Command Line PHP: Part 3

Posted by Nessa | Posted in uncategorized | Posted on 25-05-2010


This is the third and final part in my PHP command line tutorial series. If you didn’t see parts 1 and 2:

Command Line PHP: Part 1

Command Line PHP: Part 2

Command Line PHP: Part 2

Posted by Nessa | Posted in uncategorized | Posted on 21-05-2010


This post is continuing on my three-part series on command line PHP programming. Missed part one? It’s right behind you. This part will go over command execution and processes.

Command Line PHP – Part 1

Posted by Nessa | Posted in uncategorized | Posted on 18-05-2010


PHP isn’t just for websites anymore. In fact, almost every script I’ve written to perform server-side functions is either written in bash or PHP, rather than Perl or Python as preferred by my colleagues. It’s a common belief that PHP isn’t suited for CLI programming since it’s mainly used in web applications, but PHP has over a hundred functions specifically intended for system management.

These kinds of posts can be rather lengthy, so I’m making this into a series with three parts.  Part 1 will go over the basic filesystem functions. You can find a complete listing here, but I’ll just go over a few of the more important and common ones.

10 Excellent Open Source Alternatives

Posted by Nessa | Posted in uncategorized | Posted on 06-03-2010


Those of you who are regular readers of my blog know that I’m a huge fan of open source software. I don’t think it’s smart for people to drop upwards of thousands of dollars on software unless they have that kind of money to waste, or have a need that isn’t being met by the open source community.  And then there are the less legal alternatives, which I’m not against, but then again I can’t promote them here, either =)

So here’s a nice list of open source alternatives for people who want to save money by using open source software.

1) Use Linux instead of Windows

The transition from Windows to Linux is not as hard as you may think it is. When people think Linux, they think of an ugly black and white command prompt. This may be true if you’re thinking of running Linux as a server, but as a desktop you have a GUI similar to Windows and Mac, in the form of KDE or Gnome.  If you have applications that require Windows, you can usually run them by installing a program called Wine.  It can take a little getting used to, but for those buying a new PC or refurbishing an old one, Linux is the route to go if you want to save money and get better performance, security, and stability than you’ll ever get with Windows.  For newbies, I’d recommend Ubuntu or Fedora.

2) Use Gimp instead of Adobe Photoshop

Adobe Photoshop will run you between $700 and $1000, maybe less if you purchase from an independent software distributor. If that’s a little steep for you, consider using Gimp instead. It has a lot of the same functionality of Photoshop, and can read files created in Photoshop (.PSD) as well.  My sister is a photographer and just when she thought she was used to Photoshop, I introduced her to Gimp so she can do her photo editing outside of school, and she said it does as good of a job as Photoshop does. Similarly, I hear that Inkscape makes an excellent alternative to Adobe Illustrator.

3) Use OpenOffice instead of Microsoft Office

My Dad, who has headed the IT department of his company for years, didn’t believe me when I told him that the thousands his company was spending on Microsoft Office licenses every couple years could be a waste of money, since OpenOffice has the same kind of functionality. The base package of OpenOffice contains alternatives to Word, Excel, PowerPoint, and Access, all of which have the same familiar interfaces and support for files created in their proprietary alternatives, but without the expensive licensing costs and resource requirements. The software in OpenOffice also has a number of features that Microsoft Office does not.

4) Use Thunderbird or Evolution instead of Outlook

Outlook sucks. I can’t tell you how many calls I got about it when I was in technical support, where email would suddenly stop working and the customer wouldn’t want to believe that their beloved Outlook was the problem. It usually comes bundled as part of the Microsoft Office suite, but you can buy it standalone. Why would you want to? Thunderbird is free, and a lot more efficient, feature-rich, stable, and secure than Outlook. Love the Outlook feel? Evolution is the Linux alternative to Outlook, only it doesn’t suck as much.

5) Use ClamAV or AVG Instead of Norton, TrendMicro, or McAfee

I’ve heard from many people that even though ClamAV is free, it’s better than its leading enterprise alternatives. It also works on Windows (Via ClamWIN) and Linux. Need a firewall too, but don’t want the steep cost of Norton Personal Firewall? Consider APF or Smoothwall.

6) Use Turbocash instead of Quickbooks or Microsoft Money

I personally haven’t used Quickbooks before, but I heard it’s comparable to Turbocash, which is perfect for smaller organizations or individuals needing software for finance management.

7) Use VirtualBox  instead of Microsoft Virtual PC, VMWare, or Parallels Desktop

I generally used Virtual PC in the past to play with other operating systems, but you may find a use for it if you’re a software developer or you have applications that work on one OS but not another. Virtual PC usually ends up being free quite some time after its initial release, but it only runs on Windows. VirtualBox is open source and runs on Linux, Mac, and Windows, and supports a large variety of guest operating systems.

8) Use OpenVZ instead of Virtuozzo

Virtualization with something like Virtuozzo isn’t the same as using something like VirtualBox in terms of mass-management of virtualized servers. If you’re offering VPS hosting or need to run multiple servers on one, you’ll want to use something like Virtuozzo.  Virtuozzo may be the best, but OpenVZ doesn’t fall far behind at all…and it doesn’t carry the multi-thousand dollar licensing costs.

9) Use OpenWorkBench instead of Microsoft Project

I’ve always found web-based software like dotProject to be more effective for project management, but if you need a more local solution for your PC, try Workbench instead of spending dough on Microsoft Project.

10) Use Partimage instead of Norton Ghost

Norton Ghost will generally cost around $70, but Partimage is free and essentially does the same thing. I’ll mention though that Norton Ghost only works on Windows, and Partimage only works on Linux. So Partimage is something you’d consider using if you’re switching from Windows to Linux and can’t use Norton Ghost anymore.

Where Does cPanel Put It?

Posted by Nessa | Posted in uncategorized | Posted on 17-12-2008


I can think of a few things that are wrong with that title but in all seriousness…don’t you ever wonder where cPanel stores the config changes that you make in WHM?  Automation is the key nowadays, and lately that’s required me to get a little down and dirty with cPanel to find its deepest secrets. *This information is not official documentation, nor is it backed up by cPanel or set in stone.  In other words, don’t blame me if you mess up your server.

These are the files that store the information read and used by WHM (as of 11.23.6):

  • IP addresses: /etc/ips
  • Reserved IPs: /etc/reservedips
  • Reserved IP reasons: /etc/reservedipreasons
  • IP address pool: /etc/ipaddrpool
  • Access hash (WHM remote access key): /home/user/.accesshash or /root/.accesshash
  • cPanel update preferences: /etc/cpupdate.conf
  • Basic cPanel/WHM setup:  /etc/wwwacct.conf
  • System mail preferences: /etc/localaliases
  • Exim open relay list: /etc/alwaysrelay
  • Server-wide max emails per hour: /var/cpanel/maxemailsperhour
  • Tweak settings: /var/cpanel/cpanel.config
  • Packages: /var/cpanel/packages/
  • Features: /var/cpanel/features/
  • User data: /var/cpanel/users/ and /var/cpanel/userdata
  • Apache templates: /var/cpanel/templates/apache(1,2)
  • Exim config template: /etc/exim.conf.localopts
  • Exim mail IPs: /etc/mailips
  • rDNS for mail ips: /etc/mail_reverse_dns
  • Clustering: /var/cpanel/cluster/root/config
  • Service manager: /etc/chkserv.d
  • Users and their domains: /etc/userdomains
  • Users and their main domains: /etc/trueuserdomains
  • Users and their owners: /etc/trueuserowners
  • Main cPanel IP: /var/cpanel/mainip
  • cPanel version: /usr/local/cpanel/version
  • Resellers: /var/cpanel/resellers
  • Reseller nameservers: /var/cpanel/resellers-nameservers

These are a few scripts that you can use to achieve the same results as their WHM equivalents:

  • Initialize quotas: /scripts/initquotas
  • Compile Apache: /scripts/easyapache  (you can pass additional options – see EasyApache 2 docs)
  • Update cPanel: /scripts/upcp
  • Enable/disable tweak settings: /scripts/smtpmailgidonly on|off
  • Change PHP API and suExec settings: /usr/local/cpanel/bin/rebuild_phpconf
  • Suspend an account: /scripts/suspendacct <user> <reason>
  • Terminate an account: /scripts/killacct <user>

Obviously there are a ton more, and just about anything done in WHM can be done directly on the server.  The main things to remember:

Scripts are mainly stored in /scripts and /usr/local/cpanel/bin

Data files are in /var/cpanel

Config files are in /etc/ and /usr/local/cpanel
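Once you know where these files live, the useful follow-up is checking who can read and write them. The script below is an added example, not code from the post or from cPanel: it walks the files named in the list above (relative to a root you choose, so it can run against a copied tree) and reports any that are missing, group/other-writable, or, for the access hash, group/other-readable. Which files count as secret is this example's own classification, and the sample tree it builds for the demo is constructed, not a real server.

```python
"""Permission audit for the cPanel/WHM files listed above.

Added example, not code from the original post or from cPanel. Every path comes
from the post's list; the 'secret' flag (group/other READ is a finding) is this
example's own judgement, and group/other WRITE on any listed file is always
reported because these files drive how WHM behaves.
"""
import os
import stat
import tempfile
from typing import Dict, List

# path -> True when the file carries credentials (assumption), False when only
# its integrity matters.
CPANEL_FILES: Dict[str, bool] = {
    "/root/.accesshash": True,            # WHM remote access key
    "/etc/ips": False,
    "/etc/cpupdate.conf": False,
    "/etc/wwwacct.conf": False,
    "/etc/localaliases": False,
    "/etc/alwaysrelay": False,            # Exim open relay list
    "/etc/mailips": False,
    "/var/cpanel/cpanel.config": False,   # Tweak settings
    "/var/cpanel/mainip": False,
    "/etc/userdomains": False,
    "/etc/trueuserdomains": False,
    "/etc/trueuserowners": False,
    "/var/cpanel/resellers": False,
}


def audit(root: str = "/", expect_root_owner: bool = True) -> List[str]:
    """Return one finding string per problem; an empty list means all clear."""
    findings: List[str] = []
    for path, secret in CPANEL_FILES.items():
        full = os.path.join(root, path.lstrip("/"))
        try:
            st = os.stat(full)
        except FileNotFoundError:
            findings.append(f"MISSING {path}")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"WRITABLE {path} mode={mode:04o}")
        if secret and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"EXPOSED {path} mode={mode:04o}")
        if expect_root_owner and st.st_uid != 0:
            findings.append(f"OWNER {path} uid={st.st_uid}")
    return findings


def build_demo_tree() -> str:
    """Constructed sample tree (not a real server) with two deliberate faults:
    a world-readable access hash and a world-writable cpanel.config."""
    root = tempfile.mkdtemp(prefix="cpanel-audit-")
    samples = {
        "/root/.accesshash": ("DEMO-NOT-A-REAL-HASH\n", 0o644),   # should be 0600
        "/var/cpanel/cpanel.config": ("# constructed sample\n", 0o666),
        "/etc/userdomains": ("# constructed sample\n", 0o644),
        "/etc/wwwacct.conf": ("# constructed sample\n", 0o600),
    }
    for path, (content, mode) in samples.items():
        full = os.path.join(root, path.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
        os.chmod(full, mode)   # explicit chmod so the umask does not interfere
    return root


if __name__ == "__main__":
    # Run against the constructed tree; use audit("/") on a live server.
    for finding in audit(build_demo_tree(), expect_root_owner=False):
        print(finding)
```

On a live server run it as root with the default arguments; the owner check is only meaningful there, which is why the demo switches it off.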


How to Add Services to Chkservd

Posted by Nessa | Posted in uncategorized | Posted on 28-06-2008



Chkservd is the service in cPanel that checks to make sure that services are running, then restarts them if necessary. It’s also responsible for the ‘Service Manager’ section in cPanel, which is an interface where added services can be easily checked on and off.
To add a new service, create a line in /etc/chkserv.d/chkservd.conf in the same format as the others:

service:1

1 means the service should be enabled, 0 means it’s off.
In /etc/chkserv.d each service has its own file. Create a file named after the service you are monitoring. Its contents follow this format:

#SERVICE = PORT, SEND, RESPONSE, RE-START COMMAND

There are two ways that cPanel checks services with chkservd:

  • Connection-based monitoring – By default, cPanel will try to connect to the service’s specified port, issue a command, and if a response is received within 10 seconds it will consider the service to be online. For instance, FTP:
    service[ftpd]=21,QUIT,220,/scripts/restartsrv_ftpserver
  • Process-based monitoring – cPanel will check for a specific process to determine whether it is online. For instance, named:
    service[named]=x,x,x,/scripts/restartsrvr_bind,named,named|bind

If you have more than one restart command, you can separate them with semicolons in order of preference that they should be run. Output of these commands will be logged to the chkservd.log
After you’ve created the service’s configuration file, restart chkservd:

/etc/init.d/chkservd restart

You should then see the service listed in WebHost Manager in the ‘Service Manager’ section.
Chkservd logs are in /var/log/chkservd.log. Checks are done every 8 minutes; every online service gets a +, offline services get a -. If the service is determined to be offline, the restart command(s) specified in that service’s chkservd configuration file are issued and the output is logged.

If you don’t even have chkservd installed, it’s probably missing and you need to install it.
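To make the two monitoring modes concrete, here is an added example (not cPanel's code) that parses service definition lines in the format above, separates connection-based checks from process-based ones, splits semicolon-separated restart commands in order of preference, and performs the connection-style probe itself: connect, send the command, and treat the service as online only if the expected response arrives before the timeout. The names I give the two trailing fields of the named example (process name, process match) are this example's reading of that line, and the local stand-in server is constructed for the demo.

```python
"""Parser and connection probe for chkservd service definitions.

Added example, not cPanel's own code. Reads service[NAME]=PORT,SEND,RESPONSE,
RESTART[,PROCNAME,PROCMATCH] lines, classifies them, and runs the connection
check. The trailing field names are this example's reading of the named line.
"""
import re
import socket
import threading
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r"^service\[(?P<name>[^\]]+)\]=(?P<rest>.*)$")


@dataclass
class ServiceCheck:
    name: str
    port: Optional[int]        # None marks a process-based check
    send: str
    expect: str
    restart_cmds: List[str]    # semicolon-separated, in order of preference
    proc_name: Optional[str] = None
    proc_match: Optional[str] = None

    @property
    def mode(self) -> str:
        return "process" if self.port is None else "connection"


def parse_service_line(line: str) -> ServiceCheck:
    """Parse one service[...]=... definition line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a chkservd service line: {line!r}")
    fields = m.group("rest").split(",")
    if len(fields) < 4:
        raise ValueError("expected at least PORT,SEND,RESPONSE,RESTART")
    port_field, send, expect, restart = fields[:4]
    extra = fields[4:]
    return ServiceCheck(
        name=m.group("name"),
        port=None if port_field.lower() == "x" else int(port_field),
        send=send,
        expect=expect,
        restart_cmds=[c.strip() for c in restart.split(";") if c.strip()],
        proc_name=extra[0] if extra else None,
        proc_match=extra[1] if len(extra) > 1 else None,
    )


def parse_enabled(conf_text: str) -> Dict[str, bool]:
    """Parse chkservd.conf 'service:1' / 'service:0' lines."""
    enabled: Dict[str, bool] = {}
    for raw in conf_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        name, _, flag = raw.partition(":")
        enabled[name.strip()] = flag.strip() == "1"
    return enabled


def probe(host: str, port: int, send: str, expect: str, timeout: float = 10.0) -> bool:
    """Connection-based check. Any socket error or timeout counts as offline."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall((send + "\r\n").encode())
            seen = ""
            while expect not in seen:
                chunk = sock.recv(1024)
                if not chunk:           # peer closed without the expected reply
                    return False
                seen += chunk.decode(errors="replace")
            return True
    except OSError:                     # refused, reset, or timed out
        return False


def start_fake_server(reply: str) -> Tuple[str, int]:
    """Constructed stand-in daemon: reads the client's command, answers with
    `reply`, closes. Returns (host, port) of the listening socket."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(2)
                try:
                    conn.recv(1024)
                    conn.sendall(reply.encode())
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    ftp = parse_service_line("service[ftpd]=21,QUIT,220,/scripts/restartsrv_ftpserver")
    host, port = start_fake_server("220 demo ftp ready\r\n")
    state = "online" if probe(host, port, ftp.send, ftp.expect, 3) else "offline"
    print(ftp.name, ftp.mode, state)
```

A real deployment would point `probe` at the service's own port rather than the stand-in, and would run the restart commands in `restart_cmds` order when it returns False.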

Fedora Chokes on Firefox

Posted by Nessa | Posted in uncategorized | Posted on 17-06-2008



We use Fedora in my Linux classes at school, so I was equally pissed off when I found out that the stock Firefox installation doesn’t support SSL…in other words you can’t get to secure pages. Since the entire school intranet is on a secure connection it pretty much sucks when you can’t access your email and assignments. I was the only person in the class who was able to fix this and finish my shit during class instead of doing it for homework.

The error you get when accessing secure pages in Firefox on Fedora is:

Unexpected response from server
Firefox doesn’t know how to communicate with the server.

You can fix this in three commands:

yum update nss (or yum install nss, if it’s not installed)
yum remove firefox
yum install firefox

The Super-Duper Way to Run Backups

Posted by Nessa | Posted in uncategorized | Posted on 15-06-2008



I often worry about my PC at work — it’s about 3 or 4 years old now and I’ve already crashed it twice by running Ubuntu updates and not letting them finish. Luckily I have my home drive mounted as a separate partition so reinstalling the OS isn’t a huge inconvenience aside from having to reinstall all my apps.

After doing some googling I came across SBackup, which is a simple backup program to back up whatever on your system to wherever you want to keep your backups — without having to configure a script.

First, install sbackup via apt-get, yum, or whatever other package manager you use:

$ sudo apt-get install sbackup

Then open the backup manager under System > Administration > Simple Backup Config

Now, I used the custom backup settings because I didn’t want to back up everything on my system — all I’m concerned about is everything in my home directory, such as my Documents, email, and porn browser settings. To select what you want backed up, go to the Include tab and Add Directory or Add File to include files and folders in your backups.

Naturally there are some files within your selected folders that you don’t want to back up, like your trash and cache. You can add those under the Exclude tab.

Next set your timing — I did ‘precisely’ every day at 5pm when I won’t be here to experience the extreme lag of my 14G home directory being tarred up. As for the Purging options, I chose Logarithmic so that I don’t have old backups that I don’t need — I only need the backups in case my PC crashes and I lose everything, so I don’t care about backups from two weeks ago.

The destination part is where you want your backups to go. The default is /var/backup, but if your PC crashes, that isn’t going to be very convenient for you. Therefore one of the two options should be the one you go with:

- Custom local directory: If you have a floppy disk (which I pray you do not) or a USB drive, you can usually find those in the /media directory and have those mounted to copy your backups

- Remote directory: If you have FTP or SSH access to a remote server, you can have your backups uploaded. The syntax is simple:

ssh://user:password@serverip:/remote/dir

After you have everything configured, save your settings and hit Backup Now! to run a test and make sure everything is working.

Dual Monitor Setup in Ubuntu 7.10, ATI Radeon

Posted by Nessa | Posted in uncategorized | Posted on 12-06-2008


The company just bought our department brand new PCs that include ATI Radeon dual output graphics cards with massive monitors.  This is probably the only time I’d willingly admit that Windows came out ahead, as I spent a good 2 days trying to get my dual monitors to work with Ubuntu.  I finally got it figured out and I’m embarrassed to say that the answer was in front of me the whole time — a fucking GUI!  Anywho, for those of you who are having trouble with this as well, here’s what I did to make it work:

My setup:

  • Dell Vostro 200, Dual Core Intel CPUs, 2 Gb RAM
  • ATI Radeon HD 2400 dual output graphics card (both monitors plugged into card)
  • Two Dell 17” monitors

So first, shimmy over to http://ati.amd.com/support/driver.html and select your distro and card model, and download the file to your desktop.

In Terminal, chmod +x ati-driver-installer-<version>.run

Select Linux x86 installation, automatic

After the installation is complete, run:

sudo aticonfig --initial

Reboot.

After reboot, run fglrxinfo and you should get something like this describing your card:

OpenGL vendor string: ATI Technologies Inc.
OpenGL renderer string: ATI Radeon HD 2400 PRO
OpenGL version string: 2.1.7537 Release

At this point you probably see that both monitors are enabled, but are mirroring each other.  If you don’t, you might need to manually activate the second:

sudo aticonfig --query-monitor

Use the output of that command and run:

sudo aticonfig --enable-monitor=<result1>,<result2>

Replace result1 and result2 with the output of the first command.  Possible results are: none, crt1, crt2, lvds, tv, tmds1, tmds2

If the enable works, make it permanent:

sudo aticonfig --force-monitor=<result1>,<result2>

When both your monitors are up (whether they look how you want or not), in your GNOME gui, go to Applications > ATI Catalyst Control Center. This is where you configure how you want your dual monitors to act.

In Display Manager, set the dropdown to two monitors and change the Display Mode to “Big Desktop” — this will enable both monitors as one long desktop that you can drag your mouse and windows between.  You can also go ahead and set your resolution.

And there you go — easy dual monitor setup for Ubuntu 7.10!

UPDATE: Major issues with graphics after I upgraded to 8.10 – I found these instructions which worked:

http://wiki.cchtml.com/index.php/Ubuntu_Intrepid_Installation_Guide#Installing_the_restricted_drivers_manually

Moving Towards PCI Compliance with cPanel

Posted by Nessa | Posted in uncategorized | Posted on 14-04-2008


See also: http://www.thecpaneladmin.com/pci-compliance-package-cpanel-servers/

Those of you who are server admins or use certain merchant services know what I’m talking about — it’s that dreaded security scan that picks apart your server to tell you everything that it thinks is wrong, assuming you have the knowledge or access to fix it: yes, the PCI scan. PCI compliance is a somewhat new procedure used by security companies and financial institutions to measure the security of a webserver that collects and stores sensitive information. The reasons for getting a scan vary, but are most commonly for legal reasons or just the assurance that your server isn’t subject to certain vulnerabilities.

After dealing with 2-3 PCI scans a week for the last year, I’ve put together a common procedure for how to make your server compliant to current PCI standards. Note that each scan company is different and may report other issues, and if you’re using ControlScan then, well, I feel sorry for you. I’m also assuming that you are on a Linux server running cPanel and LAMP.

Step 1: Make sure you have a firewall

PCI scans are nazis about unjustified open ports, so only open the ones that you need in order for services to run effectively. Manually configuring iptables is a pain in the ass, so I recommend using APF or CSF (if you have cPanel) and then configuring the allow rules to only allow ports for active services.

Note that both open the cPanel ports 2082, 2095, and 2086 by default, but some scans will complain about these being nonsecure. If that is the case you can configure WHM to only use the secure ports, then remove the nonsecure ones from the firewall so they can’t be accessed. You should also close MySQL port 3306 to external hosts and allow it on a per-IP basis only for those remote hosts that actually need it; everything else connects via localhost.

Step 2: Update your system

This is an obvious one, but you’d be surprised how many people still have old packages installed on the server. With cPanel, running /scripts/upcp will usually update the vital system software as long as you have your update configuration in WHM set to allow it, but otherwise I would recommend doing a yum update, up2date, or whatever else you use to manage packages to make sure everything is up to date.

Nowadays old versions of MySQL, PHP, and Apache are no longer squeezing through either, so you need to upgrade to at least MySQL 4.1.22, PHP 5.2.5, and Apache 1.3.39 (some scans will want Apache 2.0.x).

Step 3: Fix OpenSSL

If you did a package update this was probably already taken care of, but if you installed via source you need to make sure you’re using at least 0.9.7j, which is the oldest version that most PCI scans allow. You can get your sources from here, and it may require a recompile of Apache and other services that use it. To check your OpenSSL version, type ‘openssl‘ from your SSH prompt and then type ‘version‘.

Note to Redhat/Fedora/CentOS users: If you’re running a somewhat recent version of your OS your openSSL version probably is something like 0.9.7a, but due to Redhat backporting this may be a false-positive. If you’re on any Redhat-based distribution, just tell your scan company and they’ll bypass OpenSSL checks.

Step 4: Check your SSL certificates

In order to pass a PCI scan your server must have at least one SSL certificate signed by a recognized certificate authority, and any services using SSL need to be using a certificate as well. Go cough up $30-$100 and buy a decent 264-bit SSL certificate and install it not just for Apache, but also for all of your active services. WebHost Manager has a section for installing service SSL certificates to make this process easier.

Step 5: Disable SSLv2 and other weak encryption methods

This one always gets me, because there is no way to disable SSLv2 for everything at once, at least not one that I know of. What makes this part worse is that not all services support choosing SSL protocols and ciphers, but luckily unless you are using ControlScan the ones that don’t are probably not going to show up. Here’s how you do it for common services that are reported:

Apache:

Add these lines to your httpd.conf (you may need to add them to each secure vhost as well):

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

POP3 and IMAP:

Edit the following files:

/usr/lib/courier-imap/etc/pop3d-ssl
/usr/lib/courier-imap/etc/imapd-ssl

Comment out the existing TLS_CIPHER_LIST line and replace it with the following and restart courier-imap:

TLS_CIPHER_LIST="ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"

Exim:

Add the following to exim.conf:

tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2

For other services that might be on your system, take a look at this guide.

Step 6: Disable mod_userdir (or whatever cPanel is calling it nowadays)

If you are able to go to http://yourserverip/~yourusername, then you have mod_userdir enabled and the scan will probably complain. You can disable this in WHM under Security Center > Apache mod_userdir Tweak, or in httpd.conf add “userdir disabled user1 user2 user3 …etc”

Step 7: Put Apache in incognito mode and disable the bad stuff

If you try to get an Apache error (like a 404 error), the footer of that page probably contains more information than you may want to share about your Apache setup. You can disable this in your httpd.conf by adding these lines:

ServerSignature Off
ServerTokens Prod
FileETag None

You can read more about these here.

Another thing that some scans report is the use of 413 errors. You should add this line to httpd.conf as a workaround:

ErrorDocument 413 /index.php (or any other file)

Just about all scans will complain if the ‘trace’ and ‘track’ apache methods are enabled on your server. You can fix this by adding these lines to your Virtualhost entries or .htaccess files:

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
RewriteRule ^.*$ - [F]

You should also disable directory indexes, which can be done most easily in your cPanel’s index manager. Directory indexes allow the listing of files inside folders that do not have an index page. You can also disable these in your .htaccess files:

Options All -Indexes
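Since these Apache directives from Step 5 and Step 7 are exactly what a scan will poke at, it helps to have a checker that reads an httpd.conf and reports which of them are missing or still weak. The script below is an added example, not from the post or from Apache. Its assumptions: parsing is line-based and context-blind (a directive inside any <VirtualHost> or <Directory> counts as if it were global, and the last occurrence wins), "ALL" in SSLProtocol is taken as SSLv2+SSLv3+TLSv1 (the mod_ssl meaning in the Apache versions this post targets), and `TraceEnable off`, which Apache also accepts, is treated as equivalent to the rewrite rule above. Both sample configurations are constructed: one with typical loose defaults, one built from the post's own directives.

```python
"""Audit of the httpd.conf hardening from Steps 5 and 7.

Added example, not from the original post or from Apache. Line-based and
context-blind parsing; 'ALL' in SSLProtocol = SSLv2+SSLv3+TLSv1 (assumption for
this era); TraceEnable off accepted as an alternative to the rewrite rule.
"""
import shlex
from typing import Dict, List, Set, Tuple

ALL_PROTOCOLS = {"SSLV2", "SSLV3", "TLSV1"}


def parse_directives(text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, args) pairs; comments, blanks and <section> tags are skipped."""
    out: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = shlex.split(line)
        if parts:
            out.append((parts[0].lower(), parts[1:]))
    return out


def effective_protocols(args: List[str]) -> Set[str]:
    """Apply SSLProtocol rules: '+X' adds, '-X' removes, bare X replaces the set."""
    enabled: Set[str] = set()
    for tok in args:
        op, name = (tok[0], tok[1:]) if tok and tok[0] in "+-" else ("", tok)
        names = ALL_PROTOCOLS if name.upper() == "ALL" else {name.upper()}
        if op == "+":
            enabled |= names
        elif op == "-":
            enabled -= names
        else:
            enabled = set(names)
    return enabled


def audit_apache(config_text: str) -> List[str]:
    """Return one finding per missing or weak directive; empty list means clean."""
    directives = parse_directives(config_text)
    last: Dict[str, List[str]] = {}
    for name, args in directives:
        last[name] = args
    findings: List[str] = []

    proto = last.get("sslprotocol")
    if proto is None:
        findings.append("SSLProtocol not set explicitly")
    elif "SSLV2" in effective_protocols(proto):
        findings.append("SSLProtocol still permits SSLv2")

    ciphers = last.get("sslciphersuite")
    if not ciphers:
        findings.append("SSLCipherSuite not set")
    else:
        spec = ciphers[0].upper()
        for excl in ("!ANULL", "!ENULL", "!LOW", "!EXP"):
            if excl not in spec:
                findings.append(f"SSLCipherSuite does not exclude {excl[1:]}")

    for directive, want in (("ServerSignature", "off"), ("ServerTokens", "prod"),
                            ("FileETag", "none")):
        got = [a.lower() for a in last.get(directive.lower(), [])]
        if want not in got:
            findings.append(f"{directive} should be {want}")

    if not any(n == "errordocument" and args[:1] == ["413"] for n, args in directives):
        findings.append("no ErrorDocument for 413")

    trace_blocked = any(
        (n == "traceenable" and [a.lower() for a in args] == ["off"])
        or (n == "rewritecond" and any("TRACE" in a.upper() for a in args))
        for n, args in directives)
    if not trace_blocked:
        findings.append("TRACE/TRACK methods not blocked")

    if not any(n == "options" and any(a.lower() == "-indexes" for a in args)
               for n, args in directives):
        findings.append("directory indexes not disabled")
    return findings


# Constructed sample: typical loose defaults.
WEAK_CONF = """\
ServerSignature On
ServerTokens Full
SSLProtocol all
SSLCipherSuite ALL
<Directory /home>
    Options Indexes FollowSymLinks
</Directory>
"""

# Constructed sample assembled from the directives given in Steps 5 and 7.
HARDENED_CONF = """\
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
ServerSignature Off
ServerTokens Prod
FileETag None
ErrorDocument 413 /index.php
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
RewriteRule ^.*$ - [F]
Options All -Indexes
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_apache(conf) or "clean")
```

Pass `open("/usr/local/apache/conf/httpd.conf").read()` to `audit_apache` on a cPanel box to check the real file; because the parser ignores context, a clean result means the directives appear somewhere, not that every secure vhost carries them, so the per-vhost caveat in Step 5 still applies.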

Ending notes

Really, it doesn’t matter how secure your server is if your web application is poorly programmed, so your server should not be the ending point in security. Some PCI scan companies are able to detect common vulnerabilities in web applications, but you should take the extra steps to stay ahead of the game and update your site software on a regular basis.