Home Blog Page 2

Install and Configure CSF (Config Server Firewall) on CentOS/Cpanel

CSF : It is the abbreviation of Config Server Security & Firewall. CSF is for configuring or managing your server firewall easily and simply. Here is some useful steps to Install , configure and uninstall csf on server with CentOS.

Installation Process:
SSH to your server and do the following steps as root user.
Step 1: Downloading csf package.

rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz

Step 2: Remove already installed firewall settings
Execute the following command to remove already installed firewall like APF (Advanced Policy Firewall) or BFD (Brute Force Detection) from server.

[[email protected] #] sh /tmp/csf/remove_apf_bfd.sh 

Step 3: Installation

[[email protected] #] tar -xzf csf.tgz 
[[email protected] #] cd csf 
[[email protected] #] sh install.sh 

You will get an output like below pasted if that was a successful installation.

*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
`/etc/csf/csfwebmin.tgz' -> `/usr/local/csf/csfwebmin.tgz'

Installation Completed

Then, check whether your server have required IP tables modules by using the following command.

[[email protected] #] perl /usr/local/csf/bin/csftest.pl 

Step 4: Configure CSF
Once the installation process is completed we need to enable the csf to work it properly. ‘csf -e’[csf -x for disabling csf] command is using to enable csf on server.

[[email protected] csf]# csf -e
Starting lfd:[  OK  ]
csf and lfd have been enabled
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration

The ‘csf -e’ output sounds, the csf is configured in testing mode on your server. You need to edit the conf file for enabling it.

[[email protected] #] vim /etc/csf/csf.conf
Then change the value of 'TESTING' from 1 to 0

Important configuration options
All cofiguration options are located under the directory “/etc/csf” . Some usefull and importent configuration files are listed below.

csf.conf : Configuration file for controlling CSF.
csf.allow : Allowed IP’s and CIDR addresses list on the firewall.
csf.deny : Denied IP’s and CIDR addresses list on the firewall.
csf.ignore : Ignored IP’s and CIDR addresses list on the firewall.
csf.*ignore : The list of various ignore files of users, IP’s.

Removing csf and lfd is even more simple:

cd /etc/csf
sh uninstall.sh

Originally posted 2016-02-19 22:55:48.

How to Install MongoDB on CentOS and cPanel

MongoDB is one of those technologies that you should be paying attention to because it’s changing the way that developers interact with databases.

MongoDB is officially a “NoSQL” database. Thanks to its architecture and BSON structure, it can scale more easily than other popular database servers like MySQL.

MongoDB helps you to integrate database information into your apps easier and faster. That’s why it’s becoming the number one NoSQL solution, chosen by many popular websites like eBay, NY Times, SourceForge and many others.

In this guide, you will learn how to install MongoDB on a WHM/cPanel WHM server.

Technical requirements

  • Root access via SSH
  • PHP-pear for full pecl support
  • PHP-devel package installed to compile extension manually

Installing MongoDB via MongoDB Repo

There are lot of RPM repos that offer MongoDB packages. It is recommended to always use the MongoDB official repo to get the latest stable and secure versions.

Install the MongoDB repo:

cd /etc/yum.repos.d

Create mongodb.repo file:

nano -w mongodb.repo

Paste this code inside:

name=MongoDB Repo

Save the file by pressing CTRL + O to write the file, and then CTRL + X to exit.

Install MongoDB using Yum

yum install mongo-10gen mongo-10gen-server

At this point, you should have MongoDB installed on your CentOS + cPanel box.

Configure MongoDB to automatically start after reboot:

chkconfig mongod on

Start MongoDB:

service mongod start

Now, you should have the MongoDB system daemon fully running on your Linux environment. However, that’s not enough for most applications, as addressed by the second part of this tutorial,  installing the MongoDB app support for PHP.

Install MongoDB PHP Extension

Use the powerful PECL command to install your MongoDB PHP extension:

pecl install mongo

Restart Apache to apply changes:

service httpd restart

Verify installation with this command:

php -i | grep mongo -i

If you see the MongoDB extension in the output, then you are all set!

What if you don’t have the PECL command available?

