Linux web hosting and server support tips

Category: Linux server Page 1 of 3

How to remove or compress huge MySQL general and query log table

How to remove or compress huge MySQL general and query log table

If you have enabled MySQL general or slow logging, it can create quite big log, depending upon your MySQL usage/queries.
So we may have to periodically clear them to save space.

Please note that MySQL can save logs to either table or files. This document assumes you are using table as log output.

Files: slow_log.CSV and general_log.CSV (The location and the name of the file can be different)

By default, logging is to CSF file.

MYSQL supports run time clearing of these logs. So no need to restart the MySQL service.
Never delete the CSV file directly. It can crash MySQL.

Slow query log

SET GLOBAL slow_query_log='OFF';
DROP TABLE IF EXISTS slow_log2;
CREATE TABLE slow_log2 LIKE slow_log;
RENAME TABLE slow_log TO slow_log_backup, slow_log2 TO slow_log;
gzip /var/db/mysql/mysql/slow_log_backup.CSV 
DROP TABLE  slow_log_backup;
SET GLOBAL slow_query_log = 'ON';

General log

USE mysql;
SET GLOBAL general_log = 'OFF';
DROP TABLE IF EXISTS general_log2;
CREATE TABLE general_log2 LIKE general_log;
RENAME TABLE general_log TO general_log_backup, general_log2 TO general_log;
gzip /var/db/mysql/mysql/general_log_backup.CSV 
DROP TABLE  general_log_backup;

What we did is create new log table, move current log file to a backup copy and compress the backup and remove it.

Password protect phpMyAdmin through CentOS Web panel(CWP)

phpMyAdmin is installed with CentOS Web Panel. By default, it is not protected and there is only MySQL user authentication. This can put your server vulnerable. So it is recommended to add additional layer protection.

phpMyAdmin is available through the following url in a CWP based server.

http:/hostname/phpmyadmin
http:/hostname:2030/pma

CWP panel runs its core services through its own version of Nginx. So normal htaccess based password protection will not work.

Create the Password File

You can do this by using the OpenSSL utilities that may already be available on your server. Alternatively, you can use the purpose-made htpasswd utility included in the apache2-utils package(Debian/ubuntu) or httpd-tools(Redhat/Centos).

Using OpenSSL Utilities

We will create a hidden file called .pma_pass /usr/local/cwpsrv/var/services/ folder. You can use any username. I am using dbadmin here as an example

sudo sh -c "echo -n 'dbadmin:' >> /usr/local/cwpsrv/var/services/.pma_pass"

Next, add an encrypted password entry for the username by typing:

sudo sh -c "openssl passwd -apr1 >> /usr/local/cwpsrv/var/services/.pma_pass"

Using Apache Utilities

This tool is already installed and available on all CWP servers.

/usr/local/apache/bin/htpasswd -c /usr/local/cwpsrv/var/services/.pma_pass dbadmin

Configure Nginx Password Authentication

We will need to configure Nginx to read this file before serving our protected content.
CWP Service Nginx configuration file: /usr/local/cwpsrv/conf/cwp_services.conf

Open the above file add the following to the location block of phpMyAdmin.

auth_basic “Admin Login”;
auth_basic_user_file /usr/local/cwpsrv/var/services/pma_pass;

So the full block should look like this now.

location /pma {
    root /usr/local/cwpsrv/var/services;
    index  index.html index.htm index.php;
    ModSecurityEnabled off;
    ModSecurityConfig /usr/local/cwpsrv/conf/security/conf/pma_rules.conf;

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_read_timeout 600;
        fastcgi_pass    unix:/usr/local/cwp/php71/var/sockets/cwpsvc.sock;
        fastcgi_index   index.php;
        fastcgi_param   SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_param   SCRIPT_NAME   $fastcgi_script_name;
        include                 fastcgi_params;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        access_log    off;
        log_not_found    off;
        expires 1M;
    }

       auth_basic "Admin Login";
       auth_basic_user_file /usr/local/cwpsrv/var/services/.pma_pass;
}

Restart CWP nginx service by below commands

systemctl restart cwpsrv.service

Confirm the Password Authentication

To confirm that your content is protected, try to access your restricted content in a web browser. You should be presented with a username and password prompt

How to block Outgoing Port 25 for all VPS/Containers of SolusVM

How to block Outgoing Port 25 for all VPS/Containers of SolusVM(Both OpenVZ/KVM)

Sometimes,when providing VPS service, it is necessary to block mailing service for VPS. Otherwise your IP ranges will be blocked by RBLs and other common mail providers like Gmail, Hotmail, AOL, etc. It is recommended to open ports by case by case for your customers, after establishing trust with your client.

