The WP Guru

Category: Linux Toggle Comment Threads | Keyboard Shortcuts

• 

  Jay Versluis 3:34 pm on January 3, 2015 Permalink | Reply
  Tags: dovecot, Email ( 8 ), ssl ( 2 ), SSL Certificates ( 2 )   
  Categories: Linux, Plesk ( 53 )

  How to install and secure Dovecot in Plesk 12 

  I’ve just installed the Dovecot Mail Service on one of my Plesk 12 servers. It’s an alternative to the old favourite Courier IMAP/POP and a new addition in Plesk 12.

  Dovecot does more or less the same as Courier (i.e. lets you receive mail), but it’s a bit more configurable and debug friendly. It also offers server-side mail filtering which is accessible via the Plesk Webmail services Roundcube and Horde.

  In this article I’ll show you how to install Dovecot in Plesk 12, and how to add your own SSL certificates for mail. In my previous article I’ve explained how to do this with the standard Courier Mail service.

   

  Installing Dovecot in Plesk 12

  Head over to

  • Tools and Settings (or the Server Tab)
  • under the Plesk heading
  • Updates and Upgrades

  Select Add or Remove Components and under Mail Hosting Features, find the option for Different IMAP/POP3 server:

  

  You can only install either Courier or Dovecot. Switching will automatically uninstall the component you currently have and instead install the other one.

  Note that switching Courier for Dovecot will preserve all mailboxes and will not affect your outgoing mail services. Give Plesk a moment until your see the “installation has finished” message.

  You’re now running Dovecot!

   

  Patching Dovecot SSL Certificates

  As with Courier, Dovecot will use self-signed certificates for secure connections. This means that a nasty window is likely to pop up when clients connect. You can suppress this window by specifying your own SSL Certificates.

  

   

  The default configuration file for Dovecot is in /etc/dovecot/dovecot.conf. However the file states that any changes you make here are wiped when an upgrade comes along. Instead, take a look at the /etc/dovecot/conf.d/ directory in which you’ll find three files by default:

  • 10-plesk-security.conf
  • 15-plesk-auth.conf
  • 90-plesk-sieve.conf

  You can add your own configuration snippets here, each beginning with a number and ending with .conf. The lower the number, the earlier your snippet is loaded. The higher the number, the later it is loaded. You get the picture.

  Let’s create /etc/dovecot/conf.d/5-ssl.conf for our purposes. Because I had already configured my certificates for Courier they are still in /usr/share/imapd.pem – but feel free to place your .pem files anywhere you like. Here’s what my file looks like:

  # SSL Certificates for Dovecot are defined here
  
  ssl = yes
  # Path to your Certificate, preferred permissions: root:root 0444
  ssl_cert = </usr/share/imapd.pem
  # Path to your Private Key, preferred permissions: root:root 0400
  ssl_key = </usr/share/imapd.pem
  

  Dovecot lets you have separate files for the certificate and the private key, something that’s not possible in Courier as far as I know. Dovecot is also happy to keep those in the same file though as in my example, and as in Courier. Easy going I say!

  For the changes to take effect we need to restart the Plesk Mail Service like so:

  /usr/local/psa/admin/sbin/mailmng --restart-service

  That’s it!

   

  How do I add a certificate for outgoing mail?

  Postfix (and QMail) deal with sending mail, Dovecot and Courier only deal with receiving it. I’ve described how to add SSL Certificates to Postfix in my article about Courer.

   

  Further Reading

  • Nikolay explains how to use server-side filtering with Horde and Roundcube on the Plesk Dev Blog
  • More details on Dovecot SSL Configuration
  • Official Dovecot Documentation
  • Wikipedia on Dovecot
  • Check your new mail server with this handy online tool

   

  
  
  
  
  

  Jay Versluis, prupert, and How to secure SMTP, POP and IMAP connections in Plesk | The WP Guru are discussing. Toggle Comments

   
  • 

    prupert 2:32 pm on January 18, 2015 Permalink | Reply

    You may want to add the following directives for added security:

    Strong DH params

    ssl_dh_parameters_length = 2048

    Disable insecure SSL protocols

    ssl_protocols = !SSLv2 !SSLv3

    • 

      Jay Versluis 3:35 pm on January 18, 2015 Permalink | Reply

      Thank you for the tip, prupert! Very much appreciated!

