Blogs

Shadow password hash explained

You can programmatically generate shadow password hash via:

$ openssl passwd -1 -salt G5cYam5w test.123
$1$G5cYam5w$z0NDUjMRX4xVBKw9Nb6YL0

-1 means md5
G5cYam5w is a random salt (minimum 8)
test.123 is the password

Here is the breakdown:

The first $1 means that it is an md5 hash.
The second $G5cYam5w is a random salt.
The third $z0NDUjMRX4xVBKw9Nb6YL0 is the md5 hash.

Determine cpu bit

You can try this to find out if your CPU/Processor is 32 bit or 64 bit:

cat /proc/cpuinfo | grep flags | grep lm

lm means Long Mode = 64 bit CPU

Also:

getconf LONG_BIT

Should display 32 or 64.

suphp-0.7.1 and DirectAdmin

Recently upgraded server running DirectAdmin to suphp-0.7.1 via the Custombuild. However, got "500 Internal Server Error" on accessing sites running on php5-cgi with log as below:

SecurityException in Application.cpp:511: Unknown Interpreter: php

The solution was to update the suphp.conf file as below:

Edit "/usr/local/suphp/etc/suphp.conf" and change from:

[handlers]
;Handler for php-scripts
x-httpd-php5=php:/usr/local/php5/bin/php-cgi

;Handler for CGI-scripts
x-suphp-cgi=execute:!self

to:

[handlers]
;Handler for php-scripts
x-httpd-php5="php:/usr/local/php5/bin/php-cgi"

;Handler for CGI-scripts
x-suphp-cgi="execute:!self"

Note the double quotes for the variables.

Running `./build rewrite_confs` should fix this issue as well.

Plesk rblsmtpd and smtp authentication

On Debian with Plesk-8.2 installed, /etc/inetd.conf show up with:

smtp stream tcp nowait.1000 root /var/qmail/bin/tcp-env tcp-env  /usr/sbin/rblsmtpd  -r bl.spamcop.net -r zen.spamhaus.org /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

Essentially, when the SMTP connection is made, rblsmtpd is handed the connection and does its DNSBL checking. It’s then responsible for either executing the next program (relaylock) if there’s no match, or handles the connection itself if it does find a match. Thus smtp authentication never takes place if your IP is listed in PBL.

On checking Parallels Forum, I came across this post, which suggested:

If you use an dnsrbl in Plesk that lists the IP of someone trying to connect to your server to send email then they will not be able to use your server for smtp on port 25. The dnsrbl will block their attempts. This is normal and expected behaviour in Plesk.

The instructions you read about using authenticated smtp to get around the problem do not apply to the default installation of Plesk (and other similar setups). The idea of the instructions you read is that by using authenticated smtp you will bypass the dnsrbl, and therefore will not be blocked. This does not happen with the default installation of Plesk so the instructions won't work (they are rather simplistic).

The solution in Plesk 8.4 is a simple one. Enable the "submission" option in Plesk, ask your customers to change to port 587 from port 25 in their email clients and require them to use smtp authentication (remember to open up your firewall for port 587 too). This basically creates a second smtp instance listening on port 587 instead of port 25, does not have any dnsrbl blocking and REQUIRES users to use smtp authentication in order to be able to use it. No spam will come via that port because a) server to server email transfer happens on port 25 and b) it requires authentication.

(A similar solution will work in earlier versions of Plesk but rather than ticking a box in the control panel to get it to happen you have to copy a single file and edit two lines in it, but it works just as well and basically does the same thing)

The other option you can go for is to install spamdyke (search the forum for step by step instructions) which does bypass all dnsrbls when smtp authentication takes place. Note that when you use spamdyke you will not be able to use pop-before-relay authentication, and that you set up dnsrbls within spamdyke's configuration files, not via Plesk. spamdyke does add a whole plethora of additional anti-spam measures, however, and it is well worth installing if you don't need pop-before-relay.

Since version of Plesk is older, I put in the below lines in /etc/inetd.conf and restarted inetd.

