Pixelfed federation


Hello !The Lazy Admin Club,
is anyone successfully running a #Pixelfed instance? I've installed one yesterday but federation doesn't work. I cannot follow my Pixelfed account from Friendica, Mastodon and Pleroma. The contact request stays in 'waiting for approval' mode and there's no indication on Pixelfed that someone is trying to follow me.

Also, I don't know how to find and follow a remote user from another instance on Pixelfed itself.

The config of Pixelfed seems to be ok. When I probe my Pixelfed account from Friendica the result looks good, too. I'm lost. :-)

Pixelfed: https://pixel.libranet.de/
Account: steffen@pixel.libranet.de
Issue on Github: https://github.com/pixelfed/pixelfed/issues/1158

Pixelfed 0.9.0
Installed via composer
PHP 7.2.15
Apache2 2.4.29 PHP-FPM
MariaDB 10.3.14 (with support for json fields)
Redis 4.0.9

Any idea?

Regards,
Steffen



 
Neat, there is a PAM module to secure SSH logins with Google Authenticator compatible 2FA (e.g. my NitroKey works fine): libpam-google-authenticator. See e.g. this article for a description of how to set it up.

If you already have public key authentication set up, this module seems not to add the 2nd factor as the 2nd factor is only used to harden the response authentication (entering a password).

!The Lazy Admin Club

I have mine set up with both public key and 2fa. It uses both... I have my instructions somewhere....



 

Updating software that was installed using Make Install


!The Lazy Admin Club

If I've installed something using make install (in this case libmodsecurity) and I wish to update at a later date... do I need to do a make uninstall first? And then download the latest source files and go through the process again? Or can I just do another make install - will it just overwrite and update any files previously installed? What's best practice?

#linux #makeinstall #ubuntu #modsecurity

@Mark I dunno, I used to use it a few years ago, nowadays I use the simple method I presented to build proper packages by hand. :)

If you're using Debian it's in the stable main repo, so it works. Then on different distros YMMV.



 
@The Lazy Admin Club

Imagine this scenario:

I have a PHP driven website (e.g. WordPress). The webserver runs as user www-root and a php-fpm pool is set up that runs under user:group site1:site1.

Does www-data still need access to the files or can I set my file permissions for the website directory based purely on user site1?

It depends - is the webserver going to be accessing any of the files directly? In many cases you'll still have some kind of static file access that the webserver is going to need access to.

I was thinking from a security perspective. It doesn't seem good practice to have multiple sites all writable by the same user. So if the webserver still needs read access then maybe a chown site1:www-data and a chmod 640 would be most suitable (unless it needs to be public readable)?

or alternatively, chown site1:site1, chmod 640, and add www-data to the site1 group. I've just read that if it's an upload directory, then the webserver will also need write access. But surely if it's a PHP driven site, uploads are going to be performed via a PHP script, so it's the pool user that requires write permissions?

I would generally try to have as little writable as possible by either the FPM user or the web server. I was going to suggest exactly what you mentioned in your last comment about adding the web server user to the user's group. You could also add the FPM user to the user's group, too.

And I say this in the 'general' sense because in the case of my friendica node, for example, that's the only purpose of the server, so the FPM instance runs as the user who owns all of the Friendica code. nginx doesn't have any special permission or group access, so things have to be world readable for it.
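An added example, not code from anyone in the thread: a script that applies the layout the thread converges on (pool user owns the files, web server group gets read only, nothing group- or world-writable) and an audit function that reports anything violating it. The pool user `site1`, the web server group `www-data` and the docroot `/var/www/site1` are assumed names.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Layout: owner = FPM pool user,
# group = web server, dirs 750, files 640. Only the owner can write, so the
# PHP upload scripts (run by the pool) work while the web server only reads.

# Apply ownership and modes to a docroot. Needs root for chown.
# Assumed: pool user "site1", web server group "www-data".
apply_layout() {
    local root="$1" owner="$2" group="$3"
    chown -R "$owner:$group" "$root"
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
}

# Audit a tree: print every path that is writable by group (020) or others
# (002). Returns 0 when the tree is clean, 1 when it printed any offender.
# This is the check to run after deployments or plugin updates, which like
# to loosen modes again.
audit_writable() {
    local root="$1" hits
    hits=$(find "$root" \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Only touch the real docroot when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    apply_layout /var/www/site1 site1 www-data
    audit_writable /var/www/site1 && echo "/var/www/site1 is clean"
fi
```

Run with `--apply` as root once, then schedule `audit_writable` from cron to catch modes that drift back to group- or world-writable.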



 
!The Lazy Admin Club

I'm going to be moving to a dedicated server in the next month or so and am currently planning my setup with regards to PHP-FPM.

As I'll be running various PHP driven sites, I thought it best from a security point of view to use FPM pools properly this time, and having a separate owner for each website.

This still leaves the potential security issue of the opcache and apcu cache being shared by all sites as it's controlled by the PHP master process.

I've read that the solution is to have multiple PHP master processes - one for each site, which means that each site will have its own separate opcache and apcu cache. I'm just wondering if this is still the correct approach as the articles I can find advising this all tend to be a few years old.

Those that are using FPM and are hosting multiple sites, have any of you taken this approach?

This is an example of one of the articles I've been reading:
https://ma.ttias.be/a-better-way-to-run-php-fpm/

#php7 #php #fpm #opcache



 
!The Lazy Admin Club

A shell script to display the status of all your fail2ban jails at once (works fine for me on Ubuntu): #fail2ban #serveradmin #linux #bash
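The post's script itself is not on the page; this is an added example of the same idea, not the poster's code. It takes the jail names from `fail2ban-client status` and queries each one, so it needs access to the fail2ban socket (normally root).

```bash
#!/usr/bin/env bash
# Added example (not the poster's script): show the status of every
# fail2ban jail at once. `fail2ban-client status` prints a line such as
#   `- Jail list:   sshd, nginx-http-auth
# which we turn into one jail name per line and then query each jail.

# Read `fail2ban-client status` output on stdin, print one jail name per line.
parse_jail_list() {
    sed -n 's/^.*Jail list:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | sed '/^$/d'
}

# Print the per-jail status block (filter counters, currently banned IPs).
show_all_jails() {
    local jail jails
    jails=$(fail2ban-client status | parse_jail_list) || return 1
    if [ -z "$jails" ]; then
        echo "no active jails (or fail2ban is not running)" >&2
        return 0
    fi
    for jail in $jails; do
        echo "=== $jail ==="
        fail2ban-client status "$jail"
    done
}

# Only query the daemon when the client is actually installed.
if command -v fail2ban-client >/dev/null 2>&1; then
    show_all_jails
fi
```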




 

/dev/null Saves the Day


Admittedly, the lazy admin I am, I ignored the email warnings of a rather frequently set cron job. Now my relay provider recommends a special deal for my email log spam on industrial scale...



The moral of the story, my dear fellow admins, always redirect your cron jobs' stdout to somewhere, preferably a log or /dev/null 2>&1.

With that in mind, all that remains to be said: Have a Happy Holiday!


!The Lazy Admin Club



 

Tweaking Two-Factor Authentication for SSH


Hello,

I'm using two-factor authentication for remote SSH access.

This also means accessing the SSH server from the local network requires two-factor authentication.

Is there a way to exclude specific users from two-factor authentication and then grant them only local access?

At the moment all users seem to require two-factor authentication, regardless of whether they have set a second validation level.

!The Lazy Admin Club

Finally, got it working properly! This is the right PAM configuration, plus Rebeka's SSH settings.

auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access.conf
auth sufficient pam_google_authenticator.so
auth required pam_unix.so
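The SSH settings referred to above are not on the page; the following is an added illustration (not Rebeka's or the poster's files) of the pieces that make this stack exempt local users: the `access.conf` rules the first line consults and the sshd options that make the PAM conversation happen even with public key authentication. The group name `localadmins` and the subnet `192.168.1.0/24` are assumed values.

```text
# /etc/pam.d/sshd, auth section: the stack from the post, annotated.
# pam_access returns success when a "+" rule in access.conf matches the user
# and the connecting address; success=1 then skips the next line (the OTP).
# On a "-" match it fails, default=ignore falls through, and the OTP is asked.
# Because the OTP line is "sufficient", a failed or unenrolled OTP is not
# fatal: the user is then asked for the Unix password by pam_unix instead.
# Make it "required" (with "nullok" for users who have no secret yet) if the
# OTP must be mandatory for every enrolled remote user.
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access.conf
auth sufficient pam_google_authenticator.so
auth required pam_unix.so

# /etc/security/access.conf (assumed contents): first matching rule wins.
# Members of "localadmins" connecting from the LAN skip the OTP; everyone
# else hits the deny rule and therefore gets the OTP prompt.
# The final line is essential: when no rule matches, pam_access grants
# access, which would skip the OTP for every remote login.
+ : (localadmins) : 192.168.1.0/24
- : ALL : ALL

# /etc/ssh/sshd_config (assumed): with public key auth alone sshd never runs
# the PAM auth stack. Requiring both methods makes the key mandatory and
# lets PAM add the OTP (or the password, for exempt local users) on top.
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
```

Test the exemption from one LAN host and one outside address before closing the console session, since a typo in `access.conf` can lock every remote user out.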



 

Unusual high disk IO on one disk


!The Lazy Admin Club

Hi!

When looking at my Munin monitoring I see something strange:


All four disks (sda to sdd) are members of the same RAID10 setup, but for some unknown reason sda has twice the disk utilization of the other three disks. The same goes for the disk I/O stats:


Does anyone have an idea what might cause this?

#debian #server #linux #raid #raid10 #lvm #xen

Are all running in AHCI mode? Same I/O scheduler?

Yes, all AHCI and all the same elevator:

# cat /sys/block/sd[abcd]/queue/scheduler
noop [deadline] cfq 
noop [deadline] cfq 
noop [deadline] cfq 
noop [deadline] cfq 

Well, I don't see similar behaviour on other servers with RAID10 setup.

Anyway, here's iostat output:
Linux 4.9.0-8-amd64 (gate)      11/16/2018      _x86_64_        (12 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           1.18    0.02    1.23    5.80    0.38   91.39

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
sdb              36.30       232.01       613.52   38033954  100574597
sdc              40.09       438.52       680.30   71887110  111522209
sdd              35.60       193.00       680.30   31638665  111522209
sda              40.92       463.26       613.52   75943001  100574909
md3              64.34      1779.79      1205.26  291763336  197579238
md2               0.01         0.14         0.00      23672          0
md0               0.02         0.69         0.00     113888        160
md1               3.16        90.85        13.46   14892974    2206726
dm-0              2.67        65.58        26.25   10751068    4303864
dm-1              5.24        31.49       183



 

Introductions


Hi, I'm the admin of my own Pleroma instance, which no one else uses.



 
Hello everyone, I'm currently looking into #Monitoring. To that end I've set up #Icinga2 in a #Proxmox #VM. Thanks to the great #Tutorial this worked wonderfully.
Now the #Frage (question): are there any recommended #Tutorials / #HowTo s on #Icinga2? Especially when it comes to monitoring #Servern #Dienste #Netzwerke (servers, services, networks).
I'd be really grateful for #Tipps.

!The Lazy Admin Club #Admin #Server #Frage #Schwarminteligenz #followerpower



 

Coming Soon!


!The Lazy Admin Club

OK, I've neglected this for too long! But I'm currently busy documenting my entire adventure of creating my own corner of the internet, so there'll be lots of bits and pieces coming soon... :)



 
@The Lazy Admin Club @Deutschsprachige Nutzer @Friendica Admins

Hi folks, over the weekend I treated my web server to PHP 7.2 and adjusted the entire config.
Today I switched off mpm_prefork and switched on fpm, and with it http2.

While I was at it, I also cranked the LetsEncrypt config up to RSA=4096.

SSL Labs gave that an A+, and friendica.a-zwenkau.de and hubzilla.a-zwenkau.de now feel about twice as fast ;-)



 

Prosody and file/photo sharing


@The Lazy Admin Club

I have a working Prosody server, but nobody using it is able to send files using the Conversations client. I'm guessing that it's because I haven't set up the necessary modules. Does anyone know of a clear guide on the net to setting this up? I'm struggling to find anything.

#serveradmin #prosody #xmpp

I don't think you actually need a "real" subdomain for MUC; it's just something that Prosody uses to differentiate the MUC in the configs (according to somebody else, so YMMV). Personally I created the sub just to be sure, but I didn't create a cert for that and it seems to work just using the cert for the base domain.

Not only that, but you will also need appropriate DNS entries to redirect towards your server. I think the compliance tester is a bit fussy on this point, as it will not accept a wildcard in the DNS (but the specs probably require explicit entries).
As for certificates, note that Let's Encrypt now allows wildcard certificates, although the drawback is that auto-renewal does not work for those...

I guess I could add an extra domain to the list and reissue. It's only a 2 minute job after all :)



