Sunday 29 May 2011

OpenVPN - Installation

Install Script for OpenVZ VPS - CENTOS / DEBIAN / UBUNTU

CENTOS: http://bluemodule.com/

Download Link:
http://bluemodule.com/wp-content/plugins/wp-codebox/wp-codebox.php?p=202&download=ovpn_install_script.sh


DEBIAN / UBUNTU:
http://www.putdispenserhere.com/2011/openvpn-debianubuntu-setup-script-for-openvz/

Download Link:
http://www.putdispenserhere.com/wp-content/uploads/openvpninstall.sh


After running the above scripts surfing/browsing to google.com or other sites will not allow you.

You have to execute the below commands on the VPS

#ifconfig -a | grep P-t-P

inet addr:10.9.0.1 P-t-P:10.9.0.2 Mask:255.255.255.255
inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
inet addr:8X.8X.2XX.XX P-t-P:8X.8X.2XX.XX Bcast:8X.8X.2XX.XX Mask:255.255.255.255

Note: P-t-P:10.9.0.2 - For tun0

#iptables -t nat -A POSTROUTING -s 10.9.0.0/32 -o eth0 -j MASQUERADE
#/etc/init.d/iptables save
#/etc/init.d/iptables restart

or

#iptables -A POSTROUTING --table nat -o eth0 -j MASQUERADE
#/etc/init.d/iptables save
#/etc/init.d/iptables restart

Note: Please make sure to enable the TUN / TAP / PPPD / IPTABLES on your VPS

Wednesday 25 May 2011

Rapidleech installation for Ubuntu

Install LAMP Server;
apt-get install -y lamp-server

If you are facing any issue while installing the LAMP, you can refer the below URL
http://www.howtoforge.com/ubuntu_lamp_for_newbies


cd /var/www/
wget http://rapidleech.googlecode.com/files/rapidleech-svn322.zip
unzip rapidleech-svn322.zip
mv r322 leech
cd leech
chmod 777 -R files/ configs/

Run a browser and access the address leech, http://localhost/leech .

On the web Rapidleech content Link to Tranload dialog box with a link that will be downloaded as hotfile or rapidshare, and then click the link to transload;

Sunday 22 May 2011

Installing cPanel & WHM

Installing cPanel & WHM

Make sure you are logged in as root

To begin your installation, use the following commands:

1. Open the /home directory by typing the command cd /home

2. Fetch the latest installation file from the cPanel servers by typing the command

wget -N http://httpupdate.cpanel.net/latest

3. Open and run the installation files by typing the command

sh latest

If licensing has failed (due to a strict firewall or changed IP), execute the following command to activate your license:

* /usr/local/cpanel/cpkeyclt

Note: For FreeBSD, you need to download and untar the latest installer package from www. cpanel.net

Wednesday 11 May 2011

Monitoring/security of Exim

Number of emails in the mail queue:

#exim -bpc


Frozen mails in a Queue

#exim -bp | grep -c frozen

#exim -bpr | grep frozen | wc -l



Removing all frozen messages:

#exiqgrep -z -i | xargs exim -Mrm

or

#exim -bpru | grep “frozen” | awk {‘print $3′} | xargs exim -Mrm


Deliver forcefully emails

#exim -qff -v -C /etc/exim.conf &


Remove mails from sender

#exiqgrep -i -f (mail add here) | xargs exaim -Mrm


Remove mails from Recipient

#exiqgrep -i -r (mail add here) | xargs exaim -Mrm


Below command will display total number of emails send as well receive statistics per domain basis.

#exim -bp | exiqsumm | sort -n


Delete mails for particular domain which is largest email sender you got by previous step

#exiqgrep -i -r domainname.com | xargs exim -Mrm


Number of emails sent by perticular domain greping by date:

#grep “Sept 18″ /var/log/exim_mainlog | grep domainname.com | wc -l


Get the content of an email by message ID

#exim -Mvb messageid

Force delivery of single email

#exim -M email-id


Delete particular message ID

#exim -Mg messageid


Delete the entire mail queue

#exim -bpru | awk {‘print $3′} | xargs exim -Mrm


Check all mails by username

#exigrep -u username /var/log/exim_mainlog


View an email’s header

#exim -Mvh message-id


View an email’s body

#exim -Mvb message-id


Deliver all emails in mailqueue forcefully

#exiqgrep -i | xargs exim -M

How to repair all MySQL Databases on a cPanel/WHM Server

There can be different reasons why one wants to repair a MySQL database. Database corruption maybe due to a lack of disk space or an unexpected server shutdown that caused the database to go bad. Queries that worked before suddenly stopped working and overall the database is not behaving anymore as expected. This guide shall not be a full database troubleshooting guide, but rather give you a hand on doing a MySQL repair on all databases on a cPanel/WHM server (or any other server running MySQL).

The situation: Your server crashed hard and when it is back up the MySQL side of the house is not working anymore. You do your normal troubleshooting. If all other troubleshooting and verifications are done, you come to the conclusion that you will need to run a repair as the next step. A full database restore from a (hopefully existing) good database backup would be your last choice.

Repairing one MySQL database is fairly easy, but how do you do this for an entire server holding20, 30, 50 or over 100 databases? You will need SSH access as the root user to the server running MySQL. So, log in as the root user and then do the following to repair your MySQL databases:

Please be advised that you should backup critical databases before running any of the commands below:

Option #1

Check if you any need DB repair:

#myisamchk –check /var/lib/mysql/*/*.MYI

Then try a ‘safe-recover’ as the first step:

#myisamchk –safe-recover /var/lib/mysql/*/*.MYI

If the ‘safe-recover’ does not work, run a full recover:

#myisamchk –recover /var/lib/mysql/*/*.MYI

Then use the ‘force’ flag to get things back to normal:

#myisamchk –safe-recover –extend-check –force /var/lib/mysql/*/*.MYI
or

#myisamchk –recover –extend-check –force /var/lib/mysql/*/*.MYI


Option #2

Use the mysqlcheck tool to repair your databases.
#mysqlcheck -–all-databases -r #repair

#mysqlcheck -–all-databases -a #analyze

#mysqlcheck -–all-databases -o #optimize

There you have it. By using one of these two options you should be able to repair and recover your databases. Please be advised that you should backup critical databases before running any of the commands above. If something goes wrong you can revert back and try again.

