Kernel Upgrade
Following are the steps to upgrade the kernel on live dedicated servers.
Check the current kernel version on the server using the command:
# uname -a
or
# uname -r
If it is 2.4, then download the latest release for 2.4; please do not download a 2.6 kernel.
You can download the kernel from http://www.kernel.org/pub/linux/kernel/v2.6/ or, if it is 2.4, from
http://www.kernel.org/pub/linux/kernel/v2.4/.
You can check the latest stable release at http://www.kernel.org
# wget the kernel into /usr/local/src
# untar it using tar -zxvf linux-2.x-xxxx
# cd linux-2.x-x
# make clean
# make mrproper
# If the kernel is 2.4, copy the current config file from /boot/config-`uname -r` to .config in /usr/local/src/linux-2.x-xx.
If the kernel is 2.6, you do not need to create .config in the current directory.
# make menuconfig, then select and check that all required modules are selected. Also make sure that your kernel supports multiple CPUs:
you can check and select this under processor type. If it displays support
for more than 2 kernel then you do not need to modify anything there.
# save the configuration and exit
# make modules (if the kernel is 2.4, run make dep before running make modules)
# make modules_install
# make
# If the kernel is 2.4, run make bzImage and then make install; if the kernel is 2.6, you can run make install directly.
# Now check which bootloader is in use and change the default kernel accordingly: run grubby --bootloader-probe. If it displays grub, edit /etc/grub.conf;
if it is lilo, edit lilo.conf. Make the compiled kernel the default kernel.
# If your boot loader is lilo, you need to run one more command,
/sbin/lilo, which will update lilo.
Now it's time to reboot the server using the new kernel...............Njoy
Remove Boxtrapper
How to remove Boxtrapper from a Linux cPanel server:
Please follow the steps to remove Boxtrapper completely:
=========================================================
rm -rf /usr/local/cpanel/base/frontend/x/mail/boxtrapper.css
rm -rf /usr/local/cpanel/base/frontend/x/mail/boxtrapper.html
rm -rf /usr/local/cpanel/base/frontend/xmail/mail/boxtrapper.html
rm -rf /usr/local/cpanel/base/frontend/xmail/mail/boxtrapper.css
rm -rf /usr/local/cpanel/base/frontend/x/pro/boxtrapper*
rm -rf /usr/local/cpanel/base/webmailboxtrapper.cgi
rm -rf /usr/local/cpanel/etc/exim/per
rm -rf /usr/local/cpanel/etc/exim/perl/boxtrapper
rm -rf /usr/local/cpanel/etc/boxtrapper
rm -rf /usr/local/cpanel/bin/boxtrapper
=========================================================
Go to WHM, uncheck the option for Boxtrapper in Tweak Settings, then go to Feature Manager -> Edit default feature option and uncheck it from there as well.
cp /etc/exim.conf /etc/exim_bak.conf
And remove all the instances of it from /etc/exim.conf
Save and restart exim.
# /etc/init.d/exim restart
That's it, Boxtrapper is removed from cPanel.
cPanel bugfix: new users can’t access cPanel
This only affects VPSs, due to mishandling of adding passwords for new users when the VPS environment does not seem to configure pam to support MD5 password hashes.
SSH to the VPS and do the following:
# pico /etc/pam.d/system-auth
Find this line:
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok
Add “md5 shadow” to the end of it, so that it looks like this:
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
Press Ctrl+X, save, and tell the client to recreate the users that can’t log in to cPanel.
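The same edit as a repeatable check-and-fix, as an added example in POSIX shell (not cPanel's code; the function names are hypothetical). It takes the file path as an argument so it can be tried on a copy first, skips commented-out lines, and keeps a .bak copy of the original.

```shell
#!/bin/sh
# Added example, not cPanel code. Function names are hypothetical.
# Works on any path, so try it on a copy before /etc/pam.d/system-auth.

# Return 0 if every active pam_unix.so "password" line has both options,
# 1 if an option is missing, 2 if the file has no such active line.
pam_has_md5_shadow() {
    awk '
        $1 == "password" && /pam_unix\.so/ {
            seen = 1; md5 = 0; shadow = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "md5") md5 = 1
                if ($i == "shadow") shadow = 1
            }
            if (!md5 || !shadow) bad = 1
        }
        END { exit (seen ? bad + 0 : 2) }' "$1"
}

# Append whichever option is missing to each active pam_unix.so password
# line. The original file is kept as FILE.bak; other lines are untouched.
pam_add_md5_shadow() {
    cp -p "$1" "$1.bak" || return 1
    awk '
        $1 == "password" && /pam_unix\.so/ {
            md5 = 0; shadow = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "md5") md5 = 1
                if ($i == "shadow") shadow = 1
            }
            if (!md5) $0 = $0 " md5"
            if (!shadow) $0 = $0 " shadow"
        }
        { print }' "$1.bak" > "$1"
}

# Demo on a constructed file: the password line is the one quoted above,
# the auth line is made up to show that other lines are left alone.
demo=$(mktemp)
printf '%s\n' \
    'auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok' \
    'password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok' \
    > "$demo"
if ! pam_has_md5_shadow "$demo"; then
    pam_add_md5_shadow "$demo"
fi
cat "$demo"
rm -f "$demo" "$demo.bak"
```

Running the fix twice is harmless: options that are already present are not appended again.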
Installing/reinstalling Fantastico
How you can install/reinstall Fantastico on a Linux cPanel server
By using the following commands, you can un-install Fantastico:
============================================================================
rm -rf /var/netenberg/
rm -rf /usr/local/cpanel/whostmgr/docroot/cgi/fantastico/
rm -rf /usr/local/cpanel/3rdparty/fantastico*
rm -rf /usr/local/cpanel/base/frontend/*/fantastico
rm -f /usr/local/cpanel/base/frontend/x/cells/fantastico.html
============================================================================
By using the following commands, you can install Fantastico:
============================================================================
cd /usr/local/cpanel/whostmgr/docroot/cgi
wget -N http://www.netenberg.com/files/free/fantastico_whm_admin.tgz
tar -xzpf fantastico_whm_admin.tgz
rm -rf fantastico_whm_admin.tgz
============================================================================
Now go to WHM, log in as root and follow the link:
# WHM -> Add-Ons -> Fantastico De Luxe WHM Admin (scroll down the left menu).
# Upon loading, Fantastico De Luxe WHM Admin will auto-update your existing installation (if existing). All admin files (masterfiles, tarballs, settings etc) will be moved to or created at /var/netenberg.
# After the installation is complete, click on “Settings” and go through the settings. While some settings are not important, some others (marked below with an *) are essential for the proper functioning of Fantastico installations.
# Language: Select the language for the admin backend AND default language for users without a language selected.
# Email notifications: Enter an email address in order to receive notifications when users perform installations using Fantastico.
# Master files settings (*): If you are not an advanced user who modifies the master files, leave this to “Remove”. Change this only if you know what you are doing.
# PHPsuexec (*): VERY ESSENTIAL!!! Changing this value will not install or de-install phpsuexec for you. It will only tell Fantastico that you have phpsuexec installed or not installed on your server. Change to “installed” if you perform installations which produce an “Internal Server Error”. Notice: Changes will not apply to existing installations! You have to re-install in order to have working installations.
# Path to netPBM: Enter the full path to the netPBM binaries in order to enable Gallery installations. As long as this field has no value, your users will not be able to install Gallery.
# Select Fantastico licensing and files server: If the Fantastico pages take long to load switch to the server that works best for you. Fantastico will auto-switch if connections time out.
# Update preference: Select latest version (sometimes experimental) or stable version (best working).
# If your users don’t see a Fantastico link in their CPanel: Go to WHM and edit the “default” Features List. Activate Fantastico.
Thus, Fantastico is now ready to use on your server with lots of useful scripts.
How chkrootkit works
Definition of chkrootkit:
chkrootkit is a tool to locally check for signs of a rootkit. It contains chkrootkit, a shell script that checks system binaries for rootkit modification. The following tests are made: aliens, asp, bindshell, lkm, rexedcs, sniffer, wted, z2, amd, basename, biff, chfn, chsh, cron, date, du, dirname, echo, egrep, env, find, fingerd, gpm, grep, hdparm, su, ifconfig, inetd, inetdconf, identd, killall, login, ls, mail, mingetty, netstat, named, passwd, pidof, pop2, pop3, ps, pstree, rpcinfo, rlogind, rshd, slogin, sendmail, sshd, syslogd, tar, tcpd, top, telnetd, timed, traceroute, and write. ifpromisc.c checks whether the interface is in promiscuous mode, chklastlog.c checks for lastlog deletions, chkwtmp.c checks for wtmp deletions, check_wtmpx.c checks for wtmpx deletions (Solaris only), and chkproc.c checks for signs of LKM trojans.
chkrootkit is not installed by default on servers.
To install it:
mkdir -p /usr/local/src
cd /usr/local/src
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
gzip -d -c chkrootkit.tar.gz | tar xvf -
cd chkrootkit-0.43
make sense
Then run it
./chkrootkit
Please keep in mind the following:
1. If a hacker got in, your safest recourse is to wipe the box, re-install the operating system, and restore from a backup that was made prior to the hack.
2. Security must be done in layers to be the most effective. You should start off with as many layers as you are comfortable managing and monitoring; and then add layers as they either become available, you see the pattern to make one, etc.
3. Security must be an ongoing concern. You don’t just add on the layers (tighten the hatches), and walk away from the ship. You have to manage it several times a day for as long as the server is connected to the Internet.
Setting up SIM (System Integrity Monitor)
How to install SIM (System Integrity Monitor) on server:
Introduction:
SIM (System Integrity Monitor) is a useful tool to monitor and ensure that services are running and responding. SIM can also be used to monitor system resources, and set up to send you email alerts.
Servers running CPanel already have a service monitoring script running by default, called CHKSERVD. SIM may still be useful for CPanel users for its monitoring and alert system. You should disable the auto-restart of downed services if you are running CPanel.
1. Download SIM (System Integrity Monitor) from here: http://www.rfxnetworks.com/sim.php
2. Extract the files.
Ex.
tar -xzvf sim-current.tar.gz
3. Execute the install script 'setup' that was extracted with the '-i' parameter.
Ex.
./setup -i
You should get something similar to this: (the bolded text is user input, and anything in the square brackets is a description of what is performed)
SIM 2.5-3
Press return, to view the GPL licensing for SIM 2.5-3.
[ENTER]
This is followed by the usual 'GNU General Public License' which you should read over, if you have never before.
If you do not agree with the implied and expressed agreements
in the GNU GPL, please terminate your use of this software.
Press return, to view the SIM 2.5-3 README.
[ENTER]
This is followed by the README file that is included with the program describing the software, installation procedures and configuration.
SIM 2.5-3
Creating installation paths: [##########]
Installing SIM 2.5-3 to /usr/local/sim: [##########]
SIM 2.5-3 installation completed, related notes:
Executable: /usr/local/sim/sim
Executable symlink: /usr/local/sbin/sim
Config file: /usr/local/sim/conf.sim
Autoconf script: /usr/local/sim/autoconf
Autoconf symlink: /usr/local/sbin/sim-autoconf
Cronjob setup: /usr/local/sim/sim -j
SIM 2.5-3 must now be configured for use on this system, Press
return to run the autoconf script (/usr/local/sim/autoconf).
[ENTER]
So far we managed to do everything up to this point using only the Enter key, but now comes the configuration part. This is where we will go more in depth.
4. Running the Auto-Config Script. If you are coming from step 3, you do not have to do this, but if you want to redo the configuration later, you can get this script by executing:
/usr/local/sim/autoconf
or
sim-autoconf
Thus, SIM is installed on your server and it is ready to monitor your system resources.
How to Install eAccelerator on server
Question: What is eAccelerator?
Answer: eAccelerator is a free open-source PHP accelerator, optimizer, and dynamic content cache. It increases the performance of PHP scripts by caching them in their compiled state, so that the overhead of compiling is almost completely eliminated. It also optimizes scripts to speed up their execution. eAccelerator typically reduces server load and increases the speed of your PHP scripts.
eAccelerator has been reported to compile on Linux, FreeBSD, OpenBSD, Mac OS X, Solaris, AIX and HP-UX.
Requirements :
* php4 or php5
* autoconf
* automake
* libtool
* m4
eAccelerator only works with mod_php or php in fastcgi mode. It can't be used in cgi or cli because eAccelerator needs to set up shared memory, and this can only be done when all php instances that need to access it are forks of the first process.
Following are the steps to install eAccelerator:
Step 1: Download from http://eaccelerator.net/ and install.
Compiling eAccelerator: You need to run these commands in the eAccelerator source directory. eAccelerator supports multiple php branches so you need to bootstrap eAccelerator first. This can be done with the phpize script. It is very important that you use the phpize script of the php version for which you want to compile eAccelerator. The phpize and php-config scripts are available in the development packages of your distro. For Fedora this is php-devel, for Debian php-dev; other distributions should be similar.
When you have only one php install, it's safe to run these commands in the source directory:
phpize
./configure
make
The phpize and php-config used are the ones that are in your path. When you have more than one php install, or the phpize and php-config scripts aren't in your path, you should follow this procedure. This example has php installed in /opt/php; this is the path of the --prefix option given to the php configuration script.
export PHP_PREFIX="/opt/php"
$PHP_PREFIX/bin/phpize
./configure --enable-eaccelerator=shared --with-php-config=$PHP_PREFIX/bin/php-config
make
Step 2. Installing eAccelerator :
make install
This will copy the previously created eAccelerator binary to the php extension directory. When this command ends, it will print out the directory in which eAccelerator has been installed.
Step 3. Configuring eAccelerator :
eAccelerator can be installed both as Zend or PHP extension. When you install eAccelerator as a zend_extension you need to give the full path to the eaccelerator.so library.
If you have /etc/php.d directory, you should copy eaccelerator.ini to it and modify the default values. If not, you need to edit your php.ini file (usually /etc/php.ini).
To install as Zend extension:
zend_extension="/usr/lib/php4/eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
If you use a thread safe build of PHP you must use "zend_extension_ts" instead of "zend_extension".
To install as PHP extension:
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
Step 4. Creating cache directory :
One last very important step is creating the cache directory that you configured in the previous step. The default value is /tmp/eaccelerator. It's easy because it's writable to everyone, but it isn't very smart because on a lot of systems this directory is cleaned on reboot. A better place would be /var/cache/eaccelerator. Create the directory and make sure it's writable for the user eAccelerator runs under (usually the user which your webserver runs as).
A safe bet is making it world writable. A safer and cleaner way would be to change the owner of the directory to the same user PHP runs as (most of the time the same user as Apache or Lighttpd) and set 0644 permissions.
mkdir /tmp/eaccelerator
chmod 0777 /tmp/eaccelerator
You can check after installing using the command :
php -v
PHP 4.4.6 (cli) (built: May 3 2007 19:59:39)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
with eAccelerator v0.9.4, Copyright (c) 2004-2004 eAccelerator, by eAccelerator
with Zend Extension Manager v1.2.0, Copyright (c) 2003-2007, by Zend Technologies
with Zend Optimizer v3.2.8, Copyright (c) 1998-2007, by Zend Technologies
Force Secure Login cPanel/WHM
Change /whm and /cpanel aliases to https making all logins encrypted and secure.
Step 1: Backup files
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.insecure
Step 2: Edit the file
pico /etc/httpd/conf/httpd.conf
Step 3: Search for the line:
Ctrl+W then ScriptAlias /cpanel /usr/local/cpanel/base/redirect.cgi
Step 4: Edit the line to show the following: ScriptAlias /cpanel /usr/local/cpanel/base/sredirect.cgi (simply change the redirect.cgi to sredirect.cgi)
Step 5: Search for the line:
Ctrl+W then ScriptAlias /whm /usr/local/cpanel/base/whmredirect.cgi
Step 6: Edit the line to show the following:
ScriptAlias /whm /usr/local/cpanel/base/swhmredirect.cgi (simply change the whmredirect.cgi to swhmredirect.cgi)
Step 7: Save and exit using the following: Ctrl+X then press Y
Step 8: Restart Apache to have changes take effect:
service httpd restart
Default Index Page with New Accounts cPanel/WHM
With this addon clients will have a default index.html page when they visit their new account instead of a directory listing.
Useful information to put in this index.html page would include a link to your help desk, contact information, tutorial or any FAQ links you may have to help the client get started.
1. Create the Index Page
Take a few minutes and design a friendly html document that new visitors will see when they first get their hosting account setup. Once you’re done creating the document, save it as index.html
2. Upload the Document
FTP to your server and upload the index.html file to the /cpanel3-skel/public_html directory
The reseller has a username, and the home directory is in: /home/username/ so the directory you want would be in: /home/username/cpanel3-skel/public_html copy the index.html there.
3. Create a Test Account
Log in to your WHM and create a temporary user account. Once the account is created, visit it and see if your index page shows up. If it doesn’t, ensure you copied it into the proper directory and check the above steps.
That's it ....your WHM is more secure now
How do you create a symlink in the command console
Question: How do you create a symlink in the command console?
Command: ln -s <destination> <linkname>
If the desired link filename is the same as the destination's filename, and the current working directory is the desired location for the link, then you only need:
ln -s <destination>
If you are trying to create a link to a directory?
I've got a directory called /usr/local/test/installed. In this dir there is the sub-dir "spf-2.3.4"
I want to create a link in "/usr/local/test/installed" called "spf" to "spf-2.3.4."
cd /usr/local/test/installed
ln -s spf-2.3.4 spf
The syntax is the same whether the link is to a file or a directory.
How to set time on Linux server ?
Just install ntp and set up a cronjob to run every hour or so
yum install ntp
ok
crontab -e
i
0 * * * * /usr/sbin/ntpdate -s ... ... ... ...
ZZ to save
Or just run from the command line once ntp is installed
/usr/sbin/ntpdate ... ... ... ...
/etc/ntpd.conf
crontab -e
0 * * * * /usr/sbin/ntpdate -s 204.123.2.72 204.34.198.40 128.252.19.1 192.5.41.40
That's it .....your server time has been set now ......Njoy
How to install APF Firewall ?
Question: What is APF Firewall?
Definition: APF means Advanced Policy Firewall.
APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz and RPM formats, APF is ideal for deployment in many server environments based on Linux. APF is developed and maintained by R-fx Networks:
http://www.rfxnetworks.com/apf.php
This guide will show you how to install and configure APF firewall, one of the better known Linux firewalls available.
Requirements:
- Root SSH access to your server
1. cd /root/downloads or another temporary folder where you store your files.
2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
3. tar -xvzf apf-current.tar.gz
4. cd apf-0.9.5-1/ or whatever the latest version is.
5. Run the install file: ./install.sh
You will receive a message saying it has been installed
Installing APF 0.9.5-1: Completed.
Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/
Other Details:
Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306
Listening UDP ports: 53,55880
Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.
6. Let's configure the firewall: pico /etc/apf/conf.apf
We will go over the general configuration to get your firewall running. This isn't a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.
We like to use DShield.org's "block" list of top networks that have exhibited suspicious activity.
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"
7. Configuring Firewall Ports:
Cpanel Servers
We like to use the following on our Cpanel Servers
Common ingress (inbound) ports
# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
Ensim Servers
We have found the following can be used on Ensim Servers - although we have not tried these ourselves as I don't run Ensim boxes.
Common ingress (inbound) ports
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
Save the changes: Ctrl+X then Y
8. Starting the firewall
/usr/local/sbin/apf -s
Other commands:
usage ./apf [OPTION]
-s|--start ......................... load firewall policies
-r|--restart ....................... flush & load firewall
-f|--flush|--stop .................. flush firewall
-l|--list .......................... list chain rules
-st|--status ....................... firewall status
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall
9. After everything is fine, change the DEVM option
Stop the firewall from automatically clearing itself every 5 minutes from cron.
We recommend changing this back to "0" after you've had a chance to ensure everything is working well and tested the server out.
pico /etc/apf/conf.apf
FIND: DEVM="1"
CHANGE TO: DEVM="0"
10. Configure AntiDOS for APF
Relatively new to APF is the new AntiDOS feature which can be found in: /etc/apf/ad
The log file will be located at /var/log/apfados_log so you might want to make note of it and watch it!
pico /etc/apf/ad/conf.antidos
There are various things you might want to fiddle with but I'll get the ones that will alert you by email.
# [E-Mail Alerts]
Under this heading we have the following:
# Organization name to display on outgoing alert emails
CONAME="Your Company"
Enter your company name or server name.
# Send out user defined attack alerts [0=off,1=on]
USR_ALERT="0"
Change this to 1 to get email alerts
# User for alerts to be mailed to
USR="your@email.com"
Enter your email address to receive the alerts
Save your changes! Ctrl+X then press Y
Restart the firewall: /usr/local/sbin/apf -r
Now the APF has been installed on your server ............................Njoy
Security Tweaks on Linux Server
1. Exim
Write the following two lines in /etc/exim.conf under the first line, "cPanel Exim 4 Config".
Enable extended logging: add the following line in exim, below the first line (recommended):
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn \
Formmail Trap
http://void.thunderteam.org/fm-trap.html
For Securing Exim
http://www.rvskin.com/index.php?page=public/antispam
2. Httpd
install mod_security
install mod_dosevasive
3. PHP
disable_functions = "system,exec"
eAccelerator for PHP acceleration
http://sourceforge.net/projects/eaccelerator
3.5 IPTABLES
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j IN_SANITY
4. Other related security tools
Install BFD from rfxnetworks.net
Install LSM from rfxnetworks.net
APF from rfxnetworks.net
rkhunter can be found on
www.rootkit.nl
5. Most important cPanel script to disable compilers
/scripts/compilers off
6. MYSQL
mysql query cache
vi /etc/my.cnf
query-cache-type = 1
query-cache-size = 100M
100M should be set as per the server configuration
7. Securing some binaries
chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp
chmod 000 /etc/httpd/proxy/
8. Securing /tmp in case of a hack attempt on the server
/dev/sad3 /tmp ext2 loop,noexec,nosuid,rw 0 0
You can set the sysctl config at this link
http://www.eth0.us/sysctl
httpd.conf
Timeout 15
KeepAlive Off
KeepAliveTimeout 5
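A check that tweaks 7 and 8 are actually in effect, as an added example in POSIX shell (not from the original page; the function names are hypothetical). It reads an fstab or /proc/mounts style file for the /tmp options and lists which of the given paths still grant permissions to "other" users.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Return 0 if MOUNTPOINT in an fstab or /proc/mounts style FILE carries
# every option in OPTS (space-separated, e.g. "noexec nosuid"), 1 if an
# option is missing, 2 if the mount point is not listed at all.
mount_has_opts() {
    file=$1; mnt=$2; want=$3
    opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { o = $4 } END { print o }' "$file")
    if [ -z "$opts" ]; then
        return 2
    fi
    for w in $want; do
        case ",$opts," in
            *",$w,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print each given path whose mode still grants read, write or execute to
# "other" users. chmod 750 and chmod 000 both clear those bits, so a path
# printed here has not had tweak 7 applied. Missing paths are skipped and
# symlinks are followed to the real file.
other_accessible() {
    for f in "$@"; do
        if [ -e "$f" ]; then
            other=$(ls -ldL "$f" | cut -c8-10)
            if [ "$other" != "---" ]; then
                echo "$f"
            fi
        fi
    done
}

# Demo on constructed data: the fstab line is the one from tweak 8, and the
# two files are stand-ins for real binaries, one tightened and one not.
demo=$(mktemp -d)
printf '%s\n' '/dev/sad3 /tmp ext2 loop,noexec,nosuid,rw 0 0' > "$demo/fstab"
if mount_has_opts "$demo/fstab" /tmp "noexec nosuid"; then
    echo "/tmp: noexec and nosuid are set"
else
    echo "/tmp: noexec or nosuid is missing"
fi
touch "$demo/wget" "$demo/lynx"
chmod 750 "$demo/wget"
chmod 755 "$demo/lynx"
other_accessible "$demo/wget" "$demo/lynx"
rm -rf "$demo"
```

On a live server, pass /proc/mounts as the file to see what the kernel has mounted rather than what /etc/fstab requests, and pass the paths from tweak 7 to other_accessible.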