Booservers - All about dedicated servers

Mount /tmp with noexec

Thu, 04 Sep 2008 15:02:44 +0000

By default, RS servers come with everything lumped in / and a small amount partitioned for /boot and some for swap. With this current setup, you have no room for making more partitions unless you have a second hard-drive.

Recently, I found out it would be worthwhile to give /tmp it's own partition and mount it using noexec- This would protect your system from MANY local and remote exploits of rootkits being run from your /tmp folder.

First off, I want to thank everyone for their help from this thread:

http://forum.rackshack.net/showthread.php?...&threadid=27470

I am simply compiling their advice into a how-to...

What we are doing it creating a file that we will use to mount at /tmp.

CODE

cd /dev

Create 100MB file for our /tmp partition. If you need more space, make count size larger.

CODE

dd if=/dev/zero of=tmpMnt bs=1024 count=100000

Make an extended filesystem for our tmpMnt file

CODE

mke2fs /dev/tmpMnt

Backup your /tmp dir- I had mysql.sock file that I needed to recreate the symbolic link for. Other programs may use it to store cache files or whatever.

CODE

cd /

CODE

cp -R /tmp /tmp_backup

Mount the new /tmp filesystem with noexec

CODE

mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

CODE

chmod 0777 /tmp

Copy everything back to new /tmp and remove backup

CODE

cp -R /tmp_backup/* /tmp/

CODE

rm -rf /tmp_backup

Now we need to add this to fstab so it mounts automatically on reboots.

CODE

pico -w /etc/fstab

You should see something like this:

CODE

/dev/hda3 / ext3 defaults,usrquota 1 1

/dev/hda1 /boot ext3 defaults 1 2

none /dev/pts devpts gid=5,mode=620 0 0

none /proc proc defaults 0 0

none /dev/shm tmpfs defaults 0 0

/dev/hda2 swap swap defaults 0 0

At the bottom add

CODE

/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

(Each space is a tab)

Ctrl + X and Y

Your done- /tmp is now mounted as noexec. You can sleep a little bit safer tonight. I created a hello world c++ and compiled it then moved it to /tmp. Upon trying to run it (even chmod +x'ed), it gives the following error:

CODE

bash: ./a.out: Permission denied

Yay! /tmp no longer has execute permissions

Source: http://forums.theplanet.com/index.php?showtopic=27771

Disable Majordomo for all sites

Thu, 04 Sep 2008 14:59:41 +0000

Watching /var/log/maillog, i noticed a lot of spam sent out from my server through majordomo accounts so i chose to disable it in all my sites.

I did a small HOWTO of how to disable all at the same time. This HOWTO is for Linux/Ensim.

HOWTO Begins:

Note: All command must be Logged as root;

1. First of all we have to disable the email alias in all sites.

CODE

ls /home/virtual/ | grep site | while read x; do echo $x; grep -v "majordomo" /home/virtual/$x/fst/etc/aliases > aliases.tmp; mv -f aliases.tmp /home/virtual/$x/fst/etc/aliases; chroot /home/virtual/$x/fst/ newaliases; done;

2. Now we remove user majordomo from site /etc/passwd.

CODE

ls /home/virtual/ | grep site | while read x; do echo $x; grep -v "majordomo" /home/virtual/$x/fst/etc/passwd > passwd.tmp; mv -f passwd.tmp /home/virtual/$x/fst/etc/passwd; done;

3. And now we remove majordomo from site /etc/group

CODE

ls /home/virtual/ | grep site | while read x; do echo $x; grep -v "majordomo" /home/virtual/$x/fst/etc/group > group.tmp; mv -f group.tmp /home/virtual/$x/fst/etc/group; done;

4. Last restart sendmail, I don't know if this is really necessary, but lets do it anyway.

CODE

service sendmail restart

Source: http://forums.theplanet.com/index.php?showtopic=90535

4 Primary Areas For Tuning Your Server

Thu, 04 Sep 2008 14:57:07 +0000

I just thought I would add my two cents in for everyone. I posted an old howto with some sysctl.conf, but I think that was when I was running on my previous server using and older version of redhat. So here's a fresh howto that is a little more complete.

These configs are based on my server specs, which is a Dual 2.0GHz Xeon with 2GB of RAM running RedHat Enterprise. Depending on your server's RAM you might have to reduce some of the settings, which I'll try make notes with each section.

