Today, i’m gonna talk about CSS3 border features.

By using CSS3, you can;

• create rounded borders (it was really a big problem cause we had to use images or junk javascript libraries)
• box shadows (it was also a big problem)
• use image files as border

without using a design program like Adobe Photoshop or some javascript plugins.

CSS3 Rounded Corners

In CSS3 creating rounded borders is a piece of cake. Just apply following css code to your elements.

Usage:

-webkit-border-radius: 5px 5px 3px 3px;

-moz-border-radius: 5px 5px 3px 3px;
-ms-border-radius: 5px 5px 3px 3px;
-o-border-radius: 5px 5px 3px 3px;

border-radius: 5px 5px 3px 3px;

Syntax:

border-radius: top-left-radius, top-right-radius, bottom-right-radius, bottom-left-radius;

You can see there are various codes for each browser.

Briefly,

Mozilla Firefox needs “-moz-” prefix,

Chrome and Safari needs “-webkit-” prefix,

Opera needs “-o-” prefix,

Internet Explorer needs “-ms-” prefix (will be deprecated),

and for last “border-radius” code is used for general CSS3 border styling.

CSS3 Box Shadow

With CSS3 you can use “box-shadow” property to add shadow to boxes.

Usage:

-webkit-box-shadow: 0 0 5px #d5d5d5;
-moz-box-shadow: 0 0 5px #d5d5d5;
box-shadow: 0 0 5px #d5d5d5;

Syntax:

box-shadow: h-shadow v-shadow blur spread color inset;

As you see, you should add “-webkit-” prefix for Safari and Chrome, “-moz-” prefix for Mozilla Firefox and lastly “box-shadow” property for general CSS3 Shadow effects.

Syntax:

box-shadow: (horizontal dimension of shadow, can be a negative value), (vertical dimension of shadow, also can be a negative value), (shadow blur amount), (hex code of shadow color)

CSS3 Border Image

To create border images for your elements, you should use border-image property.

Right now, Internet Explorer does not support border-image property.

For other browsers you should add prefixes just like other border properties(ex. “-moz-”, “-webkit-”, “-o-”)

Usage:

-moz-border-image:url(border.png) 30 30 round;
-webkit-border-image:url(border.png) 30 30 round;
-o-border-image:url(border.png) 30 30 round;
border-image:url(border.png) 30 30 round;

Syntax:

border-image: source slice width outset repeat;

border-image-source: the path to the border image file.

border-image-slice: inward offsets of the border image.

border-image-width: width of border image.

border-image-outset: the amount by which the border image area extends beyond the border box.

border-image-repeat: type of repetition, repeat, round, stretch.

That’s all for now.

I’ll tell more about javascript equivalents of CSS border properties for fallback support  and other CSS3 features later.

Enjoy your CSS3 styles, and have a nice day.

Actually there are a lot of ways you can accomplish this especially with bash, but using the /dev/urandom file seems to be the most clever one.

The /dev/urandom device doesn’t only generate read-friendly characters, so it’s best to filter out the ones we’d like. The best tool for that would be tr.

$ cat /dev/urandom | tr -dc [:alnum:] | head -c 10

This will generate a password from 10 alphanumeric characters.

It will not include some characters though, such as . ! – _ which are useful for passwords. So this line would be a little more “secure”.

$ cat /dev/urandom | tr -cd “[:alnum:]\.\-_\!” | head -c 10

To generate a password in Python, using the string and random module would be a clever touch. Let’s try something like this,

>>> import string, random
>>> def passgen(length) :
… keys = list(string.ascii_letters + string.digits)
… return “”.join(random.choice(keys) for i in range(length)

With this definition of the passgen function, we can generate alphanumeric passwords with whatever length we want. If you’d like to include all characters available, try the one below:

>>> import string, random
>>> def passgen(length) :
… keys = list(string.ascii_letters + string.digits + “.,;:-_()@\”\\[]?!’^+*$%&/=~`<>|”)
… return “”.join(random.choice(keys) for i in range(length)

A sample output :

>>> passgen(16)
‘pP!3p”(-uxdIqpAK’

You can find some methods of password generation using MD5 algorithms. For example for password generation in MySQL some people prefer this method;

>SELECT SUBSTRING(MD5(RAND()) FROM 1 FOR 5)

But this will generate very very weak passwords, no uppercase characters and a lot of characters missing, not even to mention the non-alpha numeric characters. Also you’ll have a limit for maximum character number since the MD5 algorithm has a limit for it. So it’s best to stay away from the md5 approach for password generation. Some people also use it for bash password generation too (which is wrong! due to same reasons)

To understand the background of scanning, we should know some basic thing about the “three-way handshake” that occurs during a network connection. The three-way handshake is another way of describing the SYN/ACK method. When a computer sends a “Hello” signal to a target machine, it actually sends a SYN packet. After receiving this packet, if the target is listening, it will normally respond with a SYN/ACK packet. When the first computer receives this SYN/ACK packet, it will respond back to the target machine with an ACK packet. This way, the three-way handshake is accomplished.

The SYN/ACK handshake is analogously described by talking on the phone (back on the old days when there weren’t caller id’s!). When we dial some number, we basically send a SYN signal, when the target answers the phone saying “Hello?”, it actually is a SYN/ACK packet, meaning “I’m listening?”, after that when we introduce ourselves as in “Hi, I’m calling from VeriTeknik”, then we’re sending the last ACK packet.

