Apache Security Tips - Permissions on ServerRoot Directories
In typical operation, Apache is started by the root user, and it switches to the user defined by the User directive to serve requests. As is the case with any command that root executes, you must take care that it is protected from modification by non-root users. Not only must the files themselves be writable only by root, but so must the directories, and the parents of all directories. For example, if you choose to place ServerRoot in /usr/local/apache then it is suggested that you create that directory as root, with commands like these:
mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs
It is assumed that /, /usr, and /usr/local are only modifiable by root. When you install the httpd executable, you should ensure that it is similarly protected:
cp httpd /usr/local/apache/bin
chown 0 /usr/local/apache/bin/httpd
chgrp 0 /usr/local/apache/bin/httpd
chmod 511 /usr/local/apache/bin/httpd
You can create an htdocs subdirectory that is modifiable by other users, since root never executes any files from there and should not be creating files there.
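A quick way to verify the chain of trust described above is to walk from ServerRoot (or its bin/ and conf/ subdirectories) up to / and flag any component that is not root-owned or is group/other writable. The script below is an added example, not part of the original tip; it assumes GNU stat (Linux) and uses the optional TOP and WANT_UID arguments only so the demo can run on a constructed tree owned by a normal user.

```shell
#!/bin/sh
# Added example, not from the original tip: audit the directory chain that root
# trusts when it starts httpd. Every component from DIR up to and including TOP
# must be owned by WANT_UID and must not be writable by group or others; a
# writable component would let a non-root user swap in a different bin/ or conf/.
# Needs GNU stat (Linux). Usage: check_root_chain DIR [TOP] [WANT_UID]
# Defaults: TOP=/ WANT_UID=0, i.e. the check the tip describes for ServerRoot.
check_root_chain() {
  dir=$1
  top=${2:-/}
  want_uid=${3:-0}
  bad=0
  while :; do
    uid=$(stat -c %u "$dir") || return 2      # numeric owner
    mode=$(stat -c %a "$dir") || return 2     # permission bits, octal
    if [ "$uid" != "$want_uid" ]; then
      echo "BAD owner uid=$uid (want $want_uid): $dir" >&2
      bad=1
    elif [ $(( 0$mode & 022 )) -ne 0 ]; then  # 022 = group-write | other-write
      echo "BAD mode $mode (group/other writable): $dir" >&2
      bad=1
    fi
    [ "$dir" = "$top" ] && break
    parent=$(dirname "$dir")
    [ "$parent" = "$dir" ] && break           # reached / without meeting TOP
    dir=$parent
  done
  return $bad
}

# Stand-alone demo on a constructed tree owned by the current user: a clean
# chain passes, then a group-writable conf/ is flagged.
demo=$(mktemp -d)
mkdir -p "$demo/apache/conf"
chmod 755 "$demo" "$demo/apache" "$demo/apache/conf"
check_root_chain "$demo/apache/conf" "$demo" "$(id -u)" && echo "clean chain: OK"
chmod 775 "$demo/apache/conf"
check_root_chain "$demo/apache/conf" "$demo" "$(id -u)" || echo "group-writable conf/ detected"
rm -rf "$demo"
```

On a real server run it as `check_root_chain /usr/local/apache/bin` so that TOP defaults to / and the expected owner to uid 0; a non-zero exit means at least one component needs chown or chmod.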
Tags: Apache, Directories, permissions, Security, ServerRoot, tips
How to extract web files, databases etc from Plesk backup manually?
If the dump file is not too big (for example 100-200MB), you can unzip it and open it in any local email client. The paths in the dump will be shown as attachments. Choose and save the one you need, then unzip it.
Another way is to use the mpack tools, which work with MIME files. This package is included in Debian:
For other Linux systems you can try the RPM from ALT Linux:
ftp://ftp.pbone.net/mirror/ftp.altlinux.ru/pub/distributions/ALTLinux/Sisyphus/files/i586/RPMS/mpack-1.6-alt1.i586.rpm
or compile mpack from the sources: http://ftp.andrew.cmu.edu/pub/mpack/.
- Create an empty directory to extract the backup file:
# mkdir recover
# cd recover
and copy the backup into it. By default the Plesk backup is gzipped (if it is not, use cat instead of zcat), so run zcat to decompress it and pass the data to munpack, which extracts the contents of the directories from the backup file:
# zcat DUMP_FILE.gz > DUMP_FILE
# cat DUMP_FILE | munpack
As a result you get a set of tar and sql files that contain the domains' directories and databases. Untar the directory you need. For example, if you need to restore the httpdocs folder for the DOMAIN.TLD domain:
# tar xvf DOMAIN.TLD.htdocs
Reference: http://parallels.com/
Tags: Backups, extract, Files, Manually, plesk
How to protect one Yum repo’s packages from being replaced by packages from another source?
If you use two different repositories, each holding a different version of the same package, only the newer of the two will be installed when you use yum to update that package. This can lead to problems if a third-party repository contains a newer version of a core system package than the Red Hat repository.
The yum-protectbase plugin protects the packages of the base repository from being replaced by packages from a third-party repository.
To install the plugin, use this command:
yum install yum-protectbase
This will install the plugin and its basic configuration file, /etc/yum/pluginconf.d/protectbase.conf.
Settings are stored under /etc/yum/pluginconf.d/rhnplugin.conf, in a section whose name matches the repo id of the channel. You need to add:
To protect a different repository, edit its configuration file, /etc/yum.repos.d/repository.repo, and add protect = 1 to its section:
[repository]
…
protect = 1
You will need to add this for each repository which needs to be protected.
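Because every section of a .repo file needs its own protect = 1 line, doing it by hand is error-prone on files with several sections. The script below is an added example, not part of the original post or of yum-protectbase: it inserts the line under each [section] that lacks it, leaves already-protected sections alone, and reports how many sections are still unprotected. The sample repo file it creates is constructed for the demo, not a real Red Hat repository definition.

```shell
#!/bin/sh
# Added example, not from the original post: make every repository in a yum
# .repo file a protected repo for yum-protectbase by ensuring each [section]
# carries "protect = 1". Re-running is safe: an existing protect= line is
# rewritten in place (an explicit protect = 0 is overridden, since the caller
# asked for the whole file to be protected) and nothing is duplicated.
# Usage: protect_repo_file /etc/yum.repos.d/repository.repo
protect_repo_file() {
  repo_file=$1
  tmp=$(mktemp) || return 2
  awk '
    NR == FNR {                                  # pass 1: sections that already set protect=
      if ($0 ~ /^\[.*]$/) sec = $0
      else if ($0 ~ /^[ \t]*protect[ \t]*=/) has[sec] = 1
      next
    }
    /^\[.*]$/ {                                  # pass 2: print header, insert where missing
      sec = $0; print
      if (!has[sec]) print "protect = 1"
      next
    }
    /^[ \t]*protect[ \t]*=/ { print "protect = 1"; next }   # normalise existing line
    { print }
  ' "$repo_file" "$repo_file" > "$tmp" || { rm -f "$tmp"; return 2; }
  chmod --reference="$repo_file" "$tmp" 2>/dev/null || :   # keep original mode (GNU chmod)
  mv "$tmp" "$repo_file"
}

# Number of [sections] in FILE without an exact "protect = 1"; 0 means fully protected.
count_unprotected() {
  awk '
    /^\[.*]$/ { n++; sec = $0 }
    /^[ \t]*protect[ \t]*=[ \t]*1[ \t]*$/ { if (!(sec in ok)) { ok[sec] = 1; n-- } }
    END { print n + 0 }
  ' "$1"
}

# Stand-alone demo on a constructed repo file (not a real Red Hat repo definition).
demo=$(mktemp)
printf '[base]\nname=Base\nprotect = 1\n\n[updates]\nname=Updates\n' > "$demo"
echo "unprotected sections before: $(count_unprotected "$demo")"   # 1
protect_repo_file "$demo"
echo "unprotected sections after:  $(count_unprotected "$demo")"   # 0
cat "$demo"
rm -f "$demo"
```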
Tags: Packages, Protect, Repos, yum
Email notification every time users run “sudo” on Linux
For Red Hat and CentOS systems, make sure that sendmail is running on the machine and configured to send out email.
Run visudo and add the following configuration to /etc/sudoers. visudo parses the sudoers file after the edit and will not save the changes if there is a syntax error.
Defaults mail_always
Defaults mailerpath=/usr/sbin/sendmail
Defaults mailto="root@serverbuddies.com"
Defaults mailsub="*** Command run via sudo on %h ***"
Defaults mailerflags="-t"
Tags: Email, linux, Notification, sudo, users
Enable Alternate Port other than 25 or 587 (via SSH) in Plesk
Make a copy of /etc/xinetd.d/smtp_psa. For this walkthrough the new filename created is smtp_nonstandard. A command like this should work:
cp /etc/xinetd.d/smtp_psa /etc/xinetd.d/smtp_nonstandard
Open the copy you just made (vi /etc/xinetd.d/smtp_nonstandard) and add these lines:
type = UNLISTED
port = 2525
and change the service name to match the name of the file. A sample smtp_nonstandard looks like this:
service smtp_nonstandard
{
        type        = UNLISTED
        socket_type = stream
        protocol    = tcp
        port        = 2525
        wait        = no
        disable     = no
        user        = root
        instances   = UNLIMITED
        server      = /var/qmail/bin/tcp-env
        server_args = -Rt0 /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
Restart xinetd:
/etc/init.d/xinetd restart
You should now be able to send mail through your server on port 2525. You may pick a different port if you use this method; we suggest choosing a high port number to avoid ports that are commonly used on the internet.
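Before restarting xinetd it is worth checking the new stanza for the three things this walkthrough relies on: the service name matching the file name (a stanza written as "service = name" fails this check), "type = UNLISTED" being present because smtp_nonstandard is not in /etc/services, and the chosen port not colliding with a service that is already assigned. The linter below is an added example, not part of the original post or of Plesk; the services file and stanza it creates for the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: lint an xinetd stanza such as
# smtp_nonstandard before restarting xinetd. It checks the points the walkthrough
# depends on: the service name matches the file name, a name that is not in
# /etc/services carries "type = UNLISTED" (xinetd will not start it otherwise),
# and the port is a number not already assigned to another tcp service.
# Usage: lint_xinetd_stanza FILE [SERVICES]   (SERVICES defaults to /etc/services)
xinetd_key() {   # value of "KEY = value" in FILE, first match, trailing blanks removed
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}
lint_xinetd_stanza() {
  file=$1
  services=${2:-/etc/services}
  errors=0
  name=$(sed -n 's/^[[:space:]]*service[[:space:]][[:space:]]*\([^[:space:]{]*\).*/\1/p' "$file" | head -n 1)
  port=$(xinetd_key "$file" port)
  type=$(xinetd_key "$file" type)
  if [ "$name" != "$(basename "$file")" ]; then
    echo "service name '$name' does not match file name '$(basename "$file")'" >&2; errors=1
  fi
  case $port in
    ''|*[!0-9]*) echo "port '$port' is not a number" >&2; errors=1 ;;
    *) if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
         echo "port $port is out of range" >&2; errors=1
       elif awk -v p="$port/tcp" '$2 == p { f = 1 } END { exit !f }' "$services"; then
         echo "port $port is already assigned in $services" >&2; errors=1
       fi ;;
  esac
  # a service name absent from the services file must be declared UNLISTED
  if ! awk -v n="$name" '$1 == n { f = 1 } END { exit !f }' "$services"; then
    case $type in
      *UNLISTED*) ;;
      *) echo "'$name' is not in $services: add 'type = UNLISTED'" >&2; errors=1 ;;
    esac
  fi
  return $errors
}

# Stand-alone demo with a constructed stanza and a two-line services file.
d=$(mktemp -d)
printf 'smtp 25/tcp mail\nsubmission 587/tcp\n' > "$d/services"
printf 'service smtp_nonstandard\n{\n    type = UNLISTED\n    port = 2525\n    disable = no\n}\n' > "$d/smtp_nonstandard"
lint_xinetd_stanza "$d/smtp_nonstandard" "$d/services" && echo "smtp_nonstandard: OK"
rm -rf "$d"
```

On the real system run `lint_xinetd_stanza /etc/xinetd.d/smtp_nonstandard` so the check uses the host's own /etc/services.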
Tags: Alternate, mail, Port, SMTP