1. Setup sendmail to start on boot. Make sure it can send emails correctly (Reverse DNS records, hostname config, etc).

2. Make sure that fail2ban starts on boot (I use ntsysv for that).

3. Edit the jail.conf file, type vi /etc/fail2ban/jail.conf

4. Change the time for increased security:

bantime = 86400
findtime = 3600

5. After you save and exit, change all the destination emails to go to root which will then be forwarded to you:

sed -i 's/you@mail.com/root/g' /etc/fail2ban/jail.conf

6. Add a forward for all emails to root to your email:

echo "myemailaddress@mydomain.com" > ~/.forward

7. Restart fail2ban:

service fail2ban restart

Related Posts

• August 31, 2009 -- Performance Optimized httpd.conf for Magento eCommerce (0)
• August 24, 2009 -- Howto setup iptables for www and db(mysql) on linux (0)
• August 23, 2009 -- CentOS 5.3 Install Essentials (0)
• August 3, 2009 -- Block access to your dedicated server automatically if more than 3 failed logins (0)
• March 27, 2009 -- Recommended: Visual SVN Server, now with Subversion 1.6 (1)
• March 25, 2009 -- Tightening up iptables for a dedicated DB server (MySQL and CentOS) (1)
• December 25, 2008 -- pdnsd – Decrease DNS response time and save bandwidth (0)
• November 30, 2008 -- CentOS for Linux Servers: a cut above (0)
• April 13, 2008 -- About Linux Distros: Ubuntu and CentOS (9)

A couple of assumptions first:

• You are running CentOS (I did not test any other distros)
• You have httpd installed
• You have lots of RAM (this server has 16GB of RAM)
• This is a dedicated box
• You know what you are doing…

Download the file, copy over your httpd.conf, restart httpd:

wget http://www.activoinc.com/downloads/httpd.conf-magento
cp /etc/httpd/conf/httpd.conf ./httpd.conf.old
cat httpd.conf-magento > /etc/httpd/conf/httpd.conf

Once done, you will also need to update the vhosts area of the file near the bottom of it. In case you wanted, here is a direct link to the file: http://www.activoinc.com/downloads/httpd.conf-magento

Related Posts

• September 3, 2009 -- Quick Way to Update Fail2ban jail.conf file (0)
• August 24, 2009 -- Howto setup iptables for www and db(mysql) on linux (0)
• August 23, 2009 -- CentOS 5.3 Install Essentials (0)
• August 3, 2009 -- Block access to your dedicated server automatically if more than 3 failed logins (0)
• March 27, 2009 -- Recommended: Visual SVN Server, now with Subversion 1.6 (1)
• March 25, 2009 -- Tightening up iptables for a dedicated DB server (MySQL and CentOS) (1)
• December 25, 2008 -- pdnsd – Decrease DNS response time and save bandwidth (0)
• November 30, 2008 -- CentOS for Linux Servers: a cut above (0)
• April 13, 2008 -- About Linux Distros: Ubuntu and CentOS (9)

Here is a couple of assumptions:

• Using a linux server
• Has iptables installed and running
• You have root access to the server (or enough privileges to run these commands)
• Not a must, but I only tested these scripts on a CentOS server (and many of them…)
• You know what you are doing!

The scripts simply clears the current settings of your iptables, adds open ports as necessary and restarts the iptables service. In the case of WWW it opens the ports 22, 80, and 443 (SSL). In the case of MYSQL it opens the ports 22, and 3306 and if you wish you can uncomment a line in there to restrict access only to a specific set of IPs. In the case of a dedicated server you may only want the corresponding WWW server to be able to access the MYSQL server. Here are the steps, I will divide them by the type of the server:

Setting iptables on a WWW server:

wget http://www.activoinc.com/downloads/iptables-www
chmod +x iptables-www
./iptables-www

Setting iptables on a MySQL server:

wget http://www.activoinc.com/downloads/iptables-mysql
chmod +x iptables-mysql
./iptables-mysql

Note: there is absolutely no warranty that this will work, it is provided with the sole hope that it may save you a few minutes or a couple of hours.

