itemprop="text"> I am having a strange problem, my system is exposed to heartbleed, and I am trying to fix it by using: apt-get clean , apt-get update and apt-get upgrade openssl but the response is: Reading package lists... Done Building dependency tree Reading state information... Done Calculating upgrade... Done openssl is already the newest version. The following packages have been kept back: libncurses5 libncursesw5 libssl-dev 0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded. my openssl version is: openssl version -a OpenSSL 1.0.1f-dev xx XXX xxxx built on: Mon Dec 23 14:23:57 UTC 2013 platform: debian-amd64 options: bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx) compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHA...

I am having a strange problem, my system is exposed to heartbleed, and I am trying to fix it by using: apt-get clean , apt-get update and apt-get upgrade openssl but the response is: Reading package lists... Done Building dependency tree Reading state information... Done Calculating upgrade... Done openssl is already the newest version. The following packages have been kept back: libncurses5 libncursesw5 libssl-dev 0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded. my openssl version is: openssl version -a OpenSSL 1.0.1f-dev xx XXX xxxx built on: Mon Dec 23 14:23:57 UTC 2013 platform: debian-amd64 options: bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx) compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_A...

I'm not quite sure how to phrase this question (hence the poor title), so let me provide an example of what I'm trying to do. On my (old) Xen host, I'm able to present LVM filesystems directly to each guest. These filesystems are actually created and formatted on the host, and passed directly through. Eg., for one of my hosts using a separate tmp and swap partitions, I define the storage like this: disk = [ />'phy:/dev/vg1/guest1-swap,sda1,w', />'phy:/dev/vg1/guest1-disk,sda2,w', />'phy:/dev/vg1/guest1-tmp,sda3,w', />] So, guest1-swap is formatted as a swap partition, guest1-disk and guest1-tmp are formatted with ext4, and from the guest's perspective it simply sees them as three formatted partitions under /dev/sda. (This may sound like a lot of work, but there are prov...

I'm not quite sure how to phrase this question (hence the poor title), so let me provide an example of what I'm trying to do. On my (old) Xen host, I'm able to present LVM filesystems directly to each guest. These filesystems are actually created and formatted on the host, and passed directly through. Eg., for one of my hosts using a separate tmp and swap partitions, I define the storage like this: disk = [ 'phy:/dev/vg1/guest1-swap,sda1,w', 'phy:/dev/vg1/guest1-disk,sda2,w', 'phy:/dev/vg1/guest1-tmp,sda3,w', ] So, guest1-swap is formatted as a swap partition, guest1-disk and guest1-tmp are formatted with ext4, and from the guest's perspective it simply sees them as three formatted partitions under /dev/sda. (This may sound like a lot of work, but there are provisioning scripts, such as the awesome xen-tools , that automated pretty much everything). This provides some really useful capabilities, two of which I'm especially interested in fig...

itemprop="text"> I had originally setup my Nginx configuration to automatically redirect HTTP to HTTPS. Due to my work security policy and Cloudflare integration, HTTPS will not resolve inside my network. I'd simply like to remove the forced redirect to HTTPS. But after commenting out the block with the URI rewrite, the server still redirects automatically. Here's my default config for Nginx #HTTPS redirect (if necessary) #server { # listen 80; # server_name example.com; # rewrite ^ https://$server_name$request_uri? permanent; #} server { listen 80; listen [::]:80 default_server ipv6only=on; listen 443 ssl spdy; root /var/www/example/current/public; index index.php index.html index.htm; spdy_chunk_size 8k; spdy_headers_comp 7; server_name example.com; # Point to ssl certificates s...

I had originally setup my Nginx configuration to automatically redirect HTTP to HTTPS. Due to my work security policy and Cloudflare integration, HTTPS will not resolve inside my network. I'd simply like to remove the forced redirect to HTTPS. But after commenting out the block with the URI rewrite, the server still redirects automatically. Here's my default config for Nginx #HTTPS redirect (if necessary) #server { # listen 80; # server_name example.com; # rewrite ^ https://$server_name$request_uri? permanent; #} server { listen 80; listen [::]:80 default_server ipv6only=on; listen 443 ssl spdy; root /var/www/example/current/public; index index.php index.html index.htm; spdy_chunk_size 8k; spdy_headers_comp 7; server_name example.com; # Point to ssl certificates ssl_certificate /root/example.com.crt; ssl_certificate_key /root/example.com.key; # Allow only...

