FAQforge provides answers for frequently asked questions for the Linux-, MAC and Windows operating systems.

Secure /tmp and /dev/shm directories in a OpenVZ enviroment

Tuesday, August 31, 2010 - posted by Till

The /tmp and /dev/shm directories of a OpenVZ virtual machine shall be mounted without suid and exec permissions. To achieve this, create a a shell script on the host server for every virtual machine which contains the commands to remount the directories. This script will be started automatically by openvz when the VM is started.

I will use VPSID as placeholder for the ID of the virtual machine in the commands and the script. Replace VPSID with the id of the virtual machine that you want to create the script for, e.g. replace VPSID with 101.

Create the script:

vi /etc/vz/conf/VPSID.mount

and insert the following lines:

#!/bin/bash
mount -n --bind -onosuid,noexec /vz/vps/VPSID/tmp /vz/root/VPSID/tmp
mount -n --bind -onosuid,noexec /vz/vps/VPSID/shm /vz/root/VPSID/dev/shm
exit ${?}

now make the sscript executable:

chmod 700 /etc/vz/conf/VPSID.mount

Migrate physical server system to OpenVZ virtual machine

Tuesday, August 31, 2010 - posted by Till

In case you plan to virtualize your server infrastructure and migrate physical servers to OpenVZ virtual machines, you may find this tutorial helpful:

http://wiki.openvz.org/Physical_to_container

I used this to migrate a ISPConfig Debian system to OpenVZ successfully.

Use separate configurations by network in the Windows 7 firewall

Thursday, July 15, 2010 - posted by Till

The Windows 7 Firewall allows separate configurations by network. This feature makes it possible to configure different firewall rules for the home network , the networkwork or a public network and Windows will apply these rules automatically when the computer gets connected to a different network. To configure the firewall by network, click on Start > Control Panel > System and Security > Windows Firewall

Then Click on "Allow a program or feature trough Windows Firewall" to get the list of open firewall ports for all configured networks.

If the application that shall be able to connect to a specific network is listed there, then allow access by enabling the checkbox in the column of the network. If the application is not in the list, click on "Allow another program" and then select the program in the list that pops up.

How to disable spamfilter- and antivirus functions in ISPConfig 3

Wednesday, July 14, 2010 - posted by Till

If you use a mailserver wil very low ram (< 500 MB) and a slow CPU then it might be nescessary to disable the spam- and antivirus filter functions in ISPConfig 3 as amavisd and clamav might be too heavy for your server hardware. The steps to disable clamav and amavisd are:

Edit postfix main.cf file

vi /etc/postfix/main.cf

and comment out these lines by adding a "#" in front of them:

# content_filter = amavis:[127.0.0.1]:10024
# receive_override_options = no_address_mappings

Then restart postfix:

/etc/init.d/postfix restart

Now stop and disable the services. The following commands are for Debian and Ubuntu, the commands for other Linux distributions may vary

/etc/init.d/clamav-daemon stop
/etc/init.d/clamav-freshclam stop
/etc/init.d/amavis stop

update-rc.d -f clamav-daemon remove
update-rc.d -f clamav-freshclam remove
update-rc.d -f amavis remove

P The normal mail receive and send functions will still work after this modification. But please be aware that disabling amavisd and clamav will disable all spam- and antivirus filtering so that the spamfiltering options that can be configured in the ispconfig interface will have any effect on mail delivery and no spam and viruses will get filtered.

The changes in postfix main.cf will get overwitten by a ispconfig software update when you select to reconfigure services during upadte, so you should comment out the lines again after you install a ispconfig update.

There is a handy Thunderbird extension named "Auto zip" available that compresses email attachments as .zip files automatically, So you dont have to compress the files manually anymore before you attach them to the email.

