
Blog About Dedicated Servers

Mount /tmp with noexec

Luigi Ramone | 04 September, 2008 15:02

By default, RS servers come with everything lumped in / and a small amount partitioned for /boot and some for swap. With this current setup, you have no room for making more partitions unless you have a second hard-drive.

Recently, I found out it would be worthwhile to give /tmp its own partition and mount it using noexec. This would protect your system from MANY local and remote exploits or rootkits being run from your /tmp folder.

First off, I want to thank everyone for their help from this thread:

http://forum.rackshack.net/showthread.php?...&threadid=27470

I am simply compiling their advice into a how-to... (More)

Disable Majordomo for all sites

Luigi Ramone | 04 September, 2008 14:59

Watching /var/log/maillog, I noticed a lot of spam sent out from my server through majordomo accounts, so I chose to disable it in all my sites.

I did a small HOWTO of how to disable all at the same time. This HOWTO is for Linux/Ensim. (More)

4 Primary Areas For Tuning Your Server

Luigi Ramone | 04 September, 2008 14:57

I just thought I would add my two cents for everyone. I posted an old howto with some sysctl.conf, but I think that was when I was running on my previous server using an older version of Red Hat. So here's a fresh howto that is a little more complete.

These configs are based on my server specs, which is a Dual 2.0GHz Xeon with 2GB of RAM running RedHat Enterprise. Depending on your server's RAM you might have to reduce some of the settings, which I'll try to note in each section. (More)

Redhat ROD/Remote Console How To

Luigi Ramone | 04 September, 2008 14:56

Redhat with Grub:

1. Edit grub.conf with your favorite editor so you can manipulate grub and the boot process via remote console:

CODE
serial --unit=0 --speed=9600

terminal --timeout=10 serial console

 (More)

Debian ROD/Remote Console How To

Luigi Ramone | 04 September, 2008 14:55

Add the following to /etc/lilo.conf:

CODE
append = "console=ttyS0,9600n8"


Run lilo for the changes to take effect.
CODE
lilo


Then add the following to /etc/securetty:
CODE
ttyS0



Edit /etc/inittab and uncomment the line:
CODE
T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100
 (More)

Windows ROD/Remote Console How To

Luigi Ramone | 04 September, 2008 14:54

Open a command prompt or the run menu and run the following:

CODE
bootcfg.exe /ems ON /port COM1 /baud 9600 /ID 1


To see if this was performed correctly open the boot.ini file and confirm that the following was added:

CODE
redirect=COM1

redirectbaudrate=9600

/redirect


After the server has been rebooted look for the Special Administration Console Helper process to be started. This has to be running for the EMS to be enabled.
 (More)

FBSD ROD/Remote Console How To

Luigi Ramone | 04 September, 2008 14:53

Dual console for boot and kernel:

CODE
echo -Dh >> /boot.config


Add the following to /etc/ttys for shell access:

CODE
ttyd0 "/usr/libexec/getty std.9600" cons25 on secure


Note that this will require a reboot to function properly.

CODE
shutdown -r now
 (More)

PRM (Process Resource Monitor)

Luigi Ramone | 04 September, 2008 14:43

Introduction:
PRM monitors the process table on a given system and matches process id's with set resource limits in the config file or per-process based rules. Process id's that match or exceed the set limits are logged and killed; includes e-mail alerts, kernel logging routine and more...

How it works:
PRM works on the basis that once a process ID is found matching resource limits, there is a corresponding trigger and wait value. The trigger value increments upwards from zero (0) to the defined value, pausing for the number of seconds defined as the wait value. Thereafter the status of the flagged PID is checked again; if it is still above or equal to the resource limits, the trigger/wait cycle begins again until the max trigger value is reached. When this trigger value is reached, the given process is logged/killed.

Altogether, this has the effect that applications with short bursts of resource usage (e.g. apache, mysql, etc.) are not killed; only applications with prolonged resource consumption are. Using the rule system, you can define different wait/trigger/resource values for any application. (More)

Install Mailscanner MRTG

Luigi Ramone | 15 December, 2005 21:55

This will install Mailscanner MRTG on your system. I have tested it on Ensim 3.1.10 and Ensim 3.5.17. Others have also done this on CPanel, but make sure you make the change noted...

