How To Block All Traffic From China Using iptables and ipset on Amazon Linux

Author: erics, October 24th, 2019

All credit to Matt Wilcox for this excellent article, for which this post is based – thank you, Matt! https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables/ All commands run as root!

yum install -y ipset
vi blockchina (see below for contents)
chmod 755 blockchina
./blockchina

1

2

3

4

yum install -y ipset

vi blockchina (see below for contents)

chmod 755 blockchina

./blockchina

Do this once only:

iptables -A INPUT -p tcp -m set --match-set china src -j DROP; service iptables save

1	iptables -A INPUT -p tcp -m set --match-set china src -j DROP; service iptables save

Then add blockchina to the root cron

#!/bin/sh
#
# blockchina
#
DIR=/etc

# Create the ipset list
ipset -N china hash:net

# remove any old list that might exist from previous runs of this script
rm $DIR/cn.zone

# Pull the latest IP set for China
wget -P $DIR http://www.ipdeny.com/ipblocks/data/countries/cn.zone

# Add each IP address from the downloaded list into the ipset 'china'
for i in $(cat $DIR/cn.zone ); do ipset -A china $i; done

# Update iptables
service iptables restart

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

#!/bin/sh

#

# blockchina

#

DIR=/etc

# Create the ipset list

ipset -N china hash:net

# remove any old list that might exist from previous runs of this script

rm $DIR/cn.zone

# Pull the latest IP set for China

wget -P $DIR http://www.ipdeny.com/ipblocks/data/countries/cn.zone

# Add each IP address from the downloaded list into the ipset 'china'

for i in $(cat $DIR/cn.zone ); do ipset -A china $i; done

# Update iptables

service iptables restart

Categories: How-To's, Technology Tags: Amazon, Amazon Linux, AWS, Block, China, DDOS, dos, Firewall, ipset, IPTables, Linux, root, traffic | No comments

How To Sync Box to S3 Using rclone

Author: erics, October 3rd, 2019

To sync various cloud resources, use the excellent cli tool rclone from https://rclone.org/docs/ For this use case, the need was to sync from Box to an AWS S3 bucket. Install rclone:

curl https://rclone.org/install.sh | sudo bash

1	curl https://rclone.org/install.sh \| sudo bash

Configure both S3 and Box – for remote name labels I just used “S3” and “Box”:

rclone config

1	rclone config

Validate Access and Functionality:

rclone lsd Box:
rclone lsd S3:

1 2	rclone lsd Box: rclone lsd S3:

Perform […]

Categories: How-To's, Technology Tags: Amazon, AWS, AWS S3, Box, Clone, rclone, rsync, S3, Sync | No comments

10 Reasons Why Tungsten Clustering Beats the DIY Approach for Geo-Distributed MySQL Deployments

Author: erics, August 29th, 2019

Why does the DIY approach fail to deliver vs. the Tungsten Clustering solution for geo-distributed MySQL multimaster deployments? Before we dive into the 10 reasons, note why commercially-supported enterprise software is less risky and in fact less costly.

Categories: Connector, Geo-Distributed, Maintenance, Multimaster, Multimaster MySQL, Multisite Tags: AWS, Clustering, Disaster REcovery, High Availability, mysql, proxy, Replicator | Comments Off on 10 Reasons Why Tungsten Clustering Beats the DIY Approach for Geo-Distributed MySQL Deployments

How To Upgrade PHP on AWS Linux

Author: erics, August 22nd, 2019

As root:

PACKAGES=`yum list installed | grep php | awk -F. '{print $1}' | tr "\n\r" " "`
echo $PACKAGES
yum remove -y $PACKAGES

1

2

3

PACKAGES=`yum list installed | grep php | awk -F. '{print $1}' | tr "\n\r" " "`

echo $PACKAGES

yum remove -y $PACKAGES

~or~

yum remove php56 php56-cli php56-common php56-devel php56-gd php56-jsonc php56-jsonc-devel php56-mbstring php56-mcrypt php56-mysqlnd php56-pdo php56-pecl-imagick php56-process php56-xml

1	yum remove php56 php56-cli php56-common php56-devel php56-gd php56-jsonc php56-jsonc-devel php56-mbstring php56-mcrypt php56-mysqlnd php56-pdo php56-pecl-imagick php56-process php56-xml