Normally we block the port using the “OUTPUT” chain. However, SolusVM uses the chain “FORWARD” for routing traffic from containers/VPSs.

So by adding following rules, you can block all outgoing mails ports completely for all VPSs.

iptables -I FORWARD -d 0.0.0.0/0 -p tcp -m tcp --dport 25 -j DROP
iptables -I FORWARD -d 0.0.0.0/0 -p tcp -m tcp --dport 465 -j DROP
iptables -I FORWARD -d 0.0.0.0/0 -p tcp -m tcp --dport 587 -j DROP

Then save the iptables by running

service iptables save

Install Ajenti V on Ubuntu 16.04 on Ubuntu 16.04

Install Ajenti v on Ubuntu 16.04

Ajenti is an open source, web-based control panel that can be used for a large variety of server management tasks. Optionally, an add-on package called Ajenti V allows you to manage multiple websites from the same control panel


Step 1: First make sure that all your system packages are up-to-date

sudo apt-get update
sudo apt-get upgrade

Step 2: Installing Ajenti Control Panel.
wget -O- https://raw.github.com/ajenti/ajenti/1.x/scripts/install-ubuntu.sh | sudo sh

Step 3: Start the service:
systemctl start ajenti

Step4: Install Agenti hosting module + nginx+ mail+ftp

If you have Apache installed, but don’t use it, remove it first:
apt-get remove apache2

If you have Sendmail or Postfix installed, remove them too
apt-get remove sendmail postfix

Install Ajenti-v

apt-get install ajenti-v ajenti-v-nginx ajenti-v-mysql ajenti-v-php7.0-fpm php7.0-mysql

# If you need Python
apt-get install ajenti-v-python-gunicorn

# If you want FTP
apt-get install ajenti-v-ftp-pureftpd

# If you want mail
apt-get install ajenti-v-mail

# If you want POP support (for gmail etc.)
apt-get install courier-pop

Step 5: Restart All Services
systemctl restart nginx
systemctl restart php7.0-fpm
systemctl restart mysql
systemctl restart exim4
systemctl restart pure-ftpd
systemctl restart ajenti

Step 6: Accessing Anjeti control panel.

Anjeti will be available on HTTP port 8000 by default. Open your favourite browser and navigate to http://yourdomain.com:8000 or http://server-ip:8000 and enter default username “admin” or “root” and password is “admin”.

Change the password immediately to something secure.

How To Install PHP 7 On A cPanel/WHM Server With EasyApache 3

How To Install PHP 7 On A cPanel/WHM Server With EasyApache 3

Latest versions of cPanel come with EasyApache 4 which provides lots of new features like native support for multiple PHP versions, PHP 7 support, very fast, etc. So it is recommended to migrate to EasyApache 4. However, if you cannot migrate EasyApache 4 because of some reason (Example: Tomcat support), you will have to compile the PHP 7 manually from source.

To migrate to EasyApache for, just run the below command. cPanel will try to build a matching PHP setup using EasyApache 4.

/scripts/migrate_ea3_to_ea4 --run

If anything goes wrong during the upgrade process you can always go back with /scripts/migrate_ea3_to_ea4 –revert –run

Manually install PHP 7

Following steps are tested with cPanel 11.64.0.36 and CentOS 6.9 64 bit. The PHP handler should be suphp to get this working.

cd /usr/local/src/
wget http://php.net/distributions/php-7.0.22.tar.gz #Go to php.net site to find the latest version
tar xvf php-7.0.22.tar.gz

Build it.

