OpenVZ is a glorified Linux chroot or BSD jail system that allows you to completely isolate processes from each other, increase security by keeping bits separate, and tightly control resource utilization. OpenVZ refers to these “virtual machines” as containers, virtual private servers (VPS), or virtual environments (VE).

The Installation of  OpenVZ is quite simple. It requires a special kernel to provide the virtualization support it needs, and this can be obtained easily via the OpenVZ project itself. The OpenVZ kernel patch is licensed under GPL license, and the user-level tools are under the QPL license.

The article below explain how to install OpenVZ container in CentOS 5.4. With OpenVZ you can create multiple Virtual Private Servers (VPS) on same hardware machine and running them simultaneously and efficiently.

1, Install OpenVZ

In order to install OpenVZ, we need to add the OpenVZ repository to yum, this would also help us keep the kernel up-to-date:

cd /etc/yum.repos.d
wget http://download.openvz.org/openvz.repo
rpm –import http://download.openvz.org/RPM-GPG-Key-OpenVZ

The repository contains a few different OpenVZ kernels (you can find more details here: http://wiki.openvz.org/Kernel_flavors), or with this command “yum search ovzkernel“.

Pick one of them and install it as follows:

yum install ovzkernel

This should automatically update the GRUB bootloader as well. An example is listed below”

cat /boot/grub/menu.lst
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#all kernel and initrd paths are relative to /boot/, eg.
#root (hd0,0)
#kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
#initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-128.2.1.el5.028stab064.7)
root (hd0,0)
kernel /vmlinuz-2.6.18-128.2.1.el5.028stab064.7 ro root=LABEL=/
initrd /initrd-2.6.18-128.2.1.el5.028stab064.7.img

2, Pre-adjustings before the installation

Now we install some OpenVZ user tools:

yum install vzctl vzquota

Open /etc/sysctl.conf and make sure that you have the following settings in it:

cat /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.default.forwarding=1

The following step is important if the IP addresses of your virtual machines are from a different subnet than the host system’s IP address. If you don’t do this, networking will not work in the virtual machines!

Open /etc/vz/vz.conf and set NEIGHBOUR_DEVS to all, the modified entry is like this “NEIGHBOUR_DEVS=all“. SELinux needs to be disabled, you can do it by making changes on its config file /etc/sysconfig/selinux. Finally, reboot the system, and then your new OpenVZ kernel should show up:

[root@server1 ~]# uname -r
2.6.18-128.2.1.el5.028stab064.7

3, Create a Virutal Server

Before we can create virtual machines with OpenVZ, we need to have a template for the distribution that we want to use in the virtual machines in the /vz/template/cache by default. New virtual machines will be created from these templates. A list of precreated templates is available here.

I want to use CentOS 5 in my virtual machines, so I download a CentOS 5 template:

cd /vz/template/cache
wget http://download.openvz.org/template/precreated/contrib/centos-5-i386-default.tar.gz

To set up a VPS from the default CentOS 5 template, run:

vzctl create 211 –ostemplate centos-5-i386-default –config vps.basic

The 211 must be uniqe and each virtual machine must have its own ID. You can use the last part of the VPS’s IP address for it. For example, if the virtual machine’s IP address is 192.168.0.211, you use 211 as the ID.

4, Common controls on OpenVZ

If you want to have the vm started at boot, run:

vzctl set 211 –onboot yes –save

To set a hostname and IP address for the vm, run:

vzctl set 211 –hostname test.example.com –save
vzctl set 211 –ipadd 192.168.0.211 –save

Next we set the number of sockets to 120 and assign a few nameservers to the vm:

vzctl set 211 –numothersock 120 –save
vzctl set 211 –nameserver 85.17.150.123 –nameserver 83.149.80.123 –nameserver 145.253.2.75 –save

Instead of using the vzctl set commands, you can directly edit vm’s configuration file which is stored in the directory /etc/vz/conf. If the ID of the vm is 211, then the configuration file is /etc/vz/conf/211.conf.

In order to start the vm, run “vzctl start 211″, to set a root password for the vm, run “vzctl exec 211 passwd”. Now You can either connect to the vm via SSH (e.g. with PuTTY), or login through console directly as follows:

vzctl enter 211

To leave the vm’s console, type “exit”, to stop a vm, run “vzctl stop 211“, to restart a vm, run “vzctl restart 211“.

To delete a vm from the hard drive (it must be stopped before you can do this), run “vzctl destroy 211“.

