TommyBs's questions

I'm currently trying to set-up VSFTPD on an ubuntu 16.04 server and I want to use FTPS (Ideally I would use SFTP but unfortunately I'm constrained by a legacy system)

I've managed to set it up using the default config and no TLS and I can connect fine via filezilla.Though for the past 2 days I've been trying to enable TLS and no amount of questions on SE or elsewhere seem to lead to a positive result.

My certificate details in the vsftpd.conf file are like below:

rsa_cert_file=/path/to/fullchain.pem
rsa_private_key_file=/path/to/privkey.pem
allow_anon_ssl=NO
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES

However I can no longer connect with the following shown in the filezilla console:

Status:         Verifying certificate...
Status:         TLS connection established.
Status:         Server does not support non-ASCII characters.
Status:         Logged in
Status:         Retrieving directory listing...
Status:         Server sent passive reply with unroutable address. Using server address instead.
Command:    LIST
Error:      Connection timed out after 20 seconds of inactivity
Error:      Failed to retrieve directory listing

This is my first time configuring VSFTPD so I've been following some tutorials online. They've also involved UFW and I've opened up the ports as shown.

I've also tried adding in the following lines to my vsftpd.conf file

  ssl_tlsv1=YES
  ssl_sslv2=NO
  ssl_sslv3=NO

  require_ssl_reuse=NO
  ssl_ciphers=HIGH

I've seen other posts mentioning the pasv_address option

so I've tried adding this to my config with the external IP of my server - please note it's hosted on Google Compute Engine and I've also updated my firewall rules in Compute to allow the same ports etc. that were specified in the tutorial. This too though does not work.

I can only assume it's something to do with ports/firewalls or other TLS options but I'm completely stumped. I guess it doesn't help that I have the google cloud network firewall and then ufw (though disabling ufw has no effect)

My ufw rules look as follows:

20/tcp                     ALLOW       Anywhere                  
21/tcp                     ALLOW       Anywhere                                   
990/tcp                    ALLOW       Anywhere                  
40000:50000/tcp            ALLOW       Anywhere 

and if anyone wants to know more the tutorial I followed was here: configuring-ftp-access

There doesn't appear to be any logs in vsftpd.log that would indicate an issue but turning on verbose logging in filezilla reveals the following:

Binding data connection source IP to control connection source IP 192.168.1.100

which I presume might be an issue as that looks like a local IP. Though I'm stumped how to fix this especially with as I also have the following in my vsftpd.conf file :

pasv_address=(EXTERNAL GOOGLE COMPUTE IP)

My Google Cloud firewall rules are :

IP ranges: 0.0.0.0/0
tcp:20-21   
Allow
1000
default

pass-ports
sftp    
IP ranges: 0.0.0.0/0
tcp:40000-50000

(these will be locked down IP wise eventually but even testing with all I can't get this working)

And also in my vsftpd.conf file I believe I added those ports as the ones to use via:

port_enable=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=41000

Update

I can now connect to this from the box itself using lftp and the following arguments

set ftp:ssl-force true

I connect via the domain name rather than IP as the cert is mapped to the domain so it won't work with the IP.

I can then create new directories etc via the command line. However if I try to do ls I get ls at 0 [Making data connection...] and it just hangs there. I also get an error via an external FTP client such as filezilla. This just times out at the LIST command

Command:    LIST
Error:          The data connection could not be established: ETIMEDOUT - Connection attempt timed out
Response:   425 Failed to establish connection.
Error:          Failed to retrieve directory listing
Error:          GnuTLS error -15: An unexpected TLS packet was received.
Status:         Disconnected from server: ECONNABORTED - Connection aborted

The only other info that I can think might be relevant is that the domain is port forwarded by NGINX to a node app. But I assume this should only do this for ports 80 and 443 so shouldn't be effecting port 21.

Does anyone have any ideas?

I've noticed recently that Samba is creating a large number of log files on my server which meant I couldn't create any new files as it had used up my inode count.