 #./configure  --enable-bcmath --enable-calendar --enable-exif --enable-ftp --enable-gd-native-ttf --enable-libxml --enable-mbstring --enable-pdo=shared --enable-sockets --enable-zip --prefix=/usr/local/php70  --with-curl=/opt/curlssl/ --with-freetype-dir=/usr --with-gd --with-gettext --with-imap=/opt/php_with_imap_client/ --with-imap-ssl=/usr --with-jpeg-dir=/usr --with-kerberos --with-libdir=lib64 --with-libxml-dir=/opt/xml2/ --with-mcrypt=/opt/libmcrypt/ --with-mysqli --with-openssl=/usr --with-openssl-dir=/usr --with-pcre-regex=/opt/pcre --with-pdo-mysql=shared --with-pdo-sqlite=shared --with-pic --with-png-dir=/usr --with-xpm-dir=/usr --with-zlib --with-zlib-dir=/usr

You may add any additional parameters required. You can run ./configure --help to see all available options first.
Important: Do not forget to set the "--prefix=/usr/local/php70". Otherwise, your existing PHP installation will be lost.

 make
 make install

If everything is successful, the PHP binaries will be installed in "/usr/local/php70/bin/" directory.

Copy the default php.ini:

 cp -pr /usr/local/src/php-7.0.22/php.ini-production /usr/local/php70/lib/php.ini

Add pdo,opcache, other modules to php.ini file.

 echo "extension=pdo.so" >> /usr/local/php70/lib/php.ini
 echo "extension=pdo_mysql.so" >> /usr/local/php70/lib/php.ini
 echo "zend_extension=opcache.so" >> /usr/local/php70/lib/php.ini

Verify the installation

/usr/local/php70/bin/php -v
PHP 7.0.22 (cli) (built: Aug 5 2017 01:56:23) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
with Zend OPcache v7.0.22, Copyright (c) 1999-2017, by Zend Technologies

Now link our new PHP 7 installation with Apache web server

Generate the PHP config:

cat >  /usr/local/apache/conf/php70.conf << EOF
AddType application/x-httpd-php7 .php7 .php

    suPHP_AddHandler application/x-httpd-php7

EOF

Add new handler to suphp

Edit the /opt/suphp/etc/suphp.conf and add below code, at the end of the handlers list to enable PHP7 handler.

;Handler for php-scripts
#... existing handlers are here ... put yours below them
application/x-httpd-php7="php:/usr/local/php70/bin/php-cgi"

Now add our custom php config file to EasyApache list so that the changes will not be lost future EasyApache builds.

There are two options here. You can either go into WHM and edit the post_virtualhost_global.conf file from there or you just run: vi /usr/local/apache/conf/includes/post_virtualhost_global.conf. Add the line below in that file and you should be all done.

Include /usr/local/apache/conf/php70.conf

Now restart Apache

service httpd restart

Configure a website To Use This new PHP 7
Add following code to .htaccess file(/home/username/public_html/.htaccess)

AddType application/x-httpd-php7 .php7 .php

NRPE installation Ubuntu

NRPE installation installation Ubuntu

Tested: Ubuntu 14.04 64 bit

#Install necessary packages
apt-get install gettext autoconf gcc libc6 libmcrypt-dev make libssl-dev wget automake libtool bc gawk dc build-essential snmp libnet-snmp-perl

#Add icinga user and group
groupadd -g 9000 icinga
useradd -u 9000 -g icinga -d /usr/local/nagios -c "Nagios NRPE" icinga

# Install latest NRPE

cd /usr/local/src/
wget --no-check-certificate -O nrpe.tar.gz https://github.com/NagiosEnterprises/nrpe/archive/nrpe-3.2.0.tar.gz
tar xvf nrpe.tar.gz
cd nrpe-nrpe-3.2.0
./tools/setup
./configure --enable-command-args --with-ssl-lib=/usr/lib/x86_64-linux-gnu/ --with-nrpe-user=icinga --with-nrpe-group=icinga --with-nagios-user=icinga --with-nagios-group=icinga #Ubuntu x86_x64
#For Ubuntu i386
#./configure --enable-command-args --with-ssl-lib=/usr/lib/i386-linux-gnu/ --with-nrpe-user=icinga --with-nrpe-group=icinga --with-nagios-user=icinga --with-nagios-group=icinga
make all
make install
make install-config

#Update Services File
echo “Adding nrpe to running services”
echo “nrpe 5666/tcp # Nagios NRPE” >>/etc/service
s

#Install Service / Daemon
make install-init
#Ubuntu 13.x / 14.x

#systemctl enable nrpe.service #Ubuntu 15.x / 16.x / 17.x

#Open the incoming TCP port 5666 on your firewall. You will have to do this using firewall software, like firewall ufw.