5, Check VM Status

To get a list of your vms and their statuses, run “vzlist -a” like this:

[root@server1 cache]# vzlist -a
VEID      NPROC STATUS  IP_ADDR         HOSTNAME
211         18 running 192.168.0.211   test.example.com

To find out about the resources allocated to a vm, run like follows:

[root@server1 cache]# vzctl exec 211 cat /proc/user_beancounters

The failcnt column is very important, it should be only zeros; if not, means that the vm needs more resources than currently allocated. Open the vm’s configuration file in /etc/vz/conf and raise the appropriate resource, then restart it.

To find out more about the vzctl command, run “man vzctl”.

Article Written By Shahram Azin   http://www.hostingbangkok.com/

ShareThis

1. First of all, you need to define which iptables modules should be available for VEs.

Edit /etc/sysconfig/iptables-config:

IPTABLES_MODULES=”ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp”

Edit /etc/sysconfig/vz:

IPTABLES=”ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp”

Please note - iptables modules in IPTABLES parameter in /etc/sysconfig/vz should be placed in one single line, no line breaks is allowed in this parameter.

Restart vz service. All VEs will be restarted.

service vz restart

2. Increase ‘numiptent’ parameter for the VE you need to install APF into. This parameter limits the amount of iptables rules available for a VE. Default APF configuration requires ~200 rules. Let’s set it to 400:

vzctl set 101 –numiptent 400 –save

In VE (VPS),

1. Install APF inside the VE as usual. Edit /etc/apf/conf.apf, set the following parameters:

IFACE_IN=”venet0″ IFACE_OUT=”venet0″ SET_MONOKERN=”1″

2. Start APF inside the VE:

/etc/init.d/apf start

BTW the BFD installation procedure is same as we do in real servers.

ShareThis

Code:

[mysqld]
max_connections = 400
key_buffer = 16M
myisam_sort_buffer_size = 32M
join_buffer_size = 1M
read_buffer_size = 1M
sort_buffer_size = 2M
table_cache = 1024
thread_cache_size = 286
interactive_timeout = 25
wait_timeout = 1000
connect_timeout = 10
max_allowed_packet = 16M
max_connect_errors = 10
query_cache_limit = 1M
query_cache_size = 16M
query_cache_type = 1
tmp_table_size = 16M
skip-innodb

[mysqld_safe]
open_files_limit = 8192

[mysqldump]
quick
max_allowed_packet = 16M

[myisamchk]
key_buffer = 32M
sort_buffer = 32M
read_buffer = 16M
write_buffer = 16M

ShareThis

=========================================
Checking for formmail
=========================================

Form mail is used by hackers to send out spam email, by relay and injection methods. If you are using matts script or a version of it, you may be in jeopardy.
Command to find pesky form mails:
find / -name “[Ff]orm[mM]ai*”

CGIemail is also a security risk:
find / -name “[Cc]giemai*”

Command to disable form mails:
chmod a-rwx /path/to/filename
(a-rwx translates to all types, no read, write or execute permissions).

(this disables all form mail)

If a client or someone on your vps installs form mail, you will have to let them know you are disabling their script and give them an alternative.
=========================================
Root kit checker - http://www.chkrootkit.org/
=========================================

Check for root kits and even set a root kit on a cron job. This will show you if anyone has compromised your root. Always update chrootkit to get the latest root kit checker. Hackers and spammers will try to find insecure upload forms on your box and then with injection methods, try to upload the root kit on your server. If he can run it, it will modify *alot* of files, possibly causing you to have to reinstall.
To install chrootkit, SSH into server and login as root.
At command prompt type:

cd /root/
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvzf chkrootkit.tar.gz
cd chkrootkit-0.44
make sense
To run chkrootkit

At command prompt type:
/root/chkrootkit-0.44/chkrootkit

Make sure you run it on a regular basis, perhaps including it in a cron job.

Execution

I use these three commands the most.
./chkrootkit
./chkrootkit -q
./chkrootkit -x | more
=========================================
Install a root breach DETECTOR and EMAIL WARNING
=========================================

If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hackers/spammers ip address and be warned someone is in there.
Server e-mail everytime someone logs in as root

To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.
At command prompt type:
pico .bash_profile

Scroll down to the end of the file and add the following line:

echo ‘ALERT - Root Shell Access on:’ `date` `who` | mail -s “Alert: Root Access from `who | awk ‘{print $6}’`” your@email.com

Save and exit.
Set an SSH Legal Message

To an SSH legal message, SSH into server and login as root.

