Friday, March 9, 2007

How to Enable PHP5 Site Wide

Using an .htaccess file, the following rule will work:

AddHandler application/x-httpd-php5 .php

This will allow .php file extensions to be parsed by the PHP5 engine on the server.

PHP/MySQL FAQ

What versions of PHP are you running?
We are currently supporting PHP 4.4.2 and PHP 5.1.4. PHP4 runs as an Apache module, while PHP5 runs as a CGI.

How do I know which PHP modules are installed?
Using the following code within a file with a .php extension:

How can I use PHP 5?
PHP5 is enabled network wide, which you can use with a .php5 extension or you can follow these directions to change .php on your site to use the PHP5 engine: How to enable PHP5 site wide

Will you install specific PHP extensions for my needs?
Yes, so long as it is well documented at php.net, including associated functions provided by this extension.

What version of MySQL do you currently support?
MySQL 4.1.19-standard

What resource limits do you put in place on the mysql services?
We limit each user to 25 simultaneous connections. If you exceed this limit, you will begin to receive connection errors.

I am receiving “too many connection” errors with mysql, how do I fix this?
The most common occurrence is that you have many sleeping MySQL queries with your application. If the application gives you the option to disable or limit persistent connections, doing so will help alleviate this problem in our shared environments.

How do you define a “slow query?”
This is defined by any query which takes over 10 seconds to complete. We understand that queries can exceed 10 seconds when server loads are high, so we take into account multiple server variables including system load and rows analyzed when parsing through slow query logs.

How do I backup my Databases?
This can be done simply by using the Backup function within cPanel, located under Download a MySQL Database Backup.

I am getting an error: “Client cannot support authentication protocol”?
MySQL made a significant change to the password hashing algorithm from 4.0 to 4.1, and PHP 4.x has not caught up with an updated mysql client library. Alterations to the servers have been made to limit how often this error occurs; however, if you come across it, please issue a support ticket and we will resolve it immediately.

I have a Large Database and Need to Restore it
The quickest way for those familiar with a Linux command line is to use mysqldump to first dump the database (this will dump structure and data). Then when you wish to restore, use the mysql client, such as: mysql -uUser -p databasename <>

I would also like to know if you support phpsuexec?
We do not; however, we do use open_basedir protection on our PHP installation, which protects you from other users reading the contents of your directories.

Alternative to Navicat
http://mysql.org/downloads/gui-tools/5.0.html

SuExec

I thought I would write down my notes on phpsuexec so that it is understood by others. I know that I had a hard time understanding how it was supposed to work. So here goes:

First off, for security, we want to run PHP with suEXEC. Why? Because that way scripts are executed under the username of the domain owner, making it easier to track what they are doing and which emails are sent. It also limits what they can modify and whether they can view session data in the /tmp folder. OK, you should know the benefits of suEXEC… so I won’t dig any deeper.

The first thing you need to realize is that for PHP to use suEXEC, it must be run as a CGI. This is probably the most secure way of running PHP. This is in contrast to running it as a module (i.e. mod_php).

The problem with running PHP as a CGI is that it would require all PHP scripts to start with an opening spec (just like most UNIX scripts) saying what the interpreter to use is. For example, you would have to change ALL your PHP scripts to have the following first line:

code: #!/usr/bin/php

Now, this is a problem because you would then need to change ALL PHP scripts to have this first line. Of course, this would be out of the question if you had many sites or worse, many servers… Your clients would be upset and it would take a while to implement.

That’s where phpsuexec comes in. It is nothing more than a module loaded into Apache that essentially prepends that line to PHP scripts so that you don’t need to go and edit all of them. THIS IS THE MAGIC!

What I have explained so far was the piece of the puzzle that I needed in my mind to understand it best.

Now, knowing how it worked, I went back and made sure that I had taken these steps to get it working:

1. Make sure you compile PHP as a binary. (In my case, I build my own PHP and not the one with easyapache).
2. Make sure you place the PHP binary into /usr/bin (it must be here since this is where the phpsuexec patch will look for it).
3. Recompile easyapache. In my case, I specify to use phpsuexec and also tell it to NOT compile PHP since I use my own.
4. The easyapache script comments out the PHP module loading from httpd.conf. This is normal because, of course, you are no longer using PHP as a module.
5. Once apache restarts it starts running PHP scripts with the binary PHP.

Now the fun starts. Because PHP is a binary now, and being suEXEC’d, the same rules apply as they do when you suEXEC any other script. That is, the script must abide by the following rules:

1. User executing the wrapper must be a valid user on this system.
2. The command that the request wishes to execute must not contain a /.
3. The command being executed must reside under the user’s web document root.
4. The current working directory must be a directory.
5. The current working directory must not be writable by group or other.
6. The command being executed cannot be a symbolic link.
7. The command being executed cannot be writable by group or other.
8. The command being executed cannot be a setuid or setgid program.
9. The target UID and GID must be a valid user and group on this system.
10. The target UID and GID to execute as, must match the UID and GID of the directory.
11. The target execution UID and GID must not be the privileged ID 0.
12. Group access list is set to NOGROUP and the command is executed.

Once you convert over to phpsuexec, you should probably babysit the suexec_log file (/etc/httpd/logs/suexec_log) to check for any errors. WHM has the nifty “Fix script permissions” thingy that will automatically change perms for you so that they are correct.
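
The rules above that can be verified on disk (3, 5, 6, 7, 8, 10 and 11), as an added shell example that is not part of the original notes: it prints one finding for each rule a script would break, so permissions can be corrected before suexec_log fills with errors. The function names, finding labels and demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a script against the suEXEC rules that can be checked
# on disk. All function names and finding labels here are hypothetical.

# Mode string (e.g. -rwxr-xr-x) of a path, without following symlinks.
mode_of() { ls -ld "$1" | awk '{print $1}'; }

# Numeric "uid gid" of a path.
owner_of() { ls -ldn "$1" | awk '{print $3, $4}'; }

# Rule 3: the script must live under the user's document root.
check_docroot() {   # $1 = docroot, $2 = script
    root=$(cd -P "$1" 2>/dev/null && pwd -P) || { echo "bad-docroot"; return 0; }
    dir=$(cd -P "$(dirname "$2")" && pwd -P)
    case $dir/ in
        "$root"/*) ;;
        *) echo "outside-docroot" ;;
    esac
}

# Rules 5-8: no symlink, no group/other write bit on the script or on its
# directory (the working directory suEXEC runs it from), no setuid/setgid.
check_modes() {     # $1 = script
    if [ -L "$1" ]; then
        echo "symlink"                                                   # rule 6
    else
        fmode=$(mode_of "$1")
        case $fmode in ?????w*|????????w*) echo "file-writable" ;; esac  # rule 7
        case $fmode in ???[sS]*|??????[sS]*) echo "setid" ;; esac        # rule 8
    fi
    case $(mode_of "$(dirname "$1")") in
        ?????w*|????????w*) echo "dir-writable" ;;                       # rule 5
    esac
}

# Rules 10-11: owner must match the directory's owner and must not be ID 0.
check_owner() {     # $1 = script
    fown=$(owner_of "$1")
    down=$(owner_of "$(dirname "$1")")
    if [ "$fown" != "$down" ]; then echo "owner-mismatch"; fi
    case $fown in "0 "*|*" 0") echo "root-owned" ;; esac
}

# Run every check; prints one finding per line, nothing when the script passes.
suexec_audit() {    # $1 = docroot, $2 = script
    check_docroot "$1" "$2"
    check_modes "$2"
    check_owner "$2"
}

# Constructed demo tree: one script that passes, one left at 0777.
demo() {
    t=$(mktemp -d)
    mkdir "$t/public_html"; chmod 755 "$t/public_html"
    for f in ok.php bad.php; do printf '<?php echo "hi";\n' > "$t/public_html/$f"; done
    chmod 755 "$t/public_html/ok.php"; chmod 777 "$t/public_html/bad.php"
    for f in ok.php bad.php; do
        echo "$f: $(suexec_audit "$t/public_html" "$t/public_html/$f" | tr '\n' ' ')"
    done
    rm -rf "$t"
}
demo
```

Run as root the demo also reports root-owned for both files, because the files it creates then belong to UID 0.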

The other issue you have to deal with is the php_value settings you probably have lying around on your server. php_value settings in .htaccess files are only interpreted by the module version of PHP. The binary version actually chokes on these and you get a Server 500 error.

The way around this is to find all .htaccess files that have php_value in them. Then, copy php.ini into the same directory as the .htaccess file is located and apply the settings in .htaccess to php.ini. Then of course, remove the php_value settings from .htaccess and you are golden.
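
One way to carry out the conversion just described, as an added shell example rather than anything from the original notes: it lists the .htaccess files that still hold PHP directives, writes their php.ini equivalents beside them and strips the lines, keeping a backup. The function names and the sample .htaccess are constructed, and php_flag lines are converted along with php_value on the assumption that they fail the same way.

```shell
#!/bin/sh
# Added example: move php_value / php_flag lines out of .htaccess files and
# into a php.ini in the same directory. Function names are hypothetical.

# List every .htaccess under a directory that still carries PHP directives.
find_php_htaccess() {      # $1 = directory to search
    find "$1" -type f -name .htaccess \
        -exec grep -qiE '^[[:space:]]*php_(value|flag)[[:space:]]' {} \; -print
}

# Print the php.ini form of each directive: "php_value name v" -> "name = v".
htaccess_to_ini() {        # $1 = .htaccess file
    awk '
        tolower($1) == "php_value" || tolower($1) == "php_flag" {
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]*/, "", val)  # drop directive and name
            sub(/[ \t\r]+$/, "", val)                          # trim trailing blanks/CR
            print $2 " = " val
        }' "$1"
}

# Print the .htaccess with the PHP directives removed; everything else is kept.
strip_php_directives() {   # $1 = .htaccess file
    awk 'tolower($1) != "php_value" && tolower($1) != "php_flag"' "$1"
}

# Convert one directory: append the settings to the php.ini beside the
# .htaccess, keep a backup copy, then rewrite .htaccess without the PHP lines.
migrate_dir() {            # $1 = directory containing .htaccess
    ht="$1/.htaccess"
    htaccess_to_ini "$ht" >> "$1/php.ini"
    cp -p "$ht" "$ht.bak"
    strip_php_directives "$ht.bak" > "$ht"
}

# Constructed sample input.
demo() {
    d=$(mktemp -d)
    cat > "$d/.htaccess" <<'EOF'
RewriteEngine On
php_value upload_max_filesize 16M
php_flag display_errors off
# php_value memory_limit 64M
EOF
    find_php_htaccess "$d"
    migrate_dir "$d"
    cat "$d/php.ini"
    rm -rf "$d"
}
demo
```

If the server's php.ini has already been copied into the directory, migrate_dir appends to that copy instead of creating a new file.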

I imagine I will run into more issues, but for now these are the main ones. I hope this helps others understand the phpsuexec beast. It’s not that complicated once you understand its purpose. Once again: It simply makes running PHP as a CGI easier to do by taking away the need to add the #!/usr/bin/php line to your scripts.

How to Secure and Optimize your VPS

Securing cPanel, WHM & Root

These techniques can definitely help you, but remember, use them at your own risk. A VPS is not all Sunshine and Lollipops. If you don’t know what you are doing, it is strongly suggested to do a bit of research before attempting it.

Checking for formmail

Form mail is used by hackers to send out spam email, by relay and injection methods.

Find Form Mails: find / -name "[Ff]orm[mM]ai*"
Find CGIemail: find / -name "[Cc]giemai*"

Disable Form Mails: (this disables all form mail) chmod a-rwx /path/to/filename
(a-rwx translates to all types, no read, write or execute permissions).

If a client or someone on your vps installs form mail, you will have to let them know you are disabling their script and give them an alternative.

Root kit checker : http://www.chkrootkit.org/

Check for root kits, and even set the root kit checker to run as a cron job. This will show you if anyone has compromised your root. Always update chkrootkit to get the latest root kit checker. Hackers and spammers will try to find insecure upload forms on your box and then, with injection methods, try to upload a root kit to your server. If they can run it, it will modify a lot of files, possibly causing you to have to reinstall.

1) chkrootkit Install

As Root, Type:

cd /root/
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvzf chkrootkit.tar.gz
cd chkrootkit-0.44
make sense

2) Running chkrootkit

/root/chkrootkit-0.44/chkrootkit
Make sure you run it on a regular basis, perhaps including it in a cron job.

3) Execution

These 3 Commands appear to be most common.

./chkrootkit
./chkrootkit -q
./chkrootkit -x | more

Install a Root Breach Detector & Email Warning

If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hackers/spammers ip address and have knowledge of the situation.

1) Notification Email

This simple yet very useful hack will let you know each time someone gains root shell access on your server. It is a good idea to do this, as it can let you know very quickly if your machine has been compromised.

First, you’ll need to edit .bash_profile with your favorite editor. At the end of this file, put this:

echo 'WARNING - Root Shell Access on:' `date` `who` | mail -s "Warning: Root Access from `who | awk '{print $6}'`" off-site@address.com

Make sure that the e-mail address you use is not hosted on the server, as if it was, a hacker could simply delete the email. If it’s offsite, the email will be sent before the hacker is even able to gain access.

2) Set an SSH Legal Message (Optional)

pico /etc/motd

Enter your message, save and exit. Ex: (The Following Could be Used)

ALERT! You are entering a secured area! Your IP and login information have been recorded. System Administration has been notified. This system is restricted to authorized access only. All activities on this system are recorded and logged. Unauthorized access will be fully investigated and reported to the appropriate authorities if necessary.

WebHost Manager & cPanel Mods

These are items inside of WHM/Cpanel that should be changed to secure your server.

1) Tweak Settings (Check the following items…)

Domains > Prevent users from parking/adding on common internet domains.
(ie ‘hotmail.com’, ‘aol.com’)

Mail > Attempt to prevent pop3 connection floods
Mail > Default catch-all/default address behavior for new accounts – blackhole

System > Use jailshell as the default shell for all new accounts and modified accounts

2) Tweak Security

Enable php open_basedir Protection
Enable mod_userdir Protection
Disable Compilers for unprivileged users

3) Manage Wheel Group Users

Remove all users except for root and your main account from the wheel group.

4) Shell Fork Bomb Protection

Enable Shell Fork Bomb/Memory Protection

5) Reseller Center (Privileges)

Disable Allow Creation of Packages with Shell Access
Enable Never allow creation of accounts with shell access
Under Root Access disable All Features

6) FTP Configuration

Disable Anonymous FTP

7) Manage Shell Access

Disable Shell Access for all users (except yourself)

8) MySQL Root Password

Change root password for MySQL

9) Security

Scan for Trojan Horses. The following and similar items are not Trojans:

/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod

More Security Measures

These are measures that can be taken to secure your server, with SSH access.

Update OS, Apache and CPanel to the latest stable versions. This can be done from WHM/CPanel.

1) Restrict SSH Access

To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.

As root, type:
nano /etc/ssh/sshd_config

Locate the section of the file that looks like:


#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

Change this section to the following:


Port 43258
Protocol 2
ListenAddress x.x.x.x

Note: Replace x.x.x.x with one of your assigned IP addresses.

  • Choose your own 4 to 5 digit port number. Choose a number greater than 1024 and less than 65535.
  • You may also disable root SSH login (see Disable root SSH Login below).
  • You can also create a custom nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.

Disable root SSH Login

To disable logging in as root via SSH (direct logins only, you may still become the superuser using the `su` command), locate the following in your /etc/ssh/sshd_config file:

#PermitRootLogin yes

Change to:

PermitRootLogin no

To apply your changes, restart the SSH Daemon (as root) using:
/etc/rc.d/init.d/sshd restart

Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.
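
A check that the edits above actually took effect, as an added shell example that is not part of the original guide: it reads an sshd_config and prints a finding for each setting that is still at the value the guide tells you to change. The function names, finding labels and sample files are constructed, 192.0.2.10 stands in for x.x.x.x, and unset keywords are assumed to keep the defaults shown in the commented-out lines.

```shell
#!/bin/sh
# Added example: confirm that sshd_config carries the settings described
# above. Function names and finding labels are hypothetical.

sshd_audit() {   # $1 = path to sshd_config; prints one finding per line
    awk '
        /^[ \t]*#/ || NF == 0 { next }      # commented lines only show defaults
        {
            key = tolower($1); arg = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", arg)   # drop the keyword
            gsub(/[ \t\r]/, "", arg)               # "2, 1" -> "2,1"
        }
        # Port and ListenAddress may repeat, and every occurrence is used.
        key == "port"          { nport++;   if (arg == "22") p22 = 1 }
        key == "listenaddress" { nlisten++; if (arg == "0.0.0.0" || arg == "::") wild = 1 }
        # For the other keywords sshd keeps the first value it reads.
        key == "protocol"        && proto == "" { proto = arg }
        key == "permitrootlogin" && root  == "" { root = tolower(arg) }
        END {
            if (proto == "") proto = "2,1"   # default per the commented line
            if (root  == "") root  = "yes"   # default per the commented line
            if (nport == 0 || p22)    print "port-22"      # still on port 22
            if (nlisten == 0 || wild) print "listen-all"   # bound to every address
            if (proto ~ /1/)          print "protocol-1"   # protocol 1 still allowed
            if (root != "no")         print "root-login"   # direct root login allowed
        }' "$1"
}

# Constructed samples: the stock section and the edited one from this guide.
write_samples() {   # $1 = directory to write into
    cat > "$1/stock" <<'EOF'
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::
#PermitRootLogin yes
EOF
    cat > "$1/hardened" <<'EOF'
Port 43258
Protocol 2
ListenAddress 192.0.2.10
PermitRootLogin no
EOF
}

demo() {
    s=$(mktemp -d); write_samples "$s"
    for f in stock hardened; do
        echo "$f: $(sshd_audit "$s/$f" | tr '\n' ' ')"
    done
    rm -rf "$s"
}
demo
```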

If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very insecure protocol, so change your root password after you use it.
After SSH has been redirected, disable Telnet.

2) Disable Telnet

As Root, Type: pico -w /etc/xinetd.d/telnet

change disable = no > disable = yes (save & exit)
/etc/init.d/xinetd restart

3) Disable Shell Accounts

As Root Type: locate shell.php

Also check for:
locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

There will be several listings that will be OS/CPanel related.
  • Examples:
    /home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
    /usr/local/cpanel/etc/sym/eggdrop.sym
    /usr/local/cpanel/etc/sym/bnc.sym
    /usr/local/cpanel/etc/sym/psyBNC.sym
    /usr/local/cpanel/etc/sym/ptlink.sym
    /usr/lib/libncurses.so
    /usr/lib/libncurses.a

4) Disable Identification Output for Apache

This is to hide version numbers from potential hackers.

To disable the version output for Apache, as root, type:
nano /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to ServerSignature Off

Restart Apache /etc/rc.d/init.d/httpd restart

Install BFD (Brute Force Detection – optional)

1) Installation

As Root, Type:

cd /root/
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd-0.4
./install.sh

2) Configuration

As Root, Type: pico /usr/local/bfd/conf.bfd

Under Enable brute force hack attempt alerts:
Find
ALERT_USR="0"
and change it to
ALERT_USR="1"

Find
EMAIL_USR="root"
and change it to
EMAIL_USR="your@email.com"

Save and Exit

3) Start BFD

As Root, Type: /usr/local/sbin/bfd -s

Modify LogWatch

Logwatch is a customizable log analysis system. It parses through your system’s logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.

1) Modification

As Root, Type: pico -w /etc/log.d/conf/logwatch.conf

MailTo = root > MailTo = your@email.com

Set the e-mail address to an offsite account in case you get hacked.

Detail = Low > Medium or High
Detail = 5 or 10

High will give you more detailed logs with all actions.
  • Save and exit.

Suggestions to Improve Security

  • Use The Latest Software
  • Keep the OS and 3rd party software up to date. Always!
  • CPanel itself can be updated from the root WHM
1) Change Passwords
  • Change your root login password once a month, using randomized letters and numbers, uppercase and lowercase.
2) Set Up A More Secure SSH Environment
  • Disable Telnet, As Root, Type: pico -w /etc/xinetd.d/telnet
  • Change the disable = no line to disable = yes
  • Exit and Save – Restart xinetd: /etc/rc.d/init.d/xinetd restart
  • Add the following line to /etc/hosts.deny to flag Telnet access attempts as ‘emergency’ messages.
    in.telnetd : ALL : severity emerg
3) Disable Unnecessary Ports (optional)
  • First backup the file that contains your list of ports with:
    cp /etc/services /etc/services.original
  • Now configure /etc/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.
    On a typical CPanel system it would look something like this:
tcpmux 1/tcp # TCP port service multiplexer
echo 7/tcp
echo 7/udp
ftp-data 20/tcp
ftp 21/tcp
ssh 22/tcp # SSH Remote Login Protocol
smtp 25/tcp mail
domain 53/tcp # name-domain server
domain 53/udp
http 80/tcp www www-http # WorldWideWeb HTTP
pop3 110/tcp pop-3 # POP version 3
imap 143/tcp imap2 # Interim Mail Access Proto v2
https 443/tcp # MCom
smtps 465/tcp # SMTP over SSL (TLS)
syslog 514/udp
rndc 953/tcp # rndc control sockets (BIND 9)
rndc 953/udp # rndc control sockets (BIND 9)
imaps 993/tcp # IMAP over SSL
pop3s 995/tcp # POP-3 over SSL
cpanel 2082/tcp
cpanels 2083/tcp
whm 2086/tcp
whms 2087/tcp
webmail 2095/tcp
webmails 2096/tcp
mysql 3306/tcp # MySQL
  • Additional ports are controlled by /etc/rpc. These aren’t generally needed, so get rid of that file with: mv /etc/rpc /etc/rpc-moved
4) Watch The Logs
  • Install something like logwatch to keep an eye on your system logs. This will extract anything ‘interesting’ from the logs and e-mail it to you on a daily basis.
  • Logwatch can be found at: http://www.logwatch.org
5) Avoid CPanel Demo Mode
  • Switch it off via WHM Account Functions => Disable or Enable Demo Mode.
6) Jail All Users
  • Via WHM Account Functions => Manage Shell Access => Jail All Users.
    Better still never allow shell access to anyone – no exceptions.
7) Immediate Notification Of Specific Attackers
  • If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny
  • ALL : nnn.nnn.nnn.nnn : spawn /bin/echo `date` %c %d | mail -s "Access attempt by nnn.nnn.nnn.nnn on for hostname" notify@mydomain.com
    Replacing nnn.nnn.nnn.nnn with the attacker’s IP address.
    Replacing hostname with your hostname.
    Replacing notify@mydomain.com with your e-mail address.
    This will deny access to the attacker and e-mail the sysadmin about the access attempt.
8) Check Open Ports
  • From time to time it’s worth checking which ports are open to the outside world. This can be done with:
    nmap -sT -O localhost
    If nmap isn’t installed, it can be selected from root WHM’s Install an RPM option.
9) Set The MySQL Root Password
  • This can be done in CPanel from the root WHM Server Setup → Set My SQL Root Password.
  • Make it different from your root password!
10) Tweak Security (CPanel)
  • From the root WHM, Server Setup → Tweak Security, you will most likely want to enable the following.
  • php open_basedir Tweak
    SMTP tweak
    mod_userdir Tweak (But this will disable domain preview)
11) Use Su Exec (CPanel)
  • From root WHM, Server Setup → Enable/Disable Su Exec. This is CPanel’s description of what it does:
    “suexec allows cgi scripts to run with the user’s id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. ”
    Even if you don’t use phpsuexec (which often causes more problems), Su Exec should be considered.
12) Use PHPSu Exec (CPanel)
  • This needs to be built into Apache (Software → Update Apache from the root WHM) and does the same as Su Exec but for PHP scripts.
    With PHPSu Exec enabled, your users will have to make sure that all their PHP files have permissions no greater than 0755 and that their htaccess files contain no PHP directives.

13) Disable Compilers

This will prevent hackers from compiling worms, root kits and the like on your machine. To disable them, do the following:

chmod 000 /usr/bin/perlcc
chmod 000 /usr/bin/byacc
chmod 000 /usr/bin/yacc
chmod 000 /usr/bin/bcc
chmod 000 /usr/bin/kgcc
chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
chmod 000 /usr/bin/i386*cc
chmod 000 /usr/bin/*c++
chmod 000 /usr/bin/*g++
chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

You will need to enable them again when you need to perform system updates. To do this, run:

chmod 755 /usr/bin/perlcc
chmod 755 /usr/bin/byacc
chmod 755 /usr/bin/yacc
chmod 755 /usr/bin/bcc
chmod 755 /usr/bin/kgcc
chmod 755 /usr/bin/cc
chmod 755 /usr/bin/gcc
chmod 755 /usr/bin/i386*cc
chmod 755 /usr/bin/*c++
chmod 755 /usr/bin/*g++
chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

14) Obfuscate The Apache Version Number
  • As Root, Type: pico /etc/httpd/conf/httpd.conf
  • Change the line that begins ServerSignature to: ServerSignature Off
  • Add a line underneath that which reads: ServerTokens ProductOnly
  • Save and Exit
  • Restart Apache, Using: /etc/rc.d/init.d/httpd restart

VPS/Dedicated

What is a Virtual Private Server?
Consider it a slice of a server, dedicated entirely to your resources and processes. You’ll have your own base installation of Linux, your own dedicated services over a dedicated IP address with full root access.

What Hardware are your VPS Solutions Running on?
Our VPS Solutions are running Dual 3.0GHz Intel Xeon processors and 4GB of ECC DDR2 memory.

Was Fantastico removed from my Cpanel installation?
You can purchase a Fantastico license through netenberg.com; unfortunately, it does not get bundled with cPanel.

Passwordless SSH authentication
Login via SSH without a password (How To)

How can I be Alerted if my Server Goes Down?
The following may be of interest as they are free:
Montastic.com
Mon.itor.us

SSH Guide

Complete SSH Guide

SSH FAQs

What is SSH

A packet-based binary protocol that provides encrypted connections to remote hosts or servers. Shell access allows you to run command line programs, copy/edit/delete files, and more.

I can’t connect with my login
You must first have SSH Enabled by a System Admin. (Contact Support)

”stdin: is not a tty”
This is merely the bash session echoing back that the standard input is not a tty (console) but rather a pty.

Shell is continuously becoming disabled?
Any time an account and/or a package associated with an account is modified, SSH is not carried over and in turn will need to be re-enabled.

Am I able to Enable SSH for my Clients (Reseller)
No, SSH is enabled on a per account basis and Done so by Network Redux.

Common SSH Commands

System Information

who
List the users logged in on the machine.

rwho -a
List all users logged in on your network. The rwho service must be enabled for this command to work.

finger user_name
System info about a user. Try: finger root

last
This lists the users last logged-in on your system.

history | more
Show the last (1000 or so) commands executed from the command line on the current account. The | more causes the display to stop after each screen fill.

pwd
Print working directory, i.e. display the name of your current directory on the screen.

hostname
Print the name of the local host (the machine on which you are working).

whoami
Print your login name.

id username
Print user id (uid) and his/her group id (gid), effective id (if different than the real id) and the supplementary groups.

date
Print or change the operating system date and time. E.g., change the date and time to 2000-12-31 23:57 using this command

date 123123572000
To set the hardware clock from the system clock, use the command (as root)
setclock

time
Determine the amount of time that it takes for a process to complete, plus other info. Don’t confuse it with the date command. E.g., we can find out how long it takes to display a directory’s contents using time ls

uptime
Amount of time since the last reboot and load average of system.

ps
List the processes that have been run by the current user.

ps aux | more
List all the processes currently running, even those without the controlling terminal, together with the name of the user that owns each process.

top
Keep listing the currently running processes, sorted by cpu usage (top users first).

uname -a
Info on your server’s kernel version.

free
Memory info (in kilobytes).

df -h
Print disk info about all the file systems in a human-readable form.

du / -bh | more
Print detailed disk usage for each subdirectory starting at root (in a human readable form).

lsmod
(as root. Use /sbin/lsmod to execute this command when you are a non-root user.) Show the kernel modules currently loaded.

set | more
Show the current user environment.

echo $PATH
Show the content of the environment variable PATH. This command can be used to show other environment variables as well. Use set to see the full environment.

dmesg | less
Print kernel messages (the current content of the so-called kernel ring buffer). Press q to quit less. Use less /var/log/dmesg to see what dmesg dumped into the file right after bootup. – only works on dedicated systems

cat /proc/cpuinfo
Shows information about all the CPUs installed on the running system.

Commands for Process control

ps
Display the list of currently running processes with their process IDs (PID) numbers. Use ps aux to see all processes currently running on your system (also those of other users or without a controlling terminal), each with the name of the owner. Use top to keep listing the processes currently running.

fg PID
Bring a background or stopped process to the foreground.

bg PID
Send the process to the background. This is the opposite of fg. The same can be accomplished with Ctrl+Z.

any_command &
Run any command in the background (the symbol ‘&’ means run the command in the background).

kill PID
Force a process shutdown. First determine the PID of the process to kill using ps.

killall -9 program_name
Kill program(s) by name.

xkill
(in an X-windows terminal) Kill a GUI-based program with mouse. (Point with your mouse cursor at the window of the process you want to kill and click.)

lpc
(as root) Check and control the printer(s). Type “?” to see the list of available commands.

lpq
Show the content of the printer queue.

lprm job_number
Remove a printing job job_number from the queue.

nice program_name
Run program_name adjusting its priority. Since the priority is not specified in this example, it will be adjusted by 10 (the process will run slower), from the default value (usually 0). The lower the number (of niceness to other users on the system), the higher the priority. The priority value may be in the range -20 to 19. Only root may specify negative values. Use top to display the priorities of the running processes.

renice -1 PID
(as root) Change the priority of a running process to -1. Normal users can only adjust processes they own, and only up from the current value (make them run slower).

Useful commands

screen
This command will start a multi-terminal emulator. Once started you can press Ctrl+A ? for more information

How to Access/Use SSH

cPanel/Browser

  • Select the ‘SSH/Shell Access’ Function.
  • You are now logged into the command line of the server that your site is on.
  • You are logged in as the main user on your account. You can now access the files that are a part of your account.

Terminal/Client

There are multiple options when using SSH: the first is the browser method above, and the second is a terminal.

If you are on Windows, PuTTY is an open-source implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator.

PuTTY can be downloaded at this website.

ssh username@domain.com
Shell must first be enabled by a system admin.