do the Linux!

How to set up SPF records

2010-09-27T22:14:00.000-07:00

SPF is an emerging standard that let’s the owners of domain names tell people who receive email claiming to be from that domain name which SMTP servers are allowed to send email from that domain name. That’s a slightly complex sentence, so let me give you an example. Then I’ll make a note or two about how to add SPF records to your DNS settings. There is a point or two that is quite difficult to figure out from the documentation I’ve found online, but once you figure it out, it’s not that difficult. So, the example of the process:

1) A spammer sends an email with a fake address–let’s say that address is fakeaddress@geckotribe.com.

2) It leaves their email client and goes through their ISP’s SMTP server–let’s say that’s smtp.spammerisp.com (in reality, they probably wouldn’t use thier ISP’s SMTP server, but we’ll ignore that fact).

3) The message arrives at the recipient’s (poor@sucker.com) mail server (mail.sucker.com).

4) Their mail server (mail.sucker.com) checks the sender’s address (fakeaddress@geckotribe.com), extracts the domain name from it (geckotribe.com).

5) mail.sucker.com asks the DNS server for geckotribe.com (ns.geckotribe.com) for a list of SMTP servers that are allowed to send email addressed from geckotribe.com (like fakeaddress@geckotribe.com).

6) ns.geckotribe.com replies that mail.geckotribe.com and mail.myhomeisp.com are allowed to send such email, and no one else.

7) mail.sucker.com notes that smtp.spammerisp.com is not on the list.

8) mail.sucker.com either rejects the message or marks it in some way so that the recipient knows that the SPF check failed, so it’s likely that it’s spam.

There’s the process. How does the administrator for geckotribe.com set up the DNS record to indicate that mail.geckotribe.com and mail.myhomeisp.com are allowed to send email addressed from geckotribe.com? Here are two lines that need to be added to the DNS configuration file, followed by an explanation of them:

geckotribe.com. IN TXT “v=spf1 a:mail.geckotribe.com ?include:myhomeisp.com -all”

mail.geckotribe.com. IN TXT “v=spf1 a:mail.geckotribe.com -all”

On the first line:

• geckotribe.com.: this indicates “mail address from somebody@geckotribe.com. Note the “.” after “.com”. You can either put that dot there, or omit “geckotribe.com.” completely.

• IN TXT: Indicates that this is a text record. Trust me. That’s what you want.

• v=spf1: Indicates that this is an SPF version 1 record. You need this.

• a:: An “A” record (not a CNAME, TXT, MX, NS… or other type of DNS record). IMPORTANT NOTE: “a:” could have been prefixed with a plus sign, ie., this could have been “+a:mail.geckotribe.com”. The plus sign is optional–it is the default prefix. It means that if this rule matches, then the sender is legitimate. I’ll mention other prefixes later.

• mail.geckotribe.com: Lookup the IP address for mail.geckotribe.com–if that’s the IP address you’re getting the mail from, then it’s legitimate.

• ?: The question mark prefix means that if the following rule matches, the sender may or may not be legitimate. I’ll tell you why you’d use a question mark here in a minute.

• include:: This means that I don’t know the IP addresses or fully qulified domain names of the mail servers that I’m going to talk about next, but I’m going to name of the domain that you should ask for that information.

• myhomeisp.com: This is the domain name of the ISP I connect to the internet through when I’m at home. Now to answer the question of why we prefixed this rule with a question mark. It’s because when I send email via my ISP, it’s legitimate, but if somebody else with the same ISP sends mail claiming to be from geckotribe.com, it’s not. The question mark says “don’t rule it out, but it might not be legitimate”.

• -: The minus sign says that if the following rule matches, then sender is not legitimate.

• all: This rule matches anybody who wasn’t already matched by one of the preceding rules.

Briefly, the second line means that if mail claims to be from somebody@mail.geckotribe.com, it’s legit if it came via mail.geckotribe.com, but not if it came from anywhere else.

To recap and point out a few more things:

• You put multiple rules on each line. They are evaluated from left to right until one matches. The rest are ignored.

• “+” means legitimate, “?” means it might be legitimate, and “-” means it’s not legitimate.

• Each rule starts with a prefix (if none is specified, then the default is “+”) followed by “a”, “include”, “ptr”, “mx” or one of a few other things (check the specifications for details) followed by a colon.

• You should end each line with ?all or -all. Use ?all if you want to be able to send email through any ISP (for example, if you send email from your laptop as you travel all over the place). Use -all if you know (and have indicated earlier on the line) every possible SMTP server that you might send email through.

Patching the kernel

2010-08-27T01:42:00.000-07:00

These instructions require having the skills of a sysadmin. Personally, I avoid recompiling any kernel unless absolutely necessary.

Make sure your product is affected

Linux and UNIX source software often comes with security and other patches. You can download them from Internet or project home page. There is a command called patch that apply a diff file or patch to an original source tree.

patch takes a patch file patchfile containing a difference listing produced by the diff program and applies those differences to one or more original files, producing patched versions. Normally the patched versions are put in place of the originals.

he following usage is most commonly used:

$ patch -p1 < {/path/to/patch/file}

To apply a patch, one could run the following command in a shell:

$ patch < /path/to/file

Patches can be undone, or reversed, with the '-R' option:

$ patch -R < /path/to/file

apache/mysql optimization

2010-07-22T05:09:00.000-07:00

Apache Tweaks
------------------------
The apache directive KeepAlive specifies whether a connection has to be established dedicatedly for a request.
If you enable this directive using "on" , you must specify KeepAliveTimeout.The number of seconds Apache will wait for a subsequent request before closing the connection. Once a request has been received, the timeout value specified by the Timeout directive applies.

Setting KeepAliveTimeout to a high value may cause performance problems in heavily loaded servers. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients.
This prevents unused connections from staying open for excessive amounts of time If you are going to leave KeepAlive on you will want to increase MaxKeepAliveRequests. Setting this higher allows more requests per connection and increases efficiency
#Another minor tweak that will give you a small performance boost as well as help reduce the effects of a DOS attack is changing the TimeOut Directive. This directive tells Apache how many seconds to wait while receiving an incoming request, processing it, and sending back a response.

HostnameLookups

This adds latency to every request because it requires a DNS lookup to complete before the request is finished. So it is always better to disable this directive.

MPM

Apache supports Multi-ProcessingModules (MPms). You can choose either Worker or Prefork. THe Prefork consumes higher memory than worker , it is quite famous for its speed of execution. So we normally enable Prefork for servers unless it is quite busy.

Below are the directives used in Prefork

MaxClients - sets a limit on the number of simultaneous connections/requests that will be served.Set this number too low and resources will go to waste. Set this number too high and an influx of connections will bring the server to a stand still. Set this number just right and your server will fully utilize the available resources.

An approximation of this number should be derived by dividing the amount of system memory (physical RAM) available by the maximum size of an apache/httpd process. The default value [ServerLimit 256] will work with 1-2GB of RAM.

Directive MaxRequestsPerChild is used to recycle processes. When this directive is set to 0, an unlimited amount of requests are allowed per process.

# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare

# MaxRequestsPerChild: maximum number of requests a server process serves

So a sample prefork configuration would look like this

StartServers 10
MinSpareServers 5
MaxSpareServers 10

MaxClients 225
MaxRequestsPerChild 4000

In the prefork model, a new process is created per request. Spare processes are kept idle to handle incoming requests, which reduces the start-up latency. The previous configuration starts 10 processes as soon as the Web server comes up and tries to keep between 5 and 10 idle servers running. The hard limit on processes is dictated by MaxClients. Even though a process can handle many consecutive requests, Apache kills off processes after 4,000 connections, which mitigates the risk of memory leaks.

The other apache configuration directives are as follows

Timeout 200
KeepAlive On
MaxKeepAliveRequests 200
KeepAliveTimeout 3

[mysqld]
skip-locking
max_connections=500 #The number of simultaneous clients allowed.

connect_timeout=15 #Number of seconds before timeout connection.

key_buffer = 128M #shared by all threads
key_buffer_size = 128M # key_buffer_size to at least a quarter, but no more than half, of the total amount of memory on the server

join_buffer_size = 3M #The size of the buffer that is used for full joins (joins that do not use indexes).
record_buffer = 1M # Each request doing a sequential scan over a table allocates a read buffer
max_allowed_packet = 16M #Max size of packet client can read from server.

table_cache = 3000 #Each time MySQL accesses a table, it places it in the cache. If the system accesses many tables, it is faster to have these in the cache. You should increase the table_cache if you have enough memory.

max_heap_table_size = 16M #This variable sets the maximum size to which MEMORY tables are allowed to grow.

tmp_table_size = 64M # The maximum size of internal in-memory temporary tables

sort_buffer_size = 4M # Each thread that needs to do a sort allocates a buffer of this size. Increase this value for faster ORDER BY or GROUP BY operations.

read_buffer_size = 2M #Each thread that does a sequential scan allocates a buffer of this size for each table it scans.

myisam_sort_buffer_size = 32M #The buffer that is allocated when sorting the index

query_cache_type=1

query_cache_limit=2M #The query_cache_limit (default 1MB) parameter sets the maximum result sets size stored in the query cache.

query_cache_size=64M # The memory allocated to store results from old queries.

max_user_connections = 25 # The maximum number of active connections for a single user .
max_connect_errors=10000 #If there is more than this number of interrupted connections from a host this host will be blocked from further connections.
safe-show-database

slow_query_log = 1
open_files_limit = 12000 #`open_files_limit' Number of files the system allows mysqld to open.

cPanel Error – error : Invalid maildirsize file!

