All posts by Aaron N

05Jan/18

Critical Intel CPU Bug – Meltdown and Spectre Vulnerabilities

CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. Earlier this week a serious security problem, a CPU bug, was found in Intel, AMD and ARM CPUs. According to several teams, including Google Project Zero, CPU data cache timing can be abused efficiently to leak information out of mis-speculated execution, leading (at worst) to arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. These vulnerabilities are known as ‘Meltdown’ and ‘Spectre’.

You can read more about the attack at this link.

There are 3 known variants of this CPU bug:
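As an added defensive check (not part of the original post), the script below reads the per-issue status files that Linux kernels from 4.15 onwards expose under /sys/devices/system/cpu/vulnerabilities and flags anything still reported as vulnerable; this is how an administrator confirms that the kernel mitigations for Meltdown and Spectre are actually active on a host.

```shell
#!/bin/sh
# Added example (not from the original post): read the Linux kernel's own
# verdict on Meltdown/Spectre for this host. Kernels from 4.15 on publish one
# file per issue under /sys/devices/system/cpu/vulnerabilities (meltdown,
# spectre_v1, spectre_v2, ...); older kernels have no such directory.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status "<file contents>" -> not_affected | mitigated | vulnerable | unknown
classify_status() {
  case "$1" in
    "Not affected"*) echo not_affected ;;
    "Mitigation:"*)  echo mitigated ;;
    "Vulnerable"*)   echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# report_cpu_vulns: prints one line per issue; returns 1 if any issue is
# still unmitigated, 2 if this kernel does not report mitigation status.
report_cpu_vulns() {
  rc=0
  if [ ! -d "$VULN_DIR" ]; then
    echo "$VULN_DIR missing: kernel too old to report mitigation status" >&2
    return 2
  fi
  for f in "$VULN_DIR"/*; do
    detail=$(cat "$f" 2>/dev/null) || continue
    state=$(classify_status "$detail")
    [ "$state" = vulnerable ] && rc=1
    printf '%-22s %-13s %s\n' "$(basename "$f")" "$state" "$detail"
  done
  return $rc
}

report_cpu_vulns
```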

14Jan/17

Repair crashed MySQL databases on LINUX servers

How to repair MySQL databases and tables

This article explains how to repair MySQL databases and tables. MySQL ships with tools that we can use to repair databases and tables.

It is common for a database to become corrupted for many reasons, for example because it was not restored properly or because the server was rebooted while the database was being updated. We can check and repair a table, or the corresponding database, in a few steps with the mysqlcheck command.

Before running mysqlcheck, take a current MySQL backup so that if any issue occurs we can revert to a stable state. The specific thing to keep in mind is that the mysqlcheck commands below work on the InnoDB database engine.

Change to the MySQL data directory:

cd /var/lib/mysql

InnoDB Engines

To use mysqlcheck on InnoDB tables, follow the steps below.

To check all databases:

mysqlcheck -c -u root -p --all-databases

To check a specific database (this checks all the tables in the named database):

mysqlcheck -c "DATABASE name" -u root -p

To check a specific table in a database:

mysqlcheck -c "DATABASE name" "TABLE name" -u root -p

If a table passes the check, mysqlcheck prints “OK” next to it.

If the check reports an error for a table, we can repair it with the following command:

 mysqlcheck -r "DATABASE name" "Table name" -u root -p

Repair and optimization of tables for all databases

There is a simple command to automatically check, repair and optimize all tables in all databases on a MySQL server running on Linux/Unix/BSD:

 mysqlcheck -u root -p --auto-repair --check --optimize --all-databases
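An added example (not from the original article) that turns the check step into a targeted repair: it parses mysqlcheck -c output for tables that did not report OK and runs mysqlcheck -r only on those. It assumes the standard output layout (a padded “db.table OK” line, or the table name alone followed by “error/warning/note/status : text” lines); the sample output is constructed.

```shell
#!/bin/sh
# Added example (not part of the original article): find the tables that
# mysqlcheck -c did not pass, so only those are fed to mysqlcheck -r.
# Assumes the usual mysqlcheck output: "db.table   OK" on one line, or the
# table name alone followed by "error|warning|note|status : text" lines.

# failed_tables < mysqlcheck-output  -> one "db.table" per line
failed_tables() {
  awk '
    NF == 1 { table = $1; next }            # bare name: detail lines follow
    NF == 2 && $2 == "OK" { next }         # clean table, one line
    $1 == "error" && table != "" { bad[table] = 1 }
    END { for (t in bad) print t }
  ' | sort
}

# repair_failed <output-file>: run mysqlcheck -r for each failing table.
# Set DRY_RUN=1 to print the commands instead of running them.
repair_failed() {
  failed_tables < "$1" | while IFS= read -r fq; do
    db=${fq%%.*}; tbl=${fq#*.}
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "mysqlcheck -r -u root -p \"$db\" \"$tbl\""
    else
      mysqlcheck -r -u root -p "$db" "$tbl"
    fi
  done
}

# Constructed sample of mysqlcheck -c output for demonstration:
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
mysql.db                                           OK
shop.orders
error    : Table './shop/orders' is marked as crashed and should be repaired
shop.customers
warning  : 1 client is using or hasn't closed the table properly
status   : OK
shop.products                                      OK
EOF

DRY_RUN=1 repair_failed "$SAMPLE"
```

mysqlcheck -r issues REPAIR TABLE, which InnoDB does not support, so for InnoDB tables the repair step only reports that and recovery falls back to the backup taken before running mysqlcheck.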

MyISAM Engines

To check and repair MyISAM tables, follow the steps below.

If we are using the MyISAM storage engine for MySQL, we can use the myisamchk command to repair tables.

The myisamchk command only works on databases or tables that use the MyISAM engine; it does not work with the InnoDB engine. It operates directly on the table files, so the server should not have those tables open while it runs.

The mysqlcheck program, by contrast, lets us check and repair databases while MySQL is running, which is useful when we want to work on MySQL without stopping it.

To check a single MyISAM table:

myisamchk "table name"

To check all the tables under the database:

myisamchk *.MYI

To repair a table with myisamchk:

myisamchk --recover "table name"

After the repair, check the table again and confirm the fix.

The above commands will help you troubleshoot MySQL database and table repair.

05Dec/16

Install and Configure Mod-Pagespeed on Linux servers

Mod-Pagespeed is an Apache/Nginx web-server module that speeds up your website by applying filters that automatically optimize files: reducing the number of requests the browser has to make to fetch web files, reducing the size of those files, and optimizing how long those files are cached. In this article we show how to install and configure Google‘s mod-pagespeed module for Apache and Nginx web servers on RHEL/CentOS/Fedora and Debian/Ubuntu systems.

27Oct/16

cPanel to Plesk Migration

cPanel to Plesk – how to migrate a hosting account?

Migration from cPanel to Plesk

Plesk and cPanel have different business models and features, which requires migrated objects to be converted during deployment on the destination server. Here I describe how to migrate a cPanel hosting account to Plesk.

For example: parked domains in cPanel become domain aliases in Plesk.

Some objects and settings will not migrate, due to technical limitations.

For example: encrypted FTP user passwords in cPanel will not migrate to Plesk. Plesk generates new passwords for FTP users during the deployment process and reports them in the migration results report.

This article explains the process of migrating accounts from cPanel to Plesk control panel using the Plesk Migration & Transfer Manager tool.

Plesk’s built-in Migration Manager is available only on recent versions of Plesk, such as 11.0, 11.5, 12.0 and 12.5.

Open the Migration & Transfer Manager in the Plesk GUI:

Tools & Settings > Migration & Transfer Manager, then click the Start New Migration button.

Step 1:

In the first step of the migration wizard, enter the source server hostname (or IP address), the SSH port, and the root user password. Then choose whether to migrate the whole server or to perform a selective migration.

Leave the Use rsync transport option enabled; this improves the speed and reliability of the data transfer and lowers the free disk space requirements on both the source and the destination servers.

Migration Settings

You can specify the location of temporary migration data on the source (Migration & Transfer Agent upload path) and destination (Temporary Files Location) servers. If the source server hosts large databases or the Use rsync transport option has been disabled, choose paths with enough free disk space.

Step 2:

If selective migration was chosen in the previous step, the Migration & Transfer Manager wizard presents a list of the accounts on the source server, each with a checkbox to select.

Additionally, you can choose the options to transfer all data, mail only, or everything except mail. By default, all data will migrate.

Step 3:

The next step, IP address mapping, lets you choose an IP mapping scheme, i.e. which IP addresses the domains will have on the destination server, based on the IP addresses they had on the source server.

Two or more shared IP addresses can be mapped to a single shared IP address on the Plesk server, but dedicated IP addresses can only be mapped one-to-one.

IP addresses will be changed in the domains’ DNS records and hosting setup during deployment.


Step 4:

After that, the migration starts. Progress can be monitored on the Migration & Transfer Manager screen. On completion, the Migration & Transfer Manager reports the overall status of the migration (Completed or Completed with errors).

If the migration finishes with errors, links to view or download the migration results report will be available on the migration process screen. To access it, click on the source server’s hostname in the list of migrations.

For migration assistance, you can contact us. We also manage cPanel and Plesk servers at the lowest rates; see our cPanel Server Management page for details.

20Oct/16

Configuring Postfix to block all emails except those for specified email accounts

Configuring Postfix to block all emails except those for the specified email accounts.

If you need Postfix to deliver mail only to a particular domain, you can follow the steps below.

Use a transport map

Here we tell the Postfix mail server which mail to deliver and which to disregard. For this we need to edit the Postfix configuration file.

Make sure to back up the config files before editing, so that the original files can be restored if any error occurs while editing. You can take the backup like this:

#cp -p /etc/postfix/main.cf /etc/postfix/main.cf.original
#vi /etc/postfix/main.cf

Add the line below to the configuration:

transport_maps = hash:/etc/postfix/transport

Now we need to edit the file /etc/postfix/transport

#vi /etc/postfix/transport

Here, add the domain to which mail may still be sent. The transport field for example.com is left empty, so the default transport is used, and the wildcard entry sends everything else to the discard transport:

example.com :
* discard:

This simply discards messages to any email address that is not in the domain example.com. Discarded mail is dropped silently, so if you would rather reject it with an error, use the following instead (set the error text to suit your needs).

You can add it like this:

example.com :
* error: Not allowed for all domains

Additional domains can be listed after example.com (one line per domain).

Save the file.

Now we need to build the hash lookup table from the file (unless you used texthash in main.cf):

postmap /etc/postfix/transport

Reload Postfix for the changes to take effect:

/etc/init.d/postfix reload

27Sep/16

Secure your domain with Let’s Encrypt

Introduction

Let’s Encrypt is a new free certificate authority, launched on April 12, 2016, that provides free X.509 certificates for Transport Layer Security (TLS) encryption through an automated process designed to eliminate the current complex process of manual creation.

Advantages:

  • Before Let’s Encrypt was made available to webmasters, obtaining a certificate for https meant spending a fair sum of money with a trusted CA (certificate authority) to gain the ability to encrypt traffic for your website.
  • Let’s Encrypt has completely changed the process of adding an SSL certificate to your website. Not only have they made access to a certificate completely free, they have also made sure both the installation process and the ability to update your certificate are as simple as possible. This means website owners can offer the benefits of https to their site visitors without the need to spend extra cash. Traffic going to any website using Let’s Encrypt is, in essence, protected.
  • Installing and setting up a certificate is as simple as possible. On a Linux server, for example, one can rely on the EFF’s Certbot to install a Let’s Encrypt certificate by simply copying and pasting a few lines. For installation, simply wget the download and chmod the permissions as prescribed by the Certbot site.
  • Then run Certbot with the appropriate option (apache, for example). For those who are concerned about Certbot making sweeping changes to their server configuration, you can also run the tool in certificate-only mode and make the server changes manually after the installation.
  • What really makes using Certbot awesome is that it lets you test automatic certificate renewal in a testing environment instead of doing so “live!” As an added bonus, Certbot supports both Apache and Nginx on various Linux distributions.

Disadvantages:

  • The biggest problem with Let’s Encrypt is that it democratizes access to https for any website. Yes, on the surface this should in fact be a positive thing that we’re celebrating. Unfortunately human nature comes into play here. When most people (non-geeks/non-IT) see https, immediate and unwavering trust is implied.
  • Even though Let’s Encrypt merely provides encryption for your website, most people visiting it will give it the same level of trust as websites with the “green bar” https (Extended Domain Validation), which includes the company name next to the padlock in the address bar.
  • This means that even though identity isn’t actually verified at the same level as a green-bar https website, most site visitors won’t really know the difference. This is terrifying and we should be concerned about it. What most people don’t realize is that a secure connection to an untrustworthy website doesn’t mean it’s safe to use.
  • To add further concern, there’s very little preventing malware distributors from using Let’s Encrypt certificates to make malware distribution websites look more official. Not only has it happened already; worse, Let’s Encrypt’s stance on this issue is quite weak.
  • The initiative is putting far too much trust in the general public’s understanding of how https actually works. Fun fact, folks: most people are clueless about tech. And the reality is that merely comparing new registrations with Google’s records won’t be enough.

Let’s Encrypt on cPanel server

Let’s Encrypt for cPanel is a cPanel/WHM plugin for the Let’s Encrypt service that gives our clients the ability to instantly issue free trusted SSL certificates for all of their hosted domains. The plugin is distributed as an RPM in a yum repository for CentOS 6 and 7.

Log in to the server as root via SSH.

Save the issued licence file as /etc/letsencrypt-cpanel.licence and chmod it to 0400.

Add the letsencrypt package repository:

# cd /etc/yum.repos.d/
# wget https://letsencrypt-for-cpanel.com/static/letsencrypt.repo

Install the plugin using yum

# yum install letsencrypt-cpanel

Once the installation completes, the “Let’s Encrypt SSL” icon appears on the cPanel home screen.

Installing a certificate is extremely easy and takes 3 steps:

Step 1: Click the Let’s Encrypt SSL icon.

Step 2: Choose the domain name you want to install SSL for. Choose whether to use SSL for SMTPS, POP3S, IMAP SSL and the www subdomain, and click Issue.

Step 3: Click the ‘Issue’ button. Your certificate is issued and installed for your domain automatically.

Let’s Encrypt on Plesk server

The Let’s Encrypt extension is available for Plesk servers.
Log in to Plesk and install the Let’s Encrypt extension via the Extension Catalog.

After the installation, a shell script is run. It fetches dependencies (sets up repositories and installs missing packages), creates a virtualenv virtual environment, and installs the Let’s Encrypt console client with the Plesk plugin inside.

Next, click the installed extension, select a website, and install the certificate.

If you have already used the CLI client, you will recognize the interactive-mode dialog in this web form. On a “success” message, follow the link to open the website and see the green “https” icon in the address bar.

Check that the certificate renewal task has been added under Tools & Settings > Scheduled tasks.

Issued certificates are valid for 90 days, but following the Let’s Encrypt developers’ recommendation they are renewed monthly.

20Sep/16

Enable additional commands to CageFS users in CloudLinux

Introduction

In CloudLinux, CageFS is a virtualized, per-user file system that uniquely encapsulates each customer, preventing users from seeing each other and viewing sensitive information.

It prevents a large number of attacks, including most privilege escalation and information disclosure attacks.

It is completely transparent to your customers, without any need for them to change their scripts.

After enabling CageFS:

  • Users only have access to safe files.
  • They cannot see other users and have no way to detect the presence of other users or user names on the server.
  • They cannot see server configuration files, like Apache config files.
  • They have a limited view of their own process file system, and cannot see other users’ processes.

To enable additional commands for CageFS users in CloudLinux:

  • Log in to the server as root using SSH.
  • Open the file /etc/cagefs/conf.d/binutils.cfg in the vi editor:

#vi /etc/cagefs/conf.d/binutils.cfg

  • Add the path of each command to the line that starts with “paths=”, like this:

paths=/bin/arch, /bin/awk, /bin/basename, /bin/cat

You can get the path of a command with the which command.

Syntax: which {command-name}

Eg: #which ls

/bin/ls

  • Add the command paths to the file. Multiple paths can be added, separated by commas.
  • Save the file and update CageFS with the command below:

#cagefsctl --force-update
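An added helper (not CloudLinux’s own tooling, and not from the original post) that does the editing step above safely: it resolves each command with command -v, appends the path to the paths= line only if it is not already listed, and leaves the rest of the file untouched. The binutils.cfg content below is a constructed sample in the layout the post shows; every binary added this way becomes reachable by every caged user, so add only what they actually need.

```shell
#!/bin/sh
# Added example (not from the original post): add command paths to the
# paths= line of a CageFS conf.d file without creating duplicates.
# Assumes a single comma-separated "paths=" line, as in binutils.cfg.

# has_path <cfg-file> <path>: exit 0 if <path> is already in the paths= line
has_path() {
  awk -F= -v p="$2" '
    /^paths=/ { n = split($2, a, ",")
                for (i = 1; i <= n; i++) { gsub(/^ +| +$/, "", a[i]); if (a[i] == p) found = 1 } }
    END { exit !found }' "$1"
}

# cagefs_add_commands <cfg-file> <command>...: prints each path it appended
cagefs_add_commands() {
  cfg=$1; shift
  for cmd in "$@"; do
    path=$(command -v "$cmd" 2>/dev/null) || { echo "skip: $cmd not found" >&2; continue; }
    case "$path" in /*) ;; *) echo "skip: $cmd is a shell builtin" >&2; continue ;; esac
    has_path "$cfg" "$path" && continue          # already allowed
    sed -i "s|^paths=.*|&, $path|" "$cfg"        # append to the paths= line
    echo "$path"
  done
}

# Constructed sample config (the real file is /etc/cagefs/conf.d/binutils.cfg):
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[binutils]
comment=Binary utils
paths=/bin/arch, /bin/awk, /bin/basename, /bin/cat
EOF

cagefs_add_commands "$SAMPLE" ls cat
# After editing the real file, apply the change with: cagefsctl --force-update
```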

Another advantage of CloudLinux is PHP Selector.

PHP Selector is a CloudLinux component that sits on top of CageFS. It allows each user to select the PHP version and modules they need. PHP Selector requires the account to have CageFS enabled in order to work.


To install PHP selector:

Here are the installation steps for PHP Selector; they are easy to follow.

# yum groupinstall alt-php

The next step is to update CageFS and LVE Manager with support for all PHP alternatives:

# yum update cagefs lvemanager

On a cPanel/WHM server, make sure ‘Select PHP version’ is enabled in Feature Manager.

Once this is enabled, the default locations for alt-php are as follows:

The configuration file (php.ini) path for your PHP (for version 5.3) will be /opt/alt/php53/etc
Loaded configuration file: /opt/alt/php53/etc/php.ini

Once this is enabled, placing custom php.ini files in accounts’ public_html folders will break the website. To customize PHP settings, go to the “Edit PHP settings” section in cPanel.

19Sep/16

How to manage VirtFS on cPanel server

What is VirtFS in cPanel? How is it created?

/home/virtfs is the file system for the jailshell on cPanel servers. A jailed shell restricts what the user can access. In a normal shell most binaries and libraries are available to the user, which can cause security issues on your server. The purpose of a jailed shell is to provide a limited, restrictive environment to the user, which is safer for the server.

When a user logs in to a jailed shell environment via SSH or SFTP for the first time, the system creates the /home/virtfs/ directory. The user can only access the data under these file systems. Disk usage for the directory appears high, but it does not use any disk space on the server because it is a virtual mount point. If you delete any file in this directory, the actual file it is linked to is deleted.

The virtfs files are actually hard links to the user’s real files, which means both files share the same inode number. For example:

The image shows the files (with inode numbers) under the user’s virtfs directory. Here index.php has the inode number 30283170.

The image below shows the files under the user’s public_html directory.

All the files have the same inode numbers. So if you delete files directly under the virtfs directory, the actual files are also removed from the server, which may cause issues.

To disable jailed shell access in WHM

Log in to WHM

WHM >> Account Functions >> Manage Shell Access

Here we can see the option to disable jailed shell access for a specific user.

cPanel provides a script to remove the virtfs mounts:

#/scripts/clear_orphaned_virtfs_mounts --clearall

You can verify it with the command:

grep -i username /proc/mounts

How to remove the virtfs directory

Do not remove the virtfs files directly, since they are hard links to the actual files. Deleting them may cause issues on the server.

To do this safely, go through the steps below:

Step 1: Check the mount points still held for that user with the command below.

# grep username /proc/mounts

This shows the mount points that still remain for that user.

Step 2: Kill the jailshell processes belonging to that user.

# ps aufx | grep username | grep jailshell

Make sure that the specified user is not logged in via SSH.

Step 3: Finally, unmount all the mount points of that user:

# for i in $(grep virtfs /proc/mounts | grep username | awk '{print $2}'); do umount "$i"; done

Verify that all mount points for that user have been released, using the command given in step 1.

Step 4: If no mount points remain, you are free to delete the files.

# rm -rf /home/virtfs/username

We can disable the jailed shell from WHM if the user doesn’t need it.
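An added example (not from the original post) that performs steps 1 to 3 above more carefully than a bare grep: the match is anchored to /home/virtfs/<user>/ so that searching for “alice” cannot also catch a user named “alicewong”, mount points are released deepest-first, and the unmount refuses to run while the user still has a jailshell process. The /proc/mounts excerpt is constructed; on a live server pass /proc/mounts itself.

```shell
#!/bin/sh
# Added example (not from the original post): list and unmount the virtfs
# mount points of one cPanel user. $1 is the mounts table (/proc/mounts on a
# live server; a constructed copy is used below), $2 the cPanel user name.

# virtfs_mounts <mounts-file> <user> -> mount points, deepest first
virtfs_mounts() {
  awk -v pfx="/home/virtfs/$2/" 'index($2, pfx) == 1 { print $2 }' "$1" \
    | LC_ALL=C sort -r      # a child path sorts after its parent, so reverse
}

# unmount_virtfs <mounts-file> <user>: refuses to run while the user still
# has a jailshell process; DRY_RUN=1 prints the umount commands instead.
unmount_virtfs() {
  if pgrep -u "$2" -f jailshell >/dev/null 2>&1; then
    echo "user $2 still has a jailshell session; log them out first" >&2
    return 1
  fi
  virtfs_mounts "$1" "$2" | while IFS= read -r mp; do
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "umount $mp"; else umount "$mp"; fi
  done
}

# Constructed /proc/mounts excerpt: user alice plus a look-alike user alicewong.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-home /home/virtfs/alice/home/alice ext4 rw,relatime 0 0
/dev/mapper/vg-root /home/virtfs/alice/usr ext4 ro,relatime 0 0
/dev/mapper/vg-root /home/virtfs/alice/usr/share ext4 ro,relatime 0 0
/dev/mapper/vg-root /home/virtfs/alicewong/usr ext4 ro,relatime 0 0
EOF

DRY_RUN=1 unmount_virtfs "$SAMPLE" alice
# Once virtfs_mounts lists nothing for the user, /home/virtfs/<user> can be removed.
```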

21Jun/16

Custom php.ini on LiteSpeed with cPanel

Custom php.ini setup in cPanel

PHP configuration directives are specified in the php.ini file, and changes to it take effect on PHP’s behaviour immediately. Changing the default PHP configuration affects all users, so instead we can create custom php.ini files for individual users.

To enable custom php.ini files in the LiteSpeed web server on cPanel, we need to change the LiteSpeed configuration from WHM:

LiteSpeed server from WHM -> LiteSpeed configuration -> Admin Console -> Configuration -> Server -> External App -> lsphp5

Click on edit and make changes to the following sections.

Environment: add “PHPRC=$VH_ROOT” in the Environment section.

suEXEC user: in this section add the username of the account for which the custom php.ini is enabled, and add the account’s group name as the suEXEC group.

Main -> LiteSpeed Web Server -> Quick configuration of PHP suEXEC settings

Enable PHP suEXEC should be “Yes”.

Finally, restart the LiteSpeed web server from the backend (SSH):

# /etc/init.d/lsws restart

Now we can edit the PHP settings for a specific user by creating a custom php.ini file in their home directory.

Check and verify that the user is using the custom PHP configuration.

Test it by putting an info.php file in place:

#vi /home/admin/public_html/info.php
<?php
phpinfo();
?>
#chown admin:admin /home/admin/public_html/info.php

Go to a URL like http://your-domain.com/info.php

Check whether the new path is shown in ‘Loaded Configuration File’ on the info.php page (as in the image below). Remove info.php once you have checked it, since phpinfo() exposes the server configuration to anyone who requests the page.