Monday, 22 July 2013

LFD


If you installed CSF (ConfigServer Firewall) on the server, it comes bundled with a daemon called Login Failure Daemon (lfd). lfd runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that keep failing within a short period of time.

Such patterns are normally called "brute-force attacks"; the daemon responds quickly to them and blocks the offending IPs.

To check why lfd has failed, look at the end of /var/log/lfd.log.

You can see errors such as the following:

---------------------------------------------------------------------------------------------------------
/var/log/lfd.log:Jul 15 09:28:33 server lfd[11662]: Error: cannot fork: Cannot allocate memory, at line 2402
/var/log/lfd.log:Jul 15 14:10:09 server lfd[9297]: open3: fork failed: Cannot allocate memory at /usr/sbin/lfd line 1981
/var/log/lfd.log:Jul 16 05:43:22 server lfd[18107]: Error: cannot fork: Cannot allocate memory, at line 5380
/var/log/lfd.log:Jul 16 06:51:08 server lfd[1916]: Error: cannot fork: Cannot allocate memory, at line 5380
/var/log/lfd.log:Jul 16 09:24:53 server lfd[7386]: Error: cannot fork: Cannot allocate memory, at line 5380
/var/log/lfd.log:Jul 16 17:01:15 server lfd[17889]: Error: cannot fork: Cannot allocate memory, at line 5380
/var/log/lfd.log:Jul 16 22:55:31 server lfd[5289]: Error: cannot fork: Cannot allocate memory, at line 5380
/var/log/lfd.log:Jul 17 00:12:06 server lfd[8044]: Error: cannot fork: Cannot allocate memory, at line 5380
/var/log/lfd.log:Jul 17 02:19:15 server lfd[17821]: Error: cannot fork: Cannot allocate memory, at line 5380
/var/log/lfd.log:Jul 17 07:15:43 server lfd[21667]: Error: cannot fork: Cannot allocate memory, at line 5380
/var/log/lfd.log:Jul 17 09:10:10 server lfd[7318]: Error: cannot fork: Cannot allocate memory, at line 5380
/var/log/lfd.log:Jul 17 23:41:36 server lfd[24521]: Error: cannot fork: Cannot allocate memory, at line 6066
/var/log/lfd.log:Jul 18 00:00:11 server lfd[5859]: Error: cannot fork: Cannot allocate memory, at line 2018
/var/log/lfd.log:Jul 18 20:31:45 server lfd[11656]: open3: fork failed: Cannot allocate memory at /usr/sbin/lfd line 1981
/var/log/lfd.log:Jul 19 04:16:15 server lfd[31925]: Error: cannot fork: Cannot allocate memory, at line 6066
/var/log/lfd.log:Jul 19 06:00:07 server lfd[12118]: Error: cannot fork: Cannot allocate memory, at line 2018
/var/log/lfd.log:Jul 19 06:06:03 server lfd[20240]: Error: cannot fork: Cannot allocate memory, at line 5380
/var/log/lfd.log:Jul 19 16:50:16 server lfd[21681]: Error: cannot fork: Cannot allocate memory, at line 5380

-------------------------------------------------------------------------------------------
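As an added example (not part of the original post), here is a small shell function that summarises the "Cannot allocate memory" errors at the tail of lfd.log by day, so a chronic shortage (errors spread across days, as in the listing above) stands out from a one-off. It assumes the syslog-style line layout shown above, optionally prefixed with the filename the way grep prints it; the second sample line in the test is a constructed non-error line.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: lfd_memory_errors /var/log/lfd.log
# Prints "Mon DD <count>" per day and exits non-zero when any such error was found,
# so it can be used as a check in a monitoring script.
lfd_memory_errors() {
    logfile=$1
    awk '/Cannot allocate memory/ {
             sub(/^[^:]*lfd\.log:/, "")          # strip a "file:" prefix from grep -H output
             day = $1 " " $2                      # "Jul 16"
             n[day]++
             total++
         }
         END {
             for (d in n) printf "%s %d\n", d, n[d]
             exit (total > 0 ? 1 : 0)             # 1 = fork/memory errors present
         }' "$logfile"
}
```

Run it against the live log after an lfd alert; a non-zero exit together with several days of counts points at the server running out of memory rather than at lfd itself.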

On further checking I found that the plugins installed on the server (cmm, cmc, cmq, cse, csf, cxs, msinstall, msfe) were not working properly, which led to these LFD email alerts being sent to the client's email address.

Running the following command fixed the issue.

curl -s configserver.com/free/csupdate | perl 

CSF error : No response from subprocess (/usr/local/cpanel/whostmgr/docroot/cgi/addon_csf.cgi): subprocess exited with status 2


On checking the cPanel error log at /usr/local/cpanel/logs/error_log, you can see errors such as:

--------------------------------------------------------------------------------
Can't locate Net/LibIDN.pm in @INC (@INC contains: /usr/local/cpanel /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 .) at /usr/local/cpanel/Cpanel/Encoder/Punycode.pm line 10.
Compilation failed in require at /usr/local/cpanel/Cpanel/DomainTools.pm line 13.
BEGIN failed--compilation aborted at /usr/local/cpanel/Cpanel/DomainTools.pm line 13.
Compilation failed in require at /usr/local/cpanel/Cpanel/CheckData.pm line 8.
BEGIN failed--compilation aborted at /usr/local/cpanel/Cpanel/CheckData.pm line 8.
Compilation failed in require at /usr/local/cpanel/Cpanel/cPanelFunctions.pm line 11.
BEGIN failed--compilation aborted at /usr/local/cpanel/Cpanel/cPanelFunctions.pm line 11.
Compilation failed in require at /usr/local/cpanel/whostmgr/docroot/cgi/addon_csf.cgi line 24.
BEGIN failed--compilation aborted at /usr/local/cpanel/whostmgr/docroot/cgi/addon_csf.cgi line 24.
----------------------------------------------------------------------------------------------

In order to fix this issue, run the following command:

curl -s configserver.com/free/csupdate | perl

This script updates: cmm, cmc, cmq, cse, csf, cxs, msinstall, msfe.
Only those scripts that are already installed will be updated; those are updated regardless of whether they are the same or an older version than the one available.


Move all addon domains as a standalone accounts under a reseller


If there are many addon domains under a cPanel account and you need to turn each of them into a standalone account under a reseller account, follow these steps:

Backup
------
1. Take a full backup of the user from cPanel.
2. Extract the backup.


Create as stand alone account
-----------------------------
3. Remove one addon domain.
4. Create that domain from WHM --> Create a New Account.


Restore web files
-----------------
5. Copy all web files of that addon domain from the backup to the new document root.
6. Change the ownership of all files to newuser.newuser.


Restore DB's
-----------
7. Note the name of the database for each domain.
8. In the backup directory there is a mysql directory; all databases are under it.
9. Log in to the cPanel of the new account.
10. Create a database and a database user from cPanel --> MySQL Databases.
11. Give that MySQL user all privileges on the corresponding database from there.
12. Update the database settings in all configuration files in the document root of that domain (new database name, user and password).
13. Restore the old database dump into the new database.


Restore mails
-------------
14. In the backup there is a directory named mail. Copy the domain's directory from there to the new account's mail directory, /home/newuser/mail/.
15. Change the ownership of that directory under /home/newuser/mail/ to newuser.newuser.


Restore mail accounts with same password
----------------------------------------
16. In the backup there is a directory named etc. Copy the domain's directory from there to the new account's /home/newuser/etc/.
17. Change the ownership of that directory under /home/newuser/etc/ to newuser.mail.
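The file-copy and ownership steps above (5-6, 14-15 and 16-17) done in one shell function, as an added example that is not part of the original post. It assumes the extracted full backup has the usual homedir/, mail/ and etc/ subdirectories and that the addon's document root inside the backup is homedir/public_html/DOMAIN (a hypothetical layout; check the old account's addon settings if yours differs). The database steps (7-13) are done from cPanel and are not covered.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: restore_addon_files BACKUP_DIR DOMAIN NEWUSER NEWHOME [WEBGROUP] [MAILGROUP]
# WEBGROUP defaults to NEWUSER (newuser.newuser), MAILGROUP defaults to "mail" (newuser.mail).
restore_addon_files() {
    backup=$1 domain=$2 newuser=$3 newhome=$4
    webgroup=${5:-$newuser} mailgroup=${6:-mail}
    # Assumed location of the addon's document root inside the extracted backup.
    src_docroot="$backup/homedir/public_html/$domain"
    [ -d "$src_docroot" ] || { echo "no document root for $domain in $backup" >&2; return 1; }

    # Steps 5-6: web files into the new document root, owned by newuser.newuser
    mkdir -p "$newhome/public_html" &&
    cp -Rp "$src_docroot/." "$newhome/public_html/" &&
    chown -R "$newuser:$webgroup" "$newhome/public_html" || return 1

    # Steps 14-15: the domain's mailboxes, also owned by newuser.newuser
    if [ -d "$backup/mail/$domain" ]; then
        mkdir -p "$newhome/mail" &&
        cp -Rp "$backup/mail/$domain" "$newhome/mail/" &&
        chown -R "$newuser:$webgroup" "$newhome/mail/$domain" || return 1
    fi

    # Steps 16-17: mail account passwords/quotas, owned by newuser.mail so the mail
    # services (group mail) can read them while other accounts on the box cannot
    if [ -d "$backup/etc/$domain" ]; then
        mkdir -p "$newhome/etc" &&
        cp -Rp "$backup/etc/$domain" "$newhome/etc/" &&
        chown -R "$newuser:$mailgroup" "$newhome/etc/$domain" || return 1
    fi
}
```

Run it as root once the new account exists, e.g. restore_addon_files /home/backup-extracted example.com newuser /home/newuser; it stops before touching anything if the document root is not where it expects.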

Thursday, 11 July 2013

cPanel plugin to list the domains that are not working or not resolving from the server


Installation
-----------

# cd /home
# rm -f latest-accountdnscheck
# wget http://www.ndchost.com/cpanel-whm/plugins/accountdnscheck/download.php -O latest-accountdnscheck
# sh latest-accountdnscheck


Now log in to WHM > Plugins > Account DNS Check.

Or you can run it from the command line:

/var/cpanel/accountdnscheck/scripts/cli_run.sh

Thursday, 4 July 2013

White List Hostname in CSF


Follow these steps to whitelist a hostname in CSF for domains using dynamic IPs.


1) Open the file "csf.dyndns" on your server and add the hostname of your domain.

2) Open the file "csf.conf" on your server and set DYNDNS = "300", which makes lfd check for IP updates every 5 minutes.

3) In the same "csf.conf" set DYNDNS_IGNORE = "1" so that the DYNDNS IP addresses are always ignored by lfd blocking.

4) Restart the firewall.
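The same four steps as a shell function, added here as an example and not part of the original post. It assumes the standard CSF file locations /etc/csf/csf.dyndns and /etc/csf/csf.conf and the csf.conf line format KEY = "value"; both paths are parameters so it can be tried on copies first.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: csf_whitelist_dyndns HOSTNAME /etc/csf/csf.dyndns /etc/csf/csf.conf
csf_whitelist_dyndns() {
    host=$1 dyndns_file=$2 conf_file=$3
    # Step 1: add the hostname to csf.dyndns, once (lfd resolves every entry each cycle)
    grep -qx "$host" "$dyndns_file" 2>/dev/null || printf '%s\n' "$host" >> "$dyndns_file"
    # Steps 2 and 3: set the lookup interval and the ignore flag, whatever they were before
    sed -i -e 's/^DYNDNS = ".*"/DYNDNS = "300"/' \
           -e 's/^DYNDNS_IGNORE = ".*"/DYNDNS_IGNORE = "1"/' "$conf_file" || return 1
    # Verify rather than assume: if either key was missing, sed changed nothing and lfd
    # would keep blocking the host. Non-zero here tells the caller not to restart blindly.
    grep -q '^DYNDNS = "300"$' "$conf_file" && grep -q '^DYNDNS_IGNORE = "1"$' "$conf_file"
}
# Step 4 (restart the firewall) is done by hand once the function has returned 0.
```

Running it twice is safe: the hostname is not duplicated and the two settings are simply rewritten to the same values.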

FTP Command to Download all Subdirectories and files in a Directory


Use the command wget -r 'ftp://username:password@1.2.3.4/dir/*' to download all the subdirectories and files under a directory. Quote the URL so the shell does not expand the *; note that a password given on the command line this way ends up in the shell history and the process list.

Wordpress Permlink Showing Blank Page


If you encounter a blank page when working with permalinks in WordPress, do the following.

Open the file wp-admin/includes/misc.php and replace the got_mod_rewrite function with the code below. (Because the function passes its result through the got_rewrite filter, the same override can also be applied from a plugin with add_filter('got_rewrite', '__return_true'), which survives WordPress updates, whereas an edited core file is overwritten.)

----------------------------------------------------------------------------------
function got_mod_rewrite() {
	//$got_rewrite = apache_mod_loaded('mod_rewrite', true); // old line, gives a false negative
	$got_rewrite = true; // force the response to true, as we know mod_rewrite is installed
	return apply_filters('got_rewrite', $got_rewrite);
}
-------------------------------------------------------------------------------------


Repairing a Corrupted MySQL Database


Solution 1

Log in to the server with root access.

Stop MySQL using the following command:

/etc/init.d/mysql stop

Run the following command to check all the tables in the database:

/usr/bin/myisamchk /var/lib/mysql/databasename/*.MYI

Run the following command to repair all the tables in the database:

/usr/bin/myisamchk -r /var/lib/mysql/databasename/*.MYI

Then recheck using the following command:

/usr/bin/myisamchk /var/lib/mysql/databasename/*.MYI

Restart the MySQL service using the following command:

/etc/init.d/mysql restart

Solution 2

If you want to repair a database using myisamchk, you need to shut down the MySQL service before proceeding; otherwise it may corrupt other databases.

Alternatively, if you do not want to shut down MySQL, you can use mysqlcheck:

mysqlcheck [DBNAME]

To repair the database tables:

mysqlcheck -r [DBNAME]

You can also use the following command (a password given with -p on the command line is visible in the process list and shell history):

mysqlcheck -u{username} -p{password} --check --optimize --auto-repair --all-databases
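Because Solution 1 is only safe with MySQL stopped (as Solution 2 warns), here is a guard around the myisamchk steps, added as an example and not part of the original post. It refuses to run while a mysqld process is alive, then checks each table silently and repairs only the ones that fail, rechecking everything at the end. It assumes the pid file path /var/lib/mysql/mysql.pid from the my.cnf later on this page; pass your own path as the second argument if it differs, and run it as root so the process check is reliable.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: repair_myisam_db /var/lib/mysql/databasename [/path/to/mysql.pid]
# Exit codes: 0 all tables OK, 1 a repair or recheck failed, 2 mysqld still running,
#             3 no MyISAM tables found in the directory.

mysqld_is_running() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1                 # no pid file: treat the server as stopped
    pid=$(cat "$pidfile")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null   # signal 0: does that process exist?
}

repair_myisam_db() {
    dbdir=$1 pidfile=${2:-/var/lib/mysql/mysql.pid}
    if mysqld_is_running "$pidfile"; then
        echo "mysqld still running (see $pidfile); stop it before using myisamchk" >&2
        return 2
    fi
    set -- "$dbdir"/*.MYI
    [ -e "$1" ] || { echo "no MyISAM tables in $dbdir" >&2; return 3; }
    # Check every table silently (-s); repair (-r) only the ones that fail the check.
    for table in "$@"; do
        myisamchk -s "$table" || myisamchk -r "$table" || return 1
    done
    myisamchk -s "$@"        # final recheck: non-zero means something is still broken
}
```

Typical use: /etc/init.d/mysql stop; repair_myisam_db /var/lib/mysql/databasename && /etc/init.d/mysql restart. The restart only happens when the recheck passed.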

Webmin and Virtualmin Installation in Centos


Webmin installation :
-------------------------

Create a repository file:

vi /etc/yum.repos.d/webmin.repo
[Webmin]
name=Webmin Distribution Neutral
#baseurl=http://download.webmin.com/download/yum
mirrorlist=http://download.webmin.com/download/yum/mirrorlist
enabled=1

wq!

wget http://www.webmin.com/jcameron-key.asc
rpm --import jcameron-key.asc

yum install webmin


Open port 10000 to access Webmin:
iptables -I INPUT -p tcp --dport 10000 -j ACCEPT

To install virtualmin :
------------------------------

Create the script below:

vi virtualmininstall.sh

curl http://software.virtualmin.com/gpl/scripts/install.sh > install.sh ; chmod 755 ./install.sh ; ./install.sh ;

wq!

Make the script executable:  chmod +x virtualmininstall.sh
Execute the script:  sh virtualmininstall.sh

After the installation is complete, log in to the server at:

https://serverip:10000
username :  root
password :

Starting Xen Vm from Backend


First shut down the VM via SolusVM, then issue the command:

 xm create /home/xen/vm441/vm441.cfg

where vm441 is the VM ID.

Clamav Configuration


To install ClamAV:

#yum install clamd

Run #freshclam to update the virus definitions.

Create a file /home/clamscan with the following contents:

#!/bin/sh
clamscan -ri --exclude-dir='^/sys|^/proc|^/dev' / | mail -s "ClamAV Scan Results for `date +%D`" user@domain.com

Save the file, exit and make it executable (chmod +x /home/clamscan), since cron will run it directly. user@domain.com must be replaced by the email address to which the scan results are to be mailed.

#crontab -e

0 0 * * * /home/clamscan

Save the file and exit. The above cron job will run every day at midnight.

Enabling SPF for all accounts in WHM


Command to install the SPF record for a single cPanel account:
----------------------------------------------------------
/usr/local/cpanel/bin/spf_installer <cPanelusername>


Install SPF records for all cPanel accounts:
--------------------------------------------------

cd /var/cpanel/users

for i in /var/cpanel/users/*; do /usr/local/cpanel/bin/spf_installer "$(basename "$i")"; done

MYSQL OPTIMIZATION


I'm pasting some parameters which worked for me while optimizing the MySQL settings in the /etc/my.cnf file.

vi /etc/my.cnf

[mysqld]
socket=/var/lib/mysql/mysql.sock
#skip-locking — disabled by default
#skip-innodb — only when all tables are MyISAM
skip-name-resolve # saves dns resolution time.
query_cache_limit=1M
query_cache_size=64M
query_cache_type=1
max_connections=500
interactive_timeout=75
wait_timeout=25
connect_timeout=10

thread_cache_size=128
key_buffer=256M
sort_buffer_size=2M
read_buffer_size=2M ## sort+read x connections + key = memory usage
join_buffer=2M
max_allowed_packet=16M
table_cache=1024
record_buffer=2M
thread_concurrency=8
myisam_sort_buffer_size=64M
#log-bin
server-id=1

[safe_mysqld]
err-log=/var/log/mysqld.log
pid-file=/var/lib/mysql/mysql.pid
open_files_limit=8192

[mysqldump]
quick
max_allowed_packet=16M

[mysql]
no-auto-rehash
#safe-updates

[isamchk]
key_buffer=64M
sort_buffer=64M
read_buffer=16M
write_buffer=16M

[myisamchk]
key_buffer=64M
sort_buffer=64M
read_buffer=16M
write_buffer=16M

/etc/init.d/mysql restart

CPanel Log File Locations


cPanel Installation Logs:

/var/log/cpanel-install-thread0.log


Apache :

/usr/local/apache/logs/access_log

/usr/local/apache/logs/error_log


Apache domlogs :

/usr/local/apache/domlogs/example.com


Apache SUEXEC Logs :

/usr/local/apache/logs/suexec_log


MySQL :

/var/lib/mysql/hostname.err


BIND (named) Log:

/var/log/messages


Exim :

/var/log/exim_mainlog

/var/log/exim_paniclog

/var/log/exim_rejectlog


Courier or Dovecot IMAP :

/var/log/maillog


Tomcat Logs :

/usr/local/jakarta/tomcat/logs/catalina.err

/usr/local/jakarta/tomcat/logs/catalina.out


cPanel Access Log :

/usr/local/cpanel/logs/access_log


cPanel Error Log :

/usr/local/cpanel/logs/error_log


cPanel License Log :

/usr/local/cpanel/logs/license_log


Stats Execution Logs :

/usr/local/cpanel/logs/stats_log


ChkServd (cPanel Monitoring Daemon) Logs:

/var/log/chkservd.log


cPHulkd :

/usr/local/cpanel/logs/cphulkd.log


cPanel Backup Logs:

/usr/local/cpanel/logs/cpbackup/*.log


Pure-FTP :

/var/log/messages

/var/log/xferlog (symlinked to /usr/local/apache/domlogs/ftpxferlog)


Cron Logs :

/var/log/cron


SSH Logs :

/var/log/secure


ModSecurity :

/usr/local/apache/logs/modsec_audit.log

/usr/local/apache/logs/modsec_debug_log





How to Stop Open Relay of Exim (Cpanel servers)


An open relay is an SMTP server configured in such a way that it allows a third party to relay through it (send email messages that are neither from nor for local users). Such servers are therefore prime targets for spam senders.

You can test if a server is an open relay via this link :  http://www.mailradar.com/openrelay/

If the server is an open relay, you can stop it via the following script on cPanel servers:

/scripts/fixrelayd

service exim restart

How to Fix an (errno: 24) in MySQL


On checking the MySQL logs in /var/lib/mysql/HOSTNAME.err, I got the error:

-----------------------------------------------------------------------------
[ERROR] /usr/sbin/mysqld: Can't open file: './database/table.frm' (errno: 24)
-----------------------------------------------------------------------------

errno: 24 simply means that too many files are open for the given process. There is a read-only MySQL variable called open_files_limit that shows how many open files mysqld is allowed.

Many systems set this to something very low, like 1024. When creating a large number of partitions or tables, MySQL may mysteriously stop working and generate this error.

Add the following parameter to the /etc/my.cnf file and restart the MySQL service; afterwards SHOW VARIABLES LIKE 'open_files_limit' should report the new value.

[mysqld]
open_files_limit = 100000

Tuesday, 2 July 2013

Rootkit Hunter Installation in CentOS 5/6 using Yum


Add the EPEL and Remi repositories to yum:

CentOS 5.x

wget http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-5.rpm
sudo rpm -Uvh remi-release-5*.rpm epel-release-5*.rpm

CentOS 6.x

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
sudo rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

Run:
yum update

Then install rkhunter:
yum install rkhunter

For more details about the rkhunter commands and options, see:
man rkhunter