2010-06-29T10:04:00.000-07:00

Login to your server via SSH. The follow example applies where the email address is sharaf@domain.com, and the account username is “username”. Substitute the values in bold.

cd /home/username/mail/domain.com/sharaf/
rm -f maildirsize

Customize Apache default Success page

2010-06-08T10:53:00.000-07:00

You just have to login to your server via ssh.

Navigate to /usr/local/apache/htdocs

cd /usr/local/apache/htdocs

And finaly edit the file index.html

nano index.html

If you list the content of /usr/local/apache/htdocs you will see that you can also modify the content of other error pages that cpanel’s apache outputs.

MySQL ERROR! Couldn't find MySQL manager (/var/lib/bin/mysqlmanager)

2010-06-04T05:43:00.000-07:00

cpanel server

/etc/init.d/mysql status
ERROR! MySQL is not running
[root@ns2 subsys]# /etc/init.d/mysql restart
ERROR! MySQL manager or server PID file could not be found!
Starting MySQL ERROR! Couldn't find MySQL manager (/var/lib/bin/mysqlmanager) or server (/var/lib/bin/mysqld_safe)
[root@ns2 subsys]# /etc/init.d/mysql stop
ERROR! MySQL manager or server PID file could not be found!

check in /etc/my.cnf ----------whether base_dir is set to /var/lib if so remove it.

Increase max emails per hour for a single domain in cPanel

2010-05-28T02:38:00.000-07:00

You can change the maximum number of emails allowed for a particular domain to a different number than the system default using the file (Other than WHM settings)

/var/cpanel/maxemails
Just add an entry like “domain.com = 100″ . Now 100 is the maximum email per hour limit for domain.com.

But please make sure that you have executed the following script after updating the file /var/cpanel/maxemails.

#/scripts/build_maxemails_config

OpenVZ network down SIOCADDRT: Network is unreachable

2010-05-20T00:34:00.001-07:00

Have you ever come across in a situation where the VPS is running, but network is unreachable? OpenVZ VPS may be up and running, but network service will be down resulting downtime for websites hosted in it. If you try to restart the network, you will get the below error:

====================================

[root@pers ~]# /etc/init.d/network restart

Shutting down interface venet0: [ OK ]

Shutting down loopback interface: [ OK ]

Bringing up loopback interface: [ OK ]

Bringing up interface venet0: SIOCADDRT: Network is unreachable

SIOCADDRT: Network is unreachable

====================================

To fix this, SSH into the main node server and enter into the VPS and then execute the below command:

/etc/sysconfig/network-scripts/ifup-routes venet0:0

open3: fork failed: Cannot allocate memory at cpsrvd-ssl line 6152

2010-05-09T07:38:00.000-07:00

Cpanel Internal Server Error

open3: fork failed: Cannot allocate memory at cpsrvd-ssl line 6152

cpsrvd/11.25 Server at 216.18.214.132

Internal Server Error

Soln: /scripts/upcp --force

2010-05-02T03:42:00.000-07:00

http://gnufreakz.wordpress.com/page/11/

http://kb.mediatemple.net/questions/246/(dv)+HOWTO:+Basic+Apache+performance+tuning+(httpd)

http://www.perlcode.org/tutorials/apache/tuning.html

http://www.devside.net/articles/apache-performance-tuning

http://phplens.com/phpeverywhere/tuning-apache-php

LNMP – A tool to auto-compile & install & manage Nginx+MySQL+PHP on Linux

2010-04-21T03:29:00.000-07:00

LNMP is a tool to auto-compile & install & manage Nginx+MySQL+PHP on Linux.

The current version : 0.3 ,Now support Linux distribution : CentOS 4.8~5.4 32/64bit, Debian 4.0~5.0 32bit/64bit ,Ubuntu.

The programme installed in LNMP:
Nginx:0.7.63
PHP:5.2.10
MySQL:5.1.35
Zend Optimizer:3.3.9
eaccelerator:0.9.5.3

Installation Guide:

wget -c http://soft.vpser.net/lnmp/lnmp0.4-full.tar.gz

1.Install on CentOS
First Download lnmp ,Run the command : wget http://soft.vpser.net/lnmp/lnmp0.3.tar.gz , Then decompress lnmp0.3.tar.gz Run the command : tar zxvf lnmp0.3.tar.gz
Run the command : cd lnmp0.3
Run ./centos.sh then enter the domain name, press Enter key twice. The programme will auto-complie and install Nginx,MySQL,PHP,Zend Optimizer.

2.Install on Debian
First Download lnmp ,Run the command : wget http://soft.vpser.net/lnmp/lnmp0.3.tar.gz , Then decompress lnmp0.3.tar.gz Run the command : tar zxvf lnmp0.3.tar.gz
Run the command : cd lnmp0.3
If you Debian is 32bit please run ./debian.sh else run ./debian64bit.sh. then enter the domain name, press Enter key twice. The programme will auto-complie and install Nginx,MySQL,PHP,Zend Optimizer.

3.Install eaccelerator
If you want to use eaccelerator please run ./eaccelerator.sh the programme will auto-compile and install.

4.VirtualHost Management
1). Add VirtualHost: run ./vhost.sh Prompted to enter the domain name you want to binding, press Enter key, and then enter the directory to be bound (absolute directory, such as /home/wwwroot/lnmp).
2). More feature under development.

Cpanel disk used incorrect showing unlimited or 0MB

2010-04-02T18:42:00.000-07:00

You can fix this by running the script /scripts/fixquotas

is this doesn't work and you are using Virtuozzo or OpenVZ you will need to set the QUOTAUGIDLIMIT perimeter - this allows the system to allocate user IDs (UID)

e.g (openvz)

vzctl set 101 --quotaugidlimit 1000 --save

then run the scrip "/scripts/fixquotas"

and it should all work.

Troubleshooting

If you've done the above and it still doesn't work (or the value still says 0MB) this may be due to cPanel caching the disk usage results. to disable this:

Select the following in your WHM.

WHM >> Tweak Settings >> System >> "Disable Disk Quota display caching (WHM will cache disk usage which may result in the display of disk quotas being up to 15 minutes behind the actual disk usage. Disabling this may result in a large performance degradation.)"

Mysql Database showing 0MB disk usage

2010-04-02T18:40:00.000-07:00

If your Mysql DB are showing 0MB disk usage in cPanel then do the following things.

vi /var/cpanel/cpanel.config

find "disk_usage_include_sqldbs"

change the value from 0 to 1

and run
#

/scripts/update_db_cache

Issue should be fixed :)

mysql

2010-03-06T19:59:00.000-08:00

mysqladmin proc stat

mysqladmin processlist

Error "psa dead but subsys locked" is shown when check status of Parallels Plesk Panel from the command line

2010-02-17T15:45:00.000-08:00

Error "psa dead but subsys locked" is shown when check status of Parallels Plesk Panel from the command line

I get the following error when check status of Parallels Plesk Panel from the command line:

~# /etc/init.d/psa status
psa dead but subsys locked
~#

What does the error mean?

Cause

The error means that Parallels Plesk Panel is stopped but lock file exists.

Another way to check status of Parallels Plesk Panel is using command "netstat". Here is an example of correct output if Parallels Plesk Panel was running:

Parallels Plesk Panel version 7.x, 8.x

~# netstat -antp | grep 8443 tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 9691/httpsd ~#

Parallels Plesk Panel version 9.x

~# netstat -antp | grep 8443
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 21856/sw-cp-serverd
~#

Here is result if Parallels Pleks Panel is not running:

~# netstat -antp | grep 8443
~#

Lock file of Parallels Plesk Panel on RedHat-like operating systems is /var/lock/subsys/psa.

Resolution

Remove file /var/lock/subsys/psa manually and start the service usual way:

~# rm -f /var/lock/subsys/psa
~# /etc/init.d/psa start1
Starting Plesk... done
~#

NOTE: Option "start1" allows to start only Parallels Panel Panel without other services.

Error log file is /usr/local/psa/admin/logs/httpsd_error_log for Parallels Plesk Panel version 7.x, 8.5 or /var/log/sw-cp-server/error_log for Parallels Plesk Panel version 9.x.

sysctl hardening

2010-02-01T12:56:00.000-08:00

#Kernel sysctl configuration file for Red Hat Linux

# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and

# sysctl.conf(5) for more details.

# Disables packet forwarding

net.ipv4.ip_forward=0

# Disables IP source routing

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.lo.accept_source_route = 0

net.ipv4.conf.eth0.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.lo.rp_filter = 1

net.ipv4.conf.eth0.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.lo.accept_redirects = 0

net.ipv4.conf.eth0.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets

net.ipv4.conf.all.log_martians = 0

net.ipv4.conf.lo.log_martians = 0

net.ipv4.conf.eth0.log_martians = 0

# Disables IP source routing

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.lo.accept_source_route = 0

net.ipv4.conf.eth0.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.lo.rp_filter = 1

net.ipv4.conf.eth0.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.lo.accept_redirects = 0

net.ipv4.conf.eth0.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

# Disables the magic-sysrq key

kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection

net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection

net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling

net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack

net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps

net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection

net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request

net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection

net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets

net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).

net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size

net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range

net.ipv4.ip_local_port_range = 16384 65536

Securing Your Server

2010-02-01T12:10:00.002-08:00

1)Never work with root accout.You can create an admin account.

useradd & passwd vpsadmin

add some basic permissions to the account. By adding the user to the wheel group we are giving it some administrative rights.

usermod -a -G wheel vpsadmin

2)SSH security

vim /etc/ssh/sshd_config

Port 12345

PermitRootLogin no

/etc/init.d/sshd restart

3)Install firewall (APF)

wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

tar -xvf apf-current.tar.gz

cd apf-current.tar.gz

./install.sh

vim /etc/apf/conf.ap

First look for the line that says

DEVEL_MODE=”1″

Leaving this option as “1″ will disable your firewall after 5 minutes, so make sure to change it to “0″.