Rapidleech installation on VPS Centos 5

Install apache + php5

yum install httpd
yum install php php-gd php-imap php-ldap php-odbc php-pear php-xml php-xmlrpc
service httpd start
chkconfig httpd on

cd /var/www/html
wget http://rapidleech.googlecode.com/files/rapidleech-svn322.zip
unzip *.zip
cp -r r322/* /var/www/html/
rm -r -f r322
chmod 777 files
chmod 777 configs
cd configs
chmod 777 files.lst

Restart

Done

http://Ip_address

Chkrootkit Installation

Chkrootkit is a tool to locally check for signs of a rootkit. It contains a chkrootkit: shell script that checks system binaries for rootkit modification.


Installation:– Login to your server as root. (SSH)

cd /usr/local/src
– Down load the chkrootkit.# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
- Unpack the chkrootkit you just downloaded.# tar -xvzf chkrootkit.tar.gz
- Change to new directory# cd chkrootkit*
- Compile chkrootkit# make sense
- Run chkrootkit# ./chkrootkit

How to setup a daily scan report?
- Load crontab# crontab -e
- Add this line to the top:==========================================================================
0 1 * * * (cd /path/to/chkrootkit; ./chkrootkit 2>&1 | mail -s “chkrootkit output” email@domain.com)
==========================================================================

E.G:0 1 * * * (cd /usr/local/src/chkrootkit-0.49; ./chkrootkit | mail -s “chkrootkit output” test@unixnethost.com )

This will run CHKROOTKIT at 1am every day, and e-mail the output to root. (you need change the time whenever you want it to run and the email id according to your needs.)

Save and exit

Install NginX Php5 FastCGI webserver

Nginx (engine x) is an HTTP(S) server, reverse proxy and IMAP/POP3 proxy server written by Igor Sysoev. It is known for its high performance, stability, rich feature set, simple configuration, and low resource consumption.

Configure yum repo for needful packages

# rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/$(uname -m)/epel-release-5-3.noarch.rpm

Install Nginx

# yum install nginx

Configuration files of nginx

Default config file: /etc/nginx/nginx.conf
Default SSL config file: /etc/nginx/conf.d/ssl.conf
Default virtual hosting config file: /etc/nginx/conf.d/virtual.conf
Default documentroot: /usr/share/nginx/html
Configure PHP As FastCGI
# yum install php-pear-Net-Socket php-pear php-common php-gd php-devel php php-mbstring php-pear-Mail php-cli php-imap php-snmp php-pdo php-xml php-pear-Auth-SASL php-ldap php-pear-Net-SMTP php-mysql

Install spawn-fcgi simple program for spawning FastCGI processes
# yum install spawn-fcgi
Next, download spawn-fcgi init.d shell script:

# wget http://bash.cyberciti.biz/dl/419.sh.zip
# unzip 419.sh.zip
# mv 419.sh /etc/init.d/php_cgi
# chmod +x /etc/init.d/php_cgi

Start php app server

# /etc/init.d/php_cgi start
# netstat -tulpn | grep :9000

By default php server listens on 127.0.0.1:9000 port. Finally, update /etc/nginx/nginx.conf as follows:

# vi /etc/nginx/nginx.conf

Modify / append as follows:

——————————————————–

location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html$fastcgi_script_name;
include fastcgi_params;
}
——————————————————————–

Save and close the file. Restart nginx:

# service nginx restart

Create /usr/share/nginx/html/test.php as follows:

——————————-


-------------------------

Nginx with Cpanel Apache in proxy mode

This manual is useful for those wishing to install Nginx web server in Cpanel to manage static content using less cpu and ram, so we just loaded PHP to Apache.
tested on ( Cpanel 11.28, CentOS 5 x86_64, PHP 5.2.16 and Apache 2.2 )

Installation:
————————————————————————————————————–
cd /usr/src
wget http://sysoev.ru/nginx/nginx-0.7.63.tar.gz
wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-7.9.tar.gz
tar xvzf mod_rpaf-0.6.tar.gz
cd mod_rpaf-0.6
/usr/local/apache/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
cd /usr/src
tar xvzf pcre-7.9.tar.gz
cd pcre-7.9
./configure
make
make install
cd /usr/src
tar xvzf nginx-0.7.63.tar.gz
cd nginx-0.7.63
./configure –with-http_ssl_module –with-http_realip_module –with-http_dav_module –with-http_flv_module –with-http_gzip_static_module
make
make install
==================================================

-Login to WHM and look for the following route:

Main >> Service Configuration >> Apache Setup > Include Editor > Pre Main Include
- Add the following configuration and save, LIST_OF_YOUR_IPS changing the IP you occupy in your site:
——————————————————————–
LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
# Enable reverse proxy add forward
RPAFproxy_ips 127.0.0.1 LIST_OF_YOUR_IPS
# which ips are forwarding requests to us
RPAFsethostname On
# let rpaf update vhost settings
# allows to have the same hostnames as in the “real”
# configuration for the forwarding Apache
RPAFheader X-Real-IP
# Allows you to change which header mod_rpaf looks
# for when trying to find the ip the that is forwarding
# our requests
——————————————————————–

