You're looking to change a client's domain name? Just click on their username, click the domain name, go to Domain Administrator, change the field at the top, and click ok. :) I hope that is what you were looking for.
Dec 29, 2009
Install Shockvoice with Mono
Get the latest version of Mono from here:
Download todays latest from:
shell> tar xjf libgdiplus-2.6.tar.bz2
shell> cd libgdiplus-2.6
shell> ./configure
shell> make
shell> make install
shell> tar xjf mono-2.6.1.tar.bz2
shell> cd mono-2.6.1
see the README for more compiling informations
shell> ./configure --prefix=/opt/mono
shell> make
shell> make install
Download the latest version from the Shockvoice downloadserver:
http://www.shockvoice.net/page/getsv
Create the directory where you want to install Shockvoice.
shell> mkdir -p /usr/share/shockvoice
Unpack the package into the newly created directory:
shell> tar -C /usr/share/shockvoice -xvzf svserver-0.9.0beta-linux-community.tar.gz
Create the database:
shell> mysqladmin -uroot -p create shockvoice
Now import the tables to the database.
shell> mysql -uroot -p shockvoice < /usr/share/shockvoice/shockvoice.mysql.sql Now we need to create a database user (we will name him svuser) and grant him permissions to use the Shockvoice database. shell> mysql -uroot -p Enter Password:
mysql> GRANT USAGE ON shockvoice.* TO svuser@localhost IDENTIFIED BY '';
mysql> GRANT ALL ON shockvoice.* TO svuser@localhost IDENTIFIED BY "";
mysql> FLUSH PRIVILEGES;
Change to the directory and start the install.sh script.
shell> cd /usr/share/shockvoice && ./install.sh
Installation script will ask you few questions.
You have done
http://www.go-mono.com/mono-downloads/download.html
Download todays latest from:
wget http://ftp.novell.com/pub/mono/sources/libgdiplus/libgdiplus-2.6.tar.bz2
http://ftp.novell.com/pub/mono/sources/mono/mono-2.6.1.tar.bz2
shell> tar xjf libgdiplus-2.6.tar.bz2
shell> cd libgdiplus-2.6
shell> ./configure
shell> make
shell> make install
shell> tar xjf mono-2.6.1.tar.bz2
shell> cd mono-2.6.1
see the README for more compiling informations
shell> ./configure --prefix=/opt/mono
shell> make
shell> make install
Download the latest version from the Shockvoice downloadserver:
http://www.shockvoice.net/page/getsv
Create the directory where you want to install Shockvoice.
shell> mkdir -p /usr/share/shockvoice
Unpack the package into the newly created directory:
shell> tar -C /usr/share/shockvoice -xvzf svserver-0.9.0beta-linux-community.tar.gz
Create the database:
shell> mysqladmin -uroot -p create shockvoice
Now import the tables to the database.
shell> mysql -uroot -p shockvoice < /usr/share/shockvoice/shockvoice.mysql.sql Now we need to create a database user (we will name him svuser) and grant him permissions to use the Shockvoice database. shell> mysql -uroot -p Enter Password:
mysql> GRANT USAGE ON shockvoice.* TO svuser@localhost IDENTIFIED BY '
mysql> GRANT ALL ON shockvoice.* TO svuser@localhost IDENTIFIED BY "
mysql> FLUSH PRIVILEGES;
Change to the directory and start the install.sh script.
shell> cd /usr/share/shockvoice && ./install.sh
Installation script will ask you few questions.
You have done
Install Asterisk/FreePBX on an OpenVZ/Virtuozzo Virtual Private Server (VPS)
Once the OpenVZ/Virtuozzo container is created install the CentOS 5-x86_64 template into the container. Log into the VPS as root with an SSH client such as PuTTy. Another handy tool is WinSCP for browsing directories and editing files in a more intuitive Graphical environment.
If using 64bit get rid of all 32bit packages in the 64bit VPS. They are not necessary and may cause hard to find conflicts.
yum remove *.i?86
Clean out yum to ensure all cached packages and mirrored server references are removed.
yum clean all
Get rid of all installed groups except 'Yum Utilities' so we are starting with a clean slate. Check the delete list before entering 'y' to make sure none of these remove 'sshd' or 'yum' (they don't but check just in case things change with newer revisions).
yum grouplist installed
Installed Groups:
DNS Name Server
Editors
Legacy Network Server
Mail Server
Network Servers
System Tools
Text-based Internet
Web Server
Windows File Server
Yum Utilities
yum groupremove 'DNS Name Server'
yum groupremove 'Editors'
yum groupremove 'Legacy Network Server'
yum groupremove 'Mail Server'
yum groupremove 'Network Servers'
yum groupremove 'System Tools'
yum groupremove 'Text-based Internet'
yum groupremove 'Web Server'
yum groupremove 'Windows File Server'
If installing 64bit VPS edit yum.conf to prevent 32bit packages from being installed. If that happens it may have unintended consequences.
yum install -y nano
nano /etc/yum.conf
Add the following line.
exclude=*.i?86
(Ctrl-x> y >Enter)
Now update the base install
yum -y update
Install Asterisk/FreePBX required packages, other useful packages, and their dependencies
yum groupinstall core
yum groupinstall base
yum install gcc gcc-c++ wget bison mysql-devel mysql-server php php-mysql php-pear php-pear-DB php-mbstring nano tftp-server httpd make ncurses-devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel php-gd audiofile-devel gtk2-devel
Get rid of some unnecessary packages. I have no doubt there are many other packages that could be added to this list. These are the ones I found that are resident in memory by default. Since memory is at a premium on a VPS, removing these will help reduce the memory footprint.
yum remove yum-updatesd cups cups-lpd redhat-lsb autofs pcsc-lite smartmontools cpuspeed avahi
To prevent common udev problems in OpenVZ VPS do the following
nano +346 /etc/rc.d/rc.sysinit
Search for the following line and comment (#) it out and add the 2 lines immediately after
#/sbin/start_udev
/sbin/MAKEDEV tty
/sbin/MAKEDEV pty
(Ctrl-x> y >Enter)
Selinux is not compatible with OpenVZ. Create the following file and copy paste the contents indicated here just to be sure selinux never runs.
nano /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
(Ctrl-x> y >Enter)
Make sure selinux is turned off for this session
setenforce 0
Enable the tftp server on startup if required (for configuring phones on LAN or VPN)
nano /etc/xinetd.d/tftp
change “disable=yes” to “disable=no”
(Ctrl-X>y>ENTER)
Download and untar source files. Since this is a shared kernel environment we cannot make use of zaptel/dahdi hardware in the physical server and cannot install the zaptel/dahdi kernel module inside the virtual servers. The zaptel/dahdi kernel module must be installed on the host server kernel with some special configurations and sharing of files for each virtual server. This is only required for enabling meetme conferencing during Asterisk installation as of Asterisk 1.6.1 and will not be required at all eventually. This is all beyond the scope of this document. If you require meetme conferencing and have access to the host operating system you can complete this procedure in the VPS first and then return after zaptel/dahdi is installed on the host system and re-compile Asterisk with meetme conferencing enabled.
Install lame mp3 encoder (not recommended) if you plan to make use of mp3's for MOH. This is now a legacy feature as the default behaviour of Asterisk/Freepbx is to NOT use mp3's for anything. Freepbx by default now automatically converts uploaded mp3's to wav.
rpm -ivh http://apt.sw.be/redhat/el5/en/x86_64/RPMS.dag/lame-3.98.2-1.el5.rf.x86_64.rpm
Get FreePBX. Check if this is the latest released version.
cd /usr/src
wget http://mirror.freepbx.org/freepbx-2.6.0RC2.tar.gz
tar zxvf freepbx-2.6.0RC2.tar.gz
Get Asterisk and addons. Check if this is the latest released version of Asterisk and Asterisk addons
wget http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-1.6.0.17.tar.gz
tar zxvf asterisk-1.6.0.17.tar.gz
wget http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-addons-1.6.0.3.tar.gz
tar zxvf asterisk-addons-1.6.0.3.tar.gz
Configure and compile Asterisk
cd /usr/src/asterisk-1.6.0.17
make clean
./configure; make menuselect
select the core sounds you want. Same with addon sounds. I suggest ulaw as they sound better than gsm.
At menu press "x" to save
make
make install
Do NOT run "make samples". I have found it causes problems down the line with FreePBX. Not insurmountable but just more things to have to deal with that you probably don't want to.
Create users and set permissions
useradd -c "Asterisk PBX" -d /var/lib/asterisk asterisk
mkdir /var/run/asterisk
chown -R asterisk /var/run/asterisk
chown -R asterisk /var/log/asterisk
chown -R asterisk /var/lib/asterisk/moh
chown -R asterisk /var/lib/php/session
Music on Hold
Since the Asterisk default moh directory (/moh) and the Freepbx default moh directory (/mohmp3) are different we need to create a symbolic link so moh files are where FreePBX expect them to be.
ln -s /var/lib/asterisk/moh /var/lib/asterisk/mohmp3
The new default behaviour for Asterisk and Freepbx is to only use wav files for moh due to transcoding overhead and Asterisk stability issues with mp3's. So we want to install mpg123 for converting uploaded mp3's to wav automagically. If you won't be uploading or streaming mp3's or won't be using FreePBX (new) default behaviour then you probably don't need to install mpg123.
cd /usr/src
wget http://sourceforge.net/projects/mpg123/files/mpg123/1.9.1/mpg123-1.9.1.tar.bz2/download
tar -xjvf mpg123-1.9.1.tar.bz2
cd mpg123-1.9.1
make clean
./configure
make
make install
Freepbx php script cannot find mpg123 by default so we need to create a symbolic link.
ln -s /usr/local/bin/mpg123 /usr/bin/mpg123
Change User apache and Group apache to User asterisk and Group asterisk.
sed -i "s/User apache/User asterisk/" /etc/httpd/conf/httpd.conf
sed -i "s/Group apache/Group asterisk/" /etc/httpd/conf/httpd.conf
You can choose to change the default AllowOverride All to AllowOverride None to prevent .htaccess permission problems which can be frustrating to troubleshoot.
sed -i "s/AllowOverride All/AllowOverride None/" /etc/httpd/conf/httpd.conf
Before you can do anything to MySQL, you need to make sure it's running:
/etc/init.d/mysqld start
Initializing MySQL database: [ OK ]
Starting MySQL: [ OK ]
Now, to configure the databases for freePBX:
Note: If mysql admin password is already configured, add "-p" after the command and enter password when asked. For example, "mysqladmin -p create asterisk"
cd /usr/src/freepbx-2.6.0RC2
mysqladmin create asterisk
mysqladmin create asteriskcdrdb
mysql asterisk < SQL/newinstall.sql mysql asteriskcdrdb < SQL/cdr_mysql_table.sql They also need to be secured. FreePBX will prompt you for a database username/password when you do the install. You need to pick that now. We'll assume that you've picked 'asteriskuser' and 'amp109' - you probably shouldn't use these, as they are well known passwords for Freepbx. MySQL only listens to localhost by default so I would not get too paranoid about using these defaults. mysql Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 8 to server version: 4.1.16 Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@localhost IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@localhost IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> \q
Bye
Now, after all of this, you need to pick a root 'mysql' password. We'll make it 'abcdef' just for this example. You should use a reasonably strong password. If you need to do anything else with mysql, you'll need to provide this password.
mysqladmin -u root password 'abcdef'
Build the cdr_mysql module for Asterisk
cd /usr/src/asterisk-addons-1.6.0.3
make clean
./configure; make menuselect
You can check options but should leave all at default selections. At menu press "x"
make; make install
edit /usr/sbin/safe_asterisk and comment out TTY=9 to prevent errors in OpenVZ VPS
nano +5 /usr/sbin/safe_asterisk
#TTY=9
Prioritize Asterisk Process
Increase Asterisk process priority. You can experiment with different values and see what works best. I wouldn't go too high as it could cause other problems. From the command 'top' the PR column shows absolute priority and NI column is the relative number we add here. Default is 0 which gives Asterisk about the same default priority as httpd and mysql. 5-10 should give top priority without crippling critical background tasks. I believe you can go as high as 20. This is only a prioritization recommendation setting. The process scheduler still has ultimate authority so actual priority will vary from system to system depending on what else is installed.
nano +22 /usr/sbin/safe_asterisk
PRIORITY=10
(Ctl-x > y >ENTER)
Install FreePBX
/usr/sbin/safe_asterisk
If you didn't 'run make samples' when you installed asterisk you will probably get some warning messages saying no modules will be loaded. Just ignore and press 'ENTER' to get a command prompt.
cd /usr/src/freepbx-2.6.0RC2
./install_amp
If you get any warnings or errors in the last part of the output, they're usually not traumatic.
Leave AMPWEBADDRESS=xx.xx.xx.xx blank
nano /etc/amportal.conf
AMPWEBADDRESS=
To enable password protection of the Web GUI set:
AUTHTYPE=database
Default username is: admin
Default pw is: admin
Edit /etc/asterisk/cdr_mysql.conf and add 'loguniqueid=yes' to the global section
nano /etc/asterisk/cdr_mysql.conf
loguniqueid=yes
set FreePBX to start on boot
echo /usr/local/sbin/amportal start >> /etc/rc.local
Enable Apache and mysql to start on boot
chkconfig httpd on
chkconfig mysqld on
Now reboot at which point you should be able to access freePBX with your web browser. The very first thing you need to do when you enter the FreePBX Admin GUI for the first time is "Apply Configuration Changes" so all the *.conf files are created then reboot again or 'amportal restart' from command prompt.
To change the password for administrator "recordings" GUI (access to extension voicemail, call monitoring, recording etc.)
nano +73 /var/www/html/recordings/includes/main.conf.php
$ARI_ADMIN_PASSWORD ="password"
change the “max filesize” from 2M to 20M to allow larger music on hold files
nano +582 /etc/php.ini
Edit Apache web server for GUI access using a port other than 80 (optional):
nano /etc/httpd/conf/httpd.conf
change "Listen 80" to "Listen 8888" or whatever port you want
/etc/rc.d/init.d/httpd restart
Instead of accessing FreePBX by http://xxx.xxx.xxx.xxx
You now access it by http://xxx.xxx.xxx.xxx:8888
setup external sip extensions if going through NAT
nano /etc/asterisk/sip_nat.conf
nat=yes
externip= or
;externhost=yourdns.com
localnet=192.168.1.0/255.255.255.0
externrefresh=10
(Ctrl-X>y>ENTER)
Also, when adding the external SIP extension in FreePBX, make sure to change the nat=never default in the configuration to nat=yes for the extension that will be external.
logger.conf setup
By default, Asterisk/Freepbx installs with full (debug and verbose) logging enabled. This generates a significant amount of extra write activity to the hard drives and creates a very large "var/log/asterisk/full" log file in a short amount of time. After the initial settling in period when debug logging is no longer required it is a good idea to disable this to reduce the stress on the drives and extend their life.
nano /etc/asterisk/logger.conf
change
full => notice,warning,error,debug,verbose
to
full => notice,warning,error,verbose
you will need to restart Asterisk or type LOGGER ROTATE at the CLI to get this change to take effect (reload doesn't do it apparently).
logrotate setup
Set up configuration to rotate log files otherwise they get too big after a short while. Create the following file.
nano /etc/logrotate.d/asterisk
Now add the following to make sure the asterisk log files are rotated weekly along with all the other log files.
/var/log/asterisk/messages /var/log/asterisk/*log /var/log/asterisk/full {
missingok
notifempty
sharedscripts
create 0640 asterisk asterisk
postrotate
/usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
endscript
}
Sendmail configuration
Edit /etc/aliases file and add a “root: username_to_forward_to” to forward all ‘root’ messages to your personal email address. Put in the full email address if it is not on the asterisk system itself.
Then run
/usr/bin/newaliases
to restart the service.
If emails are not received you must set up masquerading in sendmail. These still may be rejected if the email server requires the source of the email to also resolve to the same DNS that sendmail is masquerading as.
To enable this, add the following lines to the /etc/mail/sendmail.mc file:
MASQUERADE_AS(domain.com)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(domain.com)dnl
Put a “dnl” in front of the line ”EXPOSED_USER (`root’) dnl”. This enables host masquerading for root as well which is disabled by default.
Update the Sendmail configuration files using the m4 macro processor to generate a new sendmail.cf file by executing the following command:
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
To get the Sendmail macro file, the sendmail-cf package must be installed on the system.
After creating a new /etc/mail/sendmail.cf file, restart Sendmail for the changes to take effect. To do this, use the following command:
# service sendmail restart
nano /etc/asterisk/vm_general.inc
change serveremail=vm@asterisk to whom ever you want it to appear voicemail emails are coming from.
NOTE: If you are installing on a LAN or do not have a domain resolving to the IP of the VPS, Sendmail will hang for a couple minutes everytime you reboot. To prevent this your VPS hostname should end with .local or .localhost. So, for example, instead of naming the VPS hostname 'powerpbx' it should be named 'powerpbx.local'. The manual method is to edit your /etc/hosts file. There should be 2 lines.
127.0.0.1 localhost.localdomain localhost
yourIPaddress yourhostname.local yourhostname yourhostname
MySQL performance tuning for low memory
This will reduce memory usage significantly without affecting performance.
nano /etc/my.cnf
[mysqld]
.
.
