Showing posts with label rhel. Show all posts

Wednesday, August 12, 2015

MySQL Cluster Using MySQL NDB


MySQL Cluster using NDB (Network DataBase) provides a self-healing MySQL cluster with good performance. A MySQL Cluster consists of three kinds of components: management nodes, SQL nodes and data nodes.

Here we configure two management nodes and two combined data/SQL nodes (both roles on one server) for HA. Once the configuration is complete there are two SQL endpoints to connect to, so a load balancer needs to be placed in front of them.




OS used is RHEL 7
SELinux enabled
Firewall disabled

Management Server ## Perform the following steps on both management servers.

Install Needed Packages 
=================
yum install glibc.i686  ncurses-libs.i686 libstdc++.i686 libgcc.i686 -y


Make Directories and Download the Cluster Files
====================================

mkdir /usr/src/mysql-mgm
cd /usr/src/mysql-mgm
wget http://cdn.mysql.com/Downloads/MySQL-Cluster-7.4/mysql-cluster-gpl-7.4.7-linux-glibc2.5-i686.tar.gz
tar zxvf mysql-cluster-gpl-7.4.7-linux-glibc2.5-i686.tar.gz

cd mysql-cluster-gpl-7.4.7-linux-glibc2.5-i686
cp bin/ndb_mgm* /usr/bin/
chmod 755 /usr/bin/ndb_mgm*


mkdir /var/lib/mysql-cluster
vi /var/lib/mysql-cluster/config.ini
==========================================
[NDBD DEFAULT]
NoOfReplicas=2
DataMemory=80M
IndexMemory=18M
[MYSQLD DEFAULT]

[NDB_MGMD DEFAULT]
DataDir=/var/lib/mysql-cluster
[TCP DEFAULT]

# Section for the cluster management node
[NDB_MGMD]
NodeId=1
# IP address of the first management node (this system)
HostName=192.168.70.130

[NDB_MGMD]
NodeId=2
#IP address of the second management node
HostName=192.168.70.131

# Section for the storage nodes
[NDBD]
# IP address of the first storage node
HostName=192.168.70.132
DataDir=/var/lib/mysql-cluster
[NDBD]
# IP address of the second storage node
HostName=192.168.70.133
DataDir=/var/lib/mysql-cluster
# one [MYSQLD] per storage node
[MYSQLD]
[MYSQLD]
==========================================

chown mysql. /var/lib/mysql-cluster -R

To start the Management Service
========================
ndb_mgmd -f /var/lib/mysql-cluster/config.ini --configdir=/var/lib/mysql-cluster/

Data and SQL Server ## Perform this on both data/SQL servers
==============================================

Install the needed Packages
====================
yum install libaio.i686 libaio-devel.i686 -y
yum install perl -y
yum -y install perl-Data-Dumper

Download the packages
cd /usr/local/
wget http://cdn.mysql.com/Downloads/MySQL-Cluster-7.4/mysql-cluster-gpl-7.4.7-linux-glibc2.5-i686.tar.gz
tar zxvf mysql-cluster-gpl-7.4.7-linux-glibc2.5-i686.tar.gz
mv mysql-cluster-gpl-7.4.7-linux-glibc2.5-i686 mysql
# the mysql user must exist before the chown below and the --user=mysql install step
id mysql >/dev/null 2>&1 || useradd -r -s /sbin/nologin mysql
chown mysql. mysql -R
cd mysql

Initializing the database
scripts/mysql_install_db --user=mysql --datadir=/usr/local/mysql/data

cp support-files/mysql.server /etc/init.d/
chmod 755 /etc/init.d/mysql.server

cd /usr/local/mysql/bin
mv * /usr/bin
cd ../

vi /etc/my.cnf
============
[mysqld]
ndbcluster
# IP address of the cluster management node
ndb-connectstring=192.168.70.130,192.168.70.131
[mysql_cluster]
# IP address of the cluster management node
ndb-connectstring=192.168.70.130,192.168.70.131
============

mkdir /var/lib/mysql-cluster

cd /var/lib/mysql-cluster
ndbd --initial
/etc/init.d/mysql.server start

After this, secure the MySQL installation by running the appropriate script (the binaries were moved to /usr/bin above, so it is found on the PATH):

mysql_secure_installation


Testing
On a management node, run ndb_mgm and check the status: all management, data and SQL nodes should show as connected.
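Before handing config.ini to ndb_mgmd it is worth catching the mistakes that only show up later as nodes that never join: a data node with no HostName, a NodeId used twice, a data-node count that does not match NoOfReplicas, or too few [MYSQLD] slots. The checker below is an added example written for this post; it is not part of the original article or of MySQL Cluster. Both embedded configs are constructed: the first is a copy of the config.ini above, the second a deliberately broken variant, and the checks applied are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample: the config.ini from the post, copied so the checker runs offline.
GOOD_CONFIG = """
[NDBD DEFAULT]
NoOfReplicas=2
DataMemory=80M
IndexMemory=18M
[MYSQLD DEFAULT]

[NDB_MGMD DEFAULT]
DataDir=/var/lib/mysql-cluster
[TCP DEFAULT]

[NDB_MGMD]
NodeId=1
HostName=192.168.70.130

[NDB_MGMD]
NodeId=2
HostName=192.168.70.131

[NDBD]
HostName=192.168.70.132
DataDir=/var/lib/mysql-cluster
[NDBD]
HostName=192.168.70.133
DataDir=/var/lib/mysql-cluster
[MYSQLD]
[MYSQLD]
"""

# Constructed broken variant: a reused NodeId, a data node without a HostName
# and only one [MYSQLD] slot for two data nodes.
BAD_CONFIG = """
[NDBD DEFAULT]
NoOfReplicas=2
[NDB_MGMD]
NodeId=1
HostName=192.168.70.130
[NDB_MGMD]
NodeId=1
HostName=192.168.70.131
[NDBD]
HostName=192.168.70.132
[NDBD]
DataDir=/var/lib/mysql-cluster
[MYSQLD]
"""


def parse_ndb_config(text):
    """Return [(SECTION_NAME, {option: value}), ...] in file order.

    configparser is unsuitable because NDB repeats section names ([NDBD],
    [MYSQLD]) once per node, so this is a tiny parser of its own.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[([^\]]+)\]$', line)
        if m:
            current = (m.group(1).strip().upper(), {})
            sections.append(current)
            continue
        if current is None or '=' not in line:
            raise ValueError('option outside a section or not key=value: %r' % line)
        key, _, value = line.partition('=')
        current[1][key.strip().lower()] = value.strip()
    return sections


def check_ndb_config(text):
    """Return a list of human-readable problems; an empty list means it passed."""
    problems = []
    sections = parse_ndb_config(text)
    defaults = {n: o for n, o in sections if n.endswith(' DEFAULT')}
    nodes = [(n, o) for n, o in sections if not n.endswith(' DEFAULT')]
    replicas = int(defaults.get('NDBD DEFAULT', {}).get('noofreplicas', '1'))
    mgmd = [o for n, o in nodes if n == 'NDB_MGMD']
    ndbd = [o for n, o in nodes if n == 'NDBD']
    mysqld = [o for n, o in nodes if n == 'MYSQLD']

    # Every management and data node must say which host it lives on.
    for kind, group in (('NDB_MGMD', mgmd), ('NDBD', ndbd)):
        for i, opts in enumerate(group, 1):
            if not opts.get('hostname'):
                problems.append('%s #%d has no HostName' % (kind, i))
    # NodeIds must be unique across the whole cluster.
    for node_id, n in Counter(o['nodeid'] for _, o in nodes if 'nodeid' in o).items():
        if n > 1:
            problems.append('NodeId %s used %d times' % (node_id, n))
    # Data nodes are grouped into node groups of NoOfReplicas each.
    if not ndbd or len(ndbd) % replicas:
        problems.append('%d [NDBD] sections is not a multiple of NoOfReplicas=%d'
                        % (len(ndbd), replicas))
    # The post runs one mysqld next to each data node; each needs an API slot.
    if len(mysqld) < len(ndbd):
        problems.append('only %d [MYSQLD] slot(s) for %d data nodes'
                        % (len(mysqld), len(ndbd)))
    return problems


if __name__ == '__main__':
    for name, cfg in (('good', GOOD_CONFIG), ('bad', BAD_CONFIG)):
        print(name, check_ndb_config(cfg) or 'OK')
```

Run it against the real file with check_ndb_config(open('/var/lib/mysql-cluster/config.ini').read()) on each management node before starting ndb_mgmd; an empty list is the result you want.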



Tuesday, September 16, 2014

rsync error: protocol incompatibility

ERROR: rsync error: protocol incompatibility (code 2) at compat.c(171) [sender=3.0.6]

I use rsync with ssh and authorized key files for auto login to mirror a remote system to the local one. The only change I made was on my .bashrc on the remote end: I added some commands to show file system usage, do a du -f and a tail of the log on login for convenience.

My assumption here is that when rsync executes the ssh to connect, it received 'junk'. Once I removed the extra output from the .bashrc file on the remote end, it worked just fine. So check your remote end for .profile, .bashrc, .bash_profile etc. for any scripts that add extra output on login.

Wednesday, September 10, 2014

logrotate not working

When the default logrotate run is not working, check its configuration by forcing a full run with

/usr/sbin/logrotate -f /etc/logrotate.conf

and try a single configuration in debug mode (-d only simulates and changes nothing) using

logrotate -fd /etc/logrotate.d/test

where test is the name of the configuration file.

Wednesday, July 30, 2014

iSCSI Initiator + Multipath

Install the Packages

yum -y install iscsi-initiator-utils
yum install device-mapper-multipath -y
/etc/init.d/multipathd start
/etc/init.d/iscsid start

chkconfig multipathd on
chkconfig iscsid on

#Discover the target.
iscsiadm -m discovery -t sendtargets -p 192.168.1.100

iscsiadm -m discovery -t sendtargets -p 192.168.0.100

# creating new iscsi interface
iscsiadm -m iface -I iscsi-eth1 -o new

iscsiadm -m iface -I iscsi-eth2 -o new

iscsiadm -m iface -I iscsi-eth1 -o update -n iface.net_ifacename -v eth1

iscsiadm -m iface -I iscsi-eth2 -o update -n iface.net_ifacename -v eth2

#login to all discovered targets
iscsiadm -m node -l
#to Create the multipath config file automatically

#multipath -F
/sbin/mpathconf

#else create /etc/multipath.conf by hand with the following content (a quoted
#heredoc keeps the double quotes around "round-robin 0" intact, which a plain
#echo "..." would strip):

cat >> /etc/multipath.conf <<'EOF'
defaults {
udev_dir /dev
polling_interval 10
path_selector "round-robin 0"
path_grouping_policy multibus
path_checker readsector0
rr_min_io 100
max_fds 8192
rr_weight priorities
failback immediate
no_path_retry fail
user_friendly_names yes
}
EOF
[root@controller1 ~]# /etc/init.d/multipathd restart
ok
Stopping multipathd daemon: [ OK ]
Starting multipathd daemon: [ OK ]
[root@controller1 ~]# multipath -ll
mpatha (36a4badb00053ae7f0000f49e53d73254) dm-3 DELL,MD3000i
size=250G features='3 queue_if_no_path pg_init_retries 50' hwhandler='1 rdac' wp=rw
|-+- policy='round-robin 0' prio=6 status=active
| |- 4:0:0:2 sdb 8:16 active ready running
| `- 5:0:0:2 sdc 8:32 active ready running
`-+- policy='round-robin 0' prio=1 status=enabled
|- 3:0:0:2 sde 8:64 active ghost running
`- 6:0:0:2 sdd 8:48 active ghost running
[root@controller1 ~]#
#Add the following to /etc/multipath.conf (note the warning in the next multipath -ll run: path_checker is not a valid keyword inside a multipath { } block, so drop that line here; it belongs in defaults or devices)
multipaths {
multipath {
wwid 36a4badb00053ae7f0000f49e53d73254
alias lun0
path_grouping_policy multibus
path_checker readsector0
path_selector "round-robin 0"
failback manual
rr_weight priorities
no_path_retry fail
}
}

[root@controller1 ~]# multipath -ll
Jul 29 07:11:45 | multipath.conf line 20, invalid keyword: path_checker
lun0 (36a4badb00053ae7f0000f49e53d73254) dm-3 DELL,MD3000i
size=250G features='3 queue_if_no_path pg_init_retries 50' hwhandler='1 rdac' wp=rw
|-+- policy='round-robin 0' prio=6 status=active
| |- 4:0:0:2 sdb 8:16 active ready running
| `- 5:0:0:2 sdc 8:32 active ready running
`-+- policy='round-robin 0' prio=1 status=enabled
|- 3:0:0:2 sde 8:64 active ghost running
`- 6:0:0:2 sdd 8:48 active ghost running
[root@controller1 ~]#

#List all disks, which will now include the iSCSI drive
fdisk -l

# Use mkfs to create the file system and mount it with the _netdev option so it is mounted only after the network is up

More iscsiadm commands

iscsiadm -m session

iscsiadm -m node -u

The target configuration is kept under /var/lib/iscsi.
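The multipath -ll listings above are easy to misread by eye: the ghost paths in the prio=1 group are the passive RDAC controller and are normal, while a lost path in the active group is the thing to alarm on. The parser below is an added example, not from the original post or from the multipath-tools project; it reads the listing format shown above into a structure and reports LUNs whose active group has fewer than two ready paths. The sample text is constructed: mpatha is copied from the post, and mpathb (with a made-up WWID) is invented to show a degraded LUN.

```python
import re

# Constructed sample: the `multipath -ll` output from the post (mpatha), the
# config warning that run printed, plus an invented second LUN (mpathb, with a
# made-up WWID) that has lost one path in its active group.
SAMPLE_OUTPUT = """\
Jul 29 07:11:45 | multipath.conf line 20, invalid keyword: path_checker
mpatha (36a4badb00053ae7f0000f49e53d73254) dm-3 DELL,MD3000i
size=250G features='3 queue_if_no_path pg_init_retries 50' hwhandler='1 rdac' wp=rw
|-+- policy='round-robin 0' prio=6 status=active
| |- 4:0:0:2 sdb 8:16 active ready running
| `- 5:0:0:2 sdc 8:32 active ready running
`-+- policy='round-robin 0' prio=1 status=enabled
  |- 3:0:0:2 sde 8:64 active ghost running
  `- 6:0:0:2 sdd 8:48 active ghost running
mpathb (3600000000000000000000000deadbeef) dm-4 DELL,MD3000i
size=100G features='3 queue_if_no_path pg_init_retries 50' hwhandler='1 rdac' wp=rw
|-+- policy='round-robin 0' prio=6 status=active
| |- 4:0:0:3 sdf 8:80 active ready running
| `- 5:0:0:3 sdg 8:96 failed faulty offline
`-+- policy='round-robin 0' prio=1 status=enabled
  |- 3:0:0:3 sdh 8:112 active ghost running
  `- 6:0:0:3 sdi 8:128 active ghost running
"""

# A LUN header: "<alias> (<wwid>) dm-N <vendor,product>"
LUN_RE = re.compile(r'^(?P<alias>\S+)\s+\((?P<wwid>[0-9a-fA-F]+)\)\s+(?P<dm>dm-\d+)\s+(?P<vendor>.*)$')
# A path group: "policy='round-robin 0' prio=6 status=active"
GROUP_RE = re.compile(r"policy='(?P<policy>[^']+)'\s+prio=(?P<prio>\d+)\s+status=(?P<status>\w+)")
# A path: "H:C:T:L <dev> MAJ:MIN <dm_state> <path_state> <online>"
PATH_RE = re.compile(r'(?P<hctl>\d+:\d+:\d+:\d+)\s+(?P<dev>\w+)\s+\d+:\d+\s+'
                     r'(?P<dm_state>\w+)\s+(?P<path_state>\w+)\s+(?P<online>\w+)')


def parse_multipath_ll(text):
    """Return (luns, warnings). Each LUN is a dict holding its path groups and
    each group a dict holding its paths, mirroring the tree in the listing."""
    luns, warnings = [], []
    lun = group = None
    for line in text.splitlines():
        if 'multipath.conf' in line:          # config complaints precede the listing
            warnings.append(line.strip())
            continue
        m = LUN_RE.match(line)
        if m:
            lun = dict(m.groupdict(), groups=[])
            luns.append(lun)
            group = None
            continue
        m = GROUP_RE.search(line)
        if m and lun is not None:
            group = dict(m.groupdict(), paths=[])
            group['prio'] = int(group['prio'])
            lun['groups'].append(group)
            continue
        m = PATH_RE.search(line)
        if m and group is not None:
            group['paths'].append(m.groupdict())
    return luns, warnings


def check_redundancy(luns, min_ready=2):
    """Map alias -> list of problems. Only the active group carries I/O, so
    'ghost' paths in the enabled group (the passive controller on an RDAC
    array such as the MD3000i) are not counted as failures."""
    report = {}
    for lun in luns:
        problems = []
        active = [g for g in lun['groups'] if g['status'] == 'active']
        if not active:
            problems.append('no active path group')
        else:
            ready = [p for g in active for p in g['paths']
                     if p['path_state'] == 'ready' and p['online'] == 'running']
            if len(ready) < min_ready:
                problems.append('only %d ready path(s) in active group' % len(ready))
        for g in lun['groups']:
            for p in g['paths']:
                if p['dm_state'] != 'active' or p['path_state'] == 'faulty':
                    problems.append('%s (%s) is %s %s'
                                    % (p['dev'], p['hctl'], p['dm_state'], p['path_state']))
        report[lun['alias']] = problems
    return report


if __name__ == '__main__':
    found, warns = parse_multipath_ll(SAMPLE_OUTPUT)
    for w in warns:
        print('config warning:', w)
    for alias, probs in check_redundancy(found).items():
        print(alias, 'OK' if not probs else '; '.join(probs))
```

On a live box, feed it the real output with parse_multipath_ll(subprocess.check_output(['multipath', '-ll'], stderr=subprocess.STDOUT).decode()) from a cron job and alert on any non-empty problem list.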

GFS - Global File System from Redhat + Iscsi drive sharing.

# install packages

yum groupinstall -y "High Availability"
yum install -y cman gfs2-utils modcluster ricci luci cluster-snmp iscsi-initiator-utils openais oddjob rgmanager

On each node create a cluster config file

# /etc/cluster/cluster.conf
<?xml version="1.0"?>
<cluster config_version="3" name="cluster1">
<clusternodes>
<clusternode name="node1" nodeid="1"/>
<clusternode name="node2" nodeid="2"/>
</clusternodes>
</cluster>

passwd ricci
chkconfig iptables off
#or configure the Ports to be opened.
chkconfig ip6tables off
chkconfig ricci on
chkconfig cman on
chkconfig rgmanager on
chkconfig modclusterd on
service iptables stop
service ip6tables stop
service ricci start
service cman start
service rgmanager start
service modclusterd start

service ricci restart
service cman restart
service rgmanager restart
service modclusterd restart
# for node1 only
chkconfig luci on
service luci start

[root@controller1 ~]# chkconfig luci on
[root@controller1 ~]# service luci start
Adding following auto-detected host IDs (IP addresses/domain names), corresponding to `controller1' address, to the configuration of self-managed certificate `/var/lib/luci/etc/cacert.config' (you can change them by editing `/var/lib/luci/etc/cacert.config', removing the generated certificate `/var/lib/luci/certs/host.pem' and restarting luci):
(none suitable found, you can still do it manually as mentioned above)

Generating a 2048 bit RSA private key
writing new private key to '/var/lib/luci/certs/host.pem'
Start luci... [ OK ]
Point your web browser to https://controller1:8084 (or equivalent) to access luci
[root@controller1 ~]#

Making GFS file system
/sbin/mkfs.gfs2 -j 10 -p lock_dlm -t cluster1:GFS /dev/sdb

Mounting the partition
# edit /etc/fstab and append the following.
/dev/sdb /path_to_mount gfs2 defaults,noatime,nodiratime 0 0

Friday, July 25, 2014

Managing Two Gateways in a Linux Environment using routing rules

eth3
IP address: 192.168.1.45
Gateway: 192.168.1.1

cat /etc/iproute2/rt_tables
echo "# dual nic-gateway below" >> /etc/iproute2/rt_tables
echo "10 routetable15" >> /etc/iproute2/rt_tables
cat /etc/iproute2/rt_tables

echo "
192.168.1.0/24 dev eth3 src 192.168.1.45 table routetable15
default via 192.168.1.1 dev eth3 table routetable15
" >> /etc/sysconfig/network-scripts/route-eth3
echo "
from 192.168.1.0/24 table routetable15
to 192.168.1.45 table routetable15
" >> /etc/sysconfig/network-scripts/rule-eth3

eth1
IP address: 192.168.2.45
Gateway: 192.168.2.1

echo "11 routetable17" >> /etc/iproute2/rt_tables
cat /etc/iproute2/rt_tables

echo "
192.168.2.0/24 dev eth1 src 192.168.2.45 table routetable17
default via 192.168.2.1 dev eth1 table routetable17
" >> /etc/sysconfig/network-scripts/route-eth1
echo "
from 192.168.2.0/24 table routetable17
to 192.168.2.45 table routetable17
" >> /etc/sysconfig/network-scripts/rule-eth1

Wednesday, February 27, 2013

Easy cPanel WHM or Linux remote backup – SSH pull rsync backups for security and integrity using incremental transfers

$ sudo useradd -d /home/backup -m backup
$ sudo su - backup
$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/backup/.ssh/id_rsa):
Created directory '/home/backup/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/backup/.ssh/id_rsa.
Your public key has been saved in /home/backup/.ssh/id_rsa.pub.
The key fingerprint is:
05:8c:df:24:18:a9:9e:22:87:08:49:5b:11:7c:2f:f1 backup@host

You now need to put the public key onto your server for the root user (or, if you want, a user with a sudo role – it is more secure, though you will need to change your rsync commands to take account of that).

$ scp .ssh/id_rsa.pub root@your.cpanel.server.com:/root/.ssh/authorized_keys

Now once that is done you can test that the key is working by SSHing in. If you don't get asked for a password, your SSH key is set up:

$ ssh root@your.cpanel.server.com
root@your.cpanel.server.com:$

Configuring the backup
So now you have SSH key access from your backup machine to the cPanel/WHM server(s), it's just a case of setting up a cron job to grab your data!

$ mkdir /home/backup/server1
$ crontab -e

In crontab, add the following entry (adjust the time the job runs to ensure that your cPanel/WHM server(s) have enough time to do their backups; for example, I know my cPanel backups finish around 3:30 am, so I set my rsync to run at 4:30 am). You can adjust bwlimit to something you prefer. I set it to 5000KB/sec (just under 50 Mbps, so 50% of my available bandwidth) to ensure my regular users aren't inconvenienced because something is chewing up all of the server's bandwidth. I also don't back up the SpamAssassin bloat. This should all be on one line:

30 4 * * * rsync -av --bwlimit=5000 --progress -e ssh --exclude '*spamass*' root@your.cpanel.server.com:/backup/cpbackup /home/backup/server1/ > /home/backup/server1.results.txt 2>&1

Finishing up
That should be all you need. Check back the following day and look in the /home/backup/server1.results.txt file; it should look something like this:

backup@host:~$ tail server1.results.txt
up 8 100% 0.04kB/s 0:00:00 (xfer#2755, to-check=32/437710)
cpbackup/daily/user/mysql/horde.sql
3156258 100% 4.47MB/s 0:00:00 (xfer#2756, to-check=24/437710)
cpbackup/daily/user/resellerconfig/resellers
0 100% 0.00kB/s 0:00:00 (xfer#2757, to-check=20/437710)
cpbackup/daily/user/resellerconfig/resellers-nameservers
0 100% 0.00kB/s 0:00:00 (xfer#2758, to-check=19/437710)
sent 3351898 bytes received 329706615 bytes 476137.97 bytes/sec
total size is 34722766009 speedup is 104.25

Backup cPanel Accounts over SSH using rsync

#!/bin/bash
# Script to back up cPanel accounts to a remote host over SSH
BACKUP_HOST="xx.xx.xx.xx"   # replace with the backup server's address

# /etc/userdomains maps domains to cPanel user names; skip the nobody user
for x in $(awk '{print $2}' /etc/userdomains | sed -e '/nobody/d' | sort -u)
do
    ssh "root@${BACKUP_HOST}" "mkdir -p /backup/${x}"
    rsync -arv "/home/${x}/" "root@${BACKUP_HOST}:/backup/${x}/"
done

Saturday, February 16, 2013

Server Hardening

1.)chkrootkit (Check Rootkit) is a common Unix-based program intended to help system administrators check their system for known rootkits
cd /usr/local/src
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
md5sum -c chkrootkit.md5
tar -zxvf chkrootkit.tar.gz
cd chkrootkit-*/
make sense
./chkrootkit
cd ..

Adding program to daily cron job
===============================
You can add a cron entry for running chkrootkit automatically and send a scan report to your mail address.
Create and add the following entries to “/etc/cron.daily/chkrootkit.sh”

#!/bin/sh
(
/usr/local/chkrootkit/chkrootkit
) | /bin/mail -s 'CHKROOTKIT Daily Run (ServerName)' your@email.com

chmod +x /etc/cron.daily/chkrootkit.sh

2.) Rootkit Hunter – A tool which scans for backdoors and malicious software present on the server.
cd /usr/local/src
wget http://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz
tar -zxvf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0
./installer.sh --install
rkhunter --check
log : /var/log/rkhunter.log

To update it
=========
rkhunter --update
rkhunter --propupd
=========

How to setup a daily scan report
================================
pico /etc/cron.daily/rkhunter.sh

set crontab to scan and email the report
#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.com

chmod +x /etc/cron.daily/rkhunter.sh

3.) APF or CSF – A policy-based iptables firewall system used for the easy configuration of iptables rules.

CSF
================
cd /usr/local/src
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
echo "CSF successfully installed!"
When your configuration is complete, set the following in /etc/csf/csf.conf to disable "TESTING" mode and enable your firewall:
TESTING = "1"
to
TESTING = "0"

csf -r
===============

APF
===============
cd /usr/local
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
cd apf*
./install.sh

in config file

Change the value of USE_AD to
USE_AD="1"

Change the value of DEVEL_MODE to
DEVEL_MODE="1"

Save and quit.
chkconfig --del apf
apf -s
If there are no issues and the firewall gets flushed every five minutes,
you can go into the conf file and edit the value of
DEVEL_MODE="1"
that is, change it to
DEVEL_MODE="0"
===============

sample
TCP_CPORTS="21,22,25,26,53,80,110,143,443,465,953,993,995,2082,2083,2086,2087,2095,2096,3306,5666,3000_3500"

4.) Brute Force Detection – BFD is a shell script that parses the applicable logs, checks for authentication failures and blocks the attacker's IP in the firewall

cd /usr/local/src
wget http://www.rfxn.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd*
./install.sh

echo "Please enter your email:"
read email
echo "You entered: $email"
# conf.bfd expects the values in double quotes, so they must be escaped here
echo 'ALERT_USR="1"' >> /usr/local/bfd/conf.bfd
echo "EMAIL_USR=\"$email\"" >> /usr/local/bfd/conf.bfd
echo "Brute Force Detection has been installed!"
echo "Email will be sent to $email"
/usr/local/sbin/bfd -s

5.) SSH Securing – For better security of SSH connections.
Disabling root login and changing the listening port.

1. Create a user for SSH, for example sshadminz.
2. Give the user wheel privileges through WHM.
3. In /etc/ssh/sshd_config change the entry PermitRootLogin to no.
4. In /etc/ssh/sshd_config change the entry #Port to Port xxxx (the needed port; make sure that port is open in CSF/iptables rules).
5. Restart the sshd service.

>ssh sshadminz@***.***.***.*** -p xxxx

Setting an SSH Legal Message

The message is contained within the following file: /etc/motd

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

6.) Host.conf Hardening – Prevents IP spoofing and DNS poisoning

The host.conf file resides in /etc/host.conf.
order bind,hosts
multi on
nospoof on

7.) Sysctl.conf Hardening – Prevents SYN-flood attacks and other network abuses.
#Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables packet forwarding
net.ipv4.ip_forward=0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Log spoofed packets, source routed packets and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65535

# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1

After you make the changes to the file, run /sbin/sysctl -p and sysctl -w net.ipv4.route.flush=1 to apply them without a reboot.

The rules were taken from: http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html
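As it was originally pasted, the sysctl.conf above repeated several blocks, set log_martians to 0 in one place and 1 in another, and used a port-range upper bound above 65535. Because sysctl -p applies the file top to bottom, the last assignment silently wins, so a contradiction like that is easy to miss in review. The checker below is an added example (not part of the post): it parses a sysctl.conf, reports keys assigned conflicting values, computes the effective settings, and applies a couple of sanity checks. The embedded file is a constructed excerpt reproducing those defects.

```python
import re

# Constructed excerpt reproducing the defects of the originally pasted file:
# a block repeated verbatim, log_martians set to 0 and later to 1, and a port
# range whose upper bound is above 65535.
SAMPLE_SYSCTL = """\
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536
kernel.exec-shield=1
"""

# Knobs that only take 0 or 1 (rp_filter is left out because it also accepts 2).
BOOLEAN_KEYS = re.compile(r'\.(accept_source_route|accept_redirects|log_martians|tcp_syncookies)$')


def parse_sysctl_conf(text):
    """Return [(lineno, key, value), ...] for each assignment in file order.
    Comment (# or ;) and blank lines are skipped, as sysctl(8) does."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if '=' not in line:
            raise ValueError('line %d is not key = value: %r' % (lineno, raw))
        key, _, value = line.partition('=')
        entries.append((lineno, key.strip(), ' '.join(value.split())))
    return entries


def effective_settings(entries):
    """sysctl -p applies lines top to bottom, so the last assignment wins."""
    return {key: value for _, key, value in entries}


def conflicting_keys(entries):
    """Keys assigned more than once with *different* values, as
    {key: [(lineno, value), ...]}. Identical duplicates are only noise."""
    by_key = {}
    for lineno, key, value in entries:
        by_key.setdefault(key, []).append((lineno, value))
    return {k: v for k, v in by_key.items() if len({val for _, val in v}) > 1}


def check_values(settings):
    """Sanity checks worth running before sysctl -p: the port range must fit
    in 16 bits and the on/off knobs must be 0 or 1."""
    problems = []
    for key, value in settings.items():
        if key == 'net.ipv4.ip_local_port_range':
            try:
                low, high = (int(x) for x in value.split())
                valid = 1 <= low < high <= 65535
            except ValueError:
                valid = False
            if not valid:
                problems.append('%s: %s is not a valid port range' % (key, value))
        elif BOOLEAN_KEYS.search(key) and value not in ('0', '1'):
            problems.append('%s: %r is not 0 or 1' % (key, value))
    return problems


def review_sysctl(text):
    """One-shot review: conflicting keys, effective values and value problems."""
    entries = parse_sysctl_conf(text)
    settings = effective_settings(entries)
    return {'conflicts': conflicting_keys(entries),
            'effective': settings,
            'problems': check_values(settings)}


if __name__ == '__main__':
    result = review_sysctl(SAMPLE_SYSCTL)
    for key, hits in result['conflicts'].items():
        print('CONFLICT %s: %s (last one wins)'
              % (key, ', '.join('line %d = %s' % h for h in hits)))
    for p in result['problems']:
        print('PROBLEM', p)
```

Point review_sysctl at open('/etc/sysctl.conf').read() before running sysctl -p; a file that has been hand-merged from several hardening guides, as this one was, is exactly where a conflict hides.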

8.) FTP Hardening – Secure the FTP software by upgrading to the latest version.

FTP: In WHM >> Service Configuration there is an option to change two settings for FTP. By default
the first is set to use pure-ftpd (this is good) and
the second allows anonymous FTP (this is very bad):
turn anonymous FTP OFF.
Also limit how many FTP logins you allow each account in your Feature Lists. Up to 3 is fine; anything over 10 is getting silly and simply invites your users to use your server for file sharing.
===
OR
===
"Hardening Pure-FTPd/ProFTPD"
cp -p /etc/pure-ftpd.conf /etc/pure-ftpd.conf.bk
vi /etc/pure-ftpd.conf
AnonymousOnly no
NoAnonymous yes
PassivePortRange 30000 30050

9.) TMP Hardening – Harden /tmp using the cPanel script
>/scripts/securetmp

10.) Secure and Optimize Apache – Tweak Apache for better performance, stability and security.

[root@host /] vim /etc/httpd/conf/httpd.conf
This list is a composite of the settings we will be reviewing from a fresh install on a cPanel server:

===
OR AT WHM   Home » Service Configuration » Apache Configuration
===
MinSpareServers 5
MaxSpareServers 10
ServerLimit 600
MaxClients 600
MaxRequestsPerChild 0
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 3
Timeout 30
===========

Timeout 300
Usually this value doesn't require editing and the default of 300 is sufficient. Lowering the Timeout value will cause a long-running script to terminate earlier than expected.
On virtualized servers like VPS servers, lowering this value to 100 can help improve performance.
KeepAlive On
This setting should be On unless the server is getting requests from hundreds of IPs at once.
High-volume and/or load-balanced servers should have this setting disabled (Off) to increase connection throughput.
MaxKeepAliveRequests 100
This setting limits the number of requests allowed per persistent connection when KeepAlive is on. If it is set to 0, unlimited requests will be allowed.
It is recommended to keep this value at 100 for virtualized accounts like VPS accounts. On dedicated servers it is recommended that this value be modified to 150.
KeepAliveTimeout 15
The number of seconds Apache will wait for another request before closing the connection. Setting this to a high value may cause performance problems on heavily loaded servers. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients.
It is recommended that this value be lowered to 5 on all servers.
MinSpareServers 5
This directive sets the desired minimum number of idle child server processes. An idle process is one which is not handling a request. If there are fewer spare servers idle than specified by this value, then the parent process creates new children at a maximum rate of 1 per second. Setting this parameter to a large number is almost always a bad idea.
Liquidweb recommends adjusting the value for this setting as follows:
Virtualized server, i.e. VPS: 5
Dedicated server with 1-2GB RAM: 10
Dedicated server with 2-4GB RAM: 20
Dedicated server with 4+ GB RAM: 25
===========

11.)WHM Tweaking – Tweak WHM for better security and performance.

Server Setup =>> Tweak Settings
Check the following items...
Under Domains: Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)
Under Mail: Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole

Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection

12.) PHP Tightening – Tweak PHP by changing

Edit php.ini as needed

[root@server ]# nano /usr/local/lib/php.ini
safe_mode = On
allow_url_fopen = Off
expose_php = Off
enable_dl = Off
magic_quotes_gpc = On
register_globals = Off
display_errors = Off
; allow_url_fopen is an ini directive (set above), not a function, so it does not belong in disable_functions
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd, popen, proc_open, ini_set

13.) PHP Upgrade – Compile PHP to its latest stable version, which increases server security.

/scripts/easyapache

14.)Shell Fork Bomb/Memory Hog Protection

Home »  Security Center »  Shell Fork Bomb Protection

15.) ClamAV – A cross-platform antivirus toolkit able to detect many types of malicious software, including viruses
Main >> cPanel >> Manage Plugins
* Install clamav
Tick ClamAV

*********
# build dependencies first, then fetch the tarball under its real name
# (the /download URL would otherwise save the file as "download")
yum install zlib zlib-devel

cd /usr/local/src/

wget -O clamav-0.95.2.tar.gz http://sourceforge.net/projects/clamav/files/clamav/0.95.2/clamav-0.95.2.tar.gz/download

tar -zxvf clamav-0.95.2.tar.gz

cd clamav-0.95.2

useradd clamav

./configure

make

make install

ldconfig
*********
* Run the scan
[root@server ]# clamscan -r /home
In WHM -> Plugins -> ClamAV Connector, ensure that "Scan Mail" is checked.

clamscan -ir / -l clamscanreport

15.)System Integrity Monitor – Service monitoring of HTTP, FTP, DNS, SSH, MYSQL & more

cd /usr/src/
wget http://www.rfxn.com/downloads/sim-current.tar.gz
tar zxf sim-current.tar.gz
cd sim-3*
./setup -i
perl -pi -e "s/^init.named.*/init.named on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.httpd.*/init.httpd on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.mysqld.*/init.mysqld on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.exim.*/init.exim on/" /usr/local/sim/config/mods.control
sim -j

16.) SPRI – Tool for changing the priority of the different processes running on the server according to their level of importance, thereby increasing the performance and productivity of the server.

cd /usr/src
wget http://www.rfxn.com/downloads/spri-current.tar.gz
tar zxvf spri-current.tar.gz
cd spri-0*
./install.sh
spri -v

17.)MySQL optimization – Optimize MySQL value for better performance and stability
/usr/local/cpanel/3rdparty/mysqltuner/mysqltuner.pl

#DO NOT MODIFY THE FOLLOWING COMMENTED LINES!
[mysqld]
max_connections = 400
key_buffer = 16M
myisam_sort_buffer_size = 32M
join_buffer_size = 1M
read_buffer_size = 1M
sort_buffer_size = 2M
table_cache = 1024
thread_cache_size = 286
interactive_timeout = 25
wait_timeout = 1000
connect_timeout = 10
max_allowed_packet = 16M
max_connect_errors = 10
query_cache_limit = 1M
query_cache_size = 16M
query_cache_type = 1
tmp_table_size = 16M
skip-innodb

[mysqld_safe]
open_files_limit = 8192

[mysqldump]
quick
max_allowed_packet = 16M

[myisamchk]
key_buffer = 32M
sort_buffer = 32M
read_buffer = 16M
write_buffer = 16M

MySQL parameters like query_cache_size, key_buffer_size, Table_cache, sort_buffer, read_rnd_buffer_size, thread_cache, tmp_table_size, query_cache_size etc should be altered according to your server status.

18.) Root Logger

Root login email alert
1. cd /root
2. vi .bashrc
3. Scroll to the end of the file, then add the following (on one line):
echo "ALERT - Root Shell Access (YourServerName) on: $(date) $(who)" | mail -s "Alert: Root Access from $(who | cut -d'(' -f2 | cut -d')' -f1)" you@yourdomain.com
Replace YourServerName with the handle for your actual server
Replace you@yourdomain.com with your actual email address

19.) MyTOP – A console-based (non-GUI) tool for monitoring the threads and overall performance of a MySQL server

/scripts/realperlinstaller --force Getopt::Long
/scripts/realperlinstaller --force DBI
/scripts/realperlinstaller --force DBD::mysql
/scripts/realperlinstaller --force Term::ReadKey

wget http://jeremy.zawodny.com/mysql/mytop/mytop-1.6.tar.gz
tar zxpfv mytop-1.6.tar.gz
cd mytop-1.6
perl Makefile.PL && make && make install

If you get the error message Error in option spec: "long|!" when executing mytop, do the following to solve it.
After running perl Makefile.PL, edit the mytop script inside the build directory and search for the line
"long|!"              => \$config{long_nums},
and comment it out:
#"long|!"              => \$config{long_nums},
then execute make install from the source directory to install the altered mytop script.

After installing mytop, create a new file /root/.mytop (the mytop config file for root) with the lines below (the MySQL root password is found in /root/.my.cnf):
user=root
pass=<your mysql password>
host=localhost
db=mysql
delay=5
port=3306
socket=
batchmode=0
header=1
color=1
idle=1

To run it:
mytop -d mysql

20.)MultiTail – MultiTail is a program for monitoring multiple log files, in the fashion of the original tail program
cd /usr/src/
wget http://www.vanheusden.com/multitail/multitail-5.2.12.tgz
tar zxvf multitail-5.2.12.tgz
cd multitail-*
yum install ncurses ncurses-devel -y
make install
multitail -i /etc/host.conf -i /etc/sysctl.conf

21.)Mod_Security – ModSecurity is an embeddable web application firewall.

To install mod_security, go to WHM => EasyApache (or alternatively via CLI, run /scripts/easyapache). After you select your Apache and PHP versions,
you’ll be brought to the Short Options page. Select mod_security from the list, then proceed with the build.

When the build is done, mod_security will be installed. The files are kept in the following location:
/usr/local/apache/conf/modsec2.user.conf

Mod Security once installed, provides some default rules. The file with the rules resides under /usr/local/apache/conf/
The file modsec2.user.conf.default contains the rules which should be copied over to modsec2.user.conf.

cp -p modsec2.user.conf.default modsec2.user.conf

Restart the httpd service once.
**********
http://www.modsecurity.org/documentation/quick-examples.html
mod_security rules
http://www.webhostingtalk.com/showthread.php?t=1072701
http://www.apachelounge.com/viewtopic.php?t=74
**********
When hack attempts are identified by mod_security, they are logged in /usr/local/apache/logs/audit_log with the IP of the offender and what rule was violated.
Visitors that trigger mod_security rules are greeted with a “406: Not Acceptable” error when doing so.
However, mod_security does occasionally block legitimate website access attempts,
specifically for software that happens to make calls consistent with a specific rule that mod_security is configured to block.
Therefore, you may wish to either disable that rule, or disable mod_security for a specific domain or part of your website.
Doing this is rather easy from command line.

First, open up your httpd.conf (/usr/local/apache/conf/httpd.conf) and locate your domain’s <virtualhost> block.
Under it you’ll see a line like this that is commented out:
# Include "/usr/local/apache/conf/userdata/std/2/$user/$domain/*.conf"
Uncomment this line, then create the folder indicated (note that $user is your username, and $domain is your domain name):
mkdir -p /usr/local/apache/conf/userdata/std/2/$user/$domain/
cd /usr/local/apache/conf/userdata/std/2/$user/$domain/
Create a file called modsec.conf, and insert this line:
SecRuleEngine Off
To apply, restart Apache
====
OR
====
Disabling Mod-Security for a single account
To disable the mod_security for a particular account, just add the following in the users .htaccess file
SecFilterEngine Off
SecFilterScanPOST Off

If mod_security2
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>

22.) Mod_Evasive - mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool and can be easily configured to talk to ipchains, firewalls, routers, and more.

Download the latest source file from http://www.zdziarski.com
cd /usr/local/src/
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -xvzf mod_evasive_1.10.1.tar.gz
cd mod_evasive/

We also have cPanel running on this box, so, to install, we run the following:

/usr/local/apache/bin/apxs -i -a -c mod_evasive20.c

That creates a LoadModule entry in httpd.conf; to keep it across an EasyApache upgrade/rebuild we need to tell cPanel not to take it out. To do this, run:

/usr/local/cpanel/bin/apache_conf_distiller --update

So far this only loads the module into Apache. To tune it, its directives have to be added somewhere, and I like to put them into an includes file, either through WHM or directly from the terminal:

vim /usr/local/apache/conf/includes/post_virtualhost_2.conf

Once the file is open, add the following lines to the bottom of it:

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 3600
DOSEmailNotify root

=====
OR
=====
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>

(The original listed DOSBlockingPeriod twice, 10 and then 600; Apache keeps the last value, so only 600 is shown here.)

23.) Maldetect - Linux Malware Detect (maldet)

cd /usr/local/src
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz
cd maldetect-*
sh install.sh
cd ..

To run a scan of the whole filesystem:

maldet -a /

Friday, February 15, 2013

DomainKeys (DKIM) and SPF Installations cpanel

DomainKeys (DKIM) and SPF records are becoming a common, and annoying, demand among email providers, mainly Yahoo and Hotmail. In short, both are methods of email authentication designed to verify email integrity by linking a sender to a specific server or hostname. In other words, DomainKeys and SPF records specify which servers may send email on behalf of a domain name.

Depending on the cPanel version, the DomainKeys installer is either domain_keys_installer or dkim_keys_installer; the SPF installer is the same on both:

/usr/local/cpanel/bin/domain_keys_installer $user
/usr/local/cpanel/bin/spf_installer $user

# /usr/local/cpanel/bin/dkim_keys_installer <CPANELUSER>
# /usr/local/cpanel/bin/spf_installer <CPANELUSER>

To enable both for every account on the server:

for user in `ls -A /var/cpanel/users` ; do /usr/local/cpanel/bin/dkim_keys_installer $user && /usr/local/cpanel/bin/spf_installer $user ; done

To verify an SPF record and/or DomainKey, you can run a DNS check:

dig default._domainkey.$domain TXT
dig $domain TXT

SPF
domain.co 14400 IN TXT "v=spf1 +a +mx +ip4:108.163.165.58 ?all"

%domain%. IN TXT "v=spf1 a mx ptr ~all"

This puts a record of the following form into the zone:
domain.extension. IN TXT "v=spf1 a mx ip4:XXX.XXX.XXX.XXX ?all"

XXX.XXX.XXX.XXX is the primary IP of the server's network interface, not a shared or dedicated hosting IP. Note that "?all" is neutral: mail from an unlisted host neither passes nor fails, so the record documents your senders but gives receivers no grounds to reject forgeries. Once every legitimate sender is listed, use "~all" (softfail) or "-all" (fail). The "ptr" mechanism in the second record is deprecated by RFC 7208 and is best left out.
DKIM

default._domainkey 14400 IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAJXzC1vhEoH7yfJfusEWNkFz6DbcS1Ij/fAGi30HltiprZowdlCKIXq1TIWFjJE2vOOxJCnOSYMjxiLYXBzrDN9jVH8sd8H/ZpVMdvV7PUVPWOlbRYIqLwqBM8dvnxzmEvvrXP1r2nNviWrALARt1kJDr5EI+xzCNvfDxXKGDzwIDAQAB\;"
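To see what a receiver actually does with these records, here is an added example (not part of the post and not cPanel's installer): an offline SPF evaluator for the a, mx, ip4 and all mechanisms used above, run against a constructed in-memory zone for a fictional example.com with documentation-range addresses, plus a parser for the tag=value pairs of a DKIM TXT record in the zone-file form shown above. The DNS table, the hostnames and the IPs are all assumptions made for the example; compare the result for an unlisted sender under ?all, ~all and -all.

```python
"""Offline SPF evaluation and DKIM record parsing (added example, not from the post).

The DNS answers come from a constructed in-memory table so the code runs with no
network access; a real check would resolve the TXT, A and MX records live. Only
the mechanisms used in the post's records (a, mx, ip4, all) are modelled.
"""
import ipaddress

# Constructed zone data for a fictional example.com (documentation IP ranges).
DNS = {
    ("example.com", "TXT"): ["v=spf1 a mx ip4:198.51.100.58 ?all"],
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(dns, name, rtype):
    return dns.get((name, rtype), [])


def mechanism_matches(dns, ip, domain, mechanism):
    """True/False for a, mx, ip4 and all; None for mechanisms this model does not resolve."""
    name, _, arg = mechanism.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)   # single host or CIDR
    if name == "a":
        return str(ip) in lookup(dns, arg or domain, "A")
    if name == "mx":
        return any(str(ip) in lookup(dns, host, "A")
                   for host in lookup(dns, arg or domain, "MX"))
    return None   # ptr, include, exists, macros: a real evaluator resolves these


def check_spf(ip, domain, dns=DNS):
    """Return pass / fail / softfail / neutral / none / permerror for ip sending as domain."""
    ip = ipaddress.ip_address(ip)
    records = [r for r in lookup(dns, domain, "TXT") if r.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:          # two SPF records is a permanent error, not a merge
        return "permerror"
    for term in records[0].split()[1:]:
        qualifier, mech = "+", term             # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        matched = mechanism_matches(dns, ip, domain, mech)
        if matched is None:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"               # nothing matched: the RFC 7208 default result


def with_all(qualifier, dns=DNS):
    """Copy of the zone with the trailing 'all' requalified, to compare ?all, ~all and -all."""
    out = dict(dns)
    body = out[("example.com", "TXT")][0].rsplit(" ", 1)[0]
    out[("example.com", "TXT")] = [f"{body} {qualifier}all"]
    return out


def parse_dkim(txt):
    """Split a DKIM TXT record (zone-file form, with '\\;' escapes) into its tags."""
    tags = {}
    for part in txt.replace("\\;", ";").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


if __name__ == "__main__":
    for sender in ("192.0.2.25", "198.51.100.58", "203.0.113.77"):
        print(sender, {q: check_spf(sender, "example.com", with_all(q)) for q in "?~-"})
```

The unlisted 203.0.113.77 is "neutral" under ?all, "softfail" under ~all and "fail" under -all; the listed MX and ip4 hosts pass regardless. That is the whole difference between a record that merely exists and one that lets a receiver reject forged mail.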

Root Login Email alert

1. cd /root
2. vi .bashrc
3. Scroll to the end of the file, then add the following (all on one line):
echo 'ALERT - Root Shell Access (YourServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" you@yourdomain.com
Replace YourServerName with the handle for your actual server
Replace you@yourdomain.com with your actual email address
Note that `who` lists every session currently logged in, not only the one that just opened, so the subject can contain more than one address when several sessions are open.

Special permissions on files and directories: SetUID, SetGID and Sticky bit.

Special Permissions

Special Permission    | on a File                                                     | on a Directory
----------------------+---------------------------------------------------------------+---------------------------------------------------------------
SUID or Set User ID   | The program is executed with the file owner's permissions     | Files created in the directory inherit its UID (only on systems
                      | rather than with those of the user who executes it.           | that implement this; Linux ignores SUID on a directory).
SGID or Set Group ID  | The effective group of the executing program is the file's   | Files created in the directory inherit its GID.
                      | owner group.                                                  |
Sticky (bit)          | Historically kept the program text resident after execution;  | Any user can create files, but only a file's owner (or the
                      | modern Linux ignores the sticky bit on regular files.         | directory owner, or root) can delete or rename it, as in /tmp.

Permissions as output in columns 2 to 10 of ls -l and their meaning.

Permissions   Meaning
--S------     SUID is set, but user (owner) execute is not set.
--s------     SUID and user execute are both set.
-----S---     SGID is set, but group execute is not set.
-----s---     SGID and group execute are both set.
--------T     Sticky bit is set, but other execute is not set.
--------t     Sticky bit and other execute are both set.
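The two tables above can be turned into a small audit tool. The following is an added example, not code from the post: it renders the s/S/t/T characters from a raw st_mode exactly as ls -l does and walks a tree reporting every entry with a special bit set. demo() builds a throwaway directory (an assumption for the example) holding one setuid file and one sticky directory and runs the audit against it, so the output can be checked without touching the real filesystem.

```python
"""Decode SetUID/SetGID/sticky from st_mode and audit a tree for them (added example)."""
import os
import stat
import tempfile


def mode_to_string(mode):
    """Render the nine permission characters of ls -l, including s/S and t/T."""
    chars = []
    for shift, special, special_char in ((6, stat.S_ISUID, "s"),
                                         (3, stat.S_ISGID, "s"),
                                         (0, stat.S_ISVTX, "t")):
        r = "r" if mode & (4 << shift) else "-"
        w = "w" if mode & (2 << shift) else "-"
        x = bool(mode & (1 << shift))
        if mode & special:
            # lowercase when the execute bit is also set, uppercase when it is not
            x_char = special_char if x else special_char.upper()
        else:
            x_char = "x" if x else "-"
        chars.append(r + w + x_char)
    return "".join(chars)


def special_bits(mode):
    """Names of the special bits present in mode, in setuid/setgid/sticky order."""
    names = []
    if mode & stat.S_ISUID:
        names.append("setuid")
    if mode & stat.S_ISGID:
        names.append("setgid")
    if mode & stat.S_ISVTX:
        names.append("sticky")
    return names


def find_special(root):
    """Walk root and return sorted (relative path, perms, bits) for every entry with a special bit."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks out of the tree
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            bits = special_bits(st.st_mode)
            if bits:
                found.append((os.path.relpath(path, root), mode_to_string(st.st_mode), bits))
    return sorted(found)


def demo():
    """Build a throwaway tree with one setuid file and one sticky directory, then audit it."""
    with tempfile.TemporaryDirectory() as root:
        helper = os.path.join(root, "bin", "helper")
        os.makedirs(os.path.dirname(helper))
        with open(helper, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(helper, 0o4755)             # rwsr-xr-x: setuid binary
        shared = os.path.join(root, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)             # rwxrwxrwt: /tmp-style shared directory
        plain = os.path.join(root, "notes.txt")
        open(plain, "w").close()
        os.chmod(plain, 0o644)               # nothing special, must not be reported
        return find_special(root)


if __name__ == "__main__":
    for entry in demo():
        print(*entry)
```

On a real host the same walk over / is what `find / -xdev -type f -perm /6000 -ls` gives you; the point of keeping the list is to diff it after updates, since a new setuid binary is one of the more common things an intruder leaves behind.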

Wednesday, February 13, 2013

lsof--List all Open Files with lsof Command

1. List all Open Files with lsof Command

In the below example, it will show long listing of open files some of them are extracted for better understanding which displays the columns like Command, PID, USER, FD, TYPE etc.

# lsof

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
init 1 root cwd DIR 253,0 4096 2 /

The columns are mostly self-explanatory; the FD and TYPE columns deserve a closer look.

FD stands for file descriptor. Besides numbers, it can hold values such as:

cwd current working directory
rtd root directory
txt program text (code and data)
mem memory-mapped file

A numeric FD such as 1u is an actual file descriptor number, followed by its access mode:

r for read access.
w for write access.
u for read and write access.

TYPE identifies the kind of file:

DIR – Directory
REG – Regular file
CHR – Character special file.
FIFO – First In First Out

2. List User Specific Opened Files

# lsof -u user

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1838 user cwd DIR 253,0 4096 2 /
sshd 1838 user rtd DIR 253,0 4096 2 /

3. Find Processes running on Specific Port

To list the processes using a specific port, use the -i option. The example below lists everything on TCP port 22.

# lsof -i TCP:22

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1471 root 3u IPv4 12683 0t0 TCP *:ssh (LISTEN)
sshd 1471 root 4u IPv6 12685 0t0 TCP *:ssh (LISTEN)

4. List Only IPv4 & IPv6 Open Files

The examples below show only IPv4 and then only IPv6 network files, using separate commands.

# lsof -i 4

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1203 rpc 6u IPv4 11326 0t0 UDP *:sunrpc
rpcbind 1203 rpc 7u IPv4 11330 0t0 UDP *:954

# lsof -i 6

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1203 rpc 9u IPv6 11333 0t0 UDP *:sunrpc
rpcbind 1203 rpc 10u IPv6 11335 0t0 UDP *:954

5. List Open Files of TCP Port ranges 1-1024

To list all the running process of open files of TCP Port ranges from 1-1024.

# lsof -i TCP:1-1024

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1203 rpc 11u IPv6 11336 0t0 TCP *:sunrpc (LISTEN)

6. Exclude User with '^' Character

Here, we have excluded the root user. You can exclude a particular user by prefixing the name with '^', as shown below.

# lsof -i -u^root

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1203 rpc 6u IPv4 11326 0t0 UDP *:sunrpc
rpcbind 1203 rpc 7u IPv4 11330 0t0 UDP *:954
rpcbind 1203 rpc 8u IPv4 11331 0t0 TCP *:sunrpc (LISTEN)

7. Find Out who's Looking at What Files and Commands

The example below shows that the user "user" is running ping with /etc as its working directory.

# lsof -i -u user

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1839 user cwd DIR 253,0 12288 15 /etc
ping 2525 user cwd DIR 253,0 12288 15 /etc

8. List all Network Connections

The following command with option ‘-i’ shows the list of all network connections ‘LISTENING & ESTABLISHED’.

# lsof -i

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1203 rpc 6u IPv4 11326 0t0 UDP *:sunrpc
rpcbind 1203 rpc 7u IPv4 11330 0t0 UDP *:954

9. Search by PID

The example below shows only the process whose PID is 1.

# lsof -p 1

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
init 1 root cwd DIR 253,0 4096 2 /
init 1 root rtd DIR 253,0 4096 2 /

10. Kill all Activity of Particular User

Sometimes you may have to kill all the processes for a specific user. The command below kills every process owned by the user "user" (-t prints bare PIDs so they can be fed to kill). SIGKILL gives the processes no chance to clean up, so try a plain kill (SIGTERM) first, and look at the output of lsof -t -u user before running it, since it includes that user's login sessions.

# kill -9 `lsof -t -u user`
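The output above is the kind of thing that ends up in a script, so here is an added example, not from the post: a parser for lsof -i output (NAME is the last field and may contain spaces, with the connection state in parentheses) and two checks built on it, one that lists listening TCP sockets outside a (user, port) allow-list and one that lists the remote peers of established connections. The sample lines are constructed in the post's column layout, with a made-up listener on port 4444 so the check has something to find; the allow-list is an assumption for the example.

```python
"""Parse `lsof -i` output and pick out the sockets an admin should look at twice.

Added example, not from the post. SAMPLE is constructed in the same column
layout as the post's output (lsof -i, with lsof's default name resolution).
"""
import re

SAMPLE = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1471 root    3u  IPv4  12683      0t0  TCP *:ssh (LISTEN)
sshd     1471 root    4u  IPv6  12685      0t0  TCP *:ssh (LISTEN)
rpcbind  1203  rpc    6u  IPv4  11326      0t0  UDP *:sunrpc
rpcbind  1203  rpc    8u  IPv4  11331      0t0  TCP *:sunrpc (LISTEN)
sshd     1838 user    3u  IPv4  19001      0t0  TCP 192.0.2.10:ssh->203.0.113.9:51522 (ESTABLISHED)
nc       2525 user    3u  IPv4  22018      0t0  TCP *:4444 (LISTEN)
"""

STATE_RE = re.compile(r"\s*\((\w+)\)$")


def parse_lsof(text):
    """Turn lsof -i output into a list of dicts; the TCP state is split off the NAME field."""
    rows = []
    for line in text.splitlines()[1:]:          # the first line is the header
        parts = line.split(None, 8)             # NAME is the 9th field and may contain spaces
        if len(parts) < 9:
            continue
        command, pid, user, fd, ftype, device, size, node, name = parts
        state = None
        match = STATE_RE.search(name)
        if match:
            state, name = match.group(1), name[:match.start()]
        rows.append({"command": command, "pid": int(pid), "user": user, "fd": fd,
                     "family": ftype, "proto": node, "name": name, "state": state})
    return rows


def listeners(rows):
    """Only TCP sockets in LISTEN state (UDP rows carry no state at all)."""
    return [r for r in rows if r["proto"] == "TCP" and r["state"] == "LISTEN"]


def local_port(row):
    """Port, or the service name when lsof resolved it, of the local end of a socket."""
    local = row["name"].split("->", 1)[0]
    return local.rsplit(":", 1)[-1]


def unexpected_listeners(rows, expected=(("root", "ssh"), ("rpc", "sunrpc"))):
    """Listening TCP sockets whose (user, port) is not on the allow-list: a shell bound
    by a web user, a database suddenly on all interfaces, and so on."""
    return [(r["command"], r["pid"], r["user"], local_port(r))
            for r in listeners(rows) if (r["user"], local_port(r)) not in expected]


def remote_peers(rows):
    """(command, pid, remote address) for every established connection."""
    return [(r["command"], r["pid"], r["name"].split("->", 1)[1])
            for r in rows if r["state"] == "ESTABLISHED" and "->" in r["name"]]


if __name__ == "__main__":
    parsed = parse_lsof(SAMPLE)
    print("unexpected listeners:", unexpected_listeners(parsed))
    print("remote peers:", remote_peers(parsed))
```

For scripting, run lsof as `lsof -nP -i` so addresses and ports stay numeric (-n skips host lookups, -P skips port-name lookups); the allow-list then holds ("root", "22") instead of ("root", "ssh"), and the parser needs no change.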

Tuesday, February 12, 2013

FFMPEG installation along with all support modules

yum install gcc gcc-c++ libgcc gd gd-devel gettext freetype \
freetype-devel ImageMagick ImageMagick-devel libjpeg* libjpeg-devel* \
libpng* libpng-devel* libstdc++* libstdc++-devel* libtiff* \
libtiff-devel* libtool* libungif* libungif-deve* libxml* libxml2* \
libxml2-devel* zlib* zlib-devel* automake* autoconf* samba-common* \
ncurses-devel ncurses patch make -y

 

mkdir /usr/src/ffmpegscript

mkdir /usr/local/cpffmpeg

All of the tarballs below are fetched from a personal Dropbox account rather than from the projects' own release sites, and they are old versions; compare each archive's checksum against the upstream release (or fetch it from upstream) before building and installing it as root.

==================
libwmf-0.2.8.3.tar.gz
==================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/177e3hskscfvkfa/libwmf-0.2.8.3.tar.gz
tar -zxvf libwmf-0.2.8.3.tar.gz
cd libwmf-0.2.8.3/
./configure --prefix=/usr/local/cpffmpeg
make
make install

====================
ruby-1.8.6.tar.gz
====================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/45q2nalubstz5jk/ruby-1.8.6.tar.gz
tar -zxvf ruby-1.8.6.tar.gz
cd ruby-1.8.6/
./configure --prefix=/usr/local/cpffmpeg
make
make install

=====================
flvtool2_1.0.5_rc6.tgz
=====================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/hppyhpev0ylyi8f/flvtool2_1.0.5_rc6.tgz
tar -zxvf flvtool2_1.0.5_rc6.tgz
cd flvtool2_1.0.5_rc6
/usr/local/cpffmpeg/bin/ruby setup.rb config
/usr/local/cpffmpeg/bin/ruby setup.rb setup
/usr/local/cpffmpeg/bin/ruby setup.rb install
ln -s /usr/local/cpffmpeg/bin/flvtool2 /usr/local/bin/flvtool2
ln -s /usr/local/cpffmpeg/bin/flvtool2 /usr/bin/flvtool2

====================
lame-3.97.tar.gz
====================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/vd99zooleq1rlgv/lame-3.97.tar.gz
tar -zxvf lame-3.97.tar.gz
cd lame-3.97
./configure --prefix=/usr/local/cpffmpeg --enable-mp3x --enable-mp3rtp
make
make install

======================
all-20071007.tar.bz2
======================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/5mvcho608fagu8r/all-20071007.tar.bz2
tar -xvjf all-20071007.tar.bz2
chown -R root.root all-20071007/
mkdir -pv /usr/local/cpffmpeg/lib/codecs/
cp -vrf all-20071007/* /usr/local/cpffmpeg/lib/codecs/
chmod -R 755 /usr/local/cpffmpeg/lib/codecs/

====================
libogg-1.1.3.tar.gz
====================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/1t33o4r1qpx2jv2/libogg-1.1.3.tar.gz
tar -xvzf libogg-1.1.3.tar.gz
cd libogg-1.1.3/
./configure --prefix=/usr/local/cpffmpeg
make
make install

====================
libvorbis-1.1.2.tar.gz
====================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/cc8rb3ikk8zjr37/libvorbis-1.1.2.tar.gz
tar -xvzf libvorbis-1.1.2.tar.gz
cd libvorbis-1.1.2
./configure --prefix=/usr/local/cpffmpeg
make
make install

=====================
vorbis-tools-1.1.1.tar.gz
=====================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/3gif7xywt42e1aa/vorbis-tools-1.1.1.tar.gz
tar -xvzf vorbis-tools-1.1.1.tar.gz
cd vorbis-tools-1.1.1/
./configure --prefix=/usr/local/cpffmpeg
make
make install

========================
libtheora-1.0alpha7.tar.gz
========================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/os8jkmj20bppb9t/libtheora-1.0alpha7.tar.gz
tar -xvzf libtheora-1.0alpha7.tar.gz
cd libtheora-1.0alpha7/
./configure --prefix=/usr/local/cpffmpeg --with-ogg=/usr/local/cpffmpeg --with-vorbis=/usr/local/cpffmpeg
make
make install

==========================
amrnb-7.0.0.1.tar.bz2
==========================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/di95tlyrkip4asw/amrnb-7.0.0.1.tar.bz2
tar -xvjf amrnb-7.0.0.1.tar.bz2
cd amrnb-7.0.0.1/
./configure --prefix=/usr/local/cpffmpeg
make
make install

==========================
amrwb-7.0.0.2.tar.bz2
==========================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/xl4utvgikqkwpgl/amrwb-7.0.0.2.tar.bz2
tar -xvjf amrwb-7.0.0.2.tar.bz2
cd amrwb-7.0.0.2/
./configure --prefix=/usr/local/cpffmpeg
make
make install

=========================
a52dec-0.7.4.tar.gz
=========================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/eaugb32ppzbmmyo/a52dec-0.7.4.tar.gz
tar -xvzf a52dec-0.7.4.tar.gz
cd a52dec-0.7.4/
./bootstrap
ARCh=`arch`
#64bit processor bug fix
if [[ $ARCh == 'x86_64' ]];then
./configure --prefix=/usr/local/cpffmpeg --enable-shared 'CFLAGS=-fPIC'

else
./configure --prefix=/usr/local/cpffmpeg --enable-shared
fi
make
make install

==========================
faac-1.26.tar.gz
==========================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/55y56ud5quqtssa/faac-1.26.tar.gz
tar -xvzf faac-1.26.tar.gz
cd faac/
./bootstrap
./configure --prefix=/usr/local/cpffmpeg --with-mp4v2
make
make install

============================
faad2-2.6.1.tar.gz
============================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/zwk4gcxkk3km0ge/faad2-2.6.1.tar.gz
tar -xvzf faad2-2.6.1.tar.gz
cd faad2/
./bootstrap
./configure --prefix=/usr/local/cpffmpeg --with-mpeg4ip
make
make install

=========================
yasm-0.6.1.tar.gz
=========================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/facxu4ofmxdz7cb/yasm-0.6.1.tar.gz
tar -xvzf yasm-0.6.1.tar.gz
cd yasm-0.6.1/
./configure --prefix=/usr/local/cpffmpeg/
make
make install
ln -sf /usr/local/cpffmpeg/bin/yasm /usr/local/bin/yasm
ldconfig

========================
nasm-2.02.tar.gz
========================
ldconfig
cd /usr/src/ffmpegscript
wget -O nasm-2.02.tar.gz https://www.dropbox.com/s/a6jkolmxva0jxmv/nasm-2.02.tar_2.gz
tar -xvzf nasm-2.02.tar.gz
cd nasm-2.02/
./configure --prefix=/usr/local/cpffmpeg/
make
make install
ln -sf /usr/local/cpffmpeg/bin/nasm /usr/local/bin/nasm
ldconfig

=======================
xvidcore-1.1.0.tar.bz2
=======================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/iqpwt8qkjja6m5f/xvidcore-1.1.0.tar.bz2
tar -xvjf xvidcore-1.1.0.tar.bz2
cd xvidcore-1.1.0/build/generic/
./configure --prefix=/usr/local/cpffmpeg/
make
make install

========================
x264-snapshot-20080516-2245.tar.gz
========================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/wzd3215mvygwy6o/x264-snapshot-20080516-2245.tar.gz
tar -xvzf x264-snapshot-20080516-2245.tar.gz
cd x264-snapshot-20080516-2245/
./configure --enable-shared
make
make install

========================
re2c-0.13.5.tar.gz
========================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/7gua46n3t2clvgo/re2c-0.13.5.tar.gz
tar -xvzf re2c-0.13.5.tar.gz
cd re2c-0.13.5/
./configure --prefix=/usr/local/cpffmpeg/
make
make install
ln -s /usr/local/cpffmpeg/bin/re2c /usr/local/bin/re2c

=========================
MPlayer-1.0rc1.tar.bz2
=========================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/mxd56u8pgmmdm30/MPlayer-1.0rc1.tar.bz2
tar -xvjf MPlayer-1.0rc1.tar.bz2
cd MPlayer-1.0rc1/
./configure --prefix=/usr/local/cpffmpeg/ --with-codecsdir=/usr/local/cpffmpeg/lib/codecs/ \
--with-extraincdir=/usr/local/cpffmpeg/include --with-extralibdir=/usr/local/cpffmpeg/lib
make
make install
cp -f etc/codecs.conf /usr/local/cpffmpeg/etc/mplayer/codecs.conf
ln -sf /usr/local/cpffmpeg/bin/mplayer /usr/local/bin/mplayer
ln -sf /usr/local/cpffmpeg/bin/mplayer /usr/bin/mplayer
ln -sf /usr/local/cpffmpeg/bin/mencoder /usr/bin/mencoder
ln -sf /usr/local/cpffmpeg/bin/mencoder /usr/local/bin/mencoder

=========================
ffmpeg-SVN-r14473.tar.gz
=========================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/lmvpaz0e7hgirab/ffmpeg-SVN-r14473.tar.gz
tar -xvzf ffmpeg-SVN-r14473.tar.gz
cd ffmpeg/
ldconfig
./configure --prefix=/usr/local/cpffmpeg --enable-shared --enable-nonfree \
--enable-gpl --enable-pthreads --enable-liba52 --enable-libamr-nb \
--enable-libamr-wb --enable-libfaac --enable-libfaad --enable-libmp3lame \
--enable-libtheora --enable-libvorbis --enable-libx264 --enable-libxvid \
--extra-cflags=-I/usr/local/cpffmpeg/include/ --extra-ldflags=-L/usr/local/cpffmpeg/lib \
--enable-cross-compile
make
make tools/qt-faststart
make install
cp -vf tools/qt-faststart /usr/local/cpffmpeg/bin/
ln -sf /usr/local/cpffmpeg/bin/ffmpeg /usr/local/bin/ffmpeg
ln -sf /usr/local/cpffmpeg/bin/ffmpeg /usr/bin/ffmpeg
ln -sf /usr/local/cpffmpeg/bin/qt-faststart /usr/local/bin/qt-faststart
ln -sf /usr/local/cpffmpeg/bin/qt-faststart /usr/bin/qt-faststart
ldconfig
/usr/bin/ffmpeg -formats

=============================

export LD_LIBRARY_PATH=/usr/local/cpffmpeg/lib:/usr/local/lib:/usr/lib:$LD_LIBRARY_PATH
export LIBRARY_PATH=/usr/local/cpffmpeg/lib:/usr/lib:/usr/local/lib:$LIBRARY_PATH
export CPATH=/usr/local/cpffmpeg/include:/usr/include/:/usr/local/include:$CPATH

=========================
ffmpeg-php-0.5.3.1.tbz2
=========================
ldconfig
cd /usr/src/ffmpegscript
wget https://www.dropbox.com/s/o5shxs6zsxps7ur/ffmpeg-php-0.5.3.1.tbz2
tar -jxvf ffmpeg-php-0.5.3.1.tbz2
cd ffmpeg-php-0.5.3.1/
phpize
./configure --enable-shared --with-ffmpeg=/usr/local/cpffmpeg
make
make install

=====================
# PHP_INI and EXTENSION_DIR come from the original install script and are not set anywhere
# above; set them for your build before running this block (assumed values, adjust to your server).
PHP_INI=$(php -i | awk -F'=> ' '/^Loaded Configuration File/ {print $2}')
EXTENSION_DIR=$(php-config --extension-dir)
cp -p "$PHP_INI" "$PHP_INI.ffmpeg"   # keep the existing php.ini: the next line truncates it
echo '[PHP]' > $PHP_INI
echo " " >> $PHP_INI
echo "extension_dir = \"$EXTENSION_DIR\" " >> $PHP_INI
echo "post_max_size = 200M " >> $PHP_INI
echo "upload_max_filesize = 200M " >> $PHP_INI
echo "extension=ffmpeg.so" >>$PHP_INI
echo " " >> $PHP_INI
cat $PHP_INI.ffmpeg >> $PHP_INI
=====================

Monday, February 11, 2013

Mod_Evasive – mod_evasive is an evasive maneuvers module for Apache

Mod_Evasive – mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool and can be easily configured to talk to ipchains, firewalls, routers, and more.


Download the latest source file from http://www.zdziarski.com
cd /usr/local/src/
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -xvzf mod_evasive_1.10.1.tar.gz
cd mod_evasive/

We also have cPanel running on this box, so, to install, we run the following:

/usr/local/apache/bin/apxs -i -a -c mod_evasive20.c

That creates a LoadModule entry in httpd.conf; to keep it across an EasyApache upgrade/rebuild we need to tell cPanel not to take it out. To do this, run:

/usr/local/cpanel/bin/apache_conf_distiller --update

So far this only loads the module into Apache. To tune it, its directives have to be added somewhere, and I like to put them into an includes file, either through WHM or directly from the terminal:

vim /usr/local/apache/conf/includes/post_virtualhost_2.conf

Once the file is open, add the following lines to the bottom of it:


DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 3600
DOSEmailNotify root
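What these thresholds do to real traffic is easier to see by replaying requests through them. The following is an added example, not code from this post or from mod_evasive itself: a simplified Python model of the counting done in mod_evasive20.c (one counter per client and URI, one per client for the whole site, and a hold list keyed by client IP whose timer is extended on every refused request), driven by constructed requests from documentation-range IPs. It serves both places this configuration appears, item 22 of the earlier post and this one; the "strict" values are the block above, the "relaxed" ones are the second variant (DOSPageCount 5, DOSSiteCount 100, two-second intervals, DOSBlockingPeriod 600). Whether the model matches mod_evasive's counting exactly in every corner is an assumption; the thresholds and the reset-per-interval behaviour are what the directives document.

```python
"""Replay of mod_evasive's per-client thresholds over constructed requests.

Added example (not code from the post or from mod_evasive): a simplified model
of what mod_evasive20.c does with the DOS* directives, so you can see which
request in a burst gets the 403 before tuning them.
"""
from dataclasses import dataclass, field


@dataclass
class Config:
    """Mirrors the directives in the include file above."""
    page_count: int = 2          # DOSPageCount: hits on one URI per interval
    site_count: int = 50         # DOSSiteCount: hits on any URI per interval
    page_interval: int = 1       # DOSPageInterval (seconds)
    site_interval: int = 1       # DOSSiteInterval (seconds)
    blocking_period: int = 3600  # DOSBlockingPeriod (seconds)


@dataclass
class Evasive:
    cfg: Config
    hits: dict = field(default_factory=dict)     # key -> [last_hit_time, count]
    blocked: dict = field(default_factory=dict)  # ip -> time of last refused hit

    def request(self, ip, uri, t):
        """Status the model gives a request from ip for uri at unix time t: 200 or 403."""
        cfg = self.cfg
        # A client already on hold is refused and its hold is extended, so a client
        # that keeps hammering never leaves the block list.
        if ip in self.blocked and t - self.blocked[ip] < cfg.blocking_period:
            self.blocked[ip] = t
            return 403
        page_over = self._over(f"{ip}_{uri}", t, cfg.page_interval, cfg.page_count)
        site_over = self._over(f"{ip}_SITE", t, cfg.site_interval, cfg.site_count)
        if page_over or site_over:
            self.blocked[ip] = t
            return 403
        return 200

    def _over(self, key, t, interval, limit):
        """Update one counter; True when it was already at the limit inside the interval."""
        entry = self.hits.get(key)
        if entry is None:
            self.hits[key] = [t, 1]
            return False
        last, count = entry
        over = t - last < interval and count >= limit
        if t - last >= interval:     # interval elapsed since the last hit: start over
            count = 0
        entry[0], entry[1] = t, count + 1
        return over


# Constructed traffic: (unix time, client ip, uri), documentation-range addresses.
SAMPLE = (
    [(0, "203.0.113.9", "/login")] * 3 + [(1, "203.0.113.9", "/index")]       # password guessing
    + [(0, "198.51.100.4", "/a"), (2, "198.51.100.4", "/a"), (4, "198.51.100.4", "/a")]  # slow client
    + [(10, "192.0.2.7", f"/static/asset{i}.js") for i in range(51)]          # one page load, 51 assets
)


def replay(cfg, requests):
    """Run requests through the model in time order; returns {ip: [status, ...]}."""
    engine = Evasive(cfg)
    out = {}
    for t, ip, uri in sorted(requests, key=lambda r: r[0]):   # stable: same-second order kept
        out.setdefault(ip, []).append(engine.request(ip, uri, t))
    return out


RELAXED = Config(page_count=5, site_count=100, page_interval=2, site_interval=2, blocking_period=600)

if __name__ == "__main__":
    for name, cfg in (("strict", Config()), ("relaxed", RELAXED)):
        for ip, codes in replay(cfg, SAMPLE).items():
            print(f"{name:8} {ip:14} refused {codes.count(403)} of {len(codes)}")
```

With the strict values the third hit on /login within a second is refused and the client stays refused for the whole DOSBlockingPeriod, which is what you want for a password guesser; but the same values also refuse the 51st asset of an ordinary page load, which is the "legitimate visitors get 403" complaint these settings usually produce. The relaxed variant passes everything in the sample. Put monitoring hosts and load balancers in DOSWhitelist, and remember that DOSEmailNotify (and DOSSystemCommand, if set) fire once per block, tracked by a dos-<ip> lock file in DOSLogDir, not once per refused request.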

Mod_Security –

Mod_Security – ModSecurity is an embeddable web application firewall. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure.


To install mod_security, go to WHM => EasyApache (or alternatively via CLI, run /scripts/easyapache). After you select your Apache and PHP versions, you’ll be brought to the Short Options page. Select mod_security from the list, then proceed with the build.

When the build is done, mod_security will be installed. The files are kept in the following location:
/usr/local/apache/conf/modsec2.user.conf

When hack attempts are identified by mod_security, they are logged in /usr/local/apache/logs/audit_log with the IP of the offender and the rule that was violated. Visitors that trigger mod_security rules are greeted with a "406: Not Acceptable" error. However, mod_security does occasionally block legitimate website access attempts, specifically for software that happens to make requests consistent with a rule mod_security is configured to block. Therefore, you may wish to either disable that rule, or disable mod_security for a specific domain or part of your website. Doing this is rather easy from the command line.
First, open up your httpd.conf (/usr/local/apache/conf/httpd.conf) and locate your domain's <VirtualHost> block. Under it you'll see a line like this that is commented out:

# Include "/usr/local/apache/conf/userdata/std/2/$user/$domain/*.conf"

Uncomment this line, then create the folder indicated (note that $user is your username, and $domain is your domain name):

mkdir -p /usr/local/apache/conf/userdata/std/2/$user/$domain/
cd /usr/local/apache/conf/userdata/std/2/$user/$domain/

Create a file called modsec.conf, and insert this line:

SecRuleEngine Off

To apply, restart Apache. This switches the engine off for the whole domain; when only a single rule misfires, put SecRuleRemoveById <id> (the id is in the audit_log entry) in the same file instead and keep the rest of the rule set active.


mod_security rules
http://www.webhostingtalk.com/showthread.php?t=1072701

MultiTail – MultiTail is a program for monitoring multiple log files, in the fashion of the original tail program

MultiTail – MultiTail is a program for monitoring multiple log files, in the fashion of the original tail program
cd /usr/src/
wget http://www.vanheusden.com/multitail/multitail-5.2.12.tgz
tar zxvf multitail-5.2.12.tgz
cd multitail-*
yum install ncurses ncurses-devel -y
make install
multitail -i /etc/host.conf -i /etc/sysctl.conf

SPRI – Tool for changing the priority

SPRI – Tool for changing the priority of different processess running in the server according to the level of importance and thereby increasing the performance and productivity of the server.

cd /usr/src
wget http://www.rfxn.com/downloads/spri-current.tar.gz
tar zxvf spri-current.tar.gz
cd spri-0*
./install.sh
spri -v

System Integrity Monitor – Service monitoring of HTTP, FTP, DNS, SSH, MYSQL & more

System Integrity Monitor – Service monitoring of HTTP, FTP, DNS, SSH, MYSQL & more

cd /usr/src/
wget http://www.rfxn.com/downloads/sim-current.tar.gz
tar zxf sim-current.tar.gz
cd sim-3*
./setup -i
perl -pi -e "s/^init.named.*/init.named on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.httpd.*/init.httpd on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^(init\.mysqld?).*/\1 on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.exim.*/init.exim on/" /usr/local/sim/config/mods.control
sim -j

MyTOP – A console-based (non-gui) tool for monitoring the threads and overall performance of a MySQL

MyTOP – A console-based (non-gui) tool for monitoring the threads and overall performance of a MySQL


/scripts/realperlinstaller --force Getopt::Long
/scripts/realperlinstaller --force DBI
/scripts/realperlinstaller --force DBD::mysql
/scripts/realperlinstaller --force Term::ReadKey

wget http://jeremy.zawodny.com/mysql/mytop/mytop-1.6.tar.gz
tar zxpfv mytop-1.6.tar.gz
cd mytop-1.6
perl Makefile.PL && make && make install

If you get an "Error in option spec: "long|!"" message when running mytop, do the following to fix it.
After running perl Makefile.PL, edit the mytop script in the source directory and search for the line
"long|!" => \$config{long_nums},
and comment it out:
#"long|!" => \$config{long_nums},
then run make install from the source directory to install the altered mytop script.


After installing mytop you need to create a new file, /root/.mytop (the mytop config file for root), with the lines below (the MySQL root password is found in /root/.my.cnf):
user=root
pass=
host=localhost
db=mysql
delay=5
port=3306
socket=
batchmode=0
header=1
color=1
idle=1

Since the file holds the database password, make it readable by root only (chmod 600 /root/.mytop), as /root/.my.cnf should be.

To run:
mytop -d mysql