There is an alternative way to install the MongoDB PHP extension by compiling manually. Example:

mkdir $HOME/mongo
cd $HOME/mongo
wget https://github.com/mongodb/mongo-php-driver/zipball/master
unzip master
cd mongodb-mongo-php-driver-07be50e/
make install

Add the extension to your /usr/local/lib/php.ini file:


Restart Apache to ensure that this module is recognized by the web server:

service httpd restart

Again, check against PHP to ensure that it is fully loaded:

php -i | grep mongo -i

What are your experiences working with MongoDB? Do you notice any difference when comparing this software with MySQL or other traditional SQL solutions?

Originally posted 2016-02-18 22:47:49.

Log the Total Number of Connections to a Port From an IP Address

Is there any log entries to find-out directly the total number of connections in server?

In some high connection high load servers, this log would be helpful to monitor and tune the server with number of connections on it. We can simply sort out the total number of connections in a port by using the command netstat. There isn’t any log entries with total number of connections. But, we will get the history of resource usage information by installing sar (Systat) on the server. Then, we can create a cronjob to monitor the server connections. In this post I am explaining the method to create a log for total number of connection to server. Before creating a script and setting cron, you must have the idea to use the command “netstat” to list total number of connections in server.

By considering the service Apache, we can sort it by using the port 80.

netstat -ntlp|grep :80|wc -l


netstat -ntlp|grep :80|wc -l

If you want to monitor the total connection to your Apache service at times, create a cronjob to save this to a file as a log. Here I am using the command “date” to get the time details when the “netstat” taking the connection log. Please do follow these steps to create a log with connection details.

Step 1 : Create a file to get the log.

touch connection.txt

Step 2 : Create a script for the same.

2.1 –> Use the command ‘date’ for time details.
2.2 –> Use ‘echo’ to print your instructions.
2.3 –> Use ‘netstat’ for connection details.


echo "Time"
echo "Total no: of connection in port 80"
netstat -ntlp|grep :80|wc -l
echo ""

Step 3 : Change the file permission as executable.

chmod 755 connections.log

Step 4 : Test the script from the location.

Fri Jul 18 01:11:02 MSD 2014
Total no: of connection in port 80

Step 5 : Create a file to log the connection information.

touch connections.log

Step 6 : Create a cronjob to execute this periodically.

crontab -e

*/30 * * * * /root/connection.txt >> connections.log


This will save the total number of connections to the file connections.log.

Sample output

Originally posted 2016-02-17 22:39:39.

How To Install mod_geoip On a WHM/cPanel Server


mod_geoip is an API module released by MaxMind for Apache (or interchangeably, LiteSpeed) to quickly and easily obtain your website visitors’ geographical information. It offers high performance IP lookup especially when used together with PHP. See benchmark

While instructions to install mod_geoip on Linux with Apache are easily available on the Internet, not much is written on how to install the module on WHM/cPanel servers. This tutorial will walk you through installing mod_geoip on your WHM/cPanel step-by-step.

To be able to install mod_geoip on your WHM/cPanel server, you must have root access and is able to SSH to your Virtual Private Server (VPS) / Hyrbrid Server / Dedicated Server. Note that for Shared or Reseller hosting users, you may have to contact your web host to get the module installed for you (warning: don’t expect it to be easy).

Step 1: Log in to your VPS via SSH and create directory
Open up your SSH client (PuTTY) and log in to your VPS as root user. Then enter the following commands:

mkdir /usr/share/GeoIP
cd /usr/share/GeoIP

Step 2: Download and install GeoIP database
To download and install the GeoIP database provided by MaxMind, enter the following commands:

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
gzip -d GeoIP.dat.gz 

Step 3: Download and install custom mod_geoip module for cPanel
Next we will install the custom mod_geoip cPanel module created by Sohail Riaz. Simply enter the following commands:

wget https://documentation.cpanel.net/download/attachments/2326651/custom_opt_mod-mod_geoip.tar.gz
tar -C /var/cpanel/easy/apache/custom_opt_mods -xzf custom_opt_mod-mod_geoip.tar.gz

Step 4: Rebuild Apache via EasyApache
Now that we have installed the GeoIP database and all the modules required to run mod_geoip with Apache and cPanel, we will need to rebuild Apache in WHM.

