
VPS? Eh?!

If you already know what a VPS is, you will probably want to skip straight to the tips. If not, do read on..

Introduction..

Okay, so it's been a while since I did any sort of web server setup for the org here. Otherwise busy, I was mostly content to mess around with Plesk and cPanel hosting and other less-than-optimal solutions. But the truth is, they all suck.

In a conversation with my recent temporary host's tech support staff, in answer to my question,

"Why can't I switch that sh*t off?"

He says,

"You need a VPS"

I think, "a what?", which just goes to show how out of the web hosting loop I had become. My previous host (hope you are okay man!) would just flick the switch. I'm reminiscing... So.. VPS. He was right. It was exactly what I needed. So at least, thanks for that.

Virtual Private Server..

It's like your own dedicated server, except virtual, so the host can slam a few on a box and if all goes to plan, each server has dedicated, guaranteed resources, very much like a dedicated server does, except cheaper.

If you want to have total control over your hosting environment, a VPS, or dedicated server, is for you. With every single hosting company I've used, I've had to make compromises. No more! With a VPS, everything is under your control.

A dedicated server is expensive. A VPS is cheap. Surprisingly so. The hosting company doesn't need to do anything, you see. On an "unmanaged" server, you basically get a net-connected box and an IP and away you go. You can get decent VPS hosting for way cheaper than shitty shared reseller hosting. Word.

Some VPS companies even do free trials, though I suspect it would be simpler and probably cheaper to just head along to LowEndBox and see what's on offer this month. Or last month. Browse around; you may be amazed by just how cheap VPS hosting can be. I was.

The downside is that it doesn't necessarily come with a working operating system. You can usually choose one at purchase time, which will come pre-installed, and it might even work right off-the-bat (none of mine did*). So either a) you pay some company, probably the VPS hosting company, to manage the server for you, which makes it expensive again, or b) you set it up yourself.

Thing is, setting up a web server is no longer a simple operation, even for advanced Linux users. If you want all the modern, multi-user features one expects from "professional" hosting, it will be a massively complex and tricky operation, taking days or weeks to complete.

Fortunately you don't have to. See here.

*I did this stupid thing twice before I realised my mistake..

I install an OS image. I log in to the fresh server, first waiting the ten minutes or so for the firstboot script to do its updating and what-not. I even checked in top to ensure it really was finished before rebooting, and kernel panic.

So anyway the third time, I waited longer, watching top.. Aha! yum starts up again for another batch of fun. This time I waited a good half hour, until it had been utterly silent for ten minutes. Tried a yum install (htop, of course). It worked, so yum was clearly free. Then rebooted.

The point of this story? If your VPS OS install page says to wait ten minutes, make it twenty. Or just go to bed and deal with it tomorrow!

Miscellaneous VPS tricks and notes for n00bs..

A small selection of tips to save you time and trouble with your VPS.

Two VPS..

Fairly soon after I got my VPS up and running I realised that what I really needed was a second VPS.

For around a tenner a year (+VAT!), you can get..

A net-connected root shell box is always fun. Two is more-than-double-funner. Try it.

Get your firewall under control..

Linux has an excellent firewall: iptables. And the web is stuffed with interesting scripts and tweaks to give you useful firewall features. If you have the time and inclination, that is.

However, if you are a busy type, running a busy internet-facing server, I recommend something that can, in a couple of commands, turn your Linux firewall into the firewall-of-death..

ConfigServer Security & Firewall (csf) is, and I quote, "A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers."

It takes your Linux firewall to the next level. If you want to know when processes are running away, ports are being scanned, login attempts are failing, and much, much more, this is the firewall application you need. The simple instructions even include a section for webmin/virtualmin (basically, install the csf module and go).

csf can be initially overwhelming, especially the zillion warning emails. But if you take a few minutes with the config file, you will be able to get these and much more under your control. By the way, you can exclude processes and commands (php cgi, etc.) from process tracking inside /etc/csf/csf.pignore.

You can even have it automatically allow dynamic domains, so if you have a dyndns/no-ip/diy dynamic domain name for your home/office/workshop/whatever, you can add it to /etc/csf/csf.dyndns and from then on, when your dynamic IP changes, your firewall will create new rules to match. Note that the DYNDNS setting in csf.conf is the polling interval in seconds and ships as 0 (off), so set it to something like 600 or the file is never read. Nifty.

csf takes a minute to get under control, but once you do, you won't regret it. Highly recommended.
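Before you rely on csf, it is worth checking that the settings it shipped with actually do what you think. The script below is an added example and is not part of the original page or of csf itself: it reads a csf.conf-style file and flags the four things that most often catch newcomers out: TESTING left at 1 (csf then flushes its rules on a timer and lfd won't start), LF_SSHD set to 0 (ssh brute-force detection switched off), hostnames in csf.dyndns while DYNDNS is still 0 (so the file is never consulted), and a TCP_IN that opens the whole port range. The config fragment inside csf_demo is constructed for the demonstration; on a real box run csf_audit against /etc/csf/csf.conf.

```shell
#!/bin/sh
# Added example (not from the page or from csf): audit a csf.conf for the
# settings that most often leave a fresh VPS less protected than it looks.

# csf_get FILE KEY: print the value of a  KEY = "value"  line (last one wins)
csf_get() {
    sed -n 's/^'"$2"'[[:space:]]*=[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | tail -n 1
}

# csf_audit CONF [DYNDNS_FILE]: one finding per line on stdout;
# returns 0 when clean, 1 when anything was flagged
csf_audit() {
    conf=$1
    dyn=${2:-/etc/csf/csf.dyndns}   # assumption: default csf location
    findings=0

    # TESTING=1 adds a cron job that flushes the rules every TESTING_INTERVAL
    # minutes, and lfd refuses to start, so nothing is actually being blocked
    if [ "$(csf_get "$conf" TESTING)" = "1" ]; then
        echo "TESTING=1: rules are flushed every $(csf_get "$conf" TESTING_INTERVAL) min and lfd will not start; set TESTING = \"0\" once a second login works"
        findings=$((findings + 1))
    fi

    # a trigger set to 0 is disabled; LF_SSHD is the ssh brute-force counter
    if [ "$(csf_get "$conf" LF_SSHD)" = "0" ]; then
        echo "LF_SSHD=0: failed ssh logins are not counted, so nobody gets blocked"
        findings=$((findings + 1))
    fi

    # csf.dyndns is only consulted when DYNDNS is a polling interval > 0
    case "$(csf_get "$conf" DYNDNS)" in
        ''|0)
            if [ -f "$dyn" ] && grep -q '^[^#[:space:]]' "$dyn"; then
                echo "DYNDNS=0 but $dyn lists hostnames: they are never resolved or allowed"
                findings=$((findings + 1))
            fi ;;
    esac

    # an inbound range covering the whole port space defeats the firewall
    case ",$(csf_get "$conf" TCP_IN)," in
        *,0:65535,*|*,1:65535,*)
            echo "TCP_IN opens every port inbound; list only the services you run"
            findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ]
}

# csf_demo: run the audit against a constructed config fragment (NOT a real
# server's file) that has TESTING still on and a dyndns host but DYNDNS off
csf_demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        '# constructed fragment in the style of /etc/csf/csf.conf' \
        'TESTING = "1"' \
        'TESTING_INTERVAL = "5"' \
        'TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"' \
        'LF_SSHD = "5"' \
        'DYNDNS = "0"' > "$d/csf.conf"
    printf 'home.example.net\n' > "$d/csf.dyndns"
    csf_audit "$d/csf.conf" "$d/csf.dyndns"
    rc=$?
    rm -rf "$d"
    return $rc
}

# On a real box: csf_audit /etc/csf/csf.conf
if csf_demo; then
    echo "csf.conf looks sane"
else
    echo "fix the settings above, then: csf -ra"
fi
```

Run it again after every edit to csf.conf, and remember that csf only reads the file on restart, so finish with csf -ra.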

mc: aka. GNU Midnight Commander

If you are new to the console and Linux in general, and even if you aren't, mc is a superbly useful tool for navigating the filesystem and doing stuff. If it isn't installed, you can get it like this (as root, or use sudo)..

#Debian/Ubuntu
apt-get install mc

#Centos/Redhat
yum install mc

Launch mc (by typing mc<Enter> into your console). Hit F9 (Command menu) > Down arrow > Panel Options > Lynx-like motion (enable). OK. Now you can whiz about the filesystem with the arrow keys, like a ninja.

You will probably also want to enable automatic pull-down of menus (when you hit F9). Hit F9 (Command menu) > Down Arrow (for the last time!) > Configuration > Drop down menus (enabled) so you don't have to hit the down arrow to activate the menus in future. Now you are all set.

MC QuickStart:

That should be enough to get you started.

bash

On pretty much any Linux, when you log in you get a bash shell. Being a bash shell, it reads a .bashrc file in your home (root's) directory, lovingly known as ~/.bashrc. If you are smart, you will edit this file and the associated .bash_aliases, if your distribution uses it (yes on Ubuntu, no on CentOS), and pimp your VPS login up to the max, or at least make it useful. A few minutes here could save you hours in the future.

By the way, on CentOS and other Linuxes that don't use the .bash_aliases convention, you might want to add it yourself, as it's a nice idea to keep your aliases separate from your other login commands. Simply add this to your .bashrc..

# Aliases..
if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

Aliases are shortcuts that you create so instead of typing this:

dmesg -T|sed -e 's|\(^.*'`date +%Y`']\)\(.*\)|\x1b[0;34m\1\x1b[0m - \2|g'

You can simply do..

dm

Or whatever. You want to create aliases for any commands that you need to perform often in a shell; restarting servers, tailing log files, whatever you need to do, except more quickly.

For example, this creates an alias named "lports" which displays the currently listening (IPv4) ports..

# current listening ports..
alias lports='lsof -Pni4 | grep LISTEN'

So I can do lports at any time in the console to see the current listening ports. I also have an lports6, which I guess you could string together with a ";".

Over the years, one builds up a collection of login script snippets, from the useful to the downright silly. But once you get a set that works, you will want to replicate those to all your VPS. Yes, they will likely need a wee tweak for different platforms, but not a lot** .

A couple of examples..

If you have csf installed, you could add this..

# Restart ConfigServer Security & Firewall (csf)..
alias ssec='systemctl status csf;systemctl status lfd'
alias rsec='csf -ra;systemctl restart lfd;ssec'

Notice how I used the first alias in the second command.

syslog to have a look at the most recent 200 log lines (this reads the systemd journal; -b limits it to the current boot)..

alias syslog='journalctl -b -n 200'

fnd to quickly find a file by name..

fnd searches from the current location (but returns full paths in the results); bfnd searches from root "/", skipping /proc..

# QuickFind (TM)
alias fnd='find "$(pwd -P)" -name'
alias bfnd="find / -path '/proc' -prune -type f -o -name"

Okay, this is just silly..

alias ff='wget randomfunfacts.com -O - 2>/dev/null | grep \ | sed "s;^.*\(.*\).*$;\1;"'

Instantly update your shell with all your new aliases and functions..

alias rsr='source ~/.bash_profile'

And so on.

CAUTION! Before you add an alias, remember to check there isn't already a system command with that name! Many of the cute two-letter combinations will have already been taken. BE CAREFUL!

** If you have csf installed, there is a useful list of current system binary/log locations at the foot of /etc/csf/csf.conf.

Why can't I sftp?

This was a strange one. ssh worked fine, but sftp didn't work at all. It would authenticate just fine, but right before the directory listing it would get stuck.

I recall that back in the day, .bashrc commands printing to the console could do this. Removing all echoes and such confirms that this is the issue. But surely these days they both use the same process on the server, right?

Wrong! For some reason, my CentOS was set up to use the external sftp-server binary instead of internal-sftp, which, among other benefits, doesn't read the .bashrc or /etc/motd files.

In /etc/ssh/sshd_config switch the line that reads..

Subsystem	sftp	/usr/libexec/openssh/sftp-server

To instead read..

Subsystem sftp internal-sftp

Restart your sshd. Done. Or rather..

The absolutely totally only way to restart your ssh server

I've made some monumentally stupid mistakes in a live Linux environment over the years, but I've yet to make this one! Being locked out of your own server is no fun**. Fortunately sshd will, by default, only apply configuration changes to new connexions, so as long as you keep your original connexion open, you can edit your sshd_config to your heart's content. Restart sshd, then open a fresh connexion from a second terminal and make sure you can still get in before you close the first one.

**When you purchase a VPS plan, check your console access. Most KVM control panels have the facility to open a TTY serial console directly on the VPS. If you ever get locked out of your server and can't ssh in, this is a life-saver.

NOTE: If you rely on login shells (e.g. /sbin/nologin) to prevent certain users from accessing via sftp (or run your sftp binary with sudo), you will need to come up with another solution, because internal-sftp never runs the user's shell at all..

In that case, you could move any command that prints to the console from your .bashrc to your .bash_profile, which isn't read during sftp logins, or use a nice solution I found at the top of the (now deleted) Ubuntu server .bashrc..

# If not running interactively, do nothing..
[ -z "$PS1" ] && return
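Putting the two previous sections together, here is an added example, not code from the original page: one function makes the Subsystem edit above (after backing the file up), the other refuses to restart sshd unless the edited file passes sshd -t. The sftp-server path is the CentOS default and the unit name sshd is an assumption; Debian and Ubuntu use /usr/lib/openssh/sftp-server and a unit called ssh. The sshd_config fragment at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page): make the Subsystem change described above
# and apply it without locking yourself out. The path below is the CentOS
# default and "sshd" as the unit name is an assumption; Debian/Ubuntu ship
# /usr/lib/openssh/sftp-server and call the unit "ssh".

# use_internal_sftp CONFIG: keep a backup, then point the sftp subsystem at
# the in-process server. Only an active (uncommented) Subsystem sftp line is
# touched, whatever binary it named; comments and other directives are kept.
use_internal_sftp() {
    cfg=$1
    cp -p "$cfg" "$cfg.bak" || return 1
    sed 's|^[[:space:]]*Subsystem[[:space:]][[:space:]]*sftp[[:space:]].*$|Subsystem sftp internal-sftp|' \
        "$cfg" > "$cfg.tmp" || return 1
    # write back through the original file so its owner and mode are preserved
    cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

# sshd_apply CONFIG: refuse to restart unless the file parses. sshd -t only
# checks the config (and host keys), it starts nothing. Running sessions are
# separate processes and survive the restart, so keep yours open and try a
# NEW login from a second terminal before you close it.
sshd_apply() {
    cfg=$1
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd_apply: sshd not in PATH (run as root; it lives in /usr/sbin)" >&2
        return 2
    fi
    if ! sshd -t -f "$cfg"; then
        echo "sshd_apply: $cfg did not pass sshd -t; not restarting. Backup: $cfg.bak" >&2
        return 1
    fi
    systemctl restart sshd
}

# Demo on a constructed fragment (not a real server's sshd_config), so this
# runs anywhere. On the VPS:
#   use_internal_sftp /etc/ssh/sshd_config && sshd_apply /etc/ssh/sshd_config
demo=$(mktemp)
printf 'Port 22\n# override default of no subsystems\nSubsystem\tsftp\t/usr/libexec/openssh/sftp-server\n' > "$demo"
use_internal_sftp "$demo"
grep '^Subsystem' "$demo"      # Subsystem sftp internal-sftp
rm -f "$demo" "$demo.bak"
```

If sshd -t complains, the backup is right beside the file; copy it back and you are exactly where you started, with your existing session still alive.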

man

In case you haven't noticed already, many of the above links lead to "man" pages. "man" is short for "manual", as in RTFM.

When you install a program..

# Now this is handy..
yum install tmpwatch

.. you can straight away access its manual page..

man tmpwatch

So that you can learn how to use the program.

All UNIX/Linux/BSD/OSX/etc. operating systems use this convention and if you are new to *nix and aren't using man many times a day, something is wrong.

I like to see my man pages in my browser..

https://corz.org/man

You can put this on your own server for easy access to manuals specific to your own system.

The simple PHP code for this facility is on-site, here.

I'll add more as I go along..