Related Posts

• September 3, 2009 -- Quick Way to Update Fail2ban jail.conf file (0)
• August 31, 2009 -- Performance Optimized httpd.conf for Magento eCommerce (0)
• August 23, 2009 -- CentOS 5.3 Install Essentials (0)
• August 3, 2009 -- Block access to your dedicated server automatically if more than 3 failed logins (0)
• March 27, 2009 -- Recommended: Visual SVN Server, now with Subversion 1.6 (1)
• March 25, 2009 -- Tightening up iptables for a dedicated DB server (MySQL and CentOS) (1)
• December 25, 2008 -- pdnsd – Decrease DNS response time and save bandwidth (0)
• November 30, 2008 -- CentOS for Linux Servers: a cut above (0)
• April 13, 2008 -- About Linux Distros: Ubuntu and CentOS (9)

While installing it clean is great, I do have a minimum set of tools that I usually need in any server. Most of these tools are small and do not require background services so I install them almost by default. You should check if they suite your needs and use it at your discretion. Hint: the goal here is to copy and paste once a new server is installed.

(correction) Before I can use the next command I need to install wget:

yum install wget

Add the Atomic repository (newer versions of LAMP, some security packages):

wget -q -O - http://www.atomicorp.com/installers/atomic.sh | sh

Install basic packages:

yum install unzip sendmail ntsysv fail2ban logrotate pdns

Related Posts

• November 30, 2008 -- CentOS for Linux Servers: a cut above (0)
• September 3, 2009 -- Quick Way to Update Fail2ban jail.conf file (0)
• August 31, 2009 -- Performance Optimized httpd.conf for Magento eCommerce (0)
• August 24, 2009 -- Howto setup iptables for www and db(mysql) on linux (0)
• August 3, 2009 -- Block access to your dedicated server automatically if more than 3 failed logins (0)
• March 27, 2009 -- Recommended: Visual SVN Server, now with Subversion 1.6 (1)
• March 25, 2009 -- Tightening up iptables for a dedicated DB server (MySQL and CentOS) (1)
• December 25, 2008 -- pdnsd – Decrease DNS response time and save bandwidth (0)
• April 13, 2008 -- About Linux Distros: Ubuntu and CentOS (9)

So, I assume you have a CentOS server. I am using CentOS 5.3 fully updated (yum update) and i have the atomicorp repository setup. The atomicorp is not necessary (it seems) but will allow you to use newer versions of PHP and other packages. The package that will do the work is called fail2ban. A simple install seems to take care of it for us:

yum install fail2ban

Lets install the service, in case that we restart the server – the service will automatically start running, I use ntsysv for this:

ntsysv (hit enter, select the service, make sure it has a start inside the brackets, and click 'ok')

Lets start the service:

service fail2ban start

Here is recommend to setup a auto forward on the root emails to you:

echo 'youremail@yourdomain.com' > ~/.forward

You should be all set. Try to check the log files once a week after the install, see if the service actually blocked potential hackers. Let me know if this worked for you or if you are using a better package?

Related Posts

• November 30, 2008 -- CentOS for Linux Servers: a cut above (0)
• April 13, 2008 -- About Linux Distros: Ubuntu and CentOS (9)
• September 3, 2009 -- Quick Way to Update Fail2ban jail.conf file (0)
• August 31, 2009 -- Performance Optimized httpd.conf for Magento eCommerce (0)
• August 24, 2009 -- Howto setup iptables for www and db(mysql) on linux (0)
• August 23, 2009 -- CentOS 5.3 Install Essentials (0)
• March 27, 2009 -- Recommended: Visual SVN Server, now with Subversion 1.6 (1)
• March 25, 2009 -- Tightening up iptables for a dedicated DB server (MySQL and CentOS) (1)
• December 25, 2008 -- pdnsd – Decrease DNS response time and save bandwidth (0)

In the last three years we have used both VSS that integrates seamlessly with Microsoft’s Visual Studio, of-course and subversion which can be handled simply from the Windows Explorer window under windows or by using the simple but useful subversion client. Through our development years, it was subversion that took over all our source code repositories. It was simple to use, great to manage, and most importantly – reliable.

Just recently I needed to use the ‘merge’ feature and I discovered that it was only available in version 1.5 and on. So, I went on trying to upgrade the subversion binaries to the latest stable on an Ubuntu server. If you have been reading my blog, you already know that I do not like Ubuntu, well this is the only Ubuntu server left in our arsenal. To make a long story short, after trying to upgrade but giving up since it requires a major Ubuntu release upgrade, I decided that I should look somewhere else. This is where I turned to Visual SVN Server.

After purchasing a copy of Visual SVN – which is a great little plugin to Visual Studio that allows you to integrate with your subversion repository seamlessly and efficiently, we noticed that the same company created Visual SVN Server. Hence, I tried it. I can start by saying that it was well worth it. Yes, Linux is great but for the simple stuff that we do with SVN a windows box will do just fine. Not to mention that with Ubuntu it is a nightmare and waiting for CentOS to adopt the latest version of subversion may take some time, Visual SVN Server is very convenient. If you check their download page, the latest download-able version is already using subversion 1.6. Great!