.
skip-innodb
skip-bdb
(Ctl-x > y > ENTER)
From command prompt:
service mysqld restart
Bit of housekeeping
Asterisk installs *.sln sound files to the moh directory. FreePBX does not see *.sln files (yet) so they will not show up in the FreePBX moh GUI even though they will still play when people are put on hold. It's best to just delete these files to avoid confusion. Also, there is a bug in asterisk 1.6.1.x where MOH tries to play some text files in that directory that are just license information etc.. The result is MOH will intermittently stop working. If you are still running 1.6.1.x delete these text files as well.
rm /var/lib/asterisk/moh/*.sln
If using 64bit get rid of all 32bit packages in the 64bit VPS. They are not necessary and may cause hard to find conflicts.
yum remove *.i?86
Clean out yum to ensure all cached packages and mirrored server references are removed.
yum clean all
Get rid of all installed groups except 'Yum Utilities' so we are starting with a clean slate. Check the delete list before entering 'y' to make sure none of these remove 'sshd' or 'yum' (they don't but check just in case things change with newer revisions).
yum grouplist installed
Installed Groups:
DNS Name Server
Editors
Legacy Network Server
Mail Server
Network Servers
System Tools
Text-based Internet
Web Server
Windows File Server
Yum Utilities
yum groupremove 'DNS Name Server'
yum groupremove 'Editors'
yum groupremove 'Legacy Network Server'
yum groupremove 'Mail Server'
yum groupremove 'Network Servers'
yum groupremove 'System Tools'
yum groupremove 'Text-based Internet'
yum groupremove 'Web Server'
yum groupremove 'Windows File Server'
If installing 64bit VPS edit yum.conf to prevent 32bit packages from being installed. If that happens it may have unintended consequences.
yum install -y nano
nano /etc/yum.conf
Add the following line.
exclude=*.i?86
(Ctrl-x> y >Enter)
Now update the base install
yum -y update
Install Asterisk/FreePBX required packages, other useful packages, and their dependencies
yum groupinstall core
yum groupinstall base
yum install gcc gcc-c++ wget bison mysql-devel mysql-server php php-mysql php-pear php-pear-DB php-mbstring nano tftp-server httpd make ncurses-devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel php-gd audiofile-devel gtk2-devel
Get rid of some unnecessary packages. I have no doubt there are many other packages that could be added to this list. These are the ones I found that are resident in memory by default. Since memory is at a premium on a VPS, removing these will help reduce the memory footprint.
yum remove yum-updatesd cups cups-lpd redhat-lsb autofs pcsc-lite smartmontools cpuspeed avahi
To prevent common udev problems in OpenVZ VPS do the following
nano +346 /etc/rc.d/rc.sysinit
Search for the following line and comment (#) it out and add the 2 lines immediately after
#/sbin/start_udev
/sbin/MAKEDEV tty
/sbin/MAKEDEV pty
(Ctrl-x> y >Enter)
Selinux is not compatible with OpenVZ. Create the following file and copy paste the contents indicated here just to be sure selinux never runs.
nano /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
(Ctrl-x> y >Enter)
Make sure selinux is turned off for this session
setenforce 0
Enable the tftp server on startup if required (for configuring phones on LAN or VPN)
nano /etc/xinetd.d/tftp
change “disable=yes” to “disable=no”
(Ctrl-X>y>ENTER)
Download and untar source files. Since this is a shared kernel environment we cannot make use of zaptel/dahdi hardware in the physical server and cannot install the zaptel/dahdi kernel module inside the virtual servers. The zaptel/dahdi kernel module must be installed on the host server kernel with some special configurations and sharing of files for each virtual server. This is only required for enabling meetme conferencing during Asterisk installation as of Asterisk 1.6.1 and will not be required at all eventually. This is all beyond the scope of this document. If you require meetme conferencing and have access to the host operating system you can complete this procedure in the VPS first and then return after zaptel/dahdi is installed on the host system and re-compile Asterisk with meetme conferencing enabled.
Install lame mp3 encoder (not recommended) if you plan to make use of mp3's for MOH. This is now a legacy feature as the default behaviour of Asterisk/Freepbx is to NOT use mp3's for anything. Freepbx by default now automatically converts uploaded mp3's to wav.
rpm -ivh http://apt.sw.be/redhat/el5/en/x86_64/RPMS.dag/lame-3.98.2-1.el5.rf.x86_64.rpm
Get FreePBX. Check if this is the latest released version.
cd /usr/src
wget http://mirror.freepbx.org/freepbx-2.6.0RC2.tar.gz
tar zxvf freepbx-2.6.0RC2.tar.gz
Get Asterisk and addons. Check if this is the latest released version of Asterisk and Asterisk addons
wget http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-1.6.0.17.tar.gz
tar zxvf asterisk-1.6.0.17.tar.gz
wget http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-addons-1.6.0.3.tar.gz
tar zxvf asterisk-addons-1.6.0.3.tar.gz
Configure and compile Asterisk
cd /usr/src/asterisk-1.6.0.17
make clean
./configure; make menuselect
select the core sounds you want. Same with addon sounds. I suggest ulaw as they sound better than gsm.
At menu press "x" to save
make
make install
Do NOT run "make samples". I have found it causes problems down the line with FreePBX. Not insurmountable but just more things to have to deal with that you probably don't want to.
Create users and set permissions
useradd -c "Asterisk PBX" -d /var/lib/asterisk asterisk
mkdir /var/run/asterisk
chown -R asterisk /var/run/asterisk
chown -R asterisk /var/log/asterisk
chown -R asterisk /var/lib/asterisk/moh
chown -R asterisk /var/lib/php/session
Music on Hold
Since the Asterisk default moh directory (/moh) and the Freepbx default moh directory (/mohmp3) are different we need to create a symbolic link so moh files are where FreePBX expect them to be.
ln -s /var/lib/asterisk/moh /var/lib/asterisk/mohmp3
The new default behaviour for Asterisk and Freepbx is to only use wav files for moh due to transcoding overhead and Asterisk stability issues with mp3's. So we want to install mpg123 for converting uploaded mp3's to wav automagically. If you won't be uploading or streaming mp3's or won't be using FreePBX (new) default behaviour then you probably don't need to install mpg123.
cd /usr/src
wget http://sourceforge.net/projects/mpg123/files/mpg123/1.9.1/mpg123-1.9.1.tar.bz2/download
tar -xjvf mpg123-1.9.1.tar.bz2
cd mpg123-1.9.1
make clean
./configure
make
make install
Freepbx php script cannot find mpg123 by default so we need to create a symbolic link.
ln -s /usr/local/bin/mpg123 /usr/bin/mpg123
Change User apache and Group apache to User asterisk and Group asterisk.
sed -i "s/User apache/User asterisk/" /etc/httpd/conf/httpd.conf
sed -i "s/Group apache/Group asterisk/" /etc/httpd/conf/httpd.conf
You can choose to change the default AllowOverride All to AllowOverride None to prevent .htaccess permission problems which can be frustrating to troubleshoot.
sed -i "s/AllowOverride All/AllowOverride None/" /etc/httpd/conf/httpd.conf
Before you can do anything to MySQL, you need to make sure it's running:
/etc/init.d/mysqld start
Initializing MySQL database: [ OK ]
Starting MySQL: [ OK ]
Now, to configure the databases for freePBX:
Note: If mysql admin password is already configured, add "-p" after the command and enter password when asked. For example, "mysqladmin -p create asterisk"
cd /usr/src/freepbx-2.6.0RC2
mysqladmin create asterisk
mysqladmin create asteriskcdrdb
mysql asterisk < SQL/newinstall.sql mysql asteriskcdrdb < SQL/cdr_mysql_table.sql They also need to be secured. FreePBX will prompt you for a database username/password when you do the install. You need to pick that now. We'll assume that you've picked 'asteriskuser' and 'amp109' - you probably shouldn't use these, as they are well known passwords for Freepbx. MySQL only listens to localhost by default so I would not get too paranoid about using these defaults. mysql Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 8 to server version: 4.1.16 Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@localhost IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@localhost IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> \q
Bye
Now, after all of this, you need to pick a root 'mysql' password. We'll make it 'abcdef' just for this example. You should use a reasonably strong password. If you need to do anything else with mysql, you'll need to provide this password.
mysqladmin -u root password 'abcdef'
Build the cdr_mysql module for Asterisk
cd /usr/src/asterisk-addons-1.6.0.3
make clean
./configure; make menuselect
You can check options but should leave all at default selections. At menu press "x"
make; make install
edit /usr/sbin/safe_asterisk and comment out TTY=9 to prevent errors in OpenVZ VPS
nano +5 /usr/sbin/safe_asterisk
#TTY=9
Prioritize Asterisk Process
Increase Asterisk process priority. You can experiment with different values and see what works best. I wouldn't go too high as it could cause other problems. From the command 'top' the PR column shows absolute priority and NI column is the relative number we add here. Default is 0 which gives Asterisk about the same default priority as httpd and mysql. 5-10 should give top priority without crippling critical background tasks. I believe you can go as high as 20. This is only a prioritization recommendation setting. The process scheduler still has ultimate authority so actual priority will vary from system to system depending on what else is installed.
nano +22 /usr/sbin/safe_asterisk
PRIORITY=10
(Ctl-x > y >ENTER)
Install FreePBX
/usr/sbin/safe_asterisk
If you didn't 'run make samples' when you installed asterisk you will probably get some warning messages saying no modules will be loaded. Just ignore and press 'ENTER' to get a command prompt.
cd /usr/src/freepbx-2.6.0RC2
./install_amp
If you get any warnings or errors in the last part of the output, they're usually not traumatic.
Leave AMPWEBADDRESS=xx.xx.xx.xx blank
nano /etc/amportal.conf
AMPWEBADDRESS=
To enable password protection of the Web GUI set:
AUTHTYPE=database
Default username is: admin
Default pw is: admin
Edit /etc/asterisk/cdr_mysql.conf and add 'loguniqueid=yes' to the global section
nano /etc/asterisk/cdr_mysql.conf
loguniqueid=yes
set FreePBX to start on boot
echo /usr/local/sbin/amportal start >> /etc/rc.local
Enable Apache and mysql to start on boot
chkconfig httpd on
chkconfig mysqld on
Now reboot at which point you should be able to access freePBX with your web browser. The very first thing you need to do when you enter the FreePBX Admin GUI for the first time is "Apply Configuration Changes" so all the *.conf files are created then reboot again or 'amportal restart' from command prompt.
To change the password for administrator "recordings" GUI (access to extension voicemail, call monitoring, recording etc.)
nano +73 /var/www/html/recordings/includes/main.conf.php
$ARI_ADMIN_PASSWORD ="password"
change the “max filesize” from 2M to 20M to allow larger music on hold files
nano +582 /etc/php.ini
Edit Apache web server for GUI access using a port other than 80 (optional):
nano /etc/httpd/conf/httpd.conf
change "Listen 80" to "Listen 8888" or whatever port you want
/etc/rc.d/init.d/httpd restart
Instead of accessing FreePBX by http://xxx.xxx.xxx.xxx
You now access it by http://xxx.xxx.xxx.xxx:8888
setup external sip extensions if going through NAT
nano /etc/asterisk/sip_nat.conf
nat=yes
externip=
;externhost=yourdns.com
localnet=192.168.1.0/255.255.255.0
externrefresh=10
(Ctrl-X>y>ENTER)
Also, when adding the external SIP extension in FreePBX, make sure to change the nat=never default in the configuration to nat=yes for the extension that will be external.
logger.conf setup
By default, Asterisk/Freepbx installs with full (debug and verbose) logging enabled. This generates a significant amount of extra write activity to the hard drives and creates a very large "var/log/asterisk/full" log file in a short amount of time. After the initial settling in period when debug logging is no longer required it is a good idea to disable this to reduce the stress on the drives and extend their life.
nano /etc/asterisk/logger.conf
change
full => notice,warning,error,debug,verbose
to
full => notice,warning,error,verbose
you will need to restart Asterisk or type LOGGER ROTATE at the CLI to get this change to take effect (reload doesn't do it apparently).
logrotate setup
Set up configuration to rotate log files otherwise they get too big after a short while. Create the following file.
nano /etc/logrotate.d/asterisk
Now add the following to make sure the asterisk log files are rotated weekly along with all the other log files.
/var/log/asterisk/messages /var/log/asterisk/*log /var/log/asterisk/full {
missingok
notifempty
sharedscripts
create 0640 asterisk asterisk
postrotate
/usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
endscript
}
Sendmail configuration
Edit /etc/aliases file and add a “root: username_to_forward_to” to forward all ‘root’ messages to your personal email address. Put in the full email address if it is not on the asterisk system itself.
Then run
/usr/bin/newaliases
to restart the service.
If emails are not received you must set up masquerading in sendmail. These still may be rejected if the email server requires the source of the email to also resolve to the same DNS that sendmail is masquerading as.
To enable this, add the following lines to the /etc/mail/sendmail.mc file:
MASQUERADE_AS(domain.com)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(domain.com)dnl
Put a “dnl” in front of the line ”EXPOSED_USER (`root’) dnl”. This enables host masquerading for root as well which is disabled by default.
Update the Sendmail configuration files using the m4 macro processor to generate a new sendmail.cf file by executing the following command:
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
To get the Sendmail macro file, the sendmail-cf package must be installed on the system.
After creating a new /etc/mail/sendmail.cf file, restart Sendmail for the changes to take effect. To do this, use the following command:
# service sendmail restart
nano /etc/asterisk/vm_general.inc
change serveremail=vm@asterisk to whom ever you want it to appear voicemail emails are coming from.
NOTE: If you are installing on a LAN or do not have a domain resolving to the IP of the VPS, Sendmail will hang for a couple minutes everytime you reboot. To prevent this your VPS hostname should end with .local or .localhost. So, for example, instead of naming the VPS hostname 'powerpbx' it should be named 'powerpbx.local'. The manual method is to edit your /etc/hosts file. There should be 2 lines.
127.0.0.1 localhost.localdomain localhost
yourIPaddress yourhostname.local yourhostname yourhostname
MySQL performance tuning for low memory
This will reduce memory usage significantly without affecting performance.
nano /etc/my.cnf
[mysqld]
.
.
.
skip-innodb
skip-bdb
(Ctl-x > y > ENTER)
From command prompt:
service mysqld restart
Bit of housekeeping
Asterisk installs *.sln sound files to the moh directory. FreePBX does not see *.sln files (yet) so they will not show up in the FreePBX moh GUI even though they will still play when people are put on hold. It's best to just delete these files to avoid confusion. Also, there is a bug in asterisk 1.6.1.x where MOH tries to play some text files in that directory that are just license information etc.. The result is MOH will intermittently stop working. If you are still running 1.6.1.x delete these text files as well.
rm /var/lib/asterisk/moh/*.sln
Dec 21, 2009
How to repair corrupt MySQL tables?
1] Check the permission and ownership of database i.e. it should be same below
Code: Select all
drwx-- 2 MySQL Server mysql cpanelusername_dbname.
2] If the permission are corrects but some error occurs then it seems that your database table may be corrupts then there are following way to repair the DB
a) Go to whm >>SQL Services >> Repair a Database >> select database name and click Repair Database.
b) Go to cpanel >> MySQL Server section MySQL Account Maintenance >> search database then click on Repair.
3] You can repair it though shell when mysqld server is running
i) login in MySQL Server to that particular user by using following command
Code: Select all
mysql>mysql -u databaseusername -p databasename
ii) select particular database
Code: Select all
mysql> use databasename;
iii) Check whether database table is corrupted or not if following command output shows null value then it should be corrupts otherwise it is fine
Code: Select all
mysql>show table status like table name \G; Or
mysql>check table tablename ;
iv)If it is corrupts then use the following command to repair that particular database table.
Code: Select all
mysql>repair table tablename;
4] You can repair it though shell when mysqld server is not running
Repairing MyISAM mySQL Tables/Databases:
Code: Select all
# cd /var/lib/mysql/DBNAME
# myisamchk tablename.MYI
Repairing ISAM mySQL Tables/Databases:
Code: Select all
# cd /var/lib/mysql/DBNAME
isamchk tablename.MYI
where
-c -> check database is corrupted or not
-r -> recorver
-o -> optimise the database
Code: Select all
drwx-- 2 MySQL Server mysql cpanelusername_dbname.
2] If the permission are corrects but some error occurs then it seems that your database table may be corrupts then there are following way to repair the DB
a) Go to whm >>SQL Services >> Repair a Database >> select database name and click Repair Database.
b) Go to cpanel >> MySQL Server section MySQL Account Maintenance >> search database then click on Repair.
3] You can repair it though shell when mysqld server is running
i) login in MySQL Server to that particular user by using following command
Code: Select all
mysql>mysql -u databaseusername -p databasename
ii) select particular database
Code: Select all
mysql> use databasename;
iii) Check whether database table is corrupted or not if following command output shows null value then it should be corrupts otherwise it is fine
Code: Select all
mysql>show table status like table name \G; Or
mysql>check table tablename ;
iv)If it is corrupts then use the following command to repair that particular database table.
Code: Select all
mysql>repair table tablename;
4] You can repair it though shell when mysqld server is not running
Repairing MyISAM mySQL Tables/Databases:
Code: Select all
# cd /var/lib/mysql/DBNAME
# myisamchk tablename.MYI
Repairing ISAM mySQL Tables/Databases:
Code: Select all
# cd /var/lib/mysql/DBNAME
isamchk tablename.MYI
where
-c -> check database is corrupted or not
-r -> recorver
-o -> optimise the database
Dec 16, 2009
Installing Ubersmith on cPanel server
This document will guide you through the process of installing
Ubersmith on a server running cPanel.
Ensure that the required PHP4 modules are installed:
* php4-mysql
* php4-gd
* php4-curl
* php4-mcrypt
You may need to recompile Apache and PHP with the required modules.
Optionally install htmldoc, html2text, unrtf and catdoc
htmldoc is required to generate PDF invoices
html2text, unrtf and catdoc are required to extract text from incoming
tickets/attachments
Download the latest ubersmith tarball and extract it, then copy the
contents of the www directory to your web root, eg.
cd ~
wget http://download.ubersmith.com/ubersmith.tar.gz
tar zxvfp ubersmith.tar.gz
cd ubersmith/www
cp -a * .htaccess ~/yourdomain.com/public_html
Please ensure that the .htaccess file is copied correctly from the www
directory to your apache web root.
Copy the config.ini.php and token.xml.php files to the directory above
your web root and allow ubersmith to modify them, eg.
cd ..
cp token.xml.php config.ini.php ~/yourdomain.com
cd ~/yourdomain.com
chgrp nobody token.xml.php config.ini.php
Open http://yourdomain.com/ in your web browser, and you will be see
the Ubersmith setup wizard. Follow the directions in the wizard to
configure your Ubersmith instance.
Once finished, you must remove the setup directory before ubersmith
will run, eg.
rm -r ~/yourdomain.com/public_html/setup
Ubersmith on a server running cPanel.
Ensure that the required PHP4 modules are installed:
* php4-mysql
* php4-gd
* php4-curl
* php4-mcrypt
You may need to recompile Apache and PHP with the required modules.