Now since we understand what SYN, SYN/ACK and ACK means, we can start digging around with nmap and see what it uses these information for.
By the way, for what it’s worth, SYN stands for synchronize and ACK stands for acknowledge.

The TCP Scan

Like we’ve discussed earlier in our target specification post, nmap executes a TCP scan with the -sT option. A TCP scan is accomplished with the full three-way handshake, meaning that when we ask nmap to execute a TCP scan on a port on some target, it will send a SYN, wait for the SYN/ACK and send back the ACK, after these, it will tell us that the port is open (or closed). Since we’re going all the way through with the three-way handshake in this method, even though it seems the most reliable one on standard targets (not behind firewall etc.) it has the slightest possibility to flood the target.

Here’s is the basic command to perform one.

$ nmap -sT 10.20.30.40

The SYN Scan

This is the most popular scan type of nmap. In fact, it is also the default option on nmap, meaning if you don’t specify any scan type, nmap will use the default SYN scan method.

The SYN scan is popular because it is faster. This comes from the fact that it doesn’t complete the three-way handshake. It only goes through the two steps of the handshake, first sending the SYN packet, waiting for a SYN/ACK packet, after this, instead of sending an ACK packet, it sends an RST (reset) packet, which tells the target to disregard any previous packets and close the connection between the two machines. The advantage of this is that the RST packet is much smaller than the ACK packet. Even though it may sound like one tiny packet won’t change much, when you add up hundreds (or thousands) of ports on multiple hosts, tiny packets do matter! Also, sending less information to the target always means less possibility to flood it.

$ nmap -sS 10.20.30.40
$ nmap 10.20.30.40

The UDP Scan

Overlooking the UDP scanning technique is a common rookie mistake. Even though most services use the TCP ports today, UDP ports are still essential and cause security vulnerabilities. Also, UDP ports are as useful as TCP ports for getting information on the system.

Note that both TCP and SYN scanning use the TCP method of connection. There are basically two methods for computers to communicate, either the TCP (Transmission Control Protocol) or the UDP (User Datagram Protocol). TCP ensures that the packets sent from one computer to another arrive at the receiver intact and in the order they were sent. But, UDP has no such mechanism, it just sends the data and we never know whether it arrived to the target or not. There are many advantages and disadvantages between the two technologies including speed, reliability, error checking etc. The important thing is to know which one to use under your case.

Comparing the UDP scan to our analogous example of the phone call, it is often described with a mailing system. It is like when we write a mail (not an e-mail, the regular ones!), put a stamp on it, no return address and put it in the mailbox. Maybe sometime the post officer will pick it up, deliver it to the address. You’ll never know if the mail reached its destination or not, and the receiver might not know the origin.

$ nmap -sU 10.20.30.40

Don’t forget that even though people tend to think that services run on TCP ports, a lot of them still stick with the UDP ones, such as DNS, DHCP, SNMP, or TFTP.

The Xmas Scan

This scan method is based on the technical descriptions on the RFC 793 (page 65) of TCP. If the target operating system is bound to the RFC, then when dealing with TCP connections it should obey the following two rules.

* If a closed port receives a packet that doesn’t have a SYN, ACK or RST flag, the port should respond with an RST packet of its own.
* If an open port receieves a packet that doesn’t have a SYN, ACK or RST flag, the packet should be ignored.

So, according to these rules, if a send a packet that doesn’t contain any one of SYN, ACK and RST, and if the relevant port does not answer back, that port should be open. So when we tell Nmap to perform a Xmas scan on a target, it simply sends FIN, PSH and URG packet flags on. The name Xmas comes from the fact that it has so many flags set to “on” as if it lights like a Christmas tree!

The problem with this scan type is that we assume the target operating system fully complies with the RFC standard of the TCP. Linux and Unix operating systems do, but Microsoft operating systems don’t. Ironically this makes Linux systems vulnerable to this scan type.

$ nmap -sX -p- -PN 10.20.30.40

Null Scan

This type of scanning is almost the same with the Xmas scanning method. Instead of switching some of the flags “on”, with the Null scan, Nmap switches everything “off”. This way, the closed ports will respond with a RST flag. (if the operating system complies with the RFC standards)

These type of scans are important when scanning a system behind firewalls. Some firewalls block communication establishment by filtering SYN packets. Since our scanning packets with the Xmas and Null scans don’t have a SYN packet, the firewall won’t filter it. Well, bear in mind that since we don’t have a SYN packet, it is not possible to establish a connection, but the point is scanning for ports, and that is possible without a SYN packet!

$ nmap -sN -p- -PN 10.20.30.40

FIN Scan

This is also almost the same with Xmas and Null scans, this time, nmap only sends the packet with the FIN flag “on”.

$ nmap -sF -p- -PN 10.20.30.40

ACK Scan

This scan type does not directly look for open ports. Instead it tests whether our ACK packets reach the ports or not. By default, it only has the ACK flag set. An unfiltered (ex. no firewall) system would return with RST packets when an ACK packet reaches it, regardless of the port state being open or closed. If a port doesn’t respond, or it responds with ICMP error messages, nmap will label it as filtered, if the port responds with an RST packet, it will be labeled as “reachable”. Detecting if reachable ports are open or not, is not checked by this scan. This type of scan is very useful to check the security of a target.

