Thursday, 30 September 2010

How to Use Symlinks in Windows

Technology blog Tested goes in depth to explain Windows symlinks (symbolic links that let you do all sorts of cool things like sync files and folders outside your Dropbox folder), detailing what they are and how to use them.

We've talked about how to use symlinks in OS X and Linux in the past, and shown you how to use them for specific things in Windows, but we've never gone in depth on Windows symlinks.

Tested's guide nicely explains how to create symlinks in Windows and offers suggestions for when you might benefit from a symlink. For example:
mklink /j "c:\users\Will\Music\iTunes\iTunes Music" d:\Music - This line makes a symlink that redirects from the folder c:\users\Will\Music\iTunes\iTunes Music to the Music folder on my second hard drive. This type of use is especially handy if you have a small main hard drive and a larger secondary drive.

Granted, in many instances you'll be better off just changing whatever settings you can so that an application is pointing at the right directory and you don't need a symlink, but knowing how to set up and use a good symlink can be really handy in the right circumstances.

lifehacker

How to Create Symbolic Links (Symlink) Using php

On Unix systems, a symbolic link is a special type of file that contains a reference to another file or directory; any operation (read or write) on the symbolic link behaves as if it operated directly on the referenced file.

If you have Unix shell access, creating a symbolic link is easy; use the following command:

ln -s target_filename symlink_filename
ln -s /home/username/public_html/directory1 /home/username/public_html/directory2

But here we will discuss a very special case from the real world where you need to create a symbolic link without shell access. Below is one example:

A lot of people host their web site in a shared web hosting environment, and most shared web hosting vendors will not give you shell access for security reasons. So, how can you create a symbolic link when you need one?

The approach we use here is to write a simple PHP script.

Create Symbolic Links via PHP

In PHP there is a function called symlink(), which allows you to create a symbolic link. Below are the steps to follow:

  • Edit, copy & paste the following line of code into a PHP (.php) file and upload it to the root directory on your server (i.e., the directory that contains "public_html"):




Note: replace username, sourcedirectory and symbolic_link according to your server environment.

  • Next, trigger the function by calling the PHP file via your browser. If you see a blank page, you are good to go; the symbolic link has been created according to the specified parameters. To create another symbolic link, simply edit the parameters and repeat the process.


To Disable the Link:

Tuesday, 28 September 2010

How to Back Up and Restore Files - Plesk

How to Back Up and Restore Files


When you run a website, you often have a lot of important and complex files that you need to manage in order to keep things running smoothly. This makes it vitally important to back up your files so that a catastrophic meltdown doesn't leave you without any files. In fact, backing up files is a necessity if you are serious about keeping your site up. Luckily, Plesk gives you a web management interface that makes it easy to back up your data on a one-time basis or on a schedule. If you are a little confused about how to back up your website's files using Plesk, this should help you out.

How to backup and restore files Video Tutorial - Plesk

Steps to Backing Up and Restoring Files Using Plesk



  1. Make sure you are logged in to your Plesk account

  2. Click on the "Back Up" icon

  3. This is the main backup page

  4. To schedule a backup, click on the "Schedule Backup" button

  5. Enter the time of day you want the backup to take place

  6. Choose the backup frequency

  7. Choose how many backup files to keep in the repository

  8. Enter a prefix for the backup files

  9. Enter an email address for backup notifications

  10. Scroll down

  11. Click on "OK"

  12. Go back into the "Schedule Backup" area

  13. Enable the scheduled backup by clicking the appropriate option

  14. Return to the backup manager

  15. To immediately back up your files, click "Back Up Now"

  16. Again, click "Back Up Now"

  17. When the backup is done, click "OK"

  18. The backup file is now listed

  19. To download the backup, scroll right and click the download icon

  20. Save the backup file to your computer

  21. To restore, click on a backup file. If it is stored on a personal computer, click the appropriate upload button.


Source : http://www.webhostingsearch.com/video-tutorials/how-to-back-up-and-restore-files.php

Error while restarting Qmail from Plesk

“Unable to make action: Unable to manage service by mailmng: mailmng: Service qmail failed to start

0: /usr/local/psa/admin/htdocs/server/restart_services.php:28 psaerror(string “Unable to make action: Unable to manage service by mailmng: mailmng: Service qmail failed to start”)”

This error occurs if the sendmutex lock file is missing. It can be resolved by creating the file:

touch /var/qmail/queue/lock/sendmutex
chown qmails:qmail /var/qmail/queue/lock/sendmutex
/etc/init.d/qmail restart

Monday, 27 September 2010

Deleting Email From The Email Server

Postfix Flush the Mail Queue

The traditional "sendmail -q" command flushes the mail queue. Under Postfix, enter the following to flush the mail queue:
postfix flush
OR
postfix -f

To see mail queue, enter:
mailq

To remove all mail from the queue, enter:
postsuper -d ALL

To remove all mails in the deferred queue, enter:
postsuper -d ALL deferred

postfix-delete.pl script


The following script deletes every message in the mail queue (as listed by mailq) that matches the regular expression given as its first argument (Credit: ??? - I found it on a good old newsgroup):

#!/usr/bin/perl
# Delete every Postfix queue entry whose mailq record matches the regexp given as the first argument.

$REGEXP = shift || die "no email-address given (regexp-style, e.g. bl.*@yahoo.com)!";

@data = qx[mailq];               # read the current queue listing
for (@data) {
    # A record starts with the queue ID, optionally followed by '*' (active) or '!' (on hold)
    if (/^(\w+)(\*|!)?\s/) {
        $queue_id = $1;
    }
    if ($queue_id) {
        # Mark the record for deletion on the first line of it that matches the pattern
        if (/$REGEXP/i) {
            $Q{$queue_id} = 1;
            $queue_id = "";
        }
    }
}

#open(POSTSUPER,"|cat") || die "couldn't open postsuper" ;   # dry run: print the IDs instead of deleting
open(POSTSUPER, "|postsuper -d -") || die "couldn't open postsuper";

foreach (keys %Q) {
    print POSTSUPER "$_\n";      # one queue ID per line, as postsuper -d - expects
}
close(POSTSUPER);


For example, to delete all queued messages from or to the domain fackspamdomain.com, enter:


./postfix-delete.pl fackspamdomain.com

Delete all queued messages that contain the word "xyz" in the e-mail address:


./postfix-delete.pl xyz
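The same selection logic in Python, as an added example rather than the page's own script: it parses constructed mailq output, matches the pattern only against sender and recipient addresses (the Perl version also matches the deferral-reason lines, which name the remote MX), and builds the list you would feed to postsuper -d - so the IDs can be reviewed before anything is deleted.

```python
import re

# Constructed Postfix `mailq` output (not captured from a real server): '*' marks an
# active message, '!' one on hold, and a parenthesised line is the deferral reason.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    1234 Mon Sep 27 10:00:00  bounce@fackspamdomain.com
                                         user@example.com

F6A7B8C9D0!    5678 Mon Sep 27 10:05:00  alice@example.net
(connect to mx.example.org[192.0.2.10]:25: Connection timed out)
                                         bob@fackspamdomain.com

0123456789     2468 Mon Sep 27 10:10:00  newsletter@mysite.com
                                         carol@example.com

-- 9 Kbytes in 3 Requests.
"""

# Same start-of-record test as the Perl script (queue ID, optional '*' or '!'),
# extended to capture the sender that mailq prints at the end of that line.
QUEUE_LINE = re.compile(
    r"^(\w+)([*!])?\s+\d+\s+\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d\s+(\S+)$")


def parse_mailq(text):
    """Return {queue_id: {'status': '*'|'!'|'', 'sender': str, 'recipients': [str]}}."""
    records, current = {}, None
    for line in text.splitlines():
        m = QUEUE_LINE.match(line)
        if m:
            current = {"status": m.group(2) or "", "sender": m.group(3), "recipients": []}
            records[m.group(1)] = current
        elif not line.strip():
            current = None                                   # blank line ends the record
        elif current is not None and not line.lstrip().startswith("("):
            current["recipients"].append(line.strip())       # indented line = one recipient
    return records


def matching_queue_ids(text, pattern):
    """Queue IDs whose sender or any recipient matches pattern, case-insensitively
    like the Perl /$REGEXP/i. Deferral-reason lines are deliberately not searched."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [qid for qid, rec in parse_mailq(text).items()
            if rx.search(rec["sender"]) or any(rx.search(r) for r in rec["recipients"])]


def postsuper_stdin(queue_ids):
    """The text the Perl script pipes into `postsuper -d -`: one queue ID per line."""
    return "".join(f"{qid}\n" for qid in queue_ids)


if __name__ == "__main__":
    # Dry run: print what would be deleted instead of piping it to postsuper
    print(postsuper_stdin(matching_queue_ids(SAMPLE_MAILQ, "fackspamdomain.com")), end="")
```

On a live server replace SAMPLE_MAILQ with the output of subprocess.check_output(["mailq"], text=True) and pipe the result into postsuper -d - only after checking it.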

Updated for accuracy.

How to clear sendmail queue

If you are using a Linux operating system, you can clear the sendmail queue in the following ways:

1. Manually: delete the files under /var/spool/mail/ and then the files under /var/mqueue/; all mail is then deleted. Afterwards run the mailq command to confirm that all mail has been cleared.

2. Using a command: run sendmail -v -q at the root prompt. It will clear all pending mail. You can again confirm by running the mailq command.

If you only want to deal with the mail of a particular domain, user or recipient, use these commands:

sendmail -qS -v test.com - deletes all mail from *@test.com
sendmail -qR -v hotmail.com - deletes all mail to recipients at hotmail

How to install Installatron on a Plesk Windows server


1. Requirements

Check that your server meets the requirements for Installatron.

2. Install Installatron

Download and run the Windows installation wizard below. Windows administrative privileges are required.

http://data1.liquenox.com/installatron/installatron_setup.exe

If you experience any errors, see troubleshooting.

3. Use Installatron

Installatron is now ready to use in Plesk for Windows.

The admin login will find the administration tool in Server > Installatron Admin.

Client logins will find the reseller administration tool in Clients > Installatron Admin.

Domain logins will find the script installer tool under Installatron.


Thursday, 23 September 2010

Exporting/Importing SSL Certificates Between Windows Servers

Installing DNS server on CentOS 5

First, you must install the core packages of this service, which are:

  1. bind

  2. caching-nameserver

  3. bind-chroot


You can install these packages with the following command:

# yum -y install bind caching-nameserver bind-chroot

After the installation, set the server up by following these steps:

1. Check your hostname by this command :

# uname -n
dns.aoddy.com

2. Edit /etc/named.conf:

options {
    directory "/var/named";
    forwarders { WWW.XXX.YYY.ZZZ; };                 // IP of ISP
    // query-source address * port 53;
    allow-query { localhost; 192.168.0.0/24; };      // query range
    allow-transfer { localhost; 192.168.0.0/24; };   // transfer range
    allow-recursion { localhost; 192.168.0.0/24; };  // recursion range
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

// here is the section for internal information
view "internal" {
    match-clients {
        localhost;
        192.168.0.0/24;
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "mysite.com" IN {
        // for common resolving
        type master;
        file "mysite.com.fwd";
        allow-update { none; };
    };

    zone "0.168.192.in-addr.arpa" IN {
        // for reverse resolving *note
        type master;
        file "mysite.com.rev";
        allow-update { none; };
    };

    zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
    };

    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };

    zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
    };

    zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
    };
};

// here is the section for external information
view "external" {
    match-clients {
        any;
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "server-linux.info" IN {
        // for common resolving
        type master;
        file "server-linux.info.wan";
        allow-update { none; };
    };

    zone "80.0.16.172.in-addr.arpa" IN {
        // for reverse resolving *note
        type master;
        file "80.0.16.172.db";
        allow-update { none; };
    };
};

include "/etc/rndc.key";


3. Create /var/named/mysite.com.fwd:

$TTL 86400
@       IN SOA  dns.mysite.com. root.aoddy.com. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS   dns.mysite.com.
        IN MX   10 dns.mysite.com.
        IN MX   20 web.mysite.com.
        IN A    192.168.0.2
dns     IN A    192.168.0.2
web     IN A    192.168.0.3


4. Create the file /var/named/aoddy.com.rev:

$TTL 86400
@       IN SOA  dns.aoddy.com. root.mysite.com. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS   dns.aoddy.com.
        IN MX   10 dns.mysite.com.
        IN MX   20 web.mysite.com.   ; trailing dot = fully qualified, otherwise the zone origin is appended
        IN PTR  dns.mysite.com.
2       IN PTR  dns.mysite.com.
3       IN PTR  web.mysite.com.


5. Start the service:

# service named restart

6. Test that this server can resolve both the domain name and the IP address:

[root@dns named]# nslookup
> dns.mysite.com
Server:         192.168.0.2
Address:        192.168.0.2#53

Name:   dns.mysite.com
Address: 192.168.0.2
> 192.168.0.2
Server:         192.168.0.2
Address:        192.168.0.2#53

2.0.168.192.in-addr.arpa        name = dns.mysite.com.
>


7. If your service cannot resolve names, check your configuration file with this command:

# named-checkconf
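Added example, not the page's code: a small zone-file checker for the two files created above. It applies BIND's origin rule to flag name-valued records that are missing their trailing dot (BIND silently appends the zone origin to them) and lists A records in the /24 that have no matching PTR; both zone files are constructed copies in the same layout, the reverse one deliberately carrying one unqualified MX target, and the parser assumes no TTL column or $ORIGIN directive.

```python
# Constructed zone files in the layout used above; not taken from a live server.
FWD_ORIGIN = "mysite.com."
REV_ORIGIN = "0.168.192.in-addr.arpa."

SAMPLE_FWD_ZONE = """\
$TTL 86400
@       IN SOA  dns.mysite.com. root.aoddy.com. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS   dns.mysite.com.
        IN MX   10 dns.mysite.com.
        IN MX   20 web.mysite.com.
        IN A    192.168.0.2
dns     IN A    192.168.0.2
web     IN A    192.168.0.3
"""

SAMPLE_REV_ZONE = """\
$TTL 86400
@       IN SOA  dns.aoddy.com. root.mysite.com. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS   dns.aoddy.com.
        IN MX   10 dns.mysite.com.
        IN MX   20 web.mysite.com
        IN PTR  dns.mysite.com.
2       IN PTR  dns.mysite.com.
3       IN PTR  web.mysite.com.
"""

NAME_RDATA_TYPES = {"NS", "CNAME", "PTR", "MX"}   # types whose last RDATA field is a name


def qualify(name, origin):
    """BIND's origin rule: '@' is the origin; a name with no trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_records(zone_text, origin):
    """(owner, type, rdata_tokens) for the one-line IN records; the multi-line SOA is skipped.
    Assumes no TTL field before the class and no $ORIGIN directives, as in the files above."""
    records, owner, in_soa = [], origin, False
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop ';' comments
        if not line.strip() or line.startswith("$"):
            continue
        if in_soa:                                   # still inside the SOA ( ... ) block
            in_soa = ")" not in line
            continue
        tokens = line.split()
        if not raw[0].isspace():                     # leading blank means "same owner as before"
            owner = qualify(tokens.pop(0), origin)
        if tokens and tokens[0] == "IN":
            tokens.pop(0)
        if not tokens:
            continue
        rtype = tokens.pop(0)
        if rtype == "SOA":
            in_soa = ")" not in line
            continue
        records.append((owner, rtype, tokens))
    return records


def unqualified_targets(zone_text, origin):
    """Name-valued RDATA lacking the trailing dot, paired with the name BIND will really store."""
    return [(owner, rtype, rdata[-1], qualify(rdata[-1], origin))
            for owner, rtype, rdata in parse_records(zone_text, origin)
            if rtype in NAME_RDATA_TYPES and not rdata[-1].endswith(".")]


def missing_ptrs(fwd_text, fwd_origin, rev_text, rev_origin):
    """A records inside the reverse zone's /24 that have no PTR pointing back at their owner."""
    octets = rev_origin.rstrip(".").split(".")[:-2]             # ['0', '168', '192']
    prefix = ".".join(reversed(octets)) + "."                   # '192.168.0.'
    ptrs = {}
    for owner, rtype, rdata in parse_records(rev_text, rev_origin):
        if rtype == "PTR" and owner != rev_origin:               # skip the apex PTR
            ptrs.setdefault(owner.split(".")[0], set()).add(rdata[0])
    return [(rdata[0], owner)
            for owner, rtype, rdata in parse_records(fwd_text, fwd_origin)
            if rtype == "A" and rdata[0].startswith(prefix)
            and owner not in ptrs.get(rdata[0][len(prefix):], set())]
```

The apex A record shows up as missing a PTR because the reverse zone above maps .2 to dns.mysite.com. only; whether that matters depends on whether anything relies on mysite.com. resolving in reverse.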

[FIX] Zone file and corresponding record in named.conf are missing for a particular domain

DNS not working for a domain in a plesk panel (Windows)

Symptom:
You are on a dedicated Windows box running Plesk and get a "page not found" for one domain name while the other domains on the same box work fine.
All the settings look fine and even the name servers are pointing correctly; in that case there is a chance of a DNS misconfiguration.

Resolution: Editing the Plesk DNS zone database

When the DNS zone for a domain is managed via Plesk, the status for this domain in the dns_zone table of the database is temporarily set to a value of 2 (to lock it against further changes) and is then set back to 0 once the changes have been processed. If for some reason the process is interrupted (Plesk restarts, for example), the status field may not get changed back to 0 and stays at 2. Therefore no further changes are recorded until the status is changed back to 0.

Please note: to isolate database issues between Plesk and your own web services (MySQL or MS SQL), we recommend setting up Plesk to use MS Access databases. If you have set up Plesk to use MySQL or MS SQL databases, you will need to use your preferred database viewer to find the DNS zone table. MS SQL instructions are given below.

  1. To view and edit the Plesk DNS zone database you will need an MS Access database viewer such as MDBPlus; open pleskmain.db, located at C:\Program Files (x86)\Parallels\Plesk\admin\db. Note: the password is the same as the Plesk admin login.

  2. Check dns_zone records for the problem domain’s entry (domain.com for example):

    1. if there are multiple entries for the same domain; remove the entry that has the incorrect setting of 2;

    2. if there is only one entry for the domain, adjust the value in the “status” column from 2 back to 0.



  3. Save the database.

  4. Go back into Plesk and navigate to the DNS zone settings tab for the affected domain.

  5. Select "Restore Defaults" to rebuild the appropriate entries for the domain.


You should now be able to resolve the domain correctly.

For Plesk installations setup to use MS SQL as the default Plesk database:

  1. Login via MSSQL Server Management Studio Express or your preferred MS SQL management tool.

  2. Expand the Plesk database.

  3. Expand the “tables” section.

  4. Scroll down to "dbo.dns_zone", right-click on it and choose "Open Table".

  5. Delete or modify the erroneous entry as in Step 2. above.

Wednesday, 22 September 2010

Top 20 Nginx WebServer Best Security Practices

Nginx is a lightweight, high performance web server/reverse proxy and e-mail (IMAP/POP3) proxy. It runs on UNIX, GNU/Linux, BSD variants, Mac OS X, Solaris, and Microsoft Windows. According to Netcraft, 6% of all domains on the Internet use the nginx webserver. Nginx is one of a handful of servers written to address the C10K problem. Unlike traditional servers, Nginx doesn't rely on threads to handle requests. Instead it uses a much more scalable event-driven (asynchronous) architecture. Nginx powers several high traffic web sites, such as WordPress, Hulu, Github, and SourceForge. This page collects hints on how to improve the security of nginx web servers running on Linux or UNIX-like operating systems.
Default Config Files and Nginx Port

* /usr/local/nginx/conf/ - The nginx server configuration directory; /usr/local/nginx/conf/nginx.conf is the main configuration file.
* /usr/local/nginx/html/ - The default document location.
* /usr/local/nginx/logs/ - The default log file location.
* Nginx HTTP default port : TCP 80
* Nginx HTTPS default port : TCP 443

You can test nginx configuration changes as follows:
# /usr/local/nginx/sbin/nginx -t
Sample outputs:

the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
configuration file /usr/local/nginx/conf/nginx.conf test is successful

To load config changes, type:
# /usr/local/nginx/sbin/nginx -s reload
To stop server, type:
# /usr/local/nginx/sbin/nginx -s stop
#1: Turn On SELinux

Security-Enhanced Linux (SELinux) is a Linux kernel feature that provides a mechanism for enforcing access control security policies, which gives strong protection. It can stop many attacks before your system is rooted. See how to turn on SELinux for CentOS / RHEL based systems.
Do Boolean Lockdown

Run the getsebool -a command and lock down the system:

getsebool -a | less
getsebool -a | grep off
getsebool -a | grep o

To secure the machine, look at the settings which are set to 'on' and change them to 'off' if they do not apply to your setup, using the setsebool command. Set the correct SELinux booleans to maintain both functionality and protection. Please note that SELinux adds 2-8% overhead to a typical RHEL or CentOS installation.
#2: Allow Minimal Privileges Via Mount Options

Serve all your web pages / HTML / PHP files from a separate partition. For example, create a partition called /dev/sda5 and mount it at /nginx. Make sure /nginx is mounted with the noexec, nodev and nosuid options. Here is my /etc/fstab entry for mounting /nginx:

LABEL=/nginx /nginx ext3 defaults,nosuid,noexec,nodev 1 2

Note: you need to create the new partition first, using the fdisk and mkfs.ext3 commands.
#3: Linux /etc/sysctl.conf Hardening

You can control and configure Linux kernel and networking settings via /etc/sysctl.conf.


# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1

# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Turn on Exec Shield
kernel.exec-shield = 1
kernel.randomize_va_space = 1

# Tune IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

# Optimization for port use for LBs
# Increase system file descriptor limit
fs.file-max = 65535

# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max = 65536

# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000

# Increase TCP max buffer size settable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608

# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# Tcp Windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1


See also:

* Linux Tuning The VM (memory) Subsystem
* Linux Tune Network Stack (Buffers Size) To Increase Networking Performance
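An added audit helper, not part of the original page: it compares the values a sysctl.conf asks for with what the kernel actually reports, so a setting that never got applied, or a key this kernel does not have at all, shows up instead of being silently assumed. The desired and live inputs below are constructed excerpts; on a real host feed it the output of sysctl -a or the live_sysctl_from_proc() helper.

```python
def parse_sysctl(text):
    """Parse `key = value` lines as written in /etc/sysctl.conf or printed by `sysctl -a`.
    '#' and ';' start comments; multi-value settings are whitespace-normalised so the
    tab-separated '2000\t65000' that sysctl -a prints equals '2000 65000' in the file."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = " ".join(value.split())
    return settings


def audit_sysctl(desired_conf, live_output):
    """Return {key: (desired, live)} for each desired key whose live value differs;
    live is None when the kernel does not expose the key at all."""
    desired = parse_sysctl(desired_conf)
    live = parse_sysctl(live_output)
    return {k: (v, live.get(k)) for k, v in desired.items() if live.get(k) != v}


def live_sysctl_from_proc(keys):
    """Read current values straight from /proc/sys on a real host (key 'a.b.c' lives at
    /proc/sys/a/b/c), in the same `key = value` form; keys the kernel lacks are omitted."""
    lines = []
    for key in keys:
        try:
            with open("/proc/sys/" + key.replace(".", "/")) as f:
                lines.append(f"{key} = {f.read().strip()}")
        except OSError:
            pass
    return "\n".join(lines)


# Constructed excerpt of the hardening settings listed above
DESIRED_CONF = """\
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
# Don't act as a router
net.ipv4.ip_forward = 0
kernel.exec-shield = 1
kernel.randomize_va_space = 1
net.ipv4.ip_local_port_range = 2000 65000
"""

# Constructed `sysctl -a` output from a host where two settings drifted and one key
# (kernel.exec-shield, absent on kernels without Exec Shield) does not exist at all.
LIVE_SYSCTL = (
    "net.ipv4.tcp_syncookies = 0\n"
    "net.ipv4.conf.all.rp_filter = 1\n"
    "net.ipv4.ip_forward = 1\n"
    "kernel.randomize_va_space = 1\n"
    "net.ipv4.ip_local_port_range = 2000\t65000\n"
)


if __name__ == "__main__":
    for key, (want, have) in sorted(audit_sysctl(DESIRED_CONF, LIVE_SYSCTL).items()):
        print(f"{key}: wanted {want!r}, kernel has {have!r}")
```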

#4: Remove All Unwanted Nginx Modules

You need to minimize the number of modules that are compiled directly into the nginx binary. This reduces risk by limiting the capabilities of the web server. You can configure and install nginx with only the required modules. For example, to disable the SSI and autoindex modules, type:
# ./configure --without-http_autoindex_module --without-http_ssi_module
# make
# make install
Type the following command to see which modules can be turned on or off when compiling the nginx server:
# ./configure --help | less
Disable the nginx modules that you don't need.
(Optional) Change Nginx Version Header

Edit src/http/ngx_http_header_filter_module.c, enter:
# vi +48 src/http/ngx_http_header_filter_module.c
Find the lines:


static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;


Change them as follows:


static char ngx_http_server_string[] = "Server: Ninja Web Server" CRLF;
static char ngx_http_server_full_string[] = "Server: Ninja Web Server" CRLF;


Save and close the file. Now, you can compile the server. Add the following in nginx.conf to turn off nginx version number displayed on all auto generated error pages:

server_tokens off;

#5: Use mod_security (only for backend Apache servers)

mod_security provides an application level firewall for Apache. Install mod_security for all backend Apache web servers. This will stop many injection attacks.
#6: Install SELinux Policy To Harden The Nginx Webserver

By default SELinux will not protect the nginx web server. However, you can install and compile protection as follows. First, install required SELinux compile time support:
# yum -y install selinux-policy-targeted selinux-policy-devel
Download targeted SELinux policies to harden the nginx webserver on Linux servers from the project home page:
# cd /opt
# wget 'http://downloads.sourceforge.net/project/selinuxnginx/se-ngix_1_0_10.tar.gz?use_mirror=nchc'
Extract the archive:
# tar -zxvf se-ngix_1_0_10.tar.gz
Compile it:
# cd se-ngix_1_0_10/nginx
# make
Sample outputs:

Compiling targeted nginx module
/usr/bin/checkmodule: loading policy configuration from tmp/nginx.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/nginx.mod
Creating targeted nginx.pp policy package
rm tmp/nginx.mod.fc tmp/nginx.mod

Install the resulting nginx.pp SELinux module:
# /usr/sbin/semodule -i nginx.pp
#7: Restrictive Iptables Based Firewall

The following firewall script blocks everything and only allows:

* Incoming HTTP (TCP port 80) requests
* Incoming ICMP ping requests
* Incoming SSH (TCP port 22) from the addresses listed in PUB_SSH_ONLY
* Outgoing NTP (UDP port 123) requests
* Outgoing SMTP (TCP port 25) requests

#!/bin/bash
IPT="/sbin/iptables"

#### IPS ######
# Get server public ip
SERVER_IP=$(ifconfig eth0 | grep 'inet addr:' | awk -F'inet addr:' '{ print $2}' | awk '{ print $1}')
LB1_IP="204.54.1.1"
LB2_IP="204.54.1.2"

# Work out which load balancer we are on, so the same script can be used on LB2 too
# (SERVER_IP must keep the address detected above; the SSH rules below use it)
OTHER_LB=""
[[ "$SERVER_IP" == "$LB1_IP" ]] && OTHER_LB="$LB2_IP" || OTHER_LB="$LB1_IP"
[[ "$OTHER_LB" == "$LB2_IP" ]] && OPP_LB="$LB1_IP" || OPP_LB="$LB2_IP"

### IPs ###
PUB_SSH_ONLY="122.xx.yy.zz/29"

#### FILES #####
BLOCKED_IP_TDB=/root/.fw/blocked.ip.txt
SPOOFIP="127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32 168.254.0.0/16 224.0.0.0/4 240.0.0.0/5 248.0.0.0/5 192.0.2.0/24"
BADIPS=$( [[ -f ${BLOCKED_IP_TDB} ]] && egrep -v "^#|^$" ${BLOCKED_IP_TDB})

### Interfaces ###
PUB_IF="eth0" # public interface
LO_IF="lo" # loopback
VPN_IF="eth1" # vpn / private net

### start firewall ###
echo "Setting LB1 $(hostname) Firewall..."

# DROP and close everything
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Flush old rules and user chains, so re-running the script does not
# duplicate rules and "-N spooflist" below does not fail on the second run
$IPT -F
$IPT -X
$IPT -Z

# Unlimited lo access
$IPT -A INPUT -i ${LO_IF} -j ACCEPT
$IPT -A OUTPUT -o ${LO_IF} -j ACCEPT

# Unlimited vpn / pnet access
$IPT -A INPUT -i ${VPN_IF} -j ACCEPT
$IPT -A OUTPUT -o ${VPN_IF} -j ACCEPT

# Drop sync
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

# Drop Fragments
$IPT -A INPUT -i ${PUB_IF} -f -j DROP

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP

# Drop NULL packets
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " NULL Packets "
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Drop XMAS
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " XMAS Packets "
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Drop FIN packet scans
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " Fin Packets Scan "
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Log and get rid of broadcast / multicast and invalid
$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j LOG --log-prefix " Broadcast "
$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j DROP

$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j LOG --log-prefix " Multicast "
$IPT -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j DROP

$IPT -A INPUT -i ${PUB_IF} -m state --state INVALID -j LOG --log-prefix " Invalid "
$IPT -A INPUT -i ${PUB_IF} -m state --state INVALID -j DROP

# Log and block spoofed ips
$IPT -N spooflist
for ipblock in $SPOOFIP
do
$IPT -A spooflist -i ${PUB_IF} -s $ipblock -j LOG --log-prefix " SPOOF List Block "
$IPT -A spooflist -i ${PUB_IF} -s $ipblock -j DROP
done
$IPT -I INPUT -j spooflist
$IPT -I OUTPUT -j spooflist
$IPT -I FORWARD -j spooflist

# Allow ssh only from selected public ips
for ip in ${PUB_SSH_ONLY}
do
$IPT -A INPUT -i ${PUB_IF} -s ${ip} -p tcp -d ${SERVER_IP} --destination-port 22 -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -d ${ip} -p tcp -s ${SERVER_IP} --sport 22 -j ACCEPT
done

# allow incoming ICMP ping pong stuff
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 30/sec -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow incoming HTTP port 80
$IPT -A INPUT -i ${PUB_IF} -p tcp -s 0/0 --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# allow outgoing ntp
$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

# allow outgoing smtp
$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

### add your other rules here ####

#######################
# drop and log everything else
$IPT -A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " DEFAULT DROP "
$IPT -A INPUT -j DROP

exit 0

#8: Controlling Buffer Overflow Attacks

Edit nginx.conf:
# vi /usr/local/nginx/conf/nginx.conf
Set the buffer size limits for all clients as follows:


## Start: Size Limits & Buffer Overflows ##
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
## END: Size Limits & Buffer Overflows ##


Where,

1. client_body_buffer_size 1k - (default is 8k or 16k) Sets the buffer size for the client request body.
2. client_header_buffer_size 1k - Sets the buffer size for the client request header. For the overwhelming majority of requests a buffer of 1K is sufficient. Increase this if you have custom headers or large cookies sent from the client (e.g., a WAP client).
3. client_max_body_size 1k - Sets the maximum accepted body size of a client request, as indicated by the Content-Length header of the request. If the size is greater than the given one, the client gets the error "Request Entity Too Large" (413). Increase this when you accept file uploads via the POST method.
4. large_client_header_buffers 2 1k - Sets the maximum number and size of the buffers used to read large client request headers. By default the size of one buffer is equal to the page size, 4K or 8K depending on the platform; if the connection becomes keep-alive at the end of request processing, these buffers are freed. 2 x 1k will accept a 2 kB request URI. This also helps combat bad bots and DoS attacks.

You also need to control timeouts, to improve server performance and to drop slow or idle clients. Edit the configuration as follows:


## Start: Timeouts ##
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
## End: Timeouts ##


1. client_body_timeout 10; - Sets the read timeout for the client request body. The timeout applies only when the body is not received in one read step. If the client sends nothing within this time, nginx returns the error "Request time out" (408). The default is 60.
2. client_header_timeout 10; - Sets the timeout for reading the client request header. The timeout applies only when the header is not received in one read step. If the client sends nothing within this time, nginx returns the error "Request time out" (408).
3. keepalive_timeout 5 5; - The first parameter sets the timeout for keep-alive connections with the client; the server closes such connections after this time. The optional second parameter sets the time value in the Keep-Alive: timeout=time header of the response. This header can convince some browsers to close the connection, so that the server does not have to. Without this parameter, nginx does not send a Keep-Alive header (though this is not what makes a connection "keep-alive").
4. send_timeout 10; - Sets the response timeout to the client. The timeout applies not to the entire transfer of the response, but only between two consecutive write operations; if the client accepts nothing within this time, nginx closes the connection.

#9: Control Simultaneous Connections

You can use NginxHttpLimitZone module to limit the number of simultaneous connections for the assigned session or as a special case, from one IP address. Edit nginx.conf:


### Directive describes the zone in which the session states are stored, here named slimits. ###
### 1m holds about 32000 sessions at 32 bytes per session; 5m is allocated here ###
limit_zone slimits $binary_remote_addr 5m;

### Control maximum number of simultaneous connections for one session i.e. ###
### restricts the amount of connections from a single ip address ###
limit_conn slimits 5;


The above limits remote clients to no more than 5 concurrently "open" connections per remote IP address.
#10: Allow Access To Our Domain Only

If a bot is just scanning the server with random Host names, deny it. Only allow requests for your configured virtual domains or reverse proxy; you don't want to serve requests made to the bare IP address:

## Only requests to our Host are allowed i.e. nixcraft.in, images.nixcraft.in and www.nixcraft.in
if ($host !~ ^(nixcraft\.in|www\.nixcraft\.in|images\.nixcraft\.in)$ ) {
return 444;
}
##

#11: Limit Available Methods

GET and POST are the most common methods on the Internet. Web server methods are defined in RFC 2616. If a web server does not require the implementation of all available methods, they should be disabled. The following will filter and only allow GET, HEAD and POST methods:

## Only allow these request methods ##
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}
## Do not accept DELETE, SEARCH and other methods ##

More About HTTP Methods

* The GET method is used to request document such as http://www.cyberciti.biz/index.php.
* The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response.
* The POST method may involve anything, like storing or updating data, or ordering a product, or sending E-mail by submitting the form. This is usually processed using the server side scripting such as PHP, PERL, Python and so on. You must use this if you want to upload files and process forms on server.

#12: How Do I Deny Certain User-Agents?

You can easily block user-agents i.e. scanners, bots, and spammers who may be abusing your server.

## Block download agents ##
if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
return 403;
}
##

Block robots called msnbot and scrapbot:

## Block some robots ##
if ($http_user_agent ~* msnbot|scrapbot) {
return 403;
}

#13: How Do I Block Referral Spam?

Referer spam is dangerous. It can harm your SEO ranking via your web logs (if published), as the referer field points to the spammer's site. You can block access from referer spammers with these lines:

## Deny certain Referers ###
if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) )
{
# return 404;
return 403;
}
##

#13: How Do I Stop Image Hotlinking?

Image or HTML hotlinking means someone links from their own site directly to one of your images, so that it is displayed on their page but served from your server. The end result is that you pay the bandwidth bill and your content looks like part of the hijacker's site. This is usually done on forums and blogs. I strongly suggest you block image hotlinking at the server level:

# Stop deep linking or hot linking
location /images/ {
    valid_referers none blocked www.example.com example.com;
    if ($invalid_referer) {
        return 403;
    }
}

Here "none" accepts requests without a Referer header (direct visits, many privacy tools) and "blocked" accepts referrers that a proxy or firewall has stripped or masked; leave "none" out only if you are prepared to break those visitors.

Example: Rewrite And Display Image

Another example that sends hotlinked requests to a "banned" image instead. The replacement image must live outside the matched path, or the redirect will loop:

valid_referers blocked www.example.com example.com;
if ($invalid_referer) {
    rewrite ^/images/uploads.*\.(gif|jpg|jpeg|png)$ http://www.example.com/banned.jpg last;
}

See also:

* HowTo: Use nginx map to block image hotlinking. This is useful if you want to block tons of domains.

#14: Directory Restrictions

You can set access control for a specified directory. All web directories should be configured on a case-by-case basis, allowing access only where needed.
Limiting Access By IP Address

You can limit access to the /docs/ directory by IP address (allow and deny rules are evaluated in order, so the more specific rule goes first):

location /docs/ {
## block one workstation
deny 192.168.1.1;

## allow anyone in 192.168.1.0/24
allow 192.168.1.0/24;

## drop rest of the world
deny all;
}

Password Protect The Directory

First create the password file and add a user called vivek. The htpasswd tool comes with the Apache utilities package (httpd-tools or apache2-utils); -c creates the file and is used only for the first user. Keep the file outside the document root, as here:
# mkdir /usr/local/nginx/conf/.htpasswd/
# htpasswd -c /usr/local/nginx/conf/.htpasswd/passwd vivek
Edit nginx.conf and protect the required directories as follows:

### Password Protect /personal-images/ and /delta/ directories ###
location ~ /(personal-images/.*|delta/.*) {
auth_basic "Restricted";
auth_basic_user_file /usr/local/nginx/conf/.htpasswd/passwd;
}

Once the password file exists, add further users without -c (which would overwrite the file). The -s option stores an unsalted SHA-1 hash; of the formats nginx accepts, the salted apr1 MD5 hash produced by -m is the better choice:
# htpasswd -m /usr/local/nginx/conf/.htpasswd/passwd userName
#15: Nginx SSL Configuration

HTTP is a plain-text protocol and is open to passive monitoring. Use SSL to encrypt the traffic between your users and the server.
Create an SSL Certificate

Type the following commands. This produces a 2048-bit key (1024-bit RSA keys are too short to rely on) and a self-signed certificate valid for one year. Browsers will warn about a self-signed certificate, so for a public site have one issued by a CA instead; the CSR from the second command is what you send them:
# cd /usr/local/nginx/conf
# openssl genrsa -des3 -out server.key 2048
# openssl req -new -key server.key -out server.csr
# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
The third and fourth commands strip the passphrase from the key so that nginx can start without prompting; that is why server.key (and the server.key.org copy) must be readable by root only (mode 0600).
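Added here as an example that is not part of the original article: the same result as the openssl sequence above, done in one non-interactive step with a 2048-bit key and SHA-256, the private key created unreadable to other users, followed by checks on what was produced. The directory, the common name www.example.com and the lifetime are assumptions passed as arguments.

```shell
# Added example, not from the original article: generate a 2048-bit RSA key and
# a self-signed certificate for nginx non-interactively, then verify the result.
# Directory, CN and lifetime are assumptions supplied on the command line.

# gen_selfsigned_cert DIR CN [DAYS]: writes DIR/server.key (mode 0600, no
# passphrase, so nginx starts unattended) and DIR/server.crt, and prints the
# certificate's SHA-256 fingerprint for comparison in the browser warning.
gen_selfsigned_cert() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir"
    old_umask=$(umask)
    umask 077                      # key file is created 0600
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
        -subj "/CN=$cn" -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null \
        || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    chmod 644 "$dir/server.crt"    # the certificate itself is public
    openssl x509 -in "$dir/server.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# key_bits KEYFILE: modulus size of an RSA private key (e.g. 2048)
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# cert_cn CERTFILE: subject common name of a certificate
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# key_mode KEYFILE: permission bits, to confirm the key is not world-readable
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# usage: sh make_cert.sh /usr/local/nginx/conf www.example.com 365
if [ $# -ge 2 ]; then
    gen_selfsigned_cert "$1" "$2" "${3:-365}"
fi
```

The fingerprint it prints is what you compare against in the browser's certificate dialog when accepting a self-signed certificate; without that comparison a self-signed certificate protects against passive sniffing only, not against an active man in the middle.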
Edit nginx.conf and update it as follows:

server {
    server_name example.com;
    listen 443 ssl;
    ssl_certificate /usr/local/nginx/conf/server.crt;
    ssl_certificate_key /usr/local/nginx/conf/server.key;
    access_log /usr/local/nginx/logs/ssl.access.log;
    error_log /usr/local/nginx/logs/ssl.error.log;
}

The ssl parameter on listen replaces the older "ssl on;" directive, which is deprecated in current nginx releases. Also pin ssl_protocols and ssl_ciphers to current values; the defaults of older builds still include SSLv3 and weak ciphers.

Restart the nginx:
# /usr/local/nginx/sbin/nginx -s reload
See also:

* For more information, read the Nginx SSL documentation.

#16: Nginx And PHP Security Tips

PHP is one of the most popular server-side scripting languages. Edit /etc/php.ini as follows (each setting is listed once; the original list repeated post_max_size and file_uploads with conflicting values):


# Disallow dangerous functions (the linked article below has a longer list;
# at minimum include the ones that spawn processes)
disable_functions = phpinfo, system, mail, exec, shell_exec, passthru, popen, proc_open

## Try to limit resources ##

# Maximum execution time of each script, in seconds
max_execution_time = 30

# Maximum amount of time each script may spend parsing request data
max_input_time = 60

# Maximum amount of memory a script may consume (8MB)
memory_limit = 8M

# Maximum size of POST data that PHP will accept; must be at least
# upload_max_filesize if uploads are enabled
post_max_size = 8M

# Whether to allow HTTP file uploads. Leave Off unless the site needs them.
file_uploads = Off

# Maximum allowed size for uploaded files.
upload_max_filesize = 2M

# Do not expose PHP error messages to external users
display_errors = Off

# Log all errors instead
log_errors = On

# Restrict PHP information leakage (removes the X-Powered-By header)
expose_php = Off

# Do not register globals for input data (the option was removed in PHP 5.4)
register_globals = Off

# When PHP runs as a CGI binary, refuse requests that did not come through the
# web server's redirect. The default is 1; setting it to 0, as some older
# checklists do, lets anyone call the CGI binary directly with arbitrary
# arguments. Not used with FastCGI/php-fpm.
cgi.force_redirect = 1

# Avoid opening remote files (include/require of URLs)
allow_url_fopen = Off

# Safe mode is deprecated as of PHP 5.3 and removed in 5.4, and was never a
# real security boundary. On older PHP you can still set these, but do not
# rely on them; sql.safe_mode only affects the legacy mysql extension.
safe_mode = On
safe_mode_exec_dir = php-required-executables-path
safe_mode_allowed_env_vars = PHP_
sql.safe_mode = On
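An added example, not part of the original article: a small audit that reads a php.ini and reports which of the settings listed above are missing or still at their weak value, so the check can run from a deploy script instead of by eye. The wanted values come from the list above; the file name and the sample ini embedded in the script are constructed for the example.

```shell
# Added example, not part of the original article: audit a php.ini against the
# hardening values listed above. Keys and wanted values come from that list; the
# file name and the sample ini below are constructed for the example.

# expected_php_settings: "key wanted" pairs, one per line
expected_php_settings() {
    printf '%s %s\n' \
        display_errors Off \
        expose_php Off \
        log_errors On \
        register_globals Off \
        allow_url_fopen Off \
        file_uploads Off \
        cgi.force_redirect 1
}

# php_ini_get FILE KEY: last uncommented value assigned to KEY (quotes stripped),
# or the empty string when the key is not set at all
php_ini_get() {
    awk -v key="$2" '
        { sub(/[;#].*/, "") }                       # strip comments
        /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                gsub(/^"|"$/, "", v); val = v
            }
        }
        END { print val }' "$1"
}

# php_norm VALUE: fold the spellings PHP accepts for booleans to on/off
php_norm() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|on|true|yes) echo on ;;
        0|off|false|no|none) echo off ;;
        *) printf '%s\n' "$1" | tr 'A-Z' 'a-z' ;;
    esac
}

# audit_php_ini FILE: one line per setting that is unset or differs from the
# hardened value. Unset means the compiled-in default applies, which for
# display_errors, expose_php and allow_url_fopen is the insecure one.
audit_php_ini() {
    expected_php_settings | while read -r key want; do
        have=$(php_ini_get "$1" "$key")
        if [ -z "$have" ]; then
            printf '%s: not set (want %s)\n' "$key" "$want"
        elif [ "$(php_norm "$have")" != "$(php_norm "$want")" ]; then
            printf '%s: %s (want %s)\n' "$key" "$have" "$want"
        fi
    done
}

# php_ini_is_hardened FILE: true when the audit reports nothing
php_ini_is_hardened() {
    [ -z "$(audit_php_ini "$1")" ]
}

# sample_php_ini: a constructed php.ini with weak values next to a few good ones
sample_php_ini() {
    cat <<'EOF'
; constructed sample for the audit above, not a real php.ini
[PHP]
display_errors = On        ; leaks file paths and SQL fragments to clients
expose_php = On            ; adds "X-Powered-By: PHP/x.y.z" to every response
log_errors = Off
register_globals = Off
allow_url_fopen = On       ; include($_GET['p']) becomes remote file inclusion
cgi.force_redirect = 0     ; the value some old checklists recommend; 1 is safe
file_uploads = Off
EOF
}

# usage: sh php_ini_audit.sh /etc/php.ini   (exit status 1 if anything is weak)
if [ $# -gt 0 ]; then
    audit_php_ini "$1"
    php_ini_is_hardened "$1"
fi
```

Run it against the php.ini that the running PHP actually loads (the path shown by php --ini), since a distribution may ship several; the sample ini in the script produces five findings.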


See also:

* PHP Security: Limit Resources Used By Script
* PHP.INI settings: Disable exec, shell_exec, system, popen and Other Functions To Improve Security

#17: Run Nginx In A Chroot Jail (Containers) If Possible

Putting nginx in a chroot jail minimizes the damage done by a potential break-in by isolating the web server to a small section of the filesystem. You can use a traditional chroot setup with nginx. If possible use FreeBSD jails, Xen, or OpenVZ virtualization, which uses the concept of containers.
#18: Limit Connections Per IP At The Firewall Level

A web server must keep an eye on connections and limit connections per second. This is serving 101. Both pf and iptables can throttle end users before they reach your nginx server.
Linux Iptables: Throttle Nginx Connections Per Second

The following example drops new connections from an IP address that has made more than 15 connection attempts to port 80 within 60 seconds. The first rule only records the source address in the "recent" list; the second rule checks the count and drops. Adjust the interface name and the numbers to your traffic, remembering that a browser opens several connections per page and that many users can sit behind one NAT address. The last command persists the rules on RHEL/CentOS:


/sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 15 -j DROP
service iptables save


BSD PF: Throttle Nginx Connections Per Second

Edit your /etc/pf.conf and update it as follows. The rule limits the maximum number of connections per source to 100. "15/5" is the connection rate: at most 15 new connections from one source in a 5-second span. Anyone who breaks these rules is added to the abusive_ips table and blocked from making any further connections. Finally, the flush keyword kills all states created by the matching rule that originate from the host that exceeded the limits.

webserver_ip="202.54.1.1"
table <abusive_ips> persist
block in quick from <abusive_ips>
pass in on $ext_if proto tcp to $webserver_ip port www flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_ips> flush)

Please adjust all values as per your requirements and traffic (browsers may open multiple connections to your site). See also:

1. Sample PF firewall script.
2. Sample Iptables firewall script.

#19: Configure Operating System to Protect Web Server

Turn on SELinux as described above. Set correct permissions on the nginx document root. The nginx worker processes run as a user named nginx. However, the files in the document root (/nginx or /usr/local/nginx/html) should not be owned or writable by that user: if a flaw in the server or a web application is exploited, the attacker gets that user's privileges, and content the user cannot write cannot be defaced or seeded with a web shell. To find files with wrong ownership, use:
# find /nginx -user nginx
# find /usr/local/nginx/html -user nginx
Make sure you change file ownership to root or another user. A typical set of permissions for /usr/local/nginx/html/:
# ls -l /usr/local/nginx/html/
Sample outputs:

-rw-r--r-- 1 root root 925 Jan 3 00:50 error4xx.html
-rw-r--r-- 1 root root 52 Jan 3 10:00 error5xx.html
-rw-r--r-- 1 root root 134 Jan 3 00:52 index.html

You must delete unwanted backup files left behind by vi or other text editors, since a file such as config.php~ or config.php.bak is served as plain text and leaks source code and credentials:
# find /nginx -name '.?*' -not -name '.ht*' -or -name '*~' -or -name '*.bak*' -or -name '*.old*'
# find /usr/local/nginx/html/ -name '.?*' -not -name '.ht*' -or -name '*~' -or -name '*.bak*' -or -name '*.old*'

To remove them, pass the -delete option to find, but group the whole expression in \( ... \) first: -delete binds tighter than -or, so appended to the command as written it would remove only the '*.old*' files. Review the listing before deleting.
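The find commands above as a pair of functions, added here as an example and not taken from the original article: the expression is grouped so that -delete applies to every pattern, and -type f keeps directories such as .svn or .git out of the match (those need a separate decision, not a blind delete). The document root is an argument; the sample tree the script builds for a dry run is constructed.

```shell
# Added example, not from the original article: list and delete editor leftovers
# in a document root with a correctly grouped find(1) expression. The sample
# tree below is constructed; the real document root is given as an argument.

# list_stale_files DIR: hidden files except .htaccess/.htpasswd, editor backups
# (name~), and .bak/.old copies; regular files only
list_stale_files() {
    find "$1" -type f \( \
        \( -name '.?*' -not -name '.ht*' \) \
        -o -name '*~' -o -name '*.bak*' -o -name '*.old*' \
    \) -print
}

# delete_stale_files DIR: the same selection, deleted. Without the \( \) around
# the -o chain, -delete would apply to the '*.old*' test alone.
delete_stale_files() {
    find "$1" -type f \( \
        \( -name '.?*' -not -name '.ht*' \) \
        -o -name '*~' -o -name '*.bak*' -o -name '*.old*' \
    \) -delete
}

# count_stale_files DIR: number of files the selection matches
count_stale_files() {
    list_stale_files "$1" | wc -l | tr -d ' '
}

# make_sample_docroot: constructed tree mixing live files with leftovers; prints its path
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/css"
    for f in index.html index.html~ index.html.bak config.php.old \
             .index.html.swp .htaccess css/site.css css/site.css~; do
        : > "$d/$f"
    done
    printf '%s\n' "$d"
}

# usage: sh stale_files.sh /usr/local/nginx/html          (list only)
#        sh stale_files.sh /usr/local/nginx/html delete   (remove them)
if [ $# -gt 0 ]; then
    if [ "${2:-}" = delete ]; then delete_stale_files "$1"; else list_stale_files "$1"; fi
fi
```

Run the list form first and read it; a pattern like '*.old*' also matches legitimate names such as gold.png, so the selection is a starting point to tune for the site, not a rule to trust unseen.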
#20: Restrict Outgoing Nginx Connections

Attackers who get code execution on the server will typically fetch their toolkit onto it with wget or a similar tool. Use iptables to block outgoing connections from the nginx user. The ipt_owner module matches various characteristics of the packet creator for locally generated packets; it is only valid in the OUTPUT chain. In this example, the user vivek is allowed to connect out on port 80 (useful for RHN access or to grab CentOS updates via repos):

/sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

Add the above rule to your iptables-based shell script, together with a rule that drops or rejects OUTPUT traffic owned by the nginx user (--uid-owner nginx). Do not allow the web server user to connect outside; if nginx proxies to backends on other hosts, allow only those destinations.
Bonus Tip: Watching Your Logs & Auditing

Check the log files. They will give you some understanding of what attacks are thrown against the server and let you check whether the necessary level of security is present or not.
# grep "/login.php??" /usr/local/nginx/logs/access_log
# grep "...etc/passwd" /usr/local/nginx/logs/access_log
# egrep -i "denied|error|warn" /usr/local/nginx/logs/error_log
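The greps above turned into a small triage script, as an added example that is not part of the original article. It runs over an nginx combined-format access log, pulls out request lines carrying directory traversal, /etc/passwd, a null byte, a UNION SELECT or a script tag, and shows which addresses sent them. The log lines embedded in it are constructed for the example, and the pattern list is a first filter for reading logs by hand, not a substitute for a WAF or an IDS.

```shell
# Added example (not from the original article): triage an nginx access log for
# the request patterns the greps above look for, plus a few more, and report
# the offending source addresses. Log lines are constructed for the example.

# sample_access_log: five constructed combined-format lines, three of them hostile
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [10/Sep/2010:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2010:10:01:05 +0000] "GET /login.php?file=../../../../etc/passwd HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2010:10:01:06 +0000] "GET /images/../../etc/passwd%00.jpg HTTP/1.1" 400 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2010:10:02:11 +0000] "GET /news.php?id=1%20union%20select%201,2,3 HTTP/1.1" 200 2048 "-" "sqlmap/1.0"
203.0.113.5 - - [10/Sep/2010:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 3120 "http://www.example.com/" "Mozilla/5.0"
EOF
}

# suspicious_requests FILE: lines whose request line (the first quoted field)
# contains traversal, /etc/passwd, a null byte, a UNION SELECT or a script tag.
# Anchoring on the request line keeps a hostile-looking Referer from matching.
suspicious_requests() {
    grep -Ei '"[A-Z]+ [^"]*(\.\./|/etc/passwd|%00|union(%20| |\+)+select|<script)' "$1"
}

# suspicious_sources FILE: "hits ip" per offending address, busiest first
suspicious_sources() {
    suspicious_requests "$1" | awk '{print $1}' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# count_suspicious FILE: number of offending lines
count_suspicious() {
    suspicious_requests "$1" | wc -l | tr -d ' '
}

# usage: sh triage.sh /usr/local/nginx/logs/access_log
if [ $# -gt 0 ]; then
    suspicious_sources "$1"
fi
```

Each hit still needs a human look: a legitimate URL can contain "select", and a scanner can encode its payload in ways this regex does not catch (double encoding, UTF-8 overlong sequences), so treat a quiet result as absence of the obvious, not of attacks.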
The auditd service is provided for system auditing. Turn it on to audit SELinux events, authentication events, file modifications, account modifications and so on. As usual, disable all unneeded services and follow our "Linux Server Hardening" security tips.
Conclusion

Your nginx server is now properly hardened and ready to serve web pages. However, you should consult further resources for your web applications' own security needs. For example, WordPress or any other third-party application has its own security requirements.
References:

* HowTo: Setup nginx reverse proxy and HA cluster with the help of keepalived.
* nginx wiki - The official nginx wiki.
* OpenBSD specific Nginx installation and security how to.

Monday, 20 September 2010

How do I repair/rebuild all mail configuration files and restore settings for all mailboxes?

Resolution

This can be done with Plesk mchk utility:

# /usr/local/psa/admin/sbin/mchk --help
Synopsis:
mchk [OPTION]
--without-spam - restore all settings except for SpamAssassin configuration
--with-spam - restore all settings
--spam-only - restore only SpamAssassin settings


This utility rebuilds the Qmail control files in the /var/qmail/control and /var/qmail/users directories and the mail users' settings from the Plesk database. It also sets proper ownership and permissions for all mailboxes (/var/qmail/mailnames/*).

Example:
# /usr/local/psa/admin/sbin/mchk --with-spam

Virtuozzo : How do I get amount of network traffic consumed by a Container?

If you have a Service Container running on a hardware node, you can use the utility 'vza_ve_stat' to obtain the amount of network traffic consumed by any container on the node.

Usage:
vza_ve_stat user@host ctid start_time [end_time]

where:
user – vzagent0
host – IP address of Service Container on a hardware node
ctid – ID of container in question
start_time and end_time define period you want to get traffic for.

Please note that start_time and end_time should be entered in the following format: 2000-01-01T12:00:00+0400

You may need to install the package ‘perl-XML-Parser’ (e.g. using ‘yum install perl-XML-Parser’ command on a server) if you get the error “Can’t locate XML/Parser.pm in @INC”.

For example, to obtain traffic of the container #101 for the period from 01 Jan 2010 up to the current moment the command would be:
# vza_ve_stat vzagent0@10.55.40.1 101 2010-01-01T00:00:00+0000
vzagent0@10.55.40.1's password:
bytes in = 69447065 packets in = 385929 bytes out = 755800760 packets out = 649168

You may also get information about network traffic using PMC (Parallels Management Console):
1. double click on the needed container
2. in the opened window go to Monitor > Traffic Summary
3. Choose needed period of time and click ‘Download’

The same can be done in PIM (Parallels Infrastructure Manager):
1. Open PIM
2. Go to Infrastructure manager > Virtual Private Servers > choose needed container > Network > Traffic Usage

How to place /vz partition to external storage (NAS, NFS)

Sometimes you need to place the /vz partition on external storage.

How do you perform this procedure on a Parallels Virtuozzo Containers system?

Here are exact steps:

1. Make sure the external storage is reachable: an iSCSI (or SAN) LUN appears as a block device under /dev/, while an NFS export is mounted by host:path with the nfs filesystem type.

2. Mount this storage under e.g. the mount point /vzs using the required options and filesystem type:
# mount /dev/ext_storage_dev_name /vzs

3. Stop Virtuozzo:
# service vz stop

4. Copy all content from /vz to /vzs (the trailing /. makes cp include hidden files, which /vz/* would skip):
# cp -a /vz/. /vzs/

5. Unmount old /vz directory and /vzs directory:
# umount /vz
# umount /vzs


6. Edit in the file /etc/fstab line for /vz entry to mount external storage under /vz mount point.

7. mount /vz again:
# mount /vz

8. Start Virtuozzo:
# service vz start

fatal error: call to undefined function wp()

Fatal error: Call to undefined function wp() in /home/web82/public_html/blog/wp-blog-header.php on line 14

you need to be sure you have a file called:

wp-config.php

if you already have it, make sure the web server can read it: owner read plus group or world read (0640 or 0644) is enough. Do not use 777; the file holds the database password, and 777 lets any other account on the host read and rewrite it.

or if you don't have one, there is an example:
wp-config-sample.php

rename that file to wp-config.php and change the database connection settings

ok, as a last resort, if you don't have one, you can copy and paste this code and create the file with your settings

How to connect to the MySQL server remotely

Note: If connecting from your home computer, you need a MySQL client like Navicat, phpMyAdmin, or Dreamweaver.

Configuration Settings:


Host = (use the server IP address)
Database name = (cpanelusername_databasename)
Database username = (cpanelusername_databaseuser)
Database password = (******)
MySQL Connection Port = 3306
Protocol = TCP (MySQL does not use UDP)

Before you can connect:


Our firewall blocks port 3306, so please submit an email to support@hostgator.com requesting that we open port 3306 for

-or-
  • When using X, login to cPanel and click the MySQL Databases icon, under Databases.

  • Scroll all the way to the bottom and type in the connecting IP address where it says "Host (% wildcard is allowed):", and click the Add Host button. Enter the exact address you will connect from; a bare % would let any host on the Internet that can reach port 3306 try your database password.

  • All done, try connecting remotely.
    How to connect to the MySQL database

    Configuration Settings:


    Host = localhost (really, put localhost)
    Database name = (cpanelusername_databasename)
    Database username = (cpanelusername_databaseusername)
    Database password = (******)

    Note: When you move databases to our servers, the database name and username may change. This change must be updated in your script code. (The database name and username is clearly displayed in cPanel, in the MySQL area.)

    On shared servers, the database user name cannot be changed to something without the cPanel user name in it.

    It is possible for someone to use their cPanel username and password to connect to the database. However, we NEVER recommend doing this because the first time you change or reset your cPanel password, then your databases will stop working.

    Dreamweaver settings

    How to publish with Dreamweaver:



    1. Open your Dreamweaver and look in the top menus. Click "Sites" and choose "New Site".

    2. In the pop-up window, choose the "Advanced" tab.

    3. Select "Remote Info" and then enter the FTP settings on the right hand side.


    (For FTP settings, please refer to the Related Article.)

    More tips:
    Try passive mode with both on and off.
    Try with Use Firewall on.
    Try with path/directory: /public_html/



    Connecting to root:


    If you want to connect to your home directory on a shared server, or your root directory on a VPS or dedicated server, then you can use these tips.

    Try with path/directory: /
    Try connecting with Secure FTP

    Sunday, 19 September 2010

    Installing Joomla

    What is Joomla?

    Joomla! is a free open source content management system for publishing content on the World Wide Web and intranets. Many aspects, including its ease-of-use and extensibility, have made Joomla the most popular Web site software available. Best of all, Joomla is an open source solution that is freely available to everyone.

    Wednesday, 15 September 2010

    Fatal error - [Plugin Akismet] Error when activating plugin Akismet on WP 3.0

    When activated, the page plugin gives error:
    Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 7680 bytes) in /home/improv/public_html/wp-includes/kses.php(550) : runtime-created function on line 1

    Solution:-

    First, try installing the Memory Bump plugin.

    If that doesn't work, here are four more ways to increase PHP's memory allocation:
    1. If you have access to your PHP.ini file, change the line in PHP.ini
    If your line shows 32M try 64M:
    memory_limit = 64M ; Maximum amount of memory a script may consume (64MB)

    2. If you don't have access to PHP.ini try adding this to an .htaccess file:
    php_value memory_limit 64M

    3. Try adding this line to your wp-config.php file:
    Increasing memory allocated to PHP
    define('WP_MEMORY_LIMIT', '64M');

    4. Talk to your host.


    Tuesday, 14 September 2010

    Publishing Problems - RVSiteBuilder

    Error:-

    ----------------------------------------------------------------------------------------------

    Warning: require_once(/home/mkrailus/public_html/testsite2/../seagull/lib/SGL/FrontController.php) [function.require-once]: failed to open stream: No such file or directory in /home/mkrailus/public_html/testsite2/setup.php on line 98

    Fatal error: require_once() [function.require]: Failed opening required '/home/mkrailus/public_html/testsite2/../seagull/lib/SGL/FrontController.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/mkrailus/public_html/testsite2/setup.php on line 98

    ----------------------------------------------------------------------------------------------

    Solution:-

    Please contact your server provider to force update RVSiteBuilder. Mostly the issue occurs because it cannot install Pear library.

    Please force update using the following instruction.
    1. SSH to the server as root and run this command.

    rm -f /var/cpanel/rvglobalsoft/rvsitebuilder/var/INSTALL_COMPLETE.php
    rm -f /var/cpanel/rvglobalsoft/rvsitebuilder/rvsitebuilderversion.txt
    perl /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/autoinstaller.cgi

    2. Go to root WHM/RVSiteBuilder, it will automatically rebuild the database for you.

    To force update, both steps need to be done. It still keeps your previous data, configuration and translations (given that you did not edit files directly but from the RVSiteBuilder Manager). If this doesn't work, please submit me the login information to the account in question or attach me a snapshot of what you did and its result.

    Monday, 13 September 2010

    Configuring DNS for Internet access in Windows Server 2003

    The stand-alone server running Windows Server 2003 becomes a DNS server for your network. In the first step, you assign this server a static Internet Protocol (IP) address. DNS servers must not use dynamically assigned IP addresses because a dynamic change of address could cause clients to lose contact with the DNS server.

    Step 1: Configure TCP/IP



    1. Click Start, point to Control Panel, point to Network Connections, and then click Local Area Connection.

    2. Click Properties.

    3. Click Internet Protocol (TCP/IP), and then click Properties.

    4. Click the General tab.

    5. Click Use the following IP address, and then type the IP address, subnet mask, and default gateway address in the appropriate boxes.

    6. Click Advanced, and then click the DNS tab.

    7. Click Append primary and connection specific DNS suffixes.

    8. Click to select the Append parent suffixes of the primary DNS suffix check box.

    9. Click to select the Register this connection's addresses in DNS check box. Note that DNS servers running Windows Server 2003 must point to themselves for DNS. If this server needs to resolve names from its Internet service provider (ISP), you must configure a forwarder. Forwarders are discussed in the How to Configure Forwarders section later in this article.

    10. Click OK three times.


    NOTE: If you receive a warning from the DNS Caching Resolver service, click OK to dismiss the warning. The caching resolver is trying to contact the DNS server, but you have not finished configuring the server.

    Step 2: Install Microsoft DNS Server



    1. Click Start, point to Control Panel, and then click Add or Remove Programs.

    2. Click Add or Remove Windows Components.

    3. In the Components list, click Networking Services (but do not select or clear the check box), and then click Details.

    4. Click to select the Domain Name System (DNS) check box, and then click OK.

    5. Click Next.

    6. When you are prompted, insert the Windows Server 2003 CD-ROM into the computer's CD-ROM or DVD-ROM drive.

    7. On the Completing the Windows Components Wizard page, click Finish when Setup is complete.

    8. Click Close to close the Add or Remove Programs window.


    Step 3: Configure the DNS Server


    To configure DNS by using the DNS snap-in in Microsoft Management Console (MMC), follow these steps:

    1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.

    2. Right-click Forward lookup zones, and then click New Zone

    3. When the New Zone Wizard starts, click Next. You are prompted for a zone type. The zone types include:

      • Primary zone: Creates a copy of a zone that can be updated directly on this server. This zone information is stored in a .dns text file.

      • Secondary zone: A standard secondary zone copies all of the information from its master DNS server. A master DNS server can be an Active Directory, primary, or secondary zone that is configured for zone transfers. Note that you cannot modify the zone data on a secondary DNS server. All of its data is copied from its master DNS server.

      • Stub zone: A Stub zone contains only those resource records that are necessary to identify the authoritative DNS servers for that zone. Those resource records include Name Server (NS), Start of Authority (SOA), and possibly glue Host (A) records.


      There is also an option to store the zone in Active Directory. This option is only available if the DNS server is a domain controller.

    4. The new forward lookup zone must be a primary or an Active Directory-integrated zone so that it can accept dynamic updates. Click Primary, and then click Next.

    5. The new zone contains the locator records for this Active Directory-based domain. The name of the zone must be the same as the name of the Active Directory-based domain, or be a logical DNS container for that name. For example, if the Active Directory-based domain is named "support.microsoft.com", valid zone names are "support.microsoft.com" only. Accept the default name for the new zone file. Click Next. NOTE: Experienced DNS administrators may want to create a reverse lookup zone, and are encouraged to explore this branch of the wizard. A DNS server can resolve two basic requests: a forward lookup and a reverse lookup. A forward lookup is more common. A forward lookup resolves a host name to an IP address with an "A" or Host Resource record. A reverse lookup resolves an IP address to a host name with a PTR or Pointer Resource record. If you have your reverse DNS zones configured, you can automatically create associated reverse records when you create your original forward record.

    Sunday, 12 September 2010

    How to Change Time Zones on Servers

    Linux Server:

    1. Login as a Root.

    2. The time zones are located on server in the directory /usr/share/zoneinfo, so change the directory to that one.

    #  cd /usr/share/zoneinfo



    3. Copy or move the current local time zone so that you will be able to set the time zone as per requirement.

    #  cp -p /etc/localtime  /etc/localtime-back

    #  mv /etc/localtime  /etc/localtime-back

    4. Now, for example, if you want British time for your server, create a symbolic link to the matching zone file. Note that there is no file called BST in /usr/share/zoneinfo; the zone is Europe/London, which switches between GMT and BST automatically:

    #  ln -s /usr/share/zoneinfo/Europe/London  /etc/localtime

    Verify the changes done by "date" command.

    #  date

    Sun Sep 12 23:16:53  BST 2010




    Friday, 10 September 2010

    /var partition full: how to change the MySQL database directory to another partition in cPanel

    Switch off the database server while we are moving the databases.

    /etc/rc.d/init.d/mysql stop

    I am considering that I have enough space in /home partition. Here goes my new database data directory as /home/mysql

    Now it is better to copy the database first, rather than move.

    cp -pr /var/lib/mysql /home
    mv /var/lib/mysql /var/lib/mysql-bk

    We are copying the database to the new location since it is better to revert back the settings with minimum downtime, if anything goes wrong.

    move to /tmp

    cd /tmp
    unlink mysql.sock
    ln -s /home/mysql/mysql.sock /tmp/mysql.sock

    Take a backup of /etc/my.cnf

    Now edit /etc/my.cnf

    vi /etc/my.cnf

    add the line
    datadir=/home/mysql

    If the socket file is specified, comment it out.

    Now move to /var/lib/mysql and create a symblink

    ln -s /home/mysql /var/lib/mysql

    (Please note that you don’t specify the socket file location in my.cnf since it causes issues with phpMyadmin)

    For, cPanel server, edit the phpMyadmin configuration
    take a backup of “/usr/local/cpanel/base/3rdparty/phpMyAdmin/config.inc.php”

    edit this file /usr/local/cpanel/base/3rdparty/phpMyAdmin/config.inc.php
    vi /usr/local/cpanel/base/3rdparty/phpMyAdmin/config.inc.php

    add the following lines. If they already exist, edit as below.
    (the connect_type usually exist at “tcp” change it to “socket”)

    $cfg['Servers'][$i]['socket'] = '/home/mysql/mysql.sock';
    $cfg['Servers'][$i]['connect_type'] = 'socket';

    Now start the database server.

    /etc/rc.d/init.d/mysql start

    If it starts fine, you are done. Check the database connections of your site.
    You can now remove the directory /var/lib/mysql-bk

    Taking long time to connect to MySql server remotely.

    When trying to connect from remote host to mysql server with command like this

    mysql -h MySqlServerIP -u mysqlusername -p[password]

    if it is taking a long time, add the following entry in /etc/my.cnf on the server

    skip-name-resolve

    in the [mysqld] section.

    This will fix the issue. It disables the reverse DNS lookup of each connecting client, which is what the server was waiting for. With this option, host names in GRANT statements and in the mysql.user table are no longer matched (apart from localhost), so grants must use IP addresses.

    Perl upgradation in cPanel servers




    Perl can be upgraded in cPanel severs using the following steps.

    perl -MCPAN -e 'autobundle'

    cd /root

    wget http://layer1.cpanel.net/perl588installer.tar.gz



    tar -zxf perl588installer.tar.gz

    cd perl588installer

    ./install

    /usr/local/cpanel/bin/checkperlmodules

    /usr/local/cpanel/startup



    phpMyAdmin, ‘Error #2002 - The server is not responding’, and OS X 10.4.4

    Trying to install phpMyAdmin on a fresh OS X 10.4.4 install this afternoon was an incredible exercise in frustration. No matter what I did I kept getting the dreaded ‘Error 2002 - The server is not responding‘ error. Turns out the the location of mysql.sock has changed in this version of OS X; if you had all this working before upgrading then the OS was smart enough to detect it and create a sym link to the new location. However new installs, not so much.

    Worked for me:

    Open a terminal, type in

    # ls -al /etc/php.ini*


    If a php.ini does not exist copy over the default php.ini,

    # cp /etc/php.ini.default /etc/php.ini


    Now edit the php.ini

    # nano /etc/php.ini (or use your prefered editor)

    Find “mysql.default_socket” (you can search using [Ctrl]+[w] in nano)

    Enter “/tmp/mysql.sock” after the equals sign.


    Don’t forget to save the file ([Ctrl]+[o] [Enter] in nano)

    Now restart Apache

    # apachectl graceful

    Saturday, 4 September 2010

    Horde Error…….Could not connect to database for SQL SessionHandler.

    cd /usr/local/cpanel/base/horde/config

    vi conf.php

    Change the following two lines from:
    $conf['sql']['hostspec'] = 'localhost';
    $conf['sessionhandler']['params']['hostspec'] = 'localhost';

    to:
    $conf['sql']['hostspec'] = 'localhost:/var/lib/mysql/mysql.sock';
    $conf['sessionhandler']['params']['hostspec'] = 'localhost:/var/lib/mysql/mysql.sock';