Main Page
Recently restored from google cache!
Contents
- 1 Firewalls/Blocked IPs
- 1.1 APF
- 1.2 CSF
- 1.3 cPHulk
- 1.4 Host Access Control
- 1.5 FTP
- 1.6 cPanel
- 1.7 Chksrvd log
- 1.8 Apache
- 1.9 MySQL
- 1.10 clean out default mail inbox
- 2 list all mailbox users and disk/quotas
- 2.1 diskspace clean up
- 2.1.1 df and du discrepancy
- 2.1.2 inodes
- 2.1.3 Mod sec
- 2.1.4 PHP
- 2.1.5 Custom php.ini
- 2.1.6 suPHP
- 2.1.7 phpinfo.php
- 2.1.8 linzardry
- 2.1.9 copy
- 2.1.10 rsync
- 2.1.11 Tar .ect
- 2.1.12 Sar
- 2.1.13 park wrapper errors
- 2.1.14 restoring scripts
- 2.1.15 crontab
- 2.1.16 LoadParse
- 2.1.17 wordpress
- 2.1.18 Outlook and now more recently Thunderbird
- 2.1.19 what kernels you can boot from
Firewalls/Blocked IPs
APF
Blacklist
vim /etc/apf/deny_hosts.rules
Whitelist
vim /etc/apf/allow_hosts.rules
Config file
vim /etc/apf/conf.apf
Restart
/etc/init.d/apf restart
Flush IP Tables
iptables -F
CSF
Use CSF to grep the current rules for an IP
csf -g ip.add.re.ss
CSF uses the free MaxMind GeoIP database to add geo info to the logs. You can also manually query what CSF has stored locally, from the command line:
csf -i ip.add.re.ss
Blacklist
vim /etc/csf/csf.deny
Whitelist
vim /etc/csf/csf.allow
Restart (both CSF and LFD)
csf -ra
Configuration
vim /etc/csf/csf.conf
login failure log
/var/log/lfd.log
Fun output, IP address and the LFD trigger that got it blocked:
grep "*Blocked in csf*" /var/log/lfd.log | egrep -o '( (([0-9]{1,3}\.){3})[0-9]{1,3}|\[LF_.*)' | sed -e :a -e '$!N;s/\n\[/ \t==blocked for==\> \t\[/;ta' -e 'P;D'
looks like
118.98.66.56 ==blocked for==> [LF_SMTPAUTH]
92.38.233.191 ==blocked for==> [LF_SSHD]
104.167.104.147 ==blocked for==> [LF_SSHD]
73.179.232.255 ==blocked for==> [LF_CPANEL]
118.163.76.38 ==blocked for==> [LF_SMTPAUTH]
cPHulk
Brute Force Protection deny/allow list edited through WHM
Main >> Security Center >> cPHulk Brute Force Protection
command line
Is it running?
/usr/local/cpanel/scripts/restartsrv_cphulkd --status
stop and disable it
/usr/local/cpanel/etc/init/stopcphulkd
/usr/local/cpanel/bin/cphulk_pam_ctl --disable
Host Access Control
GUI in WHM (along with syntax/instructions):
Main >> Security Center >> Host Access Control
or edit the file directly:
/etc/hosts.allow
keep in mind that there is
/etc/hosts.deny
which WHM does not touch, but this is another place IPs can be manually blocked
FTP
Passive mode issues
Determine which FTP service is in use:
PureFTPd or proFTPd. Then enable the use of passive ports for the FTP service being used.
By default the FTP configs will show/suggest using 30000 to 50000; this is an unnecessarily large range of ports to leave open. Determine whether APF or CSF is in use. Then make sure the ports are open in the firewall. Restart the services updated. Make sure that passive mode is enabled in the FTP config.
For PureFTPd
backup the existing conf
cp -va /etc/pure-ftpd.conf{,.$(date +"%m-%d-%Y").bak}
vim /etc/pure-ftpd.conf
add or modify to look something like this
#Port range for passive connections replies. - for firewalling.
PassivePortRange 30000 35000
xor
For proFTPd
backup the existing conf
cp -va /etc/proftpd.conf{,.$(date +"%m-%d-%Y").bak}
vim /etc/proftpd.conf
add or modify to look something like this:
PassivePorts 30000 35000
Open those ports in the firewall
For CSF
backup the existing conf
cp -va /etc/csf/csf.conf{,.$(date +"%m-%d-%Y").bak}
vim /etc/csf/csf.conf
add
30000:35000
(CSF's range syntax is a colon)
to the end of
# Allow incoming TCP ports
TCP_IN = "ports,moreports,otherports,30000:35000"
xor
For APF
backup the existing conf
cp -va /etc/apf/conf.apf{,.$(date +"%m-%d-%Y").bak}
vim /etc/apf/conf.apf
add
30000_35000
(APF's range syntax is an underscore) to the end of
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="ports,moreports,otherports,30000_35000"
check storm server firewall this might be blocking ports as well
restart the services
service pure-ftpd restart
service proftpd restart
As well as APF or CSF
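Added example (not part of the original page): a check that the passive range set in the FTP config is actually covered by the firewall's inbound TCP list, for both the CSF colon syntax and the APF underscore syntax described above. The function names and the sample config contents are constructed for illustration; point the functions at copies of the real files.

```shell
#!/bin/sh
# Added example: verify the passive FTP range is covered by the firewall config.
# Handles CSF (TCP_IN, low:high) and APF (IG_TCP_CPORTS, low_high).

# Print "LOW HIGH" from pure-ftpd.conf (PassivePortRange) or proftpd.conf (PassivePorts).
# Commented-out directives are ignored because their first field starts with "#".
passive_range() {
    awk '$1 == "PassivePortRange" || $1 == "PassivePorts" { print $2, $3; exit }' "$1"
}

# Print the inbound TCP entries one per line, with ranges normalised to low:high.
fw_tcp_in() {
    sed -n -e 's/^TCP_IN *= *"\(.*\)".*/\1/p' \
           -e 's/^IG_TCP_CPORTS *= *"\(.*\)".*/\1/p' "$1" | tr ',_' '\n:'
}

# Exit 0 if a single firewall entry covers every port from $1 to $2 ($3 = firewall config).
range_is_open() {
    fw_tcp_in "$3" | awk -F: -v low="$1" -v high="$2" '
        NF == 0 { next }
        { first = $1 + 0; last = (NF > 1 ? $2 : $1) + 0 }
        first <= low + 0 && last >= high + 0 { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# $1 = FTP config, $2 = firewall config. Returns 0 open, 1 blocked, 2 no range set.
check_passive_ftp() {
    pf_range=$(passive_range "$1")
    pf_low=${pf_range%% *}
    pf_high=${pf_range##* }
    if [ -z "$pf_low" ] || [ -z "$pf_high" ]; then
        echo "UNSET: no passive range in $1"
        return 2
    fi
    if range_is_open "$pf_low" "$pf_high" "$2"; then
        echo "OK: $pf_low-$pf_high is open in $2"
        return 0
    fi
    echo "BLOCKED: $pf_low-$pf_high is not covered in $2"
    return 1
}

# Demo on constructed sample configs (not taken from a real server).
demo_dir=$(mktemp -d)
printf '%s\n' '#Port range for passive connections replies. - for firewalling.' \
    'PassivePortRange 30000 35000' > "$demo_dir/pure-ftpd.conf"
printf '%s\n' '# Allow incoming TCP ports' \
    'TCP_IN = "20,21,22,80,443,30000:35000"' > "$demo_dir/csf.conf"
printf '%s\n' 'TCP_IN = "20,21,22,80,443,30000:32000"' > "$demo_dir/csf-narrow.conf"
check_passive_ftp "$demo_dir/pure-ftpd.conf" "$demo_dir/csf.conf"
check_passive_ftp "$demo_dir/pure-ftpd.conf" "$demo_dir/csf-narrow.conf" || true
rm -rf "$demo_dir"
```

A range split across two firewall entries is reported as BLOCKED, since the check looks for one entry that covers the whole passive range.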
cPanel
Version
/usr/local/cpanel/cpanel -V
or check the top right of WHM
Restart
/scripts/restartsrv_cpsrvd
force update
/scripts/upcp --force
add spf and dkim server wide
for user in $(\ls -A /var/cpanel/users) ; do /usr/local/cpanel/bin/dkim_keys_install $user; /usr/local/cpanel/bin/spf_installer $user ; done
bypass cpanel security questions:
echo "$(last |grep "still logged in" |awk '{print $3}')" >> /var/cpanel/userhomes/cpanel/.cpanel/securitypolicy/iplist/root
echo "10.20.4.233" >> /var/cpanel/userhomes/cpanel/.cpanel/securitypolicy/iplist/root
Chksrvd log
chkservd fails:
echo -e "\nchekservd fails\n" && egrep '\[\[check command:-\]' /var/log/chkservd.log | egrep -o '(20[0-9]{2}(-[0-9]{2}){2}\ [0-9]{2}(:[0-9]{2}){2}|[a-z]* \[\[check command:-\])'| sed 's/\[\[check command:-\]//'g
how far back does the log go:
egrep -o '20[0-9]{2}(-[0-9]{2}){2}\ [0-9]{2}(:[0-9]{2}){2}' /var/log/chkservd.log |head -n1
Apache
ea3
Restart
/etc/init.d/httpd restart
Tail the Error log
tail -f /usr/local/apache/logs/error_log
Config file on cPanel boxes
vim /usr/local/apache/conf/httpd.conf
Apache's status
service httpd status
httpd fullstatus
Check for Max Clients
grep MaxClients /usr/local/apache/logs/error_log
ps aux | grep httpd -c; egrep 'MaxClients|ServerLimit' /usr/local/apache/conf/httpd.conf
ea4
Config file
/etc/apache2/conf.d/httpd.conf
Error Log
tail -f /etc/apache2/logs/error_log
connections made per ip
netstat -tn 2>/dev/null | grep ':80[[:space:]]' | awk '{print $5}' | cut -f1 -d: | sort | uniq -c | sort -rn | head
php-fpm
restart
/scripts/restartsrv_apache_php_fpm
Plesk?
tail /var/www/vhosts/<domain.com>/statistics/logs/error_log
MySQL
handy infos
config file
vim /etc/my.cnf
Error log
tail -f /var/lib/mysql/`hostname`.err
Restart
systemctl status mysqld.service
/etc/init.d/mysql restart
watch -n1 mysqladmin proc stat
Jhayhoe's list frag tables
wget -O /scripts/fragmented.sh http://layer3.liquidweb.com/scripts/jhayhoe/fragmented.sh
chmod +x /scripts/fragmented.sh
/scripts/fragmented.sh
mysqlcheck
The mysqlcheck client performs table maintenance: It checks, repairs, optimizes, or analyzes tables.
--all-databases, -A  Check all tables in all databases. This is the same as using the --databases option and naming all the databases on the command line.
--optimize, -o  Optimize the tables.
--repair, -r  Perform a repair that can fix almost anything except unique keys that are not unique.
--auto-repair  If a checked table is corrupted, automatically fix it. Any necessary repairs are done after all tables have been checked.
mysqlcheck -Aor
mysqlcheck --auto-repair --optimize --all-databases
other stuff
Shut it down and check tables
killall -9 tailwatchd
killall -9 crond
service mysql stop
find /var/lib/mysql -iname "*.MYI" -exec myisamchk -fUr {} \;
service mysql restart
service crond restart
/scripts/restartsrv_tailwatchd
Optimize each table in a For loop,
for i in $(mysql -e "show databases;" | sed 's/Database//') ; do for each in $(mysql -e "use $i; show tables;" | sed 's/Tables.*//' ;) ; do mysql -e "use $i ; optimize table $each" ; done ; done
MyTop
it's like top for mysql (If it is installed on the server)
http://jeremy.zawodny.com/mysql/mytop/mytop-1.6.tar.gz
mytop
innodb
what tables are using innodb
mysql -e "SELECT table_schema, table_name FROM INFORMATION_SCHEMA.TABLES WHERE engine = 'innodb';"
conf
located in
/etc/my.cnf
Mysql Memory settings
echo -e "\n\n================Mysql Mem configured settings================" && awk '/(key|i.*b)_b.*r_(pool_)?(s.*|.*es)/{sub("="," "); print $1,$2}' /etc/my.cnf && echo -e "\n================Mysql Mem current settings================" && mysql -e "show variables" |awk '/(key|innodb)_buffer_(pool_)?(size|.*es)/{if($1~/.*es/)print$1,$2; else print$1,$2/1048576"M"}' && echo -e "\n================Mysql Mem suggested settings================" && mysql -Bse 'show variables like "datadir";'|awk '{print $2}'|xargs -I{} find {} -type f -printf "%s %f\n"|awk -F'[ ,.]' '{print $1, $NF}'|awk '{array[$2]+=$1} END {for (i in array) {printf("%-15s %s\n", sprintf("%.3f MB", array[i]/1048576), i)}}' | awk '{if($3~/MYI/)print"key_buffer_size\t\t",$1"M"};{if($3~/ibd/)a+=$1}END{print "innodb_buffer_pool_size\t",a"M"}'
Plesk
old
restart (notice the d)
/etc/init.d/mysqld restart
This will give you the admin password to Plesk
cat /etc/psa/.psa.shadow; echo -e "\n";
Use this password with:
mysql -u admin -p
watch "mysqladmin proc stat -u admin -p`cat /etc/psa/.psa.shadow`"
new
access the plesk db
plesk db
alternatively
MYSQL_PWD=$(cat /etc/psa/.psa.shadow) mysql -uadmin psa
nightly dumps of the plesk db are in
/var/lib/psa/dumps/
restoring from a backup
zcat mysql.daily.dump.0.gz | plesk db
back it up as is
plesk db dump > backup.sql
Screen
ctrl+a +d is keyboard shortcut to detach
Error?
Directory '/var/run/screen' must have mode 777.
no prob:
chmod g+s /usr/bin/screen
all set
List current screens
screen -ls
Create new screen
screen -S [name]
Attach
screen -r [screen name]
Detach
screen -d [screen name]
Join already attached or unattached...
screen -x [screen name]
screen -x by itself, will join the screen if there is only one to join
EasyApache
Do before:
USR=lw.$(date +%s); FILE=/root/preEA.$USR;cp /usr/local/apache/conf/httpd.conf{,.bak.$USR}; cp /usr/local/lib/php.ini{,.bak.$USR}; touch $FILE; cat > $FILE <(echo -e "\n--Current Handler--\n" ; /usr/local/cpanel/bin/rebuild_phpconf --current ; if [ -x /usr/bin/php4 ] ;then echo -e "\n--PHP 4 Version--\n" ; php4 -v 2>&1; echo -e "\n--PHP 4 Modules--\n"; php4 -m 2>&1 ;fi;if [ -x /usr/bin/php5 ] ;then echo -e "\n--PHP 5 Version--\n"; php5 -v ; echo -e "\n--PHP 5 Modules--\n"; php5 -m;fi ;echo -e "\n--Apache Version--\n" ;/usr/local/apache/bin/httpd -V; echo -e "\n--Apache Modules--\n";/usr/local/apache/bin/httpd -l ; echo -e "\n\n--Date Created: $(date +%c)--";echo -e "\n--Configuration files--\n" ; echo "httpd.conf: /usr/local/apache/conf/httpd.conf.bak.$USR"; echo "php.ini: /usr/local/lib/php.ini.bak.$USR";) ; echo -e "\nPreEA configuration stored in \n$FILE"
do it in a screen!
screen -S EA /scripts/easyapache
suPHPfix + suPHP
out dated
Save-state
Saves the file permissions of (all|cPuser) in their current state. However, this will overwrite the previous save state if done a second time! The save state is a JSON file located in:
/var/cache/suphpfix
backup the appropriate file in this directory if you are going to run this a second time
something like
cp -rfa /var/cache/suphpfix /var/cache/$(date +"%m%d%Y").suphpfix.bak
Check the ticket to see if it was run previously !
suphpfix --save-state (all|cPuser)
Prep all
makes the changes to the permissions
suphpfix --prep (all|cPuser)
Restore-state
restores from the current save state in
/var/cache/suphpfix
suphpfix --restore-state (all|cPuser)
switch to suPHP
/usr/local/cpanel/bin/rebuild_phpconf 5 none suphp enabled
SpamAssassin
Disable forwarding for DNSBL queries for SpamAssassin
Needs more testing!
sed -i.preSAfix.bak -e '1iinclude "/etc/named.disable.DNSBL.fwding.conf"; \' /etc/named.conf
touch /etc/named.disable.DNSBL.fwding.conf && chown named: /etc/named.disable.DNSBL.fwding.conf
cat <<EOF >> /etc/named.disable.DNSBL.fwding.conf
view "DNSBL zones" {
//Disable forwarding for DNSBL queries for SpamAssassin
//
//http://wiki.apache.org/spamassassin/CachingNameserver
//
//If you have a large ISP or are using large public DNS provider(s)
//it is recommended you not forward mail-related DNS traffic through
//their DNS servers (though non-mail DNS traffic from your site shouldn't
//have problems.) With bind, this means not having any "forwarders" listed.
//Or, at a minimum, you could create exemptions by
//defining empty forwarders for DNSBL zones, like this:
zone "multi.uribl.com" { type forward; forward first; forwarders {}; };
zone "dnsbl.sorbs.net" { type forward; forward first; forwarders {}; };
zone "combined.njabl.org" { type forward; forward first; forwarders {}; };
zone "activationcode.r.mail-abuse.com" { type forward; forward first; forwarders {}; };
zone "nonconfirm.mail-abuse.com" { type forward; forward first; forwarders {}; };
zone "iadb.isipp.com" { type forward; forward first; forwarders {}; };
zone "bl.spamcop.net" { type forward; forward first; forwarders {}; };
zone "fulldom.rfc-ignorant.org" { type forward; forward first; forwarders {}; };
zone "list.dnswl.org" { type forward; forward first; forwarders {}; };
zone "blackholes.mail-abuse.org" { type forward; forward first; forwarders {}; };
zone "bl.score.senderscore.com" { type forward; forward first; forwarders {}; };
zone "zen.spamhaus.org" { type forward; forward first; forwarders {}; };
};
EOF
service named restart
SA-learn script
stolen modified from jpurkis
enable Bayes in the user_conf
use_bayes 1
bayes_auto_learn 1
bayes_min_ham_num 50
bayes_min_spam_num 50
su to the cPanel user in question and add a cronjob to run the following script, (placed where the cPanel user can access it).
#!/bin/bash
#$user is the cPanel user; default to the account running the cron job
user=${user:-$(id -un)}
#Find and learn spam
find /home/$user/mail/ -type d -name ".Junk" -exec /usr/local/cpanel/3rdparty/bin/sa-learn --no-sync --spam {}/{cur,new}/ \;
#Find and learn ham
find /home/$user/mail/ -type d -name ".non-spam" -exec /usr/local/cpanel/3rdparty/bin/sa-learn --no-sync --ham {}/{cur,new}/ \;
#sync
/usr/local/cpanel/3rdparty/bin/sa-learn --sync
#clean out learned spam
for i in $(find /home/$user/mail/ -type d -name ".Junk" ); do rm -f $i/{cur,new}/* ; done
#remove week old spam (the {} passes each found file to rm)
for i in $(find /home/$user/mail/ -type d -name ".spam") ; do find $i/{cur,new}/ -type f -mtime +7 -exec rm -f {} \; ; done
exim
Mail queue cleanup
who is 'authing' the mail. This needs to be addressed first. Stop the outgoing mail then clean it up.
find /var/spool/exim/input/ -name '*-H' | xargs egrep 'auth_id'
Subject lines
find /var/spool/exim/input/ -name '*-H' | xargs egrep ' Subject:'
refine the results
is all the spam authed by the same user?
find /var/spool/exim/input/ -name '*-H' | xargs egrep 'auth_id someuser@domain'
or
find /var/spool/exim/input/ -name '*-H' | xargs egrep 'auth_id somecpuser'
or are the subject lines all the same?
find /var/spool/exim/input/ -name '*-H' | xargs egrep ' Subject: Discount spam, free'
then pipe that to:
Regex for pulling out the mail ID
| egrep '([0-9a-zA-Z]{6}\-){2}[0-9a-zA-Z]{2}' -o
then pipe that to the exim command that removes mail by mail ID, to remove the mail determined previously
Removing the mail by mail ID
| xargs exim -Mrm
clear out bounces etc.
find /var/spool/exim/input/ -name '*-H' | xargs egrep 'Subject: (Undelivered Mail|Mail delivery|Mail failure|Delivery Status|Returned mail|Undeliverable|failure notice|Warning: message)'| egrep '[0-9a-zA-Z]{6}\-[0-9a-zA-Z]{6}\-[0-9a-zA-Z]{2}' -o | xargs exim -Mrm
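Added example (not part of the original page): the triage steps above as functions that tally the queue by auth_id and by Subject, then list the message IDs for one auth_id so they can be reviewed before anything is passed to exim -Mrm. The function names are hypothetical and the sample spool files are constructed and simplified; the message ID shape is the one the page's regex expects.

```shell
#!/bin/sh
# Added example: read-only triage of an exim input spool directory.

# Count identical input lines, most frequent first: "COUNT VALUE".
count_desc() {
    awk '{ n[$0]++ } END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Queued messages per authenticated sender ($1 = spool input dir).
queue_auth_counts() {
    find "$1" -type f -name '*-H' -exec grep -h '^-auth_id ' {} + 2>/dev/null |
        sed 's/^-auth_id //' | count_desc
}

# Queued messages per Subject line ($1 = spool input dir).
queue_subject_counts() {
    find "$1" -type f -name '*-H' -exec grep -h ' Subject:' {} + 2>/dev/null |
        sed 's/^.* Subject: *//' | count_desc
}

# Message IDs whose header file carries exactly this auth_id ($1 = dir, $2 = auth_id).
# -x and -F make it a whole-line, fixed-string match, so "user@a.com" cannot
# also select "user@a.com.example" or treat the dot as a wildcard.
queue_ids_for_auth() {
    find "$1" -type f -name '*-H' -exec grep -lxF -e "-auth_id $2" {} + 2>/dev/null |
        sed -e 's|.*/||' -e 's|-H$||' |
        grep -E '^([0-9A-Za-z]{6}-){2}[0-9A-Za-z]{2}$' | sort
}

# Build a small constructed spool (simplified -H files, not real queue data).
make_sample_spool() {
    mkdir -p "$1"
    for n in 1 2 3; do
        printf '%s\n' "1aBcDe-00000$n-Ab-H" '-auth_id spammer@example.com' \
            '030  Subject: Discount spam, free' > "$1/1aBcDe-00000$n-Ab-H"
    done
    printf '%s\n' '1aBcDe-000004-Cd-H' '-auth_id alice@example.org' \
        '018  Subject: Invoice' > "$1/1aBcDe-000004-Cd-H"
    printf '%s\n' '1aBcDe-000005-Ef-H' \
        '022  Subject: cron output' > "$1/1aBcDe-000005-Ef-H"
}

# Demo: who is authing the most mail, and which IDs belong to them.
demo_spool=$(mktemp -d)
make_sample_spool "$demo_spool/input"
echo "== by auth_id =="
queue_auth_counts "$demo_spool/input"
echo "== by subject =="
queue_subject_counts "$demo_spool/input"
echo "== IDs for spammer@example.com =="
queue_ids_for_auth "$demo_spool/input" spammer@example.com
rm -rf "$demo_spool"
```

On a live server the directory is /var/spool/exim/input/; once the ID list has been checked, it can be piped to xargs exim -Mrm as shown above.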
Babysitting cleanup of a large queue?
Make your notes look nice:
echo -e "#queue $(exim -bpc) @$(date) on $(hostname)"
periodically run that, to get nice output, eg:
#queue 96910 @Fri Feb 27 08:28:48 EST 2015 on host.server.com
#queue 96710 @Fri Feb 27 08:28:58 EST 2015 on host.server.com
#queue 96595 @Fri Feb 27 08:29:08 EST 2015 on host.server.com
general
restart
/etc/init.d/exim restart
what is going on
exiwhat
number of messages in queue
exim -bpc
start the queue
exim -q -v
clean out default mail inbox
find /home/$(cpuser)/mail/{cur,new}/ -type f -exec rm -f {} \;
where $(cpuser) is the user. Alternatively add
-mtime +7
to leave stuff newer than one week if the user wants to review.
make cpanel interface report the correct value
/scripts/generate_maildirsize --confirm --allaccounts --verbose $(cpuser)
log location
/var/log/exim_mainlog
can't ping liquidweb.com? check
vim /etc/resolv.conf
try google's resolvers 8.8.8.8
list all mailbox users and disk/quotas
for cPUser in `\ls -A1 /var/cpanel/users|grep -v ^system$` ;do echo \ "${cPUser}"\ ; sudo -u "${cPUser}" /usr/local/cpanel/cpanel-email listpopswithdisk | awk -F"===|/" '{print$1"\n>Used:\t\t\t\t\t\t"$2"\n>Quota: "$3}' |numfmt --to=si --field 2 --invalid=ignore ;done
diskspace clean up
/var
yum clean all
checking usage
file system disk usage
df -h
make it fancy
df -Ph | awk 'NR==1{print;next} 0+$5>=80{print "\033[31m"$0"\033[0m";next} {print}'
Summarize disk usage of each FILE, recursively for directories.
du -h --max-depth=1
df and du discrepancy
If df and du do not agree, one or more processes are keeping a deleted file open. df is counting it and du is not. Find them and kill them! Find it, make sure these can be killed, note, etc.
lsof | grep "deleted"
nice output if the size is >0, i.e.
COMMAND PID SIZE NAME
lsof | grep deleted |awk '{if ($7>0) print $1,$2"\t"$7/1024/1024"M\t" $9}'
Kill them:
kill -15 <PID>
inodes
Plenty of open space but the disk is still full? Check the number of inodes used. No inodes = no new files
df -i
purge_dead_comet_files:
/usr/local/cpanel/bin/purge_dead_comet_files
delete files from a list
Make sure you are rm'ing the right stuff
echo it first!
for i in `cat /filepath/to/listtodelete.txt`; do echo "/dir/where/files/live/$i"; done
once you are sure, make sure again, then delete with:
for i in `cat /filepath/to/listtodelete.txt`; do rm -Rf /dir/where/files/live/$i; done
Mod sec
install LW rules
yum install lp-modsec2-rules.noarch
copy old modsec whitelist to new one
cat /usr/local/apache/conf/modsec/00_asl_whitelist.conf > /usr/local/apache/conf/modsec2/whitelist.conf
Modsec finder (in progress)
clear; echo "ModSec tripping"; read -p "enter IP here " IP; DATE=$(date '+%b %d'); echo -e "\n\nModSec rules triped on $DATE\nand what to whitelist:\n\n "; grep "$DATE" /usr/local/apache/logs/error_log |grep modsec |grep $IP |egrep '\[id \"[0-9]*\"\]' | egrep -o '\[id \"[0-9]*\"\]|\[uri "[^"]+"\]' |egrep -o '[0-9]{4,9}|\"((\/[A-Za-z0-9\-]*)*)\.[a-zA-Z]{3,4}\/?\"' |tr '\n' ' '| sed 's/\/\"/&\n/g' |sed 's/[a-z]\"/&\n/g'|egrep -v '^ $' |sort |uniq -c | sort -rn |awk '{print $1" instance(s) of \n\n<LocationMatch "$3">\n SecRuleRemoveById "$2 "\n</LocationMatch> \n\n"}'
Search for modsec errors
grep -i modsec /usr/local/apache/logs/error_log | grep (enter domain here) | sed "s/$/\n/"
grep for cust's ip or domain or whatever then append:
|grep ModSec |grep "\[id "| grep -oP '\[\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}]|\[id "\d+"\]|\[uri "[^"]+"\]' | tr '\n' ' ' |sed 's/alpha:\"\]/&\n/g' |sed 's/\[id \"/\n[id "/g'
regex for grabbing out ip, uri and id
egrep 'date or ip or whatever' /usr/local/apache/logs/error_log | grep -i modsec |grep -noP '(?:(?<=client )(?:\d{1,3}\.){3}\d{1,3}(?=])|(?<=uri ")[^"]+|(?<=id ")\d+)'
regex for grabbing out date, ip, uri, and id.
grep -noP '\w{3}\s\w{3}(?:\s\d{2}){2}(?::\d{2}){2}|(?<=client )(?:\d{1,3}\.){3}\d{1,3}(?=])|(?<=uri ")[^"]+|(?<=id ")\d+'
Only list them once and count multiples
grep modsec /usr/local/apache/logs/error_log |grep (enter domain here) |awk -F] '{$1=$(NF-1)="";print}'| uniq -c | sed "s/$/\n/"
get uri and id
uri is with quotes,
ruleid is just the number Without quotes!
add
<LocationMatch "/URI/From/Error">
SecRuleRemoveById $ruleid
</LocationMatch>
to (in most cases)
vim /usr/local/apache/conf/modsec2/whitelist.conf
restart apache
/etc/init.d/httpd restart
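Added example (not part of the original page): a readable version of the "get uri and id" step that pulls the uri/id pairs for one client IP out of the Apache error log, counts them, and prints ready-to-review LocationMatch stanzas. The function names, the sample log lines and the rule IDs in them are constructed; the URI is assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: turn ModSecurity hits for one client into whitelist stanzas.

# Print "COUNT URI ID" for every (uri, id) pair logged for client $2 in log $1.
# Matches "[client IP]" and the "[client IP:port]" form, so 203.0.113.7 does
# not also pick up 203.0.113.70.
modsec_hits() {
    awk -v ip="$2" '
        tolower($0) !~ /modsec/ { next }
        index($0, "[client " ip "]") == 0 && index($0, "[client " ip ":") == 0 { next }
        {
            id = ""; uri = ""
            if (match($0, /\[id "[0-9]+"\]/))  id  = substr($0, RSTART + 5, RLENGTH - 7)
            if (match($0, /\[uri "[^"]+"\]/)) uri = substr($0, RSTART + 6, RLENGTH - 8)
            if (id != "" && uri != "") n[uri " " id]++
        }
        END { for (k in n) print n[k], k }' "$1" | sort -k1,1nr -k2
}

# Print one LocationMatch stanza per (uri, id) pair, most frequent first.
modsec_whitelist() {
    modsec_hits "$1" "$2" | while read -r count uri id; do
        printf '# %s hit(s)\n<LocationMatch "%s">\n    SecRuleRemoveById %s\n</LocationMatch>\n\n' \
            "$count" "$uri" "$id"
    done
}

# Constructed sample error_log lines (IPs are documentation ranges, IDs are made up).
make_sample_log() {
    printf '%s\n' \
'[Fri Feb 27 08:28:48 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [file "/usr/local/apache/conf/modsec2/rules.conf"] [id "1234567"] [msg "constructed sample"] [hostname "example.com"] [uri "/wp-admin/post.php"]' \
'[Fri Feb 27 08:29:02 2015] [error] [client 203.0.113.7:51514] ModSecurity: Access denied with code 403 (phase 2). [id "1234567"] [msg "constructed sample"] [hostname "example.com"] [uri "/wp-admin/post.php"]' \
'[Fri Feb 27 08:31:10 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "7654321"] [msg "constructed sample"] [hostname "example.com"] [uri "/contact.php"]' \
'[Fri Feb 27 08:31:40 2015] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). [id "1234567"] [msg "constructed sample"] [hostname "example.com"] [uri "/wp-admin/post.php"]' \
'[Fri Feb 27 08:32:00 2015] [error] [client 203.0.113.70] ModSecurity: Access denied with code 403 (phase 2). [id "7654321"] [msg "constructed sample"] [hostname "example.com"] [uri "/xmlrpc.php"]' \
'[Fri Feb 27 08:32:05 2015] [error] [client 203.0.113.7] File does not exist: /home/user/public_html/favicon.ico' \
        > "$1"
}

# Demo: stanzas for the customer IP 203.0.113.7.
demo_log=$(mktemp)
make_sample_log "$demo_log"
modsec_whitelist "$demo_log" 203.0.113.7
rm -f "$demo_log"
```

Review each stanza before adding it to whitelist.conf: LocationMatch treats the URI as a regular expression, and the rule is switched off for every client on that path, not only the one that tripped it.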
Plesk?
grep ModSec /var/www/vhosts/domain.com/statistics/logs/error_log
add
<LocationMatch "/URI/From/Error">
SecRuleRemoveById $ruleid
</LocationMatch>
to
vim /var/www/vhosts/<domain.com>/conf/vhost.conf
or if a subdomain
vim /var/www/vhosts/<domain.com>/subdomains/<NameOfSubdomain>/conf/vhost.conf
rebuild plesk
/usr/local/psa/admin/bin/httpdmng --reconfigure-domain then <domain.com> or <sub.domain.com>
like:
/usr/local/psa/admin/bin/httpdmng --reconfigure-domain <sub.domain.com>
restart apache
/etc/init.d/httpd restart
test again:
tail -f /var/www/vhosts/domain.com/statistics/logs/error_log |grep ModSec
Making a new rule
in here define it and assign it a $ruleid
vim /usr/local/apache/conf/modsec2.user.conf
then you can add $ruleid to
<LocationMatch "/URI/From/Error">
SecRuleRemoveById $ruleid
</LocationMatch>
like normal
PHP
php.ini
To see where the file is loading from use:
php -i |grep -i loaded
you will get:
Loaded Configuration File => /path/to/php.ini
in general, on cPanel it is:
vim /usr/local/lib/php.ini
common values to change
- memory_limit = <>M
- upload_max_filesize = <>M
- post_max_size = <>M
- upload_max_filesize < post_max_size
Restart apache to have changes take effect
/etc/init.d/httpd restart
php.conf
Another php configuration file. It is used with the fastCGI php handler
/usr/local/apache/conf/php.conf
so far I've only run into "mod_fcgid: HTTP request length" value errors here. add or increase the value of
MaxRequestLen
Restart apache to have changes take effect
/etc/init.d/httpd restart
Plesk?
In Plesk, php.ini lives in the same spot it does on any non-cPanel environment: /etc/php.ini
vim /etc/php.ini
Restart apache to have changes take effect
/etc/init.d/httpd restart
Custom php.ini
cgi and fcgi
Double check which is the current php handler
/usr/local/cpanel/bin/rebuild_phpconf --current
Also remember to check if the account has CGI Privileges via WHM, in Modify an Account under Privileges. If it is unchecked, this will not work and the error messages are not helpful.
CGI
First copy the php.ini over
cd /home/(username)/public_html/cgi-bin
cp /usr/local/lib/php.ini php.ini
chown (username). php.ini
In the .htaccess in the public_html,
vim /home/(username)/public_html/.htaccess
add the following at the very top of the file before everything:
AddHandler php-cgi .php
Action php-cgi /cgi-bin/phpini.cgi
make the phpini.cgi file
vim /home/(username)/public_html/cgi-bin/phpini.cgi
with the following contents:
#!/bin/sh
export PHPRC=/home/(username)/public_html/cgi-bin/php.ini
exec /usr/local/cpanel/cgi-sys/php5 -c /home/(username)/public_html/
Also make sure that you correct the permissions on the phpini.cgi.
chmod +x /home/(username)/public_html/cgi-bin/phpini.cgi
chown (username). /home/(username)/public_html/cgi-bin/phpini.cgi
then, make the phpinfo.php file, load it in a browser, and make sure the new custom php.ini is being loaded:
Loaded Configuration File = /home/(username)/public_html/cgi-bin/php.ini
and not the main php.ini:
Loaded Configuration File = /usr/local/lib/php.ini
FCGI
First copy the php.ini over
cd /home/(username)/public_html/cgi-bin
cp /usr/local/lib/php.ini php.ini
chown (username). php.ini
In the .htaccess in the public_html,
vim /home/(username)/public_html/.htaccess
add the following at the very top of the file before everything:
AddHandler php5-fastcgi .php
Action php5-fastcgi /cgi-bin/php.fcgi
Make the php.fcgi file
vim /home/(username)/public_html/cgi-bin/php.fcgi
with the following contents:
#!/bin/sh
export PHP_FCGI_CHILDREN=1
export PHP_FCGI_MAX_REQUESTS=10
exec /usr/local/cpanel/cgi-sys/php5
Also make sure that you correct the permissions on the php.fcgi.
chmod +x /home/(username)/public_html/cgi-bin/php.fcgi
chown (username). /home/(username)/public_html/cgi-bin/php.fcgi
then, make the phpinfo.php file, load it in a browser, and make sure the new custom php.ini is being loaded:
Loaded Configuration File = /home/(username)/public_html/cgi-bin/php.ini
and not the main php.ini:
Loaded Configuration File = /usr/local/lib/php.ini
suPHP
copy the global php.ini over as the base for the custom
cd /home/(username)/public_html/
cp /usr/local/lib/php.ini php.ini
chown (username). php.ini
In the .htaccess in the public_html,
vim /home/(username)/public_html/.htaccess
add the following at the very top of the file before everything:
suPHP_ConfigPath /home/user/public_html
<Files php.ini>
order allow,deny
deny from all
</Files>
then, make the phpinfo.php file, load it in a browser, and make sure the new custom php.ini is being loaded:
Loaded Configuration File = /home/(username)/public_html/php.ini
and not the main php.ini:
Loaded Configuration File = /usr/local/lib/php.ini
phpinfo.php
move to the directory that you want to place the phpinfo.php page, then make it:
echo "<?php phpinfo(); ?>" > ./phpinfo.php && chown $(pwd | cut -d/ -f3). ./phpinfo.php
linzardry
OS version
cat /etc/redhat-release
Linux kernel bit
getconf LONG_BIT
load script
wget -O /root/load_chugger.sh http://trippinglizard.com/load_chugger.sh; bash /root/load_chugger.sh
memory
free -m
Nice output of %total Free Physical Memory + cached memory
cat /proc/meminfo | perl -e 'while(<>){ if(m/^(MemTotal|MemFree|Cached)/){ m/(\d+)/; push(@foo, $1); } } printf("%.2f%% Free Physical Memory\n", ( ( $foo[1] + $foo[2]) / $foo[0] ) * 100 ) ;'
grep
grep for != <variable>
grep -v <variable>
copy
keep perms and owners
cp -rfa
Handy bash wizardry for cp
add:
{,<nameofbakfile>}
like:
{,.bak}
or
{,.lwbak}
to the end of the filepath. i.e.
cp /path/to/file{,<nameofbakfile>}
would create the file:
/path/to/file<nameofbakfile>
example:
cp /usr/local/lib/php.ini{,.lwbak}
creates the file:
/usr/local/lib/php.ini.lwbak
Works with move (mv) also!
Dated backups
cp /path/to/stuff{,.$(date +"%m-%d-%Y").bak}
awk
It is not the size of the awk command, it is how you use it. awk is very helpful for manipulating output into handy "Kraft Cop-i-past-a-bles™"
awk '{print <variables> }'
variables
- $column_number
- commas <,> denote spaces
- echo "strings"
- numbers
- math operators
- "\n" is a new line
- "\t" is a tab
NF, The Last field
$NF is the last field
Try mathing the "NF" variable!
$(NF-n) "n" fields over from the last field
- $(NF-0) the last field.
- $(NF-1) second to last field
etcetera!
Example: lets grep out the time and the 1min, 5min, and 15min load averages from every loadwatch log that has triggered today:
cat /root/loadwatch/loadwatch.$(date +"%Y-%m-%d")* |grep "top - " |awk '{print $3"\t"$(NF-2)"\t"$(NF-1)"\t"$NF}'
would give you output similar to:
04:05:04 21.40, 10.52, 4.21
11:52:19 83.74, 50.38, 21.74
11:56:11 109.98, 79.96, 39.31
12:20:14 124.66, 66.60, 28.87
12:23:42 130.51, 103.27, 51.41
12:24:01 93.53, 96.59, 50.32
12:17:42 59.66, 31.55, 13.19
Substring
Sometimes you want to further refine just one column
substr($column_number,Starting_Character,Number_of_Characters_After_the_Starting_Character)
substr($3,1,5)
in the previous example,
lets say you just wanted the time without the seconds. i.e
04:05
11:52
11:56
12:20
not
04:05:04
11:52:19
11:56:11
12:20:14
replace $3 with substr($3,1,5)
still grab the third column ($3),
but just grab five (5) characters,
starting at the first (1).
If statements
try using them in front of print!
awk '{if ($5 > 5) print $5,$1,$2}'
if column 5 is greater than 5 print columns 5,1,and 2.
Example: using sar, show anytime the one minute load was above 10 then print that load and what time it happened
sar -q | awk '!/ld|Lin/{if ($5 > 10) print $5"\t"$1,$2}'
will result in nice output like:
13.35 09:30:04 AM
16.07 11:10:17 AM
10.92 11:20:02 AM
try:
sar -q | awk -v cores=$(nproc) '!/ld|Lin|LIN/ {if ($5 > cores) print $5"\t"$1,$2}'
Field Delimiters
Also you can add the -F<character> flag to specify the field delimiter (what separates the columns), i.e.
awk -F@ '{ print $NF }'
this would be, print everything after the last "@"
Sum of every line
Adds each line... you know what sum means.
awk '{a+=$0}END{print a}'
add just column 7
awk '{a+=$7}END{print a}'
First and Last line
This is helpful in finding a time frame.
Pipe the output of a search through
awk 'NR==1;END{print}'
You can also use the sed equivalent as it is shorter:
sed -n '1p;$p'
but lets say you want to just print column 4 (the time stamp) from a domlog
awk 'NR==1{print$4};END{print$4}'
combine the results with the output of wc of the same data and you have helpful information.
cut
cut works similar to awk with the -F flag
cut -d '<character>' -f<column-number>
i.e.
cut -d ':' -f2
Would be the same as
awk -F: '{print $2}'
cut vs awk
Cut is much quicker than awk. But awk is more powerful and has more options. It is an awkward thing to say, but sometimes, cut just doesn't cut it. Puns removed for your safety
create/delete user
$user = the username you want
useradd $user
userdel -r $user
give that user a password
passwd $user
add user to the sudoer file
run
visudo
and add
$user ALL=(ALL) ALL
$user will be able to use sudo with their own password instead of root's
number of cores
grep -c proc /proc/cpuinfo
nproc
find and change 777 perms
change all directories and files in every user's docroot from 777 to a more appropriate 755 for directories and 644 for files
find /home/*/public_html/ -type d -perm 777 -exec chmod 755 '{}' \;
find /home/*/public_html/ -type f -perm 777 -exec chmod 644 '{}' \;
grep ps aux better
ps faux | egrep 'START|<program>' | grep -v grep
quick info dump
lynx -dump -width 500 localhost/whm-server-status > /home/temp/connections.txt
Server stats
This is a super long one liner that shows several bits of handy info.
exec 3<&1 && bash <&3 <(curl -sq http://layer3.liquidweb.com/serverstats)
try it on your vps!
rsync
From current server to remote server
rsync -avH /path/to/file user@(host.domain.com-or-IP):/path/on/remote/domain
within a server
rsync -avH /path/to/file/to/move /path/to/destination/
test it out first! use the flag --dry-run for great success in avoiding tears
--dry-run
Tar .ect
Create a tar
tar -czvf file.tar.gz /path/to/file
Extract a .tar.gz
tar -zxvf filename.tar.gz
Extract a .tar
tar -xvf filename.tar
Extract a .gz
gunzip filename.gz
Preview the contents of a package so you can pick what to pull out
tar -tvzf filename.tar.gz
you can also pipe that to search for a certain folder
tar -tvzf filename.tar.gz | grep (folder or filename)
Extract a certain file from a backup or tar file
tar -xvzf filename.tar.gz /home/mike/public_html
use the exact line that the previous command gave you.
stolen shamelessly from Shooltz
Sar
sar memory % free
sar -r | egrep -v "ld|Ave|Linux" |awk -v v=$(cat /proc/meminfo |grep MemTot |awk '{print $2}') '{print $1,$2"\t"(($3+$7)/v)*100"%" }'
Sar shows the current day's resource usage since 12am server time, in ten-minute (default) intervals.
CPU utilization report:
sar
%user = Percentage of CPU utilization that occurred while executing at the user level (application).
%nice = Percentage of CPU utilization that occurred while executing at the user level with nice priority.
%system = Percentage of CPU utilization that occurred while executing at the system level (kernel).
%iowait = Percentage of time that the CPU or CPUs were idle during which the system had an outstanding disk I/O request.
%idle = Percentage of time that the CPU or CPUs were idle and the system did not have an outstanding disk I/O request.
Memory usage:
sar -r
kbmemfree = Amount of free memory available in kilobytes.
kbmemused = Amount of used memory in kilobytes. This does not take into account memory used by the kernel itself.
%memused = Percentage of used memory.
kbbuffers = Amount of memory used as buffers by the kernel in kilobytes.
kbcached = Amount of memory used to cache data by the kernel in kilobytes.
kbswpfree = Amount of free swap space in kilobytes.
kbswpused = Amount of used swap space in kilobytes.
%swpused = Percentage of used swap space.
kbswpcad = Amount of cached swap memory in kilobytes. This is memory that once was swapped out, is swapped back in but still also is in the swap area (if memory is needed it doesn't need to be swapped out again because it is already in the swap area. This saves I/O).
Load:
sar -q
runq-sz = Run queue length (number of processes waiting for run time).
plist-sz = Number of processes in the process list.
ldavg-1 = System load average for the last minute.
ldavg-5 = System load average for the past 5 minutes.
ldavg-15 = System load average for the past 15 minutes.
Previous Days
To check previous days use the -f flag along with the file path to the data file where <XX> is the day of the month:
sar -f /var/log/sa/sa<XX>
Load averages for the fifth of the month:
sar -q -f /var/log/sa/sa05
park wrapper errors
search for references of the domain. here are some of the places
grep -R <domain.com> /var/{cpanel/{users,bandwidth},named}/ /etc/httpd/conf/httpd.conf /etc/v{aliases,domainaliases,mail}/ /etc/{trueuser{domains,owners},named.conf,{local,user}domains}
Then remove references to the domain. After that, remember to:
/scripts/rebuilddnsconfig
retry creating the domain.
restoring scripts
Back up current account
/scripts/pkgacct $username
(puts it in /home/ and should be called cpmove-$) mv it out of the way, to cpmove-{USER}.tar.gz.bak
Restore account
backup must be in home. Move the backup you want to restore from (must be named like one of these):
cpmove-{USER}
cpmove-{USER}.tar
cpmove-{USER}.tar.gz
USER.tar
USER.tar.gz
backup-{BACKUP-DATE_TIME}_{USER}.tar
backup-{BACKUP-DATE_TIME}_{USER}.tar.gz
to one of the places cPanel looks:
/home, /home2, /home3, /root, /usr, /usr/home, /web
restore
/scripts/restorepkg $username
Or
/scripts/restorepkg $username /Path/to/the/userbackup.tar.gz
may need to kill the account if it already exists Or just use the force:
/scripts/restorepkg --force $username
/scripts/restorepkg --force $username /Path/to/the/userbackup.tar.gz
Remove current account
/scripts/killacct $username
crontab
Crontab Commands
export EDITOR=vi
to specify an editor to open the crontab file.
Edit your crontab file, or create one if it doesn't already exist.
crontab -e
Display your crontab file.
crontab -l
Remove your crontab file.
crontab -r
Display the last time you edited your crontab file. (This option is only available on a few systems.)
crontab -v
min |hour |day of month |month |day of week
30 |0 |1 |1,6,12 |* – 00:30 Hrs on 1st of Jan, June & Dec.
0 |20 |* |10 |1-5 – 8.00 PM every weekday (Mon-Fri) only in Oct.
0 |0 |1,10,15 |* |* – midnight on 1st, 10th & 15th of month
5,10 |0 |10 |* |1 – At 12.05, 12.10 every Monday & on 10th of every month
LoadParse
mkdir -p /scripts
wget -O /scripts/loadparse http://layer3.liquidweb.com/scripts/loadparse.sh
chmod +x /scripts/loadparse
LoadParse One Liners
these need loadparse installed
Top CPU users in loadwatch logs, logged today
cd /root/loadwatch
for i in `ll /root/loadwatch |grep $(date +"%Y-%m-%d") |awk '{print $NF}'`; do /scripts/loadparse $i | head ; done
Top mem users in loadwatch logs, logged today
cd /root/loadwatch
for i in `ll /root/loadwatch |grep $(date +"%Y-%m-%d") |awk '{print $NF}'`; do /scripts/loadparse $i | sed -n '14,20p'; done
wordpress
reset password, username, and/or email
get cpuser
/scripts/whoowns <domain>
get database name
grep DB_NAME /home/<cpuser>/public_html/wp-config.php
mysql oneliner to update all of them on user id 1 (the admin account). Remove sections not needed and replace everything in <>.
mysql -e "UPDATE <DB_NAME>.wp_users SET user_login = '<admin>', user_pass = MD5('<Password>'), user_email = '<their email address>' WHERE wp_users.ID = 1;"
Outlook and now more recently Thunderbird
Email clients are failing to connect to servers using courier and SSL due to the key size being too small. dovecot (the new default) is fine, it is just cPanel never bothered to update courier. per nfuller techstaff email (modified)
echo "QUIT" | openssl s_client -connect `hostname`:995 2> /dev/null | grep 'Server Temp Key'
will result in something like:
Server Temp Key: DH, 768 bits
If the bits is lower than 1024, like above, outlook won't connect. Thankfully this is an easy fix. Run the following one liner:
cp -av /usr/lib/courier-imap/share/dhparams.pem{,.bak_768_bits} && openssl dhparam -out /usr/lib/courier-imap/share/dhparams.pem 2048
That will backup the old key and create one at 2048 bits. Run the first one liner again to check your work:
echo "QUIT" | openssl s_client -connect `hostname`:995 2> /dev/null | grep 'Server Temp Key'
it should result in:
Server Temp Key: DH, 2048 bits
what kernels you can boot from
awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg