Linux Servers cPanel webhosting blog » Linux Administrator Interview Questions

How to disable root login and enable key authentication on Dedicated server?

Gunjan — Sun, 11 Jul 2010 23:00:12 +0000

How to disable root login and enable key authentication on Dedicated server?

Refer following steps to disable direct root login.

1. SSH into your server as root user.

2. Open file sshd_config in your favorite editor

pico /etc/ssh/sshd_config

3. Find the line

Protocol 2, 1

4. Uncomment line and change it to look like

Protocol 2

5. Now find the line
PermitRootLogin yes

6. And Uncomment libe and make it look like as
PermitRootLogin no

7. Save the file sshd_config file,

8. Restart SSH service
/etc/rc.d/init.d/sshd restart

Once root login disabled on server generate authentication key by using following steps.

1. Add user for example we will add user support

useradd support

2.Assigne user support in wheel group.

usermod -G wheel support

3. Set correct permission for sudoers files.

chmod 644 /etc/sudoers

4. Now open sudoers file and set followings line in sudoers file.

pico /etc/sudoers

# User privilege specification
root ALL=(ALL) ALL

# Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL

5. Make sure that sudo file binery file is secure.

chmod 4111 /usr/bin/sudo

If you are not sure about sudo binery path then run commamd to confirm the path.

which sudo

6.Now create .ssh directory in support users home directory.

cd /home/support

mkdir .ssh

7. Now generate the key by using PuTTYgen software and save the key on your local machine as support.ppk file.

8. Create authorized_keys file in .ssh directory and copy content from file support.ppk to authorized_keys file.

9. Confirm permission and ownership for files.

cd /home

ll | grep support

The ownership shuold be

drwx—— 7 support support 4096 Jul 10 03:44 support

cd /home/support

ll | grep .ssh

drwxr-xr-x 2 root root 4096 Jul 12 3:34 .ssh/

ll .ssh

The ownership shoud be

drwxr-xr-x 2 root root 4096 Jul 12 03:22 ./
drwx—— 7 support support 4096 Jul 12 03:44 ../
-rw-r–r– 1 root root 224 Jul 12 03:40 authorized_keys

Note : Do not close current Shell until you are able to access server with the support.ppk key.

New subdomain missing cgi-bin directory.

Gunjan — Sun, 11 Jul 2010 02:32:23 +0000

While creating new subdomain from cPanel we are missing cgi-bin directory. At that time refer following steps.

Login in to WHM and check the domains hosting account package allow “CGI Privilege” or not. If not then enable “CGI Privilege” by editing packages.

WHM >> Account Functions >> Modify An Account and select the user from list and check box following option.

CGI Privilege

And save the package. Now you will able to creaet subdomain with the cgi-bin directory.

Note : As well as plesae set “Y” in WHM >> Main >> Server Configuration >> Basic cPanel/WHM Setup >>CGI Script Alias section.

——————

CGI Script Alias * Automatically create a cgi-bin script alias. This setting can be individually overridden during account creation.

y – Yes
n – No

——————

“unauthenticated user” problem in mysql logs?

Gunjan — Wed, 30 Jun 2010 19:54:11 +0000

While running following command.

mysqladmin -i3 pr

We are getting result.

056 | unauthenticated user | localhost | | Connect | | Reading from net |

To avoid such problem add following lines in /etc/my.cnf file to avoid access for unauthenticated user.

root@server [~]# pico /etc/my.cnf

skip-networking
skip-name-resolve
skip-host-cache
skip-locking

Now restart the mysql service and check mysql process logs again.

Secure server from WHM?

Gunjan — Thu, 03 Jun 2010 10:16:02 +0000

We can secure Server from WHM by making following changes from WHM.

