“IMPORTANT: do not ignore this email: The hostname resolves to . It should resolve to X.X.X.X”

A newly set up cPanel system may show a message such as the following the first time you log in to WHM.


IMPORTANT: Do not ignore this email.
The hostname (hostname.server.com) resolves to . It should resolve to xx.xx.xx.xx. Please be sure to correct /etc/hosts as well as the 'A' entry in zone file for the domain.

Some are all of these problems can be caused by
/etc/resolv.conf being setup incorrectly. Please check this file if you
believe everything else is correct.


You may be able to automaticly correct this problem by using the 
'Add an A entry for your hostname' under 'Dns Functions' 
in your Web Host Manager

Here are the steps that you should work through to solve this issue.

  1. Follow the instructions cPanel has provided and check whether the WHM tools can solve the issue for you. Log in to your server’s WHM (not cPanel) by going to https://[YOUR SERVER IP]:2087 in your web browser.
  2. You will probably see the error right away; close it for now and scroll down the left-hand Functions menu until you find the heading ‘DNS Functions’. Click on ‘Add an A entry for your hostname’. WHM will analyze your hostname and present a button labelled ‘Add the entry’; click it. WHM will then try to add the A record for your hostname to the DNS zone present on your system.
  3. Log out and back in to WHM to see whether the message returns. Look at the top of WHM for the “Logout(root)” link. Optional tip: if you would rather not log in and out of WHM while testing fixes, you can instead log in to your server via SSH and run the following command whenever you are ready to test:
    root@myserver [~]# /scripts/ipcheck
    

    This command will send you an email immediately if your settings are still incorrect.

  4. Hopefully that worked, but if not, edit your /etc/hosts file as well. Log in to your system via SSH and use your favorite text editor to make sure that your /etc/hosts file looks something like this.
    root@myserver [~]# cat /etc/hosts
    127.0.0.1              localhost
    xx.xx.xx.xx            myserver.mydomain.com myserver
    

    If you would like more information on the structure of the hosts file, type ‘man hosts’; the structure of this file is outside the scope of this document.

  5. Use your preferred method of checking for the message again. Has it returned? Are you sure that your server is using the proper resolvers? Make sure that your /etc/resolv.conf has the correct resolvers; contact your server provider if you do not know them. Servers on SoftLayer’s network can use:
    nameserver 10.0.80.11
    nameserver 10.0.80.12
    
  6. If you are using SoftLayer’s name servers, log in to our Portal, go to Public Network > DNS and click to edit the domain in question. Simply add an A record with your server’s main IP address into the fields. If you are using some other name servers, you will need to contact the administrator of that system to ask how to add DNS records.
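As an added example (not cPanel’s own /scripts/ipcheck), here is a small POSIX shell script that performs the same hosts-file check from a script, with an optional resolver check; the file paths and sample entries are constructed:

```shell
#!/bin/sh
# Constructed example, not cPanel's /scripts/ipcheck: check that a hostname
# maps to the expected address in a hosts file, and optionally via the system
# resolver, so the "resolves to ." condition can be spotted from a script.
# File paths and the sample hosts data below are constructed for the demo.

# Print the address that a hosts-format FILE maps HOSTNAME to (nothing if none).
hosts_lookup() {  # usage: hosts_lookup FILE HOSTNAME
    awk -v h="$2" '
        { sub(/#.*/, "") }                 # drop comments
        NF < 2 { next }                    # skip blank/partial lines
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }
    ' "$1"
}

# Return 0 if FILE maps HOSTNAME to EXPECTED; otherwise report and return 1.
check_hosts_entry() {  # usage: check_hosts_entry FILE HOSTNAME EXPECTED
    got=$(hosts_lookup "$1" "$2")
    if [ "$got" != "$3" ]; then
        echo "hosts: $2 resolves to '$got', should be $3" >&2
        return 1
    fi
}

# Same check through the system resolver (nsswitch/resolv.conf). It needs a
# working resolver, so the demo below does not call it.
check_dns_entry() {  # usage: check_dns_entry HOSTNAME EXPECTED
    got=$(getent ahostsv4 "$1" | awk '{ print $1; exit }')
    if [ "$got" != "$2" ]; then
        echo "dns: $1 resolves to '$got', should be $2" >&2
        return 1
    fi
}

# Stand-alone demo on a constructed hosts file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
127.0.0.1              localhost
10.1.2.3               myserver.mydomain.com myserver   # constructed entry
EOF
check_hosts_entry "$SAMPLE" myserver.mydomain.com 10.1.2.3 && echo "hosts entry OK"
check_hosts_entry "$SAMPLE" myserver.mydomain.com 10.9.9.9 || echo "mismatch reported"
rm -f "$SAMPLE"
```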

Error 550 – “The recipient cannot be verified” – cPanel

On servers running cPanel, you may find that mail sent to valid users is bounced by your mail server. The bounce messages will be similar to the following.

    PERM_FAILURE: SMTP Error (state 9): 550-"The recipient cannot be verified.
    550 Please check all recipients of this message to verify they are valid."

If this is occurring, check your exim_mainlog file for entries similar to the following.

    H=(nf-out-0910.google.com) [IP] F=<[email protected]> rejected RCPT <emailAccount@domainName>: No Such User Here

If you are sure that the email account does exist, run the following commands to correct the issue.

    /scripts/updateuserdomains
    /scripts/mailperm

You will then also need to check your /etc/localdomains file and verify that the domain name is present. Also verify that the DNS line in /var/cpanel/user/username contains the domain as well.
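An added example, not a cPanel script: a shell snippet that extracts the “No Such User Here” rejections from the Exim log and checks each recipient’s domain against /etc/localdomains, so you can see at once which of the two fixes above applies. The log lines and file paths in the demo are constructed.

```shell
#!/bin/sh
# Constructed example, not a cPanel script: pull the "No Such User Here"
# rejections out of an Exim main log and check each recipient's domain
# against /etc/localdomains, one of the causes of the 550 bounce above.
# Paths and the sample log below are constructed for the demo.

# Print "ADDRESS DOMAIN" for every rejected RCPT in LOGFILE, de-duplicated.
rejected_recipients() {  # usage: rejected_recipients LOGFILE
    sed -n 's/.*rejected RCPT <\([^>]*\)>: No Such User Here.*/\1/p' "$1" \
      | sort -u \
      | awk -F@ 'NF == 2 { print $0, tolower($2) }'
}

# For each rejected recipient, say whether its domain is listed in LOCALDOMAINS.
check_localdomains() {  # usage: check_localdomains LOGFILE LOCALDOMAINS
    rejected_recipients "$1" | while read -r addr dom; do
        if grep -qixF "$dom" "$2"; then
            echo "$addr: $dom is local; confirm the mailbox exists, then run" \
                 "/scripts/updateuserdomains and /scripts/mailperm"
        else
            echo "$addr: $dom is NOT in $2; add it and rerun /scripts/updateuserdomains"
        fi
    done
}

# Number of rejected recipients whose domain is missing from LOCALDOMAINS.
missing_domain_count() {  # usage: missing_domain_count LOGFILE LOCALDOMAINS
    check_localdomains "$1" "$2" | grep -c 'is NOT in'
}

# Stand-alone demo on constructed data (the real files are
# /var/log/exim_mainlog and /etc/localdomains).
LOG=$(mktemp); LOCAL=$(mktemp)
cat > "$LOG" <<'EOF'
2024-01-01 10:00:00 H=(mail.example.net) [203.0.113.5] F=<sender@example.net> rejected RCPT <bob@example.com>: No Such User Here
2024-01-01 10:00:01 H=(mail.example.net) [203.0.113.5] F=<sender@example.net> rejected RCPT <alice@other.test>: No Such User Here
2024-01-01 10:00:02 1rABCD-000123-4x <= sender@example.net H=(mail.example.net) [203.0.113.5] for bob@example.com
EOF
echo example.com > "$LOCAL"
check_localdomains "$LOG" "$LOCAL"
rm -f "$LOG" "$LOCAL"
```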

How do I get my mail headers?

Retrieving email headers is a very important step in reporting or troubleshooting any email issue. Here are the steps to get email headers from some of the more popular mail programs:

Eudora Pro

Double-click on the message to open it in a separate window.
Click on the button labeled “BLAH BLAH BLAH” at the top of the window. This will show the message headers.
You can then highlight and copy the headers into a new message.

Gmail

While viewing a message, click on “More Options”.
Click on “Show Original”.
This will display the headers for that message in a new window.
You can then highlight and copy the headers into a new message.

GoDaddy Webmail

Click on the message in your Inbox to open it.
From the “Apply this Action” drop-down, select “View Full Header”.
Click “Apply”.
You can then highlight and copy the headers into a new message.

Hotmail

Once logged in to Hotmail, click on “Options”.
Click “Mail“.
Click on “Mail Display Settings”.
Change the “Message Headers” section to “Advanced”.
Click “OK”.
Now when you read an e-mail, it should show you the full message headers.

Lotus Notes

Lotus Notes 4.6
Open the properties box on the message (in the default installation of the Notes Client, it will be the first smart icon on the left, but you can also right-click on the document and choose properties from that menu).
Choose the second tab on the properties box, which is a list of fields and their contents.
Scroll down to the field “Additional Headers”.
You should then be able to copy/paste the headers into a new message.

If Notes will not permit you to select the contents of the field, you’ll have to manually copy them to a new message – please be very careful in doing so.
Lotus Notes 5.x
Single-click on the subject line without opening the document to full screen.
Select “File” (upper left), then select “Export”.
Name the file.
Select “Export”.
Click on “Selected Documents”.
Select “OK”.
You can then attach the file to a new message.

OS X

After opening the “Mail” app, click on the “Mail” drop-down menu and select “Preferences”.
Click on the “Viewing” icon.
Click on the arrow on the Show header detail and select All.
You will now see the full headers of each message you view.

Thunderbird

Double-click the e-mail you want to view the headers for.
Click on the “View” drop-down menu and select “Headers” and then select “All”.
This will show the headers for any message you view.

Microsoft Outlook

Microsoft Outlook 98, 2000, 2002, 2003

Double-click on the message to open it in a separate window.
Click on “View” and then “Options” on the drop-down menu at the top of the window.
Look for the section titled “Internet Headers” near the bottom of the Options window.
You can now copy/paste content from that section into a new message.

Microsoft Outlook Express 5 & 6

Right-click on the message and select Properties.
Select the Details tab.
You should see a section titled “Internet Headers” for this message.
You can now copy/paste content from that section into a new message.

Yahoo

Once you are logged in, click on “Mail Options”.
Click on “General Preferences”.
Under the “Messages” section, select “Show all headers” on incoming messages for the Headers option.
Click Save.
You should now see the full headers of every message you view.

Installing VMWare on CentOS 5.x (64-bit)

Installing is easy. Log in to the server as the root user.

VMWare Install Preparation

First, we need to download the VMWare installer. You can get to the download via http://vmware.com/download/server/. Once there, click on the download link, accept the EULA, and download the Linux tarball (VMware-server-1.0.3-44356.tar.gz in my case):

Main Download Link: http://vmware.com/download/server/

    # wget -O vmware-server.tar.gz http://download3.vmware.com/software/vmserver/VMware-server-1.0.3-44356.tar.gz

After downloading the software, you will need to get a license key (which is free for the free version of VMWare Server). To register, just fill out the form at the following:

    http://register.vmware.com/content/registration.html

Next, extract the tarball:

    # tar -xzvf vmware-server.tar.gz

Before we actually get rolling on the install, let’s take care of some dependencies first:

    # yum update
    # yum install libXtst.i386
    # yum install libXrender.i386
    # yum install xinetd

Installing VMWare Server

Once completed, now go into the directory:

    # cd vmware-server-distrib/

Next, run the vmware install script:

    # ./vmware-install.pl

Next, the installer asks some basic questions about which directories it should create and install certain parts of VMWare into. Here you can just take the defaults. When it asks you to accept the license agreement, do so in order to proceed with the install.

You will probably run across this question:

“None of the pre-built vmmon modules for VMware Server is suitable for your running kernel. Do you want this program to try to build the vmmon module for your system (you need to have a C compiler installed on your system)?”

You will need to answer “yes” to this question (which is the default).

VMWare Networking Setup

The next question is “Do you want networking for your virtual machines? (yes/no/help)”. Answer yes, as we want to create a network setup for your public network device so that your virtual machines can reach the internet.

The next question you will be asked is “Your computer has multiple ethernet network interfaces available: eth0, eth1. Which one do you want to bridge to vmnet0?”. This is a very important question. Remember, on all SoftLayer servers the public network runs on eth1 and the private network runs on eth0. In VMWare, the default bridge device for vmnet0 is eth0, which is definitely not what we want, especially if we want internet access from the virtual machines. So, instead of pressing enter, type in: eth1.

Bridging the Private Network (Softlayer Style)

The next question can be answered either yes or no. The question is “Do you wish to configure another bridged network?”. If you plan on running services or other applications over your private network, you should answer “yes”. So that everything is covered, go ahead and say “yes” (unless you know you won’t be using the private network), so that a network bridge to your private network is created. Once you type “yes” and press enter, it will automatically use eth0 as the interface, as that is the only one left available (since you only have two network cards in the server).
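Added example (not part of the article or of the VMware installer): a shell helper that tells you which interface carries the public address before you answer the bridge question, so the eth1 answer can be confirmed rather than assumed. The sample addresses are constructed.

```shell
#!/bin/sh
# Constructed example, not from the article or VMware's installer: decide
# which interface carries the public address before answering the
# "bridge to vmnet0" question. Reads lines of the form "IFACE ADDRESS/PREFIX"
# (the interesting fields of `ip -o -4 addr show`) and prints the first
# interface whose address is not loopback or RFC 1918 private space.

# Return 0 if IPv4 ADDRESS is loopback or RFC 1918 private space.
is_private_ip() {  # usage: is_private_ip A.B.C.D
    case $1 in
        127.*|10.*|192.168.*) return 0 ;;
        172.*)
            second=${1#172.}; second=${second%%.*}
            [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0 ;;
    esac
    return 1
}

# Print "IFACE ADDRESS" for the first public address read from stdin.
# Returns 1 if every address is private (nothing to bridge publicly).
public_iface() {
    while read -r iface cidr; do
        addr=${cidr%%/*}
        is_private_ip "$addr" || { echo "$iface $addr"; return 0; }
    done
    return 1
}

# Constructed "ip -o -4 addr" fields for the demo, in the SoftLayer layout:
# private network on eth0, public network on eth1.
SAMPLE_ADDRS='lo 127.0.0.1/8
eth0 10.1.2.3/26
eth1 203.0.113.7/29'

echo "answer for vmnet0: $(printf '%s\n' "$SAMPLE_ADDRS" | public_iface)"
# Live use: ip -o -4 addr show | awk '{ print $2, $4 }' | public_iface
```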

Other Networking Settings

You will be presented with a few other questions regarding the network setup of VMWare Server. Proceed with the following recommendations:

“Do you want to be able to use NAT networking in your virtual machines?”

Proceed with “yes”.

“Do you want this program to probe for an unused private subnet?”

Proceed with “yes”.

Once this completes, make sure you do not configure another NAT network.

“Do you want to be able to use host-only networking in your virtual machines?”

Proceed with “yes”.

“Do you want this program to probe for an unused private subnet?”

Proceed with “yes”.

Once this completes, make sure you do not configure another host-only network.

Specifying Listening Port

The next question asks which port you want VMWare Server to listen on; the default port is 904. Some people change this, but personally I keep the default.

Where To Store The Virtual Machines

The next question the installer asks is “In which directory do you want to keep your virtual machine files?”. The default is /var/lib/vmware/Virtual Machines; however, I recommend that you place the virtual machines somewhere with plenty of disk space, such as a redundant RAID array or a large secondary hard drive. Always make sure that you have enough room for a virtual machine. In this case, you could use a mount point such as /data/vm that is mounted on a large disk.

Provide Serial Number for VMWare

The final part of the installation requires you to enter a VMWare license key/serial number. You should already have one if you followed the instructions in this article. If you have not generated a license key yet, please do so by going to the URL mentioned at the beginning of this article. Enter the serial number at the prompt and press enter.

You should see something similar to the following:

    “The configuration of VMware Server 1.0.3 build-44356 for Linux for this running kernel completed successfully.”

VMWare is now set up on your server. All that is left to do is download the VMWare Server Console, the GUI client for your VMWare server that allows you to set up, configure, and install virtual machines.

Downloading VMWare Server Console

The VMWare Server Console is the client application for VMWare Server. It allows you to manage the VMWare server as a whole: you can create, configure, and install virtual machines with a few clicks. To get it installed, download the VMware Server Windows client package, which is located on the same page that you downloaded VMWare for Linux from at the beginning of this article. This package is the .zip file. Once it has downloaded, extract the package wherever you find convenient and install the VMware-console-1.0.3-x file. When that has completed installing, the VMWare Server Console is ready and you can configure your VMWare server.

Note: This article does not cover how to configure VMWare Server or set up virtual machines. Setting up virtual machines is fairly self-explanatory; if you want some assistance in doing so, please open a support ticket and we can walk you through a few things, although we do not currently support VMWare or any virtualization products.

Logging into the VMWare Console

Open the VMWare Server Console from the computer you installed it on. When it loads you will be prompted with a “Switch Host” (login) screen. Use the following credentials (and use the screenshot for reference). VMWare Server uses the Linux system usernames/passwords to authenticate users, so you will need to use a system username (root in particular) to log in to VMWare.

Hostname: IP address plus port (e.g. 67.228.160.201:904)
User Name: root
Password: password (use the real root password of the system)

Configuring The Firewall Rules (IPTables)

If you have issues connecting to the VMWare server, and it is not an authentication issue (a username/password error means you have a bad user or password), then your firewall might be blocking you from connecting. To resolve this, try adding the following iptables rule to your /etc/sysconfig/iptables file (and make sure that the chain name follows your server configuration, as my rule might be slightly wrong if your chain is named differently):

    -A FWALL-INPUT -p tcp -m tcp -s 0/0 --dport 904 -j ACCEPT

Wrapping Things Up

That just about wraps things up on how to install VMWare and at least get started. Even though we do not yet support VMWare, any one of the Support Technicians will be more than happy to try to assist you and answer any questions you may have.

DoS: looking at open connections

Here is a command line to run on your server if you think your server is under attack. It prints a list of the addresses holding open connections to your server, sorted by the number of connections.

RedHat: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

BSD: netstat -na | awk '{print $5}' | cut -d "." -f1,2,3,4 | sort | uniq -c | sort -n

You can also check for connections by running the following command.
netstat -plan | grep :80 | awk '{print $4}' | sort -n | uniq -c | sort

These are a few steps to take when you feel the server is under attack:
——————————————————————————-
Step 1: Check the load using the command "w".
Step 2: Check which service is using the most CPU with "nice top".
Step 3: Check which IP holds the most connections with netstat -anpl | grep :80 | awk '{print $5}' | cut -d":" -f1 | sort | uniq -c | sort -n
Step 4: Then block the IP using the firewall (APF or iptables; with APF: "apf -d <IP>").
——————————————————————————-
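Added example (not from the article): the counting logic of the pipelines above as shell functions that read netstat-style output from stdin, plus a threshold so the same check can be run unattended from cron. The netstat listing in the demo is constructed.

```shell
#!/bin/sh
# Constructed example, not from the article: the per-address count that the
# netstat | awk | cut | sort | uniq -c pipelines above produce, as functions
# that read netstat-style output on stdin, with a threshold for unattended
# use. The sample listing below is constructed.

# Print "COUNT ADDRESS" for each remote address, busiest first. Only the
# trailing ":port" is removed, so IPv6 peers are counted correctly too.
connections_per_ip() {
    awk '$1 ~ /^(tcp|udp)/ {
            peer = $5
            sub(/:[^:]*$/, "", peer)
            count[peer]++
        }
        END { for (ip in count) print count[ip], ip }' \
      | sort -rn
}

# Print addresses with at least LIMIT connections; return 1 if there are any,
# so the function can drive an alert (e.g. from cron).
flag_sources() {  # usage: flag_sources LIMIT
    connections_per_ip | awk -v lim="$1" '$1 >= lim { print; found = 1 }
                                           END { exit found }'
}

# Constructed "netstat -ntu" output for the demo.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.1.2.3:80             203.0.113.9:51234       ESTABLISHED
tcp        0      0 10.1.2.3:80             203.0.113.9:51235       ESTABLISHED
tcp        0      0 10.1.2.3:80             203.0.113.9:51236       SYN_RECV
tcp        0      0 10.1.2.3:22             198.51.100.4:40000      ESTABLISHED
udp        0      0 10.1.2.3:53             198.51.100.4:9000       ESTABLISHED'

printf '%s\n' "$SAMPLE_NETSTAT" | connections_per_ip
# Live use: netstat -ntu | flag_sources 100 || echo "possible flood, see above"
```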

You can also implement security features in your server like:

1) Install apache modules like mod_dosevasive and mod_security in your server.
2) Configure APF and IPTABLES to reduce the DDOS
3) Basic server securing steps :
===============================
http://www.linuxdevcenter.com/pub/a/linux/2006/03/23/secure-your-server.html?page=1
===============================
4) Configure sysctl parameters in your server to drop attacks.

On Windows, you can block the IP that is attacking your server using IPsec from the command prompt:
=========
>> netsh ipsec static add filterlist name=myfilterlist
>> netsh ipsec static add filter filterlist=myfilterlist srcaddr=a.b.c.d dstaddr=Me
>> netsh ipsec static add filteraction name=myaction action=block
>> netsh ipsec static add policy name=mypolicy assign=yes
>> netsh ipsec static add rule name=myrule policy=mypolicy filterlist=myfilterlist filteraction=myaction
========

How do I permit specific users SSH access?

We will be primarily working with one configuration file in this article:

  • OpenSSH: /etc/ssh/sshd_config

OpenSSH

For locking down which users may or may not access the server you will want to look into one, or more, of the following directives:

User/Group Based Access

AllowGroups

This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups.

AllowUsers

This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.

DenyGroups

This keyword can be followed by a list of group name patterns, separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups.

DenyUsers

This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.

The first thing to do is backup the original configuration file:

cp /etc/ssh/sshd_config{,.`date +%s`}

We will now need to edit the configuration file with your favorite editor (vi/vim/ed/joe/nano/pico/emacs.)

An example of only allowing two specific users, admin and bob, to login to the server will be:

/etc/ssh/sshd_config:

AllowUsers admin bob

If you would like to control this more easily in the future, you can create a group on the server whose members are allowed to log in, adding individual users as needed (replace username with the actual user):

shell:

groupadd -r sshusers

usermod -a -G sshusers username

With this we will no longer be using AllowUsers but AllowGroups:

/etc/ssh/sshd_config:

AllowGroups sshusers

The alternatives to these directives are DenyGroups and DenyUsers which perform the exact opposite of the aforementioned AllowGroups and AllowUsers.
When complete you will want to make sure that sshd will read in the new configuration without breaking.

/usr/sbin/sshd -t

echo $?

We want to see a 0 following the “echo $?” command. Otherwise we should see an error stating what the erroneous data is:

sshd_config: line 112: Bad configuration option: allowuser
sshd_config: terminating, 1 bad configuration options

After verification we simply need to restart sshd. This can be done in many different ways; here we assume a SysV-compatible system:

/etc/init.d/sshd restart

Make sure not to disconnect your current SSH session; open a new one instead, just in case.
Verify that you can perform any required actions with this user (e.g. su to root if you are not allowing root logins).
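Added example, not sshd’s own code: a shell model of how sshd combines DenyUsers, AllowUsers, DenyGroups and AllowGroups (in that order), so you can dry-run a configuration for a given user before restarting sshd. The config file used in the demo is constructed.

```shell
#!/bin/sh
# Constructed model of how sshd combines the four directives; it is not
# sshd's code. sshd checks DenyUsers, then AllowUsers, then DenyGroups, then
# AllowGroups, and the first directive that decides wins. Patterns are shell
# globs; a USER@HOST pattern checks user and client address separately.
set -f   # patterns contain '*': keep the shell from expanding them as filenames

# Return 0 if VALUE matches any of the glob PATTERNs.
match_any() {  # usage: match_any VALUE PATTERN...
    v=$1; shift
    for p in "$@"; do
        case $v in $p) return 0 ;; esac
    done
    return 1
}

# Return 0 if USER connecting from HOST matches a space-separated pattern list.
match_user_list() {  # usage: match_user_list USER HOST "PATTERN PATTERN..."
    for pat in $3; do
        case $pat in
            *@*) match_any "$1" "${pat%%@*}" && match_any "$2" "${pat#*@}" && return 0 ;;
            *)   match_any "$1" "$pat" && return 0 ;;
        esac
    done
    return 1
}

# Return 0 if any of the user's GROUPS matches a space-separated pattern list.
match_group_list() {  # usage: match_group_list "GROUP GROUP..." "PATTERN PATTERN..."
    for g in $1; do
        match_any "$g" $2 && return 0
    done
    return 1
}

# Return 0 if sshd would allow the login, 1 if it would refuse it.
# An empty string stands for a directive that is not set.
ssh_login_permitted() {  # USER HOST "GROUPS" "DenyUsers" "AllowUsers" "DenyGroups" "AllowGroups"
    if [ -n "$4" ] && match_user_list "$1" "$2" "$4"; then return 1; fi
    if [ -n "$5" ] && ! match_user_list "$1" "$2" "$5"; then return 1; fi
    if [ -n "$6" ] && match_group_list "$3" "$6"; then return 1; fi
    if [ -n "$7" ] && ! match_group_list "$3" "$7"; then return 1; fi
    return 0
}

# Value of KEYWORD in an sshd_config FILE (first occurrence wins, as in sshd).
directive() {  # usage: directive FILE KEYWORD
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Decide a login from the directives in an sshd_config file.
config_permits() {  # usage: config_permits FILE USER HOST "GROUPS"
    ssh_login_permitted "$2" "$3" "$4" \
        "$(directive "$1" DenyUsers)"  "$(directive "$1" AllowUsers)" \
        "$(directive "$1" DenyGroups)" "$(directive "$1" AllowGroups)"
}

# Stand-alone demo with a constructed config: the article's sshusers group
# plus a DenyUsers entry.
CFG=$(mktemp)
printf 'Port 22\nAllowGroups sshusers\nDenyUsers guest\n' > "$CFG"
for who in "bob bob sshusers" "eve eve users" "guest guest sshusers"; do
    set -- $who   # USER, then that user's groups
    if config_permits "$CFG" "$1" 10.0.1.5 "$2 $3"; then
        echo "$1: allowed"
    else
        echo "$1: refused"
    fi
done
rm -f "$CFG"
```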

Chkrootkit help

SSH as admin to your server. DO NOT use telnet, it should be disabled anyways.

#Change to root
su -

#Type the following
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

# Check the MD5 SUM of the download for security:
ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5

md5sum chkrootkit.tar.gz

#Unpack the tarball using the command
tar xvzf chkrootkit.tar.gz

#Change to the directory it created
cd chkrootkit*

#Compile by typing
make sense

#To use chkrootkit, just type the command
./chkrootkit

#Everything it outputs should be ‘not found’ or ‘not infected’…

Important Note: If you see ‘Checking `bindshell’… INFECTED (PORTS:  465)’ read on.
I’m running PortSentry/klaxon. What’s wrong with the bindshell test?
If you’re running PortSentry/klaxon or another program that binds itself to unused ports, chkrootkit will probably give you a false positive on the bindshell test
(ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp,
31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).

#Now,
cd ..
#Then remove the .gz file
rm chkrootkit.tar.gz

Daily Automated System Scan that emails you a report

While in SSH run the following:
pico /etc/cron.daily/chkrootkit.sh

Insert the following to the new file:
#!/bin/bash
cd /yourinstallpath/chkrootkit-0.42b/
./chkrootkit | mail -s "Daily chkrootkit from Servername" [email protected]

Important:
1. Replace ‘yourinstallpath’ with the actual path to where you unpacked chkrootkit.
2. Change ‘Servername’ to the name of the server you’re running it on so you know where the report is coming from.
3. Change ‘[email protected]’ to the actual email address the script should mail you at.

Now save the file in SSH:
Ctrl+X then type Y

Change the file permissions so we can run it
chmod 755 /etc/cron.daily/chkrootkit.sh

Now if you like you can run a test report manually in SSH to see how it looks.
cd /etc/cron.daily/

./chkrootkit.sh

You’ll now receive a nice email with the report! This will happen every day so you don’t have to run it manually.

Rootkit help

RootKit — Spyware and Junkware detection and removal tool

Go to Rootkit Hunter homepage, and download the latest release. http://www.rootkit.nl/projects/rootkit_hunter.html

## Get the latest source and untar
# cd /usr/src/utils
# wget http://downloads.rootkit.nl/rkhunter-<version>.tar.gz
# tar xfz rkhunter-*.gz
# cd rkhunter
# ./installer.sh
## run rkhunter
# rkhunter -c
Setup automatic protection on System Reboot

## Edit /etc/rc.d/rc.local
##      (or similar file depending on Linux version)
## Add the following lines at the bottom of the file

/usr/local/sbin/apf --start
/usr/local/ddos/ddos.sh -c

URL injections information

URL injection attacks typically mean that the server bound to the attacker’s IP address is itself a compromised server.
Please check the server behind the IP address above for suspicious files in /tmp, /var/tmp, /dev/shm, along with checking the process tree (ps -efl or ps -auwx).
You may also want to check out http://www.chkrootkit.org/ and http://www.rootkit.nl/ as tools which should be used in addition to checking the directories and process tree.
Please use “ls -lab” for checking directories as sometimes compromised servers will have hidden files that a regular “ls” will not show.

(see http://en.wikipedia.org/wiki/Remote_File_Inclusion )

1) Install Apache modules such as mod_security and configure them to filter malicious GET requests (this is what happened from your server this time).
2) In order to prevent URL injection you can also :
# Turn off fopen url wrappers
# Disable wget / fetch / lynx binaries
3) Make use of all the utilities provided to you in the Security section of your WHM
4) You can also follow the steps outlined at : http://www.topwebhosts.org/tools/apf-bfd-ddos-rootkit.php
5) Schedule regular security audits on a timely basis – either monthly or weekly – where you can run chkrootkit and rkhunter and scan for vulnerabilities.
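Added example (not from the notice above): a shell helper that does the /tmp, /var/tmp and /dev/shm check with find instead of reading “ls -lab” output by eye, reporting the things an intruder’s upload usually is. The sample directory in the demo is constructed.

```shell
#!/bin/sh
# Constructed example, not from the notice: the /tmp, /var/tmp and /dev/shm
# check described above, done with find instead of reading "ls -lab" by eye.
# It reports dot-files (which a plain ls hides), names containing a space,
# and executable files. The directory names are the notice's own; the
# directory built in the demo is constructed.

# Print "TAG PATH" for each suspicious entry below DIR.
scan_dir() {  # usage: scan_dir DIR
    find "$1" -mindepth 1 -name '.*'            | sed 's/^/hidden     /'
    find "$1" -mindepth 1 -name '* *'           | sed 's/^/whitespace /'
    find "$1" -mindepth 1 -type f -perm -100    | sed 's/^/executable /'
}

# Scan every existing directory given; print findings sorted and return 1
# if there were any, 0 if all directories were clean.
scan_tmp_dirs() {  # usage: scan_tmp_dirs DIR...
    out=$(for dir in "$@"; do [ -d "$dir" ] && scan_dir "$dir"; done | sort)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# Stand-alone demo on a constructed directory.
D=$(mktemp -d)
touch "$D/.ssh-bak" "$D/notes.txt" "$D/runme" "$D/ x"
chmod 755 "$D/runme"
scan_tmp_dirs "$D" || echo "suspicious entries found in $D"
rm -rf "$D"
# Live use: scan_tmp_dirs /tmp /var/tmp /dev/shm
```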