Generally it depends on what services are running on the server. All the ports which can be used by Plesk/services are listed below:
#20 ftp-data
#21 ftp
#22 ssh
#25 smtp
#53 dns (TCP and UDP)
#80 http
#106 poppassd (for localhost only)
#110 pop3
#113 auth
#143 imap
#443 https
#465 smtps
#990 ftps
#993 imaps
#995 pop3s
#3306 mysql
#5432 postgres
#8443 plesk-https
#9080 tomcat
#5224 (outgoing) plesk-license-update
Wednesday, March 5, 2008
I deleted mail messages in Horde Webmail, but I'm still able to see the deleted messages if I use Outlook to check mail.
Please make sure that you use "Purge Deleted" rather then "Hide Deleted" in Webmail interface. If you don't use "Purge Deleted", messages which were deleted are marked as hidden under webmail, but still available for download through POP3 or IMAP.
How do I restart Plesk for Linux?
To restart Plesk for Linux, issue the following commands via SSH:
# /etc/rc.d/init.d/psa stopall
# /etc/rc.d/init.d/psa start
# /etc/rc.d/init.d/psa stopall
# /etc/rc.d/init.d/psa start
Plesk > How do I login as root in MySQL?
Plesk does not have a root user for MySQL. You will need to login via the following command:
mysql -u admin -p`cat /etc/psa/.psa.shadow`
mysql -u admin -p`cat /etc/psa/.psa.shadow`
Where can I find php.ini configuration file on the Plesk server?
Usually the location of the file is /etc/php.ini. And PHP modules *.ini files are placed in /etc/php.d. Also, you can find which configuration files are used by PHP using a script with phpinfo() function:
phpinfo();
?>
Simply create a phpinfo.php file with the code above, and access that page in your web browser and look for "Configuration File (php.ini) Path", "Scan this dir for additional .ini files" and "additional .ini files parsed" sections at the beginning of the page.
phpinfo();
?>
Simply create a phpinfo.php file with the code above, and access that page in your web browser and look for "Configuration File (php.ini) Path", "Scan this dir for additional .ini files" and "additional .ini files parsed" sections at the beginning of the page.
How to Retrieve Your Plesk Admin Password
If you have forgotten your Plesk password, it can be retrieved with the following command via SSH:
cat /etc/psa/.psa.shadow
Please note that it is imperative for security reasons this file maintains the 0600 file permissions, so you will need to be "root" in order to view the contents of this file. This is also the "admin" login to the MySQL database service, and the contents of this file must always match the "admin" login to MySQL to ensure proper Plesk operation.
cat /etc/psa/.psa.shadow
Please note that it is imperative for security reasons this file maintains the 0600 file permissions, so you will need to be "root" in order to view the contents of this file. This is also the "admin" login to the MySQL database service, and the contents of this file must always match the "admin" login to MySQL to ensure proper Plesk operation.
How to run Qmail on a different port
These steps allow you to setup Qmail on a Plesk server to listen on an alternate port for SMTP as well as the default 25. This is useful if your or your customer’s ISP is blocking outgoing connections to port 25.
Log into the server using SSH.
Edit /etc/services, adding an entry for the alternate SMTP service and its associated port.
>vi /etc/services
For example, if you wanted to use port 9025, you would add the following:
smtp-alt 9025/tcp # Alternate STMP Port
Create a definition for the smtp-alt service in /etc/xinetd.d:
>cd /etc/xinetd.d
>cp smtp_psa smtp_alt_psa
3) Edit smtp_alt_psa:
>vi smtp_alt_psa
Change “service smtp” to “service smtp-alt”. Save the file and quit.
Restart xinetd
>service xinetd restart
Test it out by establishing a telnet connection to the new port. You should see the following:
>telnet localhost PORT
You should see a SMTP banner such as the following:
220 hostname ESMTP
Log into the server using SSH.
Edit /etc/services, adding an entry for the alternate SMTP service and its associated port.
>vi /etc/services
For example, if you wanted to use port 9025, you would add the following:
smtp-alt 9025/tcp # Alternate STMP Port
Create a definition for the smtp-alt service in /etc/xinetd.d:
>cd /etc/xinetd.d
>cp smtp_psa smtp_alt_psa
3) Edit smtp_alt_psa:
>vi smtp_alt_psa
Change “service smtp” to “service smtp-alt”. Save the file and quit.
Restart xinetd
>service xinetd restart
Test it out by establishing a telnet connection to the new port. You should see the following:
>telnet localhost PORT
You should see a SMTP banner such as the following:
220 hostname ESMTP
Enabling Search Engine Friendly URLs in Plesk
Add the following line to your httpd.conf file (located in /etc/httpd/conf/):
AcceptPathinfo On
That's all there is to it! What this does is have Apache check your filesystem for a part of the pathname requested that's actually a file. For instance, if you had the following URL:
http://www.samplewebsite.com/scripts/script.php?option=value
Having AcceptPathinfo set to "On" enables that URL to be requested like this:
http://www.samplewebsite.com/scripts/script.php/option/value
This allows dynamic pages to be passed as static, and therefore more search engine friendly, since search engines will not index the dynamic part of URL's.
AcceptPathinfo On
That's all there is to it! What this does is have Apache check your filesystem for a part of the pathname requested that's actually a file. For instance, if you had the following URL:
http://www.samplewebsite.com/scripts/script.php?option=value
Having AcceptPathinfo set to "On" enables that URL to be requested like this:
http://www.samplewebsite.com/scripts/script.php/option/value
This allows dynamic pages to be passed as static, and therefore more search engine friendly, since search engines will not index the dynamic part of URL's.
Error message: Your Internet Address has changed since the beginning of your Mail session. To protect your security, you must login again.
It means that you are accessing Horde through an ISP that has dynamic proxies. The only solution is to turn 'checkip' feature off in Horde.
To do this you need to edit the "%plesk_vhosts%\webmail\horde\config\conf.php" file. There should be two lines:
$conf['auth']['checkip'] = true;
Both lines must be changed to
$conf['auth']['checkip'] = false;
in order to prevent IP address check upon login and the problem described above.
To do this you need to edit the "%plesk_vhosts%\webmail\horde\config\conf.php" file. There should be two lines:
$conf['auth']['checkip'] = true;
Both lines must be changed to
$conf['auth']['checkip'] = false;
in order to prevent IP address check upon login and the problem described above.
How can I install CDONTS on Windows 2003 Server?
Microsoft Windows Server 2003 does not install Collaboration Data Objects (CDO) for NTS (CDONTS). Therefore, applications that use CDONTS do not function on a Windows Server 2003-based computer.
Windows Server 2003 provides improved alternatives to CDONTS. To make CDONTS functioning on a Windows Server 2003-based computer, use one of the following solutions:
1. Download the attached CDONTS.ZIP file. Once you have downloaded it unzip the CDONTS.DLL and put it into %systemroot%\system32 folder (C:\Windows\system32 by default).
2. Register the CDONTS.DLL component on your server using the following command:
regsvr32 "%systemroot%\system32\cdonts.dll"
For example:
C:\WINDOWS\system32>regsvr32.exe cdonts.dll
3. After you have registered your CDONTS.DLL component you need to check whether your SMTP service is running. Go to Administrative tools > IIS and expand your local machine. If SMTP service is listed then it is installed, else it's necessary to install this service. To install SMTP perform the following operation:
Go to Control Panel > Add/Remove Programs > Add/Remove Windows Components > Application Server > IIS > Check on SMTP service > Click OK.
4. Change the port number for SMTP service. Default port is 25. Use 25 only if you don't have another SMTP service running. If another SMTP service is already running on your server you should switch IIS SMTP port to another, for example to 8025. You can do this through IIS management console:
Control Panel > IIS > expand `local computer` > SMTP > Properties > General tab > click on Advanced button > Edit.
5. Configure SMTP service. The main things are to set a valid full-qualified domain name for SMTP service:
Control Panel > IIS > expand `local computer` > SMTP > Properties > Delivery tab > click on Advanced button
and configure Security for SMTP service. It's necessary to grant permissions to IIS_WPG standard IIS Worker Process Group.
Control Panel > IIS > expand `local computer` > SMTP > Properties > Security tab > click on Add button > cick Object types... button > check on Groups item > click OK > type IIS_WPG as object name to add > click OK.
Additional setting:
Choose Authentication and tick Anonymous Access and Integrated Windows Authentication. Click OK, and then click CONNECTION. Configure RELAY settings as you wish. Click the DELIVERY tab then click ADVANCED. Set the MAX hop count to whatever you like but we recommend at least 20.
Now IIS SMTP service is configured and ready to work.
http://kb.swsoft.com/attachments/560/cdonts.zip
Windows Server 2003 provides improved alternatives to CDONTS. To make CDONTS functioning on a Windows Server 2003-based computer, use one of the following solutions:
1. Download the attached CDONTS.ZIP file. Once you have downloaded it unzip the CDONTS.DLL and put it into %systemroot%\system32 folder (C:\Windows\system32 by default).
2. Register the CDONTS.DLL component on your server using the following command:
regsvr32 "%systemroot%\system32\cdonts.dll"
For example:
C:\WINDOWS\system32>regsvr32.exe cdonts.dll
3. After you have registered your CDONTS.DLL component you need to check whether your SMTP service is running. Go to Administrative tools > IIS and expand your local machine. If SMTP service is listed then it is installed, else it's necessary to install this service. To install SMTP perform the following operation:
Go to Control Panel > Add/Remove Programs > Add/Remove Windows Components > Application Server > IIS > Check on SMTP service > Click OK.
4. Change the port number for SMTP service. Default port is 25. Use 25 only if you don't have another SMTP service running. If another SMTP service is already running on your server you should switch IIS SMTP port to another, for example to 8025. You can do this through IIS management console:
Control Panel > IIS > expand `local computer` > SMTP > Properties > General tab > click on Advanced button > Edit.
5. Configure SMTP service. The main things are to set a valid full-qualified domain name for SMTP service:
Control Panel > IIS > expand `local computer` > SMTP > Properties > Delivery tab > click on Advanced button
and configure Security for SMTP service. It's necessary to grant permissions to IIS_WPG standard IIS Worker Process Group.
Control Panel > IIS > expand `local computer` > SMTP > Properties > Security tab > click on Add button > cick Object types... button > check on Groups item > click OK > type IIS_WPG as object name to add > click OK.
Additional setting:
Choose Authentication and tick Anonymous Access and Integrated Windows Authentication. Click OK, and then click CONNECTION. Configure RELAY settings as you wish. Click the DELIVERY tab then click ADVANCED. Set the MAX hop count to whatever you like but we recommend at least 20.
Now IIS SMTP service is configured and ready to work.
http://kb.swsoft.com/attachments/560/cdonts.zip
Enabling PHP Support in Plesk 8.1 for Windows
Enabling PHP Support in Plesk 8.1 for Windows
To enable PHP support for a domain,navigate tp Domains > domain.com > Setup. On that page you will find a checkbox with the label PHP, select the check box and save the changes. This will enable PHP for that domain.
To enable PHP support for a domain,navigate tp Domains > domain.com > Setup. On that page you will find a checkbox with the label PHP, select the check box and save the changes. This will enable PHP for that domain.
Previewing a Site Before DNS Propogation
If you need to view a website before DNS has propogated to your server, you can modify your computer’s hosts file to accomplish this. This trick is especially useful when you are migrating a site to a new server and wish to test it there before switching the DNS entries over.
On a Windows machine, open C:\WINDOWS\system32\drivers\etc\hosts using notepad. If you are running Linux or Mac OS X, you will need to open /etc/hosts instead.
Once you have the file opened, you will need to add entries for your site:
X.X.X.X domain.com
X.X.X.X www.domain.com
Replace X.X.X.X with the IP address that the site is running on. Save this file and then access the site with your web browser as you would normally. You may need to quit your web browser and open a new one in order for this to take effect.
On a Windows machine, open C:\WINDOWS\system32\drivers\etc\hosts using notepad. If you are running Linux or Mac OS X, you will need to open /etc/hosts instead.
Once you have the file opened, you will need to add entries for your site:
X.X.X.X domain.com
X.X.X.X www.domain.com
Replace X.X.X.X with the IP address that the site is running on. Save this file and then access the site with your web browser as you would normally. You may need to quit your web browser and open a new one in order for this to take effect.
How to install Microsoft DNS
- Open Add/Remove Programs (Start => Settings => Control Panel).
- Click Add/Remove Windows Components. It's a button on the left margin.
- Another window will open. Double-click Networking Services in the list.
- Check the box next to Domain Name System (DNS).
- Click OK.
- Click Next.
That's it .
Restoring ViaRemote Backups in Linux
From the client program you are able to view your backup history and restore files. The client program must be run from a remote shell session. The client program for Linux is called "avtar" and resides in /usr/local/avamar/bin. A symlink is also created at install time and is located at /usr/bin/avatar.
Snapups are the name for the backup set/backup package being taken. Each snapup takes backups of the directories/files that were setup when we started your backup service.
The basic syntax of avtar is:
avtar --command --id=[clientid]@/[clientid] --account=servers/[hostname] (additional options)
A password will also be necessary in order to access the backups. This will be included in the setup email. You will be prompted for this password for every backup operation.
