Uninstall APF

Sometimes we may need to remove APF from the server. Here is a guide that shows how to remove APF completely from the server.

Stop the firewall first:
service apf stop
/bin/rm -rfv /etc/apf
Remove the cron job for APF:
/bin/rm -fv /etc/cron.daily/fw
/bin/rm -fv /etc/init.d/apf
Lastly, disable it at startup:
chkconfig apf off

This should remove APF completely from the server, as we have removed the APF daemon, its cron job and its files.

cPanel User Shell Access : fork: Resource temporarily unavailable

cPanel user shell access suddenly starts returning an error:

root@server [~]# su - user
-bash: fork: Resource temporarily unavailable

The culprit seems to be cPanel and its “Shell Fork Bomb Protection”. Logging into WHM >> Security >> Security Center >> “Shell Fork Bomb Protection” and clicking “Disable Protection” resolves the issue.

Shell Fork Bomb Protection prevents users with terminal access (ssh/telnet) from using up the server's resources and possibly crashing the server.

cPanel : Horde login error !

Horde login error

The Horde login page shows the error below:

Warning: Unknown: write failed: Disk quota exceeded (122) in Unknown on line 0

Warning: Unknown: Failed to write session data (files). Please verify that the current setting of
session.save_path is correct (/var/cpanel/userhomes/cpanelhorde/sessions) in Unknown on line 0

Then try this cPanel script:

/scripts/autorepair phpapps_owner_fix

The above cPanel script will reset all the quotas for the cPanel users.

What is APF (Advanced Policy Firewall)? APF Firewall

APF is a policy-based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaging in both tar.gz and RPM formats makes APF ideal for deployment in many Linux-based server environments. APF is developed and maintained by R-fx Networks: http://www.rfxnetworks.com/apf.php

This guide will show you how to install and configure the APF firewall, one of the better-known Linux firewalls available.

Requirements:
– Root SSH access to your server

Let's begin!
Log in to your server through SSH and su to the root user.

1. cd /root/downloads, or another temporary folder where you store your files.

2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

3. tar -xvzf apf-current.tar.gz

4. cd apf-9.6-5/ or whatever the latest version is.

5. Run the install file: ./install.sh
You will receive a message saying it has been installed

Installing APF 9.6-5: Completed.
Installation Details:
Install path:         /etc/apf/
Config path:          /etc/apf/conf.apf
Executable path:      /usr/local/sbin/apf
Other Details
Listening TCP ports: 53,2086,2087,3306
Listening UDP ports: 53,39437

Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.

6. Let's configure the firewall: nano -w /etc/apf/conf.apf
We will go over the general configuration to get your firewall running. This isn’t a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.

We like to use DShield.org’s “block” list of top networks that have exhibited
suspicious activity.
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"

7. Configuring Firewall Ports:

cPanel Servers
We like to use the following on our cPanel servers. Note that the port lists must contain no spaces; APF reads each value as a single comma-separated string.

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports - 3000_3500 = passive port range for Pure-FTPd
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

Ensim Servers
We have found the following can be used on Ensim servers, although we have not tried these ourselves, as I don't run Ensim boxes.

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

Save the changes: Ctrl+X then Y

8. Starting the firewall
/usr/local/sbin/apf -s

Other commands:
usage ./apf [OPTION]
-s|--start ......................... load firewall policies
-r|--restart ....................... flush & load firewall
-f|--flush|--stop .................. flush firewall
-l|--list .......................... list chain rules
-st|--status ....................... firewall status
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall

9. After everything is fine, change the DEVM option
Development mode (DEVM="1") has cron flush the firewall every 5 minutes, so a mistaken rule cannot lock you out of the server for long. We recommend changing this back to "0" only after you have had a chance to ensure everything is working well and have tested the server out.

nano -w /etc/apf/conf.apf

FIND: DEVM="1"
CHANGE TO: DEVM="0"

10. Checking the APF Log

Will show any changes to allow and deny hosts among other things.
tail -f /var/log/apf_log
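As an added pre-flight check (not part of APF or the original guide), the POSIX shell snippet below lints the port lists and the DEVM setting of a conf.apf fragment before you run apf -s, since a stray space in IG_TCP_CPORTS silently breaks the rule set. APF_SAMPLE is a constructed stand-in for /etc/apf/conf.apf and the function names are ours.

```shell
#!/bin/sh
# Added check, not part of APF: lint the port lists and DEVM setting in a
# conf.apf fragment before running `apf -s`. APF_SAMPLE is a constructed
# stand-in for /etc/apf/conf.apf (DEVM left at "1" on purpose).
APF_SAMPLE='DEVM="1"
EGF="1"
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
IG_UDP_CPORTS="53"'

# apf_get VAR TEXT: print the quoted value of VAR from conf.apf-style text.
apf_get() {
  printf '%s\n' "$2" | sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p"
}

# apf_validate LIST: 0 if every entry is PORT or LOW_HIGH within 1-65535,
# 1 otherwise (spaces, letters, empty entries, reversed or malformed ranges).
apf_validate() {
  case "$1" in ''|*[!0-9,_]*) return 1 ;; esac
  for p in $(printf '%s' "$1" | tr ',' ' '); do
    case "$p" in _*|*_|*_*_*) return 1 ;; esac
    lo=${p%_*}; hi=${p#*_}           # a single port gives lo = hi
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
  done
  return 0
}

# apf_expand LIST: one entry per line with APF's LOW_HIGH rewritten as
# LOW:HIGH, the form iptables --dport uses, for diffing against `apf -l`.
apf_expand() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/_/:/'
}

# apf_ready TEXT: 0 when the config can be left running unattended:
# DEVM="0" (no 5-minute cron flush) and both ingress lists validate.
apf_ready() {
  [ "$(apf_get DEVM "$1")" = "0" ] || return 1
  apf_validate "$(apf_get IG_TCP_CPORTS "$1")" || return 1
  apf_validate "$(apf_get IG_UDP_CPORTS "$1")"
}

if apf_ready "$APF_SAMPLE"; then
  echo "conf.apf ready"
else
  echo "conf.apf not ready: DEVM still 1 or a port list is malformed"
fi
```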


cPanel/WHM cannot be accessed using IP/whm and IP/cpanel

This issue is caused by some lines missing from httpd.conf.

Fix
====

1) Open the Apache configuration file (httpd.conf) in your favorite editor.

2) Add the following lines to httpd.conf.

===================================================================

ErrorDocument 400 /400.shtml
ErrorDocument 401 /401.shtml
ErrorDocument 403 /403.shtml
ErrorDocument 404 /404.shtml
ErrorDocument 500 /500.shtml
ScriptAlias /cgi-sys/ /usr/local/cpanel/cgi-sys/
Alias /sys_cpanel/ /usr/local/cpanel/sys_cpanel/
Alias /java-sys/ /usr/local/cpanel/java-sys/
Alias /img-sys/ /usr/local/cpanel/img-sys/
Alias /akopia/ /usr/local/cpanel/3rdparty/interchange/share/akopia/

Alias /neo-images/ /usr/local/cpanel/base/neomail/neo-images/
ScriptAliasMatch ^/cpanel/(.*) /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAlias /cpanel /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAlias /whm /usr/local/cpanel/cgi-sys/whmredirect.cgi
ScriptAlias /securewhm /usr/local/cpanel/cgi-sys/swhmredirect.cgi
ScriptAlias /webmail /usr/local/cpanel/cgi-sys/wredirect.cgi
ScriptAliasMatch ^/webmail/(.*) /usr/local/cpanel/cgi-sys/wredirect.cgi
ScriptAliasMatch ^/kpanel/(.*) /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAlias /controlpanel /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAlias /securecontrolpanel /usr/local/cpanel/cgi-sys/sredirect.cgi
Alias /mailman/archives/ /usr/local/cpanel/3rdparty/mailman/archives/public/
ScriptAlias /mailman/ /usr/local/cpanel/3rdparty/mailman/cgi-bin/
Alias /pipermail/ /usr/local/cpanel/3rdparty/mailman/archives/public/
Alias /interchange/ /usr/local/cpanel/3rdparty/interchange/share/interchange/
Alias /interchange-5/ /usr/local/cpanel/3rdparty/interchange/share/interchange-5/

===================================================================

3) Now restart the httpd service in the server.

cPanel email inconsistent quota !

If a cPanel email user's quota does not match what the system or a mail client reports, run the following to determine how much space is really in use:

du -hs /home/username/mail/userdomain.com/user/

Then compare it with the disk usage cPanel reports. If they differ, delete:

/home/username/mail/domain.com/user/maildirsize

Finally, log back in to cPanel; the discrepancy should be resolved.

PhpMyAdmin :: SQLite failed to open/create session database

This is usually a bug in the phpMyAdmin configuration. Whenever you receive the following error when accessing phpMyAdmin from WHM or cPanel, follow the steps below to fix it:

Warning: session_write_close() [function.session-write-close]: open(/var/cpanel/userhomes/cpanelphpmyadmin/sessions/sess_uPSQAGVEZx2uuePd7SpsgTHJ6X7, O_RDWR) failed: No such file or directory (2) in /usr/local/cpanel/base/3rdparty/phpMyAdmin/navigation.php on line 85

Manually edit the /usr/local/cpanel/3rdparty/etc/phpmyadmin/php.ini file as follows:

1) Log in to the server's shell as root and open the file /usr/local/cpanel/3rdparty/etc/phpmyadmin/php.ini using vi or any other editor.

2) Search for the [Session] section and, underneath it, change the following:

Replace:
——————————-
session.save_handler = sqlite
session.save_path =/var/cpanel/userhomes/cpanelphpmyadmin/sessions/phpsess.sdb
——————————-
To:
——————————-
session.save_handler = files
session.save_path = /tmp
——————————-

By default, phpMyAdmin uses sqlite as the session save handler, but it needs to be changed to files, and the location where session files are stored needs to be changed to /tmp, the standard place for temporary files.

Named rndc.key error when starting

Restarting the named process after making modifications may fail because of a corrupt rndc.key; the error looks like this:

Sep 12 03:30:54 server named[23683]: /etc/rndc.key:1: configuring key ‘rndc-key’: bad base64 encoding
Sep 12 03:30:54 server named[23683]: loading configuration: bad base64 encoding
Sep 12 03:30:54 server named[23683]: exiting (due to fatal error)

A simple explanation is that the key got modified somehow, perhaps by some bug.
What to do about this? It is simple: check the /etc/rndc.conf file and copy the key from there (you will see it in the first lines of the file), replace the key in /etc/rndc.key with it, and restart the named process.


# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]

Catch PHP nobody Spammers

PHP and Apache have a history of not being able to track which user is sending mail through the PHP mail() function as the nobody user, so leaks in formmail scripts and malicious users can spam from your server without you knowing who or where it comes from. Watching your exim_mainlog doesn't exactly help: you see the email going out, but you can't tell which user or script is sending it. This is a quick and dirty way to get around the nobody spam problem on your Linux server.

If you check your php.ini file you'll notice that your mail program is set to /usr/sbin/sendmail, and 99.99% of PHP scripts just use the built-in mail() function, so everything goes through /usr/sbin/sendmail.

Requirements:
We assume you're using Apache 1.3x, PHP 4.3x and Exim. This may work on other systems, but we have only tested it on a cPanel/WHM Red Hat Enterprise system.



Step 1)
Log in to your server and su - to root.


Step 2)
Turn off exim while we do this so it doesn’t freak out.
/etc/init.d/exim stop

Article provided by WebHostGear.com


Step 3)
Backup your original /usr/sbin/sendmail file. On systems using Exim MTA, the sendmail file is just basically a pointer to Exim itself.
mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden

Step 4)
Create the spam monitoring script for the new sendmail.
pico /usr/sbin/sendmail

Paste in the following:

#!/usr/local/bin/perl
# Logging wrapper for sendmail: records who invoked it, then hands the
# message to the real Exim sendmail binary saved as sendmail.hidden.
use strict;
use warnings;
# Import only the CGI environment variables we log, so the script compiles
# under strict even when they are absent (shell or cron invocations).
use Env qw(REMOTE_ADDR SCRIPT_NAME SERVER_NAME PWD);

my $date = `date`;
chomp $date;
open(INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";
my $uid  = $>;                 # effective uid of the calling process
my @info = getpwuid($uid);     # passwd entry for that uid (e.g. nobody)
if ($REMOTE_ADDR) {
    # Called from a web request: log client IP, script and virtual host.
    print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
} else {
    # Called from a shell or cron job: log the working directory and user.
    print INFO "$date - $PWD - @info\n";
}
close(INFO);

# Pass the original arguments straight through to the real sendmail.
# The list form of open avoids a shell, so arguments are never re-parsed.
my $mailprog = '/usr/sbin/sendmail.hidden';
open(MAIL, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
while (<STDIN>) {
    print MAIL;
}
close(MAIL);

Step 5)
Change the new sendmail permissions
chmod +x /usr/sbin/sendmail

Step 6)
Create a new log file to keep a history of all mail going out of the server using web scripts
touch /var/log/spam_log

chmod 0777 /var/log/spam_log

Step 7)
Start Exim up again.
/etc/init.d/exim start

Step 8)
Monitor your spam_log file for spam. Try any formmail or other script that uses a mail function (a message board, a contact script) and watch the entries appear:
tail -f /var/log/spam_log

Sample Log Output

Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory -  nobody x 99 99   Nobody / /sbin/nologin
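As an added triage helper (not from the original article), the shell/awk snippet below summarises spam_log by originating script (web requests) or working directory (shell and cron jobs), so a burst from one source stands out. SPAM_LOG_SAMPLE is constructed in the two line formats the wrapper writes, and the function names are ours.

```shell
#!/bin/sh
# Added triage helper, not from the original article: count spam_log entries
# per originating script or directory and flag any source above a threshold.
# SPAM_LOG_SAMPLE is constructed in the two line formats the wrapper writes.
SPAM_LOG_SAMPLE='Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory -  nobody x 99 99   Nobody / /sbin/nologin
Mon Apr 11 07:12:22 EDT 2005 - 203.0.113.5 ran /contact.php at example.com
Mon Apr 11 07:12:23 EDT 2005 - 203.0.113.5 ran /contact.php at example.com
Mon Apr 11 07:12:24 EDT 2005 - /home/username/public_html/directory/subdirectory -  nobody x 99 99   Nobody / /sbin/nologin
Mon Apr 11 07:12:25 EDT 2005 - 203.0.113.5 ran /contact.php at example.com'

# spam_log_sources TEXT: print "COUNT SOURCE" per distinct source, busiest first.
spam_log_sources() {
  printf '%s\n' "$1" | awk -F' - ' '
    # web format: "<date> - <ip> ran <script> at <host>" -> keep <script>
    $2 ~ / ran / { sub(/^.* ran /, "", $2); sub(/ at .*$/, "", $2) }
    # shell/cron format: "<date> - <pwd> - <passwd fields>" -> keep <pwd>
    { count[$2]++ }
    END { for (s in count) print count[s], s }' | sort -rn
}

# spam_log_top TEXT: the single busiest source.
spam_log_top() {
  spam_log_sources "$1" | head -n 1 | cut -d' ' -f2-
}

# spam_log_alert TEXT LIMIT: exit 0 when some source sent more than LIMIT messages.
spam_log_alert() {
  spam_log_sources "$1" | awk -v lim="$2" '$1 > lim { hit = 1 } END { exit !hit }'
}

spam_log_sources "$SPAM_LOG_SAMPLE"
```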

Log Rotation Details
Your spam_log file isn’t set to be rotated so it might get to be very large quickly. Keep an eye on it and consider adding it to your logrotation.

pico /etc/logrotate.conf

FIND:
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}

ADD BELOW:

# SPAM LOG rotation
/var/log/spam_log {
monthly
create 0777 root root
rotate 1
}

Notes:
You may also want to chattr +i /usr/sbin/sendmail so it doesn't get overwritten.

DNS Cache Poisoning Test


Q. How do I verify that my ISP's or my own recursive resolvers are free from the DNS cache poisoning bug, for which Dan has promised full disclosure on August 7 at the Black Hat conference? How do I test my DNS server for DNS cache pollution or the DNS cache poisoning bug?

A. DNS cache poisoning (also known as DNS cache pollution) is a maliciously created or unintended situation in which a Domain Name Server receives data that did not originate from an authoritative DNS source. It occurs when a DNS spoofing attack is encountered: an attacker sends malicious or non-authentic data in response to a DNS query. For example, a DNS query for www.linuxbabu.net could be redirected to www.redhat.com.

How do I find out whether my DNS server is open to such an attack?

Visit Dan Kaminsky's JavaScript test page to check your DNS.

You can also use the dig command, for example:
$ dig +short @{name-server-ip} porttest.dns-oarc.net txt
$ dig +short @ns1.example.com porttest.dns-oarc.net txt
$ dig +short @208.67.222.222 porttest.dns-oarc.net txt
Sample output:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"208.67.222.222 is GOOD: 26 queries in 0.1 seconds from 26 ports with std dev 17746.18"

Another test:
$ dig +short @125.22.47.125 porttest.dns-oarc.net txt
Output:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"125.22.47.139 is POOR: 42 queries in 8.4 seconds from 1 ports with std dev 0.00"


FIX:

Run yum update:
yum update

Open named.conf and comment out the following two lines:
query-source port 53;
query-source-v6 port 53;

Make sure recursion is limited to your LAN only by setting an ACL. Restart BIND for the changes to take effect:
rndc reload

service named restart