Tuesday, August 23, 2011

Configure custom PHP for a particular domain

php 5.3.6 is currently not available in the EasyApache script. So if any user wants to use this version on a shared cPanel server, we can compile it manually and then enable this version for that user using an htaccess rule.

==============
cd /usr/src

wget http://in2.php.net/get/php-5.3.7.tar.gz/from/us.php.net/mirror

tar -zxf php-5.3.7.tar.gz

cd php-5.3.7

Use the same configure options as the existing 5.3.6 build and give the prefix as, for example, /usr/local/jibin/php5.3/

=================
./configure --prefix=/usr/local/jibin/php5.3 --enable-bcmath --enable-calendar --enable-ftp --enable-gd-native-ttf --enable-libxml --enable-mbstring --enable-pdo=shared --enable-sockets --enable-wddx --enable-zend-multibyte --enable-zip --with-curl=/opt/curlssl/ --with-curlwrappers --with-freetype-dir=/usr --with-gd --with-gettext --with-imap=/opt/php_with_imap_client/ --with-imap-ssl=/usr --with-jpeg-dir=/usr --with-kerberos --with-libexpat-dir=/usr --with-libxml-dir=/opt/xml2/ --with-mcrypt=/opt/libmcrypt/ --with-mhash=/opt/mhash/ --with-mysql --with-mysqli --with-openssl=/usr --with-openssl-dir=/usr --with-pcre-regex=/opt/pcre --with-pdo-mysql=shared --with-pdo-sqlite=shared --with-png-dir=/usr --with-pspell --with-sqlite=shared --with-tidy=/opt/tidy/ --with-xmlrpc --with-xpm-dir=/usr --with-xsl=/opt/xslt/ --with-zlib --with-zlib-dir=/usr
=================

make

make install

Copy the php.ini file from the location /usr/local/lib/php.ini:

cp /usr/local/lib/php.ini /usr/local/jibin/php5.3/lib/

NOTE: Please edit the copied php.ini so that the extension directory setting (extension_dir) points to /usr/local/jibin/php5.3/lib/php/extensions

Once compiled, you can check the version using the following command (the binary lives under the prefix given to configure):

/usr/local/jibin/php5.3/bin/php-cgi -v

Add the following line in the "handlers" section of the suphp.conf file if the default PHP on the server is compiled as suPHP:

vi /opt/suphp/etc/suphp.conf

application/x-httpd-php5.3="php:/usr/local/jibin/php5.3/bin/php-cgi"

Now add the rule to the file "pre_main_2.conf" to enable this version for any particular domain.

vi /usr/local/apache/conf/includes/pre_main_2.conf

The directives go inside a Directory block for the domain's document root (/home/USERNAME/public_html below is a placeholder for the real path):

<Directory "/home/USERNAME/public_html">
Allow from All
suPHP_AddHandler application/x-httpd-php5.3
AddType application/x-httpd-php5.3 .php
</Directory>


To remove the first 10 lines of a file

tail -n +11 filename

To change the default gateway

to delete the current gateway: sudo route -n del default
to add the new gateway: sudo route add default gw IP

To append a directory to the PATH environment variable (current shell only)

PATH=$PATH:/usr/local/sbin

cPanel restart error

=============
Starting tailwatchd: Can't locate Getopt/Param/Tiny.pm in @INC (@INC contains: /usr/local/cpanel /usr/local/cpanel/Cpanel/CPAN/overload/__Time /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/5.8.8 .) at /usr/local/cpanel/Cpanel/TailWatch.pm line 17.
BEGIN failed--compilation aborted at /usr/local/cpanel/Cpanel/TailWatch.pm line 17.
Compilation failed in require at /usr/local/cpanel/libexec/tailwatchd line 14.
BEGIN failed--compilation aborted at /usr/local/cpanel/libexec/tailwatchd line 14.
[FAILED]
Starting cPanel Log services: Can't locate Unix/PID.pm in @INC (@INC contains: /usr/local/cpanel/3rdparty/lib/perl/5.8.8/x86_64-linux-thread-multi/auto /usr/local/cpanel/3rdparty/lib/perl/5.8.8/x86_64-linux-thread-multi /usr/local/cpanel/3rdparty/lib/perl/5.8.8 /usr/local/cpanel/3rdparty/lib/perl /usr/local/cpanel /usr/local/cpanel/3rdparty/lib/perl /usr/local/cpanel/Cpanel/CPAN/overload/__Time /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/5.8.8 .) at /usr/local/cpanel/libexec/cpanellogd line 13.
BEGIN failed--compilation aborted at /usr/local/cpanel/libexec/cpanellogd line 13.
================


root@server1 [~]# ls -alh /usr/bin/perl
-rwxr-xr-x 2 root root 19K Jun 13 05:58 /usr/bin/perl*
root@server1 [~]# ls -alh /usr/local/bin/perl
-rwxr-xr-x 2 root root 1.2M Aug 10 18:26 /usr/local/bin/perl*


One should be a binary file, and the other should be a symlink to the binary file. To fix the problem, I moved the perl from /usr/local/bin to /root and created a symlink to /usr/bin/perl in its place:


root@server1 [~]# mv /usr/local/bin/perl /root/
root@server1 [~]# ln -s /usr/bin/perl /usr/local/bin/perl

To check the elapsed running time of every process

ps -eo pid,etime,args

Script to split a column into multiple columns

awk '{a[NR%14+1]=a[NR%14+1]" "$0} END {for (i in a){print a[i]}}'

To create a test file of a given size

This creates a 1 GB file (1024 blocks of 1 MB) filled with zeros:

dd if=/dev/zero of=/home/jibin/jibin/testin bs=1M count=1024

Sunday, August 14, 2011

cPanel DNSONLY


cPanel DNS ONLY is software that allows you to run a dedicated physical nameserver, which you can then link to your web server(s) using WHM's DNS Clustering feature. This means that any change to your web server's DNS information will automatically be sent to the DNS ONLY server, eliminating the need to run nameserver software on your web server.

The main advantage to DNS ONLY is stability: if your web server has an outage, your DNS information stays accessible, even when your web server is offline. This allows visitors to reach websites on your server more quickly after the web server comes back online. In addition, you can move accounts from one server to another without your customers having to change their DNS records. For these reasons, DNS ONLY is optimal for web hosts running multiple servers.


================

change ssh port via WHM

Log in to WHM as the root user and browse to the following URL.

http://192.168.0.2:2086/scripts2/autofixer

Use your server IP instead of 192.168.0.2 in the above URL. To reset the sshd_config file, enter "safesshrestart" in the autofixer window.



The safesshrestart autofixer will show you the following output.



If you were using another port before resetting the default sshd_config file with the autofixer, first SSH to the server using the default SSH port 22 and restart the sshd service; this resets your existing sshd port.

You can find more information regarding the autofixer feature at the following URL

Index of /autofixer/

http://httpupdate.cpanel.net/autofixer/

Friday, August 12, 2011

Bash History: Display Date And Time For Each Command

How do I display shell command history with date and time under Linux OS?

If HISTTIMEFORMAT is set, the time stamp information associated with each history entry is written to the history file, marked with the history comment character. Define the environment variable as follows:
$ HISTTIMEFORMAT="%d/%m/%y %T "
OR
echo 'export HISTTIMEFORMAT="%d/%m/%y %T "' >> ~/.bash_profile

Where,
%d – Day
%m – Month
%y – Year
%T – Time

To see history type

# history

Wednesday, August 10, 2011

File structure

-rw-r----- 1 ramesh team-dev 9275204 Jun 13 15:27 mthesaur.txt.gz

1st character: type of the file
field 1: File Permissions
field 2 : Number of links
field 3 : Owner
field 4 : Group
field 5 : Size
field 6 : Last modified date & time
Field 7 : File name


83427329 drwxrwx---+ 13 99 nisusers 4096 2010-07-19 15:21 public

The trailing + indicates that an ACL is associated with that file.

83427329 drwxrwx---T 13 99 nisusers 4096 2010-07-19 15:21 public

T = sticky bit

Monday, August 8, 2011

awk scripting

awk '{print $N}' prints column N of each line.

To print 2 columns

ll | awk {'print $2,$3'}

1. Awk FS : Input field separator variable.

syntax: awk -F 'FS' 'commands' inputfilename

cat /etc/passwd |awk -F : {'print $1'}
OR
awk -F : {'print $1'} < /etc/passwd


EXAMPLES:

test file:

[root@drbd1 korion]# cat emplyeet.txt
100 Thomas Manager Sales $5,000
200 Jason Developer Technology $5,500
300 Sanjay Sysadmin Technology $7,000
400 Nisha Manager Marketing $9,500
500 Randy DBA Technology $6,000

a) To print all the contents

awk '{print}' emplyeet.txt
b) Print the lines which match the pattern.

awk can accept any number of patterns, but each pattern should be on a new line (the "> " the shell shows as a continuation prompt is not part of the program):

awk '/Thomas/
/Nisha/' emplyeet.txt

c) Print only a specific field.

cat emplyeet.txt | awk '{print $2}'

d)Initialization and Final Action

Syntax:

BEGIN { Actions}
{ACTION} # Action for every line in the file
END { Actions }

example:

awk 'BEGIN {print "Name\tDesignation\tDepartment\tSalary";} {print $2,"\t",$3,"\t",$4,"\t",$NF;} END{print "Report Generated\n--------------";}' emplyeet.txt

[root@drbd1 korion]# awk 'BEGIN {print "Name\tDesignation\tDepartment\tSalary";} {print $2,"\t",$3,"\t",$4,"\t",$NF;} END{print "Report Generated\n--------------";}' emplyeet.txt
Name Designation Department Salary
Thomas Manager Sales $5,000
Jason Developer Technology $5,500
Sanjay Sysadmin Technology $7,000
Nisha Manager Marketing $9,500
Randy DBA Technology $6,000
Report Generated

=========================================================
example 2:
To print employee details having id > 200

awk '$1 > 200' emplyeet.txt
[root@drbd1 korion]# awk '$1 > 200' emplyeet.txt
300 Sanjay Sysadmin Technology $7,000
400 Nisha Manager Marketing $9,500
500 Randy DBA Technology $6,000
[root@drbd1 korion]#
=========================================================

example 3:

Print the list of employees in the Technology department

awk '/Technology/' emplyeet.txt
[root@drbd1 korion]# awk '/Technology/' emplyeet.txt
200 Jason Developer Technology $5,500
300 Sanjay Sysadmin Technology $7,000
500 Randy DBA Technology $6,000

OR (matching only the department field, which avoids hits on other columns)

[root@drbd1 korion]# awk '$4 ~/Technology/' emplyeet.txt
200 Jason Developer Technology $5,500
300 Sanjay Sysadmin Technology $7,000
500 Randy DBA Technology $6,000
[root@drbd1 korion]#


example 4: Print the number of employees in the Marketing department

awk 'BEGIN {count=0;} $4 ~/Marketing/ {count++;} END {print "The number of emps in Marketing dept is =",count;}' emplyeet.txt
[root@drbd1 korion]# awk 'BEGIN {count=0;} $4 ~/Marketing/ {count++;} END {print "The number of emps in Marketing dept is =",count;}' emplyeet.txt
The number of emps in Marketing dept is = 2


IMPORTANT:

To print strings that start with a particular letter

EXAMPLE: print employee names which start with T

awk '$2 ~ /^T/' emplyeet.txt
[root@drbd1 korion]# awk '$2 ~ /^T/' emplyeet.txt
100 Thomas Manager Sales $5,000
600 Tom Admin Marketing $9,000
[root@drbd1 korion]#

EXAMPLE: print employee names which do not start with T

awk '$2 !~ /^T/' emplyeet.txt
[root@drbd1 korion]# awk '$2 !~ /^T/' emplyeet.txt
200 Jason Developer Technology $5,500
300 Sanjay Sysadmin Technology $7,000
400 Nisha Manager Marketing $9,500
500 Randy DBA Technology $6,000
[root@drbd1 korion]#

=====================================================

awk script to print directories (the first character of the permission field is d)

ll | awk '$1 ~ /^d/'

awk script to print the non-directory entries in a directory

ll | awk '$1 !~ /^d/'

=====================================================
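A longer awk example over the same employee file, added here as an illustration (not from the original post): it combines the BEGIN/pattern/END structure, a field test on $4, gsub() to strip the "$" and "," from the salary column, and associative arrays to build a per-department report. The records are constructed from the post's sample file, including the "600 Tom" row that appears in the later examples.

```shell
#!/bin/sh
# Added example, not from the original post: per-department report over the
# employee records used in the awk examples above (records constructed from
# the post's sample file, including the "600 Tom" row seen in later examples).

employee_data() {
    cat <<'EOF'
100 Thomas Manager Sales $5,000
200 Jason Developer Technology $5,500
300 Sanjay Sysadmin Technology $7,000
400 Nisha Manager Marketing $9,500
500 Randy DBA Technology $6,000
600 Tom Admin Marketing $9,000
EOF
}

# dept_report: headcount and total salary per department (tab separated).
# $NF is the salary column, so the script survives extra middle fields;
# gsub() strips "$" and "," so awk can add the values as numbers.
dept_report() {
    printf 'Department\tCount\tTotal\n'
    employee_data | awk '
        NF >= 5 {
            salary = $NF
            gsub(/[$,]/, "", salary)       # "$5,000" -> 5000
            count[$4]++
            total[$4] += salary
        }
        END {
            for (d in count) printf "%s\t%d\t%d\n", d, count[d], total[d]
        }' | sort
}

# dept_total DEPT: total salary for one department, as a plain number.
# The pattern compares a field with a shell value passed in through -v.
dept_total() {
    employee_data | awk -v dept="$1" '
        $4 == dept { s = $NF; gsub(/[$,]/, "", s); sum += s }
        END { print sum + 0 }'
}

# names_starting_with LETTER: names whose first character matches, space
# separated (the dynamic-regex form of the "$2 ~ /^T/" example above).
names_starting_with() {
    employee_data | awk -v prefix="$1" '$2 ~ ("^" prefix) { print $2 }' |
        tr '\n' ' ' | sed 's/ $//'
}

dept_report
```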

Friday, August 5, 2011

Find user Bandwidth from SSH (CPanel)

Create a new file with the following code, chmod +x the file, and then execute it with 2 parameters, viz. month and year.

cd /root

vi bandwidth

#!/bin/bash
# Usage: bandwidth MONTH YEAR
# For every user file in /var/cpanel/bandwidth, sum the "<month>.<day>.<year>-all=<bytes>"
# entries for the given month and print the total in MB.
cd /var/cpanel/bandwidth/ || exit 1
ls | grep -v "\." | xargs -I zzz sh -c "echo -n zzz \" = \"; egrep \"^$1\..*\.$2-all\" zzz | awk -F'=' 'BEGIN {bytes=0} { bytes+=\$2 } END {print bytes/1024/1024 \" MB\"}'"
cd -

Usage:

./bandwidth month year

E.g., to see the top 20 bandwidth-consuming users in April 2009

./bandwidth 3 2009 | sort -nrk 3 | head -20

The above will show the result in descending order, the account with the highest bandwidth usage first.

User names can be mapped to domain names using /etc/trueuserdomains

To disable ping request

To disable ping requests, please use the following

================
# echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
================

This takes effect immediately but does not survive a reboot; to make it persistent, set net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf.

SE linux

SELinux is available in all major distros by default. During the installation of Linux [RedHat/Fedora], you will be prompted to enable or disable SELinux along with the firewall option.

In Fedora/Red Hat, SELinux can be enabled or disabled by editing the file "/etc/selinux/config". There are 3 modes for the parameter SELINUX. They are:

SELINUX=disabled
SELINUX=permissive
SELINUX=enforcing

The values 'disabled' and 'permissive' are mainly used to disable SELinux on a server.

The value “disabled” will completely switch off SELinux. All operations will be allowed to work normally and the policies of security attributes will not have any effect on the services or files.

The value "permissive" will allow all operations, but logs those that the policy would deny. All warnings get logged, thereby allowing the audit of each process interaction for creating corresponding policy rules.

IP location

You can find the IP address location from the following


============
http://www.maxmind.com/app/locate_demo_ip
============

sar

=================
root@testserver [~]# sar -u
Linux 2.6.18-92.1.18.el5.028stab060.8 (testserver.com) 08/03/11

00:00:01 CPU %user %nice %system %iowait %steal %idle
00:10:01 all 0.04 0.00 0.02 0.00 0.00 99.94
00:20:01 all 0.04 0.00 0.01 0.00 0.00 99.95
00:30:01 all 0.03 0.00 0.01 0.00 0.00 99.95

%user: Percentage of CPU utilization that occurred while executing at the user level (application).
%nice: Percentage of CPU utilization that occurred while executing at the user level with nice priority.
%system: Percentage of CPU utilization that occurred while executing at the system level (kernel).
%iowait: Percentage of time that the CPU or CPUs were idle during which the system had an outstanding disk I/O request.
%idle: Percentage of time that the CPU or CPUs were idle and the system did not have an outstanding disk I/O request.
==============
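A check over sar -u output, added here as an example (not from the original post): it locates the %iowait and %idle columns by their header names, since column positions differ between sysstat versions, and flags the intervals that cross a threshold. The report lines are constructed for this example; the busy interval at 00:20:01 is invented.

```shell
#!/bin/sh
# Added example, not from the original post: scanning "sar -u" output for
# intervals with high %iowait or low %idle. The header line is used to find
# the columns by name. The report below is constructed (same layout as the
# real output above; the busy 00:20:01 interval is invented).

sample_sar_u() {
    cat <<'EOF'
Linux 2.6.18-92.1.18.el5.028stab060.8 (testserver.com) 08/03/11

00:00:01 CPU %user %nice %system %iowait %steal %idle
00:10:01 all 0.04 0.00 0.02 0.00 0.00 99.94
00:20:01 all 12.50 0.00 3.10 41.20 0.00 43.20
00:30:01 all 0.03 0.00 0.01 0.00 0.00 99.95
Average: all 4.19 0.00 1.04 13.73 0.00 81.03
EOF
}

# cpu_alerts IOWAIT_MAX IDLE_MIN: print every interval where %iowait exceeds
# IOWAIT_MAX or %idle drops below IDLE_MIN. Reads sar -u text on stdin.
cpu_alerts() {
    awk -v io_max="$1" -v idle_min="$2" '
        # header line: remember which column holds which metric
        $2 == "CPU" { for (i = 1; i <= NF; i++) col[$i] = i; next }
        # per-interval rows for all CPUs, skipping the trailing Average line
        $2 == "all" && $1 != "Average:" && ("%iowait" in col) && ("%idle" in col) {
            io = $(col["%iowait"]) + 0
            idle = $(col["%idle"]) + 0
            if (io > io_max + 0 || idle < idle_min + 0)
                printf "%s iowait=%s idle=%s\n", $1, $(col["%iowait"]), $(col["%idle"])
        }'
}

# busiest_interval: timestamp of the interval with the lowest %idle
busiest_interval() {
    awk '
        $2 == "CPU" { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $2 == "all" && $1 != "Average:" && ("%idle" in col) {
            idle = $(col["%idle"]) + 0
            if (best == "" || idle < best_idle) { best = $1; best_idle = idle }
        }
        END { print best }'
}

# Real use: sar -u -f /var/log/sa/sa01 | cpu_alerts 20 50
sample_sar_u | cpu_alerts 20 50
```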

To view process creation statistics, enter:

root@testserver [~]# sar -c
Linux 2.6.18-92.1.18.el5.028stab060.8 (testserver.com) 08/03/11

00:00:01 proc/s
00:10:01 67.49
00:20:01 23.24
00:30:01 14.26
00:40:01 14.31
==============

root@testserver [~]# sar -b
Linux 2.6.18-92.1.18.el5.028stab060.8 (testserver.com) 08/03/11

00:00:01 tps rtps wtps bread/s bwrtn/s
00:10:01 0.00 0.00 0.00 0.00 0.00
00:20:01 0.00 0.00 0.00 0.00 0.00

tps
Total number of transfers per second that were issued to physical devices. A transfer is an I/O request to a physical device. Multiple logical requests can be combined into a single I/O request to the device. A transfer is of indeterminate size.

rtps
Total number of read requests per second issued to physical devices.

wtps
Total number of write requests per second issued to physical devices.

bread/s
Total amount of data read from the devices in blocks per second. Blocks are equivalent to sectors and therefore have a size of 512 bytes.

bwrtn/s
Total amount of data written to devices in blocks per second.
==============
sar -r

The -r argument shows free memory and swap space over time.
00:00:01 kbmemfree kbmemused %memused kbbuffers kbcached kbswpfree kbswpused %swpused kbswpcad
00:10:01 7729888 434288 5.32 0 0 0 0 0.00 0
00:20:01 7731636 432540 5.30 0 0 0 0 0.00 0
00:30:01 7728988 435188 5.33 0 0 0 0 0.00 0
00:40:01 7732808 431368 5.28 0 0 0 0 0.00 0
00:50:01 7734200 429976 5.27 0 0 0 0 0.00 0
Average: 7731504 432672 5.30 0 0 0 0 0.00 0
=====================



cd /var/log/sa/
-rw-r--r-- 1 root root 279024 Aug 1 23:50 sa01
-rw-r--r-- 1 root root 279024 Aug 2 23:50 sa02
-rw-r--r-- 1 root root 17664 Aug 3 01:20 sa03

sar -q -f sa01 | less

====================
root@testserver [~]# sar -P ALL
Linux 2.6.18-92.1.18.el5.028stab060.8 (testserver.com) 08/03/11

00:00:01 CPU %user %nice %system %iowait %steal %idle
00:10:01 all 0.04 0.00 0.02 0.00 0.00 99.94
00:10:01 0 0.02 0.00 0.01 0.00 0.00 99.97
00:10:01 1 0.01 0.00 0.01 0.00 0.00 99.99
00:10:01 2 0.05 0.00 0.02 0.00 0.00 99.94
00:10:01 3 0.04 0.00 0.01 0.00 0.00 99.95
00:10:01 4 0.03 0.00 0.02 0.00 0.00 99.95
00:10:01 5 0.07 0.04 0.02 0.02 0.00 99.85
00:10:01 6 0.08 0.00 0.02 0.01 0.00 99.89
00:10:01 7 0.02 0.00 0.01 0.00 0.00 99.96
====================
root@testserver [~]# sar -R
Linux 2.6.18-92.1.18.el5.028stab060.8 (testserver.com) 08/03/11

00:00:01 frmpg/s bufpg/s campg/s
00:10:01 1.46 0.00 0.00
00:20:01 0.73 0.00 0.00
00:30:01 -1.10 0.00 0.00

-R
Report memory statistics. The following values are displayed:

frmpg/s

Number of memory pages freed by the system per second. A negative value represents a number of pages allocated by the system. Note that a page has a size of 4 kB or 8 kB according to the machine architecture.

bufpg/s

Number of additional memory pages used as buffers by the system per second. A negative value means fewer pages used as buffers by the system.

campg/s

Number of additional memory pages cached by the system per second. A negative value means fewer pages in the cache.
====================
root@testserver [/var/log/sa]# sar -q
Linux 2.6.18-92.1.18.el5.028stab060.8 (testserver.com) 08/03/11

00:00:01 runq-sz plist-sz ldavg-1 ldavg-5 ldavg-15
00:10:01 1 88 0.00 0.00 0.00

This reports the run queue size, the process list size and the load average over the last 1, 5 and 15 minutes. Adding "1 3" (sar -q 1 3) reports every 1 second, a total of 3 times.
The "blocked" column, when present, displays the number of tasks that are currently blocked waiting for an I/O operation to complete.
====================
sar -w

00:00:01 cswch/s
00:10:01 1958.80

This reports the total number of context switches per second.

===========
root@testserver [/var/log/sa]# sar -v
Linux 2.6.18-92.1.18.el5.028stab060.8 (testserver.com) 08/03/11

00:00:01 dentunusd file-sz inode-sz super-sz %super-sz dquot-sz %dquot-sz rtsig-sz %rtsig-sz
00:10:01 528134 510 196314 0 0.00 0 0.00 0 0.00
00:20:01 531924 1 197341 0 0.00 0 0.00 0 0.00

================

sar -n DEV: report network statistics.

IFACE
Name of the network interface for which statistics are reported.

rxpck/s
Total number of packets received per second.

txpck/s
Total number of packets transmitted per second.

rxbyt/s
Total number of bytes received per second.

txbyt/s
Total number of bytes transmitted per second.

rxcmp/s
Number of compressed packets received per second (for cslip etc.).

txcmp/s
Number of compressed packets transmitted per second.

rxmcst/s
Number of multicast packets received per second.
========================



II: SAR: it displays CPU utilization and other system activity

=========================
From the sar command we get the following information:

1. CPU utilization
2. Memory paging and its utilization
3. Network I/O, and transfer statistics
4. Process creation activity
5. All block devices activity
6. Interrupts/sec etc.
=========================

sar command: /usr/sbin/sar
symbolic link to the sar command: /bin/sar
log file directory: /var/log/sa
==========================

tcpdump

* tcpdump is also called a packet analyzer.
* tcpdump is a tool we can use for packet analysis.
* tcpdump is software that allows us to see inside the traffic activity that occurs on a network. It is a Unix tool used to gather data from the network, decipher the bits, and display the output in a human-readable format (granted, it does take a little instruction to learn the tcpdump language).


Commands:
====================================
1. To select an interface type:

tcpdump -i eth0

where eth0 is the interface
=====================================

2. To select the type of traffic you want to watch, specify it after your interface. For now we want to see TCP traffic.

tcpdump -i eth0 tcp
====================================

3. tcpdump gives us the option to dump the records in binary format to read later with tcpdump. We do this using the -w filename option (-F myfilter.txt reads the filter expression from a file).

tcpdump -i eth0 -F myfilter.txt -w LSOoutput

And to read that file back in we use the -r filename option (no interface is needed when reading from a file); read = -r and write = -w.

tcpdump -F myfilter.txt -r LSOoutput

====================================

4. Reading tcpdump output

Here is an example record:

20:08:41.313149 rootwars.org.1086 > 66.102.9.104.80: S 1192278531:1192278531(0) win 1638

a) 20:08:41.313149 This is the time stamp in the format of two digits for hours, two digits for minutes, two digits for seconds, and six digits for fractional parts of a second.

b) rootwars.org This is the source host name. The default behavior is to resolve the hostname, but you can turn it off with the tcpdump -n option. If you don't see a DNS name the IP will appear (something like IP COMPUTERNAME).

c) 1086 This is the source port number or port service.

d) > This is a marker to indicate the direction of flow, going from source to destination.

e) 66.102.9.104 This is the destination host name or IP address.

f) 80 This is the destination port number, or it may be translated as http.

g) S This is the TCP flag. The S represents a SYN flag (see the next section).

h) 1192278531:1192278531(0) This is the beginning TCP sequence number : ending TCP sequence number (data bytes). Sequence numbers are used by TCP to order the data received. The initial sequence number (ISN) is selected as a unique number to mark the first byte of data. The ending sequence number is the beginning sequence plus the number of bytes being sent with this TCP segment. In this case zero bytes were sent, so the beginning and ending sequence numbers are the same.

i) win 1638 This is the receive buffer size in bytes of rootwars.org for this connection.
======================================

5. TCP flags in tcpdump

1. SYN - S - Session establishment request, which is the first part of any TCP connection (3-way handshake).

2. ACK - ack - The ack flag is generally used to acknowledge the receipt of data from the sender. It may appear in conjunction with other flags.

3. FIN - F - The fin flag is generally used to indicate the sender's intention to gracefully terminate the sending host's connection to the receiving host.

4. RESET - R - The reset flag is generally used to indicate the sender's intention to immediately abort the existing connection with the receiving host.

5. PUSH - P - The push flag is generally used to immediately "push" data from the sending host to the receiving host. This is for applications like telnet.

6. URGENT - urg - The urgent flag is generally used to mean that there is "urgent" data that takes precedence over other data.

7. Placeholder - . - If the connection does not have a SYN, FIN, RESET or PUSH flag set, a placeholder (a period: .) will be found after the destination port.

========================================
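A parser for the record layout and flag letters explained above, added here as an example (not from the original post): it splits each "time src.port > dst.port: FLAG ..." line into its fields and then summarises, per source host, how many distinct destination ports received an initial SYN (flag S with no ack), which is the kind of fan-out a defender looks for in a capture. The capture lines are constructed for this example; hostnames, addresses and sequence numbers are made up.

```shell
#!/bin/sh
# Added example, not from the original post: parsing tcpdump records in the
# "time src.port > dst.port: FLAG ..." layout explained above and summarising
# the SYN activity per source. The capture lines are constructed for this
# example (hostnames, addresses and sequence numbers are made up).

sample_capture() {
    cat <<'EOF'
20:08:41.313149 rootwars.org.1086 > 66.102.9.104.80: S 1192278531:1192278531(0) win 1638
20:08:41.401020 66.102.9.104.80 > rootwars.org.1086: S 881255412:881255412(0) ack 1192278532 win 5840
20:08:41.401114 rootwars.org.1086 > 66.102.9.104.80: . ack 1 win 1638
20:08:42.000001 10.0.0.9.40001 > 10.0.0.5.21: S 10:10(0) win 512
20:08:42.000120 10.0.0.9.40002 > 10.0.0.5.22: S 11:11(0) win 512
20:08:42.000240 10.0.0.9.40003 > 10.0.0.5.23: S 12:12(0) win 512
20:08:42.000360 10.0.0.9.40004 > 10.0.0.5.25: S 13:13(0) win 512
20:08:43.120000 rootwars.org.1086 > 66.102.9.104.80: P 1:120(119) ack 1 win 1638
20:08:44.500000 rootwars.org.1086 > 66.102.9.104.80: F 120:120(0) ack 1 win 1638
EOF
}

# parse_records: one tab-separated line per packet:
#   time, src host, src port, dst host, dst port, flag, ack-present (1/0)
# The port is the last dot-separated component of each endpoint (fields b-f above).
parse_records() {
    awk '
        function host(ep) { sub(/\.[^.]*$/, "", ep); return ep }   # strip ".port"
        function port(ep) { sub(/^.*\./, "", ep); return ep }      # keep last component
        $3 == ">" {
            dst = $4; sub(/:$/, "", dst)                # drop the trailing colon
            ack = ($0 ~ / ack /) ? 1 : 0                # SYN/ACK and data carry "ack N"
            printf "%s\t%s\t%s\t%s\t%s\t%s\t%d\n",
                   $1, host($2), port($2), host(dst), port(dst), $5, ack
        }'
}

# syn_fanout THRESHOLD: sources whose initial SYNs (flag S without an ack,
# i.e. the first packet of a handshake rather than the SYN/ACK reply) reached
# more than THRESHOLD distinct destination ports on one host. Reads
# parse_records output on stdin and prints "src -> dst ports".
syn_fanout() {
    awk -F '\t' -v thr="$1" '
        $6 == "S" && $7 == 0 {
            key = $2 " -> " $4
            if (!seen[key, $5]++) ports[key]++      # count distinct dst ports
        }
        END { for (k in ports) if (ports[k] > thr + 0) print k, ports[k] }' | sort
}

# Real use: tcpdump -n -r capture.pcap | parse_records | syn_fanout 20
sample_capture | parse_records | syn_fanout 3
```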

When you execute the tcpdump command without any option, it captures all the packets flowing through all the interfaces. The -i option allows you to filter on a particular Ethernet interface.

Some examples for the tcpdump command:

1. tcpdump -i eth1 : In this example, tcpdump captures all the packets flowing on the interface eth1 and displays them on standard output.

2. tcpdump -c 2 -i eth0 : When you execute tcpdump it keeps printing packets until you cancel the command. Using the -c option you can specify the number of packets to capture. This tcpdump command captures only 2 packets from interface eth0.

3. Capture the packets and write them into a file using tcpdump -w

: tcpdump allows you to save the packets to a file, and later you can use the packet file for further analysis.
The -w option writes the packets into the given file. The file extension should be .pcap, which can be read by any network protocol analyzer.

4. Display captured packets in ASCII using tcpdump -A

: The following tcpdump syntax prints the packet in ASCII.
$ tcpdump -A -i eth0

5. Display captured packets in HEX and ASCII using tcpdump -XX

: Some users might want to analyse the packets in hex values. tcpdump provides a way to print packets in both ASCII and HEX format.
$ tcpdump -XX -i eth0

6. Capture packets with IP addresses using tcpdump -n

: In all the above examples, it prints packets with the DNS names, not the IP addresses. The following example captures the packets and displays the IP addresses of the machines involved.
: $ tcpdump -n -i eth0

7. Capture packets with proper readable timestamp using tcpdump -tttt

: $ tcpdump -n -tttt -i eth0

8. Read packets longer than N bytes

: $ tcpdump -w g_1024.pcap greater 1024

9. Receive only the packets of a specific protocol type

: You can receive the packets based on the protocol type. You can specify one of these protocols: fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. The following example captures only arp packets flowing through the eth0 interface.

: $ tcpdump -i eth0 arp

10. Read packets smaller than N bytes

: You can receive only the packets smaller than n bytes using the 'less' filter in the tcpdump command.

: $ tcpdump -w l_1024.pcap less 1024

11. Receive packets flowing on a particular port using tcpdump port:

: If you want to know all the packets received by a particular port on a machine, you can use the tcpdump command as shown below.

: $ tcpdump -i eth0 port 22

12. Capture packets for a particular destination IP and port:

: The packets will have source and destination IPs and port numbers. Using tcpdump we can apply filters on the source or destination IP and port number. The following command captures packets flowing in eth0 with a particular destination IP and port number 22.

: $ tcpdump -w xpackets.pcap -i eth0 dst 10.181.140.216 and port 22

13. Capture TCP communication packets between two hosts

: If two different processes on two different machines are communicating over TCP, we can capture those packets using tcpdump as shown below.
: $ tcpdump -w comm.pcap -i eth0 dst 16.181.170.246 and port 22

14. tcpdump filter packets: capture all the packets other than arp and rarp

: In the tcpdump command, you can use "and", "or" and "not" conditions to filter the packets accordingly.

: $ tcpdump -i eth0 not arp and not rarp
==================

some examples (taken from the shell history; note that a filter expression cannot begin with "and", so the three lines below that put "and" straight after the interface or the options are syntax errors):

tcpdump -npi eth0
tcpdump -nnpi eth0 not dst port 22
tcpdump -nnpi eth0 not dst port 22 and src port 22
tcpdump -nnpi eth0 and not dst port 22 and src port 22
tcpdump -nnpi eth0 and not dst port 22
tcpdump -nnp and not dst port 22
tcpdump -nnp not dst port 22
tcpdump -nnp not dst port 22 and not src port 22
tcpdump -nnp -tttt -A not dst port 22 and not src port 22

tcpdump -nnp -tttt -A -S not dst port 22 and not src port 22

=============================================

tcpdump command examples

tcpdump -nni eth0

tcpdump -nni eth0 host 10.0.0.100

tcpdump -nni eth0 dst host 10.0.0.100 and proto tcp

tcpdump -nni eth0 src net 10.0.0.0/24 and proto tcp and portrange 1-1024

-nn = don't use DNS to resolve IPs and display port numbers
-i = interface to watch: lo or eth0 or venet0 (virtual machines)
dst = watch only traffic destined to a net, host, or port
src = watch only traffic whose src is a net, host, or port
net = specifies a network, 10.0.0.0/24
host = specifies a host, 10.0.0.100
port = specifies a port; also portrange
proto = protocol, i.e. tcp, udp, icmp


tcpdump -s0 -A -nni eth0 dst host 10.0.0.100
tcpdump -s0 -A -nni eth0 dst host 10.0.0.100 and dst port 80

tcpdump -s0 -A -nni eth0 dst host 10.0.0.100 and dst port 80 and src net 10.100.0/24

tcpdump -s0 -A -nni eth0 dst net 10.0.0.0/24

tcpdump -s0 -A -nni venet0 not port 22 and dst host 10.0.0.100 and not src net 10.20.20.0/24 and not host 10.10.10.10 and src net 10.50.0.0/24

-s0 = setting snaplen to 0 means use the required length to catch whole packets.
-A = print each packet (minus its link level header) in ASCII.


tcpdump -vv -c10000 -s0 -A -w hack3rcon.pcap -nni eth0 not port 22

-c = count of packets to capture before exiting
-vv = more verbose output, including the number of packets captured
-w = write the raw packets to file
# you can't limit the size of the pcap, only the packet count
# use -c & -w together so you don't fill up your HD.

tcpdump -s0 -A -nn -r hack3rcon.pcap port 80

-r = read from file

Basic usage examples:

View basic network communication
tcpdump -nS (don't resolve DNS names, print the absolute sequence numbers)

View basic network communication, with added verbosity
tcpdump -nnvvS (don't resolve DNS or port names, be more verbose when printing info, print the absolute sequence numbers)

View network communication payloads in HEX
tcpdump -nnvvXS (same as above, but this time prints the packet payload in HEX)

View detailed packet information
tcpdump -nnvvXSs 1514 (same as above, this time we are specifying a packet length with -s 1514)


As you can see, running the above on a busy network will produce loads of network traffic information. This can be close to impossible to interpret as-is. tcpdump has a wonderful thing called 'expressions'. Using tcpdump expressions we can remove all of the traffic we do not wish to see and only view exactly what we are looking for.




III. tcpdump expressions

The true network ninja will have mastered these expressions to unleash the true power of tcpdump. tcpdump expressions come in three main types: type, dir and proto. The options belonging to the type category are host, net and port.

The packet direction is specified using dir; with this directive you can use the src, dst, src or dst, and src and dst options. Below are some examples of using each of these.

host - Looks for traffic based on the specified IP address; this can also be a valid DNS name if the -n option is not specified.
tcpdump host 192.168.1.1

src,dst - Looks for traffic from a specific source or destination.
tcpdump src 192.168.1.2
tcpdump dst 192.168.1.3

net - Looks for traffic from an entire CIDR range.
tcpdump net 192.168.1.0/24

proto - Looks for the type of traffic specified. proto does not need to be specified.
tcpdump tcp
tcpdump udp
tcpdump icmp

port - Looks for traffic to or from the specified port. Ports can be specified by their name or numeric value.
tcpdump port 22 or tcpdump port ssh

src port, dst port - Looks for traffic based on the source or destination ports.
tcpdump src port 1025
tcpdump dst port 22

As you can see, tcpdump expressions are fairly powerful in breaking down the types of traffic we would like to see. Now we will look into the real funky stuff that lies within tcpdump. tcpdump has some cool features that allow you to combine these expressions to create even more detailed and specific information related to traffic on the wire. tcpdump supports three different combinations to perform these advanced expressions; if you are a c0de m0nkey then these will be nothing new to see... move along ....

What is load average

It is the average number of processes waiting in the queue to be executed by the CPU over the specified period of time.

First off, there are three load averages. From left to right they are the 1 minute, 5 minute and 15 minute load averages.

Different Top commands

1. Top : to see the load

2. IfTop : This one will help you know who is currently using the bandwidth of your server. You will see the IP address and hostname of the other party as well as the data transfer rates in and out of these connections. Finally, at the bottom you have peaks, current rates and cumulative data transfers, in and out, with the 1, 5 and 15 minute averages.

3. MyTop : This one is fairly simple. It shows the top SQL requests made to the MySQL server, what the request is exactly (INSERT, UPDATE, DELETE, etc.), which user is making the request, on which database, and for how long (in seconds) the query has been running.

4. This last one simply monitors the number of requests made to Apache, the quantity of data processed by Apache, the files currently being downloaded and such. Once again, it is a great tool to monitor live stats about your Apache server.

suspicious process finding

We can use the following command to check the processes that may be using bash shells. When you get a server that seems to be hacked, run the script below to check for suspicious processes. It gives the path of the scripts that are currently running: the command records the current working directory of every process into the file /root/cwd. We can then check this file for any suspicious process run from a user home directory. Example given below.

root@navigator [/]# for i in `ps ax | awk {'print $1'} | grep -v PID`; do lsof -p $i | grep cwd; done > /root/cwd

root@navigator [/]# grep home /root/cwd | grep -v mail
bash 1038 root cwd DIR 8,8 4096 15270308 /home/bpcin/public_html
bash 7398 root cwd DIR 8,8 4096 7930070 /home/logger/public_html
crond 21970 madolphi cwd DIR 8,8 4096 95551493 /home/madolphi
php 21973 madolphi cwd DIR 8,8 4096 95551493 /home/madolphi
mysqld 22751 mysql cwd DIR 8,8 69632 78479361 /home/mysql
bash 24774 root cwd DIR 8,8 4096 41418821 /home/bytesil/public_html/images
crond 27996 madolphi cwd DIR 8,8 4096 95551493 /home/madolphi
php 28012 madolphi cwd DIR 8,8 4096 95551493 /home/madolphi
This will also contain the POP process for a mailbox, e.g.:
pop3d 4789 morpheww cwd DIR 8,8 4096 8454332 /home/morpheww/mail/morpheusworldwide.com/operations
We can ignore this, so I used "grep -v mail". But you should check all the lines inside the file /root/cwd for a detailed check: if a malicious process is running from a path with "mail" in its name, the above command will skip it.


Let me explain some processes you see in this output. The processes below are related to the cron job of the user madolphi. You can see these processes are using the php and crond binaries. These are not dangerous.
crond 21970 madolphi cwd DIR 8,8 4096 95551493 /home/madolphi
php 21973 madolphi cwd DIR 8,8 4096 95551493 /home/madolphi
root@navigator [/home/bpcin/www]# crontab -lu madolphi
MAILTO="madolphi"
*/15 * * * * /usr/local/bin/php -q /home/madolphi/public_html/followunfollowscript.php
bash 1038 root cwd DIR 8,8 4096 15270308 /home/bpcin/public_html
The above line means a user with root permission has SSH'ed into the server and is standing in the path /home/bpcin/public_html. This could be you yourself. To make sure of this you can run the following command.

ps aux | grep PID

Suspicious processes finding:
##################################################################
See this entry in the file /root/cwd
php 14362 homerec cwd DIR 8,8 4096 25101348 /home/homerec/public_html/my
root@navigator [/] cd /home/homerec/public_html/my/
root@navigator [/home/homerec/public_html/my]# ps ax | grep homerec
6555 pts/5 R+ 0:00 grep homerec
14362 ? S 0:02 /usr/bin/php /home/homerec/public_html/my/cp3.php
16559 ? S 0:02 /usr/bin/php /home/homerec/public_html/my/cp3.php
23391 ? S 0:02 /usr/bin/php /home/homerec/public_html/my/cp3.php


root@navigator [/home/homerec/public_html/my]# cat /home/homerec/public_html/my/php.ini
safe_mode = OFF
disable_functions = NONE

---> /home/homerec/public_html uses wordpress. php.ini is used to make the safe_mode Off.

root@navigator [/home/homerec/public_html/my]# head /home/homerec/public_html/my/cp3.php

/*||||||||||||||||||||||||||||||||||||||||||||*/
# Coded By Crazy_Hacker |
# Script: Cpanel + FTP Cracker |
# Site: www.0day.com |
# Forums: http://forums.0day.com/index.php |
/*|||||||||||||||||||||||||||||||||||||||||||*/


root@navigator [/home/homerec/public_html/my]# ll | grep php
-rw-r--r-- 1 homerec homerec 13063 May 6 10:47 cp3.php
-rw-r--r-- 1 homerec homerec 73 May 6 10:46 php.ini
-rw-r--r-- 1 homerec homerec 90553 May 6 10:47 phxdomain.php
##################################################################



##################################################################

Another entry:

bash 24774 root cwd DIR 8,8 4096 74842180 /home/amish/public_html

root@navigator [/home/amish/public_html]# lsof -p 24774
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 24774 root cwd DIR 8,8 4096 15305065 /home/uberscap/public_html/cache/high/wunderbar_emporium
bash 24774 root rtd DIR 8,6 4096 2 /
bash 24774 root txt REG 8,6 801512 880457 /bin/bash
##################################################################


##################################################################
bash 24774 root cwd DIR 8,8 4096 41418821 /home/bytesil/public_html/images

root@navigator [/home/waitwhat]# head /home/bytesil/public_html/images/new.php
GIF89a;
// ketek90@gmail.com
// no malware on this code, you can check it by yourself ;-)
##################################################################
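A triage script for the /root/cwd listing described above, added here as an example and not part of the original post: it parses the lsof "cwd" lines, grades each process whose working directory is under /home, and keeps the mail-directory lines that the "grep -v mail" shortcut would drop. The sample lines are constructed to mirror the page's output; the process-name sets and the extra "perl" line are assumptions.

```python
#!/usr/bin/env python3
"""Triage helper for the /root/cwd file produced by the lsof loop above.

Added example, not part of the original post. It reads the 'cwd' lines that
`lsof -p PID | grep cwd` prints (COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME)
and grades every process whose working directory is under /home, instead of
dropping all lines that mention "mail" the way `grep -v mail` does.
"""
from collections import namedtuple

CwdEntry = namedtuple("CwdEntry", "command pid user path")
Finding = namedtuple("Finding", "severity label entry next_step")

# Process names used by the checks below (assumptions; extend for your server).
SHELLS = {"bash", "sh", "dash", "zsh"}
INTERPRETERS = {"php", "php-cgi", "perl", "python", "ruby"}
MAIL_DAEMONS = {"pop3d", "imapd"}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


def parse_cwd_line(line):
    """Parse one lsof line; return a CwdEntry or None (header, non-cwd FD, junk)."""
    parts = line.split(None, 8)
    if len(parts) < 9 or parts[3] != "cwd" or not parts[1].isdigit():
        return None
    return CwdEntry(command=parts[0], pid=int(parts[1]), user=parts[2], path=parts[8].strip())


def classify(entry):
    """Apply the rules of thumb from the text to one entry; None means 'not under /home'."""
    parts = entry.path.split("/")   # '/home/user/public_html' -> ['', 'home', 'user', 'public_html']
    if len(parts) < 3 or parts[1] != "home":
        return None
    owner, below = parts[2], parts[3:]
    in_docroot = below[:1] == ["public_html"]
    in_maildir = below[:1] == ["mail"]

    if in_maildir:
        if entry.command in MAIL_DAEMONS:
            return Finding("info", "mailbox-access", entry,
                           "expected for %s; nothing to do" % entry.command)
        # This is exactly the case `grep -v mail` would have hidden.
        return Finding("high", "non-mail-process-in-maildir", entry,
                       "ps aux | grep %d ; inspect what %s is running there" % (entry.pid, entry.command))
    if entry.command in SHELLS and entry.user == "root":
        return Finding("medium", "root-shell-in-user-home", entry,
                       "ps aux | grep %d ; confirm it is an admin session" % entry.pid)
    if entry.command in INTERPRETERS and in_docroot:
        return Finding("high", "interpreter-running-from-docroot", entry,
                       "ps ax | grep %s ; head the script it executes" % owner)
    if entry.command == "crond":
        return Finding("info", "cron-job", entry, "crontab -lu %s" % owner)
    if entry.command in INTERPRETERS:
        return Finding("medium", "interpreter-in-home", entry,
                       "crontab -lu %s ; ps aux | grep %d" % (owner, entry.pid))
    return Finding("low", "other-process-in-home", entry, "review manually")


def triage(cwd_text):
    """Return findings for every /home entry, most severe first, then by PID."""
    findings = []
    for line in cwd_text.splitlines():
        entry = parse_cwd_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.entry.pid))
    return findings


# Constructed sample, modelled on the /root/cwd listing in the text (the
# 'perl' line is invented to show what `grep -v mail` would have hidden).
SAMPLE_CWD = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 1038 root cwd DIR 8,8 4096 15270308 /home/bpcin/public_html
crond 21970 madolphi cwd DIR 8,8 4096 95551493 /home/madolphi
php 21973 madolphi cwd DIR 8,8 4096 95551493 /home/madolphi
mysqld 22751 mysql cwd DIR 8,8 69632 78479361 /home/mysql
bash 24774 root cwd DIR 8,8 4096 41418821 /home/bytesil/public_html/images
pop3d 4789 morpheww cwd DIR 8,8 4096 8454332 /home/morpheww/mail/example.com/operations
php 14362 homerec cwd DIR 8,8 4096 25101348 /home/homerec/public_html/my
perl 3333 someuser cwd DIR 8,8 4096 4242 /home/someuser/mail/tmp
sshd 900 root rtd DIR 8,6 4096 2 /
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_CWD):
        print("%-6s %-34s %-8s %6d %-10s %s" % (f.severity, f.label, f.entry.command,
                                               f.entry.pid, f.entry.user, f.entry.path))
        print("       next: " + f.next_step)
```

Run it against the real file with `python3 triage_cwd.py < /root/cwd` after replacing SAMPLE_CWD with `sys.stdin.read()`; the "next" hints are the same manual checks the text performs.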

Difference between 0.0.0.0 and 255.255.255.255

0.0.0.0 represents "any address". If you bind a listening socket to 0.0.0.0, you're telling the OS to accept connections on any IP address that the host has network adapters bound to.

255.255.255.255 (INADDR_BROADCAST) is the broadcast address for your LAN segment.

Tuesday, August 2, 2011

Add a module to apache using apxs

To add mod_rewrite.c using apxs. Assuming the apache source file is located at /usr/src/apache/httpd-2.2.14

cd /usr/src/apache/httpd-2.2.14/modules/mappers/

/usr/local/apache/bin/apxs -i -a -c mod_rewrite.c



You will get the message module has been added. Restart apache.

Install mysql

yum list | grep mysql



Choose the mysql you need to install and do the following.

yum install mysql-package




Manual install using rpm:



Download rpms from here and install:

http://httpupdate.cpanel.net/mysqlinstall/

rpm -ivh package-name
Manual install by building from source:

wget http://mysql.he.net/Downloads/MySQL-5.1/mysql-5.1.33.tar.gz
tar xzvf mysql-5.1.33.tar.gz
cd mysql-5.1.33
./configure --prefix=/usr/local/mysql --with-extra-charsets=complex --enable-thread-safe-client --enable-local-infile --enable-shared --with-plugins=innobase

make

make install

cd /usr/local/mysql
sudo ./bin/mysql_install_db --user=mysql
sudo chown -R mysql ./var

Start mysql

mysql -uroot

Nagios Installation

What You'll End Up With

If you follow these instructions, here's what you'll end up with:

* Nagios and the plugins will be installed underneath /usr/local/nagios
* Nagios will be configured to monitor a few aspects of your local system (CPU load, disk usage, etc.)
* The Nagios web interface will be accessible at http://localhost/nagios/

Prerequisites

During portions of the installation you'll need to have root access to your machine.

Make sure you've installed the following packages on your Fedora installation before continuing.

* Apache
* PHP
* GCC compiler
* GD development libraries

You can use yum to install these packages by running the following commands (as root):

yum install httpd php
yum install gcc glibc glibc-common
yum install gd gd-devel

1) Create Account Information

Become the root user.

su -l

Create a new nagios user account and give it a password.

/usr/sbin/useradd -m nagios
passwd nagios

Create a new nagcmd group for allowing external commands to be submitted through the web interface. Add both the nagios user and the apache user to the group.

/usr/sbin/groupadd nagcmd
/usr/sbin/usermod -a -G nagcmd nagios
/usr/sbin/usermod -a -G nagcmd apache

2) Download Nagios and the Plugins

Create a directory for storing the downloads.

cd /usr/src

Download the source code tarballs of both Nagios and the Nagios plugins (visit http://www.nagios.org/download/ for links to the latest versions). These directions were tested with Nagios 3.1.1 and Nagios Plugins 1.4.11.

wget http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.2.1.tar.gz
wget http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.11.tar.gz

3) Compile and Install Nagios

Extract the Nagios source code tarball.

cd /usr/src

tar xzf nagios-3.2.1.tar.gz
cd nagios-3.2.1

Run the Nagios configure script, passing the name of the group you created earlier like so:

./configure --with-command-group=nagcmd

Compile the Nagios source code.

make all

Install binaries, init script, sample config files and set permissions on the external command directory.

make install
make install-init
make install-config
make install-commandmode

Don't start Nagios yet - there's still more that needs to be done...

4) Customize Configuration

Sample configuration files have now been installed in the /usr/local/nagios/etc directory. These sample files should work fine for getting started with Nagios. You'll need to make just one change before you proceed...

Edit the /usr/local/nagios/etc/objects/contacts.cfg config file with your favorite editor and change the email address associated with the nagiosadmin contact definition to the address you'd like to use for receiving alerts.

vi /usr/local/nagios/etc/objects/contacts.cfg

5) Configure the Web Interface

Install the Nagios web config file in the Apache conf.d directory.

make install-webconf

Create a nagiosadmin account for logging into the Nagios web interface. Remember the password you assign to this account - you'll need it later.

htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

Restart Apache to make the new settings take effect.

service httpd restart

Note: Consider implementing the enhanced CGI security measures described here to ensure that your web authentication credentials are not compromised.

6) Compile and Install the Nagios Plugins

Extract the Nagios plugins source code tarball.

cd /usr/src
tar xzf nagios-plugins-1.4.11.tar.gz
cd nagios-plugins-1.4.11

Compile and install the plugins.

./configure --with-nagios-user=nagios --with-nagios-group=nagios
make
make install

7) Start Nagios

Add Nagios to the list of system services and have it automatically start when the system boots.

chkconfig --add nagios
chkconfig nagios on

Verify the sample Nagios configuration files.

/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

If there are no errors, start Nagios.

service nagios start

8) Modify SELinux Settings

Fedora ships with SELinux (Security Enhanced Linux) installed and in Enforcing mode by default. This can result in "Internal Server Error" messages when you attempt to access the Nagios CGIs.

See if SELinux is in Enforcing mode.

getenforce

Put SELinux into Permissive mode.

setenforce 0

To make this change permanent, you'll have to modify the settings in /etc/selinux/config and reboot.

For information on running the Nagios CGIs under Enforcing mode with a targeted policy, visit the Nagios Support Portal or Nagios Community Wiki.

9) Login to the Web Interface

You should now be able to access the Nagios web interface at the URL below. You'll be prompted for the username (nagiosadmin) and password you specified earlier.

http://server_IP/nagios/



Configure nagios.

The main conf file for nagios is /usr/local/nagios/etc/nagios.cfg

When you open nagios in the browser after this fresh install, you can see localhost added. The conf file for this is /usr/local/nagios/etc/objects/localhost.cfg

It has been added to the file /usr/local/nagios/etc/nagios.cfg as follows.

[root@localhost objects]# grep localhost.cfg /usr/local/nagios/etc/nagios.cfg
cfg_file=/usr/local/nagios/etc/objects/localhost.cfg

If you need to add another host, copy this file under another name and change the IP and hostname accordingly.

cp /usr/local/nagios/etc/objects/localhost.cfg /usr/local/nagios/etc/objects/newserver.cfg

Include this cfg file to the nagios.cfg as follows.

cfg_file=/usr/local/nagios/etc/objects/newserver.cfg

Check nagios for errors.

/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

If there are no errors, restart nagios.

service nagios restart

Check in browser, if you can see the new server.

Lite speed configuration + PHP recompilation

Features of LiteSpeed WebServer

- Runs on almost all platforms like Linux, FreeBSD, Solaris, Mac OS X etc
- It is fully compatible with most of the common control panels like cPanel, Ensim, DirectAdmin, Plesk, etc.
- PHP scripting is up to 50% faster than Apache’s mod_php

1.Litespeed configuration

1.1 Check Litespeed

Open http://IP:7080/ in the browser; you will see a LiteSpeed welcome page.

Let us check if it is listening to the port we have mentioned.

# netstat -pant | grep lshttpd
tcp 0 192.168.1.19:7080 0.0.0.0:* LISTEN 18718/lshttpd
tcp 0 192.168.1.19:80 0.0.0.0:* LISTEN 18718/lshttpd

1.2 Admin Area

You can manage the admin area at

http://IP:7080/.

Here IP is your server IP

1.3 Log Files

The log files reside under /usr/local/lsws/.

2. To Integrate with DA

LiteSpeed Web Server works very well with DirectAdmin managed web sites. Performance will increase by up to 10x by replacing Apache with LSWS.

To replace Apache with LSWS :-

2.1 Go to the admin area

Access the admin area at http://IP:7080 with the admin username and password.

2.2 Go to Configurations >> Server >> General.

Hovering the cursor over the button next to each option shows a short description of it.

2.3 Scroll down to “Using Apache Configuration File”

Load Apache Configuration => Yes
Auto Reload On Changes => Yes (Changes made in WHM/cPanel will be applied automatically)
Apache Configuration File => /usr/local/apache/conf/httpd.conf
Apache Port Offset => 1000 (Try LiteSpeed on port 1080 and 1443 first, change to 0 later)
Apache IP Offset => 0
PHP suEXEC => Yes (Run PHP in suEXEC mode)
PHP suEXEC Max Conn => 8 (The maximum PHP processor each account can have)

2.4 Scroll back up to “Index Files” and set it as follows:

Index Files index.html, index.php, index.php5, index.php4, index.htm
Auto Index Not Set
Auto Index URI Not Set

2.5 Scroll down to “HT Access”

Allow Override Check: Limit, Auth, FileInfo, Indexes, Options Uncheck: None
Access File Name .htaccess

2.6 Go to Configurations >> Server >> Listeners

delete all current listeners.

2.7 Now restart the webserver

service lsws restart

3. PHP recompilation

By default, LiteSpeed comes with PHP 4.4.x compiled with LSAPI, so we have to install the latest stable version of PHP with LSAPI for our LiteSpeed. With the PHP LiteSpeed SAPI, LiteSpeed's PHP performance is much more efficient than Apache's mod_php or FastCGI.

You can easily recompile PHP in the server from the Panel.

3.1 Log in to the admin area.

http://IP:7080/.

3.2 Go to

Admin >> Actions >> Recompile PHP

3.3 Recompile PHP

Compile PHP with LSAPI

3.3.1 Step 1 : Select a PHP version

Here you can select PHP version. Select your desired PHP version and click next.

3.3.2 Step 2 : Choose PHP 5.2.9 Build Options

Here I have selected PHP 5.2.9

a. Load Configuration

- Use configuration from previous Build
- Restore default

b. Install Path Prefix - You can specify installation path

c. Configure Parameters - Configuration command

d. Security Patches - Suhosin (General Hardening), Mail Header (Identifies Mail Source)

e. Install Opcode Cache - None, APC, eAccelerator, XCache

3.3.3 Click Build PHP

3.4 Here you will get a custom phpbuild command.

If you log in as root, you can directly run the command:

# /usr/local/lsws/phpbuild/buildphp_manual_run.sh

If you log in as a user who has sudo permission, you can run the command with sudo and input root password after prompt.

$ sudo /usr/local/lsws/phpbuild/buildphp_manual_run.sh

To apply changes, please visit Control Panel and execute a Graceful Restart. Apply Changes

Installing and Configuring LiteSpeed Webserver

1.1 Features of LiteSpeed WebServer

- Runs on almost all platforms like Linux, FreeBSD, Solaris, Mac OS X etc
- It is fully compatible with most of the common control panels like cPanel, Ensim, DirectAdmin, Plesk, etc.
- PHP scripting is up to 50% faster than Apache's mod_php
- supports CGI, Fast CGI, PHP, Servlet/JSP, Proxy, SSLv2/SSLv3/TLSv1, IPv4 and IPv6
- GZIP compression
- high performance .htaccess implementation, this alone can double the server capacity and reduce server load by 5-10 times against using apache.
- LDAP authentication
- Apache compatible URL rewrite engine
- MS FrontPage Server Extension
- Strictest HTTP request validation
- Deny any buffer-overrun attempt
- Secure against popular DoS attacks
- Chroot support
- Chroot and suexec CGI script
- supports FastCGI suEXEC for improved security
- Small memory footprint
- Thousands of concurrent connections
- Increase scalability of external web applications
- Efficient and high performing CGI daemon and Perl daemon
- SSL Hardware acceleration
- can recover from service failure instantly
- Migration from other webservers is quite quick and easy
- it can also act as a security guard in front of the current webserver, improving performance, scalability and security.
- can perform up to 50% better during high loads when compared to httpd and lighttpd.
- PHP CGI/FCGI SAPI
- With PHP LiteSpeed SAPI, LiteSpeed's PHP performance is up to 100% better than Apache's mod_php.
- Ruby LSAPI is about 50% faster than Ruby FCGI for the simple "Hello, World" test.


2. Install LiteSpeed

# cd /usr/src


# wget http://litespeedtech.com/packages/3.0/lsws-3.1.1-std-i386-linux.tar.gz


# tar -xvzf lsws-3.1.1-std-i386-linux.tar.gz


# cd lsws-3.1.1


# ./install.sh



You will encounter few questions and need to select the following options:

* Do you agree with above license? Yes
* Destination [/opt/lsws]: /opt/lsws [ /usr/local/lsws can also be used]
* User name [admin]: admin
* Password: youradminpassword
* Retype password: youradminpassword
* User [nobody]: nobody [use a non-system user that doesn't have a shell access and home directory]
* Group [nobody]: nobody [group the webserver will be running as]
* HTTP port [8088]: 1080 [you can give any port you wish to run lsws. If any other webserver is running on this port, stop it before starting lsws]
* Admin HTTP port [7080]: 7080
* Both these ports should be enabled in the firewall
* Setup up PHP [Y/n]: Y
* Suffix for PHP script(comma separated list) [php]: php
* Would you like to change PHP opcode cache setting [y/N]? N
* Would you like to install AWStats Add-on module [y/N]? N
* Would you like to import Apache configuration [y/N]? N
* Would you like to have LiteSpeed Web Server started automatically when the machine restarts [Y/n]? Y
* Would you like to start it right now [Y/n]? Y


LiteSpeed Web Server started successfully! Have fun!


2.1 Check Litespeed

Open http://192.168.1.19:1080/ in the browser; you will see a LiteSpeed welcome page.

Let us check if it is listening to the port we have mentioned.

# netstat -pant | grep lshttpd
tcp 0 192.168.1.19:7080 0.0.0.0:* LISTEN 18718/lshttpd
tcp 0 192.168.1.19:80 0.0.0.0:* LISTEN 18718/lshttpd


2.2 Admin Area
You can manage the admin area at

http://192.168.1.19:7080/.


Here 192.168.1.19 is my local machine's ip.


2.3 Log Files
The log files are located at /opt/lsws/logs.


3. To Integrate with Cpanel
LiteSpeed Web Server works very well with cPanel managed web sites. Performance will increase by up to 10x by replacing Apache with LSWS.


To replace Apache with LSWS :-
3.1 Go to the admin area
Access the admin area at http://192.168.1.19:7080 with the admin username and password.


3.2 Go to Configurations >> Server >> General.
Hovering the cursor over the button next to each option shows a short description of it.


3.3 Scroll down to "Using Apache Configuration File"

Load Apache Configuration => Yes
Auto Reload On Changes => Yes (Changes made in WHM/cPanel will be applied automatically)
Apache Configuration File => /usr/local/apache/conf/httpd.conf
Apache Port Offset => 1000 (Try LiteSpeed on port 1080 and 1443 first, change to 0 later)
Apache IP Offset => 0
PHP suEXEC => Yes (Run PHP in suEXEC mode)
PHP suEXEC Max Conn => 8 (The maximum PHP processor each account can have)


3.4 Scroll back up to "Index Files" and set it as follows:


Index Files index.html, index.php, index.php5, index.php4, index.htm
Auto Index Not Set
Auto Index URI Not Set




3.5 Scroll down to "HT Access"


Allow Override Check: Limit, Auth, FileInfo, Indexes, Options Uncheck: None
Access File Name .htaccess




3.6 Go to Configurations >> Server >> Listeners
delete all current listeners.


3.7 Now restart the webserver

service lsws restart


4. PHP
By default, LiteSpeed comes with PHP 4.4.x compiled with LSAPI, so we have to install the latest stable version of PHP with LSAPI for our LiteSpeed. With the PHP LiteSpeed SAPI, LiteSpeed's PHP performance is much more efficient than Apache's mod_php or FastCGI.

# /opt/lsws/fcgi-bin/lsphp -v
PHP 4.4.7 (litespeed) (built: May 30 2007 05:16:33)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies



4.1 Download the latest stable PHP


# wget http://in2.php.net/distributions/php-5.2.3.tar.gz
# tar -zxf php-5.2.3.tar.gz
# cd php-5.2.3
# cd sapi



4.2 Download and expand latest LSAPI for PHP into the “sapi” folder:

# wget http://www.litespeedtech.com/packages/lsapi/php-litespeed-4.0.tgz
# tar -zxf php-litespeed-4.0.tgz


4.3 Change directory to php-5.2.3 and run commands:

# cd ..
# touch ac*
# ./buildconf --force


4.4 Configure/Compile PHP:

4.4.a # php -i | grep configure | sed "s/'//g" | sed "s/'//g"


4.4.b # Remove the "--with-apxs=/usr/local/apache/bin/apxs" part from the output of 4.4.a

and add '--prefix=/php5' '--with-litespeed' '--with-config-file-path=../php'


# ./configure '--prefix=/php5' '--with-litespeed' '--with-config-file-path=../php' --with-mysql ... [append the full options from 4.4.a]


# make


# make install



Note: You must compile PCRE (Perl Compatible Regular Expressions) support in
order for the default auto-index PHP script to work correctly (at least this
is true for 3.0RC2).


4.5 Replace the lsphp binary in /opt/lsws/fcgi-bin/lsphp with /php-5.2.3/sapi/litespeed/php:

# cd /opt/lsws/fcgi-bin/
# mv lsphp lsphp.old
# cp /php-5.2.3/sapi/litespeed/php lsphp


4.6 To check installation success:

# /opt/lsws/fcgi-bin/lsphp -v

PHP 5.2.3 (litespeed) (built: May 31 2007 14:05:12)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies



4.7 php.ini

The php.ini file will be located at /opt/lsws/php/php.ini

If we want to use the old php.ini, just copy it here.

# cd /opt/lsws/php
# mv php.ini php.ini.old
# cp /usr/local/ZEND/etc/php.ini .



4.8 Restart Litespeed Webserver

Finally restart LSWS to use our new PHP binary.

/opt/lsws/bin/lswsctrl restart

That's it. You are done!!!


5. Limitations

This webserver comes as a Standard version (which is free and has several limitations) and as an Enterprise version (which is more optimized and has far fewer limitations). A few drawbacks of the free version are: the Maximum Concurrent Connections is limited to 150, it cannot utilize more than one processor, etc. Hence, to take full advantage of LSWS you have to purchase the Enterprise version.

6. Conclusion

We have installed LiteSpeed Webserver and integrated it to use with CPanel. Now the web pages will load fast. At the same time the server load and memory usage will be lower. More web sites can now be hosted on this server and we can feel the speed. In short, LiteSpeed is the best choice for shared hosting service providers in terms of performance, security and server capacity.

Go ahead, give LiteSpeed a try and discover why over 300,000 internet domains are currently powered by LSWS.


References:
http://litespeedtech.com/
http://en.wikipedia.org/wiki/LiteSpeed_Web_Server/
http://creativeflux.co.uk/entry/replacing-apache-with-litespeed/
http://www.usefuljaja.com/litespeed


Downloads:
http://www.php.net/downloads.php
http://www.litespeedtech.com/products/webserver/lsapi/

Fuser command

fuser is a UNIX command used to show which processes are using a specified file, file system, or socket.

# To list the process numbers of local processes using the /etc/passwd file, enter:

fuser /etc/passwd

# To list the process numbers and user login names of processes using the /etc/filesystems file, enter:

fuser -u /etc/filesystems

# To terminate all of the processes using a given file system, enter:

fuser -k -x -u -c /dev/hd1

or

fuser -kxuc /home

List the content of a tar file

If you need to list the contents of a tar or tar.gz file on screen before extracting all the files:

List the contents of a tar file
$ tar -tvf file.tar

List the contents of a tar.gz file
$ tar -ztvf file.tar.gz

List the contents of a tar.bz2 file
$ tar -jtvf file.tar.bz2

Setup Password protect file via shell

1. Create a file name .htaccess in the folder that you want to password protect with the content below.

AuthType Basic
AuthUserFile /home/username/pass
AuthName "Members Area"
require valid-user

2. In shell, type

/usr/local/apache/bin/htpasswd -c /home/username/pass your_desire_username

You will be prompted for a new password.

3. Enter the password and confirm it.

Once you enter your password, the password file will be created in the /home/username directory and the website folder is now password protected.

4. To add additional users,

/usr/local/apache/bin/htpasswd /home/username/pass your_desire_username

5. To remove users, edit /home/username/pass and remove the line containing the username.

More information: http://blog.dreamhosters.com/kbase/index.cgi?area=834

A memory testing tool

cd /usr/local/src

wget http://pyropus.ca/software/memtester/memtester-4.0.5.tar.gz

tar -zxf memtester-4.0.5.tar.gz

cd memtester-4.0.5

make

./memtester 1024 5

This is for 1 GB (1024 MB) of RAM; the test will be run 5 times.

To list only directories

If you want to list only directories you can use this.

ls -d */.

cut command

I have a large text file (it's a log file, actually) and I need to truncate each line to about 16 characters.

cut -c1-16 /path/to/filename > /path/to/output_filename

output_filename will contain the result.

Some useful sed commands

to remove the first line of a file from our output stream

$ sed -e '1d' filename | more

to delete lines 1-10 of the output

$ sed -e '1,10d' filename | more

to delete lines that start with a "#" from files

$ sed -e '/^#/d' filename | more

to print only virtualHosts in apache conf

$ sed -n '/^ /path/to/httpd.conf

Tuesday, July 26, 2011

Delete a file using Inode number

You can delete a file using its inode number as follows.
find . -inum 88 -exec rm -i {} \;

This will find the file with inum 88 in the present directory and delete it.

Kernel Compilation

KERNEL DOWNLOAD: Download the latest one
http://www.kernel.org/pub/linux/kernel/v2.6/
linux-2.6.20.tar.bz2
tar jxf linux-2.6.20.tar.bz2
http://www.linuxelectrons.com/News/HowTO/20040315152255759

for i in `lsmod | awk {'print $1'}`; do find /lib/modules/2.4.27-grsec/kernel/ -iname ${i}.o ; done | wc
lsmod | wc

for i in `lsmod | awk {'print $1'}`; do find /lib/modules/2.4.28-grsec/kernel/ -iname ${i}.o ; done |wc

In 2.6 kernel
for i in `lsmod | awk {'print $1'}`; do find /lib/modules/2.6.20/kernel/ -iname ${i}.ko ; done


cd /usr/src/linux-2.6.24
make clean
make mrproper
make menuconfig

in general tab
==> Processor Type and Features
==> High Memory support
==> select 64 bit
go to general
==> Power management
==> Disable Cpu Scaling
go to general
==> Networking
==> Networking option
==> network packet filtering framework -> netfilter
==> enable network packet filtering debugging
==> core net filtering
==> select all as modules
come back
==> IP net filter
==> select All
go to general
==> Device Drivers
==> Serial ATA LibATA or Serial ATA Parallel ATA
==> Select all INTEL as modules
==> select libata
==> Select Intel ESB|IDH|PIIX3|PATA
go to general
==> FileSystem
==> make sure ext2/ext3 enabled
go back to general
==> Quota support On

make
make modules_install
make install

To boot once with the currently compiled kernel use below. Further reboots will be done on the existing kernel.

echo "savedefault --default=2 --once" | grub --batch
reboot

Remember to replace "2" to match your own config!

Wednesday, July 6, 2011

Remote mysql connection

1. Remote mysql connection

mysql -u username -h IP

2. Remote mysql dump

mysqldump -u root -h 192.168.28.179 stol3_site > stol3_site.sql

3. remote mysql restore

mysql -u root -h 192.168.28.179 steinbac_site < stol3_site.sql

Unable to delete database from cpanel

1) Edit /var/cpanel/databases/dbindex.db and /var/cpanel/databases/dbindex.db.org and remove lines referencing the databases to be removed
2) Edit /var/cpanel/databases/rasheedb.yaml and /var/cpanel/databases/rasheedb.yaml.org and remove lines referencing the databases to be removed
3) `/usr/local/cpanel/bin/setupdbmap`
4) `/scripts/update_db_cache`

Maldet scan

maldet --scan-all /home?/?/public_html
root@server01 [/home/examisp/public_html] maldet --scan-all ./

Script to check PHP functions

Script to check if a php function "fwrite" is enabled or not

<?php
// function_exists() returns false for functions listed in disable_functions
if(function_exists('fwrite')) {
echo "fwrite function is enabled";
}
else {
echo "fwrite is not enabled";
}
?>

Saturday, July 2, 2011

Disable ModSec2 per domain per folder

When a client complains about a modsec error, it is not advisable to turn off the specific rule he has an issue with globally. Nor is it advisable to turn off modsec completely for that domain. Prior to modsec2, we were able to turn off modsec completely, or per rule, through the .htaccess of a domain. From modsec2 onwards, it is not possible to use .htaccess to disable modsec. We need to add rules inside the file "/usr/local/apache/conf/whitelist.conf" or disable using the modsec rule id.

We can disable modsec for a domain completely using the following rule added to the whitelist.conf.

SecRule SERVER_NAME "domain.com" phase:1,nolog,allow,ctl:ruleEngine=off

So what do these words specify? Some are pretty straightforward:

nolog: Prevents rule matches from appearing in both the error and audit logs.
allow: Stops rule processing on a successful match and allows the transaction to proceed.
ctl: The ctl action allows configuration options to be updated for the transaction, i.e. it says what change should be made to the configuration options. For example, ruleEngine is "on" by default; we are telling modsec to turn it "off" when the server name matches domain.com. So this is the action to be taken.

Now what is the stuff called phase:1 ?
ModSecurity 2.x allows rules to be placed in one of the following five phases:
Refer for more details here
http://www.modsecurity.org/documentation/modsecurity-apache/2.5.12/modsecurity2-apache-reference.html#processing-phases

I will explain phase:1 now.
Phase 1
Phase Request Headers
Rules in this phase are processed immediately after Apache completes reading the request headers (post-read-request phase). At this point the request body has not been read yet, meaning not all request arguments are available. Rules should be placed in this phase if you need to have them run early (before Apache does something with the request), to do something before the request body has been read, determine whether or not the request body should be buffered, or decide how you want the request body to be processed (e.g. whether to parse it as XML or not).

Modsec applies the rules specified as phase:1 as soon as the Apache request is received; not much has been done to the request at that point. I will explain with an example now.

Let's come back to the initial situation. We had disabled modsec for a domain completely. But this is not good practice. It is recommended to disable modsec per domain, per location and per rule. Isn't that the ideal case? How do we do it in modsec2?

In modsec2, we can see there are a lot of default rules. If you look at such a rule, you will notice there is an id attached to it. See below.

----
#Generic PHP exploit signatures
SecRule REQUEST_URI "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"
---

We can disable the above modsec rule for a domain using the id by adding the following line inside the file /usr/local/apache/conf/whitelist.conf

SecRule SERVER_NAME "domain.net" phase:1,nolog,allow,ctl:ruleRemoveById=330001

But what we need is not to disable a rule fully per domain, but per folder or location. How do we do this?

In Modsec there is a directive called SecRuleRemoveById. It can be used inside the virtualhost entry of the domain in httpd.conf, scoped to the folder for which the rule should not apply. If we need to disable the above rule id for the location domain.com/help, i.e. /home/username/public_html/help, we add these lines to the virtualhost entry of the domain "domain.com". After that, domain.com/paypal will still give the modsec error while domain.com/help/paypal will not.


SecRuleRemoveById 330001


This is useful in cases like the one below, where modsec blocks a page because it loads an image named paypal.png from the images folder. The above entry can be applied inside the VH of domain.com for the images folder.

----
[Thu Jun 03 13:53:42 2010] [error] [client 90.210.133.41] ModSecurity: Access denied with code 406 (phase 2). Pattern match "/paypal" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.global.conf"] [line "101"] [hostname "domain.com"] [uri "/image/paypal.png"] [unique_id "TAfsJkJH8oIAAFEcNNwAAAAA"]
----
As the log says, the rule responsible for this error is on line 101 of the file /usr/local/apache/conf/modsec2.global.conf. Let's look at it.

SecRule REQUEST_URI "paypal" "deny,log,status:406"

Did you find an "id" in the above rule? No, right? The unique_id seen in the log should not be confused with the rule "id": unique_id is the identifier modsec assigns to each log message. Without an id we cannot disable this particular rule per domain or per location. How can we give a rule an id? Modify the rule as follows inside the file /usr/local/apache/conf/modsec2.global.conf

SecRule REQUEST_URI "/paypal" "id:900000,deny,log,status:406"

Now the rule has an id, and you can disable it per domain or location as explained above.

I will explain phase:1 and phase:2 a bit more with an example. Imagine I add phase:1 to the above rule as follows.

SecRule REQUEST_URI "/paypal" "phase:1,id:900000,deny,log,status:406"

This means that when a request like domain.com/paypal reaches Apache, it is rejected at the very first stage of request processing. At that point Apache has not yet mapped the request to a directory, so it will not even check whether a per-directory SecRuleRemoveById entry in httpd.conf applies.

If we change the rule as follows, i.e. use phase:2 instead of phase:1

SecRule REQUEST_URI "/paypal" "phase:2,id:900000,deny,log,status:406"

Here the rule is applied to the request domain.com/paypal at a later stage of request processing, not the first. By then Apache has mapped the request to its directory and has seen any SecRuleRemoveById entry for this rule id. If it finds the line below inside the httpd.conf entry for /home/username/public_html/help, requests for that path are not checked by the rule, i.e. they are whitelisted.


SecRuleRemoveById 900000
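Before writing a whitelist line or a SecRuleRemoveById you need the file, line and (if present) id of the rule that fired, and the log is the only place to get them. The shell functions below are an added example, not part of the original notes: they pull those fields out of ModSecurity error_log entries and build the per-domain whitelist line in the form used on this page, with the SERVER_NAME regex anchored. The two log lines are constructed samples modelled on the entry quoted above (the second carries the id of the generic PHP rule shown earlier); nothing here is real traffic.

```shell
#!/bin/sh
# Added example, not from the original notes: summarise ModSecurity denials from
# error_log so the rule file, line and id can be looked up before whitelisting.

# Two constructed log lines modelled on the entry quoted above (not real traffic).
SAMPLE_LOG='[Thu Jun 03 13:53:42 2010] [error] [client 90.210.133.41] ModSecurity: Access denied with code 406 (phase 2). Pattern match "/paypal" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.global.conf"] [line "101"] [hostname "domain.com"] [uri "/image/paypal.png"] [unique_id "TAfsJkJH8oIAAFEcNNwAAAAA"]
[Thu Jun 03 13:55:10 2010] [error] [client 90.210.133.41] ModSecurity: Access denied with code 406 (phase 2). Pattern match "posix_setuid" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "12"] [id "330001"] [msg "Generic PHP exploit pattern denied"] [hostname "domain.com"] [uri "/help/index.php"] [unique_id "TAfsJkJH8oIAAFEcNNwAAAAB"]'

# modsec_field KEY LINE -> the value of the [KEY "value"] tag, empty if absent.
# "[id " does not match "[unique_id ", so the rule id and the message id stay apart.
modsec_field() {
  printf '%s\n' "$2" | sed -n "s/.*\[$1 \"\([^\"]*\)\"].*/\1/p"
}

# modsec_summarize LOGTEXT -> one tab-separated line per denial:
#   hostname  uri  rule-file  rule-line  rule-id (NO-ID when the rule has none)
modsec_summarize() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case $line in *"ModSecurity: Access denied"*) ;; *) continue ;; esac
    id=$(modsec_field id "$line")
    printf '%s\t%s\t%s\t%s\t%s\n' \
      "$(modsec_field hostname "$line")" "$(modsec_field uri "$line")" \
      "$(modsec_field file "$line")" "$(modsec_field line "$line")" "${id:-NO-ID}"
  done
}

# whitelist_rule DOMAIN ID -> the whitelist.conf line in the form used above,
# with the SERVER_NAME regex anchored so only that exact host is matched.
whitelist_rule() {
  host_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
  printf 'SecRule SERVER_NAME "^%s$" "phase:1,nolog,allow,ctl:ruleRemoveById=%s"\n' "$host_re" "$2"
}

# On a live server: modsec_summarize "$(cat /path/to/apache/error_log)"
# A NO-ID row means the rule must first be given an id, as shown above.
```

Rows that come back with NO-ID are exactly the case described above: the rule cannot be removed per domain or location until an id is added to it.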

Sunday, June 5, 2011

Super blocks

*. Super blocks are used to store file system information
*. Each file system has a superblock

A superblock stores the following information

*. file system type
*. Size
*. Status
*. Information about other metadata structures

Thursday, June 2, 2011

Split command

The split command is used to split a large file into smaller ones

syntax: split --bytes=1m /path/to/large/file /path/to/output/prefix

$ split --bytes=1m /path/to/large/file /path/to/output/file/prefix

* You can change the output file size by changing --bytes=1m to your preference. You can use the suffixes b, k or m; note that in GNU split b stands for 512-byte blocks, k for kilobytes and m for megabytes.

To restore the original file, you can use the cat command.
To join all the smaller files and restore the original, type:

$ cat prefix* > NEWFILENAME


Eg:

split --bytes=1m thetruth_wrdp2.sql thetruth_wrdp2.sql_
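Joining the chunks with cat is only safe if the result is checked before the chunks (or the original) are deleted. The script below is an added example, not part of the original notes: it splits a constructed file into 1k chunks, rebuilds it with cat prefix*, and compares the rebuilt file to the original with cmp. It uses -b, the portable spelling of --bytes, so it also runs on non-GNU split.

```shell
#!/bin/sh
# Added example, not from the original notes: split a file into fixed-size
# chunks, join them again with cat, and prove the result is byte-identical
# with cmp before anything is thrown away.

# make_sample -> path of a constructed 2500-byte file (250 lines of 10 bytes)
make_sample() {
  f=$(mktemp)
  awk 'BEGIN { for (i = 0; i < 250; i++) printf "%-9d\n", i }' > "$f"
  echo "$f"
}

# split_and_verify FILE SIZE -> prints the chunk count; exit status 0 only if
# "cat prefix*" rebuilt the original exactly. SIZE takes split's suffixes (k, m).
split_and_verify() {
  src=$1; size=$2
  work=$(mktemp -d)
  prefix="$work/$(basename "$src")_"
  split -b "$size" "$src" "$prefix"          # -b is the portable form of --bytes
  cat "$prefix"* > "$work/rejoined"          # the glob sorts aa, ab, ... in split's order
  n=$(ls "$prefix"* | wc -l | tr -d ' ')
  if cmp -s "$src" "$work/rejoined"; then rc=0; else rc=1; fi
  rm -rf "$work"
  echo "$n"
  return "$rc"
}

# usage on a real file: split_and_verify thetruth_wrdp2.sql 1m || echo "reassembly mismatch"
```

For a file that is transferred elsewhere before being joined, the same check works with a checksum recorded before splitting (for example sha256sum) compared against the rebuilt file.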

Tuesday, May 24, 2011

System log files:

/var/log/messages - system messages
/var/log/secure - logging by PAM of network access attempts
/var/log/dmesg - log of system boot; also see the dmesg command
/var/log/boot.log - log of the system init process
/var/log/xferlog.1 - file transfer log
/var/log/lastlog - requires the use of the lastlog command to examine contents
/var/log/maillog - log from the sendmail daemon

find commands

Search and list all files from the current directory down for the string ABC:
find ./ -type f -exec grep -H ABC {} \;
find ./ -type f -print | xargs grep -H "ABC" /dev/null
egrep -r ABC *
Find all files of a given type from current directory on down:
find ./ -name "*.conf" -print
Find all user files larger than 5Mb:
find /home -size +5000000c -print
Find all files owned by a user (defined by user id number. see /etc/passwd) on the system: (could take a very long time)
find / -user 501 -print
Find all files created or updated in the last five minutes: (Great for finding effects of make install)
find / -cmin -5
Find all users in group 20 and change them to group 102: (execute as root)
find / -group 20 -exec chown :102 {} \;
Find all suid and setgid executables:
find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -ldb {} \;
find / -type f -perm /6000 -ls

Note: suid executable binaries are programs which switch to root privileges to perform their tasks. They are created by setting the setuid/setgid bit (often loosely called the "sticky" bit): chmod +s. These programs should be watched, as they are often the first point of entry for attackers, so it is prudent to run this command regularly and remove the bit from executables which either won't be used or are not required by users: chmod -s filename. (-perm /6000 is the current GNU find spelling of the older -perm +6000, which recent versions reject.)
Find all world writable directories:
find / -perm -0002 -type d -print
Find all world writable files:
find / -perm -0002 -type f -print
find / -perm -2 ! -type l -ls
Find files with no user:
find / -nouser -o -nogroup -print
Find files modified or changed in the last two days:
find / -mtime -2 -o -ctime -2
Compare two drives to see if all files are identical:
find / -path /proc -prune -o -path /new-disk -prune -o -xtype f -exec cmp {} /new-disk{} \;
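The setuid and world-writable searches above are the ones worth running on a schedule, and they are easiest to check against a tree whose contents you know. The script below is an added example, not part of the original notes: it builds a small throwaway directory tree with one file of each kind (a setuid binary, a setgid binary, a world-writable directory and a world-writable file) and runs the find patterns against it. It goes one step beyond the list above by excluding sticky-bit directories such as /tmp from the world-writable directory check, since those are world-writable by design.

```shell
#!/bin/sh
# Added example, not from the original notes: run the setuid/setgid and
# world-writable checks from the find list against a constructed tree, so the
# patterns can be tried without scanning "/". On a real host call the find_*
# functions with / and add -xdev (or -path /proc -prune, as in the cmp example).

# build_sample_tree -> path of a temp tree with one file of each kind we hunt for
build_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/bin" "$d/shared"
  : > "$d/bin/helper";  chmod 4755 "$d/bin/helper"            # setuid
  : > "$d/bin/tool";    chmod 2755 "$d/bin/tool"              # setgid
  : > "$d/bin/plain";   chmod 0755 "$d/bin/plain"             # ordinary
  chmod 0777 "$d/shared"                                      # world-writable dir
  : > "$d/shared/notes.txt"; chmod 0666 "$d/shared/notes.txt" # world-writable file
  echo "$d"
}

# setuid or setgid regular files (-perm -4000 / -perm -2000, as in the notes)
find_suid_sgid() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# world-writable directories without the sticky bit; /tmp-style 1777 dirs are skipped
find_ww_dirs() {
  find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# world-writable regular files (symlinks are excluded by -type f)
find_ww_files() {
  find "$1" -type f -perm -0002 -print | sort
}

# count_lines: number of results on stdin, without the padding some wc print
count_lines() { wc -l | tr -d ' '; }

# audit_report ROOT -> three summary lines, e.g. "suid/sgid: 2"
audit_report() {
  echo "suid/sgid: $(find_suid_sgid "$1" | count_lines)"
  echo "world-writable dirs: $(find_ww_dirs "$1" | count_lines)"
  echo "world-writable files: $(find_ww_files "$1" | count_lines)"
}
```

Keeping the output of find_suid_sgid / from a known-good state and diffing it against a fresh run is the simplest way to notice a newly appeared setuid binary.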

wordpress .htaccess file


RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

logrotate.conf

/var/log/process-name.log {
rotate 12
monthly
errors root@localhost
missingok
postrotate
/usr/bin/killall -HUP process-name 2> /dev/null || true
endscript
}

Tuesday, March 15, 2011

"Sorry, it appears that a required library (PDO) for connecting to a MySQL database has not been enabled. Pls ask your web host if your web site can h

1. Rebuild Apache under EasyApache and enable PDO support in your PHP configuration.

OR

I just tried the terminal install:

pecl install pdo
pecl install pdo_mysql

and restarted Apache and it works fine.

Sunday, March 13, 2011

How to reset Joomla Admin password

1. Login to cPanel
2. Access the phpMyAdmin
3. Select the database
4. Find the jos_user table, and go to browse
5. Find the Super Administrator user and go to edit
6. Select the password function MD5, enter your new password, change the user name to admin, then click GO to proceed.

Wednesday, March 9, 2011

FTP error >>> 421 Sorry, cleartext sessions are not accepted on this server. Login failed

When you receive the above error while trying to connect to FTP, follow the steps below:
Login to WHM
Go to: Service Configuration
Then click on: FTP Server Configuration
and then check that:
TLS Encryption Support is set to "Optional"
if not, set it to "Optional"
That's all, this will do it. Keep in mind that "Optional" lets clients log in without encryption; if the client supports FTPS, enabling TLS in the client instead lets the server keep rejecting cleartext sessions.

Configure Outlook?

1. Click on the Tools menu, then Accounts
2. Click Add on the right side at the top and select Mail
3. Display Name: Your Name
4. Click Next
5. E-mail Address: address@yourdomain.com
6. Click Next
7. My incoming mail server is a POP3 server.
8. Incoming mail server (POP3): yourdomain.com
9. Outgoing mail server (SMTP): yourdomain.com
10. Click Next
11. Account Name: address@yourdomain.com; if you are setting up your Main Account you would use your hosting account user name.
12. Password: this will be the password you set for the email address when you set it up in your hosting account control panel. If you are setting up your Main Account, this will be your hosting account password.
13. Check Remember password if you don't want to enter your password each time.
14. DO NOT CHECK "Log on using Secure Password Authentication (SPA)"
15. Click Next, then Finish
16. Click on the account you just created, then click Properties
17. Click the Servers tab
18. CHECK "My server requires authentication" at the bottom
19. Click the Advanced tab
20. Under Server Port Numbers, Incoming server (POP3): 110
21. Under Server Port Numbers, Outgoing server (SMTP): 25; if your ISP blocks access to port 25 you can use port 26.
22. Click OK to close that window.
23. Click Close to close that window.

530 Login authentication failed ? Can access cpanel but not ftp?

The problem was due to demo mode enabled for that domain. Disable it via WHM >> demomode

/usr/bin/curl: Cron error : Permission denied ?

Check the permissions of /usr/bin/curl; they should be 755. If they are correct, check the permissions of the script file.

Thursday, January 27, 2011

How to Clear Your /tmp Folder Automatically?

Is your /tmp directory simply getting overrun with SESS files? If so, try this:

make a file in scripts called cleantmp, put the following in it:

************
#!/bin/bash
# This script cleans out /tmp of empty, root, cpanel
# and nobody session files in /tmp
# rev 2.0b by Darren - 8.19.07

# if --test is passed, we just show the results
if [ "$1" == "--test" ]
then
CMD="-exec ls -la"
echo "$0: test mode"
else
CMD="-exec rm -rf"
fi

if [ "$1" == "--help" ]
then
echo ""
echo "cleantmp will clean out your tmp directory for you"
echo ""
echo "Parameters:"
echo "--test to run in test mode"
echo "--help display this file"
echo "-a accountname to remove all files owned by account name"
echo "-e cleans out all empty (zero length) files"
echo ""
exit 0
fi

# -maxdepth is a global option and must come before the tests, or GNU find warns
if [ "$1" == "-a" ]
then
if [ -z "$2" ]
then
echo "usage: $0 -a accountname"
exit 1
fi
echo ""
echo "Removing session files for account $2"
find /tmp -maxdepth 1 -name "sess*" -user "$2" $CMD {} \;
echo "completed"
echo ""
exit 0
fi

if [ "$1" == "-e" ]
then
echo ""
echo "Cleaning out empty files from /tmp"
find /tmp -maxdepth 1 -name "sess*" -empty $CMD {} \;
echo "completed"
echo ""
exit 0
fi


# remove empty session files that are over 2 hours old
find /tmp -maxdepth 1 -name "sess*" -empty -mmin +120 $CMD {} \;

# remove root owned session files
find /tmp -maxdepth 1 -name "sess*" -user root $CMD {} \;

# remove nobody session files
find /tmp -maxdepth 1 -name "*sess*" -user nobody $CMD {} \;

# remove cpanel owned session files
find /tmp -maxdepth 1 -name "sess*" -user cpanel $CMD {} \;

# remove any session file over 5 hours old
find /tmp -maxdepth 1 -name "sess*" -mmin +300 $CMD {} \;

# remove any spamassassin file over 4 hours old
find /tmp -maxdepth 1 -name ".spamassassin*" -mmin +240 $CMD {} \;
************

Now save, and chmod it so it can be run (use your discretion for perm level):
chmod 755 /scripts/cleantmp

Run it as /scripts/cleantmp --test to view which files will be removed or /scripts/cleantmp -a accountname to remove all files owned by account name. And running it with "-e" will remove all empty session files.

What we do on most boxes is have it run in cron.hourly so that it purges session files. It cleans empties that are over 2 hours old, and normal ones that are over 5 hours old. Keep in mind, this may break software that uses "Keep Me Logged In Indefinitely" option for users. But the script could be easily modified to skip some session files if needed.

So, go to /etc/cron.hourly and create a file called cleantmp. Put this into it:

****************
#!/bin/bash

/scripts/cleantmp -e >/dev/null 2>&1
/scripts/cleantmp >/dev/null 2>&1
****************

and save it, then do the same permissions procedure as above. Now every hour the script will clean out empty and older SESS files and keep your sites up. Modify this and the other script as needed.

Hope this helps! Suggestions, questions are welcome.

FTP hangs when CSF is on

This is a well-known issue between CSF and FTP: the session hangs when we change directory through FTP. This is what I tried to get it fixed.

Search for the following line in /etc/pure-ftpd.conf

Port range for passive connections replies. - for firewalling.

and simply comment out the PassivePortRange setting that follows it.

Then restart FTP and CSF, and FTP should be working fine now. The alternative that keeps passive mode working through the firewall is to leave PassivePortRange set and allow that port range in the TCP_IN list of /etc/csf/csf.conf.

Disable eAccelerator for one domain

I had an issue where I had to disable eAccelerator for a single domain on my VPS.

I've seen instructions that say to put the following lines in the .htaccess file in the site's root directory,

php_flag eaccelerator.enable 0
php_flag eaccelerator.optimizer 0


but when I did that, trying to access any page on that site resulted in a 500 error.

I found that the only way to make this work is to locate the VirtualHost section for the domain in question in /etc/httpd/conf/httpd.conf. Within that VirtualHost section there should be a block that looks similar to this:



php_admin_value open_basedir "/home/site-name/:/usr/lib/php:/usr/local/lib/php:/tmp"



Add the following lines to that block, before its closing line:


php_flag eaccelerator.enable 0
php_flag eaccelerator.optimizer 0

Any suggestions or questions are welcome.

cPanel shows wrong quota for database.

Getting 0.00MB disk quota for databases in cpanel ?

Here is the answer ::

The disk quota for MySQL databases will show 0.00 in cPanel > MySQL Databases area unless this option is selected in WHM's Tweak Settings area:
------------------------
When displaying disk usage in cPanel/WHM include Postgresql and MySQL® disk usage. [Requires MySQL® 5+] (SQL disk usage is only updated every four hours)
------------------------

So go ahead and enable this in Tweak Settings, then manually run the command to update the quotas:

/scripts/update_db_cache

This command will run by cron every 4 hours now that the Tweak Settings option has been enabled.

Thanks

Change Linux timezone

Select the method as per your Linux distribution:
If you are using Fedora / RHEL / Cent OS Linux
Type the redhat-config-date command at the command line to start the time and date properties tool.

# redhat-config-date


OR type setup and select timezone configuration (good for remote ssh text-based Linux server sessions)

# setup

Now, just follow on screen instructions to change timezone

Set timezone using /etc/localtime configuration file [any Linux distro]

Often /etc/localtime is a symlink to the file localtime or to the correct time zone file in the system time zone directory.

Generic procedure to change timezone

Change directory to /etc
# cd /etc

Create a symlink to file localtime:
# ln -sf /usr/share/zoneinfo/EST localtime
OR, since some distros use the /usr/share/zoneinfo/dirname/zonefile layout (Red Hat and friends):
# ln -sf /usr/share/zoneinfo/EST localtime
OR if you want to set it to IST (Asia/Calcutta):
# ln -sf /usr/share/zoneinfo/Asia/Calcutta localtime
Please note that in the above example you need to use the directory structure, i.e. if you want to set the timezone to Calcutta (India), which is located in the Asia directory, you have to set it up as above.

Use date command to verify that your timezone is changed:
$ date
Output:

Tue Aug 27 14:46:08 EST 2006

Use of environment variable
You can use TZ environment variable to display date and time according to your timezone:
$ export TZ=America/Los_Angeles
$ date

WGET with FTP

Here are some useful commands to download data from an account that exists on a different server.

wget -r 'ftp://username:password@ftp.domainname.com/*'

For example: wget -r 'ftp://test:celita0201@ftp.domainname.com/*'

OR

wget -r --ftp-user=username --ftp-password=password 'ftp://ftp.domainname.com/*'

wget -r --ftp-user=test@domainname.com --ftp-password=neHGyxhjr 'ftp://ftp.domainname.com/*'

Note that a password given on the command line is visible to other users in the process list and is kept in the shell history; wget --ask-password prompts for it instead, or the credentials can go in ~/.netrc with mode 600.

How to Check Memory Usage on Linux Servers.

Memory is one of the most important resources on a server for keeping processes running smoothly and fast. The availability of physical memory matters especially on high-load web hosting servers that run a database such as Oracle or MySQL, which need a lot of memory. Linux [CentOS], which is popular on cPanel and Plesk web hosting servers, comes with several commands and tools to check memory usage.

1. meminfo
"/proc/meminfo" contains all your memory usage information. When you type:
cat /proc/meminfo
you will get a dump of your server memory info; below is an example of meminfo.



2. Using free Command
free displays the total amount of free and used physical and swap memory in the system, as well as the buffers used by the kernel.

free -m
The command will display information about physical memory in MB.

free -m -t
Same as "free -m", but the -t switch adds a line containing the totals of physical memory and swap space.

free -m -s 10
The command displays memory status in megabytes on the terminal, polling continuously with a delay of 10 seconds; you can specify any number for the delay.




3. Using vmstat Command

vmstat reports information about processes, memory, paging, block IO, traps, and cpu activity. The command will display report based on averages since last reboot.

Syntax of vmstat

vmstat [options] [delay [count]]

vmstat 10
The command polls average system resource usage for sampling periods of 10 seconds at an interval of 10 seconds, except the first report, which is the average since the last reboot.
If no delay is specified, only one report is printed with the average values since boot.



4. Using top Command

Syntax of top

top
Using top is very simple: just type "top" at the command shell [without ""] and a constantly updating stats page will be shown.

top -d 2
Same as "top", but "-d" specifies the delay between screen updates, here 2 seconds.

5. Using ps Command

Syntax of ps aux

ps aux
aux is the set of options that makes ps show every process on the system.

To see only the memory resources occupied by each category of processes, such as Apache httpd, MySQL mysqld or Java, use the following command:

ps aux | awk '{print $4"\t"$11}' | sort | uniq -c | awk '{print $2" "$1" "$3}' | sort -nr
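The counters that free and the ps pipeline above summarise all come from /proc/meminfo, and the most common misreading is taking "used" as application memory when most of it is page cache. The script below is an added example, not part of the original notes: it derives the same figures free -m prints (used minus buffers/cache, swap used) from the raw meminfo counters. The meminfo text is a constructed sample; on a live server pass "$(cat /proc/meminfo)" instead.

```shell
#!/bin/sh
# Added example, not from the original notes: derive the figures free(1) prints
# from the raw /proc/meminfo counters. The meminfo text is a constructed sample.

SAMPLE_MEMINFO='MemTotal:        2048000 kB
MemFree:          256000 kB
Buffers:          128000 kB
Cached:           640000 kB
SwapTotal:       1024000 kB
SwapFree:         960000 kB'

# meminfo_kb KEY TEXT -> value in kB of the "KEY:" line (0 if the key is absent)
meminfo_kb() {
  v=$(printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2; exit }')
  echo "${v:-0}"
}

# memory actually held by applications: total minus free minus buffers and
# page cache, i.e. the "-/+ buffers/cache" used value in free -m output
mem_used_app_kb() {
  t=$(meminfo_kb MemTotal "$1"); f=$(meminfo_kb MemFree "$1")
  b=$(meminfo_kb Buffers "$1");  c=$(meminfo_kb Cached "$1")
  echo $(( t - f - b - c ))
}

# percentage of physical memory held by applications
mem_used_app_pct() {
  t=$(meminfo_kb MemTotal "$1")
  u=$(mem_used_app_kb "$1")
  echo $(( u * 100 / t ))
}

swap_used_kb() {
  st=$(meminfo_kb SwapTotal "$1"); sf=$(meminfo_kb SwapFree "$1")
  echo $(( st - sf ))
}

# mem_report TEXT -> one summary line in MB, the way free -m would show it
mem_report() {
  u=$(mem_used_app_kb "$1"); p=$(mem_used_app_pct "$1"); s=$(swap_used_kb "$1")
  b=$(meminfo_kb Buffers "$1"); c=$(meminfo_kb Cached "$1")
  printf 'used by apps: %s MB (%s%%), cache+buffers: %s MB, swap used: %s MB\n' \
    $(( u / 1024 )) "$p" $(( (b + c) / 1024 )) $(( s / 1024 ))
}

# on a live server: mem_report "$(cat /proc/meminfo)"
```

A box whose "used by apps" stays flat while swap used keeps growing is the pattern worth alerting on; cache+buffers growing on its own is normal and is reclaimed on demand.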

Configuring a Cpanel Counter

A counter counts the number of visitors on your site. If you refresh the page, the counter increases by one.

Follow the steps given below to configure a Cpanel counter.

1. Go to counter option in your cpanel. Cpanel >> CGI center >> counters.
2. Click on counter radio button.
3. Edit/Reset a counter
Counter name:-> generally it is the account username. It creates a file with a .dat extension on the server.
New Count:-> enter the number from which you want the counter to start, generally 0.
If you want to reset the counter you have to edit both fields and click on "Commit Changes". You can also view a
preview of the counter through the preview option.
4. Click on 'Make HTML', this will display a line.
5. On server go to following path
# cd /var/cpanel/Counters
Check that a file has been created with the name countername.dat and change its permissions to 777.
6. # vi countername.dat
Add the line which is created by clicking 'Make HTML' in cpanel to countername.dat file.

Spamd Failing

If you find the "spamd" failing error on an exim restart.

root@server [~]# /etc/init.d/exim restart

Shutting down exim: [ OK ]

Shutting down antirelayd: [ OK ]

Shutting down spamd: [ FAILED ]

Starting exim-26: [ OK ]

Starting exim: [ OK ]

Starting exim-smtps: [ OK ]

Starting antirelayd: [ OK ]

Then use the following steps.

When "spamd" is disabled, cPanel creates a file named "/etc/spamdisable" which may not get deleted when the "spamd" feature is enabled again. Check for the presence of that file.

The issue may also arise because the perl module "Mail::SpamAssassin" is missing; install it and restart exim, and the issue will be fixed.

# /scripts/perlinstaller --force Mail::SpamAssassin

#/etc/init.d/exim restart

disable the the stats services in a cpanel

You can disable Analog or Awstats or Webalizer stats in a cpanel server via backend by editing the file "/var/cpanel/cpanel.config".

# Check for the variables skipanalog, skipawstats, skipwebalizer in the file and change the values
of the variables to one. Now the variables should look like as follows:

skipanalog=1
skipawstats=1
skipwebalizer=1

# Save the changes and restart the cpanel service in the server.

/etc/init.d/cpanel restart

# Now the all the three stats will be disabled server wide.

The recipient cannot be verified. Please check all recipients of this 550 message to verify they are valid

If you are receiving the following error:

PERM_FAILURE: SMTP Error (state 13): 550-"The recipient cannot be verified. Please check all recipients of this
550 message to verify they are valid."

SOLUTION:

First you need to check the corresponding Domain name in the file '/etc/valiases'.

root@f ~] cat /etc/valiases/domainname
*: username@domainname

Here 'username@domainname' indicates an added email account.

You need to change the username only instead of giving 'username@domainname'. That is;

root@f ~] cat /etc/valiases/domainname
*: username

Here the entry username (without the domain name) indicates the default account.

Then Restart the exim mail service.

root@f ~] /etc/init.d/exim restart

IMAP Error (Connection dropped by IMAP server)

To troubleshoot the IMAP error(Inbox lock errors) while accessing mailbox via any webmail clients(Horde, SquirrelMail, NeoMail, Round Cube etc.):

The error will be shown as below,

Connection dropped by IMAP server

ERROR: Connection dropped by IMAP server.
Query: SELECT "INBOX"
Reason Given: Unable to open this mailbox.

The error usually occurs when there is inbox.lock file in the mailbox.
Here the inbox gets locked and hence the mailbox can't be accessed and
you will get the above said error.

1. Remove the "inbox.lock" file from the particular mailbox.

Even though the "inbox.lock" file is deleted, it will be created again when
the mailbox is accessed. Hence after removing the file, we need
to copy the inbox to a new file name to fix the issue, which can
be done as follows,

2. cat inbox > inbox.new
3. rm inbox
4. mv inbox.new inbox
5. Then fix ownership and permissions.

This fixes the issue.

How to avoid overwrite option with cp, scp command ?

Scenario: copy all files from a folder which contains around 20,000 files to a folder where 10,000 of the same files already exist.

Now what? Don't worry, simply fire the following command:

# unalias cp

Reason: cp has an alias (alias cp='cp -i'), and
-i, --interactive means prompt before overwrite.

Note: make sure you revert the change once you are done with cp. (unalias only affects the current shell; prefixing a single command with a backslash, \cp, bypasses the alias without changing anything.)

You can also overwrite files without the [ y/n ] prompt by using the following syntax, which calls the binary by its full path and so skips the alias:

# /bin/cp -pafrH /home/user/source/* /home/user/destination/

cPanel hardening from shell

Posted by Mayur's BLOG

From Shell prompt

Applicable : Centos/RedhatEnterprise/FedoraCore

check the hardware

cat /proc/cpuinfo
cat /etc/redhat-release
uname -a
cat /proc/meminfo
==========================

SSH Server Hardening

nano -w /etc/ssh/sshd_config

Uncomment #Protocol 2,1

Change to Protocol 2

Append these lines to the bottom:

LoginGraceTime 120
IgnoreRhosts yes
X11Forwarding no

/etc/rc.d/init.d/sshd restart

============================

cd /etc

mv /etc/host.conf /etc/host.conf.bak

wget http://www.indiageeks.net/myscripts//host.conf

(Review this file, and the sysctl.conf fetched below, before putting either into /etc; a config pulled from a third-party site should not go live unread.)

============================

mv /etc/sysctl.conf /etc/sysctl.conf.bak

cd /etc

wget http://www.indiageeks.net/myscripts/sysctl.conf

/sbin/sysctl -p

sysctl -w net.ipv4.route.flush=1

/sbin/ifconfig eth0 txqueuelen 1000

echo /dev/null > /proc/sys/kernel/core_pattern

=============================

cp /etc/fstab /etc/fstab.bak

First check to see that no /tmp partition is present.

df

If no /tmp partition is present, use this guide:

cd /usr

dd if=/dev/zero of=/usr/tmpMnt bs=1024 count=1000000

mke2fs -j /usr/tmpMnt
cd /

cp -R /tmp /tmp_backup

mount -o loop,noexec,nosuid,rw /usr/tmpMnt /tmp

chmod 0777 /tmp

/bin/cp -R /tmp_backup/* /tmp/

rm -rf /tmp_backup

nano -w /etc/fstab

At the bottom add

/usr/tmpMnt /tmp ext3 loop,noexec,nosuid,rw 0 0

If “df” shows a /usr/tmpDSK partition,

Then leave it!

If a standard /tmp partition is already present,

nano -w /etc/fstab

change “defaults” to loop,noexec,nosuid,rw

mount /tmp

/tmp should always have this: loop,noexec,nosuid,rw

/tmp and /var/tmp should be symlinked on EVERY server.

rm -rf /var/tmp

ln -s /tmp /var/tmp

/dev/shm

nano -w /etc/fstab

in /dev/shm line, change 'defaults' to noexec,nosuid

umount /dev/shm

mount /dev/shm

rm -rf /etc/httpd/proxy

rm -rf /var/spool/vbox

mount -o remount,noexec,nosuid /proc

Modify /etc/fstab, add options “noexec,nosuid” to the /proc line:
none /proc proc defaults,noexec,nosuid 0 0

=====================================

php -i | grep php.ini

Edit the php.ini file reported by the command above and set:

disable_functions = dl,passthru,proc_open,proc_close,shell_exec,system

/etc/rc.d/init.d/httpd restart

=========================================

Logwatch

cd /root/

wget http://www.indiageeks.net/myscripts//logwatch-7.3.1-1.noarch.rpm

rpm -Uvh logwatch-7.3.1-1.noarch.rpm

rm -rf /etc/logwatch/conf/logwatch.conf

cd /etc/logwatch/conf

wget http://www.indiageeks.net/myscripts//logwatch.conf

=====================

chmod 750 /usr/bin/GET
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/gcc
chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp

history -c

=====================
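The sshd_config and fstab edits above fail silently when a keyword is mistyped or a line is left commented, so it is worth checking the result rather than trusting the edit. The script below is an added example, not part of the original notes: it audits a sshd_config for the four settings asked for above (Protocol 2, LoginGraceTime 120, IgnoreRhosts yes, X11Forwarding no) and an fstab for noexec,nosuid on /tmp, /dev/shm and /proc. Both inputs are constructed samples embedded in the script; on a real host pass "$(cat /etc/ssh/sshd_config)" and "$(cat /etc/fstab)" instead.

```shell
#!/bin/sh
# Added example, not from the original notes: audit sshd_config and fstab for the
# hardening settings listed above. Both inputs below are constructed samples.

SAMPLE_SSHD_CONFIG='# constructed sshd_config sample
#Protocol 2,1
Protocol 2
LoginGraceTime 120
IgnoreRhosts yes
X11Forwarding yes'

SAMPLE_FSTAB='/dev/sda1 / ext3 defaults 1 1
/usr/tmpMnt /tmp ext3 loop,noexec,nosuid,rw 0 0
tmpfs /dev/shm tmpfs defaults 0 0
none /proc proc defaults,noexec,nosuid 0 0'

# sshd_value KEYWORD CONFIGTEXT -> effective value: first uncommented match
# wins, which is how sshd itself resolves duplicate keywords
sshd_value() {
  printf '%s\n' "$2" | awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

# sshd_findings CONFIGTEXT -> one line per keyword that is unset or differs
sshd_findings() {
  cfg=$1
  for pair in Protocol=2 LoginGraceTime=120 IgnoreRhosts=yes X11Forwarding=no; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(sshd_value "$key" "$cfg")
    [ "$got" = "$want" ] || echo "$key: want '$want', got '${got:-<unset>}'"
  done
}

# fstab_opts MOUNTPOINT FSTABTEXT -> the options field for that mount point
fstab_opts() {
  printf '%s\n' "$2" | awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print $4; exit }'
}

# fstab_findings FSTABTEXT -> one line per mount point missing noexec or nosuid
fstab_findings() {
  fstab=$1
  for mp in /tmp /dev/shm /proc; do
    opts=$(fstab_opts "$mp" "$fstab")
    for want in noexec nosuid; do
      case ",$opts," in
        *",$want,"*) ;;
        *) echo "$mp: missing $want (opts: ${opts:-<none>})" ;;
      esac
    done
  done
}

# on a real host:
#   sshd_findings "$(cat /etc/ssh/sshd_config)"; fstab_findings "$(cat /etc/fstab)"
```

Run after every restart as well: fstab only describes what should be mounted, so comparing its options against the live ones in the output of mount catches a /tmp that was remounted without noexec.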

From WHM:

Tweak Settings (Check all these options)

--------------

Allow Creation of Parked/Addon Domains that are not registered

Prevent users from parking/adding on common internet domains

E-mail users when they have reached 80% of bandwidth

Each domain can send out per hour: 500

Pop 3 in hour: 180

Allow Sharing Nameserver IPs

Use Jailshell as default

Set Default catch-all to FAIL

Delete each domain's access logs after stats run

Things to Uncheck

Boxtrapper

** When adding a new domain, if the domain is already registered, ignore the configured nameservers, and set the NS line to the authoritative (registered) ones.

** FormMail-clone cgi

Change:

The load average above the number of cpus at which logs file processing should be suspended (default 0):

To 10

** Number of minutes between mail server queue runs (default is 60).:

To 180

=================================================================================================

Tweak Security

--------------

open_basedir: Enable php open_basedir

Compilers disable

==========================

System Health - Background Process Killer

Check all of them

==========================

Please read carefully and make sure that you are aware of all the commands & settings and their effect.