Thunderbird extension download:

https://addons.mozilla.org/en/thunderbird/addon/4003

Sadly, the official version of the plugin works only for thunderbird 2. But a few users offer already patched versions for Thunderbird 3 (see links in the comments). Please be aware that using such a patched version has the risk that it might contain malicious code.)

https://addons.mozilla.org/de/thunderbird/reviews/display/4003

How to block access to a server by IP address on Linux

Tuesday, July 6, 2010 - posted by Till

Sometimes you might want to block connects to your server by IP address. E.g. when someone tries to attack your system. This can be done in several different ways, e.g. with iptables (firewall) rules or by setting up a reject route. Using iptables sometimes causes conflicts with installed firewalls so that I will use the route command here. The command is:

/sbin/route add -host 192.168.0.123 reject

Replace 192.168.0.123 with the IP address that you want to block and execute the command as root user on the shell.

How to enable the new multisite feature in WordPress 3.0

Sunday, June 20, 2010 - posted by Till

If you recently updated to or installed WordPress 3.0, you might wonder where the menu for Multisite feature is. By default, these new functions are disabled after a WordPress update, to enable them, edit the file wp-config.php and add the line

define(‘WP_ALLOW_MULTISITE’, true);

On your next login, you will see a new menu labeled "Super Admin" which contains the functions to add new sites to wordpress.

The pure-ftpd package that comes with Debian 5.0 (Lenny) does not start in a OpenVZ virtual machine as it is compiled with "capabilities". This tutorial describes the steps to build a pure-ftpd Debian package with capabilities disabled:

Make a temporary directory

mkdir /usr/src/pure-ftpd
cd /usr/src/pure-ftpd

Download the source package for pure-ftpd

apt-get source pure-ftpd
apt-get build-dep pure-ftpd

Edit the rules file and add the switch "--without-capabilities"

cd pure-ftpd-1.0.21/debian
nano rules

Change the line:

optflags=--with-everything --with-largefile --with-pam --with-privsep --with-tls

to (one Line!):

optflags=--with-everything --with-largefile --with-pam --with-privsep --with-tls --without-capabilities

Build the Debian (.deb) package

cd ..
dpkg-buildpackage -uc -b

and install it

cd ..
dpkg -i pure-ftpd-common_1.0.21-11.4_all.deb pure-ftpd-mysql_1.0.21-11.4_i386.deb
/etc/init.d/pure-ftpd-mysql restart

To prevent that apt overwrites these manually compiled packages with the default packages from the Debian repositorys, execute these commands:

echo 'pure-ftpd-common hold' | dpkg --set-selections
echo 'pure-ftpd-mysql hold' | dpkg --set-selections

This tutorial is based on the german tutorial from planet_fox

How to update Spamassassin on ISPConfig 2

Thursday, May 27, 2010 - posted by Till

The spamassassin installation on a ISPConfig 2 server is normally updated together with ISPConfig. Here are the steps iIf you want to update spamassassin manually without updating ISPConfig 2:

Download the latest Spamassassin sources and unpack the tar.gz file

cd /tmp
wget http://ftp.fernuni-hagen.de/ftp-dir/pub/mirrors/\
www.apache.org/spamassassin/source/Mail-SpamAssassin-3.3.1.tar.gz
tar xfz Mail-SpamAssassin-3.3.1.tar.gz

Configure, make and install spamassassin

cd Mail-SpamAssassin-3.3.1
perl Makefile.PL PREFIX=/home/admispconfig/ispconfig/tools/\
spamassassin/usr SYSCONFDIR=/home/admispconfig/ispconfig/\
tools/spamassassin/etc
make
make install

Cleanup

cd ..
rm -f Mail-SpamAssassin-3.3.1.tar.gz
rm -rf Mail-SpamAssassin-3.3.1

How to enable port 587 (submission) in postfix

Monday, April 26, 2010 - posted by Till

Some internet access providers have port 25 disabled in their routers to prevent spam. If you run your own mailserver in a datacenter, you might have to enable the submission port (587) in postfix to be able to send emails from your local email client to your own mailserver.

To enable port 587, edit the file /etc/postfix/master.cf

vi /etc/postfix/master.cf

and remove the # in front of the line:

#submission inet n - n - - smtpd

so that it looks like this:

submission inet n - n - - smtpd

and restart postfix:

/etc/init.d/postfix restart