Author Archives: Joel T Abraham

ip_conntrack: table full, dropping packet !!

Facing an issue with the kernel module, ‘ip_conntrack’ ?

Checking /var/log/messages gives something like this ?

==========

Nov 13 14:45:23 host kernel: ip_conntrack: VPS xxx table full, dropping packet.
Nov 13 14:45:43 host kernel: ip_conntrack: VPS xxx table full, dropping packet.
Nov 13 14:45:48 host kernel: ip_conntrack: VPS xxx table full, dropping packet.

==========

If you run an iptables firewall, and have rules that act upon the state of a packet,
then the kernel uses ip_conntrack to keep track of what state what connections are in so that
the firewall rule logic can be applied against them. If you have a system that’s getting a lot
of network activity then the table will accumulate entries.

* Increase ip_conntrack to a higher value by editing /etc/sysctl.conf

Add/edit this line,

net.ipv4.ip_conntrack_max=xxxx

Run , #sysctl -p after making the changes.

Check the current value using the command,

# sysctl net.ipv4.netfilter.ip_conntrack_max

Dont keep on increasing the above value (ip_conntrack_max) beyond a limit, if you still see the error after the increase. This error might indicate the start of something more destructive attack on your servers network, something like a DDoS attacks. The amount of packets sent/received during this period would be on the higher side and as a result the kernel module isnt able to process them all, which results in the above error.

So check for the server traffic using commands like iftop or tcpdump and isolate if the
issue is related to any attacks.

Dovecot issue – dovecot.index file broken ?

Dovecot issue – dovecot.index file corrupted?

Any email user not able to access via his webmail? Does it show
logins failed, even if you are cent percent sure logins are correct?

Check /var/log/maillog.

# tailf /var/log/maillog

If you find anything like dis,

=============

Nov 12 20:59:02 host dovecot: imap(zzzz@yyyy.com): Error: Transaction log file /home/xxxx/mail/yyyy.com/zzzz/dovecot.index.log seq 302:

Nov 12 20:59:02 host dovecot: imap(zzzz@yyyy.com): Error: broken sync positions in index file /home/xxxx/mail/yyyy.com/zzzz/dovecot.index

Nov 12 20:59:02 host dovecot: imap(zzzz@yyyy.com): Warning: fscking index file /home/xxxx/mail/yyyy.com/zzzz/dovecot.index

Nov 12 20:59:02 host dovecot: imap(zzzz@yyyy.com) Error: Fixed index file /home/xxxx/mail/yyyy.com/zzzz/dovecot.index log_file_tail_offset 1184 -> 988

Nov 12 20:59:02 host dovecot: imap(zzzz@yyyy.com): Panic: file mail-transaction-log.c: line 350 (mail_transaction_log_set_mailbox_sync_pos): assertion failed: (file_offset >= log->head->saved_tail_offset)

=============

As indicated in the logs, there seems to be an issue with the dovecot index file for the user ‘zzzz’. The basic idea behind Dovecot’s index files is that it makes reading the mailboxes a lot faster.

This happens to be a long term issue with dovecot.

The solution to fix this issue is to delete dovecot.index file.

 

Out of memory error in PHP scripts?

Facing the following error when running any PHP scripts ?

=========
PHP Fatal error: Out of memory (allocated xxxxx (tried to allocate xxxx bytes)
=========

Tried increasing the memory limit from php.ini file and still getting the above error ?

Initially, we might think this issue is with the memory limit factor seen in php.ini file.
But if we analyze the error we get we can see that the issue was not with
the PHP.ini configuration settings.

Usually, when a PHP script does not have enough memory to execute itself,
the error message seen is as below :

=========
Fatal error: Allowed memory size of xxxx bytes exhausted (tried to allocate xxxxxx bytes)
=========

In this case, the error seen is not the usual one, which suggests its not directly related to the PHP configuration.