  Add your voice! Cancel reply
• 

  Jay Versluis 10:04 pm on December 24, 2014 Permalink | Reply  
  Categories: Linux, Plesk, WordPress ( 53 )

  FIXED: The wp-content folder does not show itself via FTP in Plesk 12 and CentOS 7 

  

  I’ve noticed a weird bug in Plesk 12 on CentOS 7: when you connect via FTP, the wp-content folder does not show up – all other folders can be seen as usual. It’s a rather crucial folder for WordPress users.

  At first I had suspected a problem with the ProFTP service which is not the stock version, but a specially compiled version for use with Plesk, and Plesk takes care of this system services (it’s called psa-proftpd in case you’re interested). But ProFTP is not the problem.

  Thanks to the amazing Sergey Lystsev from Parallels for letting me know that the issue is instead with SELinux: when it’s used in Enforcing mode (which is the default), wp-content does not show itself via FTP. Switching it to Permissive mode or disabling SELinux altogether solves the problem.

  The entire issue will be fixed in the next release of Plesk, and it’s already working in the latest update to the Plesk Preview 12.1.13. CentOS 5 and 6 are not affected.
  

  How do we fix it, Cap’m?

  To disable SELinux on CentOS 7 we can use this:

  setenforce 0
  

  Or, to switch to permissive mode, use this:

  setenforce permissive
  

  Now we’ll need to restart the xinetd service as well as Plesk for the changes to take effect:

  systemctl restart xinetd.service
  service psa stopall
  service psa restart
  

  Connect to your site via FTP and see if the wp-content folder shows itself.

  To permanently change the SELinux configuration so that it survives a server restart, check out my other article here:

  • http://wpguru.co.uk/2014/12/how-to-control-selinux-in-centos-7/

  
  
  
  
  

  Jay Versluis, Ronald, and FIXED: The wp-content folder does not show itself via FTP in Plesk 12 and CentOS 7 - WP Hubbub are discussing. Toggle Comments

   
  • 

    Ronald 7:56 am on January 20, 2015 Permalink | Reply

    Thanks a lot for this post! I was experiencing the exact same problem and this solved it. Thanks.

    • 

      Jay Versluis 9:16 am on January 20, 2015 Permalink | Reply

      You’re very welcome, Ronald!

• 

  Jay Versluis 8:03 pm on December 8, 2014 Permalink | Reply
  Tags: vi   
  Categories: Linux ( 53 )

  How to quit vi without saving your changes 

  It just occurred to me that even though I know my way around vi fairly well, I never had to quit it without saving my changes. Usually I just go back in and overwrite my mistakes.

  Today I did something though that wasn’t as easy to eliminate: instead of pasting an IP address, I accidentally pasted a 4000+ character stylesheet. Dang!

  So how do we leave vi and NOT save our changes? Here’s how:

  • press ESC to exit editing mode (insert/append/whatever)
  • press : (the colon character)
  • enter q!

  Now you’re back on the command line without any saved changes.

  Remind me: how do we SAVE changes again?

  There are several ways of doing this, but my personal favourite is this:

  • press ESC to exit editing mode (insert/append/whatever)
  • press SHIFT + Z twice

  This will put you back on the command line and your changes are saved.