First, is the /etc/sysctl.conf file. Most people overlook tweaking these settings, always thinking it is a mysql or apache problem. You can get a tremendous boost in throughput by adjusting these settings. These are the settings I use on my server, and have come about by constantly adjusting and monitoring performance, and this is what works best for me, your mileage may vary based on server specs and traffic. I suggest finding some guides and reading up about what each seting does before you make changes. (Note: most out there are pretty dated unfortunatly). Also, some people out there like to have tcp_window_scaling, sack, fack, etc, turned off, but I leave them on. I guess it is just a personal preference thing. So don't complain, but feel free to leave your comments, testing, and results.

/etc/sysctl.conf

CODE

# Kernel sysctl configuration file for Red Hat Enterprise Linux

# Controls IP packet forwarding

net.ipv4.ip_forward = 0

# Controls source route verification

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.all.rp_filter = 1

# Disables IP source routing

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.all.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel

kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.

# Useful for debugging multi-threaded applications.

kernel.core_uses_pid = 1

# Increase maximum amount of memory allocated to shm

# Only uncomment if needed!

# kernel.shmmax = 67108864

# Disable ICMP Redirect Acceptance

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets

net.ipv4.conf.default.log_martians = 1

net.ipv4.conf.all.log_martians = 1

# Decrease the time default value for tcp_fin_timeout connection

net.ipv4.tcp_fin_timeout = 25

# Decrease the time default value for tcp_keepalive_time connection

net.ipv4.tcp_keepalive_time = 1200

# Turn on the tcp_window_scaling

net.ipv4.tcp_window_scaling = 1

# Turn on the tcp_sack

net.ipv4.tcp_sack = 1

# tcp_fack should be on because of sack

net.ipv4.tcp_fack = 1

# Turn on the tcp_timestamps

net.ipv4.tcp_timestamps = 1

# Enable TCP SYN Cookie Protection

net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request

net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection

net.ipv4.icmp_ignore_bogus_error_responses = 1

# Make more local ports available

# net.ipv4.ip_local_port_range = 1024 65000

# Set TCP Re-Ordering value in kernel to '5'

net.ipv4.tcp_reordering = 5

# Lower syn retry rates

net.ipv4.tcp_synack_retries = 2

net.ipv4.tcp_syn_retries = 3

# Set Max SYN Backlog to '2048'

net.ipv4.tcp_max_syn_backlog = 2048

# Various Settings

net.core.netdev_max_backlog = 1024

# Increase the maximum number of skb-heads to be cached

net.core.hot_list_length = 256

# Increase the tcp-time-wait buckets pool size

net.ipv4.tcp_max_tw_buckets = 360000

# This will increase the amount of memory available for socket input/output queues

net.core.rmem_default = 65535

net.core.rmem_max = 8388608

net.ipv4.tcp_rmem = 4096 87380 8388608

net.core.wmem_default = 65535

net.core.wmem_max = 8388608

net.ipv4.tcp_wmem = 4096 65535 8388608

net.ipv4.tcp_mem = 8388608 8388608 8388608

net.core.optmem_max = 40960

After you make the changes to the file, you can make them effective immediately by typing in /sbin/sysctl -p

Also, you will need to issue /sbin/sysctl -w net.ipv4.route.flush=1 to flush the routing table to make some of these changes happen instantly.

Here's some URLs with useful info, benchmarks, etc... (I believe one was posted from someone below)
http://www.aarnet.edu.au/engineering/netwo.../mtu/local.html
http://sverre.home.cern.ch/sverre/TenGBE_w...er_04232003.pdf
http://www.hep.ucl.ac.uk/~ytl/tcpip/linux/...en/datatag-tcp/
http://www-didc.lbl.gov/TCP-tuning/TCP-tuning.html
http://ipsysctl-tutorial.frozentux.net/chu...html/index.html

-------------------------------------------

Second is the MySQL /etc/my.cnf settings file. A lot of people just leave this file with its default settings until they notice problems with their server performance. Please note that I'm not including the datadir or socket settings since those can vary based on your server setup. Also I'm only including the base [mysqld] section and not any of the [safe_mysqld], [mysqldump], or [myisamchk] sections.

Also, update your MySQL to the latest version, if you are still running 3.x you should be dragged out into the street and beaten with a stick, seriously. Just download the MySQL RPMs from the MySQL website, it takes 30 seconds to upgrade. They usually release a new version every month. Be aware of the difference between 4.0.x and 4.1.x (or higher).