$ nmap -sA -p- -PN 10.20.30.40

Window Scan

This one is similar to the ACK scan, but categorizes the port filtered or unfiltered depending on the value the returning package’s RST flag is. On some systems open ports have a positive window size, but the closed ports have a window size equal to zero. So when a port replies RST, instead of labeling it as unfiltered (like it does in ACK scan), nmap will read the TCP Window value of the RST package. If the value is zero, the port is filtered, if it has a positive value, it is labeled as unfiltered. This type of scan does not work on most of the systems. In fact, if most of the ports you scan from 1000 ports are open, and only a few are closed, it is possible that the values are incorrect, the few closed ones might be the open ports and the open labeled ones might be the closed ones.
So, things can get the other-way around, use the feedback with caution!

$ nmap -sW -p- -PN 10.20.30.40

Additional Options for Detailed Information

Lastly, there are a few options to remember that can give us great detail about the target system.

Version detection : The -sV switch tries to determine what version of a service is running on a detected open port. This is great when scanning either UDP ports or unusual ports. If you find an unusual port number to be open, a version scan might tell you whether it is an SSH service running or an HTTP.

Operating System detection : The -O switch is for determining the operating system of the target. This does not 100% work but it does give some clues. It also tries to determine the kernel version, if it fails to get the kernel version, it sometimes reports possibilities in percentages.

Another option for Operating System and Version detection is the -A switch. This does not provide as much detail as the -O option but is still useful.

The Speed : You can choose the speed of each scan with the -T switch. The timing switch ranges on a numeric scale from 0 to 5, with 0 being the slowest scan.

It is important to know the backgrounds of a scan when executing it. Otherwise the results would seem meaningless to the scanner. Go ahead and try scanning your own systems. Don’t forget that if you have multiple servers, nmap also has a nice way of dealing with target specification.

To export the private key ( .pem ) from the PFX file and save it to a PEM file :

$openssl pkcs12 -in /path/to/file_name.pfx -nocerts -out private_key_name.pem

If you want to remove the password from the private key file :

$openssl rsa -in private_key_name.pem -out new_private.pem

[zimbra@ck]$ zmcontrol start
Host mail.plugged.in
Starting ldap…Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Starting logger…Failed.
Starting logswatch…ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
zimbra logger service is not enabled! failed.

The usual reason for this error is expired an SSL certificate.

This error usually happens if your SSL certificate has expired. There are two solutions for this problem.

The first solution is renewing your certificate and deploying it with the following command :

[zimbra@ck]$ /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/your_new_ssl.crt /path/to/ca_bundle.crt

After this you need to restart zmcontrol.

The second solution is regenerating self-signed certificate.

[zimbra@ck]$ su – zimbra -c ‘zmcontrol stop’
[zimbra@ck]$ rm -rf /opt/zimbra/ssl/*
[zimbra@ck]$ rm -rf /opt/zimbra/ssl/.rnd
[zimbra@ck]$ /opt/zimbra/java/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
[zimbra@ck]$ /opt/zimbra/java/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su – zimbra -c ‘zmlocalconfig -s -m nokey mailboxd_keystore_password’`

Then you need to edit  /opt/zimbra/bin/zmcertmgr file ( you can use ‘vi’ )

Find validation_days=365 and change to validation_days=3650

And save /opt/zimbra/bin/zmcertmgr

[zimbra@ck]$ /opt/zimbra/bin/zmcertmgr createca -new
[zimbra@ck]$ /opt/zimbra/bin/zmcertmgr deployca -localonly
[zimbra@ck]$ /opt/zimbra/bin/zmcertmgr createcrt self -new
[zimbra@ck]$ /opt/zimbra/bin/zmcertmgr deploycrt self

[zimbra@ck]$ su – zimbra -c ‘zmcontrol start’

[zimbra@ck]$ /opt/zimbra/bin/zmcertmgr deploycrt self
[zimbra@ck]$ /opt/zimbra/bin/zmcertmgr deployca

[zimbra@ck]$ su – zimbra -c ‘zmupdateauthkeys’
[zimbra@ck]$ /opt/zimbra/bin/zmcertmgr viewdeployedcrt

There are several methods to scan ports. One of them is the “TCP” scanning method. With this method, nmap will try to establish a TCP connection with each of the port to be scanned on the target. If we don’t specify any ports, nmap will scan these. This speeds up the process a lot! Below, you’ll find an example of TCP scan on every port on the target machine.

$ nmap -sT -p- -PN 10.20.30.40

When we break down the arguments, things will get clearer.

-sT : The -s there indicates what method to use to scan, so the following T says its a TCP scan.
-p- : With this we tell nmap to scan every port on the target. Normally, nmap has a predefined list of 1000 ports that are widely used. To scan only the default 1000 ports, just don’t use this flag. Alternately you can tell which specific range of ports to scan. For example to scan the ports 21,23 and 25, we specify it as -p21,23,25 or to scan every port between 21 and 25, -p21-25. If we want to scan everything between 21 and 25 plus the 80′th port, it goes like this : -p21-25,80
-PN : This options tells nmap to skip the host discovery, which means it’ll assume that every target we specify are online. Use this if you’re only sure that the host is online, when we specify a lot of targets, and a lot of ports on these targets, host discovery will come in as a handy time saver.

