Archive

How To Install XCache From Source

XCache is a fast, stable PHP opcode cacher that has been proven and is now running on production servers under high load. It is tested (on Linux) and supported on all of the latest PHP release branches, such as PHP_5_1, PHP_5_2, PHP_5_3, PHP_5_4 and PHP_5_5. ThreadSafe/Windows is also fully supported. XCache overcomes many of the problems found with other opcode cachers, such as being able to run with new PHP versions.

CentOS doesn’t come with the development tools, so before installing anything from source you should install them, or the build will fail with errors:

yum groupinstall "Development Tools"

Now download XCache from the source site: http://xcache.lighttpd.net

~/src $ wget http://... (the release url)
~/src $ tar -zxf xcache-*.tar.gz
~/src $ cd xcache
~/src/xcache $ phpize
~/src/xcache $ ./configure --enable-xcache
~/src/xcache $ make
~/src/xcache $ su
~/src/xcache # make install
~/src/xcache # cat xcache.ini >> /etc/php.ini
(it's two > characters, not one: a single > would overwrite php.ini instead of appending to it)

(now edit /etc/php.ini with your favorite editor)
~/src/xcache # $EDITOR /etc/php.ini
(make sure zend_extension=../../xcache.so is the first zend_extension= line, before any other zend_extension=*** entries)
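As an added check (not part of the XCache notes above), these shell functions verify the two things that go wrong most often at this step: xcache.so not being the first zend_extension, and xcache.so being appended to php.ini twice. The php.ini fragments are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the XCache install notes: check that a php.ini
# satisfies the ordering rule above (xcache.so must be the first
# zend_extension) and that xcache.so is not listed twice, which is what
# happens if "cat xcache.ini >> /etc/php.ini" is run a second time.

# Print the value of every active zend_extension= line, in file order.
# Commented lines (";" or "#") are skipped; optional quotes are stripped.
zend_extensions() {
    sed -n 's/^[[:space:]]*zend_extension[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p'
}

# Succeed (exit 0) when the first zend_extension names xcache.so.
xcache_is_first() {
    first=$(zend_extensions | head -n 1)
    case "$first" in
        *xcache.so) return 0 ;;
        *)          return 1 ;;
    esac
}

# Succeed when xcache.so appears at most once among the zend_extension lines.
xcache_loaded_once() {
    n=$(zend_extensions | grep -c 'xcache\.so$' || true)
    [ "$n" -le 1 ]
}

# Constructed php.ini fragments (not taken from any real server).
sample_good_ini() {
    cat <<'EOF'
; xcache first, as the install notes require
zend_extension = /usr/lib64/php/modules/xcache.so
zend_extension=/usr/lib64/php/modules/other.so
EOF
}

sample_bad_ini() {
    cat <<'EOF'
;zend_extension=/usr/lib64/php/modules/xcache.so   <- commented out, does not count
zend_extension = "/usr/lib64/php/modules/other.so"
zend_extension = /usr/lib64/php/modules/xcache.so
EOF
}

sample_dup_ini() {
    cat <<'EOF'
zend_extension = /usr/lib64/php/modules/xcache.so
zend_extension = /usr/lib64/php/modules/xcache.so
EOF
}

# Against a real file:  xcache_is_first < /etc/php.ini && echo "order ok"
```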

That's all; it should help optimise your PHP processes and reduce your server load. If you run into any issue during installation, leave us a comment or email us at [email protected] and we'll help you resolve the error.

Tuning Apache for High Traffic

Step 1: Optimize your software

First of all, optimize your software. No LAMP stack setup can repair the damage done by bad database queries, missing caching, bloated code and bad HTTP headers (client-side caching!), so there is no way around this step. When we were confronted with a huge load on the server, the first thing we did was to optimize all queries once again and disable functions that were not necessary for the user (e.g. statistics).

Step 2: Split servers

The site I am talking about is hosted in the Amazon cloud, so we used an EC2 instance for the web server, an RDS instance for our MySQL database and S3 storage for static images that were not submitted by users (e.g. icons). This is an important step, since it can reduce load to a third of what it was before, especially when you consider that simple requests for static files are more likely to kill your LAMP setup than dynamic requests are.

Why is this?

When you use the Apache MPM Prefork module, several Apache processes are started in the background to handle incoming requests. If your clients have to load static files like images through your Apache setup, it is likely that all processes end up tied up serving simple static file requests rather than the dynamic requests (like PHP) they are really there for.

Step 3: Set up MPM Prefork

The default Apache setup uses only one thread to handle all requests. Fine on localhost, but not fine on a production system. You should have the MPM Prefork module installed. This module launches several Apache processes which then handle all incoming requests.

Choose the right number of processes

Each Apache process will consume a similar amount of memory on your server, depending on the Apache modules that are loaded (next step) and the tasks you execute. So you have to choose a number of processes that matches your available memory. If there is 1GB of memory available for Apache (not 1GB in total; your OS will use memory too 😉) and one of your Apache processes uses 20MB of memory, you can launch 50 processes. If you choose more, Apache will run into swap, which results in huge memory issues.

Find out memory usage:

# ps -FA | grep apache2

To set the maximum number of processes launched open your Apache config (usually /etc/apache2/apache2.conf) and set MaxClients to the correct number.
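As an added example (not from the original article), this derives MaxClients from the RSS column of the ps output above rather than guessing; the ps lines are a constructed sample, and the control process (PPID 1) is left out of the average because it serves no requests.

```shell
#!/bin/sh
# Added example, not from the original article: derive MaxClients from the
# RSS column of "ps -FA | grep apache2" output instead of eyeballing it.
# ps -FA columns are UID PID PPID C SZ RSS PSR STIME TTY TIME CMD; RSS is
# field 6 in KiB and CMD starts at field 11.

# Read ps -FA lines on stdin and print the average RSS (KiB) of the Apache
# worker processes. The control process (PPID 1) serves no requests, so it
# is left out; unrelated processes are ignored.
apache_avg_rss_kb() {
    awk '$11 ~ /apache2|httpd/ && $3 != 1 { sum += $6; n++ }
         END { if (n == 0) print 0; else printf "%d\n", sum / n }'
}

# MaxClients that fits in the memory you want Apache to use:
# reserved MiB * 1024 / average RSS (KiB). Prints 0 if there is no sample.
max_clients_for() {
    avail_mb=$1
    avg_kb=$2
    if [ "$avg_kb" -le 0 ]; then
        echo 0
        return
    fi
    echo $(( avail_mb * 1024 / avg_kb ))
}

# Constructed ps -FA output (not a real capture): a control process,
# three prefork workers at 20 MiB each, and an unrelated mysqld.
sample_ps() {
    cat <<'EOF'
UID        PID  PPID  C    SZ   RSS PSR STIME TTY          TIME CMD
root      1203     1  0  2100  4096   0 10:00 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  1210  1203  0  7500 20480   0 10:00 ?        00:00:01 /usr/sbin/apache2 -k start
www-data  1211  1203  0  7500 20480   1 10:00 ?        00:00:01 /usr/sbin/apache2 -k start
www-data  1212  1203  0  7500 20480   0 10:00 ?        00:00:00 /usr/sbin/apache2 -k start
mysql     1300     1  0 90000 310000  1 10:00 ?        00:00:09 /usr/sbin/mysqld
EOF
}

# The 1GB / 20MB case from the text: with 1 GiB set aside for Apache this
# prints 51 (leave a little headroom below that number for MaxClients).
apache_sizing_demo() {
    avg=$(sample_ps | apache_avg_rss_kb)
    max_clients_for 1024 "$avg"
}
```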

Step 4: Disable Apache modules

Apache modules use memory in each process that is launched, and this is very expensive. The default Apache setup comes with more than 20 enabled modules that we did not need. You should disable everything that is not necessary for your site to run:

# a2dismod ruby
# a2dismod include
# a2dismod dav
# a2dismod dav_fs
... and so on ...

This will save you memory and allows you to launch more parallel processes.

Step 5: Reduce KeepAliveTimeout

If a client connects to your web server, it keeps the connection open for a specific number of seconds for further requests. During this time, the whole Apache process is locked for other requests. You can specify the number of keep-alive seconds in your Apache config using the KeepAliveTimeout directive. You should keep KeepAlive enabled but reduce KeepAliveTimeout to a value of 2-3 seconds. Default is 30. When we monitored our server we were also confronted with a lot of processes sitting in the Keep-Alive state; this change solved the issue and we were able to serve three times more visitors with the same server setup!

Step 6: Have a look at server-status!

Enable the mod_status module (# a2enmod status) and the ExtendedStatus directive (“ExtendedStatus On”) in /etc/apache2/mods-enabled/status.conf. Then have a look at /server-status, which tells you how many Apache processes are running and in which state (e.g. to find out whether Keep-Alive is killing your setup) and which files are being requested. You may be able to work out which files to move to S3 storage using this technique.

What else to do?

If you are using PHP you should enable eAccelerator or something similar. You could use Memcached for sessions and caching, and so on. There is a lot to do when optimizing your site for high traffic, and it costs time. Nothing to do about that 😉

How To Install Linux, Lighttpd, MySQL, and PHP5 (LLMP Stack) on Centos 6

Introduction

Lighttpd is an open source web server originally written by Jan Kneschke as an alternative to Apache. It has a low memory footprint, and numerous websites such as YouTube and Wikimedia run Lighttpd servers. MySQL is a popular database solution for use in web applications (such as WordPress) and is generally combined with a server-side scripting language, PHP.

This tutorial will show you the steps required to install Lighttpd, PHP and MySQL on CentOS 6 so that you can get up and running with your server.

Step One – Prerequisites

Update your system:

sudo yum update

You will need to install wget, a package for retrieving files using HTTP, HTTPS and FTP:

sudo yum install wget

Notice that the command starts with “sudo”. This will allow you to run the instructions with root privileges.

Step Two – Installing MySQL

To install MySQL, log in to your VPS and type:

sudo yum install mysql-server

Create a system start-up link for MySQL to enable the services to run at boot:

sudo chkconfig --levels 235 mysqld on

This might seem silly, but it is a good idea to verify that the MySQL server is running; otherwise you will get MySQL ERROR 2002 (HY000) when running the mysql_secure_installation command:

sudo service mysqld status

If the service is not running, type:

sudo service mysqld start

Create a password for the MySQL user root and perform some initial configurations:

sudo mysql_secure_installation
Enter current password for root (enter for none):_

Since a MySQL root password has not been configured we can just press ENTER and continue with the process of setting up MySQL:

Set root password? [Y/n] y
New password: SQL.ROOT.PASSWORD.EXAMPLE
Re-enter new password: SQL.ROOT.PASSWORD.EXAMPLE
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y

Step Three – Installing Lighttpd

Lighttpd and PHP-FPM are not available from the official CentOS repositories, so let’s go ahead and add the Remi RPM and the EPEL repositories to CentOS:

sudo rpm --import https://fedoraproject.org/static/0608B895.txt
sudo wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
sudo rpm -ivh epel-release-6-8.noarch.rpm

Then run the following command to install Lighttpd:

sudo yum install lighttpd

Create a system start-up link for Lighttpd to enable the service to run at boot:

sudo chkconfig --levels 235 lighttpd on

Start the service and check that it is running:

sudo service lighttpd start
sudo service lighttpd status

Open your browser and type your VPS’ IP address (http://123.456.789.10); you can run the following command to reveal your VPS’ IP address:

ifconfig

The Lighttpd welcome page should be displayed.

Typical Errors – Lighttpd Troubleshooting

ERROR 1: Lighttpd fails to start with “socket failed: Address family not supported by protocol” or “please use server.use-ipv6 only for hostnames, not without server.bind…”. Open lighttpd.conf:

sudo nano /etc/lighttpd/lighttpd.conf

And disable IPv6:

##
server.use-ipv6 = "disable"
##

ERROR 2: Warning “can’t have more connections than fds/2: 1024 1024”, open Lighttpd.conf:

sudo nano /etc/lighttpd/lighttpd.conf

Uncomment #server.max-fds = 2048:

##
server.max-fds = 2048
##

Restart Lighttpd:

sudo service lighttpd restart
Stopping lighttpd [OK]
Starting lighttpd [OK]

Step Four – Installing PHP

Install PHP5 (FPM):

sudo yum install php-fpm lighttpd-fastcgi

Open www.conf:

sudo nano /etc/php-fpm.d/www.conf

Set the user and group to lighttpd:

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
user = lighttpd
; RPM: Keep a group allowed to write in log dir.
group = lighttpd

Create a system start-up link for PHP-FPM to enable the service to run at boot:

sudo chkconfig --levels 235 php-fpm on

Start the service and check that it is running:

sudo service php-fpm start
sudo service php-fpm status

Once the installation is complete, we have to enable PHP5 in Lighttpd. First, open your php.ini file:

sudo nano /etc/php.ini

And uncomment the required line:

;
cgi.fix_pathinfo=1
;

Open modules.conf:

sudo nano /etc/lighttpd/modules.conf

And uncomment this line:

##
include "conf.d/fastcgi.conf"
##

Open fastcgi.conf:

sudo nano /etc/lighttpd/conf.d/fastcgi.conf

and add the following lines:

## for the php-num-procs example it means you will get 17*5 = 85 php
## processes. you always should need this high number for your very
## busy sites. And if you have a lot of RAM. :)
## ADD YOUR LINES HERE
fastcgi.server += ( ".php" =>
        ((
                "host" => "127.0.0.1",
                "port" => "9000",
                "broken-scriptfilename" => "enable"
        ))
)
## GOOD JOB
#fastcgi.server = ( ".php" =>

Install MySQL PHP module:

sudo yum install php-mysql

Restart Lighttpd and PHP-FPM:

sudo service php-fpm restart
sudo service lighttpd restart

Step Five (Optional) – Testing PHP using info.php

Create info.php:

sudo nano /var/www/lighttpd/info.php

Add the following lines:

<?php
phpinfo();
?>

Open your browser and go to your server’s IP, http://123.456.789.10/info.php. The page should show that PHP is working through FPM/FastCGI and that the MySQL module is listed, so it is working as well. Once you have confirmed this, delete info.php again: it publishes your PHP configuration to anyone who can reach the server.

And that is all; congratulations!

Adding Secondary IP Addresses On Centos

There are plenty of reasons you might need an additional IP address (and everyone agrees that SEO is not one of them). Getting a secondary IP address is a simple process if it is done for the right reasons and done correctly. You do NOT need additional NICs; instead you will create virtual adapters, as the secondary IP routes through the primary interface.

Also, this is a great thing to do at home; I’ve done it to run multiple internal IP addresses on one server so that multiple applications can use the same ports (for KISS** sake). Please note that I am doing this in a virtual testing environment, so your settings will definitely be different.

** KISS = Keep It Stupid Simple **

You will need to be the root user and navigate to /etc/sysconfig/network-scripts:

# cd /etc/sysconfig/network-scripts

When you list the files in the directory you will see “ifcfg-eth0” (or eth1 if you’re doing it for a different adapter):

# ls -l | grep ifcfg-eth
-rw-r--r-- 1 root root   119 Jan 11 19:16 ifcfg-eth0
-rw-r--r-- 1 root root   119 Jan  3 08:45 ifcfg-eth0.bak
-rw-r--r-- 1 root root   119 Feb 24 04:34 ifcfg-eth1
-rw-r--r-- 1 root root   128 Jan 19 18:20 ifcfg-eth1.bak

Now adding the virtual adapters is easy. If the main adapter is called “eth0”, you name the next (virtual) adapters in sequential order like so:

  • ifcfg-eth0 (primary adapter, physical)
  • ifcfg-eth0:1 (first virtual adapter to the physical primary adapter)
  • ifcfg-eth0:2 (second virtual adapter to the physical primary adapter)
  • and so on…

That being said, let's go ahead and copy our primary adapter configuration file and name it as the first virtual adapter for the physical primary:

# cp ifcfg-eth0 ifcfg-eth0:1
# ls -l | grep ifcfg-eth
-rw-r--r-- 1 root root   119 Jan 11 19:16 ifcfg-eth0
-rw-r--r-- 1 root root   119 Feb 24 08:53 ifcfg-eth0:1
-rw-r--r-- 1 root root   119 Jan  3 08:45 ifcfg-eth0.bak
-rw-r--r-- 1 root root   119 Feb 24 04:34 ifcfg-eth1
-rw-r--r-- 1 root root   128 Jan 19 18:20 ifcfg-eth1.bak

Now we have to configure this virtual adapter: give it a static IP (of course), no hardware address (MAC), a netmask, and of course rename the device.

# vim ifcfg-eth0:1
DEVICE=eth0:1
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.1.1.2
NETMASK=255.255.255.0

There is no need to specify a MAC address as it is a virtual adapter and there is also no need to specify a default gateway as it is already routed through the primary adapter. Basically there are only four things that you will need to change:

  • File name for the adapter itself
  • DEVICE=<device name> (should correspond with the file name)
  • IPADDR=<ip address>
  • NETMASK=<netmask>
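As an added helper (not from the original post), this generates the alias file from the primary adapter's file by applying exactly the four changes listed above and dropping the HWADDR and GATEWAY lines an alias must not carry; the primary ifcfg content it reads is a constructed sample.

```shell
#!/bin/sh
# Added helper, not from the original post: generate the ifcfg-ethX:N file
# for a virtual adapter from the primary adapter's file. Reads the primary
# ifcfg on stdin and prints the alias file; generic settings (TYPE=,
# NM_CONTROLLED=, ...) are kept, DEVICE/IPADDR/NETMASK are replaced, and
# HWADDR and GATEWAY are dropped as the post explains.
alias_ifcfg() {
    idx=$1
    ip=$2
    mask=$3
    awk -v idx="$idx" -v ip="$ip" -v mask="$mask" '
        function dotted_quad(a,   o, i) {
            if (split(a, o, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        BEGIN {
            # Refuse anything that is not a dotted quad before touching the config.
            if (!dotted_quad(ip) || !dotted_quad(mask)) {
                print "bad address or netmask: " ip " / " mask > "/dev/stderr"
                bad = 1
                exit 1
            }
        }
        /^DEVICE=/ { base = substr($0, 8); next }   # remember eth0, do not copy the line
        /^(HWADDR|MACADDR|GATEWAY|UUID|IPADDR|NETMASK|PREFIX|BOOTPROTO|ONBOOT)=/ { next }
        { print }                                   # everything else is inherited
        END {
            if (bad) exit 1
            if (base == "") { print "no DEVICE= line in input" > "/dev/stderr"; exit 1 }
            print "DEVICE=" base ":" idx
            print "BOOTPROTO=static"
            print "ONBOOT=yes"
            print "IPADDR=" ip
            print "NETMASK=" mask
        }'
}

# Constructed primary adapter file (not a real host's configuration).
sample_primary() {
    cat <<'EOF'
DEVICE=eth0
HWADDR=08:00:27:ED:05:B7
TYPE=Ethernet
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.1.1.1
NETMASK=255.255.255.0
GATEWAY=10.1.1.254
NM_CONTROLLED=no
EOF
}

# Real use, as root in /etc/sysconfig/network-scripts:
#   alias_ifcfg 1 10.1.1.2 255.255.255.0 < ifcfg-eth0 > ifcfg-eth0:1
```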

Afterwards, just restart the networking service:

# service network restart

That’s it; let’s check ifconfig to make sure the virtual adapter is there and working:

# ifconfig eth0:1
eth0:1    Link encap:Ethernet  HWaddr 08:00:27:ED:05:B7
inet addr:10.1.1.2  Bcast:10.1.1.255  Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

# ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=0.073 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=0.042 ms
64 bytes from 10.1.1.2: icmp_seq=3 ttl=64 time=0.029 ms
64 bytes from 10.1.1.2: icmp_seq=4 ttl=64 time=0.029 ms
--- 10.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.029/0.043/0.073/0.018 ms

Securing DNS against DDOS Amplification Attacks

When you run a DNS server on your dedicated server, it will be a target of DNS amplification attacks. To prevent these attacks from succeeding and using up your bandwidth (which you will pay for), you need to configure your DNS server not to answer recursive queries.

Check if your server is vulnerable

You can send a DNS query to your server, e.g. “thatserver.dedicated.com”, using dig or nslookup:

dig @thatserver.dedicated.com www.isc.org

Alternatively:

nslookup
> server thatserver.dedicated.com
> isc.org
Non-authoritative answer:
Name:    isc.org
Address: 1.1.1.1

If you receive an answer that includes the IP address of www.isc.org (or isc.org), then your server is vulnerable, because it did the work of finding the answer and presenting it to you.
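As an added example (not from the original article), this reads dig's own output and applies the test just described mechanically: "ra" in the flags line means the server advertises recursion, and status NOERROR with ANSWER > 0 means it resolved the name for us, whereas a server running with "recursion no;" answers REFUSED with ANSWER: 0. The dig transcripts are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original article: decide from dig's header
# whether a server answered a recursive query for a zone it does not host.
# "ra" in the flags line = recursion available; status NOERROR with
# ANSWER > 0 = the server resolved the name for us (the condition the text
# calls vulnerable). A non-recursive server returns REFUSED, "qr rd", ANSWER: 0.

# Read dig output on stdin, print a one-line summary, exit 0 if the server
# showed open recursion and 1 otherwise.
dig_open_recursion() {
    awk '
        /^;; ->>HEADER<<-/ {
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            inflags = 0
            for (i = 1; i <= NF; i++) {
                f = $i
                if (f == "flags:") { inflags = 1; continue }
                if (inflags) {
                    if (f == "ra" || f == "ra;") ra = 1
                    if (f ~ /;$/) inflags = 0      # ";" closes the flag list
                }
                if (f == "ANSWER:") { answers = $(i + 1); sub(/,$/, "", answers) }
            }
        }
        END {
            printf "status=%s ra=%d answers=%d\n", status, ra + 0, answers + 0
            exit !(status == "NOERROR" && ra && answers + 0 > 0)
        }'
}

# Constructed dig transcripts (not real captures) for the two cases.
sample_dig_open() {
    cat <<'EOF'
; <<>> DiG <<>> @thatserver.dedicated.com www.isc.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.isc.org.                   IN      A

;; ANSWER SECTION:
www.isc.org.            600     IN      A       1.1.1.1
EOF
}

sample_dig_refused() {
    cat <<'EOF'
; <<>> DiG <<>> @thatserver.dedicated.com www.isc.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.isc.org.                   IN      A
EOF
}

# Against your own server:  dig @thatserver.dedicated.com www.isc.org | dig_open_recursion
```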

Simple solutions

Often enough, if you are running a DNS server, you probably don’t need it. Turn it off: stop the service and remove the software.

You only need a DNS server on your system for one of the following purposes:

  • Your DNS server is configured with zone files for domains that you are hosting, and you have asked a DNS registrar (e.g. enom.com) to point domains to your DNS server. You will recognise these terms if you have done this. You do not need DNS recursion for this function.
  • You are unhappy with the quality of the DNS resolver you are using and would rather implement this function yourself. If this is why you have a DNS server, you do not need to answer external queries. You can protect the server with a firewall.
  • You are providing zone files for a private domain, e.g. as part of Active Directory. In this case you can limit your responses to only those systems that have an interest in that private domain, i.e. members of the Active Directory system.
  • You are competing with OpenDNS and Google’s DNS recursor. If you are doing this, you must implement appropriate rate limits, which is left as an exercise for the reader.

Secure named (bind) on Linux

Add this to the “options” section of /etc/named.conf :

    recursion no;
    additional-from-auth no;
    additional-from-cache no;

Then restart named so that it will use the new secure options:

    /etc/init.d/named restart

For detailed information see http://www.cymru.com/Documents/secure-bind-template.html

Secure Microsoft DNS server

If you have installed or enabled Exchange then you have implicitly turned on DNS, which by default runs as a recursive service and can be abused badly. Usually you can just firewall the DNS service.

Run this command:

    dnscmd . /Config /NoRecursion 1

Or follow this procedure:

    Start | Administrative Tools | DNS (DNS manager)
    Right click DNS server | 
        Properties | 
        Advanced | 
        Server options | 
        Disable recursion -> Yes, OK

Unfortunately, it is not possible to prevent the Microsoft DNS server from replying with cached values, so your non-recursive DNS server will provide a small amount of useful traffic amplification for attackers. Where possible, add a firewall rule that blocks incoming traffic from unauthorised clients towards port 53/UDP (and port 53/TCP for good measure).

IPtables rules for Linux

If your DNS server is used only by the machine on which you are running it, you can block external queries as follows:

iptables -A INPUT -p udp -m udp --dport 53 ! -i lo -j DROP

These iptables firewall rules prohibit excessive ANY queries (more than 5 in 60 seconds from one source) to a non-recursive DNS server:

iptables -A INPUT -p udp -m udp --dport 53 \
    -m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 \
    -m recent --set --name dnsanyquery --rsource
iptables -A INPUT -p udp -m udp --dport 53 \
    -m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 \
    -m recent --rcheck --seconds 60 --hitcount 5 --name dnsanyquery --rsource \
    -j DROP

If for some reason you have to run an open DNS resolver, you can rate-limit the queries you accept (here, dropping traffic from any /28 source block that sends more than 20 queries per second after a burst of 100):

iptables -A INPUT -p udp --dport 53 -m hashlimit \
--hashlimit-name DNS --hashlimit-above 20/second --hashlimit-mode srcip \
--hashlimit-burst 100 --hashlimit-srcmask 28 -j DROP

If you know what the above means you can install these rules in your system.

Reference information

You can read more about this here:

IPtables Blacklists

Many of you already use online blacklists to fight spam. Recently I’ve discovered http://www.openbl.org/ and started using their lists on my firewall to prevent attacks from hosts that are known to be performing attacks. It works in a very similar way to all the spam blacklists out there, and this is how I’ve implemented them on my firewall.

First of all, you’ll need to have some packages installed:

sudo apt-get install iptables ipset wget

Now create an ipset to store all the abusing IP addresses and use iptables to block them:

#!/bin/bash
# Typographic quotes and dashes from the original post are replaced with
# plain ASCII so the script actually runs. The ipset calls use the ipset 4
# syntax of the original; on ipset 6 the equivalents are
# "ipset create blackips hash:ip", "ipset create blacknets hash:net" and
# "ipset add SET ENTRY".
BLOCKDB="block.txt"
WORKDIR="/tmp"
pwd=$(pwd)
cd "$WORKDIR" || exit 1
# Set of single IP addresses to block
ipset --create blackips iphash
## Obtain list of bad guys from openbl.org
wget -q -c --output-document="$BLOCKDB" http://www.openbl.org/lists/base.txt
if [ -f "$BLOCKDB" ]; then
    IPList=$(grep -Ev "^#" "$BLOCKDB" | sort -u)
    for i in $IPList
    do
        ipset --add blackips "$i"
    done
fi
rm -f "$BLOCKDB"
## Obtain list of bad guys from ciarmy.com
wget -q -c --output-document="$BLOCKDB" http://www.ciarmy.com/list/ci-badguys.txt
if [ -f "$BLOCKDB" ]; then
    IPList=$(grep -Ev "^#" "$BLOCKDB" | sort -u)
    for i in $IPList
    do
        ipset --add blackips "$i"
    done
fi
rm -f "$BLOCKDB"
## Obtain list of bad guys from dshield.org (tab-separated; the IP is field 1)
wget -q -c --output-document="$BLOCKDB" http://feeds.dshield.org/top10-2.txt
if [ -f "$BLOCKDB" ]; then
    IPList=$(grep -E "^[1-9]" "$BLOCKDB" | cut -f1 | sort -u)
    for i in $IPList
    do
        ipset --add blackips "$i"
    done
fi
rm -f "$BLOCKDB"
# Set of networks to block
ipset --create blacknets nethash
## Obtain list of bad guys from dshield.org (fields: start, end, prefix length;
## start and prefix are joined into CIDR notation)
wget -q -c --output-document="$BLOCKDB" http://feeds.dshield.org/block.txt
if [ -f "$BLOCKDB" ]; then
    IPList=$(grep -E "^[1-9]" "$BLOCKDB" | cut -f1,3 | sed "s/\t/\//g" | sort -u)
    for i in $IPList
    do
        ipset --add blacknets "$i"
    done
fi
rm -f "$BLOCKDB"
## Obtain list of bad guys from spamhaus.org ("CIDR ; SBL reference" per line)
wget -q -c --output-document="$BLOCKDB" http://www.spamhaus.org/drop/drop.lasso
if [ -f "$BLOCKDB" ]; then
    IPList=$(grep -E "^[1-9]" "$BLOCKDB" | cut -d" " -f1 | sort -u)
    for i in $IPList
    do
        ipset --add blacknets "$i"
    done
fi
rm -f "$BLOCKDB"
# Drop blacklisted sources. These rules cover traffic forwarded through this
# box; add matching INPUT rules if the host itself should be protected too.
iptables -A FORWARD -m set --match-set blackips src -j DROP
iptables -A FORWARD -m set --match-set blacknets src -j DROP
cd "$pwd"

In the above script I’ve used two ipsets, one for storing IP addresses and another to store network addresses. You can add this script to your existing firewall and start taking advantage of the blacklists.
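As an added example (not from the original post), this validates feed lines before they reach ipset: the script above pipes raw feed text straight into "ipset --add", so a malformed or reformatted line would abort the loop or add an entry you did not intend. The feed excerpts are constructed samples in the three layouts the script cuts apart.

```shell
#!/bin/sh
# Added example, not from the original post: turn one blocklist feed into
# validated IPv4 addresses or CIDR ranges, de-duplicated, ready for ipset.
#
# mode "ips":    the first field is an address, optionally followed by "/n"
#                (base.txt, ci-badguys.txt, top10-2.txt, drop.lasso)
# mode "ranges": tab-separated "start<TAB>end<TAB>prefix<TAB>..." (dshield block.txt)
feed_entries() {
    mode=$1
    awk -F'\t' -v mode="$mode" '
        function dotted_quad(a,   o, i) {
            if (split(a, o, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        /^[[:space:]]*$/    { next }    # blank line
        /^[[:space:]]*[#;]/ { next }    # comment (openbl/dshield use #, spamhaus uses ;)
        {
            if (mode == "ranges") entry = $1 "/" $3
            else { split($1, w, "[ ;]"); entry = w[1] }   # "1.2.3.0/24 ; SBL123" -> 1.2.3.0/24
            n = split(entry, p, "/")
            if (n > 2 || !dotted_quad(p[1])) next
            if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) next
            print entry
        }' | sort -u
}

# Constructed feed excerpts (not real feed content) in the three layouts.
sample_base() {     # openbl / ciarmy style: one address per line
    cat <<'EOF'
# constructed list
203.0.113.5
203.0.113.5
198.51.100.77
999.1.1.1
not-an-address
EOF
}

sample_block() {    # dshield block.txt style: start<TAB>end<TAB>prefix<TAB>...
    printf '# Start\tEnd\tNetblock\tAttacks\tName\n'
    printf '203.0.113.0\t203.0.113.255\t24\t1500\texample\n'
    printf '198.51.100.0\t198.51.100.255\tabc\t2\tbroken\n'
    printf '192.0.2.0\t192.0.2.255\t24\t3\texample2\n'
}

sample_drop() {     # spamhaus drop.lasso style: CIDR ; SBL reference
    cat <<'EOF'
; constructed DROP excerpt
192.0.2.0/24 ; SBL000001
198.51.100.0/33 ; SBL000002
EOF
}

# In place of the raw loop in the script above:
#   feed_entries ips < base.txt | while read -r i; do ipset --add blackips "$i"; done
```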

How To Stop DDoS Using Mod_Evasive

What is mod_evasive?

mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS or DDoS attack or a brute force attack. It is also designed to be a detection and network management tool, and can easily be configured to talk to ipchains, firewalls, routers and so on. mod_evasive presently reports abuses via email and syslog facilities.

Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:

  • Requesting the same page more than a few times per second
  • Making more than 50 concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted (on a blocking list)

This method has worked well in both single-server script attacks as well as distributed attacks, but just like other evasive tools, is only as useful to the point of bandwidth and processor consumption (e.g. the amount of bandwidth and processor required to receive/process/respond to invalid requests), which is why it’s a good idea to integrate this with your firewalls and routers for maximum protection.

The module instantiates for each listener individually, and therefore has a built-in cleanup mechanism and scaling capabilities. Because of this per-child design, legitimate requests are never compromised (even from proxies and NAT addresses); only scripted attacks are. Even a user repeatedly clicking on ‘reload’ should not be affected unless they do it maliciously. mod_evasive is fully tweakable through the Apache configuration file, easy to incorporate into your web server, and easy to use.
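To make the detection rule concrete, here is an added example (not the original text's and not mod_evasive's own code) that replays the same per-(IP, URI)-per-second and per-IP-per-second counting over constructed access-log lines; the thresholds are assumptions for the demonstration, not mod_evasive's configured defaults.

```shell
#!/bin/sh
# Added example, not from the original text or from mod_evasive itself:
# the detection rule described above, replayed over combined-format
# access-log lines so you can see what it would flag. mod_evasive keys on
# (client IP, URI) and on client IP per second; the same counts are built
# here. Thresholds are assumed for the demonstration.
#
# Reads the log on stdin and prints "IP rule" for each client that exceeded
# a threshold, sorted.
evasive_offenders() {
    page_max=${1:-3}    # same URI more than this many times in one second
    site_max=${2:-50}   # more than this many requests to the site in one second
    awk -v page_max="$page_max" -v site_max="$site_max" '
        {
            ip = $1
            ts = substr($4, 2)          # "[10/Oct/2013:13:55:36" -> second resolution
            uri = $7
            page[ip "|" uri "|" ts]++
            site[ip "|" ts]++
        }
        END {
            for (k in page) if (page[k] > page_max) { split(k, a, "|"); flag[a[1], "page"] = 1 }
            for (k in site) if (site[k] > site_max) { split(k, a, "|"); flag[a[1], "site"] = 1 }
            for (k in flag) { split(k, a, SUBSEP); print a[1] " " a[2] }
        }' | sort
}

# Constructed log lines (not a real capture): one client requests /login.php
# five times within a second, another loads a page and its assets once.
sample_access_log() {
    cat <<'EOF'
203.0.113.9 - - [10/Oct/2013:13:55:36 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "curl/7.29"
203.0.113.9 - - [10/Oct/2013:13:55:36 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "curl/7.29"
203.0.113.9 - - [10/Oct/2013:13:55:36 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "curl/7.29"
203.0.113.9 - - [10/Oct/2013:13:55:36 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "curl/7.29"
203.0.113.9 - - [10/Oct/2013:13:55:36 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "curl/7.29"
198.51.100.4 - - [10/Oct/2013:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2013:13:55:36 +0000] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2013:13:55:36 +0000] "GET /logo.png HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2013:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
EOF
}

# On a live server:  evasive_offenders 3 50 < /var/log/apache2/access.log
```

With the defaults only the repeated /login.php client is reported; lowering the site threshold to 2 shows how a normal page load (page plus two assets in one second) would be caught by a threshold set too low.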

Downloads: mod_evasive_1.10.1.tar.gz

CVS Access

The mod_evasive source tree is available via CVS by using the following commands:

cvs -d :pserver:[email protected]:/usr/local/cvsroot login
cvs -d :pserver:[email protected]:/usr/local/cvsroot checkout mod_evasive

Linux RPMs

The following links are not official RPMs, but have been submitted as freely downloadable.

http://checksuite.sourceforge.net/dl/

Install Linux Malware Detect (LMD) in RHEL, CentOS and Fedora

What is Malware?

Malware is malicious software, scripts or code created and used by attackers to steal private data or gain access to private computer systems. Malware can be trojans, viruses, spyware, adware, rootkits or any other malicious programs, all of which can be very harmful to any computer user.

What is Linux Malware Detect (LMD)?

Linux Malware Detect (LMD) is a free, open source malware scanner and detector for Unix/Linux based operating systems, released under the GNU GPLv2. It is designed to detect the threats faced by shared hosting environments. For more information and features, visit http://www.rfxn.com/projects/linux-malware-detect/.

Install Linux Malware Detect (LMD) in RHEL 6.3/6.2/6.1/6/5.8,CentOS 6.3/6.2/6.1/6/5.8 and Fedora 12,13,14,15,16,17

Installing Linux Malware Detect (LMD) in RHEL, CentOS and Fedora

Step 1: Downloading Linux Malware Detect (LMD)

Download the latest LMD package using the following wget command:

# cd /tmp
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Step 2: Installing LMD

Installing and configuring LMD is straightforward; just follow the steps below as the root user.

# tar xfz maldetect-current.tar.gz
# cd maldetect-*
# ./install.sh

Sample Output

Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks 
            (C) 2011, Ryan MacDonald 
inotifywait (C) 2007, Rohan McGovern 
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(3092): {sigup} performing signature update check...
maldet(3092): {sigup} local signature set is version 201205035915
maldet(3092): {sigup} new signature set (2012071115632) available
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/md5.dat
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/hex.dat
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.ndb
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/rfxn.hdb
maldet(3092): {sigup} downloaded http://www.rfxn.com/downloads/maldet-clean.tgz
maldet(3092): {sigup} signature set update completed
maldet(3092): {sigup} 9649 signatures (7782 MD5 / 1867 HEX)

Step 3: Configuring LMD

By default all options are fully commented in the configuration file, so configure it according to your needs. But before making any changes let’s have a detailed review of each option below.

  1. email_alert : set this to 1 if you would like to receive email alerts.
  2. email_subj : the email subject line.
  3. email_addr : the email address that receives malware alerts.
  4. quar_hits : the default quarantine action for malware hits; set it to 1.
  5. quar_clean : cleaning of detected malware injections; must be set to 1.
  6. quar_susp : the default suspend action for users with hits; set it as per your requirements.
  7. quar_susp_minuid : the minimum user ID that can be suspended.

Open the file /usr/local/maldetect/conf.maldet and make changes according to your needs:

# vi /usr/local/maldetect/conf.maldet

Sample Configuration

Here is my sample configuration file.

# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="[email protected]"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# The default suspend action for users with hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
# minimum userid that can be suspended
quar_susp_minuid=500

Step 4: Manual Scans and Usage

If you would like to scan the users’ home directories, simply issue the following command:

# maldet --scan-all /home

If you performed a scan without the quarantine option turned on, don’t worry: use the following command to quarantine (or clean) all results of that previous scan:

# maldet --quarantine SCANID
OR
# maldet --clean SCANID

Step 5: Daily Scans

By default, the installation places an LMD script under /etc/cron.daily/maldet. It performs a daily scan, updates signatures, quarantines hits and sends a daily malware scan report to the email addresses you specified. If you need additional paths to be scanned, edit this file according to your requirements:

# vi /etc/cron.daily/maldet


WHMCS – Security Advisory Announcement (19-10-13)

========================================

WHMCS Security Advisory for 5.x

http://blog.whmcs.com/?t=80223

========================================

WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates provide targeted changes to address security concerns with the WHMCS product. You are highly encouraged to update immediately.

WHMCS has rated these updates as having critical security impacts. Information on security ratings is available at http://docs.whmcs.com/Security_Levels

== Releases ==

The following patch release versions of WHMCS have been published to address a specific SQL Injection vulnerability:

v5.2.9
v5.1.11

== Security Issue Information ==

This resolves the security issue that was publicly disclosed by “localhost” on October 18th, 2013. This also includes some additional changes to protect against potential SQL injection vectors and additional security measures for admin account management.

== Mitigation ==

=== WHMCS Version 5.2 ===

Download and apply the appropriate patch files to protect against these vulnerabilities.

Patch files for affected versions of the 5.2 series are located on the WHMCS site as itemized below.

v5.2.9 (full version) – Downloadable from the WHMCS Members Area
v5.2.9 (patch only; for 5.2.8) – http://go.whmcs.com/238/v529_Incremental

To apply a patch, download the files indicated above and replace the files within your installation. No upgrade process is required.

=== WHMCS Version 5.1 ===

Download and apply the appropriate patch files to protect against these vulnerabilities.

Patch files for affected versions of the 5.1 series are located on the WHMCS site as itemized below.

v5.1.11 (patch only; for 5.1.10) – http://go.whmcs.com/234/v5111_Incremental

To apply a patch, download the files indicated above and replace the files within your installation. No upgrade process is required.

========================================

What is the .htaccess file and what do I use it for?

Htaccess files are hidden plain text files on the server that help control how your visitors interact with your website. The htaccess file is also used to block specific traffic from being able to view your website. If you look for your .htaccess file you’ll see that there’s no filename: the extension .htaccess tells the server what type of file it is. In cPanel you can see whether you have a current .htaccess file using File Manager, but you will need to make sure you have selected to view hidden files. If you are not familiar with using File Manager please read our article. To view hidden files in File Manager, select the ‘File Manager’ icon in cPanel and make sure the box is checked next to ‘Show Hidden Files.’ Then click ‘OK’ and you will be able to view hidden files.

What can you do with a .htaccess file?

You might have a private area of your website you wish to keep password protected. This password protection is actually set up in the .htaccess file. Most of the functions of the htaccess file you do not have to concern yourself with, as they will be written automatically through cPanel. This is the case for password-protecting directories: while you set it up in cPanel, it actually writes a directive to your htaccess file.

Other functions of the htaccess file include prohibiting hotlinks, rewriting URLs, creating redirects, reconfiguring account settings, and much more. It’s really important to realize how the htaccess file can affect your entire account. Changing something in the htaccess file can alter how your website functions, so it’s really important to back up your current htaccess file BEFORE making changes to it.

Troubleshooting Errors caused by the .htaccess File

If you are getting errors on your website, the .htaccess file can often be the culprit. This is easily tested by renaming your current htaccess file. Often, during troubleshooting I’ll simply rename the .htaccess to .htaccess.old and now I’ll reload the website. If the site loads I then know the issue resides in my configuration of the .htaccess file. If it does not fix the issue I was having, I’ll rename the htaccess by removing the .old I added to the end. That way, it won’t affect my website after I resolve the issue.