At command prompt type:
pico /etc/motd

Enter your message, save and exit.
Note: I use the following message…

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

=========================================
Web Host manager and CPANEL mods.
=========================================

These are items inside of WHM/Cpanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings
Check the following items…

Under Domains
Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
(according to ELIX - set this to FAIL, which is what I am going to do to reduce server load)

Under System
Use jailshell as the default shell for all new accounts and modified accounts

Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Disabled Compilers for unprivileged users.

Goto Server Setup =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.

Goto Server Setup =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Goto Service Configuration =>> FTP Configuration
Disable Anonymous FTP

Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)

Goto Mysql =>> MySQL Root Password
Change root password for MySQL

Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod

=========================================
More Security Measures
=========================================

These are measures that can be taken to secure your server, with SSH access.

Update OS, Apache and CPanel to the latest stable versions.
This can be done from WHM/CPanel.
Restrict SSH Access
To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.

SSH into server and login as root.
Note: You can download Putty by Clicking Here (http://www.chiark.greenend.org.uk/~s…/download.html). It’s a clean running application that will not require installation on Windows-boxes.

At command prompt type:
pico /etc/ssh/sshd_config

Scroll down to the section of the file that looks like this:
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment and change
#Port 22
to look like
Port 5678 (choose your own 4 to 5 digit port number (49151 is the highest port number AND do not use 5678  lol )

Uncomment and change
#Protocol 2, 1
to look like
Protocol 2

Uncomment and change
#ListenAddress 0.0.0.0
to look like
ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)

Note 1: If you would like to disable direct Root Login, scroll down until you find
#PermitRootLogin yes
and uncomment it and make it look like
PermitRootLogin no

Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.
Note 2: You can also create a custome nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.

Now restart SSH
At command prompt type:
/etc/rc.d/init.d/sshd restart

Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.

Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very unsecure protocol, so change your root password after you use it.

After SSH has been redirected, disable telnet.

Disable Telnet
To disable telnet, SSH into server and login as root.
At command prompt type: pico -w /etc/xinetd.d/telnet
change disable = no to disable = yes
Save and Exit
At command prompt type: /etc/init.d/xinetd restart
Disable Shell Accounts
To disable any shell accounts hosted on your server SSH into server and login as root.
At command prompt type: locate shell.php
Also check for:
locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

Note: There will be several listings that will be OS/CPanel related. Examples are
/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.
Disable identification output for Apache

(do this to hide version numbers from potentional hackers)

To disable the version output for proftp, SSH into server and login as root.
At command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to
ServerSignature Off

Restart Apache
At command prompt type: /etc/rc.d/init.d/httpd restart

=========================================
Install BFD (Brute Force Detection - optional)
=========================================

To install BFD, SSH into server and login as root.

At command prompt type:
cd /root/
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd-0.4
./install.sh

After BFD has been installed, you need to edit the configuration file.

At command prompt type:
pico /usr/local/bfd/conf.bfd

Under Enable brute force hack attempt alerts:
Find
ALERT_USR=”0″
and change it to
ALERT_USR=”1″

Find
EMAIL_USR=”root”
and change it to
EMAIL_USR=”your@email.com”

Save the changes then exit.

To start BFD

At command prompt type:
/usr/local/sbin/bfd -s
Modify LogWatch
Logwatch is a customizable log analysis system. It parses through your system’s logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.

To modify LogWatch, SSH into server and login as root.

At command prompt type:
pico -w /etc/log.d/conf/logwatch.conf

Scroll down to
MailTo = root
and change to
Mailto = your@email.com
Note: Set the e-mail address to an offsite account incase you get hacked.

Now scroll down to
Detail = Low
Change that to Medium, or High…
Detail = 5 or Detail = 10
Note: High will give you more detailed logs with all actions.

Save and exit.

A number of suggestions to improve system security. Some of this is specific to CPanel, but much can be applied to most Linux systems.
————————————————–
Use The Latest Software
Keep the OS and 3rd party software up to date. Always!
CPanel itself can be updated from the root WHM.
————————————————–
Change Passwords
Change the root passwords at least once a month and try to make them hard to guess. Yes it’s a pain to have to keep remembering them, but it’s better than being hacked.

