Pages

Thursday, November 29, 2012

Config-Server-Firewall

Installing CSF---config-server-firewall


Downloading the Packages

--------------->wget http://www.configserver.com/free/csf.tgz
--------------->tar zxvf csf.tgz

--------------->cd csf

This is where the paths diverge: cPanel server, or non-cPanel server.

--------------->./install.cpanel.sh

If you are running a non-cpanel redhat server:

--------------->./install.sh

---------------> /etc/init.d/csf restart


First run following command that you have all the required iptables modules available for running CSF full. Don’t worry if you cannot run all the features, so long as the script doesn’t report any FATAL errors
[root@desk csf]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing ipt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
RESULT: csf should function on this server
Looks 100% OK.


Here are the most common commands you will be using:

csf -d IPADDRESS will deny an IP.
csf -a IPADDRESS will allow an IP.
csf -r will reload all rules.
-dr, --denyrm ip    Remove and unblock an IP address in /etc/csf.deny
-t, --temp          Displays the current list of temporary IP bans and their TTL
-tr, --temprm ip    Remove an IP address from the temporary IP ban list


---------------------------
# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
TESTING = "1"

Edit the last line of that block of text so that it reflects testing being disabled:
TESTING = "0"

Finally, restart CSF:
---------------------------


More about csf
##############################
Now edit the /etc/csf/csf.conf
Put your all ports which you want to be open on your server for incoming traffic seperated by comma.
TCP_IN = “20,21,22,25,53,80,110,143,443,465,587,993,995″
Also open any port you want for outgoing traffic
TCP_OUT = “20,21,22,25,53,80,110,113,443″
Same goes for UDP_IN and UDP_OUT, be remember if you are running DNS service, so you have to open port 53 in UDP_IN as DNS port 53 runs on udp rather than tcp
UDP_IN = “20,21,53″
To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = “20,21,53,113,123,33434:33523″
#############################
SYNFLOOD protection is already enabled and if you want to change the RATE or BURST value you can use following lines to match your traffic.
SYNFLOOD = “0″
SYNFLOOD_RATE = “100/s”
SYNFLOOD_BURST = “150″
currently the RATE is 100/s and BURST can upto 150. This can be varry from server to server.
i.e. if 100 connections are received from an IP/sec for 150 times, block it. Make sure don’t keep it too strict if you are not receiving an attack else it will generate false positives and will block legit connections.
############################
Search for “PORTFLOOD”
PORTFLOOD = “80;tcp;20;300″
This rule will block IPs that connects to port 80 via TCP more than 20 times within 300 seconds.  Once the attack is normal then remove this rule from the csf firewall.
############################
# To disable this feature, set this to 0
CT_LIMIT = Default: 50 (means 50 connections per ip address)
# Connection Tracking interval. Set this to the the number of seconds between
# connection tracking scans
CT_INTERVAL = Default: 30
# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = Default: 1
# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
CT_PERMANENT = Default: 0
# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
CT_BLOCK_TIME = Default: 1800
# If you don’t want to count the TIME_WAIT state against the connection count
# then set the following to “1″
CT_SKIP_TIME_WAIT = Default: 0
# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. “SYN_RECV,TIME_WAIT”
#
# Leave this option empty to count all states against CT_LIMIT
CT_STATES =
# If you only want to count specific ports (e.g. 80,443) then add the ports
# to the following as a comma separated list. E.g. “80,443″
#
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = 80,443
############################
CONNLIMIT is a comma separated list of:
port;limit
So, a setting of CONNLIMIT = "22;5,80;20" means:
1. Only allow up to 5 concurrent new connections to port 22 per IP address
2. Only allow up to 20 concurrent new connections to port 80 per IP address
Note: Existing connections are not included in the count, only new SYN packets,
i.e. new connections
############################
If you want to add some spam protection, CSF can help. Look in the configuration for the following:
LF_SCRIPT_ALERT = 0 change this to 1. This will send an email alert to the system administrator when the limit configured below is reached within an hour.
LF_SCRIPT_LIMIT = 100 change this to 250. This will alert you when any scripts sends out 250 email messages in an hour.
Define email address to which you need to get alerts and define email address to which you want to get.
LF_ALERT_TO = “snipped@google.com”
LF_ALERT_FROM = “csf@google.com”
###########################