Please note that Client ID will always be the same as your Ubersmith Customer ID. This may also be referred to as your Restore Account User name. For the examples used in this guide, we'll be using a client id of "98765" and a host name of "cftest.fastservers.net" with a password of "changeme".
Restoring Files
Restoring files are handled with the --extract command.
The base syntax for the extract command is:
avtar --extract --id=[clientid]@/[clientid] --account=servers/[hostname] --seq=N
What is a sequence number? :: Sequence numbers refer to the iteration of the backup. VerifyLinuxBackups to retrieve the sequence number you want to restore.
In this section, we’ll discuss the three most common types of manual restore operations:
* Type #1 - Restoring all files and directories to their original locations.
* Type #2 - Restoring all files and directories to an alternate directory.
* Type #3 - Restoring individual files and directories to an alternate directory.
Restoring all files and directories to their original locations
In this type of restore, we’ll be restoring all files contained in the backup set dated 5/23 for our test machine, cftest.fastservers.net, to their original locations. Remember from our previous examples that the backup set from 5/23rd has a Seq number of 1. You can always obtain the Sequence number by pulling up a backup history for the server.
The command line string would be:
avtar --extract --id=98765@/98765 --account=servers/cftest.fastservers.net --seq=1
Restoring all files and directories to an alternate directory
In this type of restore, we’ll be restoring all files contained in the backup set dated 5/23 to our test machine, cftest.fastservers.net, to an alternate directory called /restore. Remember from our previous examples that the backup set from 05/23 has a Seq number of 1. You can always obtain the Sequence number by pulling up a backup history for the server.
The command line string would be:
avtar --extract --id=98765@/98765 --account=servers/cftest.fastservers.net --seq=1 --target=/restore
Restoring individual files and directories to an alternate directory
In this type of restore, we’ll be restoring a specific file contained in the backup set dated 5/23 to an alternate directory called /restore. Remember from our previous examples that the backup set from 5/23 has a Sequence number of 1. You can always obtain the Sequence number by pulling up a backup history for the server.
We’ll be restoring the file “/root/init.txt” from the 05/23 backup set to a directory called /restore. You must specify the full path of the file contained in the backup set. The operation would fail if we passed only “init.txt” to the backup client. You can always obtain the full path of the file within the backup set by listing the contents of the backup set.
The command line string would be:
avtar --extract --id=98765@/98765 --account=servers/cftest.fastservers.net --seq=1 --target=/restore /root/init.txt
The backup client will then begin restoring the file or directory from the backup server. Once this process has been completed, the command will exit.
Please note that if files of the same name already exist in target directory, the client will not restore those files and will skip them instead. This is to prevent accidental file overwrites.
If the requested target directory does not exist, the backup client will create it for you.
Snapups are the name for the backup set/backup package being taken. Each snapup takes backups of the directories/files that were setup when we started your backup service.
The basic syntax of avtar is:
avtar --command --id=[clientid]@/[clientid] --account=servers/[hostname] (additional options)
A password will also be necessary in order to access the backups. This will be included in the setup email. You will be prompted for this password for every backup operation.
Please note that Client ID will always be the same as your Ubersmith Customer ID. This may also be referred to as your Restore Account User name. For the examples used in this guide, we'll be using a client id of "98765" and a host name of "cftest.fastservers.net" with a password of "changeme".
Restoring Files
Restoring files are handled with the --extract command.
The base syntax for the extract command is:
avtar --extract --id=[clientid]@/[clientid] --account=servers/[hostname] --seq=N
What is a sequence number? :: Sequence numbers refer to the iteration of the backup. VerifyLinuxBackups to retrieve the sequence number you want to restore.
In this section, we’ll discuss the three most common types of manual restore operations:
* Type #1 - Restoring all files and directories to their original locations.
* Type #2 - Restoring all files and directories to an alternate directory.
* Type #3 - Restoring individual files and directories to an alternate directory.
Restoring all files and directories to their original locations
In this type of restore, we’ll be restoring all files contained in the backup set dated 5/23 for our test machine, cftest.fastservers.net, to their original locations. Remember from our previous examples that the backup set from 5/23rd has a Seq number of 1. You can always obtain the Sequence number by pulling up a backup history for the server.
The command line string would be:
avtar --extract --id=98765@/98765 --account=servers/cftest.fastservers.net --seq=1
Restoring all files and directories to an alternate directory
In this type of restore, we’ll be restoring all files contained in the backup set dated 5/23 to our test machine, cftest.fastservers.net, to an alternate directory called /restore. Remember from our previous examples that the backup set from 05/23 has a Seq number of 1. You can always obtain the Sequence number by pulling up a backup history for the server.
The command line string would be:
avtar --extract --id=98765@/98765 --account=servers/cftest.fastservers.net --seq=1 --target=/restore
Restoring individual files and directories to an alternate directory
In this type of restore, we’ll be restoring a specific file contained in the backup set dated 5/23 to an alternate directory called /restore. Remember from our previous examples that the backup set from 5/23 has a Sequence number of 1. You can always obtain the Sequence number by pulling up a backup history for the server.
We’ll be restoring the file “/root/init.txt” from the 05/23 backup set to a directory called /restore. You must specify the full path of the file contained in the backup set. The operation would fail if we passed only “init.txt” to the backup client. You can always obtain the full path of the file within the backup set by listing the contents of the backup set.
The command line string would be:
avtar --extract --id=98765@/98765 --account=servers/cftest.fastservers.net --seq=1 --target=/restore /root/init.txt
The backup client will then begin restoring the file or directory from the backup server. Once this process has been completed, the command will exit.
Please note that if files of the same name already exist in target directory, the client will not restore those files and will skip them instead. This is to prevent accidental file overwrites.
If the requested target directory does not exist, the backup client will create it for you.
Verifying ViaRemote Backups for Windows
To view your backup history, double-click the system tray icon for the backup agent. A window will appear that contains a record of your recent backups. This will give you an idea of when you have had successful backups and how large they were as well as the time it took for them to complete.
WHM Pop-up: Hostname A Entry Missing
When you login to WebHost Manager, you may get a pop-up with the following error:
Hostname A Entry Missing!
The server was unable to lookup an an A entry for its hostname (example.hostname.com). This is generally because the entry was never added. However this could also be the result of your nameserver(s) being down. If you would like to attempt to automaticlly add the entry, [Click Here].
If you let WHM try to automatically add the error, it will create a zone file that answers for 'example.hostname.com' with the base IP of your server. This will only solve the problem if this server is the authoritative nameserver for the domain (hostname.com, in this case).
To fix the pop-up for good, just make sure 'example.hostname.com' resolves to an IP. Go to the nameservers for 'hostname.com' and add an A record for 'example.hostname.com' to the 'fastservers.net' zone file. To verify, run a lookup on the hostname from a command prompt:
nslookup example.hostname.com
Hostname A Entry Missing!
The server was unable to lookup an an A entry for its hostname (example.hostname.com). This is generally because the entry was never added. However this could also be the result of your nameserver(s) being down. If you would like to attempt to automaticlly add the entry, [Click Here].
If you let WHM try to automatically add the error, it will create a zone file that answers for 'example.hostname.com' with the base IP of your server. This will only solve the problem if this server is the authoritative nameserver for the domain (hostname.com, in this case).
To fix the pop-up for good, just make sure 'example.hostname.com' resolves to an IP. Go to the nameservers for 'hostname.com' and add an A record for 'example.hostname.com' to the 'fastservers.net' zone file. To verify, run a lookup on the hostname from a command prompt:
nslookup example.hostname.com
cPanel/WHM > How to authorize a remote IP to relay throught Exim
Create a file with your host IP or IPs and named it something like
/etc/privaterelay
Insert the IPs you'd like to give relaying priveleges to:
192.168.0.2
192.168.3.4
Next, located the following entry at the top of the /etc/exim.conf file:
hostlist relay_hosts = lsearch;/etc/relayhosts : \
localhost
and change it to this:
hostlist relay_hosts = lsearch;/etc/relayhosts : \
localhost : lsearch;/etc/privaterelay
That should do it!
/etc/privaterelay
Insert the IPs you'd like to give relaying priveleges to:
192.168.0.2
192.168.3.4
Next, located the following entry at the top of the /etc/exim.conf file:
hostlist relay_hosts = lsearch;/etc/relayhosts : \
localhost
and change it to this:
hostlist relay_hosts = lsearch;/etc/relayhosts : \
localhost : lsearch;/etc/privaterelay
That should do it!
What PHP modules does WHM/cPanel support?
The following PHP Modules are supported by cPanel/WHM at time of writing :
Bc Math
Calendar Support
Curl (Version 7.15.3)
Curl SSL Support (Version 2.8.28)
Dom XSLT
Exif
Flash
FTP
GD (Version 2.0.15)
GetText
Iconv (experimental)
Imap Module (Version 2004g)
Java (must already be installed, or install will fail)
Mb String
Mcrypt (Version 2.5.7)
Memory Limit (experimental)
Mhash (Version 0.8.18)
Ming Support (Not Recommended due to various problems) (Version 0.3beta1)
Magic Quotes
MM Session Module (Version 1.3.1)
Mysql Module
SNMP
Openssl Support
Discard Path
PDFlib (requires license for commerical use; see www.pdflib.com/pdffiles/PDFlib-Lite-license.pdf)
Pear
Postgresql (will break 7.2.x or earlier, please make sure you have 7.3.x or later installed)
Pspell Module
Sablot XSLT [may cause problems with chili!asp]
SafeMode
Sockets
Use System Mysql
Track Vars
Freetype Support
Versioning
WDDX
XML RPC
Zip
Zlib
Bc Math
Calendar Support
Curl (Version 7.15.3)
Curl SSL Support (Version 2.8.28)
Dom XSLT
Exif
Flash
FTP
GD (Version 2.0.15)
GetText
Iconv (experimental)
Imap Module (Version 2004g)
Java (must already be installed, or install will fail)
Mb String
Mcrypt (Version 2.5.7)
Memory Limit (experimental)
Mhash (Version 0.8.18)
Ming Support (Not Recommended due to various problems) (Version 0.3beta1)
Magic Quotes
MM Session Module (Version 1.3.1)
Mysql Module
SNMP
Openssl Support
Discard Path
PDFlib (requires license for commerical use; see www.pdflib.com/pdffiles/PDFlib-Lite-license.pdf)
Pear
Postgresql (will break 7.2.x or earlier, please make sure you have 7.3.x or later installed)
Pspell Module
Sablot XSLT [may cause problems with chili!asp]
SafeMode
Sockets
Use System Mysql
Track Vars
Freetype Support
Versioning
WDDX
XML RPC
Zip
Zlib
cPanel/WHM - Rebuilding Apache with easyapache
A common problem for most webhosts is that the server configuration needs to be changed to fit the needs of their clients. One big example of this is the plethora of PHP modules available that various people use to get things to work for their individual websites. In this article, the art of recompiling Apache web server to include these necessary PHP modules will be explained. Please be advised that Apache webserver will be down while it is recompiling
cPanel has a very handy script that will do all the recompiling for you, you just have to tell it how in a text menu. The script is called easyapache and it is available on your server in the /scripts directory. type in /scripts/easyapache to begin
When the script begins, you will be presented with a menu of what to do to get apache recompiled. Although option 6 is for 'advanced' users, it is the most helpful as you have more control over what PHP modules you will have on your server. After you have selected option 6, you will be presented with a menu with a blue background. Make sure only the following are checked (use enter or the spacebar) before proceeding:
X Expires Modules
X Raise FD_SETSIZE
X Prevent Users.... Webroots
X FrontPage
X Raise HARD_SERVER_LIMIT
X Report Build Errors
X ReWrite Module
X SSL Module
X suEXEC Module
X Verbose Build
Now, you will want to highlight "PHP Modules" and press enter, you will be presented with a bunch of different versions of PHP. Select the newest one for the major release you are currently using (4.4.x versus 5.2.x) and scroll down to select PHP Modules. The following list is fairly comprehensive, be sure not to select any modules labelled as "experimental":
BC Math
Calendar Support
Curl
Curl SSL Support
Dom XSLT
Exif
Flash
FTP
GD
GetText
Imap
MB String
MCrypt
MHash
Magic Quotes
MM
Mysql Module
OpenSSL Support
Discard Path
Pspell
Pear
Sablot XSLT
Sockets
Track Vars
Freetype Support
WDDX
XML RPC
ZLib
After you have selected all of the modules, highlight exit and press enter to get out of the PHP menu, and press enter on exit again. You will be asked if you want the current apache config to be backed up. It is ususally good to say yes here. Then, the script kicks off and begins recompiling apache.