  • https://kb.iu.edu/d/afcz
  • http://wpguru.co.uk/2012/03/how-to-use-vi-to-edit-files-in-linux/

  
  
  
  
  
   
• 

  Jay Versluis 2:07 pm on December 8, 2014 Permalink | Reply
  Tags: CentOS ( 27 ), SELinux   
  Categories: Linux ( 53 )

  How to control SELinux in CentOS 7 

  SELinux – when installed – can take on one of three modes:

  • Enforcing
  • Permissive
  • Disabled

  To check which mode SELinux is running on, we can use either sestatus for a more detailed output, or simply getenforce for a one liner:

  sestatus
  
  SELinux status:                 enabled
  SELinuxfs mount:                /sys/fs/selinux
  SELinux root directory:         /etc/selinux
  Loaded policy name:             targeted
  Current mode:                   enforcing
  Mode from config file:          enforcing
  Policy MLS status:              enabled
  Policy deny_unknown status:     allowed
  Max kernel policy version:      28
  

  getenforce on the other hand will literally just say a single word, like “Enforcing”.

  To change this mode, edit /etc/selinux/config:

  vi /etc/selinux/config
  
  # This file controls the state of SELinux on the system.
  # SELINUX= can take one of these three values:
  #     enforcing - SELinux security policy is enforced.
  #     permissive - SELinux prints warnings instead of enforcing.
  #     disabled - No SELinux policy is loaded.
  SELINUX=enforcing
  # SELINUXTYPE= can take one of these two values:
  #     targeted - Targeted processes are protected,
  #     minimum - Modification of targeted policy. Only selected processes are protected. 
  #     mls - Multi Level Security protection.
  SELINUXTYPE=targeted
  

  Change the file according to the comments and restart the system for the changes to take effect.

  setenforce command

  If SELinux is running and either set to Enforcing or Permissive, you can change its mode on the fly without restarting the server using the setenforce command like so:

  // switch to permissive
  setenforce permissive
  
  // switch to enforcing
  setenforce enforcing
  
  // disable SELinux
  setenforce 0
  

  You won’t get any feedback if all goes well. Note that if SELinux is disabled, the setenforce command won’t work.

  Find out more about SELinux and what it’s good for here:

  • https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-1-basic-concepts
  • http://wiki.centos.org/HowTos/SELinux

  
  
  
  
  

  FIXED: The wp-content folder does not show itself via FTP in Plesk 12 and CentOS 7 | The WP Guru is discussing. Toggle Comments

   
• 

  Jay Versluis 3:50 pm on December 3, 2014 Permalink | Reply
  Tags: ssl ( 2 ), SSL Certificates ( 2 )   
  Categories: Linux, Plesk ( 53 )

  How to secure SMTP, POP and IMAP connections in Plesk 

  You’ve installed an SSL Certificate to secure your Plesk Panel, you’ve tested it with an SSL checker and sure enough: the ugly warning window doesn’t bother you or your customers anymore.

  But your email client still says that the server doesn’t have a valid certificate. What gives?

  The secret is this: SMTP, IMAP and POP3 use their own certificates which are not related to the ones you setup in Plesk to secure https connections. By default the mail services use auto-generated self-signed certificates.

  Sadly as of Plesk 12 there is still no way to manage those in the web interface – but it’s relatively easy to fix on the command line. Let’s go through this step by step.

  These instructions are for Plesk 12 on CentOS 6 and CentOS 7, using the default Courier mail service. You can also install an alternative mail service called Dovecot in Plesk 12. I’m discussing how to install Dovecot over here.

   

  Default Certificates

  We need to replace the following three files (default permissions in brackets):

  • /etc/postfix/postfix_default.pem (600)
  • /usr/share/imapd.pem (400)
  • /usr/share/pop3d.pem (400)

  Those are the culprits for SMTP, IMAP and POP3. We need to add our own private key and the certificate of a domain associated with this server and remove the default certificates.

  Before we begin, make a safety copy of them like this:

  mv /etc/postfix/postfix_default.pem /etc/postfix/postfix_default.old
  mv /usr/share/imapd.pem /usr/share/imapd.old
  mv /usr/share/pop3d.pem /usr/share/pop3d.old

  Here we rename the original files to .old files – in case anything goes wrong, simply rename them back into .pem files.

