Category: VPS

  • Increasing the number of inotify watchers on Debian

    cat /proc/sys/fs/inotify/max_user_watches

    sudo sh -c "echo fs.inotify.max_user_watches=524288 >> /etc/sysctl.conf"

    sudo sysctl -p

    cat /proc/sys/fs/inotify/max_user_watches

    Raise the limit when file watchers (IDEs, build tools, sync clients) fail with ENOSPC from inotify_add_watch; the default on older kernels is 8192. The echo appends a new line every time it is run, so check /etc/sysctl.conf for an existing fs.inotify.max_user_watches entry first.

  • Tailscale VPN: bypass a firewall through an exit node

    Sometimes we need to get around a firewall.

    Suppose there are two Linux boxes, a local box and a remote box. The local box cannot reach some URLs because of firewall restrictions, while the remote box has no such limitation.

    We set up a Tailscale VPN between the two nodes, as described in https://tailscale.com/kb/1017/install

    Now we configure the remote box as an exit node, so that the local box sends its Internet traffic through it. Keep in mind that the exit node sees and forwards all of the local box's non-tailnet traffic, so only use a machine you control.

    Remote Linux: enable IP forwarding and advertise the exit node:

    sudo sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/" /etc/sysctl.conf

    sudo sed -i "s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=1/" /etc/sysctl.conf

    sudo sysctl -p /etc/sysctl.conf
    sudo tailscale up --advertise-exit-node

    The sed commands rely on the commented-out template lines that Debian ships in /etc/sysctl.conf; if those lines are missing they change nothing, so confirm with "sysctl net.ipv4.ip_forward" afterwards.

    Tailscale admin console: approve the exit node (it cannot be used until it is approved).

    Local Linux: use the exit node. Reverse-path filtering is switched from strict (1) to loose (2) so that, once the default route points at tailscale0, the kernel does not drop replies arriving on an interface it did not expect:

    sudo sed -i "s/#net.ipv4.conf.all.rp_filter=1/net.ipv4.conf.all.rp_filter=2/" /etc/sysctl.conf

    sudo sysctl -p /etc/sysctl.conf

    sudo tailscale up --accept-routes --exit-node-allow-lan-access --exit-node=RemoteIP

    --exit-node-allow-lan-access keeps the local LAN reachable while everything else goes out via the exit node; --accept-routes only matters if the remote node also advertises subnet routes.

    Here RemoteIP is the Tailscale address of the remote node, e.g. 100.113.189.45.
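
    The inotify item and the exit-node item above both edit sysctl files with an "echo >>" or a "sed s/#key=1/key=1/" one-liner. The following helper, an added example that is not part of the original post, does the same job idempotently: it rewrites an existing line for the key (commented out or not) and appends one only when none exists, then lets you read the live value back from /proc/sys to confirm that "sysctl -p" actually applied it. The drop-in file path /etc/sysctl.d/99-local.conf is an assumption; /etc/sysctl.conf works too.

```shell
#!/bin/sh
# Added example (not from the original post). ensure_sysctl KEY VALUE [FILE]
# sets "KEY = VALUE" in a sysctl file idempotently: it rewrites an existing
# line for KEY, commented out or not, and appends one only if none exists.
# That avoids two problems with the one-liners in the post: "echo >>" adds a
# duplicate entry on every run, and "sed s/#key=1/key=1/" silently does
# nothing when the commented template line is absent from the file.
# The default FILE is an assumption; /etc/sysctl.conf also works.
ensure_sysctl() {
  key=$1
  value=$2
  file=${3:-/etc/sysctl.d/99-local.conf}
  # regex form of the key: "." must be literal in the pattern
  key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
  [ -f "$file" ] || : >"$file"
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key_re}[[:space:]]*=" "$file"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key_re}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >>"$file"
  fi
}

# sysctl_path KEY -> the /proc/sys file that holds the live value
sysctl_path() {
  printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# live_sysctl KEY -> the value the kernel is using right now
live_sysctl() {
  cat "$(sysctl_path "$1")"
}

# Usage, as root ("sysctl --system" reloads /etc/sysctl.conf and /etc/sysctl.d/*):
#   inotify:   ensure_sysctl fs.inotify.max_user_watches 524288 && sysctl --system
#   exit node: ensure_sysctl net.ipv4.ip_forward 1 /etc/sysctl.d/99-tailscale.conf
#              ensure_sysctl net.ipv6.conf.all.forwarding 1 /etc/sysctl.d/99-tailscale.conf
#              sysctl --system && tailscale up --advertise-exit-node
#   client:    ensure_sysctl net.ipv4.conf.all.rp_filter 2 /etc/sysctl.d/99-tailscale.conf
#              sysctl --system && live_sysctl net.ipv4.conf.all.rp_filter
```

    Reading the value back through live_sysctl is the check worth keeping: a typo in the key or a file that sysctl never loads both leave the old value in place without any error from the edit itself.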

  • Install DenyHosts on a Linux VPS

    #!/bin/bash
    # Build-from-tarball install of DenyHosts 2.10 with a SysV init script (Debian/Ubuntu layout).
    set -e
    PKG_VER=2.10
    PKG_DIR=denyhosts-${PKG_VER}
    PKG_TAR=${PKG_DIR}.tar.gz
    PKG_URL=https://sourceforge.net/projects/denyhosts/files/denyhosts/${PKG_VER}

    rm -f ${PKG_TAR}
    rm -rf ${PKG_DIR}
    # Keep TLS verification on: this download is the supply-chain step of the install.
    wget ${PKG_URL}/${PKG_TAR}
    tar xvfz ${PKG_TAR}

    sudo mv ${PKG_DIR}/ /usr/share/denyhosts

    cd /usr/share/denyhosts/
    sudo cp denyhosts.conf /etc

    CFG=/etc/denyhosts.conf
    # Block after 8 failed root logins instead of 1; an empty ADMIN_EMAIL disables the reports.
    sudo sed -i "s/DENY_THRESHOLD_ROOT = 1/DENY_THRESHOLD_ROOT = 8/" ${CFG}
    sudo sed -i "s/ADMIN_EMAIL = root@localhost/ADMIN_EMAIL = /" ${CFG}

    sudo cp denyhosts.py /usr/sbin/denyhosts
    sudo mv daemon-control-dist daemon-control

    cd /etc/init.d
    sudo ln -s /usr/share/denyhosts/daemon-control denyhosts
    # DenyHosts tails /var/log/auth.log; on a journald-only host install rsyslog or nothing lands there.
    sudo touch /var/log/auth.log
    sudo update-rc.d denyhosts defaults
    sudo /etc/init.d/denyhosts start
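
    To see what the DENY_THRESHOLD_ROOT change above actually does, here is the threshold logic applied to a handful of constructed auth.log lines. This is an added example written for this page, not DenyHosts code: it keeps the same three per-source counters DenyHosts keeps (root, existing user, unknown user) and prints the sources that reached their class threshold. The log lines and addresses are made up (RFC 5737 test ranges), and the VALID/INVALID defaults shown in the usage comment are what the sample denyhosts.conf ships with as far as I recall; check your own copy.

```shell
#!/bin/sh
# Added example, not DenyHosts code: applies the DENY_THRESHOLD_ROOT /
# DENY_THRESHOLD_VALID / DENY_THRESHOLD_INVALID logic from denyhosts.conf to a
# few constructed auth.log lines, so the effect of raising DENY_THRESHOLD_ROOT
# from 1 to 8 is visible. Addresses are RFC 5737 documentation ranges.

# Constructed sample of /var/log/auth.log (not real traffic)
sample_auth_log() {
  cat <<'EOF'
Sep  1 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Sep  1 10:00:03 vps sshd[1202]: Failed password for root from 203.0.113.5 port 40002 ssh2
Sep  1 10:00:05 vps sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 5001 ssh2
Sep  1 10:00:06 vps sshd[1204]: Failed password for invalid user admin from 198.51.100.7 port 5002 ssh2
Sep  1 10:00:07 vps sshd[1205]: Failed password for invalid user test from 198.51.100.7 port 5003 ssh2
Sep  1 10:00:08 vps sshd[1206]: Failed password for invalid user oracle from 198.51.100.7 port 5004 ssh2
Sep  1 10:00:09 vps sshd[1207]: Failed password for invalid user ubuntu from 198.51.100.7 port 5005 ssh2
Sep  1 10:00:10 vps sshd[1208]: Failed password for invalid user pi from 198.51.100.7 port 5006 ssh2
Sep  1 10:01:00 vps sshd[1210]: Failed password for alice from 192.0.2.9 port 6001 ssh2
Sep  1 10:01:02 vps sshd[1211]: Accepted publickey for alice from 192.0.2.9 port 6002 ssh2
Sep  1 10:01:03 vps sshd[1212]: Connection closed by 192.0.2.9 port 6003 [preauth]
EOF
}

# deny_candidates ROOT_T VALID_T INVALID_T   (auth.log on stdin)
# Prints "ip class count" for every source that reached the threshold of its
# class, where class is root / valid (existing user) / invalid (unknown user).
deny_candidates() {
  awk -v root_t="$1" -v valid_t="$2" -v invalid_t="$3" '
    /sshd\[[0-9]+\]: Failed password for / {
      class = "valid"; ip = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "for") {
          if ($(i + 1) == "invalid") class = "invalid"
          else if ($(i + 1) == "root") class = "root"
        }
        if ($i == "from") ip = $(i + 1)
      }
      if (ip != "") n[ip "\t" class]++
    }
    END {
      for (k in n) {
        split(k, p, "\t")
        if (p[2] == "root") t = root_t + 0
        else if (p[2] == "invalid") t = invalid_t + 0
        else t = valid_t + 0
        if (n[k] >= t) print p[1], p[2], n[k]
      }
    }' | sort
}

# Sample config values (ROOT=1 VALID=10 INVALID=5): both attacking sources are listed.
#   sample_auth_log | deny_candidates 1 10 5
# After the post's change (ROOT=8): only the user-enumeration source is listed.
#   sample_auth_log | deny_candidates 8 10 5
```

    The point of the per-class counters is that one wrong password from a real user must not block them, while a source cycling through admin/test/oracle/pi should be cut off fast; setting DENY_THRESHOLD_ROOT to 8 gives a password-guessing bot seven free attempts at root, which is only acceptable if root login is disabled in sshd anyway.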
  • Linux Application From Scratch

    The new WordPress platform is based on Linux Application From Scratch (LAFS).

    The MySQL server, PHP, nginx (OpenResty) and every dependency, including gcc and the C library, that is, all user-space code, are built from source and installed with /opt/local as the root directory.

    The benefits of LAFS (LFS applied to a WordPress application):

    It runs on any Linux platform with the same mode (x86-64) whose CPU supports the selected baseline instruction set (Sandy Bridge). The software is binary compatible; to run it on a new Linux machine, just copy the image to /opt/local.

    Thanks to the Linux kernel's backward-compatible userspace API, the kernel version has no side effects for most applications.

    With the LAFS implementation we can build the blog platform, edit blog contents locally, and push them to the remote public VPS easily, with nothing more than a file-level sync (rsync):

    Dev Machine (Intel E3)  ==>  Local Production Env (VMware ESXi)  ==>  Remote Public Production Env (VPS)
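
    The binary-compatibility claim above holds only while the target CPU implements the instruction-set baseline the tree was compiled for; an AVX instruction on a CPU without AVX is SIGILL, not a warning. The following check, an added example that is not part of the LAFS build, reads the target's /proc/cpuinfo and refuses to sync when a required flag is missing. The flag list is my assumption for a Sandy Bridge (-march=sandybridge) baseline; the rsync destination is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the LAFS build. The /opt/local image is only
# portable to CPUs that implement the instruction-set baseline it was compiled
# for, so check /proc/cpuinfo on the target before copying the tree across.
# REQUIRED_FLAGS is an assumption for a Sandy Bridge (-march=sandybridge)
# baseline; set it to whatever your toolchain was actually configured with.
REQUIRED_FLAGS="sse4_1 sse4_2 popcnt avx pclmulqdq"

# cpu_missing_flags CPUINFO_FILE FLAG... -> prints missing flags, rc 1 if any
cpu_missing_flags() {
  file=$1
  shift
  # first "flags" line; all cores of one socket advertise the same set
  have=$(awk -F: '/^flags/ { print $2; exit }' "$file")
  missing=""
  for f in "$@"; do
    case " $have " in
      *" $f "*) ;;
      *) missing="$missing $f" ;;
    esac
  done
  if [ -z "$missing" ]; then
    return 0
  fi
  printf '%s\n' "${missing# }"
  return 1
}

# Usage on the target host (host name and paths are assumptions):
#   cpu_missing_flags /proc/cpuinfo $REQUIRED_FLAGS &&
#     rsync -aHAX --numeric-ids --delete /opt/local/ root@vps.example:/opt/local/
```

    --numeric-ids matters for the sync step: the image carries its own uid/gid layout, and letting rsync remap names through the target's /etc/passwd would silently change file ownership under /opt/local.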
  • Blog Resume

    Blog Resume: Sept 2021

  • Setting up DNS servers to resolve my domain

    How to set up DNS servers on two hosts to resolve mydomain:

    Log into the GoDaddy account.

    Go to the Domain Details of mydomain:

    Under Host Names:

        Register two hosts in mydomain (the glue records): ns1 = host1_ip, ns2 = host2_ip

    Under Nameservers:

        Change Setup Type from Standard to Custom

        Add the two nameservers: ns1.mydomain, ns2.mydomain

    Log into host1 and host2

    Set up the DNS server with the following records:

    NS records:    ns1.mydomain, ns2.mydomain          (DNS servers)

    MX records:    mx1.mydomain, mx2.mydomain          (mail servers)

    TXT records:   "v=spf1 ..."                        (for email)

                   "google-site-verification=..."     (for Google verification of the domain, used for both email and the web server)

    SPF record for email:

    "v=spf1 a a:host1.domain.net a:host2.domain.net mx ip4:11.22.33.44 -all"

    Only the following hosts are allowed to deliver SMTP for the domain: host1.domain.net, host2.domain.net, 11.22.33.44, and every host listed in the MX records; "-all" tells receivers to reject everything else. Note that an IPv4 address uses the "ip4:" mechanism ("ip:" is not valid SPF and makes the record unparseable), and that each "a", "mx" and "include:" term costs the receiver a DNS lookup, of which RFC 7208 allows at most 10 per record.

    Google site verification (verify the domain by adding a TXT record):

    Refer to:

    https://www.google.com/webmasters/verification/home?hl=en

    How to add a PTR record for the mail server:

    PTR records are managed by whoever owns the IP address block, i.e. the ISP or VPS provider, not by the DNS registrar such as GoDaddy.

    Some VPS providers let you set the PTR record yourself, for example Hostus and ComfortHost.

    Tool for checking a mail server:

    https://mxtoolbox.com/
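
    Putting the records above together: the script below, an added example that is not from the original post, writes a BIND-style zone file with the NS, MX and TXT records for a placeholder domain, extracts the SPF string from it, and validates that string the way a receiving MTA parses it (known mechanisms only, a terminating "all", no more than 10 DNS-lookup terms per RFC 7208). mydomain.net, host1/host2 and the addresses 11.22.33.44 / 55.66.77.88 are placeholders, and the zone is illustrative rather than a complete production zone.

```shell
#!/bin/sh
# Added example, not from the original post. mydomain.net, host1/host2,
# 11.22.33.44 and 55.66.77.88 are placeholders. write_zone emits a BIND-style
# zone with the NS, MX and TXT records from the post; spf_validate checks the
# SPF string the way a receiving MTA parses it (RFC 7208) before you publish it.

# write_zone FILE -> writes the zone file for mydomain.net
write_zone() {
  cat >"$1" <<'EOF'
$TTL 3600
@       IN SOA  ns1.mydomain.net. hostmaster.mydomain.net. (
                2021090101 ; serial, bump on every change
                7200 3600 1209600 3600 )
@       IN NS   ns1.mydomain.net.
@       IN NS   ns2.mydomain.net.
ns1     IN A    11.22.33.44
ns2     IN A    55.66.77.88
host1   IN A    11.22.33.44
host2   IN A    55.66.77.88
@       IN MX   10 mx1.mydomain.net.
@       IN MX   20 mx2.mydomain.net.
mx1     IN A    11.22.33.44
mx2     IN A    55.66.77.88
@       IN TXT  "v=spf1 a:host1.mydomain.net a:host2.mydomain.net mx ip4:11.22.33.44 -all"
@       IN TXT  "google-site-verification=PLACEHOLDER"
EOF
}

# zone_spf FILE -> the SPF string from the zone's TXT record
zone_spf() {
  sed -n 's/.*TXT[[:space:]]*"\(v=spf1[^"]*\)".*/\1/p' "$1"
}

# spf_lookup_count SPF -> number of terms that cost a DNS lookup when evaluated
# (a, mx, include, exists, ptr, redirect); RFC 7208 permits at most 10
spf_lookup_count() {
  n=0
  for tok in $1; do
    mech=${tok#[+~?-]}
    case "$mech" in
      a|a:*|a/*|mx|mx:*|mx/*|include:*|exists:*|ptr|ptr:*|redirect=*) n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# spf_validate SPF -> rc 0 if well formed, 1 otherwise (reasons on stdout)
spf_validate() {
  spf=$1
  rc=0
  case "$spf" in
    "v=spf1"|"v=spf1 "*) ;;
    *) echo "ERR: record must start with v=spf1"; return 1 ;;
  esac
  for tok in $spf; do
    mech=${tok#[+~?-]}
    case "$mech" in
      v=spf1|all|a|a:*|a/*|mx|mx:*|mx/*|ip4:*|ip6:*|include:*|exists:*|ptr|ptr:*|redirect=*|exp=*) ;;
      *) echo "ERR: unknown term '$tok' (addresses use ip4:/ip6:)"; rc=1 ;;
    esac
  done
  case "$spf" in
    *" -all"|*" ~all"|*" ?all") ;;
    *) echo "WARN: no trailing all term; unlisted senders get no verdict"; rc=1 ;;
  esac
  if [ "$(spf_lookup_count "$spf")" -gt 10 ]; then
    echo "ERR: more than 10 DNS-lookup terms; receivers return permerror"
    rc=1
  fi
  return $rc
}

# Usage:
#   write_zone /tmp/mydomain.net.zone && spf_validate "$(zone_spf /tmp/mydomain.net.zone)"
```

    Running spf_validate against the record as it appeared with "ip:" instead of "ip4:" reports the unknown term; receivers treat that as a permanent error, which in practice means no SPF protection at all for the domain.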

  • Setting up a reverse tunnel with stunnel

    Unlike ssh, stunnel does not support reverse tunnels by itself.

    With the help of tgcd (TCP/IP Gender Changer Daemon), we can build a reverse tunnel by chaining tgcd and stunnel:

    For example:

    We want to reach a corp server from home, but because of the corp NAT firewall only outgoing ports 80/443 are open:

    client  ==> tgcd LL node (home server)  ==> tgcd CC node (corp agent) ==> corp server

    Home Server:

    Launch the tgcd daemon in LL (listen-listen) mode:

       tgcd -L -q 2222 -p 22222

    Listen on port 22222 for client (ssh) access

    Listen on port 2222 for the tgcd CC node, which arrives through stunnel

    Launch stunnel in server mode:

           /usr/local/bin/stunnel /etc/stunnel/stunnel_server.conf

    Listen on port 443 for incoming TLS connections

    Forward connections whose SNI is "tgcd" to port 2222; everything else goes to the default service on port 1080

    cat /etc/stunnel/stunnel_server.conf

    ; server certificate and key (path is an assumption; stunnel does not start in server mode without one)
    cert = /etc/stunnel/stunnel.pem

    [tls]
    accept = 0.0.0.0:443
    connect = 127.0.0.1:1080

    [tgcd]
    ; slave service of [tls], selected when the client's SNI name is "tgcd"
    sni = tls:tgcd
    connect = 127.0.0.1:2222

    Corp Agent Server:

    Launch the tgcd daemon in CC (connect-connect) mode:

    tgcd -C -s 127.0.0.1:222 -c 127.0.0.227:2222

    Connect to the tgcd LL node at:   127.0.0.227:2222 (the local stunnel client below)

    Connect to the sshd server at:    127.0.0.1:222

    Launch stunnel in client mode:

    /usr/local/bin/stunnel /etc/stunnel/stunnel_client.conf

    Listen on 127.0.0.227:2222 for the tgcd CC node, and

    reach the home server on port 443 through the NAT and the corporate HTTP proxy (CONNECT method)

    cat /etc/stunnel/stunnel_client.conf

    [ssh-tgcd-home]
    client = yes
    accept = 127.0.0.227:2222
    ; ask the HTTP proxy for a CONNECT to the home server, then start TLS inside it
    protocol = connect
    connect = http_proxy_ip:http_proxy_port
    protocolHost = home.serverip:443
    sni = tgcd
    ; verify the home server's certificate; without this any box answering on 443
    ; can impersonate it. CA path is an assumption ("verify = 2" on older stunnel).
    verifyChain = yes
    CAfile = /etc/stunnel/home-ca.pem

    With this configuration we can log into the corp server with:

    ssh -p 22222 home.server.ip

    Note that tgcd adds no authentication of its own: port 22222 on the home server exposes the corp sshd to anyone who can reach it. Firewall that port to trusted sources, keep sshd on key-only authentication, and remember that the TLS session only protects the corp-agent-to-home hop.

  • VPS network speed test

    wget -O speedtest_cli.py https://github.com/sivel/speedtest-cli/raw/master/speedtest_cli.py

    python speedtest_cli.py

    Keep certificate verification on for the download; if wget complains about the certificate, install the ca-certificates package instead of passing --no-check-certificate.

  • Chaining SOCKS with an upstream HTTP proxy

    Dante supports both SOCKS (socks4/socks5) and HTTP proxies as the upstream proxy. The sockd.conf below accepts SOCKS clients on port 1080 and relays every outgoing TCP connection through an HTTP proxy with the CONNECT method; HTTP_PROXY_IP and HTTP_PROXY_PORT are placeholders.

    logoutput: /var/log/sockd.log

    # listens on every interface; together with "socksmethod: none" below this is
    # an open relay for anyone who can reach port 1080. Use "internal: 127.0.0.1
    # port=1080", narrow "from:" in the pass rules, or require "socksmethod:
    # username" before exposing this on a public VPS.
    internal: 0.0.0.0 port=1080
    external: eth0

    clientmethod: none
    socksmethod: none

    user.privileged: root
    user.notprivileged: nobody

    timeout.negotiate: 30
    timeout.io: 86400

    client pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
    }

    socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
        protocol: tcp udp
    }

    # every TCP connection leaves through the HTTP proxy as a CONNECT request;
    # there is no route for UDP, so UDP ASSOCIATE requests fail
    route {
        from: 0.0.0.0/0 to: 0.0.0.0/0 via: HTTP_PROXY_IP port = HTTP_PROXY_PORT
        proxyprotocol: http
        command: connect
        protocol: tcp
        method: none
    }