————————————————–
Set Up A More Secure SSH Environment As described here.
————————————————–
Disable Telnet
1. Type: pico -w /etc/xinetd.d/telnet
2. Change the disable = no line to disable = yes.
3. Hit CTRL+X press y and then enter to save the file.
4. Restart xinted with: /etc/rc.d/init.d/xinetd restart
Also, add the following line to /etc/deny.hosts to flag Telnet access attempts as ‘emergency’ messages.

in.telnetd : ALL : severity emerg

————————————————–
Disable Unnecessary Ports (optional)
First backup the file that contains your list of ports with:
cp /etc/services /etc/services.original
Now configure /etc/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.
On a typical CPanel system it would look something like this:
<?php
tcpmux 1/tcp # TCP port service multiplexer
echo 7/tcp
echo 7/udp
ftp-data 20/tcp
ftp 21/tcp
ssh 22/tcp # SSH Remote Login Protocol
smtp 25/tcp mail
domain 53/tcp # name-domain server
domain 53/udp
http 80/tcp www www-http # WorldWideWeb HTTP
pop3 110/tcp pop-3 # POP version 3
imap 143/tcp imap2 # Interim Mail Access Proto v2
https 443/tcp # MCom
smtps 465/tcp # SMTP over SSL (TLS)
syslog 514/udp
rndc 953/tcp # rndc control sockets (BIND 9)
rndc 953/udp # rndc control sockets (BIND 9)
imaps 993/tcp # IMAP over SSL
pop3s 995/tcp # POP-3 over SSL
cpanel 2082/tcp
cpanels 2083/tcp
whm 2086/tcp
whms 2087/tcp
webmail 2095/tcp
webmails 2096/tcp
mysql 3306/tcp # MySQL
?>
Additional ports are controlled by /etc/rpc. These aren’t generally needed, so get shot of that file with: mv /etc/rpc /etc/rpc-moved
————————————————–
Watch The Logs
Install something like logwatch to keep an eye on your system logs. This will extract anything ‘interesting’ from the logs and e-mail to you on a daily basis.
Logwatch can be found at: http://www.logwatch.org
Install instructions here.
————————————————–
Avoid CPanel Demo Mode
Switch it off via WHM Account Functions => Disable or Enable Demo Mode.
————————————————–
Jail All Users
Via WHM Account Functions => Manage Shell Access => Jail All Users.
Better still never allow shell access to anyone - no exceptions.
————————————————–
Immediate Notification Of Specific Attackers
If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny

ALL : nnn.nnn.nnn.nnn : spawn /bin/ ‘date’ %c %d | mail -s”Access attempt by nnn.nnn.nnn.nnn on for hostname” notify@mydomain.com
Replacing nnn.nnn.nnn.nnn with the attacker’s IP address.
Replacing hostname with your hostname.
Replacing notify@mydomain.com with your e-mail address.
This will deny access to the attacker and e-mail the sysadmin about the access attempt.
————————————————–
Check Open Ports
From time to time it’s worth checking which ports are open to the outside world. This can be done with:
nmap -sT -O localhost
If nmap isn’t installed, it can be selected from root WHM’s Install an RPM option.
————————————————–
Set The MySQL Root Password
This can be done in CPanel from the root WHM Server Setup -> Set MySQL Root Password.
Make it different to your root password!
————————————————–
Tweak Security (CPanel)
From the root WHM, Server Setup -> Tweak Security, you will most likely want to enable:
- php open_basedir Tweak.
- SMTP tweak.
You may want to enable:
- mod_userdir Tweak. But that will disable domain preview.
————————————————–
Use SuExec (CPanel)
From root WHM, Server Setup -> Enable/Disable SuExec. This is CPanel’s decription of what it does:
“suexec allows cgi scripts to run with the user’s id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. ”
Even if you don’t use phpsuexec (which often causes more problems), SuExec should be considered.
————————————————–
Use PHPSuExec (CPanel)
This needs to built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.
Wisth PHPSuExec enabled, you users will have to make sure that all their PHP files have permissions no greater than 0755 and that their htaccess files contain no PHP directives.
————————————————–
Disable Compilers
This will prevent hackers from compiling worms, root kits and the like on your machine.
To disable them, do the following:

chmod 000 /usr/bin/perlcc
chmod 000 /usr/bin/byacc
chmod 000 /usr/bin/yacc
chmod 000 /usr/bin/bcc
chmod 000 /usr/bin/kgcc
chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
chmod 000 /usr/bin/i386*cc
chmod 000 /usr/bin/*c++
chmod 000 /usr/bin/*g++
chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

