Friday, 17 September 2010

Extract or Create RAR Files in Unix by SSH/Shell

Hi All ;)

Now I will tell you how to better manage big archives in RAR.

If you download a large game of several GB from P2P or wherever it comes from, you often find it split into files named .r00, .r01, .r02, .r03..
That is too many to download one by one..

So we need to extract them on the server and manage them there.

Connect by SSH and change directory to where the archives are.

Run this command:
unrar e file-name.r00


And you're done.

If you need to archive a big file and split it into parts of a given size in kilobytes or megabytes, run this command:
rar a -v 4000k file-name-to-compress.rar file-name-uncompressed.avi

Where 4000k is the size of each part of the file. (4MB)

Note: This guide is designed for those who use the "Torrent Hosting" or "Leech Hosting" service of RV89.
If you do not have one of these services, make sure rar and unrar are installed on your server.


To see whether they are installed, run:

RAR
whereis rar
rar: /usr/local/bin/rar /usr/local/man/cat1/rar.1 /usr/ports/archivers/rar

UNRAR
whereis unrar
unrar: /usr/local/bin/unrar /usr/ports/archivers/unrar


Here they are installed. If you find nothing, or only the Ports Collection entry (on FreeBSD), you must install them on your system.

First, log in as root or with sudo privileges.

To install on Ubuntu/Debian:
sudo apt-get install rar unrar


To install on CentOS/Fedora/RedHat:
sudo yum install rar unrar


To install on FreeBSD:
cd /usr/ports/archivers/unrar
make install clean
cd /usr/ports/archivers/rar
make install clean
rehash


That's all.

Install and configure Squid with config template and video tutorial

Squid is a proxy server and web cache daemon. It has a wide variety of uses, from speeding up a web server by caching repeated requests, to caching web, DNS and other computer network lookups for a group of people sharing network resources, to aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including TLS, SSL, Internet Gopher and HTTPS. The development version of Squid (3.1) includes IPv6 and ICAP support.

Now, we install Squid 3.1 on our OS.

- If you are currently using Debian, run aptitude:
sudo apt-get install squid3


- If you are currently using FreeBSD, use Ports:
cd /usr/ports/www/squid31/
make install clean


- If you are currently using Gentoo, run Emerge:
emerge squid3


To install Squid from an RPM if you are using CentOS, Fedora, RedHat..
64Bit:
http://people.redhat.com/jskala/squid/squid-3.0.STABLE16-1.el5/x86_64/squid-3.0.STABLE16-1.el5.x86_64.rpm

32Bit:
http://people.redhat.com/jskala/squid/squid-3.0.STABLE16-1.el5/i386/squid-3.0.STABLE16-1.el5.i386.rpm


After installing Squid, we need to configure it..

Everything required is in /etc/squid/, so open squid.conf:

- First, change the standard port of Squid: 3128 will be changed to a different port (I use 8888). Do not forget to open the port in your firewall!!
- Add all IPs of the server (or only the IP that you want to use for Squid)
- Add the ACL of users
- Add a user
- Done, now just test it.

nano /etc/squid/squid.conf


To add a user, generate a password with htpasswd:

root@st [/etc/squid]# htpasswd -n admin
admin:cpDjhqGda7kv


(If you are using cPanel, htpasswd may not run from the squid directory; you can fix that problem with a symbolic link:)
root@st [/etc/squid]# ln -s /home/cpeasyapache/src/httpd-2.2.13/support/.libs/htpasswd /bin/htpasswd


After generating the user's password, add it to the /etc/squid/passwd file.

After every config change or user addition, restart Squid:

service squid restart



I let you download my Squid configuration in the attachment.
Attached File  Config-Squid.zip (103.72K)

In the attachment there is also a video tutorial to learn more about caching proxies.
http://mirror1.rv89.net/video/Squid-Proxy.avi

How-To: Installing FFmpeg + FFmpeg-PHP + Mplayer + Mencoder + flv2tool + LAME MP3 Encoder
How to install the software needed to manipulate video

FFmpeg is essential if you are planning to run a video website with streaming and conversion of video files to different video formats. This tutorial is intended for CentOS/RedHat versions of Linux, where any novice user can install ffmpeg without compiling the source, which is the more traditional way of installing FFmpeg on Linux servers. In this tutorial I will show you the easy way to install ffmpeg and ffmpeg-php (PHP extension) with just yum rather than compiling ffmpeg from the source files.

In this tutorial I will show how to install these codecs on a Linux/Unix system.

We start by connecting to the server shell via SSH (as root or with sudo):


cd /usr/local/src/


DOWNLOAD MODULES

wget www3.mplayerhq.hu/MPlayer/releases/codecs/essential-20061022.tar.bz2
wget rubyforge.org/frs/download.php/9225/flvtool2_1.0.5_rc6.tgz
wget easynews.dl.sourceforge.net/sourceforge/lame/lame-3.97.tar.gz
wget superb-west.dl.sourceforge.net/sourceforge/ffmpeg-php/ffmpeg-php-0.5.1.tbz2
wget downloads.xiph.org/releases/ogg/libogg-1.1.3.tar.gz
wget downloads.xiph.org/releases/vorbis/libvorbis-1.1.2.tar.gz
wget mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc2.tar.bz2
wget ffmpeg.org/releases/ffmpeg-0.5.tar.bz2


EXTRACT MODULES

tar zxvf lame-3.97.tar.gz
tar zxvf libogg-1.1.3.tar.gz
tar zxvf libvorbis-1.1.2.tar.gz
tar zxvf flvtool2_1.0.5_rc6.tgz
tar jxvf essential-20061022.tar.bz2
tar jxvf ffmpeg-php-0.5.1.tbz2
tar jxvf MPlayer-1.0rc2.tar.bz2
tar jxvf ffmpeg-0.5.tar.bz2

mkdir /usr/local/lib/codecs/

yum install gcc gmake make libcpp libgcc libstdc++ gcc4 gcc4-c++ gcc4-gfortran subversion ruby ncurses-devel -y


DOWNLOAD FFMPEG and MPLAYER by svn

svn checkout svn://svn.mplayerhq.hu/ffmpeg/trunk ffmpeg
svn checkout svn://svn.mplayerhq.hu/mplayer/trunk mplayer
cd /usr/local/src/mplayer

svn update

cd /usr/local/src/
mv /usr/local/src/essential-20061022/* /usr/local/lib/codecs/
chmod -R 755 /usr/local/lib/codecs/
 

LAME:

cd /usr/local/src/lame-3.97
./configure
make && make install


LIBOGG

cd /usr/local/src/
cd /usr/local/src/libogg-1.1.3
./configure --enable-shared && make && make install
PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
export PKG_CONFIG_PATH


LIBVORBIS
cd /usr/local/src/
cd /usr/local/src/libvorbis-1.1.2
./configure && make && make install


FLVTOOL2

cd /usr/local/src/
cd /usr/local/src/flvtool2_1.0.5_rc6/
ruby setup.rb config
ruby setup.rb setup
ruby setup.rb install


MPLAYER
cd /usr/local/src/
cd /usr/local/src/MPlayer-1.0rc2
./configure && make && make install

cd /usr/local/src/


FFMPEG:

cd /usr/local/src/ffmpeg-0.5
./configure --enable-libmp3lame --enable-libvorbis --disable-mmx --enable-shared
make
make install

export LD_LIBRARY_PATH=/usr/local/lib/

ln -s /usr/local/lib/libavformat.so.50 /usr/lib/libavformat.so.50
ln -s /usr/local/lib/libavcodec.so.51 /usr/lib/libavcodec.so.51
ln -s /usr/local/lib/libavutil.so.49 /usr/lib/libavutil.so.49
ln -s /usr/local/lib/libmp3lame.so.0 /usr/lib/libmp3lame.so.0
ln -s /usr/local/lib/libavformat.so.51 /usr/lib/libavformat.so.51


FFMPEG-PHP:

cd /usr/local/src/
cd /usr/local/src/ffmpeg-php-0.5.1/
phpize
./configure
make
make install



NOTICE: Make sure this is the correct php.ini for the box!!

echo 'extension=ffmpeg.so' >> /usr/local/Zend/etc/php.ini


RESTART APACHE

service httpd restart

Alternatively, just edit your php.ini by hand:
(if you can't find your php.ini, run the command "locate php.ini" and open the correct php.ini)

Add this extension to php.ini:
[ffmpeg]
extension_dir=/usr/local/lib/php/extensions/no-debug-non-zts-20060613/
extension=ffmpeg.so


Then run and verify:

Restart Apache and check that the module is loaded in PHP.

Test ffmpeg from the command line; if you get this error:

ffmpeg: error while loading shared libraries: libavformat.so.51:…

restart Apache and reload the library cache with:
/etc/init.d/httpd restart

echo /usr/local/lib >> /etc/ld.so.conf

ldconfig -v
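The how-to appends to php.ini and to /etc/ld.so.conf with ">>", which writes a duplicate line every time the steps are re-run. The helper below is an added example, not code from the original post: it appends a line only when the file does not already contain it, so the step becomes safe to repeat. The demo works on a temporary file created for illustration, not on the real ld.so.conf.

```shell
# Added example, not code from the original post: append a line to a config
# file only when it is not already there. Using plain ">>" as in the how-to
# adds a duplicate line on every re-run.
# Usage: append_once FILE LINE  (prints "added" or "present", returns 0)

append_once() {
    file=$1
    line=$2
    [ -f "$file" ] || : > "$file"            # create an empty file if missing
    if grep -qxF -- "$line" "$file"; then    # -x whole line, -F literal match
        echo present
    else
        printf '%s\n' "$line" >> "$file"
        echo added
    fi
}

# Demo on a temporary file (constructed, not the real /etc/ld.so.conf):
demo() {
    tmp=$(mktemp)
    append_once "$tmp" "/usr/local/lib"      # added
    append_once "$tmp" "/usr/local/lib"      # present (no duplicate written)
    append_once "$tmp" "extension=ffmpeg.so" # added
    wc -l < "$tmp" | tr -d ' '               # 2 lines in the file
    rm -f "$tmp"
}
demo
```

On the real files this becomes `append_once /etc/ld.so.conf /usr/local/lib && ldconfig` and `append_once /usr/local/Zend/etc/php.ini 'extension=ffmpeg.so'`, after which the `ldconfig -v` and Apache restart above are still needed.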



Verify the ffmpeg installation:

If you get the following results then FFMPEG and all its components are installed correctly:

php -r 'phpinfo();' | grep ffmpeg

ffmpeg
ffmpeg support (ffmpeg-php) => enabled
ffmpeg-php version => 0.5.3.1
ffmpeg-php gd support  => enabled
ffmpeg.allow_persistent => 0 => 0
ffmpeg.show_warnings => 0 => 0

Improving server RAM performance: How to optimize the RAM of a server
Flushing the cache in RAM on a Linux system.

Servers often need more RAM.
Those who have a low-cost server will certainly have little RAM.
The RAM cache is certainly very good for performance: it is the part of the RAM that the operating system uses to temporarily store a copy of data just read from storage devices. That way, if the same data is needed again, the processor can get it more quickly.

You can see the RAM usage in megabytes with the command:
free -m


But if the whole RAM is used just for the cache, there is no longer room for other applications.

This command lets you clear the cache without rebooting the server:
echo 3 > /proc/sys/vm/drop_caches


This command, if put in a cronjob every 24 hours for example, can help servers that have limited RAM and need it to run applications whose operations are always different and do not benefit from the cache.
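Rather than dropping the cache unconditionally every 24 hours, a cron job can first measure how much of the RAM the cache actually occupies. The script below is an added example, not from the original post: it reads /proc/meminfo (or a file passed as an argument, so it can be tested on a constructed sample) and runs the drop_caches command only above a threshold; the 50% default is an assumption chosen for illustration.

```shell
# Added example, not from the original post: only drop the page cache when it
# actually occupies a large share of RAM, instead of blindly doing it every
# 24 hours. Reads /proc/meminfo (or the file given as $1, so it can be tested
# on a constructed sample). The 50% threshold is an assumed default.

cache_percent() {
    # Percentage of MemTotal held as page cache + buffers (integer).
    awk '
        /^MemTotal:/ { total = $2 }
        /^Cached:/   { cached = $2 }
        /^Buffers:/  { buffers = $2 }
        END {
            if (total == 0) { print 0; exit }
            printf "%d\n", (cached + buffers) * 100 / total
        }' "${1:-/proc/meminfo}"
}

should_drop_caches() {
    # should_drop_caches [MEMINFO] [THRESHOLD_PERCENT] -> 0 if worth dropping
    pct=$(cache_percent "${1:-/proc/meminfo}")
    [ "$pct" -ge "${2:-50}" ]
}

drop_caches_if_needed() {
    if should_drop_caches "$@"; then
        sync                                # flush dirty pages first: drop_caches frees only clean pages
        echo 3 > /proc/sys/vm/drop_caches   # 3 = page cache + dentries and inodes
        echo "dropped caches (cache was ${pct}% of RAM)"
    else
        echo "cache at ${pct}% of RAM, nothing to do"
    fi
}

# Run from cron as root, e.g.:  0 3 * * * /usr/local/sbin/drop-caches.sh run
if [ "${1:-}" = run ]; then
    drop_caches_if_needed
fi
```

The `sync` before the write matters: drop_caches discards only clean pages, so without it the dirty pages stay and the freed amount is smaller than `free -m` suggested.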


How to test the hard disk from SSH using S.M.A.R.T. information and testing read/write speed

Not everyone is familiar with the Linux shell,
although many people use it on their server for economic reasons.

Often one has the feeling that the hard disk is damaged.
To test the status of the disk over SSH, here are the various commands.

SMART Disk Monitoring Daemon.

smartd is the software that uses the SMART information to analyse, report on and monitor the disk.

This software can be installed on Linux, Windows, Solaris and *BSD.
Many distros come with smartd already installed.

To use it:
smartctl -i /dev/sda

With the argument -i we see the version of smartctl, whether the disk is compatible, the model of the disk.. (in this case the disk is /dev/sda)

My output:
root@ethel [~]# smartctl -i /dev/hda
smartctl version 5.38 [x86_64-redhat-linux-gnu] Copyright (C) 2002-8 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

Smartctl open device: /dev/hda failed: No such file or directory
root@ethel [~]# smartctl -i /dev/sda
smartctl version 5.38 [x86_64-redhat-linux-gnu] Copyright (C) 2002-8 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF INFORMATION SECTION ===
Device Model:     WDC WD7500AADS-00M2B0
Serial Number:    WD-WCAV51911761
Firmware Version: 01.00A01
User Capacity:    750,156,374,016 bytes
Device is:        Not in smartctl database [for details use: -P showall]
ATA Version is:   8
ATA Standard is:  Exact ATA specification draft version not indicated
Local Time is:    Tue Dec  8 03:41:36 2009 CET
SMART support is: Available - device has SMART capability.
SMART support is: Enabled


To see if there are any errors, run:
smartctl -l error /dev/sda


To test the disk, you can run 2 tests, short and long.

The short one takes only 2 min:
smartctl -t short /dev/sda


The long test can take more than 180 min..
smartctl -t long /dev/sda


To see the health and the test results, run this command:
smartctl -Hc /dev/sda


My output:
root@ethel [~]# smartctl -Hc /dev/sda
smartctl version 5.38 [x86_64-redhat-linux-gnu] Copyright (C) 2002-8 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

General SMART Values:
Offline data collection status:  (0x85) Offline data collection activity
                                        was aborted by an interrupting command from host.
                                        Auto Offline Data Collection: Enabled.
Self-test execution status:      (   0) The previous self-test routine completed
                                        without error or no self-test has ever
                                        been run.
Total time to complete Offline
data collection:                 (15600) seconds.
Offline data collection
capabilities:                    (0x7b) SMART execute Offline immediate.
                                        Auto Offline data collection on/off support.
                                        Suspend Offline collection upon new
                                        command.
                                        Offline surface scan supported.
                                        Self-test supported.
                                        Conveyance Self-test supported.
                                        Selective Self-test supported.
SMART capabilities:            (0x0003) Saves SMART data before entering
                                        power-saving mode.
                                        Supports SMART auto save timer.
Error logging capability:        (0x01) Error logging supported.
                                        General Purpose Logging supported.
Short self-test routine
recommended polling time:        (   2) minutes.
Extended self-test routine
recommended polling time:        ( 181) minutes.
Conveyance self-test routine
recommended polling time:        (   5) minutes.
SCT capabilities:              (0x303f) SCT Status supported.
                                        SCT Feature Control supported.
                                        SCT Data Table supported.


To test write and read speed, run this command:
root@ethel [/home]# dd if=/dev/zero of=fakedisk bs=10k count=1000
1000+0 records in
1000+0 records out
10240000 bytes (10 MB) copied, 0.0188848 seconds, 542 MB/s


And to receive alerts about your disk, this entry (a line in /etc/smartd.conf, the smartd configuration file) makes smartd send you an email when any test goes wrong..
/dev/sdb -m you@rv89.eu
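Beside the smartd e-mail alert, a cron job can act on the smartctl verdict directly. The script below is an added example, not from the original post: it extracts the "overall-health self-assessment test result" line from `smartctl -H` output and turns it into an exit status, so a failing disk shows up in monitoring as a non-zero check. The check_disk wrapper assumes smartctl is on the PATH; the sample output used in the test is constructed from the lines shown above.

```shell
# Added example (not from the original post): turn "smartctl -H" output into
# an exit status that a cron job or monitoring check can act on.
# smart_health reads the output from a file ($1) or from stdin ("-"), so it
# can be tested on a captured sample without a real disk.
# Returns 0 for PASSED, 2 for FAILED, 1 when no verdict line is found
# (unsupported device, "open device failed", etc.).

smart_health() {
    verdict=$(awk -F': *' '/overall-health self-assessment test result/ { print $2; exit }' "${1:--}")
    case "$verdict" in
        PASSED)  return 0 ;;
        FAILED*) return 2 ;;   # older smartctl prints "FAILED!"
        *)       return 1 ;;
    esac
}

# Wrapper for a real disk (assumes smartctl is installed): prints one status
# line for a log or an alert and passes the exit status through.
check_disk() {
    dev=$1
    smartctl -H "$dev" | smart_health -
    rc=$?
    case $rc in
        0) echo "$dev: SMART health PASSED" ;;
        2) echo "$dev: SMART health FAILED - back up now and replace the disk" ;;
        *) echo "$dev: no SMART verdict (unsupported device or smartctl error)" ;;
    esac
    return $rc
}
```

A cron line such as `0 4 * * * /usr/local/sbin/smart-check.sh /dev/sda` (hypothetical script path) run as root then complements the `-m` alert: smartd reacts to attribute changes, while this check reports the overall verdict after each scheduled self-test.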


For the moment, that's all ;)

How to limit bandwidth speed on a cPanel domain
Limit the bandwidth speed of a domain on a WHM/cPanel server

Hello,

I'm writing nothing new.. but I think not everyone knows this.

When we have some users that leech or use the full connection speed all the time, they slow down the other sites because the connection speed is all used up by their domain.

We can limit the connection speed of each user!
With the Bandwidth Module (mod_bandwidth)

Connecting by shell over SSH, we can use that module with the following syntax:

/scripts/setbwlimit --domain=rv89.eu --limit=10240000


That command limits the domain rv89.eu to a max speed of 1MB/s (10240000 bytes)

*Be sure you have already installed Mod Bandwidth (Main >> Software >> EasyApache (Apache Update))

Recover MySQL root Password

You can recover the MySQL database server password with the following five easy steps.

Step # 1: Stop the MySQL server process.
Step # 2: Start the MySQL (mysqld) server/daemon process with the --skip-grant-tables option so that it will not prompt for a password.
Step # 3: Connect to the MySQL server as the root user.
Step # 4: Set up a new MySQL root account password, i.e. reset the MySQL password.
Step # 5: Exit and restart the MySQL server.
Here are the commands you need to type for each step (log in as the root user):

Step # 1 : Stop mysql service

# /etc/init.d/mysql stop
Output:
Stopping MySQL database server: mysqld.

Step # 2: Start to MySQL server w/o password:

# mysqld_safe --skip-grant-tables &
Output:
[1] 5988
Starting mysqld daemon with databases from /var/lib/mysql
mysqld_safe[6025]: started

Step # 3: Connect to mysql server using mysql client:

# mysql -u root
Output:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.15-Debian_1-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

Step # 4: Set up a new MySQL root user password

mysql> use mysql;
mysql> update user set password=PASSWORD("NEW-ROOT-PASSWORD") where User='root';
mysql> flush privileges;
mysql> quit

Step # 5: Stop MySQL Server:

# /etc/init.d/mysql stop
Output:
Stopping MySQL database server: mysqld
STOPPING server from pid file /var/run/mysqld/mysqld.pid
mysqld_safe[6186]: ended

[1]+  Done                    mysqld_safe --skip-grant-tables

Step # 6: Start MySQL server and test it

# /etc/init.d/mysql start
# mysql -u root -p

Setup Nginx as HTTP Daemon with vhosts


nginx [engine x] is a HTTP server and mail proxy server written by me (Igor Sysoev).

Nginx vs Apache2

In this setup, Nginx is used to replace Apache.

Installing by Portsnap
cd /usr/ports/www/nginx-devel/
make install clean


Select these options:
HTTP_MODULE 
HTTP_CACHE_MODULE
HTTP_REWRITE_MODULE
HTTP_SSL_MODULE
HTTP_STATUS_MODULE


Create vhost directory:
mkdir /usr/local/etc/nginx/vhosts


These config files have been set up to help keep the server secure and prevent people from "snooping" around the server to find exploits and holes. This is just part of a multilayer security setup and will not by itself prevent people from hacking your server. The config files are rather self-explanatory; feel free to change them as needed.

/usr/local/etc/nginx.conf
user     www www;
worker_processes   8;
pid     /var/run/nginx.pid;
events {
 worker_connections  8192;
}
http {
 include    mime.types;
 default_type   application/octet-stream;
 ## Log Cache
 open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
 ## Log Format
 log_format   main '$remote_addr - $remote_user [$time_local] $request '
      '"$status" $body_bytes_sent "$http_referer" '
      '"$http_user_agent" "$http_x_forwarded_for"';
 ## Logs
 #access_log /var/log/nginx-access.log main;
 #access_log off;
 error_log  /var/log/nginx-error.log debug gzip buffer=32k;
 ## Compression
 gzip   on;
 gzip_min_length 1100;
 gzip_buffers  16 8k;
 gzip_http_version 1.0;
 gzip_comp_level 1;
 gzip_proxied  any;
 gzip_types  text/plain text/css text/javascript text/xml text/php
    application/x-javascript application/xml application/xml+rss;
 ## Size Limits
 client_body_buffer_size   8k;
 client_header_buffer_size 256k;
 client_max_body_size      10m;
 large_client_header_buffers 256 256k;
 ## Timeouts
 client_body_timeout   5;
 client_header_timeout 5;
 keepalive_timeout     75 20;
 send_timeout          5;
 ## General Options
 ignore_invalid_headers   on;
 limit_zone gulag $binary_remote_addr 1m;
 recursive_error_pages    on;
 sendfile                 on;
 server_name_in_redirect off;
 server_tokens           off;
 ## TCP options  
 tcp_nodelay on;
 tcp_nopush  on;
 ## Run all config files in our vhost directory
 include /usr/local/etc/nginx/vhosts/*.conf;
}


Now create a vhost in the /usr/local/etc/nginx/vhosts directory (the file name must end in .conf, since nginx.conf includes vhosts/*.conf).
You must replace the domain rv89.eu with your domain.
server {
 listen  *:80;
 server_name rv89.eu;
 root          /usr/local/www/rv89.eu;
 #access_log /var/log/rv89.eu.access.log main;
 error_log /var/log/rv89.eu.error.log debug;
 #error_page 404 = /error/404.html;
 #error_page 502 503 504 = /error/50x_error.html;
 #location    /error/50x_error.html {
 #    internal;
 #}
 ## directory and index file
 location / {
 root   /usr/local/www/rv89.eu;
 autoindex off;
 index   index.php index.html index.htm;
 }
 ## php-fpm config
 location ~ \.php$ {
  fastcgi_index index.php;
  fastcgi_pass 127.0.0.1:9000;
  include    fastcgi_params;
  fastcgi_param CONTENT_TYPE $content_type;
  fastcgi_param CONTENT_LENGTH $content_length;
  fastcgi_param SCRIPT_NAME $fastcgi_script_name;
  fastcgi_param SCRIPT_FILENAME /usr/local/www/rv89.eu$fastcgi_script_name;
  fastcgi_param REQUEST_URI $request_uri;
  fastcgi_param DOCUMENT_URI $document_uri;
  fastcgi_intercept_errors on;
 }
 ## Cache of images
 location ~* \.(jpg|jpeg|gif|css|png|js|ico)$ {
  root          /usr/local/www/rv89.eu;
  access_log off;
  expires 30d;
  break;
 }
 ## Serve an empty 1x1 gif _OR_ an error 204 (No Content) for favicon.ico
 location = /favicon.ico {
 #empty_gif;
  return 204;
 }
 ## If the file exists as a static file serve it directly without running all the other rewrite tests on it
 if (-f $request_filename) {
  break;
 }
 ## Only allow GET and HEAD request methods
 if ($request_method !~ ^(GET|HEAD)$ ) {
  return 444;
 }
}


Now edit the file /etc/rc.conf

And add:
nginx_enable="YES"


Run
rehash


Start the Nginx web server:
/usr/local/etc/rc.d/nginx start


Your server is installed. The next guide will be dedicated to installing PHP on Nginx.

How to install an application with portsnap
Installing an application on FreeBSD using Portsnap

Hello All,

This time we learn an easy way to install some applications on FreeBSD.
BSD uses the Ports archive, fetched with portsnap, like apt-get for Debian/Ubuntu, yum for Fedora/CentOS, emerge for Gentoo..

Well, first we need to update the archive:
portsnap fetch


And extract it:
portsnap extract


Now we have the full archive of applications ready to download and install in /usr/ports/.

To install an application, like nano, just find the directory where the installation files are:
whereis nano


And we find: /usr/ports/editors/nano

Now just go into this directory and install the application:
cd /usr/ports/editors/nano

make install clean


Now the application is installed. For the installation to take effect in your current shell (so it finds the new binary), run:
rehash

How to add a routed IP (IP Fail-Over)
Configuring an alias on the main IP in FreeBSD

On one server we can have many IPs even if it has only one network card.
Just buy an additional IP from our datacenter and route our IP Fail-Over to our FreeBSD server.

We suppose we have 2 network cards and we add 2 IP Fail-Over to each card.

This is the routing:
94.23.73.101 > 87.98.222.131
94.23.159.44 > 87.98.222.131
94.23.73.41  > 87.98.223.131
94.23.73.42  > 87.98.223.131

em0: 87.98.222.131
em1: 87.98.223.131

Open /etc/rc.conf; it contains:
ifconfig_em0="inet 87.98.222.131 netmask 255.255.255.0 broadcast 87.98.222.255"
defaultrouter="87.98.222.254"
ifconfig_em1="inet 87.98.223.131 netmask 255.255.255.0 broadcast 87.98.223.255"


And add:
ifconfig_em0_alias0="inet 94.23.73.101 netmask 255.255.255.255"
ifconfig_em0_alias1="inet 94.23.159.44 netmask 255.255.255.255"
ifconfig_em1_alias0="inet 94.23.73.41 netmask 255.255.255.255"
ifconfig_em1_alias1="inet 94.23.73.42 netmask 255.255.255.255"


Not all configurations are the same; the network cards can also have a different name. Here we have em, but it could also be vr.
Before editing, run ifconfig and see what the name of your network card is.

Remember, each alias starts from 0.
If you start with another number or the numbers are not sequential, FreeBSD won't boot.
The aliases of each network card start again from 0.
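Because a gap or a wrong starting number in the alias sequence leaves the box unbootable, it is worth checking rc.conf before rebooting. The function below is an added example, not from the original post: it extracts every ifconfig_<interface>_alias<N> entry and verifies that, per interface, the numbers run 0, 1, 2, ... without gaps. The rc.conf contents used in the test are constructed from the entries shown above.

```shell
# Added example, not from the original post: check the ifconfig_<if>_aliasN
# entries of an rc.conf before rebooting. For every interface the alias
# numbers must be 0,1,2,... with no gaps, as the post warns. The file is
# passed as $1. Prints one line per problem; returns 1 if any was found,
# 0 otherwise.

check_rc_aliases() {
    rcfile=$1
    # Turn lines like ifconfig_em0_alias1="..." into "em0 1" pairs.
    sed -n 's/^[[:space:]]*ifconfig_\([a-z][a-z0-9]*\)_alias\([0-9][0-9]*\)=.*/\1 \2/p' "$rcfile" |
    sort -k1,1 -k2,2n |
    awk '
        {
            if ($1 != iface) {          # new interface: numbering restarts at 0
                iface = $1; expect = 0
            }
            if ($2 != expect) {
                printf "%s: found alias%s, expected alias%d\n", $1, $2, expect
                bad = 1
                expect = $2             # resync so one gap is reported once
            }
            expect++
        }
        END { exit bad }
    '
}

# Typical use before a reboot (prints nothing and returns 0 when the file is fine):
#   check_rc_aliases /etc/rc.conf || echo "fix /etc/rc.conf before rebooting"
```

The check only covers the numbering rule from the post; it does not validate the addresses or netmasks themselves.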

Install and Configure MySQL
Perform the configuration of MySQL after installing

MySQL is a database storage engine, the most used for PHP sites/scripts/applications. Here I will install an optimized version with some basic security precautions.

Installing libpthread
cd /usr/ports/devel/libpthread-stubs/
make install clean

Installing MySQL
cd /usr/ports/databases/mysql51-server/
make -D BUILD_OPTIMIZED=yes BUILD_STATIC=yes WITH_PROC_SCOPE_PTH=yes install clean

Copying the config file and MySQL files
cp /usr/local/share/mysql/my-large.cnf /etc/my.cnf

This is a template of my.cnf that will help keep MySQL secure. Make sure you leave skip-networking and set-variable=local-infile=0 in your config file.
[mysqld]
#skip-name-resolve
safe-show-database
#old_passwords
back_log = 50
skip-innodb
max_connections = 500
key_buffer_size = 128M
myisam_sort_buffer_size = 128M
join_buffer_size = 1M
read_buffer_size = 1M
sort_buffer_size = 4M
table_cache = 5000
thread_cache_size = 256
wait_timeout = 20
connect_timeout = 30
tmp_table_size = 128M
max_heap_table_size = 64M
max_allowed_packet = 64M
net_buffer_length = 16384
max_connect_errors = 10
thread_concurrency = 2
concurrent_insert = 2
table_lock_wait_timeout = 30
read_rnd_buffer_size = 786432
bulk_insert_buffer_size = 8M
query_cache_limit = 6M
query_cache_size = 128M
query_cache_type = 1
query_prealloc_size = 262144
query_alloc_block_size = 65536
transaction_alloc_block_size = 8192
transaction_prealloc_size = 4096
default-storage-engine = MyISAM
max_write_lock_count = 16
skip-networking
set-variable=local-infile=0

[mysqld_safe]
nice = -10
open_files_limit = 8192

[mysqldump]
quick
max_allowed_packet = 16M

[myisamchk]
key_buffer = 384M
sort_buffer = 64M
read_buffer = 16M
write_buffer = 16M

Setup MySQL
mysql_install_db --user=mysql
chown -R mysql /var/db/mysql/
chgrp -R mysql /var/db/mysql/
/usr/local/bin/mysqld_safe --user=mysql &
exit

Open /etc/rc.conf and add
mysql_enable="YES"

Starting MySQL
/usr/local/etc/rc.d/mysql-server start

Change the root password of MySQL
/usr/local/bin/mysqladmin -u root password 'newpassword'

To log in as root
mysql -u root -p

Optional: deleting the test database
mysql> drop database test;
mysql> use mysql;
mysql> delete from db;
mysql> delete from user where not (host="localhost" and user="root");
mysql> flush privileges;

To make MySQL administration more secure, change the root username for MySQL
mysql> update user set user="sqladmindatabase" where user="root";
mysql> flush privileges;

Installing the PHP extensions to open a connection between PHP and MySQL
cd /usr/ports/databases/php5-mysql/
make install clean
cd /usr/ports/databases/php5-mysqli/
make install clean

Restarting php-fpm
/usr/local/etc/rc.d/php-fpm restart

Clean the last MySQL commands (the password above included) from the history
cat /dev/null > ~/.mysql_history

Now the MySQL database is correctly installed, configured and optimized ;)

Securing and installing a cPanel server completely from scratch
Installation, configuration and optimization of a cPanel WHM server to prevent hacker attacks

If you want to have a secure web server using cPanel, you must know some settings to optimize and secure the server and prevent overloading.
I have posted this tutorial to help you prevent DDoS attacks and secure your server.


Contents of this big tutorial:
  • Introduction
  • cP/WHM Installation and cP/WHM Configuration
  • The server and its services | PHP Installation, Optimization & Security
  • Kernel Hardening | Linux Kernel + Grsecurity Patch
  • SSH
  • Firewall | DDoS Protection
  • Mod_Security
  • Anti-Virus - ClamAV
  • Rootkit
  • The Rest of Shits

Introduction

I wrote a step-by-step paper on how to secure a Linux server with cP/WHM and Apache installed. By default, Linux is not secured enough, but you have to understand there is no such thing as a "totally secured server/system". The purpose of this paper is to understand how to at least provide some kind of security to the server. I prefer the lsws web server without any control panel at all, but for this paper I have used CentOS 5 with cP/WHM and the Apache web server installed, since a lot of hosting companies and individuals out there are using it.

Let's start :)

So, you bought the server with CentOS 5 installed. If you ordered cP/WHM together with the server, you can skip step 2.1.


cP/WHM installation and configuration

  • cP/WHM Installation
To begin your installation, use the following commands in SSH:
root@server [~]# cd /home
root@server [/home]# wget http://layer1.cpanel.net/latest
root@server [/home]# sh latest


cd /home - opens the /home directory
wget http://layer1.cpanel.net/latest - fetches the latest installation script from the cPanel servers.
sh latest - runs the installation script (wget does not set the execute bit, so run it through sh rather than as ./latest).
cP/WHM should be installed now. You should be able to access cPanel via it now.

  • cP/WHM Configuration
Login to WHM using root username/passwd

WHM - Server setup - Tweak Security:

Enable open_basedir protection
Disable Compilers for all accounts(except root)
Enable Shell Bomb/memory Protection
Enable cPHulk Brute Force Protection

WHM - Account Functions:

Disable cPanel Demo Mode
Disable shell access for all accounts(except root)

WHM - Service Configuration - FTP Configuration:

Disable anonymous FTP access

WHM - MySQL:

Set a MySQL password (don't set the same password as for root access)
-If you don't set a MySQL password, anyone will be able to log into the DB with
username "root" without a password and delete/edit/download any db on the server.

WHM - Service Configuration - Apache Configuration - PHP and SuExec Configuration

Enable suEXEC - suEXEC = On
When PHP runs as an Apache module it executes as the user/group of the web server, which is usually "nobody" or "apache". suEXEC changes this so that scripts are run as CGI. That means scripts are executed as the user that created them. With suEXEC, script permissions can't be set to 777 (read/write/execute at user/group/world level).


The server and its services | PHP Installation, Optimization & Security


  • Keep all services and scripts up to date and make sure you are running the latest secured version.
On CentOS, type this into SSH to upgrade/update the services on the server:
[root@server ~]# yum update

and
[root@server ~]# yum upgrade


  • PHP installation/update, configuration and optimization + Suhosin patch
First download what you need; type the following into SSH:
root@server [~]# cd /root
root@server [~]# wget http://www.php.net/get/php-5.2.9.tar.bz2/from/this/mirror
root@server [~]# wget http://download.suhosin.org/suhosin-patch-5.2.8-0.9.6.3.patch.gz
root@server [~]# wget http://download.suhosin.org/suhosin-0.9.27.tgz



Untar PHP:
root@server [~]# tar xvjf php-5.2.9.tar.bz2


Patch the source:
root@server [~]# gunzip < suhosin-patch-5.2.8-0.9.6.3.patch.gz | patch -p0


Configure the source. If you want to use the same config as you used for the last PHP build, that is not a problem, but you will have to add --enable-suhosin to the old config. To get the old config, type this into SSH:
root@server [~]# php -i | grep ./configure


root@server [~]# cd php-5.2.9
root@server [~/php-5.2.9]# ./configure --enable-suhosin
root@server [~/php-5.2.9]# make
root@server [~/php-5.2.9]# make install
 


Note: If you get an error like make: command not found or patch: Command not found, you will have to install "make" and "patch". It can be done easily. Just type this into SSH:
root@server [~]# yum install make
root@server [~]# yum install patch



Now check that everything is as you want. Upload a PHP script like this to the server:
<?php
phpinfo();
?>
 


And open it via your browser and you will see your PHP configuration there.

  • Suhosin
We will install Suhosin now; it's an advanced protection system for PHP.
root@server [~]# tar zxvf suhosin-0.9.27.tgz
root@server [~]# cd suhosin-0.9.27
root@server [~/suhosin-0.9.27]# phpize
root@server [~/suhosin-0.9.27]# ./configure
root@server [~/suhosin-0.9.27]# make
root@server [~/suhosin-0.9.27]# make install


After you installed suhosin you will get something like this: It's installed to /usr/local/lib/php/extensions/no-debug-non-zts-20060613/

Now edit your php.ini. If you don't know where php.ini is located, type this into SSH:
root@server [~]# php -i | grep php.ini


Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini

It means you have to edit /usr/local/lib/php.ini
Type into SSH:
root@server [~]# nano /usr/local/lib/php.ini


If you get an error, nano: Command not found, then:
root@server [~]# yum install nano


Find "extension_dir =" and add:
extension_dir = /usr/local/lib/php/extensions/no-debug-non-zts-20060613/


To save it, CTRL + O and press the enter button on your keyboard.

  • Zend Optimizer
root@server [~]# tar -zxvf ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz
root@server [~]# cd ZendOptimizer-3.3.3-linux-glibc23-i386
root@server [~/ZendOptimizer-3.3.3-linux-glibc23-i386]# ./install.sh

Welcome to Zend Optimizer installation..... - Press Enter button
Zend licence agreement... - Press Enter button
Do you accept the terms of this licence... - Yes, press Enter button
Location of Zend Optimizer... - /usr/local/Zend, press Enter button
Confirm the location of your php.ini file...- /usr/local/lib, press Enter button
Are you using Apache web-server.. - Yes, press Enter button
Specify the full path to the Apache control utility(apachectl)...-/usr/local/apache/bin/apachectl, press Enter button
The installation has completed successfully...- Press Enter button

Now restart apache, type this into SSH:
service httpd restart


  • php.ini & disabled functions
Edit php.ini like this:
root@server [~]# nano /usr/local/lib/php.ini


safe_mode = On
expose_php = Off
enable_dl = Off
magic_quotes_gpc = On
register_globals = Off
display_errors = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd


root@server [~]# service httpd restart


Or you can edit php.ini via WHM:
WHM - Service Configuration - PHP Configuration Editor
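
To check a php.ini against the settings above without reading it by hand, here is a small POSIX shell script I am adding as an example; it is not part of the original guide. The sample php.ini it feeds itself is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the guide): audit a php.ini against the directives
# recommended above. The sample php.ini is constructed; function names and the
# temp-file handling are my own choices.

# Directives and the values the guide recommends, one name=value per line.
wanted_directives() {
    cat <<'EOF'
safe_mode=On
expose_php=Off
enable_dl=Off
magic_quotes_gpc=On
register_globals=Off
display_errors=Off
EOF
}

# Functions the guide puts in disable_functions.
wanted_disabled() {
    echo "system show_source symlink exec dl shell_exec passthru phpinfo escapeshellarg escapeshellcmd"
}

# Effective value of DIRECTIVE in FILE: ignores ; comments, takes the last
# assignment, strips surrounding blanks and quotes. Prints nothing if unset.
ini_value() {          # ini_value FILE DIRECTIVE
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        {
            line = $0
            sub(/;.*/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (k == key) last = v
        }
        END { if (last != "") print last }' "$1"
}

# One line per problem: a directive whose value (compared case-insensitively)
# differs from the recommendation, or a function missing from disable_functions.
php_ini_findings() {   # php_ini_findings FILE
    wanted_directives | while IFS='=' read -r key want; do
        got=$(ini_value "$1" "$key")
        lgot=$(printf '%s' "$got" | tr 'A-Z' 'a-z')
        lwant=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        [ "$lgot" = "$lwant" ] || echo "$key expected=$want got=${got:-<unset>}"
    done
    disabled=$(ini_value "$1" disable_functions | tr ',' ' ')
    for fn in $(wanted_disabled); do
        case " $disabled " in
            *" $fn "*) ;;
            *) echo "disable_functions missing $fn" ;;
        esac
    done
}

# Number of findings; 0 means the file matches the guide.
php_ini_finding_count() {
    php_ini_findings "$1" | wc -l | tr -d ' '
}

# Constructed sample: expose_php still On and escapeshellcmd not disabled.
sample_php_ini() {
    cat <<'EOF'
; constructed sample php.ini for the example, not a real server file
[PHP]
safe_mode = On
expose_php = On   ; still leaks the PHP version in the Server header
enable_dl = Off
magic_quotes_gpc = On
register_globals = off
display_errors = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg
EOF
}

main() {
    tmp=$(mktemp)
    sample_php_ini > "$tmp"
    php_ini_findings "$tmp"     # prints the two findings for the sample
    rm -f "$tmp"
}
main
```

Run it against the real file with php_ini_findings /usr/local/lib/php.ini after the edit and again after service httpd restart; an empty result means every directive above is set as the guide says. The values are compared case-insensitively because PHP accepts On/on/Off/off alike.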


Kernel Hardening | Linux Kernel + Grsecurity Patch


Description : grsecurity is an innovative approach to security utilizing
a multi-layered detection, prevention, and containment model. It is
licensed under the GPL. It offers among many other features:
-An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your
entire system with no configuration
-Change root (chroot) hardening
-/tmp race prevention
-Extensive auditing
-Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
-Prevention of arbitrary code execution in the kernel
-Randomization of the stack, library, and heap bases
-Kernel stack base randomization
-Protection against exploitable null-pointer dereference bugs in the kernel
-Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
-A restriction that allows a user to only view his/her processes
-Security alerts and audits that contain the IP address of the person causing the alert

Downloading and patching kernel with grsecurity

root@server [~]# cd /root
root@server [~]# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.26.5.tar.gz
root@server [~]# wget http://www.grsecurity.com/test/grsecurity-2.1.12-2.6.26.5-200809141715.patch
root@server [~]# tar xzvf linux-2.6.26.5.tar.gz
root@server [~]# patch -p0 < grsecurity-2.1.12-2.6.26.5-200809141715.patch
root@server [~]# mv linux-2.6.26.5 linux-2.6.26.5-grsec
root@server [~]# ln -s linux-2.6.26.5-grsec/ linux
root@server [~]# cd linux
root@server [~/linux]# cp /boot/config-`uname -r` .config
root@server [~/linux]# make oldconfig


Compile the Kernel:
root@server [~/linux]# make bzImage
root@server [~/linux]# make modules
root@server [~/linux]# make modules_install
root@server [~/linux]# make install


Check your grub loader config and make sure default is 0, so that the newly added kernel entry (the first one in the list) is the one booted:
root@server [~/linux]# nano /boot/grub/grub.conf


Reboot the server
root@server [~/linux]# reboot



SSH - Secure Shell


In order to change SSH port and protocol you will have to edit sshd_config
root@server [~]# nano /etc/ssh/sshd_config


Change Protocol 2,1 to Protocol 2
Change #Port 22 to some other port and uncomment it,
like Port 1337, 3535, 8889..

There are a lot of script kiddies with brute forcers, and they will try to crack our SSH password because they know the username is root and the port is 22.
But we were smarter, we changed the SSH port :)
Also, their "brute forcing" can increase server load, which means our sites (hosted on that server) will be slower.

SSH Legal Message
Edit /etc/motd and write something like this in it:
"alert! That is a secured area. Your IP is logged. Administrator has been notified"

When someone logs into SSH he will see that message:
alert! That is a secured area. Your IP is logged. Administrator has been notified

If you want to receive an email every time someone logs into SSH as root, edit .bash_profile (it's located in the /root directory) and put this at the end of the file:
echo 'alert - Root Shell Access on:' `date` `who` | mail -s "alert: Root Access from `who | awk '{print $6}'`" mail@something.com

And at the end restart SSH: type "service sshd restart" into SSH.
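
The one-liner above picks the source address out of a column of who, which moves around depending on the date format. As an added example (not from the guide), here is the same alert written to take the address from SSH_CONNECTION, which sshd sets for every session. The recipient mail@something.com is the guide's placeholder, the script path /root/root-alert.sh and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the guide): root-login alert that takes the source
# address from SSH_CONNECTION, which sshd sets for every session, instead of
# a column of `who`. Recipient is the guide's placeholder; function names mine.

ALERT_TO="${ALERT_TO:-mail@something.com}"   # placeholder recipient

# Client IP of the current session: SSH_CONNECTION is
# "client_ip client_port server_ip server_port". Empty outside SSH.
ssh_client_ip() {
    set -- ${SSH_CONNECTION:-}
    printf '%s' "${1:-}"
}

# Subject in the guide's format: "alert: Root Access from <ip>".
root_alert_subject() {
    ip=$(ssh_client_ip)
    printf 'alert: Root Access from %s' "${ip:-unknown}"
}

# Body: time, account and source address of the login.
root_alert_body() {
    printf 'alert - Root Shell Access on: %s by %s from %s\n' \
        "$(date)" "$(id -un)" "$(ssh_client_ip)"
}

# Send the alert only for root sessions that arrived over SSH.
# Returns 1 (without sending) otherwise, so it is safe to call from
# /root/.bash_profile as:  . /root/root-alert.sh; notify_root_login
notify_root_login() {
    [ "$(id -u)" -eq 0 ] || return 1
    [ -n "${SSH_CONNECTION:-}" ] || return 1
    root_alert_body | mail -s "$(root_alert_subject)" "$ALERT_TO"
}

# Dry run: show what would be sent for the current session. Only runs when
# the file is executed directly as root-alert.sh, not when it is sourced.
main() {
    echo "To: $ALERT_TO"
    echo "Subject: $(root_alert_subject)"
    root_alert_body
}
case "${0##*/}" in root-alert.sh) main ;; esac
```

Save it as /root/root-alert.sh, add the two commands from the comment to the end of /root/.bash_profile, and log in over SSH once to see the mail; running sh root-alert.sh from an SSH session prints the message without sending it.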


Firewall | DDoS Protection


  • Firewall, CSF Installation
root@server [~]# wget http://www.configserver.com/free/csf.tgz
root@server [~]# tar -xzf csf.tgz
root@server [~]# cd csf


In order to install csf your server needs to have some iptables modules
enabled. csftest.pl is a Perl script that comes with csf; you can check
those modules with it.
root@server [~/csf]# ./csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing ipt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK

Don't worry if you don't have all those modules enabled, csf will work if
you didn't get any FATAL errors at the end of the output.

Now, get to installation
root@server [~/csf]# ./install.sh


You will have to edit the csf.conf file. It's located here:
/etc/csf/csf.conf

You need to take it out of testing mode, like this:
TESTING = "0"


And you need to configure the open ports in csf.conf or you won't be able to
access those ports. In most cases it should be configured like this if
you are using cPanel/WHM. If you are running something on some other port
you will have to enable it here, and if you changed the SSH port you will have
to add the new port here:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2087,2089,2703"


CSF Connection Limit
In csf.conf there is the CT (connection tracking) option; configure it like this:
CT_LIMIT = "60"

It means every IP with more than 60 connections is going to be blocked.
CT_PERMANENT = "1"

The IP will be blocked permanently. (With CT_PERMANENT set to "1" the block never expires and CT_BLOCK_TIME below is not used; set it to "0" if you want temporary blocks instead.)
CT_BLOCK_TIME = "1800"

The IP will be blocked for 1800 secs (1800 secs = 30 mins).
CT_INTERVAL = "60"

Set this to the number of seconds between connection tracking scans.

After csf.conf editing you need to restart csf
root@server [~]# service csf restart


  • SYN Cookies
Edit the /etc/sysctl.conf file and add the following line in order to enable SYN cookies protection:

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1


root@server [~]# service network restart


  • CSF as security testing tool
CSF has an option "Server Security Check". Go to WHM - Plugins - CSF -
Test Server Security. You will see additional steps how to secure the
server even more. I'm writing only about most important things here and
I covered most of them in the paper but if you want you can follow steps
provided by CSF to get the server even more secured.

  • Mod_Evasive
The mod_evasive module for Apache offers protection against DoS/DDoS (denial of service) attacks on your server: it counts requests per client and page and blocks clients that exceed the limits below.

To install it login into SSH and type:

root@server [~]# cd /root/
root@server [~]# wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
root@server [~]# tar zxf mod_evasive_1.10.1.tar.gz
root@server [~]# cd mod_evasive


then type...
root@server [~/mod_evasive]# /usr/local/apache/bin/apxs -i -a -c mod_evasive20.c


When mod_evasive is installed, place the following lines in your httpd.conf (/etc/httpd/conf/httpd.conf)

<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
</IfModule>
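
To make the DOSPageCount and DOSPageInterval numbers concrete, here is an added example (my own awk approximation, not mod_evasive's code) that applies the same kind of per-client, per-page rule to a few constructed request records of the form "epoch client_ip uri". The sample data, the function names and the simplified rule are mine.

```shell
#!/bin/sh
# Added example (not mod_evasive's code): an awk approximation of the
# DOSPageCount / DOSPageInterval rule above, run over constructed request
# records "epoch client_ip uri" so the numbers in the config become concrete.
# Function names and the sample data are my own.

# Constructed requests: 203.0.113.9 hits /index.html three times in one second,
# 198.51.100.7 hits /login.php once a second, 192.0.2.3 hits / twice.
sample_requests() {
    cat <<'EOF'
1284700000 203.0.113.9 /index.html
1284700000 203.0.113.9 /index.html
1284700000 203.0.113.9 /index.html
1284700001 198.51.100.7 /login.php
1284700002 198.51.100.7 /login.php
1284700003 198.51.100.7 /login.php
1284700005 192.0.2.3 /
1284700005 192.0.2.3 /
EOF
}

# Print each client that would be blocked: a (client, uri) counter is kept
# while consecutive hits arrive less than INTERVAL seconds apart and reset
# otherwise; a hit arriving when the counter is already at PAGECOUNT triggers
# the block. Defaults are the guide's values (DOSPageCount 2, DOSPageInterval 1),
# so the third hit on the same page within a second is the one blocked.
page_floods() {        # page_floods [PAGECOUNT] [INTERVAL]  (requests on stdin)
    awk -v maxhits="${1:-2}" -v interval="${2:-1}" '
    {
        t = $1 + 0; ip = $2; key = ip SUBSEP $3
        if ((key in last) && t - last[key] < interval) {
            if (hits[key] >= maxhits && !(ip in blocked)) {
                blocked[ip] = t
                print ip
            }
        } else {
            hits[key] = 0
        }
        last[key] = t
        hits[key]++
    }'
}

main() {
    echo "blocked with DOSPageCount 2, DOSPageInterval 1:"
    sample_requests | page_floods
    echo "blocked with DOSPageCount 2, DOSPageInterval 2:"
    sample_requests | page_floods 2 2
}
main
```

With the guide's values only the client that reloads one page three times inside a second is blocked; widening the interval to 2 seconds also catches the client that hits /login.php once per second, which shows why the interval should be chosen with real traffic in mind (a busy page with many images can hit the page counter from a single normal visitor).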
 


  • Random things
csf -d IP - Block an IP with CSF
csf -dr IP - Unblock an IP with CSF
csf -s - Start firewall rules
csf -f - Flush/stop firewall rules
csf -r - Restart firewall rules
csf -x - Disable CSF
csf -e - Enable CSF
csf -c - Check for updates
csf -h - Show help screen

-Block an IP via iptables
iptables -A INPUT -s IP -j DROP

-Unblock an IP via iptables (delete the DROP rule you added; appending an ACCEPT rule after it would not help, because the earlier DROP rule still matches first)
iptables -D INPUT -s IP -j DROP

-See how many IP addresses are connected to the server and how many connections each of them has.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
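
The pipeline above is what the CT_LIMIT check in csf.conf does on a schedule. As an added example (not from the guide or from CSF), here is the same count wrapped in functions with a threshold, run over constructed netstat output so it can be tried offline. The sample addresses are documentation ranges and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the guide): the per-IP connection count from the
# netstat pipeline above, plus a threshold check in the spirit of CSF's
# CT_LIMIT. The netstat output below is constructed; names are my own.

# Constructed `netstat -ntu` output (documentation address ranges):
# 198.51.100.7 holds 4 connections, 203.0.113.9 holds 2, 192.0.2.3 holds 1.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:53011      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:53012      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:53013      SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.7:53014      ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40002       TIME_WAIT
udp        0      0 10.0.0.5:53             192.0.2.3:5353          ESTABLISHED
EOF
}

# "count ip" per foreign address, ascending, like the guide's pipeline but
# keeping only tcp/udp rows so the two header lines are not counted.
connections_per_ip() {     # netstat output on stdin
    awk '$1 ~ /^(tcp|udp)/ { print $5 }' | cut -d: -f1 | sort | uniq -c \
        | sort -n | awk '{ print $1, $2 }'
}

# Foreign addresses with more than LIMIT connections (default 60, the
# CT_LIMIT value used above).
ips_over_limit() {         # ips_over_limit [LIMIT]  (netstat output on stdin)
    limit=${1:-60}
    connections_per_ip | awk -v limit="$limit" '$1 > limit { print $2 }'
}

main() {
    echo "connections per IP:"
    sample_netstat | connections_per_ip
    echo "over a limit of 3:"
    sample_netstat | ips_over_limit 3
}
main
```

On a real server replace sample_netstat with netstat -ntu (for example netstat -ntu | ips_over_limit 60). The count includes TIME_WAIT and SYN_RECV entries, just as CSF's connection tracking does by default, which is why a single busy visitor behind a NAT can look like many connections; keep that in mind before lowering CT_LIMIT.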


  • Mod_Security

Mod_Security is a web application firewall and it can help us to secure our sites against RFI, LFI, XSS, SQL Injection etc.

If you use cPanel/WHM you can easily enable Mod_Security in WHM - Plugins - Enable Mod_Security and save.

Now I will explain how to install Mod_Security from source.
You can't install Mod_Security if you don't have the libxml2 and httpd-devel libraries.
Also, you need to enable mod_unique_id in the Apache modules, but don't worry, I will explain how to do it :)

Login into SSH and type...

root@server [~]# yum install libxml2 libxml2-devel httpd-devel


libxml2 libxml2-devel httpd-devel should be installed now

then you need to edit httpd.conf file, you can find it here:
root@server [~]# nano /etc/httpd/conf/httpd.conf


You need to add this in your httpd.conf file
LoadModule unique_id_module modules/mod_unique_id.so

Now download the latest version of mod_security for apache2 from http://www.modsecurity.org/

login into SSH and type...

root@server [~]# cd /root/
root@server [~]# wget http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz
root@server [~]# tar zxf modsecurity-apache_2.5.6.tar.gz
root@server [~]# cd modsecurity-apache_2.5.6
root@server [~/modsecurity-apache_2.5.6]# cd apache2


then type:
root@server [~/modsecurity-apache_2.5.6/apache2]# ./configure
root@server [~/modsecurity-apache_2.5.6/apache2]# make
root@server [~/modsecurity-apache_2.5.6/apache2]# make install


Go to the end of httpd.conf and add an include for our config/rules file...
Include /etc/httpd/conf/modsecurity.conf


The relevant part of httpd.conf should then look like this:
# /etc/httpd/conf/httpd.conf
LoadModule unique_id_module modules/mod_unique_id.so
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include /etc/httpd/conf/modsecurity.conf

You need to find good rules for Mod_Security. You can find them at the
official Mod_Security site. Also, give the gotroot.com rules a try. When
you have found good rules, just put them in /etc/httpd/conf/modsecurity.conf

And restart httpd at the end, type "service httpd restart" into SSH.

  • Anti-Virus - ClamAV

You need AV protection to protect the server against worms and trojans
invading your mailbox and files! Just install ClamAV (a free open source
antivirus for Linux). More information can be found on the ClamAV site.

In order to install CLamAV login into SSH and type

root@server [~]# yum install clamav


Once you have installed clamav for your CentOS, here are some basic commands you will need:

Update the antivirus database
root@server [~]# freshclam


Run antivirus
root@server [~]# clamscan -r /home


Running as a Cron Daily Job
To run the antivirus as a cron job (an automatic daily scan) just run
crontab -e from your command line. Then add the following line and save
the file (a crontab opened with crontab -e has no user column, and -r is the
recursive flag, as in the command above):
@daily clamscan -r /home

It means clamav will be scanning /home directory every day. You can change the folder to whatever you want to scan.


Rootkit

A rootkit scanner is a scanning tool to make sure, for about 99.9%*, that you are clean of nasty tools.
This tool (rkhunter) scans for rootkits, backdoors and local exploits by running tests like:
-MD5 hash compare
-Look for default files used by rootkits
-Wrong file permissions for binaries
-Look for suspected strings in LKM and KLD modules
-Look for hidden files
-Optional scan within plaintext and binary files

Installation:

Login into SSH and type

root@server [~]# cd /root/
root@server [~]# wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
root@server [~]# tar -zxvf rkhunter-1.2.7.tar.gz
root@server [~]# cd rkhunter
root@server [~/rkhunter]# ./installer.sh


Scan the server with rkhunter
root@server [~]# rkhunter -c


The Rest of Shits

  • Random suggestions

If you use the BIND DNS server then we need to edit the named.conf file.
named.conf is located here: /etc/named.conf

Add recursion no; inside the options block:

options {
    recursion no;
    # the rest of your existing options stay here
};


Now restart bind, type into SSH
root@server [~]# service named restart


This stops outsiders from using your server as an open recursive resolver (for example lookups from dnstools.com and similar services) and reduces server load.

In order to prevent IP spoofing, you need to edit the host.conf file like this:
This file is located here: /etc/host.conf
Add this to host.conf:
order bind,hosts
nospoof on


Hide the Apache version number:

edit httpd.conf (/etc/httpd/conf/httpd.conf)

ServerSignature Off


  • Passwords
Don't use the password you are using for the server anywhere else.
When the datacenter contacts you via e-mail or phone, always request
more information. Remember, someone else could contact you pretending to be
them to get information or even root passwords.

  • Random thoughts
No matter what, you need to secure the server; don't think you are safe
only because you are not personally involved in any shits with
"hackers". When you are hosting hacking/warez related sites you are the
target. There is no such thing as a totally secured server. The most important
thing is backups, make sure you always have up-to-date
offsite backups ^^

Anyhow, this is the end of my paper, I hope it will help you to get some
kind of security to your server.
