System Network Programming Solution - Linux - windows - centos- security- cpanel - plesk -directadmin helm» centos

DirectAdmin 1.391 : pcfg_openfile: unable to check htaccess file, ensure it is readable

admin — Sat, 19 May 2012 21:40:10 +0000

Today, I got a problem with one of my website. Suddenly, I could access my website using Nginx but all themes were gone. I, then, switched back to Apache. It became worse. I can’t access my website at all. The error when access my website using Apache is below :

Forbidden

You don't have permission to access / on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

At first, I thought something is wrong with my configuration but then, I could access DA control panel, Munin, phpmyadmin and any other pages without any problem. Also checked permission but it looks like it’s ok. Nothing is wrong. So, I checked error log and found error like below :

[Thu Dec 29 14:53:01 2011] [crit] [client xx.xx.xx.xx] (13)Permission denied: /home/admin/domains/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

Google and found in DirectAdmin. Basically, it’s something about permission which I may not know what it is. John is kindly provided an updated set_permissions.sh allow us to set permission to specific user. You can get it from here -> http://files.directadmin.com/services/all/set_permissions.sh

Use it by type :

./set_permisions.sh set_user_home username

where username has to changed to the one you want. John said that set_permissions.sh will be included in the future version of DirectAdmin.

Source : http://www.directadmin.com/forum/showthread.php?t=39278

Incoming search terms:

(13)permission denied: / htaccess pcfg_openfile: unable to check htaccess file ensure it is readable cpanel vps (1)

Script to find how many mails sent from an account

admin — Thu, 17 May 2012 09:40:01 +0000

grep xxx@xxx.com /var/log/exim_mainlog | grep “<=” | awk {’print $3′} | wc -l

Ghosting The Machine

admin — Tue, 15 May 2012 21:40:05 +0000

This is a short but potentially extremely handy guide to ghosting one Linux box to another (or simply making a full backup of a desktop/server). Credit goes to ‘topdog’ for this.

You might have a small office where you customise one desktop just how you like it and need to roll this out to N other PC’s or simply want a backup of a server or desktop to another machine or even to an image file.

The main tool here is netcat which is extremely powerful and has a multitude of other great uses that won’t be covered here.

Target Machine:

** Boot to linux rescue mode with networking (CentOS works fine)

Initiate netcat to listen on port 30 – # nc -l -p
| dd of=/dev/sda (assuming the hard drive is sda and not hda):

# nc -l -p 30 | dd of=/dev/sda

Source Machine:

Dump the contents of the disk to the target PC – #dd if=/dev/sda | nc

# dd if=/dev/sda | nc 192.168.0.20 30

Then to check that traffic is flowing, on the source go to another terminal (ALT/F2) and dump the tcp data on the NIC (assuming it’s eth0):

tcpdump -tnli eth0 port 30

If you just want a backup image you could change the above output on the taget to:

# nc -l -p 30 | dd of=mybackup.img

That’s it. Naturally the target PC/disk cannot be smaller than the source:) I hope this saves someone a lot of time.

Incoming search terms:

centos nc and dd (1)

Renaming files with –– at the start

admin — Tue, 15 May 2012 09:39:48 +0000

I’m making a post about this because I ran into this today and I couldn’t remember how to rename a file starting with — (two or double hyphens) in Linux (e.g. –index.html). The customer has obviously used a Windows FTP client to rename index.html to –index.html so it is out of their way, and now me, the server administrator or company sysadmin, has come along with my migration script to relocate it and it has fallen over, crashed, and burned!

When you try and rename it the following is given:

$ mv ––index.html index.html.renamed
mv: unrecognized option `––index.html’
Try `mv ––help’ for more information.

I also tried delimiting it the normal way, but it wouldn’t work either:

    mv \–\–index.html index.html.renamed

The correct way to rename it is:

    mv ./––index.html index.html.renamed

Because –– has special meaning, you can’t delimit it with a simple backslash (\), you have to put a path reference in there to delimit it. So my path working directory (pwd) was /home/user/data/ where the file was located, so I could use ./ to reference the current pwd. The other option is to put the full path in:

    mv /home/user/data/––index.html index.html.renamed

Hopefully this helps out some other Linux server administrator out there who’s mind it has slipped.

