Sunday, July 7, 2013

OpenVz Server Setup

Stage 1 :  Server Setup
------------------------------


1. Add the OpenVZ repository to yum.

     a. cd /etc/yum.repos.d
     b. wget http://download.openvz.org/openvz.repo
     c. rpm --import http://download.openvz.org/RPM-GPG-Key-OpenVZ

2. Search available kernels

     yum search vzkernel

3. Install kernel

     yum install vzkernel

     * This installs the packages needed for OpenVZ virtualization, including vzctl, vzquota, etc.
     * Verification command:

         rpm -qa | grep vzk

4. Configure boot loader
     a. Open /etc/grub.conf
     b. Edit the title of the vzkernel entry to read OpenVZ (just for clarity)

5. Set kernel parameters and disable SELinux

     a. Edit /etc/sysctl.conf:

          vi /etc/sysctl.conf

        and set the parameters below:

          net.ipv4.ip_forward = 1
          net.ipv6.conf.default.forwarding = 1
          net.ipv6.conf.all.forwarding = 1
          net.ipv4.conf.default.proxy_arp = 0

          # Enables source route verification
          net.ipv4.conf.all.rp_filter = 1
          # Enables the magic-sysrq key
          kernel.sysrq = 1
          # We do not want all our interfaces to send redirects
          net.ipv4.conf.default.send_redirects = 1
          net.ipv4.conf.all.send_redirects = 0

     b. Edit /etc/sysconfig/selinux:

          vi /etc/sysconfig/selinux

        and set:

          SELINUX=disabled

6. Now reboot into the OpenVZ kernel.
7. Check whether eth0 is detected; if not, refer to the link below for the fix.
   
    http://in.myloth.com/forum/index.php?topic=17.0

8. Start OpenVz
     
     /sbin/service vz start

Stage 2 : Templates
--------------------------


1. Download OS templates to  /vz/template/cache/
     Check http://wiki.openvz.org/Download/template/precreated

Stage 3 :  Setup VMs
---------------------------

 
 1. Create virtual machines (CID --> Container ID)

         vzctl create CID --ostemplate template --config basic
         vzctl set CID --onboot yes --save      ---> To start VMs on boot

 2. Configure VM
        a. Add IP

             vzctl set CID --ipadd ip --save

        b. Number of sockets

             vzctl set CID --numothersock 150 --save

        c. Set name server for network access

             vzctl set CID --nameserver IP --save      (in our case 192.168.1.1)

        d. Start VM

             vzctl start CID

OpenVZ Commands

1) vzlist -a : To list all VPS.

2) vzlist : To list all running VPS.

3) vzctl start <VPSID> : To start a VPS.

4) vzctl stop <VPSID> : To stop a VPS.

5) vzctl stop <VPSID> --fast : To stop a VPS quickly and forcefully.

6) vzctl restart <VPSID> : To restart a VPS.

7) vzctl status <VPSID> : To view the status of a particular VPS.

8) vzctl enter <VPSID> : To enter a particular VPS.

9) vzcalc -v <VPSID> : To view the resources used by the VPS.

10) vzctl exec <VPSID> <COMMAND> : To execute a command against the VPS.

12) vzdqcheck [options] <path> : To count inodes and disk space used.

          Options available to the vzdqcheck command are:
               -h : Usage info.
               -V : vzquota version info.
               -v : Verbose mode.
               -q : Quiet mode.

13) vzcpucheck -v : To get the CPU usage.

14) vzmemcheck [-v] [-A] : Shows the Node memory parameters.

          Options available to the vzmemcheck command are:
               -v : Display information for each Container.
               -A : Display absolute values (in megabytes).

15) vzpid <pid> : To display the ID of the Container where the process is running.

16) vzsplit -n <numve> -f <conf_name> -s <swapsize> -v <yes|no> : To generate a sample VE configuration file.

          -n numve     : Specify the number of containers.
          -f conf_name : Specify the configuration sample name to write the configuration to.
          -s swapsize  : Specify the swap size in Kbytes.
          -v yes|no    : Whether to generate a VSwap-enabled configuration.

17) vzcfgvalidate : To catch typical mistakes in the configuration.

          It can be invoked as follows:

               # cd /etc/vz/conf
               # vzcfgvalidate <config_file>

18) vzctl set <VPSID> --hostname <HOSTNAME> --save : To set the hostname of a VPS.

19) vzctl set <VPSID> --ipadd <IP> --save : To add a new IP to the VPS.

20) vzctl set <VPSID> --ipdel <IP> --save : To delete the IP from the VPS.

21) vzctl set <VPSID> --userpasswd root:<NEW PASSWORD> --save : To reset the root password of a VPS.

22) vzctl set <VPSID> --nameserver <IP> --save : To add the nameserver IPs to the VPS.

23) exit : To log out from the VPS.

24) vzctl destroy <VPSID> : To destroy the VPS.

Installing Ioncube loader, EAccelerator, Zendopt, SourceGuardian, PHPSuHosin




To install Ioncubeloader : #/scripts/phpextensionmgr install IonCubeLoader
To install Eaccelerator  : #/scripts/phpextensionmgr install EAccelerator
To install zend optimizer :#/scripts/phpextensionmgr install Zendopt
To install SourceGuardian :#/scripts/phpextensionmgr install SourceGuardian
To install Suhosin        :#/scripts/phpextensionmgr install PHPSuHosin

OR run /scripts/easyapache

How to install VNC server on CentOS 6

To run the VNC Server on CentOS, we have to install these required packages:

yum groupinstall Desktop
yum install tigervnc-server
yum install xorg-x11-fonts-Type1
yum install vnc

To start VNC Server on boot

chkconfig vncserver on

To setup users’ VNC password:

vncpasswd

Edit the /etc/sysconfig/vncservers file:

nano /etc/sysconfig/vncservers

Add the following to the end of the file:

VNCSERVERS="1:arbab"
VNCSERVERARGS[1]="-geometry 1024x600"

The iptables rules need to be amended to open the VNC ports:

iptables -I INPUT 5 -m state --state NEW -m tcp -p tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT
service iptables save
service iptables restart

Restart the VNC Server:

service vncserver restart

Now kill the VNC Server:

vncserver -kill :1

Edit the xstartup file in the .vnc directory:

nano .vnc/xstartup

Comment out the last line and run GNOME instead:

#twm &
exec gnome-session &

Restart the service:

service vncserver restart

Now, download VNCViewer onto our desktop computer from which we want to access the shared desktop.
Connect using ServerIP/Name:1 (:1 is for the VNC server window)

http://www.realvnc.com/download/viewer/

Enter the password that we created using the vncpasswd command:

Ability to connect for multiple users:
Create a local user, using the following command:

adduser ali

Create a password for newly created user:

passwd ali

Switch to the newly created user and run the vncpasswd command for it:

su ali
vncpasswd

Edit the /etc/sysconfig/vncservers file:

nano /etc/sysconfig/vncservers

Add these lines for new user:

VNCSERVERS="1:arbab 2:ali"
VNCSERVERARGS[1]="-geometry 1024x600"
VNCSERVERARGS[2]="-geometry 1024x600"

Restart the VNC service:

service vncserver restart

Kill the vncserver session for the new user and edit the xstartup file:

su ali
vncserver -kill :2
cd ~
nano .vnc/xstartup

Modify the file so it looks like this:

#twm &
exec gnome-session &

Restart the VNC service:

service vncserver restart

Connect as the newly created user using centos:2, where centos is my server name:

Enter the password that we created using the vncpasswd command:
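The iptables rule in the procedure above accepts new connections to 5901:5903 and 6001:6003 from any source, and the VNCSERVERARGS lines do not restrict where Xvnc listens. The following check is an added example, not part of the original post: it reads a vncservers file and lists the displays whose arguments lack Xvnc's -localhost option. The function names and the second sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list VNC displays in
# /etc/sysconfig/vncservers that are not bound to loopback with -localhost.

# The file exactly as the page configures it.
page_vncservers() {
cat <<'EOF'
VNCSERVERS="1:arbab 2:ali"
VNCSERVERARGS[1]="-geometry 1024x600"
VNCSERVERARGS[2]="-geometry 1024x600"
EOF
}

# Constructed variant: display 1 is bound to loopback, display 2 is not.
partly_hardened_vncservers() {
cat <<'EOF'
# display 1 is reached through an SSH tunnel only
VNCSERVERS="1:arbab 2:ali"
VNCSERVERARGS[1]="-geometry 1024x600 -localhost"
VNCSERVERARGS[2]="-geometry 1024x600"
EOF
}

# exposed_vnc_displays < vncservers-file
# Prints "display:user" for every entry of VNCSERVERS whose VNCSERVERARGS[n]
# is missing or does not contain -localhost.
exposed_vnc_displays() {
    awk '
    /^[ \t]*#/ { next }                         # skip comment lines
    /^[ \t]*VNCSERVERS=/ {
        list = $0
        sub(/^[^=]*=/, "", list)                # keep the value only
        gsub(/"/, "", list)
        n = split(list, disp, " ")              # "1:arbab", "2:ali", ...
    }
    /^[ \t]*VNCSERVERARGS\[[0-9]+\]=/ {
        lb = index($0, "[")
        rb = index($0, "]")
        args[substr($0, lb + 1, rb - lb - 1)] = $0
    }
    END {
        for (i = 1; i <= n; i++) {
            split(disp[i], parts, ":")          # parts[1] is the display number
            if (args[parts[1]] !~ /[ "]-localhost([ "]|$)/)
                print disp[i]
        }
    }'
}

# Demo on the page's configuration: both displays are reported.
page_vncservers | exposed_vnc_displays
```

On a server, run it as `exposed_vnc_displays < /etc/sysconfig/vncservers`. Once every display carries -localhost, viewers connect through an SSH tunnel such as `ssh -L 5901:localhost:5901 user@server` and point the viewer at localhost:1, so the iptables rule for the VNC ports is no longer needed.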

Repairing Unix File system with fsck

fsck is a Unix utility for checking and repairing file system inconsistencies. A file system can become inconsistent for several reasons; the most common is an abnormal shutdown due to hardware failure, power failure or switching off the system without a proper shutdown. In these cases the super-block of the file system is not updated and holds mismatched information about the system data blocks, free blocks and inodes.

fsck – Modes of operation :

Interactive :- fsck examines the file system and stops at each error it finds, gives a description of the problem and asks the user whether to correct it or continue without making any change to the file system.

Non interactive :- fsck tries to repair all the problems it finds in a file system without stopping for user response. This is useful when a file system has a large number of inconsistencies, but has the disadvantage that some useful files which are detected as corrupt may be removed.

If a file system is found to have problems at boot time, non-interactive fsck is run and all errors which are considered safe to correct are corrected. If the file system still has problems, the system boots into single user mode and asks the user to run fsck manually to correct them.

Running fsck :

fsck should always be run in single user mode, which ensures proper repair of the file system. If it is run on a busy system where the file system is changing constantly, fsck may see the changes as inconsistencies and may corrupt the file system.

If the system cannot be brought into single user mode, fsck should be run on the partitions, other than root & user, after unmounting them. Root & user partitions cannot be unmounted. If the system fails to come up due to root/user file system corruption, the system can be booted from CD and the root/user partitions can be repaired using fsck.

fsck phases

fsck checks the file system in a series of 5 phases and checks a specific functionality of the file system in each phase.

** phase 1 – Check Blocks and Sizes
** phase 2 – Check Pathnames
** phase 3 – Check Connectivity
** phase 4 – Check Reference Counts
** phase 5 – Check Cylinder Groups

Procedure
=======
1) Take the system down to runlevel one (make sure you run all commands as the root user):

# init 1

2) Unmount the file system. For example, if it is the /home (/dev/sda3) file system, type:

# umount /home

3) Now run fsck on the partition:

# fsck -fyC /dev/sda3

C - Display completion/progress bars for those filesystem checkers (currently only for ext2 and ext3) which support them
y - to fix any detected filesystem corruption automatically

4) Once fsck has finished, remount the file system:

# mount /home

5) Go to multiuser mode:

# init 3

Additional examples
----------------------

1. Run through the /etc/fstab file and try to check all file systems in one run.

# fsck -A

How to secure Linux cPanel server

A)Via WHM

WHM >> Security Center

1. Compiler Access >> make sure it is disabled for all users except "root".

2. Configure Security Policies >> Password Strength

3. cPHulk Brute Force Protection >> Enable it. White List known IPs if required (say if customer has static IP from ISP).

4. Traceroute Enable/Disable >> Disable it.

5. Shell Fork Bomb Protection >> Enable.

B) OS and kernel

6. find / \( -perm -a+w \) ! -type l >> world_writable.txt : Look at world_writable.txt to see all world-writable files and directories. This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.

7. find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.

8. Make Sure No Non-Root Accounts Have UID Set To 0

awk -F: '($3 == "0") {print}' /etc/passwd (you should only see one o/p) like:

root:x:0:0:root:/root:/bin/bash

9. Tripwire – Monitors checksums of files and reports changes.
    http://tripwire.com or http://sourceforge.net/projects/tripwire
   
10. Chkrootkit – Scans for common rootkits, backdoors, etc.

    http://www.chkrootkit.org

11. Rkhunter – Scans for common rootkits, backdoors, etc.

    http://www.rootkit.nl/projects/rootkit_hunter.html

Now create a cronjob so it will email you with notifications to the root mailbox:
#crontab -e

At the bottom add the following line
16 0 * * * /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet

Press control x to save

12. Logwatch – Monitors and reports on daily system activity.

    http://logwatch.org

13. Linux Kernel /etc/sysctl.conf Hardening at http://in.myloth.com/forum/index.php/topic,112.0.html

14. Change SSH port to non-standard port.

15. Change SSH Protocol 2,1 to Protocol 2

16. Enable Email Alert on root login

cd /root ; vi  .bashrc

Scroll to the end of the file then add the following:

echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" admin@domain.com

C) Firewall and misc security

17. Install CSF firewall and make sure test mode is disabled after opening all used ports.

IMP: Make sure SSH port set in #14 is opened in firewall.

CSF Connection Limit
csf.conf has connection tracking (CT) options; configure them like this:
CT_LIMIT = "100"
It means every IP with more than 100 connections is going to be blocked.
CT_PERMANENT = "1"
The IP will be blocked permanently.
CT_BLOCK_TIME = "1800"
The IP will be blocked for 1800 secs (1800 secs = 30 mins).
CT_INTERVAL = "60"
Set this to the number of seconds between connection tracking scans.
After editing csf.conf, restart csf.

18. Tweak LFD and CSF to prevent DOS.

19. Secure /tmp, /dev/shm and /var/tmp

D) PHP security

20. Disable vulnerable PHP functions. Find disable_functions in the php.ini file and set it on a single line:

disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

21. Enable suPHP if the server is for shared hosting.

22. WHM >> Configure PHP and suEXEC > set suPHP handler and suexec

E) Apache

22. Install mod_security and cmc to manage the mod sec rules via WHM. See http://configserver.com/cp/cmc.html

23. Install dos_evasive.

F) FTP

24. WHM >> Service Configuration >> FTP Server Configuration

Make sure Anonymous logins and uploads are disabled.

G) MySQL

25. Disable networking if you don't need anyone to remotely connect to MySQL server.

Add the below line to my.cnf

skip-networking

Migrate SSL certificate from old server to new one

If you have root access to old server:

1. Login as root via SSH.

You will find the cert, CA bundle and the private key at /etc/ssl folder.

root@server [/etc/ssl]# ls
./  ../  certs/  private/

Inside certs folder you will find domain.crt and domain.cabundle. Inside private folder you will see domain.key.

2. Copy those to a notepad.

3. Login to WHM of new server > make sure that the site is on Dedicated IP. If not, >> Change site's IP address and set a dedicated IP.

4. Via WHM >> Install an SSL Certificate and Setup the Domain >> enter the cert, key and cabundle. Make sure the username, IP and domain name is correct in the respective fields.

5. Submit and you are done.

6. Change the IP in your local machine's IP to the new dedicated IP and make sure that https://domain.com works before you update the customer.

SQL Management Studio


This is a useful tool. This is used for configuring, managing, and administering all components within Microsoft SQL Server. The tool includes both script editors and graphical tools which work with objects and features of the server.

An important feature of SQL Server Management Studio is the Object Explorer, which allows the user to browse, select, and act upon any of the objects within the server

This can be used to connect to the SQL server remotely.

To create a SQL user please follow these steps.

1, Connect to the server using RDP
2, Open Microsoft SQL Server Management Studio
Start Menu >> All Programs >> Microsoft SQL Server >> SQL Server Management Studio
3, When prompted to login use Windows Authentication. Make sure the Server Name is localhost. Click on connect.
4, Once you are connected expand the security folder and right click on the logins folder, click new login.
5, Then you will get a window. Fill those fields
Make sure that the SQL server authentication radio button is selected. Fill in your password.
6, Make sure the enforce password policy is not checked for normal use.
7, Make sure that the highlighted area that says master is the name of the database you wish the user to be associated with.
8, Then select the User Mapping option on the left of the window.
9, Scroll down to the database you wish to have this user associated with and place a check mark next to it.
10, Click OK and your SQL user is ready.

Now you can connect the SQLMS with SQL authentication with the password.

To connect the server remotely, Please follow these steps

1, Connect to the SQLserver using windows authentication
2, Right click on the server from object explorer and click on properties.
3, Click the Connections node.
4, Under Remote server connections, select or clear the Allow remote connections to this server check box.

Now open SQL Server Configuration Manager

1, unfold the node "SQL Server Network Configuration" and select "Protocols for MSSQLServer"
2, Make sure that TCP/IP is enabled
3, Open the port 1433 from firewall

Now try connecting to the SQL server from a remote location with the IP name and SQL authentication. Note that the "sa" user is the administrator user in SQLMS with all privileges. The password is the server administrator password.

Permission issue when deleting a folder In windows (as Administrator)

If you get permission issues when deleting a folder, even if you are logged in as Administrator, use the following fix.

To take control of the folder containing the undeletable create a text file called “delete.bat”(or any name) and add the following lines to it:

SET DIRECTORY_NAME="C:\Locked Directory"
TAKEOWN /f %DIRECTORY_NAME% /r /d y
ICACLS %DIRECTORY_NAME% /grant administrators:F /t
PAUSE

You will need to change the directory path to match your requirements.

Right click on the file “delete.bat” select “Run As Administrator” and you should now have full control of the directory and all sub directories meaning you can do whatever you wish with them.

MSSQL database migration

To migrate an MSSQL database to another server, follow the steps given below.

1. Make a backup of the existing database.

  You can do that directly from the control panel or through MSSQL management studio.

 a. Login to MSSQL management studio and select the database
 b. Right click on the database > Task > backup > select the backup destination > click on "ok" button.


2. Copy the backup file to your local system through FTP

3. Upload the .bak file you got to the destination server.

4. Restore the database there.

     a. Create the database on the destination server through control panel or SQL management studio
     b. Login to MSSQL management studio and select the database
     c. Right click on the database > Tasks > Restore > Database
     d. under "Source for restore", select "From device" and browse the location of the file. It will then come under "Select the backup sets to restore"
    e. Select the appropriate backup and then go to the "options" on the top left side. check the button "overwrite existing database" there and click on "ok" button


This will do the restore and you can see a restore status option which shows the percentage of restore done. Once the restore is finished, you will get a message that the restore was successful.
   
PS: MSSQL is backward compatible. So, if the source server's MSSQL version is more advanced than the destination server's version, you will probably end up with an error.


You can also restore the database using the .sql backup (script). Follow the steps given below to generate a .sql backup.

1. Generate a .sql backup.

 a. Login to MSSQL management studio and select the database
 b. Right click on the database > Task > Generate Script > select "Script entire database and database objects" > click "next"
 c. Select an appropriate location where the backup should be saved and then click the "Advanced" button
 d. Under "General" > "Types of data to script" select "Data only" from the drop down menu > click "ok" > click "next".
 e. Click "next" for the summary and then click "finish" to complete the backup procedure.


2. Download the .sql file to the local system

3. Upload it to the target system and then double click on it. That will make the .sql file to get opened in the query editor of MSSQL manager on the destination server. Just execute the query and that will do the task.

DDOS on windows servers.

In Windows servers, we can use the following methods to check DDOS attacks.

Check the connections on port 80 through the command line:

netstat -ano | find /i /c ":80"

For eg:

C:\Users\Administrator>netstat -ano | find /i /c ":80"
183927

The following command will give you the number of connections for a specific IP:

netstat -ano | find /i /c "IP"

Identify all of the connections on the server:

netstat -n -p tcp

Export the connections on the server using the command below:

netstat -ano > ddosoutput.txt


Another method to find out the domain or IP address on which the attack is targeted is given below.

1. Download and install Wireshark on the affected server

http://www.wireshark.org/

2. Once installed, start the program on the server

3. Under "Capture", click on the "interface list". Here, you will see the traffic through all the NICs connected to the server.

4. Click on the interface where you see high traffic and then click on "Start".

5. You can see the source and destination IPs. If it is a DDOS, you can see different source IPs targeting a single destination. If the destination IP is the server's shared IP, then you have to find the domain on which the attack is targeted, as there will be many domains configured on the shared IP.

6. For that, go to "View" > "Name resolution" > "enable for network layer". Once it is enabled, you can see the domain names. Pick out the domain name where you see high accesses, set loop back on his DNS and suspend him from the server.

But, the DNS changes we make would take some amount of time to be in effect as there would be a propagation delay. If the attack is really crashing the server, you need to contact your data center and if there are any tools available to filter the attack, make use of it.

Server Monitoring (Advanced)

1) ssh root@hostname -p port   (default port is 22)

3) exim

exiqgrep -z -i | xargs exim -Mrm   - to delete frozen messages
exim -bpc   - to know the message count
exim -bp   - to list all the messages
exim -bp | exiqsumm   - to list all the messages in a group
exim -bp | grep centralph.com   - to view mails under a particular user, e.g. centralph.com
exim -bp | grep centralph.com | wc -l   - to know the count of mails under a particular user, e.g. centralph.com
exim -Mvh id   - to view a particular message header
exim -Mvb id   - to view a particular message body
exiqgrep -f centralph.com -i | xargs exim -Mrm   - to remove messages under centralph.com

6) mysqladmin stat proc   - to view the MySQL connections running

   mysqladmin stat proc | grep username   - to view the MySQL connections running for a particular user

   If the number of connections for a particular user is high, also look at the daily process log in WHM and suspend the user (/scripts/suspendacct username in the back end).

7) nice top -d 2 -u user   - to view services run by an individual user

8) \s - to check mysql uptime after getting into mysql using "mysql"

9) To check for DDOS

a) pidof httpd

b) netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1

   This can also be used; if there are more than 100 connections from an IP, then block it.

c) But before blocking any IP, check whether it is a server IP. You can check it with the command:

   ifconfig | grep <ip>

d) csf -d ipaddress   - to block that IP (confirm it is not a server IP)

e) Also check apache status on whm

11) sites to check website speed and contents(useful when doing server tickets)
a) speed
www.alertra.com
www.tools.pingdom.com
b) contents
http://analyze.websiteoptimization.com/


12) Allowing access to a particular IP

allow from <ip>
deny from all

(To allow access from that particular IP only, enter this in the .htaccess file of the owner's public_html. This is useful when unsuspending an account while giving access to the owner's IP. The owner should provide his local IP from http://www.whatismyip.com/)


13) tracert dotflashop.com      (from Windows)

    traceroute dotflashop.com   (from a Mac terminal)


14) When a lot of mails are getting frozen for a mail ID

grep "max emails" /var/log/exim_mainlog | tail

This is the proof that he is sending bulk mails.


15) netstat -plan | grep :25   - to find the (mail) connections

If you see anything like

tcp        0      0 127.0.0.1:45738             127.0.0.1:25                ESTABLISHED 547580/sshd: username
tcp        0      0 127.0.0.1:45737             127.0.0.1:25                ESTABLISHED 547580/sshd: username

it is a spammer with a script. Suspend that account.

16) apache uptime - /usr/local/apache/bin/apachectl status
17) mysql uptime  -

                  mysql(enter mysql)
                  \s
                  exit

DDOS attacks, module install and kernel tweaks

Finding DDOS attacks

Below are some of the useful netstat commands to check during DDOS attack.

To list the connections to the target IPs (server's IP's) use the below command.

netstat -alpn | grep :80 | awk '{print $4}' |awk -F: '{print $(NF-1)}' |sort |uniq -c | sort -n

To list the connections from source IP's use the below command:

netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort |uniq -c | sort -n

Block the IPs with a high connection count above using the CSF or APF firewall.

csf -d IP

apf -d IP
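The netstat pipelines above and in the Server Monitoring notes count connections per address with grep :80, which also matches ports such as 8080 and remote ports starting with 80, and the self-IP check is a separate manual step. The following is an added example, not part of the original post, that does both in one pass: it counts only connections to local port 80, folds IPv4-mapped IPv6 addresses into their IPv4 form, and drops the server's own addresses. The function names and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): per-source connection counts for
# local port 80, with the server's own addresses excluded before blocking.

# Constructed sample in Linux `netstat -plan` layout; all addresses are
# documentation ranges and 192.0.2.10 plays the server.
sample_netstat() {
cat <<'EOF'
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2101/httpd
tcp        0      0 192.0.2.10:80           198.51.100.7:51000      ESTABLISHED 2101/httpd
tcp        0      0 192.0.2.10:80           198.51.100.7:51001      ESTABLISHED 2101/httpd
tcp        0      0 192.0.2.10:80           198.51.100.7:51002      SYN_RECV    -
tcp        0      0 192.0.2.10:80           198.51.100.7:51003      TIME_WAIT   -
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51004 ESTABLISHED 2101/httpd
tcp        0      0 192.0.2.10:80           203.0.113.9:40100       ESTABLISHED 2101/httpd
tcp        0      0 192.0.2.10:80           203.0.113.9:40101       ESTABLISHED 2101/httpd
tcp        0      0 192.0.2.10:80           192.0.2.10:33000        ESTABLISHED 2101/httpd
tcp        0      0 192.0.2.10:80           192.0.2.10:33001        ESTABLISHED 2101/httpd
tcp        0      0 192.0.2.10:80           192.0.2.10:33002        ESTABLISHED 2101/httpd
tcp        0      0 192.0.2.10:8080         203.0.113.50:42000      ESTABLISHED 3300/java
tcp        0      0 192.0.2.10:8080         203.0.113.50:42001      ESTABLISHED 3300/java
tcp        0      0 192.0.2.10:22           203.0.113.77:8011       ESTABLISHED 547/sshd
EOF
}

# local_ips: space-separated list of this host's addresses (uses iproute2).
local_ips() {
    ip -o addr show 2>/dev/null | awk '{ sub(/\/.*/, "", $4); print $4 }' | tr '\n' ' '
}

# busy_remote_ips LIMIT "LOCAL_IP ..."  < netstat output
# Prints "count ip" for each remote IP with more than LIMIT connections to
# local port 80, highest count first.
busy_remote_ips() {
    awk -v limit="$1" -v locals="$2" '
    BEGIN {
        n = split(locals, l, " ")
        for (i = 1; i <= n; i++) own[l[i]] = 1
    }
    # TCP rows only, not the listening socket, and the LOCAL port must be
    # exactly 80 (a plain "grep :80" would also match :8080 and remote :80xx).
    $1 ~ /^tcp/ && $6 != "LISTEN" && $4 ~ /:80$/ {
        ip = $5
        sub(/:[0-9]+$/, "", ip)      # strip the remote port
        sub(/^::ffff:/, "", ip)      # IPv4-mapped IPv6 -> plain IPv4
        if (ip in own) next          # never list the server itself
        count[ip]++
    }
    END {
        for (ip in count)
            if (count[ip] > limit + 0) print count[ip], ip
    }' | sort -rn
}

# Demo on the constructed sample with a small limit; the page's rule of
# thumb on a live server is 100.
sample_netstat | busy_remote_ips 3 "192.0.2.10 127.0.0.1"
```

On a live server the equivalent call is `netstat -plan | busy_remote_ips 100 "$(local_ips)"`, and each address it prints is a candidate for csf -d or apf -d.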

To see the state of each connection and the value use the below command:

netstat -an|grep ":80"|awk '/tcp/ {print $6}'|sort| uniq -c

A sample output would look like:
root@linux [~]# netstat -an|grep ":80"|awk '/tcp/ {print $6}'|sort| uniq -c
      2 CLOSE_WAIT
      1 ESTABLISHED
      4 LISTEN


Install necessary modules

You can use tcpdump to identify the attacker too:


tcpdump -v -n -i eth"x" -p host IP_Address

where x can be 0 or 1. If it is a VPS, it can be venet0 too. Check the Output of ifconfig.



Try installing the below Apache modules to mitigate the attack

DOS-Deflate
mod_security
mod_dosevasive
Enable anti-DOS for APF

Tweaking the kernel

To prevent SYN floods change the below kernel parameters:

sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv=45

sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=332000

sysctl -w net.ipv4.tcp_fin_timeout=15

sysctl -w net.ipv4.tcp_synack_retries=5

sysctl -w net.ipv4.tcp_fin_timeout=15

sysctl -w net.ipv4.tcp_keepalive_time=1500

sysctl -w net.ipv4.tcp_sack=0

sysctl -w net.ipv4.tcp_max_tw_buckets=1440000

sysctl -w net.ipv4.tcp_max_syn_backlog=2048

sysctl -w net.ipv4.tcp_max_syn_backlog=4096

Also increase Apache's MaxClients limit to 500


Further sysctl tweaks

Original values inside ()

net.ipv4.tcp_fin_timeout=20 (30)
net.ipv4.tcp_keepalive_time = 1800 (3600)
net.ipv4.tcp_fin_timeout=20 (30)
net.ipv4.tcp_keepalive_time=1800 (3600)
net.ipv4.tcp_keepalive_intvl=40 (75)
net.ipv4.tcp_tw_recycle=1 (0)
net.ipv4.tcp_tw_reuse=1 (0)
net.ipv4.tcp_max_syn_backlog=4096 (2048)
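Both sysctl lists above set some keys more than once, and when the lines are applied in order only the last assignment of a key takes effect. The following is an added example, not part of the original post, that reads either list format ("sysctl -w key=value" or "key = value (original)") and reports every repeated key with its values and the one that wins. The function names are hypothetical; the two sample lists are copied from the page.

```shell
#!/bin/sh
# Added example (not from the original post): find sysctl keys that are
# assigned more than once and show which value is effective (the last one).

# The "sysctl -w" list from the SYN-flood section, as printed on the page.
page_sysctl_w() {
cat <<'EOF'
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv=45
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=332000
sysctl -w net.ipv4.tcp_fin_timeout=15
sysctl -w net.ipv4.tcp_synack_retries=5
sysctl -w net.ipv4.tcp_fin_timeout=15
sysctl -w net.ipv4.tcp_keepalive_time=1500
sysctl -w net.ipv4.tcp_sack=0
sysctl -w net.ipv4.tcp_max_tw_buckets=1440000
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
EOF
}

# The "Further sysctl tweaks" list, including its "(original)" annotations.
page_further_tweaks() {
cat <<'EOF'
net.ipv4.tcp_fin_timeout=20 (30)
net.ipv4.tcp_keepalive_time = 1800 (3600)
net.ipv4.tcp_fin_timeout=20 (30)
net.ipv4.tcp_keepalive_time=1800 (3600)
net.ipv4.tcp_keepalive_intvl=40 (75)
net.ipv4.tcp_tw_recycle=1 (0)
net.ipv4.tcp_tw_reuse=1 (0)
net.ipv4.tcp_max_syn_backlog=4096 (2048)
EOF
}

# repeated_sysctl_keys < list
# Output per repeated key: key, "duplicate" (same value each time) or
# "conflict" (values differ), the values in order, and the effective value.
repeated_sysctl_keys() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                              # drop comments
        sub(/^[ \t]*sysctl[ \t]+-w[ \t]+/, "", line)      # accept "sysctl -w k=v"
        eq = index(line, "=")
        if (eq == 0) next                                 # not an assignment
        key = substr(line, 1, eq - 1)
        val = substr(line, eq + 1)
        gsub(/[ \t]/, "", key)
        sub(/\(.*/, "", val)                              # drop "(original)" note
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (!(key in last)) {
            order[++n] = key                              # remember first-seen order
            vals[key] = val
        } else {
            vals[key] = vals[key] "," val
            if (val != last[key]) differ[key] = 1
        }
        seen[key]++
        last[key] = val
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (seen[k] > 1)
                print k, ((k in differ) ? "conflict" : "duplicate"), vals[k], "effective=" last[k]
        }
    }'
}

# Demo: the first list repeats tcp_fin_timeout and sets tcp_max_syn_backlog
# to two different values.
page_sysctl_w | repeated_sysctl_keys
```

Running it over /etc/sysctl.conf before `sysctl -p` shows which of several pasted tuning lists actually decides each value.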


Below are some of the recommended Sysctl tweaks for Web server + Database server


net.ipv4.inet_peer_gc_maxtime = 240 (120)
net.ipv4.inet_peer_maxttl = 500 (600)
net.ipv4.inet_peer_minttl = 80 (120)

Thursday, July 4, 2013

Enable SPF for all cpanel accounts

Command to install spf record on single cPanel account : 
--------------------------------------------------------------------------

/usr/local/cpanel/bin/spf_installer <cPanelusername>


Install spf records for all cPanel accounts :
-----------------------------------------------------

cd /var/cpanel/users

for i in `ls /var/cpanel/users` ;do /usr/local/cpanel/bin/spf_installer $i ;done

Networking issues in centos


Check whether the network interface is there(eg:/etc/sysconfig/network-scripts/ifcfg-eth0). If not create it. The necessary entries in the file are given below.

DEVICE=eth0
HWADDR=<value>
IPADDR=<value>
NETMASK=<value>
ONBOOT=yes

Then, you need to check whether the file "/etc/sysconfig/network" is present. If it is not, create it. The necessary entries are given below.

NETWORKING=yes
GATEWAYDEV=<value> normally eth0 or venet0
HOSTNAME=<value>

In most cases, if these entries are there, the networking should be up and working when you issue the command "/etc/init.d/network restart".

If you are still seeing errors, then you should check whether the respective NIC drivers are loaded. The issue can be caused by some kernels in which networking is not supported. In such cases, you can try another kernel.

Install clamscan and email scan result

To install clamav

#yum install clamd

run #freshclam to update the virus definitions

create a file  /home/clamscan  and enter the below : 

clamscan -ri --exclude-dir=^/sys\|^/proc\|^/dev / | mail -s "ClamAV Scan Results for `date +%D`" user@domain.com

Save the file and exit. (user@domain.com must be replaced by email address to which scan results are to be mailed)

#crontab -e

0 0 * * * /home/clamscan       

save the file and exit.   The above cron will run everyday at midnight.

Configuring IPv6 networking in Ubuntu server

First backup current network configuration
#cp /etc/network/interfaces /etc/network/interfaces.backup

How to delete an ipv6 address :  #ifconfig eth0 inet6 del 2604:2881::8fe5:27e2/64

How to add an ipv6 address :  #ifconfig eth0 inet6 add 2604:2881::8fe5:27e2/64

Add an IPv6 route through gateway

#route -A inet6 add 2604:2880::8fe5:27e2/64 gw <gateway ip>
OR
#ip -6 route add 2604:2880::8fe5:27e2/64 via <gateway ip>

#/etc/init.d/networking restart

to see the new ipv6 address :
#ip -6 address show eth0

to see ipv6 route :
# ip -6 route show dev eth0

PERMANENTLY ADDING IPV6

Append the below lines in #vi /etc/network/interfaces

iface eth0 inet6 static
pre-up modprobe ipv6
address 2604:2880::8fe5:27e2/64
netmask 64
gateway 2247:f0d0:2001:000a:f0d0:2001::1
dns-nameservers 2001:4860:4860::8888 2001:4860:4860::8844


If ipv6 nameserver IPs are not there in /etc/resolv.conf then add Google Public DNS IPv6 addresses

nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844


#route -A inet6 add 2604:2880::8fe5:27e2/64 gw 2247:f0d0:2001:000a:f0d0:2001::1

#/etc/init.d/networking restart

To test ipv6 connectivity :

#ping6 google.com

Resize XEN Lvm



For extending to 40GB,

From the hardware node using the following commands,

lvresize /dev/xen/vm442_img -L +40G  

resize2fs /dev/xen/vm442_img

resize2fs will ask to run e2fsck first so run e2fsck first

e2fsck -f /dev/xen/vm442_img




In case of a Windows server (VM), e2fsck won't work because of its file system (NTFS). So reboot the server and run check disk in the server command prompt.

chkdsk C: (where c is drive)

Run disk management and extend the current disk partition.

How to reset root password of Xen VPS

If you face a root login issue with a Xen VPS, follow the steps below.

1) First stop the container using a command or through SolusVM.

2) Second, find the Xen image location of the VPS, for example /dev/mapper/xen-vm369_img.

3) Create a directory named test and then mount the image on it using the command mount /dev/mapper/xen-vm369_img /test

4) Then change the root environment to test using the command chroot /test

5) Now the root environment will be the same as that of the Xen VPS which we have mounted.

6) Then change the password of root using the passwd command.

7) Then exit from the root environment by typing the command exit and unmount the /test directory using umount /test

8) Reboot the server in SolusVM.

Tuesday, July 2, 2013

Tuning Mysql Performance with Mysql tuner

MySQL Tuner: It is a Perl script that analyzes MySQL performance and, based on the statistics it gathers, gives us an idea of which parameters need to be changed in the my.cnf file to increase MySQL performance.

Download Mysql Tuner script as follows:

# wget http://mysqltuner.com/mysqltuner.pl

Then, make the script executable by running

# chmod +x mysqltuner.pl

Run the script

# ./mysqltuner.pl

This is how you can run the mysql tuner script. Then, you will obtain the output as:

------------------------------------------


General recommendations:
    Run OPTIMIZE TABLE to defragment tables for better performance
    MySQL started within last 24 hours - recommendations may be inaccurate
    Enable the slow query log to troubleshoot bad queries
    When making adjustments, make tmp_table_size/max_heap_table_size equal
    Reduce your SELECT DISTINCT queries without LIMIT clauses
    Set thread_cache_size to 4 as a starting value
    Increase table_cache gradually to avoid file descriptor limits
    Your applications are not closing MySQL connections properly
Variables to adjust:
    query_cache_size (>= 8M)
    sort_buffer_size (> 8M)
    read_rnd_buffer_size (> 256K)
    tmp_table_size (> 20M)
    max_heap_table_size (> 20M)
    thread_cache_size (start at 4)
    table_cache (> 64)
    innodb_buffer_pool_size (>= 29M)

------------------------------------------------------

By adjusting the parameters listed in " Variables to adjust ", we can increase the performance of mysql

PHP Handlers




PHP handlers are the programs that interpret the PHP code in your web application and process it to be sent as HTML (or another static format) by your web server. Out of the box none of the major web servers can handle PHP by themselves so they need another program to do it for them. This program, known as a PHP handler takes all of your PHP code and generates the output which is then sent to the web server which forwards it on to the user.
Currently there are 4 major PHP handlers available on Apache. These include mod_php (AKA DSO), CGI, FastCGI, and suPHP. If you’re using another web server your options may be different (for example, nginx requires FastCGI). Each of these handle memory, CPU, and file permissions in a different way which can then manifest itself in your web app in everything from performance to important features of your application. Here’s a breakdown of each of the options

mod_php (DSO)


DSO (which is short for Dynamic Shared Object) or mod_php is the oldest and, some would say, the fastest PHP handler available. It essentially makes PHP a part of Apache by having the Apache server interpret the PHP code itself through use of an Apache module known as mod_php. This is the default handler typically installed when installing a web server package on your server.
On the plus side mod_php is fast, in fact very fast as it runs directly in the same process as your Apache server. Running it together with Apache also means that it has a very low CPU and memory requirement which may be beneficial in situations where computing resources are limited.
The major drawback of mod_php is that it runs as part of Apache which means that it runs as the same user that your Apache process runs as (if you’re on Ubuntu this would be www-data). This means that all work on files will be done as the Apache user which therefore must have permissions to all of your files. In most cases when you upload files to your server you do so as a different user that has login rights to the machine. This means that all the files and folders you upload are “owned” by the user that you used to upload them. If you don’t give the Apache user permissions to them, the web server will not be able to read or write to the files, but if you do give the Apache user access to them and your machine is compromised by an attacker, that attacker could have access to much more than just the files in the website they used to get in to your system, potentially creating problems for every site hosted on your machine.
The file permission issue is also the biggest source of headache for users of content management systems such as WordPress or Drupal. Because the files of your site are often owned by an account other than that which they are running as, users of mod_php are often unable to upload or modify files from within their CMS without substantial work arounds. Not only could this prevent an administrator from adding pictures and other media to their site easily, but it could also lead to security patches not being installed due to the added complexity of doing so which causes another security hole in your site.

CGI

CGI is the fallback in most servers when mod_php is not available. Instead of running the PHP code within Apache it is now run as its own CGI process, that is, in a program outside of your Apache server.
By default CGI will be called by the Apache server meaning that it will run as the Apache user with all the problems of doing so that mod_php encountered. Unlike mod_php however CGI has the ability to run the PHP as another user (presumably the user that owns the files) using another Apache module known as suexec.
For performance CGI is not nearly as fast as mod_php and requires more CPU time. It is however still soft on memory usage which may be a benefit to some users.

suPHP

suPHP runs PHP outside of the Apache script as CGI. Unlike CGI however it will run the scripts as a user other than the Apache user (presumably the user that owns the files). This means that if you are using a CMS you will be able to upload files from within your web application using suPHP. In addition, because your PHP is being run as a different user any vulnerability in your site can be restricted to only the files of your website thereby providing substantial security benefits particularly on servers that run multiple websites.
The cost of the upload ability and security of suPHP is not cheap. suPHP is slow and requires quite a bit of CPU to process all the files. In addition, as it must process the file each and every time it is called, suPHP cannot use any OPCode caching such as APC or memcached resulting in even higher CPU usage by your application. If you are running on a low-end VPS or other server with an application such as WordPress this configuration can easily push you past any CPU limits you might have whenever traffic starts to climb.

FastCGI

FastCGI is the last major PHP handler. It offers the security benefits of suPHP by executing files as the owner of the file. Unlike suPHP however it keeps open a session for the file when the processing is done resulting in significant memory use but also allowing for the use of OPCode caching such as APC or memcached.

                        mod_php   CGI     suPHP   FastCGI
Memory usage            Low       Low     Low     High
CPU usage               Low       High    High    Low
Security                Low       Low     High    High
Run as file owner       No        No      Yes     Yes
Overall performance     Fast      Slow    Slow    Fast


To determine the PHP Handler used in Cpanel servers :

/usr/local/cpanel/bin/rebuild_phpconfig --current

To determine the PHP version :

php -v

To determine the PHP modules currently enabled :

php -m

To create a phpinfo file, open a plain text file, add the following lines and save :

<?php
// Show all information, defaults to INFO_ALL
phpinfo();
?>

Migrating SSL certificate from old server to new one

1 .Login as root via SSH

You will find the cert, CA bundle and the private key in the /etc/ssl folder.

root@server[/etc/ssl]ls
./ ../ certs private/

Inside certs folder you will find domain.crt and domain.cabundle.
Inside private folder you will see the domain key.

2 .Copy those to a notepad.

3 .Login to WHM of new server > make sure that the site is on a dedicated IP.

If not, >> change the site IP address to a dedicated IP.

4 .Via WHM >> Install an SSL certificate and Setup the Domain >> enter the cert, key and bundle.

Make sure that the username, IP and domain name are in the respective fields.

5 .Submit and you are done.

6 .Make sure that https://domain.com works before updating the customer.
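
A check worth running on the new server before step 4, added here as an example and not part of the original post: it confirms that the copied certificate and private key belong together, that the certificate has not expired, and that the key file is not readable by other users. The function names and file arguments are hypothetical, and it assumes the openssl command-line tool and an unencrypted key.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Usage: sh check_ssl.sh domain.crt domain.key

# Succeeds only if the certificate and the private key carry the same
# public key. Comparing the whole public key works for RSA and EC keys.
# Returns 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the key file grants nothing to group or others (e.g. mode 600).
key_is_private() {
    case $(ls -ld "$1" 2>/dev/null) in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs all checks and prints the first problem found.
check_ssl_files() {
    cert_matches_key "$1" "$2" || {
        echo "certificate and key do not match (or cannot be read)"
        return 1
    }
    # -checkend 0 exits non-zero when the certificate is already expired.
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "certificate has expired"
        return 1
    }
    key_is_private "$2" || {
        echo "key file is readable by group or others; chmod 600 it"
        return 1
    }
    echo "ok: $(openssl x509 -in "$1" -noout -subject)"
}

# Run only when both files are given on the command line.
if [ "$#" -eq 2 ]; then
    check_ssl_files "$1" "$2"
fi
```

The subject printed on success should name the domain entered in the WHM form.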

Securing Linux Cpanel server




WHM

WHM >> Security Center

1. Compiler Access >> make sure it is disabled for all users except "root".

2. Configure Security Policies >> Password Strength

3. cPHulk Brute Force Protection >> Enable it. White List known IPs if required (say if customer has static IP from ISP).

4. Traceroute Enable/Disable >> Disable it.

5. Shell Fork Bomb Protection >> Enable.

 OS and kernel

6. find / \( -perm -a+w \) ! -type l >> world_writable.txt : Look at world_writable.txt to see all world writable files and directories. This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.

7. find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.

8. Make Sure No Non-Root Accounts Have UID Set To 0

    awk -F: '($3 == "0") {print}' /etc/passwd (you should only see one o/p) like:

    root:x:0:0:root:/root:/bin/bash

9. Tripwire – Monitors checksums of files and reports changes.
    http://tripwire.com or http://sourceforge.net/projects/tripwire
 
10. Chkrootkit – Scans for common rootkits, backdoors, etc.

    http://www.chkrootkit.org

11. Rkhunter – Scans for common rootkits, backdoors, etc.

    http://www.rootkit.nl/projects/rootkit_hunter.html

  Now create a cronjob so it will email you with notifications to the root mailbox:
  #crontab -e

    At the bottom add the following line
   16 0 * * * /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet

   Press control x to save

12. Logwatch – Monitors and reports on daily system activity.

    http://logwatch.org

13. Change SSH port to non-standard port.

14. Change SSH Protocol 2,1 to Protocol 2

15. Enable Email Alert on root login

    cd /root ; vi  .bashrc

   Scroll to the end of the file then add the following:

   echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" admin@domain.com
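
The checks from steps 6 to 8 as reusable shell functions, added here as an example and not part of the original post; the function names are hypothetical. It tests the "other" write bit directly, stays on one filesystem, leaves out sticky directories such as /tmp, and prints only the UID 0 accounts that are not root.

```shell
#!/bin/sh
# Added example (not from the original post): steps 6-8 as functions.
# Function names are hypothetical; run as root against a real tree.

# Step 6: files and directories that any user can write to.
# -xdev keeps find on one filesystem (skips /proc, /sys, network mounts),
# symlinks are never matched by -type f / -type d, and sticky
# directories (mode 1777, e.g. /tmp) are left out because users cannot
# delete or rename each other's files there.
world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 \
        ! \( -type d -perm -1000 \) -print 2>/dev/null
}

# Step 7: files whose numeric owner or group has no passwd/group entry,
# typically left behind by deleted accounts or unpacked archives.
unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Step 8: every account other than root whose UID field is 0.
# $1 is a passwd-format file, /etc/passwd on a live system.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Summary: prints counts and returns non-zero if anything was found.
audit() {
    root_dir=$1
    passwd_file=${2:-/etc/passwd}
    ww=$(world_writable "$root_dir" | wc -l | tr -d ' ')
    un=$(unowned "$root_dir" | wc -l | tr -d ' ')
    u0=$(extra_uid0 "$passwd_file" | tr '\n' ' ')
    echo "world-writable (non-sticky): $ww"
    echo "no valid owner or group:     $un"
    echo "extra UID 0 accounts:        ${u0:-none}"
    [ "$ww" -eq 0 ] && [ "$un" -eq 0 ] && [ -z "$u0" ]
}

# Run only when a directory is given, e.g.:  sh audit.sh / /etc/passwd
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```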

 Firewall and misc security

17. Install CSF firewall and make sure test mode is disabled after opening all used ports.

   IMP: Make sure the SSH port set in #13 is opened in the firewall.

   CSF Connection Limit
   csf.conf has the CT (connection tracking) options; configure them like this
   CT_LIMIT = "100"
   It means every IP with more than 100 connections is going to be blocked.
   CT_PERMANENT = "1"
   IP will be blocked permanently
   CT_BLOCK_TIME = "1800"
   IP will be blocked for 1800 secs (1800 secs = 30 mins)
   CT_INTERVAL = "60"
   Set this to the number of seconds between connection tracking scans.
   After editing csf.conf, restart csf

18. Tweak LFD and CSF to prevent DOS.

19. Secure /tmp, /dev/shm and /var/tmp

 PHP security

20. Disable vulnerable PHP functions. Find disable_functions in the php.ini file and set it as below (the whole list must stay on one line):

    disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

21. Enable suPHP if the server is for shared hosting.

22. WHM >> Configure PHP and suEXEC > set suPHP handler and suexec
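
A way to confirm that step 20 took effect, added here as an example and not part of the original post: it reads the effective disable_functions value from a php.ini and prints every function from the post's list that is still enabled. It also catches a list that was wrapped onto a second line when pasted, because an unquoted ini value ends at the newline. The function names are hypothetical, and it assumes a single php.ini with no extra .ini files overriding it.

```shell
#!/bin/sh
# Added example (not from the original post): verify step 20.
# Function names are hypothetical. Usage: sh check_php.sh /path/to/php.ini

# Functions the post lists for disable_functions.
REQUIRED="system show_source symlink exec dl shell_exec passthru phpinfo escapeshellarg escapeshellcmd"

# Effective value: the last uncommented disable_functions line wins.
# Lines starting with ';' are comments and do not match. Only the text
# on the directive's own line is returned, so a continuation line is
# not counted as part of the list.
disabled_list() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$1" |
        tail -n 1 | sed 's/;.*//' | tr -d ' \t\r"'
}

# Print each required function that is NOT in the effective list.
# Commas are added on both sides so "exec" does not match "shell_exec".
missing_disabled() {
    list=",$(disabled_list "$1"),"
    for fn in $REQUIRED; do
        case "$list" in
            *",$fn,"*) ;;
            *) echo "$fn" ;;
        esac
    done
}

# Run only when a php.ini path is given on the command line.
if [ "$#" -gt 0 ]; then
    missing=$(missing_disabled "$1" | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "still enabled: $missing"
        exit 1
    fi
    echo "all listed functions are disabled"
fi
```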

Apache

22. Install mod_security and cmc to manage the mod sec rules via WHM. See http://configserver.com/cp/cmc.html

23. Install dos_evasive.

FTP

24. WHM >> Service Configuration >> FTP Server Configuration

   Make sure Anonymous logins and uploads are disabled.

MySQL

25. Disable networking if you don't need anyone to remotely connect to MySQL server.

     Add the below line to my.cnf

    skip-networking

Monday, June 3, 2013

Webmin and virtualmin installation centOS

 Webmin installation :

Create a repository :

vi /etc/yum.repos.d/webmin.repo


[Webmin]
name=Webmin Distribution Neutral
#baseurl=http://download.webmin.com/download/yum
mirrorlist=http://download.webmin.com/download/yum/mirrorlist
enabled=1

:wq!

wget http://www.webmin.com/jcameron-key.asc
 

rpm --import jcameron-key.asc

yum install webmin

Open port 10000 to access webmin :


iptables -I INPUT -p tcp --dport 10000 -j ACCEPT

To install virtualmin :
 

Make a script below

vi virtualmininstall.sh

curl http://software.virtualmin.com/gpl/scripts/install.sh > install.sh ; chmod 755 ./install.sh ; ./install.sh ;

:wq!


Make the script executable

 chmod +x virtualmininstall.sh
 

Execute the script :  

sh virtualmininstall.sh

After the installation is complete login to server using :

https://serverip:10000
username :  root
password :

 

Screen commands..


screen -ls :  This will list screen name and state
screen -ls  will show whether screen is in "detached" or "attached" state

To reattach "detached" screen : screen -r <screen name>

Leaving screen :   Press down ctrl + A together and type D (ctrl A + D)

When you type screen -ls, if the screen is attached, then do the below

screen -D <screen name>
screen -r <screen name>

To enter a name for the screen : screen -S test

Thursday, April 11, 2013

Network card issue in OpenVz kernel





1. Install the OpenVZ kernel devel package

        yum install vzkernel-devel

2. First download the AR81Family Linux driver and install it

         cd /usr/local/src
         wget -O AR81Family-linux-v1.0.1.14.tar.gz "http://app.jamshi.com/AR81Family-linux-v1.0.1.14%20%281%29.tar.gz"
         tar -zxvf AR81Family-linux-v1.0.1.14.tar.gz
         cd src/

         make install
         modprobe atl1e

3. Configure the network

          vi /etc/sysconfig/network-scripts/ifcfg-eth0
                    and set parameters

DEVICE=eth0
IPADDR=
NETMASK=
GATEWAY=

Save and exit.

system-config-network

Change the DNS

192.168.1.1 (name server)
Save and exit

         ifup eth0

          service network restart

OpenVZ Server Setup



Stage 1 :  Server Setup
------------------------------

1. Add the OpenVZ repository to yum.

 a. cd /etc/yum.repos.d
 b. wget http://download.openvz.org/openvz.repo
 c. rpm --import http://download.openvz.org/RPM-GPG-Key-OpenVZ

2. Search available kernels

 a. yum search vzkernel

3. Install kernel

 a. yum install vzkernel

 * It will install the necessary packages for OpenVZ virtualization, including vzctl, vzquota etc.

 b. rpm -qa | grep 'vzk*'
    ---> verification command

4. Configure boot loader

     a. /etc/grub.conf
     b. Edit the title of vzkernel as OpenVZ (just for clarity)

5. Set kernel parameters and disable SELinux

     a. vim /etc/sysctl.conf
          and set the parameters below

net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# Enables the magic-sysrq key
kernel.sysrq = 1
# We do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0

     b. vi /etc/sysconfig/selinux
          and set

         SELINUX=disabled

6. Now reboot into the OpenVZ kernel

7. Check whether eth0 is detected or not; if not, refer to the link below for a fix.

          http://linuxshadow.blogspot.in/2013/04/network-card-issue-in-openvz-kernel.html

8. Start OpenVZ

    /sbin/service vz start

Stage 2 : Templates
--------------------------


1. Download OS templates to  /vz/template/cache/
     Check http://wiki.openvz.org/Download/template/precreated

Stage 3 :  Setup VMs
---------------------------

 
 1. Create virtual machines (CID --> Container ID)

      vzctl create CID --ostemplate template --config basic
      vzctl set CID --onboot yes --save

---> To start VMs on boot

 2. Configure VM

        a. Add IP

       vzctl set CID --ipadd ip --save

        b. Number of sockets

       vzctl set CID --numothersock 150 --save

        c. Set name server for network access

       vzctl set CID --nameserver IP --save
                                                   (our case 192.168.1.1)

        d. Start VM

       vzctl start CID


Linux virtualization:



Linux virtualization refers to running one or more virtual machines on a physical computer that is operated by an open source Linux operating system. It can be used for isolating specific apps, programming code or even an operating system itself, as well as for security and performance testing purposes.
Today's more powerful computers and hardware have made virtualization more practical and feasible for both desktop and server environments, helping to save power by consolidating several workspaces on one system as well as maximizing the workload that the computer can handle. We can set up Linux virtualization on an open source Linux system by using any of the open source Linux virtualization software packages. Popular Linux virtualization solutions include Xen, KVM, QEMU, VirtualBox and VMware.

Why we need to go for virtualization?

  • Consolidation - It means combining multiple software workloads on one computer system. We can run various virtual machines in order to save money and power (electricity).
  • Testing - We can test various configurations and check various operating systems.
  • Security and Isolation - If a mail server or any other app gets cracked, only that VM will be under the control of the attacker. Also, isolation means that in virtualization the operating systems or the containers are logically separated, so misbehaving apps (e.g. memory leaks) cannot bring down the whole server.

Open Source Linux Virtualization Software:


  1. OpenVZ is an operating system-level virtualization technology based on the Linux kernel and operating system.
  2. Xen is a virtual machine monitor for 32 / 64 bit Intel / AMD (IA 64) and PowerPC 970 architectures. It allows several guest operating systems to be executed on the same computer hardware concurrently. XEN is included with most popular Linux distributions such as Debian, Ubuntu, CentOS, RHEL, Fedora and many others.
  3. Kernel-based Virtual Machine (KVM) is a Linux kernel virtualization infrastructure. KVM currently supports native virtualization using Intel VT or AMD-V. A wide variety of guest operating systems work with KVM, including many flavours of Linux, BSD, Solaris, and Windows etc. KVM is included with Debian, OpenSuse and other Linux distributions.
  4. Linux-VServer is a virtual private server implementation done by adding operating system-level virtualization capabilities to the Linux kernel.
  5. VirtualBox is an x86 virtualization software package, developed by Sun Microsystems as part of its Sun xVM virtualization platform. Supported host operating systems include Linux, Mac OS X, OS/2 Warp, Windows XP or Vista, and Solaris, while supported guest operating systems include FreeBSD, Linux, OpenBSD, OS/2 Warp, Windows and Solaris.
  6. Bochs is a portable x86 and AMD64 PC emulator and debugger. Many guest operating systems can be run using the emulator including DOS, several versions of Microsoft Windows, BSDs, Linux, AmigaOS, Rhapsody and MorphOS. Bochs can run on many host operating systems, like Windows, Windows Mobile, Linux and Mac OS X.
  7. User Mode Linux (UML) was the first virtualization technology for Linux. User-mode Linux is generally considered to have lower performance than some competing technologies, such as Xen and OpenVZ. Future work in adding support for x86 virtualization to UML may reduce this disadvantage.

Proprietary Linux Virtualization Software:

  1. VMware ESX Server and VMWare Server - VMware Server (also known as GSX Server) is an entry-level server virtualization software. VMware ESX Server is an enterprise-level virtualization product providing data center virtualization. It can run various guest operating systems such as FreeBSD, Linux, Solaris, Windows and others.
  2. Commercial implementations of XEN available with various features and support.
    • Citrix XenServer : XenServer is based on the open source Xen hypervisor, an exceptionally lean technology that delivers low overhead and near-native performance.
    • Oracle VM : Oracle VM is based on the open-source Xen hypervisor technology, supports both Windows and Linux guests and includes an integrated Web browser based management console. Oracle VM features fully tested and certified Oracle Applications stack in an enterprise virtualization environment.
    • Sun xVM : The xVM Server uses a bare-metal hypervisor based on the open source Xen under a Solaris environment on x86-64 systems. On SPARC systems, xVM is based on Sun's Logical Domains and Solaris. Sun plans to support Microsoft Windows (on x86-64 systems only), Linux, and Solaris as guest operating systems.
  3. Parallels Virtuozzo Containers - It is an operating system-level virtualization product designed for large-scale homogeneous server environments and data centers. Parallels Virtuozzo Containers is compatible with x86, x86-64 and IA-64 platforms. You can run various Linux distributions inside Parallels Virtuozzo Containers.