THEN:

yum install php72 php72-bcmath php72-cli php72-common php72-devel php72-gd php72-imap php72-json php72-mysqlnd php72-pdo php72-pecl-apcu php72-pecl-imagick php72-pecl-imagick-devel php72-pecl-memcache php72-php-bcmath php72-php-common php72-php-json php72-process php72-runtime php72-xml php72-mbstring php72-pecl-mcrypt

1

yum install php72 php72-bcmath php72-cli php72-common php72-devel php72-gd php72-imap php72-json php72-mysqlnd php72-pdo php72-pecl-apcu php72-pecl-imagick php72-pecl-imagick-devel php72-pecl-memcache php72-php-bcmath php72-php-common php72-php-json php72-process php72-runtime php72-xml php72-mbstring php72-pecl-mcrypt

Be sure to restart your web server!!

Categories: How-To's, Technology Tags: Amazon, AWS, Install, Linux, php, php7, upgrade, Yum, yum install, yum list, yum remove, yum search | No comments

How To List Running AWS Instances in all Regions Sorted by LaunchTime and Email in a Monospaced Font

Author: erics, July 1st, 2019

#!/bin/sh

DATE=`date`

(
echo "From: Your Full Name <you@yourdomain.com>"
echo "To: you@yourdomain.com"
echo "Subject: AWS Instances Report for All Customers as of $DATE"
cat <<EOT
MIME-Version: 1.0
Content-Type: text/html
Content-Disposition: inline
<html>
<body>
<pre style="font: monospace">
EOT
for profile in customer1 customer2 customer3; do
	for region in `aws ec2 describe-regions --output text | cut -f3`; do
		echo -e "\nListing Instances for profile $profile in region: '$region'..."
		aws ec2 describe-instances \
		--filters "Name=instance-state-name,Values=running" \
		--query 'Reservations[*].Instances[*].[InstanceId, PublicIpAddress, LaunchTime, InstanceType, Tags[?Key==`Name`] | [0].Value]| sort_by(@, &@[0][2])' \
		--region $region \
		--profile $profile \
		--output table
	done
done
cat <<EOT
</pre>
</body>
</html>
EOT
) | /usr/sbin/sendmail -t

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

#!/bin/sh

DATE=`date`

(

echo "From: Your Full Name <you@yourdomain.com>"

echo "To: you@yourdomain.com"

echo "Subject: AWS Instances Report for All Customers as of $DATE"

cat <<EOT

MIME-Version: 1.0

Content-Type: text/html

Content-Disposition: inline

<html>

<body>

EOT

for profile in customer1 customer2 customer3; do

for region in `aws ec2 describe-regions --output text | cut -f3`; do

echo -e "\nListing Instances for profile $profile in region: '$region'..."

aws ec2 describe-instances \

--filters "Name=instance-state-name,Values=running" \

--query 'Reservations[*].Instances[*].[InstanceId, PublicIpAddress, LaunchTime, InstanceType, Tags[?Key==`Name`] | [0].Value]| sort_by(@, &@[0][2])' \

--region $region \

--profile $profile \

--output table

done

cat <<EOT

</pre>

</body>

</html>

EOT

) | /usr/sbin/sendmail -t

Categories: How-To's, Technology Tags: AWS, aws ec2, Date, EC2, Email, Font, Format, howto, html, LaunchTime, mail, monospace, monospaced, Multiple, Region, Regions, SendMail, sort, Sort By, time, tips | No comments

How To Obtain a Public Key from an AWS .pem Private Key on Linux and Mac

Author: erics, February 4th, 2019

Use the ssh-keygen command on a computer to which you’ve downloaded your private key .pem file; for example: First, ensure permissions will allow ssh-keygen to work: chmod 600 /path/to/the/file/your-key-pair.pem Then generate an RSA public key: ssh-keygen -y -f /path/to/the/file/your-key-pair.pem > your-key-pair.pub

Categories: How-To's, Technology Tags: .pem, .pub, Amazon, apple, AWS, cli, howto, key, key-pair, KeyPair, Linux, Mac, MacOS, macosx, Pubkey, public, Public Key, ssh-keygen, tips | No comments

How To Locate Attached Disk Devices in Linux

Author: erics, April 24th, 2018

https://linux.die.net/man/8/lsblk # lsblk -a

NAME          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
nvme1n1       259:0    0  100G  0 disk /volumes/data
nvme0n1       259:1    0   20G  0 disk 
├─nvme0n1p1   259:2    0   20G  0 part /
└─nvme0n1p128 259:3    0    1M  0 part

