server – Derek Demuro

The perfect server.

ddemuro — Tue, 21 Oct 2014 06:39:16 +0000

The basics:

Virtualmin is a powerful and flexible web hosting control panel for Linux and UNIX systems based on the well-known Open Source web-based systems management GUI, Webmin. Manage your virtual domains, mailboxes, databases, applications, and the entire server, from one comprehensive and friendly interface.

I recommend using Virtualmin; it made my life so EASY!, managing mail accounts, FTP, websites, Nginx, firewall… everything!.

But like every tool, it doesn’t cover everything. And that’s the idea of this guide. Yes, I just made your life way more comfortable! But how about the “under the hood side”?.

Installing Virtualmin and ntpdate:

wget https://software.virtualmin.com/gpl/scripts/install.sh
chmod 755 *
./install.sh
apt-get install ntpdate

Configuring Virtualmin:

The firewall:

If you want some sort of security and active connections to your ftp, you’ll need:

modprobe ip_conntrack_ftp
echo "IPTABLES_MODULES="ip_conntrack_ftp"" >> /etc/sysconfig/iptables-config

Getting your server “secure”

➜  ~ cat iptables.save 
# Generated by iptables-save v1.4.14 on Mon Jun  6 02:31:37 2016
*filter
:INPUT DROP [19:1020]
:FORWARD ACCEPT [513:37370]
:OUTPUT ACCEPT [6333:10196027]
:LDAP - [0:0]
:fail2ban-default - [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-default
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 389 -j LDAP
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT
-A INPUT -p udp -m udp --dport 25565 -j ACCEPT
-A INPUT -s 10.254.3.0/24 -j ACCEPT
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4949 -j ACCEPT
-A INPUT -p udp -m udp --dport 1196 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 25,587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 143,220,993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3001 -j ACCEPT
-A LDAP -s 206.72.202.59/32 -j ACCEPT
-A LDAP -s 66.45.250.235/32 -j ACCEPT
-A LDAP -s 206.72.192.67/32 -j ACCEPT
-A LDAP -s 10.254.3.0/24 -j ACCEPT
-A LDAP -s 10.254.4.0/24 -j ACCEPT
-A LDAP -p tcp -m tcp --dport 3001 -j ACCEPT
-A fail2ban-default -j RETURN
-A fail2ban-ssh -s 222.186.21.217/32 -j DROP
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Mon Jun  6 02:31:37 2016
# Generated by iptables-save v1.4.14 on Mon Jun  6 02:31:37 2016
*mangle
:PREROUTING ACCEPT [49100981:39900927740]
:INPUT ACCEPT [47328481:39740284733]
:FORWARD ACCEPT [1408050:121664223]
:OUTPUT ACCEPT [32033396:88711307234]
:POSTROUTING ACCEPT [33441446:88832971457]
COMMIT
# Completed on Mon Jun  6 02:31:37 2016
# Generated by iptables-save v1.4.14 on Mon Jun  6 02:31:37 2016
*nat
:PREROUTING ACCEPT [1273587:85952983]
:INPUT ACCEPT [1201232:81100796]
:OUTPUT ACCEPT [587430:41574154]
:POSTROUTING ACCEPT [1110814:78989544]
-A PREROUTING -d 66.45.250.236/32 -j DNAT --to-destination 10.254.3.2
-A POSTROUTING -s 10.254.3.0/24 -j SNAT --to-source 66.45.250.236
COMMIT
# Completed on Mon Jun  6 02:31:37 2016

Configuring postfix:

General setup:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
 
 
# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
 
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
 
# appending .domain is the MUA's job.
append_dot_mydomain = no
 
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
 
readme_directory = no
 
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
 
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Add the networks used by you, that are safe.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:10023
allow_percent_hack = no
# Allow 40 MB message size.
message_size_limit = 40000000

Master Configuration (master.cf)

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp    inet    n       -       -       -       -       smtpd -o smtpd_sasl_auth_enable=yes
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
 
submission      inet    n       -       -       -       -       smtpd -o smtpd_sasl_auth_enable=yes

OhMyZSH / ZSH:

#Debian
apt-get install zsh curl
 
sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"

MySQL:

Usually, I’d suggest using persona’s utility to figure out these values; I’ll post mine. https://tools.percona.com/

# Generated by Percona Configuration Wizard (https://tools.percona.com/) version REL5-20120208
# Configuration name sec02.takelan.com generated for ddemuro@gmail.com at 2015-04-11 05:31:01
 
[mysql]
 
# CLIENT #
port                           = 3306
socket                         = /var/run/mysqld/mysqld.sock
 
[mysqld]
 
# GENERAL #
user                           = mysql
default-storage-engine         = InnoDB
socket                         = /var/run/mysqld/mysqld.sock
pid-file                       = /var/run/mysqld/mysqld.pid
 
# MyISAM #
key-buffer-size                = 64M
myisam-recover                 = FORCE,BACKUP
 
# SAFETY #
max-allowed-packet             = 64M
max-connect-errors             = 1000000
skip-name-resolve
sql-mode                       = STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE
sysdate-is-now                 = 1
innodb                         = FORCE
innodb-strict-mode             = 1
 
# DATA STORAGE #
datadir                        = /var/lib/mysql/
 
 
# BINARY LOGGING #
log-bin                        = /var/lib/mysql/mysql-bin
expire-logs-days               = 14
sync-binlog                    = 1
 
# CACHES AND LIMITS #
tmp-table-size                 = 512M
max-heap-table-size            = 512M
query-cache-type               = 1
query-cache-size               = 512M
query_cache_limit              = 16M
max-connections                = 500
thread-cache-size              = 80
open-files-limit               = 65535
table-definition-cache         = 4096
table-open-cache               = 10240
 
