SSH bash emergency security patch! important!

Note: your server may already have updated automatically and fixed the vulnerability. For safety, however, we still recommend testing for it.

This article applies to system updates on all VPS and dedicated servers.

A few days ago a very serious security vulnerability was discovered in Bash, the shell built into Linux (vulnerability reference: https://access.redhat.com/security/cve/CVE-2014-6271). Attackers could exploit the Bash vulnerability to take complete control of a target system. To keep your Linux server from being affected, we suggest you apply the fix as soon as possible. The repair method is as follows. Please take note!

[Software and systems confirmed to be exploitable]
All Linux operating systems with GNU bash version 4.3 or lower installed.


[Vulnerability Description]
The vulnerability stems from specially crafted environment variables created before the bash shell is invoked. These variables can contain code, which Bash will then execute.


[Vulnerability Detection]

Run over SSH:

env t='() { :;}; echo You are vulnerable.' bash -c "true"

Before the fix:

If the output is "You are vulnerable.", the system is unfortunately affected and the security fix must be applied immediately.

After the patch has been applied:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Special note: the fix has no other impact. However, if your scripts define environment variables in the manner shown above, they will fail with errors after the fix.
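
An added example (not part of the original article) built on the detection command and the special note above: probe_bash classifies a bash binary using the article's probe, and list_function_like_vars lists the variables in an env dump whose values begin with a function definition, which is the pattern the special note says stops working after the fix. The function names and the sample environment dump are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original article. Function names are hypothetical.

# Run the article's probe against a bash binary (default: bash on PATH).
# Prints "vulnerable" if the command trailing the function definition ran,
# "patched" if it did not, and "not-found" if the binary does not exist.
probe_bash() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "not-found"
        return 1
    fi
    out=$(env t='() { :;}; echo You are vulnerable.' "$bash_bin" -c "true" 2>/dev/null)
    case "$out" in
        *"You are vulnerable."*) echo "vulnerable" ;;
        *)                       echo "patched" ;;
    esac
}

# Read NAME=value lines (the format printed by `env`) on stdin and print the
# names whose value begins with "() {". These are the variables that a patched
# bash will no longer import as functions.
list_function_like_vars() {
    awk '{
        eq = index($0, "=")
        if (eq == 0) next                  # no NAME=value pair on this line
        name  = substr($0, 1, eq - 1)
        value = substr($0, eq + 1)         # everything after the first "="
        if (value ~ /^[(][)] *[{]/) print name
    }'
}

# Constructed sample environment dump (not taken from a real system).
sample_env() {
    cat <<'EOF'
PATH=/usr/local/bin:/usr/bin:/bin
t=() { :;}; echo You are vulnerable.
HOME=/root
deploy_helper=() {  echo deploying; }
note=docs say t=() { is the trigger
EOF
}

# Run with --demo to probe the local bash and audit the sample dump.
if [ "${1:-}" = "--demo" ]; then
    echo "bash status: $(probe_bash)"
    sample_env | list_function_like_vars
fi
```

To audit a live server, pipe the output of `env` from the account that runs your scripts into list_function_like_vars before applying the update.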

[Recommended fix]

Choose the commands below that match your Linux distribution. To guard against accidents, we recommend taking a snapshot of the Linux server's system disk before running the commands. If the upgrade affects your use of the server, you can roll back to the system disk snapshot.




2. How to fix the vulnerability

On Ubuntu or Debian, run:

  apt-get update
  apt-get upgrade



On RedHat, CentOS or Fedora, run:

  yum clean all
  yum -y update bash


Linux: uploading files to another FTP space with the ftp command over SSH

If there is no ftp command, the shell reports: -bash: ftp: command not found
Install the ftp client: yum install ftp
#ftp 127.0.0.1 21    Enter the IP and port number of the remote FTP space, then press Enter
Then follow the prompts to enter a user name and password.
ftp>lcd local working directory
ftp>cd remote directory
ftp>binary    binary transfer
ftp>tick    turn on the transfer byte counter; run it again to turn it off
ftp>mput file

FTP> bye (or by): end the ftp session with the remote computer and exit.

FTP> cd: change the working directory on the remote computer.

FTP> get: copy a remote file to the local computer using the current file transfer type.
Format: get remote-file [local-file]

FTP> lcd: change the working directory on the local computer. By default, the working directory is the directory in which ftp was started.

Format: lcd [directory]

FTP> ls: display an abbreviated list of the remote directory's files and subdirectories.

FTP> mdelete: delete files on the remote computer.
Format: mdelete remote-files [ …]
Explanation: remote-files specifies the remote files to delete.

FTP> mdir: display a list of a remote directory's files and subdirectories. mdir can be used to specify multiple files.
Format: mdir remote-files [ …] local-file
Explanation: remote-files specifies the directories whose listing you want to view. remote-files must be specified. Type - to use the current working directory on the remote computer.

1. Connecting to the FTP server

Format: ftp [hostname | ip-address]
a) On the Linux command line, enter: ftp www.boluo.org
b) The server asks for a user name and password. Enter the appropriate user name and password to authenticate.

2. Downloading files

Files are usually downloaded with one of two commands, get and mget:

a) get format: get [remote-file] [local-file]
Transfers a file from the remote host to the local host.
To get /ftp/1.rar from the server:
ftp> get /ftp/1.rar 1.rar (Enter)

b) mget format: mget [remote-files]
Receives a number of files from the remote host on the local host.
To get all the files under /ftp on the server:
ftp> cd /ftp
ftp> mget *.* (Enter)

Note: files are downloaded to the current directory on the Linux host.

3. Uploading files

a) put format: put local-file [remote-file]
Transfers a local file to the remote host.
To send the local 1.zip to /ftp on the remote host and rename it 1.rar:
ftp> put 1.zip /ftp/1.rar (Enter)

b) mput format: mput local-files
Transfers a number of files from the local host to the remote host.
To upload the rar files in the current local directory to /ftp on the server:
ftp> cd /ftp (Enter)
ftp> mput *.rar (Enter)

4. Disconnecting

bye: disconnect from the server.


How to move from cPanel to DirectAdmin (the server)

The tool to use here is da.cpanel.import.

First, on the cPanel server, download and unpack the tool into any directory you like.

wget http://www.pusathosting.com/file/da.cpanel.import.9.4.tar.gz
tar xzvf da.cpanel.import.9.4.tar.gz

Then create an import folder and an export folder:

mkdir import export

Now copy the users' cPanel backup files into the import folder.

Then edit the file defaults.conf. There are two main changes:

ip=XXX.XXX.XXX.XXX (the IP address of your DA panel)
ns1=ns1.paulhost.com (NS1)
ns2=ns2.paulhost.com (NS2)

Then run perl da.cpanel.import.pl and follow the prompts to make your selections.

Have you read, understood and applied the above? (y / n): choose y

[If you are running this tool on the cPanel server]: After this tool is finished, should successfully created DirectAdmin tarballs be transferred to your DirectAdmin reseller user_backups directory? (y / n): choose y

Next, confirm the IP of the server where the DA panel runs and the backup path to transfer to.

The next step is to wait for completion (partway through you are asked for the DA server's root password).

When it finishes, log in to the DA panel as administrator and restore the backup.


Using iptables to stop php-ddos from sending outbound UDP packets

Recently php-ddos has been rampant, especially through DedeCMS with its pile of holes, as you know. We can use iptables to block php-ddos outbound packets at the source.

First, allow the UDP services you need (such as DNS):

iptables -I OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
iptables -I OUTPUT -p udp --dport 53 -d 8.8.4.4 -j ACCEPT

"53" is the UDP port DNS needs and "8.8.8.8" is the DNS server IP; set these according to your server's configuration. If you do not know which DNS server IP your server is currently using, run the following command over SSH to get it:

cat /etc/resolv.conf |grep nameserver |awk 'NR == 1{print $2 }'

Then block the machine from sending any other outbound UDP packets:

iptables -A OUTPUT -p udp -j DROP
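
The two steps above as one rule generator, an added example that is not part of the original post: it reads resolv.conf-format text and prints one ACCEPT rule per IPv4 nameserver followed by the final DROP, so the rules can be reviewed before they are applied, and it refuses to emit the DROP when no resolver was found. The function names and the sample resolv.conf content are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original post. Function names are hypothetical.

# Read resolv.conf-format text on stdin and print the iptables commands:
# one ACCEPT per distinct IPv4 nameserver, then the catch-all UDP DROP.
# Returns 1 and prints no DROP rule when no IPv4 nameserver is present,
# because a DROP without the DNS ACCEPT rules would break name resolution.
build_udp_egress_rules() {
    awk '
        # Only "nameserver <IPv4>" lines are used. Comments, search/options
        # lines and IPv6 resolvers (iptables handles IPv4 only) are skipped.
        $1 == "nameserver" && $2 ~ /^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+$/ {
            if (!($2 in seen)) {
                seen[$2] = 1
                n++
                print "iptables -I OUTPUT -p udp --dport 53 -d " $2 " -j ACCEPT"
            }
        }
        END {
            if (n == 0) exit 1
            # -A appends, so the DROP always lands below the inserted ACCEPTs.
            print "iptables -A OUTPUT -p udp -j DROP"
        }
    ' || {
        echo "no IPv4 nameserver found; not emitting the DROP rule" >&2
        return 1
    }
}

# Constructed sample resolv.conf content (not taken from a real server).
sample_resolv_conf() {
    cat <<'EOF'
# constructed sample
search example.internal
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 2001:4860:4860::8888
nameserver 8.8.8.8
options timeout:2
EOF
}

# Run with --demo to print the rules for the sample file.
if [ "${1:-}" = "--demo" ]; then
    sample_resolv_conf | build_udp_egress_rules
fi
```

On a server, feed it /etc/resolv.conf, review the printed commands, and add an ACCEPT line for any other UDP service the machine needs before running them.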


Varnish HTTP accelerator and cPanel

cd /usr/local/src
wget http://stderr.net/apache/rpaf/downlo…on F-0.6.tar.gz
tar -xzf mod_rpaf-0.6.tar.gz
cd mod_rpaf-*
apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c

2. Once installed, we need to load the module into the Apache configuration. Since cPanel already has an Include Editor for Apache, we will use that function. Log in to WHM > Service Configuration > Apache Configuration > Include Editor > Pre Main Include > All Versions and paste the following text:

LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
# replace 123.124.125.88 with your server IP
RPAFproxy_ips 127.0.0.1 123.124.125.88
RPAFsethostname On
RPAFheader X-Real-IP


Install OpenVZ on CentOS

I first came across OpenVZ when choosing a VPS: an OpenVZ VPS is a lot cheaper than a Xen one. After getting to know the product, I found that OpenVZ virtualizes at the operating-system layer, a completely different level from virtualization products such as Xen, KVM and Hyper-V. OpenVZ provides only a virtual environment (VE), which OpenVZ itself calls a container, whereas Xen and KVM provide virtual machines through a hypervisor. OpenVZ is indeed a better fit for cheap low-end VPSes, while Xen and similar virtualization products are generally used in enterprise data centers and cloud computing platforms.

Installing OpenVZ

Environment: the CentOS 5.6 x86_64 operating system installed on a single DELL PC.

The official website (http://wiki.openvz.org/) gives a yum repository for installing on CentOS. We adjust the yum repository, and, for security reasons, the CentOS 5 kernel version supported by the OpenVZ kernel patch must be greater than or equal to 2.6.18.308.8.2.el5. You can see the supported kernel versions here: http://wiki.openvz.org/Download/kernel

[root@openvz yum.repos.d]# cd /etc/yum.repos.d
[root@openvz yum.repos.d]# wget http://download.openvz.org/openvz.repo
[root@openvz yum.repos.d]#uname -r
2.6.18-238.9.1.el5
[root@openvz yum.repos.d]#yum install kernel.x86_64 # upgrade the kernel to 2.6.18.308,
[root@openvz yum.repos.d]#uname -r
2.6.18-308.8.2.el5

[root@openvz yum.repos.d]#cat openvz.repo # edit the openvz repo and make sure the following are selected; the default is version 6.2

[openvz-utils]
name = OpenVZ utilities
#baseurl=http://download.openvz.org/current/
mirrorlist=http://download.openvz.org/mirrors-current
enabled=1
gpgcheck=1
gpgkey=http://download.openvz.org/RPM-GPG-Key-OpenVZ
[openvz-kernel-rhel5]
name = OpenVZ kernel-based RHEL5
#baseurl=http://download.openvz.org/kernel/branches/rhel5-2.6.18/current/
mirrorlist=http://download.openvz.org/kernel/mirrors-rhel5-2.6.18
enabled=1
gpgcheck=1
gpgkey=http://download.openvz.org/RPM-GPG-Key-OpenVZ
[root@openvz ~]# yum install ovzkernel -y # install the OpenVZ kernel
[root@openvz ~]# yum install vzctl vzquota # install the two common OpenVZ tools

Because the VEs need to reach the external network, we enable packet forwarding here. We will come back to this later.

[root@openvz ~]# grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@openvz ~]#

Check the default boot kernel settings in grub.conf:

default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title OpenVZ (2.6.18-308.8.2.el5.028stab101.1)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-308.8.2.el5.028stab101.1 ro root=LABEL=/ selinux=0 # selinux has already been disabled automatically
        initrd /initrd-2.6.18-308.8.2.el5.028stab101.1.img
[root@openvz ~]# init 6

Make sure the vz service starts at boot:

[root@openvz ~]# service vz status
OpenVZ is running...
[root@openvz ~]# chkconfig --list vz
vz                 0:off    1:off    2:on    3:on    4:on    5:on    6:off
[root@openvz ~]#

Installing and managing VEs

OpenVZ uses vzctl to manage VEs. Let's look at the command in detail.

[root@openvz ~]# vzctl
vzctl version 3.3
Copyright (C) 2000-2012, Parallels, Inc.
This program may be distributed under the terms of the GNU GPL License.
Usage: vzctl [options] <command> <ctid> [parameters]
vzctl create <ctid> [--ostemplate <name>] [--config <name>]
   [--layout ploop|simfs] [--hostname <name>] [--name <name>] [--ipadd <addr>]
   [--diskspace <kbytes>] [--private <path>] [--root <path>] # create a VE
vzctl start <ctid> [--force] [--wait] # start a VE
vzctl destroy | mount | umount | stop | restart | status <ctid> # stop a VE
vzctl convert <ctid> [--layout ploop[:mode]] [--diskspace <kbytes>]
vzctl quotaon | quotaoff | quotainit <ctid> # set quota
vzctl console <ctid> [ttyno] # enter the VE
vzctl enter <ctid> [--exec <command> [arg ...]] # enter the VE
vzctl exec | exec2 <ctid> <command> [arg ...] # run a command in the VE without entering it
vzctl runscript <ctid> <script> # run a script in the VE
vzctl chkpnt <ctid> [--dumpfile <name>] # save the VE state to a file
vzctl restore <ctid> [--dumpfile <name>] # restore the VE state from a file
vzctl set <ctid> [--save] [--force] [--setmode restart|ignore]
   [--ram <bytes>[KMG]] [--swap <bytes>[KMG]] # set RAM
   [--ipadd <addr>] [--ipdel <addr>|all] [--hostname <name>] # add and delete IPs
   [--nameserver <addr>] [--searchdomain <name>] # specify the nameserver and search domain
   [--onboot yes|no] [--bootorder <N>] # set start at boot
   [--userpasswd <user>:<passwd>] # change a VE user's password
   [--cpuunits <N>] [--cpulimit <N>] [--cpus <N>] [--cpumask <cpus>]
   [--diskspace <soft>[:<hard>]] [--diskinodes <soft>[:<hard>]]
   [--quotatime <N>] [--quotaugidlimit <N>]
   [--noatime yes|no] [--capability <name>:on|off ...]
   [--devices b|c:major:minor|all:r|w|rw]
   [--devnodes device:r|w|rw|none]
   [--netif_add <ifname[,mac,host_ifname,host_mac,bridge]]>] # add a bridged device
   [--netif_del <ifname>] # remove a bridged device
   [--applyconfig <name>] [--applyconfig_map <name>]
   [--features <name:on|off>] [--name <remote>] [--ioprio <N>]
   [--pci_add [<domain>:]<bus>:<slot>.<func>] [--pci_del <d:b:s.f>]
   [--iptables <name>] [--disabled <yes|no>] # VE firewall settings
   [UBC parameters]

Installing a guest: the installation method OpenVZ officially recommends is to download one of its optimized operating system archives and install from it. OpenVZ stores operating system archives in /vz/template/cache/. OS archive download address: http://wiki.openvz.org/Download/template/precreated . Here I download the CentOS 5 x86_64 archive for an installation test.

[root@openvz ~]# ll /vz/template/cache/
total 188092
-rw-r--r-- 1 root root 192411846 Jul 19 02:08 centos-5-x86_64.tar.gz
[root@openvz ~]# vzctl create 2 --ostemplate centos-5-x86_64 --hostname centos01
Creating container private area (centos-5-x86_64)
Performing postcreate actions
CT configuration saved to /etc/vz/conf/2.conf # the configuration file is saved as 2.conf under /etc/vz/
Container private area was created
[root@openvz ~]#

This uses the OS template centos-5-x86_64 to install a VE with ID 2 and host name centos01. After the installation is complete, you need to modify the default configuration file and restart the VE.

Setting the VE to start at boot, and setting its IP, DNS, RAM and disk size:

[root@openvz ~]# vzctl set 2 --onboot yes
WARNING: Settings were not saved to config (use --save flag) # warns that --save is needed to write the configuration file
[root@openvz ~]# vzctl set 2 --onboot yes --save
CT configuration saved to /etc/vz/conf/2.conf
[root@openvz ~]# vzctl set 2 --ipadd 10.20.100.146 --save # cannot be used yet at this point
CT configuration saved to /etc/vz/conf/2.conf
[root@openvz ~]# vzctl set 2 --nameserver 10.20.1.6 --save
CT configuration saved to /etc/vz/conf/2.conf
[root@openvz ~]# vzctl set 2 --ram 345 --save
Error: kernel does not support vswap, unable to use --ram/--swap parameters
Error parsing options  # not supported by the kernel
[root@openvz ~]# vzctl set 2 --diskspace 3G:3G --save
CT configuration saved to /etc/vz/conf/2.conf
[root@openvz ~]# vzctl start 2 # start the VE with ID 2
Starting container ...
Container is mounted
Adding IP address(es): 192.168.221.2
Setting CPU units: 1000
Container start in progress...
[root@openvz ~]#

Use vzlist to view a VE:

[root@openvz ~]# vzlist 2
      CTID      NPROC STATUS    IP_ADDR         HOSTNAME
         2         12 running   192.168.221.2   centos01

Entering, exiting, restarting, starting, stopping and destroying a VE:

[root@openvz ~]# vzctl enter 2
[root@centos01 /]# exit
[root@openvz ~]# vzctl restart 2
[root@openvz ~]# vzctl start 2
[root@openvz ~]# vzctl stop 2
[root@openvz ~]# vzctl destroy 2

Running commands and scripts without logging in to the VE:

[root@openvz ~]# vzctl  exec 2  ifconfig # view network interface information without logging in to the VE
[root@openvz ~]# vzctl  runscript 2 Scriptname # run a script that is on the server

Calculating a VE's resource consumption:

[root@openvz ~]# vzcalc -v 2

Changing the root password of a VE:

[root@openvz ~]# vzctl exec 2 passwd # enter the password twice
[root@openvz ~]# vzctl set 2  --userpasswd root:123456 # set the password directly to 123456

 

VE networking

With the method of adding an IP directly, there are two ways for a VE to reach the Internet. One is to enable packet forwarding on the host machine (the "base unit"; the term "host machine" distinguishes it better) and give the VE an IP in the same segment as the host machine. This is how a VPS with a dedicated IP works: the VE has its own external IP, and users can log in and manage their VPS. The other is routed forwarding with source NAT (SNAT) on the firewall, where the VE has a private IP. In this case the VE can access the Internet, but the external network cannot directly reach the VE on the internal network.

Method one: public IP

Enable packet forwarding

[root@openvz ~]# grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1

Make it take effect

[root@openvz ~]# /sbin/sysctl -p
net.ipv4.ip_forward = 1

Configure or change the VE's IP. This IP is in the same segment as the host machine's (a VPS uses a public IP here).

[root@openvz ~]# ifconfig # the host machine's IP
eth0 Link encap:Ethernet  HWaddr 00:0C:29:FD:E4:AA 
          inet addr:10.20.100.141  Bcast:10.20.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:35535 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8399 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3534995 (3.3 MiB)  TX bytes:934525 (912.6 KiB)
          Interrupt:59 Base address:0x2000
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:784 (784.0 b)  TX bytes:784 (784.0 b)
venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:494 errors:0 dropped:0 overruns:0 frame:0
          TX packets:283 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:37807 (36.9 KiB)  TX bytes:23312 (22.7 KiB)
[root@openvz ~]# vzctl set 2 --ipadd 10.20.100.146 --save # set or change the VE's IP

Test the VE's network

[root@openvz ~]# vzctl exec 2 ifconfig
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:224 errors:0 dropped:0 overruns:0 frame:0
          TX packets:292 errors:0 dropped:53 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:18572 (18.1 KiB)  TX bytes:23106 (22.5 KiB)
venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.20.100.146  P-t-P:10.20.100.146  Bcast:10.20.100.146  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
[root@openvz ~]# vzctl exec 2 ping www.baidu.com
PING www.a.shifen.com (220.181.111.147) 56(84) bytes of data.
64 bytes from 220.181.111.147: icmp_seq=1 ttl=54 time=35.2 ms
64 bytes from 220.181.111.147: icmp_seq=2 ttl=54 time=34.9 ms

Method two: private IP, SNAT

Enable packet forwarding

[root@openvz ~]# grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1

Make it take effect

[root@openvz ~]# /sbin/sysctl -p
net.ipv4.ip_forward = 1

Change the VE's IP. This IP is a private IP.

[root@openvz ~]# vzctl set 2 --ipdel 10.20.100.146 --save # delete the earlier IP in the 100 segment
[root@openvz ~]# vzctl set 2 --ipadd 10.20.102.146 --save # set or change the IP; it is in a different segment from the host machine's IP

Enable SNAT

[root@openvz ~]# /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

or

[root@openvz ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.20.100.141
[root@openvz ~]# iptables -t nat -L # check the NAT rules
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
SNAT       all  --  anywhere             anywhere            to:10.20.100.141
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

View the VE's network

[root@openvz ~]# vzctl exec 2 ifconfig
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:330 errors:0 dropped:0 overruns:0 frame:0
          TX packets:407 errors:0 dropped:53 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:26810 (26.1 KiB)  TX bytes:33397 (32.6 KiB)
venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.20.102.146  P-t-P:10.20.102.146  Bcast:10.20.102.146  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
[root@openvz ~]#

Test the VE's network

[root@openvz ~]# vzctl exec 2 ping www.baidu.com
PING www.a.shifen.com (220.181.111.147) 56(84) bytes of data.
64 bytes from 220.181.111.147: icmp_seq=1 ttl=54 time=35.0 ms
64 bytes from 220.181.111.147: icmp_seq=2 ttl=54 time=34.9 ms
[root@openvz ~]#


Changing the system time on a Xen Linux VPS

If you bought a Xen Linux VPS in the US or in another country, you first need to check and set the time zone:

How do you view the time zone of a Xen Linux VPS?
date -R

You get a result similar to the following:
Mon, 05 Sep 2011 16:29:08 +0800

If the last field is not +0800, set the time zone to the one you want. Setting the time zone on a Xen Linux VPS goes as follows:

rm -rf /etc/localtime
ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

Your Linux VPS time zone is now set to Shanghai, China (UTC+8).

Sometimes a purchased Xen Linux VPS has not only the wrong time zone but also a system time that is far off, sometimes by hours.
How do you change the time on a Xen Linux VPS? Use the ntp time synchronization software to synchronize the VPS's system time. (On a Xen VPS or a dedicated server you can change it. On an OpenVZ VPS you cannot; you can only ask the data center to change the time on the host machine.)

The commands are as follows:

yum install -y ntp

vi /etc/sysctl.conf

xen.independent_wallclock = 1 # add this line to the file, then save and exit

sysctl -p # remember this step, otherwise the change does not take effect

ntpdate us.pool.ntp.org

Then run

date -R

again to confirm that the time has been corrected.

The time is now synchronized.


One-step iptables firewall configuration for CentOS

With several VPSes on hand, configuring iptables by hand is too much trouble. I saw a script in Zhu brother's LNMP that configures the iptables firewall automatically, borrowed it and changed it a bit, for those who need it.
Only common ports are set. If you have special needs, add or remove the corresponding ports yourself.

Usage:

wget -c http://ph4ntasy.googlecode.com/files/iptables.sh
chmod +x iptables.sh
./iptables.sh
Setting iptables to start at boot:

chkconfig --level 345 iptables on
Complete shell script:

#!/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
function support_distro(){
if [ -z "`egrep -i "centos" /etc/issue`" ];then
echo "Sorry,iptables script only support centos system now."
exit 1
fi
}
support_distro
echo "============================iptables configure============================================"
# Created by Centos.bz Modified by ph4ntasy.com
# Only support CentOS system
# Get SSH port
if grep "^Port" /etc/ssh/sshd_config>/dev/null;then
sshdport=`grep "^Port" /etc/ssh/sshd_config | sed "s/^Port[[:space:]]*//g" `
else
sshdport=22
fi
# Obtain DNS server IP
if [ -s /etc/resolv.conf ];then
nameserver1=`cat /etc/resolv.conf |grep nameserver |awk 'NR == 1{print $2 }'`
nameserver2=`cat /etc/resolv.conf |grep nameserver |awk 'NR == 2{print $2 }'`
fi
IPT="/sbin/iptables"
# Delete the existing rules
$IPT --delete-chain
$IPT --flush
# Deny inbound, allow outbound, allow the loopback adapter
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# Allow the passage of established or related connections
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Limit a single IP to at most 10 connections to port 80
$IPT -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j DROP
# Allow connections to ports 80 (HTTP), 873 (RSYNC), 443 (HTTPS), 20 and 21 (FTP), 25 (SMTP)
$IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# Allow connections to the SSH port. The script detects the current SSH port automatically, otherwise it defaults to port 22
$IPT -A INPUT -p tcp -m tcp --dport $sshdport -j ACCEPT
# Allow ping
$IPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
# Allow DNS
[ ! -z "$nameserver1" ] && $IPT -A OUTPUT -p udp -m udp -d $nameserver1 --dport 53 -j ACCEPT
[ ! -z "$nameserver2" ] && $IPT -A OUTPUT -p udp -m udp -d $nameserver2 --dport 53 -j ACCEPT
# Save the rules and restart iptables
service iptables save
service iptables restart
echo "============================iptables configure completed============================================"


Error encountered while installing DirectAdmin

While installing DirectAdmin, the following error appears:

*** Cannot find /usr/include/et/com_err.h. (yum install libcom_err-devel) ***
Installation didn't pass, halting install.
Once requirements are met, run the following to continue the install:
cd /usr/local/directadmin/scripts
./install.sh
Common pre-install commands:

http://help.directadmin.com/item.php?id=354

==================
yum install libcom_err-devel
==================
Total 972 kB / s | 116 MB 02:02
Running rpm_check_debug
ERROR with rpm_check_debug vs depsolve:
keyutils-libs-devel is needed by krb5-devel-1.10.3-10.el6_4.1.i686
libselinux-devel is needed by krb5-devel-1.10.3-10.el6_4.1.i686
zlib-devel is needed by openssl-devel-1.0.0-27.el6_4.2.i686
** Found 7 pre-existing rpmdb problem(s), 'yum check' output follows:
e2fsprogs-devel-1.41.12-3.el6.i686 has missing requires of e2fsprogs-libs = ('0', '1.41.12', '3.el6')
e2fsprogs-devel-1.41.12-3.el6.i686 has missing requires of libcom_err-devel
e2fsprogs-devel-1.41.12-3.el6.i686 has missing requires of pkgconfig(com_err)
krb5-devel-1.8.2-3.el6.i686 has missing requires of keyutils-libs-devel
krb5-devel-1.8.2-3.el6.i686 has missing requires of libcom_err-devel
krb5-devel-1.8.2-3.el6.i686 has missing requires of libselinux-devel
openssl-devel-1.0.0-4.el6.i686 has missing requires of zlib-devel

Run:

yum -y install zlib-devel
yum -y install e2fsprogs*

This solves the problem.


Preventing third parties from using Zen Cart to send spam

Zen Cart's Tell a friend e-mail function is being abused by hateful people, who use a program to send mass mailings automatically through the Tell a friend feature of Zen Cart web sites. The message content is really quite unsavory, embarrassingly so. Still, I admire this guy's creativity in coming up with even this.
Back to the point: here is the solution for third parties using Zen Cart's Tell a friend feature to send spam.

My Zen Cart site uses mail on its own domain, tied to a Gmail account. Because Gmail blocks spam well, I had not noticed spam in the domain mailbox. Yesterday, when I saw there were actually 2000+ failure notice messages, I took a closer look: more than 500 letters had gone out. Only then did I recall that most of the site's recent visits came from entering the URL directly, which is perhaps related. Of course, that is a digression. Today I searched the official Zen Cart forum for a while and found that many site owners had run into a similar situation, some having their sites shut down by the ISP as a result. I always thought the Tell a friend feature was of little use; I did not expect it to be of no small use.
For this situation, there are solutions available:
1. In the admin area, under Configuration > Email Options, find Allow Guest To Tell A Friend and turn off the guest recommendation function.
2. Download the Zen Cart spam-filtering plug-in Form Armor Module, a third-party plug-in designed for the problem of Contact us and Tell a friend being used to send spam. Unfortunately, Form Armor is a paid subscription service and not cheap: 19 dollars per month. Download here: http://www.zen-cart.com/index.php?main_page=product_contrib_info&products_id=1202.
I simply followed step 1 and turned off the guest recommendation function. Whether it helps will be seen in two days. Update: useless!
If, like me, you think Tell a friend is good for nothing, rename the following files to remove the feature completely:
templates/YOUR_TEMPLATE/templates/tpl_tell_a_friend_default
includes/languages/english/tell_a_friend.php
includes/modules/pages/tell_a_friend.php
Then, in the admin area under Catalog > Product Types, open each product type set up on the web site, find Show Product Tell a Friend button, and turn it off.


Fix for being unable to connect to FTP after installing the new version of Kloxo

Recently, while helping to set up a Kloxo panel, I found after installing Kloxo that FTP clients could not connect. After some agonizing I finally found a solution on Google.

Here is the solution.
Log in to the server over SSH with the root account and run:
netstat -an | grep LISTEN
Port 21 is not found, so no wonder the server cannot be connected to.

Now we only need to configure pureftp.
Edit pureftp:

1. vi /etc/xinetd.d/pureftp: delete or comment out the original configuration and replace it with the following.

service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/pure-ftpd
server_args = -A -c5000 -C8 -D -fftp -H -I15 -lpuredb:/etc/pure-ftpd/pureftpd.pdb -lunix -L2000:8 -m4 -s -p30000:50000 -U133:022 -u100 -Oclf:/var/log/kloxo/pureftpd.log -g/var/run/pure-ftpd.pid -k99 -Z -Y 1
groups = yes
flags = REUSE
}

Restart ftp:

service xinetd restart

After the restart, log in to FTP again and you will find that login works normally.


Adding a new IP in the Kloxo VPS control panel

Configuring a new IP through the Kloxo control panel.

Suppose the IP to add is 74.82.180.226 with subnet mask 255.255.255.224.

After logging in to Kloxo, click

Server -> localhost -> IP Addresses -> Add IP Address

Then keep the default for the device name.
For the IP address, enter

74.82.180.226

For the subnet mask, enter

255.255.255.224

Then click OK.

This tutorial comes from the Internet.


service httpd restart problem: solution for "Temporary failure in name resolution: Failed to resolve server name"

Problem: Starting httpd: [Wed Jul 25 16:09:56 2012] [error] (EAI 3)Temporary failure in name resolution: Failed to resolve server name for 192.168.1.2 (check DNS) -- or specify an explicit ServerName

This is generally caused by a VPS or server having multiple IPs. The solution is as follows:

Add the following to /etc/hosts:

192.168.1.2 localhost
192.168.1.3 localhost   # more lines can be added if there are more IPs


Xen installation issues

Format: vgcreate volume-name partition-name
vgcreate vg001 /dev/sda3