So replace 1 eith 0 and it look like this:-

DEVEL_MODE=”0″

Next, take a look at the allowed inbound ports. You should see something like

IG_TCP_CPORTS=”22,80,443″

Notice that port 22, the default SSH port is open. We want to change this to the port we gave SSH earlier. You can leave port 80 (HTTP) and 443 (HTTPS) open if you plan on running a website.

If you want to open any port, you have to give an entry in to the above place.

By default, APF will not filter outbound traffic but if would like to change that look for the following line

EGF=”0″

And change this value to “1″. On the line directly below it you should see the allowed outbound ports

EG_TCP_CPORTS=”21,25,80,443″

Change these if you have enabled outbound filtering and save the firewall config. Now we should add the firewall to start when we reboot our VPS and enable it

chkconfig --add apf

chkconfig --level 345 apf on

/etc/init.d/apf start

4)SECURING CPANEL AND WHM

These are items inside of WHM/Cpanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings

Check the following items...

Under Domains

Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

Under Mail

Attempt to prevent pop3 connection floods

Default catch-all/default address behavior for new accounts - blackhole

(SET TO FAIL)

Under System

Use jailshell as the default shell for all new accounts and modified accounts

Goto Security =>> Security Center

Enable php open_basedir Protection

Enable mod_userdir Protection

Disabled Compilers for unprivileged users.

Goto Security =>> Manage Wheel Group Users

Remove all users except for root and your main account from the wheel group.

Goto Security =>> Security Center =>> Shell Fork Bomb Protection

Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Goto Service Configuration =>> FTP Configuration

Disable Anonymous FTP

Goto Account Functions =>> Manage Shell Access

Disable Shell Access for all users

Goto Mysql =>> MySQL Root Password

Change root password for MySQL (Use a very hard, random password that is not used elsewhere as the chances of actually using it are probably slim and actually using it for databases is a security risk.)

Goto Security and run Quick Security Scan and Scan for Trojan Horses often.

6)INSTALLING CSF

wget http://www.configserver.com/free/csf.tgz

tar -zxf csf.tar.gz

sh /csf/install.sh

If you want to remove apf or any other firewall,

sh /etc/csf/remove_apf_bfd.sh

For starting firewall---

csf -s

restart the firewall---

csf -r

flush the rules or stop the firewall.

csf -f

If you are running a VPS plan,

Open the /etc/csf/csf.conf and look for a line MONOLITHIC_KERNEL = "0" and change to

MONOLITHIC_KERNEL = "1"

Config Files

/etc/csf/csf.conf => CSF Firewall configuration file

/etc/csf/csf.allow => Config file to allow IPs

/etc/csf/csf.deny => Config file to deny IPs

/etc/csf/ => Alert files with TXT extension are stored within this directory

Harden the firewall security by performing the system security check. To do this go to Cpanel WHM > CSF Firewall & Security > Check System Security. There it will list WARNINGS based on your server.

-bash-3.2# chkconfig --add csf

-bash-3.2# chkconfig --level 345 csf on

-bash-3.2# chkconfig --list | grep csf

csf 0:off 1:off 2:on 3:on 4:on 5:on 6:off

-bash-3.2#

Remove the CSF Firewall

sh /etc/csf/uninstall.sh

7)Install a root breach DETECTOR and EMAIL WARNING

vim .bash_profile

add the following line..

echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" you@yourdomain.com

Set an SSH Legal Message

----------------------------

To an SSH legal message, SSH into server and login as root.

At command prompt type:

vim /etc/motd

Enter your message, save and exit.

Note: I use the following message…

ALERT! You are entering a secured area! Your IP and login information

have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on

this system are recorded and logged. Unauthorized access will be fully

investigated and reported to the appropriate law enforcement agencies.

=========================================

9)) Securing /tmp

first check whether /tmp is exist or not using df -h

Finally, if you don’t have the ability to create a fresh /tmp partition on existing drives, you can use the loopback capabilities of the Linux kernel by creating a loopback filesystem that will be mounted as /tmp and can use the same restrictive mount options. To create a 1GB loopback filesystem, execute:

# dd if=/dev/zero of=/.tmpfs bs=1024 count=1000000

# mke2fs -j /.tmpfs

# cp -av /tmp /tmp.old

# mount -o loop,noexec,nosuid,rw /.tmpfs /tmp

# chmod 1777 /tmp

# mv -f /tmp.old/* /tmp/

# rmdir /tmp.old

Once this is complete, edit /etc/fstab to have the loopback filesystem mounted automatically at boot:

/.tmpfs /tmp ext3 loop,nosuid,noexec,rw 0 0

Little things like ensuring proper permissions and using restrictive mount options will prevent a lot of harm coming to the system. If a bot lands on a filesystem that is unable to execute, that bot is essentially worthless

10)securing /etc/sysctl.conf

------------------------------

vim /etc/sysctl.conf

1)If you're not forwarding traffic between interfaces or if you have only a single interface, its usually a good idea to disable forwarding:

/proc/sys/net/ipv4/ip_forward 0

2)rp_filter can reject incoming packets if their source does not match the networks interface from which they are arriving from. This is a good way to prevent IP spoofing (usually not a good idea if you have several IP addresses on different interfaces or if a single interface has multiple IP addys).

/proc/sys/net/ipv4/conf/all/rp_filter 1

3)Enable TCP SYN Cookie Protection

A "SYN Attack" is a denial of service attack that consumes all the resources on a machine. Any server that is connected to a network is potentially subject to this attack.

To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.tcp_syncookies = 1

4)Disable IP Source Routing

Source Routing is used to specify a path or route through the network from source to destination. This feature can be used by network people for diagnosing problems. However, if an intruder was able to send a source routed packet into the network, then he could intercept the replies and your server might not know that it's not communicating with a trusted server.

To enable Source Route Verification, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.accept_source_route = 0

5)Disable ICMP Redirect Acceptance

ICMP redirects are used by routers

to tell the server that there is a better path to other networks than the one chosen by the server. However, an intruder could potentially use ICMP redirect packets to alter the hosts's routing table by causing traffic to use a path you didn't intend.

To disable ICMP Redirect Acceptance, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.accept_redirects = 0

6)Enable IP Spoofing Protection

IP spoofing is a technique where an intruder sends out packets which claim to be from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks. For more information on IP Spoofing, I recommend the article IP Spoofing: Understanding the basics.

To enable IP Spoofing Protection, turn on Source Address Verification. Edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.rp_filter = 1

7)Enable Ignoring Broadcasts Request

If you want or need Linux to ignore broadcast requests, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_echo_ignore_broadcasts = 1

8)Enable Bad Error Message Protection

To alert you about bad error messages in the network, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_ignore_bogus_error_responses = 1

9)Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets

To turn on logging for Spoofed Packets, Source Routed Packets, and Redirect Packets, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.log_martians = 1

-----------------------------------------------------------------------

11)Securing /dev/shm

Rename it and create a symbolic link to /tmp:

mv /var/tmp /var/tmp1

ln -s /tmp /var/tmp

vim /etc/fstab

change:

"none /dev/shm tmpfs defaults,rw 0 0" to

"none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0"

mount -a

-----------------------------------------------------------

12) Harden host.conf

Log into each server as root.

Edit the /etc/host.conf file.

Ensure this file has the following settings:

# Lookup names via DNS first then fall back to etc/hosts.

order bind,hosts

# We have machines with multiple IP addresses.

multi on

# Check for IP address spoofing.

nospoof on

spoofalert on

Save the file.

for details see :--------

http://www.faqs.org/docs/securing/chap5sec39.html

--------------------------

13) Installing rootkit

RKHunter - (RootKit Hunter) Is a security scanning tool which will scan for rootkits, backdoors, and local exploits. RKHunter will ensure you about 99.9% that your dedicated web server is secure.

1. Login to your server via SSH as root.

Then Type: cd /usr/local/src/

2. Download RKHunter Version 1.1.4

Type: wget http://optusnet.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.0.tar.gz

3. Extract files

Type: tar -xzvf rkhunter-1.3.0.tar.gz

4. Type: cd rkhunter-1.3.0.tar.gz

5. Type: ./installer.sh --help

The default should do

./installer.sh --layout /usr/local --install

vi /etc/cron.daily/rkhunter.sh

#!/bin/bash

(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan

Report" email@domain.com)

chmod 700 /etc/cron.daily/rkhunter.sh

rkhunter --update

14)apache OPtimizing

change Timeout 300 to

Timeout 45

# change KeepAlive Off to

KeepAlive On

# MaxKeepAliveRequests: The maximum number of requests to allow

# during a persistent connection. Set to 0 to allow an unlimited amount.

# We recommend you leave this number high, for maximum performance.

# -- change MaxKeepAliveRequests 100 to 500

MaxKeepAliveRequests 500

# KeepAliveTimeout: Number of seconds to wait for the next request from the

# same client on the same connection.

# change KeepAliveTimeout 15 to

KeepAliveTimeout 5

# Increase MaxClients after benchmarking. mine is

MaxClients 200

# Turn off ServerSignature

ServerSignature Off

#ServerTokens Product

ServerTokens ProductOnly

More Details

http://www.mysql-apache-php.com/basic-linux-security.htm

15)APF in lxadmin

This may help, I have modified a tutorial for apf so it will work for LXAdmin. If you see any changes that need to be made let me know.