Optionally install htmldoc, html2text, unrtf and catdoc
htmldoc is required to generate PDF invoices
html2text, unrtf and catdoc are required to extract text from incoming
tickets/attachments
Download the latest ubersmith tarball and extract it, then copy the
contents of the www directory to your web root, eg.
cd ~
wget http://download.ubersmith.com/ubersmith.tar.gz
tar zxvfp ubersmith.tar.gz
cd ubersmith/www
cp -a * .htaccess ~/yourdomain.com/public_html
Please ensure that the .htaccess file is copied correctly from the www
directory to your apache web root.
Copy the config.ini.php and token.xml.php files to the directory above
your web root and allow ubersmith to modify them, eg.
cd ..
cp token.xml.php config.ini.php ~/yourdomain.com
cd ~/yourdomain.com
chgrp nobody token.xml.php config.ini.php
Open http://yourdomain.com/ in your web browser, and you will be see
the Ubersmith setup wizard. Follow the directions in the wizard to
configure your Ubersmith instance.
Once finished, you must remove the setup directory before ubersmith
will run, eg.
rm -r ~/yourdomain.com/public_html/setup
Dec 15, 2009
Directory structure of Cpanel
Directory Structure of Cpanel
=======================
Apache
=======
/usr/local/apache
+ bin- apache binaries are stored here – httpd, apachectl, apxs
+ conf – configuration files – httpd.conf
+ cgi-bin
+ domlogs – domain log files are stored here
+ htdocs
+ include – header files
+ libexec – shared object (.so) files are stored here – libphp4.so,mod_rewrite.so
+ logs – apache logs – access_log, error_log, suexec_log
+ man – apache manual pages
+ proxy -
+ icons -
Init Script :/etc/rc.d/init.d/httpd – apache start script
Cpanel script to restart apache – /scripts/restartsrv_httpd
Exim
=====
Conf : /etc/exim.conf – exim main configuration file
/etc/localdomains – list of domains allowed to relay mail
Log : /var/log/exim_mainlog – incoming/outgoing mails are logged here
/var/log/exim_rejectlog – exim rejected mails are reported here
/var/log/exim_paniclog – exim errors are logged here
Mail queue: /var/spool/exim/input
Cpanel script to restart exim – /scripts/restartsrv_exim
Email forwarders and catchall address file – /etc/valiases/domainname.com
Email filters file – /etc/vfilters/domainname.com
POP user authentication file – /home/username/etc/domainname/passwd
catchall inbox – /home/username/mail/inbox
POP user inbox – /home/username/mail/domainname/popusername/inbox
POP user spambox – /home/username/mail/domainname/popusername/spam
Program : /usr/sbin/exim (suid – -rwsr-xr-x 1 root root )
Init Script: /etc/rc.d/init.d/exim
ProFTPD
========
Program :/usr/sbin/proftpd
Init Script :/etc/rc.d/init.d/proftpd
Conf: /etc/proftpd.conf
Log: /var/log/messages, /var/log/xferlog
FTP accounts file – /etc/proftpd/username – all ftp accounts for the domain are listed here
Pure-FTPD
=========
Program : /usr/sbin/pure-ftpd
Init Script :/etc/rc.d/init.d/pure-ftpd
Conf: /etc/pure-ftpd.conf
Anonymous ftp document root – /etc/pure-ftpd/ip-address
Frontpage Extensions
=================
Program – (Install): /usr/local/frontpage/version5.0/bin/owsadm.exe
Uninstall and then install for re-installations
FP files are found as _vti-bin, _vti-pvt, _vti-cnf, vti-log inside the public_html
Mysql
=======
Program : /usr/bin/mysql
Init Script : /etc/rc.d/init.d/mysql
Conf : /etc/my.cnf, /root/.my.cnf
Data directory – /var/lib/mysql – Where all databases are stored.
Database naming convention – username_dbname (eg: john_sales)
Permissions on databases – drwx 2 mysql mysql
Socket file – /var/lib/mysql/mysql.sock, /tmp/ mysql.sock
SSHD
======
Program :/usr/local/sbin/sshd
Init Script :/etc/rc.d/init.d/sshd
/etc/ssh/sshd_config
Log: /var/log/messages
Perl
====
Program :/usr/bin/perl
Directory :/usr/lib/perl5/5.6.1/
PHP
====
Program :/usr/local/bin/php, /usr/bin/php
ini file: /usr/local/lib/php.ini – apache must be restarted after any change to this file
php can be recomplied using /scripts/easyapache
Named(BIND)
============
Program: /usr/sbin/named
Init Script: /etc/rc.d/init.d/named
/etc/named.conf
db records:/var/named/
/var/log/messages
————————————————————————————————————————————–
Cpanel installation directory structure
=============================
/usr/local/cpanel
+ 3rdparty/ – tools like fantastico, mailman files are located here
+ addons/ – AdvancedGuestBook, phpBB etc
+ base/ – phpmyadmin, squirrelmail, skins, webmail etc
+ bin/ – cpanel binaries
+ cgi-sys/ – cgi files like cgiemail, formmail.cgi, formmail.pl etc
+ logs/ – cpanel access log and error log
+ whostmgr/ – whm related files
WHM related files
===============
/var/cpanel – whm files
+ bandwidth/ – rrd files of domains
+ username.accts – reseller accounts are listed in this files
+ packages – hosting packages are listed here
+ root.accts – root owned domains are listed here
+ suspended – suspended accounts are listed here
+ users/ – cpanel user file – theme, bwlimit, addon, parked, sub-domains all are listed in this files
+ zonetemplates/ – dns zone template files are taken from here
Common CPanel scripts
===================
cpanel/whm Scripts are located in /scripts/
+ addns – add a dns zone
+ addfpmail – Add frontpage mail extensions to all domains without them
+ addfpmail2 -Add frontpage mail extensions to all domains without them
+ addnetmaskips – Add the netmask 255.255.255.0 to all IPs that have no netmask
+ addnobodygrp – Adds the gorup nobody and activates security
+ addpop – add a pop account
+ addservlets – Add JSP support to an account (requires tomcat)
+ addstatus – (Internal use never called by user)
+ adduser – Add a user to the system
+ bandwidth – (OLD)
+ betaexim – Installs the latest version of exim
+ biglogcheck – looks for logs nearing 2 gigabytes in size
+ bsdcryptoinstall – Installs crypto on FreeBSD
+ bsdldconfig – Configures the proper lib directories in FreeBSD
+ bsdpkgpingtest – Tests the connection speed for downloading FreeBSD packages
+ buildbsdexpect – Install expect on FreeBSD
+ builddomainaddr – (OLD)
+ buildeximconf – Rebuilds exim.conf
+ buildpostgrebsd-dev – Installs postgresql on FreeBSD.
+ chcpass – change cpanel passwords
+ easyapache – recompile/upgrade apache and/or php
+ exim4 – reinstall exim and fix permissions
+ fixcommonproblems – fixes most common problems
+ fixfrontpageperm – fixes permission issues with Front Page
+ fixmailman – fixes common mailman issues
+ fixnamed – fixes common named issues
+ fixndc – fixes rndc errors with named
+ fixquotas – fixes quota problems
+ fullhordereset – resets horde database to a fresh one – all previous user data are lost
+ initquotas – initializes quotas
+ installzendopt – installs zend optimizer
+ killacct – terminate an account – make sure you take a backup of the account first
+ mailperm – fixes permission problems with inboxes
+ park – to park a domain
+ pkgacct – used to backup an account
+ restartsrv – restart script for services
+ restorepkg – restores an account from a backup file ( pkgacct file)
+ runlogsnow – update logs of all users
+ runweblogs – update stats for a particular user
+ securetmp – secures /tmp partition with options nosuexec and nosuid
+ suspendacct – suspends an account
+ unsuspendacct – unsuspends a suspended account
+ upcp – updates cpanel to the latest version
+ updatenow – updates the cpanel scripts
+ updateuserdomains – updates userdomain entries
Important cpanel/whm files
====================
/etc/httpd/conf/httpd.conf – apache configuration file
/etc/exim.conf – mail server configuration file
/etc/named.conf – name server (named) configuration file
/etc/proftpd.conf – proftpd server configuration file
/etc/pure-ftpd.conf – pure-ftpd server configuration file
/etc/valiases/domainname – catchall and forwarders are set here
/etc/vfilters/domainname – email filters are set here
/etc/userdomains – all domains are listed here – addons, parked,subdomains along with their usernames
/etc/localdomains – exim related file – all domains should be listed here to be able to send mails
/var/cpanel/users/username – cpanel user file
/var/cpanel/cpanel.config – cpanel configuration file ( Tweak Settings )*
/etc/cpbackup-userskip.conf -
/etc/sysconfig/network – Networking Setup*
/etc/hosts -
/var/spool/exim -
/var/spool/cron -
/etc/resolv.conf – Networking Setup–> Resolver Configuration
/etc/nameserverips – Networking Setup–> Nameserver IPs ( FOr resellers to give their nameservers )
/var/cpanel/resellers – For addpkg, etc permissions for resellers.
/etc/chkserv.d – Main >> Service Configuration >> Service Manager *
/var/run/chkservd – Main >> Server Status >> Service Status *
/var/log/dcpumon – top log process
/root/cpanel3-skel – skel directory. Eg: public_ftp, public_html. (Account Functions–>Skeleton Directory )*
/etc/wwwacct.conf – account creation defaults file in WHM (Basic cPanel/WHM Setup)*
/etc/cpupdate.conf – Update Config *
/etc/cpbackup.conf – Configure Backup*
/etc/clamav.conf – clamav (antivirus configuration file )
/etc/my.cnf – mysql configuration file
/usr/local/Zend/etc/php.ini OR /usr/local/lib/php.ini – php configuration file
/etc/ips – ip addresses on the server (except the shared ip) (IP Functions–>Show IP Address Usage )*
/etc/ipaddrpool – ip addresses which are free
/etc/ips.dnsmaster – name server ips
/var/cpanel/Counters – To get the counter of each users.
/var/cpanel/bandwidth – To get bandwith usage of domai
=======================
Apache
=======
/usr/local/apache
+ bin- apache binaries are stored here – httpd, apachectl, apxs
+ conf – configuration files – httpd.conf
+ cgi-bin
+ domlogs – domain log files are stored here
+ htdocs
+ include – header files
+ libexec – shared object (.so) files are stored here – libphp4.so,mod_rewrite.so
+ logs – apache logs – access_log, error_log, suexec_log
+ man – apache manual pages
+ proxy -
+ icons -
Init Script :/etc/rc.d/init.d/httpd – apache start script
Cpanel script to restart apache – /scripts/restartsrv_httpd
Exim
=====
Conf : /etc/exim.conf – exim main configuration file
/etc/localdomains – list of domains allowed to relay mail
Log : /var/log/exim_mainlog – incoming/outgoing mails are logged here
/var/log/exim_rejectlog – exim rejected mails are reported here
/var/log/exim_paniclog – exim errors are logged here
Mail queue: /var/spool/exim/input
Cpanel script to restart exim – /scripts/restartsrv_exim
Email forwarders and catchall address file – /etc/valiases/domainname.com
Email filters file – /etc/vfilters/domainname.com
POP user authentication file – /home/username/etc/domainname/passwd
catchall inbox – /home/username/mail/inbox
POP user inbox – /home/username/mail/domainname/popusername/inbox
POP user spambox – /home/username/mail/domainname/popusername/spam
Program : /usr/sbin/exim (suid – -rwsr-xr-x 1 root root )
Init Script: /etc/rc.d/init.d/exim
ProFTPD
========
Program :/usr/sbin/proftpd
Init Script :/etc/rc.d/init.d/proftpd
Conf: /etc/proftpd.conf
Log: /var/log/messages, /var/log/xferlog
FTP accounts file – /etc/proftpd/username – all ftp accounts for the domain are listed here
Pure-FTPD
=========
Program : /usr/sbin/pure-ftpd
Init Script :/etc/rc.d/init.d/pure-ftpd
Conf: /etc/pure-ftpd.conf
Anonymous ftp document root – /etc/pure-ftpd/ip-address
Frontpage Extensions
=================
Program – (Install): /usr/local/frontpage/version5.0/bin/owsadm.exe
Uninstall and then install for re-installations
FP files are found as _vti-bin, _vti-pvt, _vti-cnf, vti-log inside the public_html
Mysql
=======
Program : /usr/bin/mysql
Init Script : /etc/rc.d/init.d/mysql
Conf : /etc/my.cnf, /root/.my.cnf
Data directory – /var/lib/mysql – Where all databases are stored.
Database naming convention – username_dbname (eg: john_sales)
Permissions on databases – drwx 2 mysql mysql
Socket file – /var/lib/mysql/mysql.sock, /tmp/ mysql.sock
SSHD
======
Program :/usr/local/sbin/sshd
Init Script :/etc/rc.d/init.d/sshd
/etc/ssh/sshd_config
Log: /var/log/messages
Perl
====
Program :/usr/bin/perl
Directory :/usr/lib/perl5/5.6.1/
PHP
====
Program :/usr/local/bin/php, /usr/bin/php
ini file: /usr/local/lib/php.ini – apache must be restarted after any change to this file
php can be recomplied using /scripts/easyapache
Named(BIND)
============
Program: /usr/sbin/named
Init Script: /etc/rc.d/init.d/named
/etc/named.conf
db records:/var/named/
/var/log/messages
————————————————————————————————————————————–
Cpanel installation directory structure
=============================
/usr/local/cpanel
+ 3rdparty/ – tools like fantastico, mailman files are located here
+ addons/ – AdvancedGuestBook, phpBB etc
+ base/ – phpmyadmin, squirrelmail, skins, webmail etc
+ bin/ – cpanel binaries
+ cgi-sys/ – cgi files like cgiemail, formmail.cgi, formmail.pl etc
+ logs/ – cpanel access log and error log
+ whostmgr/ – whm related files
WHM related files
===============
/var/cpanel – whm files
+ bandwidth/ – rrd files of domains
+ username.accts – reseller accounts are listed in this files
+ packages – hosting packages are listed here
+ root.accts – root owned domains are listed here
+ suspended – suspended accounts are listed here
+ users/ – cpanel user file – theme, bwlimit, addon, parked, sub-domains all are listed in this files
+ zonetemplates/ – dns zone template files are taken from here
Common CPanel scripts
===================
cpanel/whm Scripts are located in /scripts/
+ addns – add a dns zone
+ addfpmail – Add frontpage mail extensions to all domains without them
+ addfpmail2 -Add frontpage mail extensions to all domains without them
+ addnetmaskips – Add the netmask 255.255.255.0 to all IPs that have no netmask
+ addnobodygrp – Adds the gorup nobody and activates security
+ addpop – add a pop account
+ addservlets – Add JSP support to an account (requires tomcat)
+ addstatus – (Internal use never called by user)
+ adduser – Add a user to the system
+ bandwidth – (OLD)
+ betaexim – Installs the latest version of exim
+ biglogcheck – looks for logs nearing 2 gigabytes in size
+ bsdcryptoinstall – Installs crypto on FreeBSD
+ bsdldconfig – Configures the proper lib directories in FreeBSD
+ bsdpkgpingtest – Tests the connection speed for downloading FreeBSD packages
+ buildbsdexpect – Install expect on FreeBSD
+ builddomainaddr – (OLD)
+ buildeximconf – Rebuilds exim.conf
+ buildpostgrebsd-dev – Installs postgresql on FreeBSD.
+ chcpass – change cpanel passwords
+ easyapache – recompile/upgrade apache and/or php
+ exim4 – reinstall exim and fix permissions
+ fixcommonproblems – fixes most common problems
+ fixfrontpageperm – fixes permission issues with Front Page
+ fixmailman – fixes common mailman issues
+ fixnamed – fixes common named issues
+ fixndc – fixes rndc errors with named
+ fixquotas – fixes quota problems
+ fullhordereset – resets horde database to a fresh one – all previous user data are lost
+ initquotas – initializes quotas
+ installzendopt – installs zend optimizer
+ killacct – terminate an account – make sure you take a backup of the account first
+ mailperm – fixes permission problems with inboxes
+ park – to park a domain
+ pkgacct – used to backup an account
+ restartsrv – restart script for services
+ restorepkg – restores an account from a backup file ( pkgacct file)
+ runlogsnow – update logs of all users
+ runweblogs – update stats for a particular user
+ securetmp – secures /tmp partition with options nosuexec and nosuid
+ suspendacct – suspends an account
+ unsuspendacct – unsuspends a suspended account
+ upcp – updates cpanel to the latest version
+ updatenow – updates the cpanel scripts
+ updateuserdomains – updates userdomain entries
Important cpanel/whm files
====================
/etc/httpd/conf/httpd.conf – apache configuration file
/etc/exim.conf – mail server configuration file
/etc/named.conf – name server (named) configuration file
/etc/proftpd.conf – proftpd server configuration file
/etc/pure-ftpd.conf – pure-ftpd server configuration file
/etc/valiases/domainname – catchall and forwarders are set here
/etc/vfilters/domainname – email filters are set here
/etc/userdomains – all domains are listed here – addons, parked,subdomains along with their usernames
/etc/localdomains – exim related file – all domains should be listed here to be able to send mails
/var/cpanel/users/username – cpanel user file
/var/cpanel/cpanel.config – cpanel configuration file ( Tweak Settings )*
/etc/cpbackup-userskip.conf -
/etc/sysconfig/network – Networking Setup*
/etc/hosts -
/var/spool/exim -
/var/spool/cron -
/etc/resolv.conf – Networking Setup–> Resolver Configuration
/etc/nameserverips – Networking Setup–> Nameserver IPs ( FOr resellers to give their nameservers )
/var/cpanel/resellers – For addpkg, etc permissions for resellers.
/etc/chkserv.d – Main >> Service Configuration >> Service Manager *
/var/run/chkservd – Main >> Server Status >> Service Status *
/var/log/dcpumon – top log process
/root/cpanel3-skel – skel directory. Eg: public_ftp, public_html. (Account Functions–>Skeleton Directory )*
/etc/wwwacct.conf – account creation defaults file in WHM (Basic cPanel/WHM Setup)*
/etc/cpupdate.conf – Update Config *
/etc/cpbackup.conf – Configure Backup*
/etc/clamav.conf – clamav (antivirus configuration file )
/etc/my.cnf – mysql configuration file
/usr/local/Zend/etc/php.ini OR /usr/local/lib/php.ini – php configuration file
/etc/ips – ip addresses on the server (except the shared ip) (IP Functions–>Show IP Address Usage )*
/etc/ipaddrpool – ip addresses which are free
/etc/ips.dnsmaster – name server ips
/var/cpanel/Counters – To get the counter of each users.
