November 6 2016

Clear your Linux History | Snippet | Linux

There have only been a few times where I’ve decided I needed to clear out my bash history without a trace. Typically it was because I needed to test sending to a mail provider and didn’t want to leave my email address behind, or because I saw that a customer had pasted his password straight into the command line with something like “mysql -uroot -pmypassword”.


For those jobs where I need to clear out a whole batch of lines, I run the loop and then delete the loop command itself:

for i in {1..50}; do history -d ####; done; history -d $((HISTCMD-1))

That clears out 50 lines starting from wherever you set ####. It works because every “history -d ####” removes that entry and renumbers the ones after it, so hitting the same offset 50 times eats the block one line at a time. The final “history -d $((HISTCMD-1))” removes the command you just typed: bash adds the current command line to the list before running it, and its offset is HISTCMD-1. Don’t put that part inside the loop; each pass would then also delete the newest remaining entry, and you’d lose 50 unrelated lines off the end of your history as well. So if you run “history” and see that you need to clear lines 350 through 380 (that’s 31 lines), you’ll run:

for i in {1..31}; do history -d 350; done; history -d $((HISTCMD-1))

If you just want to delete a certain line:

history -d $((HISTCMD-1)) && history -d ####

One caveat: history -d only edits the list in memory. Finish with “history -w” so the cleaned list overwrites ~/.bash_history; otherwise anything already saved to the file stays there, and with “shopt -s histappend” it would never be overwritten on exit.
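As an added example (not from the original post), here is the same job wrapped in a bash function that deletes a whole range, removes its own invocation, and rewrites the history file. It assumes an interactive bash 4.x session with history enabled; the function names are my own.

```shell
#!/usr/bin/env bash
# Remove an inclusive range of entries from the running bash session's
# history, drop the command that did the cleaning, and rewrite $HISTFILE.
# Assumes an interactive bash, where HISTCMD is the number the *next*
# command will get and HISTCMD-1 is the command line currently executing.

# Print END down to START, one per line.  history -d renumbers every
# entry above the one it removes, so deleting from the top keeps the
# remaining offsets valid.  (Deleting the same low offset repeatedly, as
# the one-liner above does, works for the same reason.)
hist_offsets_desc() {
    n=$2
    while [ "$n" -ge "$1" ]; do
        printf '%s\n' "$n"
        n=$((n - 1))
    done
}

# clear_history_range START END
clear_history_range() {
    if [ "$#" -ne 2 ] || [ "$1" -gt "$2" ]; then
        echo "usage: clear_history_range START END (START <= END)" >&2
        return 1
    fi
    for n in $(hist_offsets_desc "$1" "$2"); do
        history -d "$n" || return 1
    done
    # Remove the "clear_history_range ..." line itself, which bash added
    # to the list before running it.
    history -d $((HISTCMD - 1))
    # history -d only edits the in-memory list.  Without this, lines that
    # were already saved stay in ~/.bash_history (and with histappend they
    # would never be overwritten on exit).
    history -w
}
```

Put the functions in ~/.bashrc, then run “clear_history_range 350 380” after checking the offsets with “history”. Because the function rewrites the history file, run it in the session whose history you want cleaned, not in a second shell.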

August 20 2016

Coming from Shared to a Server

TL;DR: Pay the extra money and get a control panel like Plesk or cPanel if you can.

So you found yourself needing a server after years of building up on a web hosting platform. Maybe you reached the end of the “unlimited” plan, or your reselling business has grown too fast and you want or need to offer your customers a control panel, or maybe you’re just tired of sharing resources with unknown people. Whatever the case may be, you made it here, and I welcome you.

Welcome

I typically spend 10 to 15 minutes on the phone with a customer who has one of these reasons for taking out a server contract, and it always has to start with me finding out what their experience is. Nine times out of ten, the customer has relied on a service provider like 1&1 or GoDaddy to manage the environment. Things like Linux and Apache are far above them; they just know what their website is: “WordPress”. It’s these nine out of ten that I tell to get a Linux server for their PHP sites or Windows for their ASP.NET, and that they must get a control panel like Plesk (Windows and Linux) or cPanel (Linux/CentOS).

The reason is simple: control panels like these come prepackaged with everything they need. Since they spent their years in a provider’s control panel, telling them to get their hands dirty right now isn’t the answer.

If they’re the 10% who know their way around a server, I typically just ask how confident they are at managing everything and whether they want to do without the CP. The reason is just as simple for them: prepackaging everything brings a lot of “fluff” and excess weight that isn’t needed. Take Windows, for example: if all you want is ASP.NET, MSSQL and a few custom applications, you may have no need for PHP binaries, MySQL, SmarterMail and so on taking up space and running as services. But then it’s all on you.

So now you have yourself a server, and something goes wrong…

Fortunately for those who got a CP, server providers will typically have a support contract with the CP’s vendor, so they can at least rule out an issue with the CP itself or any of the services it provides (Apache, MySQL, etc.). If in the end the issue is in your code, you should already know how to fix it. If it was with a service that the vendor was able to resolve, ask exactly what the issue was, how they found it, and how they fixed it. Knowledge is power.

If instead you have an issue the vendor can’t fix because nothing is actually broken and it falls outside their scope (your configuration is simply set lower than your requirements), then it’s a good idea to seek guidance and, if needed, help.

Google it

Take to Google and type in exactly what the issue is, including the OS, the service and so on: “CentOS increase logical volume”.

Ask experts/support agents

Sometimes, while the vendor’s or even your service provider’s tech support can’t act on your request because of their policies, there’s a good chance they’ve seen the issue and can advise how to go about it. Don’t get frustrated that they can’t do it; tell them you’re not asking them to do it, just to point you in the right direction.

Personal note: I hate it when a customer berates me for not performing a service I can’t provide. I agree that I may know how to do it, or feel confident doing it, but rules can’t be bent. So instead I try to give as detailed guidance as I can.

Hire an Admin

I can’t tell you where to find an admin, or whom to trust. Honestly, hiring a full-time admin who is at least on call for you would be the best bet. Find someone who can set the server up from the get-go, will support you during the lifespan of the project, and gives you the peace of mind of getting it done.

Personal note: While even I have done freelance admin support for a number of returning customers, I can’t help but cringe at the idea of people paying someone they don’t know to work on a server or project that person didn’t set up, flip-flopping around until they find the price point they want. It’s your business at stake here.

August 20 2016

Splashtop Free with 1and1 Cloud Server

So you can’t use TeamViewer Free with your Windows Cloud Server, since that requires a paid license, which is a shame, since we’re perfectly able to do so with our Linux Cloud Servers. So if you’re in the market for a solution other than Remote Desktop, give Splashtop a try. At least at the time of this writing, Splashtop is a free service that lets you connect remotely to any computer that’s in your network. Please note the emphasis there. Obviously that throws a wrench into the plan, since your Cloud Server with 1and1 is in a remote network, but fortunately 1and1 provides a free workaround.

If you’re able to, set up and configure one of the VPNs offered in your Cloud Panel at 1and1 by following the guides in the Cloud Panel help documents. Once you’re set up and connected, you are local to your Cloud Panel’s network, making all of your servers appear local to you. Now when you open Splashtop, you’ll be able to connect to your Windows Cloud Server without an issue, for free!

Another benefit of using this VPN: everything between your machine and the VPN gateway in the datacenter travels inside the encrypted tunnel, whether or not the protocol inside it (RDP, Splashtop, or plain HTTP to your sites and other services hosted in your Cloud Panel) was encrypted on its own. Keep in mind that the tunnel ends at 1and1’s gateway; from there to your server the traffic is whatever the protocol makes it. Treat the VPN as protection for the public-internet leg, not as a substitute for TLS on the services themselves.

May 31 2016

Get SPF/TXT using the DIG command

Pulling the TXT record for a domain lets you see and verify whether your Sender Policy Framework (SPF) record is in place, and shows any other free-form TXT records set on the name. TXT is where SPF lives: the dedicated SPF record type (type 99) that older guides tell you to publish alongside it was deprecated by RFC 7208 in 2014, and receivers check the TXT form. TXT is also used by other services such as DomainKeys/DKIM.

So publish your SPF policy as a TXT record only. Both queries are shown below for comparison. Note ANSWER: 0 in each header, which means the resolver found no record of that type for the name, not that the lookup failed; if you expected a record there, that is your first finding.

# dig txt diyserver.guide

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> txt diyserver.guide
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52076
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;diyserver.guide. IN TXT

# dig spf diyserver.guide

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> spf diyserver.guide
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49309
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;diyserver.guide. IN SPF

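As an added example, not part of the original post, here is a small shell checker for the record you get back. The dig output above returned no record, so the record strings used in the test are constructed; the function names are mine, and spf_fetch is the only part that touches the network.

```shell
#!/bin/sh
# Check an SPF record string for the mistakes that actually bite.
# spf_fetch is the only function that talks to DNS; the checks run on a
# string, so they work offline on a record you pasted in.

# Fetch the SPF TXT record for a domain as one line.  dig prints long
# records as several quoted chunks ("..." "..."), so join and unquote.
spf_fetch() {
    dig +short txt "$1" | sed 's/" "//g; s/"//g' | grep '^v=spf1'
}

# Count the terms that cost a DNS lookup when a receiver evaluates the
# record.  RFC 7208 allows at most 10 per check.  Only this level is
# counted: anything behind include:/redirect= adds its own lookups.
spf_lookup_count() {
    n=0
    for term in $1; do
        case ${term#[+?~-]} in
            include:*|redirect=*|exists:*|a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Print findings; exit 0 if the record looks sane, 1 otherwise.
spf_check() {
    record=$1
    problems=0
    case $record in
        v=spf1|"v=spf1 "*) ;;
        *) echo "no v=spf1 prefix: this is not an SPF record"; return 1 ;;
    esac
    # The last term decides what happens to senders nothing else matched.
    last=${record##* }
    case $last in
        -all|"~all") ;;
        +all|all) echo "'$last' authorises every host on the internet"
                  problems=$((problems + 1)) ;;
        \?all)    echo "'?all' is neutral, so SPF is effectively off"
                  problems=$((problems + 1)) ;;
        *)        echo "record does not end in -all or ~all"
                  problems=$((problems + 1)) ;;
    esac
    for term in $record; do
        case ${term#[+?~-]} in
            ptr|ptr:*) echo "ptr is deprecated (slow and unreliable)"
                       problems=$((problems + 1)) ;;
        esac
    done
    n=$(spf_lookup_count "$record")
    if [ "$n" -gt 10 ]; then
        echo "$n lookup terms: receivers give up after 10 (permerror)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
```

Typical use is “spf_check "$(spf_fetch example.com)"”, which also catches the empty case from the dig output above: an empty string has no v=spf1 prefix and fails the check.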
May 13 2016

Cloud Beta | VM Controller – DIY CloudPanel Prototype update

As mentioned in the original release announcement of the Early Beta, https://diyserver.guide/cloud-panel-prototype-early-beta/ , I’ve updated the framework and functionality to give a better glimpse of what’s to come. Check out the new update and use the “Trial” function, which only requires your API key, to see the system in action:

http://cloud-beta.diyserver.guide/auth/trial

As you can see, I used the official 1&1 CloudPanel as my inspiration for design and functionality but will look to change things up as functionality becomes more complete. For now, it’s more to just limit the learning curve.

The end goal is a system that you can host yourself and use to sell servers to your clients, with the hope that your clients never have to know or worry about who your vendor is. Currently that vendor is 1&1, but as time goes on I’ll move to a modular design that lets you choose between different companies like DigitalOcean, Linode and AWS. Unfortunately, most providers don’t offer the same features 1&1 does, like firewalls and load balancers.

Business logic proposal

Currently 1&1 shows all servers to every API user, but allows ACL control to limit who can create or delete. For this reason our users are not the same as API users: we don’t want one of our users to be able to see another user’s servers.

In the future, you would give our CloudController a number of API keys for provisioning, each API key belonging to a different 1&1 Cloud contract with its 99-server limit. We can then set up rules about how many users can be assigned to each provisioning contract, and how many servers each user can have. From there it’s just like shared hosting accounts, except each user owns their own server and the “host” is our provisioning contract.

Say we have 3 “Tiers” we sell:

  • Small: 5 server limit per user
  • Medium: 10 server limit
  • Large: 20 server limit

Small limitations

  • 17 to 18 users per Small Provisioning Contract (99 servers, less 5 to 10 reserved, at 5 per user)
  • 5-10 servers reserved for shared MySQL DB servers, a DHCP server, exceptions

Medium limitations

  • 8 to 9 users per Medium Provisioning Contract
  • <10 servers reserved for shared MySQL DB servers, a DHCP server, exceptions

Large limitations

  • 4 users per Large Provisioning Contract
  • <10 servers reserved for shared MySQL DB servers, a DHCP server, exceptions

Overall Limitations

  • Once users are placed on a contract, they can’t be taken off. There’s no way to move a VM between contracts with 1&1 at the moment.
  • To compensate, you must price the tiers accordingly. Customers who know they won’t need more than 5 servers will choose the Small tier for the price, while others will get Large because they know they’ll need it. (In theory.)

April 4 2016

Cloud Panel Prototype | Early Beta

So I’ve spent a lot of time working with the 1&1 Cloud Server API and have started putting it to use by building my own Cloud Panel. For quite a while I was building it as a WordPress plugin, which is still a goal, but I was thinking of something even better: a standalone product and service, a brandable Cloud Panel.

Why your own Cloud Panel?

In the end, it should allow service providers and DIY resellers to give their customers access to a Cloud Panel that runs on the company’s 1&1 account, while providing access control in house. Currently the 1&1 Cloud Panel doesn’t take ownership into account when users are created: each Cloud Panel user can see other users’ servers, which is bad for a business. The 1&1 Cloud Panel is also already branded, by 1and1.com themselves.

What’s ready?

So far not much functionality is built in, though the API integration is in place and running great. I’m using a simple free template and ugly JS-PHP bridging, and it doesn’t allow any manipulation of the VMs yet (that’ll come after the Beta). Currently you log in only with your API token; I recommend creating a new API user with no creation rights just to test it. Until the final product and source code are available (planned, not guaranteed, as I weigh the pros and cons), I wouldn’t ask anyone to trust an admin-level API key to anything they can’t inspect. I’ll win that trust with upcoming releases! Until then, you can use my guest

Can I try?

http://cloud-beta.diyserver.guide/

API: e1e32b2d4abd65521aec8d06de3c240e  (guest role on my account)

What’s to come?

  • User Management for the Application and linkage to API Users
    • Each user on the application will be linked to an API User
    • Objects (VMs, images, etc.) created by a user will be hidden from other users by default
    • Groups will be created to share amongst users
  • SSH Console / RDP client integration
    • There are many free 3rd party libraries that allow HTML5 clients to do such tasks.
    • This is the closest we can get to the KVM until they give some sort of access to it.
  • Emulate all functions of the Cloud Panel
  • Allow custom branding to be done
    • I want more than just “change Logo”, but for now, it’s just a few select themes and the Logo is planned.

Suggestions?

Let me know in the comments what you’d like to see most.

March 28 2016

CentOS 7 | Reset Root Password | Grub Method

Imagine your administrator is fired or quits and takes the root password of the server with him, and you need access to that server right now. Fortunately, Linux makes this incredibly easy for anyone with local access: in the eyes of the OS, whoever controls the boot loader owns the machine. All this method requires is the ability to edit the GRUB menu, so if you have a way of seeing the GRUB menu and working with it, this method is for you. The flip side is that anyone else who can reach that console can do the same, which is why a GRUB password (grub2-setpassword on CentOS 7) and disk encryption matter on hosts where that is a concern.

Let’s Get Started

  1. Reboot the server, get to the GRUB menu, and press “e” on the default entry to edit it.
  2. Find the line that starts with “linux16”.
    1. There are more lines here than in CentOS 6’s method; scroll slowly, it’s there.
  3. Using the arrow keys, move along the “linux16” line and find the word “ro”.
    1. This tells the kernel to mount the root filesystem read-only; the init system remounts it read/write later during boot. We want it writable right away, and we don’t want systemd to start at all.
  4. Change “ro” to “rw” and follow it with “init=/sysroot/bin/sh”.
    1. “ro” becomes “rw init=/sysroot/bin/sh”, so instead of starting systemd the kernel drops you into a shell taken from the real root filesystem.
  5. Press Ctrl-X to boot with this configuration.
    1. This doesn’t save anything to the GRUB configuration; it only applies to this boot.
  6. You now have a root shell, but “/” is still the initramfs and the real system is mounted under /sysroot. Type “chroot /sysroot”, then “passwd” to set the new root password.
    1. With SELinux enforcing (the CentOS 7 default), also type “touch /.autorelabel” while still inside the chroot. Otherwise the rewritten /etc/shadow carries the wrong label and root login fails until the filesystem is relabeled. The relabel runs once on the next boot and takes a few minutes.
  7. Type “exit” to leave the chroot, then reboot the server from the console (a power cycle is fine at this point) and log in with your new password.

This method works on 1&1’s Dedicated Servers using the Serial Console, on 1&1’s Cloud Servers using either the KVM or VNC console, and on DigitalOcean’s console. As long as you can see and edit GRUB, you can change the root password.
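Added example (not from the original post): a shell check for whether a CentOS 7 host’s GRUB menu can be edited this way at all, that is, whether a GRUB superuser with a PBKDF2 password is configured. The paths are CentOS 7 defaults, the function name is my own, and the config snippets in the test are constructed.

```shell
#!/bin/sh
# Is the GRUB 2 menu on this host open to the edit trick above?  The
# method only works while anyone at the console may press "e"; a GRUB
# superuser with a PBKDF2 password closes it.  Paths are the CentOS 7
# defaults: /boot/grub2/grub.cfg and the /boot/grub2/user.cfg written by
# grub2-setpassword.

# grub_edit_protected [GRUB_CFG] [USER_CFG]
# Exit 0 when editing menu entries needs a password, 1 when it does not.
grub_edit_protected() {
    cfg=${1:-/boot/grub2/grub.cfg}
    usercfg=${2:-/boot/grub2/user.cfg}
    superusers=0
    hash=0
    if [ -r "$cfg" ]; then
        # "set superusers=..." names who is allowed to edit entries.
        grep -q '^[[:space:]]*set[[:space:]][[:space:]]*superusers=' "$cfg" && superusers=1
        # A hash written straight into grub.cfg (e.g. via 40_custom).
        grep -q 'password_pbkdf2[[:space:]].*grub\.pbkdf2\.sha512\.' "$cfg" && hash=1
    fi
    # CentOS 7.2+: 01_users puts "password_pbkdf2 root ${GRUB2_PASSWORD}"
    # into every grub.cfg, but it only bites if user.cfg holds a hash.
    if [ -r "$usercfg" ] && grep -q '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.' "$usercfg"; then
        hash=1
    fi
    [ "$superusers" -eq 1 ] && [ "$hash" -eq 1 ]
}
```

Run it as root (the files are not world-readable) with no arguments; “grub_edit_protected && echo locked || echo open”. It reads the generated config, not /etc/default/grub, so it reflects what GRUB will actually enforce at the next boot. If the result is “open” and that matters to you, grub2-setpassword (CentOS 7.2 and later) is the one-command fix.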

February 28 2016

[WIP]Configure Active Directory tutorial

[Gallery: Active Directory Tutorial]

This is still a work in progress. However I’ve included the above slideshow of a successful run through. I’ll be translating my screenshots into the tutorial below.

Domain: dankedonuts.lan

1 server : AD Controller (10.0.0.2)

1 Server : DNS/DHCP Server (10.0.0.1)

1 Server : AD Client (10.0.0.100)

Private networking (using 10.0.0.0/24)


On AD Controller:

Go to Control Panel > System > Change the name of the computer. Call the computer “addc” (AD Domain Controller). We won’t touch the domain yet. Close and reboot the server.

Go to Server Manager > Manage > Add Roles > install the Active Directory.

After installation (it may take some time), the flag in Server Manager should show a “Post-deployment” task. You have to promote this computer to a domain controller.

Select Add new Forest

Root domain: “dankedonuts.lan”

Set a Directory Services Restore Mode password.

Our new NetBIOS name is “dankedonuts”
Follow prompts and click install when prompted.

The server will reboot again to confirm all changes.



Now we have an Active Directory, but it’s useless unless we can get others to join. Let’s get the DNS server running.

Name this server “dns” so we can pick it out in AD later. Use a workgroup rather than a domain for now.

For Active Directory domains to work, your domain needs an SRV record like _ldap._tcp.dc._msdcs.mydomain.com, which is how clients locate a domain controller. In our case it’ll be _ldap._tcp.dc._msdcs.dankedonuts.lan.

Let’s get the roles. DNS should be installed by default, but if you go to Server Manager > Tools and do NOT see DNS, you’re missing some features. Click Manage > Remove Roles and uninstall the DNS role. When that finishes you do NOT have to reboot; just re-add the DNS role. Once that completes, reboot.

Now we can configure DNS Manager. I’m not going to lie, Windows DNS is a PoS compared to Linux, so I have screenshots of my configuration. Basically:

-Server Manager > Tools > DNS
-Expand the server, then expand Forward Lookup Zones.
-Right-click Forward Lookup Zones > New Zone > Primary zone > name it "dankedonuts.lan".
-When complete, right-click dankedonuts.lan > New Domain > enter "dc._msdcs" as the name (DNS Manager shows it as _msdcs with dc beneath it).
-Expand "dankedonuts.lan" > expand "_msdcs" > right-click "dc".
-Click "Other New Records..." > choose Service Location (SRV) > Service = "_ldap", Protocol = "_tcp", Port number = 389, Host offering this service = "addc.dankedonuts.lan" > OK.

Go back to the dankedonuts.lan level and add Host (A) records for dns (10.0.0.1), addc (10.0.0.2), and one with a blank name ("same as parent folder") pointing at 10.0.0.2.

Now we should have the records we need, but since we are the nameserver and this is a “fake” domain, let’s change this server’s preferred DNS server to 127.0.0.1 or 10.0.0.1. Either way, we want “nslookup dankedonuts.lan” to return 10.0.0.2. Also do a “ping -a 10.0.0.2” and make sure it resolves to addc and responds.

If so, we’re ready to go back to Control Panel > System and change the domain to “dankedonuts.lan”. If all is well, it should ask you for an Active Directory username. By default the Administrator account of the Active Directory server should work, but instead let’s create a user for this server.



Back on AD Server, go to Server Manager > Tools > “Active Directory Users and Computers”.

Expand “dankedonuts.lan” > go to Users > right-click in the blank area to create a new user. Name it “dnsadmin”, give it a password, and click OK.

Go back to the DNS server


Now we can input the new credentials and successfully join the Domain.

Yay!

Now let’s take care of the DHCP side of things. One of the first tasks of a network administrator is to really think about how to assign IP addresses. For this example we’re going to use just a small range, 10.0.0.100 to 10.0.0.254, for clients. Later we can expand it and make our private network larger.

-Server Manager > Tools > DHCP
-Expand “dns.dankedonuts.lan” > right-click “IPv4” and click “New Scope”.
-Name it whatever you want and set the range 10.0.0.100 to 10.0.0.254.
-Don’t exclude anything.
-Set the router, DNS server and WINS server options to 10.0.0.1 (our DNS/DHCP server’s IP) and remove any public IPs.

When you’re done, rightclick “dns.dankedonuts.lan” and click “Authorize”.

Now we’re ready to assign our first client!


On the client server, configure Ethernet1 as follows:

Click “Advanced…”
Add 10.0.0.1 to “Default gateways”
Add 10.0.0.1 to “DNS server addresses”
Add 10.0.0.1 to “WINS addresses”

Open PowerShell or CMD and run “ipconfig /release Ethernet1” followed by “ipconfig /renew Ethernet1” so the adapter asks our DHCP server for a lease.

Verify with “ipconfig” that Ethernet1 has been assigned an address in 10.0.0.100-254.


Now go to Control Panel > System, set any name for this computer, and join the domain. Nothing special to do.



By now, everything is set up and good to go.

In the AD Controller, go to Server Manager > Tools > Active Directory Users …

Go to Computers and you should see our Client and DNS server.

February 17 2016

Let’s Encrypt, Free SSL provider extension available in Plesk

We all know the struggle: we want an SSL certificate to secure our sites, but we also want to be recognised as not being a danger to our users. Unfortunately, that last part rules out a self-signed certificate, and for good reason. In my typical conversation with customers I try to explain it like this: “Would you trust a bank with your money just because they say they’re trustworthy, or just because the building has a vault?” That’s the basic premise of a self-signed certificate: you have all the encryption, sure, but you don’t have a third party vouching that anyone should take you at your word.

That basically leaves us having to buy a commercial certificate, like the Comodo certificate that secures DIYServer.Guide, or the AlphaSSL certificates that secure TimGarrity.Me and AIOXperts.com. They’re effective at securing the data and they’re recognised as safe by the industry at large, but they come with a price tag that makes you ask “is it worth it?” The certificate business is a bit out of control, imho, and costs way too much.

Enter “Let’s Encrypt”, a free certificate authority: https://letsencrypt.org/. It’s becoming more and more widely recognised and lets you request and issue your own certificates. Thankfully there’s also a Plesk extension that lets you quickly and effortlessly request and install one.

All you have to do is, go to Plesk, click “Extensions”, “Extension Catalog”, search for “Lets Encrypt”, then follow the prompts for install and setting up your SSL.

You can see an example of such a certificate at https://hurricane.hosting, a parody site for a fictitious hosting company. One trade-off: Let’s Encrypt certificates are valid for only 90 days, so you’re relying on the extension to renew them on schedule; check the expiry date of the live certificate after the first renewal is due rather than assuming it happened. That’s a price to pay for free, I suppose.

December 14 2015

SSH Keys and VPN for Extended Security on 1&1 CloudServers

The plot

You have your database server hosted inside the 1&1 Cloud and your boss wants you to lock it down from everything except MySQL, and we mean really lock it down, so we already know the Cloud Panel’s firewall is coming into play and SSH is basically out the window. So you set up the firewall, allow only port 3306, and call it a day. Then the phone rings and your boss is on the other line saying “Wow… I don’t want to use the KVM, I like PuTTY”. Obviously this is a fictional boss (our boss can’t turn on the monitor without help), but in this fictional world your boss wants to SSH.

So you say, “Okay, what’s your IP? I’ll add an exception to the firewall so your IP is allowed.”

[Screenshot: 1&1 Control Panel, firewall rule for the boss’s IP]

Your boss, being the busy guy he is, tells you that not only does he not know his IP, he wants to be able to connect from any location as long as he has a computer he controls. He’s also tired of typing in the long password and would rather get rid of it for the sake of convenience, and instead wants to use one of those “key things” he read about somewhere.

The Technical Breakdown

So we have one Linux server (CentOS 6) running our MySQL database. We’re going to configure the user “Boss” to SSH into the server with an SSH key, but we’re going to keep the firewall in place so that port 22 stays blocked. To get past the firewall, we’re going to create a VPN connection in our server’s datacenter (USA).

Supplies Needed

  • DB Server
  • Firewall Policy
  • VPN Created
  • openVPN client

Firewall Creation

This is probably the simplest part. Go into your Cloud Panel and choose “Network” => “Firewall Policies” => click “Create” and add only one rule, for port 3306. Then go to “Infrastructure” => “Servers” => choose your DB server => scroll down the “Features” until you reach “Firewall” => click the firewall and switch it to our new firewall policy.

[Screenshot: 1&1 Control Panel, firewall policy with the single 3306 rule]

VPN Creation

Creating a VPN is just as easy as the firewall: “Network” => “VPN” => “Create”. After it’s been processed, you can download the configuration file as seen in the screenshot below. With it, follow 1&1’s guide at https://whstatic.1and1.com/help/CloudServer/EN-US/d851538.html for downloading and configuring the OpenVPN client.

[Screenshot: 1&1 Control Panel, VPN with configuration file download]


CONNECT TO THE VPN BEFORE CONTINUING!!!

SSH Key Generation and Assignment

There are plenty of guides and ways to create your SSH keys. Rather than reinvent the wheel, here’s a guide from HostGator which is pretty generic (apart from their “Reseller port 2222”).

https://support.hostgator.com/articles/specialized-help/technical/ssh-keying-through-putty-on-windows-or-linux

The main take-away is to use PuTTYgen if you’re on a Windows machine, generate your key pair, and put the public half on the server. Copy the key from PuTTYgen’s “Public key for pasting into OpenSSH authorized_keys file” box: that one-line “ssh-rsa AAAA… comment” format is what sshd reads. The file PuTTYgen writes with “Save public key” is in a different (RFC 4716) format and won’t work if pasted as-is. For our tutorial we’re adding it to the user “Boss”, so do the following in lieu of HostGator’s step 5:

# mkdir -p /home/Boss/.ssh
# chmod 700 /home/Boss/.ssh
# vi /home/Boss/.ssh/authorized_keys

IN THE VI EDITOR
Press the key i for INSERT mode
Shift + Insert to paste your SSH key (it must stay on one line)
Press ESC, then type :wq (that's a colon, then w and q) to save and quit

# chmod 600 /home/Boss/.ssh/authorized_keys
# chown -R Boss:Boss /home/Boss/.ssh

The file is “authorized_keys”, not “authorized_keys2”; the latter is a leftover from the SSH1/SSH2 split that only still works as a fallback. sshd’s StrictModes (on by default) refuses keys in a directory or file that is group- or world-writable, so the 700/600 modes matter. Once the key logs Boss in, finish the job the boss asked for: set “PasswordAuthentication no” in /etc/ssh/sshd_config and restart sshd. Until then the password is still a way in.
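As an added example that is not part of the original post, here is the key installation from the steps above as a shell function that checks the pasted key is in OpenSSH one-line format, sets the modes sshd’s StrictModes expects, and skips duplicates. The function names are mine, the optional third argument (home directory) exists only so it can be tested without root, and the key in the test is a made-up string shaped like an ed25519 key, not a real key.

```shell
#!/bin/sh
# Install an OpenSSH public key for a local user the way sshd expects it:
# ~/.ssh is 0700, authorized_keys is 0600, both owned by the user, and the
# key is in OpenSSH one-line format ("<type> <base64> [comment]"), which
# is what PuTTYgen shows in its "paste into authorized_keys" box.
# Usage: install_authorized_key USER 'ssh-ed25519 AAAA... comment' [HOME]
# HOME defaults to /home/USER; the third argument exists for testing.

# Accept only the one-line OpenSSH format.  An RFC 4716 file ("---- BEGIN
# SSH2 PUBLIC KEY ----") is rejected, since sshd would ignore it anyway.
is_openssh_pubkey() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=* ?.*$'
}

install_authorized_key() {
    user=$1 key=$2 home=${3:-/home/$1}
    sshdir=$home/.ssh
    authfile=$sshdir/authorized_keys
    if ! is_openssh_pubkey "$key"; then
        echo "refusing key: not in OpenSSH one-line format" >&2
        return 1
    fi
    mkdir -p "$sshdir" || return 1
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"
    # Append only if this key (type + blob, comment ignored) is not there.
    blob=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
    if ! awk '{print $1" "$2}' "$authfile" | grep -Fxq "$blob"; then
        printf '%s\n' "$key" >> "$authfile"
    fi
    # Files created by root are accepted by StrictModes, but the user
    # should own their own .ssh.  Only possible when we run as root and
    # the account exists.
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user" "$sshdir"
    fi
}

# Number of keys installed for USER (one per line, one-line format).
count_authorized_keys() {
    authfile=${2:-/home/$1}/.ssh/authorized_keys
    if [ -r "$authfile" ]; then
        grep -cE '^(ssh-|ecdsa-)' "$authfile"
    else
        echo 0
    fi
}
```

As root on the DB server the call is “install_authorized_key Boss "$(cat boss.pub)"”, where boss.pub holds the single line copied out of PuTTYgen. Running it a second time with the same key is harmless, which makes it safe to put in a provisioning script.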

Why it works

So the VPN, as discussed here: https://timgarrity.me/1and1-ngcs-free-vpn/ , puts you in the same network neighbourhood as your servers, directly past the firewall. You’re not connected to any one server; instead, every server in that datacenter that’s assigned to you has been added to your IP routing table so that traffic to them is tunneled through the datacenter to your server. Since we’re using this VPN, we don’t need port 22 open at all on the hardware firewall in the Cloud Panel. Because of this, the only ways to SSH into this server with the firewall as it is are to activate the VPN every time we want a connection, or to add one more component, a Private Network. The Private Network then opens up the option of nested SSH connections (SSH into the web server, then SSH from the web server to the DB server).