Issue with clamd after the latest cPanel update ( 11.44.x )

After the recent update of cPanel to 11.44.x, many users are finding that clamd hangs and consumes server resources excessively.

On checking the running processes, we can see that the clamav-cpanel plugin is consuming a lot of resources : it keeps spawning clamdscan processes that scan the file /etc/passwd, and they never terminate.

Part of the output of # top -c will look like the following :

=========================

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7761 root 25 0 35872 1704 1312 R 27.3 0.2 11:47.14 /usr/local/cpanel/3rdparty/bin/clamdscan --quiet --no-summary /etc/passwd
9714 root 25 0 35872 1708 1312 R 25.4 0.2 0:09.75 /usr/local/cpanel/3rdparty/bin/clamdscan --quiet --no-summary /etc/passwd
5982 root 25 0 35872 1704 1312 R 23.4 0.2 22:39.74 /usr/local/cpanel/3rdparty/bin/clamdscan --quiet --no-summary /etc/passwd
...

========================

Even if you kill the processes, the issue recurs after a while. As of now, cPanel is yet to release a fix for this bug.

As a temporary fix, you can try the following :

===================

# Remove the clamAV plugin from WHM ( Home »cPanel »Manage Plugins ) – Uninstall it

# Update cPanel from backend ( # /scripts/upcp --force )

# Re-install the plugin ( Home »cPanel »Manage Plugins ) – Install it

===================

This seems to have cleared the issue for those who faced this bug. Give it a try !
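Until the fix lands, a quick way to catch the runaway scanners before they eat the box is to watch for clamdscan processes that have been working on /etc/passwd for too long. The script below is an added example (not part of the original post); the top snapshot inside it is constructed to match the columns shown above, and the clamd path on the last sample line is a made-up placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): flag clamdscan processes that
# have been scanning /etc/passwd for longer than a threshold, so a cron job
# can alert before they exhaust the server. The snapshot below is constructed
# in the column layout of `top -c`; in production pipe in real data:
#   top -b -n 1 -c | clamd_runaways 600

# Constructed sample snapshot (same columns as `top -b -n 1 -c`).
TOP_SAMPLE='PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7761 root 25 0 35872 1704 1312 R 27.3 0.2 11:47.14 /usr/local/cpanel/3rdparty/bin/clamdscan --quiet --no-summary /etc/passwd
9714 root 25 0 35872 1708 1312 R 25.4 0.2 0:09.75 /usr/local/cpanel/3rdparty/bin/clamdscan --quiet --no-summary /etc/passwd
5982 root 25 0 35872 1704 1312 R 23.4 0.2 22:39.74 /usr/local/cpanel/3rdparty/bin/clamdscan --quiet --no-summary /etc/passwd
4410 root 20 0 90120 8800 2100 S 0.0 0.9 0:00.10 /placeholder/path/to/clamd'

# Read top output on stdin; print the PID of every clamdscan process that
# targets /etc/passwd and whose TIME+ (MM:SS.hh or H:MM:SS) exceeds $1 seconds.
clamd_runaways() {
    awk -v limit="$1" '
        $12 ~ /\/clamdscan$/ && $NF == "/etc/passwd" {
            n = split($11, t, ":")
            secs = 0
            for (i = 1; i <= n; i++) secs = secs * 60 + t[i]
            if (secs > limit) print $1
        }'
}

# Number of runaway scanners in the sample above the given threshold.
count_runaways() {
    printf '%s\n' "$TOP_SAMPLE" | clamd_runaways "$1" | wc -l | tr -d ' '
}

# Example run: with a 10-minute threshold the sample yields PIDs 7761 and 5982.
printf '%s\n' "$TOP_SAMPLE" | clamd_runaways 600
```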

How do I get the CTRL+ALT+DELETE shortcut to work in a guest OS

When dealing with Microsoft Virtual Server, there might be situations in which you would need to pass CTRL+ALT+DELETE to the underlying VM.

However, pressing these keys does not work within a virtual machine : the host operating system intercepts the combination, and you get the host's response instead of the guest's.

To send this and other special key combinations, use the Remote Control menu of the VMRC ( Virtual Machine Remote Control ) client, as shown in the image below :

[image: vmrc-client]

As simple as a mouse click 🙂

MySQL server not starting !

When trying to start MySQL server, are you facing this error :

“Timeout error occurred trying to start”

Check the MySQL logs to see if you can trace anything.

# /var/log/mysqld.log or /var/lib/mysql/hostname.err

( whichever is the log location ) and see if you can find :

==============

[ERROR] /usr/libexec/mysqld: Disk is full writing ‘ (Errcode: 122). Waiting for someone to free space… Retry in 60 secs
...

==============

Check the server disk space with # df -h.

Clear any unwanted logs/files, make sure there is enough free space, and restart the service.

Error when flashing Samsung Note 2 with CyanogenMod?

CyanogenMod

When trying to flash your phone with CyanogenMod are you facing this error :

Error executing updater binary in zip (path to zip)

I got this error when trying to flash my Samsung Note 2 n7100 with Cyano 11. I was trying this on the TWRP 2.6 recovery tool. I wasn’t able to flash successfully, nor was I able to get out of the bootloop.

It was some issue with TWRP, as it was not able to execute the binaries in the downloaded image.

If you receive this error, try flashing with the ClockworkMod recovery tool instead. Using Odin, you can flash ClockworkMod to your device, just as you did for TWRP.

Once your phone is connected via USB, run Odin as administrator, select PDA, and give the path to the CWM archive you downloaded.

[image: odin-menu]

You can download CWM for the Note 2 from this link :

http://downloadandroidrom.com/file/GalaxyNote2/CWM/Note2-CWM-6.0.4.3-GT-N7100.tar

Once the archive is selected, click Start and wait until the installation completes. You will now boot into CWM recovery instead of TWRP, and you can flash CyanogenMod without any issues.

joee

🙂

Mount an NTFS partition on CentOS !

Whenever you try to access an NTFS partition in CentOS/RHEL for the first time, you might get the following message ( as of now ) :

Filesystem driver is not installed

To get over this, install the NTFS driver so that the partitions can be mounted.

On a CentOS box, run the following :

# yum install fuse-ntfs-3g 

( You might need the RPMforge repo for the above package to be installable )

# wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm ( select the repo file for the correct system architecture )

# rpm -ivh rpmforge-release-0.3.6-1.el5.rf.i386.rpm

Once the repo is installed, install the driver using yum.

How can I secure my mail service – cPanel

Compromised mail servers are frequently abused these days to send out floods of spam.

Securing your mail service is very important. Several tweaks can be carried out from the WHM panel.

–> In Home >> Server Configuration >> Tweak Settings

Prevent “nobody” from sending mail – This ensures that PHP scripts running as the user ‘nobody’ cannot send mail. Most of the time, a vulnerable PHP script is the culprit behind spam sent from your account.

Restrict outgoing SMTP to root, exim, and mailman – This prevents users from bypassing your mail server to send mail. Only the users listed here are allowed to connect to remote SMTP servers.

// If you get an error while enabling SMTP restrictions, you are probably missing the iptables module this feature needs. Ask your provider to enable it for you, or if you have the access to do it yourself, run :

modprobe ipt_owner

// 

–> In Home >> Service Configuration >> Service Manager, you can find the option Antirelayd. Keep this disabled, so that every connection has to authenticate rather than being trusted after a recent POP3 login.

–> If you are facing issues with IMAP restarting numerous times, check

# grep 'LOGIN FAILED' /var/log/maillog|awk '{print $9}'|sort|uniq -c | sort -n

to see whether there are many authentication failures from particular IPs. If so, your accounts are being brute-forced ; block the offending IPs in your server firewall.

–> Use strong passwords for your email accounts. Go through the various domains and make sure no test accounts have been left behind. Test email accounts are usually created with weak passwords that an attacker can easily guess.
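The grep/awk pipeline above tells you which IPs are failing logins, but on a busy server you want a threshold and a list you can feed straight into the firewall. The script below is an added example, not part of the original post; it assumes the courier-imap log layout (where field 9 is ip=[...]), the log lines are constructed, and the iptables rules are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the original post): the per-IP failure count from
# the grep/awk pipeline above, run over constructed courier-imap style
# maillog lines, with a threshold so the result can feed a firewall block.
# Assumes the courier log layout, where field 9 is "ip=[...]".

# Constructed sample maillog lines (RFC 5737 documentation addresses).
MAILLOG_SAMPLE='Mar  3 10:01:02 host imapd: LOGIN FAILED, user=test@example.com, ip=[::ffff:198.51.100.7]
Mar  3 10:01:03 host imapd: LOGIN FAILED, user=admin@example.com, ip=[::ffff:198.51.100.7]
Mar  3 10:01:04 host imapd: LOGIN, user=bob@example.com, ip=[::ffff:203.0.113.9], port=[51321]
Mar  3 10:01:05 host pop3d: LOGIN FAILED, user=info@example.com, ip=[::ffff:192.0.2.44]
Mar  3 10:01:06 host imapd: LOGIN FAILED, user=test@example.com, ip=[::ffff:198.51.100.7]'

# Read maillog lines on stdin; print "count ip" for every source IP with at
# least $1 failed logins, lowest count first (same order as the post's pipeline).
failed_logins_over() {
    grep 'LOGIN FAILED' | awk '{print $9}' |
        sed 's/^ip=\[//; s/^::ffff://; s/\]$//' |
        sort | uniq -c | sort -n |
        awk -v min="$1" '$1 >= min { print $1, $2 }'
}

# IPs from the sample that cross the threshold, one per line.
brute_force_ips() {
    printf '%s\n' "$MAILLOG_SAMPLE" | failed_logins_over "$1" | awk '{ print $2 }'
}

# Print (do not run) the firewall rules an operator would apply to block them.
block_rules() {
    brute_force_ips "$1" | while IFS= read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

block_rules 3   # prints: iptables -I INPUT -s 198.51.100.7 -j DROP
```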

Securing your SSH server !

SSH is the most powerful tool with which you can access your server. As Uncle Ben says in Spiderman —

Remember, with great power, comes great responsibility.

If the service is not hardened, it can be exploited to an extent proportional to the power SSH gives. Let us now consider some of the ways in which you can secure/harden your SSH server.

–> Use key-based authentication instead of passwords. Plenty of botnets run brute-force attacks against SSH servers, and password authentication is what gives them their opening : any machine that knows, or has successfully guessed, the password can connect. With public/private key authentication, not every machine in the world can get in ; only a machine holding a private key that matches an authorized public key can, and brute-forcing such a key is not currently feasible.

To set up key-based authentication, follow the steps given below :

ClientMachine # ssh-keygen

Generate a passphrase-protected SSH key when prompted.

[image: ssh-keygen]

Once this is complete, the private key is stored in /root/.ssh/id_rsa and the public key in /root/.ssh/id_rsa.pub.

Now you need to get the contents of /root/.ssh/id_rsa.pub onto your server. You can transfer it using :

# ssh-copy-id SERVERIP ( this will prompt for the root password )

or copy the contents of /root/.ssh/id_rsa.pub ( from ClientMachine ) into the file /root/.ssh/authorized_keys on the server.

Once this is complete, open your SSH configuration file ( /etc/ssh/sshd_config ), add the line below, and restart the service :

PasswordAuthentication no ( if the line is already present but commented out, uncomment it and make sure the value is ‘no’ )

Now you can SSH from your ClientMachine without entering a password ( you will have to type the key passphrase if you set one )

–> For a server where users around the world need to SSH in from machines that change frequently, key-based authentication can become a real headache.

Even with password-based authentication, we can make things more secure. Disabling root login is a big plus : most brute-force attacks are carried out against the username ‘root’. Instead of allowing root to log in, allow a regular system user and then sudo to obtain root privileges.

$ First, create a system user for this purpose ( ignore this step if you already have a user in mind )

# adduser newusername
# passwd newusername

$ Now, we want to edit the sudo rights and grant administrative privileges to this user.

# visudo or # vi /etc/sudoers

Add the user we just created below the lines

## Allow root to run any commands anywhere
root ALL=(ALL) ALL

[image: root-etcsudo]

After adding, it would look like :

[image: newusername]

Now save and close the file. Go to your SSH configuration file and set :

PermitRootLogin no

This ensures that root login is disabled ; you SSH in as the new user you created, then sudo to become root.

[image: newuser]

–> You can also consider changing the SSH port from 22 to another port.

–> If you have multiple IPs, consider binding the SSH server to just one of them.

^ Both of these options are set in the /etc/ssh/sshd_config file ( the Port and ListenAddress directives )

[image: portsip]

–> If you have a well-defined network environment, you can specify the range of IPs allowed to access the SSH service and deny all others. This can be done with TCP Wrappers, using the files /etc/hosts.deny and /etc/hosts.allow :

=====================

/etc/hosts.deny
sshd:  ALL

/etc/hosts.allow
sshd: Trusted IPs/subnet

=====================
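A trap worth knowing when editing sshd_config for the settings above : sshd takes the first uncommented value of each keyword, so a "PasswordAuthentication no" appended at the bottom does nothing if an earlier "yes" is still in the file. The audit script below is an added example, not part of the original post ; the sample config it checks is constructed, and the script only handles plain keyword lines (no Match blocks).

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# two settings this post recommends. sshd uses the FIRST uncommented value of
# each keyword, so a hardening line appended below an earlier "yes" is silently
# ignored; sshd_effective reports the value sshd would really use. Match
# blocks are not handled; `sshd -T` prints the fully resolved configuration.

# Constructed sample config: PasswordAuthentication appears twice.
SSHD_SAMPLE='#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
Port 2222
ListenAddress 203.0.113.10
#PasswordAuthentication no
PasswordAuthentication no'
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SSHD_SAMPLE" > "$SAMPLE_FILE"

# Effective value of keyword $1 from the config on stdin: comments skipped,
# keyword matched case-insensitively, first match wins (as sshd does).
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }'
}

# Check the file $1 against the post's recommendations, one line per rule,
# plus the port and bind address for information. Returns 1 on any FAIL.
sshd_audit() {
    rc=0
    for rule in PermitRootLogin=no PasswordAuthentication=no; do
        key=${rule%%=*}; want=${rule#*=}
        got=$(sshd_effective "$key" < "$1")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key ${got:-unset} (want $want)"; rc=1
        fi
    done
    echo "INFO Port $(sshd_effective Port < "$1")"
    echo "INFO ListenAddress $(sshd_effective ListenAddress < "$1")"
    return $rc
}

# The sample fails: sshd will keep PasswordAuthentication yes (first match).
sshd_audit "$SAMPLE_FILE" || echo "sshd_config needs attention"
```

Run it against /etc/ssh/sshd_config after every edit and before restarting the service ; a FAIL line means the setting you just added is not the one sshd will use.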

So, try these methods out !

Issue with parsing of PHP pages !

Are you seeing PHP pages being downloaded to your local machine instead of being displayed ?

For example, when www.domain.com/index.php is entered in the browser, the file index.php is downloaded rather than rendered.

This happens when PHP files are not being parsed by the web server.

To fix this issue :

–> Make sure the PHP module is loaded.

A 'LoadModule php5_module' line must be present in the httpd.conf file

–> Make sure the handler for files with a .php extension is defined. Something like

'AddType application/x-httpd-php .php' is given in httpd.conf

If these lines are missing from your httpd configuration, PHP will not be parsed.

Too many denied named queries ?

When you have set up a production box running a DNS server ( the named service, in this case ), you get tons of queries. If you have disabled recursion, the DNS workload is smaller.

While going through your /var/log/messages, have you found lots of query ( cache ) denied messages ? Something like this ?

Date host named[28251]: client IP#xxxxx: view external: query (cache) 'domain.com/A/IN' denied

Check whether the domains to which these queries are directed are present in the server or not.

If you find that these domains once existed on the server but no longer do, we can conclude that the domains are still pointed at your DNS servers even though the sites went out of business or went offline.

In other words, they no longer have a DNS or HTTP entry on this server, but the domains still exist and their DNS records still point here.

The resolution is to add the following lines to /etc/named.conf ( the named config file ), under the ‘options’ section :

additional-from-auth no;
additional-from-cache no;

Once these settings are in place, BIND will not return out-of-zone additional records, even if they are in the cache.
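The check described above ( are the queried domains still present on the server ? ) can be scripted : pull the names out of the denied-query lines and compare them with the zone statements in named.conf. The script below is an added example, not part of the original post ; its log lines and named.conf are constructed in the shape of the message quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): extract the queried names from
# "query (cache) ... denied" lines and check each against the zone statements
# in named.conf, the check described above. Log lines and config are
# constructed in the same shape as the message quoted in the post.
NAMED_LOG_SAMPLE=$(cat <<'EOF'
Mar  3 10:00:01 ns1 named[28251]: client 198.51.100.7#51234: view external: query (cache) 'old-shop.example/A/IN' denied
Mar  3 10:00:02 ns1 named[28251]: client 203.0.113.9#40001: view external: query (cache) 'mail.old-shop.example/MX/IN' denied
Mar  3 10:00:03 ns1 named[28251]: client 192.0.2.44#53000: view external: query (cache) 'hosted.example/A/IN' denied
Mar  3 10:00:04 ns1 named[28251]: client 192.0.2.44#53001: view external: query (cache) 'www.hosted.example/A/IN' denied
EOF
)
# Constructed named.conf with a single remaining zone.
CONF_FILE=$(mktemp)
cat > "$CONF_FILE" <<'EOF'
options { recursion no; };
zone "hosted.example" {
    type master;
    file "/var/named/hosted.example.db";
};
EOF

# Queried names from denied cache queries on stdin, deduplicated.
denied_names() {
    sed -n "s/.*query (cache) '\([^/']*\)\/.*' denied.*/\1/p" | sort -u
}

# Read names on stdin; print "configured NAME" when a zone in $1 covers the
# name (exact match or parent zone), otherwise "stale NAME".
classify_denied() {
    zones=$(sed -n 's/^[[:space:]]*zone[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
    while IFS= read -r name; do
        status=stale
        for z in $zones; do
            case "$name" in
                "$z"|*."$z") status=configured ;;
            esac
        done
        echo "$status $name"
    done
}

# Names still being queried here that no longer have a zone on this server.
stale_names() {
    printf '%s\n' "$NAMED_LOG_SAMPLE" | denied_names |
        classify_denied "$CONF_FILE" | awk '$1 == "stale" { print $2 }'
}
stale_names   # prints mail.old-shop.example and old-shop.example
```

On a real server, replace the sample with grep 'query (cache)' /var/log/messages and point classify_denied at /etc/named.conf ; the "stale" names are the ones whose registrants still point their nameservers at you.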

How do I clear my DNS cache !

The local DNS cache on your machine stores the addresses of the web servers for the sites you have recently visited.

If those addresses have changed, you may be unable to reach the sites until the stale entries in the local DNS cache ( the one held by the machine you browse from ) are cleared.

The following shows how to clear the DNS cache on different platforms :

* On a Windows system, open cmd and run the following :

# ipconfig/flushdns

* On OS X Mountain Lion, type the following in Terminal :

# sudo killall -HUP mDNSResponder

* On Linux distributions, run the following :

# sudo /etc/init.d/nscd restart

Install nscd ( name service cache daemon ) if not present :

# sudo apt-get install nscd ( or # yum install nscd )