Important: Be sure Iptables were enabled when the VM was created (openvz)

1. cd /root/downloads or another temporary folder where you store your files.

2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

3. tar -xvzf apf-current.tar.gz

4. cd apf-0.9.6-2/ or whatever the latest version is.

5. Run the install file: ./install.sh

You will receive a message saying it has been installed

Installing APF 0.9.6-2: Completed.

Installation Details:

Install path: /etc/apf/

Config path: /etc/apf/conf.apf

Executable path: /usr/local/sbin/apf

AntiDos install path: /etc/apf/ad/

AntiDos config path: /etc/apf/ad/conf.antidos

DShield Client Parser: /etc/apf/extras/dshield/

Other Details:

Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,7776,7777,7778, 7779,3306

Listening UDP ports: 53,55880

Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.

6. Lets configure the firewall: pico /etc/apf/conf.apf (or nano /etc/apf/conf.apf)

We will go over the general configuration to get your firewall running. This isn't a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.

We like to use DShield.org's "block" list of top networks that have exhibited

suspicious activity.

FIND: USE_DS="0"

CHANGE TO: USE_DS="1"

Find the following lines:

IFACE_IN="eth0"

IFACE_OUT="eth0"

and change them to

IFACE_IN="venet0"

IFACE_OUT="venet0"

7. Configuring Firewall Ports:

LxAdmin Servers

We like to use the following on our Cpanel Servers

Common ingress (inbound) ports

# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD

IG_TCP_CPORTS="21,22,25,53,80,110,143,443,7777,7778,7779,3000_3500 "

# Common ingress (inbound) UDP ports

IG_UDP_CPORTS="53"

Common egress (outbound) ports

# Egress filtering [0 = Disabled / 1 = Enabled]

EGF="1"

# Common egress (outbound) TCP ports

EG_TCP_CPORTS="21,25,80,443,43,7777,7778,7779"

# Common egress (outbound) UDP ports

EG_UDP_CPORTS="20,21,53"

Save the changes: Ctrl+X then Y

8. Starting the firewall

/usr/local/sbin/apf -s

Other commands:

usage ./apf [OPTION]

-s|--start ......................... load firewall policies

-r|--restart ....................... flush & load firewall

-f|--flush|--stop .................. flush firewall

-l|--list .......................... list chain rules

-st|--status ....................... firewall status

-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and

immediately load new rule into firewall

-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and

immediately load new rule into firewall

9. After everything is fine, change the DEV option

Stop the firewall from automatically clearing itself every 5 minutes from cron.

We recommend changing this back to "0" after you've had a chance to ensure everything is working well and tested the server out.

pico /etc/apf/conf.apf

FIND: DEVM="1"

CHANGE TO: DEVM="0"

10. Configure AntiDOS for APF

Relatively new to APF is the new AntiDOS feature which can be found in: /etc/apf/ad

The log file will be located at /var/log/apfados_log so you might want to make note of it and watch it!

pico /etc/apf/ad/conf.antidos

There are various things you might want to fiddle with but I'll get the ones that will alert you by email.

# [E-Mail Alerts]

Under this heading we have the following:

# Organization name to display on outgoing alert emails

CONAME="Your Company"

Enter your company information name or server name..

# Send out user defined attack alerts [0=off,1=on]

USR_ALERT="0"

Change this to 1 to get email alerts

HyperVM/Kloxo

2010-02-01T12:10:00.001-08:00

http://www.howtoforge.com/managing-openvz-with-hypervm-on-centos-5.2

How to install wordpress!

2010-02-01T12:08:00.000-08:00

WordPress is an open source blog publishing application. WordPress is the official successor of b2\cafelog which was developed by Michel Valdrighi. The latest release of WordPress is version 2.7.1, released on 10 February 2009.WordPress has a templating system, which includes widgets that can be rearranged without editing PHP or HTML code, as well as themes that can be installed and switched between. The PHP and HTML code in themes can also be edited for more advanced customizations. WordPress also features integrated link management; a search engine-friendly, clean permalink structure; the ability to assign nested, multiple categories to articles; multiple author capability; and support for tagging of posts and articles. Automatic filters that provide for proper formatting and styling of text in articles (for example, converting regular quotes to smart quotes) are also included. WordPress also supports the Trackback and Pingback standards for displaying links to other sites that have themselves linked to a post or article. Finally, WordPress has a rich plugin architecture which allows users and developers to extend its functionality beyond the features that come as part of the base install.

The instllation of wordpress is quite simple.

1)Download the latest version of wordpress and extract it.

2)Place the WordPress files in the desired location on your web server,using FTP

* If you want to integrate WordPress into the root of your domain (e.g. http://example.com/), move or upload all contents of the unzipped WordPress directory (but excluding the directory itself) into the root directory of your web server.

* If you want to have your WordPress installation in its own subdirectory on your web site (e.g. http://example.com/blog/), rename the directory wordpress to the name you'd like the subdirectory to have and move or upload it to your web server. For example if you want the WordPress installation in a subdirectory called "blog", you should rename the directory called "wordpress" to "blog" and upload it to the root directory of your web server.

3)Here i am uploading the folder(blog) to public_html, using ftp. Make sure that you upload the folder as a user, not the root.

4)now goto the cpanel,and create a mysql user and a database.please remember the dbname, user and password.

5)then goto filemanager, inside the uploaded folder (blog), edit the file wp-config-sample.php

6)rename the wp-config-sample.php to wp-config.php.

7)edit the wp-config.php and insert the db details of the one which we have created.

Here is the default wp-config-sample.php, you will need to replace the default values in this file with your own specific database settings.

define('DB_NAME', 'putyourdbnamehere'); // The name of the database

define('DB_USER', 'usernamehere'); // Your MySQL username

define('DB_PASSWORD', 'yourpasswordhere'); // ...and password

define('DB_HOST', 'localhost'); // 99% chance you won't need to change this value

usually the DB_HOST must be 'localhost'.if it is not working contact your web hosting provider.

8)Run the WordPress installation script by accessing wp-admin/install.php in your favorite web browser.

* If you installed WordPress in the rootl directory, you should visit: http://example.com/wp-admin/install.php

* If you installed WordPress in its own subdirectory called blog, for example, you should visit: http://example.com/blog/wp-admin/install.php

9)The instllation process will now beging. The screen shots fir the instllation is given below.

10)goto www.yourdomain.com/blog/wp-login.php to login for the next time.

Howto: enable TUN module on a VPS

2010-01-14T10:37:00.000-08:00

TUN module is required to configure VPN tunneling and to configure VPN on a VPS, you need to enable the module from the Hardware node. Login to your Host server and execute the following command:

First check if the TUN module is enabled on the hardware node:

lsmod | grep tun

If not, load the module using modprobe:

modprobe tun

Now, enable the TUN module on a VPS:

vzctl set VEID devices c:10:200:rw save
vzctl exec VEID mkdir -p /dev/net
vzctl exec VEID mknod /dev/net/tun c 10 200
vzctl exec VEID chmod 600 /dev/net/tun

where, VEID is the VPS ID you want to enable the TUN module on.

Fantastico shows error 'You cannot install more than one script in the root directory of a domain'

2010-01-13T16:09:00.000-08:00

1. Login to your cpanel
2. Go to "file manager"
3. click on the ".fantasticodata" folder
4. open up "installed_in_root.php" and edit it.

This is an example of what I mean:

If you open up "installed_in_root.php" you will see something like this:

$installed_in_root["domain.com"] = 1;

This is what you need to delete.

(this is just an example from my "installed_in_root,php" file).

Keep in mind that every install of wordpress you have made will be stored in this file, be very carefull not to delete any of your other wordpress sites out of it.

I hope this makes sense lol, I'm not very good at explaining things.

Change Time Zone for a particular account on cpanel server

2010-01-13T13:38:00.000-08:00

To change the timezone for only a particular account using .htaccess:

SetEnv TZ "TimeZone"
or

php_value date.timezone "TimeZone"

Visit http://php.net/manual/en/timezones.php for various time zones

e.g. SetEnv TZ Australia/Adelaide

php_value date.timezone "Australia/Adelaide"

How To Add DomainKeys and SPF Records on CPanel Servers

2009-12-21T01:37:00.000-08:00

This how to describe how to add domainkeys and SPF (Sender Policy Framework) records on CPanel Servers. Whenever you create a domain on CPanel server using WHM, it wont add domainkeys and SPF records for particular domains. To add domainkeys and SPF records please use following steps.

We consider here we have a domain howtodolinux.com with cpanel username dothelinux

Please note on CPanel servers most of the work is done using cpanel username which then reflect setting on particular domains. If you have several domains / sub domains under one username, it will add domainkeys and SPF records for all domains / subdomains.