   

  Add your own certificate

  We need the same file three times, so we’ll start by making one for the SMTP service. Create a new file like this:

  vi /etc/postfix/postfix_default.pem
  

  and paste first the private key, followed by your certificate into this file. It will look something like this:

  -----BEGIN PRIVATE KEY-----
  MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
  MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
  YWwgQ0EwHhcNMTAwMjE5MjI0NTA1WhcNMjAwMjE4MjI0NTA1WjA8MQswCQYDVQQG
  EwJVUzEXMBUGA1UEChMOR2VvVHJ1c3QsIEluYy4xFDASBgNVBAMTC1JhcGlkU1NM
  IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3H4Vsce2cy1rfa0
  l6P7oeYLUF9QqjraD/w9KSRDxhApwfxVQHLuverfn7ZB9EhLyG7+T1cSi1v6kt1e
  6K3z8Buxe037z/3R5fjj3Of1c3/fAUnPjFbBvTfjW761T4uL8NpPx+PdVUdp3/Jb
  ewdPPeWsIcHIHXro5/YPoar1b96oZU8QiZwD84l6pV4BcjPtqelaHnnzh8jfyMX8
  N8iamte4dsywPuf95lTq319SQXhZV63xEtZ/vNWfcNMFbPqjfWdY3SZiHTGSDHl5
  HI7PynvBZq+odEj7joLCniyZXHstXZu8W1eefDp6E63yoxhbK1kPzVw662gzxigd
  gtFQiwIDAQABo4HZMIHWMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUa2k9ahhC
  St2PAmU5/TUkhniRFjAwHwYDVR0jBBgwFoAUwHqYaI2J+6sFZAwRfap9ZbjKzE4w
  EgYDVR0TAQH/BAgwBgEB/wIBADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3Js
  Lmdlb3RydXN0LmNvbS9jcmxzL2d0Z2xvYmFsLmNybDA0BggrBgEFBQcBAQQoMCYw
  JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdlb3RydXN0LmNvbTANBgkqhkiG9w0B
  AQUFAAOCAQEAq7y8Cl0YlOPBscOoTFXWvrSY8e48HM3P8yQkXJYDJ1j8Nq6iL4/x
  /torAsMzvcjdSCIrYA+lAxD9d/jQ7ZZnT/3qRyBwVNypDFV+4ZYlitm12ldKvo2O
  SUNjpWxOJ4cl61tt/qJ/OCjgNqutOaWlYsS3XFgsql0BYKZiZ6PAx2Ij9OdsRu61
  04BqIhPSLT90T+qvjF+0OJzbrs6vhB6m9jRRWXnT43XcvNfzc9+S7NIgWW+c+5X4
  knYYCnwPLKbK3opie9jzzl9ovY8+wXS7FXI6FoOpC+ZNmZzYV+yoAVHHb1c0XqtK
  LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw==
  -----END PRIVATE KEY-----
  -----BEGIN CERTIFICATE-----
  MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
  MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
  aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
  WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
  AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
  CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
  OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
  T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
  JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
  Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
  PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
  aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
  TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
  LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
  BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
  dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
  AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
  NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
  b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
  -----END CERTIFICATE-----
  

  The exact same file can be used for both IMAP and POP3 so we can simply copy it to these two new locations:

  cp /etc/postfix/postfix_default.pem /usr/share/imapd.pem
  cp /etc/postfix/postfix_default.pem /usr/share/pop3d.pem
  

  These two files had 400 permissions by default so that only root can read them, and no one can change them. Let’s adhere to this and apply the same permissions:

  chmod 400 /usr/share/imapd.pem
  chmod 400 /usr/share/pop3d.pem
  

   

  Restart Plesk Mail Services

  For the changes to take effect we’ll need to restart all Plesk mail services:

  /usr/local/psa/admin/sbin/mailmng --restart-service
  

  And that’s it! Now that pesky warning isn’t going to come up anymore when you access Plesk mail with an email client.

   

  Adding CA Certificates

  The above is enough to suppress the usual warning windows in email clients, however if you’re an avid SSL enthusiast you’ll notice that we’ve not added any CA Certificates to the above .pem files. In essence those tell a client that our certificate is valid – otherwise the client would only have our word for it.

