
Friday, April 11, 2014

Installing Mod-Security Along with the Open Source Rules

Installing Mod-Security for Apache httpd.

## For RHEL/CentOS 6.2/6.1/6/5.8 ##

Installing the needed packages

yum install gcc make
yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel

Installing the Mod-Security

## For RHEL/CentOS 6.2/6.1/6/5.8 ##
cd /usr/src
wget http://www.modsecurity.org/download/modsecurity-apache_2.6.6.tar.gz
tar xzf modsecurity-apache_2.6.6.tar.gz
cd modsecurity-apache_2.6.6
./configure
make install
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

Adding the Mod-Security module to Apache

# vi /etc/httpd/conf/httpd.conf
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

[root@54 modsecurity-apache_2.6.6]# httpd -t -D DUMP_MODULES |grep sec
security2_module (shared)
Syntax OK
[root@54 modsecurity-apache_2.6.6]#

Then include the Mod-Security configuration in httpd.conf, guarded so that httpd still starts if the module is not loaded:

<IfModule security2_module>
Include conf.d/modsecurity.conf
</IfModule>

Adding the Mod-Security rules

OWASP Core Rule Set (CRS):

wget http://pkgs.fedoraproject.org/repo/pkgs/mod_security_crs/modsecurity-crs_2.2.5.tar.gz/aaeaa1124e8efc39eeb064fb47cfc0aa/modsecurity-crs_2.2.5.tar.gz
tar zxvf modsecurity-crs_2.2.5.tar.gz
mv modsecurity-crs_2.2.5 modsecurity-crs

mv modsecurity-crs /etc/httpd/conf.d/

Adding the rules to httpd

<IfModule security2_module>
Include conf.d/modsecurity.conf
Include conf.d/modsecurity-crs/activated_rules/*.conf
Include conf.d/modsecurity-crs/base_rules/*.conf
Include conf.d/modsecurity-crs/optional_rules/*.conf
Include conf.d/modsecurity-crs/slr_rules/*.conf
</IfModule>

The latest rule set is available from the SpiderLabs repository on GitHub:

sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master

Mod-Security now runs in detection-only mode: rule matches are logged but nothing is blocked. Once the rules have been tuned against the logs, switch the engine on (and restart httpd afterwards).

[root@54 conf]# cat /etc/httpd/conf.d/modsecurity.conf |grep SecRuleEngine -i

SecRuleEngine DetectionOnly

# when SecRuleEngine is set to DetectionOnly mode in order to minimize

[root@54 conf]#

Change to

SecRuleEngine On
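To decide when the rules are tuned enough to switch to On, here is an added Python example (not from the original post) that parses the ModSecurity events written to the Apache 2.2 error_log during DetectionOnly and tallies them per rule and per client; the log lines, rule ids, hostnames and addresses are constructed.

```python
import re
from collections import Counter

# Layout of a ModSecurity 2.x message in the Apache 2.2 error_log (the httpd
# shipped with RHEL/CentOS 6):
#   [date] [error] [client IP] ModSecurity: Warning. <match> [file "..."] [id "..."] [msg "..."] ...
# In DetectionOnly mode every rule hit is logged as "Warning."; once the engine
# is On, rules with a disruptive action log "Access denied with code NNN" instead.
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')
ACTION_RE = re.compile(r'ModSecurity: (Warning|Access denied with code (\d+))')
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_modsec_event(line):
    """Return a dict describing one ModSecurity event, or None for any other line."""
    action = ACTION_RE.search(line)
    if action is None:
        return None
    event = {
        "blocked": action.group(1) != "Warning",
        "status": int(action.group(2)) if action.group(2) else None,
    }
    client = CLIENT_RE.search(line)
    event["client"] = client.group(1) if client else None
    # Every [key "value"] pair after the action becomes a field (file, line, id,
    # msg, severity, hostname, uri, unique_id, ...); escaped quotes are unescaped.
    for key, value in FIELD_RE.findall(line[action.end():]):
        event[key] = value.replace('\\"', '"')
    return event


def summarize(lines):
    """Count rule hits per (rule id, msg) and per client, plus how many were
    already blocked, so a DetectionOnly run can be reviewed before going to On."""
    by_rule = Counter()
    by_client = Counter()
    blocked = 0
    for line in lines:
        ev = parse_modsec_event(line)
        if ev is None:
            continue
        by_rule[(ev.get("id", "?"), ev.get("msg", "?"))] += 1
        by_client[ev["client"]] += 1
        blocked += 1 if ev["blocked"] else 0
    return {"by_rule": by_rule, "by_client": by_client, "blocked": blocked}


# Constructed sample error_log lines (rule ids, hosts and addresses are made up).
SAMPLE_LOG = [
    '[Fri Apr 11 10:21:03 2014] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i:union.+select)" at ARGS:id. [file "/etc/httpd/conf.d/modsecurity-crs/base_rules/example.conf"] [line "12"] [id "900100"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "CONSTRUCTED0001"]',
    '[Fri Apr 11 10:21:09 2014] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i:union.+select)" at ARGS:q. [file "/etc/httpd/conf.d/modsecurity-crs/base_rules/example.conf"] [line "12"] [id "900100"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "CONSTRUCTED0002"]',
    '[Fri Apr 11 10:22:41 2014] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "\\.\\./" at REQUEST_URI. [file "/etc/httpd/conf.d/modsecurity-crs/base_rules/example.conf"] [line "40"] [id "900200"] [msg "Path Traversal Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/static/"] [unique_id "CONSTRUCTED0003"]',
    '[Fri Apr 11 10:23:02 2014] [error] [client 1.2.3.4] File does not exist: /var/www/html/favicon.ico',
    '[Fri Apr 11 10:25:17 2014] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:union.+select)" at ARGS:id. [file "/etc/httpd/conf.d/modsecurity-crs/base_rules/example.conf"] [line "12"] [id "900100"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "CONSTRUCTED0004"]',
]


def main():
    report = summarize(SAMPLE_LOG)
    print("events already blocked:", report["blocked"])
    for (rule_id, msg), n in report["by_rule"].most_common():
        print("%5d  rule %s  %s" % (n, rule_id, msg))
    for client, n in report["by_client"].most_common():
        print("%5d  client %s" % (n, client))


if __name__ == "__main__":
    main()
```

Run it against the real file with `summarize(open("/var/log/httpd/error_log"))`; a rule that fires on ordinary traffic from many clients is one to tune or disable before SecRuleEngine goes to On.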


Thursday, April 10, 2014

Setting MySQL into read-only mode

Put the whole server into read-only mode with these commands at the MySQL prompt (note that read_only does not restrict accounts holding the SUPER privilege):

FLUSH TABLES WITH READ LOCK;
SET GLOBAL read_only = 1;

and back to normal mode with:
SET GLOBAL read_only = 0;
UNLOCK TABLES;

Thursday, February 27, 2014

OpenStack Installation and Configuration

The OpenStack project is an open source cloud computing platform for all types of clouds, which aims to be simple to implement, massively scalable, and feature rich. Developers and cloud computing technologists from around the world create the OpenStack project.

OpenStack provides an Infrastructure as a Service (IaaS) solution through a set of interrelated services. Each service offers an application programming interface (API) through which the other services integrate with it. Depending on your needs, you can install some or all services.

Dashboard         --- Horizon
Compute           --- Nova
Networking        --- Neutron
Object Storage    --- Swift
Block Storage     --- Cinder
Identity Service  --- Keystone
Image Service     --- Glance
Telemetry         --- Ceilometer
Orchestration     --- Heat

Dashboard : Horizon Provides a web-based self-service portal to interact with underlying OpenStack services, such as launching an instance, assigning IP addresses and configuring access controls.

Compute : Nova Manages the lifecycle of compute instances in an OpenStack environment. Responsibilities include spawning, scheduling and decommissioning of machines on demand.

Networking : Neutron Enables network connectivity as a service for other OpenStack services, such as OpenStack Compute. Provides an API for users to define networks and the attachments into them. Has a pluggable architecture that supports many popular networking vendors and technologies.

Storage

Object Storage : Swift Stores and retrieves arbitrary unstructured data objects via a RESTful, HTTP-based API. It is highly fault tolerant thanks to its data replication and scale-out architecture. It is not a file server with mountable directories.

Block Storage : Cinder Provides persistent block storage to running instances. Its pluggable driver architecture facilitates the creation and management of block storage devices.

Shared services

Identity Service : Keystone Provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.

Image Service : Glance Stores and retrieves virtual machine disk images. OpenStack Compute makes use of this during instance provisioning.

Telemetry : Ceilometer Monitors and meters the OpenStack cloud for billing, benchmarking, scalability, and statistical purposes.

Higher-level services

Orchestration : Heat Orchestrates multiple composite cloud applications by using either the native HOT template format or the AWS CloudFormation template format, through both an OpenStack-native REST API and a CloudFormation-compatible Query API.

Run a 64-bit OS on the compute node; otherwise you will have problems creating VMs that run a 64-bit OS.

Steps to be done on the controller server

Networking

The host firewall is disabled for the installation. The services configured below listen on the public address as well, so restrict them with firewall rules once the installation is complete.

service iptables stop
chkconfig iptables off

/etc/sysconfig/network-scripts/ifcfg-eth0
# Internal Network
DEVICE=eth0
TYPE=Ethernet
BOOTPROTO=static
IPADDR=192.168.0.10
NETMASK=255.255.255.0
DEFROUTE=yes
ONBOOT=yes

/etc/sysconfig/network-scripts/ifcfg-eth1
# External Network
DEVICE=eth1
TYPE=Ethernet
BOOTPROTO=static
IPADDR=10.0.0.10
NETMASK=255.255.255.0
DEFROUTE=yes
ONBOOT=yes

service network restart

yum -y install policycoreutils setroubleshoot

setenforce 0

yum install -y euca2ools

yum install -y yum-plugin-priorities gedit curl wget nc

Setting the hostname

echo "controller" > /etc/hostname
cat /etc/hostname
# RHEL/CentOS 6 reads the persistent hostname from HOSTNAME= in /etc/sysconfig/network
echo "142.0.42.46 controller" >> /etc/hosts
cat /etc/hosts
hostname controller
hostname
ping -c 3 controller

Installing the NTP server

yum -y install ntp
service ntpd start
chkconfig ntpd on

Installing the MySQL server

yum -y install mysql mysql-server MySQL-python
service mysqld start
chkconfig mysqld on
mysql_install_db
mysql_secure_installation

Set and remember the MySQL root password; it is needed throughout the rest of the installation.

Installing the OpenStack yum repositories

rpm -Uvh http://repos.fedorapeople.org/repos/openstack/openstack-havana/rdo-release-havana-6.noarch.rpm
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Installing OpenStack Packages

yum -y install openstack-utils
yum -y install openstack-selinux
yum -y install qpid-cpp-server memcached

Edit /etc/qpidd.conf and turn off broker authentication. The OpenStack services then connect to the message broker without credentials, so the broker must be reachable only from the internal network.

vi /etc/qpidd.conf
auth=no
service qpidd start
chkconfig qpidd on

Installing and configuring Keystone

yum -y install openstack-keystone python-keystoneclient

The Identity Service uses a database to store information. Specify the location of the database in the configuration file. In this guide, we use a MySQL database on the controller node with the username keystone.

openstack-config --set /etc/keystone/keystone.conf sql connection mysql://keystone:password@controller/keystone

Use the openstack-db command to create the database and tables, as well as a database user called keystone to connect to the database.

openstack-db --init --service keystone --password password

Define an authorization token to use as a shared secret between the Identity Service and other OpenStack services. Use openssl to generate a random token and store it in the configuration file. This admin_token bypasses normal authentication, so remove it from keystone.conf once the admin user and the endpoints below exist:

ADMIN_TOKEN=$(openssl rand -hex 10)
echo $ADMIN_TOKEN
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN

By default, Keystone uses PKI tokens. Create the signing keys and certificates, fix the file ownership and start the service:

keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log
service openstack-keystone start
chkconfig openstack-keystone on

Define users, tenants, and roles

export OS_SERVICE_TOKEN=$ADMIN_TOKEN
export OS_SERVICE_ENDPOINT=http://142.0.42.46:35357/v2.0

keystone tenant-create --name=admin --description="Admin Tenant"
keystone tenant-create --name=service --description="Service Tenant"
keystone user-create --name=admin --pass=password
keystone role-create --name=admin
keystone user-role-add --user=admin --tenant=admin --role=admin

[root@server ~]# keystone tenant-create --name=admin --description="Admin Tenant"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Admin Tenant                     |
| enabled     | True                             |
| id          | 56b2c2009ac4402996df23f85587eb60 |
| name        | admin                            |
+-------------+----------------------------------+
[root@server ~]# keystone tenant-create --name=service --description="Service Tenant"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Service Tenant                   |
| enabled     | True                             |
| id          | 48606f4b78024ba5b34f1854154be27e |
| name        | service                          |
+-------------+----------------------------------+
[root@server ~]# keystone user-create --name=admin --pass=password
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    |                                  |
| enabled  | True                             |
| id       | 72d9b80b1e464558ab9f563241106a69 |
| name     | admin                            |
+----------+----------------------------------+
[root@server ~]# keystone role-create --name=admin
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| id       | ba0ed19af57f4122b4c43c8868bfb47c |
| name     | admin                            |
+----------+----------------------------------+
[root@server ~]# keystone user-role-add --user=admin --tenant=admin --role=admin

Define services and API endpoints

keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"

keystone endpoint-create --service-id=the_service_id_above --publicurl=http://142.0.42.46:5000/v2.0 --internalurl=http://142.0.42.46:5000/v2.0 --adminurl=http://142.0.42.46:35357/v2.0

[root@server ~]# keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Keystone Identity Service        |
| id          | 05c8b4bcd2b44b59a5f8a3a8cde43c2e |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

[root@server ~]# keystone endpoint-create --service-id=05c8b4bcd2b44b59a5f8a3a8cde43c2e --publicurl=http://142.0.42.46:5000/v2.0 --internalurl=http://142.0.42.46:5000/v2.0 --adminurl=http://142.0.42.46:35357/v2.0
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| adminurl    | http://142.0.42.46:35357/v2.0    |
| id          | c91bacef4e0549709109d102d26d940e |
| internalurl | http://142.0.42.46:5000/v2.0     |
| publicurl   | http://142.0.42.46:5000/v2.0     |
| region      | regionOne                        |
| service_id  | 05c8b4bcd2b44b59a5f8a3a8cde43c2e |
+-------------+----------------------------------+
[root@server ~]#


Verify the Identity Service installation


unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
keystone --os-username=admin --os-password=password --os-auth-url=http://142.0.42.46:35357/v2.0 token-get
keystone --os-username=admin --os-password=password --os-tenant-name=admin --os-auth-url=http://142.0.42.46:35357/v2.0 token-get

export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://142.0.42.46:35357/v2.0

keystone token-get

keystone user-list

+----------------------------------+-------+---------+-------+
| id                               | name  | enabled | email |
+----------------------------------+-------+---------+-------+
| 72d9b80b1e464558ab9f563241106a69 | admin | True    |       |
+----------------------------------+-------+---------+-------+
[root@server ~]#

Install and configure the Image Service

yum -y install openstack-glance

openstack-config --set /etc/glance/glance-api.conf sql connection mysql://glance:password@controller/glance
openstack-config --set /etc/glance/glance-registry.conf sql connection mysql://glance:password@controller/glance

openstack-db --init --service glance --password password

keystone user-create --name=glance --pass=password

+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    |                                  |
| enabled  | True                             |
| id       | 903ccd5db7da45d9a15a52f37634652f |
| name     | glance                           |
+----------+----------------------------------+

keystone user-role-add --user=glance --tenant=service --role=admin

Configure the Image Service to use the Identity Service for authentication.

Run the following commands, replacing password with the password you chose for the glance user in the Identity Service:

openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_uri http://142.0.42.46:5000
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken auth_host controller
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_tenant_name service
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_user glance
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken admin_password password
openstack-config --set /etc/glance/glance-api.conf paste_deploy flavor keystone
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_uri http://142.0.42.46:5000
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken auth_host controller
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_tenant_name service
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_user glance
openstack-config --set /etc/glance/glance-registry.conf keystone_authtoken admin_password password
openstack-config --set /etc/glance/glance-registry.conf paste_deploy flavor keystone

On CentOS, copy the distributed paste files into place:

cp /usr/share/glance/glance-api-dist-paste.ini /etc/glance/glance-api-paste.ini
cp /usr/share/glance/glance-registry-dist-paste.ini /etc/glance/glance-registry-paste.ini

Edit each file to set the following options in the [filter:authtoken] section and leave every other existing option as it is.

[filter:authtoken]
paste.filter_factory=keystoneclient.middleware.auth_token:filter_factory
auth_host=controller
admin_user=glance
admin_tenant_name=service
admin_password=GLANCE_PASS

keystone service-create --name=glance --type=image --description="Glance Image Service"
keystone endpoint-create --service-id=the_service_id_above --publicurl=http://142.0.42.46:9292 --internalurl=http://142.0.42.46:9292 --adminurl=http://142.0.42.46:9292

Output

[root@server ~]# keystone service-create --name=glance --type=image --description="Glance Image Service"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Glance Image Service             |
| id          | 75a7bef17f9b4329bb84aab14e3a01ae |
| name        | glance                           |
| type        | image                            |
+-------------+----------------------------------+
[root@server ~]# keystone endpoint-create --service-id=75a7bef17f9b4329bb84aab14e3a01ae --publicurl=http://142.0.42.46:9292 --internalurl=http://142.0.42.46:9292 --adminurl=http://142.0.42.46:9292
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| adminurl    | http://142.0.42.46:9292          |
| id          | 10fb121e1190488a85341fe34d567c36 |
| internalurl | http://142.0.42.46:9292          |
| publicurl   | http://142.0.42.46:9292          |
| region      | regionOne                        |
| service_id  | 75a7bef17f9b4329bb84aab14e3a01ae |
+-------------+----------------------------------+
[root@server ~]#

service openstack-glance-api start
service openstack-glance-registry start
chkconfig openstack-glance-api on
chkconfig openstack-glance-registry on

Verify the Image Service installation

mkdir images
cd images/
wget http://cdn.download.cirros-cloud.net/0.3.1/cirros-0.3.1-x86_64-disk.img

glance image-create --name="CirrOS 0.3.1" --disk-format=qcow2 --container-format=bare --is-public=true < cirros-0.3.1-x86_64-disk.img
glance image-list

[root@server ~]# cd images/
[root@server images]# wget http://cdn.download.cirros-cloud.net/0.3.1/cirros-0.3.1-x86_64-disk.img
--2014-02-27 11:48:30-- http://cdn.download.cirros-cloud.net/0.3.1/cirros-0.3.1-x86_64-disk.img
Resolving cdn.download.cirros-cloud.net... 204.188.136.134, 204.188.136.74, 2001:559:0:5a::1743:3c82, ...
Connecting to cdn.download.cirros-cloud.net|204.188.136.134|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13147648 (13M) [application/octet-stream]
Saving to: “cirros-0.3.1-x86_64-disk.img”

100%[===========================================================================================================>] 13,147,648 10.1M/s in 1.2s

2014-02-27 11:48:32 (10.1 MB/s) - “cirros-0.3.1-x86_64-disk.img” saved [13147648/13147648]

[root@server images]# glance image-create --name="CirrOS 0.3.1" --disk-format=qcow2 --container-format=bare --is-public=true < cirros-0.3.1-x86_64-disk.img
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | d972013792949d0d3ba628fbe8685bce     |
| container_format | bare                                 |
| created_at       | 2014-02-27T16:50:47                  |
| deleted          | False                                |
| deleted_at       | None                                 |
| disk_format      | qcow2                                |
| id               | 886c9f6a-f38c-491d-a2b4-220cf90bd064 |
| is_public        | True                                 |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | CirrOS 0.3.1                         |
| owner            | 56b2c2009ac4402996df23f85587eb60     |
| protected        | False                                |
| size             | 13147648                             |
| status           | active                               |
| updated_at       | 2014-02-27T16:50:48                  |
+------------------+--------------------------------------+
[root@server images]# glance image-list
+--------------------------------------+--------------+-------------+------------------+----------+--------+
| ID                                   | Name         | Disk Format | Container Format | Size     | Status |
+--------------------------------------+--------------+-------------+------------------+----------+--------+
| 886c9f6a-f38c-491d-a2b4-220cf90bd064 | CirrOS 0.3.1 | qcow2       | bare             | 13147648 | active |
+--------------------------------------+--------------+-------------+------------------+----------+--------+
[root@server images]#

Install and configure the Compute controller service

yum -y install openstack-nova python-novaclient

openstack-config --set /etc/nova/nova.conf database connection mysql://nova:password@controller/nova

openstack-db --init --service nova --password password

openstack-config --set /etc/nova/nova.conf DEFAULT rpc_backend nova.openstack.common.rpc.impl_qpid
openstack-config --set /etc/nova/nova.conf DEFAULT qpid_hostname controller

Set the my_ip, vncserver_listen, and vncserver_proxyclient_address configuration options to the internal IP address of the controller node:

openstack-config --set /etc/nova/nova.conf DEFAULT my_ip 142.0.42.46
openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_listen 142.0.42.46
openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_proxyclient_address 142.0.42.46

keystone user-create --name=nova --pass=password
keystone user-role-add --user=nova --tenant=service --role=admin

Configure Compute to use these credentials with the Identity Service running on the controller. Replace password with your Compute password.

openstack-config --set /etc/nova/nova.conf DEFAULT auth_strategy keystone
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_host controller
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_protocol http
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_port 35357
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_user nova
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_tenant_name service
openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_password password

Add the credentials to the /etc/nova/api-paste.ini file, in the [filter:authtoken] section. You might sometimes have to edit .ini files during initial setup, but do not edit them for general configuration tasks.

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = controller
auth_port = 35357
auth_protocol = http
auth_uri = http://controller:5000/v2.0
admin_tenant_name = service
admin_user = nova
admin_password = password

Ensure that the api_paste_config=/etc/nova/api-paste.ini option is set in the /etc/nova/nova.conf file.

keystone service-create --name=nova --type=compute --description="Nova Compute service"

keystone endpoint-create --service-id=the_service_id_above --publicurl=http://controller:8774/v2/%\(tenant_id\)s --internalurl=http://controller:8774/v2/%\(tenant_id\)s --adminurl=http://controller:8774/v2/%\(tenant_id\)s

service openstack-nova-api start
service openstack-nova-cert start
service openstack-nova-consoleauth start
service openstack-nova-scheduler start
service openstack-nova-conductor start
service openstack-nova-novncproxy start
chkconfig openstack-nova-api on
chkconfig openstack-nova-cert on
chkconfig openstack-nova-consoleauth on
chkconfig openstack-nova-scheduler on
chkconfig openstack-nova-conductor on
chkconfig openstack-nova-novncproxy on

nova image-list

+--------------------------------------+--------------+--------+--------+
| ID                                   | Name         | Status | Server |
+--------------------------------------+--------------+--------+--------+
| 886c9f6a-f38c-491d-a2b4-220cf90bd064 | CirrOS 0.3.1 | ACTIVE |        |
+--------------------------------------+--------------+--------+--------+
[root@server images]#
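A check worth running once nova.conf and api-paste.ini are both edited, as an added Python example (not from the guide): it parses the two files and reports the auth_strategy and api_paste_config settings, [keystone_authtoken]/[filter:authtoken] mismatches and leftover placeholder passwords that would stop Compute from authenticating to the Identity Service. The configuration fragments are constructed.

```python
from configparser import ConfigParser

# The keys the keystoneclient auth_token middleware reads; nova.conf's
# [keystone_authtoken] and api-paste.ini's [filter:authtoken] must agree on them.
AUTH_KEYS = ("auth_host", "auth_port", "auth_protocol",
             "admin_tenant_name", "admin_user", "admin_password")
# Values copied from the guide that were never replaced with a real secret.
PLACEHOLDERS = {"", "password", "NOVA_PASS", "GLANCE_PASS", "NOVA_DBPASS"}


def _load(text):
    # interpolation=None because nova endpoint URLs contain %(tenant_id)s,
    # which ConfigParser would otherwise try to expand.
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def check_nova_auth(nova_conf_text, api_paste_text):
    """Return a list of problems in the Compute -> Identity wiring (empty = consistent)."""
    nova = _load(nova_conf_text)
    paste = _load(api_paste_text)
    problems = []

    if nova.get("DEFAULT", "auth_strategy", fallback="") != "keystone":
        problems.append("nova.conf: DEFAULT/auth_strategy is not 'keystone'")
    if nova.get("DEFAULT", "api_paste_config", fallback="") != "/etc/nova/api-paste.ini":
        problems.append("nova.conf: DEFAULT/api_paste_config does not point at /etc/nova/api-paste.ini")

    missing = []
    if not nova.has_section("keystone_authtoken"):
        missing.append("nova.conf: [keystone_authtoken] section is missing")
    if not paste.has_section("filter:authtoken"):
        missing.append("api-paste.ini: [filter:authtoken] section is missing")
    if missing:
        return problems + missing  # nothing to compare key by key

    for key in AUTH_KEYS:
        in_nova = nova.get("keystone_authtoken", key, fallback=None)
        in_paste = paste.get("filter:authtoken", key, fallback=None)
        if in_nova is None or in_paste is None:
            where = "nova.conf" if in_nova is None else "api-paste.ini"
            problems.append("%s: %s is missing" % (where, key))
        elif in_nova != in_paste:
            problems.append("%s differs: nova.conf=%r api-paste.ini=%r" % (key, in_nova, in_paste))

    if nova.get("keystone_authtoken", "admin_password", fallback="") in PLACEHOLDERS:
        problems.append("admin_password is still a placeholder from the guide")
    return problems


# Constructed fragments of /etc/nova/nova.conf and /etc/nova/api-paste.ini as the
# guide leaves them (the password is a made-up example value).
NOVA_CONF = """\
[DEFAULT]
auth_strategy = keystone
api_paste_config = /etc/nova/api-paste.ini
my_ip = 192.168.0.10

[keystone_authtoken]
auth_host = controller
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = nova
admin_password = example-nova-secret
"""

API_PASTE = """\
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = controller
auth_port = 35357
auth_protocol = http
auth_uri = http://controller:5000/v2.0
admin_tenant_name = service
admin_user = nova
admin_password = example-nova-secret
"""

# The same nova.conf with two typical slips: the public API port instead of the
# admin API port, and the guide's NOVA_PASS placeholder left in place.
NOVA_CONF_BAD = (NOVA_CONF.replace("auth_port = 35357", "auth_port = 5000")
                          .replace("example-nova-secret", "NOVA_PASS"))


def main():
    for label, text in (("good", NOVA_CONF), ("bad", NOVA_CONF_BAD)):
        print(label, check_nova_auth(text, API_PASTE) or "OK")


if __name__ == "__main__":
    main()
```

On a real node call `check_nova_auth(open("/etc/nova/nova.conf").read(), open("/etc/nova/api-paste.ini").read())` on both the controller and each compute node.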

Installing and configuring the dashboard

yum -y install memcached python-memcached mod_wsgi openstack-dashboard

Update ALLOWED_HOSTS in local_settings.py to include the addresses you wish to access the dashboard from. Edit /etc/openstack-dashboard/local_settings:

ALLOWED_HOSTS = ['localhost', 'my-desktop', '*']

The '*' entry accepts any Host header; once the dashboard is reachable from outside, list only the names it is actually served under. This guide assumes that you are running the dashboard on the controller node. You can easily run the dashboard on a separate server by changing the appropriate settings in local_settings.py.

Edit /etc/openstack-dashboard/local_settings and change OPENSTACK_HOST to the hostname of your Identity Service:

OPENSTACK_HOST = "controller"

Start the Apache web server and memcached:

service httpd start
service memcached start
chkconfig httpd on
chkconfig memcached on

You can now access the dashboard at http://controller/dashboard .

Configure a Compute node

yum -y install openstack-nova-compute

Edit the /etc/nova/nova.conf configuration file:

# openstack-config --set /etc/nova/nova.conf database connection mysql://nova:NOVA_DBPASS@controller/nova
# openstack-config --set /etc/nova/nova.conf DEFAULT auth_strategy keystone
# openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_host controller
# openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_protocol http
# openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_port 35357
# openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_user nova
# openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_tenant_name service
# openstack-config --set /etc/nova/nova.conf keystone_authtoken admin_password NOVA_PASS

Configure the Compute Service to use the Qpid message broker by setting these configuration keys:

# openstack-config --set /etc/nova/nova.conf \
  DEFAULT rpc_backend nova.openstack.common.rpc.impl_qpid
# openstack-config --set /etc/nova/nova.conf DEFAULT qpid_hostname controller

Configure Compute to provide remote console access to instances.

# openstack-config --set /etc/nova/nova.conf DEFAULT my_ip 192.168.0.11
# openstack-config --set /etc/nova/nova.conf DEFAULT vnc_enabled True
# openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_listen 0.0.0.0
# openstack-config --set /etc/nova/nova.conf DEFAULT vncserver_proxyclient_address 192.168.0.11
# openstack-config --set /etc/nova/nova.conf \
DEFAULT novncproxy_base_url http://controller:6080/vnc_auto.html

Specify the host that runs the Image Service.

# openstack-config --set /etc/nova/nova.conf DEFAULT glance_host controller

Edit the /etc/nova/api-paste.ini file to add the credentials to the [filter:authtoken] section:

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = controller
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = nova
admin_password = NOVA_PASS

Start the Compute service and configure it to start when the system boots.

# service libvirtd start
# service messagebus start
# chkconfig libvirtd on
# chkconfig messagebus on
# service openstack-nova-compute start
# chkconfig openstack-nova-compute on

Tuesday, January 14, 2014

Migrating from Plesk, Ensim, or DirectAdmin to WHM

Sometimes, moving website accounts from servers like Plesk, Ensim, or DirectAdmin to cPanel using the usual automated tools can hit a snag. This might be due to slow network connections or small software glitches. The good news is that manually migrating an account is straightforward.


WHY MANUAL MIGRATION?

Automated migration tools are great, but they can fail if:

  • The connection between your old server and the new cPanel server is unreliable, causing the migration to time out.

  • There are known issues with the migration scripts that haven't been fixed yet.

In these cases, a simple manual process can save the day.


THE MANUAL MIGRATION PROCESS

Manually moving an account involves four main steps:

  1. Getting a list of accounts on your old server.

  2. Packaging a chosen account into a single file.

  3. Copying that packaged file to your new cPanel server.

  4. Restoring the account on the cPanel server.


STEP-BY-STEP GUIDE

Here’s how to do it:

1. PREPARE THE SOURCE SERVER

On your old server (Plesk, Ensim, or DirectAdmin), you need two scripts: one to list accounts and one to package them.

  • Download the account list script: wget http://httpupdate.cpanel.net/cpanelsync/transfers_DEVEL/pkgacct/updateuserdomains-universal

  • Download the packaging script (choose one based on your old server type):

    • For Plesk: wget http://httpupdate.cpanel.net/cpanelsync/transfers_DEVEL/pkgacct/pkgacct-pXa

    • For Ensim: wget http://httpupdate.cpanel.net/cpanelsync/transfers_DEVEL/pkgacct/pkgacct-enXim

    • For DirectAdmin: wget http://httpupdate.cpanel.net/cpanelsync/transfers_DEVEL/pkgacct/pkgacct-da

2. MAKE SCRIPTS EXECUTABLE

After downloading, you need to give these scripts permission to run:

  • chmod +x updateuserdomains-universal

  • chmod +x pkgacct-* (This command makes the specific pkgacct script you downloaded executable).

3. GENERATE THE ACCOUNT LIST

Run the updateuserdomains-universal script to create a list of accounts:

  • ./updateuserdomains-universal

This will create a file at /etc/trueuserdomains containing all the accounts that can be packaged.

4. PACKAGE THE ACCOUNT

Now, pick an account you want to move from the /etc/trueuserdomains file. For example, let's say the username is "alice". Run the appropriate packaging script (using pkgacct-pXa for Plesk in this example):

  • ./pkgacct-pXa alice

This command will create a single archive file, typically named /home/cpmove-alice.tar.gz. The time this takes depends on the account's size.

  • Important Tip: If your /home directory is full, you can specify another location for the packaged file. For example, to save it to /disk1, run ./pkgacct-pXa alice /disk1 instead; this creates /disk1/cpmove-alice.tar.gz.

  • Stay Connected (Optional but Recommended): Use the screen command before packaging and restoring. This ensures the process continues even if your connection to the server drops. Just type screen before running the packaging command.

5. COPY THE ACCOUNT TO THE NEW SERVER

You can copy the packaged account file (cpmove-alice.tar.gz) to your new cPanel server in two ways:

  • From the source server: scp /home/cpmove-alice.tar.gz root@x.x.x.x:/home (replace x.x.x.x with your cPanel server's IP address)

  • From the cPanel server: cd /home && scp root@x.x.x.x:/home/cpmove-alice.tar.gz . (again, replace x.x.x.x with the source server's IP address)

6. RESTORE THE ACCOUNT ON THE CPANEL SERVER

Once the file is on your new cPanel server, navigate to the /home directory and restore the account. Remember to use screen here too if you chose to earlier.

  • cd /home

  • /scripts/restorepkg cpmove-alice.tar.gz

After a successful restore, you can delete the cpmove-alice.tar.gz file from /home to free up space.

Monday, December 16, 2013

Exim cheat sheet

Exim is a powerful mail transfer agent (MTA) used on many Linux servers. When emails can't be delivered immediately, they get put into a "queue." Managing this queue is crucial for server health and ensuring mail delivery. This guide provides quick commands for common Exim queue tasks.


CLEARING THE EXIM MAIL QUEUE

Sometimes, you need to clear out stuck or unwanted emails from the queue.

  • Remove all mails: this deletes every file from the input directory of the Exim spool, clearing the whole queue at once. It bypasses Exim, so the matching msglog entries are left behind; exiqgrep -i | xargs exim -Mrm removes every queued message through Exim itself.

    rm -rf /var/spool/exim/input/*

  • Delete all frozen mails: frozen messages are those Exim has temporarily stopped trying to deliver because of delivery problems.

    exim -bpr | grep frozen | awk '{print $3}' | xargs exim -Mrm

    A more concise form:

    exiqgrep -z -i | xargs exim -Mrm

  • Delete frozen mails older than a day: useful for clearing old, stalled messages without touching newer ones. 86400 is the age in seconds (1 day); change it for a different time frame.

    exiqgrep -zi -o 86400 | xargs exim -Mrm

  • Clear spam mails: if the message logs show messages tagged [SPAM]. The brackets must be escaped; unescaped, grep reads [SPAM] as a character class matching any single S, P, A or M and selects nearly every message.

    grep -R -l '\[SPAM\]' /var/spool/exim/msglog/* | cut -b26- | xargs exim -Mrm

  • Clear frozen mails (based on the log entry):

    grep -R -l '*** Frozen' /var/spool/exim/msglog/* | cut -b26- | xargs exim -Mrm

  • Clear mails for unverified recipients:

    grep -R -l 'The recipient cannot be verified' /var/spool/exim/msglog/* | cut -b26- | xargs exim -Mrm

  • Remove mails from a specific sender (e.g. root): replace "" with the sender's email address or username, for example root@yourhostname.

    exim -bp | grep "" | awk '{print $3}' | xargs exim -Mrm

  • Remove 'nobody' mails: these usually come from scripts. Replace HOSTNAME with your server's hostname.

    • From a specific sender (nobody@HOSTNAME):

      exiqgrep -i -f nobody@HOSTNAME | xargs exim -Mrm

    • For a specific recipient (nobody@HOSTNAME):

      exiqgrep -i -r nobody@HOSTNAME | xargs exim -Mrm

  • Delete mails for a specific domain: replace yourdomain.com with the actual domain.

    exim -bp | grep "yourdomain.com" | awk '{print $3}' | xargs exim -Mrm


DELIVERING MAILS FROM THE QUEUE

If emails are stuck but should be delivered, you can force a delivery attempt.

  • Force deliver all mails: attempts to deliver every message in the queue; -P 40 runs 40 delivery attempts in parallel.

    exim -bpru | awk '{print $3}' | xargs -n 1 -P 40 exim -v -M

  • Flush the mail queue (force another queue run):

    exim -qff

    Alternatively:

    /usr/sbin/exim -qff
    exim -qf

  • Force deliver mails of a particular domain: replace domain.com with the target domain.

    exim -v -Rff domain.com

  • Force deliver a specific message: replace MSGID with the message's unique id.

    exim -M MSGID

    To watch the transaction during delivery:

    exim -v -M MSGID


CHECKING THE EXIM MAIL QUEUE STATUS

These commands help you monitor the queue and inspect individual messages.

  • Exim Queue Summary: Provides details like count, volume, oldest, newest message, and domain breakdown. exim -bp | exiqsumm

  • Number of Frozen Mails: exim -bpr | grep frozen | wc -l

  • Total Number of Mails in Queue: exim -bpr | grep "<" | wc -l A simpler alternative: exim -bpc

  • View Mail in Queue for a User/Sender: Replace $name with the username or email address. exim -bp|grep $name

  • Check All Mails in the Queue: This lists all messages and their IDs. exim -bp

  • View Log for a Message: Replace MSGID with the actual message ID. exim -Mvl MSGID

  • View Message Header: Replace $MSGID with the message ID. exim -Mvh $MSGID

  • View Message Body: Replace $MSGID with the message ID. exim -Mvb $MSGID
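Every removal and count command above pipes "exim -bp" output through grep and awk, so it helps to see exactly what those pipelines select. The script below is an added example, not part of the original post: it parses a constructed queue listing in exim -bp format and returns the message IDs that the frozen, sender and count commands would hand to "exim -Mrm", without touching a real queue.

```shell
#!/bin/sh
# Added example (not from the original post). QUEUE_LISTING is constructed
# sample output in "exim -bp" format: age, size, message ID, <envelope sender>,
# an optional "*** frozen ***" marker, then one indented line per recipient.
QUEUE_LISTING='  25m  1.2K 1aBcDe-000123-Xy <alice@example.com>
          bob@example.org

  3h   2.3K 1aBcDe-000124-Zz <> *** frozen ***
          carol@example.org

  2d   512  1aBcDe-000125-Ab <nobody@host.example.com> *** frozen ***
          dave@example.org
          erin@example.com
'

# IDs of every queued message. Only header lines contain "<"; recipient lines
# have a single field, so awk would print nothing useful for them anyway.
# This is what "exim -bpr | grep '<' | wc -l" counts.
queue_ids() {
    printf '%s\n' "$1" | awk '/</ {print $3}'
}

# IDs of frozen messages only: the set the "frozen" removal commands act on.
frozen_ids() {
    printf '%s\n' "$1" | awk '/</ && /\*\*\* frozen \*\*\*/ {print $3}'
}

# IDs whose envelope sender matches a pattern. Testing the header line's
# 4th field (the <sender>) instead of grepping the whole listing avoids
# matching recipient lines that merely contain the same string.
sender_ids() {
    printf '%s\n' "$1" | awk -v pat="$2" '/</ && $4 ~ pat {print $3}'
}

# Dry run: print what "xargs exim -Mrm" would receive, removing nothing.
main() {
    echo "queued: $(queue_ids "$QUEUE_LISTING" | wc -l | tr -d ' ')"
    echo "frozen:"; frozen_ids "$QUEUE_LISTING"
    echo "from nobody@:"; sender_ids "$QUEUE_LISTING" '^<nobody@'
}
main
```

Replace the constructed listing with "$(exim -bp)" to run the same selection against a live queue and review the IDs before piping them to exim -Mrm.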


ADVANCED EXIM TOOLS

  • Simulate SMTP Transaction: This command helps debug Exim's checks, ACLs (Access Control Lists), and filters without actually sending a mail. Replace 127.0.0.1 with the IP you want to simulate from. exim -bh 127.0.0.1

  • Most Used Mailing Script Locations: This can help identify scripts sending a lot of mail. grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

  • Check Syntactic Errors in Configuration: Use this when modifying Exim's configuration file. exim -C /config/file.new -bV

Wednesday, December 11, 2013

Understanding Mod_Security Database Connection Issues

You've encountered an error stating that the Mod_Security plugin can't connect to its database. Specifically, it's an "Access denied" error for the user 'modsec'@'localhost', even though a password was provided. This usually means the password Mod_Security is using to connect to the database is incorrect or the database user doesn't have the right permissions.


WHY THIS MATTERS

Mod_Security is a web application firewall that helps protect your website from various attacks. If it can't connect to its database, it might not be able to log security events or function correctly, leaving your website vulnerable.


HOW TO FIX IT

There are two main steps to resolve this, focusing on ensuring the 'modsec' user can properly access the 'modsec' database.

  1. Find the Correct Password Mod_Security is Using:

    The error indicates Mod_Security is trying to connect with a specific password. You need to find out what password it's actually configured to use.

    • Action: Run the following command in your server's terminal:

      grep dbpassword /etc/cron.hourly/modsecparse.pl
      
    • Explanation: This command searches a common Mod_Security configuration file (modsecparse.pl) for the line containing dbpassword. This line will reveal the password that Mod_Security is currently trying to use for its database connection. Let's say the output of this command shows the password is 'odu6lGYKAIyP'.

  2. Grant the Correct Permissions to the Database User:

    Once you know the password Mod_Security is configured with, you need to ensure the 'modsec' database user has the correct password and permissions in MySQL.

    • Action: Log into your MySQL server (as a root user or a user with sufficient privileges) and execute the following command. Replace 'odu6lGYKAIyP' with the actual password you found in the previous step.

      GRANT ALL ON modsec.* TO 'modsec'@localhost IDENTIFIED BY 'odu6lGYKAIyP';
      FLUSH PRIVILEGES;
      
    • Explanation:

      • GRANT ALL ON modsec.*: This gives the 'modsec' user all permissions on all tables within the modsec database.

      • TO 'modsec'@localhost: Specifies that these permissions apply to the user 'modsec' when connecting from the 'localhost' (meaning from the same server).

      • IDENTIFIED BY 'odu6lGYKAIyP': Sets or updates the password for the 'modsec' user to 'odu6lGYKAIyP'. It's crucial that this password matches what Mod_Security is configured to use.

      • FLUSH PRIVILEGES;: This command reloads the grant tables in MySQL, applying the new permissions immediately.

Tuesday, December 10, 2013

Nagios- Setting up

This guide explains how to set up a client server to be monitored by Nagios. We'll cover installing the necessary Nagios plugins and the NRPE (Nagios Remote Plugin Executor) agent, which allows the Nagios server to run checks on the client.


PREREQUISITES

Before you start, make sure you have:

  • A Linux-based client server.

  • Root access or sudo privileges.

  • Basic understanding of the Linux command line.


INSTALLING NAGIOS PLUGINS

Nagios plugins are scripts that perform checks on various aspects of your server, like disk space, CPU usage, or running services.

  1. Prepare the Environment:

    • Navigate to a temporary directory: cd /usr/local/src/

    • Create a directory for Nagios files: mkdir nagios

    • Move into the new directory: cd nagios

    • Create a nagios user: useradd nagios

  2. Download and Extract Plugins:

    • Download the plugins: wget http://pkgs.fedoraproject.org/repo/pkgs/nagios-plugins/nagios-plugins-1.4.16.tar.gz/862f5e44fb5bc65ce7e5d86d654d4da0/nagios-plugins-1.4.16.tar.gz

    • Extract the downloaded file: tar -xzf nagios-plugins-1.4.16.tar.gz

    • Change into the extracted directory: cd nagios-plugins-1.4.16

  3. Compile and Install Plugins:

    • Set a required environment variable: export LDFLAGS=-ldl

    • Configure the installation: ./configure --with-nagios-user=nagios --with-nagios-group=nagios --enable-redhat-pthread-workaround --enable-ssl

    • Compile the plugins: make

    • Install them: make install

    • Go back to the parent directory: cd ..


INSTALLING NRPE (NAGIOS REMOTE PLUGIN EXECUTOR)

NRPE allows your Nagios server to execute the plugins you just installed on this client.

  1. Download and Extract NRPE:

    • Download NRPE: wget http://sourceforge.net/projects/nagios/files/nrpe-2.x/nrpe-2.13/nrpe-2.13.tar.gz/download

    • Extract the file: tar -xzf nrpe-2.13.tar.gz

    • Change into the extracted directory: cd nrpe-2.13

  2. Compile and Install NRPE:

    • Configure NRPE: ./configure

    • Compile all components: make all

    • Install the NRPE plugin for the Nagios server (even though this is a client, it's good practice): make install-plugin

    • Install the NRPE daemon (the service that runs on the client): make install-daemon

    • Install the default NRPE configuration file: make install-daemon-config

    • Install NRPE to run under xinetd (a service that manages other services): make install-xinetd


CONFIGURE XINETD AND NRPE

NRPE often runs through xinetd, which listens for incoming connections and starts the NRPE daemon when needed.

  1. Install and Restart Xinetd:

    • Install xinetd if it's not already present: yum install xinetd (or apt-get install xinetd for Debian/Ubuntu)

    • Restart xinetd to apply changes: service xinetd restart

  2. Add NRPE Service to System Services:

    • Add the NRPE service and its default port (5666) to the /etc/services file: echo "nrpe 5666/tcp # NRPE" >> /etc/services


FIREWALL CONFIGURATION

You need to open port 5666 on the client's firewall so the Nagios server can communicate with NRPE.

  • For CSF (Config Server Firewall) Users:

    • Edit the CSF configuration file: /etc/csf/csf.conf

    • Find the TCP_IN section and add 5666 to the list of allowed incoming TCP ports.

    • Restart CSF: This usually involves csf -r or service csf restart.


NRPE CONFIGURATION AND SECURITY

You must specify which Nagios servers are allowed to connect to this NRPE agent.

  • Allow Nagios Server IP:

    • Edit the xinetd configuration for NRPE: /etc/xinetd.d/nrpe

    • Edit the main NRPE configuration file: /usr/local/nagios/etc/nrpe.cfg

    • In both files, locate the allowed_hosts directive and add the IP address of your Nagios monitoring server. For example: allowed_hosts = 127.0.0.1, <YOUR_NAGIOS_SERVER_IP>
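The firewall and allowed_hosts steps above are easy to get half right (port added to the wrong list, IP missing from one file), so the script below is an added example, not from the original guide: it checks whether 5666 is in a csf.conf TCP_IN list and adds it idempotently, and checks whether a given Nagios server IP is present in an nrpe.cfg allowed_hosts line. The config files it works on are constructed samples in a temporary directory; the real paths are /etc/csf/csf.conf and /usr/local/nagios/etc/nrpe.cfg.

```shell
#!/bin/sh
# Added example (not from the original guide). Sample config files are
# constructed here so the checks run offline; point the functions at
# /etc/csf/csf.conf and /usr/local/nagios/etc/nrpe.cfg on a real client.
WORK=$(mktemp -d)
printf 'TCP_IN = "20,21,22,25,53,80,110,143,443"\nTCP_OUT = "20,21,22,25,53,80,110,113,443"\n' > "$WORK/csf.conf"
printf '# constructed nrpe.cfg sample\nserver_port=5666\nallowed_hosts=127.0.0.1\n' > "$WORK/nrpe.cfg"

# Return 0 if PORT ($2) is already a whole entry in the TCP_IN list of csf.conf ($1).
csf_port_allowed() {
    sed -n 's/^TCP_IN *= *"\(.*\)".*/\1/p' "$1" | tr ',' '\n' | grep -qx "$2"
}

# Append PORT to TCP_IN unless already present, so re-running never duplicates it.
# Only TCP_IN is touched; TCP_OUT is left alone.
csf_add_port() {
    csf_port_allowed "$1" "$2" && return 0
    sed -i.bak "s/^\(TCP_IN *= *\"[^\"]*\)\"/\1,$2\"/" "$1"
}

# Return 0 if IP ($2) is listed in the allowed_hosts line of nrpe.cfg ($1).
# Entries may be comma separated with optional spaces.
nrpe_host_allowed() {
    sed -n 's/^allowed_hosts *= *//p' "$1" | tr ',' '\n' | tr -d ' ' | grep -qx "$2"
}

main() {
    csf_add_port "$WORK/csf.conf" 5666
    csf_port_allowed "$WORK/csf.conf" 5666 && echo "csf: 5666 is in TCP_IN"
    # 192.0.2.10 is a documentation address standing in for the Nagios server IP.
    if nrpe_host_allowed "$WORK/nrpe.cfg" 192.0.2.10; then
        echo "nrpe: 192.0.2.10 is in allowed_hosts"
    else
        echo "nrpe: 192.0.2.10 is NOT in allowed_hosts; add it before restarting xinetd"
    fi
}
main
```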


SETTING A PASSWORD FOR THE NAGIOS USER (Optional but Recommended)

It's good practice to set a password for the nagios user created earlier.

  • Set password: passwd nagios


NAGIOS SERVER CONFIGURATION EXAMPLE (for MySQL Monitoring)

This section shows an example of how you would configure a service check on your Nagios server to monitor a MySQL database on this client. This is done on the Nagios server, not the client.

define service{
    use                     local-service       ; Name of service template to use
    host_name               sample.example.com  ; The hostname of your client server
    service_description     mySQL               ; A description of the service being monitored
    is_volatile             0
    check_period            24x7
    max_check_attempts      20
    normal_check_interval   5                   ; Check every 5 minutes
    retry_check_interval    1                   ; Retry every 1 minute on failure
    notification_options    w,u,c,r             ; Notify on warning, unknown, critical, recovery
    notification_interval   960                 ; Notify every 960 minutes (16 hours)
    notification_period     24x7
    check_command           check_mysql!nagios!password@666# ; The command to run, including username and password
}

Note: Replace sample.example.com with your client's hostname and adjust nagios and password@666# if your MySQL user or password differs.