Steps to Install Mod_Security on Direct Admin

What is mod_security or modsecurity?

ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. ModSecurity supports both branches of the Apache web server.
This HOW-TO is for Apache 2.X only.

cd /usr/local/src
mkdir modsecurity2
cd modsecurity2
wget http://www.serverbuddies.com/files/modsecurity-apache_2.5.9.tar.gz
perl -pi -e 's/ServerTokens Major/ServerTokens Full/' /etc/httpd/conf/extra/httpd-default.conf
perl -pi -e 's/ServerSignature Off/ServerSignature On/' /etc/httpd/conf/extra/httpd-default.conf
perl -pi -e 's/ServerSignature EMail/ServerSignature On/' /etc/httpd/conf/extra/httpd-default.conf
tar xzf modsecurity-apache_2.5.9.tar.gz
cd modsecurity-apache_2.5.9
cd apache2
./configure
make
make test
make install

Now we download a pre-defined mod_sec ruleset,

cd /etc/modsecurity2/
wget http://www.serverbuddies.com/files/modsec.v2.rules.conf


Add the newly compiled mod_security module to the Apache configuration,

vi /etc/httpd/conf/httpd.conf


After:

LoadModule php5_module /usr/lib/apache/libphp5.so

Add:

For 32bit -

LoadFile /usr/lib/libxml2.so
LoadModule security2_module /usr/lib/apache/mod_security2.so

For 64bit -

LoadFile /usr/lib64/libxml2.so
LoadModule security2_module /usr/lib/apache/mod_security2.so

At the bottom of the httpd.conf config file we add the following,

# ModSecurity2 config file.
#
Include /etc/modsecurity2/modsec.v2.rules.conf


Restart the webserver.

service httpd restart


Installation should be completed and mod_sec should be now loaded on your Apache webserver.
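
A quick lint for the httpd.conf changes described above, as an added example that is not part of the original how-to. The function name check_modsec_conf and the sample configs are assumptions made for illustration; the directive names and paths are the ones used in the steps.

```shell
#!/bin/sh
# Added example (not from the original post): lint httpd.conf for the
# ModSecurity 2 directives described above. check_modsec_conf is a
# hypothetical helper name; directive names and paths are the page's.

check_modsec_conf() {
    # $1 = httpd.conf to inspect, $2 = rules file expected in an Include
    awk -v rules="${2:-/etc/modsecurity2/modsec.v2.rules.conf}" '
        /^[ \t]*#/ { next }                       # ignore commented-out lines
        $1 == "LoadFile"   && $2 ~ /libxml2\.so$/      && !xml { xml = NR }
        $1 == "LoadModule" && $2 == "security2_module" && !mod { mod = NR }
        $1 == "Include"    && $2 == rules              && !inc { inc = NR }
        END {
            if (!xml) { print "missing: LoadFile .../libxml2.so"; bad = 1 }
            if (!mod) { print "missing: LoadModule security2_module"; bad = 1 }
            if (!inc) { print "missing: Include " rules; bad = 1 }
            # Apache reads directives top to bottom: libxml2 has to be loaded
            # before the module that links against it, and the module before
            # the rules file that uses its directives.
            if (xml && mod && xml > mod) {
                print "order: LoadFile libxml2.so is after LoadModule security2_module"; bad = 1
            }
            if (mod && inc && mod > inc) {
                print "order: Include of the rules is before LoadModule security2_module"; bad = 1
            }
            exit bad + 0
        }' "$1"
}

# Constructed sample configs (not taken from a real server).
write_samples() {
    cat > "$1/good.conf" <<'EOF'
LoadModule php5_module /usr/lib/apache/libphp5.so
LoadFile /usr/lib64/libxml2.so
LoadModule security2_module /usr/lib/apache/mod_security2.so
# ModSecurity2 config file.
Include /etc/modsecurity2/modsec.v2.rules.conf
EOF
    cat > "$1/bad.conf" <<'EOF'
LoadModule security2_module /usr/lib/apache/mod_security2.so
LoadFile /usr/lib/libxml2.so
#Include /etc/modsecurity2/modsec.v2.rules.conf
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in good.conf bad.conf; do
    if check_modsec_conf "$demo_dir/$f"; then
        echo "$f: ok"
    else
        echo "$f: needs fixing"
    fi
done
rm -rf "$demo_dir"
```

On the server, point it at /etc/httpd/conf/httpd.conf before restarting httpd; a clean result means the three lines are present and in a loadable order, not that the rules themselves are valid.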

Any suggestion or questions are welcome.

How to set default crontab editor ?

The default crontab editor is nano on some systems. This is a pain. You can change this by setting the EDITOR environment variable. In BASH:

srv-4 / # set | grep EDITOR
EDITOR=/bin/nano
srv-4 / # which vi
/usr/bin/vi
srv-4 / # export EDITOR=/usr/bin/vi
srv-4 / # set | grep EDITOR
EDITOR=/usr/bin/vi
_=EDITOR
srv-4 / #

To make the change stick, you can add it to the profile script appropriate for your shell. We put it in /etc/profile.

Any suggestions or questions are welcome.

How to Install FFmpeg through YUM

Installing FFMpeg

yum install ffmpeg ffmpeg-devel

If you get package not found, then you will need to add a few lines to the yum repository configuration to install the dag packages. Create a file named dag.repo in /etc/yum.repos.d with the following contents:

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux

baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1

then

yum install ffmpeg ffmpeg-devel

If everything is fine, then the installation should proceed smoothly. If not, you will get something like a GPG public key missing warning.

Common Errors

To fix rpmforge GPG key warning:

rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

For more information refer to this faq depending on Centos version

Missing Dependency Error:

If you get a missing dependency error like the one shown below in the middle of the ffmpeg installation,

Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package ffmpeg
Error: Missing Dependency: libtheora.so.0(libtheora.so.1.0) is needed by package ffmpeg
Error: Missing Dependency: rtld(GNU_HASH) is needed by package ffmpeg
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package imlib2
Error: Missing Dependency: rtld(GNU_HASH) is needed by package a52dec
Error: Missing Dependency: rtld(GNU_HASH) is needed by package imlib2
Error: Missing Dependency: rtld(GNU_HASH) is needed by package gsm
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package x264
Error: Missing Dependency: rtld(GNU_HASH) is needed by package xvidcore
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package lame
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package a52dec
Error: Missing Dependency: rtld(GNU_HASH) is needed by package faad2
Error: Missing Dependency: rtld(GNU_HASH) is needed by package x264
Error: Missing Dependency: rtld(GNU_HASH) is needed by package lame
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package xvidcore
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package faac
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package faad2
Error: Missing Dependency: libgif.so.4 is needed by package imlib2
Error: Missing Dependency: rtld(GNU_HASH) is needed by package faac
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package gsm
Error: Missing Dependency: libpng12.so.0(PNG12_0) is needed by package imlib2
Error: Missing Dependency: rtld(GNU_HASH) is needed by package libmp4v2
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package libmp4v2

then most commonly you have GLIB 2.3 installed instead of the GLIB 2.4 version. To check the current GLIB version installed on your server, just use

yum list glib*

and it should list the latest GLIB package version.

The reason I was getting this error was that my rpmforge packages were pointed to CentOS 5 versions instead of CentOS 4.6.

To fix dependency error:

To fix this error, you might need to check that your rpmforge packages are compatible with the release of your existing CentOS version.
Check the file /etc/yum.repos.d/rpmforge.repo; for CentOS 4.6 (Final) it should look like the example below. If you have lines like http://apt.sw.be/redhat/el5/en/mirrors-rpmforge you might need to make changes to rpmforge.repo as shown below.

Note: Backup the original rpmforge.repo file before you edit its content.

[rpmforge]
name = Red Hat Enterprise $releasever - RPMforge.net - dag
#baseurl = http://apt.sw.be/redhat/el4/en/$basearch/dag
mirrorlist = http://apt.sw.be/redhat/el4/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1

To find out which Linux distribution and version you are running:

cat /etc/redhat-release

Once this is done, run yum install ffmpeg again.

This trick resolved the problem on my Linux box running CentOS 4.6, and this is the only way I found to install ffmpeg using yum.
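
The el4/el5 mismatch described above can be checked mechanically before running yum. This is an added example, not part of the original post; el_major, repo_el_mismatch and the sample files are assumptions made for illustration, modelled on the rpmforge.repo stanza shown above.

```shell
#!/bin/sh
# Added example, not from the original post. el_major and repo_el_mismatch
# are hypothetical helper names; the repo layout is the one shown above.

# Major release number from a file in /etc/redhat-release format,
# e.g. "CentOS release 4.6 (Final)" -> 4
el_major() {
    sed -n 's/.*release \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Report active baseurl/mirrorlist lines whose /elN/ path component does not
# match the running release. URLs written with $releasever are skipped
# because yum fills in the right value itself.
repo_el_mismatch() {
    want=$(el_major "$1")
    [ -n "$want" ] || { echo "cannot read a release number from $1" >&2; return 2; }
    awk -v want="$want" '
        /^[ \t]*#/ { next }                      # commented-out entries are inactive
        /^[ \t]*(baseurl|mirrorlist)[ \t]*=/ {
            if (match($0, /\/el[0-9]+\//)) {
                got = substr($0, RSTART + 3, RLENGTH - 4)
                if (got != want) {
                    printf "line %d: repo targets el%s, system is el%s\n", NR, got, want
                    bad = 1
                }
            }
        }
        END { exit bad + 0 }' "$2"
}

# Constructed samples: a CentOS 4.6 release file and two repo files.
write_repo_samples() {
    echo "CentOS release 4.6 (Final)" > "$1/redhat-release"
    cat > "$1/el5.repo" <<'EOF'
[rpmforge]
name = Red Hat Enterprise $releasever - RPMforge.net - dag
#baseurl = http://apt.sw.be/redhat/el5/en/$basearch/dag
mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
enabled = 1
gpgcheck = 1
EOF
    sed 's|/el5/|/el4/|' "$1/el5.repo" > "$1/el4.repo"
}

demo_dir=$(mktemp -d)
write_repo_samples "$demo_dir"
for r in el5.repo el4.repo; do
    if repo_el_mismatch "$demo_dir/redhat-release" "$demo_dir/$r"; then
        echo "$r: matches the installed release"
    fi
done
rm -rf "$demo_dir"
```

On a real system the call is repo_el_mismatch /etc/redhat-release /etc/yum.repos.d/rpmforge.repo.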
To check that FFmpeg is working:

Finally, check whether ffmpeg is working.

ffmpeg
ffmpeg -formats
ffmpeg --help
# This lists the path of ffmpeg, its modules and other path information

ffmpeg -i Input.file Output.file

To check which audio/video formats are supported:

ffmpeg -formats > ffmpeg-format.txt

Open ffmpeg-format.txt to see the output:

D means decode
E means encode
V means video
A means audio
T = Truncated

Install FFMPEG-PHP Extension

FFmpeg-php is a very good extension and wrapper for PHP which can pull useful information about video through an API interface. In order to install it you will need to download the source file and then compile and install the extension on your server. You can download the source tarball from http://ffmpeg-php.sourceforge.net/

wget /path/to/this/file/ffmpeg-php-0.5.2.1.tbz2

tar -xjf ffmpeg-php-0.5.2.1.tbz2
cd ffmpeg-php-0.5.2.1

phpize

./configure
make
make install

Common Errors

1. If you get command not found error for phpize, then you will need to do yum install php-devel

2. If you get error like "ffmpeg headers not found" while configuring the source.

configure: error: ffmpeg headers not found. Make sure ffmpeg is compiled as shared libraries using the --enable-shared option

then it means you have not installed ffmpeg-devel packages.

To Fix: Just install ffmpeg-devel using

yum install ffmpeg-devel

3. If you get a shared libraries not found error and configure halts in the middle, then you must pass the ffmpeg install path explicitly to ./configure.

configure: error: ffmpeg shared libraries not found. Make sure ffmpeg is compiled as shared libraries using the --enable-shared option

To Fix:

1. First find out the ffmpeg path with ffmpeg --help command. The prefix default path should be like /usr/local/cpffmpeg
2. Configure the FFmpeg-php with --with-ffmpeg option

./configure --with-ffmpeg=/usr/local/cpffmpeg

That should resolve the problem!

Editing PHP.INI

Once you have done that without any problems, you will see the php extension file /usr/local/lib/php/extensions/no-debug-non-zts-20060613/ffmpeg.so, and you will need to mention that extension in the php.ini file.

nano /usr/local/lib/php.ini

Put the below two lines at the end of the php.ini file

[ffmpeg]
extension=ffmpeg.so

Then restart the server:

service httpd restart

To check whether ffmpeg is enabled in PHP, point your browser to a test.php file. It should show confirmation of the installed ffmpeg php extension.

<?php
// test.php
phpinfo();
?>

If in any case ffmpeg does not show in the phpinfo() test, make sure that the php.ini path to ffmpeg.so is correct. If the problem still occurs, the reason could be that you are using an older version of ffmpeg-php which is buggy. Just download the latest version of the ffmpeg-php source, then compile it.

Installing Mplayer + Mencoder

Just issue the following yum commands to install the rest of the packages.

yum install mplayer mencoder

Installing FlvTool2

Flvtool2 is a flash video file manipulation tool. It can calculate metadata and can cut and edit cue points for flv files.

If you are on CentOS 5, try yum install flvtool2 with the dag repository; if you get package not found, you will need to manually download and compile flvtool2. You can download the latest version of flvtool2 here: http://rubyforge.org/projects/flvtool2/

wget

ruby setup.rb config
ruby setup.rb setup
sudo ruby setup.rb install

If you get a command not found error, it probably means that you don't have ruby installed.

yum install ruby

That's it! Once ffmpeg works fine with the php extension, download a sample video, convert it to .flv format on the command line and plug it into flowplayer to see it work in your web browser. Also try downloading the video file and checking offline whether the converted flv file works well with both audio and video.

Useful Links

FFmpeg (http://ffmpeg.mplayerhq.hu)
Mplayer + Mencoder (http://www.mplayerhq.hu/design7/dload.html)
Flv2tool (http://inlet-media.de/flvtool2)
Libogg + Libvorbis (http://www.xiph.org/downloads)
LAME MP3 Encoder (http://lame.sourceforge.net)
FlowPlayer - A Free Flash Video Player - http://flowplayer.org/

Important Audio Codecs
(http://www.mplayerhq.hu/DOCS/HTML/en/audio-codecs.html)

You can also post comments in my blog.


For more information please take a look at:
http://www.mysql-apache-php.com/ffmpeg-install.htm

Any suggestion or questions are welcome.

Downgrade MySQL 5 to MySQL 4.1 on cPanel dedicated server

If for some reason you need to downgrade MySQL 5 to MySQL 4.1, you will have to do the following:

To check which mysql rpms are installed, use the command:

rpm -qa | grep -i mysql-

First of all, take a backup of /var/lib/mysql, and also ask the other users to keep a backup of their own. This can also be a .sql file. The command to take a backup is:

cp -a /var/lib/mysql /var/lib/mysql.bk

Now you will have to edit the cPanel config file manually, so open it with the command:

nano /var/cpanel/cpanel.config

Here, find the line "mysql-version=5.0" and change it to "mysql-version=4.1".

Now, we will forcefully install mysql by the following command:

/scripts/mysqlup --force

You can now check again with the command:

rpm -qa | grep -i mysql-

This is done and worked for me.

Any suggestions or questions are welcome.

Update Python

If there are problems with mail or anything else, you can update Python on your cPanel server.

Download the latest version here: http://www.python.org/download/

Then build it and edit the cPanel config to match the new version:

cd /usr/local/src/
wget http://www.python.org/ftp/python/2.4.6/Python-2.4.6.tgz
tar -xvzf Python-2.4.6.tgz
cd Python-2.4.6/
./configure --prefix=/usr/local/python.2.4.6/
make
make install

Python is now installed on your system as a secondary version, so you can edit the cPanel config:
vi /var/cpanel/cpanel.config
Find the python line, comment it out with # and enter the line below:
python=/usr/local/python.2.4.6/bin/python2.4
Then force an update of cPanel.

Everything is OK.

Daily Process Logs are not working in WHM

Where exactly does the "Daily Process Log" page in WHM get its data?

The same information may be accessed via the command line (SSH access) using the following script:

# /usr/local/cpanel/bin/dcpumonview

Simply run this script to update the stats, and make sure cron is properly set to update the stats. The information is updated every 5 minutes by an entry in the root crontab, like the following:

# crontab -l -u root | grep dcpumon
*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1

That's it.

How to Get Linux Server Sends Email Alert on Root Login

1. Log in to the server via SSH as root.
2. Ensure that you're in root's home directory. Then open .bash_profile for editing using pico or vi by typing one of the following commands at the shell prompt:

pico .bash_profile
vi .bash_profile

3. Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" user@example.com

Replace user@example.com with the actual email address that you want the root access alert sent to. Note that you can change the text of the email alert too. The text starting with the first ALERT is written as the email body, and you can add other info such as the host name or change the wording. The second Alert is the email subject, which you can also change.

Now log out and log in again as root; you should receive an email alert in your inbox. This security trick should work on most popular flavors of Linux such as RedHat, CentOS, Ubuntu, FreeBSD, etc.
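
The one-liner above parses `who`, which lists every open session, so with several users logged in the subject and body mix in their sessions too. A variant that reports only the current login and also writes a syslog record, as an added example that is not part of the original post; login_source, alert_subject and root_login_alert are hypothetical names and the addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. login_source, alert_subject and
# root_login_alert are hypothetical names; the recipient is a placeholder.

# Source of *this* login. sshd exports SSH_CONNECTION as
# "client_ip client_port server_ip server_port"; console logins have none.
login_source() {
    if [ -n "${SSH_CONNECTION:-}" ]; then
        echo "${SSH_CONNECTION%% *}"
    else
        t=$(tty 2>/dev/null) || t=unknown
        echo "console:$t"
    fi
}

alert_subject() {
    echo "Alert: Root Access from $(login_source) on $(uname -n)"
}

# Mail the alert and also write it to syslog, so a record survives in the
# auth log even if mail delivery fails.
root_login_alert() {
    msg="ALERT - Root Shell Access on $(uname -n) at $(date) from $(login_source)"
    logger -p authpriv.notice -t root-login "$msg"
    echo "$msg" | mail -s "$(alert_subject)" "$1"
}

# In root's .bash_profile, after sourcing this file:
#   root_login_alert user@example.com

# Demo with a constructed SSH_CONNECTION value (documentation addresses).
( SSH_CONNECTION="203.0.113.7 51514 192.0.2.10 22"; alert_subject )
```

.bash_profile is only read by interactive bash login shells, so sessions that never start one produce no alert; keep sshd's own authentication log as the authoritative record.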

Disable eAccelerator for one domain

I had an issue where I had to disable eAccelerator for a single domain on my VPS.

I've seen instructions that say to put the following lines in the .htaccess file in the site's root directory,

php_flag eaccelerator.enable 0
php_flag eaccelerator.optimizer 0



but when I did that trying to access any pages on that site resulted in a 500 error.

I found that the only way to make this work is to locate the VirtualHost section for the domain in question in /etc/httpd/conf/httpd.conf. Within that VirtualHost section, there should be a section that looks similar to this:



php_admin_value open_basedir "/home/site-name/:/usr/lib/php:/usr/local/lib/php:/tmp"



Add the following lines to this section, before the ""


php_flag eaccelerator.enable 0
php_flag eaccelerator.optimizer 0


Any suggestions or questions are welcome.

FTP hangs when CSF is on

This is a well-known issue between CSF and FTP: the connection hangs when we change directory through FTP, so this is what I tried to get it fixed.

Search for the following line in /etc/pure-ftpd.conf

Port range for passive connections replies. - for firewalling.

and simply comment it.

Then restart FTP and CSF, and FTP should work fine.

Upgrade CentOS 4.8 to 5.3

Traditionally, the dist upgrade path that many were familiar with from the RH8/9->Fedora or similar Fedora dist upgrades has applied more or less to RHEL/CentOS, but with the release of 4.5 and early releases of 5.0 the actual dist upgrade path was messy or nearly impossible. The early versions of 5.0 (up to 5.2) had excessive dependency issues with versions later than 4.4 for straight dist upgrades that would often result in a box blowing up on you or forcing a messy downgrade attempt of 4.5+ to 4.4 to try to get things to dist upgrade. With more recent release updates the gap has closed and dist upgrades are now far more reasonable to complete with little in the way of problems.

If you are currently running a version of RHEL/CentOS earlier than 4.8 (cat /etc/redhat-release) then please do a proper ‘yum update’ and get yourself on 4.8. Although this is intended for CentOS it “should” (read: at own risk) work on RHEL systems as well, in the unfortunate situation that something does blow up please post a comment and I will try to assist.

The first thing we must do is make sure none of our core binaries, libraries or other content is set immutable as this will cause a package to fail on installation. If you are running an earlier version of LES or you use immutable bits on system paths (sbin/bin/share/include/libexec/etc) then you should run the following:

wget http://www.rfxn.com/downloads/disable.les.rpmpkg
sh disable.les.rpmpkg


Once that is done we should go ahead and have a quick run through of cleaning up yum cache, double check that any pending updates are installed and rebuild the rpmdb:

rpm --rebuilddb
yum clean all
yum update


If for some reason the rpm rebuild hangs for more than a few minutes then you may need to manually clear the rpmdb files:

rm -f /var/lib/rpm/__db.00*
rpm --rebuilddb


If you run into any minor dependency issues for packages that are not essential, such as syslinux and lftp then you can either exclude them or better yet remove them. If you are not sure what a package does, then you should query it for description details and make an educated choice (rpm -qi PACKAGE):

rpm -e lftp syslinux mkboot

OR (but not recommended)

yum update --exclude=syslinux --exclude=lftp --exclude=mkboot

At this point you should be able to run a ‘yum update’ command with optional exclude and receive no errors (again, I recommend you remove conflicts items instead of using exclusions).

# yum update --exclude=nagios-plugins
Setting up Update Process
Setting up repositories
Reading repository metadata in from local files
Excluding Packages in global exclude list
Finished
No Packages marked for Update/Obsoletion


Now we are ready to get going, I have put together a small package that contains the needed packages for this upgrade in addition to a few that you might require to resolve dependency conflicts:

wget http://www.rfxn.com/downloads/CentOS-5up.tar.gz
tar xvfz CentOS-5up.tar.gz
cd CentOS-5up


We need to go ahead and setup the centos-release package as follows:

rpm -Uhv centos-release-*

If you see that CentOS-Base.repo was created as /etc/yum.repos.d/CentOS-Base.repo.rpmnew then go ahead and move it into the proper place:

mv /etc/yum.repos.d/CentOS-Base.repo.rpmnew /etc/yum.repos.d/CentOS-Base.repo

Now we are ready to go with kernel changes, this is an important part so pay attention. The key to successful upgrade is that you remove ALL OLD KERNELS as many packages will fail to install during the upgrade if they detect a release 4.x kernel due to minimum kernel version dependency checks. We will start with first installing the new kernel so it preserves grub templating:

rpm -ivh kernel-2.6.18-164.el5.i686.rpm kernel-devel-2.6.18-164.el5.i686.rpm --nodeps

NOTE: release 5.x has smp support integrated into the standard kernel, so no -smp version is required for mp systems

If you are running an older system, the chances are you have a lot of older kernel packages installed, so make sure you get them all out of the way:

rpm -e $(rpm -qa | grep kernel | grep -v 2.6.18 | tr '\n' ' ')

You may end up with a few dependencies coming up such as lm_sensors and net-snmp if the list is fairly small and packages you do not recognize as critical (if unsure always query the package for info ‘rpm -qi PACKAGE’, remember you can reinstall them later):

# rpm -e $(rpm -qa | grep kernel | grep -v 2.6.18)
error: Failed dependencies:
kernel-utils is needed by (installed) lm_sensors-2.8.7-2.40.5.i386


The command that ended up being required on most of my servers to remove the kernel packages and related dependencies came out to the following:

rpm -e $(rpm -qa | grep kernel | grep -v 2.6.18 | tr '\n' ' ') lm_sensors net-snmp net-snmp-devel net-snmp-utils

That said and done you should now only have 2 kernel packages installed which are the 2.6.18 release 5.x kernels, DO NOT under any circumstance continue if you still got 2.6.9 release 4.x kernels packages still installed, remove them!

# rpm -qa | grep -i kernel
kernel-2.6.18-164.el5
kernel-devel-2.6.18-164.el5


A cleanup of /etc/grub.conf may be required, though if all went as planned then the rpm command should have done this up for us but review it anyways for good measure. You should find that 2.6.18-164.el5 is the only kernel in the file, if it is not go ahead and clean it by removing all older entries for 2.6.9 kernels.

There is a known bug with python-elementtree package versions which cause yum/rpm to think the release 4.x version is newer than the 5.x version, to get around this without blowing up the entire python installation we need to remove the package from just the rpmdb as follows:

rpm -e --justdb python-elementtree --nodeps


We can now go ahead and use yum to start the upgrade process, this is a dry run and will take a few minutes to compile list of available packages and associated dependency checks. You should carry the exclude options, if any, that you used during the ‘yum update’ process as so to avoid unresolvable dependencies:

yum clean all
yum upgrade --exclude=nagios-plugins


You will end up with a small list of dependency errors. These should be resolved by again evaluating a package's need as a critical system component and either removing it with 'rpm -e' or excluding it with '--exclude' (remember to query the description with 'rpm -qi PACKAGE' if you are unsure what something does). In my case the packages that threw up red flags were stuff I had manually installed over time such as iftop and mrtg, in addition to the default installed samba; these can all safely be removed or excluded as you prefer (removal is always safest to prevent dependency chain issues).

Error: Missing Dependency: libpcap.so.0.8.3 is needed by package iftop
Error: Missing Dependency: perl(Convert::ASN1) is needed by package samba
Error: Missing Dependency: libevent-1.1a.so.1 is needed bypackage nfs-utils
Error: Missing Dependency: perl-Socket6 is needed by package mrtg
Error: Missing Dependency: perl-IO-Socket-INET6 is needed by package mrtg


rpm -e iftop samba nfs-utils mrtg system-config-samba

At this point we should be ready to do a final dry run with yum and see where we stand on dependencies. Rerun the earlier 'yum upgrade' while making sure to carry over any exclude options you are using.

yum upgrade --exclude=nagios-plugins

You should now end up with a summary of actions that yum needs to perform, go ahead and kick it off… this will take a bit to complete so go grab some coffee/jolt/redbull and maybe a small snack cause it could be a long night if this blows up on you.

Transaction Summary
=============================================================================
Install 183 Package(s)
Update 327 Package(s)
Remove 0 Package(s)
Total download size: 299 M
Is this ok [y/N]:

Once yum has completed (hopefully without major errors) we need to fix a few things, the first is the rpmdb needs a rebuild due to version changes that will cause any rpm commands to fail:

# rpm -qa
rpmdb: Program version 4.3 doesn’t match environment version
error: db4 error(-30974) from dbenv->open: DB_VERSION_MISMATCH: Database environment version mismatch
error: cannot open Packages index using db3 – (-30974)
error: cannot open Packages database in /var/lib/rpm

This can be fixed by running the following to manually rebuild the rpmdb:

rm -f /var/lib/rpm/__db.00*
rpm --rebuilddb
yum clean all


The next issue on the list is python-elementtree and python-sqlite, one or both of these may have ended up in a broken state that will cause all yum commands to break, so we will go ahead and reinstall both of these for good measure:

rpm -e --justdb python-elementtree --nodeps
rpm -ivh python-elementtree-1.2.6-5.el5.i386.rpm
rpm -ivh python-sqlite-1.1.7-1.2.1.i386.rpm --nodeps --force


The yum command should now work, go ahead and run it with no options, if you do not get any errors you are all sorted.

Hopefully the install went well for you, the only thing left to do is go ahead and reboot the system; this is the last point at which you have to make backups (but we all maintain backups right?). For the sake of avoiding a heart attack if the system goes into an fsck, we will reboot with the -f option to skip fsck:

shutdown -rf now


That’s a wrap, I hope you found this HowTo useful, if you did run into any issues then go ahead and post them into the comments field and I will try to assist but when in doubt typically google is the fastest alternative.

Limit IP downloads in Apache, Save bandwidth by installing LimitIPConn

About LimitIPConn
This is the distribution page for the Apache module mod_limitipconn.c, which allows web server administrators to limit the number of simultaneous downloads permitted from a single IP address.

Official site: http://dominia.org/djao/limitipconn.html

Does this work with cPanel?
Answer: Yes, it does.

Installing mod_limitipconn.c

Installing this was quick and easy. Login to your server through shell as the root user.

# wget http://dominia.org/djao/limit/mod_limitipconn-0.22.tar.gz
# tar -xzvf mod_limitipconn-0.22.tar.gz
# cd mod_limitipconn-0.22
# nano Makefile

Find:
APXS = apxs
Change to:
APXS = /usr/local/apache/bin/apxs
Save.

# make
# make install

This adds the module to httpd.conf and backs up the old configuration from httpd.conf.new

# vi /usr/local/apache/conf/httpd.conf
It should have added the following:

LoadModule limitipconn_module libexec/mod_limitipconn.so
and
AddModule mod_limitipconn.c


Now we need to setup the configuration for the site you want to add the limits to. Search the domain you want and go to the configuration for it in httpd.conf

You should be at the part like this:


ServerAlias www.domain.com domain.com

Add the following configuration that you want, this restricts 2 directories I have on my site to prevent users from downloading more than 1 video at a time, I have 2 separate rules.



MaxConnPerIP 1
# In this case, all MIME types other than audio/mpeg and video*
# are exempt from the limit check
OnlyIPLimit audio/mpeg video



MaxConnPerIP 1
# In this case, all MIME types other than audio/mpeg and video*
# are exempt from the limit check
OnlyIPLimit audio/mpeg video





So my whole entry for the domain looks like this:


ServerAlias www.domain.com domain.com
ServerAdmin webmaster@domain.com
DocumentRoot /home/domain/public_html
BytesLog domlogs/domain.com-bytes_log
ServerName www.domain.com

php_admin_value open_basedir "/home/domain:/usr/lib/php:/usr/local/lib/php:/tmp"



MaxConnPerIP 1
# In this case, all MIME types other than audio/mpeg and video*
# are exempt from the limit check
OnlyIPLimit audio/mpeg video



MaxConnPerIP 1
# In this case, all MIME types other than audio/mpeg and video*
# are exempt from the limit check
OnlyIPLimit audio/mpeg video



User domain
Group domain
CustomLog domlogs/domain.com combined
ScriptAlias /cgi-bin/ /home/domain/public_html/cgi-bin/



Save httpd.conf


Test Apache Configuration
# apachectl configtest start
Make sure it comes back ok without errors

# /scripts/restartsrv_httpd

Apache will restart. Try it out. Go to your limited directory and try to download 2 things (2 depends on your IP limit you set). You should get forwarded to a 503 Temporary Service page. We can customize that as well.

Any suggestions or questions are welcome.

Install SIM (System Integrity Monitor)

Many of us use online services to monitor web server status, if it goes down, if all services are up and running fine, which send back notification by sms, email or others... Such tools help making server administrator's life easier, but what about taking an action even before that your service goes down ? To be able to take such actions you will need to be informed in-time about your services status, actual server load, ... etc. A solution is System Integrity Monitor (SIM), a system and services monitor for 'SysVinit' systems.

SIM is designed to be intuitive and modular in nature, and to provide a clean and informative status system. It does this by consistently verifying that services are online, load averages are in check, and log files are at reasonable sizes. Many other SIM modules sport different and in-depth features to bring a well rounded tool to your disposal to stop otherwise common issues daunting internet hosts.

SIM Features include:

* Service monitoring of HTTP, FTP, DNS, SSH, MYSQL & more
* Event tracking and alert system
* Auto restart ability for downed services
* Checks against network sockets & process list to ensure services are online
* Advanced HTTP service monitoring, to prevent commonly encountered issues
* System load monitor with customizable warnings & actions
* Ability to auto restart system with definable critical load level
* Priority change configurable for services, at warning or critical load level
* Informative command line status display
* Easily customizable configuration file
* Auto configuration script
* Auto cronjob setup feature
* Simple & Informative installation script
* Integrated auto-update feature

Install SIM :

$ wget http://www.rfxn.com/downloads/sim-current.tar.gz
$ tar xvfz sim-current.tar.gz
$ cd sim*
$ sudo ./setup -i

Configuration :

After installation, setup will run a configuration script which will guide through features that you would like to enable or disable. The configuration script should be located in /usr/local/sim/autoconf

Most interesting to configure is http, mysql, and server load. You can configure more monitor according to your needs such as FTP, ENSIM, SMTP ... etc.

SIM 2.5-4 Auto-Config Script

All questions default to value in brackets if no answer is given. If you
make a typo during the autoconf process, hit CTRL+C (^C) to abort and
rerun the autoconf script (/usr/local/sim/autoconf).

The below are general configuration options for SIM:
press return to continue...

Where is SIM installed ?
[/usr/local/sim]:

Where should the sim.log file be created ?
[/usr/local/sim/sim.log]:

Max size of sim.log before rotated ? (value in KB)
[128]:

What is the location of your kernel log ?
Found kernel log at /var/log/messages

Where should alerts be emailed to ? (e.g: root, user@domain)
[root]:

Disable alert emails after how many events, to avoid email flood ?
(Note: events stats are cleared daily)
[8]:

The below are configuration options for Service modules:
press return to continue...

Auto-restart services found to be offline ? (true=enable, false=disable)
[true]:

Enforce laxed service checking ? (true=enable, false=disable)
[true]:

Disable auto-restart after how many downed service events ?
(Note: events stats are cleared daily)
[10]:

Enable FTP service monitoring ? (true=enable, false=disable)
[false]:

Enable HTTP service monitoring ? (true=enable, false=disable)
[false]:true

Name of the HTTP service as appears in 'ps' ?
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
Found service name as httpd

TCP/IP port that HTTP operates on ?
Found service port as 80

Path to HTTP service init script ?
Found service init script at /etc/init.d/httpd

Enable DNS service monitoring ? (true=enable, false=disable)
[false]:

Enable SSH service monitoring ? (true=enable, false=disable)
[false]:

Enable MYSQL service monitoring ? (true=enable, false=disable)
[false]:true

Name of the MYSQL service as appears in 'ps' ?
[mysqld]:

TCP/IP port that MYSQL operates on ?
[3306]:

Path to MYSQL service init script ?
Found service init script at /etc/init.d/mysql

Enable SMTP service monitoring ? (true=enable, false=disable)
[false]:

Enable XINET service monitoring ? (true=enable, false=disable)
[false]:

Enable ENSIM service monitoring ? (true=enable, false=disable)
[false]:

Enable NETWORK monitoring ? (true=enable, false=disable)
[false]:true

interface to monitor ?
[eth0]:

Path to NETWORK init script ?
[/etc/init.d/network]:

Enable LOAD monitor ? (true=enable, false=disable)
[false]:true

Load level before status condition 'warning' ?
[25]:

Load level before status condition 'critical' ?
[45]:

Enable a global (wall) message at status condition 'warning' & 'critical' ?
[false]:

Renice services at status condition 'warning' or 'critical' ?
(3 values - warn, crit, false - false=disabled)
[false]:

Stop nonessential services at status condition 'warning' or 'critical' ?
(3 values - warn, crit, false - false=disabled)
[false]:

Reboot system on status condition 'warning' or 'critical' ?
(3 values - warn, crit, false - false=disabled)
[false]:

Configuration completed, saving conf.sim...
Done, conf.sim saved to /usr/local/sim.

And you are done! You can now look at /usr/local/sim/sim.log to see how your services are behaving.

Suggestions and questions are welcome.

How to Clear Your /tmp Folder Automatically?

Is your /tmp directory simply getting overrun with SESS files? If so, try this:

Make a file in /scripts called cleantmp and put the following in it:

************
#!/bin/bash
# This script cleans out /tmp of empty, root, cpanel
# and nobody session files in /tmp
# rev 2.0b by Darren - 8.19.07

# if --test is passed, we just show the results
if [ "$1" == "--test" ]
then
    CMD="-exec ls -la"
    echo "$0: test mode"
else
    # plain rm -f is enough: every find below is limited to regular files
    # (-type f), so a directory named sess* is never removed recursively
    CMD="-exec rm -f"
fi

if [ "$1" == "--help" ]
then
    echo ""
    echo "cleantmp will clean out your tmp directory for you"
    echo ""
    echo "Parameters:"
    echo "--test to run in test mode"
    echo "--help display this file"
    echo "-a accountname to remove all files owned by account name"
    echo "-e cleans out all empty (zero length) files"
    echo ""
    exit 0
fi

# Note: $CMD is left unquoted on purpose so that it splits into separate
# find arguments; -maxdepth goes before the tests, as GNU find expects.

if [ "$1" == "-a" ]
then
    # an empty account name would make find fail, so refuse to run without one
    if [ -z "$2" ]
    then
        echo "$0: -a requires an account name"
        exit 1
    fi
    echo ""
    echo "Removing session file for account $2"
    find /tmp -maxdepth 1 -type f -name "sess*" -user "$2" $CMD {} \;
    echo "completed"
    echo ""
    exit 0
fi

if [ "$1" == "-e" ]
then
    echo ""
    echo "Cleaning out empty files from /tmp"
    find /tmp -maxdepth 1 -type f -name "sess*" -empty $CMD {} \;
    echo "completed"
    echo ""
    exit 0
fi


# remove empty session files that are over 2 hours old
find /tmp -maxdepth 1 -type f -name "sess*" -empty -mmin +120 $CMD {} \;

# remove root owned session files
find /tmp -maxdepth 1 -type f -name "sess*" -user root $CMD {} \;

# remove nobody session files
find /tmp -maxdepth 1 -type f -name "*sess*" -user nobody $CMD {} \;

# remove cpanel owned session files
find /tmp -maxdepth 1 -type f -name "sess*" -user cpanel $CMD {} \;

# remove any session file over 5 hours old
find /tmp -maxdepth 1 -type f -name "sess*" -mmin +300 $CMD {} \;

# remove any spamassassin file over 4 hours old
find /tmp -maxdepth 1 -type f -name ".spamassassin*" -mmin +240 $CMD {} \;
************

Now save, and chmod it so it can be run (use your discretion for perm level):
chmod 755 /scripts/cleantmp

Run it as /scripts/cleantmp --test to view which files will be removed or /scripts/cleantmp -a accountname to remove all files owned by account name. And running it with "-e" will remove all empty session files.

What we do on most boxes is have it run in cron.hourly so that it purges session files. It cleans empties that are over 2 hours old, and normal ones that are over 5 hours old. Keep in mind, this may break software that uses "Keep Me Logged In Indefinitely" option for users. But the script could be easily modified to skip some session files if needed.

So, go to /etc/cron.hourly and create a file called cleantmp. Put this into it:

****************
#!/bin/bash

/scripts/cleantmp -e >/dev/null 2>&1
/scripts/cleantmp >/dev/null 2>&1
****************

Save it, then set its permissions the same way as above. Now, every hour, the script will clean out empty and older SESS files and keep your sites up. Modify this and the other script as needed.

Hope this helps! Suggestions, questions are welcome.
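The post mentions that the script could be modified to skip some session files. One way to do that, as an added example that is not part of the original script: a clean_sessions function (hypothetical name) that takes a keep pattern and is exercised on a constructed sandbox directory instead of /tmp. It assumes GNU find and touch; the file names and the sess_keep_* pattern are made up for the demonstration.

```shell
#!/bin/bash
# Added example, not part of the original cleantmp script.

# clean_sessions DIR MINUTES [KEEP_GLOB]
#   Removes regular files named sess* directly under DIR whose mtime is more
#   than MINUTES minutes old, skipping names that match KEEP_GLOB.
#   Prints the path of every file it removes.
clean_sessions() {
    dir=$1
    minutes=$2
    keep=${3:-}
    # Build the find expression in "$@" so no pattern is ever word-split.
    # -maxdepth comes first (GNU find global option); -type f leaves out
    # directories and symlinks that merely carry a sess* name.
    set -- "$dir" -maxdepth 1 -type f -name 'sess*'
    if [ -n "$keep" ]; then
        set -- "$@" ! -name "$keep"
    fi
    find "$@" -mmin +"$minutes" -print -exec rm -f -- {} \;
}

# demo [KEEP_GLOB]
#   Builds a constructed sandbox that stands in for /tmp, runs the 5-hour
#   cleanup on it and echoes the names that are left afterwards.
demo() {
    box=$(mktemp -d) || return 1
    # constructed sample entries: two stale files, one fresh file and a
    # stale directory whose name also starts with sess
    touch -d '6 hours ago' "$box/sess_old" "$box/sess_keep_login"
    touch "$box/sess_new"
    mkdir "$box/sess_dir" && touch "$box/sess_dir/data"
    touch -d '6 hours ago' "$box/sess_dir"
    clean_sessions "$box" 300 "${1:-}" >/dev/null
    left=$(ls "$box" | sort | paste -sd' ' -)
    rm -rf "$box"
    echo "$left"
}

demo 'sess_keep_*'   # → sess_dir sess_keep_login sess_new
```

Without a keep pattern the stale sess_keep_login file is removed as well, while the directory still survives because only regular files are matched.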

Upload (mput) and Download (mget) Multiple Files Automatically in FTP Transfer

To avoid being prompted for every file, so that the FTP session can run unattended, use the prompt command before using the mput or mget commands. The prompt command toggles between prompting on, where ftp will prompt you to choose yes or no before each file is transferred, and prompting off, which will copy all files without prompting. By default, prompting is on. So to FTP transfer all files without being asked, remember to issue the prompt command before starting the transfer process. Because it will not prompt before putting or getting the files, make sure that your existing files do not have the same file name, as FTP will also overwrite the existing files in the destination directory automatically. The command is simple, just a single word “prompt”:

ftp> prompt

Interactive mode off.

The FTP command-line utility should return "Interactive mode off."

Thanks.