If Mod_security Gave False Positive
Mar 11, 2008
I don't really know much about how mod_security rules work, I've just clicked on default configuration in WHM.
Anyway, one user on our vBulletin board has PMed me saying he can't access the board. He gave me his fixed IP, and I noticed it is in the CSF denied IP list as:
lfd: 5 (mod_security) login failures from xx.xx....
I've checked mod_security log and it has like twenty entries for this ip saying: ....
May 21, 2008
After a few days of not getting even "one" spam out of an average of 70 messages a day...the company manager got angry! He thought the mail system was down.
Our provider - a VDS subscriber who rents us a shared plan for a website - said: we changed nothing. I confirmed: did you install any new anti-spam software on the site...they said: NO.
In a later conversation with the company manager, they told him they had installed new anti-spam software on the whole server and cannot turn it off for our site specifically.
The problem is, they already had a kind of anti-spam software which only "marks" spam-like messages with "**SPAM**" in the subject line, and doesn't mark others. I am afraid some customers' emails get marked and deleted by this new software they claim to have implemented, based on false positives.
Many times my emails to Yahoo and Hotmail go to the Spam/Junk folder for some not widely known reasons, like sending to myself while putting recipients in CC, and other strange reasons like just using CC in an auto-reply! Something any non-tech person might do.
I am thinking of switching to a new host where we only host mail (MX record), so we don't have "any" email deleted without our check.
Mar 12, 2008
Got this error on rkhunter 1.3.2
Quote:
[12:16:24] /usr/bin/wget [ Warning ]
[12:16:24] Warning: File '/usr/bin/wget' has the immutable-bit set.
Is that a concern? What does it mean?
Jul 9, 2007
I tried a little searching both in Google and on here but this is probably going to be a private or member-based thing anyway.
I've gotten a couple comments that some of my outbound personal mail is ending up in spam folders. I think it's almost completely limited to having Outlook (or Express?) as a client... which I assume doesn't even do network-based lookups. Nonetheless I don't seem to be on any blacklists, and running it through my own spamassassin filter comes up basically zero score. But the fact that more than one person has had the problem concerns me greatly. Also, I haven't seen any significant reason why the content itself would trigger anything.
I realize a public spam test service would basically be a "testing ground" for spammers to evade detection, but there's obviously legitimate uses as well... is there such a tool somewhere? Thanks for any advice. Public information sharing is key to a forum, but PMs are welcome in this case.
Jan 30, 2008
I am getting this error in my shoutcast server... after a while the server on this port crashes... what exactly is this?
[yp_add] yp.shoutcast.com gave extended error (Please identify this station's genre (in the dsp plugin YP tab).
Jun 30, 2008
[ Rootkit Hunter version 1.3.2 ]
Checking rkhunter version...
This version : 1.3.2
Latest version: 1.3.2
[ Rootkit Hunter version 1.3.2 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Warning: Checking for preload file [ Warning ]
Warning: Found library preload file: /etc/ld.so.preload
Warning: The file properties have changed:
File: /bin/ps
Current hash: 36f3d8a9fcaebf5838e5e55ebdcac7e355477343
Stored hash : 8f1acf237e562043f8353f4ec5d0c3490c0d0cb3
Current inode: 1228803 Stored inode: 1228857
Current size: 61364 Stored size: 67088
Current file modification time: 1214487892
Stored file modification time : 1195262225
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The file properties have changed:
File: /usr/bin/top
Current hash: 15f1f743d73d9546a05a15644816139de7708327
Stored hash : 5e78fb7f0a02643a91964081ca03316dbaf01bdd
Current inode: 246165 Stored inode: 245920
Current size: 48536 Stored size: 48504
Current file modification time: 1214487892
Stored file modification time : 1195262225
Warning: The file properties have changed:
File: /usr/bin/vmstat
Current hash: 898351bc3be226caf6915715b23a1c7cc5d35fdd
Stored hash : edaa64f3921a0a2d873c14a5eb641ba883f4dcff
Current inode: 246561 Stored inode: 246020
Current size: 17872 Stored size: 20444
Current file modification time: 1214487892
Stored file modification time : 1195262225
Warning: The file properties have changed:
File: /usr/bin/w
Current hash: 480c2c2e4f1048e19fc075f4daebe79fa84e08d1
Stored hash : 87f39eeb583bc7f6622e95fd0266f093ed8b362b
Current inode: 246020 Stored inode: 246167
Current size: 9720 Stored size: 11720
Current file modification time: 1214487892
Stored file modification time : 1195262225
Warning: The file properties have changed:
File: /usr/bin/watch
Current inode: 246167 Stored inode: 245924
Current file modification time: 1214487892
Stored file modification time : 1195262225
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: The file properties have changed:
File: /sbin/sysctl
Current hash: b560099caf18d28bcc0249efaec75dcddb87b219
Stored hash : fa13202ac5897d9f7198e8afbbe7d0c835b07639
Current inode: 589893 Stored inode: 589875
Current size: 9144 Stored size: 11048
Current file modification time: 1214487892
Stored file modification time : 1195262225
I know some of these warnings, like /usr/bin/GET, groups, ldd, whatis, ifdown and ifup, are normal false positives.
