Replacing a Host Key

Host keys are used to security log into remote servers (such as Virtual Private Servers – VPS). With Ubuntu if you are using host keys to sign into servers securely and have asked for strict checking, if you make a change (such as rebuilding your VPS) the host key will change and you cannot login and will get a message like:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is

Please contact your system administrator.

RSA host key for 128.0.0.128 has changed and you have requested strict checking.
Host key verification failed.

if that happens you need to remove your local host key. Then you can sign back in and you will be able to save a new copy of the host key. If you don’t know why the key has changed you should figure that out first as it maybe be an indication of an important security problem. To remove you local key, you can use ssh-keygen -R [ip address of server with the bad key] for example: ssh-keygen -R 128.0.0.128

Then when you try to sign in you will get

The authenticity of host '128.0.0.128 (128.0.0.128)' can't be established.

RSA key fingerprint is ed:...:ea.
Are you sure you want to continue connecting (yes/no)?

And if you know why (such as you made changes to the server) you can say yes and connect and save the new known host key.

Managing Users in Ubuntu

add a user: sudo adduser [newuser]

sudo adduser john

then give password, and setup home folder,when prompted

edit the list of super users

visudo

list users

cat /etc/passwd

change password of a user – sudo passwd [username]

sudo passwd john

to change your password you can just use sudo passwd.

delete user

sudo deluser username

This will not delete the home folder (and subfolder) those must be dealt with separately. A new user created with the old user name would have access to those files.

temporarily lock a user account – Simply locking a user account will not prevent a user from logging into your server remotely if they have previously set up RSA public key authentication.

sudo passwd -l username

To unlock the account

sudo passwd -u username

Groups

Groups are used in to control permissions (see file permissions)
add user to a group
usermod -G [group-name] [username]

usermod -G basketball john

using the -G switch ads the group as a supplemental group. Using -g would make the group that users primary group.

see what groups a user is in

id john

add a new group: groupadd [new_group_name]

groupadd ruby_developers

Basic MySQL Performance Monitoring

Basic MySQL Performance Monitoring

regular Ubuntu cli tools

  • mysqladmin status – mysqladmin status -uroot -p

MySQL command line interface tools

mysql -uroot -p

to open the command line.

SHOW GLOBAL STATUS;
SHOW ENGINE INNODB STATUS;
SHOW PROCESSLIST;
SHOW GLOBAL STATUS LIKE 'Qcache_%';

cli tools

  • mytop – top for MySQL. Install using: sudo apt-get install mytop (assuming Ubuntu operating system). There is a very useful setting file that can be used to set parameters instead of having to include them in each command. Save the file as ~/.mytop.
  • MySQLTuner – provides suggestions on performance improvements and my.cnf settings by analyzing data on your mysql database server.

Setting considerations

  • If Open_tables (SHOW GLOBAL STATUS will show this) is equal to your
    table_cache size

    (set in /etc/mysql/my.cnf) that means it is being capped by your setting. The more MySQL has to read the table from disk the more IO and slower response, so if you have available RAM increasing the table_cache size may well make a big difference.

  • Key_reads/Key_read_request ratio should normally be < 0.01 (per MySQL manual, this means that nearly all key requests are taken from RAM). You can get both values using SHOW GLOBAL STATUS and then calculate the ratio. If the ratio is too high, consider increasing the key_buffer (in /etc/mysql/my.sql).
  • key_writes/key_writes_request should normally be near 1 (per MySQL manual)

Phusion Passenger Tips and Troubleshooting Ideas

Some tips and troubleshooting ideas for Phusion Passenger

Phusion Passenger manages resources for rails applications – spawning new instances as needed, etc..