Tweak Settings :
Number (or all) of accounts to display per page in list accounts == 30
Disable : Allow users to park subdomains of the server’s hostname main domain
Disable : Allow users to Park/Addon Domains on top of domains owned by other users.
Disable : Allow users to Park/Addon Domains on top of domains owned by other users.
Disable : Allow resellers to create accounts with subdomains of the server’s hostname main domain
Disable : Allow Creation of Parked/Addon Domains that are not registered
Disable : When adding a new domain, automatically create A entries for the registered nameservers if they would be contained in the zone
Enable : Prevent users from parking/adding on common internet domain

Enable : Silently Discard all FormMail-clone requests with a bcc: header in the subject line
Set Default Mail to FAIL.
Disable : Track the origin of messages sent though the mail server by adding the X-Source headers.
The maximum each domain can send out per hour = 300

Prevent the user “nobody” from sending out mail to remote addresses : Disable should enabled on server with phpsuexec.
Disable : BoxTrapper Spam Trap
Disable : Add the mail. prefix for mailman urls

Disable : Send passwords in plaintext over email when creating a new acccount

Disable : Awstats Reverse Dns Resolution
Disable : Analog
Disable : Allow users to update Awstats from cPanel
Number of days between processing log files and bandwidth usage = 1
Enable : Delete each domain’s access logs after stats run
The load average above the number of cpus at which logs file processing should be suspended = 10
Enable : Keep Stats Log between cPanel restarts

Disable : Allow Perl updates from RPM based linux vendors
Enable : Use jailshell as the default shell for all new accounts and modified accounts
Disable : Allow cPanel users to reset their password via email
Enable : Spamassasssin

Tweak Security :
Enable PHP open_basedir Protection.
Enable mod_userdir Protection.
Enable SMTP Tweak
Disable Compilers for unprivileged users.

Basic of SuExec server?

Gunjan — Wed, 12 May 2010 10:05:46 +0000

What is SuExec?

Apache SuExec is a feature of the Apache Web server. It allows users to run CGI and SSI applications as a different user. Normally, all web server processes run as the default web server user (often apache or nobody)

Presently, suExec does not allow ‘root’ user as well as ‘root’ group to execute CGI/SSI programs because SuExec is basically developed to run CGI and SSI based programs under the specific user ids other then common user name like nobody.

When PHP runs as an Apache module, PHP files work under the Apache user/group known as “nobody”. When a PHP script creates or uploads a new file under your account, the new file will be owned by the user “nobody”. If you FTP or cPanel into your account, all files owned by “nobody” will not be available for you to move, rename or delete. In this case the only way to remove the “nobody” owned files would be through a file on the shell by using root user.

When PHP runs as a CGI with Suexec, PHP files work under your user/group. PHP files no longer require loose permissions to function; now they will require strict permissions. Setting your directories or PHP files to 777 will cause them to produce a “500 Internal Server Error”, this happens to protect your PHP files from being abused by outside sources.

How to check SuExec configured value?

You can run suexec -V on server by using root login details. It will give you following result.

-D AP_DOC_ROOT=”/var/www”
-D AP_GID_MIN=100
-D AP_HTTPD_USER=”apache”
-D AP_LOG_EXEC=”/var/log/httpd/suexec.log”
-D AP_SAFE_PATH=”/usr/local/bin:/usr/bin:/bin”
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX=”public_html”

By default following values are used while configuring SuExec.

–enable-suexec
This option enables the suEXEC feature which is never installed or activated by default. At least one –suexec-xxxxx option has to be provided together with the –enable-suexec option to let APACI accept your request for using the suEXEC feature.

–with-suexec-docroot=DIR
Define as the DocumentRoot set for Apache. This will be the only directory aside from UserDirs that can be used for SuExec behavior. The default directory is the –datadir value with the suffix “/htdocs”, e.g. if you configure with “–datadir=/var/www” the directory “/var/www/” is used as document root for the SuExec wrapper.

–with-suexec-caller=UID
The username under which Apache normally runs. This is the only user allowed to execute this program.

SuExec-gidmin value?

–with-suexec-gidmin=GID

Define this as the lowest GID allowed to be a target group for SuExec. For most servers 100 are common and therefore used as default value. The numerical equivalent of the primary group name which is referenced by the system and applications when determining access privileges. When ever new user accounts are added, the new user accounts are assigned the first available UID and GID starting at 100. The next new user account is assigned UID/GID 101, followed by UID/GID 102, and so on. Because UIDs and GIDs below 100 are reserved for system uses Unlike UID/GID zero (0), UIDs and GIDs below 100 are not treated specially by Server. However, these UIDs/GIDs are never to be assigned to a user, as it is likely that some system component either currently uses or will use these UIDs/GIDs at some point in the future.

SuExec-userdir and SuExec-bin?