Target specification in a clever way is very important if you’re willing to scan multiple targets. Below, we’ll talk about how detailed we can specify targets on nmap.

The simplest way for telling nmap to scan 2 targets,

$ nmap -sT -p21-25,80,8080 10.20.30.40-60 192.168.16.4 192.168.16.5

The above will do the same thing with the notation below,

$ nmap -sT -p21-25,80,8080 10.20.30.40-60 192.168.16.4,5

Nmap can also understand various notations at the same time when specifying target addresses. For example we can specify a network with it’s CIDR notation, and use partial definitions on different subnet blocks. Take a look at this example :

$ nmap -sT -p- -PN 192.168.1.0/16 10.20.30,31.40

Note that you cannot use the comma notation and the CIDR notation at the same time. So target specification such as 192.168.1,2.0/16 is NOT allowed.

You can also specify IPv6 using the -6 options. Below we’re scanning for the website my-ip6.com

$ nmap -sT -p21-25,80 -6 2a00:7300:1::4

Also note that with the IPv6 scanning, nmap does NOT support CIDR notation.

Needless to, we can also specify the target with its domain name.

$ nmap -sT -p- -PN plugged.in

Nmap can also get the targets from a text file if you can’t specify them in a sequential order. Just type your targets’ IP addresses line by line on a file and run it like this:

$ nmap -sT -p- -PN -iL my_targets_text_file

When you specify a range of addresses, it sometimes is crutial to NOT SCAN some members of that network. For this, nmap allows you to exclude addresses. This time we specify multiple “excluded targets” as comma separated, and as usual, it supports all the syntax supported for target specification. (hostnames, CIDR, netblocks, octet ranges, etc.)

$ nmap -sT -p- -PN 192.168.1.0/16 –exclude 192.168.16.30,192.168.1.10-15

Here’s a problem with this syntax of nmap, since the excluded targets are specified with commas, we can’t use commas to define subnets within the exclusion. For example we can specify targets such as 192.168.1,2.1 but this is not allowed within the exclusion since nmap will use the comma as a target exclusion delimiter.

The good thing is, just like specifying your targets in a text file, you can also specify you exclusion list too!

$ nmap -sT -p- -PN 192.168.1.0/16 –excludefile my_exclusion_text_file

And the last but not least, nmap has an option to scan random addresses. This is built specifically for research (and fun!) yet you should always use this option at your own risk, since some networks might detect you as a possible break-in attempt for scanning their system. It is also a good idea to you exclusion lists with this option.

$ nmap -sT -p80 -PN -iR 5

The number 5 above means that nmap will be scanning 5 addresses. So it will generate 5 random IP addresses. To generate infinate numbers of addresses, use the -iR option with the value 0.

Let’s end this post with a quoat from the man page of nmap,

“If you find yourself really bored one rainy afternoon, try the command nmap -sS -PS80 -iR 0 -p 80 to locate random web servers for browsing.”

Below I’ll describe how to achieve this in Debian based and Red Hat based distros seperately.

Using Debian based distros (Ubuntu, Mint etc.), setting multiple IP addresses on a single network interface is simple.

What we will do is to edit the /etc/network/interfaces file.
If you are using DHCP, then your file should look similar to this,

auto eth0
iface eth0 inet dhcp

auto eth0:0
iface eth0:0 inet dhcp
iface eth0:0 inet6 dhcp

Here, the eth0:0 is how we get the secondary IP address on the eth0 device.

If you’re using a static IP address instead of DHCP, then your interfaces file should be like,

auto eth0
iface eth0 inet static
address 10.20.30.40
netmask 255.255.255.0
network 10.20.30.0
broadcast 10.20.30.255
gateway 10.20.30.1
dns-nameservers 8.8.8.8

iface eth0 inet6 static
address 2f00:7300:100::10
netmask 64

auto eth0:0
iface eth0:0 inet static
address 10.20.30.41
netmask 255.255.255.0

iface eth0:0 inet6 static
address 2f00:7300:100::11
netmask 64

You can add as many as you want, such as eth0:1, eth0:2 …

Sometimes when adding multiple IPv6 addresses on Debian systems, it is possible that you get an error. The current workaround for that is to enable and disable the device a couple of times. You can find the solution to that problem here.

In Red Hat based distros (CentOS, Fedora etc.), the interfaces are edited through the directory /etc/sysconfig/network-scritps. Here we have multiple files, each pointing for a device. For instance, to have 2 additional IP’s on a single ethernet device (totaling 3 addresses) we should have 3 files as follows,

/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-eth0:1
/etc/sysconfig/network-scripts/ifcfg-eth0:2

The main device file would be just a standard one, we don’t have to change anything with it.
On the other hand, the ifcfg-eth0:1 file should be similar to this,

NAME=”"
BOOTPROTO=static
MACADDR=”"
IPV6INIT=no
DEVICE=eth0:1
NETMASK=255.255.255.0
MTU=”"
BROADCAST=10.20.30.255
ONPARENT=yes
IPADDR=10.20.30.41
NETWORK=10.20.30.0
IPV6INIT=yes
IPV6ADDR=2f00:7300:100::11
IPV6_DEFAULTGW=2f00:7300:100::1
ONBOOT=yes

This would suffice. Don’t forget to restart your network services after adding the lines (or files) to with your appropriate settings.