So, if you are looking to build a subversion repository or in need of upgrading due to need of features/bug fixes – I strongly recommend upgrading to Visual SVN Server.

By the way – moving your existing repositories is a no brainer, especially with Visual SVN’s repository import feature.

Related Posts

• November 30, 2008 -- CentOS for Linux Servers: a cut above (0)
• April 13, 2008 -- About Linux Distros: Ubuntu and CentOS (9)
• September 3, 2009 -- Quick Way to Update Fail2ban jail.conf file (0)
• August 31, 2009 -- Performance Optimized httpd.conf for Magento eCommerce (0)
• August 24, 2009 -- Howto setup iptables for www and db(mysql) on linux (0)
• August 23, 2009 -- CentOS 5.3 Install Essentials (0)
• August 3, 2009 -- Block access to your dedicated server automatically if more than 3 failed logins (0)
• May 12, 2009 -- Cleaning an entire subversion working folder from ‘.svn’ folders (2)
• March 30, 2009 -- Will Visual SVN Server remain a for-Free product? (0)
• March 25, 2009 -- Tightening up iptables for a dedicated DB server (MySQL and CentOS) (1)

1. SSH to the server, login as root
2. type vi myiptables-mysql
3. Insert the following commands:
   NOTE: you will need to insert the web server’s ip addresses where I placed <ip address#>. These are the ip addresses that MySQL queries will originate from.

   #!/bin/bash
   #
   # iptables example configuration script
   #
   # Flush all current rules from iptables
   #
   iptables -F
   #
   # Allow SSH connections on tcp port 22
   # This is essential when working on remote servers via SSH to prevent locking yourself out of the system
   #
   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
   
   iptables -I INPUT 1 -i lo -p tcp --dport mysql -j ACCEPT
   iptables -I INPUT 2 -i lo -p udp --dport mysql -j ACCEPT
   iptables -I INPUT 3 -i eth0 -p tcp --dport mysql -s <ip address1> -j ACCEPT
   iptables -I INPUT 3 -i eth0 -p tcp --dport mysql -s <ip address2> -j ACCEPT
   
   #
   # Set default policies for INPUT, FORWARD and OUTPUT chains
   #
   iptables -P INPUT DROP
   iptables -P FORWARD DROP
   iptables -P OUTPUT ACCEPT
   #
   # Set access for localhost
   #
   iptables -A INPUT -i lo -j ACCEPT
   #
   # Accept packets belonging to established and related connections
   #
   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   #
   # Save settings
   #
   /sbin/service iptables save
   #
   # List rules
   #
   iptables -L -v

4. save and exit
5. Allow the file to execute by typing this command: chmod +x myiptables-mysql
6. Run the file by tying this command: ./myiptables-mysql
7. Test it and Enjoy!

Security notice: yes, for an even tighter security it is possible to change the ports.

Related Posts

• September 3, 2009 -- Quick Way to Update Fail2ban jail.conf file (0)
• August 31, 2009 -- Performance Optimized httpd.conf for Magento eCommerce (0)
• August 24, 2009 -- Howto setup iptables for www and db(mysql) on linux (0)
• August 23, 2009 -- CentOS 5.3 Install Essentials (0)
• August 3, 2009 -- Block access to your dedicated server automatically if more than 3 failed logins (0)
• March 27, 2009 -- Recommended: Visual SVN Server, now with Subversion 1.6 (1)
• December 25, 2008 -- pdnsd – Decrease DNS response time and save bandwidth (0)
• December 3, 2008 -- Securing Joomla! CMS based sites (0)
• November 30, 2008 -- CentOS for Linux Servers: a cut above (0)
• August 19, 2008 -- Hack attempt: SQL Injection Tagreting MS SQL Servers (0)

In a nutshel, pdnsd is a small utility that caches DNS translations locally on the HD, hence next time the server queries the address the response time is likely to be minimal. Usually, the server has to query your ISP’s DNS or whatever DNS server you specified in the /etc/resolve.conf file. In a high performing web servers you are constantly competing with other packets on the network or your network resources. This is a great advantage. By installing pdnsd you achieve the following:

• Decrease the average DNS response time sharply!
• Increase your server performance, especially if this server needs to communicate externally a lot like an eCommerce server which constantly needs to communicate with shipping and credit card servers.
• Save on bandwidth.