You will need to enable them again when you need to perform system updates. To do this, run:

chmod 755 /usr/bin/perlcc
chmod 755 /usr/bin/byacc
chmod 755 /usr/bin/yacc
chmod 755 /usr/bin/bcc
chmod 755 /usr/bin/kgcc
chmod 755 /usr/bin/cc
chmod 755 /usr/bin/gcc
chmod 755 /usr/bin/i386*cc
chmod 755 /usr/bin/*c++
chmod 755 /usr/bin/*g++
chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

————————————————–
Obfuscate The Apache Version Number
1. Type: pico /etc/httpd/conf/httpd.conf
2. Change the line that begins ServerSignature to:

ServerSignature Off

3. Add a line underneath that which reads:

ServerTokens ProductOnly

4. Hit CTRL+X, they y, the enter to save the file.
5. Restart Apache with: /etc/rc.d/init.d/httpd restart
——————–

COMMON COMMANDS I USE
System Information
who
List the users logged in on the machine. –

rwho -a
List all users logged in on your network. The rwho service must be enabled for this command to work.

finger user_name
System info about a user. Try: finger root last. This lists the users last logged-in on your system.

history | more
Show the last (1000 or so) commands executed from the command line on the current account. The | more causes the display to stop after each screen fill.

pwd
Print working directory, i.e. display the name of your current directory on the screen.

hostname
Print the name of the local host (the machine on which you are working).

whoami
Print your login name.

id username
Print user id (uid) and his/her group id (gid), effective id (if different than the real id) and the supplementary groups.

date
Print or change the operating system date and time. E.g., change the date and time to 2000-12-31 23:57 using this command

date 123123572000
To set the hardware clock from the system clock, use the command (as root)
setclock

time
Determine the amount of time that it takes for a process to complete+ other info. Don’t confuse it with date command. For e.g. we can find out how long it takes to display a directory content using time ls

uptime
Amount of time since the last reboot

ps
List the processes that are have been run by the current user.

ps aux | more
List all the processes currently running, even those without the controlling terminal, together with the name of the user that owns each process.

top
Keep listing the currently running processes, sorted by cpu usage (top users first).

uname -a
Info on your server.

free
Memory info (in kilobytes).

df -h
Print disk info about all the file systems in a human-readable form.

du / -bh | more
Print detailed disk usage for each subdirectory starting at root (in a human readable form).

lsmod
(as root. Use /sbin/lsmod to execute this command when you are a non-root user.) Show the kernel modules currently loaded.

set|more
Show the current user environment.

echo $PATH
Show the content of the environment variable PATH. This command can be used to show other environment variables as well. Use set to see the full environment.

dmesg | less
Print kernel messages (the current content of the so-called kernel ring buffer). Press q to quit less. Use less /var/log/dmesg to see what dmesg dumped into the file right after bootup. - only works on dedciated systems

Commands for Process control
ps
Display the list of currently running processes with their process IDs (PID) numbers. Use ps aux to see all processes currently running on your system (also those of other users or without a controlling terminal),
each with the name of the owner. Use top to keep listing the processes currently running.

fg
PID Bring a background or stopped process to the foreground.

bg
PID Send the process to the background. This is the opposite of fg. The same can be accomplished with Ctrl z

any_command &
Run any command in the background (the symbol ‘&’ means run the command in the background?).

kill PID
Force a process shutdown. First determine the PID of the process to kill using ps.

killall -9 program_name
Kill program(s) by name.

xkill
(in an xwindow terminal) Kill a GUI-based program with mouse. (Point with your mouse cursor at the window of the process you want to kill and click.)

lpc
(as root) Check and control the printer(s). Type ??? to see the list of available commands.

lpq
Show the content of the printer queue.

lprm job_number
Remove a printing job job_number from the queue.

nice program_name
Run program_name adjusting its priority. Since the priority is not specified in this example, it will be adjusted by 10 (the process will run slower), from the default value (usually 0). The lower the number (of niceness to other users on the system), the higher the priority. The priority value may be in the range -20 to 19. Only root may specify negative values. Use top to display the priorities of the running processes.

renice -1 PID
(as root) Change the priority of a running process to -1. Normal users can only adjust processes they own, and only up from the current value (make them run slower).
Optimizing your VPS server (help it run more efficiently)

ShareThis

Many webhosting companies create affiliate programs to get hold of more customers. Depends on this web hosting program, you will make money online when you refer a customer who buys a hosting plan. These affiliate programs are the easiest way to make money for webmasters, bloggers and internet marketers.

