Wednesday, 27 October 2010

Introduction to cPHulk, mod_userdir, open_basedir


cPHulk


cPHulk is a brute force protection system developed by the cPanel team and is exclusive to cPanel / WHM control panels. It has been integrated with cPanel version 11. With cPHulk, you can set a threshold for authentication attempts on services like POP3, cPanel, WHM, FTP, etc. After a certain number of attempts, the attacker will no longer be able to authenticate.


Enabling cPHulk is pretty easy. Simply log into your WHM control panel as root. From the main menu on the left, click on Security Center from the Security section. When you’re done, simply click on the Enable button at the top.


Click on the cPHulk Brute Force Detection link at the top of the page. Now you may want to configure cPHulk before you enable it. The configuration parameters are pretty much self-explanatory. Basically you set the number of failed attempts before an IP or an account is blocked and you set how long you want it to be blocked.


cPanel 11 marks the debut for the much anticipated cPHulk Protection system. cPHulk protects your vital services by disabling authentication to those services after a brute force attack is detected.



It protects cPanel, WHM, SSH, FTP, IMAP, and POP3 from brute force authentication attacks. cPHulk will remain transparent to the attacker whose authentication attempts will feel normal, even while authentication is disabled. Thus, you can get substantial information about the attack.


You can even customize authentication thresholds and lock out times!


mod_userdir


It is an Apache module that allows you to create a separate website for each user on a server. These sites can all be accessed by going to,


http://servername.com/~username


Eg:- http://example.com/~user/


The module is installed on most Apache setups by default, but isn’t necessarily always enabled. Most mass-hosted cPanel servers make extensive use of it for a variety of reasons.


Apache’s mod_userdir allows users to view their sites by entering a tilde (~) and their username as the URL on a specific host. For example, http://test.cpanel.net/~test will bring up the user Test’s domain.


How To Enable


1. To access the Server Setup Menu, click on Server Setup, on the main screen of your WebHost Manager interface. Then, click on Tweak Security.


2. Click on Configure in the mod_userdir Tweak section.


3. Click on the Checkbox next to Enable mod_userdir Protection to enable mod_userdir Protection.


4. Click on a checkbox next to a domain’s name to allow them to access their domain using ~username, if necessary.


5. Enter the name of any user you wish to be able access the domain using ~username, other than the domain’s owner, in the blank field next to the domain’s name, if necessary.


6. Click on Save.


Disadvantage


The disadvantage of this feature is that any bandwidth used by the site will be counted against the domain it is accessed under.


Mod_userdir protection prevents access to a domain through domain.com/~user. You may however want to disable it on specific virtual hosts (generally shared SSL hosts).


open_basedir


Enable open_basedir


Set open_basedir to only allow access to required portions of the filesystem, like your web site’s documents and any shared libraries.


You can set open_basedir in the php.ini file:


; Set open_basedir to the
open_basedir = "/var/www/foo.bar/:/usr/local/php/"


The setting can also be applied in apache’s httpd.conf file, or an .htaccess file:


# Set open_basedir to a safe location


php_value open_basedir /var/www/foo.bar/:/usr/local/php


WHM


Steps


1. To access the PHP open_basedir Tweak feature, click on Security, on the main screen of your WebHost Manager interface.


2. Then click on Security Center.


3. Then click on PHP open_basedir Tweak.


4. Click on Configure in the PHP’s open_basedir section.


5. Click on the check box next to Enable PHP open_basedir Protection to enable it.


6. Click on a check box next to a domain name to allow them to open files outside of their home directory with PHP, if necessary.


7. Click on Save.


Plesk: If you’re using the Plesk hosting control panel, you may need to manually edit the Apache configuration files vhost.conf and vhost_ssl.conf, and add or edit the php_admin_value open_basedir lines as follows:



php_admin_value open_basedir none




php_admin_value open_basedir /full/path/to/dir:/full/path/to/directory/httpdocs:/tmp



Note: For SSL hosts in the vhost_ssl.conf file, the Directory path will end with “httpsdocs” instead of “httpdocs”


Disable Manually


Open up the httpd.conf file, and search for the line that starts with the following characters:


php_admin_value open_basedir …..


Replace the whole line under the virtual host for the domain user account with:


php_admin_value open_basedir none


Add Additional Directories


You can also allow your PHP scripts to access an additional directory without disabling the protection. For example, to add /new_directory to the allow list, change


php_admin_value open_basedir "/home/user_account/:/usr/lib/php:/usr/local/lib/php:/tmp"


to


php_admin_value open_basedir "/home/user_account/:/usr/lib/php:/usr/local/lib/php:/tmp:/new_directory"


Restart Apache after you finish editing.
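
A way to review the outcome of these edits across a server, as an added example that is not part of the original post: the script reads an Apache configuration on stdin and reports, per virtual host, whether open_basedir is restricted, set to none, missing, includes "/" itself, or is set with php_value (which a later php_value in .htaccess can replace, unlike php_admin_value). The host names, addresses and paths in the sample are constructed.

```sh
#!/bin/sh
# Added example: report the open_basedir state of every <VirtualHost> in an
# Apache configuration read from stdin. Not part of the original post.

# Constructed sample configuration (host names, paths and addresses are made up).
sample_vhosts() {
cat <<'EOF'
<VirtualHost 192.0.2.10:80>
    ServerName alpha.example
    php_admin_value open_basedir "/home/alpha/:/usr/lib/php:/usr/local/lib/php:/tmp"
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName beta.example
    # protection switched off by hand, as in "Disable Manually"
    php_admin_value open_basedir none
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName gamma.example
    DocumentRoot /home/gamma/public_html
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName delta.example
    php_value open_basedir /home/delta/:/tmp
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName epsilon.example
    php_admin_value open_basedir "/home/epsilon/:/"
</VirtualHost>
EOF
}

# Prints "<ServerName> <STATE>" for each virtual host, where STATE is
#   OK                set with php_admin_value to specific directories
#   DISABLED          set to "none"
#   UNSET             no open_basedir line inside the virtual host
#   WHOLE_FILESYSTEM  the list contains "/" itself
#   OVERRIDABLE       set with php_value, which a later php_value can replace
# Limitation: a quoted value that contains spaces is not handled.
audit_open_basedir() {
    awk '
        { directive = tolower($1) }
        directive ~ /^<virtualhost/ { inside = 1; name = "(unnamed)"; state = "UNSET"; next }
        !inside { next }
        directive == "servername" { name = $2; next }
        (directive == "php_admin_value" || directive == "php_value") && tolower($2) == "open_basedir" {
            value = $3
            gsub(/"/, "", value)
            # Look for a bare "/" among the colon-separated directories
            whole = 0
            n = split(value, dirs, ":")
            for (i = 1; i <= n; i++) if (dirs[i] == "/") whole = 1
            if (tolower(value) == "none")     state = "DISABLED"
            else if (whole)                   state = "WHOLE_FILESYSTEM"
            else if (directive == "php_value") state = "OVERRIDABLE"
            else                              state = "OK"
            next
        }
        directive ~ /^<\/virtualhost/ { print name, state; inside = 0 }
    '
}

# Only the virtual hosts that need a second look.
open_basedir_findings() {
    audit_open_basedir | awk '$2 != "OK"'
}

# Demonstration on the constructed sample
sample_vhosts | open_basedir_findings
```

On a real server, feed it the live file instead of the sample, for example `open_basedir_findings < httpd.conf`.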



How to add SPF record from WHM on a Linux Cpanel Server

Sunday, 24 October 2010

Identifying Open Ports/Services on Linux


Many tools are available to map open network ports to actual processes and files in Linux. We will take a look at just one example.

First, we need to look at our listening network ports. We will pass the ‘-anp --tcp’ flags to the netstat command to list all processes (-a), not map port numbers to friendly names (-n), list the process ID associated with the network port (-p) and, for this example, limit the output to only TCP listeners (--tcp):


[jklemenc]# netstat -anp --tcp
Active Internet connections (servers and established)
Proto  Recv-Q  Send-Q  Local Address    Foreign Address  State   PID/Program name
tcp    0       0       0.0.0.0:544      0.0.0.0:*        LISTEN  1826/xinetd
tcp    0       0       0.0.0.0:3306     0.0.0.0:*        LISTEN  4677/mysqld
tcp    0       0       0.0.0.0:22       0.0.0.0:*        LISTEN  16446/sshd
tcp    0       0       0.0.0.0:2105     0.0.0.0:*        LISTEN  1826/xinetd
tcp    0       0       127.0.0.1:6010   0.0.0.0:*        LISTEN  841/sshd
tcp    0       0       0.0.0.0:443      0.0.0.0:*        LISTEN  1925/httpd


In this example, we are interested in the TCP/443 network listener. The output indicates that httpd is running as process ID 1925 and has TCP/443 open. A quick check using the ‘ps’ command with the PID (-p) parameter to display only the PID returned above along with a parameter to display the full path of the file (-f):


[jklemenc]# ps -p 1925 -f
UID   PID   PPID  C  STIME  TTY  TIME      CMD
root  1925  1     0  2004   ?    00:03:36  /usr/sbin/httpd


We see from above that /usr/sbin/httpd is running as PID 1925 as user root.
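
The same walkthrough as a repeatable check (an added example, not from the original post): the script takes `netstat -anp --tcp` output on stdin, keeps the listeners bound to every interface, and reports the ones whose port is not on an expected list. The sample output is constructed from the listing above, and the expected ports 22 and 443 are an assumption.

```sh
#!/bin/sh
# Added example: find TCP listeners that are reachable on every interface
# and are not on an expected-ports list. Not part of the original post.

# Constructed sample, modelled on the netstat listing shown above, with one
# established connection added so the filter has something to skip.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address  State       PID/Program name
tcp        0      0 0.0.0.0:544      0.0.0.0:*        LISTEN      1826/xinetd
tcp        0      0 0.0.0.0:3306     0.0.0.0:*        LISTEN      4677/mysqld
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN      16446/sshd
tcp        0      0 0.0.0.0:2105     0.0.0.0:*        LISTEN      1826/xinetd
tcp        0      0 127.0.0.1:6010   0.0.0.0:*        LISTEN      841/sshd
tcp        0      0 0.0.0.0:443      0.0.0.0:*        LISTEN      1925/httpd
tcp        0      0 10.0.0.5:22      10.0.0.9:51514   ESTABLISHED 17002/sshd
EOF
}

# Prints "port pid program" for each LISTEN socket bound to a wildcard
# address (0.0.0.0 or ::). Loopback-only listeners are left out because they
# are not reachable from other hosts.
exposed_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # The port is whatever follows the last colon (works for IPv6 too)
            n = split($4, parts, ":")
            port = parts[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host != "0.0.0.0" && host != "::") next
            # netstat prints "-" in the last column when not run as root
            pid = "-"; prog = "unknown"
            if (split($7, owner, "/") == 2) { pid = owner[1]; prog = owner[2] }
            print port, pid, prog
        }'
}

# $1 is a space-separated list of ports that are expected to be open.
# Prints the exposed listeners whose port is not in that list.
unexpected_listeners() {
    allowed=" $1 "
    exposed_listeners | while read -r port pid prog; do
        case "$allowed" in
            *" $port "*) ;;                      # expected, stay quiet
            *) echo "$port $pid $prog" ;;
        esac
    done
}

# Demonstration: treat only SSH and HTTPS as expected (assumed baseline)
sample_netstat | unexpected_listeners "22 443"
```

Each reported PID can then be inspected with `ps -p PID -f` as shown above.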

How to check whether FTP port 21 is blocked?

The default TCP port for FTP connection is port 21. Sometimes the local Internet Service Provider blocks this port and this will result in FTP connection issues.

Here's how to, depending on your OS, check whether your ISP blocks port 21:

  • Check port 21 with a Windows OS


Click on the Start menu button, usually located in the lower left corner of the screen. There is an item called "Run". Click on it to proceed. A new small window will appear on the screen. In the text field of this window, type "cmd" and then press the "Enter" key. Another window will open. It is the so-called "MS-DOS prompt" or "command prompt". Just type the following command in the command prompt window and press "Enter":

telnet my-domain-name.com 21

  • Check port 21 with Apple/Mac


Each Mac OS is delivered with a preinstalled terminal emulator. The terminal is a tool which allows you to execute commands from the command line. Usually, the terminal is located under your Mac HD -> "Applications" directory -> Utilities sub-directory. When the window opens, you will see a command line with a flashing cursor on it so you can start typing right away. Just type the following command and press "Enter":

telnet my-domain-name.com 21

  • Check port 21 with Linux


Open your favorite terminal emulator and execute the following command in order to telnet your website:

telnet my-domain-name.com 21

Results from the 21 port check


If the test is successful, you should receive a message like this:
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 2 of 50 allowed.
220-<<
220-#########################################################
220-Please upload your web files to the public_html directory.
220-Note that letters are case sensitive.
220-#########################################################
220->>
220-Local time is now 03:35. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.

If the welcome message above does not appear, you should contact your local ISP and ask them to unblock this port for you.

Get the list of open ports using command prompt

Step 1

1. Start->Run->cmd (go to the command prompt).

2. Use the following command to get a list of listening ports on your system:
C:\>netstat -an | find /i "listening"

Step 2

So you have the list of listening ports. Now you may wish to keep a hard copy of the list or store it as a file. Of course you can copy it from the window displayed, but that doesn’t seem neat. There is a small command which can help you store this list as a .txt file:
C:\>netstat -an | find /i "listening" > c:\openports.txt

Step 3

You can also get a list of established connections by replacing ‘listening’ with ‘established’ in the earlier command:
C:\>netstat -an | find /i "established"

Wednesday, 13 October 2010

Enable FastCGI Support in IIS 7

Windows Server 2008 - Ruslan Yakushev


Go to Server Manager -> Roles -> Add Role Services. On the Select Role Services page, select the CGI check box. This enables both the CGI and FastCGI services.


Windows Vista SP1


Go to Control Panel -> Programs and Features -> Turn Windows features on or off. In the Windows Features dialog box, select the CGI check box. This enables both the CGI and FastCGI services.


IMPORTANT: Install the Update for the FastCGI Module


The update for the IIS 7 FastCGI module fixes several known compatibility issues with popular PHP applications. Install the update from one of the following locations:

Install the Administration Pack for IIS 7


NOTE: This step is optional.

Among other useful features, the Administration Pack for IIS 7 has a convenient user interface for configuring FastCGI settings. The Administration Pack can be installed from the following locations:

Install and Configure PHP


It is recommended that you use a non-thread safe build of PHP with IIS 7 FastCGI. A non-thread safe build of PHP provides significant performance gains over the standard build by not doing any thread-safety checks, which are not necessary, since FastCGI ensures a single threaded execution environment.

To install PHP:

  1. Download the latest non-thread safe zip package with binaries of PHP: http://www.php.net/downloads.php.

  2. Unpack the files to the directory of your choice (e.g. C:\PHP). Rename the php.ini-recommended file to php.ini.

  3. Open the php.ini file. Uncomment and modify the settings as follows:

    • Set fastcgi.impersonate = 1. FastCGI under IIS supports the ability to impersonate security tokens of the calling client. This allows IIS to define the security context that the request runs under.

    • Set cgi.fix_pathinfo=1. cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. Previously, PHP behavior was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not define PATH_INFO. For more information about PATH_INFO, see the cgi specifications. Setting this value to 1 will cause PHP CGI to fix its paths to conform to the specifications.

    • Set cgi.force_redirect = 0.

    • Set open_basedir to point to the folder or network path where the content of the Web site(s) is located.

    • Set extension_dir to point to the location where the PHP extensions are located. Typically, for PHP 5.2.X the value would be set as extension_dir = "./ext"

    • Enable the required PHP extension by un-commenting the corresponding lines, for example:

      extension=php_mssql.dll
      extension=php_mysql.dll

  4. Open a command prompt, and run the following command to verify that PHP installed successfully:

C:\PHP>php --info

If PHP installed correctly and all its dependencies are available on the machine, this command will output the current PHP configuration information.

Configure IIS 7 to Handle PHP Requests


For IIS 7 to host PHP applications, you must add a handler mapping that tells IIS to pass all PHP-specific requests to the PHP application framework by using the FastCGI protocol.

Configure IIS 7 to handle PHP requests by using IIS Manager


1. Open IIS Manager. At the server level, double-click Handler Mappings.


2. In the Actions pane, click Add Module Mapping.... In the Add Module Mapping dialog box, specify the configuration settings as follows:

  • Request path: *.php

  • Module: FastCgiModule

  • Executable: "C:\[Path to your PHP installation]\php-cgi.exe"

  • Name: PHP via FastCGI


3. Click OK.


4. In the Add Module Mapping confirmation dialog box that asks if you want to create a FastCGI application for this executable, click Yes.


5. Test that the handler mapping works correctly by creating a phpinfo.php file in the C:\inetpub\wwwroot folder that contains the following code:

6. Open a browser and navigate to http://localhost/phpinfo.php. If everything was set up correctly, you will see the standard PHP information page.


NOTE: If you do not see FastCgiModule in the Modules: list, the module is either not registered or not enabled. To check if the FastCGI module is registered, open the IIS configuration file that is located at %windir%\windows\system32\config\applicationHost.config and check that the following line is present in the  section:

In the same file, also check that the FastCGI module is added to the section:


    Configure IIS 7 to handle PHP requests by using the command line


    Alternatively, you can complete the steps above by using the command line tool AppCmd.

    1. Create the FastCGI application process pool by running the following command:

    C:\>%windir%\system32\inetsrv\appcmd set config /section:system.webServer/fastCGI /+[fullPath='c:\{php_folder}\php-cgi.exe']

    2. Create the handler mapping by running the following command:

    C:\>%windir%\system32\inetsrv\appcmd set config /section:system.webServer/handlers /+[name='PHP_via_FastCGI',path='*.php',verb='*',modules='FastCgiModule',scriptProcessor='c:\{php_folder}\php-cgi.exe',resourceType='Unspecified']

    Note: If you are using PHP version 4.X, you can use php.exe instead of php-cgi.exe.

    Best Practices for Configuring FastCGI and PHP


    This download contains a summary presentation on Best Practices for hosting PHP in a shared hosting environment.

    Security Isolation for PHP Web Sites


    The recommendation for isolating PHP Web sites in a shared hosting environment is consistent with all general security isolation recommendations for IIS 7. In particular, it is recommended to:

    • Use one application pool per Web site

    • Use a dedicated user account as an identity for the application pool

    • Configure an anonymous user identity to use the application pool identity

    • Ensure that FastCGI impersonation is enabled in the php.ini file (fastcgi.impersonate=1)


    For more details about security isolation in a shared hosting environment, see Ensure Security Isolation for Web Sites.

    PHP Process Recycling Behavior


    Ensure that FastCGI always recycles the php-cgi.exe processes before the native PHP recycling kicks in. The FastCGI process recycling behavior is controlled by the configuration property instanceMaxRequests. This property specifies how many requests the FastCGI process will process before recycling. PHP also has a similar process recycling functionality that is controlled by the environment variable PHP_FCGI_MAX_REQUESTS. By setting instanceMaxRequests to be less than or equal to PHP_FCGI_MAX_REQUESTS, you can ensure that the native PHP process recycling logic will never kick in.

    The FastCGI settings can be configured either by using IIS Manager or by using the command line tool AppCmd.

    Configure FastCGI recycling settings by using IIS Manager


    1. Ensure that the Administration Pack for IIS 7 is installed on your server. Open IIS Manager. On the server level, double-click FastCGI Settings.





    2. Select the FastCGI application that you want to configure. In the Actions pane, click Edit....





    3. In the Edit FastCGI Application dialog box, set the InstanceMaxRequests to 10000. Next to the EnvironmentVariables setting, click the Browse (...) button.



    4. In the EnvironmentVariables Collection Editor dialog box, add the PHP_FCGI_MAX_REQUESTS environment variable and set its value to 10000.



    Note: If you do not configure these settings, the following default settings will be used: instanceMaxRequests = 200, PHP_FCGI_MAX_REQUESTS = 500 (on most PHP builds).

    Configure FastCGI recycling settings by using the command line


    Configure the recycling behavior of FastCGI and PHP by using AppCmd by running the following commands:

    C:\>%windir%\system32\inetsrv\appcmd set config -section:system.webServer/fastCgi /[fullPath='c:\{php_folder}\php-cgi.exe'].instanceMaxRequests:10000

    C:\>%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/fastCgi /+"[fullPath='C:\{php_folder}\php-cgi.exe'].environmentVariables.[name='PHP_FCGI_MAX_REQUESTS',value='10000']"

    PHP Versioning


    Many PHP applications rely on functions or features that are available only in certain versions of PHP. If these types of applications are to be hosted on the same server, different PHP versions must be enabled and running side-by-side. The IIS 7 FastCGI handler fully supports running multiple versions of PHP on the same Web server.

    For example, assume that on your Web server you plan to support PHP 4.4.8, PHP 5.2.1, and PHP 5.2.5 non-thread safe. To enable that configuration, you must place corresponding PHP binaries in separate folders on the file system (e.g. C:\php448, C:\php521 and C:\php525nts) and then create FastCGI application process pools for each version:

    C:\>%windir%\system32\inetsrv\appcmd set config /section:system.webServer/fastCGI /+[fullPath='c:\php448\php.exe']

    C:\>%windir%\system32\inetsrv\appcmd set config /section:system.webServer/fastCGI /+[fullPath='c:\php521\php-cgi.exe']

    C:\>%windir%\system32\inetsrv\appcmd set config /section:system.webServer/fastCGI /+[fullPath='c:\php525nts\php-cgi.exe']

    If you have three Web sites (site1, site2, site3) and each site must use a different PHP version, you can now define handler mappings on each of those sites to reference a corresponding FastCGI application process pool.

    Note: Each FastCGI process pool is uniquely identified by a combination of fullPath and arguments properties.

    C:\>%windir%\system32\inetsrv\appcmd set config site1 -section:system.webServer/handlers /+"..[name='PHP448_via_FastCGI',path='*.php',verb='*',modules='FastCgiModule',scriptProcessor='c:\php448\php.exe',resourceType='Either']"

    C:\>%windir%\system32\inetsrv\appcmd set config site2 -section:system.webServer/handlers /+"..[name='PHP521_via_FastCGI',path='*.php',verb='*',modules='FastCgiModule',scriptProcessor='c:\php521\php-cgi.exe',resourceType='Either']"

    C:\>%windir%\system32\inetsrv\appcmd set config site3 -section:system.webServer/handlers /+"..[name='PHP525nts_via_FastCGI',path='*.php',verb='*',modules='FastCgiModule',scriptProcessor='c:\php525nts\php-cgi.exe',resourceType='Either']"

    PHP Security Recommendations


    The following settings can be used to tighten the security of a PHP installation. To make the recommended changes, locate and open the php.ini file and edit the configuration settings as described below:

    Setting: Description

    • allow_url_fopen=Off, allow_url_include=Off: Disable remote URLs for file handling functions, which may cause code injection vulnerabilities.

    • register_globals=Off: Disable register_globals.

    • open_basedir="c:\inetpub": Restrict where PHP processes can read and write on a file system.

    • safe_mode=Off, safe_mode_gid=Off: Disable safe mode.

    • max_execution_time=30, max_input_time=60: Limit script execution time.

    • memory_limit=16M, upload_max_filesize=2M, post_max_size=8M, max_input_nesting_level=64: Limit memory usage and file sizes.

    • display_errors=Off, log_errors=On, error_log="C:\path\of\your\choice": Configure error messages and logging.

    • fastcgi.logging=0: The IIS FastCGI module will fail the request when PHP sends any data on stderr by using the FastCGI protocol. Disable FastCGI logging to prevent PHP from sending error information over stderr and generating 500 response codes for the client.

    • expose_php=Off: Hide the presence of PHP.
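
A check of a php.ini against the on/off recommendations in this table, as an added example that is not part of the original article: the script reads a php.ini on stdin, treats On/1/True/Yes and Off/0/False/No as equal spellings, keeps the last assignment of each setting, and lists every setting that is missing or differs. The sample php.ini is constructed; the size and time limits are left out because a different number there is not automatically a finding.

```sh
#!/bin/sh
# Added example: compare the on/off settings recommended on this page with a
# php.ini read from stdin. Not part of the original article.

# The boolean recommendations from the table, as name=value pairs.
PAGE_BASELINE="allow_url_fopen=Off allow_url_include=Off register_globals=Off"
PAGE_BASELINE="$PAGE_BASELINE safe_mode=Off safe_mode_gid=Off display_errors=Off"
PAGE_BASELINE="$PAGE_BASELINE log_errors=On fastcgi.logging=0 expose_php=Off"

# Constructed php.ini fragment used for the demonstration.
sample_php_ini() {
cat <<'EOF'
[PHP]
; constructed sample, not taken from a real server
allow_url_fopen = On
allow_url_include = Off
register_globals = Off
safe_mode = Off
safe_mode_gid = Off
display_errors = 1      ; left on after debugging
log_errors = On
expose_php = On
;expose_php = Off
memory_limit = 128M
EOF
}

# $1 is the list of name=value pairs to enforce; php.ini arrives on stdin.
# Prints one line per deviation:
#   <name> MISMATCH have=<value> want=<value>
#   <name> MISSING want=<value>      (the build default applies)
# Limitation: a quoted value that contains ";" is cut at the semicolon.
audit_php_ini() {
    awk -v want="$1" '
        # Trim blanks and quotes, then fold the boolean spellings together
        function norm(v) {
            sub(/^[ \t"]+/, "", v); sub(/[ \t"]+$/, "", v)
            v = tolower(v)
            if (v == "1" || v == "on" || v == "true" || v == "yes") return "on"
            if (v == "0" || v == "off" || v == "false" || v == "no" || v == "none" || v == "") return "off"
            return v
        }
        BEGIN {
            n = split(want, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                order[i] = kv[1]; expect[kv[1]] = norm(kv[2])
            }
        }
        /^[ \t]*(;|#|\[)/ { next }            # comments and section headers
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1);    sub(/;.*$/, "", val)   # drop trailing comment
            seen[key] = norm(val)             # a later assignment replaces an earlier one
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in seen))              print k, "MISSING", "want=" expect[k]
                else if (seen[k] != expect[k]) print k, "MISMATCH", "have=" seen[k], "want=" expect[k]
            }
        }'
}

# Demonstration on the constructed sample
sample_php_ini | audit_php_ini "$PAGE_BASELINE"
```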

    Enabling per-site PHP configuration


    This section describes the recommended way of enabling per-site PHP configuration. This recommendation was discovered and validated by Radney Jasmin with hosting provider GoDaddy.com who now offers PHP hosting on Windows Server 2008 by using FastCGI.

    Per-site PHP Process Pools


    When each Web site has its own application pool, which is a recommended practice on IIS 7, it is possible to associate a dedicated FastCGI process pool with each Web site. A FastCGI process pool is uniquely identified by the combination of fullPath and arguments attributes. If you need to create several FastCGI process pools for the same process executable, such as php-cgi.exe, you can use the arguments attribute to distinguish the process pool definitions. With php-cgi.exe processes, you can also use the command line switch "-d" to define an INI entry for a PHP process. You can use this switch to set a PHP setting that makes the arguments string unique.

    For example, if there are two Web sites "website1" and "website2" that must have their own set of PHP settings, the FastCGI process pools can be defined as follows:


    <application fullPath="C:\PHP\php-cgi.exe" arguments="-d open_basedir=C:\Websites\Website1" />
    <application fullPath="C:\PHP\php-cgi.exe" arguments="-d open_basedir=C:\Websites\Website2" />

    In this example the PHP setting open_basedir is used to distinguish between the process pool definitions. The setting also enforces that the PHP executable for each process pool can perform file operations only within the root folder of the corresponding Web site.

    Then website1 can have the PHP handler mapping as follows:

    <add name="PHP via FastCGI" path="*.php" verb="*" modules="FastCgiModule" scriptProcessor="C:\PHP\php-cgi.exe|-d open_basedir=C:\Websites\Website1" resourceType="Unspecified" requireAccess="Script" />

    and website2 can have the PHP handler mapping as follows:

    <add name="PHP via FastCGI" path="*.php" verb="*" modules="FastCgiModule" scriptProcessor="C:\PHP\php-cgi.exe|-d open_basedir=C:\Websites\Website2" resourceType="Unspecified" requireAccess="Script" />


    Specifying php.ini location


    When the PHP process starts, it determines the location of the configuration php.ini file by using various settings. The PHP documentation provides a detailed description of the PHP startup process. One of the places where the PHP process searches for the php.ini location is the PHPRC environment variable. If the PHP process finds a php.ini file in the path that is specified in this environment variable, it will use it; otherwise, the PHP process will revert to using the default location of the php.ini file. This environment variable can be used to allow hosting customers to use their own versions of php.ini files.

    For example, if there are two Web sites "website1" and "website2" that are located at the following file paths: C:\WebSites\website1 and C:\WebSites\website2, you can configure the php-cgi.exe process pools in the section of the applicationHost.config file as follows:












    This way website1 can have its own version of the php.ini file that is located in C:\WebSites\website1, while website2 can have its own version of the php.ini file that is located in C:\WebSites\website2. This configuration also ensures that if a php.ini file cannot be found in the location that is specified by the PHPRC environment variable, then PHP will use the default php.ini file that is located in the same folder where the php-cgi.exe is located.

    Provide URL Rewriting Functionality for PHP Applications


    The majority of popular PHP applications rely on the URL rewriting functionality in Web servers to enable user-friendly and search engine-friendly URLs. IIS 7 provides URL rewriting capabilities by using the URL rewrite module.

    For more information about how to use the URL Rewrite module, see the following articles:

    Sunday, 10 October 2010

    Simple Bash Script to Fix Account Permissions

    This is a simple bash script I wrote to fix the permissions and ownership of files within a cPanel account. To use, simply copy the script to your server, chmod 755, and pass the usernames as arguments:
    ./fixperms user1 user2 user3

    You can also run a server-wide loop like this:
    for i in `ls -A /var/cpanel/users` ; do ./fixperms $i ; done

    Below is the script, but I recommend downloading it from here to ensure that the formatting is correct.

    #!/bin/bash
    # Script to fix permissions of accounts
    # Written by: Vanessa Vasile 5/13/10
    # http://thecpaneladmin.com

    if [ "$#" -lt 1 ]; then
        echo "Must specify user"
        exit 1
    fi

    # Quote "$@" so each username is handled as one argument
    for user in "$@"
    do
        # Match the login field exactly so "bob" does not also match "bobby"
        HOMEDIR=$(grep "^${user}:" /etc/passwd | cut -d: -f6)

        if [ ! -f "/var/cpanel/users/$user" ]; then
            echo "$user user file missing, likely an invalid user"
        elif [ -z "$HOMEDIR" ]; then
            echo "Couldn't determine home directory for $user"
        else
            echo "Setting ownership for user $user"

            chown -R "$user:$user" "$HOMEDIR"
            chmod 711 "$HOMEDIR"
            chown "$user:nobody" "$HOMEDIR/public_html" "$HOMEDIR/.htpasswds"
            chown "$user:mail" "$HOMEDIR/etc" "$HOMEDIR"/etc/*/shadow "$HOMEDIR"/etc/*/passwd

            echo "Setting permissions for user $user"

            # The escaped \; and \( \) are required by find
            find "$HOMEDIR" -type f -exec chmod 644 {} \; -print
            find "$HOMEDIR" -type d -exec chmod 755 {} \; -print
            find "$HOMEDIR" -type d -name cgi-bin -exec chmod 755 {} \; -print
            find "$HOMEDIR" -type f \( -name "*.pl" -o -name "*.perl" \) -exec chmod 755 {} \; -print
        fi
    done

    Localdomains vs. Remotedomains

    Have you ever dealt with a user that pointed their MX records to another server but email from their website or other users on the same server isn’t going there? This is because Exim is configured to use files called localdomains and remotedomains, which tell Exim whether a domain’s email is hosted locally or remotely.

    The most common symptoms of a mis-configured local/remote domain setup are:-

    • Errors such as “lowest numbers MX record points to localhost” – you need to add the domain to localdomains

    • Email bouncing stating the user does not exist (this may also mean that the user really does not exist!) – you need to add the domain to remotedomains

    • Email from the user’s site (such as a contact form) is not being delivered to their outside mail server, but external email is – you need to add the domain to remotedomains


    The files controlling these actions are:

    /etc/localdomains: Contains a list of domains that have email hosted locally

    /etc/remotedomains: Contains a list of domains that have email hosted remotely

    The remotedomains file takes precedence, so if a domain is located in both files, the mail server should use remotedomains. However, I’ve heard that on some servers, Exim will do a DNS lookup anyway and make the decision based on where the domain is actually pointed. I haven’t personally reproduced that situation, so assume the former – remotedomains takes preference over localdomains if a domain is listed in both files.

    When editing zones in cPanel or WHM, there is an option to select local/remote mail delivery or to have cPanel choose for you. Checking the corresponding boxes will update the local and remote domain files.

    Never users error list for email

    When having trouble with email I got the following error in the exim_paniclog on a cpanel server:

    User 0 set for local_delivery transport is on the never_users list

    The issue appears to be with some of the libraries; the following commands should fix it:

    ln -s libdb2.so.3 libdb.so.3
    /scripts/eximup --force
    /etc/rc.d/init.d/exim restart

    Friday, 8 October 2010

    How to set email attachment max size



    I think there are many ways to achieve that setting, two of those methods which I am aware of at this moment are:

    1. Add this in the first part of your exim.conf file

    message_size_limit = 10M

    AFAIK this setting would restrict incoming as well as outgoing at 10MB.

    2. If you want to restrict size of message per domain basis, you could follow the given steps as below:

    :CAUTION: The following solution has NOT BEEN TESTED in a real environment

    a. Create a file to store the size limits for each domain that you wish to limit the message size. Use wildcard (*) for limiting the message size for all the domains not contained in the file.

    Code:

    root@srv [~]# cat > /etc/mail/msg-size-limits
    domain1.tld: 10M
    domain2.tld: 20M
    *: 5M


    As per the above, we are restricting domain1 at 10MB, domain2 at 20MB and all other domains at 5MB

    b. Create another file and store the messages which should return to the sender of the large message.

    Code:

    root@srv [~]# cat > /etc/mail/msg-size-limit-messages
    domain2.tld: You are trying to send a message which is $message_size
    in size. This is larger than your maximum message size limit
    of ${expand:${lookup{$domain}lsearch*@{/etc/mail/msg-size-limits}}}.
    *: The largest acceptable message size for $domain is
    ${expand:${lookup{$domain}lsearch*@{/etc/mail/msg-size-limits}}}.
    Your message size was $message_size. Please revise your message so it
    does not exceed this maximum file size and resend. If this is not
    possible, contact the recipient in another way.


    Note that domain names contained in the first file may be omitted in the second file and vice versa. The omitted domains will be taken care of by the wildcard (*) entry.

    c. Add the following code in the Routers section of your Exim configuration file.
    (Please note that ORDER in which you place your routers in this section DOES matter and that is exactly what needs to be tested practically and thoroughly even). I think it will go in the 7th box in the WHM editor of Exim config file.

    Code:

    large_messages:
      driver = redirect
      domains = +local_domains : \
                +relay_domains
      condition = ${if >{$message_size}{${expand:${lookup{$domain}lsearch*@{/etc/mail/msg-size-limits}}}} {yes}{no}}
      data = :fail: \
             ${expand:${lookup{$domain}lsearch*@{/etc/mail/msg-size-limit-messages}}}


    Hope that works 



    Wednesday, 6 October 2010

    How to Restart a Mac in Target Disk Mode

    In target disk mode, your Mac computer can serve as an external hard drive that can be viewed and modified from another system. When you restart your computer in target disk mode and connect it to another computer with a Firewire cable, your Mac's hard drive will open in the second computer, where you can copy, delete and manage files. Target disk mode provides a quick way to transfer large files between computers and can also be helpful in troubleshooting system issues. This article explains how to restart a Mac in target disk mode.


    • Log on to your computer with an administrator account.

    • Open System Preferences by clicking on the icon in the dock.

    • Go to the “Startup Disk” control panel under the “System” category.

    • Click on the “Target Disk Mode” button and click “Restart” to confirm your decision.

    • Connect your computer to another computer with a FireWire cable. When your computer restarts, it will enter target disk mode and will appear as an external hard drive on the second computer.


    How to create custom error pages



    Resolution


    If it is necessary to use .php, .asp, etc. applications on the domain:

    First of all make sure that this extension is allowed in IIS and for the domain.

    In Plesk Control Panel create a virtual directory for custom error document files: Domains, domain.name, Web Directories, Add New Virtual Directory (it will be created on the server in %plesk_vhosts%domain.name\httpdocs)

    Create a new file (script that will be run on this error):

    Domains, File Manager, httpdocs, Created Virtual Directory, Add new File

    Choose created file to be processed for the needed error:

    Domains, domain.name, Web Directories, Error Documents, needed error, Location.
    Specify it in the following manner:

    Type: URL

    Location: /Created_Virtual_Directory/file.name

    Note: Do not create custom files in the %plesk_vhosts%domain.name\error_docs directory. They will not be processed, because %plesk_vhosts%domain.name\httpdocs is used as the home directory for custom files.


    Tuesday, 5 October 2010

    Running Classic ASP Applications on IIS 7.0 and IIS 7.5

    Classic ASP Script Error Messages No Longer Shown in Web Browser by Default

    In earlier versions of IIS, error messages from classic ASP scripts were sent to a Web browser, by default. Because these error messages might reveal sensitive information to malicious users, IIS 7 disables this feature by default. When your classic ASP scripts encounter an error in IIS 7, you receive the following error message by default:
    An error occurred on the server when processing the URL. Please contact the system administrator.

    If you are the system administrator please click here to find out more about this error.

    You can customize the ASP script error message, and also determine whether to return the script errors to a Web browser. Note: As a best practice for security, you should only enable sending ASP script error messages to a Web browser on a development or test computer; returning script error messages to a Web browser can unintentionally expose more information than you intended to show.

    Working with User Access Control


    You need to make sure that you follow the steps in this document by using an account that has full administrative permissions. This is best accomplished by using one of two methods:

    • Log in to your computer by using the local administrator account.

    • If you are logged in using an account with administrative permissions but that is not the local administrator account, open all applications and all command prompt sessions by using the "Run as Administrator" option.


    These conditions are required because the User Account Control (UAC) security component in Windows Vista and Windows Server 2008 will prevent administrative access to IIS 7’s configuration settings. For more information about UAC, see the following documentation:

    Customizing Classic ASP Error Messages


    The configuration settings that you use to customize these settings are in the following list:
    scriptErrorMessage
    This is an optional string attribute that specifies the error message that will be sent to the browser when specific debugging errors are not sent to the client.
    scriptErrorSentToBrowser
    This is an optional Boolean attribute that specifies whether the writing of debugging specifics to the client browser is enabled.

    You can configure these settings by using IIS Manager. To do so, open IIS Manager and navigate to the site or application where you want to enable or disable script messages, and then double-click the ASP feature.

    In the list of ASP features, configure the Script Error Message and Send Errors To Browser options.

    You can also configure these settings by using the command-line tool AppCmd.exe with the following syntax:
    appcmd.exe set config "Default Web Site" -section:system.webServer/asp /scriptErrorMessage:"An error occurred."
    appcmd.exe set config "Default Web Site" -section:system.webServer/asp /scriptErrorSentToBrowser:"False"
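
    To see where the setting above actually ends up enabled, this added example (not from the original post or from Microsoft's documentation) parses an applicationHost.config-style file and resolves scriptErrorSentToBrowser for every location path, including child paths that inherit it from a parent. The sample XML and its paths are constructed; the script assumes attribute-level inheritance down the path hierarchy and ignores web.config files inside site directories.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an IIS 7 applicationHost.config.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <asp scriptErrorSentToBrowser="false" scriptErrorMessage="An error occurred." />
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <asp scriptErrorSentToBrowser="True" />
    </system.webServer>
  </location>
  <location path="Default Web Site/legacy">
    <system.webServer>
      <asp scriptErrorMessage="Contact support." />
    </system.webServer>
  </location>
</configuration>"""

def effective_settings(config_xml):
    """Map each configuration path to its effective scriptErrorSentToBrowser."""
    root = ET.fromstring(config_xml)
    declared = {"": root.find("system.webServer/asp")}
    for loc in root.findall("location"):
        declared[loc.get("path", "").strip("/")] = loc.find("system.webServer/asp")
    resolved = {}
    for path in sorted(declared, key=len):  # parents are shorter than children
        parent = path
        value = False  # IIS 7 default: errors are not sent to the browser
        while parent:  # walk up to the nearest ancestor already resolved
            parent = parent.rpartition("/")[0]
            if parent in resolved:
                value = resolved[parent]
                break
        node = declared[path]
        raw = node.get("scriptErrorSentToBrowser") if node is not None else None
        if raw is not None:  # an explicit value overrides the inherited one
            value = raw.strip().lower() == "true"
        resolved[path] = value
    return resolved

def exposed_scopes(config_xml):
    """Paths where ASP script errors would be returned to the browser."""
    return sorted(p or "(server)" for p, on in effective_settings(config_xml).items() if on)

if __name__ == "__main__":
    print(exposed_scopes(SAMPLE_CONFIG))
```

    The "legacy" application never sets the attribute itself, yet it is reported because it inherits the value from its parent site, which is the case a quick look at a single element misses.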

    Monday, 4 October 2010

    How to add nameservers from shell


    Most of the time on a cPanel dedicated server we add nameservers from WHM, but sometimes we are not able to access WHM. In that case we can add nameservers from the shell using the root login details.


    Log in to the server as the root user and run the following commands.

    root@server[~]# /scripts/adddns --domain ns1.your_domain.com --ip=174.222.222.1


    root@server[~]# /scripts/adddns --domain ns2.your_domain.com --ip=174.222.222.2


    You can use your domain name instead of your_domain.com in the above commands, with the respective IPs which you want to use for your nameservers.


    root@server[~]#service named restart

    or

    root@server[~]#/etc/init.d/named restart

    GnuPG: “decryption failed: secret key not available”

    I just tried importing GnuPG keys from one account to another on my system. After that I was unable to encrypt or decrypt any messages. Here is the error which was found to be bailing out:
    GnuPG: “decryption failed: secret key not available”

    This happened because I imported only the public keys from the backup. Private keys are essential in case you want GPG keys to work for encrypting and decrypting messages.

    To ensure private keys are also copied into your existing account, use the --allow-secret-key-import option along with --import as shown below.
    gpg --allow-secret-key-import --import

    Once this is done, you will be able to smoothly encrypt and decrypt the messages just like earlier. While taking backups of GnuPG keys etc, you must keep this point in mind.

    Fix: Broken gnome-shell due to missing libmozjs.so

    Unable to use Gnome-shell due to broken libmozjs.so on Ubuntu 10.04?

    error while loading shared libraries: libmozjs.so: cannot open shared object file: No such file or directory

    Here is a quick fix: locate libmozjs.so, create a symlink to it in /usr/lib, and run ldconfig.

    Here is a bug report at launchpad.

    How to Enable mod_deflate GZIP Compression on CPanel Web Hosts

    How to Enable GZIP Compress on PHP Websites

    Compressing a web page before serving it to the web browser which requested it can save and reduce bandwidth usage. With fewer bytes to transmit and transfer over the Internet, a web page request can be fulfilled and transferred faster, freeing up processes and resources to handle other requests. The end result is a faster website, which improves visitors’ experience and potentially improves search engine ranking.

    Most modern web browsers accept web pages encoded in GZIP or Deflate encoding method, with GZIP as the more popular compression format. Webmasters and system administrators are also encouraged to implement GZIP compression.

    There are many ways to implement and enable GZIP compression on a website. For example, enable GZIP compression by configuring mod_deflate on the Apache HTTPD server (Note: mod_deflate is for Apache 2.x only, while mod_gzip is used in Apache 1.x). However, for users who can’t modify the Apache configuration file, or are unfamiliar with the various syntax and directives of the mod_deflate and mod_gzip modules, there is a simple way to turn on and enable GZIP compression, specifically for PHP scripts.

    PHP can compress the content output by the PHP scripts, including HTML, JavaScript and CSS codes which are included inside the PHP files. GZIP compression is supported by default on PHP version 4.3 or newer.

    To enable PHP GZIP compression, edit the php.ini (example locations such as in /etc/ or /usr/local/lib) with any text editor such as vi, and locate the following directive:

    zlib.output_compression

    The default value is Off. Change the setting to On so that the line looks like this:

    zlib.output_compression = On

    Restart the Apache HTTPD server after the change. Every web page produced by PHP will now be compressed before being sent over the Internet to the web browser to decode.

    PHP also has a directive which can be used to adjust the compression level. To set the compression level, use the following line in php.ini, with valid values between 1 and 9, where 1 is the least compression and 9 is the most. Default compression level is 6, which provides the best compression without degrading server performance.

    zlib.output_compression_level = 6

    Previously, PHP compression was achieved by entering code at the beginning of each PHP script. That method is not recommended, as each and every script has to be changed. Enabling zlib in php.ini applies to all PHP scripts on the web server without exclusion.

    If it’s impossible to modify the php.ini file, or you do not have control over php.ini, especially on shared hosting, PHP GZIP compression can also be set up via the .htaccess file, typically located in the root of the website. To enable PHP GZIP compression via Zlib, just add the following line to the .htaccess file. Note that each website has to be changed individually.

    php_flag zlib.output_compression on

    The disadvantage of enabling GZIP compression via PHP is that only web pages generated by PHP scripts will be compressed with GZIP encoding. External CSS or JavaScript files will not be compressed. To enable GZIP compression on all file types, use mod_deflate or mod_gzip on the HTTPD web server instead.

    Do check and verify that GZIP compression is running properly.
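
    One way to do that verification, as an added example that is not part of the original post: the function below takes a response's headers and raw body and checks that the Content-Encoding header announces gzip, that the body really decompresses, and how many bytes were saved. The sample page and the sample_response helper are constructed for the example so that it runs offline.

```python
import gzip
import zlib

# Constructed sample page standing in for the output of a PHP script.
SAMPLE_HTML = ("<html><body>" + "<p>Hello, visitor!</p>" * 200
               + "</body></html>").encode()

def sample_response(level=6):
    """Build a constructed response like one sent with
    zlib.output_compression = On at the given compression level."""
    headers = {"Content-Type": "text/html", "Content-Encoding": "gzip"}
    return headers, gzip.compress(SAMPLE_HTML, compresslevel=level)

def check_gzip_response(headers, body):
    """Check that a response is really gzip-compressed.

    headers: dict of response headers; body: the raw bytes received.
    'compressed' means the server announced gzip; 'valid' means the body
    actually decompresses; 'saving' is the fraction of bytes saved.
    """
    names = {k.lower(): v for k, v in headers.items()}
    encodings = [e.strip().lower()
                 for e in names.get("content-encoding", "").split(",")]
    result = {"compressed": "gzip" in encodings, "valid": False,
              "wire_bytes": len(body), "page_bytes": None, "saving": 0.0}
    if not result["compressed"]:
        return result
    try:
        page = gzip.decompress(body)
    except (OSError, EOFError, zlib.error):
        return result  # header says gzip but the body is not: misconfiguration
    result.update(valid=True, page_bytes=len(page))
    if page:
        result["saving"] = 1 - len(body) / len(page)
    return result

if __name__ == "__main__":
    for level in (1, 6, 9):
        print(level, check_gzip_response(*sample_response(level)))
    print(check_gzip_response({"Content-Type": "text/html"}, SAMPLE_HTML))
```

    When checking a live site, request the page with an Accept-Encoding: gzip header and pass in the body exactly as received, before the HTTP client decodes it.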