Just Notes

02/02/2025

Enable Fail2ban on PVE 8.3.2

Enable Fail2ban for SSH jail is quite straightforward on PVE 8.3. However, there are many articles on other websites that are outdated.

To install Fail2ban, login to the PVE web interface, then locate to the Shell under the PVE host:

apt update

apt install fail2ban

Then use nano to create the Fail2ban rule:

nano /etc/fail2ban/jail.local

Paste the following:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = journal
backend = systemd
maxretry = 2
banaction = iptables-allports
bantime = 3600

Restart the Fail2ban service, then check if it’s up and running:

service fail2ban restart
/etc/init.d/fail2ban status
fail2ban-client status sshd

You should now have Fail2ban up and running.

16/04/2024

NGINX config with WordPress and Moodle

By dch1 in Just Notes No Comments Tags: Moodle, Nginx, VPS

Working config for Moodle config:

nginx.conf file:

user www-data;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format main ‘$remote_addr – $remote_user [$time_local] “$request” ‘
‘$status $body_bytes_sent “$http_referer” ‘
‘”$http_user_agent” “$http_x_forwarded_for”‘;

access_log /var/log/nginx/access.log main;

client_max_body_size 20m;
sendfile on;
#tcp_nopush on;

keepalive_timeout 65;

#gzip on;
upstream php {
server unix:/var/run/php/php7.4-fpm.sock;
}
include /etc/nginx/conf.d/*.conf;
}

sites.conf file:

server {
#Version 2.0
#1. IP Restrictions
#allow 14.201.246.57;
#deny all;

client_max_body_size 20M;
access_log /srv/www/lms.dchstudio.com.au/logs/access.log;
error_log /srv/www/lms.dchstudio.com.au/logs/error.log;
server_name www.lms.dchstudio.com.au lms.dchstudio.com.au;# is your website name

root /srv/www/lms.dchstudio.com.au/public_html;

index index.html index.htm index.php;

# We check IP Address against the whitelists
#allow 14.201.246.57;#Testing
#deny all;
# Moodle big fix_rewrite rule
rewrite ^/(.*\.php)(/)(.*)$ /$1?file=/$3 last;
#Exceptions
location = /favicon.ico {
access_log off;
log_not_found off;
expires max;
}
location = /robots.txt {
access_log off;
log_not_found off;
}

# Cache Static Files For As Long As Possible
location ~*\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$
{
access_log off;
log_not_found off;
expires max;
}

# pass the PHP scripts to FPM socket
location ~ [^/]\.php(/|$) {
try_files $uri =404;

fastcgi_split_path_info ^(.+\.php)(/.+)$;
# NOTE: You should have “cgi.fix_pathinfo = 0;” in php.ini

include fastcgi_params;
}

#Error outputs:
# error_page 400 /400;
# error_page 401 /401;
# error_page 403 /403;
# error_page 404 /404;
# error_page 500 502 503 504 /500.shtml;

Working config for WordPress:

server {
#Version 2.0
#1. IP Restrictions
#allow 14.201.246.57;
#deny all;
listen 80;
client_max_body_size 10M;
access_log /srv/www/blog.bjdch.org/logs/access.log;
error_log /srv/www/blog.bjdch.org/logs/error.log;
server_name www.blog.bjdch.org blog.bjdch.org;# is your website name
root /srv/www/blog.bjdch.org/public_html;

# Rocket-Nginx configuration
include rocket-nginx/default.conf;

index index.html index.htm index.php;

#AJAX Script
location /wp-admin {
location ~ /wp-admin/admin-ajax.php$ {

# Php handler
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# NOTE: You should have “cgi.fix_pathinfo = 0;” in php.ini
fastcgi_pass php;
fastcgi_param SCRIPT_FILENAME /srv/www/blog.bjdch.org/public_html$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT /srv/www/blog.bjdch.org/public_html;
# send bad requests to 404
fastcgi_intercept_errors on;
include fastcgi_params;

}

location /wp-admin {
location ~ /wp-admin/admin-ajax.php$ {

# Php handler
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# NOTE: You should have “cgi.fix_pathinfo = 0;” in php.ini
fastcgi_pass php;
fastcgi_param SCRIPT_FILENAME /srv/www/blog.bjdch.org/public_html$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT /srv/www/blog.bjdch.org/public_html;
# send bad requests to 404
fastcgi_intercept_errors on;
include fastcgi_params;

