How to protect an nginx server from flooding

Add the following lines to the “http” section of nginx.conf:

limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;

And add the following lines to the “server” section (wherever it is placed):

limit_conn conn_limit_per_ip 10;
limit_req zone=req_limit_per_ip burst=10 nodelay;

Adjust the values as you need, according to the documentation:
http://nginx.org/en/docs/http/ngx_http_limit_req_module.html


How to fix Chromium forgetting cookies after a restart

Warning: this post contains hatred.

I updated Chromium the other day. You know... some sites don’t want to show very useful content like videos of raccoons when you’re using an old browser. Even if your browser was updated two months ago. So I did it. I updated Chromium, and do you know what I got? Nothing bad. It kept on working. But only for a while. Did I already say that I hate flarking updates? After a week or two I closed the browser and opened it again. And it demanded attention. No, it didn’t freeze up. And it didn’t want a hug. It forgot all its cookies!

As a matter of fact, there is no need to dig deeper than it may seem to find a solution. The solution was on the surface.

I don’t know why, but after the flarking update Chromium decided to change my privacy settings (and maybe some other options too). In this specific case: how the browser handles keeping cookies across a restart.

So all you need to do is disable the option “Keep local data only until you quit your browser” in the Cookies settings, which you can find at

chrome://settings/content/cookies

Setting up a Linux firewall to make a web server safer

A server running on a network with every port open doesn’t sound very safe. Let’s protect it using the netfilter firewall that ships with Linux. Netfilter, in turn, is managed with the iptables utility. So iptables is what we need.

Warning: if you don’t have physical access to the real server (you work with it remotely, e.g. over SSH), first find someone (e.g. a support guy at your hosting provider) who can restore your SSH access or otherwise help if you accidentally, suddenly or not on purpose lock yourself out.

So, iptables. I should warn you that iptables doesn’t save its own settings: after a server restart, the iptables settings are restored to the defaults. Therefore you can use the iptables-persistent package, which saves the iptables settings when you ask it to. Let’s install it:

sudo apt install iptables-persistent

The setup program will ask whether you want to save the present rules. Why not? Of course you want to save the present rules, because you will change them in the next steps. Later on you can save your rules at any time with the following command:

sudo dpkg-reconfigure iptables-persistent

The next thing you should know is that netfilter processes rules in reverse order: if a packet is blocked by some rule, it won’t reach the rules above it.

Enter every iptables command into the console. I added a comment to every command so you know what it does.

sudo -i # Work with root privileges
iptables -L -n # Show the list of current rules in the system
iptables -F # Delete all current rules
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # Block null packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP # Drop XMAS packets
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP # Protect from SYN flood
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT # Don't forget to allow SSH access for yourself (change port 22 if your SSH runs on another port)
iptables -A INPUT -i lo -j ACCEPT # Allow access on the loopback interface. It is necessary for the database, mail, etc.
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # Allow port 80 for access to sites over HTTP
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # Allow port 443 for access to sites over HTTPS (if you have it)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT # Allow pinging our server (if you block it, external services will think our server is down)
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Necessary for server updates (replies to connections the server opened itself)
iptables -P OUTPUT ACCEPT # Allow outgoing traffic from our server
iptables -P INPUT DROP # Close the remaining ports
iptables -L -n # Check the rules you set

Now exit the SSH session and log in again. Does it work? Now check that the sites on ports 80 or 443 work. Also check a disallowed port, e.g. 2525:

telnet your_server_IP 2525

Warning: if you get “Connected”, something is wrong.

If all is good, save your rules:

sudo dpkg-reconfigure iptables-persistent

How to find the IPs with the highest request counts in access.log

The first command shows IPs sorted by address, each with its number of requests:

awk '{print $1}' access.log | sort | uniq -c

This lets you spot IP ranges with a high count of requests:

...
    158 217.115.65.19
    152 217.115.92.114
   3236 217.118.64.107
   8631 217.118.64.115
    640 217.118.64.119
   5122 217.118.64.124
    980 217.118.64.14
     37 217.218.94.2
     41 217.218.164.34
...

The next command shows IPs sorted by count of requests:

cut -d' ' -f1 access.log | sort | uniq -c | sort -bg

For example:

...
   3818 178.207.194.252
   4090 89.169.172.165
   4732 60.47.208.104
   6500 82.146.33.201
   6698 31.200.239.18
   9934 141.8.132.20
  18032 141.8.142.126
...

How to fix JavaScript broken by Tidy

Almost every time I update something, I get angry! In the newest versions of Tidy (newest: 2015, lol) I ran into the disappointing problem that JavaScript code stopped working, because Tidy converts the JavaScript in the page, e.g.:

<script>
    script.onload = () => resolve(script);
</script>

To:

<script>
    <![CDATA[
            script.onload = () => resolve(script);
    ]]>
</script>

Instead of (in early versions):

<script>
    // <![CDATA[
            script.onload = () => resolve(script);
    // ]]>
</script>

If you have the same problem, don’t worry. Most likely Tidy now tidies code to XML or XHTML format by default. The solution I found for this problem is to use the “output-html” option:

$code = $tidy->repairString($code, [
    ...
    'output-html' => 1,
], 'utf8');

How to fix Munin not zooming/showing graphs by day

For nginx:

sudo apt-get install spawn-fcgi libcgi-fast-perl libapache2-mod-fcgid
sudo spawn-fcgi -s /var/run/munin/fcgi-graph.sock -U www-data -u www-data -g www-data /usr/lib/munin/cgi/munin-cgi-graph

For Apache2:

sudo apt-get install libapache2-mod-fcgid
sudo a2enmod fcgid
sudo service apache2 restart

How to get a list of all user agents from access.log, ordered by how often they appear

awk -F\" '{print $6}' access.log | sort | uniq -c | sort -bg

Example output:

...
  46547 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
  89768 API/1.0 (+Legacy)
 104304 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
 133439 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
 149988 Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
 400785 Bad Bot
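The same two reports as the awk/cut pipelines in this post and in the access.log IP post above (requests per client IP and requests per user agent), as an added Python example rather than the post's own commands. It parses nginx's default “combined” log format: field $1 is the client address and the user agent is the third quoted field, which is what awk -F\" '{print $6}' picks out. The log lines are constructed, not real traffic.

```python
# Added example (not from the post): count requests per client IP and per user
# agent from nginx's "combined" log format, the way the sort | uniq -c | sort -bg
# pipelines do. nginx escapes a literal quote inside a field as \x22, so a
# quoted field never contains a raw double quote and [^"]* is a safe match.
import re
from collections import Counter

# Constructed sample lines (not real traffic); the last one is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/76.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /a HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/76.0"
198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "GET /b HTTP/1.1" 404 0 "-" "Bad Bot"
198.51.100.9 - - [10/Oct/2023:13:55:39 +0000] "GET /b HTTP/1.1" 404 0 "-" "Bad Bot"
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /b HTTP/1.1" 404 0 "-" "Bad Bot"
192.0.2.77 - - [10/Oct/2023:13:55:41 +0000] "GET /robots.txt HTTP/1.1" 200 30 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
this line is not in combined format
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def parse(lines):
    """Yield one dict per well-formed line; lines that don't match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def count_by(lines, field):
    """Like `... | sort | uniq -c | sort -bg`: (count, value) pairs, ascending."""
    counts = Counter(rec[field] for rec in parse(lines))
    return sorted((n, v) for v, n in counts.items())

def hot_values(lines, field, min_count):
    """Values of `field` ('ip' or 'agent') with at least min_count requests."""
    return [v for n, v in count_by(lines, field) if n >= min_count]

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for n, ip in count_by(lines, "ip"):
        print(f"{n:8d} {ip}")
    for n, agent in count_by(lines, "agent"):
        print(f"{n:8d} {agent}")
    print("noisy clients:", hot_values(lines, "ip", 3))
```

On a real log, pass `open("access.log")` as `lines`; lines in a custom log_format will simply be skipped by the regex.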