We are upgrading to a managed server from a VPS. Our main concern is security as we process customers' confidential personal information but don't have large volumes of traffic. Our application developer is recommending the following config:
Firewall --> Web/App Server --> Firewall --> DB Server
The logic being that if the first firewall is breached at least they don't have access to the DB.
Is this really critical or do you think we can start with:
Firewall --> Web/App/DB server?
Obviously budget is a concern and since we will have low traffic for the next few months it seems silly to pay double if it isn't really needed?
I have just taken delivery of a shiny Windows 2K3 server from a2b2.com and wanted to secure it so that only remote desktop and port number 3306 from certain IP addresses are allowed to connect to it. I would also like to have NO outgoing connections allowed at all.
My questions are: 1) Is this able to be done? and 2) Approximately how much would it cost?
I am about to sign up for a VPS host which doesn't seem to offer hardware based firewalls, which means that I am stuck with software based ones. Perhaps I am being old fashioned, but this does make me a bit nervous, as I have the impression that a hardware based firewall is better (of course assuming correct configuration and such)... should I be worried? Is Windows Firewall to be trusted or should I look for something else? My concern isn't only whether the firewall will stop any attacks or not, but also at what cost, considering CPU, memory etc. Any comments and recommendations would be appreciated. I'm not NASA or anything, so I don't really think that the world's hacker elite is going to come after me, but from what I see in the logs of my current firewall, there is a lot going on on the internet these days and it isn't all good.
I'd like to know what the current "best practice" thinking is with regard to hardware firewalls. Are they really necessary for a Linux server running a solid iptables-based software firewall? Or do they simply add another potential point of component failure?
What are the pros/cons to deploying a hardware firewall vs. going iptables-only on the server?
Filtering packets based on a MAC address and the values of the flags in the TCP header. This is helpful in preventing attacks using malformed packets and in restricting access from locally attached servers to other networks in spite of their IP addresses.
The firewall also keeps track of each connection passing through it and in certain cases will view the contents of data flows in an attempt to anticipate the next action of certain protocols. This is an important feature in the support of active FTP and DNS, as well as many other network services.
How does iptables work?
All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain.
There are three tables in total. The first is the mangle table which is responsible for the alteration of quality of service bits in the TCP header. This is hardly used in a home or SOHO environment.
The second table is the filter queue which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules.
a) INPUT
b) OUTPUT
c) FORWARD
The general syntax of iptables is as follows:

iptables -A {INPUT,OUTPUT,FORWARD} -p {tcp,udp} --sport|--dport <port> -s <ip> -j {DROP,REJECT,ACCEPT}

To block an incoming IP (traffic arriving from that address):

iptables -A INPUT -p tcp --sport 1:65535 -s <ipaddress> -j DROP   (or -j REJECT)

To block an outgoing IP (traffic leaving toward that address):

iptables -A OUTPUT -p tcp --dport 1:65535 -d <ipaddress> -j DROP   (or -j REJECT)
You can also use --dport instead of --sport & you can use -d instead of -s which specifies source or destination respectively.
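The following is an added example, not code from any post in this thread: a default-deny, stateful ruleset for the filter table in iptables-restore format, covering the pieces described above (INPUT/OUTPUT chains, connection tracking, TCP flag checks) and the kind of policy the earlier posts ask for: new connections only from one admin address to a couple of ports, and no connections initiated outbound by the host. The admin address 203.0.113.10 and the ports 22 and 3306 are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Generates a stateful default-deny
# filter-table ruleset; run with "apply" as the first argument to load it
# through iptables-restore, otherwise it only prints the rules for review.
# ADMIN_IP is a constructed placeholder from the documentation range.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"

gen_rules() {
    admin="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# stateful inspection: packets belonging to an already accepted connection
# (and related ones, e.g. active FTP data) pass in both directions; with
# OUTPUT defaulting to DROP the host can answer but never initiate
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# malformed TCP: no flags at all, or SYN and FIN set together
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# new inbound sessions only from the admin host, only to SSH and MySQL
-A INPUT -p tcp -s ${admin} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s ${admin} --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
# everything else is logged (rate-limited) and then hits the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# number of ACCEPT rules in the generated ruleset (handy sanity check)
count_accepts() {
    gen_rules "$1" | grep -c -- '-j ACCEPT'
}

if [ "$1" = "apply" ]; then
    gen_rules "$ADMIN_IP" | iptables-restore
else
    gen_rules "$ADMIN_IP"
fi
```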
I run a web hosting company and one of my servers is a LAMP server running CentOS 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.
However, when he FTPs into the account to modify these files, he doesn't have the appropriate permissions to do so as he doesn't have a root level login, just permissions on his home directory which is the site. Any help would be much appreciated.
Also, does anyone know how to change the owner/group of a directory and all of its subdirectories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as opposed to 0755) than their parent, but if I do a top-down user/group change on the folder it will change everything in that folder to 0755.
Running an IPB forum site 2.3.4. Current stats: our members have made a total of 245,827 posts, we have 14,673 registered members, the total number of topics is 75,099, with at least 150 members online + 200 guests.
What would be the perfect my.cnf config for this kind of server? I'm running LiteSpeed.
I have tried to manually setup awstats on a website in Windows 2008 with IIS 7. The problem here is that I have to create two conf files for each website, one named awstats.sitename.conf and the other awstats.www.sitename.conf. If I don't do so, then awstats does not work on either www.sitename.com or sitename.com. I cannot update the stats or view it from the browser. I have a few Hosting controller servers in which awstats is used and I compared the conf file with them and there is no difference. I wonder what could be the issue.
I have a dedicated server without any daily, weekly or monthly backup. Please help me (step by step) to configure my server to take a backup of some accounts every day at 3 AM.
I mean a setting for every day, for some accounts (A, B, C ... Z), at 3 AM.
Switching from Windows DNS to BIND DNS. Slightly different as I have to learn the commands instead of using the GUI. Can you tell me if the config below is correct to run mydomain.net so people can access it from the web? It will also be acting as its own name servers. This is purely for external DNS. The private IPs will be changed to routable ones once it's in the DC.
Have I missed anything or is that good enough for deployment to the live environment?
I have this in /etc/bind/zones/mydomain.net.db
; mydomain.net
$TTL 604800
@       IN SOA  ns0.mydomain.net. admin.mydomain.net. (
                2008012001 ; Serial
                604800     ; Refresh
                86400      ; Retry
                2419200    ; Expire
                604800 )   ; Negative Cache TTL

; nameservers
mydomain.net.   IN NS   ns0.mydomain.net.
mydomain.net.   IN NS   ns1.mydomain.net.
ns0             IN A    192.168.1.15
ns1             IN A    192.168.1.16

; mail
mail            IN MX   10 mail
mail            IN A    192.168.1.17

; web
@               IN A    192.168.1.17
www             IN A    192.168.1.17
And in /etc/bind I have this in my named.conf.local file
// This is the zone definition for mydomain.net
zone "mydomain.net" {
        type master;
        file "/etc/bind/zones/mydomain.net.db";
};
I have had many dedicated servers in the past but other people managed to configure them up.
I basically want to host somedomain.com and somedomain2.com on a Windows server that is located on XX.XXX.XXX.XX
The server has Apache and PHP installed, which is just what I need. I am having a hard time configuring the domains I want to use on the server in order to make them "work" on the server.
I've installed MRTG, but am having problems making the config file, all I want to do is monitor the in/out bandwidth (2 graphs) on my own server, has anyone got an example file they could paste here?
I've decided to move from managed hosting to colocated hosting and I'm in a bit over my head as far as designing the server configuration goes. I'm looking for assistance with setting up a fully redundant configuration with no SPOF (single point of failure).
The colo provider ensures full redundancy to the cabinet, terminating with two network drops from diverse bandwidth providers and HSRP. I need to eliminate all SPOFs inside the cabinet.
Some questions...
1) I'm thinking of using the Cisco 2960 Series switch as the in-cabinet distribution switch. I believe it supports HSRP. From my understanding, the switch will automatically failover from one uplink to the other in case of a network problem on one of the uplinks, and this will all be transparent to any servers connected to the switch. Is this correct?
2) However, this introduces the switch as SPOF. So, I believe what I need to do is ask the colo for a second pair of network drops and deploy a pair of 2960's. Then I would connect each server to both switches via separate NICs. Is this correct?
3) Finally, assuming I am on the right track here, I would like this to all be transparent and automatic with no human intervention required to recover from a switch failure. The servers will be running RHEL 4. How would I configure the network interfaces on the servers so that they can transparently use either (or both) of the switches? Is there some way to assign the same IP address to more than one interface? How does the OS keep from getting confused about where to send the traffic?
Thanks in advance for any insight. I would also be happy to hear recommendations for excellent network consultants that I could hire to design and implement this configuration for me.
I have a problem when I configure the config.inc.php file in my WHM. I don't know why shared accounts can access phpMyAdmin or create a database from cPanel.
This is part of the config.inc.php file:
/**
 * Disable the default warning that is displayed on the DB Details Structure page if
 * any of the required Tables for the relation features could not be found
 */
$cfg['PmaNoRelation_DisableWarning'] = FALSE;

/**
 * The 'cookie' auth_type uses blowfish algorithm to encrypt the password. If
 * at least one server configuration uses 'cookie' auth_type, enter here a
 * passphrase that will be used by blowfish. The maximum length seems to be 46
 * characters.
 */
$cfg['blowfish_secret'] = '';

/**
 * Server(s) configuration
 */
$i = 0;
// The $cfg['Servers'] array starts with $cfg['Servers'][1]. Do not use
// $cfg['Servers'][0]. You can disable a server config entry by setting host
// to ''. If you want more than one server, just copy following section
// (including $i incrementation) several times. There is no need to define
// full server array, just define values you need to change.
$i++;
$cfg['Servers'][$i]['host']          = 'localhost'; // MySQL hostname or IP address
$cfg['Servers'][$i]['port']          = '';          // MySQL port - leave blank for default port
$cfg['Servers'][$i]['socket']        = '';          // Path to the socket - leave blank for default socket
$cfg['Servers'][$i]['ssl']           = false;       // Use SSL for connecting to MySQL server?
$cfg['Servers'][$i]['connect_type']  = 'tcp';       // How to connect to MySQL server ('tcp' or 'socket')
$cfg['Servers'][$i]['extension']     = 'mysql';     // The php MySQL extension to use ('mysql' or 'mysqli')
$cfg['Servers'][$i]['compress']      = FALSE;       // Use compressed protocol for the MySQL connection
                                                    // (requires PHP >= 4.3.0)
$cfg['Servers'][$i]['controluser']   = '';          // MySQL control user settings
                                                    // (this user must have read-only
$cfg['Servers'][$i]['controlpass']   = '';          // access to the "mysql/user"
                                                    // and "mysql/db" tables).
                                                    // The controluser is also
                                                    // used for all relational
                                                    // features (pmadb)
$cfg['Servers'][$i]['auth_type']     = 'config';    // Authentication method (valid choices: config, http, HTTP, signon or cookie)
$cfg['Servers'][$i]['user']          = '';          // MySQL user
$cfg['Servers'][$i]['password']      = '';          // MySQL password (only needed
                                                    // with 'config' auth_type)
$cfg['Servers'][$i]['SignonSession'] = '';          // Session to use for 'signon' auth method
$cfg['Servers'][$i]['SignonURL']     = '';          // URL where to redirect user to login for 'signon' auth method
$cfg['Servers'][$i]['LogoutURL']     = '';          // URL where to redirect user after logout
$cfg['Servers'][$i]['nopassword']    = FALSE;       // Whether to try to connect without password
$cfg['Servers'][$i]['only_db']       = '';          // If set to a db-name, only
                                                    // this db is displayed in left frame
                                                    // It may also be an array of db-names, where sorting order is relevant.
$cfg['Servers'][$i]['hide_db']       = '';          // Database name to be hidden from listings
$cfg['Servers'][$i]['verbose']       = '';          // Verbose name for this host - leave blank to show the hostname

$cfg['Servers'][$i]['pmadb']         = '';          // Database used for Relation, Bookmark and PDF Features
                                                    // (see scripts/create_tables.sql)
                                                    //   - leave blank for no support
                                                    //     DEFAULT: 'phpmyadmin'
$cfg['Servers'][$i]['bookmarktable'] = '';          // Bookmark table
                                                    //   - leave blank for no bookmark support
                                                    //     DEFAULT: 'pma_bookmark'
$cfg['Servers'][$i]['relation']      = '';          // table to describe the relation between links (see doc)
                                                    //   - leave blank for no relation-links support
                                                    //     DEFAULT: 'pma_relation'
$cfg['Servers'][$i]['table_info']    = '';          // table to describe the display fields
                                                    //   - leave blank for no display fields support
                                                    //     DEFAULT: 'pma_table_info'
$cfg['Servers'][$i]['table_coords']  = '';          // table to describe the tables position for the PDF schema
                                                    //   - leave blank for no PDF schema support
                                                    //     DEFAULT: 'pma_table_coords'
$cfg['Servers'][$i]['pdf_pages']     = '';          // table to describe pages of relationpdf
                                                    //   - leave blank if you don't want to use this
                                                    //     DEFAULT: 'pma_pdf_pages'
$cfg['Servers'][$i]['column_info']   = '';          // table to store column information
                                                    //   - leave blank for no column comments/mime types
                                                    //     DEFAULT: 'pma_column_info'
$cfg['Servers'][$i]['history']       = '';          // table to store SQL history
                                                    //   - leave blank for no SQL query history
                                                    //     DEFAULT: 'pma_history'
$cfg['Servers'][$i]['designer_coords'] = '';        // table to store the coordinates for Designer
                                                    //   - leave blank for no Designer feature
                                                    //     DEFAULT: 'pma_designer_coords'
$cfg['Servers'][$i]['verbose_check'] = TRUE;        // set to FALSE if you know that your pma_* tables
                                                    // are up to date. This prevents compatibility
                                                    // checks and thereby increases performance.
$cfg['Servers'][$i]['AllowRoot']     = TRUE;        // whether to allow root login
$cfg['Servers'][$i]['AllowDeny']['order']           // Host authentication order, leave blank to not use
                                     = '';
$cfg['Servers'][$i]['AllowDeny']['rules']           // Host authentication rules, leave blank for defaults
                                     = array();

// If you have more than one server configured, you can set $cfg['ServerDefault']
// to any one of them to autoconnect to that server when phpMyAdmin is started,
// or set it to 0 to be given a list of servers without logging in
// If you have only one server configured, $cfg['ServerDefault'] *MUST* be
// set to that server.
$cfg['ServerDefault'] = 1;                          // Default server (0 = no default server)

/**
 * Other core phpMyAdmin settings
 */
$cfg['MaxDbList']               = 100;    // maximum number of db's displayed in left frame and database list
$cfg['OBGzip']                  = 'auto'; // use GZIP output buffering if possible (TRUE|FALSE|'auto')
$cfg['PersistentConnections']   = FALSE;  // use persistent connections to MySQL database
$cfg['ForceSSL']                = FALSE;  // whether to force using https
$cfg['ExecTimeLimit']           = 300;    // maximum execution time in seconds (0 for no limit)
$cfg['MemoryLimit']             = 0;      // maximum allocated bytes (0 for no limit)
$cfg['SkipLockedTables']        = FALSE;  // mark used tables, make possible to show
                                          // locked tables (since MySQL 3.23.30)
$cfg['ShowSQL']                 = TRUE;   // show SQL queries as run
$cfg['AllowUserDropDatabase']   = FALSE;  // show a 'Drop database' link to normal users
$cfg['Confirm']                 = TRUE;   // confirm 'DROP TABLE' & 'DROP DATABASE'
$cfg['LoginCookieRecall']       = TRUE;   // recall previous login in cookie auth. mode or not
$cfg['LoginCookieValidity']     = 1800;   // validity of cookie login (in seconds)
$cfg['LoginCookieStore']        = 0;      // how long login cookie should be stored (in seconds)
$cfg['LoginCookieDeleteAll']    = TRUE;   // whether to delete all login cookies on logout
$cfg['UseDbSearch']             = TRUE;   // whether to enable the "database search" feature
                                          // or not
$cfg['IgnoreMultiSubmitErrors'] = FALSE;  // if set to true, PMA continues computing multiple-statement queries
                                          // even if one of the queries failed
$cfg['VerboseMultiSubmit']      = TRUE;   // if set to true, PMA will show the affected rows of EACH statement on
                                          // multiple-statement queries. See the libraries/import.php file for
                                          // hardcoded defaults on how many queries a statement may contain!
$cfg['AllowArbitraryServer']    = FALSE;  // allow login to any user entered server in cookie based auth

// Left frame setup
$cfg['LeftFrameLight']          = TRUE;   // use a select-based menu and display only the
                                          // current tables in the left frame.
$cfg['LeftFrameDBTree']         = TRUE;   // turn the select-based light menu into a tree
$cfg['LeftFrameDBSeparator']    = '_';    // the separator to sub-tree the select-based light menu tree
$cfg['LeftFrameTableSeparator'] = '__';   // Which string will be used to generate table prefixes
                                          // to split/nest tables into multiple categories
$cfg['LeftFrameTableLevel']     = '1';    // How many sublevels should be displayed when splitting
                                          // up tables by the above Separator
$cfg['ShowTooltip']             = TRUE;   // display table comment as tooltip in left frame
$cfg['ShowTooltipAliasDB']      = FALSE;  // if ShowToolTip is enabled, this defines that table/db comments
$cfg['ShowTooltipAliasTB']      = FALSE;  // are shown (in the left menu and db_structure) instead of
                                          // table/db names. Setting ShowTooltipAliasTB to 'nested' will only
                                          // use the Aliases for nested descriptors, not the table itself.

$cfg['LeftDisplayLogo']         = TRUE;   // display logo at top of left frame
$cfg['LeftLogoLink']            = 'main.php'; // where should logo link point to
                                          // (can also contain an external URL)
$cfg['LeftLogoLinkWindow']      = 'main'; // whether to open the linked page
                                          // in the main window ('main')
                                          // or in a new window ('new')
$cfg['LeftDisplayServers']      = FALSE;  // display server choice at top of left frame
$cfg['DisplayServersList']      = FALSE;  // server choice as links
$cfg['DisplayDatabasesList']    = FALSE;  // database choice in light as links

// In the main frame, at startup...
$cfg['ShowStats']               = TRUE;   // allow to display statistics and space usage in
                                          // the pages about database details and table
                                          // properties
$cfg['ShowPhpInfo']             = FALSE;  // show php info link
$cfg['ShowServerInfo']          = TRUE;   // show MySQL server information
$cfg['ShowChgPassword']         = FALSE;  // show change password link
$cfg['ShowCreateDb']            = TRUE;   // show create database form
$cfg['SuggestDBName']           = TRUE;   // suggest a new DB name if possible (false = keep empty)
Some questions:

$cfg['Servers'][$i]['controluser'] = ?
I'm having some SMTP server security issues. I am running Postfix on my Debian VPS and I am trying to stop Postfix from being publicly used by anybody except those with webmail.
I read Postfix's configuration at Postfix.org, but I couldn't find anything that I thought to be relevant to this situation. Do any of you have suggestions or ways to fix this? Besides disabling e-mail altogether?
As another detail, I'm running Postfix on its original config, not through a MySQL database config.
Mostly it works fine, but if there is a 404 then I get a 403 permission denied error instead of the error page. The folder that contains the error page does have a <Directory> block for it, and I even tried adding it into the virtual host, but I get the same result.
If the file does exist then it loads like normal.
Can anyone see any problems with my config, or do I have to do something different for 2.2.6?
I had to switch to Apache 2 from Lighttpd and I'm running into a little bit of trouble trying to make it handle all my traffic. I'm using the worker MPM module, which has the following default config:
I was wondering if anyone has a tried and tested suhosin config for an average webhosting box?
I tried the config on the webhostgear article and it caused a few problems with some sites. On my directadmin server I managed to do the patch and the extension. I was wanting to do the same on cpanel server. Has anyone done the patch as well with easyapache?
I figure you would have to go to where it saves the downloaded source and patch it then zip it back up.
I just went to a box for myself, and just realized that my RAM is closing in on its limit.
We have 1GB of RAM, yet we have around 50MB left.
We run 2 forums, with around 200 concurrent users up to 2000 at peaks. (Currently it's 200 concurrent.)
Just hoping somebody could take a look at my httpd.conf and my my.cnf to see if I should tweak anything.
Ran top with shift+M, and found that a lot of Apache processes are using 5MB per process:
Code:
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 3173 apache    15   0 73672  51m 3924 S  0.0  5.1   0:56.63 httpd
 4790 apache    15   0 73676  51m 3912 S  0.0  5.1   0:13.36 httpd
 4980 apache    15   0 73672  51m 3908 S  0.0  5.1   0:08.21 httpd
 3172 apache    15   0 69844  48m 3940 S  0.0  4.8   0:45.93 httpd
 5096 apache    15   0 69872  48m 3896 S  0.0  4.8   0:06.21 httpd
 4394 apache    15   0 68544  46m 3912 S  8.2  4.6   0:20.24 httpd
 4256 apache    15   0 68540  46m 3912 S  0.0  4.6   0:30.12 httpd
 3729 mysql     15   0  130m  35m 4968 S  2.0  3.5 147:49.81 mysqld
 4003 psaadm    15   0 48212  34m  23m S  0.0  3.5   0:27.61 httpsd
 1489 apache    15   0 53056  31m 3928 S  0.0  3.2   1:10.80 httpd
 1538 apache    15   0 52692  31m 3928 S  0.0  3.1   1:15.86 httpd
 1452 apache    15   0 52636  31m 3932 S  0.0  3.1   1:24.45 httpd
 2098 apache    15   0 52576  31m 3976 S  0.0  3.1   1:10.90 httpd
 1450 apache    15   0 52556  31m 3940 S  0.0  3.1   1:24.80 httpd
 1457 apache    15   0 52484  31m 3964 S  0.0  3.1   1:22.13 httpd
 1718 apache    16   0 52444  31m 3964 R 30.7  3.1   1:27.99 httpd
httpd.conf (please tell me if I have missed anything out):
Code:
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 60

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive Off

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 10

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# ServerLimit: maximum value for MaxClients for the lifetime of the server
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
StartServers          8
MinSpareServers       5
MaxSpareServers      20
ServerLimit         256
MaxClients          256
MaxRequestsPerChild 2000
</IfModule>

# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
StartServers          2
MaxClients          150
MinSpareThreads      25
MaxSpareThreads      75
ThreadsPerChild      25
MaxRequestsPerChild   0
</IfModule>
my.cnf:
Code:
[mysqld]
set-variable=local-infile=0
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
I have kind of inherited this server from another person, so I'm not totally sure how it was set up. It is a:
Red Hat machine running the 2.6.9-22.0.2.ELsmp kernel, running Apache 2.0.52 (Red Hat)
At any rate, this server mainly serves up images but also a few videos encoded in Flash (.swf files). Basically the issue at hand is that there are a few domain names that all point to this server, but only one domain name will let the .swf files stream correctly. All other domain names will wait for the whole thing to download before playing. I'm pretty new to Apache 2, but I do know Apache 1 pretty well. I'm not totally sure where to start with all this. The server is set up with no virtual hosting for each domain, which I think could be a problem.
config.php to not have write permissions for everyone?
I am running cPanel 10x with WHM/extras. Here is the full report when I try to load Fantastico scripts:

You must secure this program. Insecure permissions on config.php
While installing CSLH you might of needed to change the permissions of config.php so that it is writable by the web server. config.php no longer needs to be written to so please chmod config.php to not have write permissions for everyone. you can do this by UNCHECKING the box that reads write permissions for the file:
I would like to use the LiteSpeed web server on my server. I installed and ran LiteSpeed on my server, but I don't know how to configure it. When I start the LiteSpeed web server I get an error telling me to please install Zend. Please help me install Zend, and if you know what I need for the install, please help me get it done.
I use cPanel on a dedicated server; I can control LiteSpeed from cPanel WHM.