeset” option

GRUB_CMDLINE_LINUX="nomodeset iommu=pt"

Will become

GRUB_CMDLINE_LINUX="iommu=pt"

Rebuild the GRUB config file.

sudo grub-mkconfig -o /boot/grub/grub.cfg

Reboot the machine and you should now be able to use the iGPU, you can verify it’s loaded by looking for results when you ls the /dev/dri device.

ls /dev/dri/
by-path card0 card1 renderD128

Extra Credit: if you’re using the iGPU for video transcoding be sure to enable the full feature set on your CPU by installing the “intel-media-va-driver-non-free” package on your Ubuntu/Debian system.

OVH Dedicated server fails to upgrade to VMWare ESXi 7.0

Many people choose OVH for their low prices and relatively good network DDoS protection, and a lot of people probably choose to use ESXi when they get their server. However, it seems that OVH added their own customisation when they made the ESXi image: when attempting to upgrade to 7.0 on a RISE NVMe server you may be presented with an error message resembling

VIB INT_bootbank_intel-nvme-vmd_1.*-1OEM.* requires 
vmkapi_2_2_0_0, but the requirement cannot be satisfied within the 
ImageProfile

The fix to this error is simple, but a bit hard to work out where to actually get the updated files:

SSH in to your ESXi host and change to a Datastore directory

# cd /vmfs/volumes/Datastore1/

Download the new Intel NVMe vib. If your wget version freezes or the download fails you must use the vSphere web client to upload the vib. I’ll use the vib located on the Lenovo website, as I know this version works. By the time you’re reading this there may well be a new version of the driver so feel free to try something newer if you can find it.

# wget https://vmware.lenovo.com/content/2018_12/esxi_670_custom_vibs/esxi-670-vibs/INT_bootbank_intel-nvme-vmd_1.4.0.1016-1OEM.670.0.0.8169922.vib

Actually install the update, be sure to make backups!

# esxcli software vib update -v  "/vmfs/volumes/Datastore1/INT_bootbank_intel-nvme-vmd_1.4.0.1016-1OEM.670.0.0.8169922.vib"

Reboot the machine

# reboot

You should now be able to cleanly upgrade to ESXi 7.0 using the standard esxcli method.

How to get TeamSpeak 3 Dark Mode

Prerequisites

An installed TeamSpeak client, if you don’t have TeamSpeak download it from https://teamspeak.com/en/downloads/

While TeamSpeak 5 does indeed have a dark theme built in by default, those of us still using TeamSpeak 3 do not have that luxury.

There are actually two different ways to install TeamSpeak themes (which are really just plugins, they are both installed the exact same way), we’ll show you both ways. First we need to download a dark mode theme, there are a number of the dark themes but the one I personally use and recommend is DarkenTS – Dissension.

Other honourable mentions include:

NekoSpeak (https://www.myteamspeak.com/addons/30f4df31-7e2e-4d09-9d28-40b1bcfa4db4)

NekoSpeak is nearly a black TeamSpeak theme, minus the small amount of gold included

Darcula (https://www.myteamspeak.com/addons/30f4df31-7e2e-4d09-9d28-40b1bcfa4db4)

Darcula is a theme based on the Dark theme for JetBrains products, so programmers amongst you should be very comfortable with this TeamSpeak theme.

These alternatives can both be installed with the exact same instructions.

Option one (nearly) automatic

Press tools => options in your TeamSpeak menu bar and navigate to the Addons panel, when you’re there press “Browse online”.

TeamSpeak Options Addons List

From this screen you can either search for “dark” or, since at the time of writing it’s near the very top of the default addons you are initially presented with, find it by scrolling down a tiny amount.

Click the theme you’re looking to try out

Once the page has loaded click the “install” button

TeamSpeak Options, Addon Window

The theme should now be installed and automatically set, if not please see below for the manual way of installing themes.

Option 2 (manual install)

https://www.myteamspeak.com/addons/4a834709-3315-4c53-a80d-b09efd03fce2

Press the “Download” button, and allow your browser to download the file

TeamSpeak Addons Download Window Firefox

Open the file and you will be presented with a window that looks something like this:

TeamSpeak Addon Installer Window

Press Install and restart your TeamSpeak client to complete the install.

After TeamSpeak has opened you press tools => options on the menu bar and navigate to Design, you can then set your preferred theme there, press apply and your client will update with the new theme.

The TeamSpeak 3 Design options Page

I hope that this explains how easy it is to install TeamSpeak themes, these same methods can also be used to install TeamSpeak plugins. Need someone to talk to while using your shiny new Dark Mode TeamSpeak? Try finding a server on a TeamSpeak Server List.

Basic cPanel Settings You Should Change

The cPanel Control Panel is a graphical interface used to manage your website’s hosting account. It provides all the tools you need to create and manage your website, including a file manager, password manager, and domain manager.

The cPanel Control Panel is easy to use and provides all the features you need to manage your website. You can use the file manager to upload and manage your website’s files, the password manager to create and manage your website’s passwords, and the domain manager to manage your website’s domains.

The cPanel Control Panel also includes a variety of other features, such as a built-in website builder, a one-click installer for popular applications, and a variety of templates you can use to create your website.

When first installing cPanel many users are going to be simply overwhelmed with the amount of options that WHM presents the server administrator, but here are some options and packages that (in our opinion) you should change or install as soon as you install it.

CSF

The CSF firewall is a one stop shop for preventing the worst brute force attacks your server will see, it will protect multiple services on a cPanel server.

Tweak Settings

Tweak settings can be found near the top of the left hand menu on WHM.

Turn OFF “BoxTrapper Spam Trap”. This option sounds good in theory, but will usually end up with you being listed on various mail block lists.

Setting “Max hourly emails per domain” to something like 5000 will at least limit the amount of spam that a single user can send

Apache Configuration > Global Configuration

Disable “Trace”, it’s a little used feature that can give an adversary more information about your server

Set “Server Signature” to Off to hide some version information on error pages

Set “Server Tokens” to “Product Only” to easily hide as much information about your server setup as possible.

Exim Configuration Manager > Advanced Editor

Make sure the following is set on log_selector, this gives you more data to track spammers using your server

log_selector = +arguments +subject +received_recipients

EasyApache

As a starting point we would recommend the “CloudLinux + All PHP options + OpCache + mod_lsapi” profile if you’re using CloudLinux or “All PHP options + OpCache” if you’re using a CentOS install, these are both great baselines that should support most things your customers need.

cPanel Addons

There are a vast amount of addons you can get for your cPanel server, however there are some key ones you might want to consider depending on your use case

CloudLinux

CloudLinux is an alternative Linux distribution that is fully focussed on the security of shared systems. In our opinion this is an essential addon for any cPanel server, mainly due to the PHP selector, which allows each user to use their own PHP version. Also of great use to us is the ability to separate users in to their own LVE (Lightweight Virtual Environment), which effectively stops users from spying on one another’s files.

LiteSpeed Enterprise

LiteSpeed is a fantastic server for serving high load websites, while that feature sounds great in theory it’s mostly reserved for higher load websites, so if you’re just starting out it may not make much sense to spend the extra money on this.

Imunify360

Imunify is essentially a HIPS and Anti Virus system for your cPanel (and other control panels) server. It is great for detecting malware that users have uploaded to your server in real-time, which is great for a shared hosting environment where users and webmasters cannot be trusted fully. This may have more limited use on internal and/or highly controlled systems but it may be worth the peace of mind for some people.

Simple steps you can take to help secure your Linux server

There’s a lot of blog posts around the internet with a lot of steps you can take to “hack proof” your server, while these tips are not going to make your server “hack proof” they will enhance your security profile, especially against automated scanners and exploiters, which rely on some of these simple things to exist on your server.

Your Distribution

Your choice of distribution will affect your baseline security profile, but all systems should be able to apply all the tweaks we’re giving you here. We will be doing these tweaks on a vanilla Ubuntu 20.04 install; this will work for other distributions but config files may be in other locations. You can use the excellent “locate” and/or “find” utilities to find these config files if they’re not in the places we’ve listed.

Firewalls

Consider the excellent iptables script/addon, csf, which you can find here https://www.configserver.com/cp/csf.html

This script will automatically blacklist any IP’s that are detected to be brute-forcing various services on your system, this feature is not enabled by default when you install csf, please ensure the config is working and no errors are printed when you run “csf -r”, after you’re sure everything is working you can then enable csf permanently by changing TESTING = 1 to 0 in /etc/csf/csf.conf

SSH

Configuration location : /etc/ssh/sshd_config

Change your SSH port

Changing your SSH port is one of the easiest ways to deter automated bots from attempting to breach your server, we can change the SSH port by setting one single line in the config

Port 12345

If you do change this port be sure to open the port in your firewall as well when you change this or you will lock yourself out from your server.

X11Forwarding no

X11 forwarding has been used in exploits in the past, if you’re not sure if you’re using this, you probably aren’t.

Nginx

Configuration location : /etc/nginx/nginx.conf

We can remove the exact version number being appended to all the responses by adding the following. This will remove the version number and potentially the operating system being sent in the “server” header of any request. It is possible to completely remove the header if you are willing to compile nginx from source, but that is beyond the scope of “simple steps”.

server_tokens off;

Add this line inside the http {} block of the nginx config. Note the semicolon at the end of the line, it is needed in nginx configs.

PHP

Configuration location : /etc/php/8.0/apache2/php.ini
This varies based on your PHP version and SAPI (Server API) you are using for PHP, for example nginx will use /fpm/ instead of /apache2/ and the command line PHP interpreter will use /cli/

We can disable the PHP version being appended to every server response by adding the following to php.ini, this will completely remove the x-powered-by header from all responses PHP serves.

expose_php = Off

We can disable some potentially dangerous functions from being used by malicious scripts by adding them to the disable_functions option. Some applications may require functions like “exec” and “curl_*”, so please be sure to check your application source before you disable these. You could use the useful “grep” program to check your source quickly, for example “grep -iR curl_exec /var/www/html/”

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Disabling the URL fopen option will stop functions like fopen from interpreting a URL as a file and downloading this file to execute it. This is a common avenue for hackers to download files on to your server; however, a proper code audit should be done on your application’s source code to ensure this isn’t exploitable in the first place.

allow_url_fopen = Off

Depending on whether your PHP application needs to accept file uploads you can blanket disable this feature to help cripple any web shells or other programming errors being used to upload malicious content to your server.

file_uploads = Off
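
The four php.ini settings above are easy to lose when PHP is upgraded or a second SAPI gets its own ini file. The following is an added example, not part of the original post: it reads a php.ini, reports whether expose_php and allow_url_fopen are off, and lists which of the functions named above are absent from disable_functions. The function names are illustrative; file_uploads is reported for information only, because the post makes it depend on the application.

```bash
#!/bin/bash
# Added example: compare a php.ini with the settings recommended in this post.

# Functions the post lists for disable_functions
WANTED="exec passthru shell_exec system proc_open popen curl_exec curl_multi_exec parse_ini_file show_source"

# ini_get FILE KEY -> last uncommented value of KEY (a later line overrides an earlier one)
ini_get() {
    awk -v key="$2" '
        /^[ \t]*;/ || !/=/ { next }
        {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1)
            sub(/[ \t]*;.*$/, "", v)              # drop a trailing comment
            gsub(/^[ \t"]+|[ \t"\r]+$/, "", v)    # trim blanks and quotes
            val = v
        }
        END { print val }
    ' "$1"
}

# is_off VALUE -> 0 for the spellings PHP reads as false; an unset value is not "off"
is_off() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        off|0|false|no|none) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_disabled FILE -> space-separated WANTED functions not in disable_functions
missing_disabled() {
    local have f out
    have=",$(ini_get "$1" disable_functions | tr -d ' \t'),"
    out=""
    for f in $WANTED; do
        case $have in
            *",$f,"*) ;;
            *) out="$out $f" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# audit_php_ini FILE -> prints findings, returns 0 only when nothing is flagged
audit_php_ini() {
    local file key val missing rc
    file=$1; rc=0
    for key in expose_php allow_url_fopen; do
        val=$(ini_get "$file" "$key")
        if is_off "$val"; then
            echo "OK   $key = $val"
        else
            echo "WARN $key = ${val:-unset (PHP default is On)}"; rc=1
        fi
    done
    # file_uploads is advice only for applications that take no uploads
    val=$(ini_get "$file" file_uploads)
    is_off "$val" || echo "INFO file_uploads = ${val:-unset (PHP default is On)}"
    missing=$(missing_disabled "$file")
    if [ -n "$missing" ]; then
        echo "WARN disable_functions lacks: $missing"; rc=1
    fi
    return $rc
}

# Usage: audit-php.sh /etc/php/8.0/apache2/php.ini
if [ "$#" -eq 1 ]; then
    audit_php_ini "$1"
fi
```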

© 2024 TL;DR Tips
