Author: The Geek Decoder

Configure Exim to send outgoing mail with each account’s dedicated IP address

January 30, 2015 The Geek Decoder No Comments cPanel, WHM

To enable WHM to automatically configure Exim to send mail from each domain’s dedicated IP address, perform the following steps:
You must have root user privileges on the server to configure Exim in this way.

If you manage the rDNS for your IP addresses, modify the rDNS for the IP address of each domain so that it points to that domain. If you do not manage the rDNS for your IP addresses, contact the owner of the IP addresses and request that they modify the rDNS for each IP address to point to each domain.

An incorrect rDNS configuration may cause mail servers to reject your server’s mail.

Enable the Send mail from account’s dedicated IP address option in WHM’s Exim Configuration Manager interface (Home >> Service Configuration >> Exim Configuration Manager).

If you select this option, cPanel & WHM uses the /usr/local/cpanel/scripts/updateuserdomains script to automatically configure Exim, and overrides any manual changes in the following files:


/etc/mailhelo
/etc/mailips
/etc/mail_reverse_dns

How to manually configure Exim’s outgoing IP addresses

To use a custom Exim configuration, enable the following options in WHM’s Exim Configuration Manager – Basic Editor interface (Home >> Service Configuration >> Exim Configuration Manager):

Reference /etc/mailhelo for outgoing SMTP HELO
Reference /etc/mailips for outgoing SMTP connections
The /etc/mailhelo file

The /etc/mailhelo file contains Exim’s configuration for the HELO command. Exim uses the HELO command to initiate dialog between a mail server and a client. This file governs which domain should send the HELO command.
To create the /etc/mailhelo file, use a text editor such as nano, vi, or vim.
The following is example content of a /etc/mailhelo file:


example.com: example.com
sub.example.com: example.com
example.net: example.net
addon.example.net: example.net
*: hostname.example.com

The /etc/mailips file
This file controls the IP address from which each domain should send mail. Your file should be similar to the following example:


example.com: 192.168.0.2
sub.example.com: 192.168.0.2
example.net: 192.168.0.3
addon.example.net: 192.168.0.3
*: 192.168.0.1

In the example above, the system will use the asterisk (*) entry to direct outbound mail for domains without entries within this file. In this case, this is your server’s main shared IP address. You can set it to another IP address if you ensure that the asterisk entry in the /etc/mailhelo file has the appropriate domain name.

Be sure to use only valid IP addresses that are publicly accessible via the Internet.

The /etc/mail_reverse_dns file
This file controls the domains that are associated with the IP addresses from which mail should send. Your file should be similar to the following example:


192.168.0.2: example.com
192.168.0.2: sub.example.com
192.168.0.3: example.net
192.168.0.3: addon.example.net

Setting up an SSL for a Vhost in CentOS

January 30, 2015 The Geek Decoder No Comments CentOS 6, CentOS 7, SSL Certificates

1. Getting the required software

For an SSL encrypted web server you will need a few things. Depending on your install you may or may not have OpenSSL and mod_ssl, Apache’s interface to OpenSSL. Use yum to get them if you need them.


# yum install mod_ssl openssl

Yum will either tell you they are installed or will install them for you.

2. Generate a self-signed certificate

Using OpenSSL we will generate a self-signed certificate. If you are using this on a production server you are probably likely to want a key from a Trusted Certificate Authority, but if you are just using this on a personal site or for testing purposes a self-signed certificate is fine. To create the key you will need to be root so you can either su to root or use sudo in front of the commands

# Generate private key 


#openssl genrsa -out ca.key 2048

# Generate CSR

 
# openssl req -new -key ca.key -out ca.csr

# Generate Self Signed Key


# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

# Copy the files to the correct locations


cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr

WARNING: Make sure that you copy the files and do not move them if you use SELinux. Apache will complain about missing certificate files otherwise, as it cannot read them because the certificate files do not have the right SELinux context.
If you have moved the files and not copied them, you can use the following command to correct the SELinux contexts on those files, as the correct context definitions for /etc/pki/* come with the bundled SELinux policy.


restorecon -RvF /etc/pki

Then we need to update the Apache SSL configuration file


Nano /etc/httpd/conf.d/ssl.conf

Change the paths to match where the Key file is stored. If you’ve used the method above it will be


SSLCertificateFile /etc/pki/tls/certs/ca.crt

Then set the correct path for the Certificate Key File a few lines below. If you’ve followed the instructions above it is:


SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Quit and save the file and then restart Apache


/etc/init.d/httpd restart

All being well you should now be able to connect over https to your server and see a default Centos page. As the certificate is self signed browsers will generally ask you whether you want to accept the certificate.

3. Setting up the virtual hosts

Just as you set VirtualHosts for http on port 80 so you do for https on port 443. A typical VirtualHost for a site on port 80 looks like this


<VirtualHost *:80>
        <Directory /var/www/vhosts/yoursite.com/httpdocs>
        AllowOverride All
        </Directory>
        DocumentRoot /var/www/vhosts/yoursite.com/httpdocs
        ServerName yoursite.com
</VirtualHost>

To add a sister site on port 443 you need to add the following at the top of your file

NameVirtualHost *:443
and then a VirtualHost record something like this:


NameVirtualHost *:443
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/ca.crt
        SSLCertificateKeyFile /etc/pki/tls/private/ca.key
        <Directory /var/www/vhosts/yoursite.com/httpsdocs>
        AllowOverride All
        </Directory>
        DocumentRoot /var/www/vhosts/yoursite.com/httpsdocs
        ServerName yoursite.com
</VirtualHost>

Restart Apache again using


# /etc/init.d/httpd restart

4. Configuring the firewall

You should now have a site working over https using a self-signed certificate. If you can’t connect you may need to open the port on your firewall. To do this amend your iptables rules:


iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/service iptables save
iptables -L -v

Other resources: http://www.rackspace.com/knowledge_center/article/centos-apache-virtual-hosts#NameVirtualHosts

Disabling Recursive DNS in the Plesk Panel and No Panels

January 30, 2015 The Geek Decoder No Comments Administration, CentOS 6, CentOS 7, DNS, Plesk, Windows Server

To Disable Recursive DNS in the Parallels Plesk Panel

  1. Log in to the Parallels Plesk Panel as administrator.
  2. Click Tools & Settings.
  3. From the General Settings area, click DNS Template Settings.
  4. Click DNS Recursion.Select Localnets, and then click Ok.

For Windows Servers:

  1. Log in to your  Server  through a Remote Desktop Connection.
  2. From the Start menu, click Control Panel, Administrative Tools, then DNS.
  3. In the console tree, right-click the appropriate DNS server, and then click Properties.
  4. Click the Advanced tab.
  5. Under Server options, check Disable recursion, and then click OK.
  6. In the console tree, right-click the appropriate DNS server, and then click Clear Cache.

CentOS


# cd /etc
# nano named.conf

Change this line

# recursion yes;

to

# recursion no;

Restart

# service named restart

Ubuntu


# nano /etc/bind/named.conf.options

Set up like this

// global options apply to external clients
options {
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
};

view "local" in {
    // view options enable recursion only for local clients
    match-clients { 172.16.45.80/23; 192.168.12.0/24; 127.0.0.1/8; ::1; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    zone "." in {
            type hint;
            file "/etc/bind/db.root";
    };

    // put definitions for zones like "localhost" and "127.in-addr.arpa" here
}

// put definitions for real authoritative zones here.

Ghost Vulnerability

January 29, 2015 The Geek Decoder No Comments Administration, CentOS 6, CentOS 7, Patches, Security, Ubuntu

A very serious security problem has been found and patched in the GNU C Library called Glibc. It was announced on 27th January 2015.