/var/cpanel/bandwidth – To get bandwith usage of domai
Dec 10, 2009
How to install the phpSHIELD Loaders on Linux-Windows server
How to install the phpSHIELD Loaders on Linux-Windows server?
The phpSHIELD is a software which is used to encode the php pages, It is an excellent product for encoding php files if you don’t require any time limiting, IP/Domain locking or the powerful licensing features contained within SourceGuardian . phpSHIELD protects your PHP Source Code with a powerful, easy to use encoder, which creates a native byte code version of the script and then encrypts it.
Most of application require the phpSHIELD loaders like the phpmotion …
How to install the phpSHIELD Loaders on Linux server?
• Download the appropriate OS version phpSHIELD Loaders though
http://www.phpshield.com/loaders/index.php URL
1.For Linux server
#cd /usr/src/
#wget http://www.phpshield.com/loaders/phpshield.loaders.linux.zip
2. For Windows Server
http://www.phpshield.com/loaders/phpshield.loaders.windows.zip
• uncompress the phpSHIELD loader zip file
• You will need to determine the path to your php “extensions library” use a phpinfo() file to check this. It will look something like this /usr/local/lib/php/extensions/no-debug-non-zts-20060613(example only)
Or
you can use following command on ssh shell to check extension library path
#php –i |grep extension_dir
• check the php version then you will then need to copy 1 file to this “extension library” folder. If php 5.2.X version is running on server then copy the phpshield.5.2.lin (for Linux server) OR phpshield.5.2.win (for Windows server) file to the “extensions library” location.
E.g.
cp -a phpshield.5.2.lin /usr/local/lib/php/extensions/no-debug-non-zts-20060613
• Open the php.ini configuration file (located in /usr/local/lib/ or you can use php -i |grep php.ini command to find exact running php.ini file location ), and add the following line below extension_dir line
extension="phpshield.5.2.lin" (for Linux server)
OR
extension="phpshield.5.2.win" (for Windows server)
That’s it , phpSHIELD Loaders is successfully installed on your server, You can verify it by creating php info file under your public_html folder,if it is sucessfully installed you will see following phpSHILED information in php info file.
phpshield How to install the phpSHIELD Loaders on Linux Windows server?
The phpSHIELD is a software which is used to encode the php pages, It is an excellent product for encoding php files if you don’t require any time limiting, IP/Domain locking or the powerful licensing features contained within SourceGuardian . phpSHIELD protects your PHP Source Code with a powerful, easy to use encoder, which creates a native byte code version of the script and then encrypts it.
Most of application require the phpSHIELD loaders like the phpmotion …
How to install the phpSHIELD Loaders on Linux server?
• Download the appropriate OS version phpSHIELD Loaders though
http://www.phpshield.com/loaders/index.php URL
1.For Linux server
#cd /usr/src/
#wget http://www.phpshield.com/loaders/phpshield.loaders.linux.zip
2. For Windows Server
http://www.phpshield.com/loaders/phpshield.loaders.windows.zip
• uncompress the phpSHIELD loader zip file
• You will need to determine the path to your php “extensions library” use a phpinfo() file to check this. It will look something like this /usr/local/lib/php/extensions/no-debug-non-zts-20060613(example only)
Or
you can use following command on ssh shell to check extension library path
#php –i |grep extension_dir
• check the php version then you will then need to copy 1 file to this “extension library” folder. If php 5.2.X version is running on server then copy the phpshield.5.2.lin (for Linux server) OR phpshield.5.2.win (for Windows server) file to the “extensions library” location.
E.g.
cp -a phpshield.5.2.lin /usr/local/lib/php/extensions/no-debug-non-zts-20060613
• Open the php.ini configuration file (located in /usr/local/lib/ or you can use php -i |grep php.ini command to find exact running php.ini file location ), and add the following line below extension_dir line
extension="phpshield.5.2.lin" (for Linux server)
OR
extension="phpshield.5.2.win" (for Windows server)
That’s it , phpSHIELD Loaders is successfully installed on your server, You can verify it by creating php info file under your public_html folder,if it is sucessfully installed you will see following phpSHILED information in php info file.
phpshield How to install the phpSHIELD Loaders on Linux Windows server?
Dec 7, 2009
PEAR:Crypt_Blowfish
Sometime we get following error:
Error:
PROTX DIRECT: Your PHP installation does NOT have access to PEAR:Crypt_Blowfish on your server!
It would appear that the PEAR:Crypt_Blowfish package is not on your include path. Please check that Crypt_Blowfish is installed in your PEAR library.
Alternatively, your server may have more than one PEAR installation and the PEAR:Crypt_Blowfish package may not have been installed in the “correct” PEAR library folder - please check that you are using the correct PEAR library if you have more than one on your server.
Current Include Path: .:/usr/lib/php:/usr/local/lib/php
Safe mode in use?: no
open_basedir restricted directories
Solution:
pear install Crypt_Blowfish
It works fine for me.
Error:
PROTX DIRECT: Your PHP installation does NOT have access to PEAR:Crypt_Blowfish on your server!
It would appear that the PEAR:Crypt_Blowfish package is not on your include path. Please check that Crypt_Blowfish is installed in your PEAR library.
Alternatively, your server may have more than one PEAR installation and the PEAR:Crypt_Blowfish package may not have been installed in the “correct” PEAR library folder - please check that you are using the correct PEAR library if you have more than one on your server.
Current Include Path: .:/usr/lib/php:/usr/local/lib/php
Safe mode in use?: no
open_basedir restricted directories
Solution:
pear install Crypt_Blowfish
It works fine for me.
Dec 4, 2009
Secure SSH
Any reference to editing the config file is refering to the file located at
/etc/ssh/sshd_config
and to edit this I recommend
pico /etc/ssh/sshd_config
Before you do any thing, you should back your config up. This can be done by:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
##Different Ports and IPs##
If your clients do not have SSH access (web hosting for example), a good way to secure your box is to run SSH on an unknown port and IP, so that people do not know your SSH port, so can't brute force it.
Your current config file will look something like this (you will scroll down and see this)
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
They are all commented out with the #, You should change the port number away from port 22, This port will be used in future to access the server. A random port which has significance to you but one which people won't guess is a good one. For this tutorial I will use the port 2202 (the time of writing this tutorial). You want to remove the hash to make the line uncommented and change 22 to the new port. Your config at this point of the file willl now look like this:
Port 2202
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
This means from now on you will connect to ssh on port 2202. Another good way of making your SSH more secure is for it to bind on a different IP. Your best bet is to request an IP from FDC and ask for it to be in a different IP range to your current IPs. They should give you this. For the sake of the tutorial this ip will be 1.2.3.4. You do the same as before, but this time with listen address. So your config file (just under where it says
# default value
)
should now look like:
Port 2202
#Protocol 2,1
ListenAddress 1.2.3.4
#ListenAddress ::
##Disable Root Log In##
If you disable root log in, it means if someone is brute forcing your server, they have to find and crack a user accountbefore they can access the root account.
If we had of performed this root log in already on this server and made an ssh connection to the server but not yet logged in, but it had root SSH disabled, You would log in as a user account e.g. admin, onceyou had logged in you would get to your favourate shell screen:
admin@localhost [~]#
You would then issue this following command:
admin@localhost [~]# su -
You would then be asked for your root password which you would enter. You can try this without having root SSH disabled. In cPanel you have to add the user you are using before accessing the root account to the wheel in web host manager. This will allow only users in the wheel to be able to access SSH.
To disable root SSH login, return to editing the file, and scroll down to
# Authentication:
#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes
And change it to
# Authentication:
#LoginGraceTime 120
PermitRootLogin no
#StrictModes yes
This has now disabled root ssh access. Before you do this, make sure you can log in as a normal user and then use su - to log in to root, if you cant then do not perform this step.
##Force SSHv2##
As the internet evolves, so do the protocols and programs that use them, as such SSHv2 was born. You can force clients to use SSHv2 for greater security. This is simple to do, edit the file and find the line:
#Protocol 2,1
and simply change it to
Protocol 2
Save the sshd_config file
issue the command:
service sshd restart
It should show:
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
If it errors on starting sshd, you can restore the original config file by typing:
mv /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
it will ask you if you want to overwrite, click yes then type:
service sshd start
and now you will get:
Starting sshd: [ OK ]
/etc/ssh/sshd_config
and to edit this I recommend
pico /etc/ssh/sshd_config
Before you do any thing, you should back your config up. This can be done by:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
##Different Ports and IPs##
If your clients do not have SSH access (web hosting for example), a good way to secure your box is to run SSH on an unknown port and IP, so that people do not know your SSH port, so can't brute force it.
Your current config file will look something like this (you will scroll down and see this)
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
They are all commented out with the #, You should change the port number away from port 22, This port will be used in future to access the server. A random port which has significance to you but one which people won't guess is a good one. For this tutorial I will use the port 2202 (the time of writing this tutorial). You want to remove the hash to make the line uncommented and change 22 to the new port. Your config at this point of the file willl now look like this:
Port 2202
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
This means from now on you will connect to ssh on port 2202. Another good way of making your SSH more secure is for it to bind on a different IP. Your best bet is to request an IP from FDC and ask for it to be in a different IP range to your current IPs. They should give you this. For the sake of the tutorial this ip will be 1.2.3.4. You do the same as before, but this time with listen address. So your config file (just under where it says
# default value
)
should now look like:
Port 2202
#Protocol 2,1
ListenAddress 1.2.3.4
#ListenAddress ::
##Disable Root Log In##
If you disable root log in, it means if someone is brute forcing your server, they have to find and crack a user accountbefore they can access the root account.
If we had of performed this root log in already on this server and made an ssh connection to the server but not yet logged in, but it had root SSH disabled, You would log in as a user account e.g. admin, onceyou had logged in you would get to your favourate shell screen:
admin@localhost [~]#
You would then issue this following command:
admin@localhost [~]# su -
You would then be asked for your root password which you would enter. You can try this without having root SSH disabled. In cPanel you have to add the user you are using before accessing the root account to the wheel in web host manager. This will allow only users in the wheel to be able to access SSH.
To disable root SSH login, return to editing the file, and scroll down to
# Authentication:
#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes
And change it to
# Authentication:
#LoginGraceTime 120
PermitRootLogin no
#StrictModes yes
This has now disabled root ssh access. Before you do this, make sure you can log in as a normal user and then use su - to log in to root, if you cant then do not perform this step.
##Force SSHv2##
As the internet evolves, so do the protocols and programs that use them, as such SSHv2 was born. You can force clients to use SSHv2 for greater security. This is simple to do, edit the file and find the line:
#Protocol 2,1
and simply change it to
Protocol 2
Save the sshd_config file
issue the command:
service sshd restart
It should show:
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
If it errors on starting sshd, you can restore the original config file by typing:
mv /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
it will ask you if you want to overwrite, click yes then type:
service sshd start
and now you will get:
Starting sshd: [ OK ]
Install Teampeak Server
Login into server using root...
Step 1:
cd to The directory You want teampeak Installed I installed to /
Step 2:
wget The TS server from this URL
ftp://ftp.freenet.de/pub/4players/teamspeak.org/releases/ts2_server_rc2_20201.tar.bz2
Step 3:
Use the Following Command To Extract from bz2
bunzip2 ts2_server_rc2_20201.tar.bz2
Step 4:
Use the tar xvf command to Untar Your Server.
Step 5:
cd to tss2_rc2 directory
Step 6:
Use this Command to Start Your Server
./teamspeak2-server_startscript start
Step 7:
This Final Step Is used to View Your Teamspeak Passwords.
./teamspeak2-server_startscript passwords
You Should See something Like the Following.
superadmin = "password"
admin = "password"
You may Now Use Your Teamspeak Server To use the teamspeak Server Web Administration go to this URL
http://YOUR IP:14534/
Step 1:
cd to The directory You want teampeak Installed I installed to /
Step 2:
wget The TS server from this URL
ftp://ftp.freenet.de/pub/4players/teamspeak.org/releases/ts2_server_rc2_20201.tar.bz2
Step 3:
Use the Following Command To Extract from bz2
bunzip2 ts2_server_rc2_20201.tar.bz2
Step 4:
Use the tar xvf command to Untar Your Server.
Step 5:
cd to tss2_rc2 directory
Step 6:
Use this Command to Start Your Server
./teamspeak2-server_startscript start
Step 7:
This Final Step Is used to View Your Teamspeak Passwords.
./teamspeak2-server_startscript passwords
You Should See something Like the Following.
superadmin = "password"
admin = "password"
You may Now Use Your Teamspeak Server To use the teamspeak Server Web Administration go to this URL
http://YOUR IP:14534/
Dec 1, 2009
Nobody Check
) Login to your server as the root user through shell
2) wget http://www.webhostgear.com/projects/nobodycheck/install.sh
3) chmod +x install.sh
4) ./install.sh
Wait for the installer to finish
5) rm -f install.sh
6) Open the /usr/local/nobody_check/nc.conf and put in your email address and select your options
CentOS
Fedora
Red Hat and Red Hat Enterprise systems
2) wget http://www.webhostgear.com/projects/nobodycheck/install.sh
3) chmod +x install.sh
4) ./install.sh
Wait for the installer to finish
5) rm -f install.sh
6) Open the /usr/local/nobody_check/nc.conf and put in your email address and select your options
CentOS
Fedora
Red Hat and Red Hat Enterprise systems
Nov 27, 2009
Install ffmpeg
Please use following steps on your risk, I won't be responsible for any damage...
OS/ Fedora Core 5
download and install:
libffac
libffad2
xvid
libogg,libvorbis
mp3lame
ffmpeg
Setting Up Install Folder, Logging and download Packages
1)Log into ssh
2) cd /usr/src && mkdir install && cd install
3) Download faad2 and faac
from http://faac.sourceforge.net/oldsite/download.php get Faad2 and faac (new versions
)
wget http://prdownloads.sourceforge.net/f...ar.gz?download
wget http://prdownloads.sourceforge.net/f...ar.gz?download
4) Verify that you have these components are installed
rpm -qa automake
rpm -qa autoconf
rpm -qa libtool
rpm -qa m4
rpm -qa gcc-c++
If any are missing than simply yum install (packagename), if you dont have a package manager than get one, it will save you alot of time
and headaches.
Installing Faac
5)tar -zxvf faac-1.24.tar.gz && cd faac
6) sh bootstrap
7) ./configure
8) make
9) make install
10) cd ..
Installing Faad2
11) tar -zxvf faad2-2.0.tar.gz
12) cd faad2 && less README.linux
13) There is 2 bugs with this package, so need to manually edit these files
14) nano Makefile.am
Edit the file to look like this
SUBDIRS = libfaad common frontend plugins
EXTRA_DIST = faad2.spec
15) cd common/mp4ff && nano mp4ffint.h
16) Comment out this line
//void mp4ff_track_add(mp4ff_t *f);
17)Save file and cd ../..
18)autoreconf -vif
19) ./configure
20) make
21) make install
Installing Libogg and Libvorbis
22)cd .. and then Check to see if libogg and libvorbs
rpm -qa libogg-devel
rpm -qa libvorbis-devel
rpm -qa libncurses-devel
If not installed then simply Package Install (replace yum and install settings with your package manager)
yum install libogg-devel
yum install libvorbis-devel
yum install libncurses-devel
Installing LAME (for audio)
23)go into lame sourceforge - http://sourceforge.net/project/showf...package_id=309
24)wget http://mesh.dl.sourceforge.net/sourc...me-3.97.tar.gz
25)tar -zxvf lame-3.97.tar.gz
26)cd lame*
27) ./configure; make;make install
Installing Xvid
28) cd .. && wget http://downloads.xvid.org/downloads/...e-1.1.2.tar.gz
29)tar -zxvf xvidcore-1.1.2.tar.gz && cd xvid*/build/generic/
30) ./configure; make; make install;
31) cd ../../..
Installing ffmpeg
32) rpm -q subversion If not install, then install subversion
33)svn checkout svn://svn.mplayerhq.hu/ffmpeg/trunk ffmpeg && cd ffmpeg
34) ./configure --enable-shared --enable-xvid --enable-vorbis --enable-libogg --enable-mp3lame --enable-gpl --enable-faad --enable-faac --enable-a52
35)make
36)make install
If Installation went ok, run
ldd ./ffmpeg
If Path to Lib Libraries are not ok
37)Check to see if /usr/local/lib exists on this file
cat /etc/ld.so.conf
If not
echo /usr/local/lib >>/etc/ld.so.conf
38) cat/etc/ld.so.conf Now check to see if (/usr/local/lib exist)
39) save file
40) ldconfig
41) run ldd ./ffmpeg
FFmpeg should be complete and installed. On some servers you may need to add Disable Shared and enable flags.
For anyone having problems with faac and faad2, these older versions should work nicely:
wget http://dfn.dl.sourceforge.net/source...ac-1.24.tar.gz
tar zxvf faac-1.24.tar.gz
cd faac
chmod 777 bootstrap
./bootstrap
./configure
make
make install
cd ../
make install
cd ../
rm -rf faac
wget http://dfn.dl.sourceforge.net/source...2.0-rc3.tar.gz
tar zxvf faad2-2.0-rc3.tar.gz
cd faad2
chmod 777 bootstrap
./bootstrap
./configure
make
make install
cd ../
rm -rf faad2
OS/ Fedora Core 5
download and install:
libffac
libffad2
xvid
libogg,libvorbis
mp3lame
ffmpeg
Setting Up Install Folder, Logging and download Packages
1)Log into ssh
2) cd /usr/src && mkdir install && cd install
3) Download faad2 and faac
from http://faac.sourceforge.net/oldsite/download.php get Faad2 and faac (new versions
)
wget http://prdownloads.sourceforge.net/f...ar.gz?download
wget http://prdownloads.sourceforge.net/f...ar.gz?download
4) Verify that you have these components are installed
rpm -qa automake
rpm -qa autoconf
rpm -qa libtool
rpm -qa m4
rpm -qa gcc-c++
If any are missing than simply yum install (packagename), if you dont have a package manager than get one, it will save you alot of time
and headaches.
