do-release-upgrade killed my server!

It has been only within the last couple of days the website has been back online. For better or for worse, in October I decided to do a backup and hit the do-release-upgrade button on the box. It didn’t go well.

Nowadays with security holes being flagged left, right and centre, being a great advocate of keeping the software updated, I took a stab. Funnily enough, the system decided to use ‘sleight of hand’, turned my arm and drove the knife back into me. 100% damage. 1 hit. Didn’t really see that coming.

More annoyingly, my resurrect potion had no effect because the backup was totally rubbish. (I really must play about with backups more…).

Anyway after a nice system admin reset my box, the painstaking task of preparing, installing and configuring started again. But this time, with some interesting revelations! I decided to ditch loads of software thus making this new build a bit more economic.

Let’s see, a massive ditch of vsftpd! This has always been a pain in the arse to configure and set up correctly, especially when it comes to permissions. I now use SFTP which is not only a bit less fiddly, but it also allows me to close about 25 ports and relieves F2B of having to monitor the auth logs. Sorted!

I have also come to the conclusion that I may have to understand openvpn a bit more; I decided to ditch openvpn-as because of a few reasons. Mainly because of the juggling needed to effectively secure the web admin interface. It wasn’t worth broadcasting on the internet for just an initial connection setup of 2 devices.
I tried having the pages on a different port which I would manually open/close when needed, also tried .passwd in .htaccess but that could be circumvented.

Lastly I decided to remove the training wheels, that is, phpmyadmin. Just like the openvpn-as UI issue, this is the same difference. I really do love phpmyadmin to bits but unless you’re hosting sites for friends / family etc, it’s not worth having such a security risk left public.

Lastly, WordPress. I decided that for compatibility, Google ReCaptcha must go. However, I have replaced it with Akismet and a fail2ban plugin to hopefully cover my ass. I will be looking at this more closely.

So all in all, it wasn’t such a bad ordeal in the end but it has taken me some time to rethink the situation. I have a few things to check off my list before I can happily say that recovery time is at a low, but at least for now this build is running really well!

Securing Openvpn Access Server; frontend

Hiding the openvpn-as web interface from the internet was a logical step for security. This is a quick guide about securing openvpn-as webpages in Ubuntu if you tend to use the front-end infrequently.

In Terminal, navigate to your installed openvpn-as directory:
(might be different, depending on how it was installed)

cd /usr/local/openvpn_as/etc

Next we need to edit the as.conf file… I recommend making a backup just in case!