ABHIONLINUX
Site useful for linux administration and web hosting

2010/12/23

PGsql database not showing in cpanel

Go to /var/lib/pgsql/data/pg_hba.conf and change 'md5' to 'trust'.
It should look like:
local all all trust
host all all 127.0.0.1 255.255.255.255 trust
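As an added check (example code, not part of the original post): after editing pg_hba.conf it is worth knowing exactly which rules now use trust, because a trust rule accepts the connection without asking for any password. The functions below list the method of every active rule and count the trust ones; the pg_hba.conf content they read is constructed for the demonstration, and `pg_hba_trust_count` is a name chosen here, not a PostgreSQL tool.

```shell
# Added example (not from the original post): list the auth method of every
# active pg_hba.conf rule and count the ones that use "trust". Sample file
# content is constructed and mixes the CIDR and netmask forms of a rule.
pg_hba_sample() {
  cat <<'EOF'
# TYPE  DATABASE  USER  CIDR-ADDRESS        METHOD
local   all       all                       trust
host    all       all   127.0.0.1/32        md5
host    all       all   127.0.0.1 255.255.255.255 trust
host    all       all   ::1/128             md5
EOF
}

# Print "TYPE DATABASE USER METHOD" for each non-comment rule. The method is
# always the last field, which copes with both the CIDR and the mask forms.
pg_hba_methods() {
  awk '$1 !~ /^#/ && NF >= 4 { print $1, $2, $3, $NF }' "$1"
}

# Number of rules whose method is trust (no password check at all).
pg_hba_trust_count() {
  pg_hba_methods "$1" | awk '$4 == "trust"' | wc -l | tr -d ' '
}

# Live use on a real server:
#   pg_hba_methods /var/lib/pgsql/data/pg_hba.conf
#   pg_hba_trust_count /var/lib/pgsql/data/pg_hba.conf
```

Run against the live file after the change above and you should see both rules reported as trust; anything else that shows up as trust was already there before the edit.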

2010/10/22

Error while installing Xdebug pecl module

[root@server ~]# pecl install xdebug

downloading xdebug-2.0.3.tgz ...
Starting to download xdebug-2.0.3.tgz (286,325 bytes)
...................................done: 286,325 bytes
66 source files, building
running: phpize
Configuring for:
PHP Api Version:         20041225
Zend Module Api No:      20060613
Zend Extension Api No:   220060519
building in /var/tmp/pear-build-root/xdebug-2.0.3
running: /root/tmp/pear/cache/xdebug-2.0.3/configure
checking for egrep... grep -E
checking for a sed that does not truncate output... /bin/sed
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... configure: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details.
ERROR: `/root/tmp/pear/cache/xdebug-2.0.3/configure' failed

FIX:
Execute the following commands:

[root@server ~]# cd /var/tmp/
[root@server ~]# rm -fr pear pear-build-root
[root@server ~]# ln -s /root/tmp/pear-build-root .
[root@server ~]# mkdir -p /root/tmp/pear/download

Then try to install the package again:

[root@server ~]# pecl install xdebug

It will now install correctly on the server.
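Added example, not part of the original post: configure's "cannot run C compiled programs" usually means the build directory sits on a filesystem mounted noexec (cPanel's securetmp does this to /tmp and /var/tmp), which is why the fix above relocates the build under /root/tmp. The check below finds the mount that contains a path and reports whether it carries noexec, so you can confirm the cause before (and after) moving the build directory. It works on /proc/mounts-style text passed as an argument; the sample text is constructed, and `path_is_noexec` and `build_dir_check` are names chosen here.

```shell
# Added example (not from the original post): report whether the mount
# holding a path is noexec. Mount table text is constructed below so the
# logic can be exercised offline; build_dir_check reads the live table.
mounts_sample() {
  cat <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/usr/tmpDSK /tmp ext3 rw,noexec,nosuid,loop=/dev/loop0 0 0
/tmp /var/tmp none rw,noexec,nosuid,bind 0 0
EOF
}

# Usage: path_is_noexec PATH MOUNTS_TEXT -> prints yes or no
# Picks the longest mount point that is a prefix of PATH (fields in
# /proc/mounts are: device mountpoint fstype options dump pass).
path_is_noexec() {
  printf '%s\n' "$2" | awk -v p="$1" '
    BEGIN { best = -1 }
    {
      mp = $2; opts = $4
      # mount point matches if it equals the path, is "/", or is a
      # directory prefix of the path
      if (p == mp || mp == "/" || index(p, (mp "/")) == 1) {
        if (length(mp) >= best) { best = length(mp); bestopts = opts }
      }
    }
    END {
      n = split(bestopts, o, ",")
      for (i = 1; i <= n; i++) if (o[i] == "noexec") { print "yes"; exit }
      print "no"
    }'
}

# Live check, e.g. build_dir_check /var/tmp/pear-build-root
build_dir_check() {
  path_is_noexec "$1" "$(cat /proc/mounts)"
}
```

On the server in the post, `build_dir_check /var/tmp/pear-build-root` answering yes and `build_dir_check /root/tmp/pear-build-root` answering no is exactly the situation the symlink works around.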

2010/10/20

Change exim interface IP address

We can change the exim interface IP by editing exim.conf.

1. Open exim.conf in a text editor:

vi /etc/exim.conf

2. Look for the following lines in exim.conf:
======================
remote_smtp:
  driver = smtp
  interface=
======================
Modify them as given below:
======================
remote_smtp:
  driver = smtp
  interface=xx.xx.xx.xx
======================
Replace xx.xx.xx.xx with your IP address.

3. Restart the exim service on the server:

/etc/init.d/exim restart
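The edit above as a scripted change (added example, not from the original post): the function validates that the value is a dotted-quad IPv4 address before touching anything, and changes only the `interface=` line inside the named transport block, so a second transport that also has an `interface=` line is left alone. The exim.conf text is constructed for the demonstration and the function names are chosen here; the real file is /etc/exim.conf.

```shell
# Added example (not from the original post): set "interface=" in one
# transport block of an exim.conf and print the result. Sample config is
# constructed; it has two transports to show the edit is block-scoped.
exim_conf_sample() {
  cat <<'EOF'
remote_smtp:
  driver = smtp
  interface=
dkim_remote_smtp:
  driver = smtp
  interface=
EOF
}

# Return 0 if $1 is four decimal octets in the range 0-255.
valid_ipv4() {
  echo "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Usage: set_exim_interface FILE IP [TRANSPORT]   (default remote_smtp)
# Prints the edited config to stdout; redirect it over the file once the
# output has been reviewed.
set_exim_interface() {
  file=$1; ip=$2; transport=${3:-remote_smtp}
  valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  awk -v t="$transport" -v ip="$ip" '
    # a line like "name:" opens a block; remember whether it is ours
    /^[A-Za-z0-9_]+:[ \t]*$/ { in_block = ($0 == (t ":")) }
    in_block && /^[ \t]*interface[ \t]*=/ { sub(/=.*$/, "=" ip) }
    { print }' "$file"
}

# Live use: set_exim_interface /etc/exim.conf 192.0.2.10 > /tmp/exim.conf.new
#           diff /etc/exim.conf /tmp/exim.conf.new
```

Reviewing the diff before copying the file into place and restarting exim keeps a mistyped address from leaving the transport bound to an IP the server does not own.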

2010/10/15

How to upload multiple files using FTP in command-line mode

You can use the lftp command to upload multiple files:

lftp hostname

> user ftpusername ftppassword
> mirror source destination       (download an entire directory)
> mirror -R source destination    (upload an entire directory)

Uploading error in WordPress: "Unable to create directory. Is its parent directory writable by the server?"

While uploading files such as plugins and themes, you may get the error "Unable to create directory /home/username/public_html/wp-content/uploads/2010/10. Is its parent directory writable by the server?"

This is due to changes in the server or host, or to upgrading to a new version.

First, check the upload file path:

1. Log in to wp-admin.
2. Click Settings --> Media --> "Store uploads in this folder".
   It will be something like /home/username/public_html/wp-content/uploads; change it to wp-content/uploads.

This should fix the issue. If it doesn't, check the folder permissions: change the permissions of wp-content and uploads to 777 and correct the ownership of all the files and folders.

2010/10/03

How to set the time zone in a VPS node (OpenVZ)

Below are the steps to set the time zone for a particular container on a VPS host.

1. Log in to the main node (SSH).
2. Stop the container whose time zone you want to set:
   # vzctl stop 777
   (777 = container ID)
3. Give the container the capability to change the system time:
   # vzctl set 777 --capability sys_time:on --save
4. Start the container and log in to it:
   # vzctl start 777
   # vzctl enter 777
5. Change the local time zone:
   # mv /etc/localtime /etc/localtime_bk
   # ln -s /usr/share/zoneinfo/America/Chicago /etc/localtime
6. Set the date:
   # date 100318312010
   The time has been set to 18:31 on 3rd Oct 2010
   (10 = month, 03 = day, 18 = hours, 31 = minutes, 2010 = year)

2010/09/25

Phpmotion: uploading a video asks to download a .pl file

When we try to upload videos into phpmotion, the browser asks to download uu_upload.pl.

If you are offered the upload script as a download instead of a video upload, it means that your site is not executing the script but serving it as a plain text document. What we have to do is make your site run .pl and .cgi files.

For this, check the permissions of the cgi-bin folder and the files inside it; they should be 755.

To make your .cgi and .pl files run on your site, add the following lines to your .htaccess:
===============================
AddHandler cgi-script .cgi .pl
Options +ExecCGI
===============================


2010/07/01

WordPress URL change: site not loading correctly

If your WordPress URL has changed, the site will not load correctly when you access the domain.
To fix this you need to change the values in the WordPress database.

First change the siteurl field in the wp_options table:

select * from wp_options where option_name="siteurl";

update wp_options SET option_value="http://newdomainname.com" where option_name="siteurl";

Then update the "home" field in the wp_options table:
select * from wp_options where option_name="home";
update wp_options SET option_value="http://newdomainname.com" where option_name="home";

Queueprocd failed

Usually you need to check the Perl modules installed on the server with /scripts/checkperlmodules.
Then /scripts/upcp should fix the issue.

If this does not fix the issue, it may be a problem with Perl itself.
Check whether there are two perl binaries on the server, for example:

/usr/bin/perl
/usr/local/bin/perl

Solution:
Remove /usr/bin/perl and create a symlink from it to /usr/local/bin/perl via:
ln -s /usr/local/bin/perl /usr/bin/perl

This is the proper setup for Perl to work properly with cPanel. Once this is fixed, run the following command:

/scripts/checkperlmodules --full

Upon testing, you will see that all Perl modules are now properly installed and Queueprocd is up.

2010/06/29

How to check whether the server is running SuExec

Log in to your server with the root login details and run the following command:

[root@server]# /usr/local/cpanel/bin/rebuild_phpconf --current

If the server is SuExec enabled, the result would look like:

DEFAULT PHP: 5
PHP4 SAPI: suphp
PHP5 SAPI: suphp
SUEXEC: enabled

If you are not comfortable with the shell, you can also check whether SuExec is enabled from WHM. Log in to WHM and in the menu find "Configure PHP and SuExec".

Check the drop-down box for "PHP 4/5 Handler": if beside it it says "suPHP", then your server is SuExec enabled.

If you do not have the server root login details or WHM access, you can create a PHP file under your account from cPanel >> File Manager, change the permissions on that file to 777 and open it in a browser. If it gives a 500 Internal Server Error, you are most probably running suPHP.

You can also create a phpinfo page under your account from cPanel >> File Manager, for example phpinfo.php, with the following code:

<?php phpinfo(); ?>

After creating the phpinfo.php page, browse to http://yourdomainname.com/phpinfo.php. If it shows

Server API = Apache, then the server is not running PHP in SuExec mode,

and if it shows

Server API = CGI, then the server is running PHP in SuExec mode.

2010/06/09

Limit the number of connections to a server using iptables

We can limit the number of concurrent connections per source address using the command below. This example rejects new SSH (port 22) connections from an address that already has more than 2 open:

iptables -I INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT

service iptables save

service iptables restart
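Added example, not the post's own code: the detection side of the connlimit rule above. It counts established TCP connections to a local port per remote address from "netstat -tn"-style output and lists the addresses over a threshold, so you can see which hosts the rule would affect before loading it, and confirm afterwards that none exceed the limit. The netstat lines are constructed; `conns_per_ip`, `over_limit` and `over_limit_live` are names chosen here.

```shell
# Added example (not from the original post): per-source connection counts
# for a port, from netstat -tn output. The sample output is constructed.
netstat_sample() {
  cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             203.0.113.7:51000       ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.7:51001       ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.7:51002       ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.4:40000      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51003       ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:40001      TIME_WAIT
EOF
}

# Usage: conns_per_ip PORT NETSTAT_TEXT -> "count address" lines, most first
conns_per_ip() {
  printf '%s\n' "$2" | awk -v port="$1" '
    $1 == "tcp" && $6 == "ESTABLISHED" {
      n = split($4, l, ":"); if (l[n] != port) next
      # strip the trailing :port from the foreign address, keeping any
      # colons that belong to an IPv6 address
      m = split($5, r, ":"); ip = r[1]
      for (i = 2; i < m; i++) ip = ip ":" r[i]
      count[ip]++
    }
    END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Usage: over_limit PORT LIMIT NETSTAT_TEXT -> addresses with more than LIMIT
over_limit() {
  conns_per_ip "$1" "$3" | awk -v lim="$2" '$1 > lim { print $2 }'
}

# Live use, matching the rule above: over_limit_live 22 2
over_limit_live() {
  over_limit "$1" "$2" "$(netstat -tn 2>/dev/null)"
}
```

Only ESTABLISHED sockets are counted, which is what connlimit counts too; TIME_WAIT entries from finished sessions are ignored.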

2010/06/05

OpenSSH Public Key Authentication

Public-key authentication is based on the use of digital signatures. Each user creates a pair of 'key' files: one is the user's public key and the other is the user's private key. The server knows the user's public key, and only the user has the private key.

When the user tries to authenticate, the server checks for a matching public key and sends a challenge to the user's end. The user is authenticated by signing the challenge with her private key.

Remember that your private key file is what authenticates you. Never expose your private keys. If anyone else can access your private key file, they can attempt to log in to the remote host as you and claim to be you. Therefore it is extremely important that you keep your private key file in a secure place and make sure that no one else has access to it.

Secure Shell (SSH) public key authentication is used so that clients can access servers without using passwords.

Steps to configure a public key

OpenSSH is the SSH software installed on the client system. ssh -V shows the OpenSSH version:

$ ssh -V
OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090702f

If sshd is running on a non-standard port, you need to supply the custom port. You can do so as follows:

$ ssh -p 1111 server.test.com
or
$ ssh -oPort=1111 server.test.com

An RSA key pair is generated on the client system. The public key will be provided to the server that is to be connected to, while the private key should remain in a secured area on the client system; by default it is ~/.ssh/id_rsa.
New keys can be generated using the command ssh-keygen:

client$ mkdir ~/.ssh
client$ chmod 700 ~/.ssh
client$ ssh-keygen -t rsa
Enter passphrase:
Enter same passphrase again:

File permissions should be restricted to prevent other users from being able to read the key pair. OpenSSH may refuse to use public key authentication if the file permissions are too open.

$ chmod -R 700 ~/.ssh

The public key must be copied to every server that will be accessed by the client. The public key data to be copied is in the ~/.ssh/id_rsa.pub file on the client, and must be appended to the ~/.ssh/authorized_keys file on the servers.

First upload the public key from the client to the server (the trailing colon puts it in root's home directory on the server):

client$ scp ~/.ssh/id_rsa.pub root@server.test.com:

Set up the public key on the server:

server$ mkdir ~/.ssh
server$ chmod 700 ~/.ssh
server$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
server$ chmod 600 ~/.ssh/authorized_keys

Always append new public key data to the authorized_keys file, as multiple public keys may be in use. Each public key entry must be on a separate line.

A "from" statement can be placed before a public key entry in the ~/.ssh/authorized_keys file on the server to limit where the client system is permitted to access the server from. Without a from restriction, any client with the appropriate private key data will be able to connect to the server from anywhere. To make the key pair work only if the client connecting to the server is a host under test.com, set from="*.test.com" before the public key data.

server$ cat ~/.ssh/authorized_keys
from="*.test.com" ssh-rsa AAAAB3NzaC1

Multiple hosts or addresses can be specified as comma-separated values:
from="*.test.com,external.example.com"
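An added audit for the server side of the steps above (example code, not from the original post): it parses an authorized_keys file, reports each entry as restricted or unrestricted depending on whether a from="..." option is present, flags entries that do not look like a valid key line, and checks the directory and file permissions that OpenSSH's StrictModes expects. The authorized_keys content is constructed and the key blobs are placeholders, not real keys; the function names are chosen here.

```shell
# Added example (not from the original post): audit an authorized_keys file
# and the permissions around it. Sample file content is constructed; the
# base64 blobs are placeholders, not real public keys.
authorized_keys_sample() {
  cat <<'EOF'
from="*.test.com" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7placeholder== admin@client
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholder2== backup@client
from="*.test.com,external.example.com",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder3 deploy@ci
# a comment line
ssh-dss notbase64!!! broken@host
EOF
}

# Print one line per entry: "<restricted|unrestricted> <type> <comment>",
# or "malformed <line>" when the entry does not parse. Options that contain
# spaces inside quotes (e.g. command="...") are not handled by this parser.
audit_authorized_keys() {
  awk '
    BEGIN { kt = "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$" }
    /^[ \t]*(#|$)/ { next }
    {
      # a line that starts with a key type carries no options field
      if ($1 ~ kt) { opts = ""; type = $1; key = $2; comment = $3 }
      else         { opts = $1; type = $2; key = $3; comment = $4 }
      if (type !~ kt || key !~ /^[A-Za-z0-9+\/]+=*$/) { print "malformed", $0; next }
      status = (opts ~ /(^|,)from="[^"]*"/) ? "restricted" : "unrestricted"
      print status, type, comment
    }' "$1"
}

# Number of keys usable from anywhere (no from= restriction).
unrestricted_key_count() {
  audit_authorized_keys "$1" | awk '$1 == "unrestricted"' | wc -l | tr -d ' '
}

# The permission check sshd applies under StrictModes: ~/.ssh must be 700
# and authorized_keys must not be group/world writable (600 here).
ssh_perms_ok() {
  [ "$(stat -c %a "$1")" = 700 ] && [ "$(stat -c %a "$1/authorized_keys")" = 600 ]
}

# Live use on the server: audit_authorized_keys ~/.ssh/authorized_keys
#                         ssh_perms_ok ~/.ssh && echo permissions ok
```

A non-empty unrestricted count is the list of keys that work from any source address, which is the situation the from= option in the post is there to avoid.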

2010/05/29

Video uploading throws error -- Failed to find flength file.

This is a well known error with the uploader component (which is commonly used by many scripts like clipshare, phpmotion etc). This is just a cosmetic error and nothing to do with the real uploading process. The best "workaround" for this issue is to disable the error message. To do so, locate the file cgi-bin/uu_ini_status.pl inside your script folder and change the value of my $flength_file_exists from 0 to 1.

The bad news is, you won't see the upload status counter. The good news is, your upload process will work just fine!

2010/05/28

PhpMotion Installation

If you want to run PHPmotion you will need either a dedicated server with the following required modules installed OR a web hosting provider that already has these features.

Servers - Linux/Unix server

  • PHP 4.3 and above (including support for CLI)
  • MySQL database server
  • LAME MP3 Encoder
  • Libogg + Libvorbis
  • Mencoder and also Mplayer
  • FFMpeg-PHP
  • GD Library 2 or higher
  • CGI-BIN

PHP Settings

  • open_basedir = (no value)
  • upload_max_filesize = 100M
  • post_max_size = 100M
  • max_execution_time = 1500
  • session.gc_maxlifetime = 14000
  • safe_mode = off
  • enable_dl = On

Apache Web Server

  • .htaccess support
  • mod_rewrite

You will need to have your MySQL database information. You can create a MySQL database via your web host's control panel:
- MySQL database name
- MySQL database user name
- MySQL database password

Downloading PHPmotion

You can download phpmotion from the URL
http://phpmotion.com/content/view/1/180/

General Instructions

  • Unzip the downloaded file
  • Upload (the contents) to your website using FTP
  • The following files MUST be uploaded in binary mode
    • /phpshield/all files in this folder
    • /classes/config.php
    • /addons/customprofile/pimp.class.php
    • /addons/customprofile/index.php
  • The following files must be CHMOD to 755
    • /cgi-bin/all files and folders in this folder
  • Start the installation wizard by opening http://www.yourdomain.com/setup in your browser (you will be required to chmod a few more files by the setup wizard)
The setup wizard will guide you through the rest of the installation process.

Additional Instructions

Installing to a Sub-Directory

If you are installing to a sub-directory (example: http://www.yourdomain.com/phpmotion) you should do all the steps above and also the additional steps below.

Edit the following files to include your subfolder name (in this example the subfolder name we have inserted is phpmotion):

  • /cgi-bin/uu_default_config.pm
  • /cgi-bin/audio/uu_default_config.pm

    temp_dir                 => $ENV{'DOCUMENT_ROOT'} . '/phpmotion/temp/',
    upload_dir               => $ENV{'DOCUMENT_ROOT'} . '/phpmotion/uploads/avi/',
    redirect_url             => '/phpmotion/uploader_finished.php',
    path_to_upload           => '/phpmotion/uploads/avi/',

  • /audio_uploader_conlib.php
  • /uploader_conlib.php

    $path_to_upload_script      = '/phpmotion/cgi-bin/uu_upload.pl';
    $path_to_ini_status_script  = '/phpmotion/cgi-bin/uu_ini_status.pl';

  • /.htaccess

    #----- if phpmotion is installed in a sub directory edit the RewriteBase as follows -----#
    # EXAMPLE => RewriteBase /phpmotion
    RewriteBase /

For troubleshooting common errors in phpmotion, see
http://wiki.phpmotion.com/CommonInstallationErrors

2010/05/21

Clipbucket video error: "This video might not work properly"

When we try to play an uploaded video in clipbucket, we get the error "This video might not work properly" at the top of the video. This is because the server is unable to convert that video. To solve this issue, we need to add a cron job under the user to convert the videos and verify the converted videos.

vi /var/spool/cron/abhilash
* * * * * php -q /relative/path/to/clipbucket/actions/video_convert.php
* * * * * php -q /relative/path/to/clipbucket/actions/verify_converted_videos.php

Then restart cron: /etc/init.d/crond restart

For any further clarification on clipbucket installation you can refer to the link:
http://docs.clip-bucket.com/clipbucket-docs/clipbucket-installation

2010/05/17

RVSkin installation on a cPanel server

SSH as root to the server that was registered while purchasing the license and run:
mkdir /root/rvadmin
cd /root/rvadmin
wget http://download.rvglobalsoft.com/download.php/download/rvskin-auto/saveto/rvauto.tar.bz2
bunzip2 -d rvauto.tar.bz2
tar -xvf rvauto.tar
perl /root/rvadmin/auto_rvskin.pl

Answer a couple of questions on your shell, and wait until it finishes. The first installation will take 2-5 minutes. The installer will create a new hosting account 'rvadmin'. Don't terminate it; it will be used for internal RVSkin configuration management.

Log in to RVSkin Manager. Both root and resellers are able to access RVSkin Manager in WHM / Plugins (at the bottom of the left menu). If you cannot find the RVSkin Manager menu, close WHM and open it again.
If no messages are displayed on the skin, run these commands over SSH:

rm -f /usr/local/cpanel/Cpanel/rvversion
perl /root/rvadmin/auto_rvskin.pl

In RVSkin Manager:

• Set global configuration
• Set default language
• Create default feature lists for users and for resellers
• Set tweak settings, reseller feature control, body links, top links, help, tutorial links, etc.
• Test configuration settings in 2 hosting accounts:
  • rvadmin: this account can be considered as belonging to root
  • reseller's client: this account will reflect settings from the reseller skin manager. If it is not configured, it will remain anonymous.

If you are having any issues installing rvskin, see
http://www.rvskin.com/index.php?page=public/installation_troubleshooting

2010/05/12

Send/receive email using Telnet

Send mail through SMTP using Telnet

Telnet to the server on port 25.

1. Type "EHLO example.com" and hit enter.

2. Type "MAIL FROM: sender@domain.com" and hit enter.

3. Type "RCPT TO: recipient@domain.com" and hit enter.

4. Type "DATA" and hit enter.

5. Type your message body and hit enter.

6. Key in "." on a line by itself and press enter to finish.

You will receive the mail.

==============================================
Example:

[root@test.com]# telnet 192.168.0.25 25
Trying 192.168.0.25...
Connected to 192.168.0.25 (192.168.0.25).
Escape character is '^]'.
220 test.tt.example.com ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 3 Apr 2008 15:39:17 +0800
EHLO Vsource.com
250-smtp11.klk.example.com Hello [192.168.0.192]
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-TURN
250-ATRN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250 OK
MAIL FROM: abhi@example.com
250 2.1.0 abhi@example.com....Sender OK
RCPT TO: abhi_tt@example.com
250 2.1.5 abhi_tt@example.com
DATA
354 Start mail input; end with .
this is a test over SMTP
.
250 2.6.0 Queued mail for delivery
quit
221 2.0.0 smtp11.klk.example.com Service closing transmission channel
Connection closed by foreign host.
[root@test.com]#

2010/04/21

How to set multiple IP addresses using the Linux command line

Go to /etc/sysconfig/network-scripts.
Make multiple copies of ifcfg-eth0 and name them ifcfg-eth0:0, ifcfg-eth0:1 etc.
Open each of them and at least change the IPADDR to your chosen IP address and the NETMASK to the subnet mask for that IP address.
A sample entry would look like this:

DEVICE=eth0:0
BOOTPROTO=static
IPADDR=34.123.111.21
NETMASK=255.255.255.0
ONBOOT=yes

Restart the network:
/sbin/service network restart
/etc/init.d/ipaliases restart (for cPanel servers)

If you have hundreds of IPs, the method above is impractical. In that case you can try the following method.

[root@server ~]# cd /etc/sysconfig/network-scripts/   - this is where the network settings are read from
[root@server network-scripts]# vi ifcfg-eth0-range0   - this will be the file where we define the new IP class (assuming that our main interface is called eth0)
Add this content to the file:

IPADDR_START=192.168.0.1
IPADDR_END=192.168.0.28
CLONENUM_START=1
NETMASK=255.255.255.240

Explanation:
IPADDR_START - the first IP of the class you want to add
IPADDR_END - the last IP of the class you want to add
CLONENUM_START - the number with which the virtual interfaces will start; this will create the virtual interfaces eth0:1 to eth0:28.
If you have more classes that you want to add, CLONENUM for the next class will start at 29.
NETMASK - the mask for the IP class
After all this has been added to the file and edited accordingly, just save and restart the network.
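Added example, not part of the original post: expand a range file's IPADDR_START, IPADDR_END and CLONENUM_START into the eth0:N aliases the network scripts will create, so the exact address-to-alias mapping can be reviewed (and a reversed or overlapping range caught) before the network is restarted. The range file content is constructed from the values above; `expand_range` and the helper names are chosen here and are not part of the network scripts.

```shell
# Added example (not from the original post): list the aliases an
# ifcfg-eth0-range0 file will produce. Sample file content is constructed.
range_file_sample() {
  cat <<'EOF'
IPADDR_START=192.168.0.1
IPADDR_END=192.168.0.28
CLONENUM_START=1
NETMASK=255.255.255.240
EOF
}

# Usage: expand_range FILE [IFACE] -> "eth0:N address" per line
expand_range() {
  awk -F= -v ifc="${2:-eth0}" '
    function ip2int(ip,   a) {
      split(ip, a, ".")
      return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    function int2ip(n) {
      return int(n / 16777216) % 256 "." int(n / 65536) % 256 "." \
             int(n / 256) % 256 "." n % 256
    }
    $1 == "IPADDR_START"   { s = ip2int($2) }
    $1 == "IPADDR_END"     { e = ip2int($2) }
    $1 == "CLONENUM_START" { c = $2 + 0 }
    END {
      if (e < s) { print "IPADDR_END precedes IPADDR_START" > "/dev/stderr"; exit 1 }
      for (n = s; n <= e; n++) { print ifc ":" c, int2ip(n); c++ }
    }' "$1"
}

# How many aliases the file creates, and the last one (handy when the next
# range file needs its CLONENUM_START chosen).
range_alias_count() { expand_range "$1" | wc -l | tr -d ' '; }
last_alias() { expand_range "$1" | tail -n1; }

# Live use: expand_range /etc/sysconfig/network-scripts/ifcfg-eth0-range0
```

For the values in the post the last line printed is eth0:28 192.168.0.28, which is why a second range file would start at CLONENUM_START=29.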

2010/04/20

Install and Configure the Cacti Network Graphing Tool

Cacti is a complete frontend to RRDTool: it stores all of the necessary information to create graphs and populate them with data in a MySQL database. The frontend is completely PHP driven. Along with being able to maintain graphs, data sources, and round robin archives in a database, cacti handles the data gathering. There is also SNMP support for those used to creating traffic graphs with MRTG.

Required software

You need to install the following software on RHEL / Fedora / CentOS Linux:
1. MySQL Server: stores cacti data.
2. NET-SNMP server: SNMP (Simple Network Management Protocol) is a protocol used for network management.
3. PHP with net-snmp module: access SNMP data using PHP.
4. Apache / lighttpd / nginx webserver: web server to display graphs created with PHP and RRDTool.
First, log in as the root user and type the following command to install MySQL, Apache and PHP:
# yum install mysql-server mysql php-mysql php-pear php-common php-gd php-devel php php-mbstring php-cli php-snmp php-pear-Net-SMTP php-mysql httpd

Configure MySQL server

First, set the root password:
# mysqladmin -u root password NEWPASSWORD

Create the cacti MySQL database
Create a database called cacti, enter:
# mysql -u root -p -e 'create database cacti'

Create a user called cacti with the password zYn95ph43zYtq, enter:
# mysql -u root -p
mysql> GRANT ALL ON cacti.* TO cacti@localhost IDENTIFIED BY 'zYn95ph43zYtq';
mysql> FLUSH privileges;
mysql> \q

Install snmpd

Type the following command to install net-snmpd:
# yum install net-snmp-utils php-snmp net-snmp-libs
Configure snmpd, open /etc/snmp/snmpd.conf:
# vi /etc/snmp/snmpd.conf

Append / modify it as follows (see the snmpd.conf man page for details):
com2sec local     localhost           public
group MyRWGroup v1         local
group MyRWGroup v2c        local
group MyRWGroup usm        local
view all    included  .1                               80
access MyRWGroup ""      any       noauth    exact  all    all    none
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root  (configure /etc/snmp/snmp.local.conf)
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
Save and close the file. Turn on the snmpd service:
# /etc/init.d/snmpd start
# chkconfig snmpd on

Make sure you are getting information from snmpd:
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex
Sample output:
IP-MIB::ipAdEntIfIndex.10.10.29.68 = INTEGER: 2
IP-MIB::ipAdEntIfIndex.67.yy.zz.eee = INTEGER: 3
IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1

Install cacti

First, make sure the EPEL repo is enabled. Type the following command to install cacti:
# yum install cacti

To install the EPEL repo:
http://www.cyberciti.biz/faq/rhel-fedora-centos-linux-enable-epel-repo/

Install cacti tables

Type the following command to find out the cacti.sql path:
# rpm -ql cacti | grep cacti.sql
Sample output:
/usr/share/doc/cacti-0.8.7d/cacti.sql
Type the following command to install the cacti tables (you need to type the cacti user password):
# mysql -u cacti -p cacti < /usr/share/doc/cacti-0.8.7d/cacti.sql

Configure cacti

Open the /etc/cacti/db.php file, enter:
# vi /etc/cacti/db.php
Make changes as follows:

/* make sure these values reflect your actual database/host/user/password */
$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cacti";
$database_password = "zYn95ph43zYtq";
$database_port = "3306";

Save and close the file.

Configure httpd

Open the /etc/httpd/conf.d/cacti.conf file, enter:
# vi /etc/httpd/conf.d/cacti.conf

You need to update the "Allow from" line. Either set it to ALL or to your LAN subnet to allow access to cacti:

#
# Cacti: An rrd based graphing tool
#
Alias /cacti    /usr/share/cacti

<Directory /usr/share/cacti/>
        Order Deny,Allow
        Deny from all
        Allow from 10.0.0.0/8
</Directory>

Another option is to create a /usr/share/cacti/.htaccess file and password protect the directory. Finally, restart httpd:
# service httpd restart

Setup cacti cronjob

Open the /etc/cron.d/cacti file, enter:
# vi /etc/cron.d/cacti
Uncomment the line:
*/5 * * * *     cacti   /usr/bin/php /usr/share/cacti/poller.php > /dev/null 2>&1
Save and close the file.

Run cacti installer

Now cacti is ready to install. Fire up a web browser and type the URL:
http://your.example.com/cacti/
OR
http://your.server.ip.address/cacti/

The default username and password for cacti is admin / admin. Upon first login, you will be forced to change the default password.

2010/04/10

Semaphore issue - unable to start Apache

Semaphores are used for communicating between the active processes of a certain application. In the case of Apache, they're used to communicate between the parent and child processes. If Apache can't write these down, then it can't communicate properly with all of the processes it starts.
I'd assume if you're reading this article, Apache has stopped running. Run this command as root:
# ipcs -s

If you see a list of semaphores, Apache has not cleaned up after itself, and some semaphores are stuck. Clear them out with this command:
# for i in `ipcs -s | awk '/httpd/ {print $2}'`; do (ipcrm -s $i); done
Now, in almost all cases, Apache should start properly. If it doesn't, you may just be completely out of available semaphores. You may want to increase your available semaphores, and you'll need to tickle your kernel to do so. Add this to /etc/sysctl.conf:
kernel.msgmni = 1024
kernel.sem = 250 256000 32 1024
And then run sysctl -p to pick up the new changes.
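A dry-run version of the clean-up loop above, added here as an example (not the post's own code): it parses "ipcs -s" output passed as text, selects the semaphore sets owned by the web server's user, and prints the ipcrm commands rather than running them, so the list can be reviewed before anything is removed. The ipcs output is constructed; `stale_sem_ids` and `sem_cleanup_plan` are names chosen here. As the post says, run the real clean-up only while Apache is stopped.

```shell
# Added example (not from the original post): plan, rather than perform,
# the removal of semaphore sets left behind by a stopped Apache. The ipcs
# output below is constructed; the owner column is whatever user httpd
# runs as on your system (apache, httpd, nobody, ...).
ipcs_sample() {
  cat <<'EOF'
------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 32768      apache     600        1
0x00000000 65537      apache     600        1
0x00000000 98306      root       600        1
0x00000000 131075     mysql      600        1
EOF
}

# Usage: stale_sem_ids OWNER IPCS_TEXT -> one semid per line
# Only rows whose second column is numeric are data rows; the banner and
# header lines are skipped that way.
stale_sem_ids() {
  printf '%s\n' "$2" | awk -v owner="$1" '$2 ~ /^[0-9]+$/ && $3 == owner { print $2 }'
}

# Usage: sem_cleanup_plan OWNER IPCS_TEXT -> "ipcrm -s ID" per line
sem_cleanup_plan() {
  stale_sem_ids "$1" "$2" | sed 's/^/ipcrm -s /'
}

# Live use: review first, then execute the reviewed plan
#   sem_cleanup_plan apache "$(ipcs -s)"
#   sem_cleanup_plan apache "$(ipcs -s)" | sh
```

Selecting by the owner column rather than by a loose /httpd/ match means a semaphore set belonging to root or mysql is never touched, even if its line happens to contain that string.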

2010/04/08

How to find the OS version in Linux

uname -a
cat /proc/version
cat /etc/issue

Distribution-specific release files:
/etc/redhat-release
/etc/debian_version
/etc/SuSE-release
/etc/slackware-version
/etc/gentoo-release

    2010/03/27

    Compilation of apache and php

    Apache 2 source distribution available from http://www.apache.org.
    PHP source distribution available from http://www.php.net/.
    For the compilation make and gcc must be installed in the server. If it is not installed you can download it and install from  ftp://mirrors.kernel.org/gnu/

    Before starting to compile Apache and PHP you must uninstall all previous Apache and PHP related RPMs installed on your system. To uninstall these packages you can use Red Hat Package Manager (rpm) utility. If you are using X Windows you can also use GUI utilities like gnorpm  and kpackge, if installed, to uninstall these RPMs.


    Compiling Apache

    Using shell, (or open a new virtual console window if working in X Windows) change to directory where you have downloaded Apache 2 source. In my case it is /usr/src.

    $ cd /usr/src
    $ gunzip httpd-2.0.44.tar.gz or gzip -d httpd-2.0.44.tar.gz
    $ tar -zxvf httpd-2.0.44.tar.gz
    $ cd /usr/src/httpd-2.0.44
    Now we have to configure apache for compilation.

    ./configure --help

    $ ./configure --prefix=/wwwroot --enable-so

    First option --prefix tells configure script that we want Apache to be installed in directory /wwwroot. If we don't provide a prefix option than it'll be installed in default location, which is /usr/local/apache2.

    I am installing everything in /wwwroot because:

       1. when a new version of PHP and Apache is released, I only have to rename /wwwroot directory to some other name like /wwwrootold and then I can install new versions in /wwwroot directory again. If new installation works properly then I can simply copy configuration files from old directory to /wwwroot.


       2. users new to compiling software from source, after compiling and installing it, try to find a way to uninstall the software. So, benefit of keeping everything at one place is; if someone wants to uninstall Apache and PHP then he just has to delete /wwwroot directory (After stopping Apache, if it is running).

    Second option --enable-so tells configure to enable module so, which allows Apache to load shared modules. We need this option because we are compiling PHP as Apache shared module.

    Example Apache configure command line looks like this. After configure finishes we have to compile Apache.
    make


    To compile Apache a utility called make is used. make reads a file named Makefile in the source directory. In the Makefile step by step instructions are written about how to compile the software. Benefit of using make is that if some of the source files are changed and we compile software again, then only files which are changed and files which depend on changed files are recompiled.

    To compile Apache source we have to issue this command in the Apache source directory (/usr/src/httpd-2.0.44):

    $ make

    When you type make It will start compiling Apache. It will take several minutes depending upon the speed of your computer. After make finishes, shell prompt is available. Now source has been compiled. We will use make install command to install Apache

    $ make install

    This will install Apache to /wwwroot directory. Now test your Apache installation by starting Apache:

    $ /wwwroot/bin/apachectl start

    If you are returned to shell prompt and no error etc. is displayed then Apache is started.

    Now you can open a web browser like lynx and visit Apache homepage:

    $ lynx http://localhost

    It'll show Apache homepage, where you can read Apache documentation to know more about Apache.

    To stop Apache you can use:

    $ /wwwroot/bin/apachectl stop


    Compiling PHP

    Change to directory where you have downloaded PHP source.

    $ cd /usr/src

    Then we have to extract PHP source files from php-4.3.0.tar.gz file.

    To decompress the compressed file use:

    $ gunzip php-4.3.0.tar.gz

    You will have a file named php-4.3.0.tar in your current directory. Now to extract its contents use:

    $ tar -xvf php-4.3.0.tar

    Both above steps can be completed by using this command:
    $ tar -zxvf php-4.3.0.tar.gz

    A new directory php-4.3.0 will be created in your current directory. For me its /usr/src/php-4.3.0.

    Now change to this directory:

    $ cd /usr/src/php-4.3.0

    Now we have to configure PHP for compilation process. There are hundreds of options which can be provided to configure script. These options include the option to specify where PHP should be installed, which functionality should be enabled, like functionality to access mysql databases from PHP and which extensions have to be compiled etc. To see a list of options supported by PHP configure, type:

    $ ./configure --help

    It'll show a list of all options supported by the version of PHP that you are using.

    Extensions provide functionality that core PHP does not. For example, the --with-gd option adds image creation. For an extension to work, the corresponding library must already be installed; if you pass a --with option for a library that is not on your system, configure fails. So my advice is not to enable any extension the first time.

    To compile PHP as an Apache shared module, provide the path to Apache's apxs utility, which in our case was installed in /wwwroot/bin/ along with Apache. In the PHP source directory (/usr/src/php-4.3.0) execute:

    $ ./configure --prefix=/wwwroot/php --with-apxs2=/wwwroot/bin/apxs --with-config-file-path=/wwwroot/php --with-mysql

    The first option, --prefix=/wwwroot/php, tells the configure script to install PHP in the /wwwroot/php directory. Otherwise it is installed in the default location (/usr/local).

    The second option, --with-apxs2, builds PHP as an Apache 2 shared module.

    The third option, --with-config-file-path, tells PHP to look for its php.ini file in /wwwroot/php. php.ini holds settings that configure PHP after installation, such as the directory where PHP extensions are installed, or max_execution_time, the maximum time a script may run before the PHP interpreter terminates it.

        {Note} Do not include the file name when using --with-config-file-path; only the directory where php.ini will live is given. So use --with-config-file-path=/wwwroot/php, not --with-config-file-path=/wwwroot/php/php.ini.

    The fourth option, --with-mysql, enables access to MySQL databases from PHP. You may optionally give the directory where MySQL is installed, as in --with-mysql=/usr/local/mysql; given without a directory, PHP 4 builds against the MySQL client library bundled with its own source. To actually use the MySQL functions you need a MySQL server to connect to; if you do not have one, you can drop this option.

    After configure finishes, type make to compile PHP:

    $ make

    It takes several minutes. If make finishes without errors, PHP has compiled successfully; warnings can normally be ignored.

    After this, if Apache is running stop Apache:

    $ /wwwroot/bin/apachectl stop

    Now you can execute make install from within PHP source directory to install PHP to /wwwroot/php directory:

    $ make install

    make install copies the PHP 4 module into Apache's modules directory (/wwwroot/modules) and adds a line like this:

    LoadModule php4_module modules/libphp4.so

    to the Apache configuration file (/wwwroot/conf/httpd.conf). This line makes Apache load the PHP module when it starts. If the PHP install did not add it (in my case it did not), add it yourself: search for the word LoadModule in /wwwroot/conf/httpd.conf, which appears under the section "Dynamic Shared Object (DSO) Support", and add the line above on a new line in that section.

    Now add another line to httpd.conf so that Apache hands files with the .php extension to the PHP parser. The parser reads the .php file, which contains PHP code blocks mixed with HTML tags and other text, executes the code blocks, and merges their output with the rest of the content as-is. The result goes back to Apache, which sends it to the browser that requested the file.

    The line to be added is:

    AddType application/x-httpd-php .php

    To add this line search for word AddType in httpd.conf file. There will be a line like this:

    AddType application/x-tar .tgz

    Below this line add (on a new line):

    AddType application/x-httpd-php .php

    You can map additional extensions to the PHP parser in the same way, for example:

    AddType application/x-httpd-php .phtml

    invokes the parser for any file with the .phtml extension. Be aware of how mod_mime treats names with several extensions: AddType matches the extension anywhere in the file name, so with the lines above a file uploaded as image.php.xyz, where .xyz has no type of its own, is also executed as PHP. On a server that accepts uploads, restrict PHP to names ending in .php with a FilesMatch block that uses SetHandler, instead of relying on AddType alone.

    Save this file and then start Apache:

    $ /wwwroot/bin/apachectl start
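The two httpd.conf edits above done as a script, as an added example rather than part of the original article. It inserts each line once, next to the anchor the text describes (the DSO section, the other AddType directives), so re-running it or a later PHP make install never leaves duplicate LoadModule or AddType lines, and it finishes with apachectl configtest so a typo is caught before the restart. Paths follow the article's /wwwroot layout; the awk and grep invocations are standard.

```sh
#!/bin/sh
# Added example (not from the article): idempotent httpd.conf edits for the
# PHP module, using the article's /wwwroot install prefix.

# Insert LINE after the first line of FILE matching ANCHOR (an awk regex),
# or at the end if no line matches. Does nothing if LINE is already present.
ensure_after() {  # $1 = file, $2 = anchor regex, $3 = exact line to add
    if grep -qxF -- "$3" "$1"; then
        return 0
    fi
    awk -v anchor="$2" -v line="$3" '
        { print }
        !done && $0 ~ anchor { print line; done = 1 }
        END { if (!done) print line }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# The module line belongs in the DSO section; the AddType line goes with the
# other AddType directives, as the text describes.
configure_php_module() {  # $1 = path to httpd.conf
    ensure_after "$1" '^# Dynamic Shared Object' \
        'LoadModule php4_module modules/libphp4.so'
    ensure_after "$1" '^AddType application/x-tar' \
        'AddType application/x-httpd-php .php'
}

# Syntax-check before restarting; a bad edit would otherwise take the site down.
apache_configtest() { /wwwroot/bin/apachectl configtest; }

# Usage: configure_php_module /wwwroot/conf/httpd.conf && apache_configtest
```

Run it against a copy of httpd.conf first if you are unsure; the edit is a plain text rewrite through a temporary file in the same directory.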



    Enabling some PHP extensions:

    A list of the core configure options supported by PHP is at http://www.php.net/manual/en/configure.php.

    For example, to create images from PHP you first need the gd library, installed from RPMs or compiled from source. Then pass --with-gd to configure to enable gd support:

    $ ./configure --prefix=/wwwroot/php --with-apxs2=/wwwroot/bin/apxs --with-config-file-path=/wwwroot/php --with-gd

        {Note} GD depends on other libraries to produce the various image formats, so libraries such as libpng, libjpeg and zlib have to be installed as well.





    2010/03/25

    Unable to upload large files via ftp

    Add the following lines to /etc/proftpd.conf:
    ================
    AllowRetrieveRestart on
    AllowOverwrite on
    AllowStoreRestart on
    ================
    Restart proftpd; this should fix the issue.


    2010/03/18

    Linux Server Security

    Following are the steps for securing cpanel servers:

    1. Sysctl Hardening
    http://www.eth0.us/sysctl

    2.Secure /tmp
    http://www.eth0.us/tmp

    3.LES Linux Environment Security
    Linux Environment Security is intended as a facility to quickly and easily secure RedHat/RPM based environments (i.e. Turbolinux, OpenLinux). It does so by enforcing root-only permissions on system binaries (binaries that normal users have no business executing), root-only traversal of system paths, the immutable bit on essential RPM package contents (e.g. coreutils), and the immutable bit on shell profile scripts.

    4.Removal of Insecure packages

    Check for packages that a web server does not need. rpm -qa lists all RPM packages installed on the server; from that list, remove the ones that are not required.
    Some common examples of unnecessary packages:
     mtools
    yp-tools
    redhat-config-nfs
    redhat-config-samba
    tftp-server
    ypserv
    redhat-config-printer-gui
    samba
    samba-swat
    cups
    gmp-devel
    ElectricFence
    doxygen
    XFree86-xfs
    redhat-config-printer
    cups-libs
    samba-common
    samba-client

    5.Firewall (CSF + LFD)
    6.AIDE (Advanced Intrusion Detection Environment)
    http://www.cs.tut.fi/~rammer/aide.html

    7. Logwatch Installation and configuration
    8. ClamAV (virus scanner) Installation with Exim on cPanel servers
    9. Installing chkrootkit
    10. LibSafe Installation

    Sender Policy Framework (SPF)

    Sender Policy Framework (SPF) is an e-mail validation system designed to prevent spam by addressing a common weakness, source address spoofing. SPF lets administrators specify which hosts are allowed to send e-mail for a domain by publishing an SPF policy in the public DNS. (The dedicated SPF record type shown below was later deprecated by RFC 7208; publish the same string as a TXT record.)

    example.org. IN SPF "v=spf1 a mx -all"

    "v=" defines the version of SPF used. The following words provide mechanisms to use to determine if a domain is eligible to send mail. The "a" and "mx" specify the systems permitted to send messages for the given domain. The "-all" at the end specifies that, if the previous mechanisms did not match, the message should be rejected.
    Mechanisms

    Eight mechanisms are defined:
    ALL     Matches always; used for a default result like -all for all IPs not matched by prior mechanisms.
    A     If the domain name has an address record (A or AAAA) that can be resolved to the sender's address, it will match.
    IP4     If the sender is in a given IPv4 address range, match.
    IP6     If the sender is in a given IPv6 address range, match.
    MX     If the domain name has an MX record resolving to the sender's address, it will match (i.e. the mail comes from one of the domain's mail servers).
    PTR     If the domain name (PTR record) for the client's address is in the given domain and that domain name resolves to the client's address (forward-confirmed reverse DNS), match.

    EXISTS     If the given domain name resolves to any address, match (no matter the address it resolves to). This is rarely used. Along with the SPF macro language it offers more complex matches like DNSBL-queries.

    INCLUDE     If the included (a misnomer) policy passes the test this mechanism matches. This is typically used to include policies of more than one ISP.

    Ext2 Vs ext3

    Ext3 is the next version of the ext2 filesystem with journaling added. Structurally it is implemented the same way as ext2 and uses the same on-disk data structures. The most important difference is the journal, which allows fast recovery after a crash: only the journal has to be replayed instead of checking the whole filesystem. Depending on the mount option, ext3 journals metadata only (the ordered and writeback modes) or both metadata and data (data=journal).

    Ext3 is slightly slower than ext2, because every metadata change is written to the journal first and then flushed to disk, but in exchange an unclean shutdown (a power failure, or someone switching the machine off before the filesystem is synced) no longer risks destroying the whole filesystem.

    Inode

    An inode is the data structure that holds a file's metadata in a Unix filesystem. Every file has one, identified by a unique inode number. The inode stores information such as user and group ownership, access mode (read, write, execute permissions), file type, size and timestamps, and where the file's data blocks are. The inode table is created when the filesystem is created.

    File names and directory implications:

        * Inodes do not contain file names, only file metadata.
        * Unix directories are lists of "link" structures, each of which contains one filename and one inode number.
        * The kernel must search a directory looking for a particular filename and then convert the filename to the correct corresponding inode number if the name is found.



    Load in the server

    Load :  Measure of the amount of work done by a computer systems.
    Load average : Average system load over a period of time.


    An idle computer has a load number of 0 and each process using or waiting for CPU adds to the load number by 1. Most UNIX systems count only processes in the running (on CPU) or runnable (waiting for CPU) states. However, Linux also includes processes in uninterruptible sleep states (usually waiting for disk activity), which can lead to markedly different results if many processes remain blocked in I/O  due to a busy or stalled I/O system. This, for example, includes processes blocking due to an NFS server failure or to slow media (e.g., USB 1.x storage devices). Such circumstances can result in an elevated load average, which does not reflect an actual increase in CPU use (but still gives an idea on how long users have to wait).

    Systems calculate the load average as the exponentially damped/weighted moving average of the load number. The three values of load average refer to the past one, five, and fifteen minutes of system operation.

    For single-CPU systems that are CPU-bound, one can think of load average as a percentage of system utilization during the respective time period. For systems with multiple CPUs, one must divide the number by the number of processors in order to get a comparable percentage.

    For example, one can interpret a load average of "1.73 0.50 7.98" on a single-CPU system as:

        * during the last minute, the CPU was overloaded by 73% (1 CPU with 1.73 runnable processes, so that 0.73 processes had to wait for a turn)
        * during the last 5 minutes, the CPU was underloaded 50% (no processes had to wait for a turn)
        * during the last 15 minutes, the CPU was overloaded 698% (1 CPU with 7.98 runnable processes, so that 6.98 processes had to wait for a turn)

    This means that this CPU could have handled all of the work scheduled for the last minute if it were 1.73 times as fast, or if there were two (1.73 rounded up) times as many CPUs, but that over the last five minutes it was twice as fast as necessary to prevent runnable processes from waiting their turn.

    In a system with four CPUs, a load average of 3.73 would indicate that there were, on average, 3.73 processes ready to run, and each one could be scheduled into a CPU.
     
    On Linux, the load average is not recomputed on every clock tick. A counter derived from the HZ setting is decremented on each tick, and the averages are updated when it expires. (HZ is the kernel's timer tick rate; with HZ=100, one tick is 10 ms.) HZ is configurable in some kernel versions, but in the kernels this code comes from it is normally 100. The timer.c:calc_load() function runs the averaging every 5 * HZ ticks, i.e. roughly every five seconds. Here is that function in its entirety:
    unsigned long avenrun[3];
     
    static inline void calc_load(unsigned long ticks)
    {
       unsigned long active_tasks; /* fixed-point */
       static int count = LOAD_FREQ;
     
       count -= ticks;
       if (count < 0) {
          count += LOAD_FREQ;
          active_tasks = count_active_tasks();
          CALC_LOAD(avenrun[0], EXP_1, active_tasks);
          CALC_LOAD(avenrun[1], EXP_5, active_tasks);
          CALC_LOAD(avenrun[2], EXP_15, active_tasks);
       }
    }
    The avenrun array contains 1-minute, 5-minute and 15-minute average. The CALC_LOAD macro and its associated values are defined in sched.h :
    #define FSHIFT   11           /* nr of bits of precision */
    #define FIXED_1  (1<<FSHIFT)  /* 1.0 as fixed-point */
    #define LOAD_FREQ (5*HZ)      /* 5 sec intervals */
    #define EXP_1  1884           /* 1/exp(5sec/1min) as fixed-point */
    #define EXP_5  2014           /* 1/exp(5sec/5min) */
    #define EXP_15 2037           /* 1/exp(5sec/15min) */

    #define CALC_LOAD(load,exp,n) \
       load *= exp; \
       load += n*(FIXED_1-exp); \
       load >>= FSHIFT;
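The CALC_LOAD arithmetic redone in shell integer math, as an added example (not kernel code), so the fixed-point behaviour can be watched on constructed input: a constant number of runnable tasks sampled every five seconds. Two things become visible that the prose only hints at. Because the average is exponentially damped, after a full minute of exactly two runnable tasks the "1-minute" figure reads about 1.26, not 2.00 (one time constant reaches roughly 63% of the target), and it takes several minutes to close the gap. And because the shift truncates, the old code never quite reaches 2.00 under a steady load of two; later kernels round upward when the load is rising. FSHIFT, FIXED_1 and the EXP constants are the kernel's own values from above.

```sh
#!/bin/sh
# Added example (not kernel code): the CALC_LOAD macro above, simulated.
FSHIFT=11
FIXED_1=$(( 1 << FSHIFT ))        # 2048 represents 1.0
EXP_1=1884; EXP_5=2014; EXP_15=2037

# One CALC_LOAD step. load and n are fixed-point; n is the number of
# active tasks times FIXED_1, which is what count_active_tasks() returns.
calc_load() {  # $1 = load, $2 = exp, $3 = n
    echo $(( ($1 * $2 + $3 * (FIXED_1 - $2)) >> FSHIFT ))
}

# Render a fixed-point load the way /proc/loadavg prints it: integer part,
# then the fractional part scaled to two decimals (LOAD_INT / LOAD_FRAC).
fmt_load() {
    printf '%d.%02d\n' $(( $1 >> FSHIFT )) $(( (($1 & (FIXED_1 - 1)) * 100) >> FSHIFT ))
}

# Run TICKS five-second samples with TASKS runnable tasks the whole time;
# prints avenrun[0] avenrun[1] avenrun[2] in fixed-point.
simulate() {  # $1 = runnable tasks, $2 = number of 5-second ticks
    n=$(( $1 * FIXED_1 )); l1=0; l5=0; l15=0; i=0
    while [ "$i" -lt "$2" ]; do
        l1=$(calc_load "$l1" "$EXP_1" "$n")
        l5=$(calc_load "$l5" "$EXP_5" "$n")
        l15=$(calc_load "$l15" "$EXP_15" "$n")
        i=$(( i + 1 ))
    done
    echo "$l1 $l5 $l15"
}

# Usage: set -- $(simulate 2 12); fmt_load "$1"; fmt_load "$2"; fmt_load "$3"
# (one minute at two tasks: the 1-minute figure is still well below 2.00,
#  and the 5- and 15-minute figures lag further behind)
```

The practical reading: a load average that is still climbing means the pressure is more recent than the window suggests, and the three numbers are in effect three low-pass filters over the same signal, not three plain averages.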

    2010/02/26

    How to enable tun/tap device with nat

    OpenVZ supports VPNs inside a container via the kernel TUN/TAP module and device. To allow container 101 to use the TUN/TAP device, do the following:

    Make sure the tun module has been already loaded on the hardware node:

    # lsmod | grep tun

    If it is not listed, load the tun module:
    # modprobe tun

    To have the tun module loaded automatically on every reboot, add it either to /etc/modules.conf (on RHEL see the /etc/sysconfig/modules/ directory) or to /etc/sysconfig/vz-scripts/CTID.mount (echo 'modprobe tun' >> /etc/sysconfig/vz-scripts/CTID.mount).

    Granting the container access to TUN/TAP

    Allow your container to use the tun/tap device by running the following commands on the host node:

    vzctl set 101 --devices c:10:200:rw --save
    vzctl set 101 --capability net_admin:on --save

    And create the character device file inside the container (execute the following on the host node):

    vzctl exec 101 mkdir -p /dev/net
    vzctl exec 101 mknod /dev/net/tun c 10 200
    vzctl exec 101 chmod 600 /dev/net/tun

    Configuring VPN inside container

    After the configuration steps above are done it is possible to use VPN software working with TUN/TAP inside container just like on a usual standalone linux box.

    The following software can be used for VPN with TUN/TAP:

    * Virtual TUNnel (http://vtun.sourceforge.net)
    * OpenVPN (http://openvpn.net)

    If NAT is needed inside the container (VE), an error occurs on attempts to use it:

    # iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE

    2010/01/26

    How to add a new hdd to linux server.

    Run fdisk -l; the new hard disk connected to the server appears in the output.

    For example:
    ----------------------------------------------------
    Disk /dev/sda: 1500.3 GB, 1500301910016 bytes
    255 heads, 63 sectors/track, 182401 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1   *           1          13      104391   83  Linux
    /dev/sda2              14      182401  1465031610   8e  Linux LVM

    Disk /dev/sdb: 1500.3 GB, 1500301910016 bytes
    255 heads, 63 sectors/track, 182401 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

    Disk /dev/sdb doesn't contain a valid partition table
    -------------------------------------------------------

    Then create a partition on the new disk with fdisk /dev/sdb. Press n for a new partition and p for a primary partition (the transcript below shows e, which would create an extended partition that cannot hold a filesystem directly), choose partition number 1, accept the default first and last cylinders, then press w to write the partition table.

    ------------------------------------------------------
    Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
    Building a new DOS disklabel. Changes will remain in memory only,
    until you decide to write them. After that, of course, the previous
    content won't be recoverable.


    The number of cylinders for this disk is set to 182401.
    There is nothing wrong with that, but this is larger than 1024,
    and could in certain setups cause problems with:
    1) software that runs at boot time (e.g., old versions of LILO)
    2) booting and partitioning software from other OSs
       (e.g., DOS FDISK, OS/2 FDISK)
    Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)


    Command (m for help): n
    Command action
       e   extended
       p   primary partition (1-4)
    e
    Partition number (1-4):
    Value out of range.
    Partition number (1-4): 1
    First cylinder (1-182401, default 1):
    Using default value 1
    Last cylinder or +size or +sizeM or +sizeK (1-182401, default 182401):
    Using default value 182401

    Command (m for help): w
    The partition table has been altered!

    Calling ioctl() to re-read partition table.
    Syncing disks.

    ----------------------------------

    Then create a filesystem on the new partition:
    mkfs -t ext3 /dev/sdb1  or mkfs.ext3 /dev/sdb1

    ------------------------------------------
    [root@localhost ~]# mkfs.ext3 /dev/sdb1
    mke2fs 1.39 (29-May-2006)
    Filesystem label=
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    183091200 inodes, 366181585 blocks
    18309079 blocks (5.00%) reserved for the super user
    First data block=0
    Maximum filesystem blocks=0
    11175 block groups
    32768 blocks per group, 32768 fragments per group
    16384 inodes per group
    Superblock backups stored on blocks:
            32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
            4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
            102400000, 214990848

    Writing inode tables: done
    Creating journal (32768 blocks): done
    Writing superblocks and filesystem accounting information:
    done

    This filesystem will be automatically checked every 32 mounts or
    180 days, whichever comes first.  Use tune2fs -c or -i to override.
    ---------------------------------------------

    Then mount the new filesystem on the directory /home1 (create the directory first if it does not exist):

    mount /dev/sdb1 /home1

    This mount does not survive a reboot; add an entry for /dev/sdb1 and /home1 to /etc/fstab to have it mounted at boot.

    2010/01/25

    Exim : 451 The server has reached its limit for processing requests from your host. Please try again later.

    451-The server has reached its limit for processing requests from your host.
    451 Please try again later.

    This is probably Exim's rate limiting; add your servers' IPs to the whitelist in WHM > Exim Configuration.

    Also check the value of 'Maximum Emails a Domain Can Send In 1 Hour' in WHM > Tweak Settings.

    For "retry time not reached for any host after a long failure period", expire the retry and wait-remote_smtp hints databases (records older than ten minutes are removed):

    exim_tidydb -t 10m /var/spool/exim retry
    exim_tidydb -t 10m /var/spool/exim wait-remote_smtp

    2010/01/24

    How to create a swap file

    To add a swap file:

    1. Decide the size of the new swap file in megabytes and multiply by 1024 to get the number of 1 KB blocks. For example, a 64 MB swap file needs 65536 blocks.
    2. At a shell prompt as root, run dd with count equal to that number of blocks:
      dd if=/dev/zero of=/swapfile bs=1024 count=65536
      
    3. Make the file readable and writable by root only (mode 0600); swapon warns about a world-readable swap file, and paged-out memory can contain passwords and keys. Then set up the swap area:
      mkswap /swapfile
      
    4. To enable the swap file immediately, but not automatically at boot time:
      swapon /swapfile
      
    5. To enable it at boot time, add the following entry to /etc/fstab:
      /swapfile swap swap defaults 0 0
      
      The next time the system boots, it enables the new swap file.
    6. After adding and enabling the swap file, verify it is active with cat /proc/swaps or free.
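The procedure above as a script, as an added example that is not part of the original post. It adds the permission step the checklist leaves out and makes the fstab entry idempotent, so running it twice does not produce two lines. Creating and enabling the swap needs root and is only shown; the block-count, permission and fstab helpers run anywhere. GNU stat is assumed for the mode check.

```sh
#!/bin/sh
# Added example (not from the post): swap file creation with the permission
# fix and a one-time fstab entry.

# Number of 1 KiB blocks (the dd count) for SIZE_MB megabytes
swap_blocks() { echo $(( $1 * 1024 )); }

# A swap file holds whatever was paged out of RAM, secrets included, so only
# root may read it. True if PATH is a regular file with mode 0600 (GNU stat).
swapfile_perms_ok() {  # $1 = path
    [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = 600 ]
}

# Append the fstab line only if no entry for this path exists yet
fstab_add_swap() {  # $1 = swap file path, $2 = fstab file
    grep -q "^$1[[:space:]]" "$2" || printf '%s swap swap defaults 0 0\n' "$1" >> "$2"
}

# Steps 1 to 5 of the procedure; requires root.
create_swapfile() {  # $1 = path, $2 = size in MB
    [ "$(id -u)" -eq 0 ] || { echo "create_swapfile: run as root" >&2; return 1; }
    dd if=/dev/zero of="$1" bs=1024 count="$(swap_blocks "$2")" || return 1
    chmod 600 "$1"
    swapfile_perms_ok "$1" || return 1
    mkswap "$1" || return 1
    swapon "$1" || return 1
    fstab_add_swap "$1" /etc/fstab
}

# Usage: create_swapfile /swapfile 64 && cat /proc/swaps
```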

    TCP vs UDP

    TCP:


    Reliability: TCP is a connection-oriented protocol. Data you send is delivered unless the connection fails; lost or corrupted segments are detected through sequence numbers and checksums, the receiver acknowledges what it has, and the sender retransmits what is missing, so the application sees the data intact and complete.

    Ordered: If you send two messages along a connection, one after the other, you know the first message will get there first. You don't have to worry about data arriving in the wrong order.

    Heavyweight: when the low-level segments of a TCP stream arrive out of order, retransmissions have to be requested and the out-of-sequence parts put back together, which takes work at both ends.

    Streaming: Data is read as a "stream," with nothing distinguishing where one packet ends and another begins. There may be multiple packets per read call.

    Examples: World Wide Web (Apache TCP port 80), e-mail (SMTP TCP port 25 Postfix MTA), File Transfer Protocol (FTP port 21) and Secure Shell (OpenSSH port 22) etc.

    UDP:

    Reliability: UDP is a connectionless protocol. When you send a datagram you do not know whether it arrives; it may be lost on the way. UDP does carry a checksum, so a datagram corrupted in transit is discarded rather than delivered, but nothing retransmits it.

    Ordered: If you send two messages out, you do not know in what order they will arrive; there is no ordering.

    Lightweight: No ordering of messages, no tracking connections, etc. It's just fire and forget! This means it's a lot quicker, and the network card / OS have to do very little work to translate the data back from the packets.

    Datagrams: Packets are sent individually and are guaranteed to be whole if they arrive. One packet per one read call.

    Examples: Domain Name System (DNS UDP port 53), streaming media applications such as IPTV or movies, Voice over IP (VoIP), Trivial File Transfer Protocol (TFTP) and online multiplayer games etc

    Simple steps for SSH Server Hardening.

    SSH server hardening is one part of securing your server. Follow these steps to secure SSH.

    root@server[~]#pico /etc/ssh/sshd_config
    Uncomment #Protocol 2,1
    Change it to Protocol 2
    Append these lines to the bottom:
    LoginGraceTime 120
    IgnoreRhosts yes
    X11Forwarding no

    Save the file and restart the SSH service.
    root@server[~]#/etc/rc.d/init.d/sshd restart

    Note : SSH protocol 1 servers are the target of many automated attacks and rootkits. To step up security, only protocol 2 should be enabled on the server; it is far more secure than protocol 1. (Current OpenSSH releases have removed protocol 1 support entirely, so on an up-to-date server this directive is no longer needed.)
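The same edits scripted so they can be re-run safely, as an added example that is not the post's own. The detail that matters is that sshd uses the first occurrence of a directive it finds in the file: appending Protocol 2 at the bottom while an uncommented Protocol 2,1 remains higher up has no effect. The helper therefore rewrites the existing line, commented or not, and only appends when the directive is absent. GNU sed -i is assumed; directives inside Match blocks are rewritten like any other line, which is a simplification.

```sh
#!/bin/sh
# Added example (not from the post): idempotent sshd_config edits.

# Set a directive: rewrite the existing line for KEY (active or commented
# out with #) or append "KEY VALUE" if there is none.
sshd_set() {  # $1 = config file, $2 = directive, $3 = value
    if grep -Eq "^[#[:space:]]*$2([[:space:]]|$)" "$1"; then
        sed -i -E "s|^[#[:space:]]*$2([[:space:]].*)?\$|$2 $3|" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# Effective value of a directive: the first active occurrence wins, as in sshd
sshd_get() {  # $1 = config file, $2 = directive
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# The four changes from the steps above
harden_sshd() {  # $1 = config file
    sshd_set "$1" Protocol 2
    sshd_set "$1" LoginGraceTime 120
    sshd_set "$1" IgnoreRhosts yes
    sshd_set "$1" X11Forwarding no
}

# Validate before restarting: sshd -t exits non-zero on a broken config,
# which is far better than finding out after the restart with no way back in.
sshd_check() { sshd -t -f "$1"; }

# Usage: harden_sshd /etc/ssh/sshd_config && sshd_check /etc/ssh/sshd_config && /etc/rc.d/init.d/sshd restart
```

Keep an existing SSH session open while you restart; if sshd_check passes but something else is wrong, that session is your way to undo the change.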

    2010/01/22

    Basic sed tricks

    1. What is sed? - sed is a stream editor, a Unix tool for working with streams of text data. See the awful truth about sed.
    2. How do you substitute strings with sed? - Use the 's/old/new/' command, so sed 's/hello/goodbye/' substitutes the first occurrence of hello on each line with goodbye.
    3. How do you inject text with sed? - In the replacement, & stands for the text the pattern matched. For example, to find the word hello at the start of a line and replace it with 'hello and how are you':
           echo 'hello there' | sed 's/^hello/& and how are you/'
    4. Can I find several patterns and refer to them in the replacement string? - Yes, group them with \( pattern \) (or ( pattern ) with sed -E) and refer to the groups as \1, \2, \3 and so on.
    5. If the string is 'old old old' and I run 's/old/new/', I get 'new old old' as the result. I need 'new new new'. - You forgot the global flag, which replaces every occurrence of the pattern: 's/old/new/g' will work.
    6. But I want 'old old new' from the previous example. - Use the numeric flag to replace only the third occurrence: 's/old/new/3' will work.
    7. I wrote a rather complex sed script. How do I save and run it? - Assuming the file is named myscript1.sed, invoke sed -f myscript1.sed.
    8. How do I delete trailing whitespace from each line? - sed 's/[ \t]*$//' replaces any run of spaces or tabs at the end of the line with nothing (\t inside brackets is a GNU sed extension). Check sed one-liners for more examples.
    9. How do you print just the first few lines of a file? - sed 1q gives you just the first line, sed 10q the first 10 lines.
    10. How do you apply a replacement only to lines that contain the pattern, so that it runs faster? - Prefix the substitution with an address: sed '/old/ s/old/new/g' file.txt
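The one-liners above applied to a couple of constructed log lines, as an added example that is not part of the original post. Functions wrap items 3, 4, 6, 8, 9 and 10; the IP-masking function puts the back-reference of item 4 to a use a sysadmin actually has, anonymising addresses before a log is shared. The sample lines are made up, and the \t inside brackets relies on GNU sed.

```sh
#!/bin/sh
# Added example (not from the post): the sed tricks above on sample data.

# Constructed sample log lines for the demonstrations (not real traffic)
sample_log() {
    printf '%s\n' \
        'Jan 22 10:01:02 host sshd[123]: Failed password for root from 203.0.113.7 port 5222 ssh2' \
        'Jan 22 10:01:05 host sshd[124]: Accepted password for alice from 198.51.100.9 port 5300 ssh2'
}

# Item 3: & stands for whatever the pattern matched
greet() { sed 's/^hello/& and how are you/'; }

# Item 4: a group in \( \) is reused as \1; here it keeps the first three
# octets of every IPv4 address and masks the last, 203.0.113.7 -> 203.0.113.x
mask_ips() { sed 's/\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)\.[0-9]\{1,3\}/\1.x/g'; }

# Item 6: the numeric flag replaces only the Nth occurrence on each line
nth() { sed "s/$1/$2/$3"; }  # $1 = pattern, $2 = replacement, $3 = N

# Item 8: strip trailing spaces and tabs (\t in brackets is GNU sed only)
strip_trailing() { sed 's/[ \t]*$//'; }

# Item 9: quit after N lines; sed stops reading instead of scanning the file
first_n() { sed "${1}q"; }

# Item 10: an address restricts the substitution to lines that match it
tag_failures() { sed '/Failed password/ s/$/ [ALERT]/'; }

# Usage: sample_log | tag_failures | mask_ips
```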

    How to assign a range of IP's to server

    Create the file /etc/sysconfig/network-scripts/ifcfg-eth0-range0 with the following entries. IPADDR_START and IPADDR_END bound the range of addresses added as aliases of eth0, and CLONENUM_START is the number of the first alias (eth0:1). If the netmask is 255.255.255.0, the .0 address is the network address and should not be assigned to the interface; start the range at the first usable host address instead.

    IPADDR_START=192.168.0.0
    IPADDR_END=192.168.0.100
    CLONENUM_START=1

    Save it and restart network
    /etc/init.d/network restart

    2010/01/20

    Mbox vs Maildir: Mail Storage Formats

    The Unix world has two ways of storing mail messages, the traditional mbox format and the newer Maildir format. Postfix and Dovecot support both formats, so you can use either, but I highly recommend Maildir.

    Mbox Format: 

    This is the traditional way of storing mail messages in the Unix world. In this format, a regular text file which serves as the mail user’s mailbox file is created.

    How Mbox works
    Receiving and storing a mail

       1. Lock the mailbox.
       2. Append the header (usually “From [sender's email address] [date and time received]“) and the mail into the mailbox file.
       3. Unlock the mailbox.

    Retrieving a mail

       1. Lock the mailbox.
       2. Locate and read the mail.
       3. Update the mail status flag.
       4. Unlock the mailbox.

    Deleting a mail

       1. Lock the mailbox.
       2. Move the contents of the mailbox, beginning from the position right after the mail to be deleted until the end of the mailbox, into the position of the mail to be deleted.
       3. Reduce the size of the mailbox file by the size of the deleted mail.
       4. Unlock the mailbox.

    Searching a mail

       1. Lock the mailbox.
       2. Search the mailbox.
       3. Unlock the mailbox.


    Advantages

        * Format is universally supported.
        * Appending a new mail into the mailbox file is fast.
        * Searching text inside a single mailbox file is fast.

    Disadvantages

        * Has file locking problems.
        * Has problems when used with network file systems.
        * Format is prone to corruption.

    The Maildir Format

    This is a newer way of storing mail messages. In this format, a directory usually named Maildir is created for each mail user.
    Under this directory are three more directories named new, cur and tmp.

    How Maildir works
    Receiving and storing a mail

       1. Create a unique file in the tmp directory.
       2. Write the mail into the newly created file.
       3. Move the completely written mail into the new directory.

    Retrieving a mail

       1. Locate and read the mail.
       2. Move the mail from new into the cur directory and append the mail status flag into the filename.

    Deleting a mail

       1. Delete the file containing the mail.

    Searching a mail

       1. Search each and every mail file.


    Advantages

        * Locating, retrieving and deleting a specific mail is fast.
        * Minimal to no file locking needed.
        * Can be used on network file system.
        * Immune to mailbox corruption (assuming the hardware will not fail).

    Disadvantages

        * Some filesystems may not efficiently handle a large number of small files.
        * Searching text, which requires all mail files to be opened is slow.
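The tmp, then new, then cur sequence described above as an added example in shell, not code from the post: a minimal Maildir delivery agent that shows why the format needs no locking. Each message is its own file, and every state change is a rename, which is atomic within one filesystem, so a reader listing new/ never sees a half-written message. mktemp guarantees a unique name in tmp/; real delivery agents build the name from the time, PID and hostname. The Maildir path and messages are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the post): Maildir delivery, retrieval and deletion.

# Create the three Maildir subdirectories
maildir_init() { mkdir -p "$1/tmp" "$1/new" "$1/cur"; }

# Deliver a message read from stdin. The whole message is written under tmp/
# and only then renamed into new/; rename(2) is atomic on one filesystem, so
# concurrent readers and writers need no lock.
maildir_deliver() {  # $1 = Maildir path; prints the delivered filename
    tmpfile=$(mktemp "$1/tmp/$(date +%s).P$$.XXXXXX") || return 1
    name=${tmpfile##*/}
    cat > "$tmpfile" || return 1
    mv "$tmpfile" "$1/new/$name" || return 1
    echo "$name"
}

# Retrieval: move the file from new/ to cur/ and record the status flag in
# the filename (":2,S" means seen). Again a rename, nothing else is rewritten.
maildir_mark_seen() {  # $1 = Maildir path, $2 = filename in new/
    mv "$1/new/$2" "$1/cur/$2:2,S"
}

# Deletion is a single unlink of the file holding that message
maildir_delete() { rm -f "$1/cur/$2"; }  # $1 = Maildir path, $2 = filename in cur/

# Number of messages in a subfolder (new, cur or tmp)
maildir_count() { ls "$1/$2" | wc -l | tr -d ' '; }

# Usage: maildir_init ~/Maildir; printf 'Subject: hi\n\nhello\n' | maildir_deliver ~/Maildir
```

Contrast this with the mbox steps above: deleting an mbox message rewrites everything after it in the file while holding a lock, which is exactly the operation that goes wrong over NFS or on an interrupted write.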

    Unable to start apache: "pid file /usr/local/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run? semget: No space left on device"

    If you are unable to start Apache and the error log shows:
    [Sat Oct 10 00:11:01 2008] [warn] pid file /usr/local/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
    semget: No space left on device

    it means the system has no free semaphore arrays left for Apache. A semaphore is a kernel IPC object whose value several processes can test and set to coordinate with each other; Apache uses semaphores for locking between its worker processes, and when Apache dies uncleanly they are not released.
    You can list the semaphore arrays on your server with:

    ipcs -s

    It results

    ------ Semaphore Arrays --------
    key semid owner perms nsems
    0x00000000 360448 nobody 600 1
    0x00000000 393217 nobody 600 1
    0x00000000 425986 nobody 600 1
    0x00000000 458755 nobody 600 1
    0x00000000 524292 nobody 600 1
    0x00000000 1114117 nobody 600 1
    0x00000000 1441798 nobody 600 1
    0x00000000 3604487 nobody 600 1
    0x00000000 3702792 nobody 600 1
    0x00000000 3768329 nobody 600 1
    0x00000000 6422538 nobody 600 1
    0x00000000 7077899 nobody 600 1

    If you see a long list owned by the Apache user (nobody here), those semaphores are stale. Make sure Apache is fully stopped, since the loop removes every semaphore owned by that user, then clear them:

    for i in $(ipcs -s | awk '/nobody/ {print $2}'); do ipcrm -s "$i"; done

     Restart apache
    #/etc/init.d/httpd restart

    2010/01/05

    VPS : tty device is not owned by group `tty’

    If you’re unable to SSH into a VPS server, try accessing the VPS from the OpenVZ hardware node.

    [root@VS ~]# vzctl enter VID
    entered into VE 1022
    mesg: error: tty device is not owned by group `tty’

    The error concerns the tty devices inside the container. It is resolved by changing the group of the tty device files:

    vzctl exec VID 'chgrp tty /dev/ttyp* /dev/ptyp*'

    There can be many other reasons for SSH failures.

    You might also check the udev package (this issue is commonly found on CentOS 5 containers).

    Find the udev rpm on the VPS server,

    root@vps1 [/]# rpm -qa | grep udev
    udev-095-14.16.el5

    Remove it from the server
    root@vps1 [/]# rpm -e --nodeps udev

    Once this is done, your SSH should start working fine.