Monday, March 10, 2008

Kill nobody /user process

Kill nobody process

ps aux | grep nobody | awk '{print $2}' | xargs kill -9

Kill user process

ps aux | grep apache | awk '{print $2}' | xargs kill -9

Pure FTP timeouts

Error ::
425 Could not open data connection to port 1222: Connection timed out
FIX
Add the ports in pure-ftpd.conf and conf.apf
nano /etc/pure-ftpd.conf
Uncomment and add the port range 30000 50000
PassivePortRange 30000 50000
/etc/init.d/pure-ftpd restart
nano /etc/apf/conf.apf
Add tcp port : 50000_51000
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,161,443,465,623,993,995,2082,2083,2086,2087,2095,2096,3306,3389,6666,8021,50000_51000"
/etc/init.d/apf restart
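
A consistency check for the two files edited above, added here as an example (it is not part of the original post): it reads PassivePortRange from a Pure-FTPd config and tests whether the whole range sits inside one entry of APF's IG_TCP_CPORTS. The function names and the shortened sample files are constructed for illustration; the real file paths are passed as arguments.

```sh
#!/bin/sh
# Added example: is Pure-FTPd's passive range fully opened in APF?

# passive_range_open <pure-ftpd.conf> <conf.apf>
# Returns 0 if one IG_TCP_CPORTS entry covers the whole range, 1 if not,
# 2 if either setting cannot be read.
passive_range_open() {
    ftp_conf=$1
    apf_conf=$2

    # Last uncommented "PassivePortRange <low> <high>" line wins.
    range=$(awk '$1 == "PassivePortRange" { lo = $2; hi = $3 }
                 END { if (lo != "") print lo, hi }' "$ftp_conf")
    [ -n "$range" ] || { echo "no PassivePortRange in $ftp_conf"; return 2; }

    # APF lists single ports and low_high ranges, comma separated.
    ports=$(sed -n 's/^[[:space:]]*IG_TCP_CPORTS="\{0,1\}\([0-9_,]*\).*/\1/p' \
            "$apf_conf" | tail -n 1)
    [ -n "$ports" ] || { echo "no IG_TCP_CPORTS in $apf_conf"; return 2; }

    echo "$range $ports" | awk '{
        lo = $1 + 0; hi = $2 + 0
        n = split($3, entry, ",")
        for (i = 1; i <= n; i++) {
            m = split(entry[i], b, "_")
            a_lo = b[1] + 0
            a_hi = (m == 2) ? b[2] + 0 : a_lo
            if (a_lo <= lo && hi <= a_hi) {
                print "OK: " lo "-" hi " is inside " entry[i]
                exit 0
            }
        }
        print "MISMATCH: " lo "-" hi " is not fully opened in IG_TCP_CPORTS"
        exit 1
    }'
}

# Constructed sample input: the values shown in the post, port list shortened.
demo_page_values() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '# PassivePortRange 30000 50000' \
                  'PassivePortRange 30000 50000' > "$d/pure-ftpd.conf"
    printf '%s\n' '# Common ingress (inbound) TCP ports' \
                  'IG_TCP_CPORTS="20,21,22,80,443,50000_51000"' > "$d/conf.apf"
    rc=0
    passive_range_open "$d/pure-ftpd.conf" "$d/conf.apf" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage on a real server:
#   passive_range_open /etc/pure-ftpd.conf /etc/apf/conf.apf
```

Run on the values shown above, the check reports a mismatch, because 30000-50000 does not fall inside 50000_51000; the two settings need to name the same range for passive transfers to get through.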

How do I automate backup operations in Virtuozzo?

VPS backups can be created using the vzbackup utility. It should be run on the backup node. You can restore any backup using the vzrestore utility. To configure vzbackup you should do the following:
1. Check global vzbackup configuration file /etc/vzbackup.conf file on the backup node for backup parameters (pay attention to $BACKUP_DIR parameter).
If you are going to make backups using cronjob, set the following parameters:
# Backup directory - where the backups will be stored, e.g
BACKUP_DIR="/vz/backups"
# backup type. Supported types are "full", "initial incremental" and
# "incremental". Default is incremental. If it is impossible to do
# "incremental" then "initial incremental" will be done.
BACKUP_TYPE="i"
# Backup cron mode
CRON_BACKUP="yes"
# List of nodes to backup.
BACKUP_NODES=""
# e-mails to send notifications on backup
BACKUP_NOTIFY_EMAIL=root@myserver.com
2. Create directory
# mkdir /vz/backups
3. Add the following command to the crontab on the backup node:
# vzbackup -i -p -a
4. Make sure root user of the backup node is able to access all hardware nodes without a password (propagate DSA public keys).

How do I create VPS with guaranteed amount of RAM (256M, 512M, etc.)?

Virtuozzo is shipped with sample configuration files which allow you to allocate 256, 512, 1024, or 2048 MB of memory for a VPS. These samples can be found in the /etc/sysconfig/vz-scripts/ directory on the hardware node (ve-vps.256MB.conf-sample, ve-vps.512MB.conf-sample, ve-vps.1024MB.conf-sample, ve-vps.2048MB.conf-sample).
To create VPS #101 using one of these configuration files, use
# vzctl create 101 --config vps.512MB --pkgset fedora-core-2
To apply a configuration sample to an already created VPS, use the --applyconfig option of the vzctl utility. The same operation can be done using Virtuozzo Management Console or Virtuozzo Control Center.

How do I compile some application from sources inside a VPS? It does not seem to have gcc installed.

# vzpkgadd 101 devel-fc2

How do I add or remove an IP address to a VPS?

# vzctl set 101 --ipadd ipaddress --save

How do I perform some action for all VPSes on the hardware node?

List the IDs of all VPSes:
# vzlist -o veid -H
Then loop over them, for example to run ps ax inside each VPS:
# for vps in `vzlist -o veid -H`; do
vzctl exec $vps ps ax
done

How do I determine which VPS the process runs on?

# vzpid 10031
Pid VEID Name
10031 113 httpsd

My VPS is hacked / compromised. How do I repair or reinstall it?

* Virtuozzo for Linux
There are two ways of restoring a VPS which has been hacked or cannot be started for some other reason. Please make sure that you have created a full backup of the VPS before applying either of the following solutions.
Solution #1:
# vzctl recover 101
This command will reinstall the OS template and all application templates which were previously installed on the VPS. This makes it possible to start a broken VPS, but it does not guarantee that any rootkits present are removed.

Solution #2:
# vzctl reinstall 101
This command will create a brand new VPS on the same OS template as the broken one, install the same application templates into it, and restore users' credentials. The contents of the old VPS will be copied into the /old directory.

What does [FAIL] warning in vzstat output mean?

Product versions this article applies to:
* Virtuozzo for Linux
Configuration file /etc/vzstat.conf on the hardware node contains thresholds for the following parameters: CPU latency, memory latency, amount of free swapspace, diskspace, etc. You can define your own warning and error levels for any parameter. For example, for swap size:
# Swap free, % limit
# if swap space is heavily used, i.e. swap free < SWAP_FREE_X than
# it's highlighted with yellow (WARN level) or red (ERR level)
SWAP_FREE_WARN=75
SWAP_FREE_ERR=50

How do I regenerate the SSL certificate for VZPP/VZCC (in Service VE)?

APPLIES TO:

  • Virtuozzo for Linux

RESOLUTION

You may generate your own SSL certificate and install it into the Service VE; it will be used by the VZPP and VZCC panels. This link http://www.modssl.org/docs/2.8/ssl_faq.html#ToC24 describes how to create certificates.

There is no need to do this inside the Service VE on the Virtuozzo node; any machine with OpenSSL installed will do. When you have both the certificate and the private key, you can either put them in the default files:

/etc/httpd/conf/ssl.key/server.key (private key)

/etc/httpd/conf/ssl.crt/server.crt (certificate)

or you can define your own location for key/certificate pair in the /etc/vzcp/httpd.conf file inside Service VE.

Restart the services for the changes to take effect:

# service httpd restart

# service vzcp restart


Mysql failed to start on :: vps Virtuozzo (cpanel)

Error

-bash-3.00# /etc/init.d/mysql start
Starting MySQL/etc/init.d/mysql: line 159: kill: (11515) - No such process
ERROR!
touch: cannot touch `/var/lock/subsys/mysql': Disk quota exceeded

Fix

Check Inodes of the VPS, increase Inodes.
Then Restart the mysql service
/scripts/restartsrv_mysql

How do I solve vzquota error: "vzquota : (error) Quota on syscall for 101: Device or resource busy"?

Please make sure there are no open files inside VE root and/or private area (and your current working directory is not inside VE root/private area) by running the following command on the hardware node:
# lsof 2> /dev/null | egrep '/vz/root/101|/vz/private/101'

If there are any processes which hold a directory inside VE root/private area - kill them.

Source :: http://kb.swsoft.com/en/671

How do I change system time or timezone in a VPS?

You cannot change system time in a VPS because all VPSes on the hardware node have the same system time. However, it is possible to change the default system timezone inside a VPS, for example, by replacing /etc/localtime with the file from /usr/share/zoneinfo which contains a description of your timezone.

How do I add or remove an IP address to a VPS?

# vzctl set 101 --ipadd 192.168.0.1 --save

What does OFFLINE_MANAGEMENT ('Enable Offline Management') option mean?

To simplify the usage of Virtuozzo Power Panel by a VPS owner, the VZPP web interface can be accessible on the VPS IP address. By default, port 4643 is used. If the VPS has an IP address 192.168.0.1 assigned, the VZPP management interface is accessible at https://192.168.0.1:4643 even if the VPS is stopped. VZPP accessibility on the VPS IP address is controlled by the OFFLINE_MANAGEMENT per-VPS configuration parameter. By default, it is set to "yes". To enable/disable it for VPS #101 use the following commands:

# vzctl set 101 --offline_management=yes --save
# vzctl set 101 --offline_management=no --save

My VPS does not start. What should I check?

1. VPS starts, but then just shuts down in a few minutes.
You don't have valid Virtuozzo license installed. Please check the output of vzlicview command, the status of the license should be ACTIVE. Check /var/log/messages. More information about Virtuozzo licenses can be found in this article.
2. VPS cannot be started because it is locked.
Please follow the instructions from this article.
3. VPS starts but displays an error "/bin/bash: no such file" or similar.
The owner of the VPS could remove some important package such as bash or glibc. The VPS can also be compromised, see below.
4. The VPS starts but a segmentation fault occurs very soon after starting.
The VPS can be compromised, please check the corresponding article.

How do I determine that my VPS is hacked / compromised?

* Virtuozzo for Linux
VPS can be compromised if its owner uses insecure or out-of-date software. To detect if VPS #101 has any rootkits installed, one can use chkrootkit utility either inside a VPS or (better) on a hardware node, using -r /vz/root/101 parameter. There is also a way to determine which packages were modified on a VPS:
# /usr/share/vzpkgtools/vzrpm/bin/rpm --root=/vz/root/101 --veid 101 -Va | egrep '^..5|missing'
This command shows files which were modified or removed.
Follow the instructions from the corresponding article to repair hacked VPS.

Installing mod_evasive

Installing mod_evasive (formerly known as mod_dosevasive)
Log in to your server and execute

cd /usr/local/src
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -zxvf mod_evasive_1.10.1.tar.gz
cd mod_evasive

For apache 2.0.x
/usr/sbin/apxs -cia mod_evasive20.c

Then add this to httpd.conf

DOSHashTableSize 3097
DOSPageCount 6
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600

For apache 1.3.x

/usr/local/apache/bin/apxs -cia mod_evasive.c

Then add this to httpd.conf

DOSHashTableSize 3097
DOSPageCount 6
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600

Now just restart apache and the installation is complete.
/etc/init.d/httpd restart

First aid for DDOS attack on port 80

We can use the following steps to recover our server from a DDOS attack on the port 80. To do this you must have logged into the server as a root user.
Step 1 : Install/Configure APF firewall
a) If no firewall is installed on the server, install APF; the steps and directions are available from the following site.
http://www.webhostgear.com/61.html

b) Turn on the antidos option (USE_AD) in the APF conf file
# vi /etc/apf/conf.apf
USE_AD="1"
Step 2 : Install/Configure mod_evasive (for Apache 1.3x)
mod_evasive and mod_dosevasive are the same
a) Install mod_evasive
# wget http://www.zdziarski.com/projects/mo..._1.10.1.tar.gz
# tar -xzvf mod_evasive_1.10.1.tar.gz
# cd mod_evasive
# /usr/local/apache/bin/apxs -i -a -c mod_evasive.c
# /etc/init.d/httpd restart
b) Also include the following lines in the apache conf file
# vi /usr/local/apache/conf/httpd.conf

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10

c) Restart the webserver
# /etc/init.d/httpd restart

Step 3 : Install mod_security

Normally we can find/install this module from WHM
WHM >> cPanel >> Addon Modules >> Select "modsecurity " >>save

Step 4 : Blocking IPs

a) Find the IPs that have established a connection with the server
(The following command is the better one to get the IPs, as this will sort the IPs according to the number of connections).

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

b) Block them using IPTABLES
# iptables -I INPUT -s 218.92.207.28 -j DROP
# service iptables save
# service iptables restart

c) Block them on APF too

# vi /etc/apf/deny_hosts.rules
# service apf restart
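
The counting pipeline from step 4a, as an added example that is not part of the original post: it reports only remote addresses at or above a connection threshold, skips loopback, and handles the `::ffff:` IPv4-mapped form that `cut -d: -f1` turns into an empty field. The function names, the threshold and the sample netstat lines (documentation address ranges) are constructed for illustration.

```sh
#!/bin/sh
# Added example: per-IP connection counts from `netstat -ntu`, with a threshold.

# top_talkers <min_connections>
# Reads netstat output on stdin and prints "<count> <ip>" for every remote
# IPv4 address with at least <min_connections> connections, busiest first.
top_talkers() {
    min=${1:-20}
    awk -v min="$min" '
        # Data lines start with tcp/udp; column 5 is the foreign ip:port.
        $1 ~ /^(tcp|udp)/ {
            ip = $5
            sub(/:[0-9*]+$/, "", ip)     # strip the port
            sub(/^::ffff:/, "", ip)      # IPv4-mapped IPv6 form
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
                ip !~ /^127\./ && ip != "0.0.0.0")
                count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample of `netstat -ntu` output.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.10:80        203.0.113.7:51514       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.7:51515       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.7:51516       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.7:51517       TIME_WAIT
tcp        0      0 198.51.100.10:80        192.0.2.44:40022        ESTABLISHED
tcp6       0      0 ::ffff:198.51.100.10:80 ::ffff:192.0.2.44:40023 ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:48210         ESTABLISHED
udp        0      0 198.51.100.10:41000     198.51.100.53:53        ESTABLISHED
EOF
}

# Usage on a live server:
#   netstat -ntu | top_talkers 50
```

Review the list before blocking anything from it: proxies, monitoring hosts and your own address can legitimately hold many connections.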

Step 5 : Optimizing the httpd.conf file

# vi /usr/local/apache/conf/httpd.conf

Change the options below as follows; the original values are shown in brackets.

MaxKeepAliveRequests 50 (100)
KeepAliveTimeout 60 (30)

Also edit the following options too, according to the situation.
Timeout
KeepAlive
MinSpareServers
MaxSpareServers
MaxClients

Step 6 : Install/Configure 3rd party DDOS prevention tools

We can also use the most trusted 3rd party script 'DDoS-Deflate' for preventing DDOS attacks effectively. Steps to install this script are as follows.
# wget http://www.inetbase.com/scripts/ddos/install.sh
# sh install.sh
Add the script '/usr/local/ddos/ddos.sh' to cron as follows
# crontab -e
*/5 * * * * /usr/local/ddos/ddos.sh >/dev/null 2>&1

Step 7 : Suspend websites
Check the bandwidth usage of all the domains and suspend the high bandwidth consuming domains for a while.

PERMANENT WAY TO FIX THE DDOS ATTACK
As we all know, software has its own limitations in protecting against a DDOS attack; we can follow these steps to cure it permanently.
1. Ask the NOC for attaching Cisco Guard on the server for 24 hours (Normally this service is free from most NOCs)
2. Attach a hardware firewall for the server.

Hope this will help you in such a situation. For more information kindly refer to the following URL: http://forums.cpanel.net/showthread.php?t=66952

Securing tmp

What we are doing is creating a file that we will mount at /tmp.
CODE
cd /dev
Create 100MB file for our /tmp partition. If you need more space, make count size larger.
CODE
dd if=/dev/zero of=tmpMnt bs=1024 count=100000
Make an extended filesystem for our tmpMnt file
CODE
mke2fs /dev/tmpMnt
Backup your /tmp dir- I had mysql.sock file that I needed to recreate the symbolic link for. Other programs may use it to store cache files or whatever.
CODE
cd /
CODE
cp -R /tmp /tmp_backup
Mount the new /tmp filesystem with noexec
CODE
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
CODE
chmod 1777 /tmp   # world-writable with the sticky bit, the standard mode for /tmp
Copy everything back to new /tmp and remove backup
CODE
cp -R /tmp_backup/* /tmp/
CODE
rm -rf /tmp_backup
Now we need to add this to fstab so it mounts automatically on reboots.
CODE
pico -w /etc/fstab
You should see something like this:
CODE
/dev/hda3 / ext3 defaults,usrquota 1 1
/dev/hda1 /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/hda2 swap swap defaults 0 0
At the bottom add
CODE
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
(Each space is a tab)
Ctrl + X and Y
You're done: /tmp is now mounted as noexec. You can sleep a little bit safer tonight. I created a hello world c++ and compiled it then moved it to /tmp. Upon trying to run it (even chmod +x'ed), it gives the following error:
CODE
bash: ./a.out: Permission denied
YEAH! /tmp no longer has execute permissions

How to Install Root kit hunter

tar -zxvf rkhunter-1.3.0.tar.gz
cd rkhunter-1.3.0
chmod 755 installer.sh
./installer.sh --layout default --install
rkhunter --propupd
rkhunter --check
Issue the install command as root:
./installer.sh --layout default --install
Then update file property database:
rkhunter --propupd
To do root kit checks:
rkhunter --check
To check for updates:
rkhunter --update
Hopefully you don't find any rootkits on your system :)
How to setup a daily scan report?
pico /etc/cron.daily/rkhunter.sh
add the following replacing your email address:
#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" email@domain.com)
chmod +x /etc/cron.daily/rkhunter.sh
Updating rkhunter
gets the latest database updates from their central server and matches your OS better to prevent false positives.
rkhunter --update
I just got a false positive!! What do i do?
False positives are warnings which indicate there is a problem when there really isn't one. Example: some Linux distro updated a few commonly used binaries like `ls` and `ps`. You (as a good sysadmin) install the new packages and run (of course) the daily Rootkit Hunter scan. Rootkit Hunter isn't yet aware of these new files and while scanning it reports some "bad" files. In this case we have a false positive. You could always have your datacenter or a system administrator check out the server to verify that it is not compromised.
More information on rkhunter can be found here: http://www.rootkit.nl

How to disable mod_security for a single account

Introduction:
Having mod_security enabled on a server blocks commonly used methods of hacking websites, for example attacks against outdated or unpatched software.
Symptoms:
If you are receiving access denied message with error code 403 when you check the error logs for any account, it means mod_security rules are triggered.
Minor issues:
It’s applied for the entire server, so all websites are affected, even if there’s a secure software which doesn’t require security restrictions.
Fix :
You can disable mod_security for that account by adding the following directives to its .htaccess file

SecFilterEngine Off
SecFilterScanPOST Off


Solution by
http://howto4life.com/disable-mod_security-for-an-account/12/

How to restart ftp service

net stop MSFTPSvc
net start MSFTPSvc

How to Edit RDP properties

start->run->tscc.msc
double click RDP-Tcp
Network Adapter tab
select the required

Web Based MSSQL manager not working

Error
The web-based MSSQL manager is not working: when I go to http://mssql.domain.com and click on any link after it opens, it does not take me to the login page.

FIX
The problem with SQL admin has been caused by disabled ASP.NET 1.1 as web service extension. I went to IIS > Web service extensions > Allow ASP.NET 1.1. After that I got sql admin working

Detect and Clean a Hacked Server T0rnkit Tutorial

Tornkit is a rootkit, a set of programs that is used by an intruder to have unrestricted access to a compromised Linux system.

Tornkit also attempts to hide its presence. The t0rn rootkit is designed for speed. By that I mean that it was designed to install quickly on Linux machines. T0rn can do this because it takes very little skill to install and run. All of the binaries that the attacker would need come pre-compiled and the installation process is as simple as ./t0rn. T0rn comes standard with a log cleaner called t0rnsb, a sniffer named t0rns and a log parser called t0rnp.

I am including this so that you can all diagnose and clean up your hacked server.

First of all,

Login to WHM as root

Click Tweak Settings

and please remove the tick from "Allow cPanel users to reset their password via email"

Step 1. Run chkrootkit, and you will see some INFECTED lines. It will also report that some processes are hidden from ps

chkrootkit

Checking `ifconfig'... INFECTED

Checking `login'... INFECTED

Checking `pstree'... INFECTED

and also:

Checking `lkm'... You have X process hidden for ps command

Warning: Possible LKM Trojan installed

Step 2. /etc/init.d/syslog restart

Shutting down kernel logger: [ OK ]

Shutting down system logger: [ OK ]
Starting system logger: [FAILED]

Starting kernel logger: [ OK ]

Step 3. top

top: Error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory

Step 4. tail /etc/rc.d/rc.sysinit

# Xntps (NTPv3 daemon) startup..

/usr/sbin/xntps -q

OK.. looks like someone got to your server as well. Since we know what rootkit it is, let us investigate further.

Configuration files

/usr/include/file.h (for file hiding)

/usr/include/proc.h (for ps proc hiding)

/lib/lidps1.so (for pstree hiding)

/usr/include/hosts.h (for netstat and net-hiding)

/usr/include/log.h (for log hiding)

/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)

/dev/sdr0 (systems md5 checksum)

/lib/ldd.so {placing tks(sniffer), tkp(parser) and tksb(log cleaner)}

Infected Binaries:

top, ps, pstree, lsof, md5sum, dir, login, encrypt, ifconfig, find, ls, slocate, tks, tksb, top, tkp, netstat, pg, syslogd, sz

Infected Libraries:

libproc.a, libproc.so.2.0.6, libproc.so

BackDoor: (located at /lib/lblip.tk)

shdc

shhk.pub

shk

shrs
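
A one-pass check for the file indicators listed above, added as an example (it is not part of the original tutorial). It uses only shell built-in tests, since ls, find and ps are among the binaries the rootkit replaces, and it takes a root directory so it can be pointed at a mounted image such as /mnt/sysimage from rescue mode. The function names and the sample tree are constructed for illustration; a hit is a reason to investigate, not proof by itself.

```sh
#!/bin/sh
# Added example: look for the t0rn file indicators listed in this tutorial.

# t0rn_indicators [root]
# Prints every listed path that exists under <root> (default /), plus any
# xntps startup line in rc.sysinit. Returns 0 if nothing was found, 1 otherwise.
t0rn_indicators() {
    root=${1:-/}
    root=${root%/}
    found=0
    for p in \
        /usr/include/file.h /usr/include/proc.h /lib/lidps1.so \
        /usr/include/hosts.h /usr/include/log.h /lib/lblip.tk \
        /dev/sdr0 /lib/ldd.so /usr/sbin/xntps \
        /lib/lblip.tk/shdc /lib/lblip.tk/shhk.pub \
        /lib/lblip.tk/shk /lib/lblip.tk/shrs
    do
        # -L also catches dangling symlinks, which -e reports as absent
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "FOUND $root$p"
            found=$((found + 1))
        fi
    done

    # Startup entry the tutorial finds at the end of rc.sysinit
    sysinit=$root/etc/rc.d/rc.sysinit
    if [ -r "$sysinit" ]; then
        while IFS= read -r line; do
            case $line in
                *"/usr/sbin/xntps"*)
                    echo "FOUND startup entry in $sysinit: $line"
                    found=$((found + 1)) ;;
            esac
        done < "$sysinit"
    fi

    echo "$found indicator(s) under ${root:-/}"
    [ "$found" -eq 0 ]
}

# Constructed sample tree for trying the check without touching a real system.
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/include" "$d/lib/lblip.tk" "$d/etc/rc.d"
    : > "$d/usr/include/hosts.h"
    : > "$d/lib/lblip.tk/shk"
    printf '%s\n' '# Xntps (NTPv3 daemon) startup..' '/usr/sbin/xntps -q' \
        > "$d/etc/rc.d/rc.sysinit"
    echo "$d"
}

# Usage from rescue media:  t0rn_indicators /mnt/sysimage
```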

Now, let's start the cleaning process:

Step 1.

pico /etc/rc.d/rc.sysinit

remove the lines that show

# Xntps (NTPv3 daemon) startup..

/usr/sbin/xntps -q

Step 2.

reboot the system

WARNING: 2 servers got their kernel removed after reboot. If that happens to yours and that is what the datacenter reports after the reboot, please ask them to do the following:

reboot the system using the redhat CD into rescue mode

chroot to the /mnt/sysimage

reinstall kernel packages

that should fix it.

-- since already in rescue mode, perhaps also ask them to --force install the following rpm's

procps*.rpm

psmisc*.rpm

findutils*.rpm

fileutils*.rpm

util-linux*.rpm

net-tools*.rpm

textutils*.rpm

sysklogd*.rpm

Step 3.

After the system is up

cd /lib

rm -rf lblip.tk

Step 4.

remove the configuration files given above.

Step 5.

cat /etc/redhat-release

note down your version of redhat,

then from www.rpmfind.net search for the following rpm's

procps*.rpm

psmisc*.rpm

findutils*.rpm

fileutils*.rpm

util-linux*.rpm

net-tools*.rpm

textutils*.rpm

sysklogd*.rpm

-- and rpm --force install them

Step 6.

if you see the hosts.h file, it says to hide all IP's from

cat /usr/include/hosts.h

193.60

thus, if you want, you can block all the IP's from 193.60 to your server via iptables.

Step 7.

If all goes OK, please reboot the server, and run chkrootkit again.

That's it.

When I check my logs, I see a lot of messages about lame servers. What is that, and how do I fix it?

A lame server is one that is specified at the registrar to be authoritative for a domain, but the server itself is not set up in this manner. This is not a configuration issue on your end, but simply an informational message. If you do not want to see these notifications, you may put the following into your named.conf file at the top and restart Bind:
logging {
category lame-servers { null; };
};

What is round robin DNS?

Round robin DNS is a method by which a DNS record has more than one value. When a request is made to the DNS server which serves this record, the answer it gives alternates for each request. For instance, if you had two webservers that you wished to distribute requests between, you could set up your DNS zone thusly:
www IN A 1.2.3.4
IN A 2.3.4.5
When a query is made to the DNS server it will first give the IP of 1.2.3.4 for the www host. The next time a request is made for the IP of www, it will serve 2.3.4.5. This will alternate back and forth on each subsequent query.
While this is a form of load balancing, it should be noted that if one of the hosts becomes unavailable, the DNS server does not know this, and will still continue to give out the IP of the downed server.

What is a reverse DNS record?

A reverse DNS record (also known as a PTR record) is a reverse mapping from IP to name. For instance, when a lookup is made on the IP of 1.2.3.4, it should come back with host.mydomain.com. It is a very good idea to have the hostname of your server match the PTR record assigned to its IP. This can only be changed by the owner of the IP address.

How do I change the DNS servers for the network interfaces on my Windows server

In Network Connections, right-click the local area connection, and then click Properties.
In Local Area Connection Properties, select Internet Protocol (TCP/IP), and then click Properties.
Click Use the following DNS server addresses, and in Preferred DNS server and Alternate DNS server, type the IP addresses of the preferred and alternate DNS servers.
To add more DNS servers, click the Advanced button.

How do I setup DNS for my domain?

There are three options available for DNS.

1. Resolve the DNS using dynamic services on your server. All you need to do is change the A record IP address to point to the IP address where you have setup the domain name. In this case, you can handle this all on your own without needing to contact us.

2. Setup your own nameservers. You can do this through your registrar. This is a bit more complicated and not recommended unless you thoroughly understand DNS.

3. Use our existing nameservers. Add the domain and set up the web site for the domain in question. Simply go to your registrar's control panel and enter ns1.nameservers.com and ns2.nameservers.com as the domain's nameservers. Once this has been completed, open a ticket with the domain you wish to enter into our nameservers. We will also need the IP address to point the domain to.

Highly recommend number 1. It's the easiest of the three and also provides you a point outside of the network to resolve domains. If your registrar is GoDaddy for example, they make it very easy to accomplish number 1 in the list above.

Error : "Fatal, neither ndc or rndc was found on this server"

If, when adding an entry for a hostname, you get the following error: "Fatal, neither ndc or rndc was found on this server"

SSH into your server and su to root. Then check your /etc/rndc.key file; it should have around 3 lines in it. If not, you will need to open your named.conf file and copy the 3 lines from the top pertaining to the rndc key. They should look like the following:

key "rndc-key" {

algorithm hmac-md5;

secret "xxxxxxxxxxxxxxxxxxxxxxxx";

};

and copy that into the rndc.key file. Once you have done that you will need to

run /scripts/fixndc

once you have done that you should be able to run rndc -s localhost status and see basic information such as:

number of zones: 6

debug level: 0

xfers running: 0

xfers deferred: 0

soa queries in progress: 0

query logging is OFF

recursive clients: 0/1000

tcp clients: 0/100

server is up and running

If you get an error about a file not found in /usr/local/etc/ you will need to create a symbolic link

ln -s /etc/rndc.key /usr/local/etc/rndc.key

Rebuild Apache for Cpanel

First login as 'root' via ssh to your server. Then run the following commands.

cd /scripts

./updatenow

./easyapache

You should then see a menu appear asking you which options you would like built into your apache install. Select number 1 - 4 and then wait a few minutes while the script downloads and rebuilds your apache. Once it has completed it will automatically restart Apache for you and you will then be able to use the new features.