Execute the following command on your CPanel server using root.

1 DomainKeys

1.1 Add DomainKeys for single user

/usr/local/cpanel/bin/domain_keys_installer dothelinux

1.2 Add DomainKeys for all CPanel users.

If you wish to add DomainKeys for all Cpanel users on your server, execute following command.

cat /var/cpanel/users | while read a; do
/usr/local/cpanel/bin/domain_keys_installer $a
done

2 SPF (Sender Policy Framework)

2.1 Add SPF for single account.

/usr/local/cpanel/bin/spf_installer dothelinux

2.2 Add SPF for all Cpanel accounts.

If you want to add SPF records for all cpanel accounts exist on your server then use the following command.

cat /var/cpanel/users | while read a; do
/usr/local/cpanel/bin/spf_installer $a
done

3 Enable DomainKeys and SPF for every new CPanel account.

If you want to add DomainKeys and SPF for every new account created on Cpanel, then do the following.

vi /scripts/postwwwacct

postwwwacct is a file which execute after wwwacct (used to create account), paste following lines in the file

#!/usr/bin/perl

my %OPTS = @ARGV;
$ENV{USER} = “$OPTS{’user’}”;
system q(/usr/local/cpanel/bin/domain_keys_installer $USER);
system q(/usr/local/cpanel/bin/spf_installer $USER);

How to Install FFmpeg in Linux

2009-12-12T23:39:00.000-08:00

FFmpeg is a very fast video and audio converter. It can also grab from a live audio/video source. FFmpeg is so important if you are planning to run a video website with streaming with conversion of video files to different video formats. This blog is intended for Centos/Redhat versions of Linux where any novice user can install ffmpeg without compiling the source which is a more traditional way of installing the FFmpeg software on linux servers. In this blog i will show you the easy way to install ffmpeg and ffmpeg-php (php extension) with just yum rather than compiling ffmpeg from source files.

Installation

First you need to add a file in yum repository directory for dag packages installation. For this edit the following file:

Vi /etc/yum.repos.d/dag.repo

add the following contents to the file,

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=0
enabled=1

Then enter the command,

yum install ffmpeg ffmpeg-devel

To check what audi/video formats are supported

ffmpeg -formats > ffmpeg-format.txt

Open the ffmpeg-formats.txt to see the ooutput

D means decode
E means encode
V means video
A means audio
T = Truncated

Installation of FFMPEG-PHP Extension

FFmpeg-php is a very good extension and wrapper for PHP which can pull useful information about video through API interface. Inorder to install it you will need to download the source file and then compile and install extension in your server.
For downloading the source tarball click here

or

wget http://biznetnetworks.dl.sourceforge.net/project/ffmpeg-php/ffmpeg-php/0.6.0/ffmpeg-php-0.6.0.tbz2

Extract the souce tarball.

tar -xjf ffmpeg-php-0.6.0.tbz2

cd ffmpeg-php-0.6.0/

phpize

Some time you will get an error like "Cannot find autoconf. Please check your autoconf installation and the $PHP_AUTOCONF environment variable is set correctly and then rerun this script."

YOU CAN SEE THE FIX OF THIS ERROR UNDER COMMON ERRORS.

./configure

make

make install

Editing PHP.INI

Once you have done that without any problems then you will see the php extension file /usr/local/lib/php/extensions/no-debug-non-zts-20060613/ffmpeg.so and you will need mention that extension in php.ini file

vi /usr/local/lib/php.ini

Put the below two lines at the end of the php.ini file

[ffmpeg]
extension=ffmpeg.so

Then restart the server

service httpd restart
To check whether ffmpeg enabled with php, point your browser to test.php file. It should show the confirmation of installed ffmpeg php extension

// # vi test.php

phpinfo();

?>

Picture.................................................paste here...

If any case the ffmpeg does not show in the phpinfo() test make sure that php.ini path to ffmpeg.so is correct. Still the problem occures, the reason could be you might be using older version of ffmpeg-php which is buggy. just download the latest version of ffmpeg-php sourse then complile it.

Common Errors

1. If you get command not found error for phpize, then you will need to do yum install php-devel

2.

2. If you get error like "ffmpeg headers not found" while configuring the source.

configure: error: ffmpeg headers not found. Make sure ffmpeg is compiled as shared libraries using the --enable-shared option

then it means you have not installed ffmpeg-devel packages.

To Fix: Just install ffmpeg-devel using

yum install ffmpeg-devel

3. If you get an error like shared libraries not found problem and the program halts in the middle, then you must specify the ffmpeg installed path explicitly to the ./configure.

A) configure: error: ffmpeg shared libraries not found. Make sure ffmpeg is compiled as shared libraries using the --enable-shared option

To Fix:

1. First find out the ffmpeg path with ffmpeg --help command. The prefix default path should be like /usr/local/cpffmpeg
2. Conf./configure --with-ffmpeg=/usr/local/cpffmpeg

That should resolve the problem!

B)

Installing Mplayer + Mencoder

Just issue the following yum commands to install the rest of the packages.

yum install mplayer mencoder

Installing FlvTool2

Flvtool2 is a flash video file manipulation tool. It can calculate metadata and can cut and edit cue points for flv files.

yum install flvtool2

Installing LAME MP3 Encoder, Libogg, LIBVORBIS

LAME is a high quality MPEG Audio Layer III (MP3) encoder licensed under the LGPL. Both quality and speed improvements are still happening, probably making LAME the only MP3 encoder still being actively developed.

yum install lame libogg libvorbis

Unable to open pty: No such file or directory

2009-11-01T11:24:00.000-08:00

While trying to SSH or enter into a VPS from the node, you may get the following error :

Unable to open pty: No such file or directory

root@tip~]# vzctl enter 900

enter into VE 900 failed

Unable to open pty: No such file or directory

There is a temporary and permenant fix for this issue.

Temporary Fix :-

Execute the following commands from the node

vzctl exec VEID /sbin/MAKEDEV pty

vzctl exec VEID /sbin/MAKEDEV tty

vzctl enter VEID

Where VEID is the VPS id.

Permanent Fix :-

First temporarly fix the issue and enter into the VPS.

1) vzctl enter VEID

2) Edit the file /etc/rc.sysinit of the VPS

vi /etc/rc.sysini

3) Search for the line /sbin/start_udev and comment it

#/sbin/start_udev

4) Add the following two lines under /sbin/start_udev

#/sbin/start_udev

/sbin/MAKEDEV tty

/sbin/MAKEDEV pty

Logout from your VPS (Ctrl d)

5) Reboot the VPS and you are done!

vzctl restart VEID

scripts

2009-11-01T11:20:00.000-08:00

ls -1A *.tar.gz | cut -d "_" -f 3 | cut -d "." -f 1 > sharaf

for i in `cat sharaf` ; do /scripts/restorepkg --force $i ; done

#cat /etc/trueuserdomains | cut -d ":" -f 2 | cut -d " " -f2

#cat /etc/trueuserdomains | cut -d ":" -f 2 | cut -d " " -f2 > cpusers

(#for i in `cat cpusers` ; do /scripts/pkgacct $i ;

#grep -i nuzkistah /etc/userdomains

# for i in `cat cpusers` ; do /scripts/pkgacct $i ; scp -P 2121 /home/cpmove-$i.tar.gz IP:/home ; ssh -t -p 2121 -q IP /scripts/restorepkg $i ; done

awstats in DA

2009-11-01T11:19:00.000-08:00

http://www.directadmin.com/features.php?id=894

Symlink ownership problem

2009-11-01T11:16:00.000-08:00

ln -s /home/com/public_html/LiveZilla /home/com/public_html/dom.com/LiveZilla

cd /home/com/public_html/LiveZilla/

chown -h getcom.getcom LiveZilla

vnc

2009-11-01T11:15:00.002-08:00

VNCSERVERS="3:root 2:user"

VNCSERVERARGS[3]="-geometry 1024x768 -depth 16"

VNCSERVERARGS[2]="-geometry 1024x768 -depth 16"

#!/bin/sh

# Uncomment the following two lines for normal desktop:

unset SESSION_MANAGER

startkde &

#gnome-session&

#startx &

http://codeghar.wordpress.com/2007/11/28/centos-5-post-install-customization/

# yum groupinstall "X Window System" "GNOME Desktop Environment"

time

2009-11-01T11:15:00.001-08:00

rdate -s rdate.cpanel.ne

php.ini

2009-11-01T11:07:00.002-08:00

php.ini

=========

max_execution_time = 60

max_input_time = 60

memory_limit = 16M

post_max_size = 16M

upload_max_filesize = 16M

.htaccess

=============

php_value upload_max_filesize 20M

php_value post_max_size 20M

php_value max_execution_time 200

php_value max_input_time 200

info.php

=========

SCRIPT Install FFmpeg + FFmpeg-PHP + Mplayer + Mencoder + flv2tool + LAME MP3

2009-11-01T11:07:00.001-08:00

mkdir ~/ffmpeg-packages

cd ~/ffmpeg-packages

wget http://trulymanaged.com/ffmpeg/ffmpeginstall.tar.gz

tar -xvzf ffmpeginstall.tar.gz

cd ffmpeginstall

Change time zone

2009-11-01T11:05:00.000-08:00

cd /usr/share/zoneinfo

cp GMT /etc/localtime

try to change it for example to UCT

try like cp UCT /etc/localtime

How to disable gzip output for lightspeed

2009-11-01T11:02:00.000-08:00

php_flag zlib.output_compression Off

RewriteEngine On

RewriteRule . - [E=no-gzip:1]

RewriteRule ^(.*)$ $1 [E=no-gzip:1]

Native SSL support failed to pass the startup test

2009-11-01T10:58:00.000-08:00

Native SSL support failed to pass the startup test. stunnel was started instead.

