ABHIONLINUX
Site useful for linux administration and web hosting

2010/03/27

Compilation of apache and php

Apache 2 source distribution available from http://www.apache.org.
PHP source distribution available from http://www.php.net/.
For the compilation make and gcc must be installed in the server. If it is not installed you can download it and install from  ftp://mirrors.kernel.org/gnu/

Before starting to compile Apache and PHP you must uninstall all previous Apache and PHP related RPMs installed on your system. To uninstall these packages you can use Red Hat Package Manager (rpm) utility. If you are using X Windows you can also use GUI utilities like gnorpm  and kpackge, if installed, to uninstall these RPMs.


Compiling Apache

Using shell, (or open a new virtual console window if working in X Windows) change to directory where you have downloaded Apache 2 source. In my case it is /usr/src.

$ cd /usr/src
$ gunzip httpd-2.0.44.tar.gz or gzip -d httpd-2.0.44.tar.gz
$ tar -zxvf httpd-2.0.44.tar.gz
$ cd /usr/src/httpd-2.0.44
Now we have to configure apache for compilation.

./configure --help

$ ./configure --prefix=/wwwroot --enable-so

First option --prefix tells configure script that we want Apache to be installed in directory /wwwroot. If we don't provide a prefix option than it'll be installed in default location, which is /usr/local/apache2.

I am installing everything in /wwwroot because:

   1. when a new version of PHP and Apache is released, I only have to rename /wwwroot directory to some other name like /wwwrootold and then I can install new versions in /wwwroot directory again. If new installation works properly then I can simply copy configuration files from old directory to /wwwroot.


   2. users new to compiling software from source, after compiling and installing it, try to find a way to uninstall the software. So, benefit of keeping everything at one place is; if someone wants to uninstall Apache and PHP then he just has to delete /wwwroot directory (After stopping Apache, if it is running).

Second option --enable-so tells configure to enable module so, which allows Apache to load shared modules. We need this option because we are compiling PHP as Apache shared module.

Example Apache configure command line looks like this. After configure finishes we have to compile Apache.
make


To compile Apache a utility called make is used. make reads a file named Makefile in the source directory. In the Makefile step by step instructions are written about how to compile the software. Benefit of using make is that if some of the source files are changed and we compile software again, then only files which are changed and files which depend on changed files are recompiled.

To compile Apache source we have to issue this command in the Apache source directory (/usr/src/httpd-2.0.44):

$ make

When you type make It will start compiling Apache. It will take several minutes depending upon the speed of your computer. After make finishes, shell prompt is available. Now source has been compiled. We will use make install command to install Apache

$ make install

This will install Apache to /wwwroot directory. Now test your Apache installation by starting Apache:

$ /wwwroot/bin/apachectl start

If you are returned to shell prompt and no error etc. is displayed then Apache is started.

Now you can open a web browser like lynx and visit Apache homepage:

$ lynx http://localhost

It'll show Apache homepage, where you can read Apache documentation to know more about Apache.

To stop Apache you can use:

$ /wwwroot/bin/apachectl stop


Compiling PHP

Change to directory where you have downloaded PHP source.

$ cd /usr/src

Then we have to extract PHP source files from php-4.3.0.tar.gz file.

To decompress the compressed file use:

$ gunzip php-4.3.0.tar.gz

You will have a file named php-4.3.0.tar in your current directory. Now to extract its contents use:

$ tar -xvf php-4.3.0.tar

Both above steps can be completed by using this command:
$ tar -zxvf php-4.3.0.tar.gz

A new directory php-4.3.0 will be created in your current directory. For me its /usr/src/php-4.3.0.

Now change to this directory:

$ cd /usr/src/php-4.3.0

Now we have to configure PHP for compilation process. There are hundreds of options which can be provided to configure script. These options include the option to specify where PHP should be installed, which functionality should be enabled, like functionality to access mysql databases from PHP and which extensions have to be compiled etc. To see a list of options supported by PHP configure, type:

$ ./configure --help

It'll show a list of all options supported by the version of PHP that you are using.

Extensions provide additional functionality which core PHP doesn't provide. For example to create images --with-gd option can be used. But for these extensions to work, appropriate libraries must have been installed. If you use some --with option and that library isn't installed on your system then configure will fail. So, my advice is, for the first time don't try to use any extension.