# INNODB #
innodb-flush-method            = O_DIRECT
innodb-log-files-in-group      = 2
#innodb-log-file-size           = 512M
innodb-flush-log-at-trx-commit = 1
innodb-file-per-table          = 1
innodb-buffer-pool-size        = 1G
 
# LOGGING #
log-error                      = /var/lib/mysql/mysql-error.log
log-queries-not-using-indexes  = 1
slow-query-log                 = 1
slow-query-log-file            = /var/lib/mysql/mysql-slow.log

PostGrey:

# postgrey whitelist for mail client hostnames
# --------------------------------------------
# put this file in /etc/postgrey or specify its path
# with --whitelist-clients=xxx
#
# postgrey version: 1.34, build date: 2011-05-04
 
# Debian-specific additions
# I *know* they run real mail queues, so greylisting only creates
# bigger load for them.
debconf.org
debian.org
spi-inc.org
 
# greylisting.org: Southwest Airlines (unique sender, no retry)
southwest.com
# greylisting.org: isp.belgacom.be (wierd retry pattern)
isp.belgacom.be
# greylisting.org: Ameritrade (no retry)
ameritradeinfo.com
# greylisting.org: Amazon.com (unique sender with letters)
amazon.com
# 2004-05-20: Linux kernel mailing-list (unique sender with letters)
vger.kernel.org
# 2004-06-02: karger.ch, no retry
karger.ch
# 2004-06-02: lilys.ch, (slow: 4 hours)
server-x001.hostpoint.ch
# 2004-06-09: roche.com (no retry)
gw.bas.roche.com
# 2004-06-09: newsletter (no retry)
mail.hhlaw.com
# 2004-06-09: no retry (reported by Ralph Hildebrandt)
prd051.appliedbiosystems.com
# 2004-06-17: swissre.com (no retry)
swissre.com
# 2004-06-17: dowjones.com newsletter (unique sender with letters)
returns.dowjones.com
# 2004-06-18: switch.ch (works but personnel is confused by the error)
domin.switch.ch
# 2004-06-23: accor-hotels.com (slow: 6 hours)
accor-hotels.com
# 2004-06-29: rr.com (no retry, reported by Duncan Hill)
/^ms-smtp.*\.rr\.com$/
# 2004-06-29: cox.net (no retry, reported by Duncan Hill)
/^lake.*mta.*\.cox\.net$/
# 2004-06-29: motorola.com (no retry)
mot.com
# 2004-07-01: nic.fr (address verification, reported by Arnaud Launay)
nic.fr
# 2004-07-01: verizon.net (address verification, reported by Bill Moran and Eric, adapted by Adam C. Mathews)
/^s[cv]\d+pub\.verizon\.net$/
# 2004-07-02: cs.columbia.edu (no retry)
cs.columbia.edu
# 2004-07-02: papersinvited.com (no retry)
66.216.126.174
# 2004-07-02: telekom.de (slow: 6 hours)
/^mail\d+\.telekom\.de$/
# 2004-07-04: tiscali.dk (slow: 12 hours, reported by Klaus Alexander Seistrup)
/^smtp\d+\.tiscali\.dk$/
# 2004-07-04: freshmeat.net (address verification)
freshmeat.net
# 2004-07-11: zd-swx.com (unique sender with letters, reported by Bill Landry)
zd-swx.com
# 2004-07-11: lockergnome.wc09.net (unique sender with letters, reported by Bill Landry)
lockergnome.wc09.net
# 2004-07-19: mxlogic.net (no retry, reported by Eric)
p01m168.mxlogic.net
p02m169.mxlogic.net
# 2004-09-08: intel.com (pool on different subnets) 
/^fmr\d+\.intel\.com$/
# 2004-09-17: cox-internet.com (no retry, reported by Rod Roark)
/^fe\d+\.cox-internet\.com$/
# 2004-10-11: logismata.ch (no retry)
logismata.ch
# 2004-11-25: brief.cw.reum.de (no retry, reported by Manuel Oetiker)
brief.cw.reum.de
# 2004-12-03: ingeno.ch (no retry)
qmail.ingeno.ch
# 2004-12-06: rein.ch (no retry)
mail1.thurweb.ch
# 2005-01-26: tu-ilmenau.de (no retry)
piggy.rz.tu-ilmenau.de
# 2005-04-06: polymed.ch (no retry)
mail.polymed.ch
# 2005-06-08: hu-berlin.de (slow: 6 hours, reported by Joachim Schoenberg)
rz.hu-berlin.de
# 2005-06-17: gmail.com (big pool, reported by Beat Mueller)
proxy.gmail.com
# 2005-06-23: cacert.org (address verification, reported by Martin Lohmeier)
cacert.org
# 2005-07-27: polytech.univ-mrs.fr (no retry, reported by Giovanni Mandorino)
polytech.univ-mrs.fr
# 2005-08-05: gnu.org (address verification, reported by Martin Lohmeier)
gnu.org
# 2005-08-17: ciphirelabs.com (needs fast responses, reported by Sven Mueller)
cs.ciphire.net
# 2005-11-11: lufthansa (no retry, reported by Peter Bieringer)
/^gateway\d+\.np4\.de$/
# 2005-11-23: arcor-online.net (slow: 12 hours, reported by Bernd Zeimetz)
/^mail-in-\d+\.arcor-online\.net$/
# 2005-12-29: netsolmail.com (no retry, reported by Gareth Greenaway)
netsolmail.com
# mail.likopris.si (no retry, reported by Vito Robar)
193.77.153.67
# jcsw.nato.int (several servers, no retry, reported by Vito Robar)
195.235.39
# tesla.vtszg.hr (no retry, reported by Vito Robar)
tesla.vtszg.hr
# mailgw*.iai.co.il (pool of several servers, reported by Vito Robar)
/^mailgw.*\.iai\.co\.il$/