You may have seen many ads in many sites. These web hosting affiliate programs works good for all the websites particularly if you are offering a website consultation service for clients. It offers high commission, thus by Just referring a single customer, you can make more money.

There are numerous techniques of making money with web hosting affiliate programs. You can include the affiliate links on your websites or blogs. Blogs take up very little disk space and bandwidth allowance. You can host many blogs and you can charge a fine price for your services. It take slight technical assist on your part thus by you can develop your business faster. Posting in forums with answers will bring you a lot of qualified business.

You can also create a pre-sell page as an alternative of linking directly to the web host. You can pull traffic from your website to send targeted visitors to any specific webpage. The ultimate aim is to get as many individuals to click through on your affiliate links.

Reseller hosting is another way to make money online with web hosting. It allows you to sell the services of a web hosting company as your own. It consists of buying a web hosting package and reselling it for a larger price. To do this task, webmasters must need huge amount of space to divide it up among other people. Check out several resellers that offer varying amounts of space and storage when building an Internet host business.

Some companies offering reseller web hosting may do all the technical work for you, and also manage your servers, so all you have to do is to sell their products. You can buy a reseller hosting easily for just $30 per month. With this small investment, you will make your way to make money.

ShareThis

One of the biggest benefits that Microsoft Exchange Server provides to its users in the enhance security features included in the software package. There are many different threats that can compromise the security of a software package today and Microsoft Exchange Server works to neutralize those threats, leaving the users less vulnerable to hackers, viruses, and spam. It also works to ensure that emails remain confidential and are not compromised by outside sources. This enhanced security allows companies to feel confident that their email system is protected at all times and allows employees and customers to utilize the email system to its full potential.

Companies that use Microsoft Exchange Server can allow their employees to access their email from anywhere in the world. Whether the employee is in the office or on the road, they will be able to access all of their important documents and can respond to any important inquiry at a moments notice. The email platform used by Microsoft Exchange Server is Microsoft Office Outlook which has many different features designed to make email and contact management simple and trouble-free. Some of the features that can be used with Microsoft Office Outlook and Microsoft Exchange Server include calendar features, scheduling features, voice mail storage, and contact management programs.
Microsoft Exchange Server also allows businesses to be more efficient, by making it a great deal easier to find and fix any issues that may arise. It also has improved monitoring capabilities so that any issues that do occur can be detected quickly before it disrupts business by a great amount. Many tasks that are needed to keep Microsoft Exchange Server operating properly have been automated, allowing the administrators more time to deal with more pressing issues. There are many benefits to using Microsoft Exchange Server and many businesses are discovering that this is a program that they cannot do without.

ShareThis

Latest edit: rsyncable option is now included in cpbackup by cPanel, so all the instructions below are moot for version 11 and up.

Edits: The simplified version after much testing and trial is provided below. Thanks to Chirpy for finding the exact method that works so simply! Also added a simple rotation script.

Modify the root crontab changing the line shown as follows:

Quote:
0 1 * * * /scripts/cpbackup

to:

0 1 * * * export GZIP=”–rsyncable” ; /scripts/cpbackup 

That’s it!

Here’s a simple script to rotate the backups:
Code:
#!/bin/sh

# This script rotates the backup files daily, keeping 7 days worth.

DATEFORMAT=$(date +%a)
BACKUPSOURCE=/backup
BACKUPDEST=/Data/backup/rotation/

rm -Rf $BACKUPDEST/$DATEFORMAT
mkdir $BACKUPDEST/$DATEFORMAT
cp -R $BACKUPSOURCE/* $BACKUPDEST/$DATEFORMAT
The original post is below.

******** Original Post ************
Note: This post may become obsolete if it turns out that setting a permanent environment variable fixes the issue. If so, this will get updated to reflect that.

Using the Full Backup feature built into WHM is nice, because it grabs pretty much everything and creates stand-alone backups. The problem with this backup, however, is that because it uses gzip compression, it isn’t rsync-friendly.

