Let's Encrypt with Virtualmin

Virtualmin now supports Let's Encrypt, which means you can easily get multiple SSL certificates for free if needed.

Here is how you can set that up.
Step 1: Log in to Virtualmin and select the domain from the drop-down in the top left.

Step 2: Click 'Edit Virtual Server'. Under 'Enabled Features' you will see 'SSL Website Enabled'. Check the checkbox and save.

Step 3: Expand the left menu and, under Server Configuration, click on Manage SSL certificate. At the top far right there should be a tab named 'Let's Encrypt', which you can click on.

Step 4: Change the 'Months between automatic renewal' from Manual to every 12 months or similar and save.

Step 5: Test the domain works with https and you are done.

 

Notes: You will need Apache 2.4 to allow multiple SSL certificates on a single IP.


ClamAV: mpool_malloc and disk space

ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats. The most common use we see is to check emails for bad content.

Some of our users have recently been seeing errors from "freshclam" processes that look like the entry below. These occur in quick succession and often cause log files to grow very fast, to the point where your server may run out of disk space.

Tue Nov  1 00:17:18 2016 -> WARNING: [LibClamAV] mpool_malloc(): Attempt to allocate 8388608 bytes. Please report to http://bugs.clamav.net


Using Fail2ban on wordpress wp-login.php and xmlrpc.php

A fair few customers of ours use WordPress and occasionally notice that there are people hammering on a few URLs.

This can cause high load, slow websites and a number of other issues, especially when you have more than a single IP hammering away at them.

The solution is simple, and it involves using fail2ban. Here are some simple fail2ban recipes that will stop most of that in its tracks.

Create a file /etc/fail2ban/filter.d/wordpress.conf with the following contents:

[Definition]
failregex = ^<HOST> .* "POST .*wp-login.php
            ^<HOST> .* "POST .*xmlrpc.php
ignoreregex =

You can add as many regexes in there as you want on new lines, but these will cover that for now. It pays to check the Apache logs to make sure this regex is going to work on your server, and the fail2ban logs after applying it to make sure it's banning them.

Create the file /etc/fail2ban/jail.d/wordpress.conf and add the following rules to it:

[wordpress]
enabled = true
port = http,https
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/httpd/access_log
          /var/log/apache2/access*log
          /var/log/virtualmin/*log
maxretry = 3
findtime = 120

The log paths I have used here cover a few places; you will likely need to remove the ones you don't need or have. The first log path is for Red Hat/CentOS-based systems, the next is for Debian, and the third is for those with Virtualmin.
Other potential log paths may be something like the following, e.g.:
Plesk: /var/www/vhost/*/statistics/logs/*log or /var/www/vhost/*/system/logs/*log
cPanel: /home/*/log/*log

Keep an eye on the fail2ban log and make sure that the bans are happening. It should look like this:

2016-11-01 18:40:50,672 fail2ban.actions[958]: WARNING [wordpress] Unban
2016-11-01 19:47:53,081 fail2ban.actions[958]: WARNING [wordpress] Ban
2016-11-01 19:54:56,550 fail2ban.actions[958]: WARNING [wordpress] Ban
2016-11-01 19:57:53,747 fail2ban.actions[958]: WARNING [wordpress] Unban
2016-11-01 20:04:57,198 fail2ban.actions[958]: WARNING [wordpress] Unban
2016-11-01 20:33:35,094 fail2ban.actions[958]: WARNING [wordpress] Ban
2016-11-01 20:43:35,755 fail2ban.actions[958]: WARNING [wordpress] Unban
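
To see in advance which requests the filter and jail above would count, this added example (not part of the original post, and not fail2ban's own code) replays the two failregex lines with maxretry = 3 and findtime = 120 over constructed log lines. It shows that the filter counts every POST, including a successful login and POSTs whose Referer contains wp-login.php. The IPv4-only `<HOST>` stand-in, the `STRICT_FILTER` variant, the `simulate` helper and the sample log are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag (the real tag
# also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PAGE_FILTER = ['^<HOST> .* "POST .*wp-login.php', '^<HOST> .* "POST .*xmlrpc.php']
# Hypothetical tighter variant: \S* cannot cross a space, so the script name
# has to be in the request path rather than anywhere later on the line.
STRICT_FILTER = [r'^<HOST> .* "POST \S*/(?:wp-login|xmlrpc)\.php[ ?]']
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) ")

# Constructed access-log lines (Apache combined format, documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2016:19:47:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "curl/7.47"
203.0.113.7 - - [01/Nov/2016:19:47:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.47"
198.51.100.9 - - [01/Nov/2016:19:47:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2891 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2016:19:47:53 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "curl/7.47"
192.0.2.44 - - [01/Nov/2016:19:50:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Nov/2016:19:50:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "http://example.com/wp-login.php?redirect_to=x" "Mozilla/5.0"
192.0.2.44 - - [01/Nov/2016:19:50:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "http://example.com/wp-login.php?redirect_to=x" "Mozilla/5.0"
198.51.100.9 - - [01/Nov/2016:19:51:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Nov/2016:19:52:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Nov/2016:19:53:30 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
""".splitlines()

def simulate(lines, failregex, maxretry=3, findtime=120):
    """Return {ip: "HH:MM:SS" of the hit that triggers the ban}."""
    patterns = [re.compile(r.replace("<HOST>", HOST)) for r in failregex]
    recent = defaultdict(deque)  # ip -> hit times still inside findtime
    bans = {}
    for line in lines:
        hit = next((m for m in (p.search(line) for p in patterns) if m), None)
        stamp = TIMESTAMP.search(line)
        if not hit or not stamp or hit["host"] in bans:
            continue
        now = datetime.strptime(stamp.group(1), "%d/%b/%Y:%H:%M:%S")
        window = recent[hit["host"]]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:  # third hit inside the window -> ban
            bans[hit["host"]] = now.strftime("%H:%M:%S")
    return bans

if __name__ == "__main__":
    print("page filter  :", simulate(SAMPLE_LOG, PAGE_FILTER))
    print("strict filter:", simulate(SAMPLE_LOG, STRICT_FILTER))
```

On a live server, running `fail2ban-regex` against the real access log and the filter file gives the authoritative match count, since fail2ban's own date handling and `<HOST>` expansion differ from this simplification.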

Using Ansible to manage your VPSs – Part Two

In this post I'm going to introduce playbooks, and show you how to customise the /etc/resolv.conf file on each server.  I assume you have followed Part One of this series and have created a hosts file and files in ~/myansible/host_vars/.

Tasks, playbooks, groups and roles

A note on terminology. A task is something done on a server, such as creating or updating a file, or adding or removing a user, cron job or OS package. A task could be done from the command line using the ansible binary, but usually multiple tasks get grouped together in a YAML file called a playbook. A playbook might install and configure one specific piece of software, for example. The image above shows a set of 6 playbooks, each of which will have multiple tasks within it (the tasks are not shown).

Using Ansible to manage your VPSs – Part One

Ansible is a system to automate the updating of server configurations and other administration tasks. In this post I'll explain what's necessary to get started with Ansible: creating a configuration structure, telling Ansible about your hosts and running ad-hoc commands on multiple hosts.

Ansible is useful when you have 3 or more VPSs and need to keep changes synchronised or updates applied in a consistent manner. It takes a little more work to do something through a configuration management system, but the reward is that you can apply your configuration change to 3 (or 3000) servers with little extra effort once that is done.

New options for reduced VM pricing!

Not every server needs priority CPU, backups, and 24x7 fully managed support.  We have added a few options on our http://launchtimevps.com ordering interface to let you tweak these settings to enable you to get a lower price for your server if that is appropriate.

  • Option to enable/disable backups.  Less disk space usage costs less.
  • Select the number of CPU cores (1-4).
  • Select the CPU priority (over other VMs on the host).  Get a bit more CPU time when the host is busy (when the host is relatively idle, which is typical, nothing changes).
  • Sysadmin support level required.  Cheaper for self-managed, a bit more if you want us to fully manage your server.
  • Support level priority.  Options for customers needing to get sysadmin assistance 24x7 in emergencies, through to options for non-urgent support requests.


LXD containers now available for Ubuntu

The latest Ubuntu LTS release, Xenial 16.04, comes with support for a container system called LXD. LXD builds on the existing LXC container system, allowing for more convenient management of those containers.

In this post I show how you can test out LXD containers on a Rimu VPS running Ubuntu 16.04. I assume you already have an Ubuntu 16.04 VPS set up; if not you can grab one at RimuHosting or launchtimevps.com.

Containers allow further separation between websites running on your VPS, which can be useful for removing dependency problems, for creating test environments for upgrading or developing new sites and perhaps for improving the security of your websites.

How to get an A pass SSL rating for your SSL website

Everyone wants security, and it's ideal that your SSL certificates are also secure. With this in mind, websites like SSLLabs have a testing tool that is used to grade the SSL certificate installed on your server.

Often people get a low ranking when it's fairly easy to get an A. I could make this post long-winded and complex, but ultimately it comes down to adding the following items to your SSL configuration.

    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLHonorCipherOrder on
    SSLProtocol All -SSLv2 -SSLv3


Monitor sites for exploits

We dislike dealing with exploited websites. A common cause is "the long forgotten outdated install from a web developer who left years ago. hoping works forever". Public facing services need to be kept updated in order to remain secure, so script-kiddies can't use your server for abuse, like selling dodgy medicinal products.

One would always try to enforce strong permissions and server settings to prevent these from happening, or even use something like AppArmor (which is the way to do it), but there are also other ways to strengthen things a bit more. With the inotify feature in newer kernels, it is possible to monitor a file system location for changes and check those quickly with a scanner. We have made a script to help automate rapid notifications when possible issues are detected. This will work with a CMS or Tomcat install. We also provide instructions on Maldetect ahead.


Install ownCloud on a Rimu VPS

ownCloud is a popular file storage and synchronization system, with many additional features available for it. It's a self-hosted alternative to systems like Dropbox, but with ownCloud your files are stored on your own servers. This allows you to meet requirements to keep data in a certain jurisdiction, for example, or it might give you peace of mind to know where your data is stored and who has access to it.

Running owncloud means you can keep documents organized in the owncloud repository and have access to them from anywhere, including desktop computers, laptops, mobile devices, and even through the web on public computers.  Changes made to those documents will be synchronized so the changes will show up on the other devices automatically.

You can use it as a personal server with a single account or it can be used as an organization's file store with multiple accounts.  Users can be assigned to groups, and different groups can have access to different sets of files.  You can also share files with someone outside your organization who doesn't have an account on owncloud by sending them a special link they can use to access the file.

There are also a number of plugins that can be loaded to enable other functionality; for example you can synchronize calendars and addressbooks between your devices using owncloud.

In this document, I'll explain how to get a recent version of Owncloud running on a new RimuHosting Debian VPS.