Archive for the ‘Ubuntu’ Category
How to enable DKIM email signatures in amavisd-new and ISPConfig 3
DKIM is a system to verify the sender domain and the integrity of emails: the sending server signs each message with a private key and publishes the matching public key in DNS. ISPConfig 3 uses amavisd-new as the content filter for spam and virus scanning, and amavisd-new (2.6.0 or later) can also sign messages with DKIM. The next steps explain how to configure amavisd-new to sign messages for a domain named "example.com". They should work with any amavisd-new setup, even if you do not use ISPConfig.
1) Create the domain key:
mkdir /var/db/dkim/
amavisd genrsa /var/db/dkim/example-foo.key.pem
The private key must be readable by the user amavisd-new runs as (amavis on Debian and Ubuntu) and by nobody else: anyone who can read it can sign mail as example.com.
2) Configure amavisd to use this key for the domain example.com. Edit the amavisd configuration file (Debian and Ubuntu split the configuration into /etc/amavis/conf.d/ instead; local settings go into 50-user there)
vi /etc/amavisd/amavisd.conf
and add the following lines. The second argument of dkim_key() is the selector; it determines the DNS name the public key is published under (foo._domainkey.example.com):
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
# domain, selector, private key file
dkim_key('example.com', 'foo', '/var/db/dkim/example-foo.key.pem');
@dkim_signature_options_bysender_maps = (
  { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
  192.168.0.0/16); # list your internal networks
3) Run the command:
amavisd showkeys
to print the public key as a TXT record in zone-file format for foo._domainkey.example.com; add it to the DNS zone of example.com.
4) Test the setup with the command:
amavisd testkeys
It looks the record up in DNS, so allow for zone propagation first. If the key is reported as found, restart amavisd:
/etc/init.d/amavis restart
Here is a more detailed description in the amavisd-new manual on how to setup DKIM in amavisd-new:
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
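The check a practitioner wants after step 3 is that the record DNS actually serves matches the key amavisd signs with. The following script is an added example, not part of the original post or of amavisd-new: it turns a public key into the TXT record to publish and compares the p= value of a record as dig prints it (quoted and split into chunks, because one DNS character string holds at most 255 bytes) with the local key. It assumes the selector "foo" and domain "example.com" from the dkim_key() line above; openssl is only needed for the private-key helper. The sample key and DNS strings are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the original post): build the DKIM TXT record
# from the key's public half and verify what DNS publishes against it.

# p= value (public key as one base64 string) from a PEM private key.
# Needs openssl; not exercised by the sample run below.
dkim_p_from_key() {
    openssl rsa -in "$1" -pubout 2>/dev/null | sed '/^-----/d' | tr -d '\n'
}

# Same, from the PEM text of a public key passed as an argument
# (what "openssl rsa -pubout" prints).
dkim_p_from_pubkey_pem() {
    printf '%s\n' "$1" | sed '/^-----/d' | tr -d '\n'
}

# Zone-file line to publish for selector $1, domain $2 and p= value $3.
dkim_txt_record() {
    printf '%s._domainkey.%s. IN TXT "v=DKIM1; k=rsa; p=%s"\n' "$1" "$2" "$3"
}

# p= value from a TXT record as "dig +short TXT" prints it: quoted and
# possibly split into several "..." chunks. Chunks are joined, blanks
# dropped, then the tags are split on ";" and the p tag selected.
dkim_p_from_dns() {
    printf '%s\n' "$1" | sed -e 's/" *"//g' -e 's/"//g' | tr -d '[:blank:]' \
        | tr ';' '\n' | sed -n 's/^p=//p'
}

# 0 when the published record carries exactly the local public key $1.
dkim_record_matches() {
    [ -n "$1" ] && [ "$(dkim_p_from_dns "$2")" = "$1" ]
}

# Constructed sample input; the base64 body is a placeholder, not a key.
SAMPLE_PUBKEY='-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxxxxSAMPLExxxx
yyyyNOTAREALKEYyyyy
zzzzDOnotUSEzzzzQIDAQAB
-----END PUBLIC KEY-----'

# Constructed stand-in for: dig +short TXT foo._domainkey.example.com
SAMPLE_DNS='"v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxxxxSAMPLExxxxyyyyNOT" "AREALKEYyyyyzzzzDOnotUSEzzzzQIDAQAB"'

LOCAL_P=$(dkim_p_from_pubkey_pem "$SAMPLE_PUBKEY")
dkim_txt_record foo example.com "$LOCAL_P"
if dkim_record_matches "$LOCAL_P" "$SAMPLE_DNS"; then
    echo "DNS record matches the local key"
else
    echo "DNS record does NOT match the local key" >&2
fi
```

On a live server replace SAMPLE_DNS with the output of dig +short TXT foo._domainkey.example.com and LOCAL_P with dkim_p_from_key /var/db/dkim/example-foo.key.pem; a mismatch means signatures will fail verification at the receiver even though amavisd testkeys may already report the record as present.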
How to convert filenames or text to lowercase on the shell
There is no simple tolower command in bash, but a small shell script can convert uppercase characters to lowercase. The script uses the tr command internally to convert the characters.
Create a shell script with the name tolower:
vi /usr/local/bin/tolower
and enter the following content:
#!/bin/sh
# Print all arguments as one string, converted to lowercase.
printf '%s\n' "$*" | tr '[:upper:]' '[:lower:]'
Then make the script executable:
chmod +x /usr/local/bin/tolower
And test it by executing this command on the shell:
tolower "Thats a Test"
will convert the string to lowercase and show the result on the shell:
thats a test
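The heading promises lowercase file names as well, and renaming is where the naive loop bites: two names that differ only in case collapse into one and the second file overwrites the first. The function below is an added example, not code from the original post; it reuses the tr call of the tolower script, renames the entries of one directory and refuses to clobber an existing file. The directory layout in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): lowercase file names safely.

# Lowercase all arguments, as the tolower script above does.
to_lower() {
    printf '%s\n' "$*" | tr '[:upper:]' '[:lower:]'
}

# Rename every entry directly inside directory $1 to its lowercase form.
# Entries whose lowercase name already exists are left alone and reported
# on stderr, so "Photo.JPG" never silently replaces "photo.jpg".
# Prints one "renamed OLD -> NEW" line per rename.
lowercase_filenames() {
    dir=$1
    for path in "$dir"/*; do
        [ -e "$path" ] || continue            # empty directory: glob stays literal
        name=${path##*/}
        lower=$(to_lower "$name")
        if [ "$name" = "$lower" ]; then
            continue                           # already lowercase
        fi
        if [ -e "$dir/$lower" ]; then
            printf 'skip %s: %s already exists\n' "$name" "$lower" >&2
            continue
        fi
        mv -- "$path" "$dir/$lower" || return 1
        printf 'renamed %s -> %s\n' "$name" "$lower"
    done
}

# Usage: lowercase_filenames /path/to/directory
```

The loop only touches the directory itself, not its subdirectories; on a case-insensitive file system the mv fails for names that differ only in case, which the return code reports.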
Blocking .exe attachments with postfix or amavisd-new and ISPConfig 3
If you use Postfix and/or amavisd-new on the mail server, the following recipes block emails with executable (exe, bat, scr) attachments. The Postfix header check only sees the file name the sender declares in the MIME header, so an executable inside a zip archive or one renamed to another extension passes it; amavisd-new also looks inside archives it can unpack (when the needed decoders are installed) and matches the detected content type, so the second recipe is the stronger one.
Block the attachments with a postfix header filter
In ISPConfig, click on "Email" in the upper menu, then on "Content filter" in the left menu and click on the "Add new content filter" button. Enter the following details:
Filter:
MIME-Header Filter
Regexp. Pattern:
/^Content-(Disposition|Type).*name\s*=\s*"?(.*\.(bat|exe|scr))(\?=)?"?\s*(;|$)/x
Data:
File extension is blacklisted on this server
Action:
DISCARD
DISCARD accepts the message and silently drops it; use REJECT instead if the sender should get a bounce saying why. Postfix regexp tables match case-insensitively by default, so the pattern also catches .EXE.
Use amavisd-new to block the emails with executable attachments.
Edit the amavisd configuration file (/etc/amavisd.conf or /etc/amavisd/amavisd.conf)
vi /etc/amavisd/amavisd.conf
and add the following lines:
$banned_filename_re = new_RE(
  qr'.\.(bat|exe|scr)$'i,        # file names ending in these extensions, also inside archives
  qr'^\.(exe|zip|lha|tnef)$'i,   # content types detected with file(1): bans these types regardless of the file name
);
then restart amavisd-new:
/etc/init.d/amavis restart
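Before pointing a DISCARD rule at production mail it pays to see what the header filter above matches and what it lets through. The script below is an added example, not from the original post or ISPConfig: it runs the same pattern over constructed MIME header lines. grep -E -i stands in for the Postfix regexp table (which is case-insensitive by default) and [[:space:]] replaces the PCRE \s; the sample headers are made up for the test.

```shell
#!/bin/sh
# Added example (not from the original post): exercise the attachment
# header filter against sample Content-Disposition/Content-Type lines.

BLOCKED_EXT='bat|exe|scr'
# ERE form of the header_checks pattern above.
MIME_RE='^Content-(Disposition|Type).*name[[:space:]]*=[[:space:]]*"?(.*\.('"$BLOCKED_EXT"'))(\?=)?"?[[:space:]]*(;|$)'

# Print "blocked" when header line $1 matches the filter, "allowed" otherwise.
attachment_verdict() {
    if printf '%s\n' "$1" | grep -Eiq -- "$MIME_RE"; then
        echo blocked
    else
        echo allowed
    fi
}

# Constructed sample headers, not taken from real mail. The last two show
# the filter's blind spots: a double extension and an archive.
SAMPLE_HEADERS='Content-Disposition: attachment; filename="invoice.exe"
Content-Type: application/octet-stream; name=Setup.SCR
Content-Disposition: attachment; filename="=?UTF-8?Q?report.bat?="
Content-Disposition: attachment; filename="tools.exe"; size=4096
Content-Disposition: attachment; filename="notes.exe.txt"
Content-Type: application/zip; name="build.zip"'

printf '%s\n' "$SAMPLE_HEADERS" | while IFS= read -r line; do
    printf '%-8s %s\n' "$(attachment_verdict "$line")" "$line"
done
```

The RFC 2047 encoded name (=?UTF-8?Q?report.bat?=) is caught because of the (\?=)? group; the zip passes, which is exactly the case the amavisd-new rule's second pattern covers.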
Solve error message: PHP Startup: Unable to load dynamic library htscanner.so
If you get the following error message on Ubuntu when you run PHP scripts from the command line:
PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/lib/php5/20060613+lfs/htscanner.so’ – /usr/lib/php5/20060613+lfs/htscanner.so: cannot open shared object file: No such file or directory in Unknown on line 0
Then edit the file /etc/php5/cli/php.ini:
vi /etc/php5/cli/php.ini
and remove the lines:
[htscanner]
Extension = “htscanner.so”
config_file = “.htaccess”
default_docroot = “/var/www”
The htscanner module only works for scripts executed by the web server (it reads PHP settings from .htaccess files), not for command-line scripts, so nothing is lost by removing it from the CLI configuration.
Postfix: “queue file write error”
If you get an error like:
Aug 21 12:41:03 webb4 postfix/sendmail[11234]: fatal: web1_user(12967): queue file write error
in your mail log, then the value of message_size_limit in the Postfix main.cf is too low; usually a "postdrop: warning: uid=...: File too large" line appears right before it. Edit main.cf:
vi /etc/postfix/main.cf
and set the message size limit to a higher value, e.g. (about 900 MB; pick the smallest value that fits your needs, since every accepted message is held in the queue):
message_size_limit = 900000000
If there is no message_size_limit line in main.cf, just add it (postconf -e can do the edit for you). Keep mailbox_size_limit at 0 or at least as large as message_size_limit, otherwise local delivery refuses to start. Then restart Postfix:
/etc/init.d/postfix restart
If raising the limit does not help, the same error also appears when the file system holding /var/spool/postfix is full or not writable; check the lines around it in the mail log.
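Postfix reads the last assignment of a parameter in main.cf, and a raised message_size_limit is only half the fix when mailbox_size_limit stays below it. The script below is an added example, not from the original post: it extracts both values from a main.cf the way Postfix resolves them (last assignment wins, compiled-in defaults otherwise) and flags the combination local(8) rejects. The main.cf contents used in the comments and test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the size limits
# in a Postfix main.cf.

# Effective value of parameter $2 in main.cf $1; $3 is the compiled-in
# default used when the parameter is not set. Comment and continuation
# lines are skipped and the last assignment wins, as in Postfix.
main_cf_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        /^[ \t]/ { next }                       # continuation of a previous value
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v; seen = 1
        }
        END { print (seen ? val : def) }
    ' "$1"
}

# Return 1 when mailbox_size_limit is set (non-zero) but smaller than
# message_size_limit, the configuration Postfix local delivery refuses.
# Defaults are Postfix's own: 10240000 and 51200000 bytes.
postfix_size_check() {
    msg=$(main_cf_value "$1" message_size_limit 10240000)
    box=$(main_cf_value "$1" mailbox_size_limit 51200000)
    if [ "$box" -ne 0 ] && [ "$box" -lt "$msg" ]; then
        printf 'mailbox_size_limit (%s) is smaller than message_size_limit (%s)\n' "$box" "$msg"
        return 1
    fi
    printf 'message_size_limit=%s mailbox_size_limit=%s ok\n' "$msg" "$box"
}

# Usage: postfix_size_check /etc/postfix/main.cf
```

Setting message_size_limit = 900000000 as in the example above while leaving mailbox_size_limit at its default is exactly the case the check reports.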
Set stricter PHP settings to secure joomla and wordpress installations
If you run a Joomla or WordPress installation with mod_php, the following settings in the vhost configuration file or in the "Apache directives" field in ISPConfig set a stricter security policy. This limits the impact of a possible compromise of the website and protects the other sites on the server.
php_admin_value disable_functions “show_source system shell_exec passthru exec phpinfo popen proc_open”
php_admin_flag allow_url_fopen Off
php_admin_value session.save_path “/var/www/webXXX/phptmp/”
php_admin_value open_basedir “/var/www/webXXX/:/tmp”
Explanation
disable_functions disables functions with a security impact, e.g. because they execute external programs. PHP's manual states that this directive belongs in php.ini, and some PHP versions ignore it when it is set per vhost, so verify with a small test script that calls one of the listed functions: it must fail with a "has been disabled for security reasons" warning. allow_url_include Off is worth adding for the same reason as the next setting.
allow_url_fopen Off disables opening files via a URL, which removes a common remote file inclusion vector.
session.save_path sets the directory where PHP stores its session files. For ISPConfig 2 the path is e.g. "/var/www/webXXX/phptmp/" and for ISPConfig 3 it is like "/var/www/clients/client1/web1/tmp/". If you do not use ISPConfig, set it to a directory that is writable for the web server user and unique for every website: with one shared session directory, a compromised site can read and hijack the sessions of every other site on the server.
open_basedir sets the directories in which PHP scripts are allowed to open files. For ISPConfig 2 the path is like "/var/www/webXXX/" and for ISPConfig 3 like "/var/www/clients/client1/web1/". If you do not use ISPConfig, set it to the root directory of the vhost. With ":/tmp" we additionally allow the scripts to use the server's /tmp directory; since /tmp is shared by all sites, the per-site session.save_path above keeps the session files out of it. php_admin_value and php_admin_flag cannot be overridden from .htaccess or ini_set(), which is why they are used here instead of php_value.
Configure fail2ban to use route instead of iptables to block connections
Fail2ban uses iptables by default to block clients that exceed the maximum number of login retries. Its iptables rules can conflict with an existing firewall setup, so it can be necessary to reconfigure fail2ban to block with the route command instead: a route of type unreachable makes the kernel drop every packet the server would send to that address, so the attacker's connection attempts never complete. Newer fail2ban releases ship an action.d/route.conf of their own; check whether the file already exists before overwriting it, and verify a ban with "ip route show" afterwards.
To reconfigure fail2ban for using the route command instead of iptables, edit or create the route.conf file:
vi /etc/fail2ban/action.d/route.conf
And insert the following lines:
# Fail2Ban configuration file
[Definition]
actionban = ip route add unreachable <ip>
actionunban = ip route del unreachable <ip>
Then add or change the banaction in the jail.local file in the [DEFAULT] section to “route”:
vi /etc/fail2ban/jail.local
And add or edit these lines:
# Fail2Ban configuration file
[DEFAULT]
banaction = route
Backup and restore mysql databases on the shell
One way to back up a MySQL database on the shell is the mysqldump command, which writes the database as a series of SQL statements.
Backup
mysqldump -u root -p mydatabase > /tmp/backup_mydatabase.sql
This command writes a backup of the database named "mydatabase" to the file /tmp/backup_mydatabase.sql. /tmp is readable by every user on the server and the dump contains all data of the database, so on a shared server write it to a directory only you can read. The bare -p makes mysqldump prompt for the password; appending it to -p on the command line would expose it in the process list.
Restore
To restore the backup, use the command (the target database must already exist, because a dump made without --databases contains no CREATE DATABASE statement):
mysql -u root -p mydatabase < /tmp/backup_mydatabase.sql
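The two weak spots of the one-liner above, a world-readable dump in /tmp and a password on the command line, disappear with a few lines of shell. The functions below are an added example, not from the original post; they assume the MySQL credentials live in ~/.my.cnf (a [client] section with user and password) so that neither -u nor -p is needed, and that the caller names a directory only the backup user can enter.

```shell
#!/bin/sh
# Added example (not from the original post): owner-only, dated, compressed
# backups with mysqldump, and the matching restore.

# Dump database $1 into directory $2 as a dated, gzip-compressed file that
# only the owner can read. Prints the backup path; returns 1 on failure.
# The body runs in a subshell so the umask does not leak into the caller.
mysql_backup() (
    db=$1
    dir=$2
    umask 077                                   # new files are 0600, new dirs 0700
    mkdir -p "$dir" || exit 1
    out="$dir/$db-$(date +%Y%m%d-%H%M%S).sql.gz"
    tmp="$out.tmp"
    # Dump to a temporary file first: in "mysqldump | gzip" only gzip's exit
    # status is visible, so a failed dump could leave a truncated backup.
    # --single-transaction gives a consistent InnoDB snapshot without locking.
    if ! mysqldump --single-transaction "$db" > "$tmp"; then
        rm -f "$tmp"
        exit 1
    fi
    gzip -c "$tmp" > "$out" || { rm -f "$tmp" "$out"; exit 1; }
    rm -f "$tmp"
    printf '%s\n' "$out"
)

# Restore backup file $1 into database $2, which must already exist.
mysql_restore() {
    gzip -dc "$1" | mysql "$2"
}

# Usage: mysql_backup mydatabase /var/backups/mysql
#        mysql_restore /var/backups/mysql/mydatabase-20240101-020000.sql.gz mydatabase
```

Run it from cron as a dedicated backup user with its own ~/.my.cnf (mode 0600) that holds a read-only MySQL account; the dumps then never inherit the root password or world-readable permissions.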
Linux: Get detailed information about server hardware and partitions on the shell
To get detailed information on the CPU, use this command (on current systems, lscpu prints a summary of the same data):
cat /proc/cpuinfo
The output will look similar to this:
processor : 0
vendor_id : AuthenticAMD
cpu family : 15
model : 107
model name : AMD Athlon(tm) 64 X2 Dual Core Processor 5600+
stepping : 2
cpu MHz : 2900.171
cache size : 512 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 2
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt lm 3dnowext 3dnow pni cx16 lahf_lm cmp_legacy svm cr8legacy ts fid vid ttp tm stc
bogomips : 5945.45
Get detailed information on memory usage (free -m gives the short version):
cat /proc/meminfo
MemTotal: 4116112 kB
MemFree: 470164 kB
Buffers: 154592 kB
Cached: 1658332 kB
SwapCached: 488 kB
Active: 2304500 kB
Inactive: 1017644 kB
HighTotal: 3243840 kB
HighFree: 183672 kB
LowTotal: 872272 kB
LowFree: 286492 kB
SwapTotal: 4200888 kB
SwapFree: 4197128 kB
Dirty: 4764 kB
Writeback: 0 kB
AnonPages: 1378960 kB
Mapped: 135580 kB
Slab: 289720 kB
PageTables: 16680 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
CommitLimit: 6258944 kB
Committed_AS: 3779921956 kB
VmallocTotal: 118776 kB
VmallocUsed: 11892 kB
VmallocChunk: 106628 kB
Information about disk usage
df -h
Filesystem Size Used Avail Use% Mounted on
/dev/md2 375G 41G 315G 12% /
tmpfs 2.0G 0 2.0G 0% /lib/init/rw
udev 10M 52K 10M 1% /dev
tmpfs 2.0G 0 2.0G 0% /dev/shm
/dev/md1 510M 37M 448M 8% /boot
And the partitions:
fdisk -l
Disk /dev/sda: 85.8 GB, 85899345920 bytes
255 heads, 63 sectors/track, 10443 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x000d6430
Device Boot Start End Blocks Id System
/dev/sda1 * 1 10255 82373256 83 Linux
/dev/sda2 10256 10443 1510110 5 Extended
/dev/sda5 10256 10443 1510078+ 82 Linux swap / Solaris
Linux: How to view log files on the shell?
Many Linux servers are administered on the command line, e.g. over an SSH connection. In the following article, I will explain several shell commands that make it easy to view log files. Most files under /var/log are readable only by root, so prefix the commands with sudo where needed.
The most important command is “tail”. Tail can be used to read the last lines from a file. Examples:
Get the last 100 lines from the Debian mail log file:
tail -n 100 /var/log/mail.log
To get all newly added lines from a log file in realtime on the shell, use the command:
tail -f /var/log/mail.log
To quit tail and go back to the command line, press the keys [ctrl] + [c].
If you want to get the last 1000 lines from a log file and they do not fit into your shell window, you can pipe them through the pager "more" to view them page by page (or "less", which also lets you scroll back up).
tail -n 1000 /var/log/mail.log | more
Press [space] to show the next page, [enter] to show the next line, or q to quit.
If you want to search for a specific term in a large file, the command "grep" comes in handy. Example: we search for the email address "tom@anydomain.tld" in the mail log file (add -F to match the address literally, since a dot in a grep pattern otherwise matches any character):
grep "tom@anydomain.tld" /var/log/mail.log
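grep answers "does this address appear"; the question that matters on a mail server is usually "who is hammering the login". The script below is an added example, not from the original post: it turns the grep idea into a small report of failed SASL logins per client IP, the figure fail2ban acts on. The log lines are constructed samples in Postfix's smtpd format, not real log data.

```shell
#!/bin/sh
# Added example (not from the original post): a failed-login report built
# from grep, sed, sort and uniq over mail log lines read on stdin.

# Constructed sample log lines (not from a real server).
SAMPLE_LOG='Aug 21 12:41:03 mail postfix/smtpd[11234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Aug 21 12:41:05 mail postfix/smtpd[11234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Aug 21 12:41:09 mail postfix/smtpd[11240]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Aug 21 12:42:00 mail postfix/smtpd[11250]: connect from client.example.net[192.0.2.10]
Aug 21 12:42:01 mail postfix/qmgr[1102]: 3F2A1B0C2: from=<tom@anydomain.tld>, size=2048, nrcpt=1 (queue active)
Aug 21 12:43:11 mail postfix/smtpd[11234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure'

# Failed SASL logins per client address, most frequent first, as
# "<count> <address>". The address is the bracketed field right before
# ": SASL", so IPv6 literals are handled as well.
failed_logins_by_ip() {
    grep 'SASL [A-Z0-9-]* authentication failed' \
      | sed -n 's/.*\[\([^]]*\)\]: SASL.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# All lines mentioning an address, matched literally (-F), so the dots in
# the address are not treated as wildcards.
lines_for_address() {
    grep -F -- "$1"
}

# Report for the sample; on a server: failed_logins_by_ip < /var/log/mail.log
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
```

Combined with tail -f the same pipeline is a live view: tail -f /var/log/mail.log | grep 'authentication failed' shows each failed attempt as it happens.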
If you want to view the whole content of a file on the shell, use the command "cat". Example:
cat /proc/cpuinfo
will show you detailed info about the CPU of your computer.