Apache2 mod_fastcgi: Connect to External PHP via UNIX Socket or TCP/IP Port

admin — Mon, 14 May 2012 21:40:11 +0000

Now, mod_fastcgi is configured and running. FastCGI supports connection via UNIX sockets or TCP/IP networking. This is useful to spread load among various backends. For example, php will be severed from 192.168.1.10 and python / ruby on rails will be severed from 192.168.1.11. This is only possible with mod_fastcgi.

Required utilities

You can spawn FastCGI processes using a dispatcher script or using spawn-fcgi utility, which is used to spawn remote FastCGI processes. spawn-fcgi included with lighttpd web server. You can grab source code from lighttpd.net or simply install it using lighttpd as follows (you need EPEL repo enabled under RHEL / CentOS / Fedora Linux):
# yum install lighttpd-fastcgi # cp /usr/bin/spawn-fcgi /tmp # yum remove lighttpd-fastcgi # mv /tmp/spawn-fcgi /usr/bin/spawn-fcgi
lighttpd-fastcgi is FastCGI module and spawning helper for lighttpd and PHP configuration.

How do spawning php as TCP/IP remote app?

Use /usr/bin/spawn-fcgi as follows, enter:
# /usr/bin/spawn-fcgi -f /usr/bin/php-cgi -a 192.168.1.10 -p 9000 -P /var/run/php-cgi.fastcgi.pid -u apache -g apache
You can also jail php, using following syntax (make sure /var/run/ and /usr/bin/php-cgi exists inside jail directory):
# /usr/bin/spawn-fcgi -c /httpdjail -a 192.168.1.10 -p 9000 -P /var/run/php-cgi.fastcgi.pid -u apache -g apache -- /usr/bin/php-cgi
Where,

-f /usr/bin/php-cgi: Filename of the fcgi-application
-a 192.168.1.10 : Bind to ip address
-p 9000 : Bind to tcp-port
-P /var/run/php-cgi.fastcgi.pid: Name of PID-file for spawed process
-c /httpdjail : Chroot to directory (security feature)
-u apache : Change to user-id (security feature – drop root user privileges to apache user)
-g apache : Change to group-id (security feature – drop root group privileges to apache group)

Configure Apache 2 mod_fastcgi connect to external PHP fcgi application

Above command will run php fcgi on 192.168.1.10:9000. Here is our sample setup:

192.168.1.10 port 9000 : PHP FastCGI server
192.168.1.11 port 9000 : Python or Ruby on rails cgi process
202.54.1.20 port 80 : Apache 2 running mod_fastcgi (DocumentRoot set to /webroot/http)

Open your httpd.conf on 202.54.1.20, enter:
# vi /etc/httpd/conf/httpd.conf
Locate your domain VirtualHost configuration and append following two directives:

AddHandler php5-fastcgi .php
FastCgiExternalServer /webroot/http -host 192.168.1.10:9000

Here is complete snippet from one my box:


    ServerAdmin webmaster@nixcraft.com
    DocumentRoot /webroot/http
    ServerName nixcraft.com
    ErrorLog logs/nixcraft.com-error_log
    CustomLog logs/nixcraft.com-access_log common
    AddHandler php5-fastcgi .php
    FastCgiExternalServer /webroot/http -host 192.168.1.10:9000

Save and close the file. Restart httpd:
# service httpd restart
Make sure iptables is configured to allow communication between public and private fastcgi server.

How do I configure PHP FastCGI via UNIX sockets?

UNIX sockets are faster as compare to TCP/IP sockets. However, they do not support remote spawning. Create /tmp/php.socket as follows:
# /usr/bin/spawn-fcgi -f /usr/bin/php-cgi -s /tmp/php.socket -u apache -g apache
Add following configuration to your httpd.conf virtual host:

AddHandler php5-fastcgi .php
FastCgiExternalServer /webroot/http -socket /tmp/php.socket

Save and close the file. Restart httpd, type:
# service httpd restart

mod_fastcgi has lots of other options. Please refer to Apache and mod_fastcgi documentation for further information.

