Tag Archives: vps

SSH warning: unprotected private key file!

Recently I tried to playing around with Amazon EC2 server. After subscribing & setup my server, it will give you cert pem key to access the server instead of entering the key manually.

When I try to login, I got this error:
Permissions 0440 for ‘xxx.pem’ are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: xxx.pem

To fix this problem, just run this command:
chmod 0400 xxx.pem

The xxx.pem is your cert key file. After that try to login again. Should be fine. 🙂

How to install ClamAV on Ubuntu Server 12.04

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library.

ClamAV also can be use to look if there any malicious code e.g. web shell that has been uploaded into your server. So here I show you on how to install ClamAV on Ubuntu Server 12.04

Step 1. Install ClamAV on Ubuntu Server
[email protected]:~# apt-get install clamav

Step 2: Update antivirus database
[email protected]:~# freshclam

Step 3: Scan virus on your Ubuntu Server
[email protected]:~# clamscan –recursive=yes –cross-fs=yes
/root/vpstest.sh: OK
/root/.php_history: OK
/root/.nano_history: OK
/root/.goaccessrc: OK
/root/.rnd: OK
/root/.bashrc: OK
/root/.viminfo: OK
/root/.ircmotd: Empty file
/root/.mysql_history: OK
/root/test.sh: OK
/root/.profile: OK
/root/.bash_history: OK
/root/bench.sh: OK

———– SCAN SUMMARY ———–
Known viruses: 2533901
Engine version: 0.97.8
Scanned directories: 1
Scanned files: 12
Infected files: 0
Data scanned: 0.11 MB
Data read: 0.05 MB (ratio 1.93:1)
Time: 4.765 sec (0 m 4 s)

w00tw00t.at.blackhats.romanian.anti-sec – WTF!?

One day you may find a bunch of requests in a short period of time with unusual and suspicious user agent in your Apache web server’s logs. Something like Made by ZmEu @ WhiteHat Team – http://www.whitehat.ro or ZmEu and the requests may be made from Russia or China. Search and you’ll find that ZmEu is a bot that tries to find vulnerabilities in phpMyAdmin (usually looks for phpmyadmin/scripts/setup.php file) and other web applications.

It is kind of script attack in which attacker try to find the loopholes in phpmyadmin and php with Apache and try to manipulate through URL. This is how logs looked like:

Log from nginx access.log
[email protected]:~# grep -r w00t /var/log/nginx/*
/var/log/nginx/access.log: – – [23/Jul/2013:08:34:12 +0800] “GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1” 502 383 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:30 +0800] “GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1” 502 383 “-” “ZmEu”

Another log from nginx access.log
[email protected]:~# grep -r ZmEu /var/log/nginx/*
/var/log/nginx/access.log: – – [23/Jul/2013:08:34:12 +0800] “GET /phpMyAdmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:08:34:12 +0800] “GET /pma/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:08:34:12 +0800] “GET /phpmyadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:08:34:12 +0800] “GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1” 502 383 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:08:34:12 +0800] “GET /myadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:08:34:12 +0800] “GET /MyAdmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:30 +0800] “GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1” 502 383 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:30 +0800] “GET /scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:30 +0800] “GET /admin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:30 +0800] “GET /admin/pma/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:30 +0800] “GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:31 +0800] “GET /db/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:31 +0800] “GET /dbadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:31 +0800] “GET /myadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:31 +0800] “GET /mysql/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:32 +0800] “GET /mysqladmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:32 +0800] “GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:32 +0800] “GET /phpadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:32 +0800] “GET /phpMyAdmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:33 +0800] “GET /phpmyadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:33 +0800] “GET /phpmyadmin1/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:33 +0800] “GET /phpmyadmin2/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:33 +0800] “GET /pma/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:34 +0800] “GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:34 +0800] “GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:34 +0800] “GET /web/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:34 +0800] “GET /php-my-admin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log: – – [23/Jul/2013:10:50:35 +0800] “GET /websql/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”

Dayuumm. You as*h**e run into my server with this so-called script.
You scan me server. Me block you long time. Come. Here I share with you how to mitigate this attack.

First, we install fail2ban on our server. For those who don’t know what is fail2ban, fail2ban is more advanced than DenyHosts as it extends the log monitoring to other services including SSH, Apache, Courier, FTP, and more.

Fail2ban scans log files and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc.

Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action could also be configured.

So, to install it, open up your terminal and type:
sudo apt-get install fail2ban

After that, create new file called w00tw00t.conf in /etc/fail2ban/filter.d/
nano /etc/fail2ban/filter.d/w00tw00t.conf

Put this code inside that file:
failregex = ^ .*”GET \/w00tw00t*

ignoreregex =

Edit /etc/fail2ban/jail.conf file:
nano /etc/fail2ban/jail.conf

At the last line of the file, put this code:

enabled = true
action = iptables-allports
sendmail-whois[name=SSH, dest=root, [email protected]]
filter = w00tw00t

##### set the log path ######
logpath = /var/log/nginx/access.log
maxretry = 1

###### ban for 24 hour ######
bantime = 86400

Restart fail2ban service:
/etc/init.d/fail2ban restart

Check fail2ban client status:

[email protected]:~# fail2ban-client status
|- Number of jail: 2
`- Jail list: w00tw00t-scans, ssh

credit to:

VirtualBox ‘/etc/init.d/vboxdrv setup’ issue

Have you encountered this kind of problem when using VirtualBox on Ubuntu?