Change the apache port to 81 (tweak settings)
Open whm – tweak settings and find 0.0.0.0:80 and change it to 0.0.0.0.:81
Run SSH console
# /usr/local/cpanel/whostmgr/bin/whostmgr2 –updatetweaksettings
# /scripts/rebuildhttpdconf
# service httpd restart
wget the automated nginx virtual host creator
wget http://www.hikaro.com/files/nginx.sh
- chmod the file and run it
# chmod 755 nginx.sh
# ./nginx.sh
Here you will get error then follows this steps
Edit nginx.sh
Find & replace the line /usr/local/nginx/conf/nginx.conf < to /usr/local/nginx/conf/nginx.conf < Again run the script
# ./nginx.sh
-Now check the configuration
# /usr/local/nginx/sbin/nginx -t
Start nginx
# /usr/local/nginx/sbin/nginx
Until now only the managing nginx connections, but is not serving static content. For the latter you must edit the following file:
/usr/local/nginx/conf/vhost.conf
-Remove the 3 # signs of the following lines, so the final configuration will looks like
————————————————————————————-
location ~* \.(gif|jpg|jpeg|png|wmv|avi|mpg|mpeg|mp4|js|css)$ {
root /home/myweb/public_html;
}
————————————————————————————–
–Restart nginx in SSH
/usr/local/nginx/sbin/nginx -s reload

APF (Advanced Policy Firewall)

What is APF (Advanced Policy Firewall)?

Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the ‘apf’ command, which includes detailed usage information on all the features.

Requirements:
- Root SSH access to your server

Install

Login to your server through SSH and su to the root user.

cd /root/downloads or another temporary folder where you store your files.

wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

tar -xvzf apf-current.tar.gz

cd apf-0.9.5-1/ or whatever the latest version is.

Run the install file: ./install.sh

You will receive a message saying it has been installed

.: APF installed
Install path: /etc/apf
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf

Configure the firewall: (i mostly use nano editor) nano /etc/apf/conf.apf
General configuration to get your firewall running. This isn't a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.

You may like to use DShield.org's "block" list of top networks that have exhibited suspicious activity.
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"

Configuring Firewall Ports:
Cpanel Servers
recommended settings for Cpanel Servers

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083, 2086,2087, 2095, 2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
Common egress (outbound) ports
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
Ensim Servers
recommended settings for Ensim Servers
Common ingress (inbound) ports
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
Common egress (outbound) ports
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
Plesk Servers
recommended settings for Plesk Servers
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,3306,4643,5224,8443,8447,10000,
35000_35999"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="20,21,53,1040"
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="0"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,3306,5224,8443,10000,35000_35999"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,37,53,123,1040"
# Common ICMP egress (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
Save your changes! Ctrl + X then y (nano editor)

Starting the firewall
apf -s
Other commands:
usage /usr/local/sbin/apf [OPTION]
-s|--start ............. load firewall policies
-r|--restart ........... flush & load firewall
-f|--flush|--stop ...... flush firewall
-l|--list .............. list chain rules
-st|--status ........... firewall status
-a HOST|--allow HOST ... add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST|--deny HOST .... add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall

After everything is fine, change the DEV option
nano /etc/apf/conf.apf
# Set firewall cronjob (devel mode)
# 1 = enabled / 0 = disabled
DEVEL_MODE="0"
It is recommended changing this back to "0" after you've had a chance to ensure everything is working well and tested the server out.
Save your changes! Ctrl + X then y
Restart the firewall: apf -r

Make APF Start automatically at boot time
To autostart apf on reboot, run this:
chkconfig --level 2345 apf on
To remove it from autostart, run this:
chkconfig --del apf

Server Monitoring

If the server load is high then do the following tricks:

1) top or top -n1
check for the server load and watch for process

2) free -m
it will display the memory status
# vmstat : (virtual memory status)
# mymem : (which services are consuming memory)

3)if a perticular user is causing a high server laod then use “ps U username”: it will display the process that are running by the user . Then you can take action against that user.

4) netstat -an |grep :80 |wc -l :
Show how many active connections there are to apache (httpd runs on port 80)

5) netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort –n
it will display the no of connections form a certain ip

6)if there is MYSQL taking cpu usage then check for mysql status
# watch mysqladmin proc
# mysqladmin -u root processlist
check for the databases and suspend that user if any database is using high resources.

7)check /tmp if there is any process taking high resources : chown to root for that process and chmod 000 also if .sh process is running then chown it t0 root:root

8)if exim is taking high resources then check for exim logs : use this command :
replace :blackhole: : fail: — /etc/valiases/*

w : Current users

exim -bp | exiqsumm
ps aux | head -1;ps aux –no-headers| sort -rn +3 | head :

Use below mentioned command to get top memory consuming processes
ps aux | head -1;ps aux –no-headers | sort -rn +2
ps aux | head -1;ps aux –no-headers | sort -rn +2

———————————————————————————————————-

If Exim causes
exim –bpc
shows the total no of email in qmail

eximstats -nr -ne /var/log/exim_mainlog
Total mail server report

pidof exim
shows no of exim pids running

exim -bpr | grep frozen | wc -l
Shows no of frozen emails

exiqgrep -z -i | xargs exim –Mrm
exim -bp | exiqgrep -i | xargs exim -Mrm
it deletes the FROZEN mails from the server

tail -f /var/log/exim_mainlog | grep public_html
check for spamming if anybody is using php script for sending mail through public_html

tail -f /var/log/exim_mainlog | grep /tmp
Used for checking for who is spamming through the /tmp

tail -3000 /var/log/exim_mainlog |grep ‘rejected RCPT’ |awk ‘{print$4}’|awk -F\[ '{print $2} '|awk -F\] ‘{print $1} ‘|sort | uniq -c | sort -k 1 -nr | head -n 5
It will display the IP and no of tries done by the IP to send mail but rejected by the server.

netstat -plan|grep :25|awk {‘print $5′}|cut -d: -f 1|sort|uniq -c|sort -nk 1
shows the connections from a certain ip to the SMTP server

exim -bp | exiqsumm | more
It shows the domain name and the no of emails sent by that domain

If spamming from outside domain then you can block that domain or email id on the server
pico /etc/antivirus.exim
Add the following lines:
if $header_from: contains “name@domain.com”
then
seen finish
endif

eximstats -nr -ne /var/log/exim_mainlog

Catching spammer

exim -bp | exiqsumm | more

exim -bpr | grep “<*@*>” | awk ‘{print $4}’|grep -v “<>” | sort | uniq -c | sort -n
That will show you the maximum no of email currently in the mail queue have from or to the email address in the mail queue with exact figure.

exim -bpr | grep “<*@*>” | awk ‘{print $4}’|grep -v “<>” |awk -F “@” ‘{ print $2}’ | sort | uniq -c | sort -n
That will show you the maximum no of email currently in the mail queue have for the domain or from the domain with number.

