Archive for the ‘ISPConfig 3’ Category
Debugging of ISPConfig 3 server actions in case of a failure
The follwing article describes the steps that can be taken to debug the ISPConfig 3 server scripts.
Enable the debug Loglevel in ISPConfig
Login to the ISPConfig intterface and set the log level to Debug under System > System > Server Config (see also chapter 4.9.2.2 of the ISPConfig 3 manual) for the affected server. After one or two minutes, there should be more detailed messages in ISPConfig’s system log (Monitor > System State (All Servers) > Show System-Log).
Disable the server.sh cronjob
Go to the command line of the server on which the error happens (on multiserver systems, it is often the slave and not the master) and run (as root):
crontab -e
Comment out the server.sh cron job:
#* * * * * /usr/local/ispconfig/server/server.sh > /dev/null >> /var/log/ispconfig/cron.log
Run the server script manually to get detailed debug output
Then run the command:
/usr/local/ispconfig/server/server.sh
This will display any errors directly on the command line which should help you to fix the error. If you have fixed
the error, please don’t forget to uncomment the server.sh cron job again.
Apache mod-security installation on Debian 6.0 (squeeze)
Install the apache mod-security 2 module with apt from the Debian repositories
apt-get install libapache-mod-security
Create the folder for the mod-security configuration files
mkdir /etc/apache2/mod-security
chmod 600 /etc/apache2/mod-security
Download and unpack the mod-security rules
cd /tmp
wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
tar fvx modsecurity-core-rules_2.5-1.6.1.tar.gz
mv *.conf /etc/apache2/mod-security/
ln -s /var/log/apache2 /etc/apache2/logs
Configure apache to load the activated mod-security rules
vi /etc/apache2/conf.d/mod-security.conf
Include /etc/apache2/mod-security/*.conf
To enable mod-security, edit the file
vi /etc/apache2/mod-security/modsecurity_crs_10_config.conf
and remove the # in front of the line:
SecDefaultAction “phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace”
Then reload apache.
/etc/init.d/apache2 force-reload
Mod security will now start to block hack attempts to your websites and log the actions in the file /var/log/apache2/modsec_audit.log.
tail /var/log/apache2/modsec_audit.log
You will see very likely some falsely blocked URL’s. To whitelist them, you can add the ID’s of the rules that should not be used in the whitelist file.
Example:
vi /etc/apache2/mod-security/modsecurity_crs_99_whitelist.conf
SecRuleRemoveById 960015
SecRuleRemoveById 960016
nginx server error: 413 Request Entity Too Large
The nginx webserver has a max. body size limit of 1 MB for requests as default. This might be too low for file uploads in scripts and you will see the following error message when you try to upload a file:
413 Request Entity Too Large
The configuration variable for this option is “client_max_body_size” and it can be set in the http, server and location sections of the nginx configuration file. To set the Limit globally to 25 MB, edit the nginx.conf file and add:
client_max_body_size 20M;
in the http section.
Example for Ubuntu Linux:
user www-data;
worker_processes 4;
pid /var/run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
geoip_country /etc/nginx/geoip/GeoIP.dat; # the country IP database
geoip_city /etc/nginx/geoip/GeoLiteCity.dat; # the city IP database
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048; client_max_body_size 20M;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}Enhanced e-mail SPAM protection in ISPConfig 3
The command below enables a stricter SPAM handling for postfix on ISPConfig 3 servers.
In Detail:
- Reject sender hostnames with invalid syntax
- Reject sender hostnames that are no fully qualified domains (e.g. reject “server1″ but allow server1.domain.tld)
- Reject sender domains that have no DNS records
- Check sender IP addresses against realtime blacklists.