#Update Configuration File
The file nrpe.cfg is where the following settings will be defined. It is located:

/usr/local/nagios/etc/nrpe.cfg

allowed_hosts=

At this point NRPE will only listen to requests from itself (127.0.0.1). If you wanted your nagios server to be able to connect, add it's IP address after a comma (in this example it's 10.25.5.2):

allowed_hosts=127.0.0.1,10.25.5.2

The following commands make the configuration changes described above.

sudo sh -c "sed -i '/^allowed_hosts=/s/$/,10.25.5.2/' /usr/local/nagios/etc/nrpe.cfg"
sudo sh -c "sed -i 's/^dont_blame_nrpe=.*/dont_blame_nrpe=1/g' /usr/local/nagios/etc/nrpe.cfg"

#Start Service / Daemon

Different Linux distributions have different methods of starting NRPE.

Ubuntu 13.x / 14.x

sudo start nrpe

Ubuntu 15.x / 16.x / 17.x

sudo systemctl start nrpe.service

Test NRPE

Now check that NRPE is listening and responding to requests.

/usr/local/nagios/libexec/check_nrpe -H 127.0.0.1

You should see the output similar to the following:
NRPE v3.2.0

If you get the NRPE version number (as shown above), NRPE is installed and configured correctly.

You can also test from your Nagios host by executing the same command above, but instead of 127.0.0.1 you will need to replace that with the IP Address / DNS name of the machine with NRPE running.

Service / Daemon Commands

Different Linux distributions have different methods of starting / stopping / restarting / status NRPE.

Ubuntu 13.x / 14.x

sudo start nrpe
sudo stop nrpe
sudo restart nrpe
sudo status nrpe

Ubuntu 15.x / 16.x / 17.x

sudo systemctl start nrpe.service
sudo systemctl stop nrpe.service
sudo systemctl restart nrpe.service
sudo systemctl status nrpe.service

Installing The Nagios Plugins

NRPE needs plugins to monitor different parameters. T

#Install Latest Nagios plugins

cd /usr/local/src/
wget --no-check-certificate -O nagios-plugins.tar.gz https://github.com/nagios-plugins/nagios-plugins/archive/release-2.2.1.tar.gz
tar zxf nagios-plugins.tar.gz
cd nagios-plugins-release-2.2.1/
./tools/setup
./configure --enable-perl-modules
make
make install

#Test NRPE + Plugins

Using the check_load command to test NRPE:
/usr/local/nagios/libexec/check_nrpe -H 127.0.0.1 -c check_load

You should see the output similar to the following:
OK - load average: 0.01, 0.13, 0.12|load1=0.010;15.000;30.000;0; load5=0.130;10.000;25.000;0; load15=0.120;5.000;20.000;0;

You can also test from your Nagios host by executing the same command above, but instead of 127.0.0.1 you will need to replace that with the IP Address / DNS name of the machine with NRPE running.

Problems logging into Plesk because of IP restrictions

Hello,

If you receive following error while logging to the Plesk panel, that means there is a IP based restriction to access Plesk admin panel and your current IP is not allowed to access.

“Unable to log into Plesk: Access for administrator from address xx.xx.xx.xx is restricted in accordance with IP Access restriction policy currently applied”

Cause
Plesk IP access policy was configured in such a way so that Plesk could not be accessed from the certain IP.

Resolution

Method 1. To enable Plesk access, you need to log into the Plesk from another IP and change the IP access policy:

Tools and Settings > Restrict Administrative Access
Add your IP to the whitelist

Method 2. Updating the database directly

If you cannot login to the panel, then you can connect to the server using SSH and correct this through database queries. Plesk database records regarding the access policy need to be corrected.

To retrieve the current policy and the restricted/allowed IPs, the following commands can be used:

Linux

#MYSQL_PWD=`cat /etc/psa/.psa.shadow` mysql -u admin psa
    mysql> select * from cp_access;
    mysql> select * from misc where param='access_policy';

Windows

"%plesk_bin%\dbclient" --direct-sql --sql="select * from cp_access"
    "%plesk_bin%\dbclient" --direct-sql --sql="select * from misc where param='access_policy'";

If you wish to clear the access policy settings, remove all records from “cp_access” and set the policy to “allow”:

Linux

# MYSQL_PWD=`cat /etc/psa/.psa.shadow` mysql -u admin psa
    mysql> delete from cp_access;
    mysql> update misc set val="allow" where param='access_policy';

Windows

"%plesk_bin%\dbclient" --direct-sql --sql="delete from cp_access";
    "%plesk_bin%\dbclient" --direct-sql --sql="update misc set val='allow' where param='access_policy'";

To whitelist the IP manually

bash# mysql -uadmin -p`cat /etc/psa/.psa.shadow ` psa

insert into cp_access values ("", "deny", "x.x.x.", "255.255.255.255"); //change the IP address to your public IP.

