Virtualmin Changes binding from ip:80 to *:80 and breaks older configs … FIX

We have found that some Virtualmin installs will sometimes change the format of new virtualhosts from ip:80 to *:80, which breaks virtualhosts because the *:80 overrides the ip:80.
This can result in websites showing another website's content, and it usually shows up right after you add a new domain in Virtualmin.
When you run apachectl -S it will show something like this:

*:80                   is a NameVirtualHost
         default server domain1.co.nz (/etc/apache2/sites-enabled/domain1.co.nz.conf:1)
         port 80 namevhost domain1.co.nz (/etc/apache2/sites-enabled/domain1.co.nz.conf:1)
                 alias www.domain1.co.nz
                 alias webmail.domain1.co.nz
                 alias admin.domain1.co.nz
         port 80 namevhost domain2.co.nz (/etc/apache2/sites-enabled/domain2.co.nz.conf:1)
                 alias www.domain2.co.nz
                 alias webmail.domain2.co.nz
                 alias admin.domain2.co.nz
192.168.1.2:80                   is a NameVirtualHost
         port 80 namevhost domain3.co (/etc/apache2/sites-enabled/domain3.co.conf:1)
                 alias www.domain3.co
                 alias webmail.domain3.co
                 alias admin.domain3.co
         port 80 namevhost domain4.nz (/etc/apache2/sites-enabled/domain4.nz.conf:1)
                 alias www.domain4.nz
                 alias webmail.domain4.nz
                 alias admin.domain4.nz

Some are shown under an IP, and others under *:80.

The solution is a simple one: set them all to use *:80 by default, and update the current virtualhosts to use that format as well. Here's how to do that.

Log in to Virtualmin.
Click System Settings -> Virtualmin Configuration -> Defaults for new domains. Look for 'Address format for Apache virtual hosts' and set that to 'Always use *'.

The easy way to do this by editing the config is to edit /etc/webmin/virtual-server/config and change the line apache_star to be

apache_star=2

This sets it up for new virtualhosts to use *:80

To change existing hosts to all use *:80, you can run sed over the config files, replacing ipaddress with your server's IP, e.g.

sed -i 's/ipaddress:80/*:80/g' /etc/apache2/sites-enabled/*

Use the following to check the config works

apachectl -S

This should show all domains like this

*:80                   is a NameVirtualHost
         default server domain1.co.nz (/etc/apache2/sites-enabled/domain1.co.nz.conf:1)
         port 80 namevhost domain1.co.nz (/etc/apache2/sites-enabled/domain1.co.nz.conf:1)
                 alias www.domain1.co.nz
                 alias webmail.domain1.co.nz
                 alias admin.domain1.co.nz
         port 80 namevhost domain2.co.nz (/etc/apache2/sites-enabled/domain2.co.nz.conf:1)
                 alias www.domain2.co.nz
                 alias webmail.domain2.co.nz
                 alias admin.domain2.co.nz
         port 80 namevhost domain3.co (/etc/apache2/sites-enabled/domain3.co.conf:1)
                 alias www.domain3.co
                 alias webmail.domain3.co
                 alias admin.domain3.co
         port 80 namevhost domain4.nz (/etc/apache2/sites-enabled/domain4.nz.conf:1)
                 alias www.domain4.nz
                 alias webmail.domain4.nz
                 alias admin.domain4.nz

All under *:80

As a side note: Port 443 or SSL sites usually have the IP in them, so ignore those and leave them as they are.
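
A quick way to spot the mixed state from the command line, as an added example that is not part of the original post: the function reads apachectl -S output and lists the port-80 virtualhosts still bound to a specific IP while a *:80 section also exists, together with the config file each one comes from. The function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: `apachectl -S` output in the mixed state shown above.
sample_mixed() {
cat <<'EOF'
*:80                   is a NameVirtualHost
         default server domain1.co.nz (/etc/apache2/sites-enabled/domain1.co.nz.conf:1)
         port 80 namevhost domain1.co.nz (/etc/apache2/sites-enabled/domain1.co.nz.conf:1)
                 alias www.domain1.co.nz
192.168.1.2:80                   is a NameVirtualHost
         port 80 namevhost domain3.co (/etc/apache2/sites-enabled/domain3.co.conf:1)
                 alias www.domain3.co
         port 80 namevhost domain4.nz (/etc/apache2/sites-enabled/domain4.nz.conf:1)
EOF
}

# ip_bound_vhosts (hypothetical helper): read `apachectl -S` output on stdin.
# When a *:80 section exists alongside IP-specific :80 sections, print
# "<binding> <vhost> <config file>" for every vhost still on an IP-specific
# binding. Prints nothing when port 80 uses only one address format.
# Only "is a NameVirtualHost" sections are inspected.
ip_bound_vhosts() {
  awk '
    / is a NameVirtualHost/ { bind = $1; if (bind == "*:80") star = 1; next }
    bind ~ /:80$/ && bind != "*:80" && $1 == "port" && $3 == "namevhost" {
      file = $5
      gsub(/^\(|:[0-9]+\)$/, "", file)   # "(path:line)" -> "path"
      found[++n] = bind " " $4 " " file
    }
    END { if (star) for (i = 1; i <= n; i++) print found[i] }'
}

# Demonstration on the constructed sample.
sample_mixed | ip_bound_vhosts
```

On a server, run apachectl -S 2>&1 | ip_bound_vhosts; no output means port 80 is not split between *:80 and an IP-specific binding.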

Posted in Rimuhosting

Reboot-less Xen patching

Recently there have been two sets of Xen vulnerabilities, one disclosed in September and the other earlier today. Historically we have had to organize host updates, which required downtime to reboot VMs.

For these last sets of vulnerabilities we have been able to use a recently introduced live patching feature in Xen to mitigate the vulnerabilities for most of our hosts. The live patching swaps out an exploitable function with a patched function. It can do this without restarting the host or the VM.

Live patching will work for most (but not all) vulnerabilities, resulting in fewer VM restarts and less client disruption, and taking a little more hassle out of your hosting.

Posted in Rimuhosting

DKIM and subaddressing added to 25mail.st

We have added a couple of features to the 25mail.st service.

First, we now support DKIM email signing. This lets our email servers sign outgoing messages so that recipients can verify that the email was sent from an authorized server. You will need to add a DNS entry for each email domain that should have its emails signed. Adding a 25mail.st DKIM key will not affect other email servers you may be using. To get it set up, see: https://25mail.st/faq.jsp?is_require_login=Y#dns

We have also added subaddressing. So you can invent subaddresses on the fly (e.g. peter+work@example.com or peter+tag@example.com) and by default they will all arrive to that user's mailbox. For more details see https://25mail.st/faq.jsp?is_require_login=Y#subaddressing

Photo credit: cayusa

Posted in Rimuhosting

Whitelist your own computer in fail2ban

Fail2ban is a great "dynamic" firewall for servers that is installed by default on many of our VPSs, and we can install it on your VPSs at your request. It protects against brute-force attacks, where an attacker is trying to guess a password or exploit certain classes of vulnerabilities on servers.

One potential problem with fail2ban and similar tools is the false positive problem, that is, banning yourself from your own VPS, particularly if you don't always get your password right. In this post, I'll explain how to fix that problem using fail2ban's whitelist feature.

Posted in HOWTO, Rimuhosting, Security

Let's Encrypt with Virtualmin

Virtualmin now supports Let's Encrypt, which means you can easily get multiple SSL certificates for free if needed.

Here is how you can set that up.
Step 1: Log in to your Virtualmin and select the domain from the drop-down in the top left.

Step 2: Click 'Edit Virtual Server'. Under 'Enabled Features' you will see 'SSL Website Enabled'. Check the checkbox and save.

Step 3: Expand the left menu and, under Server Configuration, click on Manage SSL certificate. The top far right should have a tab named 'Let's Encrypt', which you can click on.

Step 4: Change the 'Months between automatic renewal' from Manual to every 2 months or similar and save.

Step 5: Test the domain works with https and you are done.

Notes: You will need Apache 2.4 to allow multiple SSL certificates on a single IP.

Posted in HOWTO

ClamAV: mpool_malloc and disk space

ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats. The most common use we see is to check emails for bad content.

Some of our users have recently been seeing errors from "freshclam" processes that look like the below entry. These will occur quickly and will often cause log files to grow very fast, to the point your server may have run out of disk space.

Tue Nov  1 00:17:18 2016 -> WARNING: [LibClamAV] mpool_malloc(): Attempt to allocate 8388608 bytes. Please report to http://bugs.clamav.net


Posted in Security

Using Fail2ban on wordpress wp-login.php and xmlrpc.php

A fair few customers of ours use WordPress and occasionally notice that there are people hammering on a few URLs.

This can cause high load, slow websites and a number of other issues, especially when you have more than a single IP hammering away at them.

The solution is simple, and it involves using fail2ban. Here are some simple fail2ban recipes that will stop most of that in its tracks.

Create a file /etc/fail2ban/filter.d/wordpress.conf with the following contents

[Definition]
failregex = ^<HOST> .* "POST .*wp-login.php
            ^<HOST> .* "POST .*xmlrpc.php
ignoreregex =

You can add as many regexes in there as you want on new lines, but these will cover that for now. It pays to check the Apache logs to make sure this regex is going to work on your server, and the fail2ban logs after applying it to make sure it's banning them.

Create the file /etc/fail2ban/jail.d/wordpress.conf and add the following rules to it

[wordpress]
enabled = true
port = http,https
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/httpd/access_log
          /var/log/apache2/access*log
          /var/log/virtualmin/*log
maxretry = 10
findtime = 600

The log paths I have used in here cover a few places; you will likely need to remove the ones you don't need or have. The first log path is for Red Hat/CentOS-based systems, the next is for Debian, and the third is for those with Virtualmin.
Other potential log paths may be something like the following, e.g.
Plesk: /var/www/vhost//statistics/logs/log or /var/www/vhost//system/logs/log
CPanel: /home//log/log
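
To see how the filter and the jail's maxretry and findtime interact before relying on them, here is an added example (not from the original post) that applies the same two POST patterns to a constructed access log and prints the hosts that would reach the ban threshold. The function names, sample IPs and log lines are made up for illustration, and the time handling assumes all lines fall on the same day.

```shell
#!/bin/sh
# Constructed access-log sample (combined log format, all on one day).
sample_log() {
  awk 'BEGIN {
    # 12 login POSTs from one host, 30 seconds apart
    for (i = 0; i < 12; i++) {
      printf "203.0.113.5 - - [01/Nov/2016:19:%02d:%02d +1300] \"POST /wp-login.php HTTP/1.1\" 200 1500\n", int(i * 30 / 60), (i * 30) % 60
    }
    # 3 xmlrpc POSTs from another host: below maxretry
    for (i = 0; i < 3; i++) {
      printf "198.51.100.7 - - [01/Nov/2016:19:10:%02d +1300] \"POST /xmlrpc.php HTTP/1.1\" 200 400\n", i
    }
    # A GET of the login page is not matched by the failregex
    print "192.0.2.9 - - [01/Nov/2016:19:11:00 +1300] \"GET /wp-login.php HTTP/1.1\" 200 1500"
  }'
}

# would_ban MAXRETRY FINDTIME (hypothetical helper): read an access log on
# stdin and print each host that reaches MAXRETRY matching requests within
# FINDTIME seconds. Expects each host's lines in chronological order.
would_ban() {
  awk -v maxretry="$1" -v findtime="$2" '
    # Same two patterns as the failregex; field 1 is where <HOST> matches.
    /^[^ ]+ .* "POST .*(wp-login\.php|xmlrpc\.php)/ {
      # Seconds since midnight from "[dd/Mon/yyyy:HH:MM:SS" (single day only).
      split($4, ts, ":")
      now = ts[2] * 3600 + ts[3] * 60 + ts[4]
      n = ++hits[$1]
      seen[$1, n] = now
      # Threshold reached when the last MAXRETRY hits span at most FINDTIME.
      if (n >= maxretry && now - seen[$1, n - maxretry + 1] <= findtime && !banned[$1]++)
        print $1
    }'
}

# Demonstration with the jail values above (maxretry = 10, findtime = 600).
sample_log | would_ban 10 600
```

On the server itself, fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress.conf reports how many lines of a real log the filter matches.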

Make sure you keep an eye on the fail2ban log, and make sure that the ban is happening. It should look like this

2016-11-01 18:40:50,672 fail2ban.actions[958]: WARNING [wordpress] Unban
2016-11-01 19:47:53,081 fail2ban.actions[958]: WARNING [wordpress] Ban
2016-11-01 19:54:56,550 fail2ban.actions[958]: WARNING [wordpress] Ban
2016-11-01 19:57:53,747 fail2ban.actions[958]: WARNING [wordpress] Unban
2016-11-01 20:04:57,198 fail2ban.actions[958]: WARNING [wordpress] Unban
2016-11-01 20:33:35,094 fail2ban.actions[958]: WARNING [wordpress] Ban
2016-11-01 20:43:35,755 fail2ban.actions[958]: WARNING [wordpress] Unban
Posted in Rimuhosting, Security

Using Ansible to manage your VPSs – Part Two

In this post I'm going to introduce playbooks, and show you how to customise the /etc/resolv.conf file on each server.  I assume you have followed Part One of this series and have created a hosts file and files in ~/myansible/host_vars/.

Tasks, playbooks, groups and roles

A note on terminology. A task is something done on a server, like a file created or updated, or a user, cron job or OS package added or removed. A task could be done from the command line using the ansible binary, but usually multiple tasks get grouped together in a YAML file called a playbook. A playbook might install and configure one specific piece of software, for example. The image above shows a set of 6 playbooks, each of which will have multiple tasks within it (the tasks are not shown).

Posted in Rimuhosting

Using Ansible to manage your VPSs – Part One

Ansible is a system to automate the updating of server configurations and other administration tasks. In this post I'll explain what's necessary to get started with Ansible: creating a configuration structure, telling Ansible about your hosts and running ad-hoc commands on multiple hosts.

Ansible is useful when you have 3 or more VPSs and need to keep changes synchronised or updates applied in a consistent manner.  It takes a little more work to do something through a configuration management system, but the reward is that you can apply your configuration change to 3, (or 3000) servers with little extra effort once that is done.

Posted in Clustering, HOWTO, Rimuhosting

New options for reduced VM pricing!

Not every server needs priority CPU, backups, and 24x7 fully managed support.  We have added a few options on our http://launchtimevps.com ordering interface to let you tweak these settings to enable you to get a lower price for your server if that is appropriate.

  • Option to enable/disable backups.  Less disk space usage costs less.
  • Select the number of CPU cores (1-4).
  • Select the CPU priority (over other VMs on the host).  Get a bit more CPU time when the host is busy (when the host is relatively idle, which is typical, nothing changes).
  • Sysadmin support level required.  Cheaper for self-managed, a bit more if you want us to be fully managing your server.
  • Support level priority.  Options for customers needing to get sysadmin assistance 24x7 in emergencies, through to options for non-urgent support requests.

Posted in Rimuhosting