Here are the affected Linux distros:

  • RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
  • CentOS Linux version 5.x, 6.x & 7.x
  • Ubuntu Linux version 10.04, 12.04 LTS
  • Debian Linux version 7.x
  • Linux Mint version 13.0
  • Fedora Linux version 19 or older
  • SUSE Linux Enterprise 11 and older (also OpenSuse Linux 11 or older versions).
  • SUSE Linux Enterprise Software Development Kit 11 SP3
  • SUSE Linux Enterprise Server 11 SP3 for VMware
  • SUSE Linux Enterprise Server 11 SP3
  • SUSE Linux Enterprise Server 11 SP2 LTSS
  • SUSE Linux Enterprise Server 11 SP1 LTSS
  • SUSE Linux Enterprise Server 10 SP4 LTSS
  • SUSE Linux Enterprise Desktop 11 SP3
  • Arch Linux glibc version <= 2.18-1

Read More to Fix the GHOST vulnerability on a CentOS/RHEL/Fedora/Ubuntu Linux

Read More

UTF-8, but your server is reporting US-ASCII

January 28, 2015 The Geek Decoder No Comments Administration

I get this warning message( Your feed appears to be encoded as “UTF-8”, but your server is reporting “US-ASCII” ) when I try to validate my xml under http://validator.w3.org/feed/check.cgi?url=http%3A%2F%2Fwww.domain.com%2Frss.xml

You should be able to set the charset in .htaccess. This should work:


# AddCharset UTF-8 .xml

How to Setup networking on centos 7

January 28, 2015 The Geek Decoder No Comments CentOS 7, Networking

Source: http://www.krizna.com/centos/setup-network-centos-7/

When installing Centos 7, You may not able to connect network in that machine. This will happen because Ethernet interfaces are not enabled by default and need additional configuration.

Type “nmcli d” command in your terminal

# nmcli d

Recommended for beginners
Step 1 » Type this command “nmtui” to open Network manager and press enter after choosing ” Edit a connection” ( Use TAB for choosing options ) .

Command Line

Network interface config files are located in /etc/sysconfig/network-scripts/ directory. Open ifcfg-en…


nano /etc/sysconfig/network-scripts/ifcfg-en

Find


BOOTPROTO=none
ONBOOT=no

and replace with


BOOTPROTO=static
ONBOOT=yes

And add the below lines at the end of the file.


IPADDR=172.27.0.32
NETMASK=255.255.255.0
GATEWAY=172.27.0.1
DNS1=172.27.0.5File will look like below after changes.
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=enp0s17
UUID=f0c5b37d-299a-43cb-b74b-618bb252d129
ONBOOT=yes
HWADDR=00:0C:29:A1:B5:CC
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPADDR=192.168.1.10
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=192.168.1.5



# systemctl restart network

Additionally you can use /etc/sysconfig/network file for hostname and DNS.
[bash]

HOSTNAME=server.krizna.com
DNS1=192.168.1.5
DNS2=8.8.8.8
SEARCH=domain.com

Install Plesk CentOS 7

January 28, 2015 The Geek Decoder No Comments CentOS 7, Plesk

The Plesk one-click installer is a script that downloads itself and determines the correct Plesk version for your OS. You won’t accidentally pick the wrong version for your distribution.

# wget -O - http://autoinstall.plesk.com/one-click-installer | sh

If you get an error message, wget may not be installed. Rectify this pitiful situation like this:

# yum install wget

Opening Ports for Plesk

On CentOS 6 and prior the firewall rules were set via iptables. This service is gone and has been replaced with firewalld in CentOS 7. We still need to open ports to speak to Plesk via a browser. The two important ones to open here are 8443 and 8447:

# firewall-cmd --zone=public --add-port=8443/tcp --permanent
# firewall-cmd --zone=public --add-port=8447/tcp --permanent
# firewall-cmd --reload

Add Atomic Repo Power (optional)

Now’s a good time to install the Atomic repos. These will give you access to many additional tools such as pre-compiled OSSEC HIDS and additional PHP versions:

# wget -q -O - http://www.atomicorp.com/installers/atomic.sh | sh

Other Options

Obtain the installer script. Download the installer script:


# wget https://installer.plesk.com/plesk-installer

Enable execution mode for the downloaded installer script:


# chmod +x ./plesk-installer

Make sure port 8447 is open
Port 8447 is used for accessing the installer GUI. Make sure, this port is open.

Launch the installer with GUI
Run the script with option –web-interface to launch the interactive installer with web interface for the latest stable Plesk version:


# ./plesk-installer --web-interface

From Plesk Trial Signup:
Welcome aboard!

