Create a script as allvmshutdown.sh with 755 permissions and add the list of VMs as in the example script:

#!/bin/bash
xe vm-shutdown vm=VM1
xe vm-shutdown vm=VM2
xe vm-shutdown vm=VM3
xe vm-shutdown vm=VM4
xe vm-shutdown vm=VM5
xe vm-shutdown vm=VM6
xe vm-shutdown vm=VM7
xe vm-shutdown vm=VM8
xe vm-shutdown vm=VM9
xe vm-shutdown vm=VM10

To get a list of VMs on the server, run the command #xe vm-list from the command line, which will list the VMs hosted on your Xen host.

Now you just need to add a cron entry to schedule this job. For example, to run script at 02:00 am on Sunday:

crontab -e
*   02 *    *    0           /scripts/allvmshutdown.sh

Note: Do ensure that the script is commented or removed from the crontab, after the maintenance has been completed to prevent this script from recurring.

Configuration for PLesk

verbose=true

Key.Directory=/var/www/key

OS.Type=UNIX

traceLog=/var/log/tomcat5/icici.log

;; -*- mode: Scheme; tab-width:4 -*-

;; A simple php.ini

;; extension_dir is this “cgi” directory

extension_dir=.

;; include php libraries from these directories

include_path=.:/usr/share/pear

java.classpath = /usr/share/tomcat5/webapps/JavaBridge/WEB-INF/lib/cryptix32.jar;/usr/share/tomcat5/webapps/JavaBridge/WEB-INF/lib/jcert.jar;/usr/share/tomcat5/webapps/JavaBridge/WEB-INF/lib/jnet.jar;/usr/share/tomcat5/webapps/JavaBridge/WEB-INF/lib/jsse.jar;/usr/share/tomcat5/webapps/JavaBridge/WEB-INF/lib/servlet.jar;/usr/share/tomcat5/webapps/JavaBridge/WEB-INF/lib/sfa.jar;

include_path=.:/usr/share/pear

CLASSPATH=$CLASSPATH:/usr/share/tomcat5/webapps/JavaBridge/WEB-INF/lib/cryptix32.jar;

CLASSPATH=$CLASSPATH:/usr/share/tomcat5/webapps/JavaBridge/WEB-INF/lib/jnet.jar;

CLASSPATH=$CLASSPATH:/usr/share/tomcat5/webapps/JavaBridge/WEB-INF/lib/servlet.jar;

CLASSPATH=$CLASSPATH:/usr/share/tomcat5/webapps/JavaBridge/WEB-INF/lib/sfa.jar;

CLASSPATH=$CLASSPATH:/usr/share/tomcat5/webapps/JavaBridge/WEB-INF/lib/jcert.jar;

CLASSPATH=$CLASSPATH:/usr/share/tomcat5/webapps/JavaBridge/WEB-INF/lib/jsse.jar;

export include_path

export CLASSPATH

# keytool -import -alias pgIntermediateCA -file ./intermediate.cer -keystore /usr/java/jdk1.6.0_12/jre/lib/security/cacerts -storepass changeit

This might give an error like keytool error: gnu.javax.crypto.keyring.MalformedKeyringException: incorrect magic which can be ignored.

$oMerchant->setMerchantDetails(“0000XXXX”,”0000XXXX”,”0000XXXX”,”193.545.34.33″,rand().”",”Ord123″,”http://10.10.10.147:8756/SFAResponse.php”,”POST”,”INR”,”INV123″,”req.Preauthorization”,”100″,”",”Ext1″,”true”,”Ext3″,”Ext4″,”Ext5″);

Also in SFAResponse.php and “./Sfa/PostLibPHP.php” file on line 2 would also change from

‘ require_once(“java/Java.php”);’ to ‘ require_once(“java/Java.inc”);’

http://www.configserver.com

I have listed the installation steps for CSF / LFD.Login to your server with ‘root’ user and issue below commands :

Change directory to either /root or /usr/local/src , which ever you normally use for such installations

# cd /usr/local/src

[Remove any old source that might be present]

Download and untar the source for installation

# wget http://www.configserver.com/free/csf.tgz
# tar -xzf csf.tgz

Run installation script

# cd csf
# sh install.sh

Once the installation complete, you can run the below scripts provided by vendor to check if your server/vps has required iptables modules available :

# perl /etc/csf/csftest.pl

CSF provides the script to remove the other popular combination I talked about above i.e. apf/bfd, The below script will remove apf/bfd from your server/vps.