I am trying to understand how giving 777 permission to folders or files works. I did some research and understand that 777 permission is not the best when it comes for security. Referring to Web application directories/files. I do understand first sets of number which are the owners and groups, However I would like to clarify giving 7 permission to others. Who are the others, users within the server? Or anyone (even public users who access the website through the browsers)? And how others and what type of threat can others cause if the website folder/file had 777 permission? And is there certain circumstances where it's ok to give 777 permission to folders/files, such as example of images, anything more out there?

I am trying to understand how giving 777 permission to folders or files works. I did some research and understand that 777 permission is not the best when it comes for security. Referring to Web application directories/files. I do understand first sets of number which are the owners and groups, However I would like to clarify giving 7 permission to others. Who are the others, users within the server? Or anyone (even public users who access the website through the browsers)? And how others and what type of threat can others cause if the website folder/file had 777 permission? And is there certain circumstances where it's ok to give 777 permission to folders/files, such as example of images, anything more out there?

I entered 'service mysqld stop' via SSH and noticed my site was still running. Better yet, it was running faster than ever. "Shutting down MySQL....... SUCCESS!" Anyone know why this is possible?

I entered 'service mysqld stop' via SSH and noticed my site was still running. Better yet, it was running faster than ever. "Shutting down MySQL....... SUCCESS!" Anyone know why this is possible?

itemprop="text"> I've installed Monit on Ubuntu server 12.04 but Im having issues getting mysql monitoring to work at all. Here is what I have done so far. #/etc/default/monit startup=1 #/etc/mysql/my.cnf pid-file = /var/run/mysqld/mysqld.pid #/etc/monit/monitrc set daemon 60 check process mysql with pidfile /var/run/mysqld/mysqld.pid group mysql start program = "/etc/init.d/mysql start" with timeout 30 seconds stop program = "/etc/init.d/mysql stop" if failed host 127.0.0.1 port 3306 then restart if 5 restarts within 5 cycles then timeout The mysqld.pid file is being created as expected but monit cannot access it. Here are the permissions for mysqld.pid -rw-rw---- 1 mysql mysql 6 2014-06-02 11:36 mysqld.pid Here is the status for monit #monit statu...

I've installed Monit on Ubuntu server 12.04 but Im having issues getting mysql monitoring to work at all. Here is what I have done so far. #/etc/default/monit startup=1 #/etc/mysql/my.cnf pid-file = /var/run/mysqld/mysqld.pid #/etc/monit/monitrc set daemon 60 check process mysql with pidfile /var/run/mysqld/mysqld.pid group mysql start program = "/etc/init.d/mysql start" with timeout 30 seconds stop program = "/etc/init.d/mysql stop" if failed host 127.0.0.1 port 3306 then restart if 5 restarts within 5 cycles then timeout The mysqld.pid file is being created as expected but monit cannot access it. Here are the permissions for mysqld.pid -rw-rw---- 1 mysql mysql 6 2014-06-02 11:36 mysqld.pid Here is the status for monit #monit status Process 'mysql' status not monitored monitoring status not monitored data collected Mon Jun 2 23:49:37 2014 And here are the errors Im seeing in the moni...

itemprop="text"> I have a log file: href="http://pastebin.com/raw.php?i=cdUpTqNV" rel="nofollow noreferrer">http://pastebin.com/raw.php?i=cdUpTqNV the first column, before the "ASDF" is the same time, as in the given row, but in unix time [i think it's easier to do this with unix time]. I just need the lines what was in the last 2 minutes: Ending: 07:55:08 - the last time in the logfile Starting: 07:53:09 - at most 2 minutes before the last log line in the logfile The output of the pastebined text would be: /> 1295938389ASDF 01 25 07:53:09 router authpriv.notice dropbear[20673]: password auth succeeded for 'root' from 192.168.1.201:43822 /> 1295938401ASDF 01 25 07:53:21 router daemon.info dnsmasq-dhcp[1140]: DHCPREQUEST(br-lan) 192.168.1.201 01:2c:23:c3:32:f3 /> 1295...