For Debian : $ /etc/init.d/networking stop && /etc/init.d/networking start
For Red Hat : $ service network restart

For additional IPv6 addresses you should need to add IPV6ADDR_SECONDARIES=”" line to /etc/sysconfig/network-scripts/ifcfg-eth0 file

IPV6INIT=yes
IPV6ADDR=2f00:7300:1::2/64
IPV6ADDR_SECONDARIES=”2f00:7300:1::3/64 2f00:7300:1::4/64 2f00:7300:1::fff4/64 2f00:7300:1::fff5/64″

.

You don’t need to uncompress them in the first place. You can use zgrep on compressed or gzipped files.

To search in compressed file, execute the command :
root@ck [~]#zgrep ‘put-your-text-here’ /your-file-path-here/file.gz
Example : I want to grep ‘plugged’ in all of my exim_paniclog archived files.
root@ck [~]# zgrep ‘plugged’ /var/log/exim_paniclog.*
 

Step 1: Login into account via SSH ( as root ).
Step 2: Find mailman directory. ( Default Location : /usr/local/cpanel/3rdparty/mailman/bin )
$ cd /usr/local/cpanel/3rdparty/mailman/bin
Step 3: Execute the following command to export subscribers to a text file:
$ ./list_members yourlistname > ./export_mail_list.txt
Example Mailman List Name : maillist_plugged.in  ( If the subscriber list is maillist@plugged.in, the listname would be maillist_plugged.in )

This command will export my email subscribers into a file ( export_mail_list.txt ).

Right, you should use InnoDB. But how to change storage engine for your previous tables ?

As far as i know, changing the storage engine for tables is easy by alter command.

But there’s one flaw. You should do it one by one.

On the other hand, you could either write complex SQL queries, or you could write a php code for bulk changes.

Today i’m gonna show you how to change your storage engine with a tiny code.

Please notice that if you decide to use my code it is your responsibility.

$db = ‘your_database_name_here’;

$dsn = “mysql:host=localhost;dbname=$db”;

$username = “your_MySQL_username”;

$password = “your_password”;

$current = ‘MyISAM’; // Current storage engine

$target = ‘INNODB’; // Target storage engine

 

try {

$pdo = new PDO($dsn, $username, $password);

}

catch(PDOException $e) {

die(“Could not connect to the database\n”);

}

$result = $pdo->query(“SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = ‘$db’ AND ENGINE = ‘$current’”);

foreach($result as $row) {

$success = $pdo->exec(“ALTER TABLE {$row['TABLE_NAME']} ENGINE = $target”);

if($success) {

echo “{$row['TABLE_NAME']} – success\n”;

} else {

$info = $pdo->errorInfo();

echo “{$row['TABLE_NAME']} – failed: $info[2]\n”;

}

}

That’s all.

If you see “failed” messages, there’s probably a permission issue with information_schema table.

In that case you should enter MySQL command line, and repeat the procedure there.

To list storage engines for tables, you should execute;

SELECT TABLE_NAME, ENGINE FROM information_schema.TABLES WHERE TABLE_SCHEMA = ‘your_database_name’;

This will show you which tables are using which storage engine.

After that you should execute;

USE your_database_name;

When you see “Database changed” message, you should execute;

ALTER TABLE your_table_name ENGINE = INNODB;

Have a nice life with your magnificent database storage engine InnoDB !

Please check out other articles about InnoDB and Transactions.

But there are much more simple alternatives.

You can use echo method.

To empty a file just enter the command below. I use my php_error.log file for example.

echo -n > /home/base/logs/php_error.log

That’s it. Your file is empty now.

You can use VI Editor.

First, open the file that you want to empty with vi editor. I use my php_error.log file for example.

vi /home/base/logs/php_error.log

On the first line, type “dG” without quotes. It means delete globally on VI Editor.

Then quit with “:wq” without quotes of course

The main goal is to check whether we get any response from the FTP server while we try to connect anonymously. Don’t forget that this script probably won’t work if the FTP server allows anonymous connections.

We simply use the ftplib module to establish the FTP connection. After the successful (or failed) connection, we can report the status of the server via email, to achieve this we use the smtplib module.

The first lines seem simple,

#!/usr/bin/python

import ftplib, smtplib

server_ip=’10.20.30.40′

sender=’sender@email.com’
receivers=['john@email.com','doe@email.com']

Above, after importing our modules, we’ve defined the ip address of our FTP server. After that, the sender email address is defined, and then a list containing the receivers.
Now we can define our messages. We’ll have two messages, one for the UP status, and one for the DOWN.

message_up=”"”
From: FTP Status DAEMON
To: John , Doe
Subject: FTP Service Running

The FTP Service on %s is running.
“”" % server_ip

message_down=”"”
From: FTP Status DAEMON
To: John , Doe
Subject: FTP Service DOWN!

