ufw, firewalld, iptables on Amazon Linux

ufw is known as a Debian (and Ubuntu) firewall, which is disabled by default but easy to use. There are some GUI front-ends which make it popular for Linux on the desktop. Coming from a CentOS background (RHEL/Amazon Linux AMI), ufw is not as common (as, say, firewalld, or simply iptables, to which both ufw and firewalld are more or less interfaces).

Recall that netfilter is where the actual firewalling takes place, with iptables an interface on top of that, and ufw/firewalld as interfaces on top of iptables. Given this, there is no reason why ufw or firewalld cannot be run on any Linux, provided packages are available (or one compiles from source).

Debian on AWS Lightsail

This is a setup of several items, starting with Debian 9 on Amazon AWS Lightsail. This has server basics and apt, and then follows with links to additional articles. In general, after several years of running CentOS on Linode, and then Amazon Linux AMI on EC2 and Lightsail, I find that Debian 9 is simply faster, just as secure, and at least slightly easier to use.

Note: as of Sep 2020, Debian 10 is now available on Lightsail

I will update this soon (mid-2020) to Debian 10 - Bullseye (stable) on AWS and Debian testing on the desktop. I consider this combination to be very good for intermediate users as it keeps them up-to-date on the latest testing build (when things break, that is a learning opportunity), as well as having access to the most recent versions of applications, utilities and support libraries. Debian is a huge Linux ecosystem which is generally well-supported by a very large community. For one's production desktop environment, Debian testing is an excellent balance of up-to-date application availability and community supportiveness. Together with the extremely stable desktop environment using Openbox/LXDE, very low system requirements are needed.

To be honest, once getting the hang of Openbox/LXDE, I do not see any advantage to Linux Mint or Ubuntu, for that matter (besides the personal repositories). Cinnamon (available on other distributions than Mint) is buggy, memory hungry, and requires a bit of customization. Openbox/LXDE requires nearly the same kind of customizations, but demands many fewer resources and is nearly crashproof. In my opinion, the good parts of Mint do not include Cinnamon, but rather applications such as Nemo and Pix, which can of course be installed and run without Mint or Cinnamon.

Amazon Lightsail

Amazon Lightsail is a VPS service offered by Amazon that competes with the likes of Rackspace, DigitalOcean, Linode, etc.

Note: As of mid 2018 AWS effectively halved its prices on Lightsail. This means there is a $3.50 USD/mo. option and the $40 option listed below (4gb ram/2 cpu/60gb ssd/4tb xfer) is actually only $20 now.

Compared head-to-head the Lightsail option is a middle-of-the-road offering. However, compared with AWS and including the highly optimized nature of running Amazon Linux AMI (and not overselling with bullshit numbers like some providers), Amazon Lightsail is an extremely attractive VPS.

S3 snapshot backups and other aspects of high reliability make this a go-to package for the VPS market.

Lightsail Specifications

See the Amazon Lightsail FAQs

The various sizes of Lightsail are (as of July 2017):

  • $5/mo. - 512mb ram, 1 core, 20gb ssd, 1tb transfer
  • $10/mo. - 1gb ram, 1 core, 30gb ssd, 2tb transfer
  • $20/mo. - 2gb ram, 1 core, 40gb ssd, 3tb transfer
  • $40/mo. - 4gb ram, 2 core, 60gb ssd, 4tb transfer
  • $80/mo. - 8gb ram, 2 core, 80gb ssd, 5tb transfer

Note that transfer allowances are half of the above, for Mumbai and Sydney currently.

Lightsail vs. EC2 Pricing

The real genius in Lightsail is the pricing. Compared with a 1 year reserved T2.Nano instance, a $5 Lightsail would be as follows:

Total value of $8.13-$98.04 (depending mainly on data transfer).

However, if you had only a single zone, a single IP, 8gb of disk (smallest available), and under 1gb of data transfer, then the value is $4.74/mo., which is within 5% of the cost of a $5/mo. Lightsail.

That said, it is not clear how the vcpu works under Lightsail vs. EC2. However, since this is a single infrastructure, likely the performance is similar, and AWS is just going after a different segment of the market (one that is price-conscious).

Lightsail Docs and CLI

Lightsail has documentation and a CLI.

Lightsail Tasks

  • Create zone(s)
  • Create and download SSH Cert
  • Log in from command prompt with
    • ssh -i /path/to/.ssh/key.pem ec2-user@server.domain.tld
  • Operate under root rights with sudo su

Lightsail Control Panel

Lightsail is not integrated into the rest of AWS, though it is possible to see some aspects of it (perhaps storage?) from the console. Definitely it is managed separately from EC2 and Route53.

This lack of integration is a bit of a pain, but likely it will go away (slowly and partially) over time (perhaps).

Securing Lightsail

Depending upon one's security requirements, it might be useful to create a new user and disable or remove rights to the ec2-user account.

The steps to create a user with the same rights as ec2-user are:

  • create the account: useradd username
  • set a password for the account: passwd username
  • add the account to the sudo (wheel) group: usermod -aG wheel username
  • log in with the account: su - username
  • create a .ssh directory: mkdir .ssh
  • set security on the directory: chmod 700 .ssh
  • log out of username: exit
  • now back in root, copy the authorized_keys file to username:
    cp /home/ec2-user/.ssh/authorized_keys /home/username/.ssh/authorized_keys

Log all the way out of the system, and try to log in with the username and the same public key.

Once logged in, invoke sudo su to check the account's rights. At this point there should be an error message.

The last step is to replace ec2-user with username in the file /etc/sudoers.d/cloud-init.

If this works, then you have a new account with the same privileges as the ec2-user (and ec2-user can no longer become root), and you can safely delete (or ignore) that account.
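The steps above collected into one script, as an added example that is not part of the original article. It targets Amazon Linux as described (useradd, the wheel group, /etc/sudoers.d/cloud-init) and must be run as root; the function names and the ROOT prefix variable are this example's own, the prefix existing so the key-copy and sudoers edit can be rehearsed against a scratch directory before touching the live system. It adds two checks the step list leaves implicit: the copied key file is given to the new user with mode 600, and the edited sudoers file is validated with visudo -c before it replaces the original, since a syntax error there locks everyone out of root.

```shell
#!/bin/sh
# Added example (not from the page): the "replace ec2-user" steps as one
# script for Amazon Linux. Run as root:  sh new_admin.sh <username>
# ROOT is a hypothetical prefix (default "", the real filesystem) so the
# file-handling functions can be rehearsed against a scratch directory.
set -eu

ROOT="${ROOT:-}"

# Steps 1-3: create the account, set its password, put it in wheel.
create_admin_account() {
    local user="$1"
    useradd "$user"
    passwd "$user"
    usermod -aG wheel "$user"
}

# Steps 4-8: give the new account the same authorized_keys as ec2-user.
# The page's steps copy the file as root; here the copy is also handed to
# the user with mode 600, which is what sshd's StrictModes expects.
copy_authorized_keys() {
    local from_user="$1" to_user="$2"
    local src="$ROOT/home/$from_user/.ssh/authorized_keys"
    local dst_dir="$ROOT/home/$to_user/.ssh"
    [ -s "$src" ] || { echo "no key file at $src" >&2; return 1; }
    mkdir -p "$dst_dir"
    chmod 700 "$dst_dir"
    cp "$src" "$dst_dir/authorized_keys"
    chmod 600 "$dst_dir/authorized_keys"
    # chown only when the account exists (it does not in a scratch-dir rehearsal)
    if id "$to_user" >/dev/null 2>&1; then
        chown -R "$to_user:$to_user" "$dst_dir"
    fi
}

# Last step: swap ec2-user for the new name in /etc/sudoers.d/cloud-init.
# A broken sudoers file locks everyone out of root, so the edit goes to a
# temp file, is checked with visudo -c when running as root, and the old
# file is kept as cloud-init.bak (sudo ignores sudoers.d names with a dot).
replace_sudoers_user() {
    local from_user="$1" to_user="$2"
    local file="$ROOT/etc/sudoers.d/cloud-init" tmp
    grep -q "^$from_user[[:space:]]" "$file" || { echo "$from_user not in $file" >&2; return 1; }
    tmp=$(mktemp)
    sed -E "s/^$from_user([[:space:]])/$to_user\1/" "$file" > "$tmp"
    chmod 0440 "$tmp"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    cp -p "$file" "$file.bak"
    mv "$tmp" "$file"
}

# Entry point for real use; does nothing when no username is given.
if [ "$#" -ge 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    create_admin_account "$1"
    copy_authorized_keys ec2-user "$1"
    replace_sudoers_user ec2-user "$1"
    echo "Done. Log out, log in as $1 with the same key, and test sudo before removing ec2-user."
fi
```

Run it once as root with the new username; then, exactly as described above, log out, log back in as that user with the same key, and confirm sudo works before deleting ec2-user.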

Lightsail Limitations

Lightsail has a few limitations, including no tools for transfer or resizing, though in late 2018 the ability to export snapshots to EC2 was added. In addition, the Lightsail firewall cannot filter on source IP address, only on port. And for DNS management, CAA records are not supported (as opposed to Route 53, where they are).

cron and crontabs on Amazon Linux AMI

Two words for time-based automation: cron and crontabs (and other apps such as anacron) are needed for so many things on a server. Here is how to use cron and crontabs on Amazon Linux AMI.

Install crontabs

This also installs several dependencies, including cron itself.

yum -y install crontabs
chkconfig crond on
service crond start
service crond status

Edit the crontabs

Remember to do this as root (or via su), otherwise there might be access issues with the actual items to run. vi is the default editor, but I like nano better, so:

export VISUAL=nano; crontab -e

Crontab syntax

Essentially there are numbers or asterisks for when things are run. From left to right:

  • Minute (0-59)
  • Hour of day (0-23)
  • Day of month (1-31)
  • Month (1-12)
  • Day of week (0-6, 0 = Sunday)

An asterisk counts for every possible value, which means:

  * * * * * = every minute
  0 1 * * * = 01:00 every day
  0 18 * * 0 = every Sunday at 18:00 (6pm)
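The field rules above, as an added example that is not part of the original article: a small POSIX shell matcher that decides whether a five-field schedule fires at a given minute. It goes beyond the three schedules shown to the other forms cron accepts in a field (ranges, lists and steps), applies the crontab(5) rule that when both day fields are restricted either one matching is enough, and treats weekday 7 as Sunday. The function names cron_matches, field_matches and dec are this example's own; month and weekday names such as jan or mon are not handled.

```shell
#!/bin/sh
# Added example (not from the page): decide whether a five-field crontab
# schedule fires at a given minute. Field forms handled are the ones cron
# accepts: '*', a number, a range a-b, a list a,b,c, and steps */n or a-b/n.

# dec NUM -> NUM without leading zeros, so "08" is not read as octal by $(( ))
dec() {
    local s="$1" zeros
    zeros="${s%%[!0]*}"
    s="${s#"$zeros"}"
    printf '%s' "${s:-0}"
}

# field_matches SPEC VALUE MIN MAX -> exit 0 if VALUE is selected by SPEC,
# 1 if it is not, 2 if SPEC is not valid for a field with that range.
field_matches() {
    local spec="$1" value="$2" lo="$3" hi="$4"
    local rest part range step a b n
    value=$(dec "$value")
    rest="$spec,"                          # trailing comma terminates the loop
    while [ -n "$rest" ]; do
        part="${rest%%,*}"; rest="${rest#*,}"
        step=1; range="$part"
        case "$part" in */*) range="${part%/*}"; step="${part#*/}" ;; esac
        case "$step" in ''|*[!0-9]*) return 2 ;; esac
        step=$(dec "$step")
        case "$range" in
            '*') a=$lo; b=$hi ;;
            *-*) a="${range%-*}"; b="${range#*-}" ;;
            *)   a="$range"; b="$range"
                 [ "$step" -eq 1 ] || return 2 ;;   # "5/15" is not Vixie cron syntax
        esac
        for n in "$a" "$b"; do
            case "$n" in ''|*[!0-9]*) return 2 ;; esac
        done
        a=$(dec "$a"); b=$(dec "$b")
        { [ "$step" -ge 1 ] && [ "$a" -ge "$lo" ] && [ "$b" -le "$hi" ] && [ "$a" -le "$b" ]; } || return 2
        if [ "$value" -ge "$a" ] && [ "$value" -le "$b" ] && [ $(( (value - a) % step )) -eq 0 ]; then
            return 0
        fi
    done
    return 1
}

# cron_matches "M H DOM MON DOW" MINUTE HOUR DAY MONTH WEEKDAY -> 0 if the
# schedule fires then. Minute, hour and month must all match. The day part
# follows crontab(5): when both day fields are restricted (neither starts
# with '*'), either one matching is enough; otherwise both must match.
# Weekday 0 and 7 both mean Sunday.
cron_matches() {
    local m h dom mon dow
    read -r m h dom mon dow <<EOF
$1
EOF
    local minute="$2" hour="$3" day="$4" month="$5" wday="$6"
    [ -n "$dow" ] || return 2              # fewer than five fields
    field_matches "$m" "$minute" 0 59 || return 1
    field_matches "$h" "$hour" 0 23 || return 1
    field_matches "$mon" "$month" 1 12 || return 1
    local dom_ok=1 dow_ok=1 dom_star=0 dow_star=0
    if field_matches "$dom" "$day" 1 31; then dom_ok=0; fi
    if field_matches "$dow" "$wday" 0 7; then dow_ok=0
    elif [ "$wday" -eq 0 ] && field_matches "$dow" 7 0 7; then dow_ok=0
    fi
    case "$dom" in '*'*) dom_star=1 ;; esac
    case "$dow" in '*'*) dow_star=1 ;; esac
    if [ "$dom_star" -eq 0 ] && [ "$dow_star" -eq 0 ]; then
        [ "$dom_ok" -eq 0 ] || [ "$dow_ok" -eq 0 ]
    else
        [ "$dom_ok" -eq 0 ] && [ "$dow_ok" -eq 0 ]
    fi
}

# Usage: sh cronmatch.sh "0 18 * * 0" MINUTE HOUR DAY MONTH WEEKDAY
if [ "$#" -eq 6 ]; then
    if cron_matches "$@"; then echo "fires"; else echo "does not fire"; fi
fi
```

The matcher returns exit status 2 for a field cron itself would reject, so it doubles as a quick syntax check for an entry before it goes into crontab -e.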

Crontab execution

Crontab jobs execute from the home directory of the user, so it is best to use full paths for scripts and anything else they reference.

Example MySQL watchdog script

Crontab entry:

* * * * * /usr/local/bin/rsmy >> /var/log/mysqld.log

Script entry:

#!/bin/bash
# Count "running" lines (but not "not running") in the service status output
UP=$(/etc/init.d/mysqld status | grep running | grep -v not | wc -l)
if [ "$UP" -ne 1 ]; then
    echo "$(date) - MySQL is down - restarting now"
    /sbin/service mysqld start
    echo "$(date) - MySQL is running"
    /usr/bin/free -m
fi


Bash Shell Scripting

Bash being the most common shell, it makes sense to learn bash shell scripting. I didn't think this at first and later came to the conclusion, having spent time with Fish Shell. However, Bash is definitely old and creaky with some frankly ridiculous implementation details. Fish can be installed most everywhere, and is generally superior in many ways. Where it is not, commands can simply be run in Bash.

Linux Kernel on the March

As of early 2018, ChromeOS and Desktop Linux have both crossed the 3% threshold. Android is approaching 50% for OS market share, and is in excess of that in terms of new devices. Heady times for the Linux Kernel indeed. While Android uses the Linux Kernel, nearly everything else in Android is customized, and therefore it doesn't have any distribution lineage to speak of. ChromeOS is derived from Gentoo Linux, a custom-build Linux distribution.

Fish Shell – Friendly Interactive SHell

Note: I've replaced Fish Shell with Bash in my personal technology stack, as of March 2018. Ha ha, back on Fish Shell.

Fish Shell is a very useful shell. I use it on OSX and Linux. It provides for some sanity at the command line. For an editor I use Nano. There are some limitations and a learning curve in getting it set up, and it is definitely newer than other shells. When trying to run a command that won't work in fish, simply invoke bash and get it done, so there are no real limitations to speak of. For shell scripting, it is very straightforward and definitely more modern. Useful docs on the fish shell are available.

IPA Keyboard Layout

Well, it turns out, there is no such thing, per se, as an IPA Keyboard Layout, at least not in the sense that there are keyboard layouts for various languages and layout styles (e.g., English, Dvorak, etc.). This seems to me to be a tremendous oversight, though it obviously came about because someone thought supporting the entire Unicode space for the IPA was a great idea, and the only idea.