Then you should be able to connect to the Plesk control panel from the new IP address.

URL Monitoring With Nagios

Capabilities

Nagios provides complete URL monitoring of HTTP and HTTPS servers and protocols as well as full URL transaction monitoring.

Benefits

Implementing effective URL monitoring with Nagios offers the following benefits:
* Increased server, services, and application availability
* Fast detection of network outages and protocol failures
* Monitor user experience when accessing URLs
* Web server performance monitoring
* Web transaction monitoring
* URL monitoring

URL monitoring

By using the ‘check_http’ nagios command, we can monitor a specific url rather than checking the Apache service is up or not. This method is helpful to identify if the website is hacked and url is injected with malicious codes or there is some Apache or php errors and page is throwing an error instead. The normal Apache service check will return successful results in the above case.
We can check for a specific keyword string on the webpage. If that string not present, an error will be returned.

Here is an real example

define service{
    use                            urlmonitoring-service
    host_name                      server.linuxwebservertips.in
    service_description            url_check
    check_command                  check_http!-H linuxwebservertips.in -t 30 -R "Cpanel and WHM" -f follow
}

The above will check for the keyword “Cpanel and WHM” on the page “linuxwebservertips.in”. If the keyword is missing or the page is not responding nagios will retun and error.

URL monitoring +SSL

You can refer to below example if the web page has SSL/TLS enabled.

define service{
    use                            urlmonitoring-service
    host_name                      server.linuxwebservertips.in
    service_description            url_check
    check_command                  check_http!-H linuxwebservertips.in -t 30 -R "Cpanel and WHM" -f follow --ssl
}

Here we added the option “–ssl” to the check command

URL monitoring on ht password protected page

Normal method will not work as we need to validate ht password protection first to see the page. You can use the following example for such pages.

define service{
    use                            urlmonitoring-service
    host_name                      server.linuxwebservertips.in
    service_description            url_check_protected
    check_command                  check_http!-H linuxwebservertips.in -a user:password -t 30 -R "Cpanel and WHM" -f follow --ssl 
}

Replace the username and password appropriately.

Run Postfix on multiple ports

Adding additional SMTP listenerports

By default postfix run on port 25 and 587(TLS). However some ISPs block port 25. In that case you can configure the postfix mail server to listen on addional ports too, for example port 26 or some random 5125.

This configuration is done in the master.cf configuration file. Edit it in your editor of choice.

This file is in the following format:

# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================

The first column is the port number that you want to listen on. The default SMTP port 25 line will read as follows:

smtp inet n - - - - smtpd

To add an additional listener port of 5125, insert the the following after the above:

5125 inet n - n - - smtpd

Save the file and restart postfix service

service postfix restart

Now you can use port 25, 587 and 5125 to connect to your mail server.

FTP connectivity problem:: No route to host

FTP connectivity problem

If you are getting following error while FTP directory listing, follow the solution provided below

———-
ftp> ls
227 Entering Passive Mode (108,61,169,245,167,161).
ftp: connect: No route to host
———-

Solution

Edit /etc/sysconfig/iptables-config and add this line:

IPTABLES_MODULES=”ip_conntrack_ftp”

Save it and restart iptables.
That’s because passive mode use non standard ports to communicate, so you need to keep trak of the ftp connections and iptables will allow them when necessary.

However, you will need to do this every time you reboot your RedHat server. Thus as a more permanent solution you can persistently load this module after each reboot by creating executable shell script within /etc/sysconfig/modules/ directory. Create file /etc/sysconfig/modules/iptables.modules with the following content:

#!/bin/sh
exec /sbin/modprobe ip_conntrack_ftp >/dev/null 2>&1

Once you save this file you also need to make it executable:
# chmod +x /etc/sysconfig/modules/iptables.modules

Another solution is specify the passive ports that will be used on FTP server configuration, then open those specific ports on firewall.

Page 1 of 3

Powered by WordPress & Theme by Anders Norén