Category: Uncategorized

  • How to Change Document Root for a cPanel Main Domain

    By default, cPanel sets the main domain’s document root to public_html. However, sometimes you need to point it to a different directory — for example, a Laravel application that requires the public folder as the document root.

    cPanel does not allow changing the document root of the primary domain. Only subdomains and addon domains can have their document root changed.

    If you have WHM or SSH root access, you can change it by editing these files:

    vi /var/cpanel/userdata/CPANEL_USER/DOMAIN_NAME
    vi /var/cpanel/userdata/CPANEL_USER/DOMAIN_NAME_SSL

    Look for the documentroot: line and change it to your desired path.

    Delete the .cache versions so cPanel doesn’t reuse old values.

    rm /var/cpanel/userdata/CPANEL_USER/DOMAIN_NAME.cache
    rm /var/cpanel/userdata/CPANEL_USER/DOMAIN_NAME_SSL.cache

    Rebuild cPanel & Apache Config

    /scripts/updateuserdatacache
    /scripts/rebuildhttpdconf

    Restart Apache

    systemctl restart httpd

    Now the website will work with the new document root directory.

  • Ubuntu Remote VNC Server Setup with XFCE

    Install requirements

    sudo apt update && sudo apt upgrade -y
    sudo apt install xfce4 xfce4-goodies dbus-x11 -y
    sudo apt install tigervnc-standalone-server tigervnc-common -y

    Create a user for desktop use. For this example, I will use the username “user1”.

    useradd -m -s /bin/bash user1
    usermod -aG sudo user1
    passwd user1

    Switch to the user

    su - user1

    Start vncserver

    vncserver :1 -geometry 1920x1080 -depth 24 -localhost no

    Stop vncserver

    vncserver -kill :1

    Create the VNC startup script and make it executable

    mkdir -p ~/.vnc
    touch ~/.vnc/xstartup && chmod +x ~/.vnc/xstartup
    vi ~/.vnc/xstartup

    Add

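    #!/bin/bash
    # Load X resources only if the file exists
    [ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
    export XDG_SESSION_TYPE=x11
    export DISPLAY=:1
    # Run vncconfig in the background without opening its window
    vncconfig -nowin &
    # Start the XFCE session with its own D-Bus session bus
    exec dbus-launch --exit-with-session startxfce4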

    Save and exit.

    Create a service file

    sudo vi /etc/systemd/system/vncserver@.service

    Add

    [Unit]
    Description=TigerVNC server
    After=syslog.target network.target
    
    [Service]
    Type=simple
    User=user1
    WorkingDirectory=/home/user1
    Environment=HOME=/home/user1
    Environment=DISPLAY=:%i
    Environment=XAUTHORITY=/home/user1/.Xauthority
    
    ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill :%i > /dev/null 2>&1 || true'
    ExecStart=/usr/bin/vncserver :%i -geometry 1920x1080 -depth 24 -localhost no -fg
    ExecStop=/usr/bin/vncserver -kill :%i
    
    Restart=on-failure
    RestartSec=5
    
    [Install]
    WantedBy=multi-user.target

    Enable and start vncserver

    sudo systemctl daemon-reload
    sudo systemctl enable vncserver@1.service
    sudo systemctl start vncserver@1.service

    You can now restart the server; you will be able to connect to the VNC server at your-server-ip:1

    VNC uses a simple password. To avoid brute-force attacks, protect VNC with a firewall that only allows whitelisted IPs to connect to port 5901, or use an SSH tunnel to connect to the VNC server.
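
    As an added example (not part of the original post), the check below reads `ss -Hltn` output and reports every VNC port (5900-5999) bound to a non-loopback address, which is what `-localhost no` produces. The function names and the sample lines are constructed for this example; the SSH tunnel command is shown in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): audit VNC listeners.
# A VNC display :N listens on TCP port 5900+N, so display :1 is port 5901.
# Real use on the server:   ss -Hltn | vnc_exposed_listeners
# Tunnel from a client:     ssh -L 5901:127.0.0.1:5901 user1@your-server-ip
#                           then point the VNC viewer at localhost:1

# Read `ss -Hltn` lines on stdin; print each VNC listener (ports 5900-5999)
# that is bound to something other than loopback.
vnc_exposed_listeners() {
    awk '{
        local_addr = $4                       # e.g. 0.0.0.0:5901 or [::1]:5901
        n = split(local_addr, parts, ":")
        port_str = parts[n]
        port = port_str + 0
        addr = substr(local_addr, 1, length(local_addr) - length(port_str) - 1)
        if (port < 5900 || port > 5999) next  # not a VNC display port
        if (addr ~ /^127\./ || addr == "[::1]") next
        print local_addr
    }'
}

# Succeed only when no VNC listener is reachable from other hosts.
vnc_loopback_only() {
    [ -z "$(vnc_exposed_listeners)" ]
}

# Constructed sample of `ss -Hltn` output: display :1 started with
# "-localhost no", plus a second display (:2) bound to loopback.
sample_ss_output() {
    printf '%s\n' \
        'LISTEN 0 128   0.0.0.0:22     0.0.0.0:*' \
        'LISTEN 0 5     0.0.0.0:5901   0.0.0.0:*' \
        'LISTEN 0 5        [::]:5901      [::]:*' \
        'LISTEN 0 5   127.0.0.1:5902   0.0.0.0:*'
}

if sample_ss_output | vnc_loopback_only; then
    echo "VNC is loopback-only"
else
    echo "VNC reachable from the network on:"
    sample_ss_output | vnc_exposed_listeners
fi
```

    When the check reports a listener, either restrict port 5901 in the firewall or bind the server to loopback and connect through the tunnel.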

    Stop Ubuntu VNC Server From Suspending

    Disable systemd sleep

    sudo mkdir -p /etc/systemd/sleep.conf.d
    sudo tee /etc/systemd/sleep.conf.d/nosuspend.conf << 'EOF'
    [Sleep]
    AllowSuspend=no
    AllowHibernation=no
    AllowSuspendThenHibernate=no
    AllowHybridSleep=no
    EOF

    Disable logind suspend actions

    sudo mkdir -p /etc/systemd/logind.conf.d
    sudo tee /etc/systemd/logind.conf.d/nosuspend.conf << 'EOF'
    [Login]
    HandlePowerKey=ignore
    HandlePowerKeyLongPress=ignore
    HandleSuspendKey=ignore
    HandleSuspendKeyLongPress=ignore
    HandleHibernateKey=ignore
    HandleHibernateKeyLongPress=ignore
    HandleLidSwitch=ignore
    HandleLidSwitchExternalPower=ignore
    HandleLidSwitchDocked=ignore
    IdleAction=ignore
    EOF

    Mask sleep targets

    sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target

    Restart logind

    sudo systemctl restart systemd-logind

    Reboot the server

    sudo reboot

  • DeepSeek-TUI

    DeepSeek-TUI is an open-source command-line coding assistant written in Rust.

    https://github.com/Hmbown/DeepSeek-TUI

    To install the latest release on Ubuntu, run

    npm install -g deepseek-tui

    To run with NVIDIA NIM, use

    deepseek auth set --provider nvidia-nim --api-key "Your_API_KEY"
    deepseek --provider nvidia-nim

  • SSH Login delay

    When I log in to a server, the SSH connection takes more than 2 minutes.

    boby@sok-01:~$ time ssh root@10.10.1.1 -p 3333 exit
    
    real	2m7.288s
    user	0m0.120s
    sys	0m0.039s
    boby@sok-01:~$

    Solution:

    systemctl daemon-reload
    systemctl restart systemd-logind

    On the server, I disabled UseDNS in /etc/ssh/sshd_config

    UseDNS no

    This was an AlmaLinux 9 server with GSSAPIAuthentication disabled. I disabled GSSAPIAuthentication with

    cat > /etc/ssh/sshd_config.d/10-tweaks.conf << 'EOF'
    GSSAPIAuthentication no
    GSSAPICleanupCredentials no
    EOF
    
    systemctl restart sshd

    Verified it is disabled with

    sshd -T | grep -iE "gssapi|pam|usedns|pubkey|password"

    When running

    journalctl -u sshd -f

    I got the error “PAM Error connecting to /opt/i360_pam_imunify/pam_imunify360.sock: Connection refused”. This was resolved by updating Imunify360

    wget -O imunify-force-update.sh https://repo.imunify360.cloudlinux.com/defence360/imunify-force-update.sh 
    bash imunify-force-update.sh

    Once this was done, the PAM-related error disappeared, but the login still took time. I got it resolved by running

    systemctl daemon-reload
    systemctl restart systemd-logind

    To see systemd-logind related logs, run

    journalctl -u systemd-logind --since "5 minutes ago"

    The sshd PAM config is located in

    cat /etc/pam.d/sshd

  • cPanel Disk Quota

    To see the disk quota for a user, run

    quota -vs USERNAME

    To see the disk space used by a cPanel user, run

    cd /home/USERNAME
    du -h --max-depth=1

    To see MySQL usage, run

    du -sh /var/lib/mysql/USERNAME*

    To list the files owned by a user, run

    find / -user USERNAME -ls
    find / -user USERNAME -type f -size +100M

    cPanel scripts

    /scripts/fixquotas
    /scripts/generate_maildirsize --force --allaccounts

  • Teaching SpamAssassin What Is Spam

    SpamAssassin is one of the most widely used open-source spam filtering systems for email servers. It is commonly deployed together with Postfix (mail transfer) and Dovecot (mail delivery / IMAP).

    Instead of relying on a single rule, SpamAssassin assigns a spam score to every email based on hundreds of tests, including:

    • Header analysis
    • Body content checks
    • DNS blocklists (RBLs)
    • SPF, DKIM and DMARC results
    • Bayesian (statistical) analysis

    When the score exceeds a configured threshold, the message is marked or delivered as spam.

    Teaching SpamAssassin What Is Spam

    SpamAssassin provides the sa-learn command to train its Bayesian database.

    To teach SpamAssassin that emails in a Junk folder are spam, you run:

    sa-learn --spam /home/USER/Maildir/.Junk\ E-mail/{cur,new}

    SpamAssassin automatically ignores messages it has already learned, so running this command multiple times is safe.

    Teaching SpamAssassin What Is NOT Spam (Ham)

    Training spam alone is not enough. For best accuracy, SpamAssassin should also learn from legitimate mail (ham), usually from the Inbox:

    sa-learn --ham /home/USER/Maildir/{cur,new}

    A healthy Bayesian database contains both spam and ham, ideally at least a few thousand messages of each.

  • iotop

    iotop shows which process is doing disk I/O.

    To show only tasks doing I/O:

    iotop -oPa

    -o toggles “only active I/O”
    -a accumulates I/O per process
    -P shows per-process (not threads)

    If you get a SWAPIN/IO% warning, run

    sysctl -w kernel.task_delayacct=1

  • Alpine Linux

    Alpine Linux is a lightweight, security-focused Linux distribution renowned for its simplicity, small footprint, and performance. Designed for power users, developers, and container environments, Alpine offers a minimal base system and uses the efficient APK package manager to handle software installation and updates.

    To install a package, use

    apk add PKG_NAME

    To search for a package, use

    apk search PKG_NAME

    Example

    test-alpine:~# apk search strongswan
    aconf-mod-strongswan-0.8.1-r4
    strongswan-5.9.14-r0
    strongswan-dbg-5.9.14-r0
    strongswan-doc-5.9.14-r0
    strongswan-logfile-5.9.14-r0
    strongswan-openrc-5.9.14-r0
    test-alpine:~# 

    To start a service

    rc-service sshd start

    To start a service on boot

    rc-update add sshd

  • How to Upgrade Debian 11 to Debian 12

    Refresh package lists and upgrade all installed packages:

    sudo apt update && sudo apt upgrade -y
    sudo apt full-upgrade
    sudo apt autoremove

    Reboot to ensure all updates are properly applied:

    reboot

    Change repository references in /etc/apt/sources.list from “bullseye” to “bookworm”.

    deb http://deb.debian.org/debian/ bookworm main
    deb-src http://deb.debian.org/debian/ bookworm main
    deb http://security.debian.org/debian-security bookworm-security main contrib
    deb-src http://security.debian.org/debian-security bookworm-security main contrib
    deb http://deb.debian.org/debian/ bookworm-updates main contrib
    deb-src http://deb.debian.org/debian/ bookworm-updates main contrib

    Update the package index and commence the upgrade:

    sudo apt update
    sudo apt upgrade -y
    sudo apt full-upgrade

    Remove obsolete packages and reboot for changes to take effect:

    sudo apt autoremove
    sudo reboot

  • Migrate CentOS Stream 8 to AlmaLinux 8

    First, upgrade the packages on the CentOS Stream 8 server to the latest version.

    dnf update

    Download AlmaLinux 8 migration script

    curl -O https://raw.githubusercontent.com/AlmaLinux/almalinux-deploy/master/almalinux-deploy.sh

    Run the migration script

    sudo bash almalinux-deploy.sh -d

  • How to make Linux History readonly

    To prevent normal Linux users from changing the HISTFILE environment variable, create a file

    vi /etc/profile.d/readonly_history.sh

    Add the following content to the file:

    if [[ -n $BASH_VERSION ]]; then
      HISTTIMEFORMAT="%F %T "
      HISTFILE=~/.bash_history
      HISTCONTROL=
      # append to the history file, don't overwrite it
      shopt -s histappend
      # save all lines of a multiple-line command in the same history entry
      shopt -s cmdhist
      # write commands to .bash_history immediately instead of at session end
      PROMPT_COMMAND="history -a"
      # for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
      HISTSIZE=65536
      HISTFILESIZE=65536
      readonly HISTTIMEFORMAT
      readonly HISTFILE
      readonly HISTCONTROL
      readonly HISTSIZE
      readonly HISTFILESIZE
    fi
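
    As an added example (not part of the original post), this check sources a profile snippet in a fresh bash and lists which history-related variables are still writable afterwards. The function names and the condensed sample copy of the snippet are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): check which history settings
# a user could still change after the profile snippet has been sourced.

# Variables the snippet sets; PROMPT_COMMAND is listed because it runs "history -a".
HIST_VARS="HISTFILE HISTSIZE HISTFILESIZE HISTCONTROL HISTTIMEFORMAT PROMPT_COMMAND"

# Source snippet $1 in a fresh bash and print each variable that is not readonly.
# "unset" fails on a readonly variable; the subshell keeps the probe side-effect free.
writable_history_vars() {
    bash -c '
        source "$1" || exit 2
        shift
        for v in "$@"; do
            ( unset "$v" ) 2>/dev/null && echo "$v"
        done
        exit 0
    ' _ "$1" $HIST_VARS
}

# Constructed, condensed copy of the snippet above (shopt lines omitted).
write_sample_snippet() {
    printf '%s\n' \
        'if [[ -n $BASH_VERSION ]]; then' \
        '  HISTTIMEFORMAT="%F %T "' \
        '  HISTFILE=~/.bash_history' \
        '  HISTCONTROL=' \
        '  PROMPT_COMMAND="history -a"' \
        '  HISTSIZE=65536' \
        '  HISTFILESIZE=65536' \
        '  readonly HISTTIMEFORMAT HISTFILE HISTCONTROL HISTSIZE HISTFILESIZE' \
        'fi' > "$1"
}

# Run the check against the constructed sample and clean up afterwards.
check_sample() {
    tmp=$(mktemp) || return 1
    write_sample_snippet "$tmp"
    writable_history_vars "$tmp"
    rm -f "$tmp"
}

check_sample   # prints the variables left writable
```

    On a real host, pass /etc/profile.d/readonly_history.sh to writable_history_vars instead of the sample.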

  • How to Run Docker Inside an LXD Container

    If you run Docker inside an LXD container, it will fail with the following error message

    root@sok-nodejs:~# docker run hello-world
    Unable to find image 'hello-world:latest' locally
    latest: Pulling from library/hello-world
    e6590344b1a5: Pull complete 
    Digest: sha256:c41088499908a59aae84b0a49c70e86f4731e588a737f1637e73c8c09d995654
    Status: Downloaded newer image for hello-world:latest
    docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount cgroup:/sys/fs/cgroup (via /proc/self/fd/6), flags: 0xf: permission denied: unknown.
    root@sok-nodejs:~# 

    To fix this, run the following commands on the host machine

    lxc config set <your-container-name> security.nesting true
    lxc restart <your-container-name>

    Example

    root@ns5028044:~# lxc config set sok-nodejs security.nesting true
    root@ns5028044:~# lxc restart sok-nodejs
    root@ns5028044:~# 