# sh /etc/csf/remove_apf_bfd.sh

Common setting for incoming/outgoing TCP/IP and UDP connection.

ETH_DEVICE = “eth1″

ETH_DEVICE_SKIP = “eth0″

# Allow incoming TCP ports
TCP_IN = “20,21,25,53,80,106,110,111,143,443,465,587,865,873,993,995,8443,8880″

# Allow outgoing TCP ports
TCP_OUT = “20,21,22,25,80,110,443,43,873,8443″

# Allow incoming UDP ports
UDP_IN = “53,111,123,230,631,859,862,2109,5353″

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = “20,21,53,113,123,2109″

# Allow incoming PING
ICMP_IN = “1″

# Set the per IP address incoming ICMP packet rate
# To disable rate limiting set to “0″
ICMP_IN_RATE = “0″

# Allow outgoing PING
ICMP_OUT = “1″

# Set the per IP address outgoing ICMP packet rate
# To disable rate limiting set to “0″
ICMP_OUT_RATE = “0″

# Enable login failure detection daemon (lfd).
LF_DAEMON = “1″

For allowing Qmail in CSF alter below setting(s)

SMTP_BLOCK = “1″
SMTP_ALLOWLOCAL = “1″
SMTP_PORTS = “25,587″
SMTP_ALLOWUSER = “qmaild,qmaill,qmailp,qmailq,qmailr,qmails”
SMTP_ALLOWGROUP = “qmail,nofiles,mail,mailman”

Set CSF/LFD reporting FROM/TO ID as below [**** Need to set for Plesk]

LF_ALERT_TO = “supportteam@diadem.co.in”
LF_ALERT_FROM = “csf_LFD@diadem.co.in”

Allowing third party block list checking

# Enable IP range blocking using the DShield Block List at
LF_DSHIELD = “86400″

# Enable IP range blocking using the Spamhaus DROP List at
LF_SPAMHAUS = “86400″

# Enable IP range blocking using the BOGON List at
LF_BOGON = “86400″

Now Add the LFD ignore list for qmail/plesk mail user/process in csf.pignore file.

# vim /etc/csf/csf.pignore

#### Custom for Plesk ####
user:admin
exe:/var/qmail/bin/qmail-smtpd
exe:/usr/bin/imapd
exe:/var/qmail/bin/qmail-queue
exe:/usr/bin/pop3d
exe:/var/qmail/bin/qmail-send
cmd:qmail-send
cmd:/usr/bin/pop3d Maildir
cmd:/var/qmail/bin/qmail-queue
cmd:/var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
cmd:/usr/bin/imapd Maildir
exe:/var/qmail/bin/qmail-rspawn
cmd:qmail-rspawn
exe:/var/qmail/bin/qmail-clean
cmd:qmail-clean
exe:/usr/sbin/clamd
cmd:clamd
exe:/var/qmail/bin/splogger
cmd:splogger qmail
exe:/var/qmail/bin/qmail-remote.moved
user:qmaill
user:popuser
user:qmaild
user:qmails
user:qmailr
user:qmailq
user:qscand
exe:/usr/sbin/avahi-daemon
user:avahi
exe:/usr/local/sbin/zabbix_agentd
cmd:/usr/local/sbin/zabbix_agentd
user:zabbix
exe:/usr/bin/sw-engine-cgi
cmd:/usr/bin/sw-engine-cgi
user:sso
exe:/usr/sbin/sw-cp-serverd
cmd:/usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config
user:sw-cp-server
exe:/usr/bin/sw-engine-cgi
cmd:/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm
user:psaadm
exe:/usr/libexec/mysqld
cmd:/usr/libexec/mysqld –basedir=/usr –datadir=/var/lib/mysql –user=mysql –pid-file=/var/run/mysqld/mysqld.pid –skip-external-locking –socket=/var/lib/mysql/mysql.sock
user:mysql
exe:/usr/libexec/hald-addon-acpi
exe:/usr/sbin/hald
cmd:hald
user:haldaemon
exe:/usr/bin/postgres
user:postgres
exe:/sbin/portmap
cmd:portmap
user:rpc
exe:/usr/bin/xfs
cmd:xfs -droppriv -daemon
user:xfs
exe:/usr/bin/python
cmd:/usr/bin/python /usr/lib/mailman/bin/qrunner –runner=VirginRunner:0:1 -s
user:mailman
exe:/usr/java/jdk1.6.0_20/bin/java
user:tomcat

Note: You may need to add few more process/user as per your requirement.