# gw.stud-serv-mb.si (no retry, reported by Vito Robar)
gw.stud-serv-mb.si
# mail.commandtech.com (no retry, reported by Vito Robar)
216.238.112.99
# duropack.co.at (no retry, reported by Vito Robar)
193.81.20.195
# mail.esimit-tech.si (no retry, reported by Vito Robar)
193.77.126.208
# mail.resotel.be (ocasionally no retry, reported by Vito Robar)
80.200.249.216
# mail2.alliancefr.be (ocasionally no retry, reported by Vito Robar)
mail2.alliancefr.be
# webserver.turboinstitut.si (no retry, reported by Vito Robar)
webserver.turboinstitut.si
# mil.be (pool of different servers, reported by Vito Robar)
193.191.218.141
193.191.218.142
193.191.218.143
194.7.234.141
194.7.234.142
194.7.234.143
# mail*.usafisnews.org (no retry, reported by Vito Robar)
/^mail\d+\.usafisnews\.org$/
# odk.fdv.uni-lj.si (no retry, reported by Vito Robar)
/^odk.fdv.uni-lj.si$/
# rak-gentoo-1.nameserver.de (no retry, reported by Vito Robar)
rak-gentoo-1.nameserver.de
# dars.si (ocasionally no retry, reported by Vito Robar)
mx.dars.si
# cosis.si (no retry, reported by Vito Robar)
213.143.66.210
# mta?.siol.net (sometimes no or slow retry; they use intermail, reported by Vito Robar)
/^mta[12].siol.net$/
# pim-N-N.quickinspirationsmail.com (unique sender, reported by Vito Robar)
/^pim-\d+-\d+\.quickinspirationsmail\.com$/
# flymonarch (no retry, reported by Marko Djukic)
flymonarch.com
# wxs.nl (no retry, reported by Johannes Fehr)
/^p?smtp.*\.wxs\.nl$/
# ibm.com (big pool, reported by Casey Peel)
ibm.com
# messagelabs.com (big pool, reported by John Tobin)
/^mail\d+\.messagelabs\.com$/
# ptb.de (slow, reported by Joachim Schoenberg)
berlin.ptb.de
# registrarmail.net (unique sender names, reported by Simon Waters)
registrarmail.net
# google.com (big pool, reported by Matthias Dyer, Martin Toft)
google.com
# orange.fr (big pool, reported by Lo�c Le Loarer)
/^smtp\d+\.orange\.fr$/
# citigroup.com (slow retry, reported by Michael Monnerie)
/^smtp\d+.citigroup.com$/
# cruisingclub.ch (no retry)
mail.ccs-cruising.ch
# digg.com (no retry, Debian #406774)
diggstage01.digg.com
# liberal.ca (retries only during 270 seconds, Debian #406774)
smtp.liberal.ca
# pi.ws (pool + long retry, Debian #409851)
/^mail[12]\.pi\.ws$/
# rambler.ru (big pool, reported by Michael Monnerie)
rambler.ru
# free.fr (big pool, reported by Denis Sacchet)
/^smtp[0-9]+-g[0-9]+\.free\.fr$/
/^postfix[0-9]+-g[0-9]+\.free\.fr$/
# thehartford.com (pool + long retry, reported by Jacob Leifman)
/^netmail\d+\.thehartford\.com$/
# abb.com (only one retry, reported by Roman Plessl)
/^nse\d+\.abb\.com$/
# 2007-07-27: sourceforge.net (sender verification)
lists.sourceforge.net
# 2007-08-06: polytec.de (no retry, reported by Patrick McLean)
polytec.de
# 2007-09-06: qualiflow.com (no retry, reported by Alex Beckert)
/^mail\d+\.msg\.oleane\.net$/
# 2007-09-07: nrl.navy.mil (no retry, reported by Axel Beckert)
nrl.navy.mil
# 2007-10-18: aliplast.com (long retry, reported by Johannes Feigl)
mail.aliplast.com
# 2007-10-18: inode.at (long retry, reported by Johannes Feigl)
/^mx\d+\..*\.inode\.at$/
# 2008-02-01: bol.com (no retry, reported by Frank Breedijk)
/^.*?.server.arvato-systems.de$/
# 2008-06-05: registeredsite.com (no retry, reported by Fred Kilbourn)
/^(?:mail|fallback-mx)\d+.atl.registeredsite.com$/
# 2008-07-17: mahidol.ac.th (no retry, reported by Alex Beckert)
saturn.mahidol.ac.th
# 2008-07-18: ebay.com (big pool, reported by Peter Samuelson)
ebay.com
# 2008-07-22: yahoo.com (big pool, reported by Juan Alonso)
yahoo.com
# 2008-11-07: facebook (no retry, reported by Tim Freeman)
/^outmail\d+\.sctm\.tfbnw\.net$/
# 2009-02-10: server14.cyon.ch (long retry, reported by Alex Beckert)
server14.cyon.ch
# 2009-08-19: 126.com (big pool)
/^m\d+-\d+\.126\.com$/
# 2010-01-08: tifr.res.in (no retry, reported by Alex Beckert)
home.theory.tifr.res.in
# 2010-01-08: 1blu.de (long retry, reported by Alex Beckert)
ms4-1.1blu.de
# 2010-03-17: chello.at (big pool, reported by Jan-willem van Eys)
/^viefep\d+-int\.chello\.at$/
# 2010-05-31: nic.nu (long retry, reported by Ivan Sie)
mx.nic.nu
# 2010-06-10: Microsoft servers (long/no retry, reported by Roy McMorran)
bigfish.com
frontbridge.com
microsoft.com
# 2010-06-18: Google/Postini (big pool, reported by Warren Trakman)
postini.com
# 2011-02-04: evanzo-server.de (no retry, reported by Andre Hoepner)
/^mx.*\.evanzo-server\.de$/
# 2011-05-02: upcmail.net (big pool, reported by Michael Monnerie)
upcmail.net