CODE

[mysqld]

connect_timeout=15

interactive_timeout=100

join_buffer_size=1M

key_buffer=256M

max_allowed_packet=16M

max_connections=500

max_connect_errors=10

myisam_sort_buffer_size=64M

read_buffer_size=2M

read_rnd_buffer_size=2M

sort_buffer_size=2M

table_cache=1024

thread_cache_size=100

thread_concurrency=4

wait_timeout=300

query_cache_size=128M

query_cache_limit=1M

query_cache_type=1

skip-innodb

For people with a single CPU be sure to set thread_concurrency to 2 (4 is for Dual CPUs). People with 1GB of RAM, you might want to consider lowering the key_buffer to 64M and the myisam_sort_buffer_size to 32M. This really just depends on how much free memory your system has during peak traffic hours. If you increase these too much and your system runs out of physical RAM and starts swapping to disk, your system is going to eat it hard.

For more information about Mysqld variables, please read the following articles as they explain all the settings in-depth and how to fine-tune them: Article 1 and Article 2 and Article 3

-------------------------------------------

Third is Apache. Some people run 1.x, and some run 2.x, me personally I run 2.x because of the better performance. But some people are tied to the older version because of other software packages.

The first thing to do if you are running 1.x is to get mod_gzip and use it. If you are running 2.x then use mod_deflate (it is included). This compresses all your HTML/TXT/XML data before it is sent, saving you bandwidth, and faster load times for your users.

If you are serving up pages + images then you *probably* want to set your keepalive to on, and have your settings something like this:

Timeout 60
KeepAlive On
MaxKeepAliveRequests 1000
KeepAliveTimeout 10

By setting the KeepAliveTimeout low you won't have all those lingering connections. You can probably set it even lower if you like.

If you are only serving up html (or php or whatever) pages, and using another web server for your images (like tux). Then you probably want to set your KeepAlive to Off since the user will only be requesting 1 file at a time.

Most people have the bad habit of instantly increasing their MaxClients to 256. This can be BAD if you don't take into account memory availability. You need to determine how much memory you have free, how much each apache process consumes, then do the math to figure out what you can safely set the MaxClients to. If you exceed your physical memory then once again the server will swap to the HD and the server will take a dive in performance.

Comment out / remove and Dynamic Shared Object (DSO) modules that you do not use! There are a ton loaded by default, most which you will never use. I commented out 20+ personally! Read the apache documentation on what each one does, the apache docs are very detailed.

If possible, set the AllowOverride option to None. This prevents apache from checking for the .htaccess file in every directory whenever a request is made. However if you use .htaccess files then you have to leave the setting there, but if you can limit it down to certain directories, then do it.

Mask your Apache version by using the following settings:
ServerSignature Off
ServerTokens ProductOnly

That's just good practice, you can also hide your PHP info by setting expose_php = Off in your /etc/php.ini file.

Fourth is PHP. One thing to do is use a program like eAccelerator which caches pre-compiled versions of your php files to help reduce overhead and increase performance. It is a free download from sourceforge, but it will require a little know-ho on your part to install. There are plenty of other guides on how to install this. It is very simple and quick.

A lot of people use the redhat PHP RPMs, which can be quite bloated. My libphp4.so module is only 2.07MB in size. (I don't remember what the default redhat one is, but I'm willing to bet it is larger). Also Redhat never seems to keep up to date with the latest PHP (or MySQL) version, I always recommend updating as soon as a new release is published.

Here's my configure line. There's a lot of settings you may not use, and they could be ones that you use that I don't. You can view your current configure line via the phpinfo() function. These include all the big things such as GD, XML, SHM, etc.. Some people maybe want to enable a certain memory-limit to prevent PHP from eating too much memory per process.

Also, I don't use mm simply because I found it would crash apache on an almost daily basis. I had problems with session storage, and also it would not restart after rotating logs...