WHM -> Software -> EasyApache (Apache Update) -> Start customizing based on profile -> Check 'Mod GeoIP' option (on Short / Exhaustive Options List page) -> Save and Build

Step 5: Load and enable mod_geoip
After Apache has been rebuilt with mod_geoip, we will need to load and enable the module every time Apache runs. First, in WHM, go to:

WHM -> Service Configuration -> Apache Configuration -> Include Editor -> Pre Main Include -> Select the current Apache version 

Second, enter the following codes into the textbox:

LoadModule geoip_module /usr/local/apache/modules/mod_geoip.so
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat MemoryCache 

And that’s it! mod_geoip is now installed on your WHM/cPanel server in just 5 simple steps.

Originally posted 2016-02-16 22:27:25.

How to Change & Set the Default crontab Editor


Most hardcore command line users and unix geeks love vi, but I prefer nano. If you want to change your default crontab editor to nano, here’s how to do this:


For a one time edit, launch the terminal and type:

EDITOR=nano crontab -e

If you want to set nano as your default editor in general, you use this command:

export EDITOR=/usr/bin/nano

Now when you go to edit crontab, nano will be the default editor than vi. You can test this by typing:

crontab -e

Originally posted 2016-02-15 22:20:37.

Linux / Unix: Sed Substitute Multiple Patterns [ Find & Replace ]


I’m using the date +’%D_%T’ to store Unix system date and time in a shell variable called $_now:

_now=”$(date +’%D_%T’)”
echo $_now


I’d like to replace / and : with _. I’m aware of the following sed command:

sed ‘s/\//_/g
> s/:/_/g’ <<<“$_now”


How do I specify two pattern within the same sed command to replace | and : with _ so that I can get output as 01_20_12_16_10_42?

You can use any one of the following sed substitute find and replace multiple patterns:

sed -e 's/Find/Replace/g' -e 's/Find/Replace/g' <<<"$var"
sed -e 's/Find/Replace/g' -e 's/Find/Replace/g' < inputFile > outputFile
out=$(sed -e 's/Find/Replace/g' -e 's/Find/Replace/g' <<<"$var")


sed 's/Find/Replace/g;s/Find/Replace/g' <<<"$var"
sed -e 's/Find/Replace/g;s/Find/Replace/g' <<<"$var"
sed -e 's/Find/Replace/g;s/Find/Replace/g' < inputFile > outputFile
out=$(sed -e 's/Find/Replace/g;s/Find/Replace/g' <<<"$var")

Examples: Find And Replace Sed Substitute Using a Singe Command Line

_now="$(sed -e 's/\//_/g;s/:/_/g' <<<$(date +'%D_%T'))"
echo $_now

Sample outputs:


Here is another version:

_now=$(sed 's/[\/:]/_/g' <<<$(date +'%D_%T'))
echo "$_now"

Sample outputs:


Originally posted 2016-02-14 22:09:36.

Check Spam on EXIM Mail Server


We can simply find out the details spammers from mail queue itself. Some simple exim commands for check spams are below.
First login tho the server via SSH,
ssh [email protected] then run the following commands

exim -bpc

This commands shows the total number of mails in the queue. If the result is high(eg:2000) you can confirm spamming.

[[email protected]]# exim -bpc
exim -bp

This command give some close look of mails in queue. It will give the message ID,sender,Recipient,size and age of mail. From this the message ID is usefull to find out te details like header,body and log. That will discussed in detail later.

[[email protected]]# exim -bp
44h 763 1VGaIo-0002ec-RM <[email protected]>
[email protected]

10h 5.9K 1VH6AW-0001Um-Rz <> *** frozen ***
[email protected]

0m 502 1VHFNl-0003bf-GB <[email protected]>
[email protected]

0m 568 1VHFNl-0003bn-Tq <[email protected]>
[email protected]
1st field: Age
2nd field: Size
3rd field: Message ID
4th field: Sender
5th field: Recipient

By using the ID we can find the header,body and the log of message.

exim -Mvh ID

This command displays the message header. From the output displayed we can check from address, to address, subject, date, script etc.

exim -Mvb ID

Displays the message body

exim -Mvl ID

Displays the log of mail. From this log get the original user details logged in for sending mail.

exim -bpr|grep "<"|awk {'print $4'}|cut -d"<" -f2|cut -d">" -f1|sort -n|uniq -c|sort -n

This command list number of mails and the user who sent the mail.