# postgrey whitelist for mail recipients
# --------------------------------------
# put this file in /etc/postgrey or specify its path
# with --whitelist-recipients=xxx
 
postmaster@
abuse@

Spamassassin:

# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################
 
#   Add *****SPAM***** to the Subject header of spam e-mails
#
# rewrite_header Subject *****SPAM*****
 
 
#   Save spam messages as a message/rfc822 MIME attachment instead of
#   modifying the original message (0: off, 2: use text/plain instead)
#
# report_safe 1
 
 
#   Set which networks or hosts are considered 'trusted' by your mail
#   server (i.e. not spammers)
#
# trusted_networks 212.17.35.
 
 
#   Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock
 
 
#   Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0
 
 
#   Use Bayesian classifier (default: 1)
#
# use_bayes 1
 
 
#   Bayesian classifier auto-learning (default: 1)
#
# bayes_auto_learn 1
 
 
#   Set headers which may provide inappropriate cues to the Bayesian
#   classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status
 
 
#   Some shortcircuiting, if the plugin is enabled
# 
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
#   default: strongly-whitelisted mails are *really* whitelisted now, if the
#   shortcircuiting plugin is active, causing early exit to save CPU load.
#   Uncomment to turn this on
#
# shortcircuit USER_IN_WHITELIST       on
# shortcircuit USER_IN_DEF_WHITELIST   on
# shortcircuit USER_IN_ALL_SPAM_TO     on
# shortcircuit SUBJECT_IN_WHITELIST    on
 
#   the opposite; blacklisted mails can also save CPU
#
# shortcircuit USER_IN_BLACKLIST       on
# shortcircuit USER_IN_BLACKLIST_TO    on
# shortcircuit SUBJECT_IN_BLACKLIST    on
 
#   if you have taken the time to correctly specify your "trusted_networks",
#   this is another good way to save CPU
#
# shortcircuit ALL_TRUSTED             on
 
#   and a well-trained bayes DB can save running rules, too
#
# shortcircuit BAYES_99                spam
# shortcircuit BAYES_00                ham
 
endif # Mail::SpamAssassin::Plugin::Shortcircuit

Fail2Ban:

jail.conf

# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko 
#
# $Revision$
#
 
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
 
[DEFAULT]
 
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
bantime  = 600
maxretry = 3
 
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = auto
 
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
 
#
# ACTIONS
#
 
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
 
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
 
# Default protocol
protocol = tcp
 
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
 
#
# Action shortcuts. To be used to define action parameter
 
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
 
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
 
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
 
#
# JAILS
#
 
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
 
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
 
[ssh]
 
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
 
[dropbear]
 
enabled  = false
port     = ssh
filter   = sshd
logpath  = /var/log/dropbear
maxretry = 6
 
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
 
enabled  = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter   = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port     = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6
 
[xinetd-fail]
 
enabled   = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2
 
 
[ssh-ddos]
 
enabled  = false
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6
 
#
# HTTP servers
#
 
[apache]
 
enabled  = false
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6
 
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
 
enabled   = false
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6
 
[apache-noscript]
 
enabled  = false
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache*/*error.log
maxretry = 6
 
[apache-overflows]
 
enabled  = false
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache*/*error.log
maxretry = 2
 
#
# FTP servers
#
 
[vsftpd]
 
enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6
 
 
[proftpd]
 
enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6
 
 
[pure-ftpd]
 
enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = pure-ftpd
logpath  = /var/log/auth.log
maxretry = 6
 
 
[wuftpd]
 
enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6
 
 
#
# Mail servers
#
 
[postfix]
 
enabled  = false
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
 
 
[couriersmtp]
 
enabled  = false
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log
 
 
#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
 
[courierauth]
 
enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log
 
 
[sasl]
 
enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = /var/log/mail.log
 
[dovecot]
 
enabled = false
port    = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter  = dovecot
logpath = /var/log/mail.log
 
# DNS Servers
 
 
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging
 
# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    https://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled  = false
#port     = domain,953
#protocol = udp
#filter   = named-refused
#logpath  = /var/log/named/security.log
 
[named-refused-tcp]
 
enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log
@onerussian.com>

fail2ban.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#
 
[Definition]
 
# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3
 
# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log
 
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

Optimizing server for APC, and PHP.

ddemuro — Fri, 10 Oct 2014 06:52:01 +0000

Many times our servers struggle to answer to connections in time, this is why we need to optimize.

First we assume we have installed Virtualmin on Debian 7.

Second, we assume you know some of PHP and common Linux utilities.

We’ll install memcached and php5-memcache [Memcache plugin for memcached].

php5-memcache and memcached

apt-get install memcached php5-memcache

We are assuming you’ll use Memcached on the local server, so just restart the service as follows:

/etc/init.d/memcached restart

Now we restart apache… to load up everything correctly including PHP.