But the other warnings are new. I think they changed after upgrading cPanel to 11.23.
I have cPanel on CentOS 4.6.
Jun 13, 2007
I was surprised to see that they had 100% uptime in May according to their logs. I am used to seeing 99.98%, 98.97% etc. etc. with other hosts. But even 100% is quite possible.
On June 7th the uptime suddenly dropped below 96% with avg. 7 outages. I was really disappointed as I was planning to sign up. But after a day or so it again rose to 100% with 0 outages on all of their servers, which clearly explained the 100% uptime of May.
According to them they had an attack because of which IPs of nodes had to be changed and subsequently they also changed it on hyperspin.com (their server monitoring service). I immediately signed up on hyperspin to verify this claim. Changing the IP or hostname of a monitored service on hyperspin doesn't reset its log is what I clearly observed. It's quite visible that the logs were reset intentionally to hide the actual server uptime and make it always show 100% percent. When I reverted back to them on this issue, they preferred to close the ticket. I just want to know from other hosts, is this practice common or primaryvps.com is an exception? Well as mentioned on their site, the uptime log is located at:
hyperspin.com/publicreport/30037/20077
But don't expect too much. It has only two figures 0 for outages and 100% for uptime.
Mar 25, 2007
Is there any way to avoid getting false name lookups when trying to resolve nonexistent domains, apart from using another nameserver?
I'm sorry if it was posted earlier, tried searching but it didn't help as it gave me large results.
Code:
[root@removed ~]# ping hjkdji284kajgafhj87da778dfsd.com
PING hjkdji284kajgafhj87da778dfsd..com.insertdchere.com (xx.xxx.xxx.xx) 56(84) bytes of data.
64 bytes from www.insertdchere.com (xx.xxx.xxx.xx): icmp_seq=0 ttl=61 time=1.00 ms
64 bytes from www.insertdchere.com (xx.xxx.xxx.xx): icmp_seq=1 ttl=61 time=0.952 ms
64 bytes from www.insertdchere.com (xx.xxx.xxx.xx): icmp_seq=2 ttl=61 time=1.34 ms
Apr 22, 2008
How can I stop the rootkit hunter false positives?
It is alerting on these, on a fresh OS install:
Checking for prerequisites [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/whatis [ Warning ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
Jun 26, 2008
Been using the free version of siteuptime.com but this month alone I have had so far 3 false alerts reported. I am always in PuTTY and it does not get interrupted, and I am sure I am around on the site too while supposedly siteuptime reports down (I am guessing the firewall blocks their server IP for w/e reason). So am wondering, is there any really good public tracking site out there which can do public reports more accurately and not kak out on me?
What's your experience with siteuptime for monitoring, if any? Sometimes it works "ok", other times it's just off the charts.
Jun 26, 2008
Namecheap.com offers PositiveSSL certificate for free at the moment
I was wondering what is its encryption ability compared to RapidSSL certificate?
Sep 28, 2014
Every time I log on plesk 11.09 I get an email from admin saying that due to maximum number of failed login attempts for admin, the account was blocked for 30 minutes.
First, I do not get failed login attempts, I log in every time.
Two, the account is not blocked, I can log in, out and back in as many times as I want without problem except that I get this email every time.
Jan 2, 2009
It's been almost 3 weeks, more or less, since I signed up with XenVZ (xenvz.co.uk). Sean does a good job on support whenever I put in a ticket - fast responses, always.
As for network stability, it hasn't disconnected from Quakenet (IRC network) since I've gotten it - signon 17d 20h 40m 25s ago.