When the script is all finished (usually takes about 30 minutes), you can verify the Apache version, PHP version, and installed PHP modules using the following three commands:
/etc/init.d/httpd fullstatus
php -v
php -m
Source: faq.cpanel.net
cPanel has a very handy script that will do all the recompiling for you, you just have to tell it how in a text menu. The script is called easyapache and it is available on your server in the /scripts directory. type in /scripts/easyapache to begin
When the script begins, you will be presented with a menu of what to do to get apache recompiled. Although option 6 is for 'advanced' users, it is the most helpful as you have more control over what PHP modules you will have on your server. After you have selected option 6, you will be presented with a menu with a blue background. Make sure only the following are checked (use enter or the spacebar) before proceeding:
X Expires Modules
X Raise FD_SETSIZE
X Prevent Users.... Webroots
X FrontPage
X Raise HARD_SERVER_LIMIT
X Report Build Errors
X ReWrite Module
X SSL Module
X suEXEC Module
X Verbose Build
Now, you will want to highlight "PHP Modules" and press enter, you will be presented with a bunch of different versions of PHP. Select the newest one for the major release you are currently using (4.4.x versus 5.2.x) and scroll down to select PHP Modules. The following list is fairly comprehensive, be sure not to select any modules labelled as "experimental":
BC Math
Calendar Support
Curl
Curl SSL Support
Dom XSLT
Exif
Flash
FTP
GD
GetText
Imap
MB String
MCrypt
MHash
Magic Quotes
MM
Mysql Module
OpenSSL Support
Discard Path
Pspell
Pear
Sablot XSLT
Sockets
Track Vars
Freetype Support
WDDX
XML RPC
ZLib
After you have selected all of the modules, highlight exit and press enter to get out of the PHP menu, and press enter on exit again. You will be asked if you want the current apache config to be backed up. It is ususally good to say yes here. Then, the script kicks off and begins recompiling apache.
When the script is all finished (usually takes about 30 minutes), you can verify the Apache version, PHP version, and installed PHP modules using the following three commands:
/etc/init.d/httpd fullstatus
php -v
php -m
Source: faq.cpanel.net
Manually Migrating SSL Certificates between Apache and IIS
Usually, the only time when you will have to migrate an SSL certificate for a domain by hand is when one server is running apache and the other is running IIS. In this article, we will cover moving certificates back and forth between the servers. The key point to remember is that Apache ususally keeps the certs in a plaintext file protected by the OS, and IIS uses its own password protection to store a certificate.
In reality a certificate always contains the cert itself, and an associated key called the Private RSA Key. Both are necessary for the certificate as a whole to work properly.
1. Converting a plaintext certificate into a password-protected .pfx file for use in importing into IIS
In order to convert the plaintext password, we will need to combine the key with the cert as I discussed earlier. A good naming convention is www.domain.com.key and www.domain.com.crt. You will want to combine these two files into a .pem file. You can do this using OpenSSL on any Linux server running apache. Enter the following commands
cat www.domain.com.key www.domain.com.crt > www.domain.com.pem <-- this combines the two files
openssl pkcsl2 -export -in www.domain.com.pem -out www.domain.com.pfx
You will be prompted twice to create a password. Rememeber this as you will need it to install the cert in IIS.
You will then have a proper .pfx file IIS can understand. Now you can transfer the certificate to your windows server. I find the best way is to use an application called OpenSCP. It is an SCP (Secure Copy Protocol) client for windows. You can use it to login to your linux server, navigate to the directory the .pfx file is located, and then transfer it.
On your windows server, open up IIS and go to Web Sites > (domain.com) > Right-Click > Properties > Directory Security > Server Certificate > Import from a .pfx file > Locate file > enter password
Your cert should be installed.
2. If you are transferring a .pfx certificate from IIS to plaintext in apache, you will have to make sure that the private key is marked as exportable. The problem is that it does not behave this way on default. I recommend always marking the private key as exportable whenever you install a certificate into IIS. Anyway, you can export the certificate .pfx file in the same manner you imported it in IIS, except the password you type in creates one you will need for later.
You can use OpenSCP again to transfer the .pfx file to the linux server. Once on the linux server, you can convert the .pfx file back into a plaintext .pem file using the proper command with OpenSSL:
openssl pkcsl2 -in www.domain.com.pfx -out www.domain.com.pem --nodes
You will be asked for the password you created when importing from IIS. Now you will have the key and cert in plaintext. Use a text editor to separate them into www.domain.com.key and www.domain.com.crt files, respectively. Then follow your control panel's instructions on how to install the certificate.
In reality a certificate always contains the cert itself, and an associated key called the Private RSA Key. Both are necessary for the certificate as a whole to work properly.
1. Converting a plaintext certificate into a password-protected .pfx file for use in importing into IIS
In order to convert the plaintext password, we will need to combine the key with the cert as I discussed earlier. A good naming convention is www.domain.com.key and www.domain.com.crt. You will want to combine these two files into a .pem file. You can do this using OpenSSL on any Linux server running apache. Enter the following commands
cat www.domain.com.key www.domain.com.crt > www.domain.com.pem <-- this combines the two files
openssl pkcsl2 -export -in www.domain.com.pem -out www.domain.com.pfx
You will be prompted twice to create a password. Rememeber this as you will need it to install the cert in IIS.
You will then have a proper .pfx file IIS can understand. Now you can transfer the certificate to your windows server. I find the best way is to use an application called OpenSCP. It is an SCP (Secure Copy Protocol) client for windows. You can use it to login to your linux server, navigate to the directory the .pfx file is located, and then transfer it.
On your windows server, open up IIS and go to Web Sites > (domain.com) > Right-Click > Properties > Directory Security > Server Certificate > Import from a .pfx file > Locate file > enter password
Your cert should be installed.
2. If you are transferring a .pfx certificate from IIS to plaintext in apache, you will have to make sure that the private key is marked as exportable. The problem is that it does not behave this way on default. I recommend always marking the private key as exportable whenever you install a certificate into IIS. Anyway, you can export the certificate .pfx file in the same manner you imported it in IIS, except the password you type in creates one you will need for later.
You can use OpenSCP again to transfer the .pfx file to the linux server. Once on the linux server, you can convert the .pfx file back into a plaintext .pem file using the proper command with OpenSSL:
openssl pkcsl2 -in www.domain.com.pfx -out www.domain.com.pem --nodes
You will be asked for the password you created when importing from IIS. Now you will have the key and cert in plaintext. Use a text editor to separate them into www.domain.com.key and www.domain.com.crt files, respectively. Then follow your control panel's instructions on how to install the certificate.
Argument list too long
Some commands such as chmod, rm, and grep to name a few, can take multiple filenames as arguments rather than executing the command once per file. This can be very powerful and convenient, but there is a point at which the list of arguments actually becomes too long
There exists a command, xargs, that takes as input a list of items, and passes them individually as arguments to another command. Consider, for example, the following:
find . -name 'cgisess*' | xargs rm
What this does, in relation to the remove command, is it finds, by name (in this case anything beginning with cgisess) and executes the rm command on it. Which is different then building a list of items to remove, then removing them as is done normally with the rm command.
Further complications: Special characters in filenames
The "find | xargs rm" thing only worked correctly because none of the filenames involved had any spaces in them. If the filenames involved have spaces, you will need to do use find's "-print0" option in conjunction with xargs's "-0" option.
find . -name 'spam-*' -print0 | xargs -0 rm
There exists a command, xargs, that takes as input a list of items, and passes them individually as arguments to another command. Consider, for example, the following:
find . -name 'cgisess*' | xargs rm
What this does, in relation to the remove command, is it finds, by name (in this case anything beginning with cgisess) and executes the rm command on it. Which is different then building a list of items to remove, then removing them as is done normally with the rm command.
Further complications: Special characters in filenames
The "find | xargs rm" thing only worked correctly because none of the filenames involved had any spaces in them. If the filenames involved have spaces, you will need to do use find's "-print0" option in conjunction with xargs's "-0" option.
find . -name 'spam-*' -print0 | xargs -0 rm
Redirecting to non-SSL traffic to SSL
To make http:// or http://www. redirect to https:// or https://www. when you have an SSL certificate installed add the following lines in a .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Place the .htaccess in the htdocs directory for the corresponding site. Be careful not to overwite an existing .htaccess file.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Place the .htaccess in the htdocs directory for the corresponding site. Be careful not to overwite an existing .htaccess file.
How to generate an SSL Certificate Signing Request (CSR) in a non-paneled environment
How to generate an SSL Certificate Signing Request (CSR) in a non-paneled environment
NOTE: If you have purchased an SSL Certificate from us, we will handle everything from the certificate signing request to the installation of the signed certificate.
If you are using cPanel or Plesk, please find the proper article that will provide the instructions. If you do no have a panel installed, please continue on.
Edit openssl.cnf which should usually be located in the /usr/share/ssl directory and be sure you set the following:
Name
Company Name
City
State
Country (2 digit country code will be entered into the conf)
Email Address (must be webmaster or hostmaster @domain)
Generate the private key:
# openssl genrsa -out host.key 1024
# chmod 400 host.key
Replace 'host.key' above with domain as specified in the ticket. eg. www..com.
Generate CSR (Cetfificate Signing Request):
# openssl req -new -nodes -key host.key -out host.csr
NOTE: If you have purchased an SSL Certificate from us, we will handle everything from the certificate signing request to the installation of the signed certificate.
If you are using cPanel or Plesk, please find the proper article that will provide the instructions. If you do no have a panel installed, please continue on.
Edit openssl.cnf which should usually be located in the /usr/share/ssl directory and be sure you set the following:
Name
Company Name
City
State
Country (2 digit country code will be entered into the conf)
Email Address (must be webmaster or hostmaster @domain)
Generate the private key:
# openssl genrsa -out host.key 1024
# chmod 400 host.key
Replace 'host.key' above with domain as specified in the ticket. eg. www.
Generate CSR (Cetfificate Signing Request):
# openssl req -new -nodes -key host.key -out host.csr
Increasing the file display limit on pure-ftp
By default, pure-ftp has a file display limit of 2000 files. To change this you need to edit the /etc/pure-ftp.conf file.
Step 1) Log into the machine and gain root access
Step 2) Use your favorite text editor to open /etc/pure-ftp.conf
Step 3) Search for the line (the values 2000 8 below may be different):
LimitRecursion 2000 8
Step 4) The first number after LimitRecursion is the display limit of files pure-ftp will show at anyone time. Change it to whatever values you feel is necessary for your server. The second number is the max subdirectory depth shown. You may change this value if necessary as well.
Step 5) Restart the pure-ftpd service
service pure-ftpd restart
Step 1) Log into the machine and gain root access
Step 2) Use your favorite text editor to open /etc/pure-ftp.conf
Step 3) Search for the line (the values 2000 8 below may be different):
LimitRecursion 2000 8
Step 4) The first number after LimitRecursion is the display limit of files pure-ftp will show at anyone time. Change it to whatever values you feel is necessary for your server. The second number is the max subdirectory depth shown. You may change this value if necessary as well.
Step 5) Restart the pure-ftpd service
service pure-ftpd restart
Disable Apache Directory Listings
How to Disable Apache Directory Listings
The following procedure disables directory listings on an Apache web server using a .htaccess rule.
Go to the folder that you wish to disable directory listings on.
>cd /home/user/folder
Open .htaccess and add the following. If .htaccess doesn’t exist, you can create it.
>vi .htaccess
Insert the following line:
Options –Indexes
Save your modifications to the file and quit.
The following procedure disables directory listings on an Apache web server using a .htaccess rule.
Go to the folder that you wish to disable directory listings on.
>cd /home/user/folder
Open .htaccess and add the following. If .htaccess doesn’t exist, you can create it.
>vi .htaccess
Insert the following line:
Options –Indexes
Save your modifications to the file and quit.
Enable PHP Error Logging
How to Enable PHP Error Logging
To enable error logging edit the /etc/php.ini file and locate the error_log and uncomment it by removing the semi-colon. Next put in the filename of where the errors and warnings should be logged to. Example:
error_log = /var/log/php_error
On production sites it is advisable to have the following options set:
error_reporting = E_ALL
display_errors = Off
display_startup_errors = Off
log_errors = On
This way the errors are logged to a file instead of being displayed on the website. If you prefer to change this, then switch to display_errors = On. Please visit http://us.php.net/manual/en/ref.errorfunc.php to see the error handling and logging section in the php manual for extensive details. Make sure to restart your webserver after making changes to the /etc/php.ini file.
To enable error logging edit the /etc/php.ini file and locate the error_log and uncomment it by removing the semi-colon. Next put in the filename of where the errors and warnings should be logged to. Example:
error_log = /var/log/php_error
On production sites it is advisable to have the following options set:
error_reporting = E_ALL
display_errors = Off
display_startup_errors = Off
log_errors = On
This way the errors are logged to a file instead of being displayed on the website. If you prefer to change this, then switch to display_errors = On. Please visit http://us.php.net/manual/en/ref.errorfunc.php to see the error handling and logging section in the php manual for extensive details. Make sure to restart your webserver after making changes to the /etc/php.ini file.
How to block an IP/netblock using iptables
To block IPs in Linux you use a program called iptables that should already be installed on your server. To issue the neccessary commands you will need to login to your server via SSH as the root user.
Adding Temporary Rules:
To make only temporary rules that will not survive a reboot you can do the following steps. Once the rules are setup correctly they can be made permanent
Step 1) Determine which IPs need to be blocked from accessing your server.
