• Announcements

    • MannDude

      Current state of vpsBoard   02/04/2017

      Dear vpsBoard members and guests:

      Over the last year or two vpsBoard activity and traffic has dwindled. I have had a change of career and interests, and as such am no longer an active member of the web hosting industry.

      Due to time constraints and new interests I no longer wish to continue to maintain vpsBoard. The web site will remain only as an archive to preserve and showcase some of the great material, guides, and industry news that has been generated by members, some of which I remain in contact to this very day and now regard as personal friends.

      I want to thank all of our members who helped make vpsBoard the fastest growing industry forum. In it's prime it was an active and ripe source of activity, news, guides and just general off-topic banter and fun.

      I wish all members and guests the very best, whether it be with your business or your personal projects.

      -MannDude
ZEROF

LHMP - Hiawatha PHP-FPM MariaDB, install and administration

8 posts in this topic

Hi all,

I posted before about this tool,but i didn't have time for updates last few months and in last few weeks few nice people asked when tool will be updated. I took few evenings hours and i made first version to support Devuan and Debian 8.

What this tool is about

1. Easy way to set secure web server
2. Save server setting time
3. Run on Pi 2 and BeagleBone board

What this tool do for you

install_hiawatha_server.png

Where to get your copy

https://gist.github.com/ZEROF/10743343

How to

-Save script as hiawatha.sh

-Set permission chmod +x hiawatha.sh

-Run it ./hiawatha.sh

Use it

If you can, use it on fresh installed servers.

Have fun and send your ideas.

3 people like this

Share this post


Link to post
Share on other sites

Small update folks. Thanks to people asked for fail2ban.

-Install fail2ban (you can set port, you don't need to use 22, because LES and other NAT boxes don't use standard ports)

-This will add SFTP protection as well.

-Remove fail2ban and settings.

Cheers!

2 people like this

Share this post


Link to post
Share on other sites

What machine specs are kind of minimum for this script to run right on?  RAM is the thing I am mainly interested in.

Thanks for the script and the hard work.

Share this post


Link to post
Share on other sites

Hi drmike,

I can say that i have 512mb vm in my home lab running Devuan (jessie). I have BeagleBone (512mb of RAM) and Pi 2 (1gb of ram). My site running on 2gb Atom server, installed with this script as well. I guess all from 512>Xgb ram vps/server will do. I have a lot of clients servers as well but i don't remember if some of them had less then 512mb of ram.

What you need to do, and i will add to script as option, is to disable MySql engine InnoDB. This engine will not perform well on low ram box. If you have some vps with less then 512mb it will be nice if you can test it. I think that this will work with less ram without InnoDB. Hiawatha will only use 50-60mb of ram or less for small site.

To disable InnoDB just add inside your my.cnf, under [mysqld]:

[mysqld]
skip-innodb
default-storage-engine=MyISAM
1 person likes this

Share this post


Link to post
Share on other sites
3 hours ago, ZEROF said:

Hi drmike,

I can say that i have 512mb vm in my home lab running Devuan (jessie). I have BeagleBone (512mb of RAM) and Pi 2 (1gb of ram). My site running on 2gb Atom server, installed with this script as well. I guess all ....

 

Much respect to you.  I'll give the script a spin this week when I am tinkering with my heap of ARM devices and having an install fest to clean my creative mind.

Share this post


Link to post
Share on other sites

Thanks man, i just checked on one small server (not VPS) and this settings use 247Mb of ram, but site is busy one. InnoDB is enabled, i guess if disabled can be even less. Anyway that is good for low end box. But i guess real test will be without InnoDB. I need to check if client use InnoDB if not i will disable and test it.

EDIT:

Tested and server use 40-50Mb less :).

Final test without extra settings give us 200mb of ram is all what you need.

1 person likes this

Share this post


Link to post
Share on other sites

Should those of us who want just Hiawatha and not this whole stack add the Debian repo for Hiawatha and install from there instead?

I am thinking of using Haiawatha to server static content for multiple sites and as a proxy for the app servers behind it (mostly python and Postgres) so the only reason I would want this stack is to run Hiawatha monitor.

Incidentally, do you particualrly like Debian/Devuan as a platform to run Hiawatha on? It has been packaged for a number of distros and OSes including some security focused things like Alpine Linux and BSDs.