First make a backup of the postfix main.cf file in case that you want to reverse the changes later:
cp -pf /etc/postfix/main.cf /etc/postfix/main.cf.bak
Then execute this command to enable the additional spam protection functions (the command is one line!).
postconf -e ‘smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination’
Then restart postfix:
/etc/init.d/postfix restart
How to change the welcome email message text in ISPConfig 3
As of ISPConfig 3.0.4, the text of the welcome email message that is sent to new email accounts is stored in the folder /usr/local/ispconfig/server/conf/mail/.
The message has this format:
————————————————————————
From: ISPConfig <postmaster@localhost.localdomain>
Subject: Welcome to your new email account.
Welcome to your new email account. Your webmaster.
————————————————————————
The first line starts with “From: ” followed by the sender email address. The second line starts with “Subject: ” followed by the email subject. The third line should be empty. All following lines are the email text.
The email text files are named “welcome_email_<language>.txt” where <language> has to be replaced with the system language like “en” for English or “de” for German language, e.g. “welcome_email_en.txt” for the english welcome email.
The customized language file should be stored in the folder /usr/local/ispconfig/server/conf-custom/mail/ so that it does not get overwritten by ISPConfig updates.
Webalizer: Error Opening file /usr/share/GeoIP/GeoIP.dat on Debian Linux
The webalizer package in Debain 6 has currently small bug as the required package for the GeoIP database is not installed automatically when webalizer is isntalled. The symptoms are that webalizer statistics are not created and this error message is displayed when webalizer is run:
Error Opening file /usr/share/GeoIP/GeoIP.dat
The solution is to install the missing package manually:
apt-get install geoip-database
Send all outgoing email trough one IP address in postfix
When a server has more then one IP address, then postfix will use all IP addresses randomly to send out emails. This can cause your emails to be listed as SPAM on other servers because the sending IP does not match the reverse IP of the server hostname. The solution is to bind postfix to the primary IP address of the server.
Edit the postfix main.cf file:
vi /etc/postfix/main.cf
and add the line:
smtp_bind_address = 192.168.0.1
were 192.168.0.1 has to be replaced with the primary IP address of the server. Then restart postfix:
/etc/init.d/postfix restart
Fix for Courier IMAP Error: check for configuration errors with the FAM/Gamin library
I’ve got the following error message on Debian Linux (6.0) with Courier IMAP server:
Filesystem notification initialization error -- contact your mail administrator (check for configuration errors with the FAM/Gamin library)
when I tried to access a IMAP share. The resaon for the problem seems to be that the “fam” package was not working correctly. The solution is to install the gamin package which can replace fam in a courier setup:
apt-get install gamin
Dont worry when you get a message from apt that libfam0 gets uninstalled but is required by courier. This had no geative effects on my server.
Prevent DOS attacks on apache webserver for DEBIAN linux with mod_evasive
The following guide explains the installation of the apache module “mod_evasive”. Mod_evasive tracks the number of requests of files at the apache webserver and blocks the delivery in case that a certain limit has been reached.
Installation
apt-get install libapache2-mod-evasive
Create the log directory for mod_evasive
mkdir -p /var/log/apache2/evasive
chown -R www-data:root /var/log/apache2/evasive
Now we add the configuration for the module at the end of the file /etc/apache2/mods-available/mod-evasive.load
vi /etc/apache2/mods-available/mod-evasive.load
so that it looks like this:
LoadModule evasive20_module /usr/lib/apache2/modules/mod_evasive20.so
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 5
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir “/var/log/apache2/evasive”
and restart apache:
/etc/init.d/apache2 restart
How to change the language of AWStats statistics on Debian Linux (ISPConfig 3)
To change the language of the website statistics generated by AWStats on a Debian Linux server to e.g. german (de), edit the /etc/awstats/awstats.conf file:
nano /etc/awstats/awstats.conf
and change the value of the “Lang” variable. To change the languge to e.g. German, cahnge:
Lang=”auto”
to
Lang=”de”
The website statistics are generated nightly on a ISPConfig 3 server, so it may take up to 24 hours until the statistics will show up in German language.
Thanks to PlaNet Fox for this FAQ.