Welcome to WordPress.com. This is your first post. Edit or delete it and start blogging!

How to install Tomcat6 + Mod_JK

Posted: กันยายน 10, 2010 in Computers and Internet
เริ่มต้นติดตั้ง Java และ jsvc
apt-get update
apt-get install sun-java6-jdk jsvc

ดาวน์โหลด Tomcat6
cd /usr/src
wget http://mirror.kapook.com/apache/tomcat/tomcat-6/v6.0.29/bin/apache-tomcat-6.0.29-deployer.tar.gz

แตกไฟล์ และย้ายไปที่ /usr/share
tar zxvf apache-tomcat-6.0.29.tar.gz
cd apache-tomcat-6.0.29
mv
apache-tomcat-6.0.29 /usr/share/tomcat6

เพิ่ม user และกำหนดสิทธิ์
useradd tomcat6
chown -R tomcat6: /usr/share/tomcat6


สร้างไฟล์เพื่อเรียกใช้งาน
vi /etc/init.d/tomcat6
export JAVA_HOME=/usr/lib/jvm/java-6-sun

case $1 in
start)

sh /usr/share/tomcat6/bin/startup.sh
;;

stop)

sh /usr/share/tomcat6/bin/shutdown.sh
;;

restart)

sh /usr/share/tomcat6/bin/shutdown.sh
sh /usr/share/tomcat6/bin/startup.sh
;;

esac

exit 0

chmod +x /etc/init.d/tomcat6

กำหนดให้ทำงานทุกครั้งที่เปิดเครื่อง
update-rc.d tomcat6 defaults

ลองทดสอบ
/etc/init.d/tomcat6 start

wget http://localhost:8080

ตั้งค่าในไฟล์ server.xml
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListen
er" />
  <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListe
ner"/>
 
  <!– Global JNDI resources –>
  <GlobalNamingResources>
 
    <!– Test entry for demonstration purposes –>
    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
 
    <!– Editable user database that can also be used by
         UserDatabaseRealm to authenticate users –>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
       description="User database that can be updated and saved"
           factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users.xml" />
 
  </GlobalNamingResources>
 
 
  <!– Define the Tomcat Stand-Alone Service –>
  <Service name="Catalina">
 
    <!– A "Connector" represents an endpoint by which requests are received
         and responses are returned.  Each Connector passes requests on to the
         associated "Container" (normally an Engine) for processing.
    –>
 
    <!– Define a non-SSL HTTP/1.1 Connector on port 2117 (default 8080) –>
    <!– <Connector port="8080" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="5" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />–>
 
    <!– Define an AJP 1.3 Connector on port 8009 –>
    <Connector port="8009"
               enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
 
    <!– Define a Proxied HTTP/1.1 Connector on port 8082 –>
    <!– See proxy documentation for more information about using this. –>
    <!–
    <Connector port="8082"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" acceptCount="100" connectionTimeout="20000"
               proxyPort="80" disableUploadTimeout="true" />
    –>
 
    <!– An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host). –>
     
    <!– Define the top level container in our container hierarchy –>
    <Engine name="Catalina" defaultHost="localhost">
 
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
 
      <!– Define the default virtual host –>
      <Host name="www.example.com" appBase="/var/www/example.com/htdocs"
        unpackWARs="true" autoDeploy="true">
 
        <Context path="" docBase="appname" debug="0" reloadable="true"/>
 
        <Valve className="org.apache.catalina.valves.AccessLogValve"
                 directory="logs"  prefix="example.com_access_log." suffix=".txt"
                 pattern="common" resolveHosts="false"/>
      </Host>     
    </Engine>
  </Service>
</Server>
ติดตั้ง mod_jk
apt-get install libapache2-mod-jk


IspCp not support for wildcard domain.
when you try to Add DNS zone’s record name *.yourdomain.com

Cannot validate A record. Reason ‘Use of disallowed char("*") in NAME’.

To Solve this, we need to
Edit function validate_NAME :

vi /var/www/ispcp/gui/client/dns_edit.php

add this :

function validate_NAME($domain, &$err) {
        if($domain[‘name’]=="*"){
                return true;
        }
        if (preg_match(‘~([^-a-z,A-Z,0-9.])~u’, $domain[‘name’], $e)) {
                $err .= sprintf(tr(‘Use of disallowed char("%s") in NAME’), $e[1]);
                return false;
        }
        if (preg_match(‘/\.$/’, $domain[‘name’])) {
                if (!preg_match(‘/’.str_replace(‘.’, ‘\.’, $domain[‘domain’]).’\.$/’, $domain[‘name’])) {
                        $err .= sprintf(tr(‘Record "%s" is not part of domain "%s".’, $domain[‘name’], $domain[‘domain’]));
                        return false;
                }
        }
        return true;
}

Now you can add wildcard domain.

Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run

aptitude install ntp ntpdate

Configure Timezone

Find your timezone file under /usr/share/zoneinfo. For example:

/usr/share/zoneinfo/Asia/Bangkok

Create a symbolic link from the appropiate timezone to /etc/localtime.

ln -sf /usr/share/zoneinfo/Asia/Bangkok /etc/localtime

Configure NTP Server

The configuration file for ntpd is located at /etc/ntp.conf. The
default Ubuntu file probably requires some modification for optimal performance.You need to edit the /etc/ntp.conf file using the following command

vi /etc/ntp.conf

server time1.nimt.or.th
server time2.nimt.or.th
server time3.nimt.or.th

Now Restart ntp service using the following command

/etc/init.d/ntp restart

Set the hardware clock to the system time:

/sbin/hwclock –systohc

ปิดโพรเซสทั้งสองเครื่อง
ps -aux | grep ndbd
killall ndbd

เครื่องที่ปกติ
ndbd –initial

เครื่องที่เกิดปัญหา
ndbd

Start Installation

1. Untar or unzip the distribution files to a secure directory:

# cd /root
# wget http://sourceforge.net/projects/ispcp/files/ispCP%20Omega/ispCP%20Omega%201.0.4/ispcp-omega-1.0.4.tar.gz/download
# tar xvzf ispcp-omega-1.0.4.tar.gz

2. Change to the newly created directory:

# cd ./ispcp-omega-1.0.4

3. Install the required modules
First update your system:

For Ubuntu 8.10 and lower :

# apt-get update && apt-get upgrade

For Ubuntu 9.04 and higher :

# aptitude update && aptitude safe-upgrade

Then install all needed packages:

# aptitude install $(cat ./docs/Ubuntu/ubuntu-packages-`lsb_release -cs`)

During the Install process you might encounter some config screens,
here’s what you should fill in there (some screens described here might
not show up anymore in newer versions of the services to be
configured):

On the courier screen select 'no' to web directories.

When you get to the postfix screen select 'internet site', eventually type in 'root'
for mail. If you've set your system up correctly on install your domain should already be
on screen in the next step, otherwise fill in the host domain name of your server.
Eventually select 'no' to force sync updates.

Proftpd should be configured as standalone (i.e. not inetd)

If you get to the rootkithunter screen, select two times 'yes'

4. (optional) Check the ispcp.conf and adapt it to your requirements.

 An overview over the variables you can find in the FAQ on
http://isp-control.net

5. Build the System by using :

# make -f Makefile.ubuntu install

6. Copy all the directories into your system (you may make backups)

# cp -Rv /tmp/ispcp/* /

7. Now it’s time to set up the frontend. Change into the engine directory:

# cd /var/www/ispcp/engine/setup

7a. Set the MySQL password, if not set:

# mysqladmin -u root password YOUR_PASSWORD

8. Start the engine setup:

# perl ispcp-setup

9. Install ispCP ω step-by-step

If you get no error, all went good; if you get one, look at
http://isp-control.net to solve the problem.

10. There is an error in some courier-versions. Courier won’t stop, if you use

/etc/init.d/courier-authdaemon stop, so change it:

# nano /etc/init.d/courier-authdaemon
change: ${libexecdir}/authlib/authdaemon stop
with: killall authdaemond.plain

11. Clean the temporary folders:

# rm -fR /tmp/ispcp

This is how I would enable spamassassin, along with amavis
and clamav. Unlike the amavis configuration with maia or the one that
partially comes with ispcp, this method uses amavis as pre-queue
filter. That makes it possible to reject spam mails instead of only
tagging them…

Code:
apt-get install amavisd-new clamav spamassassin clamav-daemon lzop rpm pax unrar zoo arj p7zip-full lha arc cabextract ripole

add the following lines to /etc/postfix/master.cf after:

Code:
smtp      inet  n       -       -       -       -       smtpd
Code:
-o smtpd_proxy_filter=localhost:10024
    -o content_filter=
localhost:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o reveive_override_options=no_unknown_recipient_checks

remove the following from /etc/postfix/master.cf:

Code:
amavis    unix  -       -       n       -       2       smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes

localhost:10025 inet  n -       n       -      -        smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_override_options=no_address_mappings
   -o mynetworks=127.0.0.0/8
   -o strict_rfc821_envelopes=yes

/etc/master.cf will look like:

Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
    -o smtpd_proxy_filter=localhost:10024
    -o content_filter=
localhost:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o reveive_override_options=no_unknown_recipient_checks
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# For AOL-Accounts
587       inet  n       -       -       -       -       smtpd
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
    -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache      unix    -    -    -    -    1    scache
# ====================================================================
# ispCP ω (OMEGA) a Virtual Hosting Control System
#
# @copyright    2001-2006 by moleSoftware GmbH
# @copyright    2006-2008 by ispCP | http://isp-control.net
# @version        SVN: $Id$
# @link            http://isp-control.net
# @author        ispCP Team
# ====================================================================
# AMaViS => Antivir / Antispam

# ispCP autoresponder
ispcp-arpl unix  -      n       n       -       -       pipe
  flags=O user=vmail argv=/var/www/ispcp/engine/messager/ispcp-arpl-msgr

# TLS - Activate, if TLS is avaiable/used
smtps     inet  n       -       -       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
#   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix    -    n    n    -    2    pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

change /etc/amavis/conf.d/01-debian:
uncomment

Code:
#$lha    = 'lha'; #disabled (non-free, no security support)
#$unrar  = ['rar', 'unrar']; #disabled (non-free, no security support)

comment

Code:
$lha    = undef;
$unrar  = undef;

change /etc/amavis/conf.d/20-debian_defaults:

Code:
$sa_tag2_level_deflt = 5.8;
$sa_kill_level_deflt = 6.41;
$final_virus_destiny      = D_REJECT;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_REJECT;   # D_REJECT when front-end MTA
$final_spam_destiny       = D_REJECT;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)

change /etc/amavis/conf.d/15-content_filter_mode:
uncomment

Code:
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

change /etc/amavis/conf.d/50-user:

Code:
$max_servers = 5;

change in /etc/group:
amavis:x:112:
to
amavis:x:112:clamav

to uid may be different

/etc/init.d/clamav-daemon restart
/etc/init.d/amavis restart
/etc/init.d/postfix restart

Consider using a ramdisk for the amavis temporary directory…
this will boost performance… and let you use a higher $max_servers
count…

Hello …
I did exactly as you told us to do …
But then SMTP didn’t worked (couldn’t send mails … but i could
receive) and in the ispc pannel, at Server Status, SMTP was down…

Make ispCP more Secure

Make ispCP more Secure
Here you can find some stuff to make your Server more Secure.
Absolutely no warranty, use it at your own risk.

1.) Disable the Apache ServerSignature like this one
Apache/2.2.3 (Debian) mod_fastcgi/2.4.2 mod_perl/2.0.2 Perl/v5.8.8
Put only these lines in your httpd.conf (Under Debian Etch you have to put this in your apache2.conf)

# Disable ServerInfo ServerSignature Off ServerTokens Prod
2.) Disable Debugging functions
An attacker may use this flaw to trick your legitimate web users to
give him their credentials. Add the following lines for each virtual
host in your configuration file (/etc/apache2/ispcp/…) or directly in
the template file (/etc/ispcp/apache/parts/custom.conf.tpl) to disable
the Debugging

<IfModule mod_rewrite.c> RewriteEngine on RewriteCond
%{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* – [F] </IfModule>
Reload the Apache configuration and check if your configuration is active:

# /etc/init.d/apache2 reload # telnet yourdomain.com 80 Trying
xxx.yyy.zzz.rrr… Connected to yourdomain.com. Escape character is ‘^]’.
TRACE / HTTP/1.0 Host: foo A: b
HTTP/1.1
301 Moved Permanently Date: … Server: Apache Location:
http://www.yourdomain.com/ Content-Length: … Connection: close
Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”> <html><head>
<title>301 Moved Permanently</title>
</head><body> <h1>Moved Permanently</h1>
<p>The document has moved <a
href=”http://www.yourdomain.com/”>here</a>.</p>
</body></html> Connection closed by foreign host.
3.) Secure Proftpd a little more
You can add a little more security to Proftp by editing it’s configuration file and adding:

DefaultRoot ~ IdentLookups off
You can also disable displaying of ftp banner.It’s displayed by default when someone connects to Your server like this:

Verbindung mit 62.75.xx.xx wurde hergestellt. 220 ProFTPD 1.3.0 Server (vsxxxxxx) [62.75.xx.xx] Benutzer (62.75.xx.xx:(none)):
Here can you see the ProFTPD Version → 1.3.0 To Disable the Banner add, the following line to the proftpd.conf:

ServerIdent off
You can find more information about it here: http://proftpd.org/localsite/Userguide/linked/userguide.html

4.) Enable SSL in ProFTPD
For a secure File Transfer you can add SSL to your ProFTPD

Create a SSL Certificate:

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl.crt -keyout /etc/proftpd/ssl.key
Open your proftpd.conf to enable SSL

# vi /etc/proftpd/proftpd.conf
enable the last lines like this and set TLSEngine ‘on’

# # SSL via TLS # <IfModule mod_tls.c> TLSEngine on # on for
use of TLS TLSLog /var/log/proftpd/ftp_ssl.log # where to log to
TLSProtocol SSLv23 # SSLv23 or TLSv1 TLSOptions NoCertRequest # either
to request the certificate or not TLSRSACertificateFile
/etc/proftpd/ssl.crt # SSL certfile TLSRSACertificateKeyFile
/etc/proftpd/ssl.key # SSL keyfile TLSVerifyClient off # client
verification </IfModule>
Restart proftpd to bring the effect:

# /etc/init.d/proftpd restart
5.) Change the SMTP-Banner
If you want to change this Postfix SMTP-Banner:

Connected to your-domain.tld. Escape character is ‘^]’. 220 your-domain.tld. ISPCP 1.0 Priamos Managed ESMTP 1.0.0 RC3 OMEGA
Open your “/etc/postfix/main.cf” and change the SMTP-Banner here to what you want

smtpd_banner = $ myhostname ISPCP 1.0 Priamos Managed ESMTP 1.0.0 RC3 OMEGA
6. Install & Configure fail2ban
Fail2Ban automatic blocks an IP-Address after some failed Logins.
It works with Apache,SSH,FTP and Mail.

Install fail2ban per apt-get

# apt-get install fail2ban
After the installation you can configure fail2ban with these two configs under /etc/fail2ban/

/etc/fail2ban/fail2ban.conf /etc/fail2ban/jail.conf
Open your jail.conf to enable the blocks for some Services.

# vi /etc/fail2ban/jail.conf
Now you can enable or disable the Services you want to protect. By default SSH is enabled.

If you want to enable Apache,
change:

# # HTTP servers # [apache] enabled = false port = http filter = apache-auth logpath = /var/log/apache*/*access.log maxretry = 6
to

# # HTTP servers # [apache] enabled = true port = http filter = apache-auth logpath = /var/log/apache2/users/*access.log maxretry = 6
For FTP (proftpd)

[proftpd] enabled = false port = ftp filter = proftpd logpath = /var/proftpd/proftp.log maxretry = 6
change it to

[proftpd] enabled = true port = ftp filter = proftpd logpath = /var/log/auth.log maxretry = 3
You can change the maximal retry´s before ban with

maxretry = X
If you want to change the bantime,

bantime = 600 (is set in seconds)
Warning: fail2ban use Firewall ruls to block the IP.
A ban is per default for 10 minutes active. After this time the IP is unblocked automatically.

The fail2ban Log is under

/var/log/fail2ban.log
7.) SSL for Mailservice (Courier)
First we need to install the courier-ssl packages.

# apt-get install courier-imap-ssl courier-pop-ssl
A default Certificate will be created during the installation. So we need to change them.

Open the /etc/courier/imapd.cnf

# vi /etc/courier/imapd.cnf
and change the attributes to your needs.
And then the same with /etc/courier/pop3d.cnf

# vi /etc/courier/pop3d.cnf
After these changes, first backup the old Certificate before we generate some new.

# cd /etc/courier/ && mv pop3d.pem pop3d.pem.orig && mv imapd.pem imapd.pem.orig
Now we can generate the new one:

# dpkg-reconfigure courier-pop-ssl && dpkg-reconfigure courier-imap-ssl
Done – your Mailservice is now ready for SSL.
Change your Client to use POP3-SSL on port 995 and IMAP-SSL on port 993

8.) Make SSH safer
Every Scriptkiddy checks your Server for a open Port 22 and test to login with the root account.
We will change these things to the good with an other Port and disable the root login via ssh.