Here is how you go about setting up pdnsd on a CentOS server:

1. Download the latest stable rpm:
go to pdnsd download page and look for your relevant rpm. For CentOS 5.2 64bit I got the latest version as of yesterday:

wget http://www.phys.uu.nl/~rombouts/pdnsd/releases/pdnsd-1.2.7-par_sl5.x86_64.rpm

2. Install the rpm:

rpm -i pdnsd-1.2.7-par_sl5.x86_64.rpm

3. Configure pdnsd to use your current DNS servers:

vi /etc/pdnsd.conf

Paste the following, of-course you should use your DNS servers instead:

server {
label="opendns";
ip = 208.67.222.222,208.67.220.220;
}

4. Start pdnsd and test that it is actually working

service pdnsd start

 dig @127.0.0.1 yahoo.com

If you get the IP, it is working. Notice the response time, if you try again you will see a sharp decrease in response time. My servers’ second response time is almost always between 1-0 ms.

5. Set pdnsd to start automatically on boot

vi /etc/default/pdnsd

Enter the following and save:

START_DAEMON=yes

Also make sure the daemon is set to auto start on boot. I use ‘ntsysv’, you can use chkconfig or whatever you are used to.

6. Set your server to use the pdnsd instead of your DNS servers

vi /etc/resolv.conf

Make sure that the first nameserver line is ‘127.0.0.1′. Should look like this:

nameserver 127.0.0.1

7. Restart your network service:

service network restart

How do you know that it is working? try to use any script that needs to go outside to the network, like ‘yum update’. In most cases, you will notice that the second time is much faster. Enjoy!

Related Posts

• September 3, 2009 -- Quick Way to Update Fail2ban jail.conf file (0)
• August 31, 2009 -- Performance Optimized httpd.conf for Magento eCommerce (0)
• August 24, 2009 -- Howto setup iptables for www and db(mysql) on linux (0)
• August 23, 2009 -- CentOS 5.3 Install Essentials (0)
• August 3, 2009 -- Block access to your dedicated server automatically if more than 3 failed logins (0)
• July 16, 2009 -- Speed Optimized Websites Rank Higher with Search Engines (0)
• March 27, 2009 -- Recommended: Visual SVN Server, now with Subversion 1.6 (1)
• March 25, 2009 -- Tightening up iptables for a dedicated DB server (MySQL and CentOS) (1)
• November 30, 2008 -- CentOS for Linux Servers: a cut above (0)
• November 5, 2008 -- Understanding MySQL Query Caching Process (1)

We noticed that more and more hosting companies offer CentOS as their default distro and recently CentOS can claim at least 1% of all world supercomputers. The support that is offered for CentOS is abundant at this point and clearly targets the more advanced system administrators out there. All in all it seems like CentOS is maturing as a great distro for Linux server purposes.

If you are curious, we are using CentOS 5.2 64 bit by default with no software installed (at all). If needed we use the LAMP stack and the XEN virtualization software, all from the CentOS default repositories.

So, what is your experience with CentOS out there?

Related Posts

• April 13, 2008 -- About Linux Distros: Ubuntu and CentOS (9)
• August 23, 2009 -- CentOS 5.3 Install Essentials (0)
• August 3, 2009 -- Block access to your dedicated server automatically if more than 3 failed logins (0)
• March 27, 2009 -- Recommended: Visual SVN Server, now with Subversion 1.6 (1)
• September 3, 2009 -- Quick Way to Update Fail2ban jail.conf file (0)
• August 31, 2009 -- Performance Optimized httpd.conf for Magento eCommerce (0)
• August 24, 2009 -- Howto setup iptables for www and db(mysql) on linux (0)
• March 25, 2009 -- Tightening up iptables for a dedicated DB server (MySQL and CentOS) (1)
• December 25, 2008 -- pdnsd – Decrease DNS response time and save bandwidth (0)
• September 5, 2008 -- Joomla vs Ektron (2)

I’ll start with the positive: in the last few years Linux distributions in general have become main stream OS and most of the installation process is user friendly. Almost each distro offers the ’server’ edition of the OS which comes mostly configured with what a production LAMP server needs to have installed already. The installation packages are clearly labeled for i386 or x64 bit, and most even offer a net install which in CentOS case only requires downloading about 7MB of ISO file and the rest is done on the fly.

