1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Web Hosting tunning guide

Discussion in 'Plesk for Linux - 8.x and Older' started by NetNappy, Apr 19, 2006.

  1. NetNappy

    NetNappy Guest

    0
     
    Well,, I'm very new for web administration, but if you guy could guide me on how to tune up the web server stuff, please I am very appreciate your help.

    Coz, I just wonder on my ftp session or ssh session won't be timed out, and it's not only this things that I am finding out, I believe there will be somethings else that I have to tune up, but I just don't know because I am newbie.

    Thanks for your help
     
  2. NightStorm

    NightStorm Guest

    0
     
  3. VIB-host

    VIB-host Guest

    0
     
    This is useless junk to the question

    Go to your OS vendors homepage and/or find a forum that provide good support for you OS and ask there. You will find people out there in the opensource enviroment there will Tune your box for "free" and many of them are actually pretty good at it.

    You can also go to 4psa.com they provite such an service for about 99 dollars, well spended if you ask me.
     
  4. NightStorm

    NightStorm Guest

    0
     
    I must have missed the part about step-by-step walkthroughs on kernel upgrade, securing /tmp, tuning Apache and MySQL, and tweaking to help combat DOS attacks and URL exploits is useless junk.
    Not to mention how to disable direct root login, install mod_security, APF, patching php...
    He asked for info on how to tune the server, and I think he would find a lot of helpful tips at the link. Could you perhaps explain how it's useless?

    Paying someone else to do all the work for you is fine and dandy, but it doesn't help you when something goes wrong and you still have no clue how to navigate your own server. If you're going to be a sysadmin, you need to know where things are, and how things work. Learning how to manage your own server is far from "useless junk".
     
  5. VIB-host

    VIB-host Guest

    0
     
    yep, but sending a guy to a page NOT describing any of the things he ask for is pretty useless.

    he was asking for how to tune his server nt securing etc. of other stuff.
     
  6. phatPhrog

    phatPhrog Guest

    0
     
    If you are running the latest update of Plesk 8/Fedora Core 4 all you need to do is run

    yum update

    For mod_security, just run: yum install mod_security - and 1.9.4 is installed.

    The /etc/httpd/conf.d/mod_security.conf is a default file that needs some work.

    Best to use http://gotroot.com help on mod_security.

    I have a script that updates the rules which comes in quite handy.
     
  7. eWebtricity

    eWebtricity Guest

    0
     
  8. VIB-host

    VIB-host Guest

    0
     
    Thanks

    This was a couple of good links, thanks
     
  9. Highland

    Highland Guest

    0
     
    mod_security is in the ASL channel which requires a subscription ;)
     
  10. phatPhrog

    phatPhrog Guest

    0
     
    With the current FC4/Plesk 8 on Linux mod_security can be installed without adding ART or ASL channels to yum.conf or to an /etc/yum.respos.d/art.repo file.

    The "extras" channel installs it:

    http://download.fedora.redhat.com/pub/fedora/linux/extras/4/SRPMS/

    yum install mod_security

    It installs a default /etc/httpd/conf.d/mod_security.conf that is in real need of tweaking though.

    Again, this holds true for Fedora Core 4 yum channels.

    NOTE: the default is set to the development channels so you will need to add/edit your EXTRAS channel per

    http://download.fedora.redhat.com/pub/fedora/linux/extras/EXTRAS
     
  11. VIB-host

    VIB-host Guest

    0
     
    any one done this on a freebsd yet?
     
  12. gee_fin

    gee_fin Guest

    0
     
    Hi, I've just installed the mod_security and grabbed the current rules from gotroot, their auto script is giving me issues though. I would be really grateful if you could post the script that you are using to gather the rules.

    Cheers,
    Graeme.
     
  13. phatPhrog

    phatPhrog Guest

    0
     
    Code:
    #!/bin/sh
    #
    # Autoupdater for modsec rulesets.
    #
    # This script will attempt to update your rulefiles, and restart apache.
    # If it apache does not start after changing rules, it will roll back to
    # the old ruleset and restart apache again.
    #
    
    APACHESTART="/usr/sbin/apachectl start"
    MODSECPATH="/etc/modsecurity"
    APACHEPID="/var/run/httpd.pid"
    
    ##########################################################################
    ######### you probably don't need to change anything below here ##########
    ##########################################################################
    
