Trust Your Technolust

Category: Linux

OVH Dedicated server fails to upgrade to VMWare ESXi 7.0

Many people choose OVH for their low prices and relatively good network DDoS protection, and many of those people run ESXi on their server. OVH appears to have added its own customisations to the ESXi image it supplies, so when you attempt to upgrade to 7.0 on a RISE NVMe server you may be presented with an error message resembling:

VIB INT_bootbank_intel-nvme-vmd_1.*-1OEM.* requires vmkapi_2_2_0_0, but the requirement cannot be satisfied within the ImageProfile where you get the files

The fix for this error is simple, but it is a bit hard to work out where to actually get the updated files:

SSH into your ESXi host and change to a datastore directory

# cd /vmfs/volumes/Datastore1/

Download the new Intel NVMe VIB. If your wget freezes or the download fails, upload the VIB with the vSphere web client instead. I’ll use the VIB hosted on the Lenovo website, as I know this version works; by the time you’re reading this there may well be a newer driver, so feel free to try something newer if you can find it.

# wget https://vmware.lenovo.com/content/2018_12/esxi_670_custom_vibs/esxi-670-vibs/INT_bootbank_intel-nvme-vmd_1.4.0.1016-1OEM.670.0.0.8169922.vib

Install the update (be sure to make backups first!)

# esxcli software vib update -v  "/vmfs/volumes/Datastore1/INT_bootbank_intel-nvme-vmd_1.4.0.1016-1OEM.670.0.0.8169922.vib"

Reboot the machine

# reboot

You should now be able to cleanly upgrade to ESXi 7.0 using the standard esxcli method.

Basic cPanel Settings You Should Change

When first installing cPanel, many users are overwhelmed by the number of options that WHM presents to the server administrator. Here are some options and packages that (in our opinion) you should change or install as soon as it is installed.

CSF

The CSF firewall is a one-stop shop for stopping the worst of the brute force attacks your server will see; it protects multiple services on a cPanel server.

Tweak Settings

Tweak settings can be found near the top of the left hand menu on WHM.

Turn OFF “BoxTrapper Spam Trap”: this option sounds good in theory, but it will usually end with you being listed on various mail block lists.

Setting “Max hourly emails per domain” to something like 5000 will at least limit the amount of spam a single user can send.

Apache Configuration > Global Configuration

Disable “Trace”: it’s a little-used feature that can give an adversary more information about your server.

Set “Server Signature” to Off to hide version information on error pages.

Set “Server Tokens” to “Product Only” to hide as much information about your server setup as possible.

Exim Configuration Manager > Advanced Editor

Make sure the following is set in log_selector; this gives you more data for tracking spammers using your server:

log_selector = +arguments +subject +received_recipients

EasyApache

As a starting point we recommend the “CloudLinux + All PHP options + OpCache + mod_lsapi” profile if you’re using CloudLinux, or “All PHP options + OpCache” on a CentOS install; both are great baselines that should support most things your customers need.

cPanel Addons

There is a vast number of addons you can get for your cPanel server; here are some key ones you might want to consider depending on your use case.

CloudLinux

CloudLinux is an alternative Linux distribution that is fully focussed on the security of shared systems. In our opinion it is an essential addon for any cPanel server, mainly because of the PHP Selector, which allows each user to run their own PHP version. Also of great use to us is the ability to separate users into their own LVE (Lightweight Virtual Environment), which effectively stops users from spying on one another’s files.

LiteSpeed Enterprise

LiteSpeed is a fantastic server for serving high-load websites. While that sounds great in theory, the benefit is mostly reserved for higher-load sites, so if you’re just starting out it may not make much sense to spend the extra money on it.

Imunify360

Imunify is essentially a HIPS and anti-virus system for your cPanel (and other control panel) server. It is great for detecting malware that users have uploaded to your server in real time, which matters in a shared hosting environment where users and webmasters cannot be fully trusted. It may be of more limited use on internal and/or highly controlled systems, but for some people it will be worth it for the peace of mind.

Simple steps you can take to help secure your Linux server

There are a lot of blog posts around the internet listing steps you can take to “hack proof” your server. These tips will not make your server “hack proof”, but they will improve your security profile, especially against automated scanners and exploiters, which rely on some of these simple things being present on your server.

Your Distribution

Your choice of distribution affects your baseline security profile, but all systems should be able to apply the tweaks we give here. We will be doing them on a vanilla Ubuntu 20.04 install; they will work on other distributions, but the config files may be in other locations. You can use the excellent “locate” and/or “find” utilities to find the config files if they’re not where we’ve listed them.

Firewalls

Consider the excellent iptables script/addon csf, which you can find at https://www.configserver.com/cp/csf.html

This script automatically blacklists any IPs detected brute-forcing various services on your system. This feature is not enabled by default when you install csf: ensure the config is working and no errors are printed when you run “csf -r”, and once you’re sure everything is working, enable csf permanently by changing TESTING = 1 to TESTING = 0 in /etc/csf/csf.conf.

SSH

Configuration location : /etc/ssh/sshd_config

Change your SSH port

Changing your SSH port is one of the easiest ways to deter automated bots from attempting to breach your server; we can change it by setting one line in the config:

Port 12345

If you do change this port, be sure to open the new port in your firewall as well, or you will lock yourself out of your server.

X11Forwarding No

X11 forwarding has been used in exploits in the past; if you’re not sure whether you’re using it, you probably aren’t.

Nginx

Configuration location : /etc/nginx/nginx.conf

We can stop the exact version number being appended to every response by adding the following; it removes the version number, and potentially the operating system, from the “server” header of every response. It is possible to remove the header completely if you are willing to compile nginx from source, but that is beyond the scope of “simple steps”.

server_tokens off;

into the http {} block of the nginx config. Note the semicolon at the end of the line; it is required in nginx configs.

PHP

Configuration location : /etc/php/8.0/apache2/php.ini
This varies with the PHP version and the SAPI (Server API) you are using for PHP: for example nginx will use /fpm/ instead of /apache2/, and the command line PHP interpreter will use /cli/.

We can stop the PHP version being appended to every server response by adding the following to php.ini; this completely removes the X-Powered-By header from all responses PHP serves.

expose_php = Off

We can stop some potentially dangerous functions being used by malicious scripts by adding them to the disable_functions option. Some applications require functions like “exec” and “curl_*”, so be sure to check your application source before you disable them; you can use “grep” to check your source quickly, for example “grep -iR curl_exec /var/www/html/”.

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Disabling the allow_url_fopen option stops functions like fopen from treating a URL as a file and downloading it for execution. This is a common avenue for attackers to download files onto your server; however, a proper code audit of your application’s source should still be done to ensure this isn’t exploitable in the first place.

allow_url_fopen = Off

If your PHP application does not need to accept file uploads, you can disable the feature outright to help cripple web shells or other programming errors being used to upload malicious content to your server.

file_uploads = Off
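To confirm the sshd, nginx and php.ini settings above actually took effect, and to see which functions in the proposed disable_functions list your application source still calls before you switch them off, here is an added audit script (our own example, not from the original post). The helper names are ours; the file paths it expects are the ones given above.

```shell
# Added example, not from the original post: audit the sshd, nginx and php.ini
# settings recommended above and list disable_functions entries still in use.

# ini_value FILE KEY: last "KEY = value" in a php.ini-style file, lower-cased,
# ';' comment lines ignored, surrounding whitespace trimmed.
ini_value() {
    awk -F'=' -v k="$2" '
        /^[[:space:]]*;/ { next }
        { key = $1; gsub(/[[:space:]]/, "", key)
          if (key == k) { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) } }
        END { print tolower(v) }' "$1"
}

# directive_value FILE KEY: value of an sshd_config-style "Key value" line
# (last match wins; keyword compared case-insensitively, as sshd does).
directive_value() {
    awk -v k="$2" '!/^[[:space:]]*#/ && tolower($1) == tolower(k) { v = $2 }
                   END { print tolower(v) }' "$1"
}

# check_php_ini PHPINI: 0 when expose_php, allow_url_fopen and file_uploads
# are all Off; otherwise prints each deviation and returns 1.
check_php_ini() {
    rc=0
    for key in expose_php allow_url_fopen file_uploads; do
        got=$(ini_value "$1" "$key")
        if [ "$got" != "off" ]; then
            echo "php.ini: $key is '${got:-unset}', expected Off"
            rc=1
        fi
    done
    return $rc
}

# check_sshd SSHD_CONFIG: 0 when SSH is off port 22 and X11 forwarding is off.
check_sshd() {
    rc=0
    port=$(directive_value "$1" Port)
    [ -n "$port" ] && [ "$port" != "22" ] || { echo "sshd: Port is still 22"; rc=1; }
    [ "$(directive_value "$1" X11Forwarding)" = "no" ] ||
        { echo "sshd: X11Forwarding is not no"; rc=1; }
    return $rc
}

# check_nginx NGINX_CONF: 0 when an uncommented "server_tokens off;" exists.
check_nginx() {
    grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' "$1" ||
        { echo "nginx: server_tokens is not off"; return 1; }
}

# used_disabled_functions PHPINI WEBROOT: print every function named in
# disable_functions that still appears as a whole word in *.php under WEBROOT,
# so you know what will break before the list is applied (the grep from above,
# run once per listed function).
used_disabled_functions() {
    ini_value "$1" disable_functions | tr ',' '\n' | while read -r fn; do
        if [ -n "$fn" ] && grep -rIlw --include='*.php' "$fn" "$2" >/dev/null 2>&1; then
            echo "$fn"
        fi
    done
}
```

On a live host, source the script and run for example check_sshd /etc/ssh/sshd_config, check_nginx /etc/nginx/nginx.conf, check_php_ini /etc/php/8.0/apache2/php.ini and used_disabled_functions /etc/php/8.0/apache2/php.ini /var/www/html.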

Raising limits for the xt_recent iptables module

If you’re a fan of trying to limit the effects of a DDoS on your services, you’ve probably tried to limit the number of connections that can be made to a port, possibly using the xt_recent iptables module. By default the limits imposed on the module are rather low, which made it of limited use in our case because of the large number of connections we normally see. Most distributions’ defaults store only the last 100 IPs and 20 timestamps of packets from each of those IPs; we can increase this to track more connections with more granularity. For example, with the changes below we can monitor up to 200 IPs and the times of the last 255 packets sent by each IP.

nano /etc/modprobe.d/xt_recent.conf

Add the following line to the file

options xt_recent ip_pkt_list_tot=255 ip_list_tot=200

Before we unload the xt_recent module we need to unload everything that uses the recent module, which we can do simply with the command

service iptables stop

Alternatively, if you’re using csf you can unload all of its rules with the command below; there is no need to stop iptables with this method.

csf -x

Now we can unload the xt_recent module

modprobe -r xt_recent

After the module has unloaded successfully you can reload it with

modprobe xt_recent

Now we can restart iptables

service iptables start

Or if you’re using csf

csf -e
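Since “modprobe -r” fails while any rule still references the recent match, and the new limits only take effect once the module has been reloaded, here is an added example (our own, not part of the original post) that wraps the csf variant of the sequence above with a refcount guard and verifies the live parameters afterwards. The sysfs directory is an argument so the checks can be run against a copy; note that the module itself rejects ip_pkt_list_tot values above 255.

```shell
# Added example, not from the original post: guard the xt_recent reload above
# and confirm the kernel took the values set in /etc/modprobe.d/xt_recent.conf.
# DIR is the module's sysfs parameter directory; the default is the live one.
XT_PARAMS=${XT_PARAMS:-/sys/module/xt_recent/parameters}

# xt_recent_refcnt DIR: number of users of the module (0 means "modprobe -r"
# can succeed); prints "absent" when the module is not loaded.
xt_recent_refcnt() {
    if [ -r "$1/../refcnt" ]; then cat "$1/../refcnt"; else echo absent; fi
}

# xt_recent_params DIR: print "ip_list_tot ip_pkt_list_tot" currently in effect.
xt_recent_params() {
    echo "$(cat "$1/ip_list_tot") $(cat "$1/ip_pkt_list_tot")"
}

# xt_recent_matches DIR LIST PKT: 0 when the live values equal LIST and PKT,
# otherwise print both and return 1. PKT above 255 is rejected by the module
# (ip_pkt_list_tot is limited to 1..255), so such a request can never match.
xt_recent_matches() {
    got=$(xt_recent_params "$1")
    [ "$got" = "$2 $3" ] || { echo "xt_recent: live '$got', want '$2 $3'"; return 1; }
}

# xt_recent_reload LIST PKT: the csf sequence from the post with the refcount
# guard and a verification step. Needs root; the csf rules are put back with
# "csf -e" whether or not the reload succeeded.
xt_recent_reload() {
    csf -x || return 1
    rc=0
    if [ "$(xt_recent_refcnt "$XT_PARAMS")" != "0" ]; then
        echo "xt_recent still in use, not unloading"; rc=1
    elif ! modprobe -r xt_recent || ! modprobe xt_recent; then
        rc=1
    else
        xt_recent_matches "$XT_PARAMS" "$1" "$2" || rc=1
    fi
    csf -e
    return $rc
}
```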


Mullvad Split VPN with SOCKS Proxy

This process should be similar for any other VPN provider that has OpenVPN servers; Private Internet Access and NordVPN are known to have this feature.

Edit your OpenVPN config from Mullvad and add the following line at the end:

pull-filter ignore redirect-gateway

Your VPN config will then look similar to:

client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
proto udp
auth-user-pass /etc/openvpn/mullvad_userpass.txt
ca /etc/openvpn/mullvad_ca.crt
tun-ipv6
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
fast-io
remote-random
remote ca-mtr-102.mullvad.net 1194
remote ca-mtr-105.mullvad.net 1194
remote ca-mtr-104.mullvad.net 1194
remote ca-tor-103.mullvad.net 1194
remote ca-tor-101.mullvad.net 1194
remote ca-mtr-103.mullvad.net 1194
remote ca-tor-102.mullvad.net 1194
remote ca-van-003.mullvad.net 1194
remote ca-mtr-107.mullvad.net 1194
remote ca-van-002.mullvad.net 1194
remote ca-mtr-101.mullvad.net 1194
remote ca-mtr-108.mullvad.net 1194
remote ca-van-004.mullvad.net 1194
remote ca-mtr-106.mullvad.net 1194
pull-filter ignore redirect-gateway

Mullvad runs its SOCKS5 server on 10.8.0.1, so we can now use the VPN by binding a program to the SOCKS proxy.

For example, we can now use curl without sending all of our traffic through the VPN; an example curl command looks like this:

curl --socks5-hostname 10.8.0.1 --keepalive-time 60 -m 1800 https://www.google.com

--socks5-hostname tells curl which SOCKS5 proxy to use and lets the proxy host resolve DNS names; alternatively you can use --socks5 to bypass resolution by the proxy host and resolve names locally instead.

To make sure the SOCKS5 proxy is still alive we set a timeout with “-m” so that the command does not wait forever for a reply.

Ubuntu 18.04 OVH VPS IPv6 Setup

With IPv4 addresses nearly exhausted everywhere, the world could really use more IPv6 adoption, so here’s a handy guide to getting IPv6 working on your OVH Ubuntu VPSs; it should work equally well on any VPS/dedicated server host.

At the time of writing there seems to be a bug in netplan which stops IPv6 working properly when following the official instructions from OVH; this can be worked around by bypassing netplan and configuring systemd-networkd directly.

Open a new file

nano /etc/systemd/network/10-ens3.network

Add the required config lines, making sure you name your network interface correctly.

[Match]
Name=ens3

[Network]
DHCP=ipv4
Gateway=Your IPv6 Gateway Address Here
DNS=2620:119:35::35

[Address]
Address=Your IPv6 Address Here/128

[Route]
Destination=Your IPv6 Gateway Address Here
Scope=link

After you’ve written out the configuration you have two choices for applying the change:

Either reboot your server entirely

reboot

Or restart the systemd network daemon to apply the change; this is faster, of course, but may cause networking to drop for a few seconds.

systemctl restart systemd-networkd


Installing phpiredis on cPanel and CloudLinux

You may already be familiar with this message if customers have contacted you about messages from their Laravel installs:

predis/predis suggests installing ext-phpiredis (Allows faster serialization and deserialization of the Redis protocol)

If you use Laravel you’re probably using Redis for caching, but for optimal performance Laravel recommends the phpiredis extension from github.com/nrk/phpiredis, which isn’t available on cPanel servers with CloudLinux, so here’s a way to install it so all your customers can benefit.

We’ll install it for PHP 7.3 on our CloudLinux server but the same process applies for all versions of the PHP Selector on CloudLinux.

First clone the extension’s Git repository; at the time of writing the extension isn’t on PECL, so we have to get it from GitHub instead.

git clone https://github.com/nrk/phpiredis.git

Change directory to the extension folder.

cd phpiredis/

Run phpize on the source.

/opt/alt/php73/usr/bin/phpize

Configure the extension source.

./configure --with-php-config=/opt/alt/php73/usr/bin/php-config

Compile the extension.

make

Install the extension files.

make install

Create a new file for the extension information.

nano /opt/alt/php73/etc/php.d.all/phpiredis.ini

Add the following to the file so PHP Selector can enable it.

; Enable phpiredis extension module

extension=phpiredis.so

Rebuild CageFS to include the new extension.

cagefsctl --rebuild-alt-php-ini

Restart Apache to pick up your new extensions.

service httpd restart

At this point you can enable it for all your customers in WHM by going to the CloudLinux LVE Manager in WHM and enabling it for the 7.3 PHP version in the Selector tab, or allow your customers to select whether they want to use it in their cPanel account.

Install the CSF Firewall on Linux

Requirements

  • A Linux server with ip/xtables installed and running.
  • Any of the following distributions installed: RedHat/CentOS/CloudLinux 5-7, Fedora, openSUSE, Debian, Ubuntu, Slackware.

What is CSF?

CSF is a set of extension scripts for iptables on Linux that integrates with various control panels and distribution packages to improve the security standing of your server. For example, CSF can detect brute forcing of your SSH server and automatically ban the offending IPs at the firewall level, thwarting brute force attacks easily. It also contains configuration options that make things like traffic limiting very simple.

Change to a different folder to keep it neat.

cd /usr/src

Remove any previous versions you’ve downloaded.

rm -fv csf.tgz

Download the latest version of the firewall.

wget https://download.configserver.com/csf.tgz

Extract the package.

tar -xzf csf.tgz

Change to the package directory.

cd csf

Run the install script.

sh install.sh


Install cPanel on a VPS or Dedicated Server

Requirements

  • A VPS or dedicated server with at least 1GB RAM, 20GB SSD and a single core.
  • A working SSH client to connect to your shiny new server.
  • A server with either CloudLinux or CentOS installed. Version 6 is still supported, but we’ll use CloudLinux 7 because it’s far more up to date and has the best security profile; be aware that CloudLinux costs money and you need a license.
  • A cPanel license if you plan to use it for more than the 14 day trial period.

How to install cPanel on your Dedicated Server or VPS

(OPTIONAL) If your connection is unreliable, it’s advisable to run the install inside the screen program, which protects you if you disconnect.

yum install screen

screen -S cpanelinstall

Ensure you have Perl installed on the system; it should come as standard, but some VPS providers ship slimmed-down images.

yum install perl

Ensure you have the correct hostname set for your server; we’ll use test.tldrtips.com for this example, but you should have a fully resolving hostname.

hostnamectl set-hostname test.tldrtips.com

Change to your /home directory on your server

cd /home

Download the cPanel install script

curl -o latest -L https://securedownloads.cpanel.net/latest

Run the install script

sh latest

Allow the script to run; now is a good time to fetch some Irn-Bru while you wait, as this process may take up to an hour depending on how fast your server is. If you ran the install in a screen session you can now disconnect from the screen by pressing Ctrl + D. After the installation you should be able to visit the WHM/cPanel admin interface at https://<your IP address here>:2087

TeamSpeak Server on Linux/BSD

Generic Linux Install Instructions

Create a new user to run the TeamSpeak server under; this is very important so that you keep processes separate from each other.

adduser teamspeak

Switch to the teamspeak user

su teamspeak

Download the latest Teamspeak server from https://www.teamspeak.com/en/downloads/#server

wget https://files.teamspeak-services.com/releases/server/3.13.6/teamspeak3-server_linux_amd64-3.13.6.tar.bz2

Unpack the archive

tar xvjf teamspeak3-server_linux_amd64-3.13.6.tar.bz2

Change directory to the folder

cd teamspeak3-server_linux_amd64

Run the TeamSpeak server

./ts3server_startscript.sh start

Your console will show a server admin username/password and a server token; save these in a safe place for later. The server should be started at this point. With your TeamSpeak client, connect to the IP of your server; when you connect a window will pop up asking for the server token, which is the longest random string you were given in the previous step. Enter this and you will be given server admin. You can now administrate your TS3 server instance as you like.

Generic BSD Install Instructions

Create a new user to run the TeamSpeak server under.

fetch http://dl.4players.de/ts/releases/3.0.13.8/teamspeak3-server_freebsd_amd64-3.0.13.8.tar.bz2 

Unpack the archive

tar xvjf teamspeak3-server_freebsd_amd64-3.0.13.8.tar.bz2 

Change directory to the folder

cd teamspeak3-server_freebsd_amd64 

Run the TeamSpeak server

./ts3server_startscript.sh start


Your console will show a server admin username/password and a server token; save these in a safe place for later. The server should be started at this point. With your TeamSpeak client, connect to the IP of your server; when you connect a window will pop up asking for the server token, which is the longest random string you were given in the previous step. Enter this and you will be given server admin. You can now administrate your TS3 server instance as you like.

Now you have your shiny new server, why not promote it on a TeamSpeak Server List? The extra exposure could help you become the number one server on the planet some day.

© 2021 TL;DR Tips
