Admin Books


delete unnecessary (orphaned) deb packages


If you want to clean up your Linux Mint, Ubuntu or Debian machine and delete unnecessary (orphaned) deb packages, you can use the deborphan utility. It finds packages that no other package depends on. By default it searches only the libs and oldlibs sections to hunt down unused libraries.

Install deborphan with the command sudo apt-get install deborphan, then proceed with the cleanup. To delete unnecessary libraries, execute:

sudo deborphan | xargs sudo apt-get -y remove --purge

To delete unnecessary data packages, use the command:
sudo deborphan --guess-data | xargs sudo apt-get -y remove --purge

To see all packages that no other package requires, use the command:
deborphan --guess-all


There is another tool to delete orphaned packages, GtkOrphan (sudo apt-get install gtkorphan), which does the same as deborphan but as a graphical application. Once it's installed, go to System –> Administration –> Remove Orphaned Packages, enter your password and proceed with the cleanup.

Another useful tip is to clean up partial and orphaned packages with the commands:
sudo apt-get autoclean
sudo apt-get autoremove

nginx to cache the results from apache


The way to get better performance is to have nginx cache the results from Apache, by adding the following to your nginx virtual host definition:

proxy_cache one;
proxy_cache_use_stale error timeout invalid_header updating;
proxy_cache_key $scheme$host$request_uri;
proxy_cache_valid 200 301 302 20m;
proxy_cache_valid 404 1m;
proxy_cache_valid any 15m;

where the proxy_cache named one is defined in nginx.conf as follows:

proxy_cache_path /usr/local/nginx/proxy levels=1:2 keys_zone=one:15m inactive=7d max_size=1000m;


The proxy_cache_valid entries above define different cache times for the various response codes.


VPSinfo php application for vps reporting


vpsinfo shows the following output:

Output from top;
Processed /proc/user_beancounters (VPS resources);
Output from netstat -nt (current TCP connections);
Output from netstat -ntl (listening TCP ports);
Output from pstree (tree view of running processes);
Output from ls -a /tmp (and ls -al /tmp);
Output from vnstat (an application that monitors traffic at the network interface) using its various commandline switches;
Output from mytop (an application that monitors MySQL) or from mysqlreport (a perl script which generates a mysql status report);
Status monitoring of daemon processes;
Summary section showing:
Values for oomguarpages and privvmpages (or free RAM and swap usage on a dedicated machine);
Data transfer today through the network interface (from vnstat);
Current number of TCP connections;
Current number of Apache and MySQL threads, and MySQL queries (from mytop or mysqlreport)
Disk usage.

Requirements
Linux;
PHP: vpsinfo was initially developed with v. 4.3.10 and should run fine with later releases;
The beanc helper app if running on a Virtuozzo v. 3 or OpenVZ server;
PHP safe mode off. Safe mode disables the ability to run programs outside the script directory.

Optional Third-party Software
These applications are not required to run vpsinfo, but if installed they are used to gather additional information:

vnstat: an application to monitor data transfer at the network interface. Highly recommended!
mytop: an application similar to 'top' but which monitors a MySQL server.
mysqlreport: a perl script that generates an analysis of MySQL performance.


Download: http://www.labradordata.ca/home/13

MyHosting.com special Discount 39% off on shared hosting, and 20% off on VPS hosting


MyHosting.com, an industry-leading web hosting service provider, today announced a special offer for all visitors from HostUCan.com: 39% off shared hosting and 20% off VPS hosting.

MyHosting.com, a budget web hosting service provider, today announced that it is offering all visitors from HostUCan.com a special 39% off its shared hosting or 20% off VPS hosting.

Myhosting.com is a registered trademark and brand of SoftCom Inc, which has data centers in both the US and Canada. It offers hosting services ranging from shared web hosting and VPS hosting to dedicated server hosting on both Linux and Windows platforms.

The list price of Myhosting shared hosting starts from $6.45/month, but now its customers can receive 39% off and get the service at $3.95/month only. Besides the shared Linux hosting, Myhosting also promotes its VPS hosting at 20% off the first billing, or up to 6 months free when signing up for a longer-term service with them.

MyHosting now guarantees 30 days money back, and its VPS solution is one of the most affordable in the industry.

To learn more about MyHosting and the deal, please visit www.hostucan.com/company/myhosting.

About HostUCan.com
HostUCan.com is a need-centric web hosting search and review platform. Its powerful product search engine helps webmasters find the best hosting solutions based on their hosting needs. HostUCan is also a place for webmasters to share their hosting experience and to seek information from other experts.

CSF Installation on Webmin/Virtualmin


Installation
============
Installation is quite straightforward:

rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Next, test whether you have the required iptables modules:

perl /etc/csf/csftest.pl

Don't worry if you cannot run all the features, so long as the script doesn't
report any FATAL errors.

You should not run any other iptables firewall configuration script. For
example, if you previously used APF+BFD you can remove the combination (which
you will need to do if you have them installed, otherwise they will conflict
horribly):

sh /etc/csf/remove_apf_bfd.sh

That's it. You can then configure csf and lfd by editing the files directly
in /etc/csf/*

csf auto-configures your SSH port on installation where it's running on a
non-standard port.

csf auto-whitelists your connected IP address where possible on installation.

You should ensure that the kernel logging daemon (klogd) is enabled. Typically,
OpenVZ VPS servers have this disabled, so check /etc/init.d/syslog and make
sure that any klogd lines are not commented out. If you change the file,
remember to restart syslog. Read this: http://linux-server-admin.blogspot.com/2012/06/syslogd-appears-to-be-running-but-not.html

See the readme.txt file for more information.

Webmin Module Installation/Upgrade
==================================

To install or upgrade the csf webmin module:

Install csf as above
Install the csf webmin module in:
  Webmin > Webmin Configuration > Webmin Modules >
  From local file > /etc/csf/csfwebmin.tgz > Install Module


Uninstallation
==============
Removing csf and lfd is even simpler:

On generic linux servers:

cd /etc/csf
sh uninstall.generic.sh


GD::Graph
=========
This perl module is required for the Statistical Graphs available from the csf
UI. It depends on graphical libraries being installed for your OS (e.g. libgd,
libpng, etc.), which is beyond the scope of this document.

The perl module itself can be installed in a variety of ways, e.g.:

Debian v6:
# apt-get install libgd-graph-perl

Direct from cpan.org:
# perl -MCPAN -e shell
cpan> install GD::Graph

ConfigServer Security Firewall


ConfigServer Security & Firewall
################################

This suite of scripts provides:

   1. A straight-forward SPI iptables firewall script
   2. A daemon process that checks for Login Authentication
   3. A Control Panel configuration interface
   4. ... and much more!

The reason we have developed this suite is that we have found over the years of
providing server management services that many of the tools available for the
task are either over-complex, not very friendly, or simply aren't as effective
as they could or should be.


This document contains:

1. Introduction
2. csf Principles
3. lfd Principles
4. csf Command Line Options
5. lfd Command Line Options
6. Login Tracking
7. Script Email Alerts
8. Process Tracking
9. Directory Watching
10. Advanced Allow/Deny Filters
11. Multiple Ethernet Devices
12. Installation on a Generic Linux Server
13. A note about FTP Connection Issues
14. Messenger Service
15. Block Reporting
16. Port Flood Protection
17. External Pre- and Post- Scripts
18. lfd Clustering
19. Watching IP addresses
20. Port Knocking
21. Connection Limit Protection
22. Port/IP address Redirection
23. Integrated User Interface Feature


1. Introduction
###############


ConfigServer Firewall (csf)
===========================

We have developed an SPI iptables firewall that is straight-forward, easy and
flexible to configure and secure with extra checks to ensure smooth operation.

csf can be used on any (supported - see the website) generic Linux OS.

The csf installation includes preconfigured configurations and control panel
UIs for cPanel, DirectAdmin and Webmin.

Login Failure Daemon (lfd)
==========================

To complement the ConfigServer Firewall, we have developed a daemon process
that runs all the time and periodically (every X seconds) scans the latest log
file entries for login attempts against your server that continually fail
within a short period of time. Such attempts are often called "brute-force
attacks", and the daemon responds very quickly to such patterns and blocks the
offending IPs. Other similar products run every x minutes via cron and as such
often miss break-in attempts until after they've finished; our daemon
eliminates such long waits and is therefore much more effective at performing
its task.

There is an array of extensive checks that lfd can perform to help alert the
server administrator of changes to the server, potential problems and possible
compromises.

On cPanel servers, lfd is integrated into the WHM > Service Manager, which will
restart lfd if it fails for any reason.

Control Panel Interface
=======================

To help with the ease and flexibility of the suite we have developed a
front-end to both csf and lfd for cPanel, DirectAdmin and Webmin. From there
you can modify the configuration files and stop, start and restart the
applications and check their status. This makes configuring and managing the
firewall very simple indeed.

There is also an abbreviated UI for mobile phone access to Quick Allow, Quick
Deny and Remove Deny. Direct URLs:
    cPanel: https://1.2.3.4:2087/cgi/addon_csf.cgi?mobi=1
    DA: https://1.2.3.4:2222/CMD_PLUGINS_ADMIN/csf/index.html?mobi=1
    Webmin: https://1.2.3.4:10000/csf/?mobi=1

There is, of course, a comprehensive Command Line Interface (CLI) for csf.


2. csf Principles
#################

The idea with csf, as with most iptables firewall configurations, is to block
everything and then allow through only those connections that you want. This is
done in iptables by DROPPING all connections in and out of the server on all
protocols, then allowing traffic in and out for existing connections, and then
opening individual ports, incoming and outgoing, for both TCP and UDP.

This way we can control exactly what traffic is allowed in and out of the
server, which helps protect the server from malicious attack.

In particular it prevents unauthorised access to network daemons whose access
we want to restrict by IP address, and, should a service suffer a compromise,
it can help prevent access to compromised network daemons, a typical example
being a hacker's sshd daemon running on a random open port. Perhaps the greatest
reason is to help mitigate the effects of suffering a root compromise, where
often the only way to take advantage of such a failure is to open a daemon for
the hacker to access the server through. While this won't prevent root
compromises, it can help slow them down enough for you to notice and react.

Another way that a port filtering firewall can help is when a user-level
compromise occurs and a hacker installs DoS tools to attack other servers. A
firewall configured to block outgoing connections except on specific ports can
help prevent DoS attacks from working and make them immediately apparent to you
from the system logs.

csf has been designed to keep this configuration simple, but still flexible
enough to give you options to suit your server environment. Often firewall
scripts become cumbersome or complex, making it impossible to identify where
problems lie and to fix them easily.

To take advantage of kernel logging of iptables dropped connections you should
ensure that the kernel logging daemon (klogd) is enabled. Typically, VPS servers
have this disabled, so check /etc/init.d/syslog and make sure that any klogd
lines are not commented out. If you change the file, remember to restart
syslog.


3. lfd Principles
#################

One of the best ways to protect the server from inbound attack against network
daemons is to monitor their authentication logs. Invalid login attempts which
happen in a short space of time from the same source can often mean someone is
attempting to brute-force their way into the server, usually by guessing
usernames and passwords and therefore generating authentication and login
failures.

lfd can monitor the most commonly abused protocols: SSHD, POP3, IMAP, FTP and
HTTP password protection. Unlike other applications, lfd is a daemon process
that monitors logs continuously and so can react within seconds of detecting
such attempts. It also monitors across protocols, so if attempts are made on
different protocols in a short space of time, all those attempts will be
counted against the threshold.

Once the number of failed login attempts is reached, lfd immediately forks a
sub-process and uses csf to block the offending IP address for both incoming
and outgoing connections, stopping the attack in its tracks in a quick and
timely manner. Other applications that rely on cron job timings usually miss
brute-force attacks completely, as they typically run every 5 minutes, by which
time the attack could be over or simply biding its time. In the meantime lfd
will have blocked the offender's IP address.

By running the block and alert email actions in a sub-process, the main daemon
can continue monitoring the logs without delay.
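The sliding-window, cross-protocol counting described above, as an added example (not csf's or lfd's code): `detect_brute_force` replays constructed sshd and dovecot log lines, counts failures per source IP within a time window regardless of protocol, and reports an IP once the limit is reached. The log formats, regexes, threshold and window are assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (sshd and dovecot style), in time order.
SAMPLE_LOG = """\
Jun  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50111 ssh2
Jun  3 10:00:02 host sshd[1202]: Accepted publickey for alice from 192.0.2.5 port 1234 ssh2
Jun  3 10:00:03 host sshd[1203]: Failed password for root from 198.51.100.7 port 50112 ssh2
Jun  3 10:00:05 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=198.51.100.7
Jun  3 10:00:06 host dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=198.51.100.7
Jun  3 10:00:08 host sshd[1204]: Failed password for root from 198.51.100.7 port 50113 ssh2
Jun  3 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jun  3 10:20:00 host sshd[1206]: Failed password for root from 203.0.113.9 port 40002 ssh2
Jun  3 10:40:00 host sshd[1207]: Failed password for root from 203.0.113.9 port 40003 ssh2
"""

TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# One failure pattern per protocol; each captures the source IP address.
FAILURE_PATTERNS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for .* from " + IPV4 + r" port"),
    "pop3": re.compile(r"pop3-login: .*auth failed.*rip=" + IPV4),
    "imap": re.compile(r"imap-login: .*auth failed.*rip=" + IPV4),
}


def parse_failure(line, year=2012):
    """Return (timestamp, protocol, source_ip) for a login failure, else None.

    Syslog timestamps carry no year, so one is assumed here.
    """
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    for proto, pattern in FAILURE_PATTERNS.items():
        hit = pattern.search(line)
        if hit:
            return ts, proto, hit.group(1)
    return None


def detect_brute_force(lines, limit=5, window=timedelta(minutes=5), ignore=()):
    """Replay log lines in order; return {ip: (count, protocols)} for every IP
    whose failures within `window` reach `limit`.

    Failures on different protocols count against the same threshold (the
    cross-protocol behaviour described for lfd). IPs in `ignore` behave like
    csf.ignore entries and are never reported; each IP is reported only once.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    protos = defaultdict(set)     # ip -> protocols seen failing
    blocked = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, proto, ip = parsed
        if ip in ignore or ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        protos[ip].add(proto)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= limit:
            blocked[ip] = (len(q), sorted(protos[ip]))
    return blocked


if __name__ == "__main__":
    for ip, (count, seen) in detect_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip}: {count} failures across {', '.join(seen)}")
```

With the defaults, 198.51.100.7 is reported after five failures spread over sshd, POP3 and IMAP, while 203.0.113.9 never is, because its three failures are twenty minutes apart and fall outside the window.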

If you want to know when lfd blocks an IP address you can enable the email
alert (which is on by default) and you should watch the log file in
/var/log/lfd.log. If you use logcheck, you can add it to your log monitoring
by editing logcheck.sh and adding the line:

$LOGTAIL /var/log/lfd.log >> $TMPDIR/check.$$    

Add it in amongst the other logs that you have selected.


4. csf Command Line Options
###########################

Before configuring and starting csf for the first time, it is a good idea to
run the script /etc/csf/csftest.pl using:

perl /etc/csf/csftest.pl

This script will test whether the required iptables modules are functioning on
the server. Don't worry if it cannot run all the features, so long as the
script doesn't report any FATAL errors.


You can view the csf command line options by using:

# csf -h

Usage: /usr/sbin/csf [option] [value]

Option              Meaning
-h, --help          Show this message
-l, --status        List/Show iptables configuration
-l6, --status6      List/Show ip6tables configuration
-s, --start         Start firewall rules
-f, --stop          Flush/Stop firewall rules (Note: lfd may restart csf)
-r, --restart       Restart firewall rules
-q, --startq        Quick restart (csf restarted by lfd)
-sf, --startf       Force CLI restart regardless of LF_QUICKSTART setting
-a, --add ip        Allow an IP and add to /etc/csf.allow
-ar, --addrm ip     Remove an IP from /etc/csf.allow and delete rule
-d, --deny ip       Deny an IP and add to /etc/csf.deny
-dr, --denyrm ip    Unblock an IP and remove from /etc/csf.deny
-df, --denyf        Remove and unblock all entries in /etc/csf.deny
-g, --grep ip       Search the iptables rules for an IP match (incl. CIDR)
-t, --temp          Displays the current list of temp IP entries and their TTL
-tr, --temprm ip    Remove an IPs from the temp IP ban and allow list
-td, --tempdeny ip ttl [-p port] [-d direction]
                    Add an IP to the temp IP ban list. ttl is how long to
                    blocks for (default:seconds, can use one suffix of h/m/d).
                    Optional port. Optional direction of block can be one of:
                    in, out or inout (default:in)
-ta, --tempallow ip ttl [-p port] [-d direction]
                    Add an IP to the temp IP allow list (default:inout)
-tf, --tempf        Flush all IPs from the temp IP entries
-cp, --cping        PING all members in an lfd Cluster
-cd, --cdeny ip     Deny an IP in a Cluster and add to /etc/csf.deny
-ca, --callow ip    Allow an IP in a Cluster and add to /etc/csf.allow
-cr, --crm ip       Unblock an IP in a Cluster and remove from /etc/csf.deny
-cc, --cconfig [name] [value]
                    Change configuration option [name] to [value] in a Cluster
-cf, --cfile [file] Send [file] in a Cluster to /etc/csf/
-crs, --crestart    Cluster restart csf and lfd
-m, --mail [addr]   Display Server Check in HTML or email to [addr] if present
-lr, --logrun       Initiate Log Scanner report via lfd
-c, --check         Check for updates to csf but do not upgrade
-u, --update        Check for updates to csf and upgrade if available
-uf                 Force an update of csf
-x, --disable       Disable csf and lfd
-e, --enable        Enable csf and lfd if previously disabled
-v, --version       Show csf version

These options allow you to easily and quickly control and view csf. All the
configuration files for csf are in /etc/csf and include:

csf.conf    - the main configuration file; it has helpful comments explaining
              what each option does
csf.allow   - a list of IPs and CIDR addresses that should always be allowed
              through the firewall
csf.deny    - a list of IPs and CIDR addresses that should never be allowed
              through the firewall
csf.ignore  - a list of IPs and CIDR addresses that lfd should ignore and not
              block if detected
csf.*ignore - various ignore files that list files, users and IPs that lfd
              should ignore. See each file for its specific purpose and syntax

If you modify any of the files listed above, you will need to restart csf to
have them take effect. If you use the command line options to add or deny IP
addresses, then csf automatically does this for you.

Both csf.allow and csf.deny can have comments after the IP address listed. The
comments must be on the same line as the IP address otherwise the IP rotation
of csf.deny will remove them.

If editing the csf.allow or csf.deny files directly, either from shell or the
WHM UI, you should put a <space>#<space> between the IP address and the comment
like this:

11.22.33.44 # Added because I don't like them

You can also include comments when using the csf -a or csf -d commands, but in
those cases you must not use a # like this:

csf -d 11.22.33.44 Added because I don't like them

If you use the shell commands then each comment line will be timestamped. You
will also find that if lfd blocks an IP address it will add a descriptive
comment plus timestamp.

If you don't want csf to rotate a particular IP in csf.deny when the line limit
is reached, add "do not delete" within the comment field, e.g.:

11.22.33.44 # Added because I don't like them. do not delete

You can also use an Include statement in either csf.allow or csf.deny to
include other files that conform to the above. You must specify the full path
to the included file, e.g. in /etc/csf/csf.allow:

Include /etc/csf/csf.alsoallow

Note: None of the csf commands for adding or removing IP addresses from
csf.allow or csf.deny work on included files, they are treated as read-only.


5. lfd Command Line Options
###########################

lfd doesn't have any command line options of its own but is controlled through
the init script /etc/init.d/lfd which stops and starts the daemon. It is
configured using the /etc/csf/csf.conf file.

The best way to see what lfd is up to is to take a look in /var/log/lfd.log
where its activities are logged.

The various email alert templates follow; care should be taken if you modify
these files to maintain the correct format:

/etc/csf/accounttracking.txt - for account tracking alert emails
/etc/csf/alert.txt - for port blocking emails
/etc/csf/connectiontracking.txt - for connection tracking emails
/etc/csf/cpanelalert.txt - for WHM/cPanel account access emails
/etc/csf/exploitalert.txt - for system exploit alert emails
/etc/csf/filealert.txt - for suspicious file alert emails
/etc/csf/integrityalert.txt - for system integrity alert emails
/etc/csf/loadalert.txt - for high load average alert emails
/etc/csf/logalert.txt - for log scanner report emails
/etc/csf/logfloodalert.txt - for log file flooding alert emails
/etc/csf/netblock.txt - for netblock alert emails
/etc/csf/permblock.txt - for temporary to permanent block alert emails
/etc/csf/portknocking.txt - for Port Knocking alert emails
/etc/csf/portscan.txt - for port scan tracking alert emails
/etc/csf/processtracking.txt - for process tracking alert emails
/etc/csf/queuealert.txt - for email queue alert emails
/etc/csf/relayalert.txt - for email relay alert emails
/etc/csf/resalert.txt - for process resource alert emails
/etc/csf/scriptalert.txt - for script alert emails
/etc/csf/sshalert.txt - for SSH login emails
/etc/csf/sualert.txt - for SU alert emails
/etc/csf/tracking.txt - for POP3/IMAP blocking emails
/etc/csf/uialert.txt - for UI alert emails
/etc/csf/usertracking.txt - for user process tracking alert emails
/etc/csf/watchalert.txt - for watched file and directory change alert emails


6. Login Tracking
#################

Login tracking is an extension of lfd, it keeps track of POP3 and IMAP logins
and limits them to X connections per hour per account per IP address. It uses
iptables to block offenders to the appropriate protocol port only and flushes
them every hour and starts counting logins afresh. All of these blocks are
temporary and can be cleared manually by restarting csf.

There are two settings, one for POP3 and one for IMAP logins. It's generally
not a good idea to track IMAP logins, as many clients log in each time they
perform a protocol transaction (there's no need for them to repeatedly log in,
but you can't avoid bad client programming!). So, if you do need some limit on
IMAP logins, it is probably best to set the login limit quite high.

If you want to know when lfd temporarily blocks an IP address you can enable
the email tracking alerts option (which is on by default).

You can also add your own login failure tracking using regular expression
matching. Please read /etc/csf/regex.custom.pm for more information.

Important Note: To enable successful SSHD login tracking you should ensure that
UseDNS in /etc/ssh/sshd_config is disabled by using:

UseDNS no

and that sshd has then been restarted.

7. Script Email Alerts
######################

(cPanel installations of csf only)

lfd can scan for emails being sent through exim from scripts on the server.

To use this feature you must add an extended email logging line to WHM >
Exim Configuration Editor > Switch to Advanced Mode > in the first textbox
add the following line:

log_selector = +arguments +subject +received_recipients

If you already use extended exim logging, then you need to either include
+arguments or use +all.

This setting will then send an alert email if more than LF_SCRIPT_LIMIT lines
appear with the same cwd= path in them within an hour. This can be useful in
identifying spamming scripts on a server, especially PHP scripts running
under the nobody account. The email that is sent includes the exim log lines
and also attempts to find scripts that send email in the path that may be the
culprit.

This option uses the /etc/csf/scriptalert text file for alert emails.

If you enable the option LF_SCRIPT_ALERT then lfd will disable the path using
chattr +i and chmod 000 so that the user cannot re-enable it. The alert email
also then includes the commands needed to re-enable the offending path.

Any false-positives can be added to /etc/csf/csf.signore and lfd will then
ignore those listed scripts.

8. Process Tracking
###################

This option enables tracking of user and nobody processes and examines them for
suspicious executables or open network ports. Its purpose is to identify
potential exploit processes that are running on the server, even if they are
obfuscated to appear as system services. If a suspicious process is found an
alert email is sent with relevant information.

It is then the responsibility of the recipient to investigate the process
further as the script takes no further action. Processes (PIDs) are only
reported once unless lfd is restarted.

There is an ignore file /etc/csf/csf.pignore which can be used to whitelist
either usernames or full paths to binaries. Care should be taken with ignoring
users or files so that you don't force false-negatives.

You must use the following format:

exe:/full/path/to/file
user:username
cmd:command line

The command line as reported in /proc has the trailing null character removed
and all other occurrences replaced with a space. So, the line you specify in
the file should have space separators for the command line arguments, not null
characters.

It is strongly recommended that you use command line ignores very carefully
as any process can change what is reported to the OS.

Don't list the paths to perl or php as this will prevent detection of
suspicious web scripts.
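An added example (not csf's code) of the /proc cmdline normalisation described above and of matching a process against csf.pignore entries. The function names, the sample processes and the two ignore files are constructed for the demonstration; they show why an exe: entry for perl, or a cmd: entry, can hide a process that has rewritten its own argv.

```python
def normalise_cmdline(raw):
    """Turn /proc/<pid>/cmdline bytes into the form csf.pignore cmd: lines use.

    The trailing NUL is removed and every other NUL becomes a space, so
    b'perl\\x00/tmp/x.pl\\x00' is reported as 'perl /tmp/x.pl'.
    """
    if raw.endswith(b"\x00"):
        raw = raw[:-1]
    return raw.replace(b"\x00", b" ").decode("utf-8", "replace")


def parse_pignore(text):
    """Parse exe:/user:/cmd: lines; blank lines and anything else are skipped."""
    rules = {"exe": set(), "user": set(), "cmd": set()}
    for line in text.splitlines():
        kind, sep, value = line.strip().partition(":")
        if sep and kind in rules:
            rules[kind].add(value)
    return rules


def ignore_reason(proc, rules):
    """Return which rule class would skip `proc`, or None if it gets reported.

    `proc` is a dict with 'user', 'exe' (the resolved /proc/<pid>/exe link)
    and 'cmdline' (the raw bytes of /proc/<pid>/cmdline). The exe link is
    maintained by the kernel; argv is whatever the process chooses to show.
    """
    if proc["user"] in rules["user"]:
        return "user"
    if proc["exe"] in rules["exe"]:
        return "exe"
    if normalise_cmdline(proc["cmdline"]) in rules["cmd"]:
        return "cmd"
    return None


# Constructed processes. The second has rewritten its argv to look like Apache
# while the binary it actually runs lives under /tmp.
SUSPECT_PERL = {"user": "nobody", "exe": "/usr/bin/perl",
                "cmdline": b"perl\x00/tmp/.x/irc.pl\x00"}
MASQUERADING = {"user": "bob", "exe": "/tmp/.x/bot",
                "cmdline": b"/usr/sbin/httpd\x00-k\x00start\x00"}

# Constructed pignore contents: a conservative file, and the same file plus the
# two kinds of entry the readme warns against (a perl path and a cmd: match).
SAFE_PIGNORE = "exe:/usr/sbin/httpd\nexe:/usr/sbin/sshd\nuser:mailnull\n"
RISKY_PIGNORE = SAFE_PIGNORE + "exe:/usr/bin/perl\ncmd:/usr/sbin/httpd -k start\n"

if __name__ == "__main__":
    for name, proc in (("perl script", SUSPECT_PERL), ("masquerader", MASQUERADING)):
        print(name, "safe:", ignore_reason(proc, parse_pignore(SAFE_PIGNORE)),
              "risky:", ignore_reason(proc, parse_pignore(RISKY_PIGNORE)))
```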

For more information on the difference between executable and command line, you
should read and understand how the linux /proc pseudo-filesystem works:

man proc
man lsof

It is beyond the scope of this application to explain how to investigate
processes in the linux /proc architecture.

The email alerts are sent using the processtracking.txt email template.

It should be noted that this feature will not pick up a root compromise, as
root processes are ignored - you should use established IDS tools for such
security considerations.

*** NOTE *** You _will_ get false-positives with this particular feature. The
reason for the feature is to bring to your attention processes that have either
been running for a long time under a user account, or that have ports open
outside of your server. You should satisfy yourself that they are indeed
false-positives before either ignoring them or trapping them in the csf.pignore
file.

We've done our best to minimise false-positives, but there's a balance between
being cautious and the sensitivity needed to pick up exploits.

The script itself cannot distinguish between malicious intent and intended
script function - that's your job as the server administrator ;-)

The setting PT_SKIP_HTTP does reduce the number of false-positives by not
checking scripts running directly or through CGI in Apache. However, disabling
this setting will make a more thorough job of detecting active exploits of all
varieties.

Another alternative might be to disable PT_SKIP_HTTP and increase PT_LIMIT to
avoid picking up web scripts, however this means that real exploits will run
for longer before they're picked up.

You can, of course, turn the feature off too - if you really want to.


9. Directory Watching
#####################

Directory Watching enables lfd to check /tmp and /dev/shm and other pertinent
directories for suspicious files, i.e. script exploits.

If a suspicious file is found an email alert is sent using the template
filealert.txt.

NOTE: Only one alert per file is sent until lfd is restarted, so if you remove
a suspicious file, remember to restart lfd.

To remove any suspicious files found during directory watching, enable the
corresponding setting; the suspicious files will then be appended to a tarball
in /etc/csf/suspicious.tar and deleted from their original location. Symlinks
are simply removed.

If you want to extract the tarball to your current location, use:

tar -xpf /etc/csf/suspicious.tar

This will preserve the path and permissions of the original file.

Any false-positives can be added to /etc/csf/csf.fignore and lfd will then
ignore those listed files and directories.

Within csf.fignore is a list of files that lfd directory watching will ignore.
You must specify the full path to the file.

You can also use perl regular expression pattern matching, for example:
/tmp/clamav.*
/tmp/.*\.wrk

Remember that you will need to escape special characters (precede them with a
backslash) such as \. \?

Pattern matching will only occur with strings containing an asterisk (*);
otherwise full file path matching will be applied.

You can also add entries to ignore files owned by a particular user by
preceding the username with user:, for example:
user:bob


Note: files owned by root are ignored

For information on perl regular expressions:
http://www.perl.com/doc/manual/html/pod/perlre.html

The second aspect of Directory Watching is enabled with LF_DIRWATCH_FILE. This
option lets lfd watch a particular file or directory for changes; should it
change, an email alert using watchalert.txt is sent. It uses a simple md5sum
match on the output of "ls -laAR" for the entry and so will traverse
directories if one is specified.


10. Advanced Allow/Deny Filters
###############################

In /etc/csf.allow and /etc/csf.deny you can add more complex port and IP
filters using the following format (you must specify a port AND an IP address):

tcp/udp|in/out|s/d=port|s/d=ip|u=uid

Broken down:

tcp/udp  : EITHER tcp OR udp OR icmp protocol
in/out   : EITHER incoming OR outgoing connections
s/d=port : EITHER source OR destination port number (or ICMP type)
           (use a _ for a port range, e.g. 2000_3000)
s/d=ip   : EITHER source OR destination IP address
u/g=UID  : EITHER UID or GID of source packet, implies outgoing connections,
           s/d=IP value is ignored

Note: ICMP filtering uses the "port" for s/d=port to set the ICMP type.
Whether you use s or d is not relevant, as either simply uses the iptables
--icmp-type option. Use "iptables -p icmp -h" for a list of valid ICMP types.
Only one type per filter is supported.

Examples:

# TCP connections inbound to port 3306 from IP 11.22.33.44
tcp|in|d=3306|s=11.22.33.44

# TCP connections outbound to port 22 on IP 11.22.33.44
tcp|out|d=22|d=11.22.33.44

Note: If omitted, the default protocol is set to "tcp" and the default
connection direction is set to "in", so:

# TCP connections inbound to port 22 from IP 44.33.22.11
d=22|s=44.33.22.11

# TCP connections outbound to port 80 from UID 99
tcp|out|d=80||u=99

# ICMP connections inbound for type ping from 44.33.22.11
icmp|in|d=ping|s=44.33.22.11

# TCP connections inbound to port 22 from Dynamic DNS address
# www.configserver.com (for use in csf.dyndns only)
tcp|in|d=22|s=www.configserver.com
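An added parser (not csf's own code) for the csf.allow/csf.deny formats described in sections 4 and 10: plain IP/CIDR lines with a ` # ` comment and the "do not delete" marker, read-only Include lines, and advanced filters with the tcp/in defaults, `_` port ranges, ICMP types and u=/g= owner matching. The `to_iptables` rendering only illustrates what a filter expresses with standard iptables options, not how csf builds its chains, and the sample file is constructed.

```python
import re

PROTOCOLS = {"tcp", "udp", "icmp"}
DIRECTIONS = {"in", "out"}

# Constructed csf.allow contents exercising every format described on this page.
SAMPLE_ALLOW = """\
# csf.allow (constructed sample)
11.22.33.44 # Added because I don't like them. do not delete
192.0.2.0/24 # office range
tcp|in|d=3306|s=11.22.33.44 # mysql from the app server
tcp|out|d=80||u=99
icmp|in|d=ping|s=44.33.22.11
d=22|s=44.33.22.11
Include /etc/csf/csf.alsoallow
"""


def parse_filter(spec):
    """Parse an advanced filter such as 'tcp|in|d=3306|s=11.22.33.44'.

    Defaults are tcp and in; a range 2000_3000 becomes 2000:3000; for icmp the
    s/d=value is the ICMP type; u=/g= forces direction out and drops s/d=ip.
    """
    rule = {"proto": "tcp", "dir": "in", "port": None, "port_side": None,
            "ip": None, "ip_side": None, "uid": None, "gid": None}
    for field in spec.split("|"):
        field = field.strip()
        if not field:                           # empty field, as in 'tcp|out|d=80||u=99'
            continue
        if field in PROTOCOLS:
            rule["proto"] = field
        elif field in DIRECTIONS:
            rule["dir"] = field
        elif field.startswith(("u=", "g=")):
            rule["uid" if field[0] == "u" else "gid"] = field[2:]
        elif re.fullmatch(r"[sd]=.+", field):
            side, value = field[0], field[2:]
            if "." in value or ":" in value:    # IPv4, CIDR, IPv6 or hostname
                rule["ip_side"], rule["ip"] = side, value
            else:                               # port, port range or ICMP type
                rule["port_side"], rule["port"] = side, value.replace("_", ":")
        else:
            raise ValueError(f"unrecognised field {field!r} in {spec!r}")
    if rule["uid"] is not None or rule["gid"] is not None:
        rule["dir"], rule["ip"], rule["ip_side"] = "out", None, None
    elif rule["port"] is None or rule["ip"] is None:
        raise ValueError(f"filter needs both a port and an IP: {spec!r}")
    return rule


def is_valid_filter(spec):
    """True if `spec` parses as an advanced filter."""
    try:
        parse_filter(spec)
        return True
    except ValueError:
        return False


def to_iptables(rule, target):
    """Render a parsed filter as iptables options (illustrative; the ICMP type
    is passed through exactly as written in the filter)."""
    parts = ["-A", "INPUT" if rule["dir"] == "in" else "OUTPUT", "-p", rule["proto"]]
    if rule["port"] is not None:
        if rule["proto"] == "icmp":
            parts += ["--icmp-type", rule["port"]]
        else:
            parts += ["--sport" if rule["port_side"] == "s" else "--dport", rule["port"]]
    if rule["ip"] is not None:
        parts += ["-s" if rule["ip_side"] == "s" else "-d", rule["ip"]]
    if rule["uid"] is not None:
        parts += ["-m", "owner", "--uid-owner", rule["uid"]]
    if rule["gid"] is not None:
        parts += ["-m", "owner", "--gid-owner", rule["gid"]]
    return " ".join(parts + ["-j", target])


def parse_list_file(text):
    """Parse csf.allow/csf.deny text into entry dicts of kind address, filter or include."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Include "):         # included files are read-only to csf
            entries.append({"kind": "include", "path": line.split(None, 1)[1]})
            continue
        spec, *rest = re.split(r"\s+#\s*", line, maxsplit=1)   # "<ip> # comment"
        comment = rest[0] if rest else ""
        entry = {"comment": comment, "keep": "do not delete" in comment.lower()}
        if "|" in spec or "=" in spec:
            entry.update(kind="filter", rule=parse_filter(spec))
        else:
            entry.update(kind="address", address=spec)
        entries.append(entry)
    return entries
```

Running `parse_list_file(SAMPLE_ALLOW)` and rendering the filter entries with `to_iptables(rule, "ACCEPT")` shows, for instance, that `tcp|out|d=80||u=99` expresses an OUTPUT rule on destination port 80 restricted to UID 99, with no address match.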


11. Multiple Ethernet Devices
#############################

If you have multiple ethernet NICs that you want to apply all rules to, then
you can set ETH_DEVICE to the interface name immediately followed by a plus
sign. For example, eth+ will apply all iptables rules to eth0, eth1, etc.

That said, if you leave ETH_DEVICE blank all rules will be applied to all
ethernet devices equally.


12. Installation on a Generic Linux Server
##########################################

csf+lfd can be configured to run on a generic Linux server. There are some
changes to the features available:

1. The default port range is for a typical non-cPanel web server and may need
   altering to suit the server's environment

2. The Process Tracking ignore file may need expanding in /etc/csf/csf.pignore
   to suit the server environment

3. A standard Webmin Module to configure csf is included - see the install.txt
   for more information

The codebase is the same for a all installations, the csf.conf file simply has
the cPanel specific options removed and the GENERIC option added


13. A note about FTP Connection Issues
######################################

It is important when using an SPI firewall to ensure FTP client applications
are configured to use Passive (PASV) mode connections to the server.

On servers running Monolithic kernels (e.g. VPS Virtuozzo/OpenVZ and custom
built kernels) ip_conntrack and ip_conntrack_ftp iptables kernel modules may
not be available or fully functional. If this happens, FTP passive mode (PASV)
won't work. In such circumstances you will have to open a hole in your firewall
and configure the FTP server to use that same hole.

For example, with pure-ftpd you could add the port range 30000:35000 to TCP_IN
and add the following line to /etc/pure-ftpd.conf and then restart pure-ftpd:
PassivePortRange 30000 35000

For example, with proftpd you could add the port range 30000:35000 to TCP_IN
and add the following line to /etc/proftpd.conf and then restart proftpd:
PassivePorts 30000 35000

FTP over SSL/TLS will usually fail when using an SPI firewall. This is because
of the way the FTP protocol establishes a connection between client and server.
iptables cannot establish a related connection for FTP over SSL because the FTP
control connection is encrypted, so the ip_conntrack_ftp helper cannot see the
relationship between the connection and the allocation of an ephemeral port.

If you need to use FTP over SSL, you will have to open up a passive port block
in both csf and your FTP server configuration (see above).

Perversely, this makes your firewall less secure, while trying to make FTP
connections more secure.


14. Messenger Service
#####################

This feature allows the display of a message to a blocked connecting IP address
to inform the user that they are blocked in the firewall. This can help when
users get themselves blocked, e.g. due to multiple login failures. The service
is provided by two daemons running on ports providing either an HTML or TEXT
message.

This service uses the iptables nat table and its PREROUTING chain. The
ipt_REDIRECT module is used to redirect the incoming port to the relevant
messenger service server port.

Temporary and/or permanent (csf.deny) IP addresses can be serviced by this
feature.

It does NOT include redirection of any GLOBAL or BLOCK deny lists.

It does require the IO::Socket::INET perl module.

It does NOT work on servers that do not have the iptables module ipt_REDIRECT
loaded. Typically, this will be with Monolithic kernels. VPS server admins
should check with their VPS host provider that the iptables module is included.

If you change any of the files in /etc/csf/messenger/ you must restart lfd as
they are all cached in memory.

HTML Messenger Server
=====================

The HTML message that is displayed is provided by the file:

/etc/csf/messenger/index.html

The HTML server providing this page is very rudimentary but will accept the use
of linked images that are stored in the /etc/csf/messenger/ directory. The
images must be of either jpg, gif or png format. These images are loaded into
memory so you should keep the number and size to a minimum. No other linked
resource files are supported (e.g. .css, .js).

As the HTML server requires interaction with the client, there is a timer on
the connection to prevent port hogging.

The server has a built-in function that will replace the text [IPADDRESS] in
index.html with the IP address that is blocked by the firewall. This will help
the blocked user know what their blocked IP address is. You can also use the
text [HOSTNAME] which will be replaced by the server's FQDN hostname.

The HTML server does not support SSL connections, so redirecting port 443 will
not work.

The HTML server port should not be added to the TCP_IN list.

There is a maximum of 15 ports allowed in MESSENGER_HTML_IN.

TEXT Messenger Server
=====================

The TEXT message that is displayed is provided by the file:

/etc/csf/messenger/index.text

This file should only contain text. The TEXT server providing this file simply
sends the contents to the connecting port and no protocol exchange takes place.
This means that it may not be suitable for use with protocols such as POP3.

The server has a built-in function that will replace the text [IPADDRESS] in
index.text with the IP address that is blocked by the firewall. This will help
the blocked user know what their blocked IP address is. You can also use the
text [HOSTNAME] which will be replaced by the server's FQDN hostname.

The TEXT server does not support SSL connections, so redirecting port 995 will
not work.

The TEXT server port should not be added to the TCP_IN list.

There is a maximum of 15 ports allowed in MESSENGER_TEXT_IN.

Messenger User
==============

You should create a unique user that the messenger services will run under.
This user should be disabled and have no shell access.

For example, you can create such an account (in this example called "csf") from
the root shell using:

useradd csf -s /bin/false


15. Block Reporting
###################

lfd can run an external script when it performs an IP address block, for
example following a login failure. This is done by setting the configuration
variable BLOCK_REPORT to a script that must be executable. The following
parameters are passed to the script as arguments:

ARG 1 = IP Address # The IP address or CIDR being blocked
ARG 2 = ports # Port, comma separated list or * for all ports
ARG 3 = permanent # 0=temporary block, 1=permanent block
ARG 4 = inout # Direction of block: in, out or inout
ARG 5 = timeout # If a temporary block, TTL in seconds, otherwise 0
ARG 6 = message # Message containing reason for block
ARG 7 = logs # The logs lines that triggered the block (will contain
                        # line feeds between each log line)
ARG 8 = trigger # The configuration settings triggered

lfd launches the BLOCK_REPORT in a forked process which terminates after 10
seconds if not completed by then. It runs under the root account, so great care
should be exercised with regard to security of the BLOCK_REPORT script.
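An added example of a BLOCK_REPORT script, not one shipped with csf: it takes the eight arguments above, flattens the multi-line ARG 7, quotes every value and appends one record to a log file, doing nothing else because it runs as root with a 10 second limit. The install path and the log path are hypothetical.

```shell
#!/bin/sh
# Added example, not shipped with csf: a minimal BLOCK_REPORT script. lfd runs
# it as root with the eight arguments listed above and kills it after 10
# seconds, so it only formats them into one structured line and appends it to
# a log file: no network calls, no eval, every argument quoted. Install path
# (e.g. /usr/local/sbin/csf_block_report.sh) and the log path are hypothetical.

REPORT_LOG=${REPORT_LOG:-/var/log/csf-block-report.log}

# _q VALUE: escape backslashes and double quotes so a value can sit in "..."
_q() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# block_report_format IP PORTS PERMANENT INOUT TIMEOUT MESSAGE LOGS TRIGGER
# Prints one line. ARG 7 may span several lines; they are joined with a
# literal \n so the record stays a single, parseable line.
block_report_format() {
    [ $# -eq 8 ] || { echo "expected 8 arguments, got $#" >&2; return 1; }
    case $3 in
        0) _kind=temporary ;;
        1) _kind=permanent ;;
        *) echo "ARG 3 (permanent) must be 0 or 1, got '$3'" >&2; return 1 ;;
    esac
    _logs=$(printf '%s' "$7" | sed 's/\\/\\\\/g; s/"/\\"/g' |
            awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 }')
    printf 'ip="%s" ports="%s" block=%s dir=%s ttl=%s trigger="%s" reason="%s" logs="%s"\n' \
        "$(_q "$1")" "$(_q "$2")" "$_kind" "$4" "$5" "$(_q "$8")" "$(_q "$6")" "$_logs"
}

# block_report_main ARGS...: what lfd calls; timestamp plus record, root-only file
block_report_main() {
    umask 077
    _rec=$(block_report_format "$@") || return 1
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$_rec" >> "$REPORT_LOG"
}

# Run only when invoked as the installed script, not when sourced for testing
case $0 in
    *csf_block_report.sh) block_report_main "$@" ;;
esac
```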


16. Port Flood Protection
#########################

This option configures iptables to offer protection from DoS attacks against
specific ports. It limits the number of new connections that can be made to
specific ports within a given time interval.

This feature does not work on servers that do not have the iptables module
ipt_recent loaded. Typically, this will be with Monolithic kernels. VPS server
admins should check with their VPS host provider that the iptables module is
included.

By default ipt_recent tracks only the last 100 IP addresses. The tracked IP
addresses can be viewed in /proc/net/ipt_recent/* where the port number is the
filename.

Syntax for the PORTFLOOD setting:

PORTFLOOD is a comma separated list of:
port;protocol;hit count*;interval seconds

So, a setting of PORTFLOOD = "22;tcp;5;300,80;tcp;20;5" means:

1. If more than 5 connections to tcp port 22 within 300 seconds, then block
that IP address from port 22 for at least 300 seconds after the last packet is
seen, i.e. there must be a "quiet" period of 300 seconds before the block is
lifted

2. If more than 20 connections to tcp port 80 within 5 seconds, then block
that IP address from port 80 for at least 5 seconds after the last packet is
seen, i.e. there must be a "quiet" period of 5 seconds before the block is
lifted

More information about the ipt_recent module can be found in the iptables man
page and at http://snowman.net/projects/ipt_recent/

Note: Blocked IP addresses do not appear in any of the iptables chains when
using this module. You must manipulate the /proc/net/ipt_recent/* files as per
the module documentation to view and remove IP addresses that are currently
blocked if the blocks have not yet expired.

Restarting csf resets the ipt_recent tables and removes all of its blocks.

Note: There are some restrictions when using ipt_recent:

1. By default it only tracks 100 addresses per table (we try and increase this
to 1000 via modprobe)

2. By default it only counts 20 packets per address remembered

*This means that you need to keep the hit count to below 20.


17. External Pre- and Post- Scripts
###################################

External commands (e.g. iptables rules not covered by csf) can be run before
and/or after csf sets up the iptables chains and rules.

1. To run external commands before csf configures iptables create the file:

/etc/csf/csfpre.sh

Set that file as executable and add an appropriate shebang interpreter line and
then whatever external commands you wish to execute.

For example:

#!/bin/sh
/some/path/to/binary -a -b -c etc

Then chmod +x /etc/csf/csfpre.sh

2. To run external commands after csf configures iptables create the file:

/etc/csf/csfpost.sh

Set that file as executable and add an appropriate shebang interpreter line and
then whatever external commands you wish to execute.


18. lfd Clustering
##################

This new set of options (CLUSTER*) in csf.conf allows the configuration of an
lfd cluster environment where a group of servers can share blocks and, via the
CLI, configuration option changes, allows and removes.

In the configuration there are two comma separated lists of IP addresses:

CLUSTER_SENDTO = ""
CLUSTER_RECVFROM = ""

If you want all members of the lfd cluster to send block notifications to each
other then both settings should be the same. You also need to enable
CLUSTER_BLOCK (enabled by default) for lfd to automatically send blocks to all
members in CLUSTER_SENDTO.

However, you can also set up a cluster such that some members only provide
notifications to others and do not accept blocks from others. For example, you
may have a cluster of servers that includes one that hosts a support desk that
you do not want to block clients from accessing. In such an example you might
want to exclude the support desk server from the CLUSTER_RECVFROM list, but
include it in the CLUSTER_SENDTO list.

The option CLUSTER_MASTER is the IP address of the master node in the cluster
allowed to send CLUSTER_CONFIG changes to servers listed in the local
CLUSTER_SENDTO list. Only cluster members that have CLUSTER_MASTER set to this
IP address will accept CLUSTER_CONFIG changes.

There is another option, CLUSTER_NAT that should be used if the IP address of
the server does not appear in ifconfig, for example if it is a NAT
configuration. If this is the case, add the IP address of the server that this
configuration is on and used in CLUSTER_SENDTO/CLUSTER_RECVFROM to CLUSTER_NAT.

CLUSTER_LOCALADDR can be set if you do not want to use the server's main IP,
i.e. the first one listed via 0.0.0.0.

The CLUSTER_PORT must be set to the same port on all servers. The port should
NOT be opened in TCP_IN or TCP_OUT as csf will automatically add appropriate in
and out bound rules to allow communication between cluster members.

The CLUSTER_KEY is a secret key used to encrypt cluster communications using
the Blowfish algorithm. It should be between 8 and 56 characters long, longer
is better, and must be the same on all members of the cluster.

This key must be kept secret!

When blocks are sent around the cluster they will maintain their original
parameters, e.g. permanent/temporary, direction (in/out), ports, etc. All
blocks are traded except for LT_POP3D and LT_IMAPD.

The cluster uses 10 second timeouts in its communications; if the timeout is
reached then that cluster member's notification will be lost.


lfd Cluster CLI and UI
======================

See csf --help for the list of new CLI commands. Additional options will
automatically become available in the UI once CLUSTER_SENDTO has been
configured.

Only cluster members listed in CLUSTER_RECVFROM can send out requests to those
members listed in CLUSTER_SENDTO.

Only the server listed in CLUSTER_MASTER will be accepted as the source of
CLUSTER_CONFIG configuration option requests, such as:
--cconfig, --cfile, --crestart

The CLI options --cfile and --cfiler allow you to synchronise csf configuration
files throughout a cluster from the CLUSTER_MASTER server.

There is currently only provision for permanent simple IP denies and allows
from the CLI (i.e. not Allow/Deny Filters).

The cluster PING sends a ping to each CLUSTER_SENDTO member which will report
the request in their respective lfd.log files. This is intended as a test to
confirm that cluster communications are functioning.

The options to change the configuration option in csf.conf in cluster members
should be used with caution to ensure that member specific options are not
overwritten. The intention of the two options is that the --cconfig option be
used if multiple changes are required and the final request is a --cconfigr to
restart csf and lfd to effect the requested changes immediately.


A Note on lfd Cluster Security
==============================

The clustering option is undoubtedly powerful in allowing servers to
pre-emptively block access attempts as one server is hit before the attack can
spread to other members of the cluster.

This communication, however, does introduce a security risk. Since
communications are made over the network, they are open to interception. Also,
there is nothing to stop any local user from accessing the network port and
sending data to it, though it will be discarded unless properly encrypted[*].

There are security measures implemented to help mitigate attacks:

1. csf constructs iptables rules such that only cluster members can communicate
over the cluster port with each other

2. The clustered servers will only accept data from connections from IPs listed
in CLUSTER_RECVFROM or CLUSTER_MASTER

3. [*]All communications are encrypted using the Blowfish symmetric block cipher
through a Pure Perl cpan module using the Cipher Block Chaining module and the
configured CLUSTER_KEY

4. CLUSTER_CONFIG set to 0 prevents the processing of configuration option
requests

5. Only CLUSTER_MASTER will be accepted as the source of CLUSTER_CONFIG
configuration option requests

Should the configured secret key (passphrase) be compromised or guessed or a
flaw found in the encryption modules or their implementation in csf, a
malicious connection could reconfigure the csf firewall and then leverage a
local or remote root escalation. This should be considered if you decide to use
this option.

THERE ARE NO GUARANTEES OR WARRANTIES PROVIDED THAT THIS FACILITY IS SECURE AND
ANY DAMAGE ARISING FROM THE EXPLOITATION OF THIS OPTION IS ENTIRELY AT YOUR OWN
RISK.


19. Watching IP Addresses
#########################

The CLI option csf --watch [ip] (csf -w [ip]) and configuration option
WATCH_MODE logs TCP connection initiation (SYN) packets from a specified source
as they traverse the iptables chains.

This can be extremely useful in tracking where that IP address is being DROPed
or ACCEPTed by iptables.

WATCH_MODE should be used when watching IP addresses, although the csf -w [ip]
option will still work without it but won't necessarily provide conclusive
information on the final destination of the packet.

WATCH_MODE is disabled by default and should be left as such unless actively
watching an IP address as it will add an overhead to all accepted iptables
traffic and increase overall iptables kernel logging through syslog.

WATCH_MODE disables: DROP_NOLOG, PS_INTERVAL, DROP_ONLYRES
WATCH_MODE enabled: DROP_LOGGING, DROP_IP_LOGGING, DROP_PF_LOGGING
WATCH_MODE also logs iptables ACCEPT for watched IP addresses

You should only watch a very small number of IP addresses at a time and for a
very short period of time, otherwise the kernel log (usually /var/log/messages)
will become flooded with entries. Also, any IP address rules added during the
time of the watch will not necessarily be included in the logging rules for the
watched IP addresses.

IP address watches do not survive a csf (iptables) restart.

You can use either an IP address or a CIDR address for csf -w [ip].

Recommended method to use this function:

1. Enable WATCH_MODE

2. Restart csf

3. Restart lfd

4. Use the following to watch an IP:

csf -w 11.22.33.44

5. Watch the kernel iptables log for hits from the watched IP address

Once you have finished watching an IP address you should:

1. Disable WATCH_MODE

2. Restart csf (which will also remove the watched ip rules)

3. Restart lfd

The kernel iptables log lines for watching an IP (usually in /var/log/messages)
contain the direction of the packet in the chain and the chain name, e.g.
I:INPUT is Incoming to the chain INPUT, O:LOCALINPUT is Outgoing from chain
LOCALINPUT.

The following is a trimmed down example log watch of 192.168.254.4 connecting
to port 22:

Firewall: I:INPUT SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:LOCALINPUT SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:GDENYIN SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: O:GDENYIN SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:DSHIELD SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: O:DSHIELD SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:SPAMHAUS SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: O:SPAMHAUS SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: O:LOCALINPUT SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:INVALID SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: O:INVALID SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:LOGACCEPT SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
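An added example, not part of csf: a shell/awk function that folds watch log lines like those above into the chain path and the point where the packet stopped, using only the I:/O: convention described. Function names are hypothetical; the sample log is the readme's own trimmed example.

```shell
#!/bin/sh
# Added example, not part of csf: reduce a kernel watch log like the one above
# to the chain path a packet took and where it ended. It relies only on the
# I:/O: convention the readme describes (I:CHAIN = entered, O:CHAIN = left),
# so a chain that was entered but never left is where the packet stopped.
# The sample log is the readme's; function names are hypothetical.

# csf_watch_path IP [DPT]: reads "... Firewall: I:CHAIN SRC=... DST=..." lines
# (with or without the syslog prefix) on stdin, keeps those whose SRC or DST is
# IP (and whose DPT matches, if given), prints the path and a verdict.
# Returns 1 when no matching entry was found.
csf_watch_path() {
    awk -v ip="$1" -v dpt="$2" '
    {
        tok = ""; src = ""; dst = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "Firewall:" && i < NF) tok = $(i + 1)
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DST=/) dst = substr($i, 5)
            if ($i ~ /^DPT=/) port = substr($i, 5)
        }
        if (tok !~ /^[IO]:/) next                  # not a watch entry
        if (src != ip && dst != ip) next
        if (dpt != "" && port != dpt) next
        dir = substr(tok, 1, 1); chain = substr(tok, 3)
        if (dir == "I") {
            stack[++depth] = chain                 # entered a chain
            sep = (n > 0) ? " > " : ""
            path = path sep chain
        } else {
            if (depth > 0 && stack[depth] == chain) depth--   # left it again
            path = path " < " chain
        }
        n++
    }
    END {
        if (n == 0) { print "no watch entries for " ip; exit 1 }
        print "path: " path
        if (depth == 0) print "verdict: left every chain in the log"
        else if (stack[depth] == "LOGACCEPT") print "verdict: ACCEPTed (reached LOGACCEPT)"
        else print "verdict: never left chain " stack[depth] " (DROPed there, or no watch rule matched after it)"
    }'
}

# sample_watch_log: the readme's trimmed example, reproduced as test input
sample_watch_log() {
    cat <<'EOF'
Firewall: I:INPUT SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:LOCALINPUT SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:GDENYIN SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: O:GDENYIN SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:DSHIELD SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: O:DSHIELD SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:SPAMHAUS SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: O:SPAMHAUS SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: O:LOCALINPUT SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:INVALID SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: O:INVALID SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:LOGACCEPT SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
EOF
}

# Demo: the path of the readme's SSH connection
sample_watch_log | csf_watch_path 192.168.254.4 22
```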


20. Port Knocking
#################

This option configures iptables to offer port knocking to open sensitive ports
based on a sequence of knocked ports for the connecting IP address.

For more information on the idea of port knocking see:
http://www.portknocking.org/

The feature requires that you list a random selection of unused ports (at least
3) with a timeout. The ports you choose must not be in use and not appear in
TCP_IN (UDP_IN for udp packets). The port to be opened must also not appear in
TCP_IN (UDP_IN for udp packets).

This feature does not work on servers that do not have the iptables module
ipt_recent loaded. Typically, this will be with Monolithic kernels. VPS server
admins should check with their VPS host provider that the iptables module is
included.

By default ipt_recent tracks only the last 100 IP addresses. The tracked IP
addresses can be viewed in /proc/net/ipt_recent/*

Syntax for the PORTKNOCKING setting:

PORTKNOCKING is a comma separated list of:
openport;protocol;timeout;kport1;kport2;kport3[...;kportN]

So, a setting of PORTKNOCKING = "22;TCP;20;100;200;300;400" means:

Open Port 22 TCP for 20 seconds to the connecting IP address to new connections
once ports 100, 200, 300 and 400 have been accessed (i.e. knocked with a SYN
packet) each knock being less than 20 seconds apart.

Access to port 22 remains active after 20 seconds until the connection is
dropped, however new connections will not be allowed.

More information about the ipt_recent module can be found in the iptables man
page and at http://snowman.net/projects/ipt_recent/

Note: IP addresses do not appear in any of the iptables chains when using this
module. You must view the /proc/net/ipt_recent/* files as per the module
documentation to view IP addresses in the various stages of the knock.

Restarting csf resets the ipt_recent tables and removes all of the knocks.


21. Connection Limit Protection
###############################

This option configures iptables to offer protection from DoS attacks against
specific ports. It can also be used as a way to simply limit resource usage by
IP address to specific server services. This option limits the number of new
concurrent connections per IP address that can be made to specific ports.

This feature does not work on servers that do not have the iptables module
xt_connlimit loaded. Typically, this will be with Monolithic kernels. VPS
server admins should check with their VPS host provider that the iptables
module is included.

Also, although included in some older versions of RedHat/CentOS, it was only
actually available from v5.3 onwards.

The protection can only be applied to the TCP protocol.

Syntax for the CONNLIMIT setting:

CONNLIMIT is a comma separated list of:
port;limit

So, a setting of CONNLIMIT = "22;5,80;20" means:

1. Only allow up to 5 concurrent new connections to port 22 per IP address

2. Only allow up to 20 concurrent new connections to port 80 per IP address

Note: Existing connections are not included in the count, only new SYN packets,
i.e. new connections

Note: Run /etc/csf/csftest.pl to check whether this option will function on the
server
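An added example, not part of csf, that checks PORTFLOOD, PORTKNOCKING and CONNLIMIT settings (sections 16, 20 and 21) against the constraints the readme states before they go into csf.conf. Function names are hypothetical and the settings tested are constructed.

```shell
#!/bin/sh
# Added example, not part of csf: sanity checks for the PORTFLOOD, PORTKNOCKING
# and CONNLIMIT settings described above, to run before editing csf.conf. They
# encode the constraints the readme states: ipt_recent remembers at most 20
# packets per address (so a PORTFLOOD hit count must stay below 20),
# PORTKNOCKING needs at least 3 knock ports, none of them or the opened port
# listed in TCP_IN/UDP_IN, and CONNLIMIT entries are port;limit, TCP only.
# Function names are hypothetical; sample settings are constructed.

# _is_port N: true for an integer 1..65535
_is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# _port_in_list PORT LIST: true when PORT is in a csf port list such as
# TCP_IN ("20,21,22,30000:35000"); ranges are written lo:hi
_port_in_list() {
    _p=$1; _ifs=$IFS; IFS=,; set -- $2; IFS=$_ifs
    for _e in "$@"; do
        case $_e in
            *:*) if [ "$_p" -ge "${_e%%:*}" ] && [ "$_p" -le "${_e#*:}" ]; then return 0; fi ;;
            *)   if [ "$_e" = "$_p" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# csf_check_portflood SETTING: items are port;proto;hits;interval.
# Prints one line per problem; returns 1 when anything is wrong.
csf_check_portflood() {
    _bad=0; _ifs=$IFS; IFS=,; set -- $1; IFS=$_ifs
    for _item in "$@"; do
        _ifs=$IFS; IFS=';'; set -- $_item; IFS=$_ifs
        if [ $# -ne 4 ]; then echo "PORTFLOOD '$_item': expected port;proto;hits;interval"; _bad=1; continue; fi
        _is_port "$1" || { echo "PORTFLOOD '$_item': bad port '$1'"; _bad=1; }
        case $2 in tcp|udp) ;; *) echo "PORTFLOOD '$_item': proto must be tcp or udp"; _bad=1 ;; esac
        case $3 in
            ''|*[!0-9]*) echo "PORTFLOOD '$_item': hit count must be a number"; _bad=1 ;;
            *) [ "$3" -lt 20 ] || { echo "PORTFLOOD '$_item': hit count $3 must be below 20 (ipt_recent limit)"; _bad=1; } ;;
        esac
        case $4 in ''|0|*[!0-9]*) echo "PORTFLOOD '$_item': interval must be a positive number"; _bad=1 ;; esac
    done
    return $_bad
}

# csf_check_portknocking SETTING TCP_IN UDP_IN: items are
# openport;proto;timeout;kport1;kport2;kport3[...]. Whether the ports are
# actually unused on the host cannot be checked here, only the list conflicts.
csf_check_portknocking() {
    _bad=0; _tcp_in=$2; _udp_in=$3
    _ifs=$IFS; IFS=,; set -- $1; IFS=$_ifs
    for _item in "$@"; do
        _ifs=$IFS; IFS=';'; set -- $_item; IFS=$_ifs
        if [ $# -lt 6 ]; then echo "PORTKNOCKING '$_item': need open port, proto, timeout and at least 3 knock ports"; _bad=1; continue; fi
        _open=$1; _proto=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); _timeout=$3; shift 3
        _list=$_tcp_in; _name=TCP_IN
        case $_proto in
            udp) _list=$_udp_in; _name=UDP_IN ;;
            tcp) ;;
            *) echo "PORTKNOCKING '$_item': proto must be TCP or UDP"; _bad=1; continue ;;
        esac
        case $_timeout in ''|0|*[!0-9]*) echo "PORTKNOCKING '$_item': timeout must be a positive number"; _bad=1 ;; esac
        if ! _is_port "$_open"; then echo "PORTKNOCKING '$_item': bad open port '$_open'"; _bad=1; continue; fi
        if _port_in_list "$_open" "$_list"; then echo "PORTKNOCKING '$_item': open port $_open must not be in $_name"; _bad=1; fi
        _seen=,
        for _k in "$@"; do
            if ! _is_port "$_k"; then echo "PORTKNOCKING '$_item': bad knock port '$_k'"; _bad=1; continue; fi
            if _port_in_list "$_k" "$_list"; then echo "PORTKNOCKING '$_item': knock port $_k is open in $_name"; _bad=1; fi
            if [ "$_k" = "$_open" ]; then echo "PORTKNOCKING '$_item': knock port $_k equals the open port"; _bad=1; fi
            case $_seen in *",$_k,"*) echo "PORTKNOCKING '$_item': duplicate knock port $_k"; _bad=1 ;; esac
            _seen="$_seen$_k,"
        done
    done
    return $_bad
}

# csf_check_connlimit SETTING: items are port;limit (protocol is always tcp)
csf_check_connlimit() {
    _bad=0; _ifs=$IFS; IFS=,; set -- $1; IFS=$_ifs
    for _item in "$@"; do
        case $_item in
            *';'*';'*) echo "CONNLIMIT '$_item': only port;limit, protocol is always tcp"; _bad=1; continue ;;
            *';'*) ;;
            *) echo "CONNLIMIT '$_item': expected port;limit"; _bad=1; continue ;;
        esac
        _is_port "${_item%%;*}" || { echo "CONNLIMIT '$_item': bad port"; _bad=1; }
        case ${_item#*;} in ''|0|*[!0-9]*) echo "CONNLIMIT '$_item': limit must be a positive number"; _bad=1 ;; esac
    done
    return $_bad
}

# Demo with the readme's own examples (its PORTFLOOD hit count of 20 sits on
# the ipt_recent limit, so the footnote above makes it a finding here)
csf_check_portflood "22;tcp;5;300,80;tcp;20;5" || echo "(hit count 20 reported per the note above)"
csf_check_connlimit "22;5,80;20" && echo "CONNLIMIT ok"
```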


22. Port/IP address Redirection
###############################

This feature uses the file /etc/csf/csf.redirect which is a list of port and/or
IP address assignments to direct traffic to alternative ports/IP addresses.

Requirements:
  nat tables
  ipt_DNAT iptables module
  ipt_SNAT iptables module
  ipt_REDIRECT iptables module

The following are the allowed redirection formats

DNAT (redirect from one IP address to a different one):
IPx|*|IPy|*|tcp/udp          - To IPx redirects to IPy
IPx|portA|IPy|portB|tcp/udp  - To IPx to portA redirects to IPy portB

DNAT examples:
192.168.254.62|*|10.0.0.1|*|tcp
192.168.254.62|666|10.0.0.1|25|tcp

REDIRECT (redirect from port to a different one):
IPx|portA|*|portB|tcp/udp    - To IPx to portA redirects to portB
*|portA|*|portB|tcp/udp      - To portA redirects to portB

REDIRECT examples:
*|666|*|25|tcp
192.168.254.60|666|*|25|tcp
192.168.254.4|666|*|25|tcp

Where a port is specified it cannot be a range, only a single port.

All redirections to another IP address will always appear on the destination
server with the source of this server, not the originating IP address.

This feature is not intended to be used for routing, NAT, VPN, etc. tasks.

Note: /proc/sys/net/ipv4/ip_forward must be set to 1 for DNAT connections to
work. csf will set this where it can, but if the kernel value cannot be set
then the DNAT redirection may not work.
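An added example, not csf's own code, that classifies csf.redirect lines as DNAT or REDIRECT using the formats above and rejects port ranges and mixed wildcards before the file is put in place. Function names are hypothetical; the sample lines are the readme's own.

```shell
#!/bin/sh
# Added example, not csf's own code: classify and validate lines of
# /etc/csf/csf.redirect in the five-field format above
# (IPx|portA|IPy|portB|tcp/udp). A line is DNAT when a destination IP (IPy)
# is given and REDIRECT when IPy is "*"; ports must be single numbers, not
# ranges. Function names are hypothetical.

# csf_redirect_classify LINE: prints a one-line reading of the rule, returns 1
# for a malformed line (reason on stderr)
csf_redirect_classify() {
    _ifs=$IFS; IFS='|'; set -f; set -- $1; set +f; IFS=$_ifs
    if [ $# -ne 5 ]; then echo "expected 5 fields, got $#" >&2; return 1; fi
    _ipx=$1; _pa=$2; _ipy=$3; _pb=$4; _proto=$5
    case $_proto in tcp|udp) ;; *) echo "protocol must be tcp or udp, got '$_proto'" >&2; return 1 ;; esac
    for _v in "$_ipx" "$_ipy"; do
        case $_v in '*'|*.*) ;; *) echo "bad IP address '$_v'" >&2; return 1 ;; esac
    done
    for _v in "$_pa" "$_pb"; do
        case $_v in
            '*') ;;
            ''|*[!0-9]*) echo "bad port '$_v': a single port number is required, ranges are not allowed" >&2; return 1 ;;
        esac
    done
    if [ "$_ipy" != '*' ]; then
        # DNAT: needs ip_forward=1, and IPy sees this server as the source
        if [ "$_pa" = '*' ] && [ "$_pb" = '*' ]; then
            printf 'DNAT: to %s redirects to %s (%s)\n' "$_ipx" "$_ipy" "$_proto"
        elif [ "$_pa" != '*' ] && [ "$_pb" != '*' ]; then
            printf 'DNAT: to %s port %s redirects to %s port %s (%s)\n' "$_ipx" "$_pa" "$_ipy" "$_pb" "$_proto"
        else
            echo "DNAT needs either both ports or neither" >&2; return 1
        fi
    else
        # REDIRECT: same host, different port, so both ports are required
        if [ "$_pa" = '*' ] || [ "$_pb" = '*' ]; then
            echo "REDIRECT needs both portA and portB" >&2; return 1
        fi
        if [ "$_ipx" = '*' ]; then
            printf 'REDIRECT: to port %s redirects to port %s (%s)\n' "$_pa" "$_pb" "$_proto"
        else
            printf 'REDIRECT: to %s port %s redirects to port %s (%s)\n' "$_ipx" "$_pa" "$_pb" "$_proto"
        fi
    fi
}

# csf_redirect_check FILE: classify every entry, report bad ones, return 1 if any
csf_redirect_check() {
    _bad=0
    while IFS= read -r _l || [ -n "$_l" ]; do
        _l=$(printf '%s' "$_l" | sed 's/#.*$//; s/[[:space:]]*$//')
        [ -n "$_l" ] || continue
        csf_redirect_classify "$_l" || { echo "bad redirect: $_l"; _bad=1; }
    done < "$1"
    return $_bad
}

# Demo on the readme's examples
csf_redirect_classify '192.168.254.62|666|10.0.0.1|25|tcp'
csf_redirect_classify '192.168.254.60|666|*|25|tcp'
```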


23. Integrated User Interface Feature
#####################################

Integrated User Interface. This feature provides a HTML UI to the features of
csf and lfd, without requiring a control panel or web server. The UI runs as a
sub process to the lfd daemon.

As it runs under the root account and successful login provides root access
to the server, great care should be taken when configuring and using this
feature. There are additional restrictions to enhance secure access to the
UI:

  1. An SSL connection is required
  2. Separate ban and allow files are provided to only allow access to listed
     IP addresses
  3. Local IP addresses cannot connect to the UI (i.e. all IP addresses
     configured on the server NICs)
  4. Unique sessions, session timeouts, session cookies and browser headers are
     used to identify and restrict active sessions

Requirements:

  1. openssl
  2. Perl modules: Net::SSLeay, IO::Socket::SSL and dependent modules
  3. SSL keys
  4. Entries in /etc/csf/ui/ui.allow

The SSL server uses the following files:

  SSL Key goes into /etc/csf/ui/server.key
  SSL Certificate goes into /etc/csf/ui/server.crt

Preferably, real CA signed certificates should be used. You can use an
existing domain and cert for accessing the UI by populating the two files
mentioned. If the cert has a ca bundle, it should be appended to the server.crt
file. lfd must be restarted after making any changes:
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#realcert

Alternatively, you could generate your own self-signed certificate:
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#selfcert

Any keys used must have their pass-phrase removed:
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#removepassphrase

The login URL should use the domain you have listed in the self-signed cert:
https://<yourdomain>:<port>

For example: https://www.somedomain.com:6666

Your browser must accept session cookies to gain access.

UI_ALLOW is enabled by default, so IP addresses (or CIDRs) allowed to use this
UI must be listed in /etc/csf/ui/ui.allow before trying to connect to the UI.

Only IP addresses can be listed/used in /etc/csf/ui/ui.ban - this file should
only be used by the UI to prevent login. Use csf blocks to prevent access to
the configured port and only use Advanced Allow/Deny Filters for access, i.e.
do not list the port in TCP_IN.

UI events are logged to the lfd log file /var/log/lfd.log. Check this file if
you are unable to access the UI.

Required Perl Modules:

  For example, on Debian v6 the perl modules can be installed using:

    apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl \
                    libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl

  For example, on CentOS v6 the perl modules can be installed using:

    yum install perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN \
                perl-IO-Socket-INET6 perl-Socket6

Faster Nginx Tricks


The benchmarks should give nearly the same results, as nginx is waiting for Apache to return its data before sending it along. What happened in those benchmarks is that cloudflare.com (highly recommended by the way) was caching some results and not others.

When I tried on localhost, the results were effectively the same. So the way to get better performance is to get nginx to cache the results from apache, by adding the following to your nginx virtual host definition :

                proxy_cache one;
                proxy_cache_use_stale error timeout invalid_header updating;
                proxy_cache_key $scheme$host$request_uri;
                proxy_cache_valid       200 301 302 20m;
                proxy_cache_valid       404 1m;
                proxy_cache_valid       any 15m;

where the proxy_cache named one is defined in nginx.conf as such :

proxy_cache_path /usr/local/nginx/proxy levels=1:2 keys_zone=one:15m inactive=7d max_size=1000m;

The proxy_cache_valid entries above define different cache times for various response codes.

Bash using Perl to Search and Replace words, recursively in the directory


To replace all instances of a string in a directory (subdirectories included) do:
Code:
perl -e "s/FIND/REPLACE/g;" -pi.save $(find path/to/DIRECTORY -type f)


The above will make a backup temp file of your original
If you do not want a temp file with the .save extension then do:

Code:
perl -e "s/FIND/REPLACE/g;" -pi $(find path/to/DIRECTORY -type f)


--------------------
Example:
You want to replace all instances of the word "design" with "dezine" in the directory /public_html/company/info

you can execute the command from document root as
Code:
perl -e "s/design/dezine/g;" -pi.save $(find public_html/company/info -type f)


or you can execute the command from public_html/company/ (a directory above) as:
Code:
perl -e "s/design/dezine/g;" -pi.save $(find info -type f)


------------------------------

The above commands will search all files (.gif, .jpg, .htm, .html, .txt) so you might see some error messages ("Can't open *.gif", etc.)

Simplified

To search just files of type, .htm without a backup file in the current directory only (no subdirectories) you could use:

Code:
perl -pi -e 's/design/dezine/g' *.htm




-------------

perl -pi -w -e 's/search/replace/g;' *.c


-p loop
-i means edit in-place
-w write warnings
-e means execute the following line of code.


Reference: http://forums.devshed.com/unix-help-35/unix-find-and-replace-text-within-all-files-within-a-146179.html


Passwordless SSH Login


Just a quick post on a tool I have found handy through the years. Passwordless ssh. Very very quick to implement on all Linux systems regardless of distro. Also works fine on Solaris.

ssh-keygen -t rsa

Pick the default location to store id-rsa and do not enter a password

Enter file in which to save the key (/home/user1/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user1/.ssh/id_rsa.
Your public key has been saved in /home/user1/.ssh/id_rsa.pub.

Now you have created your key pair. If you are doing this from your own network login (e.g. user1) and your home directory is on shared storage, all you need to do to achieve passwordless ssh login is this:

cd ~/.ssh


cat id_rsa.pub > authorized_keys

For a regular user, you are done.

For root, you need to scp this authorized_keys file to all your hosts. A simple enough script can achieve this:

scp ~/.ssh/authorized_keys root@remote_server:~/.ssh/

Done!
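An added example, not from the post above: a function that appends a public key to authorized_keys only if it is not already there and sets the permissions sshd expects, since the "cat id_rsa.pub > authorized_keys" step above replaces any keys already in the file. Function names are hypothetical and the demo key is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the post above: install a public key into
# authorized_keys without clobbering keys already there (the post's
# "cat id_rsa.pub > authorized_keys" overwrites the file) and with the
# permissions sshd expects (~/.ssh 700, authorized_keys 600). Function names
# are hypothetical; the key used in the demo is a constructed placeholder.

# ssh_install_key PUBKEY_FILE [HOME_DIR]: append the key once (idempotent,
# matched on key type and key data so a different comment is not a new key)
ssh_install_key() {
    _key=$1; _home=${2:-$HOME}
    _dir=$_home/.ssh; _auth=$_dir/authorized_keys
    [ -r "$_key" ] || { echo "cannot read $_key" >&2; return 1; }
    _id=$(awk 'NR == 1 && NF >= 2 { print $1, $2 }' "$_key")
    case $_id in
        ssh-*\ *|ecdsa-*\ *) ;;
        *) echo "$_key does not look like an OpenSSH public key" >&2; return 1 ;;
    esac
    mkdir -p "$_dir" && chmod 700 "$_dir" || return 1
    touch "$_auth" && chmod 600 "$_auth" || return 1
    if awk -v id="$_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$_auth"; then
        echo "already present: $_id"
        return 0
    fi
    head -n 1 "$_key" >> "$_auth"
    echo "added: $_id"
}

# ssh_key_count [HOME_DIR]: number of key lines in authorized_keys
ssh_key_count() {
    _auth=${1:-$HOME}/.ssh/authorized_keys
    [ -f "$_auth" ] || { echo 0; return 0; }
    awk '/^(ssh|ecdsa)-/ { n++ } END { print n + 0 }' "$_auth"
}

# Demo in a throwaway home directory with a constructed (non-functional) key
_demo=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3CONSTRUCTEDKEYDATAFORDEMO user1@example\n' > "$_demo/id.pub"
ssh_install_key "$_demo/id.pub" "$_demo"
ssh_install_key "$_demo/id.pub" "$_demo"   # second run: "already present"
rm -rf "$_demo"
```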

Why CSF Shows : Suspicious process running under user mysql


Suspicious process running under user mysql

The body of the message is (server name changed below for security reasons):

Time: Wed Jun 3 09:04:59 2009 -0500
PID: 18678
Account: mysql
Uptime: 28843 seconds

Executable:

/usr/sbin/mysqld\004a261248\009BrIpQz (deleted)

The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this executable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.

Command Line (often faked in exploits):

/usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/myserver.mydomain.net.pid --skip-external-locking --port=3306 --socket=/var/lib/mysql/mysql.sock
REMEDY: just restart the mysqld server, because its binary has been upgraded to a newer version on your server. Read: http://forum.configserver.com/showthread.php?t=2059

I had the same issue after the SQL upgrade and made a full server restart and it went away. If it appears/resurfaces again, then restarting mysqld is not a solution. See what is eating up mysql.

mysqladmin proc stat
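An added example, not part of csf: the check behind the PT_DELETED alert, done by hand so you can list every process whose executable has been unlinked before restarting anything. Function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of csf: the check behind the PT_DELETED alert above,
# done by hand so an admin can confirm which processes are still running an
# executable that was unlinked (for instance by a package upgrade) before
# deciding whether a restart explains it. Function names are hypothetical.

# exe_is_deleted LINKTARGET: true when a /proc/PID/exe target carries the
# " (deleted)" suffix the kernel appends once the binary has been unlinked
exe_is_deleted() {
    case $1 in *' (deleted)') return 0 ;; esac
    return 1
}

# exe_original_path LINKTARGET: the path without the " (deleted)" marker
exe_original_path() { printf '%s\n' "$1" | sed 's/ (deleted)$//'; }

# deleted_exe_procs: print "PID USER PATH" for each process whose binary has
# been unlinked; run as root to see processes of other users
deleted_exe_procs() {
    for _p in /proc/[0-9]*; do
        _t=$(readlink "$_p/exe" 2>/dev/null) || continue
        exe_is_deleted "$_t" || continue
        _pid=${_p#/proc/}
        _u=$(ps -o user= -p "$_pid" 2>/dev/null) || _u=
        printf '%s %s %s\n' "$_pid" "${_u:-?}" "$(exe_original_path "$_t")"
    done
    return 0
}

deleted_exe_procs
```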

How to compare one region with another using Google Map


How do you compare one region's area with another using Google Maps? Take for instance the territory of the Republic of Indonesia and compare its area with that of other countries. To compare the area of Indonesia with other countries on a Google Map, click the following link:

http://mapfrappe.com/index.html?show=5602

On the second map box (the bottom one), drag the outline right, left, up or down to place the area of Indonesia over the territory of other countries as drawn by Google Maps. You can also zoom the map by using the slider on the left side of the second map box.

Enable Iptables Modules for a VPS


Below was the typical error while trying to install CSF in one of the OpenVz containers:
----------------------------------error--------------------------------
[root@abc ~]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...FAILED [ 4294967295] - Required for csf to function
Testing ipt_multiport/xt_multiport...FAILED [FATAL Error: iptables: Unknown error 4294967295] - Required for csf to function
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...FAILED [FATAL Error: iptables: Unknown error 4294967295] - Required for csf to function
Testing ipt_limit/xt_limit...FAILED [FATAL Error: iptables: Unknown error 4294967295] - Required for csf to function
Testing ipt_recent...FAILED [Error: iptables: Unknown error 4294967295] - Required for PORTFLOOD and PORTKNOCKING features
Testing xt_connlimit...FAILED [Error: iptables: Unknown error 4294967295] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...FAILED [Error: iptables: Unknown error 4294967295] - Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT...FAILED [Error: iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)] - Required for MESSENGER feature
Testing iptable_nat/ipt_DNAT...FAILED [Error: iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)] - Required for csf.redirect feature
---------------------------------------------------------------

Enable Iptables Modules for a VPS:-


1. Before enabling the modules for a VPS, make sure they are loaded on the hardware node that hosts the VPS. You can check with:
lsmod | grep -i module_name

2. If a module is not loaded, load it with the modprobe command (replace module_name with the module named in the csftest output):

modprobe module_name

The full set loaded on this node was:

modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe iptable_mangle
modprobe ipt_helper
modprobe ipt_REDIRECT
modprobe ipt_TCPMSS
modprobe ipt_tcpmss
modprobe ipt_LOG
modprobe ipt_TOS
modprobe ipt_tos
modprobe ipt_length
modprobe ipt_ttl
modprobe ipt_SAME
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
modprobe ipt_recent
modprobe xt_connlimit

Where csftest names two modules separated by a slash (for example ipt_multiport/xt_multiport), the xt_ name is the newer name of the same match or target; modprobe takes one module name, so load whichever your kernel provides:

modprobe ipt_multiport || modprobe xt_multiport
modprobe ipt_state || modprobe xt_state
modprobe ipt_limit || modprobe xt_limit
modprobe ipt_owner || modprobe xt_owner

The iptable_nat/ipt_DNAT and iptable_nat/ipt_REDIRECT tests are satisfied by iptable_nat (which provides the nat table and the DNAT target on these kernels) and ipt_REDIRECT, both loaded above.

3. Stop the container you want to enable the modules for:
# vzctl stop 101

4. Grant the modules to the container in either of two ways:

a) By command:
Execute the following command to enable all the modules for the VPS:

# vzctl set 101 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save
or

b) By editing the configuration file manually:
Open the container's configuration file, /etc/vz/conf/veid.conf (veid is the container ID, so 101.conf for container 101), and add the following as the last line of the file:

IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc"

5. Restart the container:
# vzctl restart 101
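As an added example, not from the original post: a small shell helper that compares the modules csftest checks for against the output of lsmod on the hardware node, reports what is still missing, and builds the vzctl line from step 4a. The lsmod text and the module list are constructed for the demo; SAMPLE_LSMOD, missing_modules and vzctl_command are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post). Where csftest names two
# modules with a slash (ipt_state/xt_state), either loaded name satisfies it.
CSF_MODULES="ip_tables iptable_filter ipt_LOG ipt_multiport/xt_multiport \
ipt_REJECT ipt_state/xt_state ipt_limit/xt_limit ipt_recent xt_connlimit \
ipt_owner/xt_owner iptable_nat ipt_REDIRECT"

# missing_modules LSMOD_TEXT: print each CSF_MODULES entry for which no
# alternative name appears in the lsmod output (nothing printed = ready)
missing_modules() {
    # skip the "Module Size Used by" header, keep the module name column
    loaded=$(printf '%s\n' "$1" | awk 'NR > 1 { print $1 }')
    for spec in $CSF_MODULES; do
        found=0
        for name in $(printf '%s\n' "$spec" | tr '/' ' '); do
            if printf '%s\n' "$loaded" | grep -qx "$name"; then
                found=1
            fi
        done
        [ "$found" -eq 1 ] || printf '%s\n' "$spec"
    done
    return 0
}

# vzctl_command VEID MODULE...: the "vzctl set" line from step 4a, one
# --iptables flag per module, ending in --save so it persists in veid.conf
vzctl_command() {
    veid=$1; shift
    cmd="vzctl set $veid"
    for m in "$@"; do
        cmd="$cmd --iptables $m"
    done
    printf '%s --save\n' "$cmd"
}

# Constructed lsmod output for a node with only the filter table loaded
SAMPLE_LSMOD="Module                  Size  Used by
ip_tables              22042  1 iptable_filter
iptable_filter          7105  1
ipt_REJECT              9537  1
ipt_LOG                 9793  0"

missing_modules "$SAMPLE_LSMOD"
vzctl_command 101 ipt_REJECT ipt_LOG ipt_state
```

Run it against real output with `missing_modules "$(lsmod)"` on the hardware node before stopping the container.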

syslogd appears to be running, but not klogd which logs kernel firewall messages to syslog. You should ensure that klogd is running


When you run the CSF firewall check on your server's security, you sometimes get the warning below, especially on a VPS running OpenVZ:

syslogd appears to be running, but not klogd which logs kernel firewall messages to syslog. You should ensure that klogd is running



Typically, VPS servers have klogd disabled; check and edit /etc/init.d/syslog and make sure that the klogd lines are not commented out.

Do the following steps to resolve the issue on a VPS by editing /etc/init.d/syslog:


1. Log in to the server as root, via WinSCP or over SSH (where you can use nano -c /etc/init.d/syslog).


2. Edit /etc/init.d/syslog


3. Search for the line below (at about line 42):
passed klogd skipped #daemon klogd $KLOGD_OPTIONS

4. Change it to the two lines below:
passed klogd skipped
daemon klogd $KLOGD_OPTIONS


5. Now search for 'status klogd' and un-comment it.

6. Now search for '#killproc klogd' and change it to 'killproc klogd'.


7. Restart syslog via /etc/init.d/syslog restart

This should fix the issue.

To check, try this command:
more /etc/init.d/syslog|grep klogd


It should now return output like the below:



# syslog        Starts syslogd/klogd.
[ -x /sbin/klogd ] || exit 5
passed klogd skipped
daemon klogd $KLOGD_OPTIONS
passed klogd skipped
killproc klogd
status klogd
    echo -n "Reloading klogd..."
    klog=`cat /var/run/klogd.pid 2>/dev/null`

If you change the file, remember to restart syslog via /etc/init.d/syslog restart
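As an added example, not from the original post: the edits from steps 4 to 6 applied by a script instead of by hand, reading an init script on stdin and writing the fixed version to stdout, plus a check that tells you whether klogd is still disabled. enable_klogd, klogd_disabled and the SAMPLE_SYSLOG excerpt are names and data constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original post). Puts back the "daemon klogd",
# "status klogd" and "killproc klogd" lines that OpenVZ templates leave
# commented out; running it a second time changes nothing.
enable_klogd() {
    awk '
        # "passed klogd skipped #daemon klogd $KLOGD_OPTIONS" on one line:
        # keep the marker and give the daemon call its own line (step 4)
        /passed klogd skipped[ \t]*#daemon klogd/ {
            match($0, /^[ \t]*/)
            indent = substr($0, 1, RLENGTH)
            print indent "passed klogd skipped"
            print indent "daemon klogd $KLOGD_OPTIONS"
            next
        }
        # "#status klogd" and "#killproc klogd": drop the comment marker
        # (steps 5 and 6)
        /^[ \t]*#(status|killproc) klogd/ { sub(/#/, ""); print; next }
        { print }
    '
}

# klogd_disabled: true if the script on stdin still has a klogd line commented out
klogd_disabled() {
    grep -Eq '#(daemon|status|killproc) klogd'
}

# Constructed excerpt of an OpenVZ template /etc/init.d/syslog for the demo
SAMPLE_SYSLOG='# syslog        Starts syslogd/klogd.
        passed klogd skipped #daemon klogd $KLOGD_OPTIONS
        #killproc klogd
        #status klogd'

printf '%s\n' "$SAMPLE_SYSLOG" | enable_klogd
```

On a real server: `enable_klogd < /etc/init.d/syslog > /tmp/syslog.new`, review the diff, copy it into place, then restart syslog.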



Misleading Tips When You Choose VPS As Your Web Hosting Model


Recent years have seen hacking become a prime concern for the e-commerce industry. Websites of renowned financial and government organizations have not even been spared from hacking in the recent past. That is not all: in the previous year, the official website of the White House was out for nearly seven days due to hacking attacks. Just imagine the same happening to your business website! What if your e-commerce website, developed with your precious and valued funding, gets hacked? Thankfully, choosing a high-security website hosting platform like Linux VPS hosting will lessen your e-commerce website's chances of being hacked by at least 60-70%.

There are a lot of companies offering secure web hosting services. However, if you want the highest level of security, opting for a reputed Linux VPS hosting service provider is a wise decision. Now let's discuss some of the advantages that a Linux hosting service can offer.

1. Robust Security: It is known the world over that Linux has high standards for its security features. So, using a Linux platform for hosting your e-commerce website, it is natural that your website would remain secure against any form of unauthorized intrusion. You can keep your e-commerce website protected from malware and phishing attacks as well as keep it safe against hacking.

2. You can have control over the hosting server: The Windows platform is more comfortable to work on, but Linux offers more configuration options than Windows. The wider scope for customization on a Linux platform compared with Windows lets you configure your website's visibility for many types of visitors. For example, with Linux hosting, you can impose restrictions on anonymous visitors to sections of your website which are low in priority.

3. Access is quicker and operation is faster: Experts opine that, since the Linux OS consumes fewer CPU clock cycles than the Windows operating system, hosting your website on a Linux platform would help your e-commerce website run faster than in a Windows environment. So when opting for a dedicated or Linux VPS service you can speed up your website, and online transactions can be completed much faster than with Windows hosting.

Ultimately, if you're planning to launch an e-commerce website, make sure to opt for a renowned Linux VPS hosting service provider. There is no dearth of companies that offer virtual private server hosting services. Always make sure that you do background research on the service provider before selecting one that suits your requirements.

RDIFF-BACKUP with --force


"Programming is like sex. One mistake and you have to support 
   it for the rest of your life". (Michael Sinz)


Fatal Error: Destination directory

/Volumes/Backup320

exists, but does not look like a rdiff-backup directory.  Running rdiff-backup like this could mess up what is currently in it.  If you want to update or overwrite it, run rdiff-backup with the --force option.


Creating backups is good, but they are of little use if you can't restore files from them. A restore, at its simplest, is just a backup reversed. In other words, the order of directories on the command line is reversed—the mirror first, the directory to restore to second. There is one important caveat: rdiff-backup, by default, will not restore over an existing file/path. Think of it as sort of a foot/gun safety. You have two options, restore to another path or use the --force switch to override the default behavior.

rdiff-backup gives you two basic methods for restoring a specific version of a file: time-based and number-based.


My reading is that using --force on a restore will overwrite existing files with the same name, so you may lose previous data at the restore destination. In general, if you are restoring a directory (or a complete repository) it is logical to use a clean destination, in which case it shouldn't be a problem.



When you are restoring a directory, "--force" will not only overwrite existing files (which is probably what you intended, anyway), but it will also _delete_ any files or even entire subdirectories that were not present in the backup. It will restore your directory to exactly the state it was in on the backup, nothing more, nothing less. That might be a nasty surprise.


--force
    Authorize a more drastic modification of a directory than usual (for instance, when overwriting of a destination path, or when removing multiple sessions with --remove-older-than). rdiff-backup will generally tell you if it needs this. WARNING: You can cause data loss if you mis-use this option. Furthermore, do NOT use this option when doing a restore, as it will DELETE FILES, unless you absolutely know what you are doing.
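As an added example, not from the thread or from rdiff-backup itself: a restore wrapper that follows the advice above by refusing to restore into a non-empty destination, so --force is never needed and nothing at the destination can be deleted. restore_dest_ok and safe_restore are names chosen here; the rdiff-backup flag used is its own -r (restore as of a time such as now, 10D or 2B).

```shell
#!/bin/sh
# Added example (not from the thread or from rdiff-backup). The point of
# the checks: a clean destination makes --force unnecessary on a restore.

# restore_dest_ok DIR: true if DIR does not exist or is an empty directory
restore_dest_ok() {
    dir=$1
    [ ! -e "$dir" ] && return 0
    [ -d "$dir" ] || return 1
    # ls -A lists dotfiles too; an empty directory prints nothing
    [ -z "$(ls -A "$dir")" ]
}

# safe_restore MIRROR DEST [TIME]: restore MIRROR (the repository or a path
# inside it) to DEST as of TIME (default "now"); DEST must be clean, and the
# restore is a plain -r run with no --force
safe_restore() {
    mirror=$1; dest=$2; when=${3:-now}
    if ! restore_dest_ok "$dest"; then
        echo "refusing: $dest exists and is not empty; restore to a clean path" >&2
        return 1
    fi
    rdiff-backup -r "$when" "$mirror" "$dest"
}
```

Compare the restored tree against the live one afterwards (diff -r) and copy over only what you intended to recover.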



SEO Search Term Tagging 2 : The Trick to Add Keyword to Meta Header


To have the plugin add the search terms to the Meta Description & Keyword tags:

It needs a couple of tweaks to get it working:

1) Change this setting:

Text and code before and after each keyword: Before = (blank box), After = (a single comma then a blank space). This will separate each keyword term with a trailing comma + blank space.

2) You need to edit one line of php code (very easy).

Find this line inside the plugin file (searchterms-tagging-2/searchterms-tagging2.php):
A) define('PK_WATERMARK','<!-- YourDomainNameHere.com -->');

Delete <!-- YourDomainNameHere.com --> (which will contain your own domain name); MAKE SURE to leave the single quotes on both sides.

[Settings screenshot]

PHP CODE EDIT

[PHP code screenshot]


After you make the above edits, add this line to your header.php file.

PHP Code:
<?php // esc_attr() (WordPress core) is added here as a precaution: it keeps a search term from closing the attribute value ?>
<meta name="description" content="<?php if (function_exists('stt_terms_list')) echo esc_attr(stt_terms_list()); ?>" />
PHP Code:
<meta name="keywords" content="<?php if (function_exists('stt_terms_list')) echo esc_attr(stt_terms_list()); ?>" />
Pick which tag you want to change (description or keywords).


What I have done to just over double my visitors since installing this is this:

I grab the terms that are finding me and run them through MS.
I pick the most searched-for term and write an article with that as the title.
I link to this new post from the original post.

I am finding the new article is indexed in literally minutes; not all of them, but most of them are.

One side effect, and I haven't decided whether it is good or bad, is that you start getting found for terms that are slightly straying away from your target market.

For example, on my fitness blog I am getting many hits for search terms relating to the singer Pink. (Sold 3 DVDs in Feb though.)

From doing this I have many indented listings and in about 7 cases have 1, 2 and 3 in big G.

Bottom line is that the plugin has helped me enormously, especially on my rowing machine page promoting a $900 rowing machine.

Just today I found a term using the plugin.

I ran it through MS and it showed 13 searches a day but what it did do was find me a keyword phrase that gets 730 exacts a day with only 1400 pages competition.

I wrote an 800 word article on it, linked it to the original and was #13 3 minutes after posting. That was 7 hours ago. I have had 23 hits to the new post since then, with 11 of them clicking through to Amazon.

It is a review on a $48 piece of exercise equipment and the keyword is

Name-Of-2-Word-Product Review

All thanks to this plugin.

Just remember not to abuse it.

There are 2 possible ways this plugin could cause you harm.

1. If you put a lot of keywords under your post. 50 - 100 keywords means keyword stuffing.

2. If you put a lot of keywords and link them to the WordPress search page, then it could generate a lot of additional pages in Google's index, which is considered duplicate content. This second technique itself, combined with certain scripts, could lead to auto-generated content type sites. Matt Cutts himself said it is better to at least put "noindex" on search result pages.
(search for "search result in search result" on Google, I can't post links yet)

This plugin is powerful. If you use it well, it will bring good, but if you abuse it you will only get harm.

I agree to use only 5-7 keywords and link them back to the original page URL.

I set up my STT2 as plain text that looks exactly like WP-Tags; the styling is the exact same as my WP-Tags CSS.

I then place 7 STT2 keywords at the end of my single WP-Tags list on every single internal page.

So in all I have 8 keywords per page max: 1 WP-Tag, 7 plain text.

I haven't found any of my thousands of pages' main keywords to drop in the SERPs.

I do heavy on-page SEO for each page on all my sites.

All I know is this plugin is working great for me, so I'm not changing anything in the plain-text settings in the plugin admin.