The exact error was: [linktest=/usr/local/cpanel/bin/linktest-ssl: error while loading shared libraries: /usr/local/cpanel/perl/Net/SSLeay/SSLeay.so: cannot open shared object file: No such file or directory

] [binary=/usr/local/cpanel/cpsrvd-ssl] [cpsrvd=/usr/local/cpanel/cpsrvd-ssl: error while loading shared libraries: /usr/local/cpanel/perl/Net/SSLeay/SSLeay.so: cannot open shared object file: No such file or directory

]

/usr/local/cpanel/bin/nativessl-install

rvsite builder issue

2009-11-01T10:56:00.002-08:00

Cannot detect your system information, you have to install ionCube loader manually. Please contact your provider.

FIRST, login SSH and run

perl /var/cpanel/rvglobalsoft/rvsitebuilder/panelmenus/cpanel/scripts/autofixphpini.pl

Then restart cPanel service:

/usr/local/cpanel/startup

Now the autofixphpini.pl has fixed the post_max_size and upload_max_filesize, BUT it has messed up your ioncube loader setting, so you need to fix that next. To do this, in SSH type or paste:

pico /usr/local/cpanel/3rdparty/etc/php.ini

Then do CTRL-W to find zend_extension

Add following line at the end of the zend section, before the line where it says Windows extension:

zend_extension="/usr/local/cpanel/3rdparty/fantastico/loaders/ioncube_loader_lin_5.2.so"

CTRL-x to exit, then Y, and Enter to save the file.

Then restart cPanel service again:

/usr/local/cpanel/startup

REF : http://forums.rvskin.com/index.php?showtopic=2920

configure logrotate on cPanel (daily rotation and 7 days retention).

2009-11-01T10:56:00.001-08:00

vi /etc/logrotate.d/httpd

/usr/local/apache/logs/*.log {

daily

rotate 7

compress

missingok

notifempty

sharedscripts

postrotate

/sbin/service httpd reload > /dev/null 2>/dev/null || true

endscript

}

backup list

2009-11-01T10:49:00.002-08:00

ls backup-11.1.2009_0* | cut -d "_" -f 3 | cut -d "." -f 1 > newlist

for i in `cat newlist` ; do /scripts/restorepkg $i ; done

Imagemagic

/scripts/checkimagemagick

root@cpane [/usr/src]# /scripts/installimagemagick

==================

Disable IDENT for exim.

post_max_size = 100M

upload_max_filesize = 100M

Fantastico installation

2009-11-01T10:49:00.001-08:00

1. cd /usr/local/cpanel/whostmgr/docroot/cgi

2. wget -N http://files.betaservant.com/files/free/fantastico_whm_admin.tgz

3. tar -xzpf fantastico_whm_admin.tgz

4. rm -rf fantastico_whm_admin.tgz

5. login to WHM as root and

6. Under Tweak Settings -> PHP - enable ioncube

7. Under Plugins - You will find Fantastico De Luxe WHM Admin

8. Click install

To find a listening port

2009-11-01T10:46:00.000-08:00

To find a listening port

netstat -tlpn | grep

eg:

netstat -tlpn | grep ssh

netstat -tlpn | grep telnet

Creating MySQL Dump

2009-11-01T10:45:00.001-08:00

cd /var/lib/mysql

ls -l | grep

mysqldump |db| > |db|.sql

mysqladmin create |newdb|

mysql |newdb| < |db|.sql

*-------------------------------------------------------------------------------------------------------------------------------------------------*

Get MySQL version

mysql -i;

version.

mysql> select version();

+-----------+

| version() |

+-----------+

| 3.23.58 |

+-----------+

1 row in set (0.02 sec)

*-------------------------------------------------------------------------------------------------------------------------------------------------*

MySQL Error Log

/var/lib/mysql/server.hostname.err

*-------------------------------------------------------------------------------------------------------------------------------------------------*

How to Remove APF firewall

2009-05-01T14:54:00.000-07:00

First stop the apf

/etc/init.d/apf stop

Then, flush ip tables and remove all existing apf files even in cron job

iptables -F
rm -rf /etc/apf
rm -rf /usr/local/sbin/apf
rm -rf /etc/rc.d/init.d/apf
rm -rf /var/log/apf_log
rm -rf /var/log/apfados_log

/sbin/chkconfig --level 345 apf off

Now remove this cron job

vi /etc/cron.daily/fw

Find and Remove this line:
/etc/rc.d/init.d/apf restart >> /dev/null 2>&1

How to Install APF (Advanced Policy Firewall)

2009-05-01T14:31:00.000-07:00

APF is a policy based iptables firewall system designed for ease of use and configuration.When it comes to security, there is no such thing without firewall. when you buy a new dedicated or vps server, atleast make sure you install a firewall to protect your server from various intrusion attacks. Within minutes you can set up your firewall up and running. APF firewall is one of the popular and easy to setup IP tables based firewall for Linux servers. It also has additional features like prevention from DoS attacks.APF is developed and maintained by R-fx Networks: http://www.rfxnetworks.com/apf.php
Be careful on setting up the firewall on what ports to open and what not. If youarent sure, you may lock yourself out.

Installation

1)Login as root user

2)Download the APF Source

For downloading apf source code click here

or in command prompt type the following command,

wget http://www.r-fx.ca/downloads/apf-current.tar.gz

3)Extract the tar.gz

tar -xvf apf-current.tar.gz

4)Enter the APF directory

cd apf-current/

5)Run install code

./install.sh

After installation, you have to manually configure your firewall settings on what ports to open and what to block. You can edit the configuration file located in /etc/apf/conf.apf

Installed paths:

Configuration File: /etc/apf/conf.apf
Binary: /usr/local/sbin/apf
Start/Stop: /etc/init/d/apf (start|stop|restart)
Log: /var/log/apf_log
Antidos conf file: /etc/apf/ad/config.antidos

You can also use commands in the command line

apf -s (start)
apf -r (to restart)
apf -f (to stop)

6)Modify the APF config File

vim /etc/apf/conf.apf

First look for the line that says

Leaving this option as “1″ will disable your firewall after 5 minutes, so make sure to change it to “0″.
So replace 1 eith 0 and it look like this:-
DEVEL_MODE=”0″

Next, take a look at the allowed inbound ports. You should see something like

IG_TCP_CPORTS=”22,80,443″

Notice that port 22, the default SSH port is open. We want to change this to the port we gave SSH earlier. You can leave port 80 (HTTP) and 443 (HTTPS) open if you plan on running a website.

If you want to open any port, you have to give an entry in to the above place.

By default, APF will not filter outbound traffic but if would like to change that look for the following line

EGF=”0″

And change this value to “1″. On the line directly below it you should see the allowed outbound ports

EG_TCP_CPORTS=”21,25,80,443″

Change these if you have enabled outbound filtering and save the firewall config. Now we should add the firewall to start when we reboot our VPS and enable it

chkconfig --add apf
chkconfig --level 345 apf on
/etc/init.d/apf start

APF Firewall for VPS Servers:

If you are running apf firewall in VPS, there is a possibility that you will get "eth0: Device not found". Instead you have to make settings in the configuration file.

Find the following lines and change the values like below.

IFACE_IN = "venet0"
IFACE_OUT = "venet0"
DEVEL_MODE="1"
SET_MONOKERN="1"

SET_MONOKERN="1"
(The above line is important to have "1" if you are in VPS server as otherwise you will get unable to load ip tables module")

How to Install FFmpeg in Linux

2009-04-29T12:57:00.000-07:00

Installation

First you need to add a file in yum repository directory for dag packages installation. For this edit the following file:

Vi /etc/yum.repos.d/dag.repo

add the following contents to the file,

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=0
enabled=1

Then enter the command,

yum install ffmpeg ffmpeg-devel

To check what audi/video formats are supported

ffmpeg -formats > ffmpeg-format.txt

Open the ffmpeg-formats.txt to see the ooutput

D means decode
E means encode
V means video
A means audio
T = Truncated

Installation of FFMPEG-PHP Extension

FFmpeg-php is a very good extension and wrapper for PHP which can pull useful information about video through API interface. Inorder to install it you will need to download the source file and then compile and install extension in your server.

For downloading the source tarball click here

wget http://sourceforge.net/project/downloading.php?group_id=122353&filename=ffmpeg-php-0.6.0.tbz2&a=55737530

Extract the souce tarball.

tar -xjf ffmpeg-php-0.6.0.tbz2

cd ffmpeg-php-0.6.0/

phpize

./configure

make

make install

Editing PHP.INI

Once you have done that without any problems then you will see the php extension file /usr/local/lib/php/extensions/no-debug-non-zts-20060613/ffmpeg.so and you will need mention that extension in php.ini file

vi /usr/local/lib/php.ini

Put the below two lines at the end of the php.ini file

[ffmpeg]
extension=ffmpeg.so

Then restart the server

service httpd restart

To check whether ffmpeg enabled with php, point your browser to test.php file. It should show the confirmation of installed ffmpeg php extension

// #test.php

phpinfo();

If any case the ffmpeg does not show in the phpinfo() test make sure that php.ini path to ffmpeg.so is correct. Still the problem occures, the reason could be you might be using older version of ffmpeg-php which is buggy. just download the latest version of ffmpeg-php sourse then complile it.

