How to Recover SSH Access to an Amazon EC2 Instance After Enabling UFW Without Allowing SSH

ufw is a very good tool, but if you enable it without first allowing SSH, you lock yourself out of the server. On an EC2 instance, where you cannot walk up to a console, there is still a way to recover: stop the instance, fix the firewall configuration on its root volume from another instance, and put the volume back.

  • Stop your instance.
  • Detach its root EBS volume and attach it to another instance in the same availability zone. If you don't have one, create a temporary instance.
  • On the temporary instance, create a mount point:

    mkdir recover

    Check that the EBS volume is attached:

    sudo fdisk -l

    If you see /dev/xvdf (or /dev/xvdf1, if the root filesystem is on a partition), the volume is attached.

  • Mount the volume on the recover folder:

    sudo mount /dev/xvdf recover

  • Edit recover/etc/ufw/ufw.conf and change ENABLED=yes to ENABLED=no. Make sure you are editing the file under recover/ and not the temporary instance's own /etc/ufw/ufw.conf.
  • Unmount the volume:

    sudo umount recover

  • Detach it from the temporary instance.
  • Reattach it to the original instance as the root device. The device name must match what the instance expects, usually /dev/sda1.
  • Start the instance.
  • Log in, allow SSH, and turn ufw back on (the edit above left it disabled):

    sudo ufw allow ssh
    sudo ufw enable

There you have it. Nice and simple
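The config edit is the step that is easy to get wrong on a rescue box: editing the rescue instance's own /etc/ufw/ufw.conf by mistake, or leaving the file half-edited. The script below is an added example, not part of the original post: it performs that edit against a mounted root with the checks a practitioner wants (refuse if the tree has no ufw.conf, keep a backup, verify the result) and wraps the mount/unmount sequence around it. The device name /dev/xvdf and the mount point /mnt/recover are assumptions; match them to what fdisk -l shows on your instance.

```sh
#!/bin/sh
# Added example (not from the original post): disable ufw on a mounted EC2
# root volume so SSH works again after the next boot.
# Assumptions: the attached volume appears as /dev/xvdf (check fdisk -l)
# and is mounted at /mnt/recover.
set -eu

# disable_ufw_in_root <mounted_root>
# Edits <mounted_root>/etc/ufw/ufw.conf, turning ENABLED=yes into ENABLED=no.
# Returns 0 on success, 1 if there is no ufw.conf under <mounted_root>
# (wrong volume, or not mounted), 2 if ufw is already disabled there.
disable_ufw_in_root() {
    root=$1
    conf="$root/etc/ufw/ufw.conf"
    # Guard against editing the rescue instance's own firewall by accident:
    # insist that the file exists under the mount point.
    if [ ! -f "$conf" ]; then
        echo "no $conf: wrong device or volume not mounted" >&2
        return 1
    fi
    if grep -q '^ENABLED=no$' "$conf"; then
        echo "ufw already disabled in $conf" >&2
        return 2
    fi
    cp -p "$conf" "$conf.bak"                 # keep the original for a diff
    sed -i 's/^ENABLED=yes$/ENABLED=no/' "$conf"
    grep -q '^ENABLED=no$' "$conf"            # confirm the edit landed
}

# ufw_state <mounted_root>: prints the value of ENABLED= in that root's ufw.conf
ufw_state() {
    sed -n 's/^ENABLED=//p' "$1/etc/ufw/ufw.conf"
}

# recover_volume [device] [mountpoint]: the mount / edit / unmount sequence
# from the post, to be run as root on the temporary instance.
recover_volume() {
    dev=${1:-/dev/xvdf}
    mnt=${2:-/mnt/recover}
    mkdir -p "$mnt"
    # The root filesystem may live on a partition (/dev/xvdf1) rather than
    # on the bare device; try the bare device first.
    mount "$dev" "$mnt" 2>/dev/null || mount "${dev}1" "$mnt"
    disable_ufw_in_root "$mnt"
    sync
    umount "$mnt"
    echo "done: reattach $dev to the original instance as its root device," \
         "boot it, then run 'ufw allow ssh' and 'ufw enable'"
}
```

Because the script only flips ENABLED, ufw comes up disabled on the repaired instance; allowing SSH and re-enabling ufw is the first thing to do after logging in, since the firewall rules are otherwise inactive.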

04. October 2014 by Zakir Hyder
Categories: Linux, Ubuntu

Setting Up Varnish Security Firewall

Varnish can add an extra layer of security as well as acting as an HTTP accelerator. Varnish Security Firewall (VSF) is a Web Application Firewall (WAF) written in the Varnish Configuration Language (VCL) with a sprinkling of Varnish Modules (vmods). If you want to know how to build and install a vmod, see the Building a Varnish VMOD post further down this page.

To install Varnish Security Firewall we need to install 4 different vmods.

If your Varnish version is 3.x.x, use the Varnish 3 compatible version of libvmod-urlcode.

After you have set up all 4 vmods, download VSF. I am assuming you are following the same layout as the VMOD post, with sources under /root/varnish:

git clone

So the path to VSF's VCL is /root/varnish/VSF/vcl/. Now symlink that vcl directory to /etc/varnish/security:

cd /etc/varnish && ln -s /root/varnish/VSF/vcl security

Then edit your default.vcl and add this line near the top. VCL concatenates same-named subroutines in the order they appear, so including VSF before your own vcl_recv makes its checks run before your logic:

include "/etc/varnish/security/vsf.vcl";

After that, restart Varnish. If you want to be sure the VCL still compiles before taking the service down, varnishd's -C flag compiles a VCL file and exits without serving anything.

service varnish restart

01. October 2014 by Zakir Hyder
Categories: Ubuntu, Varnish

Building a Varnish VMOD

Building a Varnish VMOD on Ubuntu is a bit of a complicated process. We are going to use varnish-3.0.5. For the VMOD we are going to use libvmod-shield.

Let's create a folder and get Varnish's source code (apt-get source needs deb-src lines in your apt sources):

mkdir varnish
cd varnish
apt-get source varnish

Then we configure the source tree so it has a Makefile. The VMOD build needs a configured Varnish tree to find the headers it compiles against:

cd varnish-3.0.5
./configure

Then we get the libvmod-shield code and build and install the VMOD against that tree:

cd ..
git clone 
cd libvmod-shield/
./autogen.sh      # only needed if the checkout has no configure script
./configure VARNISHSRC=../varnish-3.0.5
make
sudo make install

This will install VMOD shield.

If, when Varnish loads your VCL, you see an error like

cannot open shared object file: No such file or directory

then varnishd is looking for vmods in Debian's directory, /usr/lib/x86_64-linux-gnu/varnish/vmods/, while make install put the module under /usr/local/lib/varnish/vmods/. Symlink the installed module into the directory varnishd searches (symlinking the whole directory, as is tempting, only creates a nested vmods/vmods link that varnishd never looks in):

sudo ln -s /usr/local/lib/varnish/vmods/libvmod_shield.so /usr/lib/x86_64-linux-gnu/varnish/vmods/

The cleaner fix is to pass VMODDIR=/usr/lib/x86_64-linux-gnu/varnish/vmods to ./configure so make install places the module there directly.

Now you can use shield in your VCL:

import shield;

28. September 2014 by Zakir Hyder
Categories: Linux, Ubuntu, Varnish

Varnish BackendPolling

Backend polling can reduce Varnish 503 errors by detecting a dead backend before client requests are sent to it. Varnish probes by opening a new TCP connection to the backend, sending a preconfigured request, and waiting for the answer and for the backend to close the connection. Only a 200 reply counts as a good probe; anything else (another status code, a timeout, a refused connection) marks that probe as bad.

While configuring a probe, be careful with .timeout: if the backend does not return 200 within .timeout, that probe counts as failed. .window and .threshold then decide health: Varnish looks at the last .window probes and considers the backend healthy only while at least .threshold of them succeeded. With the values below, at least 4 of the last 10 probes must be good, so the backend is marked sick once 7 of 10 have failed, and Varnish answers 503 while it is sick. A smaller .threshold tolerates flaky probes (fewer 503s from the health check), a larger one fails over sooner. The trade-off is that with a very low threshold Varnish keeps sending client requests to a backend that is failing most of its probes, and those requests still fail, or hang for up to .first_byte_timeout.

backend web {
  .host = "";           # IP address of your backend (Apache, nginx, etc.)
  .port = "8000";       # Port your backend is listening on
  .connect_timeout = 600s;        # ten-minute timeouts: a request to a stalled backend hangs this long
  .first_byte_timeout = 600s;
  .between_bytes_timeout = 600s;
  .probe = {
     .url = "/";
     .timeout = 30s;    # probe fails if no 200 arrives within 30s
     .interval = 20s;   # one probe every 20s
     .window = 10;      # judge health on the last 10 probes
     .threshold = 4;    # healthy while at least 4 of those 10 succeeded
  }
}

You can check backend health from varnishadm (debug.health on Varnish 3.x, backend.list on 4.x and later), or watch the probe results live with varnishlog filtered on Backend_health records.

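To make the .window/.threshold arithmetic concrete, here is a small added example (not from the original post and not Varnish's own code) that applies Varnish's rule to constructed probe histories: the backend is healthy while at least .threshold of the last .window probes returned 200. A history is written oldest-first as a string of 1 (200 received within .timeout) and 0 (anything else), and the sample histories are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): Varnish's backend health rule,
# healthy iff at least <threshold> of the last <window> probes succeeded,
# applied to constructed probe histories so the numbers can be checked.

# backend_health <window> <threshold> <probes>
# <probes> is a string of probe results, oldest first: 1 = got a 200 within
# .timeout, 0 = anything else (other status, timeout, connection refused).
# Prints "healthy" or "sick".
backend_health() {
    window=$1
    threshold=$2
    probes=$3
    # Only the most recent <window> probes count.
    if [ "${#probes}" -gt "$window" ]; then
        probes=$(printf '%s' "$probes" | tail -c "$window")
    fi
    # Count the good probes left in the window.
    good=$(( $(printf '%s' "$probes" | tr -cd '1' | wc -c) ))
    if [ "$good" -ge "$threshold" ]; then
        echo healthy
    else
        echo sick
    fi
}

# failures_to_sick <window> <threshold>
# How many of the <window> probes must fail before Varnish marks the backend
# sick: it stays healthy until fewer than <threshold> are good.
failures_to_sick() {
    echo $(( $1 - $2 + 1 ))
}

# Constructed histories for the post's settings (.window = 10, .threshold = 4).
backend_health 10 4 1111110000   # six good, then four bad in a row: healthy
backend_health 10 4 1110000000   # only three good in the window: sick
backend_health 10 8 1111110000   # same history, stricter threshold: sick
failures_to_sick 10 4            # 7 failures out of 10 before it goes sick
```

With the post's values the backend therefore survives four consecutive failed probes (80 seconds of a dead backend at .interval = 20s) before Varnish stops sending traffic to it; raise .threshold if you would rather fail over faster.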

16. September 2014 by Zakir Hyder
Categories: Linux, Varnish

Be careful of MySQL Query Cache

Configuring a MySQL server for a high traffic site is very hard. You have to consider many things. One of the pitfalls for an unwary person like me is query_cache_size. I must confess I thought my MySQL server would perform better with query_cache_size, so I gave it 400M.

query_cache_size = 400M

But I was dead wrong.

The problem is that whenever you run an INSERT, UPDATE or DELETE against a table, MySQL invalidates every cached result that references that table, and both cache lookups and invalidations are serialised through a single global query cache mutex. On a write-heavy workload a 400M cache spends its time being flushed and refilled while every thread queues on that lock. This is the main feature that limits query cache effectiveness.

If you see threads in the state “Waiting for query cache lock” in SHOW FULL PROCESSLIST, you know you have to set query_cache_size to 0 (and query_cache_type = 0, so the cache is not consulted at all). SHOW GLOBAL STATUS LIKE 'Qcache%' shows whether the cache is doing any good: many Qcache_lowmem_prunes relative to Qcache_hits means it is churning. The query cache was deprecated in MySQL 5.7.20 and removed in 8.0.

For more details

11. September 2014 by Zakir Hyder
Categories: Linux, MySql, Server Management

Prevent cronjobs from overlapping in Linux

Recently, while fixing a bug, I found out that there were multiple copies of the same cronjob running at the same time. Normally the task completes in just a few seconds. If the task takes longer than a minute, however, we end up with multiple copies running at once. This situation can wreak havoc in your app. It is better to introduce some kind of locking mechanism, and flock(1) is the right tool for that.

*/1 * * * * /usr/bin/flock -n /tmp/cronjob.lockfile /usr/bin/php /var/www/some.php >> /root/cronjob.txt 

The -n option tells flock not to wait for the lock but to exit immediately with a non-zero status (1 by default) when another copy already holds it, so the second copy never starts. Simply put, this one-liner made my life way easier.
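As an added example (not from the original post), here is the one-liner's flock call wrapped in a small script with the details that matter in practice: the lock file lives outside world-writable /tmp, where any local user could pre-create it and hold the lock to stop the job from ever running; stderr goes to the log together with stdout instead of to cron mail; and a held lock is logged as a skip rather than silently dropped. The paths (/run/lock/cronjob.lock, /var/www/some.php, the log file) are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): a cron wrapper around flock(1).
# Assumed paths: /run/lock/cronjob.lock for the lock and /var/www/some.php for
# the job. Keep the lock in a directory only the job's user can write to, not
# /tmp, where another local user could create and hold it first.

# run_locked <lockfile> <command> [args...]
# Runs <command> under an exclusive lock on <lockfile>. With -n, flock does
# not wait: if a previous run still holds the lock it exits at once with
# status 1 and <command> is never started. Any other non-zero status is the
# command's own exit code, passed through unchanged.
run_locked() {
    lock=$1
    shift
    flock -n "$lock" "$@" && rc=0 || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "$(date '+%Y-%m-%d %H:%M:%S') skipped: previous run still holds $lock" >&2
    fi
    return "$rc"
}

# Intended crontab entry (stderr kept with stdout so failures are logged,
# not mailed):
#   * * * * * /usr/local/bin/cronjob.sh >> /var/log/cronjob.log 2>&1
# where /usr/local/bin/cronjob.sh sources this file and runs:
#   run_locked /run/lock/cronjob.lock /usr/bin/php /var/www/some.php
```

One limitation worth knowing: an exit status of 1 from the job itself is indistinguishable from flock's "lock held" status, so a job that signals failure with exit 1 would be logged as a skip; newer util-linux versions of flock take -E to choose a distinct conflict exit code.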

14. August 2014 by Zakir Hyder
Categories: Linux

Time Synchronisation with NTP in Ubuntu Server

Recently, during some bug fixing, I found out that our database server's time was 5 minutes off. At first I thought the timezone was probably correct. Then I found out that on Ubuntu Server you have to synchronise the time yourself. Every time the server restarts it updates its time using ntpdate. You can do it manually using the following command:


A one-off ntpdate only fixes the clock until it drifts again. Better is to set up the ntp daemon, which keeps the server's time continuously in step. A clock that is minutes off is more than a cosmetic problem: it breaks certificate validity checks and Kerberos tickets, and makes log timestamps from different hosts impossible to correlate.

sudo apt-get install ntp

Then edit /etc/ntp.conf to add or remove server lines. By default the Ubuntu package points at the NTP Pool Project servers, introduced by this comment:

# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See for
# more information.

You can pick pool servers closer to your region from the NTP Pool Project's zone list. After changing the conf file, reload ntp:

sudo /etc/init.d/ntp reload

11. August 2014 by Zakir Hyder
Categories: Linux, Ubuntu