Check if any php script is causing the mass mailing with
cd /var/spool/exim/input
egrep “X-PHP-Script” * -R
Just cat the ID that you get and you will be able to check which script is here causing problem for you.

To Remove particular email account email
exim -bpr |grep “ragnarockradio.org”|awk {‘print $3′}|xargs exim -Mrm

If Mysql causes :
mysqladmin -u root processlist
mysqladmin version
watch mysqladmin proc

If Apache causes :
netstat -ntu | grep :80 | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort –n
netstat -an |grep :80 |wc –l
netstat -n | grep :80 | wc -l;uptime ; netstat -n | wc –l
netstat –tupl
netstat -tupl

Other Commands

pidof php
shows the PIDs for php

history | netstat
shows no of connection details

lsof -p pid
shows the details of pid

netstat -na |grep :80 |sort

Use below mentioned command to get top memory consuming processes”

ps aux | head -1;ps aux –no-headers| sort -rn +3 | head

Use below command to get top cpu consuming processes:

ps aux | head -1;ps aux –no-headers | sort -rn +2 |more

You can check if any backup is going on, run the following commands:
# ps aux | grep “pkg”
# ps aux | grep “gzip”
# ps aux | grep “backup”
If any backup process is going on, kill that process.

We can trace the user responsible for high web server resource usage by the folowing command
cat /etc/httpd/logs/access_log | grep mp3
cat /etc/httpd/logs/access_log | grep rar
cat /etc/httpd/logs/access_log | grep wav etc

cat /etc/httpd/logs/access_log | grep 408
Can be used to check for DDOS attacks on the server.

cat /etc/httpd/logs/access_log | grep rar

Port scanning :
root@ [/tmp]# nmap localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-10-04 13:22 MYT
Interesting ports on localhost (127.0.0.1):
Not shown: 1664 closed ports
PORT STATE SERVICE
1/tcp open tcpmux
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
465/tcp open smtps
631/tcp open ipp
783/tcp open spamassassin
953/tcp open rndc
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql

Nmap finished: 1 IP address (1 host up) scanned in 0.125 seconds
root@ [/tmp]#

netstat -anp |grep :3306

DDOS ATTACK :

ps -aux|grep HTTP|wc –l : It will show you no of http connections to the server

netstat -lpn|grep :80 |awk ‘{print $5}’|sort : It will helpful to check the no of connections from a certain ip

Check for the ips and block them with firewalls as apf/csf/iptables

For iptables : iptables -A INPUT -s -j DROP
For apf : apf –d ip_address
For CSF : csf -d ip_adrress

If load due to SPAMD:

Issue
The load issues on a cpanel 11 box (later versions too) because of spamd are quite common, sometimes they may take more than 90% of the CPU. Here are some ways to resolve it.
[edit] Solution
We can use the following steps to resolve the issue in a considerable manner.

1. Edit the /etc/mail/spamassassin/local.cf file

vi /etc/mail/spamassassin/local.cf

then add the following lines to it

a) use_bayes 0 (this will disable some spamassassin functionalities)
b) lock_method flock

(Uncomment these options, if they are commented)

2) Run scripts2/autofixer/spamd_dbm_fix

a) Log into WHM and use another URL as “http://your server IP:2086//scripts2/autofixer”
then type the script name “spamd_dbm_fix” and run

b) Or you can also do the same from server back end as follows.

# wget http://httpupdate.cpanel.net/autofixer/spamd_dbm_fix
# chmod 755 spamd_dbm_fix
# ./spamd_dbm_fix

3) Run the following lines of codes

# rm -f /home/*/.spamassassin/__db.bayes_toks.new
# rm -f /home/*/.spamassassin/*.lock

NOTE : If the load issue is related to a particular user then there is no need for running this,
you can simply enter into the ‘.spamassassin/’ directory for that user and delete the
files ‘__db.bayes_toks.new’ and *.lock.

4) Restart spam assassin (restart Exim)

5) Hope this will help you in such a situation.

: memory usage serverwide.
ps aux | awk ‘{print $4″\t”$11}’ | sort | uniq -c | awk ‘{print $2″ “$1″ “$3}’ | sort –nr

[root@ ~]# mymem
Memory Usage
————
Current: 326.344 MB
Allocated: 492.012 MB
Guaranteed: 512 MB
Burstable: 768 MB

====================

5.1 1 spamd
0.7 1 spamd
0.6 1 /usr/bin/spamd
0.4 1 /usr/sbin/mysqld
0.2 1 cpsrvd
0.1 4 /etc/authlib/authProg
0.1 1 eximstats
0.1 1 cpdavd
0.1 1 cpbandwd
0.1 1 cpanellogd
0.1 1 cPhulkd
0.1 1 /usr/local/cpanel/bin/leechprotect
0.0 6 /usr/libexec/courier-authlib/authdaemond
0.0 4 /usr/sbin/courierlogger
0.0 4 -bash
0.0 3 sshd:
0.0 3 /usr/sbin/exim
0.0 3 /usr/lib/courier-imap/libexec/couriertcpd
0.0 2 sort
0.0 2 awk
0.0 11 /usr/local/apache/bin/httpd
0.0 1 xinetd
0.0 1 uniq
0.0 1 syslogd
0.0 1 pure-ftpd
0.0 1 ps
0.0 1 init
0.0 1 crond
0.0 1 chkservd
0.0 1 antirelayd
0.0 1 /usr/sbin/sshd
0.0 1 /usr/sbin/saslauthd
0.0 1 /usr/sbin/pure-authd
0.0 1 /usr/sbin/portsentry
0.0 1 /usr/sbin/named
0.0 1 /etc/authlib/authProg
0.0 1 /bin/sh
%MEM 1 COMMAND

