To disable IPv6 on Linux, add the following line to /etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 1
Now apply the change :
sysctl -p
Notice: You need root access to the cPanel server to be able to use this method.
DropBox is my favorite cloud space provider. Their recent price adjustment (1TB for $10/mo) has made using it a no-brainer IMO. It is especially good for backup purposes because it keeps different versions of your files without using any extra space. The retention period for free accounts is 30 days and for pro accounts is 1 year.
So let's say you take a backup of your website and upload it to DropBox every day, and the size of your backup is 100MB. If you keep doing it for 1 year, DropBox is in fact keeping 365 x 100MB of your files, any of which you can retrieve, while only 100MB of your space is used! It is crazy good, I know.
In order to back up cPanel accounts directly to DropBox, we first need a way to upload files to DropBox from the Linux command line. Fortunately there is a very good solution out there to do it: https://github.com/andreafabrizi/Dropbox-Uploader
Please refer to the script documentation on how to install it on your server and link it to your DropBox account. It is fairly easy.
After you linked the script to your DropBox Account, move it to /usr/bin folder.
If you want to test it, run the following command and it should show your DropBox account info :
root@X:[~]: dropbox_uploader.sh info
Dropbox Uploader v0.14
 > Getting info...
Name: X X
UID: 012345
Email: email@domain.com
Quota: 1021760 Mb
Used: 2611 Mb
Free: 1019148 Mb
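Now create /usr/bin/backup2db with the following content and make it executable:
#!/bin/bash
# Usage: backup2db 'acct1 acct2 ...' (space-separated cPanel account names)
for fn in $1; do
    # Package the account into /home/cpmove-<account>.tar.gz
    /scripts/pkgacct "$fn"
    # Upload to DropBox; remove the local archive only if the upload succeeded
    /usr/bin/dropbox_uploader.sh upload "/home/cpmove-$fn.tar.gz" "/cpanel-backup/cpmove-$fn.tar.gz" \
        && rm -f "/home/cpmove-$fn.tar.gz"
done
That's it! We are good to go.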
Command to backup cPanel account acct1 :
backup2db 'acct1'
It even supports backing up multiple accounts:
backup2db 'acct1 acct2 acct3'
If you need daily backups, you can put it in cron :
0 0 * * * /usr/bin/backup2db 'acct1 acct2 acct3' > /dev/null 2>&1
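Sometimes you may need to automatically kill hung processes with high CPU usage. The following script can help you do it:
#!/bin/bash
PROCESSNAME=''   # name of the process to check
HL=10            # high load threshold (%CPU as reported by ps)
# Refuse to run with an empty name, which would match every process
[ -n "$PROCESSNAME" ] || { echo "Set PROCESSNAME first" >&2; exit 1; }
IFS=$'\n'
# One line of ps output per matching process (the grep itself is excluded)
L=$(ps aux | grep -- "$PROCESSNAME" | grep -v grep)
for fn in $L; do
    PID=$(echo "$fn" | awk '{print $2}')
    LOAD=$(echo "$fn" | awk '{print $3}')
    if [ "$(echo "$LOAD > $HL" | bc -l)" -eq 1 ]
    then
        kill -9 "$PID"
        echo "Killed $PID"
    fi
done
Set PROCESSNAME to the name of the process you want checked and HL to the high load threshold.
Please note the load is based on what the ‘ps’ command reports and not what you see inside ‘top’.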
It is a very good security practice to completely disable password authentication on your Linux server and use public key authentication method.
In order to do that you need to create your own public/private key pair and put the public key in ~/.ssh/authorized_keys
mkdir -p ~/.ssh
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHV80zPWjPAwKo8Be0k1ypBRMdYDC0H2eQchu3MFsEp8av2F/18GNuHsbyMWp0p1uovP5LGZ/oPZ1ISJxLxxOBiqv0fOyb8uTDYWUUITgGvq9Fppj3BNYTjnLCUAVMKdP3VJ7IPk69ygYR1nhAXiv3dSfeG74f2eo3ZYhrylsVS2G84DUh47FuEFOsfn5s2wXVjwAgqdKBhiVQZWrptf6TEK3fZTVg4rCiRJ+YiIwTZr/CfFHbdqOiwDlGR5fWo0PHHq31lrQXzkASfi3C+ahQFnHsy4+8LdCq+TjzC3J6PbuXP1wpLdm1iP35f61hU1wX2hwhyxdvE+SBXT/PpSVB' >> ~/.ssh/authorized_keys
DISCLAIMER: The above key is my public key, so use your own public key in its place. If you put mine on your server, I will be able to log in to your server 😀
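Now add/change the following config at the BEGINNING of /etc/ssh/sshd_config (sshd uses the first value it finds for each keyword, so lines placed earlier take precedence over later ones):
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PubkeyAuthentication yes
and restart the ssh service: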
service ssh restart
To check that only public key authentication is available, run the following command on the server:
ssh -o PreferredAuthentications=none -o NoHostAuthenticationForLocalhost=yes localhost -p 22
and you should get this error :
Permission denied (publickey).
Note: Before closing your current SSH session, I highly recommend that you test that you can actually log in to your server with the new method. Otherwise you may be locked out of your server.
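Why the placement at the beginning of the file matters, as an added example that is not part of the original post: the script below applies sshd's first-value-wins rule to a config file and reports which of the four settings above are actually in effect. The function names and the two sample configs are constructed for illustration; it assumes keyword and value are separated by whitespace and does not follow Include directives.

```shell
#!/bin/bash
# Added example: report which value sshd would use for the keywords set in
# this post, applying its "first value obtained wins" rule to a config file.

# effective_value KEYWORD FILE -> first global value, lowercased (empty if unset)
effective_value() {
    awk -v key="$1" '
        NF == 0 || $1 ~ /^#/        { next }   # blank lines and comments
        tolower($1) == "match"      { exit }   # global section ends at the first Match block
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# audit_sshd_config FILE -> 0 only if all four settings from the post are in effect
audit_sshd_config() {
    audit_rc=0
    for want in challengeresponseauthentication=no passwordauthentication=no \
                usepam=no pubkeyauthentication=yes; do
        key=${want%%=*}
        val=$(effective_value "$key" "$1")
        if [ "$val" != "${want#*=}" ]; then
            echo "FAIL: $key is '${val:-unset}', expected '${want#*=}'"
            audit_rc=1
        fi
    done
    return $audit_rc
}

# Constructed samples: the same four lines appended after, then placed before,
# distribution-style defaults of "PasswordAuthentication yes" / "UsePAM yes".
demo_dir=$(mktemp -d)
hardening='ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PubkeyAuthentication yes'
printf '%s\n' '# defaults' 'PasswordAuthentication yes' 'UsePAM yes' "$hardening" > "$demo_dir/appended"
printf '%s\n' "$hardening" '# defaults' 'PasswordAuthentication yes' 'UsePAM yes' > "$demo_dir/prepended"

for f in appended prepended; do
    if audit_sshd_config "$demo_dir/$f"; then
        echo "$f: only public key login is enabled"
    fi
done
```

On a live server, `sshd -T` prints the configuration sshd has actually loaded, including Include files, and is the authoritative check.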
Recently I bought a Dell PowerEdge R210 server which is equipped with a PERC H200 RAID controller.
As I have set up RAID 1 on this server, I needed to monitor its RAID status. Here is what I did:
First you need the “sas2ircu” utility, which can be found on the following website:
http://hwraid.le-vert.net/wiki/DebianPackages
Running “sas2ircu 0 STATUS” gives you the following output:
root@x:/# sas2ircu 0 STATUS
LSI Corporation SAS2 IR Configuration Utility.
Version 16.00.00.00 (2013.03.01)
Copyright (c) 2009-2013 LSI Corporation. All rights reserved.
Background command progress status for controller 0...
IR Volume 1
Volume ID : 79
Current operation : None
Volume status : Enabled
Volume state : Optimal
Volume wwid : xxxxxxxxxxxxxx
Physical disk I/Os : Not quiesced
SAS2IRCU: Command STATUS Completed Successfully.
SAS2IRCU: Utility Completed Successfully.
What we are interested in is the “Optimal” state. If Optimal changes to anything else, we want to be notified.
You can use the following script to do that (change the MAIL variable to your own email address):
#!/bin/bash
MAIL=mail@domain.com
# Empty unless the volume state line reports "Optimal"
RESULT=`sas2ircu 0 STATUS | grep Optimal`
if [ -z "$RESULT" ]; then
    echo "RAID ERROR ON SERVER" | mail -s 'Raid Error' "$MAIL"
else
    echo "Raid is OK"
fi
As always, do not forget to test that your server is actually able to send mails and that you receive them.
Finally save the script in a file and put it in cronjob. I have chosen to run it every 12 hours :
0 */12 * * * /usr/bin/raidcheck
As a minimalist person, I am not a fan of running HP's heavy monitoring tools on my server, so I have written a very small bash script to monitor my server's RAID status and send me email alerts if it fails.
For this script to work, you first need to install hpacucli (HP Array Configuration Utility) on your server. You can download it from the HP website for your Linux distribution.
The script is very easy to understand, but you may need to tweak it a little bit to fit your server.
The heart is this line :
hpacucli ctrl slot=1 pd all show
which returns the following on my server:
\\ EMPTY LINE
Smart Array P222 in Slot 1

   array A

      physicaldrive 2I:1:1 (port 2I:box 1:bay 1, SATA, 3 TB, OK)
      physicaldrive 2I:1:2 (port 2I:box 1:bay 2, SATA, 3 TB, OK)
      physicaldrive 2I:1:3 (port 2I:box 1:bay 3, SATA, 3 TB, OK)
      physicaldrive 2I:1:4 (port 2I:box 1:bay 4, SATA, 3 TB, OK)
But we only need lines 6-9, which show the drive status. This is where you may need to tweak it, as you may have more or fewer drives.
So it may not be 6-9 for you, and you may need to change 6,9 in the sed command.
Here is the final script :
#!/bin/bash
MAIL=mail@domain.com
# Keep the drive lines (6-9 here) and drop every drive that reports OK
RESULT=`hpacucli ctrl slot=1 pd all show | sed -n '6,9 p' | grep -v OK`
if [ -n "$RESULT" ]; then
    # Anything left is a drive that is not OK: mail it
    echo "$RESULT" | mail -s 'Raid Error' "$MAIL"
else
    echo "Raid is OK"
fi
Don't forget to change the MAIL variable to your own email address.
You may test the script once to make sure your server is able to send emails and that you actually receive them.
Finally save the script in a file and put it in cronjob. I have chosen to run it every 12 hours :
0 */12 * * * /usr/bin/raidcheck
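A variant of the drive check that does not depend on line numbers, as an added example that is not part of the original post: it selects the physicaldrive lines by name and treats output with no drive lines at all (hpacucli missing or failing) as its own alert state, where the sed/grep pipeline above would print "Raid is OK". The function names are hypothetical and the sample output is constructed from the listing above with one bay changed to Failed.

```shell
#!/bin/bash
# Added example: classify `hpacucli ctrl slot=1 pd all show` output.
# check_hp_drives reads the command output on stdin, prints the drive lines
# that are not OK, and exits 0 = all OK, 1 = drive(s) not OK,
# 2 = no physicaldrive lines seen (tool failed or output layout changed).
check_hp_drives() {
    awk '
        $1 == "physicaldrive" {
            seen++
            status = $NF; sub(/\)$/, "", status)   # last field is "OK)" or e.g. "Failed)"
            if (status != "OK") { bad++; print }
        }
        END { if (!seen) exit 2; if (bad) exit 1 }
    '
}

# raid_report "<command output>" -> one-line verdict, same exit codes as above
raid_report() {
    rr_rc=0
    rr_out=$(printf '%s\n' "$1" | check_hp_drives) || rr_rc=$?
    case $rr_rc in
        0) echo "Raid is OK" ;;
        1) echo "RAID ERROR: $(printf '%s\n' "$rr_out" | wc -l | tr -d ' ') drive(s) not OK" ;;
        *) echo "RAID UNKNOWN: no drive lines in hpacucli output" ;;
    esac
    return $rr_rc
}

# Constructed sample: the listing from the post with bay 3 changed to Failed
sample_degraded='
Smart Array P222 in Slot 1

   array A

      physicaldrive 2I:1:1 (port 2I:box 1:bay 1, SATA, 3 TB, OK)
      physicaldrive 2I:1:2 (port 2I:box 1:bay 2, SATA, 3 TB, OK)
      physicaldrive 2I:1:3 (port 2I:box 1:bay 3, SATA, 3 TB, Failed)
      physicaldrive 2I:1:4 (port 2I:box 1:bay 4, SATA, 3 TB, OK)'

raid_report "$sample_degraded" || true
# On the server: raid_report "$(hpacucli ctrl slot=1 pd all show 2>&1)"
# and mail the verdict whenever the exit code is not 0.
```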
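Here is a very simple script I have written for my own use to auto-update mod_security rules from the Atomicorp server. You can use cronjobs to automate the process.
Don't forget to put your Atomicorp subscription username and password in the script.
#!/bin/sh
# Atomicorp subscription credentials
USER=
PASS=
# Parent directory; the archive unpacks into $DIR/modsec
DIR=/var/cpanel
# Fetch the VERSION file and strip the first 15 characters (the MODSEC_VERSION label and its separator)
VER=`wget -q --user="$USER" --password="$PASS" http://updates.atomicorp.com/channels/rules/subscription/VERSION -O - | grep MODSEC_VERSION | sed -r 's/^.{15}//'`
FILE_NAME=modsec-$VER.tar.bz2
# Download the rules archive and unpack it straight into $DIR
wget -q --user="$USER" --password="$PASS" "http://updates.atomicorp.com/channels/rules/subscription/$FILE_NAME" -O - | tar jxf - -C "$DIR"
# Reload Apache gracefully so the new rules are picked up
/etc/init.d/httpd -k graceful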
In this case, the script will install the rules in /var/cpanel/modsec directory and reload the server gracefully.
Apparently you should have the following in your modsec2.user.conf
Include "/var/cpanel/modsec/000000_asl_modreqtimeout.conf"
Include "/var/cpanel/modsec/00_asl_0_global.conf"
Include "/var/cpanel/modsec/00_asl_rbl.conf"
Include "/var/cpanel/modsec/00_asl_z_antievasion.conf"
Include "/var/cpanel/modsec/00_asl_zz_strict.conf"
Include "/var/cpanel/modsec/01_asl_content.conf"
Include "/var/cpanel/modsec/01_asl_rules_special.conf"
Include "/var/cpanel/modsec/03_asl_dos.conf"
Include "/var/cpanel/modsec/05_asl_exclude.conf"
Include "/var/cpanel/modsec/05_asl_scanner.conf"
Include "/var/cpanel/modsec/09_asl_rules.conf"
Include "/var/cpanel/modsec/09_asl_rules_antievasion.conf"
Include "/var/cpanel/modsec/10_asl_antimalware.conf"
Include "/var/cpanel/modsec/10_asl_antimalware_output.conf"
Include "/var/cpanel/modsec/10_asl_rules.conf"
Include "/var/cpanel/modsec/11_asl_adv_rules.conf"
Include "/var/cpanel/modsec/11_asl_data_loss.conf"
Include "/var/cpanel/modsec/11_asl_rules.conf"
Include "/var/cpanel/modsec/12_asl_brute.conf"
Include "/var/cpanel/modsec/20_asl_useragents.conf"
Include "/var/cpanel/modsec/30_asl_antimalware.conf"
Include "/var/cpanel/modsec/30_asl_antispam.conf"
Include "/var/cpanel/modsec/30_asl_antispam_referrer.conf"
Include "/var/cpanel/modsec/31_asl_urispam.conf"
Include "/var/cpanel/modsec/40_asl_apache2-rules.conf"
Include "/var/cpanel/modsec/50_asl_rootkits.conf"
Include "/var/cpanel/modsec/51_asl_rootkits.conf"
Include "/var/cpanel/modsec/60_asl_recons.conf"
Include "/var/cpanel/modsec/61_asl_recons_dlp.conf"
Include "/var/cpanel/modsec/98_asl_adv_redactor.conf"
Include "/var/cpanel/modsec/98_asl_jitp.conf"
Include "/var/cpanel/modsec/99_asl_a_redactor.conf"
Include "/var/cpanel/modsec/99_asl_exclude.conf"
Include "/var/cpanel/modsec/99_asl_jitp.conf"
Include "/var/cpanel/modsec/99_asl_redactor.conf"
Include "/var/cpanel/modsec/99_asl_redactor_post.conf"
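The updater above pipes the download straight into tar as root, so a failed or truncated download can leave the live rules half-written just before Apache reloads. The following added example (not the original script) shows the validation and staging step for an archive that has first been saved to a file. The function names are hypothetical, and it assumes the archive unpacks into a top-level modsec directory, as the install path above implies.

```shell
#!/bin/bash
# Added example: check a downloaded rules archive, then swap it in atomically.

# valid_version STRING -> 0 if STRING is a plain token, safe to build a file name from
valid_version() {
    case "$1" in
        ''|*[!0-9A-Za-z._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# members_confined: member names on stdin; fails on absolute paths or ".." components
members_confined() {
    while IFS= read -r name; do
        case "$name" in
            /*|..|../*|*/..|*/../*) echo "unsafe member: $name" >&2; return 1 ;;
        esac
    done
    return 0
}

# stage_rules ARCHIVE PARENT_DIR: unpack into a staging directory and replace
# PARENT_DIR/modsec only after the whole archive extracted cleanly. The previous
# rules are kept in PARENT_DIR/modsec.old; on any failure the live rules are untouched.
stage_rules() {
    sr_archive=$1 sr_parent=$2 sr_stage="$2/.modsec.stage.$$"
    tar -tf "$sr_archive" >/dev/null 2>&1 || { echo "unreadable archive" >&2; return 1; }
    tar -tf "$sr_archive" | members_confined || return 1
    rm -rf "$sr_stage"; mkdir -p "$sr_stage" || return 1
    if ! tar -xf "$sr_archive" -C "$sr_stage" --no-same-owner || [ ! -d "$sr_stage/modsec" ]; then
        rm -rf "$sr_stage"
        echo "extraction failed or no modsec/ directory" >&2
        return 1
    fi
    rm -rf "$sr_parent/modsec.old"
    [ ! -e "$sr_parent/modsec" ] || mv "$sr_parent/modsec" "$sr_parent/modsec.old"
    mv "$sr_stage/modsec" "$sr_parent/modsec" && rm -rf "$sr_stage"
}

# In the updater: save the download with wget ... -O "$tmpfile" instead of piping
# it into tar, then reload only when every step succeeded:
#   valid_version "$VER" && stage_rules "$tmpfile" /var/cpanel && /etc/init.d/httpd -k graceful
```

Running `httpd -t` between the swap and the graceful reload also catches a rule set that no longer parses.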
dd bs=1M count=512 if=/dev/zero of=test conv=fdatasync
The result is something like this :
512+0 records in
512+0 records out
536870912 bytes (537 MB) copied, 1.43334 s, 375 MB/s
First you need to make sure you have the latest version of wget. Some distros are still being released with older versions of wget, which have some bugs in the mirroring functionality. Currently the latest version is 1.13.4, so if you don’t have the latest version, you can download and build it from the following link:
ftp://ftp.gnu.org/gnu/wget/
After building wget, make sure the latest version is being used:
wget -V
output :
GNU Wget 1.13.4 built on linux-gnu.
+digest +https +ipv6 -iri +large-file +nls -ntlm +opie +ssl/gnutls
Wgetrc:
/usr/local/etc/wgetrc (system)
Locale: /usr/local/share/locale
Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc" -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib -O2 -Wall
Link: gcc -O2 -Wall -lgnutls -lgcrypt -lgpg-error -lz -lrt ftp-opie.o gnutls.o ../lib/libgnu.a
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Please send bug reports and questions to <bug-wget@gnu.org>.
OK, you are good to go now, just execute the following command and relax 🙂
wget -mkp -e robots=off http://site