Hello Guys,

We just installed the TurnKey LAMP stack on Amazon EC2 hosting. All is running well at the moment, except that sometimes MySQL just shuts down.

I checked the server: the MySQL server should be started on boot/reboot.

I searched on it; some say there is a memory limit issue, but we're just new and have plenty of memory to spare.

I found out that the root access is being attacked, so I need to change it.

But when I try changing the root access, I cannot access Webmin anymore using the new username.

I need help on this, guys.

Thanks

OnePressTech:

If your site is under attack and your Apache is getting loaded, the OOM killer process will kill your MySQL. You can search the TKL site for discussions of this issue. The solution is to adjust the configuration so Apache can't chew up all your RAM.

To protect Root, first set your firewall to block all port 22, 12320-12322 access other than from your IP address. That should block the current attack. You then have two choices: 1) switch off Root password login and enable cert access and leave ROOT active, or 2) create an alternate user with ROOT permissions and disable ROOT login. The former approach has the fewest side-effects, but ROOT is still easily attacked. The latter option makes it virtually impossible to attack the new "root", especially if you use a long random account name, but the new account does not gain all ROOT privileges. You will need to "su" into root via a terminal to complete certain actions. SFTP tools become useless since they can't execute a post-su root login; they can view but not alter files on the file system. You would need to use the WebMin File Manager to manipulate files.

Webmin login...before you change ROOT access you first need to create an alternate user with ROOT capabilities, then log in to Webmin as ROOT and add that new user to Webmin and make it the new primary Webmin account. You would also need to do this for Postfix and MySQL. Recommendation...leave ROOT alone and disable password login and enable cert login.


Cheers,

Tim (Managing Director - OnePressTech)
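The OOM-killer mechanism Tim describes leaves a trace in the kernel log, and the fix he names (capping Apache so it cannot take all the RAM) comes down to one prefork setting. The script below is an added example, not code from the thread or from TurnKey: it counts OOM kills in a kernel log (the sample log lines are constructed), optionally only those that hit `mysqld`, and estimates a `MaxRequestWorkers` ceiling from assumed RAM figures (1024 MB total, 400 MB reserved for MySQL and the OS, 40 MB per Apache child; measure your own with the `ps` one-liner in the comments).

```shell
#!/bin/sh
# Added example, not code from the thread or from TurnKey. Two helpers for the
# OOM-killer situation described above: one counts "Out of memory" kills in a
# kernel log (optionally only those that hit a given process), the other
# estimates a MaxRequestWorkers ceiling for Apache's prefork MPM so Apache
# cannot grow past the RAM left after MySQL and the OS take their share.

# Constructed sample of kernel log lines (the shape `dmesg` prints when the
# OOM killer fires); not a capture from the poster's server.
SAMPLE_DMESG='[12345.678] apache2 invoked oom-killer: gfp_mask=0x201da, order=0, oom_score_adj=0
[12345.690] Out of memory: Kill process 1234 (mysqld) score 512 or sacrifice child
[12345.691] Killed process 1234 (mysqld) total-vm:1234567kB, anon-rss:654321kB, file-rss:0kB
[12400.100] Out of memory: Kill process 2345 (apache2) score 120 or sacrifice child'

# count_oom_kills LOGTEXT [PROCESS]
# Prints how many OOM kill events the log holds; with PROCESS, only the kills
# of that process name. Matches both the older "Kill process" and the newer
# "Killed process" kernel wording. "|| true" keeps a zero count from being an
# error exit (grep -c exits 1 when nothing matches).
count_oom_kills() {
    _log=$1
    _proc=${2:-}
    if [ -n "$_proc" ]; then
        printf '%s\n' "$_log" | grep -Ec "Out of memory: Kill(ed)? process [0-9]+ \($_proc\)" || true
    else
        printf '%s\n' "$_log" | grep -Ec "Out of memory: Kill(ed)? process" || true
    fi
}

# max_request_workers TOTAL_RAM_MB RESERVED_MB PER_CHILD_MB
# Integer estimate of how many Apache children fit once RESERVED_MB (MySQL,
# the OS, page cache) is set aside; 0 if nothing is left. Measure PER_CHILD_MB
# on the live box with:
#   ps -o rss= -C apache2 | awk '{s+=$1; n++} END {print int(s/n/1024)}'
max_request_workers() {
    _free=$(( $1 - $2 ))
    [ "$_free" -gt 0 ] || { echo 0; return; }
    echo $(( $_free / $3 ))
}

# prefork_snippet N -> Apache 2.4 mpm_prefork settings to put in the MPM config
prefork_snippet() {
    printf '<IfModule mpm_prefork_module>\n'
    printf '    MaxRequestWorkers %s\n' "$1"
    printf '    ServerLimit %s\n' "$1"
    printf '</IfModule>\n'
}

# Demo on the constructed data (safe to run anywhere):
echo "OOM kills in sample: $(count_oom_kills "$SAMPLE_DMESG")"
echo "  of which mysqld:   $(count_oom_kills "$SAMPLE_DMESG" mysqld)"
# Assumed sizing for a small instance: 1024 MB RAM, 400 MB reserved, 40 MB per child
prefork_snippet "$(max_request_workers 1024 400 40)"
# On the live server, feed the real log instead:  count_oom_kills "$(dmesg)" mysqld
```

A non-zero `mysqld` count confirms Tim's diagnosis before you touch any config. On Apache 2.2 the directive is `MaxClients` rather than `MaxRequestWorkers`; the arithmetic is the same.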

Hi Tim,

First I want to thank you for your response and I will take a look into it.

Second, now I cannot load Webmin using <my.ip>:12321, but I can load the pages at <my.ip>:12320 and :12322.

So if I cannot access webmin, how can I do the fix?

Thanks,

Arthur

Arthur

Webneeds Senior Developer

OnePressTech:

Depending on how hard it would be to start over, that is what I would recommend as the first option. The beauty of Virtual Appliances is...you can start over.

If for some reason you do not want to start over, I would re-enable the ROOT account and go from there.

Hope that helps.

Cheers,

Tim (Managing Director - OnePressTech)

At the moment, the root access is not disabled.

And Webmin is not loading.

When I try to load the Webmin login page it says this:

http://prntscr.com/6xuqb9

BTW: This is hosted on Amazon EC2.

Arthur

Webneeds Senior Developer

OnePressTech:

You said that you have a LAMP stack installed on EC2. How much configuration time have you invested in it? The simplest solution is to just launch a new LAMP appliance. Is that an option?

Cheers,

Tim (Managing Director - OnePressTech)

We can do that if there will be no additional cost. Does launching a new LAMP mean paying for a new instance?

Arthur

Webneeds Senior Developer

OnePressTech:

Stop the current instance. Launch a new instance. Once it's running terminate the old stopped instance. You only pay for running instances and you pay for the EBS disk by the GB-month. You can even re-use the previous elastic IP if you want. NOTE: You pay for unattached elastic IP addresses so attach them or release them.

There have been a number of times I have launched an instance, had issues with a custom configuration and started over. Sometimes it's faster than trying to debug an issue or back out a configuration change that doesn't go as planned.

Cheers,

Tim (Managing Director - OnePressTech)

How do I install TurnKey with the new instance?

Can I also retain the DNS I've set for the domains (subfoldered) on the instance?

Arthur

Webneeds Senior Developer

OnePressTech:

I am not sure what your first question means...you already installed a TKLX LAMP appliance on AWS. Just do it again.

Regarding DNS...if you used an elastic IP address you can attach it to the new instance.

Cheers,

Tim (Managing Director - OnePressTech)

Jeremy Davis:

Now would be a good time to do it, because, assuming that you used your domain host to configure your DNS (and not HubDNS/Amazon Route 53), if you haven't used an elastic IP it will come back to bite you (when your instance IP changes).

Okay, I get it: create a new instance, attach the LAMP stack security to it, then install TurnKey.

The question still remains: how do I change the root username (or disable root access and create new root access) without affecting the new Webmin username and password?

Since SSH access is the root access and Webmin access is also the root access, when I changed the SSH username to a new username, I cannot access Webmin with the new username.

Arthur

Webneeds Senior Developer

OnePressTech:

It is not clear from your emails how technical you are. Changing the root account is a non-trivial exercise with some non-obvious side-effects (i.e., a non-root account with ROOT privileges does NOT have the same power as the ROOT account).

My recommendation is to set your firewall to restrict access to your ports 22, 12320-12322 to your IP address and use a 64 character random password for the ROOT account. This is the simplest non-technical protection for the ROOT account. Other options have technical risk.

Cheers,

Tim (Managing Director - OnePressTech)
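Tim's recommendation here (and in his first reply) is concrete enough to script: allow ports 22 and 12320-12322 only from one trusted address, and set a 64-character random root password. The script below is an added example, not code from the thread or from TurnKey. It prints the host-firewall (`iptables`) and EC2 security-group (`aws ec2 authorize-security-group-ingress`) commands rather than running them, so the output can be reviewed first; `203.0.113.10/32` is a documentation address standing in for your admin IP, `sg-PLACEHOLDER` is a placeholder for your security group id, and the port-to-service mapping other than Webmin on 12321 (which the thread states) is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread or from TurnKey. Implements the two
# protections recommended above: admin ports reachable only from one trusted
# address, and a 64-character random root password. The functions print the
# commands rather than applying them, so the output can be reviewed first.

# Admin ports as given in the thread: 22 (SSH) and 12320-12322 (Webmin is
# 12321 per the thread; the other two are assumed to be the web shell and
# phpMyAdmin). Adjust if your appliance differs.
ADMIN_PORTS="22 12320 12321 12322"

# iptables_admin_rules TRUSTED_CIDR
# Host firewall rules: accept each admin port from TRUSTED_CIDR, drop it from
# anywhere else. The ACCEPT must precede the DROP for the same port, and
# both are appended, so an earlier blanket ACCEPT in INPUT would win; check
# with `iptables -L INPUT -n --line-numbers` before trusting the result.
iptables_admin_rules() {
    _src=$1
    for _p in $ADMIN_PORTS; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$_p" "$_src"
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$_p"
    done
}

# sg_admin_rules SECURITY_GROUP_ID TRUSTED_CIDR
# The EC2 equivalent: security groups deny by default, so only allow rules
# are needed (remove any existing 0.0.0.0/0 rule for these ports separately).
sg_admin_rules() {
    _sg=$1; _src=$2
    for _p in $ADMIN_PORTS; do
        printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port %s --cidr %s\n' "$_sg" "$_p" "$_src"
    done
}

# random_password LENGTH -> LENGTH printable characters from /dev/urandom,
# no spaces or quotes so it pastes cleanly into `passwd`.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_=+-' < /dev/urandom | head -c "$1"
    echo
}

# Demo with an RFC 5737 documentation address and a placeholder group id:
iptables_admin_rules 203.0.113.10/32
sg_admin_rules sg-PLACEHOLDER 203.0.113.10/32
echo "new root password: $(random_password 64)"
```

One caveat a practitioner will want: if the trusted address is a home or office connection with a dynamic IP, these rules lock you out the day it changes. On EC2 that is recoverable from the console by editing the security group; with host-level `iptables` it is not, so apply the security-group version first and keep the host rules as a second layer.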

BTW, I already have an elastic IP for the current instance so that we will always have a static IP, since the created instance's IP, I think, is dynamic, so I had to do this already. So I understand that when I create the new instance, wget all the content from the current instance, install everything, and point the elastic IP to the new instance, everything will be okay (browse-wise) since the DNS is pointed to the elastic IP, correct?

Arthur

Webneeds Senior Developer

OnePressTech:

You are correct. An elastic IP address once allocated to you will persist. You can attach it and detach it from any running instance.

Note that the elastic IP will disassociate from an instance when it is stopped and will need to be manually re-associated when the instance is restarted if you use the default EC2-classic VPC to contain your instances. If you want auto-association of elastic IP addresses you need to use an EC2-VPC to contain your instances and bind the elastic IP address to the VPC rather than the instance. If you do this, the elastic IP will automatically be re-associated with the instance if it is stopped and restarted.

Cheers,

Tim (Managing Director - OnePressTech)

I am really a server guy, I am a developer, and most of the time there are server guys who handle this work. But for this project, it's me.

:(

Arthur

Webneeds Senior Developer

OnePressTech:

I suspected you were new to the server configuration side of the business :-)

There is a lot to properly securing a server...redirecting access logs to remote server, long random account names & passwords, 2-factor authentication, certificates, brute force protection on login, intrusion detection, application-level firewalling, VPNs / tunnels are some of the techniques. You will just need to tackle these one at a time and improve your security incrementally.

For now, if you use your firewall to restrict access to your admin ports and use a 64 character random password for the root account you should be OK. If your application includes sensitive data you will need to put more extensive security in place up front. You don't need Fort Knox security if there is only 1 cent in the bank...your security can be proportional to the impact of a security breach and the interest someone might have in trying to breach your site. Political, health, and finance sites need high security...a personal blog can probably get by with basic sensible security.

Cheers,

Tim (Managing Director - OnePressTech)

Is there a reason why I cannot access the Webmin port on my current instance?

I can access SSH as root.

I can access the phpMyAdmin port.

Just not the Webmin port.

Arthur

Webneeds Senior Developer

OnePressTech:

Please outline the exact steps you are taking. Launching a TKLX LAMP stack on AWS should just work.

Cheers,

Tim (Managing Director - OnePressTech)

I haven't created the new instance yet. I just want to know the possible reasons why I cannot access it on the current instance, so that it will not happen again on the new instance that I will create.

Arthur

Webneeds Senior Developer

OnePressTech:

Hi Arthur,

Sometimes you just have to admit defeat and move on. Forget the old world of debugging everything. In the new disposable computing world if it's broken throw it away and start again with a new one (where commercially sensible to do so of course). This is one of those times.

Create a new instance. Determine your security level required. If you only require basic security then restrict port access on your firewall, set a long random password and improve security incrementally.

Get the appliance running then take a snapshot before making any further refinements so you can restore the snapshot if things don't work out. Improve your appliance security incrementally.

Cheers,

Tim (Managing Director - OnePressTech)

simon:

For the record...

When you change the root username, in order to log in again to Webmin you have to modify:

- /etc/webmin/miniserv.users

- /etc/webmin/webmin.acl

Change your old root username to the new one.
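This is the missing piece from the original question: the SSH (Unix) account was renamed, but Webmin authenticates against the username recorded in the two files simon names, so the old name stayed there. The script below is an added example, not code from the thread or from Webmin. It performs the rename on a scratch copy first (the file contents are constructed to resemble the real layout, which varies by Webmin version; the Unix user `siteadmin` is an assumed new name) and keeps a `.bak` of each file so the change can be reverted.

```shell
#!/bin/sh
# Added example, not code from the thread or from Webmin. Performs the rename
# described above on the two files named, working on a scratch copy so it
# can be tried before touching /etc/webmin. The file contents are constructed
# to resemble the real format: miniserv.users has one "user:password[:...]"
# record per line ('x' means "check the Unix password"), and webmin.acl has
# "user: module module ..." lines. Field layout varies by Webmin version.

# make_demo_dir -> prints the path of a temp dir holding constructed copies
make_demo_dir() {
    _d=$(mktemp -d)
    printf 'root:x:0\nbackupop:x:0\n' > "$_d/miniserv.users"
    printf 'root: acl backup-config change-user cron mysql proc useradmin webmin\nbackupop: backup-config\n' > "$_d/webmin.acl"
    echo "$_d"
}

# rename_webmin_user DIR OLD NEW
# Rewrites the record whose username field is exactly OLD in both files,
# keeping a .bak of each. OLD is used in a sed pattern, so keep it to plain
# letters and digits (no regex metacharacters).
rename_webmin_user() {
    _dir=$1; _old=$2; _new=$3
    for _f in miniserv.users webmin.acl; do
        _path="$_dir/$_f"
        [ -f "$_path" ] || { echo "missing $_path" >&2; return 1; }
        cp "$_path" "$_path.bak"
        # anchored at line start and terminated by ':' so "root" never matches "rootbackup"
        sed "s/^$_old:/$_new:/" "$_path.bak" > "$_path" || return 1
    done
}

# Demo on the scratch copy (assumed new name: siteadmin):
demo=$(make_demo_dir)
rename_webmin_user "$demo" root siteadmin
cat "$demo/miniserv.users" "$demo/webmin.acl"
rm -rf "$demo"
# For the real files: rename_webmin_user /etc/webmin root siteadmin
```

Because the password field is `x`, Webmin will check the new name against the Unix account, so the Unix user must already exist (which it does in Arthur's case, since SSH login with it works). Restart Webmin afterwards so miniserv rereads the files, and check that no other line in `webmin.acl` still grants modules to the old name.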