====================================================

kill nobody process
ps aux | grep nobody | awk ‘{print $2}’ | xargs kill -9

To see only the memory resources occupied by each category of processes, such as Apache httpd, MySQL mysqld or Java, use the following command:

ps aux | awk ‘{print $4″\t”$11}’ | sort | uniq -c | awk ‘{print $2″ “$1″ “$3}’ | sort -nr
====================================================

ps -eo pid,%cpu,vsz,args,wchan

Shows every process, their pid, % of cpu, memory size, name, and what syscall they are currently executing. Nifty.

whereis locates source/binary and manuals sections for specified files. The supplied names are first stripped of leading pathname components and any (single) trailing
extension of the form .ext, for example, .c. Prefixes of s. resulting from use of source code control are also dealt with. whereis then attempts to locate the desired program in
a list of standard Linux places. For example find out where is ls command?
$ whereis ls

cd /var/spool/exim/input
egrep “X-PHP-Script” * -R

For netstat
netstat -nap | grep :110 | awk ‘{print $5}’ | cut -d”:” -f1 | sort | uniq -c | sort -nr | head
netstat -nap | grep :25 | awk ‘{print $5}’ | cut -d”:” -f1 | sort | uniq -c | sort -nr | head
netstat -n | grep :80 | wc -l;uptime ; netstat -n | wc –l
netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n
netstat -nap | grep :80 | awk ‘{print $5}’ | cut -d”:” -f1 | sort | uniq -c | sort -nr | head

root@ [~]# tail -f /var/log/slow.log
# tail -500 /var/log/mysql-slow-queries.log

# How to find Top 10 memomry & cpu consuming processes
ps -eo pcpu,%mem,pid,user,args | sort -k 1 -r | head -10

Thursday 28 April 2011

Delete Frozen Emails

How to check number of emails in the mail queue:

exim -bpc

To check the email ID, sender and receiver of the each email:

exim -bp | more

To delete frozen emails from the mail queue, execute:

exim -bp | grep ‘frozen’ | awk ‘{print $3}’ | xargs exim -Mrm

similarly, to delete emails sent using a script’

exim -bp | grep ‘<>’ | awk ‘{print $3}’ | xargs exim -Mrm

HowTo: Add Additional IPs

How to add multiple IPs on an Ethernet network interface card i.e. eth0? OR

How to add additional IPs on a Linux server?

People find it rather hard to add the IPs manually on a Plain server. Following are the steps you can follow to add a range of IPs on a CentOS server:

1 ) Change directory to /etc/sysconfig/network-scripts/ using the ‘cd’ command:

cd /etc/sysconfig/network-scripts/ (this directory contains Interface configuration files)

2) Create a file ifcfg-eth0-range0 using your favorite text editor like ‘pico’

pico ifcfg-eth0-range0

3) Add the following lines to the file:

IPADDR_START=1.1.1.10
IPADDR_END=1.1.1.20
CLONENUM_START=1

where,

IPADDR_START is the first IP in the range.
IPADDR_END is the last IP in the range.
CLONENUM_START=1, where 1 will start adding IPs from eth0:1

4) Save and exit the file.

5) You now need to execute “ifup-aliases” script for the range of IPs to take affect. Execute the following command:

./ifup-aliases eth0

This will add the IPs on eth0 and will bring all the virtual interfaces up. You can view all the interfaces using the “ifconfig” command.

Tuesday 26 April 2011

How to turn off PHP errors, notices and warnings within .htaccess

PHP errors, notices, and warnings may be turned off by adding the following code within a website’s .htaccess file:

php_flag display_errors off

Besides potentially interfering with a website’s visual appearance, it is generally not a good idea to display errors, notices, and warnings within a production environment for security reasons, since the error messages may provide useful information on a server / website’s configuration, and thus how to circumvent its security measures.

RESET MYSQL Password

To Reset the Password (Forgot Password)

service mysql stop

wait until MySQL shuts down. Then run

mysqld_safe --skip-grant-tables &

then you will be able to login as root with no password.

mysql -u root mysql

In MySQL command line prompt issue the following command:

UPDATE user SET password=PASSWORD("windowsxp123") WHERE user="root";
FLUSH PRIVILEGES;
EXIT

Secure /var/tmp and Resize /tmp

It should be done because some applications use /var/tmp as the temporary folder, and anything that's accessible by all, needs to be secured.

Rename it and create a symbolic link to /tmp:
# mv /var/tmp /var/tmp1

# ln -s /tmp /var/tmp

Copy the old data back:
# cp /var/tmpold/* /tmp/


Resize /tmp from 512MB to 2GB

It’s quite common for a cPanel server to need a larger /tmp partition.

cPanel, by default, creates a loopback device that mounts to /tmp. The default size is only 512MB. This is quite small, especially for shared systems.

Reasons /tmp might become full:

* MySQL operation or Repair requiring temporary space. Keep in mind the /tmp partition must be big enough to support the largest table size on your system. (8GB table would require 8+GB /tmp space)
* PHP sessions consuming space in /tmp
* Rogue scripts living in /tmp

To resize follow these steps:

** Note that this will stop MySQL and will cause service interruption. These commands will resize /tmp to 2GB. If you wish to resize to a greater or smaller size simply change 2048000 to your desired size in bytes.