[[email protected]]# exim -bpr|grep "<"|awk {'print $4'}|cut -d"<" -f2|cut -d">" -f1|sort -n|uniq -c|sort -n
3 [email protected]
exiqgrep -f sendername|grep "<"|wc -l

This command displays the total count of mails that send by a particular user.

[[email protected]]# exiqgrep -f [email protected]|grep "<"|wc -l

Similarly -r switch with exiqgrep is using for recipient.
exiqgrep -f recipient|grep “<”|wc -l

exim -bpr| grep sendername| awk '{print $3}'|xargs exim -Mrm

To delete all mails from queue for a particular sender.

exim -bp|grep frozen|wc -l

Displays the total count of frozen mails in queue.

exim -bp|grep frozen|awk {'print $3'}

Displays the IDs of frozen mails

exim -bp|grep frozen|awk {'print $3'}|xargs exim -Mrm

Command to remove all frozen mails in queue.

exim -bp|exiqsumm

This command will print the summary of mails in queue.

[[email protected]]# exim -bp|exiqsumm
Count Volume Oldest Newest Domain
----- ------ ------ ------ ------
1 6041 11h 11h facebook.com
1 763 45h 45h interia.pl
2 6804 45h 11h TOTAL

It displays, what exim is doing right now.

[[email protected]]# exiwhat
1923 daemon: -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
exim -Mrm

Is for deleting mails from queue.

[[email protected]]# exim -Mrm will remove that particular mail.

Originally posted 2016-02-13 21:53:00.

Install eAccelerator on cPanel Server – Command line

What is eAccelerator ?

Yes, before going directly to the installation steps, you must have an idea about eAccelerator. As the name indicates, it’s an accelerator for PHP scripts/files on your website. It’s an open source software which is used to increase the loading speed of PHP pages.

eAccelerator is a PHP accelerator derived from the MMCache extension for the PHP programming language. eAccelerator provides a bytecode cache. eAccelerator is open source and thereby free to use and distribute. Old and unmaintained versions also provided an encoder.

Every time a PHP script is accessed, PHP usually parses and compiles scripts to bytecode. Once installed, eAccelerator optimizes the compiled bytecode and caches this to shared memory or disk or both. Upon subsequent accesses to a script, eAccelerator will access cached bytecode if it is available instead of the script being compiled. This avoids the performance overhead of repeated parsing and compilation.

So we can conclude, the eAccelerator helps to improve performance by re-using compiled PHP scripts and optimizing them to speed up their execution.

Installation of eAccelerator on a cPanel server using phpextensionmgr script

Step I : Login to server as root.

Step II : Run the below pasted script:

/scripts/phpextensionmgr install EAccelerator

Un-installation of eAccelerator

/scripts/phpextensionmgr uninstall EAccelerator

How/Command to check whether eAccelerator is installed or not on a cPanel server ?

It’s very simple to check if eAccelerator is installed or not on the server. You can use the command “php -v” to check it from your server commandline. :-)
See the example below:

[email protected] [~]# php -v
PHP 5.4.26 (cli) (built: Mar 14 2014 02:39:49)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
    with eAccelerator v0.9.6.1-ea, Copyright (c) 2004-2012 eAccelerator, by eAccelerator

Alternate method

Installing eAccelerator from its source code.

This method is very helpful to install eAccelerator in a server which hasn’t cPanel. You can download latest version from HERE.

Please do follow the below pasted steps to install eAccelerator from its source file.

wget http://downloads.sourceforge.net/project/eaccelerator/eaccelerator/eAccelerator%
unzip eaccelerator-
cd eaccelerator-
./configure  --enable-eaccelerator=shared  --with-php-config=/usr/local/bin/php-config
make install

Make sure that the eaccelerator.so file available on extensions directory after the eAccelerator installation.


Add the following lines at the end of php.ini


Restart Apache web-server.

service httpd restart

Originally posted 2016-02-12 21:30:14.

Hardening your TCP/IP Stack Against SYN Floods


Denial of service (DoS) attacks launch via SYN floods can be very problematic for servers that are not properly configured to handle them. Proper firewall filtering policies are certainly usually the first line of defense, however the Linux kernel can also be hardened against these types of attacks. This type of hardening is useful for SYN floods that attempt to overload a particular service with requests (such as http) as opposed to one that intends to saturate the server’s network connection, for which a firewall is needed to guard against.