I cleaned up a large amount of old files and I thought I had set my logs to rotate every 3 days by editing my samba entry in /etc/logrotate.d

/var/log/samba/log.smbd {
        daily
        missingok
        rotate 3
        postrotate
                /etc/init.d/smbd reload > /dev/null
        endscript
        compress
        notifempty
}


/var/log/samba/log.nmbd {
        daily
        missingok
        rotate 3
        postrotate
                [ ! -f /var/run/samba/nmbd.pid ] || kill -HUP `cat /var/run/samba/nmbd.pid`
        endscript
        compress
        notifempty
}

However this doesn't seem to have had any effect and logs are retained until it seems I delete them.

Does Samba have it's own rotation setting somewhere? Am I ok just turning this off completely?

I didn't notice this until I updated from ubuntu 14 to 16.04 - but at the same time one of my web apps has increased in popularity considerably so it could just be I'm getting more traffic.

I recently updated an ubuntu 14 box to version 16.04. Everything appeared to go smoothly, however now I am unable to create any new mysql tables.

I'm signed into the ubuntu box as root and mysql as the root user. The error I receive when trying to create any table is:

ERROR 1005 (HY000): Can't create table 'foo' (errno: 122)

I've done some investigation and I'm lead to believe this is a disk quota error. As much as I understand mysql and some basic webserver bits, I'm not an expert in general ubuntu administration. I've run quota and it returns

Disk quotas for user root (uid 0): none

Is anyone able to advise what I need to do here to fix this? Thanks

Based on a comment I checked my syslog and I see

../../../../lib/isc/unix/file.c:347: unexpected error:
 unable to convert errno to isc_result: 122: Disk quota exceeded
 dumping master file: tmp-jaCquXzkj6: open: unexpected error
 CRON[32105]: (CRON) error (create tmpfile)
 CRON[32104]: (CRON) error (create tmpfile)

update this happened even when creating a simple table such as

  create table foo(id int);

But I've also noticed I get a quota error just trying to create a dir e.g

  mkdir test

  mkdir: cannot create directory 'test': Disk quota exceeded

I ran the df command and I get the following output

Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/vzfs       50000000 6390516  43609484  13% /
devtmpfs         1048576       0   1048576   0% /dev
tmpfs            1048576       0   1048576   0% /dev/shm
tmpfs            1048576  102008    946568  10% /run
tmpfs               5120       0      5120   0% /run/lock
tmpfs            1048576       0   1048576   0% /sys/fs/cgroup
none             1048576       0   1048576   0% /run/shm
tmpfs             209716       0    209716   0% /run/user/0

df -hi shows

df -hi
Filesystem     Inodes IUsed IFree IUse% Mounted on
/dev/vzfs        245K  245K     0  100% /
devtmpfs         256K    56  256K    1% /dev
tmpfs            256K     1  256K    1% /dev/shm
tmpfs            256K   411  256K    1% /run
tmpfs            256K     7  256K    1% /run/lock
tmpfs            256K    10  256K    1% /sys/fs/cgroup
none             256K     1  256K    1% /run/shm
tmpfs            256K     4  256K    1% /run/user/0

and quota -v

Disk quotas for user root (uid 0): 
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
      /dev/vzfs 5781580       0       0          218669       0       0  

I then deleted one tar.gz file and now df -ishows

Filesystem Inodes IUsed IFree IUse% Mounted on

/dev/vzfs      18446744069926773888 18446744069414834326 511939562  100% /
devtmpfs                     262144                   56    262088    1% /dev
tmpfs                        262144                    1    262143    1% /dev/shm
tmpfs                        262144                  410    261734    1% /run
tmpfs                        262144                    7    262137    1% /run/lock
tmpfs                        262144                   10    262134    1% /sys/fs/cgroup
none                         262144                    1    262143    1% /run/shm
tmpfs                        262144                    4    262140    1% /run/user/0

Can anyone explain what's going on and how can I fix this. The machine has plenty of space left, but for some reason the quota is full and I don't know enough about inodes to know how to resolve this and stop myself from hitting this error in the future (physical disk space permitting)

* EDIT 2 * Ok so after digging around I've managed to find this command du --inodes -d 3 / | sort -n | tail

which shows the following results

13136   /usr/lib
20145   /proc
26549   /usr/local/lib
29989   /usr/share
30239   /usr/local
78892   /usr
127929  /var/log/samba
128235  /var/log
145269  /var
259479  /

samba seems to be using a lot of space, but does anything else look out of the ordinary? I've removed a large number of node websites where node_modules where obviously using a fair amount of space but it's still not enough. I'm wondering if the update has resulted in a lot of redundant old packages, though apt-get remove hasn't cleared too much up.

