Monday, September 27, 2010

How to set up SPF records



SPF is an emerging standard that lets the owners of domain names tell people who receive email claiming to be from that domain which SMTP servers are allowed to send email from it. That’s a slightly complex sentence, so let me give you an example. Then I’ll make a note or two about how to add SPF records to your DNS settings. There is a point or two that is quite difficult to figure out from the documentation I’ve found online, but once you figure it out, it’s not that difficult. So, the example of the process:

1) A spammer sends an email with a fake address–let’s say that address is fakeaddress@geckotribe.com.

2) It leaves their email client and goes through their ISP’s SMTP server–let’s say that’s smtp.spammerisp.com (in reality, they probably wouldn’t use their ISP’s SMTP server, but we’ll ignore that fact).

3) The message arrives at the recipient’s (poor@sucker.com) mail server (mail.sucker.com).

4) Their mail server (mail.sucker.com) checks the sender’s address (fakeaddress@geckotribe.com) and extracts the domain name from it (geckotribe.com).

5) mail.sucker.com asks the DNS server for geckotribe.com (ns.geckotribe.com) for a list of SMTP servers that are allowed to send email addressed from geckotribe.com (like fakeaddress@geckotribe.com).

6) ns.geckotribe.com replies that mail.geckotribe.com and mail.myhomeisp.com are allowed to send such email, and no one else.

7) mail.sucker.com notes that smtp.spammerisp.com is not on the list.

8) mail.sucker.com either rejects the message or marks it in some way so that the recipient knows that the SPF check failed, so it’s likely that it’s spam.

There’s the process. How does the administrator for geckotribe.com set up the DNS record to indicate that mail.geckotribe.com and mail.myhomeisp.com are allowed to send email addressed from geckotribe.com? Here are two lines that need to be added to the DNS configuration file, followed by an explanation of them:

geckotribe.com. IN TXT "v=spf1 a:mail.geckotribe.com ?include:myhomeisp.com -all"
mail.geckotribe.com. IN TXT "v=spf1 a:mail.geckotribe.com -all"

On the first line:
• geckotribe.com.: this indicates “mail address from somebody@geckotribe.com”. Note the “.” after “.com”. You can either put that dot there, or omit “geckotribe.com.” completely.
• IN TXT: Indicates that this is a text record. Trust me. That’s what you want.
• v=spf1: Indicates that this is an SPF version 1 record. You need this.
• a:: An “A” record (not a CNAME, TXT, MX, NS… or other type of DNS record). IMPORTANT NOTE: “a:” could have been prefixed with a plus sign, i.e., this could have been “+a:mail.geckotribe.com”. The plus sign is optional; it is the default prefix. It means that if this rule matches, then the sender is legitimate. I’ll mention other prefixes later.
• mail.geckotribe.com: Look up the IP address for mail.geckotribe.com; if that’s the IP address you’re getting the mail from, then it’s legitimate.
• ?: The question mark prefix means that if the following rule matches, the sender may or may not be legitimate. I’ll tell you why you’d use a question mark here in a minute.
• include:: This means that I don’t know the IP addresses or fully qualified domain names of the mail servers that I’m going to talk about next, but I’m going to name the domain that you should ask for that information.
• myhomeisp.com: This is the domain name of the ISP I connect to the internet through when I’m at home. Now to answer the question of why we prefixed this rule with a question mark. It’s because when I send email via my ISP, it’s legitimate, but if somebody else with the same ISP sends mail claiming to be from geckotribe.com, it’s not. The question mark says “don’t rule it out, but it might not be legitimate”.
• -: The minus sign says that if the following rule matches, then the sender is not legitimate.
• all: This rule matches anybody who wasn’t already matched by one of the preceding rules.

Briefly, the second line means that if mail claims to be from somebody@mail.geckotribe.com, it’s legit if it came via mail.geckotribe.com, but not if it came from anywhere else.

To recap and point out a few more things:
• You put multiple rules on each line. They are evaluated from left to right until one matches. The rest are ignored.
• “+” means legitimate, “?” means it might be legitimate, and “-” means it’s not legitimate.
• Each rule starts with a prefix (if none is specified, then the default is “+”) followed by “a”, “include”, “ptr”, “mx” or one of a few other things (check the specifications for details) followed by a colon.
• You should end each line with ?all or -all. Use ?all if you want to be able to send email through any ISP (for example, if you send email from your laptop as you travel all over the place). Use -all if you know (and have indicated earlier on the line) every possible SMTP server that you might send email through.
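To see the evaluation rules above actually run, here is a small SPF checker added as an example; it is not code from the original post. It uses a constructed in-memory DNS table (hypothetical addresses from the documentation ranges) in place of real lookups of the geckotribe.com records, implements the a, include, ip4 and all mechanisms with the +, -, ~ and ? prefixes, returns none when a domain publishes no record, and stops after the 10 DNS-querying mechanisms that RFC 7208 allows so a self-including record cannot loop forever.

```python
"""Toy SPF evaluator for the walk-through above (added example, not the blog's code)."""
import ipaddress

# Constructed stand-in for DNS so the example runs offline; hosts and addresses are
# hypothetical (documentation ranges), modelled on the records in the post.
DNS = {
    "TXT": {
        "geckotribe.com": "v=spf1 a:mail.geckotribe.com ?include:myhomeisp.com -all",
        "mail.geckotribe.com": "v=spf1 a:mail.geckotribe.com -all",
        "myhomeisp.com": "v=spf1 a:mail.myhomeisp.com -all",
        "loop.example": "v=spf1 include:loop.example -all",  # pathological self-include
    },
    "A": {
        "mail.geckotribe.com": ["192.0.2.10"],
        "mail.myhomeisp.com": ["198.51.100.25"],
        "smtp.spammerisp.com": ["203.0.113.9"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per check


def parse_record(txt):
    """'v=spf1 a:mail.geckotribe.com ?include:myhomeisp.com -all'
    -> [('+', 'a', 'mail.geckotribe.com'), ('?', 'include', 'myhomeisp.com'), ('-', 'all', '')]"""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # no prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_host(ip, domain, lookups=None):
    """SPF result for mail claiming to be from `domain` delivered by the host at `ip`."""
    lookups = [0] if lookups is None else lookups   # counter shared across includes
    record = DNS["TXT"].get(domain)
    if record is None:
        return "none"                        # domain publishes no SPF policy
    sender = ipaddress.ip_address(ip)
    for qualifier, mech, arg in parse_record(record):
        if mech in ("a", "include"):         # these cost a DNS query
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if mech == "all":
            matched = True
        elif mech == "a":
            hosts = DNS["A"].get(arg or domain, [])
            matched = any(sender == ipaddress.ip_address(h) for h in hosts)
        elif mech == "ip4":
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            sub = check_host(ip, arg, lookups)
            if sub in ("permerror", "temperror"):
                return sub
            matched = sub == "pass"          # include matches only on the other domain's "pass"
        else:
            return "permerror"               # mechanism this toy does not implement
        if matched:
            return QUALIFIERS[qualifier]     # first matching rule decides; the rest are ignored
    return "neutral"                         # fell off the end with no "all" term
```

Note how ?include:myhomeisp.com yields neutral only when myhomeisp.com's own record says pass for the sending address; if the ISP's record says fail or does not exist, the include simply does not match and evaluation moves on to -all.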



Friday, August 27, 2010

Patching the kernel

These instructions require having the skills of a sysadmin. Personally, I avoid recompiling any kernel unless absolutely necessary.

Make sure your product is affected

Linux and UNIX source software often comes with security and other patches. You can download them from the Internet or the project's home page. There is a command called patch that applies a diff file, or patch, to an original source tree.
patch takes a patch file (patchfile) containing a difference listing produced by the diff program and applies those differences to one or more original files, producing patched versions. Normally the patched versions are put in place of the originals.
The following usage is the most common:
$ patch -p1 < {/path/to/patch/file}

To apply a patch, one could run the following command in a shell:
$ patch < /path/to/file
Patches can be undone, or reversed, with the '-R' option:
$ patch -R < /path/to/file
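As an added illustration (not from the original post), the following Python mimics the two patch invocations above on a constructed unified diff generated with difflib: -p1 strips the leading directory component from the file names in the --- and +++ headers (the a/ and b/ prefixes most diffs carry), hunks are applied only where their context lines match the original, and -R swaps the + and - lines to undo a patch. The file name and contents are constructed for the example.

```python
"""A minimal unified-diff applier showing what `patch -p1` and `patch -R` do (added example)."""
import difflib
import re

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Constructed before/after versions of a config file; the diff is generated from them.
BEFORE = ["Listen 80", "ServerTokens Full", "ServerSignature On", "KeepAlive Off"]
AFTER = ["Listen 80", "ServerTokens ProductOnly", "ServerSignature Off", "KeepAlive On"]
EXAMPLE_DIFF = "\n".join(
    difflib.unified_diff(BEFORE, AFTER, "a/conf/httpd.conf", "b/conf/httpd.conf", lineterm="")
)


def strip_path(path, p):
    """patch -pN: drop the first N directory components ("a/conf/httpd.conf", 1 -> "conf/httpd.conf")."""
    parts = path.split("/")
    return "/".join(parts[p:]) if p < len(parts) else parts[-1]


def target_path(diff_text, p=1):
    """File named by the '--- old' header after -p stripping; this is what patch would open."""
    for line in diff_text.splitlines():
        if line.startswith("--- "):
            return strip_path(line[4:].split("\t")[0], p)
    raise ValueError("no '---' file header in diff")


def apply_unified(original, diff_text, reverse=False):
    """Apply a single-file unified diff to `original` (a list of lines without newlines).
    reverse=True swaps '+' and '-' like patch -R. Context that does not match raises
    ValueError, the equivalent of patch reporting 'Hunk #N FAILED'."""
    lines = diff_text.splitlines()
    result, pos, i = [], 0, 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        if not m:
            i += 1                      # '---'/'+++' headers and anything else outside hunks
            continue
        start, length = (m.group(3), m.group(4)) if reverse else (m.group(1), m.group(2))
        old_start = int(start) if length == "0" else int(start) - 1   # "-N,0" inserts after line N
        if old_start < pos:
            raise ValueError("hunks overlap or are out of order")
        result.extend(original[pos:old_start])   # untouched lines before the hunk
        pos = old_start
        i += 1
        while i < len(lines) and lines[i][:1] in (" ", "-", "+"):
            tag, text = lines[i][0], lines[i][1:]
            if reverse:
                tag = {"+": "-", "-": "+", " ": " "}[tag]
            if tag in (" ", "-"):       # must match the original exactly
                if pos >= len(original) or original[pos] != text:
                    raise ValueError(f"hunk FAILED at line {pos + 1}")
                pos += 1
            if tag in (" ", "+"):       # survives into the patched file
                result.append(text)
            i += 1
    result.extend(original[pos:])
    return result


def applies_cleanly(original, diff_text, reverse=False):
    """True when every hunk's context matches, as a dry run (patch --dry-run) would report."""
    try:
        apply_unified(original, diff_text, reverse)
        return True
    except ValueError:
        return False
```

The check in applies_cleanly is the one worth running before touching a production tree: a hunk whose context no longer matches means the patch was written against a different version than the one you have.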



Thursday, July 22, 2010

apache/mysql optimization

Apache Tweaks
------------------------
The Apache directive KeepAlive specifies whether a connection is kept open for further requests from the same client or a new connection has to be established for every request.
If you enable this directive with "On", you must also specify KeepAliveTimeout: the number of seconds Apache will wait for a subsequent request before closing the connection. Once a request has been received, the timeout value specified by the Timeout directive applies.

Setting KeepAliveTimeout to a high value may cause performance problems on heavily loaded servers. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients.
A low value prevents unused connections from staying open for excessive amounts of time. If you are going to leave KeepAlive on, you will want to increase MaxKeepAliveRequests. Setting this higher allows more requests per connection and increases efficiency.
Another minor tweak that will give you a small performance boost, as well as help reduce the effects of a DoS attack, is changing the TimeOut directive. This directive tells Apache how many seconds to wait while receiving an incoming request, processing it, and sending back a response.

HostnameLookups

This adds latency to every request, because a DNS lookup has to complete before the request is finished, so it is always better to disable this directive.

MPM

Apache supports Multi-Processing Modules (MPMs). You can choose either Worker or Prefork. Prefork consumes more memory than Worker, but it is well known for its speed of execution, so Prefork is normally enabled unless the server is quite busy.


Below are the directives used in Prefork.

MaxClients - sets a limit on the number of simultaneous connections/requests that will be served. Set this number too low and resources will go to waste. Set this number too high and an influx of connections will bring the server to a standstill. Set this number just right and your server will fully utilize the available resources.

An approximation of this number should be derived by dividing the amount of system memory (physical RAM) available by the maximum size of an apache/httpd process. The default value [ServerLimit 256] will work with 1-2GB of RAM.

The directive MaxRequestsPerChild is used to recycle processes. When this directive is set to 0, an unlimited number of requests are allowed per process.

# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxRequestsPerChild: maximum number of requests a server process serves

So a sample prefork configuration would look like this:

StartServers 10
MinSpareServers 5
MaxSpareServers 10
MaxClients 225
MaxRequestsPerChild 4000



In the prefork model, each request is handled by its own single-threaded process. Spare processes are kept idle to handle incoming requests, which reduces the start-up latency. The previous configuration starts 10 processes as soon as the Web server comes up and tries to keep between 5 and 10 idle servers running. The hard limit on processes is dictated by MaxClients. Even though a process can handle many consecutive requests, Apache kills off processes after 4,000 connections, which mitigates the risk of memory leaks.
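An added example (not from the original post) of the MaxClients approximation described above: it reads the RSS column from a constructed `ps -ylC httpd` listing, ignores the root-owned parent process, divides the RAM left after a reserve for the OS and other services by the largest worker, and flags prefork values that contradict each other (MaxClients above the default ServerLimit of 256, MaxRequestsPerChild 0). The process sizes, RAM figures and the 512 MiB reserve are assumptions for the example.

```python
"""Derive a prefork MaxClients from process sizes (added example, not the blog's code)."""

# Constructed `ps -ylC httpd` output; RSS is in KiB. Real figures come from your own server.
SAMPLE_PS = """\
S   UID   PID  PPID  C PRI  NI   RSS    SZ WCHAN  TTY          TIME CMD
S     0  1201     1  0  80   0  9124  5804 -      ?        00:00:01 httpd
S    48  1203  1201  0  80   0 26480  7210 -      ?        00:00:04 httpd
S    48  1204  1201  0  80   0 31752  7362 -      ?        00:00:06 httpd
S    48  1205  1201  0  80   0 28900  7298 -      ?        00:00:05 httpd
"""


def worker_rss_kib(ps_output):
    """RSS in KiB of each httpd worker; the root-owned parent only listens and is skipped."""
    header, *rows = ps_output.strip().splitlines()
    cols = header.split()
    uid_col, rss_col = cols.index("UID"), cols.index("RSS")
    return [int(r.split()[rss_col]) for r in rows if r.split()[uid_col] != "0"]


def estimate_max_clients(total_ram_mib, ps_output, reserve_mib=512):
    """RAM left after a reserve (OS, MySQL and friends) divided by the largest worker seen.
    Sizing on the largest rather than the average worker keeps a burst from swapping."""
    rss = worker_rss_kib(ps_output)
    if not rss:
        raise ValueError("no httpd workers in ps output")
    largest_mib = max(rss) / 1024
    usable_mib = total_ram_mib - reserve_mib
    if usable_mib <= 0:
        raise ValueError("reserve leaves no memory for Apache")
    return max(1, int(usable_mib / largest_mib))


def prefork_warnings(cfg):
    """Flag prefork settings that contradict each other or the limits Apache applies."""
    warnings = []
    if cfg["MinSpareServers"] > cfg["MaxSpareServers"]:
        warnings.append("MinSpareServers exceeds MaxSpareServers")
    if cfg["MaxClients"] > cfg.get("ServerLimit", 256):
        warnings.append("MaxClients exceeds ServerLimit (default 256); Apache lowers it to ServerLimit")
    if cfg.get("MaxRequestsPerChild", 0) == 0:
        warnings.append("MaxRequestsPerChild 0: children are never recycled, so leaks accumulate")
    return warnings
```

Run it against the live listing (`ps -ylC httpd`) on a server that has been under load for a while, since worker RSS grows as PHP and modules warm up; a number taken right after a restart will be optimistic.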

The other Apache configuration directives are as follows:

Timeout 200
KeepAlive On
MaxKeepAliveRequests 200
KeepAliveTimeout 3





[mysqld]
skip-locking
max_connections = 500         # The number of simultaneous clients allowed.
connect_timeout = 15          # Number of seconds before a connection attempt times out.

key_buffer_size = 128M        # Index buffer shared by all threads; set it to at least a quarter, but no more than half, of the total memory on the server.
join_buffer_size = 3M         # The size of the buffer used for full joins (joins that do not use indexes).
max_allowed_packet = 16M      # Maximum size of a packet exchanged with a client.

table_cache = 3000            # Each time MySQL accesses a table, it places it in the cache. If the system accesses many tables, it is faster to have these in the cache; increase table_cache if you have enough memory.

max_heap_table_size = 16M     # The maximum size to which MEMORY tables are allowed to grow.
tmp_table_size = 64M          # The maximum size of internal in-memory temporary tables.

sort_buffer_size = 4M         # Each thread that needs to do a sort allocates a buffer of this size. Increase this value for faster ORDER BY or GROUP BY operations.
read_buffer_size = 2M         # Each thread that does a sequential scan allocates a buffer of this size for each table it scans.
myisam_sort_buffer_size = 32M # The buffer that is allocated when sorting MyISAM indexes.

query_cache_type = 1
query_cache_limit = 2M        # The maximum result set size stored in the query cache (default 1MB).
query_cache_size = 64M        # The memory allocated to store results from old queries.

max_user_connections = 25     # The maximum number of active connections for a single user.
max_connect_errors = 10000    # If there are more than this many interrupted connections from a host, that host is blocked from further connections.
safe-show-database

slow_query_log = 1
open_files_limit = 12000      # Number of files the system allows mysqld to open.
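The per-thread buffers in a file like the one above are allocated per connection, so they multiply by max_connections. Here is an added example (not the blog's own tooling) that parses the [mysqld] section of a constructed my.cnf excerpt, maps the old option names key_buffer and record_buffer to their current names, lets later lines override earlier ones as mysqld does, and adds the global buffers to max_connections times the per-thread buffers to show the worst-case memory the settings could demand.

```python
"""Parse [mysqld] options and estimate worst-case memory (added example, not the blog's own)."""
import re

# Constructed excerpt in the style of the file above; values are illustrative.
SAMPLE_MY_CNF = """\
[mysqld]
skip-locking
max_connections=500 #The number of simultaneous clients allowed.
key_buffer = 128M # old name for key_buffer_size
key_buffer_size = 128M
join_buffer_size = 3M
record_buffer = 1M # old name for read_buffer_size, overridden below
read_buffer_size = 2M
sort_buffer_size = 4M
query_cache_size=64M
tmp_table_size = 64M

[client]
port = 3306
"""

UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
ALIASES = {"key_buffer": "key_buffer_size", "record_buffer": "read_buffer_size"}
GLOBAL_BUFFERS = ("key_buffer_size", "query_cache_size", "innodb_buffer_pool_size")
PER_THREAD_BUFFERS = ("sort_buffer_size", "read_buffer_size", "read_rnd_buffer_size", "join_buffer_size")


def parse_size(value):
    """'128M' -> 134217728; a bare integer is already in bytes."""
    m = re.fullmatch(r"(\d+)([KMG])?", value.strip().upper())
    if not m:
        raise ValueError(f"not a size: {value!r}")
    return int(m.group(1)) * UNITS.get(m.group(2), 1)


def parse_mysqld_section(text):
    """{option: value} for the [mysqld] section. Trailing '#' comments are dropped,
    '-' and '_' are treated alike, old option names map to current ones, later lines
    override earlier ones, and a bare option such as skip-locking is stored as True."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, sep, value = line.partition("=")
        key = key.strip().replace("-", "_")
        opts[ALIASES.get(key, key)] = value.strip() if sep else True
    return opts


def worst_case_memory_mib(opts):
    """Global buffers plus max_connections copies of the per-thread buffers, in MiB.
    This is the ceiling the settings allow if every connection sorts and joins at once."""
    size = lambda k: parse_size(opts[k]) if k in opts else 0
    global_bytes = sum(size(k) for k in GLOBAL_BUFFERS)
    per_thread_bytes = sum(size(k) for k in PER_THREAD_BUFFERS)
    return (global_bytes + int(opts["max_connections"]) * per_thread_bytes) / 2 ** 20
```

With 500 connections and 9 MiB of per-thread buffers the sample works out to about 4.7 GiB, which is the figure to compare against the RAM actually in the box before copying such a file onto a small server.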

Tuesday, June 29, 2010

cPanel Error – error : Invalid maildirsize file!

Login to your server via SSH. The following example applies where the email address is sharaf@domain.com and the account username is “username”; substitute your own values.

cd /home/username/mail/domain.com/sharaf/
rm -f maildirsize

Tuesday, June 8, 2010

Customize Apache default Success page

You just have to login to your server via ssh.

Navigate to /usr/local/apache/htdocs

cd /usr/local/apache/htdocs

And finally edit the file index.html

nano index.html

If you list the content of /usr/local/apache/htdocs you will see that you can also modify the content of other error pages that cpanel’s apache outputs.

Friday, June 4, 2010

MySQL ERROR! Couldn't find MySQL manager (/var/lib/bin/mysqlmanager)

cpanel server

/etc/init.d/mysql status
ERROR! MySQL is not running
[root@ns2 subsys]# /etc/init.d/mysql restart
ERROR! MySQL manager or server PID file could not be found!
Starting MySQL ERROR! Couldn't find MySQL manager (/var/lib/bin/mysqlmanager) or server (/var/lib/bin/mysqld_safe)
[root@ns2 subsys]# /etc/init.d/mysql stop
ERROR! MySQL manager or server PID file could not be found!

Check whether basedir is set to /var/lib in /etc/my.cnf; if so, remove it.

Friday, May 28, 2010

Increase max emails per hour for a single domain in cPanel

You can change the maximum number of emails per hour allowed for a particular domain to a number different from the system default using the following file (rather than the WHM settings):

/var/cpanel/maxemails

Just add an entry like “domain.com = 100”. Now 100 is the maximum emails-per-hour limit for domain.com.

But please make sure that you execute the following script after updating /var/cpanel/maxemails:

# /scripts/build_maxemails_config

Thursday, May 20, 2010

OpenVZ network down SIOCADDRT: Network is unreachable

Have you ever come across a situation where the VPS is running, but the network is unreachable? An OpenVZ VPS may be up and running, but the network service is down, resulting in downtime for the websites hosted in it. If you try to restart the network, you will get the error below:

====================================

[root@pers ~]# /etc/init.d/network restart
Shutting down interface venet0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface venet0: SIOCADDRT: Network is unreachable
SIOCADDRT: Network is unreachable
====================================

To fix this, SSH into the hardware node, enter the VPS, and then execute the command below:

/etc/sysconfig/network-scripts/ifup-routes venet0:0


Sunday, May 9, 2010

open3: fork failed: Cannot allocate memory at cpsrvd-ssl line 6152

Cpanel Internal Server Error

open3: fork failed: Cannot allocate memory at cpsrvd-ssl line 6152

cpsrvd/11.25 Server at 216.18.214.132

Internal Server Error

Solution: /scripts/upcp --force

Sunday, May 2, 2010

http://gnufreakz.wordpress.com/page/11/

http://kb.mediatemple.net/questions/246/(dv)+HOWTO:+Basic+Apache+performance+tuning+(httpd)

http://www.perlcode.org/tutorials/apache/tuning.html

http://www.devside.net/articles/apache-performance-tuning


http://phplens.com/phpeverywhere/tuning-apache-php

Wednesday, April 21, 2010

LNMP – A tool to auto-compile & install & manage Nginx+MySQL+PHP on Linux

LNMP is a tool to auto-compile & install & manage Nginx+MySQL+PHP on Linux.

The current version is 0.3. Supported Linux distributions: CentOS 4.8~5.4 32/64bit, Debian 4.0~5.0 32bit/64bit, Ubuntu.

The programs installed by LNMP:
Nginx:0.7.63
PHP:5.2.10
MySQL:5.1.35
Zend Optimizer:3.3.9
eaccelerator:0.9.5.3

Installation Guide:

 wget -c http://soft.vpser.net/lnmp/lnmp0.4-full.tar.gz



1. Install on CentOS
First download LNMP with the command: wget http://soft.vpser.net/lnmp/lnmp0.3.tar.gz , then decompress lnmp0.3.tar.gz with the command: tar zxvf lnmp0.3.tar.gz
Run the command: cd lnmp0.3
Run ./centos.sh, then enter the domain name and press the Enter key twice. The program will auto-compile and install Nginx, MySQL, PHP and Zend Optimizer.

2. Install on Debian
First download LNMP with the command: wget http://soft.vpser.net/lnmp/lnmp0.3.tar.gz , then decompress lnmp0.3.tar.gz with the command: tar zxvf lnmp0.3.tar.gz
Run the command: cd lnmp0.3
If your Debian is 32-bit run ./debian.sh, otherwise run ./debian64bit.sh. Then enter the domain name and press the Enter key twice. The program will auto-compile and install Nginx, MySQL, PHP and Zend Optimizer.

3. Install eaccelerator
If you want to use eaccelerator, run ./eaccelerator.sh and the program will auto-compile and install it.

4. VirtualHost Management
1). Add a VirtualHost: run ./vhost.sh. You will be prompted to enter the domain name you want to bind; press the Enter key, and then enter the directory to be bound (an absolute directory, such as /home/wwwroot/lnmp).
2). More features are under development.

Friday, April 2, 2010

cPanel disk usage incorrectly showing unlimited or 0MB

You can fix this by running the script /scripts/fixquotas

If this doesn't work and you are using Virtuozzo or OpenVZ, you will need to set the QUOTAUGIDLIMIT parameter; this allows the system to allocate user IDs (UIDs).

e.g. (OpenVZ)

vzctl set 101 --quotaugidlimit 1000 --save

Then run the script "/scripts/fixquotas"

and it should all work.

Troubleshooting

If you've done the above and it still doesn't work (or the value still says 0MB), this may be due to cPanel caching the disk usage results. To disable this:

Select the following in your WHM.

WHM >> Tweak Settings >> System >> "Disable Disk Quota display caching (WHM will cache disk usage which may result in the display of disk quotas being up to 15 minutes behind the actual disk usage. Disabling this may result in a large performance degradation.)"

MySQL databases showing 0MB disk usage

If your MySQL databases are showing 0MB disk usage in cPanel, do the following.

vi /var/cpanel/cpanel.config

Find "disk_usage_include_sqldbs" and change the value from 0 to 1, then run:

# /scripts/update_db_cache

The issue should be fixed :)

Saturday, March 6, 2010

mysql

mysqladmin proc stat
or
mysqladmin processlist

Wednesday, February 17, 2010

Error "psa dead but subsys locked" is shown when checking the status of Parallels Plesk Panel from the command line

I get the following error when checking the status of Parallels Plesk Panel from the command line:

~# /etc/init.d/psa status
psa dead but subsys locked
~#

What does the error mean?

Cause

The error means that Parallels Plesk Panel is stopped but the lock file still exists.

Another way to check the status of Parallels Plesk Panel is with the command "netstat". Here is an example of the correct output when Parallels Plesk Panel is running:

Parallels Plesk Panel version 7.x, 8.x

~# netstat -antp | grep 8443
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 9691/httpsd
~#

Parallels Plesk Panel version 9.x

~# netstat -antp | grep 8443
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 21856/sw-cp-serverd
~#

Here is the result if Parallels Plesk Panel is not running:

~# netstat -antp | grep 8443
~#

Lock file of Parallels Plesk Panel on RedHat-like operating systems is /var/lock/subsys/psa.

Resolution

Remove file /var/lock/subsys/psa manually and start the service usual way:

~# rm -f /var/lock/subsys/psa
~# /etc/init.d/psa start1
Starting Plesk... done
~#


NOTE: Option "start1" allows to start only Parallels Panel Panel without other services.

Error log file is /usr/local/psa/admin/logs/httpsd_error_log for Parallels Plesk Panel version 7.x, 8.5 or /var/log/sw-cp-server/error_log for Parallels Plesk Panel version 9.x.

Monday, February 1, 2010

sysctl hardening

#Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables packet forwarding
net.ipv4.ip_forward=0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Log spoofed packets, source routed packets and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65535

Securing Your Server

1) Never work with the root account. Create an admin account instead:

useradd vpsadmin
passwd vpsadmin

Add some basic permissions to the account. By adding the user to the wheel group we are giving it some administrative rights.

usermod -a -G wheel vpsadmin

2) SSH security

vim /etc/ssh/sshd_config
Port 12345
PermitRootLogin no

/etc/init.d/sshd restart

3) Install firewall (APF)

wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvf apf-current.tar.gz
cd apf-0.9.6-2 (or whatever version directory the archive extracted to)
./install.sh

vim /etc/apf/conf.apf

First look for the line that says

DEVEL_MODE="1"

Leaving this option as “1” will disable your firewall after 5 minutes, so make sure to change it to “0”.
So replace 1 with 0 so that it looks like this:
DEVEL_MODE="0"

Next, take a look at the allowed inbound ports. You should see something like

IG_TCP_CPORTS="22,80,443"

Notice that port 22, the default SSH port, is open. We want to change this to the port we gave SSH earlier. You can leave port 80 (HTTP) and 443 (HTTPS) open if you plan on running a website.
If you want to open any other port, add it to the list above.

By default, APF will not filter outbound traffic, but if you would like to change that, look for the following line

EGF="0"

and change this value to “1”. On the line directly below it you should see the allowed outbound ports

EG_TCP_CPORTS="21,25,80,443"

Change these if you have enabled outbound filtering and save the firewall config. Now we should add the firewall to start when we reboot our VPS, and enable it:

chkconfig --add apf
chkconfig --level 345 apf on
/etc/init.d/apf start

4) SECURING CPANEL AND WHM

These are items inside WHM/cPanel that should be changed to secure your server.

Go to Server Setup =>> Tweak Settings
Check the following items...

Under Domains
Prevent users from parking/adding on common internet domains (e.g. hotmail.com, aol.com).

Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
(SET TO FAIL)


Under System
Use jailshell as the default shell for all new accounts and modified accounts

Goto Security =>> Security Center
Enable php open_basedir Protection
Enable mod_userdir Protection
Disable Compilers for unprivileged users.

Goto Security =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.

Goto Security =>> Security Center =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Goto Service Configuration =>> FTP Configuration
Disable Anonymous FTP
Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users

Goto Mysql =>> MySQL Root Password
Change root password for MySQL (Use a very hard, random password that is not used elsewhere as the chances of actually using it are probably slim and actually using it for databases is a security risk.)

Goto Security and run Quick Security Scan and Scan for Trojan Horses often.

6) INSTALLING CSF

wget http://www.configserver.com/free/csf.tgz

tar -xzf csf.tgz

cd csf
sh install.sh

If you want to remove apf or any other firewall,

sh /etc/csf/remove_apf_bfd.sh

For starting firewall---

csf -s

restart the firewall---

csf -r

flush the rules or stop the firewall.

csf -f

If you are running a VPS plan,

Open the /etc/csf/csf.conf and look for a line MONOLITHIC_KERNEL = "0" and change to

MONOLITHIC_KERNEL = "1"


Config Files

/etc/csf/csf.conf => CSF Firewall configuration file
/etc/csf/csf.allow => Config file to allow IPs
/etc/csf/csf.deny => Config file to deny IPs
/etc/csf/ => Alert files with TXT extension are stored within this directory


Harden the firewall security by performing the system security check. To do this go to Cpanel WHM > CSF Firewall & Security > Check System Security. There it will list WARNINGS based on your server.

-bash-3.2# chkconfig --add csf
-bash-3.2# chkconfig --level 345 csf on
-bash-3.2# chkconfig --list | grep csf
csf 0:off 1:off 2:on 3:on 4:on 5:on 6:off
-bash-3.2#



Remove the CSF Firewall

sh /etc/csf/uninstall.sh

7) Install a root login detector and email warning

As root, edit .bash_profile:

vim .bash_profile
and add the following line:

echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" you@yourdomain.com

Set an SSH Legal Message
----------------------------
To set an SSH legal message, SSH into the server and log in as root.

At command prompt type:
vim /etc/motd

Enter your message, save and exit.
Note: I use the following message…

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

=========================================



9) Securing /tmp

First check whether /tmp is already a separate partition, using df -h.

Finally, if you don’t have the ability to create a fresh /tmp partition on existing drives, you can use the loopback capabilities of the Linux kernel by creating a loopback filesystem that will be mounted as /tmp and can use the same restrictive mount options. To create a 1GB loopback filesystem, execute:

# dd if=/dev/zero of=/.tmpfs bs=1024 count=1000000

# mke2fs -j /.tmpfs

# cp -av /tmp /tmp.old

# mount -o loop,noexec,nosuid,rw /.tmpfs /tmp

# chmod 1777 /tmp

# mv -f /tmp.old/* /tmp/

# rmdir /tmp.old

Once this is complete, edit /etc/fstab to have the loopback filesystem mounted automatically at boot:

/.tmpfs /tmp ext3 loop,nosuid,noexec,rw 0 0

Little things like ensuring proper permissions and using restrictive mount options will prevent a lot of harm coming to the system. If a bot lands on a filesystem that is unable to execute, that bot is essentially worthless.


10) Securing /etc/sysctl.conf
------------------------------
vim /etc/sysctl.conf
1) If you're not forwarding traffic between interfaces, or if you have only a single interface, it's usually a good idea to disable forwarding:

net.ipv4.ip_forward = 0

2) rp_filter can reject incoming packets if their source does not match the network interface they are arriving from. This is a good way to prevent IP spoofing (usually not a good idea if you have several IP addresses on different interfaces or if a single interface has multiple IP addresses).

net.ipv4.conf.all.rp_filter = 1

3)Enable TCP SYN Cookie Protection

A "SYN Attack" is a denial of service attack that consumes all the resources on a machine. Any server that is connected to a network is potentially subject to this attack.

To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.tcp_syncookies = 1

4) Disable IP Source Routing

Source routing is used to specify a path or route through the network from source to destination. This feature can be used by network people for diagnosing problems. However, if an intruder was able to send a source routed packet into the network, then he could intercept the replies and your server might not know that it's not communicating with a trusted server.

To stop the server accepting source routed packets, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.accept_source_route = 0

5) Disable ICMP Redirect Acceptance

ICMP redirects are used by routers to tell the server that there is a better path to other networks than the one chosen by the server. However, an intruder could potentially use ICMP redirect packets to alter the host's routing table by causing traffic to use a path you didn't intend.

To disable ICMP Redirect Acceptance, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.accept_redirects = 0


6) Enable IP Spoofing Protection

IP spoofing is a technique where an intruder sends out packets which claim to be from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks. For more information on IP spoofing, I recommend the article IP Spoofing: Understanding the basics.

To enable IP Spoofing Protection, turn on Source Address Verification. Edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.rp_filter = 1


7)Enable Ignoring Broadcasts Request

If you want or need Linux to ignore broadcast requests, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_echo_ignore_broadcasts = 1

8)Enable Bad Error Message Protection

To alert you about bad error messages in the network, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_ignore_bogus_error_responses = 1

9)Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets

To turn on logging for Spoofed Packets, Source Routed Packets, and Redirect Packets, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.log_martians = 1
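Added example, not part of the original post, serving both the sysctl hardening file earlier on this page and the numbered steps above: a parser for sysctl.conf text that also accepts the /proc/sys path form in which such settings are sometimes written, reports keys set more than once with different values (sysctl -p applies lines in order, so the last one wins, which is easy to miss in a file that has grown by pasting), and compares the effective values against the settings the steps ask for. The file excerpt and the baseline are constructed for the example.

```python
"""Parse and audit sysctl.conf text (added example, not part of the original post)."""

# Constructed sysctl.conf excerpt. It repeats one key with two values and writes one
# setting in the /proc/sys path form, to exercise both cases the parser handles.
SAMPLE_SYSCTL_CONF = """\
# Disables packet forwarding
net.ipv4.ip_forward=0
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.accept_redirects = 0
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
# ... pasted in later, contradicting the line above:
net.ipv4.conf.all.log_martians = 1
net.ipv4.ip_local_port_range = 16384 65535
"""

# Values the numbered steps above ask for (constructed baseline for this example).
BASELINE = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.all.log_martians": "1",
}

PROC_PREFIX = "/proc/sys/"


def proc_path_to_key(path):
    """'/proc/sys/net/ipv4/ip_forward' -> 'net.ipv4.ip_forward', the sysctl.conf spelling."""
    if not path.startswith(PROC_PREFIX):
        raise ValueError(f"not a /proc/sys path: {path!r}")
    return path[len(PROC_PREFIX):].strip("/").replace("/", ".")


def parse_sysctl_conf(text):
    """Return (effective, conflicts). sysctl -p applies lines top to bottom, so the last
    value of a repeated key is the one that ends up in the kernel; conflicts records each
    (key, earlier value, later value) pair where a repeat changed the value."""
    effective, conflicts = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        else:
            key, _, value = line.partition(" ")   # "/proc/sys/... value" form
        key, value = key.strip(), " ".join(value.split())
        if key.startswith(PROC_PREFIX):
            key = proc_path_to_key(key)
        if key in effective and effective[key] != value:
            conflicts.append((key, effective[key], value))
        effective[key] = value
    return effective, conflicts


def audit(effective, baseline=BASELINE):
    """(key, expected, actual) for every baseline key that is missing or set differently."""
    return [(k, v, effective.get(k)) for k, v in baseline.items() if effective.get(k) != v]
```

Feed it the real /etc/sysctl.conf and compare the audit against `sysctl -a` output afterwards: a key that is right in the file but wrong in the kernel usually means the file was edited without `sysctl -p` being run.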
-----------------------------------------------------------------------

11) Securing /var/tmp and /dev/shm
Rename /var/tmp and replace it with a symbolic link to /tmp, so that it inherits /tmp's restrictive mount options:

mv /var/tmp /var/tmp1
ln -s /tmp /var/tmp

vim /etc/fstab

change:
"none /dev/shm tmpfs defaults,rw 0 0" to
"none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0"

mount -a
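An added check (not from the original post) covering both the /tmp loopback mount above and the /dev/shm change: it parses the six-field format shared by /etc/fstab and /proc/mounts from constructed sample text and reports which of the two mount points lack nosuid or noexec. Reading the real files is left to the caller; the sample tables here are constructed.

```python
"""Audit mount options for /tmp and /dev/shm (added example, not from the original post)."""

# Mount points that must carry these options, per the steps above.
REQUIRED = {"/tmp": {"nosuid", "noexec"}, "/dev/shm": {"nosuid", "noexec"}}

# Constructed samples. /proc/mounts shows what is live; /etc/fstab shows what boot will do.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,data=ordered 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
"""
SAMPLE_FSTAB = """\
# <device> <mount point> <type> <options> <dump> <pass>
/dev/sda1 / ext3 defaults 1 1
/.tmpfs /tmp ext3 loop,nosuid,noexec,rw 0 0
none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
"""


def parse_mount_table(text):
    """Map mount point -> set of options for fstab/proc-mounts style six-field lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue                                     # blank, comment or malformed line
        mount_point = fields[1].replace("\\040", " ")    # /proc/mounts escapes spaces as \040
        table[mount_point] = set(fields[3].split(","))
    return table


def missing_options(table, required=REQUIRED):
    """Return {mount point: options it lacks}. An absent mount point lacks everything,
    which is the case when /tmp is just a directory on the root filesystem."""
    report = {}
    for mount_point, wanted in required.items():
        gap = wanted - table.get(mount_point, set())
        if gap:
            report[mount_point] = gap
    return report
```

Checking both files matters: /proc/mounts tells you whether the protection is in force now, and /etc/fstab whether it will survive the next reboot; the two disagree after a hand-typed mount -o remount that was never written back.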

-----------------------------------------------------------

12) Harden host.conf

Log into each server as root.

Edit the /etc/host.conf file.

Ensure this file has the following settings:

# Lookup names via DNS first then fall back to etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
spoofalert on

Save the file.

For details see:
http://www.faqs.org/docs/securing/chap5sec39.html
--------------------------

13) Installing RKHunter (rootkit hunter)

RKHunter (RootKit Hunter) is a security scanning tool which scans for rootkits, backdoors and local exploits. RKHunter will give you about 99.9% assurance that your dedicated web server is secure.

1. Log in to your server via SSH as root.
Then type: cd /usr/local/src/

2. Download RKHunter Version 1.1.4
Type: wget http://optusnet.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.0.tar.gz

3. Extract files
Type: tar -xzvf rkhunter-1.3.0.tar.gz

4. Type: cd rkhunter-1.3.0

5. Type: ./installer.sh --help

The defaults should do:

./installer.sh --layout /usr/local --install

vi /etc/cron.daily/rkhunter.sh

#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" email@domain.com)

chmod 700 /etc/cron.daily/rkhunter.sh
rkhunter --update
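A daily "all clear" mail soon gets ignored, and the one that matters then gets ignored with it. The wrapper below is an added example, not from the original post or the rkhunter project: it mails the report only when the scan returned non-zero (rkhunter exits non-zero when it has warnings) or printed a warning, and uses --report-warnings-only to keep the mail short. The RKHUNTER, MAILER and ALERT_TO variables are assumed overrides so the logic can be exercised with a stand-in for rkhunter; email@domain.com is the placeholder address from the post.

```shell
#!/bin/sh
# Added example, not from the original post or the rkhunter project: a cron
# wrapper that mails the rkhunter report only when the scan found something.
# rkhunter exits non-zero when it reports warnings, and --report-warnings-only
# (--rwo) trims the output to those warnings. The command paths are
# overridable so the wrapper can be exercised with a constructed stand-in.

RKHUNTER=${RKHUNTER:-/usr/local/bin/rkhunter}
MAILER=${MAILER:-mail}
ALERT_TO=${ALERT_TO:-email@domain.com}     # placeholder address from the post

# run_rkhunter_scan
# Runs the check-only cron scan, stores its output in $SCAN_OUTPUT and returns
# the scanner's exit status (0 = clean, non-zero = warnings or errors).
run_rkhunter_scan() {
    SCAN_OUTPUT=$($RKHUNTER -c --cronjob --report-warnings-only 2>&1)
    return $?
}

# rkhunter_daily
# Mails the report only when the scan returned non-zero or printed a warning;
# returns 0 when nothing was mailed, 1 when an alert was sent.
rkhunter_daily() {
    if run_rkhunter_scan; then
        case $SCAN_OUTPUT in
            *Warning*) ;;                  # warnings despite exit 0: still alert
            *) return 0 ;;                 # clean scan, stay quiet
        esac
    fi
    printf '%s\n' "$SCAN_OUTPUT" | $MAILER -s "Daily Rkhunter Scan Report: $(uname -n)" "$ALERT_TO"
    return 1
}
```

Save it as /etc/cron.daily/rkhunter.sh with a final line calling rkhunter_daily, chmod 700 it as above, and keep rkhunter --update in a separate cron entry so a failed update does not suppress the scan.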


14) Apache optimizing

# change Timeout 300 to
Timeout 45
# change KeepAlive Off to
KeepAlive On
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
# -- change MaxKeepAliveRequests 100 to 500
MaxKeepAliveRequests 500
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
# change KeepAliveTimeout 15 to
KeepAliveTimeout 5
# Increase MaxClients after benchmarking. mine is
MaxClients 200
# Turn off ServerSignature
ServerSignature Off

#ServerTokens Product
ServerTokens ProductOnly

More details:

http://www.mysql-apache-php.com/basic-linux-security.htm

15) APF in LXAdmin

This may help: I have modified a tutorial for APF so it will work with LXAdmin. If you see any changes that need to be made, let me know.
Important: be sure iptables was enabled when the VM was created (OpenVZ).


1. cd /root/downloads, or another temporary folder where you store your files.

2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

3. tar -xvzf apf-current.tar.gz

4. cd apf-0.9.6-2/ (or whatever the latest version is).

5. Run the install file: ./install.sh
You will receive a message saying it has been installed:

Installing APF 0.9.6-2: Completed.

Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/

Other Details:
Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,7776,7777,7778, 7779,3306
Listening UDP ports: 53,55880
Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.

6. Let's configure the firewall: pico /etc/apf/conf.apf (or nano /etc/apf/conf.apf)
We will go over the general configuration to get your firewall running. This isn't a complete, detailed guide to every feature the firewall has; look through the README and the configuration file for an explanation of each feature.

We like to use DShield.org's "block" list of top networks that have exhibited suspicious activity.
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"

Find the following lines:
IFACE_IN="eth0"
IFACE_OUT="eth0"
and change them to
IFACE_IN="venet0"
IFACE_OUT="venet0"

7. Configuring firewall ports:

LXAdmin servers
We like to use the following on our cPanel servers:

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports; 3000_3500 = passive port range for Pure-FTPd
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,7777,7778,7779,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,7777,7778,7779"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

Save the changes: Ctrl+X then Y
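The port lists are plain strings that APF splits on commas, so a stray space inside the quotes, a reversed range or a port above 65535 is not caught by the editor and only shows up as rules that do not behave as expected. The script below is an added example, not from the original post or the APF project: it validates the syntax of a port list (single ports and LOW_HIGH ranges) and pulls the four *_CPORTS assignments out of a conf.apf to check them before apf -s. The conf.apf excerpt in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the APF project: validate the
# port lists before starting the firewall. conf.apf uses comma-separated
# entries, either a single port or a LOW_HIGH range. The conf.apf excerpt
# used in the demo is constructed.

# validate_apf_ports LIST
# Prints one problem per line; returns 0 when the list is clean.
validate_apf_ports() {
    list=$1
    rc=0
    clean=$(printf '%s' "$list" | tr -d ' \t')
    if [ "$clean" != "$list" ]; then
        echo "whitespace inside list: '$list'"; rc=1
    fi
    oldifs=$IFS
    IFS=,
    for entry in $clean; do
        case $entry in
            ''|_*|*_|*_*_*|*[!0-9_]*)
                echo "malformed entry: '$entry'"; rc=1; continue ;;
        esac
        lo=${entry%%_*}          # single port: lo == hi
        hi=${entry##*_}
        if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
            echo "out of range: '$entry'"; rc=1
        fi
    done
    IFS=$oldifs
    return $rc
}

# check_apf_conf FILE
# Pulls the four *_CPORTS assignments out of a conf.apf and validates each;
# the last assignment of a variable in the file is the one that counts.
check_apf_conf() {
    file=$1
    overall=0
    for var in IG_TCP_CPORTS IG_UDP_CPORTS EG_TCP_CPORTS EG_UDP_CPORTS; do
        val=$(sed -n "s/^$var=\"\(.*\)\"[[:space:]]*\$/\1/p" "$file" | tail -n 1)
        [ -n "$val" ] || continue                # unset or empty: nothing to check
        problems=$(validate_apf_ports "$val") || {
            overall=1
            printf '%s\n' "$problems" | sed "s/^/$var: /"
        }
    done
    return $overall
}

# Demo on a constructed excerpt: the trailing space inside IG_TCP_CPORTS and
# the reversed range in EG_TCP_CPORTS are reported; the UDP lists pass.
demo_check_apf() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed conf.apf excerpt
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,7777,7778,7779,3000_3500 "
IG_UDP_CPORTS="53"
EG_TCP_CPORTS="21,25,80,443,43,3500_3000"
EG_UDP_CPORTS="20,21,53"
EOF
    check_apf_conf "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo_check_apf || echo "fix conf.apf before running apf -s"
```

check_apf_conf /etc/apf/conf.apf before every apf -s or -r; it checks syntax only, so whether a port should be open at all is still your decision.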


8. Starting the firewall
/usr/local/sbin/apf -s
Other commands:
usage ./apf [OPTION]
-s|--start ......................... load firewall policies
-r|--restart ....................... flush & load firewall
-f|--flush|--stop .................. flush firewall
-l|--list .......................... list chain rules
-st|--status ....................... firewall status
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall


9. After everything is fine, change the DEVM option
This stops the firewall from automatically clearing itself every 5 minutes from cron.
We recommend changing this to "0" only after you've had a chance to ensure everything is working well and have tested the server out.

pico /etc/apf/conf.apf

FIND: DEVM="1"
CHANGE TO: DEVM="0"

10. Configure AntiDOS for APF
Relatively new to APF is the AntiDOS feature, which can be found in /etc/apf/ad.
The log file is located at /var/log/apfados_log, so you might want to make a note of it and watch it!

pico /etc/apf/ad/conf.antidos

There are various things you might want to fiddle with, but I'll cover the ones that will alert you by email.

# [E-Mail Alerts]
Under this heading we have the following:

# Organization name to display on outgoing alert emails
CONAME="Your Company"
Enter your company name or server name.

# Send out user defined attack alerts [0=off,1=on]
USR_ALERT="0"
Change this to 1 to get email alerts.

HyperVM/Kloxo

http://www.howtoforge.com/managing-openvz-with-hypervm-on-centos-5.2

How to install WordPress!

WordPress is an open source blog publishing application. WordPress is the official successor of b2\cafelog which was developed by Michel Valdrighi. The latest release of WordPress is version 2.7.1, released on 10 February 2009. WordPress has a templating system, which includes widgets that can be rearranged without editing PHP or HTML code, as well as themes that can be installed and switched between. The PHP and HTML code in themes can also be edited for more advanced customizations. WordPress also features integrated link management; a search engine-friendly, clean permalink structure; the ability to assign nested, multiple categories to articles; multiple author capability; and support for tagging of posts and articles. Automatic filters that provide for proper formatting and styling of text in articles (for example, converting regular quotes to smart quotes) are also included. WordPress also supports the Trackback and Pingback standards for displaying links to other sites that have themselves linked to a post or article. Finally, WordPress has a rich plugin architecture which allows users and developers to extend its functionality beyond the features that come as part of the base install.

The installation of WordPress is quite simple.

1) Download the latest version of WordPress and extract it.

2) Place the WordPress files in the desired location on your web server, using FTP.

* If you want to integrate WordPress into the root of your domain (e.g. http://example.com/), move or upload all contents of the unzipped WordPress directory (but excluding the directory itself) into the root directory of your web server.
* If you want to have your WordPress installation in its own subdirectory on your web site (e.g. http://example.com/blog/), rename the directory wordpress to the name you'd like the subdirectory to have and move or upload it to your web server. For example if you want the WordPress installation in a subdirectory called "blog", you should rename the directory called "wordpress" to "blog" and upload it to the root directory of your web server.


3) Here I am uploading the folder (blog) to public_html using FTP. Make sure that you upload the folder as a user, not as root.

4) Now go to cPanel and create a MySQL user and a database. Remember the database name, user and password.

5) Then go to File Manager and, inside the uploaded folder (blog), edit the file wp-config-sample.php.

6) Rename wp-config-sample.php to wp-config.php.

7) Edit wp-config.php and insert the details of the database we created.


Here is the default wp-config-sample.php; you will need to replace the default values in this file with your own database settings.

define('DB_NAME', 'putyourdbnamehere'); // The name of the database
define('DB_USER', 'usernamehere'); // Your MySQL username
define('DB_PASSWORD', 'yourpasswordhere'); // ...and password
define('DB_HOST', 'localhost'); // 99% chance you won't need to change this value

Usually DB_HOST must be 'localhost'. If it is not working, contact your web hosting provider.
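Two things go wrong at this step more often than the DB_HOST value: a placeholder is left in one of the defines, and the uploaded wp-config.php (which holds the database password) ends up world-readable. The script below is an added example, not from the original post or from WordPress: it extracts the DB_* defines from a wp-config.php, flags any that still carry the sample values shown above, and warns when other users on the server can read the file. The wp-config.php in the demo is a constructed copy of the sample.

```shell
#!/bin/sh
# Added example, not from the original post or WordPress: a pre-install check
# for wp-config.php. It flags DB_* defines still holding the sample values
# from wp-config-sample.php, and warns when the file (which holds the database
# password) is readable by other users on the server. The sample file used in
# the demo is constructed.

# wp_define_value FILE KEY
# Prints the single-quoted value of define('KEY', '...') in FILE, or nothing.
wp_define_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# check_wp_config FILE
# Prints one problem per line; returns 0 when the file looks ready to use.
check_wp_config() {
    file=$1
    rc=0
    [ -f "$file" ] || { echo "$file: not found (did you rename wp-config-sample.php?)"; return 1; }
    for key in DB_NAME DB_USER DB_PASSWORD; do
        val=$(wp_define_value "$file" "$key")
        case $val in
            '') echo "$key: not defined"; rc=1 ;;
            putyourdbnamehere|usernamehere|yourpasswordhere)
                echo "$key: still set to the sample value '$val'"; rc=1 ;;
        esac
    done
    # ls -l columns 8-10 are the permission bits for "other" users.
    others=$(ls -ld "$file" | cut -c8-10)
    if [ "$others" != "---" ]; then
        echo "$file: readable by other users (other bits: $others); chmod 640 or 600 it"
        rc=1
    fi
    return $rc
}

# Demo on a constructed copy of the sample file: all three defines still hold
# placeholders, so this reports them and returns 1 (mktemp creates the file
# with mode 600, so the permission check itself passes).
demo_check_wp_config() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<?php
// constructed wp-config.php with the sample values left in place
define('DB_NAME', 'putyourdbnamehere'); // The name of the database
define('DB_USER', 'usernamehere'); // Your MySQL username
define('DB_PASSWORD', 'yourpasswordhere'); // ...and password
define('DB_HOST', 'localhost');
EOF
    check_wp_config "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo_check_wp_config || echo "wp-config.php is not ready"
```

Run check_wp_config ~/public_html/blog/wp-config.php as the account user before step 8; on a cPanel host the web server runs as that user (or via suEXEC), so mode 600 or 640 is enough for the site to read the file.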

8)Run the WordPress installation script by accessing wp-admin/install.php in your favorite web browser.

* If you installed WordPress in the root directory, you should visit: http://example.com/wp-admin/install.php
* If you installed WordPress in its own subdirectory called blog, for example, you should visit: http://example.com/blog/wp-admin/install.php

9) The installation process will now begin. The screenshots for the installation are given below.
10) Go to www.yourdomain.com/blog/wp-login.php to log in next time.



Thursday, January 14, 2010

Howto: enable TUN module on a VPS

The TUN module is required for VPN tunnelling, and to configure a VPN on a VPS you need to enable the module from the hardware node. Log in to your host server and execute the following commands:

First check if the TUN module is enabled on the hardware node:

lsmod | grep tun

If not, load the module using modprobe:

modprobe tun

Now, enable the TUN module on a VPS:

vzctl set VEID --devices c:10:200:rw --save
vzctl exec VEID mkdir -p /dev/net
vzctl exec VEID mknod /dev/net/tun c 10 200
vzctl exec VEID chmod 600 /dev/net/tun

where VEID is the ID of the VPS you want to enable the TUN module on.

Wednesday, January 13, 2010

Fantastico shows error 'You cannot install more than one script in the root directory of a domain'

1. Log in to your cPanel
2. Go to "File Manager"
3. Click on the ".fantasticodata" folder
4. Open "installed_in_root.php" and edit it.

This is an example of what I mean:

If you open up "installed_in_root.php" you will see something like this:

$installed_in_root["domain.com"] = 1;

This is what you need to delete.

(this is just an example from my "installed_in_root.php" file).

Keep in mind that every install of WordPress you have made will be stored in this file, so be very careful not to delete any of your other WordPress sites out of it.

I hope this makes sense lol, I'm not very good at explaining things.

Change time zone for a particular account on a cPanel server

To change the time zone for only a particular account, using .htaccess:

SetEnv TZ