PHP Cache

Written by Pravin on October 18, 2008 – 10:23 am -

If your sites are using php as the major scripting & the server load is highly around 10+, PHP Cachers like APC , Xcache or Eaccelerator can are really help to minimize the load to 1-2.

APC: The Alternative PHP Cache (APC) is a free and open opcode cache for PHP. It was conceived of to provide a free, open, and robust framework for caching and optimizing PHP intermediate code.

XCache: XCache is a open-source opcode cacher, which means that it accelerates the performance of PHP on servers. It optimizes performance by removing the compilation time of PHP scripts by caching the compiled state of PHP scripts into the shm (RAM) and uses the compiled version straight from the RAM. This will increase the rate of page generation time by up to 5 times as it also optimizes many other aspects of php scripts and reduce serverload.

Eaccelerator: It is a free open-source PHP accelerator, optimizer, and dynamic content cache. It increases the performance of PHP scripts by caching them in their compiled state, so that the overhead of compiling is almost completely eliminated. It also optimizes scripts to speed up their execution. eAccelerator typically reduces server load and increases the speed of your PHP code by 1-10 times.


Tags: , , , ,
Posted in Dedicated Server Hosting, linux, Linux VPS Hosting, Plesk For Linux, VPS hosting, Windows VPS | 1 Comment »

Enable Pear (php) for a Domain on Plesk

Written by Pravin on October 10, 2008 – 4:02 am -

Installing php-pear

First we will have to install the php-pear module on the server. This can be done using yum.

yum install php-pear*

We must also configure pear in php config at /etc/php.ini.

include_path=”.:/usr/share/pear:/local/PEAR/”

Restart apache on the server.

/etc/init.d/httpd stop
/etc/init.d/httpd start

Enable PEAR for a domain.

Create a file called vhost.conf in /var/www/vhosts/domain.com/conf with the following contents:

<Directory /var/www/vhosts/domain.com/httpdocs>
php_admin_value include_path “/var/www/vhosts/domain.com/httpdocs/:/usr/share/pear/”
php_admin_value open_basedir “none”
</Directory>

Reconfigure your webserver so it will look for your new vhost.conf file by doing this:

/usr/local/psa/admin/sbin/websrvmng –reconfigure-vhost –vhost-name=domain.com

Finally  restart apache service:

/etc/init.d/httpd stop
/etc/init.d/httpd start


Tags: , , , ,
Posted in linux, Linux VPS Hosting, Plesk For Linux, VPS hosting | 3 Comments »

Steps to secure VPS?

Written by Jahangir on September 20, 2008 – 9:02 pm -

1.) Firewall Installation
Installing firewall and various other related tools such as CSF, sim. These will prevent unauthorized access to your server and from brute force attacks.
CSF (ConfigServer Firewall) http://www.configserver.com/free/csf/install.txt
SIM (System Integrity Monitor) http://www.rfxnetworks.com/sim.php
NSIV (Network Socket Inode Validation) http://www.rfxnetworks.com/nsiv.php
LES (Linux Environment Security) http://www.rfxnetworks.com/les.php
these do not prevent exploits of services which you run on your VPS server. Also need to be aware of the installed firewall and you need to open up the additional ports as needed if you add new services/program.

2.) Securing /tmp partition
Most of the attacks and exploits use /tmp to work out of any propagate themselves. By mounting /tmp with noexec and nosuid (meaning executables cannot be run from /tmp nor with escalated privileges), this stops many of these exploits from being able to do any harm.
You can do it by adding following entry in “/etc/fstab
====
none /tmp tmpfs nodev,nosuid,noexec 0 0
====
save the file and reboot the VPS, now vps get mounted with “nosuid” and “noexec”

3.) Installing Rkhunter (RootKit Hunter)
Rkhunter is a very useful security scanning tool that is used to scan for trojans, rootkits, backdoors, local exploits and other security problems. It can be useful to detect any failures in your layers of defense. It’s a cron job that scans your server for security problems.
You can install rootkit using following steps.
====
1. Login to your server via SSH as root.
Then Type: cd /usr/local/src/