Share this post


Link to post
Share on other sites

Hi,

First this tool will add Hiawatha .deb repo, but you can use what you want, just don't run install Hiawatha from menu. But if version change, and config files is not the same, you can get some errors. I use Devuan for some time now and I am happy with it, don't need to deal with some odd systemd issues. Last one was that systemd will try to remove UEFI bios settings or something like that, I didn't go to details

1 person likes this

Share this post


Link to post
Share on other sites

  • Similar Content

    • By graeme
      I have multiple web sites (and a few other processes) I want to run in an environment that is flexible and as low maintenance as possible. This includes my sites and customer sites, production and development. Most share a common platform (Python, Django, Postgres, Linux (mostly Debian)). I need to be able to give
      At the moment they are all running in separate VPSs, and some on shared hosting. The problem with multiple unmanaged VPSs is that it is a lot of stuff to manage.
      I have been experimenting with running the sites on a single VPS with multiple users. It is a "cloud" one so can be scaled up as needed, and there is only one OS and shared libraries to upgrade. The problem is relying on permissions to separate sites from each other, and to give users access to sites is quite fiddly, particularly as I am paranoid enough to run app servers as a different user from the code they exectute. I have not ruled it out as a solution, but it is not as straightforward as expected

      I thought of running my own VPSs on a dedi, which is cost effective, but adds one more component to manage. It gives me a lot of isolation.

      I think some sort of container or jail solution will give me the best of both worlds, but I am not familiar enough with it to pick suggestions? I am willing to consider using any *nix OS, although Debian Linux is what I am most familiar with.
      Resource isolation is not an issue: it will not be running anything I expect to cause problems. Easy admin and security are.
      Any suggestions?
    • By HalfEatenPie
      Article Link: http://krebsonsecurity.com/2016/08/the-reincarnation-of-a-bulletproof-hoster/
      Excerpt: 
      @HostSailor, any comments?  Curious as to what the purpose of this all is. 
    • By wlanboy
      httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:
      RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY HTTP_PROXY is a popular environment variable used to configure an outgoing proxy This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now. Here’s how.
      httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry.
      What can happen if my web application is vulnerable?
      If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:
      Proxy the outgoing HTTP requests made by the web application Direct the server to open outgoing connections to an address and port of their choosing Tie up server resources by forcing the vulnerable software to use a malicious proxy httpoxy is extremely easy to exploit in basic form.
      See here: https://httpoxy.org/
      The assigned CVEs so far:
      CVE-2016-5385: PHP CVE-2016-5386: Go CVE-2016-5387: Apache HTTP Server CVE-2016-5388: Apache Tomcat CVE-2016-1000109: HHVM CVE-2016-1000110: Python CloudFlare sites protected from httpoxy: https://blog.cloudflare.com/cloudflare-sites-protected-from-httpoxy/
    • By drmike
      So maybe you live under a rock and avoid news sites, congrats on being a rare creature and happy day to enjoy that quiet by the stream.
      Rest of us have been snorting as the Panama Papers hack job matures and controlled media IV drips bits and pieces (even though they've had the data for a year or three).  Terabytes of data on Panamian offshore / money laundering operations all formed by one incorporator Mossack Fonseca, a Panamanian law firm.Now one site has called out Mossack Fonseca's website security, namely really old versions of open source software.  Most notably, drumroll: Wordpress.  (But Wordpress is soooooooo secure) :)
      Drupal and Wordpress are implicated and both were way way old and insecure versions.
      ... found that the firm’s WordPress-powered site is currently running on version 4.1 (released in December 2014), based on its version of autosave.js, which is identical to the autosave.js file shipped in 4.1. Since that time WordPress has had numerous critical security updates. The main site is also loading a number of outdated scripts and plugins. Its active theme is a three-year-old version of Twenty Eleven (1.5), which oddly resides in a directory labeled for /twentyten/. source: http://wptavern.com/outdated-and-vulnerable-wordpress-and-drupal-versions-may-have-contributed-to-the-panama-papers-breach
    • By drmike
      Do we have any resident cobblers / DIY types who are using Linux for CCTV / security related? I mean legit Linux DIY not premade embedded systems.
      I am fussing with some China dump wifi cameras (read cheap).  Quite interesting little units for the price (bound to be more like them). ~ $15 a camera delivered.
      RTSP streaming from these and seems to be a really common software stack they are loading into lots of these China cams from many many brands.  
      Do we have people using the Open Source Zoneminder DVR / CCTV software?  Considering trying to get Zoneminder running on one of my unused ARM boards (yes it exists for ARM also).