Tuesday, March 26, 2019

New Server For Evlan.Org

My Old Server

So, the server for evlan.org (and fateofio.org, theposse.org, etc.) has been hosted on a cheap-ass FreeBSD dedicated server in Montreal for over five years now.  I need my own machine because the web server is actually written in Evlan, my programming language.  Other than that, there's really no reason the server needs dedicated hosting -- it certainly doesn't get any significant amount of traffic.

Sometime in the last couple months, the machine stopped accepting SSH logins.  The web server was chugging along fine; I just couldn't log in.  I ignored the problem for awhile because I rarely need to log in to my server...  but it is a good idea to make a backup now and then.

Last week, though, my attention was drawn to the server when I noticed that some spammer had registered a few hundred new accounts for the sole purpose of creating spammy profiles for all of them.  WTF?  Why would a spammer take the time to write a script designed specifically to log into *my* server and create dummy profiles?  There are only two servers on the internet running this software.  You'd think it wouldn't be worth their time.  Especially given that it probably took them far longer to write the script than it took me to simply block all profile pages for user IDs over 500 -- so that profiles of original users are still visible, but all the spam users and any new users are gone.

Idiotic Support

So finally I decide that I should probably get the SSH fixed.  The conversation with tech support went something like this...
Me: My server is serving HTTP just fine but won't accept SSH -- it starts the handshake but hangs and then times out before getting to the password prompt. I tried from several different machines on different networks. Rebooting did not help.

Tech support: Did you try rebooting?

Me: ... yeah, that didn't help.

Tech support: What's your root password?

Me: ::grumble:: It's (password1).

Tech support: And the non-root user/password you log in with?

Me: ::sigh:: kentonv/(password2).

Tech support: The login you provided is not working. Is your data backed up? Maybe we should just wipe the machine.
This was obviously going nowhere.

Luckily, my Evlan server happens to feature the ability for me to log in and interactively execute Evlan code.  It doesn't provide any way to execute shell commands, but I was able to read and download all important files from my machine.

In the process, I took a look at /var/log/auth.log, where I saw this:
Jul  9 13:20:13 server013 login: 1 LOGIN FAILURE ON ttyv0
Jul  9 13:20:13 server013 login: 1 LOGIN FAILURE ON ttyv0, kentonv/(password2)
Obviously, auth.log does NOT normally contain plain-text passwords -- only usernames.  The tech guy had actually typed "kentonv/(password2)" as the *username*.
Abandon Ship

So, having rescued my data, I decided to abandon the silly Quebecois server.  Since the thing gets very little traffic anyway, I decided to just move it to my DSL.

One problem:  I didn't have a suitable server machine.  In fact, my main computer is a laptop that sleeps most of the time.  I actually quite like the fact that my electricity bill is $15/mo., not the $50/mo. it was back when I had a big power-hungry alway-on desktop.

So, I headed down to Fry's and picked up:
  • Intel Atom CPU/motherboard (D510M0) $79.99
  • 2GB PC6400 RAM $42.99
  • 30GB SSD $84.99
  • Mini-ITX case w/65W PSU $59.90
Total: $267.87
The best part about this little guy is the power supply.  It's 65W.  As in, the machine is not capable of using more than 65 watts.  That's less than a tenth of a modern gaming rig's power supply.  And the machine probably actually uses much less than 65W, given that it doesn't do video, has no peripherals attached, doesn't even have a CD drive, and uses flash storage.

I installed FreeBSD from a USB memory stick prepared using unetbootin, then set up:
  • DJB's daemontools for service management.
  • DJB's tinydns for my domains' DNS server.
  • stunnel, which takes my HTTPS traffic, decrypts it, and forwards it on to Evlan.  I originally tried using the OpenSSL library directly, but its interface was absolutely horrid.
  • Evlan, of course.
Despite the low power, the machine performs significantly better than the old one (a 5-year-old Celeron).  Overall I'm pretty impressed by how well it works.

UPDATE: Actual Real Ticket History

We begin right after the support people finally figured out how to log in...

Support:
hello,

even on root access we get permission denied why if im root?

i think ssh was disabled and need to be re-enable

thanks
Me:
What do you mean by this? What did you try to do that was denied?

SSH is not disabled -- it is still accepting connections, it just doesn't complete the handshake.
Support:
when i try some commands on root it says permission denied

now i have enable root access but its still doesn't give me a ssh box

thanks
Support (again):
and also when it reboots it gets stuck at

setting date via ntp?

do you have any idea about this?

thanks
Me:
What commands did you try?

Are you really root, or are are you still kentonv?
Support:
i was root all the time

any commande regarding ssh

thanks
Me:
Please be specific. What exact command did you type that said "permission denied"?
Support:
i don't remember i tried so many did you try to connect with PUTTY?

I can't believe I pay these people! (I'm still trying to log in just so that I can wipe the hard drive myself; I obviously don't trust them to do it.)

No comments: