I don't really know much about how mod_security rules work, I've just clicked on default configuration in WHM.
Anyway one user on our vbulletin board has pmed me saying he can't access the board. He gave me his fixed ip. And I noticed it is in CSF denied ip list as:
lfd: 5 (mod_security) login failures from xx.xx....
I've checked mod_security log and it has like twenty entries for this ip saying: ....
After a few days of not getting even "one" spam out of an average of 70 messages a day... the company manager got angry! He thought the mail system was down.
Our provider - a VDS subscriber who rents us a shared plan for a website - said: we changed nothing. I confirmed: did you install any new anti-spam software on the site... they said: NO.
In the next conversation with the company manager, they told him they had installed new anti-spam software on the whole server and cannot turn it off for our site specifically.
The problem is, they already had a kind of anti-spam software which only "marks" spam-like messages with "**SPAM**" in the subject line, and doesn't mark others. I am afraid some customers' emails get marked and deleted by this new software they claim to have implemented, based on false positives.
Many times my emails in Yahoo and Hotmail go to the Spam/Junk folder for some not widely known reasons, like sending to myself while putting recipients in CC, and other strange reasons like just using CC in an auto-reply! Something any non-tech person might do.
I am thinking of switching to a new host where we only host mails (MX record), so we don't have "any" email deleted without our check.
I tried a little searching both in Google and on here but this is probably going to be a private or member-based thing anyway.
I've gotten a couple comments that some of my outbound personal mail is ending up in spam folders. I think it's almost completely limited to having Outlook (or Express?) as a client... which I assume doesn't even do network-based lookups. Nonetheless I don't seem to be on any blacklists, and running it through my own spamassassin filter comes up basically zero score. But the fact that more than one person has had the problem concerns me greatly. Also, I haven't seen any significant reason why the content itself would trigger anything.
I realize a public spam test service would basically be a "testing ground" for spammers to evade detection, but there's obviously legitimate uses as well... is there such a tool somewhere? Thanks for any advice. Public information sharing is key to a forum, but PMs are welcome in this case.
Checking rkhunter version...
  This version : 1.3.2
  Latest version: 1.3.2
[ Rootkit Hunter version 1.3.2 ]
Checking rkhunter data files...
  Checking file mirrors.dat [ No update ]
  Checking file programs_bad.dat [ No update ]
  Checking file backdoorports.dat [ No update ]
  Checking file suspscan.dat [ No update ]
  Checking file i18n/cn [ No update ]
  Checking file i18n/en [ No update ]
  Checking file i18n/zh [ No update ]
  Checking file i18n/zh.utf8 [ No update ]
Warning: Checking for preload file [ Warning ]
Warning: Found library preload file: /etc/ld.so.preload
Warning: The file properties have changed:
  File: /bin/ps
  Current hash: 36f3d8a9fcaebf5838e5e55ebdcac7e355477343
  Stored hash : 8f1acf237e562043f8353f4ec5d0c3490c0d0cb3
  Current inode: 1228803 Stored inode: 1228857
  Current size: 61364 Stored size: 67088
  Current file modification time: 1214487892
  Stored file modification time : 1195262225
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The file properties have changed:
  File: /usr/bin/top
  Current hash: 15f1f743d73d9546a05a15644816139de7708327
  Stored hash : 5e78fb7f0a02643a91964081ca03316dbaf01bdd
  Current inode: 246165 Stored inode: 245920
  Current size: 48536 Stored size: 48504
  Current file modification time: 1214487892
  Stored file modification time : 1195262225
Warning: The file properties have changed:
  File: /usr/bin/vmstat
  Current hash: 898351bc3be226caf6915715b23a1c7cc5d35fdd
  Stored hash : edaa64f3921a0a2d873c14a5eb641ba883f4dcff
  Current inode: 246561 Stored inode: 246020
  Current size: 17872 Stored size: 20444
  Current file modification time: 1214487892
  Stored file modification time : 1195262225
Warning: The file properties have changed:
  File: /usr/bin/w
  Current hash: 480c2c2e4f1048e19fc075f4daebe79fa84e08d1
  Stored hash : 87f39eeb583bc7f6622e95fd0266f093ed8b362b
  Current inode: 246020 Stored inode: 246167
  Current size: 9720 Stored size: 11720
  Current file modification time: 1214487892
  Stored file modification time : 1195262225
Warning: The file properties have changed:
  File: /usr/bin/watch
  Current inode: 246167 Stored inode: 245924
  Current file modification time: 1214487892
  Stored file modification time : 1195262225
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: The file properties have changed:
  File: /sbin/sysctl
  Current hash: b560099caf18d28bcc0249efaec75dcddb87b219
  Stored hash : fa13202ac5897d9f7198e8afbbe7d0c835b07639
  Current inode: 589893 Stored inode: 589875
  Current size: 9144 Stored size: 11048
  Current file modification time: 1214487892
  Stored file modification time : 1195262225
I know some of these warnings, like /usr/bin/GET, groups, ldd, whatis, ifdown and ifup, are normal false positives.
But other warnings are new.
I think they changed after upgrading cPanel to 11.23. I have cPanel on CentOS 4.6.
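Added example, not part of the original post: a small triage script for rkhunter warning output like the above, which groups "file properties have changed" entries by their current modification time (in the posted output every such entry carries 1214487892) and keeps script replacements and preload-file findings in separate lists. The sample input and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in rkhunter 1.3.x warning format; paths and values are
# illustrative placeholders, not output from a real host.
SAMPLE = """\
Warning: Checking for preload file [ Warning ]
Warning: Found library preload file: /etc/ld.so.preload
Warning: The file properties have changed:
  File: /bin/ps
  Current file modification time: 1700000500
  Stored file modification time : 1690000000
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The file properties have changed: File: /usr/bin/top Current file modification time: 1700000500 Stored file modification time : 1690000000
Warning: The file properties have changed:
  File: /usr/bin/passwd
  Current file modification time: 1700999999
  Stored file modification time : 1690000000
"""


def parse_warnings(text):
    """Classify each 'Warning:' entry; works on flattened or line-broken output."""
    found = {"preload": [], "script": [], "changed": []}
    for chunk in text.split("Warning:")[1:]:
        if m := re.search(r"Found library preload file:\s*(\S+)", chunk):
            found["preload"].append(m.group(1))
        elif m := re.search(r"The command '([^']+)' has been replaced by a script", chunk):
            found["script"].append(m.group(1))
        elif re.search(r"file\s+properties\s+have\s+changed", chunk):
            path = re.search(r"File:\s*(\S+)", chunk)
            mtime = re.search(r"Current file modification time:\s*(\d+)", chunk)
            if path:
                found["changed"].append(
                    (path.group(1), int(mtime.group(1)) if mtime else None))
    return found


def triage(text):
    """Split changed files into shared-mtime groups and one-off changes."""
    found = parse_warnings(text)
    by_mtime = defaultdict(list)
    for path, mtime in found["changed"]:
        by_mtime[mtime].append(path)
    # Several binaries rewritten at the same second is what a package
    # update looks like; a file changed on its own does not fit that pattern.
    bulk = {t: p for t, p in by_mtime.items() if t is not None and len(p) > 1}
    isolated = [p for t, paths in by_mtime.items()
                if t is None or len(paths) == 1 for p in paths]
    return {"bulk": bulk, "isolated": isolated,
            "script": found["script"], "preload": found["preload"]}


if __name__ == "__main__":
    report = triage(SAMPLE)
    for t, paths in report["bulk"].items():
        when = datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
        print(f"changed together at {when}: {', '.join(paths)}")
    print("changed alone:", report["isolated"])
    print("replaced by script:", report["script"])
    print("preload file present:", report["preload"])
```

A shared timestamp only narrows the question; on an RPM-based system such as CentOS, `rpm -Vf <path>` then compares each listed file with the package database.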
I was surprised to see that they had 100% uptime in May according to their logs. I am used to seeing 99.98%, 98.97% etc. etc. with other hosts. But even 100% is quite possible.
On June 7th the uptime suddenly dropped below 96% with avg. 7 outages. I was really disappointed as I was planning to sign up. But after a day or so it again rose to 100% with 0 outages on all of their servers, which clearly explained the 100% uptime of May.
According to them they had an attack because of which IPs of nodes had to be changed, and subsequently they also changed it on hyperspin.com (their server monitoring service). I immediately signed up on hyperspin to verify this claim. Changing the IP or hostname of a monitored service on hyperspin doesn't reset its log, is what I clearly observed. It's quite visible that the logs were reset intentionally to hide the actual server uptime and make it always show 100% percent. When I reverted back to them on this issue, they preferred to close the ticket. I just want to know from other hosts, is this practice common or is primaryvps.com an exception? Well, as mentioned on their site, the uptime log is located at:
hyperspin.com/publicreport/30037/20077
But don't expect too much. It has only two figures 0 for outages and 100% for uptime.
Been using the free version of siteuptime.com, but this month alone I have had so far 3 false alerts reported. I am always in PuTTY and do not get interrupted, and I am sure I am around on the site too while supposedly siteuptime reports down (I am guessing the firewall blocks their server IP for w/e reason). So am wondering, is there any really good public tracking site out there which can do public reports more accurately and not kak out on me?
What's your experience with siteuptime for monitoring, if any? Sometimes it works "ok", other times it's just off the charts.
Every time I log on plesk 11.09 I get an email from admin saying that due to maximum number of failed login attempts for admin, the account was blocked for 30 minutes.
First, I do not get failed login attempts, I log in every time.
Two, the account is not blocked, I can log in, out and back in as many times as I want without problem except that I get this email every time.
It's been almost 3 weeks, more or less, since I signed up with XenVZ (xenvz.co.uk). Sean does a good job on support whenever I put in a ticket - fast responses, always.
As for network stability, it hasn't disconnected from Quakenet (IRC network) since I've gotten it - signon 17d 20h 40m 25s ago.
As for speed, 19:36:39 (10.80 MB/s) - `100mb.test' saved [104857600/104857600] (from cachefly).
Now I'm about two months with sologigabit.com and want to share some impressions with you.
Sologigabit was extremely helpful to me. I needed a server with a custom config and they ordered some hardware for me. They take only two months upfront.
While they didn't have the hardware required, they set up a server for me and made it available, so I could familiarize myself with the system. That helped me a lot when I started to install the system later.
They didn't offer FreeBSD as an available OS to install but downloaded an image for me and put the installation media into the DVD drive, so I could install it myself. They were also helpful providing information about the system while I was installing it, as I encountered some problem with the FreeBSD default kernel.
I have dedicated remote APC and KVM, so I could resolve almost all my issues myself. Running for two months with them I didn't encounter any problems, so I will probably stay with them for a long time.
I am a current customer of Burst for more than 6 months already and so far I am loving their service. There are very, very minor issues but it gets resolved in a timely manner. I have 7 servers with them and looking forward to expanding more. Their sales support Shawn and Benj are very considerate and their technical support Brian is very helpful, knowledgeable, polite and treats customers the right way.
Burst live chat support (AIM) is also the best I have seen with a host.
I recommend them to everybody who's looking for a reliable network and good support!
Thought I would share my recent experience with VertexHost.
I run a vBulletin forum and I had a VPS for over 2 years through PowerVPS. However, due to irreconcilable differences with them offering my current package at a lower price than what I was paying, then refusing to give it to me at "today's price" unless I canceled my service and transferred my data, I parted with them.
I had a "contacting spree" weekend where I contacted 23 different hosts and talked about what I was looking for (I wanted to move to a dedicated server since I figured with my community growing I might as well select a place that I could grow into)
I needed a managed server with decent specs since VB is a server intense application.
Some of the managed server "top players" I talked to were LiquidWeb, AxisHost, and RackSpace. Others were smaller companies that I had seen posted on the dedicated forum offers section.
AH took far too long to get back to me, quite a few days actually. LW would meet at a price for me (my budget was $150- about $170) at $150; however, gave me a very 'downgraded server' compared to what was being offered other places. Finally RS was just way overpriced and couldn't come down to my range. Most companies gave me a round-about answer, seemed flaky, or just weren't interested in really helping me.
I had known about VertexHost because I used to host/use Infopop's Eve forum software and they were also on the forums there because they had used UBBThreads before developing their own forum software. Anyway, long story short, I decided to see what they were up to.
Billy from VH was very quick to answer all of my questions and made my sales ticket critical and a top priority. He not only told me what would need to be done in terms of transferring my forum and files (I was coming from Plesk to CPanel) but offered to do it for me.
I agreed that it would be best to have him do it, and he happily did it, free of charge I might add.
Along with transferring my forums over, he also made it so I lost no time while waiting for my domain to propagate. He set it up so the old IP from PowerVPS would send people to the database on my new server with VH.
It was such a seamless transition... my forums were down for only about 2 hours total. I might also mention those 2 hours were from a little before midnight until about 2 AM; a time when the forums are slow anyway.
I don't want to get any more long winded than I already have, so in a nutshell VH not only met me on price, but they also transferred everything for me, made sure I had little down time, and were very knowledgeable about any question I had.
I cannot stress enough how highly I recommend them. I'm a loyal customer who likes to stick with what works and who appreciates my business. I do not foresee my leaving VH any time in the future. I can now sleep peacefully knowing my site is in good hands!
I desperately need someone to troubleshoot and eventually fix a mySQL/PHP program we had a month ago. The problem was costing the company I do work for nearly $1,000 per day in lost money. I received 15 people contacting me off a post I made on WHT, and elected to work with Dingloo from auroinfotech.com. And what a great decision that was!
Dingloo and his associate from the get go showed great communication skills, professionalism, and most importantly... fixed the problem very fast!
I truly appreciated the work he and his associate did, and the speed in which they completed it. Our PHP script is 100% fixed (and it's a very complicated PHP script) and is working great.
I love to give positive reviews, as I feel people who do an excellent job need to receive praise. Thanks again Dingloo for your hard work, I truly appreciate it! You've made work around here a lot better, and we all thank you in the office!
We will continue to use your PHP/mySQL/Admin services in the very near future. I put this in the Ded. Server Forum as this included Admin work on 5 of my servers, and other Admin Duties beside programming.
I used Web Hosting Talk to help me choose a shared web server and the choice I made was Hawk Host.
I just want to say I have had nothing but positive experiences with Hawk Host in the two months I have had it. No down times, no slow downs. Nothing.
Today (a Sunday afternoon) I had a problem with a Moodle course I am running on Hawk Host. This turns out to be a problem not with anything at Hawk Host, but with Moodle itself. I didn't know that at the time, though, so I turned in a trouble ticket at Hawk Host.
Within an hour -- remember, it's a *Sunday afternoon*, Tony had not only gotten back to me via e-mail, he had implemented a solution that is going to solve the biggest aspects of the problem until I can get things resolved with Moodle itself.
I had to come back here to share my experience. I don't post a lot of forum messages at any of the forums I visit, but I read a lot. This time, however, I simply had to write about this. I do not think it is possible to provide better customer service than I have received at Hawk Host.
We now have passed 60 days with 3dgwebhosting (3dgwebhosting.com) and what had started as a VPS only endeavor continues to expand based upon the incredible level of support and technical performance we are receiving.
If you would have asked me three months ago about 3dgwebhosting I would have been unable to respond...I did quite a bit of research when we decided to switch from a shared hosting offering with some large shared hosting providers to a VPS. I contacted close to a dozen providers and inquired regarding performance, packages, support, etc. and at the end of the day there was a level of comfort with 3DG that I did not have with the majority of other VPS Providers. Don't get me wrong...there were some shining stars in the bunch but something about 3dg (beyond the great pricing and flexibility) sold me on giving them a try.
Being a serial entrepreneur I have always been partial to working with smaller (at least those that felt smaller!) customer-centric firms for all of my support services from back office to technical. This was no exception. Performance is obviously critical in the technical space but I also view customer service and attentive vendors as critical factors in vendor selection.
Well the short of it is we have been on board with 3DG for over 60 days. Performance has been top notch and the level of customer support has been unmatched by any technical services provider I have used in the past. In addition, 3DG has become a strategic partner and has provided some great insight into how to globalize our technology and incorporate our clients’ needs into our technology platform (i.e. SharePoint). I truly did not expect to see this level of involvement on a consulting front and level of customization on a technology front from a hosting provider – a pleasant surprise! Kudos to David and the 3dg team. We have many sites on the VPS but our primary is glotegy.com.
If my business provides a level of service that is worthy of praise I always hope that my clients will speak their mind and help me spread the word about what I am trying to do. With that said I cannot recommend 3DG highly enough!
Since the inception of the VPS we have also put in place a dedicated server at 3DG that is running Office SharePoint Server and will be live with a hosted solution of Microsoft Dynamics 4.0 CRM with 3DG sometime next week.
Sorry for the long post but as you can probably tell I get pretty passionate about my business and those firms who help me with my global endeavors! To sum it up...finally...3DG is attentive, customer-centric, and a valued business partner.
We've been having trouble with uptime and a SQL box through Lunar Pages in the past couple months and we couldn't take any more trouble. As such, we went looking for a new Windows VPS provider. Given I'm not a Windows person by default, my daily computer is a Mac, I needed some hand-holding for the transition.
Through the research for a Windows VPS supplier here at WHT, I selected several firms to investigate and communicate with. Principally Host My Site, Liquid Web, and Bird Hosting. After conversations with each via email and phone calls, Michael of Bird Hosting quickly rose to the top.
Michael, once we informed him of our intention to move to him, had our single-domain Windows VPS migrated from LunarPages to Bird Hosting overnight. Even when a SQL access issue rose up, Michael has been quick to respond and get our support system up and running again.
I have been using mod_security 1.9.x since its first release on Apache 1.3 and Apache 2.0.x. Rules are great and they work perfectly with no issues at all with any php-mysql website. Do you recommend using mod_security 2.0 or 2.5? (I do know that 2.5 does not work with Apache 1.3.)
using mod_security, but I believe that I have it installed correctly with some rules that should be generating entries in the security audit log. No matter what I do, I can't seem to get mod_security to generate any sort of log entries.
I am using version 2.1.7. I compiled it with no problems. In my httpd.conf file, I have the following relevant lines:
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf
I don't think there are any problems here, as I know it is running directives from the configuration file I edited. This is the file I'm working with:
modsecurity_crs_10_config.conf
Here are the relevant lines from the config file:
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288
SecDefaultAction "phase:2,auditlog,log,pass,status:500"
SecAuditEngine On
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
SecAuditLogParts "ABIFHZ"
SecRequestBodyInMemoryLimit 131072
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 3
I know that the config file is being read because when I start apache, the log files (modsec_audit.log and modsec_debug.log) are created. The problem is that the files are empty and remain empty no matter what I do. I have even tried setting permissions on the files to 777.
Here are a couple of rules I created in an attempt to generate log entries:
I put these in the same config file mentioned above. As far as I understand, the first rule should examine the request body (which would include data in POST requests) for the word, "viagra". Since my default action is phase:2,auditlog,log,pass,status:500, such requests should end up in the audit log. However, when I use a form on my site to post the word "viagra", nothing is generated in the log file.
The second rule, as far as I understand, should generate a log entry any time the IP address 1.2.3.4 is sent in the request headers. Instead of 1.2.3.4, of course, I have put in my real IP address. However, when I visit my server and browse pages, nothing is logged. I assume that my requests should generate log entries since I match the IP address.
I am currently running a few small websites that use a CMS. Two are Dragonfly and one is Joomla.
I am getting sporadic errors with both systems that, upon research, seem to be related to Apache and the mod_security module. I am getting the following error:
Code: Not Acceptable
An appropriate representation of the requested resource /somefolder/index.php could not be found on this server.
Well, I'm no idiot (although some people may tend to disagree) and after some searching, I found that this most likely points to an Apache error. Most solutions suggest putting the following in my .htaccess file for the site:
Code:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
It was noted that "SecFilterScanPOST Off" may or may not be necessary. I have added the above to the .htaccess for each site (all 3 sites are subdomains) and have also added it to the .htaccess that is in the root folder for the site. Nothing has worked.
So my question is, is it possible that my webhost can override my .htaccess settings with their own? This is the only explanation that I can think of. But of course, I am no expert, which is why I turn to you good folks for help once again.