Step 2a) To block a single IP issue the following command at the command prompt
iptables -I INPUT -s -j DROP
Step 2b) To block a range of IPs issue the following command at the command prompt. This will block all ips starting at and incrementing by one until it reaches and includes
iptables -I INPUT -s: -j DROP
Step 2c) To block a Netblock of IPs issue the following command at the command prompt. This will block all ips that fall into the subet by applying the to .
iptables -I INPUT -s/ -j DROP
Removing Temporary Rules:
Step 1) At the command line type the following command to display the list of current rules:
iptables -L
Step 2) The previous command should have displayed "Chain INPUT" followed by a list of rules. The top most rule is considered to be Rule 1. Count down to the rule you wish to remove and note its number. So the first rule is Rule 1, the second is Rule 2, etc.
Step 3) Type in the following command where is the number of the rule you wish to delete
iptables -D INPUT
Making/Adding Permanant Rules:
The above rules will only last until your server is rebooted. There are two ways to make make the rules permant on a RHEL or CENTOS based system. You can setup temporary rules as shown above and then save the current configuration when you are sure all the rules are correct. To do this you type in the following command which will save the rules and make sure they run at the next reboot.
iptables-save > /etc/sysconfig/iptables; chkconfig iptables on
The second method is to add the rules manually to the file /etc/sysconfig/iptables and then restart iptables. The rules themselves remain mostly unchanged as seen below. The only difference is that you do not call the iptables command.
1a) To block a single IP add the following to /etc/sysconfig/iptables.
-I INPUT -s -j DROP
1b) To block a range of IPs add the following to /etc/sysconfig/iptables.
-I INPUT -s: -j DROP
1c) To block a Netblock of IPs add the following to /etc/sysconfig/iptables
-I INPUT -s/ -j DROP
2) Restart iptables by issusing the following command:
service iptables restart
3) Ensure iptables runs at reboot
chkconfig iptables on
Removing Permanant Rules:
1) Delete the rules from the file /etc/sysconfig/iptables
2) Restart iptables by issusing the following command:
service iptables restart
Adding Temporary Rules:
To make only temporary rules that will not survive a reboot you can do the following steps. Once the rules are setup correctly they can be made permanent
Step 1) Determine which IPs need to be blocked from accessing your server.
Step 2a) To block a single IP issue the following command at the command prompt
iptables -I INPUT -s
Step 2b) To block a range of IPs issue the following command at the command prompt. This will block all ips starting at
iptables -I INPUT -s
Step 2c) To block a Netblock of IPs issue the following command at the command prompt. This will block all ips that fall into the subet by applying the
iptables -I INPUT -s
Removing Temporary Rules:
Step 1) At the command line type the following command to display the list of current rules:
iptables -L
Step 2) The previous command should have displayed "Chain INPUT" followed by a list of rules. The top most rule is considered to be Rule 1. Count down to the rule you wish to remove and note its number. So the first rule is Rule 1, the second is Rule 2, etc.
Step 3) Type in the following command where
iptables -D INPUT
Making/Adding Permanant Rules:
The above rules will only last until your server is rebooted. There are two ways to make make the rules permant on a RHEL or CENTOS based system. You can setup temporary rules as shown above and then save the current configuration when you are sure all the rules are correct. To do this you type in the following command which will save the rules and make sure they run at the next reboot.
iptables-save > /etc/sysconfig/iptables; chkconfig iptables on
The second method is to add the rules manually to the file /etc/sysconfig/iptables and then restart iptables. The rules themselves remain mostly unchanged as seen below. The only difference is that you do not call the iptables command.
1a) To block a single IP add the following to /etc/sysconfig/iptables.
-I INPUT -s
1b) To block a range of IPs add the following to /etc/sysconfig/iptables.
-I INPUT -s
1c) To block a Netblock of IPs add the following to /etc/sysconfig/iptables
-I INPUT -s
2) Restart iptables by issusing the following command:
service iptables restart
3) Ensure iptables runs at reboot
chkconfig iptables on
Removing Permanant Rules:
1) Delete the rules from the file /etc/sysconfig/iptables
2) Restart iptables by issusing the following command:
service iptables restart
Manually Password Protecting a Directory in Apache
Password Protecting a Directory in Apache
The following procedure details how to password protect a directory on a *nix server running Apache. If you have a control panel such as Plesk or cPanel, this can be handled from within the panel, but for a plain installation you will need to follow the steps below:
Use cd to move to the directory that you will be protecting.
>cd /home/user/directory
Create a file called .htaccess with the following contents. If .htaccess already exists you can simply add this to the end of the existing file:
>vi .htaccess
AuthName "Login Message"
AuthType Basic
AuthUserFile /home/user/directory/.htpasswd
AuthGroupFile /dev/null
require user user-name
“Login Message” should be replaced with the message that you want to show in the login dialog box that the browser will show. /home/user/directory/ should be the same path that your .htaccess file was created in. user-name needs to be replaced by the user that will be able to access the folder.
The last step is creating a .htpasswd file for the folder. This file stores the password for folder in an encrypted format:
>htpasswd -c .htpasswd user-name
You will be asked to enter and then confirm the password.
The following procedure details how to password protect a directory on a *nix server running Apache. If you have a control panel such as Plesk or cPanel, this can be handled from within the panel, but for a plain installation you will need to follow the steps below:
Use cd to move to the directory that you will be protecting.
>cd /home/user/directory
Create a file called .htaccess with the following contents. If .htaccess already exists you can simply add this to the end of the existing file:
>vi .htaccess
AuthName "Login Message"
AuthType Basic
AuthUserFile /home/user/directory/.htpasswd
AuthGroupFile /dev/null
require user user-name
“Login Message” should be replaced with the message that you want to show in the login dialog box that the browser will show. /home/user/directory/ should be the same path that your .htaccess file was created in. user-name needs to be replaced by the user that will be able to access the folder.
The last step is creating a .htpasswd file for the folder. This file stores the password for folder in an encrypted format:
>htpasswd -c .htpasswd user-name
You will be asked to enter and then confirm the password.
Disable Apache Directory Listings
How to Disable Apache Directory Listings
The following procedure disables directory listings on an Apache web server using a .htaccess rule.
Go to the folder that you wish to disable directory listings on.
>cd /home/user/folder
Open .htaccess and add the following. If .htaccess doesn’t exist, you can create it.
>vi .htaccess
Insert the following line:
Options –Indexes
Save your modifications to the file and quit.
The following procedure disables directory listings on an Apache web server using a .htaccess rule.
Go to the folder that you wish to disable directory listings on.
>cd /home/user/folder
Open .htaccess and add the following. If .htaccess doesn’t exist, you can create it.
>vi .htaccess
Insert the following line:
Options –Indexes
Save your modifications to the file and quit.
How do I determine what version of the Linux kernel my system is running?
How do I determine what version of the Linux kernel my system is running?
The command uname -a will tell you the system defined kernel name, hostname, kernel version, hardware name, processor type, hardware platform and operating system name. Executing a uname -r will tell you just the kernel version. Run a ‘man uname’ for specifics.
The command uname -a will tell you the system defined kernel name, hostname, kernel version, hardware name, processor type, hardware platform and operating system name. Executing a uname -r will tell you just the kernel version. Run a ‘man uname’ for specifics.
How to Log Slow MySQL Queries
Create a log that shows slow MySQL queries
This process will create a log file that will show you any queries taking longer than normal. Read the steps, then copy and paste the commands one at a time.
1) Create the folder /home/mysqllogs. Chown it to mysql:mysql
mkdir /home/mysqllogs
chown mysql:mysql /home/mysqllogs
2) Edit the /etc/my.cnf file.
nano /etc/my.cnf
* Add the following line under the [mysqld] header:
log-slow-queries = /home/mysqllogs/slow_queries.log
3) Restart MySQL? services
service mysql stop
service mysql start
This process will create a log file that will show you any queries taking longer than normal. Read the steps, then copy and paste the commands one at a time.
1) Create the folder /home/mysqllogs. Chown it to mysql:mysql
mkdir /home/mysqllogs
chown mysql:mysql /home/mysqllogs
2) Edit the /etc/my.cnf file.
nano /etc/my.cnf
* Add the following line under the [mysqld] header:
log-slow-queries = /home/mysqllogs/slow_queries.log
3) Restart MySQL? services
service mysql stop
service mysql start
Setting the Time in Linux
Setting the Time in Linux
A consistently accurate server clock is vital to the sanity of many applications that are supported by an Apache webserver environment. Fortunately, there are a number of different ways to set the date/time in any version of linux. The main thing to keep in mind is that linux keeps two separate times - software (system) time, and the hardware clock. Let's take a look at a great way to get everything synced and correct... shall we?
Yes, let's.
Configuration
Copy the file that represents the desired timezone from /usr/share/zoneinfo/ to /etc/localtime.
For example:
cp /usr/share/zoneinfo/GMT /etc/localtime
Modify the settings in /etc/sysconfig/clock using your favourite text editor.
Example:
ZONE="GMT"
UTC=true
ARC=false
Note: You can find all possible ZONEs by listing the contents of /usr/share/zoneinfo/.
Feel free to sync the time against a time server, and add an entry to the crontab to do the same.
Here's an example using cPanel's time server:
/usr/bin/rdate -s httpupdate.cpanel.net
crontab -e
0 0 * * 6 /usr/bin/rdate -s httpupdate.cpanel.net
Now that the system time is correct, sync the hardware clock against the system time:
(Notice the similarities between "systohc" and "system to hardware clock")
/sbin/hwclock --systohc
Testing
You can test the results in a few different ways:
root@server [~]# date
Fri Jul 28 17:05:08 CDT 2006
root@server [~]# clock
Fri 28 Jul 2006 05:05:10 PM CDT -0.033127 seconds
root@server [~]#
You can also test by writing a php script that prints the time:
root@server [~]# cat test.php
print( date("D M j G:i:s Y") . "\n" );
?>
root@server [~]# php test.php
Fri Jul 28 17:08:12 2006
root@server [~]#
A consistently accurate server clock is vital to the sanity of many applications that are supported by an Apache webserver environment. Fortunately, there are a number of different ways to set the date/time in any version of linux. The main thing to keep in mind is that linux keeps two separate times - software (system) time, and the hardware clock. Let's take a look at a great way to get everything synced and correct... shall we?
Yes, let's.
Configuration
Copy the file that represents the desired timezone from /usr/share/zoneinfo/ to /etc/localtime.
For example:
cp /usr/share/zoneinfo/GMT /etc/localtime
Modify the settings in /etc/sysconfig/clock using your favourite text editor.
Example:
ZONE="GMT"
UTC=true
ARC=false
Note: You can find all possible ZONEs by listing the contents of /usr/share/zoneinfo/.
Feel free to sync the time against a time server, and add an entry to the crontab to do the same.
Here's an example using cPanel's time server:
/usr/bin/rdate -s httpupdate.cpanel.net
crontab -e
0 0 * * 6 /usr/bin/rdate -s httpupdate.cpanel.net
Now that the system time is correct, sync the hardware clock against the system time:
(Notice the similarities between "systohc" and "system to hardware clock")
/sbin/hwclock --systohc
Testing
You can test the results in a few different ways:
root@server [~]# date
Fri Jul 28 17:05:08 CDT 2006
root@server [~]# clock
Fri 28 Jul 2006 05:05:10 PM CDT -0.033127 seconds
root@server [~]#
You can also test by writing a php script that prints the time:
root@server [~]# cat test.php
print( date("D M j G:i:s Y") . "\n" );
?>
root@server [~]# php test.php
Fri Jul 28 17:08:12 2006
root@server [~]#
How to find all IPs bound to a machine that are not hosting sites
How to find all IPs bound to a machine that are not hosting sites
This command can be used to find free IPs on a non-panel Linux server.
echo System has $(ifconfig | grep "inet addr:" | grep -v 127.0.0.1 | awk '{print $2}' | sed s/"addr:"// | sort -n > /tmp/boundips && cat /usr/local/apache/conf/httpd.conf | grep ""$// | sed s/">"$// | sort -n | uniq > /tmp/usedips && diff /tmp/boundips /tmp/usedips | sed -n /^"< "/p | sed s/^"< "// | wc -l) free IPs: && diff /tmp/boundips /tmp/usedips | sed -n /^"< "/p | sed s/^"< "// && rm -f /tmp/boundips /tmp/usedips
Note: On a cPanel server, there is a tool called "Rebuild the IP address pool", which performs the same function.
This command can be used to find free IPs on a non-panel Linux server.
echo System has $(ifconfig | grep "inet addr:" | grep -v 127.0.0.1 | awk '{print $2}' | sed s/"addr:"// | sort -n > /tmp/boundips && cat /usr/local/apache/conf/httpd.conf | grep ""$// | sed s/">"$// | sort -n | uniq > /tmp/usedips && diff /tmp/boundips /tmp/usedips | sed -n /^"< "/p | sed s/^"< "// | wc -l) free IPs: && diff /tmp/boundips /tmp/usedips | sed -n /^"< "/p | sed s/^"< "// && rm -f /tmp/boundips /tmp/usedips
Note: On a cPanel server, there is a tool called "Rebuild the IP address pool", which performs the same function.
How to clean Exim's Mail queue
How to clean an Exim queue
* How to clean an Exim queue
o Using WebHost Manager
o Advanced Users
o Very Advanced Users
Using WebHost Manager
1. Login to WHM.
2. On the Main page, click on the email icon:
3. In the mail menu, select "Manage Mail Queue":
* Note: Instead of steps 2 and 3, you can select "Manage Mail Queue from the left margin:
4. Find the message you wish to delete and select "Delete":
Advanced Users
WARNING: The information below is intended for users with advanced knowledge of operating systems, control panels, and other aspects of server management. Do NOT simply copy and paste commands to resolve issues as you may severely harm your server, cause downtime, or incur billable support not covered under your DEFCON plan. Please open a support ticket if you feel uncomfortable with the suggestions provided.
There are many times when a mail queue may become filled with what is essentially junk mail. At extreme levels, this can cause high load and delayed mail delivery.
You can use a variation of the following command via a shell prompt to delete only these junk messages from the mail queue:
grep -lR KEYWORD /var/spool/exim/input/* | xargs rm -f
This will purge the mail queue of any messages that contain KEYWORD.
Any messages deleted in this manner are IRRETRIEVABLE (aka: Gone for good)
Is this dangerous? You bet it CAN be. If you have any doubts, open a support ticket.
Let's look at an example.
Imagine a case in which users are abusing a bad FormMail.pl installation on server.fastservers.net. Almost all of these messages will contain the username "nobody@server.fastservers.net". We want to delete ALL of these messages, so we would insert "nobody@server.fastservers.net" in place of "KEYWORD" in the command above.
This will delete all messages in the exim queue that contain the keyword "nobody@server.fastservers.net".
Very Advanced Users
Grep does regular expressions. This means you can catch tricky spammers with a little mind power. For example:
grep -lRP Vz*Az*Lz*Iz*Uz*M /var/spool/exim/input/* | xargs rm -f
This command will delete any message containing the letters V, A, L, I, U, M, in that order, and with 0 or more "z" characters between them. A few of the keywords it will match are listed:
VALIUM
VzALIUM
VAzLIzUzM
VALzIUM
VzALzIUM
You get the idea.
* How to clean an Exim queue
o Using WebHost Manager
o Advanced Users
o Very Advanced Users
Using WebHost Manager
1. Login to WHM.
2. On the Main page, click on the email icon:
3. In the mail menu, select "Manage Mail Queue":
* Note: Instead of steps 2 and 3, you can select "Manage Mail Queue from the left margin:
4. Find the message you wish to delete and select "Delete":
Advanced Users
WARNING: The information below is intended for users with advanced knowledge of operating systems, control panels, and other aspects of server management. Do NOT simply copy and paste commands to resolve issues as you may severely harm your server, cause downtime, or incur billable support not covered under your DEFCON plan. Please open a support ticket if you feel uncomfortable with the suggestions provided.
There are many times when a mail queue may become filled with what is essentially junk mail. At extreme levels, this can cause high load and delayed mail delivery.
You can use a variation of the following command via a shell prompt to delete only these junk messages from the mail queue:
grep -lR KEYWORD /var/spool/exim/input/* | xargs rm -f
This will purge the mail queue of any messages that contain KEYWORD.
Any messages deleted in this manner are IRRETRIEVABLE (aka: Gone for good)
Is this dangerous? You bet it CAN be. If you have any doubts, open a support ticket.
Let's look at an example.
Imagine a case in which users are abusing a bad FormMail.pl installation on server.fastservers.net. Almost all of these messages will contain the username "nobody@server.fastservers.net". We want to delete ALL of these messages, so we would insert "nobody@server.fastservers.net" in place of "KEYWORD" in the command above.
This will delete all messages in the exim queue that contain the keyword "nobody@server.fastservers.net".
Very Advanced Users
Grep does regular expressions. This means you can catch tricky spammers with a little mind power. For example:
grep -lRP Vz*Az*Lz*Iz*Uz*M /var/spool/exim/input/* | xargs rm -f
This command will delete any message containing the letters V, A, L, I, U, M, in that order, and with 0 or more "z" characters between them. A few of the keywords it will match are listed:
VALIUM
VzALIUM
VAzLIzUzM
VALzIUM
VzALzIUM
You get the idea.
How to Repair MySQL Tables
Symptoms of corrupted tables
Corrupted tables can cause a high load, or cause MySQL to crash fairly often. If you do have a problem with corrupted tables, you should see entries in the MySQL error log indicating this. The error log is usually located at /var/lib/mysql/HOSTNAME.err.
In that filename, "HOSTNAME" indicates the base hostname of your server. You can determine your server's hostname with the following command:
hostname
The most common error message in this log file that indicates you should attempt a repair on the MySQL tables is (errno: 145), but you should also attempt a repair if you see many of the following error codes: 126, 127, 132, 134, 135, 136, 141, 144
The easy way to repair
You may have a tool on your server called "mysqlcheck". If so, you can attempt an automatic repair with the following command:
mysqlcheck -A --auto-repair
The mysqlcheck tool should be run while MySQL is running. Do not stop MySQL before attempting a repair using this method.
The advanced method
WARNING: The information below is intended for users with advanced knowledge of operating systems, control panels, and other aspects of server management. Do NOT simply copy and paste commands to resolve issues as you may severely harm your server, cause downtime, or incur billable support not covered under your DEFCON plan. Please open a support ticket if you feel uncomfortable with the suggestions provided.
Read me first
Myisamchk uses /tmp while repairing, so if a table is larger than the /tmp partition, you can't repair that one with the following steps.
If you /tmp is smaller, you can repair it utilizing a temp tmp folder... something like the following:
myisamchk -r -q database/table.MYI --tmpdir=/home/tmp
Prep work
Before you start modifying tables, you should stop MySQL or you'll get a lot of false positives on the check, and a lot of problems on the repair. So before you go any further, stop MySQL. Even before that, if you have cPanel, you should first stop chkservd:
/etc/init.d/chkservd stop
Chkservd is cPanel's service monitor. It checks every eight (8) minutes to ensure all services are running, and if it detects any problems it will attempt to restart the service.
After chkservd is stopped, or if you do not have cPanel installed, stop MySQL:
/etc/init.d/mysql stop
Potential problem with myisamchk
Myisamchk uses /tmp while repairing, so if a table is larger than the /tmp partition, you can't repair it with the following steps.
If your /tmp partition is smaller than your largest database, you will have to specify a different tmp location. Here's an example:
myisamchk -r -q database/table.MYI --tmpdir=/home/tmp
Analysis and repair
Now we need to analyze the tables to see where the corruption is. The tables are located within /var/lib/mysql/. Every subfolder represents a database. The general idea is to run `myisamchk -s ./[database]/[table]. The -s flag means silent. Without it, you will receive a lot of status information that is irrelevant to the problem at hand. Usually there are a few more than a couple databases, so doing this manually can be a pain. Run a 'for' loop:
cd /var/lib/mysql
for x in `find * | grep .MYI`; do myisamchk -s $x; done
This should print out error reports on all of the corrupt tables. For every corrupt table, run the following command:
myisamchk -r -q [table]
Once the repair has completed, you want to make sure it actually accomplished what you sent it in to do. Run another check:
for x in `find * | grep .MYI | grep -v ".bak" | grep -v ".back"`; do myisamchk -s $x; done
If that reports any problems, it means the previous repair didn't fix everything. That's not a huge deal, because we just used the most simplistic and least invasive repair method. The other methods have a fair chance of causing damage, so you'll want to back things up from here.
Make a copy of any tables you are about to repair:
cp [database]/brokentable.MYI{,.bak}
Now try running a beefier repair against the table. Don't use the -q flag.
myisamchk -r [database]/brokentable.MYI
Once you've tried to repair the tables again, run another check. If it still reports errors, try using -o instead of -r. The -o flag uses an older repair strategy that tries a few more things than the newer, but is slower.
myisamchk -o [database]/brokentable.MYI
Run one more check to be sure you've caught everything.
Wrap-up
When you are done repairing the tables, don't forget to start MySQL again:
/etc/init.d/mysql start
And, if you're running cPanel:
/etc/init.d/chkservd start
Corrupted tables can cause a high load, or cause MySQL to crash fairly often. If you do have a problem with corrupted tables, you should see entries in the MySQL error log indicating this. The error log is usually located at /var/lib/mysql/HOSTNAME.err.
In that filename, "HOSTNAME" indicates the base hostname of your server. You can determine your server's hostname with the following command:
hostname
The most common error message in this log file that indicates you should attempt a repair on the MySQL tables is (errno: 145), but you should also attempt a repair if you see many of the following error codes: 126, 127, 132, 134, 135, 136, 141, 144
The easy way to repair
You may have a tool on your server called "mysqlcheck". If so, you can attempt an automatic repair with the following command:
mysqlcheck -A --auto-repair
The mysqlcheck tool should be run while MySQL is running. Do not stop MySQL before attempting a repair using this method.
The advanced method
WARNING: The information below is intended for users with advanced knowledge of operating systems, control panels, and other aspects of server management. Do NOT simply copy and paste commands to resolve issues as you may severely harm your server, cause downtime, or incur billable support not covered under your DEFCON plan. Please open a support ticket if you feel uncomfortable with the suggestions provided.
Read me first
Myisamchk uses /tmp while repairing, so if a table is larger than the /tmp partition, you can't repair that one with the following steps.
If you /tmp is smaller, you can repair it utilizing a temp tmp folder... something like the following:
myisamchk -r -q database/table.MYI --tmpdir=/home/tmp
Prep work
Before you start modifying tables, you should stop MySQL or you'll get a lot of false positives on the check, and a lot of problems on the repair. So before you go any further, stop MySQL. Even before that, if you have cPanel, you should first stop chkservd:
/etc/init.d/chkservd stop
Chkservd is cPanel's service monitor. It checks every eight (8) minutes to ensure all services are running, and if it detects any problems it will attempt to restart the service.
After chkservd is stopped, or if you do not have cPanel installed, stop MySQL:
/etc/init.d/mysql stop
Potential problem with myisamchk
Myisamchk uses /tmp while repairing, so if a table is larger than the /tmp partition, you can't repair it with the following steps.
If your /tmp partition is smaller than your largest database, you will have to specify a different tmp location. Here's an example:
myisamchk -r -q database/table.MYI --tmpdir=/home/tmp
Analysis and repair
Now we need to analyze the tables to see where the corruption is. The tables are located within /var/lib/mysql/. Every subfolder represents a database. The general idea is to run `myisamchk -s ./[database]/[table]. The -s flag means silent. Without it, you will receive a lot of status information that is irrelevant to the problem at hand. Usually there are a few more than a couple databases, so doing this manually can be a pain. Run a 'for' loop:
cd /var/lib/mysql
for x in `find * | grep .MYI`; do myisamchk -s $x; done
This should print out error reports on all of the corrupt tables. For every corrupt table, run the following command:
myisamchk -r -q [table]
Once the repair has completed, you want to make sure it actually accomplished what you sent it in to do. Run another check:
for x in `find * | grep .MYI | grep -v ".bak" | grep -v ".back"`; do myisamchk -s $x; done
If that reports any problems, it means the previous repair didn't fix everything. That's not a huge deal, because we just used the most simplistic and least invasive repair method. The other methods have a fair chance of causing damage, so you'll want to back things up from here.
Make a copy of any tables you are about to repair:
cp [database]/brokentable.MYI{,.bak}
Now try running a beefier repair against the table. Don't use the -q flag.
myisamchk -r [database]/brokentable.MYI
Once you've tried to repair the tables again, run another check. If it still reports errors, try using -o instead of -r. The -o flag uses an older repair strategy that tries a few more things than the newer, but is slower.
myisamchk -o [database]/brokentable.MYI
Run one more check to be sure you've caught everything.
Wrap-up
When you are done repairing the tables, don't forget to start MySQL again:
/etc/init.d/mysql start
And, if you're running cPanel:
/etc/init.d/chkservd start
Quota Problem
When quotas show as 0 for all the users and /scripts/fixquotas doesn\'t fix the problem, then most likely /home/aquota.users is missing. To fix the problem run the commands: touch /home/aquota.user chmod 744 /home/aquota.user Then, run /scripts/fixquotas again and everything should be fine.
cPanel/WHM > 10 Tips for making your cPanel and WHM servers more secure
10 Tips for making your cPanel and WHM servers more secure
Please note that these tips are suggestions only and cPanel takes no responsibility for modifications to individual servers, or the security practices of individual servers. Server security is a collection of compromises, as any server that allows connections could be insecure. These tips are to be followed at your own risk.
1) Use secure passwords!
Insecure passwords are the most common security vulnerability for most servers. If an account password is insecure and is compromised, client sites can be defaced, infected, or used to spread viruses. Having secure passwords is paramount to having a secure server.
You can edit /etc/login.defs to configure many password options on your system. It is well documented.
Generally, a password utilizing at least 8 characters including alphanumeric and grammatical symbols is sufficient. Never use passwords based upon dictionary words or significant dates. If you are uncertain about the security of a password, then you can test it using JTR cracker. If a password can be broken in a few hours, then it is probably too insecure and should not be used. You can also install tools like pam_passwdqc to check the strength of passwords.
