Troubleshooting: Locked Out of RDP

Reading Time: 3 minutes

How Do I Get Back Into RDP?

You may be working from a local machine that has an IP that is not scoped on that RDP port, making it impossible for you to gain remote access to add the IP address to the RDP rule’s scope. Do not fret; there is a simple and quick way to add your IP to the RDP scoping (or any other entities such as MySQL or MSSQL) right through your Plesk interface in your local browser.

For security purposes, it is always recommended that you scope off your Remote Desktop Protocol (RDP) connection on your server. Putting a scope on the RDP rule in the Windows Firewall will allow only the indicated IP addresses to gain access to the server through Remote Desktop Protocol. The issue is that many of us do not have static IP addresses, but rather dynamic IP addresses. This means that while at one time our IP address may be 120.32.111.01, it may change to something like 95.42.121.01 later. So if you were to add 120.32.111.01 to the RDP firewall for a customer or a system administrator, then you may need to add another rule for a different IP address.

 

Adding Your IP in Plesk

Step 1: Log in to Plesk

First, we need to make sure we know how to get to that Plesk login page. By default, the Plesk login page is https://<YourServerIP>:8443. For example https://124.0.0.1:8443

We should arrive on a page with this in the center. Go ahead and type in Admin for the username and your password for Plesk. Usually, that password is set up by our team and is the default Server Administrator Password. Sometimes the username is Administrator, depending on a few variables. But one of the two user names should be fine.

If you are locked out of RDP you can enter Plesk by using the default admin user.

Step 2: Tools & Settings

The first thing we need to do after we log into Plesk through the previous page is to navigate to the Firewall Rules. Go ahead and click on Tools & Settings. It will be located in the right sidebar near the bottom as shown below.

If you are locked out of RDP log into Plesk and navigate Tools & Settings.

Step 3: Firewall

Once we pull up Tools & Settings go ahead and click on our destination, Firewall. You will find that option under the Security section. It will be the second option, just under Security Policy.

If you are locked out of RDP log into Plesk and navigate Tools & Settings >>> Firewall.

Step 4: Firewall Rules

After we are in the Firewall management, go ahead and click on Firewall Rules. This is where we will add the rule to allow a certain IP address to gain RDP access.

Step 5: Add a Firewall Rule

Under Tools, after going into the Firewall Rules, we will see the option labeled Add Firewall Rule. Go ahead and click on that, bringing us to our next step.

Step 6: Details of the New Rule

This is the page that we see after clicking on Add Firewall Rule. It can seem to be complicated and intimidating for some beginner level System Administrators, but it is quite simple.

When Adding a New Rule in Plesk you'll be asked for the following details.

If you or your client are not sure what that IP address that needs RDP access is, Liquid Web has a great site to visit that will only display your IP address here.

Note:

Here is an example of what you will find at https://ip.liquidweb.com.

While this particular example IP will not be the one that the customer or the System Administrator will see, (when visited on the local machine) the page will display the IP address that needs to be added to the rule for this RDP session to connect. That will be the only information that will be displayed on this page. Simply copy that IP address and use it in the instructions below.

To get back into your server, enter in your IP into the Remote addresses field.

Once you enter the IP address into the text box under Remote addresses, you do need to click the ADD button before clicking on OK.

To add your IP into the firewall you must click Add and OK.

As mentioned above, after clicking the ADD button while the IP address is entered into the Add an IP address or a network text box, it will be placed into the left text box. After that step, you will then be able to click OK to apply this rule to the firewall for the server.

Step 7: Connect to RDP

The individual at that IP address can now access the server via RDP. If you would like more information on how to use Remote Desktop Connection, you can find a help article explaining exactly how to do that here.

Congratulations! You now know how to add an IP address to an RDP rule that will allow a user to connect if the RDP is scoped off to the public. This can be done many times. Plesk does not allow you to edit the rule, so you will have to create a new one each time, but this shouldn’t cause any issues. Also, keep in mind that this method can be used for any port, including MySQL and MSSQL.

If you ever have any trouble with your Liquid Web server, feel free to contact us through our chat system, by submitting a ticket, or by calling 800-580-4985. We’d love to help!

Using a Cron Wrapper Script

Reading Time: 4 minutes

This tutorial is intended to do two things: to expand on the Cron Troubleshooting article; and to give an overview of a simple scripting concept that uses the creation of a file as a flag to signify something is running. This is primarily useful when you need to run something continuously, but not more than one copy at a time. You can create a file as a flag to show that a job is already running, and in turn, check for that flag before taking further action.

The direct application of this is when you have a cron job that runs every minute, or every few minutes. With a rapidly repeating cron, if the previous job takes any longer than the scheduled time, these tasks can pile up causing load on the server, or exacerbating other issues. To avoid this, a simple script can be set up in the crontab (in place of the intended cron task). When the cron is run, it only runs the actual task if there is not a competing process already running.

Why Use a Cron Wrapper?

A cron wrapper is used when you have a cron job that needs to run back to back but needs to not step on itself. This is good for tasks that you want to set up to run continuously. Jobs that should be run anywhere between every minute and every five minutes should be utilizing a wrapper like this.

If you do not use a wrapper on a cron job that runs too frequently, you can get multiple jobs running at the same time trying to do the same thing. These competing tasks slow down the whole works. These “stacking cron jobs” can even get so out of hand that they overload a server and cause it to stop responding normally.

What is a Cron Wrapper?

The reason this is called a cron wrapper is that it is a script that wraps around the cron job, and checks if another instance of the cron is already running. If there is another copy running, the wrapper will make the cron skip this run, and wait until the next run to check again. There are a few ways that cron wrappers ensure no overlap.

 

Process Check Method

One way is to check all the running processes for the user and confirm that there isn’t already another process with the same name or attributes as the one you want to run. This is how Magento’s cron.sh file works: it checks for another instance of cron.php being run as the user, and if there is one running, it exits. This can be complicated to do reliably, and so is not something that we would recommend for just starting out.

 

Lockfile Method

A straightforward method is to use what is called a lockfile. The cron wrapper checks if the lockfile (any file with a specific name/location) exists at the start of the run. If the lockfile is missing, the script creates that file and continues. The creation of the lockfile signals the start of the cron job. When the cron job completes the wrapper script then removes the lock file.

So long as the lockfile exists, a new wrapper will not run the rest of the cron job while another one is running. Once the first run completes and the lock is removed another wrapper will be able to create a new lock file again and process normally.

 

A Wrapper Script Example

To start, we want to create a simple bash script. Within a file we state the script to be interpreted by the program /bin/bash

#!/bin/bash

Then we want to define the name and location of the lockfile we’ll be using as our flag.

# Set lockfile name and location (~ is left unquoted so the shell expands it)
lockfile=~/tmp/cronwrapper.lock

 

Next, the script needs to check if that lockfile exists. If it does exist, then another copy of the script is already running, and we should exit the script.

# Check if the lockfile exists
if [[ -f $lockfile ]]; then
# If the lockfile exists quit
exit;

Else, if the lockfile does not exist, then we should create a new lock file to signify that we are continuing with the rest of the script. Creating the lockfile also tells any future copies that might be run to hold off until the lockfile is removed. We also want to include the actual job to be run, whether that’s a call to a URL through the web, running a PHP file on the command line, or anything else.

# If the lockfile is missing continue
else
# Create the lockfile
touch "$lockfile"
# Insert cron task here

Once the intended job is run and completes, we want to clean up our lockfile, so that the next run of the cron job knows that the last run completed and everything is ready to go again.

# Cleanup the lockfile
rm -f "$lockfile"
fi

In the example above, it is convenient to define the lock file as a variable ($lockfile) so that it can be referenced easily later on. Also if you want to change the location, you only have to change it one place in the script.

This example also uses a “~” in the path to the lock file as a shortcut. This tells the shell to assume the user’s home directory. As such, the full path would look something more like this: /home/username/tmp/cronwrapper.lock.

However, by using the “~” you can use copies of the same script for many users on the same server, and not have to modify the full path for each user. The shell will automatically use the home directory for each user when the wrapper script is run.

Putting It All Together (cronwrapper.sh)

You can copy and paste the following into your text editor of choice on your server. You can name it whatever you want, but here are all the parts put together.

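#!/bin/bash
# Set lockfile name and location (~ is left unquoted so the shell expands it)
lockfile=~/tmp/cronwrapper.lock
# Check if the lockfile exists
if [[ -f "$lockfile" ]]; then
    # If the lockfile exists quit
    exit
else
    # Create the lockfile
    touch "$lockfile"
    # Insert cron task here
    # Cleanup the lockfile
    rm -f "$lockfile"
fi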

This is a very simple example and could be expanded much further. Ideally, you might add a check to ignore a lock file older than an hour and to run a new instance of the cron job anyway. This would account for an interrupted job that failed to clean up after itself. Another extension might be to confirm that the previous job completed cleanly. Yet another would be to check for errors from the cron job being run and make decisions or send alerts based on those errors. The world is your oyster when it comes to cron wrappers! Take a look at Liquid Web’s VPS servers for tasks like these to run smoothly.
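The extensions suggested above (ignoring a lock older than an hour, noticing a task that failed), as an added example that is not part of the original article. It also creates the lock atomically with noclobber, so two wrappers that start together cannot both pass the check. The names LOCKFILE, MAX_AGE, try_create, acquire_lock, release_lock and run_wrapped, and the exit code 75 for a skipped run, are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the article's script. All names below are hypothetical.
# Keep the lock in a directory only this user can write (not /tmp), so another
# local user cannot pre-create it or point it somewhere else with a symlink.
LOCKFILE="${LOCKFILE:-$HOME/tmp/cronwrapper.lock}"
MAX_AGE="${MAX_AGE:-3600}"    # seconds; the "older than an hour" rule

# With noclobber (set -C) the redirection fails if the file already exists,
# so "check" and "create" happen in one step instead of two.
try_create() {
    ( set -C; printf '%s %s\n' "$$" "$(date +%s)" > "$LOCKFILE" ) 2>/dev/null
}

# Returns 0 if this run now holds the lock, non-zero if another run holds it.
acquire_lock() {
    mkdir -p "$(dirname "$LOCKFILE")"
    try_create && return 0
    # The lock exists: read the start time its owner recorded in it.
    started=$(cut -d' ' -f2 "$LOCKFILE" 2>/dev/null) || started=
    case "$started" in
        ''|*[!0-9]*) started=0 ;;    # unreadable or garbled lock counts as stale
    esac
    age=$(( $(date +%s) - started ))
    [ "$age" -le "$MAX_AGE" ] && return 1
    # Stale: the previous run died without cleaning up. Remove it and retry
    # once; if another wrapper wins the retry, try_create fails and we skip.
    echo "cronwrapper: removing stale lock (age ${age}s)" >&2
    rm -f "$LOCKFILE"
    try_create
}

# Remove the lock only if it still carries this shell's PID.
release_lock() {
    owner=$(cut -d' ' -f1 "$LOCKFILE" 2>/dev/null) || owner=
    [ "$owner" = "$$" ] && rm -f "$LOCKFILE"
    return 0
}

# run_wrapped CMD [ARGS...]: run the task under the lock and return its status.
# Returns 75 (EX_TEMPFAIL) when the run is skipped because a lock is held.
run_wrapped() {
    acquire_lock || return 75
    trap 'release_lock' EXIT    # clean up if the shell exits before release_lock
    "$@"
    status=$?
    release_lock
    trap - EXIT
    [ "$status" -ne 0 ] && echo "cronwrapper: task exited with $status" >&2
    return "$status"
}

# Crontab entry (placeholder path): * * * * * /path/to/cronwrapper.sh php cron.php
if [ "$#" -gt 0 ]; then
    run_wrapped "$@"
    exit $?
fi
```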

Configure Nginx to Read PHP on Ubuntu 16.04

Reading Time: 4 minutes

Nginx is an open source Linux web server that accelerates content while utilizing low resources. Known for its performance and stability Nginx has many other uses such as load balancing, reverse proxy, mail proxy, and HTTP cache. Nginx, by default, does not execute PHP scripts and must be configured to do so.  In this tutorial, we will show you how to enable and test PHP capabilities with your server.


How to Use Ansible

Reading Time: 8 minutes

Ansible is an easy to use automation software that can update a server, configure tasks, manage daily server functions and deploy jobs as needed on a schedule of your choosing. It is usually administered from a single location or control server and uses SSH to connect to the remote servers. Because it employs SSH to connect, it is very secure, and there is no software to install on the servers being managed. It can be run from your desktop, laptop or other platforms to assist with automating the tedious tasks which every server owner faces.


Troubleshooting: Cron Jobs

Reading Time: 4 minutes

Cron is a service for Linux servers that automatically executes scheduled commands. A cron job can be a series of shell commands, scripts, or other programs. Cron tasks or jobs can perform a variety of functions and, once run, can send out an e-mail message to inform you of their completion or errors. If you receive an error, there are many ways to troubleshoot the cron task. Use this article for troubleshooting assistance or a tutorial on the basics of cron jobs. If you would like to learn more about creating a cron job, check out our Knowledge Base tutorials on the subject.

Apache Performance Tuning: Swap Memory

Reading Time: 3 minutes

Before we get into the nitty-gritty of Apache tuning, we need to understand what happens when servers go unresponsive due to a poorly optimized configuration. An over-tuned server is one that is configured to allow Continue reading “Apache Performance Tuning: Swap Memory”

Remote Desktop Troubleshooting

Reading Time: 6 minutes

Remote Desktop Protocol (or RDP) is the most common method of gaining administrative access to a Windows server. RDP is available on all versions of Windows server and a client (called Remote Desktop Connection) is included with all versions of Windows desktop operating systems. Clients are also available for Macintosh operating systems from Microsoft in the iTunes store and for Linux desktops with applications like FreeRDP. Connecting to your server via RDP allows you full control of the server desktop environment, just as if you were sitting in front of the server’s monitor and keyboard. Depending on your permissions and settings, you can copy and delete files, change file permissions or settings, and even print documents from the server.

Pre-Flight Check

Using Remote Desktop Protocol to manage a Windows server generally requires a few basic settings and information about the server.

  • First, the Remote Desktop Service must be running on the server to which you would like to connect (RDP uses port 3389 by default).
  • Second, you need to know the IP address of the server.  
  • Third, you must have a username and password that is allowed to connect to the server remotely (often, this is the primary administrator account, but can also be a secondary account set up specifically for remote access purposes).
  • Finally, the Windows firewall (and any other hardware or software firewalls) needs to be configured to allow Remote Connections from your location.

 

Once you have all of the correct settings enabled, IP address and user account details, you can connect RDP to your server! Just launch the RDP client, enter the IP address of the server and the user credentials, and log in to the server using what looks like the standard Windows desktop environment.

Image of Remote Desktop Connection

As helpful as the Remote Desktop Protocol can be when it comes to managing your Windows server, there are also times when the connection fails, which can be very frustrating as the error message is generally not very helpful (often just the window shown below).         

RDP Connection Error Pop Up

 

The error shown above means that for some reason, your client was unable to make a connection to the Windows server via the Remote Desktop Protocol. When you are experiencing connectivity issues, there are many items that you can check to try to resolve the problem.

 

  1. Ensure you can reach the server via ICMP (or Ping). Most desktop operating systems will allow you to send small bits of information to the computer to verify connectivity and connection speeds. Generally, you just need to open a terminal window (on a Windows desktop, press the Window key, then type cmd and press enter) and enter the following command: ping IP or ping domain.tld. Normally, you’ll receive an output that is similar (image: Ping Results).
  2. This output shows the pings were successful to the destination and took between 50 ms and 150 ms to complete. These pings indicate a successful connection to the server as desired (at least over ICMP). If the output for the command shows a failure to respond, we know there is some network interference.
  3. If the ping test fails (indicated by repeating asterisks), check your internet connectivity to guarantee that you can reach other resources on the internet. If not, you may need to contact your local service provider to restore your internet access.
  4. Reaching other internet sites but not your server indicates your server is refusing connections from your IP address (due to security software or firewall settings). You may need to contact your hosting company to verify there is not an IP address blocked by your server. You can find your current public IP address by going to http://ip.liquidweb.com.
  5. Can you ping your server, but still can’t connect over RDP? It is likely an issue with the RDP service or your firewall. You’ll need to contact your hosting company to get assistance with the service or firewall.

Firewall Issues

Best practice in configuring a firewall is to allow the least amount of access necessary for the various connections to the server. Limiting the connections to a particular service like RDP is called “scoping” the access for that service. If your configured Windows firewall scopes traffic on RDP, it’s possible that a user may not be able to connect due to their IP address not being included in the rule. If one user can access the server via RDP but another user cannot, check the firewall; their IP address may not be included in the allowed list of IPs for Remote Desktop Access.

  1. Log in to the server, click on the Windows icon, and type Windows Firewall into the search bar.
  2. Click on Windows Firewall with Advanced Security.
  3. Click on Inbound Rules
  4. Scroll down to find a rule labeled RDP (or using port 3389).
  5. Double-click on the rule, then click the Scope tab.
  6. Make sure the user’s current IP address is included in the list of allowed Remote IPs.

If you are unable to connect to the server from your location, contact your hosting company for help in checking the firewall rule for RDP access.

User Connectivity Problems

Can you connect to RDP using the administrator account, but one or more of the other accounts cannot? There may be a problem with the user account permissions.

  1. Make certain the user is a member of the Remote Desktop Users group. Log in to the server with the administrator account, then go to the Local Users and Groups control panel (Open Administrative Tools, then open Computer Management).
  2. Navigate to the Remote Desktop Users group and verify that the user is a member of the group. If they are not a member of the group, add them as a member of the group.
  3. Go to the username under the Users tab. Make sure that the user account is not locked out. Accounts can get locked out due to too many attempts to log in with an incorrect password (either by the user or by a brute force attack on the server).
  4. Double check the firewall for the IP address of the user and add to the scope of the RDP rule.

No Available Connections/Sessions

By default, Windows server only allows two users to connect via RDP simultaneously. If both sessions are already in use, you will receive an error indicating that no additional users are allowed to connect at this time.

To resolve this issue, you will need to wait until one of the other users logs out, or you will need to purchase additional RDP user licenses from your hosting provider (assuming that you regularly need access for more than two users at a time).

Failed login attempts during a brute force attack can sometimes take up RDP licenses, even though the session isn’t connecting. If you are experiencing unavailable sessions even when no one is logged in to the server, it’s possibly the result of a malicious login. The best remedy for this situation is to scope the firewall rule to prevent access attempts from unauthorized IP addresses.

Data Encryption Errors

If you are using an out of date Remote Desktop Client or are connecting to an older Windows server, you may receive an error that there is a problem with the TLS settings for the connection. Generally, you can resolve this issue by updating your RDP client software on your workstation. It may also be possible to set the client to ignore these errors, but that could leave your workstation and your server vulnerable to malicious attacks.

Sudden Disconnection

If you are using RDP and suddenly lose the connection, the issue is almost always related to your internet connection. Check to make sure that you can stay connected to other services (like running a ping command in the background). If you are not losing internet connectivity, it’s possible that the server is running out of memory or the RDP service may be under an active brute force attack. If you’ve confirmed that your internet connection is stable, contact your hosting company to make sure that the server is not the cause of the lost connection.

Slow Connection Issues

If the connection between your location and your server is slow your Remote Desktop Session may not function as smoothly as you would like. However, you may be able to adjust the Desktop Environment settings of the connection before you connect to simplify and speed up the connection.

  1. Open the Remote Desktop Client application (these directions are for the Windows built-in client, but most RDP clients have similar settings available).
  2. Click on the Experience tab to see the various items you can choose to enable or disable to improve your connection speeds. Change the drop-down to select a specific connection speed or select/deselect the various items to optimize performance.

         

Windows 10 Update Issues

Oddly enough, Microsoft updates often cause problems with RDP connectivity. As recently as April 2018, an update on both the server operating system and the Windows 10 desktop operating system caused connectivity issues for many users. Generally, the best policy is to update both the server and workstation, as connectivity issues most often arise when the two systems are not on the same update cycle. You may be able to resolve a new connectivity issue by removing a recent Windows update (either on the server or the desktop). Many users also reported that disabling the Printer option from the local resources setting resolved the most recent connectivity issue.

Local Resources

 

While RDP is a great tool for managing your Windows server, connectivity issues can be frustrating. By working through the possible causes of the connection problem, you will generally be able to get reconnected and working again in no time!

Configuring and Troubleshooting WHMCS Crons

Reading Time: 3 minutes

Over the years WHMCS has made some changes to where it stores certain directories, specifically directories outside of public_html. The goal of this is to increase overall security by moving sensitive files to a more protected location. While this change does help to improve WHMCS security, it also adds a few steps of complexity.

This article is meant to help simplify this complexity, or at least provide a reference configuration that you can use to troubleshoot cron issues, or gain a better understanding of WHMCS crons in general. I used WHMCS 7.3 for this article, but the general concept and instructions should apply for any 7.0 version of WHMCS.

How to Install Logwatch on Fedora 21

Reading Time: 1 minute

Logwatch is a Perl-based log management tool for analyzing, summarizing, and reporting on a server’s log files. It is most often used to send a short digest of server’s log activity to a system administrator.

What are log files? Logs are application-generated files useful for tracking down and understanding what has happened in the past.

Pre-Flight Check

  • These instructions are intended specifically for installing the Logwatch on Fedora 21.
  • I’ll be working from a Liquid Web Self Managed Fedora 21 server, and I’ll be logged in as root.