First we need a user on the system for a later login. If there is already one, jump over to the next step. If not, create it:

# adduser new_username
Open your sshd_config to change the settings:

# vi /etc/ssh/sshd_config
Change the Port from

Port 22
to

Port 222
Change this line:

PermitRootLogin yes
to

PermitRootLogin no
Restart the SSH-Server

# /etc/init.d/ssh restart
Close your connection and connect again to your Server on Port 222 with your new Username.
To become root, only do a:

# su
9.) Prevent DOS-Attacks
To prevent simple Denial-of-Service attacks you can use the mod_evasive
module. Download the actual version from
http://www.zdziarski.com/projects/mod_evasive/ and unpack it. Make
sure, that apache2-prefork-dev is installed.

# apt-get install apache2-prefork-dev # wget
http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
# tar -xzf mod_evasive_1.10.1.tar.gz # cd mod_evasive
Install it with Apache Extensions Module (apxs).

# apxs2 -i -a -c mod_evasive20.c
The module will be built and installed into your httpd.conf.

Optionally you can change some specific directives in your
/etc/apache2/apache2.conf file. Just add the following lines and change
them to your needs.

<IfModule mod_evasive20.c> DOSHashTableSize 3097 DOSPageCount
2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod
10 </IfModule>
ATTENTION: This config may produce “403 Forbidden” Errors on regular sites (to example: typo3, gallery,…)

You can also add the following directives:

DOSEmailNotify you@yourdomain.com DOSSystemCommand “su – someuser -c ‘/sbin/… %s …’” DOSLogDir “/var/lock/mod_evasive”
After all, just restart your Apache to load the module.

# sudo /etc/init.d/apache2 restart
10.) Securing Open DNS server (BIND 9)
After a clean install of a Debian server, dnsstuff.com reports the
server as an open dns server(anyone can query the server about any
domain ⇒ high load and high transfer). 2 steps for fixing this problem:

a. first edit /etc/bind/named.conf.options (or /etc/named/named.conf for other distros, options paragraph) and add:

recursion no; transfer-format many-answers; //this is for speed up the transfer to a secondary dns
b. we need to modify the template used by ISPCP to generate to zone
files, on Debian this is /etc/ispcp/bind/parts/cfg_entry.tpl. The file
after modification should looks like:

zone “{DMN_NAME}” { type master; file “{DB_DIR}/{DMN_NAME}.db”; notify YES; allow-query { any; }; };
Restart BIND:

/etc/init.d/bind9 restart

Authentication will be done by saslauthd. We have to change a few
things to make it work properly. Because Postfix runs chrooted in
/var/spool/postfix we have to do the following:
=================
mkdir -p /var/spool/postfix/var/run/saslauthd
============
Now we have to edit /etc/default/saslauthd in order to activate
saslauthd. Set START to yes and change the line OPTIONS="-c -m
/var/run/saslauthd" to OPTIONS="-c -m
/var/spool/postfix/var/run/saslauthd -r":

vi /etc/default/saslauthd

Next add the postfix user to the sasl group (this makes sure that Postfix has the permission to access saslauthd):

adduser postfix sasl
==================
Now restart Postfix and start saslauthd:

/etc/init.d/postfix restart
/etc/init.d/saslauthd start
=====================
To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH PLAIN LOGIN

everything is fine.

The output on my system looks like this:

root@server:/etc/postfix/ssl# telnet localhost 25
Trying 127.0.0.1…
Connected to localhost.localdomain.
Escape character is ‘^]’.
220 server.example.com ESMTP Postfix (Ubuntu)
ehlo localhost
250-server.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@server:/etc/postfix/ssl#

Type

quit

========
reboot
==========
Sent to any email I tried to hotmail and gmail and proved that I received the email and sent to all Besatp is pleased

references:
http://www.isp-control.net/documentation/doku.php?id=start:installation:ubuntu
http://isp-control.net/forum/thread-5789-page-5.html
http://www.xpv.cn/home/makeispcpmoresecure.html
http://isp-control.net/forum/printthread.php?tid=9283

.htaccess rule to prevent iframe attack

Posted: มีนาคม 17, 2010 in Computers and Internet

RewriteCond %{QUERY_STRING}
^.*(;||’|"|\)|%0A|%0D|%22|%27|%3C|%3E|).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*
[NC]
RewriteRule .* – [F]

reference:
http://abhionlinux.blogspot.com/2009/08/htaccess-rule-to-prevent-iframe-attack.html