Disable direct root login

While logging directly into a server as root is certainly easy, it is not the best choice from a security standpoint. Disabling direct root logins does not instantly make a server impervious, but it does help fight against petty brute-force script kiddies. There are two options when disabling direct root login: disable it completely, or allow it only with an ssh key. Make SURE that you add another user you can ssh in as. If you are using cPanel, use WHM --> Manage wheel users and add your user. Once logged in, run "su -" to gain full root access and run your normal administrative commands. Make sure you use su - and not simply su; without the - you will not be on the root path and will not have access to all commands.



First open up the ssh config:

nano /etc/ssh/sshd_config

PermitRootLogin
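As an added example (not part of the original post), the script below checks the two things the first paragraph warns about before sshd is restarted: which PermitRootLogin value is actually in effect, and whether a non-root member of wheel exists who can log in and run su -. The function names and the sample files are constructed for illustration; without-password and prohibit-password are the OpenSSH values for key-only root login.

```shell
#!/bin/sh
# Added example, not from the original post; all function names are hypothetical.

# Print the effective global PermitRootLogin value of an sshd_config file.
# sshd keeps the first value it reads for a keyword; keywords are case-insensitive.
root_login_policy() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # also accept Keyword=value
        /^#/ || NF == 0 { next }                           # comments and blank lines
        tolower($1) == "match" { exit }                    # stop at conditional blocks
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Map the raw value onto the two options from the post (disabled / key only).
classify_root_login() {
    case "$(root_login_policy "$1")" in
        no)                                 echo "disabled" ;;
        without-password|prohibit-password) echo "key-only" ;;
        forced-commands-only)               echo "key-only-forced-commands" ;;
        yes)                                echo "password-allowed" ;;
        unset)                              echo "compiled-default" ;;  # varies by OpenSSH version
        *)                                  echo "unrecognised" ;;
    esac
}

# Succeed only if wheel in a group(5) file has a member other than root, i.e.
# somebody can still log in and "su -" once root logins are refused.
has_wheel_user() {
    awk -F: '$1 == "wheel" { n = split($4, m, ",")
                 for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") ok = 1 }
             END { exit !ok }' "$1"
}

audit() {   # $1 = sshd_config path, $2 = group file path
    if has_wheel_user "$2"; then w=present; else w=MISSING; fi
    echo "$(classify_root_login "$1") wheel-user-$w"
}

# Constructed sample files so the example runs offline.
tmp=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'Port 22' 'permitrootlogin without-password' \
    'PermitRootLogin yes' > "$tmp/sshd_config"
printf '%s\n' 'root:x:0:' 'wheel:x:10:root,admin1' > "$tmp/group"
audit "$tmp/sshd_config" "$tmp/group"
rm -rf "$tmp"
```

On a live server the call would be audit /etc/ssh/sshd_config /etc/group; a result of "compiled-default" means the file sets nothing and the behaviour depends on the installed OpenSSH version.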

How to significantly cut back spam with cPanel 11 RBLs

Along with the many other GUI enhancements that have come with the new version 11, there have been some MAJOR improvements in how spam is handled. While cPanel has always remained an easy-to-modify system, many people do not like to start modifying configuration files. Those people will be happy to learn that cPanel 11 now includes RBL support.


To enable it, simply log in to WHM and click on "Exim Configuration Editor". From here you have your choice of Spamhaus and/or SpamCop; I generally enable both. You can also set lower limits on SpamAssassin in this menu if you would like to be more sensitive. Keep in mind, of course, that as you raise the sensitivity the chances of legit email getting dropped increase.



Overall, good job cPanel! This is a feature that has been needed for a while but is even more important with the recent wave of spam attacks.

Go php 5!


It's been out for a while now, but in case you have not heard, php4 goes EOL at the end of the year. Time to finally drop php4 and keep moving forward. Good luck to all those with old scripts!

NFS Crash course

I wrote up a quick guide to setting up NFS a while back but never published it. It is not exactly a nice and clean format, but it is exactly what you need to be reading if you want a quick way to set up NFS between two servers. For the purpose of the guide I have added directions for the APF firewall; obviously anything else will work fine.

Install X-cache

This is another one of my quick mini-guides for how to install Xcache php optimizer. We have found this to work very nicely on servers and can even work with zend and eaccelerator if you require both. We have found no stability issues with 1.2.1 and run it on several very large and important servers.



Download the source and start to compile:

cd /usr/local/src/
wget http://xcache.lighttpd.net/pub/Releases/1.2.1/xcache-1.2.1.tar.gz
tar -zxf xcache-1.2.1.tar.gz
cd xcache-1.2.1



Next we have to run phpize; if it is not in a standard location you will need to use the full path. The configure step may also require additional options if your php-config binary is not on the bin path.


phpize
./configure

make
make install



ln -s /usr/local/lib/php/extensions/no-debug-non-zts-20020429/xcache.so /usr/local/php5//lib/php/extensions/no-debug-non-zts-20060613/xcache.so

Links to the latest openvz files

Here are some of the links to the latest OpenVZ install files as well as a quick run-down of getting the first VPS up. I got this list when I did a new VPS a few days ago.

Remove OpenVZ limits

Below is a quick set of commands which may be useful to those needing to quickly remove some of the more important limits on a VPS. I have found them extremely valuable when deploying OpenVZ in a load-balanced or otherwise very busy environment. Note that --save will save them in the configuration file for when you restart it. If you do not supply the argument, the settings will be lost when the VPS is restarted.




Check the current status to see what, if anything, is being maxed out. IMPORTANT: just because I do not list something does not mean it is unimportant. If you see something else that is near the limit, use the same syntax as below to raise the limit.


clear; cat /proc/user_beancounters
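Reading that table by eye is error-prone, so here is an added example (not part of the original post) that lists every resource whose failcnt is non-zero or whose maxheld has reached a given percentage of its barrier. The function name near_limit, the 90 percent default and the sample table are constructed for illustration; the column layout is the one /proc/user_beancounters prints.

```shell
#!/bin/sh
# Added example, not from the original post; near_limit is a hypothetical name.
# Reads text in /proc/user_beancounters format and lists every resource whose
# failcnt is non-zero or whose maxheld reached PCT percent of its barrier.
near_limit() {   # $1 = beancounters file, $2 = PCT (default 90)
    awk -v pct="${2:-90}" '
        {
            o = ($1 ~ /^[0-9]+:$/) ? 1 : 0   # first row of a container has a uid column
            if (o) { ctid = $1; sub(/:$/, "", ctid) }
            if (NF != 6 + o) next            # skips Version and column-header lines
            res = $(1 + o); maxheld = $(3 + o); barrier = $(4 + o); fail = $(6 + o)
            if (fail > 0 || (barrier > 0 && maxheld * 100 >= barrier * pct))
                print ctid, res, "maxheld=" maxheld, "barrier=" barrier, "failcnt=" fail
        }
    ' "$1"
}

# Constructed sample (same layout as /proc/user_beancounters) so this runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Version: 2.5
       uid  resource           held    maxheld    barrier      limit    failcnt
      101:  kmemsize        2718222   10950000   11055923   11377049          0
            numproc              45        240        240        240         12
            numfile             900       1200       9312       9312          0
            privvmpages       30000      60000     262144     292912          0
EOF
near_limit "$sample" 90
rm -f "$sample"
```

On the hardware node the call would be near_limit /proc/user_beancounters; a non-zero failcnt means the container has already been refused that resource at least once.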



Delete stats logs daily

While this is something that most servers already have enabled, from time to time we encounter servers with a full domlogs directory, so I figure it is worth mentioning. To check how large your Apache domain logs are on a cPanel server, run "du -hs /usr/local/apache/domlogs". If it is a bit higher than you want, or you just want as much free space as possible, log in to WHM and click Tweak Settings. Within that menu is "Delete each domain's access logs after stats run", which you enable and click save. Now at the end of the stats run every night it will wipe out the directory, so the logs should not grow very large, unless of course your server is very busy.

cPanel email inconsistent quota

If a cPanel email user's quota does not match what is being reported by the system or a mail client, run the following to determine how much space has really been used:

du -hs /home/username/mail/userdomain.com/user/

Then compare it with what cPanel reports for the disk usage. If they are different, delete:

/home/username/mail/domain.com/user/maildirsize

Finally, log back in to cPanel and it should be resolved.

SpamAssassin failing with "Transport filter process failed (127): unable to execute command"

SpamAssassin was failing to deliver emails with the following message:

SMTP connection from USERNAME lost while reading message data (header)
1H4zGX-0000KH-FH == user@domain.com R=virtual_sa_user T=virtual_sa_userdelivery defer (-24): Transport filter process failed (127): unable to execute command

To fix this, force a reinstall of the Perl module:

perl -MCPAN -e shell
clean Mail::SpamAssassin
install Mail::SpamAssassin

Lenovo X60t tablet with SXGA ordering woes -- shipping delayed for parts

***Update*** It took 3 months but I finally received the x60 tablet and love it! While there certainly were a LOT of delays earlier on Lenovo seems to have fixed them and now everything should be going smoothly. I hope they learn from this and in the future do a better job keeping in contact with clients.


I am trying something a bit different for my site with this post. While I normally do some sort of technical article I am going to also do more blog style posts, in this case on a laptop that I am in the process of purchasing.


Problems with RBL lists

While I do not think that anybody is going to say that ALL RBL lists for email are a bad thing, there are some problems with using them that, if you are not careful, can cause end users problems. In general they will help a lot, but depending on how your mailserver is configured they have the potential to cause just as many heartaches.

The other day we had a few clients complaining that when they sent emails it would take 5-10 seconds most times before they were able to send from their local computer. While not a lot of time it is enough that people were complaining about it. What ended up being the problem was that an RBL list the server was using was having trouble so every time somebody sent an email the RBLs were queried and the 10 seconds was the amount of time it took for the RBL to timeout.

This particular server was Plesk, so /etc/rc.d/init.d/smtp_psa and smtps_psa are where the actual RBLs are stored. The server_args line (shown below) contains all of the lists currently being used to scan email:

php up2date problems with cPanel

While I am not sure why, recently I have seen a few cPanel servers with the php rpms installed on them. If you have this problem, the following can be done to add php back to the skip list:



up2date --config
20


paste in this:


spamassassin*;httpd*;perl;mysql*;php*;mod_ssl*;courier*;kernel*;exim*;proftpd*;pure-ftpd*;squirrelmail*;

to exit and save

Now go ahead and run rpm -qa | grep php and remove the php rpms that are installed. Additionally, if you are on a 64-bit Redhat Enterprise (RHEL) or CentOS version 3 or 4, you may also need to run:



ln -s /usr/lib64/libmysqlclient.so /usr/lib/libmysqlclient.so


to fix a problem like this:

configure: error: Cannot find libmysqlclient library under /usr

RPM Kernel Upgrade

This is a very simple guide meant for people unfamiliar with upgrading kernels on a Linux system. It is fairly simple to follow and I have done this on many servers, so if you take your time and read through it you should have no problem. I take no responsibility if something goes wrong on your server because of this! This guide is formatted for a RHEL server, but if you understand the concept it can be applied to any rpm kernel.

Updated August with new versions


The kernel versions are constantly changing so this guide may fall out of date from time to time. The important thing to remember is when you are doing the up2date --download simply look at the version that is downloaded. That is going to be the latest version and in turn the version you want to install and boot to. RHEL or CentOS 5 follow the same basic method.



Redhat Enterprise 3 cPanel DNS breaking

Not 100% sure at this point, but some servers are having DNS break tonight after a UPCP run. The only thing we have narrowed it down to at this point is having RHEL 3 and cPanel on the box. When UPCP runs it breaks named and stops it from responding to anything. The fix is simple, just do:




up2date -u bind-libs
service named restart





That should be it =-)