To compile PHP as Apache shared module we have to provide path to apache apxs utility, which in our case was installed in /wwwroot/bin/ when we installed Apache. So, in PHP source directory (/usr/src/php-4.3.0) execute this command :

$ ./configure --prefix=/wwwroot/php --with-apxs2=/wwwroot/bin/apxs --with-config-file-path=/wwwroot/php --with-mysql

First option --prefix=/wwwroot/php tells configure script that we want PHP to be installed in /wwwroot/php directory. Otherwise it'll be installed in some default location (/usr/local).

Second option --with-apxs2 specifies that we want to install PHP as Apache 2 shared module.

Third option --with-config-file-path specifies that PHP should look for php.ini file in /wwwroot/php directory. Php.ini file contains various settings, which can be used to configure PHP after it has been installed. Settings like path to directory where php extensions are installed. Options like max_execution_time in php.ini specifies maximum time a script is allowed to run before it is terminated by PHP parser.

    {Note} You don't have to specify name of the php.ini file when using --with-config-file-path option. Only directory path where php.ini file will be stored has to be specified. So, don't use --with-config-file-path=/wwwroot/php/php.ini, but instead use --with-config-file-path=/wwwroot/php.

Fourth option --with-mysql enables support to access mysql databases through PHP. After --with-mysql we can optionally specify directory where mysql is installed like --with-mysql=/usr/local/mysql. To use mysql database functions you must have mysql database installed on your system. If you don't have mysql installed you can remove this option. If this option is not used then library, which is bundled with PHP is used to access mysql databases.

After configure finishes. You have to type make to compile PHP:

$ make

It will take several minutes to compile. After make finishes and, no error etc. is displayed then PHP has been compiled successfully. If any warning is displayed then, normally, you can ignore it.

After this, if Apache is running stop Apache:

$ /wwwroot/bin/apachectl stop

Now you can execute make install from within PHP source directory to install PHP to /wwwroot/php directory:

$ make install

make install will install PHP4 module to Apache's modules sub-directory (/wwwroot/modules) and add a line like this:

LoadModule php4_module modules/libphp4.so

to apache configuration file (/wwwroot/conf/httpd.conf). This line allows Apache to automatically load PHP module when Apache starts. If this line is not added by PHP install, which in my case wasn't,  then you can add it yourself. To add this line yourself, search for a word LoadModule in /wwwroot/conf/httpd.conf file. This word will be somewhere under section "Dynamic Shared Object (DSO) Support". Under this section, on a new line, add the above line.

Now you have to add another line to this httpd.conf file so that Apache invokes PHP parser whenever a file with extension php (.php) is accessed. When PHP parser is invoked by Apache it reads .php file which contains PHP code blocks, html tags and other text. Parser then executes PHP code found inside blocks and then merges PHP code results and other html content (as is). Resulting output is then sent back to Apache which in turn sends it to web browser which requested the file.

The line to be added is:

AddType application/x-httpd-php .php

To add this line search for word AddType in httpd.conf file. There will be a line like this:

AddType application/x-tar .tgz

Below this line add (on a new line):

AddType application/x-httpd-php .php

You can add any file extension in addition to .php if you want to invoke PHP parser for any other file extension also. Like:

AddType application/x-httpd-php .phtml

will invoke PHP parser whenever any file with phtml extension (.phtml) is accessed.

Save this file and then start Apache:

$ /wwwroot/bin/apachectl start



Enabling some PHP extensions:

You can get list of core configure options supported by PHP see http://www.php.net/manual/en/configure.php.

For example if you want to create images using PHP, you first need to install gd library using RPMs or by compiling from source. Then you can use --with-gd option to enable gd support from PHP like this:

$ ./configure --prefix=/wwwroot/php --with-apxs2=/wwwroot/bin/apxs --with-config-file-path=/wwwroot/php --with-gd

    {Note} GD depends on some other libraries to create images in different formats. So, some other libraries like png, jpeg , zlib also have to be installed.




.

