Professional Linux & Windows Server Management & Security Services (cPanel, Plesk, DirectAdmin and others)

 We provide a wide range of server management plans. You can completely customize your order or feel free to contact us. All of our experts are highly trained and certified. You can rest assured that you’re always in safe hands.

Our Server Management services:

Linux Server management

Windows Server Management

VPS Node management

Feel free to contact us for any customized or additional requests by clicking here

GHOST: glibc vulnerability (CVE-2015-0235)

Background Information

GHOST is a ‘buffer overflow’ bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application.

Impact

The gethostbyname() function calls are used for DNS resolving, which is a very common event. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution.

A list of affected Linux distros

  • RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
  • CentOS Linux version 5.x, 6.x & 7.x
  • Ubuntu Linux version 10.04, 12.04 LTS
  • Debian Linux version 7.x
  • Linux Mint version 13.0
  • Fedora Linux version 19 or older
  • SUSE Linux Enterprise 11 and older (also OpenSuse Linux 11 or older versions).
  • SUSE Linux Enterprise Software Development Kit 11 SP3
  • SUSE Linux Enterprise Server 11 SP3 for VMware
  • SUSE Linux Enterprise Server 11 SP3
  • SUSE Linux Enterprise Server 11 SP2 LTSS
  • SUSE Linux Enterprise Server 11 SP1 LTSS
  • SUSE Linux Enterprise Server 10 SP4 LTSS
  • SUSE Linux Enterprise Desktop 11 SP3
  • Arch Linux glibc version <= 2.18-1

Resolution

Update the glibc and nscd packages on your system using:

Fix for Centos/RHEL/Fedora 5,6,7:

  •  yum update glibc
  • Restart ALL running services or reboot the server as an alternative.

Fix for Ubuntu:

  • sudo apt-get clean
  • sudo apt-get update
  • sudo reboot

How can I test or preview my website before switching DNS?

 

  1. Locate the HOSTS file on your computer. Typically it is in one of the following locations:
    • Windows NT/2000/XP/2003/Vista/7 – C:\windows\system32\drivers\etc\hosts
    • Windows 95/98/Me – C:\windows\hosts
  2. Open this file with a text editor such as Notepad or Wordpad.
    • Right-click on Notepad and select the option to Run as Administrator – otherwise you may not be able to open this file.Then, open the file. Consider performing a “Save As” so you have an original copy of the file that you can restore later. You will see two columns of information, the first containing IP addresses and the second containing host names. By default, a windows hosts file should be similar to the following:
      (In Windows 7 Press and hold Ctrl+Shift while opening the Notepad/Wordpad).

    • Filename: hosts

      127.0.0.1 localhost


      You can add additional lines to this file that will point requests for a particular domain to your new server’s IP address.

      Example:


      Filename: hosts

      127.0.0.1 localhost
      123.123.123.123 example.com

  3. Save your changes (be sure to save as a host file, not as a text file).
    Windows wants to save it as text (.txt) so you need to

    1. Change save as type to all files and then
    2. Click on host  (the original file).
  4. Restart any currently open browsers.
  5. You may also want to flush your DNS cache. In Windows XP, go to Start, and then Run, then type “cmd” and hit enter.
    Type the following:ipconfig /flushdns
  6. In your web browser you should see your site as it appears on your testing server when typing http://example.com/ but still be able to see the site on its current web server by visiting http://www.example.com/

How to Edit Your Hosts File on an Apple Macintosh Using Mac OSX

Let us assume for this example your testing server has an IP address 123.123.123.123 and you wish to visit that server when you type “http://example.com” into a web browser BUT still wish to still see the site as the rest of World Wide Web does when you enter “http://www.example.com” into your browser instead.

  1. Open Terminal, which is in Applications, then the Utilities folder. To do this go to the Finder (Desktop) and from the main main bar at the top of the screen choose “Go” and then “Utilities”. Find the Terminal application icon and double click.
  2. You may want to first make a backup copy of your existing hosts file:
    sudo cp /private/etc/hosts /private/etc/hosts-orig

    Enter your user password at the prompt.Then type the following command to edit your hosts file:

    sudo nano /private/etc/hosts

    Enter your user password at the prompt if asked.