As for speed, 19:36:39 (10.80 MB/s) - `100mb.test' saved [104857600/104857600] (from cachefly).
Feb 11, 2009
I'm a VPS customer of Hostchum.
I found good customer support officers there.
They provide about 20 hours a day live-chat service.
May 11, 2009
I've now been about two months with sologigabit.com and want to share some impressions with you.
Sologigabit was extremely helpful to me. I needed a server with a custom config and they ordered some hardware for me. They take only two months upfront.
While they didn't have the hardware required, they set up a server for me and made it available, so I could familiarize myself with the system. That helped me a lot when I started to install the system later.
They didn't offer FreeBSD as an available OS to install but downloaded an image for me and put the installation media into the DVD drive, so I could install it myself. They were also helpful in providing information about the system while I was installing it, as I encountered some problem with the FreeBSD default kernel.
I have dedicated remote APC and KVM, so I could resolve almost all my issues myself.
Running for two months with them I didn't encounter any problems, so I will probably stay with them for a long time.
Sep 26, 2009
Does anyone have anything to share with us regarding the one.com hosting company (located in UK)?
According to their awards page:
"#1 UK Budget Web Hosting Provider - UK Web Host Directory - June 2009"
Sep 7, 2009
I am a current customer of Burst for more than 6 months already and so far I am loving their service. There are very, very minor issues but it gets resolved in a timely manner. I have 7 servers with them and looking forward to expanding more. Their sales support Shawn and Benj are very considerate and their technical support Brian is very helpful, knowledgeable, polite and treats customers the right way.
Burst live chat support (AIM) is also the best I have seen with a host.
I recommend them to everybody who's looking for a reliable network and good support!
Apr 22, 2008
I did a search on this site, and read a lot of negative things about site5.com.
Is it still a 'bad' company or has their service changed?
Is it better to take hosting with hostgator.com?
Because aren't they overselling their packages: 1500 gb (storage) and 15.000 gb (bandwidth)?
May 30, 2008
Thought I would share my recent experience with VertexHost.
I run a vBulletin forum and I had a VPS for over 2 years through PowerVPS. However, due to irreconcilable differences with them offering my current package at a lower price than what I was paying, then refusing to give it to me at "todays price" unless I canceled my service and transfer my data, I parted with them.
I had a "contacting spree" weekend where I contacted 23 different hosts and talked about what I was looking for (I wanted to move to a dedicated server since I figured with my community growing I might as well select a place that I could grow into)
I needed a managed server with decent specs since VB is a server intense application.
Some of the managed server "top players" I talked to were LiquidWeb, AxisHost, and RackSpace. Others were smaller companies that I had seen posted on the dedicated forum offers section.
AH took far too long to get back to me, quite a few days actually. LW would meet at a price for me (my budget was $150- about $170) at $150; however, gave me a very 'downgraded server' compared to what was being offered other places. Finally RS was just way overpriced and couldn't come down to my range. Most companies gave me a round-about answer, seemed flaky, or just weren't interested in really helping me.
I had known about VertexHost because I used to host/use Infopop's Eve forum software and they were also on the forums there because they had used UBBThreads before developing their own forum software. Anyway, long story short, I decided to see what they were up to.
Billy from VH was very quick to answer all of my questions and made my sales ticket critical and a top priority. He not only told me what would need to be done in terms of transferring my forum and files (I was coming from Plesk to CPanel) but offered to do it for me.
I agreed that it would be best to have him do it, and he happily did it, free of charge I might add.
Along with transferring my forums over, he also made it so I lost no time while waiting for my domain to propagate. He set it up so the old IP from PowerVPS would send people to the database on my new server with VH.
It was such a seamless transition... my forums were down for only about 2 hours total. I might also mention those 2 hours were from a little before midnight until about 2 AM; a time when the forums are slow anyway.
I don't want to get any more long winded than I already have, so in a nutshell VH not only met me on price, but they also transferred everything for me, made sure I had little down time, and were very knowledgeable about any question I had.
I cannot stress enough how highly I recommend them. I'm a loyal customer who likes to stick with what works and who appreciates my business. I do not foresee my leaving VH any time in the future. I can now sleep peacefully knowing my site is in good hands!
Mar 18, 2009
In this thread I would like to recommend this company.
I was looking for a good annual package at a respectable price, and then Host-monkey offered a cheap deal and I said why not.
I just want to say that after I joined I got a lot of help, anything I wanted and anything I needed.
