Trust Your Technolust

Author: Admin (Page 1 of 2)

Redis sockets in cPanel and CloudLinux CageFS

Install Redis normally

Add the user to the Redis group

usermod -a -G redis YourUserHere

Open up the CageFS mount points file

nano /etc/cagefs/cagefs.mp

Add the Redis folder to the mount points.

/var/run/redis

Enable the socket in the Redis config file

nano /etc/redis.conf

Add the following:

unixsocket /var/run/redis/redis.sock
unixsocketperm 770

Every time Redis restarts, the socket disappears from CageFS and breaks any code that uses it. To avoid this we can add extra commands to the Redis systemd unit that restore it automatically.

This is completely optional if your Redis never crashes or needs restarting, but it will save headaches otherwise. The + prefix makes systemd run the command as root, which is needed to update the CageFS skeleton.

nano /etc/systemd/system/redis.service.d/restore.cagefs.socket.conf

Add:

[Service]
ExecStartPost=+cagefsctl --force-update
ExecStartPost=+cagefsctl -M

Reload systemd

systemctl daemon-reload


You can now safely restart Redis as you normally would, and the users you’ve added to the Redis group will be able to use the socket at /var/run/redis/redis.sock.


This method was used to make sockets work with the wonderful XenForo Redis Addon from Xon. If you followed this guide, you can then enable it by opening src/config.php and adding:

// setup Redis caching
$config['cache']['enabled'] = true;
$config['cache']['provider'] = 'SV\RedisCache\Redis';
$config['cache']['namespace'] = 'SomePrefix';
$config['cache']['config'] = [
    'host' => '/var/run/redis/redis.sock',
    'use_lua' => true,
    'serializer' => 'igbinary', // most CloudLinux installs should have this enabled, if your site presents a white screen after adding this, set to 'php'
    'database' => 1,
];
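As an added check (not from the original post), this script verifies the three things the steps above rely on: that the socket directory is listed in cagefs.mp, that unixsocketperm grants the redis group access, and that it does not grant access to every local user. The file contents below are constructed samples; on a real host read /etc/redis.conf and /etc/cagefs/cagefs.mp instead. The handling of "@/path,mode" entries in cagefs.mp is best-effort and an assumption.

```python
from pathlib import PurePosixPath

# Constructed excerpts mirroring the settings in the guide (not copied from a live host).
REDIS_CONF = """\
# redis.conf excerpt (constructed)
port 6379
unixsocket /var/run/redis/redis.sock
unixsocketperm 770
"""

CAGEFS_MP = """\
# cagefs.mp excerpt (constructed)
/var/lib/php/session
/var/run/redis
@/var/run/screen,777
"""


def parse_redis_socket(conf_text):
    """Return (socket_path, perm) from redis.conf text; perm is an int (octal) or None."""
    path, perm = None, None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        key, _, value = line.partition(" ")
        if key == "unixsocket":
            path = value.strip()
        elif key == "unixsocketperm":
            perm = int(value.strip(), 8)  # Redis reads this value as octal
    return path, perm


def parse_cagefs_mounts(mp_text):
    """Return the directories listed in cagefs.mp. Per-user entries such as
    '@/var/run/screen,777' are reduced to their path (best-effort, assumption)."""
    mounts = []
    for line in mp_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mounts.append(line.lstrip("@!").split(",", 1)[0])
    return mounts


def check_socket_config(conf_text, mp_text):
    """Return a list of findings; an empty list means the setup matches the guide."""
    path, perm = parse_redis_socket(conf_text)
    if path is None:
        return ["unixsocket is not set; Redis will only listen on TCP"]
    findings = []
    socket_dir = str(PurePosixPath(path).parent)
    mounts = parse_cagefs_mounts(mp_text)
    if not any(socket_dir == m or socket_dir.startswith(m + "/") for m in mounts):
        findings.append(f"{socket_dir} is not in cagefs.mp, so caged users cannot see the socket")
    if perm is None:
        findings.append("unixsocketperm is not set; the socket mode is left to the redis process umask")
    elif perm & 0o007:
        findings.append(f"unixsocketperm {perm:o} lets every local user connect, not just the redis group")
    elif not perm & 0o060:
        findings.append(f"unixsocketperm {perm:o} gives the redis group no access; group membership will not help")
    return findings


if __name__ == "__main__":
    for finding in check_socket_config(REDIS_CONF, CAGEFS_MP) or ["socket configuration looks consistent"]:
        print(finding)
```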

Can a Raspberry Pi run a TeamSpeak server? How about any ARM CPU?

TL;DR, Yes!

Today’s ingredients:

A Raspberry Pi 4 (the older 3B+ should also support 64-bit); this process works equally well on any ARM64 device that can run a Debian-based OS.
Raspberry Pi OS (64-bit); this will not work directly on the 32-bit OS, but you can try box86 as an alternative.
Box64
Needed OS packages: wget or curl, tar, box64

The Recipe:

We’ll use the box64 emulator on our Raspberry Pi; in our experience it is the fastest way to run AMD64 binaries on ARM64.

Add the debian repository for box64

wget https://ryanfortner.github.io/box64-debs/box64.list -O /etc/apt/sources.list.d/box64.list

Add the repository key so we can securely download the package

wget -O- https://ryanfortner.github.io/box64-debs/KEY.gpg | gpg --dearmor | tee /usr/share/keyrings/box64-debs-archive-keyring.gpg

Update our package lists to get the package list for box64

apt update

Install our box(64) of magic

apt install box64

This concludes installing box64, on to installing the actual TeamSpeak server.

Download yourself a copy of the TeamSpeak 3 Server from https://teamspeak.com/en/downloads/#server. Be sure to get the 64-bit server, as box64 can only run AMD64 executables.

wget https://files.teamspeak-services.com/releases/server/3.13.7/teamspeak3-server_linux_amd64-3.13.7.tar.bz2

Decompress it

tar xf teamspeak3-server_linux_amd64-3.13.7.tar.bz2

Change directory to our new server folder

cd teamspeak3-server_linux_amd64

Now we can actually use box64 to run the TeamSpeak server start script, which in turn launches the actual server. This is where the magic happens.

box64 ts3server_startscript.sh start

At this point you should be presented with the login details for your server. Fire up your TeamSpeak client, connect to your new server, enter your privilege key and enjoy your shiny new TeamSpeak 3 Server running near natively on Raspberry Pi/ARM64. If you’re happy with your setup and it’s stable, make sure the server starts on boot/restart, using a crontab entry or the systemd unit from this reddit wiki page.

How’s the speed?

Using box64 is remarkably fast, considering the amount of work that is probably going on behind the scenes when you run an application. Thankfully much of the overhead seems to be mitigated by “wrapping” libraries with their ARM64 equivalents instead of re-compiling every shared object an application uses.

Reliability?

Using box64 seems to be mostly reliable for the server side of TeamSpeak; the only crashes we’ve experienced so far involved running the TeamSpeak client rather than the server. You did know you can use box64 to run the TeamSpeak client too, right?

Also bear in mind that TeamSpeak WILL NOT officially support the use of an emulator to run the client OR the server, so consider using box64 to run a TeamSpeak server or client as an eternal beta.

Enabling the iGPU on an OVH Server running Ubuntu

At least on Ubuntu 22.04 OVH install images you’ll find that the integrated GPU on your CPU is either not detected, or your application reports that the hardware isn’t enabled, even when you have a CPU with an integrated GPU such as the E-2288G and it’s enabled in the BIOS.

I have personally tested these motherboards and know the workaround is needed on them, so assume this problem is common to at least all ASRock boards:

ASRock Rack
E3C246D4U2-2L2T
E3C246D4U2-2T

You should not need this fix on the S1200SP motherboards you usually get with the 1245vX servers; these seem to handle the iGPU properly, and/or the OVH image did not have the issue in the first place.

Don’t know your current motherboard version? You can query your motherboard model with the “lshw” command on any Linux system.

Edit the grub default config file (/etc/default/grub) and remove the “nomodeset” option

GRUB_CMDLINE_LINUX="nomodeset iommu=pt"

Will become

GRUB_CMDLINE_LINUX="iommu=pt"

Rebuild the GRUB config file.

sudo grub-mkconfig -o /boot/grub/grub.cfg

Reboot the machine and you should now be able to use the iGPU. You can verify it’s loaded by checking that the /dev/dri directory contains device nodes:

ls /dev/dri/
by-path card0 card1 renderD128

Extra Credit: if you’re using the iGPU for video transcoding be sure to enable the full feature set on your CPU by installing the “intel-media-va-driver-non-free” package on your Ubuntu/Debian system.

OVH Dedicated server fails to upgrade to VMWare ESXi 7.0

Many people choose OVH for their low prices and relatively good network DDoS protection, and a lot of them probably choose ESXi when they get their server. However, it seems that OVH added their own customisation when they built the ESXi image: when attempting to upgrade to 7.0 on a RISE NVMe server you may be presented with an error message resembling

VIB INT_bootbank_intel-nvme-vmd_1.*-1OEM.* requires 
vmkapi_2_2_0_0, but the requirement cannot be satisfied within the 
ImageProfile

The fix to this error is simple, but a bit hard to work out where to actually get the updated files:

SSH in to your ESXi host and change to a Datastore directory

# cd /vmfs/volumes/Datastore1/

Download the new Intel NVMe vib. If your wget version freezes or the download fails you must use the vSphere web client to upload the vib instead. I’ll use the vib located on the Lenovo website, as I know this version works. By the time you’re reading this there may well be a newer version of the driver, so feel free to try something newer if you can find it.

# wget https://vmware.lenovo.com/content/2018_12/esxi_670_custom_vibs/esxi-670-vibs/INT_bootbank_intel-nvme-vmd_1.4.0.1016-1OEM.670.0.0.8169922.vib

Actually install the update, be sure to make backups!

# esxcli software vib update -v  "/vmfs/volumes/Datastore1/INT_bootbank_intel-nvme-vmd_1.4.0.1016-1OEM.670.0.0.8169922.vib"

Reboot the machine

# reboot

You should now be able to cleanly upgrade to ESXi 7.0 using the standard esxcli method.

How to get TeamSpeak 3 Dark Mode

Prerequisites

An installed TeamSpeak client, if you don’t have TeamSpeak download it from https://teamspeak.com/en/downloads/

While TeamSpeak 5 does indeed have a dark theme built in by default, those of us still using TeamSpeak 3 do not have that luxury.

There are actually two different ways to install TeamSpeak themes (which are really just plugins; both are installed the exact same way), and we’ll show you both. First we need to download a dark mode theme. There are a number of dark themes, but the one I personally use and recommend is DarkenTS – Dissension.

Other honourable mentions include:

NekoSpeak (https://www.myteamspeak.com/addons/30f4df31-7e2e-4d09-9d28-40b1bcfa4db4)

NekoSpeak is nearly a black TeamSpeak theme, minus the small amount of gold included

Darcula (https://www.myteamspeak.com/addons/30f4df31-7e2e-4d09-9d28-40b1bcfa4db4)

Darcula is a theme based on the Dark theme for JetBrains products, so programmers amongst you should be very comfortable with this TeamSpeak theme.

These alternatives can both be installed with the exact same instructions.

Option one (nearly) automatic

Press Tools => Options in your TeamSpeak menu bar and navigate to the Addons panel. When you’re there, press “Browse online”.

TeamSpeak Options Addons List

From this screen you can search for “dark”. At the time of writing it’s near the very top of the default addons you are initially presented with, so you can easily find it by scrolling down a tiny amount.

Click the theme you’re looking to try out

Once the page has loaded click the “install” button

TeamSpeak Options, Addon Window

The theme should now be installed and automatically set, if not please see below for the manual way of installing themes.

Option 2 (manual install)

https://www.myteamspeak.com/addons/4a834709-3315-4c53-a80d-b09efd03fce2

Press the “Download” button, and allow your browser to download the file

TeamSpeak Addons Download Window Firefox

Open the file and you will be presented with a window that looks something like this:

TeamSpeak Addon Installer Window

Press Install and restart your TeamSpeak client to complete the install.

After TeamSpeak has opened, press Tools => Options on the menu bar and navigate to Design. You can then set your preferred theme there; press Apply and your client will update with the new theme.

The TeamSpeak 3 Design options Page

I hope that this explains how easy it is to install TeamSpeak themes; these same methods can also be used to install TeamSpeak plugins. Need someone to talk to while using your shiny new Dark Mode TeamSpeak? Try finding a server on a TeamSpeak Server List.

Basic cPanel Settings You Should Change

The cPanel Control Panel is a graphical interface used to manage your website’s hosting account. It provides all the tools you need to create and manage your website, including a file manager, password manager, and domain manager.

The cPanel Control Panel is easy to use and provides all the features you need to manage your website. You can use the file manager to upload and manage your website’s files, the password manager to create and manage your website’s passwords, and the domain manager to manage your website’s domains.

The cPanel Control Panel also includes a variety of other features, such as a built-in website builder, a one-click installer for popular applications, and a variety of templates you can use to create your website.

When first installing cPanel many users are going to be simply overwhelmed by the number of options that WHM presents to the server administrator, but here are some options and packages that (in our opinion) you should change or install as soon as you install it.

CSF

The CSF firewall is a one-stop shop for preventing the worst brute force attacks your server will see; it protects multiple services on a cPanel server.

Tweak Settings

Tweak settings can be found near the top of the left hand menu on WHM.

Turn OFF “BoxTrapper Spam Trap”. This option sounds good in theory, but will usually end up with you being listed on various mail block lists.

Setting “Max hourly emails per domain” to something like 5000 will at least limit the amount of spam that a single user can send.

Apache Configuration > Global Configuration

Disable “Trace”; it’s a little used feature that can give an adversary more information about your server.

Set “Server Signature” to Off to hide version information on error pages.

Set “Server Tokens” to “Product Only” to easily hide as much information about your server setup as possible.

Exim Configuration Manager > Advanced Editor

Make sure the following is set in log_selector; this gives you more data to track spammers using your server:

log_selector = +arguments +subject +received_recipients
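As an added example, not part of the original post, here is a small Python script that reads mainlog lines produced with those selectors and flags accounts sending to many recipients, attaching the cwd= line (from +arguments) that shows which directory a locally submitted message came from. The log excerpt is constructed, and its layout is an assumption modelled on typical cPanel mainlog lines rather than a real capture.

```python
import re
from collections import defaultdict

# Constructed mainlog excerpt with +arguments +subject +received_recipients active (assumed layout).
MAINLOG = """\
2024-03-01 10:15:01 cwd=/home/bob/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-03-01 10:15:01 1rXyzA-0001Ab-Cd <= bob@example.com U=bob P=local S=1532 T="Your account" for v1@example.net v2@example.org v3@example.com
2024-03-01 10:15:02 cwd=/home/bob/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-03-01 10:15:02 1rXyzA-0001Ac-Ef <= bob@example.com U=bob P=local S=1532 T="Your account" for v4@example.net v5@example.org
2024-03-01 10:16:10 1rXyzA-0001Ad-Gh <= alice@example.com H=(laptop) [198.51.100.7] P=esmtpsa A=dovecot_login:alice@example.com S=2048 T="Lunch?" for dave@example.net
"""

# "<=" marks a message arrival; T="..." comes from +subject, "for ..." from +received_recipients.
ARRIVAL = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*?) T="(?P<subject>[^"]*)"'
    r'(?: for (?P<rcpts>.*))?$'
)
# "cwd=... N args: ..." comes from +arguments and precedes a locally submitted message.
CWD = re.compile(r'^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: ')


def parse_arrivals(log_text):
    """Yield one dict per message arrival; local submissions carry the preceding cwd= directory."""
    last_cwd = None
    for line in log_text.splitlines():
        m = CWD.match(line)
        if m:
            last_cwd = m.group("cwd")
            continue
        m = ARRIVAL.match(line)
        if not m:
            continue
        rest = m.group("rest")
        auth = re.search(r"\bA=(\S+)", rest)    # SMTP-authenticated account
        user = re.search(r"\bU=(\S+)", rest)    # local Unix user for P=local submissions
        is_local = " P=local" in " " + rest
        yield {
            "id": m.group("id"),
            "sender": m.group("sender"),
            "account": auth.group(1) if auth else (user.group(1) if user else m.group("sender")),
            "subject": m.group("subject"),
            "recipients": m.group("rcpts").split() if m.group("rcpts") else [],
            "cwd": last_cwd if is_local else None,
        }
        last_cwd = None


def find_bulk_senders(log_text, max_recipients=4):
    """Return {account: summary} for accounts whose total recipient count exceeds max_recipients."""
    totals = defaultdict(lambda: {"messages": 0, "recipients": 0, "subjects": set(), "cwds": set()})
    for msg in parse_arrivals(log_text):
        t = totals[msg["account"]]
        t["messages"] += 1
        t["recipients"] += len(msg["recipients"])
        t["subjects"].add(msg["subject"])
        if msg["cwd"]:
            t["cwds"].add(msg["cwd"])
    return {acct: t for acct, t in totals.items() if t["recipients"] > max_recipients}


if __name__ == "__main__":
    for account, summary in find_bulk_senders(MAINLOG).items():
        print(account, summary["messages"], "msgs", summary["recipients"], "rcpts",
              sorted(summary["subjects"]), sorted(summary["cwds"]))
```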

EasyApache

As a starting point we would recommend the “CloudLinux + All PHP options + OpCache + mod_lsapi” profile if you’re using CloudLinux, or “All PHP options + OpCache” if you’re using a CentOS install. These are both great baselines that should support most things your customers need.

cPanel Addons

There is a vast number of addons you can get for your cPanel server, but here are some key ones you might want to consider depending on your use case.

CloudLinux

CloudLinux is an alternative Linux distribution that is fully focussed on the security of shared systems. In our opinion this is an essential addon for any cPanel server, mainly due to the PHP selector, which allows each user to use their own PHP version. Also of great use to us is the ability to separate users into their own LVE (Lightweight Virtual Environment), which effectively stops users from spying on one another’s files.

LiteSpeed Enterprise

LiteSpeed is a fantastic server for serving high-load websites. While that sounds great in theory, its benefits are mostly reserved for higher-load websites, so if you’re just starting out it may not make much sense to spend the extra money on it.

Imunify360

Imunify is essentially a HIPS and anti-virus system for your cPanel (and other control panel) server. It is great for detecting malware that users have uploaded to your server in real time, which matters in a shared hosting environment where users and webmasters cannot be fully trusted. It may have more limited use on internal and/or highly controlled systems, but the peace of mind may be worth it for some people.

Simple steps you can take to help secure your Linux server

There are a lot of blog posts around the internet with lots of steps you can take to “hack proof” your server. While these tips will not make your server “hack proof”, they will improve your security profile, especially against automated scanners and exploit kits, which rely on some of these simple weaknesses existing on your server.

Your Distribution

Your choice of distribution will affect your baseline security profile, but all systems should be able to apply the tweaks we’re giving you here. We will be doing these tweaks on a vanilla Ubuntu 20.04 install; they will work on other distributions, but config files may be in other locations. You can use the excellent “locate” and/or “find” utilities to track down these config files if they’re not in the places we’ve listed.

Firewalls

Consider the excellent iptables script/addon, csf, which you can find here https://www.configserver.com/cp/csf.html

This script will automatically blacklist any IPs that are detected brute-forcing various services on your system. This feature is not enabled by default when you install csf: please ensure the config is working and no errors are printed when you run “csf -r”. Once you’re sure everything is working you can enable csf permanently by changing TESTING = 1 to 0 in /etc/csf/csf.conf.

SSH

Configuration location : /etc/ssh/sshd_config

Change your SSH port

Changing your SSH port is one of the easiest ways to deter automated bots from attempting to breach your server; we can change the SSH port by setting one single line in the config:

Port 12345

If you do change this port, be sure to open the new port in your firewall as well, or you will lock yourself out of your server.

X11Forwarding No

X11 forwarding has been used in exploits in the past; if you’re not sure whether you’re using it, you probably aren’t.

Nginx

Configuration location : /etc/nginx/nginx.conf

We can stop the exact version number being appended to every response by adding the following. It removes the version number, and potentially the operating system, from the “server” header of every response. It is possible to completely remove the header if you are willing to compile nginx from source, but that is beyond the scope of “simple steps”.

server_tokens off;

into the http {} block of the nginx config. Note the semicolon at the end of the line; it is required in nginx configs.

PHP

Configuration location : /etc/php/8.0/apache2/php.ini
This varies based on your PHP version and the SAPI (Server API) you are using for PHP; for example nginx will use /fpm/ instead of /apache2/ and the command line PHP interpreter will use /cli/.

We can stop the PHP version being appended to every server response by adding the following to php.ini; this completely removes the X-Powered-By header from all responses PHP serves.

expose_php = Off

We can stop some potentially dangerous functions being used by malicious scripts by adding them to the disable_functions option. Some applications may require functions like “exec” and “curl_*”, so please be sure to check your application source before you disable these. You can use “grep” to check your source quickly, for example “grep -iR curl_exec /var/www/html/”.

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
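As an added example (not from the original post), this Python script does the grep check above for the whole disable_functions list at once: it scans PHP sources for calls to any listed function and reports file and line, so you can see what would break before you apply the setting. The sample sources are constructed; use load_tree() to point it at a real application directory.

```python
import os
import re

# The disable_functions value from the guide.
DISABLE_FUNCTIONS = ("exec,passthru,shell_exec,system,proc_open,popen,"
                     "curl_exec,curl_multi_exec,parse_ini_file,show_source")

# Constructed PHP sources standing in for an application tree (not real project code).
SAMPLE_TREE = {
    "index.php": "<?php\n$out = shell_exec('ls');\n// exec('old');\necho $out;\n",
    "lib/http.php": "<?php\n$ch = curl_init($url);\n$body = curl_exec($ch);\nsystem_status();\n",
    "readme.txt": "exec( is mentioned here but this is not PHP\n",
}


def find_calls(php_source, disabled):
    """Return (line_no, function) for each call to a disabled function.
    Lexical scan: skips // and # comment lines, ignores $var(), ->method() and Class::method()."""
    names = "|".join(re.escape(f) for f in disabled)
    call = re.compile(r"(?<![\w$])(?<!->)(?<!::)(" + names + r")\s*\(", re.IGNORECASE)
    hits = []
    for n, line in enumerate(php_source.splitlines(), 1):
        stripped = line.lstrip()
        if stripped.startswith(("//", "#", "*")):
            continue
        for m in call.finditer(line):
            hits.append((n, m.group(1).lower()))
    return hits


def audit_tree(files, disable_functions=DISABLE_FUNCTIONS):
    """Audit a {path: source} mapping; returns {function: ["path:line", ...]} for each disabled function in use."""
    disabled = [f.strip() for f in disable_functions.split(",") if f.strip()]
    report = {}
    for path, source in files.items():
        if not path.endswith((".php", ".phtml", ".inc")):
            continue
        for line_no, func in find_calls(source, disabled):
            report.setdefault(func, []).append(f"{path}:{line_no}")
    return report


def load_tree(root):
    """Read a real source directory into the mapping audit_tree() expects."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                pass
    return files


if __name__ == "__main__":
    for func, places in audit_tree(SAMPLE_TREE).items():
        print(f"{func}: {', '.join(places)}")
```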

Disabling the URL fopen option stops functions like fopen from treating a URL as a file, downloading it and handing it to code that may execute it. This is a common avenue for attackers to pull files onto your server; however, a proper audit of your application’s source code should be done to ensure this isn’t exploitable in the first place.

allow_url_fopen = Off

If your PHP application does not need to accept file uploads, you can disable the feature outright, which helps cripple web shells and other programming errors being used to upload malicious content to your server.

file_uploads = Off

Raising limits for the xt_recent iptables module

If you like to limit the effects of a DDoS on your services, you’ve probably tried to cap the number of connections that can be made to a port, possibly with the xt_recent iptables module. By default the limits the module imposes are rather low, which made it of limited use in our case because of the large number of connections we normally see.

Most distributions’ defaults store only the last 100 IPs and 20 timestamps of packets from each of those IPs. We can raise these so that more connections are tracked with more granularity; with the changes below the module tracks up to 200 IPs and the times of the last 255 packets sent by each IP.

nano /etc/modprobe.d/xt_recent.conf

Add the following line to the file

options xt_recent ip_pkt_list_tot=255 ip_list_tot=200

Before we can unload the xt_recent module we need to unload all the modules that use it, which we can do simply by stopping iptables:

service iptables stop

Alternatively, if you’re using csf you can unload all its rules with the command below; there was no need to stop iptables when using this method.

csf -x

Now we can unload the xt_recent module

modprobe -r xt_recent

After the module has unloaded successfully you can reload it with

modprobe xt_recent

Now we can restart iptables

service iptables start

Or if you’re using csf

csf -e


Mullvad Split VPN with SOCKS Proxy

This process should be similar for any other VPN provider that offers OpenVPN servers; Private Internet Access and NordVPN are known to have this feature.

Edit your OpenVPN config from Mullvad and add the following line at the end

pull-filter ignore redirect-gateway

Your VPN config will look similar to this:

client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
proto udp
auth-user-pass /etc/openvpn/mullvad_userpass.txt
ca /etc/openvpn/mullvad_ca.crt
tun-ipv6
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
fast-io
remote-random
remote ca-mtr-102.mullvad.net 1194
remote ca-mtr-105.mullvad.net 1194
remote ca-mtr-104.mullvad.net 1194
remote ca-tor-103.mullvad.net 1194
remote ca-tor-101.mullvad.net 1194
remote ca-mtr-103.mullvad.net 1194
remote ca-tor-102.mullvad.net 1194
remote ca-van-003.mullvad.net 1194
remote ca-mtr-107.mullvad.net 1194
remote ca-van-002.mullvad.net 1194
remote ca-mtr-101.mullvad.net 1194
remote ca-mtr-108.mullvad.net 1194
remote ca-van-004.mullvad.net 1194
remote ca-mtr-106.mullvad.net 1194
pull-filter ignore redirect-gateway

Mullvad runs its SOCKS5 server on 10.8.0.1, so we can now use the VPN by pointing individual programs at the SOCKS proxy.

For example, we can now use curl through the VPN without sending all our traffic through it. An example curl command would look like this:

curl --socks5-hostname 10.8.0.1 --keepalive-time 60 -m 1800 https://www.google.com

--socks5-hostname tells curl which proxy to use and leaves resolving the hostname to the proxy (so the DNS lookup also travels over the VPN); alternatively you can use --socks5 to have the name resolved locally before connecting.

To make sure the SOCKS5 proxy is still alive we set a timeout with “-m” so that the request does not wait forever for a reply.
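To show what the two curl options actually put on the wire, here is an added Python example (not from the original post) that builds the SOCKS5 CONNECT request both ways: with the hostname inside the request (address type 0x03, as --socks5-hostname does, so the proxy resolves it through the tunnel) or with a locally resolved IPv4 address (address type 0x01, as --socks5 does, which leaks the DNS lookup outside the VPN). The proxy port 1080 is the SOCKS default and an assumption; the reply parser and the live helper are general to any SOCKS5 proxy.

```python
import socket
import struct

SOCKS_VERSION = 5
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def build_greeting():
    """Client hello: version 5, one offered method, 0x00 = no authentication."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def build_connect(host, port, resolve_locally=False):
    """CONNECT request. resolve_locally=False sends the name itself (ATYP 0x03) so the proxy
    resolves it, like --socks5-hostname. resolve_locally=True mimics --socks5: the name is
    resolved on this machine first, so the DNS query leaves outside the VPN."""
    if resolve_locally:
        body = bytes([ATYP_IPV4]) + socket.inet_aton(socket.gethostbyname(host))
    else:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, 0x01, 0x00]) + body + struct.pack("!H", port)


def parse_reply(data):
    """Parse the proxy's reply; returns (ok, message, bound_addr, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        return False, "malformed reply", None, None
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode(), data[5 + n:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        return False, "unknown address type", None, None
    port = struct.unpack("!H", rest[:2])[0] if len(rest) >= 2 else None
    return rep == 0, REPLY_TEXT.get(rep, f"reply code {rep}"), addr, port


def open_through_proxy(host, port, proxy=("10.8.0.1", 1080), timeout=30):
    """Return a socket connected to host:port via the SOCKS5 proxy, DNS done by the proxy.
    The proxy address is the one from the post; port 1080 is an assumption."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(build_greeting())
    ver, method = s.recv(2)
    if ver != SOCKS_VERSION or method != 0x00:
        s.close()
        raise OSError("proxy rejected the no-authentication method")
    s.sendall(build_connect(host, port))
    ok, msg, _, _ = parse_reply(s.recv(262))
    if not ok:
        s.close()
        raise OSError(f"SOCKS5 CONNECT failed: {msg}")
    return s
```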

Ubuntu 18.04 OVH VPS IPv6 Setup

With IPv4 addresses nearly exhausted everywhere, the world could really use more IPv6 adoption, so here’s a handy guide for getting IPv6 working on your OVH Ubuntu VPSes, although it should work equally well on any VPS or dedicated server host.

At the time of writing there seems to be a bug in netplan which stops IPv6 working properly when following the official instructions from OVH. This can be worked around by bypassing netplan and configuring the interface directly in systemd-networkd.

Open a new file

nano /etc/systemd/network/10-ens3.network

Edit in the required config lines, making sure that you name your network interface correctly.

[Match]
Name=ens3

[Network]
DHCP=ipv4
Gateway=Your IPv6 Gateway Address Here
DNS=2620:119:35::35

[Address]
Address=Your IPv6 Address Here/128

[Route]
Destination=Your IPv6 Gateway Address Here
Scope=link

After you’ve written out the configuration you have two choices for applying the change.

Either reboot your server entirely

reboot

Or restart the systemd network daemon to apply the change; this is faster of course, but may cause networking to drop for a few seconds.

systemctl restart systemd-networkd



© 2024 TL;DR Tips
