How to install CSF Firewall on Virtuozzo – Cannot log in to the server after CSF installation on a VPS

March 14, 2010 on 4:33 am | In Cpanel, Installation, Linux | No Comments

CSF is a powerful firewall for Linux and cPanel servers. Here are the steps to get it working on a Virtuozzo VPS.

Installation

rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

After the installation you will need to customize CSF to run on VPS:

edit /etc/sysconfig/iptables and add

-A FORWARD -j ACCEPT -p all -s 0/0 -i venet0
-A FORWARD -j ACCEPT -p all -s 0/0 -o venet0
-A INPUT -i venet0 -j ACCEPT
-A OUTPUT -o venet0 -j ACCEPT

create the file /etc/csf/csfpre.sh and enter all the extra rules directly into it, prefixed with "iptables", so the contents of that file look something like:

iptables -A INPUT -i venet0 -j ACCEPT
iptables -A OUTPUT -o venet0 -j ACCEPT
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i venet0
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o venet0

edit the /etc/csf/csf.conf file and search for

ETH_DEVICE = ""

change to

ETH_DEVICE = "venet+"

Restart

/usr/sbin/csf -r

LOCKOUT ISSUES FOR CSF WHEN INSTALLED IN A VPS, or: Cannot log in to the server after CSF installation on a VPS

If the required iptables modules are not loaded into the container, you may lock yourself out after the installation. If you have access to the hardware node, you can perform the following steps yourself to get the VPS working again; otherwise ask your VPS provider to perform them on the hardware (main) node.

Before enabling iptables in the VPS, make sure the iptables modules are enabled on the hardware node. To do so, edit the /etc/sysconfig/iptables-config file on the Virtuozzo hardware node, look for the IPTABLES_MODULES= parameter and set it as follows.

IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

Also edit the /etc/sysconfig/vz file on the hardware node, look for the IPTABLES= parameter and change it to the following.

IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

Now the hardware node is ready. Next, enable the iptables modules for the VPS container itself. The container has to be stopped while its configuration is changed.
(CID is the container ID. You can find the value for each container with the command vzlist -a)

vzctl stop CID

vzctl set CID --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save

vzctl set CID --numiptent 2000 --save

vzctl start CID

Now try logging in to your VPS again and restart CSF. It should start working fine.
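Because the lockout happens only after csf -r has already replaced the rules, it is worth checking from inside the container that every module the post lists is actually available before restarting CSF. The following script is an added example, not part of CSF or Virtuozzo: it compares the post's module list with what the container exposes in /proc/modules (the data lsmod prints), and generates the matching vzctl arguments from the same list so the two cannot drift apart. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of CSF or Virtuozzo): pre-flight check to run inside
# the container before "csf -r", so a missing iptables module is found before it
# locks you out. Assumes the module list from the post and a readable
# /proc/modules inside the container.

# The modules the post enables on the hardware node and passes to vzctl.
REQUIRED_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit \
ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl \
ipt_length ipt_state iptable_nat ip_nat_ftp"

# missing_modules "LOADED": print the required modules not found in the
# space-separated list LOADED. Module names are case-sensitive: ipt_tos and
# ipt_TOS are different modules, so a case-insensitive match would hide a gap.
missing_modules() {
    loaded=" $1 "
    missing=""
    for m in $REQUIRED_MODULES; do
        case "$loaded" in
            *" $m "*) ;;
            *) missing="$missing $m" ;;
        esac
    done
    echo "${missing# }"
}

# loaded_modules [FILE]: module names from /proc/modules (or FILE), which has
# one module per line with the name in the first column, returned as one
# space-separated list.
loaded_modules() {
    awk '{ printf "%s ", $1 }' "${1:-/proc/modules}"
}

# vzctl_iptables_args: the "--iptables NAME" arguments the post passes to
# "vzctl set CID ... --save", generated from REQUIRED_MODULES.
vzctl_iptables_args() {
    args=""
    for m in $REQUIRED_MODULES; do
        args="$args --iptables $m"
    done
    echo "${args# }"
}

# Run the check when executed inside a container; skip quietly elsewhere.
if [ -r /proc/modules ]; then
    missing=$(missing_modules "$(loaded_modules)")
    if [ -n "$missing" ]; then
        echo "Not loaded in this container: $missing"
        echo "Ask the hardware node admin to run: vzctl set CID $(vzctl_iptables_args) --save"
    else
        echo "All required iptables modules are present; safe to run csf -r"
    fi
fi
```

Run it as root inside the VPS; if it reports missing modules, send the printed vzctl line (with the real CID) to whoever administers the hardware node and hold off on csf -r until the container has been restarted with them.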

Descriptions and Functions

======================

csf+lfd works on all Linux servers on the Operating Systems listed above, with or without cPanel

This suite of scripts provides:

  • Straight-forward SPI iptables firewall script
  • Daemon process that checks for login authentication failures for:
    • Courier imap, Dovecot, uw-imap, Kerio
    • openSSH
    • cPanel, WHM, Webmail (cPanel servers only)
    • Pure-ftpd, vsftpd, Proftpd
    • Password protected web pages (htpasswd)
    • Mod_security failures (v1 and v2)
    • Suhosin failures
    • Exim SMTP AUTH
    • Custom login failures with separate log file and regular expression matching
  • POP3/IMAP login tracking to enforce logins per hour
  • SSH login notification
  • SU login notification
  • Excessive connection blocking
  • WHM configuration interface (cPanel servers only) or through Webmin
  • WHM iptables report log (cPanel servers only)
  • Easy upgrade between versions from within WHM (cPanel servers only) or through Webmin
  • Easy upgrade between versions from shell
  • A standard Webmin Module to configure csf is included in the distribution ready to install into Webmin – csfwebmin.tgz
  • Pre-configured to work on a cPanel server with all the standard cPanel ports open (cPanel servers only)
  • Auto-configures the SSH port if it’s non-standard on installation
  • Block traffic on unused server IP addresses – helps reduce the risk to your server
  • Alert when end-user scripts send excessive emails per hour – for identifying spamming scripts
  • Suspicious process reporting – reports potential exploits running on the server
  • Excessive user processes reporting
  • Excessive user process usage reporting and optional termination
  • Suspicious file reporting – reports potential exploit files in /tmp and similar directories
  • Directory and file watching – reports if a watched directory or a file changes
  • Block traffic on the DShield Block List and the Spamhaus DROP List
  • BOGON packet protection
  • Pre-configured settings for Low, Medium or High firewall security (cPanel servers only)
  • Works with multiple ethernet devices
  • Server Security Check – Performs a basic security and settings check on the server (cPanel servers only)
  • Allow Dynamic DNS IP addresses – always allow your IP address even if it changes whenever you connect to the internet
  • Alert sent if server load average remains high for a specified length of time
  • mod_security log reporting (if installed)
  • Email relay tracking – tracks all email sent through the server and issues alerts for excessive usage (cPanel servers only)
  • IDS (Intrusion Detection System) – the last line of detection alerts you to changes to system and application binaries
  • SYN Flood protection
  • Ping of death protection
  • Port Scan tracking and blocking
  • Permanent and Temporary (with TTL) IP blocking
  • Exploit checks
  • Account modification tracking – sends alerts if an account entry is modified, e.g. if the password is changed or the login shell
  • Shared syslog aware
  • New in v4: Messenger Service – Allows you to redirect connection requests from blocked IP addresses to preconfigured text and html pages to inform the visitor that they have been blocked in the firewall. This can be particularly useful for those with a large user base and help process support requests more efficiently
  • New in v4: Country Code blocking – Allows you to deny or allow access by country – Powered by IPDENY.COM IP database
  • New in v4: Port Flooding Detection – Per IP, per Port connection flooding detection and mitigation to help block DOS attacks

/sbin/hotplug: no runnable /etc/hotplug/aaaa.agent is installed in /var/log/messages

February 21, 2010 on 11:32 am | In Centos, Linux, Ubuntu | No Comments

Hi guys,

You might have seen this error being logged in /var/log/messages. Searching around points to the loaded kernel as the cause.

Before going for an upgrade, just confirm the following.

Check whether the following files are present.

/lib/modules/*/modules.*map      depmod output
/proc/sys/kernel/hotplug         specifies hotplug program path
/sbin/hotplug                    hotplug program (default path name)
/etc/hotplug/*                   hotplug files
/etc/hotplug/NAME.agent          hotplug subsystem-specific agents
/etc/hotplug/NAME*               subsystem-specific files, for agents
/etc/hotplug/usb/                depmod data for user-mode drivers

Now try the following before a kernel upgrade: make the agents executable, then watch the log.

chmod 755 /etc/hotplug/*.agent
tail -f /var/log/messages

The issue should be fixed by now. If the message still appears in /var/log/messages, you will need to go for a kernel upgrade.
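The checklist above is easy to script, so the "no runnable agent" message can be traced to a concrete missing file or missing execute bit before a kernel upgrade is considered. This is an added example, not code from the original post: it checks that the program named in /proc/sys/kernel/hotplug exists and is executable, that every /etc/hotplug/*.agent is executable, and that depmod output exists under /lib/modules. The optional ROOT argument is this example's own addition so the check can be run against a copied tree.

```shell
#!/bin/sh
# Added example (not from the original post): one-shot check of the hotplug
# pieces listed above. ROOT (default "", i.e. the live system) is a hypothetical
# parameter that lets the same check run against a copy of the filesystem.

# hotplug_check [ROOT]: print one finding per line; print nothing if all is well.
hotplug_check() {
    root="${1:-}"

    # 1. The kernel must point at an existing, executable hotplug program.
    if [ -r "$root/proc/sys/kernel/hotplug" ]; then
        prog=$(cat "$root/proc/sys/kernel/hotplug")
    else
        prog=/sbin/hotplug          # the default path name from the list above
    fi
    [ -x "$root$prog" ] || echo "hotplug program $prog missing or not executable"

    # 2. Each subsystem agent must exist and be executable (mode 755 in the post).
    found=0
    for agent in "$root"/etc/hotplug/*.agent; do
        [ -e "$agent" ] || continue
        found=1
        [ -x "$agent" ] || echo "agent not executable: ${agent#$root}"
    done
    [ $found -eq 1 ] || echo "no agents in /etc/hotplug"

    # 3. depmod output must exist for at least one kernel, or modules cannot load.
    for mapfile in "$root"/lib/modules/*/modules.dep; do
        [ -e "$mapfile" ] && return 0
    done
    echo "no modules.dep under /lib/modules (run depmod -a)"
}

# Usage on the live system:
#   hotplug_check
```

If the only finding is "agent not executable", the chmod 755 from the post is the complete fix and no kernel upgrade is needed.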

Thank you guys..

How to change the MySQL database directory to another partition in cPanel. /var partition full

January 7, 2010 on 1:09 pm | In Centos, Cpanel, Linux, Mysql | No Comments

Hi guys,

You might have faced the issue of the /var partition getting full regularly because of the database directory. If you have a larger partition with free space, it is possible to move the database directory to that partition.

Here are the steps

Switch off the database server while we move the databases.

/etc/rc.d/init.d/mysql stop

I am assuming that I have enough space in the /home partition, so the new database data directory will be /home/mysql.

It is better to copy the database first rather than move it.

cp -pr /var/lib/mysql /home
mv /var/lib/mysql /var/lib/mysql-bk

We copy the database to the new location rather than moving it so that, if anything goes wrong, the settings can be reverted with minimal downtime.

Move to /tmp and point the socket symlink at the new location

cd /tmp
unlink mysql.sock
ln -s /home/mysql/mysql.sock /tmp/mysql.sock

Take a backup of /etc/my.cnf

Now edit /etc/my.cnf

vi /etc/my.cnf

add the line
datadir=/home/mysql

If the socket file is specified, comment it out.

Now create a symlink at /var/lib/mysql pointing to the new directory

ln -s /home/mysql /var/lib/mysql

(Please note that you should not specify the socket file location in my.cnf, since it causes issues with phpMyAdmin)

For a cPanel server, edit the phpMyAdmin configuration.
Take a backup of "/usr/local/cpanel/base/3rdparty/phpMyAdmin/config.inc.php"

edit this file /usr/local/cpanel/base/3rdparty/phpMyAdmin/config.inc.php
vi /usr/local/cpanel/base/3rdparty/phpMyAdmin/config.inc.php

Add the following lines. If they already exist, edit them as below.
(connect_type is usually "tcp"; change it to "socket")

$cfg['Servers'][$i]['socket'] = '/home/mysql/mysql.sock';
$cfg['Servers'][$i]['connect_type'] = 'socket';

Now start the database server.

/etc/rc.d/init.d/mysql start

If it starts fine, you are done. Check the database connections of your site.
You can now remove the directory /var/lib/mysql-bk
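Two of the steps above are where a slip is costly: renaming /var/lib/mysql before the copy has really finished, and editing my.cnf by hand. The following helpers are an added example, not code from the original post: verify_copy compares the copy with the original (file count and total bytes) before the original is renamed, and set_datadir makes the my.cnf edit idempotent, adding or replacing datadir in the [mysqld] section and commenting out any socket= line as the post requires for phpMyAdmin. The paths are the post's defaults; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): safety checks around the copy
# and the my.cnf edit in the procedure above.

# verify_copy SRC DST: succeed only if DST holds the same number of regular
# files and the same total number of bytes as SRC. A cheap check that
# "cp -pr /var/lib/mysql /home" completed before /var/lib/mysql is renamed.
verify_copy() {
    src_n=$(find "$1" -type f | wc -l | tr -d ' ')
    dst_n=$(find "$2" -type f | wc -l | tr -d ' ')
    src_b=$(find "$1" -type f -exec cat {} + | wc -c | tr -d ' ')
    dst_b=$(find "$2" -type f -exec cat {} + | wc -c | tr -d ' ')
    [ "$src_n" -eq "$dst_n" ] && [ "$src_b" -eq "$dst_b" ]
}

# set_datadir FILE DIR: point the [mysqld] section of FILE at DIR and comment
# out any socket= line there. Keeps a FILE.bak copy (the backup the post asks
# for) and can be run repeatedly without duplicating lines.
set_datadir() {
    cnf="$1"; dir="$2"
    cp -p "$cnf" "$cnf.bak"
    awk -v dir="$dir" '
        # Section header: if we are leaving [mysqld] without having written
        # datadir, write it first; then note whether the new section is [mysqld].
        /^\[/ { if (in_mysqld && !done) { print "datadir=" dir; done = 1 }
                in_mysqld = ($0 == "[mysqld]") }
        # Existing datadir inside [mysqld]: replace it.
        in_mysqld && /^ *datadir *=/ { print "datadir=" dir; done = 1; next }
        # socket= inside [mysqld]: comment it out (phpMyAdmin issue, see above).
        in_mysqld && /^ *socket *=/  { print "#" $0; next }
        { print }
        # No datadir written yet: append one (and a [mysqld] header if needed).
        END { if (!done) { if (!in_mysqld) print "[mysqld]"; print "datadir=" dir } }
    ' "$cnf.bak" > "$cnf"
}

# Usage, following the order of the post (run as root, with MySQL stopped):
#   cp -pr /var/lib/mysql /home
#   verify_copy /var/lib/mysql /home/mysql || { echo "copy incomplete"; exit 1; }
#   mv /var/lib/mysql /var/lib/mysql-bk
#   set_datadir /etc/my.cnf /home/mysql
```

Run verify_copy before the mv, not after: while /var/lib/mysql-bk is still the original, a failed check costs nothing but a second cp.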

Suggestions, questions are welcome.

[Fixed] configure Ubuntu BSNL EVDO connection. Ubuntu 9.04 and 9.10 wvdial missing from Ubuntu.

December 21, 2009 on 12:52 pm | In Linux, Ubuntu | 1 Comment

Hi guys,

I am not sure why the Ubuntu guys left the wvdial package out of the latest distributions. In fact, most 3G wireless internet connections use a PPP connection through wvdial. To install the wvdial package you also need to install some dependencies.
After some research, I have found the exact packages and the order to install them. Here are the steps to install wvdial on Ubuntu. You need to download the packages onto a thumb drive so that you can copy them to the Ubuntu machine.

Download wvdial and its dependencies from the following link: Download.

Copy this package to your thumb drive from the machine which has an internet connection and connect it to the Ubuntu machine.

Assuming that you have copied the package from your thumb drive to /usr/local/src on the Ubuntu machine, perform the following steps in exactly the order given below.

sudo su    (type in the admin password)

cd /usr/local/src/
tar -zxvf wvdial-ubuntu-wholepkg.tar.gz
cd wvdial-ubuntu-wholepkg

dpkg -i libxplc0.3.13_0.3.13-1build1_i386.deb
dpkg -i libwvstreams4.4-base_4.4.1-0.2ubuntu2_i386.deb
dpkg -i libwvstreams4.4-extras_4.4.1-0.2ubuntu2_i386.deb
dpkg -i libuniconf4.4_4.4.1-0.2ubuntu2_i386.deb
dpkg -i wvdial_1.60.1+nmu2_i386.deb

Success!  You can run "wvdial" to connect to the internet.
(You can also change your configuration by editing /etc/wvdial.conf)
Processing triggers for man-db ...

For BSNL EVDO users, edit the /etc/wvdial.conf file to add your username, password and phone number (also uncomment those lines by removing the ; from the start of each directive). Also add the following line

Stupid Mode = 1

to wvdial.conf file.

Use the command “wvdial” to connect to the internet. If the modem is not installed or not detected, you need to fix it first.

Please update me guys, if you need any further help.

Starting sshd:PRNG is not seeded

March 23, 2009 on 4:51 am | In Centos, Linux | 2 Comments

You might have received this error when restarting sshd.

#/etc/rc.d/init.d/sshd restart

Stopping sshd: [ OK ]

Starting sshd:PRNG is not seeded

[FAILED]

Here is the fix.

cd /dev/

./MAKEDEV generic

Now try starting SSH. :)
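The "PRNG is not seeded" message means OpenSSL could not read the kernel's random devices, which is why recreating /dev fixes it. Before running MAKEDEV on a busy server it helps to confirm that this is really the cause: /dev/random and /dev/urandom must exist and be character devices (on Linux, major 1 with minors 8 and 9); a node that is missing, or that a careless restore turned into a plain file, gives the same error. The following check is an added example, not code from the original post; its function names and output words are its own.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the entropy devices sshd
# depends on before recreating /dev with MAKEDEV.

# check_dev_node PATH: print "ok" for a character device, "missing" if PATH does
# not exist, and "not-a-char-device" for anything else (e.g. a regular file left
# behind by a restore that did not preserve device nodes).
check_dev_node() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -c "$1" ]; then
        echo ok
    else
        echo not-a-char-device
    fi
}

# prng_devices_ok: succeed only when both /dev/random and /dev/urandom are
# real character devices.
prng_devices_ok() {
    [ "$(check_dev_node /dev/random)" = ok ] && [ "$(check_dev_node /dev/urandom)" = ok ]
}

if prng_devices_ok; then
    echo "entropy devices present; sshd should start"
else
    echo "/dev/random: $(check_dev_node /dev/random), /dev/urandom: $(check_dev_node /dev/urandom)"
    echo "recreate them with: cd /dev && ./MAKEDEV generic"
    echo "or just the two nodes: mknod -m 666 /dev/random c 1 8; mknod -m 666 /dev/urandom c 1 9"
fi
```

When the report says "not-a-char-device", remove the offending file first; MAKEDEV and mknod will not replace an existing regular file.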

Error : tty device not owned by group ‘tty’

March 20, 2009 on 2:07 am | In Centos, Cpanel, Linux | No Comments

You might receive this error when you try to restart services in cPanel.

This is because the tty devices are not owned by group "tty".

Change it to tty.

chgrp tty /dev/ttyp* /dev/ptyp* /dev/vcs* /dev/ptmx /dev/pts/0

as simple as that.:)

How to disable ping… in Linux servers

December 14, 2008 on 12:44 pm | In Cpanel, Linux | No Comments

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Or add the line

net.ipv4.icmp_echo_ignore_all = 1
in /etc/sysctl.conf (the echo to /proc takes effect at once but is lost at reboot; the sysctl.conf line persists and is applied with sysctl -p)

To re-enable ping
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Or add the line

net.ipv4.icmp_echo_ignore_all = 0
in /etc/sysctl.conf

Alternatively, we can use iptables to disable ping. Note that this rule drops all ICMP, not only echo requests; to drop only pings, match them with -p icmp --icmp-type echo-request instead.
# iptables -A INPUT -p icmp -j DROP

/usr/java/jdkX.X.X_Xbin/java: not found + Install Java on Linux servers

October 19, 2008 on 8:20 pm | In Apache, Centos, Cpanel, Installation, Linux | No Comments

In some cases, third-party scripts on the server require Java to be installed, and they may not work properly even if only the java binary is installed on the server. You need to install the Java SDK.

So we present here the installation of Java in Linux server.

It is as easy as running upcp on a cPanel server.

Download the installation binary from Sun's Java site

J2SE for Linux http://java.sun.com/j2se/1.4.2/download.html.( Download J2SE SDK)

You may need to register at the site, and they will then send you the download link. Download the non-RPM binary.

cd /usr/local/src/

wget thebinary

mv j2sdk-1_4_2_18-linux-i586.bin /usr/local/

cd /usr/local/

chmod 755 j2sdk-1_4_2_18-linux-i586.bin

./j2sdk-1_4_2_18-linux-i586.bin

Now setup the environment variables.

JAVA_HOME=/usr/local/j2sdk1.4.2_18

export JAVA_HOME

Also, you need to add these in the file /etc/profile.

JAVA_HOME=/usr/local/j2sdk1.4.2_18

export JAVA_HOME

How to install BFD

October 11, 2008 on 9:36 am | In APF, Centos, Linux | No Comments

What is BFD (Brute Force Detection)?


BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet and likewise it is very straight-forward in its installation, configuration and usage. The reason behind BFD is very simple; the fact there is little to no authentication and brute force auditing programs in the linux community that work in conjunction with a firewall or real-time facility to place bans. BFD is available at: http://www.rfxnetworks.com/bfd.php

This guide will show you how to install and configure BFD to protect your system from brute force hack attempts.

Requirements:
- You MUST have APF Firewall Installed before installing BFD – it works with APF and requires some APF files to operate.
- Root SSH access to your server


Login to your server through SSH and su to the root user.

1. cd /usr/local/src/

Article provided by WebHostGear.com

2. wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

3. tar -xvzf bfd-current.tar.gz

4. cd bfd-*

5. Run the install file: ./install.sh
You will receive a message saying it has been installed

.: BFD installed
Install path:    /usr/local/bfd
Config path:     /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd

6. Edit the configuration file: vi /usr/local/bfd/conf.bfd

7. Enable brute force hack attempt alerts:

Find: EMAIL_USR="root" CHANGE TO: EMAIL_USR="your@yourdomain.com"

Save the changes

8. Prevent locking yourself out!
vi /usr/local/bfd/ignore.hosts and add your own trusted IPs
Save the changes

9. Run the program!
/usr/local/sbin/bfd -s

10. Customize your applications' brute force configuration
Check out the rules directory in your /usr/local/bfd

Here you'll find all kinds of pre-made rules for popular services such as Apache and ProFTPD. w00t!
If you have any clue about shell scripting you can customize them or create new rules for better brute force detection and prevention.
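Step 8 is the one that bites: an ignore.hosts that does not contain the address you are logged in from lets BFD ban you on your own failed logins. The following script is an added example, not part of BFD: it reads the client address of the current SSH session from the SSH_CONNECTION variable that sshd sets ("client_ip client_port server_ip server_port") and appends it to ignore.hosts only if it is not already listed, so it can be run before every bfd -s. The ignore file path is the post's; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of BFD): make sure the address you administer from
# is in ignore.hosts before starting BFD. Assumes BFD's one-IP-per-line format
# and the install path from the post.

IGNORE_FILE="${IGNORE_FILE:-/usr/local/bfd/ignore.hosts}"

# ssh_client_ip: the address of the current SSH session (first field of
# SSH_CONNECTION), or nothing when run from a local console.
ssh_client_ip() {
    set -- ${SSH_CONNECTION:-}
    [ $# -ge 1 ] && echo "$1"
}

# in_ignore_list IP FILE: true if IP is already listed as a whole line
# (comment lines skipped; -F so the dots are not treated as wildcards and
# 10.0.0.1 does not match 10.0.0.10).
in_ignore_list() {
    grep -v '^[[:space:]]*#' "$2" 2>/dev/null | grep -qxF -- "$1"
}

# ensure_ignored IP [FILE]: add IP to FILE once; print what was done.
# Refuses an empty IP so a console session never appends a blank line.
ensure_ignored() {
    ip="$1"; file="${2:-$IGNORE_FILE}"
    if [ -z "$ip" ]; then
        echo "no client IP (local console?), nothing added"
        return 1
    fi
    if in_ignore_list "$ip" "$file"; then
        echo "$ip already in $file"
    else
        echo "$ip" >> "$file"
        echo "added $ip to $file"
    fi
}

# Usage, as root, right before "/usr/local/sbin/bfd -s":
#   ensure_ignored "$(ssh_client_ip)"
```

If you connect from a dynamic address, run this at the start of each session; BFD re-reads ignore.hosts on every run, so the new entry takes effect at the next bfd -s.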

top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: Error 40

May 14, 2008 on 3:44 am | In Centos, Linux | 1 Comment

This error is received when the top command is executed.

top
top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: Error 40

Fix.

locate libncurses.so.5

lib/libncurses.so.5
/usr/lib/libncurses.so.5
/usr/lib/libncurses.so.5.5

create symlinks
ln -s /lib/libncurses.so.5 /lib/libncurses.so.4
ln -s /usr/lib/libncurses.so.5 /usr/lib/libncurses.so.4

The location may differ on your system. Just create a symlink from libncurses.so.4 to libncurses.so.5.

Reload the shared library cache
ldconfig