A note about mod_fastcgi limitation

You can not load balance between multiple php backend. You need to use lighttpd or nginx or other reverse proxy software.

Using Ketchup to manage your kernel sources

admin — Sun, 13 May 2012 21:40:06 +0000

Today I discovered Ketchup, a little command-line tool to manage your Linux kernel sources. If you’re one of the weirdos, who is still compiling his kernel manually for whatever reason (like I do), I can only recommend it. Ketchup nicely eases up the entire process of checking for updates and applying them to your system.

Let’s not hesitate and look at few usage examples… Want to know what’s the latest version of a particular kernel-tree?

$ ketchup -s 2.6

    2.6.17.7

$ ketchup -s 2.6-mm

    2.6.18-rc1-mm2

Let’s play with your kernel sources a bit. First of all, you surely want to check what version you currently got lying around…

$ cd /usr/src/linux

$ ketchup -m

2.6.17.6

Let’s assume there is a newer kernel version available and you want to download it, bunzip it, revert the old patch and apply the new one. Nothing easier than that:

# cd /usr/src/linux

# ketchup 2.6-tip

2.6.17.6 -> 2.6.17.7

Applying patch-2.6.17.6.bz2 -R

Applying patch-2.6.17.7.bz2

That’s really it. It will download the patches, revert and apply them, so all you will have to do is watch and wait

Switching to an entirely different kernel versions is just as easy:

# cd /usr/src/linux

# ketchup 2.6.16.2

Final note: If Ketchup should abort with a gpg error, then it couldn’t verify the patch’s or kernel’s signature. Either add the 2.6 public key to your keyring (this is the proper solution) or call Ketchup with an additional -G parameter (this will override signature checking). I’d suggest the former, which is really easy to do by downloading it from a public pgp server:

# gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E

Have fun compiling,

CentOS, Apache & mod_fcgid: IPCCommTimeout not working as expected

admin — Sat, 12 May 2012 21:44:02 +0000

If you’re running Apache with the mod_fcgid module to let your PHP scripts be handled in a seperate module, you can run into this annoying little bug in the mod_fcgid 2.2.x implementations.

The problem: mod_fcgid: read data timeout in xx seconds

First, check if you have the mod_fcgid module that is causing these problems.

# rpm -qa |grep -i mod_fcgid
mod_fcgid-2.2-11.el5

Apparently, any 2.2.x branche has this bug.

The problem exists if any VirtualHost does not have the IPCommTimeout value. If there’s a VirtualHost where this setting is not defined, it will reset the configuration globally back to the default of 40 seconds, resulting in the following error you Apache’s error logs.

[warn] mod_fcgid: read data timeout in 40 seconds
Premature end of script headers: php-cgi, referer: [snip]

And they will throw a 500 Internal Server Error in your access logs.

“GET /path/to/url HTTP/1.1″ 500 537

The solution: IPCommTimeout in every virtual host

The solution sucks if you have many (manually controlled) virtual hosts, but you have to define the IPCommTimeout option in every Virtual Host on the server. If one is missing, it will reset the config of that parameter to the default serverwide. So place the following codeblock in every Virtual Host you have.


IPCCommTimeout          360
IPCConnectTimeout       360

The values above are expressed in seconds.

Intrusion Detection With BASE And Snort – Part1

admin — Sat, 12 May 2012 09:40:25 +0000

This tutorial shows how to install and configure BASE (Basic Analysis and Security Engine) and the Snort intrusion detection system (IDS) on a Debian Sarge system. BASE provides a web front-end to query and analyze the alerts coming from a Snort IDS system. With BASE you can perform analysis of intrusions that Snort has detected on your network.

Scenario: A linux server running Debian Sarge 3.1 setup according to Falko’s – The Perfect Setup – Debian Sarge (3.1).
Let’s assume we have one working website (www.example.com) and that the document root is: /var/www/www.example.com/web
The IP of the server is 192.168.0.5 and it’s using eth0 as network interface name.

