14Nov/16

How to harden wordpress

Almost 75% of websites and blogs are built on WordPress, the most widely used CMS (Content Management System). Unfortunately, websites that use WordPress are also prone to attacks and vulnerabilities. So let's see how we can harden WordPress to resist these attacks.

As we know, WordPress is a free tool, so anyone can install it. That is also the reason for most WordPress attacks: because anyone can install it, everyone, including hackers, knows the basic settings we are going to use. This is one of the main ways hackers get into a site, because they know the default settings. So one main thing we should do is change as much as possible from the default settings in WordPress. Here I will point out some of the main things you can do to protect your WordPress sites.

02Nov/16

Monit how to install & Configure on CentOS 7/RHEL 7

Monit is a utility commonly used on Linux machines for managing and monitoring the services running on them, for example HTTPD and MySQL. Monit can start a process if it is not running, restart a process if it does not respond, and stop a process if it uses too many resources. Monit also has a user-friendly web interface where you can view the system status and set up processes, using its native HTTP(S) web server or the command line interface. In this blog we discuss how to implement Monit on a CentOS 7 server. The CentOS version I am using is CentOS Linux release 7.2.1511.

[root@server ~]# cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core)

At this moment monit is not available in the base repository of Centos 7. So I used EPEL repository to install monit using yum.

wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-8.noarch.rpm

rpm -ivh epel-release-7-8.noarch.rpm
yum install monit

Monit configuration
Now we are going to enable the Monit web interface by editing the Monit configuration file. Once enabled, the web interface shows the status of the services we are monitoring, how long each has been up on the server, and so on. We have added a screenshot at the end of this article; refer to it to see exactly how it looks.

Open /etc/monitrc using the vi editor and make the changes below.

Originally it looks like this:

set httpd port 2812 and
 use address localhost # only accept connection from localhost
 allow localhost # allow localhost to connect to the server and
 allow admin:monit # require user 'admin' with password 'monit'

After the changes it will look like this:

set httpd port 2812 and
 use address x.x.x.x # x.x.x.x = server IP; listen on it instead of localhost
 allow y.y.y.y # y.y.y.y = your IP; only this address may connect to the server and
 allow admin:monit # require user 'admin' with password 'monit'; replace this default password

Restart the service using the command below:

service monit restart

Allow port 2812 in the firewall and verify from outside that it is listening, using telnet. In my case I was using the csf firewall, so I just needed to add the port in the csf conf file under the TCP_IN and TCP_OUT sections.

After that access the monit web interface using the url like http://x.x.x.x:2812
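The change above moves the web interface from localhost to a routable address while keeping the stock admin:monit login and plain HTTP. As an added example (not from the original post), this POSIX shell function audits a monitrc for that combination; the function names, the sample files and the 203.0.113.10 / 198.51.100.7 addresses are constructed stand-ins for x.x.x.x and y.y.y.y.

```shell
#!/bin/sh
# Added example: audit the `set httpd` block of a monitrc file.

# audit_monit_httpd FILE: print "OK" or a ';'-separated list of findings.
audit_monit_httpd() {
    awk '
        { sub(/#.*/, "") }                                  # strip comments
        $1 == "set" && $2 == "httpd" { inblk = 1; seen = 1 }
        # any other top-level statement ends the httpd block
        inblk && ($1 == "set" || $1 == "check" || $1 == "include") && $2 != "httpd" { inblk = 0 }
        !inblk { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "address") addr = $(i + 1)
                if ($i == "allow" && $(i + 1) == "admin:monit") defcred = 1
                if ($i == "ssl") tls = 1                    # heuristic: any ssl keyword in the block
            }
        }
        END {
            if (!seen) { print "NO-HTTPD-BLOCK"; exit }
            loc = (addr == "localhost" || addr == "127.0.0.1")
            # with no "use address", Monit listens on every interface
            if (!loc) out = out ";NON-LOCAL-BIND=" (addr == "" ? "all-interfaces" : addr)
            if (defcred) out = out ";DEFAULT-CREDENTIALS"
            if (!loc && !tls) out = out ";NO-TLS"
            print (out == "" ? "OK" : substr(out, 2))
        }
    ' "$1"
}

# Constructed samples: the article's "before" and "after" blocks, with
# 203.0.113.10 / 198.51.100.7 standing in for x.x.x.x / y.y.y.y.
write_samples() {
    cat > "$1/before.monitrc" <<'EOF'
set httpd port 2812 and
 use address localhost
 allow localhost
 allow admin:monit
include /etc/monit.d/*
EOF
    cat > "$1/after.monitrc" <<'EOF'
set httpd port 2812 and
 use address 203.0.113.10
 allow 198.51.100.7
 allow admin:monit
include /etc/monit.d/*
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in before after; do
    printf '%s: %s\n' "$f" "$(audit_monit_httpd "$demo_dir/$f.monitrc")"
done
rm -rf "$demo_dir"
```

On a real server, run `audit_monit_httpd /etc/monitrc` after editing and before opening port 2812 in the firewall.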

If you need us to set up the server with nginx or php-fpm for high performance, you can contact us for the setup. You can either subscribe to our Server Management or use our Hourly server management.

Service Configuration

In this section we are going to monitor the server's MySQL service with Monit and restart it if it fails. The changes are below.

Create a file named mysql.conf under the directory /etc/monit.d/.

Add the entries below, adjusting them for your server and your pid file name and location.

check process mysqld with pidfile /var/lib/mysql/server.namemysql.pid
group mysql
start program = "/usr/bin/systemctl start mysql.service"
stop program = "/usr/bin/systemctl stop mysql.service"
if failed host 127.0.0.1 port 3306 then restart
if 5 restarts within 5 cycles then timeout

Once added check the syntax using command “monit -t” and you will get result like below.

monit -t
Control file syntax OK

Restart the monit service using the command below.

service monit restart

After that refresh the monit web panel and you will see MySQL is monitored by Monit.

On CentOS 7 the Monit log is at /var/log/monit.log; you can follow it with tail -f /var/log/monit.log

[Screenshot: monit-server]

27Oct/16
cPanel to Plesk Migration

cPanel to Plesk – How to migrate a hosting account?

Migration from cPanel to Plesk

Plesk and cPanel have different business models and features, which requires converting migrated objects during deployment on the destination server. This post describes how to migrate a cPanel hosting account to Plesk.

For example: parked domains in cPanel are converted to domain aliases in Plesk.

Some objects and settings will not migrate due to technical limitations.

For example: encrypted FTP user passwords in cPanel will not migrate to Plesk.

Plesk generates new passwords for FTP users during the deployment process and reports them in the migration results report.

This article explains the process of migrating accounts from cPanel to Plesk control panel using the Plesk Migration & Transfer Manager tool.

Plesk’s built-in Migration Manager is available only on the latest versions of Plesk, such as 11.0, 11.5, 12.0 and 12.5.

Open the Migration & Transfer Manager in the Plesk GUI:

Tools & Settings > Migration & Transfer Manager 
and click the Start New Migration button.

Step 1:

On the first step of the migration wizard, input the source server hostname (or IP address), the SSH server’s port, and the root user password. Then choose the options to migrate the whole server or to perform a selective migration.

Leave the Use rsync transport option enabled — this will improve the speed and reliability of the data transfer, as well as lower the free disk space requirements for both the source and the destination servers.

Migration Settings

You can specify the location of temporary migration data on the source (Migration & Transfer Agent upload path) and destination (Temporary Files Location) servers. If the source server hosts large databases or the Use rsync transport option has been disabled, it is recommended that you choose paths to locations with enough free disk space.

Step 2:

If selective migration was selected in the previous step, the Migration & Transfer Manager wizard will present a screen with a list of accounts on the source server, each with a check-box to select.

Additionally, you can choose the options to transfer all data, mail only, or everything except mail. By default, all data will migrate.

Step 3:

The next step, IP address mapping, allows you to choose an IP mapping scheme (i.e. which IP addresses the domains will have on the destination server, based on the IP addresses they had on the source server).

Two or more shared IP addresses can map to a single shared IP address on the Plesk server, but dedicated IP addresses are mapped one-to-one.

IP addresses will be changed in domain’s DNS records and hosting setup during deployment.

Step 4:

After that, your migration will start. Progress can be monitored on the Migration & Transfer Manager screen. Upon completion, the Migration and Transfer Manager will report on the general status of the migration. (Completed or Completed with errors)

If the migration finishes with errors, links to view or download the migration results report will be available on the migration process screen. To access it, click on the source server’s hostname in the list of migrations.

For migration assistance, you can contact us. We also manage cPanel and Plesk servers at the lowest rates; you can check our cPanel Server Management for more details.

27Oct/16

Secure and Fix dirty COW Linux Vulnerability

What is the Dirty COW vulnerability and why is it called so?

The Dirty COW vulnerability allows attackers to gain root access to servers and take control of the whole system. A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

What is CVE-2016-5195?

CVE-2016-5195 is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the Standard for Information Security Vulnerability Names maintained by MITRE.

Who found the Dirty COW vulnerability?

Phil Oester

How to check whether your server is affected by the vulnerability

Ubuntu/Debian

To find out if your server is affected, check your kernel version.

# uname -rv

You’ll see output like this:

Output
4.4.0-42-generic #62-Ubuntu SMP Wed Oct 26 22:10:20 IST 2016

If your version is earlier than the following, you are affected:
– 4.8.0-26.28 for Ubuntu 16.10
– 4.4.0-45.66 for Ubuntu 16.04 LTS
– 3.13.0-100.147 for Ubuntu 14.04 LTS
– 3.2.0-113.155 for Ubuntu 12.04 LTS
– 3.16.36-1+deb8u2 for Debian 8
– 3.2.82-1 for Debian 7
– 4.7.8-1 for Debian unstable
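The comparison above can be scripted. The following is an added example, not from the original post: a POSIX shell check for the Ubuntu entries only, which assumes a stock Ubuntu kernel whose `uname -rv` output maps to the package version as version-ABI.upload (4.4.0-42-generic #62-Ubuntu is package 4.4.0-42.62). The function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare a running Ubuntu kernel with the fixed versions listed above.

# Fixed package version per Ubuntu release, copied from the list in this article.
fixed_version_for() {
    case "$1" in
        16.10) echo "4.8.0-26.28" ;;
        16.04) echo "4.4.0-45.66" ;;
        14.04) echo "3.13.0-100.147" ;;
        12.04) echo "3.2.0-113.155" ;;
        *) return 1 ;;
    esac
}

# Turn `uname -rv` output into the kernel package version:
# "4.4.0-42-generic #62-Ubuntu SMP ..." -> "4.4.0-42.62" (version-ABI.upload).
pkg_version_from_uname() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9.]*\)-\([0-9][0-9]*\)-[^ ]* #\([0-9][0-9]*\).*/\1-\2.\3/p'
}

# version_lt A B: succeed when A is strictly lower than B. Both are split on
# '.' and '-' and compared numerically, field by field (all fields here are numeric).
version_lt() {
    vl_a=$(printf '%s' "$1" | tr '.-' '  ')
    vl_b=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $vl_a
    for vl_y in $vl_b; do
        vl_x=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$vl_x" -lt "$vl_y" ] && return 0
        [ "$vl_x" -gt "$vl_y" ] && return 1
    done
    return 1    # equal: not lower
}

# check_dirtycow RELEASE UNAME_RV: print a one-line verdict.
check_dirtycow() {
    dc_fixed=$(fixed_version_for "$1") || { echo "UNKNOWN release $1"; return 0; }
    dc_running=$(pkg_version_from_uname "$2")
    if [ -z "$dc_running" ]; then
        echo "UNPARSED $2"
    elif version_lt "$dc_running" "$dc_fixed"; then
        echo "VULNERABLE $dc_running < $dc_fixed"
    else
        echo "PATCHED $dc_running >= $dc_fixed"
    fi
}

# Constructed input: the sample output shown above, taken as an Ubuntu 16.04 host.
check_dirtycow 16.04 "4.4.0-42-generic #62-Ubuntu SMP Wed Oct 26 22:10:20 IST 2016"
# On a live Ubuntu host: check_dirtycow "$(lsb_release -rs)" "$(uname -rv)"
```

The check reads the running kernel, so a host that has installed the fixed package but not yet rebooted still reports as vulnerable.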

CentOS

Some versions of CentOS can use this script, provided by Red Hat for RHEL, to test the server’s vulnerability. To try it, first download the script.

# wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh

Then run it with bash.

# bash rh-cve-2016-5195_1.sh

If you’re vulnerable, you’ll see output like this:

Output

Your kernel is 3.10.0-327.36.1.el7.x86_64 which IS vulnerable.
Red Hat recommends that you update your kernel. Alternatively, you can apply partial
mitigation described at https://access.redhat.com/security/vulnerabilities/2706661 .

Standard Resolution

The easiest way to protect your computers running Linux is to update your Linux distro to the latest version. You can use the following commands to update your Debian/Ubuntu, CentOS and RHEL systems; you also need to reboot after updating.

Debian/Ubuntu:
# sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade

RHEL:
# sudo yum update
# sudo reboot

CentOS:

To update your kernel on CentOS 7, run:
# sudo yum update

There is still no official update of the CentOS 5 and 6 kernels; we’re still waiting on a fix for them. You can use this workaround from the Red Hat bug tracker.

You can find more technical details about the Dirty COW vulnerability and exploit on the bug’s official website (dirtycow), the Red Hat site and the GitHub page.

20Oct/16

Configuring postfix to block all emails except one email account

Configuring postfix to block all emails except the specified email accounts.

If you need to allow emailing only for a particular domain from the postfix email server, you can follow the steps below.

Use Transport Mapping

Here we can tell the postfix mail server which emails to send and which to disregard. For this we need to edit the postfix configuration file.

Please make sure to take a backup of the config files before editing, so that we can restore the original files if any errors occur while editing. You can take the backup like this:

# cp -p /etc/postfix/main.cf /etc/postfix/main.cf.original
# vi /etc/postfix/main.cf

Add the line below to the configuration:

transport_maps = hash:/etc/postfix/transport

Now we need to edit the file /etc/postfix/transport

# vi /etc/postfix/transport

Here add the domain for which we need to allow sending mail:

example.com :
* discard:

This will simply discard messages to any email address not in the domain example.com. If you want to reject them with an error instead, use the following (set the error text to suit your needs):

example.com :
* error: Not allowed for all domains

We can add additional domains after example.com (one line per domain).

Save the file.

Now we need to create a hash of the file (unless you used texthash in main.cf)

postmap /etc/postfix/transport

We need to reload postfix for the changes to take effect.

/etc/init.d/postfix reload

20Oct/16

MongoDB install in cPanel

These days requests for MongoDB installation on Linux servers are frequent, because developers really like it. MongoDB is officially a “NoSQL” database. NoSQL refers to a database with a data model other than the tabular format used in relational databases such as MySQL, PostgreSQL, and Microsoft SQL. MongoDB features include full index support, replication, high availability, and auto-sharding. MongoDB is usually used to store large amounts of data. MongoDB helps you integrate database information into your apps more easily and quickly.

MongoDB is still not officially supported on cPanel servers, but there is a way to install MongoDB on a cPanel server, and many users do so. The install is possible because a cPanel server is itself a Linux server. The only problem is that we need to create the Mongo databases and users from the shell, and administer them from there as well.

Today we are going to install MongoDB on a cPanel server powered by CentOS 6.

Technical requirements

root access
PHP-pear for full pecl support
PHP-devel package installed to compile extension manually

Now we perform the MongoDB install via the MongoDB repo.

  • Log in to the server via ssh as the root user.
  • Create a file named /etc/yum.repos.d/mongodb.repo
vim /etc/yum.repos.d/mongodb.repo
  • In my case I am using a 64-bit operating system, so I need to add the lines below.
[mongodb]
name=MongoDB Repository
baseurl=http://downloads-distro.mongodb.org/repo/redhat/os/x86_64/
# gpgcheck=0: yum does not verify package signatures for this repo
gpgcheck=0
enabled=1
  • Use the lines below if you are using a 32-bit operating system.
[mongodb]
name=MongoDB Repository
baseurl=http://downloads-distro.mongodb.org/repo/redhat/os/i686/
# gpgcheck=0: yum does not verify package signatures for this repo
gpgcheck=0
enabled=1
  • Save the file in the vim editor.
  • Install MongoDB using yum
yum install mongo-10gen mongo-10gen-server
  • At this point, we have installed MongoDB on our server + cPanel box.
  • Configure MongoDB to start on boot and manually start the service.
chkconfig mongod on
service mongod start
  • Check the MongoDB service status
service mongod status
  • Summary list of status statistics
mongostat
  • Enter the MongoDB command line
mongo
  • By default, running this command will look for a MongoDB server listening on port 27017 on the localhost interface. If you want to connect to a local MongoDB server listening on another port, for example 22222:
mongo --port 22222
  • Install the MongoDB PHP extension, so PHP code can interact with MongoDB
pecl install mongo
/scripts/restartsrv_httpd
  • Once installed, we can verify it using the command below.
php -i | grep mongo -i

We have now completed the initial setup needed for a MongoDB install on a cPanel server. Please post your comments below.

10Oct/16

Removing and adding files to existing tar archive

1) How to remove a single file from tar file

First we need a tar file to work with; for that, create some files with touch:

# touch  textfile{1..4}.txt

Now we can create tar file using tar command

# tar -cvf nixtree.tar textfile{1..4}.txt

This creates the tar file “nixtree.tar” containing the files textfile1.txt to textfile4.txt.
To list the files in a tar file, use the “-t” switch with the tar command.

# tar -tf nixtree.tar
textfile1.txt
textfile2.txt
textfile3.txt
textfile4.txt

We can use the “--delete” switch with the tar command to remove files from an already created tar file.

# tar --delete -f nixtree.tar  textfile1.txt

This command will remove “textfile1.txt” from the tar archive “nixtree.tar”.

Now list the tar file again:

# tar -tf nixtree.tar
textfile2.txt
textfile3.txt
textfile4.txt

We can also remove files from a tar file using pattern matching, as shown below.

2) Pattern match – Removing files using the “--wildcards” option

# tar --wildcards --delete -f nixtree.tar 'textfile*'

This will remove all files starting with textfile, which means the above tar file will be empty.

3) Adding a file or directory to the existing tar file

You can add a file to an existing tar file with the ‘r’ option:

# tar -rvf nixtree.tar newfile.txt

4) Adding a directory to the existing tar file works the same way

# tar -rvf nixtree.tar /new-directory

5) Extracting specific files  and directory from tar file

You can now extract the file  ‘textfile4.txt’ from the archive file ‘nixtree.tar’ like this:

# tar --extract --file=nixtree.tar  textfile4.txt

6) Extract a directory  from nixtree.tar:

# tar --extract --file=nixtree.tar directoryname

7) Compressing the contents of a folder (tar) without including the containing directory

# tar -zcvf nixtree.tar.gz -C /path/to/foldername_tocompress .

8) Untar tar file to specific location

# tar -xvf nixtree.tar -C /path/to/untar/files/to/specific/directory

Tar Usage and Options

c – create an archive file.
x – extract an archive file.
v – show the progress of the archive operation.
f – filename of the archive file.
t – view the contents of an archive file.
r – append or update files or directories in an existing archive file.
--wildcards – use patterns to match file names in the tar command.

27Sep/16

Secure your domain with Let’s Encrypt

Introduction

Let’s Encrypt is a new free certificate authority, launched on April 12, 2016, that provides free X.509 certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the current complex process of manual creation.

Advantages:  

  • Before Let’s Encrypt was made available to webmasters, obtaining a certificate for https meant spending a fair sum of money with a trusted CA (certificate authority) to gain the ability to encrypt traffic for your website.
  • Let’s Encrypt has completely changed the process of adding an SSL certificate to your website. Not only have they made certificates completely free, they have also made both installing and renewing your certificate as simple as possible. This means website owners can offer the benefits of https to their site visitors without spending extra cash, and the traffic going to any website using Let’s Encrypt is, in essence, protected.
  • Installing and setting up a certificate is as simple as possible. On a Linux server, for example, one can rely on the EFF’s Certbot to install a Let’s Encrypt certificate by simply copying and pasting a few lines of code. For installation, simply wget the download and chmod the permissions as prescribed by the Certbot site.
  • Then run Certbot using the appropriate option (apache, for example). If you are concerned about Certbot making sweeping changes to your server configuration, you can also run the tool in certificate-only mode and make the server changes manually after the installation.
  • What really makes Certbot awesome is that it lets you test automatic certificate renewal in a testing environment instead of doing so “live”! As an added bonus, Certbot supports both Apache and Nginx on various Linux distributions.

Disadvantages:

  • The biggest problem with Let’s Encrypt is that it democratizes access to https for any website. Yes, on the surface, this should in fact be a positive thing that we’re celebrating. Unfortunately human nature comes into play here. When most people (non-geeks/non-IT) see https, immediate and unwavering trust is implied.
  • Even though Let’s Encrypt is merely providing encryption for your website, most people visiting it will give it the same level of trust as websites with the “green bar” https (Extended Domain Validation), which includes the company name next to the padlock in the address bar.
  • This means that even though identity isn’t actually verified at the same level as a green bar https website, most site visitors won’t really know the difference. This is terrifying and we should be concerned about this. What most people don’t realize is that a secure connection to an untrustworthy website doesn’t mean it’s safe to use.
  • To add further concern, there’s very little preventing malware distributors from using Let’s Encrypt certificates to make malware distribution websites look more official. Not only has it happened already; worse is the fact that Let’s Encrypt’s stance on this issue is quite weak.
  • The initiative is putting far too much trust into the general public’s understanding as to how https actually works. Fun fact folks – most people are clueless about tech. And the reality is merely comparing new registrations with Google’s records won’t be enough.

Let’s Encrypt on cPanel server

Let’s Encrypt for cPanel is a cPanel/WHM plugin for the Let’s Encrypt service, which provides our clients with the ability to instantly issue free trusted SSL certificates for all of their hosted domains. The plugin is distributed in RPM form as part of a yum repository for CentOS 6 and 7.

Log in to the server as root via SSH.

Save our issued licence file as /etc/letsencrypt-cpanel.licence and chmod to 0400.

Add the letsencrypt package repository:

# cd /etc/yum.repos.d/
# wget https://letsencrypt-for-cpanel.com/static/letsencrypt.repo

Install the plugin using yum

# yum install letsencrypt-cpanel

Once the installation has completed, we will see the “Let’s Encrypt SSL” icon on the home screen of cPanel.

Certificate installation is extremely easy, in 3 steps:

Step 1: Click on the Let’s Encrypt SSL icon.

Step 2: Choose the domain name you want to install SSL for. Choose whether you want to use SSL for SMTPS, POP3S, IMAP SSL and the www subdomain, and click on Issue.

Step 3: Click on the ‘Issue’ button. Your certificate will be issued and installed automatically for your domain.

Let’s Encrypt on Plesk server

The Let’s Encrypt extension is available for Plesk servers.
Log in to Plesk and install the Let’s Encrypt extension via the Extension Catalog.

After the installation, run a shell script. It fetches dependencies (sets up repositories and installs missing packages), creates a virtualenv virtual environment, and installs the Let’s Encrypt console client with the Plesk plugin inside.

Next, click the installed extension, select a website, and install the certificate.

If you have already used the CLI client, you will recognize the interactive mode dialog in this web form. On a “success” message, follow the link to open the website and see the green “https” icon in the address bar.

Check that the certificate renewal task has been added to Tools & Settings > Scheduled tasks.

Issued certificates are valid for 90 days, but according to the recommendation of the Let’s Encrypt developers, they are renewed on a monthly basis.