

Friday, December 30, 2011

Enable slow query log in Mysql

How to enable the slow query log in MySQL?

Check whether the slow query log is enabled in MySQL. Log in to MySQL and run the following command.


mysql> show global variables like '%slow%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| log_slow_queries | OFF   |
| slow_launch_time | 2     |
+------------------+-------+


The result shows that the slow query log is currently disabled on the server. You have to add the following entries to the "/etc/my.cnf" file in order to enable the slow query log. Place the entries below the "[mysqld]" section header.

[mysqld]
long_query_time=2
log-slow-queries=/var/log/mysql/log-slow-queries.log

You must create the file manually and change its owner this way:

mkdir -p /var/log/mysql
touch /var/log/mysql/log-slow-queries.log
chown -R mysql:mysql /var/log/mysql

 Restart mysql

Check again  whether the "slow query log" is enabled.

mysql> show global variables like '%slow%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| log_slow_queries | ON    |
| slow_launch_time | 2     |
+------------------+-------+
2 rows in set (0.00 sec)

These steps will log all MySQL queries that take more than 2 seconds to complete execution.

Wednesday, December 28, 2011

Install SSL manually in Linux

Install an SSL certificate for a domain/server manually on Linux servers



The Entrust SSL Certificate is in the section named "Entrust SSL Certificate".

Example:  

Your certificate will look something like this: (Do not use the code below)
-----BEGIN CERTIFICATE----- 
-----END CERTIFICATE-----
  1. Copy the Entrust SSL Certificate to your clipboard. You must include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
  2. Paste the certificate into a simple text editor, and ensure that the entire text is flush left with no leading or trailing white space. If there are any extra spaces or missing dashes, the server will not recognize the format of the file and you will not be able to install the certificate.
  3. Save the file as /path/to/your/apacheconf/ssl.crt/servername.crt
You have just installed your Entrust SSL Certificate.
It is strongly recommended that the httpd.conf file is backed up before attempting modifications.
In the section of /path/to/your/apacheconf/httpd.conf ensure that the following entries are correct:

Enable / Disable SSL for this host
SSLEngine on

Certificate Paths:
SSLCertificateFile /path/to/your/apacheconf/ssl.crt/servername.crt
SSLCertificateKeyFile /path/to/your/apacheconf/ssl.key/servername.pem
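
An added example (not part of the original post): a shell pre-flight check for the two files named in SSLCertificateFile and SSLCertificateKeyFile. It flags the formatting problems step 2 warns about and a private key that group or others can read. The function names and sample files are constructed; the certificate body is placeholder text, not a real certificate.

```sh
#!/bin/sh
# Added example (not from the original post): checks to run before restarting Apache.

# check_pem_cert FILE -> prints one line per formatting problem, nothing if clean
check_pem_cert() {
    awk '
        BEGIN {
            begin = "-----BEGIN CERTIFICATE-----"
            end   = "-----END CERTIFICATE-----"
        }
        /^[ \t]/   { print "line " NR ": leading whitespace" }
        /[ \t\r]$/ { print "line " NR ": trailing whitespace or carriage return" }
        {
            # compare the stripped line so one file can report several problems
            line = $0
            gsub(/^[ \t]+|[ \t\r]+$/, "", line)
            if (line == begin) { nbegin++; inside = 1; next }
            if (line == end)   { nend++;   inside = 0; next }
            if (line ~ /(BEGIN|END) CERTIFICATE/) {
                print "line " NR ": delimiter needs exactly five dashes on each side"
                next
            }
            if (inside && line !~ "^[A-Za-z0-9+/=]+$")
                print "line " NR ": not a base64 line"
        }
        END {
            if (nbegin != 1 || nend != 1)
                print "expected 1 BEGIN and 1 END line, found " (nbegin + 0) " and " (nend + 0)
        }
    ' "$1"
}

# check_key_perms FILE -> warns if group or others have any access to the key
check_key_perms() {
    # characters 5-10 of the ls mode string are the group and other bits
    perms=$(ls -ld "$1" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$1: group/other permissions are '$perms', expected none (chmod 600)"
    fi
}

# Constructed samples. The body is placeholder text, not a real certificate.
write_good_cert() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=' \
        '-----END CERTIFICATE-----' > "$1"
}

# Same content with four leading dashes, an indented body and a trailing space.
write_bad_cert() {
    printf '%s\n' \
        '----BEGIN CERTIFICATE-----' \
        '  Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=' \
        '-----END CERTIFICATE----- ' > "$1"
}

# Demo run on the constructed files
tmp=$(mktemp -d)
write_good_cert "$tmp/good.crt"
write_bad_cert "$tmp/bad.crt"
echo "good.crt:"; check_pem_cert "$tmp/good.crt"
echo "bad.crt:";  check_pem_cert "$tmp/bad.crt"
: > "$tmp/servername.pem"
chmod 644 "$tmp/servername.pem"
check_key_perms "$tmp/servername.pem"
rm -rf "$tmp"
```

Once the format check passes, openssl x509 -in servername.crt -noout -subject -enddate confirms that the file actually parses as a certificate.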




Locate PHP configuration file in Directadmin

Compile and enable soap on php with DirectAdmin Control Panel Custombuild
 
Locate the PHP configuration file in DirectAdmin. When you recompile PHP, make sure you are editing the correct PHP configuration files. You have to make sure CustomApache or CustomBuild 
 
 cd /usr/local/directadmin/custombuild

./build used_configs
 
 Results:

Apache configuration file: /usr/local/directadmin/custombuild/custom/ap2/configure.apache

PHP4 configuration file: /usr/local/directadmin/custombuild/custom/ap2/configure.php4

suPHP configuration file: /usr/local/directadmin/custombuild/custom/suphp/configure.suphp

PHP5 configuration file: /usr/local/directadmin/custombuild/custom/suphp/configure.php5
 
Edit your php5 config file: (example)

nano /usr/local/directadmin/custombuild/custom/suphp/configure.php5

Add: (Note that only the last rule has no slash!)

--enable-soap
 
Save the file and rebuild PHP:

./build php all
 
 
For more information, see: http://help.directadmin.com/item.php?id=252
    
 

Tuesday, December 27, 2011

How to change Nagios Password


root# touch /usr/local/nagios/sbin/.htaccess

root# vi /usr/local/nagios/share/.htaccess



And I wrote the following text in the .htaccess file


AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
require valid-user


Then, I did the following:


root# touch /usr/local/nagios/share/.htaccess

root# vi /usr/local/nagios/sbin/.htaccess


And I wrote the same text in that file too. Then, I did the following (which is the command for changing the password):
 
 
root# htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

New password:
Re-type new password:
Adding password for user nagiosadmin

root#  ls -l /usr/local/nagios/etc/htpasswd.users
-rwxrwxr--  1 nagios nagios 26 Dec 21 15:54 /usr/local/nagios/etc/htpasswd.users

root# chmod o+r /usr/local/nagios/etc/htpasswd.users

root# service httpd restart

 
These steps will help you
 


Tuesday, November 22, 2011

NRPE Installation


The NRPE addon is designed to allow you to execute Nagios plugins on remote Linux/Unix machines. This allows Nagios to monitor "local" resources (like CPU load, memory usage, etc.) on remote machines.


Nagios NRPE Installation and Configuration

NRPE Installation

 

 Install nagios-nrpe & nagios-plugins using yum.
 Change the "allowed_hosts" value to the IP of nagios server in /etc/nagios/nrpe.cfg


yum install nagios-nrpe nagios-plugin-nrpe
chkconfig nrpe on
/sbin/chkconfig --list
ls /usr/lib/nagios/plugins
nano /etc/nagios/nrpe.cfg
allowed_hosts= local host  -- as the connection needs to be established with the server itself
/etc/init.d/nrpe restart 
 
 
Port 5666 needs to be opened for Nagios

/sbin/iptables -I INPUT -p tcp -m tcp --dport 5666 -j ACCEPT

 

I will explain NRPE monitoring with the help of an example. Assume we are trying to implement distributed monitoring.

Master Server :-  Monitoring server          :   A
Remote server :- Server  to be monitored :   Z

The master server has Nagios, nagios-nrpe, nagios-plugin-nrpe, hostgroups and servers.

Host Group:  A host group definition is used to group one or more hosts together for simplifying configuration   

define hostgroup {
    hostgroup_name      hostgroup_name
    alias               alias
    members             hosts
    hostgroup_members   hostgroups
    notes               note_string
    notes_url           url
    action_url          url
}

Example of   "/etc/nagios/hostgroups/hostgroup.cfg"
 
define hostgroup  {
hostgroup_name    Google Linux
alias             Google
members           host1, host2 
} 
 
 
Servers:  The servers and the services that are being monitored using the Monitoring server A (main nagios server). 
example:   /etc/nagios/servers/"host1.cfg"
The "host1" file is used to specify which services need to be monitored in the  remote server "host1"
This file contains the definition of the services that need to be checked.
example: /etc/nagios/servers/google.cfg
define service{
        use                             local-service
        host_name                       google.cfg
        service_description             HTTP
        check_command                   check_http
        notifications_enabled           1
        }
check_command: This directive is used to specify the short name of the command that Nagios will run in order to check the status of the service.
The maximum amount of time for the service check command can also be mentioned after check_command.
 
notifications_enabled:  This directive is used to determine whether or not notifications for this host are enabled. Values: 
0 = disable host notifications, 
1 = enable host notifications.
 
We have to define all the services that need to be checked/monitored separately, i.e. each check_command will have a separate definition.
 
example of check command:  check_mysql -H $HOSTADDRESS$ -u $ARG1$ -p $ARG2$ -d $ARG3$
 
check_command   check-host-alive
 
check_mysql!powerdns_services!NmLY6DeM2Zvt2fUW!powerdns
 
check_mysql is defined on the remote host, i.e. the service that needs to be monitored:
$ARG1$ is powerdns_services,
$ARG2$ is NmLY6DeM2Zvt2fUW,
$ARG3$ is powerdns
 
You can refer to this page for more definitions: http://nagioswiki.com/wiki/index.php/Checking_NT_Services_with_Nagios
 
 
 
 

Monitoring Load

nano /etc/nagios/nrpe.cfg
command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,10 -c 30,25,20


/etc/init.d/nrpe restart
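
An added example (not part of the original post or of the NRPE project): a shell audit of the nrpe.cfg settings edited above (allowed_hosts and the command[...] definitions) that also prints a version of the port 5666 rule limited to the configured monitoring hosts. The sample config, the address 192.0.2.10 and the function names are constructed; dont_blame_nrpe and server_port are standard nrpe.cfg directives that the post does not mention.

```sh
#!/bin/sh
# Added example (not from the original post): audit nrpe.cfg and print
# source-restricted firewall rules for the NRPE port.

# write_sample_cfg PATH -> writes a constructed nrpe.cfg used for the demo
write_sample_cfg() {
    cat > "$1" <<'EOF'
# constructed sample config
server_port=5666
allowed_hosts=127.0.0.1,192.0.2.10
dont_blame_nrpe=1
command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,10 -c 30,25,20
command[check_mysql]=/usr/lib64/nagios/plugins/check_mysql -H localhost -u $ARG1$ -p $ARG2$ -d $ARG3$
EOF
}

# nrpe_get KEY FILE -> value of the last uncommented "KEY=value" line
nrpe_get() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { print found }
    ' "$2"
}

# audit_nrpe_cfg FILE -> prints one "WARN ..." or "INFO ..." line per finding
audit_nrpe_cfg() {
    cfg=$1
    hosts=$(nrpe_get allowed_hosts "$cfg")
    args=$(nrpe_get dont_blame_nrpe "$cfg")

    if [ -z "$hosts" ]; then
        echo "WARN allowed_hosts is missing or empty"
    fi
    for h in $(echo "$hosts" | tr ',' ' '); do
        case $h in
            */0) echo "WARN allowed_hosts entry $h matches any source" ;;
        esac
    done
    if [ "$args" = "1" ]; then
        echo "WARN dont_blame_nrpe=1: the calling host may pass command arguments"
    fi
    # $ARGn$ macros are only filled in when dont_blame_nrpe=1
    awk -v args="$args" '
        /^[ \t]*command\[/ && /\$ARG[0-9]+\$/ {
            name = $0
            sub(/^[ \t]*command\[/, "", name)
            name = substr(name, 1, index(name, "]") - 1)
            if (args == "1")
                print "WARN command " name " runs with caller-supplied arguments"
            else
                print "INFO command " name " uses $ARGn$ macros but arguments are disabled"
        }
    ' "$cfg"
}

# nrpe_firewall_rules FILE -> prints (does not run) one rule per remote allowed host
nrpe_firewall_rules() {
    port=$(nrpe_get server_port "$1")
    port=${port:-5666}
    for h in $(nrpe_get allowed_hosts "$1" | tr ',' ' '); do
        case $h in
            127.0.0.1|localhost|::1) continue ;;  # loopback entries are not remote sources
            */0) continue ;;                      # never emit an allow-all rule
        esac
        echo "/sbin/iptables -I INPUT -p tcp -s $h --dport $port -j ACCEPT"
    done
}

# Demo run on the constructed config
sample=$(mktemp)
write_sample_cfg "$sample"
audit_nrpe_cfg "$sample"
nrpe_firewall_rules "$sample"
rm -f "$sample"
```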



 

Nagios Wiki

Nagios:  is a popular open source computer system and network monitoring software application. It watches hosts and services, alerting.

 Monitoring of network services (SMTP, POP3, HTTP, NNTP, PING, etc.)

 Monitoring of host resources (processor load, disk and memory usage, running processes, log files, etc.)







All the hard work is done by plugins, the nagios daemon «only» schedules them to be executed at the right time with the right parameters and collect results.


The cgi interface is entirely optional, but highly useful.



Nagios Operation

The nagios daemon


• schedules and executes active host and service checks
• accepts asynchronous passive checks
• sends out notifications on host or service state change
• executes event handlers on host or service state change
• writes and rotates log and state files



Nagios Operation Local Plugin Execution


 All active checks involve the local execution of some plugin. Locally executed plugins can just check for some local service or they can go to the network and check some remote host or service. NRPE allows execution of plugins on remote hosts. Remote plugin results are reported to nagios by the locally executed check_nrpe plugin.

Distributed Monitoring

Nagios can be configured to support distributed monitoring of network services and resources. The goal in the distributed monitoring environment that I will describe is to offload the overhead (CPU usage, etc.) of performing service checks from a "central" server onto one or more "distributed" servers. When you want to start monitoring hundreds or even thousands of hosts (and several times that many services) using Nagios, this becomes quite important. A distributed solution is often called a master/slave solution. On the master you have a copy of every service that you want to check on the slaves, but the copy on the master has the active check disabled and notification enabled, while on the slaves both active and passive checks are enabled and notification is disabled.

nagios.cfg – contains options for daemon behaviour
cgi.cfg – controls the web interface
resource.cfg – tells nagios where to look for plugins

Check configuration with nagios -v nagios.cfg


# File locations
log_file=/var/log/nagios.log
cfg_file=/etc/opt/nagios/checkcommands.cfg
cfg_file=/etc/opt/nagios/misccommands.cfg
cfg_file=/etc/opt/nagios/host.cfg
resource_file=/etc/opt/nagios/resource.cfg
lock_file=/var/run/nagios.lock
 
The NRPE addon is designed to allow you to execute Nagios plugins on remote Linux/Unix machines. This allows Nagios to monitor "local" resources (like CPU load, memory usage, etc.) on remote machines.

The NRPE addon consists of two pieces:

• The check_nrpe plugin, which resides on the local monitoring machine
• The NRPE daemon, which runs on the remote Linux/Unix machine

When Nagios needs to monitor a resource or service from a remote Linux/Unix machine:

• Nagios will execute the check_nrpe plugin and tell it what service needs to be checked
• The check_nrpe plugin contacts the NRPE daemon on the remote host over an (optionally) SSL-protected connection
• The NRPE daemon runs the appropriate Nagios plugin to check the service or resource
• The results from the service check are passed from the NRPE daemon back to the check_nrpe plugin, which then returns the check results to the Nagios process.

Note: The NRPE daemon requires that Nagios plugins be installed on the remote Linux/Unix host. Without these, the daemon wouldn't be able to monitor anything.
http://www.softpanorama.org/Admin/Monitoring/nagios.shtml

Monday, November 14, 2011

Railo Administration


                                     Railo and Flex2gateway


Railo autoinstaller download link:-

http://railo.viviotech.net/


The package installs Railo/Tomcat. You can connect Railo with Apache during the Railo installation; mod_jk will then be enabled by default. Once the setup has finished successfully, verify that the mod_jk configuration has been added to the Apache configuration. The following configuration is necessary.

 <IfModule !mod_jk.c>
    LoadModule jk_module [modules directory]/mod_jk.so
 </IfModule>

 <IfModule mod_jk.c>
    JkMount /*.cfm ajp13
    JkMount /*.cfc ajp13
    JkMount /*.do ajp13
    JkMount /*.jsp ajp13
    JkMount /*.cfchart ajp13
    JkMount /*.cfm/* ajp13
    JkMount /*.cfml/* ajp13
    # Flex Gateway Mappings
    # JkMount /flex2gateway/* ajp13
    JkMount /flashservices/gateway/* ajp13
    JkMount /messagebroker/* ajp13
    JkMountCopy all
    JkLogFile [log directory]/mod_jk.log
 </IfModule>


Starting and Stopping Railo

#/etc/init.d/railo_ctl  start
#/etc/init.d/railo_ctl  stop



Railo administrator

There are two kinds of administrators: the Railo Server Administrator and the Railo Web Administrator. The Web Administrator defines local settings for a web and the Server Administrator the global default values. In addition, the Server Administrator allows you to set authorizations for the Web Administrator of all single webs.
Here, global services like mappings, customtags, datasources etc. can be defined globally so that all webs have access to them. Each account gets its own Web Administrator interface, which it can access to turn on debugging and manage datasources and mappings. The following are the URLs for accessing the Railo administrator pages:-

Server Administrator: http://<hostname or IP>/railo-context/admin/server.cfm
Web administrator: http://<hostname or IP>/railo-context/admin/web.cfm


Enabling railo services to new sites


Railo does not automatically support domains created by control panels like cPanel and Kloxo. You need to edit Tomcat's server.xml file for this. The default location of the file is /opt/railo/tomcat/conf/server.xml
Add the following code to the server.xml file:

    <Host name="[ENTER DOMAIN NAME]" appBase="webapps"
             unpackWARs="true" autoDeploy="true"
             xmlValidation="false" xmlNamespaceAware="false">
             <Context path="" docBase="[ENTER SYSTEM PATH]" />
             <Alias>[ALTERNATE DOMAIN NAME]</Alias>
        </Host>

where docBase is the full system path to the webroot of the domain. Once you've updated your server.xml file, restart Tomcat/Railo.


BlazeDS


Railo 3.x comes with BlazeDS 3.2, the Adobe open-source AMF engine used to communicate from a Flex application to a Java backend. However, we may need to modify some Tomcat configuration files to get it to work.


#1. Updating the web.xml file

/opt/railo/tomcat/conf/web.xml

Uncomment the following in web.xml if present, or add the details to the web.xml file.

        <!-- Load the MessageBrokerServlet  -->
    <servlet>
        <servlet-name>MessageBrokerServlet</servlet-name>
        <servlet-class>flex.messaging.MessageBrokerServlet</servlet-class>
        <init-param>
            <param-name>services.configuration.file</param-name>
            <param-value>/WEB-INF/flex/services-config.xml</param-value>
        </init-param>
        <init-param>
            <param-name>messageBrokerId</param-name>
            <param-value>MessageBroker</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

          <!-- The mappings for the Flex servlet -->
    <servlet-mapping>
        <servlet-name>MessageBrokerServlet</servlet-name>
        <url-pattern>/flex2gateway/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>MessageBrokerServlet</servlet-name>
        <url-pattern>/flashservices/gateway/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>MessageBrokerServlet</servlet-name>
        <url-pattern>/messagebroker/*</url-pattern>
    </servlet-mapping>


#2. Updating the uriworkermap.properties file

/opt/railo/tomcat/conf/uriworkermap.properties

Uncomment the following in web.xml if present, or add the details to the web.xml file.

/*.cfm=ajp13
/*.cfc=ajp13
/*.cfml=ajp13
/*.cfres=ajp13
/*.cfchart=ajp13
/*.cfm/*=ajp13
/*.cfml/*=ajp13
/*.cfc/*=ajp13
/*.jsp=ajp13
/*.do=ajp13
/=ajp13
/flex2gateway/*=ajp13
/flashservices/gateway/*=ajp13
/messagebroker/*=ajp13
/=ajp13


Once you've updated Tomcat configuration files, restart Tomcat/Railo.


Verify the flex connection is working

Browse to http://<IP or domain name>/flex2gateway/ and you should get a white page. If you get an error message, this would mean that either your server is not running, the MessageBroker Servlet is not running or there are some configuration mistakes.


Troubleshooting 404 error

1. Apache 404 error

Please understand that if the URL you're using is this: http://mydomain/flex2gateway , then all your mappings should look like
/flex2gateway*=ajp13
There must be no trailing slash on either of them.

Also verify the server.xml is updated correctly to point the webroot of the domain.

2. Tomcat 404 error

The most common reason is that the Tomcat servlet "MessageBrokerServlet" is unavailable or not loaded. In that case, verify that the Tomcat configuration files are updated correctly as mentioned above. Also check the Tomcat log files to find out why "MessageBrokerServlet" is not loaded. Sometimes you may need to comment out "MessageBrokerServlet" in other web.xml files.

Tomcat log file location:- /opt/railo/tomcat/logs/

ps: You need to restart railo/tomcat if you made any changes to tomcat configuration files.

The Railo memory configuration file is /opt/railo/tomcat/bin/setenv.sh. This file defines the virtual memory limit for the Railo service. Commenting out the lines will fix the memory issue.

http://www.tomcatexpert.com/blog/2011/11/16/setting-measurement-garbage-collection-apache-tomcat

http://www.tomcatexpert.com/blog/2011/11/22/performance-tuning-jvm-running-tomcat




Configuring SES URL's for Railo For Mura / Mango Blog

Railo http://www.viviotech.net/forum/viewtopic.php?f=5&t=588 

Tuesday, October 25, 2011

ffmpeg Installation

This article describes installation of ffmpeg, flvtool2, mplayer, mencoder, MP4Box, ffmpeg-php and many other video conversion tools on a CentOS cpanel server.


1. Enable RPM Fusion yum repository
 
The CentOS rpm packages of ffmpeg, mplayer, mencoder and MP4Box are available in the RPM Fusion yum repository. The RPM Fusion repo depends on packages from the EPEL repo, so enable these repositories by installing the following RPM packages:

rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm

rpm -Uvh http://download1.rpmfusion.org/free/el/updates/testing/5/i386/rpmfusion-free-release-5-0.1.noarch.rpm


rpm -Uvh http://download1.rpmfusion.org/nonfree/el/updates/testing/5/i386/rpmfusion-nonfree-release-5-0.1.noarch.rpm


Note: for the following 'yum' commands, use the switch --exclude "*.i386" on 64-bit systems so as to avoid installing both 64-bit and 32-bit packages. Of course, DO NOT use this switch on 32-bit systems :-)




2. Install ffmpeg, mplayer and mencoder
Install these packages using following yum command:

yum install ffmpeg mplayer mencoder

This will also install various dependency packages like libtheora, libvorbis, libogg, lame, opencore-amr, x264, xvidcore etc


3. Install flvtool2


This rpm package is available in the RPM Fusion repo, but it also requires ruby rpms. However, it is not recommended to install ruby rpms on a cPanel server. cPanel has its own ruby installer script, so install ruby using the following cPanel script:


/scripts/installruby

Flvtool2 is available as a Ruby Gems package. Use following gem command to install flvtool2:

gem install flvtool2

4. Install MP4Box


MP4Box is provided by gpac package. Install gpac and its library packages:


yum install gpac gpac-libs
5. Install ffmpeg-php


Ffmpeg-php requires ffmpeg development package. Install this package using yum:


yum install ffmpeg-devel

Now download the latest ffmpeg-php package:

wget http://downloads.sourceforge.net/ffmpeg-php/ffmpeg-php-0.6.0.tbz2
Untar this package, build and install it with following commands:

tar xjf ffmpeg-php-0.6.0.tbz2

cd ffmpeg-php-0.6.0


phpize


./configure


make


make install
Common errors:

Error 1: During the ./configure step, if you get an error like “ffmpeg headers not found. Make sure ffmpeg is compiled as shared libraries using the --enable-shared option”, then run the following three commands and after that re-run ./configure:

mkdir /usr/local/include/ffmpeg/

cp -par /usr/include/ffmpeg/* /usr/local/include/ffmpeg/

find /usr/include/ffmpeg/ -name "*.h" -exec cp {} /usr/local/include/ffmpeg/ \;

Error 2: during ‘make’ step, if you get the error “error: ‘PIX_FMT_RGBA32’ undeclared (first use in this function)”,
then run following command in ffmpeg-php source directory and run ‘make’ command again:

sed -i 's/PIX_FMT_RGBA32/PIX_FMT_RGB32/g' ffmpeg_frame.c

The make install command will show PHP extensions path where ffmpeg PHP extension is installed:

root@server [~/ffmpeg-php-0.6.0]# make install

Installing shared extensions:     /usr/local/lib/php/extensions/no-debug-non-zts-20060613/

 
Now edit php.ini file (/usr/local/lib/php.ini) and make sure that value of extension_dir is set to PHP extension directory as given by above ‘make install’ command:

extension_dir = "/usr/local/lib/php/extensions/no-debug-non-zts-20060613"

Add following line just below extension_dir and this will enable ffmpeg PHP extension:

extension="ffmpeg.so"

 
Restart Apache to make this change effective:

/scripts/restartsrv_httpd

You can verify the status of ffmpeg extension on a PHP info web page or from command line as given below:


root@server [~]# php -i | grep ffmpeg

ffmpeg
ffmpeg-php version => 0.6.0-svn
ffmpeg-php built on => Oct  5 2010 22:14:58
ffmpeg-php gd support  => enabled
ffmpeg libavcodec version => Lavc52.20.1
ffmpeg libavformat version => Lavf52.31.0
ffmpeg swscaler version => SwS0.7.1
ffmpeg.allow_persistent => 0 => 0
ffmpeg.show_warnings => 0 => 0
OLDPWD => /root/ffmpeg-php-0.6.0
_SERVER["OLDPWD"] => /root/ffmpeg-php-0.6.0
_ENV["OLDPWD"] => /root/ffmpeg-php-0.6.0


6. Installation paths


Following are the installation paths of tools that we installed:
ffmpeg -> /usr/bin/ffmpeg
mplayer -> /usr/bin/mplayer
mencoder -> /usr/bin/mencoder
flvtool2 -> /usr/bin/flvtool2
MP4Box -> /usr/bin/MP4Box
That's all!

Tuesday, October 11, 2011

Check Curl is working

Save the code below as a PHP file and execute the script with the command "php -q filename". If curl is working, a file named "rss.xml" will be created with contents in it.


<?php
/**
* Initialize the cURL session
*/
$ch = curl_init();
/**
* Set the URL of the page or file to download.
*/
curl_setopt($ch, CURLOPT_URL,
'http://news.google.com/news?hl=en&topic=t&output=rss');
/**
* Create a new file
*/
$fp = fopen('rss.xml', 'w');
/**
* Ask cURL to write the contents to a file
*/
curl_setopt($ch, CURLOPT_FILE, $fp);
/**
* Execute the cURL session
*/
curl_exec ($ch);
/**
* Close cURL session and file
*/
curl_close ($ch);
fclose($fp);
?>

Wednesday, October 5, 2011

Cloud Linux


Cloud Linux  Installation and updating Licence Key

=======================
wget http://repo.cloudlinux.com/cloudlinux/sources/cln/cpanel2cl
sh cpanel2cl -k $key
Replace $key with your license key.
reboot
/scripts/easyapache --build
=======================

More details at http://docs.cpanel.net/twiki/bin/view/AllDocumentation/InstallationGuide/InstallingOs


Updating Licence 

Use this command:

rhnreg_ks --activationkey=<newkey> --force

Tuesday, October 4, 2011

PHP handler in cpanel

How  to find current  PHP handler in Cpanel server using command?


The following command will let you know the current php core version and php handler.

# /usr/local/cpanel/bin/rebuild_phpconf --current
Here is an example of the output:

Code:
# /usr/local/cpanel/bin/rebuild_phpconf --current
Available handlers: suphp dso fcgi cgi none
DEFAULT PHP: 5
PHP4 SAPI: suphp
PHP5 SAPI: suphp
SUEXEC: enabled

Sunday, August 21, 2011

ColdFusion Installation

What is ColdFusion?

ColdFusion is an application server and software language used for Internet application development, such as for dynamically-generated web sites.

Advantages:

* Rapid Development Build complex applications quickly and easily.
* Scalable Deployment Deliver reliable, complex sites and applications with load balancing and fail-over.
* Open Integration Use the full range of Internet and enterprise technologies.
* Complete Security Control Access your servers for development and administration and use advanced security features to protect applications during run-time.

You can check the system requirements at Adobe - Adobe ColdFusion 8 : System Requirements
I would suggest to go with the installation on dedicated server and not the VPS OR semi-dedicated server for better performance.

Installing ColdFusion

Download the coldfusion-801-lin.bin file on your server
Grant Execute permission to the coldfusion-801-lin.bin binary file

root@root [~]# chmod +x coldfusion-801-lin.bin

Step 1
************************************************** **

Quote:
root@root [~]# ./coldfusion-801-lin.bin
Step 2
************************************************** **
Quote:
Choose Locale...
----------------

->1- English

CHOOSE LOCALE BY NUMBER:
Select option 1

Step 3
************************************************** **
Quote:
PRESS <ENTER> TO CONTINUE:
Press Enter 28 times.

Step 4
************************************************** **
Quote:
DO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? (Y/N):
Press Y to continue

Step 5
************************************************** **
Quote:
Install Type
------------

If you do not have a serial number, select either 30-day trial or Developer
Edition.

->1- Install new version of Adobe ColdFusion 8 with a serial number
2- 30-day trial
3- Developer Edition
Select option 1 if you have the authorized product key
Else proceed with option 2 for 30-day trial

Step 6
************************************************** **
Quote:
Serial Number:
Enter the serial/product key required

Step 7
************************************************** **
Quote:
Installer Configuration
-----------------------

What kind of installation do you want?

->1- Server configuration
2- Multiserver configuration
3- J2EE configuration (EAR file)
4- J2EE configuration (WAR file)
Select option 1 to proceed

Step 8
************************************************** **
Quote:
Is Adobe ColdFusion 8 (Server Configuration) Installed?
-------------------------------------------------------

You cannot install the server configuration of Adobe ColdFusion 8 if it is already installed on this computer.

Is there already a server configuration of Adobe ColdFusion 8 installed?

1- Yes
->2- No

ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:
Select option 2

Step 9
************************************************** **
Quote:
Subcomponent installation
-------------------------

The following options are available for installation.

An option marked with "[X]" in front will be installed and an option with "[ ]"
will not. Choosing an option will toggle it on or off

[X] 1) ColdFusion 8 Documentation
[X] 2) Adobe LiveCycle Data Services ES
[X] 3) ColdFusion 8 Search Services
[X] 4) Start ColdFusion on system init

5) Continue with installation
Select option 5

Step 10
************************************************** **
Quote:
Choose Install Folder
---------------------

Select the directory where you want to install Adobe ColdFusion 8.

Directory:

Default Install Folder: /opt/coldfusion8

ENTER AN ABSOLUTE PATH, OR PRESS <ENTER> TO ACCEPT THE DEFAULT
Example :: /opt/coldfusion8 OR /usr/local/src

Step 11
************************************************** **
Quote:
INSTALL FOLDER IS: /opt/coldfusion8
IS THIS CORRECT? (Y/N):
Type Y and proceed

Step 12
************************************************** **
Quote:
License Agreement
-----------------

Installation and Use of Adobe LiveCycle Data Services ES Requires Acceptance of
the Following License Agreement:

ADOBE SYSTEMS INCORPORATED
ADOBE LIVECYCLE DATA SERVICES SOFTWARE
Software License Agreement

PRESS <ENTER> TO CONTINUE:
Press Enter 30 times

Step 13
************************************************** **
Quote:
DO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? (Y/N):
Enter Y to proceed

Step 14
************************************************** **
Quote:
If you do not have an Adobe LiveCycle Data Services ES serial number, leave the
serial number field blank to install a 120-day trial.

After the trial period expires, LCDS becomes Express edition until registered.
The Express edition is a free, non-expiring commercial use product for
application deployed on a single machine with not more than one CPU.

Enter your serial number for Adobe LiveCycle Data Services ES.
Example (you can omit the dashes if you prefer):
XXXX-XXXX-XXXX-XXXX-XXXX-XXXX

Serial Number::
Enter the product key

Step 15
************************************************** **
Quote:
Earlier Versions of Adobe ColdFusion installed?
-----------------------------------------------

If you installed an earlier version of ColdFusion on this computer, you can migrate your settings to Adobe ColdFusion 8.

Is there an earlier version of ColdFusion installed on this computer (for example, ColdFusion 6 or ColdFusion MX 7)?

1- Yes
->2- No

ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:
Select option 2

Step 16
************************************************** **
Quote:
Configure Web Servers
---------------------

Please configure your web server(s). If you do not configure a web server the
built-in web server will be used on port 8500 or the next available port.

1- Add Web Server Configuration
->2- Continue with installation
Select option 1

Step 17
************************************************** **
Quote:
->1- Apache
2- Sun ONE Web Server (iPlanet)
3- Cancel

What kind of web server are you configuring:
Select option 1

Step 18
************************************************** **
Quote:
What directory contains your Apache configuration file (httpd.conf)? (For
example, on Red Hat Linux it could be located in the /etc/httpd/conf
directory if you installed from an rpm, or for SuSe Linux, it could be in
/etc/apache2)
Enter /etc/httpd/conf OR /usr/local/apache/conf

Step 19
************************************************** **
Quote:
Where is the Apache program binary file? (For example, on Red Hat Linux it
could be /usr/sbin/httpd if you installed from an rpm, or for SuSE Linux it
could be located at /usr/sbin/httpd2) If you have more than one instance of
Apache on your computer, enter the binary file location for the Apache web
server that will use ColdFusion. (Note: this is not the Apache start and
stop script.)

File (DEFAULT: /etc/httpd/bin/httpd):
on your server fire the command "which httpd" and enter the output above. Make sure you fire the command in some other terminal
I get /usr/sbin/httpd
Enter /usr/sbin/httpd

Step 20
************************************************** **
Quote:
Where is the control file that you use to start and stop the Apache web
server? (For example, this could be /etc/init.d/httpd on Red Hat Linux if
you installed from an rpm, /usr/sbin/apache2ctl on SuSe Linux, or it could
be /usr/local/apache/bin/apachectl on hand-compiled versions.)

File (DEFAULT: /etc/httpd/bin/apachectl):
Enter /etc/init.d/httpd

Step 21
************************************************** **
Quote:
Please configure your web server(s). If you do not configure a web server the
built-in web server will be used on port 8500 or the next available port.

1- Add Web Server Configuration
2- Remove Web Server Configuration
3- Edit:Apache : /usr/local/apache/conf
->4- Continue with installation

Choice:
If you want to make any changes to the web server configuration, enter one of the options 1 to 3; otherwise proceed with option 4.

Step 22
************************************************** **
Quote:
Choose Adobe ColdFusion 8 Administrator Location
------------------------------------------------

Select the location of the web root for Adobe ColdFusion 8. This is where the installer places the Adobe ColdFusion 8 Administrator.

This directory must be the web root for one of the websites to be configured for use with Adobe ColdFusion 8.
Directory: (DEFAULT: /usr/local/apache/htdocs):
I would suggest going with the default directory "/usr/local/apache/htdocs".

Step 23
************************************************** **
Quote:
Runtime User
------------

Enter the name of the runtime user. This user must already exist on the system.

User Name: (DEFAULT: nobody):
Proceed with the default user "nobody"

Step 24
************************************************** **
Quote:
Administrator Password
----------------------

Enter the password that you will use to restrict access to the ColdFusion
Administrator.

This field is required.

Password: The one you want.
Confirm password: Same password as above.
Do keep a record of the password or make a copy of the password on your local machine.

Step 25
************************************************** **
Quote:
Enable RDS
----------

The ColdFusion Remote Development Service (RDS) lets developers using Adobe
tools remotely connect to this server for development purposes. RDS is required
for Line Debugging, Report Builder, and DreamWeaver Extensions.

If this is a production server, Adobe recommends that you disable RDS.
Note, however, that disabling RDS also disables debugging, the directory
browsing applets in the ColdFusion Administrator and some of the functionality
in the Report Builder.

Enable RDS (Y/N):
If you want to enable RDS, press Y. Let's proceed with enabling RDS.
Quote:
Password: The one you want.
Confirm password: Same password as above.

Step 26
************************************************** **
Quote:
Installation Confirmation
-------------------------


Installation Type:
Server configuration

Licensing:
Enterprise edition
Serial Number: XXXX-XXXX-XXXX-XXXX-XXXX-XXXX

Installation Directories:
Product: /opt/coldfusion8
Web root: /usr/local/apache/htdocs

Server Information:
Web Server: Apache (/usr/local/apache/conf)
Port:
Search Services: installed
Adobe LiveCycle Data Services ES: installed
Documentation: installed
RDS: enabled

Disk Space Information (for Installation Target):
Required: 923,564,250 bytes
Available: 205,550,153,728 bytes

You will get the overview/summary of the details you have entered for installation

PRESS <ENTER> TO CONTINUE:
Hit Enter to continue

Step 27
************************************************** **
Quote:
Installation Complete
---------------------

You have successfully completed the first step in installing Adobe ColdFusion
8.

To continue with your installation, go to /opt/coldfusion8/bin and type
"./coldfusion start" to start your server.

Once the server, is started log in to the Configuration Wizard at
http://[machinename]/CFIDE/administrator/index.cfm

Press Enter to exit the installer:
Hit Enter

You are done ! Congratulations !!


To start/stop coldfusion on the server you can follow the steps below

root@root# cd /opt/coldfusion8/bin

root@root[/opt/coldfusion8/bin]# ./coldfusion start

root@root[/opt/coldfusion8/bin]# ./coldfusion stop


To access the admin control panel, browse to the URL http://[machinename]/CFIDE/administrator
Enter the password set during the installation and proceed further.

Note: Make sure you have libstdc++.so.5 installed on your server. If it is already installed, skip the step below.

root@root [~]# yum install libstdc++.so.5

Thursday, August 11, 2011

Exim CheatSheet


Print a count of the messages in the queue

exim -bpc

Print a listing of the messages in the queue (time queued, size, message-id, sender, recipient)

exim -bp

Print a summary of messages in the queue (count, volume, oldest, newest, domain, and totals)

exim -bp | exiqsumm

Remove all frozen messages in queue

exim -bpr | grep frozen | awk '{print $3}' | xargs exim -Mrm

Remove all mails that have a certain string in them

grep -lr 'search string' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | xargs exim -Mrm

Remove mails with more than 10 recipients

exipick -i '$recipients_count > 10' | xargs exim -Mrm

View a message's log

exim -Mvl <message-id>

Remove all mails in queue

exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | bash

Remove all mails sent from nobody

for i in `exim -bpr | grep nobody | awk '{print $3}'`; do exim -Mrm $i; done

Get list of scripts which send out mails

for i in `exim -bp | awk '{print $3}' | sort | uniq`; do exim -Mvh $i | grep "X-PHP-Script"; done | awk '{print $3}' | sort | uniq

Find the authenticated user involved in mails in queue

for i in `exim -bp | awk '{print $3}' | sort | uniq`; do exim -Mvh $i | grep "auth"; done

Check out more on
http://bradthemad.org/tech/notes/exim_cheatsheet.php

 

DDOS finding scripts

DDOS Number of connections
 
 
netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -plan |grep :80 | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n
netstat -plan |grep :80 | grep -i esta | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n
netstat -plan |grep :80 | cut -d: -f8 | sort | uniq -c | sort -n
netstat -plan |grep :80 | wc -l
netstat -plant | awk ' gsub(":"," ") $5 ~ /80/  {print $6}'  | sort | uniq -c | sort -n
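
The one-liners above match ":80" anywhere on the line, so they also count ports such as 8080 and outbound connections to a remote port 80. The following is an added example, not part of the original post: a function (count_conns and the sample netstat output are constructed here) that counts connections per remote IP for one exact local port and handles IPv4-mapped addresses.

```bash
#!/bin/bash
# Added example. SAMPLE is constructed "netstat -ant" style output using
# documentation address ranges; it is not taken from a real host.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51515      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51516      SYN_RECV
tcp        0      0 192.0.2.10:8080         203.0.113.9:40000       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:40001       ESTABLISHED
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:33000 ESTABLISHED
tcp        0      0 192.0.2.10:45000        203.0.113.80:80         ESTABLISHED'

# count_conns PORT [STATE]
# Reads "netstat -ant" output on stdin and prints "count remote-ip" lines,
# busiest first, for connections whose LOCAL port is exactly PORT.
count_conns() {
    awk -v port="$1" -v want="${2:-}" '
        $1 !~ /^tcp/ { next }                 # skip headers and non-TCP rows
        {
            lp = $4; sub(/^.*:/, "", lp)      # local port: text after last colon
            if (lp != port) next              # exact match, so 8080 is not 80
            if ($6 == "LISTEN") next          # the listening socket is not a client
            if (want != "" && $6 != want) next
            ip = $5
            sub(/:[^:]*$/, "", ip)            # drop the remote port
            sub(/^::ffff:/, "", ip)           # fold IPv4-mapped IPv6 into IPv4
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a server: netstat -ant | count_conns 80
printf '%s\n' "$SAMPLE" | count_conns 80
```

Pass a state as the second argument (for example ESTABLISHED or SYN_RECV) to separate completed connections from half-open ones.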
 
Hourly hits from apache logs 
 
awk '{print $4,$5}' /var/log/httpd/access_log  | cut -d: -f1,2 | sort | uniq -c

CPU Usage in Linux Servers


Wednesday, August 10, 2011

Server Hardening Steps

Steps for security hardening 

The steps I usually follow:


1. Firewall installation (APF/CSF).

2. Firewall configuration

CSF installation steps:
rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Next, test whether you have the required iptables modules:
perl /etc/csf/csftest.pl

In /etc/csf/csf.conf, find MONOLITHIC_KERNEL = "0" and change it to MONOLITHIC_KERNEL = "1"
Specify which ports you want to allow
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2087"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"
# Allow incoming UDP ports
UDP_IN = "20,21,53,953"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,873,953,6277"

Common ports for reference:
21 => FTP
22 => SSH
23 => Telnet
25 => SMTP Mail Transfer
43 => WHOIS
53 => name server (DNS)
80 => HTTP (Web server)
110 => POP protocol (for email)
443 => HTTP Secure (SSL for https://)
995 => POP over SSL/TLS
9999 => Urchin
3306 => MySQL Server
2082 => cPanel default
2083 => cPanel - secure/SSL
2086 => cPanel WHM
2087 => cPanel WHM - secure/SSL
2095 => cPanel webmail
2096 => cPanel webmail - secure/SSL
8443 => Plesk Control Panel
2222 => DirectAdmin Control Panel
10000 => Webmin Control Panel
 
Disable the Testing Mode and Start the Firewall
nano /etc/csf/csf.conf
Look for the first line and set testing mode to "0":
TESTING = "0"
Now restart the firewall:
csf -r
 
 
SSHD Hardening

Run SSH on a non-standard port
Moving SSH to a non-standard port avoids basic SSH port scans.
1. Edit /etc/ssh/sshd_config
2. Look for the following line: #Port 22
3. Change the line so it reads Port nnnn, where nnnn is a port of your choosing. Don't forget to open the port in the firewall first!
4. Save and close the file
5. Load the new configuration: service sshd reload

Disable direct root logins over SSH
Before doing this, create the user admin with a password and add the user to the wheel group.
1. Edit /etc/ssh/sshd_config
2. Replace "Protocol 2, 1" with "Protocol 2" and uncomment the line
3. Replace "PermitRootLogin yes" with "PermitRootLogin no"
Restart SSH
1. /etc/rc.d/init.d/sshd restart
This prevents the root user from logging in directly through SSH, and it makes it easier to trace in the log files who is doing what.

Check SSH PasswordAuthentication. For ultimate SSH security, you might want to consider disabling PasswordAuthentication and only allow access using PubkeyAuthentication.
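
To confirm that the sshd_config edits above took effect, the following added example (not from the original post) reads the settings back from an sshd_config-style file. The function names, the two sample files and port 2222 are assumptions made for the illustration; Match blocks and the Keyword=value form are not handled.

```bash
#!/bin/bash
# Added example. sshd keeps the FIRST value it reads for a keyword, and
# keywords are case-insensitive, so a later duplicate line changes nothing.

# sshd_value FILE KEYWORD: print the effective global value, or nothing if unset
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        tolower($1) == "match" { exit }       # Match blocks are not audited
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }
    ' "$1"
}

# audit_sshd FILE: print one line per finding; return 1 if anything was found
audit_sshd() {
    rc=0
    port=$(sshd_value "$1" Port)
    if [ "${port:-22}" = "22" ]; then echo "Port: 22 (default)"; rc=1; fi
    proto=$(sshd_value "$1" Protocol)
    case ",$(printf '%s' "$proto" | tr -d ' ')," in
        *,1,*) echo "Protocol: SSHv1 allowed ($proto)"; rc=1 ;;
    esac
    root=$(sshd_value "$1" PermitRootLogin)
    if [ "$root" != "no" ]; then echo "PermitRootLogin: ${root:-unset}"; rc=1; fi
    pw=$(sshd_value "$1" PasswordAuthentication)
    if [ "$pw" != "no" ]; then echo "PasswordAuthentication: ${pw:-unset}"; rc=1; fi
    return $rc
}

# Constructed samples: the stock file the post starts from, and the same file
# after the edits (2222 is a placeholder port, not a recommendation).
BEFORE=$(mktemp); AFTER=$(mktemp)
printf '%s\n' '#Port 22' 'Protocol 2, 1' 'PermitRootLogin yes' > "$BEFORE"
printf '%s\n' 'Port 2222' 'Protocol 2' 'permitrootlogin no' \
    'PermitRootLogin yes' 'PasswordAuthentication no' > "$AFTER"

audit_sshd "$BEFORE" || true
audit_sshd "$AFTER" && echo "no findings in the edited file"
```

On a server, run audit_sshd /etc/ssh/sshd_config after the reload; a commented-out line such as "#Port 22" counts as unset, which is why the stock file is reported as still listening on 22.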
 
Temporary Space hardening
On a cPanel server this can be done by using the script /scripts/securetmp
Check /tmp permissions. /tmp should be chmod 1777
Check /tmp ownership. /tmp should be owned by root:root
Check /var/tmp permissions. /var/tmp should be chmod 1777
Check /var/tmp ownership. /var/tmp should be owned by root:root
Check /var/tmp is mounted as a filesystem. /var/tmp should either be symlinked to /tmp or mounted as a filesystem

Tmp hardening in VPS
OpenVZ does not support the 'BINDMOUNT' option, so I created mount and umount scripts which automatically mount /tmp and /var/tmp on VE start and unmount them on stop.
Here are the scripts:
$VEID.mount: /etc/vz/conf/ dir
============================================================================
#!/bin/bash
# Create the backing directories inside the VE if they do not exist yet
[ -d /vz/private/$VEID/var/rtmp ] || mkdir /vz/private/$VEID/var/rtmp
[ -d /vz/private/$VEID/var/rvtmp ] || mkdir /vz/private/$VEID/var/rvtmp
# Bind them over the VE's /tmp and /var/tmp
mount --bind /vz/root/$VEID/var/rtmp /vz/root/$VEID/tmp -o nosuid,noexec,nodev
mount --bind /vz/root/$VEID/var/rvtmp /vz/root/$VEID/var/tmp -o nosuid,noexec,nodev
# A bind mount can ignore the -o flags on the first call; remount to apply them
mount -o remount,bind,nosuid,noexec,nodev /vz/root/$VEID/tmp
mount -o remount,bind,nosuid,noexec,nodev /vz/root/$VEID/var/tmp
=============================================================================
$VEID.umount: /etc/vz/conf/ dir
=============================================================================
#!/bin/bash
# Unmount each bind mount only if it is currently mounted
mount|grep "/vz/root/$VEID/tmp" 2>/dev/null 1>&2 && umount /vz/root/$VEID/tmp
mount|grep "/vz/root/$VEID/var/tmp" 2>/dev/null 1>&2 && umount /vz/root/$VEID/var/tmp
exit 0
==============================================================================
They should be placed as $VEID.mount and $VEID.umount in the /etc/vz/conf/ dir.
They take effect after a VE restart.
Chmod the tmp directory to 777 in the VE; note that the checks above expect 1777 (777 plus the sticky bit) on /tmp and /var/tmp.
 

Installing mod_evasive
cd /usr/local/src
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
tar xfz mod_evasive_1.10.1.tar.gz
cd mod_evasive

For a cPanel server with Apache 2.x:
/usr/local/apache/bin/apxs -cia mod_evasive20.c
nano /usr/local/apache/conf/httpd.conf
Add the following to httpd.conf:
==========================================
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 300
</IfModule>
===========================================
/usr/local/cpanel/bin/apache_conf_distiller --update
 
 
host.conf hardening
To "harden" your /etc/host.conf file just put the following into the file:
order bind,hosts
multi on
nospoof on
 
Hide apache software version
To hide the information, add the following two directives to the Apache configuration file.
ServerTokens ProductOnly
ServerSignature Off
/usr/local/cpanel/bin/apache_conf_distiller --update
 
Hide BIND DNS Server Version
Open your named.conf file, find the options { ... }; section, and add: version "YOUR Message";
Save and close the file.
Restart named: service named restart


cPanel/WHM Tweak

Disable all instances of IRC – BitchX, bnc, eggdrop, generic-sniffers, guardservices, ircd, psyBNC, ptlink. If you are using WHM you can do this in the Background Process Killer.

In cPanel/WHM, set Shell Fork Bomb Protection.

Go to Server Setup =>> Tweak Settings
Check the following items...
Under Domains: Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)
Under Mail: Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
Under System: Use jailshell as the default shell for all new accounts and modified accounts

Go to Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection

Go to Server Setup =>> Manage Wheel Group Users

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Go to Service Configuration =>> FTP Configuration
Disable Anonymous FTP

Go to Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)

Prevent the user nobody from sending mail.
 
Compact Hardening Steps 
SSHD hardening ( Change root password, Disable direct root login, ssh port changing. etc )
Software upgrade
Installing and configuring firewall ( CSF and LFD )
MySQL optimization
Installing and scanning with rkhunter
Installing and scanning with clamav
Installing and scanning with Lynis ( Fixing security issues reported by it )
Installing mod evasive
Hardening sysctl.conf
Hide Apache Version
Hide Bind Version
 
 
 

Things to take care during hardening

Check for web applications which use proc_open, popen, disk_free_space, diskfreespace, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru. If no applications use these functions, disable them in php.ini.

Checking for programs with suid

find / -perm -4000 2>/dev/null


Checking for programs with sgid

find / -perm -2000 2>/dev/null
 
 
For further Reference:

 

http://kevin.hatfieldfamilysite.com/?p=147

http://www.puschitz.com/SecuringLinux.shtml#SecuringSSH