Gstreamer-ffmpeg Packages for rhel

1. Download the latest atrpms-repo rpm from

http://dl.atrpms.net/el6-x86_64/atrpms/stable/

2. Install atrpms-repo rpm:

# rpm -Uvh atrpms-repo*rpm

3. Install gstreamer-ffmpeg rpm package:

# yum install gstreamer-ffmpeg

[fusion]
name=fusion
baseurl=http://apt.sw.be/redhat/el6/en/x86_64/rpmforge/
enabled=1
gpgcheck=0

[atrpms]
name=atrpms
baseurl=http://dl.atrpms.net/el6-x86_64/atrpms/stable/
enabled=1
gpgcheck=0

Tuesday, November 27, 2012

Creating a Certificate Authority OR Self Signing

To create the private Certificate Authority we could make one as below..
How the whole thing works

1.First create Certificate Authority with needed credentials as per needed certificate details.To sign a certificate signing request the authority must have a certificate with same credentials as that of certificate signing request . so after configuring /etc/pki/tls/openssl.cnf with needed credential we need to create a private key and a certificate in the certificate authority

2.create the private key and certificate signing request at client side as per needed credential.

3.scp the certificate signing request csr from the client to the server which is the certificate authority and sign the csr with the certificate authority and get the certificate and send the certificate back to client


Signing of the certificate will be successful only if the the credentials in the certificate authorities certificate and that in certificate signing request matches

Packages needed are openssl*

1.
In server where we need to create the certificate authority

cd /etc/pki/tls/openssl.cnf
In that file we need to change the following as per out need
#######
dir             = /etc/pki/CA ----------------------> root directory of Certificate  authority
certificate     = $dir/my-ca.crt  ------------------> Certificate of the CA which is used to check against the csr
crl             = $dir/crl.pem    ------------------> certificate revocation list if the certificate is compromised
private_key     = $dir/private/my-ca.key -----------> private key of Certificate authority used to create the CA's certificate

#######Basic Credentials that should be same in both csr and the certificate in CA

stateOrProvinceName_default     = North Carolina
localityName_default            = Raleigh
0.organizationName_default      = Example, Inc.

#######There are more credentials which are used in certificate creation

#######Make the needed directories in CA

mkdir /etc/pki/CA/{cert,crl,newcerts}
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial

NOW Creating the CA's private key and CERTIFICATE in corresponding places

cd /etc/pki/CA

openssl genrsa -out private/my-ca.key -des3 2048
openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt



2.
Creating privet key and Certificate Signing Request at client side
Creating private key

openssl genrsa -out private.key -des3 2048

Creating certificate sigining request with private key

openssl req -new -key private.key -out certificate.csr

here you will be asked for needed credentials ..Remember if the credentials are different in csr and ca the signing will be failure



3
With certificate.csr in Certificate Authority server we can sign the certificate

openssl ca -in certificatecsr.csr -out certificate.crt

here the ca implies that it will use the configuration from /etc/pki/tls/openssl.cnf to sign the signing request.

Or the other way is to self sign as follow after creating the private key and csr we could do self signing as follows

openssl  x509 -req -days 365 -in  certificate.csr -signkey private.key -out certificate.crt

Tuesday, November 13, 2012

Install Dolphin in Vps / Hosting

Installing Dolphin

We can install dolphin in two ways either as main site or as a sub directory ie a folder inside the main site. The difference between this two are is that to get the dolphin installed as the main site uncompress the tar file in the public_html folder so that we can access the site as following

http://your-domain-name/

and in second type we will be uncompressing the tar file in a directory inside public_html so that we can access the site as follows

http://your-domain-name/<name-we-give>

Downloading Dolphin


Cd /<path-to-root_directory>/public_html

mkdir dolphin

Change to the Dolphin directory by entering the following command:
cd dolphin

Download the latest Dolphin release by entering the following command:
http://www.boonex.com/paymentprovider/payment#download

wget http://get.boonex.com/Dolphin-v.7.0

Unzip the archive by entering the following command:
unzip Dolphin-v.7.0

Adding a MySQL User and Database


We could create the database and user using cpanel mysql window. Normally the database are named as username_databasename and username as username_name

mysql
CREATE USER USER_NAME IDENTIFIED BY PASSWORD
CREATE DATABASE DATABASE_NAME;
GRAND ALL ON DATABASE_NAME TO USER_NAME;
FLUSH PRIVILEGES;
EXIT;

GRANT ALL PRIVILEGES ON db_base.* TO db_user @’%’ IDENTIFIED BY ‘db_passwd’;


Configuring Permissions


Cd /<path-to-root-document>/public_html/dolphin

chmod 777 ./inc ./backup ./cache ./cache_public ./langs ./media/app ./media/images ./media/images/banners ./media/images/blog ./media/images/classifieds ./media/images/membership ./media/images/profile ./media/images/profile_bg ./media/images/promo ./media/images/promo/original ./tmp ./plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer ./plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/HTML ./plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/CSS ./plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/Test ./plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/URI

chmod 777 ./flash/modules/board/files ./flash/modules/chat/files ./flash/modules/photo/files ./flash/modules/im/files ./flash/modules/mp3/files ./flash/modules/video/files ./flash/modules/video_comments/files

chmod 666 inc/prof.inc.php

chmod 666 ./flash/modules/global/data/integration.dat ./flash/modules/board/xml/config.xml ./flash/modules/board/xml/langs.xml ./flash/modules/board/xml/main.xml ./flash/modules/board/xml/skins.xml ./flash/modules/chat/xml/config.xml ./flash/modules/chat/xml/langs.xml ./flash/modules/chat/xml/main.xml ./flash/modules/chat/xml/skins.xml ./flash/modules/desktop/xml/config.xml ./flash/modules/desktop/xml/langs.xml ./flash/modules/desktop/xml/main.xml ./flash/modules/desktop/xml/skins.xml ./flash/modules/global/xml/config.xml ./flash/modules/global/xml/main.xml ./flash/modules/im/xml/config.xml ./flash/modules/im/xml/langs.xml ./flash/modules/im/xml/main.xml ./flash/modules/im/xml/skins.xml ./flash/modules/mp3/xml/config.xml ./flash/modules/mp3/xml/langs.xml ./flash/modules/mp3/xml/main.xml ./flash/modules/mp3/xml/skins.xml ./flash/modules/photo/xml/config.xml ./flash/modules/photo/xml/langs.xml ./flash/modules/photo/xml/main.xml ./flash/modules/photo/xml/skins.xml ./flash/modules/video/xml/config.xml ./flash/modules/video/xml/langs.xml ./flash/modules/video/xml/main.xml ./flash/modules/video/xml/skins.xml ./flash/modules/video_comments/xml/config.xml ./flash/modules/video_comments/xml/langs.xml ./flash/modules/video_comments/xml/main.xml ./flash/modules/video_comments/xml/skins.xml

chmod 777 flash/modules/global/app/ffmpeg.exe


Running the Install Script


Navigate to http://host-name.com/dolphin/install/index.php.

The Dolphin installation page appears,

Click Install to begin.

If any of the file get failed we need to do that manually using chmod 755 for needed files.

All of the files listed should be Writable. Click Next to continue. The Paths Check webpage appears, as shown below.

If we get ImageMagick installed failed we need to install it manually .we could intall that using the cpanel scripts

Check whether ImageMagicK is installed or not:-à/scripts/checkimagemagick

Install ImageMagick :à/scripts/installimagemagick

/usr/bin/convert –version

If we get GD library failed intall it using

/scripts/easyapache

  1. "Start customizing based on profile"

  2. Select the Apache version and click next step.

  3. Select the Major PHP Version and click next step.

  4. Select the PHP Minor Version and click next step.

  5. Scroll down to the bottom and click "Exhaustive Options List". (If the module you are needing isn't listed)

  6. Select the modules you wish to add (GD library) then scroll to the bottom and click "Save and Build".


Even after installing GD library if we get GD library failed we need to edit

Find and edit the php.ini

And add

extension=php_gd2.dll

extension=php_gd.dll

and run the check again.