2) Secure SSH
Enable public key authentication for SSH and disable password authentication read more >>
Move SSH access to a different port. People are looking for port 22 as a possible way to access your servers. Moving SSH to a different port will add a simple way to deter those without specific knowledge of your server from easily discovering your SSH port.
You can modify the port that SSH runs on within /etc/ssh/sshd_config. Change the line that says #Port 22 to a different port such as: Port 1653. Make sure to keep your current SSH session open when testing the new port so you can change back to port 22 if the new port doesn't work.
You should always use SSHv2 only as SSHv1 is not secure. Make sure to change the line in /etc/ssh/sshd_config that says #Protocol 2,1 to Protocol 2.
You may also wish to set Shell Resource Limits for you users to prevent applications and scripts from using all up your resources and taking down your server. You can configure shell resource limits in /etc/security/limits.conf on most Linux systems.
3) Secure Apache
The most readily available way to access a web server, is of course, the web server application. It is important to take steps to secure your Apache installation.
One of the best tools for preventing malicious Apache use is mod_security. This can be installed in Addon Modules in the cPanel section of WebHost Manager. You can find information about mod_security at http://www.modsecurity.org/.
When compiling Apache, you should include suexec to ensure that CGI applications and scripts run as the user that owns / executes them. This will help identify where malicious scripts are and who is running them. It will also enforce permission and environment controls.
We also recommend compiling Apache + PHP with PHPsuexec. PHPsuexec forces all PHP scripts to run as the user who owns the script. This means that you will be able to identify the owner of all PHP scripts running on your server. If one is malicious, you will be able to find it's owner quickly and resolve the issue. To compile Apache + PHP with PHPsuexec, select the PHPSuexec option in the Apache Upgrade interface in WHM or when running /scripts/easyapache from the command line.
You should enable PHP's open_basedir protection. This protection will prevent users from open files outside of their home directory with PHP. This can be enabled in Tweak Security within WebHost Manager.
You may also wish to include safe_mode for PHP 5.x and below. Safe_mode ensures that the owner of a PHP script matches the owner of any files to be operated on. You can enable safe_mode by changing the safe_mode = line in php.ini to safe_mode = On.
4) Secure your /tmp partition
We recommend that you use a separate partition for /tmp that is mounted with nosetuid. Nosetuid will force a process to run with the privileges of it's executor. You may also wish to mount /tmp with noexec after installing cPanel. Check the mount man page for more information.
Also, Running /scripts/securetmp will mount your /tmp partition to a temporary file for extra security.
5) Upgrade your mail to maildir format
Maildir format adds extra security and speed to your mail system. Newer installs use maildir by default. If you're running an older copy of cPanel, you'll probably want to upgrade using /scripts/convert2maildir. Make sure to back up your current mail before converting to maildir, this can be done within /scripts/convert2maildir. If you see maildir is enabled when running /scripts/convert2maildir, you are already using maildir, and will not need to convert.
6) Lock down your system's compilers
Most users do not require the use of C and C++ compilers. You can use the Compilers Tweak within Tweak Security in WebHost Manager to turn off use of the compilers for all unprivileged users, or to disable them for specific users only. Many pre-packaged exploits require working compilers. Disabling compilers will help protect against many exploits.
7) Turn off unused services and daemons
Any service or daemon that allows a connection to be established to your server is away for hackers to gain access. To reduce security risks, you should disable all services and daemons that are not being used.
For Daemons on Linux:
Check /etc/xinetd.conf for services you are not using. For example, cupsd (printing daemon) and nfs/statd (network file system daemons) are not used on many systems.
For Services:
Go to the Service Manager in the Service Configuration section of WHM and disable any services that you are not using.
8) Monitor your system
It is important to be up to date on what is going on with your system. Make sure that you know when accounts are being created, what software is being installed, when software needs updates, etc.
Check your system frequently to ensure it is functioning in the way you expect. Make sure to check things like:
netstat -anp : Look for programs attached to ports that you did not install / authorize
find / \( -perm -a+w \) ! -type l >> world_writable.txt : Look at world_writable.txt to see all world writable files and directories. This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.
find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.
ls /var/log/: There are many different logs on your system which can be valuable resources. Check your system logs, apache logs, mail logs, and other logs frequently to make sure your system is functioning as expected.
There are many readily available utilities to monitor your system and to detect rootkits, backdoors, etc. Here are some commonly available utilities:
Tripwire - Monitors checksums of files and reports changes.
http://tripwire.com or http://sourceforge.net/projects/tripwire
Chrookit - Scans for common rootkits, backdoors, etc.
http://www.chkrootkit.org
Rkhunter - Scans for common rootkits, backdoors, etc.
http://www.rootkit.nl/projects/rootkit_hunter.html
Logwatch - Monitors and reports on daily system activity.
http://logwatch.org
9) Enable a Firewall
Installing a firewall to limit access to your server is useful. Removing all unused software on your system is more useful. Before you have the chance to remove all unused services and daemons, or the chance to figure out which services / daemons are unused, you can enable a firewall to prevent unwanted access.
The following will show the ports cPanel and WHM need open to function properly and what the port is used for:
http://faq.cpanel.net/show.cgi?qa=104689180407630
If you are using APF, see:
http://faq.cpanel.net/show.cgi?qa=108499296901804
Please note that these ports are for all services that can be used by cPanel and WHM, you may or may not be using all of these services or other services and should adjust your rules accordingly.
Remember to set a cron job to disable your firewall every 5 minutes when testing your rules, or you may be locked out of your server.
10) Stay up to date
It is important to make sure that you are running the latest stable versions of the software on your system to ensure that it has been patched of any security issues that past versions may be susceptible to. Make sure to keep on top of updates for:
Kernel
cPanel and WHM*
User Applications (bulletin boards, CMS, blog engines, etc)**
System Software*
*These can be set to automatically update in WebHost Manager under Update Config in the Server Configuration section.
**You can upgrade all cPAddon installations through Manage cPAddons in the cPanel section of WebHost Manager.
Source: http://www.cpanel.net/security/commontips.htm
Please note that these tips are suggestions only and cPanel takes no responsibility for modifications to individual servers, or the security practices of individual servers. Server security is a collection of compromises, as any server that allows connections could be insecure. These tips are to be followed at your own risk.
1) Use secure passwords!
Insecure passwords are the most common security vulnerability for most servers. If an account password is insecure and is compromised, client sites can be defaced, infected, or used to spread viruses. Having secure passwords is paramount to having a secure server.
You can edit /etc/login.defs to configure many password options on your system. It is well documented.
Generally, a password utilizing at least 8 characters including alphanumeric and grammatical symbols is sufficient. Never use passwords based upon dictionary words or significant dates. If you are uncertain about the security of a password, then you can test it using JTR cracker. If a password can be broken in a few hours, then it is probably too insecure and should not be used. You can also install tools like pam_passwdqc to check the strength of passwords.
2) Secure SSH
Enable public key authentication for SSH and disable password authentication read more >>
Move SSH access to a different port. People are looking for port 22 as a possible way to access your servers. Moving SSH to a different port will add a simple way to deter those without specific knowledge of your server from easily discovering your SSH port.
You can modify the port that SSH runs on within /etc/ssh/sshd_config. Change the line that says #Port 22 to a different port such as: Port 1653. Make sure to keep your current SSH session open when testing the new port so you can change back to port 22 if the new port doesn't work.
You should always use SSHv2 only as SSHv1 is not secure. Make sure to change the line in /etc/ssh/sshd_config that says #Protocol 2,1 to Protocol 2.
You may also wish to set Shell Resource Limits for you users to prevent applications and scripts from using all up your resources and taking down your server. You can configure shell resource limits in /etc/security/limits.conf on most Linux systems.
3) Secure Apache
The most readily available way to access a web server, is of course, the web server application. It is important to take steps to secure your Apache installation.
One of the best tools for preventing malicious Apache use is mod_security. This can be installed in Addon Modules in the cPanel section of WebHost Manager. You can find information about mod_security at http://www.modsecurity.org/.
When compiling Apache, you should include suexec to ensure that CGI applications and scripts run as the user that owns / executes them. This will help identify where malicious scripts are and who is running them. It will also enforce permission and environment controls.
We also recommend compiling Apache + PHP with PHPsuexec. PHPsuexec forces all PHP scripts to run as the user who owns the script. This means that you will be able to identify the owner of all PHP scripts running on your server. If one is malicious, you will be able to find it's owner quickly and resolve the issue. To compile Apache + PHP with PHPsuexec, select the PHPSuexec option in the Apache Upgrade interface in WHM or when running /scripts/easyapache from the command line.
You should enable PHP's open_basedir protection. This protection will prevent users from open files outside of their home directory with PHP. This can be enabled in Tweak Security within WebHost Manager.
You may also wish to include safe_mode for PHP 5.x and below. Safe_mode ensures that the owner of a PHP script matches the owner of any files to be operated on. You can enable safe_mode by changing the safe_mode = line in php.ini to safe_mode = On.
4) Secure your /tmp partition
We recommend that you use a separate partition for /tmp that is mounted with nosetuid. Nosetuid will force a process to run with the privileges of it's executor. You may also wish to mount /tmp with noexec after installing cPanel. Check the mount man page for more information.
Also, Running /scripts/securetmp will mount your /tmp partition to a temporary file for extra security.
5) Upgrade your mail to maildir format
Maildir format adds extra security and speed to your mail system. Newer installs use maildir by default. If you're running an older copy of cPanel, you'll probably want to upgrade using /scripts/convert2maildir. Make sure to back up your current mail before converting to maildir, this can be done within /scripts/convert2maildir. If you see maildir is enabled when running /scripts/convert2maildir, you are already using maildir, and will not need to convert.
6) Lock down your system's compilers
Most users do not require the use of C and C++ compilers. You can use the Compilers Tweak within Tweak Security in WebHost Manager to turn off use of the compilers for all unprivileged users, or to disable them for specific users only. Many pre-packaged exploits require working compilers. Disabling compilers will help protect against many exploits.
7) Turn off unused services and daemons
Any service or daemon that allows a connection to be established to your server is away for hackers to gain access. To reduce security risks, you should disable all services and daemons that are not being used.
For Daemons on Linux:
Check /etc/xinetd.conf for services you are not using. For example, cupsd (printing daemon) and nfs/statd (network file system daemons) are not used on many systems.
For Services:
Go to the Service Manager in the Service Configuration section of WHM and disable any services that you are not using.
8) Monitor your system
It is important to be up to date on what is going on with your system. Make sure that you know when accounts are being created, what software is being installed, when software needs updates, etc.
Check your system frequently to ensure it is functioning in the way you expect. Make sure to check things like:
netstat -anp : Look for programs attached to ports that you did not install / authorize
find / \( -perm -a+w \) ! -type l >> world_writable.txt : Look at world_writable.txt to see all world writable files and directories. This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.
find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.
ls /var/log/: There are many different logs on your system which can be valuable resources. Check your system logs, apache logs, mail logs, and other logs frequently to make sure your system is functioning as expected.
There are many readily available utilities to monitor your system and to detect rootkits, backdoors, etc. Here are some commonly available utilities:
Tripwire - Monitors checksums of files and reports changes.
http://tripwire.com or http://sourceforge.net/projects/tripwire
Chrookit - Scans for common rootkits, backdoors, etc.
http://www.chkrootkit.org
Rkhunter - Scans for common rootkits, backdoors, etc.
http://www.rootkit.nl/projects/rootkit_hunter.html
Logwatch - Monitors and reports on daily system activity.
http://logwatch.org
9) Enable a Firewall
Installing a firewall to limit access to your server is useful. Removing all unused software on your system is more useful. Before you have the chance to remove all unused services and daemons, or the chance to figure out which services / daemons are unused, you can enable a firewall to prevent unwanted access.
The following will show the ports cPanel and WHM need open to function properly and what the port is used for:
http://faq.cpanel.net/show.cgi?qa=104689180407630
If you are using APF, see:
http://faq.cpanel.net/show.cgi?qa=108499296901804
Please note that these ports are for all services that can be used by cPanel and WHM, you may or may not be using all of these services or other services and should adjust your rules accordingly.
Remember to set a cron job to disable your firewall every 5 minutes when testing your rules, or you may be locked out of your server.
10) Stay up to date
It is important to make sure that you are running the latest stable versions of the software on your system to ensure that it has been patched of any security issues that past versions may be susceptible to. Make sure to keep on top of updates for:
Kernel
cPanel and WHM*
User Applications (bulletin boards, CMS, blog engines, etc)**
System Software*
*These can be set to automatically update in WebHost Manager under Update Config in the Server Configuration section.
**You can upgrade all cPAddon installations through Manage cPAddons in the cPanel section of WebHost Manager.
Source: http://www.cpanel.net/security/commontips.htm
Exim mailbox permissions problem
To fix mailbox permissions issues, run the script /scripts/mailperm
on the server, and then check the permissions on the problem mailbox. The permissions should be set to 660.
Begin the forced delivery of the messages in the Exim queue: /usr/bin/exim -qf.
Send a test message to the email address indicated:
mail theaddress@domain.com. -v
Subject: test
.
and watch for delivery.
Finally, view the log at /var/log/exim_mainlog to verify that it was delivered:
tail -20 /var/log/exim_mainlog
on the server, and then check the permissions on the problem mailbox. The permissions should be set to 660.