CODE

./configure

--prefix=/usr

--exec-prefix=/usr

--bindir=/usr/bin

--sbindir=/usr/sbin

--sysconfdir=/etc

--datadir=/usr/share

--includedir=/usr/include

--libdir=/usr/lib

--libexecdir=/usr/libexec

--localstatedir=/var

--sharedstatedir=/usr/com

--mandir=/usr/share/man

--infodir=/usr/share/info

--disable-cgi

--disable-debug

--disable-rpath

--disable-memory-limit

--disable-ipv6

--disable-safe-mode

--enable-pic

--enable-discard-path

--enable-inline-optimization

--enable-gd-native-ttf

--enable-gd-imgstrttf

--enable-magic-quotes

--enable-sysvsem

--enable-sysvshm

--enable-sysvmsg

--enable-shmop

--enable-track-vars

--enable-exif

--enable-wddx

--enable-bcmath

--enable-calendar

--enable-ftp

--enable-inline-optimization

--with-apxs2=/usr/sbin/apxs

--with-mysql=/usr

--with-pear

--with-config-file-path=/etc

--with-exec-dir=/usr/bin

--with-gd

--with-png-dir=/usr

--with-jpeg-dir=/usr

--with-freetype-dir=/usr

--with-gettext

--with-openssl

--with-regex

--with-ttf=/usr

--with-expat-dir=/usr

--with-dom=/usr

--with-dom-xslt=/usr

--with-dom-exslt=/usr

--with-iconv

--with-db4=/usr

--with-gdbm=/usr

--with-zlib=/usr

--with-zlib-dir=/usr

--with-xmlrpc

--with-xml

--with-bz2=/usr

--with-cdb

--enable-mbstring

-------------------------------------------

When compiling programs (like PHP, eaccelerator, etc..), you can fine-tune some of your compile-options to enhance performance for your CPU's capabilities (and remove excess stuff like debug info)

As mentioned before, I run dual xeon's (P4's for all practical purposes). If you are using a different CPU then you might have to go look up the proper flags at the GCC website.

Before compiling a program, you can set the following flags:

CODE

export CFLAGS="-O3 -pipe -mcpu=pentium4 -march=pentium4 -fomit-frame-pointer"

export CXXFLAGS="${CFLAGS}"

export CHOST="i686-pc-linux-gnu"

export MAKEOPTS="-j2"

export LDFLAGS="-Wl,-O1"

These flags are considered "stable" and should enhance performance a little for software that you compile with these options. There are tons of other flags, however some reduce precision for certain math (which can cause problems in certain software) and others may reduce stabililty.

-------------------------------------------

I guess that's about it... Use the information at your own risk. Hopefully it will help some people out, or at least point them in the right direction.

Please don't post questions that are like: "here's my config, can you optimize it for X server?". I don't check these forums that often, so I probably won't reply to your question.

Server tuning is more of an art than just entering X setting to Y number. Before making changes, keep your old configs. Also get a monitoring program so you can graph out your server load and other vitals. That way you can see before & after results. Also, if you run a forum, let your users know that you are going to make changes, and get their feedback on response time and such from them.

Enjoy.

Source: http://forums.theplanet.com/index.php?showtopic=48880

Redhat ROD/Remote Console How To

Thu, 04 Sep 2008 14:56:25 +0000

Redhat with Grub:

1. Edit grub.conf with your favorite editor so you can manipulate grub and the boot process via remote console:

CODE

serial --unit=0 --speed=9600

terminal --timeout=10 serial console

Example:

CODE

# grub.conf generated by anaconda

#

# Note that you do not have to rerun grub after making changes to this file

# NOTICE: You have a /boot partition. This means that

# all kernel and initrd paths are relative to /boot/, eg.

# root (hd0,0)

# kernel /vmlinuz-version ro root=/dev/hda3

# initrd /initrd-version.img

#boot=/dev/hda

serial --unit=0 --speed=9600

terminal --timeout=10 serial console

default=0

timeout=3

You will also need to add options to the kernel line if you want to see the kernel booting and if you need to do file system maintenance via the remote console (IE it is stuck at fsck errors):

CODE

console=tty0 console=ttyS0,9600

Example:

CODE

title Red Hat Enterprise Linux ES (2.4.21-27.EL)

root (hd0,0)

kernel (hd0,0)/vmlinuz-2.4.21-27.EL root=/dev/hda3 console=tty0 console=ttyS0,9600

initrd (hd0,0)/initrd-2.4.21-27.EL.img

NOTE Your kernel line may differ such as Kernel version and root= device. DO NOT CHANGE THESE, simply append the line with console options.

2. If you want shell console access after the boot process you will need to do the following:

Add the following to the bottom of /etc/inittab:

CODE

co:12345:respawn:/sbin/agetty -L 9600 ttyS0 vt100

Add the following to the bottom of /etc/securetty:

CODE

ttyS0

Restart getty to get immediate access to Remote Console:

CODE

telinit q

Source: http://forums.theplanet.com/index.php?showtopic=77085

Debian ROD/Remote Console How To

Thu, 04 Sep 2008 14:55:27 +0000

Add the following to /etc/lilo.conf:

CODE

append = "console=ttyS0,9600n8"

Run Lilo for the changes to take affect.