1

2

3

4

5

NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT

nvme1n1 259:0 0 100G 0 disk /volumes/data

nvme0n1 259:1 0 20G 0 disk

├─nvme0n1p1 259:2 0 20G 0 part /

└─nvme0n1p128 259:3 0 1M 0 part

Categories: How-To's, Technology Tags: Amazon, Attached, AWS, Device, Disk, Drive, Find, howto, Linux, Locate, lsblk, tips | No comments

How To Upgrade MySQL to 5.7 on CentOS/AWS Linux

Author: erics, December 7th, 2017

START: Server version: 5.5.54-log MySQL Community Server (GPL) FINISH: Server version: 5.7.20-log MySQL Community Server (GPL)

mysql --execute="SET GLOBAL innodb_fast_shutdown=0;"
service mysqld stop
yum remove mysql mysql-*
yum install mysql57-devel mysql57-server mysql57-test
service mysqld start
mysql_upgrade
service mysqld restart

1

2

3

4

5

6

7

mysql --execute="SET GLOBAL innodb_fast_shutdown=0;"

service mysqld stop

yum remove mysql mysql-*

yum install mysql57-devel mysql57-server mysql57-test

service mysqld start

mysql_upgrade

service mysqld restart

If you do not restart MySQL server at the end, you will get this error:

ERROR 1682 (HY000): Native table 'performance_schema'.'session_variables' has the wrong structure

1	ERROR 1682 (HY000): Native table 'performance_schema'.'session_variables' has the wrong structure

Check and veify your my.cnf ssl entries if you see the following error in the /var/log/mysqld.log file at startup:

Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed

1	Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed

Categories: How-To's, Technology Tags: 5.5, 5.7, AWS, AWS Linux, CentOS, howto, mysql, MySQL 5.5, MySQL 5.7, tips, upgrade | No comments

How To Block an Entire TLD in Postfix

Author: erics, September 13th, 2016

Step 1. Execute the following two commands: postconf -e smtpd_sender_restrictions=pcre:/etc/postfix/rejected_domains postconf -e reject_unauth_destinations=pcre:/etc/postfix/rejected_domains If that doesn’t work, you may hand-edit main.cf and add/edit these lines:

smtpd_sender_restrictions=pcre:/etc/postfix/rejected_domains
reject_unauth_destinations=pcre:/etc/postfix/rejected_domains

1 2	smtpd_sender_restrictions=pcre:/etc/postfix/rejected_domains reject_unauth_destinations=pcre:/etc/postfix/rejected_domains

Step 2. Create the regex filter file: vim /etc/postfix/rejected_domains

/\.top$/           REJECT No spam allowed from the .top TLD
/\.stream$/           REJECT No spam allowed from the .stream TLD

1 2	/\.top$/ REJECT No spam allowed from the .top TLD /\.stream$/ REJECT No spam allowed from the .stream TLD

Step 3. Signal Postfix to reread the config: postfix reload NOTE: Do NOT use the postmap command for the […]

Categories: How-To's, Technology Tags: Amazon Linux, AWS, Block, Filter, howto, Linux, PostFix, tips, TLD | No comments

How To Install and Use the screen Command on AWS Linux

Author: erics, August 12th, 2016

Install it: yum install screen Start it up: screen Detach from the session: Control-a d Re-attach to the session later on: screen -r This is a good reference guide: https://www.rackaid.com/blog/linux-screen-tutorial-and-how-to/

Categories: How-To's, Technology Tags: AWS, howto, Install, Linux, Screen, tips | No comments

How To Block All Traffic From China Using iptables and ipset on Amazon Linux

How To Sync Box to S3 Using rclone

10 Reasons Why Tungsten Clustering Beats the DIY Approach for Geo-Distributed MySQL Deployments

How To Upgrade PHP on AWS Linux

How To List Running AWS Instances in all Regions Sorted by LaunchTime and Email in a Monospaced Font

How To Obtain a Public Key from an AWS .pem Private Key on Linux and Mac

How To Locate Attached Disk Devices in Linux

How To Upgrade MySQL to 5.7 on CentOS/AWS Linux

How To Block an Entire TLD in Postfix

How To Install and Use the screen Command on AWS Linux

Our Link Network

Business

Client Websites

Fine Dining

Friends & Family

Galleries

Health

Resources

Technology

Travel

The Archives

Latest Ramblings…

Various Topics of No Interest