–with-suexec-userdir=DIR

Define to be the subdirectory under users’ home directories where SuExec access should be allowed. All executables under this directory will be executable by SuExec as the user so they should be “safe” programs. If you are using a “simple” UserDir directive this should be set to the same value. SuExec will not work properly in cases where the UserDir directive points to a location that is not the same as the user’s home directory as referenced in the passwd file. Default value is “public_html”. If you have virtual hosts with a different UserDir for each, you will need to define them to all reside in one parent directory; then name that parent directory here. If this is not defined properly, “~userdir” cgi requests will not work!

Advantages of SuExec?

This allows processes to run as your own user, rather than the global web server user like nobody.
The advantages are that any files created by your script are owned by your own user, and not a different (web server) user, allowing you to control, remove, add, and edit them via FTP, the control panel, File Manager, web page editor, SSH/shell,
If any abuses, spam, attacks, illicit processes, etc. are easier and more immediately tracked and controlled by using SuExec log files.

Disadvantage of SuExec server?

Security risks involved with allowing users to develop and run private CGI or SSI programs. However, if SuExec is improperly configured, it can cause any number of problems and possibly create new holes in your server’s security
Presently, suExec does not allow root or root group to execute CGI/SSI programs

How to upgrade kernel version?

Gunjan — Tue, 11 May 2010 11:24:08 +0000

First you need to download the latest stable kernel.
You can check it at http://kernel.org/.
Download it :
root@server [~]# cd /usr/local/src/

root@server [~]# wget http://www.kernel.org/pub/linux/kernel/v2.6/
Select latest Kernel and download it

root@server [~]# tar –zxvf linux-2.6.28.tar.gz
root@server [~]#cd linux-2.6.28
root@server [~]# make clean
root@server [~]# make mrproper
root@server [~]# uname -r
root@server [~] # cp /boot/config-’uname -r’ .config
root@server [~] # make oldconfig
root@server [~] # make menuconfig
root@server [~] # make
root@server [~] # make modules_install
root@server [~] # make install
root@server [~] # grubby –bootloader-probe
root@server [~] # pico /etc/grub.conf

Change the default as per the entry for your new kernel.
root@server [~]# reboot

Some time after reboot server it won’t up and running with the new kennel due to that before rebooting server, make following

changes.

root@server [~]#grub

Above command will give you grub prompt.

grub > savedefault –default=0 –once

grub>quit

root@server [~]#reboot

If server is up and running after reboot you can set new kernel as default server in grub.conf file.

root@server [~]#pico /boot/grub/grub.conf

Set

default=1

default=0

Disable php for single hosting account.

Gunjan — Wed, 05 May 2010 12:46:31 +0000

We can disable the php for single hosting account by using following code in .htaccess file.

php_value engine off

How to set E-mail size in exim?

Gunjan — Tue, 09 Mar 2010 11:26:42 +0000

You can set the E-mail size limit from your WHM.

First login into WHM
Second select “Exim Configuration Editor” present unde ” Service Configuration” section.
Third scroll down and click on “Advanced Editor” optoin.

You will see the empty box (remember select first empty box) where you can type (right underneath where you see #!!# cPanel Exim 4 Config), enter in the following:

message_size_limit = 100M

Fourth scroll down to the bottom of that screen and click “Save” option.

Exim configuration will be rebuilt with the new option and your Exim will be restarted.

How to check mysql servers set values?

Gunjan — Sun, 21 Feb 2010 01:59:34 +0000

Most of the time we need to check the mysql value set on server and most of the techs checks /etc/my.cnf file.If you want to check all values set in mysql on server. We can use following simple command.

mysqld –no-defaults –verbose –help

Set cron with password?

Gunjan — Sun, 21 Feb 2010 01:43:14 +0000

Most of the scripts cron run from admin section and we are settings cron without admin section login details due to that cron never be run.We can set the cron with the admin section login details.Mostly we prefer curl to set the authentication cron because most of the servers blocking wget/lynx command.Simply we can set the cron with the following syntax.

/usr/bin/curl http://support:1q2w3e@www.yourdomain.com/test_script/cron.php

If you don’t want to receive cron result in E-mail then refer following sytax

/usr/bin/curl http://support:1q2w3e@www.yourdomain.com/test_script/cron.php > /dev/null 2>&1