/etc/init.d/apache2 restart

Now lets get dirty with APC!

apt-get install php-pear

This will allow us to build new modules into php.

Now we need some dependencies to be able to compile APC.

apt-get install php5-dev apache2-prefork-dev build-essential

A long list of dependencies you’ll receive, accept them, they are GCC and others.

Now lets build APC!

pecl install apc

As I don’t have the rest on my terminal right now…

server2:~# pecl install apc
downloading APC-3.0.17.tgz ...
Starting to download APC-3.0.17.tgz (116,058 bytes)
.........................done: 116,058 bytes
47 source files, building
running: phpize
Configuring for:
PHP Api Version:         20041225
Zend Module Api No:      20060613
Zend Extension Api No:   220060519
Use apxs to set compile flags (if using APC with Apache)? [yes] : <-- ENTER

[...]

----------------------------------------------------------------------
Libraries have been installed in:
   /var/tmp/pear-build-root/APC-3.0.17/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------

Build complete.
(It is safe to ignore warnings about tempnam and tmpnam).

running: make INSTALL_ROOT="/var/tmp/pear-build-root/install-APC-3.0.17" install
Installing shared extensions:     /var/tmp/pear-build-root/install-APC-3.0.17/usr/lib/php5/20060613+lfs/
running: find "/var/tmp/pear-build-root/install-APC-3.0.17" -ls
998152    4 drwxr-xr-x   3 root     root         4096 Mar 28 15:23 /var/tmp/pear-build-root/install-APC-3.0.17
998214    4 drwxr-xr-x   3 root     root         4096 Mar 28 15:23 /var/tmp/pear-build-root/install-APC-3.0.17/usr
998215    4 drwxr-xr-x   3 root     root         4096 Mar 28 15:23 /var/tmp/pear-build-root/install-APC-3.0.17/usr/lib
998216    4 drwxr-xr-x   3 root     root         4096 Mar 28 15:23 /var/tmp/pear-build-root/install-APC-3.0.17/usr/lib/php5
998217    4 drwxr-xr-x   2 root     root         4096 Mar 28 15:23 /var/tmp/pear-build-root/install-APC-3.0.17/usr/lib/php5/20060613+lfs
998213  416 -rwxr-xr-x   1 root     root       418822 Mar 28 15:23 /var/tmp/pear-build-root/install-APC-3.0.17/usr/lib/php5/20060613+lfs/apc.so

Build process completed successfully
Installing '/var/tmp/pear-build-root/install-APC-3.0.17//usr/lib/php5/20060613+lfs/apc.so'
install ok: channel://pecl.php.net/APC-3.0.17
You should add "extension=apc.so" to php.ini
server2:~#

[FROM https://www.howtoforge.com/apc-php5-apache2-debian-etch](link is external)

If this didn’t go well, just go with apt-get install php-apc !
Now its when everything goes fuzzy… as we use virtualservers, you’ll need to configure each virtualserver APC individually and decide how much cache etc.

In our case, lets go with a client.

This should be good enough for you to start enjoying APC.

At your php.ini add this information: [if using vhosts with virtualmin…] cd /home/user/etc/->Php.ini in here.

[APC]
extension=apc.so
apc.enabled=1
apc.shm_segments=1
apc.shm_size=256M ===> This value depends on kernel.shmmax in our case would read 268435456 that would be around 256M.
;cat /proc/sys/kernel/shmmax => to read the size
apc.optimization=0
;Control TTL of Cache
apc.ttl=108000
apc.user_ttl=108000
apc.gc_ttl=108000
apc.cache_by_default=1
apc.filters="-/home/user/public_html/apc/apc\.php$"
apc.slam_defense=0
apc.use_request_time=1
apc.mmap_file_mask=/tmp/apc-user.XXXXXX
;apc.mmap_file_mask=/dev/zero
apc.file_update_protection=2
apc.enable_cli=1
apc.max_file_size=5M
;WARNING => APC.STAT checks if file changed every time b4 opening.
apc.stat=0
apc.write_lock=1
apc.report_autofilter=0
apc.include_once_override=0
apc.rfc1867=0
apc.rfc1867_prefix=upload_
apc.rfc1867_name=APC_UPLOAD_PROGRESS
apc.rfc1867_freq=0
apc.rfc1867_ttl=3600
apc.lazy_classes=0
apc.lazy_functions=0

I’d also recommend you changing the swappiness of the server to a low value, remember IO is a killer… and it’s better to max out the ram, and leave the swap for emergencies.

Normally it would be set to 60.

My test’s proven for my configurations its best to have it ~15 – ~30.

To check the actual value:

cat /proc/sys/vm/swappiness

That should print: 60 on the screen.

To change it on the fly and test it:

sysctl vm.swappiness=[value]

On reboot that will reset to default, to make it stick:

edit /etc/sysctl.conf

and add at the end of the file:

vm.swappiness=[value]

Now that will stick on every restart.

Stay tuned, i’ll keep expanding my guide into getting the best out of your servers.

Simple Bash script to monitor temperature changes in a PC.

ddemuro — Mon, 09 Dec 2013 23:21:00 +0000

Temperature monitoring script. -Find out what it mainly does.-

Overview: After having a high temperature in one of our servers and not being able to notice it as a ‘heat wave’ came in… I thought about adding to our monitoring stack a simple script to monitor the temperature and notify us in case something goes wrong.

Basically, the script will run SENSORS and parse the output from it to let us know if something goes wrong, and leave a simple logline to check the average temperatures.

So packages you’ll need : sensors.

