Quick server setup #2

For a quick run (this fetches the script over plain HTTP and runs it as root, so read it before you run it; what it does is explained below):

wget -N http://www.nat.li/wp-code/104.1.sh && bash 104.1.sh
 
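As an added example (not part of the original page or of the 104.1.sh script): the same fetch, but the file is written to a temporary location and checked against a SHA-256 digest before bash ever sees it. The digest has to come from somewhere other than the same HTTP server (a signed page, a mail, the note you took when you wrote the script); the value in the usage comment is a placeholder, and the function names are mine.

```bash
#!/bin/bash
# Added example: fetch a setup script, verify its SHA-256 digest against a value
# obtained out of band, and only then execute it. The digest in the usage line is
# a placeholder; the real one has to be published by whoever wrote the script.

# sha256_of FILE -> prints the hex digest (sha256sum on Linux, shasum elsewhere)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise
verify_script() {
    local file="$1" expected="$2" actual
    [ -f "$file" ] || return 1
    actual=$(sha256_of "$file")
    # compare case-insensitively so a pasted upper-case digest still matches
    [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$expected" | tr 'A-Z' 'a-z')" ]
}

# fetch_verify_run URL EXPECTED_SHA256 -> download to a temp file, verify, run, clean up
fetch_verify_run() {
    local url="$1" expected="$2" tmp rc=0
    tmp=$(mktemp) || return 1
    # always fetch a fresh copy into the temp file (wget -N timestamping is pointless here)
    if ! wget -q -O "$tmp" "$url"; then
        rm -f "$tmp"; echo "download of $url failed" >&2; return 1
    fi
    if ! verify_script "$tmp" "$expected"; then
        rm -f "$tmp"; echo "checksum mismatch, refusing to run $url" >&2; return 1
    fi
    bash "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage (placeholder digest; replace with the published value):
# fetch_verify_run http://www.nat.li/wp-code/104.1.sh 0000000000000000000000000000000000000000000000000000000000000000
```

The check only helps if the digest reaches you over a channel the web server cannot tamper with; a digest served next to the script on the same plain-HTTP site proves nothing.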

Explained:

Install lighttpd along with mysql and some other useful applications.

First of all, some useful/mandatory applications and mysql

1. Installs htop, rcconf, aptitude, vim, dos2unix and mysql

apt-get -y update
apt-get -y install htop aptitude rcconf vim dos2unix mysql-server

(--force-yes is left out on purpose: it makes apt go ahead with unauthenticated packages and other things it would normally refuse, which is not something an install script should do silently.)

Copy this next part to a new file and name it something.sh, upload it to your server. I use the “/var” directory. “dos2unix thefile.sh” first if you uploaded from windows to make sure line endings are correct. After this, chmod u+x thefile.sh and then run it “./thefile.sh”.

2. Installs lighttpd
3. Installs php5-cgi
4. Configures & restarts lighttpd and php
5. Creates /var/www2 and makes www-data its owner
6. Installs phpmyadmin

#!/bin/bash
apt-get -y install lighttpd php5-cgi
# php-fpm backend on 127.0.0.1:9000. The php5-cgi setup below does not use this file
# (that comes from 15-fastcgi-php.conf); enable it with "lighty-enable-mod fastcgi-fpm" only if you switch to php-fpm.
cat > /etc/lighttpd/conf-available/10-fastcgi-fpm.conf <<'EOF'
server.modules += ( "mod_fastcgi" )
fastcgi.server = ( ".php" =>
    ( "localhost" => ( "host" => "127.0.0.1", "port" => "9000" ) )
)
EOF
lighty-enable-mod fastcgi
lighty-enable-mod fastcgi-php
/etc/init.d/lighttpd restart
mkdir -p /var/www2
# owner www-data, mode 755; a world-writable docroot (777) lets any local user drop PHP into the site
chown -R www-data:www-data /var/www2
chmod 755 /var/www2
apt-get -y install phpmyadmin
/etc/init.d/lighttpd restart

Other:

squid:
http://www.nat.li/linux/easy-squid-install

php-fpm instead of cgi:
http://www.nat.li/linux/installing-php-fpm-on-debian-6-squeeze
http://www.nat.li/linux/different-php-fpm-for-each-lighttpd-vhost

lua support to lighttpd:
http://www.nat.li/linux/lighttpd-with-lua-support

usenet posting:
http://www.nat.li/linux/fast-mass-usenet-posting-using-both-windows-and-linux-utilizing-winrar-par2-and-newspost-2

pptp vpn:
http://www.nat.li/linux/easily-install-pptpd-on-debian-with-this-bash-script

Set-up redundant MySQL system

Note: a slave set up like this is read-only in practice. Never write to it, because a local write will break replication. If you want to write to both, set replication up in both directions and set auto-increment-increment and auto-increment-offset on every server so the generated keys don't collide.

#Master and Slave(s)

apt-get install --yes mysql-server

#Master

vim /etc/mysql/my.cnf
#bind-address = 127.0.0.1 #Comment it out, or better, set it to the address the slaves reach this server on, so MySQL is not listening on every interface

# These go under [mysqld]; "[Replication]" is not a group mysqld reads, so settings put there are silently ignored
[mysqld]
server-id = 1
log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M

/etc/init.d/mysql restart
mysql -u root --password={pass}
> grant replication slave on *.* to 'replication'@'{slave_ip}' identified by '{some_pass}';
> create database my_application;
> GRANT ALL PRIVILEGES ON my_application.* TO 'app'@'{app_host}' IDENTIFIED BY '{app_pass}';
> \q

Use the slave's address in place of {slave_ip}; 'replication'@'%' would accept that password from anywhere. The replication account only needs REPLICATION SLAVE, so the application gets an account of its own ('app', {app_host} and {app_pass} are placeholders) and the two passwords stay separate.

#Slaves

vim /etc/mysql/my.cnf
#bind-address = 127.0.0.1 #Comment it out (same remark as on the master)

[mysqld]
server-id = X # (pick a number 2 or over; every server in the set needs a different one)
replicate-wild-do-table = my\_application.%
master-host = db1.dom.ext
master-user = replication
master-password = some_pass
master-port = 3306

(use the backslash in front of the underscore because an unescaped _ is a single-character wildcard in that option)

The master-* options in my.cnf work on the MySQL 5.1 that Debian 6 ships but were removed in 5.5, where CHANGE MASTER TO (see Additional Notes) is the only way to set them. Prefer CHANGE MASTER TO even on 5.1: it keeps the password in master.info inside the data directory, readable only by the mysql user, whereas Debian installs my.cnf world-readable.

/etc/init.d/mysql restart

Additional Notes

#If you ever need to change the master settings, run this on the slave; the replication threads must be stopped while you do it and started again afterwards:

STOP SLAVE;
CHANGE MASTER TO
                MASTER_HOST='db1.dom.ext',
                MASTER_USER='replication',
                MASTER_PASSWORD='pass',
                MASTER_PORT=3306;
START SLAVE;

#Check if slave OK

mysql -u root --password={pass}
> show slave status \G

If Slave_IO_State is "Waiting for master to send event" and both Slave_IO_Running and Slave_SQL_Running say Yes, then you've been successful. Seconds_Behind_Master shows how far behind the slave is; a non-empty Last_Error means the SQL thread has stopped on a statement and replication is no longer running.
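Added example, not from the page: a check that reads the SHOW SLAVE STATUS\G output and turns the fields that matter (Slave_IO_Running, Slave_SQL_Running, Last_Error, Seconds_Behind_Master) into a one-line verdict and an exit code, so the same test can run from cron instead of being eyeballed. The two status samples are constructed, the lag limit is a parameter, and the function names are mine.

```bash
#!/bin/bash
# Added example: parse "SHOW SLAVE STATUS\G" and decide whether replication is healthy.
# Typical use:  mysql -u root --password={pass} -e 'SHOW SLAVE STATUS\G' | check_slave_status 300
# The two sample outputs below are constructed for the example, not captured from a server.

SAMPLE_OK='*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: db1.dom.ext
                  Master_User: replication
                  Master_Port: 3306
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
                   Last_Error:
        Seconds_Behind_Master: 0'

SAMPLE_BROKEN='*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: db1.dom.ext
             Slave_IO_Running: Yes
            Slave_SQL_Running: No
                   Last_Error: Duplicate entry 42 for key PRIMARY (someone wrote to the slave)
        Seconds_Behind_Master: NULL'

# field TEXT NAME -> the value after "NAME:" in the \G-style TEXT (empty if absent)
field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2: *//p" | head -n 1
}

# check_slave_status [MAX_LAG_SECONDS]   (status text on stdin)
# exit 0 = healthy, 1 = a thread stopped or an error is pending, 2 = running but lagging
check_slave_status() {
    local max="${1:-300}" status io sql err behind
    status=$(cat)
    io=$(field "$status" Slave_IO_Running)
    sql=$(field "$status" Slave_SQL_Running)
    err=$(field "$status" Last_Error)
    behind=$(field "$status" Seconds_Behind_Master)

    # Both threads must run; Last_Error stays set when the SQL thread died on a statement
    if [ "$io" != "Yes" ] || [ "$sql" != "Yes" ] || [ -n "$err" ]; then
        printf 'BROKEN io=%s sql=%s last_error=%s\n' "$io" "$sql" "${err:-none}"
        return 1
    fi
    # Seconds_Behind_Master is NULL only while a thread is down, so here it is numeric
    if [ "$behind" != "NULL" ] && [ "$behind" -gt "$max" ]; then
        printf 'LAGGING behind=%ss (limit %ss)\n' "$behind" "$max"
        return 2
    fi
    printf 'OK behind=%ss state=%s\n' "$behind" "$(field "$status" Slave_IO_State)"
}
```

A Slave_IO_State of "Waiting for master to send event" on its own is not enough: the IO thread can be idle and happy while the SQL thread sits on an error, which is the case the second sample shows.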

#Check if connection to master OK (run on the slave, with the replication account)
mysql --host=db1.dom.ext --port=*mysql-port* -u replication --password={pass}

#Check connection to slave OK from master
mysql -h dbX.dom.ext -u root --password={pass}

#Troubleshoot using telnet
telnet dbX.dom.ext *mysql-port*

#Create new user

CREATE USER 'username'@'%' IDENTIFIED BY 'supersecret';
GRANT SELECT ON my_application.* TO 'username'@'%';

(Inserting a row straight into mysql.user, the old way, depends on the table's column defaults and is not picked up until FLUSH PRIVILEGES; CREATE USER and GRANT take effect at once. Scope the GRANT to the database the account needs: SELECT ON *.* would let it read every database, mysql.user and its password hashes included. Replace '%' with the host the user connects from where you can.)

#Change pass

SET PASSWORD FOR 'tom'@'%' = PASSWORD('NEW-PASSWORD-HERE');

(A direct UPDATE mysql.user SET Password=PASSWORD('...') WHERE User='tom' also works, for all of that user's hosts at once, but only takes effect after FLUSH PRIVILEGES.)

Add users to vsftpd

Source: linux-hacks.blogspot.nl

#edit /etc/vsftpd.conf (or /opt/etc/vsftpd.conf, depending on where your build keeps it)
local_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
chroot_list_enable=YES
#With chroot_local_user at its default of NO, the users in that list are the ones that get jailed to their home directory; anyone not listed can browse the whole filesystem, so list every ftp user.
#You may also want to disable anonymous access: anonymous_enable=NO
#You may also want to enable write access: write_enable=YES

#Create vsftpd.chroot_list in /etc/ (or /opt/etc/) with one username per line for each user you want to expose over ftp.
If the user you want to add is not a system user yet, create it first (adduser asks for the password itself):
adduser username

Restart the vsftpd server using /etc/init.d/vsftpd restart or service vsftpd restart
Now you can log into ftp using the new user. Plain FTP sends the password in the clear; if the server is reachable from the internet, set ssl_enable=YES together with force_local_logins_ssl=YES and force_local_data_ssl=YES (and point rsa_cert_file at a certificate) so logins only happen over TLS.

Show iptable blocks

#!/bin/bash
# usage: scriptname.sh MONTH DAY [c]
# syslog pads single-digit days with a space ("Nov  1"), hence the %2d
range=$(printf '%s %2d' "$1" "$2")
cntonly="$3"

if [[ $cntonly == "c" ]] ;
then #Count only (one total across all /var/log/debug* files)
    grep -h "^$range .*iptables denied" /var/log/debug* | wc -l
else #Get actual lines
    grep -h "^$range .*iptables denied" /var/log/debug*
fi

Example usage:
./scriptname.sh Nov 11
Will show all dropped connections on November the 11th
or
./scriptname.sh Nov 11 c
Will show the *number* of dropped connections on November the 11th
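Added example, not part of the original script: the same log lines, but summarised per source address and destination port instead of dumped raw, which is what you actually want to know after a day of drops. The log lines are constructed for the example (the format is the kernel LOG target's output with the "iptables denied: " prefix the rules in the next section set), and the function names are mine.

```bash
#!/bin/bash
# Added example: summarise "iptables denied:" log lines by source and destination port.
# Works on the same log format the script above greps for: syslog prefix, then the
# kernel's SRC=/DST=/PROTO=/DPT= fields. Sample lines are constructed, not from a real host.

SAMPLE_LOG='Nov 11 03:12:01 vps kernel: iptables denied: IN=venet0 OUT= MAC= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 11 03:12:03 vps kernel: iptables denied: IN=venet0 OUT= MAC= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 11 09:40:17 vps kernel: iptables denied: IN=venet0 OUT= MAC= SRC=192.0.2.77 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=6000 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 11 09:40:18 vps kernel: iptables denied: IN=venet0 OUT= MAC= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 11 10:00:00 vps sshd[1234]: Accepted publickey for root from 203.0.113.9 port 50000 ssh2
Nov 12 00:00:05 vps kernel: iptables denied: IN=venet0 OUT= MAC= SRC=192.0.2.77 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=241 ID=1 PROTO=UDP SPT=5060 DPT=5060 LEN=40
Nov  1 22:10:44 vps kernel: iptables denied: IN=venet0 OUT= MAC= SRC=203.0.113.200 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=55555 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0'

# denied_on MONTH DAY  (log on stdin) -> only the denied lines for that day.
# syslog pads single-digit days with a space ("Nov  1"), so the day is formatted with %2d.
denied_on() {
    local prefix
    prefix=$(printf '%s %2d' "$1" "$2")
    grep -F "iptables denied:" | grep "^$prefix "
}

# top_sources MONTH DAY  (log on stdin) -> "count src -> dport/proto", busiest first
top_sources() {
    denied_on "$1" "$2" |
    awk '{
        src = ""; dpt = ""; proto = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5);
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5);
            if ($i ~ /^PROTO=/) proto = substr($i, 7);
        }
        count[src " -> " dpt "/" proto]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' |
    sort -k1,1nr -k2,2
}

# Usage against the real logs:
#   cat /var/log/debug* | top_sources Nov 11
```

A run over the sample gives "2 198.51.100.23 -> 22/TCP" on top: one host probing SSH and telnet is a different thing from a dozen unrelated scanners, and the raw grep does not show that difference.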

Debian VPS (OpenVZ) Quick Setup

Fix getty processes causing log file growth

Comment out all but the first (tty1) getty entry

vim /etc/inittab
...
# Note that on most Debian systems tty7 is used by the X Window System,
# so if you want to add more getty's go ahead but skip tty7 if you run X.
#
1:2345:respawn:/sbin/getty 38400 tty1
#2:23:respawn:/sbin/getty 38400 tty2
#3:23:respawn:/sbin/getty 38400 tty3
#4:23:respawn:/sbin/getty 38400 tty4
#5:23:respawn:/sbin/getty 38400 tty5
#6:23:respawn:/sbin/getty 38400 tty6
...
telinit q

Set IPTables

ip=*yourip*       # the address you administer from (in a shell script: no "$" on the left of an assignment, no spaces around "=")
sshport=22        # must match Port in /etc/ssh/sshd_config

#echo to /etc/iptables.rules
#iptables-restore does not expand shell variables, so $ip and $sshport below must already be the real values when the file is written (generate it from a script, or fill them in by hand).
...
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
#mysql: only from the replication peer; 3306 open to the whole internet (with a 'replication'@'%' grant on top) hands the database to everyone
-A INPUT -p tcp -s *slave-ip* --dport 3306 -j ACCEPT
#other: squid, mail, and squid's ICP port. The php-fpm port (9000) is deliberately not in this list: FastCGI reachable from outside means anyone can run PHP on the box, so keep it on 127.0.0.1 only.
-A INPUT -p tcp -m multiport --dports 3128,smtp,submission -j ACCEPT
-A INPUT -p udp -m multiport --dports icpv2,58177 -j ACCEPT

# Allows SSH connections from your home IP
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW -s $ip --dport $sshport -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
...

#echo to /etc/iptables.reload.sh
#Note that this only resets the filter table (not NAT etc.). iptables-restore already flushes the filter table and replaces it in one go, so the -F/-X are optional; leaving them out avoids a short moment with an empty ruleset.
#!/bin/bash
iptables -F
iptables -X
iptables-restore < /etc/iptables.rules

chmod u+x /etc/iptables.reload.sh

#echo to /etc/rc.local (above the final "exit 0")
/etc/iptables.reload.sh
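Added example, not from the page: a small generator for /etc/iptables.rules. Since iptables-restore reads the file literally, the $ip and $sshport placeholders above have to be substituted when the file is written; this does that from a script and refuses bad input first, because a mistyped admin address silently locks you out of SSH. The admin IP, SSH port and database peer are parameters; the 203.0.113.x and 198.51.100.x values in the usage comment are documentation addresses, not real hosts. It also limits 3306 to the replication peer and sets the chain policies to DROP, which goes a little beyond the rules above.

```bash
#!/bin/bash
# Added example: render /etc/iptables.rules from validated shell variables.
# iptables-restore does not expand $ip/$sshport itself, so the values are substituted here.
# Addresses in the usage line are RFC 5737 documentation ranges (placeholders).

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0-255
valid_ipv4() {
    local ip="$1" IFS=. o
    case "$ip" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $ip
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# valid_port N -> 0 if N is an integer in 1-65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_rules ADMIN_IP SSH_PORT DB_PEER_IP -> prints a ruleset for iptables-restore on stdout
render_rules() {
    local admin_ip="$1" sshport="$2" db_peer="$3"
    valid_ipv4 "$admin_ip" || { echo "bad admin ip: $admin_ip" >&2; return 1; }
    valid_port "$sshport"  || { echo "bad ssh port: $sshport" >&2; return 1; }
    valid_ipv4 "$db_peer"  || { echo "bad db peer ip: $db_peer" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and refuse 127/8 arriving on any other interface
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# web
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# MySQL only from the replication peer, never from the whole internet
-A INPUT -p tcp -s $db_peer --dport 3306 -j ACCEPT
# SSH only from the admin address; the port must match Port in sshd_config
-A INPUT -p tcp -m state --state NEW -s $admin_ip --dport $sshport -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Usage:
#   render_rules 203.0.113.9 22 198.51.100.7 > /etc/iptables.rules
#   iptables-restore --test < /etc/iptables.rules   # parse only, commit nothing
#   /etc/iptables.reload.sh
```

The input checks are what make the heredoc safe: a parameter like "203.0.113.9 -j ACCEPT" would otherwise be spliced into the rules file as-is, and the rejection of it is part of the test.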

OpenVZ install on Debian 6.0

mkdir /var/openvz-dl
cd /var/openvz-dl

x86 (32-bit)
wget http://download.openvz.org/kernel/branches/rhel6-2.6.32/042stab062.2/vzkernel-2.6.32-042stab062.2.i686.rpm
wget http://download.openvz.org/kernel/branches/rhel6-2.6.32/042stab062.2/vzkernel-devel-2.6.32-042stab062.2.i686.rpm
wget http://download.openvz.org/utils/vzctl/4.0/vzctl-4.0-1.i386.rpm
wget http://download.openvz.org/utils/vzctl/4.0/vzctl-core-4.0-1.i386.rpm
wget http://download.openvz.org/utils/ploop/1.5/ploop-1.5-1.i386.rpm
wget http://download.openvz.org/utils/ploop/1.5/ploop-lib-1.5-1.x86_64.rpm
wget http://download.openvz.org/utils/vzquota/3.1/vzquota-3.1-1.i386.rpm

x86_64 (64-bit)
wget http://download.openvz.org/kernel/branches/rhel6-2.6.32/042stab062.2/vzkernel-2.6.32-042stab062.2.x86_64.rpm
wget http://download.openvz.org/kernel/branches/rhel6-2.6.32/042stab062.2/vzkernel-devel-2.6.32-042stab062.2.x86_64.rpm
wget http://download.openvz.org/utils/vzctl/4.0/vzctl-4.0-1.x86_64.rpm
wget http://download.openvz.org/utils/vzctl/4.0/vzctl-core-4.0-1.x86_64.rpm
wget http://download.openvz.org/utils/ploop/1.5/ploop-1.5-1.x86_64.rpm
wget http://download.openvz.org/utils/ploop/1.5/ploop-lib-1.5-1.x86_64.rpm
wget http://download.openvz.org/utils/vzquota/3.1/vzquota-3.1-1.x86_64.rpm

apt-get install fakeroot alien
fakeroot alien --to-deb --scripts --keep-version vz*.rpm ploop*.rpm
dpkg -i vz*.deb ploop*.deb --force-overwrite
update-grub

update-rc.d vz defaults
update-rc.d vzeventd defaults

reboot

cd /vz/template/cache
wget http://download.openvz.org/template/precreated/debian-6.0-x86_64.tar.gz
More pre-made templates at http://wiki.openvz.org/Download/template/precreated

cp /usr/lib64/libvzctl-4.0.so /usr/lib/libvzctl-4.0.so
apt-get install libcgroup1

#Make new box (with ID 1)
vzctl create 1 --ostemplate debian-6.0-x86_64

#Static IP networking:
vzctl set 1 --nameserver 192.168.1.1 --save
vzctl set 1 --ipadd 192.168.1.103 --save

#Start box
vzctl start 1

Bridged networking

NOT WORKING YET

aptitude install bridge-utils
ifdown eth0
brctl addbr br0
brctl addif br0 eth0
ifconfig eth0 0
dhclient br0

vzctl set 1 --netif_add eth0,,,,br0 --save
----OR----
-----
ifconfig eth0
*write down mac address*
easymac.sh -R
*write down new address*
vzctl set 1 --veth_add veth1.0,08:00:27:42:1e:15,eth0,00:0C:29:22:D7:C1 --save
-----

ifconfig veth1.0 0
brctl addif br0 veth1.0
vzctl enter 1
dhcpcd eth0
dhclient eth0

Copy openvz container to new template

Stop the openvz container first (vzctl stop 1 for the box created above)!

#Create a file /tmp/excludes.excl with these contents:

.bash_history
/dev/*
/mnt/*
/tmp/*
/proc/*
/sys/*
/usr/src/*

#Then create the tar. Remember that the excludes leave /dev empty: on a system that is not using udev, check /dev inside the new container afterwards, because some device nodes (/dev/ptmx among others) may have to be recreated with mknod. Also take the container's identity out of the template: remove /etc/ssh/ssh_host_* (and regenerate them on each clone), otherwise every container built from it presents the same SSH host keys.

tar --numeric-owner -X /tmp/excludes.excl -cjpf /var/mysystem.tar.bz2 /

Using mod-cband to limit monthly bandwidth on apache2 vhosts

Install

apt-get install apache2-dev
cd /var
wget http://dembol.org/downloads/cband/mod-cband-0.9.7.5.tgz
tar -zxvf mod-cband-0.9.7.5.tgz
cd mod-cband-0.9.7.5
./configure

Now open Makefile and change the line starting with APXS_OPTS= to:
APXS_OPTS=-lm -Wc,-Wall -Wc,-DDST_CLASS=3

make
make install

Example vhost

<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/dom.ex/public_html/testblog
ServerName testblog.dom.ex

CBandLimit 100G
CBandScoreboard /var/www/scoreboard
CBandPeriod 4W

#<Location /cband-status>
#    SetHandler cband-status
#</Location>
# The status pages show traffic figures for the host; keep them off the public
# internet (Apache 2.2 access syntax, as on Squeeze)
<Location /cband-status-me>
SetHandler cband-status-me
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
</VirtualHost>

More info here

How to install Mono 2.11.2 on Debian Squeeze

At the time of writing 2.11.2 is the newest version for Mono that I could find. If a newer version of Mono has come out by now, you can probably find it here.

Before installing

Before installing version 2.11.2 I actually had 2.6.7 installed (which doesn't support .NET 4.0). I am not sure if my installation guide will work without you having done this, so in case you run into problems, run this first:

apt-get install mono-complete
apt-get remove mono-complete

After doing this, the command "mono -V" actually still showed 2.6.7 as being installed, so I'm not exactly sure if any of these files were required to get 2.11.2 to run.

Installation guide

Make might take 30-60 minutes, make-install should be fast

Updated for 3.4.0

The 3.4.0 tarball is missing a file (mcs/tools/xbuild/targets/Microsoft.Portable.Common.targets), so one of the commands below creates it before the build.

apt-get update
apt-get install -y gcc libtool bison pkg-config libglib2.0-dev gettext make bzip2 g++ build-essential

mkdir -p /var/mono-install
cd /var/mono-install

wget http://origin-download.mono-project.com/sources/mono/mono-3.4.0.tar.bz2
tar xvjf mono-3.4.*.tar.bz2
cd mono-3.4.*

echo -e '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n    <Import Project="..\Microsoft.Portable.Core.props" />\n    <Import Project="..\Microsoft.Portable.Core.targets" />\n</Project>' > mcs/tools/xbuild/targets/Microsoft.Portable.Common.targets

./configure --prefix=/opt/mono-3.4
make
make install

rm /usr/bin/mono
rm /usr/bin/gmcs
rm /usr/bin/mcs
rm /usr/bin/smcs
rm /usr/bin/dmcs
ln -s /opt/mono-3.4/bin/mono /usr/bin/mono
ln -s /opt/mono-3.4/bin/gmcs /usr/bin/gmcs
ln -s /opt/mono-3.4/bin/mcs /usr/bin/mcs
ln -s /opt/mono-3.4/bin/smcs /usr/bin/smcs
ln -s /opt/mono-3.4/bin/dmcs /usr/bin/dmcs

Updated for 3.2.6

apt-get update
apt-get install -y gcc libtool bison pkg-config libglib2.0-dev gettext make bzip2 g++ build-essential

mkdir -p /var/mono-install
cd /var/mono-install

wget http://origin-download.mono-project.com/sources/mono/mono-3.2.6.tar.bz2
tar xvjf mono-3.2.*.tar.bz2
cd mono-3.2.*
./configure --prefix=/opt/mono-3.2

make
make install

rm /usr/bin/mono
rm /usr/bin/gmcs
rm /usr/bin/mcs
rm /usr/bin/smcs
rm /usr/bin/dmcs
ln -s /opt/mono-3.2/bin/mono /usr/bin/mono
ln -s /opt/mono-3.2/bin/gmcs /usr/bin/gmcs
ln -s /opt/mono-3.2/bin/mcs /usr/bin/mcs
ln -s /opt/mono-3.2/bin/smcs /usr/bin/smcs
ln -s /opt/mono-3.2/bin/dmcs /usr/bin/dmcs

Updated for 3.0.3

apt-get update
apt-get install gcc libtool bison pkg-config libglib2.0-dev gettext make bzip2 g++

mkdir /var/mono-install
cd /var/mono-install

wget http://origin-download.mono-project.com/sources/mono/mono-3.0.3.tar.bz2
tar xvjf mono-3.0.3.tar.bz2
cd mono-3.0.3
./configure --prefix=/opt/mono-3.0

# Make might take 30-60 minutes, make-install should be fast
make
make install

cd /usr/bin
mv mono mono.old
mv gmcs gmcs.old
ln -s /opt/mono-3.0/bin/mono /usr/bin/mono
ln -s /opt/mono-3.0/bin/gmcs /usr/bin/gmcs

2.11.2 version

apt-get update
apt-get install gcc libtool bison pkg-config libglib2.0-dev gettext make bzip2 g++

mkdir /var/mono-install
cd /var/mono-install

wget http://origin-download.mono-project.com/sources/mono/mono-2.11.2.tar.bz2
tar xvjf mono-2.11.2.tar.bz2
cd mono-2.11.2
./configure --prefix=/opt/mono-2.11

# Make might take 30-60 minutes, make-install should be fast
make
make install

cd /usr/bin
mv mono mono.old
mv gmcs gmcs.old
ln -s /opt/mono-2.11/bin/mono /usr/bin/mono
ln -s /opt/mono-2.11/bin/gmcs /usr/bin/gmcs

Easily install pptpd on Debian with this bash script

PPTP authenticates with MS-CHAPv2, whose handshake can be broken offline from a capture, so treat this as a convenience tunnel and not as a VPN you trust on hostile networks; for that, use OpenVPN or IPsec instead.

-----

#!/bin/bash
username=someUser
password=somePass
externalip=your.servers.ip.address

apt-get -y update
apt-get -y install pptpd
# DNS servers handed to clients belong in the ppp options file; the address pool goes in pptpd.conf,
# which on Debian already points at /etc/ppp/pptpd-options
echo -e "ms-dns 8.8.8.8\nms-dns 8.8.4.4" >> /etc/ppp/pptpd-options
echo -e "localip 10.0.0.1\nremoteip 10.0.0.10-100" >> /etc/pptpd.conf
# chap-secrets format: client  server  secret  IP-addresses ("*" = any)
echo "$username * $password *" >> /etc/ppp/chap-secrets
chmod 600 /etc/ppp/chap-secrets

iptables -t nat -A POSTROUTING -j SNAT -s 10.0.0.0/16 --to-source $externalip

/etc/init.d/pptpd restart

-----

You may also have to execute mknod /dev/ppp c 108 0. Inside an OpenVZ container the device must additionally be allowed from the host: vzctl set <id> --features ppp:on --devices c:108:0:rw --save

Make iptables rule stick on reboot:

Edit /etc/rc.local and add:

iptables -t nat -A POSTROUTING -j SNAT -s 10.0.0.0/16 --to-source your.servers.ip.address

Replace your.servers.ip.address with the external IP address of your server. Make sure to add the line ABOVE exit 0; rc.local must end with that.

Getting Internet to work through the VPN:

Edit /etc/sysctl.conf and uncomment the following line

net.ipv4.ip_forward=1

Execute the sysctl command to enable the new settings in the configuration file

sysctl -p

Other Stuff

You may need to add additional iptables rules to get internet working (ppp+ matches ppp0, ppp1, ...; with ppp0 only the first connected client is covered):

iptables -A FORWARD -s 10.0.0.0/16 -o ppp+ -j ACCEPT
iptables -A FORWARD -d 10.0.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp+ -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT

Note that "-A INPUT -i ppp+ -j ACCEPT" lets every VPN user reach every service on the server itself, MySQL included; narrow it to the ports they actually need.

To show the NAT tables as they are atm;

iptables -t nat -L --line-numbers

To remove a rule (#2 in this case);

iptables -t nat -D POSTROUTING 2

Problem? Diagnose it!

If you want to enable debugging follow these steps: Open up /etc/rsyslog.conf (or syslog.conf). Add the line:

daemon.debug /var/log/pptpd.log

Next, kill off the current rsyslogd or syslogd and start a new one:

killall rsyslogd
/usr/sbin/rsyslogd

OR

killall syslogd
/usr/sbin/syslogd

To diagnose faults, enable the debug and dump options in /etc/pptpd.conf. The change takes effect on the next connection. The debug output goes to /var/log/debug, the dump output and the usual output to /var/log/messages.

After doing these two things, you can probably find the problem here;

/var/log/pptpd.log

A very common error is

PTY read or GRE write failed (pty,gre)=(5,6)

I have yet to find out what it means.

Don't forget to disable debugging again when you're done. It eats resources.