Begin the forced delivery of the messages in the Exim queue: /usr/bin/exim -qf.
Send a test message to the email address indicated:
mail theaddress@domain.com. -v
Subject: test
.
and watch for delivery.
Finally, view the log at /var/log/exim_mainlog to verify that it was delivered:
tail -20 /var/log/exim_mainlog
Prevent User nobody from Sending Mail
To prevent spammers from sending mail through vulnerable scripts or uploading and running their own scripts to send spam from your server, you may want to prevent the user nobody from sending mail from the server. The users on the server will still be able to have scripts that send to their local addresses. If they want the script to send to an outside address, they can create a forwarder and then have their script send mail to the forwarder.
This security feature is enabled by going to Tweak Settings in the Server Configuration section of the WHM. In the Mail section, check "Prevent the user "nobody" from sending out mail to remote addresses". Finally, scroll to the bottom and click Save.
This security feature is enabled by going to Tweak Settings in the Server Configuration section of the WHM. In the Mail section, check "Prevent the user "nobody" from sending out mail to remote addresses". Finally, scroll to the bottom and click Save.
Tracking Down Spam Scripts in cPanel
Tracking Down Spam Scripts in cPanel
If you're receiving complaints that your cPanel server is sending out spam, there is a fair chance that there is a malicious script somewhere on the server. It can be a little tricky to locate such a script, but here is a trick that may help:
Log into your WHM interface by using the root user and root password.
Click on 'Exim Configuration Editer' under 'Service Configuration'.
Click the box at the top labeled 'Switch to Advanced Mode (Edit Raw Configuration File)'.
Copy the following and paste into the top box:
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
Next, scroll down to the bottom and click the 'Save' button.
At this point, you can log out of WHM, and log into your server via SSH.
Now we want to watch the mail program's log files, to see where the messages are comming from on your server. Type the following at the command line:
tail -f /var/log/exim_mainlog | grep cwd
This will show exactly what is being logged by the mail server, but will only display the relevant lines.
The output will be something like the following. 'cwd', in this case stands for 'current working directory', or the place on the server where the messages originate.
cwd=/var/spool/exim --> This one is nothing to worry about; this is normal operation.
cwd=/tmp --> This is the temporary directory. If you see entries with this, you should probably investigate further.
cwd=/home/accountname/public_html/forums/tmp --> This one is definately something that should be investigated.
ls -la /home/accountname/public_html/forums/tmp --> This will list the directory's contents.
By listing the contents of the directory that looks suspicious (in this case, /home/accountname/public_html/forums/tmp), you can discover the name of the script. To check and see if it is currently running, type the following:
ps aux | grep
This will give an output that includes a number known as the process ID. You can stop the script by typing kill. Next, remove the script from the server:
rm /home/accountname/public_html/forums/tmp/
If you're receiving complaints that your cPanel server is sending out spam, there is a fair chance that there is a malicious script somewhere on the server. It can be a little tricky to locate such a script, but here is a trick that may help:
Log into your WHM interface by using the root user and root password.
Click on 'Exim Configuration Editer' under 'Service Configuration'.
Click the box at the top labeled 'Switch to Advanced Mode (Edit Raw Configuration File)'.
Copy the following and paste into the top box:
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
Next, scroll down to the bottom and click the 'Save' button.
At this point, you can log out of WHM, and log into your server via SSH.
Now we want to watch the mail program's log files, to see where the messages are comming from on your server. Type the following at the command line:
tail -f /var/log/exim_mainlog | grep cwd
This will show exactly what is being logged by the mail server, but will only display the relevant lines.
The output will be something like the following. 'cwd', in this case stands for 'current working directory', or the place on the server where the messages originate.
cwd=/var/spool/exim --> This one is nothing to worry about; this is normal operation.
cwd=/tmp --> This is the temporary directory. If you see entries with this, you should probably investigate further.
cwd=/home/accountname/public_html/forums/tmp --> This one is definately something that should be investigated.
ls -la /home/accountname/public_html/forums/tmp --> This will list the directory's contents.
By listing the contents of the directory that looks suspicious (in this case, /home/accountname/public_html/forums/tmp), you can discover the name of the script. To check and see if it is currently running, type the following:
ps aux | grep
This will give an output that includes a number known as the process ID. You can stop the script by typing kill
rm /home/accountname/public_html/forums/tmp/
Frozen messages with Exim
What are frozen messages?
Frozen messages are messages that Exim will no longer attempt to deliver. You can thaw the message with:
exim -Mt [ ... ]
To remove all frozen messages:
exiqgrep -z -i | xargs exim -Mrm
To show frozen messages:
exim -bp | grep frozen
Freeze all queued messages from local user:
exiqgrep -i -f luser@localhost | xargs exim -Mf
Frozen messages are messages that Exim will no longer attempt to deliver. You can thaw the message with:
exim -Mt
To remove all frozen messages:
exiqgrep -z -i | xargs exim -Mrm
To show frozen messages:
exim -bp | grep frozen
Freeze all queued messages from local user:
exiqgrep -i -f luser@localhost | xargs exim -Mf
Finding Spam Scripts on cPanel
Finding Spam Scripts On cPanel
If a server is sending lots of spam, and no one knows why, there is a chance that the cause is a malicious script somewhere on the server. It can be a little tricky to locate such a script, but here's a trick that should help.
Log into WHM with root and the root password of the server.
Click on "Exim Configuration Editor" under "Service Configuration".
Click on the box at the top that says "Switch to Advanced Mode (Edit Raw Configuration File)".
Paste this into the top box:
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
That line is pretty long, be sure to copy all of it and realize it may span beyond your browser's window. Most web browsers should allow you to "triple click" in the above field and copy all of the text to your clip board but if not simply place your mouse on the far left of "log_selector" and drag the mouse to your right until you have "+tls_peerdn" highlighted.
Once you've copied that into the Exim editor box, scroll all the way down and click the little "Save" button.
Now you're done in WHM. You can close out of the window, or leave it open if you plan on coming back to remove your addition to the Exim.conf. This change will slow Exim a little, so if you have a busy mailserver it's best to remove this modification when you're done.
Login to the server via ssh.
Watch the outgoing message log to see what directory messages are being sent from. This command works wonders:
tail -f /var/log/exim_mainlog | grep cwd
Note: cwd stands for current working directory.
This is quite normal: cwd=/var/spool/exim
This warrants investigation, but might be legit: cwd=/tmp
This is generally bad: cwd=/home/h4x0r/public_html/forums/tmp
If a server is sending lots of spam, and no one knows why, there is a chance that the cause is a malicious script somewhere on the server. It can be a little tricky to locate such a script, but here's a trick that should help.
Log into WHM with root and the root password of the server.
Click on "Exim Configuration Editor" under "Service Configuration".
Click on the box at the top that says "Switch to Advanced Mode (Edit Raw Configuration File)".
Paste this into the top box:
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
That line is pretty long, be sure to copy all of it and realize it may span beyond your browser's window. Most web browsers should allow you to "triple click" in the above field and copy all of the text to your clip board but if not simply place your mouse on the far left of "log_selector" and drag the mouse to your right until you have "+tls_peerdn" highlighted.
Once you've copied that into the Exim editor box, scroll all the way down and click the little "Save" button.
Now you're done in WHM. You can close out of the window, or leave it open if you plan on coming back to remove your addition to the Exim.conf. This change will slow Exim a little, so if you have a busy mailserver it's best to remove this modification when you're done.
Login to the server via ssh.
Watch the outgoing message log to see what directory messages are being sent from. This command works wonders:
tail -f /var/log/exim_mainlog | grep cwd
Note: cwd stands for current working directory.
This is quite normal: cwd=/var/spool/exim
This warrants investigation, but might be legit: cwd=/tmp
This is generally bad: cwd=/home/h4x0r/public_html/forums/tmp
Reset MySQL Root Password
1. Log on to your system via RDP as Administrator.
2. Stop the MySQL server if it is running. For a server that is running as a Windows service, go to the Services manager:
Start Menu -> Control Panel -> Administrative Tools -> Services
Then find the MySQL service in the list, and stop it.
If your server is not running as a service, you may need to use the Task Manager to force it to stop.
3. Create a text file and place the following command within it on a single line:
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPassword');
Save the file with any name. For this example the file will be C:\mysql-init.txt.
4. Open a console window to get to the DOS command prompt:
Start Menu -> Run -> cmd
5. Assuming that MySQL is installed to D:\mysql. If MySQL is installed to another location, adjust the following commands accordingly.
At the DOS command prompt, execute this command:
D:\> D:\mysql\bin\mysqld-nt --init-file=C:\mysql-init.txt
The contents of the file named by the --init-file option are executed at server startup, changing the root password. After the server has started successfully, you should delete C:\mysql-init.txt.
If you install MySQL using the MySQL Installation Wizard, you may need to specify a --defaults-file option:
D:\> "D:\MySQL\MySQL Server 5.1\bin\mysqld-nt.exe"
--defaults-file="D:\MySQL\MySQL Server 5.1\my.ini"
--init-file=C:\mysql-init.txt
The appropriate --defaults-file setting can be found using the Services Manager:
Start Menu -> Control Panel -> Administrative Tools -> Services
Find the MySQL service in the list, right-click on it, and choose the Properties option. The Path to executable field contains the --defaults-file setting.
6. Stop the MySQL server, then restart it in normal mode again. If you run the server as a service, start it from the Windows Services window. If you start the server manually, use whatever command you normally use.
7. You should be able to connect using the new password.
2. Stop the MySQL server if it is running. For a server that is running as a Windows service, go to the Services manager:
Start Menu -> Control Panel -> Administrative Tools -> Services
Then find the MySQL service in the list, and stop it.
If your server is not running as a service, you may need to use the Task Manager to force it to stop.
3. Create a text file and place the following command within it on a single line:
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPassword');
Save the file with any name. For this example the file will be C:\mysql-init.txt.
4. Open a console window to get to the DOS command prompt:
Start Menu -> Run -> cmd
5. Assuming that MySQL is installed to D:\mysql. If MySQL is installed to another location, adjust the following commands accordingly.
At the DOS command prompt, execute this command:
D:\> D:\mysql\bin\mysqld-nt --init-file=C:\mysql-init.txt
The contents of the file named by the --init-file option are executed at server startup, changing the root password. After the server has started successfully, you should delete C:\mysql-init.txt.
If you install MySQL using the MySQL Installation Wizard, you may need to specify a --defaults-file option:
D:\> "D:\MySQL\MySQL Server 5.1\bin\mysqld-nt.exe"
--defaults-file="D:\MySQL\MySQL Server 5.1\my.ini"
--init-file=C:\mysql-init.txt
The appropriate --defaults-file setting can be found using the Services Manager:
Start Menu -> Control Panel -> Administrative Tools -> Services
Find the MySQL service in the list, right-click on it, and choose the Properties option. The Path to executable field contains the --defaults-file setting.
6. Stop the MySQL server, then restart it in normal mode again. If you run the server as a service, start it from the Windows Services window. If you start the server manually, use whatever command you normally use.
7. You should be able to connect using the new password.
Blocking IP addresses from accessing your websites in IIS
To block IP addresses from accessing your website you need to block them in IIS's "Directory Security" block lists. You have two options when applying these IP blocks, you can either apply them so that the IPs can not access any of the websites on your server or only specific sites.
Step 1) Remote Desktop into your server using and account with administrator privileges
Step 2) Click Start>Control Panel>Administrative Tools
Step 3) Open Computer Management
Step 4) Scroll Down to and Select Internet Information Services (IIS) Manager
Step 5a) To block an IP from accessing all websites on your server right click on the "Web Sites" entry on the right side of the window.
Step 5b) To block an IP from accessing only a particular website double click on the "Web Sites" entry on the right side of the window. It should now display a list of websites hosted on your server. Right click on the necessary website.
Step 6) After right clicking a popup menu should be displayed, select properties
Step 7) Select the "Directory Security" tab and click edit in the IP address and domain name restrictions section ( It will be the middle section, second button from the top)
Step 8) A new window should open. There should be a black dot next to the "Granted Access" radio which means that all IPs can access your web server. Click the add button which will open a new window that lets you block specific IP addresses.
Step 9a) To block a single IP select the "Single Computer" radio button and type in the IP address in the white box towards the bottom.
Step 9b) To block a group of computers based off their netblock select the "group of computers" radio button and type in the IP address and Subnet mask into their appropriate boxes.
Step 10) Click the "OK" button
Step 11) Repeat steps 8-10 until all IPs are blocked.
Step 12) On the left hand tree, right click on the "Internet Information Services (IIS) Manager" entry and select All Tasks > Restart IIS. Your server should now block access from those IP to your websites.
To removing IP from the block list repeat steps 1-7 from above to get back to the "IP Address and Domain Name Restrictions" window. Once there select the IP rule from the "Except the following:" list and click the remove button. Once all IPs have been removed restart IIS as described in step 12. It should be stated that if you find yourself applying large amounts of rules you might want to consider the purchasing of a firewall solution as your server's performance would suffer less by blocking offending traffic from ever reaching the server in the first place.