}

#wp-admin IP and Password Protection

location ~* /wp-admin/.*\.php$ {

# We check IP Address against the whitelists
# allow 14.201.246.57;#Testing
# deny all;

# Then we check the password
auth_basic “All of the user access are recorded. Authorised Personnel Only!”;
auth_basic_user_file /srv/www/blog.bjdch.org/logs/.htpasswd;

# Php handler
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# NOTE: You should have “cgi.fix_pathinfo = 0;” in php.ini
fastcgi_pass php;

fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /srv/www/blog.bjdch.org/public_html/$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT /srv/www/blog.bjdch.org/public_html;
# send bad requests to 404
fastcgi_intercept_errors on;
include fastcgi_params;
}
}

#Exceptions
location = /favicon.ico {
access_log off;
log_not_found off;
expires max;
}
location = /robots.txt {
access_log off;
log_not_found off;

fastcgi_param DOCUMENT_ROOT /srv/www/blog.bjdch.org/public_html;
# send bad requests to 404
fastcgi_intercept_errors on;
include fastcgi_params;
}
}

#Exceptions
location = /favicon.ico {
access_log off;
log_not_found off;
expires max;
}
location = /robots.txt {
access_log off;
log_not_found off;
}

# Cache Static Files For As Long As Possible
location ~*\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|$
{
access_log off;
log_not_found off;
expires max;
}
# Security Settings For Better Privacy Deny Hidden Files
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}

# Disallow PHP In Upload Folder
location /wp-content/uploads/ {
location ~ \.php$ {
deny all;
}
}
# Return 403 Forbidden For readme.(txt|html) or license.(txt|html)
if ($request_uri ~* “^.+(readme|license)\.(txt|html)$”) {
return 403;
}

#WP Rewrite
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
#try_files $uri $uri/ =404;
#index index.html index.htm index.php;

rewrite ^.*/files/(.*)$ /wp-includes/ms-files.php?file=$1 last;
if (!-e $request_filename) {
rewrite ^.+?(/wp-.*) $1 last;

rewrite ^.+?(/.*\.php)$ $1 last;
rewrite ^ /index.php last;
}
# index index.html index.htm index.php;

}

# pass the PHP scripts to FPM socket
location ~ \.php$ {
try_files $uri =404;

fastcgi_split_path_info ^(.+\.php)(/.+)$;
# NOTE: You should have “cgi.fix_pathinfo = 0;” in php.ini

fastcgi_pass php;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME /srv/www/blog.bjdch.org/public_html$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT /srv/www/blog.bjdch.org/public_html;

# send bad requests to 404
fastcgi_intercept_errors on;

include fastcgi_params;
}

#Error outputs:
error_page 400 /400;
error_page 401 /401;
error_page 403 /403;
error_page 404 /404;
error_page 500 502 503 504 /500.shtml;

}

04/04/2015

Lenovo ThinkServer TS140 – To be continued

By dch1 in Just Notes No Comments

This is a follow-up post for my last post. The TS140 is definitely worth the money I spent on and it’s really well made in Mexico (why it is not China?).

My old tower PC has just been upgraded from O.C version of E5200 to E8400 but it’s still getting slow. As a result, I bought TWO TS140, one for lab and server machine, the other one for workstation.

Surprise, surprise, surprise! My unit is equipped with the latest version of motherboard (FRU number is 00FC657) which supports Haswell Refresh CPU so I can use some of the latest LGA1150 CPU, including i7-4770 and E3-1231 V3 CPU. Unfortunately, I’ve bought a E3-1245 V3 CPU from eBay and it had been delivered. I am planning to buy another E3-1231 V3 for the 2nd tower.

Currently, one of the TS140 is up and running, and it’s very, very quiet! I could only hear the hard drive clicking in the night.

CPU: E3-1245 V3
Ram: 4GB * 2 ECC Unbuffered RAM (original 2 sticks from two TS140)
HDD: 1TB Segate
System: Windows Small Business Server 2011 (SBS 2011) Standard – One of my clients using this and I am just using it for evaluation purposes only, WILL change to 2012 R2 as soon as experiments is finished.

I am going to sell both of the i3-4330 CPU on eBay to compensate my costs.

So far, so good. I will try to post more screenshots for the system shortly.