  3. You will see a file with contents similar to the following:

    Filename: hosts

    ##

    # Host Database

    #

    # localhost is used to configure the loopback interface

    # when the system is booting. Do not change this entry.

    ##

    127.0.0.1 localhost

    255.255.255.255 broadcasthost

    ::1 localhost

    fe80::1%lo0 localhost

    Using the arrow keys on your keyboard, navigate around this file an add your domain and IP address to the bottom of the file. For example:


    Filename: hosts

    ### Host Database## localhost is used to configure the loopback interface# when the system is booting. Do not change this entry.##127.0.0.1 localhost

    255.255.255.255 broadcasthost

    ::1 localhost

    fe80::1%lo0 localhost

    123.123.123.123 example.com


  4. When done editing the hosts file, press the keyboard combination Control+O to save the file.
    Then press the Enter on the filename prompt to confirm the Save operation. Finally press the keyboard combination Control-X to exit the editor.You may also need to grant yourself sudo priveleges, if you got a permission error in Step 2. In your “Help” menu, search for “root” and select the instructions for “Enabling the root user.” Follow those instructions.
  5. Restart any currently open browsers. You may also want to flush your DNS cache.
    Type the following command into your Terminal window:dscacheutil -flushcache
  6. In your web browser you should see your site as it appears on your testing server when typing http://example.com/ but still be able to see the site on its current web server by visiting http://www.example.com/

Updating Apache to the latest version on DirectAdmin

You can check the current version of apache by running

/usr/sbin/httpd -v


CustomBuild – current

If you’re using custombuild (as most new boxes are), run the following

cd /usr/local/directadmin/custombuild
./build update
./build apache
./build php n
./build rewrite_confs


CustomApache – end-of-life

If you are using customapache with the 1.3 version of apache to the most recent, run the following:

cd /usr/local/directadmin/customapache
./build clean
./build update
./build apache_mod_ssl

If you’re using apache 2.x, use “./build apache_2” isntead of apache_mod_ssl.
This should update both the configure options and the version of apache to the most recent version.  Once the update has completed, you’ll need to restart apache:

RedHat:

/sbin/service httpd restart
FreeBSD:

/usr/local/etc/rc.d/httpd restart

 

How to Optimize MySQL

CentOS
There is a default my.cnf that comes with mysql (4+5) that will make mysql run a bit quicker if you have 2+ gig of ram cp -f /usr/share/mysql/my-large.cnf /etc/my.cnfThere is also my-huge.cnf, or my-medium.cnf depending on your hardware setup.   Check the contents of these my*.cnf files for the one that’s right for you.

*NOTE* the log-bin option is enabled  by default.  This will quickly use a lot of disk space.  It’s recommended to comment out the log-bin line from your /etc/my.cnf, if it exists.

 

Remember to restart mysql when you are done with your my.cnf tweaking:

Redhat:/sbin/service mysqld restart

FreeBSD:/usr/local/etc/rc.d/mysqld restart

Increase /tmp partition size in cPanel and secure it

1. Stop cpanel, apache (or whatever webserver you are using), mysql services:

/etc/init.d/cpanel stop
/etc/init.d/httpd stop
/etc/init.d/mysql stop

2. Umount /tmp and /var/tmp:

umount -l /tmp
umount -l /var/tmp

3. Move /usr/tmpDSK file to another location (just in case you’ll need to mount it somewhere else to preserve data):

mv /usr/tmpDSK /usr/tmpDSK_back

4. Modify /scripts/securetmp to set tmpdsksize to desired size:

vi /scripts/securetmp

$tmpdsksize = 2048000

5. Run:

/scripts/securetmp

6. Start cpanel, apache (webserver), mysql services:

/etc/init.d/cpanel start
/etc/init.d/httpd start
/etc/init.d/mysql start

How to generate a Strong Password

Overview

Creating and using strong passwords is an important part of your server security.

NOTE:

If your old password was compromised, make sure that your new password is very different from your old one.

Things to include

  1. At least eight characters.
  2. One or more of each of the following:
    • lower-case letter
    • upper-case letter
    • number
    • punctuation mark
  3. Lookalike characters to protect against password glimpses. Examples:
    • O as in Oscar and the number 0.
    • Lower-case l and upper-case I.
    • The letter S and the $ sign.

Things to avoid

  1. Words you can find in the dictionary.
  2. Passwords shown as “example strong passwords.”
  3. Personal information, such as names and birth dates.
  4. Keyboard patterns, like qwerty or 12345. Particularly avoid sequences of numbers in order.
  5. Common acronyms.
  6. All one type of character – such as all numbers, all upper-case letters, all lower-case letters, etc.
  7. Repeating characters, such as mmmm3333.
  8. The same password you use for another application.