The FTP Service on %s is DOWN!!!
“”" % server_ip

Now we can actually start the checking. The first try clause is checking if we can establish any kind of connection with the server. If the server is somehow down, or if only the FTP service is shut down, this will return some sort of error, which we will catch with the except clause, handle it with our smtp commands, then raise a system exit.

try : ftp=ftplib.FTP(server_ip)
except :
print “FTP DOWN !!!”
smtpObj = smtplib.SMTP(‘localhost’)
smtpObj.sendmail(sender,receivers,message_down)
raise SystemExit

And here’s the second check, if we somehow get to this line, it means that we’ve passed the system exit above, so our connection attempt with the server worked, but we’re not sure if the FTP service is actually running without a login attempt. When we try to login, and if anonymous connection isn’t allowed, we’ll get a permission error, handling it with an exception we can email the recievers that the server is running.

try : ftp.login()
except ftplib.error_perm :
print “FTP Up, Permission Denied.”
smtpObj = smtplib.SMTP(‘localhost’)
smtpObj.sendmail(sender,receivers,message_up)

Now simply connect the dots and add the whole script to your crontab, then you’re good to go!

Update your server as necessary

As its nature, Linux is a multi-developer operating system and you might see an update on any package everyday, an updater like YUM if you don’t change it’s default behavior hosts the most recent stable versions of each package that you install on your server.

Compared to other operating systems, updating Linux is easy as writing a command to terminal, the rest will be automated by YUM. Yum can be extended by independent software repositories like Repoforge. RPMforge is a collaboration of Dag and other packagers. They provide over 5000 packages for CentOS, including wine, vlc, mplayer, xmms-mp3, and other popular media tools. It is not part of Red Hat or CentOS but is designed to work with those distributions.

To install Rpmforge, run;

 rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.rf.src.rpm

If you get an error with the command, check the web site for a recent version. If you are using a control panel like Directadmin you better exclude the packages below from yum as they are maintained by the control panel updater;

exclude=apache* httpd* mod_* mysql* MySQL* da_* *ftp* exim* sendmail* php* bind-chroot*

and the last thing you should do is to type

yum upgrade

We suggest you to run the update at least every once a month.

Disable Telnet

Nowadays, Telnet is mostly given its role to SSH; more secure remote shell client, because Telnet is sending the passwords in readable clear text. Also SSH have many abilities that you can use such as private-keys that you can use to log in to the server without writing down a password. Public key is mostly used when you need root access even you don’t know the root password (root password might be changed by the system administrator or by your client which you install the system for).

Connect to the server and edit /etc/xinetd.d/telnet by typing;

vi /etc/xinetd.d/telnet

if exists disable = no change to disable = yes

save & exit (SHIFT + ZZ)

Restrict Access to applications that can directly connect to the Internet

Even an attacker leak into your server, it is better to give him no chance to download his applications to the server, don’t give run permission to following applications except root user by typing;

chmod 700 /usr/bin/wget
chmod 700 /usr/bin/telnet
chmod 700 /usr/local/bin/lynx
chmod 700 /usr/bin/links
chmod 700 /usr/bin/bcc
chmod 700 /usr/bin/byacc
chmod 700 /usr/bin/cc
chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/perlcc
chmod 700 /usr/bin/yacc
chmod 0700 /usr/bin/curl
chmod 700 /usr/bin/lwp-*
chmod 700 /usr/bin/*ncftp*

Also please note that, if you are taking backups of your domains/dbs to the same server, be aware that a directory created without explicit permission will be readable by all users, to make the directory readable only by root, type;

chmod 600 /backups

Restrict OS level function calling to PHP

In a shared hosting environment, even a customer of yours may try to explore your server. If you don’t have any reason to call the functions below, restrict them;

edit /etc/php.ini (or whereever it is, for directadmin you can check /usr/local/lib/php.ini) and find the line disable_functions and replace with the below line:

disable_functions = “apache_get_modules,apache_get_version,apache_getenv,apache_note, apache_setenv,disk_free_space,diskfreespace,dl, highlight_file,ini_alter,ini_restore,openlog,passthru,phpinfo, proc_nice,shell_exec,show_source,symlink,system, exec,popen,escapeshellarg,escapeshellcmd,myshellexec,c99_buff_prepare,c99_sess_ put,fpassthru”

 Block executing commands on the /tmp Partition

Several script languages like PHP, holds temporary files like session,upload and cache on the /tmp partition on Linux systems. İf the attacker has an access to this folder then those scripts can be run from this point so with this way, all system files can be reached or accessed by root. To block running of files which are in the /tmp partition, it must not be given run permission while mounting /tmp partition.

To do this process, you have to choose /tmp partition as seperate partition while installaing the system. Enter this command in the command line to check this setting:

df -h # or
mount

Enter this command:

[root@xxx ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00 2.9G  820M  1.9G  30% /
/dev/mapper/VolGroup00-LogVol02 2.9G  288M  2.4G  11% /tmp
/dev/mapper/VolGroup00-LogVol04 7.8G  3.8G  3.7G  51% /var
/dev/mapper/VolGroup00-LogVol05 44G   35G  6.6G  85% /hsphere
/dev/mapper/VolGroup00-LogVol03 4.8G  908M  3.6G  20% /usr
/dev/sda1              99M   36M   58M  39% /boot
tmpfs                 2.0G     0  2.0G   0% /dev/shm

If you can not see a seperate  /tmp partition like in the example, create a new 3 GB /tmp partition by applying steps below. If there is a /tmp partition then follow with the step 2:

Step 1:

cd /dev/
dd if=/dev/zero of=Tmp bs=1024 count=3000000
mkfs -t ext3 /dev/Tmp
cd /
cp -aR  /tmp  /tmp_backup
mount  -o  loop,noexec,nosuid,rw  /dev/Tmp  /tmp
cp -aR /tmp_backup/* /tmp/
chmod 0777 /tmp
chmod +t  /tmp

Add information of the newly created partition into the /etc/fstab in order to make it available after next boot.