Installing Faac
5)tar -zxvf faac-1.24.tar.gz && cd faac
6) sh bootstrap
7) ./configure
8) make
9) make install
10) cd ..
Installing Faad2
11) tar -zxvf faad2-2.0.tar.gz
12) cd faad2 && less README.linux
13) There is 2 bugs with this package, so need to manually edit these files
14) nano Makefile.am
Edit the file to look like this
SUBDIRS = libfaad common frontend plugins
EXTRA_DIST = faad2.spec
15) cd common/mp4ff && nano mp4ffint.h
16) Comment out this line
//void mp4ff_track_add(mp4ff_t *f);
17)Save file and cd ../..
18)autoreconf -vif
19) ./configure
20) make
21) make install
Installing Libogg and Libvorbis
22)cd .. and then Check to see if libogg and libvorbs
rpm -qa libogg-devel
rpm -qa libvorbis-devel
rpm -qa libncurses-devel
If not installed then simply Package Install (replace yum and install settings with your package manager)
yum install libogg-devel
yum install libvorbis-devel
yum install libncurses-devel
Installing LAME (for audio)
23)go into lame sourceforge - http://sourceforge.net/project/showf...package_id=309
24)wget http://mesh.dl.sourceforge.net/sourc...me-3.97.tar.gz
25)tar -zxvf lame-3.97.tar.gz
26)cd lame*
27) ./configure; make;make install
Installing Xvid
28) cd .. && wget http://downloads.xvid.org/downloads/...e-1.1.2.tar.gz
29)tar -zxvf xvidcore-1.1.2.tar.gz && cd xvid*/build/generic/
30) ./configure; make; make install;
31) cd ../../..
Installing ffmpeg
32) rpm -q subversion If not install, then install subversion
33)svn checkout svn://svn.mplayerhq.hu/ffmpeg/trunk ffmpeg && cd ffmpeg
34) ./configure --enable-shared --enable-xvid --enable-vorbis --enable-libogg --enable-mp3lame --enable-gpl --enable-faad --enable-faac --enable-a52
35)make
36)make install
If Installation went ok, run
ldd ./ffmpeg
If Path to Lib Libraries are not ok
37)Check to see if /usr/local/lib exists on this file
cat /etc/ld.so.conf
If not
echo /usr/local/lib >>/etc/ld.so.conf
38) cat/etc/ld.so.conf Now check to see if (/usr/local/lib exist)
39) save file
40) ldconfig
41) run ldd ./ffmpeg
FFmpeg should be complete and installed. On some servers you may need to add Disable Shared and enable flags.
For anyone having problems with faac and faad2, these older versions should work nicely:
wget http://dfn.dl.sourceforge.net/source...ac-1.24.tar.gz
tar zxvf faac-1.24.tar.gz
cd faac
chmod 777 bootstrap
./bootstrap
./configure
make
make install
cd ../
make install
cd ../
rm -rf faac
wget http://dfn.dl.sourceforge.net/source...2.0-rc3.tar.gz
tar zxvf faad2-2.0-rc3.tar.gz
cd faad2
chmod 777 bootstrap
./bootstrap
./configure
make
make install
cd ../
rm -rf faad2
Nov 25, 2009
Enable Tun/Tap in vps
In order to enable Tun/Tap in vps, you will have to run following commands from hardware node where 201 is nothing but the vps in which you have to enable those modules.
# lsmod | grep tun
# modprobe tun
vzctl set 201 --devices c:10:200:rw --save
vzctl set 201 --capability net_admin:on --save
vzctl exec 201 mkdir -p /dev/net
vzctl exec 201 mknod /dev/net/tun c 10 200
vzctl exec 201 chmod 600 /dev/net/tun
-------------------------------------------------------
#!/usr/bin/perl -w
use strict;
if (-e "/etc/sysconfig/vz-scripts/$ARGV[0].conf") {
system("vzctl set $ARGV[0] --devices c:10:200:rw --save");
system("vzctl exec $ARGV[0] mkdir -p /dev/net");
system("vzctl exec $ARGV[0] mknod /dev/net/tun c 10 200");
system("vzctl exec $ARGV[0] chmod 600 /dev/net/tun");
print "Done setting up /dev/net/tun for VE $ARGV[0]\n";
} else {
die "VE $ARGV[0] not found ..";
}
# lsmod | grep tun
# modprobe tun
vzctl set 201 --devices c:10:200:rw --save
vzctl set 201 --capability net_admin:on --save
vzctl exec 201 mkdir -p /dev/net
vzctl exec 201 mknod /dev/net/tun c 10 200
vzctl exec 201 chmod 600 /dev/net/tun
-------------------------------------------------------
#!/usr/bin/perl -w
use strict;
if (-e "/etc/sysconfig/vz-scripts/$ARGV[0].conf") {
system("vzctl set $ARGV[0] --devices c:10:200:rw --save");
system("vzctl exec $ARGV[0] mkdir -p /dev/net");
system("vzctl exec $ARGV[0] mknod /dev/net/tun c 10 200");
system("vzctl exec $ARGV[0] chmod 600 /dev/net/tun");
print "Done setting up /dev/net/tun for VE $ARGV[0]\n";
} else {
die "VE $ARGV[0] not found ..";
}
Nov 24, 2009
Error establishing a database connection
Warning: mysql_connect(): Access denied for user: 'user1_name1@localhost' (Using password: YES) in /home/joe123/public_html/catalog/includes/functions/database.php on line 19
What this means is that your database now exists in cPanel, but your website cannot communicate with it. Now is time to assign a database username and reconfigure your website's database settings.
1. Login to your cPanel and click the "MySQL Databases" icon.
2. Scroll down till you see MySQL Users > NewUser.
3. The username can be anything you want. For this example, we will choose gatorboy.
4. Pick any random password. You won't need to commit this to memory, so go nuts. For this example, nvGHdCC0dCMz can be our database password. Copy the password and keep it ready. Now enter the password twice and then press the "Create User" button.
The user has now been added, but it has not been assigned to a database.
1. In the same area under MySQL Users you will see a second section called Add User To Database.
2. Choose the username you just created from the drop down. (Notice that cPanel will automatically prepend your database name with your cPanel username. For this example, we get joe123_gatorboy.) Copy this username and keep it ready.
3. Next, choose the name of your database and click the "Submit" button. If you don't know which database name to use, skip this step for now.
Now you need to locate your database configuration file.
* If you have a general error message like the first example, then use our config files article to determine the location.
* If you have a specific error message like the second example, then the error tells us the location. In our example the error says "in /home/joe123/public_html/catalog/includes/functions/database.php on line 19". That is where you need to go.
It is finally time to reconfigure your website's database settings.
1. Go to the configuration file and choose to Edit.
2. Look in the code for a place where your database name is defined. Here is the example of what we see:
define('DB_NAME', 'user1_wrdp1');
define('DB_USER', 'user1_name1');
define('DB_PASSWORD', '5Jmfde%53L');
define('DB_HOST', 'localhost');
3. The database name is very important; it must have your new cPanel name in the first part. Update the part before the underscore, but change nothing after the underscore. Example:
define('DB_NAME', 'joe123_wrdp1');
If you skipped step 3 while assigning the user to the database, you must go back and complete that step. The value you have for your database name is the correct name to choose in the second drop down. (Don't forget to click Submit.)
4. Next, get the database username and password you set aside and replace the ones in the file. Example:
define('DB_USER', 'joe123_gatorboy');
define('DB_PASSWORD', 'nvGHdCC0dCMz');
This is the last time you will need this username and password, so you don't need to keep a copy anymore.
5. The host name is always 'localhost', so make that change if needed.
6. Save the file and you are done! Refresh your webpage to see if it works.
What this means is that your database now exists in cPanel, but your website cannot communicate with it. Now is time to assign a database username and reconfigure your website's database settings.
1. Login to your cPanel and click the "MySQL Databases" icon.
2. Scroll down till you see MySQL Users > NewUser.
3. The username can be anything you want. For this example, we will choose gatorboy.
4. Pick any random password. You won't need to commit this to memory, so go nuts. For this example, nvGHdCC0dCMz can be our database password. Copy the password and keep it ready. Now enter the password twice and then press the "Create User" button.
The user has now been added, but it has not been assigned to a database.
1. In the same area under MySQL Users you will see a second section called Add User To Database.
2. Choose the username you just created from the drop down. (Notice that cPanel will automatically prepend your database name with your cPanel username. For this example, we get joe123_gatorboy.) Copy this username and keep it ready.
3. Next, choose the name of your database and click the "Submit" button. If you don't know which database name to use, skip this step for now.
Now you need to locate your database configuration file.
* If you have a general error message like the first example, then use our config files article to determine the location.
* If you have a specific error message like the second example, then the error tells us the location. In our example the error says "in /home/joe123/public_html/catalog/includes/functions/database.php on line 19". That is where you need to go.
It is finally time to reconfigure your website's database settings.
1. Go to the configuration file and choose to Edit.
2. Look in the code for a place where your database name is defined. Here is the example of what we see:
define('DB_NAME', 'user1_wrdp1');
define('DB_USER', 'user1_name1');
define('DB_PASSWORD', '5Jmfde%53L');
define('DB_HOST', 'localhost');
3. The database name is very important; it must have your new cPanel name in the first part. Update the part before the underscore, but change nothing after the underscore. Example:
define('DB_NAME', 'joe123_wrdp1');
If you skipped step 3 while assigning the user to the database, you must go back and complete that step. The value you have for your database name is the correct name to choose in the second drop down. (Don't forget to click Submit.)
4. Next, get the database username and password you set aside and replace the ones in the file. Example:
define('DB_USER', 'joe123_gatorboy');
define('DB_PASSWORD', 'nvGHdCC0dCMz');
This is the last time you will need this username and password, so you don't need to keep a copy anymore.
5. The host name is always 'localhost', so make that change if needed.
6. Save the file and you are done! Refresh your webpage to see if it works.
Custom error pages
To create a custom error page for your account, please login to cPanel and click Error Pages, under Advanced. Select the domain or subdomain you want and click the page you want to edit. Insert your own custom page code (in HTML or SHTML). The changes will be applied after you click Save.
But I don't know any HTML
Never fear. If you use a design program like Sitebuilder, simply publish a page which you would want to use. Next, visit your website online and pull up that new page you want. At the top of your browser, go to View and choose "Source" or "Page Source". Copy everything from the pop-up window (right click, Select All, right click, Copy) and now you can paste where the HTML code belongs.
Afterward, you may want to remove that extra page from your site builder program.
Common problems
If Internet Explorer is not displaying the custom error page, it is likely because the error page must be larger than 1 kilobyte.
There are many error pages which may be defined.
Client Request Errors
400 - Bad Request
401 - Authorization Required
403 - Forbidden
404 - Not Found
405 - Method Not Allowed
406 - Not Acceptable (encoding)
407 - Proxy Authentication Required
408 - Request Timed Out
409 - Conflicting Request
410 - Gone
411 - Content Length Required
412 - Precondition Failed
413 - Request Entity Too Long
414 - Request URI Too Long
415 - Unsupported Media Type
Server Errors
500 - Internal Server Error
501 - Not Implemented
502 - Bad Gateway
503 - Service Unavailable
504 - Gateway Timeout
505 - HTTP Version Not Supported
How can I revert back to the default error pages?
Simply delete the error page from the public_html folder:
404.shtml
403.shtml
500.shtml
But I don't know any HTML
Never fear. If you use a design program like Sitebuilder, simply publish a page which you would want to use. Next, visit your website online and pull up that new page you want. At the top of your browser, go to View and choose "Source" or "Page Source". Copy everything from the pop-up window (right click, Select All, right click, Copy) and now you can paste where the HTML code belongs.
Afterward, you may want to remove that extra page from your site builder program.
Common problems
If Internet Explorer is not displaying the custom error page, it is likely because the error page must be larger than 1 kilobyte.
There are many error pages which may be defined.
Client Request Errors
400 - Bad Request
401 - Authorization Required
403 - Forbidden
404 - Not Found
405 - Method Not Allowed
406 - Not Acceptable (encoding)
407 - Proxy Authentication Required
408 - Request Timed Out
409 - Conflicting Request
410 - Gone
411 - Content Length Required
412 - Precondition Failed
413 - Request Entity Too Long
414 - Request URI Too Long
415 - Unsupported Media Type
Server Errors
500 - Internal Server Error
501 - Not Implemented
502 - Bad Gateway
503 - Service Unavailable
504 - Gateway Timeout
505 - HTTP Version Not Supported
How can I revert back to the default error pages?
Simply delete the error page from the public_html folder:
404.shtml
403.shtml
500.shtml
Apache error logs
Logs are very importatnt while troublseshooting any problem. I have listed here some apache logs which are very useful in order to debug any issue related with apache on cpanel server
Some things you can ignore:
File does not exist: home/somtin/public_html/robots.txt
File does not exist: home/somwon/public_html/favicon.ico
File does not exist: home/somwer/public_html/500.shtml
Some things you can fix:
File does not exist: /home/yousir/public_html/gallery/pic.jpg
The file is either in the wrong place or needs to be republished. Be sure that all of your files and folders are uploaded inside the public_html.
(13)Permission denied: file permissions deny server access: /home/sumuser/public_html/index.html
This is the most common 403 error. We can help you fix this.
error: file is writable by others: (/home/sumwon/public_html/index.php)
This is the most common 500 error. We can help you fix this.
error: file has no execute permission: (/home/inono/public_html/cgi-bin/img2txt.cgi)
This can be fixed by adding executable permissions [755] to the file.
perhaps mis-spelled or defined by a module not included in the server configuration
This means there is something bad in the .htaccess file. Perhaps there is a php_flag line needs to be deleted.
Premature end of script headers: /home/gyms/public_html/cgi-bin/index.pl
Possibly this is a perl script and needs to say #!/usr/bin/perl -w on the first line.
Some things you can ignore:
File does not exist: home/somtin/public_html/robots.txt
File does not exist: home/somwon/public_html/favicon.ico
File does not exist: home/somwer/public_html/500.shtml
Some things you can fix:
File does not exist: /home/yousir/public_html/gallery/pic.jpg
The file is either in the wrong place or needs to be republished. Be sure that all of your files and folders are uploaded inside the public_html.
(13)Permission denied: file permissions deny server access: /home/sumuser/public_html/index.html
This is the most common 403 error. We can help you fix this.
error: file is writable by others: (/home/sumwon/public_html/index.php)
This is the most common 500 error. We can help you fix this.
error: file has no execute permission: (/home/inono/public_html/cgi-bin/img2txt.cgi)
This can be fixed by adding executable permissions [755] to the file.
perhaps mis-spelled or defined by a module not included in the server configuration
This means there is something bad in the .htaccess file. Perhaps there is a php_flag line needs to be deleted.
Premature end of script headers: /home/gyms/public_html/cgi-bin/index.pl
Possibly this is a perl script and needs to say #!/usr/bin/perl -w on the first line.
Nov 20, 2009
Reset mysql password
/etc/init.d/mysqld stop
mysqld_safe --skip-grant-tables &
mysql -u root
mysql> use mysql;
mysql> update user set password=PASSWORD("newrootpassword") where User='root';
mysql> flush privileges;
mysql> quit
/etc/init.d/mysqld stop
/etc/init.d/mysqld start
mysqld_safe --skip-grant-tables &
mysql -u root
mysql> use mysql;
mysql> update user set password=PASSWORD("newrootpassword") where User='root';
mysql> flush privileges;
mysql> quit
/etc/init.d/mysqld stop
/etc/init.d/mysqld start
Nov 18, 2009
Secure /tmp
Secure /tmp
Please take backup of files before changing configuration, I won't be responsible for any damage.
Secure /tmp:
Step 1: Backup your /etc/fstab file
cp /etc/fstab /etc/fstab.bak
Step 2: Make a 1GB file for /tmp parition and an ext3 filesystem for tmp:
dd if=/dev/zero of=/var/tempFS bs=1024 count=1000000
/sbin/mkfs.ext3 /var/tempFS
Step 3: Create a backup copy of your current /tmp drive:
cp -Rpf /tmp /tmpbackup
Step 4: Mount our new tmp parition and change permissions:
mount -o loop,noexec,nosuid,rw /var/tempFS /tmp
chmod 1777 /tmp
Step 5: Copy the old data:
cp -Rpf /tmp.bak/* /tmp/
* If your /tmp was empty earlier, you might get this error : cp: cannot stat `/tmp.bak/*’: No such file or directory
Step 6: Edit /etc/fstab and add this:
nano -w /etc/fstab
And ADD this line:
/var/tempFS /tmp ext3 loop,nosuid,noexec,rw 0 0
Step 7: Test your fstab entry:
mount -o remount /tmp
Step 8: Verify that your /tmp mount is working:
df -h
Should look something like this:
/var/tempFS 962M 18M 896M 2% /tmp
Secure /var/tmp:
Step 1: Use /tmp as /var/tmp.
mv /var/tmp /var/vartmp
ln -s /tmp /var/tmp
Step 2: Copy the old data back
cp /var/vartmp/* /tmp/
* If your /var/tmp was empty earlier, you might get this error : cp: cannot stat `/var/vartmp/*’: No such file or directory
Secure /dev/shm:
Step 1: Edit your /etc/fstab:
nano -w /etc/fstab
Locate:
none /dev/shm tmpfs defaults,rw 0 0
Change it to:
none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
Step 2: Remount /dev/shm:
mount -o remount /dev/shm
Please take backup of files before changing configuration, I won't be responsible for any damage.
