A great linux stuff website

Monthly Archives: December 2012

Apache logs location on Plesk
/var/log/httpd/access_log
/var/log/httpd/error_log

Apache suEXEC log location on Plesk:
/var/log/httpd/suexec_log

Access and Error logs for a specific account / user / website on Plesk:
/var/www/vhosts/domain.tld/statistics/logs/access_log
/var/www/vhosts/domain.tld/statistics/logs/error_log

System log (syslog) location on Plesk:
/var/log/messages
Named (Bind) logs location on Plesk:
/var/log/messages

MySQL log location on Plesk:
/var/lib/mysql/server.hostname.err, or the path set by log-error in /etc/my.cnf
WatchDog logs location on Plesk:
/usr/local/psa/var/modules/watchdog/log/monit.log

Mail logs including Qmail and Postfix location on Plesk:
/usr/local/psa/var/log/maillog
FTP logs location on Plesk:
/var/log/messages

SSH logs location on Plesk:
/var/log/secure
Tomcat logs location on Plesk:
/var/log/tomcat5/catalina.out

Mailman logs location on Plesk:
/var/log/mailman/
Cronjob Logs:
/var/log/cron

Horde Logs:
/var/log/psa-horde/psa-horde.log

Plesk control panel access and error logs location:
/usr/local/psa/admin/logs/httpsd_access_log
/var/log/sw-cp-server/error_log
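As an added example (not from the original page), here is a small shell triage over the per-domain access_log listed above: one function lists clients with more than N 4xx responses (a typical scanner footprint), the other pulls out requests carrying directory-traversal or SQL-injection markers. The log lines are constructed combined-format entries; the addresses, paths and user agents are made up.

```shell
#!/bin/sh
# Added example: triage an Apache combined-format access_log (e.g. the Plesk
# per-domain /var/www/vhosts/domain.tld/statistics/logs/access_log).
# Field layout of the combined format, as awk sees it:
#   $1 client IP, $6 "METHOD, $7 path, $8 HTTP/x.y", $9 status, $10 bytes

# sample_access_log: constructed log lines for demonstration (not real traffic)
sample_access_log() {
    cat <<'EOF'
203.0.113.9 - - [10/Dec/2012:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "scanner"
203.0.113.9 - - [10/Dec/2012:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "scanner"
203.0.113.9 - - [10/Dec/2012:10:00:03 +0000] "GET /../../etc/passwd HTTP/1.1" 400 300 "-" "scanner"
198.51.100.4 - - [10/Dec/2012:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla"
198.51.100.4 - - [10/Dec/2012:10:00:05 +0000] "GET /missing.gif HTTP/1.1" 404 512 "-" "Mozilla"
192.0.2.77 - - [10/Dec/2012:10:00:06 +0000] "GET /shop.php?id=1%20union%20select%201,2 HTTP/1.1" 200 1024 "-" "sqlmap"
EOF
}

# flag_noisy_clients LOGFILE THRESHOLD
#   prints "<count> <ip>" for every client with more than THRESHOLD 4xx responses,
#   busiest first. One 404 is a broken link; dozens in a row is enumeration.
flag_noisy_clients() {
    awk -v thr="$2" '
        $9 ~ /^4[0-9][0-9]$/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > thr) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# flag_suspicious_requests LOGFILE
#   prints whole log lines whose request carries directory-traversal or
#   SQL-injection markers (raw or URL-encoded). Extend the pattern as needed.
flag_suspicious_requests() {
    grep -E -i '(\.\./|%2e%2e|/etc/passwd|union(%20|[+]| )select)' "$1"
}

# Usage on a live server:
#   flag_noisy_clients /var/www/vhosts/domain.tld/statistics/logs/access_log 50
#   flag_suspicious_requests /var/www/vhosts/domain.tld/statistics/logs/access_log
```

Any address that shows up in both lists is a candidate for the firewall deny list; anything in the second list that returned a 200 deserves a look at the application, not just the firewall.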


Got this error when trying to add an addon domain to a cPanel account. It happens when cPanel does not remove the addon/parked domain cleanly: it still believes the domain exists, so adding it back fails.

Here's how to fix it:

1. Check whether a parked-domain entry still exists for the domain in question.
2. Remove domain.com from /var/cpanel/users/cpanel-username.
3. Run /scripts/updateuserdomains as root, because you edited the file above by hand; this rebuilds the user/domain cache files.
4. Remove /var/named/domain.com.db if the file exists (it does not always).
5. Remove the virtual host for domain.com from /usr/local/apache/conf/httpd.conf.
6. Remove the domain.com zone entry from /etc/named.conf.

Now try adding the addon domain again in cPanel; this should resolve the issue.


1. Advanced Policy Firewall — APF Installation

Here we are going to install an excellent firewall on your server: Advanced Policy Firewall (APF).
The APF site's description of the software:
APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz and RPM formats, APF is ideal for deployment in many server environments based on Linux.
Summary of features:
– global ports configuration via simple config file
– configurable policies for each ip on the system [global config overrides]
– powerful postrouting rules for FWMARK and TOS
– plug-in friendly for QoS [CBQ/HTB]
– antidos subsystem to stop attacks before they become a significant threat
– dshield.org block list support to ban networks exhibiting suspicious activity
– advanced set of sysctl parameters for TCP stack hardening
– advanced set of filter rules to remove undesired traffic
– easy to use firewall management script
– trust based rule files (allow/deny); with advanced syntax support

1. Make /usr/src the current working directory.
cd /usr/src
2. Obtain the most current version of APF.
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
3. Expand the APF tar.gz file.
tar -xvzf apf-current.tar.gz
4. Remove the tar.gz file.
rm -f apf-current.tar.gz
5. Locate the APF directory.
ls -la
Look for a directory named apf-#.#/ where #.# represents the version of APF being installed
(APF version 0.8.7 would be in a directory apf-0.8.7/ and version 0.9 would be in a directory named apf-0.9).
6. Make the APF directory the current working directory.
Use the directory name you located in step 5.
Note that the numbers will change as new versions are released.
cd apf-0.9
7. Run the APF install.
sh ./install.sh
8. Make /etc/apf the current working directory.
cd /etc/apf
9. Edit the conf.apf file as desired.
pico -w conf.apf

For this firewall to work properly you have to edit/add/delete ports.
These ports allow services such as mail, FTP and SSH in and out of the server.
If you have changed any service ports, adjust the lists below and add/remove entries as needed.

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,10000,35000_35999"
Note that ports 2082 to 2096 are used by cPanel, and port 19638 is only used by Ensim. Only open what the server actually serves: in particular, drop 3306 unless remote clients really need to reach MySQL, since every port in this list is reachable from the whole Internet.

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="20,21,53,1040"

Change:

* RAB="0" to RAB="1"
* RAB_PSCAN_LEVEL="2" to RAB_PSCAN_LEVEL="3"
* TCR_PASS="1" to TCR_PASS="0"
* DLIST_PHP="0" to DLIST_PHP="1"
* DLIST_SPAMHAUS="0" to DLIST_SPAMHAUS="1"
* DLIST_DSHIELD="0" to DLIST_DSHIELD="1"
* DLIST_RESERVED="0" to DLIST_RESERVED="1"

Find IFACE_IN= and IFACE_OUT= in /etc/apf/conf.apf and verify that they match your network interface

Locate HELPER_SSH_PORT="22" and change it to your SSH port IF you changed it in your sshd_config.

Likewise replace 22 in IG_TCP_CPORTS with your SSH port IF you changed it; if the sshd port is missing from that list you will lock yourself out when APF starts.

10. After you have finished editing the ports save the file and test APF.
CTRL-X, Y to save, Enter to confirm
11. Start APF by typing:
./apf --start
or
service apf start
12. If APF is functioning properly and you are not locked out, edit conf.apf again:
pico -w conf.apf
13. When you are happy with your firewall and everything works fine, edit /etc/apf/conf.apf, find DEVEL_MODE="1" and change it to DEVEL_MODE="0".

14. Once done, save and exit the file.
CTRL-X, Y to save, Enter to confirm
15. Restart APF
service apf restart

Make sure APF starts automatically after a reboot:

chkconfig --add apf
chkconfig --level 345 apf on

Problem: you get the error apf(xxxxx): {glob} unable to load iptables module (ip_tables), aborting.
Solution: Try changing SET_MONOKERN="0" to SET_MONOKERN="1", then run apf -r.

Problem: you get the message apf(xxxxx): {glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes.
Solution: change DEVEL_MODE="1" to DEVEL_MODE="0", but make sure your config is working (you can still log in) first.

Enabling connections for server monitoring.

Some service providers that offer monitoring need access to your server, and letting them in without setting off alarms or the firewall is a good thing. Just be careful which IP(s) you put in here: a plain address entry in allow_hosts.rules is trusted on every port, so use the narrowest range the provider gives you (a /24 is 256 addresses, not one).

1. To allow connections from xx.xx.xx.xx/24
pico -w /etc/apf/allow_hosts.rules
2. At the very end of the file add this line
xx.xx.xx.xx/24
Of course replace the xx.xx.xx.xx with the IP address provided to you.
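Before step 15 it is worth checking conf.apf mechanically, because the two classic failures (DEVEL_MODE left at 1, and the sshd port missing from or garbled in IG_TCP_CPORTS) are exactly the ones that lock you out or leave the box open. The shell functions below are an added example, not part of APF or the original page; the two sample configs are constructed, and the parser assumes the conf.apf VAR="value" line format shown above.

```shell
#!/bin/sh
# Added example: sanity-check /etc/apf/conf.apf before restarting APF.
# It catches the three mistakes that most often lock an admin out or leave the
# box unprotected: DEVEL_MODE still "1", the sshd port missing from the inbound
# TCP list, and a port list that was wrapped/garbled when pasted.

# apf_get CONF VAR  -> prints the value of VAR="value" (last definition wins)
apf_get() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# port_listed LIST PORT -> success if PORT is in a comma list with a_b ranges
port_listed() {
    echo "$1" | tr ',' '\n' | (
        while IFS=_ read -r lo hi; do
            hi=${hi:-$lo}
            case "$lo$hi" in ''|*[!0-9]*) continue ;; esac   # skip garbage entries
            if [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]; then exit 0; fi
        done
        exit 1
    )
}

# lint_apf_conf CONF SSHPORT -> prints one line per problem, non-zero if any
lint_apf_conf() {
    rc=0
    dm=$(apf_get "$1" DEVEL_MODE)
    [ "$dm" = "0" ] || { echo "DEVEL_MODE=\"$dm\": rules will be flushed every 5 minutes"; rc=1; }
    tcp=$(apf_get "$1" IG_TCP_CPORTS)
    case "$tcp" in
        *[!0-9,_]*) echo "IG_TCP_CPORTS contains characters other than digits, ',' and '_' (wrapped when pasted?)"; rc=1 ;;
    esac
    port_listed "$tcp" "$2" || { echo "sshd port $2 is not in IG_TCP_CPORTS: you will be locked out"; rc=1; }
    hp=$(apf_get "$1" HELPER_SSH_PORT)
    [ "$hp" = "$2" ] || { echo "HELPER_SSH_PORT=\"$hp\" does not match sshd port $2"; rc=1; }
    return $rc
}

# Constructed sample configs (not real files): one broken, one sane.
sample_conf_broken() {
    cat <<'EOF'
DEVEL_MODE="1"
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,9 93,995"
HELPER_SSH_PORT="22"
EOF
}
sample_conf_ok() {
    cat <<'EOF'
DEVEL_MODE="0"
IG_TCP_CPORTS="20,21,25,53,80,110,143,443,465,993,995,2222,35000_35999"
HELPER_SSH_PORT="2222"
EOF
}

# Usage on a live server (sshd on 2222):
#   lint_apf_conf /etc/apf/conf.apf 2222 && service apf restart
```

Run it with the port sshd is really listening on (check with netstat -an | grep LISTEN), not the one you think you configured; the lint is only as good as that argument.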

2. BFD (Brute Force Detection)

What is Brute Force Detection? (BFD)
BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet, and likewise it is very straightforward in its installation, configuration and usage. The reason behind BFD is very simple: the fact that there are few or no authentication and brute force auditing programs in the Linux community that work in conjunction with a firewall or real-time facility to place bans.
This how-to will show you how to install BFD on your Linux server to detect and block brute-force login attempts.
This software, like some others, has requirements: you must be running APF (Advanced Policy Firewall) for Brute Force Detection to work.
1. Login to your server via SSH as Root.
2. Type:
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
3. Type:
tar -xvzf bfd-current.tar.gz
4. Type:
cd bfd*
5. Now let’s install BFD onto the server.
Type:
./install.sh

:: You Should See ::
.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd
6. Now we need to edit the configuration file, and set some options.
Don’t worry the BFD Configuration isn’t hard to edit or understand!
Type: pico -w /usr/local/bfd/conf.bfd
7. Now we need to find the line to edit:
Press CTRL-W, then type: ALERT_USR
Change ALERT_USR="0" TO ALERT_USR="1"
Right below that we need to change the email:
Change EMAIL_USR="root" TO EMAIL_USR="you@yoursite.com"
8. That wasn't too bad; let's save and exit the file.
Press: CTRL-X, then type Y, then hit Enter
9. Now we have to prevent locking yourself out of the server.
Type: pico -w /usr/local/bfd/ignore.hosts
10. Add any IP address that you want to be ignored by the rules.
If your server provider is doing monitoring, add their IP(s) here.
Since you need these IPs open in APF as well, you can copy the IPs you used in APF:
Type: pico -w /etc/apf/allow_hosts.rules, then scroll down to the bottom and copy those IPs (drag the mouse over them, that's it).
Press: CTRL-X
Type: pico -w /usr/local/bfd/ignore.hosts
Paste those IPs at the bottom. You should also add your home IP if you haven't done so before.
If your home IP is dynamic this is not a good idea, and you should get a static IP.
Press: CTRL-X, then Y to save, then Enter. Now let's run BFD!
Type: /usr/local/sbin/bfd -s
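To see what BFD's log parsing amounts to, and to dry-run which addresses it would ban before it starts calling the firewall, here is the core logic as an added shell example (not BFD's own code, and not from the original page). It counts sshd "Failed password" lines per source address in /var/log/secure-style input, honours an ignore list in the one-address-per-line format of ignore.hosts, and reports offenders at or above a threshold. The log lines and the ignore list are constructed.

```shell
#!/bin/sh
# Added example: the core of what BFD does, in a few lines of awk, so you can
# see (and dry-run) which addresses would be banned before letting it call APF.
# Counts "Failed password" events per source IP in an sshd log (/var/log/secure
# on the systems above), skips anything listed in an ignore file, and reports
# the IPs at or above a threshold.

# constructed sample of /var/log/secure lines (not from a real host)
sample_secure_log() {
    cat <<'EOF'
Dec 10 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.9 port 51122 ssh2
Dec 10 10:01:03 host sshd[1235]: Failed password for invalid user admin from 203.0.113.9 port 51123 ssh2
Dec 10 10:01:04 host sshd[1236]: Failed password for invalid user test from 203.0.113.9 port 51124 ssh2
Dec 10 10:01:05 host sshd[1237]: Failed password for root from 203.0.113.9 port 51125 ssh2
Dec 10 10:01:06 host sshd[1238]: Failed password for root from 203.0.113.9 port 51126 ssh2
Dec 10 10:01:07 host sshd[1239]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2
Dec 10 10:01:08 host sshd[1240]: Failed password for deploy from 198.51.100.4 port 40001 ssh2
Dec 10 10:01:09 host sshd[1241]: Failed password for root from 192.0.2.50 port 33000 ssh2
Dec 10 10:01:10 host sshd[1242]: Failed password for root from 192.0.2.50 port 33001 ssh2
Dec 10 10:01:11 host sshd[1243]: Failed password for root from 192.0.2.50 port 33002 ssh2
EOF
}

# constructed ignore list in the ignore.hosts style: one address per line, # comments
sample_ignore_hosts() {
    cat <<'EOF'
# monitoring provider and our own office
192.0.2.50
EOF
}

# ban_candidates LOGFILE THRESHOLD IGNOREFILE -> "<ip> <failures>" per offender
ban_candidates() {
    awk -v thr="$2" -v ign="$3" '
        BEGIN { while ((getline line < ign) > 0) if (line !~ /^#/ && line != "") skip[line] = 1 }
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr && !(ip in skip)) printf "%s %d\n", ip, n[ip] }
    ' "$1" | sort
}

# Dry run on a live box (threshold 5, honouring BFD's own ignore list):
#   ban_candidates /var/log/secure 5 /usr/local/bfd/ignore.hosts
# Each reported address is what BFD would hand to the firewall (apf -d <ip>).
```

If your own address appears in the dry run, fix ignore.hosts before starting BFD, not after; that is the lock-out the text warns about.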

3. CHKROOTKIT

Installation How-To :

1. Login to your server as root. (SSH)
2. Type:
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
3. Type:
tar xvzf chkrootkit.tar.gz
4. Change to new directory
cd chkrootkit*
5. Compile It
make sense
6. Now give it a test.
./chkrootkit

Everything should read not found, and/or not infected
This is a GOOD thing!

How-To make chkrootkit e-mail you daily :

1. Login to your server as root. (SSH)
2. Type:
crontab -e
3. Add this line to the top:
0 1 * * * (cd /path/to/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" root)
This will run chkrootkit at 1am every day and e-mail the output to root.
If you are in pico:
CTRL-X, Y, Enter to save and exit

4. Disabling Direct Root Login (SSH)

If you're using cPanel, make sure you add your new user (anotheruser below) to the 'wheel' group so that you will be able to 'su -' to root; otherwise you may lock yourself out of root.
Set up anotheruser if you haven't already got one:
a. Type: groupadd anotheruser
b. Type: useradd -g anotheruser anotheruser
c. Type: passwd anotheruser
and enter a password for the new account when prompted (passwd does not take the password on the command line).
On a cPanel system you can (MUST) now go into root WHM and add anotheruser to the wheel group.
After you do this, and have confirmed in a second session that you can log in as anotheruser and 'su -' to root, set PermitRootLogin no in /etc/ssh/sshd_config and restart sshd (see section 6 for editing and restarting sshd). From then on you log in as anotheruser and 'su -' to get to root.


5. Disabling Telnet Access

Telnet should be disabled and you should use SSH instead. Telnet sends passwords in plain text, so attackers can capture them far more easily than with SSH and then take over your dedicated web server.

1. Type: pico -w /etc/xinetd.d/telnet
2. Change the disable = no line to
disable = yes.
3. CTRL+x, then y then enter to save the file.
Restart xinetd with:
/etc/rc.d/init.d/xinetd restart

6. Force the use of SSH protocol 2

SSH protocol 1 has known cryptographic weaknesses, and systems still offering it are targeted by many automated attack tools ("root kits").
To step up security, protocol 2 only should be enforced as soon as possible.
The reason to use SSH protocol 2 on your dedicated web server is simply that it is more secure.
1. Type: pico -w /etc/ssh/sshd_config
2. Find the line: #Protocol 2, 1
Uncomment it and change it to look like:
Protocol 2
3. CTRL+x, then y then enter to save the file.
4. Now Restart SSH with
/etc/rc.d/init.d/sshd restart
(If the above restart does not work you will need to login to WHM as root
and restart the service.)
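Sections 4 and 6 both come down to setting a keyword in /etc/ssh/sshd_config (PermitRootLogin no once you can su from your wheel user, Protocol 2), and doing it by hand in pico is where the commented-out "#Protocol 2,1" line gets missed. The functions below are an added example, not from the original page: they set a keyword idempotently in a file of sshd's "Keyword value" format and let you read back the effective value. The sample config is constructed.

```shell
#!/bin/sh
# Added example: make the sshd_config changes from sections 4 and 6
# (PermitRootLogin no, Protocol 2) idempotently. A commented-out or existing
# line for the keyword is replaced in place (first one wins, later duplicates
# are dropped, which matches how sshd resolves repeated keywords); a missing
# keyword is appended.

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" '
        # match "Key ..." or "#Key ..." (keywords are case-insensitive to sshd)
        tolower($0) ~ ("^#?[ \t]*" tolower(k) "([ \t]|$)") {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"    # cat keeps the target mode/owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# sshd_option FILE KEY -> effective value (first uncommented occurrence)
sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE: apply both changes from the text
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no &&
    set_sshd_option "$1" Protocol 2
}

# constructed sshd_config fragment (not from a real host)
sample_sshd_config() {
    cat <<'EOF'
#Protocol 2,1
#PermitRootLogin yes
X11Forwarding yes
EOF
}

# On a real server:
#   harden_sshd /etc/ssh/sshd_config && sshd -t && service sshd restart
# Keep your current session open and test a fresh login (as the wheel user,
# then su -) before closing it.
```

sshd -t validates the file before the restart; if it complains, the old daemon is still running and you can fix the file without losing access.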

7. How to install mail scanner

How to install mail scanner (Mail Scanner & ClamAV Installation)

This is an add-on to Exim. Exim remains the MTA; MailScanner scans the mail and ClamAV is the anti-virus engine.
It helps prevent the spread of viruses through your web server: infected messages are denied/blocked
so that they never reach the recipient. ClamAV can be used from the command line, but its main purpose is
integration with mail servers (attachment scanning), which is exactly what MailScanner plus ClamAV do here.

1. Login to your server via SSH.
2. Type:
wget http://layer1.cpanel.net/mailscanner…all-1.5.tar.gz
3. Type:
tar zxvf mailscanner-autoinstall-1.5.tar.gz
4. Type:
cd mailscanner*
5. Type:
./install
This may take up to 5 minutes to download and install all the libraries MailScanner requires.
6. If the above finished and brought you back to the prompt, go to step 7; if not, continue with step 6:
Press: CTRL-C
Type: pico -w install
Comment out these lines w/ a #

print "Installing Perl Modules...";
ssystem("/scripts/perlinstaller","MIME::Base64","File::Spec","HTML::Tagset","HTML::Parser","MIME::Tools","File::Temp","Convert::TNEF");
print "Done\n";

So they look like this:

#print "Installing Perl Modules...";
#ssystem("/scripts/perlinstaller","MIME::Base64","File::Spec","HTML::Tagset","HTML::Parser","MIME::Tools","File::Temp","Convert::TNEF");
#print "Done\n";

Log in to WHM as root.
Install the above modules with WHM's Perl Module Installer.
Type: ./install
Then go to step 7 when the install finishes.
7. Type:
killall -9 MailScanner
8. Type:
/usr/mailscanner/bin/check_mailscanner

If you want to look at the Mail Scanner configuration file you can do so by.
Type: pico -w /usr/mailscanner/etc/MailScanner.conf
DO NOT enable anything to do with SpamAssassin.

8. Jail all users

Let’s prevent the users from accessing any directories/files outside of their home directory.
This is a great security precaution and should be done.

1. Login to WHM as root.
2. Account Functions
Manage Shell Access
Jail All Users

If possible it is best NOT to grant shell access to users at all.

9. Remove Trojan by CHKROOTKIT

*NOTE* This is a HUGE step "INTO" your server. Doing anything wrong can severely damage your server and make it unresponsive. Follow this entire how-to at your own risk. It is NOT a substitute for re-installing the OS; it is simply another way to remove a rootkit called T0rnkit v8. Bear in mind that on a compromised host every binary you run, including chkrootkit, rpm and the shell itself, may be trojaned, so treat anything the box tells you with suspicion and verify from rescue media where you can.
If you have not already done so, do this step first:

Login to WHM as root
Click Tweak Settings
and please remove the tick from
[ ] Allow cPanel users to reset their password via email

1. Login to your server via SSH

2. Run chkrootkit. If you do not have it installed, see the CHKROOTKIT installation section above and continue once you do.
You will see some INFECTED lines/files. It may also report hidden processes.
Here’s an example of partial output.
Checking `ifconfig’… INFECTED
Checking `login’… INFECTED
Checking `pstree’… INFECTED
and also:
Checking `lkm’… You have X process hidden for ps command
Warning: Possible LKM Trojan installed

Type: /etc/init.d/syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]

3. Type: top
You may/will then see:
top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory

4. Type: cat /etc/rc.d/rc.sysinit and look for:

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q
________________________________________

Configuration files

/usr/include/file.h (for file hiding)
/usr/include/proc.h (for ps proc hiding)
/lib/lidps1.so (for pstree hiding)
/usr/include/hosts.h (for netstat and net-hiding)
/usr/include/log.h (for log hiding)
/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)
/dev/sdr0 (systems md5 checksum)
/lib/ldd.so {placing tks(sniffer), tkp(parser) and tksb(log cleaner)}

Infected Binaries:

top, ps, pstree, lsof, md5sum, dir, login, encrypt, ifconfig, find, ls, slocate,
tks, tksb, tkp, netstat, pg, syslogd, sz

Infected Libraries:

libproc.a,libproc.so.2.0.6,libproc.so

BackDoor: (located at /lib/lblip.tk)

shdc
shhk.pub
shk
shrs

——————————————————–

Now, let's start the cleaning process:

1. Type: pico /etc/rc.d/rc.sysinit
remove the lines that show
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q

2. reboot the system
WARNING: 2 servers got their kernel removed after reboot.

If yours does this too and that is what the data center reports after the reboot, ask them to do the following:

reboot the system using the redhat CD into rescue mode
chroot to the /mnt/sysimage
reinstall kernel packages
that should fix it.

Since the system is already in rescue mode, perhaps also ask them to force-install the following RPMs:

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm

3. After the system is up
Type: cd /lib
Type: rm -rf lblip.tk
4. Remove the configuration files given above.
5. Type: cat /etc/redhat-release
Note down your version of Red Hat, then from
http://www.rpmfind.net
search for the following rpm’s

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm

and install them with rpm -Uvh --force package.rpm (this replaces the trojaned binaries listed above with clean copies from the distribution).

6. If you see the hosts.h file, it lists the address prefixes whose connections the rootkit hides from netstat. Type: cat /usr/include/hosts.h
193.60
If you want, you can block all IPs from 193.60.0.0/16 on your server via iptables,
or if you have APF you can add them to the deny file (/etc/apf/deny_hosts.rules).

7. If the above is completed.
Reboot the Server & Run CHKROOTKIT again.
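The cron job in section 3 mails the full chkrootkit output every night, which trains you to ignore it. As an added example (not from the original page or from chkrootkit itself), the functions below reduce saved chkrootkit output to the INFECTED, hidden-process and Warning lines, so you can mail only when there is something to act on and start a cleanup like this one from an explicit list of flagged binaries. The sample output is constructed to resemble the excerpt above.

```shell
#!/bin/sh
# Added example: reduce chkrootkit output to the lines that matter so the daily
# cron job (section 3) only mails you when there is something to look at, and
# so a cleanup like this section's starts from an explicit list of what is flagged.
# Works on saved output, so it can also run on output captured from a rescue-media
# boot, which is the only place a trojaned host's answers can be trusted.

# constructed chkrootkit output modelled on the excerpt above (not a real run)
sample_chkrootkit_output() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `pstree'... INFECTED
Checking `ps'... not infected
Checking `lkm'... You have 2 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
EOF
}

# chkrootkit_findings OUTPUTFILE
#   prints "INFECTED <binary>" for each infected check, plus hidden-process and
#   Warning lines; prints nothing on a clean run
chkrootkit_findings() {
    awk -F'`' '
        /INFECTED/        { split($2, a, "\047"); print "INFECTED " a[1]; next }
        /process hidden/  { print; next }
        /^Warning:/       { print }
    ' "$1"
}

# chkrootkit_alert_needed OUTPUTFILE -> success when there is anything to report
chkrootkit_alert_needed() {
    [ -n "$(chkrootkit_findings "$1")" ]
}

# infected_binaries OUTPUTFILE -> just the binary names, one per line
infected_binaries() {
    chkrootkit_findings "$1" | awk '$1 == "INFECTED" { print $2 }'
}

# Cron use, with these functions saved in and sourced from a script:
#   ./chkrootkit > /root/chkrootkit.out 2>&1
#   chkrootkit_alert_needed /root/chkrootkit.out && \
#       mail -s "chkrootkit findings" root < /root/chkrootkit.out
```

For each name infected_binaries prints, rpm -qf on the file tells you which package to re-install from clean media (procps for ps and top, net-tools for ifconfig and netstat, and so on), which is how the RPM list in this section was arrived at.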

10. Secure /tmp Directory ( Very Important )

Many attackers exploit a world-writable /tmp to upload and execute files. This is a huge security problem for dedicated
server owners, as it practically leaves your server wide open for a complete takeover.
The following is how to secure your /tmp directory using a cPanel script.
You MUST have cPanel installed for this to work.

1. Login to your server as root via SSH.
2. Type: /scripts/securetmp
That's it, you're done. cPanel wrote that script to let users secure their /tmp directory very easily: it moves /tmp onto its own loopback filesystem mounted with noexec and nosuid, so files dropped there cannot be executed directly.
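Rather than trusting that securetmp did its job, check the mount table afterwards. This added example (not from cPanel or the original page) reads /proc/mounts-format input and confirms that a mount point is its own filesystem carrying both noexec and nosuid; the two sample mount tables are constructed, and the /usr/tmpDSK device name is illustrative.

```shell
#!/bin/sh
# Added example: verify what /scripts/securetmp is supposed to leave behind,
# a /tmp mounted with noexec and nosuid, by reading the mount table in
# /proc/mounts format (device mountpoint fstype options dump pass).
# The samples below are constructed; the device name and loop option are illustrative.

# mount_opts MOUNTSFILE MOUNTPOINT -> the options field, empty if not a mount point
mount_opts() {
    awk -v mp="$2" '$2 == mp { print $4; exit }' "$1"
}

# has_opt OPTIONS NAME -> success if NAME is one of the comma-separated options
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# tmp_is_hardened MOUNTSFILE MOUNTPOINT
#   success only for a separate filesystem mounted with both noexec and nosuid
tmp_is_hardened() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || return 1          # not its own filesystem: same rules as /
    has_opt "$opts" noexec && has_opt "$opts" nosuid
}

sample_mounts_secured() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/usr/tmpDSK /tmp ext3 rw,noexec,nosuid,loop=/dev/loop0 0 0
/dev/sda3 /var ext3 rw 0 0
EOF
}

sample_mounts_plain() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /var ext3 rw 0 0
EOF
}

# On a live server, check every scratch location attackers drop files into:
#   for mp in /tmp /var/tmp /dev/shm; do
#       tmp_is_hardened /proc/mounts "$mp" || echo "$mp is NOT noexec,nosuid"
#   done
```

noexec is a speed bump, not a wall (a script can still be fed to an interpreter explicitly), so keep the other controls on the page in place; the check simply tells you whether the speed bump is there.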


Firewall – iptables commands
iptables -I INPUT -s IPADDRESSHERE -j DROP : Drops all connections from the IP address (inserted at the top of the INPUT chain so it is matched before any ACCEPT rule)
iptables -L : List all rules in iptables
iptables -F : Flushes all iptables rules (clears the firewall; with the usual ACCEPT default policy everything is then allowed, so have a way to reload your rules)
service iptables save : Saves the current ruleset in memory to disk (/etc/sysconfig/iptables on RHEL/CentOS) so it survives a restart
service iptables restart : Restarts iptables

Apache Shell Commands
httpd -v : Outputs the build date and version of the Apache server.
httpd -l : Lists compiled-in Apache modules
apachectl status : Only works if mod_status is enabled; shows a page of active connections
service httpd restart : Restarts the Apache web server

MySQL Shell Commands
mysqladmin processlist : Shows active mysql connections and queries
mysqladmin drop databasenamehere : Drops/deletes the selected database
mysqladmin create databasenamehere : Creates a mysql database

Restore MySQL Database Shell Command
mysql -u username -p databasename < databasefile.sql : Restores a MySQL database from databasefile.sql. You are prompted for the password; written as "-p password" with a space, mysql would treat "password" as the database name, and putting it on the command line as -ppassword exposes it in the process list.

Backup MySQL Database Shell Command
mysqldump -u username -p databasename > databasefile.sql : Backs up a MySQL database to databasefile.sql (same password handling as above)

kill: terminate a system process
kill -9 PID EG: kill -9 431 (SIGKILL: the process cannot catch it or clean up; use it only when a plain kill does not work)
kill PID EG: kill 10550 (SIGTERM: asks the process to exit cleanly)
Use top or ps ux to get system PIDs (Process IDs)

EG:

PID TTY TIME COMMAND
10550 pts/3 0:01 /bin/csh
10574 pts/4 0:02 /bin/csh
10590 pts/4 0:09 APP

Each line represents one process, with a process being loosely defined as a running instance of a program. The column headed PID (process ID) shows the assigned process numbers of the processes. The heading COMMAND shows the location of the executed process.

Putting commands together
Often you will find you need to use different commands on the same line. Here are some examples. Note that the | character is called a pipe; it takes the output of one program and feeds it to another.
> : means create a new file, overwriting any content already there.
>> : means append data to a file, creating a new one if it does not already exist.
last > /root/lastlogins.tmp
This will print the current login history to a file called lastlogins.tmp in /root/

tail -10000 /var/log/exim_mainlog | grep domain\.com | more
This grabs the last 10,000 lines from /var/log/exim_mainlog, finds all occurrences of domain.com, then sends them to your screen page by page. In a grep pattern the period means 'any character', so escape it with a backslash (domain\.com), or use grep -F, to match it literally.

netstat -an | grep :80 | wc -l
Shows roughly how many connections there are to Apache (httpd listens on port 80). It also counts the LISTEN and TIME_WAIT sockets and anything else containing ':80' (such as port 8080), so treat it as an estimate.

mysqladmin processlist | wc -l
Shows roughly how many open connections there are to MySQL (the count includes the table header and border lines).


Network Statistics (netstat)
netstat displays the contents of various network-related data structures, depending on the options selected.
Syntax:
netstat [options]
Multiple options can be given at one time.
Options
-a – displays the state of all sockets.
-r – shows the system routing tables
-i – gives statistics on a per-interface basis.
-m – displays information from the network memory buffers.

Example :
$ netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          192.168.1.11          U      1   1444   le0
224.0.0.0            192.168.1.11          U      1      0   le0
default              192.168.1.1           UG     1  68276
127.0.0.1            127.0.0.1             UH     1  10497   lo0
This shows the output on a Solaris machine whose IP address is 192.168.1.11, with a default router at 192.168.1.1.

Results and Solutions:
A.) Network availability
The command above is mostly useful in troubleshooting network accessibility issues. When the outside network is not reachable from a machine, check the following:
1. whether the default router IP address is correct;
2. whether you can ping it from your machine;
3. if the router address is incorrect, it can be changed with the route add command. See man route for more info.

route command examples:
$ route add default
$ route add 192.0.2.32
If the router address is correct but you still can't ping it, there may be a network cable/hub/switch problem and you have to try and eliminate the faulty component.

B.) Network Response
This option is used to diagnose the network problems when the connectivity is there but it is slow in response .
Values to look at:
Collisions (Collis)
Output packets (Opkts)
Input errors (Ierrs)
Input packets (Ipkts)

The above values will give information to workout
i. Network collision rate as follows :
Network collision rate = Output collision counts / Output packets
Network-wide collision rate greater than 10 percent will indicate
Overloaded network,
Poorly configured network,
Hardware problems.
ii. Input packet error rate as follows :
Input Packet Error Rate = Ierrs / Ipkts.

If the input error rate is high (over 0.25 percent), the host is dropping packets. Hub/switch cables etc. need to be checked for potential problems.

C.) Network socket & TCP connection state
netstat gives important information about network sockets and TCP state. This is very useful in finding out the open, closed and waiting TCP connections. The network states returned by netstat are the following:

CLOSED —- Closed. The socket is not being used.
LISTEN —- Listening for incoming connections.
SYN_SENT —- Actively trying to establish connection.
SYN_RECEIVED —- Initial synchronization of the connection under way.
ESTABLISHED —- Connection has been established.
CLOSE_WAIT —- Remote shut down; waiting for the socket to close.
FIN_WAIT_1 —- Socket closed; shutting down connection.
CLOSING —- Closed, then remote shutdown; awaiting acknowledgement.
LAST_ACK —- Remote shut down, then closed ;awaiting acknowledgement.
FIN_WAIT_2 —- Socket closed; waiting for shutdown from remote.
TIME_WAIT —- Wait after close for remote shutdown retransmission.

Example:
#netstat -a
If you see a lot of connections in a FIN_WAIT state, the TCP/IP parameters have to be tuned, because connections are not being closed and keep accumulating; after some time the system may run out of resources. The TCP parameters can be tuned to define a timeout so that connections are released and reused by new connections.
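The netstat section above and the "netstat -an | grep :80 | wc -l" one-liner earlier both boil down to two questions during an incident: how many sockets are in which state, and who is holding them. This added shell example (not from the original page) answers both from saved "netstat -an" output, matching the local port exactly and ignoring LISTEN and TIME_WAIT entries so that a flood from one address stands out. The sample is constructed Linux netstat output, not the Solaris example above.

```shell
#!/bin/sh
# Added example: turn "netstat -an" output into the two numbers you actually want
# during a slow-server or flood incident: how many sockets are in each TCP state,
# and which remote hosts hold the most connections to a given local port.
# Unlike "netstat -an | grep :80 | wc -l" this matches the local port exactly
# (so :8080 is not counted as :80) and ignores LISTEN/TIME_WAIT entries.

# constructed Linux "netstat -an" output (not captured from a real host)
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.9:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:51001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:51002       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.4:40000      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.4:40001      TIME_WAIT
tcp        0      0 192.0.2.10:22           198.51.100.4:40002      ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:33000         ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.9:51003       ESTABLISHED
EOF
}

# state_summary NETSTATFILE -> "<STATE> <count>" per TCP state, alphabetical
state_summary() {
    awk '$1 ~ /^tcp/ && NF >= 6 { n[$6]++ } END { for (s in n) printf "%s %d\n", s, n[s] }' "$1" | sort
}

# top_clients NETSTATFILE PORT -> "<count> <remote ip>" for live connections to local PORT
top_clients() {
    awk -v port="$2" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 != "LISTEN" && $6 != "TIME_WAIT" {
            ip = $5; sub(/:[0-9*]+$/, "", ip); n[ip]++
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# Live use:
#   netstat -an > /root/ns.out
#   state_summary /root/ns.out
#   top_clients /root/ns.out 80
# A single address with hundreds of SYN_RECV/ESTABLISHED entries is a candidate for apf -d.
```

A pile of SYN_RECV from many addresses is a SYN flood rather than one abusive client, and that is the point at which the TCP stack hardening options in APF's conf.apf, not a deny list, are the tool.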


Learn how to configure a sub-domain on a separate IP address. Very useful for sites with shopping carts that want store.theirsite.com to look like it is on the same server. Requirements: cPanel control panel and WHM access.
Example: domainname.com is hosted on server A but the shopping cart store is on server B. You need to make it look like domainname.com is also on server B. Set up a sub-domain that points to a different IP address and voila!
1. Edit the domain's DNS zone
Log in to your WHM control panel (or edit the zone file manually over SSH), choose to edit a DNS zone and select the domain you wish to modify.
2. Add the A record
Create a new record for the sub-domain, e.g. type store for the name, select A as the record type and then type in the IP address of the server it should point to.
3. Ensure it works
Make sure there isn't an actual sub-domain created in the user's account that you are trying to point to a different IP address, or the pointer/mask will not work!


1. To export a mySQL database run:
mysqldump -u username -p database_name > dumpfile.sql

2. To import a mySQL database run:
mysql -u username -p database_name < dumpfile.sql

NOTE:

dumpfile.sql should be the path to your backup file.