Now start the CSF

# csf -s

Restart LFD

# service lfd restart

Installation is done, now check the website, mail  and other services(s) and disable TESTING mode and restart CSF/LFD

# csf -r
# service lfd restart

I will list below some of very common commands you will need to use/manage csf firewall :

Enabling the firewall

# csf –enable OR
# csf -e

Disabling the firewall

# csf –disable
# csf -x

Starting firewall / applying rules

# csf –start
# csf -s

Stopping firewall / flushing rules

# csf –stop
# csf -f

Adding an IP in firewall

# csf -d 2.3.4.5 “Reason for blocking the IP”
# csf –deny 2.3.4.5 “Reason for blocking the IP”
where 2.3.4.5 is the IP you want to block.

Removing IP from deny list

# csf -dr 2.3.4.5

Zimbra Collaboration Server (www.zimbra.com) is a fully featured open source messaging and collaboration application that supports email messaging,  group calendars, blackberry sync and other features using an advanced Ajax web interface that enables tool tips, drag-and-drop items, advanced searching capabilities and right-click menus in the UI. The software consists of both client and server components. Two versions of Zimbra are available: an open-source version, and a commercially supported version (“Zimbra Network”) with closed-source components such as a proprietary connector to Outlook for calendar synchronization. Zimbra has been bought over from Yahoo by Vmware and they have recently released ver 7 of the Zimbra Open source and Network editions on their website.

The Zimbra Server uses several open source projects e.g. Postfix, MySQL, OpenLDAP, Apache Tomcat (replaced by Jetty since 5.0), ClamAV, SpamAssassin, AMaViS and Amavisd-new, DSPAM, Aspell, etc. It exposes an Application programming interface (API) to all its functionality and also is an IMAP and POP3 server. The server runs on many distributions of Linux as well as on Mac OS X.

Zimbra can synchronize mail, contacts, and calendar items with open-source mail clients such as Novell Evolution and also with proprietary clients such as Microsoft Outlook and Apple Mail, but only through proprietary connectors available exclusively in the commercially supported version (“Zimbra Network Edition”). Zimbra also provides native two-way sync to many mobile devices (Nokia Eseries, BlackBerry, Windows Mobile, iPhone with 2.0 software).

Zimbra can be an ideal mail server for your organization if you are having more than 50 users and if your users require the advanced collobaration features which a groupware can offer (calendaring, shared folders, appointment tracking, web based UI, etc.). As it has full POP3 and IMAP support alongwith a robust spam filter (it segregates the suspected spam mails in a junk folder so that users can review the mails and mark the false positive mails as ‘not junk’), its very useful at organisations who want to stomp out spam mail but need the option to verify the mails which have been tagged as spam (akin to most web based email services). We have successfully implemented Zimbra for several of our clients in a virtualised environemnt and  it works well with just 2 GB RAM and Multicore processor for upto 100 users.

We have also recently migrated one of our client’s 12 GB mail box to the Zimbra Server with a single script as given below.

To migrate the mails, first you need to create all your mailboxes in zimbra server.

And after that move all your messages from Plesk Server to Zimbra server in a same folder structure.

To backup from Plesk server follow the steps.

# cd /var/qmail/mailnames/
# tar -zcvf /your/path/domain.tgz domain.com

Now move the backup file (domain.tgz) to Zimbra server with SCP or Samba share (or any other method) which ever is available. Go to the path where you have copied the backup file and extract the backup file.

# cd /your/path
# tar -zxvf domain.tgz

It will look like something as below when you list the extracted folder.

domain.com/user1
domain.com/user2

Now copy the below script in domain folder as ‘mailexport.sh’ and grant execution permission and run the script. It will add all your mails from Inbox and other custom folder to Zimbra server mailbox.

#!/bin/bash
#
# Maildir to Zimbra import
# Drop in your user root and run as superuser.
#

domain=”domain.com” # change to your domain!

