Saturday 31 December 2011

Unmetered Bandwidth

Before talking about unmetered bandwidth it is important to understand what bandwidth is. Bandwidth is the amount of data transfer you have available to move your website's pages and files from the web server to the browser of a visitor. Web pages and graphics consume bandwidth, or capacity, on the web, and bandwidth and disk space cost money. Technically, bandwidth is the data-carrying capacity of a network: the maximum amount of data that can pass from one point to another per unit of time.

As time goes by, the web hosting industry keeps growing at a fast pace, with new advances arriving all the time. Web hosting companies have increasingly begun to tout “unlimited bandwidth” or “unmetered bandwidth” as a major selling point of their hosting plans. These claims are generally seen as little more than a marketing ploy. Unlimited bandwidth is a hosting plan feature that concerns the transfer, or traffic, your website generates. It is useful for both personal and business websites that have substantial volumes of visitors but do not wish to purchase dedicated server hosting. Unmetered bandwidth, by contrast, refers to bandwidth that is not measured. It generally describes offers that explicitly mention an initial limit which, once reached, will be raised on request at no charge. The only reason a web host can offer unlimited bandwidth at all is that most websites use only a fraction of the bandwidth available to them.

Unlimited and unmetered bandwidth are closely interlinked. Every visitor to your site uses some resources; with unlimited bandwidth those resources are free, and you can have as much traffic to your website as you want, which is why such an account is often described as having “unmetered bandwidth”. With unmetered bandwidth the system does in fact measure data traffic consumption; what the host does not do (or claims not to do) is put a limit on that consumption. In other words, “unmetered bandwidth” refers to the speed of data transfer, whereas “unlimited bandwidth” ideally means that, as far as the amount of data transfer goes, you can download or upload as much data as you want in a given period of time. With an unmetered server's unlimited bandwidth plan you never have to worry about unwanted bandwidth overage fees, and you can always upgrade your plan to fit your hosting needs.

Given the many limitations a website can run into on the internet, a user may well choose unlimited bandwidth, since it is one of the more attractive options: if it is unlimited, you never need to worry about running out.

Saturday 26 November 2011

Enabling the slow query log

MySQL reports how much time it took to execute a query.

Step 1: Enable the slow query log, set a slow query log file, and set long_query_time in my.cnf.
Edit the MySQL configuration file:


vi /etc/my.cnf



 

In the [mysqld] section add/edit the following variables:


long_query_time = 0
slow_query_log = 1
slow_query_log_file=/var/log/mysqld.slow.query.log



We are setting the long_query_time variable to 0, so any MySQL query taking more than 0 seconds, that is, every query, will be logged. This is useful while investigating, but it produces a very large log on a busy server, so raise the threshold again afterwards.

 

Step 2: Create the file /var/log/mysqld.slow.query.log and set the system user mysql as the owner.


touch /var/log/mysqld.slow.query.log
chown mysql.mysql /var/log/mysqld.slow.query.log



 

Step 3: Restart MySQL server


/etc/init.d/mysqld restart



 

Step 4: Watch the slow query log using the tail command.


tail -f /var/log/mysqld.slow.query.log



 

A sample entry on my server looks like this:

[root@localhost ~]# tail -f /var/log/mysqld.slow.query.log 
SET timestamp=1255345490;
SELECT `privilege`.* FROM `privilege` WHERE ( name = 'view service invoices"') LIMIT 1;
# User@Host: biz_1[biz_1] @ localhost []
# Query_time: 0.000273 Lock_time: 0.000104 Rows_sent: 1 Rows_examined: 1
SET timestamp=1255345490;
SELECT * FROM organization_details;
# User@Host: biz_1[biz_1] @ localhost []
# Query_time: 0.000048 Lock_time: 0.000000 Rows_sent: 1 Rows_examined: 1
SET timestamp=1255345490;
# administrator command: Quit;


If you observe the log entry, the last query took 0.000048 seconds.
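As an added example (not part of the original post), here is a small Python parser for the slow-log entry format shown above. The sample entries in SAMPLE_LOG are constructed to match that format and include one long-running query; the parser ranks entries by Query_time and flags those that examine far more rows than they return, which is usually the signature of a missing index.

```python
"""Parse MySQL slow query log entries and rank them.

Added example, not code from the original post. SAMPLE_LOG is a constructed
sample in the same entry format as the tail output shown above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LOG = """\
# User@Host: biz_1[biz_1] @ localhost []
# Query_time: 0.000273 Lock_time: 0.000104 Rows_sent: 1 Rows_examined: 1
SET timestamp=1255345490;
SELECT `privilege`.* FROM `privilege` WHERE ( name = 'view service invoices') LIMIT 1;
# User@Host: biz_1[biz_1] @ localhost []
# Query_time: 2.500000 Lock_time: 0.000000 Rows_sent: 10 Rows_examined: 250000
SET timestamp=1255345491;
SELECT * FROM organization_details
  WHERE notes LIKE '%invoice%';
# User@Host: biz_1[biz_1] @ localhost []
# Query_time: 0.000048 Lock_time: 0.000000 Rows_sent: 1 Rows_examined: 1
SET timestamp=1255345490;
SELECT * FROM organization_details;
# administrator command: Quit;
"""

USER_RE = re.compile(r"^# User@Host: (?P<user>\S+) @ (?P<host>\S*)")
STATS_RE = re.compile(
    r"^# Query_time: (?P<qt>[\d.]+)\s+Lock_time: (?P<lt>[\d.]+)"
    r"\s+Rows_sent: (?P<rs>\d+)\s+Rows_examined: (?P<rx>\d+)"
)
TS_RE = re.compile(r"^SET timestamp=(?P<ts>\d+);")


@dataclass
class SlowEntry:
    user: str
    host: str
    query_time: float = 0.0
    lock_time: float = 0.0
    rows_sent: int = 0
    rows_examined: int = 0
    timestamp: Optional[int] = None
    sql: str = ""


def parse_slow_log(text: str) -> List[SlowEntry]:
    """Each entry starts with a '# User@Host' header; the SQL may span several lines."""
    entries: List[SlowEntry] = []
    current: Optional[SlowEntry] = None
    sql_lines: List[str] = []

    def flush() -> None:
        nonlocal current, sql_lines
        if current is not None and sql_lines:
            current.sql = " ".join(sql_lines)
            entries.append(current)
        current, sql_lines = None, []

    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = USER_RE.match(line)
        if header:
            flush()
            current = SlowEntry(user=header["user"], host=header["host"])
            continue
        if current is None:
            continue                      # tail -f started mid-entry: skip the fragment
        stats = STATS_RE.match(line)
        if stats:
            current.query_time = float(stats["qt"])
            current.lock_time = float(stats["lt"])
            current.rows_sent = int(stats["rs"])
            current.rows_examined = int(stats["rx"])
            continue
        ts = TS_RE.match(line)
        if ts:
            current.timestamp = int(ts["ts"])
            continue
        if line.startswith("#"):
            continue                      # e.g. "# administrator command: Quit;"
        sql_lines.append(line)
    flush()
    return entries


def slowest(entries: List[SlowEntry], n: int = 3) -> List[SlowEntry]:
    return sorted(entries, key=lambda e: e.query_time, reverse=True)[:n]


def full_scan_suspects(entries: List[SlowEntry], min_ratio: int = 1000) -> List[SlowEntry]:
    """Queries that examine far more rows than they return usually lack an index."""
    return [e for e in entries if e.rows_examined / max(e.rows_sent, 1) >= min_ratio]


if __name__ == "__main__":
    parsed = parse_slow_log(SAMPLE_LOG)
    for entry in slowest(parsed):
        print(f"{entry.query_time:.6f}s  examined={entry.rows_examined:<7} {entry.sql[:60]}")
    for entry in full_scan_suspects(parsed):
        print("possible missing index:", entry.sql[:60])
```

Run it against a real log with `parse_slow_log(open("/var/log/mysqld.slow.query.log").read())`; the Rows_examined/Rows_sent ratio is a better first filter than Query_time alone, because a query that scans a whole table can still be fast on a small, cached table and only hurt once the table grows.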

Enabling the MySQL general query log


Step 1: Set your log file in /etc/my.cnf


vi /etc/my.cnf



In the [mysqld] section specify the general log file name (on MySQL 5.1.29 and later the log directive is deprecated in favour of general_log_file):


log=/var/log/mysqld.general.log



 

Step 2: Create the file and make sure it is owned by the system user mysql


touch /var/log/mysqld.general.log
chown mysql.mysql /var/log/mysqld.general.log



 

Step 3: Enable the general log in the MySQL client. Connect to the MySQL server using the MySQL client and execute this query.


SET GLOBAL general_log = 'ON';



 

Step 4: Restart mysqld and watch the logs


/etc/init.d/mysqld restart



 

To watch the logs use the tail command.


tail -f /var/log/mysqld.general.log



 

A sample entry in my general query log looks like:

[root@localhost ~]# tail -f /var/log/mysqld.general.log
091012 13:52:53 2 Query SELECT `profile`.* FROM `profile` WHERE (user_id = 1) LIMIT 1
2 Query SELECT `u`.`user_id`, `u`.`email`, `u`.`status`, `u`.`mode`, `u`.`hash`, `u`.`created`, `u`.`alt_email`, `u`.`host_created`, `u`.`ip_created`, `u`.`user_timezone`, `p`.*, `r`.`name` AS `primaryRoleName`, `urp`.`email` AS `reportsToEmail`, `b`.`branch_name` FROM `user` AS `u`
LEFT JOIN `profile` AS `p` ON p.user_id = u.user_id
LEFT JOIN `role` AS `r` ON r.role_id = p.primary_role
LEFT JOIN `user` AS `urp` ON urp.user_id = p.reports_to
LEFT JOIN `branch` AS `b` ON b.branch_id = p.branch_id WHERE (u.user_id = '1')
2 Query SELECT `profile`.* FROM `profile` WHERE (user_id = 1) LIMIT 1
2 Query SELECT `privilege`.* FROM `privilege` WHERE ( name = 'view service invoices"') LIMIT 1
2 Query SELECT * FROM organization_details
2 Quit

Monday 21 November 2011

[FIX] Cannot update domain or sub domain configuration in IIS

APPLIES TO:


  • Parallels Plesk Panel for Windows



 Symptoms


When attempting to reconfigure a domain or subdomain configuration in IIS using the websrvmng.exe Plesk tool, an error message is received. For a domain:

"%plesk_bin%websrvmng.exe" --reconfigure-vhost --vhost-name=domain.com

The system cannot find the file specified. (COM Error 80070002)

For a subdomain:

"%plesk_bin%websrvmng.exe" --update-subdomain --vhost-name=domain.com --subdomain=sub

The system cannot find the file specified. (COM Error 80070002) at configSubdomain(sub.domain.com)


Cause


Some default folders for the Plesk domain are missing from the (sub)domain root folder.


Resolution


The missing folders need to be restored using the Plesk reconfigurator. This feature checks file permissions, restores missing folders and creates missing system users for the (sub)domain. It can be executed from the command line as follows:
reconfigurator.exe /check-permissions=domain.com

or from the Plesk Panel:

Plesk, Domains, tick the problem domain, click `Check permissions`.

This should eliminate the cause and the command should run properly. For a subdomain, the parent domain needs to be checked.


Monday 31 October 2011

Linux: /tmp: Read-only file system Error

One of our servers had the following problem when I wanted to edit some files with crontab:


$ crontab -e
/tmp/crontab.XXXX1ibTLU: Read-only file system



This shows that the /tmp partition is not writable. It has been remounted read-only because the file system hit an error. To fix this we need to run a file system check (fsck) on the /tmp partition. Before we can do that, the file system must be unmounted, but the following error occurred:


$ umount /tmp
/tmp: Device or resource busy



It seems that /tmp cannot be unmounted because some files on it are still open or being executed by other processes. Using lsof, we can list all the open files:


$ lsof | grep /tmp
mysqld 2599 mysql 5u REG 7,0 0 6098 /tmp/ibaqFhew (deleted)
mysqld 2599 mysql 6u REG 7,0 0 6099 /tmp/ibC7Yfbn (deleted)
mysqld 2599 mysql 7u REG 7,0 0 6100 /tmp/ibJ8AFbe (deleted)
mysqld 2599 mysql 11u REG 7,0 0 6101 /tmp/ibrLO9t5 (deleted)



As we can see, mysqld is holding some temporary files open in the /tmp directory. The second column shows the PID of the process holding them. We need to stop this process using the kill command (stopping the service cleanly with /etc/init.d/mysqld stop is preferable where it works, since a forced kill gives MySQL no chance to flush its data to disk):


$ kill -9 2599



Only then are we able to unmount /tmp:


$ umount /tmp



Make sure no error is reported during the unmount. Now we can proceed with fsck, using -f (force) and -y (answer yes to all prompts) to automate the file system check:


$ fsck -f -y /tmp
fsck 1.39 (29-May-2006)
e2fsck 1.39 (29-May-2006)
/usr/tmpDSK: recovering journal
Pass 1: Checking inodes, blocks, and sizes
Deleted inode 6097 has zero dtime. Fix? yes

Inodes that were part of a corrupted orphan linked list found. Fix? yes

Inode 6098 was part of the orphaned inode list. FIXED.
Inode 6099 was part of the orphaned inode list. FIXED.
Inode 6100 was part of the orphaned inode list. FIXED.
Inode 6101 was part of the orphaned inode list. FIXED.
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
Inode bitmap differences: -(6097--6101)
Fix? yes

Free inodes count wrong for group #3 (2025, counted=2030).
Fix? yes

Free inodes count wrong (127695, counted=127700).
Fix? yes

/usr/tmpDSK: ***** FILE SYSTEM WAS MODIFIED *****
/usr/tmpDSK: 316/128016 files (3.2% non-contiguous), 66394/512000 blocks



The file system has now been checked and repaired. We can remount the partition with the following command:


$ mount -a



You should now be able to use the /tmp partition again, and I can make my changes in the crontab.

How to change mail attachment size

To change the mail attachment size, we have to change 3 settings.

Change mail size in postfix

Postfix is the MTA, so we have to change its setting to make it accept large mail.

If you want it to accept mail smaller than 100 MB, just change the 'message_size_limit' setting:

# ---- Run below command in terminal ---- 
# postconf -e message_size_limit='104857600' 
# ---- Restart postfix to make it work ---- 
# /etc/init.d/postfix restart


Note:

  • 104857600 is 100 x 1024 x 1024, i.e. 100 MB expressed in bytes.

  • Normally mail is encoded before being transferred, so the actual message size will be larger than 100 MB; you can simply raise the limit to 110 MB or 120 MB to make it work as expected.


----
If you use mail clients such as Outlook or Thunderbird to fetch and send mail, this is enough to send large attachments.
If your users use webmail as their mail client, you have to change two more settings.

Change PHP settings to allow uploading large attachments

You should change 'memory_limit', 'upload_max_filesize' and 'post_max_size' in /etc/php.ini (RHEL/CentOS) or /etc/php5/apache2/php.ini (Debian/Ubuntu).

memory_limit = 200M
upload_max_filesize = 100M
post_max_size = 100M


Change Roundcube webmail to allow uploading large attachments

Change the same settings in the .htaccess file under the roundcube root directory, which is /usr/local/cpanel/base/3rdparty/roundcube/ (RHEL/CentOS) or /usr/share/apache2/roundcube/ (Debian/Ubuntu) by default.

php_value upload_max_filesize 100M 
php_value post_max_size 100M


Restart the Apache web server



# ---- For RHEL/CentOS users ---- 
# /etc/init.d/httpd restart 
# ---- For Debian/Ubuntu users ---- 
# /etc/init.d/apache2 restart




Sunday 30 October 2011

PCI compliance – Vulnerability SSL Version 2 (v2) Protocol Detection linux

Simple enough to fix on Apache.

Open the ssl.conf file and add the following at the bottom:

SSLProtocol -ALL +SSLv3 +TLSv1

then restart Apache.

To test the connection from the command line, type the following (substitute your own host name for google.com; after the fix the SSLv2 handshake should fail, and an OpenSSL built without SSLv2 support will reject the -ssl2 option altogether):

openssl s_client -ssl2 -connect google.com:443
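As an added example (not part of the original post), the Python script below resolves an Apache SSLProtocol directive to the set of protocol versions it leaves enabled and reports the ones that are known to be broken. The +/- keyword handling follows mod_ssl's documented semantics; treating a bare keyword as an addition and "ALL" as every version in the KNOWN tuple (SSLv2 included, as in Apache 2.2) is this script's own simplification. It shows that the line above removes SSLv2, which is what the PCI scan asked for, while still leaving SSLv3 and TLS 1.0 enabled, both of which have been deprecated since.

```python
"""Resolve an Apache SSLProtocol directive to the set of enabled protocol
versions and report the ones that are considered broken.

Added example, not from the original post. The +/- keyword handling follows
mod_ssl's documented semantics; treating a bare keyword as an addition and
"ALL" as every version listed in KNOWN (SSLv2 included, as in Apache 2.2) is
this script's own simplification.
"""
from typing import Set

KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# SSLv2 is the PCI finding in the post; SSLv3 (POODLE) and TLS 1.0/1.1 have
# since been deprecated as well, so a current scan would flag them too.
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
_CANON = {name.lower(): name for name in KNOWN}


def enabled_protocols(directive: str) -> Set[str]:
    """Apply the directive's keywords left to right and return what is enabled."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("expected an SSLProtocol directive")
    enabled: Set[str] = set()
    for token in tokens[1:]:
        sign = "+"
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        if token.lower() == "all":
            names = set(KNOWN)
        elif token.lower() in _CANON:
            names = {_CANON[token.lower()]}
        else:
            raise ValueError(f"unknown protocol keyword: {token}")
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def weak_protocols_enabled(directive: str) -> Set[str]:
    return enabled_protocols(directive) & WEAK


def audit(directive: str) -> str:
    enabled = enabled_protocols(directive)
    weak = enabled & WEAK
    verdict = "OK" if not weak else "WEAK: " + ", ".join(sorted(weak))
    return f"{directive!r} -> enabled {sorted(enabled)}; {verdict}"


if __name__ == "__main__":
    print(audit("SSLProtocol -ALL +SSLv3 +TLSv1"))      # the post's fix
    print(audit("SSLProtocol -ALL +TLSv1.2 +TLSv1.3"))  # what a current scan expects
```

The directive is evaluated left to right, so `-ALL` followed by explicit `+` entries is the unambiguous way to write an allow-list; `all -SSLv2` style lines depend on what "all" means in your Apache version.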

Monday 24 October 2011

How to assign a dedicated IP to a Sub-domain OR Add-on/Park domain?

By default, cPanel allows one IP per account; however, if you wish to assign multiple IPs to an account, say for a sub-domain, you can do so by editing a few files. Follow the steps below:

1) The main configuration file of a domain is stored under the /var/cpanel/userdata/<username>/ directory, so edit the subdomain related file under it

# vi /var/cpanel/userdata/<username>/subdomain.domain.tld


Change the value of “IP” to a dedicated IP and save the file. The add-on and Park domains have their related subdomain files in the same directory.

2) Once the above changes are made, you need to rebuild the Apache configuration for the changes to take effect in the respective VirtualHost entry

# /scripts/rebuildhttpconf


3) To mark the dedicated IP as “used”, edit the file /etc/domainips and enter the sub-domain entry

<dedicated ip>: subdomain.domain.tld


Save the file and rebuild the IP pool

# /scripts/rebuildippool


4) Now, edit the DNS zone file of the main domain (i.e. the domain under which the subdomain is created)

# vi /var/named/domain.tld.db


and set the A record of the sub-domain to point to the new IP. Save the file and restart the ‘named’ service

# service named restart


That’s it.

Note: After rebuilding the IP pool, the IP will still be listed as free under WHM -> IP Functions -> ‘Show IP Address Usage’; however, WHM won't allow you to assign that IP to another domain.

Increasing the Size of tmpDSK (/tmp)

You may have noticed that cPanel’s default partition size for /tmp is 512 MB, which in some cases can be far too small. The /tmp partition on cPanel servers, assuming it is the one cPanel created and not one you made yourself, is a file-based partition that can easily be resized.


By default on most servers, /tmp is the temporary dumping place for a lot of things, for example:

  • PHP session files

  • PHP temporary file uploads

  • MySQL temporary files

  • Cache files for certain Apache modules


Most software that uses temporary files or sessions will automatically prefer /tmp; this folder is usually set to 777 permissions and is therefore writable by every user on the server.

When your /tmp partition fills up, it can cause noticeable problems for your users. If you run a larger server, the /tmp folder can fill up quickly and be very annoying as far as maintenance is concerned. Fortunately there is a very easy way to increase the size of this partition on a standalone server.

  1. Stop MySQL, Apache, and cPanel to prevent writing to the /tmp partition

  2. Copy the contents of /tmp to another location, such as /home (cp -rfp /tmp /home)

  3. Unmount /tmp. If you’re unable to, you can do an lsof (lsof |grep /tmp) to see what processes are still writing to it, and kill them off. Or do a lazy unmount (umount -l /tmp) .

  4. Delete /usr/tmpDSK (rm -rf /usr/tmpDSK)


Now open /scripts/securetmp and look for this line:

my $tmpdsksize     = 512000;    # Must be larger than 250000

Change the 512000 value to your desired size and save the file. The value is in kilobytes: 512000 corresponds to the default 512 MB. Now run the following script to recreate /tmp:

/scripts/securetmp

This will recreate your /tmp (tmpDSK) partition using the size you specified. While the securetmp script may be overwritten in a cPanel update, the size of /tmp will not be affected once you have altered it.

Nginx compilation : PCRE Library Not Found

The HTTP rewrite module requires the PCRE library during the Nginx compilation. The PCRE package contains Perl Compatible Regular Expression libraries useful for implementing regular expression pattern matching.

If PCRE is not installed on the server, the following error message appears during the Nginx compilation:

checking for PCRE library ... not found
checking for PCRE library in /usr/local/ ... not found
checking for PCRE library in /usr/include/pcre/ ... not found
./configure: error: the HTTP rewrite module requires the PCRE library.
You can either disable the module by using --without-http_rewrite_module
option, or install the PCRE library into the system, or build the PCRE library
statically from the source with nginx by using --with-pcre=<path> option.


How to install the PCRE library: SSH to the server as user ‘root’.

1) First, go to a temporary directory

 # cd /usr/local/src


2) Download PCRE:

 # wget http://downloads.sourceforge.net/pcre/pcre-8.10.tar.bz2


3) Unpack and change to the pcre directory

 # tar -jxf pcre-8.10.tar.bz2
 # cd pcre-8.10


4) Configure PCRE:

 # ./configure


5) Create the installation files and install PCRE

 # make
 # make install


Once done, you should be able to install Nginx with the HTTP rewrite module.

Saturday 22 October 2011

How to reset Litespeed password in Linux system

What if you forgot the LiteSpeed admin password? Don’t worry, here are the simple steps to reset it on a Linux machine.

Log in via SSH to the server where LiteSpeed is installed and go to the admin/misc/ directory under the LiteSpeed installation. If LiteSpeed is installed in /usr/local/lsws, you will find it in /usr/local/lsws/admin/misc/:
server:~# cd /usr/local/lsws/admin/misc
server:/usr/local/lsws/admin/misc# pwd
/usr/local/lsws/admin/misc
server:/usr/local/lsws/admin/misc#
Change your password by running the admpass.sh script, which changes the LiteSpeed admin password.
 

Then follow the prompts and you’re done.
server:/usr/local/lsws/admin/misc# ./admpass.sh
Please specify the user name of administrator.
This is the user name required to login the administration Web interface. 

User name [admin]: admin

Please specify the administrator’s password.
This is the password required to login the administration Web interface.

Password:
Retype password:
Administrator’s username/password is updated successfully!
Done. Now you can log into LiteSpeed with the user name and password you just set.

Saturday 15 October 2011

Is it possible to change TTL SOA records in all domain zone files?

Yes, it is possible to change the

- TTL
- Refresh
- Retry
- Expire
- Minimum

records by updating the `dns_recs` table in the psa database.

If these parameters are absent, the default settings are used.

Example:

UPDATE dns_recs SET val='900' WHERE type='SOA' AND host='TTL';

After updating the records you will need to rebuild all of the domain zone files by running the following command:

"%plesk_bin%dnsmng" update *

Keywords: SOA TTL DNS records change

Friday 14 October 2011

[FIX] DNSmng.exe fails during domain creation

SYMPTOMS
When creating a new domain Plesk returns the following error:

dnsmng::update() failed: dnsmng failed: Empty error message from utility.
CAUSE
Most probably the DNS server's configuration files are corrupted.
RESOLUTION
You can try fixing it using the Plesk command line tools:

"%plesk_bin%defpackagemng.exe" --fix --type=dnsserver

"%plesk_bin%DNSMng.exe" update *

Note: one more possible reason is a memory shortage, so please check the server's resources as well.

Sunday 9 October 2011

Speed up your site with Caching and cache-control

Caching with .htaccess and Apache will take your website and your web skills to the next level. These are some technical and advanced methods condensed into simple htaccess code examples for you. But you must take the time to understand caching with Cache-Control and other headers and HTTP options before you implement this on a production server.

NOTE: Stay tuned, I'm working on the update!

Caching with both mod_expires + mod_headers



# Turn on Expires and set default to 0
ExpiresActive On
ExpiresDefault A0

# Set up caching on media files for 1 year (forever?)
# Note the escaped dot: an unescaped "." is a regex wildcard and would also match names with no extension dot at all
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav)$">
ExpiresDefault A29030400
Header append Cache-Control "public"
</FilesMatch>

# Set up caching on media files for 1 week
<FilesMatch "\.(gif|jpg|jpeg|png|swf)$">
ExpiresDefault A604800
Header append Cache-Control "public"
</FilesMatch>

# Set up 2 Hour caching on commonly updated files
<FilesMatch "\.(xml|txt|html|js|css)$">
ExpiresDefault A7200
Header append Cache-Control "proxy-revalidate"
</FilesMatch>

# Force no caching for dynamic files
<FilesMatch "\.(php|cgi|pl|htm)$">
ExpiresActive Off
Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
Header set Pragma "no-cache"
</FilesMatch>


Caching with mod_headers



# 1 YEAR
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav)$">
Header set Cache-Control "max-age=29030400, public"
</FilesMatch>

# 1 WEEK
<FilesMatch "\.(jpg|jpeg|png|gif|swf)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>

# 3 HOUR
<FilesMatch "\.(txt|xml|js|css)$">
Header set Cache-Control "max-age=10800"
</FilesMatch>

# NEVER CACHE
<FilesMatch "\.(html|htm|php|cgi|pl)$">
Header set Cache-Control "max-age=0, private, no-store, no-cache, must-revalidate"
</FilesMatch>


Caching with mod_expires



ExpiresActive On
ExpiresDefault A0

# 1 YEAR
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav)$">
ExpiresDefault A29030400
</FilesMatch>

# 1 WEEK
<FilesMatch "\.(jpg|jpeg|png|gif|swf)$">
ExpiresDefault A604800
</FilesMatch>

# 3 HOUR
<FilesMatch "\.(txt|xml|js|css)$">
ExpiresDefault A10800
</FilesMatch>
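As an added example (not part of the original post), the Python script below works out which Cache-Control header a given file name receives from a set of FilesMatch blocks, merging them the way Apache does: blocks apply in configuration order, a later matching block's `Header set` replaces an earlier value and `Header append` adds to it. CONFIG is the mod_headers rule set from this post with the dots in the patterns escaped; UNESCAPED is a constructed block that shows why the escaping matters. Only the `Header` directives are modelled; Expires directives are ignored.

```python
"""Work out which response headers a file name receives from <FilesMatch>
blocks, merging them in configuration order as Apache does.

Added example, not from the original post. CONFIG is the post's mod_headers
rule set with the pattern dots escaped; UNESCAPED is a constructed block that
shows the wildcard problem of an unescaped dot.
"""
import re
from typing import Dict, List, Tuple

CONFIG = r'''
# 1 YEAR
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav)$">
Header set Cache-Control "max-age=29030400, public"
</FilesMatch>

# 1 WEEK
<FilesMatch "\.(jpg|jpeg|png|gif|swf)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>

# 3 HOUR
<FilesMatch "\.(txt|xml|js|css)$">
Header set Cache-Control "max-age=10800"
</FilesMatch>

# NEVER CACHE
<FilesMatch "\.(html|htm|php|cgi|pl)$">
Header set Cache-Control "max-age=0, private, no-store, no-cache, must-revalidate"
</FilesMatch>
'''

# An unescaped "." is a regex wildcard, so this block also matches names that
# contain no dot at all, such as "reportjpg".
UNESCAPED = '''
<FilesMatch ".(jpg|png)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>
'''

BLOCK_RE = re.compile(r'<FilesMatch\s+"([^"]+)">(.*?)</FilesMatch>', re.S)
Block = Tuple[re.Pattern, List[str]]


def parse_filesmatch(config: str) -> List[Block]:
    """Return (compiled pattern, directive lines) per block, in file order."""
    blocks: List[Block] = []
    for match in BLOCK_RE.finditer(config):
        pattern = re.compile(match.group(1))
        directives = [ln.strip() for ln in match.group(2).splitlines()
                      if ln.strip() and not ln.strip().startswith("#")]
        blocks.append((pattern, directives))
    return blocks


def headers_for(blocks: List[Block], filename: str) -> Dict[str, str]:
    """Headers the Header directives would produce for filename (Expires* ignored)."""
    headers: Dict[str, str] = {}
    for pattern, directives in blocks:
        if not pattern.search(filename):   # FilesMatch is an unanchored regex search
            continue
        for directive in directives:
            parts = directive.split(None, 3)   # Header <action> <name> "<value>"
            if len(parts) < 4 or parts[0].lower() != "header":
                continue
            action, name, value = parts[1].lower(), parts[2], parts[3].strip('"')
            if action == "set" or name not in headers:
                headers[name] = value
            elif action == "append":       # mod_headers joins appended values with ", "
                headers[name] = headers[name] + ", " + value
    return headers


if __name__ == "__main__":
    rules = parse_filesmatch(CONFIG)
    for name in ("logo.png", "style.css", "index.php", "README"):
        print(f"{name:10} {headers_for(rules, name)}")
    print("reportjpg (unescaped pattern):", headers_for(parse_filesmatch(UNESCAPED), "reportjpg"))
```

Running it shows that a dynamic file such as index.php gets the no-store policy while static assets get a long max-age; it also shows that with the original unescaped patterns a name like `reportjpg` would be cached for a week even though it has no extension at all.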

Saturday 8 October 2011

Display Number of Processors on Linux

If you’ve just upgraded your Linux box, or you are wondering how many processors a remote server has, there’s a quick and dirty command you can use to display the number of processors.

On Linux, /proc/cpuinfo contains all of the processor information for all current processors in your computer. This will include the speed, the amount of on-chip cache, processor type, and how many cores.

Here’s the command:

cat /proc/cpuinfo | grep processor | wc -l

The command just looks in the /proc/cpuinfo file, pulls out the number of lines containing the word “processor” and passes them into wc (word count), which returns a count of the CPUs in the system.

Here’s what it returned on my remote server:

[root@root]# cat /proc/cpuinfo | grep processor | wc -l

16

Note that if you have a dual-core processor, it will return each core as a separate processor. You can look at the full output of cat /proc/cpuinfo to see if the chips are dual-core.

OR

You can get a lot of information by typing “cat /proc/cpuinfo”.
[root@root ~]# cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 44
model name : Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
stepping : 2
cpu MHz : 2394.063
cache size : 12288 KB
physical id : 1
siblings : 8
core id : 0
cpu cores : 4
apicid : 32
fpu : yes
fpu_exception : yes
cpuid level : 11
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall nx pdpe1gb rdtscp lm constant_tsc ida nonstop_tsc arat pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 sse4_2 popcnt lahf_lm
bogomips : 4788.12
clflush size : 64
cache_alignment : 64
address sizes : 40 bits physical, 48 bits virtual
power management: [8]

If that’s the entire output then you only have a single processor/core. With multiple processors/cores you should see something like (4 processor/core box):

processor : 0
vendor_id : GenuineIntel
<—SNIP—>
processor : 1
vendor_id : GenuineIntel
<—SNIP—>
processor : 2
vendor_id : GenuineIntel
<—SNIP—>
processor : 3
<—SNIP—>

OR

[root@root~]# cat /proc/cpuinfo | grep 'model name' | cut -d: -f2
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
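As an added example (not part of the original post), here is a Python parser for the /proc/cpuinfo block format shown above. It reproduces the `grep processor | wc -l` count and then goes further: it tells logical processors (hyper-threads), physical cores and sockets apart using the physical id and core id fields, which is the distinction the post warns about. constructed_cpuinfo() builds a sample in the same "key : value" format (two sockets, two cores per socket, Hyper-Threading on), so the script runs without reading the real file.

```python
"""Summarise /proc/cpuinfo: logical processors, physical cores and sockets.

Added example, not from the original post. constructed_cpuinfo() builds a
sample in the same "key : value" block format shown above (two sockets, two
cores per socket, Hyper-Threading on), so the script runs without reading
the real file.
"""
import re
from collections import Counter
from typing import Dict, List

MODEL = "Intel(R) Xeon(R) CPU E5620 @ 2.40GHz"


def constructed_cpuinfo() -> str:
    blocks = []
    number = 0
    for physical_id in (0, 1):          # two sockets
        for core_id in (0, 1):          # two cores each
            for _thread in (0, 1):      # two hyper-threads per core
                blocks.append("\n".join([
                    f"processor\t: {number}",
                    "vendor_id\t: GenuineIntel",
                    f"model name\t: {MODEL}",
                    f"physical id\t: {physical_id}",
                    "siblings\t: 4",
                    f"core id\t: {core_id}",
                    "cpu cores\t: 2",
                ]))
                number += 1
    return "\n\n".join(blocks) + "\n"


def count_like_the_post(text: str) -> int:
    """Same result as `cat /proc/cpuinfo | grep processor | wc -l`."""
    return sum(1 for line in text.splitlines() if "processor" in line)


def parse_cpuinfo(text: str) -> List[Dict[str, str]]:
    """One dict per processor block; blocks are separated by blank lines."""
    entries: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            entries.append(fields)
    return entries


def summarize(entries: List[Dict[str, str]]) -> Dict[str, object]:
    """Logical CPUs count threads; cores are distinct (physical id, core id) pairs."""
    logical = len(entries)
    sockets = len({e.get("physical id", "0") for e in entries})
    cores = len({(e.get("physical id", "0"), e.get("core id", e["processor"])) for e in entries})
    models = Counter(e.get("model name", "unknown") for e in entries)
    return {"logical": logical, "sockets": sockets, "cores": cores,
            "hyperthreading": logical > cores, "models": dict(models)}


if __name__ == "__main__":
    text = constructed_cpuinfo()
    print("grep|wc style count:", count_like_the_post(text))
    print(summarize(parse_cpuinfo(text)))
```

To use it on a live system, pass `open("/proc/cpuinfo").read()` instead of the constructed text. On the 16-processor box in the post the same logic would report 2 sockets and 8 cores with hyper-threading on, matching the physical id, cpu cores and siblings values shown.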

Friday 7 October 2011

How to secure a Linux server

This article contains configuration information and tips on how to protect your machine. The article is applicable to all popular Linux distributions.

General


Configure and Enable Firewall


The firewall is the front-line defense against remote attacks. It's highly recommended that you enable and configure it. The Linux firewall infrastructure is called netfilter/iptables. To configure it, check this iptables howto, or use a configuration frontend such as m0n0wall (CLI), shorewall (CLI), or FireStarter (GUI).

I suggest that you drop all incoming connections, and then open the ports you need, like SSH or BitTorrent.

Avoid Easy-to-compromise User Accounts


Your machine must not have user accounts with easy-to-guess passwords, especially accounts like test/test or guest/guest. Many Linux worms try to exploit such accounts over SSH. Open /etc/passwd and make sure there are no such accounts; if you do have an account like this, delete it:

$ sudo userdel <username>


If you really need such an account for some odd reason, change its shell to /bin/false, so that an attacker cannot log in using it:

$ sudo chsh -s /bin/false <username>


Mount /tmp as noexec


Many script kiddies rely on downloading scripts to /tmp and executing them. By mounting /tmp as noexec, scripts located in /tmp will not be executable. This effectively disables exploits that rely on /tmp. Here is the /tmp config line from my /etc/fstab:

/dev/hda5               /tmp            ext2            noatime,noexec 0 0


Protect against Fork Bombs


Fork bombs are programs that keep creating child processes until system resources are all used. They actually aren't remote exploits because they require a local user to execute the bomb; however, users may be tricked into running a fork bomb. For example, the following example may look innocent, but running it on an unprotected system may take the whole system down:

:(){ :|:& }; :


Do not run the above code on an unprotected system!

The above shell script will actually keep forking at an exponential rate until system resources are exhausted.

To protect a system against such attacks, there is a file for limiting the number of processes per user: /etc/security/limits.conf. Add the following two lines to it:

@users          soft    nproc  100
@users hard nproc 150


These lines prevent anyone in the users group from having more than 150 processes, and issue a warning at 100 processes.

Your system may not have a users group, so you may want to edit the lines to match your needs.

Limit Usage of su/sudo


su lets normal users switch to the root account, and sudo enables granting more privileges to users. It's always better to grant only the absolutely necessary privileges to specific users, and limit the usage of su to a specific group.

When the usage of su/sudo is limited, even if the system is compromised through a dummy account (like test as username and password), the attacker will have fewer options to play with.

Linux Daemons


OpenSSH


Users of machines with broadband connections usually need to remotely connect to their machines through SSH. So even if the workstation is protected by a firewall, the port of SSH needs to be open for inbound connections. Therefore, SSH is a common target for remote attacks.

Here is a list of OpenSSH configuration settings that make it more secure against attacks. SSH settings are usually located in /etc/ssh/sshd_config:

The SSH default port is 22; change it with the line below. This will stop many automated attacks.

Port 22


(change the port number)

Notice that when remotely connecting to your machine, the new port number needs to be specified to the SSH client, for example:

$ ssh -p <new-port> <username>@<host>


Make sure the protocol is set to 2. Version 1 is not secure.

Protocol 2


The following config lines limit how long and how often a client may try to authenticate, which slows down brute force attacks.

LoginGraceTime 2m
MaxAuthTries 6


Random attackers will usually try random usernames when trying to break through SSH, and since the root account exists on every machine, it will be on the attack list. The following config line disables root login over SSH and stops such attackers. If root access to a remote machine is needed, login using your regular account and use sudo:

PermitRootLogin no


An account with a blank password may be added accidentally. The following config line disables SSH login for such accounts.

PermitEmptyPasswords no


In addition to the configuration lines listed above, if you always log in to your machine from the same IP address or range, limit the addresses that can connect to SSH using /etc/hosts.allow (this requires an sshd built with TCP Wrappers support, which newer OpenSSH releases have dropped, so check your version). Use the following format:

sshd : 127.0.0.1 : allow
sshd : IP address here : allow
sshd : IP address here : allow
sshd : ALL : deny
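As an added example (not part of the original post), the Python script below audits an sshd_config against the recommendations above: a non-default port, Protocol 2, no root login, no empty passwords, and bounded MaxAuthTries and LoginGraceTime. Both sample configs are constructed. The parser follows sshd's rules that the first occurrence of a keyword wins and keywords are case-insensitive; the defaults assumed for absent keywords are the OpenSSH 5.x-era ones (PermitRootLogin in particular defaults differently in newer releases), and the `Keyword=value` spelling is not handled.

```python
"""Audit an sshd_config against the recommendations above.

Added example, not from the original post. Both configs are constructed. sshd
takes the first occurrence of a keyword and treats keywords case-insensitively;
an absent keyword gets the value in DEFAULTS, which are the OpenSSH 5.x-era
defaults assumed here.
"""
from typing import Dict, List

WEAK_CONFIG = """\
# constructed sample: distribution defaults left in place
Port 22
Protocol 2,1
PermitRootLogin yes
#PermitEmptyPasswords no
MaxAuthTries 20
LoginGraceTime 10m
"""

HARDENED_CONFIG = """\
# constructed sample following the post
Port 2222
Protocol 2
LoginGraceTime 2m
MaxAuthTries 6
PermitRootLogin no
PermitEmptyPasswords no
"""

DEFAULTS = {"port": "22", "permitrootlogin": "yes", "permitemptypasswords": "no",
            "maxauthtries": "6", "logingracetime": "120"}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Lower-cased keyword -> value; first occurrence wins. 'Keyword=value' form is not handled."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)
    return settings


def seconds(value: str) -> int:
    """Convert sshd time values such as 2m, 30s, 1h or bare seconds to seconds."""
    units = {"s": 1, "m": 60, "h": 3600}
    suffix = value[-1].lower()
    if suffix in units:
        return int(value[:-1]) * units[suffix]
    return int(value)


def audit_sshd(text: str) -> List[str]:
    """One finding per recommendation from the post that the config does not meet."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_sshd_config(text))
    findings: List[str] = []
    if cfg["port"] == "22":
        findings.append("Port: default 22, the first port automated scans try")
    if cfg.get("protocol", "") != "2":
        findings.append("Protocol: not set to exactly 2 (version 1 is insecure)")
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin: root may log in over SSH")
    if cfg["permitemptypasswords"].lower() != "no":
        findings.append("PermitEmptyPasswords: accounts with empty passwords can log in")
    if int(cfg["maxauthtries"]) > 6:
        findings.append(f"MaxAuthTries: {cfg['maxauthtries']} exceeds 6")
    if seconds(cfg["logingracetime"]) > 120:
        findings.append(f"LoginGraceTime: {cfg['logingracetime']} exceeds 2m")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_sshd(text))} finding(s)")
        for finding in audit_sshd(text):
            print("  -", finding)
```

Point it at the live file with `audit_sshd(open("/etc/ssh/sshd_config").read())`; because the first occurrence of a keyword wins, a hardening line appended at the bottom of a file that already sets the same keyword higher up has no effect, and the audit will tell you so.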


MySQL


If you use MySQL for local development, it's safer to limit its connections to localhost (among other things). To do so, run the mysql_secure_installation script, and it will take care of this for you.

Samba


Many need Samba for sharing files over the local network. Here is a list of config lines to secure it. The configuration file is usually located at /etc/samba/smb.conf or /etc/smb.conf:

hosts allow = 127.0.0.1 192.168.0.0/24
hosts deny = 0.0.0.0/0


These config lines limit the hosts that can connect to Samba to localhost and local IP ranges; modify to suit your needs.

security = user


Set security to user. In this case, users connecting to Samba will need to login before continuing. To add Samba user accounts, use the following command:

$ sudo smbpasswd -a <username>


You will be asked to provide a password for the new account.

If you log in to your Samba share from an MS Windows machine, you may set your Samba username/password to match those on Windows, and avoid having to enter them every time you connect to the share.

As a final Samba tip, do not share your home directory. If you do so, you are just asking for trouble. Create a directory for sharing, and drop files there when necessary.

General Tips



  • Keep your system up-to-date, especially when security vulnerabilities appear in packages you use. All major Linux distros have security mailing lists, subscribe to your distro's.

  • Disable services you don't need. Every open service makes your system more open to attacks.

  • Regularly monitor the output of the following command for odd entries:

    $ sudo less /var/log/messages  # System log.
    $ sudo ps aux # Running processes.
    $ sudo netstat -anp # Active connections.


Thursday 6 October 2011

Manually Override Cache-Control Directives Using ARR

Configure Cache Control Rules




ARR allows for multiple cache control rules, including rules to only cache content based on URL patterns or host names, or to not cache certain content. The cache control rules are processed in the list from top to bottom.

To configure cache control rules

  1. Open IIS Manager.

  2. In the Connections pane, expand the server node.

  3. In the Server pane, double-click Application Request Routing Cache.

  4. On the Application Request Routing Cache page, in the Actions pane, click Cache Control Rules….

  5. On the Cache Control Rules page, in the Actions pane, click Add….

  6. In the Add Cache Control Rule dialog box, follow these steps:

    • In the Apply rule list, select when you want to apply the cache control rule: When no cache control directive exists or Always.

    • Select Do not cache or Cache.

    • If you selected Cache, enter the duration in the Cache duration (minutes) box.

    • In the Host name box, optionally enter the name of your host site.

    • In the URL box, optionally enter the URL.



  7. Click OK.


How to fix yum install perl-DBI No package perl-DBI available. Nothing to do

I wanted to install perl-DBI, which is a dependency of git-1.7.3.4-1.el5.rf.i386.rpm.

When I tried to install git-1.7.3.4-1.el5.rf.i386.rpm by running

yum install git-core

or even

rpm -i git-1.7.3.4-1.el5.rf.i386.rpm

it prompted me with this notice:

Error: Missing Dependency: perl(DBI) is needed by package git-1.7.3-1.el4.rf.i386 (rpmforge)

The fix is easy: open /etc/yum.conf in a text editor such as nano

nano /etc/yum.conf

then remove perl* from the exclude= line, save the file by exiting with CTRL+x and confirming the changes, and run yum install git-core again.

Finally you should see this notification:
Total download size: 6.1 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): perl-Git-1.7.3.4-1.el5.rf.i386.rpm                                                                                                        |  24 kB     00:00
(2/2): git-1.7.3.4-1.el5.rf.i386.rpm                                                                                                             | 6.1 MB     00:01
---------------------------------------------------------------------------------------------------------------
Total                                                                                                                                   2.3 MB/s | 6.1 MB     00:02
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing     : git                                                                                                                                              1/2
Installing     : perl-Git                                                                                                                                         2/2

Installed:
git.i386 0:1.7.3.4-1.el5.rf

Dependency Installed:
perl-Git.i386 0:1.7.3.4-1.el5.rf

Complete!


Email protocols

What is POP3?

Post Office Protocol version 3 (POP3) is a standard mail protocol used to receive emails from a remote server to a local email client. POP3 allows you to download email messages on your local computer and read them even when you are offline.

What is IMAP?

The Internet Message Access Protocol (IMAP) is a mail protocol used for accessing email on a remote mail server from a local client. IMAP and POP3 are the two most commonly used Internet mail protocols for retrieving email. Both protocols are supported by all modern email clients and mail servers.

Main difference between IMAP and POP3:

The POP3 protocol assumes that only one client connects to the mailbox. In contrast, the IMAP protocol allows simultaneous access by multiple clients. IMAP is the better choice if your mailbox is going to be accessed by multiple users or devices.

What is SMTP?

Simple Mail Transfer Protocol (SMTP) is the standard protocol for sending email across the Internet. SMTP uses TCP port 25 or 2525; you may have problems sending messages if your ISP has blocked port 25 (see "How to check whether the email ports are open?" below). To determine the SMTP server for a given domain name, the MX (Mail eXchange) DNS record is used.

How to change my MX record?

It is possible to change the MX records for your domain. To do so, log in to cPanel and click on MX Entry.

How to check whether the email ports are open?

You may experience issues with the non-standard http ports Webmail works with. Usually Webmail can be opened from:

  • https://mydomain.com:2096

  • http://mydomain.com:2095

  • http://webmail.servername.com


You may check the name of your server via your Customers Area. Please review the DNS Change article: the server name is the DNS server name without the ns1 in front of it.

Sometimes local firewalls allow access only to sites on port 80. In such cases, please use the third URL. Note that this third address is a web-based proxy which lets you access your cPanel via the default HTTP port 80. We have set up this extra service for customers whose Internet Service Providers have blocked ports 2096 and 2095.

You may check whether the ports are blocked by executing the following commands:

If you are running Windows do the following:



  • Click Start

  • Click Run

  • Type cmd

  • Type telnet mydomain.com 2095

  • Type telnet mydomain.com 2096


If you are running Linux do the following:



  • Start your Linux/Mac OS console terminal

  • Type telnet mydomain.com 2095

  • Type telnet mydomain.com 2096


If the port is not blocked, the result should look like the following:

Trying IP_of_the_server (10.10.10.10 for example)...
Connected to servername.com.
Escape character is '^]'.

A different result means that the port is blocked and you should use the web proxy link provided above.

Please, find the default POP3, IMAP and SMTP ports values at the POP3, IMAP, SMTP and Email clients article.

How to configure email clients

You can use either the webmail interface or an email client. Check our tutorial on how to use cPanel webmail. If you decide to use an email client, such as Microsoft Outlook Express, MS Outlook, Mozilla Thunderbird and Eudora, here are the settings you need:

Incoming mail server (POP3/IMAP server): mail.yourdomain.com
Outgoing mail server (SMTP server) or Host: mail.yourdomain.com
Username: the full e-mail address, for example you@yourdomain.com rather than just you.
Password: the one assigned in cPanel -> Email -> Manage/Add/Remove Accounts.
SMTP authentication must be enabled for the login to be successful.

If you have your domain pointed to an external server and the MX record is resolving to one of the SiteGround servers use the server name as  the Incoming/Outgoing mail server.

You can also use a secured (SSL/TLS) connection to your mail server; the secured ports are listed below.

Email ports



  • The POP3 port for inbound emails is 110 (995 if you want to use secured POP3)

  • And the IMAP port for inbound emails is 143 (993 if you want to use secured IMAP)

  • The SMTP port for outbound emails is 25 or 2525 (465 if you want to use secured SMTP)


 

Wednesday 5 October 2011

Protect your /tmp Directory - Tutorial

Lately there have been a lot of DoS (Denial of Service) attacks, and one of the main causes is insecure /tmp directories.

Your /tmp directory is dangerous because every user on the system is able to write to it. If you have an upload script on your site that is exploitable, or a program with a remote code execution vulnerability, an attacker can drop a file into /tmp, or use the code execution to run something like wget and download a file into /tmp (this is usually how DoS trojans and rootkits end up on your server).

But there something you can do to help protect your /tmp directory:
===============================================

First, find the processes that are using your /tmp (you will need to stop them before you can work with it):

# lsof | grep /tmp

you should see something like this:
root@carine [/]# lsof | grep /tmp
screen 2599 root cwd DIR 8,8 2863104 2 /tmp
php 7577 greatpho 3u REG 8,8 0 1194 /tmp/session_mm_cgi759.sem (deleted)
php 7577 greatpho 5u REG 8,8 0 59 /tmp/sess_658bbc19e47f720c2210f3f0339ec6dd (deleted)
mysqld 22603 mysql 5u REG 7,0 0 87 /tmp/ibQZkUsh (deleted)
mysqld 22603 mysql 6u REG 7,0 1017 90 /tmp/ibE6blca (deleted)
mysqld 22603 mysql 7u REG 7,0 0 91 /tmp/ibXQhMV2 (deleted)
mysqld 22603 mysql 8u REG 7,0 8602 92 /tmp/ibbZcCFV (deleted)
mysqld 22603 mysql 12u REG 7,0 0 93 /tmp/ibvUZEqO (deleted)
php 29509 greatpho 3u REG 8,8 0 95 /tmp/session_mm_cgi759.sem (deleted)
php 29509 greatpho 5uW REG 8,8 0 59 /tmp/sess_658bbc19e47f720c2210f3f0339ec6dd (deleted)
php 32685 aclubber 3u REG 7,0 0 17861 /tmp/session_mm_cgi533.sem
php 32692 salesdna 3u REG 7,0 0 17858 /tmp/session_mm_cgi3098.sem
php 32692 salesdna 5uW REG 7,0 0 17918 /tmp/sess_dbc01a315bbdad2eba7d761b94fb3f04
Stop the processes that are using your /tmp directory, then copy and paste the following into your terminal window:

cd /
dd if=/dev/zero of=/tmpdir bs=1024 count=200000   # 200 MB image file that will back the new /tmp
mkfs.ext3 -F /tmpdir
mv /tmp /tmp.backup
mkdir /tmp
mount -o loop,noexec,nosuid,rw /tmpdir /tmp
chmod 1777 /tmp   # world-writable plus the sticky bit, so users cannot delete each other's files
if ! grep -qai tmpdir /etc/fstab ; then
echo "/tmpdir /tmp ext3 loop,noexec,nosuid,rw 0 0" >> /etc/fstab
fi
mount -a
cp /bin/ls /tmp/
/tmp/ls

It should return something like this:

-bash: /tmp/ls: Permission denied

If you see that, then you know everything has gone according to plan.

What the above does is create a file-backed filesystem image at /tmpdir and mount it on /tmp with the options loop,noexec,nosuid,rw.

This still won't stop rootkits or DoS files from being uploaded or downloaded into your /tmp directory, but it will sure as hell stop them from being executed directly. Note that noexec only blocks direct execution; a script can still be handed to an interpreter, so treat this as one layer of defence rather than a complete fix.
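To confirm that the mount came up the way the procedure intends, the following added POSIX shell snippet (not from the original post) reads a file in /proc/mounts format, reports which of the expected options are missing on /tmp, and checks the directory for the sticky bit. The sample mount tables it writes are constructed and the device names are placeholders; the optional nodev check goes beyond what the procedure above sets.

```shell
#!/bin/sh
# Added example, not from the original post: check that /tmp is mounted with
# the options the procedure sets and that the directory carries the sticky bit.

# Options field for MOUNTPOINT from a file in /proc/mounts format
# (device mountpoint fstype options dump pass); empty if not mounted.
mount_opts() {   # mount_opts MOUNTS_FILE MOUNTPOINT
    awk -v mp="$2" '$2 == mp { print $4 }' "$1"
}

# Print "ok" when /tmp in MOUNTS_FILE has every option in REQUIRED
# (comma separated, default noexec,nosuid), otherwise list the missing ones.
check_tmp_mount() {   # check_tmp_mount MOUNTS_FILE [REQUIRED]
    req=${2:-noexec,nosuid}
    opts=$(mount_opts "$1" /tmp)
    if [ -z "$opts" ]; then
        echo "missing: /tmp is not a separate mount"
        return 1
    fi
    missing=""
    for want in $(echo "$req" | tr ',' ' '); do
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo ok
}

# True when DIR has the sticky bit (chmod 1777 shows as drwxrwxrwt).
# Without it, any user can delete or rename any other user's files in /tmp.
is_sticky() {   # is_sticky DIR
    case "$(ls -ld "$1" | cut -c1-10)" in
        d????????[tT]) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed mount tables (placeholder devices) so this runs offline.
write_sample_mounts() {   # write_sample_mounts FILE hardened|weak
    if [ "$2" = hardened ]; then
        sample_opts="rw,nosuid,noexec,relatime"
    else
        sample_opts="rw,relatime"
    fi
    printf '%s\n' "/dev/sda1 / ext3 rw,relatime 0 0" \
                  "/dev/loop0 /tmp ext3 $sample_opts 0 0" > "$1"
}

# Stand-alone usage against the running system:
#   check_tmp_mount /proc/mounts && is_sticky /tmp && echo "/tmp looks good"
```

Run check_tmp_mount /proc/mounts after a reboot as well as right after the procedure: the fstab line is what keeps the options in place, and a typo there silently leaves you with an ordinary directory.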

Hope this helps

Friday 16 September 2011

Installing VMWARE server on CentOS 5 or Red hat enterprise Linux 64 bit version

VMware virtualization software is an excellent choice for x86-compatible computers. They have both commercial and free versions. I received a few emails regarding VMWARE on 64 bit Linux. Installing VMware Server on CentOS 5 or Red Hat Enterprise Linux 64-bit is a tricky business. In this small howto I will explain VMware installation on a 64-bit Linux server without running into dependency problems.

The following instructions were tested on both RHEL 5 and CentOS 5 running on 64-bit Intel / AMD hardware. My kernel:

$ uname -mrs
Output:
Linux 2.6.18-8.1.6.el5 x86_64

My RHEL 5 release (same kernel for CentOS):
$ cat /etc/redhat-release
Output:
Red Hat Enterprise Linux Server release 5 (Tikanga)

Make sure you have following software installed:

  • Full gcc compiler and development environment

  • Kernel headers and devel packages for current kernel (i.e. kernel-headers and kernel-devel)


 

Step # 1: Download vmware server


You can download VMWARE server here. Use wget command to download:
$ wget http://download3...

Step # 2: Install vmware server


Once downloaded, use the rpm command to install VMware Server:
# rpm -ivh VMware-server-1.0.3-44356.i386.rpm
Output:
Preparing...                ########################################### [100%]
1:VMware-server ########################################### [100%]

Step # 3:Install required files / libraries


You need to install following development package / files on server:

  1. libXtst-devel : X.Org X11 libXtst development package

  2. libXrender-devel : X.Org X11 libXrender development package


Simply use yum command to install packages:
# yum install libXtst-devel libXrender-devel kernel-devel
Output:
Loading "rhnplugin" plugin
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
rhel-x86_64-server-vt-5 100% |=========================| 1.2 kB 00:00
rhel-x86_64-server-5 100% |=========================| 1.2 kB 00:00
Reading repository metadata in from local files
Parsing package install arguments
...........
....
...
Running Transaction
Installing: libXtst ######################### [1/8]
Installing: libXau-devel ######################### [2/8]
Installing: xorg-x11-proto-devel ######################### [3/8]
Installing: libX11-devel ######################### [4/8]
Installing: libXdmcp-devel ######################### [5/8]
Installing: libXtst-devel ######################### [6/8]
Installing: libXtst-devel ######################### [7/8]
Installing: mesa-libGL-devel ######################### [8/8]

Installed: libXtst-devel.x86_64 0:1.0.1-3.1 libXtst-devel.i386 0:1.0.1-3.1
Dependency Installed: libX11-devel.x86_64 0:1.0.3-8.0.1.el5 libXau-devel.x86_64 0:1.0.1-3.1 libXdmcp-devel.x86_64 0:1.0.1-2.1 libXtst.i386 0:1.0.1-3.1 mesa-libGL-devel.x86_64 0:6.5.1-7.2.el5 xorg-x11-proto-devel.x86_64 0:7.1-9.fc6
Complete!

Step # 4: Install xinetd


You need xinetd the extended Internet services daemon / service in order to use VMWARE console from remote computer. Use yum command to install xinetd:
# yum install xinetd

Step # 5: Configure VMWARE server


Use vmware-config.pl script to configure VMWARE networking and other aspects.
# vmware-config.pl
Output (make sure you set up VMware as per your requirements; the following is just a sample output):
Making sure services for VMware Server are stopped.

Stopping VMware services:
Virtual machine monitor [ OK ]

You must read and accept the End User License Agreement to continue.
Press enter to display it.
......
......
will provide you with a copy of our
distribution agreement for your signature.

Do you accept? (yes/no) yes

Thank you.

Configuring fallback GTK+ 2.4 libraries.

In which directory do you want to install the mime type icons?
[/usr/share/icons]

What directory contains your desktop menu entry files? These files have a
.desktop file extension. [/usr/share/applications]
In which directory do you want to install the application's icon?
[/usr/share/pixmaps]

Trying to find a suitable vmmon module for your running kernel.

None of the pre-built vmmon modules for VMware Server is suitable for your
running kernel. Do you want this program to try to build the vmmon module for
your system (you need to have a C compiler installed on your system)? [yes]

Using compiler "/usr/bin/gcc". Use environment variable CC to override.

What is the location of the directory of C header files that match your running
kernel? [/lib/modules/2.6.18-8.1.6.el5/build/include]

Extracting the sources of the vmmon module.

Building the vmmon module.

Using 2.6.x kernel build system.
make: Entering directory `/tmp/vmware-config0/vmmon-only'
make -C /lib/modules/2.6.18-8.1.6.el5/build/include/.. SUBDIRS=$PWD SRCROOT=$PWD/. modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-8.1.6.el5-x86_64'
CC [M] /tmp/vmware-config0/vmmon-only/linux/driver.o
CC [M] /tmp/vmware-config0/vmmon-only/linux/hostif.o
CC [M] /tmp/vmware-config0/vmmon-only/common/cpuid.o
CC [M] /tmp/vmware-config0/vmmon-only/common/hash.o
CC [M] /tmp/vmware-config0/vmmon-only/common/memtrack.o
CC [M] /tmp/vmware-config0/vmmon-only/common/phystrack.o
CC [M] /tmp/vmware-config0/vmmon-only/common/task.o
CC [M] /tmp/vmware-config0/vmmon-only/common/vmx86.o
CC [M] /tmp/vmware-config0/vmmon-only/vmcore/moduleloop.o
LD [M] /tmp/vmware-config0/vmmon-only/vmmon.o
Building modules, stage 2.
MODPOST
CC /tmp/vmware-config0/vmmon-only/vmmon.mod.o
LD [M] /tmp/vmware-config0/vmmon-only/vmmon.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-8.1.6.el5-x86_64'
cp -f vmmon.ko ./../vmmon.o
make: Leaving directory `/tmp/vmware-config0/vmmon-only'
The module loads perfectly in the running kernel.

Do you want networking for your virtual machines? (yes/no/help) [yes]

Configuring a bridged network for vmnet0.

Your computer has multiple ethernet network interfaces available: eth0, eth1.
Which one do you want to bridge to vmnet0? [eth0] eth1

The following bridged networks have been defined:

. vmnet0 is bridged to eth1

Do you wish to configure another bridged network? (yes/no) [no]

Do you want to be able to use NAT networking in your virtual machines? (yes/no)
[yes] no

Do you want to be able to use host-only networking in your virtual machines?
[no]

Extracting the sources of the vmnet module.

Building the vmnet module.

Using 2.6.x kernel build system.
make: Entering directory `/tmp/vmware-config0/vmnet-only'
make -C /lib/modules/2.6.18-8.1.6.el5/build/include/.. SUBDIRS=$PWD SRCROOT=$PWD/. modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-8.1.6.el5-x86_64'
CC [M] /tmp/vmware-config0/vmnet-only/driver.o
CC [M] /tmp/vmware-config0/vmnet-only/hub.o
CC [M] /tmp/vmware-config0/vmnet-only/userif.o
CC [M] /tmp/vmware-config0/vmnet-only/netif.o
CC [M] /tmp/vmware-config0/vmnet-only/bridge.o
CC [M] /tmp/vmware-config0/vmnet-only/procfs.o
CC [M] /tmp/vmware-config0/vmnet-only/smac_compat.o
SHIPPED /tmp/vmware-config0/vmnet-only/smac_linux.x86_64.o
LD [M] /tmp/vmware-config0/vmnet-only/vmnet.o
Building modules, stage 2.
MODPOST
WARNING: could not find /tmp/vmware-config0/vmnet-only/.smac_linux.x86_64.o.cmd for /tmp/vmware-config0/vmnet-only/smac_linux.x86_64.o
CC /tmp/vmware-config0/vmnet-only/vmnet.mod.o
LD [M] /tmp/vmware-config0/vmnet-only/vmnet.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-8.1.6.el5-x86_64'
cp -f vmnet.ko ./../vmnet.o
make: Leaving directory `/tmp/vmware-config0/vmnet-only'
The module loads perfectly in the running kernel.

The default port : 902 is not free. We have selected a suitable alternative
port for VMware Server use. You may override this value now.
Remember to use this port when connecting to this server.
Please specify a port for remote console connections to use [904]

WARNING: VMware Server has been configured to run on a port different from the
default port. Remember to use this port when connecting to this server.
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
Configuring the VMware VmPerl Scripting API.

Building the VMware VmPerl Scripting API.

Using compiler "/usr/bin/gcc". Use environment variable CC to override.

Installing the VMware VmPerl Scripting API.

The installation of the VMware VmPerl Scripting API succeeded.

Generating SSL Server Certificate

In which directory do you want to keep your virtual machine files?
[/var/lib/vmware/Virtual Machines]

The path "/var/lib/vmware/Virtual Machines" does not exist currently. This
program is going to create it, including needed parent directories. Is this
what you want? [yes]

Please enter your 20-character serial number.

Type XXXXX-XXXXX-XXXXX-XXXXX or 'Enter' to cancel: XYZZZ-XYZZZ-XYZZZ-ABC91

Starting VMware services:
Virtual machine monitor [ OK ]
Virtual ethernet [ OK ]
Bridged networking on /dev/vmnet0 [ OK ]

The configuration of VMware Server 1.0.3 build-44356 for Linux for this running
kernel completed successfully.

How to make backups with Linux and Rsync?

1. Purpose 

As a web host, we needed an automated mechanism for generating snapshots of server filesystems on our Linux based systems. There are a number of ways to achieve backups on Linux systems, including remote backup using tar/ssh/cron and incremental tar backups on a local filesystem. One of the drawbacks of using tar to back up an entire filesystem is that some systems are unable to create a compressed tarball greater than 2GB in size. 

Rsync offers a reliable mechanism for synchronizing files and directories from one location to another while minimizing data transfer by only transferring deltas. Rsync is included in most Linux distributions, and installation is very easy. Properly configured rsync that performs system backups can protect against hard disk failures and system compromises. 

2. What is Rsync? 

Rsync is a small Linux utility that synchronizes filesystems from one place to another by copying only the diffs (deltas) of files that have changed. Rsync optionally compresses the files on-the-fly before transfer (to save transfer time) and may be used in conjunction with rsh or ssh to perform remote file transfers. Rsync may be used as a backup or mirroring utility. 

The advantages of using rsync over other archive and copy utilities such as tar, dump and rcp are that rsync (1) can use ssh as a secure channel to transfer files over the network, (2) can retain the ownership and permissions of the files being transferred, (3) can keep files and directories synchronized (with --delete, files removed from the source since the last replication are removed from the destination), and (4) transfers only the "delta" of files changed since the last replication, making the transfer much faster. If rsync is used without ssh, it uses TCP port 873. 

3. How does Rsync work? 

Rsync can be used in standalone or client/server mode, with client/server mode a little more common. 

In standalone mode, you use rsync to copy files and directories by running the rsync command on the command line. This is useful when replicating files and directories on the same machine, or between two machines over an rsh/ssh channel. By using ssh, you use TCP port 22 instead of TCP port 873 (rsync). To use ssh without supplying a password (for automated backups), you need to set up a trusted environment between the two machines by generating a private/public key pair and installing the keys on the machines. Instructions on setting up the key pair are described in the Setting up trusted ssh environment with public/private key pair article. 

In a client/server mode, one machine becomes a "Rsync Server" by running the rsync in a daemon mode, and one or more client machine(s) may then synchronize the files to and from the server. Setting up a rsync server requires customizing a rsync configuration file, which resides in /etc/rsyncd.conf (or similar location). Running rsync in client/server mode does not require rsh/ssh transport channel, and hence uses the TCP port 873 designated for rsync protocol. 

4. Running the Rsync in a standalone mode? 

If you intend to replicate a filesystem on a local machine or use rsh/ssh as the secure channel to transfer files from one machine to another, you can use Rsync in standalone mode. 

To copy files from one directory structure to another, you may simply run the rsync command. The -a switch retains the owner and permission information of the files being copied; rsync must run as the root user for it to be able to set ownership on the destination. 



bash# rsync -a source destination



The command above is similar to "cp -r source destination/", where the destination directory must already exist. Similarly, replicating a filesystem from one machine to another may be done by running: 



bash# rsync -a -e ssh source username@remote_host:/path/to/destination



It should be noted that rsync does care about the trailing slash in the source argument. If a trailing slash ("/") is supplied in the source argument, the contents of the directory are copied, whereas if no trailing slash is supplied, the directory itself is copied. The trailing slash in the destination has no significance, as the destination is always treated as a directory. 

For example, "rsync -a a b" copies directory a inside the b and hence the files are copied to the b/a/ directory. If, however, "rsync -a a/ b" is used, the files are stored in b/ directory without the directory a. 

5. Running the Rsync in a client/server mode? 

To use rsync in client/server mode, we must set up an rsync server. Setting up an rsync server involves two steps: (A) customizing the /etc/rsyncd.conf configuration file, and (B) running the rsync command in daemon mode. 

A. Configuring /etc/rsyncd.conf configuration file. 

The rsync configuration file looks very similar to the Samba configuration file, as rsync is co-authored by Andrew Tridgell, an author of Samba. The detailed description of rsyncd.conf can be found in the Linux manpage. An example rsync configuration file may look something like this: 



motd file = /etc/rsyncd.motd
log file = /var/log/rsyncd.log
secrets file = /etc/rsyncd.secrets

[target]
path = /home
comment = User home directories
uid = nobody
gid = nobody
auth users = scott, michael
hosts allow = 192.168.0.0/24
hosts deny = *
list = false



Important: It should be noted that Rsync will NOT grant access to a protected share if the secret (password) file noted above (/etc/rsyncd.secrets) is world-readable. 

In the configuration above, the settings worth noting include "target", a name used to refer to a particular rsync target (module). In a target block, a number of configuration options may be defined. The "path" option specifies the files/directories to be rsync'ed, and "auth users" restricts access to pre-defined users that are specified in the secrets file. The "uid" and "gid" are the user/group pair the rsync daemon will use when serving the target. "auth users" need not be system users. "hosts allow" and "hosts deny" restrict the hosts that can transfer files to/from the server. It is strongly advised that "hosts allow" and "hosts deny" be set up, as without those options the target is reachable from any host. 

We need to create a secrets file, /etc/rsyncd.secrets, with the contents: 



scott:helloworld



The secrets file above contains a user, "scott", with the password "helloworld". Since the password is stored in plain text, the file must be owned by root and readable only by root (permission 400 or 600). Otherwise, rsync will simply not start at all. 
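As an added example (not part of the original article), the following POSIX shell script audits an rsyncd.conf for the two mistakes the text warns about: a secrets file readable by anyone other than its owner, and a module that has no "hosts allow" or "auth users" restriction. The configuration it writes is constructed; the module names and paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: audit rsyncd.conf and its
# secrets file for a readable password file and unrestricted modules.

# Path named by the "secrets file =" line of CONF (empty if none).
secrets_file_of() {   # secrets_file_of CONF
    awk -F= '/^[ \t]*secrets file[ \t]*=/ {
        v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# "ok" when FILE is readable by its owner only (mode 400/600), else "bad".
# With the default "strict modes = yes" rsync refuses to use a secrets file
# that other users can read.
secrets_file_mode() {   # secrets_file_mode FILE
    [ -e "$1" ] || { echo missing; return 1; }
    case "$(ls -l "$1" | cut -c1-10)" in
        -r??------) echo ok ;;
        *) echo bad; return 1 ;;
    esac
}

# One line per module in CONF that lacks a "hosts allow" or "auth users"
# option.  Options before the first [module] are global and are skipped.
unrestricted_modules() {   # unrestricted_modules CONF
    awk '
        function report() {
            if (mod == "") return
            if (!ha) print mod ": missing hosts allow"
            if (!au) print mod ": missing auth users"
        }
        /^[ \t]*\[/ {
            report()
            mod = $0; sub(/^[ \t]*\[/, "", mod); sub(/\].*$/, "", mod)
            ha = 0; au = 0; next
        }
        /^[ \t]*hosts allow[ \t]*=/ { ha = 1 }
        /^[ \t]*auth users[ \t]*=/  { au = 1 }
        END { report() }
    ' "$1"
}

# Constructed sample configuration (placeholder module names and paths):
# [backup] is locked down, [public] is not.
write_sample_conf() {   # write_sample_conf FILE
    cat > "$1" <<'EOF'
log file = /var/log/rsyncd.log
secrets file = /etc/rsyncd.secrets

[backup]
path = /home
auth users = scott, michael
hosts allow = 192.168.0.0/24
hosts deny = *

[public]
path = /srv/pub
list = false
EOF
}

# Stand-alone usage: audit_rsyncd /etc/rsyncd.conf
audit_rsyncd() {   # audit_rsyncd CONF
    s=$(secrets_file_of "$1")
    [ -n "$s" ] && echo "secrets file $s: $(secrets_file_mode "$s")"
    unrestricted_modules "$1"
}
```

The audit only knows the spelling rsync actually accepts ("hosts allow", "hosts deny"); a module written with the singular "host allow" would be reported as unrestricted, which is exactly the point, since rsync would not apply it either.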

B. Running rsync daemon 

You may launch the rsync daemon in one of two ways: via xinetd or standalone. When run from xinetd, the following two files need to be edited. 



bash# nano /etc/services
...
rsync 873/tcp
...

bash# nano /etc/xinetd.d/rsync
service rsync
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/bin/rsync
server_args = --daemon
log_on_failure += USERID
}

bash# service xinetd restart



The example above allows rsync to be run via the xinetd daemon. To restart the rsync daemon, restart xinetd. 

Alternatively, you may run rsync in a daemon mode from the command-line. 



bash# rsync --daemon



Once the rsync server is set up, we can run the rsync client from a client machine. To pull a particular target defined in the /etc/rsyncd.conf configuration file, run rsync in the following manner: 



bash# rsync -a scott@rsync_server::target /opt/rsync/backup

Password: ******



Notice that we do NOT specify a source path in the command above, but instead a target name ("target") is specified after :: separator. The rsync configuration file describes the target with access control in detail. Enter the password defined in the secrets file. 

FAQ: How do you bypass the password prompt? 
If you wish to automate rsync with cron, you must bypass the password prompt. If you're running rsync on TCP port 873, you may use the RSYNC_PASSWORD environment variable: write a simple bash script that sets RSYNC_PASSWORD just before invoking the rsync command, as shown below. Since you're putting a clear-text password in a file, protect the file with permission mode 600 (chmod 600) so that no one except you (and root) can read it. 



#!/bin/bash
RSYNC="/usr/bin/rsync -a --delete"
export RSYNC_PASSWORD=helloworld

$RSYNC scott@192.168.0.2::target /path/to/local/filesystem



If you're using ssh channel, you'll have to setup a trusted environment with public/private key pair. To learn how to setup trusted ssh environment, please review Setting up trusted ssh environment


6. Some useful command-line options 

--delete: When rsync is used to replicate one filesystem to another, the --delete option removes a file from the destination filesystem if it has been deleted from the source. Without it, rsync's default behaviour keeps the deleted copy in the destination filesystem. Some rsync examples can be found at http://rsync.samba.org/examples.html.

HOWTO: GRANT privileges in MySQL

   Overview


Since Plesk does not allow GRANT privileges to users via the Plesk Control Panel, you will need to create those permissions via the command line.

   Requirements



  • You must have SSH access set up for root or a sudo user.

    • Connecting via SSH to your server

    • How do I enable root access to my (dv)?

    • Disabling SSH login for root user




Instructions


For the purpose of this article, we are going to use the 'SELECT' privilege. All code provided is an example. You will want to make sure that you change:

  • database to the database name you are using.

  • username to your database user.

  • password to a strong password unique to that user. Please read our article: Strong Password Guidelines.


Start by logging into your server via SSH and then into MySQL by entering the following:
 mysql -u admin -p`cat /etc/psa/.psa.shadow` 

The prompt should now look like this:
mysql>

Enter the following if the database user already exists:
 GRANT SELECT ON database.* TO 'username'@'localhost'; 

If you intend to create a brand new user, then run this:
 GRANT SELECT ON database.* TO 'username'@'localhost' IDENTIFIED BY 'password'; 

To enable more options, separate them with commas. So to enable SELECT, INSERT, and DELETE your syntax would look like this:
 GRANT SELECT, INSERT, DELETE ON database.* TO 'username'@'localhost' IDENTIFIED BY 'password'; 

Once you have given the desired privileges for your user, you will need to run this command within the MySQL command prompt:
 FLUSH PRIVILEGES; 

To see the privileges that have been granted to a specific user:
 SHOW GRANTS FOR 'username'@'localhost'; 

(Querying mysql.user directly, as in select * from mysql.user where User='username';, shows only global privileges, not the database-level grants made above.)

This is a list of privileges that you can grant:

Privilege                 Meaning
ALL [PRIVILEGES]          Sets all simple privileges except GRANT OPTION
ALTER                     Enables use of ALTER TABLE
CREATE                    Enables use of CREATE TABLE
CREATE TEMPORARY TABLES   Enables use of CREATE TEMPORARY TABLE
DELETE                    Enables use of DELETE
DROP                      Enables use of DROP TABLE
EXECUTE                   Not implemented
FILE                      Enables use of SELECT ... INTO OUTFILE and LOAD DATA INFILE
INDEX                     Enables use of CREATE INDEX and DROP INDEX
INSERT                    Enables use of INSERT
LOCK TABLES               Enables use of LOCK TABLES on tables for which you have the SELECT privilege
PROCESS                   Enables the user to see all processes with SHOW PROCESSLIST
REFERENCES                Not implemented
RELOAD                    Enables use of FLUSH
REPLICATION CLIENT        Enables the user to ask where slave or master servers are
REPLICATION SLAVE         Needed for replication slaves (to read binary log events from the master)
SELECT                    Enables use of SELECT
SHOW DATABASES            SHOW DATABASES shows all databases
SHUTDOWN                  Enables use of mysqladmin shutdown
SUPER                     Enables use of CHANGE MASTER, KILL, PURGE MASTER LOGS, and SET GLOBAL statements, and the mysqladmin debug command; allows you to connect (once) even if max_connections is reached
UPDATE                    Enables use of UPDATE
USAGE                     Synonym for "no privileges"
GRANT OPTION              Enables privileges to be granted

How to Block Countries on A Site-by-Site Basis




The Threat Control Panel allows you to block countries across all your CloudFlare-enabled websites by simply typing the name of the country in the "Add custom rule" box. However, at times, you may want to block a particular country for only some of your sites, because some of your sites happen to have legitimate visitors from that country. How to do that?

At the moment (September 2010), you cannot do that through the Threat control Panel. But you can easily implement the feature if you feel comfortable changing your server configuration files, in particular the file called ".htaccess".

When CloudFlare passes a request on to your server, it adds a header: CF-IPCountry. This header contains the standard two-letter Internet country code: "US" for the USA, "CN" for China, and so on. Because the rule below trusts that header, it only holds up if your origin server accepts web traffic exclusively through CloudFlare; a request that reaches the server directly could carry any CF-IPCountry value.

To block a country only for some of your sites, you can add directives in your Apache files.

The following technique is easy to implement as it touches only one file. Suppose you would like to block countries XX and YY from one of your sites. Edit ".htaccess" at the root of each website where you want to block these countries. At the top of the file, just below the "AddHandler" directives (if any), paste these lines:

SetEnvIf CF-IPCountry XX UnwantedCountry=1
SetEnvIf CF-IPCountry YY UnwantedCountry=1
Order allow,deny
Allow from all
Deny from env=UnwantedCountry

That's all! Remember to change "XX" and "YY" to the internet country codes of your choice. You can see how this is beautifully easy to customize: if you do not want to block YY for one of your sites, leave out the YY line.

You may want to test the set-up by blocking your own country on one of your sites. Just make sure you have a back door to change ".htaccess" back again!

If you have access to your server's httpd.conf file (usually not the case on shared hosts), you have access to a wider range of implementations, such as the country-blocking techniques in this article.



Thursday 15 September 2011

Blocking IPs and Visitors by Country

Before we start, one word about orientation. On the right, you will notice links to the multiple pages in this series about website optimization. If you haven't done so yet, I suggest you also visit my main page about website optimization. 

If you inspect your web traffic, you may have noticed a surprising number of visitors from countries such as China, Russia, Poland, India and Brazil. Maybe your website only offers local information about your small town in Louisiana. Can that many people from overseas be interested in your local news?

The answer hides in your website's error logs. There, you will see that many of these visitors are trying to access files and folders that do not exist, hoping to hack into your site, perhaps to turn your server into a spamming zombie.

Some webmasters decide to block all traffic from a number of handpicked countries, sacrificing the few legitimate visitors from China who were looking at your site because they planned to fly in next week to catch a movie at the community hall.

There are several ways to deny traffic from a particular country. To my knowledge, all these methods rely on matching the visitor's IP address to some kind of IP geolocation table.

None of the solutions are perfect: determined visitors will be able to access your site through proxies.

Method 1: Maintaining a List on Your Server

To preface, let me state that this is by far my least favorite method.

There are several sites with free lists of IPs for specific countries, ready to download, sites such as Okean for Chinese and Korean IPs, Wizcrafts for Chinese, Russian and Nigerian IPs, Country IP Blocks for a full list of countries, and BlockACountry for another huge list of countries. I don't know how well any of these lists is maintained.

Once you have a list, you can block the IPs in htaccess or httpd.conf. In my view, this is a cumbersome way of blocking visitors from certain countries, because IPs change all the time. Do you want to update your IP country table all the time?

If you did want to use this method, you might add lines like these to your .htaccess:

Order allow,deny
Allow from all
Deny from 58.14.0.0/15
Deny from 58.16.0.0/16
… etc. (huge list of IP addresses or ranges)

Method 2: Custom Rule in CloudFlare

Update: I do not recommend this method anymore. Click the link to read why I no longer use CloudFlare. I will leave this material here for reference.

On my page about how to block traffic from certain IPs, I explain the free CloudFlare service, in Beta as of Q3 2010.

On a CloudFlare-enabled site, you can add custom rules to block specific IPs or even specific countries. It is fast to implement, and it is extremely convenient because you don't need to update the list of IPs for the countries that you want to block. CloudFlare does that for you.

This method is perfect if you want to use the same rules across all sites. However, it may be that you want to block Russia across most sites, but that one of your sites happens to have many legitimate visitors from Russia. For such situations, you can use Method 3.

Method 3: CloudFlare plus Apache Configuration

If you have several sites and need greater control over which countries you block for each site, you can take advantage of a feature of CloudFlare: the CF-IPCountry variable it inserts in request headers, a variable that contains the geolocation data looked up by CloudFlare.

You can then tweak Apache configuration files to block visitors based on CF-IPCountry.

Flavor 1: Simplest Technique on Shared Hosts
For this technique, you only edit the ".htaccess" file at the root of your web pages. Paste the following at the top of htaccess, just below the "AddHandler" line if any:

SetEnvIf CF-IPCountry CN BuzzOff=1
SetEnvIf CF-IPCountry RU BuzzOff=1
SetEnvIf CF-IPCountry IN BuzzOff=1
Order allow,deny
Allow from all
Deny from env=BuzzOff

In this example, notice "CN", "RU" and "IN" in the first three lines. These stand for China, Russia and India. Edit those to suit your needs (and add or remove as many lines as you like) by consulting the list of internet country abbreviations.

Depending on your needs, you can create different htaccess code for each of your sites.

I suggest you test the implementation by blocking your own country on one of your sites (but make sure you have FTP access to remove the block from your htaccess!)

Flavor 2: Simple Technique for Many Countries on Multiple Sites (Private Hosts only)
Here is an implementation that works great when you maintain a large list of countries that you want to block on multiple sites. For this implementation, you need access to httpd.conf, which is rarely the case on shared hosts.

First, in httpd.conf, paste something like the following before the VirtualHost section, editing the example to add whichever countries you want to block and remove whichever countries you do not want to block. To choose which countries to ban, visit a list of country abbreviations.

SetEnvIf CF-IPCountry BD BuzzOff=1
SetEnvIf CF-IPCountry CN BuzzOff=1
SetEnvIf CF-IPCountry HR BuzzOff=1
SetEnvIf CF-IPCountry HU BuzzOff=1
SetEnvIf CF-IPCountry ID BuzzOff=1
SetEnvIf CF-IPCountry IN BuzzOff=1
SetEnvIf CF-IPCountry LU BuzzOff=1
SetEnvIf CF-IPCountry LV BuzzOff=1
SetEnvIf CF-IPCountry PH BuzzOff=1
SetEnvIf CF-IPCountry PK BuzzOff=1
SetEnvIf CF-IPCountry PL BuzzOff=1
SetEnvIf CF-IPCountry RO BuzzOff=1
SetEnvIf CF-IPCountry RU BuzzOff=1
SetEnvIf CF-IPCountry SI BuzzOff=1
SetEnvIf CF-IPCountry SK BuzzOff=1
SetEnvIf CF-IPCountry TH BuzzOff=1
SetEnvIf CF-IPCountry TW BuzzOff=1
SetEnvIf CF-IPCountry UA BuzzOff=1
SetEnvIf CF-IPCountry VN BuzzOff=1

Then, for each of the websites for which you want to block these countries, open your .htaccess and paste these lines near the top, right below the "AddHandler" line if any:

Order allow,deny
Allow from all
Deny from env=BuzzOff

Below, there is a more complex example for situations where a country is not always blocked.

Don't forget to restart Apache! Here's a tutorial on SetEnvIf if you'd like to tweak the code. And here's some reading on the Order allow,deny directive.

Flavor 3: Blocking a Country on All Sites Except One
Let's say you want to block Russia on all sites except one.

Starting from "Flavor 2" above, your httpd.conf would instead contain something like:

SetEnvIf CF-IPCountry RU IsRussia=1
SetEnvIf CF-IPCountry CN BuzzOff=1
SetEnvIf CF-IPCountry IN BuzzOff=1
… (other countries to be blocked)

For sites where you don't want to block Russia, your .htaccess would look like this:

Order allow,deny
Allow from all
Deny from env=BuzzOff

For sites where you do want to block Russia, your .htaccess would look like this:

Order allow,deny
Allow from all
Deny from env=IsRussia
Deny from env=BuzzOff

This example should give you an idea of how to further customize country blocking for each site.
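
As an added example (not code from the original post), here is a small shell script that regenerates the httpd.conf and per-site .htaccess blocks used in Flavors 2 and 3 above, and in the earlier per-site post, from plain lists of country codes. The BuzzOff and IsRussia names are the page's own; the code validation and the anchored ^CN$ regex are this example's additions.

```shell
#!/bin/sh
# Added example, not from the original post: generate the httpd.conf SetEnvIf
# block and the per-site .htaccess block of Flavors 2 and 3 from lists of
# country codes, so the rules can be regenerated for every site instead of
# being hand-edited. Variable names (BuzzOff, IsRussia) are the page's; the
# Order/Allow/Deny form is Apache 2.2 syntax (mod_access_compat on 2.4).
#
# These rules trust CF-IPCountry. The header is only meaningful on requests
# that actually came through CloudFlare, so the origin should not accept
# requests that bypass it; otherwise any client can send its own value.

# valid_cc CODE -> true only for exactly two upper-case ASCII letters
valid_cc() {
  printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[A-Z]{2}$'
}

# setenvif_block VAR CODE... -> one SetEnvIf line per code. The regex is
# anchored (^CN$) so it matches only the whole header value.
setenvif_block() {
  var=$1; shift
  for cc in "$@"; do
    valid_cc "$cc" || { echo "rejected country code: $cc" >&2; return 1; }
    printf 'SetEnvIf CF-IPCountry ^%s$ %s=1\n' "$cc" "$var"
  done
}

# htaccess_block VAR... -> the access-control block for one site, with a
# Deny line for each environment variable that site should honour.
htaccess_block() {
  printf 'Order allow,deny\nAllow from all\n'
  for var in "$@"; do
    printf 'Deny from env=%s\n' "$var"
  done
}

# Demo of Flavor 3: the httpd.conf part, then a site that also blocks Russia
setenvif_block IsRussia RU
setenvif_block BuzzOff CN IN
echo '---'
htaccess_block IsRussia BuzzOff
```

For a site that should keep its Russian visitors, call htaccess_block with BuzzOff only.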

China (Russia, etc) is Still Showing in my CloudFlare Threats!
If you have used Method 3, it is normal that your blocked countries will still appear in the list of threats of your CloudFlare dashboard. Why? CloudFlare is your first line of defense. Visitors from China first go to the CloudFlare DNS. There, they may be challenged (and show in your Threats Panel).

The visitors that CloudFlare doesn't block are routed to your server, where they should be blocked by the techniques shown above. Therefore, such visitors should not show in stats reports of pages actually seen, such as those produced by Google Analytics.

The dmesg Command

The dmesg command is used to write the kernel messages in Linux and other Unix-like operating systems to standard output (which by default is the display screen).


The kernel is the core of an operating system. It is the first part of the operating system that is loaded into memory when a computer boots up (i.e., starts up), and it controls virtually everything on a system. The numerous messages generated by the kernel that appear on the display screen as a computer boots up show the hardware devices that the kernel detects and indicate whether it is able to configure them.

dmesg obtains its data by reading the kernel ring buffer. A buffer is a portion of a computer's memory that is set aside as a temporary holding place for data that is being sent to or received from an external device, such as a hard disk drive (HDD), printer or keyboard. A ring buffer is a buffer of fixed size for which any new data added to it overwrites the oldest data in it.

dmesg can be very useful when troubleshooting or just trying to obtain information about the hardware on a system. Its basic syntax is
dmesg [options]

Invoking dmesg without any of its options (which are rarely used) causes it to write all the kernel messages to standard output. This usually produces far too many lines to fit into the display screen all at once, and thus only the final messages are visible. However, the output can be redirected to the less command through the use of a pipe (designated by the vertical bar character), thereby allowing the startup messages to be viewed one screenful at a time:
dmesg | less

less allows the output to be moved forward one screenful at a time by pressing the SPACE bar, backward by pressing the b key and removed by pressing the q key. (The more command could have been used here instead of the less command; however, less is newer than more and has additional functions, including the ability to return to previous pages of the output.)

When a user encounters a problem with the system, it can be convenient to write the output of dmesg to a file and then send that file by e-mail to a system administrator or other knowledgeable person for assistance. For example, the output could be redirected to a file named boot_messages using the output redirection operator (designated by a rightward facing angle bracket) as follows:
dmesg > boot_messages

Because of the length of the output of dmesg, it can be convenient to pipe its output to grep, a filter which searches for any lines that contain the string (i.e., sequence of characters) following it. The -i option can be used to tell grep to ignore the case (i.e., lower case or upper case) of the letters in the string. For example, the following command lists all references to USB (universal serial bus) devices in the kernel messages:
dmesg | grep -i usb

And the following tells dmesg to show all serial ports (which are represented by the string tty):
dmesg | grep -i tty

The dmesg and grep combination can also be used to show how much physical memory (i.e., RAM) is available on the system:
dmesg | grep -i memory

The following command checks to confirm that the HDD(s) are running in DMA (direct memory access) mode:
dmesg | grep -i dma

The output of dmesg is maintained in the log file /var/log/dmesg, and it can thus also be easily viewed by reading that file with a text editor, such as vi or gedit, or with a command such as cat, e.g.,
cat /var/log/dmesg | less

How to fix the jftp error in joomla JFTP::store: Bad response – Warning! – Failed to move file.

While trying to upload or install some components or modules in Joomla, you may get the following error:
ERROR:

JFTP::store: Bad response. Warning! – Failed to move

Don't panic! There is a simple workaround for this issue. It happens when Joomla's FTP layer doesn't work properly. You may fix it by simply disabling FTP in the file 'configuration.php'.

Open the configuration.php file using an editor like vi:

root@ssages [/home/indisage/www]# vi configuration.php

Then search for the following line :

var $ftp_enable = '1';

Change the 1 to 0 to fix the issue.

Alternatively, you can disable it from Global Configuration -> Server in Joomla.

Wednesday 27 July 2011

Clamscan Script

With a compromised web server it's often nice to set the infected files to be immutable. Here's my way of doing things.

Start with an install of ClamAV and run a signature update:
yum install clamscan -y

freshclam

Scan to a file and send the scan to the background:
clamscan /var/www/vhosts/ -r > ~/clamscan &

Search the report for infected files (lines ending in FOUND) and set them to be immutable (the report file name must match the one written by the scan above):
chmod 000 $(grep FOUND ~/clamscan | awk '{print $1}' | cut -d: -f1)
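
As an added example, not from the original post: a parser for the clamscan report that copes with spaces and colons in file names, plus a lock step that can use either the post's chmod 000 or chattr +i (which is what actually makes a file immutable). The report lines in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: pull the infected paths out of a
# clamscan report in a way that survives spaces and colons in file names, then
# lock them. The report below is constructed for the demo; the real one is
# whatever "clamscan -r /var/www/vhosts/ > ~/clamscan" wrote.

# found_files REPORT -> one path per line for every "... FOUND" line.
# The signature name never contains ':' so stripping ": <sig> FOUND" from the
# end leaves the full path, even when the path itself contains ':' or spaces
# (the awk/cut one-liner above breaks on both).
found_files() {
  sed -n 's/: [^:]* FOUND$//p' "$1"
}

# lock_found REPORT [MODE] -> apply the lock to each found file.
#   MODE=chmod  : chmod 000 (what the post does; root can still alter the file)
#   MODE=chattr : chattr +i (immutable until chattr -i, needs root on ext*)
# Set DRY_RUN=1 to print the commands instead of running them.
lock_found() {
  report=$1; mode=${2:-chmod}
  case "$mode" in
    chattr) cmd="chattr +i" ;;
    *)      cmd="chmod 000" ;;
  esac
  found_files "$report" | while IFS= read -r f; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf '%s %s\n' "$cmd" "$f"
    else
      $cmd "$f"   # $cmd is deliberately unquoted: it is two words
    fi
  done
}

# Constructed sample report for the demo (paths and signature names invented)
sample_report=$(mktemp)
cat > "$sample_report" <<'EOF'
/var/www/vhosts/example.com/httpdocs/wp-content/uploads/shell.php: Php.Trojan.Agent-1 FOUND
/var/www/vhosts/example.com/httpdocs/images/logo.png: OK
/var/www/vhosts/example.com/httpdocs/old site/backup: x.php: Php.Malware.Webshell-2 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
EOF

DRY_RUN=1 lock_found "$sample_report" chattr
```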

Saturday 9 July 2011

How to Enable Wildcard Subdomains

When you install WPMU, by default the subdomain option is checked. This is for blogs in the format username.yourdomain.com.

There are two steps that need to be done on your server in order for this to work.

In Apache, there needs to be a line in the domain's virtual hosts section as follows:

ServerName yourdomain.com
ServerAlias yourdomain.com *.yourdomain.com
DocumentRoot /your/doc/root/
ServerAdmin webmaster@yourdomain.com

** If you're running an Nginx server, you'd use:

server {
    listen 80;
    server_name yourdomain.com *.yourdomain.com;
}

The ServerAlias line with *.yourdomain.com is what controls this. If you do not have access to change this, ask your web host for support. More and more hosts are enabling this by default.

The second thing that needs to be done is adding the DNS record. Where you add it depends on your domain hosting. Basically, you need to add a line like this to the zone:

*    IN    A    YOURIPADDRESS

This wildcard means that any subdomain request will fall through to the WPMU install, where MU will look up the name in the database. If it finds it, it serves up the blog.

Note: if you choose the subfolder option on installation, you do not have to do either one of these steps.

Wednesday 6 July 2011

Resolving Domain Park Wrapper Errors

If you run a more populated shared hosting server, sooner or later you’ll have received complaints about the dreaded park wrapper errors in cPanel that occur when a user tries to add a parked or addon domain to their cPanel. The errors may look like this:
Error from domain wrapper: domain.com is owned by another user.
Error from domain wrapper: Domain already exists, it was not added.
I've never really been able to attribute that error to a specific action, but my assumption is that it occurs when the end user does not completely remove the domain from their cPanel (i.e. hitting Esc or closing the browser during removal), so cPanel never removes the domain's entries, and the domain cannot be re-added when certain security settings are enabled in WHM > Tweak Settings.
The easy solution to the first error is to enable the option for users to add domains owned by other users via WHM > Tweak Settings. But this is a very bad idea as it essentially allows users to repoint domains that you’re already hosting.
If you’re attempting to re-add a domain to a cPanel account and are getting one of the above errors, first check that the error needs to be corrected. Meaning, make sure that the domain in question isn’t already set up elsewhere. If it is, you would need to remove it from that account before being able to add it to another.
If the error is actually occurring due to an improperly removed domain, follow the below steps until you are able to add the domain back to the server:
  1. Run /scripts/killdns on the server to remove the DNS records from the DNS cluster.
  2. Run grep -r domain.com /var/cpanel/users to see if the domain exists in a user file. If so, delete the entry and run /scripts/updateuserdomains, and make sure it's removed from /etc/userdomains.
  3. Run grep -r domain.com /var/cpanel/userdata to see if the domain appears in a user's template. If so, remove any files based on the domain name (including .cache files), and remove any subdomain/parked/addon domain entries for that domain from the 'main' file located in that user's folder (i.e. /var/cpanel/templates/username/main), then run /scripts/rebuildhttpconf to remove it from httpd.conf.
This should allow you to re-add the domain name to the user’s cPanel without getting the park wrapper error.
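
As an added example that is not part of the original post, this read-only shell audit lists every reference to a domain in the files steps 2 and 3 mention, so you can see what is left before deleting anything. It runs here against a constructed directory tree; the file formats approximate cPanel's, and the user name alice and the domains are invented.

```shell
#!/bin/sh
# Added example, not part of the original post: a read-only audit that lists
# every place a domain is still referenced in the cPanel files the steps above
# mention. ROOT (optional) prefixes all paths so the demo can run against a
# constructed tree in a temp dir; on a real server leave ROOT empty.

# domain_refs DOMAIN [ROOT] -> matching lines as file:line:text, followed by
# any file under userdata whose name starts with the domain (e.g. .cache files).
domain_refs() {
  domain=$1; root=${2:-}
  # escape the dots so "example.com" cannot match "exampleXcom";
  # -w keeps "myexample.com" out but still finds "parked.example.com",
  # which is exactly the kind of entry step 3 says to remove
  pat=$(printf '%s' "$domain" | sed 's/\./\\./g')
  for p in /var/cpanel/users /var/cpanel/userdata /etc/userdomains; do
    if [ -e "$root$p" ]; then
      grep -rnw -- "$pat" "$root$p" 2>/dev/null || true
    fi
  done
  if [ -d "$root/var/cpanel/userdata" ]; then
    find "$root/var/cpanel/userdata" -name "${domain}*" -print
  fi
}

# Constructed demo tree (formats approximate cPanel's; contents are invented)
demo=$(mktemp -d)
mkdir -p "$demo/var/cpanel/users" "$demo/var/cpanel/userdata/alice" "$demo/etc"
printf 'DNS=example.com\nDNS1=parked.example.com\n' > "$demo/var/cpanel/users/alice"
printf 'main_domain: example.com\n' > "$demo/var/cpanel/userdata/alice/main"
: > "$demo/var/cpanel/userdata/alice/example.com.cache"
printf 'example.com: alice\nother.net: bob\n' > "$demo/etc/userdomains"

domain_refs example.com "$demo"
```

Nothing is deleted by the script; once the output is empty, the domain can be re-added.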