I have a log file: http://pastebin.com/raw.php?i=cdUpTqNV the first column, before the "ASDF" is the same time, as in the given row, but in unix time [i think it's easier to do this with unix time]. I just need the lines what was in the last 2 minutes: Ending: 07:55:08 - the last time in the logfile Starting: 07:53:09 - at most 2 minutes before the last log line in the logfile The output of the pastebined text would be: 1295938389ASDF 01 25 07:53:09 router authpriv.notice dropbear[20673]: password auth succeeded for 'root' from 192.168.1.201:43822 1295938401ASDF 01 25 07:53:21 router daemon.info dnsmasq-dhcp[1140]: DHCPREQUEST(br-lan) 192.168.1.201 01:2c:23:c3:32:f3 1295938401ASDF 01 25 07:53:21 router daemon.info dnsmasq-dhcp[1140]: DHCPACK(br-lan) 192.168.1.201 01:2c:23:c3:32:f3 1295938508ASDF 01 25 07:55:08 router daemon.info dnsmasq-dhcp[1140]: DHCPREQUEST(br-lan) 192.168.1.201 01:2c:23:c3:32:f3 1295938508ASDF 01 25 07:55:08 router daemon.info dnsmasq-dhcp[114...

Is there any way on linux to alias a group of hostnames (group specified by wildcards/regex) starting i.e c-* to fully qualified domain names i.e c-hostname -> c-hostname.domain.com Thank you, J.

Is there any way on linux to alias a group of hostnames (group specified by wildcards/regex) starting i.e c-* to fully qualified domain names i.e c-hostname -> c-hostname.domain.com Thank you, J.

itemprop="text"> The other day, we notice a terrible burning smell coming out of the server room. Long story short, it ended up being one of the battery modules that was burning up in the UPS unit, but it took a good couple of hours before we were able to figure it out. The main reason we were able to figure it out is that the UPS display finally showed that the module needed to be replaced. Here was the problem: the whole room was filled with the smell. Doing a sniff test was very difficult because the smell had infiltrated everything (not to mention it made us light headed). We almost mistakenly took our production database server down because it's where the smell was the strongest. The vitals appeared to be ok (CPU temps showed 60 degrees C, and fan speeds ok), but we weren't sure. It just so happened that the battery module that bu...

The other day, we notice a terrible burning smell coming out of the server room. Long story short, it ended up being one of the battery modules that was burning up in the UPS unit, but it took a good couple of hours before we were able to figure it out. The main reason we were able to figure it out is that the UPS display finally showed that the module needed to be replaced. Here was the problem: the whole room was filled with the smell. Doing a sniff test was very difficult because the smell had infiltrated everything (not to mention it made us light headed). We almost mistakenly took our production database server down because it's where the smell was the strongest. The vitals appeared to be ok (CPU temps showed 60 degrees C, and fan speeds ok), but we weren't sure. It just so happened that the battery module that burnt up was about the same height as the server on the rack and only 3 ft away. Had this been a real emergency, we would have failed miserably. Realistically, the ...

New Mac OS X Server setup, when i send mail to gmail it goes straight to Spam. Why is that? My setup: DNS - done (A records PTR are ok) Mail Setup - done Webmail - done Also there seems to be a naming problem. They all come from me@server.domain.com instead of me@domain.com. I must be missing an alias somewhere. I've read an entire book on setting this up so don't throw stones :) The GUI is masking a lot of this up for me, so explanations via GUI are appreciated. /> The headers look like this: Delivered-To: MYACCOUNT@gmail.com Received: by 10.142.252.19 with SMTP id z19cs476033wfh; Mon, 3 Jan 2011 01:37:09 -0800 (PST) Received: by 10.204.64.208 with SMTP id f16mr8853543bki.61.1294047428115; Mon, 03 Jan 2011 01:37:08 -0800 (PST) Return-Pat...

New Mac OS X Server setup, when i send mail to gmail it goes straight to Spam. Why is that? My setup: DNS - done (A records PTR are ok) Mail Setup - done Webmail - done Also there seems to be a naming problem. They all come from me@server.domain.com instead of me@domain.com. I must be missing an alias somewhere. I've read an entire book on setting this up so don't throw stones :) The GUI is masking a lot of this up for me, so explanations via GUI are appreciated. The headers look like this: Delivered-To: MYACCOUNT@gmail.com Received: by 10.142.252.19 with SMTP id z19cs476033wfh; Mon, 3 Jan 2011 01:37:09 -0800 (PST) Received: by 10.204.64.208 with SMTP id f16mr8853543bki.61.1294047428115; Mon, 03 Jan 2011 01:37:08 -0800 (PST) Return-Path: Received: from server.DOMAIN.com ([94.x.x.x]) by mx.google.com with ESMTP id c20si50831332bkc.48.2011.01.03.01.37.07; Mon, 03 Jan 2011 01:37:07 -0800 (PST) Received-SPF: neutral (google.com: 94.x.x.x is neither permitted nor den...