Kernel driver not installed (rc=-1908)

The VirtualBox Linux kernel driver (vboxdrv) is either not loaded or there is a permission problem with /dev/vboxdrv. Please reinstall the kernel module by executing '/etc/init.d/vboxdrv setup' as root. If it is available in your distribution, you should install the DKMS package first. This package keeps track of Linux kernel changes and recompiles the vboxdrv kernel module if necessary.

If yes, here I share with you the solution.
First, install the linux headers:

sudo apt-get install linux-headers-`uname -r`

Reconfigure dkms and load module:

sudo dpkg-reconfigure virtualbox-dkms  
sudo modprobe vboxdrv

Then VirtualBox works. No computer reboot needed.

WordPress permalinks with Nginx

If you are on Apache(mod_rewrite), WordPress will automatically add the required rewrite rules to your .htaccess file for permalinks to work. Just add code generated by WordPress in .htaccess, and its done. But for nginx, you have to add the rules manually in the nginx conf file.

But the problem is when WordPress detects that mod_rewrite is not loaded (which is this case, nginx), it falls back to using PATHINFO permalinks, which inserts an extra ‘index.php’ in front. This will cause the problem for me as I want to remove the index.php from the permalinks.

Permalink Setting

So you need to edit your nginx configuration file to make the permalinks work. We will use the try_files directive to pass URLs to WordPress’s index.php for them to be internally handled.

If your blog is at the root of the domain (something like www.blog.com), find the location / block inside the configuration file, and add the following line to it.

try_files $uri $uri/ /index.php?q=$uri&$args;

Here, Nginx checks for the existence of a file at the URL ($uri), then for a directory ($uri/). If it doesn’t find a directory or a file, it performs an internal redirect to /index.php passing the URL as PATHINFO.

It should look like this after the edits :

location / {
    index index.php index.html index.htm;
    try_files $uri $uri/ /index.php?q=$uri&$args;

If your blog is in a subfolder (lets say /blog), you’ll have to add an extra location /blog/ block to your configuration file :

location /blog/ {
    try_files $uri $uri/ /blog/index.php?q=$uri&$args;

After you have finished making the changes in the configuration file, reload the nginx configuration:

nginx -s reload

The permalinks should be working fine now.

Install DenyHosts on Ubuntu 12.04

DenyHosts is a security tool written in python that monitors server access logs to prevent brute force attacks on a virtual private server. The program works by banning IP addresses that exceed a certain number of failed login attempts.

1. Install DenyHosts via apt

sudo apt-get install denyhosts

2. Whitelist you IP Addresses
After you install DenyHosts, make sure to whitelist your own IP address. Skipping this step will put you at risk of locking yourself out of your own machine.

To insert you IP, open this file:

sudo nano /etc/hosts.allow

under the description, add in any IP addresses e.g. your IP so that you will not kicked out from the server. You can write each one on a separate line, using this format:


After making any changes, be sure to restart DenyHosts so that the new settings take effect on your virtual private server:

sudo /etc/init.d/denyhosts restart

3. Configure DenyHosts (Optional)
If you want to customize the behavior of DenyHosts on your VPS, you can make the changes within the DenyHost configuration file:

sudo nano /etc/denyhosts.conf

Create subdomain on Nginx + Bind9 on Ubuntu server 12.04

1. Edit you bind & dns config
Insert this to db.domain.net

blog    IN    CNAME    domain.net.

2. Edit /etc/nginx/sites-available/default
Add this:

server {
    listen 80;
    root /usr/share/nginx/www;
    index index.php index.html index.htm;

    server_name domain.net;

server {
    listen 80;
    root /usr/share/nginx/www/blog;              <-- change this if you want
    index index.php index.html index.htm;

    server_name blog.domain.net;

3. Create new folder at /usr/share/nginx/www/blog

4. Put your file accordingly in the folder

5. Test open the URL e.g. blog.domain.net

ssh exchange identification: Connection closed by remote host

This error is caused by problems in your hosts.deny. If you installed all the recommended packages in Ubuntu, you’ll most likely have Denyhosts. If not, /etc/hosts.deny won’t exist, thus this tutorial will not apply to you.

First, ssh to your server via another IP

Open this file:

nano /etc/hosts.deny

Find your IP, and clear the line. It’ll look like:

sshd: [your ip]

You can put # symbol to comment it if you want.

Now lets save and exit out of nano, and restart SSH.

/etc/init.d/ssh restart

Done. Log out, and log back to verify.

If this problem will often repeat itself, so lets fix it so it won’t happen again.
Open this file:

nano /etc/hosts.allow

Scroll to the very bottom, and type this on a new line:

sshd: [your ip]

Save nano, and exit out. Then, restart SSH.

/etc/init.d/ssh restart

Voila, problem solved!

Ubuntu Server 12.04 xrdp error: failed to load session ‘ubuntu’

If you have install Ubuntu Server 12.04 and you install your own desktop environment, e.g: xfce, this can happen when you try to remote your server.

The solution is simple, yet tricky. There is 2 file that you need to take a look.

First: /etc/xrdp/startwm.sh
Search line:

. /etc/X11/xsession

(usually at end of the file)

Change to:


Second: ~/.xsession
If the file is not there, create new.
Put this line:

gnome-session –session-gnome-classic

Restart xrdp:

/etc/init.d/xrdp restart

Then try to connect to your server.