Tailscale vpn bypass firewall

Sometimes we need to bypass a firewall.

Suppose there are two Linux boxes, a local one and a remote one. The local box cannot reach some URLs because of a firewall restriction, while the remote box has no such limitation.

We set up a Tailscale VPN between these two nodes, as described in https://tailscale.com/kb/1017/install

Now we configure an exit node to bypass the firewall on the local Linux box.

Remote Linux: enable IP forwarding and advertise the exit node:

sudo sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/" /etc/sysctl.conf

sudo sed -i "s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=1/" /etc/sysctl.conf

sudo sysctl -p /etc/sysctl.conf
sudo tailscale up --advertise-exit-node

Tailscale admin console: approve the exit node.

Local Linux: use the exit node:

sudo sed -i "s/#net.ipv4.conf.all.rp_filter=1/net.ipv4.conf.all.rp_filter=2/" /etc/sysctl.conf

sudo sysctl -p /etc/sysctl.conf

sudo tailscale up --accept-routes --exit-node-allow-lan-access --exit-node=RemoteIP

where RemoteIP is the Tailscale IP of the remote node, e.g. 100.113.189.45. With the exit node in use, all of the local box's Internet traffic leaves through the remote box, so that box sees and is accountable for every connection.
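The sed commands above only change anything when /etc/sysctl.conf still contains the exact commented-out line; on a host without it, sed matches nothing, "sysctl -p" still exits 0, and forwarding stays off. The following script is an added example (not from the page or from Tailscale) that sets the same three sysctls through sysctl.d drop-in files and then reads /proc/sys back to confirm the kernel took them. The drop-in file names are this example's choice.

```shell
#!/bin/sh
# Added example: configure the exit-node and client sysctls via /etc/sysctl.d
# drop-ins and verify them, instead of editing /etc/sysctl.conf with sed.

# Write the exit-node side settings as a drop-in under directory $1 (default /etc/sysctl.d).
write_exit_node_conf() {
  dir=${1:-/etc/sysctl.d}
  f="$dir/99-tailscale-exit-node.conf"
  printf '%s\n' 'net.ipv4.ip_forward = 1' 'net.ipv6.conf.all.forwarding = 1' > "$f"
  echo "$f"
}

# Write the client side setting (rp_filter = 2, loose mode) as a drop-in under $1.
write_exit_node_client_conf() {
  dir=${1:-/etc/sysctl.d}
  f="$dir/99-tailscale-exit-node-client.conf"
  printf '%s\n' 'net.ipv4.conf.all.rp_filter = 2' > "$f"
  echo "$f"
}

# Print the value configured for key $2 in drop-in $1 (empty when the key is absent).
conf_value() {
  awk -F'=' -v k="$2" '{
    key = $1; gsub(/[ \t]/, "", key)
    if (key == k) { val = $2; gsub(/[ \t]/, "", val); print val }
  }' "$1"
}

# Load drop-in $1 and confirm each key in /proc/sys now holds the configured value.
# Needs root and a real /proc; returns 1 and names the key on any mismatch.
apply_and_verify() {
  sysctl -p "$1" > /dev/null || return 1
  for key in $(awk -F'=' '{ gsub(/[ \t]/, "", $1); print $1 }' "$1"); do
    want=$(conf_value "$1" "$key")
    got=$(cat "/proc/sys/$(echo "$key" | tr . /)")
    [ "$got" = "$want" ] || { echo "$key is $got, wanted $want" >&2; return 1; }
  done
}

# Usage (as root):  ./exit-node.sh exit-node               on the remote box
#                   ./exit-node.sh client 100.113.189.45   on the local box
case "${1:-}" in
  exit-node) apply_and_verify "$(write_exit_node_conf)" && tailscale up --advertise-exit-node ;;
  client)    apply_and_verify "$(write_exit_node_client_conf)" \
               && tailscale up --accept-routes --exit-node-allow-lan-access --exit-node="${2:?remote tailnet IP}" ;;
esac
```

Because apply_and_verify compares /proc/sys against the drop-in, a typo in a key or a distribution that ships a later drop-in overriding the value is caught before "tailscale up" advertises a node that cannot forward.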

Install DenyHosts on Linux VPS

#!/bin/bash
# Build and install DenyHosts 2.10 from the SourceForge tarball on a Debian/Ubuntu style host.
set -eu
PKG_VER=2.10
PKG_DIR=denyhosts-${PKG_VER}
PKG_TAR=${PKG_DIR}.tar.gz
PKG_URL=https://sourceforge.net/projects/denyhosts/files/denyhosts/${PKG_VER}

# Start from a clean tree; -f so a missing tarball does not abort the script.
rm -f ${PKG_TAR}
rm -rf ${PKG_DIR}
# --no-check-certificate disables TLS verification of the download, so the archive
# could be swapped in transit; drop the flag unless the host's CA bundle really
# cannot validate sourceforge.net.
wget --no-check-certificate ${PKG_URL}/${PKG_TAR}
tar xvfz ${PKG_TAR}

sudo mv ${PKG_DIR}/ /usr/share/denyhosts

cd /usr/share/denyhosts/
sudo cp denyhosts.conf /etc

# Raise the root-login threshold and clear the admin e-mail address.
# These patterns only match the defaults shipped in denyhosts.conf.
CFG=/etc/denyhosts.conf
sudo sed -i "s/DENY_THRESHOLD_ROOT = 1/DENY_THRESHOLD_ROOT = 8/" ${CFG}
sudo sed -i "s/ADMIN_EMAIL = root@localhost/ADMIN_EMAIL = /" ${CFG}

sudo cp denyhosts.py /usr/sbin/denyhosts
sudo mv daemon-control-dist daemon-control

# Register the SysV init script; sshd failures are read from /var/log/auth.log.
cd /etc/init.d
sudo ln -sfn /usr/share/denyhosts/daemon-control denyhosts
sudo touch /var/log/auth.log
sudo update-rc.d denyhosts defaults
sudo /etc/init.d/denyhosts start
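DenyHosts decides whom to block by counting "Failed password" lines per source address in /var/log/auth.log, with separate thresholds for root, invalid users and valid users (DENY_THRESHOLD_ROOT, DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID). The script below is an added example (not from the page or from DenyHosts) that performs the same counting over constructed auth.log lines, so the thresholds chosen above can be checked against real traffic before the daemon starts writing to /etc/hosts.deny; the sample lines and addresses are constructed.

```shell
#!/bin/sh
# Added example: count failed sshd logins per source IP, split into the three
# classes DenyHosts uses, and list the addresses that would cross a threshold.

# Constructed sample lines in the classic syslog auth.log format.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar  3 10:01:02 vps sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  3 10:01:05 vps sshd[1202]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar  3 10:01:09 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar  3 10:02:11 vps sshd[1210]: Failed password for invalid user oracle from 198.51.100.9 port 50100 ssh2
Mar  3 10:02:40 vps sshd[1211]: Accepted publickey for deploy from 192.0.2.10 port 60000 ssh2
Mar  3 10:03:01 vps sshd[1212]: Failed password for deploy from 192.0.2.10 port 60001 ssh2
Mar  3 10:03:05 vps sshd[1213]: Failed password for root from 203.0.113.5 port 40004 ssh2
EOF
)

# Print "class ip count" for every (class, ip) pair seen in the given log file(s)
# (stdin when none); class is root, invalid or valid.
failed_logins_by_ip() {
  awk '
    /sshd\[[0-9]+\]: Failed password for / {
      if ($0 ~ / for invalid user /) { cls = "invalid" }
      else if ($0 ~ / for root from /) { cls = "root" }
      else { cls = "valid" }
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      n[cls " " ip]++
    }
    END { for (k in n) print k, n[k] }
  ' "$@" | sort
}

# Read failed_logins_by_ip output on stdin; print the addresses whose count for
# class $1 reached threshold $2.
over_threshold() {
  awk -v cls="$1" -v thr="$2" '$1 == cls && $3 >= thr { print $2 }'
}

# Apply the three denyhosts.conf thresholds to log file $1 and print "ip (class)"
# for every address the daemon would add to hosts.deny.
deny_candidates() {
  log=$1; t_root=$2; t_invalid=$3; t_valid=$4
  counts=$(failed_logins_by_ip "$log")
  echo "$counts" | over_threshold root "$t_root" | sed 's/$/ (root)/'
  echo "$counts" | over_threshold invalid "$t_invalid" | sed 's/$/ (invalid)/'
  echo "$counts" | over_threshold valid "$t_valid" | sed 's/$/ (valid)/'
}

# Usage with the page's root threshold and the DenyHosts defaults for the other two:
#   deny_candidates /var/log/auth.log 8 5 10
```

Run against the live log before enabling the daemon; if your own management address shows up in the output, add it to the allowed-hosts list first or the first mistyped password locks you out.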

Linux Application From Scratch

The new WordPress platform is based on Linux Application From Scratch (LAFS).

The MySQL server, PHP, nginx (OpenResty) and all their dependencies, including gcc and the C library (everything in user space), are built from source and installed under /opt/local as the root directory.

The benefits of LAFS (LFS for the WordPress application):

It runs on any Linux platform of the same mode (x86-64) whose CPU supports the selected baseline instruction set (Sandy Bridge). The software is binary compatible: to run it on a new Linux machine, just copy the image to /opt/local.
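The baseline matters in practice: a binary built for Sandy Bridge uses AVX, and on a VPS whose CPU (or hypervisor CPU model) lacks it the first AVX instruction kills the process with SIGILL. The script below is an added example (not from the page) that checks a target's /proc/cpuinfo for the extensions gcc enables for -march=sandybridge before the image is copied; the flag list and the constructed cpuinfo samples are this example's own.

```shell
#!/bin/sh
# Added example: confirm a target host can execute an x86-64 image built with
# the Sandy Bridge baseline before rsync'ing /opt/local onto it.

# CPU flags, as spelled in /proc/cpuinfo, for the extensions -march=sandybridge enables
# beyond plain x86-64 (this list is the example's assumption; avx is the critical one).
SANDYBRIDGE_FLAGS="sse4_2 popcnt aes pclmulqdq avx"

# Constructed cpuinfo excerpts: one AVX-capable, one older CPU without it.
CPUINFO_SANDYBRIDGE=$(cat <<'EOF'
processor : 0
model name : constructed sample (AVX-capable)
flags : fpu sse sse2 ssse3 sse4_1 sse4_2 popcnt aes pclmulqdq avx xsave
EOF
)
CPUINFO_OLD=$(cat <<'EOF'
processor : 0
model name : constructed sample (pre-AVX)
flags : fpu sse sse2 ssse3 sse4_1 sse4_2 popcnt
EOF
)

# Print the flags from $2 that are absent from the "flags" line of cpuinfo file $1
# (prints nothing when all are present).
missing_cpu_flags() {
  have=" $(awk -F': *' '/^flags[ \t]*:/ { print $2; exit }' "$1") "
  out=""
  for f in $2; do
    case "$have" in
      *" $f "*) ;;
      *) out="$out $f" ;;
    esac
  done
  echo "${out# }"
}

# Live check on the target host: architecture first, then the instruction-set flags.
lafs_target_ok() {
  [ "$(uname -m)" = x86_64 ] || { echo "not x86-64: $(uname -m)"; return 1; }
  m=$(missing_cpu_flags /proc/cpuinfo "$SANDYBRIDGE_FLAGS")
  [ -z "$m" ] || { echo "cpu lacks: $m"; return 1; }
}

# Usage on the new VPS: lafs_target_ok && echo "safe to copy /opt/local here"
```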

Thanks to the Linux kernel's backward-compatible API, the kernel version has no side effects for most applications.

With the LAFS implementation, we can build the blog platform and modify blog content locally, then push it to the remote public VPS with ease:

Just a file-level sync (rsync):

Dev Machine (Intel E3)  ==>  Local Production Env (VMware ESXi)  ==>  Remote Public Production Env (VPS)

Setup DNS server to resolve my domain

How to set up DNS servers on two hosts to resolve my_domain:

Log into the GoDaddy account.

Go to the domain details of mydomain:

Under Host Names:

Register two hosts in mydomain: ns1 = host1_ip, ns2 = host2_ip

Under Nameservers:

Change Setup Type from Standard to Custom

Add the two nameservers: ns1.mydomain, ns2.mydomain

Log into host1 and host2.

Set up the DNS server with the following config:

T_NS records:   ns1.mydomain, ns2.mydomain   (DNS servers)

T_MX records:   mx1.mydomain, mx2.mydomain   (mail servers)

T_TXT records:  "v=spf1 ..."   (for email)

                "google-site-verification=..."   (for email and web server)

SPF record for email:

"v=spf1 a a:host1.domain.net a:host2.domain.net mx ip4:11.22.33.44 -all"

Only the following hosts are allowed for SMTP delivery:

host1.domain.net, host2.domain.net, 11.22.33.44, and every host in the MX record
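A mistake in a published SPF record is worse than no record: receivers that hit an unknown mechanism or more than 10 DNS-lookup mechanisms return permerror and may reject or junk the mail. The function below is an added example (not from the page) that statically checks a record before it goes into the TXT zone: version tag, known mechanisms only, a terminating "all" with a restrictive qualifier, and the RFC 7208 lookup limit. The record strings in the usage are constructed.

```shell
#!/bin/sh
# Added example: offline sanity check of an SPF record string.

# Count the mechanisms and modifiers that cost a DNS lookup at evaluation time:
# a, mx, include, exists, ptr and redirect= (RFC 7208 caps these at 10 per record).
spf_lookup_count() {
  n=0
  for tok in $1; do
    t=${tok#[-+~?]}                 # strip the qualifier, if any
    case "$t" in
      a|a:*|a/*|mx|mx:*|mx/*|include:*|exists:*|ptr|ptr:*|redirect=*) n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# Check record $1. Prints one problem per line and returns 1, or prints nothing
# and returns 0 when the record is publishable.
spf_check() {
  rec=$1; bad=0; seen_all=0
  set -- $rec
  [ "${1:-}" = "v=spf1" ] || { echo "record must start with v=spf1"; bad=1; }
  [ $# -gt 0 ] && shift
  for tok in "$@"; do
    t=${tok#[-+~?]}
    case "$t" in
      all)
        seen_all=1
        # "all" or "+all" makes every sender pass; only -all (fail) or ~all (softfail) is useful.
        case "$tok" in all|+all) echo "\"$tok\" passes every sender; use -all or ~all"; bad=1 ;; esac ;;
      redirect=*) seen_all=1 ;;     # redirect= takes the place of a terminating all
      a|a:*|a/*|mx|mx:*|mx/*|ip4:*|ip6:*|include:*|exists:*|ptr|ptr:*|exp=*) ;;
      *) echo "unknown mechanism: $tok"; bad=1 ;;
    esac
  done
  [ "$seen_all" = 1 ] || { echo "no terminating all"; bad=1; }
  n=$(spf_lookup_count "$rec")
  [ "$n" -le 10 ] || { echo "$n lookup mechanisms exceed the limit of 10"; bad=1; }
  return $bad
}

# Usage: spf_check 'v=spf1 a a:host1.domain.net a:host2.domain.net mx ip4:11.22.33.44 -all'
#        spf_check 'v=spf1 a mx ip:11.22.33.44 -all'   (rejected: "ip:" is not a mechanism)
```

The record above costs four lookups (a, the two a: entries and mx), well inside the limit; every extra include: for a mail provider adds its own nested lookups to that budget.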

Google site verification: (verify the domain by adding a TXT/SPF record)

Refer to:

https://www.google.com/webmasters/verification/home?hl=en

How to add a PTR record for the MX server:

PTR records are managed by the ISP that owns the IP range, not by the DNS provider such as GoDaddy.

Some VPS providers support PTR record modification, such as Hostus and ComfortHost.

Tool for mail server checks:

https://mxtoolbox.com/

Setup reverse tunnel with stunnel

Unlike ssh, stunnel doesn't support reverse tunnels by itself.

With the help of tgcd (TCP/IP Gender Changer Daemon), we can set up a reverse tunnel by chaining tgcd and stunnel:

For example:

We want to reach the corp server from home, but because of the corp NAT firewall, only outgoing ports 80/443 are open:

client ==> tgcd LL node (home server) ==> tgcd CC node (corp agent) ==> corp server:

Home server:

Launch the tgcd daemon in LL mode:

tgcd -L -q 2222 -p 22222

Listen on port 2222 for client access

Listen on port 22222 for tgcd CC access

Launch stunnel in server mode:

/usr/local/bin/stunnel /etc/stunnel/stunnel_server.conf

Listen on port 443 for incoming SSL connections

Forward connections whose SNI is tgcd to port 2222

cat /etc/stunnel/stunnel_server.conf

[tls]
accept = 0.0.0.0:443
connect = 127.0.0.1:1080

[tgcd]
sni = tls:tgcd
connect = 127.0.0.1:2222

Corp agent server:

Launch the tgcd daemon in CC mode:

tgcd -C -s 127.0.0.1:222 -c 127.0.0.227:2222

Connect to the tgcd LL node at: 127.0.0.227:2222

Connect to the sshd server at: 127.0.0.1:222

Launch stunnel in client mode:

/usr/local/bin/stunnel /etc/stunnel/stunnel_client.conf

Listen on 127.0.0.227:2222 for the tgcd CC node, and

reach the home server on port 443 through the NAT and the HTTP proxy

cat /etc/stunnel/stunnel_client.conf

[ssh-tgcd-home]
accept = 127.0.0.227:2222
protocolHost = home.serverip:443
connect = http_proxy_ip:http_proxy_port
protocol = connect
sni = tgcd

******************************************

With this configuration, we can log into the corp server with:

ssh -p 22222   home.server.ip

Chain socks with http proxy upstream

Dante supports both SOCKS (socks4/socks5) and HTTP proxies as the upstream proxy. The sockd.conf below chains every connection through an HTTP proxy using the CONNECT method:

logoutput: /var/log/sockd.log

internal: 0.0.0.0 port=1080
external: eth0

clientmethod: none
socksmethod: none

user.privileged: root
user.notprivileged: nobody

timeout.negotiate: 30
timeout.io: 86400

client pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}

socks pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
protocol: tcp udp
}

route {
from: 0.0.0.0/0 to: 0.0.0.0/0 via: HTTP_PROXY_IP port = HTTP_PROXY_PORT
proxyprotocol: http
command: connect
protocol: tcp
method: none
}
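The sockd.conf above listens on every interface and passes any client from 0.0.0.0/0 with no authentication, and the stunnel [tls] service in the previous section forwards port 443 to the same 127.0.0.1:1080, so anyone who can reach either port gets a relay through the upstream HTTP proxy. The script below is an added example (not from the page, Dante or stunnel) that flags such wide-open rules in a sockd.conf and writes a variant restricted to loopback and the tailnet. The interface name tailscale0, the 100.64.0.0/10 range Tailscale assigns, and the file paths are this example's assumptions; the open config is a constructed copy of the page's rules.

```shell
#!/bin/sh
# Added example: detect open-relay rules in a Dante sockd.conf and emit a
# restricted configuration that only loopback and tailnet clients can use.

# Constructed copy of the page's pass rules (placeholder upstream proxy kept as-is).
OPEN_SOCKD_CONF=$(cat <<'EOF'
logoutput: /var/log/sockd.log
internal: 0.0.0.0 port=1080
external: eth0
clientmethod: none
socksmethod: none
client pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
socks pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
protocol: tcp udp
}
route {
from: 0.0.0.0/0 to: 0.0.0.0/0 via: HTTP_PROXY_IP port = HTTP_PROXY_PORT
proxyprotocol: http
command: connect
protocol: tcp
method: none
}
EOF
)

# Print one line per finding in sockd.conf $1: a listener on all interfaces, or a
# client/socks pass block whose "from:" is 0.0.0.0/0. No output means nothing is wide open.
sockd_open_rules() {
  awk '
    /^internal:[ \t]*0\.0\.0\.0/          { print "internal 0.0.0.0" }
    /^(client|socks)[ \t]+pass/           { kind = $1; inblock = 1; next }
    inblock && /from:[ \t]*0\.0\.0\.0\/0/ { print kind " pass from anywhere" }
    /^}/                                  { inblock = 0 }
  ' "$1"
}

# Write a restricted sockd.conf to $1: listen on loopback (for stunnel and local tools)
# and on the Tailscale interface, and accept clients from those two ranges only.
write_restricted_sockd_conf() {
  cat > "$1" <<'EOF'
logoutput: /var/log/sockd.log
internal: 127.0.0.1 port = 1080
internal: tailscale0 port = 1080
external: eth0
clientmethod: none
socksmethod: none
client pass {
from: 127.0.0.0/8 to: 0.0.0.0/0
log: connect error
}
client pass {
from: 100.64.0.0/10 to: 0.0.0.0/0
log: connect error
}
socks pass {
from: 127.0.0.0/8 to: 0.0.0.0/0
log: connect error
protocol: tcp udp
}
socks pass {
from: 100.64.0.0/10 to: 0.0.0.0/0
log: connect error
protocol: tcp udp
}
route {
from: 0.0.0.0/0 to: 0.0.0.0/0 via: HTTP_PROXY_IP port = HTTP_PROXY_PORT
proxyprotocol: http
command: connect
protocol: tcp
method: none
}
EOF
}

# Usage: sockd_open_rules /etc/sockd.conf
[ -n "${1:-}" ] && sockd_open_rules "$1"
```

Restricting sources does not add authentication (socksmethod is still none); if the stunnel path to port 1080 stays in place, the remaining exposure is whoever can complete the TLS handshake on 443, which is why that service should require a client certificate rather than rely on the SNI name alone.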