12/03/2015

Lenovo ThinkServer TS140 – My Very First Home Server

By dch1 in Just Notes No Comments

Yay! Just moment ago, I made my first step into the whole new world – I bought a Lenovo ThinkServer TS140 70A4 entry level server from eBay. Must mention that the specs seem a bit crap but I will work it out as soon as get this machine delivered.

In fact, I’ve been watching these Home Server for a while now. My first choice was HP ProLiant MicroServer Gen8, a light weight and nice lovely case mini server. I knew that it’s a more advanced version of N54L, which uses AMD CPU. Well, it was one of the option but I wouldn’t be bothered with AMD CPU due to its complexity in server industry (I haven’t known any of the large enterprise uses AMD CPU in their production environment). It’s OK to use N54L as a File Server.

Back to my first choice, I admit that MicroServer will do the job in a home lab as I am planning to use it as a test server or GNS3 server running under Linux (Ubuntu and Debian are my most favourite). However, there are only 2 memory slots (with 16GB of maximum RAM) on the motherboard so it would be a problem if I need to run more than one OS using VMware ESXi virtualised environment (I am keen to give Windows Server 2012 a shot, just for entertainment purposes at this stage).

So I changed my mind to ML310e, which is also Gen8 server from HP. The major difference is, ML310e supports up to 32GB of RAM, which is fantastic. Now the problem is, where to get it? There is very limited source for purchasing a server in Australia, either from eBay, ~~Gumtree~~ (Don’t think it’s a reliable option), or from suppliers. Most of the suppliers are extremely expensive and the local eBay sources are the same, and it’s beyond my budgets (say approximately $1,000 – a very tight budget indeed). As a result, I have tried Amazon and Newegg, but I quickly realised that Amazon does ship most of the server grade product to Australia – it’s a pain. Newegg seems to be better but they only ship parts to Australia (I am planning to buy some ECC RAM from them, and it’s cheaper than Australia resellers.). When I almost made my decisions to build a system myself, I found a cheaper solution – Lenovo TS140!

It’s not the end of the story actually. The problem is, ML310e supports E3-1230 V3 series CPU, but TS140 seems to have biased views of CPU upgrade (some of the motherboards support E3-1230 V3 series but others are not). My idea was, I can buy a lower end server with a low spec of CPU, then I can swap it with “higher end” ones. Due to the natures of the Lenovo TS140, I got quite frustrated quickly. There is a huge performance differences between E3-1225 V3 and E3-1231 V3, also the E3-1231 V3 is a Haswell refreshed CPU, and it can be upgraded to more powerful candidates.

Not until today, I found a deal on eBay, who sells dirty cheap (just $340 in AUD) TS140 server. It comes with i3-4330 dual core processor and 4GB of RAM (will be replaced sooner or later). The TS140 is a solid-built machine. It is said that the gross weight will be exceeded 13KG. My idea is just buying more RAM, a better CPU, and some hard drive (RAID-1 is preferred) to make it work. I could even resell the crappy i3 CPU on eBay to recover some of the upgrade budget. It could be used as a File Server when it’s retired – a much better quality and budget media server!

I have linked the data sheet from Lenovo website and can’t wait the machine to be delivered from States!

06/02/2015

Raspberry Pi 2 Has Arrived

By dch1 in Just Notes No Comments Tags: Raspberry Pi

I Received my Raspberry Pi 2 today from element14. From my first impression of this latest version, everything seems to work much better than before. I am writing this Blog just on the latest version of Raspbian, which is still a bit buggy. In fact, the previous generation – Raspberry Pi B and B+ was quite unusable under business environment, mainly due to the low spec of the CPU.

This version of the Raspberry Pi comes with the Broadcom BCM2836 SoC chip with 1GB DDR2 RAM. It has 4 logic processors with 900Mhz each. It is said that the performance has been boosted for up to 6 times than before and I could definitely feel the difference of the performance. What’s more, it will be the first 3rd-party IoT (Internet of Things) Windows 10 device, becoming THE CHEAPEST Windows 10 PC on this planet ($38 in AUD Excl GST).

I installed an Arduino software on this new board and the compiling time is so quick. As a result, it should be a productive environment for Arduino developments.

