Control mounting a file system
You can exert more control over how file systems such as the /home and /tmp partitions are mounted by using options like noexec, nodev, and nosuid. These are set in the /etc/fstab text file. The fstab file describes the mount options for the various file systems; each line addresses one file system.
The security-related options in the fstab file are:
defaults: Allow everything (quota, read-write, and suid) on this partition.
noquota: Do not set user quotas on this partition.
nosuid: Do not allow SUID/SGID access on this partition.
nodev: Do not allow character or special device access on this partition.
noexec: Do not allow execution of any binaries on this partition.
quota: Allow user quotas on this partition.
ro: Allow read-only on this partition.
rw: Allow read-write on this partition.
suid: Allow SUID/SGID access on this partition.
More information can be found in the mount(8) man page.
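As an added example (not part of the original page), the shell function below audits fstab-format text for mount points that lack the nosuid, nodev, or noexec options described above. The function names and the sample entries are constructed for illustration; on a real host, feed it /etc/fstab on standard input.

```shell
#!/bin/sh
# audit_fstab MOUNTPOINT... < fstab-file
# Prints "<mountpoint> missing:<options>" for every listed mount point whose
# entry lacks nosuid, nodev or noexec, and "<mountpoint> not-in-fstab" when
# there is no entry at all. Options are read left to right and the last one
# wins, so "noexec,exec" counts as noexec missing. Implied options (for
# example those set by "user") are not modelled here.
audit_fstab() {
    awk -v targets="$*" '
    BEGIN { n = split(targets, t, " "); split("nosuid nodev noexec", want, " ") }
    /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
    { opts[$2] = $4 }                  # field 2 = mount point, field 4 = options
    END {
        for (i = 1; i <= n; i++) {
            mp = t[i]
            if (!(mp in opts)) { print mp " not-in-fstab"; continue }
            m = split(opts[mp], o, ",")
            missing = ""
            for (k = 1; k <= 3; k++) {
                eff = 0
                for (j = 1; j <= m; j++) {
                    if (o[j] == want[k]) eff = 1
                    else if ("no" o[j] == want[k]) eff = 0   # later "exec" cancels "noexec"
                }
                if (!eff) missing = missing (missing == "" ? "" : ",") want[k]
            }
            if (missing != "") print mp " missing:" missing
        }
    }'
}

# Constructed sample input, not taken from a real host.
sample_fstab() {
    cat <<'EOF'
# device   mountpoint  type  options                       dump pass
/dev/sda1  /           ext4  defaults                      1 1
/dev/sda2  /tmp        ext4  defaults,nosuid,nodev,noexec  1 2
/dev/sda3  /home       ext4  defaults,nosuid               1 2
/dev/sda5  /var/tmp    ext4  rw,noexec,nodev,exec          1 2
EOF
}

# Demo run: /tmp is fully hardened and therefore produces no line.
sample_fstab | audit_fstab /tmp /home /var/tmp /dev/shm
```

To check a live system, run: audit_fstab /tmp /home < /etc/fstab. Options only take effect after the file system is remounted.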
Mass IP addresses change in Plesk Control Panel
Solution: Using the special utility reconfigurator.pl in Plesk
#/usr/local/psa/bin/reconfigurator.pl
Plesk reconfigurator - utility to change IP addresses used by
Plesk Server Administrator
usage:
/usr/local/psa/bin/reconfigurator.pl
If doesn’t exists - template will be created, otherwise it will be used to map IP addresses.
There is the special utility reconfigurator.pl in Plesk that allows you to change IPs in Plesk base and reconfigure domain settings with new IPs.
This utility is available in the /usr/local/psa/bin directory.
The new IP addresses must NOT exist in the Server > IP Addresses list in the Plesk control panel before replacement; they may be added at the system level only. If the IP addresses do not exist in the system, the utility will add the new IPs to the system as well.
Upgrading Your Plesk Control Panel
You can easily install the necessary updates, control panel add-ons, and even upgrade your control panel to the latest available release using Parallels Plesk Panel Updater function within your control panel.
To upgrade your Parallels Plesk Panel or update its components:
1. Go to Home > Updates (in the Help & Support group).
The control panel connects to the Parallels official update server at URL http://autoinstall.plesk.com, retrieves information on the available releases, then analyses the components installed in the system and displays the lists of available releases and component updates. For each release a brief description of available operations is displayed.
2. Select the release version that you want to update, or upgrade to. A list of available components appears.
3. Select the check boxes corresponding to the components you wish to install and click Install. A confirmation screen appears.
4. Specify your e-mail address. You will be sent a notice by e-mail once the update is completed. To confirm installation of the selected components, select the check box and click OK. The components/updates you selected will be downloaded and automatically installed in the background.
You can check for errors in the autoinstaller.log file located in the /tmp directory on the server hard drive.
Monitoring Connections to Plesk Control Panel
To find out which of your customers are logged in to the control panel at the moment:
Go to Home > Active Sessions (in the Security group). All sessions, including yours, will be presented and the following details will be displayed:
Type. The type of control panel user who established the session: administrator, reseller or client, Web site owner, mailuser for mailbox owner.
Login. The login name the user is logged in as.
IP address. The IP address from which the control panel is accessed.
Logon time. The date and time when the user logged in to the control panel.
Idle time. The time that the user was not doing anything in the control panel while being logged in.
To refresh the list of user sessions, click Refresh.
To end a user session, select the respective check box and click Remove, then confirm removal and click OK.
There are some trojans that scan networks for services on ports from 31337 to 31340.
Since there are no legitimate services that communicate via these non-standard ports, blocking them can effectively diminish the chances that potentially infected nodes on your network independently communicate with their remote master servers.
iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
You can also block outside connections that attempt to spoof private IP address ranges to infiltrate your LAN. For example, if your LAN uses the 192.168.1.0/24 range, a rule can set the Internet-facing network device (for example, eth0) to drop any packets to that device with an address in your LAN IP range. Because it is recommended to reject forwarded packets as a default policy, any other spoofed IP address to the external-facing device (eth0) is rejected automatically.
iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP
The REJECT target denies access and returns a connection refused error to users who attempt to connect to the service. The DROP target, as the name implies, drops the packet without any warning.