Server

Update SSLCipherSuite

Issue

Clicking the certificate info in chrome, you'll see a message:

"Your connection is encrypted using an obsolete cipher suite."

Solution

vi /etc/httpd/conf/extra/httpd-ssl.conf

Replace SSLCipherSuite with the following:

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS"

Restart Apache.

service httpd restart

Optional: Update ssl_cipher in directadmin.conf

vi /usr/local/directadmin/conf/directadmin.conf

Replace or add:

Here's the updated version on how-to install Apache Solr 5.x and get it running with Drupal (WITHOUT Apache Tomcat; as Solr 5.x doesn't support Tomcat anymore).

Install Java 1.8

yum install java-1.8.0-openjdk.x86_64
# or
aptitude install java8-jdk

Create a symlink to wherever your /etc/bashrc or ~/.bashrc has

export JAVA_HOME=/usr/local/jdk

set to.

If you tried using WHM's Transfer Tool on very large sites, you've probably got a timeout error.

To fix this, we'll need to do this through SSH (via root) what the Transfer Tools wasn't able to do itself.

STEP 1.

The Transfer Tool will create a /scripts directory--with all required scripts--at the base of your server, which we will use to create WHM/cPanel compatible backups.

The name of the script will look like the following: /scripts/pkgacct.YOUR_CPANEL_SERVER_NAME

Type the following to get the exact name:

ls -la /scripts/

STEP 2.
Next, go into your /home directory to get a listing of the account names.

If you're experiencing slow mysql performance--top showing mysqld high cpu usage. This command will help you track down what's going on at that specific time.

mysql -e "show processlist"

Of course you should also check your log files:

/var/lib/mysql/mysql-slow.log
/var/lib/mysql/mysql-error.log

You'll also want to optimize your /etc/my.cnf: For a pretty good quick start, you can use this tool, Percona Configuration Wizard for MySQL

In phpMyAdmin, click the "SQL" tab and paste the following in there--changing your_database to the actual database you want to change.

SET @DATABASE_NAME = 'your_database';

SELECT  CONCAT('ALTER TABLE `', table_name, '` ENGINE=InnoDB;') AS sql_statements
FROM    information_schema.tables AS tb
WHERE   table_schema = @DATABASE_NAME
AND     `ENGINE` = 'innodb'
AND     `TABLE_TYPE` = 'BASE TABLE'
ORDER BY table_name DESC;

Or if that doesn't work, do the following under SSH (change your_database to your actual database name)

These are some of the basic things I do when I setup a new server

Get the latest directadmin.conf values

With each version of DirectAdmin, new configuration values are introduced that you may not know about. To see ALL these values do the following:

/usr/local/directadmin/directadmin c | sort -n

You can essentially copy/paste the entire results into your /usr/local/directadmin/conf/directadmin.conf replacing anything else in there.

Setup DirectAdmin with an SSL certificate

source: http://help.directadmin.com/item.php?id=15

If you don't own a certificate, you can create your own with letsencrypt.com:

Block IPs with Brute Force Monitor in DirectAdmin using CSF

Source: https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm

Regular install of CSF

cd /usr/local/src
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
./install.directadmin.sh

Now login as Admin into directadmin or WHM, and click the link ConfigServer Security & Firewall

You'll probably want to add your WAN IP here--you can find out what it is here: http://www.ip-secrets.com/

Then add your WAN IP into Quick Allow column.

Here's a simple command to optimize and auto repair all tables in your MySQL database.


mysqlcheck -uroot -p --auto-repair --optimize --all-databases


This is the same thing as using PHPMyAdmin, however, you don't need to do this one by one for each database, select all tables, and optimize--and not to mention if you wanted to repair a database prior to optimizing, it will take 2x as long.

There are plenty of articles about how to move mysql to another directory or partition by telling you to mess with the my.cnf by changing all the references of datadir and socket to the new location.

Example:


[mysqld]
datadir=/new/location
socket=/new/location/mysql.sock


Don't do this... Not only will it waste your time, but likely won't work for half the server setups. Reason being there are other factors at play when you're changing things, it's not only the my.cnf that you have to worry about. For example, if you're using Ubuntu, you may be using AppArmor and you'll also have to specify the new directory in /etc/apparmor.d/usr.sbin.mysqld

Internet Explorer "compatibility mode" is that dreadful page icon, inconveniently placed right next to the refresh button/icon.

What it does is turn IE 8 or higher into an outdated browser, so it can properly display really old school websites that were, likely, built using invalid and/or outdated HTML code. It's a horrible feature, that I see no practical use for whatsoever. Plus it's easy to accidentally click it, because it's located a few pixels away from the refresh button--talk about non-intuitive...

Anyhow... 

This is how you disable IE compatability mode on your website.

  In your .htaccess insert the following:

Header set X-UA-Compatible "IE=9; IE=8; IE=7;IE=edge"

Woooo! We're done. That dumb IE compatibility mode icon won't show ever again.

Alright... So APC has been pretty unstable for me on 2 separate servers running PHP 5.3.x and PHP 5.4.x. So I figured I'd give XCache a try after reading about similar problems with APC.

Anyhow...