Linux console command:

You also can download your Plesk license for Linux directly from your console interface by running the following command:

# sh <(curl http://autoinstall.plesk.com/plesk-installer) [/bash] After install: Congratulations! The installation has been finished. Plesk is now running on your server. To complete the configuration process, browse either of URLs: * https://216.55.169.209:8443/login?secret=5bwVKsGqv7nDQS9AjQrVhWRY72yjsAthTEr5Ll4r%2Ff0%3D * https://plesk.geekdecoder.com:8443/login?secret=5bwVKsGqv7nDQS9AjQrVhWRY72yjsAthTEr5Ll4r%2Ff0%3D Use the username 'admin' to log in. To log in as 'admin', use the 'plesk login' command. You can also log in as 'root' using your 'root' password. Use the 'plesk' command to manage the server. Run 'plesk help' for more info. Use the following commands to start and stop the Plesk web interface: 'service psa start' and 'service psa stop' respectively. If you would like to migrate your subscriptions from other hosting panel or older Plesk version to this server, please check out our assistance options: https://www.plesk.com/professional-services/

Wowza Media server

January 27, 2015 The Geek Decoder No Comments Applications

With wowza, sometimes java gets stuck and you can even run service WowzaMediaServer stop and start after it remain stuck until you properly kill java ( as you might know wowza it is running under java).

This being said here we go ( tested on 2 ubuntu 12.04 environment with both wowza 3.6 and 4.0.3 versions)

# touch restart.sh <-- create the restart script # chmod 755 <-- make it writable # nano restart.sh < write commands to run it it [/bash] This is based on java we would like to kill java and not Wowza. Wowza 2.2 up to 3.6.X version 1 [bash] # nano restart.sh # kill -9 $(pidof java) # sleep 5 # service WowzaMediaServer start [/bash] Press control + X and Y and enter to save the file. If you are using Wowza 4.X or higher you should run this. Wowza 4.X and higher version 2 [bash] # kill -9 $(pidof java) # sleep 5 # service WowzaStreamingEngine start # sleep 5 # service WowzaStreamingEngineManager start [/bash] Press control + X and Y and enter to save the file. From wowza 4.0 you know they also have the browser interface which is based also on java so that's why you need to start both EngineManager and Engine. Now each time when you want to restart wowza you can use the script like this : [bash] # ./restart.sh [/bash] Make a restart every night at 00:00 automatically ( i would do this to reset the garbage collector of java and free memory usage). Assuming you have the script in root create here we go. [bash] # crontab -e ( this will open crontab in your favorite editor) [/bash] If you never use crontab this will let you chose your editor. If you before used an editor and now you want to change it you should type this for example for nano in ssh. [bash] # export EDITOR=nano [/bash] Now you should type this on cron: [bash] # 00 00 * * * /root/restart.sh [/bash] Save it and restart your cron service. [bash] # service crond restart [/bash] Now you should be good about wowza restart.

How to Create a MySQL User: Remove a MySQL User, Show a MySQL User

January 27, 2015 The Geek Decoder No Comments MySQL

This article shows how to create a MySQL user, remove a MySQL user and to show a list of MySQL users.

Read more: How to Create a MySQL User: Remove a MySQL User, Show a MySQL User

Grant all privileges on a database to a single user:

</p>
<p>mysql&gt; CREATE USER 'new_user'@'localhost' IDENTIFIED BY 'new_password';</p>
<p>

<br>
mysql&gt; GRANT ALL ON my_db.* TO 'new_user'@'localhost';<br>

Or…

<br>
mysql&gt; GRANT ALL PRIVILEGES ON database_name.* to 'new_user'@'localhost' IDENTIFIED BY 'password';<br>

Remove a USer from Mysql

Review a List of MySQL Users

</p>
<p>mysql&gt; SELECT User,Host FROM mysql.user;</p>
<p>

Remove a MySQL User
To remove a user from MySQL, we again use the DROP command.

It only takes one simple command to delete a user in MySQL, but BEWARE; dropping a user can not be undone! The command is as follows:

</p>
<p>mysql&gt; DROP USER 'testuser'@'localhost';</p>
<p>

If a user of the name testuser does not exist, then you’ll receive this error:

</p>
<p>mysql&gt; ERROR 1396 (HY000): Operation DROP USER failed for 'testuser'@'localhost'</p>
<p>