/etc/init.d/chkservd stop
/etc/init.d/mysql stop
umount /var/tmp
umount /tmp
sed -i -e 's/512000/2048000/g' /scripts/securetmp
rm /usr/tmpDSK
/scripts/securetmp --auto
cd /tmp
ln -s /var/lib/mysql/mysql.sock
/etc/init.d/mysql start
/etc/init.d/chkservd start

If you receive errors stating that /tmp could not be unmounted simply run the following command to identify the PID (Process ID) still using /tmp

lsof /tmp

Next, kill all processes using /tmp using “kill –9

Find the attacks

To find the attacks:

It will show all connections to port 80.

netstat -an|grep :80



It will shows only the synflood entries.

netstat -an|grep SYN_RECV



To see the number of total Apache connections and then the total number of SYN_RECV:

netstat -an|grep :80|wc -l

netstat -an|grep SYN_RECV|wc -l

The lsof to see which existing connections that were not defunct were showing and all of the ones still connecting were those doing SYN_RECV status (You can check the IPs against the SYN_RECV IPs):

lsof -i :80

How to get all the connection to your webserver?
netstat -an | grep :80 | wc -l

as you can see in the above the port that has been specified is 80 that means the port that a webserver is using

so whether it would be apache or lighttpd or lightspeed or all the rest.


How to get all of the ips and number of their conection to the server

netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -n

Preventing DDOS Attacks Simple Methods

To prevent DDos attacks you should install some kind of third party programs. There are other programs that can Defend against DDOS Attacks such Dos_Deflate that their method is to count the number of total connections of each ip address and preventing them from accessing your server in specific ammount of time.

DOS_Defalte Can Help you protect your Server from DDos Attacks

Dos_Deflate is a shell program that can ban the ips that have reached the specific amount of connections you specified and also they will be banned until the time you have specified in the configuration of Dos_deflate shell program.

Dos_Deflate Installation Guide:

To install first ssh to your server, download it to your server

wget http://www.inetbase.com/scripts/ddos/install.sh

then run this by

sh install.sh

cd /usr/local/ddos/;./ddos.sh

sh /usr/local/ddos/ddos.sh [/cc]

then you can edit the config by

nano /usr/local/ddos/ddos.conf

Dos_Deflate Configration Guide:
Email Notifier

you can configure dos_defalte to email you and make you notified of whicdh ips have been banned or had more connection than limit that you specified.just go down and assign an email infront of the equal sign in quotation.

EMAIL_TO=”your_email@domain.com”

Frequncy Check

you can configure to test ip connections how much in miniute.let say if you had it configured 5 then by dividing 60 to 5 this means that dos_defalte will be ran every 12 seconds.have this variable configured with between 3 to 5 times per minute that is the best configration.

FREQ=5

Specify the number of maximum connection of each ip address
you can specify how many connections will define a bad ip address to be blocked fro myuor server.it depends on your apache timeout and other ports such as ftp that is a connection hungry.I recommend you configure dos_defalte to test only prot 80 that is mostly subject to DDOS attacks and provide between 100 to 200 connections.all the value you would define is mostly depends on your other configration factors of your server.

NO_OF_CONNECTIONS=

APF Ban Variable in Dos_Deflate
If you have APF installd change this value to 1,otherwise to have iptables to drop ips assign this variable the 0 value

APF_BAN=0

Killor Not,Test Mode or Active mode
you can configure to bann those suspicous ips or not, this will help you to have dos_deflate in testing mode for debuging purpuoses .to have it enabled to ban ip addresses have it 1,otherwise change it to 0

KILL=1

Define How much time bad ipaddress to be banned with dos_deflate
with this option you can define the time that an ip addresss that has beenknown as bad ip address to be banned from accessign to the server.Ideal times are between 300 to 1200 miniute period.

BAN_PERIOD=700

Monday 25 April 2011

Steps to migrate a large site from WHM/cPanel

If you are familiar with WHM/cPanel, you sure have this problem while trying to migrate a website more than 2GB and found out the file/folder or any data not updated.

But before that, please understand the command as below.

$ /scripts/pkgacct username

$ rsync

Your site migration will down for minutes(depend on the size).

1. Go to the user root directory.

$ cd /home/username/

2. Move the public_html folder out to /home folder.

$ mv public_html /home

3. Using pkgacct to compress the file with cPanel format where the username is your cPanel username.

$ /scripts/pkgacct username

4. Once done, SCP it to the new server and move the public_html back to the user folder.

$ scp /home/cpmove-username.tar.gz root@newserver.com:/home;mv /home/public_html /home/username

5. From new server, restore it.

$ /scripts/restorepkg username

6. Once done, rsync (xcopy in Windows) from old server to new server, where username is the cPanel username, and IP is the destination IP.

$ rsync -e "ssh" -avz /home/username/public_html/ root@IP:/home/username/public_html

7. Once done, you may proceed to update the DNS.

Manage Linux Bash Shell history

Linux Bash Shell history is useful when you have more than one administrator in your group and you would like to check what action is being done earlier.

To view the history in the bash shell, simply press history
# history

To edit the setting of the history,
# vi ~/.bashrc

Change the setting according to your need.

tailwatchd failed: A restart was attempted automagically

If you have cPanel with your server, you might get the following error.

tailwatchd failed @ Tue Jan 1 00:00:00 2011. A restart was attempted automagically
Service Check Method: [check command] tailwatchd is not running

However, you do not need to worry on it as it might be cPanel services stopped or restarted.

