Archive for the ‘Linux & Unix’ Category

How to enable port 465 (smtps) in postfix mailserver

Wednesday, October 28, 2009 posted by Till

More and more internet access providers block outgoing connections to port 25 (except to their own mailservers) to reduce spam. If you run your own mailserver and your users can no longer reach it on port 25 from such networks, you can enable port 465 (smtps, that is SMTP wrapped in TLS from the first byte) in postfix as a workaround and let them submit mail there. Edit the /etc/postfix/master.cf file:

vi /etc/postfix/master.cf

and remove the # in front of the smtps line. Also remove the # from the indented "-o" lines directly below it: Debian ships "-o smtpd_tls_wrappermode=yes" there, which is what turns the service into smtps (without it postfix speaks plaintext SMTP on 465), plus the SASL options that restrict the port to authenticated clients. Postfix also needs a certificate and key configured in main.cf (smtpd_tls_cert_file and smtpd_tls_key_file) for TLS to work. Example for Debian 5, change the line:

#smtps     inet  n       -       -       -       -       smtpd

to:

smtps     inet  n       -       -       -       -       smtpd

and restart postfix:

/etc/init.d/postfix restart
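As an added example that is not part of the original post, here is a POSIX shell helper that uncomments the complete smtps stanza (the service line and the indented -o lines Debian ships beneath it) and then checks that wrapper mode is really on, so a half-edited master.cf is noticed before the restart. The master.cf content it works on is constructed inline for the self-check; on a real server the file is /etc/postfix/master.cf.

```sh
#!/bin/sh
# Added example (not from the original post). Uncomments the smtps stanza in a
# Postfix master.cf: the "#smtps ..." service line plus the "#  -o ..." override
# lines directly below it. Debian's stock file ships the stanza as:
#   #smtps     inet  n       -       -       -       -       smtpd
#   #  -o smtpd_tls_wrappermode=yes
#   #  -o smtpd_sasl_auth_enable=yes
#   #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# Uncommenting only the first line gives plaintext SMTP on 465; the wrappermode
# override is what makes it smtps.

# enable_smtps_stanza FILE: edit FILE in place, keeping FILE.bak. Returns 0 when
# an smtps line was found and uncommented, 1 otherwise.
enable_smtps_stanza() {
    f=$1
    awk '
        /^#smtps[[:space:]]/                     { sub(/^#/, ""); stanza = 1; found = 1; print; next }
        stanza && /^#[[:space:]]+-o[[:space:]]/  { sub(/^#/, ""); print; next }
        { stanza = 0; print }
        END { exit found ? 0 : 1 }
    ' "$f" > "$f.tmp" || { rm -f "$f.tmp"; return 1; }
    cp -p "$f" "$f.bak" && mv "$f.tmp" "$f"
}

# smtps_configured FILE: 0 only if the smtps service is active AND the
# wrapper-mode override follows it, so a half-done edit is caught.
smtps_configured() {
    f=$1
    grep -q '^smtps[[:space:]]' "$f" || return 1
    awk '
        /^smtps[[:space:]]/ { stanza = 1; next }
        stanza && /^[[:space:]]+-o[[:space:]]+smtpd_tls_wrappermode=yes/ { ok = 1 }
        /^[^[:space:]#]/    { stanza = 0 }
        END { exit ok ? 0 : 1 }
    ' "$f"
}

# demo: constructed master.cf excerpt (not a real server file) used as a
# self-check. Returns 0 if the stanza is enabled and its neighbours untouched.
demo() {
    f=$(mktemp) || return 2
    printf '%s\n' \
      'smtp      inet  n       -       -       -       -       smtpd' \
      '#submission inet n       -       -       -       -       smtpd' \
      '#  -o smtpd_enforce_tls=yes' \
      '#smtps     inet  n       -       -       -       -       smtpd' \
      '#  -o smtpd_tls_wrappermode=yes' \
      '#  -o smtpd_sasl_auth_enable=yes' \
      '#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject' \
      '#628      inet  n       -       -       -       -       qmqpd' > "$f"
    smtps_configured "$f" && return 1          # must not count as configured yet
    enable_smtps_stanza "$f" || return 1
    smtps_configured "$f" || return 1
    grep -q '^#submission' "$f" || return 1    # submission stanza left commented
    rm -f "$f" "$f.bak"
}
```

After restarting postfix, check from outside with openssl s_client -connect your.host:465: with wrapper mode on, the TLS handshake happens immediately and the 220 banner only appears inside it, whereas a plaintext 220 banner means the smtpd_tls_wrappermode line is still commented out.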

How to prevent a Linux system user from logging into the system

Friday, October 23, 2009 posted by Till

Whether a Linux system user can log in on the console or via SSH depends on the login shell set for the account in /etc/passwd. To prevent a user from getting a shell, set the shell to /bin/false or /sbin/nologin.

Example for Debian and Ubuntu Linux for the user with the username "otheruser":

usermod -s /bin/false otheruser

For Redhat, Fedora or CentOS use /sbin/nologin:

usermod -s /sbin/nologin otheruser

Warning: Do not set the shell for the root user to /bin/false or /sbin/nologin!

Note that a nologin shell only blocks interactive logins. The account can still authenticate to services that check the system password but never start a shell, for example pure-ftpd or a POP/IMAP server using system accounts, or SSH port forwarding requested without a session (ssh -N). If the account is to be disabled completely, lock its password as well (usermod -L otheruser) and remove any keys from its ~/.ssh/authorized_keys.
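As an added example that is not from the original post, a small POSIX shell audit that lists the accounts which still have a login shell and checks whether a given account's password is locked too, since a disabled account should fail both. The functions take passwd- and shadow-style files as arguments so they can run on copies; the sample files below are constructed here and are not from any real system. On a live system pass /etc/passwd and /etc/shadow (the latter needs root).

```sh
#!/bin/sh
# Added example (not from the original post): audit which accounts can still
# obtain a login shell, and whether an account's password is locked too.
# The functions take passwd/shadow-style files as arguments so they can run
# on copies; on a live system use /etc/passwd and /etc/shadow (root needed).

# is_nologin_shell SHELL: 0 for the shells the post recommends, under the
# paths used by Debian/Ubuntu and RHEL/CentOS/Fedora.
is_nologin_shell() {
    case "$1" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# login_capable PASSWD_FILE: print one username per line for every account
# whose login shell is not a nologin shell. An empty shell field counts as
# login-capable because login(1) then falls back to /bin/sh.
login_capable() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$user" in ''|\#*) continue ;; esac
        is_nologin_shell "$shell" || printf '%s\n' "$user"
    done < "$1"
}

# password_locked SHADOW_FILE USER: 0 if the hash field starts with '!'
# (usermod -L / passwd -l) or '*' (no password ever set). A nologin shell
# alone does not stop the account from authenticating to services that never
# start a shell, so an account meant to be fully disabled should pass both
# checks: nologin shell AND locked password.
password_locked() {
    hash=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1")
    case "$hash" in '!'*|'*'*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample data (not from any real system) for a self-check.
# alice keeps a real shell but a locked password: key-based SSH would still
# work for her, which is exactly what login_capable is meant to surface.
make_sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'otheruser:x:1001:1001::/home/otheruser:/bin/false' \
        'alice:x:1002:1002::/home/alice:/bin/zsh'
}
make_sample_shadow() {
    printf '%s\n' \
        'root:$6$salt$hash:15000:0:99999:7:::' \
        'daemon:*:15000:0:99999:7:::' \
        'otheruser:$6$salt$hash:15000:0:99999:7:::' \
        'alice:!$6$salt$hash:15000:0:99999:7:::'
}
```

Run login_capable /etc/passwd on a server and you get the list of accounts that still need a password or key to be kept out of a shell; everything on that list that is not a real human or a service that truly needs a shell is a candidate for usermod -s /bin/false.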

If the root user stores a file in the home directory of another user, or in any other directory owned by another user, that user is able to delete the file even though it is owned by root and has 700 permissions. Deleting (unlinking) a file is an operation on the directory entry, so it is the write permission on the directory that counts, not the permissions of the file itself.

Example:

root@workstation:/home/otheruser# ls -la
total 8
drwxr-xr-x 2 otheruser otheruser 4096 Oct 23 11:52 .
drwxr-xr-x 3 root      root      4096 Oct 23 11:51 ..
-rwx------ 1 root      root         0 Oct 23 11:52 root_users_file

If I now su to "otheruser", I am able to delete the file, because "otheruser" is the owner of the directory in which "root_users_file" is stored:

root@workstation:/home/otheruser# su otheruser
sh-3.2$ rm root_users_file
rm: remove write-protected regular empty file `root_users_file'? y
sh-3.2$

To protect the file from being deleted, set the immutable attribute with the command chattr +i (as root; the filesystem has to support the attribute, which ext3/ext4 do):

chattr +i root_users_file

and then try again to delete the file as "otheruser"; the action will be denied:

root@workstation:/home/otheruser# su otheruser
sh-3.2$ rm root_users_file
rm: remove write-protected regular empty file `root_users_file'? y
rm: cannot remove `root_users_file': Operation not permitted
sh-3.2$

Now not even root is able to delete, modify, rename or hard-link the file while the attribute is set (lsattr shows it as an "i" in the flags). Only root can clear it again, with the command chattr -i:

chattr -i root_users_file
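As an added example (not part of the original post), a shell self-check of the two points made above: unlinking a file is governed by the directory's mode and not by the file's, and the immutable attribute is the mechanism that stops the directory owner, and root, from removing it. Setting the attribute itself needs root and a filesystem that supports it, so the script only inspects the flag with lsattr; all file names are scratch files it creates itself.

```sh
#!/bin/sh
# Added example (not from the original post). Self-check of the two points
# above: (1) unlinking a file needs write+execute on its directory, the
# file's own mode is irrelevant; (2) the immutable attribute is what blocks
# the directory owner and root alike. Paths below are scratch files created
# by the script, not anything from a real system.

# demo_dir_owner_deletes: a mode-000 file inside a directory we own can be
# removed, just like root_users_file in the post. Returns 0 if rm succeeded.
demo_dir_owner_deletes() {
    d=$(mktemp -d) || return 2
    : > "$d/root_users_file"
    chmod 000 "$d/root_users_file"      # nobody may read or write the file itself
    rm -f "$d/root_users_file"          # -f suppresses the "write-protected" prompt
    if [ -e "$d/root_users_file" ]; then rc=1; else rc=0; fi
    rmdir "$d"
    return $rc
}

# demo_readonly_dir_blocks_delete: the same file, but now the directory has no
# write bit, so a non-root user gets EACCES from unlink. root bypasses mode
# bits entirely (CAP_DAC_OVERRIDE), which is why the post reaches for chattr;
# when run as uid 0 there is nothing to show and 0 is returned.
demo_readonly_dir_blocks_delete() {
    d=$(mktemp -d) || return 2
    : > "$d/root_users_file"
    chmod 500 "$d"                      # r-x: may list and enter, may not unlink
    if [ "$(id -u)" -eq 0 ]; then
        rc=0
    else
        rm -f "$d/root_users_file" 2>/dev/null || true
        if [ -e "$d/root_users_file" ]; then rc=0; else rc=1; fi
    fi
    chmod 700 "$d"; rm -f "$d/root_users_file"; rmdir "$d"
    return $rc
}

# is_immutable FILE: 0 if lsattr reports the lowercase 'i' flag, 1 if not,
# 2 if lsattr is unavailable. Setting the flag (chattr +i) needs
# CAP_LINUX_IMMUTABLE and a filesystem that implements it (ext2/3/4, xfs,
# btrfs among others); this check is what a cron job would run to confirm a
# protected file is still protected.
is_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 2
    flags=$(lsattr -d "$1" 2>/dev/null | awk '{ print $1 }')
    case "$flags" in *i*) return 0 ;; *) return 1 ;; esac
}
```

On a real ext3/ext4 system, run chattr +i on a test file as root and is_immutable returns 0; after chattr -i it returns 1 again. Remember that the attribute also blocks edits by root, so package upgrades or config management touching that file will fail until it is cleared.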

How to reset the MySQL root password

Wednesday, October 21, 2009 posted by Till

The following steps describe the procedure to reset the mysql root password on Linux.

1) Stop the mysql server

/etc/init.d/mysql stop

2) Start the mysql server manually without the permission tables, which lets us log in as root without a password. While the server runs like this, anyone who can reach it can do the same, so also pass --skip-networking so that it only accepts local socket connections:

mysqld_safe --skip-grant-tables --skip-networking &

3) Log into mysql as root without a password and switch to the "mysql" database:

mysql -u root mysql

Then execute this SQL query to set a new password for the mysql root user:

update user set Password=PASSWORD('mynewpassword') WHERE User='root';

(Replace "mynewpassword" with the new root password in the above command. The Password column and the PASSWORD() function are those of the MySQL 5.0/5.1 releases current when this was written; newer MySQL versions store the hash in a different column and set it with a different statement.)

Then logout from the mysql prompt by typing:

exit

4) Now bring the mysql instance that is running in the background back into the foreground by typing:

fg

and then press [ctrl] + c to stop the mysql process.

5) Start the mysql server again:

/etc/init.d/mysql start

The cronjobs (crontabs) of all system users on Debian and Ubuntu Linux are stored in the directory /var/spool/cron/crontabs. To make a backup with tar, run this command as root (the directory is not readable by other users):

tar pcfz /root/user_crontabs.tar.gz /var/spool/cron/crontabs

The backup file user_crontabs.tar.gz is stored in the /root/ folder. It contains every user's crontab, including any commands and credentials people put on their command lines, so keep it readable by root only.
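As an added example that is not from the original post, a POSIX shell version of the backup that creates the archive with owner-only permissions and then verifies it: the archive must be mode 0600, must list cleanly, and must name every file currently in the spool. The spool directory and archive path are parameters, so the self-check below runs on a constructed copy of the spool; on a real Debian/Ubuntu system pass /var/spool/cron/crontabs and /root/user_crontabs.tar.gz.

```sh
#!/bin/sh
# Added example (not from the original post). Backs up a crontab spool with
# owner-only permissions and verifies the archive. The spool and archive are
# parameters so the check can run on a constructed copy; on Debian/Ubuntu the
# real spool is /var/spool/cron/crontabs, which only root can read.

# backup_crontabs SPOOL_DIR ARCHIVE: tar+gzip SPOOL_DIR into ARCHIVE. The
# archive holds every user's crontab (commands, paths, and whatever secrets
# people pass on command lines), so it is created under umask 077, i.e. mode
# 0600. -C / with the leading slash stripped stores paths relative to / and
# avoids tar's "Removing leading /" warning.
backup_crontabs() {
    spool=$1 archive=$2
    [ -d "$spool" ] || return 1
    ( umask 077 && tar -czf "$archive" -C / "${spool#/}" )
}

# verify_crontab_backup ARCHIVE SPOOL_DIR: 0 if ARCHIVE is owner-only,
# gunzips and lists cleanly, and names every file currently in SPOOL_DIR.
verify_crontab_backup() {
    archive=$1 spool=$2
    [ "$(ls -ld "$archive" | cut -c1-10)" = "-rw-------" ] || return 1
    listing=$(tar -tzf "$archive") || return 1
    for f in "$spool"/*; do
        [ -e "$f" ] || continue                    # empty spool
        case "$listing" in *"${f#/}"*) ;; *) return 1 ;; esac
    done
}

# make_sample_spool DIR: constructed crontab files (not real ones) so the
# functions above can be exercised without touching /var/spool.
make_sample_spool() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    printf '%s\n' '# m h dom mon dow command' '0 3 * * * /usr/local/bin/backup.sh' > "$1/alice"
    printf '%s\n' '*/5 * * * * /home/bob/bin/check.sh' > "$1/bob"
    chmod 600 "$1/alice" "$1/bob"
}
```

To restore, run tar -xzpf /root/user_crontabs.tar.gz -C / as root; -p matters on extraction because cron refuses crontab files that are not mode 0600 and owned correctly.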

How to use a custom php.ini with suphp

Monday, October 19, 2009 posted by Till

To use a custom php.ini file with suPHP for a website, define the path of the directory that contains it in a .htaccess file or in the apache vhost like this:

suPHP_ConfigPath /home/websites/domain.tld/

Then place a php.ini file in the directory /home/websites/domain.tld/. It may be a copy of the global php.ini in which you changed a few settings, or a file containing only the settings that shall override the global PHP configuration. Keep in mind that any directive can be overridden this way, including open_basedir and disable_functions: whoever can write that php.ini (or a .htaccess carrying suPHP_ConfigPath) decides the site's own sandbox. If those restrictions are meant to bind the site owner, put the directive in the vhost and point it to a directory the web user cannot write to.

If you use ISPConfig 2 or 3, you can also add the suPHP_ConfigPath setting in the apache directives field of the website in ISPConfig.
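As an added example (not part of the original post), a POSIX shell audit for the situation above: given the global php.ini and a site's php.ini loaded via suPHP_ConfigPath, it reports every directive the site changes and flags those that loosen PHP's confinement. The list of flagged directives is this example's own choice, and the two php.ini files are constructed inline for the self-check; on a server pass the real paths, for example /etc/php5/cgi/php.ini and /home/websites/domain.tld/php.ini.

```sh
#!/bin/sh
# Added example (not from the original post). Shows which directives a
# per-site php.ini (the file suPHP_ConfigPath points at) changes relative to
# the global php.ini, and flags those that loosen PHP's confinement. The two
# php.ini files below are constructed for a self-check; on a server pass the
# real paths, e.g. /etc/php5/cgi/php.ini and /home/websites/domain.tld/php.ini.

# ini_settings FILE: print "key=value" per directive; comments, blank lines
# and [section] headers are dropped, surrounding whitespace trimmed. The
# value is everything after the first '=', so values containing '=' survive.
ini_settings() {
    awk '
        /^[[:space:]]*$/      { next }
        /^[[:space:]]*[;#]/   { next }
        /^[[:space:]]*\[/     { next }
        index($0, "=") == 0   { next }
        {
            i = index($0, "=")
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key != "") print key "=" val
        }
    ' "$1"
}

# ini_overrides GLOBAL SITE: one line "key: global -> site" for each directive
# SITE sets to a different value than GLOBAL, or that GLOBAL does not set.
ini_overrides() {
    gtmp=$(mktemp) || return 2
    ini_settings "$1" > "$gtmp"
    ini_settings "$2" | awk -v gfile="$gtmp" '
        BEGIN {
            while ((getline line < gfile) > 0) {
                i = index(line, "="); g[substr(line, 1, i - 1)] = substr(line, i + 1)
            }
            close(gfile)
        }
        {
            i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1)
            if (!(k in g))      print k ": (unset) -> " v
            else if (g[k] != v) print k ": " g[k] " -> " v
        }
    '
    rm -f "$gtmp"
}

# risky_overrides GLOBAL SITE: print (and return 0 for) overrides of the
# directives that decide what a site's PHP may reach. The list is this
# example's choice. Anyone who can write the site php.ini can change these,
# which is why that file and the suPHP_ConfigPath directive should belong to
# the administrator when they are meant to restrict the site owner.
risky_overrides() {
    ini_overrides "$1" "$2" |
        grep -E '^(open_basedir|disable_functions|disable_classes|safe_mode|allow_url_fopen|allow_url_include|enable_dl):'
}

# Constructed sample files (not real server configuration).
make_sample_global_ini() {
    printf '%s\n' '[PHP]' '; global defaults' 'memory_limit = 32M' \
        'open_basedir = /home/websites/:/tmp/' \
        'disable_functions = exec,system,passthru,shell_exec' \
        'allow_url_fopen = Off' 'display_errors = Off'
}
make_sample_site_ini() {
    printf '%s\n' '; per-site overrides only' 'memory_limit = 128M' \
        'open_basedir =' 'upload_max_filesize = 20M'
}
```

In the constructed sample the site raises memory_limit and upload_max_filesize, which is the kind of change a per-site php.ini is for, but it also sets open_basedir to an empty value, which removes the path restriction entirely; risky_overrides prints exactly that line.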

If you want to serve a subdomain like sub.domain.tld from a subdirectory of the website while keeping the original URL in the browser location bar, you can use the following apache directives.

RewriteEngine on
RewriteCond %{HTTP_HOST} ^sub\.domain\.tld$ [NC]
RewriteCond %{REQUEST_URI} !^/sub/
RewriteRule ^/?(.*)$ /sub/$1 [L]

The dots in the host pattern are escaped and the pattern is anchored with $, so the condition matches exactly that host name (an unescaped dot matches any character, and without $ every host beginning with sub.domain.tld would match too). The second RewriteCond excludes requests that already point into /sub/, because in a .htaccess the rules are applied again after every rewrite and /sub/page would otherwise become /sub/sub/page until Apache gives up. ^/?(.*)$ works in both contexts: in a vhost the path carries a leading slash, in a .htaccess it does not, so a pattern of ^/(.*)$ would never match there.

This rewrite rule can be added into a .htaccess file in the website root or inside the vhost file. If you use ISPConfig 2 or 3, you can add this also into the apache directives field in the website settings.

Replace sub.domain.tld with the subdomain that shall be redirected and /sub/ with the path to the directory where the pages for this subdomain are located.

If hidden files (files whose names start with a dot, like .htaccess, .bash_history, .profile or .ssh) are not displayed in your FTP client, they are most likely disabled in the FTP server. To enable hidden files in pure-ftpd on Debian and Ubuntu Linux, execute this command:

echo "yes" > /etc/pure-ftpd/conf/DisplayDotFiles

and then restart pure-ftpd.

If all your visitors shall reach your website under a URL like www.domain.com and never without the www, use the following apache rewrite rule to redirect them.

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ http://www.domain.com%{REQUEST_URI} [L,R=301]

The canonical host name is written out instead of being taken from %{HTTP_HOST}: the Host header is supplied by the client, and echoing it into the Location header lets anyone craft a request that your server answers with a redirect to a host of their choosing (and a Host value with a port number would produce a broken target). %{REQUEST_URI} always starts with a slash, so the rule works in a vhost as well as in a .htaccess, where a captured (.*) has no leading slash and http://www.%{HTTP_HOST}$1 would produce www.domain.comindex.html; the query string is appended to the redirect automatically. R=301 marks the redirect as permanent so browsers and search engines remember it; use plain R (a 302) while testing.

The apache rewrite rule can be added in a .htaccess file in the website root directory or, if you use ISPConfig 2 or 3, in the apache directives field of the website. Replace www.domain.com with your own host name.

If you run a firewall on your Linux server and want to allow passive FTP connections, you have to define the passive port range in pure-ftpd and open the same range in your firewall, so that the data connections don't get blocked. The following example is for pure-ftpd on Debian or Ubuntu Linux and ISPConfig 3:

1) Configure pure-ftpd
echo "40110 40210" > /etc/pure-ftpd/conf/PassivePortRange
/etc/init.d/pure-ftpd-mysql restart

The two numbers are the first and the last port of the range (101 ports here, so up to 101 simultaneous passive data connections). If the server sits behind NAT, also write its public IP address into /etc/pure-ftpd/conf/ForcePassiveIP, otherwise clients are told a private address they cannot connect to.

2) Configure the firewall. If you use ISPConfig 3 to configure the bastille firewall on your server, you can add the necessary port range in the ISPConfig firewall settings.

Change the list of Open TCP ports from:

20,21,22,25,53,80,110,143,443,3306,8080,10000

to:

20,21,22,25,53,80,110,143,443,3306,8080,10000,40110:40210

and then click on "Save". While you are there, review the rest of the list as well: it also opens 3306 (MySQL) to the internet, which you only need if remote clients connect to the database directly; remove any port that does not have to be reachable from outside.