Regular, I am not responsible for your box/you are doing this at YOUR OWN RISK... It should not screw anything up, but you are ultimately responsible if it does. I will help out as much as I can, but I am not a genius.

PREREQUISITES
1) MRTG *MUST* be installed (HOW-TO)
2) Mailscanner *MUST* be installed (I use gpans MS/SA/CM HOW-TO, but there is a MS Only HOW-TO too)

INSTRUCTIONS
cd ~
wget http://umn.dl.sourceforge.net/sourc...rtg-0.05.tar.gz
tar -xzvf mailscanner-mrtg-0.05.tar.gz
cd mailscanner-mrtg-0.05
cp mailscanner-mrtg.conf /etc/MailScanner/
cp mailscanner-mrtg.cfg /etc/mrtg/
cp mailscanner-mrtg /usr/sbin/
cp mailscanner-mrtg.include /etc/httpd/conf/
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bk

 (More)

Chkrootkit

Luigi Ramone | 15 December, 2005 21:43

Installing CHKROOTKIT

(Version 0.42b Sep 20 2003)

SSH as admin to your server. DO NOT use telnet

#Change to root
su -

 (More)

Use SFTP (Secure FTP via SSH2) instead of FTP

Luigi Ramone | 15 December, 2005 21:41

NOTE: If you have SSH set up on your server, your server is ready to be an SFTP server. SFTP uses SSH.


What does this How-To show you?

a. How to install, setup and use an SFTP client to connect to your box using SSH2 to download/ upload files rather than FTP.

b. How to block port 21 (the default FTP port) which you don't need anymore.

c. How to uninstall and remove the FTP server from your box (if you don't need it anymore).


Why you should NOT use normal FTP

Most people use normal unsecure FTP to upload and download files to their servers using an FTP client from home.

The problem with this is that YOUR USERNAME AND PASSWORD are sent in PLAIN TEXT - a hacker can easily get this information and use it to gain access to your server.

 (More)

Install/Upgrade ProFTPd

Luigi Ramone | 15 December, 2005 21:22

Ensim
I'm not going to cover Ensim again, since gpan made a nice how-to on this issue and even created RPMs for you to use; all the information can be found here.
After installing it you can also do the proftpd.conf tweak, but you have to do pico -w /etc/proftpd.conf
Note:
1. I can't give any support on the RPM made by gpan, so that will have to go through him.
2. Mouse is against upgrading your ProFTPd on Ensim when you run an up-to-date 3.1.x and 3.5.x.

Plesk
Nighthawk just told me that this is actually a bad idea for Plesk.
Nighthawk has years of experience with Plesk, so I fully support what he's saying about Plesk.
So you're officially warned by me and Nighthawk: don't do this how-to on your system.
You will destroy it otherwise, but you can do the proftpd.conf tweak without a problem, so just skip most of this how-to and use pico -w /etc/proftpd.conf instead, just like on Ensim.

 (More)

Tcpdump

Luigi Ramone | 15 December, 2005 21:20

What is tcpdump?

Tcpdump prints out what traffic is going inbound/outbound including headers.

Why should I use tcpdump?

tcpdump is nice to monitor your network.

Download:

Redhat 9:
wget ftp://rpmfind.net/linux/redhat/9/en....7.2-1.i386.rpm

Redhat 8:
wget ftp://rpmfind.net/linux/redhat/upda....8.0.3.i386.rpm

 (More)

Upgrade kernel on Dual Xeons

Luigi Ramone | 15 December, 2005 21:15

Updated for latest kernel (RH 7.3):

2.4.20-24.7

This is the way I did it - I went to 2.4.20-18.7 first, then went to 2.4.20-20.7. (in any case I am running 2.4.20-20.9 which is the latest for RH 9 - this How-To assumes you are running RH 7.3, but the steps are the same).

