Posts Tagged ‘CentOS’

Quick Way to Update Fail2ban jail.conf file

September 3rd, 2009

There are plenty of settings in that file, especially if you are running CentOS 5.3 with the latest patches and fail2ban from the Atomic repository. Here is a short list of the steps that I follow when setting up new servers:

1. Set up sendmail to start on boot. Make sure it can send emails correctly (reverse DNS records, hostname configuration, etc.).

2. Make sure that fail2ban starts on boot (I use ntsysv for that).

3. Edit the jail.conf file: type vi /etc/fail2ban/jail.conf

4. Change the ban and find times for increased security:

bantime = 86400
findtime = 3600

5. After you save and exit, change all the destination emails to go to root, which will then be forwarded to you:

sed -i 's/' /etc/fail2ban/jail.conf

6. Add a .forward so that all of root's emails go to your address:

echo "" > ~/.forward

7. Restart fail2ban:

service fail2ban restart
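Steps 4 and 5 as one repeatable shell function, added here as an example and not the post's own sed: it rewrites bantime, findtime and every destination email in a jail.conf, keeps a backup, and can be run twice without changing anything the second time. It assumes the fail2ban 0.8 `key = value` layout, where recipients appear both as `destemail = ...` and as `dest=...` inside action lines; the sample jail.conf it edits is constructed, so nothing on the real system is touched.

```shell
#!/bin/sh
# Added example: tune fail2ban's jail.conf the way the post does (bantime 86400,
# findtime 3600, all destination emails -> root), idempotently and with a backup.
# Assumes the fail2ban 0.8 "key = value" syntax; the sample file below is constructed.

# set_key FILE KEY VALUE : rewrite every "KEY = ..." line (any spacing) to "KEY = VALUE"
set_key() {
    sed -i "s/^[[:space:]]*$2[[:space:]]*=.*/$2 = $3/" "$1"
}

# tune_jail FILE : apply the three changes, keeping a .bak copy of the file as it was
tune_jail() {
    cp -p "$1" "$1.bak"
    set_key "$1" bantime 86400      # 24h ban instead of the default 10 minutes
    set_key "$1" findtime 3600      # count failures over the last hour
    set_key "$1" destemail root     # alerts go to root, which ~/.forward relays
    sed -i 's/dest=[^],]*/dest=root/g' "$1"   # recipients given inline in action lines
}

# get_key FILE KEY : print the value of the first "KEY = value" line
get_key() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# count_key FILE KEY VALUE : number of "KEY = VALUE" lines in FILE
count_key() {
    grep -c "^$2 = $3\$" "$1"
}

# make_sample FILE : constructed jail.conf, minimal but in the real file's shape
make_sample() {
    cat > "$1" <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 600
findtime  = 600
maxretry = 3
destemail = root@localhost

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@mail.com]
logpath  = /var/log/secure
maxretry = 5

[proftpd-iptables]
enabled  = false
destemail = admin@example.org
EOF
}

# On a real box (as root): tune_jail /etc/fail2ban/jail.conf && service fail2ban restart
```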

Web Application Hosting

Performance Optimized httpd.conf for Magento eCommerce

August 31st, 2009

If you ever run Magento eCommerce on your servers you know that it requires some serious horsepower. It is just the nature of the beast: with XML configuration, the use of the Zend Framework, and the MVC design, no page load is trivial. I realize that there are many lighter web servers and other alternatives out there; however, I always stick with the safest and most reliable option, which usually happens to be the most popular one: httpd. Here is an optimized httpd.conf targeting a dedicated box running only httpd (no MySQL) and Magento:

A couple of assumptions first:

  • You are running CentOS (I did not test any other distros)
  • You have httpd installed
  • You have lots of RAM (this server has 16GB of RAM)
  • This is a dedicated box
  • You know what you are doing…

Download the file, back up and replace your httpd.conf, then restart httpd:

cp /etc/httpd/conf/httpd.conf ./httpd.conf.old
cat httpd.conf-magento > /etc/httpd/conf/httpd.conf

Once done, you will also need to update the vhosts area near the bottom of the file. In case you want it, here is a direct link to the file:

Web Application Hosting

Howto setup iptables for www and db(mysql) on linux

August 24th, 2009

Since I provide fully managed hosting services to a select group of clients, I have set up iptables more times than I can count. After a while I tend to automate common tasks, and in the case of iptables that can easily be done by downloading and running a shell script. So I created these two shell scripts, each targeting a specific server role: one for WWW servers and the other for dedicated DB servers.

Here are a couple of assumptions:

  • You are using a Linux server
  • iptables is installed and running
  • You have root access to the server (or enough privileges to run these commands)
  • Not a must, but I only tested these scripts on CentOS servers (and many of them…)
  • You know what you are doing!

The scripts simply clear the current iptables settings, add the open ports as necessary and restart the iptables service. In the case of WWW, ports 22, 80, and 443 (SSL) are opened. In the case of MySQL, ports 22 and 3306 are opened, and if you wish you can uncomment a line in there to restrict access to a specific set of IPs. On a dedicated server you may only want the corresponding WWW server to be able to access the MySQL server. Here are the steps, divided by the type of server:

Setting iptables on a WWW server:

chmod +x iptables-www

Setting iptables on a MySQL server:

chmod +x iptables-mysql

Note: there is absolutely no warranty that this will work; it is provided with the sole hope that it may save you a few minutes or a couple of hours.

Web Application Hosting

CentOS 5.3 Install Essentials

August 23rd, 2009

When I set up a new server, I typically install it with nothing checked in the package list of the installation process. I like running yum update first and then yum install for the packages that I absolutely need. Clean and mean is my favorite way to run a Linux server. Two main reasons are behind this. One is performance, which is a bit obvious: the less you have on the disk and running in the background, the faster the server. Two is security: the less software you have installed, the smaller your vulnerability “surface area”.

While installing clean is great, I do have a minimum set of tools that I usually need on any server. Most of these tools are small and do not require background services, so I install them almost by default. Check whether they suit your needs and use them at your discretion. Hint: the goal here is to copy and paste once a new server is installed.

(correction) Before I can use the next command I need to install wget:

yum install wget

Add the Atomic repository (newer versions of LAMP, some security packages):

wget -q -O - | sh

Install basic packages:

yum install unzip sendmail ntsysv fail2ban logrotate pdns

LAMP: Linux Apache MySQL PHP, Web Application Hosting

Block access to your dedicated server automatically if more than 3 failed logins

August 3rd, 2009

Lately I have been noticing a high level of cyberattack activity. In fact, a few of our servers got hit and had to be rebuilt. Of course, some of these servers were never built with security in mind. We did manage to save all the data and the rebuild took less than one day in total, so the end result is great overall: fully patched servers, a firewall, email alerts in place, and finally a way to automatically block failed logins. I’ll show you how to set up the last part; it is actually quite easy.

So, I assume you have a CentOS server. I am using CentOS 5.3 fully updated (yum update) and I have the atomicorp repository set up. Atomicorp is not necessary (it seems) but will allow you to use newer versions of PHP and other packages. The package that will do the work is called fail2ban. A simple install seems to take care of it for us:

yum install fail2ban

Let's make the service start automatically when the server is restarted; I use ntsysv for this:

ntsysv (hit enter, select the service, make sure it has a star inside the brackets, and click 'ok')

Let's start the service:

service fail2ban start

Here I recommend setting up an auto-forward of root's emails to you:

echo '' > ~/.forward

You should be all set. Check the log files once a week after the install to see if the service actually blocked potential hackers. Let me know if this worked for you, or if you are using a better package.
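The weekly log check suggested above, as an added shell example that is not part of the post: it summarises the Ban lines of a fail2ban log by jail and by source address, and lists addresses that came back after their ban expired. The line format assumed is fail2ban 0.8's `YYYY-MM-DD HH:MM:SS,ms fail2ban.actions: WARNING [jail] Ban <ip>`, the default log path is assumed to be /var/log/fail2ban.log, and the sample log is constructed.

```shell
#!/bin/sh
# Added example: summarise what fail2ban actually blocked, from its log.
# Log line shape assumed (fail2ban 0.8.x):
#   2009-08-03 10:15:02,113 fail2ban.actions: WARNING [ssh-iptables] Ban 192.0.2.10
# Fields: $1 date, $2 time, $3 logger, $4 level, $5 [jail], $6 action, $7 address.
# The sample log below is constructed; on a real server pass /var/log/fail2ban.log.

# bans_per_jail LOG : "<jail> <count>" lines, most-banned jail first
bans_per_jail() {
    awk '$3 == "fail2ban.actions:" && $6 == "Ban" {
             j = substr($5, 2, length($5) - 2); n[j]++ }
         END { for (j in n) print j, n[j] }' "$1" | sort -k2,2nr -k1,1
}

# top_sources LOG N : the N addresses banned most often, as "<ip> <count>"
top_sources() {
    awk '$3 == "fail2ban.actions:" && $6 == "Ban" { n[$7]++ }
         END { for (ip in n) print ip, n[ip] }' "$1" | sort -k2,2nr -k1,1 | head -n "$2"
}

# repeat_offenders LOG : addresses banned more than once, i.e. they returned after the
# ban expired (the case a longer bantime is meant to cover)
repeat_offenders() {
    awk '$3 == "fail2ban.actions:" && $6 == "Ban" { n[$7]++ }
         END { for (ip in n) if (n[ip] > 1) print ip }' "$1" | sort
}

# bans_between LOG FROM TO : number of bans with FROM <= date < TO (dates as YYYY-MM-DD,
# compared as strings, which works for this fixed-width format)
bans_between() {
    awk -v from="$2" -v to="$3" \
        '$3 == "fail2ban.actions:" && $6 == "Ban" && $1 >= from && $1 < to { c++ }
         END { print c + 0 }' "$1"
}

# make_sample_log FILE : constructed week of log lines, including non-ban noise
make_sample_log() {
    cat > "$1" <<'EOF'
2009-07-28 03:12:44,001 fail2ban.actions: WARNING [ssh-iptables] Ban 198.51.100.7
2009-07-28 03:22:45,002 fail2ban.actions: WARNING [ssh-iptables] Unban 198.51.100.7
2009-07-30 11:01:09,003 fail2ban.actions: WARNING [ssh-iptables] Ban 192.0.2.10
2009-07-30 11:11:10,004 fail2ban.actions: WARNING [ssh-iptables] Unban 192.0.2.10
2009-07-30 12:40:31,005 fail2ban.actions: WARNING [ssh-iptables] Ban 192.0.2.10
2009-07-31 08:05:17,006 fail2ban.actions: WARNING [proftpd-iptables] Ban 203.0.113.5
2009-07-31 09:00:00,007 fail2ban.filter: INFO Log rotation detected for /var/log/secure
2009-08-02 23:59:58,008 fail2ban.actions: WARNING [ssh-iptables] Ban 198.51.100.7
EOF
}

# Weekly check on a real server (path assumed):
#   bans_per_jail /var/log/fail2ban.log; repeat_offenders /var/log/fail2ban.log
```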

Web Application Hosting

Recommended: Visual SVN Server, now with Subversion 1.6

March 27th, 2009

Sometimes we are so busy with our projects that we miss interesting changes, some of which may influence us positively. Here is a change that I wanted to share with you: Subversion 1.6 and Visual SVN Server.

In the last three years we have used both VSS, which integrates seamlessly with Microsoft’s Visual Studio, of course, and Subversion, which can be handled simply from the Windows Explorer window or by using the simple but useful Subversion client. Through our development years, it was Subversion that took over all our source code repositories. It was simple to use, great to manage, and most importantly, reliable.

Just recently I needed to use the ‘merge’ feature and I discovered that it was only available in version 1.5 and later. So, I went on to try upgrading the Subversion binaries to the latest stable release on an Ubuntu server. If you have been reading my blog, you already know that I do not like Ubuntu; well, this is the only Ubuntu server left in our arsenal. To make a long story short, after trying to upgrade but giving up since it requires a major Ubuntu release upgrade, I decided that I should look elsewhere. This is where I turned to Visual SVN Server.

After purchasing a copy of Visual SVN, which is a great little plugin for Visual Studio that lets you integrate with your Subversion repository seamlessly and efficiently, we noticed that the same company created Visual SVN Server. Hence, I tried it. I can start by saying that it was well worth it. Yes, Linux is great, but for the simple stuff that we do with SVN a Windows box will do just fine. Not to mention that with Ubuntu it is a nightmare, and waiting for CentOS to adopt the latest version of Subversion may take some time; Visual SVN Server is very convenient. If you check their download page, the latest downloadable version is already using Subversion 1.6. Great!

So, if you are looking to build a Subversion repository or need to upgrade for features or bug fixes, I strongly recommend Visual SVN Server.

By the way, moving your existing repositories is a no-brainer, especially with Visual SVN’s repository import feature.

Web Development

Tightening up iptables for a dedicated DB server (MySQL and CentOS)

March 25th, 2009

In a typical high-performing web server environment I have a few web servers running Apache/PHP and a separate DB server to support them. If the need ever comes to increase the capacity of the DB server, it can easily be done via the MySQL clustering configuration. In any case, one of the most repetitive tasks before setting up all the servers is tightening the security. In particular, setting up the firewall is something I do over and over. Hence I am setting this page up as a guide for myself and anyone who cares. Enjoy!

  1. SSH to the server, login as root
  2. type vi myiptables-mysql
  3. Insert the following commands:
    NOTE: you will need to insert the web servers’ IP addresses where I placed <ip address#>. These are the IP addresses that MySQL queries will originate from.

    #!/bin/sh
    # iptables example configuration script for a dedicated MySQL server
    # Flush all current rules from iptables (the filter table)
    iptables -F
    # Allow SSH connections on tcp port 22
    # This is essential when working on remote servers via SSH to prevent locking yourself out of the system
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    # Allow MySQL (port 3306, named "mysql" in /etc/services) on the loopback interface
    iptables -I INPUT 1 -i lo -p tcp --dport mysql -j ACCEPT
    iptables -I INPUT 2 -i lo -p udp --dport mysql -j ACCEPT
    # Allow MySQL on eth0 only from the web servers, one rule per address
    # (inserting at position 3 twice simply puts the second rule in front of the first)
    iptables -I INPUT 3 -i eth0 -p tcp --dport mysql -s <ip address1> -j ACCEPT
    iptables -I INPUT 3 -i eth0 -p tcp --dport mysql -s <ip address2> -j ACCEPT
    # Set default policies for INPUT, FORWARD and OUTPUT chains:
    # anything not accepted by a rule above is dropped
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    # Set access for localhost
    iptables -A INPUT -i lo -j ACCEPT
    # Accept packets belonging to established and related connections
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Save settings so they survive a reboot
    /sbin/service iptables save
    # List rules
    iptables -L -v
  4. save and exit
  5. Allow the file to execute by typing this command: chmod +x myiptables-mysql
  6. Run the file by typing this command: ./myiptables-mysql
  7. Test it and Enjoy!

Security notice: yes, for even tighter security it is possible to change the ports.

LAMP: Linux Apache MySQL PHP, Web Development

pdnsd – Decrease DNS response time and save bandwidth

December 25th, 2008

Sometimes, when you realize that you could have improved the system with so little effort, you blush. This is what happened to me when I realized that most of the networking delays could have been avoided with this tiny but witty utility. I knew that a local caching DNS or the like was the answer, but I did not want to use a full-fledged DNS server. I found pdnsd, a small proxy DNS server with permanent caching. Perfect!

In a nutshell, pdnsd is a small utility that caches DNS translations locally on disk, hence the next time the server queries the address the response time is likely to be minimal. Usually, the server has to query your ISP’s DNS or whatever DNS server you specified in the /etc/resolv.conf file. On a high-performing web server you are constantly competing with other packets for your network resources, so this is a great advantage. By installing pdnsd you achieve the following:

  • Decrease the average DNS response time sharply!
  • Increase your server performance, especially if the server needs to communicate externally a lot, like an eCommerce server which constantly talks to shipping and credit card servers.
  • Save on bandwidth.

Here is how you go about setting up pdnsd on a CentOS server:

1. Download the latest stable rpm:
Go to the pdnsd download page and look for the rpm relevant to you. For CentOS 5.2 64-bit I got the latest version as of yesterday:


2. Install the rpm:

rpm -i pdnsd-1.2.7-par_sl5.x86_64.rpm

3. Configure pdnsd to use your current DNS servers:

vi /etc/pdnsd.conf

Paste the following; of course you should use your own DNS servers instead (the addresses below are placeholders):

server {
    ip = <dns server 1>, <dns server 2>;
}

4. Start pdnsd and test that it is actually working:

service pdnsd start
 dig @

If you get the IP, it is working. Notice the response time; if you try again you will see a sharp decrease. My servers’ second response time is almost always between 0 and 1 ms.

5. Set pdnsd to start automatically on boot

vi /etc/default/pdnsd

Enter the following and save:


Also make sure the daemon is set to auto start on boot. I use ‘ntsysv’, you can use chkconfig or whatever you are used to.

6. Set your server to use the pdnsd instead of your DNS servers

vi /etc/resolv.conf

Make sure that the first nameserver line is the one pointing at pdnsd. It should look like this:


7. Restart your network service:

service network restart

How do you know that it is working? Try any script that needs to go out to the network, like ‘yum update’. In most cases, you will notice that the second time is much faster. Enjoy!

LAMP: Linux Apache MySQL PHP, Performance Optimization, Web Application Hosting, Web Development

CentOS for Linux Servers: a cut above

November 30th, 2008

It has been almost a year since we started using CentOS for all of our new servers instead of Ubuntu Server, and it is a great success! This article describes the few reasons behind our transition from Ubuntu to CentOS. Of course, there is always something here and there, but 99% of the cases are resolved easily and actually have nothing to do with CentOS. If time permits we will transition all of our existing Linux boxes to CentOS 5.2. Oh, and yes, if you are looking for a solid Linux server distro, it is CentOS hands down.

We noticed that more and more hosting companies offer CentOS as their default distro, and recently CentOS can claim at least 1% of the world’s supercomputers. The support that is offered for CentOS is abundant at this point and clearly targets the more advanced system administrators out there. All in all it seems like CentOS is maturing as a great distro for Linux server purposes.

If you are curious, we are using CentOS 5.2 64-bit by default with no software installed (at all). If needed we use the LAMP stack and the Xen virtualization software, all from the CentOS default repositories.

So, what is your experience with CentOS out there?

LAMP: Linux Apache MySQL PHP, Web Development

About Linux Distros: Ubuntu and CentOS

April 13th, 2008

A few weeks ago, we set up a new production LAMP server to host a few of our clients’ sites, medium-size eCommerce websites. I wanted to share our experience as we came across the three big (and free) Linux distributions while we evaluated and set up the machines. We had previously set up Ubuntu Server 7.04 for our development and staging environment while researching the related family of North American Linux distributions: RedHat, Fedora and CentOS.

CentOS vs Ubuntu Install Screenshot

I’ll start with the positive: in the last few years Linux distributions in general have become mainstream operating systems and most of the installation process is user friendly. Almost every distro offers a ‘server’ edition of the OS which comes mostly configured with what a production LAMP server needs to have installed. The installation packages are clearly labeled for i386 or x64, and most even offer a net install, which in CentOS’s case only requires downloading about 7MB of ISO file; the rest is done on the fly.

Now, let’s delve into the differences that affected our decisions, labeled according to key points and in order of importance to us:

Setup Efficiency: ROI and Learning Curve

I had the experience of setting up both the Ubuntu server and CentOS server editions on two different machines. Both machines had similar configurations: two 500GB hard drives mirrored in hardware RAID 1 with a 3ware card, and an Intel Pro dual NIC. The rest of the hardware is pretty much standard Intel-based processors. Both Ubuntu and CentOS had no problem recognizing all the hardware on the machines and the setup process went pretty smoothly. The differences began showing after the initial setup: while CentOS shows an additional, very helpful setup (NIC assignments, firewall, and services setup), Ubuntu had no such thing and showed the login prompt right after boot. What I found surprising is that Ubuntu required additional steps in order to download and install SSH using aptitude; if one chooses a server edition, shouldn’t it be set up for you by default?

Although aptitude is a great package management tool, I have found that the server version of Ubuntu is just not mature enough, or simply chooses a minimalistic approach which doesn’t fit my understanding of a server distro. Many of the tasks that were performed by CentOS by default, or had options for them during the install, were missing in Ubuntu. At the end of the day, setting up Ubuntu took days while CentOS took hours. Did I say ROI? CentOS is the clear winner.

Package Management Systems

Ubuntu prides itself on apt-get and aptitude, which are built on top of the Debian package management system, while CentOS, Fedora and RedHat use the rpm and yum package management systems. After using all of them I can clearly say that I favor yum and rpm.

First, with apt-get/apt-cache/aptitude I had to constantly refer back to the documentation on Ubuntu’s site and I still cannot remember which one to use for searching, installing, upgrading, describing, or removing packages; do we really need the separation? Both yum and rpm simply take a separate option for each and you are good to go, all the information flows into the terminal, and it took me only one glance at ‘man yum’ to understand what and where.

Second, in the particular case of Apache, vhosts, and extensions, aptitude allows flexibility at the price of rearranging apache.conf and vhosts.conf into a collection of files and folders. Yum does a similar thing as well; however, I found that yum’s method keeps the original httpd.conf mostly intact, which allowed my familiarity with basic Apache configuration to take over and finalize the install in no time. In my opinion, the deviation from the standard has no benefit whatsoever. Flexibility comes at the price of familiarity, and yum had the upper hand in ease of use.

Third, setting up a package that requires dependencies is equally good in both systems: they both do a very good job of finding the dependencies, locating their download sources, installing and setting it all up. However, I did find that yum had the better reporting: after it gathered all the information it showed a useful status report while asking permission to proceed. This is valuable for sysadmins and it does save time. Once more, yum feels like the more mature package management system.

Production OS? Stability vs Cutting Edge

Here I wanted to introduce a bit of the feeling we all shared after setting it up, plus the feeling of some colleagues of mine whom I consider to be Linux admin gurus. At the end of the day, when all is set up and configured, the CentOS system felt much more secure and I knew exactly what was installed and what was not. Conversely, Ubuntu server did not give me that warm fuzzy feeling that ‘all is good’, and if I needed to make a change I would have to refer to documentation first before I touched the server.

When I ask some Linux guru colleagues who manage production Linux clusters on a regular basis, they all point to CentOS or RedHat due to their stability and performance record. In other words, you won’t get the latest cutting-edge packages like with Ubuntu or Fedora, but it is guaranteed to be much less flawed.


The bottom line is that distro preference is a personal decision. Personal to the individual who administers the systems and personal to the organization. We’ve chosen CentOS over Ubuntu, Fedora, and RedHat. The only option I see that might change is adopting RedHat due to the technical support that is offered for a fee. Hands down, CentOS provided the fastest configuration time, lowest learning curve, better ROI, superior package management system, and a good fuzzy feeling of stability. Thanks to CentOS, we can get back to our main passion: Web Development…

LAMP: Linux Apache MySQL PHP, Web Application Hosting