To install install sensors and be able to run this script:

Install the lm-sensors package.
Run sudo sensors-detect and choose YES to all YES/no questions.
At the end of sensors-detect, a list of modules that needs to be loaded will displayed. Type “yes” to have sensors-detect insert those modules into /etc/modules, or edit /etc/modules yourself.
Next, run sudo service module-init-tools restart This will read the changes you made to /etc/modules in step 3, and insert the new modules into the kernel.
Copy this script to ~ (root folder), add permissions to execute chmod u+x (scriptname).sh
crontab -e add the line “@reboot /root/(scriptname).sh

#!/bin/bash
######################################################################################
# Derek Demuro, this script is given as is, CopyLEFT                                 #
######################################################################################
######################################################################################
# README                              LEAME                                          #
######################################################################################
# This script will run and check the temperature, in case of being high, MAIL!
#
############################To Set Up#################################################
#
# To set this script up, you'll need to add it to a cronjob to run on boot
# Most linux distros will allow a param @reboot /(path)/servermon.sh
# So... crontab -e
# At the bottom add: @reboot /(path)/servermon.sh
# REMEMBER TO ADD EXECUTABLE BIT TO THE FILE (777 Permissions)
######################################################################################
# SCRIPT CONFIGURATION                                                               #
######################################################################################
### Where should the log be saved?
readonly LOGNAME='servertemp.log'
### Who should we mail on error
readonly MAILTO='mail@derekdemuro.me (link sends e-mail)'
### How much time between check's?
readonly SLEEPTIME=30
###Alert if temp Above
readonly MAXTEMP=75
###ServName
readonly SERVNAME='UYMF1DEB'
##How long to sleep after message sent
readonly SLEEPERROR=216000
### How many records to keep
readonly CLEARLOGTMS=1000
######################################################################################
#################################FUNCTIONS START################################
 
###Function to clear the log
function clearLog() {
  echo 'Log cleared' > $LOGNAME
  echo 'Script will run ' $1 ' times then will clear itself'>> $LOGNAME
  return 0
}
 
#################################FUNCTIONS FINISH################################
#################################MAIN SCRIPT FUNC################################
while [ TRUE ]; do
    #add 1 to times
    times=`expr $times + 1`
    ##CLEAR THE LOG
    if [ $times -eq $CLEARLOGTMS ]; then
        clearlog
        $times=0
    fi
    ##Run script for every line in serverList
    currentTemp=`sensors|grep Core|awk '{print $3}'|cut -b2,3,3|tail -1`
    if [ $currentTemp -gt  $MAXTEMP ]; then
        echo -e "\e[00;31m`date +'%Y-%m-%d %H:%M:%S'` ALERT: Current temperature: $currentTemp, at server: $SERVNAME \e[39m"
        mail -s "ALERT: Temperature above umbral" $MAILTO -a "Reply-To: " <<< "`date +'%Y-%m-%d %H:%M:%S'` ALERT: Current temperature: $currentTemp, at server: $SERVNAME"
        sleep $SLEEPERROR
    else
        echo -e "\033[38;5;148m `date +'%Y-%m-%d %H:%M:%S'` All good: $currentTemp at server: $SERVNAME \033[39m"
    fi
  ##We sleep till new run
  sleep $SLEEPTIME
done

Bind and its glue records for FQDN.

ddemuro — Tue, 01 Oct 2013 07:14:24 +0000

Finally, it’s done! Up, working, and propagated, AT LAST, no more modifications, time to implement it to grow!

Okay, so after I’ve been fighting for a while with this zone to work, I noticed what the error was, and it was stupid.

For each ns1 zone I had at my name server, I had an equivalent IN NS ns1 (change the number for the number of DNS servers), making it recursive as crap.

It took me a while… but I finally nailed it!, my neurons made synapsis, and ITS WORKING. Such a silly error…

Removed those extra ns1/2/3/4… IN NS ns1/2/3/4 and its just working.

As through I navigated through the pages, I didn’t find a straight out answer, here it’s my solution, and FINALLY working.

Enjoy, and post any questions you may have, I’m making my zone public.

$ORIGIN .
$TTL 30 ; 30 seconds
takelan.com     IN SOA  ns1.takelan.com. admin.takelan.com. (
                2013093010 ; serial
                1200       ; refresh (20 minutes)
                120        ; retry (2 minutes)
                604800     ; expire (1 week)
                300        ; minimum (5 minutes)
                )
            NS  ns1.takelan.com.
            NS  ns2.takelan.com.
            NS  ns3.takelan.com.
            NS  ns4.takelan.com.
            NS  ns5.takelan.com.
            A   206.72.202.59
            MX  5 mail.takelan.com.
            TXT "v=spf1 +a +mx +ip4:206.72.202.59?all"
$ORIGIN takelan.com.
cdn         NS  ns1.cdn
$ORIGIN cdn.takelan.com.
ns1         NS  ns1
            A   206.72.202.59
ns2         NS  ns2.
            A   199.231.186.220
$ORIGIN takelan.com.
ftp         A   206.72.202.59
lax01           NS  ns1.lax01
            NS  ns2.lax01
            A   173.214.160.220
$ORIGIN lax01.takelan.com.
ns1         NS  ns1
            A   173.214.160.220
ns2         NS  ns2
            A   173.214.160.248
$ORIGIN takelan.com.
localhost       A   206.72.202.59
m           A   206.72.202.59
mail            A   206.72.202.59
mvd01           NS  ns1.mvd01
            NS  ns2.mvd01
            NS  ns3.mvd01
$ORIGIN mvd01.takelan.com.
ns1         NS  ns1
            A   206.72.202.59
ns2         NS  ns2
            A   199.231.186.220
ns3         NS  ns3
            A   173.214.160.248
$ORIGIN takelan.com.
natipns1        TXT "199.231.186.220"
ns1         A   206.72.202.59
ns2         A   173.214.160.220
ns3         A   174.37.196.55
ns4         A   199.231.186.220
ns5         A   173.214.160.248
sec01           NS  ns1.sec01
            NS  ns2.sec01
$ORIGIN sec01.takelan.com.
ns1         NS  ns1
            A   206.72.202.59
ns2         NS  ns2
            A   199.231.186.220
$ORIGIN takelan.com.
sec02           NS  ns1.sec02
            NS  ns2.sec02
$ORIGIN sec02.takelan.com.
ns1         NS  ns1.
            A   173.214.165.115
ns2         NS  ns2.
            A   173.214.165.116
$ORIGIN takelan.com.
webmail         A   206.72.202.59
www         A   206.72.202.59