Here's how to install XCache 3.X from source on CentOS

Get the latest version of XCache from here: http://xcache.lighttpd.net/#Downloads

Latest version at the time of this writing is XCache 3.0.1


cd /usr/local/src
wget http://xcache.lighttpd.net/pub/Releases/3.0.3/xcache-3.0.3.tar.gz
tar xvfz xcache-3.0.3.tar.gz
cd xcache-3.0.3
phpize
./configure --enable-xcache
make
make install


Note the installation path. Example here are my paths:


cd /usr/local/src
mount -o remount,exec,suid /tmp
yum install autoconf
yum install php-pear
yum install php-devel
yum install httpd-devel
yum install pcre-devel
wget http://pecl.php.net/get/APC
tar xvfz APC-VERSION.tgz
cd APC-VERSION
phpize
whereis php-config

This will give you the location of php-config, which you will put after --with-php-config=

If your disk is starting to run out of space due to an excess of mysql-bin.XXXXXXXX files here's what to do to fix that.


vi /etc/my.cnf


under 'log-bin=mysql-bin' (the destination could be different in your my.cnf) put:


expire_logs_days = 10


Change 10 to whatever you're comfortable with.

or you can simply disable the binary log files by uncommenting the line:


# log-bin=mysql-bin


You'll also want to remove all the excessive binary log files like so:


mysql -u root -p -e "PURGE BINARY LOGS BEFORE '2012-02-15 09:00:00';"


TROUBLESHOOTING

In case you can't shutdown mysqld do the following:


pidof mysqld
kill -9 NUMBEROFPROCESS

First we'll need to install Java 1.6 JDK, and be on PHP 5.2 or higher (You can check my PHP installation tutorial here. Also I'm on CentOS.

Install Java 1.6 JDK


yum install java-1.6*


Install Apache Solr

We're going to install Apache Solr into /usr/local/share; however you can install it somewhere else if you'd like (e.g. install it in the root dir / )


cd /usr/local/share


Download Apache Solr. We're going to use the latest version at the time of this writing: Apache Solr 3.5. Look for the latest version here: http://www.apache.org/dyn/closer.cgi/lucene/solr/

UPDATE: Current instructions located HERE.
Please ignore the outdated below.

So, you're worried about accidentally wiping out your entire system or important directory by doing something like rm -rf / or rm -rf *

with safe-rm , it won't allow you to do that, you'll get something like:


$ rm -rf /
Skipping /


Here's how to install:

if you try running the following:

and get this error

$PHP_PREFIX/bin/phpize
Configuring for:
PHP Api Version: 20041225
Zend Module Api No: 20060613
Zend Extension Api No: 220060519
Cannot find autoconf. Please check your autoconf installation and the
$PHP_AUTOCONF environment variable. Then, rerun this script.

Then it's because you don't have autoconf installed.

To fix this error, do the following:

or you can install from source (if you want to use the latest version)


cd /usr/local/src/

/* find latest version of m4 here: http://ftp.gnu.org/gnu/m4/ */


If something refuses to run, try:

chattr -R -suSiadAc /usr/sbin

Example: if dovecot doesn't run or install/upgrade, try doing...

whoami
lsattr /usr/sbin/dovecot


Customize your ~/.screenrc

source: http://magazine.redhat.com/2007/09/27/a-guide-to-gnu-screen/

-Add all your ips in directadmin under "IP management"
(and assign 2 ips to admin)
http://xx.xxx.xxx.xxx:2222/CMD_IP_MANAGER

-Register nameserver at registrar
(namecheap.com is my fav; networksolution.com is the worst for this... it's not longer an option you can click on the website, you have to send an email request for this)

-Add nameservers to server:
1. go to user level, and add the new domain you registered (leave default settings, and tweak them after)
2. go back to reseller level, and click "nameserver" and select 2 ips you want to use and click "create" then set the 2 new nameservers for "Set the Nameservers that will be assigned to new users" (it should be added by default)

-Share nameserver ips (so you're able to add other domains to them):

Source

1. IP
/etc/sysconfig/network-scripts/ifcfg-eth0

2. DNS
/etc/resolv.conf
/etc/hosts

3. Router
/etc/sysconfig/network

4. Restart the network
/etc/rc.d/init.d/network restart

Plesk will overwrite any httpd.conf settings unless you include them in...

/home/httpd/vhosts/DOMAIN/conf/vhost.conf

Here's how we do it on RHEL:

Logged in as root:

* Create file at /etc/cron.hourly/clockset
* with these two lines only:

rdate -s time-a.nist.gov > /dev/null
hwclock --systohc > /dev/null

SSL Location:

SSH to the old server and go to /usr/share/ssl/certs/, here you find the www.domain.com.crt (SSL Certificate) and the www.domain.com.cabundle (Cabundle), You will find the key www.domain.com.key at /usr/share/ssl/private/ path.

source: www.eth0.us: How-To: Secure your temp directories

Every system needs temporary folders that any user is able to read and write BUT these directories should not be able to execute programs or scripts. Though this will only protect you from somebody running the script directly it will help with a large portion of the automated rootkits and trojans that script kiddies use. They will still be able to put the files on the system but they will be unable to execute them and create the back door. One of the biggest problems is php injection via apache in which people will have apache download and then run an exploit. Securing the temp directories is probably the single biggest thing you can do towards securing your server.

source: howtoforge.com

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 07/05/2006