We have a 24 disk SAN, currently configured in RAID 50, with a RAID 0 stripe across two RAID 5 arrays with 11 disks in each RAID 5. The two remaining disks are allocated as hot spares, one for each RAID 5. src="https://i.stack.imgur.com/dG55N.png" alt="Initial RAID 5 setup with two RAID 5 arrays"> I'd like to move this setup to use RAID 50 with three RAID 5 arrays inside the RAID 0 stripe. This increases the amount of disks that can fail before the array is lost, as well as decreases the chance that two disks fail in the same RAID 5 array. It may also have performance benefits. src="https://i.stack.imgur.com/zihyq.png" alt="Desired RAID 50 setup with three RAID 5 arrays"> What disadvantages does moving to a greater number of RAID 5 arrays in a RAID 50 setup have? Obviously, you are sacrificing ...

We have a 24 disk SAN, currently configured in RAID 50, with a RAID 0 stripe across two RAID 5 arrays with 11 disks in each RAID 5. The two remaining disks are allocated as hot spares, one for each RAID 5. I'd like to move this setup to use RAID 50 with three RAID 5 arrays inside the RAID 0 stripe. This increases the amount of disks that can fail before the array is lost, as well as decreases the chance that two disks fail in the same RAID 5 array. It may also have performance benefits. What disadvantages does moving to a greater number of RAID 5 arrays in a RAID 50 setup have? Obviously, you are sacrificing usable capacity for increased resiliency, but are there any other disadvantages going from a RAID 50 with two larger RAID 5 arrays to a RAID 50 with three (or more) smaller RAID 5 arrays?

itemprop="text"> We run a shared hosting webserver with the usual LAMP stack. It is up and running since many years ago (uhm, Apache-1.3 and PHP-3 days?) and went through many iterations. We strive to have good sysadmin policies, like keeping all the stack up-to-date, checking for weak passwords, minimizing the attack surface, using suhosin, keeping an eye on systems logs, and so on. Of course every virtual host is confined to its directory (both for FTP access and as php open_basedir). But at the end of the day it's always a webserver running untrusted PHP crap uploaded by customers (read: unknown and mostly-stupid users without any IT experience) with HTTP exposed to the world (web forms and whatnot)... these scenarios are not too uncommon: user gives its password to too many people and its site gets compromised u...

We run a shared hosting webserver with the usual LAMP stack. It is up and running since many years ago (uhm, Apache-1.3 and PHP-3 days?) and went through many iterations. We strive to have good sysadmin policies, like keeping all the stack up-to-date, checking for weak passwords, minimizing the attack surface, using suhosin, keeping an eye on systems logs, and so on. Of course every virtual host is confined to its directory (both for FTP access and as php open_basedir). But at the end of the day it's always a webserver running untrusted PHP crap uploaded by customers (read: unknown and mostly-stupid users without any IT experience) with HTTP exposed to the world (web forms and whatnot)... these scenarios are not too uncommon: user gives its password to too many people and its site gets compromised user's PC gets compromised and the FTP / web app / whatever password stolen from there user installs crappy PHP stuff and it gets compromised user installs good PHP stuff (does it eve...

I'm getting stuck with user permissions on a LAMP stack (using Digital Ocean if it matters). Here's my setup. User dev has the following groups: dev www-data The /var/www folder has been set so that the owner is www-data:www-data , it looks like this: drwxrwxr-x 3 www-data www-data 4096 Mar 30 17:41 www If I use the dev user to sftp in, everything looks good, but if I then upload a file, the new file has the ownership of dev:dev . This becomes a problem when I have a new user called dev2 that is also working in the same directory as they can't delete or overwrite the files that belong to dev . My experience with users is unfortunately limited to using cPanel, where I can create multiple FTP users that don't have this access/overlap issue. How can I do this via term...

