APF installation error on VPS : unable to load iptables module (ip_tables), aborting.

While installing APF on your VPS you get the following error :

# apf -r
apf(28442): {glob} status log not found, created
apf(28463): {glob} flushing & zeroing chain policies
apf(28463): {glob} firewall offline
apf(28500): {glob} activating firewall
apf(28551): {glob} unable to load iptables module (ip_tables), aborting.
apf(28500): {glob} firewall initalized
apf(28500): {glob} !!DEVELOPMENT MODE ENABLED!! – firewall will flush every 5 minutes.

You need to configure the APF for your VPS.

nano -w /etc/apf/conf.apf

modify
SET_MONOKERN=”0″

to
SET_MONOKERN=”1″

Restart APF

apf -r

Now you will be able to complete apf installation fine 🙂

Mailbox unavailable or not local error messages

If you receive this error when adding a domain:

<coder>Unable to send notification: mail() failed: SMTP server response: 550 Requested action not taken: mailbox unavailable or not local

then you need to add a valid mailbox to your Plesk admin setup. To resolve this issue log into Plesk and click on:

Server
Edit (under personal information)
Replace the email address with a valid, working address.

Keep in mind this error shouldn’t prohibit you from creating a site, it is just notifying you that the “site created” email will not be sent.

When I logging into the Plesk CP and creating a user or domain, this error message appears right after creation: “Internal Plesk error occurred: Unable to send notification: mail() failed:”

APPLIES TO:

* Plesk 7.5.4 Reloaded
* Plesk 8.x for Linux/Unix

SYMPTOMS

Additionally the following errors may be shown:

Failed to connect to mailserver

SMTP server response: 550

Empty error message from utility.

CAUSE
This error means that Plesk failed to send notification for some reasons.
RESOLUTION

First of all make sure that Plesk SMTP server functioning properly as described in 1387.

Also, check Plesk Notifications configuration on the Server->Notification page in Plesk CP. Make sure that all mail addresses notification are configured to sent to are valid and there are no empty Email fields with enabled notifications checkbox.

PhpMyAdmin :: SQLite failed to open/create session database

This is usually a bug in the PhpMyAdmin configuration, whenever you receive the following error when accessing PhpMyAdmin either from WHM or cPanel, follow the steps given below for a fix

Warning: session_write_close() [function.session-write-close]: open(/var/cpanel/userhomes/cpanelphpmyadmin/sessions/sess_uPSQAGVEZx2uuePd7SpsgTHJ6X7, O_RDWR) failed: No such file or directory (2) in /usr/local/cpanel/base/3rdparty/phpMyAdmin/navigation.php on line 85

Manually edit /usr/local/cpanel/3rdparty/etc/phpmyadmin/php.ini file as follow:

1)Login to shell of the server using root login details and open the file “/usr/local/cpanel/3rdparty/etc/phpmyadmin/php.ini” using vi or any other editor.

2) Search for the [Session] variable & underneath it, change the following

Replace:
——————————-
session.save_handler = sqlite
session.save_path =/var/cpanel/userhomes/cpanelphpmyadmin/sessions/phpsess.sdb
——————————-
To:
——————————-
session.save_handler = files
session.save_path = /tmp
——————————-

By default, PhpMyAdmin uses sqlite as as the file handler, but it needs to be changed to files & the location of the session files to be stored needs to be changed to /tmp which is the standard/default place to store temporary files

Authentication token lock busy

This usually happens when you are trying to change a password while the root filesystem (or wherever /etc is) is mounted read-only, for example when you booted up using the init trick, or in some maintenance mode (runlevel, usually).

You can mount a filesystem read-write using:

mount -o remount,rw /


(This can also be useful to remember for remounting read-only, using remount,ro, when you want to fsck a filesystem and the relevant fscker requires the filesystem being read-only)

How to access Plesk database

APPLIES TO:

  • Plesk for Windows

Answer

Plesk Database can be accessed by following steps below depending on the database provider are configured in current Plesk installation.

For MSSQL provider:

Database can be accessed using the following CLI command:

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\osql –E

Or Microsoft SQL Server Management Studio Express utility can be used.

