!The Lazy Admin Club

I'm going to be moving to a dedicated server in the next month or so and am currently planning my setup with regards to PHP-FPM.

As I'll be running various PHP driven sites, I thought it best from a security point of view to use FPM pools properly this time, and have a separate owner for each website.

This still leaves the potential security issue of the opcache and apcu cache being shared by all sites as it's controlled by the PHP master process.

I've read that the solution is to have multiple PHP master processes - one for each site - which means that each site will have its own separate opcache and apcu cache. I'm just wondering if this is still the correct approach, as the articles I can find advising this all tend to be a few years old.

Those that are using FPM and are hosting multiple sites, have any of you taken this approach?

This is an example of one of the articles I've been reading:
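As an added example (not code from the post or from any of the articles it refers to), here is a small audit script for the pool layout described above. php-fpm pool files are INI syntax, so Python's configparser reads them; the script flags pools that run as the web server's own user, share a Unix user with another pool, expose their socket to every local account, or lack open_basedir. The three pool files and the names site_a/site_b are constructed for the example.

```python
"""Audit php-fpm pool files for per-site isolation.

Added example, not code from the original post. php-fpm pool files use
INI syntax, so configparser can read them; the script flags pools that
run as the web server's own user, share a user with another pool, expose
their socket to every local user, or lack open_basedir. The pool files
and names (site_a, site_b) below are constructed for the example.
"""
import configparser
from collections import defaultdict

SAMPLE_POOLS = {  # constructed sample: two sites plus a leftover default pool
    "site_a.conf": """
[site_a]
user = site_a
group = site_a
listen = /run/php/site_a.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 10
php_admin_value[open_basedir] = /srv/site_a:/tmp
""",
    "site_b.conf": """
[site_b]
user = site_b
group = site_b
listen = /run/php/site_b.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0666
pm = ondemand
pm.max_children = 10
""",
    "www.conf": """
[www]
user = www-data
group = www-data
listen = /run/php/www.sock
pm = dynamic
pm.max_children = 5
""",
}


def parse_pools(files):
    """Return {pool_name: {key: value}} from a mapping of file name -> text."""
    pools = {}
    for name, text in files.items():
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.optionxform = str  # keep php_admin_value[...] keys verbatim
        cp.read_string(text, source=name)
        for section in cp.sections():
            pools[section] = dict(cp[section])
    return pools


def audit(pools, web_user="www-data"):
    """Return (pool, finding) tuples; an empty list means every check passed."""
    findings = []
    by_user = defaultdict(list)
    for name, cfg in pools.items():
        user = cfg.get("user")
        if user is None:
            findings.append((name, "no user set"))
        else:
            by_user[user].append(name)
            if user == web_user:
                findings.append((name, f"runs as the web server user {web_user}; "
                                       "a compromise of either side gets the other's privileges"))
        # php-fpm's default listen.mode is 0660; world bits let any local account talk to the pool
        if int(cfg.get("listen.mode", "0660"), 8) & 0o006:
            findings.append((name, f"listen.mode {cfg['listen.mode']} is world-accessible"))
        if "php_admin_value[open_basedir]" not in cfg:
            findings.append((name, "no open_basedir (defence in depth if the app has a path traversal bug)"))
    for user, names in by_user.items():
        if len(names) > 1:
            findings.append((",".join(sorted(names)),
                             f"share Unix user {user}; they can read and write each other's files"))
    return findings


if __name__ == "__main__":
    for pool, problem in audit(parse_pools(SAMPLE_POOLS)):
        print(f"{pool}: {problem}")
```

Note what this does not check: every pool defined under one php-fpm.conf is forked from the same master process and therefore shares that master's opcache and APCu shared memory, which is exactly the concern in the post. Separate caches need separate masters, i.e. one php-fpm.conf (with its own pid file, error_log and pool directory) per site, started with php-fpm's `-y <file>` option and its own service unit. opcache.validate_permission=1 (available since PHP 7.0.14) makes opcache check that the pool's user may read the cached file before serving it, which narrows cross-site reads from the shared cache, but it does not separate APCu.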

!The Lazy Admin Club

A shell script to display the status of all your fail2ban jails at once (works fine for me on Ubuntu): #fail2ban #serveradmin #linux #bash


/dev/null Saves the Day

Admittedly, lazy admin that I am, I ignored the email warnings from a rather frequently scheduled cron job. Now my relay provider is recommending a special deal for my email log spam on an industrial scale...


The moral of the story, my dear fellow admins: always redirect your cron jobs' stdout somewhere, preferably a log or /dev/null 2>&1.

With that in mind, all that remains to be said: Have a Happy Holiday!

!The Lazy Admin Club


Tweaking Two-Factor Authentication for SSH


I'm using two-factor authentication for remote SSH access.

This also means accessing the SSH server from the local network requires two-factor authentication.

Is there a way to exclude specific users from two-factor authentication and then grant them only local access?

At the moment all users seem to require two-factor authentication, regardless of whether they have set up a second validation level.

!The Lazy Admin Club

@Rebeka Catalina I found the answer. In the pam configuration this line needs to be added auth [success=done default=ignore] accessfile=/etc/security/access-local.conf and then local access defined.

See here:

Nice :-)
Well, I don't understand pam, because I don't use it. I used to compile my operating systems completely without pam support - so I can't really say anything about this solution, but awesome that you could solve the problem :-)

Oh.. probably not yet solved. Now local access works, but remote doesn't anymore... I'll do some more testing.

Can you use 2FA without pam? Prior to enabling 2FA, I didn't use pam either.

AFAIK pam is needed for 2fa - I don't use 2fa on my machines.

Finally, got it working properly! This is the right pam configuration, plus Rebeka's ssh settings.

auth [success=1 default=ignore] accessfile=/etc/security/access.conf
auth sufficient
auth required

Now I understand why I only received a notification about your comment, but not about my mention in your comment. You mentioned this account of mine.
Could you please drop this account from your contact list? I keep this account only until somebody else administers this node, but I don't use this one for active social networking anymore. That's why my profile picture in here is crossed with a red line. I just use the other one actively :-)

Wow, it works! I deleted this contact and your post's avatar changed from the red line to the cat. 😊
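The difference between the two control flags tried in this thread ([success=done default=ignore] first, [success=1 default=ignore] in the end) is easy to get wrong, so here is an added example, not the poster's files, that simulates a Linux-PAM auth stack in Python. It models the keyword controls and bracketed actions from pam.conf(5), a subset of pam_access's access.conf syntax ("+/- : users : ALL|IP|CIDR", first match wins), and fake password and OTP modules so it runs offline. The module names, their order in the stack and all credentials are assumptions made for the example.

```python
"""Simulate a PAM auth stack to see who can skip the OTP module.

Added example, not the poster's files. It models Linux-PAM control flags
(required, requisite, sufficient, optional, [success=N|done default=ignore])
and a subset of pam_access's access.conf ("+/- : users : ALL|IP|CIDR"), with
fake password and OTP modules so it runs offline. Module names, stack order
and all credentials are assumptions made for the example.
"""
import ipaddress

SUCCESS, AUTH_ERR = "success", "auth_err"

ACCESS_CONF = """
# constructed: alice may skip the OTP module from the LAN, everyone else may not
+ : alice : 192.168.1.0/24
- : ALL : ALL
"""
PASSWORDS = {"alice": "correct horse", "bob": "hunter2"}  # constructed
OTP_CODES = {"alice": "123456", "bob": "654321"}          # stand-in for TOTP


def _users_match(spec, user):
    return spec == "ALL" or user in spec.replace(",", " ").split()


def _origins_match(spec, rhost):
    if spec == "ALL":
        return True
    try:
        addr = ipaddress.ip_address(rhost)
    except ValueError:
        return False  # hostnames only match ALL in this subset
    return any(addr in ipaddress.ip_network(o, strict=False) for o in spec.replace(",", " ").split())


def pam_access(ctx, conf=ACCESS_CONF):
    """First matching rule decides; pam_access grants when nothing matches."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if _users_match(users, ctx["user"]) and _origins_match(origins, ctx["rhost"]):
            return SUCCESS if perm == "+" else AUTH_ERR
    return SUCCESS


def pam_unix(ctx):
    return SUCCESS if PASSWORDS.get(ctx["user"]) == ctx.get("password") else AUTH_ERR


def pam_google_authenticator(ctx):
    return SUCCESS if OTP_CODES.get(ctx["user"]) == ctx.get("otp") else AUTH_ERR


KEYWORDS = {  # keyword controls as the bracketed actions pam.conf(5) defines them
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}


def parse_control(text):
    if text in KEYWORDS:
        return KEYWORDS[text]
    pairs = (kv.split("=", 1) for kv in text.strip("[]").split())
    return {k: int(v) if v.isdigit() else v for k, v in pairs}


def run_stack(stack, ctx):
    """True if the stack authenticates ctx. A success never overrides an earlier
    'bad'; 'done' returns at once; an integer jumps over that many modules."""
    failed = positive = False
    i = 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        actions = parse_control(control)
        result = module(ctx)
        action = actions.get(result, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            failed = True
            if action == "die":
                break
            continue
        if result == SUCCESS and not failed:
            positive = True
        if action == "done" and not failed:
            return True
        if isinstance(action, int):
            i += action
    return positive and not failed


# Hypothetical /etc/pam.d/sshd auth sections (module order is an assumption).
SKIP_OTP_ON_LAN = [
    ("[success=1 default=ignore]", pam_access),     # "+" match: jump over the OTP line only
    ("required", pam_google_authenticator),
    ("required", pam_unix),
]
DONE_ON_LAN = [
    ("[success=done default=ignore]", pam_access),  # "+" match: the whole auth stack succeeds
    ("required", pam_google_authenticator),
    ("required", pam_unix),
]


def demo():
    lan = {"user": "alice", "rhost": "192.168.1.10", "password": "correct horse"}
    wan = dict(lan, rhost="203.0.113.5")
    bob = {"user": "bob", "rhost": "192.168.1.10", "password": "hunter2"}
    return {
        "alice_lan_password_only": run_stack(SKIP_OTP_ON_LAN, lan),
        "alice_wan_password_only": run_stack(SKIP_OTP_ON_LAN, wan),
        "alice_wan_password_and_otp": run_stack(SKIP_OTP_ON_LAN, dict(wan, otp="123456")),
        "bob_lan_password_only": run_stack(SKIP_OTP_ON_LAN, bob),
        "done_alice_lan_wrong_password": run_stack(DONE_ON_LAN, dict(lan, password="wrong")),
    }
```

With the success=1 stack, alice from the LAN authenticates with her password alone, from elsewhere she needs password and OTP, and bob (denied by the "- : ALL : ALL" line) always needs both. With success=done the simulated stack returns success as soon as pam_access matches, before the password module runs; whether that is reachable over SSH depends on AuthenticationMethods in sshd_config, since a required public key still gates the login, but if keyboard-interactive via PAM is the only method, a matching access.conf entry is the whole authentication.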


Unusual high disk IO on one disk

!The Lazy Admin Club


When looking at my Munin monitoring I see something strange:


All four disks (sda to sdd) are members of the same RAID10 setup, but for some unknown reason sda has twice the disk utilization of the other three disks. The same also goes for the disk I/O stats:


Does anyone have an idea what might cause this?

All are running in AHCI mode? Same IO scheduler?

Yes, all AHCI and all the same elevator:

# cat /sys/block/sd[abcd]/queue/scheduler
noop [deadline] cfq 
noop [deadline] cfq 
noop [deadline] cfq 
noop [deadline] cfq 

Well, I don't see similar behaviour on other servers with RAID10 setup.

Anyway, here's iostat output:
Linux 4.9.0-8-amd64 (gate)      11/16/2018      _x86_64_        (12 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           1.18    0.02    1.23    5.80    0.38   91.39

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
sdb              36.30       232.01       613.52   38033954  100574597
sdc              40.09       438.52       680.30   71887110  111522209
sdd              35.60       193.00       680.30   31638665  111522209
sda              40.92       463.26       613.52   75943001  100574909
md3              64.34      1779.79      1205.26  291763336  197579238
md2               0.01         0.14         0.00      23672          0
md0               0.02         0.69         0.00     113888        160
md1               3.16        90.85        13.46   14892974    2206726
dm-0              2.67        65.58        26.25   10751068    4303864
dm-1              5.24        31.49       183
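As an added example (not part of the thread), here is a parser for the device table iostat prints, with a check that uses a property of RAID10 the thread does not spell out: the two halves of a mirror receive identical writes, so members with the same kB_wrtn/s can be paired and their read volumes compared. The sample is the iostat output quoted above, minus the truncated last row; the pairing by equal write rate is a heuristic, not something read from /proc/mdstat.

```python
"""Check read/write balance across RAID10 members from iostat output.

Added example, not part of the thread. It parses the device table that
iostat prints (the "Device:" header and the rows after it) and, for the
sd* members of an md array, pairs devices by identical write rate (mirror
halves receive the same writes) and reports read asymmetry within each
pair. The sample is the iostat output quoted in the thread, without the
truncated last row. Pairing by equal write rate is a heuristic.
"""
from collections import defaultdict

SAMPLE = """\
Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
sdb              36.30       232.01       613.52   38033954  100574597
sdc              40.09       438.52       680.30   71887110  111522209
sdd              35.60       193.00       680.30   31638665  111522209
sda              40.92       463.26       613.52   75943001  100574909
md3              64.34      1779.79      1205.26  291763336  197579238
md2               0.01         0.14         0.00      23672          0
md0               0.02         0.69         0.00     113888        160
md1               3.16        90.85        13.46   14892974    2206726
dm-0              2.67        65.58        26.25   10751068    4303864
"""


def parse_iostat(text):
    """Return {device: {column: float}} for the iostat device table."""
    rows, columns = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0].startswith("Device"):
            columns = parts[1:]
            continue
        if columns and len(parts) == len(columns) + 1:
            rows[parts[0]] = dict(zip(columns, map(float, parts[1:])))
    return rows


def mirror_pairs(rows, prefix="sd"):
    """Group physical members whose write rate is identical (same mirror)."""
    groups = defaultdict(list)
    for dev, cols in rows.items():
        if dev.startswith(prefix):
            groups[cols["kB_wrtn/s"]].append(dev)
    return [sorted(devs) for devs in groups.values() if len(devs) > 1]


def read_imbalance(rows, prefix="sd", ratio=1.5):
    """Return [(pair, busiest_member, read_ratio)] where reads differ by more than `ratio`."""
    out = []
    for pair in mirror_pairs(rows, prefix):
        reads = {d: rows[d]["kB_read/s"] for d in pair}
        hi, lo = max(reads, key=reads.get), min(reads, key=reads.get)
        r = reads[hi] / reads[lo] if reads[lo] else float("inf")
        if r > ratio:
            out.append((pair, hi, round(r, 2)))
    return out


if __name__ == "__main__":
    for pair, busiest, r in read_imbalance(parse_iostat(SAMPLE)):
        print(f"{'+'.join(pair)}: {busiest} serves {r}x the reads of its mirror")
```

On the thread's own numbers the check reports sda over sdb (2.0x) and sdc over sdd (2.27x), with the write rates equal within each pair: the asymmetry is one member per mirror carrying most of the reads, not something specific to sda.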



Hi, I'm the admin of my own Pleroma instance, which no one else uses.

Hello everyone, I'm currently getting into the topic of #Monitoring. For that I've set up #Icinga2 in a #Proxmox #VM. Thanks to the excellent #Tutorial this worked wonderfully.
Now the #question: are there any recommendable #Tutorials / #HowTo s on the topic of #Icinga2? Especially when it comes to monitoring #servers #services #networks.
I'd be really grateful for #tips.

!The Lazy Admin Club #Admin #Server #question #swarmintelligence #followerpower


!The Lazy Admin Club

OK, I've neglected this for too long! But I'm currently busy documenting my entire adventure of creating my own corner of the internet, so there'll be lots of bits and pieces coming soon... :)

@The Lazy Admin Club @Deutschsprachige Nutzer @Friendica Admins

Hello folks, over the weekend I treated my web server to PHP 7.2 and adjusted the whole config.
Today I switched off mpm_prefork and switched on fpm, and with it http2.

While I was at it, I also bumped the Let's Encrypt config up to RSA=4096.

SSL Labs gave it an A+, and everything now feels twice as fast ;-)


Prosody and file/photo sharing

@The Lazy Admin Club

I have a working Prosody server but nobody using it is able to send files using the conversations client. I'm guessing that it's because I haven't set up the necessary modules. Does anyone know of a clear guide on the net to setting this up? I'm struggling to find anything.

#serveradmin #prosody #xmpp

I don't think you actually need a "real" subdomain for MUC; it's just something that Prosody uses to differentiate the MUC in the configs (according to somebody else, so YMMV). Personally I created the sub just to be sure, but I didn't create a cert for that and it seems to work just using the cert for the base domain.

Not only that, but you will also need appropriate DNS entries to redirect towards your server. I think the compliance tester is a bit fussy on this point, as it will not accept a wildcard in the DNS (but the specs probably require explicit entries).
As per certificates, note that letsencrypt now allows wildcard certificates, although the drawback is that autorenewal does not work for those...

I guess I could add an extra domain to the list and reissue. Its only a 2 minute job after all :)

