• Automatically clearing old emails using CPanel

    Depending on the setup of your system, old emails can be a bane. If you forward a copy of all emails to a single account for retrieval by the MS Exchange POP3 connector, you'll experience issues when the other mailboxes become full (a lot of servers won't accept a wildcard redirect for email addresses!).

    It's actually fairly simple to solve so let's take a look at a sample setup;

  • Automounting Samba Shares over OpenVPN

    So you've got a working OpenVPN setup, but now you want to be able to access the Samba shares hosted on the remote network.

    It's very easy to do manually, but most users don't want to have to learn to map network drives (or shudder use some of that commandline black magic). Thankfully, they don't need to as you can tell OpenVPN to do the legwork for them;

     

  • Avoiding BCC Leaks with Exim

    This issue is, by no means, Joomla specific - but Joomla's mass mail functionality provides a good example of what can go wrong.

    The expectation that most users have, is that the list of recipients BCC'd on an email will never be visible to any of those recipients.

    Unfortunately, whether or not that's the case may well depend on the Mail Transport Agent (MTA) that you are using.

    Those familiar with Joomla's Mass Mail feature will know that by default, recipients are BCC'd - unfortunately, if you're using Exim (which most CPanel servers, for example, are) then you may in fact find that those receiving your message can see exactly who it was sent to.

    Whether or not this BCC Leak is visible to the recipients will depend on what mail client they use (assuming they're not in the habit of looking at the mail headers anyway....), but those using Google Apps/Google Mail will have the list clearly presented to them when viewing the mail.

  • CentOS: Using NGinx to serve static files and Apache for dynamic

    Apache is a great web-server, but it has a pretty heavy memory footprint. It can get quite restrictive quite quickly, especially if you're on a system will limited resources (given how many people now run on a VPS, and the poor disk IO of these systems it's all the more important - swapping is slow).

    The way around it, is to configure your system to use NGinx as a reverse-proxy. Depending how many virtualhosts you have, you can make the changes almost completely transparently within about 10 minutes.

  • Checking for Outdated Joomla Extensions on your server

    When you're managing Joomla sites it's reasonably easy to keep track of updates, especially if you use something like Watchful to help you. When you're running a server and only managing some (or none) of those sites, it becomes a little more difficult (especially on a busy shared hosting server).

    It's quite easy to shrug and say 'Not my site, not my problem', but the simple fact is that it is. The second someone manages to compromise one of the sites you host, they're going to try and find a way to run arbitrary code, once they've done that they'll try to run an auto-rooter. If they succeed, it's game over for everyone you host!

    The extension that always comes to mind, is the Joomla Content Editor (JCE) as they had a nasty vulnerability involving spoofed GIFs some time back. You'd hope that everyone would have updated by now, but there still seem to be a lot of sites running versions older than 2.1.1!

    In this post, we'll be creating a script designed to automatically check every one of the sites you host for a version of JCE older than the latest. Adjusting it to check other extensions is easy, so long as that extension has an update stream.

  • Configuring NGinx to act as a Reverse Proxy for PHPMyAdmin

    In a previous post, I detailed how to Use NGinx to serve static files and Apache for dynamic as well as the minor tweaks you need to make to have it work nicely with Joomla.

    One thing I didn't cover, though, is setting up PHPMyAdmin. This documentation isn't going to go into the detail of installing and configuring PHPMyAdmin as there's plenty of that available elsewhere on the web. What we will discuss, though, is the NGinx configuration changes you need to make to have the connection reverse proxied to Apache.

    These steps only really apply if you've gone for a system-wide installation of PMA. If you've unpacked into a web-accessible directory then you probably don't need to make any changes!

  • Configuring Postfix to automatically forward mail for one address to another

    There seem to be a number of people searching for how to do this, and from what I can see there's very little quick and easy documentation on the net. You've got a server, hosting a website (for example) for example.com.

    You want the server to accept mail for example.com but to automatically pass the mail onto a different address.

    Assuming you're running Postfix, it's as simple as the steps below

  • Copying a Linux Kernel From One System to Another

    There may be occasions where, for testing purposes, you want to copy a kernel from one machine to another.

    There are some fairly self-explanatory caveats:

    • The donor and target system must be running on the same architecture
    • The target machine shouldn't have any (important) hardware that's unsupported by your donor kernel

    Obviously, you'll ideally want to make sure that the hardware is as close to identical as possible (otherwise your testing may be invalid) so the above should be considered a minimum

  • Creating a virtual Network Interface in CentOS 6

    Sometimes you need to assign more than one IP to a server, even if it only has one NIC. To do so, you create a virtual (or aliased) interface, attached to the physical NIC.

    This documentation details how to do this in CentOS5 / CentOS 6 (this also applies to CentOS7 if you're not using Network Manager).

  • Darkleech Apache attacks on the rise, but is it really that hard to detect?