For MySQL DB provider:

Execute the following commands in command prompt:

cd %plesk_dir%\Databases\MySQL\bin


mysql -P8306 -uadmin -p psa

For MS Access DB provider (JET):

You can find and use any utility for viewing MS Access(.mdb) database files:

E.g.

http://www.alexnolan.net/software/mdb_viewer_plus.htm


http://www.softpedia.com/get/Internet/Servers/Database-Utils/MDB-View.shtml

Plesk Database file is located in %plesk_dir%\admin\db\psa.mdb

Named rndc.key error when starting

When trying to restart named process after making modifications may end up in a corrupt rndc.key key and the error will show like this:

Sep 12 03:30:54 server named[23683]: /etc/rndc.key:1: configuring key ‘rndc-key’: bad base64 encoding
Sep 12 03:30:54 server named[23683]: loading configuration: bad base64 encoding
Sep 12 03:30:54 server named[23683]: exiting (due to fatal error)

A simple explanation to this is that the key got modified somehow might me some bug.
What to do about this? Well it is simple just check the /etc/rndc.conf file and copy the key from there(you will see the key in the first lines of the file) and replace the key that it is in /etc/rndc.key file and restart named process.


# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]

Writing Linux firewall rules w/ IPTables

The Linux kernel, since version 2.0, has included the capabilities to act as a firewall. In those days, the kernel module was called ipfwadm and was very simple. With the 2.2 kernel, the firewall module became called ipchains and had greater capabilities than its predecessor. Today, we have IPTables, the firewall module in the kernel since the 2.4 days. IPTables was built to take over ipchains, and includes improvements that now allow it to compete against some of the best commercial products available in the market. This guide will give you some background on IPTables and how to use it to secure your network.

Getting to know some important terminology
IPTables can be used in three main jobs: NAT, Packet Filtering, and Routing.

  • NAT stands Network Address Translation, and it is used to allow the use of one public IP address for many computers.
  • Packet Filteringstateless firewall and the other is stateful firewall. Stateless firewalls do not have the ability to inspect incoming packets to see if the packet is coming from a known connection originating at your computer. Stateful firewalls have the ability to inspect each packet to see if it’s part of a known connection, and if the packet is not part of a known, established connection then the packet is “dropped” or not allowed to pass through the firewall.
  • Routing is used to route various network packets to different ports, which are similar to Airport gates, or different IP addresses depending on what is requested. For example, if you have a web server somewhere in your network that uses port 8080, you can use Linux’s packet routing to route port 80 packets to your server’s port 8080. More on all this this later on.

A word on tables
There are three table types: filter, NAT, and mangle.

  • Filter – this is the default table type and contains most of the chains including input, output, and forward.
  • NAT – this table is used when new connections are created. It contains only three chains: prerouting, output, and postrouting.
  • Mangle – is used to alter packets.

The importance of chains…
There are three built-in chains that are part of IPTables.

  • The INPUT chain is used for packets comming into the Linux box. This chain can be used to stop certain packets from coming into the network or system, so for example, if would prevent another computer from pinging your network.. I will talk more about stopping ping attacks later.
  • The OUTPUT chain is used for packets coming out of your Linux box. This chain can be used to stop certain packets that you do not want to leave your network or system.
  • The FORWARD chain is used for packets passing through the network’s firewall. This chain will be used to set our NAT rules. I will go into the syntax of a basic NAT filter later in this article.
  • The PREROUTING chain is for changing packets as they come in
  • The POSTROUTING chain is for changing packets as they leave

Every chain in IPTables is either user-defined or built-in and will have a default policy, which can be either ACCEPT or DROP. ACCEPT and DROP will be discussed in the next section.

Packet targets
IPTables has targets which denotes what happens to all packets. There are four built-in targets:

  • ACCEPT – denotes if the packet should be allowed to move on.
  • DROP – denotes if the packet should be dropped and ignored.
  • QUEUE – denotes if the packet should be passed to userspace.
  • RETURN – denotes if the packet should be passed to the previous chain. Should this happen, then the packet is governed by the default policy of the previous chain.

For the most part I will be using ACCEPT and DROP targets for the sake of simplicity. These two targets are also more than enough to create your firewall rules. Please note that while there are predefined chains, they can also be a user-defined.

