Archive for the 'Administration' Category


Hide versions from port and services scan (NMAP) 0

I stumbled on some posts about scanning a site and detecting the versions of a server's services. Someone pointed out the nmap tool, and I checked it against my own server. The result was not so good: Apache and ProFTPD revealed their versions. So I was determined to change that; I want to expose as little version information as possible. The nmap command is:

nmap -sS -sV -O www.yourserver.com

Secure and hide version information:

  • OpenSSH, tcp/22, not possible to change the banner, but you should change the port, disable root login, etc.
  • Telnet, tcp/23, I prefer to disable Telnet. If not, use this (change file /etc/issue.net)
    mv /etc/issue.net /etc/issue.net-original
    echo "Windows Server 2008 (Microsoft)" > /etc/issue.net
  • PHP, disable expose_php for security reasons in /etc/php.ini (the value is a plain boolean, no quotes)
    expose_php = Off

That’s about it. I believe there is more, and if someone wants to add something, just comment on this post.
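As an added check (my own example, not code from this post), the script below does the same kind of banner inspection offline: it flags every service string that carries a product/version pair, once for constructed "before" banners of the sort nmap -sV reports and once for the same services after hardening. The "after" set assumes Apache's ServerTokens Prod and ProFTPD's ServerIdent directives and PHP's expose_php = Off have been applied; the OpenSSH string is left alone because, as noted above, configuration cannot change it. All banners are constructed samples, not captures from the author's server.

```python
import re

# Constructed sample banners, standing in for what "nmap -sV" reports per
# port. They are not captures from the author's server.
BEFORE = {
    "tcp/21": "220 ProFTPD 1.3.1 Server (ProFTPD Default Installation) [::ffff:192.0.2.10]",
    "tcp/22": "SSH-2.0-OpenSSH_4.3",
    "tcp/23": "Windows Server 2008 (Microsoft)",
    "tcp/80": "Server: Apache/2.2.3 (CentOS)\r\nX-Powered-By: PHP/5.1.6",
}

# The same services after hardening (assumed results of ServerTokens Prod,
# expose_php = Off and a ProFTPD ServerIdent string without a version; the
# OpenSSH banner is unchanged because configuration cannot alter it).
AFTER = {
    "tcp/21": "220 FTP Server ready.",
    "tcp/22": "SSH-2.0-OpenSSH_4.3",
    "tcp/23": "Windows Server 2008 (Microsoft)",
    "tcp/80": "Server: Apache",
}

# A product name followed by a dotted version number, as in Apache/2.2.3,
# OpenSSH_4.3 or "ProFTPD 1.3.1". Plain years such as "2008" do not match.
VERSION_RE = re.compile(r"\b([A-Za-z][\w.]*?)[/_ ](\d+(?:\.\d+)+)\b")


def find_version_disclosures(banners):
    """Return {port: [(product, version), ...]} for every banner leaking a version."""
    leaks = {}
    for port, banner in banners.items():
        found = VERSION_RE.findall(banner)
        if found:
            leaks[port] = found
    return leaks


def report(banners):
    """Human-readable summary, one line per port, sorted by port label."""
    leaks = find_version_disclosures(banners)
    lines = []
    for port in sorted(banners):
        if port in leaks:
            detail = ", ".join(f"{product} {version}" for product, version in leaks[port])
            lines.append(f"{port}: LEAKS {detail}")
        else:
            lines.append(f"{port}: ok")
    return "\n".join(lines)


if __name__ == "__main__":
    print("before hardening:\n" + report(BEFORE))
    print("\nafter hardening:\n" + report(AFTER))
```

Running it shows tcp/22 still reported after hardening, which is exactly the OpenSSH limitation the list above states; everything else drops to "ok".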

DNS Vulnerability Check for specific Name Server 1

You probably found a lot of online tools that check for DNS poisoning. For example, here and here. The second one is the site of Dan Kaminsky, the researcher who originally discovered the vulnerability. But these tools check “My DNS Server”, which is my ISP's server, not the DNS server that I am hosting/running. So, after some looking around, I found this one-liner here: just find any Linux box and type:

dig @ns1.nameserver.com +short porttest.dns-oarc.net TXT

where ns1.nameserver.com is either the IP or the name of the DNS server. If the result is GOOD, all is well; anything else is a big problem.
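What the GOOD/POOR verdict is built on is the randomness of the UDP source ports the resolver uses for its outgoing queries. The added example below (mine, not part of the post and not DNS-OARC's code) computes the two numbers such a test looks at, the count of distinct ports and their spread, over three constructed port samples: a resolver stuck on one port, one using sequential ports, and one using well-spread ports. The GOOD/FAIR/POOR thresholds are my own illustrative choices, not the thresholds porttest applies.

```python
from statistics import pstdev

# Constructed samples: the UDP source port a resolver used for each of 26
# consecutive outgoing queries, i.e. the raw data a port-randomness test
# observes. They are not measurements of any real resolver.
FIXED_PORT = [53] * 26                        # every query from port 53
SEQUENTIAL = list(range(32768, 32768 + 26))   # all different, but predictable
RANDOMISED = [40123, 61002, 33987, 52210, 1100, 58743, 27456, 49001, 11890,
              62300, 35512, 9021, 44660, 20318, 57019, 3844, 48872, 30675,
              15222, 53999, 26131, 60455, 7733, 42018, 19380, 38840]


def port_stats(ports):
    """(queries, distinct ports, population std dev of the port numbers)."""
    return len(ports), len(set(ports)), pstdev(ports)


def classify(ports):
    """Illustrative verdict in the GOOD/FAIR/POOR style; thresholds are mine, not DNS-OARC's."""
    queries, distinct, spread = port_stats(ports)
    if distinct <= queries // 2:
        # Port reuse: a forger only has to hit the 16-bit query ID.
        return "POOR"
    if spread < 1000:
        # Distinct but clustered or sequential ports are easy to predict.
        return "FAIR"
    return "GOOD"


def describe(ports):
    """One-line summary in the spirit of the TXT answer the one-liner returns."""
    queries, distinct, spread = port_stats(ports)
    return f"{classify(ports)}: {queries} queries from {distinct} ports with std dev {spread:.0f}"


if __name__ == "__main__":
    for label, sample in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL), ("randomised", RANDOMISED)):
        print(f"{label:11} {describe(sample)}")
```

The point of the FAIR case is that "26 queries from 26 ports" alone is not enough: a resolver that walks through ports in order is almost as predictable as one that never changes port, which is why the spread matters as well as the count.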

Installing Postfwd on CentOS/Fedora/Redhat 0

Download and unpack Postfwd archive to /usr/local/postfwd:

cd /usr/local/
wget http://postfwd.org/postfwd-1.10pre7c.tar.gz
tar -xf postfwd-1.10pre7c.tar.gz
mv postfwd-1.10pre7c postfwd

Copy the configuration file at its place, and copy the startup script to its place

cp /usr/local/postfwd/etc/postfwd.cf /etc/postfix/
cp /usr/local/postfwd/bin/postfwd-script.sh /etc/init.d/postfwd

Then I tried to set the daemon to start at boot time with:

chkconfig --add postfwd

But I got an error saying: “service postfwd does not support chkconfig”. OK: there is a statement in an init script that tells the chkconfig command how to add this daemon to, or delete it from, the boot process. The statement looks like this:

# chkconfig: 2345 78 32
# description: Postfwd Policy Server

This means that the script should be started in runlevels 2, 3, 4 and 5, that its start priority should be 78, and its stop priority 32. Priorities represent the order in which services are started or stopped. So if you have Postfix starting and a postfwd application, it is essential that postfwd is started before Postfix. With Postfix at a start value of 80, you need a lower value for postfwd (78, for example).

After we added these lines to the /etc/init.d/postfwd file, let's repeat:

chkconfig --add postfwd

OK. This worked. But I had a lot of problems with the default init script supplied with postfwd; I had to change the startup script a lot. After finding out that the init script is somehow strange, I rewrote it based on postgrey's init script. Here it is, ready to download. So copy this one to /etc/init.d.

Now, start it with:

service postfwd start
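The chkconfig header and the priority ordering above are easy to get wrong by hand, so here is an added example (my own, not part of the post or of postfwd) that reads the header out of an init script, reports a script that has none (which is what produces the “does not support chkconfig” message), and checks the start/stop ordering of a policy server against its MTA. The postfwd header is the one from the post; the Postfix header is a constructed one using the start value 80 mentioned above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# "# chkconfig: <runlevels> <start priority> <stop priority>"
HEADER_RE = re.compile(r"^#\s*chkconfig:\s*(\S+)\s+(\d+)\s+(\d+)\s*$", re.MULTILINE)


@dataclass
class ChkconfigHeader:
    levels: str  # runlevels the service is enabled in, e.g. "2345"
    start: int   # S-link priority: a lower number starts earlier
    stop: int    # K-link priority: a lower number stops earlier


# Constructed init scripts. POSTFWD_INIT carries the header from the post;
# POSTFIX_INIT is an assumed header with the start value 80 the post mentions.
POSTFWD_INIT = """#!/bin/bash
# chkconfig: 2345 78 32
# description: Postfwd Policy Server
"""
POSTFIX_INIT = """#!/bin/bash
# chkconfig: 2345 80 30
# description: Postfix Mail Transport Agent
"""
NO_HEADER_INIT = """#!/bin/bash
# postfwd startup script without chkconfig metadata
"""


def parse_chkconfig_header(script_text: str) -> Optional[ChkconfigHeader]:
    """Return the parsed header, or None when chkconfig would refuse the script."""
    m = HEADER_RE.search(script_text)
    if m is None:
        return None
    return ChkconfigHeader(m.group(1), int(m.group(2)), int(m.group(3)))


def boot_order_ok(policy: ChkconfigHeader, mta: ChkconfigHeader) -> bool:
    """The policy server must start before the MTA and stop after it."""
    return policy.start < mta.start and policy.stop > mta.stop


def check_pair(policy_script: str, mta_script: str) -> str:
    policy = parse_chkconfig_header(policy_script)
    mta = parse_chkconfig_header(mta_script)
    if policy is None or mta is None:
        return "missing chkconfig header"
    if not boot_order_ok(policy, mta):
        return (f"bad order: policy starts at {policy.start}/stops at {policy.stop}, "
                f"MTA starts at {mta.start}/stops at {mta.stop}")
    return "ok"


if __name__ == "__main__":
    print("postfwd vs postfix:", check_pair(POSTFWD_INIT, POSTFIX_INIT))
    print("script without header:", check_pair(NO_HEADER_INIT, POSTFIX_INIT))
```

The stop-side check is the one people forget: because K links run in ascending order at shutdown, the policy server's stop number has to be higher than the MTA's so that Postfix is already down before its policy service disappears.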

It should work. Now to make Postfix aware of it. Open your postfix /etc/postfix/main.cf and insert or edit the following.

127.0.0.1:10040_time_limit = 3600
smtpd_recipient_restrictions = ...
    ...
    check_policy_service inet:127.0.0.1:10040,
    permit

smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:10040

The last one is needed because you have to call postfwd at end_of_data state for reliable size checks.

Testing it

If you want to list the rules, just type:

/usr/local/postfwd/sbin/postfwd -f /etc/postfix/postfwd.cf -C

Finally, if you are satisfied, start postfwd and reload postfix. Then, monitor the log file for lines mentioning postfwd with:

tail -f /var/log/maillog | grep postfwd

There is an example policy request distributed with postfwd, called ‘request.sample’. Simply change it to meet your requirements:

nano /usr/local/postfwd/tools/request.sample
/usr/local/postfwd/sbin/postfwd -f /etc/postfix/postfwd.cf </usr/local/postfwd/tools/request.sample

That's it.

No - it is not!

Really a bug not counted as one

I spent at least an hour just trying to find the bug. No! It is not a bug. I just needed to read very, very carefully:

From the docs: “Multiple use of the same item is allowed and will be compared as logical OR”

So macro with this content:

&&LIMITEDS { sender=.*@onedomain.com ; sender~=user@seconddomain.com; };

will work, and the following one will not (only the first rule will be accounted for):

&&LIMITEDS { sender_domain=onedomain.com ; sender~=user@seconddomain.com; };
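To make both the testing step above (feeding a request.sample to the policy server) and this OR-versus-AND behaviour concrete, here is an added example of my own; it is not postfwd's code. It parses a policy request in the format Postfix sends to a policy server (name=value lines ended by a blank line), parses the two macros from this post, and evaluates them with the rule the docs describe: the same item repeated is ORed, different items are ANDed. Two things are assumptions of mine rather than postfwd's documented behaviour: '=' is treated as an anchored regex match and '~=' as an unanchored regex search, and sender_domain is derived from the sender address because Postfix itself does not send that attribute.

```python
import re

# A constructed policy request in the format Postfix sends to a policy
# server: one name=value attribute per line, terminated by an empty line.
# It plays the role of the request.sample file mentioned above.
REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.10\n"
    "sender=user@seconddomain.com\n"
    "recipient=someone@example.net\n"
    "\n"
)

# The two macros from the post.
MACRO_OK = "&&LIMITEDS { sender=.*@onedomain.com ; sender~=user@seconddomain.com; };"
MACRO_BAD = "&&LIMITEDS { sender_domain=onedomain.com ; sender~=user@seconddomain.com; };"

MACRO_RE = re.compile(r"\s*&&(\w+)\s*\{(.*)\}\s*;?\s*$", re.S)
ITEM_RE = re.compile(r"(\w+)\s*(~=|=)\s*(.+)$")


def parse_policy_request(raw):
    """Parse name=value lines up to the blank line into a dict."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    # Assumption: derive sender_domain from the sender address, mirroring the
    # derived item postfwd offers under that name (Postfix does not send it).
    if "@" in attrs.get("sender", ""):
        attrs["sender_domain"] = attrs["sender"].rsplit("@", 1)[1]
    return attrs


def parse_macro(text):
    """'&&NAME { item=value ; item~=value; };' -> (name, [(item, op, value), ...])."""
    m = MACRO_RE.match(text)
    if not m:
        raise ValueError("not a &&MACRO { ... }; definition")
    items = []
    for part in m.group(2).split(";"):
        part = part.strip()
        if not part:
            continue
        im = ITEM_RE.match(part)
        if not im:
            raise ValueError(f"bad item: {part!r}")
        items.append((im.group(1), im.group(2), im.group(3).strip()))
    return m.group(1), items


def item_matches(op, pattern, value):
    # Simplified operators (my assumption, not postfwd's exact semantics):
    # '=' is an anchored regex match, '~=' an unanchored regex search.
    if op == "=":
        return re.fullmatch(pattern, value) is not None
    return re.search(pattern, value) is not None


def macro_matches(items, attrs):
    """Same item repeated -> OR; different items -> AND (the rule from the docs)."""
    grouped = {}
    for name, op, pattern in items:
        grouped.setdefault(name, []).append((op, pattern))
    for name, alternatives in grouped.items():
        value = attrs.get(name, "")
        if not any(item_matches(op, pat, value) for op, pat in alternatives):
            return False
    return True


def decide(raw_request, macro_text, action="REJECT limited sender"):
    """Produce the policy reply Postfix expects: 'action=...' plus an empty line."""
    _, items = parse_macro(macro_text)
    attrs = parse_policy_request(raw_request)
    verdict = action if macro_matches(items, attrs) else "DUNNO"
    return f"action={verdict}\n\n"


if __name__ == "__main__":
    print("first macro :", decide(REQUEST, MACRO_OK).strip())
    print("second macro:", decide(REQUEST, MACRO_BAD).strip())
```

With the sender user@seconddomain.com, the first macro fires because its two sender items are alternatives, while the second never fires: sender_domain=onedomain.com and the sender item are different items, so both have to hold, and the sender_domain test fails. That is the "only the first rule is accounted for" effect in code.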

Resume upload functionality in ProFTPD 0

If you are using ProFTPD, uploads cannot be resumed by default. Change this by editing the configuration file (/etc/proftpd.conf) and changing or adding the following values:

AllowOverwrite on
AllowStoreRestart on

The first one is probably already enabled in the config file. A resumed upload is considered the same as a file overwrite (in ProFTPD), therefore file overwriting must be enabled.

Postfix Mail Archival Solutions 0

I am surprised that there are so few open-source solutions for this very common need in corporate environments.

The first that comes to mind is Postfix's bcc_maps directives (or similar). An alternative mechanism should be pretty straightforward: through the milter system. If someone reading this post finds some other useful utility (open source only), please post a comment about it.

And my list of sound open-source solutions is:

Sudden huge Logwatch mails… 1

Suddenly, on my CentOS box, the Logwatch mails are very big, with a huge Postfix “**Unmatched Entries**” section, mostly about messages dropped because they were in RBLs, similar to this:

Service unavailable; Client host [x.x.x.x] blocked using zen.spamhaus.org; ...

My logwatch package is up to date. The problem is that the service and configuration for postfix in that package are not.

You need to update the postfix filter portion of logwatch.
It can be updated either from http://www.mikecappella.com/logwatch or from the latest version of logwatch at www.logwatch.org

For me, the first link was better because it had newer scripts. I downloaded the package, and only two files were needed (do not install anything).

Just rename the files (remove the -logwatch part of the filename)

postfix-logwatch
postfix-logwatch.conf

to

postfix
postfix.conf

and copy them to

/etc/logwatch/scripts/services/postfix (the Logwatch postfix filter)
/etc/logwatch/conf/services/postfix.conf (the Logwatch postfix filter configuration file)

Files at this location override the default ones. And this should fix the problem.

But there was a problem with the file services/postfix, where I had to remove the first line for logwatch to work. Now, when I execute /etc/cron.daily/0logwatch, I get a reasonably sized email with email statistics.

Brute Force Attack Prevention 0

I just got tired of looking at lots of these messages in my Apache log (or similar ones in the ssh log)

[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/ads
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/thisdoesnotexistahaha.php
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/drupal
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/adserver
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/adxmlrpc.php
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/xmlrpc.php

These robots are constantly trying to exploit vulnerabilities. I want to stop them.

There are a couple of solutions, but after researching, I concluded that for me the best one is Fail2Ban (compared to DenyHosts or BlockHosts), especially because it can analyze log files for Apache, SSH, FTP and Postfix (and I have it in the repository). BTW, there were some vulnerabilities in it in the past.

All the configuration is done in /etc/fail2ban/jail.conf.

From which IP address your site is accessed the most 0

To find out which IP addresses are most active in accessing your websites, just execute this line against the Apache access log.

awk '{print $1}' access_log | sort | uniq -c | sort -n | tail -20 | awk '{print $2,$2,$1}' | logresolve | awk '{printf "%6d %s (%s)\n",$3,$1,$2}'

where access_log is the filename of the Apache access log, and -20 means that I want to see the top 20 addresses. A great resource of information can be found at the-art-of-web.com.
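The two previous posts are really the same operation run over two logs: count events per client address, then either rank them (the awk pipeline) or compare the count against a threshold (what a Fail2Ban jail does with its maxretry setting). The added example below, mine and not the project's code, does both over constructed log lines: a Fail2Ban-style regex picks the client address out of "File does not exist" error_log lines of the shape shown above, a threshold selects ban candidates, and a second function ranks access_log clients the way the awk|sort|uniq -c pipeline does. It deliberately omits Fail2Ban's time window (findtime); the addresses are RFC 5737 documentation ranges, not real clients.

```python
import re
from collections import Counter

# Constructed Apache 2.2 error_log lines in the shape of the post
# (RFC 5737 addresses; not the author's real log).
ERROR_LOG = """\
[error] [client 198.51.100.24] File does not exist: /var/www/sharedip/ads
[error] [client 198.51.100.24] File does not exist: /var/www/sharedip/drupal
[error] [client 198.51.100.24] File does not exist: /var/www/sharedip/xmlrpc.php
[error] [client 198.51.100.24] File does not exist: /var/www/sharedip/adxmlrpc.php
[error] [client 203.0.113.7] File does not exist: /var/www/sharedip/favicon.ico
[notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
"""

# Constructed access_log lines (common log format, client address first).
ACCESS_LOG = """\
198.51.100.24 - - [10/Jun/2008:10:15:32 +0200] "GET /xmlrpc.php HTTP/1.1" 404 291
198.51.100.24 - - [10/Jun/2008:10:15:33 +0200] "GET /drupal HTTP/1.1" 404 286
198.51.100.24 - - [10/Jun/2008:10:15:34 +0200] "GET /ads HTTP/1.1" 404 283
203.0.113.7 - - [10/Jun/2008:10:16:01 +0200] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jun/2008:10:16:02 +0200] "GET /favicon.ico HTTP/1.1" 404 290
192.0.2.44 - - [10/Jun/2008:10:17:15 +0200] "GET /index.html HTTP/1.1" 200 5120
"""

# Same idea as a Fail2Ban failregex for Apache "noscript" probes: capture the
# client address from error lines that report a missing file.
PROBE_RE = re.compile(r"\[error\] \[client (?P<host>[0-9a-fA-F.:]+)\] File does not exist:")


def probe_counts(error_log_lines):
    """Number of missing-file errors per client address."""
    counts = Counter()
    for line in error_log_lines:
        m = PROBE_RE.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def ban_candidates(counts, maxretry=3):
    """Addresses that reached maxretry probes (Fail2Ban's maxretry idea, no findtime window)."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


def top_clients(access_log_lines, n=20):
    """Most active client addresses, like awk '{print $1}' | sort | uniq -c | sort -n | tail."""
    counts = Counter()
    for line in access_log_lines:
        if line.strip():
            counts[line.split(" ", 1)[0]] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    probes = probe_counts(ERROR_LOG.splitlines())
    print("probes per client:", dict(probes))
    print("would ban:", ban_candidates(probes))
    for ip, hits in top_clients(ACCESS_LOG.splitlines()):
        print(f"{hits:6d} {ip}")
```

The [notice] line is there on purpose: a filter regex that is too loose (matching on the word "client" alone, say) would also pick up lines that are not probes, which is how jails end up banning the wrong address.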

ISPConfig, AWStats & Postfix: Email statistics 0

Very good source that I did not use: http://www.howtoforge.com/mail_statistics_mailgraph_pflogsumm

I set up the AWStats package on my server using the instructions on this DjTremors site.

And everything worked, apart from the fact that I had to disable suexec in ISPConfig (Management / Server - Settings / Web / suexec checkbox).

At first, I tried adding these statistics inside ISPConfig's http server. Just to remember: whenever I need something to be an option in ISPConfig under the Tools menu, this is done by creating a subdirectory in /home/admispconfig/ispconfig/web/tools/tools and creating a nav.inc.php file there.

But the problem arises because Perl cannot be enabled without larger modifications in /root/ispconfig/httpd/conf/httpd.conf. I always got an error:

mod_perl.so: undefined symbol: apr_bucket_shared_split

So I made a Tools link, but pointing to a main Apache server (where I have Perl enabled).

File: nav.inc.php
<?php if ($go_api->auth->check_admin(0,1)) {
/*
   Only Admin can see this
   Copyright (c) 2008, cvladan.com, Vladan Colovic - All rights reserved.
*/
?>
<!-- Mail AWStats for all domains //-->

menuDaten.neu(new LinkEintrag('root','<?php echo $go_api->lng("Mail Server Statistics") ?>','http://www.duplonucleo.com/ispcstats/awstats.pl?config=mail','_blank','email.gif','Mail Server Stats','n',''));

<?php } ?>

Let me explain the important files in AWStats for ISPConfig. There is the /root/ispconfig/scripts/shell/awstats.php file, which periodically recreates the .conf files in /etc/awstats based on the virtual domains created in the web home /var/www. There is no need to change this file. Another important file is /home/admispconfig/ispconfig/web/ispc.awstats/awstats_updateall.pl, which is also executed periodically. This file launches the update process for all AWStats config files found in a particular directory (in our case /etc/awstats), except awstats.model.conf, so you can set things up easily.

As we see, there is no need to change anything. It will automatically update our mail statistics. So, let's go there…

First, I needed to add the script maillogconvert.pl where it should be in the first place: in /home/admispconfig/ispconfig/web/ispc.awstats

Then edit /etc/awstats/awstats.mail.conf and … Not so good link, and a much better one (original).

And do not be shocked by the amount of mail received by admispconfig@. That's ok. The admispconfig mailbox is a script that generates your mail statistics. The emails that go to admispconfig contain the size in bytes of the original email sent to one of your users.

And, after everything, I just updated AWStats from 6.5 to version 6.8 (latest one)

How to check if load balancing on multiple WAN ports is working 0

The easiest way to check if WAN load balancing is working is to go to different sites that show your IP and check that the IP addresses reported differ. In my case, I had to get 3 different IPs. So, use these sites: whatismyip.net, whatismyip.org, whatismyip.com, ipnow.org

Putty SSH and Linux terminal line drawing / Midnight Commander (mc) 4

I am using PuTTY to *remotely* access my server via ssh. Recently, I started using a Norton Commander clone called Midnight Commander, which is incredibly useful. But decorative elements (line drawings) are displayed wrongly, with some weird characters. The solution in PuTTY is to change the following options:

Window > Translation >  Received data assumed to be in which character set: UTF-8
Window > Translation >  Handling of line drawing characters: Use Unicode line drawing code points
Connection > Data > Terminal details > Terminal-type string: linux
Terminal > Keyboard > The Function keys and keypad: Linux

The commander is now working as it was supposed to. Source of information.

Besides this, while we are already in PuTTY, a couple of configuration settings worth mentioning:

Connection > SSH > Enable compression: on
Connection > SSH > Preferred SSH protocol version: 2 only

If you want PuTTY to open some session when you start it, just create a shortcut and add a suffix

-load "Session-Name"

For example: C:\Program Files\Putty\putty.exe -load "MySession"

Incredible Linux shell tricks 0

Find in history

Don’t search history by grepping ~/.bash_history, or repeatedly hitting the up arrow, instead use CTRL+r (or ‘/’ in vi-mode) for search-as-you type. You can immediately run the command by pressing Enter.

Changing file extensions

Rename replaces string X in a set of file names with string Y.

rename 's/\.html$/.php/' *.html

This will change the extension of every .html file in your CWD to .php.

Selected keystrokes:

Ctrl-U - Cuts everything to the left
Ctrl-W - Cuts the word to the left
Ctrl-Y - Pastes what’s in the buffer
Ctrl-A - Go to beginning of line
Ctrl-E - Go to end of line

Use && to run a second command if and only if a first command succeeds:

cd tmp/a/b/c && tar xvf ~/archive.tar

Use || to run a second command if and only if a first command fails:
cd /tmp/a/b || mkdir -p /tmp/a/b

See your favorite commands

Use the following to see the commands you use most often based on your shell history:

history | awk '{print $2}' | sort | uniq -c | sort -rn | head

Sum up your HDD space

Longish one-liner (I actually wrote it on one line first) that gives you a somewhat accurate sum of your file systems' totals (the mount list is never good enough).

df | egrep -v "(Filesystem|\/dev$|shm$|dvd|cdrom)" | awk '{totalu += $2 ; totalf += $4} END {print "Total space in devices: " (totalu/1024/1024) " GB\nFree space total: " (totalf/1024/1024) " GB"}'

Argument list too long

ls -x | xargs rm

Sometimes there are so many files in a directory that the rm command doesn't work:

[root@server logs]# rm *
bash: /bin/rm: Argument list too long

In this case the best option is to use ls in conjunction with xargs:

[root@server logs]# ls | xargs rm

http://en.wikipedia.org/wiki/Xargs

Get your IP address

lynx -dump http://whatismyip.com | awk '/^Your/ {print $5}'

Run commands on logout

If a file named $HOME/.logout (a file named .logout in your home directory) exists, and the following trap statement is in your .profile, .logout is executed when you logout.

Add this to .profile:

trap "$HOME/.logout" 0

Remove comments and blank lines

Remove comments and blank lines from a file:

sed '/ *#/d; /^ *$/d' file

Remove empty directories

To remove empty directories (even if filenames or dirnames contain spaces or weird characters) from a tree you can do:

find . -type d -empty -print0 | xargs -0 rmdir

Duplicate directory tree

The following command creates in the /usr/project directory, a copy of the current working directory structure:

find . -type d -print | sed 's@^\.\{0,1\}@/usr/project@' | sed 's/ /\\ /g' | xargs mkdir -p

Fedora 9 “No drives found” installation failure (WD drive jumper as a reason) 5

I had a problem installing the latest Fedora 9 i386 on an old Compaq Evo (Intel 845 motherboard). The installer did not see any HDD in my system. Yet the hard disk (WD800, 80 GB Western Digital IDE) was present and visible in the BIOS and in DOS (fdisk worked).

The solution and the problem were very stupid. The HDD was not jumpered properly. It was a single drive, but jumpered as “Master w/ Slave”. The valid jumper position is “Single”.

At first, I spent more than an hour trying various kernel configuration options. But after changing this jumper, it worked like a charm.

Suexec, suPHP? What are these exactly? 0

In one sentence, these two security functions can be described as:

suPHP is a tool for executing PHP scripts with the permissions of their owners instead of the Apache user.

suEXEC provides Apache users the ability to run CGI and SSI (Server Side Includes) programs under user IDs different from the user ID of the calling web-server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.

Translated: suPHP is for PHP what suEXEC is for CGI.

Mail problem after ‘yum update’ at CentOS 5.1 0

So, I just updated everything on my x86_64 CentOS 5.1 Linux installation. And everything looked fine until I found out that email could not be received, and what's more, I could not log in to Roundcube webmail anymore. The same happened in SquirrelMail: both clients just hang/freeze when trying to log in, without any kind of meaningful notification, just waiting indefinitely.

I checked the log files and saw something like this:

error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Cannot allocate memory

To fix the issue, open the /etc/dovecot.conf and adjust (uncomment) the following directive:

login_process_size = 64

Stupid as it looks, that's it.

Ports used by Samba 0

These ports need to be opened in your firewall for Samba to be functional.

  • UDP
    137 / udp / NetBIOS Name Service
    138 / udp / NetBIOS Datagram Service
  • TCP
    139 / tcp / NetBIOS Session Service
    445 / tcp / Microsoft Directory Service
  • for Samba Web Administration
    901 / tcp / SWAT

If you use the ISPConfig Hosting Control Panel, just go to Management / Services / Firewall and add a firewall rule. One note: despite what the help info says, a port range cannot be used when specifying a UDP port; it's a bug (see this thread).

Typical Linux Directory Structure 0

The structure and a short explanation of its content.

Samba - the basics 0

Sharing the directory

mkdir -p /home/shared
chown -R root:users /home/shared
chmod -R 775 /home/shared

Look at the great beginner info on permissions and chmod.

Then, in SWAT (it can be started at http://192.168.0.1:901/ if the server IP is 192.168.0.1), create a share with the following data (my example).

comment = Share for all users
path = /home/shared/
valid users = @users
force group = users
read only = No
create mask = 0660
security mask = 0660
directory mask = 0771
directory security mask = 0771
available = Yes

Adding a Samba user

Probably the best way is to use SWAT again (under the Password menu item). But if you want to do it on the command line, to add a user to the system use

useradd myusername -m -G users

Then add it to Samba and set a password

smbpasswd -a myusername

Global settings needed for public shares

In advanced SWAT configuration, change the following

security = user (it's default, but just as a reminder)
map to guest = Bad User (because unknown usernames should be mapped to guest account - needed for the public access shares)
null passwords = yes (for allowing users without passwords)

And, for the share

guest ok = Yes (which is same as: public = yes)
read only = No (which is same as: writable = yes)
create mask = 0777
directory mask = 0777

and optionally

force user = nobody
force group = nobody
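The relationships described above (a public share only works when the global section maps unknown users to guest, and the authenticated share keeps its 0660/0771 masks) are easy to break when editing smb.conf by hand rather than through SWAT. The added example below, my own and not Samba's or the author's code, parses two constructed smb.conf fragments in the shape of the settings above and reports exactly those two problems: a guest ok share without map to guest in [global], and a world-writable create/directory mask on a share restricted to valid users. The configs are constructed samples; the checks cover only the rules this post states, not Samba's full semantics.

```python
import configparser

# Constructed smb.conf fragments in the shape of the SWAT settings above;
# they are not the author's configuration.
WEAK_CONF = """
[global]
workgroup = WORKGROUP
security = user

[shared]
comment = Share for all users
path = /home/shared/
valid users = @users
force group = users
read only = No
create mask = 0777
directory mask = 0771

[public]
path = /home/public/
guest ok = Yes
read only = No
create mask = 0777
directory mask = 0777
"""

FIXED_CONF = """
[global]
workgroup = WORKGROUP
security = user
map to guest = Bad User
null passwords = yes

[shared]
comment = Share for all users
path = /home/shared/
valid users = @users
force group = users
read only = No
create mask = 0660
directory mask = 0771

[public]
path = /home/public/
guest ok = Yes
read only = No
create mask = 0777
directory mask = 0777
force user = nobody
force group = nobody
"""


def is_yes(value):
    """Samba accepts yes/true/1/on as boolean true."""
    return value.strip().lower() in ("yes", "true", "1", "on")


def load_smb_conf(text):
    # smb.conf is INI-like; '%' macros must not be treated as interpolation.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def world_writable(mask_value):
    """True when an octal create/directory mask keeps the 'other write' bit."""
    return int(mask_value.strip(), 8) & 0o002 != 0


def share_issues(text):
    cp = load_smb_conf(text)
    map_to_guest = "never"  # Samba's default when the option is absent
    if cp.has_section("global"):
        map_to_guest = cp["global"].get("map to guest", "never").strip().lower()
    issues = []
    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        public = is_yes(s.get("guest ok", s.get("public", "no")))
        if public and map_to_guest == "never":
            issues.append(f"[{name}]: guest ok = yes needs 'map to guest = Bad User' in [global]; "
                          "unknown users are rejected instead of mapped to guest")
        if not public:
            for key in ("create mask", "directory mask"):
                if key in s and world_writable(s[key]):
                    issues.append(f"[{name}]: {key} = {s[key]} grants write to everyone on an authenticated share")
    return issues


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: {share_issues(conf) or 'no issues'}")
```

Note that the public share keeps its 0777 masks in both configurations: that is what the post prescribes for guest access, and the checker only objects to such masks on shares that were meant to be limited to valid users.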

2-day agony trying to install Windows Vista on Gigabyte GA-P35-DS3R 0

These were some of the worst days I could imagine.
I just wanted to speed up my system, but it ended in a very painful experience.

I had a big problem when trying to install the Vista 32-bit OS on my new motherboard with the ICH9R SATA controller.

Nothing helped.

Finally, getting the latest Vista DVD ISO with SP1 solved the problem like it never existed.