When we analyse things further, we could see that the real issue lies within
the Apache configuration. Apache have memory limits of its own set in the configuration
files. This value is referred to as ‘RLimitMEM’

Explanation of RLimitMEM from the official documentation of Apache :

===============

RLimitMEM Directive

It sets the soft resource limit for all processes and the second parameter sets the maximum resource limit. It indicate to the server that the limit should be set to the maximum allowed by the operating system configuration. Raising the maximum resource limit requires that the server is running as root, or in the initial startup phase.

This applies to processes forked off from Apache children servicing requests, not the Apache children themselves. This includes CGI scripts and SSI exec commands, but not any processes forked off from the Apache parent such as piped logs.

Memory resource limits are expressed in bytes per process.

===========

So, increase this value/limit from your httpd configuration file, to get around this issue.

Want PHP4 and PHP5 in same cPanel server ?

Want PHP4 and PHP5 running in the same cPanel server ?

Kindly keep in mind, PHP4 is no longer supported (1st released in 2000) Not preferred to do this unless you absolutely need it. Since it’s not supported anymore, it could leave your server more vulnerable than it would be without it.

To install, do the following steps:

* Download the PHP4 custom module for EasyApache from,

http://docs.cpanel.net/twiki/pub/EasyApache/EasyApacheCustomModules/custom_opt_mod-PHP449.tar.gz

* Extract the tarball to the folder, /var/cpanel/easy/apache/cusom_opt_mods

# tar -C /var/cpanel/easy/apache/custom_opt_mods -zxvf custom_opt_mod-PHP449.tar.gz

* Run EasyApache ( from WHM or # /scripts/easyapache )

* Enable the PHP4.4.9 support module in the short options list.

* Complete the steps of EasyApache

* Verify both PHP versions are present

# php4 -v & # php -v

* Configure apache to run both versions of php***

# /usr/local/cpanel/bin/rebuild_phpconf 5 cgi dso 1
(The syntax is rebuild_phpconf <Default PHP Major Version> <PHP4 Handler> <PHP5 Handler> <Suexec>)

–> So in the above case, php5 is default PHP Major version
CGI is PHP4 handler and DSO is PHP5 handler and suexec is enabled.

* If the PHP4 script requires the extension to be .php instead of .php4, you can set the handler for the one site using a .htaccess with the following contents:

AddType application/x-httpd-php4 .php

Exim cheatsheet !!

# cat /var/log/exim_paniclog :info abt the exim program itself
# cat /var/log/exim_mainlog :logs every single transaction that the server handles
# cat /var/log/exim_rejectlog :this logs delivery rejections
# exim -bp :show mails on the queue
# exim -bpc :This option counts the number of messages on the queue
# exim -bpr :This option operates like -bp, but the output is not sorted into
chronological order of message arrival.
# exim -bp | exiqsumm : generate a summary table for all the messages in the queue
# eximstats /var/log/exim_mainlog :  Display Exim stats using the default log file

==================

# eximstats -ne -nr -nt /path/to/exim_mainlog : More concise info from the log

ne : display error info

nr : display relaying info

nt : display transport info that matches

–bydomain:show results by sending domain

–byemail:show results by sender email id

–byhost:show results by sending host

==================

# fgrep YYYY-MM-DD /path/to/exim_mainlog | eximstats : Narrow down Exim stats
generation to a particular day

# exiwhat : show what is exim doing at the moment

# exim -bt [user]@domain : Test how Exim's configuration will handle mail
sent to the specified address

# exiqgrep -f [user]@domain: Find messages from a particular sender in the queue

# exiqgrep -r [user]@domain: Find messages to a particular addressee on your server

# exim -Mrm <message-id> [ <message-id> ... ]: Remove a specific
message(s) from the queue

# exiqgrep -o 36000 -i | xargs exim -Mrm: Remove all messages older than
ten hours (36000 seconds)

# exiqgrep -y 3600 [...] : Use -y to print messages that are younger than the
specified number of seconds. For example, messages less than an hour old

# exim -Mvh <message-id>: View a specific messages full headers

# exim -Mvb <message-id>: View a specific messages body

# exim -Mvl <message-id>: View a specific messages Exim log

# exim -qf : Force another queue run

# exim -qff : Force another queue run and attempt to flush frozen messages

# exim -Mar <message ID> "rcpt address" : Add recipient

# exim -Mes <message ID> "to address" : Edit sender

# exim -bv <address> :Verify an address

# exim -bp | grep frozen | wc -l : To check frozen emails in the queue

# exiqgrep -z -i | xargs exim -Mrm : Delete frozen mails

How to customize SpamAssassin!!