This section has 2 parts:

If you are running a kernel that is OLDER THAN 2.4.20-18.7 run PART A first, then PART B.

If you are already running 2.4.20-18.7, go straight to Part B.

 (More)

2.4.22 Kernel upgrade from SOURCE on XEON

Luigi Ramone | 15 December, 2005 21:12

What is new:
1. Quota support
2. ACPI support -> "CONFIG_ACPI_HT_ONLY=y"
( I spent 1.5 hours to find out why we boot without HT )

1) cd /usr/src

2) wget kernel.org/pub/linux/kernel/v2.4/linux-2.4.22.tar.bz2

3) bzcat linux-2.4.22.tar.bz2 | tar xv

4) rm linux

5) ln -s linux-2.4.22 linux

6) cd /usr/src/linux

7)
wget 64.246.63.172/conf2.txt   # config file
mv conf2.txt .config
make dep
make clean
make bzImage
make modules
make modules_install
cp System.map /boot/System.map-2.4.22
cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.22
cd /boot
ln -sf System.map-2.4.22 System.map
ln -sf vmlinuz-2.4.22 vmlinuz

 (More)

Use RCS for version control when editing system configuration files

Luigi Ramone | 15 December, 2005 21:05

RCS is one of the oldest file revision control systems in use. It works on single files and is very handy for system administration. If you use RCS properly, you will have the ability to roll back a configuration file should you mess up an edit, and you also create an audit trail that shows what you (or others working with you) edited when ... very handy.

When you check a file into RCS, RCS creates a version control file for the file in question .. the version control master file is named the same as the original file with ',v' added to the end of the name.

Example:

/etc/hosts
/etc/hosts,v <-- RCS control file

NOTE 1: Make sure to use ci -u when checking in a file, if you just use ci the working copy will be removed.

NOTE 2: Also be aware that you may have to reset ownership / permissions of the file after checking a revision out!

 (More)

Watchdog - Auto-Reboot your server in case of failures

Luigi Ramone | 15 December, 2005 20:50

Watchdog HowTo
==============
Keywords: software autoreboot, autorebooting, auto-reboot, auto-rebooting, auto rebooting

Watchdog is a program that you can use to reboot your server automatically in a lot of cases.
It has been used successfully to reboot servers hit by the "Unexplained Crash" problem, which can be caused by a disk queue starvation problem or a quota/ext3 filesystem deadlock, crashing the server randomly many times. If downtime due to crashes is a problem on your system, you should probably use watchdog to get your peace of mind back.

This works in any distribution: Ensim, Plesk, CPanel, etc., in any Linux system.

As documented in /usr/src/[your-linux-kernel]/Documentation/watchdog.txt, the kernel provides watchdog timer interfaces through a device named /dev/watchdog, "which when open must be written to within a timeout or the machine will reboot. Each write delays the reboot time another timeout. In the case of the software watchdog the ability to reboot will depend on the state of the machines and interrupts. The hardware boards physically pull the machine down off their own onboard timers and will reboot from almost anything.". The default timeout is 60 seconds.

The watchdog program simply uses the /dev/watchdog device, activating the softdog module on your system if your kernel supports it, and writes to /dev/watchdog within 10 seconds while making several checks on your system. If your system crashes, or watchdog stops working, or for any reason watchdog does not write to that device within 60 seconds while the kernel remains alive, the machine will reboot within 60 seconds.

 (More)

Upgrade the Linux Kernel

Luigi Ramone | 15 December, 2005 20:46

We've used the following instructions to upgrade our Linux Kernel at Rackshack from 2.4.9-31 to 2.4.18.

There were no problems, and we did not have to get Rackshack technical support installed.

Please note that upgrading the kernel can be dangerous and it is possible to freeze your system badly enough that Rackshack support has to get involved.

I would recommend reading the README file included with the kernel source prior to following these steps. It will provide an outline along with recovery techniques (if needed).

If this is something you want someone with system administration capabilities (for a fee) to do, please contact us. Otherwise, enjoy.

 (More)