CODE

lilo

Then add the following to /etc/securetty:

CODE

ttyS0

edit /etc/inittab - Uncomment the line:

CODE

T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100

Reboot

CODE

shutdown -r now

For those who just like to copy and paste:

CODE

echo 'append = "console=ttyS0,9600n8"' >> /etc/lilo.conf

lilo

echo "ttyS0" >> /etc/securetty

echo "T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100" >> /etc/inittab

reboot

Source: http://forums.theplanet.com/index.php?showtopic=78235

Windows ROD/Remote Console How To

Thu, 04 Sep 2008 14:54:35 +0000

Open a command prompt or the run menu and run the following:

CODE

bootcfg.exe /ems ON /port COM1 /baud 9600 /ID 1

To see if this was performed correctly open the boot.ini file and confirm that the following was added:

CODE

redirect=COM1

redirectbaudrate=9600

/redirect

After the server has been rebooted look for the Special Administration Console Helper process to be started. This has to be running for the EMS to be enabled.

Source: http://forums.theplanet.com/index.php?showtopic=77089

FBSD ROD/Remote Console How To

Thu, 04 Sep 2008 14:53:45 +0000

Dual console for boot and kernel:

CODE

echo -Dh >> /boot.config

Add the following to /etc/ttys for shell access:

CODE

ttyd0 "/usr/libexec/getty std.9600" cons25 on secure

Note that this will require a reboot to function properly.

CODE

shutdown �r now

Source: http://forums.theplanet.com/index.php?showtopic=77087

PRM (Process Resource Monitor)

Thu, 04 Sep 2008 14:43:36 +0000

Introduction:
PRM monitors the process table on a given system and matches process id's with set resource limits in the config file or per-process based rules. Process id's that match or exceed the set limits are logged and killed; includes e-mail alerts, kernel logging routine and more...

How it works?:
PRM works on the basis that once a process id is found matching resource limits; there is a corresponding trigger and wait value. The trigger value increments upwards from zero (0) to the defined value, pausing the duration of seconds defined as wait value. There after the status of the flagged pid is checked again, if still above or equal to resource limits the trigger/wait cycle begins again till the max trigger value is reached. When this trigger value is reached the given process is logged/killed.

This all together has the effect that applications with short burst resource spikes (e.g: apache, mysql etc..) are not killed; but rather on applications with prolonged resource consumption. Using the rule system, you can define different wait/trigger/resource values for any application.

Installation:
First we must fetch the package:
# wget http://www.rfxnetworks.com/downloads/prm-c...-current.tar.gz

And extract it:
# tar xvfz prm-current.tar.gz

The current version of prm as of this writing is 0.3, so lets cd to the 0.3 extracted path:
# cd prm-0.3/

And finally run the enclosed install.sh script:
# ./install.sh

Configuration:
The prm installation is located at '/usr/local/prm', and the configuration file is labeled 'conf.prm'.

Open the '/usr/local/prm/conf.prm' file with your preferred editor. There is an array of options in this file but we will only be focusing on the main variables.

Lets skip down to the user e-mail alert's section and set the USR_ALERT value to '1'; enabling alerts.
# enable user e-mail alerts [0=disabled,1=enabled]
USR_ALERT="1"

And configure our e-mail addresses for alerts:
# e-mail address for alerts
USR_ADDR="root, you@domain.com"

Check the 5,10, or 15 minute load average; relative to the later option below for min. load level.
# check 5,10,15 minute load average. [1,2,3 respective of 5,10,15]
LC="1"

PRM optionally has a required load average for running. If the load is not equal to or greater than this value; PRM will not run. Setting this value to zero will force the script to always run but this should not be needed.
# min load level required to run (decimal values unsupported)
MIN_LOAD="1"

This is the introduction described wait value, used for pauses between trigger increments. The value of wait multiplied by the value of kill_trig equal the duration of time before a process is killed (10x3=30seconds).
# seconds to wait before rechecking a flagged pid (pid's noted resource
# intensive but not yet killed).
WAIT="10"

The trigger limit before processes are killed, described in detail in the above 'wait' description and introduction.
# counter limit that a process must reach prior to kill. The counter value
# increases for a process flagged resource intensive on rechecks.
KILL_TRIG="3"

The max percentage of CPU a process should be allowed to use before PRM flags it for killing.
# Max CPU usage readout for a process - % of all cpu resources (decimal values unsupported)
MAXCPU="35"

The max percentage of MEM a process should be allowed to use before PRM flags it for killing.
# Max MEM usage readout for a process - % of system total memory (decimal values unsupported)
MAXMEM="15"

That is it; you should tweak the MAXCPU/MAXMEM limits to your desired needs but the defaults should be fine for most.

