Give me a Raspberry Pi and I’ll want 12

For quite some time, I avoided acquiring any Raspberry Pis. I already have four VPS, and I genuinely wanted to avoid expanding the number of Linux instances I was responsible for. My hesitation was for good reason; less than a month after acquiring my first Pi 3, I found a reason to add a second to our home network.

To be clear, I’ve nothing against the Raspberry Pi; I simply knew that my addictive personality would compel me to find ever-more uses for the devices, compelling their multiplication.


Compiling nginx with OpenSSL 1.0.2 to maintain HTTP/2 support

Chrome 51 disabled support for NPN, or Next Protocol Negotiation, the TLS extension that millions of nginx servers relied on to negotiate HTTP/2 with Chrome users. For anyone running nginx built against OpenSSL 1.0.1, Chrome 51 users still connect over TLS, but fall back to the legacy HTTP/1.1 specification, which lacks the performance benefits HTTP/2 imparts.

Both the nginx project and Mattias Geniar provide lengthier explanations of what changed in Chrome 51:

For those wondering how to restore HTTP/2 support for Chrome 51 users, there is but one answer: build nginx against OpenSSL 1.0.2. While OpenSSL 1.0.1 is only receiving security updates (and will stop receiving any updates after December 31, 2016), OpenSSL 1.0.2 is actively maintained and receiving new features, including the successor to NPN, which nginx supports: ALPN, or Application-Layer Protocol Negotiation. ALPN is implemented by the OpenSSL library nginx is linked against, not by nginx itself, so upgrading nginx alone changes nothing; the OpenSSL underneath it must be 1.0.2 or newer.
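As an added example (not from the original post), the following POSIX shell script performs the two checks that matter here: whether the `nginx -V` build string names an OpenSSL release that has ALPN (1.0.2 or newer), and whether a given `openssl s_client -alpn h2` transcript shows the server actually selecting h2 through ALPN rather than only offering it over NPN. The nginx and s_client outputs embedded in the script are constructed samples, and the configure flags in the comment assume an OpenSSL source tree at /usr/local/src/openssl-1.0.2h.

```shell
#!/bin/sh
# Added example, not from the original post. Two offline checks for the
# NPN -> ALPN change: does the nginx build string name an OpenSSL with ALPN
# (1.0.2 or newer), and did a TLS handshake actually select h2 via ALPN?
# On a real host the inputs would come from:
#   nginx -V 2>&1
#   openssl s_client -alpn h2 -servername example.com -connect example.com:443 </dev/null 2>/dev/null
# A build that fails the first check needs a rebuild, e.g. (assumed source path):
#   ./configure --with-http_ssl_module --with-http_v2_module \
#               --with-openssl=/usr/local/src/openssl-1.0.2h

# nginx_openssl_ok BUILD_STRING
# Returns 0 when "built with OpenSSL x.y.z" is 1.0.2 or newer, 1 otherwise.
nginx_openssl_ok() {
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/.*built with OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -gt 0 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 2 ]; then return 0; fi
    return 1
}

# alpn_h2_negotiated S_CLIENT_OUTPUT
# Returns 0 only if the server selected h2 through ALPN. A server that still
# relies on NPN prints "No ALPN negotiated" here even though it would answer
# an NPN probe (-nextprotoneg h2), which is exactly what Chrome 51 stopped sending.
alpn_h2_negotiated() {
    printf '%s\n' "$1" | grep -q '^ALPN protocol: h2$'
}

# Constructed samples (not captured from real hosts).
NGINX_OLD='nginx version: nginx/1.10.0
built with OpenSSL 1.0.1t  3 May 2016
TLS SNI support enabled'
NGINX_NEW='nginx version: nginx/1.10.0
built with OpenSSL 1.0.2h  3 May 2016
TLS SNI support enabled'
SCLIENT_NPN='---
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2'
SCLIENT_ALPN='---
ALPN protocol: h2
SSL-Session:
    Protocol  : TLSv1.2'

for sample in "$NGINX_OLD" "$NGINX_NEW"; do
    if nginx_openssl_ok "$sample"; then
        echo "build: OpenSSL is new enough for ALPN"
    else
        echo "build: OpenSSL predates ALPN; rebuild nginx with --with-openssl pointing at 1.0.2"
    fi
done

for transcript in "$SCLIENT_NPN" "$SCLIENT_ALPN"; do
    if alpn_h2_negotiated "$transcript"; then
        echo "handshake: h2 selected via ALPN"
    else
        echo "handshake: no ALPN h2 (NPN-only server, or HTTP/1.1 only)"
    fi
done
```

The version check deliberately parses the "built with" string rather than the running library, because nginx decides at compile time whether to call OpenSSL's ALPN API; the handshake check is what confirms the deployed binary really advertises h2 the way Chrome 51 expects.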


Unintentionally rate-limiting VaultPress

Several weeks ago, I implemented nginx’s rate-limiting mechanism for all services hosted on my VPS. As a result, any non-GET request is subject to quite low limits on how many requests can be made in a given timeframe. As I discussed further in “Rate limiting: another way I guard against brute-force logins,” I chose very strict login limits as I’m the only person regularly authenticating with anything I host.

So far, there’s been only one unintended effect from these changes: VaultPress cannot reliably back up my site. Until recently, I hadn’t enabled any server-level access for VaultPress, which forced it to perform backups via HTTP requests triggered from WP Cron events. This approach was fine when requests weren’t limited, but VaultPress now finds itself blocked on every backup attempt.
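The following nginx fragment is an added illustration of the kind of method-keyed limit described above; it is not the author's configuration, and the rate, burst and server name are placeholders. The trick is a `map` that yields an empty key for GET and HEAD, since nginx does not account requests whose key is empty, so only non-GET requests are throttled per client address.

```nginx
# Added example, not the original post's configuration.
# Empty key => not counted, so GET/HEAD pass untouched; everything else is
# keyed on the client address.
map $request_method $nonget_key {
    default $binary_remote_addr;
    GET     "";
    HEAD    "";
}

# One non-GET request per second per client, with a small burst.
limit_req_zone $nonget_key zone=nonget:10m rate=1r/s;

server {
    listen 443 ssl http2;
    server_name example.com;          # placeholder

    location / {
        limit_req zone=nonget burst=5 nodelay;
        limit_req_status 429;         # 503 is the default; 429 is clearer in logs
        # ... proxy_pass / fastcgi_pass to WordPress ...
    }

    # A separate, stricter zone for wp-login.php would sit alongside this one.
}
```

This is also why a backup service that drives WordPress over HTTP runs into the wall: WordPress spawns its cron by POSTing to wp-cron.php, and the backup's own calls arrive as non-GET requests from a handful of addresses, so a per-address burst of five is exhausted almost immediately. Exempting a source would mean another `map` branch (or a `geo` block) that maps its address to an empty key; the posts that follow take the other route and give such services SFTP access instead.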


Restricted SFTP access in Debian

As I’ll elaborate on in a few days1, when I added rate-limiting to nginx, I unintentionally blocked some legitimate traffic. Rather than make exceptions for these sources, I chose to provide certain services with read-only SFTP access to the specific directories they require.

It’s worth noting that in my case, I needed to grant particular users, not user groups, access to certain directories. Also, I have no need for any of these special users to access the same items. As a result, the following is tailored to user-level access to discrete directories, but can be set up using groups instead. I won’t detail that here, but the following should be sufficient for one to extrapolate how it would work for groups and shared directories.
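As an added example (not the author's script), the shell below sets up one read-only, chrooted SFTP account on Debian and exposes a single directory to it by bind-mounting that directory read-only inside the chroot. The user name `backupsvc`, the chroot root `/srv/sftp`, and the source directory are placeholders, and the `-R` read-only flag for internal-sftp assumes a reasonably current OpenSSH (Debian Jessie's 6.7 has it). The setup function needs root and is only run when the script is invoked with arguments; the ownership check and the sshd_config stanza generator run unprivileged.

```shell
#!/bin/sh
# Added example, not the original post's script. Per-user, read-only,
# chrooted SFTP on Debian. Placeholders: user backupsvc, chroot under
# /srv/sftp/<user>, exposed directory mounted at <chroot>/html.
#
# Usage (as root):  sh sftp-user.sh backupsvc /var/www/example.com/html /path/to/key.pub

# sshd_match_stanza USER
# Prints the sshd_config block for USER. %u keeps the chroot path per-user;
# "internal-sftp -R" refuses every write even if the mount were writable.
sshd_match_stanza() {
    printf 'Match User %s\n' "$1"
    printf '    ChrootDirectory /srv/sftp/%%u\n'
    printf '    ForceCommand internal-sftp -R\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
    printf '    PasswordAuthentication no\n'
}

# chroot_dir_ok DIR
# sshd refuses a ChrootDirectory unless it and every parent are owned by
# root and not group- or world-writable ("bad ownership or modes for chroot
# directory"). Walks from DIR up to / and returns 1 at the first offender.
chroot_dir_ok() {
    d=$1
    while :; do
        owner=$(stat -c %u "$d") || return 1
        mode=$(stat -c %a "$d") || return 1
        [ "$owner" -eq 0 ] || { echo "$d: not owned by root" >&2; return 1; }
        perms=$(printf '%s' "$mode" | tail -c 2)   # group and other digits
        case "$perms" in
            *[2367]*) echo "$d: group/world writable (mode $mode)" >&2; return 1 ;;
        esac
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}

# setup_sftp_user USER SRCDIR PUBKEY
# Creates a login-less system user, a root-owned chroot, a read-only bind
# mount of SRCDIR inside it, installs the key and appends the Match block.
setup_sftp_user() {
    user=$1; src=$2; pubkey=$3; chroot=/srv/sftp/$user
    adduser --system --group --home "$chroot" --no-create-home \
            --shell /usr/sbin/nologin "$user"
    mkdir -p "$chroot/html" "$chroot/.ssh"
    chown root:root /srv/sftp "$chroot" "$chroot/.ssh"
    chmod 755 /srv/sftp "$chroot"
    chmod 700 "$chroot/.ssh"
    # authorized_keys is read before the chroot applies, from the real path.
    install -m 600 -o root -g root "$pubkey" "$chroot/.ssh/authorized_keys"
    # A plain --bind inherits the source's rw flag; the remount makes it ro.
    mount --bind "$src" "$chroot/html"
    mount -o remount,ro,bind "$chroot/html"
    chroot_dir_ok "$chroot" || return 1
    sshd_match_stanza "$user" >> /etc/ssh/sshd_config
    sshd -t && service ssh reload
}

# Unprivileged demonstration: show the stanza and test the check against /.
sshd_match_stanza backupsvc
if chroot_dir_ok /; then
    echo "/ satisfies sshd's chroot ownership rules"
fi
# Real setup only when invoked as root with all three arguments.
if [ "$(id -u)" -eq 0 ] && [ -n "${1:-}" ] && [ -n "${2:-}" ] && [ -n "${3:-}" ]; then
    setup_sftp_user "$1" "$2" "$3"
fi
```

Two points worth keeping in mind: the bind mount has to be re-established after a reboot (an `/etc/fstab` entry with the `bind,ro` options does it), and the chroot directory itself stays root-owned and unwritable by the user, which is why the exposed data lives in a subdirectory rather than at the chroot root.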


  1. That post started as an introduction to this one, then approached 500 words, which called for excision.

Briefly contrasting StartSSL and Let’s Encrypt

I really want to love Let’s Encrypt, but then I turn to StartSSL. In my case, I’ve a Class 2 validation, so I can issue wildcard certificates with two-year validity. While Let’s Encrypt is automated, the three-month duration is still an annoyance when different applications and programming languages use different CSR, key, and leaf formats. Add to that the need to enumerate every subdomain covered, and I’m prone to stick with StartSSL.

Also, StartSSL now has an API, which had been one of Let’s Encrypt’s advantages. While I don’t issue certificates frequently enough to warrant such an integration, it’s a nice feature to consider for other StartSSL applications.

For me, it comes down to this: I use Let’s Encrypt for the fluctuating, random assortment of domains that I register on a whim and redirect elsewhere, while StartSSL is what I use for domains of permanence or significance. This isn’t a slight against Let’s Encrypt, it just doesn’t suit my particular needs.

Backups volume

Following up on my backups-focused post from January, I wanted to share some statistics from my BackupPC instance.

Pool is 134.45GB comprising 1,211,118 files and 4,369 directories (as of 2016-05-04 00:34)

This pool dates to February 20, 2016.

There are 4 hosts that have been backed up, for a total of:

  • 87 full backups of total size 1,544.40GB (prior to pooling and compression),
  • 231 incr backups of total size 1,141.75GB (prior to pooling and compression).

As I noted in January, my BackupPC configuration takes hourly snapshots of my three production VPS, performing a full backup every three days. The quantity of incremental backups is what it is because each VPS profile retains all of the incremental backups made between each full backup (72 of them, per server).

Fortunately, the VPS hosting my BackupPC service has 750GB of storage, so my relatively insignificant consumption rate isn’t a concern.