
Amazon AWS Amazon LightSail

Discussion in 'Virtual Private Server (VPS) hosting' started by Tracy Perry, Oct 22, 2022.

  1. Tracy Perry (Active Member, Texas)
    Anyone have an issue with Amazon LightSail assigning the private IP to eth0?
    When you try to use LetsEncrypt on host creation in CentMin, it won't work, since the IP for the instance is different from the static IP that was assigned to the LightSail instance.
    Do you need to add another IP to eth0? And if so, where, as the script for eth0 is auto-generated and warns you not to edit it?

    I'm planning on moving off the DO instance the site was running on, and LightSail looked promising as I could keep the mail and stuff under one roof.


    It looks like they map the public IP to the private IP.
     
  2. eva2000 (Administrator, Brisbane, Australia)
    Amazon Lightsail's resource usage/cap/throttle generally wouldn't make it an ideal candidate for hosting. Or has that changed? If your Centmin Mod Nginx domain is behind a Cloudflare orange-cloud enabled proxy and you have Cloudflare Full or Full (Strict) SSL mode enabled, it's recommended you use the Cloudflare DNS API domain validation method for issuing Letsencrypt SSL certificates on your Centmin Mod Nginx origin server side. This would bypass any issues with Letsencrypt domain validation using the default webroot authentication method.

    I haven't used Amazon Lightsail myself though.
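The address comparison the first post trips over, and the DNS-01 alternative recommended in the reply, as an added example (not Centmin Mod's own code). It assumes the JSON layout of `ip -j -4 addr show` (ifname, addr_info[].family, addr_info[].local) and takes the domain's A record as a caller-supplied string; the sample interface data is constructed from RFC 1918 and RFC 5737 documentation addresses. On a 1:1-NAT instance such as Lightsail, eth0 only ever carries the private address, so a check that expects the DNS answer to be bound locally fails even though HTTP-01 can still reach the box when port 80 is forwarded:

```python
"""Classify how the address bound to eth0 relates to the domain's A record.

Added example, not Centmin Mod code. It assumes the JSON layout of
`ip -j -4 addr show` (ifname / addr_info[].family / addr_info[].local) and a
resolver answer supplied by the caller. The sample below is constructed from
RFC 1918 (172.26.x) and RFC 5737 (203.0.113.x) documentation addresses.
"""
from __future__ import annotations

import ipaddress
import json

# Only the RFC 1918 ranges: Python's IPv4Address.is_private also covers the
# documentation nets used below, which would hide the case we want to show.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed `ip -j -4 addr show eth0` output from a 1:1-NAT instance:
# the interface only ever carries the private address.
SAMPLE_NAT_JSON = json.dumps([{
    "ifname": "eth0",
    "addr_info": [{"family": "inet", "local": "172.26.5.17", "prefixlen": 20}],
}])


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.IPv4Address(addr)
    return any(a in net for net in RFC1918)


def interface_ipv4(ip_json: str, ifname: str = "eth0") -> list[str]:
    """Pull the IPv4 addresses bound to ifname out of `ip -j addr` JSON."""
    found = []
    for link in json.loads(ip_json):
        if link.get("ifname") != ifname:
            continue
        for info in link.get("addr_info", []):
            if info.get("family") == "inet":
                found.append(info["local"])
    return found


def classify(local_addrs: list[str], dns_answer: str) -> str:
    """Return 'direct', 'nat' or 'mismatch'.

    direct   - the A record is bound to the interface: a plain equality check
               (what the installer's test amounts to) passes and webroot works.
    nat      - only RFC 1918 addresses on the interface and a public A record,
               i.e. 1:1 NAT. The equality check fails even though HTTP-01 still
               reaches the box when port 80 is forwarded; DNS-01 sidesteps the
               comparison entirely.
    mismatch - a public address is bound but differs from the A record (stale
               record, or a proxy such as Cloudflare in front): use DNS-01 or
               fix DNS.
    """
    if dns_answer in local_addrs:
        return "direct"
    if local_addrs and all(is_rfc1918(a) for a in local_addrs) and not is_rfc1918(dns_answer):
        return "nat"
    return "mismatch"


if __name__ == "__main__":
    addrs = interface_ipv4(SAMPLE_NAT_JSON)
    print(addrs, "->", classify(addrs, "203.0.113.10"))
```

On a live box, feed it the real `ip -j -4 addr show eth0` output and `dig +short A yourdomain`. A "nat" or "mismatch" result is the signal to issue with the DNS API method the reply describes rather than fight the webroot check; behind a Cloudflare proxy the A record is Cloudflare's anyway, so the comparison can never match.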
     
  3. Tracy Perry (Active Member, Texas)
    Yeah, the hassle isn't going to be worth it. Looking at moving over to Linode or Vultr. Would go RamNode, but since they got bought out I don't know how reliable they are.
     
  5. cloud9 (Premium Member, England)
    My experience of Vultr wasn't very good. I moved and would not recommend them.
     
  6. rdan (Well-Known Member)
    Why? More info please.
     
  7. cloud9 (Premium Member, England)
    They say in their terms they will open mail ports on the basis that you ask and tell them what you are doing, and they will open up the ports if you fit their criteria (or something like that).

    https://www.vultr.com/docs/what-ports-are-blocked/

    I had quite a few VPS with them after shutting down a dedicated server that was costing a fortune. I asked Vultr to open the mail ports and told them why: all I wanted was server errors from CMM mailed to me, so maybe a few mails a week, nothing major at all; all the other mail for the VPS was on Namecheap private email. Basically on all my servers, all with different tickets, all wanting mail opened just for server errors: a complete NO. I tried everything with them; in the end they told me they don't open the ports at all and if I didn't like it to leave, so I left.

    Oh, and their support was extremely slow; the mail issue took around a month for them to tell me NO after many emails.
     
  8. eva2000 (Administrator, Brisbane, Australia)
    Yeah, they are trying to keep their IP addresses clean from spam. Unfortunately a lot of VPS providers are doing this now, so if you want to send mail from the server for server messages, you'd have to set up a Postfix SMTP relay to an SMTP transactional email provider like Amazon SES.

    But yeah, slow support ain't good. I actually have not even used Vultr tech support that much, maybe 1 or 2 times in 7+ yrs.
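The Postfix-to-SES relay mentioned above, as an added configuration example (not from the post or from Centmin Mod). The SES region endpoint, the CA bundle path and the credential placeholders are assumptions; substitute the endpoint for the region where your SES identity is verified, and the SMTP credentials SES generates for you (these are not your IAM keys). Postfix only treats `#` as a comment at the start of a line, so keep comments on their own lines.

```ini
# /etc/postfix/main.cf
# Relay all outbound mail through Amazon SES on the submission port.
# Port 587 is used because providers in this thread block 25 (and Hetzner 465);
# confirm your provider does not block 587 as well.
# us-east-1 is an assumed region; use the endpoint for your SES region.
relayhost = [email-smtp.us-east-1.amazonaws.com]:587

# Authenticate to the relay with SES SMTP credentials stored in a hash map.
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# Never send the credentials over a plaintext session; verify the relay's certificate chain.
# Path below is the AlmaLinux/EL bundle; Debian/Ubuntu use /etc/ssl/certs/ca-certificates.crt.
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

# This box only relays its own notices: listen on loopback and trust nothing else,
# so the relay credentials cannot be used by anything outside the host.
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8 [::1]/128

# /etc/postfix/sasl_passwd  (separate file; placeholder credentials)
# Format: <relayhost exactly as above>  <smtp-username>:<smtp-password>
[email-smtp.us-east-1.amazonaws.com]:587 EXAMPLE_SES_SMTP_USER:EXAMPLE_SES_SMTP_PASSWORD
```

After writing both files, run `postmap hash:/etc/postfix/sasl_passwd`, `chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db`, and `systemctl restart postfix`. The envelope sender of the server notices must be an identity (address or domain) verified in SES, and the sending domain should publish SPF and DKIM for SES, otherwise the relay only moves the reputation problem from the VPS IP to the message itself. Check `postqueue -p` and `/var/log/maillog` after a test message to see the TLS handshake and SASL authentication succeed.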
     
  9. cloud9 (Premium Member, England)
    A lot are, but they should state they won't open ports for email under any circumstances. Vultr clearly state "open a support ticket"; that's pointless, as they have no intention of opening email ports, so they are conning customers.

    And spam IPs: it's a pointless exercise trying to protect their IPs from spam, as some of the spam listing associations have levels 1, 2, 3 and will list a whole block of IPs as spam because you're in the neighbourhood next to a spammer (Spam Rats being one), and then UCE.

    I have just spent 2 weeks getting a couple of VPS delisted as not spam (Spam Rats), as in my neighbourhood /15 there are spammers!

    The worst for this are UCE, who are listing some of my servers as spamming, and unless I pay them they will not delist me.

    This is what Hetzner said when I asked about my IP being blacklisted by UCE:

    =========================

    Not many companies use UCEPROTECT (and definitely not providers like Google or Microsoft), so you’ve most likely been made aware of this issue by a blacklist scan(ner), and not because of your emails being rejected. In most cases, you can simply ignore the listing, as it won’t have any effect on your server.

    Having said that, we would like to explain why there are so many listings on UCEPROTECT. In early 2021 they changed their criteria, which has led to many more blacklistings. To understand why, it is necessary to look at their criteria in some detail. If you simply want to know what this means for you, please skip the following technical part.

    ----- Technical Information -----
    UCEPROTECT is a DNS-based blacklist that can be used by any mail server to filter or even outright reject emails. It has three different levels that can be checked:

    Level 1: lists individual IPs that were observed sending emails to spamtraps, or being involved in network abuse. These are automatically delisted 7 days after the last impact. (impact = a spamtrap hit or network abuse hit).

    Level 2: Lists a /24 range (with 256 IPs) when there have been 4 or more impacts from IPs within that range, or up to a /15 range (with 131,072 IPs) when there have been 141 or more impacts from within that range.

    Level 3: Lists all IPs from a single network (ASN) when there have been a certain amount of impacts within that network. This amount is based on the total amount of IPs the network has.

    In early 2021 the criteria for both level 2 and level 3 were changed. In both cases, the changes have resulted in many more ranges and entire networks being listed.
    Source: http://www.uceprotect.net/en/index.php?m=12&s=0

    * Level 2 Criteria
    For level 2, the criteria used to be that 5 or more single IPs being listed on level 1 would cause a /24 level 2 listing. On February 8th, 2021, that was changed to be 4 or more impacts. This means a single IP that has 4 impacts can cause the entire /24 it is part of to become listed on level 2.

    Due to this change, there are a lot more /24 ranges, and even some /16 or /15 ranges, that are listed on level 2, and it is much harder to prevent that from happening.

    * Level 3 Criteria
    In the past, a level 3 listing would occur when 0.2% or more of all IPs from that network got listed on level 1. This meant that there were few level 3 listings. On January 18th, 2021 that policy was changed to 0.02% (a tenfold decrease in the amount of IPs needed to cause a level 3 listing). Due to this change, a large amount of companies, including many of our competitors, suddenly found themselves listed on level 3.

    Naturally, this caused quite a commotion within the webhosting and anti-abuse communities. On February 8th, 2021, UCEPROTECT decided to again change the criteria for level 3. Now, the important statistic is impacts. If there are more impacts than 0.05% of total IPs, the entire network is listed on level 3.

    For reference, the complete list of networks that are listed on level 3 can be seen here:
    http://www.uceprotect.net/en/l3charts.php

    UCEPROTECT themselves admit that level 3 is "draconic" and "will cause collateral damage to innocent users when used to block email". That is why they recommend using it in a scoring system, and not to outright reject emails.
    Source: http://www.uceprotect.net/en/index.php?m=3&s=5

    ----- Impact for Hetzner -----
    Due to these changes, a single IP can cause an entire /15 (with 131,072 IPs) to become blacklisted on level 2. In fact, a handful of IPs with a lot of impacts can cause our entire network (with over 2 million IPs) to get blacklisted on level 3. This is something we have seen happen, and it goes to show how broken the system is. The amount of false positives is astounding.

    We monitor UCEPROTECT on a daily basis, and we take action against IPs that get multiple impacts. However, we have observed numerous times that even though an IP was locked, and there is no network traffic on it, UCEPROTECT continues to see impacts from it. This should not be possible.

    Unlike most other blacklists where IPs are automatically delisted after a few hours or days, or where IPs can be manually delisted, on UCEPROTECT IPs are listed until a week after their last impact. This means that there are individual listings that have long since been resolved, that are still impacting level 2 and level 3 listings. The only option to delist IPs earlier is to pay UCEPROTECT for express delisting, but we cannot support such a system in good conscience.

    The three issues mentioned above mean we cannot guarantee IPs won’t be blacklisted on level 2 as part of a larger network, or even on level 3 as part of our entire network. It also means we cannot offer an easy or quick solution.

    Not many companies or mail servers use UCEPROTECT. However, if you are having issues with your emails being rejected, please contact those recipients via other means, and advise them of the change in criteria for level 2 and 3, and the recommendation of UCEPROTECT itself not to use level 2 or 3 to outright reject emails.
    =============

    UCE = Gun to head - pay up to get delisted !
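The three UCEPROTECT levels and the listing thresholds quoted in the Hetzner reply above, worked through in code. This is an added example, not UCEPROTECT's or Hetzner's code: the thresholds (level 1 expires 7 days after the last impact; level 2 lists a /24 at 4 or more impacts or a /15 at 141 or more; level 3 lists a whole network when impacts exceed 0.05% of its address count) are taken from the quoted text and may not match UCEPROTECT's current policy. The zone names are the three public DNSBL zones from UCEPROTECT's documentation; confirm them before wiring the live lookup into monitoring. The impact counts are constructed from RFC 5737 documentation addresses.

```python
"""Model the UCEPROTECT listing levels described in the Hetzner reply above.

Added example; not UCEPROTECT's or Hetzner's code. Thresholds are the ones
quoted in the thread and may not match UCEPROTECT's current policy. Zone
names are from UCEPROTECT's public documentation (verify before relying on
them). Impact data below is constructed from RFC 5737 documentation addresses.
"""
from __future__ import annotations

import ipaddress
import socket
from collections import Counter
from datetime import datetime, timedelta

UCEPROTECT_ZONES = {
    1: "dnsbl-1.uceprotect.net",
    2: "dnsbl-2.uceprotect.net",
    3: "dnsbl-3.uceprotect.net",
}

LEVEL2_RULES = ((24, 4), (15, 141))  # (prefix length, impacts needed), as quoted
LEVEL3_FRACTION = 0.0005             # "more impacts than 0.05% of total IPs"
LEVEL1_TTL = timedelta(days=7)       # "delisted 7 days after the last impact"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL lookups reverse the octets: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def level1_listed(last_impact_iso: str, now_iso: str) -> bool:
    """Level 1 entries stay until 7 days after the last spamtrap/abuse hit."""
    last_impact = datetime.fromisoformat(last_impact_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_impact < LEVEL1_TTL


def level2_listed_ranges(impacts: dict[str, int]) -> set[str]:
    """Aggregate impacts per /24 and per /15 and return the ranges crossing the
    quoted thresholds. A single IP with 4 hits is enough to list its /24, which
    is the 'innocent neighbour' effect the thread complains about."""
    listed: set[str] = set()
    for prefixlen, needed in LEVEL2_RULES:
        per_range: Counter = Counter()
        for ip, hits in impacts.items():
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            per_range[str(net)] += hits
        listed.update(net for net, hits in per_range.items() if hits >= needed)
    return listed


def level3_listed(network_size: int, total_impacts: int) -> bool:
    """Whole-network (ASN) listing: impacts must exceed 0.05% of the network's
    address count. For a 2,000,000-address network that is more than 1000."""
    return total_impacts > network_size * LEVEL3_FRACTION


def live_check(ip: str, level: int) -> bool:
    """Real DNS lookup (needs network; not exercised offline). A listed IP
    resolves to a 127.0.0.x answer; an unlisted one gets NXDOMAIN, which
    gethostbyname surfaces as socket.gaierror."""
    try:
        answer = socket.gethostbyname(dnsbl_query_name(ip, UCEPROTECT_ZONES[level]))
    except socket.gaierror:
        return False
    return answer.startswith("127.")


# Constructed impact counts: one noisy host and two quiet neighbours.
SAMPLE_IMPACTS = {"192.0.2.10": 4, "198.51.100.7": 1, "198.51.100.9": 2}

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", UCEPROTECT_ZONES[1]))
    print(sorted(level2_listed_ranges(SAMPLE_IMPACTS)))
    print(level3_listed(2_000_000, 1001))
```

The practical takeaway matches the Hetzner note: check level 1 for your own IP (that is the only listing you can influence), and treat level 2 and 3 hits as neighbourhood noise unless a recipient is actually rejecting your mail.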
     
  10. cloud9 (Premium Member, England)
    Not sure why but that posted twice - please delete second one @eva2000
     
  11. Tracy Perry (Active Member, Texas)
    I got to looking around... and was impressed with what I saw of Hetzner. Currently I've moved my site over to it from a DO 2vCPU/2GB VPS to a 3vCPU/4GB VPS with 30GB more storage available, and for $4 less a month (Atlanta based). Don't know how it's going to work, and I keep regular backups of the site in case I need to move, but so far I'm liking it. The only REAL headache was getting the multiple IPv6 addresses to be recognized. The standard method of manually adding them to the ifcfg-eth0 is not assured, as it is a system-generated file and you are told not to edit/change it.
    You have to do a
    Code:
    ip address add <ipv6-address> dev eth0
    to get it listed.

    Hetzner also blocks ports 25/465 by default and you have to ask to have them opened.
    (screenshot)

    The Hetzner VPS htop output running 2 sites:

    (screenshot)

    And the DO htop output running 1 site that is a simple redirect (no MySQL or anything needed) to another domain:

    (screenshot)
     
    Last edited: Oct 25, 2022
  12. cloud9 (Premium Member, England)
    Yep, Hetzner blocks email ports; I think you need 1 invoice to have been paid and then you can open a ticket for unblocking the port. Unlike with Vultr, I explained what I wanted and all ports were opened, no problem. And their support (in my experience) is very quick, and they know what they are talking about when they reply, unlike some.
     
    Last edited: Oct 25, 2022
  13. eva2000 (Administrator, Brisbane, Australia)
    Same whenever I do tests on Hetzner; definitely happy with the whole experience from spinning up to running a server, and bang for the buck it's good, with explicit guarantees of knowing if you're getting an Intel or AMD preferred CPU :) Wish Linode would do that!

    Haven't dealt with the IPv6 side so might have to look at that too.

    As to Hetzner port blocks, yeah, after my first paid invoice I requested an unblock without issue.
     
  14. Tracy Perry (Active Member, Texas)
    I'm more and more impressed with Hetzner for a simple web server (don't know about mail) the more I play with it. I'm really tempted to roll out a 4vCPU/8GB/160GB instance with AlmaLinux/CentMinMod on it and run the WordPress site for a bit, and if there are no issues, move the forum over to it.

    I made up a simple script to add the :10-:50 entries on reboot, since they are not static, and put it in /etc/init.d with the appropriate runlevels set.
    Code:
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 5.161.128.82  netmask 255.255.255.255  broadcast 5.161.128.82
            inet6 fe80::9400:1ff:fe9d:c395  prefixlen 64  scopeid 0x20<link>
            inet6 2a01:4ff:f0:c00c::50  prefixlen 128  scopeid 0x0<global>
            inet6 2a01:4ff:f0:c00c::40  prefixlen 128  scopeid 0x0<global>
            inet6 2a01:4ff:f0:c00c::30  prefixlen 128  scopeid 0x0<global>
            inet6 2a01:4ff:f0:c00c::20  prefixlen 128  scopeid 0x0<global>
            inet6 2a01:4ff:f0:c00c::10  prefixlen 128  scopeid 0x0<global>
            inet6 2a01:4ff:f0:c00c::1  prefixlen 64  scopeid 0x0<global>
            ether 96:00:01:9d:c3:95  txqueuelen 1000  (Ethernet)
            RX packets 1005  bytes 187988 (183.5 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 615  bytes 137519 (134.2 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
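The boot-time alias script described in the post, and the `ip address add` step from post 11, as an added example (not the poster's script). The prefix, interface and :10 to :50 range are read off the ifconfig output above; the systemd unit name and path are assumptions (the post used /etc/init.d). Two details worth knowing: `ip address add` with no prefix length installs a /128, which is exactly why the added addresses show `prefixlen 128` while `::1` shows `prefixlen 64`; and a script that binds whatever it is told will happily configure addresses outside your allocation, so the generator refuses anything that falls outside the /64.

```python
"""Generate the IPv6 alias commands and a persistent systemd unit for the
:10 to :50 addresses shown in the post, checked against the assigned /64.

Added example, not the poster's script. The prefix, interface and address
range come from the ifconfig output in the post; the unit file name/path
and the use of systemd instead of /etc/init.d are assumptions.
"""
from __future__ import annotations

import ipaddress

PREFIX = "2a01:4ff:f0:c00c::/64"   # the ::1 line in the post carries prefixlen 64
DEV = "eth0"


def alias_addresses(prefix: str, first: int, last: int, step: int = 0x10) -> list[str]:
    """prefix::first, prefix::first+step, ... up to prefix::last, refusing any
    value that would land outside the allocated prefix."""
    net = ipaddress.IPv6Network(prefix)
    out = []
    for host in range(first, last + 1, step):
        addr = net.network_address + host
        if addr not in net:
            raise ValueError(f"{addr} is outside {net}; refusing to bind an address you do not own")
        out.append(str(addr))
    return out


def ip_commands(prefix: str, first: int, last: int, dev: str = DEV) -> list[str]:
    """`ip address add` without a prefix length installs a /128 (the
    'prefixlen 128' lines in the post). A /128 still works because ::1/64
    already provides the on-link route; passing the real prefix length makes
    the intent explicit and keeps the aliases consistent with ::1."""
    plen = ipaddress.IPv6Network(prefix).prefixlen
    return [f"ip -6 address add {a}/{plen} dev {dev}" for a in alias_addresses(prefix, first, last)]


def systemd_unit(prefix: str, first: int, last: int, dev: str = DEV) -> str:
    """A oneshot unit that re-adds the aliases after every boot. Install as
    /etc/systemd/system/ipv6-aliases.service (assumed name) and run
    `systemctl daemon-reload && systemctl enable --now ipv6-aliases`.
    The leading '-' makes systemd ignore 'RTNETLINK answers: File exists'
    if the unit is re-run while the addresses are already present."""
    execs = "\n".join("ExecStart=-/usr/sbin/" + cmd for cmd in ip_commands(prefix, first, last, dev))
    return (
        "[Unit]\n"
        f"Description=Add IPv6 aliases to {dev}\n"
        "After=network-online.target\n"
        "Wants=network-online.target\n\n"
        "[Service]\n"
        "Type=oneshot\n"
        "RemainAfterExit=yes\n"
        f"{execs}\n\n"
        "[Install]\n"
        "WantedBy=multi-user.target\n"
    )


if __name__ == "__main__":
    print(systemd_unit(PREFIX, 0x10, 0x50))
```

On an AlmaLinux image managed by NetworkManager, `nmcli connection modify <conn> +ipv6.addresses 2a01:4ff:f0:c00c::10/64` (one per address) is the persistent alternative that does not touch the generated ifcfg file; the unit above is for images where that is not available.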
    
    
     
  15. duderuud (Active Member, The Netherlands)
    Running my big board @ Hetzner for quite a while now. First I used a VPS, but I wanted even more power (more memory specifically), so I rented a dedicated server. Great experience so far.

    What Eva said, best bang for your buck.
     
  16. Tracy Perry (Active Member, Texas)
    Just grabbed a 4vCPU/8GB/160GB instance... and having fun with AlmaLinux on it. Just figured out it is yet another that creates a separate /home and / directory structure for you. I realize the usefulness of it... but honestly, for a smaller VPS like this I prefer to have everything on one mount point/drive to maximize the space.
     
  17. eva2000 (Administrator, Brisbane, Australia)
    Oh it does? Which other host does that for VPS builds?
     
  18. Tracy Perry (Active Member, Texas)
    It's apparently the default ISO image for AlmaLinux that Hetzner uses. You have to mount that image, then boot into it, and then begin the install process. If you use the default partitioning format with that ISO image, it creates a /home and a / partition, split about 50/50 on available space.

    (screenshot of the partition layout)
     
  19. eva2000 (Administrator, Brisbane, Australia)
    Cheers. Not the best process, especially for folks not expecting it!
     
  20. Tracy Perry (Active Member, Texas)
    Yep, ergo the fact I had to re-install everything... but I did get the fun of seeing how fast CentMin installed on it! Honestly, probably the fastest of any VPS (other than ones I had set up on my own dedicated server) I've done.