Sunday, July 7, 2013

OpenVz Server Setup

Stage 1 :  Server Setup
------------------------------


1. Add the OpenVZ repository to yum.

Code: [Select]
cd /etc/yum.repos.d
wget http://download.openvz.org/openvz.repo
rpm --import http://download.openvz.org/RPM-GPG-Key-OpenVZ

2. Search available kernels
    a.
Code: [Select]
yum search vzkernel

3. Install kernel
    a.
Code: [Select]
yum install vzkernel
         * it will install the necessary packages for OpenVZ virtualization, including vzctl, vzquota etc.
         *
Code: [Select]
rpm -qa | grep vzkernel
    ---> verification command

4. Configure boot loader
     a. /etc/grub.conf
     b. edit the title of the vzkernel entry to OpenVZ (just for clarity)

5. Set kernel parameters and disable SELinux

       a.
Code: [Select]
vi /etc/sysctl.conf
  and set the parameters below:

Quote
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# Enables the magic-sysrq key
kernel.sysrq = 1
# We do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0

       b.
Code: [Select]
vi /etc/sysconfig/selinux
  and set
Code: [Select]
SELINUX=disabled
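An added check, not part of the original post, that compares a sysctl.conf-style file against the values listed in step 5; on a live host point it at /etc/sysctl.conf, or at the saved output of `sysctl -a` to audit the running values instead. The sample file contents are constructed.

```shell
#!/bin/sh
# Added check (not from the original post): compare a sysctl.conf-style file
# against the values the OpenVZ setup above requires.
# key=value pairs from step 5, one per line
EXPECTED='net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.default.proxy_arp=0
net.ipv4.conf.all.rp_filter=1
kernel.sysrq=1
net.ipv4.conf.default.send_redirects=1
net.ipv4.conf.all.send_redirects=0'

# sysctl_value FILE KEY -> prints the effective value of KEY in FILE: comments
# stripped, whitespace ignored, last assignment wins (as with sysctl -p).
sysctl_value() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# audit_sysctl FILE -> prints one line per missing or mismatched key and
# returns 0 only when every expected key has the expected value.
audit_sysctl() {
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sysctl_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key = $have (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: ip_forward still 0, several keys absent.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1   # Enables source route verification
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
EOF
audit_sysctl "$SAMPLE" || echo "sysctl.conf needs the fixes listed above"
rm -f "$SAMPLE"
```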

6. Reboot into the OpenVZ kernel.
7. Check whether eth0 is detected; if not, refer to the link below for the fix.
   
    http://in.myloth.com/forum/index.php?topic=17.0

8. Start OpenVz
     
Code: [Select]
/sbin/service vz start

Stage 2 : Templates
--------------------------


1. Download OS templates to  /vz/template/cache/
     Check http://wiki.openvz.org/Download/template/precreated

Stage 3 :  Setup VMs
---------------------------

 
 1. Create virtual machines (CID --> Container ID)

Code: [Select]
vzctl create CID --ostemplate template --config basic
vzctl set CID --onboot yes --save
  ---> To start VMs on boot
 2. Configure VM
        a. add IP

Code: [Select]
vzctl set CID --ipadd ip --save
        b. Number of other sockets

Code: [Select]
vzctl set CID --numothersock 150 --save
        c. Set name server for network access

Code: [Select]
vzctl set CID --nameserver IP --save
  ( our case 192.168.1.1 )
        d. Start VM

Code: [Select]
vzctl start CID

OpenVZ Commands

1) vzlist -a : To list all VPS.

2) vzlist : To list all running VPS.

3) vzctl start <VPSID> : To start a VPS.

4) vzctl stop <VPSID> : To stop a VPS.

5) vzctl stop <VPSID> --fast : To stop a VPS quickly and forcefully.

6) vzctl restart <VPSID> : To restart a VPS.

7) vzctl status <VPSID> : To view the status of a particular VPS.

8) vzctl enter <VPSID> : To enter a particular VPS.

9) vzcalc -v <VPSID> : To view the resources used by the VPS.

10) vzctl exec <VPSID> <COMMAND> : To execute a command inside the VPS.

11) vzdqcheck [options] <path> : To count inodes and disk space used.

Options available to the vzdqcheck command are:

              -h :- Usage info.
              -V :- vzquota version info.
              -v :- Verbose mode.
              -q :- Quiet mode.

12) vzcpucheck -v : To get the CPU usage.

13) vzmemcheck [-v] [-A] : Shows the node memory parameters.

          Options available to the vzmemcheck command are:
               -v :- Display information for each container.
               -A :- Display absolute values (in megabytes).

14) vzpid <pid> : To display the ID of the container where the process is running.

15) vzsplit -n <numve> -f <conf_name> -s <swapsize> -v <yes|no> : To generate a sample VE configuration file.

          -n numve       :- Specify the number of containers.
          -f conf_name   :- Specify the configuration sample name to write the configuration to.
          -s swapsize    :- Specify the swap size in Kbytes.
          -v yes|no      :- Whether to generate a VSwap-enabled configuration.

16) vzcfgvalidate : To catch typical mistakes in the configuration.

                 It can be invoked as follows:

                    # cd /etc/vz/conf
                    # vzcfgvalidate <config_file>

17) vzctl set <VPSID> --hostname <HOSTNAME> --save : To set the hostname of a VPS.

18) vzctl set <VPSID> --ipadd <IP> --save : To add a new IP to the VPS.

19) vzctl set <VPSID> --ipdel <IP> --save : To delete an IP from the VPS.

20) vzctl set <VPSID> --userpasswd root:<NEW PASSWORD> --save : To reset the root password of a VPS.

21) vzctl set <VPSID> --nameserver <IP> --save : To add nameserver IPs to the VPS.

22) exit : Log out from the VPS.

23) vzctl destroy <VPSID> : To destroy the VPS.

Installing Ioncube loader, EAccelerator, Zendopt, SourceGuardian, PHPSuHosin




To install Ioncubeloader : #/scripts/phpextensionmgr install IonCubeLoader
To install Eaccelerator  : #/scripts/phpextensionmgr install EAccelerator
To install zend optimizer :#/scripts/phpextensionmgr install Zendopt
To install SourceGuardian :#/scripts/phpextensionmgr install SourceGuardian
To install Suhosin        :#/scripts/phpextensionmgr install PHPSuHosin

OR run /scripts/easyapache

How to install VNC server on CentOS 6

To run the VNC Server on CentOS, we have to install these required packages:

Code: [Select]
yum groupinstall Desktop
yum install tigervnc-server
yum install xorg-x11-fonts-Type1
yum install vnc

To start VNC Server on boot

Code: [Select]
chkconfig vncserver on

To setup users’ VNC password:

Code: [Select]
vncpasswd

Edit the /etc/sysconfig/vncservers file:

Code: [Select]
nano /etc/sysconfig/vncservers

Add the following to the end of the file:

Code: [Select]
VNCSERVERS="1:arbab"
VNCSERVERARGS[1]="-geometry 1024x600"

The iptables rules need to be amended to open the VNC ports:

Code: [Select]
iptables -I INPUT 5 -m state --state NEW -m tcp -p tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT
service iptables save
service iptables restart

Restart the VNC Server:

Code: [Select]
service vncserver restart

Now kill the VNC Server:

Code: [Select]
vncserver -kill :1

Edit the xstartup file in the .vnc directory:

Code: [Select]
nano .vnc/xstartup

Comment out the last line and run Gnome:

Code: [Select]
#twm &
exec gnome-session &

Restart the service:

Code: [Select]
service vncserver restart

Now, download VNCViewer onto our desktop computer from which we want to access the shared desktop.
Connect using ServerIP/Name:1 (:1 is for the VNC server window)

http://www.realvnc.com/download/viewer/

Enter the password that we created using the vncpasswd command:

Ability to connect for multiple users:
Create a local user, using the following command:

Code: [Select]
adduser ali

Create a password for newly created user:

Code: [Select]
passwd ali

Switch to the newly created user and run vncpasswd command for it:

su ali

Code: [Select]
vncpasswd

Edit the /etc/sysconfig/vncservers file:

Code: [Select]
nano /etc/sysconfig/vncservers

Add these lines for new user:

Code: [Select]
VNCSERVERS="1:arbab 2:ali"
VNCSERVERARGS[1]="-geometry 1024x600"
VNCSERVERARGS[2]="-geometry 1024x600"

Restart the VNC service:

Code: [Select]
service vncserver restart

Kill the vncserver session for the new user and edit the xstartup file:

Code: [Select]
su ali
vncserver -kill :2
cd ~
nano .vnc/xstartup

Modify the file so it looks like this:

Code: [Select]
#twm &
exec gnome-session &

Restart the VNC service:

Code: [Select]
service vncserver restart

Connect with newly created user using centos:2, Where centos is my server name:

Enter the password that we created using the vncpasswd command:

Repairing Unix File system with fsck

FSCK
--------
          fsck is a Unix utility for checking and repairing file system inconsistencies. A file system can become inconsistent for several reasons; the most common is an abnormal shutdown due to hardware failure, power failure or switching off the system without a proper shutdown. In these cases the super-block of the file system is not updated and holds mismatched information about system data blocks, free blocks and inodes.

fsck – Modes of operation :

Interactive :- fsck examines the file system, stops at each error it finds, describes the problem and asks whether to correct it or to continue without changing the file system.

Non-interactive :- fsck tries to repair every problem it finds without stopping for a user response. This is useful when a file system has a large number of inconsistencies, but has the disadvantage that some useful files detected as corrupt may be removed.

If a file system is found to have problems at boot time, non-interactive fsck is run and all errors considered safe to correct are corrected. If the file system still has problems, the system boots into single-user mode and asks the user to run fsck manually to correct them.

Running fsck :

         fsck should always be run in single-user mode, which ensures a proper repair of the file system. If it is run on a busy system where the file system is changing constantly, fsck may see the changes as inconsistencies and may corrupt the file system.

If the system cannot be brought into single-user mode, fsck should be run on the partitions other than root & /usr after unmounting them; the root & /usr partitions cannot be unmounted. If the system fails to come up due to root//usr file system corruption, it can be booted from CD and the root//usr partitions repaired with fsck.

fsck phases

fsck checks the file system in a series of 5 phases, each checking a specific aspect of the file system.

Code: [Select]
** phase 1 – Check Blocks and Sizes
** phase 2 – Check Pathnames
** phase 3 – Check Connectivity
** phase 4 – Check Reference Counts
** phase 5 – Check Cylinder Groups

Procedure
=======
1) Take system down to runlevel one (make sure you run all command as root user):

Code: [Select]
# init 1

2)Unmount file system, for example if it is /home (/dev/sda3) file system then type command:

Code: [Select]
# umount /home

3) Now run fsck on the partition:

Code: [Select]
# fsck -fyC /dev/sda3

-f - force the check even if the file system appears clean
-y - fix any detected file system corruption automatically (answer yes to every question)
-C - display completion/progress bars for those file system checkers (currently only ext2 and ext3) which support them

4) Once fsck finished, remount the file system:

Code: [Select]
# mount /home

5) Go to multiuser mode

Code: [Select]
# init 3

Additional examples
----------------------

1. Run through the /etc/fstab file and try to check all file systems in one run.

Code: [Select]
# fsck -A

How to secure Linux cPanel server

A)Via WHM

WHM >> Security Center

1. Compiler Access >> make sure it is disabled for all users except "root".

2. Configure Security Policies >> Password Strength

3. cPHulk Brute Force Protection >> Enable it. White List known IPs if required (say if customer has static IP from ISP).

4. Traceroute Enable/Disable >> Disable it.

5. Shell Fork Bomb Protection >> Enable.

B) OS and kernel

6. find / \( -perm -a+w \) ! -type l >> world_writable.txt : Look at world_writable.txt to see all world-writable files and directories. This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.

7. find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner.txt for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.

8. Make Sure No Non-Root Accounts Have UID Set To 0

awk -F: '($3 == "0") {print}' /etc/passwd (you should see only one line of output) like:

root:x:0:0:root:/root:/bin/bash
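Items 6 and 8 as small functions, added here and not from the original post, tried on a constructed passwd file and directory tree before being pointed at /etc/passwd and /. The world-writable check also skips sticky directories such as /tmp, which the plain find command above would list; the sysadm login and the file names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: items 6 and 8 above as functions
# that take a passwd-format file and a directory, exercised on constructed input.

# uid0_extra PASSWD_FILE -> prints every login other than root whose UID is 0.
# Returns 0 when there are none, 1 when at least one exists.
uid0_extra() {
    awk -F: '$3 == 0 && $1 != "root" { print $1; found = 1 }
             END { if (found) exit 1 }' "$1"
}

# world_writable DIR -> lists world-writable files and directories under DIR.
# Symlinks are skipped as in the post; sticky directories such as /tmp are
# skipped too, since they are world-writable by design and swamp the report.
world_writable() {
    find "$1" -perm -0002 ! -type l ! \( -type d -perm -1000 \) | sort
}

# --- constructed sample input ------------------------------------------
TMP=$(mktemp -d)
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sysadm:x:0:0:second UID 0 login:/root:/bin/bash
ali:x:500:500::/home/ali:/bin/bash
EOF
mkdir -p "$TMP/tree/public_html" "$TMP/tree/tmp"
chmod 0755 "$TMP/tree" "$TMP/tree/public_html"
touch "$TMP/tree/public_html/index.php" "$TMP/tree/public_html/upload.php"
chmod 0644 "$TMP/tree/public_html/index.php"
chmod 0666 "$TMP/tree/public_html/upload.php"   # world-writable: reported
chmod 1777 "$TMP/tree/tmp"                      # sticky: skipped
ln -s /etc/hostname "$TMP/tree/link"            # symlink: skipped

echo "UID 0 accounts besides root:"
uid0_extra "$TMP/passwd" || echo "-> remove or re-ID these before going live"
echo "World-writable paths:"
world_writable "$TMP/tree"
rm -rf "$TMP"
```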

9. Tripwire – Monitors checksums of files and reports changes.
    http://tripwire.com or http://sourceforge.net/projects/tripwire
   
10. Chkrootkit – Scans for common rootkits, backdoors, etc.

    http://www.chkrootkit.org

11. Rkhunter – Scans for common rootkits, backdoors, etc.

    http://www.rootkit.nl/projects/rootkit_hunter.html

Now create a cronjob so it will email you with notifications to the root mailbox:
#crontab -e

At the bottom add the following line
16 0 * * * /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet

Press control x to save

12. Logwatch – Monitors and reports on daily system activity.

    http://logwatch.org

13. Linux Kernel /etc/sysctl.conf Hardening at http://in.myloth.com/forum/index.php/topic,112.0.html

14. Change SSH port to non-standard port.

15. Change SSH Protocol 2,1 to Protocol 2

16. Enable Email Alert on root login

cd /root ; vi  .bashrc

Scroll to the end of the file then add the following:

echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" admin@domain.com

C) Firewall and misc. security

17. Install CSF firewall and make sure test mode is disabled after opening all used ports.

IMP: Make sure SSH port set in #14 is opened in firewall.

CSF Connection Limit
The CT options in csf.conf control this; configure them like this:
CT_LIMIT = "100"
  Every IP with more than 100 connections will be blocked.
CT_PERMANENT = "1"
  The IP will be blocked permanently.
CT_BLOCK_TIME = "1800"
  The IP will be blocked for 1800 secs (1800 secs = 30 mins).
CT_INTERVAL = "60"
  The number of seconds between connection tracking scans.
After editing csf.conf, restart csf.

18. Tweak LFD and CSF to prevent DOS.

19. Secure /tmp, /dev/shm and /var/tmp

D) PHP security

20. Disable vulnerable PHP functions. Find disable_functions in the php.ini file and set:

disable_functions = system, show_source, symlink, exec, dl,
shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
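An added check, not from the original post, that reads a php.ini and reports which of the functions from item 20 are still callable, so the change can be verified after editing; the sample php.ini is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: report which of the functions
# item 20 says to disable are still enabled according to a php.ini file.

# The list from item 20.
WANT_DISABLED="system show_source symlink exec dl shell_exec passthru phpinfo escapeshellarg escapeshellcmd"

# disabled_functions INI -> prints the effective disable_functions entries, one
# per line. Lines starting with ';' are comments; the last assignment wins.
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr ',' '\n' | sed -e 's/[[:space:]]//g' -e '/^$/d'
}

# still_enabled INI -> prints each wanted function that is not disabled.
# Returns 0 when all of them are disabled, 1 otherwise.
still_enabled() {
    have=$(disabled_functions "$1")
    rc=0
    for fn in $WANT_DISABLED; do
        if ! printf '%s\n' "$have" | grep -qx "$fn"; then
            echo "$fn"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample php.ini: a commented-out old value and a partial list.
INI=$(mktemp)
cat > "$INI" <<'EOF'
[PHP]
;disable_functions = exec,system
disable_functions = system, show_source, symlink, exec, dl
expose_php = Off
EOF
echo "Still callable according to $INI:"
still_enabled "$INI" || echo "-> add these to disable_functions and restart Apache"
rm -f "$INI"
```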

21. Enable suPHP if the server is for shared hosting.

22. WHM >> Configure PHP and suEXEC > set suPHP handler and suexec

E) Apache

22. Install mod_security and cmc to manage the mod sec rules via WHM. See http://configserver.com/cp/cmc.html

23. Install dos_evasive.

F) FTP

24. WHM >> Service Configuration >> FTP Server Configuration

Make sure Anonymous logins and uploads are disabled.

G) MySQL

25. Disable networking if you don't need anyone to remotely connect to MySQL server.

Add the below line to my.cnf

skip-networking

Migrate SSL certificate from old server to new one

If you have root access to old server:

1. Login as root via SSH.

You will find the cert, CA bundle and the private key at /etc/ssl folder.

root@server [/etc/ssl]# ls
./  ../  certs/  private/

Inside certs folder you will find domain.crt and domain.cabundle. Inside private folder you will see domain.key.

2. Copy those to a notepad.

3. Login to WHM of new server > make sure that the site is on Dedicated IP. If not, >> Change site's IP address and set a dedicated IP.

4. Via WHM >> Install an SSL Certificate and Setup the Domain >> enter the cert, key and cabundle. Make sure the username, IP and domain name is correct in the respective fields.

5. Submit and you are done.

6. On your local machine, point the domain at the new dedicated IP and make sure that https://domain.com works before you update the customer.