Common Errors

1. If you get command not found error for phpize, then you will need to do yum install php-devel

2. If you get error like "ffmpeg headers not found" while configuring the source.

configure: error: ffmpeg headers not found. Make sure ffmpeg is compiled as shared libraries using the --enable-shared option

then it means you have not installed ffmpeg-devel packages.

To Fix: Just install ffmpeg-devel using

yum install ffmpeg-devel

3. If you get an error like shared libraries not found problem and the program halts in the middle, then you must specify the ffmpeg installed path explicitly to the ./configure.

configure: error: ffmpeg shared libraries not found. Make sure ffmpeg is compiled as shared libraries using the --enable-shared option

To Fix:

1. First find out the ffmpeg path with ffmpeg --help command. The prefix default path should be like /usr/local/cpffmpeg
2. Configure the FFmpeg-php with --with-ffmpeg option

./configure --with-ffmpeg=/usr/local/cpffmpeg

That should resolve the problem!

Troubleshooting Nagios

2009-04-26T00:27:00.000-07:00

There may be a number of potential problems while configuring Nagios. If you see an error like this,

1)Connection refused by host:

You get the above error, If you don't put the correct IP address in the nrpe.cfg file on the client, or if you do it correctly but forgot to restart NRPE on the client.

2) NRPE: Command 'check_users' not defined

Indicates that you didn't define the commands you wanted, again on the client, or you didn't restart NRPE on the client after you defined them.

3)NRPE: Unable to read output

Usually means that the path to the plugin to run is incorrect on the client. If you change it, remember to restart NRPE again.

4)The check_nrpe plugin returns "CHECK_NRPE: Socket timeout after 10 seconds" or"Connection refused or timed out"

This error can indicate several things:

The command that the NRPE daemon was asked to run took longer than 10 seconds to execute. This is the most likely cause if the error message was "CHECK_NRPE: Socket timeout after 10 seconds". Use the -t command line option to specify a longer timeout for the check_nrpe plugin. The following example will increase the timeout to 30 seconds:

/usr/local/nagios/check_nrpe -H localhost -c somecommand -t 30

The NRPE daemon is not installed or running on the remote host. Verify that the NRPE daemon is running as standalone daemon or under inetd/xinetd with one of the following commands:

ps axuw | grep nrpe
netstat -at | grep nrpe

There is a firewall that is blocking the communication between the monitoring host (which runs the check_nrpe plugin) and the remote host (which runs the NRPE daemon). Verify that the firewall rules (e.g. iptables) that are running on the remote host allow for communication and make sure there isn't a physical firewall that is located between the monitoring host and the remote host.

5)The check_nrpe plugin returns "CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for an error message."

First thing you should do is check the remote server logs for an error message. Seriously. :-) This error could be due to the following problem:

The check_nrpe plugin was unable to complete an SSL handshake with the NRPE daemon. An error message in the logs should indicate whether or not this was the case. Check the versions of OpenSSL that are installed on the monitoring host and remote host. If you're running a commercial version of SSL on the remote host, there might be some compatibility problems.

6)The check_nrpe plugin returns "NRPE: Command 'x' not defined"

This error means that you didn't define command x in the NRPE configuration fileon the remote host. On the remote host, add the command definition for x. See the existing command definitions in the NRPE configuration file for more information on doing this. If you're running the NRPE daemon as a standalone daemon (and not under inetd or xinetd), you'll need to restart it in order for the new command to be recognized.

7)The check_nrpe plugin returns "NRPE: Command timed out after x seconds"

This error indicates that the command that was run by the NRPE daemon did not finish executing within the specified time. You can increase the timeout for commands by editing the NRPE configuration file and changing the value of the command_timeout variable. If you're running the NRPE daemon as a standalone daemon (and not under inetd or xinetd), you'll need to restart it in order for the new timeout to be recognized.

Adding more services to the Nagios

2009-04-25T22:40:00.000-07:00

Monitoring Host Configuration:

Define the remote host name in client.cfg
Edit /usr/local/nagios/etc/objects/remotehost.cfg and append the following lines:

define host{
use linux-box
host_name remote_host
address ipaddress of remote_host
check_command check-host-alive
contacts nagios admin,cliectcontact
}
Next define contact name and contact goup name inn same file

define contact{
contact_name clientcontact
host_name remote_host
use generic-contact
alias Nagios client
email remotehost@gmail.com
}
define contactgroup{
contactgroup_name groupname
host_name remote_host
alias Nagios group
members clientcontact,membersof remote_host
}

Next add more services to monitor remote host,for this:

define service{
use generic-service
host_name remote_host
service_description CPU Load
check_command check_nrpe!check_load
}
define service{
use generic-service
host_name remote_host
service_description HyperVM
check_command check_nrpe!check_http
}
define service{
use generic-service
host_name remote_host
service_description Procs
check_command check_nrpe!check_procs
}
define service{
use generic-service
host_name remote_host
service_description Zombie Processes
check_command check_nrpe!check_zombie_procs
}
define service{
use generic-service
host_name remote_host
service_description / Partition
check_command check_nrpe!check_disk1
}
define service{
use generic-service
host_name remote_host
service_description /storage partition
check_command check_nrpe!check_disk2
}
define service{
use generic-service
host_name remote_host
service_description Current Users
check_command check_nrpe!check_users
}

define service{
use generic-service
host_name remote_host_name
service_description controlpanel check
check_command check_tcp!-H $HOSTADDRESS$ -p 2082
}
define service{
use generic-service
host_name remote_host
service_description ssl
check_command check_nrpe!check_ssl
}

Restart nagios daemon

/etc/init.d/nagios restart

Remote Host Configuration:

Edit the nrpe configuration file and add the folowing lines:

vi /etc/nrpe.conf

command[check_pop]=/usr/local/nagios/libexec/check_pop -p 110 -4 -w 10 -c 20
command[check_imap]=/usr/local/nagios/libexec/check_imap -p 143 -4 -w 10 -c 20
command[check_smtp]=/usr/local/nagios/libexec/check_smtp -p 25 -4 -w 10 -c 20
command[check_http]=/usr/local/nagios/libexec/check_http -H 127.0.0.1 -w 5 -c 10
command[check_mysql]=/usr/local/nagios/libexec/check_tcp -p 3306 -w 10 -c 20
command[check_dns]=/usr/local/nagios/libexec/check_dns -H www.eglueweb.com
command[check_ftp]=/usr/local/nagios/libexec/check_ftp -w 10 -c 20
command[check_procs]=/usr/local/nagios/libexec/check_procs -w 150 -c 200
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 150 -c 200
command[check_ping]=/usr/local/nagios/libexec/check_ping -H $ARG1$ -w $ARG2$ -c $ARG3$ -p 5
command[check_ssl]=/usr/local/nagios/libexec/check_tcp -H 67.228.194.218 -p 443
command[check_mailq]=/usr/local/nagios/libexec/check_exim -w 10 -c -20

restart the nrpe damon

/etc/init.d/nrpe restart

How to install and configure NRPE in Nagios

2009-04-24T19:11:00.000-07:00

The NRPE addon is designed to allow you to execute Nagios plugins on remote Linux/Unix machines. The main reason for doing this is to allow Nagios to monitor "local" resources (like CPU load, memory usage, etc.) on remote machines. Since these public resources are not usually exposed to external machines, an agent like NRPE must be installed on the remote Linux/Unix machines.

The NRPE addon consists of two pieces:
The check_nrpe plugin, which resides on the local monitoring machine
The NRPE daemon, which runs on the remote Linux/Unix machine

INSTALLATION:
Remote Host Setup:
Create a new nagios user account and give it a password.
/usr/sbin/useradd nagios
passwd nagios
Download nrpe and nagios-plugin.

wget http://osdn.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.11.tar.gz

tar xvzf nagios-plugins-1.4.11.tar.gz

cd nagios-plugins-1.4.11/

Compile and install the plugins.
./configure --prefix=/usr/local/nagios
make
make install

The permissions on the plugin directory and the plugins will need to be fixed at this point, so run the following commands.
chown nagios.nagios /usr/local/nagios
chown -R nagios.nagios /usr/local/nagios/libexec

Install the NRPE daemon

Download the source code tarball of the NRPE addon (visit http://www.nagios.org/download/ for links to the latest versions) and execute:

mkdir ~/downloads
cd ~/downloads/
wget http://osdn.dl.sourceforge.net/sourceforge/nagios/nrpe-2.12.tar.gz
tar xzf nrpe-2.12.tar.gz
cd nrpe-2.12/

Compile the NRPE addon.