Secure /tmp:
Step 1: Backup your /etc/fstab file
cp /etc/fstab /etc/fstab.bak
Step 2: Make a 1GB file for /tmp parition and an ext3 filesystem for tmp:
dd if=/dev/zero of=/var/tempFS bs=1024 count=1000000
/sbin/mkfs.ext3 /var/tempFS
Step 3: Create a backup copy of your current /tmp drive:
cp -Rpf /tmp /tmpbackup
Step 4: Mount our new tmp parition and change permissions:
mount -o loop,noexec,nosuid,rw /var/tempFS /tmp
chmod 1777 /tmp
Step 5: Copy the old data:
cp -Rpf /tmp.bak/* /tmp/
* If your /tmp was empty earlier, you might get this error : cp: cannot stat `/tmp.bak/*’: No such file or directory
Step 6: Edit /etc/fstab and add this:
nano -w /etc/fstab
And ADD this line:
/var/tempFS /tmp ext3 loop,nosuid,noexec,rw 0 0
Step 7: Test your fstab entry:
mount -o remount /tmp
Step 8: Verify that your /tmp mount is working:
df -h
Should look something like this:
/var/tempFS 962M 18M 896M 2% /tmp
Secure /var/tmp:
Step 1: Use /tmp as /var/tmp.
mv /var/tmp /var/vartmp
ln -s /tmp /var/tmp
Step 2: Copy the old data back
cp /var/vartmp/* /tmp/
* If your /var/tmp was empty earlier, you might get this error : cp: cannot stat `/var/vartmp/*’: No such file or directory
Secure /dev/shm:
Step 1: Edit your /etc/fstab:
nano -w /etc/fstab
Locate:
none /dev/shm tmpfs defaults,rw 0 0
Change it to:
none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
Step 2: Remount /dev/shm:
mount -o remount /dev/shm
Nov 17, 2009
Some Basic vps commands
vzctl create 102 --ostemplate centos-4-i386-default
vzctl destroy 102 :
vzctl create 102 --ostemplate centos-4-i386-default --config vps.basic
vzctl set 102 --onboot yes --save:
vzctl set 102 --hostname ace.316x.net --save
vzctl set 102 --ipadd 208.76.110.211 --save
vzctl set 102 --nameserver 208.76.110.194 --save
vzctl start 102
vzctl exec 102 service sshd status
vzctl exec 102 service sshd start
vzctl exec 102 service sshd status
vzctl start 102
vzctl set 102 --userpasswd root:elite99x
vzctl start 102
vzlist -a | grep 102
vzctl exec 102 df
vzctl 102 stop
vzctl stop 102
vzctl start 102
vzctl restart 102
grep DISK_QUOTA /etc/sysconfig/vz
grep DISKSPACE /etc/sysconfig/vz-scripts/102.conf
grep DISKINODES /etc/sysconfig/vz-scripts/102.conf
grep QUOTATIME /etc/sysconfig/vz-scripts/102.conf
vzctl set 102 --diskspace 35000000000:36000000000 --save
vzctl set 102 --diskspace 34000000000:35000000000 --save
vzctl set 102 --diskspace 3500000000:3600000000 --save
vzctl set 102 --diskspace 35000000:36000000 --save
vzctl exec 102 df -vzctl set 102 --diskspace 36000000:37000000 --save
vzctl exec 102 df -h
vzctl set 102 --vmguarpages 5130000:5140000 --save
vzctl --help
vzctl exec 102 --help
vzctl exec 102 df --help
vzctl set 105 --privvmpages 2G:3G --save
vzctl set 102 --diskinodes 3400000:3500000 --save
vzctl set 102 --quotatime 600 --save
vsyum 102 install yum
vzyum 102 install yum
vzctl enter 102
vzctl destroy 102 :
vzctl create 102 --ostemplate centos-4-i386-default --config vps.basic
vzctl set 102 --onboot yes --save:
vzctl set 102 --hostname ace.316x.net --save
vzctl set 102 --ipadd 208.76.110.211 --save
vzctl set 102 --nameserver 208.76.110.194 --save
vzctl start 102
vzctl exec 102 service sshd status
vzctl exec 102 service sshd start
vzctl exec 102 service sshd status
vzctl start 102
vzctl set 102 --userpasswd root:elite99x
vzctl start 102
vzlist -a | grep 102
vzctl exec 102 df
vzctl 102 stop
vzctl stop 102
vzctl start 102
vzctl restart 102
grep DISK_QUOTA /etc/sysconfig/vz
grep DISKSPACE /etc/sysconfig/vz-scripts/102.conf
grep DISKINODES /etc/sysconfig/vz-scripts/102.conf
grep QUOTATIME /etc/sysconfig/vz-scripts/102.conf
vzctl set 102 --diskspace 35000000000:36000000000 --save
vzctl set 102 --diskspace 34000000000:35000000000 --save
vzctl set 102 --diskspace 3500000000:3600000000 --save
vzctl set 102 --diskspace 35000000:36000000 --save
vzctl exec 102 df -vzctl set 102 --diskspace 36000000:37000000 --save
vzctl exec 102 df -h
vzctl set 102 --vmguarpages 5130000:5140000 --save
vzctl --help
vzctl exec 102 --help
vzctl exec 102 df --help
vzctl set 105 --privvmpages 2G:3G --save
vzctl set 102 --diskinodes 3400000:3500000 --save
vzctl set 102 --quotatime 600 --save
vsyum 102 install yum
vzyum 102 install yum
vzctl enter 102
Useful command to stop httpd ddos
If you are getting ddos. To stop it temporarily, you can use following commands. These commands will work if you have csf firewall installed on your server. It will block those ip's having number of connection to server. It is not always good practice to block Ip's, it can be used when your server is flooded with httpd connections and syn attack.
for i in `netstat -plan | grep :80 |awk '{print $5}' | cut -f1 -d:| sort | uniq |sort -n | tail -3`; do csf -d $i; done;
for i in `netstat -anp | grep SYN* |awk '{print $5}' | cut -f1 -d:| sort | uniq |sort -n | tail -5`; do csf -d $i; done;
for i in `netstat -plan | grep :80 |awk '{print $5}' | cut -f1 -d:| sort | uniq |sort -n | tail -3`; do csf -d $i; done;
for i in `netstat -anp | grep SYN* |awk '{print $5}' | cut -f1 -d:| sort | uniq |sort -n | tail -5`; do csf -d $i; done;
Setup Memory in VPS :-
Setup Memory in VPS :-
========================================================================================
To make things a bit simpler, let's look at setting a VPS with a minimum of 256MB of RAM, and up to 1GB. To do that, set the vmguarpages (that's the memory that's guaranteed to the VPS) and privvmpages (that's the maximum amount of memory that will be granted) parameters:
========================================================================================
vzctl set vpsid --vmguarpages 65536 --save --> 256 MB RAM
vzctl set vpsid --privvmpages 262144 --save --> 1GB burstable RAM
========================================================================================
384MB
vzctl set vpsid --vmguarpages $((384 * 256)) --save
2GB
vzctl set vpsid --privvmpages (262144 * 2) --save = vzctl set vpsid --privvmpages 524288 --save
========================================================================================
512MB
vzctl set vpsid --vmguarpages $((384 * 256)) --save
4GB
vzctl set vpsid --privvmpages (262144 * 4) --save = vzctl set vpsid --privvmpages 1048576 --save
========================================================================================
========================================================================================
Total Memory usage :-
# vzcalc -v vpsid
========================================================================================
To make things a bit simpler, let's look at setting a VPS with a minimum of 256MB of RAM, and up to 1GB. To do that, set the vmguarpages (that's the memory that's guaranteed to the VPS) and privvmpages (that's the maximum amount of memory that will be granted) parameters:
========================================================================================
vzctl set vpsid --vmguarpages 65536 --save --> 256 MB RAM
vzctl set vpsid --privvmpages 262144 --save --> 1GB burstable RAM
========================================================================================
384MB
vzctl set vpsid --vmguarpages $((384 * 256)) --save
2GB
vzctl set vpsid --privvmpages (262144 * 2) --save = vzctl set vpsid --privvmpages 524288 --save
========================================================================================
512MB
vzctl set vpsid --vmguarpages $((384 * 256)) --save
4GB
vzctl set vpsid --privvmpages (262144 * 4) --save = vzctl set vpsid --privvmpages 1048576 --save
========================================================================================
========================================================================================
Total Memory usage :-
# vzcalc -v vpsid
Useful command for server auditing
You can audit your server using following command which will list a lot stuff and their versions. You should run whole command at a time.
uname -a; php -i | grep -E "PHP Version|allow_url|disable_f|register_globals.*="; php4 -i | grep -E "PHP Version|allow_url|disable_f|register_globals.*=" ; grep mod.*sec /etc/httpd/conf/httpd.conf;ls -lha /etc/cron.daily/mod*sec* ; csf -v; apf |grep version ; rkhunter -V | grep "Rootkit Hunter" | grep -Ev "development|WARRANTY"; rpm -q udev; /usr/local/cpanel/bin/rebuild_phpconf --current; lsmod | grep -E "pppox|hidp|l2cap|bluetooth|sctp"; yum check-update bind | grep bind
uname -a; php -i | grep -E "PHP Version|allow_url|disable_f|register_globals.*="; php4 -i | grep -E "PHP Version|allow_url|disable_f|register_globals.*=" ; grep mod.*sec /etc/httpd/conf/httpd.conf;ls -lha /etc/cron.daily/mod*sec* ; csf -v; apf |grep version ; rkhunter -V | grep "Rootkit Hunter" | grep -Ev "development|WARRANTY"; rpm -q udev; /usr/local/cpanel/bin/rebuild_phpconf --current; lsmod | grep -E "pppox|hidp|l2cap|bluetooth|sctp"; yum check-update bind | grep bind
Open port using Iptables
Hello Friends,
Following are the commands to open tcp or udp ports on the server.
Before using commands for opening the port please make sure the specific port is already opend and what is the use of that port.
you can verify the port with
netstat -nap | grep :
Say here we have to open port 25
1.you can open TCp port with
iptables -A INPUT -p tcp –dport 25 -j ACCEPT
2. You can open UDP port with
iptables -A INPUT -p udp –sport -j ACCEPT
after that
3 service iptables save
and for flushhing iptables us
iptables -F
iptables -A INPUT -s 210.0.143.122 -j DROP
203.162.3.147
iptables -L
service iptables save
Following are the commands to open tcp or udp ports on the server.
Before using commands for opening the port please make sure the specific port is already opend and what is the use of that port.
you can verify the port with
netstat -nap | grep :
iptables -A INPUT -p tcp –dport 25
2. You can open UDP port with
iptables -A INPUT -p udp –sport
after that
3 service iptables save
and for flushhing iptables us
iptables -F
iptables -A INPUT -s 210.0.143.122 -j DROP
203.162.3.147
iptables -L
service iptables save
Directadmin License Error :-
Login to the server with root.
1. Go to the /usr/lcoal/directadmin/scripts
2. Run cat setup.txt
Grab the uid and lid from that
3. Then run /usr/lcoal/directadmin/scripts/getLicense.sh
4. Restart the directadmin service.
1. Go to the /usr/lcoal/directadmin/scripts
2. Run cat setup.txt
Grab the uid and lid from that
3. Then run /usr/lcoal/directadmin/scripts/getLicense.sh
4. Restart the directadmin service.
Nov 15, 2009
Email problem in Plesk
mail logs
tail -f /usr/local/psa/var/log/maillog
Q : error > domain not listed in rcpthosts
Sol > check the entry of domain in /var/qmail/control/rcpthosts and virtualdomains
tail -f /usr/local/psa/var/log/maillog
Q : error > domain not listed in rcpthosts
Sol > check the entry of domain in /var/qmail/control/rcpthosts and virtualdomains
Qmail in plesk
flush qmail in plesk
1.To check qmail in plesk:
/var/qmail/bin/qmail-qstat
2.To send qmail in plesk:
/var/qmail/bin/qmail-send
3.To flush qmail in plesk:
/var/qmail/bin/qmail-clean
mails that are send from any user are stored in the following path
/var/qmail/mailnames/rhys-white.org/rhys/Maildir/.sent-mail/cur
Mail that are received are stored at:
/var/qmail/mailnames/rhys-white.org/rhys/Maildir/new
Delete mails from queue:
go to /var/qmail/queue/mess
In mess folder delete all the folders
Mails not being delivered to outside domains:
rm maillog
mv maillog.old maillog
wall we tried stopping qmail and inetd servers to remove maillog but this does seem to have worked
service xinetd stop
service qmail stop
ls
mv maillog maillog.old
touch maillog
service xinetd start
service qmail start
If you send ALRM signal to the qmail-send process, Qmail will try to process all messages in queue again immediately.
# ps ax | grep qmail-send
# kill -ALRM
hold time for mails in queue: to set in /var/qmail/control
http://forum.plesk.com/showthread.php?s=&threadid=11003&highlight=temporary+URL
Block mail from particular address : add the domain in /var/qmail/control/badmailfrom
mail logs:
tail -f /usr/local/psa/var/log/maillog
logfile:/usr/local/psa/var/log/maillog
ignorefile:/usr/local/etc/spam-ignore.txt
badmailfile:/var/qmail/control/badmailfrom
statfile:/usr/local/etc/spamguard.stat
warning count:30
block count:50
paranoid count:100
hostname: web5.3essentials.com
Spammers:
No spammer found yet
Sponsored link
1.To check qmail in plesk:
/var/qmail/bin/qmail-qstat
2.To send qmail in plesk:
/var/qmail/bin/qmail-send
3.To flush qmail in plesk:
/var/qmail/bin/qmail-clean
mails that are send from any user are stored in the following path
/var/qmail/mailnames/rhys-white.org/rhys/Maildir/.sent-mail/cur
Mail that are received are stored at:
/var/qmail/mailnames/rhys-white.org/rhys/Maildir/new
Delete mails from queue:
go to /var/qmail/queue/mess
In mess folder delete all the folders
Mails not being delivered to outside domains:
rm maillog
mv maillog.old maillog
wall we tried stopping qmail and inetd servers to remove maillog but this does seem to have worked
service xinetd stop
service qmail stop
ls
mv maillog maillog.old
touch maillog
service xinetd start
service qmail start
If you send ALRM signal to the qmail-send process, Qmail will try to process all messages in queue again immediately.
# ps ax | grep qmail-send
# kill -ALRM
hold time for mails in queue: to set in /var/qmail/control
http://forum.plesk.com/showthread.php?s=&threadid=11003&highlight=temporary+URL
Block mail from particular address : add the domain in /var/qmail/control/badmailfrom
mail logs:
tail -f /usr/local/psa/var/log/maillog
logfile:/usr/local/psa/var/log/maillog
ignorefile:/usr/local/etc/spam-ignore.txt
badmailfile:/var/qmail/control/badmailfrom
statfile:/usr/local/etc/spamguard.stat
warning count:30
block count:50
paranoid count:100
hostname: web5.3essentials.com
Spammers:
No spammer found yet
Sponsored link
Add new Domain in Plesk
Please follow these steps to add another domain into your control panel :
1. Login into your control panel and click on your main domain.
2. Then click on the limits and set all the limits to half of existing. (eg: if space is set to 500 make it 250).
The above steps will divide all your limits in to two parts, one for each domain.
3. Click on OK.
4. Again go on the main page by clicking on "Up Level" on top right corner.
5. Click on Add New Domain and enter the new domainname.
6. Select template as : Create domain without tamplate and click Ok
7. Select Physical hosting and click Ok
8. Add your FTP details and click Ok
9. Goto the limits of your newly added domain and set the limits to same as your main domain.
1. Login into your control panel and click on your main domain.
2. Then click on the limits and set all the limits to half of existing. (eg: if space is set to 500 make it 250).
The above steps will divide all your limits in to two parts, one for each domain.
3. Click on OK.
4. Again go on the main page by clicking on "Up Level" on top right corner.
5. Click on Add New Domain and enter the new domainname.
6. Select template as : Create domain without tamplate and click Ok
7. Select Physical hosting and click Ok
8. Add your FTP details and click Ok
9. Goto the limits of your newly added domain and set the limits to same as your main domain.
Log file in Plesk
Where are the log files for each domain located in plesk
Each domain's log files are located in the /statistics/logs/ directory in the each domain's home directory
Activate logrotation in plesk from the log manager in control panel.
you can check the entry in shell from here.
log rotation config files for each domain located in /usr/local/psa/etc/logrotate.d/ and the main config file located in /etc/psa/logrotate.conf.
Now the main config file has one include directive for the /usr/local/psa/etc/logrotate.d/ directory.
mail logs
tail -f /usr/local/psa/var/log/maillog
Each domain's log files are located in the /statistics/logs/ directory in the each domain's home directory
Activate logrotation in plesk from the log manager in control panel.
you can check the entry in shell from here.
log rotation config files for each domain located in /usr/local/psa/etc/logrotate.d/ and the main config file located in /etc/psa/logrotate.conf.
Now the main config file has one include directive for the /usr/local/psa/etc/logrotate.d/ directory.
mail logs
tail -f /usr/local/psa/var/log/maillog
Install ClientExec
If you purchased ClientExec or if your hosting package qualifies you for a free instance, you will need to follow these steps;
Obtain the ClientExec from our Download section.
Please note: you will need to be logged in to have access to the downloads.
1) Unzip the contents of your compressed ClientExec file
2) FTP to your server and upload all the content files from the ClientExec zip file.
3) Visit http://yourceurl/install.php and click on Install. Follow the steps until the installer prompts your for a license key. Stop at this point and do not try to continue.
4) Login and submit a ticket in our Support department and include a url to your installation path and we will finish the install for you.
5) Delete install.php and enjoy.
Any ClientExec licenses must remain on ResellerWays's network wiether it be free or paid and must retain a valid hosting account.
The "free" or discounted offering is only valid to the main account holder upon signing up.
Obtain the ClientExec from our Download section.
Please note: you will need to be logged in to have access to the downloads.
1) Unzip the contents of your compressed ClientExec file
2) FTP to your server and upload all the content files from the ClientExec zip file.
3) Visit http://yourceurl/install.php and click on Install. Follow the steps until the installer prompts your for a license key. Stop at this point and do not try to continue.
4) Login and submit a ticket in our Support department and include a url to your installation path and we will finish the install for you.
5) Delete install.php and enjoy.
Any ClientExec licenses must remain on ResellerWays's network wiether it be free or paid and must retain a valid hosting account.
The "free" or discounted offering is only valid to the main account holder upon signing up.
Server Monitoring
Following are few commands used for the Linux server load monitoring and maintenance
Commands:
top: - used for the viewing current process going on the server. You will get a dynamic table of running process as a output .The table content following columns.
For example using more option with the top command you can get a better output
For example: -
top c PID USER Page Ranking NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
PID: - process id
User: - owner of that process
We omit the Page Ranking NI VIRT RES SHR
%CPU: - CPU usage of the process
%MEM : - memory usage of the proces TIME+ :- the process is running form.
COMMAND: - the actual command
You can kill or renice the process is causing high load on the using the kill command
Format:-
1. Kill -9 PID
-9 is special Kill signal, which will kill the process.