Simple Bash script to monitor temperature changes in a PC.

ddemuro — Fri, 30 Aug 2013 03:59:51 +0000

#!/bin/bash
#######################################################################
# Read dnsServ.lst                                                    #
#  Query for all records in domain.lst for each dnsServ.lst           #
# Used for domain caching at ISPS                                     #                                                                                   #######################################################################
##Server list location
readonly servList='dnsServ.lst'
##Domains to be checked
readonly domainQ='domain.lst'
##Where to log the output
readonly outputFile='dnsCheck.log'
 
echo "" > $outputFile
 
cat $servList | while read servL
do
                cat $domainQ | while read dom
                do
                                echo "Quering $servL for domain: $dom"
                                digOutput=`dig ANY +noadditional +noquestion +nocomments +nocmd +nostats $dom. @$servL`
                                echo "$digOutput"
                                echo "$digOutput" >> $outputFile
                done
done

So there you have the script, now if you want a list of DNS’s to check your domains against…

8.8.8.8
8.8.4.4
156.154.70.1
156.154.71.1
208.67.222.222
208.67.220.220
198.153.192.1
198.153.194.1
4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4
4.2.2.5
4.2.2.6
67.138.54.100
207.225.209.66
85.88.19.10
85.88.19.11
87.118.100.175
94.75.228.28
62.141.58.13
85.25.251.254
85.214.73.63
212.82.225.7
212.82.226.212
213.73.91.35
58.6.115.42
58.6.115.43
119.31.230.42
200.252.98.162
217.79.186.148
82.229.244.191
216.87.84.211
66.244.95.20
204.152.184.76
194.150.168.168
80.237.196.2
194.95.202.198
88.198.130.211
78.46.89.147
129.206.100.126
79.99.234.56
208.67.220.220
208.67.222.222
156.154.70.22
156.154.71.22
85.25.149.144
87.106.37.196
8.8.8.8
8.8.4.4
88.198.24.111
58.6.115.42
202.83.95.227
119.31.230.42
217.79.186.148
178.63.26.173
178.63.26.174
27.110.120.30
89.16.173.11
210.80.60.1
210.80.60.2
199.166.24.253
199.166.27.253
199.166.28.10
199.166.29.3
199.166.31.3
195.117.6.25
204.57.55.100
4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4
4.2.2.5
4.2.2.6
64.129.67.101
64.129.67.102
64.129.67.103
151.197.0.38
151.197.0.39
151.202.0.84
151.202.0.85
151.202.0.85
151.203.0.84
151.203.0.85
199.45.32.37
199.45.32.38
199.45.32.40
199.45.32.43
192.76.85.133
206.124.64.1
67.138.54.100
220.233.167.31
199.166.31.3
66.93.87.2
216.231.41.2
216.254.95.2
64.81.45.2
64.81.111.2
64.81.127.2
64.81.79.2
64.81.159.2
66.92.64.2
66.92.224.2
66.92.159.2
64.81.79.2
64.81.159.2
64.81.127.2
64.81.45.2
216.27.175.2
66.92.159.2
66.93.87.2
199.2.252.10
204.97.212.10
204.117.214.10
64.102.255.44
128.107.241.185

Server Monitor little dirty script.

ddemuro — Fri, 02 Aug 2013 04:25:28 +0000

#!/bin/bash
################################################################################
# Derek Demuro, this script is given as is, CopyLEFT                           #
################################################################################
################################################################################
# README                              LEAME                                    #
################################################################################
# This script will keep checking load, and log it.
# Once the log hits the high load, its time to shutdown services and recall
# memory, this way we avoid running into a kernel panic.
# If we had DDOS attack, as services are down, the server won't be killed
# Once the attack ends, the load will come down, and the services will load up 
# again
#
# The script will be modified later on to use functions, but not for now.
############################To Set Up###########################################
#
# To set this script up, you'll need to add it to a cronjob to run on boot
# Most linux distros will allow a param @reboot (link is external) /(path)/servermon.sh
# So... crontab -e
# At the bottom add: @reboot (link is external) /(path)/servermon.sh
# REMEMBER TO ADD EXECUTABLE BIT TO THE FILE (777 Permissions)
################################################################################
# SCRIPT CONFIGURATION                                                         #
################################################################################
 
#Initialize counter
times=0
  
#How many times to run before clearing log
linestoclear=$1
#Critical load to stop everything and restart
highload=$2
#Wait till load gets to this load
lowload=$3
  