SpamAssassin can be configured from cPanel of each domain. It can be customized further by
adding rules or filters.

In order to specify custom rules for a domain, you need to create the file
~/.spamassassin/user_prefs’ for each domain.

For eg, for the domain letushare.com under the account letushare, you need to create a file /home/letushare/.spamassassin/user_prefs and add the custom rules.

A simple rule,

body LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 0.1
describe LOCAL_DEMONSTRATION_RULE

This rule does a simple case-sensitive search of the body of the email for the string 
“test” and adds a 0.1 to the score of the email if it finds it. It will match “test”
but also “testing” and “attest”. The describe statement contains the text which will
be placed into the verbose report, if verbose reports are used.

 

Changing Exim interface IP !!

In order to change the exim interface IP, do the following :

Editing /etc/mailips : This file controls the IP address from which each domains
should send mail. You will need to create and open the /etc/mailips file for editing using
your preferred text editor. You will need to configure this file in the following way:

*: 192.168.0.1 (<- desired IP )

Disable this option,

From WHM »Service Configuration »Exim Configuration Manager>>
Domain and IPs>> Send mail from account’s dedicated IP address "on"

And enable this option,

Reference /etc/mailips for outgoing SMTP connections.

And now, restart the exim service.

Virtuozzo – Basics

Virtuozzo is a software application for enterprise server virtualization that allows an administrator to create virtual environments on a host computer at the operating system (OS) layer. Instead of having one physical machine run multiple operating systems simultaneously, as the virtual machine model used by VMware, Virtuozzo approaches virtualization by running a single OS kernel as its core and exporting that core functionality to various partitions on the host.

Each of the partitions effectively becomes a stand-alone entity called a virtual private server (VPS)

Installation in a CentOS box:
Before proceeding to the installation of virtuzzo make sure you have the partition /vz or
create it if you are installing on a fresh server

/vz contains all container data and parallels virtuzzo containers templates

INSTALLATION
Download the vzinstall-linux-x86_64.bin utilty from the oficial site.
Make the script executable by # chmod a+x vzinstall-linux-x86_64.bin
Run the script by # ./vzinstall-linux-x86_64.bin

You will get the following wizard :
Either you can download and install or install for future or on any other computer.
The configure options allow you to configure the various parameters that the virtuozzo
containers use during the execution. If you select the option download only, after the download is over, go the download directory (root/virtuzzo/Download ) and copy the content of this directory to the system where you are planning to install virtuzzo and execute the following script:

# ./virtuozzo-4.7.0-<build_version>-x86_64.sfx

If you select the option download and install you can either do it in 3 ways:
Default: Select this radio button to download and install the Parallels Virtuozzo Containers program files and one OS template—CentOS 5 (you will need this OS template to create Containers on its basis).

Full: Select this radio button to download all available OS templates to the server and install them there.

Custom: Select this radio button to customize the set of OS templates to download to and install on the server. In this case, once you click the Next button, you will see the Select Templates window where you can choose the necessary OS templates for downloading

In the next step of wizard, click download to start download paralells virtuzzo containers and selected templates to the server.

In the next step you would be asked for the license key.

Install a valid Parallels license by entering the license key number in the field provided and clicking Next. If you plan to activate Parallels Virtuozzo Containers with an activation code,make sure that your server is connected to the Internet

Finally, the installation program displays the Congratulations window.

Leave the Install PVA Agent and Install PVA Management Node check boxes selected to set up the Parallels Virtual Automation application and its components on the server once you restart it. With Parallels Virtual Automation, you can connect to the server and manage Containers using your favorite browser. If you select both check boxes, the installer does the following after restarting the server:

1. Downloads the installation packages for Parallels Virtual Automation from the Parallels website.

2. Install the PVA Agent component on the server. PVA Agent ensures the interaction between your server, the Management Node (see below), and Parallels Virtual Automation. Without this component installed, you will not be able to connect to your server using Parallels Virtual Automation.

