Main Page

From Wiki.onotech.org

Recently restored from google cache!


Firewalls/Blocked IPs

APF

Blacklist

vim /etc/apf/deny_hosts.rules 

Whitelist

vim /etc/apf/allow_hosts.rules 

Config file

vim /etc/apf/conf.apf 

Restart

/etc/init.d/apf restart 

Flush IP Tables

iptables -F

CSF

Use CSF to grep the current rules for an IP

csf -g ip.add.re.ss

CSF uses MaxMind's free GeoIP database to add geo info to the logs. You can also manually query what CSF has stored locally from the command line:

csf -i ip.add.re.ss

Blacklist

vim /etc/csf/csf.deny 

Whitelist

vim /etc/csf/csf.allow 

Restart (both CSF and LFD)

csf -ra 

Configuration

vim /etc/csf/csf.conf 

login failure log

/var/log/lfd.log 

Fun output: IP address and the LFD trigger that got it blocked (the log lines contain a literal *Blocked in csf*, so match it as a fixed string rather than a regex):

grep -F '*Blocked in csf*' /var/log/lfd.log | egrep -o '( (([0-9]{1,3}\.){3})[0-9]{1,3}|\[LF_.*)' | sed -e :a -e '$!N;s/\n\[/ \t==blocked for==\> \t\[/;ta' -e 'P;D'


Output looks like:

118.98.66.56    ==blocked for==> [LF_SMTPAUTH]
92.38.233.191   ==blocked for==> [LF_SSHD]
104.167.104.147 ==blocked for==> [LF_SSHD]
73.179.232.255  ==blocked for==> [LF_CPANEL]
118.163.76.38   ==blocked for==> [LF_SMTPAUTH]


cPHulk

Brute Force Protection deny/allow list edited through WHM

 Main >> Security Center >> cPHulk Brute Force Protection 

command line

Is it running?

/usr/local/cpanel/scripts/restartsrv_cphulkd --status 

stop and disable it

/usr/local/cpanel/etc/init/stopcphulkd
/usr/local/cpanel/bin/cphulk_pam_ctl --disable


Host Access Control

GUI in WHM (along with syntax/instructions):

Main >> Security Center >> Host Access Control

or edit the file directly:

/etc/hosts.allow 

keep in mind that there is

/etc/hosts.deny 

which WHM does not touch, but this is another place IPs can be manually blocked.


FTP

Passive mode issues

Determine which FTP service is in use, PureFTPd or proFTPd, then enable passive ports for that service.

By default the FTP configs will show/suggest 30000 to 50000; that is an unnecessarily large range of ports to open. Determine whether APF or CSF is in use, then make sure the ports are open in the firewall. Restart the services you updated. Make sure that passive mode is enabled in the FTP config.

For PureFTPd

backup the existing conf

cp -va /etc/pure-ftpd.conf{,.$(date +"%m-%d-%Y").bak}
vim /etc/pure-ftpd.conf 

add or modify to look something like this

#Port range for passive connections replies. - for firewalling. 
PassivePortRange 30000 35000 

xor

For proFTPd

backup the existing conf

cp -va /etc/proftpd.conf{,.$(date +"%m-%d-%Y").bak}
vim /etc/proftpd.conf 

add or modify to look something like this:

PassivePorts 30000 35000

Open those ports in the firewall

For CSF

backup the existing conf

cp -va /etc/csf/csf.conf{,.$(date +"%m-%d-%Y").bak}
vim /etc/csf/csf.conf 

add

30000:35000 

(CSF's range syntax is a colon)

to the end of

# Allow incoming TCP ports
TCP_IN = "ports,moreports,otherports,30000:35000" 

xor

For APF

backup the existing conf

cp -va /etc/apf/conf.apf{,.$(date +"%m-%d-%Y").bak}
vim /etc/apf/conf.apf 

add

30000_35000

(APF's range syntax is an underscore) to the end of

# Common inbound (ingress) TCP ports 
IG_TCP_CPORTS="ports,moreports,otherports,30000_35000" 

Check the Storm server firewall as well; it might be blocking the ports.

restart the services

service pure-ftpd restart 
service proftpd restart 

As well as APF or CSF


cPanel

Version

/usr/local/cpanel/cpanel -V 

or check the top right of WHM

Restart

/scripts/restartsrv_cpsrvd

force update

/scripts/upcp --force 

add spf and dkim server wide

for user in $(\ls -A /var/cpanel/users) ; do /usr/local/cpanel/bin/dkim_keys_install $user; /usr/local/cpanel/bin/spf_installer $user ; done 


bypass cpanel security questions:

echo "$(last |grep "still logged in" |awk '{print $3}')" >> /var/cpanel/userhomes/cpanel/.cpanel/securitypolicy/iplist/root
echo "10.20.4.233" >> /var/cpanel/userhomes/cpanel/.cpanel/securitypolicy/iplist/root

Chksrvd log

chkservd fails:

echo -e "\nchkservd fails\n" && egrep '\[\[check command:-\]' /var/log/chkservd.log | egrep -o '(20[0-9]{2}(-[0-9]{2}){2}\ [0-9]{2}(:[0-9]{2}){2}|[a-z]* \[\[check command:-\])'| sed 's/\[\[check command:-\]//g'

how far back does the log go:

egrep -o '20[0-9]{2}(-[0-9]{2}){2}\ [0-9]{2}(:[0-9]{2}){2}' /var/log/chkservd.log |head -n1


Apache

ea3

Restart

/etc/init.d/httpd restart 

Tail the Error log

tail -f /usr/local/apache/logs/error_log 

Config file on cPanel boxes

vim /usr/local/apache/conf/httpd.conf 

Apache's status

service httpd status 
httpd fullstatus 

Check for Max Clients

grep MaxClients /usr/local/apache/logs/error_log; ps aux | grep -c httpd; egrep 'MaxClients|ServerLimit' /usr/local/apache/conf/httpd.conf

ea4

Config file

/etc/apache2/conf.d/httpd.conf	

Error Log

tail -f /etc/apache2/logs/error_log	

connections made per ip

netstat -tn 2>/dev/null | grep ':80[[:space:]]' | awk '{print $5}' | cut -f1 -d: | sort | uniq -c | sort -rn | head

php-fpm

restart

/scripts/restartsrv_apache_php_fpm

Plesk?

tail /var/www/vhosts/<domain.com>/statistics/logs/error_log


MySQL

handy info

config file

vim /etc/my.cnf 


Error log

tail -f /var/lib/mysql/`hostname`.err 


Status and restart

systemctl status mysqld.service

/etc/init.d/mysql restart


watch -n1 mysqladmin proc stat


Jhayhoe's list frag tables

wget -O /scripts/fragmented.sh http://layer3.liquidweb.com/scripts/jhayhoe/fragmented.sh && chmod +x /scripts/fragmented.sh && /scripts/fragmented.sh


mysqlcheck

The mysqlcheck client performs table maintenance: It checks, repairs, optimizes, or analyzes tables
--all-databases, -A  Check all tables in all databases. This is the same as using the --databases option and naming all the databases on the command line.
--optimize, -o       Optimize the tables. 
--repair, -r         Perform a repair that can fix almost anything except unique keys that are not unique.
--auto-repair        If a checked table is corrupted, automatically fix it. Any necessary repairs are done after all tables have been checked. 


mysqlcheck -Aor


mysqlcheck --auto-repair --optimize --all-databases


other stuff

Shut it down and check tables

killall -9 tailwatchd
killall -9 crond
service mysql stop
find /var/lib/mysql -iname "*.MYI" -exec myisamchk -fUr {} \;
service mysql restart
service crond restart
/scripts/restartsrv_tailwatchd 


Optimize each table in a For loop,

for db in $(mysql -Nse 'show databases'); do for tbl in $(mysql -Nse 'show tables' "$db"); do mysql -e "optimize table \`$tbl\`" "$db"; done; done


MyTop

it's like top for mysql (If it is installed on the server)

http://jeremy.zawodny.com/mysql/mytop/mytop-1.6.tar.gz 

mytop

innodb

what tables are using innodb

mysql -e "SELECT table_schema, table_name FROM INFORMATION_SCHEMA.TABLES WHERE engine = 'innodb';"

conf

located in

/etc/my.cnf 


Mysql Memory settings

echo -e "\n\n================Mysql Mem configured settings================" && awk '/(key|i.*b)_b.*r_(pool_)?(s.*|.*es)/{sub("="," "); print $1,$2}' /etc/my.cnf && echo -e "\n================Mysql Mem current settings================" && mysql -e "show variables" |awk '/(key|innodb)_buffer_(pool_)?(size|.*es)/{if($1~/.*es/)print$1,$2; else print$1,$2/1048576"M"}' && echo -e "\n================Mysql Mem suggested settings================" && mysql -Bse 'show variables like "datadir";'|awk '{print $2}'|xargs -I{} find {} -type f -printf "%s %f\n"|awk -F'[ ,.]' '{print $1, $NF}'|awk '{array[$2]+=$1} END {for (i in array) {printf("%-15s %s\n", sprintf("%.3f MB", array[i]/1048576), i)}}' | awk '{if($3~/MYI/)print"key_buffer_size\t\t",$1"M"};{if($3~/ibd/)a+=$1}END{print "innodb_buffer_pool_size\t",a"M"}'

Plesk

old

restart (notice the d)

/etc/init.d/mysqld restart 


This will give you the admin password to Plesk

cat /etc/psa/.psa.shadow; echo -e "\n"; 


Use this password with:

mysql -u admin -p 

watch "mysqladmin proc stat -u admin -p`cat /etc/psa/.psa.shadow`"

new

access the plesk db

plesk db

alternatively

MYSQL_PWD=$(cat /etc/psa/.psa.shadow) mysql -uadmin psa

nightly dumps of the plesk db are in

/var/lib/psa/dumps/

restoring from a backup

zcat mysql.daily.dump.0.gz | plesk db

back it up as is

plesk db dump > backup.sql

Screen

Ctrl+a then d is the keyboard shortcut to detach


Error?

Directory '/var/run/screen' must have mode 777.

no prob:

chmod g+s /usr/bin/screen 

all set

List current screens

screen -ls 

Create new screen

screen -S [name] 

Attach

screen -r [screen name] 

Detach

screen -d [screen name] 

Join already attached or unattached...

screen -x [screen name] 

screen -x by itself, will join the screen if there is only one to join

EasyApache

Do before:

USR=lw.$(date +%s); FILE=/root/preEA.$USR;cp /usr/local/apache/conf/httpd.conf{,.bak.$USR}; cp /usr/local/lib/php.ini{,.bak.$USR}; touch $FILE; cat > $FILE <(echo -e "\n--Current Handler--\n" ; /usr/local/cpanel/bin/rebuild_phpconf --current ; if [ -x /usr/bin/php4 ] ;then echo -e "\n--PHP 4 Version--\n" ; php4 -v 2>&1; echo -e "\n--PHP 4 Modules--\n"; php4 -m 2>&1 ;fi;if [ -x /usr/bin/php5 ] ;then echo -e "\n--PHP 5 Version--\n"; php5 -v ; echo -e "\n--PHP 5 Modules--\n"; php5 -m;fi ;echo -e "\n--Apache Version--\n" ;/usr/local/apache/bin/httpd -V; echo -e "\n--Apache Modules--\n";/usr/local/apache/bin/httpd -l ; echo -e "\n\n--Date Created: $(date +%c)--";echo -e "\n--Configuration files--\n" ; echo "httpd.conf: /usr/local/apache/conf/httpd.conf.bak.$USR"; echo "php.ini: /usr/local/lib/php.ini.bak.$USR";) ; echo -e "\nPreEA configuration stored in \n$FILE" 


do it in a screen!

screen -S EA /scripts/easyapache


suPHPfix + suPHP

outdated

Save-state

Saves the file permissions of (all|cPuser) in their current state. However, this will overwrite the previous save state if run a second time! The save state is a JSON file located in:

/var/cache/suphpfix 

backup the appropriate file in this directory if you are going to run this a second time

something like

cp -rfa /var/cache/suphpfix /var/cache/$(date +"%m%d%Y").suphpfix.bak

Check the ticket to see if it was run previously !

suphpfix --save-state (all|cPuser) 


Prep all

makes the changes to the permissions

suphpfix --prep (all|cPuser)

Restore-state

restores from the current save state in

/var/cache/suphpfix

suphpfix --restore-state (all|cPuser)

switch to suPHP

/usr/local/cpanel/bin/rebuild_phpconf 5 none suphp enabled 

SpamAssassin

Disable forwarding for DNSBL queries for SpamAssassin. Needs more testing!

sed -i.preSAfix.bak -e '1iinclude "/etc/named.disable.DNSBL.fwding.conf";' /etc/named.conf
touch /etc/named.disable.DNSBL.fwding.conf && chown named: /etc/named.disable.DNSBL.fwding.conf
cat <<EOF >> /etc/named.disable.DNSBL.fwding.conf
view "DNSBL zones" {
//Disable forwarding for DNSBL queries for SpamAssassin
//
//http://wiki.apache.org/spamassassin/CachingNameserver
//
//If you have a large ISP or are using large public DNS provider(s)
//it is recommended you not forward mail-related DNS traffic through
//their DNS servers (though non-mail DNS traffic from your site shouldn't
//have problems.) With bind, this means not having any "forwarders" listed.
//Or, at a minimum, you could create exemptions by
//defining empty forwarders for DNSBL zones, like this:
zone "multi.uribl.com" { type forward; forward first; forwarders {}; };
zone "dnsbl.sorbs.net" { type forward; forward first; forwarders {}; };
zone "combined.njabl.org" { type forward; forward first; forwarders {}; };
zone "activationcode.r.mail-abuse.com" { type forward; forward first; forwarders {}; };
zone "nonconfirm.mail-abuse.com" { type forward; forward first; forwarders {}; };
zone "iadb.isipp.com" { type forward; forward first; forwarders {}; };
zone "bl.spamcop.net" { type forward; forward first; forwarders {}; };
zone "fulldom.rfc-ignorant.org" { type forward; forward first; forwarders {}; };
zone "list.dnswl.org" { type forward; forward first; forwarders {}; };
zone "blackholes.mail-abuse.org" { type forward; forward first; forwarders {}; };
zone "bl.score.senderscore.com" { type forward; forward first; forwarders {}; };
zone "zen.spamhaus.org" { type forward; forward first; forwarders {}; };
};
EOF
service named restart

SA-learn script

stolen and modified from jpurkis

enable Bayes in the user_conf
use_bayes 1
bayes_auto_learn 1
bayes_min_ham_num 50
bayes_min_spam_num 50


su to the cPanel user in question and add a cronjob to run the following script, (placed where the cPanel user can access it).

#!/bin/bash
# Runs from the cPanel user's own crontab, so take the username from the running account
user=$(id -un)
#Find and learn spam
find /home/$user/mail/ -type d -name ".Junk" -exec /usr/local/cpanel/3rdparty/bin/sa-learn --no-sync --spam {}/{cur,new}/ \;
#Find and learn ham
find /home/$user/mail/ -type d -name ".non-spam" -exec /usr/local/cpanel/3rdparty/bin/sa-learn --no-sync --ham {}/{cur,new}/ \;
#sync the Bayes database
/usr/local/cpanel/3rdparty/bin/sa-learn --sync
#clean out learned spam
for i in $(find /home/$user/mail/ -type d -name ".Junk" ); do rm -f $i/{cur,new}/* ; done
#remove week old spam
for i in $(find /home/$user/mail/ -type d -name ".spam") ; do find $i/{cur,new}/ -type f -mtime +7 -exec rm -f {} \; ; done


exim

Mail queue cleanup

Find out who is 'authing' the mail; this needs to be addressed first. Stop the outgoing mail, then clean it up.

find /var/spool/exim/input/ -name '*-H' | xargs egrep 'auth_id' 


Subject lines

find /var/spool/exim/input/ -name '*-H' | xargs egrep ' Subject:'


refine the results

is all the spam authed by the same user?

find /var/spool/exim/input/ -name '*-H' | xargs egrep 'auth_id someuser@domain' 


or

find /var/spool/exim/input/ -name '*-H' | xargs egrep 'auth_id somecpuser'


or are the subject lines all the same?

find /var/spool/exim/input/ -name '*-H' | xargs egrep ' Subject: Discount spam, free' 


then pipe that to:

Regex for pulling out the mail ID

| egrep '([0-9a-zA-Z]{6}\-){2}[0-9a-zA-Z]{2}' -o 


then pipe that to the exim command that removes mail by mail ID. Removing the mail by mail ID:

| xargs exim -Mrm


clear out bounces etc.

find /var/spool/exim/input/ -name '*-H' | xargs egrep 'Subject: (Undelivered Mail|Mail delivery|Mail failure|Delivery Status|Returned mail|Undeliverable|failure notice|Warning: message)' | egrep -o '[0-9a-zA-Z]{6}-[0-9a-zA-Z]{6}-[0-9a-zA-Z]{2}' | xargs exim -Mrm
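The queue-triage steps above (who is authing, same subject, pull the IDs, remove them) as an added example that is not from the wiki: it runs over a constructed spool directory instead of /var/spool/exim/input/, takes the message ID from the -H filename rather than regexing it back out, and prints the exim -Mrm commands instead of running them. make_sample_spool and write_hdr are hypothetical helpers that fabricate the spool files.

```shell
#!/bin/bash
# Added example, not the wiki's own commands. Assumes the exim spool layout the section
# greps: <spool>/**/<msgid>-H header files holding a "-auth_id <sender>" line and
# "NNN  Subject: ..." header lines. Everything below is constructed sample data.

# Write one fake header file: write_hdr DIR MSGID AUTH_ID SUBJECT
write_hdr() {
  printf '%s-H\nnobody 99 99\n<>\n-auth_id %s\n035  Subject: %s\n' "$2" "$3" "$4" > "$1/$2-H"
}

# Constructed spool: three queued messages authed as bulk@example.com, one legitimate one.
make_sample_spool() {
  mkdir -p "$1/a" "$1/b"
  write_hdr "$1/a" 1aAbCd-000001-AA bulk@example.com  "Discount spam, free"
  write_hdr "$1/a" 1aAbCd-000002-AB bulk@example.com  "Discount spam, free"
  write_hdr "$1/b" 1aAbCd-000003-AC bulk@example.com  "Discount spam, free"
  write_hdr "$1/b" 1aAbCd-000004-AD alice@example.com "Re: invoice"
}

# Step 1, "who is authing the mail": queued messages per authenticated sender, most first.
exim_auth_counts() {
  find "$1" -name '*-H' -exec grep -h '^-auth_id ' {} + \
    | awk '{ print $2 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Message IDs of everything authed as $2. The ID is the -H filename minus its suffix,
# which is more reliable than regexing it out of grep's output.
exim_ids_for_auth() {
  find "$1" -name '*-H' -exec grep -l "^-auth_id $2\$" {} + \
    | sed 's#.*/##; s/-H$//'
}

# Message IDs whose Subject header matches the extended regex $2 (the "same subject" check).
exim_ids_with_subject() {
  find "$1" -name '*-H' -exec grep -lE " Subject: .*$2" {} + \
    | sed 's#.*/##; s/-H$//'
}

# Final step as a dry run: print the removal commands so the list can be reviewed
# before anything is actually removed with exim -Mrm.
exim_rm_dryrun() {
  while read -r id; do echo "exim -Mrm $id"; done
}

spool=$(mktemp -d)
make_sample_spool "$spool"
echo "== messages per auth_id =="
exim_auth_counts "$spool"
echo "== would remove (authed as bulk@example.com) =="
exim_ids_for_auth "$spool" bulk@example.com | exim_rm_dryrun
rm -rf "$spool"
```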


Babysitting cleanup of a large queue?

Make your notes look nice:

echo -e "#queue $(exim -bpc) @$(date) on $(hostname)" 


periodically run that, to get nice output, eg:

#queue 96910 @Fri Feb 27 08:28:48 EST 2015 on host.server.com
#queue 96710 @Fri Feb 27 08:28:58 EST 2015 on host.server.com
#queue 96595 @Fri Feb 27 08:29:08 EST 2015 on host.server.com 


general

restart

/etc/init.d/exim restart

what is going on

exiwhat 

number of messages in queue

exim -bpc 

start the queue

exim -q -v 


clean out default mail inbox

find /home/$(cpuser)/mail/{cur,new}/ -type f -exec rm -f {} \;


where $(cpuser) is the user. Alternatively add

-mtime +7


to leave anything newer than one week if the user wants to review it. Then make the cPanel interface report the correct value:

/scripts/generate_maildirsize --confirm --allaccounts --verbose $(cpuser) 


log location

/var/log/exim_mainlog 


Can't ping liquidweb.com? Check

vim /etc/resolv.conf 

try google's resolvers 8.8.8.8

list all mailbox users and disk/quotas

for cPUser in `\ls -A1 /var/cpanel/users|grep -v ^system$` ;do echo \  "${cPUser}"\ ; sudo -u "${cPUser}" /usr/local/cpanel/cpanel-email listpopswithdisk | awk -F"===|/" '{print$1"\n>Used:\t\t\t\t\t\t"$2"\n>Quota: "$3}' |numfmt --to=si --field 2  --invalid=ignore ;done

diskspace clean up

/var filling up? Clear the yum cache:

yum clean all


checking usage

file system disk usage

df -h

make it fancy

df -Ph| awk '{if(0+$5>=80)print"\033[31m"$0"\033[0m"};{if($1~"Filesystem")print};{if($5<=80)print$0}' 

Summarize disk usage of each FILE, recursively for directories.

du -h --max-depth=1 


df and du discrepancy

If df and du do not agree, one or more processes are keeping a deleted file open: df still counts it and du does not. Find them and kill them! Find it, make sure these can be killed, make a note, etc.

lsof | grep "deleted" 


nice output if the size is >0, i.e.

COMMAND PID SIZE NAME 


lsof | grep deleted |awk '{if ($7>0) print $1,$2"\t"$7/1024/1024"M\t" $9}' 


Kill them:

kill -15 <PID>


inodes

Plenty of free space but the disk is still full? Check the number of inodes used; no free inodes = no new files.

df -i


purge_dead_comet_files:

/usr/local/cpanel/bin/purge_dead_comet_files


delete files from a list. Make sure you are rm'ing the right stuff: echo it first!

for i in `cat /filepath/to/listtodelete.txt`; do echo "/dir/where/files/live/$i"; done 


once you are sure, make sure again, then delete with:

for i in `cat /filepath/to/listtodelete.txt`; do rm -Rf /dir/where/files/live/$i; done

Mod sec

install LW rules

yum install lp-modsec2-rules.noarch 


copy old modsec whitelist to new one

cat /usr/local/apache/conf/modsec/00_asl_whitelist.conf > /usr/local/apache/conf/modsec2/whitelist.conf 


Modsec finder (in progress)

clear; echo "ModSec tripping"; read -p "enter IP here " IP; DATE=$(date '+%b %d'); echo -e "\n\nModSec rules triped on $DATE\nand what to whitelist:\n\n "; grep "$DATE" /usr/local/apache/logs/error_log |grep modsec |grep $IP |egrep '\[id \"[0-9]*\"\]' | egrep -o '\[id \"[0-9]*\"\]|\[uri "[^"]+"\]' |egrep -o '[0-9]{4,9}|\"((\/[A-Za-z0-9\-]*)*)\.[a-zA-Z]{3,4}\/?\"' |tr '\n' ' '| sed 's/\/\"/&\n/g' |sed 's/[a-z]\"/&\n/g'|egrep -v '^ $' |sort |uniq -c | sort -rn |awk '{print $1" instance(s) of \n\n<LocationMatch "$3">\n SecRuleRemoveById "$2 "\n</LocationMatch> \n\n"}' 

Search for modsec errors

grep -i modsec /usr/local/apache/logs/error_log | grep (enter domain here) | sed "s/$/\n/" 

grep for cust's ip or domain or whatever then append:

|grep ModSec |grep "\[id "| grep -oP '\[\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}]|\[id "\d+"\]|\[uri "[^"]+"\]' | tr '\n' ' ' |sed 's/alpha:\"\]/&\n/g' |sed 's/\[id \"/\n[id "/g' 

regex for grabbing out ip, uri and id

egrep 'date or ip or whatever' /usr/local/apache/logs/error_log | grep -i modsec  |grep -noP '(?:(?<=client )(?:\d{1,3}\.){3}\d{1,3}(?=])|(?<=uri ")[^"]+|(?<=id ")\d+)'

regex for grabbing out date, ip, uri, and id.

grep -noP '\w{3}\s\w{3}(?:\s\d{2}){2}(?::\d{2}){2}|(?<=client )(?:\d{1,3}\.){3}\d{1,3}(?=])|(?<=uri ")[^"]+|(?<=id ")\d+'

Only list them once and count multiples

grep modsec /usr/local/apache/logs/error_log |grep (enter domain here) |awk -F] '{$1=$(NF-1)="";print}'| uniq -c | sed "s/$/\n/" 


get the uri and id: the uri is with quotes, the ruleid is just the number without quotes! add

<LocationMatch "/URI/From/Error">
SecRuleRemoveById $ruleid 
</LocationMatch> 


to (in most cases)

vim /usr/local/apache/conf/modsec2/whitelist.conf 


restart apache

/etc/init.d/httpd restart 
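The "Modsec finder" procedure above (tally rule ids and URIs tripped by a client, then draft the LocationMatch/SecRuleRemoveById entries) as an added example that is not the wiki's script: it parses the standard ModSecurity 2 [client ...], [id "..."] and [uri "..."] fields with awk instead of a chain of greps, and runs over a constructed error_log. modsec_fields, modsec_summary, modsec_whitelist and make_sample_modsec_log are hypothetical names; the rule ids 900001/900002 are made up for the sample.

```shell
#!/bin/bash
# Added example, not from the wiki. Constructed sample log lines (not real traffic);
# the field layout is ModSecurity 2's, the rule ids and hosts are invented.
make_sample_modsec_log() {
  cat > "$1" <<'EOF'
[Mon Mar 02 10:15:01 2015] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select.*from" at ARGS:q. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "12"] [id "900001"] [msg "Sample SQLi rule"] [hostname "example.com"] [uri "/index.php"] [unique_id "a"]
[Mon Mar 02 10:15:02 2015] [error] [client 203.0.113.5] File does not exist: /home/example/public_html/favicon.ico
[Mon Mar 02 10:15:09 2015] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select.*from" at ARGS:q. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "12"] [id "900001"] [msg "Sample SQLi rule"] [hostname "example.com"] [uri "/index.php"] [unique_id "b"]
[Mon Mar 02 10:16:30 2015] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "40"] [id "900002"] [msg "Sample anomaly rule"] [hostname "example.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "c"]
[Mon Mar 02 10:17:44 2015] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select.*from" at ARGS:q. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "12"] [id "900001"] [msg "Sample SQLi rule"] [hostname "example.com"] [uri "/index.php"] [unique_id "d"]
EOF
}

# One "id uri client" line per ModSecurity hit; optional $2 restricts to one client IP
# (the finder's "enter IP here" step).
modsec_fields() {
  awk -v want="${2:-}" '
    /ModSecurity/ && /\[id "/ {
      ip = id = uri = "-"
      if (match($0, /\[client [0-9.]+/)) ip  = substr($0, RSTART + 8, RLENGTH - 8)
      if (match($0, /\[id "[0-9]+"\]/))  id  = substr($0, RSTART + 5, RLENGTH - 7)
      if (match($0, /\[uri "[^"]+"\]/))  uri = substr($0, RSTART + 6, RLENGTH - 8)
      if (want == "" || ip == want) print id, uri, ip
    }' "$1"
}

# Distinct (id, uri, client) triples with counts, most frequent first: "N id uri client".
modsec_summary() {
  modsec_fields "$1" "${2:-}" | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Draft whitelist entries for every (id, uri) pair hit at least $2 times (default 1).
# Review the rule before pasting these in: SecRuleRemoveById switches that rule off for
# every request matching the LocationMatch regex, so keep the URI as narrow as possible.
modsec_whitelist() {
  modsec_fields "$1" | awk -v min="${2:-1}" '
    { hits[$1 " " $2]++ }
    END {
      for (k in hits) if (hits[k] >= min) {
        split(k, p, " ")
        printf "# %d hit(s) of rule %s\n<LocationMatch \"%s\">\n  SecRuleRemoveById %s\n</LocationMatch>\n\n", hits[k], p[1], p[2], p[1]
      }
    }'
}

log=$(mktemp)
make_sample_modsec_log "$log"
echo "== rules tripped =="
modsec_summary "$log"
echo "== whitelist draft (2 or more hits) =="
modsec_whitelist "$log" 2
rm -f "$log"
```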


Plesk?

grep ModSec /var/www/vhosts/domain.com/statistics/logs/error_log 


add

<LocationMatch "/URI/From/Error">
SecRuleRemoveById $ruleid
</LocationMatch> 


to

vim /var/www/vhosts/<domain.com>/conf/vhost.conf 


or if a subdomain

vim /var/www/vhosts/<domain.com>/subdomains/<NameOfSubdomain>/conf/vhost.conf 


rebuild plesk

/usr/local/psa/admin/bin/httpdmng --reconfigure-domain followed by <domain.com> or <sub.domain.com>


like:

/usr/local/psa/admin/bin/httpdmng --reconfigure-domain <sub.domain.com> 


restart apache

/etc/init.d/httpd restart 


test again:

tail -f /var/www/vhosts/domain.com/statistics/logs/error_log |grep ModSec 


Making a new rule: define it in here and assign it a $ruleid

vim /usr/local/apache/conf/modsec2.user.conf 

then you can add $ruleid to

<LocationMatch "/URI/From/Error"> 
SecRuleRemoveById $ruleid 
</LocationMatch> 

like normal

PHP

php.ini

To see where the file is loading from use:

php -i |grep -i loaded 


you will get:

Loaded Configuration File => /path/to/php.ini 


in general, on cPanel it is:

vim /usr/local/lib/php.ini 


common values to change

memory_limit = <>M
upload_max_filesize = <>M
post_max_size = <>M

keep upload_max_filesize < post_max_size
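A check for the constraint just stated, as an added example that is not from the wiki: it reads the three directives out of a php.ini file, converts PHP's shorthand sizes (M, G, K) to bytes and verifies upload_max_filesize <= post_max_size, plus the PHP manual's companion rule that memory_limit should be larger than post_max_size. php_ini_get, php_ini_bytes and php_ini_check are hypothetical helper names and the ini fragments are constructed.

```shell
#!/bin/bash
# Added example, not from the wiki; helper names are hypothetical.

# Read one directive from a php.ini file; the last uncommented assignment wins, as in PHP.
# Prints nothing if the directive is absent. Handles optional quotes and trailing comments.
php_ini_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\";]*\).*/\1/p" "$1" \
    | sed 's/[[:space:]]*$//' | tail -n 1
}

# Convert PHP shorthand (32M, 2G, 512K, plain bytes, or -1 for unlimited) to bytes.
php_ini_bytes() {
  local v=${1:-0}
  case "$v" in
    -1)    printf '%s\n' -1 ;;
    *[Gg]) printf '%s\n' $(( ${v%[Gg]} * 1024 * 1024 * 1024 )) ;;
    *[Mm]) printf '%s\n' $(( ${v%[Mm]} * 1024 * 1024 )) ;;
    *[Kk]) printf '%s\n' $(( ${v%[Kk]} * 1024 )) ;;
    *)     printf '%s\n' $(( v )) ;;
  esac
}

# Returns 0 when upload_max_filesize <= post_max_size <= memory_limit (memory_limit -1 is
# unlimited), 1 otherwise, and prints what it found so the mismatch is obvious before the restart.
php_ini_check() {
  local f=$1 up post mem
  up=$(php_ini_bytes "$(php_ini_get "$f" upload_max_filesize)")
  post=$(php_ini_bytes "$(php_ini_get "$f" post_max_size)")
  mem=$(php_ini_bytes "$(php_ini_get "$f" memory_limit)")
  echo "upload_max_filesize=$up post_max_size=$post memory_limit=$mem"
  if [ "$up" -gt "$post" ]; then
    echo "BAD: upload_max_filesize is larger than post_max_size; uploads that size will fail"
    return 1
  fi
  if [ "$mem" -ne -1 ] && [ "$post" -gt "$mem" ]; then
    echo "BAD: post_max_size is larger than memory_limit"
    return 1
  fi
  echo "OK"
}

# Constructed php.ini fragments, not copied from any server.
good=$(mktemp); bad=$(mktemp)
printf 'memory_limit = 128M\n; post_max_size = 2M\npost_max_size = 64M\nupload_max_filesize = 32M\n' > "$good"
printf 'memory_limit = -1\npost_max_size = 8M\nupload_max_filesize = 32M\n' > "$bad"
php_ini_check "$good"
php_ini_check "$bad" || echo "(fix the values before restarting apache)"
rm -f "$good" "$bad"
```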


Restart apache to have changes take effect

/etc/init.d/httpd restart


php.conf

Another php configuration file. It is used with the fastCGI php handler

/usr/local/apache/conf/php.conf 


So far I've only run into "mod_fcgid: HTTP request length" value errors here. Add or increase the value of

MaxRequestLen

Restart apache to have changes take effect

/etc/init.d/httpd restart 


Plesk? In Plesk, php.ini lives in the same spot it does on any non-cPanel environment: /etc/php.ini

vim /etc/php.ini 


Restart apache to have changes take effect

/etc/init.d/httpd restart


Custom php.ini

cgi and fcgi

Double check which is the current php handler

/usr/local/cpanel/bin/rebuild_phpconf --current


Also remember to check whether the account has CGI privileges, via WHM: Modify an Account, under Privileges. If it is unchecked this will not work, and the error messages are not helpful.

CGI

First copy the php.ini over

cd /home/(username)/public_html/cgi-bin
cp /usr/local/lib/php.ini php.ini
chown (username). php.ini 


In the .htaccess in the public_html,

vim /home/(username)/public_html/.htaccess 


add the following at the very top of the file before everything:

AddHandler php-cgi .php
Action php-cgi /cgi-bin/phpini.cgi


make the phpini.cgi file

vim /home/(username)/public_html/cgi-bin/phpini.cgi 


with the following contents:

#!/bin/sh 
export PHPRC=/home/(username)/public_html/cgi-bin/php.ini 
exec /usr/local/cpanel/cgi-sys/php5 -c /home/(username)/public_html/ 


Also make sure that you correct the permissions on the phpini.cgi.

chmod +x /home/(username)/public_html/cgi-bin/phpini.cgi
chown (username). /home/(username)/public_html/cgi-bin/phpini.cgi 


then, make the phpinfo.php file,load it in a browser, and make sure the new custom php.ini is being loaded:

Loaded Configuration File = /home/(username)/public_html/cgi-bin/php.ini 


and not the main php.ini:

Loaded Configuration File = /usr/local/lib/php.ini


FCGI

First copy the php.ini over

cd /home/(username)/public_html/cgi-bin
cp /usr/local/lib/php.ini php.ini
chown (username). php.ini


In the .htaccess in the public_html,

vim /home/(username)/public_html/.htaccess 


add the following at the very top of the file before everything:

AddHandler php5-fastcgi .php
Action php5-fastcgi /cgi-bin/php.fcgi


Make the php.fcgi file

vim /home/(username)/public_html/cgi-bin/php.fcgi 


with the following contents:

#!/bin/sh 
export PHP_FCGI_CHILDREN=1 
export PHP_FCGI_MAX_REQUESTS=10 
exec /usr/local/cpanel/cgi-sys/php5 


Also make sure that you correct the permissions on the php.fcgi.

chmod +x /home/(username)/public_html/cgi-bin/php.fcgi
chown (username). /home/(username)/public_html/cgi-bin/php.fcgi 


then, make the phpinfo.php file,load it in a browser, and make sure the new custom php.ini is being loaded:

Loaded Configuration File = /home/(username)/public_html/cgi-bin/php.ini 


and not the main php.ini:

Loaded Configuration File = /usr/local/lib/php.ini


suPHP

copy the global php.ini over as the base for the custom

cd /home/(username)/public_html/
cp /usr/local/lib/php.ini php.ini
chown (username). php.ini 


In the .htaccess in the public_html,

vim /home/(username)/public_html/.htaccess 


add the following at the very top of the file before everything:

suPHP_ConfigPath /home/user/public_html
<Files php.ini>
order allow,deny
deny from all
</Files>


then, make the phpinfo.php file,load it in a browser, and make sure the new custom php.ini is being loaded:

Loaded Configuration File = /home/(username)/public_html/php.ini 


and not the main php.ini:

Loaded Configuration File = /usr/local/lib/php.ini


phpinfo.php

move to the directory where you want to place the phpinfo.php page, then make it:
echo "<?php phpinfo(); ?>" > ./phpinfo.php && chown $(pwd | cut -d/ -f3). ./phpinfo.php


linzardry

OS version

cat /etc/redhat-release 


Linux kernel bit

getconf LONG_BIT 


load script

wget -O /root/load_chugger.sh http://trippinglizard.com/load_chugger.sh; bash /root/load_chugger.sh 


memory

free -m 


Nice output of %total Free Physical Memory + cached memory

cat /proc/meminfo | perl -e 'while(<>){ if(m/^(MemTotal|MemFree|Cached)/){ m/(\d+)/; push(@foo, $1); } } printf("%.2f%% Free Physical Memory\n", ( ( $foo[1] + $foo[2]) / $foo[0] ) * 100 ) ;'


grep

grep for != <variable>
grep -v <variable> 


copy

keep perms and owners

cp -rfa 


Handy bash wizardry for cp

add:

{,<nameofbakfile>} like: {,.bak}


or

{,.lwbak}


to the end of the filepath. i.e.

cp /path/to/file{,<nameofbakfile>}


would create the file:

/path/to/file<nameofbakfile> 


example:

cp /usr/local/lib/php.ini{,.lwbak} 


creates the file:

/usr/local/lib/php.ini.lwbak 


Works with move (mv) also!

Dated backups

cp /path/to/stuff{,.$(date +"%m-%d-%Y").bak} 


awk

It is not the size of the awk command, it is how you use it. awk is very helpful for manipulating output into handy "Kraft Cop-i-past-a-bles™"

awk '{print <variables> }' 


variables

$column_number
commas <,> denote spaces
echo "strings"
numbers
math operators
"\n" is a new line
"\t" is a tab


NF, The Last field

$NF is the last field. Try mathing the "NF" variable!
$(NF-n) is "n" fields over from the last field
$(NF-0) the last field
$(NF-1) second to last field, etcetera!

Example: let's grep out the time and the 1min, 5min, and 15min load averages from every loadwatch log that has triggered today:

cat /root/loadwatch/loadwatch.$(date +"%Y-%m-%d")* |grep "top - " |awk '{print $3"\t"$(NF-2)"\t"$(NF-1)"\t"$NF}' 


would give you output similar to:

04:05:04  21.40,  10.52,  4.21 
11:52:19  83.74,  50.38,  21.74 
11:56:11  109.98, 79.96,  39.31 
12:20:14  124.66, 66.60,  28.87 
12:23:42  130.51, 103.27, 51.41 
12:24:01  93.53,  96.59,  50.32 
12:17:42  59.66,  31.55,  13.19


Substring

Sometimes you want to further refine just one column

substr($column_number,Starting_Character,Number_of_Characters_After_the_Starting_Character)
substr($3,1,5)

in the previous example,

let's say you just wanted the time without the seconds, i.e.

04:05
11:52
11:56
12:20 


not

04:05:04
11:52:19
11:56:11
12:20:14


replace $3 with substr($3,1,5): still grab the third column ($3), but just grab five (5) characters, starting at the first (1).

If statements

try using them in front of print!

awk '{if ($5 > 5) print $5,$1,$2}'

if column 5 is greater than 5 print columns 5,1,and 2.

Example: using sar, show anytime the one minute load was above 10 then print that load and what time it happened

sar -q | awk '!/ld|Lin/{if ($5 > 10) print $5"\t"$1,$2}' 


will result in nice output like:

13.35 09:30:04 AM 
16.07 11:10:17 AM
10.92 11:20:02 AM

try:

sar -q | awk -v cores=$(nproc) '!/ld|Lin|LIN/ {if ($5 > cores) print $5"\t"$1,$2}'

(inside awk the -v variable is just cores; $cores would be read as a field number)

Field Delimiters

Also you can add the -F<character> flag to specify the field delimiter (what separates the columns), i.e.

awk -F@ '{ print $NF }' 


this would be: print everything after the last "@"

Sum of every line

Adds each line... you know what sum means.

awk '{a+=$0}END{print a}'


add just column 7

awk '{a+=$7}END{print a}'


First and Last line

This is helpful in finding a time frame. Pipe the output of a search through

awk 'NR==1;END{print}' 


You can also use the sed equivalent as it is shorter:

sed -n '1p;$p' 


but let's say you want to just print column 4 (the time stamp) from a domlog

awk 'NR==1{print$4};END{print$4}' 


combine the results with the output of wc of the same data and you have helpful information.
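The "first and last line plus wc" idea above, generalised as an added example that is not from the wiki: log_window takes column 4 of an Apache domlog (the "[" stripped with substr, as the substring section shows) for every line matching a pattern and prints the first and last timestamp, the hit count, the span in seconds and the rate per minute; top_clients lists which IPs sent them. Both names and make_sample_domlog are hypothetical, and the sample log is constructed.

```shell
#!/bin/bash
# Added example, not from the wiki. Constructed domlog lines in Apache combined format.
make_sample_domlog() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [02/Mar/2015:10:00:01 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2015:10:00:05 -0500] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "curl/7.29"
203.0.113.5 - - [02/Mar/2015:10:00:06 -0500] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "curl/7.29"
198.51.100.7 - - [02/Mar/2015:10:03:17 -0500] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2015:10:04:05 -0500] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "curl/7.29"
EOF
}

# log_window FILE [REGEX]: time frame of the matching requests. The span assumes the
# matches fall on one day, which is what a per-day domlog gives you.
log_window() {
  awk -v pat="${2:-.}" '
    $0 ~ pat {
      n++
      ts = substr($4, 2)                  # drop the leading "[" from [02/Mar/2015:10:00:05
      split(substr($4, 14, 8), t, ":")    # HH:MM:SS -> seconds since midnight
      sec = t[1] * 3600 + t[2] * 60 + t[3]
      if (n == 1) { first = ts; fsec = sec }
      last = ts; lsec = sec
    }
    END {
      span = lsec - fsec
      rate = (span > 0) ? n * 60 / span : n
      printf "first=%s last=%s hits=%d span_s=%d per_min=%.2f\n", first, last, n, span, rate
    }' "$1"
}

# top_clients FILE [REGEX] [N]: the N client IPs (column 1) with the most matching requests.
top_clients() {
  awk -v pat="${2:-.}" '$0 ~ pat { c[$1]++ } END { for (ip in c) print c[ip], ip }' "$1" \
    | sort -rn | head -n "${3:-5}"
}

log=$(mktemp)
make_sample_domlog "$log"
echo "== login POSTs =="
log_window "$log" 'POST /wp-login'
top_clients "$log" 'POST /wp-login' 3
echo "== whole log =="
log_window "$log"
rm -f "$log"
```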

cut

cut works similar to awk with the -F flag

cut -d '<character>' -f<column-number> 


i.e.

cut -d ':' -f2 


Would be the same as

awk -F: '{print $2}'


cut vs awk

Cut is much quicker than awk, but awk is more powerful and has more options. It is an awkward thing to say, but sometimes cut just doesn't cut it. Puns removed for your safety

create/delete user

$user = the username you want

useradd $user
userdel -r $user 


give that user a password

passwd $user 


add the user to the sudoers file: run

visudo


and add

$user ALL=(ALL) ALL 


$user will be able to use sudo with their own password instead of root's

number of cores

grep -c proc /proc/cpuinfo 
nproc 


find and change 777 perms

change all directories and files in every user's docroot from 777 to a more appropriate 755 for directories and 644 for files

find /home/*/public_html/ -type d -perm 777 -exec chmod 755 '{}' \;
find /home/*/public_html/ -type f -perm 777 -exec chmod 644 '{}' \;


grep ps aux better

ps faux | egrep 'START|<program>' | grep -v grep 


quick info dump

lynx -dump -width 500 localhost/whm-server-status > /home/temp/connections.txt 


Server stats

This is a super long one liner that shows several bits of handy info.

exec 3<&1 && bash <&3 <(curl -sq http://layer3.liquidweb.com/serverstats) 


try it on your vps!

rsync

From current server to remote server

rsync -avH /path/to/file user@(host.domain.com-or-IP):/path/on/remote/domain 


within a server

rsync -avH /path/to/file/to/move /path/to/destination/ 


test it out first! use the flag --dry-run for great success in avoiding tears

--dry-run


Tar etc.

Create a tar

tar -czvf file.tar.gz /path/to/file


Extract a .tar.gz

tar -zxvf filename.tar.gz


Extract a .tar

tar -xvf filename.tar 


Extract a .gz

gunzip filename.gz 


Preview the contents of a package so you can pick what to pull out

tar -tvzf filename.tar.gz


you can also pipe that to search for a certain folder

tar -tvzf filename.tar.gz | grep (folder or filename) 


Extract a certain file from a backup or tar file

tar -xvzf filename.tar.gz /home/mike/public_html


use the exact line that the previous command gave you. stolen shamelessly from Shooltz

Sar

sar memory % free

sar -r | egrep -v "ld|Ave|Linux" |awk -v v=$(cat /proc/meminfo |grep MemTot |awk '{print $2}') '{print $1,$2"\t"(($3+$7)/v)*100"%" }' 


Sar shows the current day's resource usage since 12am server time, in ten minute (default) intervals.

CPU utilization report:

sar

%user = Percentage of CPU utilization that occurred while executing at the user level (application).
%nice = Percentage of CPU utilization that occurred while executing at the user level with nice priority.
%system = Percentage of CPU utilization that occurred while executing at the system level (kernel).
%iowait = Percentage of time that the CPU or CPUs were idle during which the system had an outstanding disk I/O request.
%idle = Percentage of time that the CPU or CPUs were idle and the system did not have an outstanding disk I/O request.

Memory usage:

sar -r 
kbmemfree = Amount of free memory available in kilobytes.
kbmemused = Amount of used memory in kilobytes. This does not take into account memory used by the kernel itself.
%memused = Percentage of used memory.
kbbuffers = Amount of memory used as buffers by the kernel in kilobytes.
kbcached = Amount of memory used to cache data by the kernel in kilobytes.
kbswpfree = Amount of free swap space in kilobytes.
kbswpused = Amount of used swap space in kilobytes.
%swpused = Percentage of used swap space.
kbswpcad = Amount of cached swap memory in kilobytes. This is memory that once was swapped out, is swapped back in but still also is in the swap area (if memory is needed it doesn't need to be swapped out again because it is already in the swap area. This saves I/O).

Load:

sar -q 
runq-sz = Run queue length (number of processes waiting for run time).
plist-sz = Number of processes in the process list.
ldavg-1 = System load average for the last minute.
ldavg-5 = System load average for the past 5 minutes.
ldavg-15 = System load average for the past 15 minutes.

Previous Days

To check previous days use the -f flag along with the file path to the data file where <XX> is the day of the month:

sar -f /var/log/sa/sa<XX> 


Load averages for the fifth of the month:

sar -q -f /var/log/sa/sa05
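
The reports above are easy to read for a single interval and tedious across a whole day or a saved sa<XX> file. The helper below is an added example (not part of this wiki) that picks a column out of any sar report by its header name and lists the worst intervals or the ones over a threshold. It assumes the sysstat layout shown above: a header line naming the columns, data lines beginning with HH:MM:SS optionally followed by AM/PM, and a trailing Average: line. The two sar captures inside it are constructed for the demo, not from a real server.

```shell
#!/bin/sh
# Added example (not from this wiki): find the worst intervals in any sar
# report by column name instead of eyeballing 144 lines of "sar -r".

# sar_column COLUMN: read a sar report on stdin and print "VALUE TIMESTAMP"
# for every interval, locating COLUMN by its name in the header line.
sar_column() {
    awk -v col="$1" '
        # header line: remember which field holds the wanted column
        $0 ~ ("(^|[ \t])" col "([ \t]|$)") {
            for (i = 1; i <= NF; i++) if ($i == col) idx = i
            next
        }
        # data lines start with a time; banner, blank and Average: lines do not
        idx && $1 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ {
            ts = $1; if ($2 == "AM" || $2 == "PM") ts = ts " " $2
            v = $idx; sub(",", ".", v)      # some locales print 1,50 for 1.50
            print v, ts
        }
    '
}

# sar_top COLUMN [N]: the N (default 5) intervals with the highest COLUMN
sar_top() {
    sar_column "$1" | sort -k1,1 -nr | head -n "${2:-5}"
}

# sar_over COLUMN THRESHOLD: every interval where COLUMN exceeded THRESHOLD
sar_over() {
    sar_column "$1" | awk -v t="$2" '$1 + 0 > t + 0'
}

# Constructed sample of "sar -q" output on a 4-CPU box (not a real capture).
sample_sar_q() {
    cat <<'EOF'
Linux 3.10.0-957.el7.x86_64 (web01)     03/05/2019      _x86_64_        (4 CPU)

12:00:01 AM   runq-sz  plist-sz   ldavg-1   ldavg-5  ldavg-15
12:10:01 AM         1       412      0.45      0.52      0.60
12:20:01 AM         3       420      2.10      1.30      0.90
12:30:01 AM        14       498     11.87      6.40      3.10
12:40:01 AM         2       415      1.02      3.20      2.80
Average:            5       436      3.86      2.85      1.85
EOF
}

# Constructed sample of the plain "sar" CPU report (not a real capture).
sample_sar_cpu() {
    cat <<'EOF'
Linux 3.10.0-957.el7.x86_64 (web01)     03/05/2019      _x86_64_        (4 CPU)

12:00:01 AM     CPU     %user     %nice   %system   %iowait    %steal     %idle
12:10:01 AM     all      8.12      0.01      2.30      0.85      0.00     88.72
12:20:01 AM     all     22.40      0.00      6.10     31.55      0.00     39.95
12:30:01 AM     all     10.05      0.00      2.90      1.20      0.00     85.85
Average:        all     13.52      0.00      3.77     11.20      0.00     71.51
EOF
}

# On a live box:
#   sar -q | sar_top ldavg-1 5
#   sar -q -f /var/log/sa/sa05 | sar_over ldavg-1 4      # load above the CPU count
#   sar | sar_over %iowait 20
# Stand-alone demo on the constructed samples:
sample_sar_q | sar_top ldavg-1 2        # 11.87 12:30:01 AM, then 2.10 12:20:01 AM
sample_sar_cpu | sar_over %iowait 10    # 31.55 12:20:01 AM
```

The column lookup is by header name, so the same functions work on sar, sar -r and sar -q output and on older sysstat versions whose column order differs.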


park wrapper errors

Search for leftover references to the domain. These are the places cPanel keeps them (use -F so the dots in the domain are not treated as wildcards, and -w so sub.domain.com matches but notdomain.com does not):

grep -RFw "<domain.com>" /var/{cpanel/{users,bandwidth},named}/ /etc/httpd/conf/httpd.conf /etc/v{aliases,domainaliases,mail}/ /etc/{trueuser{domains,owners},named.conf,{local,user}domains}


Then remove references to the domain. After that, remember to:

/scripts/rebuilddnsconfig 

retry creating the domain.

restoring scripts

Back up current account

/scripts/pkgacct $username 

This writes /home/cpmove-$username.tar.gz. Move it out of the way (for example to cpmove-$username.tar.gz.bak) so the restore below doesn't pick up the wrong archive.

Restore account

The backup must sit in one of the directories cPanel searches and be named like one of these:

cpmove-{USER}
cpmove-{USER}.tar
cpmove-{USER}.tar.gz
USER.tar
USER.tar.gz
backup-{BACKUP-DATE_TIME}_{USER}.tar
backup-{BACKUP-DATE_TIME}_{USER}.tar.gz 


to one of the places cPanel looks:

/home, /home2, /home3, /root, /usr, /usr/home, /web 


restore

/scripts/restorepkg $username 


Or

/scripts/restorepkg $username /Path/to/the/userbackup.tar.gz 


If the account already exists restorepkg will refuse. Either remove the account first (see below; that deletes the live account and its data) or use --force, which restores over the existing account:

/scripts/restorepkg --force $username
/scripts/restorepkg --force $username /Path/to/the/userbackup.tar.gz 


Remove current account

/scripts/killacct $username  
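
The steps above are easy to get wrong under pressure (restoring the .bak you just made, or a tarball that is not an account archive at all). The wrapper below is an added example, not cPanel's code and not from this wiki: it derives the username from the archive name using the list of accepted names above, refuses anything else, snapshots the live account with pkgacct before overwriting it, and only then runs restorepkg --force. The /scripts paths and /var/cpanel/users/<user> are the cPanel locations named on this page; that a cPanel username is lowercase letters and digits only is an assumption made here.

```shell
#!/bin/sh
# Added example, not part of the wiki or of cPanel: safe wrapper around the
# pkgacct / restorepkg procedure described above.

# cpmove_user ARCHIVE: print the username encoded in a restorepkg-style
# archive name (the accepted forms listed above), or fail if it is not one.
cpmove_user() {
    name=$(basename "$1")
    case "$name" in
        cpmove-*.tar.gz)   u=${name#cpmove-}; u=${u%.tar.gz} ;;
        cpmove-*.tar)      u=${name#cpmove-}; u=${u%.tar} ;;
        cpmove-*)          u=${name#cpmove-} ;;             # unpacked directory form
        backup-*_*.tar.gz) u=${name%.tar.gz}; u=${u##*_} ;; # backup-DATE_TIME_USER.tar.gz
        backup-*_*.tar)    u=${name%.tar};    u=${u##*_} ;;
        *.tar.gz)          u=${name%.tar.gz} ;;             # USER.tar.gz
        *.tar)             u=${name%.tar} ;;                # USER.tar
        *)                 return 1 ;;
    esac
    # Assumption: a cPanel username is a short lowercase alphanumeric token.
    # Anything else (dots, slashes, empty) means this is not an account
    # archive, e.g. the cpmove-USER.tar.gz.bak copy made earlier.
    case "$u" in
        '' | *[!a-z0-9]*) return 1 ;;
    esac
    printf '%s\n' "$u"
}

# restore_account ARCHIVE: snapshot the live account (if any), move that
# snapshot aside with a timestamp, then restore ARCHIVE over the account.
restore_account() {
    archive=$1
    [ -e "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }
    user=$(cpmove_user "$archive") || { echo "not an account archive name: $archive" >&2; return 1; }
    if [ -f "/var/cpanel/users/$user" ]; then
        # account exists: keep a copy of what restorepkg --force is about to replace
        /scripts/pkgacct "$user" || return 1
        mv "/home/cpmove-$user.tar.gz" "/home/cpmove-$user.tar.gz.bak_$(date +%Y%m%d%H%M%S)" || return 1
    fi
    /scripts/restorepkg --force "$user" "$archive"
}

# Stand-alone demo of the name check (restore_account needs a cPanel box):
cpmove_user /home/cpmove-bob.tar.gz                      # prints: bob
cpmove_user /home/cpmove-bob.tar.gz.bak || echo "rejected .bak copy"
```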


crontab

Crontab Commands

export EDITOR=vi 

to specify an editor for the crontab file. Edit your crontab file, or create one if it doesn't already exist:

crontab -e 


Display your crontab file.

crontab -l 


Remove your crontab file.

crontab -r 

Display the last time you edited your crontab file. (This option is only available on a few systems.)

crontab -v 


min  | hour | day of month | month  | day of week
-----|------|--------------|--------|------------
30   | 0    | 1            | 1,6,12 | *           - 00:30 on the 1st of Jan, June and Dec
0    | 20   | *            | 10     | 1-5         - 20:00 every weekday (Mon-Fri), October only
0    | 0    | 1,10,15      | *      | *           - midnight on the 1st, 10th and 15th of every month
5,10 | 0    | 10           | *      | 1           - 00:05 and 00:10 every Monday and on the 10th of every month

The last row is not a typo: when both day-of-month and day-of-week are restricted, cron runs the job when either one matches, so it fires on every Monday and also on the 10th. If you need both conditions at once (only a 10th that is a Monday) the command itself has to test the date.
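
To check a schedule before it goes live, the function below is an added example (not from this wiki) that implements the Vixie cron matching rules Linux crond follows: *, comma lists, ranges, /steps, Sunday as 0 or 7, and the either-matches rule for day-of-month versus day-of-week from the table above. It is plain POSIX sh with no dependencies; the schedules it is exercised on are the four rows of the table.

```shell
#!/bin/sh
# Added example, not part of the wiki: a checker for five-field crontab
# schedules implementing Vixie cron's matching rules.

# cron_field_matches FIELD VALUE: does one cron field accept VALUE?
cron_field_matches() {
    field=$1
    value=${2#0}; [ -n "$value" ] || value=0   # "08" -> 8, "00" -> 0
    old_ifs=$IFS
    set -f                                     # no globbing of "*" while splitting
    IFS=','
    set -- $field                              # one positional parameter per list item
    IFS=$old_ifs
    set +f
    for part in "$@"; do
        step=1
        case "$part" in
            */*) step=${part#*/}; part=${part%%/*} ;;
        esac
        case "$part" in
            '*') lo=0; hi=99 ;;
            *-*) lo=${part%-*}; hi=${part#*-} ;;
            *)   lo=$part; hi=$part ;;
        esac
        lo=${lo#0}; [ -n "$lo" ] || lo=0
        hi=${hi#0}; [ -n "$hi" ] || hi=0
        [ "$step" -gt 0 ] || return 1
        # steps count from the start of the range ("1-10/3" is 1,4,7,10)
        if [ "$value" -ge "$lo" ] && [ "$value" -le "$hi" ] \
           && [ $(( (value - lo) % step )) -eq 0 ]; then
            return 0
        fi
    done
    return 1
}

# cron_dow_matches FIELD DOW: like cron_field_matches, but 0 and 7 are both Sunday
cron_dow_matches() {
    d=${2#0}; [ -n "$d" ] || d=0
    cron_field_matches "$1" "$d" && return 0
    [ "$d" -eq 0 ] && cron_field_matches "$1" 7 && return 0
    [ "$d" -eq 7 ] && cron_field_matches "$1" 0 && return 0
    return 1
}

# cron_matches "MIN HOUR DOM MON DOW" min hour dom mon dow
# Exit 0 if the schedule fires at that minute, 1 if not, 2 on a malformed spec.
cron_matches() {
    spec=$1; c_min=$2; c_hour=$3; c_dom=$4; c_mon=$5; c_dow=$6
    set -f; set -- $spec; set +f
    [ $# -eq 5 ] || return 2
    f_min=$1; f_hour=$2; f_dom=$3; f_mon=$4; f_dow=$5
    cron_field_matches "$f_min"  "$c_min"  || return 1
    cron_field_matches "$f_hour" "$c_hour" || return 1
    cron_field_matches "$f_mon"  "$c_mon"  || return 1
    if [ "$f_dom" != '*' ] && [ "$f_dow" != '*' ]; then
        # both restricted: Vixie cron fires when EITHER matches
        cron_field_matches "$f_dom" "$c_dom" || cron_dow_matches "$f_dow" "$c_dow"
    else
        cron_field_matches "$f_dom" "$c_dom" && cron_dow_matches "$f_dow" "$c_dow"
    fi
}

# cron_matches_now SPEC: would SPEC fire in the current minute?
cron_matches_now() {
    set -- "$1" $(date '+%M %H %d %m %w')
    cron_matches "$@"
}

# Stand-alone demo on the table's last row: the 10th (a Wednesday) and a
# Monday that is not the 10th both fire.
cron_matches "5,10 0 10 * 1" 5 0 10 3 3 && echo "fires on the 10th"
cron_matches "5,10 0 10 * 1" 5 0 17 3 1 && echo "fires on a Monday"
cron_matches_now "* * * * *" && echo "an every-minute job would run now"
```

Feed it the minute, hour, day, month and weekday you care about (weekday 0-7, as cron counts them) rather than trusting a mental parse of the table.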


LoadParse

mkdir -p /scripts
wget -O /scripts/loadparse http://layer3.liquidweb.com/scripts/loadparse.sh
chmod +x /scripts/loadparse 

That fetch is plain HTTP, so read the script before running it as root on a production box.


LoadParse one-liners (these need loadparse installed). Top CPU users in the loadwatch logs written today:

cd /root/loadwatch
for i in $(ls /root/loadwatch | grep "$(date +"%Y-%m-%d")"); do /scripts/loadparse "$i" | head ; done 


Top mem users in loadwatch logs, logged today

cd /root/loadwatch
for i in $(ls /root/loadwatch | grep "$(date +"%Y-%m-%d")"); do /scripts/loadparse "$i" | sed -n '14,20p'; done

wordpress

reset password, username, and/or email

get cpuser
/scripts/whoown <domain> 


get database name

grep DB_NAME /home/<cpuser>/public_html/wp-config.php 


MySQL one-liner to update all three on user ID 1 (normally the first admin account; confirm with SELECT ID, user_login FROM wp_users before you run it). Remove the SET clauses you don't need and replace everything in <>. If $table_prefix in wp-config.php isn't wp_, change the table name to match. WordPress accepts an MD5 hash here and re-hashes it with its own scheme on the next login. Note that -e puts the new password in shell history.

mysql -e "UPDATE <DB_NAME>.wp_users SET user_login = '<admin>', user_pass = MD5('<Password>'), user_email = '<their email address>' WHERE wp_users.ID = 1;" 
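
Two things routinely go wrong with the one-liner: the install uses a non-default table prefix, and the password ends up in root's bash history and in ps output while the command runs. The helper below is an added example (not part of this wiki, not WordPress code): it reads DB_NAME and $table_prefix straight out of wp-config.php, takes the new password from an environment variable rather than argv, escapes the values for SQL, and prints the UPDATE so it can be piped into mysql on stdin. It parses the stock define('DB_NAME', '...') and $table_prefix = '...'; lines of a standard wp-config.php; the sample config inside it is constructed for the demo, not from a real site.

```shell
#!/bin/sh
# Added example, not from the wiki or from WordPress: build the password
# reset UPDATE from the values in wp-config.php.

# wp_config_get FILE KEY: value of define('KEY', 'value') in FILE
wp_config_get() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# wp_table_prefix FILE: the $table_prefix value (wp_ unless the install changed it)
wp_table_prefix() {
    sed -n "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# sql_quote STRING: escape for use inside a single-quoted SQL string literal
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# wp_reset_user_sql DB PREFIX LOGIN EMAIL: print the UPDATE for that login.
# The new password comes from $WP_NEW_PASS, not from the command line.
# WordPress accepts an MD5 hash and upgrades it to its own hash on the next
# successful login, which is why MD5() is enough here.
wp_reset_user_sql() {
    printf "UPDATE \`%s\`.\`%susers\` SET user_pass = MD5('%s'), user_email = '%s' WHERE user_login = '%s' LIMIT 1;\n" \
        "$1" "$2" "$(sql_quote "$WP_NEW_PASS")" "$(sql_quote "$4")" "$(sql_quote "$3")"
}

# Constructed sample wp-config.php (not a real site) for the stand-alone demo.
sample_wp_config() {
    cat <<'EOF'
<?php
// constructed sample, not a real site
define( 'DB_NAME', 'example_wp' );
define( 'DB_USER', 'example_wpu' );
define( 'DB_PASSWORD', 'not-a-real-password' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'ex7_';
EOF
}

# On a real box:
#   cfg=/home/<cpuser>/public_html/wp-config.php
#   WP_NEW_PASS='new password here'; export WP_NEW_PASS
#   wp_reset_user_sql "$(wp_config_get "$cfg" DB_NAME)" "$(wp_table_prefix "$cfg")" admin me@example.com | mysql
# Stand-alone demo on the constructed config:
cfg=$(mktemp) && sample_wp_config > "$cfg"
WP_NEW_PASS='correct horse'; export WP_NEW_PASS
wp_reset_user_sql "$(wp_config_get "$cfg" DB_NAME)" "$(wp_table_prefix "$cfg")" admin admin@example.com
rm -f "$cfg"
```

Piping into mysql with no -e keeps the statement (and the password) out of shell history; the LIMIT 1 and WHERE user_login make it fail safe if the admin is not ID 1.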


Outlook and now more recently Thunderbird

Email clients fail to connect to servers running Courier with SSL because the Diffie-Hellman parameters Courier offers are too small. Dovecot (the new default) is fine; cPanel just never regenerated Courier's dhparams. Per nfuller techstaff email (modified):

echo "QUIT" | openssl s_client -connect `hostname`:995 2> /dev/null | grep 'Server Temp Key' 


will result in something like:

Server Temp Key: DH, 768 bits 


If the size is lower than 1024 bits, as above, Outlook won't connect (clients updated after the 2015 Logjam fixes reject DH groups under 1024 bits). The "Server Temp Key" line is only printed by OpenSSL 1.0.2 and newer; if you see nothing, check with a newer client rather than assuming the server is fine. Thankfully this is an easy fix. Run the following one-liner:

cp -av /usr/lib/courier-imap/share/dhparams.pem{,.bak_768_bits} && openssl dhparam -out /usr/lib/courier-imap/share/dhparams.pem 2048 


That backs up the old parameters and generates a new 2048-bit set (openssl dhparam at 2048 bits takes a minute or more of CPU time; it is not stuck). Run the first one-liner again to check your work:

echo "QUIT" | openssl s_client -connect `hostname`:995 2> /dev/null | grep 'Server Temp Key' 


it should result in:

Server Temp Key: DH, 2048 bits
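
The grep above tells you the key type and size but still leaves a human to decide whether it is good enough. The function below is an added example (not from this wiki) that turns the "Server Temp Key" line into a pass/fail verdict and runs it over both Courier ports. It assumes the line format OpenSSL 1.0.2 and later print ("Server Temp Key: DH, 768 bits", "Server Temp Key: ECDH, P-256, 256 bits", "Server Temp Key: X25519, 253 bits") and applies the same 2048-bit floor for finite-field DH that this page uses; the s_client excerpt inside it is constructed for the demo, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the wiki: pass/fail check for the ephemeral key
# a TLS server negotiates, built on the s_client one-liner above.

# tempkey_verdict: read `openssl s_client` output on stdin and print
# "ok TYPE BITS", "weak TYPE BITS", or "none" when no ephemeral key line is
# present (RSA key exchange, or a local openssl too old to print it).
tempkey_verdict() {
    sed -n 's/^Server Temp Key: *//p' | awk -F', *' '
        NR == 1 {
            type = $1; bits = $NF; sub(/ *bits.*/, "", bits)
            # finite-field DH under 2048 bits is what the mail clients choke on;
            # ECDH curves (P-256, X25519) are fine at their native size
            verdict = (type == "DH" && bits + 0 < 2048) ? "weak" : "ok"
            print verdict, type, bits; found = 1
        }
        END { if (!found) print "none" }
    '
}

# check_mail_tls HOST PORT: probe an implicit-TLS port (993 IMAPS, 995 POP3S)
check_mail_tls() {
    echo QUIT | openssl s_client -connect "$1:$2" 2>/dev/null | tempkey_verdict
}

# check_courier_ports HOST: test 993 and 995; exit non-zero if either is weak
check_courier_ports() {
    rc=0
    for p in 993 995; do
        v=$(check_mail_tls "$1" "$p")
        echo "$1:$p $v"
        case "$v" in weak*) rc=1 ;; esac
    done
    return $rc
}

# Constructed excerpt of s_client output against an un-fixed Courier
# (not a real capture), for the stand-alone demo.
sample_s_client_courier() {
    cat <<'EOF'
CONNECTED(00000003)
---
Server certificate
subject=/CN=mail.example.com
issuer=/CN=mail.example.com
---
Server Temp Key: DH, 768 bits
---
SSL handshake has read 1234 bytes and written 456 bytes
EOF
}

# On a real box: check_courier_ports "$(hostname)"
# Stand-alone demo:
sample_s_client_courier | tempkey_verdict     # prints: weak DH 768
```

After regenerating dhparams.pem the same check should report "ok DH 2048"; a "none" result means the local openssl is too old to show the line, not that the server is safe.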


what kernels you can boot from

awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg