Error when booting a Virtuozzo VPS !

Are you facing the following error when you try to boot up a Virtuozzo VPS ?

 
mv: cannot move `/etc/resolv.conf.xxxx' to /etc/resolv.conf': Operation not permitted
ERROR: Can't change file /etc/resolv.conf
File resolv.conf was modified

This happens when the immutable attribute ( chattr +i ) has been set on the file /etc/resolv.conf inside the container, which stops the node from replacing it.

This file is automatically generated at boot from the VPS configuration. So, remove or rename /etc/resolv.conf ( for the respective VPS ) from the Virtuozzo node and reboot the VPS in question. If the immutable attribute is what is blocking the move, clear it with chattr -i first; otherwise the remove/rename will fail with the same "Operation not permitted".

How do I send the CTRL+ALT+DELETE shortcut to a guest OS

When dealing with Microsoft Virtual Server, there are situations in which you need to pass CTRL+ALT+DELETE to the underlying VM.

However, pressing the keys does not work inside a virtual machine, because of the interaction between the host operating system and the guest operating system: the host intercepts the key combination and you end up at the host's own screen instead.

To get over this and other special keys, use the Remote Control menu of the VMRC ( Virtual Machine Remote Control ) client, as shown in the image below :

[ image: vmrc-client, the VMRC Remote Control menu ]

As simple as a mouse click 🙂

Mount an NTFS partition on CentOS !

Whenever you try to access an NTFS partition in CentOS/RHEL for the first time, you might get the following message ( as of now ) :

Filesystem driver is not installed

To get over this, install the NTFS driver so that the partitions can be mounted.

If you are on a CentOS box, give in the following :

# yum install fuse-ntfs-3g

( You might need the rpmforge repo for the above package to be available )

# wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm ( select the repo file for the correct system architecture )

# rpm -ivh rpmforge-release-0.3.6-1.el5.rf.i386.rpm

Once the repo is installed, install the driver using yum.

Securing your SSH server !

SSH is the most powerful tool with which you can access your server. As Uncle Ben says in Spiderman —

Remember, with great power, comes great responsibility.

If your service is not hardened, it can be exploited to a level directly proportional to the power of SSH. Let us now consider some of the ways in which you can secure/harden your SSH server.

–> Use key-based authentication instead of passwords. There are a lot of botnets running brute-force attacks against SSH servers, and password authentication gives them a chance in the first place: with passwords, any machine that guesses or otherwise learns the password can connect to your server. With public/private key authentication, only a machine holding the private key that matches an authorized public key can get in, and brute-forcing such a key is computationally infeasible.

To set up key-based authentication, follow the steps given below :

ClientMachine # ssh-keygen

Accept the default file location and, when prompted, give a passphrase so that the private key is protected on disk.

Once this is complete, the private key is stored in /root/.ssh/id_rsa and the public key in /root/.ssh/id_rsa.pub.

Now you need to get the contents of /root/.ssh/id_rsa.pub onto your server. You can transfer it using :

# ssh-copy-id SERVERIP ( it will prompt for the root password )

or copy and paste the contents of /root/.ssh/id_rsa.pub ( from ClientMachine ) into the file /root/.ssh/authorized_keys on the server.

Once this is complete, open your SSH configuration file ( /etc/ssh/sshd_config ), give in the line below and restart the service :

PasswordAuthentication no

( If the line is already there but commented out, uncomment it and make sure the argument passed is ‘no’. Keep your current session open and test the key login from a second terminal before restarting, so that a typo in authorized_keys does not lock you out. )

Now you can SSH from your ClientMachine without passing any passwords ( you might have to type your passphrase if one was given ).

–> For a server with users around the world who have to SSH in, and whose machines keep changing, key-based authentication can become a real headache.

Even when using password-based authentication, we can make it more secure. Disabling root login is a big plus point: most brute-force attacks are carried out with ‘root’ as the username. So we disable SSH login for root, allow a normal system user to log in, and then sudo to get root privileges.

–> First create a system user for this purpose ( ignore this step if you already have a user in mind )

# adduser newusername
# passwd newusername

–> Now, edit the sudo rights and grant administrative privileges to this user.

# visudo ( or # vi /etc/sudoers, but visudo checks the syntax before saving and will not leave you with a broken sudoers file )

Add the username which we just created, below the lines

## Allow root to run any commands anywhere
root ALL=(ALL) ALL

After adding, it would look like :

## Allow root to run any commands anywhere
root ALL=(ALL) ALL
newusername ALL=(ALL) ALL

Now save and close this file. Go to your ssh configuration file and give the setting :

PermitRootLogin no

This makes sure root login over SSH is disabled; you SSH in as the newly created user and then sudo to get root.

–> You can also consider changing the SSH port from the default 22 to some other port. This does not stop a determined attacker, but it keeps most automated scanners out of your logs.

–> If you have multiple IPs, you can bind the SSH server to just one of them.

^ Both of these are set in the /etc/ssh/sshd_config file, using the Port and ListenAddress directives.
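The settings above ( PasswordAuthentication, PermitRootLogin, Port and ListenAddress ) are easy to get wrong because sshd ignores commented-out lines and silently falls back to its defaults. The script below, an added example that is not part of the original post, reads a constructed sample sshd_config and reports the effective value and status of each of those settings; the config contents and the status labels are my own:

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings discussed above. Commented-out lines are ignored, exactly as sshd
# ignores them, so "#PermitRootLogin no" counts as unset.

# Constructed sample config; on a real server use /etc/ssh/sshd_config.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
#Port 22
#ListenAddress 0.0.0.0
#PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# effective_setting FILE KEY DEFAULT
# Prints the value of the first uncommented KEY line (sshd uses the first
# match it sees), or DEFAULT when the key is absent or only commented out.
effective_setting() {
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/ { next }                       # comment line
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# audit_sshd FILE
# Prints "KEY VALUE STATUS" for each setting; returns 1 if any is WEAK.
audit_sshd() {
    rc=0
    for key in PasswordAuthentication PermitRootLogin Port ListenAddress; do
        val=$(effective_setting "$1" "$key" unset)
        case "$key:$val" in
            PasswordAuthentication:no|PermitRootLogin:no) status=OK ;;
            PasswordAuthentication:*|PermitRootLogin:*)   status=WEAK; rc=1 ;;
            Port:22|Port:unset)                           status=DEFAULT-PORT ;;
            ListenAddress:0.0.0.0|ListenAddress:unset)    status=ALL-INTERFACES ;;
            *)                                            status=OK ;;
        esac
        printf '%-22s %-10s %s\n' "$key" "$val" "$status"
    done
    return "$rc"
}

audit_sshd "$SAMPLE_CFG" || echo "weak settings found: fix them and restart sshd"
```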

–> If you have a well-defined networking environment, you can list the range of IPs that may access the SSH service and deny all others. This can be done with TCP Wrappers, using the files /etc/hosts.deny and /etc/hosts.allow. hosts.allow is consulted first, so a client matched there gets in even though hosts.deny says ALL. Note that sshd only honours these files when it is built with tcp_wrappers ( libwrap ) support, which OpenSSH removed in version 6.7; on a newer build, use a firewall rule instead.

=====================

/etc/hosts.deny
sshd:  ALL

/etc/hosts.allow
sshd: Trusted IPs/subnet

=====================

So, try these methods out !

Issue with parsing of PHP pages !

Are you facing the scenario in which a PHP page gets downloaded to your local machine instead of being displayed ?

For example, when www.domain.com/index.php is given in the browser, the file index.php gets downloaded rather than rendered.

This happens when PHP files are not parsed by the web server.

To fix this issue :

–> Make sure the PHP module is loaded. A ‘LoadModule php5_module’ line ( pointing at the mod_php shared object ) must be present in the httpd.conf file.

–> Make sure the proper PHP handler for files with a .php extension is mentioned. Something like

‘AddType application/x-httpd-php .php’

must be given in httpd.conf.

If these lines are not found within your httpd configuration, PHP parsing will be an issue.

Too many denied named queries ?

When you set up a production box running a DNS server ( the named service, in this case ), you get tons of queries. If you have disabled recursion, the DNS workload is smaller.

While going through your /var/log/messages, have you found lots of query ( cache ) denied messages ? Something like this ?

Date host named[28251]: client IP#xxxxx: view external: query (cache) 'domain.com/A/IN' denied

Check whether the domains these queries are directed at are present on the server or not.

If you find that these domains once existed on the server and no longer do, we can conclude that they are still pointed at your DNS servers even though the sites went out of business or went offline.

In other words, they no longer have a DNS or HTTP entry on the server, but the domains still exist and have their DNS records pointed here.
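Before changing named.conf it helps to know which domains and which clients are behind the denied messages. The script below is an added example, not from the original post: it reads constructed sample log lines in the format shown above and counts the denied cache queries per domain and per client IP ( the hostname ns1, the addresses and the domain names are made up ):

```shell
#!/bin/sh
# Added example, not from the original post: summarise "query (cache) ... denied"
# messages from a BIND/named log, so you can see which domains and which clients
# generate them. Input lines below are constructed samples in syslog format.

DENIED_LOG=$(mktemp)
trap 'rm -f "$DENIED_LOG"' EXIT
cat > "$DENIED_LOG" <<'EOF'
Dec 14 10:01:02 ns1 named[28251]: client 198.51.100.7#53120: view external: query (cache) 'olddomain.example/A/IN' denied
Dec 14 10:01:03 ns1 named[28251]: client 198.51.100.7#53121: view external: query (cache) 'olddomain.example/MX/IN' denied
Dec 14 10:01:05 ns1 named[28251]: client 203.0.113.9#40000: view external: query (cache) 'gone.example/A/IN' denied
Dec 14 10:01:09 ns1 named[28251]: client 203.0.113.9#40001: query (cache) 'olddomain.example/AAAA/IN' denied
Dec 14 10:02:00 ns1 named[28251]: zone example.com/IN: loaded serial 2014121401
EOF

# denied_by_domain LOG: prints "count domain", most frequent first.
# The domain is the part of 'domain/TYPE/CLASS' before the first slash.
denied_by_domain() {
    grep "query (cache) '" "$1" \
      | sed -n "s|.*query (cache) '\([^/]*\)/[^']*' denied.*|\1|p" \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# denied_by_client LOG: prints "count client-ip", most frequent first.
# The client address sits between "client " and "#port".
denied_by_client() {
    grep "query (cache) '" "$1" \
      | sed -n 's/.*client \([0-9a-fA-F.:]*\)#[0-9]*:.* denied$/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# denied_domain_count LOG DOMAIN: number of denied queries for one domain (0 if none)
denied_domain_count() {
    denied_by_domain "$1" | awk -v d="$2" '$2 == d {print $1; found=1} END {if (!found) print 0}'
}

echo "denied queries per domain:"; denied_by_domain "$DENIED_LOG"
echo "denied queries per client:"; denied_by_client "$DENIED_LOG"
```

A domain that tops the list but no longer has a zone on this server is exactly the "still pointed here" case described above.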

The resolution to this issue is to add the following lines to /etc/named.conf ( the named config file ), under the ‘options’ section :

additional-from-auth no;
additional-from-cache no;

Once these settings are given, BIND will not follow out-of-zone records even if they are in the cache.

Investigating your Linux box for vulnerabilities

A server in a live environment is always susceptible to malware attacks, code vulnerabilities, hacking, rootkits and what not !

Analyzing your server for these back-doors and pinpointing the exact issue always poses a big problem to server owners and their administrators. Thankfully, Linux provides many results, logs and statistics which can help you a great deal. Let's look at some of the things you can do when you feel your system is compromised.

  • Unintended processes can at times increase the server load. Using the command # top -c, check the current server load and see if you can find any unfamiliar processes or process paths running.
  • Check the process tree on your server and see if you can spot any unusual processes/paths. Use the command # pstree -p. If you find an unusual process, get its PID and analyze it using the lsof command, which will show you the current working directory ( cwd ) of the process.

Just as an example, suppose you find lots of Perl processes running and the root perl process has the PID ‘9905’. Use the command # lsof -p PID to check more about it.

=================

# lsof -p 9905
COMMAND  PID USER   FD   TYPE     DEVICE    SIZE      NODE NAME
perl    9905 root  cwd    DIR       x,xx  6770688  33825697 /tmp
perl    9905 root  rtd    DIR       x,xx    4096  33465149 /
perl    9905 root  txt    REG       x,xx   13696  41518574 /usr/bin/perl

=================

This shows you something: an unknown, probably malicious Perl script is running from /tmp, which should not happen at all. Analyze the files in /tmp and make sure you clean up the unwanted ones.

  • Use # ls -al /tmp ( followed by grep arguments ) to check the files in /tmp.
  • Another thing recently seen in # pstree -p is lots of host commands being run. Capture the PID of one of the processes named ‘host’ and run lsof on it. You might see something like :

================

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

host 7909 nobody cwd DIR 0,32 4096 117770255 /home/domain/public_html/blog/wp-content/uploads

================

The host command, which is used for DNS resolution, is being executed, and some script is coercing it into making HTTP requests; that is the issue here. Blocking the scripts found in that location ( the cwd ) will help in this case. Check whether they were uploaded via an insecure plugin ( this mostly happens with WordPress ).
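Both lsof findings above boil down to one question: is the process running from somewhere a legitimate process has no business running from, such as /tmp or a web upload directory? The script below is an added example, not from the original post: it reads a constructed sample of lsof output ( the PIDs 9905 and 7909 and the paths come from the examples above; the other rows are made up ) and flags exactly those processes.

```shell
#!/bin/sh
# Added example, not from the original post: pick out processes whose current
# working directory is a scratch directory or a web upload directory, the two
# cases the lsof examples above illustrate. The lines below are a constructed
# sample of what "lsof -d cwd" prints; on a live box pipe lsof into the function:
#   lsof -d cwd | suspicious_cwd

SAMPLE_LSOF=$(mktemp)
trap 'rm -f "$SAMPLE_LSOF"' EXIT
cat > "$SAMPLE_LSOF" <<'EOF'
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF      NODE NAME
sshd      1021   root  cwd    DIR    8,1     4096         2 /
perl      9905   root  cwd    DIR    8,1  6770688  33825697 /tmp
host      7909 nobody  cwd    DIR   0,32     4096 117770255 /home/domain/public_html/blog/wp-content/uploads
httpd     2200 nobody  cwd    DIR    8,1     4096         2 /
crond     1100   root  cwd    DIR    8,1     4096    131073 /var/spool/cron
EOF

# suspicious_cwd: reads lsof output on stdin and prints "PID COMMAND USER CWD"
# for each process whose cwd is under /tmp, /var/tmp, /dev/shm or a
# public_html .../uploads directory. NAME is taken as the last field, so
# paths containing spaces would need lsof -F output instead.
suspicious_cwd() {
    awk '
        NR == 1 || $4 != "cwd" { next }              # skip header and non-cwd rows
        {
            cwd = $NF
            if (cwd ~ "^/tmp(/|$)" || cwd ~ "^/var/tmp(/|$)" || cwd ~ "^/dev/shm(/|$)" ||
                cwd ~ "/public_html/.*/uploads(/|$)")
                print $2, $1, $3, cwd
        }'
}

# suspicious_count FILE: number of flagged processes in a saved lsof listing
suspicious_count() { suspicious_cwd < "$1" | wc -l | tr -d ' '; }

suspicious_cwd < "$SAMPLE_LSOF"
```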

  • Check the IPs making connections to your server. Use the command below to count the TCP/UDP connections per remote IP :

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

If you find that the number of connections from an IP is not on the normal side, check what it is trying to access :

# netstat -plan | grep IP

and block it in the firewall if it looks invalid.

  • If you are on a cPanel server and the traffic is going to the web server, you can find exactly what the IP is trying to access :

# grep -i -r IP /usr/local/apache/domlogs*

On many occasions the IP will be trying to brute-force logins such as wp-login.php. In those cases you will find that IP ‘POST’ing logins to the wp-login.php page.

  • Changing the WordPress username from the default ‘admin’ to something stronger also helps. These sorts of attacks increase the server load and, if the brute-force succeeds, compromise the server as well.
  • Find out the most accessed domain for a particular day with the following command :

grep -r '14/Dec/2014' /usr/local/apache/domlogs* | awk '{print $1}' | cut -d: -f1 | sort | uniq -c | sort -n

^ The date must be given in this format ( as it appears in the access logs ).

  • Find out the IP that accessed the domain from the above result most often :

# grep -r '14/Dec/2014' /usr/local/apache/domlogs/domain.tld | awk '{print $1}' | cut -d: -f1 | sort | uniq -c | sort -n

  • Checking the root history ( cat /root/.bash_history ) can help you see whether the root account has been used by an intruder; keep in mind that an attacker can clear or edit it, so an unexpectedly empty history is itself a hint. Also check the # last command to see if you can spot any unfamiliar IPs that logged in to your box.
  • You can use rkhunter to scan for possible rootkits and local exploits on your Linux box. It also checks whether commands/paths have been altered, whether the system startup files have been modified, and performs various checks on the network interfaces, including checks for listening applications.

Once rkhunter is installed, you can scan the system using the command # rkhunter --check and find if it returns any negative result.

So, let the Sherlock Holmes investigation start !

Control panels for production servers

When it comes to selecting a control panel for your hosting server, you might be in a perplexed state. The industry's hit-list items are cPanel, DirectAdmin and Parallels Plesk. I have played with all three, and most of the time, the longer I play, the more they mess me up. The one I'm comfortable with is cPanel, and let me explain WHY !

cPanel :

Most colorful, most graphical and easiest to understand/use : cPanel offers more than any other control panel has to.

They have many custom apps tied to their interfaces, and these are highly configurable by the users. This is a serious plus point compared with Plesk or DirectAdmin. Yes, it's true that more features mean more bugs. However, there will be a workaround/fix for them at the earliest. Newer versions with new fixes/features get released in the blink of an eye, while you have to wait a long time for DirectAdmin or Plesk.

cPanel is very widespread; their forums answer about 99% of your questions/issues. If not, their support ( the quickest among the lot ) will do it for you.

Upgrading your services ( like PHP or MySQL ) is very simple in cPanel. The tool that provides these upgrade tasks can include custom modules, and you can run your server with 2 versions of PHP, each with a different PHP handler. Can't imagine something like this in Plesk/DirectAdmin ? Yes, it is possible, but 90% of the time things break, leaving you with no option other than restoring the entire system. I still remember sitting for hours to install 2 versions of PHP in Plesk.

Quick installation setups using scripts are a great feature of cPanel, while you have to depend on yum commands in Plesk or DirectAdmin. Just take the example of PHP modules: how much headache they can cause in Plesk/DirectAdmin when you do not have the required versions of the modules in the repos.

When it comes to email : creating email accounts, tying them to SpamAssassin or BoxTrapper, changing the mail server port, even the interface IP and so on… all of this is very simple and time saving. On the other hand, when you attempt these in Plesk or DirectAdmin, you get lots of issues and time loss.

Creating a reseller account, assigning permissions, creating different packages to meet your needs : these are presented through a simple UI in cPanel/WHM. You would not have to search online for help on this. For a person who is not so acquainted with the shell environment, cPanel does great wonders.

The bandwidth statistics, raw access logs and many other logs, which can be viewed from the front-end, give you a clear picture of the traffic/data for your accounts.

One of the things I like about cPanel is its backup/restore system for websites. You can either back up the required accounts manually or let cPanel do it automatically. When you have a backup file and your developers break the entire site, you can quickly restore it without any headaches, something that's missing in other panels ( I mean the ‘without any headaches’ part ).

Also, migrating your domains between cPanel-based systems works wonderfully and I guarantee you 99% success all the time. With the others, I can't recount the pains I go through.

Upgrading your cPanel version is as simple as # /scripts/upcp. With DirectAdmin too it is quite easy with the custombuild scripts located in /usr/local/directadmin/custombuild/. Plesk too has got a script, # /usr/local/psa/admin/sbin/autoinstaller. But with Plesk, you will have to answer a hundred questions before upgrading, and the chances of failure are higher.

cPanel has two interfaces : WHM ( Web Host Manager ) for the root account and reseller accounts, and the usual cPanel interface for the domain owners. The two look very different and have different login pages. On the other hand, Plesk and DirectAdmin have a single login for admins and users ( with different menus ).

Plesk runs on both Linux and Windows servers. It's more like a Windows control panel ( what you see in the desktop versions ), with fewer features, and it might take you more time to get acquainted with it. Since Plesk has fewer features, it has fewer bugs, and things stay stable until you try to alter the usual builds. You will not find much help in online forums. Plesk support can be messy at times. They require your server to be built only from the OS repos. If you install any 3rd-party repo, or if your Plesk version is quite old, then it's a goner. Forget about getting your issue fixed.

Plesk is for light-hearted guys, still living with black & white frames and quiet ones.

cPanel and Plesk are on the expensive side, whereas DirectAdmin is cheap. If you are thinking of running a small hosting environment without many screamers, you can go with DirectAdmin : quite simple, efficient, not many features ( fewer bugs ) and stable.

So, I prefer cPanel over Plesk for real production environments, and DirectAdmin over cPanel and Plesk for a startup environment !

Try their demos at :

cPanel demo : http://cpanel.net/demo/

Plesk demo : http://www.parallels.com/products/plesk/hands-on-demos/

DirectAdmin demo : http://www.directadmin.com/demo.html