    Reports of CDorked.A infections are still on the rise by the looks of things. The attack is reported as 'hard-to-detect', but this should only be true for the more naive sysadmins out there.

    Whilst it's true that CDorked changes nothing on disk, except the HTTPD binary, this change alone should be triggering alerts. On a production server, you should be storing checksums of known good files and comparing these regularly to see if anything's changed.

    As some obviously aren't following this basic step, in this post we'll look at what you need to do to at least be made aware if CDorked gets onto your system - it'd be nice to be able to do a post on avoiding it, but the attack vector is still unknown!

  • Disk automatically unmounts immediately after mounting

    When it happens, it's incredibly frustrating - you've had a disk replaced on a linux box, the disk has shown up with a different name in /dev, so you edit /etc/fstab and then try to mount the disk.

    The command runs, without error, but the disk isn't mounted, and doesn't appear in df

    This documentation details the likely cause, and how to resolve it

  • Enabling SRS on a CPanel Server

    The default MTA on a CPanel server (Exim) has supported both the Sender Policy Framework (SPF) and the Sender Rewriting Scheme (SRS) for quite some time. Unfortunately, whilst CPanel provides configuration options allowing you to enable and configure SPF, the same cannot be said for SRS.

    This can cause a major headache if you have set-up mail forwarders on your system. This documentation details how to go about configuring SRS.

  • Falling Out Of Love With Siteground

    In the past, I've really rated Siteground Hosting very highly, and recommended them to anyone asking about US Based dedicated servers (Heart would be my first choice for UK Based Dedicated Servers or VPS). Unfortunately experience has worn me down.

    To be clear, I'm not, and never have been, a Siteground customer. However, some of the people I do some work for are, so I occasionally have to escalate things to Siteground, or step in when Siteground have asked their customer to take some action.

    I've been quietly sitting on some of these frustrations for a little while, but in the last week some have been added, tipping the balance in my mind.

  • Is your SPF Record Complete?

    The Sender Policy Framework (SPF) is becoming increasingly important as more and more hosts enable it. Chances are that your domain has a SPF record, but is it complete and correct? If not then your mail is likely to end up in the recipients spam folder, or worse bounce completely.

  • Keeping Hitcounts accurate when using an NGinx Caching Proxy

    In previous documentation, we've configured sites to use NGinx as a Reverse Caching Proxy, leading to hugely improved response times on popular content. We've also implemented a custom configuration so that we can refresh the cache periodically, ensuring that dynamic content (such as Twitter modules) updates.

    One thing we haven't done as yet, though, is to address the issue of internal hitcounts. We've looked specifically at using NGinx with Joomla, and noted that a side effect would be inaccurate hitcounts displayed within Joomla (which remains true even when using the internal page caching).

    In this documentation, we'll be implementing a small script to ensure that hits served from the cache are still recorded within Joomla (or Wordpress, Drupal - whatever you happen to be using), albeit a little while after they happen.

  • My Own Little HeartBleed Headache

    When the HeartBleed bug was unveiled, I checked all of my servers to see whether they were running vulnerable versions. They weren't, but once the patched versions were released it seemed a good juncture to test and roll out the update to one server.

    What followed was something of a headache, initially with all the markings of a serious compromise.

    Having now identified and resolved the root cause, I thought I'd write a post about it so that others seeing similar behaviour can get something of a headstart.

    In response to threats such as CDorked, I run PHP Changed Binaries on all my servers, so any file in PATH is checked (daily) for changes, based on a cryptographic checksum. If any changes are detected, an alert is raised so that I can investigate the cause of the change.

    The day after I updated OpenSSL, I started receiving alerts for a wide variety of files (I'd updated hashes following the update of OpenSSL)

  • NGinx and Apache with Joomla!

    I recently published a guide to configuring NGinx as a reverse proxy to Apache on CentOS. It works well with Joomla! 2.5 and 3.x but doesn't always play quite so nicely with Joomla! 1.5.

    Having had to configure a system today, I thought I'd document what I had to do differently.

  • OpenVPN on Debian

    Setting up OpenVPN on Debian is as straight forward as on CentOS, though some of the file locations differ slightly.

    This documentation details how to install and configure OpenVPN on a Debian server.

  • OpenVPN on Windows 2003

    We all know that Microsoft probably couldn't organise an orgy in a brothel, so I'm not sure why I was so surprised that their "Routing and Remote Access" service was interfering with other applications that may wish to add a route (in this case OpenVPN).

    This tutorial will show you how to install and configure OpenVPN on Microsoft Windows 2003 (including Small Business Server).

  • PHP Changed Binaries

    PHPChangedBinaries is a simple server monitoring script. It's designed and exists to do one thing - detect and notify when system files change. 

    I've been running a very similar script for years, but in the wake of CDorked/DarkLeech decided it needed a refresh. The script works by generating checksums for all files within pre-configured paths (you can add more through the configuration file). These are then checked against a stored hash to see if anything has changed - if it has, the system admin is alerted.