The site contains a really good customer system that provides many services.
After a few days I decided to upgrade my plan and it was fast and courteous.
The server is really strong and fast for me, even though I'm from a land far away from the USA.
I hope you will choose it too, you won't be disappointed.
Jul 17, 2008
I desperately need someone to trouble shoot and eventually fix a mySQL/PHP program we had a month ago. The problem was costing the company I do work for nearly $1,000 per day in lost money. I received 15 people contacting me off a post I made on WHT, and elected to work with Dingloo from auroinfotech.com. And what a great decision that was!
Dingloo and his associate from the get go showed great communication skills, professionalism, and most importantly... fixed the problem very fast!
I truly appreciated the work he and his associate did, and the speed in which they completed it. Our PHP script is 100% fixed (and its a very complicated PHP script) and is working great.
I love to give positive reviews, as I feel people who do an excellent job need to receive praise. Thanks again Dingloo for your hard work, I truly appreciate it! You've made work around here a lot better, and we all thank you in the office!
We will continue to use your PHP/mySQL/Admin services in the very near future. I put this in the Ded. Server Forum as this included Admin work on 5 of my servers, and other Admin Duties beside programming.
Jul 27, 2008
I used Web Hosting Talk to help me choose a shared web server and the choice I made was Hawk Host.
I just want to say I have had nothing but positive experiences with Hawk Host in the two months I have had it. No down times, no slow downs. Nothing.
Today (a Sunday afternoon) I had a problem with a Moodle course I am running on Hawk Host. This turns out to be a problem not with anything at Hawk Host, but with Moodle itself. I didn't know that at the time, though, so I turned in a trouble ticket at Hawk Host.
Within an hour -- remember, it's a *Sunday afternoon*, Tony had not only gotten back to me via e-mail, he had implemented a solution that is going to solve the biggest aspects of the problem until I can get things resolved with Moodle itself.
I had to come back here to share my experience. I don't post a lot of forum messages at any of the forums I visit, but I read a lot. This time, however, I simply had to write about this. I do not think it is possible to provide better customer service than I have received at Hawk Host.
Apr 10, 2008
--An extremely positive review of 3DGWebHosting
We now have passed 60 days with 3dgwebhosting (3dgwebhosting.com) and what had started as a VPS only endeavor continues to expand based upon the incredible level of support and technical performance we are receiving.
If you would have asked me three months ago about 3dgwebhosting I would have been unable to respond...I did quite a bit of research when we decided to switch from a shared hosting offering with some large shared hosting providers to a VPS. I contacted close to a dozen providers and inquired regarding performance, packages, support, etc. and at the end of the day there was a level of comfort with 3DG that I did not have with the majority of other VPS Providers. Don't get me wrong...there were some shining stars in the bunch but something about 3dg (beyond the great pricing and flexibility) sold me on giving them a try.
Being a serial entrepreneur I have always been partial to working with smaller (at least those that felt smaller!) customer-centric firms for all of my support services from back office to technical. This was no exception. Performance is obviously critical in the technical space but I also view customer service and attentive vendors as critical factors in vendor selection.
Well the short of it is we have been on board with 3DG for over 60 days. Performance has been top notch and the level of customer support has been unmatched by any technical services provider I have used in the past. In addition, 3DG has become a strategic partner and has provided some great insight into how to globalize our technology and incorporate our clients’ needs into our technology platform (i.e. SharePoint). I truly did not expect to see this level of involvement on a consulting front and level of customization on a technology front from a hosting provider – a pleasant surprise! Kudos to David and the 3dg team. We have many sites on the VPS but our primary is glotegy.com.
If my business provides a level of service that is worthy of praise I always hope that my clients will speak their mind and help me spread the word about what I am trying to do. With that said I cannot recommend 3DG highly enough!
Since the inception of the VPS we have also put in place a dedicated server at 3DG that is running Office SharePoint Server and will be live with a hosted solution of Microsoft Dynamics 4.0 CRM with 3DG sometime next week.
Sorry for the long post but as you can probably tell I get pretty passionate about my business and those firms who help me with my global endeavors! To sum it up...finally...3DG is attentive, customer-centric, and a valued business partner.
Dec 23, 2008
We've been having trouble with uptime and a SQL box through Lunar Pages in the past couple months and we couldn't take any more trouble. As such, we went looking for a new Windows VPS provider. Given I'm not a Windows person by default, my daily computer is a Mac, I needed some hand-holding for the transition.