3. Creates a special Container on the server and installs the PVA Management Node
component inside it. PVA Management Node (also called Master Server) ensures the
communication between the server running Parallels Virtuozzo Containers (known as Slave
Server) and the Parallels Virtual Automation application. The Master Server keeps a
database with the information about all registered Slave Servers.

If you have already set up a Master Server, you can skip this step (clear Install PVA Management Node check box).

After this step you will be asked for the IP address and hostname and DNS of the container which

will act as the PVA management node.

To log in to Parallels Virtual Automation, launch a Web browser compatible with PVA

The list of currently supported Web browsers is given below:

• Internet Explorer 6.0 and above
• Firefox 2.x and above
• Safari 3.x and above

On the Master Server or any other computer, open your favorite Web browser and log in to Parallels Virtual Automation by typing the Master Server IP address or hostname and TCP port 4648 in the address bar.

http://ipaddressofpvm:4648
Login using the username and password of the container which acts as the PVM

Manually setting up PVA and management node
Create the container : vzctl create CTID –ostemplate centos-6-x86_64 –hostname “hostname”
Set the ip address and nameserver for the created container which will act as the MN

# vzctl start CTID
# vzpkg install CTID -p perl-DBI

Download PVA Management Node installer

# wget http://download.pa.parallels.com/pva/pv ... loy.x86_64
# chmod a+x pva-setup-deploy.x86_64
# ./pva-setup-deploy.x86_64 -d /vz/root/CTID/root/ --extract
# vzctl enter CTID
# cd /root
# ./pva-setup --install

.htaccess files – Basics

A small note on .htaccess file.

What is .htaccess?

.htaccess is a configuration file for use on web servers running the Apache Web Server. When an .htaccess file is placed in a directory it is detected by the web server and gets exectued.These .htaccess files are used to alter the configuration of the Apache Web Server to enable/disable additional functionality and features that the Apache Web Server software has to offer.

A sample .htaccess file :

AuthName "security check"
AuthUserFile /path/to/password/file/.htpasswd
AuthType Basic
require valid-user
ErrorDocument 401 /error_pages/401.html

As per the above .htaccess file, it enables password protection on the directory; it offers redirection to a custom error page if a user fails to login correctly.

This is just a basic example.

.htaccess files are very powerful and they can be extremely fine tuned to meet your needs.

An alias to a subdomain ? — Plesk

Need a domain alias for a sub-domain?
Plesk had a direct option to do this from the front end, which was
taken out in newer versions of Plesk.

You can configure a .com alias to a subdomain by :
create a file in the subdomains conf directly like this:
# vi /var/www/vhost/yoursite.com/subdomains/foo/conf/vhost.conf

contents:
ServerAlias "newaliasname.com"
ServerAlias "www.newaliasname.com"

then rebuild apache config like:
# /opt/psa/admin/sbin/httpdmng --reconfigure-all

Named service failing in Plesk ?

Issue with named service :

When trying to restart named, you get an error stating some parameter is not given correctly in a zone file.

It would be a reverse PTR zone file with name something like this:
x.x.x.in-addr.arpa

Open the zone file using vim ,

# vim /var/named/run-root/var/72.200.xx.in-addr.arpa.db

When you check the file you can see a mis-configuration in a particular line
when compared with other lines. You can easily spot that with your naked eye.

Edit that misconfigured line (check how other lines are written ) and save it and restart
named service.

This is a bug which is seen in some older versions of Plesk.

Install SSL for a domain in Plesk

Note that for installing SSL certificate, the domain should be assigned a dedicated IP address.

