Ticket #873 (new maintenance)

Opened 14 months ago

Last modified 13 months ago

New Wordpress site please

Reported by: sam Owned by: chris
Priority: major Milestone: Maintenance
Component: Parrot server Keywords:
Cc: ade Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 1.95

Description

Hi Chris

I couldn't ssh into parrot for some reason, I think you said you created me a 'sam' user on there but I can't get in.

So could you set up a new Wordpress site on there.

wpdev.tn.org or similar, it's only going to be for testing some stuff so URL doesn't really matter.

Thanks

Sam

Attachments

cop21.png (12.3 KB) - added by chris 13 months ago.

Change History

comment:1 Changed 14 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 0.0 to 0.5

Looking at /var/log/auth.log the reason you couldn't ssh in is because you got the password wrong:

Sep 22 13:20:22 parrot sshd[22277]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=sam
Sep 22 13:20:24 parrot sshd[22277]: Failed password for sam from XX.XX.XX.XX port 60655 ssh2
Sep 22 13:20:31 parrot sshd[22277]: Failed password for sam from XX.XX.XX.XX port 60655 ssh2
Sep 22 13:20:33 parrot sshd[22277]: Failed password for sam from XX.XX.XX.XX port 60655 ssh2
Sep 22 13:20:33 parrot sshd[22277]: Connection closed by XX.XX.XX.XX [preauth]

The server does have your ssh public key installed so you shouldn't need to use a password to login...

Following the notes at wiki:ParrotServer#AddingaNewWordPressSite

curses-create-user
  gpg: no default secret key: unusable secret key
  gpg: [stdin]: clearsign failed: unusable secret key

So the root GPG key has expired and this caused the email notifications to fail, I'll get that sorted for next time.

The transitionnetwork.org zone file was updated to add:

wpdev 3600 IN A 81.95.52.43

And /root/webarch/accounts/sites.txt was edited:

wpdev default wpdev.parrot.webarch.net wpdev.parrot.transitionnetwork.org,wpdev.transitionnetwork.org

The apache config was recreated:

buildapache wpdev

The site URL was updated:

su - wpdev -s /bin/bash
source /etc/bash_completion.d/wp
cd sites/default/
wp search-replace "wpdev.parrot.webarch.net" "wpdev.transitionnetwork.org"

+------------------+-----------------------+--------------+------+
| Table            | Column                | Replacements | Type |
+------------------+-----------------------+--------------+------+
| wp_options       | option_value          | 3            | PHP  |
| wp_posts         | post_content          | 1            | SQL  |
| wp_posts         | guid                  | 2            | SQL  |
+------------------+-----------------------+--------------+------+
Success: Made 6 replacements.

wp search-replace "http://wpdev.transitionnetwork.org" "https://wpdev.transitionnetwork.org"
+------------------+-----------------------+--------------+------+
| Table            | Column                | Replacements | Type |
+------------------+-----------------------+--------------+------+
| wp_options       | option_value          | 2            | PHP  |
| wp_posts         | post_content          | 1            | SQL  |
| wp_posts         | guid                  | 2            | SQL  |
+------------------+-----------------------+--------------+------+
Success: Made 5 replacements.

A ~/sites/default/.htaccess file was created containing:

# Redirect HTTP to HTTPS
# https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</IfModule>
 
# STS Header
# https://stackoverflow.com/questions/24144552/how-to-set-hsts-header-from-htaccess-only-on-https
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

As per https://docs.webarch.net/wiki/HTAccess#Enforcing_HTTPS, to ensure that HTTPS is used to access the site.

But we need to wait for the DNS to update before this will work:

Because the wild card entry means that the sub-domain points to PuffinServer not ParrotServer:

dig wpdev.transitionnetwork.org +short
81.95.52.103

This should update soon... but the Gandi servers haven't updated yet:

dig @A.DNS.GANDI.NET wpdev.transitionnetwork.org +short
81.95.52.103

Copying Sam's ssh key to the new wpdev account:

cp -a /home/sam/.ssh/ /home/wpdev/
chown -R wpdev:wpdev -R /home/wpdev/.ssh/

Sam -- you should be able to login via SFTP to the wpdev account and / or your sam account using your ssh private key and then you can get the MySQL password from /home/wpdev/sites/default/wp-config.php for using with phpMyAdmin.

To get the WordPress password reset (as the email perhaps wasn't sent with the password?) you can use this URL once the DNS has updated:

I think that is all I need to do?

comment:2 Changed 14 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.5 to 0.6

The GANDI primary DNS server has now updated:

dig @A.DNS.GANDI.NET wpdev.transitionnetwork.org +short
81.95.52.43

It shouldn't take too long for other DNS servers to also update, but remember that browsers also cache DNS, this Firefox plugin is handy for this:

comment:3 Changed 14 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.15
  • Total Hours changed from 0.6 to 0.75

Oops I forgot to change the SSL/TLS cert sym links:

cd /etc/ssl/wsh
rm wpdev.parrot.webarch.net-cert.pem ; ln -s ../transitionnetwork.org/transitionnetwork.org.crt wpdev.parrot.webarch.net-cert.pem
rm wpdev.parrot.webarch.net-key.pem ; ln -s ../transitionnetwork.org/transitionnetwork.org.key wpdev.parrot.webarch.net-key.pem
rm wpdev.parrot.webarch.net-root.pem ; ln -s ../transitionnetwork.org/gandi.pem wpdev.parrot.webarch.net-root.pem
apache2ctl configtest
  Syntax OK
service apache2 restart
  [....] Restarting web server: apache2 ... waiting ..........(98)Address already in use: make_sock: could not bind to address [::]:80
  (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
  no listening sockets available, shutting down
  Unable to open logs
  Action 'start' failed.
  The Apache error log may have more information.
   failed!
service apache2 start
  [....] Starting web server: apache2(98)Address already in use: make_sock: could not bind to address [::]:80
  (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
  no listening sockets available, shutting down
  Unable to open logs
  Action 'start' failed.
  The Apache error log may have more information.
   failed!
killall -9 apache2
service apache2 start
  [ ok ] Starting web server: apache2.

Phew!

So now the site is available with HTTPS:

comment:4 Changed 14 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.75 to 1.0

Sam has reported that his IP address has been blocked, ParrotServer is running DenyHosts which adds IP addresses to /etc/hosts.deny if there are too many failed login attempts, however Apache doesn't use /etc/hosts.deny and his IP isn't listed there... Also iptables blocked IP addresses are just for some that have been running brute force attacks against the server (see ticket:871):

iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  217.174.240.254      0.0.0.0/0           
DROP       all  --  185.11.147.17        0.0.0.0/0           
DROP       all  --  23.94.144.162        0.0.0.0/0           
DROP       all  --  185.62.188.91        0.0.0.0/0           
DROP       all  --  212.50.12.41         0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

So, this is puzzling... Sam can you double check your IP address? I have added the one that had all the failed ssh logins earlier to /etc/hosts.allow but as I said Apache doesn't use this and also you are not listed in /etc/hosts.deny... There is this page on ParrotServer for checking your IP (though this won't work if you can't access it..):

  • https://parrot.transitionnetwork.org/myip.shtml

I can't see why you can't access the server...

comment:5 follow-up: ↓ 6 Changed 14 months ago by sam

Hi Chris

Access to parrot is fine. It's Puffin I can't access.

Sorry should have been more clear..

Confirming IP is  46.33.157.98

Thanks

Sam


comment:6 in reply to: ↑ 5 Changed 14 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.35
  • Total Hours changed from 1.0 to 1.35

Replying to sam:

Access to parrot is fine. It's Puffin I can't access.

Sorry should have been more clear..

No it was my fault, your email was clear, I scanned it too quickly and assumed the issue was with ParrotServer due to previous problems.

Following wiki:PuffinServer#Falsepositives :

csf -g XX.XX.XX.XX
 
  Chain            num   pkts bytes target     prot opt in     out     source               destination        
 
  DENYIN           98       0     0 DROP       all  --  !lo    *       XX.XX.XX.XX         0.0.0.0/0
 
  DENYOUT          98       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            XX.XX.XX.XX
 
  csf.deny: XX.XX.XX.XX # lfd: (sshd) Failed SSH login from XX.XX.XX.XX (GB/United Kingdom/-): 5 in the last 300 secs - Tue Sep 22 12:52:06 2015
csf -dr XX.XX.XX.XX
  Removing rule...
  DROP  all opt -- in !lo out *  XX.XX.XX.XX  -> 0.0.0.0/0  
  LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> XX.XX.XX.XX  
csf -dr XX.XX.XX.XX
  Removing rule...
  DROP  all opt -- in !lo out *  XX.XX.XX.XX  -> 0.0.0.0/0  
  LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> XX.XX.XX.XX  
csf -g XX.XX.XX.XX
 
  Chain            num   pkts bytes target     prot opt in     out     source               destination        
  No matches found for XX.XX.XX.XX in iptables

Looking in the auth.log you have had failed password attempts:

grep XX.XX.XX.XX /var/log/auth.log
  Sep 22 12:50:55 puffin sshd[29346]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=sam
  Sep 22 12:50:57 puffin sshd[29346]: Failed password for sam from XX.XX.XX.XX port 49332 ssh2
  Sep 22 12:51:08 puffin sshd[29346]: Failed password for sam from XX.XX.XX.XX port 49332 ssh2
  Sep 22 12:51:24 puffin sshd[29346]: Failed password for sam from XX.XX.XX.XX port 49332 ssh2
  Sep 22 12:51:24 puffin sshd[29346]: Connection closed by XX.XX.XX.XX [preauth]
  Sep 22 12:51:24 puffin sshd[29346]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=sam
  Sep 22 12:52:04 puffin sshd[31294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=sam
  Sep 22 12:52:06 puffin sshd[31294]: Failed password for sam from XX.XX.XX.XX port 49336 ssh2

But you have an ssh public key installed, does this need updating?
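As an added example (not code from the ticket or from csf/lfd), the failed-login lines quoted in comment:1 and comment:6 can be fed to a small detector that applies the same rule lfd used when it wrote the csf.deny entry above, 5 failures from one source within 300 seconds, and that separately counts "Failed password" lines for an account that is supposed to authenticate with a key. The log lines and the 192.0.2.10 address are constructed stand-ins for the redacted XX.XX.XX.XX ones, and the year (absent from syslog timestamps) is assumed to be 2015.

```python
import re
from collections import defaultdict
from datetime import datetime

# One "Failed password"/"Failed publickey" line as OpenSSH writes it to auth.log
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<server>\S+) sshd\[\d+\]: "
    r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)
# lfd rule quoted in the csf.deny line: 5 failures in the last 300 secs
THRESHOLD, WINDOW_SECS = 5, 300

# Constructed lines modelled on the ticket's; 192.0.2.10 stands in for XX.XX.XX.XX
SAMPLE_LOG = """\
Sep 22 12:50:57 puffin sshd[29346]: Failed password for sam from 192.0.2.10 port 49332 ssh2
Sep 22 12:51:08 puffin sshd[29346]: Failed password for sam from 192.0.2.10 port 49332 ssh2
Sep 22 12:51:24 puffin sshd[29346]: Failed password for sam from 192.0.2.10 port 49332 ssh2
Sep 22 12:51:24 puffin sshd[29346]: Connection closed by 192.0.2.10 [preauth]
Sep 22 12:52:06 puffin sshd[31294]: Failed password for sam from 192.0.2.10 port 49336 ssh2
Sep 22 12:52:06 puffin sshd[31294]: Failed password for sam from 192.0.2.10 port 49336 ssh2
Sep 22 13:20:24 parrot sshd[22277]: Failed password for sam from 192.0.2.10 port 60655 ssh2
Sep 22 13:20:31 parrot sshd[22277]: Failed password for sam from 192.0.2.10 port 60655 ssh2
Sep 22 13:20:33 parrot sshd[22277]: Failed password for sam from 192.0.2.10 port 60655 ssh2
""".splitlines()

def parse_failures(lines, year=2015):
    """Yield (timestamp, server, user, ip, method); syslog has no year, so one is assumed."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["server"], m["user"], m["ip"], m["method"]

def hosts_to_block(lines, threshold=THRESHOLD, window=WINDOW_SECS):
    """Return {(server, ip): total failures} for sources with >= threshold failures
    inside any window-second span on that server, i.e. what lfd would add to csf.deny."""
    stamps = defaultdict(list)
    for ts, server, _user, ip, _method in parse_failures(lines):
        stamps[(server, ip)].append(ts)
    blocked = {}
    for key, times in stamps.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, ts in enumerate(times):
            while (ts - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                blocked[key] = len(times)
                break
    return blocked

def password_failures_for(lines, user):
    """Failed *password* attempts for an account that has a key installed: a
    non-zero count means the client is not offering the key at all."""
    return sum(1 for _ts, _srv, u, _ip, method in parse_failures(lines)
               if u == user and method == "password")
```

On the sample, puffin trips the rule (5 failures in 69 seconds) while parrot does not (3 failures), which matches why only PuffinServer had blocked the address.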

comment:7 follow-up: ↓ 8 Changed 13 months ago by sam

Hi Chris

I'd like to get SSH working on this box again.

The fingerprint for the key I now have is e7:84:95:0a:5d:30:79:3a:ea:2a:67:2b:f9:bf:2d:7d

Is that the one you have?

It's associated with sam@…

Is there any other info you need to get it working?

Thanks

Sam

comment:8 in reply to: ↑ 7 Changed 13 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.15
  • Total Hours changed from 1.35 to 1.5

Replying to sam:

The fingerprint for the key I now have is e7:84:95:0a:5d:30:79:3a:ea:2a:67:2b:f9:bf:2d:7d

Is that the one you have?

Seems not:

ssh-keygen -lf /home/sam/.ssh/authorized_keys 
2048 d0:73:e1:80:75:62:ab:24:f2:63:95:2d:74:75:d0:3d  sam@bristolwireless.net (RSA)

Can you let me have your new public key please so I can add it to ParrotServer and PuffinServer?

comment:9 Changed 13 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 1.5 to 1.6

I have updated your public keys on both servers:

ssh-keygen -lf /home/sam/.ssh/authorized_keys                   
2048 e7:84:95:0a:5d:30:79:3a:ea:2a:67:2b:f9:bf:2d:7d  sam@bristolwireless.net (RSA)

comment:10 follow-up: ↓ 11 Changed 13 months ago by sam

Hi Chris

This SSH isn't working (Probably my fault)

Could you set up a new Wordpress site please; cop21.transitionnetwork.org

We can try and get SSH working afterwards, but just getting the site up would be great.

Thanks

Sam

comment:11 in reply to: ↑ 10 Changed 13 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 1.6 to 1.85

Replying to sam:

This SSH isn't working (Probably my fault)

You don't appear to be using your ssh private key?

grep sam /var/log/auth.log.1 
Oct 15 15:33:14 parrot sshd[24607]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=sam
Oct 15 15:33:17 parrot sshd[24607]: Failed password for sam from XX.XX.XX.XX port 60744 ssh2

Could you set up a new Wordpress site please; cop21.transitionnetwork.org

We can try and get SSH working afterwards, but just getting the site up would be great.

I have added the sub-domain at Gandi, run:

curses-create-user

Edited /root/webarch/accounts/sites.txt to:

cop21 default cop21.parrot.webarch.net cop21.parrot.transitionnetwork.org,cop21.transitionnetwork.org

Run:

buildapache cop21

Change the domain name for the site:

su - cop21 -s /bin/bash
cd sites/default
wp search-replace "cop21.parrot.webarch.net" "cop21.transitionnetwork.org"
+------------------+-----------------------+--------------+------+
| Table            | Column                | Replacements | Type |
+------------------+-----------------------+--------------+------+
| wp_options       | option_value          | 3            | PHP  |
| wp_posts         | post_content          | 1            | SQL  |
| wp_posts         | guid                  | 3            | SQL  |
+------------------+-----------------------+--------------+------+
Success: Made 7 replacements.

Change the SSL key / cert for the site:

cd /etc/ssl/wsh/
rm cop21.parrot.webarch.net-cert.pem ; ln -s ../transitionnetwork.org/transitionnetwork.org.crt cop21.parrot.webarch.net-cert.pem
rm cop21.parrot.webarch.net-key.pem ; ln -s ../transitionnetwork.org/transitionnetwork.org.key cop21.parrot.webarch.net-key.pem
apache2ctl configtest
apache2ctl restart 

So once the DNS has updated it is all up and running (you can test it before this via an ssh tunnel to ParrotServer or by editing your /etc/hosts file).

Sam -- I could set up Piwik stats for this site if you would like?

Anything else need doing?

comment:12 Changed 13 months ago by chris

The Gandi DNS servers have updated now:

dig @a.dns.gandi.net cop21.transitionnetwork.org +short
81.95.52.43

comment:13 follow-up: ↓ 14 Changed 13 months ago by sam

Thanks Chris.

I'm not getting access to the Admin interface on that URL:

http://cop21.transitionnetwork.org/wp-admin

Thanks

Sam


comment:14 in reply to: ↑ 13 Changed 13 months ago by chris

Replying to sam:

I'm not getting access to the Admin interface on that URL:

http://cop21.transitionnetwork.org/wp-admin

Login here (assuming your DNS servers have updated):

Changed 13 months ago by chris

comment:15 Changed 13 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 1.85 to 1.95

The site appears like this for me:


So I tried adding this to a ~/sites/default/.htaccess file:

# Redirect HTTP to HTTPS
# https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</IfModule>

# STS Header
# https://stackoverflow.com/questions/24144552/how-to-set-hsts-header-from-htaccess-only-on-https
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

But that hasn't solved it, so I ran this update on the database:

su - cop21 -s /bin/bash
cd sites/default
wp search-replace "http://cop21.transitionnetwork.org" "https://cop21.transitionnetwork.org"
+------------------+-----------------------+--------------+------+
| Table            | Column                | Replacements | Type |
+------------------+-----------------------+--------------+------+
| wp_options       | option_value          | 3            | PHP  |
| wp_posts         | post_content          | 1            | SQL  |
| wp_posts         | guid                  | 5            | SQL  |
+------------------+-----------------------+--------------+------+
Success: Made 9 replacements.

And now the site displays with images -- sorry not to have fixed that sooner.
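Added example, not from the ticket or from WP-CLI: the rows marked "PHP" in the search-replace tables above (comment:1, comment:11 and this one) are serialised option values, where every string carries its byte length (s:35:"..."), so a plain sed or SQL REPLACE() of http:// with https:// leaves the lengths wrong and PHP silently discards the whole option. The function below does what wp search-replace does for such values, rewriting each length as it replaces; the option value is constructed.

```python
import re

# PHP serialised string token: s:<byte length>:"<bytes>";
STR_TOKEN = re.compile(rb's:(\d+):"')

def _tokens(raw: bytes):
    """Yield (token_start, body_start, body_end) for each s:N:"..." string,
    skipping over each body by its declared length (bodies are not escaped,
    so a '";' inside a body must not be taken as the terminator)."""
    pos = 0
    while True:
        m = STR_TOKEN.search(raw, pos)
        if not m:
            return
        body_start = m.end()
        body_end = body_start + int(m.group(1))
        if raw[body_end:body_end + 2] != b'";':
            raise ValueError(f"bad length for string token at byte {m.start()}")
        yield m.start(), body_start, body_end
        pos = body_end + 2

def serialized_replace(data: str, old: str, new: str) -> str:
    """Replace old with new inside every serialised string, fixing each s:N: length.
    Works on bytes because PHP lengths are byte counts, not character counts;
    keys, ints and structure outside string bodies pass through untouched."""
    raw, old_b, new_b = data.encode(), old.encode(), new.encode()
    out, pos = [], 0
    for start, body_start, body_end in _tokens(raw):
        body = raw[body_start:body_end].replace(old_b, new_b)
        out.append(raw[pos:start] + b's:%d:"%s";' % (len(body), body))
        pos = body_end + 2
    out.append(raw[pos:])
    return b"".join(out).decode()

def naive_replace(data: str, old: str, new: str) -> str:
    """What a plain sed or SQL REPLACE() does: lengths are left as they were."""
    return data.replace(old, new)

def lengths_consistent(data: str) -> bool:
    """True when every string's closing '";' sits exactly N bytes after its opening quote,
    i.e. PHP's unserialize() would accept the value."""
    try:
        for _ in _tokens(data.encode()):
            pass
    except ValueError:
        return False
    return True

# Constructed option_value in the shape WordPress stores for a plugin/theme setting
SAMPLE = 'a:2:{s:7:"siteurl";s:35:"http://cop21.transitionnetwork.org/";s:5:"https";b:0;}'
```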