To understand in detail, you may execute the command as below from your Shell.
tail -f /usr/local/cpanel/logs/tailwatchd_log

To fix it, you may try to execute the command as below.
/usr/local/cpanel/libexec/tailwatchd –status

Then restart the cPanel services.
service cpanel restart

If the issue still not fix, may update cPanel,
/scripts/upcp –force

Recovering a cPanel Server From a Crashed Hard Disk using rSync

Rsync is another very powerful command that is used to synchronize 2 directories between servers and only transfer the new files to the server. This is a great method for backing up data as it is low on bandwidth and it is also commonly used to keep clustered servers working together. The ending slashes are very important when using rsync. If you are not familiar with how it works, always make sure to have an ending slash on both the source and the destination and it should be fine.

In case we fail or accidentally destroy our HDD then we can get a new HDD and operating system from the datacentre and restore the data on a new drive. This concept can be used to migrate cPanel Servers from one server to another without loosing any data or creating any sort of downtime for websites hosted on the server.

This is how it will work:

1) Get the partitions from both the drives with:

# fdisk -l

2) Check to see if there are any drives mounted with:

# df -h

3) Let us assume that /dev/hdb3 is our CRASHED old drive and it is mounted as /mnt/old (yours can be different), but keep in mind that you need to know the mount point of the backup drive before we proceed further with the steps below.

Let us mount the CRASHED HDD if not already mounted with:

# mount /dev/hdb3 /oldHD

4) Now that the drive is mounted you can browse any files with:

# ls /oldHD/home

5) We are all set to move our data over to the new drive:

Run these rSync commands to move everything over:

rsync -vrplogDtH /oldHD/usr/local/apache/conf /usr/local/apache
rsync -vrplogDtH /oldHD/var/named /var
rsync -vrplogDtH /oldHD/home/* /home
rsync -vrplogDtH /oldHD/usr/local/cpanel /usr/local
rsync -vrplogDtH /oldHD/var/lib/mysql /var/lib
rsync -vrplogDtH /oldHD/var/cpanel /var
rsync -vrplogDtH /oldHD/usr/share/ssl /usr/share
rsync -vrplogDtH /oldHD/var/ssl /var
rsync -vrplogDtH /oldHD/usr/local/cpanel/3rdparty/mailman /usr/local/cpanel/3rdparty
rsync -vrplogDtH /oldHD/var/log/bandwidth /var/log
rsync -vrplogDtH /oldHD/usr/local/frontpage /usr/local
rsync -vrplogDtH /oldHD/var/spool/cron /var/spool
rsync -vrplogDtH /oldHD/root/.my.cnf /root
rsync -vrplogDtH /oldHD/etc/httpd/conf/httpd.conf /etc/httpd/conf

cd to the old etc directory:

#cd /oldHD/etc

And copy some files from here:

#rsync -vrplogDtH secondarymx domainalias valiases vfilters exim* proftpd* pure-ftpd* passwd* group* *domain* *named* wwwacct.conf cpupdate.conf quota.conf shadow* *rndc* ips* ipaddrpool* ssl hosts /etc

6) We are done with the copying of all the files and cPanel should start recognizing all the old users and their files, but after we do all this it is highly suggested that you run all updates, and run the cPanel fix scripts i.e:

Updating software and restarting services:

#/scripts/upcp
#/scripts/updatenow
#/scripts/sysup
#/scripts/exim4
#/scripts/easyapache
#/scripts/securetmp
# /scripts/fixeverything

7)This is needed to update cpanel information. Please note, sshd might fail and not start after running fix everything. You have to login to whm, and go to the rpm installer and “FORCE” install opensshd-server, opensshd, opensshd-client and then restart sshd from whm.

Restarting services as:

#/scripts/restartsrv httpd
#/scripts/restartsrv cpanel
#/scripts/restartsrv mysql
#/scripts/restartsrv named
#/scripts/restartsrv exim

That is all we need to recover data from a CRASHED HDD.


Procedure to Migrate live cPanel Server to a new cpanel server


Same procedure can be used to migrate one server to another without any data loss or downtime. The following steps will be different in this case and for this particular requirement you will need to go through the following configurations :-

1) Share SSH keys between both servers (only if you have full control of both servers). To share SSH keys you will first need to generate keys on both servers with following command :-

#ssh-keygen -t rsa -b 1024

Run above command only if you dont have any information in ‘/root/.ssh/ directory’. Once the keys are generated you will see the following files in the directory :-
id_rsa id_rsa.pub known_hosts

Now to share the keys you need to copy the contents of id_rsa.pub file and create a new file called authorized_keys in the same directory on the other server. Paste the contents of id_rsa.pub of server1 in server2 and server2 in server1 authorized_keys. Sharing SSH keys in this way will allow you to sync data between both servers without any sort of password authentication. You will need to create this file (authorized_keys) as it won’t be there by default.

Browse to the ‘/etc’ directory on the source server and run following command from that directory :-

#rsync -vrplogDtH secondarymx domainalias valiases vfilters exim* proftpd* pure-ftpd* passwd* group* *domain* *named* wwwacct.conf cpupdate.conf quota.conf shadow* *rndc* ips* ipaddrpool* ssl hosts root@10.10.10.2:/etc

(10.10.10.2 is assumed as the IP of the new server to which we are moving the data.)

Now we need to transfer everything else.

rsync -vrplogDtH /usr/local/apache/conf root@10.10.10.2:/usr/local/apache
rsync -vrplogDtH /var/named root@10.10.10.2:/var
rsync -vrplogDtH /home/* root@10.10.10.2:/home
rsync -vrplogDtH /usr/local/cpanel root@10.10.10.2:/usr/local
rsync -vrplogDtH /var/lib/mysql root@10.10.10.2:/var/lib
rsync -vrplogDtH /var/cpanel root@10.10.10.2:/var
rsync -vrplogDtH /usr/share/ssl root@10.10.10.2:/usr/share
rsync -vrplogDtH /var/ssl root@10.10.10.2:/var
rsync -vrplogDtH /usr/local/cpanel/3rdparty/mailman root@10.10.10.2:/usr/local/cpanel/3rdparty
rsync -vrplogDtH /var/log/bandwidth root@10.10.10.2:/var/log
rsync -vrplogDtH /usr/local/frontpage root@10.10.10.2:/usr/local
rsync -vrplogDtH /var/spool/cron root@10.10.10.2:/var/spool
rsync -vrplogDtH /root/.my.cnf root@10.10.10.2:/root
rsync -vrplogDtH /etc/httpd/conf/httpd.conf root@10.10.10.2:/etc/httpd/conf

One more thing which needs to be done in this case is a mass replace command for changing the IP address in the zone files and httpd.conf. Here’s a command to help you do it in a few seconds :-

replace 10.10.10.1 10.10.10.2 — /var/named/*.db
replace 10.10.10.1 10.10.10.2 — /usr/local/apache/conf/httpd.conf

10.10.10.1 is assumed as the IP of source server.
10.10.10.2 is assumed as the IP of the new destination server which will now run your websites.

