FAQforge » Server

Apache mod-security installation on Debian 6.0 (squeeze)

Till — Mon, 02 Jan 2012 11:20:06 +0000

Install the apache mod-security 2 module with apt from the Debian repositories

apt-get install libapache-mod-security

Create the folder for the mod-security configuration files

mkdir /etc/apache2/mod-security
chmod 600 /etc/apache2/mod-security

Download and unpack the mod-security rules

cd /tmp
wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
tar fvx modsecurity-core-rules_2.5-1.6.1.tar.gz
mv *.conf /etc/apache2/mod-security/
ln -s /var/log/apache2 /etc/apache2/logs

Configure apache to load the activated mod-security rules

vi /etc/apache2/conf.d/mod-security.conf

Include /etc/apache2/mod-security/*.conf

To enable mod-security, edit the file

vi /etc/apache2/mod-security/modsecurity_crs_10_config.conf

and remove the # in front of the line:

SecDefaultAction “phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace”

Then reload apache.

/etc/init.d/apache2 force-reload

Mod security will now start to block hack attempts to your websites and log the actions in the file /var/log/apache2/modsec_audit.log.

tail /var/log/apache2/modsec_audit.log

You will see very likely some falsely blocked URL’s. To whitelist them, you can add the ID’s of the rules that should not be used in the whitelist file.

Example:

vi /etc/apache2/mod-security/modsecurity_crs_99_whitelist.conf

SecRuleRemoveById 960015
SecRuleRemoveById 960016

nginx server error: 413 Request Entity Too Large

Till — Mon, 21 Nov 2011 11:34:10 +0000

The nginx webserver has a max. body size limit of 1 MB for requests as default. This might be too low for file uploads in scripts and you will see the following error message when you try to upload a file:

413 Request Entity Too Large

The configuration variable for this option is “client_max_body_size” and it can be set in the http, server and location sections of the nginx configuration file. To set the Limit globally to 25 MB, edit the nginx.conf file and add:

client_max_body_size 20M;

in the http section.

Example for Ubuntu Linux:

user www-data;
worker_processes 4;
pid /var/run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {
        geoip_country  /etc/nginx/geoip/GeoIP.dat; # the country IP database
        geoip_city     /etc/nginx/geoip/GeoLiteCity.dat; # the city IP database
        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;

        client_max_body_size 20M;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

Enhanced e-mail SPAM protection in ISPConfig 3

Till — Mon, 21 Nov 2011 10:22:41 +0000

The command below enables a stricter SPAM handling for postfix on ISPConfig 3 servers.

In Detail:

Reject sender hostnames with invalid syntax
Reject sender hostnames that are no fully qualified domains (e.g. reject “server1″ but allow server1.domain.tld)
Reject sender domains that have no DNS records
Check sender IP addresses against realtime blacklists.

First make a backup of the postfix main.cf file in case that you want to reverse the changes later:

cp -pf /etc/postfix/main.cf /etc/postfix/main.cf.bak

Then execute this command to enable the additional spam protection functions (the command is one line!).

postconf -e ‘smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination’

Then restart postfix:

/etc/init.d/postfix restart

How to change the welcome email message text in ISPConfig 3

Till — Thu, 10 Nov 2011 11:00:05 +0000

As of ISPConfig 3.0.4, the text of the welcome email message that is sent to new email accounts is stored in the folder /usr/local/ispconfig/server/conf/mail/.

The message has this format:

————————————————————————
From: ISPConfig
Subject: Welcome to your new email account.

Welcome to your new email account. Your webmaster.
————————————————————————

The first line starts with “From: ” followed by the sender email address. The second line starts with “Subject: ” followed by the email subject. The third line should be empty. All following lines are the email text.

The email text files are named “welcome_email_.txt” where has to be replaced with the system language like “en” for English or “de” for German language, e.g. “welcome_email_en.txt” for the english welcome email.

The customized language file should be stored in the folder /usr/local/ispconfig/server/conf-custom/mail/ so that it does not get overwritten by ISPConfig updates.

Webalizer: Error Opening file /usr/share/GeoIP/GeoIP.dat on Debian Linux

Till — Tue, 25 Oct 2011 14:06:44 +0000

The webalizer package in Debain 6 has currently small bug as the required package for the GeoIP database is not installed automatically when webalizer is isntalled. The symptoms are that webalizer statistics are not created and this error message is displayed when webalizer is run:

Error Opening file /usr/share/GeoIP/GeoIP.dat

The solution is to install the missing package manually:

apt-get install geoip-database

Send all outgoing email trough one IP address in postfix

Till — Tue, 25 Oct 2011 13:59:05 +0000

When a server has more then one IP address, then postfix will use all IP addresses randomly to send out emails. This can cause your emails to be listed as SPAM on other servers because the sending IP does not match the reverse IP of the server hostname. The solution is to bind postfix to the primary IP address of the server.

Edit the postfix main.cf file:

vi /etc/postfix/main.cf

and add the line:

smtp_bind_address = 192.168.0.1

were 192.168.0.1 has to be replaced with the primary IP address of the server. Then restart postfix:

/etc/init.d/postfix restart

Fix for OpenSuSE error: postfix/master: fatal: 0.0.0.0:smtps: Servname not supported for ai_socktype

Till — Thu, 06 Oct 2011 09:00:06 +0000

You might see the error:

postfix/master[5309]: fatal: 0.0.0.0:smtps: Servname not supported for ai_socktype

On a OpenSuSE server when you enable smtps in postfix master.cf file. The reason for the error is that the definition of the smtps port in /etc/services is missing.

Solution

Edit the /etc/services file

vi /etc/services

and add the following lines:

smtps 465/tcp # Secure SMTP
smtps 465/udp # Secure SMTP

Then restart postfix

/etc/init.d/postfix restart

How to connect to an SSH-Server

CSch — Fri, 16 Sep 2011 13:54:08 +0000

To connect to a system’s terminal with a static network IP and an SSH-Server installed, open a terminal and enter following command, exchanging the network IP with the one of your SSH-Server:

ssh root@192.168.0.110

Enter the target SSH-Server’s root password afterwards. To exit the server’s shell, enter

exit

Redirect http requests to a new folder with apache rewrite rules

Till — Fri, 12 Aug 2011 08:21:59 +0000

When you reorganize the structure of a website, you might want to redirect requests to files in a old folder to a new one without loosing the pagerank. In this example, I will redirect all requests from directory “olddir” to directory “newdir”, so that requests like http://www.yourdomain.tld/olddir/page.htm get redirected to http://www.yourdomain.tld/newdir/page.htm without loosing the Google pagerank of the pages.

The following rewrite rules can be added into a .htaccess file in the website directory or in the vhost configuration.

RewriteEngine on
RewriteRule ^olddir/(.*)$ newdir/$1 [R=301,L]

This rewrite rule redirects automatically all requests to pages or subdirectorys of “olddir” to the same page or subdirectory in “newdir”.

Reduce load of backup scripts with nice and ionice

Till — Wed, 10 Aug 2011 11:46:33 +0000

Runing a nightly backup script on a server system like a webhosting server can produce high load and longer latencys for other processes, e.g. HTML or .php pages load slow during backup because the backup script takes too much I/O or CPU resources.

On Linux systems there are two shell utilitys available to set the I/O and CPU Scheduling for a appliaction or script. The utilitys are named nice and ionice.

Reduce the I/O priority of the script “/usr/local/bin/backup.sh” so that it does not disrupt other processes:

/usr/bin/ionice -c2 -n7 /usr/local/bin/backup.sh

The -n parameter must be between 0 and 7, where lower numbers mean higher priority.

To reduce the CPU priority, use the command nice:

/usr/bin/nice -n 19 /usr/local/bin/backup.sh

The -n parameter can range from -20 to 19, where lower numbers mean higher priority

Nice and ionice can also be combined, to run a script at low I/O and CPU priority:

/usr/bin/nice -n 19 /usr/bin/ionice -c2 -n7 /usr/local/bin/backup.sh