2. Killall process name
killall -9 lighttpd
Another command to view process going on the server,
ps aufx
Usage :-
ps aufx | grep processname
example :-
ps aufx | grep nobody
ps -aux | grep ftp >> used for checking ftp action taken by user like uploading /downloading files
Log files :-
tail -f /usr/local/apache/logs/access_log :-
tail -f /usr/local/apache/logs/error_log :- site access error logs
tail -f /var/log/exim_mainlog :- mail logs.
usr/local/apache/logs :: access log, error log, if configured php logs, domain logs(domlogs),module logs, httpd pid
tail -f /usr/local/apache/logs/access_log fro httpd
/var/log/
* /var/log/message: Genreal message and system releated stuff
* /var/log/auth.log: Authenication logs
* /var/log/kern.log: Kernel logs
* /var/log/cron.log: Crond logs
* /var/log/maillog: Mail logs
* /var/log/qmail/ : Qmail log directory (more files inside this directory)
* /var/log/httpd/: Apache access and error logs directory
* /var/log/lighttpd: Lighttpd access and error logs directory
* /var/log/boot.log : System boot log
* /var/log/mysqld.log: MySQL database server log file
* /var/log/secure: Authentication log
* /var/log/utmp or /var/log/wtmp : Login records file
* /var/log/yum.log: Yum log files
For spamming issue or high mail queue you can check the logs
tail -f /var/log/exim_mainlog | grep sendmail, public_html, tmp
MYSQL:-
mysqladmin processlist :- shows current mysql database usage
watch mysqladmin processlist :- dynamic usage of mysql process .
Service restart commands- /scripts/restartsrv_servicename
restartsrv_entropychat*
restartsrv_exim*
restartsrv_eximstats*
restartsrv_ftpserver*
restartsrv_httpd*
restartsrv_imap*
restartsrv_inetd*
restartsrv_interchange*
restartsrv_ipaliases*
restartsrv_melange*
restartsrv_mysql*
restartsrv_named*
restartsrv_nsd*
restartsrv_postgres*
restartsrv_postgresql*
restartsrv_proftpd*
restartsrv_pureftpd*
restartsrv_rsyslogd*
restartsrv_spamd*
restartsrv_sshd*
restartsrv_syslogd*
restartsrv_tailwatchd*
restartsrv_tomcat*
restartsrv_xinetd*
Commands:
top: - used for the viewing current process going on the server. You will get a dynamic table of running process as a output .The table content following columns.
For example using more option with the top command you can get a better output
For example: -
top c PID USER Page Ranking NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
PID: - process id
User: - owner of that process
We omit the Page Ranking NI VIRT RES SHR
%CPU: - CPU usage of the process
%MEM : - memory usage of the proces TIME+ :- the process is running form.
COMMAND: - the actual command
You can kill or renice the process is causing high load on the using the kill command
Format:-
1. Kill -9 PID
-9 is special Kill signal, which will kill the process.
2. Killall process name
killall -9 lighttpd
Another command to view process going on the server,
ps aufx
Usage :-
ps aufx | grep processname
example :-
ps aufx | grep nobody
ps -aux | grep ftp >> used for checking ftp action taken by user like uploading /downloading files
Log files :-
tail -f /usr/local/apache/logs/access_log :-
tail -f /usr/local/apache/logs/error_log :- site access error logs
tail -f /var/log/exim_mainlog :- mail logs.
usr/local/apache/logs :: access log, error log, if configured php logs, domain logs(domlogs),module logs, httpd pid
tail -f /usr/local/apache/logs/access_log fro httpd
/var/log/
* /var/log/message: Genreal message and system releated stuff
* /var/log/auth.log: Authenication logs
* /var/log/kern.log: Kernel logs
* /var/log/cron.log: Crond logs
* /var/log/maillog: Mail logs
* /var/log/qmail/ : Qmail log directory (more files inside this directory)
* /var/log/httpd/: Apache access and error logs directory
* /var/log/lighttpd: Lighttpd access and error logs directory
* /var/log/boot.log : System boot log
* /var/log/mysqld.log: MySQL database server log file
* /var/log/secure: Authentication log
* /var/log/utmp or /var/log/wtmp : Login records file
* /var/log/yum.log: Yum log files
For spamming issue or high mail queue you can check the logs
tail -f /var/log/exim_mainlog | grep sendmail, public_html, tmp
MYSQL:-
mysqladmin processlist :- shows current mysql database usage
watch mysqladmin processlist :- dynamic usage of mysql process .
Service restart commands- /scripts/restartsrv_servicename
restartsrv_entropychat*
restartsrv_exim*
restartsrv_eximstats*
restartsrv_ftpserver*
restartsrv_httpd*
restartsrv_imap*
restartsrv_inetd*
restartsrv_interchange*
restartsrv_ipaliases*
restartsrv_melange*
restartsrv_mysql*
restartsrv_named*
restartsrv_nsd*
restartsrv_postgres*
restartsrv_postgresql*
restartsrv_proftpd*
restartsrv_pureftpd*
restartsrv_rsyslogd*
restartsrv_spamd*
restartsrv_sshd*
restartsrv_syslogd*
restartsrv_tailwatchd*
restartsrv_tomcat*
restartsrv_xinetd*
Secure and harden Linux server
====================================
1. Advanced Policy Firewall -- APF Installation
====================================
Here we are going to install an awesome firewall onto your server. Advanced Policy Firewall
APF Site Description of the software:
APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz format and RPM formats, make APF ideal for deployment in many server environments based on Linux.
Summary of features:
- global ports configurtion via simple config file
- configurable policies for each ip on the system [global config overrides]
- powerfull postrouting rules for FWMARK and TOS
- plug-in friendly for QoS [CBQ/HTB]
- antidos subsystem to stop attacks before they become a significant threat
- dshield.org block list support to ban networks exhibiting suspicious activity
- advanced set of sysctl parameters for TCP stack hardening
- advanced set of filter rules to remove undesired traffic
- easy to use firewall managment script
- trust based rule files (allow/deny); with advanced syntax support
________________________________________
1. Make /usr/src the current working directory.
cd /usr/src
2. Obtain the most curent verison of APF.
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
3. Expand the APF tar.gz file.
tar -xvzf apf-current.tar.gz
4. Remove the tar.gz file.
rm -f apf-current.tar.gz
5. Locate the APF directory.
ls -la
Look for a directory named apf-#.#/ where #.# represents the version of APF being installed
(APF version 0.8.7 would be in a directory apf-0.8.7/ and version 0.9 would be in a directory named apf-0.9).
6. Make the APF directory the current working directory.
Use the directory name you located in step 5.
Note that the numbers will change as new versions are released.
cd apf-0.9
7. Run the APF install.
sh ./install.sh
8. Make /etc/apf the current working directory.
cd /etc/apf
9. Edit the conf.apf file as desired.
pico -w conf.apf
In order for this firewall to work properly you have to edit/add/delete ports.
These ports will allow services such as mail, ftp, and ssh to come in and out of the server.
If you have changed any ports, please modify them below and add/remove as needed.
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,9 93,995,2082,2083,2086,2087,2095,2096,3306,10000,35 000_35999"
please note that ports 2082 to port 2095 is mostly used by cpanel, and port 19638 is only use in
ensim.
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="20,21,53,1040"
Change:
* RAB="0" to RAB="1"
* RAB_PSCAN_LEVEL="2" to RAB_PSCAN_LEVEL="3"
* TCR_PASS="1" to TCR_PASS="0"
* DLIST_PHP="0" to DLIST_PHP="1"
* DLIST_SPAMHAUS="0" to DLIST_SPAMHAUS="1"
* DLIST_DSHIELD="0" to DLIST_DSHIELD="1"
* DLIST_RESERVED="0" to DLIST_RESERVED="1"
Find IFACE_IN= and IFACE_OUT= in /etc/apf/conf.apf and verify that they match your network interface
Locate HELPER_SSH_PORT=”22″ and change it to your SSH port IF you changed it in your sshd_config
Locate IG_TCP_CPORTS=”22″ and change it to your SSH port IF you changed it in your sshd_config
10. After you have finished editing the ports save the file and test APF.
CTRL-x, y to save enter to confirm
11. Start APF by typing.
./apf --start
or
service apf start
12. If APF is functioning properly and you are not locked out edit the conf.apf again
pico -w conf.apf
13. When your happy with your firewall and everything works fine, Edit /apf.conf find DEVEL_MODE=”1″ and change it to DEVEL_MODE=”0″
14. Once done Exit and save the file.
CTRL-x, y to save enter to confirm
15. Restart APF
service apf restart
Make sure APF starts automatic after restart
chkconfig --add apf
chkconfig --level 345 apf on
Problem: If you get this error apf(xxxxx): {glob} unable to load iptables module (ip_tables), aborting.
Solution: Try changing SET_MONOKERN=”0″ to SET_MONOKERN=”1″ , then apf -r
Problem: If you get this message: apf(xxxxx): {glob} !!DEVELOPMENT MODE ENABLED!! – firewall will flush every 5 minutes.
Solution: you need to change DEVEL_MODE=1 to DEVEL_MODE=0, make sure your config is working first.
Enabling connections for server monitoring.
Some service providers that offer monitoring need access to your server, and access
without setting off alarms, firewalls etc. is a good thing. Just becareful which IP(s) you put in here.
1. To allow connections from xx.xx.xx.xx/24
pico -w /etc/apf/allow_hosts.rules
2. At the very end of the file add this line
xx.xx.xx.xx/24
Of course replace the xx.xx.xx.xx with the IP address provided to you.
====================================
2. BFD (Brute Force Detection)
====================================
What is Brute Force Detection? (BFD)
BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet and likewise it is very straight-forward in its installation, configuration and usage. The reason behind BFD is very simple; the fact there is little to no authentication and brute force auditing programs in the linux community that work in conjunction with a firewall or real-time facility to place bans.
This How-To will show you how to install BFD on your Linux Server to prevent and monitor brute force hack attempts.
This software like some others has requirements. You must be running APF / Advanced Policy Firewall for Brute Force Detection to work.
1. Login to your server via SSH as Root.
2. Type:
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
3. Type:
tar -xvzf bfd-current.tar.gz
4. Type:
cd bfd*
5. Now let's install BFD onto the server.
Type:
./install.sh
:: You Should See ::
.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd
6. Now we need to edit the configuration file, and set some options.
Don't worry the BFD Configuration isn't hard to edit or understand!
Type: pico -w /usr/local/bfd/conf.bfd
7. Now we need to find the line to edit:
Press: CTRL-WType: ALERT_USR
Change ALERT_USR="0" TO ALERT_USR="1"
Right below that we need to change the email:
Change EMAIL_USR="root" TO EMAIL_USR="you@yoursite.com"
8. That wasn't to bad let's save and exit the file
Press: CTRL-X then type Y then hit enter 9. Now we have to prevent locking yourself out of the server.
Type: pico -w /usr/local/bfd/ignore.hosts 10. Add any IP address that you want to be ignored from the rules.
If your server provider is doing monitoring add their IP(s) here.
Since you need these IPs open in APF as well you cancopy the IPs you used in APF
Type: pico -w /etc/apf/allow_hosts.rulesThen scroll down to the bottom and copy those IPs (drag mouse over that's it)
Press: CTRL-XType: pico -w /usr/local/bfd/ignore.hosts Paste those IPs to the bottom. You should also add your home IP if you hadn't done so before.
If your home IP is dynamic this is not a good idea, and you should get a static IP.
Press: CTRL-X then Y to save then enter. Now lets run BDF!!!
Type: /usr/local/sbin/bfd -s
====================================
3. CHKROOTKIT
====================================
Installation How-To :
1. Login to your server as root. (SSH)
2. Type:
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
3. Type:
tar xvzf chkrootkit.tar.gz
4. Change to new directory
cd chkrootkit*
5. Compile It
make sense
6. Now give it a test.
./chkrootkit
Everything should read not found, and/or not infected
This is a GOOD thing!
How-To make chkrootkit e-mail you daily :
1. Login to your server as root. (SSH)
2. Type:
crontab -e
3. Add this line to the top:
0 1 * * * (cd /path/to/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" root)
This will run CHKROOTKIT at 1am every day, and e-mail the output to root.
If you are in PICO
CTRl-X, Y, Enter to save and exit
====================================
4. Disabling Direct Root Login (SSH)
====================================
If you're using cPanel make sure you add your anotheruser user to the 'wheel' group so that you will be able to 'su -' to root, otherwise you may lock yourself out of root.
Set up anotheruser if you haven't already got one:
a. Type: groupadd anotheruser
b. Type: useradd anotheruser -ganotheruser
c. Type: passwd anotheruser passwordhere
and add a password for the new account.
On a CPanel system, you can (MUST) now go into root WHM and add anotheruser to the wheel group.
After you do this, you will have to login as anotheruser then you will 'su -' to get to root.
If you need this option send SLHOST an email to support@slhost.com
====================================
5. Disabling Telnet Access
====================================
Telnet should be disabled, and you should use SSH. Telnet sends password in plain text, and 'crackers/hackers' can obtain these passwords easily compared to SSH, and then takeover your dedicated web server.
1. Type: pico -w /etc/xinetd.d/telnet
2. Change the disable = no line to
disable = yes.
3. CTRL+x, then y then enter to save the file.
Restart xinted with:
/etc/rc.d/init.d/xinetd restart
====================================
6. Force the use of SSH protocol 2
====================================
SSH Protocol 1 based systems are facing many automated "root kits".
As a result to step up the security Protcol 2 should be enabled as soon as possible.
The reason to use SSH Protocol 2 on your dedicated webserver is that it is more secure.
1. Type: pico -w /etc/ssh/sshd_config
2. Find the line: #Protocol 2, 1
Uncomment it and change it to look like:
Protocol 2
3. CTRL+x, then y then enter to save the file.
4. Now Restart SSH with
/etc/rc.d/init.d/sshd restart
(If the above restart does not work you will need to login to WHM as root
and restart the service.)
====================================
7. How to install mail scanner
====================================
How to install mail scanner (Mail Scanner & ClamAV Installation)
This is an addon to Exim. Exim is still the MTA, Mail Scanner scans and clamav is the AV system.
This will help in preventing the spread of virus's through your webserver. It will deny/block the virus's
so that they do not reach the recipient. ClamAv can be used at the command line however the main purpose of this
software is the integration with mail servers (attachment scanning). Which is what Mail Scanner & ClamAV do.
1. Login to your server via SSH.
2. Type:
wget http://layer1.cpanel.net/mailscanner...all-1.5.tar.gz
3. Type:
tar zxvf mailscanner-autoinstall-1.5.tar.gz
4. Type:
cd mailscanner*
5. Type:
./install
This make take up to 5 minutes to download, and install all the librarys require for Mail Scanner.
6. If the above Finished and brought you back to prompt goto step #7 if not continue with step 6
Press: CTRL-C
Type: pico -w install
Comment out these lines w/ a #
print "Installing Perl Modules...";
ssystem("/scripts/perlinstaller","MIME::Base64","File::Spec","HTML:: Tagset","HTML::Parser","MIME::Tools","File::Temp", "Convert::TNEF");
print "Done\n";
So they look like this:
#print "Installing Perl Modules...";
#ssystem("/scripts/perlinstaller","MIME::Base64","File::Spec","HTML:: Tagset","HTML::Parser","MIME::Tools","File::Temp", "Convert::TNEF");
#print "Done\n";
Login to WHM as Root.
Install the above Modules in WHM's Perl Module Installer.
Type: ./install
Then goto Step #7 when install finishes
7. Type:
killall -9 MailScanner
8. Type:
/usr/mailscanner/bin/check_mailscanner
If you want to look at the Mail Scanner configuration file you can do so by.
Type: pico -w /usr/mailscanner/etc/MailScanner.conf
DO NOT Enable anything to do with SpamAssin.
====================================
8. Jail all users
====================================
Let's prevent the users from accessing any directories/files outside of their home directory.
This is a great security precaution and should be done.
1. Login to WHM as root.
2. Account Functions
Manage Shell Access
Jail All Users
If possible it is best to NOT
grant shell access to users at all.
====================================
9. Remove Trojan by CHKROOTKIT
====================================
*NOTE* This is a HUGE step "INTO" your server. Doing anything wrong can severly damage your server and make it non-responsive. Do this entire how-to at your own risk. This is NOT a substitute for re-installing the OS, this is simply another WAY to remove a rootkit called T0rnkitv8
If you have not already done so do this step first.
Login to WHM as root
Click Tweak Settings
and please remove the tick from
[ ] Allow cPanel users to reset their password via email
1. Login to your server via SSH
2. Run CHKROOTKIT. If you do not have this installed then visit CHKROOTKIT Installation and continue once you do.
You will see some INFECTED lines/files. It should also report hidden processes.
Here's an example of partial output.
Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `pstree'... INFECTED
and also:
Checking `lkm'... You have X process hidden for ps command
Warning: Possible LKM Trojan installed
Type: /etc/init.d/syslog restartShutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]
3. Type: top
You may/will then see:
top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory
4. type: /etc/rc.d/rc.sysinit
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q
________________________________________
Configuration files
/usr/include/file.h (for file hiding)
/usr/include/proc.h (for ps proc hiding)
/lib/lidps1.so (for pstree hiding)
/usr/include/hosts.h (for netstat and net-hiding)
/usr/include/log.h (for log hiding)
/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)
/dev/sdr0 (systems md5 checksum)
/lib/ldd.so {placing tks(sniffer), tkp(parser) and tksb(log cleaner)}
Infected Binaries:
top, ps, pstree lsof, md5sum, dir, login, encrypt,ifconfig,find,ls,slocate,
tks,tksb,top,tkpnetstat,pg,syslogd,sz
Infected Librairies:
libproc.a,libproc.so.2.0.6,libproc.so
BackDoor: (located at /lib/lblip.tk)
shdc
shhk.pub
shk
shrs
--------------------------------------------------------
Now, Lets start the cleaning process:
1. Type: pico /etc/rc.d/rc.sysinit
remove the lines that show
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q
2. reboot the system
WARNING: 2 servers got their kernel removed after reboot.
If your's does this too and that is what the DataCenter complains after reboot, please ask them to do the following:
reboot the system using the redhat CD into rescue mode
chroot to the /mnt/sysimage
reinstall kernel packages
that should fix it.
