planetbackup has a uid 0 account

cPanel bugs me with this message every day on several servers. It seems to come from the tool theplanet.com uses to handle backups.

I don't understand, though, why it needs uid 0, or why the word "OwN3D" is in the message. This does not look very professional.

Anyway, to get past this you can run:

sed -i 's/$user ne "planetbackup"/$user ne "toor" \&\& $user ne "admin"/g' /scripts/hackcheck; echo "/scripts/hackcheck" >> /etc/cpanelsync.exclude

(The `&&` in the replacement must be escaped as `\&\&`, otherwise sed expands each `&` to the matched text.)

This is the full email warning:


IMPORTANT: Do not ignore this email.
This message is to inform you that the account planetbackup has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should
verify that your system has not been compromised.
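The email asks you to verify that no unexpected uid 0 accounts exist. As an added example (not part of the original post and not cPanel's hackcheck script), here is that check in Python: it parses passwd-format entries and lists every account resolving to uid 0 that is not on an allowlist. The passwd content below is constructed.

```python
"""List uid-0 accounts in passwd-format data (added example, not cPanel's hackcheck)."""

# Constructed sample in /etc/passwd format; 'planetbackup' mirrors the account
# the cPanel warning complains about.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
planetbackup:x:0:0:Backup agent:/home/planetbackup:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
"""

DEFAULT_ALLOWED = frozenset({"root"})


def find_uid0_accounts(passwd_text, allowed=DEFAULT_ALLOWED):
    """Return [(name, shell)] for every uid-0 account whose name is not in `allowed`.

    The uid field is compared numerically, so entries such as '00' or '000'
    (which the C library also resolves to uid 0) are caught as well.
    """
    findings = []
    for lineno, raw in enumerate(passwd_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd entry on line %d: %r" % (lineno, raw))
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if uid.isdigit() and int(uid) == 0 and name not in allowed:
            findings.append((name, shell))
    return findings


def scan_passwd_file(path="/etc/passwd", allowed=DEFAULT_ALLOWED):
    """Run the same check against a real passwd file on the host."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_uid0_accounts(fh.read(), allowed)


if __name__ == "__main__":
    for name, shell in find_uid0_accounts(SAMPLE_PASSWD):
        print("uid 0 account outside allowlist: %s (shell %s)" % (name, shell))
```

If the backup tool's account is expected, add it to the allowlist explicitly rather than disabling the check; any other uid-0 entry, especially one with a login shell, deserves a closer look.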

Amazon IAM – Identity and Access Management

I found out about IAM (Identity and Access Management) recently while I was looking for a way to avoid handing out the email/password of my AWS account. IAM turns out to be pretty easy to use:

1. You add a group in which you define the rights. Here you can select one or more of the default policies (Administrator full access, Read only, EC2 full access, EC2 read only, etc.) or define custom policies by adding the rules in the Custom profile page. I've selected the default EC2 full access, which looks like:

{
  "Statement": [
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*"
    }
  ]
}

2. Once the group is defined, the next step is to add users to it. Once the user name is defined, an Access Key ID and Secret Access Key will be generated. You also need to define a password for the newly created account here.

3. The final step is to test this by accessing a URL like https://xxxxxxxxx.signin.aws.amazon.com/console, where xxxxxxxxx is your AWS account ID (you find it on your "Security credentials" page).
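To see what the EC2 full access policy above actually grants (and, just as important, what it does not), here is a small policy evaluator in Python. It is an added example, not AWS code and not from the original post; it implements only the core IAM rules (implicit deny, explicit Deny beats Allow, glob matching on Action/NotAction and Resource) and ignores Conditions and Principals. The second policy and the account id 111122223333 are constructed placeholders.

```python
"""Minimal IAM policy evaluator (added example; not AWS code and not the post's)."""
import fnmatch
import json

# The "EC2 full access" policy shown in the post, embedded as a sample.
EC2_FULL_ACCESS = json.loads("""
{
  "Statement": [
    {"Action": "ec2:*", "Effect": "Allow", "Resource": "*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "autoscaling:*", "Resource": "*"}
  ]
}
""")

# A tighter, constructed policy: read-only EC2 plus an explicit Deny on one
# group of instance ARNs (111122223333 is a placeholder account id).
EC2_READ_ONLY_GUARDED = {
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:*",
         "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-prod*"},
    ]
}


def _as_list(value):
    """Action/Resource may be a single string or a list of strings."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _any_match(patterns, candidate, ignore_case):
    """Glob match ('ec2:Describe*'); IAM action names are case-insensitive."""
    if ignore_case:
        return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def is_allowed(policy, action, resource="*"):
    """Simplified IAM decision: implicit deny unless some statement allows,
    and any matching explicit Deny overrides every Allow."""
    allowed = False
    for stmt in policy.get("Statement", []):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            raise ValueError("Effect must be Allow or Deny, got %r" % effect)
        if "Action" in stmt:
            action_hit = _any_match(_as_list(stmt["Action"]), action, True)
        else:  # NotAction: the statement applies to everything *except* these
            action_hit = not _any_match(_as_list(stmt.get("NotAction")), action, True)
        resource_hit = _any_match(_as_list(stmt.get("Resource", "*")), resource, False)
        if not (action_hit and resource_hit):
            continue
        if effect == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for act in ("ec2:RunInstances", "cloudwatch:PutMetricData", "iam:CreateUser", "s3:GetObject"):
        print("%-26s %s" % (act, "ALLOW" if is_allowed(EC2_FULL_ACCESS, act) else "deny"))
```

The point for the setup described in the post: a user in the EC2 full access group can do anything in EC2 but gets an implicit deny on IAM, S3 and every other service, so the shared root credentials never need to leave your hands.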


Qmail SMTP Relay

If you have a Qmail server and you want to allow a specific IP to send emails (relay) through it, all you have to do is add the following to /etc/tcprules.d/tcp.smtp:

IP:allow,RELAYCLIENT="",RBLSMTPD="",NOP0FCHECK="0",DKSIGN="/var/qmail/control/domainkeys/domain.com/dkim1"

Where IP is the IP of your remote email server. You can also specify a prefix like aaa.bbb.ccc.:allow,RELAYCLIENT="" which matches every address starting with aaa.bbb.ccc.

After this you have to run :

tcprules /etc/tcprules.d/tcp.smtp.cdb /etc/tcprules.d/tcp.smtp.tmp < /etc/tcprules.d/tcp.smtp
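Since a wrong prefix in tcp.smtp turns the server into an open relay, it helps to be able to answer "who can relay through this file?" before running tcprules. The Python below is an added example (not part of the post and not ucspi-tcp code): it parses tcp.smtp lines and reproduces tcpserver's documented lookup order (exact IP, then prefixes from longest to shortest, then the default empty rule) to say whether a connecting IP gets RELAYCLIENT. The tcp.smtp content and addresses are constructed.

```python
"""Evaluate tcprules-style rules (tcp.smtp) for a connecting IPv4 address (added example)."""
import re

# Constructed tcp.smtp sample; 192.0.2.x, 198.51.100.x and 203.0.113.x are
# documentation ranges, not real servers.
SAMPLE_TCP_SMTP = """\
# loopback may always relay
127.:allow,RELAYCLIENT=""
# a single remote mail server, as in the post
192.0.2.10:allow,RELAYCLIENT="",RBLSMTPD="",NOP0FCHECK="0"
# a whole /24 granted relay via the 'aaa.bbb.ccc.' prefix form
198.51.100.:allow,RELAYCLIENT=""
# a host that is not welcome at all
203.0.113.7:deny
# default: accept the connection, but do not relay
:allow
"""

_ASSIGNMENT = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')


def parse_tcprules(text):
    """Parse 'address:allow|deny[,VAR="value"...]' lines into {address: (action, env)}."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, sep, instruction = line.partition(":")
        if not sep:
            raise ValueError("line %d: missing ':' separator" % lineno)
        action, _, assignments = instruction.partition(",")
        if action not in ("allow", "deny"):
            raise ValueError("line %d: action must be allow or deny, got %r" % (lineno, action))
        env = {name: value for name, value in _ASSIGNMENT.findall(assignments)}
        rules[address] = (action, env)
    return rules


def lookup(rules, ip):
    """Mimic tcpserver's lookup order: exact IP, then prefixes 'a.b.c.', 'a.b.',
    'a.', then the default rule ''. With no match at all tcpserver accepts the
    connection with no variables set, which is why tcp.smtp files end with an
    explicit ':allow' default."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("expected dotted-quad IPv4 address, got %r" % ip)
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in candidates:
        if key in rules:
            return rules[key]
    return ("allow", {})


def can_relay(rules, ip):
    """True only if the connection is allowed *and* RELAYCLIENT is set for it."""
    action, env = lookup(rules, ip)
    return action == "allow" and "RELAYCLIENT" in env


if __name__ == "__main__":
    rules = parse_tcprules(SAMPLE_TCP_SMTP)
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.200", "203.0.113.7", "127.0.0.1"):
        print(ip, lookup(rules, ip)[0], "relay" if can_relay(rules, ip) else "no relay")
```

Note that the prefix form is purely textual: "198.51.100." covers 256 addresses, and a prefix like "198." would hand relay rights to roughly 16 million hosts, so keep prefix rules as long as possible.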

Nginx + php 5.2.17 + php-fpm

Download the needed packages and store them in /usr/src:

http://us.php.net/distributions/php-5.2.17.tar.gz
http://php-fpm.org/downloads/php-5.2.17-fpm-0.5.14.diff.gz
http://nginx.org/download/nginx-1.1.0.tar.gz

Then run:

tar -xvzf php-5.2.17.tar.gz
gzip -cd php-5.2.17-fpm-0.5.14.diff.gz | sudo patch -d php-5.2.17 -p1
cd php-5.2.17
./configure --enable-fastcgi --enable-fpm --with-mcrypt --with-zlib --enable-mbstring --enable-pdo --with-curl --disable-debug --with-pic --disable-rpath --enable-inline-optimization --with-bz2 --enable-xml --with-zlib --enable-sockets --enable-sysvsem --enable-sysvshm --enable-pcntl --enable-mbregex --with-mhash --with-xsl --enable-zip --with-pcre-regex --with-gd --without-pdo-sqlite --with-pdo-mysql --without-sqlite --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --with-mysql --enable-bcmath --enable-calendar --enable-exif --enable-ftp --with-gettext --with-imap --with-mysqli --with-openssl --with-kerberos --with-imap-ssl --enable-dbase --with-gmp --enable-shmop --enable-wddx

make all install

Note that you can add --prefix to install the binaries in a different location than the default one.

After compilation is done:

strip /usr/local/bin/php-cgi
cp sapi/cgi/fpm/php-fpm /etc/init.d/
chmod +x /etc/init.d/php-fpm

cp /usr/src/php-5.2.17/php.ini-recommended /usr/local/lib/php.ini
mkdir /etc/php/
ln -s /usr/local/lib/php.ini /etc/php/php.ini
ln -s /usr/local/etc/php-fpm.conf /etc/php/php-fpm.conf

Make sure you edit /etc/php/php-fpm.conf and set the proper user/group (and permissions, if needed).

Then compile Nginx:

tar zxvf nginx-1.1.0.tar.gz
cd nginx-1.1.0
./configure --sbin-path=/usr/local/sbin --with-http_ssl_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module
make && sudo make install

Likewise, you can change the --prefix here.

Plesk 10 nginx reverse proxy configuration in front of Apache

On older Plesk version (

websrvmng --set-http-port --port=8080

Starting with Plesk 10 this is not so easy, since you have to edit a PHP template file, /usr/local/psa/admin/conf/templates/default/domain/domainVirtualHost.php. In my case, instead of:

<VirtualHost <?php echo $VAR->domain->physicalHosting->ipAddress->address ?>:<?php echo $OPT['ssl'] ? $VAR->server->webserver->httpsPort : $VAR->server->webserver->httpPort ?>>
ServerName "<?php echo $VAR->domain->asciiName ?>:<?php echo $OPT['ssl'] ? $VAR->server->webserver->httpsPort : $VAR->server->webserver->httpPort ?>"

I’ve set :

<VirtualHost <?php echo $OPT['ipAddress']->escapedAddress ?>:<?php echo $OPT['ssl'] ? 8043 : 8080 ?>>
ServerName "<?php echo $VAR->domain->asciiName ?>:<?php echo $OPT['ssl'] ? 8043 : 8080 ?>"


Where 8043 will be the new https port and 8080 the new http port.

After this change I had to run:

/usr/local/psa/admin/bin/httpdmng --reconfigure-all

Note that this is only for Plesk 10.x. On 9.x we used to have:

/usr/local/psa/admin/sbin/websrvmng --reconfigure-all

After this, make sure Apache's configuration (/etc/httpd/conf/httpd.conf) has Listen 8080 instead of Listen 80, and that /etc/httpd/conf.d/ssl.conf has Listen 8043 instead of Listen 443.

Then you need to install nginx (yum install nginx) and download the zip file provided by grafxsoftware at http://www.grafxsoftware.com/download/nginx/nginx_setup.zip. You can also check their how-to at http://www.grafxsoftware.com/faq.php/HOW-TO-configure-PLESK-with-NGinx-proxy-reverse/1/1/.

Once downloaded run:

sh generate_nginx_conf.sh

Verify with "nginx -t" that there isn't any error and finally restart the involved services:

service httpd restart
service nginx restart

Make sure that 8043 and 8080 accept connections. (Note that it's not necessary to change the https port.)

Puppet howto Ubuntu

I'm using two Ubuntu Lucid 10.10 machines for this setup.

On the server run:

apt-get install puppetmaster

At the time of writing, version 2.6.1 is available in the repos.

On the client run:

apt-get install puppet

Note that /etc/hosts needs to contain the IP and host name of both client and server, e.g.:

10.0.0.30 depot.server.org depot
10.0.0.31 n1.server.org n1

Create a default manifest file (/etc/puppet/manifests/site.pp) and put in it:

class test_class {
    file { "/tmp/test":
        ensure => present,
        mode   => 644,
        owner  => root,
        group  => root
    }
}

# tell puppet on which client to run the class
node n1 {
    include test_class
}

Then on the server run:

/etc/init.d/puppetmaster start

and on the client:

puppetd --server depot.server.org --waitforcert 60 --test

After this you should see a new host on the server when running:

puppetca --list

To sign this host, run on the server:

puppetca --sign n1.server.org

After this on the client side /tmp/test should be created.

Centos 6.0 XenServer templates

To add templates for CentOS 6.0 you can clone the RHEL 6.0 templates (the inner xe template-list call looks up the template UUID, so it has to run as a command substitution):

For CentOS 32 bit run:

xe vm-clone uuid=$(xe template-list name-label="Red Hat Enterprise Linux 6 (32-bit)" --minimal) new-name-label="CentOS 6.0 (32-bit)"

For CentOS 64 bit run:

xe vm-clone uuid=$(xe template-list name-label="Red Hat Enterprise Linux 6 (64-bit)" --minimal) new-name-label="CentOS 6.0 (64-bit)"