Both setting up IP address and installing SSL certificate can be done from the Plesk panel. Steps to install certificate is as given:

– Log in to Parallels Plesk Panel.
– From the menu on the left, select Domains.
– Click on the domain name that the certificate is issued for.
– Click SSL Certificates.
– Click Browse and locate your signed SSL certificate.
– Select it, then select Send File. This uploads and installs the certificate against the corresponding private key.
– Click the name of the certificate.
– Open the certificate bundle in a text editor and copy and paste its contents into the box labeled CA Certificate.
– Click Send Text.

 

Find the source of Spamming – Plesk !!

Check how many messages are in the queue with Qmail

# /var/qmail/bin/qmail-qstat

If mail is being sent by an authorized user but not from the PHP script, you can run the command below to find the user that has sent the most messages :

// Note that you must have the ‘SMTP authorization’ activated on the server to see these records //

# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I user |awk ‘{print $11}’ |sort |uniq -c |sort -n

The next step is to use “qmail-qread,” which can be used to read the message headers:

# /var/qmail/bin/qmail-qread

This shows the senders and recipients of messages. If the message contains too many recipients, probably this is spam. Now try to find this message in the queue by its ID
# find /var/qmail/queue/mess/ -name 2996948 ( <- Message ID )

Examine the message and find the line “Received” to find out from where it was sent for the first time. For example, if you find:

Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700

It means that this message was sent via a CGI by user with UID 10003. Using this UID, it is possible to find the domain:

# grep 10003 /etc/passwd

Now, to determine from what folder the PHP script that sends mail was run :

Create a /var/qmail/bin/sendmail-wrapper script with the following content:

#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"

Create a log file /var/tmp/mail.send and grant it “a+rw” rights; make the wrapper executable; rename old sendmail; and link it to the new wrapper:
~# touch /var/tmp/mail.send
~# chmod a+rw /var/tmp/mail.send
~# chmod a+x /var/qmail/bin/sendmail-wrapper
~# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
~# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

Now wait for some time for logs to be generated, then :

~# rm -f /var/qmail/bin/sendmail
~# mv /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Examine the /var/tmp/mail.send file. There should be lines starting with “X-Additional-Header:” pointing to domain folders where the scripts                                      which sent the mail are located.

You can see all the folders from where mail PHP scripts were run with the following command:

~# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

# Another case of spamming

When checking the qmail maillogs (usr/local/psa/var/log/maillog) if we find something
similar to this :

Oct 8 00:17:00 xxxx smtp_auth: SMTP connect from (null)@(null) [xx.xx.xx.xx]
Oct 8 00:17:00 xxxx smtp_auth: smtp_auth: SMTP user xxxxx: logged in from (null)@(null) [xx.xx.xx.xx]

We can confirm that  spamming is being done by brute forcing Plesk
email passwords and then authenticating using base 64 encoding on the username.

The built in qmail logging cannot handle this encoding and as a result the logs will just show (null) instead of the username used.

From parallels forums :
http://forum.parallels.com/showthread.p ... il-logging
http://forum.parallels.com/pda/index.php/t-82043.html

The only solution would be to upgrade Plesk to a more stable version.

 

Configure log rotation in Plesk

Configuration of Log rotation of Plesk system logs >> /etc/psa/logrotate.conf 

Configuration of Log rotation of Domain logs >> /usr/local/psa/etc/logrotate.d/

You can also configure in the front end :

Select domains>>select the option “open in control panel” for any particular domain.
Look for the option advanced options towards the end and select log rotation.

Welcome to Plesk – The basics

Login to the Plesk control panel :
➡ http(s)://IP : port 8442 or 8443

Create domain from
➡ hosting services>>customers>>add new customers

Login to end user side of plesk
➡ hosting services>>domains>>click open in control panel

To create mail accounts
➡ mail>>create email address

To create ftp accounts
➡ websites and domains>>ftp access>>create additional ftp account

To upload file
➡ websites and domains>>file manager

To check the dns records
➡ websites and domains>>dns settings

To add subdomain, add-on-domain and parked domains
➡ websites & domains –> bottom you have options for adding new domain (you need to be reseller)
➡ add a new subdomain
➡ add a new domain alias which is same as parked domain
➡ In order to give addon domain give as new domain alias and create a vhost entry for it