Usage:
The executable program resides in '/usr/local/prm/prm' and '/usr/local/sbin/prm'. The prm executable can receive one of two arguments:

-s Standard run
-q Quiet run

The log path for prm is '/usr/local/prm/prm_log', as well pid specific logs are stored in '/usr/local/prm/killed/'.

A default cronjob for PRM is installed to '/etc/cron.d/prm', and is configured to run once every 5 minutes.

There is a provided ignore file, to ignore processes based on string rules. The ignore file is located at '/usr/local/prm/ignore'. This file supports line separated ignore strings. As a default the strings 'root, named and postgre' are ignored by PRM; this script was not intended to monitor root processes but rather user land tasks. It could easily watch root processes by removing the given line in the ignore file but this is strongly discouraged.

Source: http://forums.theplanet.com/index.php?showtopic=25376

Install Mailscanner MRTG

Thu, 15 Dec 2005 21:55:06 +0000

This will install Mailscanner MRTG on your system. I have tested it on Ensim 3.1.10 and Ensim 3.5.17. Others have also done this on CPanel, but make sure you make the change noted...

Regular, I am not responsible for your box/you are doing this at YOUR OWN RISK... It should not screw anything up, but you are ultimately responsible if it does. I will help out as much as I can, but I am not a genius.

PREREQUISITES
1) MRTG *MUST* be installed (HOW-TO)
2) Mailscanner *MUST* be installed (I use gpans MS/SA/CM HOW-TO, but there is a MS Only HOW-TO too)

INSTRUCTIONS
cd ~
wget http://umn.dl.sourceforge.net/sourc...rtg-0.05.tar.gz
tar -xzvf mailscanner-mrtg-0.05.tar.gz
cd mailscanner-mrtg-0.05
cp mailscanner-mrtg.conf /etc/MailScanner/
cp mailscanner-mrtg.cfg /etc/mrtg/
cp mailscanner-mrtg /usr/sbin/
cp mailscanner-mrtg.include /etc/httpd/conf/
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bk

For CPanel Users
mkdir /usr/local/apache/htdocs/mailscanner-mrtg
cp web/* /usr/local/apache/htdocs/mailscanner-mrtg/
pico -w /etc/MailScanner/mailscanner-mrtg.conf
Find the two lines that start with:
Incoming Queue Dir =
Outgoing Queue Dir =
and change it to look like this:
Incoming Queue Dir = /var/spool/exim_incoming/input/
Outgoing Queue Dir = /var/spool/exim/input/

For Ensim/Red Hat/Fedora Users
mkdir /var/www/html/mailscanner-mrtg
cp web/* /var/www/html/mailscanner-mrtg/

Continued... FOR ALL USERS
pico -w /etc/httpd/conf/httpd.conf
Add this line to the very bottom
Include /etc/httpd/conf/mailscanner-mrtg.include
Ctrl + X to quit, y to save

Run this command 3 times. Ignore the errors and wait, it takes a few seconds each time.
mrtg /etc/mrtg/mailscanner-mrtg.cfg
-- IGNORE THE ERRORS (They are normal) --

service httpd restart
If this fails, check that you copied the file mailscanner-mrtg.include to the /etc/httpd/conf folder. Also recheck that you added the Include line above. If all else fails comment out the Include line and post your errors. DO NOT CONTINUE until httpd restarts successfully.

pico -w /etc/crontab
Add this line to the bottom of the file
0-59/5 * * * * root /usr/bin/mrtg /etc/mrtg/mailscanner-mrtg.cfg >> /dev/null
Ctrl + X to quit, y to save

Go to http://hostname.domain.com/mailscanner-mrtg

Chkrootkit

Thu, 15 Dec 2005 21:43:05 +0000

Installing CHKROOTKIT

(Version 0.42b Sep 20 2003)

SSH as admin to your server. DO NOT use telnet

#Change to root
su -

#Type the following
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

#Unpack the tarball using the command
tar xvzf chkrootkit.tar.gz

#Change to the directory it created
cd chkrootkit*

#Compile by typing
make sense

#To use chkrootkit, just type the command
./chkrootkit

#Everything it outputs should be 'not found' or 'not infected'...

#Now,
cd ..
#Then remove the .gz file
rm chkrootkit.tar.gz

Credits: http://www.cheetaweb.com/