Memorable password tips

While passwords that are easy for you to remember are also less secure than a completely random password, following these tips can help you find the right balance between convenience for you and difficulty for hackers.

  1. Create a unique acronym for a sentence or phrase you like.
  2. Include phonetic replacements, such as ‘Luv 2 Laf’ for ‘Love to Laugh.’
  3. Jumble together some pronounceable syllables, such as ‘iv,mockRek9.’

Keep your password secret

  1. Never tell your password to anyone (this includes significant others, roommates, coworkers, etc.). If you need to grant someone access to your server, set up a separate username and password for that person.
  2. Never write your password down, especially not anywhere near your computer.
  3. Do not store your password in a plain text file on your computer.
  4. Never send your password over an unecrypted connection – including unencrypted email.
  5. Periodically test your current password.
  6. Update your password every six months.

Third-party tools

Password generators

Password strength tests

Password storing tools

Hotlink protection: How-To prevent people from stealing your files

 

Create an .htaccess file in your public_html directory with the following code:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www.)?domain.com.*$ [NC]
RewriteRule .(gif|jpg)$ – [F]

Where domain.com is your domain.

 

Setting up DA with an SSL certificate

You can switch DirectAdmin to use SSL instead of plain text. -> https instead of http on port 2222.
Note that this is for the DirectAdmin connection on port 2222, *not* for apache.
If you’re tryting to setup a certificate for your domain through apache, use this guide.

If you do not have your own certificates, you’ll need to create your own:/usr/bin/openssl req -x509 -newkey rsa:2048 -keyout /usr/local/directadmin/conf/cakey.pem -out /usr/local/directadmin/conf/cacert.pem -days 9000 -nodes

chown diradmin:diradmin /usr/local/directadmin/conf/cakey.pem
chmod 400 /usr/local/directadmin/conf/cakey.pem


This is the old method, use either the one above, or this one.  The end result is the same, but takes more steps.
openssl req -new -x509 -keyout /usr/local/directadmin/conf/cakey.pem.tmp -out /usr/local/directadmin/conf/cacert.pem -days 3653

openssl rsa -in /usr/local/directadmin/conf/cakey.pem.tmp -out /usr/local/directadmin/conf/cakey.pem

rm -f /usr/local/directadmin/conf/cakey.pem.tmp
chown diradmin:diradmin /usr/local/directadmin/conf/cakey.pem
chmod 400 /usr/local/directadmin/conf/cakey.pem

(Paste these one at a time as the first 2 require user input)


If you already have your own certificate and key, then paste them into the following files:

certificate:  /usr/local/directadmin/conf/cacert.pem
key: /usr/local/directadmin/conf/cakey.pem

Edit the /usr/local/directadmin/conf/directadmin.conf and set SSL=1  (default is 0).  This tells DA to load the certificate and key and to use an SSL connection.
Ensure your directadmin.conf has the values set:cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem

but can be changed as needed.

DirectAdmin needs to be restarted after any changes to the directadmin.conf.

If you also have a CA Root Certificate, this can be specified by adding:carootcert=/usr/local/directadmin/conf/carootcert.pem

into the /usr/local/directadmin/conf/directadmin.conf file (won’t exist by default) and by pasting the contents of the caroot cert into that file.

Note, as of 1.30.2, you can set the value of the SSL redirect should a User connect to an https connection with plaintext http.
http://www.directadmin.com/features.php?id=801

For 1.33.0, you can force DA to redirect to a specific hostname if you wish the host to match the cert installed:
http://www.directadmin.com/features.php?id=917
However, if they connect to https on a different host, they’ll first get the ssl warning (since ssl is established before the host is passed), then they’ll be redirected to the correct host, where the error would not appear (assuming you’ve got a valid cert setup)

As of 1.33.3, you can enable a ssl cipher to force SSLv3, and disable SSLv2:
http://www.directadmin.com/features.php?id=957

How to upgrade mysql with custombuild

To upgrade mysql using the custombuild script, do the following:

cd /usr/local/directadmin/custombuild
./build set mysql 5.1
./build set mysql_inst yes
./build set mysql_backup yes
./build update
./build mysql

Where mysql can be 5.0, 5.1 or 5.5.

A full raw sql backup will be run prior to the upgrade if you have mysql_backup=yes set.  It goes without saying, always make backups, either with this tool, or with other means.

After the mysql update, always recompile php.

./build php n