2010/03/25

Unable to upload large files via ftp

Add the following lines to  lines to /etc/proftpd.conf
================
AllowRetrieveRestart on
AllowOverwrite on
AllowStoreRestart on
================
Restart ftp and this should fix the issue.

.

2010/03/18

Linux Server Security

Following are the steps for securing cpanel servers:

1. Sysctl Hardening
http://www.eth0.us/sysctl

2.Secure /tmp
http://www.eth0.us/tmp

3.LES Linux Environment Security
Linux Environment Security is intended as a facility to quickly & easily secure RedHat/RPM based environments (i.e: turbo linux, open linux). It does such by enforcing root-only permissions on system binaries (binaries that have no place being
executed by normal users), enforcing root-only path traversal on system paths, enforcing immutable bit on essential rpm package contents (i.e: coreutils), and enforcing immutable bit on shell profile scripts.

4.Removal of Insecure packages

Please check to see the packages that are not needed on a web server. You can use the command rpm -qa to list all the installed rpm packages on the server. From the list remove packages choose the packages that are not required.
Some common examples of unnecessary packages are given below.
 mtools
yp-tools
redhat-config-nfs
redhat-config-samba
tftp-server
ypserv
redhat-config-printer-gui
samba
samba-swat
cups
gmp-devel
ElectricFence
doxygen
Xfree86-xfs
redhat-config-printer
cups-libs
samba-common
samba-client

5.Firewall (CSF + LFD)
6.AIDE (Advanced Intrusion Detection Environment)
http://www.cs.tut.fi/~rammer/aide.html

7. Logwatch Installation and configuration
8. ClamAV (virus scanner) Installation with Exim on cPanel servers
9. Installing chkrootkit
10. LibSafe Installation

Sender Policy Framework (SPF)

Sender Policy Framework (SPF), is an e-mail validation system designed to prevent e-mail spam by addressing a common vulnerability, source address spoofing. SPF allows administrators to specify which hosts are allowed to send e-mail from a given domain by creating a specific DNS SPF record in the public DNS..

example.org. IN SPF "v=spf1 a mx -all"

"v=" defines the version of SPF used. The following words provide mechanisms to use to determine if a domain is eligible to send mail. The "a" and "mx" specify the systems permitted to send messages for the given domain. The "-all" at the end specifies that, if the previous mechanisms did not match, the message should be rejected.
[edit] Mechanisms

Eight mechanisms are defined:
ALL     Matches always; used for a default result like -all for all IPs not matched by prior mechanisms.
A     If the domain name has an address record (A or AAAA) that can be resolved to the sender's address, it will match.
IP4     If the sender is in a given IPv4 address range, match.
IP6     If the sender is in a given IPv6 address range, match.
MX     If the domain name has an MX record resolving to the sender's address, it will match (i.e. the mail comes from one of the domain's mail servers).
PTR     If the domain name (PTR record) for the client's address is in the given domain and that domain name resolves to the client's address (forward-confirmed reverse DNS), match.

EXISTS     If the given domain name resolves to any address, match (no matter the address it resolves to). This is rarely used. Along with the SPF macro language it offers more complex matches like DNSBL-queries.

INCLUDE     If the included (a misnomer) policy passes the test this mechanism matches. This is typically used to include policies of more than one ISP.

Ext2 Vs ext3

Ext3 filesystem is nothing but next version of ext2 filesystem with journaling support. Ext3 has been structurally implemented same as ext2 so they have same data structures. he most important difference between Ext2 and Ext3 is that Ext3 supports journaling which allows fast recovery from disk problems. You also get reliability and a better performance with ext3. Ext3 is designed to take care of both metadata and data.

Ext3 is a tiny bit slower than ext2 is, but it holds tremendous advantages. There is really only one difference between ext2 and ext3, and that is that ext3 uses a journal to prevent filesystem corruption in the case of an unclean shutdown (ie. before the filesystem is synced to disk). That makes ext3 a bit slower than ext2 since all metadata changes are written to the journal, and then flushed to disk, but on the other hand you don't risk having the entire filesystem destroyed at power failure or if an unwitted person turns the computer off uncleanly.

