How to add PHP support for jailed SSH users in ISPConfig 3

Jailkit is an easy-to-use tool to create and maintain jail environments for shell users on Linux. In this guide, I will show you how to move PHP and its dependencies into the jail so that the jailed user can execute PHP scripts inside the jail.

How to Backup OpenVZ Containers with vzdump on CentOS 6

OpenVZ is a Linux-based kernel virtualization technology developed by SWSoft for its commercial product Virtuozzo. The modified Linux kernel and the system utilities are released under an open-source license. Vzdump is a shell-based backup program for OpenVZ virtual machines. It is made for containers that use the traditional "simfs" filesystem; it cannot be used for containers with the "ploop" filesystem.


How to use IPTables on CentOS 7

CentOS 7 replaced the traditional IPTables Linux kernel firewall with the Firewalld service. There are still a lot of scripts available that require the use of IPTables. A common example is the software Fail2ban.

In this guide, I will explain the installation of IPTables on CentOS 7.x.

The first step is to stop and mask the firewalld service:

systemctl stop firewalld
systemctl mask firewalld

Then install the "iptables-services" package with the yum package installer:

yum install iptables-services

And enable the new service:

systemctl enable iptables

IPTables is now ready to be used on your server. For example, you can now block an external IP address with the iptables command:

iptables -A INPUT -s 192.168.0.10 -j DROP

Rules that you set with iptables persist only until the next reboot. To save them permanently, use the following command:

service iptables save
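
A check for the persistence step above, as an added example that is not part of the original guide: it lists rules that are in the running ruleset but missing from the saved file. It assumes the iptables-services save path /etc/sysconfig/iptables; the function and sample names are hypothetical.

```shell
#!/bin/bash
# Added example: list rules that are active now but missing from the saved
# file, i.e. rules that would disappear on the next reboot.
# Assumption: "service iptables save" writes /etc/sysconfig/iptables.

# unsaved_rules RUNNING_FILE SAVED_FILE  (both in iptables-save format)
# Prints "<table> <rule>" for each -A rule found only in RUNNING_FILE.
unsaved_rules() {
    awk '
        # Strip "[packets:bytes] " counters so -c output compares equal.
        { line = $0; sub(/^\[[0-9]+:[0-9]+\] /, "", line) }
        /^\*/ { table = substr($0, 2); next }        # "*filter" opens a table
        line ~ /^-A / {
            key = table " " line
            if (FILENAME == ARGV[1]) saved[key] = 1  # first file: saved set
            else if (!(key in saved)) print key      # second file: running
        }
    ' "$2" "$1"
}

# Constructed sample data, not taken from a real host.
sample_saved() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}
sample_running() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.10/32 -j DROP
COMMIT
EOF
}

tmp=$(mktemp -d)
sample_running > "$tmp/running"; sample_saved > "$tmp/saved"
unsaved_rules "$tmp/running" "$tmp/saved"   # prints the unsaved DROP rule
rm -rf "$tmp"
# On a live host (as root): iptables-save > /tmp/running.rules
#   unsaved_rules /tmp/running.rules /etc/sysconfig/iptables
```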

How to change the Hostname on CentOS 7

The easiest way to change the hostname on CentOS 7 is to use the hostnamectl command.

First I will check the current hostname by running "hostnamectl status" on the shell of my server:

hostnamectl status

The output on my system is:

[root@server1 ~]# hostnamectl status
   Static hostname: server1.example.com
         Icon name: computer-vm
           Chassis: vm
        Machine ID: d89865d34b5a4637a9a4ff0ce0f6da02
           Boot ID: 56d1685056d743b39e57a7b9cbfe467c
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-123.el7.x86_64
      Architecture: x86_64

Then I change the hostname to server2.example.com with the set-hostname option of the hostnamectl command:

hostnamectl set-hostname server2.example.com

Afterward, I check with the commands hostname and hostname -f whether the hostname change has succeeded.

hostname
hostname -f

The result should be:

[root@server1 ~]# hostname
server2.example.com
[root@server1 ~]# hostname -f
server2.example.com

Instead of the hostname command you could also use the "hostnamectl status" command again to check if the new hostname has been set:

[root@server1 ~]# hostnamectl status
   Static hostname: server2.example.com
         Icon name: computer-vm
           Chassis: vm
        Machine ID: d89865d34b5a4637a9a4ff0ce0f6da02
           Boot ID: 56d1685056d743b39e57a7b9cbfe467c
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-123.el7.x86_64
      Architecture: x86_64

How to Copy Files with SCP between Linux Servers

1.1 SCP Command Line - An Overview

The SCP command line is commonly used to copy files securely over SSH between popular operating systems like Linux, Mac and Windows. SCP is used to copy files to and from a remote server. It also allows you to copy files from one remote server to another remote server, without passing traffic through your PC.


Solution for dovecot error: /path/ is no longer mounted. If this is intentional, remove it with doveadm mount

Dovecot watches the whole server filesystem for modifications and for sub-filesystems that are added or removed. If you get errors similar to this one on your server:

Aug 30 09:10:23 server1 dovecot: master: Warning: /var/www/clients/client1/web1/log is no longer mounted. If this is intentional, remove it with doveadm mount

(the directory path may vary), then you can fix it by excluding the path from being watched by Dovecot. In my case, Dovecot should not watch my website directories, as they do not contain any mailboxes.

Run the following command on the shell as root user:

doveadm mount add '/var/www/*' ignore

This excludes all files and folders in /var/www from Dovecot monitoring.

 

Solution for amavisd error – TROUBLE in process_request: Error writing a SMTP response to the socket: Broken pipe – on OpenVZ server

If you get error messages from amavisd similar to the one posted below on a server which is virtualized with OpenVZ:

Mar  5 09:09:02 v100 amavis[17378]: (17378-14) (!!)TROUBLE in process_request: Error writing a SMTP response to the socket: Broken pipe at (eval 100) line 987, <GEN44> line 31.

then the issue can be caused by the NUMTCPSOCK value in the OpenVZ limits. Even if the barrier of this limit was never met in /proc/user_beancounters, the above error occurs when more than 25% of all TCP sockets were used. The solution is to set the NUMTCPSOCK barrier and limit to a high value in the OpenVZ container configuration file. Here is a value that worked for me on a moderately used mail server:

NUMTCPSOCK="2000:2000"

Finally, restart the OpenVZ VM to apply the new limit value.
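
A way to see how close a container is to the 25% mark described above, as an added example that is not part of the original post: it reads the numtcpsock line of a beancounters file and compares peak usage with the barrier. The function name, the sample data and the default threshold argument are assumptions made for this example.

```shell
#!/bin/bash
# Added example: show how close each container is to the 25% mark that the
# post above associates with the amavisd "Broken pipe" error.
# Assumption: input has the /proc/user_beancounters column layout
#   [uid:] resource held maxheld barrier limit failcnt

# tcpsock_usage FILE [THRESHOLD_PCT]
# Prints one line per container; peak usage (maxheld) is compared with the
# barrier, because failcnt stays 0 in the situation the post describes.
tcpsock_usage() {
    awk -v limit="${2:-25}" '
        $1 ~ /^[0-9]+:$/ { ctid = substr($1, 1, length($1) - 1) }
        {
            # The resource name is field 2 on a "uid:" line, else field 1.
            for (i = 1; i <= 2; i++) if ($i == "numtcpsock") {
                held = $(i + 1); maxheld = $(i + 2); barrier = $(i + 3)
                pct = (barrier > 0) ? int(maxheld * 100 / barrier) : 0
                printf "%s held=%d maxheld=%d barrier=%d used=%d%% %s\n",
                    ctid, held, maxheld, barrier, pct,
                    (pct > limit) ? "OVER" : "ok"
            }
        }
    ' "$1"
}

# Constructed sample in user_beancounters layout, not from a real host.
sample_beancounters() {
cat <<'EOF'
Version: 2.5
       uid  resource           held    maxheld    barrier      limit    failcnt
      100:  kmemsize        5125208    5780480   14372700   14790164          0
            numtcpsock           96        131        360        360          0
            numflock              3          9        188        206          0
      101:  kmemsize        4002113    4410021   14372700   14790164          0
            numtcpsock           40        120       2000       2000          0
EOF
}

f=$(mktemp)
sample_beancounters > "$f"
tcpsock_usage "$f"      # container 100 is over 25%, container 101 is not
rm -f "$f"
# On the OpenVZ host (as root): tcpsock_usage /proc/user_beancounters
```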

 

Apache mod_security settings for WordPress and ModX

If you use the Apache mod_security module on your Apache server, you might encounter false 403 errors for several URLs of these CMS systems. Here are some exception rules to avoid that:

For WordPress Blogs

<LocationMatch "/wp-admin/admin-ajax.php">
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
</LocationMatch>

<LocationMatch "/wp-admin/page.php">
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
</LocationMatch>

<LocationMatch "/wp-admin/post.php">
SecRuleRemoveById 300013
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
</LocationMatch>

For the ModX CMS

<LocationMatch "/manager/index.php">
SecRuleRemoveById 300016
</LocationMatch>

<LocationMatch "/connectors/resource/index.php">
SecRuleRemoveById 300013 300014 300015 300016
</LocationMatch>

<LocationMatch "/connectors/element/tv.php">
SecRuleRemoveById 300013 300016
</LocationMatch>

Add these rules inside the vhost file of the website. If you use ISPConfig to manage the server, then add the rules in the Apache Directives field of the website settings in ISPConfig.

Many thanks to PlanetFox for providing the rules.
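
LocationMatch takes a regular expression that may match anywhere in the URL path, and an unescaped dot matches any character, so each exception above also switches the listed rules off for other paths that contain the pattern. The following audit, an added example that is not part of the original post, reports such blocks so the pattern can be tightened (for example with an escaped dot and an end anchor); the function name and the sample vhost are hypothetical.

```shell
#!/bin/bash
# Added example: find rule exceptions whose <LocationMatch> regex is looser
# than the single script it is meant for.
# Assumption: the pattern is written in double quotes, as in the post above.

# loose_exceptions VHOST_FILE
# Prints "<pattern>: <reasons>" for every LocationMatch block that contains
# SecRuleRemoveById and whose pattern has an unescaped dot or no "$" anchor.
loose_exceptions() {
    awk '
        { low = tolower($0) }                    # directives ignore case
        low ~ /^[ \t]*<locationmatch[ \t]/ {
            pat = $0
            sub(/^[^"]*"/, "", pat); sub(/".*$/, "", pat)  # keep quoted text
            removes = 0; next
        }
        low ~ /^[ \t]*secruleremovebyid[ \t]/ && pat != "" { removes = 1 }
        low ~ /^[ \t]*<\/locationmatch>/ {
            if (removes) {
                why = ""; bare = pat
                gsub(/\\\./, "", bare)           # remove escaped dots "\."
                if (index(bare, ".")) why = why " unescaped-dot"
                if (pat !~ /\$$/)     why = why " no-end-anchor"
                if (why != "") print pat ":" why
            }
            pat = ""
        }
    ' "$1"
}

# Constructed vhost fragment; rule id 300013 is one of the ids used above.
sample_vhost() {
cat <<'EOF'
<locationmatch "/wp-admin/post.php">
SecRuleRemoveById 300013
</locationmatch>
<LocationMatch "/wp-admin/admin-ajax\.php$">
SecRuleRemoveById 300013
</LocationMatch>
<LocationMatch "/server-info">
Require all denied
</LocationMatch>
EOF
}

f=$(mktemp)
sample_vhost > "$f"
loose_exceptions "$f"    # reports only the first block
rm -f "$f"
```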