I'm getting stuck with user permissions on a LAMP stack (using Digital Ocean if it matters). Here's my setup. User dev has the following groups: dev www-data The /var/www folder has been set so that the owner is www-data:www-data , it looks like this: drwxrwxr-x 3 www-data www-data 4096 Mar 30 17:41 www If I use the dev user to sftp in, everything looks good, but if I then upload a file, the new file has the ownership of dev:dev . This becomes a problem when I have a new user called dev2 that is also working in the same directory as they can't delete or overwrite the files that belong to dev . My experience with users is unfortunately limited to using cPanel, where I can create multiple FTP users that don't have this access/overlap issue. How can I do this via terminal?

itemprop="text"> I am new to this whole topic and I try for days now to figure out how to assign multiple public ip-addresses to KVM-guests through a KVM host. I found tons of examples howto get such a setup with 1 public IP running. Here is my setup: The Server has only one NIC/MAC and runs 2 KVM-Guests with apache(and other stuff). Both guest-environments are ubuntu server 11.10 and must run in separate VMs. The 5 public ip-addresses are used to handle SSL-certificates and other stuff. The first VM should use 3 of the 5 addresses/certificates. The second VM gets the rest. The apache-stuff is configured correctly. I have tried a number of differend ways via iptables to route the traffic from the hosts NIC to the guest-NICs. In spite of the fact that one way was the right one but only wrong implemented, I leave the details untold t...

I am new to this whole topic and I try for days now to figure out how to assign multiple public ip-addresses to KVM-guests through a KVM host. I found tons of examples howto get such a setup with 1 public IP running. Here is my setup: The Server has only one NIC/MAC and runs 2 KVM-Guests with apache(and other stuff). Both guest-environments are ubuntu server 11.10 and must run in separate VMs. The 5 public ip-addresses are used to handle SSL-certificates and other stuff. The first VM should use 3 of the 5 addresses/certificates. The second VM gets the rest. The apache-stuff is configured correctly. I have tried a number of differend ways via iptables to route the traffic from the hosts NIC to the guest-NICs. In spite of the fact that one way was the right one but only wrong implemented, I leave the details untold to leave you unprepossessed. The question is: Whats the ideal way it should be done? The following conditions should be met: Apache must get the original ip-address of the vis...

itemprop="text"> A Debian Server having eth0 , eth1 . eth2 , ppp0 devices: 2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether xx:yy:zz:yy:xx:yy brd ff:ff:ff:ff:ff:ff 3: eth1: mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether xx:yy:zz:yy:xx:yy brd ff:ff:ff:ff:ff:ff 4: eth2: mtu 1500 qdisc pfifo_fast state DOWN qlen 1000 link/ether xx:yy:zz:yy:xx:yy brd ff:ff:ff:ff:ff:ff 63: ppp0: mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3 link/ppp forwarding is enabled everywhere: /proc/sys/net/ipv6/conf ~ all/forwarding=1 default/forwarding=1 eth0/forwarding=1 eth1/forwarding=1 eth2/forwarding=1 ppp0/forwarding=1 and autoconf is activated too: /proc/sys/net/ipv6/conf ~ all/autoconf=1 default/autoconf=1 eth0...

A Debian Server having eth0 , eth1 . eth2 , ppp0 devices: 2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether xx:yy:zz:yy:xx:yy brd ff:ff:ff:ff:ff:ff 3: eth1: mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether xx:yy:zz:yy:xx:yy brd ff:ff:ff:ff:ff:ff 4: eth2: mtu 1500 qdisc pfifo_fast state DOWN qlen 1000 link/ether xx:yy:zz:yy:xx:yy brd ff:ff:ff:ff:ff:ff 63: ppp0: mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3 link/ppp forwarding is enabled everywhere: /proc/sys/net/ipv6/conf ~ all/forwarding=1 default/forwarding=1 eth0/forwarding=1 eth1/forwarding=1 eth2/forwarding=1 ppp0/forwarding=1 and autoconf is activated too: /proc/sys/net/ipv6/conf ~ all/autoconf=1 default/autoconf=1 eth0/autoconf=0 eth1/autoconf=1 eth2/autoconf=1 ppp0/autoconf=1 further RA (=Router Advertisement) is accepted on any device but setting accept_ra=2 for at leat ppp0 and eth1 : /proc/sys/net/ipv6/conf ~ all/accept_ra=1 ...