Now, let’s delve into the differences that affected our decisions, labeled according to key points and in order of importance to us:

Setup Efficiency: ROI and Learning Curve

I had the experience for setting up both Ubuntu server and CentOS server editions on two different machines. Both machines had similar configurations of two 500GB harddrives mirrored in hardware Raid1 with a 3ware card, and Intel Pro dual NIC. The rest of the hardware setup is pretty much the standard Intel based processors. Both Ubuntu and CentOS had no problem in recognizing all the hardware on the machines and the setup process went pretty smoothly. The differences began showing after the initial setup: while CentOS shows an additional very helpful setup (NIC assignments, firewall, and services setup) Ubuntu had no such thing and showed the login prompt right after boot. What I found surprising is that Ubuntu required additional steps in order to download and install SSH using aptitude – if one chooses a server edition, shouldn’t it be setup for you by default?

Although aptitude is a great package management software, I have found that the server version of Ubuntu is just not mature enough or simply chooses the minimalistic approach which doesn’t fit my understanding of a server distro. Many of the tasks that were performed by CentOS by default or had options for that during the install were missing in Ubuntu. At the end of the day, setting up Ubuntu took days while CentOS took hours. Did I say ROI? CentOS is the clear winner.

Package Management Systems

Ubuntu prides itself on apt-get and aptitude which builds itself on top of the debian package management system while CentOS, Fedora and RedHat, use the rpm and yum package management systems. After using all systems I can clearly say that I favor the yum and rpm package management systems.

First, with apt-get/apt-cache/aptitude I had to constantly refer back to the documentation on Ubuntu’s site and I still cannot remember which one do I use for searching, installing, upgrading, describing, or removing packages – do we really need the separation? With both yum and rpm simply provide a separate option and you are good to go, all the information is flowing into the terminal and it took me only one glance of ‘man yum’ to understand what and where.

Second, in the particular case of apache, vhosts, and extensinos, aptitude allows flexibility at the price of re-arranging the apache.conf and vhosts.conf into a collection of files and folders. Yum does a similar thing as well, however I still found yum’s method to keep the original httpd.conf mostly intact which allowed my familiarity with the basic apache configuration skill to take over and finalize install in no time. In my opinion, the deviation from the standard has no benefit whatsoever. The price of flexibility comes over familiarity but yet yum had the upper hand and ease of use.

Third, setting up a package that requires dependencies is equally good in both systems: they both do a very good job of finding the dependencies, looking their download sources, installing and setting it all up. However, I did find that yum had the best reporting system and after it gathered all the information it showed a useful status report while asking permission to proceed – this is valuable for sys admins and it does save time. Once more, yum feels like a more mature package management system.

Production OS? Stability vs Cutting Edge

Here is where I wanted to introduce a bit of the feeling we all shared after setting it up, plus the feeling of some colleagues of mine who I consider to be Linux Admin Gurus. At the end of the day, when all is setup and configured, the feeling from the CentOS system was much more secure and I knew exactly what is installed and what is not. Conversely, Ubuntu server did not give me that worm fuzzy feeling that ‘all is good’ and if I needed to make a change, I would have to refer to documentation first before I touch the server.

When I ask some Linux Guru colleages who manage production linux clusters on a regular basis, they all point to CentOS or RedHat due to stability and performance record. In other words, you won’t get the latest cutting edge packages like Ubuntu or Fedora – but it is guaranteed to be much less flawed.

Conclusion

The bottom line is that distro preference is a personal decision. Personal to the individual who administers the systems and personal to the organization. We’ve chosen CentOS over Ubuntu, Fedora, and RedHat. The only option I see that might change is adopting RedHat due to the technical support that is offered for a fee. Hands down, CentOS provided the fastest configuration time, lowest learning curve, better ROI, superior package management system, and a good fuzzy feeling of stability. Thanks to CentOS, we can get back to our main passion: Web Development…

Related Posts

• November 30, 2008 -- CentOS for Linux Servers: a cut above (0)
• August 3, 2009 -- Block access to your dedicated server automatically if more than 3 failed logins (0)
• March 27, 2009 -- Recommended: Visual SVN Server, now with Subversion 1.6 (1)
• September 3, 2009 -- Quick Way to Update Fail2ban jail.conf file (0)
• August 31, 2009 -- Performance Optimized httpd.conf for Magento eCommerce (0)
• August 24, 2009 -- Howto setup iptables for www and db(mysql) on linux (0)
• August 23, 2009 -- CentOS 5.3 Install Essentials (0)
• March 25, 2009 -- Tightening up iptables for a dedicated DB server (MySQL and CentOS) (1)
• December 25, 2008 -- pdnsd – Decrease DNS response time and save bandwidth (0)