Needed programs and files

Snort
Snort rules
PCRE (Perl Compatible Regular Expressions)
LIBPCAP
BASE (Basic Analysis and Security Engine)
ADOdb (ADOdb Database Abstraction Library for PHP (and Python).)

Downloading and untaring

We need a temporary place for all the files that we are going to download, and untar.
To keep things simple we will create a directory in the /root named snorttemp. (It’s obvious that this download directory can be any name and in anyplace)

cd /root
mkdir snorttemp
cd snorttemp

Now you need to get Snort.
The latest version at the time of writing this is 2.6.0

wget http://www.snort.org/dl/current/snort-2.6.0.tar.gz

When the download is finished untar the file:

tar -xvzf snort-2.6.0.tar.gz

And letâ€™s remove the tar file:

rm snort-2.6.0.tar.gz

We also need the Snort rules!
Go to: http://www.snort.org/pub-bin/downloads.cgi and scroll down till you see the “Sourcefire VRT Certified Rules – The Official Snort Ruleset (unregistered user release)” rules
(If you are a member of the forum you can also download the – registered user release):

wget http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz

Move the snortrules-pr-2.4.tar.gz into the snort-2.6.0 map:

mv snortrules-pr-2.4.tar.gz /root/snorttemp/snort-2.6.0

and cd into snort-2.6.0:

cd snort-2.6.0

Untar the snortrules-pr-2.4.tar.gz file:

tar -xvzf snortrules-pr-2.4.tar.gz

Remove the tar file:

rm snortrules-pr-2.4.tar.gz

We are done downloading the files needed to get Snort to work.

To make snort work with BASE, we need more!

PCRE – Perl Compatible Regular Expressions.

Go to: http://www.pcre.org/ and select a download link for the pcre-6.3tar.gz file to download PCRE (at time of writing this it is pcre-6.3.tar.gz)
cd back to the snorttemp map:

cd /root/snorttemp

and download the pcre-6.3.tar.gz file:

wget http://surfnet.dl.sourceforge.net/sourceforge/pcre/pcre-6.3.tar.gz

Untar the file:

tar -xvzf pcre-6.3.tar.gz

Remove the tar:

rm pcre-6.3.tar.gz

Incoming search terms:

snort base apache windows (1)
snort programming (1)

Shell script to create list of backup files in ~/.mybackup file. Use with mybackup shell script

admin — Fri, 11 May 2012 21:40:37 +0000

#!/bin/bash
# mybackupadd - Add file to ~/.mybackup file, then backup and email all
# file as tar.gz to your email a/c.
#
# Usage   : ./mybackupadd ~/public_html/
#
# Copyright (C) 2004 nixCraft project
# Email   : http://cyberciti.biz/fb/
# Date    : Aug-2004
# -------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# -------------------------------------------------------------------------

FILE=~/.mybackup
MYH=~
CWD=`pwd`
SRC=$1

if [ "$SRC" == "" ]; then
  echo "Must supply dir or file name"
  exit 1
fi
# if list $FILE does not exist
[ ! -f $FILE ] && touch $FILE || :

# make sure that file or dir exists to backup
if [ ! -f $SRC ]; then
   if [ ! -d $SRC ]; then
      echo "$SRC does not exists"
      exit 2
   fi
fi
# make sure we don't do add duplicate stuff
cat $FILE | grep -w $SRC > /dev/null
if [ "$?" == "0" ]; then
   echo "$SRC exists in $FILE"
   exit 3
fi
# okay now add that to backup list
echo "$SRC" >> $FILE
echo "$SRC added to $FILE"

Linux Check The Health of Adaptec RAID array

admin — Thu, 03 May 2012 21:39:45 +0000

Q. How do I check the health of Adaptec RAID array under Fedora / CentOS / Red Hat Enterprise Linux / Debian / Ubuntu Linux server from a shell prompt?

A. First, visit official Adaptec web site to download utilities. You can also install utility software from CD / Floppy disk. Install the rpm file.

arcconf command

To view and modify other RAID configuration use arcconf program to view health of RAID array. Simply, login as the root and type the following command at a shell prompt:
# /usr/StorMan/arcconf getconfig 1

Incoming search terms:

vmware arcconf verify (1)