for user in `ls -d1 */|sed s/\\\///`
do
echo
echo “User $user”
echo
#
#
find $user -maxdepth 10 -type d -name cur | while read line;
do
folder=`echo ${line}|cut -f3 -d”/”|sed s/\\\.//`
line2=`echo ${line/%cur/new}`
echo “FOLDER $folder”
if [ "$folder" = "cur" ]
then
/opt/zimbra/bin/zmmailbox -z -m $user@$domain addMessage Inbox $PWD/$user/Maildir/cur
/opt/zimbra/bin/zmmailbox -z -m $user@$domain addMessage Inbox $PWD/$user/Maildir/new
else
if [ "$folder" != "Sent" ] && [ "$folder" != "Drafts" ] && [ "$folder" != "Junk" ] && [ "$folder" != "Trash" ]
then
/opt/zimbra/bin/zmmailbox -z -m $user@$domain createFolder “/$folder”
fi
/opt/zimbra/bin/zmmailbox -z -m $user@$domain addMessage “/$folder” “${PWD}/${line}”
/opt/zimbra/bin/zmmailbox -z -m $user@$domain addMessage “/$folder” “${PWD}/${line2}”
fi
done

done

All done now you can get your old mails within the Zimbra server. If you are looking at an alternative messaging alternative to either Google Apps, MS Exchange or simply need a more robust messaging solution, the Zimbra collaboration suite (open source or network editions) could be a suitable solution to meet your needs.

At Diadem Technologies we take extreme precaution and safeguard of our mailing services to ensure continuous and reliable availability of our mailing services to our clients. We have all our servers located in the world’s leading datacenter which has a very secure environment with various levels of physical and hardware based protection to keep your data safe from different attacks and vulnerabilities. The servers have multi core Xeon processers and have RAID10 array of HDDs for complete data redundancy so that a hard disk crash would not affect the server operations and would not result in any loss of data on the server.

The servers are restricted to be accessed via the Public network so that no unauthorized access to the servers can be made. We use a secure encrypted VPN (virtual private network) connection that connects to the private backend network and hence the servers are only accessible to the legitimate admin users at our end.

For network level protection we have in place perimeter hardware firewalls by CISCO systems to block external threats along with CISCO GUARD DDOS (Distributed Denial of service) and CISCO Tipping point IPS (Intrusion prevention system). CISCO GUARD DDOS protects from requests that make a computer resource unavailable to its intended users and brings down the server to halt. CISCO Tipping point IPS is an advanced Intrusion prevention system that is used extensively in critical networks to monitor network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. Network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass.

After passing through the various levels of security mentioned above we have more additional security features on the physical server for protecting the server /server applications and the inbound and outbound mails.

• At the server we have robust software based firewalls that have been customized to add another level of security in the server.
• We have SMTP connection tracking system to check all the connections that are being made to the server for sending or receiving mails. At this level various parameters of a mail are checked like if the IP of the sender is blacklisted in any third party Anti SPAM website, if the sender has a valid mail server, if the reverse DNS of the sender email server is valid.
• We have enabled greylisting on the server to cut down on SPAM mails before they can enter the server. We have advanced content filtering along with anti spam software, antivirus, malware and anti root kit signatures that are updated regularly to block emerging threats immediately.
• Once the mail is scanned with the above filters, we implement a new and unique technique to authorize defined servers only to server your emails through the use of SPF records. Any other servers would not be able to send or receive any mail on behalf of your domain. This will cut down spoofing of your emails.
• At the last stage we have SMTP authentication enabled that allows mails to be relayed through our servers only for those who are intended to send mails hence reducing the unwanted relaying of mails.

The above illustration highlights our commitment to ensure that we provide our clients with the best of breed technologies to ensure spam free, virus free, efficient and continuous availability of our mailing services for their operations.

If you are interested in knowing more about our web hosting services and plan details, you can look us up at www.diadem.co.in.

]]> http://www.diademblogs.com/linux/email-and-server-security-features-with-diadem-servers/feed 0 http://www.diademblogs.com/linux/some-useful-linux-shell-commands http://www.diademblogs.com/linux/some-useful-linux-shell-commands#comments Mon, 13 Sep 2010 06:01:49 +0000 ankur http://www.diademblogs.com/?p=974 Below are some useful commands in Linux (applicable for RedHat Enterprise Linux, Fedora and CentOS) for regular server admin activities.

• To find a word string in the files under a folder(s).

# find . | xargs grep ‘your-string’ -sl

• To get the disk usages for the individual sub-directory run:

# ls -d /your/path/* | xargs du -sH

• Replace a word string with another word string in all files in a folder.

Using ‘sed’ command:
# sed -i ‘s/ string1/ string2/g’ *.html

Using ‘find’ command:
# find ./ -type f -exec sed -i ’s/string1/string2/’ {} \;

• When you deleting huge number of files in a folder, you might receive an error like “/bin/rm: Argument list too long”, do this instead “rm -rf” command:

# find . -name ‘*.ext’ | xargs rm

• If you want to delete 20 days older files in folder, you can use the find command as below for your job.