  You can add the combined CA Certificate to the end of the three .pem files in addition to the private key and your own certificate. It’s not strictly necessary, but doing this means you will pass strict SSL tests.

  Thanks to Mike Yrabedra for this tip, and the test URL below!

  Testing your mail services

  Mike also found a wonderful service that lets you check an email address which will flag up certificate warnings and exceptions – courtesy of CheckTLS:

  • http://www.checktls.com/perl/TestReceiver.pl

  Simply hack in your email address and you’ll see if your certificate is installed properly. Note that to pass the test, your email address must match the domain on the certificate. For example, if your address is you@domain.com, but your certificate is for yourdomain.com then the test will fail the “Cert OK” field.

  

   

  Wait – where do I find my private key and certificate?

  If you’re using the same certificate for mail that you’re using to secure Plesk, simply head over to

  • Tools and Settings (or the Server Tab)
  • Security Settings
  • SSL Certificates
  • click on your certificate from the list
  • scroll down to find plain text sections for your private key and certificate

   

  Wait – where do I find that CA Certificate you speak of?

  Your certificate provider will give that to you. Some providers call it “intermediate CA certificate”. They usually have several versions of the same thing. Look for a combined version. In essence it’s two plain text blocks, very similar to the ones I’ve shown you above.

  For example, the RapidSSL CA certificates can be found here: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1548

  Further Reading

  • http://kb.sp.parallels.com/en/1062
  • http://www.checktls.com/perl/TestReceiver.pl

  
  
  
  
  

  How to install and secure Dovecot in Plesk 12 | The WP Guru is discussing. Toggle Comments

   
• 

  Jay Versluis 3:16 pm on December 1, 2014 Permalink | Reply
  Tags: CentOS ( 27 ), Parallels Desktop ( 4 )   
  Categories: Linux ( 53 )

  How to start CentOS in Recovery Mode from Parallels Desktop 

  To start your Linux distribution into EFI Recovery Mode you need an installation disk. Even the smallest “minimal” image will do. Shutdown the VM if it’s running. Then mount the ISO image onto your VM (under Configuration – Hardware – CD/DVD1). Make sure the “Connected” box is ticked.

  

  Next you need to tell Parallels Desktop that you want to boot into recovery mode. Head over to Configuration – Hardware – Boot Order and tick the box Use EFI Boot. The boot order does not matter, just make sure CD/DVD is ticked in this list.

  

  Now restart your VM and you’ll boot into the CD image.

  When you’re done here, simply shutdown the VM and untick the EFI Boot option. That’s to make sure you boot into the main installation on your next launch.

  
  
  
  
  
   
• 

  Jay Versluis 11:50 am on November 2, 2014 Permalink | Reply
  Tags: CentOS ( 27 )   
  Categories: Linux, Plesk ( 53 )

  How to install Plesk on CentOS 7 

  Installing Plesk on CentOS 7 hasn’t changed drastically from earlier versions, however CentOS is different than its predecessors. I’ve written an article about how to install Plesk on CentOS 6, but that was 3 years ago and thought it’s time for an updated version.

  Well here it is: Plesk 12, meet CentOS 7.

   

  Plesk Documentation

  Much of what I’m telling you and more is documented on the Parallels Plesk website:

  • http://sp.parallels.com/products/plesk/

  On the left hand side you’ll find a link to the current documentation, as well as handy links to purchase a license if you need to. The link will also answer your questions about the different editions of Plesk and direct you to the Parallels Forum.

   

  One-Click Installer

  The Plesk one-click installer is a script that downloads itself and determines the correct Plesk version for your OS. You won’t accidentally pick the wrong version for your distribution. Paste this and the installer will download the latest version of Plesk (12 at the time of writing):

  wget -O - http://autoinstall.plesk.com/one-click-installer | sh

  If you get an error message, wget may not be installed. Rectify this pitiful situation like this:

  yum install wget

   

  To download older versions of Plesk you can download the one-click-installer file and run it with the option –show-all-releases. This will give you the option to specify your desired Plesk version with –select-release-id. For more information, run the file with the –help option.