2. Download RKHunter Version 1.1.4
Type: wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz

3. Extract files
Type: tar -xzvf rkhunter-1.1.4.tar.gz

4. Type: cd rkhunter

5. Type: ./installer.sh

6. Now setup RKHunter to e-mail you daily scan reports.
Type: pico /etc/cron.daily/rkhunter.sh
Add The Following:
#!/bin/bash
(/usr/local/bin/rkhunter –update && /usr/local/bin/rkhunter -c –cronjob 2>&1 | mail -s “RKhunter Scan Details” supp0rt@trulymanage.com) Replace the e-mail above with your e-mail. It is best to send the e-mail to an e-mail off-site so that if the server is compromised then hacker can’t erase the scan reports.
Type: chmod 700 /etc/cron.daily/rkhunter.sh
====
Please refer the following URL for more details on rootkit

http://www.rootkit.nl/projects/rootkit_hunter.html

4.) Securing MySQL Database
MySQL is one of the most popular databases on the Internet and it is often used in conjunction with PHP. Besides its undoubted advantages such as easy of use and relatively high performance, MySQL offers simple but very effective security mechanisms. Unfortunately, the default installation of MySQL, and in particular the empty root password and the potential vulnerability to buffer overflow attacks, makes the database an easy target for attacks. You can secure the Mysql using the tutorial.

5.) Upgrade Apache/PHP, MySQL to latest version
make sure your running the latest secure versions of commons software components. This is the important step in preventing your server getting cracked by common exploits. There will be no problem in up-gradation, but if you have specific version requirements for particular applications, some upgrades should be made with caution.

6.) Installing Mod_Security
ModSecurity is an open source intrusion detection and prevention engine for web applications and helps in preventing attacks on programs that would be vulnerable; it acts as a powerful shielding application from attacks. ModSecurity supports both branches of the Apache web server.
This can be fine tuned, but you may limit some “power” user customers (easily rectified).

http://www.modsecurity.org/

7.) Disable non-root access to unsafe binaries.
Many exploits use well known executables already on your system as part of their bag of tools. By allowing only privileges to root to these files, you can avoid many attacks to not function.
You may find some binaries like “wget, lynx, scp etc ” too useful to limit access to root only, despite being useful to crackers too.

8.) Enabling PHP suEXEC
When PHP runs as an Apache Module it executes as the user/group of the webserver which is usually “nobody” or “apache”. Suexec is a mechanism supplied with Apache that allows to execute CGI scripts as the user they belong to, rather than Apache’s user. This improves security in situations where multiple mutually distrusting users have the possibility to put CGI content on the server.

This means the scripts are executed as the user that created them. If user “supp0rt” uploaded a PHP script, you would see it was “supp0rt” running the script when looking at the running processes on your server. It also provides an additional layer of security where script permissions can’t be set to 777 (read/write/execute at user/group/world level).

Switching to the PHP Suexec module on the servers affects the users that depended on the configuration in the .htaccess file are panicking because their site not works anymore. This is not really a reason to be panic, what can you do in this situation is simple. Try to move as much configurations from your .htaccess file to the php.ini file. The php.ini is a simple text file that can be places in every directory from your server. It will affect only that directory and not the entire site. In addition, there could be some performance loss (also known as seeing a higher server load) as a result of all php scripts being ran as a separate CGI instead of as part of the Apache module.

9.) Disable SSH root access
Allowing the root user to login directly is a major security issue, because a brute force attack can use the known username ‘root’ and concentrate on password variations. By using a unique username (not something like admin) you can reduce the chance of a successful brute force attack. This will force a hacker to have to guess 2 separate passwords to gain root access (you do have 2 separate passwords for unique user’s and root right?)

10.) Changing SSH Port
One common security precaution that system admins use is to set ssh to listen on a non-standard port (e.g. port 9989, 9898, etc). It is common for hackers to attempt ssh daemon exploits that tend to be very specific to the version of openssh that is running. By having sshd listen to a different port, instead, then you are reducing the risk of a general port 22 scan and hack. Changing port is an additional layer of security. Although this is a kin to security by obscurity, it can let you completely avoid many script attacks.


Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in Dedicated Server Hosting, Linux VPS Hosting | 1 Comment »
RSS

  • Subscribe Me

  • Tag Cloud

  • Archives