11/01/2015

Cisco PIX-515 PIX-515E Unrestricted (UR) License Keygen Algorithm

By dch1 in Just Notes, Life No Comments Tags: ASA, CCNA, Cisco, PIX

=====WARNING: This article is for Academic purposes ONLY and not with intention to make profits or resell.=====

As an engineer myself, I am always curious about how the things work. I could even remember when I was in high school, I used my pocket money to buy a book titled Applied Cryptography, of course it is a Chinese version. I was amazed by the encryption algorithm, such as MD5, RSA, SHA, etc. I bought a DLL plug-in to make my home-brewed software have registration functionality. (I should have studied IT security, shouldn’t I?)

Time flies, I choose Mechanical Engineering to be my major in University but it did not change my ambitious as well as my field of interest. I remembered the first few days I bought my Arduino kit, I was trying to dig some interesting protocols for encryptions using that microcontroller. Well, it’s a 8-bit MCU so it is not likely possible to implement strong algorithms like RSA and MD5. I found someone making CRC32 and SHA on that platform but it will take a few seconds to get the work done.

Anyway, I am talking too much about the past so let’s get into this topic.

Just a couple of days ago, I was given 3 Cisco PIX-515E firewall with Unrestricted (UR) License. To be honest, I had really no idea with these firewalls and only know about the Cisco ISR series during that time (Yes, I am studying CCNA at the moment and the PIX firewalls are unwanted free gift from one eBay seller.). Soon after, I found the ASA could be a very useful equipment in networking as they are capable of doing not only the fire fighters job, but also be NAT/PAT tasks.

I watched a youtube video and the instructor tried to use valid Serial Number and Activation Keys to activate the “virtual” PIX-515E in GNS3 software. As a result, I was getting much more interested in the activation key algorithms than ever! I had a brief look on the eBay.com.au, there were couple of sellers who were selling UR Licenses at a premium price and it looked like a must have (handy) bundle for CCNP students.

I was accidentally got an article on one Russia website, and one of the ‘hacker’ revealed the software algorithm for the UR license key so I would like to write an English version to make it clearer.

======Please ignore above paragraphs if you are above the CCNA level :-).======

I need to grab a working SN and Key to verify the process is all working. So I grabbed a victim on eBay:

Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
Serial Number: 809112952
Running Activation Key: 0x4b7c1873 0x54ce958f 0x7b74b95e 0x569def49

Firstly, we need to convert the Serial Number from DEC to HEX. Just use the calculator to conduct the conversion.

DEC(809112952)=HEX(0x 30 3A 15 78)

Secondly, we need to make the inversion of the digits.

30 3A 15 78 => 78 15 3A 30 => 78153A30

Refer to the original discussion, we need to put inverted value of the license type mark (AES+DES+UR = 0x00000039) to the beginning of the SN we have just converted.

“39000000” + “78153A30” = 3900000078153A30

Then we needs a MD5 conversion using a perl syntax:

If you are running or having a Mac or Linux based O/S, just using the following command:

perl -e ‘use Digest::MD5 qw(md5_hex); print md5_hex(pack(“H*”, “390000006C394E30“))’

If you cannot have access to the Linux or Unix based PC, you can use online compiler, such as: http://www.tutorialspoint.com/execute_perl_online.php. You need to remember that the command will be slightly different:

qw(md5_hex); print md5_hex(pack(“H*”, “390000006C394E30“))

You will get the following result:

73187c4b 8f95ce54 5eb9747b 49ef9d56

Last step, we need to separate the result to 4 groups (shown above), and make the inversion AGAIN to get the final result! You’ll get the same result with our victim’s answer:

0x4b7c1873 0x54ce958f 0x7b74b95e 0x569def49

Not that bad!

03/12/2014

Desert Runners

By dch1 in Just Notes No Comments

http://hulu.com/w/LBFG

You are your worst enemy! This documentary makes the most strongest prove for it.

30/11/2014

祝贺 DANCINGFRIENDS.COM.AU 新版本上线！

By dch1 in Just Notes No Comments Tags: Web Design

墨尔本以舞会友工作室上线！

有需求的请访问官方网站：http://dancingfriends.com.au

22/11/2014

DSLR Project @Flinder Street, Melbourne, Australia

By dch1 in Just Notes, Life No Comments

This may not be the first DSLR for me but it definitely the first post here. Anyway, I admitted that my photographing skills are greatly improved these days and I will definitely continue my photographing journey!