    # urls
    BLACKLIST="http://www.gotroot.com/downloads/ftp/mod_security/blacklist.conf"
    BLACKLIST2="http://www.gotroot.com/downloads/ftp/mod_security/blacklist2.conf"
    RULES="http://www.gotroot.com/downloads/ftp/mod_security/rules.conf"
    APACHE2="http://www.gotroot.com/downloads/ftp/mod_security/apache2-rules.conf"
    USERAGENTS="http://www.gotroot.com/downloads/ftp/mod_security/useragents.conf"
    ROOTKITS="http://www.gotroot.com/downloads/ftp/mod_security/rootkits.conf"
    EXCLUDE="http://www.gotroot.com/downloads/ftp/mod_security/exclude.conf"
    PROXY="http://www.gotroot.com/downloads/ftp/mod_security/proxy.conf"
    
    # internal
    PID=`cat ${APACHEPID}`
    UPDATED=0
    
    echo -n "Changing PWD: "
    cd ${MODSECPATH}
    echo `pwd`
    
    # blacklist
    echo -n "Updating blacklist.conf: "
    /usr/bin/wget -t 30 -O blacklist.conf.1 -q ${BLACKLIST}
    if [ `md5sum blacklist.conf | cut -d " " -f1` != `md5sum blacklist.conf.1 | cut -d " " -f1` ] ; then
            /bin/mv blacklist.conf blacklist.conf.bak
            /bin/mv blacklist.conf.1 blacklist.conf
            UPDATED=`expr $UPDATED + 1`
            echo "ok."
    else
            echo "allready up to date."
            /bin/rm -f blacklist.conf.1
    fi
    
    # blacklist2
    echo -n "Updating blacklist2.conf: "
    /usr/bin/wget -t 30 -O blacklist2.conf.1 -q ${BLACKLIST2}
    if [ `md5sum blacklist2.conf | cut -d " " -f1` != `md5sum blacklist2.conf.1 | cut -d " " -f1` ] ; then
            /bin/mv blacklist2.conf blacklist2.conf.bak
            /bin/mv blacklist2.conf.1 blacklist2.conf
            UPDATED=`expr $UPDATED + 1`
            echo "ok."
    else
            echo "allready up to date."
            /bin/rm -f blacklist2.conf.1
    fi
    
    # rules
    echo -n "Updating rules.conf: "
    /usr/bin/wget -t 30 -O rules.conf.1 -q ${RULES}
    if [ `md5sum rules.conf | cut -d " " -f1` != `md5sum rules.conf.1 | cut -d " " -f1` ] ; then
            /bin/mv rules.conf rules.conf.bak
            /bin/mv rules.conf.1 rules.conf
            UPDATED=`expr $UPDATED + 1`
            echo "ok."
    else
            echo "allready up to date."
            /bin/rm -f rules.conf.1
    fi
    
    # apache2 rules
    echo -n "Updating apache2-rules.conf: "
    /usr/bin/wget -t 30 -O apache2-rules.conf.1 -q ${APACHE2}
    if [ `md5sum apache2-rules.conf | cut -d " " -f1` != `md5sum apache2-rules.conf.1 | cut -d " " -f1` ] ; then
            /bin/mv apache2-rules.conf apache2-rules.conf.bak
            /bin/mv apache2-rules.conf.1 apache2-rules.conf
            UPDATED=`expr $UPDATED + 1`
            echo "ok."
    else
            echo "allready up to date."
            /bin/rm -f apache2-rules.conf.1
    fi
    
    # useragents
    echo -n "Updating useragents.conf: "
    /usr/bin/wget -t 30 -O useragents.conf.1 -q ${USERAGENTS}
    if [ `md5sum useragents.conf | cut -d " " -f1` != `md5sum useragents.conf.1 | cut -d " " -f1` ] ; then
            /bin/mv useragents.conf useragents.conf.bak
            /bin/mv useragents.conf.1 useragents.conf
            UPDATED=`expr $UPDATED + 1`
            echo "ok."
    else
            echo "allready up to date."
            /bin/rm -f useragents.conf.1
    fi
    
    # rootkits
    echo -n "Updating rootkits.conf: "
    /usr/bin/wget -t 30 -O rootkits.conf.1 -q ${ROOTKITS}
    if [ `md5sum rootkits.conf | cut -d " " -f1` != `md5sum rootkits.conf.1 | cut -d " " -f1` ] ; then
            /bin/mv rootkits.conf rootkits.conf.bak
            /bin/mv rootkits.conf.1 rootkits.conf
            UPDATED=`expr $UPDATED + 1`
            echo "ok."
    else
            echo "allready up to date."
            /bin/rm -f rootkits.conf.1
    fi
    
    # exclude
    echo -n "Updating exclude.conf: "
    /usr/bin/wget -t 30 -O exclude.conf.1 -q ${EXCLUDE}
    if [ `md5sum exclude.conf | cut -d " " -f1` != `md5sum exclude.conf.1 | cut -d " " -f1` ] ; then
            /bin/mv exclude.conf exclude.conf.bak
            /bin/mv exclude.conf.1 exclude.conf
            UPDATED=`expr $UPDATED + 1`
            echo "ok."
    else
            echo "allready up to date."
            /bin/rm -f exclude.conf.1
    fi
    