This commands to list the files older than 20 days:
# find /path/folder1 -mtime +20 -type f -exec ls -d1 {} \;

Delete the files older than 20 days:
# find /path/folder1 -mtime +20 -type f -exec rm -rf {} \;
OR
# find /path/folder1 -mtime +20 -type f -ok rm -rf {} \;

You can change the older days count by increasing or decreasing the number and the file or folder by specify the “-type d” for folder.

• Changing File or folder permission for multiple files and folder with the command
  chmod -R 777 /path/folder1/* is a risky affair, if you miss the path of folder or file the command would applicable to the root (/) folder and that can result a some wrong permission in system file/folder which leads a vulnerable system. Instead of using the “chmod” command directly, you can use it with find command for a safer modification.

For folders permission:
# find . -type d -exec chmod 555 {} \;

For files permission:
# find . -type f -exec chmod 444 {} \;

These are the most frequently used commands in Linux for day to day activities, thank you for your visit and please feel free to share any additional linux commands which you find useful .

Note: There is a rating embedded within this post, please visit this post to rate it.

64 bit web servers are a significant step up in computer architecture and deliver higher performance, security and reliability of hosted web applications on such servers.  Here is the hardware configuration of our new 64 bit Linux (RHEL 5) server:

• Quad Core Intel Xeon 5520 Processor
• 6 GB DDR 1333 Registered RAM
• 64 bit RHEL 5 OS and applications
• Raptor 300 GB 10K RPM HDDs
• RAID 10 Disk Array
• Plesk 9.5 Control Panel

This shiny new 64 bit server is ready to host your website and unleash the power of the 64 bit computing platform for your website, email and hosted apps. You can view our 64-bit Linux Hosting Plans online get in touch with us for any queries on our plan features.

Reference: Wikipedia – 64 bit

Note: There is a rating embedded within this post, please visit this post to rate it.

Follow the below steps redirect to the 80 port.

Login to your Linux server as super user i.e. ‘root’.

Create a file under /etc/xinetd.d/ folder as http_redirector

# vi /etc/xinetd.d/http_redirector

Now add the following entries in the files.

service http_redirector
{
type = UNLISTED
disable = no
socket_type = stream
protocol = tcp
user = root
wait = no
port = 80
redirect = 127.0.0.1 8089
log_type = FILE /tmp/httpredirector.log
}

Restart the xinetd service.

# service xinetd restart

That’s all you are done.

To hide the information, add/change the following two apache directives in Apache configuration file /etc/httpd/conf/httpd.conf

ServerTokens ProductOnly
ServerSignature Off

Now you need to restart your web server using the following command

# service httpd restart

Now the output for apache header looks like below

Server: Apache

Hide PHP Version in Apache from remote user’s requests

In your php.ini (the typical path is /etc/php.ini) locate the line containing “expose_php = On” and set it to Off:

expose_php = Off

Now you need to restart your web server using the following command

# service httpd restart

After making this change PHP will no longer add its signature to the web server header. Though, this step in itself will not make your server more secure, it will prevent remote hosts to easily see that you have PHP installed on the system and what version of Apache you are running on your web server.

Use instructions below to configure an additional alternate SMTP port in a Plesk Server running in Redhat Enterprise Linux Version 4/5 or CentOS version 5 in Qmail Server.

Choose any unused port and add it to the /etc/services file, for example:

smtp_alt        8425/tcp        mail            # Alternate SMTP Port
smtp_alt        8425/udp        mail            # Alternate SMTP Port (optional)

Make a copy of /etc/xinetd.d/smtp_psa to /etc/xinetd.d/smtp_psa_alt and correct service line within new file:

service smtp_alt

Below is a sample of smtp_psa_alt file.

service smtp_alt
{
socket_type     = stream
protocol        = tcp
wait            = no
disable         = no
user            = root
instances       = UNLIMITED
server          = /var/qmail/bin/tcp-env
server_args     = -Rt0 /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var
/qmail/bin/cmd5checkpw /var/qmail/bin/true
}

Restart xinetd and Qmail

service xinetd restart
service qmail restart

SMTP connections will be accepted on the both standard and 8025 ports. You may also need to reconfigure Horde IMP (webmail) settings so it uses the alternative SMTP port too. This can be done editing the following file in Horde webmail:

/etc/psa-horde/imp/servers.php file under smtpport parameter for both IMAP and POP3 servers.