How to Protect a LAMP Server Against nf_conntrack Flood Attacks

An AWS hosted website went offline at 02:00 this morning. It was running on a t2.nano Debian 9 instance. I was unable to log into the affected server, and a reboot was the only available course of action. Logging in and checking the logs afterwards revealed thousands of errors like this in the kernel log file, from 2:00 AM onward:

nf_conntrack: nf_conntrack: table full, dropping packet

The cause was a denial of service attack, coming from a couple of IP addresses seemingly in Iran. However, it was a little unusual for a couple of reasons. This article explains more about the attack vector and presents a solution to guard against future attacks. (In summary: block IP addresses, tune the kernel).

Continue reading

How to Set Local Search Provider in Android Firefox

In Android Firefox, you can perform a search by typing directly into the address bar (aka the “awesome bar“). Results are provided by the default search engine, usually google.com. That’s fine, but you might prefer the results to come from a more local source, such as google.co.uk, or a completely different provider, such as bing.com.

Use the following procedure to change the default search engine in Android Firefox. “Awesome bar” searches will then be performed by your provider of choice.

Continue reading

Fixing a Corrupted Apache Log File

The Apache access.log file is a good place to look for evidence of hacking activity. Code injections, brute force attacks and excessive crawling all show up in there, along with legitimate hits. While searching recently, I was surprised to see that Linux had started to regard the file as binary data:

$ grep something access.log
Binary file access.log matches
Continue reading

How to Convert a Website from HTTP to HTTPS

An http website is not encrypted. That is to say, the data comprising the site is not encrypted as it flows from the web server to the device (pc, phone, tablet) on which the user is viewing the page. Anyone able to “listen in” on the network could read that data, which is a security risk. An https web site is different. Data is encrypted. The web server encrypts each web page before transmission, and the user’s browser decrypts it, providing end-to-end protection from eavesdropping.

This article explains how to convert an existing basic website to https by obtaining a free digital certificate from Let’s Encrypt. It is based on a Raspberry Pi running the “Apache” web server, but will also work on other Linux systems. It is intended for home users and people running small-scale web sites, and as a learning aid. Continue reading

Ansible: Match Special Characters Without Escaping

Ansible provides a rich pattern matching ability. Modules like lineinfile can match strings based on regular expressions. Similar expressions are used in Python, Perl and older tools such as egrep, grep, sed and awk.

When attempting to match a string containing awkward characters, an escape mechanism can be used. For example, the dollar character ($) has a special meaning within in a regular expression, being the match for end-of-line. So to match a literal dollar, an escape character, usually a backslash (\), is needed. For example, the regular expression “\$1.65” will successfully match $1.65, without treating $ as end of line.

When processing a string that contains many special characters, the escape syntax can become onerous. One solution is to just “blanket” match the special character, rather than trying to match it precisely. In other words: just use a dot. Continue reading

Set Up Your Own Link Shortening Service with a Raspberry Pi

“Link shortening” happens when a short URL, such as http://bit.ly/2bo3XYY, points to the same web page as a longer link, such as https://en.wikipedia.org/wiki/BBC.  Short links are often used where there are a limited number of characters available, such as an SMS text or a Twitter post.  Short links are also quicker to type and neater than the associated full length links.

Two of the main providers of short links are Bitly and Google (Goo.gl).  For example, I used Bitly to create the short link in the above paragraph.  However, if you have a Raspberry Pi (or any kind of Linux server), you don’t need to use a provider.  You can create your own short links.  This article explains how. Continue reading

Using a Domain Name with a Raspberry Pi Web Server

The Raspberry Pi’s low power consumption makes it well suited to the role of always-on web server. This post describes how to use a domain name with your Pi-based web site. Setting up a web site on the Pi is very easy and was explained in an earlier post of mine, just here.

This article explains how to set up a domain name with your web site, so that you can surf to http://your.domain.name instead of http://your.ip.address. It assumes that you have already have an Apache web site running. If not, please read the above post, before coming back here. Continue reading

Simple Nextcloud Installation on Raspberry Pi

This article explains how to install Nextcloud on the Raspberry Pi. It has been tested with the latest version of Nextcloud (16.0.3 at the time of writing), but should work for future versions too.  It has also been tested on the latest Pi hardware, the Raspberry Pi 4, and on earlier Pi versions. Nextcloud is an open source software package providing remote file sharing services, similar to Dropbox. But with Nextcloud, you retain ownership, security and control of the shared data. Nextcloud works well on a Pi 2, Pi 3 and especially a Pi 4 but will run very slowly on a Pi 1.

Note: This is a manual, step-by-step procedure. If you would rather do the installation automatically, please see my recent article Automatic Nextcloud Installation on Raspberry Pi, which explains how to install Nextcloud with 3 commands. It is the quickest and easiest way to get Nextcloud running. Both procedures achieve the same overall result, however.
Continue reading

Simple Picture Gallery on Raspberry Pi

The Raspberry Pi is a small Linux computer designed to help children learn programming. Being a full Linux System, it can also be used as a server or as the basis for various projects. The Pi’s low power consumption makes it particularly suited to the role of always-on web server.

This post describes how to create a simple photo gallery on the Pi, which can be shared over the internet with or without password protection. While not as polished as Flickr, Smugmug or similar services, it allows you to retain ownetship, control and security of the shared images. Continue reading