Tuesday, June 11, 2013

PHP-SHELL script to whitelist IP on CSF

I needed a fast way to whitelist my IP on a Linux server so that I could log in to a secure administration page...

I set it up using a PHP file, a shell script and a cron job.

Now I simply open a public website address, "mydomain.com/whatis.php", and it automatically whitelists my IP.

"whatis.php" PHP file code:
<?php
// Store the visitor's address for the cron script; echo prints the number of bytes written.
echo file_put_contents("/tmp/iplog", $_SERVER["REMOTE_ADDR"]);
?>

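"/script/ip" shell file code:
#!/bin/bash
# Poll /tmp/iplog every 5 seconds, 10 times per run (cron starts a new run every minute).
i=1
while [ $i -le 10 ]
do
        status=$(cat /tmp/iplog 2>/dev/null)
        # Skip when the file is missing or empty, or holds the "0" placeholder
        if [ -n "$status" ] && [ "$status" != "0" ]; then
                echo "$status" >> /etc/csf/csf.allow
                echo "$status" >> /etc/csf/csf.ignore
#                echo "allow from $status" >> /home/DOMAIN/public_html/admin/.htaccess
                echo "0" > /tmp/iplog
                # Restart CSF so the new entries take effect
                /etc/csf/csf.pl -r > /tmp/csf.log
        fi
        sleep 5
        (( i++ ))
done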

"/script/ip" cron job:
* * * * * /script/ip

Note: I tried to run `csf -r` to reset the CSF firewall in the shell script but it didn't work! I don't know why. I found here that we should use `/etc/csf/csf.pl -r` instead. Thanks to that guy!!
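
The cron script above appends whatever /tmp/iplog contains to csf.allow and csf.ignore, and /tmp is writable by every local account. The following is an added example, not the author's script, that accepts only a single IPv4 address and skips entries already listed; the function names is_ipv4 and process_iplog are made up for this illustration.

```sh
#!/bin/sh
# Added example (not the post's script): validate the queued address before
# it reaches the CSF lists. IPv4 only. Paths are arguments so it can be tried
# on scratch files.

# is_ipv4 ADDR: succeed only for one dotted-quad IPv4 address, octets 0-255.
# The body runs in a subshell, so the IFS change does not leak to the caller.
is_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray characters, bad dots
    esac
    IFS=.
    set -- $1                                   # split on dots into $1..$n
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# process_iplog IPLOG LIST...
# Exit status: 0 = address appended to at least one list (reload the firewall),
#              1 = nothing pending or already listed, 2 = content rejected.
process_iplog() (
    iplog=$1; shift
    [ -f "$iplog" ] && [ ! -L "$iplog" ] || return 1   # regular file, not a symlink
    ip=$(cat "$iplog")
    [ -n "$ip" ] && [ "$ip" != "0" ] || return 1
    echo "0" > "$iplog"                                  # consume the request
    is_ipv4 "$ip" || return 2
    added=1
    for list in "$@"; do
        grep -qxF "$ip" "$list" 2>/dev/null && continue  # skip duplicates
        echo "$ip" >> "$list"
        added=0
    done
    return $added
)

# In the cron loop, with the post's paths:
#   process_iplog /tmp/iplog /etc/csf/csf.allow /etc/csf/csf.ignore \
#       && /etc/csf/csf.pl -r > /tmp/csf.log
```

Because the reload runs only on exit status 0, repeat visits from an address that is already listed no longer restart the firewall.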

Tuesday, June 4, 2013

Running mini_sendmail with php-fpm chroot on CentOS 6, Debian 6, ...

Chrooting a website is a good security improvement on a server that hosts multiple websites.
Once you set the chroot for php-fpm, PHP can no longer send mail, because the system sendmail binary is outside the chroot. I fixed this using mini_sendmail. Here's the procedure:

Download your OS template from OpenVZ and extract it into the chroot directory. (Don't forget to set the file owners correctly.)
Enter the chroot directory and run:
chmod 0666 dev/{tty,null,zero}
echo "nameserver 8.8.8.8" > etc/resolv.conf

Now download and extract the mini_sendmail source:
cd /usr/src
wget http://acme.com/software/mini_sendmail/mini_sendmail-1.3.6.tar.gz
tar -zxf mini_sendmail-1.3.6.tar.gz
cd mini_sendmail-1.3.6

If you start compiling mini_sendmail now, you'll receive the following error and mini_sendmail will not work properly:
mini_sendmail.c:(.text+0x5df): warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

To fix that, edit mini_sendmail.c and on line 148 replace:
username = getlogin();
with
username = "USERNAME";
where USERNAME is your php-fpm user.
Now compile it:
make

and copy it to usr/sbin/sendmail inside the chroot:
cp mini_sendmail /home/USERNAME/usr/sbin/sendmail
chmod 755 /home/USERNAME/usr/sbin/sendmail
chown USERNAME:USERNAME /home/USERNAME/usr/sbin/sendmail

Notes:
- I also tested mini_sendmail with a chrooted ssh user. If you don't replace getlogin() with the username as described above, mini_sendmail will fail to work with the following error:
mini_sendmail: can't determine username

- The following error can be ignored safely:
mini_sendmail.c:(.text+0xa47): warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

- When I compiled mini_sendmail on Debian 6 x64, it didn't work and failed with the following error:
unexpected reloc type in static binarySegmentation fault
I tried compiling it on another OS (CentOS 6, Debian 6 i686) and copying the binary to the server, and it worked...
