Ticket #873 (new maintenance)
New Wordpress site please
| Reported by: | sam | Owned by: | chris |
|---|---|---|---|
| Priority: | major | Milestone: | Maintenance |
| Component: | Parrot server | Keywords: | |
| Cc: | ade | Estimated Number of Hours: | 0.0 |
| Add Hours to Ticket: | 0 | Billable?: | yes |
| Total Hours: | 1.95 | | |
Description
Hi Chris
I couldn't ssh into parrot for some reason, I think you said you created me a 'sam' user on there but I can't get in.
So could you set up a new Wordpress site on there.
wpdev.tn.org or similar, it's only going to be for testing some stuff so URL doesn't really matter.
Thanks
Sam
Attachments
Change History
comment:1 Changed 14 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.5
- Total Hours changed from 0.0 to 0.5
comment:2 Changed 14 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 0.5 to 0.6
The GANDI primary DNS server has now updated:
dig @A.DNS.GANDI.NET wpdev.transitionnetwork.org +short
81.95.52.43
It shouldn't take too long for other DNS servers to also update, but remember that browsers also cache DNS, this Firefox plugin is handy for this:
comment:3 Changed 14 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.15
- Total Hours changed from 0.6 to 0.75
Oops I forgot to change the SSL/TLS cert sym links:
cd /etc/ssl/wsh
rm wpdev.parrot.webarch.net-cert.pem ; ln -s ../transitionnetwork.org/transitionnetwork.org.crt wpdev.parrot.webarch.net-cert.pem
rm wpdev.parrot.webarch.net-key.pem ; ln -s ../transitionnetwork.org/transitionnetwork.org.key wpdev.parrot.webarch.net-key.pem
rm wpdev.parrot.webarch.net-root.pem ; ln -s ../transitionnetwork.org/gandi.pem wpdev.parrot.webarch.net-root.pem
apache2ctl configtest
Syntax OK
service apache2 restart
[....] Restarting web server: apache2 ... waiting ..........(98)Address already in use: make_sock: could not bind to address [::]:80
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
Action 'start' failed.
The Apache error log may have more information.
 failed!
service apache2 start
[....] Starting web server: apache2(98)Address already in use: make_sock: could not bind to address [::]:80
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
Action 'start' failed.
The Apache error log may have more information.
 failed!
killall -9 apache2
service apache2 start
[ ok ] Starting web server: apache2.
Phew!
So now the site is available with HTTPS:
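Comment 3 above shows two things going wrong at once: the per-site cert, key and root symlinks were left pointing at the wrong files, and the restart then failed because the old apache2 process was still holding port 80. The helper below is an added example and is not part of this ticket or of the Webarchitects tooling. It repoints a vhost's three links only after confirming each target resolves to a readable file, and lists any dangling `.pem` links so they can be spotted before `apache2ctl configtest`. The layout (one directory such as /etc/ssl/wsh holding links to ../<domain>/<file>, with names ending in -cert.pem, -key.pem and -root.pem) is taken from the ticket; the function names and the temporary paths and file contents used in demo() are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ticket: repoint a vhost's certificate
# symlinks without leaving a dangling link behind. Layout assumed from the
# ticket: links such as <vhost>-cert.pem live in one directory (/etc/ssl/wsh
# on ParrotServer) and point at ../<domain>/<file>. demo() uses a
# constructed temporary layout with placeholder file contents.

# link_cert_file LINK_DIR LINK_NAME TARGET
# Replace LINK_DIR/LINK_NAME with a symlink to TARGET, but only after
# resolving TARGET relative to LINK_DIR (as the kernel will) and checking
# that it is a readable file. Prints the resolved path; returns 1 and
# changes nothing if the target is missing.
link_cert_file() {
    ldir=$1; lname=$2; ltarget=$3
    case $ltarget in
        /*) resolved=$ltarget ;;
        *)  resolved=$ldir/$ltarget ;;
    esac
    if [ ! -f "$resolved" ] || [ ! -r "$resolved" ]; then
        echo "refusing to link $lname: $resolved is missing or unreadable" >&2
        return 1
    fi
    # -f replaces an existing link in place; -n stops ln descending into a
    # link that happens to point at a directory
    ln -sfn "$ltarget" "$ldir/$lname"
    echo "$resolved"
}

# switch_site_certs LINK_DIR VHOST DOMAIN_DIR CERT KEY CHAIN
# Repoint the three links Apache reads for one vhost (<vhost>-cert.pem,
# <vhost>-key.pem, <vhost>-root.pem). Stops at the first failure so a
# half-switched vhost is reported now rather than discovered at restart.
switch_site_certs() {
    sdir=$1; vhost=$2; ddir=$3
    link_cert_file "$sdir" "$vhost-cert.pem" "../$ddir/$4" >/dev/null || return 1
    link_cert_file "$sdir" "$vhost-key.pem"  "../$ddir/$5" >/dev/null || return 1
    link_cert_file "$sdir" "$vhost-root.pem" "../$ddir/$6" >/dev/null || return 1
}

# dangling_links LINK_DIR
# List .pem symlinks whose target does not resolve: the state that makes
# apache2ctl configtest fail for a site whose links were never updated.
dangling_links() {
    for f in "$1"/*.pem; do
        [ -L "$f" ] || continue
        [ -e "$f" ] || basename "$f"
    done
}

# Demo on a constructed temporary layout (no real certificate material).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/wsh" "$d/example.org"
    printf 'cert\n'  > "$d/example.org/example.org.crt"
    printf 'key\n'   > "$d/example.org/example.org.key"
    printf 'chain\n' > "$d/example.org/ca.pem"
    switch_site_certs "$d/wsh" site.example example.org example.org.crt example.org.key ca.pem
    ls -l "$d/wsh"
    echo "dangling: $(dangling_links "$d/wsh")"
    rm -rf "$d"
}
demo
```

Sourced on the server, `switch_site_certs /etc/ssl/wsh wpdev.parrot.webarch.net transitionnetwork.org transitionnetwork.org.crt transitionnetwork.org.key gandi.pem` followed by `dangling_links /etc/ssl/wsh` and `apache2ctl configtest` covers the steps in comment 3; a port-80 conflict on restart is a separate problem the link check does not touch.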
comment:4 Changed 14 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 0.75 to 1.0
Sam has reported that his IP address has been blocked, ParrotServer is running Deny Hosts which adds IP addresses to /etc/hosts.deny if there are too many failed login attempts, however Apache doesn't use /etc/hosts.deny and his IP isn't listed there... Also iptables blocked IP addresses are just for some that have been running brute force attacks against the server (see ticket:871):
iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  217.174.240.254      0.0.0.0/0
DROP       all  --  185.11.147.17        0.0.0.0/0
DROP       all  --  23.94.144.162        0.0.0.0/0
DROP       all  --  185.62.188.91        0.0.0.0/0
DROP       all  --  212.50.12.41         0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
So, this is puzzling... Sam can you double check your IP address? I have added the one that had all the failed ssh logins earlier to /etc/hosts.allow but as I said Apache doesn't use this and also you are not listed in /etc/hosts.deny... There is this page on ParrotServer for checking your IP (though this won't work if you can't access it..):
https://parrot.transitionnetwork.org/myip.shtml
I can't see why you can't access the server...
comment:5 follow-up: ↓ 6 Changed 14 months ago by sam
Hi Chris
Access to parrot is fine. It's Puffin I can't access. Sorry, should have been more clear..
Confirming IP is 46.33.157.98
Thanks
Sam
comment:6 in reply to: ↑ 5 Changed 14 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.35
- Total Hours changed from 1.0 to 1.35
Replying to sam:
Access to parrot is fine. It's Puffin I can't access.
Sorry should have been more clear..
No it was my fault, your email was clear, I scanned it too quickly and assumed the issue was with ParrotServer due to previous problems.
Following wiki:PuffinServer#Falsepositives :
csf -g XX.XX.XX.XX

Chain            num   pkts bytes target     prot opt in     out     source               destination
DENYIN           98       0     0 DROP       all  --  !lo    *       XX.XX.XX.XX          0.0.0.0/0
DENYOUT          98       0     0 LOGDROPOUT all  --  *      !lo     0.0.0.0/0            XX.XX.XX.XX

csf.deny: XX.XX.XX.XX # lfd: (sshd) Failed SSH login from XX.XX.XX.XX (GB/United Kingdom/-): 5 in the last 300 secs - Tue Sep 22 12:52:06 2015

csf -dr XX.XX.XX.XX
Removing rule...
DROP  all opt -- in !lo out * XX.XX.XX.XX -> 0.0.0.0/0
LOGDROPOUT  all opt -- in * out !lo 0.0.0.0/0 -> XX.XX.XX.XX

csf -dr XX.XX.XX.XX
Removing rule...
DROP  all opt -- in !lo out * XX.XX.XX.XX -> 0.0.0.0/0
LOGDROPOUT  all opt -- in * out !lo 0.0.0.0/0 -> XX.XX.XX.XX

csf -g XX.XX.XX.XX

Chain            num   pkts bytes target     prot opt in     out     source               destination
No matches found for XX.XX.XX.XX in iptables
Looking in the auth.log you have had failed passwd attempts:
grep XX.XX.XX.XX /var/log/auth.log
Sep 22 12:50:55 puffin sshd[29346]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX user=sam
Sep 22 12:50:57 puffin sshd[29346]: Failed password for sam from XX.XX.XX.XX port 49332 ssh2
Sep 22 12:51:08 puffin sshd[29346]: Failed password for sam from XX.XX.XX.XX port 49332 ssh2
Sep 22 12:51:24 puffin sshd[29346]: Failed password for sam from XX.XX.XX.XX port 49332 ssh2
Sep 22 12:51:24 puffin sshd[29346]: Connection closed by XX.XX.XX.XX [preauth]
Sep 22 12:51:24 puffin sshd[29346]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX user=sam
Sep 22 12:52:04 puffin sshd[31294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX user=sam
Sep 22 12:52:06 puffin sshd[31294]: Failed password for sam from XX.XX.XX.XX port 49336 ssh2
But you have an ssh public key installed, does this need updating?
comment:7 follow-up: ↓ 8 Changed 13 months ago by sam
Hi Chris
I'd like to get SSH working on this box again.
The fingerprint for the key I now have is e7:84:95:0a:5d:30:79:3a:ea:2a:67:2b:f9:bf:2d:7d
Is that the one you have?
It's associated with sam@…
Is there any other info you need to get it working?
Thanks
Sam
comment:8 in reply to: ↑ 7 Changed 13 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.15
- Total Hours changed from 1.35 to 1.5
Replying to sam:
The fingerprint for the key I now have is e7:84:95:0a:5d:30:79:3a:ea:2a:67:2b:f9:bf:2d:7d
Is that the one you have?
Seems not:
ssh-keygen -lf /home/sam/.ssh/authorized_keys
2048 d0:73:e1:80:75:62:ab:24:f2:63:95:2d:74:75:d0:3d sam@bristolwireless.net (RSA)
Can you let me have you new public key please so I can add it to ParrotServer and PuffinServer?
comment:9 Changed 13 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 1.5 to 1.6
I have updated your public keys on both servers:
ssh-keygen -lf /home/sam/.ssh/authorized_keys
2048 e7:84:95:0a:5d:30:79:3a:ea:2a:67:2b:f9:bf:2d:7d sam@bristolwireless.net (RSA)
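Comments 7 to 9 resolve the access problem by comparing the fingerprint of the key Sam has with the one in his authorized_keys. The functions below are an added example, not code from the ticket or from OpenSSH. They reproduce the colon-separated MD5 fingerprint that `ssh-keygen -lf` printed on these servers directly from an authorized_keys line (MD5 of the base64-decoded key blob, ignoring options and comment), list every installed key like `ssh-keygen -lf` does, and check whether a quoted fingerprint matches any installed key. The key blobs written by write_sample_authorized_keys are constructed (base64 of short strings, not real keys) so the arithmetic can be checked by hand; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ticket: derive the MD5 fingerprint that
# "ssh-keygen -lf" prints from an authorized_keys line and match it against
# a fingerprint a user quotes. Sample blobs are constructed, not real keys.

# key_blob LINE: the base64 key material from an authorized_keys line,
# skipping any leading options such as "no-pty,from=..."
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/) { print $(i + 1); exit }
    }'
}

# md5_fingerprint LINE: MD5 of the decoded blob, formatted aa:bb:cc:...
md5_fingerprint() {
    key_blob "$1" | base64 -d | md5sum | awk '{ print $1 }' | sed 's/../&:/g; s/:$//'
}

# list_fingerprints FILE: "<fingerprint> <comment>" per key, like ssh-keygen -lf
list_fingerprints() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        printf '%s %s\n' "$(md5_fingerprint "$line")" "${line##* }"
    done < "$1"
}

# key_in_authorized_keys EXPECTED_FP FILE
# Prints the comment of the installed key whose fingerprint equals
# EXPECTED_FP and returns 0; returns 1 if no installed key matches, which
# is what the servers looked like before the new key was added.
key_in_authorized_keys() {
    list_fingerprints "$2" | awk -v want="$1" '$1 == want { print $2; found = 1 } END { exit !found }'
}

# write_sample_authorized_keys FILE: constructed sample file
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample: blobs are base64("abc") and base64("xyz"), not real keys
ssh-rsa YWJj constructed-new@example
no-pty,no-agent-forwarding ssh-ed25519 eHl6 constructed-old@example
EOF
}

# Demo: fingerprint of the sample keys and a lookup of one of them
demo() {
    f=$(mktemp)
    write_sample_authorized_keys "$f"
    list_fingerprints "$f"
    key_in_authorized_keys 90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72 "$f" || echo "no match"
    rm -f "$f"
}
demo
```

Against a real file, `key_in_authorized_keys e7:84:95:0a:5d:30:79:3a:ea:2a:67:2b:f9:bf:2d:7d /home/sam/.ssh/authorized_keys` answers the question asked in comment 7. Newer OpenSSH prints SHA256 fingerprints by default; `ssh-keygen -lf FILE -E md5` gives the colon form used here.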
comment:10 follow-up: ↓ 11 Changed 13 months ago by sam
Hi Chris
This SSH isn't working (Probably my fault)
Could you set up a new Wordpress site please; cop21.transitionnetwork.org
We can try and get SSH working afterwards, but just getting the site up would be great.
Thanks
Sam
comment:11 in reply to: ↑ 10 Changed 13 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.25
- Total Hours changed from 1.6 to 1.85
Replying to sam:
This SSH isn't working (Probably my fault)
You don't appear to be using your ssh private key?
grep sam /var/log/auth.log.1
Oct 15 15:33:14 parrot sshd[24607]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX user=sam
Oct 15 15:33:17 parrot sshd[24607]: Failed password for sam from XX.XX.XX.XX port 60744 ssh2
Could you set up a new Wordpress site please; cop21.transitionnetwork.org
We can try and get SSH working afterwards, but just getting the site up would be great.
I have added the sub-domain at Gandi, run:
curses-create-user
Edited /root/webarch/accounts/sites.txt to:
cop21 default cop21.parrot.webarch.net cop21.parrot.transitionnetwork.org,cop21.transitionnetwork.org
Run:
buildapache cop21
Change the domain name for the site:
su - cop21 -s /bin/bash
cd sites/default
wp search-replace "cop21.parrot.webarch.net" "cop21.transitionnetwork.org"
+------------------+-----------------------+--------------+------+
| Table            | Column                | Replacements | Type |
+------------------+-----------------------+--------------+------+
| wp_options       | option_value          | 3            | PHP  |
| wp_posts         | post_content          | 1            | SQL  |
| wp_posts         | guid                  | 3            | SQL  |
+------------------+-----------------------+--------------+------+
Success: Made 7 replacements.
Change the SSL key / cert for the site:
cd /etc/ssl/wsh/
rm cop21.parrot.webarch.net-cert.pem ; ln -s ../transitionnetwork.org/transitionnetwork.org.crt cop21.parrot.webarch.net-cert.pem
rm cop21.parrot.webarch.net-key.pem ; ln -s ../transitionnetwork.org/transitionnetwork.org.key cop21.parrot.webarch.net-key.pem
apache2ctl configtest
apache2ctl restart
So once the DNS has updated it is all up and running (you can test it before this via a ssh tunnel to ParrotServer or by editing your /etc/hosts file).
Sam -- I could setup Piwik stats for this site if you would like?
Anything else need doing?
comment:12 Changed 13 months ago by chris
The Gandi DNS servers have updated now:
dig @a.dns.gandi.net cop21.transitionnetwork.org +short
81.95.52.43
comment:13 follow-up: ↓ 14 Changed 13 months ago by sam
Thanks Chris.
I'm not getting access to the Admin interface on that URL: http://cop21.transitionnetwork.org/wp-admin
Thanks
Sam
comment:14 in reply to: ↑ 13 Changed 13 months ago by chris
Replying to sam:
I'm not getting access to the Admin interface on that URL:
Login here (assuming your DNS servers have updated):
comment:15 Changed 13 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 1.85 to 1.95
The site appears like this for me:
So I tried adding this to a ~/sites/default/.htaccess file:
# Redirect HTTP to HTTPS
# https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</IfModule>

# STS Header
# https://stackoverflow.com/questions/24144552/how-to-set-hsts-header-from-htaccess-only-on-https
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
But that hasn't solved it, so I ran this update on the database:
su - cop21 -s /bin/bash
cd sites/default
wp search-replace "http://cop21.transitionnetwork.org" "https://cop21.transitionnetwork.org"
+------------------+-----------------------+--------------+------+
| Table            | Column                | Replacements | Type |
+------------------+-----------------------+--------------+------+
| wp_options       | option_value          | 3            | PHP  |
| wp_posts         | post_content          | 1            | SQL  |
| wp_posts         | guid                  | 5            | SQL  |
+------------------+-----------------------+--------------+------+
Success: Made 9 replacements.
And now the site displays with images -- sorry not to have fixed that sooner.
Looking at /var/log/auth.log the reason you couldn't ssh in is because you got the password wrong:
The server does have your ssh public key installed so you shouldn't need to use a password to login...
Following the notes at wiki:ParrotServer#AddingaNewWordPressSite
So the root GPG key has expired and this caused the email notifications to fail, I'll get that sorted for next time.
The transitionnetwork.org zone file was updated to add:
And /root/webarch/accounts/sites.txt was edited:
The apache config was recreated:
The site URL was updated:
A ~/sites/default/.htaccess file was created containing:
As per https://docs.webarch.net/wiki/HTAccess#Enforcing_HTTPS to ensure that HTTPS is used to access the site.
But we need to wait for the DNS to update before this will work:
Because the wild card entry means that the sub-domain points to PuffinServer not ParrotServer:
This should update soon... but the Gandi servers haven't updated yet:
Copying Sam's ssh key to the new wpdev account:
Sam -- you should be able to login via SFTP to the wpdev account and / or your sam account using your ssh private key and then you can get the MySQL password from /home/wpdev/sites/default/wp-config.php for using with phpMyAdmin.
To get the WordPress password reset (as the email perhaps wasn't sent with the password?) you can use this URL once the DNS has updated:
I think that is all I need to do?