Linux: Sudoers


What is it?

The sudoers file lists the users who may execute commands as root. It is made up of two types of entries: aliases and user specifications.

How to set it up?

Run visudo on the command line, then add the user to the list as below.

If you want the user to enter their password before executing the command:

myuser ALL=(ALL) ALL

And without a password:

myuser ALL=(ALL) NOPASSWD: ALL
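The NOPASSWD: ALL form above gives the account root without any password prompt, so it is worth being able to list every entry that has it. The following is an added example, not part of the original post: the function name and the sample entries other than myuser and %wheel are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sudoers entries that grant NOPASSWD on ALL commands.

# Constructed sample entries, not a real system's sudoers file.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults    env_reset
myuser  ALL=(ALL) NOPASSWD: ALL
%wheel  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
deploy  ALL=(ALL) NOPASSWD: /bin/ls, ALL
EOF
}

# Read sudoers text on stdin and print the user or group of every entry whose
# command list after NOPASSWD: contains the catch-all ALL.
# Limits: Cmnd_Alias names are not expanded and backslash-continued lines
# are not joined.
find_nopasswd_all() {
    awk '
        /^[ \t]*#/        { next }   # comment lines
        /^[ \t]*Defaults/ { next }   # option lines, not grants
        {
            i = index($0, "NOPASSWD:")
            if (i == 0) next         # a password is still required
            n = split(substr($0, i + 9), cmd, ",")
            for (k = 1; k <= n; k++) {
                gsub(/^[ \t]+|[ \t]+$/, "", cmd[k])
                if (cmd[k] == "ALL") { print $1; next }
            }
        }'
}

sample_sudoers | find_nopasswd_all
```

On a real system, visudo -c checks the file's syntax and sudo -l -U myuser lists what a given user may run.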

 


Squid Statistics and Info Web Interface


I have been looking for a Squid statistics web interface for a long time, and I finally got one. It was fairly easy to install and configure.

The name of the app is SARG and can be downloaded freely from http://sarg.sourceforge.net/sarg.php

Depending on your architecture, the installation command is:

rpm -Uvh http://pkgs.repoforge.org/sarg/sarg-2.3.1-1.el6.rft.x86_64.rpm

Before using it, you might wish to configure where sarg writes its output:

vi /etc/sarg/sarg.conf

and change the output_dir /var/www/html/squid/OUT-ONE to your www directory.

To use it, run the following in a terminal, or add it to cron to run it daily:

sarg

This command will generate HTML files for the stats in the specified output_dir.

That’s all folks.

[Screenshot: SARG generated files]


How-to: Local Backup with rsync


A backup using the rsync command can be very useful because it:

Takes less time to replicate

rsync will replicate the whole content between the source and the destination directory only once. Subsequent rsync runs will transfer only the changed blocks or bytes, which makes them very fast.

Uses less bandwidth

With the z option, rsync compresses data block by block at the sending end and decompresses it at the receiving end.

Is secure

rsync can use the ssh protocol for remote transfers and hence allows encryption of data in transit.

The script broken down

I will create a script which will back up my current web directory /data to the same server, on a disk mounted at /backup. Broken down, the script comes to this command:

rsync -azvu --progress /data /backup

where the options are:

  • z is for compress mode
  • v is for verbose mode
  • a is archive mode: recursive, preserving symbolic links, permissions and timestamps
  • u is to skip files that are newer at the destination
  • progress is to show the progress during transfer

An extract of the transfer start is:

sending incremental file list
data/
data/log/
data/log/gulshan.beejan.log
8713 100%    0.00kB/s    0:00:00 (xfer#1, to-check=1004/1010)
data/lost+found/

ending with:

sent 284122142 bytes  received 230478 bytes  1914832.46 bytes/sec
total size is 379003084  speedup is 1.33

Now, if I perform a second transfer, it will be much faster. Here’s an extract of that transfer:

[root@sdb backup]# rsync -avzu --progress /data /backup
sending incremental file list

sent 278200 bytes  received 1778 bytes  50905.09 bytes/sec
total size is 379003084  speedup is 1353.69

The script

Let’s convert that into a nice and clean script, shall we?

Create the script file:

vi /scripts/localrsync.sh

Paste the following:

#!/bin/bash

# declare variables
SOURCE_DIR=/data
DESTINATION_DIR=/backup

# rsync command; make sure the user you run this file as has the required permissions on the source/destination folders
# we don't need progress or verbose output, as this runs in the background
rsync -azu "$SOURCE_DIR" "$DESTINATION_DIR"

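Make the sh file executable by its owner only. Do not use 777 here: a world-writable script that root's crontab runs lets any local user run commands as root.

chmod 700 /scripts/localrsync.sh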

Test the file

sh /scripts/localrsync.sh

[root@sdb ~]# sh /scripts/localrsync.sh
sending incremental file list

sent 278200 bytes  received 1778 bytes  62217.33 bytes/sec
total size is 379003084  speedup is 1353.69

Add it to crontab:

crontab -e

Add this line at the end to run it daily at 2 AM (the minute field must be 0; a * there would start the script every minute between 2:00 and 2:59):

0    2    *    *    *    sh /scripts/localrsync.sh
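Because this script runs unattended as root and writes to a disk that has to be mounted at /backup, a few checks before the rsync call are worth having. The following is an added example, not the script from the original post: the lock file path and the --run argument are assumptions, and it relies on the util-linux mountpoint and flock commands.

```shell
#!/bin/sh
# Added example: pre-flight checks before the nightly rsync runs as root.
SOURCE_DIR=/data
DESTINATION_DIR=/backup
LOCK_FILE=/var/run/localrsync.lock   # hypothetical lock file path

# Succeeds only if $1 exists and is not writable by group or others.
# A script that root's cron executes must not be editable by other users.
script_perms_safe() {
    [ -e "$1" ] || return 2
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Succeeds only if $1 is a mount point. If the backup disk is not mounted,
# rsync would otherwise fill the root filesystem under /backup.
dest_is_mounted() {
    mountpoint -q "$1"
}

run_backup() {
    script_perms_safe "$0" || { echo "refusing: $0 is group/world-writable" >&2; return 1; }
    dest_is_mounted "$DESTINATION_DIR" || { echo "refusing: $DESTINATION_DIR is not mounted" >&2; return 1; }
    # Hold an exclusive lock so that two cron runs never overlap.
    exec 9>"$LOCK_FILE" || return 1
    flock -n 9 || { echo "previous backup still running" >&2; return 1; }
    rsync -azu "$SOURCE_DIR" "$DESTINATION_DIR"
}

# Only start the backup when called with --run (for example from cron).
if [ "${1:-}" = "--run" ]; then
    run_backup
fi
```

From cron this version would be called as sh /scripts/localrsync.sh --run.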

 


5 Steps to Securing your cPanel servers


My web hosting server has been receiving a few brute-force attacks this past week. So I decided to secure the server a little more than what it already was. None of the brute-force attempts were successful, but it’s always good to be on your guard.

1. Disable root user login from SSH

In a shell, log in as root and do the following:

useradd -g wheel iamtherealroot   # you may change iamtherealroot to something else

passwd iamtherealroot   # set a difficult password

visudo   # update the lines

## Allows people in group wheel to run all commands
%wheel        ALL=(ALL)       ALL

Save the file and make sure you can su - root when logged in as iamtherealroot, or else you risk being locked out of root for good!

vi /etc/ssh/sshd_config

Update the line

PermitRootLogin no

service sshd restart

2. Change the SSH port to something else other than port 22

Changing the SSH port to something else forces an attacker to look for the open SSH port on your server instead of finding it on the default one. It is usually good practice to change it.

vi /etc/ssh/sshd_config

Change the Port number 🙂
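To confirm that the edits from steps 1 and 2 are the ones sshd will actually use, the file can be checked mechanically. The following is an added example, not part of the original post: the function names and the sample configuration are constructed, and Match blocks are deliberately not evaluated.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings from steps 1 and 2.
# Constructed sample configuration, not taken from a real server.
sample_sshd_config() {
    printf '%s\n' '#Port 22' 'Port 2222' 'PermitRootLogin no' 'permitrootlogin yes'
}

# Effective global PermitRootLogin. sshd keeps the first value it reads for a
# keyword, so a later duplicate is ignored. Match blocks are not evaluated.
root_login_setting() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Global listening ports, one per line; with no Port line sshd listens on 22.
listen_ports() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port" { print $2; n++ }
        END { if (!n) print 22 }
    ' "$1"
}

# Print one line per finding; the return status is the number of failures.
audit_sshd_config() {
    fails=0
    root=$(root_login_setting "$1")
    if [ "$root" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is $root"
        fails=$((fails + 1))
    fi
    for p in $(listen_ports "$1"); do
        [ "$p" != "22" ] && continue
        echo "FAIL sshd listens on port 22"
        fails=$((fails + 1))
    done
    return "$fails"
}

# Audit the file named on the command line, else the constructed sample.
cfg=${1:-$(mktemp)}
[ -n "${1:-}" ] || sample_sshd_config > "$cfg"
audit_sshd_config "$cfg"
```

Before restarting the service, sshd -t validates the edited file; keep the current root session open until a login as the new user on the new port has succeeded.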

3. Use a stricter cPHulk setting from WHM

4. Disable your system compilers

Go to Security Center from WHM -> Compiler Access. If your settings are as in the screenshot below, you are still good to go 🙂 Why that? It prevents your users from using C compilers, which could be used for harmful purposes.

5. Enable a firewall

Always remember to allow access only to the specific ports that are currently being used, never to every port on your server. For example ports 80, 21, 25, 443, 110 and the SSH port, all depending on the services that you are running on your machine.