./configure
make all
Install the NRPE plugin (for testing), daemon, and sample daemon config file.
make install-plugin
make install-daemon
make install-daemon-config

Add the following entry for the NRPE daemon to the/etc/services file.

nrpe 5666/tcp# NRPE

Next we have to add init script for nrpe.For this,

cd nrp-2.12/
cp ./src/nrpe /usr/sbin/
cp ./sample-config/nrpe.cfg /etc /

cat init-script.in > /etc/init.d/nrpe

mod a+x /etc/init.d/nrpe

open the /etc/init.d/nrpe file and edit lines:

NrpeBin=/usr/sbin/nrpe
NrpeCfg=/etc/nrpe.cfg

Then restart nrpe services

/etc/init.d/nrpe restart

Next you have to edit the nrpe configuration file and allow the monitoring of host ipaddress with:
vi /etc/nrpe.cfg

allowed_hosts=127.0.0.1,ipaddress of monitoring host

Then open nrpe port in the remote server firewall. Here I am using apf firewall.

vim /etc/apf/conf.apf
edit the follwing section and add port number 5666

IG_tcp_cports="5666,20...........etc"

restart the services

/etc/init.d/apf restart

Make sure the nrpe daemon is running under xinetd.

netstat -at | grep nrpe

The output of this command should show something like this:

tcp 0 0 *:nrpe *:* LISTEN

Monitoring Host Setup

We have to install nrpe plugin to the monitoring host.

cd ~/downloads
wget http://osdn.dl.sourceforge.net/sourceforge/nagios/nrpe-2.12.tar.gz
tar xzf nrpe-2.12.tar.gz
cd nrpe-2.12/
Compile the NRPE addon.
./configure
make all
Install the NRPE plugin.
make install-plugin

Create a command definition

You'll need to create a command definition in one of your Nagios object configuration files in order to use the check_nrpe plugin. Open the sample commands.cfg file for editing...

vi /usr/local/nagios/etc/commands.cfg

and add the following definition to the file:

define command{
command_name check_nrpe
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}

Now you can add services to your system for monitoring them in the remote system.
You can insert each remote system services in one file.For that you have to edit the configuration file

vim /usr/local/nagios/etc/nagios.cfg

and append the following line.

cfg_file=/usr/local/nagios/etc/objects/remotehost.cfg

Before adding services, create a new template for each different type of host you'll be monitoring. Let's create a new template for linux boxes.
vi /usr/local/nagios/etc/objects/templates.cfg
add the following lines.

define host{
name linux-box ; Name of this template
use generic-host ; Inherit default values
check_period 24x7
check_interval 5
retry_interval 1
max_check_attempts 10
check_command check-host-alive
notification_period 24x7
notification_interval 30
notification_options d,r
contact_groups admins
register 0 ; DONT REGISTER THIS - ITS A TEMPLATE
}

Next you have to edit /usr/local/nagios/etc/objects/remotehost.cfg and add the following definitions and services

Define a new host for the remote Linux/Unix box that references the newly created linux-box host template.
define host{
use linux-box ; Inherit default values from a template
host_name remotehost ; The name we're giving to this server
alias Fedora Core 6 ; A longer name for the server
address 192.168.0.1 ; IP address of the server

}

Then, define a new contact for the remote Linux/Unix box that references the generic-contact template.

define contact{
contact_name remote
use generic-contact
alias Nagios client
email remotehost@gmail.com
}
The following service will monitor the CPU load of the remote host. The "check_load" argument that is passed to the check_nrpe command definition tells the NRPE daemon to run the "check_load" command as defined in the
nrpe.cfg file.
define service{
use generic-service
host_name remotehost
service_description CPU Load
check_command check_nrpe!check_load
}
The following service will monitor the the number of currently logged in users on the remote host.
define service{
use generic-service
host_name remotehost
service_description Current Users
check_command check_nrpe!check_users
}
The following service will monitor the free drive space on /dev/hda1 on the remote host.
define service{
use generic-service
host_name remotehost
service_description /dev/hda1 Free Space
check_command check_nrpe!check_hda1
}
The following service will monitor the total number of processes on the remote host.
define service{
use generic-service
host_name remotehost
service_description Total Processes
check_command check_nrpe!check_total_procs

}

The following service will monitor the number of zombie processes on the remote host.

define service{
use generic-service
host_name remotehost
service_description Zombie Processes
check_command check_nrpe!check_zombie_procs
}

Remote Host Configuration

You have to insert the following command definitions in /etc/nrpe.conf

command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
command[check_hda1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hda1
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z

Then restart the nrpe daemon

/etc/init.d/nrpe restart

How to setup and configure nagios

2009-04-23T15:24:00.000-07:00

Nagios

Nagios is a popular open source computer system and network monitoring software application. It watches hosts and services, alerting users when things go wrong and again when they get better.It allows you to gain insight into your network and fix problems before customers know they even exist. It's stable, scalable, supported, and extensible. Most importantly, it works.

It will do the Comprehensive Network Monitoring in the following

* Windows
* Linux/Unix
* Routers, Switches, Firewalls
* Printers
* Services
* Applications

Installation of Nagios in localhost

Before installing nagios,you have to install the following packages
* Apache
* GCC compiler
* GD development libraries

if you are using rpm based packages,

yum install httpd
yum install gcc
yum install glibc glibc-common
yum install gd gd-devel

If you are using ubuntu,

sudo apt-get install apache2
sudo apt-get install build-essential
sudo apt-get install libgd2-xpm-dev

1) Create Account Information

Create a new nagios user account and give it a password.

/usr/sbin/useradd -m nagios
passwd nagios

Create a new nagcmd group for allowing external commands to be submitted through the web interface. Add both the nagios user and the apache user to the group.

/usr/sbin/groupadd nagcmd
/usr/sbin/usermod -a -G nagcmd nagios
/usr/sbin/usermod -a -G nagcmd apache(or www-data)

2) Download Nagios and the Plugins
mkdir ~/downloads
cd ~/downloads

for downloading Nagios click here

or in terminal type the following line

wget http://osdn.dl.sourceforge.net/sourceforge/nagios/nagios-3.0.2.tar.gz

Extract the Nagios source code tarball.

tar xvzf nagios-3.0.2.tar.gz

cd nagios-3.0.2

Run the Nagios configure script, passing the name of the group you created earlier like so:

./configure --with-command-group=nagcmd

3) Compile the Nagios source code.

make all

Install binaries, init script, sample config files and set permissions on the external command directory.

make install
make install-init
make install-config
make install-commandmode

4) Configure the Web Interface

Install the Nagios web config file in the Apache conf.d directory.

make install-webconf

Create a nagiosadmin account for logging into the Nagios web interface. Remember the password you assign to this account - you’ll need it later.

htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
If you want to add more users then

htpasswd /usr/local/nagios/etc/htpasswd.users username

Edit the file in /usr/local/apache/conf/includes/pre_virtualhost_global.conf and append the following line in to the virtual host directories
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user

/etc/init.d/apache2 restart(or service httpd restart)

5) Download, Compile and Install the Nagios Plugins

For downloading Nagios-plugins click here

or in terminal we can download using the wget command,its shown below:

wget http://osdn.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.11.tar.gz

cd ~/downloads
tar xvzf nagios-plugins-1.4.11.tar.gz
cd nagios-plugins-1.4.11/

Compile and install the plugins.

./configure --with-nagios-user=nagios --with-nagios-group=nagios
make
make install

6) Start Nagios

Configure Nagios to automatically start when the system boots.

ln -s /etc/init.d/nagios /etc/rcS.d/S99nagios

Verify the sample Nagios configuration files.

/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

If there are no errors, start Nagios.

/etc/init.d/nagios start (service nagios start)

Add Nagios to the list of system services and have it automatically start when the system boots.

chkconfig --add nagios
chkconfig nagios on

you can check the Nagios in your browser typing the following url:

http://localhost/nagios

You should now be able to access the Nagios web interface at the URL below. You'll be prompted for the username (nagiosadmin) and password you specified earlier.

Installation and configuration of of Nagios with NRPE for both remote hosts and local host will be posted on next session

Let's start with Some Tricks & Tips

2009-04-22T13:32:00.001-07:00

A cat with Twist

We use cat command to view a text file from top to bottom.If you want to read a text file from bottom to top you can use tac command.

How to mount Windows share on Linux

Most of them needs to frequently access windows from your Linux system.Most of you probably manually mount the partition every time you require it.You can mount windows partion permenantly by adding following in /etc/fstab file.

//server/sharename /home/mountpoint smb userrname=user,password=password 1 2

Change the variables in the above line to the real values, the way it is in your case.

It would work in a home environment, where you don't mind putting password in a /etc/fstab file.If you want to be cautious,have a script ask for your password and mount the stuff using the smbmount command.However,if you would like to do this as the non-root user,specify the mount point option in /etc/fstab along with th noauto and user options.

Execute a command at a specific time

The at command is used to run a command at a specific time or date.For example,inorder to remove a directory after one minute, issue the following commands:

#at now+1 min

at>rm -rf dirname

at>updatedb

at>

To remove a directory on a particular day,say on MM/DD/YYYY, use the code below:

#at MM/DD/YYYY

at>rmdir dirname

at>updatedb

at>

Play Music in VLC without a GUI

In your terminal promp, type the following

vlc -I ncurses /home/kingfisher/filename.mp3

Where the -I option is, specify the interface-in our case,it's ncurses.It will open a ncurses interface in the termnal,where you can increase or decrease the volume by using A or Z keys and press H for further options.

Also note that /home/kingfisher/filename.mp3 is an example of a music file.You can open any number of files by using a wild card such as *.mp3.

How to get Server e-mail Alerts on the root login

Append the following line at the end of your ~/.bash_profile

echo ‘ALERT - Root Shell Access on:’ `date` `who` | mail -s “Alert: Root Access from `who | awk ‘{print $6}’`” your@email.com

Replace your@email.com with the actual email account address that you want to the root access alert notification been sent to.