Archive for the 'sysadmin' Category

php 5.5.12 breaks permissions — fix

May 7, 2014

When upgrading to php 5.5.12 (dotdeb), the /etc/php5/fpm/pool.d/www.conf file is updated. If you're running php-fpm on a unix socket, these lines need to be uncommented:

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
;                 mode is set to 0660
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

listen = /var/run/php5-fpm.sock
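An added check, not part of the original post: a shell function that reads the uncommented listen.owner/group/mode values from the pool config and compares them with what the socket on disk actually carries, so a line the upgrade left commented out, or a mode looser than 0660, is reported instead of silently letting any local user (with 0666) connect. Paths default to the Debian ones above; GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the php-fpm socket
# on disk really has the owner, group and mode the pool config requests.
# Assumes the Debian/dotdeb paths from the post as defaults, and GNU stat.

# Print the value of an uncommented "key = value" line; a line that still
# starts with ';' (the state the upgrade leaves it in) does not match.
pool_value() {
    awk -v k="$2" -F'[[:space:]]*=[[:space:]]*' '$1==k {print $2; exit}' "$1"
}

# Return 0 when the socket matches the config, 1 otherwise (with a reason).
check_fpm_socket() {
    conf=${1:-/etc/php5/fpm/pool.d/www.conf}
    sock=${2:-$(pool_value "$conf" listen)}
    sock=${sock:-/var/run/php5-fpm.sock}
    owner=$(pool_value "$conf" listen.owner)
    group=$(pool_value "$conf" listen.group)
    mode=$(pool_value "$conf" listen.mode | sed 's/^0*//')   # 0660 -> 660
    if [ -z "$owner" ] || [ -z "$group" ] || [ -z "$mode" ]; then
        echo "listen.owner/group/mode not all set in $conf (still commented out?)"
        return 1
    fi
    [ -e "$sock" ] || { echo "no socket at $sock"; return 1; }
    have=$(stat -c '%U %G %a' "$sock")
    if [ "$have" != "$owner $group $mode" ]; then
        echo "socket is '$have', config wants '$owner $group $mode'"
        return 1
    fi
    echo "ok: $sock is $have"
}
```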

Categories: sysadmin

spam control

February 4, 2014

Addressing spam is a complex problem. I recommend postfix with spamassassin for starters. Vigorous use of client, sender, and HELO access restrictions is recommended. There are many examples of this on how-to websites, including postfix's and spamassassin's own websites.

Once you create a spam mailbox (I usually do this with procmail; example below), you can examine the spam email headers and see where the spam is coming from.

You will find most is coming from 1) countries you have no need to receive mail from, or 2) an IP subnet of hosts that do not monitor their users for spam (a tell-tale sign is an unusual domain name that resolves but seems meaningless). You can block specific countries with postfix sender_access files or a helo_access file. I recommend disallowing spamming hosts by brute force: blocking the IP or IP range with iptables. If you observe multiple IPs from a subnet, block the whole subnet.

It is a tedious process; however, you can eliminate almost all spam with careful analysis.

MAILDIR=/var/mail

# pipe messages under 256 kB through spamassassin (f = filter, w = wait for its exit code)
:0fw
* < 256000
| /usr/bin/spamassassin

# if the filter failed, hand its exit code back to the MTA instead of losing the mail
:0e
{
    EXITCODE=$?
}

# anything spamassassin flagged goes to the spambucket mailbox
:0
* ^X-Spam-Flag: YES
spambucket

Here spambucket is the spam mailbox; you need to create the user spambucket (or whatever name you want).

Categories: sysadmin

Search text for IP

September 30, 2013

Here is a good way to search text (logs, etc.) for IP addresses:

grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' yourtext | sed 's/^0*//'
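As an added example serving both the spam-control post and the grep one-liner above (not code from the original posts): a shell script that pulls the handing-off IPs out of Received: headers with a tighter pattern than the one-liner (literal dots, every octet checked against 255), discards loopback and RFC 1918 hops, and tallies the rest by /24, which is the "multiple IPs from one subnet" judgement the spam post makes by hand before dropping a range with iptables. It expects a file of message headers (e.g. pulled from the spambucket mailbox) as its first argument and a minimum hit count as the second.

```shell
#!/bin/sh
# Added example (not from the original posts): find the external IPs that
# handed spam to us and tally them by /24 so repeat-offender subnets stand out.
# Assumes a file of concatenated message headers whose
# "Received: from ... [a.b.c.d]" lines are the ones to analyse
# (folded continuation lines are not joined).

# Extract IPv4 addresses from a stream; unlike a bare [0-9]{1,3} pattern this
# requires literal dots and rejects octets above 255.
extract_ipv4() {
    grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' |
    awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255'
}

# Drop loopback and RFC 1918 space: those Received hops are our own hosts.
drop_internal() {
    grep -Ev '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

# Print "count a.b.c.0/24" for subnets seen at least $2 times in file $1,
# most frequent first, ready to review before writing an iptables DROP rule.
spam_source_subnets() {
    file=$1; min=${2:-2}
    grep -E '^Received: from ' "$file" | extract_ipv4 | drop_internal |
    awk -F. '{print $1"."$2"."$3".0/24"}' | sort | uniq -c | sort -rn |
    awk -v m="$min" '$1>=m {print $1, $2}'
}
```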

Categories: sysadmin

A simple openvpn connection

September 6, 2013

Creating a Simple OPENVPN connection

The simplest openvpn setup is with a static key.
Here is how you set it up.

Install openvpn
apt-get install openvpn or yum install openvpn (depending on your distro).
Then cd /etc/openvpn and create a static key there; all config files and keys
live in this folder.

Server configuration
Generate your static key:
openvpn --genkey --secret static.key
Use this config file with your new static key:

##tun0.conf##
dev tun0
port 1192
proto udp
ifconfig 10.10.10.1 10.10.10.2
secret /etc/openvpn/static.key
comp-lzo
keepalive 10 60
daemon

Restart openvpn:
/etc/init.d/openvpn restart

From the command line run ifconfig

You should see a tun0 listed similar to this:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.10.1 P-t-P:10.10.10.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:8402 errors:0 dropped:0 overruns:0 frame:0
TX packets:7449 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:536155 (523.5 KiB) TX bytes:1033360 (1009.1 KiB)

Remote Client

Set up your remote client using the same static.key and the same information
(port number and IP addresses). Note that the IP addresses are reversed on the client.

You can either sftp the static key to your client or cut and paste it into a file
on the client.

Your remote config file should look like this:

##tun0.conf##
remote [yourdomain.com or IP address]
port 1192
proto udp ##udp is the preferred protocol
dev tun0
ifconfig 10.10.10.2 10.10.10.1
secret /etc/openvpn/static2.key ##your copy of the server's static.key
comp-lzo
keepalive 10 60
daemon

Testing your connection

After starting both openvpn daemons you should be able to ping the server
from the client, e.g.:

ping 10.10.10.1

If the ping is successful, you should be able to ssh over
the vpn from the client to the server or ssh (or telnet if you
have that port open) from the server to the client.

Multiple openvpn tunnels

Creating several tunnels is simple. For instance you can create
tunnels from your server to your laptop, server to server, server
to home, etc. For each tunnel, create a new config file. The simplest
way is to copy your tun0.conf to tun1.conf and then change the IP
addresses and the port value (keep things separate). You can generate
a new static key for each tunnel if you want, using
openvpn --genkey --secret static1.key (each VPN could use the same
static key, which is a less secure arrangement).

Here is a sample tun1.conf:

##tun1.conf##
dev tun1
port 1194
proto udp
ifconfig 10.10.10.3 10.10.10.4
secret /etc/openvpn/static1.key
comp-lzo
keepalive 10 60
daemon
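As an added example (not code from the original post): a shell script that writes a mirrored server/client config pair for one static-key tunnel in the layout above, plus a check that the two files agree on port, key and reversed ifconfig addresses, the detail that is easiest to get wrong when cloning tun0.conf to tun1.conf. The key file is chmod 600 because it is a shared secret, and comp-lzo is left out; if openvpn is not on PATH a constructed random stand-in is written instead of a real key.

```shell
#!/bin/sh
# Added example (not from the original post): write a mirrored server/client
# config pair for an OpenVPN static-key tunnel and lock down the key file.
# Arguments: name port server_ip client_ip remote_host output_dir

gen_static_tunnel() {
    name=$1; port=$2; srv_ip=$3; cli_ip=$4; remote=$5; dir=$6
    key="$dir/$name.key"
    mkdir -p "$dir"
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --genkey --secret "$key"
    else
        # constructed stand-in (not a valid OpenVPN key) so this runs offline
        head -c 256 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$key"
    fi
    chmod 600 "$key"        # shared secret: owner-only
    # server side: its own address first
    cat > "$dir/$name-server.conf" <<EOF
dev $name
port $port
proto udp
ifconfig $srv_ip $cli_ip
secret $key
keepalive 10 60
daemon
EOF
    # client side: same port and key, ifconfig addresses reversed
    cat > "$dir/$name-client.conf" <<EOF
remote $remote
port $port
proto udp
dev $name
ifconfig $cli_ip $srv_ip
secret $key
keepalive 10 60
daemon
EOF
}

# field FILE KEY N: print the Nth word of the line whose first word is KEY
field() { awk -v k="$2" -v n="$3" '$1==k {print $n; exit}' "$1"; }

# Return 0 when server conf $1 and client conf $2 form a consistent pair.
tunnel_pair_ok() {
    s=$1; c=$2
    [ "$(field "$s" port 2)" = "$(field "$c" port 2)" ] &&
    [ "$(field "$s" secret 2)" = "$(field "$c" secret 2)" ] &&
    [ "$(field "$s" ifconfig 2)" = "$(field "$c" ifconfig 3)" ] &&
    [ "$(field "$s" ifconfig 3)" = "$(field "$c" ifconfig 2)" ]
}
```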

Firewall considerations

If you are using tcpwrappers (hosts.allow and hosts.deny) you should create an
entry for the tunnel(s), e.g.:

# hosts.allow            This file describes the names of the hosts which are
#                        allowed to use the local INET services, as decided
#                        by the '/usr/sbin/tcpd' server.
#
ALL : 10.10.10.0/24 : allow

Iptables may also need to be modified to allow the tunnel(s), or if you want
to forward the tunnel device.

Categories: sysadmin

A simple openvpn

September 5, 2013

Categories: sysadmin

Upgrading to Debian 7 (with dotdeb) the easy way

May 15, 2013

Directly from the dotdeb.org site:
apt-get -f install -o Dpkg::Options::="--force-overwrite"
apt-get update
apt-get dist-upgrade

This should eliminate all the problems mentioned in the previous post.

Categories: sysadmin

Upgrading your server to Debian 7 (wheezy)

May 6, 2013

To upgrade to Wheezy follow the standard instructions. Change all references
in /etc/apt/sources.list from squeeze to wheezy. Pound out any non-standard
sources. I am using dotdeb and used the following per their instructions:

deb http://packages.dotdeb.org wheezy all
deb-src http://packages.dotdeb.org wheezy all

Then do apt-get update, apt-get dist-upgrade.
I have done this on two 64-bit squeeze servers and had a few errors on both.
The errors all involved using dotdeb versions of mysql and php5.
Do not reboot your remote server until you are able to complete the upgrade without errors.
I ended up removing mysql-5.5 and the offending php5 packages with aptitude.

I then reinstalled the mysql-5.5-server and php5 wheezy packages.
Everything then worked as advertised.

I did have to install dsyslog (replacement for rsyslog) manually in order
to start logging. On one box I had to install ifupdown manually to allow
the network to start.

If you're using Dovecot, the dovecot.conf file needs to be updated. When you
restart it you will see the instructions.

You can check your work by running dpkg --audit after you have completed the upgrade. You should
see any packages that need reinstalling.

Categories: sysadmin

Upgrading to Debian 7 (wheezy) – lamp server with dotdeb

May 5, 2013

Categories: sysadmin

Clone your Debian server’s packages to new server with dpkg

May 2, 2013

Make sure /etc/apt/sources.list is identical to the file on the original server.
You may have to rsync /etc/apt from your old server to your new server if you have
installed different apt keys.

First run
dpkg --get-selections | awk '{print $1}' > installed-packages  ## on the existing server
then sftp the installed-packages file to your new server.
On your new server, make sure you have /etc/apt/sources.list exactly like the
one on your old server.

On your new machine run:
apt-get install `cat installed-packages`

Your new server should now have all the packages your old server has.
You can copy the /etc/*.conf files to your new server (I would make a new place for them)
and add them back as needed to the new server.

Categories: sysadmin

Clone your Debian server’s packages to new server with dpkg

April 28, 2013

First run, on your old server:
dpkg --get-selections '*' > installed-packages
then sftp the installed-packages file to your new server.
On your new server, make sure you have /etc/apt/sources.list exactly like the
one on your old server.

On your new machine run:
dpkg --set-selections < installed-packages
and then run
apt-get -u dselect-upgrade --yes

Your new server should now have all the packages your old server has.
You can copy the /etc/*.conf files to your new server (I would make a new place for them)
and add them back as needed to the new server.

Categories: sysadmin