Blogs
Submitted by sandip on Tue, 06/24/2008 - 12:00
On the host, raise the NUMIPTENT limit (the number of iptables entries the container may hold) in the VE's configuration file, /etc/vz/conf/<VEID>.conf, to 1000:
NUMIPTENT="1000:1000"
Edit "/etc/sysconfig/vz" on the host so the VE is allowed to use the needed netfilter modules:
IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_owner ipt_length ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_state iptable_nat ip_nat_ftp ipt_recent"
Make sure the above modules are actually loaded on the host, since a VE cannot load kernel modules itself; if APF or another iptables front end already runs on the host, most of them will be.
Restart the VE
# vzctl restart <VEID>
It is normal to see this warning about ipt_recent on restart:
Warning: Unknown iptable module: ipt_recent, skipped
You can verify which match modules are visible inside the VE. Note that /proc/net/ip_tables_matches lists match names without the ipt_ prefix (for example "recent", "state", "limit"), so grep for the bare name:
# vzctl exec <VEID> grep -w recent /proc/net/ip_tables_matches
Note: passive FTP through a stateful firewall depends on the ip_conntrack_ftp helper (included in the list above); if it is not available to the VE, you will need to configure a fixed passive port range in the FTP server's config and open those ports in APF as well.
Here is a typical APF config (/etc/apf/conf.apf) on a VE with CentOS-5 running ISPConfig. SET_MONOKERN="1" tells APF that the kernel cannot load modules on demand, which is the case inside a VE; IFACE_TRUSTED is left empty so that venet0 is filtered.
DEVEL_MODE="0"
IFACE_IN="venet0"
IFACE_OUT="venet0"
IFACE_TRUSTED=""
SET_MONOKERN="1"
IG_TCP_CPORTS="21,22,25,53,80,81,110,143,443"
IG_UDP_CPORTS="53"
EGF="1"
EG_TCP_CPORTS="21,25,80,443,43"
EG_UDP_CPORTS="20,21,53"
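As an added example that is not part of the original post, the shell functions below compare the IPTABLES= list of an OpenVZ host config against the modules the host kernel has actually loaded (as reported by lsmod) and flag entries that are listed twice. The config excerpt and the lsmod listing embedded in it are constructed sample data, and the module names follow the 2.6.18-era ipt_* naming used above.

```sh
#!/bin/sh
# Added example, not from the original post. Checks the IPTABLES= list of an
# OpenVZ host config against `lsmod` output. Sample inputs below are constructed.

vz_iptables_list() {
    # $1 = /etc/sysconfig/vz (or a copy); one module per line, de-duplicated
    sed -n 's/^IPTABLES="\(.*\)"$/\1/p' "$1" | tr ' ' '\n' | sed '/^$/d' | sort -u
}

vz_iptables_duplicates() {
    # entries listed more than once in IPTABLES= (harmless, but a copy-paste smell)
    sed -n 's/^IPTABLES="\(.*\)"$/\1/p' "$1" | tr ' ' '\n' | sed '/^$/d' | sort | uniq -d
}

vz_missing_modules() {
    # $1 = vz config, $2 = file holding `lsmod` output
    # prints every module in IPTABLES= that is not loaded on the host;
    # a VE cannot modprobe, so these would be unusable inside the container
    vz_iptables_list "$1" | awk '
        NR == FNR { if ($1 != "Module") loaded[$1] = 1; next }
        !($1 in loaded) { print $1 }' "$2" -
}

# --- constructed sample data ---------------------------------------------
vz_sample_conf() {
    cat <<'EOF'
## constructed /etc/sysconfig/vz excerpt
IPTABLES="ipt_REJECT ipt_LOG ip_conntrack ip_conntrack_ftp ipt_state iptable_filter ipt_recent ipt_length ipt_length"
EOF
}

vz_sample_lsmod() {
    cat <<'EOF'
Module                  Size  Used by
ipt_REJECT              6209  1
ipt_LOG                 8385  0
ip_conntrack_ftp        9873  0
ip_conntrack           53153  1 ip_conntrack_ftp
ipt_state               2881  2
iptable_filter          3457  1
ipt_length              2049  0
ip_tables              17089  4 ipt_REJECT,ipt_LOG,ipt_state,iptable_filter
EOF
}

# Demo run. On a real host use /etc/sysconfig/vz and `lsmod > /tmp/lsmod.txt`.
vz_demo() {
    conf=$(mktemp); mods=$(mktemp)
    vz_sample_conf > "$conf"; vz_sample_lsmod > "$mods"
    echo "missing on host: $(vz_missing_modules "$conf" "$mods" | tr '\n' ' ')"
    echo "duplicated entries: $(vz_iptables_duplicates "$conf" | tr '\n' ' ')"
    rm -f "$conf" "$mods"
}
vz_demo
```

Run it on the host after editing /etc/sysconfig/vz and before restarting the VE; anything it reports as missing is exactly what vzctl will later refuse to hand to the container.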
Submitted by manoj on Tue, 06/24/2008 - 11:56
I just performed an installation of Zend Optimizer, a free runtime that lets PHP execute files encoded by Zend Guard.
You can download it from
http://www.zend.com/en/products/guard/downloads
Select the proper package for your platform.
Download it through the shell (in my case the x86 32-bit build). The download is served over plain HTTP, so check the archive against the checksum or signature published on the vendor's page before unpacking it:
wget http://downloads.zend.com/optimizer/3.3.3/ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz
Untar the package:
tar -xvzf ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz
Go to the directory
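Because the archive above is fetched over plain HTTP and then unpacked as-is, here is an added example (not from the original post) of a shell helper that refuses to extract a tarball unless its SHA-256 matches a value obtained out of band, such as from the vendor's HTTPS download page. The tarball name and destination in the usage comment are assumptions, and no checksum value from Zend is claimed.

```sh
#!/bin/sh
# Added example, not from the original post: verify a downloaded tarball's
# SHA-256 before extracting it. The expected hash must come from a trusted
# channel (vendor page over HTTPS, a signed checksum file), never from the
# same plain-HTTP server that served the archive.

sha256_of() {
    # prints the SHA-256 of file $1, using whichever tool the box has
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no sha256 tool available" >&2
        return 2
    fi
}

verify_and_extract() {
    # $1 = tarball, $2 = expected sha256 (lowercase hex), $3 = destination dir
    # returns 0 on match and successful extraction, 1 on mismatch, 2 on tool error;
    # nothing is written to $3 unless the hash matches
    actual=$(sha256_of "$1") || return 2
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch for $1: got $actual, expected $2" >&2
        return 1
    fi
    mkdir -p "$3" && tar -xzf "$1" -C "$3"
}

# usage (names assumed, hash is a placeholder to be replaced with the vendor's):
#   verify_and_extract ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz \
#       <sha256 from the vendor's HTTPS page> /usr/local/src
```

The extraction only happens after the comparison succeeds, so a tampered or truncated download never lands on disk in unpacked form.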
Submitted by sandip on Mon, 06/23/2008 - 11:24
Yale's CAS client attempts to validate the service ticket it received from CAS, and when it connects to the CAS server it hits an SSL handshake error because the CAS server uses a self-signed certificate: the JVM running Tomcat does not trust the certificate presented by the CAS server. This is Java's normal certificate validation at work, not a bug.
A workaround is to tell Java to trust that specific certificate by importing it into the JRE's trust store. Note that this trusts the certificate for every Java application using that JRE, so compare the fingerprint keytool prints against the one on the CAS server before answering "yes" at the prompt, and adjust the keystore path to your JAVA_HOME (the default store password is "changeit"):
# keytool -importcert -trustcacerts -alias {cert_alias_name} \
    -file /path/to/self-signed.cer -storepass changeit \
    -keystore /usr/local/java/jre/lib/security/cacerts
Use the command below to confirm the entry is present:
$ keytool -list -keystore /usr/local/java/jre/lib/security/cacerts -storepass changeit | grep -A 1 {cert_alias_name}
Submitted by sandip on Sun, 06/22/2008 - 22:41
Back up these files first:
/etc/mail/sendmail.mc
/etc/mail/sendmail.cf
/etc/mail/access
/etc/mail/access.db
/etc/aliases
These changes go in the /etc/mail/sendmail.mc file:
Security enhancements:
Require a HELO or EHLO greeting from the sending SMTP server.
Put limits on Sendmail forks and other resources so that a DoS attack cannot overwhelm the server.
Munge the Sendmail server identification.
Recipient throttle: once an envelope has named more than 4 invalid recipients, presume a dictionary attack and delay each further RCPT by one second.
Limit the number of recipients in a single message.
dnl #
dnl # start security mods
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun,needmailhelo')dnl
define(`confMAX_DAEMON_CHILDREN', `20')dnl
define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
define(`confMIN_FREE_BLOCKS', `4000')dnl
define(`confMAX_HEADERS_LENGTH', `32000')dnl
define(`confMAX_MIME_HEADER_LENGTH', `1024')dnl
define(`confBAD_RCPT_THROTTLE', `4')dnl
define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl
dnl # end security mods
dnl #
Enable DNS blocklists:
dnl #
dnl # Begin Spam Block Enhancement mod
dnl # Start BlockList
FEATURE(`dnsbl', `bl.spamcop.net', `"554 Spam blocked - see http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
FEATURE(`dnsbl', `zen.spamhaus.org', `"554 Rejected - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}')dnl
dnl # sorbs dynamic user list (not dial-up)
FEATURE(`dnsbl', `dul.dnsbl.sorbs.net', `"554 Rejected "$&{client_addr}" - see http://dnsbl.sorbs.net"')dnl
dnl # End BlockList
dnl # Start don't bounce errors back to me
define(`confDOUBLE_BOUNCE_ADDRESS', `dev-null')dnl
dnl # End don't bounce
dnl # Start delay checks, so we see the intended recipient
dnl # Added friend so we can exempt specified local users via the access file
FEATURE(`delay_checks', `friend')dnl
dnl # End delay checks
dnl # End Spam Block Enhancement mod
dnl #
All of the above should go before the line:
FEATURE(`blacklist_recipients')dnl
Notes:
The Double Bounce Address setting sends double bounces (bounces of bounces, which are almost always spam backscatter) to the dev-null alias instead of to postmaster.
With delay_checks, the sender and relay checks are postponed until the RCPT stage, so a rejection is logged with both the envelope sender and the intended recipient; the `friend' argument lets an access entry of the form Spam:user@example.com FRIEND exempt a local user from these checks.
Create an alias in "/etc/aliases" called dev-null and point it to "/dev/null":
dev-null: /dev/null
In file "/etc/mail/access", enter:
Connect:xxx.xxx.xxx.xxx OK
where xxx.xxx.xxx.xxx is the server's own IP address. This keeps you from blocking yourself should the server's address ever appear on one of the blocklists used, because an OK entry for a connecting host is honoured before the DNSBL lookups.
To apply the configuration, run (makemap appends the .db suffix itself, so name the source file, not access.db):
# newaliases
# makemap hash /etc/mail/access < /etc/mail/access
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# /sbin/service sendmail restart
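As an added example that is not part of the original post, the shell functions below lint a sendmail.mc for the ordering requirement stated above (every dnsbl and delay_checks FEATURE must come before FEATURE(`blacklist_recipients')) and confirm that the dev-null alias in /etc/aliases points at /dev/null. The two .mc fragments and the aliases lines in the demo are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: lint the ordering of the
# spam-block FEATURE lines in sendmail.mc and check the dev-null alias.

mc_order_check() {
    # $1 = sendmail.mc
    # exit 0: every dnsbl/delay_checks FEATURE precedes blacklist_recipients
    # exit 1: at least one comes after it (offending lines are printed)
    # exit 2: no blacklist_recipients line found at all
    awk '
        /^[[:space:]]*FEATURE\(`blacklist_recipients'\''\)/ { if (!bl) bl = NR }
        /^[[:space:]]*FEATURE\(`(dnsbl|delay_checks)'\''/   { feat[NR] = $0 }
        END {
            if (!bl) { print "no FEATURE(`blacklist_recipients'\'') line"; exit 2 }
            rc = 0
            for (n in feat)
                if (n + 0 > bl) { printf "line %d after blacklist_recipients: %s\n", n, feat[n]; rc = 1 }
            exit rc
        }' "$1"
}

aliases_has_devnull() {
    # $1 = /etc/aliases; true if the dev-null alias points at /dev/null
    grep -Eq '^dev-null:[[:space:]]*/dev/null[[:space:]]*$' "$1"
}

# --- constructed samples ---------------------------------------------------
mc_good() {
    cat <<'EOF'
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
FEATURE(`dnsbl', `zen.spamhaus.org', `"554 Rejected - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}')dnl
define(`confDOUBLE_BOUNCE_ADDRESS', `dev-null')dnl
FEATURE(`delay_checks', `friend')dnl
FEATURE(`blacklist_recipients')dnl
MAILER(smtp)dnl
EOF
}

mc_bad() {
    cat <<'EOF'
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl', `bl.spamcop.net', `"554 Spam blocked"')dnl
FEATURE(`delay_checks', `friend')dnl
MAILER(smtp)dnl
EOF
}

mc_demo() {
    f=$(mktemp)
    mc_good > "$f"; mc_order_check "$f" && echo "good.mc: ordering OK"
    mc_bad > "$f";  mc_order_check "$f" || echo "bad.mc: exit $?"
    printf 'dev-null: /dev/null\n' > "$f"
    aliases_has_devnull "$f" && echo "aliases: dev-null alias present"
    rm -f "$f"
}
mc_demo
```

Run `mc_order_check /etc/mail/sendmail.mc && aliases_has_devnull /etc/aliases` before regenerating sendmail.cf; a non-zero exit means the edit above was placed after the blacklist_recipients line or the alias is missing.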
Submitted by sandip on Sun, 06/22/2008 - 21:33
Update the OpenSSH and OpenSSL packages (package names as on Debian etch):
# apt-get update
# apt-get install openssh-server openssh-client openssl libssl0.9.8
Install the blacklists of known-weak keys:
# apt-get install openssh-blacklist openssl-blacklist
Check all SSH keys on the system (host keys plus every user's authorized_keys and identity files) against the blacklist:
# ssh-vulnkey -a
Check SSL keys and certificates:
# openssl-vulnkey *.key *.pem
Note: Plesk-specific SSL certs are stored at "/opt/psa/var/certificates/".
Any key the tools flag must be replaced, not just noted: regenerate the SSH host or user key and remove the old public key from every authorized_keys it was copied to, and reissue any certificate whose private key was generated on an affected Debian system.
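As an added example that is not part of the original post, the shell functions below enumerate every file that may hold SSH or SSL key material under the directories you name (so that application trees, backups and the Plesk certificate store above are covered, not only the locations ssh-vulnkey -a already knows about) and feed them to the Debian blacklist checkers when those are installed. The directory list in the usage comment is an assumption; the files created in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: enumerate files that may hold
# SSH or SSL key material under the given directories and feed them to the
# Debian blacklist checkers when those are installed. Paths are assumptions;
# run as root over /etc/ssh, /etc/ssl, /home, /root and (on Plesk)
# /opt/psa/var/certificates.

find_key_files() {
    # prints candidate key/cert files under the directories given as arguments
    find "$@" -type f \( -name '*.key' -o -name '*.pem' -o -name '*.crt' \
        -o -name 'id_rsa*' -o -name 'id_dsa*' -o -name 'authorized_keys*' \
        -o -name 'ssh_host_*_key*' \) 2>/dev/null | sort
}

scan_key_files() {
    # runs openssl-vulnkey on SSL material and ssh-vulnkey on SSH material;
    # returns 1 if nothing was found, otherwise the checkers' own status
    files=$(find_key_files "$@")
    [ -n "$files" ] || { echo "no key files found under: $*" >&2; return 1; }
    if command -v openssl-vulnkey >/dev/null 2>&1; then
        echo "$files" | grep -E '\.(key|pem|crt)$' | xargs -r openssl-vulnkey
    else
        echo "openssl-vulnkey not installed (apt-get install openssl-blacklist); SSL files skipped" >&2
    fi
    if command -v ssh-vulnkey >/dev/null 2>&1; then
        echo "$files" | grep -Ev '\.(key|pem|crt)$' | xargs -r ssh-vulnkey
    else
        echo "ssh-vulnkey not installed (apt-get install openssh-blacklist); SSH files skipped" >&2
    fi
}

# usage: scan_key_files /etc/ssh /etc/ssl /root /home /opt/psa/var/certificates
```

The enumeration is deliberately separate from the scan so that the file list can be reviewed, or fed to a different checker, on hosts where the blacklist packages are not available.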
Submitted by sandip on Fri, 06/20/2008 - 16:01
The -b switch selects the mode sendmail operates in (-bp, -bv, -bs and so on).
The -d switch turns on debugging output; -d0.11 prints more than the default level -d0.1 (the version and compile-time options, plus the system identity sendmail has determined for itself).
The -bp switch prints the contents of the mail queue, so the two together show the version information followed by the queue:
$ sendmail -d0.11 -bp
You can verify how an address such as an alias would be delivered with the -bv switch:
$ sendmail -bv root
To watch a delivery verbosely, use the -v switch; note that this actually sends an empty message to root and prints the delivery dialogue:
$ sendmail -v root < /dev/null
Submitted by sandip on Fri, 06/20/2008 - 01:18
If you've installed a different Python version via yum from the pyvault repos, switch the default python back to the system's own version; yum and other OS packages depend on it.
Register the alternatives first:
# alternatives --install /usr/bin/python python /usr/bin/python2.3 100
# alternatives --install /usr/bin/python python /usr/bin/python2.4 24
where 100 and 24 are the priorities (the higher number wins in auto mode); give the system's own Python the highest priority.
Remove the existing symlink so alternatives can manage the path (check that /usr/bin/python really is a symlink first; removing the actual interpreter binary would break yum):
# rm /usr/bin/python
Configure the default:
# alternatives --config python
Or, set it to create automatically, which will use the highest priority:
# alternatives --auto python
Check with:
$ python -V
Submitted by sandip on Tue, 06/17/2008 - 23:57
A recent storm surge killed my Belkin wireless router, which was quickly replaced by a Linksys WRT54GS wireless router. But for some reason my SSH sessions through it would time out after just a couple of minutes of inactivity (consumer routers drop idle TCP NAT entries after a few minutes). A quick fix was to add the line below to "/etc/ssh/ssh_config" (or to ~/.ssh/config for a single user), which makes the client send an SSH-level keepalive every 60 seconds so the NAT mapping never goes idle:
ServerAliveInterval 60
Submitted by sandip on Wed, 06/11/2008 - 16:21
Recently, I've had a client who had issues with uploading files and with the general functioning of the ISPConfig hosting control panel.
So the first thing I checked was "/proc/user_beancounters", and everything seemed normal there.
A quick check with `vzquota stat <VEID>` showed that the inodes were maxed out.
Blocks and inodes can also be checked from inside the container with `df -h` and `df -i`.
Additionally, since he had a lot of users, he had also hit the per-container limit on user/group quota IDs (quotaugidlimit); `repquota -a` listed a huge number of users.
Increasing the appropriate limits with vzctl (diskspace, diskinodes and quotaugidlimit, saved to the VE config so they survive a restart) resolved all issues.
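Checking /proc/user_beancounters by eye is error-prone, so as an added example that is not part of the original post, the shell function below parses that file (or a saved copy) and reports every resource whose failcnt is non-zero or whose held value is within a configurable percentage of its barrier; this is also the quickest way to spot an exhausted NUMIPTENT after the iptables change earlier on this page. The beancounter listing embedded in it is constructed sample data in the standard 2.5 format.

```sh
#!/bin/sh
# Added example, not from the original post: read /proc/user_beancounters
# (or a saved copy) and report resources that have failed (failcnt > 0) or
# whose current "held" value is close to the barrier. Sample data is constructed.

bc_report() {
    # $1 = file in user_beancounters format ("-" or omitted = stdin)
    # $2 = warning threshold as percent of the barrier (default 90)
    # output: "<uid> <resource> FAIL|WARN ..." one line per finding
    awk -v thr="${2:-90}" '
        /^Version:/ || $1 == "uid" { next }
        # first line of a container block carries the uid with a trailing colon
        NF == 7 { uid = $1; sub(/:$/, "", uid); res = $2; held = $3; bar = $5; fc = $7 }
        NF == 6 { res = $1; held = $2; bar = $4; fc = $6 }
        NF == 6 || NF == 7 {
            if (fc + 0 > 0)
                printf "%s %s FAIL failcnt=%s held=%s barrier=%s\n", uid, res, fc, held, bar
            # 9223372036854775807 (LONG_MAX) means "unlimited", so skip those
            else if (bar + 0 > 0 && bar != "9223372036854775807" && held * 100 >= bar * thr)
                printf "%s %s WARN held=%s barrier=%s\n", uid, res, held, bar
        }' "${1:--}"
}

# --- constructed sample in /proc/user_beancounters format ----------------
bc_sample() {
    cat <<'EOF'
Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
      101:  kmemsize                 13500000             14000000             14372700             14790164                    0
            numiptent                    1000                 1000                 1000                 1000                   37
            numproc                       120                  150                  400                  400                    0
            dummy                           0                    0  9223372036854775807  9223372036854775807                    0
EOF
}

# Demo run; on a real host use:  bc_report /proc/user_beancounters 80
bc_sample | bc_report
```

A FAIL line means the kernel has already refused allocations for that resource inside the container, which is exactly the kind of silent failure that showed up here as broken uploads; WARN lines are the limits to raise before that happens.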
Submitted by sandip on Tue, 06/10/2008 - 00:02
Recently I had to provide a developer with the makedep (makedepend) tool, which ships in the imake rpm. However, it is deprecated, and when installing automake and autoconf it gets pulled in automatically, since autoconf requires the imake package.