Step 1) Remote Desktop into your server using and account with administrator privileges
Step 2) Click Start>Control Panel>Administrative Tools
Step 3) Open Computer Management
Step 4) Scroll Down to and Select Internet Information Services (IIS) Manager
Step 5a) To block an IP from accessing all websites on your server right click on the "Web Sites" entry on the right side of the window.
Step 5b) To block an IP from accessing only a particular website double click on the "Web Sites" entry on the right side of the window. It should now display a list of websites hosted on your server. Right click on the necessary website.
Step 6) After right clicking a popup menu should be displayed, select properties
Step 7) Select the "Directory Security" tab and click edit in the IP address and domain name restrictions section ( It will be the middle section, second button from the top)
Step 8) A new window should open. There should be a black dot next to the "Granted Access" radio which means that all IPs can access your web server. Click the add button which will open a new window that lets you block specific IP addresses.
Step 9a) To block a single IP select the "Single Computer" radio button and type in the IP address in the white box towards the bottom.
Step 9b) To block a group of computers based off their netblock select the "group of computers" radio button and type in the IP address and Subnet mask into their appropriate boxes.
Step 10) Click the "OK" button
Step 11) Repeat steps 8-10 until all IPs are blocked.
Step 12) On the left hand tree, right click on the "Internet Information Services (IIS) Manager" entry and select All Tasks > Restart IIS. Your server should now block access from those IP to your websites.
To removing IP from the block list repeat steps 1-7 from above to get back to the "IP Address and Domain Name Restrictions" window. Once there select the IP rule from the "Except the following:" list and click the remove button. Once all IPs have been removed restart IIS as described in step 12. It should be stated that if you find yourself applying large amounts of rules you might want to consider the purchasing of a firewall solution as your server's performance would suffer less by blocking offending traffic from ever reaching the server in the first place.
Blocking IP addresses from accessing your ftp accounts in IIS
To block IP addresses from accessing your ftp accounts you need to block them in IIS's "Directory Security" block lists. You have two options when applying these IP blocks, you can either apply them so that the IPs can not access any ftp account on your server or only specific ones.
Step 1) Remote Desktop into your server using and account with administrator privileges
Step 2) Click Start>Control Panel>Administrative Tools
Step 3) Open Computer Management
Step 4) Scroll Down to and select Internet Information Services (IIS) Manager
Step 5a) To block an IP from accessing all ftp sites on your server right click on the "FTP Sites" entry on the right side of the window.
Step 5b) To block an IP from accessing only a particular ftp site double click on the "FTP Sites" entry on the right side of the window. It should now display a list of websites hosted on your server. Right click on the necessary ftp account.
Step 6) After right clicking a popup menu should be displayed, select properties
Step 7) Select the "Directory Security" tab. There should be a black dot next to the "Granted Access" radio which means that all IPs can access your ftp accounts. Click the add button which will open a new window that lets you block specific IP addresses.
Step 9a) To block a single IP select the "Single Computer" radio button and type in the IP address in the white box towards the bottom.
Step 9b) To block a group of computers based on their netblock, select the "group of computers" radio button and type in the IP address and Subnet mask.
Step 10) Click the "OK" button
Step 11) Repeat steps 8-10 until all IPs are blocked.
Step 12) On the left hand tree, right click on the "Internet Information Services (IIS) Manager" entry and select All Tasks > Restart IIS. Your server should now block access from those IP to your ftp accounts
To removing IPs from the block list
Step 1) Repeat steps 1-7 from above to get back to the "IP Address and Domain Name Restrictions" window.
Step 2) Select the IP rule from the "Except the following:" list and click the remove button.
Step 3) On the left hand tree, right click on the "Internet Information Services (IIS) Manager" entry and select All Tasks > Restart IIS.
If you find yourself applying large amounts of rules to your server it might be time to consider a true firewall based solution as your server's performance would suffer less by blocking offending traffic from ever reaching the server in the first place.
Step 1) Remote Desktop into your server using and account with administrator privileges
Step 2) Click Start>Control Panel>Administrative Tools
Step 3) Open Computer Management
Step 4) Scroll Down to and select Internet Information Services (IIS) Manager
Step 5a) To block an IP from accessing all ftp sites on your server right click on the "FTP Sites" entry on the right side of the window.
Step 5b) To block an IP from accessing only a particular ftp site double click on the "FTP Sites" entry on the right side of the window. It should now display a list of websites hosted on your server. Right click on the necessary ftp account.
Step 6) After right clicking a popup menu should be displayed, select properties
Step 7) Select the "Directory Security" tab. There should be a black dot next to the "Granted Access" radio which means that all IPs can access your ftp accounts. Click the add button which will open a new window that lets you block specific IP addresses.
Step 9a) To block a single IP select the "Single Computer" radio button and type in the IP address in the white box towards the bottom.
Step 9b) To block a group of computers based on their netblock, select the "group of computers" radio button and type in the IP address and Subnet mask.
Step 10) Click the "OK" button
Step 11) Repeat steps 8-10 until all IPs are blocked.
Step 12) On the left hand tree, right click on the "Internet Information Services (IIS) Manager" entry and select All Tasks > Restart IIS. Your server should now block access from those IP to your ftp accounts
To removing IPs from the block list
Step 1) Repeat steps 1-7 from above to get back to the "IP Address and Domain Name Restrictions" window.
Step 2) Select the IP rule from the "Except the following:" list and click the remove button.
Step 3) On the left hand tree, right click on the "Internet Information Services (IIS) Manager" entry and select All Tasks > Restart IIS.
If you find yourself applying large amounts of rules to your server it might be time to consider a true firewall based solution as your server's performance would suffer less by blocking offending traffic from ever reaching the server in the first place.
How to perform a traceroute using Windows
If you are unable to connect to your server, we may ask you to submit the results of a traceroute from your location to your server.
To perform a traceroute in Windows you need start a command prompt, goto start then run and enter "cmd" as the command. Once you have the command prompt enter "tracert (the ip address or hostname of your server) > C:\tracert.txt" and press enter. Wait for the command prompt to return to signify that the trace has completed. You can open up the file named tracert.txt on the C drive with a text editor to copy and paste the contents as needed.
To perform a traceroute in Windows you need start a command prompt, goto start then run and enter "cmd" as the command. Once you have the command prompt enter "tracert (the ip address or hostname of your server) > C:\tracert.txt" and press enter. Wait for the command prompt to return to signify that the trace has completed. You can open up the file named tracert.txt on the C drive with a text editor to copy and paste the contents as needed.
Binding an IP Address to a Windows Server
Binding an IP Address to a Windows Server
This is the procedure for binding additional IP addresses to a Windows server without a control panel. If you are using the Plesk control panel environment, you should bind the IP address using the panel.
Log into your server using Remote Desktop.
Go to Start->Settings->Control Panel -> Network Connections
Right click on the server’s public interface and go to Properies.
Select TCP/IP and click Properies and to go Advanced. Click the Add button and enter the new IP address and subnet mask. These will be listed in your IP request ticket. Repeat if you are binding multiple addresses.
Once done exit from the Network Properties dialog. The new IP addresses are now ready to use.
This is the procedure for binding additional IP addresses to a Windows server without a control panel. If you are using the Plesk control panel environment, you should bind the IP address using the panel.
Log into your server using Remote Desktop.
Go to Start->Settings->Control Panel -> Network Connections
Right click on the server’s public interface and go to Properies.
Select TCP/IP and click Properies and to go Advanced. Click the Add button and enter the new IP address and subnet mask. These will be listed in your IP request ticket. Repeat if you are binding multiple addresses.
Once done exit from the Network Properties dialog. The new IP addresses are now ready to use.
How to find the uptime of your Windows server ?
How to find the uptime of your Windows server
From the command line (Start -> Run... -> cmd) enter:
systeminfo | find "System Up Time"
From the command line (Start -> Run... -> cmd) enter:
systeminfo | find "System Up Time"
How to block an IP using IIS
To block an IP completely from all websites:
* Right click on Web Sites, select Properties
- In the "Directory Security" tab, click the "Edit" button in the "IP addresses and domain name restrictions" section
- Click on the "Add" button and enter the IP you want to block, then click "OK"
- Click "OK" to exit "IP addresses and domain name restrictions"
- Click "OK" to exit "Web Sites Properties"
- Right click "Internet Information Services", hover over "All Tasks", then select "Restart IIS"
- The offending IP is now completely blocked from accessing any of your websites
To block an IP from just 1 site:
* Right click on Web Sites, select Properties
- In the "Directory Security" tab, click the "Edit" button in the "IP addresses and domain name restrictions" section
- Click the "Add" button and enter the IP you want to block, then click "OK"
- Click "OK" to exit "IP addresses and domain name restrictions"
- Click "OK" to exit "Web Sites Properties"
- Right click on "Internet Information Services", hover over "All Tasks", then click "Restart IIS"
- The offending IP is now completely blocked from accessing this particular site.
* Right click on Web Sites, select Properties
- In the "Directory Security" tab, click the "Edit" button in the "IP addresses and domain name restrictions" section
- Click on the "Add" button and enter the IP you want to block, then click "OK"
- Click "OK" to exit "IP addresses and domain name restrictions"
- Click "OK" to exit "Web Sites Properties"
- Right click "Internet Information Services", hover over "All Tasks", then select "Restart IIS"
- The offending IP is now completely blocked from accessing any of your websites
To block an IP from just 1 site:
* Right click on Web Sites, select Properties
- In the "Directory Security" tab, click the "Edit" button in the "IP addresses and domain name restrictions" section
- Click the "Add" button and enter the IP you want to block, then click "OK"
- Click "OK" to exit "IP addresses and domain name restrictions"
- Click "OK" to exit "Web Sites Properties"
- Right click on "Internet Information Services", hover over "All Tasks", then click "Restart IIS"
- The offending IP is now completely blocked from accessing this particular site.
Is it possible to setup a scheduled task that will run a web page rather having to log into the server each time and run it manually?
Is it possible to setup a scheduled task that will run a web page rather having to log into the server each time and run it manually?
Yes this is possible within Windows scheduled tasks. Follow these instructions for setting this feature up:
1. Log into your server, open Control Panel, and open Scheduled Tasks.
2. Double click on Add Scheduled Task.
3. Click next on the opening screen.
4. The next screen will give you the ability to select an existing registered application. Scroll down and find Internet Explorer, select this and click Next *
5. On the next screen, select how often you wish to have the task run and provide a unique name for the task.
6. After you click next, select the time you want to have your task run each interval that you selected.
7. Click next again and you will have to provide credentials of an account that has the ability to run scheduled tasks (by default this is normally the Administrator account).
8. Click next again, select Advanced Properties and hit Finish. Within Advanced Properties (on the Task tab) the Run line will have the path to Internet Explorer
9. Go to the end of the path and enter in the web page you wish to run with this particular task (http://www.yourdomain.com/pagetorun.asp)
10. Click on the Schedule tab to verify your task interval settings.
11. Click on the Settings tab and you will want to select the check box (Stop the task if it runs for).
12. Enter in 1 hour for a default value – if your task runs every 30 minutes, then in the minutes option, enter 15 minutes.
13. Click OK and supply your security credentials to verify the changes you have made to the scheduled task.
Your scheduled task is now setup and ready to run. Verify that the task if executing properly by reviewing the Scheduled Task manager. If you see a Last Result value of 0x0, your task is running without any issues. Secondly, verify that the task is processing the updates as you want within your application.
*NOTE: for those who setup the scheduled task, if you do not see Internet Explorer in your list of applications, you can enter the path manually with the following: C:\PROGRA~1\INTERN~1\iexplore.exe.
Yes this is possible within Windows scheduled tasks. Follow these instructions for setting this feature up:
1. Log into your server, open Control Panel, and open Scheduled Tasks.
2. Double click on Add Scheduled Task.
3. Click next on the opening screen.
4. The next screen will give you the ability to select an existing registered application. Scroll down and find Internet Explorer, select this and click Next *
5. On the next screen, select how often you wish to have the task run and provide a unique name for the task.
6. After you click next, select the time you want to have your task run each interval that you selected.
7. Click next again and you will have to provide credentials of an account that has the ability to run scheduled tasks (by default this is normally the Administrator account).
8. Click next again, select Advanced Properties and hit Finish. Within Advanced Properties (on the Task tab) the Run line will have the path to Internet Explorer
9. Go to the end of the path and enter in the web page you wish to run with this particular task (http://www.yourdomain.com/pagetorun.asp)
10. Click on the Schedule tab to verify your task interval settings.
11. Click on the Settings tab and you will want to select the check box (Stop the task if it runs for).
12. Enter in 1 hour for a default value – if your task runs every 30 minutes, then in the minutes option, enter 15 minutes.
13. Click OK and supply your security credentials to verify the changes you have made to the scheduled task.
Your scheduled task is now setup and ready to run. Verify that the task if executing properly by reviewing the Scheduled Task manager. If you see a Last Result value of 0x0, your task is running without any issues. Secondly, verify that the task is processing the updates as you want within your application.
*NOTE: for those who setup the scheduled task, if you do not see Internet Explorer in your list of applications, you can enter the path manually with the following: C:\PROGRA~1\INTERN~1\iexplore.exe.
Subscribe to:
Posts (Atom)