Definition of a SYN Flood

TCP connections are established using a 3-way handshake. Attackers desiring to start a SYN flood will spoof their IP address in the header of the SYN packet sent to the server, so that when the server responds with it’s SYN-ACK packet, it never reaches the destination (from which an ACK would be sent and the connection established). The server leaves these unestablished connections in a queue for a pre-determined period of time after which they are simply discarded. However if enough of these “fake” connections gum up the queue (backlog) , it can prevent new, legitimate requests from being handled. Linux has a relatively small backlog queue by default, and keeps half-open requests in the queue for up to 3 minutes! Thus the need for tweaking the way the Linux kernel handles these requests is born.

Protecting your Server

First, we’ll set the variables to be active immediately:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 3 > /proc/sys/net/ipv4/tcp_synack_retries

This sets the kernel to use the SYN cookies mechanism, use a backlog queue size of 2048 connections, and the amount of time to keep half-open connections in the queue (3 equates to roughly 45 seconds).

Making the Changes Persist

To make these changes persist over consecutive reboots, we need to tell the sysctl system about these modified parameters. We use the /etc/sysctl.conf file to do so. We will add the following lines to the bottom of the file:

# TCP SYN Flood Protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3

Your changes will now be permanent!

Originally posted 2016-02-10 20:58:37.

How To Install APF Firewall on Cpanel

Advanced Policy Firewall, or APF, is basically an interface to iptables, which is the standard interface to managing network ports on Linux machines. Interacting with iptables can be complex and error-prone, and APF greatly simplifies working with it. However, APF is still only accessible by ssh. There is no way to make changes in APF through WHM or cPanel.

All of the APF configuration files are located in the /etc/apf folder on your server.  Within this folder theallow_hosts.rules file contains all of the IP addresses that are whitelisted for the server and the deny_hosts.rulesfile contains all of the IPs that are being blocked by the firewall.  Within the deny_hosts.rules file each IP that is being blocked should also include a reason behind the block(most of them will be blocked by bfd, which blocks IPs attempting to brute force the server).

To block an IP in the firewall, simply ssh in as root and run the following command:

apf -d
If the IP has previously been whitelisted, that command will give you this error: already exists in /etc/apf/allow_hosts.rules

You’ll need to open /etc/apf/allow_hosts.rules in your preferred text editor and remove the IP before you can block it in the firewall. If your setup is more recent, this command may work to get the IP out of allow_hosts.rules:

apf -u

Starting, stopping, and restarting apf can be easily done via the command line:

apf -s This will start apf if it is not running.

apf -r This will restart apf.

apf -f This will stop apf and flush all rules from the firewall.

White-listing an IP

If you have an IP address that you would like never to be added to the firewall (also known as whitelisting), simply run this command as root:

apf -a

(be sure to replace with the IP address in question)
If the IP address is currently being blocked by the firewall, you will get an error: already exists in /etc/apf/deny_hosts.rules

If that happens, you will need to open /etc/apf/deny_hosts.rules in your favorite text editor and remove the IP address before it can be added to the whitelist. If your setup is more recent, you may be able to run the following to remove the IP address from deny_hosts.rules:

apf -u

Opening a port in the apf firewall

By default apf is configured in such a way that all ports are blocked besides the ones specifically allowed to be open to the world.  To allow access to additional ports, the main apf configuration file needs to be edited.

First open the apf.conf file

vim /etc/apf/conf.apf

Within this file the file that needs to be changed starts with IG_TCP_CPORTS= and looks like this:

Now this line needs to be edited to include the additional port.

  • Within vim hit a to enter insert mode.
  • Within insert mode add the additional port to the current list followed by a comma.
  • Now hit escape(esc) to exit insert mode.
  • To write and save the changes type :wq and hit enter.
  • After these changes have been done restart apf with this command: apf -r

These instructions are for opening a TCP port.  If a UDP port also needs to be opened up the instructions are the same except the line that needs be edited is the IG_UDP_CPORTS line.

Originally posted 2016-02-11 21:20:48.