sandip's blog

Upgrading php on DirectAdmin Servers

Download the source tar.gz file from php.net and place it in "/usr/local/directadmin/customapache"

Edit the "/usr/local/directadmin/customapache/build" file and change the version of php to the version that was downloaded.

Then run:

# cd /usr/local/directadmin/customapache/
# ./build clean
# ./build update
# ./build all

Restart apache when finished.

Sending files as mail attachments via the shell

This article shows how to send e-mails from a shell script, including file attachments. It lists different ways (uuencode, MIME), and explains the advantages and disadvantages of each.

There are other great articles and tips on shell scripts at the site!!

Drupal-4.7.7 Upgrade Notes...

I run the site on the open-source Drupal CMS and recently updated to the latest 4.7.7 version. The site has quite a few customizations and is not a standard install.

The html document root is a symbolic link to the actual drupal gunzipped folder and all other relevant custom modules are also just symbolically linked from the modules folder to keep the updates as simple as possible.

I also use the "bluemarine" theme which has been customized and named as "linuxweblog", so updates don't necessarily override my custom theme.

Pre-Update Preparation:

  1. Backup database and site files.
  2. Login to website as the administrator.
  3. Disable the "Tag Cloud" block as it has some custom php.

Update:

  1. `cd /var/www/`
  2. Download from http://drupal.org/project/releases
  3. Untar the gzip package.
  4. `rm html` -- remove the symbolic link.
  5. `ln -s drupal-* html` -- link to the newly extracted folder.
  6. `cd html`
  7. Edit the "sites/default/settings.php" file
    • Add the correct database, username and password to $db_url
    • Edit the $base_url without trailing slash to http://www.linuxweblog.com
  8. Go to linuxweblog.com/update.php and run the update.

Post-Update Customizations

  1. `cp -a themes/bluemarine themes/linuxweblog
  2. Copy or merge node.tpl.php, page.tpl.php and style.css to the linuxweblog theme folder.
  3. Merge .htaccess file and bring over the old customizations.
  4. `cp -a ../drupal-old-*/{robots.txt,favicon.ico} .`
  5. `ln -s ../site_files/ site_files` -- create the symbolic links to where the cache and other static files are placed.
  6. `ln -s site_files/cache/ cache` -- create the link to the cache.
  7. `ln -s ../../drupal_contribs modules/custom_mods` -- create the link to the custom modules.
  8. Enable the "Tag Cloud" block.
  9. Re-apply the google search hack to the "search.module" .

Security:

  1. `cd /var/www/`
  2. Chown -R user:group drupal-*
  3. Set the directory permissions: `find . -type d -exec chmod 755 {} \;`
  4. Set the file permissions: `find . -type f -exec chmod 644 {} \;`
  5. `chmod 640 sites/default/settings.php`
  6. `chgrp apache sites/default/settings.php`

Turning off safe_mode and open_basedir in Plesk

Create a "vhost.conf" file in "/var/www/vhosts/<DOMAIN.TLD>/conf/"

<Directory /var/www/vhosts/<DOMAIN.TLD>/httpdocs>
php_admin_value safe_mode off
php_admin_value open_basedir none
</Directory>

Rebuild the domain configs for the particular host via:

/usr/local/psa/admin/sbin/websrvmng -u --vhost-name=<DOMAIN.TLD>

or rebuild all via:

# /usr/local/psa/admin/sbin/websrvmng -a

cleanup ftp backups with bash shell script

Here's a small bash code snippet to clean up ftp backups maintained by date. Specifically, if using the SysBK to backup to an external server with just ftp access.

It should be run daily via cron and cleans up folders older than 14 days.

#!/bin/bash
# clean_bak.sh
# Cleans up old backup folders from the remote server.

USR=<user>
PSWD=<password>
HOST=<ftp.domain.tld>
BAK_PATH=</path/to/backups>

LFTP=/usr/bin/lftp
RM_DATE=`/bin/date +%m-%d-%y -d '15 days ago'`

$LFTP << EOF
set ftp:ssl-force true
connect $HOST
user $USR $PSWD
rm -r -f $BAK_PATH/${RM_DATE}
du -h -d 1 $BAK_PATH
quit
EOF

exit 0

The du option will output the space currently being used by the backups.

NOTE: For security reasons, you should use ftps protocol to connect to the remote backup server if possible, and can force it via:

set ftp:ssl-force true

This can also be put in the "~/.lftprc" or "~/.lftp/rc" file.

GalleryRemote on Ubuntu Edgy 6.10

Gallery Remote install kept erroing out with:

Preparing to install...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...
nawk: error while loading shared libraries: libdl.so.2: cannot open shared object file: No such file or directory
dirname: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
/bin/ls: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
basename: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
dirname: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
basename: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
hostname: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory

Launching installer...

grep: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
/usr/local/java/bin/java: error while loading shared libraries: libpthread.so.0: cannot open shared object file: No such file or directory

The way around the error was to comment out the assumed kernel.

$ cp GalleryRemote.1.5.Linux.NoVM.bin GalleryRemote.1.5.Linux.NoVM.bin.bak
$ cat GalleryRemote.1.5.Linux.NoVM.bin.bak | \
  sed "s/export LD_ASSUME_KERNEL/#xport LD_ASSUME_KERNEL/" > GalleryRemote.1.5.Linux.NoVM.bin

Once installed Gallery Remote would not run and I had run the same hack for the Gallery_Remote launcher script as well.