Through the research for a Windows VPS supplier here at WHT, I selected several firms to investigate and communicate with. Principally Host My Site, Liquid Web, and Bird Hosting. After conversations with each via email and phone calls, Michael of Bird Hosting [url] quickly rose to the top.
Michael, once we informed him of our intention to move to him, had our single-domain Windows VPS migrated from LunarPages to Bird Hosting overnight. Even when a SQL access issue rose up, Michael has been quick to respond and get our support system up and running again.
Apr 21, 2008
I have been using mod_security 1.9.x since its first release on Apache 1.3 and Apache 2.0.x; the rules are great and they work perfectly with no issues at all with any php-mysql website. Do you recommend using mod_security 2.0 or 2.5? (I do know that 2.5 does not work with Apache 1.3.)
View 2 Replies
View Related
Apr 19, 2008
using mod_security, but I believe that I have it installed correctly with some rules that should be generating entries in the security audit log. No matter what I do, I can't seem to get mod_security to generate any sort of log entries.
I am using version 2.1.7. I compiled it with no problems. In my httpd.conf file, I have the following relevant lines:
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf
I don't think there are any problems here, as I know it is running directives from the configuration file I edited. This is the file I'm working with:
modsecurity_crs_10_config.conf
Here are the relevant lines from the config file:
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288
SecDefaultAction "phase:2,auditlog,log,pass,status:500"
SecAuditEngine On
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
SecAuditLogParts "ABIFHZ"
SecRequestBodyInMemoryLimit 131072
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 3
I know that the config file is being read because when I start apache, the log files (modsec_audit.log and modsec_debug.log) are created. The problem is that the files are empty and remain empty no matter what I do. I have even tried setting permissions on the files to 777.
Here are a couple of rules I created in an attempt to generate log entries:
SecRule REQUEST_BODY "viagra"
SecRule REMOTE_ADDR "^1.1.3.4$" auditlog,phase:1,allow
I put these in the same config file mentioned above. As far as I understand, the first rule should examine the request body (which would include data in POST requests) for the word, "viagra". Since my default action is phase:2,auditlog,log,pass,status:500, such requests should end up in the audit log. However, when I use a form on my site to post the word "viagra", nothing is generated in the log file.
The second rule, as far as I understand, should generate a log entry any time the IP address 1.2.3.4 is sent in the request headers. Instead of 1.2.3.4, of course, I have put in my real IP address. However, when I visit my server and browse pages, nothing is logged. I assume that my requests should generate log entries since I match the IP address.
Dec 1, 2007
I am currently running a few small websites that use a CMS. Two are Dragonfly and one is Joomla.
I am getting sporadic errors with both systems that, upon research, seem to be related to Apache and the mod_security module. I am getting the following error:
Code:
Not Acceptable
An appropriate representation of the requested resource /somefolder/index.php could not be found on this server.
Well, I'm no idiot (although some people may tend to disagree) and after some searching, I found that this most likely points to an Apache error. Most solutions suggest putting the following in my .htaccess file for the site:
Code:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
It was noted that "SecFilterScanPOST Off" may or may not be necessary. I have added the above to the .htaccess for each site (all 3 sites are subdomains) and have also added it to the .htaccess that is in the root folder for the site. Nothing has worked.
So my question is, is it possible that my webhost can override my .htaccess settings with their own? This is the only explanation that I can think of. But of course, I am no expert, which is why I turn to you good folks for help once again.
Jul 27, 2008
I want to add some more rules to mod_security, however I am unsure if some of them are already being used.
So would it cause any problems if there are duplicate rules for the time being till I can check through all the rules?
Jul 23, 2007
I am having lots of problems installing mod_security on RH5 64 w/ Plesk, mainly related to apr0, subversion, and the headers.
Any reason why everyone recommends to use version 1.94 of mod_security rather than the latest version available on www.modsecurity.org?
Oct 2, 2007
I've got this:
mod_security: Access denied with code 406. Error normalising REQUEST_URI: Invalid URL encoding detected: invalid characters used [hostname "www.mydomain.com"] [uri "/search/include/js_suggest/suggest.php?type=query&q=%u062E%u0636%u0631%u0627"]
How do I disable/exclude this URI on the mentioned host from being caught by mod_security?
Mar 29, 2007
How many people are actually using mod_security 2 instead of 1?
And why did you choose the version you did?