named-checkzone

Do you need to check the zone file syntax from the command line after making a change? You can run the following:

named-checkzone domain.com /var/named/domain.com.db

Results should be similar to

zone domain.com/IN: loaded serial 20190xxxxx
OK
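A syntax check alone does not catch the most common zone-editing mistake, which is forgetting to bump the SOA serial so secondaries never transfer the change. The following is an added example, not part of the original post: it wraps named-checkzone, pulls the "loaded serial" out of its output, and compares that serial with the one the running server is currently answering with (RFC 1982 serial arithmetic, so wrapped serials are handled). It assumes named-checkzone and dig are installed and that the server to compare against answers on 127.0.0.1; the CHECKER variable is only there so the wrapper can be exercised without a real zone file.

```shell
#!/bin/sh
# Added example (not from the original post): pre-reload check for a zone file.
# Runs named-checkzone, extracts the serial it reports, and refuses to proceed
# if that serial is not newer than the one the live server is serving.
# Assumptions: named-checkzone and dig are installed; the server being
# compared against answers on 127.0.0.1 (third argument of precheck_zone).

# Pull the serial out of named-checkzone output such as
#   zone domain.com/IN: loaded serial 2019042301
serial_from_checkzone() {
    printf '%s\n' "$1" | sed -n 's/^zone .*: loaded serial \([0-9][0-9]*\).*/\1/p'
}

# Run the checker (named-checkzone unless CHECKER overrides it) on a zone file
# and print the serial it loaded. Fails, echoing the checker's output to
# stderr, when the zone does not load.
check_zone() {
    zone=$1; file=$2
    out=$("${CHECKER:-named-checkzone}" "$zone" "$file") || {
        printf '%s\n' "$out" >&2
        return 1
    }
    serial_from_checkzone "$out"
}

# Serial currently served for a zone: the third field of the SOA record.
live_serial() {
    dig +short SOA "$1" @"${2:-127.0.0.1}" | awk '{print $3}'
}

# RFC 1982 serial arithmetic: true when $2 is newer than $1, i.e. the 32-bit
# wrapped difference lies between 1 and 2^31 - 1.
serial_is_newer() {
    old=$1; new=$2
    d=$(( (new - old) & 4294967295 ))
    [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]
}

# Tie it together: syntax check first, then compare against the served serial.
# Exit 1 = zone does not load, exit 2 = serial was not bumped.
precheck_zone() {
    zone=$1; file=$2; server=${3:-127.0.0.1}
    new=$(check_zone "$zone" "$file") || return 1
    cur=$(live_serial "$zone" "$server")
    if [ -n "$cur" ] && ! serial_is_newer "$cur" "$new"; then
        echo "$zone: serial $new is not newer than served serial $cur; bump the SOA serial" >&2
        return 2
    fi
    echo "$zone: OK, serial $new (served: ${cur:-none})"
}

# Usage:
#   precheck_zone domain.com /var/named/domain.com.db && rndc reload domain.com
```

Because the serial comparison uses the wrapped 32-bit difference rather than a plain numeric compare, a date-based serial that rolls past 4294967295 is still recognised as newer, and a serial that was accidentally set lower than the served one is rejected instead of silently leaving secondaries on the old data.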

Linux Kernel Tuning

Do you need help tweaking your Linux operating system for the best performance? Just contact me and I’ll be more than happy to assist you.

Tuning involves I/O scheduler tuning, ACPI power management, networking performance tuning, and even web-site tuning *WordPress/Joomla!*.

Contact me

exim eXploit – cPanel

After some extensive reading and working through an older version of the EXIM mail daemon, which is commonly used in cPanel, it appears there is a nasty bug in that older version of EXIM.

READ MORE ABOUT THE EXIM eXploit

You will need to patch any older versions NOW or simply upgrade. There is a worm going around exploiting those EXIM versions. If you have any issues or need help, I am here to assist. https://tickets.linuxgu.com/open.php – Submit a ticket and I get e-mailed directly.

Certbot Free SSL

Certbot has finally published instructions for the majority of Linux distros with various web servers. You can find all the instructions at this magical link:

https://certbot.eff.org/all-instructions  

Here is an example of installing Certbot on a NagiosXI server:

[root@nagios ~]# wget https://dl.eff.org/certbot-auto
--2019-04-23 16:32:45-- https://dl.eff.org/certbot-auto
Resolving dl.eff.org… 151.101.0.201, 151.101.64.201, 151.101.128.201, …
Connecting to dl.eff.org|151.101.0.201|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 63564 (62K) [application/octet-stream]
Saving to: `certbot-auto'
100%[================================================================================>] 63,564 --.-K/s in 0.003s
2019-04-23 16:32:45 (17.8 MB/s) - `certbot-auto' saved [63564/63564]
[root@nagios ~]# sudo mv certbot-auto /usr/local/bin/certbot-auto
[root@nagios ~]# sudo chown root /usr/local/bin/certbot-auto
[root@nagios ~]# sudo chmod 0755 /usr/local/bin/certbot-auto
[root@nagios ~]# cert
certbot-auto certutil
[root@nagios ~]# certbot-auto
Bootstrapping dependencies for RedHat-based OSes that will use Python3… (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
yum is hashed (/usr/bin/yum)
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
base: mirror.steadfastnet.com
epel: fedora-epel.mirror.lstn.net
extras: mirror.jaleco.com
updates: mirror.hackingand.coffee
Package gcc-4.4.7-23.el6.x86_64 already installed and latest version
Package openssl-1.0.1e-57.el6.x86_64 already installed and latest version
Package openssl-devel-1.0.1e-57.el6.x86_64 already installed and latest version
Package redhat-rpm-config-9.0.3-51.el6.centos.noarch already installed and latest version
Package ca-certificates-2018.2.22-65.1.el6.noarch already installed and latest version
Package 1:mod_ssl-2.2.15-69.el6.centos.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package augeas-libs.x86_64 0:1.0.0-10.el6 will be installed
---> Package libffi-devel.x86_64 0:3.0.5-3.2.el6 will be installed
---> Package python34.x86_64 0:3.4.8-1.el6 will be installed
--> Processing Dependency: python34-libs(x86-64) = 3.4.8-1.el6 for package: python34-3.4.8-1.el6.x86_64
--> Processing Dependency: libpython3.4m.so.1.0()(64bit) for package: python34-3.4.8-1.el6.x86_64
---> Package python34-devel.x86_64 0:3.4.8-1.el6 will be installed
--> Processing Dependency: python-rpm-macros for package: python34-devel-3.4.8-1.el6.x86_64
--> Processing Dependency: python3-rpm-macros for package: python34-devel-3.4.8-1.el6.x86_64
---> Package python34-tools.x86_64 0:3.4.8-1.el6 will be installed
--> Processing Dependency: python34-tkinter = 3.4.8-1.el6 for package: python34-tools-3.4.8-1.el6.x86_64
--> Running transaction check
---> Package python-rpm-macros.noarch 0:3-14.el6 will be installed
--> Processing Dependency: python-srpm-macros for package: python-rpm-macros-3-14.el6.noarch
---> Package python3-rpm-macros.noarch 0:3-14.el6 will be installed
---> Package python34-libs.x86_64 0:3.4.8-1.el6 will be installed
---> Package python34-tkinter.x86_64 0:3.4.8-1.el6 will be installed
--> Processing Dependency: libtcl8.5.so()(64bit) for package: python34-tkinter-3.4.8-1.el6.x86_64
--> Processing Dependency: libtk8.5.so()(64bit) for package: python34-tkinter-3.4.8-1.el6.x86_64
--> Running transaction check
---> Package python-srpm-macros.noarch 0:3-14.el6 will be installed
---> Package tcl.x86_64 1:8.5.7-6.el6 will be installed
---> Package tk.x86_64 1:8.5.7-5.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==========================================================================================================================
Package Arch Version Repository Size
Installing:
augeas-libs x86_64 1.0.0-10.el6 base 314 k
libffi-devel x86_64 3.0.5-3.2.el6 base 18 k
python34 x86_64 3.4.8-1.el6 epel 50 k
python34-devel x86_64 3.4.8-1.el6 epel 186 k
python34-tools x86_64 3.4.8-1.el6 epel 426 k
Installing for dependencies:
python-rpm-macros noarch 3-14.el6 epel 6.6 k
python-srpm-macros noarch 3-14.el6 epel 5.8 k
python3-rpm-macros noarch 3-14.el6 epel 5.4 k
python34-libs x86_64 3.4.8-1.el6 epel 8.4 M
python34-tkinter x86_64 3.4.8-1.el6 epel 336 k
tcl x86_64 1:8.5.7-6.el6 base 1.9 M
tk x86_64 1:8.5.7-5.el6 base 1.4 M
Transaction Summary
Install 12 Package(s)
Total download size: 13 M
Installed size: 41 M
Is this ok [y/N]: y
Downloading Packages:
(1/12): augeas-libs-1.0.0-10.el6.x86_64.rpm | 314 kB 00:00
(2/12): libffi-devel-3.0.5-3.2.el6.x86_64.rpm | 18 kB 00:00
(3/12): python-rpm-macros-3-14.el6.noarch.rpm | 6.6 kB 00:00
(4/12): python-srpm-macros-3-14.el6.noarch.rpm | 5.8 kB 00:00
(5/12): python3-rpm-macros-3-14.el6.noarch.rpm | 5.4 kB 00:00
(6/12): python34-3.4.8-1.el6.x86_64.rpm | 50 kB 00:00
(7/12): python34-devel-3.4.8-1.el6.x86_64.rpm | 186 kB 00:00
(8/12): python34-libs-3.4.8-1.el6.x86_64.rpm | 8.4 MB 00:00
(9/12): python34-tkinter-3.4.8-1.el6.x86_64.rpm | 336 kB 00:00
(10/12): python34-tools-3.4.8-1.el6.x86_64.rpm | 426 kB 00:00
(11/12): tcl-8.5.7-6.el6.x86_64.rpm | 1.9 MB 00:00
(12/12): tk-8.5.7-5.el6.x86_64.rpm | 1.4 MB 00:00
Total 11 MB/s | 13 MB 00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : python34-libs-3.4.8-1.el6.x86_64 1/12
Installing : python34-3.4.8-1.el6.x86_64 2/12
Installing : 1:tcl-8.5.7-6.el6.x86_64 3/12
Installing : 1:tk-8.5.7-5.el6.x86_64 4/12
Installing : python34-tkinter-3.4.8-1.el6.x86_64 5/12
Installing : python-srpm-macros-3-14.el6.noarch 6/12
Installing : python-rpm-macros-3-14.el6.noarch 7/12
Installing : python3-rpm-macros-3-14.el6.noarch 8/12
Installing : python34-devel-3.4.8-1.el6.x86_64 9/12
Installing : python34-tools-3.4.8-1.el6.x86_64 10/12
Installing : augeas-libs-1.0.0-10.el6.x86_64 11/12
Installing : libffi-devel-3.0.5-3.2.el6.x86_64 12/12
Verifying : python-rpm-macros-3-14.el6.noarch 1/12
Verifying : 1:tcl-8.5.7-6.el6.x86_64 2/12
Verifying : python34-tkinter-3.4.8-1.el6.x86_64 3/12
Verifying : python34-3.4.8-1.el6.x86_64 4/12
Verifying : python3-rpm-macros-3-14.el6.noarch 5/12
Verifying : python34-libs-3.4.8-1.el6.x86_64 6/12
Verifying : libffi-devel-3.0.5-3.2.el6.x86_64 7/12
Verifying : python-srpm-macros-3-14.el6.noarch 8/12
Verifying : augeas-libs-1.0.0-10.el6.x86_64 9/12
Verifying : 1:tk-8.5.7-5.el6.x86_64 10/12
Verifying : python34-devel-3.4.8-1.el6.x86_64 11/12
Verifying : python34-tools-3.4.8-1.el6.x86_64 12/12
Installed:
augeas-libs.x86_64 0:1.0.0-10.el6 libffi-devel.x86_64 0:3.0.5-3.2.el6 python34.x86_64 0:3.4.8-1.el6
python34-devel.x86_64 0:3.4.8-1.el6 python34-tools.x86_64 0:3.4.8-1.el6
Dependency Installed:
python-rpm-macros.noarch 0:3-14.el6 python-srpm-macros.noarch 0:3-14.el6 python3-rpm-macros.noarch 0:3-14.el6
python34-libs.x86_64 0:3.4.8-1.el6 python34-tkinter.x86_64 0:3.4.8-1.el6 tcl.x86_64 1:8.5.7-6.el6
tk.x86_64 1:8.5.7-5.el6
Complete!
Creating virtual environment…
Installing Python packages…
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory

(A)gree/(C)ancel: A

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: Y
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): nagios.xxx.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nagios.xxx.com
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
IMPORTANT NOTES:
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
-------------------------
So at this point I needed to add a <VirtualHost> entry in the /etc/apache/conf.d/nagios.conf to get this to work.
----------------------------
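The port-80 <VirtualHost> the apache plugin was asking for, as an added example that is not the post's own configuration. The hostname, DocumentRoot and log names are placeholders to replace; the file is assumed to live in /etc/httpd/conf.d/ next to the nagios-le-ssl.conf that Certbot writes later in the session.

```apache
# Added example, not the post's own config: a minimal name-based vhost on
# port 80 so Certbot's apache plugin can find a host for nagios.example.com
# and answer the http-01 challenge over plain HTTP.
<VirtualHost *:80>
    # Must match the name typed at the Certbot prompt; the plugin picks the
    # vhost by ServerName/ServerAlias.
    ServerName nagios.example.com
    DocumentRoot /var/www/html

    # Separate logs make the challenge requests easy to spot when a
    # validation fails.
    ErrorLog logs/nagios-error_log
    CustomLog logs/nagios-access_log combined
</VirtualHost>
```

Listen 80 is already present in the stock httpd.conf on CentOS, so it is not repeated here (a second Listen 80 makes httpd fail to bind). Run apachectl configtest and reload httpd before re-running certbot-auto; the challenge path /.well-known/acme-challenge/ sits at the DocumentRoot, outside the Basic-auth protected /nagios location, so no extra access rule is needed for it.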

$ certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?

1: nagios.xxx.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nagios.xxx.com
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/nagios-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/nagios-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Congratulations! You have successfully enabled https://nagios.xxx.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=nagios.xxx.com

IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/nagios.xxx.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/nagios.xxx.com/privkey.pem
Your cert will expire on 2019-07-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the "certonly" option. To non-interactively renew all
of your certificates, run "certbot-auto renew"
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
[root@nagios conf.d]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@nagios conf.d]#


Apache Won’t Start

  • Clear out your active semaphores

Semaphores? What the heck is a semaphore? Well, it’s actually an apparatus for conveying information by means of visual signals. But, when it comes to programming, semaphores are used for communicating between the active processes of a certain application. In the case of Apache, they’re used to communicate between the parent and child processes. If Apache can’t write these things down, then it can’t communicate properly with all of the processes it starts.

ipcs -s

If you see a list of semaphores, Apache has not cleaned up after itself, and some semaphores are stuck. Clear them out with this command:

for i in $(ipcs -s | awk '/httpd/ {print $2}'); do ipcrm -s "$i"; done

Now, in almost all cases, Apache should start properly. If it doesn’t, you may just be completely out of available semaphores. You may want to increase your available semaphores, and you’ll need to tickle your kernel to do so. Add this to /etc/sysctl.conf:

kernel.msgmni = 1024
kernel.sem = 250 256000 32 1024

And then run sysctl -p to pick up the new changes.
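The clean-up loop above and the kernel.sem limit are two halves of the same check, so here is one added example that is not from the original post. It selects semaphore arrays by the owner column of ipcs -s rather than by a regex over the whole line (so a database or another daemon running on the same box does not lose its arrays), supports a dry run, and reports how many arrays are in use against SEMMNI, the fourth kernel.sem value. It assumes the Apache worker user is "apache" (the CentOS default; other distros use "nobody" or "www-data"); the ipcs sample embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): clear stuck Apache semaphore
# arrays by owner and report usage against the kernel.sem SEMMNI limit.
# Assumes the Apache worker user is "apache" (CentOS default).

# Constructed `ipcs -s` output so the parsing functions can be exercised
# without touching the running system.
SAMPLE_IPCS='------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 32768      apache     600        1
0x00000000 65537      apache     600        1
0x00000000 98306      postgres   600        17
'

# Print the semids owned by $1 from `ipcs -s` output read on stdin. Matching
# the owner column exactly keeps other daemons' arrays out of the removal list.
semids_owned_by() {
    awk -v o="$1" '$3 == o && $2 ~ /^[0-9]+$/ { print $2 }'
}

# Count semaphore arrays in `ipcs -s` output read on stdin (header rows have a
# non-numeric second column and are skipped).
count_sem_arrays() {
    awk '$2 ~ /^[0-9]+$/ { n++ } END { print n + 0 }'
}

# SEMMNI, the maximum number of arrays, is the fourth value of kernel.sem.
semmni_from_sysctl() {
    # $1 is a line like: kernel.sem = 250 256000 32 1024
    printf '%s\n' "$1" | awk -F'=' '{ split($2, v, " "); print v[4] }'
}

# Remove every semaphore array owned by $1. Only meaningful with Apache
# stopped; pass "echo" as $2 to dry-run and see which ids would be removed.
clear_semaphores() {
    owner=$1; run=${2:-}
    ipcs -s | semids_owned_by "$owner" | while read -r id; do
        $run ipcrm -s "$id"
    done
}

# Report arrays in use versus the kernel limit, which tells you whether the
# box is simply out of semaphores rather than holding a few stale ones.
sem_usage() {
    used=$(ipcs -s | count_sem_arrays)
    limit=$(semmni_from_sysctl "$(sysctl kernel.sem)")
    echo "semaphore arrays: $used in use, SEMMNI limit $limit"
}

# Typical use:
#   service httpd stop; clear_semaphores apache echo   # dry run first
#   clear_semaphores apache; service httpd start
#   sem_usage
```

If sem_usage shows the count sitting at the SEMMNI limit even after a clean-up, raising the fourth kernel.sem value (1024 in the sysctl.conf lines above) is the fix; if the count is low, the problem is stale arrays and clearing them is enough.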

CSF – Proactive Firewall

There is a saying that goes, “if you leave the door unlocked, they will barge in”.

I believe that saying applies even to Linux systems. The firewall is the most important tool you’ll need to avoid intrusion, attacks, and break-ins.

In late 2011 while I was employed for a Shared Hosting company I fell in love with CSF (https://configserver.com/cp/csf.html).

CSF can be configured on almost anything with or without cPanel. I will provide some more information as I update this article. Be safe!