    # proxy
    echo -n "Updating proxy.conf: "
    /usr/bin/wget -t 30 -O proxy.conf.1 -q ${EXCLUDE}
    if [ `md5sum proxy.conf | cut -d " " -f1` != `md5sum proxy.conf.1 | cut -d " " -f1` ] ; then
            /bin/mv proxy.conf proxy.conf.bak
            /bin/mv proxy.conf.1 proxy.conf
            UPDATED=`expr $UPDATED + 1`
            echo "ok."
    else
            echo "allready up to date."
            /bin/rm -f proxy.conf.1
    fi
    
            cd /etc/modsecurity
            chmod 0750 *conf
            chmod 0700 *bak
    
    # try restart
    if [ "$UPDATED" -gt "0" ]; then
            echo -n "Restarting apache: "
            /bin/kill -HUP ${PID} 2>/dev/null
            # did it work?
            if `/bin/kill -CHLD ${PID} >/dev/null 2>&1`; then
                    echo "ok."
                    exit 0
            fi
            echo "error. Apache not running."
    
            # blacklist
            echo -n "Rolling back blacklist.conf: "
            /bin/mv blacklist.conf blacklist.conf.new
            /bin/mv blacklist.conf.bak blacklist.conf
            echo "ok."
    
            # blacklist2
            echo -n "Rolling back blacklist2.conf: "
            /bin/mv blacklist2.conf blacklist2.conf.new
            /bin/mv blacklist2.conf.bak blacklist2.conf
            echo "ok."
    
            # rules
            echo -n "Rolling back rules.conf: "
            /bin/mv rules.conf rules.conf.new
            /bin/mv rules.conf.bak rules.conf
            echo "ok."
    
            # apache2 rules
            echo -n "Rolling back apache2-rules.conf: "
            /bin/mv apache2-rules.conf apache2-rules.conf.new
            /bin/mv apache2-rules.conf.bak apache2-rules.conf
            echo "ok."
    
            # useragents
            echo -n "Rolling back useragents.conf: "
            /bin/mv useragents.conf useragents.conf.new
            /bin/mv useragents.conf.bak useragents.conf
            echo "ok."
    
            # rootkits
            echo -n "Rolling back rootkits.conf: "
            /bin/mv rootkits.conf rootkits.conf.new
            /bin/mv rootkits.conf.bak rootkits.conf
            echo "ok."
    
            # exclude
            echo -n "Rolling back exclude.conf: "
            /bin/mv exclude.conf exclude.conf.new
            /bin/mv exclude.conf.bak exclude.conf
            echo "ok."
    
            # proxy
            echo -n "Rolling back proxy.conf: "
            /bin/mv proxy.conf proxy.conf.new
            /bin/mv proxy.conf.bak proxy.conf
            echo "ok."
    
            # try starting httpd again
            `${APACHESTART}`
            PID=`cat ${APACHEPID}`
    
            # did that fix the problem?
            if `/bin/kill -CHLD ${PID} >/dev/null 2>&1`; then
                    echo "That did the trick."
                    exit 0
            fi
    
            echo "Fatal: Apache still not running! Run apachectl -t to find the error."
    
            exit 999
    fi
    
     
  14. Jllynch

    Jllynch Regular Pleskian

    28
     
    Joined:
    Nov 11, 2003
    Messages:
    242
    Likes Received:
    0
    phatPhrog are you basically using the following rules on RHE 4?

    BLACKLIST="http://www.gotroot.com/downloads/ftp/mod_security/blacklist.conf"
    BLACKLIST2="http://www.gotroot.com/downloads/ftp/mod_security/blacklist2.conf"
    RULES="http://www.gotroot.com/downloads/ftp/mod_security/rules.conf"
    APACHE2="http://www.gotroot.com/downloads/ftp/mod_security/apache2-rules.conf"
    USERAGENTS="http://www.gotroot.com/downloads/ftp/mod_security/useragents.conf"
    ROOTKITS="http://www.gotroot.com/downloads/ftp/mod_security/rootkits.conf"
    EXCLUDE="http://www.gotroot.com/downloads/ftp/mod_security/exclude.conf"
    PROXY="http://www.gotroot.com/downloads/ftp/mod_security/proxy.conf"

    If so have you had to tweak them much? That is what I am worried about, I want to add some new rules but don't want to risk breaking a lot of applications. What is a good way of testing new rules?

    Justin
     
Loading...