02/02/2025

Enable Fail2ban on PVE 8.3.2

By dch1 in Just Notes No Comments

Enabling a Fail2ban jail for SSH is straightforward on PVE 8.3, but many articles on other sites are outdated. PVE 8 is based on Debian 12, where sshd logs authentication failures to the systemd journal rather than to /var/log/auth.log unless rsyslog has been installed, so a jail that still points at that file never sees a single failure. The jail below reads the journal instead.

To install Fail2ban, log in to the PVE web interface, select the PVE host in the tree and open its Shell, then run:

apt update

apt install fail2ban

Then use nano to create the jail definition (jail.local overrides the packaged jail.conf, which should be left untouched so package upgrades do not clobber your changes):

nano /etc/fail2ban/jail.local

Paste the following:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = journal
backend = systemd
maxretry = 2
banaction = iptables-allports
bantime = 3600

Restart Fail2ban and confirm the jail is active. PVE 8 manages services with systemd, so use systemctl rather than the old service and init.d wrappers:

systemctl restart fail2ban
systemctl status fail2ban
fail2ban-client status sshd

You should now have Fail2ban up and running. Two things are worth checking before you close the console. First, with maxretry = 2, two mistyped passwords from your own workstation are enough to ban it for an hour, and because banaction = iptables-allports blocks every port for the banned address, that includes the web interface on 8006; either add your management addresses to the jail with an ignoreip line or keep a second session open while you test. Second, if you do lock yourself out, fail2ban-client set sshd unbanip <address>, run from the PVE console or from another address, lifts the ban immediately.
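To make concrete what the jail above does, here is an added example, in Python, that is not from the original post and not fail2ban's own code: a cut-down model of the sshd jail replayed over a few constructed journal lines. The failure patterns are a simplified subset of what fail2ban's filter.d/sshd.conf matches, findtime is fail2ban's default of ten minutes, and the hostname, PIDs and addresses are made up. It shows that with maxretry = 2 the second failure inside findtime bans the source, that a second failure arriving after findtime does not, and that an address listed in ignoreip is never banned, which is the self-lockout you want to avoid for your own workstation.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Values from the jail.local above; findtime is fail2ban's default (10m).
MAXRETRY = 2
FINDTIME = timedelta(seconds=600)
BANTIME = timedelta(seconds=3600)

# Constructed, cut-down version of what filter.d/sshd.conf matches. The real
# filter has many more patterns; these cover the common password-guessing
# lines the journal shows on a PVE host.
FAILURE_RE = re.compile(
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+|"
    r"Connection closed by (?:invalid|authenticating) user \S+) "
    r"(?:from )?(?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed journal line shape: "<iso-timestamp> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<msg>.*)$")


def parse_line(line):
    """Return (timestamp, source ip) for an sshd failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = FAILURE_RE.search(m.group("msg"))
    if not f:
        return None
    return datetime.fromisoformat(m.group("ts")), f.group("ip")


def simulate(lines, ignoreip=("127.0.0.0/8",), maxretry=MAXRETRY,
             findtime=FINDTIME, bantime=BANTIME):
    """Replay journal lines through the jail logic; return {ip: ban expiry}."""
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    failures = {}  # ip -> timestamps of failures still inside findtime
    bans = {}      # ip -> datetime the ban expires
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue  # ignoreip: never counted, never banned
        if ip in bans and ts < bans[ip]:
            continue  # already banned; further lines change nothing
        recent = [t for t in failures.get(ip, []) if ts - t < findtime]
        recent.append(ts)
        failures[ip] = recent
        if len(recent) >= maxretry:
            bans[ip] = ts + bantime
            failures[ip] = []
    return bans


# Constructed sample journal (hostname, PIDs and addresses are made up).
SAMPLE_JOURNAL = [
    "2025-02-02T10:00:00 pve sshd[1001]: Failed password for root from 203.0.113.5 port 51000 ssh2",
    "2025-02-02T10:00:03 pve sshd[1001]: Failed password for root from 203.0.113.5 port 51000 ssh2",
    "2025-02-02T10:00:06 pve sshd[1002]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "2025-02-02T10:01:00 pve sshd[1003]: Invalid user admin from 198.51.100.7 port 40000",
    "2025-02-02T10:05:00 pve sshd[1005]: Failed password for root from 192.0.2.10 port 60000 ssh2",
    "2025-02-02T10:05:05 pve sshd[1006]: Failed password for root from 192.0.2.10 port 60001 ssh2",
    "2025-02-02T10:05:10 pve sshd[1007]: Accepted publickey for root from 192.0.2.10 port 60002 ssh2",
    "2025-02-02T10:20:00 pve sshd[1008]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
]

if __name__ == "__main__":
    # 192.0.2.10 plays the admin workstation: whitelisted, so two typos do not lock it out.
    for ip, until in simulate(SAMPLE_JOURNAL, ignoreip=("192.0.2.10",)).items():
        print(f"banned {ip} until {until:%Y-%m-%d %H:%M:%S}")
    # Without the whitelist the same two typos ban the admin for an hour.
    print("admin banned without ignoreip:", "192.0.2.10" in simulate(SAMPLE_JOURNAL))
```

203.0.113.5 is banned at its second failure (10:00:03) and its third attempt is never counted; 198.51.100.7 fails twice but nineteen minutes apart, so the first failure has aged out of findtime and no ban results; 192.0.2.10 is banned only when it is missing from ignoreip.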

16/04/2024

NGINX config with WordPress and Moodle

By dch1 in Just Notes No Comments Tags: Moodle, Nginx, VPS

Working config for Moodle:

nginx.conf file:

user www-data;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;


events {
    worker_connections 1024;
}


http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    client_max_body_size 20m;
    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;
    upstream php {
        server unix:/var/run/php/php7.4-fpm.sock;
    }
    include /etc/nginx/conf.d/*.conf;
}

sites.conf file:

server {
    #Version 2.0
    #1. IP Restrictions
    #allow 14.201.246.57;
    #deny all;

    client_max_body_size 20M;
    access_log /srv/www/lms.dchstudio.com.au/logs/access.log;
    error_log /srv/www/lms.dchstudio.com.au/logs/error.log;
    server_name www.lms.dchstudio.com.au lms.dchstudio.com.au; # is your website name

    root /srv/www/lms.dchstudio.com.au/public_html;

    index index.html index.htm index.php;


    # We check IP Address against the whitelists
    #allow 14.201.246.57; #Testing
    #deny all;

    # Moodle bug-fix rewrite rule (slasharguments): /file.php/a/b -> /file.php?file=/a/b
    rewrite ^/(.*\.php)(/)(.*)$ /$1?file=/$3 last;

    #Exceptions
    location = /favicon.ico {
        access_log off;
        log_not_found off;
        expires max;
    }
    location = /robots.txt {
        access_log off;
        log_not_found off;
    }

    # Cache Static Files For As Long As Possible
    location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        access_log off;
        log_not_found off;
        expires max;
    }

    # pass the PHP scripts to FPM socket
    location ~ [^/]\.php(/|$) {
        try_files $uri =404;

        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        fastcgi_pass php;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        include fastcgi_params;
    }


    #Error outputs:
    # error_page 400 /400;
    # error_page 401 /401;
    # error_page 403 /403;
    # error_page 404 /404;
    # error_page 500 502 503 504 /500.shtml;
}


Working config for WordPress:

server {
    #Version 2.0
    #1. IP Restrictions
    #allow 14.201.246.57;
    #deny all;
    listen 80;
    client_max_body_size 10M;
    access_log /srv/www/blog.bjdch.org/logs/access.log;
    error_log /srv/www/blog.bjdch.org/logs/error.log;
    server_name www.blog.bjdch.org blog.bjdch.org; # is your website name
    root /srv/www/blog.bjdch.org/public_html;

    # Rocket-Nginx configuration
    include rocket-nginx/default.conf;

    index index.html index.htm index.php;

    location /wp-admin {
        #AJAX Script: admin-ajax.php is called from the public site too, so it is
        # served without the password prompt below (the first matching regex wins)
        location ~ /wp-admin/admin-ajax.php$ {

            # Php handler
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
            fastcgi_pass php;
            fastcgi_param SCRIPT_FILENAME /srv/www/blog.bjdch.org/public_html$fastcgi_script_name;
            fastcgi_param DOCUMENT_ROOT /srv/www/blog.bjdch.org/public_html;
            # send bad requests to 404
            fastcgi_intercept_errors on;
            include fastcgi_params;

        }

        #wp-admin IP and Password Protection
        location ~* /wp-admin/.*\.php$ {

            # We check IP Address against the whitelists
            # allow 14.201.246.57; #Testing
            # deny all;

            # Then we check the password
            auth_basic "All of the user access are recorded. Authorised Personnel Only!";
            auth_basic_user_file /srv/www/blog.bjdch.org/logs/.htpasswd;

            # Php handler
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
            fastcgi_pass php;

            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /srv/www/blog.bjdch.org/public_html$fastcgi_script_name;
            fastcgi_param DOCUMENT_ROOT /srv/www/blog.bjdch.org/public_html;
            # send bad requests to 404
            fastcgi_intercept_errors on;
            include fastcgi_params;
        }
    }

    #Exceptions
    location = /favicon.ico {
        access_log off;
        log_not_found off;
        expires max;
    }
    location = /robots.txt {
        access_log off;
        log_not_found off;
    }

    # Cache Static Files For As Long As Possible
    location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        access_log off;
        log_not_found off;
        expires max;
    }
    # Security Settings For Better Privacy Deny Hidden Files
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Disallow PHP In Upload Folder
    location /wp-content/uploads/ {
        location ~ \.php$ {
            deny all;
        }
    }
    # Return 403 Forbidden For readme.(txt|html) or license.(txt|html)
    if ($request_uri ~* "^.+(readme|license)\.(txt|html)$") {
        return 403;
    }

    #WP Rewrite
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        #try_files $uri $uri/ =404;
        #index index.html index.htm index.php;

        rewrite ^.*/files/(.*)$ /wp-includes/ms-files.php?file=$1 last;
        if (!-e $request_filename) {
            rewrite ^.+?(/wp-.*) $1 last;

            rewrite ^.+?(/.*\.php)$ $1 last;
            rewrite ^ /index.php last;
        }
        # index index.html index.htm index.php;

    }

    # pass the PHP scripts to FPM socket
    location ~ \.php$ {
        try_files $uri =404;

        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

        fastcgi_pass php;

        fastcgi_index index.php;

        fastcgi_param SCRIPT_FILENAME /srv/www/blog.bjdch.org/public_html$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT /srv/www/blog.bjdch.org/public_html;

        # send bad requests to 404
        fastcgi_intercept_errors on;

        include fastcgi_params;
    }


    #Error outputs:
    error_page 400 /400;
    error_page 401 /401;
    error_page 403 /403;
    error_page 404 /404;
    error_page 500 502 503 504 /500.shtml;

}
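Both configs above carry the note that cgi.fix_pathinfo = 0 belongs in php.ini and pair every PHP location with try_files $uri =404. The reason is the classic nginx + PHP-FPM path-info problem: a request such as /wp-content/uploads/avatar.jpg/x.php matches location ~ \.php$, and if it is simply handed to FPM, PHP with fix_pathinfo = 1 walks back along SCRIPT_FILENAME until it finds an existing file and then executes the uploaded avatar.jpg as PHP. The following added example (Python, not nginx or PHP code, and not from the original post) models that resolution over a constructed document root so the three settings can be compared side by side; the paths and file names are made up.

```python
import re

DOCROOT = "/srv/www/blog.bjdch.org/public_html"

# Constructed document root: the only files that exist on the fake server.
FILES = {
    DOCROOT + "/index.php",
    DOCROOT + "/wp-content/uploads/avatar.jpg",  # user upload with PHP code inside
}


def php_fpm_target(script_filename, fix_pathinfo):
    """File PHP-FPM would execute for SCRIPT_FILENAME, or None.

    Models cgi.fix_pathinfo: with it on, PHP strips trailing path components
    until it finds an existing file and treats the remainder as PATH_INFO.
    """
    if script_filename in FILES:
        return script_filename
    if not fix_pathinfo:
        return None  # fix_pathinfo = 0: "No input file specified."
    parts = script_filename.split("/")
    for cut in range(len(parts) - 1, 0, -1):
        candidate = "/".join(parts[:cut])
        if candidate in FILES:
            return candidate
    return None


def nginx_php_location(uri, try_files, fix_pathinfo):
    """Model of `location ~ \\.php$ { [try_files $uri =404;] fastcgi_pass php; }`.

    Returns ("static", path), ("404", None) or ("php", executed_file).
    """
    if not re.search(r"\.php$", uri):
        return ("static", DOCROOT + uri)
    script_filename = DOCROOT + uri
    if try_files and script_filename not in FILES:
        return ("404", None)  # try_files $uri =404 rejects it before FPM sees it
    return ("php", php_fpm_target(script_filename, fix_pathinfo))


ATTACK_URI = "/wp-content/uploads/avatar.jpg/x.php"

if __name__ == "__main__":
    print("no try_files, fix_pathinfo=1:", nginx_php_location(ATTACK_URI, False, True))
    print("no try_files, fix_pathinfo=0:", nginx_php_location(ATTACK_URI, False, False))
    print("try_files, fix_pathinfo=1:   ", nginx_php_location(ATTACK_URI, True, True))
    print("legitimate request:          ", nginx_php_location("/index.php", True, False))
```

Only the first combination executes the upload; try_files stops the request at nginx and fix_pathinfo = 0 stops it at PHP, and the two are independent, which is why the configs use both. The nested "Disallow PHP In Upload Folder" location in the WordPress config is a third, separate layer: it denies the same request before either of the other two is consulted.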

 

03/05/2015

Setting up a quick plain-HTML temporary environment with NGINX

By dch1 in Life No Comments Tags: Nginx

I recently set up a US VPS purely for staging file downloads; it is on VULTR's storage plan at only $5 USD a month. Then the problem arrived: after downloading nearly 100 GB onto it, pulling the files back down over SFTP was far too slow, so I wanted a quick and dirty way to fetch them locally.

HTTP is a good fit for this, and adding IP restrictions is easy.

Installing nginx is simple and not covered here: apt-get install nginx.

Since this host serves a single site, I edited the default file directly: /etc/nginx/sites-available/default

server {
    allow YOUR_CLIENT_IP;
    deny all;
    listen 80;
    server_name SERVER_IP;
    access_log /root/access.log;

    error_log /root/error.log;

    location / {
        root /root;
        index index.html index.htm;
    }
}

Notes:

1. Don't forget to create the symbolic link into /etc/nginx/sites-enabled with ln -s, although the default file appears to be enabled already.

2. Remember to fix the file permissions, that is, change the ownership of everything under the root folder to www-data:

chown -R www-data:www-data /root

Be aware that this hands the web server user ownership of root's entire home directory, ~/.ssh included, and exposes everything in it over HTTP to the allowed client. A dedicated directory such as /srv/www that www-data can read is the safer place to serve files from.


26/04/2015

Free Dynamic DNS Service from NameCheap

By dch1 in Life No Comments

The title is a bit misleading: I don't think it is a completely free service from NameCheap, since you need an active domain name (.com, .org, .info, etc.).

Background: I have been looking for a stable DDNS service for my home ISP connection in China. I used the free 3322.org DDNS years ago, but it stopped working all of a sudden and I switched to DyNS for a while. Unfortunately that was very unstable, so I needed an alternative.

I considered a paid DynDNS subscription, which is a popular option for end users, but at about $30 USD a year it is quite expensive and I had to find a cheaper solution.

Finally I found NameCheap. It is said that they provide free DDNS if you use their name servers, so I used one of my domains to try it out.

It would be a good idea to have a domain registered with or transferred to NameCheap; they provide great service. I am moving all of my domains away from GoDaddy to NameCheap (I have no affiliation with NameCheap at the time of writing).

1. Open the drop-down menu, choose Manage Domains, then select the domain you want DDNS enabled on.

(screenshot: DDNS_01)

2. Click All Host Records and create an A record under SUB-DOMAIN SETTINGS for the DDNS host. For example, to create dynamic.YOURDOMAIN.COM, type dynamic in the first text box under SUB-DOMAIN SETTINGS. Any IP address will do in the IP ADDRESS/URL field; it is replaced by the real address on the first DDNS update.

(screenshot: DDNS_02)

3. Click the Dynamic DNS link and enable the DDNS service. Note the password the system generates.

(screenshot: DDNS_03)

4. We can use wget or any browser to update the DDNS address. This is very useful for open-source router firmware and possibly for DDNS on Cisco ISRs.

The update URL has the following format:

http://dynamicdns.park-your-domain.com/update?domain=bjdch.org&password=PASSWORD&host=dynamic

where bjdch.org is your domain name, PASSWORD is the DDNS password you just grabbed, and dynamic is the A record you want to update. The password travels in the query string, so make the request over https:// rather than plain http://, and keep the URL out of shared shell histories and scripts that other people can read.

On a successful request the server returns a short XML document; with the tags stripped, its text reads:

SETDNSHOSTengYOURIP00true

That is Command SETDNSHOST, language eng, the address it recorded (YOURIP, your real public IP), ErrCount 0, ResponseCount 0 and Done true. You can double-check the address in the NameCheap control panel.

There you have it! You have saved nearly $20 to spend elsewhere and you own a domain of your own. It is definitely a better deal!
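As an added example (Python; not part of the original post and not a NameCheap-supplied client), here is a small updater that builds the request above and checks the reply. It assumes only what the post shows: the update endpoint, the domain, password and host parameters, and the SETDNSHOST / eng / IP / ErrCount / ResponseCount / Done fields of the XML reply. The two sample replies embedded below are constructed in that shape rather than captured from NameCheap, the domain and password are placeholders, and the optional ip parameter is an assumption here (the post only uses domain, password and host). The request goes over https so the DDNS password is not sent in the clear, and the password is URL-encoded so characters such as & cannot break the query string.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

UPDATE_ENDPOINT = "https://dynamicdns.park-your-domain.com/update"


def build_update_url(domain, host, password, ip=None):
    """Build the update URL from the post, over https and with the password encoded."""
    params = {"domain": domain, "password": password, "host": host}
    if ip is not None:
        params["ip"] = ip  # assumed optional parameter; omit to let the server use the caller's address
    return UPDATE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_update_response(body):
    """Return (ok, recorded_ip, errors) from the XML reply.

    The post shows the reply with its tags stripped as SETDNSHOSTengYOURIP00true,
    i.e. Command, Language, IP, ErrCount, ResponseCount and Done in that order.
    """
    root = ET.fromstring(body)
    err_count = int(root.findtext("ErrCount", default="0"))
    errors = [e.text or "" for e in root.iter()
              if e.tag.startswith("Err") and e.tag != "ErrCount"]
    done = (root.findtext("Done", default="false") or "").strip().lower() == "true"
    ok = done and err_count == 0 and root.findtext("Command") == "SETDNSHOST"
    return ok, root.findtext("IP") if ok else None, errors


def update(domain, host, password, ip=None, timeout=10):
    """Send the update (network call) and return parse_update_response() of the reply."""
    url = build_update_url(domain, host, password, ip)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_update_response(resp.read().decode("utf-8", "replace"))


# Constructed sample replies in the shape the post describes (not captured from NameCheap).
SUCCESS_REPLY = (
    '<?xml version="1.0"?><interface-response><Command>SETDNSHOST</Command>'
    '<Language>eng</Language><IP>203.0.113.9</IP><ErrCount>0</ErrCount><errors/>'
    '<ResponseCount>0</ResponseCount><responses/><Done>true</Done></interface-response>'
)
FAILURE_REPLY = (
    '<?xml version="1.0"?><interface-response><Command>SETDNSHOST</Command>'
    '<Language>eng</Language><ErrCount>1</ErrCount>'
    '<errors><Err1>Passwords do not match</Err1></errors>'
    '<ResponseCount>0</ResponseCount><Done>true</Done></interface-response>'
)

if __name__ == "__main__":
    print(build_update_url("example.org", "dynamic", "p&ss word"))
    print(parse_update_response(SUCCESS_REPLY))
    print(parse_update_response(FAILURE_REPLY))
```

In a router or cron job you would call update("bjdch.org", "dynamic", PASSWORD) and act on the first element of the tuple; counting the Err elements rather than trusting Done alone matters because a reply can say Done true and still carry an error.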

04/04/2015

Lenovo ThinkServer TS140 – To be continued

By dch1 in Just Notes No Comments

This is a follow-up to my last post. The TS140 is definitely worth the money I spent on it, and it is really well made, in Mexico (why not China?).

My old tower PC had just been upgraded from an overclocked E5200 to an E8400, but it is still getting slow. As a result, I bought TWO TS140s: one as a lab and server machine, the other as a workstation.

Surprise, surprise, surprise! My unit is equipped with the latest revision of the motherboard (FRU number 00FC657), which supports Haswell Refresh CPUs, so I can use some of the latest LGA1150 CPUs, including the i7-4770 and the E3-1231 v3. Unfortunately, I had already bought an E3-1245 v3 from eBay and it has been delivered. I am planning to buy an E3-1231 v3 for the second tower.

Currently one of the TS140s is up and running, and it is very, very quiet: at night I can only hear the hard drive clicking.

CPU: E3-1245 v3
RAM: 4GB * 2 ECC unbuffered (the original sticks from the two TS140s)
HDD: 1TB Seagate
System: Windows Small Business Server 2011 (SBS 2011) Standard. One of my clients uses it and I am running it for evaluation purposes only; I WILL change to 2012 R2 as soon as the experiments are finished.

I am going to sell both i3-4330 CPUs on eBay to offset my costs.

So far, so good. I will try to post more screenshots of the system shortly.

12/03/2015

Lenovo ThinkServer TS140 – My Very First Home Server

By dch1 in Just Notes No Comments

Yay! Just moments ago I took my first step into a whole new world: I bought a Lenovo ThinkServer TS140 70A4 entry-level server from eBay. I must mention that the specs seem a bit poor, but I will work that out as soon as the machine is delivered.

In fact, I have been watching these home servers for a while now. My first choice was the HP ProLiant MicroServer Gen8, a lightweight mini server in a lovely case. I knew it was a more advanced version of the N54L, which uses an AMD CPU. Well, that was one option, but I would not bother with an AMD CPU because of its complexity in the server industry (I have not heard of any large enterprise using AMD CPUs in their production environment). The N54L is fine as a file server.

Back to my first choice: I admit that the MicroServer would do the job in a home lab, as I am planning to use it as a test server or a GNS3 server running Linux (Ubuntu and Debian are my favourites). However, there are only two memory slots (16GB maximum) on the motherboard, so it would be a problem if I need to run more than one OS under VMware ESXi (I am keen to give Windows Server 2012 a shot, just for entertainment at this stage).

So I changed my mind to the ML310e, which is also a Gen8 server from HP. The major difference is that the ML310e supports up to 32GB of RAM, which is fantastic. Now the problem is where to get one. There are very limited sources for buying a server in Australia: eBay, Gumtree (I don't think it is a reliable option), or suppliers. Most suppliers are extremely expensive and the local eBay sources are the same, well beyond my budget (approximately $1,000, a very tight budget indeed). So I tried Amazon and Newegg, but quickly realised that Amazon does not ship most server-grade products to Australia, which is a pain. Newegg seems better, but they only ship parts to Australia (I am planning to buy some ECC RAM from them; it is cheaper than the Australian resellers). When I had almost decided to build a system myself, I found a cheaper solution: the Lenovo TS140!

That is not the end of the story, actually. The problem is that the ML310e supports the E3-1230 v3 series CPUs, but the TS140 seems picky about CPU upgrades (some motherboard revisions support the E3-1230 v3 series, others do not). My idea was to buy a lower-end server with a low-spec CPU and then swap in a "higher-end" one. Given the nature of the TS140, I got frustrated quickly. There is a huge performance difference between the E3-1225 v3 and the E3-1231 v3; the E3-1231 v3 is also a Haswell Refresh CPU, which leaves room to upgrade to more powerful candidates.

Not until today did I find a deal on eBay from a seller offering a dirt-cheap (just $340 AUD) TS140. It comes with an i3-4330 dual-core processor and 4GB of RAM (to be replaced sooner or later). The TS140 is a solidly built machine; its gross weight is said to exceed 13 kg. My plan is simply to buy more RAM, a better CPU and some hard drives (RAID-1 preferred) and put it to work. I could even resell the lowly i3 on eBay to recover some of the upgrade budget. When it is retired it could serve as a file server: a much better-quality and budget-friendly media server!

I have linked the data sheet from the Lenovo website and can't wait for the machine to be delivered from the States!

06/02/2015

Raspberry Pi 2 Has Arrived

By dch1 in Just Notes No Comments Tags: Raspberry Pi

I received my Raspberry Pi 2 today from element14. My first impression of this latest version is that everything works much better than before. I am writing this post on the latest Raspbian, which is still a bit buggy. In fact, the previous generation, the Raspberry Pi B and B+, was quite unusable in a business environment, mainly because of the low-spec CPU.

This version of the Raspberry Pi comes with the Broadcom BCM2836 SoC and 1GB of DDR2 RAM. It has four cores at 900 MHz each. The performance is said to be boosted by up to six times, and I can definitely feel the difference. What's more, it will be the first third-party IoT (Internet of Things) Windows 10 device, making it THE CHEAPEST Windows 10 PC on the planet ($38 AUD excl. GST).

I installed the Arduino software on the new board and compile times are quick, so it should be a productive environment for Arduino development.

11/01/2015

Cisco PIX-515 PIX-515E Unrestricted (UR) License Keygen Algorithm

By dch1 in Just Notes, Life No Comments Tags: ASA, CCNA, Cisco, PIX

=====WARNING: This article is for Academic purposes ONLY and not with intention to make profits or resell.=====

As an engineer, I am always curious about how things work. I can even remember that when I was in high school I used my pocket money to buy a book titled Applied Cryptography (the Chinese edition, of course). I was amazed by the algorithms: MD5, RSA, SHA and so on. I bought a DLL plug-in to give my home-brewed software registration functionality. (I should have studied IT security, shouldn't I?)

Time flies. I chose Mechanical Engineering as my major at university, but it did not change my ambitions or my field of interest. I remember that in the first few days after I bought my Arduino kit I tried implementing some interesting cryptographic protocols on that microcontroller. Well, it is an 8-bit MCU, so strong algorithms like RSA and MD5 are not really feasible; I found people who had implemented CRC32 and SHA on that platform, but they take a few seconds to finish.

Anyway, enough about the past; let's get into the topic.

Just a couple of days ago I was given three Cisco PIX-515E firewalls with Unrestricted (UR) licences. To be honest, I had no idea about these firewalls and only knew the Cisco ISR series at the time (yes, I am studying for the CCNA at the moment, and the PIX firewalls were an unwanted free gift from an eBay seller). Soon after, I found that the ASA line could be very useful in networking: they do not just fight fires, they also handle NAT/PAT.

I watched a YouTube video in which the instructor used a valid serial number and activation key to activate a "virtual" PIX-515E in GNS3. That got me much more interested in the activation-key algorithm than ever! I had a brief look on eBay.com.au: a couple of sellers were offering UR licences at a premium price, and it looked like a must-have bundle for CCNP students.

I came across an article on a Russian website in which a "hacker" revealed the algorithm for the UR licence key, so I would like to write an English version to make it clearer.

======Please ignore the paragraphs above if you are beyond the CCNA level :-).======

I needed a working SN and key to verify that the process works, so I grabbed a victim on eBay:

Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
Serial Number: 809112952
Running Activation Key: 0x4b7c1873 0x54ce958f 0x7b74b95e 0x569def49

First, convert the serial number from decimal to hexadecimal (any calculator will do):

DEC 809112952 = HEX 0x303A1578

Second, reverse the byte order (this is simply the little-endian representation of the 32-bit value):

30 3A 15 78 => 78 15 3A 30 => 78153A30

According to the original discussion, the licence-type mark (AES + DES + UR = 0x00000039), byte-reversed in the same way, is prepended to the converted SN:

"39000000" + "78153A30" = 3900000078153A30

Then we take the MD5 of those eight bytes, using Perl:

On macOS or Linux, run the following command:

perl -e 'use Digest::MD5 qw(md5_hex); print md5_hex(pack("H*", "3900000078153A30"))'

If you do not have access to a Linux or Unix machine you can use an online Perl interpreter such as http://www.tutorialspoint.com/execute_perl_online.php; there the code is entered as a script rather than through perl -e:

use Digest::MD5 qw(md5_hex); print md5_hex(pack("H*", "3900000078153A30"));

You will get the following result:

73187c4b 8f95ce54 5eb9747b 49ef9d56

Last step: split the result into four 32-bit groups (shown above) and byte-reverse each group AGAIN to get the final result, which is the same as our victim's running activation key:

0x4b7c1873 0x54ce958f 0x7b74b95e 0x569def49

Not that bad!
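Put in one line, the procedure above is MD5 over the eight bytes <flags, serial> with both words written little-endian, and "inverting" each 4-byte group of the digest is the same as reading those groups as little-endian 32-bit integers. The following added example (Python rather than the post's Perl; not from the original post or the Russian article) implements it that way for the 0x00000039 licence mark quoted above, keeps the post's by-hand reversal step as a cross-check that the two views agree, and adds a verifier that compares a key as printed by show version with what the algorithm yields for that serial. Other flag values and other platforms are outside what the post supports and are not modelled.

```python
import hashlib
import struct

# Licence-type mark quoted in the post: DES + 3DES/AES + Unrestricted.
UR_AES_DES = 0x00000039


def key_input(serial, flags=UR_AES_DES):
    """The eight bytes that are hashed: flags then serial, each little-endian.

    For serial 809112952 this is the post's "39000000" + "78153A30".
    """
    return struct.pack("<II", flags, serial)


def activation_key(serial, flags=UR_AES_DES):
    """Four 32-bit key words; equals the post's 'reverse each group' step."""
    digest = hashlib.md5(key_input(serial, flags)).digest()
    return struct.unpack("<4I", digest)


def words_by_manual_reversal(hex_digest):
    """The post's by-hand step: 4 groups of 8 hex chars, bytes reversed in each."""
    groups = [hex_digest[i:i + 8] for i in range(0, 32, 8)]
    return tuple(int.from_bytes(bytes.fromhex(g), "little") for g in groups)


def manual_step_agrees(serial, flags=UR_AES_DES):
    """Cross-check: the by-hand reversal and the little-endian unpack coincide."""
    hex_digest = hashlib.md5(key_input(serial, flags)).hexdigest()
    return words_by_manual_reversal(hex_digest) == activation_key(serial, flags)


def format_key(words):
    """Render key words the way show version prints them."""
    return " ".join(f"0x{w:08x}" for w in words)


def parse_key(text):
    """Pull the 0x... words out of a 'Running Activation Key: ...' line."""
    return tuple(int(tok, 16) for tok in text.split() if tok.lower().startswith("0x"))


def key_matches(serial, key_text, flags=UR_AES_DES):
    """True if the printed key is what the algorithm yields for this serial."""
    return parse_key(key_text) == activation_key(serial, flags)


if __name__ == "__main__":
    serial = 809112952  # the post's sample unit
    print("hash input:", key_input(serial).hex())
    print("key words :", format_key(activation_key(serial)))
    print("by-hand step agrees:", manual_step_agrees(serial))
```

Run stand-alone it prints the hash input 3900000078153a30 from the post and the key words for that serial; key_matches(serial, "Running Activation Key: 0x... 0x... 0x... 0x...") is the check to paste a real show version line into.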

07/01/2015

WordPress Permalinks on LEMP

By dch1 in Life No Comments Tags: LEMP, Linode, Nginx, VPS

A recent project involved migrating a website from shared hosting to a VPS, naturally on my favourite lean LEMP stack (LAMP eats too much memory; the extra RAM it needs would be enough for me to install a hosting control panel). LEMP is practical and stable, but its one shortcoming is that configuring it is fiddly (getting it perfect is not easy).

Setting up the host went smoothly and I worked through a series of small problems, but once the site was live the pretty permalinks (the rewrite rules) stopped working; only the home page displayed.

My first thought was to change the permalink format (to the ?p=xxx style this site uses), but that sidesteps the problem and hurts search-engine indexing, so I dropped the idea.

I then looked for a way to fix the rewrites by hand and finally found a very detailed configuration article on one site; tested, and it works!

Only the part of the configuration I consider essential is pasted below; phpMyAdmin and similar settings can be found in earlier posts.

server {
    listen 80;
    server_name www.bjdch.org bjdch.org;
    access_log /srv/www/bjdch.org/logs/access.log;
    error_log /srv/www/bjdch.org/logs/error.log;
    root /srv/www/bjdch.org/public_html;
    index index.html index.htm index.php;

    #PHP Settings
    location ~ \.php$ {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        if ($uri !~ "^/uploads/") {
            fastcgi_pass 127.0.0.1:9000;
        }
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /srv/www/bjdch.org/public_html$fastcgi_script_name;
    }

    location / {
        # Deny access to any files with a .php extension in the uploads directory
        # Works in sub-directory installs and also in multisite network
        location ~* /(?:uploads|files)/.*\.php$ {
            deny all;
        }

        # Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
        location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
            return 444;
        }
        #nocgi (the pattern must end in a bare $; an escaped \$ would only match a literal dollar sign)
        location ~* \.(pl|cgi|py|sh|lua)$ {
            return 444;
        }
        #disallow
        location ~* (roundcube|webdav|smtp|http\:|soap|w00tw00t) {
            return 444;
        }

        location ~ /(\.|wp-config.php|readme.html|license.txt) { deny all; }

        # Add trailing slash to */wp-admin requests.
        rewrite /wp-admin$ $scheme://$host$uri/ permanent;

        try_files $uri $uri/ /index.php?q=$request_uri;
    }

    #Error outputs:
    error_page 400 /400.shtml;
    error_page 401 /401.shtml;
    error_page 403 /403.shtml;
    error_page 404 /404.shtml;
    error_page 500 502 503 504 /500.shtml;

}

Thanks: http://centminmod.com/nginx_configure_wordpress.html

03/12/2014

Desert Runners

By dch1 in Just Notes No Comments

http://hulu.com/w/LBFG

(image: desert_runners)

You are your own worst enemy! This documentary is the strongest proof of it.

Dominic's Blog
Recording the footprints of growth, embracing a colourful life
© Dominic's Blog 2025