Thursday, June 16, 2016

MySQL user-based access for a whole subnet


GRANT ALL ON *.* to root@'10.50.249.%' IDENTIFIED BY 'your-root-password';

FLUSH PRIVILEGES;
 
db server:  10.50.249.51
web server: 10.50.249.52


If you have a user defined in mysql.user as 'user'@'10.50.249.52' with password1 and another 'user'@'10.50.249.%' with password2, then, if you try to connect to the db server from the web server as 'user' with password2, it will result in an 'Access denied' error because the single IP 'user'@'10.50.249.52' authentication is used over the wildcard 'user'@'10.50.249.%' authentication.
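
The matching order described above can be modelled offline. This is an added example, not from the original post: a simplified shell model in which rows without wildcards are tried before wildcard rows. The ACCOUNTS table, the function names and the plain-text password comparison are assumptions for illustration.

```shell
#!/bin/sh
# Constructed rows mirroring the two accounts described above: user|host|password.
# Plain passwords keep the model short; MySQL itself compares password hashes.
ACCOUNTS='user|10.50.249.%|password2
user|10.50.249.52|password1'

# 0 = literal host (most specific), 1 = pattern with wildcards, 2 = bare '%'.
host_rank() {
  case "$1" in
    %) echo 2 ;;
    *%*|*_*) echo 1 ;;
    *) echo 0 ;;
  esac
}

# Emit the rows most-specific host first, the order in which they are tried.
sorted_accounts() {
  printf '%s\n' "$ACCOUNTS" | while IFS='|' read -r user host pass; do
    printf '%s|%s|%s|%s\n' "$(host_rank "$host")" "$user" "$host" "$pass"
  done | sort -t'|' -k1,1n
}

# authenticate USER CLIENT_IP PASSWORD
authenticate() {
  rows=$(sorted_accounts)
  while IFS='|' read -r rank user host pass; do
    [ "$user" = "$1" ] || continue
    # MySQL wildcards to shell globs: % -> *, _ -> ?
    glob=$(printf '%s' "$host" | sed 's/%/*/g; s/_/?/g')
    case "$2" in
      $glob)
        # The first matching row decides; later rows are never consulted.
        if [ "$pass" = "$3" ]; then
          echo "granted via $user@$host"
        else
          echo "denied via $user@$host"
        fi
        return 0 ;;
    esac
  done <<EOF
$rows
EOF
  echo "denied: no matching row"
}

authenticate user 10.50.249.52 password2   # web server, wildcard row's password
authenticate user 10.50.249.53 password2   # another host in the subnet
```
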
Tuesday, June 14, 2016
For High CPU Utilization Process

ps -eo pcpu,pid,user,args | sort -k1 -nr | head -10


For Used Memory

free | awk 'FNR == 3 {print $3/($3+$4)*100}'

free -m|awk 'FNR == 2 {print $3*100/$2}'


For Free memory

free | awk 'FNR == 3 {print $4/($3+$4)*100}'
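
Added example (not from the original post): newer versions of free have no "-/+ buffers/cache" row, so line 3 is the Swap row and the FNR == 3 commands above report swap instead of memory. The sample outputs and function names below are constructed for illustration.

```shell
#!/bin/sh
# Constructed `free` output in the older layout (has a "-/+ buffers/cache" row).
OLD_FREE='             total       used       free     shared    buffers     cached
Mem:       8000000    7000000    1000000          0     500000    4500000
-/+ buffers/cache:    2000000    6000000
Swap:      2000000     200000    1800000'

# Constructed `free` output in the newer layout (no such row; line 3 is Swap).
NEW_FREE='              total        used        free      shared  buff/cache   available
Mem:        8000000     2000000     1000000      100000     5000000     5600000
Swap:       2000000      200000     1800000'

# The first used-memory command above, reading stdin instead of running free.
used_pct_line3() {
  awk 'FNR == 3 {print $3/($3+$4)*100}'
}

# Layout-aware version: use the "-/+ buffers/cache" row when it exists,
# otherwise fall back to used/total from the Mem: row.
used_pct() {
  awk '
    $1 == "Mem:" { used = $3; total = $2 }
    $1 == "-/+"  { used = $3; total = $3 + $4 }
    END {
      if (total <= 0) exit 1     # no usable row: fail instead of dividing by zero
      printf "%d\n", used * 100 / total
    }'
}

printf '%s\n' "$OLD_FREE" | used_pct_line3   # 25: memory, as intended
printf '%s\n' "$NEW_FREE" | used_pct_line3   # 10: this is swap usage, not memory
printf '%s\n' "$NEW_FREE" | used_pct         # 25
```
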


For High Memory Utilization Process

ps aux --sort -rss | head


For average load on Server

uptime | sed 's/.*load average: //'


For Zombie process

ps axo stat,ppid,pid,comm | grep -w defunct

ps aux --sort -rss| grep -w defunct

ps aux | awk '$8 ~ /^Z/'

For strace PID

strace -p PID -o output.file

For Sleeping process list

ps -eo pid,cmd,etime | sort -k1 -nr | head -10


For Only Cpu Utilization

mpstat 1 1 | awk '$3 ~ /CPU/ { for(i=1;i<=NF;i++) { if ($i ~ /%idle/) field=i } } $3 ~ /all/ { printf("%d",100 - $field) }'


Server Resource Monitor Script

#!/bin/bash
# This script monitors the server load. If the one-minute load average on the server is more than 30,
# it collects the last 3 logins, the currently logged-in users, the CPU-consuming processes and the
# memory-consuming processes, and mails the report to the provided email address.
# NOTE: This will only mail if the one-minute load average is more than 30.
EMAIL="arvindrsawant@gmail.com"
#EMAIL1="2ndemail id"
LIMIT=30
HOSTNAME=$(hostname)
TIMESTAMP=$(date "+%Y.%m.%d")
TIME=$(date "+%H%M")
REPORT_DIR="/home/load/$TIMESTAMP"
REPORT="$REPORT_DIR/load-$TIME.log"
SUBJECT="Alert: Heavy Load on Server $HOSTNAME"
mkdir -p "$REPORT_DIR"
echo -e "Current Load on $HOSTNAME : \n" >> "$REPORT"
uptime | sed 's/.*load average: //' >> "$REPORT"
# Integer part of the one-minute load average
currentload=$(uptime | sed 's/.*load average: //' | awk -F, '{print $1}' | cut -f1 -d".")
if [[ $currentload -gt $LIMIT ]]; then
    echo -e "\n Free Memory On $HOSTNAME : \n" >> "$REPORT"
    free -m >> "$REPORT"
    echo -e "\n Last 3 Login Users On $HOSTNAME : \n" >> "$REPORT"
    last -a | head -3 >> "$REPORT"
    echo -e "\n Current Login Users On $HOSTNAME : \n" >> "$REPORT"
    w | tail -n +2 >> "$REPORT"
    echo -e "\n CPU consuming processes on $HOSTNAME : \n" >> "$REPORT"
    # -n sorts the %CPU column numerically (a plain -r sort would put 9.5 above 10.2)
    ps -eo pcpu,pid,user,args | sort -k1 -nr | head -10 >> "$REPORT"
    echo -e "\n Memory consuming processes on $HOSTNAME : \n" >> "$REPORT"
    ps aux --sort -rss | head >> "$REPORT"
    echo -e "\n Disk consuming on $HOSTNAME : \n" >> "$REPORT"
    df -h >> "$REPORT"
    # The next two commands read line 3 of free, the "-/+ buffers/cache" row of older free output
    echo -e "\n Used Memory on $HOSTNAME : \n" >> "$REPORT"
    free | awk 'FNR == 3 {print $3/($3+$4)*100}' >> "$REPORT"
    echo -e "\n Free Memory on $HOSTNAME : \n" >> "$REPORT"
    free | awk 'FNR == 3 {print $4/($3+$4)*100}' >> "$REPORT"
    echo -e "\n Zombie Process on $HOSTNAME : \n" >> "$REPORT"
    ps aux --sort -rss | grep -w defunct >> "$REPORT"
    echo -e "\n Sleeping Process list on $HOSTNAME : \n" >> "$REPORT"
    ps -eo pid,cmd,etime | sort -k1 -nr | head -10 >> "$REPORT"
    # Pass only the addresses that are actually set (EMAIL1..EMAIL3 are optional)
    mail -s "$SUBJECT" "$EMAIL" ${EMAIL1:+"$EMAIL1"} ${EMAIL2:+"$EMAIL2"} ${EMAIL3:+"$EMAIL3"} < "$REPORT"
fi

Thursday, June 9, 2016

WHM settings and WordPress security hardening suggestions

Hide login password from cgi scripts: currently Off, needs to be On
This setting allows you to hide the REMOTE_PASSWORD environment variable from scripts that the cpsrvd daemon's CGI handler executes.

Referrer safety check: currently Off, needs to be On
Only permit cpanel/whm/webmail to execute functions when the browser provided referrer (Domain/IP and Port) exactly matches the destination URL. This will help prevent XSRF attacks but may break integration with other systems, login applications, and billing software. Cookies are required with this option enabled.

Verify signatures of 3rdparty cPaddons: currently Off, needs to be On
When this option is enabled, cPanel will verify GPG signatures of all 3rdparty cPaddons. This setting is only available if Signature Validation is enabled.

Prevent “nobody” from sending mail: currently Off, needs to be On
Prevent the user “nobody” from sending out mail to remote addresses (PHP and CGI scripts generally run as “nobody” if you are using mod_php or have Suexec disabled.)

Enable SPF on domains for newly created accounts: currently Off, needs to be On
Enable this option to deny spammers the ability to send email when they forge your domain’s name as the sender (spoofing).

Proxy subdomains: currently On, needs to be Off
Add proxy VirtualHost to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk, cpcalendars, cpcontacts, and whm subdomains to the correct port (requires mod_rewrite and mod_proxy)

Proxy subdomain creation: currently On, needs to be Off
Automatically create cpanel, webmail, webdisk, cpcalendars, cpcontacts, and whm proxy subdomain DNS entries for new accounts. When this is initially enabled it will add appropriate proxy subdomain DNS entries to all existing accounts. (Use /scripts/proxydomains to reconfigure the DNS entries manually)

Password Strength Configuration: currently 0, needs to be 8
This feature allows you to specify a minimum password strength for accounts that your server hosts.

Compiler Access: currently Enabled, needs to be Disabled
This option disables compiler access for unspecified users in order to help prevent attacks on your server.

Shell Fork Bomb Protection: currently Disabled, needs to be Enabled
This option limits the amount of server resources that users with terminal access may use.

FTP Server Configuration, Allow Anonymous Uploads: currently Yes, needs to be No
Allowing anonymous FTP uploads is generally considered to weaken the security of the server. Setting this option to "No" is recommended.

Manage Shell Access: currently enabled for all users, needs to be off for everyone except the root user
This interface allows you to select which users will have shell access on your server and whether that shell access is Normal or Jailed.

File ETag: currently All, needs to be None
This directive configures the file attributes that are used to create the ETag response header field when the request is file based.
Note: “None” means that if a document is file based, no ETag field will be included in the response.

expose_php: currently On, needs to be Off

From Developer End

Keep the WordPress version and the plugin versions up to date.

Two-way authentication is required for the website admin panel, or allow access to wp-login.php and the admin panel only from limited IPs.

Change the table prefix, or don't use the default table prefix for a new website.

Use the WordPress keys generator for wp-config.php.
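
A local check for the table-prefix and keys items above, as an added example that is not part of the original post. The function names, finding labels and sample files are assumptions made for illustration; the placeholder text searched for is the one shipped in wp-config-sample.php.

```shell
#!/bin/sh
# audit_wp_config FILE: print one finding per line; no output means all checks pass.
audit_wp_config() {
  f=$1
  # 1. $table_prefix still set to the default 'wp_'.
  if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$f"; then
    echo "default-table-prefix"
  fi
  # 2. A key or salt still holds the sample file's placeholder text.
  if grep -q "put your unique phrase here" "$f"; then
    echo "placeholder-keys"
  fi
  # 3. Fewer than the eight *_KEY / *_SALT constants are defined.
  n=$(grep -Ec "define\([[:space:]]*['\"][A-Z_]+_(KEY|SALT)['\"]" "$f" || true)
  if [ "$n" -lt 8 ]; then
    echo "missing-keys:$n/8"
  fi
}

# Constructed sample files: one weak, one hardened. Prints the directory path.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/weak.php" <<'EOF'
<?php
define('AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
EOF
  {
    echo '<?php'
    for k in AUTH SECURE_AUTH LOGGED_IN NONCE; do
      printf "define('%s_KEY',  'constructed-%s-key-value');\n" "$k" "$k"
      printf "define('%s_SALT', 'constructed-%s-salt-value');\n" "$k" "$k"
    done
    echo "\$table_prefix = 'site7x_';"
  } > "$dir/hardened.php"
  echo "$dir"
}

samples=$(make_samples)
audit_wp_config "$samples/weak.php"       # three findings
audit_wp_config "$samples/hardened.php"   # no output
```
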

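Prevent WordPress hacks by blocking search engine spiders from indexing the admin section (robots.txt)
robots.txt is only honoured by well-behaved crawlers and is itself publicly readable, so it reduces indexing but does not restrict access.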
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

1.       Secure wp-config.php
# protect wp-config.php
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

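2.       Limit Access to the Wp-Content Directory
Order deny,allow
Deny from all
# Re-allow only the static file types the site serves. EXT1|EXT2 is a
# placeholder: replace it with your own extension list.
<Files ~ "\.(EXT1|EXT2)$">
Allow from all
</Files>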


3.       Prevent script injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Protect your .htaccess file
# STRONG HTACCESS PROTECTION
<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>

After implementing this, third-party and mobile posting stop working.

To disable the xmlrpc.php file server-wide, update your pre-VirtualHost Include file with the following code. You can update this file through WHM.

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>


Block WordPress xmlrpc.php requests with .htaccess
         
I want to send WordPress XML-RPC requests from my fictional IP address.
        
So I can deny all requests to the xmlrpc.php file, except for that IP, using the following .htaccess rules:
           
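# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
# replace "IP Address" with the address that is allowed to send requests
allow from IP Address
</Files>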

Add an entry in httpd.conf for all WordPress websites.
<Files ~ "xmlrpc.php">
  Order allow,deny
  Deny from all
</Files>