VPS? Eh?!
If you already know what a VPS is, you will probably want to skip straight to the tips. If not, do read on..
Introduction..
Okay, so it's been a while since I did any sort of web server setup for the org here. Otherwise busy, I was mostly content to mess around with Plesk and cPanel hosting and other less-than-optimal solutions. But the truth is, they all suck.
In a conversation with my recent temporary host's tech support staff, in answer to my question,
"Why can't I switch that sh*t off?"
He says,
"You need a VPS"
I think, "a what?", which just goes to show how out of the web hosting loop I had become. My previous host (hope you are okay man!) would just flick the switch. I'm reminiscing... So.. VPS. He was right. It was exactly what I needed. So at least, thanks for that.
Virtual Private Server..
It's like your own dedicated server, except virtual, so the host can slam a few on a box and if all goes to plan, each server has dedicated, guaranteed resources, very much like a dedicated server does, except cheaper.
If you want to have total control over your hosting environment, a VPS, or dedicated server, is for you. With every single hosting company I've used, I've had to make compromises. No more! With a VPS, everything is under your control.
A dedicated server is expensive. A VPS is cheap. Surprisingly so. The hosting company doesn't need to do anything, you see. On an "unmanaged" server, you basically get a net-connected box and an IP and away you go. You can get decent VPS hosting for way cheaper than shitty shared reseller hosting. Word.
Some VPS companies even do free trials, though I suspect it would be simpler and probably cheaper to just head along to LowEndBox and see what's on offer this month. Or last month. Browse around; you may be amazed by just how cheap VPS hosting can be. I was.
The downside is that it doesn't even come with an operating system installed (though you can usually choose one at purchase time, which will come pre-installed; it might even work right off the bat, which none of mine did*), so either a) you pay some company, probably the VPS hosting company, to manage the server for you, which makes it expensive again, or b) you set it up yourself.
Thing is, setting up a web server is no longer a simple operation, even for advanced Linux users. If you want all the modern, multi-user features one expects from "professional" hosting, it will be a massively complex and tricky operation, taking days or weeks to complete.
Fortunately you don't have to. See here.
*I did this stupid thing twice before I realised my mistake..
I install an OS image. I login to the fresh server, first waiting the ten minutes or so for the firstboot script to do its updating and what-not. I even checked in top to ensure it really was finished before rebooting, and kernel panic.
So anyway the third time, I waited longer, watching top.. Aha! yum starts up again for another batch of fun. This time I waited a good half hour, until it had been utterly silent for ten minutes. Tried a yum install (htop, of course). It worked, so yum was clearly free. Then rebooted.
The point of this story? If your VPS OS install page says to wait ten minutes, make it twenty. Or just go to bed and deal with it tomorrow!
Miscellaneous VPS, tricks and notes for n00bs..
A small selection of tips to save you time and trouble with your VPS.
Two VPS..
Fairly soon after I got my VPS up and running I realised that what I really needed, was a second VPS.
For around a tenner a year (+VAT!), you can get..
- Automated off-site, crazy-fast backups (30GB+ space). This is worth the money alone. But you also get..
- A place to test scripts, apps, sites, (nice)bots and servers safely away from your main VPS.
- A place to host games for your kids.. "Daddy, can we run Minecraft on your server?". The answer is now "Yes!" (so long as your VPS has at least 1.5GB RAM on-board!).
- A place to test the impact of upcoming server OS upgrades.
- A fixed IP that you can permanently allow through an otherwise tight, responsive firewall (see below). If your own (possibly dynamic) IP changes, and for any reason you can't ssh into your server, there is always another path in, with guaranteed access.
- A place to study and learn alternate operating systems (cuz you want Slackware on there, right!).
- A place to compile software for your main server (if the two run the same OS, even better). You probably don't want development tools running on your main server, but here, anything goes!
- I could go on. And don't forget this is in addition to all the marvellous benefits of having a single VPS. But times two.
A net-connected root shell box is always fun. Two is more-than-double-funner. Try it.
Get your firewall under control..
Linux has an excellent firewall: iptables. And the web is stuffed with interesting scripts and tweaks to give you useful firewall features. If you have the time and inclination, that is.
However, if you are a busy type, running a busy internet-facing server, I recommend something that can, in a couple of commands, turn your Linux firewall into the firewall-of-death..
ConfigServer Security & Firewall (csf) is, and I quote, "A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers."
It takes your Linux firewall to the next level. If you want to know when processes are running away, ports are being scanned, login attempts fail, and much, much more, this is the firewall application you need. The simple instructions even include a section for webmin/virtualmin (basically, install the csf module and go).
csf can be initially overwhelming, especially the zillion warning emails. But if you take a few minutes with the config file, you will be able to get these and much more under your control. By the way, you can exclude processes and commands (php cgi, etc.) inside /etc/csf/csf.pignore.
You can even have it automatically allow dynamic domains, so if you have a dyndns/no-ip/diy dynamic domain name for your home/office/workshop/whatever, you can add it to /etc/csf/csf.dyndns and from then on, when your dynamic IP changes, your firewall will create new rules to match. Nifty.
csf takes a minute to get under control, but once you do, you won't regret it. Highly recommended.
mc: aka. GNU Midnight Commander
If you are new to the console and Linux in general, and even if you aren't, mc is a superbly useful tool for navigating the filesystem and doing stuff. If it isn't installed, you can get it like this (as root, or use sudo)..
# Debian/Ubuntu
apt-get install mc
# CentOS/Redhat
yum install mc
Launch mc (by typing mc <Enter> into your console). Hit F9 (Command menu) > Down arrow > Panel Options > Lynx-like motion (enable). OK. Now you can whiz about the filesystem with the arrow keys, like a ninja.
You will probably also want to enable automatic pull-down of menus (when you hit F9). Hit F9 (Command menu) > Down Arrow (for the last time!)> Configuration > Drop down menus (enabled) so you don't have to hit the down arrow to activate the menus in future. Now you are all set.
MC QuickStart:
- F10 closes anything.
- mc has a built-in editor, mcedit. Hit F4 when a file is selected to invoke it. mcedit has skins, syntax highlighting and HotKeys like mc itself, and is a handy alternative to the likes of nano, vi and Emacs.
- TAB to switch panels. Ctrl+U to swap panels. Ctrl+o to switch to a shell. Carefully explore the menus for lots of other useful HotKeys.
- Ctrl+\ brings up the bookmarks. This gets used a lot.
- The "meta" key menu entries, like "Find Files M-?" you get by doing Alt+? (or Alt+Win+? if you have kde-mover-sizer installed in Windows). The find, by the way, is essentially grep, but without the command-line. Very useful. Be careful searching from root without excluding folders..
- Shortcuts in the menu like "Symlink C-x s" mean, hit Ctrl+x, let go, then hit "s".
- Alt+Enter inputs the currently selected item into your current command-line. Very handy. If you have Alt+Enter set to switch you to full screen (KiTTY/PuTTY/etc.) you won't be able to do this. Disable that shit!
- F2 while a file is selected to "do something" to the file. That menu, like everything in mc, is completely configurable. It's also smart enough to pick up any compression tools you might install.
- You can use "Shell link" to open a secure SSH connexion to your second VPS (or another Linux box) in one of the panels. If you have keys installed (and ports configured), simply do vps2 in the input and Voila! Now make a bookmark!
- You can use your mouse in mc, if you really must. Keyboard is quicker, though.
That should be enough to get you started.
Being Linux, when you login, you get a bash shell. Being a bash shell, it will have a .bashrc file in your home (root) directory, lovingly known as ~/.bashrc. If you are smart, you will edit this file and the associated .bash_aliases, if it exists - yes on Ubuntu, no on CentOS - and pimp your VPS login up to the max, or at least make it useful. A few minutes here could save you hours in the future.
By the way, on CentOS and other Linux that don't use the .bash_aliases convention, you might want to add that, as it's a nice idea to keep your aliases away from your other login commands. Simply add this to your .bashrc..
# Aliases..
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
Aliases are shortcuts that you create so instead of typing this:
You can simply do..
Or whatever. You want to create aliases for any commands that you need to perform often in a shell; restarting servers, tailing log files, whatever you need to do, except more quickly.
For example, this creates an alias named "lports" which displays the currently listening (IPv4) ports..
# current listening ports..
alias lports='lsof -Pni4 | grep LISTEN'
So I can do lports at any time in the console to see the current listening ports. I also have an lports6, which I guess you could string together with a ";".
Over the years, one builds up a collection of login script snippets, from the useful to the downright silly. But once you get a set that works, you will want to replicate those to all your VPS. Yes, they will likely need a wee tweak for different platforms, but not a lot**.
A couple of examples..
If you have csf installed, you could add this..
# Restart ConfigServer Security & Firewall (csf)..
alias ssec='systemctl status csf;systemctl status lfd'
alias rsec='csf -ra;systemctl restart lfd;ssec'
Notice how I used the first alias in the second command.
syslog, to have a look at the most recent 200 log lines..
alias syslog='journalctl -b -n 200'
fnd, to quickly find a file with a specified name anywhere in the filesystem. fnd searches from the current location (but returns full paths in the results), bfnd searches from root "/"..
# QuickFind (TM)
alias fnd='find "$(pwd -P)" -name'
alias bfnd="find / -path '/proc' -prune -type f -o -name"
Okay, this is just silly..
alias ff='wget randomfunfacts.com -O - 2>/dev/null | grep \ | sed "s;^.*\(.*\).*$;\1;"'
Instantly update your shell with all your new aliases and functions..
alias rsr='source ~/.bash_profile'
And so on.
CAUTION! Before you add an alias, remember to check there isn't already a system command with that name! Many of the cute two-letter combinations will have already been taken. BE CAREFUL!
With csf installed, there is a useful list of current system binary/log locations at the foot of /etc/csf/csf.conf.
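Added example (my code, not from the original post): a small script that reads a .bash_aliases-style file and reports every alias name that already exists as a command on this system, which is the check the CAUTION above asks for. The sample aliases file is constructed inline; point it at your real ~/.bash_aliases to check your own collection.

```shell
#!/bin/sh
# Added example, not from the original post: find alias names that would shadow
# an existing command. The sample aliases file below is constructed for the demo.

# Print, one per line, each "alias name=..." in the given file whose name is
# already a command on this system (per command -v). No output means no clashes.
alias_clashes() {
    awk '/^[ \t]*alias[ \t]+[A-Za-z0-9_]+=/ {
            sub(/^[ \t]*alias[ \t]+/, ""); sub(/=.*/, ""); print
         }' "$1" |
    while IFS= read -r name; do
        if command -v "$name" >/dev/null 2>&1; then printf '%s\n' "$name"; fi
    done
}

tmp=$(mktemp -d)
# constructed ~/.bash_aliases: three aliases from the post plus one that shadows ls
cat > "$tmp/bash_aliases" <<'EOF'
# current listening ports..
alias lports='lsof -Pni4 | grep LISTEN'
alias rsr='source ~/.bash_profile'
alias fnd='find "$(pwd -P)" -name'
alias ls='ls --color=auto'
EOF

echo "alias names that shadow an existing command:"
alias_clashes "$tmp/bash_aliases"
```

Shadowing ls on purpose is common enough; the script only reports the clash, deciding whether it is intentional is up to you.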
Why can't I sftp?
This was a strange one. ssh worked fine, but sftp didn't work at all. It would authenticate just fine, but right before the directory listing it would get stuck.
I recall that back in the day, .bashrc commands printing to the console could do this. Removing all echos and such confirms that this is the issue. But surely these days they both use the same process on the server, right?
Wrong! For some reason, my CentOS was set up to use the external sftp-server binary instead of the internal-sftp, which among other benefits doesn't read the .bashrc or /etc/motd files.
In /etc/ssh/sshd_config switch the line that reads..
Subsystem sftp /usr/libexec/openssh/sftp-server
To instead read..
Subsystem sftp internal-sftp
Restart your sshd. Done. Or rather..
The absolutely totally only way to restart your ssh server
- Restart your ssh server and LEAVE THE CONSOLE WINDOW OPEN!
- Test your login in a fresh console.
- If it works, you are good to go. If not, your original console window is open, and you can fix the issue immediately.
- Repeat until sshd is working 100% ALWAYS WITH YOUR ORIGINAL CONSOLE OPEN.
I've made some monumentally stupid mistakes in a live Linux environment over the years, but I've yet to make this one! Being locked out of your own server is no fun**. Fortunately sshd will, by default, only apply configuration changes to new connexions, so as long as you keep your original connexion open, you can edit your sshd_config to your heart's content.
NOTE: If you rely on login shells to prevent certain users from accessing via sftp (or run your sftp binary with sudo), you will need to come up with another solution..
In that case, you could move any command that prints to the console from your .bashrc to your .bash_profile, which isn't read during sftp logins or, a nice solution I found at the top of the (now deleted) Ubuntu server .bashrc..
# If not running interactively, do nothing..
[ -z "$PS1" ] && return
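Added example (mine, not from the original post) covering both the sshd_config fix and the .bashrc guard above: one function reports which sftp handler an sshd_config-style file names, the other sources an rc file in a non-interactive bash, the way a login through the external sftp-server does, and reports whether anything got printed. The config and rc files it checks are constructed in a temp directory; on a real server the paths are /etc/ssh/sshd_config and ~/.bashrc.

```shell
#!/bin/sh
# Added example, not from the original post: two checks for the "sftp stalls
# before the directory listing" problem. All sample files are constructed here.

# Print the handler named on the "Subsystem sftp" line of an sshd_config-style
# file: "internal-sftp" is the recommended setting, anything else is the external binary.
sftp_subsystem() {
    awk '$1 == "Subsystem" && $2 == "sftp" { print $3; exit }' "$1"
}

# Return 0 if sourcing the given rc file in a non-interactive bash (which is what
# a login via the external sftp-server does) produces no output at all, else 1.
rc_is_silent() {
    out=$(bash -c 'unset PS1; . "$1"' _ "$1" 2>&1)
    [ -z "$out" ]
}

tmp=$(mktemp -d)

# sshd_config as found on the author's CentOS (external binary) and as fixed
printf 'Port 22\nSubsystem sftp /usr/libexec/openssh/sftp-server\n' > "$tmp/sshd_config.before"
printf 'Port 22\nSubsystem sftp internal-sftp\n' > "$tmp/sshd_config.after"

# a chatty .bashrc: the echo is what makes sftp hang before the directory listing
cat > "$tmp/bashrc.noisy" <<'EOF'
echo "Welcome back, root!"
alias lports='lsof -Pni4 | grep LISTEN'
EOF

# the same .bashrc with the Ubuntu-style guard at the top
cat > "$tmp/bashrc.guarded" <<'EOF'
# If not running interactively, do nothing..
[ -z "$PS1" ] && return
echo "Welcome back, root!"
alias lports='lsof -Pni4 | grep LISTEN'
EOF

for f in "$tmp/sshd_config.before" "$tmp/sshd_config.after"; do
    printf '%s: sftp handler is %s\n' "${f##*/}" "$(sftp_subsystem "$f")"
done
for f in "$tmp/bashrc.noisy" "$tmp/bashrc.guarded"; do
    if rc_is_silent "$f"; then echo "${f##*/}: silent, safe for sftp"
    else echo "${f##*/}: prints output, will stall sftp"; fi
done
```

Before restarting the real sshd after editing its config, sshd -t checks the file for syntax errors, which goes nicely with the keep-the-console-open routine above.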
In case you haven't noticed already, many of the above links lead to "man" pages. "man" is short for "manual", as in RTFM.
When you install a program..
# Now this is handy..
yum install tmpwatch
.. you can straight away access its manual page..
man tmpwatch
So that you can learn how to use the program.
All UNIX/Linux/BSD/OSX/etc. operating systems use this convention and if you are new to *nix and aren't using man many times a day, something is wrong.
I like to see my man pages in my browser..
https://autoconfig.corz.org/man
You can put this on your own server for easy access to manuals specific to your own system.
The simple PHP code for this facility is on-site, here.
I'll add more as I go along..