Symlink and permissions

Suppose there is a symlink named "softlink" pointing to a target directory named "target-folder" as shown below,

==========================

:~> ll softlink
lrwxrwxrwx 1 liju users 13 Mar 16 03:29 softlink -> target-folder
:~> ll -ld target-folder
drwxr-xr-x 2 liju users 4096 Mar 16 03:29 target-folder

==========================

You can see that the permission of "softlink" is 777 while "target-folder" is 755. I tried to change the permission of "softlink" to 000 by executing the following command,

****************************
chmod 000 softlink
****************************

On checking the permission of softlink again, I could see that its permission remained unchanged,

########################

:~> ll softlink
lrwxrwxrwx 1 liju users 13 Mar 16 03:29 softlink -> target-folder

########################
and the command had actually changed the permission of the target directory "target-folder" instead (before and after the chmod),

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

:~> ll -ld target-folder
drwxr-xr-x 2 liju users 4096 Mar 16 03:29 target-folder
:~> ll -ld target-folder
d--------- 2 liju users 4096 Mar 16 03:29 target-folder

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
So, my conclusions are: a symbolic link always carries 777 permission, which cannot be changed, and a chmod applied to the symlink is applied to the target it points to.
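The observation above reproduced in a scratch directory, as an added example that is not part of the original post. It assumes GNU coreutils (stat -c %a); stat without -L reports the link object itself, stat -L reports what the link resolves to.

```shell
#!/bin/sh
# Added example: chmod on a symlink follows the link on Linux.
# The tree under $WORK is constructed by this script; names are placeholders.

run_demo() {
  WORK=$(mktemp -d)
  mkdir "$WORK/target-folder"
  chmod 755 "$WORK/target-folder"
  ln -s target-folder "$WORK/softlink"

  LINK_BEFORE=$(stat -c %a "$WORK/softlink")          # 777: the link object
  TARGET_BEFORE=$(stat -c %a "$WORK/target-folder")   # 755

  chmod 000 "$WORK/softlink"   # dereferenced: operates on target-folder

  LINK_AFTER=$(stat -c %a "$WORK/softlink")           # still 777
  TARGET_AFTER=$(stat -c %a "$WORK/target-folder")    # 0, i.e. mode 000
  THROUGH_LINK=$(stat -L -c %a "$WORK/softlink")      # 0: same object chmod hit

  chmod 755 "$WORK/target-folder"   # restore so the scratch tree can be removed
  rm -rf "$WORK"
}

run_demo
echo "softlink      : $LINK_BEFORE -> $LINK_AFTER (link mode is not changeable)"
echo "target-folder : $TARGET_BEFORE -> $TARGET_AFTER (chmod followed the link)"
echo "stat -L softlink after chmod: $THROUGH_LINK"
```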

How to tweak upload limit of cPanel file manager?


WHM >> Home >> Server Configuration >> Tweak Settings

Max HTTP submission size (minimum: 1; maximum: 10,240)

The maximum file size allowed for upload. This setting applies to all uploads and form submissions in all web interfaces throughout cPanel and WHM.

CSF country code blocking


Under the section "# SECTION:Country Code Lists and Settings" in csf.conf, locate the following line and add the country code,

CC_DENY = "ID"

where ID is the country code for Indonesia.

Check for country codes here,

http://www.ipdeny.com/ipblocks/

How to disable/enable awstats for a particular cPanel account?


For disabling/enabling awstats for a particular cPanel account, add the following line into the file /var/cpanel/users/YOUR_CPANEL_USER

FEATURE-AWSTATS=0   (to disable awstats)
FEATURE-AWSTATS=1   (to enable awstats)

DDOS Attack Fix

1. Track which IP address on the server is targeted by the DDoS attack
—————————————
netstat -plan | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c
—————————————
2. Detect which IPs the attack is coming from
—————————————
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c
—————————————
3. Edit /etc/csf/csf.conf
* SYNFLOOD
SYNFLOOD is disabled by default. If you are not receiving any sort of attack, there is no need to enable it. If you are expecting an attack, enable it and set the rules like
—————————————
SYNFLOOD = "1"
SYNFLOOD_RATE = "30/s"
SYNFLOOD_BURST = "10"
—————————————
i.e. if 30 connections per second are received from an IP 10 times, block it. Don't keep it too strict if you are not under attack, else it will generate false positives and block legitimate connections.
* PORTFLOOD
—————————————
PORTFLOOD = "80;tcp;100;5,22;tcp;5;300"
—————————————
i.e. if an IP makes 100 connections in 5 seconds to port 80 (tcp), it will be blocked from the server, and likewise if it makes 5 connections in 300 seconds to port 22.
4. Edit /etc/sysctl.conf
Paste the following into the file, you can overwrite the current information.
—————————————
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Disables packet forwarding
net.ipv4.ip_forward = 0
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
# Decrease the default value of tcp_fin_timeout
net.ipv4.tcp_fin_timeout = 15
# Decrease the default value of tcp_keepalive_time
net.ipv4.tcp_keepalive_time = 1800
# Turn off tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off tcp_sack
net.ipv4.tcp_sack = 0
# Turn off tcp_timestamps
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Ignore ICMP echo requests sent to broadcast addresses
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Increases the size of the SYN backlog queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range (the upper bound cannot exceed 65535)
net.ipv4.ip_local_port_range = 16384 65535
—————————————
Run /sbin/sysctl -p and sysctl -w net.ipv4.route.flush=1 to apply the changes without a reboot.
* TCP Syncookies
—————————————
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
—————————————
5. In addition to the above, you can also add some iptables rules:
—————————————
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A INPUT -p tcp --syn -m state --state NEW --dport 80 -m limit --limit 1/s --limit-burst 2 -j ACCEPT
—————————————
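The per-source count from step 2, run over a constructed netstat -plan excerpt rather than the live socket table, as an added example that is not part of the original post. It strips the port with awk instead of cut -d: -f1, which also handles the IPv4-mapped IPv6 form (::ffff:a.b.c.d:port) that cut mangles; the addresses and the threshold are constructed.

```shell
#!/bin/sh
# Added example: count connections to :80 per foreign IP from netstat output.
# NETSTAT_SAMPLE is a constructed excerpt in the format of `netstat -plan`.

NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED 1240/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV    -
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV    -
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED 1241/httpd
tcp6       0      0 ::ffff:203.0.113.10:80  ::ffff:198.51.100.7:51237 SYN_RECV  -
tcp        0      0 203.0.113.10:22         192.0.2.9:55000         ESTABLISHED 900/sshd'

# Reads netstat output on stdin; prints "count ip" for port 80, highest first.
# The listening socket is skipped so its 0.0.0.0:* peer is not counted.
count_by_source() {
  awk '$4 ~ /:80$/ && $6 != "LISTEN" {
         ip = $5
         sub(/:[0-9*]+$/, "", ip)     # drop the trailing :port
         sub(/^::ffff:/, "", ip)      # unwrap IPv4-mapped IPv6 addresses
         n[ip]++
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Reads netstat output on stdin; prints the IPs with more than $1 connections.
over_threshold() {
  count_by_source | awk -v t="$1" '$1 > t { print $2 }'
}

printf '%s\n' "$NETSTAT_SAMPLE" | count_by_source
echo "--- sources above 2 connections:"
printf '%s\n' "$NETSTAT_SAMPLE" | over_threshold 2
```

On a live host replace the printf with `netstat -plan | over_threshold 50`, picking the threshold from the normal per-client connection count seen on that server.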

Bash script to determine the MaxClients value in Apache


#!/bin/bash
echo "This is intended as a guideline only!"
if [ -e /etc/debian_version ]; then
  APACHE="apache2"
elif [ -e /etc/redhat-release ]; then
  APACHE="httpd"
else
  echo "Unsupported distribution" >&2
  exit 1
fi
# Largest resident set size (KB) among the running Apache processes, converted to MB
RSS=$(ps -aylC "$APACHE" | grep "$APACHE" | awk '{print $8}' | sort -n | tail -n 1)
RSS=$(expr "${RSS:-0}" / 1024)
if [ "$RSS" -eq 0 ]; then
  echo "No running $APACHE process with at least 1 MB RSS found" >&2
  exit 1
fi
echo "Stopping $APACHE to calculate free memory"
/etc/init.d/"$APACHE" stop &> /dev/null
# Free memory (MB) with Apache stopped
MEM=$(free -m | head -n 2 | tail -n 1 | awk '{print $4}')
echo "Starting $APACHE again"
/etc/init.d/"$APACHE" start &> /dev/null
echo "MaxClients should be around" $(expr "$MEM" / "$RSS")

Command to correct all the web files/directories permission in cPanel

Command to correct all file permissions to 644
=================================
find /home/*/public_html/* -type f -exec chmod 644 {} \;

Command to correct all directory permissions to 755
=================================
find /home/*/public_html/* -type d -exec chmod 755 {} \;
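The two find passes above wrapped in a function and run on a constructed web root, as an added example that is not part of the original post. It also shows the behaviour a hosting admin should know from the symlink note at the top of this page: find in its default -P mode reports a symlink as type l, so neither chmod is applied through a link that points outside public_html. It assumes GNU coreutils (stat -c %a); the paths are constructed.

```shell
#!/bin/sh
# Added example: normalise files to 644 and directories to 755 under a web root.
# Only entries that are not already at the wanted mode are touched.

fix_web_perms() {   # $1 = web root, e.g. /home/user/public_html
  find "$1" -type f ! -perm 644 -exec chmod 644 {} +
  find "$1" -type d ! -perm 755 -exec chmod 755 {} +
}

run_demo() {
  WORK=$(mktemp -d)                         # constructed scratch tree
  mkdir -p "$WORK/public_html/images"
  echo '<?php' > "$WORK/public_html/index.php"
  chmod 777 "$WORK/public_html/index.php" "$WORK/public_html/images"
  echo 'private' > "$WORK/outside.txt"      # a file outside the web root
  chmod 600 "$WORK/outside.txt"
  ln -s ../outside.txt "$WORK/public_html/docs-link"   # constructed symlink

  fix_web_perms "$WORK/public_html"

  FILE_MODE=$(stat -c %a "$WORK/public_html/index.php")   # 644
  DIR_MODE=$(stat -c %a "$WORK/public_html/images")       # 755
  LINK_MODE=$(stat -c %a "$WORK/public_html/docs-link")   # 777: links stay 777
  OUTSIDE_MODE=$(stat -c %a "$WORK/outside.txt")          # 600: not reached
  rm -rf "$WORK"
}

run_demo
echo "index.php=$FILE_MODE images=$DIR_MODE docs-link=$LINK_MODE outside.txt=$OUTSIDE_MODE"
```

Running the same passes with `find -L` would follow the link and apply chmod 644 to the file outside the web root, which is why the default -P behaviour is the one to keep here.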