To create mysql user and other database related stuffs
➡ websites & domain>>databases>>add new database
➡ once the db has been created the user can be created
➡ click on the db>>add new database user
➡ db can be managed by the web interface “webadmin” from tools which is similar to phpmyadmin in cpanel
to grant all privilages, select the user and set it default for the db

To add spf
➡ website & domain>>dns settings>>add record>> and record type as txt
now add txt record and update the setting

To set cronjob
➡ websites & domains>>show advanced operations>>scheduled tasks

Forwarding and spam filter
➡ mail>>either create or modify new email address
in that u see two tabs as “forwarding” and “spam filter”

To change the password
➡ users>>click on the users and change settings

To take backup
➡ websites & domains>>backup manager

Backend files

➡ Plesk root directory : /usr/local/psa
➡ Version : /usr/local/psa/version
➡ Admin password is stored : /etc/psa/.psa.shadow
➡ Plesk configuration file : /etc/psa/psa.conf
➡ Restart Plesk : /etc/rc.d/init.d/plesk restart
➡ Main httpd configuration file : /etc/httpd/conf/httpd.conf
➡ Plesk httpd : /etc/httpd/conf.d/zz010_psa_httpd.conf
➡ Include conf files are under : /etc/httpd/conf.d
➡ Startup script for plesk apache : /usr/local/psa/admin/bin/httpsdctl start
➡ Apache main log files under : /var/log/httpd
➡ Php configuration file : /etc/php.ini
➡ Php extension modules are taken from : /etc/php.d
➡ Named Conf file located : /var/named/run-root/etc/named.conf
➡ DB record : /var/named/run-root/var/domain.com
➡ Log file : /var/log/messages
➡ Service to restart : /etc/init.d/named restart
➡ FTP Conf file : /etc/proftpd.conf
➡ Databases are located at : /var/lib/mysql
➡ Configuration file : /etc/my.cnf
➡ Mysql log : /var/log/mysqld.log
➡ Location of qmail directory : /var/qmail
➡ Mail directory of a domain : /var/qmail/mailnames/domain.com
➡ Mail log : /var/log/maillog or /usr/local/psa/var/log/maillog
➡ Home directory : /var/www/vhosts/domain.com
➡ Document root directory of a domain : /var/www/vhosts/domain.com/httpdocs
➡ Document root directory of secure website : /var/www/vhosts/domain.com/httpdsdocs
➡ Subdomains are created under : /var/www/vhosts/domain.com/subdomains
➡ Domain specific logs are under : /var/www/vhosts/domain.com/statistics/logs

Protect your server from DDoS attacks – Part 1 !!

What is a DDoS attack ?

DDoS, short for Distributed Denial of Service, is a type of DOS attack where multiple compromised systems — which are usually infected with a Trojan (70% of the time)– are used to target a single system causing a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack.

In a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address.

Honestly, it would be so difficult to protect against a DDoS attack. But we can follow some steps to make our servers more watchful against them.

=====================================

CSF ( WHM default firewall ) can be fine tuned as follows :

ConfigServer Security & Firewall from WHM >> Firewall Configuration

Connection Tracking : This option enables tracking of all connections from IP
addresses to the server. If the total number of connections is greater than
this value then the offending IP address is blocked. This can be used to help
prevent some types of DOS attack.

Care should be taken with this option. It’s entirely possible that you will
see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
and HTTP so it could be quite easy to trigger, especially with a lot of
closed connections in TIME_WAIT. However, for a server that is prone to DOS
attacks this may be very useful. A reasonable setting for this option might
be around 300.

=====================================
If you see your server is a bit on the slower side, check the number of connections to it using the following command.

# netstat -anp |grep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

As a preliminary step, block the IPs which doesn look valid and are offending ones using csf commands.

Another option is to go for the the MOD_EVASIVE module in the httpd configuration.

Mod_evasive is an evasive maneuvers module for Apache to provide evasive
action in the event of an HTTP DoS or DDoS attack or brute force attack.
It is also designed to be a detection tool and can be easily configured to talk
to ipchains, firewalls.