# Submission port 587 without dnsblcheck
submission stream tcp nowait.1000 root /var/qmail/bin/tcp-env tcp-env  /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

Now on using the port 587 instead of port 25, users are able to autheticate and send email via the SMTP/Submission server.

ways to continue run command after shell exit

  1. screen:
    screen -dmS <screen_name> <command>
    exit
  2. nohup:
    nohup <command> &
    exit
  3. at:
    echo "<command>" | at now
    exit
  4. disown:
    <command> &
    disown -h
    exit

Rewriting Sender addresses for Entire Domain in Sendmail

  1. Edit /etc/mail/sendmail.mc and add the below lines replacing domain.tld with the actual domain name:

    dnl # BEGIN: Rewriting Sender addresses for Entire Domain
    dnl #
    dnl # Process login names through the genericstable
    FEATURE(`genericstable', `hash -o /etc/mail/genericstable.db')dnl
    dnl # Interpret the value in G as a domain name
    FEATURE(generics_entire_domain)dnl
    dnl # masquerade not just the headers, but the envelope as well
    FEATURE(masquerade_envelope)dnl
    dnl # Load domain.tld into G
    GENERICS_DOMAIN(domain.tld)dnl
    dnl #
    dnl # END: Rewriting Sender addresses for Entire Domain

  2. Create /etc/mail/genericstable, which is very similar to an /etc/aliases, two columns separated by whitespace:

    web1_user1    user1@domain.tld
    web1_user2    user2@domain.tld
    web1_user3    user3@domain.tld

  3. Create the db:

    # makemap -hash /etc/mail/genericstable < /etc/mail/genericstable

  4. Restart sendmail.

Feature "genericstable" tells sendmail to use the generics table.

Feature "generics_entire_domain" allows to add hosts to genericstable without having to rebuild sendmail.cf.

Feature "masquerade_envelope" applies the rewriting process to the mail envelope as well as to the mail header.

"GENERICS_DOMAIN" defines the domains to which you wish to apply the generics table.

OpenVZ x86_64 Custom Config

vzpkgcache seems to have been broken with latest CentOS-5.3 upgrade. Below is notes to fix:

cd /usr/share/vzpkgtools/vzrpm44/lib/python2.4/site-packages/rpm
cp /usr/lib64/python2.4/site-packages/rpm/_rpmmodule.so .

Edit the file /usr/share/vzpkg/cache-os line 154, append:

mkdir -p $VE_ROOT/var/lib/yum/ || abort "Can't create /var/lib/yum"

Edit the file /usr/share/vzpkg/functions line 20, change to:

VZLIB_SCRIPTDIR=/usr/lib64/vzctl/scripts

Run to updatee the cached template:

vzpkgcache centos-5-x86_64-minimal

getent to check user and group

To check is user or group exist in passwd and group file:

getent passwd <user_name>
getent group <group_name>

You could also grep the corresponding files, but this is a much cleaner way of getting entries from administrative database where database is one of aliases, ethers, group, hosts, netgroup, networks, passwd, protocols, rpc, services or shadow.

uw-imap custom mail folder configuration

To allow custom mailbox folder for individual user:

Add/Edit "/etc/c-client.cf":

set allow-user-config 1

Add/Edit "~/.imaprc" for corresponding user:

set mail-subdirectory mail

All corresponding email files will now reside in the ~/mail folder for the corresponding user.

Setup secure ProFTPd

Ftp can be secured using ftps to connect. Below outlines a configuration to support such a setup using TLS/SSL.

I usually use the epel repository to install proftpd:

yum --enablerepo=epel install proftpd

Configure for tls/ssl connection:


<IfModule mod_tls.c>
TLSEngine                       on
TLSRequired                     off
TLSRSACertificateFile           /etc/pki/tls/proftpd/server.cert.pem
TLSRSACertificateKeyFile        /etc/pki/tls/proftpd/server.key.pem
TLSVerifyClient                 off
TLSRenegotiate                  required off
TLSLog                          /var/log/proftpd/tls.log
</IfModule>

chroot and bindsocket to listen to single IP:


SocketBindTight                 on
DefaultRoot                     ~

Setup passive ftp ports:

</Global>
...
...
PassivePorts 50000 51000
</Global>

Create the certs:

mkdir -p /etc/pki/tls/proftpd
cd /etc/pki/tls/proftpd
openssl req -new -x509 -days 9999 -nodes -out server.cert.pem -keyout server.key.pem

Create /etc/pam.d/ftp so PAM can authenticate for proftpd:

#%PAM-1.0
auth    required        pam_unix.so     nullok
account required        pam_unix.so
session required        pam_unix.so

Add "/bin/false" to "/etc/shells" file and use it as the shell type when creating new users:

useradd -s /bin/false <ftp_user>

Syndicate content
Comment