Install MySQL 5.6 on CentOS 8

I couldn’t get the various instructions using the MySQL community repo to work, so if you’re in the same boat try this:

Get the 5.6 bundle from


Install some requirements:

dnf -y install libaio ncurses-compat-libs

Unpack and install MySQL:

tar -xvf MySQL-5.6.50-1.el7.x86_64.rpm-bundle.tar
rpm -Uhv MySQL-server-5.6.50-1.el7.x86_64.rpm MySQL-client-5.6.50-1.el7.x86_64.rpm

Then start it off:

systemctl start mysql
systemctl enable mysql

VPS Benchmarks: Amazon EC2 and Lightsail, Azure, DigitalOcean, Google, Hostworld, Linode, OVH, UpCloud, VPSServer,, Vultr

I recently needed to have a look at moving some services to a different VPS provider for redundancy so I decided to benchmark my options to compare them.

The plan selected was whichever had 16GB of RAM (though Google is 15GB). The selected datacenter was always London (Azure only says UK South). The fastest storage options were selected. The OS was CentOS 7 since that was mostly supported (Amazon and do not support CentOS 8).

For Amazon and DigitalOcean I tested 2 options; for Amazon I was curious as to how Lightsail stacked up against vanilla EC2 and I also wondered if the 50% hike in price for DigitalOcean General Purpose was worth it versus the Standard VPSs from them that I’d used in the past.

The tests were generally run a few times and averaged out. I used the latest sysbench to measure CPU speed, File I/O and MySQL transaction speed for comparison.

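| Provider | Plan | vCPU cores | RAM (GB) | CPU Events/s | Read MiB/s | Write MiB/s | MySQL tran/s |
|---|---|---|---|---|---|---|---|
| Amazon | EC2 t3a.xlarge | 4 | 16 | 514.79 | 18.84 | 12.56 | 1099.59 |
| Amazon | Lightsail 16GB | 4 | 16 | 337.44 | 15.55 | 10.37 | 1603.31 |
| DigitalOcean | General Purpose 16GB | 4 | 16 | 434.46 | 20.85 | 13.90 | 1328.43 |
| DigitalOcean | Standard 16GB | 6 | 16 | 304.37 | 10.79 | 7.19 | 1078.46 |
| Google Cloud Compute | n1-standard-4 | 4 | 15 | 345.23 | 11.89 | 7.93 | 976.040 |
| Kamatera | Custom (Availability) | 4 | 16 | 413.75 | 36.96 | 24.64 | 2634.97 |
| Linode | Shared 16GB | 6 | 16 | 501.91 | 43.21 | 28.80 | 1728.78 |
| OVH Cloud | Elite | 8 | 16 | 267.67 | 31.00 | 20.67 | 1729.30 |
| UK2 | SSD VPS V6-20 | 4 | 16 | 254.33 | 23.37 | 15.58 | 1317.89 |
| VPSServer | Standard 16GB | 8 | 16 | 156.23 | 16.82 | 11.21 | 844.11 |
| Vultr | Cloud Compute 16GB | 6 | 16 | 403.37 | 35.20 | 23.46 | 1691.64 |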

For disk I/O UpCloud is the clear winner and Azure and are VERY distant losers – and this is with Azure’s Premium SSD option. Hostworld just wins the CPU crown, but its I/O is less impressive. Of the rest I’d say Linode is a pretty solid performer. There are some distinctly average performances from some of these. I was quite surprised by some of the numbers and ran them a few extra times to make sure (VPSServer’s terrible CPU speed and Azure and’s shocking I/O for example).


Price-wise, the top 4 in terms of speed have very similar pricing (that’s UpCloud, Linode, Kamatera and Vultr in order of read speed), then OVH and Hostworld are both significantly cheaper. Hostworld is actually the cheapest in the list with the fastest CPU but only mid-range disk I/O.

The commands used to benchmark were as follows:

For CPU Events per second:
sysbench cpu --cpu-max-prime=20000 run

For read and write performance in MiB/s (after creating 150GB of files):
sysbench fileio --file-total-size=150G --file-test-mode=rndrw --time=300 --max-requests=0 run

For MySQL transactions per second (after creating a test database with 1 million rows):
sysbench oltp_read_write --table-size=1000000 --db-driver=mysql --mysql-db=test --time=60 --max-requests=0 --threads=8 run

Install OSSIM/OSSEC agent (CentOS 7)

I couldn’t find proper instructions on doing this anywhere so here are mine:

In your OSSIM portal go to Environment -> Assets & Groups -> Add Assets and enter the name/IP of the asset you want to add.

On the agent run:

yum -y install libevent-devel pcre2-devel openssl-devel
tar xzf 3.6.0.tar.gz
cd ossec-hids-3.6.0/

…select the defaults and type in agent when prompted.

Back in OSSIM go to Environment -> Detection -> Agents -> Add Agent

Find the new asset in the dropdown and click ADD. Next to the new agent there is a picture of a key, click that and copy the long key it shows you.

On the agent run:


Choose I to import a key, then paste the key then Q to quit.

Check the file /var/ossec/etc/ossec.conf to make sure it’s monitoring the necessary logs. Then to start the agent run:

/var/ossec/bin/ossec-control start

It can take 10-15 minutes for OSSIM to show the agent as active.

Postfix ban failed logins script

Fail2ban hasn’t been working for me, I still have people running brute force attacks on my Postfix server, so I thought I’d rig up something myself.

This consists of a bash script that identifies multiple failures and bans them, run on cron every 10 minutes. It checks for both smtp and pop/imap login failures.

#!/bin/bash
# postfix ban failed login ips
# get all failed ip addresses into files
cat /var/log/maillog | grep "authentication failed" | grep -Eo "([0-9]{1,3}[\.]){3}[0-9]{1,3}" > ~admin/mail_fail_smtp
cat /var/log/maillog | grep "auth failed" | grep -Eo "rip=([0-9]{1,3}[\.]){3}[0-9]{1,3}" > ~admin/mail_fail_imap
find ~admin/mail_fail_imap -type f -exec sed -i 's/rip=//g' {} \;
# only get over 5 fails (change the limit= part to change)
sort ~admin/mail_fail_imap | uniq -cd | awk -v limit=5 '$1 > limit{print $2}' > ~admin/mail_fail_imap_over5
sort ~admin/mail_fail_smtp | uniq -cd | awk -v limit=5 '$1 > limit{print $2}' > ~admin/mail_fail_smtp_over5
# read through files and add IP to hosts.deny if not there already
# (-x -F matches the whole "ALL: ip" line literally, so 1.2.3.4 is not mistaken for 11.2.3.45)
while read -r p; do
    if grep -qxF "ALL: $p" /etc/hosts.deny; then
        echo "$p already added"
    else
        echo "ALL: $p" >> /etc/hosts.deny
    fi
done < ~admin/mail_fail_smtp_over5
while read -r p; do
    if grep -qxF "ALL: $p" /etc/hosts.deny; then
        echo "$p already added"
    else
        echo "ALL: $p" >> /etc/hosts.deny
    fi
done < ~admin/mail_fail_imap_over5
# clean up
rm -f ~admin/mail_fail_smtp
rm -f ~admin/mail_fail_imap
rm -f ~admin/mail_fail_smtp_over5
rm -f ~admin/mail_fail_imap_over5

Then added to crontab:

*/10 * * * * /home/admin/ > /dev/null

And just in case the localhost fails and is unintentionally blocked (this is quicker than filtering it out above):

echo "ALL:" >> /etc/hosts.allow
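
A variant of the same idea, as an added example that is not the post's own script: failures are counted across SMTP and POP/IMAP together, allowlisted addresses (exact IPs only) are filtered out before banning instead of relying on hosts.allow, and the deny file is updated with an exact-line match so a second run adds nothing. The function names, the allowlist file and the sample log lines are assumptions constructed for the demo, which writes to temporary files rather than /etc/hosts.deny.

```shell
#!/bin/sh
# Added example, not the post's script. Every log line below is constructed.

# Sample maillog: 6 SMTP failures, 6 IMAP failures, 6 POP3 failures from
# localhost, and 2 SMTP failures from an address that stays under the limit.
sample_log() {
  for i in 1 2 3 4 5 6; do
    echo "Jan 10 03:12:0$i mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure"
    echo "Jan 10 03:13:0$i mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10"
    echo "Jan 10 03:14:0$i mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1"
  done
  for i in 1 2; do
    echo "Jan 10 03:15:0$i mail postfix/smtpd[2102]: warning: unknown[203.0.113.99]: SASL PLAIN authentication failed: authentication failure"
  done
}

# offenders LIMIT ALLOWFILE < maillog
# Prints each client IP with more than LIMIT failures, minus allowlisted IPs.
offenders() {
  awk '
    /authentication failed/ && match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/) {
      print substr($0, RSTART + 1, RLENGTH - 2)   # SMTP: address inside [ ]
    }
    /auth failed/ && match($0, /rip=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
      print substr($0, RSTART + 4, RLENGTH - 4)   # POP/IMAP: remote IP, not lip=
    }' |
  sort | uniq -c | awk -v limit="$1" '$1 > limit {print $2}' |
  grep -vxFf "$2" || true                         # drop exact allowlist matches
}

# deny_new DENYFILE < ip-list
# Appends "ALL: ip" only when that exact line is not already present.
deny_new() {
  touch "$1"
  while read -r ip; do
    # Write only well-formed dotted quads, never raw log text.
    printf '%s\n' "$ip" | grep -Eqx '([0-9]{1,3}\.){3}[0-9]{1,3}' || continue
    grep -qxF "ALL: $ip" "$1" || echo "ALL: $ip" >> "$1"
  done
}

# Demo against temporary files instead of /etc/hosts.deny.
demo_dir=$(mktemp -d)
echo "127.0.0.1" > "$demo_dir/allow"
echo "ALL: 203.0.113.77" > "$demo_dir/deny"   # existing entry that merely contains 203.0.113.7
sample_log | offenders 5 "$demo_dir/allow" | deny_new "$demo_dir/deny"
sample_log | offenders 5 "$demo_dir/allow" | deny_new "$demo_dir/deny"   # second run adds nothing
cat "$demo_dir/deny"
rm -rf "$demo_dir"
```

The pre-seeded 203.0.113.77 entry shows why the match has to cover the whole line: a plain substring grep for 203.0.113.7 would find it and skip the ban.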

Linode Xen to KVM upgrade breaks quotas

On a Linode Virtualmin CentOS 6 the upgrade from Xen to KVM breaks quotas with the following error:

repquota: Cannot stat() mounted device /dev/root: No such file or directory

The issue is that the symbolic link /dev/root is linking to /dev/xvda which has been replaced by /dev/sda so the symlink just needs to be replaced:

# rm /dev/root
# ln -s /dev/sda /dev/root

Then pop into Virtualmin (Webmin, System, Disk Quotas) and turn the quotas back on.

Fix nss-softokn rpm/yum issue in CentOS 6

The recent update to nss-softokn breaks rpm/yum updates in CentOS 6.

To restore functionality run these commands:

For 64-bit:

# wget
# rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm | cpio -idmv
# cd lib64
# cp libfreeblpriv3.* /lib64
# yum update

For 32-bit:

# wget
# rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.i686.rpm | cpio -idmv
# cd lib
# cp libfreeblpriv3.* /lib
# yum update

Dovecot brute-force blocking with fail2ban

If you are getting any brute force attacks to your dovecot imap/pop3 server, install fail2ban to block the offenders. This works on CentOS 5.7. For other distributions, see the relevant websites.

Firstly, install fail2ban. You should have the rpmforge repo from my previous post. Enable it first to install fail2ban:

# cd /etc/yum.repos.d/
# vi rpmforge.repo

Change it to enabled = 1 and save

Then it’s simple:

# yum install fail2ban

After installation I recommend disabling the repo. Edit the file and change to enabled = 0

Then make sure the service starts up:

# chkconfig --add fail2ban
# chkconfig fail2ban on
# service fail2ban start

Create a new filter file for your dovecot:

# vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf

Paste in the following definition:

[Definition]
failregex = pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
ignoreregex =

Then add the new information to the main config file:

# vi /etc/fail2ban/jail.conf

At the end, add the following:

# jail section header; the name matches the filter file created above
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
# optional mail notification
# mail[name=dovecot-pop3imap, dest=root@domain]
# see /etc/fail2ban/action.d/ or Fail2Ban doc
logpath = /var/log/secure
maxretry = 20
findtime = 1200
bantime = 1200

That’s it!

CentOS: Install ffmpeg & ffmpeg-php 0.6

The ffmpeg installed by yum cannot be used with ffmpeg-php, so we need to download and compile it:

cd ~admin/software
tar zxfv ffmpeg-0.6.tar.gz
cd ffmpeg-0.6
./configure --enable-shared
make install

Now we need to download and configure ffmpeg-php:

cd ~admin/software
tar -xjf ffmpeg-php-0.6.0.tbz2
cd ffmpeg-php-0.6.0

There’s an error in this version (0.6) we need to correct or it won’t compile, so run:

vi ffmpeg_frame.c

We need to substitute PIX_FMT_RGBA32 for PIX_FMT_RGB32, so enter this command :%s/PIX_FMT_RGBA32/PIX_FMT_RGB32 and hit return. Now compile and install:

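# generate the extension build files, then build and install ffmpeg.so
phpize
./configure
make install
# load the extension (an empty ini file would leave it disabled)
echo "extension=ffmpeg.so" > /etc/php.d/ffmpeg.ini
service httpd restart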

CentOS: Install PHP 5.2 with t1lib support

The first step is to vanilla install PHP 5.2 (to handle any dependency issues) and then recompile it with the t1lib option. So enable the testing repo of CentOS 5. Change to root user first, then create the repo:

su -
vi /etc/yum.repos.d/CentOS-Testing.repo

Enter insert mode (hit i) and paste the following into the new file:

# CentOS-Testing:
# !!!! CAUTION !!!!
# This repository is a proving grounds for packages on their way to CentOSPlus and CentOS Extras.
# They may or may not replace core CentOS packages, and are not guaranteed to function properly.
# These packages build and install, but are waiting for feedback from testers as to
# functionality and stability. Packages in this repository will come and go during the
# development period, so it should not be left enabled or used on production systems without due
# consideration.
name=CentOS-5 Testing

Then update PHP and restart Apache (yum will double-check you want to go ahead):

yum update php*
service httpd restart

PHP is now updated, but the t1lib is not installed or compiled into PHP. So let’s download and install it (you’ll need make and gcc installed):

cd ~admin/software
tar zxfv t1lib-5.1.2.tar.gz
cd t1lib-5.1.2
make && make install

If it exits with a latex error, install latex:

yum -y install tetex-latex

Installing t1lib can also be accomplished if you have the rpmforge repo installed (see previous post step 6) with: yum --enablerepo=rpmforge install t1lib
If you upgrade your software in the future and get an error about then install t1lib again using this method and then service httpd restart

Then run the make commands again. T1lib is now installed. Next step is to recompile PHP. Firstly, set up a build environment (still as root) and install some software that we’ll need to compile:

mkdir -p /usr/src/redhat/{SRPMS,RPMS,SPECS,BUILD,SOURCES}
chmod 777 /usr/src/redhat/{SRPMS,RPMS,SPECS,BUILD,SOURCES}
yum -y install rpm-build re2c bison flex

Now, we need to lose our root privileges to compile the software, so we need to run exit or logout to drop back to the admin user (make sure this is the right version of PHP you have just installed, use rpm -q php to check).

cd ~admin/software
rpm --install php-5.2.10-1.el5.centos.src.rpm
vi /usr/src/redhat/SPECS/php.spec

Technically, we should edit the release line to reflect the changes we are making, but that creates dependency issues, so we’ll ignore that and edit the configure lines. Scroll to where it says %configure with various includes after the line. Remove the line that says --disable-rpath \ which will stop the compile working (this is PHP bug #48172) and add at the end: --with-t1lib \

Exit insert mode, save and exit (hit Esc, then ZZ). Now rebuild the RPM files:

rpmbuild -bb /usr/src/redhat/SPECS/php.spec

It’s highly likely that you will now get a list of failed dependencies. All of them need to be installed. The following is my list – yours may be different. Su to the root user and install them, then logout back to the admin user after this command:

su -
yum -y --skip-broken install bzip2-devel curl-devel db4-devel expat-devel gmp-devel aspell-devel httpd-devel libjpeg-devel libpng-devel pam-devel libstdc++-devel sqlite-devel pcre-devel readline-devel libtool gcc-c++ libc-client-devel cyrus-sasl-devel openldap-devel postgresql-devel unixODBC-devel libxml2-devel net-snmp-devel libxslt-devel libxml2-devel ncurses-devel gd-devel freetype-devel

Then run the rpmbuild command again. If you get a GD error after the T1_StrError line, try running this command as root:

su -
ldconfig /usr/local/lib

Run the rpmbuild command again (as non-root). When it finishes (will take a while), install the resultant RPM files as root user:

su -
cd /usr/src/redhat/RPMS/x86_64/
rpm -Uhv --nodeps --force *.rpm
service httpd restart

Your path to the RPMs may be different depending on your architecture.