Bill MacKenty
Everything related to Linux, including system administration. I'm a Debian-based admin, quite unlikely to change my tech stack unless there is a compelling reason to change.
Multiple versions of PHP on the same web server
looks like a job for PHP-FPM...
For better or worse I administer my own web server / web-services. I actually quite enjoy this, but I'm not a professional, which means sometimes I learn things the hard way, and sometimes I make mistakes. I recently installed an invoicing system, which needed PHP 8.1+. Most of my web applications run on 7.4, specifically mediawiki. I would prefer it if everything was on 8.1 and I'm slowly getting there.
I learned about a nifty new tech, PHP-FPM, which enables (among other things) multiple versions of PHP on a per-site basis. Which is cool. The end goal is (of course) to use only one version of PHP, but for now I am enjoying the tinkering.
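An added example, not code from the post: on Debian each site can get its own PHP-FPM pool, and each pool can run as its own unix user, listen on its own socket and be pinned to its own directory with open_basedir. That turns the per-site version choice into a per-site privilege boundary as well, so an exploit in the invoicing app cannot read the wiki's LocalSettings.php. The script assumes Apache with mod_proxy_fcgi in front (the post does not say which web server is in use), the stock Debian paths for php7.4-fpm and php8.1-fpm, and hypothetical site names, accounts and document roots. It takes a root-directory argument so it can be tried in a scratch directory before anything is written into /etc.

```sh
#!/bin/sh
# Added example (not from the post): one PHP-FPM pool and one Apache vhost per
# site, each pool on its own PHP version and its own unix user. Paths follow
# Debian's php<ver>-fpm packaging (/etc/php/<ver>/fpm/pool.d, /run/php) and
# Apache with mod_proxy_fcgi is assumed as the front end.
set -eu

# write_site_pool ROOT VERSION SITE USER DOCROOT
#   ROOT     prefix for the generated files: "" on a live system, a scratch
#            directory for a dry run
#   VERSION  PHP version, e.g. 7.4 or 8.1 (php<VERSION>-fpm must be installed)
#   SITE     short name used for the pool, its socket and the vhost file
#   USER     dedicated unix account the pool's workers run as (must exist)
#   DOCROOT  directory Apache serves; open_basedir is pinned to it
write_site_pool() {
    root=$1 ver=$2 site=$3 user=$4 docroot=$5
    sock="/run/php/php${ver}-fpm-${site}.sock"
    pool_dir="${root}/etc/php/${ver}/fpm/pool.d"
    vhost_dir="${root}/etc/apache2/sites-available"
    mkdir -p "$pool_dir" "$vhost_dir"

    # The pool's workers run as USER; the socket is only reachable by www-data
    # (Apache), so no other local account can hand this pool PHP requests.
    cat > "${pool_dir}/${site}.conf" <<EOF
[${site}]
user = ${user}
group = ${user}
listen = ${sock}
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
; php_admin_* values cannot be overridden from .htaccess or ini_set()
php_admin_value[open_basedir] = ${docroot}:/tmp
php_admin_flag[allow_url_include] = off
EOF

    # Hand .php requests for this vhost, and only this vhost, to that socket.
    cat > "${vhost_dir}/${site}.conf" <<EOF
<VirtualHost *:80>
    ServerName ${site}.example.org
    DocumentRoot ${docroot}
    <FilesMatch "\.php\$">
        SetHandler "proxy:unix:${sock}|fcgi://localhost"
    </FilesMatch>
</VirtualHost>
EOF
}

# pool_socket ROOT VERSION SITE
#   Prints the socket a generated pool listens on; compare it with the
#   SetHandler line of the vhost to confirm the site runs the PHP you expect.
pool_socket() {
    sed -n 's/^listen = //p' "$1/etc/php/$2/fpm/pool.d/$3.conf"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_site_pool "$tmp" 7.4 wiki     wiki     /var/www/wiki       # hypothetical site
    write_site_pool "$tmp" 8.1 invoices invoices /var/www/invoices   # hypothetical site
    find "$tmp" -type f
    pool_socket "$tmp" 8.1 invoices
fi
```

For a live system pass an empty root, create the pool account first (adduser --system --group invoices) and make it the owner of the document root, then a2enmod proxy_fcgi, a2ensite invoices, and reload php8.1-fpm and apache2. Because the socket is mode 0660 and owned by www-data only Apache can talk to the pool, and because open_basedir is set with php_admin_value the application cannot loosen it from .htaccess or ini_set().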
Linux server with lots of students - assigning individual read / write for students in /var/www
I use (and love) linode for my web hosting, email, database, and other linux needs. I'll be using linode for my web applications class next year (about 15 students). I had a problem thinking how I would enable students to write to a web directory (/var/www) without giving them all sudo access (or allowing them to write into another student's directory).
It took me some time to find a solution, and it is beautifully simple (of course). Click here to see the thread.
If you make /var/www writeable by its group and add the user to the group, that user will not have to use sudo.
Try this:
sudo adduser <username> www-data   # add the student's account to the www-data group (with a single argument adduser would create a new user instead)
sudo chown -R www-data:www-data /var/www   # normalise ownership of everything under /var/www
sudo chmod -R g+rwX /var/www   # group may read and write files and enter (X) directories
The user should then be able to edit /var/www/ files without hassle. The first line adds the user to the www-data group, the second line clears up any files with messed up ownership, and the third makes it so that all users who are members of the www-data group can read and write all files in /var/www. If you are logged in as that user, you need to log out and log back in for the group membership to take effect.
I confirm this works.
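The thread's recipe gives every member of www-data write access to all of /var/www, which removes the need for sudo but not the second half of the problem, students writing into each other's directories. As an added example (not from the thread or the post), the script below gives each student a directory of their own under a base such as /var/www/students, owned by the student with group www-data and mode 2750: the student can write, the web server (running as www-data on Debian) can read and serve, other students get nothing, and the setgid bit keeps new files in the www-data group so the server keeps its read access. The base directory and the student names are hypothetical; ownership changes are only applied with APPLY=1 as root, so the functions can be rehearsed in a scratch directory first.

```sh
#!/bin/sh
# Added example (not from the post or the thread): one web directory per
# student with least privilege.
#   owner  = the student   rwx  can edit their own site
#   group  = www-data      r-x  the web server can read and serve it
#   others = nothing       ---  classmates can neither read nor write it
# The setgid bit (the 2 in 2750) makes files the student creates inherit
# the www-data group, so the server keeps read access without a later
# chmod -R.
set -eu

WEB_GROUP=${WEB_GROUP:-www-data}   # group the web server runs as (Debian default)
APPLY=${APPLY:-0}                  # 1 = really chown (needs root); 0 = dry run

# make_student_dir BASE STUDENT
#   Creates BASE/STUDENT with mode 2750 and, when APPLY=1, hands it to
#   STUDENT:WEB_GROUP. In dry-run mode the chown is reported, not executed,
#   so the layout can be rehearsed in a scratch directory as any user.
make_student_dir() {
    base=$1 student=$2
    dir="$base/$student"
    mkdir -p "$dir"
    chmod 2750 "$dir"
    if [ "$APPLY" = 1 ]; then
        chown "$student:$WEB_GROUP" "$dir"
    else
        echo "dry run: would chown $student:$WEB_GROUP $dir" >&2
    fi
}

# check_student_dir BASE STUDENT
#   Returns 0 when the directory exists with exactly the intended bits
#   (drwxr-s---) and 1 otherwise; run it after the fact as a quick audit.
check_student_dir() {
    dir="$1/$2"
    [ -d "$dir" ] || return 1
    mode=$(ls -ld "$dir" | cut -c1-10)
    [ "$mode" = "drwxr-s---" ]
}

# setup_students BASE STUDENT...
#   BASE must be traversable by the web server but never writable by
#   students, so it stays at 0755 (root-owned on a real box); every listed
#   student gets a directory under it.
setup_students() {
    base=$1; shift
    mkdir -p "$base"
    chmod 0755 "$base"
    for s in "$@"; do
        make_student_dir "$base" "$s"
    done
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    setup_students "$tmp/students" alice bob   # hypothetical accounts
    for s in alice bob; do
        check_student_dir "$tmp/students" "$s" && echo "ok: $s"
    done
fi
```

The students' umask still matters: a file created at 0644 is readable by every account on the box, which is fine for web content but not for a config file with a database password in it; a umask of 027 on their accounts keeps new files at 0640, still readable by www-data through the inherited group. Apache also has to be pointed at the tree (a Directory block or per-student vhosts), which is a separate step.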
Reform ECPA: Tell the Government to Get a Warrant
Hey readers!
I've just signed this petition, and I urge you to, as well.
Americans are deeply concerned about NSA surveillance.
But the NSA’s not the only problem. An outdated law says the IRS and hundreds of other agencies can read our communications without a warrant.
That law, known as the Electronic Communications Privacy Act (ECPA), was written over 25 years ago, before the services we use today even existed.
Right now, several bills in Congress would fix this by updating ECPA to require a warrant, but regulatory bodies are blocking reform in order to gain new powers of warrantless access.
We call on the Obama Administration to support ECPA reform and to reject any special rules that would force online service providers to disclose our email without a warrant.
Fab-fi
How can we have internet when the government or corporations try to shut it off? One system, known as fab-fi, can be found here.
I’m putting this in my “mandatory for offline access folders”. I would love to try to build this with some students.
fail2ban
I’m using fail2ban, because I was getting tired of this:
Mar 7 17:01:39 grue sshd[8895]: Failed password for invalid user simmons from 82.97.15.30 port 38288 ssh2
Mar 7 18:17:41 grue sshd[9154]: Failed password for invalid user test from 142.58.13.91 port 21637 ssh2
Mar 7 18:17:43 grue sshd[9157]: Failed password for invalid user testuser from 142.58.13.91 port 22497 ssh2
Mar 7 18:17:46 grue sshd[9159]: Failed password for invalid user test1 from 142.58.13.91 port 22851 ssh2
Mar 7 18:17:48 grue sshd[9161]: Failed password for invalid user test from 142.58.13.91 port 23192 ssh2
Mar 7 18:17:50 grue sshd[9163]: Failed password for invalid user test from 142.58.13.91 port 23525 ssh2
Mar 7 18:17:53 grue sshd[9165]: Failed password for invalid user test from 142.58.13.91 port 23890 ssh2
Mar 7 18:17:56 grue sshd[9167]: Failed password for invalid user testing from 142.58.13.91 port 24288 ssh2
Mar 7 18:18:12 grue sshd[9179]: Failed password for invalid user admin from 142.58.13.91 port 26452 ssh2
Mar 7 18:18:15 grue sshd[9181]: Failed password for invalid user admin from 142.58.13.91 port 26827 ssh2
Mar 7 18:18:18 grue sshd[9183]: Failed password for invalid user admin from 142.58.13.91 port 27207 ssh2
Mar 7 18:20:01 grue sshd[9263]: Failed password for invalid user jeep from 142.58.13.91 port 41595 ssh2
Mar 7 18:20:04 grue sshd[9265]: Failed password for invalid user alan from 142.58.13.91 port 41985 ssh2
Mar 7 18:20:07 grue sshd[9267]: Failed password for invalid user jim from 142.58.13.91 port 42397 ssh2
Mar 7 18:20:10 grue sshd[9269]: Failed password for invalid user postgres from 142.58.13.91 port 42803 ssh2
Mar 7 18:20:13 grue sshd[9271]: Failed password for invalid user stuff from 142.58.13.91 port 43217 ssh2
Mar 7 18:20:16 grue sshd[9273]: Failed password for invalid user tom from 142.58.13.91 port 43606 ssh2
Mar 7 18:20:19 grue sshd[9275]: Failed password for invalid user adam from 142.58.13.91 port 8257 ssh2
Mar 7 18:20:28 grue sshd[9281]: Failed password for invalid user gov from 142.58.13.91 port 9349 ssh2
Mar 7 18:20:34 grue sshd[9285]: Failed password for invalid user pgsql from 142.58.13.91 port 10193 ssh2
Mar 7 18:20:37 grue sshd[9287]: Failed password for invalid user adm from 142.58.13.91 port 10562 ssh2
Mar 7 18:20:43 grue sshd[9291]: Failed password for invalid user postgres from 142.58.13.91 port 11167 ssh2
Mar 7 18:20:49 grue sshd[9295]: Failed password for invalid user email from 142.58.13.91 port 11656 ssh2
Mar 7 18:20:52 grue sshd[9297]: Failed password for invalid user oracle from 142.58.13.91 port 11926 ssh2
Mar 7 18:20:55 grue sshd[9299]: Failed password for invalid user users from 142.58.13.91 port 12134 ssh2
Mar 7 18:20:58 grue sshd[9301]: Failed password for invalid user user from 142.58.13.91 port 12436 ssh2
Mar 7 18:21:01 grue sshd[9303]: Failed password for invalid user test from 142.58.13.91 port 12652 ssh2
Mar 7 18:21:04 grue sshd[9305]: Failed password for invalid user david from 142.58.13.91 port 12826 ssh2
Mar 7 18:21:07 grue sshd[9307]: Failed password for invalid user lynx from 142.58.13.91 port 13047 ssh2
Mar 7 18:21:10 grue sshd[9309]: Failed password for invalid user music from 142.58.13.91 port 13200 ssh2
Mar 7 18:21:13 grue sshd[9313]: Failed password for invalid user user from 142.58.13.91 port 13384 ssh2
Mar 7 18:21:16 grue sshd[9315]: Failed password for invalid user user from 142.58.13.91 port 13587 ssh2
Mar 7 18:21:19 grue sshd[9317]: Failed password for invalid user user from 142.58.13.91 port 13704 ssh2
Mar 7 19:12:58 grue sshd[9348]: Failed password for invalid user harvey from 82.97.15.30 port 54299 ssh2
Linux security
Why I love Linux:
I was doing some simple system administration yesterday, and realized someone (most likely a bot) was targeting my server.
1. more /var/log/auth.log revealed several lines that looked like this:
Failed password for invalid user user from 211.155.227.171
2. So I tried grep invalid /var/log/auth.log, which revealed this:
Feb 1 20:57:06 grue sshd[5222]: Failed password for invalid user oracle from 211.155.227.171 port 39871 ssh2
Feb 1 20:57:10 grue sshd[5224]: Failed password for invalid user oracle from 211.155.227.171 port 40085 ssh2
Feb 1 20:57:14 grue sshd[5226]: Failed password for invalid user oracle from 211.155.227.171 port 40337 ssh2
Feb 1 20:57:18 grue sshd[5228]: Failed password for invalid user oracle from 211.155.227.171 port 40555 ssh2
Feb 1 20:57:26 grue sshd[5232]: Failed password for invalid user admin from 211.155.227.171 port 40958 ssh2
Feb 1 20:57:30 grue sshd[5234]: Failed password for invalid user admin from 211.155.227.171 port 41160 ssh2
Feb 1 20:57:34 grue sshd[5236]: Failed password for invalid user admin from 211.155.227.171 port 41357 ssh2
Feb 1 20:57:38 grue sshd[5238]: Failed password for invalid user admin from 211.155.227.171 port 41559 ssh2
Feb 1 20:57:41 grue sshd[5240]: Failed password for invalid user admin from 211.155.227.171 port 41749 ssh2
Feb 1 20:57:45 grue sshd[5242]: Failed password for invalid user admin from 211.155.227.171 port 41917 ssh2
Feb 1 20:57:49 grue sshd[5244]: Failed password for invalid user admin from 211.155.227.171 port 42119 ssh2
Feb 1 20:57:53 grue sshd[5246]: Failed password for invalid user admin from 211.155.227.171 port 42321 ssh2
Feb 1 20:57:57 grue sshd[5248]: Failed password for invalid user admin from 211.155.227.171 port 42511 ssh2
Feb 1 20:58:01 grue sshd[5250]: Failed password for invalid user test from 211.155.227.171 port 42721 ssh2
Feb 1 20:58:04 grue sshd[5252]: Failed password for invalid user test from 211.155.227.171 port 42924 ssh2
Feb 1 20:58:08 grue sshd[5254]: Failed password for invalid user test from 211.155.227.171 port 43093 ssh2
Feb 1 20:58:12 grue sshd[5256]: Failed password for invalid user test from 211.155.227.171 port 43291 ssh2
Feb 1 20:58:16 grue sshd[5258]: Failed password for invalid user test from 211.155.227.171 port 43489 ssh2
Feb 1 20:58:20 grue sshd[5260]: Failed password for invalid user test from 211.155.227.171 port 43700 ssh2
Feb 1 20:58:24 grue sshd[5262]: Failed password for invalid user test from 211.155.227.171 port 43889 ssh2
Feb 1 20:58:28 grue sshd[5264]: Failed password for invalid user test from 211.155.227.171 port 44092 ssh2
Feb 1 20:58:32 grue sshd[5266]: Failed password for invalid user anda from 211.155.227.171 port 44295 ssh2
Feb 1 20:58:36 grue sshd[5268]: Failed password for invalid user jb from 211.155.227.171 port 44493 ssh2
Feb 1 20:58:40 grue sshd[5270]: Failed password for invalid user cvsuser from 211.155.227.171 port 44679 ssh2
Feb 1 20:58:45 grue sshd[5272]: Failed password for invalid user cvsuser1 from 211.155.227.171 port 44885 ssh2
Feb 1 20:58:49 grue sshd[5274]: Failed password for invalid user mana from 211.155.227.171 port 45087 ssh2
Feb 1 20:59:01 grue sshd[5280]: Failed password for invalid user vicky from 211.155.227.171 port 45713 ssh2
Feb 1 20:59:05 grue sshd[5282]: Failed password for invalid user setup from 211.155.227.171 port 45927 ssh2
Feb 1 20:59:09 grue sshd[5284]: Failed password for invalid user setup from 211.155.227.171 port 46143 ssh2
Feb 1 20:59:14 grue sshd[5286]: Failed password for invalid user print from 211.155.227.171 port 46359 ssh2
Feb 1 20:59:17 grue sshd[5288]: Failed password for invalid user print from 211.155.227.171 port 46580 ssh2
Feb 1 20:59:21 grue sshd[5290]: Failed password for invalid user raul from 211.155.227.171 port 46773 ssh2
Feb 1 20:59:25 grue sshd[5292]: Failed password for invalid user user1 from 211.155.227.171 port 46983 ssh2
Feb 1 20:59:28 grue sshd[5294]: Failed password for invalid user user from 211.155.227.171 port 47173 ssh2
Feb 1 20:59:33 grue sshd[5296]: Failed password for invalid user user from 211.155.227.171 port 47370 ssh2
Feb 1 20:59:37 grue sshd[5298]: Failed password for invalid user user from 211.155.227.171 port 47584 ssh2
3. Looking at the time stamps, it certainly seems like a normal “guess the user, guess the password” attack. Out of curiosity, I poked around for information about this IP address. Oh look! China!
Location of the IP address 211.155.227.171: Hangzhou, China.
This IP address is also on several blacklists for brute-forcing attacks (of which this is one).
4. Now it is simply a matter of blocking this IP address:
iptables -A INPUT -s 211.155.227.171 -j DROP
# -A appends to the end of the INPUT chain; if an earlier rule already accepts ssh traffic it matches first and this DROP never fires, so -I INPUT 1 is the safer form. The rule is also lost on reboot unless it is saved.
5. And of course, consistent monitoring and REALLY STRONG PASSWORDS!
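The fail2ban post and the five steps above are doing the same thing, once automatically and once by hand: count failed logins per source address in auth.log, then drop traffic from any source that crosses a threshold. The script below is an added example rather than code from either post. It runs that logic over a subset of the log lines the two posts show (plus one constructed successful login from 203.0.113.7, a documentation address, to show that "Accepted" lines are never counted), then prints the iptables commands it would run. It uses -I INPUT 1 rather than -A so the drop is evaluated before any existing ACCEPT rule for ssh, and iptables -C so that running it twice does not stack duplicate rules; the commands are only executed when APPLY=1 and it is running as root.

```sh
#!/bin/sh
# Added example (not from either post): threshold detection of SSH password
# guessing over auth.log lines, then iptables drop rules for the offenders.
# Dry run unless APPLY=1 and running as root.
set -eu

MAXRETRY=${MAXRETRY:-5}   # failed attempts from one address before it is blocked

# Sample input: a subset of the log lines the two posts show, plus one
# constructed successful login (203.0.113.7 is a documentation address) to
# show that "Accepted" lines are never counted.
SAMPLE_LOG='Mar 7 17:01:39 grue sshd[8895]: Failed password for invalid user simmons from 82.97.15.30 port 38288 ssh2
Mar 7 18:17:41 grue sshd[9154]: Failed password for invalid user test from 142.58.13.91 port 21637 ssh2
Mar 7 18:17:43 grue sshd[9157]: Failed password for invalid user testuser from 142.58.13.91 port 22497 ssh2
Mar 7 18:17:46 grue sshd[9159]: Failed password for invalid user test1 from 142.58.13.91 port 22851 ssh2
Mar 7 18:17:48 grue sshd[9161]: Failed password for invalid user test from 142.58.13.91 port 23192 ssh2
Mar 7 18:17:50 grue sshd[9163]: Failed password for invalid user test from 142.58.13.91 port 23525 ssh2
Mar 7 18:18:12 grue sshd[9179]: Failed password for invalid user admin from 142.58.13.91 port 26452 ssh2
Mar 7 18:30:00 grue sshd[9400]: Accepted publickey for bill from 203.0.113.7 port 50000 ssh2
Mar 7 19:12:58 grue sshd[9348]: Failed password for invalid user harvey from 82.97.15.30 port 54299 ssh2
Feb 1 20:57:06 grue sshd[5222]: Failed password for invalid user oracle from 211.155.227.171 port 39871 ssh2
Feb 1 20:57:10 grue sshd[5224]: Failed password for invalid user oracle from 211.155.227.171 port 40085 ssh2
Feb 1 20:57:14 grue sshd[5226]: Failed password for invalid user oracle from 211.155.227.171 port 40337 ssh2
Feb 1 20:57:18 grue sshd[5228]: Failed password for invalid user oracle from 211.155.227.171 port 40555 ssh2
Feb 1 20:57:26 grue sshd[5232]: Failed password for invalid user admin from 211.155.227.171 port 40958 ssh2
Feb 1 20:57:30 grue sshd[5234]: Failed password for invalid user admin from 211.155.227.171 port 41160 ssh2'

# brute_force_sources [MAXRETRY] < auth.log
#   Prints "count ip" for every source with at least MAXRETRY failed password
#   attempts, highest count first. Only sshd "Failed password" lines count,
#   whether for an invalid user or a real one.
brute_force_sources() {
    awk -v max="${1:-$MAXRETRY}" '
        / sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }
    ' | sort -rn
}

# block_sources < "count ip" lines
#   One iptables command per address. -I INPUT 1 puts the rule at the top of
#   the chain so it is evaluated before any existing ACCEPT for ssh (with -A
#   an earlier ACCEPT wins and the DROP never fires); -C first checks whether
#   the same rule is already present so repeated runs do not stack duplicates.
#   Anything that is not a dotted IPv4 address (IPv6 would need ip6tables) is
#   skipped. Commands are only executed with APPLY=1 as root; otherwise they
#   are printed.
block_sources() {
    while read -r count ip; do
        case $ip in
            *[!0-9.]*|'') echo "skipping unparsable source: '$ip'" >&2; continue ;;
        esac
        if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
            iptables -C INPUT -s "$ip" -j DROP 2>/dev/null ||
                iptables -I INPUT 1 -s "$ip" -j DROP
        else
            echo "iptables -I INPUT 1 -s $ip -j DROP    # $count failures"
        fi
    done
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | brute_force_sources | block_sources
fi
```

Rules inserted this way vanish on reboot unless saved (on Debian, iptables-save into /etc/iptables/rules.v4 with the iptables-persistent package). fail2ban's maxretry, findtime and bantime are the same three knobs (count, window, duration) in its sshd jail, with the difference that its bans expire on their own, which a hand-inserted rule never does. And if sshd only accepts keys (PasswordAuthentication no), every line in these logs is noise rather than risk, whatever the passwords look like.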
virtual private servers: an update
I asked about virtual private servers a few days ago, and after some consideration, I decided to go with Linode. All I can say is, wow! I have:
1. identical copies of all my web projects in one place
2. perfect development and testing sandboxes
3. full root access
4. a dedicated IP address
5. 6 databases
6. full suite of testing and development tools (I was using gcc 15 minutes after partitioning my server!)
7. all the different packages I want to use online
8. ubuntu 9.10
9. command line administration
This is a great deal! I’ve become reacquainted with bash, and now I just need to set up a backup system (simple cron and rsync, really).
Thanks to Tom Hoffman for the idea to try linode. The nice thing about this is the high control and functionality I get for the low price. I’ll be transferring DNS over soon, and soon all my hosting services will be run from this virtual instance. I’ll probably get another slice (and backup to it) and use it for development stuff. I’m convinced.
rebootless updates? Yes please.
Just discovered ksplice (via slashdot). This is perfect. My only concern is whether the flow of updates stays strong. As I understand ksplice (from here), the ubuntu community fixes a bug and then the ksplice guys turn it into a rebootless update.
How fast does /that/ process happen, and can I rely on it?
I’ll throw this on my ubuntu test server at work and play with it.
Thank you ksplice people!!!
Why I love Ubuntu and my frustration at work
I’m a long time Linux guy - having played with ancient versions of Red Hat and used ubuntu at home for over a year as my only computer. I’ve long seen the advantages of using Linux in schools (um, free?) and I’ve used it as a web server, squid proxy cache server, print server, and DNS and DHCP server.
Last year, in my current school, we lost 80 computers to a nasty virus. These machines were Windows 2000 boxes, with 128 MB RAM and 20 gig hard disks. Sadly, as Windows 2000 is now in extended support from Microsoft, we were unable to patch our machines. Since they were so old, upgrading them was prohibitively expensive.
This created a massive headache for our school because we had to transfer computers from our student lab to our teachers, and then wait for some computers to come so we could then transfer computers from the teachers back to the students…the long and the short of it is, things are slowly getting back to normal, and we have a bunch of these old windows 2000 computers lying around.
So I installed the latest version of ubuntu on one of them. Surprise, surprise, the computer works like a charm. Yes, it’s a wee bit slow, but for web-surfing, email, and word processing, it’s doing a fine job. I’m exploring some lightweight window managers, to help speed up the GUI response time, but these machines are perfect for linux.
When I approached our director of technology about using linux in our lab, the answer was an unqualified “no”.
Why?
She mentioned something about support, which I understand. Like many schools, we are dramatically under-staffed for technology support. As an instructional designer, I spend a healthy amount of time doing technical support, and not doing instructional design (which I love doing). I think she might be concerned that if we add this technology, we won’t be able to properly support it. However, I am certain that we could figure this out if we wanted to. I know of at least 2 students who do a wonderful job of setting up these computers, and I’m certain we could ensure the linux boxes would not constitute a security threat for our school. I am also certain we could create an update server, to push updates to our clients.
I’ll keep pushing for linux!
Linux certification
In my ongoing effort to better prepare myself to be a director of technology, I’m embarking on a Linux certification course.
I looked into some programs here in NYC, and the price was disgusting ($4000.00) So after some googling, I found this lil gem! The good folks at IBM have provided us with very yummy training for the LPI exams. I’ll tell you how I do on the 101 exam, but for now, I’m pretty excited!
PS: my primary machine at home has been running Ubuntu for almost one year, and I love it.