Rsync is a nifty file transfer tool that only transfers the changes in a file. So, once you have downloaded a backup once, rather than download the whole backup again to update it, it only sends the changes to the file and incorporates them into the existing file. In the case of files that have been compressed using the default gzip settings, almost the entire file is transferred again because of the adaptive compression algorithm.
Ok, seriously, the good news is that later versions of gzip have the capability of playing nice with rysnc by way of the ‘–rsyncable’ switch. With an rsyncable gzip file, rsync can process it much more efficiently. (You can check your version of gzip to see if it will handle rsync by looking at the help: ‘gzip –help’)

So how do we make that happen? The good news is it’s a simple, one-line modification to the ‘cpbackup’ script located in the /scripts directory. The bad news is that cpanel will overwrite this file every time it runs the ‘upcp’ script. This means we have to protect it somehow. Another nifty script will take care of that.

So, first, let’s modify the ‘cpbackup’ script:

1) make a copy of the script and call it ‘cpbackupunedited’

Quote:
cp /scripts/cpbackup /scripts/cpbackupunedited 

2) Open the ‘cpbackup’ script and add the following line just after the remarks at the top, but before the ‘BEGIN’ statement
Quote:
$ENV{’GZIP’} .= “–rsyncable”; 

3) Save the script. Now, make another copy of the file, this time calling it ‘cpbackupedited’
Quote:
cp /scripts/cpbackup /scripts/cpbackupedited 

Your backups are now going to work with rsync rather nicely! For instance, on the first test I made using a 1.5gig set of gzip files, 35 megs were transferred, in contrast to the 1.2gigs transferred without the –rsyncable switch. That speeds up transfer times quite a bit!

Now, we need to protect our cpbackup file. While we could ‘chattr’ so that it can’t be overwritten, there is another, more refined method that will let us know if there are changes in the script that need to be looked at. This is a modification of the ‘watchwwwacct’ script you can read more about elsewhere on the forum. I’ll post just the modified script for sake of brevity:

Quote:
#!/usr/bin/perl
# You may need to change this path to /usr/local/bin/perl

$mailprog = “/usr/sbin/sendmail”;

#************************************************* *************
#
# Script to monitor cpbackup script customizations: watchcpbackup V1.1
#
#
# Set a few variables below and upload this script to anywhere on your server,
# then set a cron job to run the script every hour. I put mine in a subfolder
# of the servers scripts folder. (/scripts/custom)
#
# To set the cronjob, in shell, type crontab -e, then enter what’s between the quotes
# on the following line as a new line in your cron listings:
# “0 * * * * /scripts/custom/watchcpbackup.cgi”
#
# Ownership and permissions of the script should be root:root, and 0700.
#
# This script only needs to run after a cpanel upgrade, so you could set
# the cron job to run it 1 hour after upcp runs, but then if you change
# when upcp runs, you will need to change this also. This script is fast,
# so it’s easier to just run it every hour.
#
# **** Using this script ****
# ————————————————————————————–
# To use this script, you need to make a copy of the real cpbackup script and call it
# cpbackupunedited, then after your customizations, make a copy of your custom one and
# call it cpbackupedited. These copies need to be in the same directory as cpbackup.
# What this script does is compare your custom cpbackup script to a copy of it.
# If a cpanel update changes the cpbackup script, this script will notice the change.
# Now the fun part. Many upgrades only change the cpbackup script back to what it was
# originally. If it’s changed, this script compares the new cpbackup to a copy of the
# original one. If the update merely wrote the original one back, it would match the
copy. This script would then take the copy of your custom one and reuse it. Now, if
# the update altered the script, you would be emailed and told that your customizations
# are lost and that you will need to redo them. The script does tell you where changes
# were made to help with reapplying your customizations.
# customized my cpbackup script over a year ago and have only had to redo the changes
# maybe half a dozen times.
# ————————————————————————————–
#
#
# Registered users of this script will be notified of any future updates.
# If you registered this copy with me, put your email here for future reference.
# This copy is registered to:
#
#************************************************* *************
# This is where the email will be sent when a change is detected.
# If you use spamassassin, you should include a name, like this:
# $sendto_email = ‘YourName <you@youremail.com>’;
$sendto_email = ‘YourName <you@youremail.com>’;

# This is the sender for the email message.
# Change it if you wish.
$sender_email = ‘YourName <you@youremail.com>’;

# This is where your cpbackup file is located.
# It shouldn’t need to be changed.
$path = “/scripts”;

$diff1 = system(”cmp $path/cpbackup $path/cpbackupedited”);

if ($diff1 eq “0″) {
exit;
}
else {
$diff2 = system(”cmp $path/cpbackup $path/cpbackupunedited”);
}

if ($diff2 eq “0″) {
system(”cp -f $path/cpbackupedited $path/cpbackup”);