All of the paths listed should be "found". You should also see a GD library installed message at the bottom of the webpage. Click Next to continue. The Database webpage appears.

Enter the details for the Dolphin database you created earlier in this guide. Click Next to continue. The Configuration webpage appears.

Complete the form by entering the required information for your website, and then click Next to continue. The Cron Jobs webpage appears.

Now you'll need to set up a cron job specified on the webpage. We can also do this from the cpanel in graphical way. To set up your cron job, you'll need to open your crontab for editing by entering the following command:
sudo crontab -e

MAILTO=myemail@gmail.com
* * * * * cd /var/www/periodic; /usr/bin/php -q cron.php

To save the cron job, press Control-X, and then press Y to save.

Back in your web browser, click Next. The Permissions Reversal webpage appears, as shown below.

To reverse your permissions, enter the following commands, one by one.
cd /<path-to-document-root>/public_html/dolphin
find ./ -type d -exec chmod 755 {} \;
sudo find ./ -type f -exec chmod 644 {} \;
chmod 755 flash/modules/global/app/ffmpeg.exe;

Back in your web browser, click Check. The webpage should now indicate that the directory is "Non-writable", as shown below.

Click Next. If the webpage shown below appears its finished

After that copy the languages from the install/lang directory to dolphin/lang that in dolphin.

mv /<path-to-document-root>/public_html/dolphin/install/langs/* /<path-to-document-root>/public_html/dolphin/langs/

Now you'll want to remove the install directory by entering the following commands, one by one:
cd /<path-to-root-document>/public/dolphin
rm -rf install

Change the permissions of the cache, cache_public, langs, and tmp folders by entering the following commands, one by one:
chmod 777 cache
chmod 777 cache_public
chmod 777 tmp

You can now log into your admin panel at http://host-name.com/dolphin/administration/.

Installing Wordpresss in VPS / Hosting places

We can install wordpress in our domain in two ways . Either as main site ie in public_html or as an sub website inside a directory in the public_html..difference between then is just about uncompromising  the tar file in public_html directory or in a sub directory . For doing that in either way all the steps are same .

First we need to download the tar file and we need to uncompress it in the needed directory .

cd /<path-to-document-root>/public_html
wget http://wordpress.org/latest.tar.gz

now decompress the file

tar -xvzf  latest.tar.gz

change the privilage of the folder by

chmod -R 777 *

noramally to make it the main site we copy the tar file and extract the tar file in same public_html directroy so that it can be accessed like

http://your-domain-name

To make it a sub website first we need to make a direcotry with any name inside the public_html and untar the tar file into that it can be accessed by

http://your-domain-name/<name-we-give>

Second thing we need is a database which we can create through the cpanel or through the shell .when creating the databse user throug the cpanel we need to create a database first and later a user and we need to give full permission to that user over that database. All this can be done through

cpanel>>Home>>Mysql databse …Or

by following commands in the shell .To do it through shell we need to get into our server/vps through ssh and run the following command.Normally the databases will be named as username_databasename . And user of that database as username_name.

mysql
CREATE USER USER_NAME IDENTIFIED BY PASSWORD
CREATE DATABASE DATABASE_NAME;
GRAND ALL ON DATABASE_NAME TO USER_NAME;
FLUSH PRIVILEGES;
EXIT;

GRANT ALL PRIVILEGES ON db_base.* TO db_user @'%' IDENTIFIED BY 'db_passwd';

Now go to browser and type “http://your-domain-name/” or “ http://your-domain-name/<name-we-give>” to get the auto install configuration file of the wordpress.There we will be asked for following and we need to fill in the needed details..Remember to give correct database name and user name leave the rest of options as it is

database: database_name
username:user_name
password:password
host:localhost:

and click next

If all things ends correctly it will be done and you will get the welcome page

Wednesday, November 7, 2012

Creating the Cpanel account with WHM

Log into your WHMIn the left menu under "Account Functions", click "Create a New Account"
Fill in the details for the new account. Here's a brief outline of the settings you'll be putting in:

  • Domain Information

    • Enter the main domain name on the account, set a cPanel username and password for it, and then enter the email address to be associated with the account.



