Thursday, December 18, 2008

What is a RBL?

HowTo: RBL or DNSBL with Exim - Stop Spam with Exim
This is my micro-howto for how I set up RBL using the Exim Configuration Editor.
Are you and your clients tired of getting bombarded with spam email? Stop spam before it gets to your inbox with Exim's RBL (realtime blackhole list) configuration options, an invaluable tool for any cPanel admin.

What is a RBL?

Realtime Blackhole List. A list of open mail relays and rogue sites. Subscribers to the RBL reject all mail and/or connection attempts from RBL'd IP addresses, effectively cutting off irresponsible/incompetent domains from the rest of the Internet.


-------------------------------
Creating lsearch files
*****************

These files are used to manually block spammers, and to exempt certain destination domains or incoming hosts from the RBL checks.
Create three text files in the /etc directory:

/etc/rblblacklist
/etc/rblbypass
/etc/rblwhitelist

touch /etc/rblblacklist; touch /etc/rblbypass; touch /etc/rblwhitelist


Examples with sample data:

/etc/rblblacklist



A manual blacklist: it rejects mail from the listed spammer domains BEFORE they can send more email to your server:


domain1.com
domain2.com
domain3.com


/etc/rblbypass



Bypasses RBL email testing for specific destination (local) domains that don't want RBL filtering or prefer SpamAssassin tagging:


domain1.com
domain2.com
domain3.com


/etc/rblwhitelist



Skips RBL testing for the listed incoming hosts (wildcards allowed), in case an important client's mailserver is listed on an RBL you use; hosts in /etc/relayhosts are excluded automatically:


mail.domain1.com
*.domain2.com
*.domain3.com

-------------------------------
EXIM CONFIGURATION EDITOR
-------------------------------


If you use the WHM-based Exim Configuration Editor, your modifications are preserved across cPanel updates. If you edit exim.conf directly, cPanel updates MAY overwrite your changes! For this reason, enter the following changes through the Exim Configuration Editor.


------------------------
Setting up lsearch files
*******************


At the top of the editor, in the window below the line
#!!# cPanel Exim 4 Config
enter these lines:



domainlist rbl_blacklist = lsearch;/etc/rblblacklist
domainlist rbl_bypass = lsearch;/etc/rblbypass
hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist


----------------------------
RBL entries in ACL Section
*********************


Which RBLs to use depends on many factors; be sure to edit the list below to reflect your priorities. The postmaster and abuse bypass allows blocked senders to contact the admin.
In the center window of the ACL section, directly below the line:
accept hosts = :
Enter these lines:

#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
accept domains = +local_domains
       local_parts = postmaster:abuse
#
# Check sending hosts against DNS black lists.
# Accept all locally generated messages
# Reject message if address listed in blacklist.
deny message = Message rejected because $sender_fullhost is blacklisted at $dnslist_domain see $dnslist_text
     !hosts = +relay_hosts
     !authenticated = *
     dnslists = dnsbl.njabl.org : bl.spamcop.net : sbl.spamhaus.org : list.dsbl.org : cbl.abuseat.org : relays.ordb.org
     # RBL Bypass Local Domain List
     !domains = +rbl_bypass
     # RBL Whitelist incoming hosts
     !hosts = +rbl_whitelist
#**#
#**# RBL List End
#**#
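To see what the dnslists condition above actually does with each list, and to sanity-check a list before it goes into the ACL, here is an added example (shell functions written for this page, not part of the howto or of cPanel's configuration). Exim reverses the octets of the connecting IPv4 address, prepends them to the zone name and, by default, treats any A record in the answer as a listing. A list that has been retired can start answering positively for every query, which behind the deny rule above rejects all inbound mail; RFC 5782 requires a list to answer for 127.0.0.2 and never for 127.0.0.1, so querying both catches that case. The function names and the DNSBL_RESOLVER hook are this example's own assumptions; the default resolver is dig.

```shell
#!/bin/sh
# Added example, not part of the original howto: how a dnslists lookup is formed,
# plus a sanity check for each list before it goes into the ACL.
# Function names and the DNSBL_RESOLVER variable are this example's own choices.

# Build the query name for an IPv4 address in a DNSBL zone: octets reversed, zone appended.
# Example: dnsbl_query_name 192.0.2.10 bl.example.net -> 10.2.0.192.bl.example.net
dnsbl_query_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" '{ print $4 "." $3 "." $2 "." $1 "." zone }'
}

# Resolver hook: any command that prints the A records for a name, one per line.
# Defaults to dig; set DNSBL_RESOLVER to a shell function to run the checks offline.
dnsbl_lookup() {
    ${DNSBL_RESOLVER:-dig +short} "$1" A
}

# "listed" if the zone answers with an address in 127.0.0.0/8 (the DNSBL convention;
# Exim's dnslists condition treats any A record as a match by default), else "not-listed".
dnsbl_status() {
    answer=$(dnsbl_lookup "$(dnsbl_query_name "$1" "$2")")
    case "$answer" in
        127.*) echo listed ;;
        *)     echo not-listed ;;
    esac
}

# Sanity-check a zone with the RFC 5782 test addresses: 127.0.0.2 must be listed and
# 127.0.0.1 must not. A zone that lists 127.0.0.1 is answering "listed" for everything,
# which behind the deny rule above would reject all inbound mail.
dnsbl_sanity() {
    zone=$1
    if [ "$(dnsbl_status 127.0.0.1 "$zone")" = listed ]; then
        echo lists-everything
    elif [ "$(dnsbl_status 127.0.0.2 "$zone")" = listed ]; then
        echo ok
    else
        echo dead-or-unreachable
    fi
}

# Check every zone on a colon-separated dnslists value, exactly as written in exim.conf.
check_dnslists() {
    echo "$1" | tr ':' '\n' | sed 's/^ *//; s/ *$//' | while read -r zone; do
        [ -n "$zone" ] || continue
        printf '%s %s\n' "$zone" "$(dnsbl_sanity "$zone")"
    done
}

# Usage: sh dnsbl-check.sh "bl.spamcop.net : sbl.spamhaus.org"
if [ "$#" -gt 0 ]; then
    check_dnslists "$1"
fi
```

Run it with the dnslists value copied from exim.conf; any zone reported as lists-everything or dead-or-unreachable should be removed from the ACL before the next spam wave does the job for you.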

NOTICE: The following didn't work for my configuration of RHE and WHM 9.4, so I had to remove it. I recommend you try it first to see if it works; if not, come back and remove it.

Scroll down the center window of the ACL section, directly below the line:
accept domains = +local_domains

Enter these lines:

#**#
#**# Reject Email to Invalid Recipient
#**#
       endpass
       message = unknown user
       verify = recipient
#**#

--------------------------------
RBL entries in ROUTERS Section
**************************


In the ROUTERS section window, directly below the line:
# in the "local_domains" setting above.
Enter these lines:

# Deny and send notice to list of rejected domains.
reject_domains:
  driver = redirect
  # RBL Blacklist incoming hosts
  domains = +rbl_blacklist
  allow_fail
  data = :fail: Connection rejected: SPAM source $domain is manually blacklisted.

-----------------------------
RBL Testing and Verification
***********************


Once your file changes are in place, keep an eye out for errors: missing files and other configuration errors are listed in the panic log. If the NOTICE above worries you, check this log; if you see an Exim failed message, go back and remove that block.
tail -50 /var/log/exim_paniclog

You can view your spam filtering by reviewing the reject log:
tail -50 /var/log/exim_rejectlog
If your RBL tests include sbl.spamhaus.org, you can test the blacklist and whitelist functions by sending an email, USING THE MAILSERVER YOU WISH TESTED, to:
nelson-sbl-test@crynwr.com
It will attempt to send an email from the mailserver sbl.crynwr.com, which is blacklisted in sbl.spamhaus.org.


If the blacklist works, you'll get an email that looks something like this:

Subj: Your SBL test report


Testing your SBL block. See Crynwr spam blocking resources for more info.
Please note that this test will not tell you if your server is open for
relaying. Instead, it tests to see if your server blocks email from IP
addresses listed in various blocking lists; in this case, the SBL list.
Here's how the conversation looked from sbl.crynwr.com.
Note that some sites don't apply the SBL block to postmaster, so
I use your envelope sender as the To: address.
I connected to 64.246.24.14 and here's the conversation I had:
220-whm.yourserver.com ESMTP Exim 4.24 #1 Thu, 16 Oct 2003 08:23:23 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo sbl.crynwr.com
250 whm.yourserver.com Hello sbl.crynwr.com [192.203.178.107]
mail from:<>
250 OK
rcpt to:<eMtnMan@yourdomain.com>
550-Message rejected because sbl.crynwr.com [192.203.178.107] is blacklisted at
550 sbl.spamhaus.org see The Spamhaus Project - Security
Terminating conversation


If the RBL block fails, you'll receive TWO emails:

Subj: Your SBL test report
Testing your SBL block. See Crynwr spam blocking resources for more info.
Please note that this test will not tell you if your server is open for
relaying. Instead, it tests to see if your server blocks email from IP
addresses listed in various blocking lists; in this case, the SBL list.
Here's how the conversation looked from sbl.crynwr.com.
Note that some sites don't apply the SBL block to postmaster, so
I use your envelope sender as the To: address.
I connected to 64.246.24.14 and here's the conversation I had:
220-whm.yourserver.com ESMTP Exim 4.24 #1 Thu, 16 Oct 2003 08:19:44 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo sbl.crynwr.com
250 whm.yourserver.com Hello sbl.crynwr.com [192.203.178.107]
mail from:<>
250 OK
rcpt to:<eMtnMan@yourdomain.com>
250 Accepted
data
354 Enter message, ending with "." on a line by itself
From: nelson-SBL-test@crynwr.com
To: eMtnMan@yourdomain.com
Date: Thu, 16 Oct 2003 15:19:46 -0000
Message-Id: <1066317586@sbl.crynwr.com>
Test message
.
250 OK id=1AA9uj-0005xq-2l
quit
Successful termination. As far as I can tell, the email was delivered.
That might not be what you want.
Subj: (BLANK)
Uh-oh, your SBL block is not working!

----------------
RBL Log Counts
*************


I use this script to count the log hits for various RBLs; you should change it to reflect your RBLs and error syntax. Mine relies on the unique word "blacklisted" in every RBL bounce entry.

Place it anywhere you want to view reports in SSH. Eg: /root/spam

pico /root/spam


SAMPLE SCRIPT:
Copy and paste in the following:

#!/bin/sh
# Collect every RBL rejection from the main log into a scratch file, then count per list
grep -i "blacklisted" /var/log/exim_mainlog > kilme
tail -100 kilme
tail /var/log/exim_paniclog
printf "\n"
printf "Spam Count = "
grep -ci "blacklisted" kilme
printf "njabl.org = "
grep -c "njabl.org" kilme
printf "spamcop = "
grep -c "bl.spamcop" kilme
printf "spamhaus = "
grep -c "sbl.spamhaus" kilme
printf "dsbl.org = "
grep -c "dsbl" kilme
printf "abuseat = "
grep -c "abuseat.org" kilme
printf "ordb.org = "
grep -c "ordb" kilme
printf "Manual = "
grep -c "manual" kilme
printf "verify fail= "
grep -c "verify fail" /var/log/exim_mainlog
printf "No Relay = "
grep -c "not permitted" /var/log/exim_mainlog
printf "\n"
printf "All Spam: \n"
zgrep -ci "blacklisted" /var/log/exim_mainlog*
printf "\n"


Save and exit.
Ctrl + O then Y

Assuming the script is called spam, after you:
chmod 755 spam

... it can be executed with: ./spam

Example Spam Script Output!
Spam Count = 488
njabl.org = 134
spamcop = 278
spamhaus = 9
dsbl.org = 4
abuseat = 63
ordb.org = 0
Manual = 0
verify fail= 697
No Relay = 382
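As an added example that goes a little beyond the script above (it is not the post's script, and the log lines it ships with are constructed for the demonstration rather than taken from a real server), the following version keys the counts on whatever list name appears after "blacklisted at" in the rejection message, so it needs no editing when the dnslists line changes, and it also ranks the sending hosts with the most rejections. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not the script from this post: summarise RBL rejections from an Exim
# main log. Counts are keyed on the list name that follows "blacklisted at" in the
# rejection message, so a new list in the ACL is reported without editing the script.

# Per-list rejection counts as "count zone", most frequent first. Arg 1: log file.
rbl_counts() {
    grep -i "blacklisted at" "$1" |
        sed -n 's/.*blacklisted at \([^ ]*\).*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Sending hosts with the most rejections as "count ip". Arg 1: log file; arg 2: how many (default 5).
rbl_top_hosts() {
    grep -i "blacklisted at" "$1" |
        sed -n 's/.*\[\([0-9.]*\)\] F=.*/\1/p' |
        sort | uniq -c | sort -rn | head -n "${2:-5}" | awk '{ print $1, $2 }'
}

# Total number of RBL rejections in the log.
rbl_total() {
    grep -ci "blacklisted at" "$1"
}

# Constructed sample of cPanel/Exim main log lines (not real traffic) so the functions
# can be tried without a live server: three RBL rejections, one accepted message and
# one sender-verify failure, in the "H=host [ip] F=<sender> rejected RCPT" form that
# the deny rule in the ACL section produces.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2008-12-18 10:15:02 H=(mail.example.net) [192.0.2.10] F=<a@example.net> rejected RCPT <user@yourdomain.com>: Message rejected because (mail.example.net) [192.0.2.10] is blacklisted at bl.spamcop.net see listing text
2008-12-18 10:16:40 H=(host2.example.org) [198.51.100.7] F=<b@example.org> rejected RCPT <user@yourdomain.com>: Message rejected because (host2.example.org) [198.51.100.7] is blacklisted at sbl.spamhaus.org see listing text
2008-12-18 10:17:01 H=(mail.example.net) [192.0.2.10] F=<c@example.net> rejected RCPT <other@yourdomain.com>: Message rejected because (mail.example.net) [192.0.2.10] is blacklisted at bl.spamcop.net see listing text
2008-12-18 10:18:15 1LDJkz-0001Ab-Q2 <= sender@example.com H=mx.example.com [203.0.113.5] P=esmtp S=1823
2008-12-18 10:19:30 H=(pc3.example.org) [198.51.100.9] F=<d@example.org> rejected RCPT <user@yourdomain.com>: Sender verify failed
EOF
    echo "$f"
}

# Usage: sh rbl-report.sh /var/log/exim_mainlog   (no argument: run against the sample)
if [ "$#" -gt 0 ]; then
    log=$1
else
    log=$(sample_log)
fi
printf 'RBL rejections: %s\n' "$(rbl_total "$log")"
printf 'By list:\n'; rbl_counts "$log"
printf 'Top hosts:\n'; rbl_top_hosts "$log" 3
[ "$#" -gt 0 ] || rm -f "$log"
```

Against the sample the report shows two spamcop hits and one Spamhaus hit, with 192.0.2.10 as the noisiest host; pointed at /var/log/exim_mainlog it gives the same breakdown for a live server.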

Monday, December 15, 2008

Apache server view performance status with mod_status configuration

The Status module (mod_status) allows a server administrator to find out how well their server is performing. An HTML page is presented that gives the current server statistics in an easily readable form. If required, this page can be made to refresh automatically.

The details given are:

* The number of children serving requests.
* The number of idle children.
* The status of each child, the number of requests that child has performed and the total number of bytes served by the child (*)
* A total number of accesses and byte count served (*).
* The time the server was started/restarted and the time it has been running for
* Averages giving the number of requests per second, the number of bytes served per second and the average number of bytes per request (*).
* The current percentage CPU used by each child and in total by Apache (*).
* The current hosts and requests being processed (*).

Details marked "(*)" are only available with ExtendedStatus On.

Configure Apache mod_status

Open your httpd.conf file:
# vi httpd.conf
Append / modify (or uncomment) the directives as follows:

ExtendedStatus On

<Location /server-status>
    SetHandler server-status
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.5
</Location>

Replace 192.168.1.5 with your workstation IP address, so that only that host can read the status page. Save and close the file. Restart the httpd server:
# /etc/init.d/httpd restart
For a full status report type:
# /etc/init.d/httpd fullstatus

You can now view the server statistics in a web browser at http://your.server.name/server-status

Sunday, December 14, 2008

How to install yum on a VPS

Please follow the commands below to install yum on your Virtuozzo container. The following commands are to be run from the hardware node.

————————

[root@vps1 ~]# vzlist -a
CTID NPROC STATUS IP_ADDR HOSTNAME
1 91 running 192.168.46.242 ServiceCT
105 49 running 69.72.234.148 asdf
107 49 running 69.72.234.150 test.test.com2

————————

This lists all the configured containers with their container ID (CTID), which is what we need.

Assume you have to install yum on container 107

————————

[root@vps1 ~]# vzpkg install -p 107 yum

————————

Please note that if there is no yum in the template repository, the command will fail.

Tuesday, December 9, 2008

email error : 110 Can't open SMTP stream

Hello,

If you are getting the following error while sending emails from SquirrelMail:


===========================
Message not sent. Server replied:

Connection timed out
110 Can't open SMTP stream.

===========================

In the above case, if you have shell access, log in to your server as the root user, then edit the config file and make the change given below.


#vi /usr/local/cpanel/base/3rdparty/squirrelmail/config/config.php

$useSendmail = false;

to:

$useSendmail = true;


Restart the cPanel and Exim services.

Sylesh

Thursday, December 4, 2008

Getting multiple copies of e-mail

Q. I have Microsoft Office Outlook 2003. Most e-mails I get are duplicated several times. I get an e-mail from my niece and it is there 3-4 times. Same thing with e-mails from other people. Some e-mails I've noticed from Amazon.com or others like it only are showing up once. Do you know why that is?

A. The most common cause of multiple e-mails is leaving copies of your e-mail on the mail server.

Every time your e-mail program checks for new messages it makes a connection to your mail server, has a look at what is there and compares it to what you already have on your computer.

After it makes that check it is supposed to download only the new messages. However, if the mail headers stored on your computer become malformed or corrupt your mail program does not know you already have the message and downloads it again.

There is a quick check you can perform to see if this is the case. If you have Web access to your mail (most Internet providers do) then you can go to the Web and log into your e-mail. If you only see one copy of the message in Web mail but you see multiple copies in your e-mail program you can be sure that the problem is with your mail program.

The quick fix for this is to change the setting that causes your mail program to leave a copy of mail on the server.

In Outlook 2003 you do this by selecting Tools, E-mail Accounts and choosing "View or change existing e-mail accounts" and clicking Next.

Highlight the entry for your mail account and select Change then click More Settings. Under the Advanced tab there is a check box next to Leave a copy of messages on the server. If you uncheck it and then click OK, Next and Finish this will fix the problem.

The steps for Outlook Express are very similar.

The next time you check mail your messages will be removed from the server and each time you check mail you will pull down the new messages only once.

Most Internet providers prefer that you set your e-mail program to do this anyway so as to keep from filling their server to overflowing with customer e-mail messages. Roadrunner imposes a 10 megabyte limit and you will stop receiving e-mail altogether if you go over that limit.

I recognize that there are situations where having your mail stored on the server is useful. If you need to leave a copy of your e-mail on the server you can try creating a new folder in Outlook under your Inbox and move all of your Inbox messages to that folder and then check your e-mail. This might clear up the problem.

Thursday, November 27, 2008

10 Tips for making your cPanel and WHM servers more secure


Server security is a collection of compromises, as any server that allows connections could be insecure. These tips are to be followed at your own risk.

1) Use secure passwords!

Insecure passwords are the most common security vulnerability for most servers. If an account password is insecure and is compromised, client sites can be defaced, infected, or used to spread viruses. Having secure passwords is paramount to having a secure server.

You can edit /etc/login.defs to configure many password options on your system. It is well documented.

Generally, a password utilizing at least 8 characters including alphanumeric and grammatical symbols is sufficient. Never use passwords based upon dictionary words or significant dates. If you are uncertain about the security of a password, then you can test it using JTR cracker. If a password can be broken in a few hours, then it is probably too insecure and should not be used. You can also install tools like pam_passwdqc to check the strength of passwords.



2) Secure SSH

Enable public key authentication for SSH and disable password authentication.

Move SSH access to a different port. People are looking for port 22 as a possible way to access your servers. Moving SSH to a different port will add a simple way to deter those without specific knowledge of your server from easily discovering your SSH port.

You can modify the port that SSH runs on within /etc/ssh/sshd_config. Change the line that says #Port 22 to a different port such as: Port 1653. Make sure to keep your current SSH session open when testing the new port so you can change back to port 22 if the new port doesn’t work.

You should always use SSHv2 only as SSHv1 is not secure. Make sure to change the line in /etc/ssh/sshd_config that says #Protocol 2,1 to Protocol 2.

You may also wish to set shell resource limits for your users to prevent applications and scripts from using up all of your resources and taking down your server. You can configure shell resource limits in /etc/security/limits.conf on most Linux systems.



3) Secure Apache

The most readily available way to access a web server is, of course, the web server application. It is important to take steps to secure your Apache installation.

One of the best tools for preventing malicious Apache use is mod_security. This can be installed in Addon Modules in the cPanel section of WebHost Manager. You can find information about mod_security at http://www.modsecurity.org/.

When compiling Apache, you should include suexec to ensure that CGI applications and scripts run as the user that owns / executes them. This will help identify where malicious scripts are and who is running them. It will also enforce permission and environment controls.

We also recommend compiling Apache + PHP with PHPsuexec. PHPsuexec forces all PHP scripts to run as the user who owns the script. This means that you will be able to identify the owner of all PHP scripts running on your server. If one is malicious, you will be able to find its owner quickly and resolve the issue. To compile Apache + PHP with PHPsuexec, select the PHPSuexec option in the Apache Upgrade interface in WHM or when running /scripts/easyapache from the command line.

You should enable PHP’s open_basedir protection. This prevents users from opening files outside of their home directory with PHP. It can be enabled in Tweak Security within WebHost Manager.

You may also wish to include safe_mode for PHP 5.x and below. Safe_mode ensures that the owner of a PHP script matches the owner of any files to be operated on. You can enable safe_mode by changing the safe_mode = line in php.ini to safe_mode = On.



4) Secure your /tmp partition

We recommend that you use a separate partition for /tmp that is mounted with nosuid. nosuid forces a process to run with the privileges of its executor, ignoring setuid bits. You may also wish to mount /tmp with noexec after installing cPanel. Check the mount man page for more information.

Also, Running /scripts/securetmp will mount your /tmp partition to a temporary file for extra security.



5) Upgrade your mail to maildir format

Maildir format adds extra security and speed to your mail system. Newer installs use maildir by default. If you’re running an older copy of cPanel, you’ll probably want to upgrade using /scripts/convert2maildir. Make sure to back up your current mail before converting to maildir, this can be done within /scripts/convert2maildir. If you see maildir is enabled when running /scripts/convert2maildir, you are already using maildir, and will not need to convert.



6) Lock down your system’s compilers

Most users do not require the use of C and C++ compilers. You can use the Compilers Tweak within Tweak Security in WebHost Manager to turn off use of the compilers for all unprivileged users, or to disable them for specific users only. Many pre-packaged exploits require working compilers. Disabling compilers will help protect against many exploits.



7) Turn off unused services and daemons

Any service or daemon that allows a connection to be established to your server is a way for attackers to gain access. To reduce security risks, you should disable all services and daemons that are not being used.

For Daemons on Linux:

Check /etc/xinetd.conf for services you are not using. For example, cupsd (printing daemon) and nfs/statd (network file system daemons) are not used on many systems.

For Services:

Go to the Service Manager in the Service Configuration section of WHM and disable any services that you are not using.



8) Monitor your system

It is important to be up to date on what is going on with your system. Make sure that you know when accounts are being created, what software is being installed, when software needs updates, etc.

Check your system frequently to ensure it is functioning in the way you expect. Make sure to check things like:

netstat -anp : Look for programs attached to ports that you did not install / authorize

find / \( -perm -a+w \) ! -type l >> world_writable.txt : Look at world_writable.txt to see all world writable files and directories. This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.

find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.

ls /var/log/: There are many different logs on your system which can be valuable resources. Check your system logs, apache logs, mail logs, and other logs frequently to make sure your system is functioning as expected.
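The two find commands above, as an added example (not from the original tips) packaged as functions that can be run against any directory tree; the sample tree it builds is constructed for the demonstration. It uses -perm -0002, which tests only the other-write bit (the page's -perm -a+w matches only files where the user, group and other write bits are all set, so it misses a file with mode 0606), and it adds a check for world-writable directories that lack the sticky bit, where any user can remove other users' files. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original tips: the world-writable checks above as
# functions that can be run against one directory tree and reviewed in a pipeline.
# -perm -0002 tests only the "other" write bit, which is what world-writable means;
# the page's -perm -a+w requires user, group and other write bits all to be set.

# Regular files anyone on the system can modify (symlinks excluded, as in the tip above).
world_writable_files() {
    find "$1" -type f -perm -0002
}

# World-writable directories without the sticky bit: unlike /tmp (mode 1777), any user
# can delete or rename other users' files in them.
unsticky_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000
}

# Files owned by a uid or gid that no longer exists (needs a real tree; root to cover /).
orphaned_files() {
    find "$1" \( -nouser -o -nogroup \)
}

# Constructed sample tree so the checks can be tried without touching the real filesystem:
# one world-writable file, one normal file, a symlink, one 0777 directory and one
# sticky 1777 directory. Prints the tree's path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/public" "$d/shared"
    : > "$d/public/open.txt";   chmod 0666 "$d/public/open.txt"
    : > "$d/public/normal.txt"; chmod 0644 "$d/public/normal.txt"
    ln -s "$d/public/open.txt" "$d/public/link"
    chmod 0777 "$d/public"
    chmod 1777 "$d/shared"
    echo "$d"
}

# Usage: sh perm-audit.sh /home > report.txt   (no argument: run against the sample tree)
if [ "$#" -gt 0 ]; then
    root=$1
else
    root=$(make_sample_tree)
fi
echo "World-writable files:";         world_writable_files "$root"
echo "Unsticky world-writable dirs:"; unsticky_world_writable_dirs "$root"
[ "$#" -gt 0 ] || rm -rf "$root"
```

On the sample tree only public/open.txt and the public directory are reported; shared, with the sticky bit set like /tmp, is not. The same caution as in the tip applies: some badly written PHP/CGI scripts depend on world-writable files, so review the report before changing permissions.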

There are many readily available utilities to monitor your system and to detect rootkits, backdoors, etc. Here are some commonly available utilities:

* Tripwire - Monitors checksums of files and reports changes.
http://tripwire.com or http://sourceforge.net/projects/tripwire
* Chkrootkit - Scans for common rootkits, backdoors, etc.
http://www.chkrootkit.org
* Rkhunter - Scans for common rootkits, backdoors, etc.
http://www.rootkit.nl/projects/rootkit_hunter.html
* Logwatch - Monitors and reports on daily system activity.
http://logwatch.org



9) Enable a Firewall

Installing a firewall to limit access to your server is useful. Removing all unused software on your system is more useful. Before you have the chance to remove all unused services and daemons, or the chance to figure out which services / daemons are unused, you can enable a firewall to prevent unwanted access.

The following will show the ports cPanel and WHM need open to function properly and what the port is used for:

http://faq.cpanel.net/show.cgi?qa=104689180407630

If you are using APF, see:

http://faq.cpanel.net/show.cgi?qa=108499296901804

Please note that these ports are for all services that can be used by cPanel and WHM, you may or may not be using all of these services or other services and should adjust your rules accordingly.

Remember to set a cron job to disable your firewall every 5 minutes when testing your rules, or you may be locked out of your server.



10) Stay up to date

It is important to make sure that you are running the latest stable versions of the software on your system, so that it has been patched against any security issues past versions may be susceptible to. Make sure to keep on top of updates for:

* Kernel
* cPanel and WHM*
* User Applications (bulletin boards, CMS, blog engines, etc)**
* System Software*



*These can be set to automatically update in WebHost Manager under Update Config in the Server Configuration section.

**You can upgrade all cPAddon installations through Manage cPAddons in the cPanel section of WebHost Manager.

Tuesday, November 25, 2008

MRTG thoughts!!

MRTG is a wonderful tool. You can use it to monitor traffic on your router or on a leased server located at a remote IDC. Since it is written in Perl with some code in C, it is a portable, high-performance tool.

"The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network-links. MRTG generates HTML pages containing GIF images which provide a LIVE visual representation of this traffic."

What is SNMP and why should I care?

SNMP is the Simple Network Management Protocol. It is used to manage IP network devices such as servers, routers, switches etc. An administrator can measure and manage network performance, solve problems or even optimize the network further. For more information on official UNIX/Linux SNMP please see the UCD-SNMP/NET-SNMP Tutorials and the excellent resource at Snmplink.org


Step # 1: Make sure the snmp server is installed

Please note that configuring snmpd is not required for using mrtg with remote network devices such as routers and switches. If you just want mrtg graphs for router

Run rpm commands query option to find out snmp server installed or not:

# rpm -qa | grep snmp

If snmp is installed then please refer to step # 2; otherwise the snmp server and utils are not present and you need to install them using the following steps (log in as the root user):

(a) Visit rpmfind.net to get snmp server and utilities rpms. If you are fedora user then use yum command as follows to install it:

# yum install net-snmp-utils net-snmp

(b) If you are RHEL subscriber then use up2date command as follows to install:

#up2date -v -i net-snmp-utils net-snmp


Step # 2: Determine if the snmp server is running or not

Run 'ps' command to see if snmp server is running or not:

# ps -aux | grep snmp

Output:

root   5512  0.0  2.3  5872 3012 pts/0    S    22:04   0:00 /usr/sbin/snmpd

Alternatively, you can try either of the following two commands:

# lsof -i :199

Output:

COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
snmpd 5512 root 4u IPv4 34432 TCP *:smux (LISTEN)

OR try out netstat command:

# netstat -natv | grep ':199'

Output:

tcp        0      0 0.0.0.0:199             0.0.0.0:*               LISTEN

If you found the service running or listening on port 199 then please see step # 3; otherwise start the service using the following command:

# service snmpd start

Make sure the snmpd service starts automatically when Linux comes up (add the snmpd service):

# chkconfig --add snmpd
----------------------------------------------
Step # 3: Install MRTG
We've put together an RPM for MRTG based off the various how-tos posted. This RPM is for Fedora and RHEL systems and will work on Ensim 3.7/4.0 out of the box; cPanel versions will be posted shortly.



Fedora 1

mrtg-2.10.5-1.0.rhfc1.ct.i386.rpm



RHEL3 based servers

mrtg-2.10.5-1.0.rhel3.ct.i386.rpm



Installation:



rpm -Uvh rpmname

rm -f /etc/cron.d/mrtg



You will need to edit /etc/httpd/conf.d/mrtg.conf if you wish to
allow access to more than just localhost - by default this is a
security measure.



After installing, make sure you don't have a cron line in /etc/crontab for mrtg. You may do this via



pico -w /etc/crontab



Then



service mrtg start


By
Sylesh

Saturday, November 8, 2008

Linux Screen Command

GNU Screen enables you to run many shell processes in a single terminal. So in one e.g. xterm you can have many bash instances like layers in GIMP or Adobe Photoshop. Even better, you can split your terminal into different regions.

Steps
—–
1) Create a screen using the command
#screen -S sylesh

2) Close the shell without logging out

3)Open a new shell

4) Type screen -ls

[root@sylesh ~]# screen -ls
There are screens on:
16921.sds (Dead ???)
3981.name (Attached)
5002.sylesh(Attached)
Remove dead screens with 'screen -wipe'.
3 Sockets in /tmp/screens/S-root.

5) You can log in to that screen using the command screen -r 'screen name'

[root@sylesh ~]# screen -r 5002.sylesh
There is a screen on:
5002.sylesh(Attached)

Exim Commands

To print a count of the messages in the queue
root@localhost# exim -bpc

Print a listing of the messages in the queue (time queued, size, message-id, sender, recipient)
root@localhost# exim -bp

Print a summary of messages in the queue (count, volume, oldest, newest, domain, and totals):
root@localhost# exim -bp | exiqsumm

Generate and display Exim stats from a logfile:
root@localhost# eximstats /var/log/exim_mainlog

Same as above, with less verbose output:
root@localhost# eximstats -ne -nr -nt /var/log/exim_mainlog

Same as above, for one particular day:
root@localhost# fgrep YYYY-MM-DD /var/log/exim_mainlog | eximstats

Print what Exim is doing right now:
root@localhost# exiwhat

Searching the queue

Search the queue for messages from a specific sender:
root@localhost# exiqgrep -f [luser]@domain

Search the queue for messages for a specific recipient/domain:
root@localhost# exiqgrep -r [luser]@domain

To Print just the message-id of the entire queue:
root@localhost# exiqgrep -i

Managing the queue

Start a queue run:
root@localhost# exim -q -v

Start a queue run for just local deliveries:
root@localhost# exim -ql -v

Remove a message from the queue:
root@localhost# exim -Mrm <message-id>

Freeze a message:
root@localhost# exim -Mf <message-id>

Deliver a specific message:
root@localhost# exim -M <message-id>

Force a message to fail and bounce:
root@localhost# exim -Mg <message-id>

Remove all frozen messages:
root@localhost# exiqgrep -z -i | xargs exim -Mrm

Freeze all queued mail from a given sender:
root@localhost# exiqgrep -i -f luser@example.tld | xargs exim -Mf

View a message's headers:
root@localhost# exim -Mvh <message-id>

View a message's body:
root@localhost# exim -Mvb <message-id>

View a message's logs:
root@localhost# exim -Mvl <message-id>

Sunday, October 19, 2008

Apache fails!!Semaphores???

A semaphore is a lot like a locking mechanism. In any server there is an order of precedence in which tasks must be accomplished, and the semaphores maintain that order: a succeeding task may not start until it has received the semaphores from all of its predecessors. When child processes of a service are killed or removed before they pass their information on to the succeeding processes, those processes are left in a hung state because of the incomplete transaction, and the service keeps failing until the semaphore IDs are removed from their arrays manually. Given below is a small script to remove them:




for semid in $(ipcs -s | awk '$3 == "nobody" { print $2 }'); do ipcrm -s "$semid"; done

Tuesday, September 16, 2008

How to Kill user in Linux


Greetings Guys..!!
If you want to kill some user's processes (on Unix/Linux hosting), or terminate the user's shell session, you can use the following commands.
To see the details of user jason's processes:

ps -aux | grep jason

From the output, kill the process IDs belonging to that user and the user will be dropped from the shell without any wall message.

Alternatively, you can do the following.

Task: How to halt/stop the user jason

Type the skill command as follows:
# skill -STOP -u jason

You must be root to stop other users.
Task: How to resume the already halted user jason

Send the CONT signal to user jason; type the following command:
# skill -CONT -u jason
Task: How to kill and log out the user jason

Send the KILL signal; type the following command:
# skill -KILL -u jason
Task: Kill and log out all users

The ultimate command to kill and log out all users; type the following command:
# skill -KILL -v /dev/pts/*

Please note that you should send users a warning message or a logout notice using the wall command to avoid data loss.

Enjoy..

Fix Cpanel Quotas

Cpanel/WHM sometimes has problems with the user quota files causing all users accounts to have unlimited disk space available or 0 megs of disk space in use. This obviously confuses your customers and doesn't show a real representation of actual disk space being used by your clients. This guide will take you through fixing any quota issues with Cpanel manually or automated.

Common reasons for quota problems
- There are files owned by the same user elsewhere on the server
- The backup directory is being counted towards the user's disk quota
- Extra log files are being counted towards the user's quota
- Cpanel was just updated and the quotas are now unlimited

Quick Fix - an easy way to fix quota issues

Step 1. Log into your server through SSH as the root user.

Step 2. Run the following command
/scripts/fixquotas


Advanced Fix - other reasons quotas are not working

Step 1. Find the user account where the quotas are incorrect and login to your server in SSH as root.

Step 2. Go to the user's folder and check the disk space being used.
cd /home/username
du -sh .
(du -h without -s breaks the total down per directory, which is useful for spotting a bloated mail or tmp folder.)

Step 3. Check /etc/passwd and /etc/shadow to make sure there is no weirdness where the username shows up multiple times.

Step 4. Try finding other files owned by the user, starting from / rather than from the home directory you are standing in (find with no path only searches the current directory):
find / -path /proc -prune -o -user username -print | more
This will list all files owned by this user that could be affecting the quota reported by cPanel; anything outside /home/username (old backups, log files, files left in /tmp) counts towards it.

Step 5. Uncompressed backups can cause quota problems, ensure your backups are compressed in the WHM backup options.

Step 6. After you determine the source of the files and remove them, run /scripts/fixquotas

We've covered the common ways accounts report invalid disk quotas with Cpanel. If the Quick Fix doesn't work then you'll need to do some digging through our Advanced Fix. Ask any questions in our forums!
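Step 4 of the Advanced Fix as a function you can run per account: it lists every file owned by the user outside their home directory and totals the bytes, which is the amount the quota is charging them for that they cannot see in their own home. This is an added example, not part of the original guide; it assumes GNU find (for -printf) and takes an optional search root so it can be tried on a scratch directory first.

```shell
#!/bin/sh
# Added example: files owned by USER that live outside HOME, with a byte total.
# usage: foreign_usage USER [HOME] [SEARCH_ROOT]
#   USER may be a name or a numeric uid; HOME defaults to /home/USER,
#   SEARCH_ROOT to /. -xdev keeps find on one filesystem so /proc and mounted
#   backup volumes are not walked; run it once per filesystem you care about.
# prints one "<bytes> <path>" line per file, then "total N files B bytes".
foreign_usage() {
    user=$1
    home=${2:-/home/$1}
    root=${3:-/}
    find "$root" -xdev -type f -user "$user" ! -path "$home/*" -printf '%s %p\n' 2>/dev/null |
    awk '{ bytes += $1; n++; print }
         END { printf "total %d files %d bytes\n", n, bytes }'
}

if [ "${1:-}" = "demo" ]; then
    # e.g.  sh script.sh demo username
    foreign_usage "$2" | tail -n 20
fi
```

The per-file lines go first so the total is always the last line, which makes the function easy to feed into a report or compare against what WHM shows for the account.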

Find n block IPs with max connections

SSH to the server and run the following command to see the IPs with the most concurrent connections (highest counts come last):

/bin/netstat -ntu | awk 'NR>2 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | more

The awk NR>2 skips the two header lines netstat prints, and cut -d: -f1 keeps only the address part of "address:port" (IPv6 addresses contain colons themselves, so strip the port with sed 's/:[0-9]*$//' instead if you have IPv6 traffic). A high count from one address is not proof of abuse: a NAT gateway for a large office or a monitoring service also shows up here, so check the IP before blocking it, and never block the address you are SSH'd in from.

Block unwanted IPs using iptables:

/sbin/iptables -I INPUT -s 12.34.56.78 -j DROP
/sbin/service iptables save
/sbin/service iptables restart

-I INPUT puts the rule at the top of the chain, ahead of any accept rules, and it is active as soon as the command returns. The save step writes the rule set to /etc/sysconfig/iptables so it survives a reboot; the restart only reloads that saved file and is not needed for the block itself.
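The pipeline above as a function that can be checked against captured output before being pointed at a live server. It reads "netstat -ntu" output on stdin, skips the header, handles IPv4 and IPv6 foreign addresses, and prints "count address" for every address at or above a threshold, busiest first; a second function turns that into the iptables commands but only prints them. This is an added example, not code from the original post; the netstat sample is constructed and uses documentation address ranges.

```shell
#!/bin/sh
# Added example: connection counting over "netstat -ntu" output.

top_talkers() {  # top_talkers THRESHOLD < netstat-output  ->  "count address"
    awk -v min="${1:-1}" '
        NR > 2 && NF >= 5 {
            addr = $5
            sub(/:[0-9]+$/, "", addr)      # strip the port, keep IPv6 colons
            count[addr]++
        }
        END { for (a in count) if (count[a] >= min) printf "%d %s\n", count[a], a }
    ' | sort -rn
}

block_commands() {  # block_commands < "count address" lines -> iptables commands
    while read -r n addr; do
        [ -n "$addr" ] || continue
        printf '/sbin/iptables -I INPUT -s %s -j DROP   # %s connections\n' "$addr" "$n"
    done
}

# Constructed sample of "netstat -ntu" output for a stand-alone run.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:22             198.51.100.9:40000      ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::a:5555      ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::a:5556      ESTABLISHED
udp        0      0 10.0.0.5:53             198.51.100.10:33001     ESTABLISHED'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | top_talkers 2 | block_commands
    # live:  netstat -ntu | top_talkers 50 | block_commands
fi
```

Pipe the printed commands into sh only after reading them; the threshold and the "# N connections" comment are there so the decision to block is made by a person looking at the list, not by the script.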

Can't connect to local MySQL server through socket '/tmp/mysql.sock

If you get this error message:

/usr/local/bin/mysqladmin: connect to server at 'localhost' failed
error: 'Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)'
Check that mysqld is running and that the socket: '/tmp/mysql.sock' exists!

First make sure the server is actually running and its socket exists (ls -l /var/lib/mysql/mysql.sock); on a cPanel box the socket lives there while this client was built to look in /tmp. Then run the following commands:

ln -s /var/lib/mysql/mysql.sock /tmp/mysql.sock
/scripts/mysqlup --force

Spamd keeps failing. How can I fix it?

SSH to the server and run the following commands (in that order):
ps auxfww | grep spamd
kill -9 PID

(replace PID with the process IDs of the spamd processes shown by ps)

/scripts/perlinstaller --force Digest::SHA1
/scripts/fixspamassassinfailedupdate
/etc/init.d/chkservd restart

MySQL deeper!

Each entry is a description followed by the command.

Log in from the unix shell (use -h only if the server is not local):
    [mysql dir]/bin/mysql -h hostname -u root -p

Create a database on the SQL server:
    create database [databasename];

List all databases on the SQL server:
    show databases;

Switch to a database:
    use [db name];

See all the tables in the db:
    show tables;

See a table's field formats:
    describe [table name];

Delete a db:
    drop database [database name];

Delete a table:
    drop table [table name];

Show all data in a table:
    SELECT * FROM [table name];

Return the columns and column information pertaining to the designated table:
    show columns from [table name];

Show the rows where a field has the value "whatever":
    SELECT * FROM [table name] WHERE [field name] = "whatever";

Show all records containing the name "Bob" AND the phone number '3444444':
    SELECT * FROM [table name] WHERE name = "Bob" AND phone_number = '3444444';

Show all records not containing the name "Bob" AND with the phone number '3444444', ordered by the phone_number field:
    SELECT * FROM [table name] WHERE name != "Bob" AND phone_number = '3444444' order by phone_number;

Show all records whose name starts with 'Bob' AND with the phone number '3444444':
    SELECT * FROM [table name] WHERE name like "Bob%" AND phone_number = '3444444';

Use a regular expression to find records. Use "REGEXP BINARY" to force case-sensitivity. This finds any record whose rec field begins with a:
    SELECT * FROM [table name] WHERE rec RLIKE "^a";

Show unique records:
    SELECT DISTINCT [column name] FROM [table name];

Show selected records sorted in ascending (asc) or descending (desc) order:
    SELECT [col1],[col2] FROM [table name] ORDER BY [col2] DESC;

Return the number of rows:
    SELECT COUNT(*) FROM [table name];

Sum a column:
    SELECT SUM([column name]) FROM [table name];

Join tables on a common column (here every lookup row, with the birthday from the person row whose personid matches):
    select lookup.illustrationid, lookup.personid, person.birthday from lookup left join person on lookup.personid = person.personid;

Switch to the mysql db and create a new user by inserting into the user table. A Host of '%' lets the account log in from any address; use 'localhost' or a specific host unless remote access is really needed, and FLUSH PRIVILEGES afterwards:
    INSERT INTO user (Host,User,Password) VALUES('%','user',PASSWORD('password'));

Change a user's password (from the unix shell):
    [mysql dir]/bin/mysqladmin -u root -h hostname.blah.org -p password 'new-password'

Change a user's password (from the MySQL prompt):
    SET PASSWORD FOR 'user'@'hostname' = PASSWORD('passwordhere');

Allow the user "bob" to connect to the server from localhost using the password "passwd":
    grant usage on *.* to bob@localhost identified by 'passwd';

Switch to the mysql db and give a user privileges for a db, either by inserting into the db table directly (FLUSH PRIVILEGES afterwards):

    INSERT INTO db (Host,Db,User,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv) VALUES ('%','databasename','username','Y','Y','Y','Y','Y','N');

or, preferably, with GRANT, which takes effect immediately:

    grant all privileges on databasename.* to username@localhost;

Grant only what the application needs (a web application that reads and writes rows rarely needs DROP or ALTER); a SQL injection in that application can then only do what its account may do.

Update info already in a table:
    UPDATE [table name] SET Select_priv = 'Y',Insert_priv = 'Y',Update_priv = 'Y' where [field name] = 'user';

Delete row(s) from a table:
    DELETE from [table name] where [field name] = 'whatever';

Reload the grant tables after editing them directly:
    FLUSH PRIVILEGES;

Delete a column:
    alter table [table name] drop column [column name];

Add a new column to a table:
    alter table [table name] add column [new column name] varchar (20);

Change a column name:
    alter table [table name] change [old column name] [new column name] varchar (50);

Make a column unique so you get no dupes:
    alter table [table name] add unique ([column name]);

Change a column's type or size (existing values longer than the new length are truncated):
    alter table [table name] modify [column name] VARCHAR(3);

Delete a unique index from a table:
    alter table [table name] drop index [column name];

Load a CSV file into a table (the file is read by the server process, so the account needs the FILE privilege and the file must be readable by the mysql user):
    LOAD DATA INFILE '/tmp/filename.csv' replace INTO TABLE [table name] FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' (field1,field2,field3);

Dump all databases for backup. The backup file is the SQL commands needed to recreate all dbs:
    [mysql dir]/bin/mysqldump -u root -ppassword --opt --all-databases >/tmp/alldatabases.sql

Dump one database for backup:
    [mysql dir]/bin/mysqldump -u username -ppassword --databases databasename >/tmp/databasename.sql

Dump a table from a database:
    [mysql dir]/bin/mysqldump -c -u username -ppassword databasename tablename > /tmp/databasename.tablename.sql

(A password given as -ppassword on the command line is visible to every user on the box in ps output and ends up in the shell history; use -p alone and type it, or put it in a ~/.my.cnf with mode 0600.)

Restore a database (or database table) from backup:
    [mysql dir]/bin/mysql -u username -ppassword databasename < /tmp/databasename.sql

Create Table Example 1:
    CREATE TABLE [table name] (firstname VARCHAR(20), middleinitial VARCHAR(3), lastname VARCHAR(35), suffix VARCHAR(3), officeid VARCHAR(10), userid VARCHAR(15), username VARCHAR(8), email VARCHAR(35), phone VARCHAR(25), groups VARCHAR(15), datestamp DATE, timestamp time, pgpemail VARCHAR(255));

Create Table Example 2:
    create table [table name] (personid int(50) not null auto_increment primary key, firstname varchar(35), middlename varchar(50), lastname varchar(50) default 'bato');

MYSQL Statements and clauses

ALTER DATABASE
ALTER TABLE
ALTER VIEW
ANALYZE TABLE
BACKUP TABLE
CACHE INDEX
CHANGE MASTER TO
CHECK TABLE
CHECKSUM TABLE
COMMIT
CREATE DATABASE
CREATE INDEX
CREATE TABLE
CREATE VIEW
DELETE
DESCRIBE
DO
DROP DATABASE
DROP INDEX
DROP TABLE
DROP USER
DROP VIEW
EXPLAIN
FLUSH
GRANT
HANDLER
INSERT
JOIN
KILL
LOAD DATA FROM MASTER
LOAD DATA INFILE
LOAD INDEX INTO CACHE
LOAD TABLE...FROM MASTER
LOCK TABLES
OPTIMIZE TABLE
PURGE MASTER LOGS
RENAME TABLE
REPAIR TABLE
REPLACE
RESET
RESET MASTER
RESET SLAVE
RESTORE TABLE
REVOKE
ROLLBACK
ROLLBACK TO SAVEPOINT
SAVEPOINT
SELECT
SET
SET PASSWORD
SET SQL_LOG_BIN
SET TRANSACTION
SHOW BINLOG EVENTS
SHOW CHARACTER SET
SHOW COLLATION
SHOW COLUMNS
SHOW CREATE DATABASE
SHOW CREATE TABLE
SHOW CREATE VIEW
SHOW DATABASES
SHOW ENGINES
SHOW ERRORS
SHOW GRANTS
SHOW INDEX
SHOW INNODB STATUS
SHOW LOGS
SHOW MASTER LOGS
SHOW MASTER STATUS
SHOW PRIVILEGES
SHOW PROCESSLIST
SHOW SLAVE HOSTS
SHOW SLAVE STATUS
SHOW STATUS
SHOW TABLE STATUS
SHOW TABLES
SHOW VARIABLES
SHOW WARNINGS
START SLAVE
START TRANSACTION
STOP SLAVE
TRUNCATE TABLE
UNION
UNLOCK TABLES
USE

String Functions

AES_DECRYPT
AES_ENCRYPT
ASCII
BIN
BINARY
BIT_LENGTH
CHAR
CHAR_LENGTH
CHARACTER_LENGTH
COMPRESS
CONCAT
CONCAT_WS
CONV
DECODE
DES_DECRYPT
DES_ENCRYPT
ELT
ENCODE
ENCRYPT
EXPORT_SET
FIELD
FIND_IN_SET
HEX
INET_ATON
INET_NTOA
INSERT
INSTR
LCASE
LEFT
LENGTH
LOAD_FILE
LOCATE
LOWER
LPAD
LTRIM
MAKE_SET
MATCH
AGAINST
MD5
MID
OCT
OCTET_LENGTH
OLD_PASSWORD
ORD
PASSWORD
POSITION
QUOTE
REPEAT
REPLACE
REVERSE
RIGHT
RPAD
RTRIM
SHA
SHA1
SOUNDEX
SPACE
STRCMP
SUBSTRING
SUBSTRING_INDEX
TRIM
UCASE
UNCOMPRESS
UNCOMPRESSED_LENGTH
UNHEX
UPPER

Date and Time Functions

ADDDATE
ADDTIME
CONVERT_TZ
CURDATE
CURRENT_DATE
CURRENT_TIME
CURRENT_TIMESTAMP
CURTIME
DATE
DATE_ADD
DATE_FORMAT
DATE_SUB
DATEDIFF
DAY
DAYNAME
DAYOFMONTH
DAYOFWEEK
DAYOFYEAR
EXTRACT
FROM_DAYS
FROM_UNIXTIME
GET_FORMAT
HOUR
LAST_DAY
LOCALTIME
LOCALTIMESTAMP
MAKEDATE
MAKETIME
MICROSECOND
MINUTE
MONTH
MONTHNAME
NOW
PERIOD_ADD
PERIOD_DIFF
QUARTER
SEC_TO_TIME
SECOND
STR_TO_DATE
SUBDATE
SUBTIME
SYSDATE
TIME
TIMEDIFF
TIMESTAMP
TIMESTAMPDIFF
TIMESTAMPADD
TIME_FORMAT
TIME_TO_SEC
TO_DAYS
UNIX_TIMESTAMP
UTC_DATE
UTC_TIME
UTC_TIMESTAMP
WEEK
WEEKDAY
WEEKOFYEAR
YEAR
YEARWEEK

Mathematical and Aggregate Functions

ABS
ACOS
ASIN
ATAN
ATAN2
AVG
BIT_AND
BIT_OR
BIT_XOR
CEIL
CEILING
COS
COT
COUNT
CRC32
DEGREES
EXP
FLOOR
FORMAT
GREATEST
GROUP_CONCAT
LEAST
LN
LOG
LOG2
LOG10
MAX
MIN
MOD
PI
POW
POWER
RADIANS
RAND
ROUND
SIGN
SIN
SQRT
STD
STDDEV
SUM
TAN
TRUNCATE
VARIANCE

Flow Control Functions

CASE
IF
IFNULL
NULLIF


Command-Line Utilities

comp_err
isamchk
make_binary_distribution
msql2mysql
my_print_defaults
myisamchk
myisamlog
myisampack
mysqlaccess
mysqladmin
mysqlbinlog
mysqlbug
mysqlcheck
mysqldump
mysqldumpslow
mysqlhotcopy
mysqlimport
mysqlshow
perror


Perl API - using functions and methods built into the Perl DBI with MySQL

available_drivers
begin_work
bind_col
bind_columns
bind_param
bind_param_array
bind_param_inout
can
clone
column_info
commit
connect
connect_cached
data_sources
disconnect
do
dump_results
err
errstr
execute
execute_array
execute_for_fetch
fetch
fetchall_arrayref
fetchall_hashref
fetchrow_array
fetchrow_arrayref
fetchrow_hashref
finish
foreign_key_info
func
get_info
installed_versions
last_insert_id
looks_like_number
neat
neat_list
parse_dsn
parse_trace_flag
parse_trace_flags
ping
prepare
prepare_cached
primary_key
primary_key_info
quote
quote_identifier
rollback
rows
selectall_arrayref
selectall_hashref
selectcol_arrayref
selectrow_array
selectrow_arrayref
selectrow_hashref
set_err
state
table_info
table_info_all
tables
trace
trace_msg
type_info
type_info_all
Attributes for Handles


PHP API - using functions built into PHP with MySQL

mysql_affected_rows
mysql_change_user
mysql_client_encoding
mysql_close
mysql_connect
mysql_create_db
mysql_data_seek
mysql_db_name
mysql_db_query
mysql_drop_db
mysql_errno
mysql_error
mysql_escape_string
mysql_fetch_array
mysql_fetch_assoc
mysql_fetch_field
mysql_fetch_lengths
mysql_fetch_object
mysql_fetch_row
mysql_field_flags
mysql_field_len
mysql_field_name
mysql_field_seek
mysql_field_table
mysql_field_type
mysql_free_result
mysql_get_client_info
mysql_get_host_info
mysql_get_proto_info
mysql_get_server_info
mysql_info
mysql_insert_id
mysql_list_dbs
mysql_list_fields
mysql_list_processes
mysql_list_tables
mysql_num_fields
mysql_num_rows
mysql_pconnect
mysql_ping
mysql_query
mysql_real_escape_string
mysql_result
mysql_select_db
mysql_stat
mysql_tablename
mysql_thread_id
mysql_unbuffered_query

Using fuser to Identify Users and Processes

UNIX IN THE ENTERPRISE --- 07/20/2006

Sandra Henry-Stocker

The fuser (pronounced "ef-user") command is a very handy command for determining who is currently using a particular file or directory. If one user can't access a file because another user has it locked in some way, the fuser command can help you determine who that user is so that you can decide how to resolve the apparent conflict.

Who is Using My File?

When you ask fuser about a file, it can tell you both who is using it and how the particular file is being used. For example, if we were to ask fuser who is using the file /var/log/syslog, we would get response like this:

% fuser -u /var/log/syslog
/var/log/syslog: 247o(root)

That string, "247o(root)", in fuser's response tells us that root is using the file, what the particular root process ID happens to be (247) and that this process has the file open (o).

Without the -u (show user) option, the fuser command would not have added "(root)" to this output.

If we track down the process using ps or ptree (i.e., ptree 247), we aren't likely to be startled. The process is the syslog daemon, syslogd, which opens /var/log/syslog so that it can append system messages. The ptree command identifies the process easily:

$ ptree 247
247 /usr/sbin/syslogd

Further, if we are inclined to verify that syslogd has the syslog file open, we can display the inode for the /var/log/syslog file and then (as root) find it in the open files (pfiles) listing for the process. pfiles takes the process ID (247 here); the inode number is what we look for in its output:

# ls -i /var/log/syslog
102337 /var/log/syslog

# pfiles 247
... 7: S_IFREG mode:0644 dev:102,3 ino:102337 uid:0 gid:1 size:807186 O_WRONLY|O_APPEND|O_LARGEFILE ...

So, if one of your users complains that a file is busy, you can use the fuser command to see who has the file tied up like this:

# fuser -u /data/src/project1/myfile
/data/src/project1/myfile: 10336o(shs)

If the best course of action is to terminate the process that is using the file, you can use the fuser command for that, too, using the -k option:

# fuser -k /data/src/project1/myfile

In fact, you could terminate the process without first looking to see who owns it and what they are doing, but that generally isn't a good idea.

Who is Using this File System?

If you were trying to unmount a file system and found it busy, fuser would be a useful tool for determining why you are unable to unmount it. Let's say you wanted to unmount /data and saw this:

# umount /data
umount: /data busy
# fuser -u /data
/data: 24271c(shs)

This time, we notice that the character following the process ID is a "c". What can this mean?

Well, there are a number of reasons why a file system might be considered busy. As we have seen, a file system is considered busy if a program has a file open. A file system is also busy if it's shared. In addition, a file system is busy if someone has issued a cd command and moved into one of its directories. The "c" in the output above means that /data is shs's current working directory.

When you see a "c" in the fuser output, you can change the file system's busy status by getting the user to cd to a directory in some other file system or log off. If necessary, you can kill the user process that is keeping the file system busy, though its always better to give the user some warning if you can.

If the file system is busy because it is being shared, you can un-share the file system and then unmount it.

The various file system uses that fuser reports about include a process that is:

using the file as its current directory -- c
mapping the file with mmap -- m
having the file open (i.e., for reading or writing) -- o
using the file as its root directory -- r
using the file as its text file -- t
using the file as its controlling terminal -- y

There is one complication, however, to "fuser -u". You might try to find out why you cannot unmount a file system, like /data, and get a response from "fuser -u" that is not entirely satisfactory. For example, let's say you get this output:

# umount /data
umount: /data busy
# fuser -u /data
/data:

What's going on here? Basically, fuser isn't telling us anything about why /data is busy because /data is not itself the directory that is in use. Just as "fuser -u /var/log" would not have told us that the /var/log/syslog file was open, "fuser -u /data" won't tell us if someone has moved into some directory further down in the /data file system, like /data/src or /data/project/accts. Another fuser option that comes in handy in situations like this is -c. Let's see what it will show us.

# fuser -cu /data
/data: 24271c(shs)

NOTE: The -c option only works with mount points.

With the -c option, fuser reports the process and the user occupying the /data directory even though the /data isn't the user's current directory. The "c" at the end of the string "24271c" tells us that the file system is busy because of a current working directory issue. It just doesn't tell us which directory is in use. If, for some reason, you need to know this, you could check every directory within the file system using as many "fuser -c" commands as it took. But, since the user could be currently located in any subdirectory and might move while you are checking, this process could be both slow and problematical.

You might try looping through all the subdirectories in the file system using a loop and an embedded find command like that shown below, but you would soon discover that the find command, in accessing each subdirectory, also ends up "using" it and, therefore, reporting itself in the process. In fact, every directory would be listed in the output of this command.

for dir in `find /data -type d -print`
do
    fuser -u $dir
done

If you wanted to ignore the effect of fuser's accessing the directories, you could elect to only look at directories with more than one reported use, or you could create a directory list using find and then separately run fuser against each directory (after find has finished using the directories). The script below takes the first approach. fuser prints the path on stderr and the process IDs on stdout, so both are collected into one temporary file and only lines with more than one process (NF > 2) are printed. The temporary file is created with mktemp rather than under a predictable /tmp/findbusy$$ name, since a predictable name in /tmp lets any local user pre-create a symlink there and have root overwrite a file of their choosing:

#!/bin/bash

if [ $# == 0 ]; then
    echo "Usage: $0 start-location"
    exit 1
else
    START=$1
fi

TEMP=$(mktemp /tmp/findbusy.XXXXXX) || exit 1

# run fuser against every directory in the file system, collecting
# the path (stderr) and the PIDs (stdout) together in $TEMP
find "$START" -type d -exec fuser -u {} \; 2>"$TEMP" 1>&2

# ------------------------------------------
# Begin awk script to print busy directories
# ------------------------------------------
awk '
    { if (NF > 2) { print $0 } }
    END { print "done" }
' "$TEMP"
# ---------------
# End awk script.
# ---------------

rm -f "$TEMP"

If you don't care which directory the user happens to be using, you can simply ask that the user log off or kill the user's login process. While I don't advocate tossing users off systems without due courtesy, I have often found that users who are keeping a file system busy have been idle for hours. Interestingly, editing a file does not, by itself, keep a file system busy.

The -k option doesn't work on a mount point. In other words, you can't type "fuser -k /data" and kill the processes keeping /data busy. Once you identify a process that is using a particular directory or file, you can terminate the process using the kill command. Alternately, if you identify the particular file or directory that is being used, you can use fuser's -k command to kill it.

If a file system is busy because of user activity, the most expedient way to make the file system non-busy is to list the processes keeping it busy and terminate each process with a kill -9. In the commands below, I have verified that the user is not actively working before terminating his or her process, but you will have to weigh the interests of your users' processing needs against your need to unmount the file system.

boson:/ # fuser -cu /data
/data: 10149co(shs) 10140c(shs)
boson:/ # finger -i
Login       TTY          When                 Idle
shs         pts/1        Sun Jul 16 14:55     15 hours 2 minutes
root        pts/4        Sun Jul 16 14:07
boson:/ # kill -9 10149 10140

Where will you find the fuser command?

Linux systems also include the fuser command, but with different options than Solaris. If you are administering Linux systems, you should
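Since the Linux fuser takes different options from the Solaris one, here is the same check done by hand on Linux: a minimal version of "fuser -cu" built on /proc, which shows what fuser is actually looking at when it reports c, r and o. This is an added example and not part of the article. It assumes GNU readlink and stat, does not need DIR to be a mount point (unlike fuser -c), and only sees processes whose /proc entries the caller may read, so run it as root for a complete answer.

```shell
#!/bin/sh
# Added example: report processes keeping DIR busy, the way fuser -cu would.
# Prints "PID CODE OWNER" where CODE contains c (current directory under
# DIR), r (root directory under DIR) and/or o (an open file under DIR).

busy_under() {  # busy_under DIR
    dir=$(readlink -f "$1") || return 1
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        code=""
        # current working directory inside DIR -> c
        case $(readlink "$p/cwd" 2>/dev/null) in
            "$dir"|"$dir"/*) code="${code}c" ;;
        esac
        # chroot'ed into DIR -> r
        case $(readlink "$p/root" 2>/dev/null) in
            "$dir"|"$dir"/*) code="${code}r" ;;
        esac
        # any open file descriptor pointing inside DIR -> o
        # (the glob stays literal for processes we may not inspect, and
        # readlink then simply fails)
        for fd in "$p"/fd/*; do
            case $(readlink "$fd" 2>/dev/null) in
                "$dir"|"$dir"/*) code="${code}o"; break ;;
            esac
        done
        [ -n "$code" ] || continue
        owner=$(stat -c %U "$p" 2>/dev/null || echo '?')
        echo "$pid $code $owner"
    done
}

if [ "${1:-}" = "demo" ]; then
    busy_under "${2:-/tmp}"
fi
```

Run as "sh script.sh demo /data". Because it walks every process rather than asking the kernel about one mount, it is slower than fuser but it also answers the question the article says fuser -c cannot: the cwd link tells you exactly which subdirectory the user is sitting in.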

Error reloading bind on server rndc: subdomain creation error

If you are getting the following error while creating a subdomain:

Error reloading bind on ServerName: rndc:

then check the named configuration file, /etc/named.conf; something is messed up there (named-checkconf /etc/named.conf reports the offending line).

Try to reload named and, if it still gives an error like "Error reloading bind", run this script:

/scripts/fixrndc

If even that gives you an error such as:

!! /var/named/domain.com.db does not exist, unable to locate.
!! Run /scripts/cleandns to remove zone without corresponding files.
!! Or locate the proper zone file and place in /var/named and rerun
!! This script with the following options: /script/fixndc -fv

then run /scripts/cleandns and reload named; that will solve your problem.

Creating SPF records

Sender Policy Framework (SPF) is a method by which the administrator of a domain explicitly specifies which mail servers are allowed to send mail for that domain. As it is just a TXT record put into the domain's DNS zone file, the setup is fairly straightforward. A very basic SPF record for mydomain.com might look like this:

mydomain.com IN TXT "v=spf1 a mx ~all"

The above specifies that this is an SPF record for mydomain.com:
v=spf1: a required header that indicates this is an SPF record
a: the host at the A record of mydomain.com is allowed to send email
mx: the hosts named in the MX records of mydomain.com are allowed to send email
~all: all other mail servers trying to send mail for the domain get a result of "softfail". The mail will usually still be accepted, but it is marked as suspect (and typically scored up by the receiver's spam filter)

Mechanisms are evaluated left to right and the first match wins, so "all" must come last. SPF checks the envelope sender (MAIL FROM) and the connecting IP, not the From: header the user sees, and it only says who may send for the domain; it does nothing to authenticate the message content.

If you wished to allow another server with the hostname mail2.mydomain.com to send mail as well, you would modify the record thus:

mydomain.com IN TXT "v=spf1 a mx a:mail2.mydomain.com ~all"

If you wish to give a hard fail, so that receivers reject mail from anything other than those servers, the record would look like:

mydomain.com IN TXT "v=spf1 a mx a:mail2.mydomain.com -all"

Before switching to -all, make sure every legitimate source (web forms, monitoring scripts, any third-party service that sends as the domain) is listed. Each a, mx and include mechanism costs the receiver a DNS lookup and evaluation stops after ten of them, so keep the record short.
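What a receiving mail server does with the records above, as an added example that is not part of the original post: a small SPF evaluator that walks the mechanisms left to right and returns the qualifier of the first one matching the connecting IP (pass, fail, softfail or neutral), with neutral as the result when nothing matches and there is no "all". Only the mechanisms used on this page plus ip4 are implemented (no include, redirect, ptr or exists). DNS is replaced by a constructed zone table using documentation addresses so it runs offline; in real use lookup_a and lookup_mx would wrap "dig +short".

```shell
#!/bin/sh
# Added example: minimal SPF evaluation with an offline zone table.

ZONE='mydomain.com A 192.0.2.10
mydomain.com MX mail.mydomain.com
mail.mydomain.com A 192.0.2.11
mail2.mydomain.com A 192.0.2.20'

lookup_a()  { printf '%s\n' "$ZONE" | awk -v h="$1" '$1 == h && $2 == "A"  { print $3 }'; }
lookup_mx() { printf '%s\n' "$ZONE" | awk -v h="$1" '$1 == h && $2 == "MX" { print $3 }'; }

# ip_in_cidr IP NET[/BITS] -> exit 0 if IP is inside the network (no BITS = /32)
ip_in_cidr() {
    awk -v ip="$1" -v net="$2" '
        function toint(a,  o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        BEGIN {
            n = split(net, p, "/"); bits = (n == 2) ? p[2] : 32
            d = 2 ^ (32 - bits)                  # size of the host part
            exit !(int(toint(ip) / d) == int(toint(p[1]) / d))
        }'
}

# spf_check RECORD SENDER_IP DOMAIN -> prints pass|fail|softfail|neutral|none|permerror
spf_check() {
    ip=$2; domain=$3
    set -- $1                                   # split the record into terms
    [ "$1" = "v=spf1" ] || { echo none; return; }
    shift
    for term in "$@"; do
        case $term in                           # leading qualifier, default +
            +*)   q=pass;     term=${term#+} ;;
            -*)   q=fail;     term=${term#-} ;;
            '~'*) q=softfail; term=${term#"~"} ;;
            '?'*) q=neutral;  term=${term#"?"} ;;
            *)    q=pass ;;
        esac
        cands=""
        case $term in
            all)   echo "$q"; return ;;
            ip4:*) ip_in_cidr "$ip" "${term#ip4:}" && { echo "$q"; return; }; continue ;;
            a)     cands=$(lookup_a "$domain") ;;
            a:*)   cands=$(lookup_a "${term#a:}") ;;
            mx)    cands=$(for h in $(lookup_mx "$domain"); do lookup_a "$h"; done) ;;
            mx:*)  cands=$(for h in $(lookup_mx "${term#mx:}"); do lookup_a "$h"; done) ;;
            *)     echo permerror; return ;;    # mechanism this evaluator does not know
        esac
        for c in $cands; do
            [ "$c" = "$ip" ] && { echo "$q"; return; }
        done
    done
    echo neutral
}

if [ "${1:-}" = "demo" ]; then
    for ip in 192.0.2.10 192.0.2.11 192.0.2.20 198.51.100.5; do
        printf '%-14s %s\n' "$ip" "$(spf_check 'v=spf1 a mx a:mail2.mydomain.com -all' "$ip" mydomain.com)"
    done
fi
```

The demo shows the three hosts from the record passing and a stranger failing; change -all to ~all and the stranger gets softfail instead, which is the whole difference between the two records above from the receiver's point of view.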

Clear exim Queue

Remove every frozen message. In exim -bp output the message ID is the third field and frozen messages carry "*** frozen ***" after the sender (exiqgrep -zi prints the same list of IDs without the awk):

exim -bp | awk '$6~"frozen" {print $3 }' | xargs exim -Mrm

Remove messages by searching the spool for a string. Each queued message is two files under /var/spool/exim/input/, <id>-H (envelope and headers) and <id>-D (body); the sed strips the directory and the -H/-D suffix to leave the message ID for exim -Mrm. grep -l lists both files when both match, so sort -u is added to pass each ID once:

grep -lr 'nobody@' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | sort -u | xargs exim -Mrm
grep -rl 'From: Mail Delivery System' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | sort -u | xargs exim -Mrm
grep -rl 'X-Spam-Status: Yes' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | sort -u | xargs exim -Mrm
grep -rl 'Subject: Mail delivery failed' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | sort -u | xargs exim -Mrm
grep -rl 'Message rejected' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | sort -u | xargs exim -Mrm
grep -rl 'retry time not reached for any host' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | sort -u | xargs exim -Mrm
grep -lr 'Cialis' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | sort -u | xargs exim -Mrm
grep -lr 'viagra' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | sort -u | xargs exim -Mrm
grep -lr 'Pharmaceutical' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | sort -u | xargs exim -Mrm
grep -lrF '***SPAM***' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | sort -u | xargs exim -Mrm

The '***SPAM***' search needs grep -F: as a regular expression the leading asterisks do not mean literal asterisks. The keyword searches (Cialis, viagra, Pharmaceutical) match on anything in a message, including a legitimate customer's mail, so check a few IDs with exim -Mvh <id> before removing by content. 'nobody@' catches mail injected by PHP scripts running as the web server user, which on a cPanel box is usually the spam run you are chasing, but it also hits every bounce addressed back to nobody. Messages that are mid-delivery are locked and exim -Mrm skips them with a message that the spool file is locked; rerun once the delivery attempt finishes.
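The two ID-extraction steps above as functions that can be checked against sample data before they are pointed at the live queue. This is an added example, not code from the original post: frozen_ids and sender_ids parse "exim -bp" output, spool_ids turns spool file paths (as printed by grep -l) into unique message IDs, and none of them calls exim -Mrm; the queue listing and file names are constructed samples.

```shell
#!/bin/sh
# Added example: pick message IDs out of exim -bp output and spool paths.

# exim -bp prints one line per message:  age size id <sender> [*** frozen ***]
# followed by indented recipient lines. Only the message line has a
# well-formed ID in field 3.
frozen_ids() {  # frozen_ids < exim-bp-output
    awk '/\*\*\* frozen \*\*\*/ && $3 ~ /^[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+$/ { print $3 }'
}

sender_ids() {  # sender_ids PATTERN < exim-bp-output -> IDs whose envelope sender matches
    awk -v pat="$1" '$4 ~ /^<.*>$/ && $4 ~ pat { print $3 }'
}

# "/var/spool/exim/input/1KxQ2a-0003Fz-Gd-H" -> "1KxQ2a-0003Fz-Gd", each ID once
spool_ids() {  # spool_ids < list-of-spool-paths
    sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/' | sort -u
}

# Constructed samples for a stand-alone run.
SAMPLE_QUEUE=' 25m  1.2K 1KxQ2a-0003Fz-Gd <nobody@host.example.com> *** frozen ***
          victim@example.org

  3h   14K 1KxPzz-0001Ab-Qe <alice@mydomain.com>
          bob@example.net

  2d  3.4K 1KxNvv-0007Cc-Mm <> *** frozen ***
          nobody@host.example.com'

SAMPLE_FILES='/var/spool/exim/input/1KxQ2a-0003Fz-Gd-H
/var/spool/exim/input/1KxQ2a-0003Fz-Gd-D
/var/spool/exim/input/1KxNvv-0007Cc-Mm-D'

if [ "${1:-}" = "demo" ]; then
    echo "frozen:";            printf '%s\n' "$SAMPLE_QUEUE" | frozen_ids
    echo "from nobody@:";      printf '%s\n' "$SAMPLE_QUEUE" | sender_ids 'nobody@'
    echo "from spool paths:";  printf '%s\n' "$SAMPLE_FILES" | spool_ids
    # live:  exim -bp | frozen_ids | xargs exim -Mrm
fi
```

Note that the bounce in the sample (sender <>) is frozen but has a recipient line containing nobody@: sender_ids ignores it because it only looks at the sender field, which is exactly the distinction the raw grep over spool files cannot make.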

Bash shortcuts

Bash is the default shell on most Linux systems; knowing its keyboard shortcuts saves typing and avoids typos.

The following shortcuts will save you precious time.

#) Using Ctrl combinations:

ctrl+a : jump to the beginning of the line you are typing on
ctrl+b : move back one character
ctrl+c : terminate the running command
ctrl+d : delete the character under the cursor; on an empty line it sends end-of-file, which exits the current shell
ctrl+e : jump to the end of the line you are typing on
ctrl+f : move forward one character
ctrl+h : delete the character before the cursor (works as backspace)
ctrl+k : delete from the cursor to the end of the line
ctrl+l : clear the screen
ctrl+r : search the history backwards (keep pressing ctrl+r for older matches)
ctrl+t : transpose the two characters around the cursor
ctrl+w : erase the word before the cursor
ctrl+x ctrl+x : jump between the beginning of the line and the current cursor position
ctrl+x @ : show possible hostname completions
ctrl+y : paste back the text you last deleted
ctrl+z : suspend the running command (fg resumes it)

#) Using Alt combinations:

Alt + > : move to the last line in the history (the line you were typing)
Alt + ? : show the current completion list
Alt + * : insert all possible completions
Alt + / : attempt filename completion
Alt + . : insert the last argument of the previous command
Alt + b : move back one word
Alt + c : capitalize the word
Alt + d : delete the word after the cursor
Alt + f : move forward one word
Alt + l : make the word lowercase
Alt + n : search the history forwards (non-incremental)
Alt + p : search the history backwards (non-incremental)
Alt + r : revert the line, undoing all changes made to it
Alt + t : transpose the two words around the cursor
Alt + u : make the word uppercase
Alt + backspace : delete the word before the cursor

#) Using Esc combinations (Esc followed by a key does the same as Alt + key, which helps on terminals that eat Alt):

esc d : delete word
esc f : move forward a word
esc b : move backward a word
esc t : transpose two adjacent words

#) Using Tab:

*) Press tab twice on an empty line to see all available commands.
*) Press tab twice after a partial word to view all commands starting with it.
*) Type ~ and press tab twice to list all users on the system (from /etc/passwd).
*) Type $ and press tab twice to list all shell and environment variables.
*) Type / and press tab twice to list the entries of the root directory, hidden ones included.

#) Some extras:

*) To complete a command, hit tab after typing one or more letters of it.
*) !abc re-runs the most recent command starting with abc. It runs immediately without showing you the command first, so use !abc:p to print it, then !! to run it once you have seen it.

If Apache won't start

If Apache won't start for any of the following reasons:

Invalid command 'BytesLog', perhaps mis-spelled or defined by a module not included in the server configuration
/usr/local/apache/bin/apachectl start: httpd could not be started

OR

Cannot load /usr/local/apache/libexec/mod_bwlimited.so into server:
/usr/local/apache/libexec/mod_bwlimited.so: cannot open shared object file: No such file or directory
/usr/local/apache/bin/apachectl start: httpd could not be started

OR

Cannot load /usr/local/apache/libexec/mod_log_bytes.so into server:
/usr/local/apache/libexec/mod_log_bytes.so: cannot open shared object file: No such file or directory
/usr/local/apache/bin/apachectl start: httpd could not be started

The problem with this kind of symptom is most likely that mod_bwlimited.so, mod_log_bytes.so or mod_bandwidth.so has been deleted or corrupted. These three modules are unique to cPanel-powered web hosting and are used to control, monitor or restrict bandwidth usage. If nothing was rebuilt or updated on the box, find out what removed them before simply recompiling.

The resolution is to recompile and reinstall the missing shared library modules. You can compile these cPanel modules for Apache with the following commands:

cd /usr/local/cpanel/apache
/usr/local/apache/bin/apxs -iac mod_log_bytes.c
/usr/local/apache/bin/apxs -iac mod_bwlimited.c
/usr/local/apache/bin/apxs -iac mod_bandwidth.c
/scripts/restartsrv httpd

After compilation the .so files are copied automatically into Apache's libexec directory (apxs -c compiles, -i installs and -a adds the LoadModule line to the configuration).

Apache fixes

Starting Apache

Sometimes Apache refuses to start. When this happens sweat instantly appears on your forehead because without Apache running none of your websites are available. Here are some things you can try, based on problems we've come across. Hitting the reset switch isn't the solution and not something you should do when you come across a problem like this.

The correct way to start, stop or restart Apache is through apachectl, or the init script that calls it for you. Such as:

* /sbin/service httpd graceful
* /sbin/service httpd stop
* /sbin/service httpd restart

Checking Apache configuration
apachectl can also be used to check the Apache configuration, such as:

* /sbin/service httpd configtest
This will return warnings and errors. Run it before every restart: a restart with a broken configuration leaves you with no web server at all.

Check the Apache error logs
Take a look at the error logs (usually "/var/log/httpd/") and see if you can find what's causing the problem.

1) ---------- Error ----------

(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down

---------- Solution ----------
This is caused by another process already listening on port 443 (the secure socket port), typically a previous httpd that did not exit cleanly. To fix this problem first find the process IDs holding port 443:

* /sbin/fuser 443/tcp

This will return results which look something like:

443/tcp: xxxx yyyy zzzz <- processes using 443

Where xxxx, yyyy and zzzz are the process IDs. Check what they are before killing them (fuser -v 443/tcp shows the user and command; anything other than httpd sitting on 443 is worth investigating), then kill the processes with:

* kill xxxx yyyy zzzz

and only if they refuse to go away:

* kill -9 xxxx yyyy zzzz

Apache will not start. Error log contains:

2) ---------- Error ----------

(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
[emerg] (28)No space left on device: Couldn't create accept lock

OR

[crit] (28)No space left on device: mod_rewrite: could not create rewrite_log_lock Configuration Failed

Now, checking your disk shows that you have plenty of space. The problem is that Apache didn't shut down properly and has left myriads of semaphore arrays behind, owned by the Apache user (nobody on cPanel). The "No space left on device" refers to the kernel's limit on the number of semaphore arrays (SEMMNI), not to the disk.

---------- Solution ----------
Run the following commands (in that order). First list the semaphores owned by the Apache user:

* /usr/bin/ipcs -s | grep nobody

Removing these semaphores should solve the problem and allow Apache to start. Make sure httpd is really stopped first, or you will pull the semaphores out from under a running server:

* /usr/bin/ipcs -s | grep nobody | perl -e 'while (<>) { @a=split(/\s+/); print `ipcrm sem $a[1]` }'
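The semaphore cleanup as a function that reads "ipcs -s" output on stdin and prints the ipcrm command for every semaphore array owned by a given user. Parsing from stdin means it can be tested on captured output, and ipcrm is only printed, not run, until you pipe the result into sh yourself. This is an added example, not code from the original post; the ipcs listing is a constructed sample in the Linux util-linux format, and as above it should only be run against a live box while httpd is stopped.

```shell
#!/bin/sh
# Added example: stale SysV semaphore cleanup driven by "ipcs -s" output.

stale_sem_cmds() {  # stale_sem_cmds OWNER < "ipcs -s" output -> ipcrm commands
    awk -v owner="$1" '
        # data lines look like:  0x00000000 32768 nobody 600 1
        # the header and "------ Semaphore Arrays --------" lines never have
        # a hex key in $1, so matching on $1 filters them out
        $1 ~ /^0x[0-9a-fA-F]+$/ && $3 == owner { printf "ipcrm -s %s\n", $2 }
    '
}

count_sems() {  # count_sems OWNER < "ipcs -s" output -> number of arrays
    stale_sem_cmds "$1" | wc -l | tr -d ' '
}

# Constructed sample of "ipcs -s" output.
SAMPLE_IPCS='
------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 32768      nobody     600        1
0x00000000 65537      nobody     600        1
0x00000000 98306      root       600        1
0x0052e2c1 131075     nobody     666        1'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_IPCS" | stale_sem_cmds nobody
    # live, with httpd stopped:  ipcs -s | stale_sem_cmds nobody | sh
fi
```

Matching on the owner column rather than grepping the whole line avoids removing a semaphore that merely has "nobody" somewhere else on the line, and ipcrm -s is the current util-linux syntax for what the older "ipcrm sem" form does.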

Thursday, September 4, 2008

php as CGI interpreter and PHP AS AN APACHE MODULE


PHP Secure Installation



Vulnerabilities in PHP applications turn up constantly, so the PHP installation itself should be secured as far as possible. Because of PHP's popularity and wide use, the developers and administrators who skip the security-relevant choices at installation time are the ones who end up in trouble.

First comes the question of choosing the platform for PHP. I have chosen Linux and the Apache web server to explain this because of their performance and security track record. It depends on the developer's needs whether PHP is installed as an Apache module or as a CGI interpreter; when choosing between the two, you should consider the advantages and drawbacks of each method.

Building PHP as a shared object (DSO) means that you can compile Apache separately and don't have to recompile everything when you add to or change PHP. Building PHP into Apache statically means that PHP will load and run faster.

Advantages of loading PHP as a DSO (shared module)

  1. Server is more flexible. It can be run as SSL, mod_perl, or php with only one installation.
  2. Servers can be extended with other modules even after installation.
  3. Easier module development and testing as the compiling apache source is not required each time the module is changed.

Disadvantages of the DSO approach

  1. DSO is not supported on all platforms.
  2. Startup of the server is 20% slower due to symbol resolving.
  3. The server is approximately 5% slower at execution time under some platforms because position independent code (PIC) sometimes needs complicated assembler tricks for relative addressing which are not necessarily as fast as absolute addressing.
  4. DSO can produce a slightly slower server depending on the platform and its address resolution.
  5. DSO modules cannot be linked with other DSO modules. For example a.out-based platforms usually don't provide this functionality while ELF-based platforms do. You cannot use the DSO mechanism for all types of modules. This requires either the code be referenced directly through the Apache core, or that you compile Apache with chaining available.
  6. Some platforms cannot force the linker to export all global symbols for linking DSO and Apache executables. This is overcome using the SHARED_CORE feature of Apache and is used by default on such platforms.

Advantages/Disadvantages of compiling PHP as a CGI interpreter

  1. PHP can be compiled as a CGI binary, which allows a user to separate PHP from the web server entirely; with suexec (or suPHP) each account's scripts then run as that account's own Unix user instead of the shared web server user, so one customer's script cannot read another customer's files. Each PHP script will need a first line that points to the PHP binary, just as with Perl:
    #!/usr/local/bin/php
  2. CERT Advisory CA-96.11 advises against placing any type of interpreter in the CGI-BIN, because anyone can then invoke it directly with arguments or input of their choosing, so it is a good idea to create an isolated directory from which PHP is run.
  3. PHP has built-in security measures to prevent this kind of attack as well. In the PHP configuration file you can set the following:
    • doc_root: this option only works when PHP is installed in Safe Mode. It specifies the root document directory for PHP; scripts outside this directory will not be interpreted.
    • user_dir: this option only works when PHP is installed in Safe Mode. It specifies the per-user directory from which scripts may run, so that scripts outside it cannot be executed.
    • --enable-force-cgi-redirect (a configure option): makes the CGI binary refuse requests that reach it directly rather than through an internal Apache redirect, so scripts cannot be accessed by naming the interpreter in the URL. Scripts are redirected to a URL that hides their full path name.
      http://yoursite/test.php#test.cgi

Building as a CGI binary means efficiency could be improved by having only a single Perl interpreter running in memory and passing it the Perl scripts. This is where mod_perl comes into the picture: it provides a single embedded Perl interpreter within the Apache web server, which can be either statically linked or loaded as a DSO module.

Some of the advantages of mod_perl are:

  • Able to write Apache modules entirely in Perl.
  • Having a persistent interpreter in the server saves the overhead of starting a Perl interpreter for each script.
  • Offers code caching, where the modules and scripts are being loaded and compiled only once.
  • Increased power and speed.
  • Full access to the web server.
  • Allows customized processing of URI-to-filename translation, authentication, response generation and logging with practically no run-time overhead.
  • Performance improvements of 200% - 2000% are apparently obtained.

One major drawback of compiling PHP as a CGI interpreter is a lack of efficiency when handling high-traffic applications.

PHP installation is very easy, but installing PHP in a secure manner depends on your platform, the installation type you select, and the configuration options you consider. Whatever method you choose, please remember to follow the recommended PHP configuration options.

There are various options that can be set in PHP to increase the overall security of your server. We will discuss some of the most common and useful options.

safe_mode
Safe mode is required for nearly all of the following options; it allows PHP to impose more security restrictions than a normal configuration.
safe_mode_exec_dir
Setting this variable forces PHP to execute only from a specified directory.
open_basedir
This option controls which directories PHP scripts are allowed to access files from. By default PHP allows a script to access files from anywhere, so it is recommended that this option be set. By predefining the valid directories, data can be protected.
max_execution_time
This variable lets you set the maximum execution time a script may have. If a script runs longer than the allocated time, it is terminated. This option helps prevent attackers from tying up your web server with malicious scripts that could cause a denial of service.
memory_limit
This controls the maximum amount of memory a script can use. Using it helps prevent buffer overflows, which may lead to more serious threats.
upload_tmp_dir
This designates where PHP will place files that are being uploaded.
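The options above are easy to leave at their defaults by mistake, so here is a small audit script, added as an example for this post rather than taken from it, that reads a php.ini and reports each of these options that is unset or set to an unlimited value. The two sample ini files it writes are constructed for the demo; the directory paths in them are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a php.ini for the hardening
# options discussed above. The sample ini files are constructed for the demo.

# ini_get FILE KEY: print the value of KEY from the first uncommented "KEY = value"
# line (surrounding quotes stripped), or nothing if the key is not set.
ini_get() {
    awk -v key="$2" -F'=' '
        /^[[:space:]]*[;#]/ { next }                 # skip comment lines
        {
            k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)   # everything after the first "="
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                gsub(/"/, "", v)
                print v; exit
            }
        }' "$1"
}

# audit_php_ini FILE: print one line per weak or missing option. The return value
# is the number of findings, so 0 means every option checked here is set.
audit_php_ini() {
    f=$1; n=0
    v=$(ini_get "$f" safe_mode)
    case "$v" in
        [Oo]n|1|[Tt]rue) ;;
        *) echo "safe_mode=${v:-unset}: safe_mode_exec_dir, doc_root and user_dir depend on it"; n=$((n+1)) ;;
    esac
    for key in safe_mode_exec_dir open_basedir upload_tmp_dir; do
        v=$(ini_get "$f" "$key")
        [ -n "$v" ] || { echo "$key unset: no directory restriction is applied"; n=$((n+1)); }
    done
    v=$(ini_get "$f" max_execution_time)
    case "$v" in
        ''|0|*[!0-9]*) echo "max_execution_time=${v:-unset}: 0 or unset means no limit"; n=$((n+1)) ;;
    esac
    v=$(ini_get "$f" memory_limit)
    case "$v" in
        ''|-1) echo "memory_limit=${v:-unset}: -1 or unset means no limit"; n=$((n+1)) ;;
    esac
    return $n
}

# Constructed sample: a loosely configured php.ini (every check above fails).
write_weak_ini() {
    cat > "$1" <<'EOF'
; constructed sample, not a real php.ini
safe_mode = Off
max_execution_time = 0
memory_limit = -1
; open_basedir =
EOF
}

# Constructed sample: the same file with the options from this post set
# (paths are assumptions, adjust to your layout).
write_hardened_ini() {
    cat > "$1" <<'EOF'
; constructed sample, not a real php.ini
safe_mode = On
safe_mode_exec_dir = "/var/www/php-bin"
open_basedir = "/var/www/html"
max_execution_time = 30
memory_limit = 8M
upload_tmp_dir = "/var/www/tmp"
EOF
}

# Run with --demo to audit both constructed samples; point audit_php_ini at
# /usr/local/lib/php.ini to check a real installation.
case "${1:-}" in
    --demo)
        f=$(mktemp)
        for w in write_weak_ini write_hardened_ini; do
            $w "$f"; echo "== $w"; audit_php_ini "$f" && echo "no findings"
        done
        rm -f "$f" ;;
esac
```

The weak sample produces six findings and the hardened one none; the return value of audit_php_ini is the finding count, so it can gate a deployment script.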

We will discuss both cases here.

PHP AS AN APACHE MODULE:

Here Apache should run as an ordinary user with least privilege. Never run Apache as root, and try to run it in a chroot jail. Running PHP as an Apache module is fine; of the two approaches it provides the most security. The steps to install and configure it are as follows:
  1. gunzip apache_xxx.tar.gz
  2. tar -xvf apache_xxx.tar
  3. gunzip php-xxx.tar.gz
  4. tar -xvf php-xxx.tar
  5. cd apache_xxx
  6. ./configure --prefix=/www --enable-module=so
  7. make
  8. make install
  9. cd ../php-xxx
  10. ./configure --with-mysql --with-apxs=/www/bin/apxs
  11. make
  12. make install

    If you decide to change your configuration options after installation, you just have to repeat the last three steps. You also have to restart apache for the new module to take effect. A recompile of Apache is not needed.

  13. cp php.ini-dist /usr/local/lib/php.ini

    You can edit your .ini file to set PHP options. If you prefer this file in another location, use --with-config-file-path=/path when configuring PHP in step 10.

  14. Edit your httpd.conf or srm.conf file and check that these lines are present and not commented out:
    AddType application/x-httpd-php .php
    LoadModule php4_module libexec/libphp4.so

The path on the right hand side of the LoadModule statement must point to the path of the PHP module on your system. The above statement is correct for the steps shown above.

Different examples of compiling PHP for apache are as follows:

./configure --with-apxs --with-pgsql

This will create a libmodphp4.a library, a mod_php4.c and some accompanying files and copy this into the src/modules/php4 directory in the Apache source tree. Then you compile Apache using --activate-module=src/modules/php4/libphp4.a and the Apache build system will create libphp4.a and link it statically into the httpd binary. The PostgreSQL support is included directly into this httpd binary, so the final result here is a single httpd binary that includes all of Apache and all of PHP.

./configure --with-apache=/path/to/apache_source --with-pgsql=shared
./configure --enable-debug=no (Note: this will not disclose the physical path if an error occurs.)
./configure --enable-safe-mode

Turning the banner off in Apache's configuration file httpd.conf stops the server from disclosing its banner information. This makes attacks more difficult for would-be intruders.

Let's consider the second case.

PHP AS A CGI INTERPRETER:

Download the latest version of PHP from http://www.php.net/downloads.php.
  1. Extract the package
    # tar zxvf php-x.x.x.tar.gz (where x.x.x is the version number)
  2. Change to the PHP directory
    # cd php-x.x.x
  3. Configure it with the various options present
    # ./configure --without-apache --without-apxs --enable-force-cgi-redirect

This tells PHP that it is built without Apache support, as a CGI binary. You should get the binary in /usr/local/bin/php.

Now you know why it is compiled with the --enable-force-cgi-redirect option.

The CGI binary isn't compiled into Apache; it runs as a separate process and user. Hence the question of where to place the CGI binary. I would suggest placing the CGI binary outside the web directory, as the risk is greatly reduced that way, and also make sure that you have enabled safe mode in the php.ini configuration file.

Most commonly, attacks arise in the form of getting access to files. You can therefore prevent users from calling the CGI binary directly by forcing a CGI redirect within Apache. For this, just add the following directives to Apache's httpd.conf file:

Action php-script /cgi-bin/php.cgi
AddHandler php-script .php

Now you will see that the URL

http://test.com/application/test.htm

is rewritten into:

http://test.com/cgi-bin/php/application/test.htm

Note: Ensure that you perform permission checks on the application directory in the process.

This gives you the added benefit of making the URL a little shorter. Lastly, change your doc_root and user_dir options in the php.ini appropriately.

SUMMARY:

Here we have discussed how best to secure a PHP installation in both cases. I hope this will be helpful to all those who are keen on securing PHP and thus eliminating many of the security risks involved.

Thursday, August 7, 2008

Using your VPS's /proc/user_beancounters

Solution

If you are having trouble running or installing applications on your VPS, one good way to find the source of the problem is to use the special file /proc/user_beancounters which shows the resource control information about running virtual environments.

To view /proc/user_beancounters on your VPS, log in to your VPS via SSH.
In the SSH terminal, type:

cat /proc/user_beancounters

Then hit Enter.

After you hit Enter, you should see something that looks similar to the following:

root@srv1 [~]# cat /proc/user_beancounters
Version: 2.5
uid resource held maxheld barrier limit failcnt
10039: kmemsize 5125208 5128321 40098656 44108521 129
lockedpages 0 0 881 881 0
privvmpages 77431 77666 750000 825000 0
shmpages 9051 9051 33324 33324 0
dummy 0 0 0 0 0
numproc 67 67 440 440 0
physpages 44243 44371 0 2147483647 0
vmguarpages 0 0 125000 2147483647 0
oomguarpages 59239 59367 125000 2147483647 0
numtcpsock 37 38 440 440 0
numflock 3 3 704 704 0
numpty 1 1 44 44 0
numsiginfo 0 1 1024 1024 0
tcpsndbuf 79920 88800 4212558 6014798 0
tcprcvbuf 2220 4440 4212558 6014798 0
othersockbuf 19552 91280 2106279 3908519 0
dgramrcvbuf 0 2220 2106279 2106279 0
numothersock 18 20 440 440 0
dcachesize 406435 410022 8750726 9013248 0
numfile 1080 1081 7040 7040 0
dummy 0 0 0 0 0
dummy 0 0 0 0 0
dummy 0 0 0 0 0
numiptent 71 71 512 512 0

That is your /proc/user_beancounters file.

If you look at the first data line, the number to the left of it (under uid) is the numeric identifier of the Virtual Environment.

The field held shows the current counter for the Virtual Environment (resource "usage").
The field maxheld shows the counter's maximum for the lifetime of the Virtual Environment. The lifetime of the Virtual Environment is usually just the time between the start and stop of your VPS.
The barrier and limit fields are resource control settings. For some parameters only one of them may be used, for others, both. These fields may display resource limits or guarantees, and the exact meaning of them is parameter-specific.
The field failcnt shows the number of refused "resource allocations" for the lifetime of the Virtual Environment. The failcnt counter is increased only for accounting parameters. The failcnt field is the one you will be looking at for errors.

If you look at the example above, you will see that the parameter kmemsize has a failcnt of 129. That is because in this example the VPS did not have enough memory available to install an application, so the failcnt counter recorded the 129 memory failures next to the parameter kmemsize in its /proc/user_beancounters file. We know the problem was memory because the failcnt next to kmemsize increased after trying to install the application.

In this article, we will concentrate on the following parameters:

  • kmemsize
    This is the parameter that shows the size of unswappable memory, allocated by the operating system kernel. If the failcnt value increases on this parameter, most likely there is not a sufficient amount of memory available to run the application.
  • lockedpages
    This is process pages not allowed to be swapped out. The size of these pages is also accounted into kmemsize. Note that typical server applications like Web, FTP, and mail servers do not use memory locking features. If the failcnt value increases on this parameter, most likely there is not a sufficient amount of memory available to run the application.
  • privvmpages
    This is the memory allocation limit. This parameter allows controlling the amount of memory allocated by applications. If the failcnt value increases on this parameter, most likely there is not a sufficient amount of memory available to run the application.
  • shmpages
    This is the total size of the shared memory (IPC, shared anonymous mappings and tmpfs objects). These pages are also accounted into privvmpages. Its configuration affects functionality and resource shortage reaction of the applications in the given Virtual Environment only. Again, if the failcnt value increases on this parameter, most likely there is not a sufficient amount of memory available to run the application.
  • physpages
    This is the total number of RAM pages used by processes in this Virtual Environment. Unlike other accounting methods, the sum of physpages usage for all Virtual Environments yields the total number of pages used in the system by all Virtual Environments. This is currently an accounting-only parameter; it does not set any limits or barriers. If the failcnt value increases on this parameter, most likely there is not a sufficient amount of memory available to run the application.
  • vmguarpages
    This parameter controls how much memory is available to the Virtual Environment. The vmguarpages parameter does not have its own accounting. The current amount of allocated memory is accounted into another parameter (privvmpages). If the failcnt value increases on this parameter, most likely there is not a sufficient amount of memory available to run the application.
  • oomguarpages
    This is the guaranteed amount of memory in case the memory is "over-booked" (out-of-memory kill guarantee). The failcnt counter of the oomguarpages parameter increases when a process in this Virtual Environment is killed because of an out-of-memory situation, but not when the barrier is reached. Again, if the failcnt value increases on this parameter, most likely there is not a sufficient amount of memory available to run the application.
  • numfile
    This is the number of "files" in use, including real files, sockets and pipes. The configuration of this parameter affects functionality and resource shortage reaction of applications in the given Virtual Environment only. If the failcnt value increases on this parameter, you are trying to have too many files open at once.
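Reading the whole table by eye works once, but for a recurring check it is handier to script it. The following is an added example, not part of the original post: two awk-based functions that take the path of a beancounters file (on a live VPS, /proc/user_beancounters) and report, respectively, every resource whose failcnt is non-zero and every resource whose current usage is close to its barrier. The sample file it writes is a subset of the output shown above.

```shell
#!/bin/sh
# Added example (not part of the original post): summarise /proc/user_beancounters.
# Both report functions take a file path so they also work on a saved copy.

# write_sample_beancounters FILE: a subset of the sample output shown in the post,
# so the functions can be tried offline.
write_sample_beancounters() {
    cat > "$1" <<'EOF'
Version: 2.5
uid resource held maxheld barrier limit failcnt
10039: kmemsize 5125208 5128321 40098656 44108521 129
lockedpages 0 0 881 881 0
privvmpages 77431 77666 750000 825000 0
shmpages 9051 9051 33324 33324 0
numproc 67 67 440 440 0
physpages 44243 44371 0 2147483647 0
vmguarpages 0 0 125000 2147483647 0
oomguarpages 59239 59367 125000 2147483647 0
numfile 1080 1081 7040 7040 0
numiptent 71 71 512 512 0
EOF
}

# beancounter_failures FILE: print "resource failcnt" for every resource whose
# allocation has been refused at least once (failcnt > 0).
beancounter_failures() {
    awk '
        /^Version:/ || $1 == "uid" { next }   # skip the two header lines
        {
            o = ($1 ~ /:$/) ? 1 : 0           # first data row carries the "uid:" prefix
            if ($(6+o) > 0) print $(1+o), $(6+o)
        }' "$1"
}

# beancounter_pressure FILE PCT: print "resource percent" for resources whose
# current usage (held) is at least PCT percent of their barrier. Resources with a
# barrier of 0 or 2147483647 (accounting-only or unlimited) are skipped.
beancounter_pressure() {
    awk -v pct="${2:-80}" '
        /^Version:/ || $1 == "uid" { next }
        {
            o = ($1 ~ /:$/) ? 1 : 0
            held = $(2+o); barrier = $(4+o)
            if (barrier == 0 || barrier == 2147483647) next
            used = int(held * 100 / barrier)
            if (used >= pct) print $(1+o), used
        }' "$1"
}

# Run with --demo to try it on the constructed sample; on a VPS pass
# /proc/user_beancounters to the two functions instead.
case "${1:-}" in
    --demo)
        f=$(mktemp); write_sample_beancounters "$f"
        echo "resources with refused allocations:"; beancounter_failures "$f"
        echo "resources at or above 25% of their barrier:"; beancounter_pressure "$f" 25
        rm -f "$f" ;;
esac
```

On the sample, beancounter_failures reports only kmemsize (129 refusals), while beancounter_pressure at a 25% threshold flags shmpages (27%) and oomguarpages (47%), which are the parameters to watch before their failcnt starts climbing.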

Wednesday, August 6, 2008

Passwordless ssh[ssh tunneling]

ssh-keygen -d
[hit enter three times]
[Replacing "username" and "ipaddress" with yours,
copy&paste/type:]
ssh username@ipaddress 'test -d .ssh || mkdir -m 0700 .ssh ;
cat >> .ssh/authorized_keys && chmod 0600 .ssh/*' < ~/.ssh/id_dsa.pub
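The one-liner above appends the key every time it is run, so repeating it leaves duplicate entries in authorized_keys. Below is an added example, not from the original post, of a small function that installs a public key only if it is not already present and enforces the 0700/0600 permissions sshd requires; it can be run on the server directly or piped through ssh the same way. The sample public key it writes is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not part of the original post): install a public key into an
# authorized_keys file without creating duplicates and with the permissions
# sshd expects.

# add_authorized_key PUBKEY_FILE [AUTHORIZED_KEYS]
# Returns 0 when the key was added, 2 when it was already present, 1 on error.
add_authorized_key() {
    pub=$1
    auth=${2:-$HOME/.ssh/authorized_keys}
    dir=$(dirname "$auth")
    [ -d "$dir" ] || mkdir -p "$dir"
    chmod 0700 "$dir"                       # sshd ignores the file if ~/.ssh is group/world writable
    # The key type and base64 body identify a key; the trailing comment is free text,
    # so compare only the first two fields.
    keyid=$(awk 'NF >= 2 { print $1, $2; exit }' "$pub")
    [ -n "$keyid" ] || { echo "no public key found in $pub" >&2; return 1; }
    if [ -f "$auth" ] && grep -qF -- "$keyid" "$auth"; then
        return 2
    fi
    awk 'NF >= 2 { print; exit }' "$pub" >> "$auth"   # copy exactly one key line, newline-terminated
    chmod 0600 "$auth"
}

# count_authorized_keys AUTHORIZED_KEYS: number of key lines (blank and comment lines ignored)
count_authorized_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1"
}

# write_sample_pubkey FILE: a constructed placeholder in public-key format (not a real key)
write_sample_pubkey() {
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey000000 user@example\n' > "$1"
}

# Run with --demo to see the duplicate check in action in a temporary directory.
case "${1:-}" in
    --demo)
        d=$(mktemp -d)
        write_sample_pubkey "$d/id.pub"
        add_authorized_key "$d/id.pub" "$d/.ssh/authorized_keys" && echo "added"
        add_authorized_key "$d/id.pub" "$d/.ssh/authorized_keys" || echo "already present (rc=$?)"
        echo "keys on file: $(count_authorized_keys "$d/.ssh/authorized_keys")"
        rm -rf "$d" ;;
esac
```

To use it remotely in the spirit of the post's one-liner, send the script and the key over the same session, for example by piping the script to `ssh username@ipaddress sh -s` with the public key file copied alongside; OpenSSH's ssh-copy-id performs the same append for you but does not check for existing entries.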

Tuesday, August 5, 2008

aPaChe ApAcHe
