1, Security Hardening
-------------------
a, Compare the versions of PHP, MySQL and Apache on both servers. Unless the client has a specific requirement, keep the same versions on both servers. Also verify whether PHP runs as an Apache module or as CGI on both servers.
b, Install CSF and do the normal security hardening.
c, Set cPanel to a stable release and run a forced update:
/scripts/upcp --force
d, Check the IPs available on the new server and the domains that have dedicated SSL certificates.
Inform the client if additional IPs are required.
e, Check which PHP and Apache modules are enabled on the old server and enable the same ones on the new server.
2, Migration
Once the configurations are identical, we can start the migration. Enable SSH key access from the old server to the new server so that we are not prompted for a password each time.
Copy the contents of /root/.ssh/id_dsa.pub from the old server and append them to /root/.ssh/authorized_keys on the new server.
If there is no /root/.ssh/id_dsa.pub, create an SSH key:
ssh-keygen -t dsa
Press Enter at all prompts so the key is created with the default values. Copy the public key and paste it into /root/.ssh/authorized_keys on the new server. This gives passwordless key authentication between the two servers.
Make a list of all the accounts on the old server:
awk '{print $2}' /etc/trueuserdomains > /root/transferlist
Take backups of the accounts with cPanel's pkgacct script using the skip-home-directory option, and copy each package to the new server:
for i in `cat /root/transferlist`
do
    # Package the account without its home directory (/home is rsynced later)
    /scripts/pkgacct --skiphomedir "$i" >> /home/pkgfile
    # pkgacct writes the archive as /home/cpmove-<user>.tar.gz
    acc=/home/cpmove-$i.tar.gz
    scp -P 2411 "$acc" root@65.98.85.226:/home
    ls -lh "$acc"
    rm -f "$acc"
done
Copy the account list (/root/transferlist) to the new server and restore the accounts:
for i in `cat /root/transferlist`; do /scripts/restorepkg $i >> /home/restorefile; done
Rsync the home directories once the restore has completed. Run the following from the old server:
rsync -avz -e "ssh -p 2411" /home/* root@65.98.85.226:/home/
Migrate all the packages (/var/cpanel/packages) from the old server to the new one.
3, Post Migration.
Check whether all the accounts have been restored on the new server.
-----------------------------------------------
1. Copy /etc/trueuserdomains from the old server to the new server, e.g. to /backup/trueuserdomains.
2. Run this on the new server to list the domains from the old file that are not found in the new server's /etc/trueuserdomains:
for i in `cat /backup/trueuserdomains | awk {'print $1'}| cut -d: -f 1`; do if grep -q $i /etc/trueuserdomains; then echo "FOUND $i"; else echo "$i NOT FOUND";fi; done | grep NOT > /root/missingtrueuserdomains
If /root/missingtrueuserdomains is empty, all accounts were copied from the old server to the new server.
If /home was copied with rsync, use the following steps to see whether any home directory failed to copy over to the new server.
1. Make a list of home directories on the OLD server:
ls -d /home/*/ | cut -d/ -f 3 > /root/olddirs
2. scp this file to the /backup folder of the NEW server, so that it lies at /backup/olddirs.
3. Make a list of the current home directories on the NEW server:
ls -d /home/*/ | cut -d/ -f 3 > /root/newdirs
4. Compare, from the NEW server:
for i in `cat /backup/olddirs`; do if grep -q $i /root/newdirs ; then echo "FOUND $i"; else echo "$i NOT FOUND";fi; done | grep NOT > /root/missinghomedirs
This gives the list of home directories that are present on the OLD server but absent on the NEW server.
Check that every account in /etc/trueuserdomains has an entry in httpd.conf:
for i in `cat /etc/trueuserdomains | awk {'print $1'}| cut -d: -f 1`; do if grep -q $i /usr/local/apache/conf/httpd.conf; then echo "FOUND $i"; else echo "$i NOT FOUND";fi; done | grep NOT > /root/missingapacheentries
Check that every account in /etc/trueuserdomains has an entry in /etc/named.conf:
for i in `cat /etc/trueuserdomains | awk {'print $1'}| cut -d: -f 1`; do if grep -q $i /etc/named.conf ; then echo "FOUND $i"; else echo "$i NOT FOUND";fi; done | grep NOT > /root/missingnamedentries
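The four comparison loops above all do the same thing: take a list from the old server and grep each entry in a file on the new server. Note that a plain grep is a substring match, so "example.com" counts as FOUND when only "myexample.com" exists. The script below is an added example, not part of the original post, that factors the check into one function with whole-word, fixed-string matching; the demo data (domain names, file contents) is constructed for the example, and the file names olddomains/newdomains are placeholders for the lists the post writes to /root and /backup.

```shell
#!/bin/sh
# Added example: reusable "every old entry exists on the new server" check.
# Uses fixed-string, whole-word grep so "example.com" is not reported as
# present just because "myexample.com" exists in the target file.

# domains_of FILE -> print the domain column of a trueuserdomains-style
# file whose lines look like "domain.tld: user".
domains_of() {
    awk -F': *' 'NF >= 2 { print $1 }' "$1"
}

# missing_entries LIST TARGET
# Print "<entry> NOT FOUND" for every line of LIST that does not occur as a
# whole word in TARGET. Returns 0 when nothing is missing, 1 otherwise.
missing_entries() {
    list=$1; target=$2; rc=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if ! grep -qFw -- "$entry" "$target"; then
            printf '%s NOT FOUND\n' "$entry"
            rc=1
        fi
    done < "$list"
    return $rc
}

# Constructed demo data (not real servers): the old server has three
# accounts, the new one only has a near-miss name and one real match.
demo_missing_domains() {
    tmp=$(mktemp -d)
    printf 'example.com: exampl\nshop.example.net: shop\nold-site.org: oldsite\n' \
        > "$tmp/old_trueuserdomains"
    printf 'myexample.com: myexampl\nshop.example.net: shop\n' \
        > "$tmp/new_trueuserdomains"
    domains_of "$tmp/old_trueuserdomains" > "$tmp/olddomains"
    domains_of "$tmp/new_trueuserdomains" > "$tmp/newdomains"
    # Expected: example.com and old-site.org are reported, shop.example.net is not.
    missing_entries "$tmp/olddomains" "$tmp/newdomains" && echo "all present"
    rm -rf "$tmp"
}

demo_missing_domains
```

On a real migration you would run domains_of over /backup/trueuserdomains (old) and /etc/trueuserdomains (new) and then missing_entries over the two results; the same function serves the home-directory, httpd.conf and named.conf checks by changing the TARGET argument.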
Assign dedicated IPs to the domains that had them on the old server and copy their SSL certificates from the old server.
To check domains have dedicated IPs -- cat /etc/domainips
To check domains have private SSL installed -- cat /etc/ssldomains
Thursday, January 20, 2011
Nagios Installation
What You'll End Up With
If you follow these instructions, here's what you'll end up with:
* Nagios and the plugins will be installed underneath /usr/local/nagios
* Nagios will be configured to monitor a few aspects of your local system (CPU load, disk usage, etc.)
* The Nagios web interface will be accessible at http://localhost/nagios/
Prerequisites
During portions of the installation you'll need to have root access to your machine.
Make sure you've installed the following packages on your Fedora installation before continuing.
* Apache
* PHP
* GCC compiler
* GD development libraries
You can use yum to install these packages by running the following commands (as root):
yum install httpd php
yum install gcc glibc glibc-common
yum install gd gd-devel
1) Create Account Information
Become the root user.
su -l
Create a new nagios user account and give it a password.
/usr/sbin/useradd -m nagios
passwd nagios
Create a new nagcmd group for allowing external commands to be submitted through the web interface. Add both the nagios user and the apache user to the group.
/usr/sbin/groupadd nagcmd
/usr/sbin/usermod -a -G nagcmd nagios
/usr/sbin/usermod -a -G nagcmd apache
2) Download Nagios and the Plugins
Create a directory for storing the downloads.
cd /usr/src
Download the source code tarballs of both Nagios and the Nagios plugins (visit http://www.nagios.org/download/ for links to the latest versions). These directions were tested with Nagios 3.1.1 and Nagios Plugins 1.4.11.
wget http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.2.1.tar.gz
wget http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.11.tar.gz
3) Compile and Install Nagios
Extract the Nagios source code tarball.
cd /usr/src
tar xzf nagios-3.2.1.tar.gz
cd nagios-3.2.1
Run the Nagios configure script, passing the name of the group you created earlier like so:
./configure --with-command-group=nagcmd
Compile the Nagios source code.
make all
Install binaries, init script, sample config files and set permissions on the external command directory.
make install
make install-init
make install-config
make install-commandmode
Don't start Nagios yet - there's still more that needs to be done...
4) Customize Configuration
Sample configuration files have now been installed in the /usr/local/nagios/etc directory. These sample files should work fine for getting started with Nagios. You'll need to make just one change before you proceed...
Edit the /usr/local/nagios/etc/objects/contacts.cfg config file with your favorite editor and change the email address associated with the nagiosadmin contact definition to the address you'd like to use for receiving alerts.
vi /usr/local/nagios/etc/objects/contacts.cfg
5) Configure the Web Interface
Install the Nagios web config file in the Apache conf.d directory.
make install-webconf
Create a nagiosadmin account for logging into the Nagios web interface. Remember the password you assign to this account - you'll need it later.
htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
Restart Apache to make the new settings take effect.
service httpd restart
Note: Consider implementing the enhanced CGI security measures described in the Nagios documentation to ensure that your web authentication credentials are not compromised.
6) Compile and Install the Nagios Plugins
Extract the Nagios plugins source code tarball.
cd /usr/src
tar xzf nagios-plugins-1.4.11.tar.gz
cd nagios-plugins-1.4.11
Compile and install the plugins.
./configure --with-nagios-user=nagios --with-nagios-group=nagios
make
make install
7) Start Nagios
Add Nagios to the list of system services and have it automatically start when the system boots.
chkconfig --add nagios
chkconfig nagios on
Verify the sample Nagios configuration files.
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
If there are no errors, start Nagios.
service nagios start
8) Modify SELinux Settings
Fedora ships with SELinux (Security Enhanced Linux) installed and in Enforcing mode by default. This can result in "Internal Server Error" messages when you attempt to access the Nagios CGIs.
See if SELinux is in Enforcing mode.
getenforce
Put SELinux into Permissive mode.
setenforce 0
To make this change permanent, you'll have to modify the settings in /etc/selinux/config and reboot.
For information on running the Nagios CGIs under Enforcing mode with a targeted policy, visit the Nagios Support Portal or Nagios Community Wiki.
9) Login to the Web Interface
You should now be able to access the Nagios web interface at the URL below. You'll be prompted for the username (nagiosadmin) and password you specified earlier.
http://server_IP/nagios/
Configure Nagios.
The main configuration file for Nagios is /usr/local/nagios/etc/nagios.cfg.
When you open Nagios in the browser after this fresh install, you can see that localhost has already been added. The configuration file for it is /usr/local/nagios/etc/objects/localhost.cfg.
It is included from /usr/local/nagios/etc/nagios.cfg as follows:
[root@localhost objects]# grep localhost.cfg /usr/local/nagios/etc/nagios.cfg
cfg_file=/usr/local/nagios/etc/objects/localhost.cfg
To add another host, copy this file under a new name and change the IP address and hostname accordingly:
cp /usr/local/nagios/etc/objects/localhost.cfg /usr/local/nagios/etc/objects/newserver.cfg
Include the new cfg file in nagios.cfg as follows:
cfg_file=/usr/local/nagios/etc/objects/newserver.cfg
Check the Nagios configuration for errors:
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
If there are no errors, restart Nagios:
service nagios restart
Check in the browser that you can see the new server.
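The copy-and-edit procedure above is easy to get subtly wrong by hand (a service definition still pointing at host_name localhost, or the same cfg_file line added twice). The script below is an added example, not code from the post or from the Nagios project, that performs the same steps repeatably: it copies localhost.cfg to NAME.cfg, rewrites every host_name/alias/address directive, and registers the file in nagios.cfg exactly once. The function name add_nagios_host, the host name webserver01 and the address 192.0.2.10 are chosen for the example; it assumes the template uses the stock "localhost" / "127.0.0.1" values, as the shipped localhost.cfg does.

```shell
#!/bin/sh
# Added example: script the "copy localhost.cfg, change hostname/IP,
# include it from nagios.cfg" steps. Paths default to the post's layout.

# add_nagios_host NAME ADDRESS [OBJECTS_DIR] [NAGIOS_CFG]
add_nagios_host() {
    name=$1; addr=$2
    objdir=${3:-/usr/local/nagios/etc/objects}
    maincfg=${4:-/usr/local/nagios/etc/nagios.cfg}
    newcfg="$objdir/$name.cfg"

    [ -f "$objdir/localhost.cfg" ] || { echo "template localhost.cfg missing" >&2; return 1; }
    [ -e "$newcfg" ] && { echo "$newcfg already exists, not overwriting" >&2; return 1; }

    # Rewrite only the directive values. Every host_name line is changed,
    # so the copied service definitions follow the new host as well.
    sed -e "s/^\([[:space:]]*host_name[[:space:]][[:space:]]*\)localhost[[:space:]]*$/\1$name/" \
        -e "s/^\([[:space:]]*alias[[:space:]][[:space:]]*\)localhost[[:space:]]*$/\1$name/" \
        -e "s/^\([[:space:]]*address[[:space:]][[:space:]]*\)127\.0\.0\.1[[:space:]]*$/\1$addr/" \
        "$objdir/localhost.cfg" > "$newcfg"

    # Register the file once; a duplicate cfg_file line makes "nagios -v"
    # report duplicate object definitions.
    grep -qxF "cfg_file=$newcfg" "$maincfg" || printf 'cfg_file=%s\n' "$newcfg" >> "$maincfg"
}

# Constructed, offline demonstration with a miniature localhost.cfg.
# Prints "<host_name lines rewritten> <leftover localhost refs> <cfg_file lines>".
demo_add_host() {
    tmp=$(mktemp -d)
    mkdir "$tmp/objects"
    cat > "$tmp/objects/localhost.cfg" <<'EOF'
define host{
        use                     linux-server
        host_name               localhost
        alias                   localhost
        address                 127.0.0.1
        }
define service{
        use                     local-service
        host_name               localhost
        service_description     PING
        check_command           check_ping!100.0,20%!500.0,60%
        }
EOF
    : > "$tmp/nagios.cfg"
    add_nagios_host webserver01 192.0.2.10 "$tmp/objects" "$tmp/nagios.cfg" || return 1
    # A second run must refuse to overwrite the file it just created.
    add_nagios_host webserver01 192.0.2.10 "$tmp/objects" "$tmp/nagios.cfg" 2>/dev/null && return 1
    hosts=$(grep -c 'host_name *webserver01' "$tmp/objects/webserver01.cfg")
    leftover=$(grep -c localhost "$tmp/objects/webserver01.cfg" || true)
    cfglines=$(grep -c 'cfg_file=' "$tmp/nagios.cfg")
    rm -rf "$tmp"
    echo "$hosts $leftover $cfglines"
}

demo_add_host
```

After running it against the real paths, still run /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg before restarting: the stock localhost.cfg also carries a hostgroup definition, and a copied hostgroup with the same name is one thing the validator will reject.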
Friday, January 14, 2011
*WARNING* Since the Virtuozzo VPS iptables ip_conntrack_ftp kernel module + csf
Getting the following error while trying to restart csf in my VPS:
root@a24uall [/etc/csf]# csf -r
*WARNING* Since the Virtuozzo VPS iptables ip_conntrack_ftp kernel module is currently broken you have to open a PASV port hole in iptables for incoming FTP connections to work correctly. See the csf readme.txt under ‘A note about FTP Connection Issues’ on how to do this if you have not already done so.
root@a24uall [/etc/csf]#
Solution: If we don't have node access, we need to change the settings in the VPS itself.
Check whether the server runs Pure-FTPd or ProFTPD and add the following line to its configuration file.
vi /etc/pure-ftpd.conf
PassivePortRange 30000 35000
vi /etc/proftpd.conf
PassivePortRange 30000 35000
vi /etc/csf/csf.conf
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,30000:35000"
If you see this error while restarting iptables, then instead of the csf step use:
iptables -A INPUT -p tcp --dport 30000:35000 -j ACCEPT
============
Enable the module:
modprobe ip_conntrack_ftp
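The fix above only works when the passive range the FTP daemon hands out and the range opened in csf's TCP_IN agree; if they drift apart later, passive transfers hang again. The script below is an added example, not part of the original post, that checks both files against each other. It reads the PassivePortRange directive shown above (and also ProFTPD's PassivePorts spelling), extracts TCP_IN from csf.conf, and reports whether a range entry covers it. The function names and the sample configuration contents are constructed for the example; paths are parameters so it can be run against copies of the files.

```shell
#!/bin/sh
# Added example: verify that the FTP passive port range is opened in csf.

# passive_range FTPCONF -> prints "low high"; fails if no directive is found
passive_range() {
    awk '$1 == "PassivePortRange" || $1 == "PassivePorts" { print $2, $3; found = 1 }
         END { exit !found }' "$1"
}

# csf_allows LOW HIGH CSFCONF
# Succeeds when TCP_IN contains an entry a:b with a <= LOW and b >= HIGH.
csf_allows() {
    low=$1; high=$2; conf=$3
    tcp_in=$(sed -n 's/^TCP_IN *= *"\([^"]*\)".*/\1/p' "$conf")
    [ -n "$tcp_in" ] || return 2
    echo "$tcp_in" | tr ',' '\n' | awk -F: -v lo="$low" -v hi="$high" '
        NF == 2 && $1 <= lo && $2 >= hi { ok = 1 }
        END { exit !ok }'
}

# check_pasv FTPCONF CSFCONF -> "OK low:high" or "MISSING low:high"
check_pasv() {
    ftpconf=$1; csfconf=$2
    range=$(passive_range "$ftpconf") || { echo "NO PassivePortRange in $ftpconf"; return 1; }
    lo=${range% *}; hi=${range#* }
    if csf_allows "$lo" "$hi" "$csfconf"; then
        echo "OK $lo:$hi"
    else
        echo "MISSING $lo:$hi"
        return 1
    fi
}

# Constructed demo: the same pure-ftpd.conf against csf.conf before and
# after the 30000:35000 entry from the post is added to TCP_IN.
demo_pasv() {
    tmp=$(mktemp -d)
    printf 'PassivePortRange 30000 35000\n' > "$tmp/pure-ftpd.conf"
    printf '# Allow incoming TCP ports\nTCP_IN = "20,21,22,25,53,80,110"\n' > "$tmp/csf.before"
    printf 'TCP_IN = "20,21,22,25,53,80,110,30000:35000"\n' > "$tmp/csf.after"
    before=$(check_pasv "$tmp/pure-ftpd.conf" "$tmp/csf.before" || true)
    after=$(check_pasv "$tmp/pure-ftpd.conf" "$tmp/csf.after")
    rm -rf "$tmp"
    echo "$before / $after"
}

demo_pasv
```

Run check_pasv /etc/pure-ftpd.conf /etc/csf/csf.conf (or the proftpd.conf path) after any csf.conf edit; a non-zero exit is the cue to add the range back before restarting csf.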