Shadow password hash explained
Sat, 07/11/2009 - 00:05 — sandip
You can programmatically generate a shadow password hash via:
$ openssl passwd -1 -salt G5cYam5w test.123
$1$G5cYam5w$z0NDUjMRX4xVBKw9Nb6YL0
-1 means md5
G5cYam5w is a random salt (minimum 8)
test.123 is the password
Here is the breakdown:
The first $1 means that it is an md5 hash.
The second $G5cYam5w is a random salt.
The third $z0NDUjMRX4xVBKw9Nb6YL0 is the md5 hash.
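The same breakdown can be applied to a whole shadow file to find accounts still stored as MD5. This is an added example, not part of the original post: the function names, the user names and the second sample hash are constructed, and the scheme ids other than $1 ($5, $6, $2a/$2b/$2y) go beyond what the post covers.

```shell
#!/bin/sh
# Added example: classify shadow password fields by crypt(3) scheme id.

# Print "<scheme> <salt>" for a hashed field, or locked / empty / legacy-des.
classify_hash() {
    field=$1
    case $field in
        '')        echo "empty";      return ;;
        '!'*|'*'*) echo "locked";     return ;;
        '$'*)      ;;                       # modular format: $id$salt$hash
        *)         echo "legacy-des"; return ;;
    esac
    rest=${field#?}          # drop the leading "$"
    id=${rest%%\$*}          # text up to the next "$" is the scheme id
    rest=${rest#*\$}
    case $id in
        1)        scheme=md5 ;;
        5)        scheme=sha256 ;;
        6)        scheme=sha512 ;;
        2a|2b|2y) echo "bcrypt"; return ;;  # next field is a cost, not a salt
        *)        scheme=unknown ;;
    esac
    case $rest in rounds=*) rest=${rest#*\$} ;; esac   # skip optional rounds=N
    salt=${rest%%\$*}
    echo "$scheme $salt"
}

# Read shadow-format lines on stdin; print users whose hash is MD5 or DES.
weak_accounts() {
    while IFS=: read -r user field other_fields; do
        scheme=$(classify_hash "$field")
        scheme=${scheme%% *}
        case $scheme in md5|legacy-des) echo "$user $scheme" ;; esac
    done
}

# Constructed sample: the first hash is the one from the post, the rest is made up.
sample_shadow() {
    cat <<'EOF'
alice:$1$G5cYam5w$z0NDUjMRX4xVBKw9Nb6YL0:14436:0:99999:7:::
bob:$6$rounds=5000$Xy7examplesalt$CONSTRUCTEDPLACEHOLDERHASH:14436:0:99999:7:::
daemon:*:14436:0:99999:7:::
EOF
}

sample_shadow | weak_accounts
```

On a real system, feed it /etc/shadow as root instead of the sample: weak_accounts < /etc/shadow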
Determine cpu bit
Sat, 07/04/2009 - 19:18 — sandip
You can try this to find out if your CPU/Processor is 32 bit or 64 bit:
cat /proc/cpuinfo | grep flags | grep lm
lm means Long Mode = 64 bit CPU
Also:
getconf LONG_BIT
Should display 32 or 64.
suphp-0.7.1 and DirectAdmin
Tue, 06/30/2009 - 16:56 — sandip
Recently upgraded a server running DirectAdmin to suphp-0.7.1 via Custombuild. However, I got a "500 Internal Server Error" on accessing sites running on php5-cgi, with the log entry below:
SecurityException in Application.cpp:511: Unknown Interpreter: php
The solution was to update the suphp.conf file as below:
Edit "/usr/local/suphp/etc/suphp.co
[handlers]
;Handler for php-scripts
x-httpd-php5=php:/usr/local/php5/bin/php-cgi
;Handler for CGI-scripts
x-suphp-cgi=execute:!self
to:
[handlers]
;Handler for php-scripts
x-httpd-php5="php:/usr/local/php5/bin/php-cgi"
;Handler for CGI-scripts
x-suphp-cgi="execute:!self"
Note the double quotes for the variables.
Running `./build rewrite_confs` should fix this issue as well.
Plesk rblsmtpd and smtp authentication
Tue, 06/30/2009 - 11:44 — sandip
On Debian with Plesk-8.2 installed, /etc/inetd.conf shows up with:
smtp stream tcp nowait.1000 root /var/qmail/bin/tcp-env tcp-env /usr/sbin/rblsmtpd -r bl.spamcop.net -r zen.spamhaus.org /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
Essentially, when the SMTP connection is made, rblsmtpd is handed the connection and does its DNSBL checking. It is then responsible for either executing the next program (relaylock) if there is no match, or handling the connection itself if it does find a match. Thus SMTP authentication never takes place if your IP is listed in the PBL.
On checking Parallels Forum, I came across this post, which suggested:
If you use a dnsrbl in Plesk that lists the IP of someone trying to connect to your server to send email then they will not be able to use your server for smtp on port 25. The dnsrbl will block their attempts. This is normal and expected behaviour in Plesk.
The instructions you read about using authenticated smtp to get around the problem do not apply to the default installation of Plesk (and other similar setups). The idea of the instructions you read is that by using authenticated smtp you will bypass the dnsrbl, and therefore will not be blocked. This does not happen with the default installation of Plesk so the instructions won't work (they are rather simplistic).
The solution in Plesk 8.4 is a simple one. Enable the "submission" option in Plesk, ask your customers to change to port 587 from port 25 in their email clients and require them to use smtp authentication (remember to open up your firewall for port 587 too). This basically creates a second smtp instance listening on port 587 instead of port 25, does not have any dnsrbl blocking and REQUIRES users to use smtp authentication in order to be able to use it. No spam will come via that port because a) server to server email transfer happens on port 25 and b) it requires authentication.
(A similar solution will work in earlier versions of Plesk but rather than ticking a box in the control panel to get it to happen you have to copy a single file and edit two lines in it, but it works just as well and basically does the same thing)
The other option you can go for is to install spamdyke (search the forum for step by step instructions) which does bypass all dnsrbls when smtp authentication takes place. Note that when you use spamdyke you will not be able to use pop-before-relay authentication, and that you set up dnsrbls within spamdyke's configuration files, not via Plesk. spamdyke does add a whole plethora of additional anti-spam measures, however, and it is well worth installing if you don't need pop-before-relay.
Since my version of Plesk is older, I put the lines below in /etc/inetd.conf and restarted inetd.
# Submission port 587 without dnsblcheck
submission stream tcp nowait.1000 root /var/qmail/bin/tcp-env tcp-env /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
Now, using port 587 instead of port 25, users are able to authenticate and send email via the SMTP/Submission server.
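To see at a glance which inetd services run the DNSBL check before SMTP AUTH, the chains can be parsed. This is an added example, not part of the original post: audit_inetd and sample_inetd are hypothetical names, and the sample input is the two inetd.conf lines quoted above.

```shell
#!/bin/sh
# Added example: report the ordering of DNSBL and SMTP AUTH in inetd chains.

# Read inetd.conf on stdin; print "<service> <verdict> <dnsbl zones>".
audit_inetd() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        $1 == "smtp" || $1 == "submission" {
            rbl = 0; auth = 0; zones = ""
            for (i = 6; i <= NF; i++) {           # field 6 onward: program + args
                if ($i ~ /\/rblsmtpd$/)  rbl  = i
                if ($i ~ /\/smtp_auth$/) auth = i
                if ($i == "-r" && rbl && !auth && i < NF)
                    zones = zones (zones == "" ? "" : ",") $(i + 1)
            }
            # rblsmtpd earlier in the chain: listed IPs never reach smtp_auth
            if (rbl && auth && rbl < auth) verdict = "dnsbl-before-auth"
            else if (auth)                 verdict = "auth-only"
            else                           verdict = "no-auth"
            print $1, verdict, (zones == "" ? "-" : zones)
        }'
}

# Sample input: the smtp and submission entries from the post.
sample_inetd() {
    cat <<'EOF'
smtp stream tcp nowait.1000 root /var/qmail/bin/tcp-env tcp-env /usr/sbin/rblsmtpd -r bl.spamcop.net -r zen.spamhaus.org /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
# Submission port 587 without dnsblcheck
submission stream tcp nowait.1000 root /var/qmail/bin/tcp-env tcp-env /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
EOF
}

sample_inetd | audit_inetd
```

Against a live server, run: audit_inetd < /etc/inetd.conf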
ways to continue run command after shell exit
Tue, 06/30/2009 - 10:46 — sandip
screen:
screen -dmS <screen_name> <command>
exit

nohup <command> &
exit

echo "<command>" | at now
exit

<command> &
disown -h
exit
Rewriting Sender addresses for Entire Domain in Sendmail
Sun, 06/28/2009 - 23:13 — sandip
Edit /etc/mail/sendmail.mc and add the below lines replacing domain.tld with the actual domain name:
dnl # BEGIN: Rewriting Sender addresses for Entire Domain
dnl #
dnl # Process login names through the genericstable
FEATURE(`genericstable', `hash -o /etc/mail/genericstable.db')dnl
dnl # Interpret the value in G as a domain name
FEATURE(generics_entire_domain)dnl
dnl # masquerade not just the headers, but the envelope as well
FEATURE(masquerade_envelope)dnl
dnl # Load domain.tld into G
GENERICS_DOMAIN(domain.tld)dnl
dnl #
dnl # END: Rewriting Sender addresses for Entire Domain
web1_user1 user1@domain.tld
web1_user2 user2@domain.tld
web1_user3 user3@domain.tld
# makemap hash /etc/mail/genericstable < /etc/mail/genericstable
Feature "genericstable" tells sendmail to use the generics table.
Feature "generics_entire_domain" allows adding hosts to genericstable without having to rebuild sendmail.cf.
Feature "masquerade_envelope" applies the rewriting process to the mail envelope as well as to the mail header.
"GENERICS_DOMAIN" defines the domains to which you wish to apply the generics table.
OpenVZ x86_64 Custom Config
Sun, 06/21/2009 - 00:43 — sandip
vzpkgcache seems to have been broken by the latest CentOS-5.3 upgrade. Below are notes to fix it:
cd /usr/share/vzpkgtools/vzrpm44/lib/python2.4/site-packages/rpm
cp /usr/lib64/python2.4/site-packages/rpm/_rpmmodule.so .
Edit the file /usr/share/vzpkg/cache-os line 154, append:
mkdir -p $VE_ROOT/var/lib/yum/ || abort "Can't create /var/lib/yum"
Edit the file /usr/share/vzpkg/functions line 20, change to:
VZLIB_SCRIPTDIR=/usr/lib64/vzctl/scripts
Run this to update the cached template:
vzpkgcache centos-5-x86_64-minimal
getent to check user and group
Thu, 06/18/2009 - 17:01 — sandip
To check if a user or group exists in the passwd and group files:
getent passwd <user_name>
getent group <group_name>
You could also grep the corresponding files, but this is a much cleaner way of getting entries from administrative database where database is one of aliases, ethers, group, hosts, netgroup, networks, passwd, protocols, rpc, services or shadow.
uw-imap custom mail folder configuration
Tue, 06/16/2009 - 17:07 — sandip
To allow a custom mailbox folder for an individual user:
Add/Edit "/etc/c-client.cf":
set allow-user-config 1
Add/Edit "~/.imaprc" for corresponding user:
set mail-subdirectory mail
All corresponding email files will now reside in the ~/mail folder for the corresponding user.
Setup secure ProFTPd
Fri, 06/12/2009 - 14:42 — sandip
FTP can be secured by connecting over FTPS. Below is a configuration that supports such a setup using TLS/SSL.
I usually use the epel repository to install proftpd:
yum --enablerepo=epel install proftpd
Configure for tls/ssl connection:
<IfModule mod_tls.c>
TLSEngine                  on
TLSRequired                off
TLSRSACertificateFile      /etc/pki/tls/proftpd/server.cert.pem
TLSRSACertificateKeyFile   /etc/pki/tls/proftpd/server.key.pem
TLSVerifyClient            off
TLSRenegotiate             required off
TLSLog                     /var/log/proftpd/tls.log
</IfModule>
chroot and bindsocket to listen to single IP:
SocketBindTight            on
DefaultRoot                ~
Setup passive ftp ports:
<Global>
...
...
PassivePorts 50000 51000
</Global>
Create the certs:
mkdir -p /etc/pki/tls/proftpd
cd /etc/pki/tls/proftpd
openssl req -new -x509 -days 9999 -nodes -out server.cert.pem -keyout server.key.pem
Create /etc/pam.d/ftp so PAM can authenticate for proftpd:
#%PAM-1.0
auth       required     pam_unix.so     nullok
account    required     pam_unix.so
session    required     pam_unix.so
Add "/bin/false" to "/etc/shells" file and use it as the shell type when creating new users:
useradd -s /bin/false <ftp_user>