  I’ve noticed that the installer is much quicker than on previous versions of Plesk and is finished in under 10 mins (as opposed to half an hour previously). This is presumably due to many packages that are pre-installed with CentOS 7, so not much time is spent downloading stuff. Nice!

  Once finished the installer will give you a URL to login with – usually consisting of your IP, like https://10.1.2.3:8843

   

  Opening Ports for Plesk

  On CentOS 6 and prior the firewall rules were set via iptables. This service is gone and has been replaced with firewalld in CentOS 7. We still need to open ports to speak to Plesk via a browser. The two important ones to open here are 8443 and 8447:

   firewall-cmd --zone=public --add-port=8443/tcp --permanent
   firewall-cmd --zone=public --add-port=8447/tcp --permanent
   firewall-cmd --reload

  The –permanent option makes these rules “stick” upon restart.

  These are not the only ports Plesk needs to function, for a full list please see this KB article:

  • http://kb.sp.parallels.com/en/391

  There is usually no need to open other ports if you install the Firewall extension in Plesk, as this will manage the underlying service for you (and apply the necessary open ports). To do this, head over to Tools and Settings – Updates and Upgrades and install the Firewall Extension (under Additional Plesk extensions).

  Next head over to Extensions select the Firewall Module. Select “Enable Firewall Rules Management”, followed by another enable button. Now Plesk will manage the firewall for you and open all ports ready for web and email traffic.

   

  Add Atomic Repo Power (optional)

  If you’d like to supercharge your server, now’s a good time to install the Atomic repos. These will give you access to many additional tools such as pre-compiled OSSEC HIDS and additional PHP versions:

  wget -q -O - http://www.atomicorp.com/installers/atomic.sh | sh

   

  Loggin in for the first time

  With your dedicated IP handy, the installer script will have given you something like https://10.1.2.3:8443. Surf there and be presented with the Plesk login screen.

  But what are your credentials? I’m glad you asked: the first time you login to Plesk you can do so with your server root credentials. This even works on subsequent sessions, however Plesk creates an admin user for which you will specify the password during your first session.

  It is strongly recommended that you use that admin user for Plesk administrative tasks. You can also create additional administrators in Plesk once you’re up and running – so there’s no need to share your super secret password with colleagues and clients.

   

  Correcting your IP address (optional)

  It can happen that Plesk does not detect the correct IP address on your server. This was never the case in CentOS 6, but I’ve noticed this in CentOS 7. In my case the Plesk installer thought that the local loopback address was my main one (127.0.0.1) – which of course it was not.

  You can usually correct this on first login, but just in case you need to do this from the command line, check this helpful KB article:

  • http://kb.sp.parallels.com/943

   

  License Key and Additional Components

  You need a license to operate Plesk. You’ll get this either from your server provider (if Plesk is part of your deal), or you can buy one directly from Parallels. You can also run Plesk as a 14 day trial version. If you don’t enter this you can still use the Plesk interface but you’ll be limited to a single domain and several options are unavailable.

  In case you’re missing menu items that you had expected to be there, it’s probably a license issue.

  I find it helpful to head over to Tools and Settings (or the Server Tab) – Plesk – Updates and Upgrades and install several additional components, such as

  • Health Monitor
  • Migration Manager
  • Firewall (under Additional Plesk Extensions)
  • Watchdog (under Additional Plesk Extensions)
  • Spam Assassin (under Mail hosting features)
  • Kapersky Anti Virus (under Mail hosting features)

  You can also install Fail2ban from this menu if you like – I personally rely on OSSEC to deal with intrusion detection and choose not to use Fail2ban at this point.

   

  That’s it! Have fun with Plesk

  
  
  
  
  

  Jay Versluis and Jason William are discussing. Toggle Comments

   
  • 

    Jason William 3:11 pm on November 3, 2014 Permalink | Reply

    Thanks for sharing the tutorial.