# Open The Mail Program
open(MAIL,”|$mailprog -t”);
print MAIL “Content-Type: text/html; charset=iso-8859-1\n”;

print MAIL “To: $sendto_email\n”;
print MAIL “From: $sender_email\n”;

print MAIL “Subject: cpbackup file changed and restored\n”;

print MAIL “<b>The cpbackup file was changed back to the original and has been automatically replaced with the edited version.</b><br><br>\n\n”;

close (MAIL);

}

if ($diff2 ne “0″) {

# Open The Mail Program
open(MAIL,”|$mailprog -t”);
print MAIL “Content-Type: text/html; charset=iso-8859-1\n”;

print MAIL “To: $sendto_email\n”;
print MAIL “From: $sender_email\n”;

print MAIL “Subject: cpbackup file changed\n”;

print MAIL “<b>The cpbackup file has been changed and no longer matches the original file. You will need to redo your custom work.</b><br><br>\n\n”;

close (MAIL);

} 

Lastly, we need to setup our crontab to run this watcher script *after* ‘upcp’ runs, but *before* the cpbackup script runs. Edit the crontab (as root, obviously):

Quote:
crontab -e 

Look for the line with ‘/scripts/upcp’ and change it:
Quote:
40 0 * * * /scripts/upcp

becomes

40 0 * * * /scripts/upcp; /scripts/watchcpbackup 

Save it, and you’re done!
If you want to automate the rsyncing of your files, take a peek at the following HOW-TO, which is clear and works great:

ShareThis

Before we discuss the different options for backing up and recovering your dedicated server, we should mention that the server hardware, data center, and fiber connection are all critical to reliability. This article is specifically focused on strategies to backup and recover your server’s data.
At a minimum, you can create a partition in your hard drive and backup your server weekly or monthly. There is no cost to this kind of solution, but the downsides are obvious. If your hard drive crashes, you will lose your backup as well. This kind of solution is only recommended if you can afford to lose all of your data, which most web hosting companies cannot.
Next, you can contract a remote backup service to set up offsite backups. These backups can be run daily, weekly, or monthly. The cost of this solution is around $30-$50/month depending on the web hosting provider. This option gives you a solid backup in case your hard drive crashes. The downside is that recovery time will take 6-12 hours or more depending on how much data you have. The data has to be manually copied over, and this is a slow process. If you can afford the cost, this solution is part of an overall backup system, but it is not recommended as your only solution.
The next backup option is to have a second hard drive installed on your server and have it set up to do daily, weekly, or monthly backups. Most web hosting companies that provide dedicated servers will charge between $15-$30 for a second hard drive. This is a nice compliment to the previous solution if you have the budget for both. The recovery time is faster then a remote backup. But unlike a remote backup, if your dedicated server or the datacenter are down, then you cannot access the backup. For most small web hosting companies this is not a problem. If their entire server or datacenter are down, they have larger issues to worry about. We recommend this as a complimentary option with a remote backup.
Next, a web hosting company can use mirrored RAID drives. This option will cost $50-$80/month more, but it provides the fastest possible recovery in case of a hard drive crash. You can just reboot using the mirrored drive, and you are back in business. The cost is a little higher, but this is a nice luxury. The downside of this option is that if your server is unavailable, then you still cannot reach your data. Additionally, if the hard drive becomes corrupted it will also corrupt your backup. This is why we recommend mirrored drives as part of a larger solution that includes other backup systems.
Finally, there are mirrored servers. This entails the largest cost and is really not necessary, except for those web hosting companies that can tolerate no downtime at all. In this scenario, if the server itself dies you can have another server ready to take the load. In fact, if your company is large enough, you might already need this kind of solution for performance. Some websites require multiple servers to handle the performance, and it is load balanced across them. In this case, if a server dies the system still runs. This is the best solution but it is not always necessary.  And, of course it is costly.
We recommend a weekly remote backup to provide you with a fail safe version. Even if the datacenter burns down, you will have a copy of your data. To this we would add either mirrored RAID drives or a second hard drive, depending on your hosting company’s needs. If you are more worried about recovery time from hard drive crashes, which is the most frequent hardware problem with dedicated servers, then go with the RAID drives. If you are more worried about the hard drive getting corrupted, go with the second hard drive.

We hope this article provides you with the information you need to adequately back up your dedicated server!

ShareThis