/dev/Tmp          /tmp          ext3          loop,rw,nosuid,noexec     0 0

If you already have  /tmp partition, please apply the below steps.

Step 2:

change “defaults” in the line starting with /tmp in /etc/fstab to restrict running applications such as

/dev/VolGroup00/LogVol02 /tmp                    ext3    defaults 1 2

to

/dev/VolGroup00/LogVol02 /tmp                    ext3     rw,nosuid,noexec 1 2

Change defaults region as rw,nosuid,noexec then save and exit. Remount /tmp partition in order to make changes available immediately by typing;

mount -oremount loop,rw,nosuid,noexec /tmp

..

As it turns out, it’s a very simple task limiting the file size you want with the output of the find tool.

The -size argument will define the borders of your output. Let’s say you want to find the files smaller than 50 MB on your server,

$ find / -type f -size -50M

Well, this will print out the full path and the file names, you won’t know which file is at what size. So to improve this, we can execute an ls command on each output,

$ find / -type f -size -50M -exec ls -lh {} \;

On this command, the {} refers to the output of each find command, and the \; is mandatory since we need to tell find where our -exec line ends, hence the escape character. (\)

Even though this looks good, we can keep improving by printing out the file size all in the same units. (Let’s say, megabytes) The problem with that is, the ls command can printout with the specified block size limit but it will take that block size quantised, meaning the output will only be the exact multiplicands of that block size. So if our block size is set to 1 MB and a file is 900 KB, ls will output it as 1 MB.

Although this is not so accurate, we can always work it around using awk to calculate the numeric values for us. Since ls normally prints out the file size in bytes, we can divide them to become actual megabytes. The line below will printout ls with actual megabytes.

$ ls -l | awk ‘{print $1 ” ” $2 ” ” $3 ” ” $4 ” ” $5/1048576 ” ” $6 ” ” $7 ” ” $8 ” ” $9}’

Well, we only need the 5th column and the 9th column which are the size and the path respectively, so the command below will suffice :

$ ls -l | awk ‘{ print $5/1048576 ” ” $9 }’

As you can see, we had to use a pipe to get things done here. So we need to use this pipe in our exec part of our find command, which is another problem. Well, the work around for this is to -exec a shell instance and pass the whole ls and awk line including the pipes so that new shell instance will handle things for us.

$ find / -type f -size -50M -size +20M -exec sh -c “ls -l ‘{}’|awk ‘{print \$5/1048576 ” MB: ” \$9}’” \;

Ok, let’s have a look at the command above. As you can see we narrowed our limits further, by getting only the files smaller than 50 MB and larger than 20 MB. We also passed our whole command with a shell instance. On this instance, the argument for ls was passed with the {} method. We apostrophized it (”) due to the possibility of having spaces in the filename, which would have caused a problem. After that, we’ve piped our output to awk, divided the bytes, and added a string ” MB: ” right before printing the 9th column which is the file path. Don’t forget that we should escape the $5 and $9 using the escape character \ since we don’t want the whole find line to process it before our awk does.

Well, the good thing is we have necessary output, the bad thing is that, it isn’t in order! So let’s make things even prettier and sort them, while making the output of each “MB:” bold to get some eye candy.

$ find / -type f -size -50M -size +20M -exec sh -c “ls -l ‘{}’|awk ‘{print \$5/1048576 \” \033[1mMB:\033[0;0m \” \$9}’” \; | sort -nr -k1

As you can see here, we’ve piped the find command to the sort, not the shell instance that we invoked in the find command, that’s why the pipe is right after our \; character.

Hope this helps.

less /usr/local/directadmin/scripts/setup.txt

adminpass= you can find admin password here, and if you didn’t change it after installing you should be able to log in to your admin interface

to change admin password by ssh or console, write:

passwd admin

and enter your new password.

less /usr/local/directadmin/scripts/setup.txt

your password is stored in the line starting with mysql=

If you want to access mysql from ssh or console directly without typing password, create a file in /root/ dir called .my.cnf:

touch /root/.my.cnf

and edit this file with the vi editor:

vi /root/.my.cnf

Add the lines below:

[client]
user=root
password=XXXXXX

Fill the password with the pass you got from setup.txt, save the file with SHIFT+ZZ or :wq and exit. After this step just write mysql to enter MySQL console directly without password.

[root@test ~]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 169833
Server version: 5.0.77-log MySQL Community Edition (GPL)

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the buffer.

mysql>

..