Inode

Inode is a unique number given to a file in Unix OS. Every file in Unix has a inode number. Inodes store information of files, such as user and group ownership, access mode (read, write, execute permissions) and type of file. When a file system is created, data structures are created that contain information about files. Each file is associated with an inode that is identified by an inode number

File names and directory implications:

    * Inodes do not contain file names, only file metadata.
    * Unix directories are lists of "link" structures, each of which contains one filename and one inode number.
    * The kernel must search a directory looking for a particular filename and then convert the filename to the correct corresponding inode number if the name is found.


:

Load in the server

Load :  Measure of the amount of work done by a computer systems.
Load average : Average system load over a period of time.


An idle computer has a load number of 0 and each process using or waiting for CPU adds to the load number by 1. Most UNIX systems count only processes in the running (on CPU) or runnable (waiting for CPU) states. However, Linux also includes processes in uninterruptible sleep states (usually waiting for disk activity), which can lead to markedly different results if many processes remain blocked in I/O  due to a busy or stalled I/O system. This, for example, includes processes blocking due to an NFS server failure or to slow media (e.g., USB 1.x storage devices). Such circumstances can result in an elevated load average, which does not reflect an actual increase in CPU use (but still gives an idea on how long users have to wait).

Systems calculate the load average as the exponentially damped/weighted moving average of the load number. The three values of load average refer to the past one, five, and fifteen minutes of system operation.

For single-CPU systems that are CPU-bound, one can think of load average as a percentage of system utilization during the respective time period. For systems with multiple CPUs, one must divide the number by the number of processors in order to get a comparable percentage.

For example, one can interpret a load average of "1.73 0.50 7.98" on a single-CPU system as:

    * during the last minute, the CPU was overloaded by 73% (1 CPU with 1.73 runnable processes, so that 0.73 processes had to wait for a turn)
    * during the last 5 minutes, the CPU was underloaded 50% (no processes had to wait for a turn)
    * during the last 15 minutes, the CPU was overloaded 698% (1 CPU with 7.98 runnable processes, so that 6.98 processes had to wait for a turn)

This means that this CPU could have handled all of the work scheduled for the last minute if it were 1.73 times as fast, or if there were two (1.73 rounded up) times as many CPUs, but that over the last five minutes it was twice as fast as necessary to prevent runnable processes from waiting their turn.

In a system with four CPUs, a load average of 3.73 would indicate that there were, on average, 3.73 processes ready to run, and each one could be scheduled into a CPU.
 
On Linux systems, the load-average is not calculated on each clock tick, but driven by a variable value that is based on the HZ frequency setting and tested on each clock tick. (HZ variable is the pulse rate of particular Linux kernel activity. 1HZ is equal to one clock tick; 10ms by default.) Although the HZ value can be configured in some versions of the kernel, it is normally set to 100. The calculation code uses the HZ value to determine the CPU Load calculation frequency. Specifically, the timer.c:calc_load() function will run the an algorithm every 5 * HZ, or roughly every five seconds. Following is that function in its entirety:
unsigned long avenrun[3];
 
static inline void calc_load(unsigned long ticks)
{
   unsigned long active_tasks; /* fixed-point */
   static int count = LOAD_FREQ;
 
   count -= ticks;
   if (count < 0) {
      count += LOAD_FREQ;
      active_tasks = count_active_tasks();
      CALC_LOAD(avenrun[0], EXP_1, active_tasks);
      CALC_LOAD(avenrun[1], EXP_5, active_tasks);
      CALC_LOAD(avenrun[2], EXP_15, active_tasks);
   }
}
The avenrun array contains 1-minute, 5-minute and 15-minute average. The CALC_LOAD macro and its associated values are defined in sched.h :
define FSHIFT   11  /* nr of bits of precision */
   define FIXED_1  (1<<FSHIFT) /* 1.0 as fixed-point */
   define LOAD_FREQ (5*HZ) /* 5 sec intervals */
   define EXP_1  1884  /* 1/exp(5sec/1min) as fixed-point */
   define EXP_5  2014  /* 1/exp(5sec/5min) */
   define EXP_15 2037  /* 1/exp(5sec/15min) */
 
   define CALC_LOAD(load,exp,n) \
      load *= exp; \
      load += n*(FIXED_1-exp); \
      load >>= FSHIFT;