

Sunday, August 21, 2011

ColdFusion Installation

What is ColdFusion?

ColdFusion is an application server and software language used for Internet application development, such as dynamically generated web sites.

Advantages:

* Rapid Development: Build complex applications quickly and easily.
* Scalable Deployment: Deliver reliable, complex sites and applications with load balancing and fail-over.
* Open Integration: Use the full range of Internet and enterprise technologies.
* Complete Security Control: Access your servers for development and administration and use advanced security features to protect applications during run-time.

You can check the system requirements on the Adobe page "Adobe ColdFusion 8 : System Requirements".
I suggest installing on a dedicated server rather than a VPS or semi-dedicated server, for better performance.

Installing ColdFusion

Download the coldfusion-801-lin.bin file on your server
Grant Execute permission to the coldfusion-801-lin.bin binary file

root@root [~]# chmod +x coldfusion-801-lin.bin

Step 1
************************************************** **

Quote:
root@root [~]# ./coldfusion-801-lin.bin
Step 2
************************************************** **
Quote:
Choose Locale...
----------------

->1- English

CHOOSE LOCALE BY NUMBER:
Select option 1

Step 3
************************************************** **
Quote:
PRESS <ENTER> TO CONTINUE:
Press Enter 28 times.

Step 4
************************************************** **
Quote:
DO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? (Y/N):
Press Y to continue

Step 5
************************************************** **
Quote:
Install Type
------------

If you do not have a serial number, select either 30-day trial or Developer
Edition.

->1- Install new version of Adobe ColdFusion 8 with a serial number
2- 30-day trial
3- Developer Edition
Select option 1 if you have an authorized product key.
Otherwise proceed with option 2 for the 30-day trial.

Step 6
************************************************** **
Quote:
Serial Number:
Enter the serial/product key required

Step 7
************************************************** **
Quote:
Installer Configuration
-----------------------

What kind of installation do you want?

->1- Server configuration
2- Multiserver configuration
3- J2EE configuration (EAR file)
4- J2EE configuration (WAR file)
Select option 1 to proceed

Step 8
************************************************** **
Quote:
Is Adobe ColdFusion 8 (Server Configuration) Installed?
-------------------------------------------------------

You cannot install the server configuration of Adobe ColdFusion 8 if it is already installed on this computer.

Is there already a server configuration of Adobe ColdFusion 8 installed?

1- Yes
->2- No

ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:
Select option 2

Step 9
************************************************** **
Quote:
Subcomponent installation
-------------------------

The following options are available for installation.

An option marked with "[X]" in front will be installed and an option with "[ ]"
will not. Choosing an option will toggle it on or off

[X] 1) ColdFusion 8 Documentation
[X] 2) Adobe LiveCycle Data Services ES
[X] 3) ColdFusion 8 Search Services
[X] 4) Start ColdFusion on system init

5) Continue with installation
Select option 5

Step 10
************************************************** **
Quote:
Choose Install Folder
---------------------

Select the directory where you want to install Adobe ColdFusion 8.

Directory:

Default Install Folder: /opt/coldfusion8

ENTER AN ABSOLUTE PATH, OR PRESS <ENTER> TO ACCEPT THE DEFAULT
Example :: /opt/coldfusion8 OR /usr/local/src

Step 11
************************************************** **
Quote:
INSTALL FOLDER IS: /opt/coldfusion8
IS THIS CORRECT? (Y/N):
Type Y and proceed

Step 12
************************************************** **
Quote:
License Agreement
-----------------

Installation and Use of Adobe LiveCycle Data Services ES Requires Acceptance of
the Following License Agreement:

ADOBE SYSTEMS INCORPORATED
ADOBE LIVECYCLE DATA SERVICES SOFTWARE
Software License Agreement

PRESS <ENTER> TO CONTINUE:
Press Enter 30 times

Step 13
************************************************** **
Quote:
DO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? (Y/N):
Enter Y to proceed

Step 14
************************************************** **
Quote:
If you do not have an Adobe LiveCycle Data Services ES serial number, leave the
serial number field blank to install a 120-day trial.

After the trial period expires, LCDS becomes Express edition until registered.
The Express edition is a free, non-expiring commercial use product for
application deployed on a single machine with not more than one CPU.

Enter your serial number for Adobe LiveCycle Data Services ES.
Example (you can omit the dashes if you prefer):
XXXX-XXXX-XXXX-XXXX-XXXX-XXXX

Serial Number::
Enter the product key

Step 15
************************************************** **
Quote:
Earlier Versions of Adobe ColdFusion installed?
-----------------------------------------------

If you installed an earlier version of ColdFusion on this computer, you can migrate your settings to Adobe ColdFusion 8.

Is there an earlier version of ColdFusion installed on this computer (for example, ColdFusion 6 or ColdFusion MX 7)?

1- Yes
->2- No

ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:
Select option 2

Step 16
************************************************** **
Quote:
Configure Web Servers
---------------------

Please configure your web server(s). If you do not configure a web server the
built-in web server will be used on port 8500 or the next available port.

1- Add Web Server Configuration
->2- Continue with installation
Select option 1

Step 17
************************************************** **
Quote:
->1- Apache
2- Sun ONE Web Server (iPlanet)
3- Cancel

What kind of web server are you configuring:
Select option 1

Step 18
************************************************** **
Quote:
What directory contains your Apache configuration file (httpd.conf)? (For
example, on Red Hat Linux it could be located in the /etc/httpd/conf
directory if you installed from an rpm, or for SuSe Linux, it could be in
/etc/apache2)
Enter /etc/httpd/conf OR /usr/local/apache/conf

Step 19
************************************************** **
Quote:
Where is the Apache program binary file? (For example, on Red Hat Linux it
could be /usr/sbin/httpd if you installed from an rpm, or for SuSE Linux it
could be located at /usr/sbin/httpd2) If you have more than one instance of
Apache on your computer, enter the binary file location for the Apache web
server that will use ColdFusion. (Note: this is not the Apache start and
stop script.)

File (DEFAULT: /etc/httpd/bin/httpd):
Run the command "which httpd" in another terminal on your server and enter its output here.
I get /usr/sbin/httpd
Enter /usr/sbin/httpd

Step 20
************************************************** **
Quote:
Where is the control file that you use to start and stop the Apache web
server? (For example, this could be /etc/init.d/httpd on Red Hat Linux if
you installed from an rpm, /usr/sbin/apache2ctl on SuSe Linux, or it could
be /usr/local/apache/bin/apachectl on hand-compiled versions.)

File (DEFAULT: /etc/httpd/bin/apachectl):
Enter /etc/init.d/httpd

Step 21
************************************************** **
Quote:
Please configure your web server(s). If you do not configure a web server the
built-in web server will be used on port 8500 or the next available port.

1- Add Web Server Configuration
2- Remove Web Server Configuration
3- Edit:Apache : /usr/local/apache/conf
->4- Continue with installation

Choice:
If you want to make any changes to the web server configuration, choose one of the options 1 to 3; otherwise proceed with option 4.

Step 22
************************************************** **
Quote:
Choose Adobe ColdFusion 8 Administrator Location
------------------------------------------------

Select the location of the web root for Adobe ColdFusion 8. This is where the installer places the Adobe ColdFusion 8 Administrator.

This directory must be the web root for one of the websites to be configured for use with Adobe ColdFusion 8.
Directory: (DEFAULT: /usr/local/apache/htdocs):
I suggest going with the default directory "/usr/local/apache/htdocs".

Step 23
************************************************** **
Quote:
Runtime User
------------

Enter the name of the runtime user. This user must already exist on the system.

User Name: (DEFAULT: nobody):
Proceed with the default user "nobody"

Step 24
************************************************** **
Quote:
Administrator Password
----------------------

Enter the password that you will use to restrict access to the ColdFusion
Administrator.

This field is required.

Password: The one you want.
Confirm password: Same password as above.
Keep a record of the password, or keep a copy of it on your local machine.

Step 25
************************************************** **
Quote:
Enable RDS
----------

The ColdFusion Remote Development Service (RDS) lets developers using Adobe
tools remotely connect to this server for development purposes. RDS is required
for Line Debugging, Report Builder, and DreamWeaver Extensions.

If this is a production server, Adobe recommends that you disable RDS.
Note, however, that disabling RDS also disables debugging, the directory
browsing applets in the ColdFusion Administrator and some of the functionality
in the Report Builder.

Enable RDS (Y/N):
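Press Y to enable RDS or N to leave it disabled; as the prompt above says, Adobe recommends disabling RDS on a production server. This walkthrough proceeds with RDS enabled, so the installer asks for an RDS password next.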
Quote:
Password: The one you want.
Confirm password: Same password as above.
Step 26
************************************************** **
Quote:
Installation Confirmation
-------------------------


Installation Type:
Server configuration

Licensing:
Enterprise edition
Serial Number: XXXX-XXXX-XXXX-XXXX-XXXX-XXXX

Installation Directories:
Product: /opt/coldfusion8
Web root: /usr/local/apache/htdocs

Server Information:
Web Server: Apache (/usr/local/apache/conf)
Port:
Search Services: installed
Adobe LiveCycle Data Services ES: installed
Documentation: installed
RDS: enabled

Disk Space Information (for Installation Target):
Required: 923,564,250 bytes
Available: 205,550,153,728 bytes

You will get the overview/summary of the details you have entered for installation

PRESS <ENTER> TO CONTINUE:
Hit Enter to continue

Step 27
************************************************** **
Quote:
Installation Complete
---------------------

You have successfully completed the first step in installing Adobe ColdFusion
8.

To continue with your installation, go to /opt/coldfusion8/bin and type
"./coldfusion start" to start your server.

Once the server, is started log in to the Configuration Wizard at
http://[machinename]/CFIDE/administrator/index.cfm

Press Enter to exit the installer:
Hit Enter

You are done ! Congratulations !!


To start/stop coldfusion on the server you can follow the steps below

root@root# cd /opt/coldfusion8/bin

root@root[/opt/coldfusion8/bin]# ./coldfusion start

root@root[/opt/coldfusion8/bin]# ./coldfusion stop


To access the admin control panel, browse to the URL http://[machinename]/CFIDE/administrator
Enter the password you set during the installation and proceed.

Note :: Make sure you have libstdc++.so.5 installed on your server. If it is already installed, skip the step below.

root@root [~]# yum install libstdc++.so.5

Thursday, August 11, 2011

Exim CheatSheet


Print a count of the messages in the queue

exim -bpc

Print a listing of the messages in the queue (time queued, size, message-id, sender, recipient)

exim -bp

Print a summary of messages in the queue (count, volume, oldest, newest, domain, and totals)

exim -bp | exiqsumm

Remove all frozen messages in the queue

exim -bpr | grep frozen | awk '{print $3}' | xargs exim -Mrm

Remove all mails that contain a certain string

grep -lr 'search string' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | xargs exim -Mrm

Remove mails with more than 10 recipients

exipick -i '$recipients_count > 10' | xargs exim -Mrm

View a message's log

exim -Mvl <message-id>

Remove all mails in the queue

exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | bash

Remove all mails sent from nobody

for i in `exim -bpr | grep nobody | awk '{print $3}'`; do exim -Mrm $i; done

Get a list of scripts which send out mails

for i in `exim -bp | awk '{print $3}' | sort | uniq`; do exim -Mvh $i | grep "X-PHP-Script"; done | awk '{print $3}' | sort | uniq

Find the authenticated user involved in mails in the queue

for i in `exim -bp | awk '{print $3}' | sort | uniq`; do exim -Mvh $i | grep "auth"; done

Check out more on
http://bradthemad.org/tech/notes/exim_cheatsheet.php

 

DDOS finding scripts

DDOS Number of connections
 
 
netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -plan |grep :80 | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n
netstat -plan |grep :80 | grep -i esta | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n
netstat -plan |grep :80 | cut -d: -f8 | sort | uniq -c | sort -n
netstat -plan |grep :80 | wc -l
netstat -plant | awk '{gsub(":"," ")} $5 == 80 {print $6}' | sort | uniq -c | sort -n
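Most of the one-liners above match ":80" anywhere in the line, so they also count port 8080 and outbound connections to a remote port 80. The following added example (not part of the original post) matches the local port exactly and splits each address's count by TCP state; the function names, the threshold and the sample addresses are constructed for illustration.

```shell
#!/usr/bin/env bash
# Per-address connection report for one local port, from `netstat -ant` lines on stdin.

conn_report() {    # conn_report PORT MIN_CONNECTIONS
    awk -v port="$1" -v thr="$2" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            lp = $4; sub(/^.*:/, "", lp)        # local port = text after the last colon
            if (lp != port) next                # exact match: 8080 is not 80
            ra = $5; sub(/:[^:]*$/, "", ra)     # remote address without the port
            sub(/^::ffff:/, "", ra)             # fold IPv4-mapped IPv6 into IPv4
            total[ra]++
            if ($6 == "ESTABLISHED") est[ra]++
            if ($6 == "SYN_RECV")    syn[ra]++
        }
        END {
            for (ip in total)
                if (total[ip] >= thr)
                    printf "%s total=%d established=%d syn_recv=%d\n",
                           ip, total[ip], est[ip], syn[ip]
        }' | sort -t= -k2,2nr
}

# Constructed sample in `netstat -ant` layout (documentation address ranges only).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.7:40001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:40002       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:40003       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:40004       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.23:51514     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.23:51515     TIME_WAIT
tcp        0      0 192.0.2.10:8080         198.51.100.99:41000     ESTABLISHED
tcp        0      0 192.0.2.10:44321        198.51.100.50:80        ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:6000 ESTABLISHED
EOF
}

# Addresses holding at least 3 connections to local port 80.
sample_netstat | conn_report 80 3
```

On a live server, feed it with `netstat -ant | conn_report 80 50`; a high syn_recv count with few established connections points at a SYN flood rather than a busy client.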
 
Hourly hits from apache logs 
 
awk '{print $4,$5}' /var/log/httpd/access_log  | cut -d: -f1,2 | sort | uniq -c

CPU Usage in Linux Servers


Wednesday, August 10, 2011

Server Hardening Steps

Steps for security hardening 

The steps I usually follow:


1. Firewall installation (APF/CSF).

2. Firewall configuration

CSF installation steps
rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Next, test whether you have the required iptables modules:
perl /etc/csf/csftest.pl

In /etc/csf/csf.conf, find MONOLITHIC_KERNEL = "0" and change it to MONOLITHIC_KERNEL = "1"
Specify which ports you want to allow
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2087"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"
# Allow incoming UDP ports
UDP_IN = "20,21,53,953"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,873,953,6277"
Common ports, for reference:
21 => FTP
22 => SSH
23 => Telnet
25 => SMTP Mail Transfer
43 => WHOIS
53 => name server (DNS)
80 => HTTP (Web server)
110 => POP protocol (for email)
443 => HTTP Secure (SSL for https:// )
995 => POP over SSL/TLS
9999 => Urchin
3306 => MySQL Server
2082 => cPanel default
2083 => cPanel - Secure/SSL
2086 => cPanel WHM
2087 => cPanel WHM - Secure/SSL
2095 => cPanel webmail
2096 => cPanel webmail - Secure/SSL
8443 => Plesk Control Panel
2222 => DirectAdmin Control Panel
10000 => Webmin Control Panel
 
Disable the Testing Mode and Start the Firewall
nano /etc/csf/csf.conf
//Look for the first line and set testing mode to "0"
TESTING = "0"
//Now restart the firewall!
csf -r
 
 
SSHD Hardening
/etc/ssh/sshd_config

1. Edit /etc/ssh/sshd_config
2. Look for the following line: #Port 22
3. Change the line so it looks like this: Port nnnn (the port number you have chosen)
4. Save and close the file
5. Load the new configuration: service sshd reload
 
Disable direct root logins over SSH
Check that SSH is on a non-standard port. Moving SSH to a non-standard port avoids basic SSH port scans.
Edit /etc/ssh/sshd_config and set: Port nnnn, where nnnn is a port of your choosing. Don't forget to open the port in the firewall first!
Before doing this, create the user admin with a password and add the user to the wheel group.
1. Edit /etc/ssh/sshd_config
2. Replace "Protocol 2, 1" with "Protocol 2" and uncomment the line
3. Replace "PermitRootLogin yes" with "PermitRootLogin no"
Restart SSH
1. /etc/rc.d/init.d/sshd restart
This will prevent the "root" user from logging in directly through SSH or any other way, and it also lets us easily trace in the log file who is running which process. Check SSH PasswordAuthentication. For ultimate SSH security, you might want to consider disabling PasswordAuthentication and only allowing access using PubkeyAuthentication.
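
The warning above about opening the new port in the firewall before moving SSH can be checked before sshd and CSF are restarted. The following is an added example, not part of the original post: it reads an sshd_config and a csf.conf and reports an SSH port that TCP_IN does not allow, plus the TESTING, PermitRootLogin and Protocol settings discussed here. The function names and the sample files (with port 2222) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Pre-restart check tying the sshd_config and csf.conf edits together.

# Effective value of an sshd_config keyword: the first uncommented match wins,
# otherwise the supplied default is printed.
sshd_value() {   # sshd_value FILE KEYWORD DEFAULT
    awk -v k="$2" -v d="$3" '
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Value of a csf.conf setting written as NAME = "value".
csf_value() {    # csf_value FILE NAME
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# True if PORT is covered by a CSF list such as "20,21,80,30000:35000".
port_allowed() { # port_allowed PORT LIST
    local port="$1" item lo hi IFS=,
    for item in $2; do
        lo="${item%%:*}"; hi="${item##*:}"
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi
    done
    return 1
}

# One line per finding; prints nothing when the files match the steps above.
# Defaults passed to sshd_value: Port 22, and Protocol 2 on the assumption that
# the installed OpenSSH has protocol 1 off by default.
audit() {        # audit SSHD_CONFIG CSF_CONF
    local port
    port="$(sshd_value "$1" Port 22)"
    port_allowed "$port" "$(csf_value "$2" TCP_IN)" ||
        echo "LOCKOUT: sshd Port $port is missing from TCP_IN"
    [ "$(csf_value "$2" TESTING)" = "0" ] ||
        echo "WEAK: TESTING is not \"0\""
    [ "$(sshd_value "$1" PermitRootLogin unset)" = "no" ] ||
        echo "WEAK: PermitRootLogin is not \"no\""
    [ "$(sshd_value "$1" Protocol 2)" = "2" ] ||
        echo "WEAK: Protocol is not \"2\""
    return 0
}

# Constructed sample files: SSH was moved to port 2222, but TCP_IN still holds
# the list shown on this page and TESTING was never switched off.
make_samples() { # make_samples DIR
    cat > "$1/sshd_config" <<'EOF'
#Port 22
Port 2222
Protocol 2
PermitRootLogin no
EOF
    cat > "$1/csf.conf" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2087"
EOF
}

dir="$(mktemp -d)"
make_samples "$dir"
audit "$dir/sshd_config" "$dir/csf.conf"
rm -rf "$dir"
```

On a server, run `audit /etc/ssh/sshd_config /etc/csf/csf.conf` after editing both files and before `csf -r` or the sshd restart, while the current SSH session is still open.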
 
Temporary Space hardening
On a cPanel server this can be done by using the script /scripts/securetmp
Check /tmp permissions. /tmp should be chmod 1777
Check /tmp ownership. /tmp should be owned by root:root
Check /var/tmp permissions. /var/tmp should be chmod 1777
Check /var/tmp ownership. /var/tmp should be owned by root:root
Check /var/tmp is mounted as a filesystem. /var/tmp should either be symlinked to /tmp or mounted as a filesystem
Tmp hardening in VPS
OpenVZ does not support the 'BINDMOUNT' option, so I created mount and umount scripts which automatically mount /tmp and /var/tmp on VE start and unmount them on stop.
Here are the scripts:
$VEID.mount: /etc/vz/conf/ dir
============================================================================
#!/bin/bash
[ -d /vz/private/$VEID/var/rtmp ] || mkdir /vz/private/$VEID/var/rtmp
[ -d /vz/private/$VEID/var/rvtmp ] || mkdir /vz/private/$VEID/var/rvtmp
mount --bind /vz/root/$VEID/var/rtmp /vz/root/$VEID/tmp -o nosuid,noexec,nodev
mount --bind /vz/root/$VEID/var/rvtmp /vz/root/$VEID/var/tmp -o nosuid,noexec,nodev
=============================================================================
$VEID.umount: /etc/vz/conf/ dir
=============================================================================
#!/bin/bash
mount|grep "/vz/root/$VEID/tmp" 2>/dev/null 1>&2 && umount /vz/root/$VEID/tmp
mount|grep "/vz/root/$VEID/var/tmp" 2>/dev/null 1>&2 && umount /vz/root/$VEID/var/tmp
exit 0
==============================================================================
They should be placed as $VEID.mount and $VEID.umount into /etc/vz/conf/ dir.
It will take effect after a VE restart.
CHMOD the TMP directory to 777 in the VE.
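
The checks listed above (mode 1777, root:root ownership, a separate mount) and the nosuid,noexec,nodev options used in the OpenVZ mount script, written as an added example that is not part of the original post. It assumes GNU stat; the function names and the sample mount table are constructed for illustration.

```shell
#!/usr/bin/env bash
# Checks for the temporary-directory items listed above (GNU stat assumed).

# Findings for one directory: the mode must be exactly 1777 (world-writable
# WITH the sticky bit) and the owner must match (root:root on a real server).
check_tmp_dir() {     # check_tmp_dir DIR [OWNER:GROUP]
    local want="${2:-root:root}" mode owner
    mode="$(stat -c '%a' "$1")"
    owner="$(stat -c '%U:%G' "$1")"
    [ "$mode" = "1777" ] || echo "$1: mode is $mode, expected 1777"
    [ "$owner" = "$want" ] || echo "$1: owner is $owner, expected $want"
    return 0
}

# Findings for one mount point, read from a /proc/mounts style file: it must be
# a mount of its own and carry nosuid, noexec and nodev.
check_tmp_mount() {   # check_tmp_mount MOUNTS_FILE MOUNTPOINT
    awk -v mp="$2" '
        $2 == mp { seen = 1; opts = "," $4 "," }    # the last matching line wins
        END {
            if (!seen) { print mp ": not a separate mount"; exit }
            n = split("nosuid noexec nodev", need, " ")
            for (i = 1; i <= n; i++)
                if (index(opts, "," need[i] ",") == 0)
                    print mp ": mount option " need[i] " is missing"
        }' "$1"
}

# Constructed sample in /proc/mounts layout: /tmp is hardened, /var/tmp is not.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,noexec,nodev,relatime 0 0
/dev/sda2 /var/tmp ext3 rw,nosuid,relatime 0 0
EOF
}

m="$(mktemp)"; sample_mounts > "$m"
check_tmp_dir /tmp
check_tmp_mount "$m" /tmp
check_tmp_mount "$m" /var/tmp
rm -f "$m"
```

On a server, pass /proc/mounts as the first argument of check_tmp_mount. A directory set to 777 is reported by check_tmp_dir because the sticky bit is missing.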
 

Installing mod evasive
cd /usr/local/src
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
tar xfz mod_evasive_1.10.1.tar.gz
cd mod_evasive

For cpanel server with apache 2.x
/usr/local/apache/bin/apxs -cia mod_evasive20.c
nano /usr/local/apache/conf/httpd.conf
Add the following lines to httpd.conf
==========================================
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 300
</IfModule>
===========================================
/usr/local/cpanel/bin/apache_conf_distiller --update
 
 
Hosts.conf hardening
To "harden" your /etc/host.conf file just put the following into the file:
order bind,hosts
multi on
nospoof on
 
Hide apache software version
To hide the information, add the following two apache directives in Apache configuration file.
ServerTokens ProductOnly
ServerSignature Off
/usr/local/cpanel/bin/apache_conf_distiller --update
 
Hide BIND DNS Server Version
Open your named.conf file, find the options { ... }; section, and add the line: version "YOUR Message";
Save and close the file.
Restart named, enter: # service named restart


cPanel/WHM Tweak

Disable all instances of IRC – BitchX, bnc, eggdrop, generic-sniffers, guardservices, ircd, psyBNC, ptlink. If you are using WHM you can do this in the Background Process Killer.

cPanel/WHM set Shell Fork Bomb Protection.
Server Setup =>> Tweak Settings
Check the following items...
Under Domains: Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)
Under Mail: Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
Under System: Use jailshell as the default shell for all new accounts and modified accounts
Go to Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Go to Server Setup =>> Manage Wheel Group Users
When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.
Go to Service Configuration =>> FTP Configuration
Disable Anonymous FTP
Go to Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)
Reject nobody from sending mails.
 
Compact Hardening Steps 
SSHD hardening ( Change root password, Disable direct root login, ssh port changing. etc )
Software upgrade
Installing and configuring firewall ( CSF and LFD )
MySQL optimization
Installing and scanning with rkhunter
Installing and scanning with clamav
Installing and scanning with Lynis ( Fixing security issues reported by it )
Installing mod evasive
Hardening sysctl.conf
Hide Apache Version
Hide Bind Version
 
 
 

Things to take care during hardening

Check for web applications which use proc_open, popen, disk_free_space, diskfreespace, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru. If no applications use these functions, disable them in php.ini

Checking for programs with suid

find / -perm -4000 2>/dev/null

Checking for programs with sgid

find / -perm -2000 2>/dev/null
 
 
For further Reference:

 

http://kevin.hatfieldfamilysite.com/?p=147

http://www.puschitz.com/SecuringLinux.shtml#SecuringSSH