If you run this mass replace command on the source server as well then all the websites will start pointing to the new server immediately which will ensure no downtime for your websites. This concept can be used for a Cheap VPS Hosting as well.

cPanel: Install SPF record with command

If you have cPanel server and wish to add SPF record in one shot, there is a command come with cPanel to allow you to done it without modify each of the DNS record.

The command line will be as below where cPanel_username should represent your cPanel’s username.

/usr/local/cpanel/bin/spf_installer cPanel_username

Example,
/usr/local/cpanel/bin/spf_installer unixnethost

It will result the DNS zone added the following line,

"v=spf1 a mx ip4:xxx.xxx.xxx.xxx ?all"

How to install a firewall or CSF

Installing a firewall in linux is just a couple of easy steps

log in as “root” and enter your password

First we thing we type in is;

rm -fv csf.tgz

click enter, and then type

wget http://www.configserver.com/free/csf.tgz

click enter and wait until done , then type

tar -xzf csf.tgz

click enter and then type

cd csf

click enter and then type

sh install.sh

and it will install itself

And you have a firewall on your server/vps and all we need to do turn it on.

Disable the Testing Mode and Start the Firewall

Remember by default the firewall is running in testing mode. You might want to disable the firewall running in testing mode.

nano /etc/csf/csf.conf

//Look for the first line and set testing mode to "0"
TESTING = "0"

//Now restart the firewall!
csf -r


Enable in cPanel or WHM

Go to your Whm panel and scroll down left side on bottom to “ConfigServer Security&Firewall” and click

Then click on “Firewall Configuration”

See on top where it says “TESTING =1″ , change 1 to 0 scroll down to bottom of page and click “Change”

This will start your firewall and you ready to go,we will customize it later.


Hints:

root@server[#] vi /etc/csf/csf.conf

Find TCP

# Allow incoming TCP ports

TCP_IN = “20,21,25,53,80,110,143,443,465,953,993,995,2082,2083,2086,2087,2095, 2096,8090,49226,26,512:65535,5666,3306,3333?

# Allow outgoing TCP ports

TCP_OUT = “20,21,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703,8090,512:65


Config Files

/etc/csf/csf.conf CSF Firewall configuration file
/etc/csf/csf.allow => Config file to allow IPs
/etc/csf/csf.deny => Config file to deny IPs
/etc/csf/ => Alert files with TXT extension are stored within this directory


// start the firewall
csf -s

// restart the firewall
csf -r

// flush the rules or stop the firewall.
csf -f

//Disable firewall
csf -x

//Enable firewall
csf -e

Sunday 24 April 2011

cPanel Ports

How to check whether the cPanel ports are open?

You may experience issues with the non-standard http ports Cpanel works with. Usually Cpanel can be opened from:

* http://yourdomainname.com/cpanel
* http://yourdomainname.com:2082
* http://cpanel.servername.com

Sometimes local firewalls allow only access to sites on port 80. In such cases, use the last URL. Note that the address "3" is a web based proxy which provides you with the option to access your cPanel via the default http port 80. We have set this extra service for our Customers which Internet Service Providers blocked ports 2082 and 2083.

You may check if the ports are blocked executing the following commands:
If you are running Windows do the following:

* Click Start
* Click Run
* Type cmd
* Type telnet yourdomainname.com 2083
* Type telnet yourdomainname.com 2082

If you are running Linux do the following:

* Start your Linux/Mac OS console terminal
* Type telnet yourdomainname.com 2083
* Type telnet yourdomainname.com 2082

If the port is not blocked the results should look like the following one. Trying IP_of_the_server ( 120.120.120.120 for an example )...
Connected to servername.com.
Escape character is '^]'.

Different result will means that the port is blocked and you should use the web proxy link provided above.

How to update cPanel license + cPanel license Verification

Update cPanel License

If you get Invalid License File when you login to cpanel, you need to update your cpanel license file by:

Login to shell as "root" and run the following from command line:

# /usr/local/cpanel/cpkeyclt


cPanel license Verification
visit verify.cpanel.net, enter your IP and check whether the license is active now.
http://www.cpanel.net/apps/verify/



cPanel license logs
/usr/local/cpanel/logs/license_log

VI editor shortcuts

:: VI COMMANDS ::

Cursor movements
h ~ left one character
l ~ right one character
j ~ down one line
k ~ up one line
w ~ right one word
b ~ back one word

Deleting, Yanking, and Pasting
d ~ delete
x ~ delete character cursor is on
r ~ replace one character
y ~ yank (copy into temporary buffer)
Y ~ yank line cursor is on
p ~ paste below cursor line (deleted or copied text)

Saving and Exiting
u ~ undo last editing command
ZZ ~ save and exit (hold down shift and press "z" twice)
:wq! ~ write and quit even if it is read-only.

Linux World

Linux

Linux (often pronounced LIH-nuhks with a short "i") is a Unix-like operating system.

The world's most popular open source (non-proprietary) computer operating system (OS), favored because of its proven efficiency, dependability, and reliability.