I've changed my samba log rotation from weekly to daily so hopefully that will help

I've currently got a function in lambda that when invoked sends a message to a user who invoked it. 2 days later I would like to send a follow up message. All the code to send the actual messaging works fine.

I'm using Lambda due to the auto-scaling abilities, and ideally I want to avoid having to set-up a separate database to store the userId, timestamp of the original interaction (so I can work out the follow up time) and follow up message for 2 days later. The reason for this is due to scaling as I'm not sure when the peaks are going to be. This is a short frame project but it's expecting high engagement, but at unknown,varied times.

I'd initially thought about SNS to call another lambda function with the data, however, I've since discovered that SNS doesn't support scheduled messages. Ideally I'd also like not to involve polling another service. Are there any good solutions for this?

I realise not using a DB is a strong limitation and if I have to use one then I'll use one, but still not having to poll would be useful (I guess I could schedule a lambda function and create an index on the timestamp in dynamodb)

The docs for lightsail suggest that it can be connected to most AWS services.

Is it possible to have a load balancer distribute to different lightsail instances and to automatically launch new lightsail instances if I'm getting high traffic? Or is this purely designed for people testing things out, so if we want scaling we need to go the full EC2 route?

If this is possible can we also use Amazon SSL with the LB to force all traffic to these instances via https?

I recently created an ec2 server using some user-data to install various modules. This was a standalone instance without an associated IAM role and with a bog standard security group (allow port 80), everything about this instance worked fine.

Using exactly the same instance type and user-data I created another instance that used an existing security group associated with a load balancer (though the instance wasn't added to the load balancer) and with an associated IAM role and for the life of me I could not get the httpd service to start on it. Is this expected behaviour? I can't see anything different in how these instances were configured other than the security group and the IAM role. Would it be a case that because the 2nd instance wasn't behind the LB but it had the LBs security group that Apache refused to run, and that if I added it to the LB it would then start working?

I've been using Opsworks recently and am really impressed by the GIT integration to deploy apps across my server estate. But I have a requirement due to an external library to use PHP 5.4 > The Amazon Linux offering has PHP5.3 installed. Now I created a separate ec2 instance based off Amazon Linux and upgraded the PHP version,I actually used custom user data to accomplish this. I then saved this as a custom AMI. When I set this as the AMI to use in opsworks for an instance, there are errors starting the server that arise from conflicting versions of Apache etc. So it looks like my AMI was almost ignored, or that it built my AMI and used the custom data, and then tries to run the CHEF recipes. Then I believe it might actually be the Chef recipes failing to install what they need to hence the error.

I've tried doing the same thing with the Ubuntu AMI which uses PHP 5.5 by default but i've got separate issues with trying to enable mod_rewrite for my app directory on here. Though I am trying to work through this as well as a solution to my problem with the Amazon Linux AMI

So my question is, do the Chef recipes run after my user_data? Or would I in theory be able to uninstall every thing that Chef would install in my custom user_data and then my actual dependencies would be installed after? I'm not familiar enough with Chef at the moment to try and edit the default PHP-APP-Server recipe to do what I need ( I'm also not sure exactly what I need from the AWS GitHub repo to do this)

Or does anyone have any better ideas?

I've tried searching for an answer for this question, but I'm not sure if there is a specific term for it and so far I can't find any information.

If I had a popular app that consumed some web services, I would obviously use a load balancer to distribute the load across my services. In theory the end user is just hitting a hostname and this is resolved to the load balancer which then forwards these requests to a web service instance. If my web services then also made a call to another external/3rd party web service, would this 3rd party see the individual IP from the web server in question?

For example if the 3rd party web service said I had to provide 3 ip addresses and only these 3 could access their services how would this work bearing in mind I could have 6 instances behind my load balancer and any one of these could be required to make the request? As the request is made from an individual web server, I'm guessing it wouldn't 'go out' of the load balancer. Although this is quite a generic question, an example of how this might be set-up on AWS infrastructure would be useful

Thanks