Monday, January 31, 2011

What are Error Codes?

These numbered error codes are how the server tells website visitors about an error encountered. There are many different error codes that a server can deliver, but these are a few of the more common codes.

401 : Unauthorized
Access to the URL resource requires user authentication which either has not yet been provided, or which has been provided but failed. This is commonly known as password protection. Unless you have a good reason to do so, it is not recommended to redirect a 401 error.

403 : Forbidden
The request was a legal request, but the server is refusing to respond to it. Unlike a 401 Unauthorized response, authenticating will make no difference. This is usually due to a scripting or file permissions issue.

404 : Not Found
This response code indicates that the visitor was able to communicate with the server, but either the server could not find what was requested, or it was configured not to fulfill the request and not reveal the reason. Error 404 should not be confused with "server not found" or similar errors, in which a connection to the destination server cannot be made at all.

500 : Internal Server Error
Your web server encountered an unexpected condition that prevented it from fulfilling the visitor's request. Basically, something has gone wrong, but the server cannot be more specific about the error condition in its response to the visitor.

Common problems

If you are still seeing the HostGator error pages, try refreshing your browser (Ctrl + F5). If you still see the HostGator pages, add this code to the .htaccess file in your public_html directory:
ErrorDocument 403 /403.shtml
ErrorDocument 404 /404.shtml
ErrorDocument 500 /500.shtml

You can even use existing pages as the resulting page. Say you don't want any visitors seeing 404 errors on your site. You can make your home page the result, like so:
ErrorDocument 404 /index.html

If Internet Explorer is not displaying the custom error page, it is likely because the page is too small: the error page must be larger than 1 kilobyte.

There are many error pages which may be defined.
Client Request Errors
400 - Bad Request
401 - Authorization Required
403 - Forbidden
404 - Not Found
405 - Method Not Allowed
406 - Not Acceptable (encoding)
407 - Proxy Authentication Required
408 - Request Timed Out
409 - Conflicting Request
410 - Gone
411 - Content Length Required
412 - Precondition Failed
413 - Request Entity Too Long
414 - Request URI Too Long
415 - Unsupported Media Type

Server Errors
500 - Internal Server Error
501 - Not Implemented
502 - Bad Gateway
503 - Service Unavailable
504 - Gateway Timeout
505 - HTTP Version Not Supported

How can I revert back to the default error pages?
Simply delete the error pages from the public_html folder:
404.shtml
403.shtml
500.shtml

Successful Client Requests:
200 OK
201 Created
202 Accepted
203 Non-Authoritative Information
204 No Content
205 Reset Content
206 Partial Content

Client Request Redirected:
300 Multiple Choices
301 Moved Permanently
302 Moved Temporarily
303 See Other
304 Not Modified
305 Use Proxy

Client Request Errors:
400 Bad Request
401 Authorization Required
402 Payment Required (not used yet)
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable (encoding)
407 Proxy Authentication Required
408 Request Timed Out
409 Conflicting Request
410 Gone
411 Content Length Required
412 Precondition Failed
413 Request Entity Too Long
414 Request URI Too Long
415 Unsupported Media Type

Server Errors:
500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Gateway Timeout
505 HTTP Version Not Supported

Common FTP error codes

Common FTP codes. What do they mean?
Here's a list of some of the most common FTP codes you might see:

100 Codes: The requested action is being taken. Expect a reply before proceeding with a new command.
110 Restart marker reply.
120 Service ready in (n) minutes.
125 Data connection already open, transfer starting.
150 File status okay, about to open data connection.

200 Codes: The requested action has been successfully completed.
200 Command okay.
202 Command not implemented.
211 System status, or system help reply.
212 Directory status.
213 File status.
214 Help message.
215 NAME system type. (NAME is an official system name from the list in the Assigned Numbers document.)
220 Service ready for new user.
221 Service closing control connection. (Logged out if appropriate.)
225 Data connection open, no transfer in progress.
226 Closing data connection. Requested file action successful (file transfer, abort, etc.).
227 Entering Passive Mode
230 User logged in, proceed.
250 Requested file action okay, completed.
257 "PATHNAME" created.

300 Codes: The command has been accepted, but the requested action is being held pending receipt of further information.
331 User name okay, need password.
332 Need account for login.
350 Requested file action pending further information.

400 Codes: The command was not accepted and the requested action did not take place.
The error condition is temporary, however, and the action may be requested again.
421 Service not available, closing control connection. (May be a reply to any command if the service knows it must shut down.)
425 Can't open data connection.
426 Connection closed, transfer aborted.
450 Requested file action not taken. File unavailable (e.g., file busy).
451 Requested action aborted, local error in processing.
452 Requested action not taken. Insufficient storage space in system.

500 Codes: The command was not accepted and the requested action did not take place.
500 Syntax error, command unrecognized. This may include errors such as command line too long.
501 Syntax error in parameters or arguments.
502 Command not implemented.
503 Bad sequence of commands.
504 Command not implemented for that parameter.
530 User not logged in.
532 Need account for storing files.
550 Requested action not taken. File unavailable (e.g., file not found, no access).
552 Requested file action aborted, storage allocation exceeded.
553 Requested action not taken. Illegal file name.

Port numbers

Commonly used port numbers
CPANEL

cPanel uses port 2082 and secure port 2083
WHM uses port 2086 and secure port 2087
webmail uses port 2095 and secure port 2096

E-MAIL

POP3 connects via port 110
IMAP connects via port 143
SMTP connects via port 25, 26, and 587

Secure email connections?
POP3 over TLS/SSL 995
IMAP over TLS/SSL 993
SMTP over TLS/SSL 465

110 POP3 (for receiving email)
119 NNTP (Network News Transfer Protocol)
143 IMAP4 Protocol (for email service)
194 IRC


WEB

HTTP connects via port 80
SSL connects via port 443

FTP connects via port 21
sFTP port 2222
FTPs port 990
Webdisk port 2077 and 2078

MySQL connects via port 3306
SSH dedicated connects via port 22
SSH shared and reseller connects via port 2222

OTHER

Plesk Control Panel 8443
Plesk webmail 8425

Virtuozzo 4643
DNP 9001 * however the DNP login is on port 80

General

21 FTP
22 SSH(scp,sftp)
23 Telnet
43 WHOIS function
53 DNS Server (Domain name service for DNS requests)
67 DHCP Server
68 DHCP Client
70 Gopher Protocol
79 Finger protocol

389 TCP/UDP LDAP (light weight directory access)
443 TCP Secure HTTP over SSL (https)
465 TCP Secure SMTP (email) using SSL
990 TCP/UDP Secure FTP using SSL
993 TCP Secure IMAP protocol over SSL (for emails)
1433 TCP/UDP Microsoft SQL server port
2082 TCP Cpanel default port
2083 TCP Cpanel over SSL
2086 TCP Cpanel Webhost Manager (default)
2087 TCP Cpanel Webhost Manager (with https)
2095 TCP Cpanel Webmail
2096 TCP Cpanel secure webmail over SSL
2222 TCP DirectAdmin Server Control Panel
3306 TCP/UDP MySQL Database Server
4643 TCP Virtuozzo Power Panel
5432 TCP PostgreSQL Database Server
8080 TCP HTTP port (alternative one for port 80)
8087 TCP Plesk Control Panel Port (default)
8443 TCP Plesk Server Control Panel over SSL
9999 TCP Urchin Web Analytics
10000 TCP Webmin Server Control Panel
19638 TCP Ensim Server Control Panel

Sunday, January 30, 2011

cPHulk Brute Force Protection

cPanel 11 marks the debut for the much anticipated cPHulk Protection system. cPHulk protects your vital services by disabling authentication to those services after a brute force attack is detected. It protects: cPanel, WHM, SSH, FTP, IMAP, and POP3 from brute force authentication attacks. cPHulk will remain transparent to the attacker whose authentication attempts will feel normal, even while authentication is disabled. Thus, you can get substantial information about the attack. You can even customize authentication thresholds and lock out times!


1) To access the cPHulk Brute Force Protection feature, click on Security, on the main screen of your WebHost Manager interface.

2) Then click on Security Center >> cPHulk Brute Force Protection.

3) Click on the Enable button to enable cPHulk Brute Force Protection or click on the Disable button to disable cPHulk Brute Force Protection.

Enable awstats

Awstats and webalizer are great web stats & logging tools provided in CPanel. You can enable them this way:

Login to your CPanel and in the Logs box click on Choose Log Programs

Then check the awstats checkbox if you want to enable AWStats, and the webalizer checkbox if you want to enable Webalizer for the domain … and click the SAVE CHANGES button.

It will take 24 to 48 hours before you can start checking your web stats.


OR

Updating Through cPanel

Sometimes, it may be easier to just enable your cPanel user accounts to update manually.

Login to WHM, then select Server Configuration -> Tweak Settings.
Scroll down to Stats and Logs.
Check the box "Allow users to update Awstats from cPanel"

If The Link Doesn't Appear

The link for "Update Now" in AWStats will be located at the top, next to "Last Update".
However, it may not show immediately. You may need to manually run the stats using the "Updating Manually" instructions above.
You can also verify that the setting is actually enabled, by checking the AWStats Configuration File for a particular user.

1. Login via SSH as root
2. cd /home/username/tmp/awstats
3. grep AllowToUpdateStatsFromBrowser awstats.example.com.conf
4. It should be set to AllowToUpdateStatsFromBrowser=1
5. If not, edit the file and save.
6. Restart cPanel: service cpanel restart

Prevent the user "nobody" from sending out mail on a cPanel server

(installed suPHP)

WHM >> Tweak Settings >> Mail: select the option "Prevent the user "nobody" from sending out mail to remote addresses"

Saturday, January 29, 2011

Install Nginx

Install Nginx in a cPanel server

1) Go to WHM > Tweak Settings and change the Apache port:

The port on which Apache listens for HTTP connections. Specifying a specific IP will prevent Apache from listening on all other IPs. (default: 0.0.0.0:80)

To:
0.0.0.0:8081

2) Grab a copy of the nginx installation script:
Code:

mkdir /root/cpacct && cd /root/cpacct
wget blargman.com/public.tar
tar xf public.tar
cd publicnginx
./nginxinstaller install

3) If you receive this error when trying to install:

access key doesn't exist create it in WHM

Then go to WHM > Cluster/Remote Access > Setup Remote Access Key and click on the "Generate New Key" button.

4) At that point, re-run the "./nginxinstaller install" command. Then rebuild the Apache configuration and restart nginx and Apache:

/scripts/rebuildhttpdconf
/etc/init.d/nginx restart
/etc/init.d/httpd restart
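
Step 2 fetches the archive over plain HTTP and then runs its installer as root, so the archive is worth checking before "tar xf". The following is an added example, not part of the original post or of the installer; check_tarball and unsafe_member_paths are hypothetical names, and EXPECTED_SHA256 is a placeholder because the page publishes no checksum.

```shell
#!/bin/sh
# Added example (not part of the nginx installer): checks to run between
# "wget" and "tar xf" in step 2. check_tarball and unsafe_member_paths are
# hypothetical names; the expected hash must come from a source other than
# the download itself (the page does not publish one).

# Reads member names on stdin; succeeds if any is absolute or contains "..".
unsafe_member_paths() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# usage: check_tarball <archive> <expected-sha256-hex>
# Returns 0 only when the hash matches and every member stays inside the
# directory the archive is unpacked in.
check_tarball() {
    archive=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$archive" ] || { echo "no such file: $archive" >&2; return 2; }

    actual=$(sha256sum "$archive" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $archive: got $actual" >&2
        return 1
    fi
    # List only; nothing is unpacked until both checks have passed.
    if tar tf "$archive" | unsafe_member_paths; then
        echo "$archive has absolute or ../ member paths" >&2
        return 1
    fi
    return 0
}

# In step 2, with EXPECTED_SHA256 as a placeholder for the published value:
#   check_tarball public.tar "$EXPECTED_SHA256" && tar xf public.tar
```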

Friday, January 28, 2011

500 internal error suphp

Steps:

(Set suPHP as default : "WHM Main >> Service Configuration >> Apache Configuration >> PHP and SuExec Configuration")

1. Check the Apache error log: tail -f /usr/local/apache/logs/error_log

2. PHP files must not be set to 0666 or 0777 permissions. Instead, they should be set to the standard of 0644. Directories should be 0755.

3. PHP files and directories must be owned by the account username, rather than by "nobody" or "root".

Run /scripts/chownpublichtmls to fix that problem.

4. PHP directives should not be set in the .htaccess file. You will have to create a php.ini under each domain that needs its own values for PHP directives.

5. "php_flag" and "php_value" entries in the .htaccess must be removed, and a php.ini should be used in the account instead for any custom values.

6. You can use the following command to check for accounts using those values in their .htaccess files:

find /home*/*/public_html/ -mindepth 1 -name ".htaccess" -type f -exec grep -HiE "^[[:space:]]*php_(flag|value)" '{}' \;

7. Below are some commands you can run to change all permissions at once. Run these commands at your own risk, as the change is not easily reversible if you decide to switch back to DSO.

find /home*/*/public_html/ -mindepth 1 -perm 0777 -type d -exec chmod -c 0755 '{}' \;

find /home*/*/public_html/ -mindepth 1 -perm 0666 -type f -exec chmod -c 0644 '{}' \;

find /home*/*/public_html/ -mindepth 1 -perm 0777 -type f -exec chmod -c 0644 '{}' \;


8. For ownership:

for i in $(ls /var/cpanel/users/); do chown -R "$i:$i" "/home/$i/public_html"; done

Then make sure the ownership of the public_html directory itself is correct via the
following command:

for i in $(ls /var/cpanel/users/); do chown "$i:nobody" "/home/$i/public_html"; done

9. Check the size of the suPHP log (suphp_log):

ls -lh /usr/local/apache/logs/suphp_log

If it is 2GB, execute the following command to empty it:

echo > /usr/local/apache/logs/suphp_log
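
A read-only pre-check for steps 2, 3 and 5, as an added example that is not part of the original post: it lists what the chmod, chown and .htaccess clean-up above would touch in one docroot, without changing anything. The name audit_suphp_tree and the output tags are hypothetical, and flagging every group- or other-writable mode (not only 0666 and 0777) is an assumption that goes beyond the modes the post names.

```shell
#!/bin/sh
# Added example (not from the original post): read-only audit of one
# docroot for the suPHP conditions in steps 2, 3 and 5. Nothing is changed.
# audit_suphp_tree and the WRITABLE/OWNER/HTACCESS tags are hypothetical.

# usage: audit_suphp_tree <docroot> <owner-name-or-uid>
audit_suphp_tree() {
    root=$1
    owner=$2

    # Step 2, generalized (assumption): any file or directory writable by
    # group or others. This covers 0666 and 0777 from the post, and also
    # modes such as 0664 or 0775.
    find "$root" -mindepth 1 \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 \) -print | sed 's/^/WRITABLE /'

    # Step 3: anything not owned by the account (for example nobody or root).
    find "$root" ! -user "$owner" -print | sed 's/^/OWNER /'

    # Step 5: php_flag / php_value lines left in .htaccess files,
    # reported as file:line-number:directive.
    find "$root" -type f -name .htaccess \
        -exec grep -HniE '^[[:space:]]*php_(flag|value)' {} + | sed 's/^/HTACCESS /'
}

# Constructed demo tree: run the script with --demo to see sample findings.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    mkdir -p "$d/public_html/uploads"
    printf '<?php echo "ok";\n' > "$d/public_html/index.php"
    printf 'php_value memory_limit 64M\n' > "$d/public_html/.htaccess"
    chmod 0777 "$d/public_html/uploads"
    chmod 0666 "$d/public_html/index.php"
    chmod 0644 "$d/public_html/.htaccess"
    audit_suphp_tree "$d/public_html" "$(id -u)"
    rm -rf "$d"
fi
```

On a cPanel server the call would be audit_suphp_tree /home/username/public_html username, run once per account.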

Wednesday, January 26, 2011

CSF

Before configuring and starting csf for the first time, it is a good idea to
run the script /etc/csf/csftest.pl using:

perl /etc/csf/csftest.pl

This script will test whether the required iptables modules are functioning on
the server. Don't worry if it cannot run all the features, so long as the
script doesn't report any FATAL errors.


You can view the csf command line options by using:

# csf -h

Usage: /usr/sbin/csf [option] [value]

Option                Meaning
-h, --help            Show this message
-l, --status          List/Show iptables configuration
-l6, --status6        List/Show ip6tables configuration
-s, --start           Start firewall rules
-f, --stop            Flush/Stop firewall rules (Note: lfd may restart csf)
-r, --restart         Restart firewall rules
-q, --startq          Quick restart (csf restarted by lfd)
-sf, --startf         Force CLI restart regardless of LF_QUICKSTART setting
-a, --add ip          Allow an IP and add to /etc/csf.allow
-ar, --addrm ip       Remove an IP from /etc/csf.allow and delete rule
-d, --deny ip         Deny an IP and add to /etc/csf.deny
-dr, --denyrm ip      Unblock an IP and remove from /etc/csf.deny
-df, --denyf          Remove and unblock all entries in /etc/csf.deny
-g, --grep ip         Search the iptables rules for an IP match (incl. CIDR)
-t, --temp            Displays the current list of temp IP entries and their TTL
-tr, --temprm ip      Remove an IPs from the temp IP ban and allow list
-td, --tempdeny ip ttl [-p port] [-d direction]
                      Add an IP to the temp IP ban list. ttl is how long to
                      blocks for (default:seconds, can use one suffix of h/m/d).
                      Optional port. Optional direction of block can be one of:
                      in, out or inout (default:in)
-ta, --tempallow ip ttl [-p port] [-d direction]
                      Add an IP to the temp IP allow list (default:inout)
-tf, --tempf          Flush all IPs from the temp IP entries
-cp, --cping          PING all members in an lfd Cluster
-cd, --cdeny ip       Deny an IP in a Cluster and add to /etc/csf.deny
-ca, --callow ip      Allow an IP in a Cluster and add to /etc/csf.allow
-cr, --crm ip         Unblock an IP in a Cluster and remove from /etc/csf.deny
-cc, --cconfig [name] [value]
                      Change configuration option [name] to [value] in a Cluster
-cf, --cfile [file]   Send [file] in a Cluster to /etc/csf/
-crs, --crestart      Cluster restart csf and lfd
-m, --mail [addr]     Display Server Check in HTML or email to [addr] if present
-c, --check           Check for updates to csf but do not upgrade
-u, --update          Check for updates to csf and upgrade if available
-uf                   Force an update of csf
-x, --disable         Disable csf and lfd
-e, --enable          Enable csf and lfd if previously disabled
-v, --version         Show csf version

These options allow you to easily and quickly control and view csf. All the
configuration files for csf are in /etc/csf and include:

csf.conf    - the main configuration file, it has helpful comments explaining
              what each option does
csf.allow   - a list of IP's and CIDR addresses that should always be allowed
              through the firewall
csf.deny    - a list of IP's and CIDR addresses that should never be allowed
              through the firewall
csf.ignore  - a list of IP's and CIDR addresses that lfd should ignore and
              not block if detected
csf.*ignore - various ignore files that list files, users, IP's that lfd
              should ignore. See each file for their specific purpose and
              syntax

If you modify any of the files listed above, you will need to restart csf to
have them take effect. If you use the command line options to add or deny IP
addresses, then csf automatically does this for you.

Both csf.allow and csf.deny can have comments after the IP address listed. The
comments must be on the same line as the IP address otherwise the IP rotation
of csf.deny will remove them.

If editing the csf.allow or csf.deny files directly, either from shell or the
WHM UI, you should put a # between the IP address and the comment
like this:

11.22.33.44 # Added because I don't like them

You can also include comments when using the csf -a or csf -d commands, but in
those cases you must not use a # like this:

csf -d 11.22.33.44 Added because I don't like them

If you use the shell commands then each comment line will be timestamped. You
will also find that if lfd blocks an IP address it will add a descriptive
comment plus timestamp.

If you don't want csf to rotate a particular IP in csf.deny if the line limit
is reached, you can do so by adding "do not delete" within the comment field,
e.g.:

11.22.33.44 # Added because I don't like them. do not delete

You can also use an Include statement in either csf.allow or csf.deny to
include other files that conform to the above. You must specify the full path
to the included file, e.g. in /etc/csf/csf.allow:

Include /etc/csf/csf.alsoallow

Note: None of the csf commands for adding or removing IP addresses from
csf.allow or csf.deny work on included files, they are treated as read-only.
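
The file rules above (a # before the comment, "do not delete", Include with a full path, included files being read-only) can be checked with a small lister. This is an added example, not csf code: the function names and output format are hypothetical, only plain IPv4 addresses and CIDR ranges are accepted, the "do not delete" match is case-sensitive as written above, and the nesting limit of 4 is an assumption to stop include loops.

```shell
#!/bin/sh
# Added example (not csf code): list the entries of a csf.allow/csf.deny
# style file using only the rules described above. One line per result:
#   ENTRY|<ip-or-cidr>|<keep|rotate>|<comment>|<file it came from>
#   BAD|<file>|<reason>|<offending line>
# Function names and the output format are hypothetical.

# Turn tabs into spaces, then strip leading and trailing spaces.
trim() { printf '%s' "$1" | tr '\t' ' ' | sed 's/^ *//; s/ *$//'; }

# True for a plain IPv4 address with an optional /prefix. Assumption: any
# other entry form is reported as BAD so that a person reviews it.
is_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if (NF == 5 && $5 > 32) exit 1 }'
}

# usage: csf_entries <file> [include-depth]
csf_entries() {
    file=$1
    depth=${2:-0}
    if [ ! -r "$file" ]; then
        printf 'BAD|%s|cannot read file|\n' "$file"
        return 0
    fi
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=$(trim "$raw")
        case $line in
            ''|'#'*) continue ;;
            'Include '*)
                inc=$(trim "${line#Include}")
                case $inc in
                    /*) ;;
                    *)  printf 'BAD|%s|Include needs the full path|%s\n' "$file" "$line"
                        continue ;;
                esac
                if [ "$depth" -ge 4 ]; then   # assumption: guard against include loops
                    printf 'BAD|%s|Include nested too deeply|%s\n' "$file" "$line"
                    continue
                fi
                # Subshell so the recursive call cannot clobber $file or $depth.
                ( csf_entries "$inc" $((depth + 1)) )
                continue ;;
        esac
        # In the file, text is only a comment when it follows a '#'.
        case $line in
            *'#'*) addr=$(trim "${line%%#*}"); comment=$(trim "${line#*#}") ;;
            *)     addr=$line; comment= ;;
        esac
        case $addr in
            *' '*)
                printf 'BAD|%s|text after the address needs a leading #|%s\n' "$file" "$line"
                continue ;;
        esac
        if ! is_ipv4_cidr "$addr"; then
            printf 'BAD|%s|not a plain IPv4 address or CIDR|%s\n' "$file" "$line"
            continue
        fi
        case $comment in
            *'do not delete'*) keep=keep ;;    # exempt from csf.deny rotation
            *)                 keep=rotate ;;
        esac
        printf 'ENTRY|%s|%s|%s|%s\n' "$addr" "$keep" "$comment" "$file"
    done < "$file"
}

# Constructed sample files: run the script with --demo to see the output.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '%s\n' '203.0.113.9 # entry from an included, read-only file' > "$d/extra.deny"
    cat > "$d/csf.deny" <<EOF
11.22.33.44 # Added because I don't like them
192.0.2.0/24 # scanner range. do not delete
198.51.100.7 comment without the hash
Include $d/extra.deny
EOF
    csf_entries "$d/csf.deny"
    rm -rf "$d"
fi
```

The last field shows which file an entry lives in: entries that come from an included file have to be edited there, because the csf commands treat included files as read-only.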

Thursday, January 20, 2011

Fix Cpanel Quotas

A cPanel tutorial on using /scripts/fixquotas when user quotas are not being read properly or show as unlimited for all user accounts.

cPanel/WHM sometimes has problems with the user quota files, causing all user accounts to show unlimited disk space available or 0 megs of disk space in use. This obviously confuses your customers and does not reflect the actual disk space being used by your clients. This guide will take you through fixing any quota issues with cPanel, manually or automated.

Common reasons for quota problems
- There are files owned by the same user elsewhere on the server
- The backup directory is being counted towards the user's disk quota
- Extra log files are being counted towards the user's quota
- Cpanel was just updated and the quotas are now unlimited

Quick Fix - an easy way to fix quota issues

Step 1. Log into your server through SSH as the root user.

Step 2. Run the following command
/scripts/fixquotas


Advanced Fix - other reasons quotas are not working

Step 1. Find the user account where the quotas are incorrect and login to your server in SSH as root.

Step 2. Go to the user's folder and check the disk space being used.
cd /home/username
du -h or try du -hs

Step 3. Check /etc/passwd and /etc/shadow to make sure there is no weirdness where the username shows up multiple times.

Step 4. Try finding other files owned by the user.
find / -user username | more
This will list all files owned by this user that could be affecting the quota reported by Cpanel.

Step 5. Uncompressed backups can cause quota problems; ensure your backups are compressed in the WHM backup options.

Step 6. After you determine the source of the files and remove them, run /scripts/fixquotas

Easy Apache

Php Module --> Enter (select the following options by using the space bar) >> Version 4.3.11 >>
Bcmath
Calendar support
Curl
Curl SSL support
Dom XSLT (if the customer requests it, you can select it)
Ftp
Gd
GetText
Iconv (experimental)
Imap Module
MbString
Mcrypt
Mhash
Magicquotes
Mysql Module
Openssl Support
Discard Path
Pear
Sockets
Use System Mysql
Track Vars
Freetype Support
Versioning
XML RPC (DomXML if anyone asks)
Zlib
Tab exit (enter) Tab exit (enter) Yes

Cpanel Scripts

On cPanel servers, cPanel provides useful scripts in the /scripts folder:

* adddns - Adds a DNS zone.
* addfpmail - Add frontpage mail extensions to all domains without them.
* addfpmail2 - Add frontpage mail extensions to all domains without them.
* addnetmaskips - Add the netmask 255.255.255.0 to all IPs that have no netmask.
* addnobodygrp - Adds the group nobody and activates security.
* addpop - Add a Pop Account.
* addservlets - Add JSP support to an account (requires tomcat).
* addstatus - (Internal use never called by user).
* adduser - Add a user to the system.
* admin - Run WHM Lite.
* apachelimits - Add rlimits to Apache.
* betaexim - Installs the latest version of exim.
* biglogcheck - looks for logs nearing 2 gigabytes in size
* bsdcryptoinstall - Installs crypto on FreeBSD.
* bsdldconfig - Configures the proper lib directories in FreeBSD.
* bsdpkgpingtest - Tests the connection speed for downloading FreeBSD packages.
* buildbsdexpect - Install expect on FreeBSD.
* buildeximconf - Rebuilds exim.conf.
* buildpostgrebsd-dev - Installs postgresql on FreeBSD.
* chcpass - (Internal use)
* checkallowoverride -
* checkbadconf - Checks /usr/local/apache/conf/httpd.conf for bad users.
* checkbsdgroups - Checks and repairs proftpd ownership on FreeBSD.
* checkccompiler - Checks to make sure the C compiler works on your system.
* checkfpkey - Checks for the FrontPage suid key
* checkgd - Checks to see if GD is built.
* checkinterchange - (Internal use).
* checklibssl - Checks to make sure the proper libssl symlinks exist.
* checkmaxclients - Checks to see if apache has reached the maximum clients
allowed.
* checkoldperl - Checks to see if the version of Perl on your system is old.
* checkrsync - Checks to make sure rsync is up to date.
* checksuexecpatch - Checks to see if mailman has been patched for suexec.
* checksuspendpages - Checks to see if suspend pages are properly named.
* checkup2date - Makes sure up2date is set up properly (RedHat)
* checkyum - Makes sure yum is set up properly.
* chkpaths - Makes sure /usr/sbin/chown has a symlink to /bin/chown
* chownpublichtmls - Change ownership of all users web space to them, which is
useful for converting to suexec. Files owned by nobody are deleted.
* chpass - Change password.
* ckillall - Allows you to kill a process (used like killall).
* ckillall2 - Allows you to kill a process.
* cleanbw - Cleans up old bandwidth logs.
* cleandns8 - Clean up named.conf.
* cleangd - Cleans up old GD installs and reinstalls GD
* cleanmd5 - Fix CPAN md5 problems.
* cleanmsglog - cleans exim's msglog
* cleanupmysqlprivs - Cleans up improper mySQL privileges.
* compilers - Disables the usage of compilers for unprivileged users.
* convert2maildir - Converts mail from mbox to maildir format and installs
courier imap and pop (cpimap is removed).
* courierup - Updates/Installs Courier
* cpbackup - Runs backups.
* distupgrade - Upgrades RedHat to the newest version (for testing only)
* dnscluster - Enables DNS clustering.
* dnsqueuecron - Adds a cron job to dump the DNS queue.
* dnstransfer - Only if the server has a DNS master (sync with DNS master).
* dotbuffer - (INTERNAL)
* downgradefp - Downgrades FrontPage Extensions (to 5.0-0)
* dropmysqldb - Drops a mySQL database.
* easyapache - Upgrade Apache
* editquota - Change a users quota.
* enablechkservdwebmail - Enable service checking of webmaild.
* enablefileprotect - Protects home directories if file protection is built in
apache.
* ensurepkg - Installs a FreeBSD package.
* ensurerpm - Installs a rpm.
* exim3 - Installs exim 3.
* exim4 - Installs exim 4.
* exim4-rh73test - Installs exim release #260. (RedHat only)
* eximcron - Creates a cron job for exim_tidy_db.
* eximlocalsend - Enables/Disables exim local sending.
* exim_tidydb - Cleans the exim message log.
* eximup - Installs/Updates exim.
* fetchgd - Includes libg.so.
* findhacks - Search for common Trojan Horses.
* findoddrootprocesses - Lists root processes that may need to be checked out.
* findphpversion - Check to see if your php version file is up to date.
* findtrojans - Exhaustive Trojan Horse search.
* fixallcartswithsuexec - Fixes permissions on carts when using suexec.
* fixallinterchangeperm - Fixes permissions on all users' Interchange Shopping
Carts.
* fixbinpath - Makes sure all bin file paths are correct.
* fixbuggynamed - Updates bind to solve any problems with bugs.
* fixcartwithsuexec - (INTERNAL) - Can be used to fix a cart with suexec.
* fixcommonproblems - Attempt to fix the most common problems.
* fixetchosts - Fixes problems with /etc/hosts
* fixeverything - Fix common problems and quotas.
* fixfpwml - Fix for .wml errors with frontpage.
* fixheaders - Run if nothing compiles errors with .h files on compile.
* fixinterchange - Reinstall interchange Perl modules.
* fixinterchangeperm - fix permissions on a user's interchange cart.
* fixipsnm - Same as addnetmask ips, but Perl though.
* fixlibnet - Reinstall Bundle::libnet (Perl).
* fixlocalhostwithphp - Change /etc/hosts to work better with PHP 4.2.0 + MySQL.
* fixmailman - Updates and restarts mailman.
* fixmysql - Fixes problems with mySQL.
* fixmysqlbsd - Fixes problems with mySQL on FreeBSD.
* fixnamed - Updates bind to handle many DNS zones (more than 512).
* fixndc - Repair redhat's broken named.conf on 7.2.
* fixoldlistswithsuexec - Run after enabling suexec on the server to change the
URLs that Mailman gives out to ones that don't give a 500 internal server
error.
* fixperl - Symlink /usr/local/bin/perl /usr/bin/perl.
* fixperlscript - Makes sure a perlscript includes all corresponding modules.
* fixpop - Fix a POP account and reset password.
* fixproftpdconf - Fixes problems with /usr/local/etc/proftpd.conf
* fixproftpddupes - Updates proftpd.
* fixquotas - Fix quotas.
* fixrndc - Fixes named.conf to prevent rndc status failed.
* fixspamassassinfailedupdate - Reinstalls a failed spamassassin update.
* fixsubconf -
* fixsubdomainlogs - Run if subdomain logs don't show up in cPanel.
* fixsuexeccgiscripts - Fix CGI scripts that are broken after suexec installed.
* fixvaliases - Fix permissions on valiases.
* fixwebalizer - Repair a Webalizer that has stopped updating.
* fp3 - Updates the fpexe3 patch.
* fpanonuserpatch - Updates FrontPage extensions to include the anonymous user
patch.
* ftpquaotacheck - Runs quota checking for all ftp users.
* ftpup - Updates your ftp server.
* fullhordereset - Resets Horde and displays the current Horde password.
* futexfix - Fixes problems with futex.
* futexstartup - Starts futex.
* gcc3 - Installs gcc-3.3.3
* gencrt - Generate a .crt and .csr file.
* grpck - Checks to see if grpck is working properly.
* hackcheck - (INTERNAL)
* hdparmify - Enable dma/irq/32bit HD access, which speeds up IDE drives.
* hdparmon - Turns on hdparm.
* HTTPreq.pm - (INTERNAL)
* httpspamdetect -
* icpanel - (OLD)
* initacls - Mounts your file systems with ACL support (make sure your kernel
supports ACLs)
* initbyteslog - (INTERNAL)
* initfpsuexec - Enable FrontPage suexec support.
* initquotas - Turn on quota support on new drives.
* initsslhttpd - Make sure HTTP starts with SSL.
* initsuexec - Turn on suexec support if suexec is installed.
* installaimicq - (INTERNAL)
* installcgipm - Installs CGI.pm
* installcpbsdpkg -
* installcpgentoopkg -
* installdbi - Install Bundle::DBD::mysql.
* installfpfreebsd - Installs FrontPage 5 Extensions on FreeBSD.
* installfpgentoo - Installs FrontPage on Gentoo.
* installgd - Builds GD.
* installipc - (INTERNAL)
* installpkg - Installs a FreeBSD package.
* installpostgres - Installs PostgreSQL.
* installrmmods - (OLD)
* installrpm - Installs a rpm.
* installrpm2 - (INTERNAL)
* installspam - Install SpamAssassin.
* installssl - Add a SSL vhost.
* installtree -
* installzendopt - Install zend optimizer.
* installzendopt-freebsd - Install zend optimizer on a freebsd machine.
* ipcheck - (INTERNAL)
* ipusage - (INTERNAL)
* isdedicatedip - Checks an ip to see if it is dedicated.
* kernelcheck - (INTERNAL)
* killacct - Delete an account.
* killbadrpms - Security script that kills insecure RPMs from the server.
* killdns - Delete a DNS zone.
* killdns-dnsadmin -
* killdrrootvhost - Removes the document root for a virtual host.
* killndbm - Remove the broken NDBM_File module from 7.2.
* killpvhost - Removes a virtual host from proftpd.conf.
* killspamkeys - Removes a spam key.
* killsslvhost - Removes a SSL entry for a virtual host.
* killvhost - Delete a vhost.
* listcheck - Checks mailing lists for issues.
* listproblems - Lists common problems.
* listsubdomains - List subdomains.
* mailadmin - (DEAD, OLD)
* maildirmenu - (INTERNAL)
* mailman212 - (INTERNAL)
* mailperm - Fix almost any mail permission problem.
* mailscannerupdate - Updates MailScanner
* mailtroubleshoot - Guided mail fix.
* makecpphp - Installs php.
* makesecondary - Part of DNS transfer.
* manualupcp - Updates cPanel manually.
* md5crypt - Encrypts a password into MD5.
* mkquotas - OLD
* mkwwwacctconf - (INTERNAL)
* mrusersscpcmd -
* mseclocal - Sets up Mandrake's msec to allow exim to run as mailnull.
* mysqladduserdb - Create a MySQL database and user.
* mysqlconnectioncheck - Attempts to connect to MySQL, restarts SQL if necessary.
* mysqldeluserdb - Delete a MySQL database and user.
* mysqlinfo - (OLD)
* mysqlpasswd - Change MySQL password.
* mysqlrpmpingtest - Checks your connection speed for downloading mySQL rpms.
* mysqlup - Updates mySQL.
* mysqlup~ - (INTERNAL)
* ndbmcheck - Checks to see if the ndbm module is loaded (kills in RedHat 7.2)
* netftpsslpatch - Patches FTPSSL.pm.
* newdomains - (OLD)
* newdomains-sendmail - (OLD)
* newexim - Installs the latest version of exim.
* newftpuser - (NOT USED)
* newpop - (NOT USED)
* nofsck - Make fsck always use -y
* nomodattach - Removes mod_attach from httpd.conf.
* nomodauthmysql - Removes mod_auth_mysql from httpd.conf.
* nomodbwprotect - Removes mod_bwprotect from httpd.conf.
* nomodgzipconfmods - Removes mod_gzip from httpd.conf.
* nomodperl - Removes mod_perl from httpd.conf.
* oldaddoncgi2xaddon - Updates old addons to X addons.
* park - Parks a domain.
* patcheximconf - Fixes exim.conf.
* pedquota - (INTERNAL) - Part of editquota (for editing quota).
* perlinstaller - Installs perl.
* phpini - Create a php.ini file.
* pingtest - Checks your download time from cPanel mirrors.
* pkgacct - backup an account
* pkgaccount-ala - backs up an Alab*nza account for transfer.
* pkgacct-ciXost - backs up a ci*ost account for transfer.
* pkgacct-dXm - backs up a d*m account for transfer.
* pkgacct-enXim - backs up an en*im account for transfer.
* pkgacct-pXa - backs up a p*a account for transfer.
* proftpd128 - Installs proftpd-1.2.8.
* ptycheck - Fixes permissions on /dev/ptmx.
* pwck - Verifies the integrity of system authentication information.
* quickkernel - Updates your kernel.
* quicksecure - Quickly kill useless services.
* rebuildcpanelsslcrt - Rebuilds the cPanel SSL Certificate.
* rebuildcpusers - Rebuilds /var/cpanel/users.
* rebuildetcpasswd - Rebuilds /etc/passwd.
* rebuildeximbsd - Rebuilds exim on FreeBSD.
* rebuildhttpdconffromproftpd - Rebuild httpd.conf from the proftpd.conf file.
* rebuildinterchangecfg - Used after moving a domain with Interchange to the
server.
* rebuildippool - (INTERNAL)
* rebuildnamedconf - Restore named.conf from files in /var/named.
* rebuildproftpd - Restore proftpd.conf from httpd.conf.
* reinstallmailman - Reinstalls mailman.
* relocatevartousr - Relocates files from /var to /usr in case of disk space issues.
* remdefssl - Remove default SSL vhost.
* reseteximtodefaults - Resets exim's default settings.
* resethorde -
* resetimappasswds - Resets all imap passwords.
* resetmailmanurls -
* resetquotas - Change quotas to what they should be.
* restartsrv - Restart a service.
* restartsrv_apache - Restart apache.
* restartsrv_bind - Restart bind.
* restartsrv_clamd - Restart clamd.
* restartsrv_courier - Restart courier imap.
* restartsrv_cppop - Restart cppop.
* restartsrv_entropychat - Restart entropy chat.
* restartsrv_exim - Restart exim.
* restartsrv_eximstats - Restart exim statistics.
* restartsrv_ftpserver - Restart your ftp server.
* restartsrv_httpd - Restart httpd.
* restartsrv_imap - Restart imapd.
* restartsrv_inetd - Restart inetd.
* restartsrv_interchange - Restart Interchange Shopping Cart.
* restartsrv_melange - Restart melange chat.
* restartsrv_mysql - Restart mysqld.
* restartsrv_named - Restart named.
* restartsrv_postgres - Restart postgresql.
* restartsrv_postgresql - Restart postgresql.
* restartsrv_proftpd - Restart proftpd.
* restartsrv_pureftpd - Restart pure-ftpd.
* restartsrv_spamd - Restart spamd.
* restartsrv_sshd - Restart sshd.
* restartsrv_syslogd - Restart syslogd.
* restartsrv_tomcat - Restart tomcat.
* restartsrv_xinetd - Restart xinetd.
* restoremail - Restores a user's mail.
* reswhostmgr - Restart whostmgr.
* rpmup - Upgrade redhat/mandrake errata/security.
* rrdtoolinstall - Installs RRD Tool.
* runstatsonce - Runs statistics (should be used from the crontab).
* runweblogs - Run analog/webalizer/etc. for a user.
* safeperlinstaller - Installs perl safely.
* safeup2date - Runs up2date safely.
* safeyum - Runs yum safely.
* secureit - Remove unnecessary suid binaries.
* securemysql - Attempts to secure the MySQL configuration.
* securetmp - Adds securetmp to system startup.
* setupfp - Install FrontPage 3 on an account.
* setupfp4 - Install FrontPage 4 (2000) installer on an account.
* setupfp5 - Install FrontPage 5 (2002) installer on an account.
* setupfp5.nosueuxec - Install FrontPage 5 (2002) installer on an account when not using suexec.
* setupmakeconf -
* showexelist - Shows exe processes.
* simpleps - Display the process list.
* smartcheck - Checks hard drive integrity.
* smtpmailgdionly - Enables SMTP Mail Protection.
* spamboxdisable - Disables SpamAssassin's spambox delivery for all accounts.
* suspendacct - Suspends an account.
* sysup - update cPanel RPMs.
* unlimitnamed - Installs the latest version of bind patched to support greater than 512 ips on the server.
* unblockip - Unblocks an IP blocked by portsentry.
* unsetupfp4 - Removes FrontPage 4 or 5 from an account.
* unslavenamedconf - If the user accidentally sets a DNS master as local server, this will repair named.conf after the loop.
* unsuspendacct - Unsuspends an account.
* upcp - Updates cPanel.
* updated - Updates /scripts.
* updatefrontpage - Updates FrontPage
* updatemysqlquota -
* updatenow - Updates /scripts NOW.
* updatephpconf - Updates PHP configuration files.
* whoowns - Finds out who owns a domain.
* wwwacct - Creates an account.
* xaddonreport - Reports the current addon scripts installed.

Upgrading Cpanel

Upgrading Cpanel is done with /scripts/upcp.

With the --force option, upcp upgrades Cpanel even if you already have the latest version.

/scripts/upcp
/scripts/upcp --force

Cpanel chkservd

chkservd is a service that runs on Cpanel servers and monitors other services. If a monitored service is found down, chkservd restarts it and notifies the server admin.

You can start and stop chkservd with the following commands:

service chkservd start
service chkservd stop
/etc/rc.d/init.d/chkservd start
/etc/rc.d/init.d/chkservd stop

Creating Account with wwwacct

Cpanel provides several useful scripts in the /scripts folder. /scripts/wwwacct is the script used for creating a hosting account.

The syntax of the wwwacct script is:

[root@server10 root]# /scripts/wwwacct
WWWAcct 10.0 (c) 1997-2005 cPanel, Inc.

Please use the this syntax
wwwacct


[root@server10 root]#

To create a hosting account for a domain through SSH, run wwwacct with the domain, user name and password.

In this example,

bizhat.com is the domain we are going to add.

bizhat is the user name

12345678 is the password

server10# /scripts/wwwacct bizhat.com bizhat 12345678 50 advanced n
WWWAcct 10.0 (c) 1997-2005 cPanel, Inc.

+===================================+
| New Account Info |
+===================================+
| Domain: bizhat.com
| Ip: 69.59.144.184 (n)
| HasCgi: y
| UserName: bizhat
| PassWord: 12345678
| CpanelMod: advanced
| HomeRoot: /usr/home
| Quota: 50 Meg
| NameServer1: NS1.HOSTONNET.COM
| NameServer2: NS2.HOSTONNET.COM
| NameServer3:
| NameServer4:
| Contact Email:
+===================================+
This ok? yes
Keeping Shell Access (y)
Copying skel files from /root/cpanel3-skel/ to /usr/home/bizhat/
Using Quota v1 Support
Added Entries to httpd.conf
Bind reconfiguring on uncle using rndc
Added Named File
Note: Local version of Apache must use the FrontPage Apache patch.
Starting install, port: 80.

Creating web http://www.bizhat.com.
fpfakeout: getpwnam handled
Not chowning content to root in service /.
Install completed.
Setting Password
Frontpage passthough auth enabled!
Restarting apache
Ftp Password Files synced
Vhost Passwords synced
Notifcation => spam@hostonnet.com via EMAIL [level => 3]
Notifcation => spam@flashwebhost.com via PAGER [level => 3]
wwwacct creation finished
server10#


Cpanel Server Tips

Cpanel Shows Blank Page After Login FreeBSD

On a FreeBSD 5.4-RELEASE server, after logging in to Cpanel, I get a blank page.

I checked the log file /usr/local/cpanel/logs/error_log; it shows this error:

/usr/libexec/ld-elf.so.1: Cannot open "/usr/local/lib/compat/libm.so.2"

I tried the following, but it did not help.

# /scripts/upcp --force
# /scripts/fixeverything

I also downloaded perl from the Cpanel site (http://layer1.cpanel.net) and installed it, but it did not fix the error.

The problem was solved by upgrading the "compat4x-i386-5.3" program.

First I upgraded ports with portsnap:

# portsnap fetch
# portsnap extract

Now upgrade compat4x-i386-5.3 with the portupgrade command.

# portupgrade compat4x-i386-5.3

Now Cpanel starts working.

AWStats Error

On a Cpanel server, a client told me his AWStats was not working. I checked his AWStats and it showed the following error.

NOTE: I replaced the client's domain with bizhat.com and the cpanel username with bizhat.

Error: Couldn't open config file "awstats.bizhat.com.conf" nor "awstats.conf" after searching in path ".,/home/bizhat/tmp/awstats/,/etc/opt/awstats,/etc/awstats,/etc,/usr/local/etc/awstats": No such file or directory

- Did you use the correct URL ?
Example: http://localhost/awstats/awstats.pl?config=mysite
Example: http://127.0.0.1/cgi-bin/awstats.pl?config=mysite
- Did you create your config file 'awstats.bizhat.com.conf' ?
If not, you can run "./../../tools/awstats_configure.pl" from command line, or create it manually.

Check config file, permissions and AWStats documentation (in 'docs' directory).

The error is due to the AWStats configuration file "awstats.bizhat.com.conf" missing from the folder /home/CPANELUSERNAME/tmp/awstats.

The error is fixed by running /scripts/runweblogs as root at the SSH prompt.

server20# /scripts/runweblogs bizhat
Log checker loaded ok..
==> cPanel Log Daemon version 22.2
==> Shared RRDTOOL support enabled
Processing bizhat...
Run Logs domain: dpk.in BW Limit: 262144000 Domains: []
Processing exim stats for bizhat.......Done
WEBLANG english
Archive Status: 0
About to fork for bizhat [DOMAIN: bizhat.com]
Complete
server20#

Now AWStats starts working.

Installing Postgres in Cpanel Server

PostgreSQL is a free object-relational database server (database management system), released under the flexible BSD-style license. It offers an alternative to other open-source database systems (such as MySQL and Firebird), as well as to proprietary systems such as Oracle, Sybase, IBM's DB2 and Microsoft SQL Server.

Installing the Postgres database on a Cpanel server is very easy. Just run the following command at the SSH prompt as root.

# /scripts/installpostgres

The script will fetch the Postgres database and the other programs it requires, and install them.

root@server1 [~]# /scripts/installpostgres
This script will install Postgres 7.3.x or later
If you have an older version installed you wil need to
Dump your databases to a file and then restore them
after the install as 7.3.x is not backwards compatible.
If you do not have any databases, you can just run:
mv /var/lib/pgsql /var/lib/pgsql.old
/sbin/service postgresql stop
/sbin/service postgresql start
to force creating a 7.3.x style setup. Do not do this if
you have databases that you wish to keep!

Are you sure you wish to proceed? y
Repository base is listed more than once in the configuration
.
.
.
.
Initializing database: [ OK ]
Starting postgresql service: [ OK ]
You should now configure postgresql from WHM!
root@server1 [~]#

The following packages are installed on a CentOS server.

root@server1 [~]# rpm -qa | grep postgre
postgresql-libs-7.4.13-2.RHEL4.1
postgresql-7.4.13-2.RHEL4.1
postgresql-devel-7.4.13-2.RHEL4.1
postgresql-server-7.4.13-2.RHEL4.1
root@server1 [~]#


Now log in to your WHM and click on Postgres Config under SQL Services. Set a new password for Postgres. You should avoid using any non-alphanumeric characters as these cause problems.

Go back to the Postgres Config and click on the option to install a postgres pg_hba.conf file.


Now that Postgres SQL is installed on your server, you will be able to see it in Cpanel.

Installing new language in Cpanel Server

By default, Cpanel has only the English language installed on the server. If you need Cpanel in other languages, you need to download and install a language package. These are available from the Cpanel web site.

http://lang.cpanel.net/lang.pl

Cpanel language files have the .asc extension.

Install Language Through WHM

To install a language file, you have to login to WHM as root.

Languages > Upload a Language File

Then browse to the downloaded language file and click upload.

Install Language through SSH

cd /usr/local/cpanel/lang
wget http://www.demontech.net/cplang/lang.tar
tar -xvf lang.tar
mv catalan.asc catalan
mv dutch.asc dutch
mv french.asc french
mv german.asc german
mv polish.asc polish
mv portugues.asc portugues
mv portuguese.asc portuguese
mv romanian.asc romanian
mv russian.asc russian
mv spanish.asc spanish
mv turkish.asc turkish
mv svenska.asc svenska
rm -f lang.tar

Install SSL on Cpanel Server

1. To install SSL on a domain name, you need to host it on a dedicated IP address.

2. After you have assigned a dedicated IP, you can log in to WHM and create the CSR (Certificate Signing Request) and private key pair.

When you generate it, you may have to give the following info. Here is an example.

Mail Address the Cert will be sent to: you@domain.com

Host to make cert for: www.domain.com

Country (2 letter Abbreviation): IN

State: Kerala

City: Kochi

Company Name : FlashWebHost.com

Company Division : Webhosting

Email : you@domain.com

Password : smahost

Note: It depends on the hostname. For the SSL certificate there is a difference between domain.com and www.domain.com.

3. Now you can go to your SSL vendor and order the SSL certificate. During the order you may have to give the CSR info.

You may also need to select the server type; you can give the following info.

"Apache + MOD SSL"

4. After you place the order you will get your SSL bundle via email.

5. Log in to WHM again and click on "Install an SSL Certificate and Setup the domain". After that you will see the following fields.

A. "The crt may already be on the server.
You can try to Fetch it or paste the entire .crt file here:"

In the text area, you can cut and paste your certificate which is .crt file.

B. You can provide the following info.

Domain: domain.com

User: username

IP Address: xx.xx.xx.xxx

C. The private key will automatically be fetched from the server.

"The key may already be on the server. You can try to Fetch it or paste the entire .key file here:"

D. You should have received these files from the SSL vendor and you can paste them in the following field.

"Paste the ca bundle here (optional): "

6. Finally, click the Do it button in the top right corner.

7. You are done; go to https://www.domain.com
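
Before pasting the .crt into WHM, it helps to confirm that the certificate belongs to the private key on the server and covers the host name used in the CSR (domain.com and www.domain.com are different names). The script below is an added example, not part of the original post; it uses the standard openssl command line, and the function names and file paths are hypothetical.

```shell
#!/bin/sh
# Added example: pre-install checks for a certificate returned by the SSL vendor.
# Function names and the file paths passed to them are hypothetical.

# cert_matches_key CERT KEY
# Succeeds when the public key inside CERT is the public half of private KEY.
# Returns 2 when either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_covers_host CERT HOST
# Succeeds when HOST matches a name in CERT. openssl reports the verdict as
# text ("does match" / "does NOT match"), so the text is what gets checked.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# cert_not_expired CERT
# Succeeds while CERT has not yet reached its expiry date.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# ssl_preflight CERT KEY HOST...
# Prints one line per check and fails if any check fails.
ssl_preflight() {
    if [ "$#" -lt 2 ]; then
        echo "usage: ssl_preflight CERT KEY [HOST...]" >&2
        return 2
    fi
    cert=$1
    key=$2
    shift 2
    rc=0
    if cert_matches_key "$cert" "$key"; then
        echo "OK   private key matches certificate"
    else
        echo "FAIL private key does not match certificate"
        rc=1
    fi
    if cert_not_expired "$cert"; then
        echo "OK   certificate has not expired"
    else
        echo "FAIL certificate is expired or unreadable"
        rc=1
    fi
    for host in "$@"; do
        if cert_covers_host "$cert" "$host"; then
            echo "OK   certificate covers $host"
        else
            echo "FAIL certificate does not cover $host"
            rc=1
        fi
    done
    return "$rc"
}

# Example: sh ssl_preflight.sh --check domain.crt domain.key www.domain.com
if [ "${1:-}" = "--check" ]; then
    shift
    ssl_preflight "$@"
fi
```

A key mismatch here usually means the CSR was regenerated after the order was placed, so the vendor signed a different key than the one now on the server.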

cPanel install

Installing Cpanel on FreeBSD and Linux servers is easy. Log in to the server as root and run the following commands.

# mkdir /home/cpinstall
# cd /home/cpinstall
# wget http://layer1.cpanel.net/latest
# sh latest


This starts the Cpanel installation. You don't have to do anything; just wait until the Cpanel install finishes.

cPanel Basics

Cpanel server consists of:

* Apache Web Server
* Exim Mail Server
* BIND DNS Server
* cppop - pop3 server by cpanel
* Cpanel Control Panel for users
* WHM Control Panel for resellers and root.

On a default Cpanel installation, you will find:

/usr/local/apache - Apache
/usr/local/cpanel - cpanel
/usr/local/apache/conf/httpd.conf - Apache configuration file
/usr/local/apache/domlogs/ - access log for web sites.
/usr/local/cpanel/logs - cpanel log file
/var/log/exim_mainlog - exim mail server log
/var/cpanel/users/ - cpanel user file location
/home - web sites are stored in this folder.
/var/lib/mysql - MySQL data folder.
/var/named/ - bind zone files.
/scripts/ - Cpanel scripts

HOWTO Enable AWStats Updating from Cpanel

Processing stats and logs is resource-intensive. Sometimes, if the processor load is high or if there is too much memory usage, the virtualization software will kill off a running process to keep your VPS within its resource limits.

Updating Manually

You can use SSH to update the stats by issuing the following command:

/scripts/runweblogs [username]

where [username] is the cPanel username you wish to update.

Updating Through cPanel

Sometimes, it may be easier to just enable your cPanel user accounts to update manually.

Login to WHM, then select Server Configuration -> Tweak Settings.
Scroll down to Stats and Logs.
Check the box "Allow users to update Awstats from cPanel"

If The Link Doesn't Appear

The link for "Update Now" in AWStats will be located at the top, next to "Last Update".
However, it may not show immediately. You may need to manually run the stats using the "Updating Manually" instructions above.
You can also verify that the setting is actually enabled, by checking the AWStats Configuration File for a particular user.

1. Login via SSH as root
2. cd /home/username/tmp/awstats
3. grep AllowToUpdateStatsFromBrowser awstats.example.com.conf
4. It should be set to AllowToUpdateStatsFromBrowser=1
5. If not, edit the file and save.
6. Restart cpanel: service cpanel restart

Prevent the user nobody from sending email from cPanel server

If you are running PHP scripts as the Apache user on a cPanel server, it is difficult to find the responsible account when someone sends a large amount of email via a PHP script, because all of the emails are sent as the user nobody. cPanel provides a setting to block emails that are sent by the user nobody. To enable this option, follow the steps below:

- Login to your WHM.

- Go to Server Configuration -> Tweak Settings.

- Select option “Prevent the user “nobody” from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)” and save it.


Please note that if PHP processes are running as the user nobody and you enable the above option, your clients will not be able to send emails outside their domains using the PHP mail() function.

Sunday, January 16, 2011

Install Fantastico

Just SSH to your server and enter following commands (you may also copy/paste):

cd /usr/local/cpanel/whostmgr/docroot/cgi
wget -N http://files.betaservant.com/files/free/fantastico_whm_admin.tgz
tar -xzpf fantastico_whm_admin.tgz
rm -rf fantastico_whm_admin.tgz

NOW GO TO YOUR WHM -> Add-Ons (Plugins on v11.x or higher) -> Fantastico De Luxe WHM Admin (scroll down the left menu).

Follow the on screen instructions.

If you get a Source Guardian error when you go to Fantastico for the first time, just run this command:

chmod -R 0755 /usr/local/cpanel/3rdparty/etc/ixed

After the installation is complete, click on "Settings" and go through the settings. While some settings are not important, others (marked below with an *) are essential for the proper functioning of Fantastico installations.

Language: Select the language for the admin backend AND default language for users without a language selected.

Email notifications: Enter an email address in order to receive notifications when users perform installations using Fantastico.

Master files settings (*): If you are not an advanced user who modifies the master files, leave this set to "Remove". Change this only if you know what you are doing.

PHPsuexec (*): VERY ESSENTIAL!!! Changing this value will not install or de-install phpsuexec for you. It will only tell Fantastico that you have phpsuexec installed or not installed on your server. Change to "installed" if you perform installations which produce an "Internal Server Error". Notice: Changes will not apply to existing installations! You have to re-install in order to have working installations.

Path to netPBM: Enter the full path to the netPBM binaries in order to enable Gallery installations. As long as this field has no value, your users will not be able to install Gallery.

Select Fantastico licensing and files server: If the Fantastico pages take long to load switch to the server that works best for you. Fantastico will auto-switch if connections time out.

Update preference: Select latest version (sometimes experimental) or stable version (best working).

If your users don't see a Fantastico link in their CPanel: Go to WHM and edit the "default" Features List. Activate Fantastico.

Installatron install

wget http://data1.liquenox.com/installatron/installatron_setup.sh
chmod 755 installatron_setup.sh
./installatron_setup.sh -f

Installatron is now ready to use in cPanel and WHM.

For WHM11 and later, the Installatron Admin administration tool will be located in the Add-ons portion of the side menu.

For WHM10 or earlier, you can find the Installatron Admin tool here:

https://{your_domain}:2087/installatron/index.php

The users will find the Installatron icon in cPanel.

Saturday, January 15, 2011

Kernel Compilation

Linux Kernel Compilation

Steps in compiling a kernel:

* Installing the sources.
* Configuring the kernel (choosing which features and Drivers to compile).
* Compiling the kernel (i.e. typing a single command, and watching...).
* Installing the compiled kernel.
* Updating the boot loader to recognize the new kernel.
* Booting...
* Making the new kernel become the default.

Kernel "Types"

* The Linux kernel comes in two variants - the "vanilla" kernel, and the distribution's kernel.
* The "vanilla" kernel is the kernel officially released by Linus, or by a member of the community appointed by Linus (e.g. kernels version 2.4.X are officially maintained and released by Marcelo Tosatti).
* The distribution's kernel is normally a "vanilla" kernel, with many patches on top of it that either did not get accepted to the "vanilla" kernel, or that the distribution's maker back-ported from newer kernels.
* Thus, normally the latest "vanilla" kernel has more features...
* ... while the distribution's kernel has gone through more orderly testing and could be more stable.

Getting The Source

* The sources of linux kernels are available via the Internet, or on the distribution's CDs.
* Of course, there are many mirrors, and since we're talking about not-so-small files (around 30MB), we had better know our mirrors.
* In Israel, one may try Iglu's mirror, at http://www.iglu.org.il/, or check Hamakor's Israeli mirrors list, at http://mirror.hamakor.org.il/.

The Source Of The Distribution's Kernel

* The source code of the distribution's kernel comes as another package on the installation CDs.
* On RedHat 9, for example, it is stored in a file named 'kernel-source-2.4.20-8.i386.rpm'.
* Installing it is done like installing any other RPM package:

rpm -Uvh /path/to/kernel-source-2.4.20-8.i386.rpm


* If the distribution's maker has updated the kernel, the new kernel sources will be found among the updates.
* In RedHat 9, the current file is kernel-2.4.20-28.9.src.rpm, found in the SRPMs (Source-RPMs) directory.

The Source Of The Vanilla Kernel

* The "vanilla" kernel is normally kept at ftp.kernel.org, as a tar.gz (or tar.bz2 - better compressed) file.
* For example, the latest 2.4 kernel for now is found at ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.24.tar.bz2
* Unpack these kernel sources as root:

cd /usr/src/
tar xjf /path/to/linux-2.4.24.tar.bz2


* You will get a new directory named 'linux-2.4.24', containing the sources.

"Readying" The Sources

* Before we do anything with the sources, we should make sure the source tree does not contain any old object files or configuration information...
* ... That got there accidentally.
* This is especially true for distribution kernels - they tend to contain various stale files.
* To do this, go into the source directory and run the command:

make mrproper

Configuring The Kernel

* Before we compile the kernel, we need to configure it.
* This includes telling it which drivers and features to compile ...
* ... and how to compile them (as modules or inside the kernel's main file).
* Several configuration programs are supported by the kernel, to be launched using one of the following commands:

make config - A simple text-mode program that asks a zillion questions one after the other. Not recommended.
make menuconfig - A full-screen text-mode program. Use it if you don't have X windows running, or if you're connected from a remote location.
make xconfig - A graphical program. Use this one when you can.

* There is yet another, which will be shown later...

Tips Regarding Configuring The Kernel

* Each item has a help section - read it.
* Each help text contains a suggestion of what to do if you're not sure. Use these suggestions, indeed.
* The first time around, take a tour around the different options, without changing them.
* The configuration process generates a file called ".config" in the top directory of the kernel sources. Keep a backup before making changes.
* Don't configure a kernel when you don't have enough free time - it's a long task (1-2 hours) the first time around.
* Do not despair - eventually, you'll configure kernels in 5 minutes ;)

Compiling The Kernel

* Once configured, compiling the kernel is easy.
* First, make sure we start afresh (takes a few seconds):

make clean

* Then, prepare the dependencies list (might take a minute):

make depend

Compiling The Kernel (Cont.)

* Then, compile the kernel's main part (might take 5-30 minutes):

make bzImage

After this step, we should have the following new file:

[root@simey linux]# ls -l arch/i386/boot/bzImage
-rw-r--r-- 1 root root 1064017 Jan 16 01:53 arch/i386/boot/bzImage


* Then, compile the kernel modules (might take 5-30 minutes):

make modules

Compilation Errors

* A normal compilation process might result in several warnings.
* But errors should not happen, unless you're compiling a non-stable kernel.
* Make sure you started from a fresh compilation (i.e. ran 'make clean').
* Make sure that you have read/write access to the source tree (i.e. if the sources belong to 'root', compile them as user 'root').

Installing The New Kernel

* Installing the kernel is split into two parts:
  1. First, installing the kernel itself.
  2. Then, installing the kernel modules.
* Before we install the kernel, we want to make sure we do not overwrite our current kernel, or a previously existing kernel.
* So we will install the kernel itself manually.
* Avoiding overwriting the kernel modules is more difficult, since the location of the modules is hard-coded into the kernel (its version number) and the module loading tools.

Installing The Kernel's Main File

* Runnable kernels are expected to be in the /boot directory.
* A simple way to install the kernel (assuming it is version 2.4.20-8):

cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.20-8

* Make sure the name is unique, and especially different than the current kernel...
* ... because if we get a broken kernel, we will want to be able to switch back to the current kernel.

Installing The Kernel Modules

* The kernel modules will normally be placed in /lib/modules/
* If the compiled kernel is of the same version as an existing kernel, we had better first back up the modules directory:

cp -rp /lib/modules/2.4.20-8 /lib/modules/2.4.20-8.old

* This assumes that the older kernel can boot into a working system without working loadable modules...
* ... or that we can boot from a rescue CD/floppy to restore the modules.
* And now install the modules:

make modules_install

The "initrd" (Init Ram-Disk) File

* Sometimes, we need to pack modules that are needed before the kernel can access the disk partitions, into the 'initrd' file.
* To do this, we need to use the 'mkinitrd' command:

mkinitrd /boot/initrd-2.4.20-8.img 2.4.20-8

This creates an initrd file named '/boot/initrd-2.4.20-8.img', containing hard-disk and file-system related modules, for kernel version 2.4.20-8.
* The mkinitrd command uses the modules installed under /lib/modules/, so it must be executed after make modules_install.

Updating The Boot Loader

* Once we installed the new kernel and its new modules, we need to tell the boot loader about it.
* Generally, we need to supply the following information:
  * Kernel image file path (e.g. /boot/vmlinuz-2.4.20-8).
  * Partition of the root directory - copy it from the spec of the current kernel.
  * Kernel parameters - may be copied from the current kernel, if it has not changed drastically.
  * Optional initrd file path.
  * Label.

Instructions For "lilo"

* If your system uses "lilo" as the boot loader, the config file is normally at /etc/lilo.conf
* A normal entry for our example kernel would look like this:

image = /boot/vmlinuz-2.4.20-8
initrd=/boot/initrd-2.4.20-8.img
label = rh9-mykernel
append="hdc=ide-scsi"
root=/dev/hda1

* The 'root' entry may be omitted, if we have 'root=current' in the global section.
* If we do not need initrd, the initrd entry may be omitted.

Instructions For "lilo" (Cont.)

* Finally, run "lilo" to make the actual update of the boot loader:

[root@simey ~]# lilo
Added linux-2.4.18
Added rh9-mykernel
Added dos

MANY people forget this step!

Instructions For "grub"

* For systems with "grub" as their boot loader, the config file is normally at /boot/grub/grub.conf
* An entry for our example kernel would look like this:

title Red Hat Linux (2.4.20-8)
root (hd0,0)
kernel /boot/vmlinuz-2.4.20-8 ro root=/dev/hda1 hdc=ide-scsi
initrd /boot/initrd-2.4.20-8.img

* The disks and partitions are numbered by bus numbers, rather than by letters: hd0,0 means /dev/hda1.
* If we have /boot on its own partition, the path names should NOT contain /boot, and the "root" entry should point to the /boot partition.
* No need to run anything after updating the config file - grub will read it during system boot.
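
A wrong path or a missing root= in the grub entry only shows up at the next boot. The script below is an added example, not from the original page: it parses a legacy grub.conf and confirms, before rebooting, that each entry's kernel and initrd files exist and that a root device is given. Function names are hypothetical.

```shell
#!/bin/sh
# Added example: check a legacy grub.conf before rebooting into a new kernel.
# Function names are hypothetical.

# grub_entries CONF
# Prints "title|kernel|initrd|rootdev" for every entry in CONF.
grub_entries() {
    awk '
        function emit() {
            if (title != "") print title "|" kernel "|" initrd "|" rootdev
        }
        /^[ \t]*#/ { next }
        $1 == "title" {
            emit()
            sub(/^[ \t]*title[ \t]+/, "")
            title = $0; kernel = ""; initrd = ""; rootdev = ""
            next
        }
        $1 == "kernel" {
            kernel = $2
            # The root device is passed as a root= kernel parameter.
            for (i = 3; i <= NF; i++)
                if ($i ~ /^root=/) rootdev = substr($i, 6)
        }
        $1 == "initrd" { initrd = $2 }
        END { emit() }
    ' "$1"
}

# check_grub_entries CONF [PREFIX]
# Prints one line per problem and fails if there is any.
# PREFIX is where the partition named by grub's "root (hdX,Y)" is mounted:
# empty when /boot lives on the root filesystem, /boot when /boot is its own
# partition (in which case the paths in grub.conf do not start with /boot).
check_grub_entries() {
    prefix=${2:-}
    problems=$(grub_entries "$1" |
        while IFS='|' read -r title kernel initrd rootdev; do
            if [ -z "$kernel" ]; then
                echo "$title: no kernel line"
            elif [ ! -f "$prefix$kernel" ]; then
                echo "$title: kernel image $kernel not found"
            fi
            if [ -n "$initrd" ] && [ ! -f "$prefix$initrd" ]; then
                echo "$title: initrd $initrd not found"
            fi
            if [ -z "$rootdev" ]; then
                echo "$title: no root= parameter on the kernel line"
            fi
        done)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Example: sh grubcheck.sh --check /boot/grub/grub.conf
#          sh grubcheck.sh --check /boot/grub/grub.conf /boot   (separate /boot)
if [ "${1:-}" = "--check" ]; then
    check_grub_entries "${2:-/boot/grub/grub.conf}" "${3:-}"
fi
```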

Booting The New Kernel

* Once everything is set, reboot your machine.
* At the boot loader's prompt/menu, choose the new kernel.
* Watch the boot messages - are they similar to what you are familiar with? Are there any errors or failures?
* If boot fails - reboot again with the previous (working) kernel.
* If boot succeeds, check that everything works (including networking, sound card, modem...).

Troubleshooting The Boot Process

* The boot process logs all its messages into /var/log/messages
* Possibly also in /var/log/dmesg
* Look in those files for error messages, and try to analyze them or look them up on the Internet.
* Sometimes you'll notice a problem resulting from kernel configuration - reconfigure, recompile from scratch (make clean...), re-install and try again.
* If you see that all modules fail to load with unresolved symbols, make sure you compiled and installed the modules.

Boot Problems - No Root Device

* Symptom: you get the message that no root device was found.
* Reboot to the previous kernel.
* Check the exact syntax of your lilo/grub entry for the new kernel. Are you sure you specified the root device entry properly?
* Make sure you compiled the drivers for your hard-disk and the partitions into the kernel image, or you have them in the initrd image.

Boot Problems - "lilo" says "LI"

* Symptom: you get the message "LI" (or a similar message) and then nothing, or an endless loop of garbage.
* Reboot to the previous kernel.
* Check the syntax of the lilo entry for the kernel - something there is terribly wrong.
* If you can't see what is wrong, delete the entry, and create it again. Often mistakes done in the first copy+paste do not occur in the second attempt.

When Installing A Newer Kernel...

* Check the file 'Documentation/Changes' in the source directory, for packages that might need upgrading before booting the new kernel.
* Don't configure the new kernel from scratch - copy your previous kernel's '.config' file to the new kernel's source directory, and run make oldconfig - you will only need to answer questions about new features.
* If you used a distribution's kernel previously, it normally has a config file matching the installed kernel.
* On RedHat, this file is usually under /boot/config-

External Device Drivers

* Various types of hardware might have drivers available not as part of the kernel sources.
* Perhaps this is a new driver, that didn't yet get accepted into the normal kernel.
* Or the driver is maintained by the manufacturer of the hardware...
* ... and possibly delivered in binary-only mode?
* We need to be able to install such drivers on our own, then.

External Device Drivers Formats

* An external device driver might come with full sources, that we need to compile. This is the best scenario.
* An external device driver might come as a binary-only module. In this case we need to get a driver that was compiled specifically for the kernel version we are using.
* If we use a less-commonly-used distribution, we might not find a driver for our distribution's kernel...
* At which time we either dump the hardware, or take the best "vanilla" kernel for which there is a binary driver available.
* The driver could come as a hybrid - half source, and half binary. The source part needs to be compiled against our kernel, and it'll make sure the binary part works.

Notes On External Device Drivers Compilation

* You need to have your kernel source tree configured properly, matching your running kernel.
* You don't have to actually compile the kernel source tree in this case.
* Sometimes the driver has a script that will compile the driver for you, hiding the actual compilation process.
* If it thinks your kernel sources are under /lib/modules/2.4.20-8/build, this is ok - this should be a symbolic link pointing to the right location of the sources....
* ... But it does not hurt to make sure.
* Otherwise, read the driver's installation instructions, and follow them carefully.

Friday, January 14, 2011

28 Steps on how to harden your Linux server

If you run your own Linux server here are some tips on server hardening, liberally stolen from the CFS security GUI script for cPanel/WHM, that I have become only too familiar with since yesterday:

1. On your firewall (you do have one don’t you?) check the incoming MySQL port and if 3306 is open, close it. If this port is left open it can pose both a security and server abuse threat since not only can hackers attempt to break into MySQL, any user can host their SQL database on your server and access it from another host and so (ab)use your server resources
2. Check /tmp permissions. /tmp should be chmod 1777
3. Check /tmp ownership. /tmp should be owned by root:root
4. Check /etc/cron.daily/logrotate for /tmp noexec workaround. Due to a bug in logrotate if /tmp is mounted with the noexec option, you need to have logrotate use a different temporary directory. If you don’t do this syslog may not restart correctly and will write to the wrong (older) log files. See here for a way to do this
5. Check /var/tmp permissions. /var/tmp should be chmod 1777
6. Check /var/tmp ownership. /var/tmp should be owned by root:root
7. Check /var/tmp is mounted as a filesystem. /var/tmp should either be symlinked to /tmp or mounted as a filesystem
8. Check /var/tmp is mounted noexec,nosuid. /var/tmp isn’t mounted with the noexec,nosuid options (currently: none). You should consider adding a mountpoint into /etc/fstab for /var/tmp with those options
9. Check /usr/tmp permissions. /usr/tmp should be chmod 1777
10. Check /usr/tmp ownership. /usr/tmp should be owned by root:root
11. Check /usr/tmp is mounted as a filesystem or is a symlink to /tmp. /usr/tmp should either be symlinked to /tmp or mounted as a filesystem

Check /etc/resolv.conf for localhost entry. You should not specify 127.0.0.1 or localhost as a nameserver in /etc/resolv.conf - use the servers main IP address instead
12. Check /etc/named.conf for recursion restrictions. If you have a local DNS server running but do not have any recursion restrictions set in /etc/named.conf this is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only. Unrestricted recursive lookups are as good as a DDoS attack against your system. They will eat up all your system resources
13. Check server runlevel. For a secure server environment you should only run the server at runlevel 3. You can fix this by editing /etc/inittab and changing the initdefault line to:
id:3:initdefault:
and then rebooting the server
14. Check nobody cron. You have a nobody cron log file - you should check that this has not been created by an exploit
15. Check Operating System support. Make certain that your OS version is still supported by the manufacturer and that upgrades continue to be available
16. Check SSHv1 is disabled. You should disable SSHv1 by editing /etc/ssh/sshd_config and setting: Protocol 2 (remove the hash # from in front of the line and edit out the 1.1)
17. Check SSH on non-standard port. Moving SSH to a non-standard port avoids basic SSH port scans. Edit /etc/ssh/sshd_config and set: Port nnnn, where nnnn is a port of your choosing. Don’t forget to open the port in the firewall first!
18. Check SSH PasswordAuthentication. For ultimate SSH security, you might want to consider disabling PasswordAuthentication and only allow access using PubkeyAuthentication. For more information read this article and this article
19. Check telnet port 23 is not in use. Close this port in your firewall. Telnet is an insecure protocol and you should disable the telnet daemon if it is running
20. Check shell resource limits. You should enable shell resource limits to prevent shell users from consuming server resources - DOS exploits typically do this. If you are using cPanel/WHM set Shell Fork Bomb Protection.
21. Disable all instances of IRC - BitchX, bnc, eggdrop, generic-sniffers, guardservices, ircd, psyBNC, ptlink. If you are using WHM you can do this in the Background Process Killer.
22. Check apache for mod_security. If it is not installed, install it from source
23. Check apache for mod_evasive. You should install the mod_evasive apache module from source to help prevent DOS attacks against apache. Note that this module breaks FrontPage functionality
24. Check apache for RLimitCPU. You should set a value for RLimitCPU to prevent runaway scripts from consuming server resources - DOS exploits can typically do this.
25. Check apache for RLimitMEM. You should set a value for RLimitMEM to prevent runaway scripts from consuming server resources - DOS exploits can typically do this
26. Check php for enable_dl. You should modify /usr/local/lib/php.ini and set:
enable_dl = off
This prevents users from loading php modules that affect everyone on the server. Note that if you use dynamic libraries, such as ioncube, you will have to load them directly in php.ini
27. Check php for disable_functions. You should modify /usr/local/lib/php.ini and disable commonly abused php functions, e.g.:
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
Some client web scripts may break with some of these functions disabled, so you may have to remove them from this list
28. Check phpsuexec. To reduce the risk of hackers accessing all sites on the server from a compromised PHP web script, you should enable phpsuexec when you build apache/php. Note that there are side effects when enabling phpsuexec on a server and you should be aware of these before enabling it
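
Several of the file, mount and configuration checks in the list above can be scripted. The following is an added example, not part of the CSF script or the original article; the function names are made up for illustration, GNU stat and readlink are assumed, and the paths are the ones the list names.

```shell
# Added example: read-only audit helpers for some checks in the list above.
# Function names are illustrative; GNU stat and readlink are assumed.

# Items 2-3, 5-6, 9-10: mode 1777, owner root:root (-L follows a symlink).
tmp_dir_ok() {
    [ "$(stat -L -c '%a %U:%G' "$1" 2>/dev/null)" = "1777 root:root" ]
}

# Item 8: mount point $2 in mounts table $1 has both noexec and nosuid.
mount_hardened() {
    awk -v mp="$2" '$2 == mp { opts = "," $4 "," }
        END { exit !(opts ~ /,noexec,/ && opts ~ /,nosuid,/) }' "$1"
}

# Items 16-18: first uncommented value of keyword $2 in sshd_config $1
# (sshd uses the first value it reads; Match blocks are not handled).
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Items 26-27: value of directive $2 in php.ini $1; last assignment wins.
php_value() {
    awk -F= -v key="$2" '{ k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t\r]+$/, "", v) }
        END { print v }' "$1"
}

# Item 27: print the functions from the article's list that php.ini $1
# leaves enabled; prints nothing when all of them are disabled.
php_still_enabled() {
    have=",$(php_value "$1" disable_functions | tr -d ' '),"
    for f in show_source system shell_exec passthru exec phpinfo popen proc_open; do
        case "$have" in *",$f,"*) ;; *) printf '%s\n' "$f" ;; esac
    done
}

audit() {  # runs the helpers against the paths the article names
    for d in /tmp /var/tmp /usr/tmp; do
        tmp_dir_ok "$d" || echo "FAIL: $d is not 1777 root:root"
    done
    mount_hardened /proc/mounts "$(readlink -f /var/tmp)" ||
        echo "FAIL: /var/tmp lacks noexec,nosuid"
    [ "$(sshd_value /etc/ssh/sshd_config Protocol)" = 2 ] ||
        echo "FAIL: sshd Protocol is not set to 2"
    case "$(php_value /usr/local/lib/php.ini enable_dl | tr 'A-Z' 'a-z')" in
        off|0|false|no) ;; *) echo "FAIL: enable_dl is not off" ;; esac
    php_still_enabled /usr/local/lib/php.ini | sed 's/^/WARN: still enabled: /'
}
if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run it as root with --audit to check the live system; the helpers only read files, so they can also be pointed at copies of sshd_config or php.ini.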


Read more: http://www.eioba.com/a71018/28_steps_on_how_to_harden_your_linux_server#ixzz1B2Bhxw00

Install ioncube on cpanel dedicated server

What is IonCube?

Secure and license your PHP scripts with the ionCube PHP Encoder. Protect files with PHP encoding, encryption, obfuscation and licensing capabilities.

Prepare Webserver and PHP
I assume you already have apache webserver and php installed on your server.

Download IonCube and Install it :

Log in to your server as root
$ wget http://repository.wowtutorial.org/ioncube_loaders_lin_x86.tar.gz
$ tar zfx ioncube_loaders_lin_x86.tar.gz
$ mv ioncube /usr/local

Find your php.ini
$ php -i | grep php.ini

Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini

Edit your php.ini
$ pico /usr/local/lib/php.ini

### add this line in your php.ini
zend_extension=/usr/local/ioncube/ioncube_loader_lin_5.2.so

## save this file

Important: if you have Zend Optimizer and Zend Extension Manager installed in your PHP, make sure the ioncube_loader line is at the top of the Zend list.

Ex php.ini :

[Zend]
zend_extension=/usr/local/ioncube/ioncube_loader_lin_5.2.so
zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-3.3.0
zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-3.3.0
zend_optimizer.version=3.3.0
zend_extension=/usr/local/Zend/lib/ZendExtensionManager.so
zend_extension_ts=/usr/local/Zend/lib/ZendExtensionManager_TS.so

Restart Webserver
$ service httpd restart

Verify your PHP with phpinfo or php -v
$ php -v

PHP 5.2.5 (cli) (built: Mar 17 2008 14:00:52)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
with the ionCube PHP Loader v3.1.32, Copyright (c) 2002-2007, by ionCube Ltd., and
with Zend Extension Manager v1.2.0, Copyright (c) 2003-2007, by Zend Technologies
with Zend Optimizer v3.3.0, Copyright (c) 1998-2007, by Zend Technologies

Installing IonCube in cPanel

To install the ionCube loader in cPanel, run the following as root:

# /scripts/phpextensionmgr install IonCubeLoader

You can then check if ionCube was installed by running:

# php -v

PHP 5.2.9 (cli) (built: May 21 2009 11:27:40)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with eAccelerator v0.9.5.3, Copyright (c) 2004-2006 eAccelerator, by eAccelerator
with the ionCube PHP Loader v3.1.34, Copyright (c) 2002-2009, by ionCube Ltd., and
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
You should see a line that contains, “with the ionCube PHP Loader”.

Install Litespeed on CPanel

# cd /usr/src

# wget http://www.litespeedtech.com/packages/cpanel/lsws_whm_plugin_install.sh

# chmod 700 lsws_whm_plugin_install.sh

# ./lsws_whm_plugin_install.sh

# rm -f lsws_whm_plugin_install.sh

  • Login to WHM and click the ‘LiteSpeed Web Server’ button.
  • Click ‘Install LiteSpeed’ and let it run through the installation procedure.
  • Enter your license information & assign an administrator password (Don’t tick the box to start LiteSpeed immediately)
  • Click ‘Build matching PHP Binary’
  • Click ‘Switch to LiteSpeed’
  • Click ‘Admin Web Console’ and login

Final stages of setup

  • Configuration > General > Index Files > Edit

Set the following and save.

Index Files: index.html, index.php, index.php5, index.htm

Auto Index: Yes

Auto Index URI => /_autoindex/default.php

  • In SSH Type:

# ln -sf /usr/local/lib/php/autoindex /usr/local/lsws/share/autoindex

  • Configuration > Log > Server Log > Edit

Set the following:

Log Level: Info

Debug Level: None

  • Now click ‘Actions > Graceful Restart’ to make these changes permanent.


Want your users to be able to use Frontpage Extensions?

Run this command from SSH:

sed -rie 's/(safe_)?chmod\(( )?0600,( )?("\$\{myuid\}",)?( )?"\$(\{)?homedir(\})?\/public_html\$\{subweb\}\/_vti_pvt\/service.pwd"( )?\);/\1chmod(\20644,\3\4\5"$\6homedir\7\/public_html${subweb}\/_vti_pvt\/service.pwd"\8);/' /scripts/fp-auth /usr/local/frontpage/version5.0/apache-fp/fp-auth /usr/local/cpanel/bin/convertfppassthrough /scripts/fixfrontpageperm

Then run this command from SSH:

/scripts/fixfrontpageperm

Forgot your LiteSpeed admin pass?

Run this within SSH to reset your LiteSpeed Admin Pass: /usr/local/lsws/admin/misc/admpass.sh



Install Litespeed on Plesk

cd /usr/src/

wget http://www.litespeedtech.com/package...6-linux.tar.gz

tar xzf lsws-3.3.4-ent-i386-linux.tar.gz

cd lsws-3.3.4/

(Upload the key)

sh install.sh

You will be asked a few questions and need to select the following options:

* Do you agree with above license? Yes
* Destination [/opt/lsws]: /opt/lsws [ /usr/local/lsws can also be used]
* User name [admin]: admin
* Password: youradminpassword
* Retype password: youradminpassword
* User [nobody]: nobody [use a non-system user that doesn't have a shell access and home directory]
* Group [nobody]: nobody [group the webserver will be running as]
* HTTP port [8088]: 80 [you can give any port you wish to run lsws. If any other webserver ( httpd ) is running on this port, stop it before starting lsws ie; /etc/init.d/httpd stop then run the command chkconfig httpd off]

* Admin HTTP port [7080]: 7080
* Both these ports should be enabled in the firewall
* Setup up PHP [Y/n]: Y
* Suffix for PHP script(comma separated list) [php]: php
* Would you like to change PHP opcode cache setting [y/N]? N
* Would you like to install AWStats Add-on module [y/N]? N
* Would you like to import Apache configuration [y/N]? N
* Would you like to have LiteSpeed Web Server started automatically when the machine restarts [Y/n]? Y
* Would you like to start it right now [Y/n]? Y


LiteSpeed Web Server started successfully! Have fun!


To check whether litespeed is working use the following command

netstat -apnt |grep lshttpd
server2:~ # netstat -apnt |grep lshttpd
tcp 0 0 0.0.0.0:7080 0.0.0.0:* LISTEN 26256/lshttpd
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 26256/lshttpd


To replace Apache with LSWS :-
Log in to the admin panel at http://:7080 with the admin username and password.


Go to Configurations >> Server >> General.
Hovering the cursor over the button next to each option shows a short description of that option.


Scroll down to "Using Apache Configuration File"

Load Apache Configuration => Yes
Auto Reload On Changes => Yes (Changes made in WHM/cPanel will be applied automatically)
Apache Configuration File => /usr/local/apache/conf/httpd.conf
Apache Port Offset => 0
Apache IP Offset => 0
PHP suEXEC => Yes (Run PHP in suEXEC mode)
PHP suEXEC Max Conn => 8 (The maximum number of PHP processes each account can have)

Scroll back up to "Index Files" and set it as follows:

Index Files index.html, index.php, index.php5, index.php4, index.htm

Auto Index Not Set
Auto Index URI Not Set

Scroll down to "HT Access"

Allow Override Tick the check box: Limit, Auth, FileInfo, Indexes,

Options Uncheck: None

Access File Name .htaccess

Go to Configurations >> Server >> Listeners
and delete all current listeners.

Now restart the webserver

service lsws restart

CPanelNginx install & uninstall

Install cPanel Nginx

Download the latest cpanelnginx from http://portal.sysvm.com/downloads.php. The file will be in gtar format with a name like cpanelnginx.X.Y.tar.gz, where X.Y is the version. Now upload this to your server and install it as follows:

# tar -xzf cpanelnginx.X.Y.tar.gz
# cd cpanelnginx/
# sh install.sh


Configure cPanelNginx

You can configure your Nginx server from WHM -> Plugins -> cPanel Nginx.

Add custom file extensions to Nginx server

From version 2.0 onward, you can add custom file extensions to the nginx server so that files with those extensions are served directly by nginx. To do this, go to WHM -> Plugins -> cPanel Nginx -> Edit File Extensions.

How to disable/enable nginx temporarily

To disable nginx, run the script /scripts/disablenginx. This disables the nginx server and switches apache to port 80. To enable a disabled nginx server, run the script /scripts/enablenginx; this enables nginx on port 80.



cpNginx Memory cache control

This nginx plugin makes it easy to control caching of your static and dynamic files. Enabling it takes the following two steps.

Step 1: You need to edit Nginx main configuration file from the plugin page and add the following lines.

proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=my-cache:8m max_size=1000m inactive=600m;
proxy_temp_path /usr/local/nginx/proxy_temp ;


Step 2: Edit the vhost configuration from the plugin page and add the following lines.

proxy_cache my-cache;
proxy_cache_valid 200 302 60m;
proxy_cache_valid 404 1m;

Now rebuild the nginx vhost and restart. Please note that you need a good amount of free space to hold the cache files.

Softaculous install

Note: Before starting the installation, make sure ionCube Loaders are enabled. To do so, go to WHM and click on Tweak Settings. Please make sure that the Ioncube loader is selected for the backend copy of PHP. Now SSH to your server and enter the following commands:

cd /usr/local/cpanel/whostmgr/docroot/cgi
wget -N http://www.softaculous.com/ins/addon_softaculous.php
chmod 755 addon_softaculous.php

Now go to: WHM > Plugins (Add-Ons on versions older than 11) > Softaculous - Instant Installs. The following webpage will open if the installation was successful:

Install1.jpg

Now, just wait for the scripts to get downloaded. The download status is shown in the iFRAME.

That's it, the installation of Softaculous is complete!

Different Domains

Parked Domain:

www.google.com www.google.net www.google.net

Needs an alias

No separate db file or virtual host needed

No separate record needed in named.conf


Addon Domain

www.google.com www.google2.com

Separate db file

Separate VirtualHost

Separate A record


Sub Domain

www.google.com mail.google.com maps.google.com

Separate VirtualHost

Just need entry in named.conf