#Wait for highload
high=$4
#Wait for midload
mid=$5
#Wait more for lowload
low=$6
################################################################################
#Log how many lines to log
echo 'Script will run ' $1 ' times then will clear itself, High load: ' $highload 'Will wait to: ' $lowload "HighWait: $high, MidWait: $mid, LowWait: $low"
  
while [ 0 ]
do
    #add 1 to times
    times=`expr $times + 1`
    #check = load at the moment
    check=`cat /proc/loadavg | sed 's/\./ /' | awk '{print $1}'`
    date=`date`
    #Print of the time the cron started.
    echo 'Load at the moment' $check 'at date ' $date 'script ran: ' $times ' times'
    #How many times did it run?
    if [ $times -eq $linestoclear ]
    then
        #Clean the log!
        echo 'Log cleared' > hsysmon.log
        echo 'Script will run ' $1 ' times then will clear itself'
        times=0
    fi
    #If load > 10
    if [ $check -gt $highload ]
    then
        #Apache STOP
        var=`service apache2 stop`
        #Moment of shutdown
        date=`date`
        msg='Highload autorestart did run and load average was: '
        echo 'At: ' $date 'With load: ' $check 'services shutted down successfoully'
        #Sleep while HIGH LOAD
            while [ $check -gt $lowload ]
            do
                if [ $check -gt $high ]
                then
                    sleep $high
                else
                    if [ $check -gt $mid ]
                    then
                        sleep $mid
                    else
                        if [ $check -gt $low ]
                        then
                            sleep $low
                        else
                            sleep 3                     
                        fi                
                    fi
                fi            
                #New check
                check=`cat /proc/loadavg | sed 's/\./ /' | awk '{print $1}'`
            done
        #Continue
        echo 'Restarting on load: ' $check
        #Apache START
        apacheres=`service apache2 start`
        #Prints
        echo '#######################Apache Restart Log###########################'
        echo  $apacheres
        echo '#######################Apache Restart Log###########################'
        echo '###########-----------------------------------------################'
     fi
#Keep checking load
sleep 3
done

TakeLAN Connector- Administration to the next level

ddemuro — Sun, 14 Apr 2013 06:00:19 +0000

The idea behind MultiAll.

Abstract:

The problem of managing multiple servers that do similar stuff and are used to host in house applications. Avoiding configuration time hogs and automation of server configuration, allowing fast deployments with no scaling limit.

The problem:

The problem with MultiAll is having all the servers on sync when they are indifferent “Farms or Grids” and the fact that one server can provide services to more than one purpose. This is why we invent the “Pool system” where all the servers respond or act for a defined pool.

If a server responds to multiple pools the aggregation of every pool is the server.

Understanding how we can make it work:

It’s possible to merge more than one server to work for a common goal under our research, making some modifications to the typical database-driven apps to have a cache table. When that server is unable to communicate to others under the same pool, they save the changes they have to make to their brother servers, and later on, when they are back online, deploy the changes.

On the file system side, every server is responsible for keeping others from the same pool up to date, bi partitioning the problem as every server is responsible for others and themselves. We’re doing similar to how Rsync works, and we would only push differences between servers under a secure connection IE: (VPN).

By this moment we would have a DB Layer abstraction for multiple servers responding to a DB and file system.

Next is the Domain Name Server problem. We don’t want clients to reach servers offline due to maintenance or issues; for this, we’re developing on BIND 9 an abstraction layer that every server in a pool must be “Network-Aware” of others of his kind. If he’s unable to reach others, he must change the DNS registry to reflect the changes.

How MultiAll solves the problem:

MultiAll will work as a service provider inside the server, as a global abstraction layer. Once the application is provided with a bridge or connection layer to it, it would take advantage of the system. MultiAll has as key features:

Topology-Aware Neighboring System (TNS): provides a topology discovery service for the servers (or “nodes”), which may eventually “recalculate” the topology in case of unexpected downtime (such as network, power or hardware failures, among others) or instances of planned downtime (such as server maintenance, hardware upgrades or migrations). The different synchronization agents of the “Multi All” depend on information learned through TNS; therefore, it is considered a critical component of the “Multi All” system.
System Baseline Monitor (SBM, formerly known as “checker”): provides a 24/7 server health monitoring, locally on each server (or “node”) using “Baseline Rules.” These rules are defined on a “per pool” or “per server” basis, allowing the configuration to be as granular as needed, making exceptions if the need arises. The health status is published via TNS using standardized codes known as “SBM Statuses.” It is also considered a critical component of the “Multi All” system.
File System Synchronization Agent (FS-SA): lets you define structures inside your filesystem to keep synchronized across a pool of servers. FS-SA, used in combination with the rest of the “Multi All’s” Synchronization Agents (SA’s), provides you with high availability, data redundancy, and server load balancing on your pool of servers.
Software and Libraries Synchronization Agent (SL-SA): especially useful for large-scale unattended deployments, the SL-SA keeps all your software packages, services, and libraries consistent across the pool, raising awareness to the system administrators when possible conflicts, incompatibilities or other issues arise.
Database Synchronization Agent (DB-SA): keeps the different database servers of the pool synchronized. Depending on the needs of the underlying applications, the DB-SA may keep the DBs in perfect sync, or you could define your database synchronization policies.
Domain Name System Synchronization Agent (DNS-SA): keeps the DNS zones up to date with the pool’s topology either via a pull-push synchronization mechanism (handled by the FS-SA) or by rebuilding the DNS zone according to the topology discovered by the TNS.

The project has gotten a bit more ambitious… so here is how its changed!

Okay, so some research has been going on, and the project has been growing quite a bit. Among the changes that have been happening around, it has gotten bigger, now all the things stated before, are part of a much larger system.
TakeConnector will now be the daemon that will keep our infrastructure.