-- since already in resuce mode, perhaps also ask them to -- force install the following rpm's
procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm
3. After the system is up
Type: cd /lib
Type: rm -rf lblip.tk
4. Remove the configuration files given above.
5. Type: cat /etc/redhat-releasenote down your version of redhat, then from
www.rpmfind.net
search for the following rpm's
procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm
-- and rpm --force install them
6. if you see the hosts.h file, it says to hide all IP's from
Type: cat /usr/include/hosts.h
193.60
If you want, you can block all the IP's from 193.60 to your server via iptables.
Or if you have APF you can add them to the Deny File.
7. If the above is completed.
Reboot the Server & Run CHKROOTKIT again.
====================================
10. Secure /tmp Directory ( Very Important )
====================================
Many hackers/malicious users are exploiting the /tmp directory to execute files. This is a huge security problem for dedicated server owners as it practically leaves your server wide open for a complete takeover.
The following is how to secure your /TMP directory using a cPanel Script.
You MUST have cPanel installed for this to work.
1. Login to your server as root via SSH.
2. Type: /scripts/securetmp That's it your done. cPanel wrote that script to allow users to secure their /TMP Directory very easily.
Don't miss it
1. Advanced Policy Firewall -- APF Installation
====================================
Here we are going to install an awesome firewall onto your server. Advanced Policy Firewall
APF Site Description of the software:
APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz format and RPM formats, make APF ideal for deployment in many server environments based on Linux.
Summary of features:
- global ports configurtion via simple config file
- configurable policies for each ip on the system [global config overrides]
- powerfull postrouting rules for FWMARK and TOS
- plug-in friendly for QoS [CBQ/HTB]
- antidos subsystem to stop attacks before they become a significant threat
- dshield.org block list support to ban networks exhibiting suspicious activity
- advanced set of sysctl parameters for TCP stack hardening
- advanced set of filter rules to remove undesired traffic
- easy to use firewall managment script
- trust based rule files (allow/deny); with advanced syntax support
________________________________________
1. Make /usr/src the current working directory.
cd /usr/src
2. Obtain the most curent verison of APF.
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
3. Expand the APF tar.gz file.
tar -xvzf apf-current.tar.gz
4. Remove the tar.gz file.
rm -f apf-current.tar.gz
5. Locate the APF directory.
ls -la
Look for a directory named apf-#.#/ where #.# represents the version of APF being installed
(APF version 0.8.7 would be in a directory apf-0.8.7/ and version 0.9 would be in a directory named apf-0.9).
6. Make the APF directory the current working directory.
Use the directory name you located in step 5.
Note that the numbers will change as new versions are released.
cd apf-0.9
7. Run the APF install.
sh ./install.sh
8. Make /etc/apf the current working directory.
cd /etc/apf
9. Edit the conf.apf file as desired.
pico -w conf.apf
In order for this firewall to work properly you have to edit/add/delete ports.
These ports will allow services such as mail, ftp, and ssh to come in and out of the server.
If you have changed any ports, please modify them below and add/remove as needed.
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,9 93,995,2082,2083,2086,2087,2095,2096,3306,10000,35 000_35999"
please note that ports 2082 to port 2095 is mostly used by cpanel, and port 19638 is only use in
ensim.
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="20,21,53,1040"
Change:
* RAB="0" to RAB="1"
* RAB_PSCAN_LEVEL="2" to RAB_PSCAN_LEVEL="3"
* TCR_PASS="1" to TCR_PASS="0"
* DLIST_PHP="0" to DLIST_PHP="1"
* DLIST_SPAMHAUS="0" to DLIST_SPAMHAUS="1"
* DLIST_DSHIELD="0" to DLIST_DSHIELD="1"
* DLIST_RESERVED="0" to DLIST_RESERVED="1"
Find IFACE_IN= and IFACE_OUT= in /etc/apf/conf.apf and verify that they match your network interface
Locate HELPER_SSH_PORT=”22″ and change it to your SSH port IF you changed it in your sshd_config
Locate IG_TCP_CPORTS=”22″ and change it to your SSH port IF you changed it in your sshd_config
10. After you have finished editing the ports save the file and test APF.
CTRL-x, y to save enter to confirm
11. Start APF by typing.
./apf --start
or
service apf start
12. If APF is functioning properly and you are not locked out edit the conf.apf again
pico -w conf.apf
13. When your happy with your firewall and everything works fine, Edit /apf.conf find DEVEL_MODE=”1″ and change it to DEVEL_MODE=”0″
14. Once done Exit and save the file.
CTRL-x, y to save enter to confirm
15. Restart APF
service apf restart
Make sure APF starts automatic after restart
chkconfig --add apf
chkconfig --level 345 apf on
Problem: If you get this error apf(xxxxx): {glob} unable to load iptables module (ip_tables), aborting.
Solution: Try changing SET_MONOKERN=”0″ to SET_MONOKERN=”1″ , then apf -r
Problem: If you get this message: apf(xxxxx): {glob} !!DEVELOPMENT MODE ENABLED!! – firewall will flush every 5 minutes.
Solution: you need to change DEVEL_MODE=1 to DEVEL_MODE=0, make sure your config is working first.
Enabling connections for server monitoring.
Some service providers that offer monitoring need access to your server, and access
without setting off alarms, firewalls etc. is a good thing. Just becareful which IP(s) you put in here.
1. To allow connections from xx.xx.xx.xx/24
pico -w /etc/apf/allow_hosts.rules
2. At the very end of the file add this line
xx.xx.xx.xx/24
Of course replace the xx.xx.xx.xx with the IP address provided to you.
====================================
2. BFD (Brute Force Detection)
====================================
What is Brute Force Detection? (BFD)
BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet and likewise it is very straight-forward in its installation, configuration and usage. The reason behind BFD is very simple; the fact there is little to no authentication and brute force auditing programs in the linux community that work in conjunction with a firewall or real-time facility to place bans.
This How-To will show you how to install BFD on your Linux Server to prevent and monitor brute force hack attempts.
This software like some others has requirements. You must be running APF / Advanced Policy Firewall for Brute Force Detection to work.
1. Login to your server via SSH as Root.
2. Type:
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
3. Type:
tar -xvzf bfd-current.tar.gz
4. Type:
cd bfd*
5. Now let's install BFD onto the server.
Type:
./install.sh
:: You Should See ::
.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd
6. Now we need to edit the configuration file, and set some options.
Don't worry the BFD Configuration isn't hard to edit or understand!
Type: pico -w /usr/local/bfd/conf.bfd
7. Now we need to find the line to edit:
Press: CTRL-WType: ALERT_USR
Change ALERT_USR="0" TO ALERT_USR="1"
Right below that we need to change the email:
Change EMAIL_USR="root" TO EMAIL_USR="you@yoursite.com"
8. That wasn't to bad let's save and exit the file
Press: CTRL-X then type Y then hit enter 9. Now we have to prevent locking yourself out of the server.
Type: pico -w /usr/local/bfd/ignore.hosts 10. Add any IP address that you want to be ignored from the rules.
If your server provider is doing monitoring add their IP(s) here.
Since you need these IPs open in APF as well you cancopy the IPs you used in APF
Type: pico -w /etc/apf/allow_hosts.rulesThen scroll down to the bottom and copy those IPs (drag mouse over that's it)
Press: CTRL-XType: pico -w /usr/local/bfd/ignore.hosts Paste those IPs to the bottom. You should also add your home IP if you hadn't done so before.
If your home IP is dynamic this is not a good idea, and you should get a static IP.
Press: CTRL-X then Y to save then enter. Now lets run BDF!!!
Type: /usr/local/sbin/bfd -s
====================================
3. CHKROOTKIT
====================================
Installation How-To :
1. Login to your server as root. (SSH)
2. Type:
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
3. Type:
tar xvzf chkrootkit.tar.gz
4. Change to new directory
cd chkrootkit*
5. Compile It
make sense
6. Now give it a test.
./chkrootkit
Everything should read not found, and/or not infected
This is a GOOD thing!
How-To make chkrootkit e-mail you daily :
1. Login to your server as root. (SSH)
2. Type:
crontab -e
3. Add this line to the top:
0 1 * * * (cd /path/to/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" root)
This will run CHKROOTKIT at 1am every day, and e-mail the output to root.
If you are in PICO
CTRl-X, Y, Enter to save and exit
====================================
4. Disabling Direct Root Login (SSH)
====================================
If you're using cPanel make sure you add your anotheruser user to the 'wheel' group so that you will be able to 'su -' to root, otherwise you may lock yourself out of root.
Set up anotheruser if you haven't already got one:
a. Type: groupadd anotheruser
b. Type: useradd anotheruser -ganotheruser
c. Type: passwd anotheruser passwordhere
and add a password for the new account.
On a CPanel system, you can (MUST) now go into root WHM and add anotheruser to the wheel group.
After you do this, you will have to login as anotheruser then you will 'su -' to get to root.
If you need this option send SLHOST an email to support@slhost.com
====================================
5. Disabling Telnet Access
====================================
Telnet should be disabled, and you should use SSH. Telnet sends password in plain text, and 'crackers/hackers' can obtain these passwords easily compared to SSH, and then takeover your dedicated web server.
1. Type: pico -w /etc/xinetd.d/telnet
2. Change the disable = no line to
disable = yes.
3. CTRL+x, then y then enter to save the file.
Restart xinted with:
/etc/rc.d/init.d/xinetd restart
====================================
6. Force the use of SSH protocol 2
====================================
SSH Protocol 1 based systems are facing many automated "root kits".
As a result to step up the security Protcol 2 should be enabled as soon as possible.
The reason to use SSH Protocol 2 on your dedicated webserver is that it is more secure.
1. Type: pico -w /etc/ssh/sshd_config
2. Find the line: #Protocol 2, 1
Uncomment it and change it to look like:
Protocol 2
3. CTRL+x, then y then enter to save the file.
4. Now Restart SSH with
/etc/rc.d/init.d/sshd restart
(If the above restart does not work you will need to login to WHM as root
and restart the service.)
====================================
7. How to install mail scanner
====================================
How to install mail scanner (Mail Scanner & ClamAV Installation)
This is an addon to Exim. Exim is still the MTA, Mail Scanner scans and clamav is the AV system.
This will help in preventing the spread of virus's through your webserver. It will deny/block the virus's
so that they do not reach the recipient. ClamAv can be used at the command line however the main purpose of this
software is the integration with mail servers (attachment scanning). Which is what Mail Scanner & ClamAV do.
1. Login to your server via SSH.
2. Type:
wget http://layer1.cpanel.net/mailscanner...all-1.5.tar.gz
3. Type:
tar zxvf mailscanner-autoinstall-1.5.tar.gz
4. Type:
cd mailscanner*
5. Type:
./install
This make take up to 5 minutes to download, and install all the librarys require for Mail Scanner.
6. If the above Finished and brought you back to prompt goto step #7 if not continue with step 6
Press: CTRL-C
Type: pico -w install
Comment out these lines w/ a #
print "Installing Perl Modules...";
ssystem("/scripts/perlinstaller","MIME::Base64","File::Spec","HTML:: Tagset","HTML::Parser","MIME::Tools","File::Temp", "Convert::TNEF");
print "Done\n";
So they look like this:
#print "Installing Perl Modules...";
#ssystem("/scripts/perlinstaller","MIME::Base64","File::Spec","HTML:: Tagset","HTML::Parser","MIME::Tools","File::Temp", "Convert::TNEF");
#print "Done\n";
Login to WHM as Root.
Install the above Modules in WHM's Perl Module Installer.
Type: ./install
Then goto Step #7 when install finishes
7. Type:
killall -9 MailScanner
8. Type:
/usr/mailscanner/bin/check_mailscanner
If you want to look at the Mail Scanner configuration file you can do so by.
Type: pico -w /usr/mailscanner/etc/MailScanner.conf
DO NOT Enable anything to do with SpamAssin.
====================================
8. Jail all users
====================================
Let's prevent the users from accessing any directories/files outside of their home directory.
This is a great security precaution and should be done.
1. Login to WHM as root.
2. Account Functions
Manage Shell Access
Jail All Users
If possible it is best to NOT
grant shell access to users at all.
====================================
9. Remove Trojan by CHKROOTKIT
====================================
*NOTE* This is a HUGE step "INTO" your server. Doing anything wrong can severly damage your server and make it non-responsive. Do this entire how-to at your own risk. This is NOT a substitute for re-installing the OS, this is simply another WAY to remove a rootkit called T0rnkitv8
If you have not already done so do this step first.
Login to WHM as root
Click Tweak Settings
and please remove the tick from
[ ] Allow cPanel users to reset their password via email
1. Login to your server via SSH
2. Run CHKROOTKIT. If you do not have this installed then visit CHKROOTKIT Installation and continue once you do.
You will see some INFECTED lines/files. It should also report hidden processes.
Here's an example of partial output.
Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `pstree'... INFECTED
and also:
Checking `lkm'... You have X process hidden for ps command
Warning: Possible LKM Trojan installed
Type: /etc/init.d/syslog restartShutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]
3. Type: top
You may/will then see:
top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory
4. type: /etc/rc.d/rc.sysinit
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q
________________________________________
Configuration files
/usr/include/file.h (for file hiding)
/usr/include/proc.h (for ps proc hiding)
/lib/lidps1.so (for pstree hiding)
/usr/include/hosts.h (for netstat and net-hiding)
/usr/include/log.h (for log hiding)
/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)
/dev/sdr0 (systems md5 checksum)
/lib/ldd.so {placing tks(sniffer), tkp(parser) and tksb(log cleaner)}
Infected Binaries:
top, ps, pstree lsof, md5sum, dir, login, encrypt,ifconfig,find,ls,slocate,
tks,tksb,top,tkpnetstat,pg,syslogd,sz
Infected Librairies:
libproc.a,libproc.so.2.0.6,libproc.so
BackDoor: (located at /lib/lblip.tk)
shdc
shhk.pub
shk
shrs
--------------------------------------------------------
Now, Lets start the cleaning process:
1. Type: pico /etc/rc.d/rc.sysinit
remove the lines that show
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q
2. reboot the system
WARNING: 2 servers got their kernel removed after reboot.
If your's does this too and that is what the DataCenter complains after reboot, please ask them to do the following:
reboot the system using the redhat CD into rescue mode
chroot to the /mnt/sysimage
reinstall kernel packages
that should fix it.
-- since already in resuce mode, perhaps also ask them to -- force install the following rpm's
procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm
3. After the system is up
Type: cd /lib
Type: rm -rf lblip.tk
4. Remove the configuration files given above.
5. Type: cat /etc/redhat-releasenote down your version of redhat, then from
www.rpmfind.net
search for the following rpm's
procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm
-- and rpm --force install them
6. if you see the hosts.h file, it says to hide all IP's from
Type: cat /usr/include/hosts.h
193.60
If you want, you can block all the IP's from 193.60 to your server via iptables.
Or if you have APF you can add them to the Deny File.
7. If the above is completed.
Reboot the Server & Run CHKROOTKIT again.
====================================
10. Secure /tmp Directory ( Very Important )
====================================
Many hackers/malicious users are exploiting the /tmp directory to execute files. This is a huge security problem for dedicated server owners as it practically leaves your server wide open for a complete takeover.
The following is how to secure your /TMP directory using a cPanel Script.
You MUST have cPanel installed for this to work.
1. Login to your server as root via SSH.
2. Type: /scripts/securetmp That's it your done. cPanel wrote that script to allow users to secure their /TMP Directory very easily.
Don't miss it
Mysql, apche and firewall commands
Firewall - iptables commands
iptables -I INPUT -s IPADDRESSHERE -j DROP : This command stops any connections from the IP address
iptables -L : List all rules in iptables
iptables -F : Flushes all iptables rules (clears the firewall)
iptables --save : Saves the currenty ruleset in memory to disk
service iptables restart : Restarts iptables
Apache Shell Commands
httpd -v : Outputs the build date and version of the Apache server.
httpd -l : Lists compiled in Apache modules
httpd status : Only works if mod_status is enabled and shows a page of active connections
service httpd restart : Restarted Apache web server
MySQL Shell Commands
mysqladmin processlist : Shows active mysql connections and queries
mysqladmin drop databasenamehere : Drops/deletes the selected database
mysqladmin create databasenamehere : Creates a mysql database
Restore MySQL Database Shell Command
mysql -u username -p password databasename < databasefile.sql : Restores a MySQL database from databasefile.sql
Backup MySQL Database Shell Command
mysqldump -u username -p password databasename > databasefile.sql : Backup MySQL database to databasefile.sql
kill: terminate a system process
kill -9 PID EG: kill -9 431
kill PID EG: kill 10550
Use top or ps ux to get system PIDs (Process IDs)
EG:
PID TTY TIME COMMAND
10550 pts/3 0:01 /bin/csh
10574 pts/4 0:02 /bin/csh
10590 pts/4 0:09 APP
Each line represents one process, with a process being loosely defined as a running instance of a program. The column headed PID (process ID) shows the assigned process numbers of the processes. The heading COMMAND shows the location of the executed process.
Putting commands together
Often you will find you need to use different commands on the same line. Here are some examples. Note that the | character is called a pipe, it takes date from one program and pipes it to another.
> :means create a new file, overwriting any content already there.
>> :means tp append data to a file, creating a newone if it doesn not already exist.
< :send input from a file back into a command.
grep User /usr/local/apache/conf/httpd.conf |more
This will dump all lines that match User from the httpd.conf, then print the results to your screen one page at a time.
last -a > /root/lastlogins.tmp
This will print all the current login history to a file called lastlogins.tmp in /root/
tail -10000 /var/log/exim_mainlog |grep domain.com |more
This will grab the last 10,000 lines from /var/log/exim_mainlog, find all occurances of domain.com (the period represents 'anything',
-- comment it out with a so it will be interpretted literally), then send it to your screen page by page.
netstat -an |grep :80 |wc -l
Show how many active connections there are to apache (httpd runs on port 80)
mysqladmin processlist |wc -l
Show how many current open connections there are to mysql
New! - Need server help? Hire an Expert
Get professional help with your configuration, script installation or server issue.
Learn how we can help you with any server problem and make your server run like new. Professional staff will contact you, after submitting a quote request, by phone or email.
Subscribe to:
Comments (Atom)