Mod_evasive have got many many options to gun down our requirements to handle the
IPs connecting to our server.

Steps to install mod_evasive is given below :

# cd /usr/local/src/

# wget http://www.zdziarski.com/blog/ wpcontent/uploads/2010/02/mod_evasive_1.10.1.tar.gz

# tar -xvzf mod_evasive_1.10.1.tar.gz

# cd mod_evasive/

# /usr/local/apache/bin/apxs -cia mod_evasive20.c

Now create a file named /usr/local/apache/conf/mod_evasive.conf and add your custom settings.

For eg :

# cat /usr/local/apache/conf/mod_evasive.conf

LoadModule evasive20_module modules/mod_evasive20.so
<IfModule mod_evasive20.c>

DOSHashTableSize 3097

((The hash table size defines the number of top-level nodes for each child’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. You should increase this if you have a busy web server. The value you specify will automatically be tiered up to the next prime number in the primes list))

DOSPageCount 2

((This is the threshhold for the number of requests for the same page (or URI) per page interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list))

DOSSiteCount 50

((This is the threshhold for the total number of requests for any object by the same client on the same listener per site interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list))

DOSPageInterval 1

((The interval for the page count threshhold; defaults to 1 second intervals))

DOSSiteInterval 1

((The interval for the site count threshhold; defaults to 1 second intervals))

DOSBlockingPeriod 10

((The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset))

</IfModule>

Now include the above file inside /usr/local/apache/conf/includes/pre_main_global.conf

Include “/usr/local/apache/conf/mod_evasive.conf

Now rebuild httpd.conf
# /scripts/rebuildhttpdconf

Now restart apache
# /scripts/restartsrv httpd

Steps in hardening your mail service :

Some of the things which can be done from WHM to harden your mail service :

=========================
From WHM Main >> Server Configuration >> Tweak Settings:
* POP3 connection limit option prevents lots of POP3 connections.
* POP3 flood prevention option.
* Prevent “nobody” from sending mail : This will ensure that PHP
scripts user the ownership of user “nobody” will not be able send any mails.
* In service manager you can find the option “antirelay” . Turn
this off so that each time POP3 connects authentication would be required.

=========================

Try to use Secure protocols and related ports

POP3S 995
IMAPS 993
SMTPS 465

These are just basics in hardening the mail system. More ones to follow……

404 Not found error along with the original 404 error_document ?

Issue is, do you get an additional 404 Not Found error when trying to access a non-existent file which should actually be redirected to an ErrorDocument.

For eg, when I try to access the following (noactualfile) :
Not Found

The requested URL /~joelta/noactualfile was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

How to remove the above error log for the error document ?

Fix : Use the following lines in the .htaccess of the domains in question

=============

ErrorDocument 400 default
ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 410 default
ErrorDocument 500 default

=============

 

Not able to unpark a domain from WHM ?

Issue : A domain created as parked from cPanel can be deleted from cPanel, but fails to be unparked from WHM, with the following error message shown :

“The system cannot determine the base domain site cpanel”

Reason : On checking, we can see that the parked domain does not have any entry in DNS records nor in httpd config

Solution : # /scripts/upcp –force , it would update and fix any issue at cpanel for which DNS is found missing for park domains

Receving email to upgrade WP-scripts ?

An email notifying to update WP-scripts is shown to be directed to the server contact email id.

It would look like this :
Subject: Software Security Notice – Script Installs need upgrading

In order to protect the security of your users’ website, we recommend that you upgrade the following scripts that were installed via the “Scripts Library” in your cPanel interface:

Issue: If the user removed the script by deleting the directory
it was installed into, he probably did not remove the database.

Fix :
# ls /home/*/.cpaddon
# ls /home/*/.cpaddons
# ls -al /home/xxx/.cpaddons
# ls -al /home/xxx/.cpaddons -h
# cat /home/xxx/.cpaddons/cPanel::Blogs::WordPress.0.yaml ((whichever script is mentioned))
# rm -rf /home/xxx/.cpaddons/cPanel::Blogs::WordPress.0.yaml