1. Add an additional IP for the second DNS Server, to do so, click to the “IP Management” link in the “Admin Level”. While adding IP address, pay attention to SUBNET value and be sure to assign the same subnet as the IP address or you network may hang, after adding process is complete, choose 2 IP adresses and click to the “Assign to admin” button.
2. In the second step, Click “user level” link located at the right-top side of the page. Click “Domain Setup” link and click “add new domain”. enter the main site name without www.
3. Switch to reseller level, below the title “Extra Features” click “nameservers” link. Use the IP addresses just added to create the name servers of the default domain. Select both IP addresses and click “Create” button. With this step finished you set-up basic operation of DirectAdmin. Further, you can create your reseller plans and you can edit your main site’s settings through “User Level” menu.
4. You can update your system any time using “yum upgrade -y” via ssh or terminal and your control panel through a terminal using “custombuild”
5. http://www.directadmin.com/forum/ includes various information about your control panel.

You must download the setup file from DirectAdmin site:

Download DirectAdmin setup file & run:

mkdir /root/DA
cd /root/DA
wget http://www.directadmin.com/setup.sh
sh setup.sh

Steps to follow:

DirectAdmin setup will ask you your account number & your license number, if you mistype accidentally just press CTRL+C to quit and restart setup. You need to wait ten seconds after restarting setup.

After that step the setup will ask you your domain name (hostname) bare in mind that wirte your hostname as subdomain + domain + tld as we offer the subdomain part should better be “mail”. Such that your domain name is myserver.com then write your hostname as “mail.myserver.com”, this way your mail server inside DirectAdmin should work better.

After that step, follow the directives, (we offer apache 2, php5 installation and “yes” to all questions) and finish the installation. Always consider selecting the second option,

You should better restart the server but restarting DirectAdmin is enough with the command:

service directadmin restart

After the installation you can enter to your admin site by typing http://SERVERIP:2222 to your favorite browser. Don’t panic if some of the services is not responding after setup, this is because you need to make some DNS configurations and you need to enter your master domain name to the control panel(cp).

DirectAdmin setup creates a log file called setup.txt where all your passwords for your server is present:

less /usr/local/directadmin/scripts/setup.txt

Go to Step three for making post installation tasks.

• Easy to install, can be installed on a VPS or VDS also
• Less overhead, minimal code
• Easy to maintain & upgrade
• Easy to modify wtihout breking the continuity
• Huge fans and great forum that you can find your solutions

Operating System Setup (RedHat Enterprise Linux, CentOS or CloudLinux is recomended)

In order to make your system more secure to attacks, trojans and backdoors you should make a seprate partition for /tmp and restrict execute rights for all users. size between 4 to 6 GB is enough for the /tmp partition. Follow our directives on howto make tmp partition more secure in Linux Security Documents and disable execute permissions in /etc/fstab.

For more secure installation do not blindly install default packages or any Desktop environment. You should remove all selected groups and belonging packages from the installation, be aware that CentOS could be installed with the first CD, if the setup asks for additional CDs, you most probably forgot to uncheck some packages. With this method you should only need the first CD of CentOS distro.

We recommend using YUM as an updater/package installer for Linux.

Close firewall with CHKCONFIG

You might enable it after installing DirectAdmin or you should better install csf

chkconfig  iptables off
chkconfig ip6tables off

service iptables stop
service ip6tables stop

Disable SELINUX

SELINUX is enabled default in LINUX and if you don’t disable or modify you cannot access some of the services from the outside such as httpd (apache). Open the config file with the following command:

sed -i ‘s/SELINUX=.*/SELINUX=disabled/’ /etc/sysconfig/selinux
/usr/sbin/setenforce 0

 Install Prerequisities & Updates:

DirectAdmin requires some additional packages before entering the setup. Use YUM to upgrade your system:

yum upgrade -y

Install additional packages required by DirectAdmin:

CentOS 5.x #yum install gcc gcc-c++ make vixie-cron flex wget quota perl gd
CentOS 6.x #yum install gcc gcc-c++ flex bison make bind bind-libs bind-utils openssl openssl-devel perl quota libaio libcom_err-devel libcurl-dev which bc wget gd

If you get a conflict error with perl, perl was already installed before, please remove it from the above code and re-try.

Set hostname to “mail.yourservername.tld” before starting setup, using mail. saves you from confusions & mail transmission problems:

hostname mail.yourserver.tld

Go to step two: DirectAdmin Setup

But adding a job in your bash script is not that simple, because what you have to do is, to get the entire list of the jobs, append your new job and save them as a whole.

Here’s a snippet of how to do that. Here, we assume that we want to run a script called “myscript.sh” every 5 minutes and the full path of the script is “$my_path/myscript.sh”. Don’t forget that in everycase, adding a job to crontab you have to specify the full path!

So basically, add these lines to your script.

command="$my_path/myscript.sh" > /dev/null 2>&1"
job="* /5 * * * * $command"
cat <(grep -i -v "$command" <(crontab -l)) <(echo "$job") | crontab -


Note that this is for BASH, not SH, since the syntax with the brackets is only available in BASH.

As you can see, the last line is the critical one. In the first brackets using the grep tool, we catch everything currently in the crontab "except our command", so this will prevent from adding the $command even if it is already in crontab. After that, we echo our job to the end of the current jobs, and redirect it to cat as a standart input. Since the standart output of cat will be the whole crontab list "with our new job", we can use crontab with its "-" option to get the arguments from the stadart output.

Hope this helps.