  • passenger-status

    – provide the status of passenger rails processes

Configuring Phusion Passenger

Add lines to /etc/apache2/apache2.conf to change the default settings

  • PassengerMaxPoolSize 10

    – maximum number of total rails application instances, the default is 6

  • PassengerMaxInstancesPerApp 5 – sets the maximum pool size for any 1 rails application to 10 instances (default is no limit).
  • PassengerUseGlobalQueue ON

    – sets globaly queing on, it is off by default. You want globaly queuing on if your requests have large differences in response times (slow and fast responses).

Related: Passenger documentation

Troubleshooting

If you try

sudo passenger-status

and get something like
*** ERROR: Cannot query status for Passenger instance 2280:
Connection refused – /tmp/passenger.2280/info/status.socket
Restarting (not reloading) apache

sudo /etc/init.d/apache2 restart

may fix the problem.

System Monitoring Tools for VPS

Tools for monitoring performance and troubleshooting Ubuntu VPS web servers

  • Munin – graphs of system resources over time. Very nice. Can be a bit difficult to setup.
  • top – system stats
  • iotop – like top, but for io stats. Install
    sudo apt-get install iotop

    Useful setup

    iotop -b -o -d 30 -t

    -b (batch – so you can keep a running tally of results) -o (only those processes with io) -d (delay and seconds – how often to print out stats) -t (include time in printout)

  • vmstat – stats on memory, io, swap, cpu and system. Example:
    vmstat 10

    (prints out stats every ten seconds.

  • iostat

Error logs

  • sudo nano /var/log/apache2/error.log

Apache web server access log statistics

  • Webalizer –
    sudo apt-get install webalizer

    GeoIP is required for webalizer

    sudo apt-get install geoip-bin

    detailed instructions

Linux/Ubuntu File and Directory Permissions

Linux (and therefore Ubuntu) has file permissions on each file and directory for the owner, group and everyone else. Those permissions determine if the file can be viewed, executed or edited.

Only the owner of a file or directory (or a privileged user, root for example) may change its mode.

Ownership of a file

To change the ownership of the file or directory: chown new_owner_username directory

chown john public_html

to change the ownership of directory (and all the files and folders in the directory) and also the group: chown -R new_owner_username:new_groupname directory

chown -R john:developers public_html

to change the ownership of all the files in the current directory and also the group: chown -R new_owner_username:new_groupname *

chown john:developers *

File permissions

The easiest way to set Linux file permissions is using a 3 digit sequence. The first digit designates owner permission; the second, the group permission; and the third, everyone else’s permission.

Read = 4
Write = 2
Execute = 1

The digit is the sum of those. So if you want to grant only read permission you use 4; read and execute 5; read, write and execute = 7.

chmod 775 index.html

That will set the permissions on index.html so the owner, and a user in the group specified can read, write and execute the file and everyone else can read and execute.

chmod -R 755 public_html

That will set the permissions on files and directories (recursively through all subdirectories) so the owner can read, write and execute; members of the group and everyone else can read and execute (but not write).

ls - l

That will give you a list of files and directories, in a directory, with the owner and group settings and the permissions for all 3 (those 2 and everyone else), which will look something like:

-rw-r--r-- 1 root developers   397 2008-05-25 20:33 index.html
-rw-r--r-- 1 mary developers  9177 2010-05-02 22:18 unix_file_permissions.html
...

The lines start with the permissions for the owner, group and then everyone else. There are 9 total characters, 3 for each. Taking the top line above:

rw-r--r--
rw-  (means the owner has read and write permission but not execute)
r--  (means the group has only read permission)
r--  (means everyone else has only read permission)

The next column tells you the number of hard links to the file or directory. Then column tells you the owner, then the group. Then the byte size of the file, the date it was last change and then the file name.

root
means the username of this file is named root

developers
group (means those users in the group named developers have the group permissions indicated)

Related: Ubuntu command line interface syntax examples

Using the Host File in Ubuntu

You can use the host file to have your computer route to whatever addresses you desire (instead of using your nameserver). For example, by putting

sudo nano /etc/hosts

Then add a line to the file with the ip address and the name you will use.

204.11.50.136 wastetime

One useful way to use this is to test out a website on a new host prior to changing the nameserver to point to the new host. In this case, if you want to make sure your host file is being read you can ping wastetime and if it is working it will show the results for a ping to 204.11.50.136

Using scp (secure copy) to Copy Files Between Computers

Copy a file from your local computer to a remote host using secure copy, scp (which uses ssh for data transfer and provides the same security as using ssh).

scp [filename] [username]@remotehost:[location]

scp file_to_copy.txt username@example.net:/some/remote/directory

copy a directory to your home computer from the remote computer.

scp -r directory_to_copy username@example.net:

copy a directory from a remote server to the current directory on your computer.

scp -r folder [username]@remotehost:[location] .

scp -r username@example.net:/some/remote/directory .

If you don’t have automated keys setup you will be asked for the password for that user.

An example for copying a MySQL database. Including the : without a location puts the file in the home folder.

mysqldump database_name -uroot > database_dump.sql
scp database_dump.sql user@example.net:

Then ssh into the remote server and open the mysql prompt

mysql -uroot -p
 mysql> create database database_name;
 mysql> exit

Then run the mysqldump file

mysql database_name -uuser -p < database_dump.sql

Remember to create the database user on the new machine (this has to match what is in the wp-config.php file).

Ubuntu/Linux cli syntax

Command line interface syntax for various actions

Make new directory, make [directory_name]

sudo mkdir new_directory

Remove (file or directory)

rm [name]

rm -i file_to_remove.txt

Using -i prompts you to confirm the deletion.
Remove directory and all of its contents without having to confirm. Obviously be careful.
[/bash]sudo rm -r directory_to_remove[/bash]

Move a file

mv [name] [new_location]

mv file.txt new_sub_directory/file.txt

Rename a file (similar to moving)
mv [name] [new_name]

mv file.txt new_file_name.txt

Copy a fold

cp -r [folder]/* [new_location]

cp -r folder/* /some_place/else/

Keep ssh sessions live

If you want to stop your SSH sessions from being shut down you can add the following line to /etc/ssh/ssh_config on your local machine.

sudo gedit /etc/ssh/ssh_config

Then add:

ServerAliveInterval 30

This does remove the security feature of closing your session in case you leave your computer, but you may decide to take that risk. This sends a SSH package every 30 seconds so your server doesn’t close the connection due to inactivity.

Edit DNS Name Server

Set the DNS name server to use for your machine.

sudo nano /etc/resolv.conf

Then you can use for example (8.8.8.8 is Google public DNS, 208.67.222.222 is OpenDNS):

nameserver 208.67.222.222
nameserver 8.8.8.8
sudo lshw

will provide infor on your system, CPU types, 32 v 64 bit…

Checklist: Moving WordPress site to a New Host

Checklist for moving an existing WordPress site to a new web host

A checklist for moving an existing WordPress site to a new VPS web host, when you have full admin rights over the server.

  1. Set DNS TTL’s down to 5 minutes (a few days prior to the move). This will allow the nameserver update to propagate more quickly.
  2. Set up new domain on the new host (Checklist for setting up a new domain on your VPS)
  3. Install WordPress on new host
  4. Copy old content directory to new WordPress host
  5. Copy old database to new host (how to use secure copy to copy database to new server)
  6. Update wp-config on new host
  7. Enable mod_rewrite in Apache on the new server. From the command line:
  8. a2enmod rewrite

  9. Restart apache
    /etc/init.d/apache2 restart

  10. Test that everything works (you can change your host file to test things out easily)
  11. Update registrar to point domain to the nameservers for the new host

Related: create a new database and run .sql fileDisplay text based on if it is the WordPress blog home page

If WordPress is up to date you could also just copy over everything for steps 1 and 2. I am using this for several sites I have had for years, I figure starting with a clean install of WordPress is a good idea, but it is not necessary.