ABHIONLINUX
Site useful for linux administration and web hosting

2013/03/09

NginxCP – SyntaxError: ‘yield’ not allowed in a ‘try’ block with a ‘finally’ clause

When you install the cpnginx cPanel plugin, you may get the following error.

====================================
root@localhost [/usr/local/src/publicnginx]# ./nginxinstaller install
/usr/local/src/publicnginx
Welcome to the Nginx Admin installer......Starting Install
Generating vhosts...
Traceback (most recent call last):
File "/scripts/createvhosts.py", line 2, in ?
import yaml
File "/usr/lib/python2.4/site-packages/PyYAML-3.10-py2.4-linux-x86_64.egg/yaml/__init__.py", line 26
SyntaxError: 'yield' not allowed in a 'try' block with a 'finally' clause
Installing WHM interface...
deploying booster rockets
Traceback (most recent call last):
File "/usr/local/src/publicnginx/nginxinstaller2", line 9, in ?
import createvhosts
File "/usr/local/src/publicnginx/createvhosts.py", line 2, in ?
import yaml
File "/usr/lib/python2.4/site-packages/PyYAML-3.10-py2.4-linux-x86_64.egg/yaml/__init__.py", line 26
SyntaxError: 'yield' not allowed in a 'try' block with a 'finally' clause
root@localhost [/usr/local/src/publicnginx]#
====================================

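The paths in the traceback show PyYAML 3.10 being imported by Python 2.4, which does not accept a yield inside a try block that has a finally clause (Python 2.5 and later do). You can fix it by running the pythonfix script from the installer directory:

root@localhost [/usr/local/src/publicnginx]# ./pythonfix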


2013/03/03

CpNginx as reverse proxy in cpanel servers

We all know that nginx is much faster than Apache at handling static pages and images. In this post, I would like to show how to configure nginx as a reverse proxy that handles static pages/images while Apache handles dynamic pages. This will really improve performance on high-traffic servers.

CpNginx is a cPanel plugin for managing the nginx web service on a cPanel server. Since nginx is very good at processing static files, we will configure nginx to run on port 80 and forward dynamic requests to Apache on port 8081. The Apache module mod_rpaf helps with this setup: it lets Apache see the real client IP address from the headers nginx sets, instead of the proxy's address. First we need to install mod_rpaf. The following steps install mod_rpaf into the Apache module directory.
===========

Login as root:
# cd /usr/local/src
# wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz
# tar xvzf mod_rpaf-0.6.tar.gz
# cd mod_rpaf-0.6
# /usr/local/apache/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
===========

Following are the steps to install cpnginx in cpanel servers.
============
cd /usr/local/src
wget http://nginxcp.com/latest/nginxadmin.tar
tar xf nginxadmin.tar
cd publicnginx
./nginxinstaller install
=============

Before installing nginx, we need to change the Apache port to 8081 in Tweak Settings:

WHM > Server Configuration > Tweak Settings > Apache non-SSL IP/port

Once this has been done, we need to run the commands given below to permanently save the apache configuration.


#  /usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings
#  /usr/local/cpanel/bin/apache_conf_distiller --update --main
#  /scripts/rebuildhttpdconf

Now you need to convert the Apache virtual hosts to nginx virtual hosts. To do that, save the script given below as nginx.sh and give it executable permission. Before running it, create the empty file /usr/local/nginx/conf/vhost.conf:

touch /usr/local/nginx/conf/vhost.conf 

Script to convert apache virtualhost
=============================
#!/bin/sh
 
cat > "/usr/local/nginx/conf/nginx.conf" <<EOF
user  nobody;
# no need for more workers in the proxy mode
worker_processes  1;
 
error_log  logs/error.log info;
 
worker_rlimit_nofile  8192;
 
events {
 worker_connections  512; # you might need to increase this setting for busy servers
 use epoll; #  Linux kernels 2.4.x  change to rtsig
}
 
http {
 server_names_hash_max_size 2048;
 
 include    mime.types;
 default_type  application/octet-stream;
 
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
 
 keepalive_timeout  10;
 
 gzip on;
 gzip_min_length  1100;
 gzip_buffers  4 32k;
 gzip_types    text/plain application/x-javascript text/xml text/css;
 ignore_invalid_headers on;
 
 client_header_timeout  3m;
 client_body_timeout 3m;
 send_timeout     3m;
 connection_pool_size  256;
 client_header_buffer_size 4k;
 large_client_header_buffers 4 32k;
 request_pool_size  4k;
 output_buffers   4 32k;
 postpone_output  1460;
 
 include "/usr/local/nginx/conf/vhost.conf";
}
 
EOF
 
/bin/cp /dev/null /usr/local/nginx/conf/vhost.conf
 
cd /var/cpanel/users
for USER in *; do
 for DOMAIN in `cat $USER | grep ^DNS | cut -d= -f2`; do
  IP=`cat $USER|grep ^IP|cut -d= -f2`;
  ROOT=`grep ^$USER: /etc/passwd|cut -d: -f6`;
  echo "Converting $DOMAIN for $USER";
 
  cat >> "/usr/local/nginx/conf/vhost.conf" <<EOF
   server {
  access_log off;
 
  error_log  logs/vhost-error_log warn;
  listen    80;
  server_name  $DOMAIN www.$DOMAIN;
 
  # uncomment location below to make nginx serve static files instead of Apache
  # NOTE this will cause issues with bandwidth accounting as files wont be logged
  #location ~* \.(gif|jpg|jpeg|png|wmv|avi|mpg|mpeg|mp4|js|css)$ {
  # root   $ROOT/public_html;
  #}
 
  location / {
   proxy_send_timeout   90;
   proxy_read_timeout   90;
 
   proxy_buffer_size    4k;
   # you can increase proxy_buffers here to suppress "an upstream response
   #  is buffered to a temporary file" warning
   proxy_buffers     16 32k;
   proxy_busy_buffers_size 64k;
   proxy_temp_file_write_size 64k;
 
   proxy_connect_timeout 30s;
 
   # Apache backend port: 8081, as set in Tweak Settings above
   proxy_redirect  http://www.$DOMAIN:8081   http://www.$DOMAIN;
   proxy_redirect  http://$DOMAIN:8081   http://$DOMAIN;
 
   proxy_pass   http://$IP:8081/;
 
   proxy_set_header   Host   \$host;
   proxy_set_header   X-Real-IP  \$remote_addr;
   proxy_set_header   X-Forwarded-For \$proxy_add_x_forwarded_for;
  }
 }
EOF
 done
done
==================================================

# chmod 755 nginx.sh
# ./nginx.sh

Now you can test the nginx configuration using:

root@server [~]# /usr/local/sbin/nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now you can start nginx using:
# /etc/init.d/nginx start
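
The conversion script above writes every DNS and IP value it finds in /var/cpanel/users straight into vhost.conf. As an added example (not part of the original script), the helper below extracts the same pairs but skips values that are not a plain hostname or IPv4 address, so a malformed line cannot end up inside a server block. The function name emit_vhost_pairs is hypothetical.

```bash
#!/bin/sh
# Added example: validated replacement for the `grep ^DNS | cut -d= -f2`
# and `grep ^IP | cut -d= -f2` lookups in the conversion script.
# emit_vhost_pairs FILE  prints "domain ip" for each usable DNS entry.
emit_vhost_pairs() {
    local userfile="$1" ip domain

    # First IP= line only; the value must be an IPv4 dotted quad.
    ip=$(sed -n 's/^IP=//p' "$userfile" | head -n 1)
    if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "skip $userfile: unusable IP '$ip'" >&2
        return 1
    fi

    # DNS=, DNS1=, DNS2=, ... lines (the original grep matches all of them).
    sed -n 's/^DNS[0-9]*=//p' "$userfile" | while IFS= read -r domain; do
        # Letters, digits, dots and hyphens only: nothing that could close
        # a directive (;) or a block ({ }) in the generated nginx config.
        if printf '%s\n' "$domain" |
            grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'; then
            printf '%s %s\n' "$domain" "$ip"
        else
            echo "skip domain '$domain' in $userfile" >&2
        fi
    done
}
```

In nginx.sh, the inner loop can then read its DOMAIN and IP values from `emit_vhost_pairs "$USER"` instead of the two unvalidated lookups.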






2013/03/02

Vzmigrate : vzrst module is not loaded on the destination node


When you try to do live migration of openvz vps using vzmigrate,
you may get this error



==============
[root@server ]# vzmigrate --online 192.162.0.1 101
Starting live migration of CT 1141 to 192.162.0.1
Error: vzrst module is not loaded on the destination node
Error: Can't continue live migration
===============

192.162.0.1 : IP address of the destination hardware node.
101         : VID of the VPS that is going to be transferred.

Cause: the vzrst module is not loaded on the destination server, which is causing the issue.
You can check the modules loaded on that server using the following command.

[root@server ]# lsmod | grep vz

Fix: 
To fix this issue, you need to load the required modules on the destination node. You can load the modules using the following commands:

[root@server ]# modprobe vzrst
[root@server ]# modprobe vzcpt


2013/03/01

SSHD Exploit

SSH exploit

We are aware of the recent SSHD exploit that is affecting cPanel servers running CloudLinux and CentOS. It is also reported that Plesk, DA and non-RHEL distributions are affected.

These exploits are carried out via the SSH server. On 64-bit and 32-bit servers, the rootkit deposits /lib64/libkeyutils.so.1.9 and /lib/libkeyutils.so.1.9 respectively, and changes the link /lib64/libkeyutils.so.1 (and /lib/libkeyutils.so.1) to point to that library.

On an unaffected server, the link looks like this:
===============

root@server [~]# ls -ld /lib64/libkeyutils.so*
lrwxrwxrwx 1 root root 18 Apr 23  2012 /lib64/libkeyutils.so.1 -> libkeyutils-1.2.so*
================

This exploit may result in theft of passwords, SSH keys and /etc/shadow, in spamming, or it can act as a backdoor to your server.

CloudLinux has released the following script to test whether your server is infected.

You can see if your server is infected by running:

$ wget -qq -O - http://www.cloudlinux.com/sshd-hack/check.sh |/bin/bash
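
The indicator described above can also be checked locally, without fetching a script over HTTP. The following is an added example, not CloudLinux's check.sh and not code from the original post; the function names check_libkeyutils and scan_host are hypothetical.

```bash
#!/bin/sh
# Added example: look for the two signs named in the post inside one
# library directory (e.g. /lib64 or /lib).
# check_libkeyutils DIR -> returns 0 if neither sign is present, 1 otherwise.
check_libkeyutils() {
    local dir="$1" rc=0 link target

    # Sign 1: the deposited library file itself.
    if [ -e "$dir/libkeyutils.so.1.9" ] || [ -L "$dir/libkeyutils.so.1.9" ]; then
        echo "SUSPICIOUS: $dir/libkeyutils.so.1.9 exists"
        rc=1
    fi

    # Sign 2: libkeyutils.so.1 re-pointed at that file.
    link="$dir/libkeyutils.so.1"
    if [ -L "$link" ]; then
        target=$(readlink "$link")
        case "$target" in
            libkeyutils.so.1.9|*/libkeyutils.so.1.9)
                echo "SUSPICIOUS: $link -> $target"
                rc=1 ;;
            *)  echo "ok: $link -> $target" ;;
        esac
    fi
    return "$rc"
}

# scan_host [ROOT] checks ROOT/lib64 and ROOT/lib; ROOT defaults to the
# live system. A non-empty ROOT is useful for a mounted disk image.
scan_host() {
    local root="${1:-}" rc=0 d
    for d in "$root/lib64" "$root/lib"; do
        [ -d "$d" ] || continue
        check_libkeyutils "$d" || rc=1
    done
    return "$rc"
}

# Run as: sh thisfile --scan
if [ "${1:-}" = "--scan" ]; then scan_host; fi
```

On RPM-based systems, a library dropped outside package management is also reported by `rpm -qf <path>` as not owned by any package.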


To clean up the libkeyutils library:
USE IT AT YOUR OWN RISK, THE SCRIPT WASN'T FULLY TESTED
$ wget -qq -O - http://www.cloudlinux.com/sshd-hack/clean.sh |/bin/bash
Then reboot the server.

There is a chance that the server will be re-infected. In order to prevent this, you will have to block SSH from the public and allow it only from the IPs that need it. You also need to update the passwords and SSH keys, which will prevent it from happening again.