NAT, one IP for them all
NAT is one of the best tricks for networking; it allows one IP address to be used by many computers so they can all access the internet. NAT on your network would work through the rewriting the packet by changing the source IP address to read your internet IP address as it passes out of your network. When a packet needs to return to the source, the packet’s destination IP address is changed back to the computer’s IP address inside your network. For example, if your computer with an IP address of 192.168.1.2 needed to get to Google, whose IP address is 216.239.57.99, the NAT firewall would change 192.168.1.2 to something like 64.199.1.83 and would then be passed throught the internet to Google. When Google sends a response, the IP address is changed from 64.199.1.83 to 192.168.1.2 and is received at your computer inside the network.

To write IPTables rules you will need to open a command prompt, but there are some graphical apps to help you out. One application that makes writing IPTables rules simple is Firestarter for GNOME. KDE users can benefit from an application like knetfilter.



Some notes on IPTables syntax
IPTables chain syntax can be confusing, particularly for beginners, but once you have the basics down, anyone can learn to write their own firewall rules; be patient, it just takes time. It took me about 3 months to figure out how to write a rule to block ICMP packets which are used to ping computers. IPTables syntax looks like this: iptables -t filter -A INPUT -p icmp -i eth0 -j DROP.

  • The -t filter specifies that this rule will go into the filter table. If you wanted to write a NAT rule you would type -t nat.
  • The -A INPUT specifies that the rule is going to be appended to the INPUT chain. Other possible syntax would be -A OUTPUT, -A FORWARD, -A PRETROUTING, and-A POSTROUTING.
  • The -p icmp specifies that the packet has be from the ICMP protocol. The other two options are -p tcp used for TCP packets, and -p udp used for UDP packets.
  • The -i eth0 specifies that the packet has to be coming in via the eth0 interface or your first network device.
  • The -j DROP that if the packet matches it should be dropped. This rule is to stop people from using finger (used to see who else is on the system) , ping (used to check if a server is responding), or other methods to discover your network.

The next two rules are going to do the work of blocking connections not originating from inside your network.

iptables -A FORWARD -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -m state –state ESTABLISHED,RELATED -j ACCEPT

The -m state –state ESTABLISHED,RELATED was used to match the state of the packet coming in via eth0 (your ethernet device) and if the packet matches, then the packet is accepted. The -m is used to match on a specific option. Some possible options are -m limit –limit which looks for a limited rate, -m tos –tos used to match the TOS IP header field on a packet, -m unclean which is used to match packets that look “suspicious”.

The next rule is going to do source NAT, which will allow your network to connect using one IP address.

iptables -t nat -A POSTROUTING -o eth0

Depending on if you have a Static IP or Dynamic IP you would type: -j SNAT –to-source 1.2.3.4 for Static IP, and -j MASQUERADE for Dynamic IP at the end of the above code. As a bonus, i’ll tell you how to do destination NAT, which will allow you to put a server behind the firewall at the expense of security.

iptables -t nat -A PREROUTING -i eth0 -p tcp –dport www -j DNAT –to-dest 192.168.1.2

The –dport www denotes that the destination port is port 80. You can use text like www (port 80) or ftp (port 21) or simply use port numbers. The -j DNAT part of the rule is the target, similar to -j DROP or -j ACCEPT in previous examples. –to-dest 192.168.1.2 tells IPTables where you want the packet to go. –sport 8080 is just like –dport www.

For three years i have writen my own firewall rules. IPTables saved my computer from MyDoom and Sasser worms/viruses. Hopefully, now you too can write your own firewall rules. IPTables is a usefull tool in the Linux user’s tool belt, for protecting Linux and Windows computers.

How do I Drop or block attackers IP with null routes?

Someone might attack on your system. You can drop attacker IP using IPtables. However one of our sr. sys admin highlighted something new for me. You can nullroute (like some time ISP do prevent your network device from sending any data to a remote system.) stopping various attacks coming from a single IP (read as spammers or hackers):

Suppose that bad IP is 65.21.34.4, type following command at shell:

# route add 70.126.142.72 127.0.0.1

You can verify it with following command:

# netstat -nr

This is cool, as you do not have to play with iptables rules.