Archive for the ‘ISPConfig 2’ Category

Apache mod_security settings for WordPress and ModX

Monday, January 7, 2013 posted by Till

If you use the apache mod_security module on your apache server, you might encounter wrong 403 errors for several URL’s of the cms systems. Here are some exception rules to avoid that:

For WordPress Blogs

<locationmatch "/wp-admin/admin-ajax.php">
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
</locationmatch>

<locationmatch "/wp-admin/page.php">
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
</locationmatch>

<locationmatch "/wp-admin/post.php">
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
</locationmatch>

For the ModX CMS

<LocationMatch "/manager/index.php">
SecRuleRemoveById 300016
</LocationMatch>

<LocationMatch “/connectors/resource/index.php”>
SecRuleRemoveById 300013 300014 300015 300016
</LocationMatch>

<LocationMatch “/connectors/element/tv.php”>
SecRuleRemoveById 300013 300016
</LocationMatch>

Add these rules inside the vhost file of the website. If you use ISPConfig to manage the server, then add the rules in the apache directives field of the website settings in ispconfig.

Many thanks to PlanetFox for providing the rules.

If you have a local mail server installed and change your server controlpanel to ISPConfig 3, having used ISPConfig 2 in the past, you may have to change the value that defines the form field observed by all functions in need of the address that mails are supposed to be delivered to (catchalls, etc.) on your mail server preferences since the identifier has changed from X-Delivered-To to Delivered-To in ISPConfig 3; otherwise the system won’t be able to find the necessary information in the mails’ headers.

Restart the server afterwards and you should find it working again.

Thanks to Alexander Fox for this post!

Update to latest Spamassassin filter rules in ISPConfig 2

Thursday, October 27, 2011 posted by Till

The ISPConfig 2 controlpanel installs its own copy of Spamassassin in the folder /home/admispconfig/ispconfig/tools/spamassassin . To update the Spamassassin filter rules in ISPConfig 2, run this command as root user:

/home/admispconfig/ispconfig/tools/spamassassin/usr/bin/sa-update

To test if Spamassassin works with the new ruleset, run this command:

/home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin –lint

If it does not return an error message, then Spamassassin is working correctly.

The webalizer package in Debain 6 has currently small bug as the required package for the  GeoIP database is not installed automatically when webalizer is isntalled. The symptoms are that webalizer statistics are not created and this error message is displayed when webalizer is run:

Error Opening file /usr/share/GeoIP/GeoIP.dat

The solution is to install the missing package manually:

apt-get install geoip-database

Send all outgoing email trough one IP address in postfix

Tuesday, October 25, 2011 posted by Till

When a server has more then one IP address, then postfix will use all IP addresses randomly to send out emails. This can cause your emails to be listed as SPAM on other servers because the sending IP does not match the reverse IP of the server hostname. The solution is to bind postfix to the primary IP address of the server.

Edit the postfix main.cf file:

vi /etc/postfix/main.cf

and add the line:

smtp_bind_address = 192.168.0.1

were 192.168.0.1 has to be replaced with the primary IP address of the server. Then restart postfix:

/etc/init.d/postfix restart

I’ve got the following error message on Debian Linux (6.0) with Courier IMAP server:

Filesystem notification initialization error -- contact your mail
administrator (check for configuration errors with the FAM/Gamin library)

when I tried to access a IMAP share. The resaon for the problem seems to be that the “fam” package was not working correctly. The solution is to install the gamin package which can replace fam in a courier setup:

apt-get install gamin

Dont worry when you get a message from apt that libfam0 gets uninstalled but is required by courier. This had no geative effects on my server.

The following guide explains the installation of the apache module “mod_evasive”. Mod_evasive tracks the number of requests of files at the apache webserver and blocks the delivery in case that a certain limit has been reached.

Installation

apt-get install libapache2-mod-evasive

Create the log directory for mod_evasive

mkdir -p /var/log/apache2/evasive
chown -R www-data:root /var/log/apache2/evasive

Now we add the configuration for the module at the end of the file /etc/apache2/mods-available/mod-evasive.load

vi /etc/apache2/mods-available/mod-evasive.load

so that it looks like this:

LoadModule evasive20_module /usr/lib/apache2/modules/mod_evasive20.so

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 5
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir “/var/log/apache2/evasive”

and restart apache:

/etc/init.d/apache2 restart

How to solve the PHP XCache error: /dev/zero: No space left on device

Wednesday, September 1, 2010 posted by Till

If you get the error “/dev/zero: No space left on device” in the apache error.log on a OpenVZ virtual machine, then the shared memory size in the xcache.ini is too high or the xcache.mm_path is set wrong.

Edit the file /etc/php5/conf.d/xcache.ini

vi /etc/php5/conf.d/xcache.ini

and check the mm_path. On a OpenVZ virtual machine it should be set to “/tmp/xcache” as /dev/zero might not work correctly in a virtual machine:

xcache.mmap_path = “/tmp/xcache”

Then restart apache2:

/etc/init.d/apache2 restart

and check if the error has been resolved.

If the roor still occurs after some time, you will have to reduce the xcache.size.

Edite the xcache.ini file:

vi /etc/php5/conf.d/xcache.ini

and set xcache.size to e.g. 8 MB

xcache.size  =                8M

Then restart apache2:

/etc/init.d/apache2 restart

Secure /tmp and /dev/shm directories in a OpenVZ enviroment

Tuesday, August 31, 2010 posted by Till

The /tmp and /dev/shm directories of a OpenVZ virtual machine shall be mounted without suid and exec permissions. To achieve this, create a a shell script on the host server for every virtual machine which contains the commands to remount the directories. This script will be started automatically by openvz when the VM is started.

I will use VPSID as placeholder for the ID of the virtual machine in the commands and the script. Replace VPSID with the id of the virtual machine that you want to create the script for, e.g. replace VPSID with 101.

Create the script:

vi /etc/vz/conf/VPSID.mount

and insert the following lines:

#!/bin/bash
mount -n –bind -onosuid,noexec /vz/vps/VPSID/tmp /vz/root/VPSID/tmp
mount -n –bind -onosuid,noexec /vz/vps/VPSID/shm /vz/root/VPSID/dev/shm
exit ${?}

now make the sscript executable:

chmod 700 /etc/vz/conf/VPSID.mount

Migrate physical server system to OpenVZ virtual machine

Tuesday, August 31, 2010 posted by Till

In case you plan to virtualize your server infrastructure and migrate physical servers to OpenVZ virtual machines, you may find this tutorial helpful:

http://wiki.openvz.org/Physical_to_container

I used this to migrate a ISPConfig Debian system to OpenVZ successfully.