5 Tips for any Linux administrator
February 24, 2010 · Filed Under Tutorials

1) Disable a user's account quickly.

Every administrator at one point or another needs to quickly remove a user's access to a Linux server. We can do the following:

usermod -L Johnny

The above denies Johnny the ability to log in to your Linux system via sshd and so on. What it does is add a ! in front of the encrypted password in /etc/shadow. Should Johnny decide to behave, and you're bored enough to unlock him, issue the following:

usermod -U Johnny

The above will remove the ! and Johnny will be able to log in to the system again.
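One thing worth checking before you consider Johnny gone: on Linux distributions where OpenSSH is built with PAM (the default), the ! prefix only disables password authentication. If Johnny has an SSH public key in his authorized_keys file, he can still log in until the account itself is expired. The following script is an added example, not code from the original post. It classifies constructed /etc/shadow-style records (the user names, hashes and dates are made up) so you can see the difference between a locked password and a disabled account, and shows the two-step lock (usermod -L plus chage -E 0) that closes both doors.

```shell
#!/bin/sh
# Added example (not from the original post): classify how an account in an
# /etc/shadow-style record can still be reached. The sample records below are
# constructed; "today" is passed in as days since 1970-01-01 so the function
# can be exercised offline. Field 2 is the password hash, field 8 the expiry.
account_status() {
    record=$1
    today=$2
    hash=$(printf '%s' "$record" | cut -d: -f2)
    expire=$(printf '%s' "$record" | cut -d: -f8)

    # An expiry date at or before today disables the account for every
    # authentication method, SSH public keys included.
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo expired
        return 0
    fi
    case "$hash" in
        '!'*) echo password-locked ;;   # usermod -L / passwd -l prefix: only password auth is blocked
        '*')  echo no-password ;;       # system account that never had a password
        '')   echo empty-password ;;    # no password at all: anyone can log in as this user
        *)    echo active ;;
    esac
}

# Lock the password AND expire the account (needs root; defined but not run here).
# usermod -L alone leaves SSH public-key logins working on PAM-enabled OpenSSH.
disable_account() {
    usermod -L "$1" && chage -E 0 "$1"
}

# Constructed sample records for a quick demonstration.
TODAY=14664   # 2010-02-24 expressed in days since the epoch
for rec in \
    'johnny:!$6$x7s1$h4sh:14600:0:99999:7:::' \
    'alice:$6$x7s1$h4sh:14600:0:99999:7:::' \
    'bob:!$6$x7s1$h4sh:14600:0:99999:7::1:' \
    'daemon:*:14600:0:99999:7:::'
do
    printf '%-8s %s\n' "${rec%%:*}" "$(account_status "$rec" "$TODAY")"
done
```

Run it as-is to see johnny reported as password-locked (keys still work), bob as expired (nothing works), alice as active and daemon as no-password. Pointing the same function at the real /etc/shadow, one line at a time, gives you a quick audit of which "disabled" accounts are only half disabled.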

2) Disable ICMP Echo Replies (aka stop your Linux server from replying to pings)

Ping? Pong! So you want to stop replying to ICMP echo (ICMP_ECHO) packets. This is often done during a DoS, where replying to every packet with an ICMP_ECHO_REPLY quickly saturates the pipe. What we can do is disable replies on the system.

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Now ping your system. Get anything back? To re-enable ICMP replies, issue the below.

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

3) Limit your ssh daemon (sshd) to certain IPs.

What we are going to do here is use tcpwrappers to limit access to sshd to certain IP blocks. In this case, we will use your home IP and grant yourself access to sshd. We do this by editing /etc/hosts.allow and /etc/hosts.deny respectively. This is great for stopping brute-force attacks, and a nice bit of security in general.

echo 'SSHD : YOURIPHERE : ALLOW' >> /etc/hosts.allow

Now, we’ve granted your home IP access. Make sure this is the correct address!

echo 'SSHD : ALL : DENY' >> /etc/hosts.deny

Now you have blocked sshd access for everybody NOT defined in /etc/hosts.allow – be careful!
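Because the two files interact, it pays to know the evaluation order before you lock yourself out: libwrap reads /etc/hosts.allow first, then /etc/hosts.deny, and a connection matched by neither file is allowed. The script below is an added example, not part of the original post, and it is a deliberately simplified model of that logic (real libwrap also handles host names, domain suffixes, netmasks and EXCEPT clauses). It runs against constructed copies of both files, with 203.0.113.10 standing in for YOURIPHERE, so you can test the decisions offline. Note also that OpenSSH 6.7 and later no longer link against tcp_wrappers, so on newer systems these files have no effect on sshd at all.

```shell
#!/bin/sh
# Added example (not from the original post): a simplified model of how
# tcp_wrappers evaluates /etc/hosts.allow and /etc/hosts.deny, run against
# constructed copies of both files. Supported patterns: ALL, an exact IP, and
# a trailing-dot network prefix such as "192.168.1.".

# tcpd_match PATTERN VALUE -> success if the pattern covers the value.
tcpd_match() {
    pat=$1
    val=$2
    case "$pat" in
        ALL|all) return 0 ;;
        *.)  case "$val" in "$pat"*) return 0 ;; esac; return 1 ;;
        *)   [ "$pat" = "$val" ] ;;
    esac
}

# tcpd_scan_file FILE DAEMON CLIENT DEFAULT_VERDICT
# Prints ALLOW or DENY for the first matching line (an explicit ALLOW/DENY
# option on the line wins over the file's default) and returns 1 if nothing
# matched. Daemon names compare case-insensitively, as libwrap does.
tcpd_scan_file() {
    file=$1
    daemon=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    client=$3
    default_verdict=$4
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                # drop comments
        case "$line" in *:*) ;; *) continue ;; esac     # skip blank/malformed lines
        d=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' \t' | tr 'A-Z' 'a-z')
        c=$(printf '%s' "$line" | cut -d: -f2 | tr -d ' \t')
        o=$(printf '%s' "$line" | cut -d: -f3 | tr -d ' \t' | tr 'a-z' 'A-Z')
        if tcpd_match "$d" "$daemon" && tcpd_match "$c" "$client"; then
            case "$o" in
                ALLOW|DENY) printf '%s\n' "$o" ;;
                *)          printf '%s\n' "$default_verdict" ;;
            esac
            return 0
        fi
    done < "$file"
    return 1
}

# hosts_access DAEMON CLIENT ALLOW_FILE DENY_FILE -> ALLOW or DENY.
# hosts.allow is consulted first, then hosts.deny; a connection matched by
# neither file is ALLOWED, which is the part that bites people.
hosts_access() {
    v=$(tcpd_scan_file "$3" "$1" "$2" ALLOW) && { printf '%s\n' "$v"; return 0; }
    v=$(tcpd_scan_file "$4" "$1" "$2" DENY)  && { printf '%s\n' "$v"; return 0; }
    printf 'ALLOW\n'
}

# Constructed files mirroring the post's two echo commands, plus a second
# allow line for a home network prefix. 203.0.113.10 stands in for YOURIPHERE.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'sshd : 203.0.113.10 : ALLOW\nsshd : 192.168.1. : ALLOW\n' > "$demo_dir/hosts.allow"
printf 'SSHD : ALL : DENY\n' > "$demo_dir/hosts.deny"

for who in 'sshd 203.0.113.10' 'sshd 192.168.1.44' 'sshd 198.51.100.7' 'vsftpd 198.51.100.7'; do
    set -- $who
    printf '%-7s from %-14s -> %s\n' "$1" "$2" \
        "$(hosts_access "$1" "$2" "$demo_dir/hosts.allow" "$demo_dir/hosts.deny")"
done
```

The last demo line is the one to notice: because the post's deny rule names only SSHD, any other wrapped service stays open to the world. If you want the deny file to be a real default-deny, the usual line is ALL : ALL, with every permitted service spelled out in hosts.allow.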

4) Disabling TRACE in Apache. A very common cause of failure in PCI-related scans.

Often, when running PCI-related webserver scans (or PCI-related webserver scams....) you will see that TRACE is enabled in Apache, and now you've failed.

echo 'TraceEnable Off' >> /etc/httpd/conf/httpd.conf
service httpd restart

You may have to replace /etc/httpd/conf/httpd.conf above with the path to your main Apache configuration file. We then restart Apache so the changes take effect. You can now re-run the scan if this was the only issue it detected.

5) Disabling SELinux

Bah, SELinux. You want it gone but it keeps coming back. Below you will see how to disable SELinux.

Take your favorite Linux text editor (in this case we will use nano; you can use vi, pico, etc. as you wish).

nano /etc/selinux/config

We want to change "SELINUX=whatever" to SELINUX=disabled, then save the changes.

This still isn’t enough. To fully disable SELinux, you need to do one additional step.

echo 0 > /selinux/enforce
reboot

PHP opcode caching
February 24, 2010 · Filed Under Tutorials

Install APC Caching

One of the most common sources of webserver load today is the ever-so-needed PHP. PHP is usually a must-have; often there is no way around it. It's just too popular and mainstream on today's Internet. How would we reduce load caused by PHP? Well, what we CAN do is install some caching. I prefer APC myself: it's easy, fast and it plain works. The problem with APC is that you cannot run Zend and ionCube alongside it. This usually crosses it off for shared hosting servers.

APC works by caching PHP opcodes and storing them in memory (RAM). This usually significantly reduces the load PHP applications place on your server. For this example, we will assume you are running PHP 5.2, the Apache webserver and the CentOS Linux operating system.

Onto installing APC!

The first way is available if you have php-pear installed: then we can use PECL :)

The first thing you can try is installing straight from PECL. Depending on things such as /tmp hardening, SELinux status, etc., this may not work. I'll explain how to get around that and install APC for PHP caching in a moment.

pecl install apc
nano /usr/local/lib/php.ini
service httpd restart

Of course, remove the Zend-related lines. If your php.ini is in a different spot, change the path above. If you don't have nano installed, use vi, or whatever editor you DO have installed.

A lot of the time, installing APC for PHP caching doesn't work with the above. The reasons can be that /tmp is mounted noexec, SELinux is blocking the C compiler, etc. So, what I do is the following:

pecl download apc
tar zxvf APC-*.tgz    # pecl download only fetches the tarball; unpack it first
cd APC-*/
phpize
./configure --enable-apc
make && make install

Now, if everything above worked, you need to uncomment the Zend lines in your php.ini again (/usr/local/lib/php.ini for cPanel users) and add extension=apc.so to your php.ini as well. Then you can:

service httpd restart
php -i | grep -i apc

Now APC caching for PHP should be enabled! Congratulations, and I hope the PHP-induced load on your Linux webserver is now dropping steadily.

Setting up a HTTP load balancer
February 23, 2010 · Filed Under Tutorials

HAProxy is a TCP load balancing application. It can be used to load balance any TCP connections (e.g. email: SMTP and so on), not just webservers. Very conveniently, however, HAProxy does in fact have its own mode for HTTP-specific applications. In this guide, we will set up HAProxy in front of 2 fictional Apache webservers, with the HAProxy server running CentOS. Requests are distributed between the two servers in a round-robin fashion; if one server goes offline, we will begin serving all connections to the other.

An important thing to note is that all requests will come from the HAProxy server! Awesomely enough, however, we will include the client's IP in the X-Forwarded-For header of the requests we pass on. This means you can install mod_rpaf on your Apache webserver, or similar, and log the correct IPs.

Let's start.

Login to your Linux server, and install HAProxy.

wget http://haproxy.1wt.eu/download/1.3/src/haproxy-1.3.23.tar.gz
tar zxvf haproxy-1.3.23.tar.gz
cd haproxy-1.3.23
make
cp haproxy /usr/sbin/haproxy

Now, grab an init script for HAProxy so we can easily start/stop it. The good guys over at Rack911 have provided a download for you to use.

wget http://layer1.rack911.com/haproxy/haproxy.init -O /etc/init.d/haproxy
chmod +x /etc/init.d/haproxy

Below is what will become your /etc/haproxy.cfg. The first thing we want to do is set the maximum number of connections HAProxy will handle simultaneously. Note that connections over this limit are queued, not discarded. We set this under the global block. We will also configure the daemon and nbproc settings.

global
    maxconn     4096   # Total max connections. Adjust as needed.
    daemon             # We are going to run HAProxy as a daemon. :)
    nbproc      2      # This HAProxy server is an Atom, so it has 2 cores visible. Set to the number of processing cores you have available.

# Next we're going to set some other HAProxy settings under the defaults block.

defaults
    mode http          # Run HAProxy in HTTP mode. HAProxy can do a lot more than HTTP!
    clitimeout 60000   # Wait 60,000ms (60s) for the client before timing it out.
    srvtimeout 20000   # We will only wait 20 seconds for the server to reply to us.
    contimeout 5000    # The server has 5 seconds to accept our connection initially.
    option httpclose   # Disable keepalive. Check your webserver's KeepAlive value. Defaults to off in Apache2.

# Finally, the below is the last piece of meat we need. Remember to use an IP not bound to port 80!

listen  http_proxy ip:80   # Place your selected IP in the ip spot. IP and port number separated by a colon.
    balance roundrobin     # Load balancing algorithm
    option httpchk         # We want to see which servers aren't working for us. Can also specify URIs for this.
    option forwardfor      # This sets X-Forwarded-For. Remember to load mod_rpaf or similar to gain anything from this.
    ## Define your servers to balance
    server web1 ip:80 weight 1 maxconn 512 check   # 512 max connections.
    server web2 ip:80 weight 1 maxconn 512 check   # 512 max connections on this server.

We should now be able to start HAProxy. You put the above in /etc/haproxy.cfg – right?

service haproxy start

Let's add HAProxy to start on boot.

chkconfig --add haproxy
chkconfig haproxy on

You should now have a simple, configured load balancer. When you visit the selected IP in a web browser, you should be bounced between web1 and web2 in a round-robin fashion.
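The X-Forwarded-For header that option forwardfor adds is only trustworthy because HAProxy appends it after anything the client sent, and because the web server can tell the request arrived from HAProxy. A client can put its own X-Forwarded-For into the request, so the backend must take the LAST value (the one HAProxy appended) and must ignore the header entirely on requests that did not come through the balancer; this is exactly why mod_rpaf asks you to list the proxy addresses. The script below is an added example, not from the original post or from HAProxy's or mod_rpaf's code, and implements that rule over constructed addresses (10.0.0.5 is the fictional HAProxy box).

```shell
#!/bin/sh
# Added example (not from the original post): decide which address a web
# server behind HAProxy should log as the client. Assumes the post's setup:
# the TCP peer is the HAProxy box, and "option forwardfor" appends the real
# client address as the LAST X-Forwarded-For value. Anything a client put in
# the header itself arrives to the left of that and must not be believed.

# client_ip REMOTE_ADDR XFF TRUSTED_PROXIES -> the address to log.
#   REMOTE_ADDR      TCP peer address as seen by the web server
#   XFF              X-Forwarded-For value as received (may be empty)
#   TRUSTED_PROXIES  space-separated addresses allowed to set the header
client_ip() {
    remote_addr=$1
    xff=$2
    trusted=$3

    # Not coming through a trusted proxy: the header is attacker-controlled,
    # so the peer address is the only thing we can log.
    case " $trusted " in
        *" $remote_addr "*) ;;
        *) printf '%s\n' "$remote_addr"; return 0 ;;
    esac

    # Walk the hops right to left, skipping our own proxies; the first
    # address that is not ours is the one the trusted hop appended.
    ip=$(printf '%s\n' "$xff" | awk -v trusted="$trusted" '
        {
            m = split(trusted, t, " ")
            for (j = 1; j <= m; j++) is_trusted[t[j]] = 1
            n = split($0, hops, "[ \t]*,[ \t]*")
            for (i = n; i >= 1; i--) {
                gsub(/^[ \t]+|[ \t]+$/, "", hops[i])
                if (hops[i] != "" && !(hops[i] in is_trusted)) { print hops[i]; exit }
            }
        }')
    if [ -n "$ip" ]; then
        printf '%s\n' "$ip"
    else
        printf '%s\n' "$remote_addr"   # header missing, or only our own proxies in it
    fi
}

# Constructed requests: the load balancer is 10.0.0.5, a second tier is 10.0.0.6.
LB=10.0.0.5
client_ip "$LB" '203.0.113.9' "$LB"                      # plain request via HAProxy
client_ip "$LB" '192.0.2.1, 203.0.113.9' "$LB"           # client tried to spoof 192.0.2.1
client_ip 198.51.100.7 '192.0.2.1' "$LB"                 # bypassed HAProxy: header ignored
client_ip "$LB" '203.0.113.9, 10.0.0.6' "$LB 10.0.0.6"   # two-tier proxy chain
```

All four demo calls print the address a correct log line should carry. Whatever module you use on the Apache side, configure it with the same trusted-proxy list; a backend that honours X-Forwarded-For from arbitrary peers lets anyone forge the source address in your logs and in any IP-based access control built on them.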

We’d like to thank Rack911 for their assistance with this tutorial.

FastDeploy Install Guide
October 8, 2009 · Filed Under Tutorials

In this tutorial, we’ll cover how to install the automated operating system loader, FastDeploy.

To begin, you need a LAMP install. Once this is done, you need to install PEAR, which can be done by running the following command:

lynx -source http://pear.php.net/go-pear | php

After this is installed, install the necessary modules:

pear install HTML_QuickForm HTML_QuickForm_advmultiselect File_SearchReplace MDB2 MDB2_Driver_mysql

Now it is time to start installing FastDeploy. Let’s assume you are installing to /var/www/html.

Download this file, and extract its contents to /var/www/html. After this completes, it is time to create the database for FastDeploy.

For the sake of this tutorial, we will create a database named ‘fastdeploy’ with a user ‘fastdeploy’ and the password ‘pa55w0rd’.

mysqladmin -u root --password=chosenrootpassword create fastdeploy
mysql -u root --password=chosenrootpassword
mysql> GRANT SELECT,INSERT,ALTER,UPDATE,DELETE,CREATE,DROP ON fastdeploy.* TO 'fastdeploy'@'localhost' IDENTIFIED BY 'pa55w0rd';

After this command runs, import the base SQL for fastdeploy:

mysql -u fastdeploy --password=pa55w0rd fastdeploy < /var/www/html/fastdeploy/scripts/sql/fastdeploy.mysql

Edit /var/www/html/fastdeploy/includes/config.php to reflect the proper information for your database, and the appropriate paths to the TFTPd installation on your system.

After it's done, visit http://url/fastdeploy/install/ and run the installation.

You’re all set!

Check back soon for a tutorial on how to set up a TFTPd server.

Install ServerStats on Debian
May 10, 2009 · Filed Under Tutorials

This tutorial will quickly explain how to install and set up ServerStats (http://hostingfu.com/article/server-monitoring-cacti-serverstats) on your server. This will set ServerStats to run on port 9087. Make sure port 9087 is open in your firewall, or adjust the port below to match the port you chose and opened in your firewall. This tutorial MUST be executed as the root user.

Let’s install the dependencies needed to get the script working.

apt-get install libpcre3 libpcre3-dev xinetd build-essential -y

Once this finishes running, it's time to download the source code of the script and install it on your server. You can do this by running the following steps:

cd /usr/src
wget http://hostingfu.com/files/serverstats/serverstats-0.1.tgz
tar -xf server*
cd server*
make && make install

Once this finishes running (which should only be a few seconds, since it’s one file), it’s time to complete the configuration. This can be done with the following steps:

cd /etc/xinetd.d

echo "service serverstats" > serverstats
echo "{" >> serverstats
echo " type = UNLISTED" >> serverstats
echo " socket_type = stream" >> serverstats
echo " wait = no" >> serverstats
echo " user = nobody" >> serverstats
echo " server = /usr/local/bin/serverstats" >> serverstats
echo " port = 9087" >> serverstats
echo " disable = no" >> serverstats
echo "}" >> serverstats

Once this finishes, all that is left is to restart xinetd and you are set, which can be done by running:

/etc/init.d/xinetd restart
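As written, the stanza above answers anyone who can reach port 9087, so the only thing standing between the Internet and your server statistics is the firewall rule the tutorial asks you to add. xinetd can enforce the same restriction itself with its standard only_from directive, which gives you a second layer if the firewall rule is ever lost. The following is an added example of the hardened stanza, not part of the original tutorial or of ServerStats; the address is a placeholder for your monitoring (Cacti) host.

```text
# /etc/xinetd.d/serverstats (hardened variant of the stanza built above)
service serverstats
{
    type        = UNLISTED
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/local/bin/serverstats
    port        = 9087
    disable     = no
    # Placeholder: replace with the address (or network) of the host that polls the stats.
    only_from   = 198.51.100.20
}
```

Connections from any other address are refused by xinetd before the serverstats binary is ever started, and xinetd logs the refusal, which also gives you a cheap indicator that something other than your monitoring host is probing the port.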

We also have created a shell script to do this for you automatically, available here.