$ cp Gallery_Remote Gallery_Remote.bak
$ cat Gallery_Remote.bak | \
  sed "s/export LD_ASSUME_KERNEL/#xport LD_ASSUME_KERNEL/" > Gallery_Remote

services that are not necessary on a web server

These are some services I would normally turn off on web servers.
NOTE: usage may vary.

  1. gpm -- mouse
  2. mdmonitor -- monitor raid devices
  3. netfs -- nfs, samba etc...
  4. autofs -- automount, nfs, cd etc...
  5. kudzu -- detect new hardware
  6. restorecond -- monitor selinux file context
  7. mcstrans -- mandatory access control selinux translation
  8. messagebus -- routes messages between applications
  9. haldaemon -- maintains database of devices connected

There may be more, but if you've cleaned up your rpm packages, it would probably not exist.

rpm packages not necessary for a web server

Below is a list of rpm packages that are not necessary on a web server. Use it as a reference starting point for cleaning up servers. You may also want to make sure not to run services not required by the server.
NOTE: usage may vary and removal should be in the order listed:

  1. redhat-lsb cups system-config-printer-libs system-config-printer paps -- printer support

  2. system-config-soundcard  -- gui for sound setup

  3. system-config-securitylevel-tui -- gui for setting up security

  4. nfs-utils system-config-nfs nfs-utils-lib -- nfs server

  5. portmap -- manage RPC connections
  6. ypbind yp-tools -- NIS client binding
  7. htmlview  -- view webpages via gui

  8. system-config-services system-config-samba pinfo system-config-users system-config-date -- gui configs

  9. samba samba-client samba-common -- samba support

  10. oprofile oprofile-devel oprofile-gui qt
  11. vnc
  12. libglade2 libgnomecanvas usermode-gtk libbonoboui libgnomeui libglade-java pygtk2-libglade system-config-httpd system-config-network gnome-mount libgnome-java gnome-python2-bonobo gnome-python2-canvas gnome-python2 authconfig-gtk system-config-lvm authconfig-gtk pirut gnome-vfs2 gnome-python2-gnomevfs gnome-python2-gconf libgnome libgsf librsvg2 librsvg2
    ImageMagick
  13. gnome-mime-data gnome-keyring  notify-python

  14. GConf2 notification-daemon bluez-gnome libgconf-java libnotify bluez-utils
  15. libgtk-java libvte-java
  16. pygtk2 system-config-language system-config-rootpassword
  17. vte
  18. libwnck
  19. glib-java cairo-java frysk
  20. libwmf
  21. gtk2
  22. cups-libs

  23. ghostscript ghostscript-fonts

  24. avahi avahi-glib
  25. wpa_supplicant NetworkManager
  26. system-config-rootpassword
  27. system-config-language

  28. system-config-keyboard
  29. system-config-network-tui firstboot-tui
  30. system-config-securitylevel-tui
  31. dhcpv6_client dhcdbd dhclient -- dhcp support

  32. irda-utils -- Infra Red communications
  33. isdn4k-utils -- ISDN
  34. apmd -- laptop power management
  35. cpuspeed -- dynamically changing cpu speed
  36. bluez-libs -- bluetooth
  37. irqbalance -- irq load balancing on multi-cpus (remove only in single cpu situation)
  38. rsh -- unsecure remote access
  39. talk -- internet talk protocol
  40. foomatic -- printer driver database
  41. finger -- finger client
  42. eject -- eject removable media
  43. cvs -- concurrent version control

  44. rcs -- revision control system
  45. dosfstools mkbootdisk -- bootdisk
  46. redhat-menus desktop-file-utils startup-notification -- desktop
  47. ppp rp-pppoe wvdial -- dialup
  48. esound -- sound daemon
  49. pcmciautils -- PCMCIA Cardbus
  50. pcsc-lite coolkey ifd-egate ccid
  51. OpenIPMI net-snmp-libs
  52. ImageMagick-devel -- ImageMagick development package
  53. xorg-x11-devel -- X server development package
  54. acpid -- power management (remove if you don't shutdown using power button)

Check your server for rootkits with Chkrootkit

chkrootkit is a tool to locally check your system for signs of a compromise via rootkits. It contains a shell script that checks system binaries for rootkit modification, signs of LKM trojans, interface modes and lastlog, wtmp, utmp deletions.

Install via:

# cd /usr/local
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# tar xvzf chkrootkit.tar.gz
# rm chkrootkit.tar.gz
# ln -s chkrootkit-x.xx chkrootkit
# cd chkrootkit
# make sense

Make sure to check the md5sum of the download as well.

Put the below into "/etc/cron.daily/chkrootkit.sh" to run a daily report:

#!/bin/bash
# chkrootkit.sh
cd /usr/local/chkrootkit/
./chkrootkit 2>&1 |grep "INFECTED\|Vulnerable"| grep -v "Checking \`bindshell'... INFECTED (PORTS:  465)"

The cron script will only output an email if it detects anything suspicious.

Note, that bindshell port 465 infection is a false alarm as in my case EXIM uses port 465 for secure connections. So, you could similarly grep out any such false alarm and adjust the cron script.

Changing Timezones

# rm /etc/localtime
# ln -s /usr/share/zoneinfo/US/Eastern /etc/localtime
# hwclock --systohc

Syndicate content
Comment