  • Package

    • WHM allows you to create packages, which make it easier to manage cPanel accounts. For Example, you may have a "Power Plan" package like InMotion Hosting offers. Within that package you could set limits such as the number of addon domains to associate to the account. If you don't have any packages set, select the "Select Options Manually" option and set those limitations now.



  • Settings

    • Choose the cPanel theme to assign the user (InMotion Hosting currently uses x3) and select the appropriate language for the user.



  • Reseller Settings

    • If you have the access to create a cPanel account, it means that you have reseller permissions. Decide here if this new account you're creating should have WHM access and be able to create accounts themselves.



  • DNS Settings

    • Decide how the domain's nameservers should be configured on the server. If the nameservers specified for this domain name are going to be on another server, choose the option "Use the nameservers specified at the Domain's Regsitrar"



  • Mail Routing Settings

    • Decide how the server handles email for this specific domain. For example, should it attempt to deliver the email locally or should it look at the external MX records and decide? It's recommended to use "Automatically Detect Configuration" if you're not sure about this setting

    • .




After you have filled in all of the details above, click the "Create" button at the bottom of the page.

Congratulations, you have just created a new cPanel account!

Tuesday, November 6, 2012

Installing cPanel manually

In order to install cpanel/WHM on your VPS ,  you will need to log into your server as root first.

ssh root@server-ip

In above server-ip should be your server's  ip. We should install cpanel/whm only in a fresh system ,configured with a proper yum or apt-get system .

From a windows machine we can use putty to log into the server ...

Minimum Requirements as per cpanel's original site















Processor266 MHz
Memory512 MB RAM (1 GB recommended when hosting many accounts)
Disk Space10 GB hard disk


Removing YUM groups


To obtain a list of yum groups, run the command:

yum grouplist


You should make sure these yum groups are not installed:

  • FTP Server

  • GNOME Desktop Environment

  • KDE (K Desktop Environment)

  • Mail Server

  • Mono

  • Web Server

  • X Window System


To remove a yum group, run the command yum groupremove. For example, if you wish to remove Mono and Mail Server, enter:

yum groupremove "Mono" "Mail Server"


Disabling SELinux security features


You should disable SELinux after installing Red Hat Enterprise Linux, CentOS, or CloudLinux. To disable SELinux, you can either:

  • Use the graphical interface while configuring your operating system, or

  • Edit /etc/selinux/config from the command line and set the SELINUX parameter to disabled using a text editor, such as nano or vi.


If you disable SELinux from the command line, the contents of /etc/selinux/config should resemble:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted


Deactivating default firewall and checking for updates


If you are installing a CentOS, Red Hat Enterprise Linux, CloudLinux operating system, you should deactivate the default firewall and check for updates.

To deactivate the firewall, run the commands:

chkconfig iptables off
service iptables stop


To check for updates, run the command:

yum update


change the hostname of the VPS to a valid hostname like "server.domain.com".

Installing cpanel


The installation of cPanel can take a long time and it is better if you install "screen". Depending on your operating system you can install screen running yum or apt-get (yum install screen or apt-get install screen).

Now you will want to download and install cPanel:

screen -S cpanel
cd /home
wget http://layer1.cpanel.net/latest
sh latest

ctrl -A-D ...to detach from screen

screen -ls will list the screens

If you get disconnected, you can ssh back into your server as root, and run: 
screen -r cpanel

After everything is complete, and there are no errors, you should be able to access the WHM control panel by visiting

https://your_ip:2087