    • 

      Jay Versluis 5:50 pm on November 3, 2014 Permalink | Reply

      You’re welcome, Jason!

• 

  Jay Versluis 12:52 pm on August 26, 2014 Permalink | Reply
  Tags: CentOS ( 27 )   
  Categories: Linux ( 53 )

  What is the End-of-Life (EOL) for CentOS Distributions 

  The End-of-Life (EOL) for CentOS Distributions is as follows:

  

  More under Section 21 in this article:

  • http://wiki.centos.org/FAQ/General

  
  
  
  
  
   
• 

  Jay Versluis 7:12 am on June 28, 2014 Permalink | Reply
  Tags: CentOS ( 27 ), GNOME ( 2 ), NC 10 ( 6 )   
  Categories: Linux ( 53 )

  How to enable Touchpad Taps as Mouse Clicks on your NC10 in CentOS 

  The NC10’s integrated Synaptics Touch Pad works out of the box in CentOS 6, both under GNOME and KDE. No drivers or patches requried.

  But I remember that when it was running Windows XP I could “tap” the pad instead of clicking the dedicated key (that loud CLACK noise annoys the neighbours). How can we bring this behaviour to CentOS?

  A quick serach reveals this post by Russel in the CentOS forum:

  • https://www.centos.org/forums/viewtopic.php?t=4560

  his suggests that a configuration file needs to be created somewhere. However I found that there’s an easier solution which – at least on the NC10 – works with just one click. I assume this will work for other latops too:

  • head over to System – Preferences – Mouse
  • select the Toucpad tab at the top
  • tick the box “enable mouse clicks with touchpad”
  • works instantly

  

  
  
  
  
  
   
• 

  Jay Versluis 11:39 am on June 27, 2014 Permalink
  Tags: CentOS ( 27 ), sudo   
  Categories: Linux ( 53 )

  How to add a CentOS user to the sudoers list 

  When you try to prefix a command with sudo on a fresh CentOS system you may be greeted with a message such as “you are not part of the sudoers list” and that the incident will be reported.

  Not to the FBI, but to a log file. And of course your sudo operation isn’t going to work.

  That’s because individual users to the system need to be granted permission to executer root level commands, even if it’s only temporary. Here’s how to do it.

  PLESE NOTE:
  I seem to be the only person on the planet who did this successfully. Since then, everyone who’s tried to follow these instructions breaks their servers and blames me for it. Thanks to Jason I finally know why.

  There is a better way to do this using VISUDO. Detailed instructions are provided by Roman in the comments. I suggest you follow them and disregard my instructions.

  !!! PROCEED AT YORU OWN RISK!!! Use test systems. Make backup copies of this measly single line file. Check other sources but DO NOT BLAME ME IF YOU BREAK THINGS.

  Thank you!

  Here’s what worked for me without a hitch: In essence, you need to add your user to a file called sudoers which lives in /etc/sudoers on CentOS 6.5. I have not tried this on CentOS 7. This file is read only, even to the root user – so before tweaking it we need to change its permissions, otherwise your edits can’t be saved:

  chmod 666 /etc/sudoers

  Now use your favourite text editor and find the following section:

  vi /etc/sudoers
  
  ...
  
  ## Next comes the main part: which users can run what software on
  ## which machines (the sudoers file can be shared between multiple
  ## systems).
  ## Syntax:
  ##
  ##     user    MACHINE=COMMANDS
  ##
  ## The COMMANDS section may have other options added to it.
  ##
  ## Allow root to run any commands anywhere
  root    ALL=(ALL)     ALL
  youruser ALL=(ALL)  ALL
  

   

  Add your own user name underneath the root user (as shown above), then save the file and exit. Don’t forget to change the file permissions back to 440 just like they were before:

  chmod 440 /etc/sudoers

   

  • http://baylinux.wordpress.com/2011/10/17/how-to-add-an-user-account-to-sudoers-list-in-centos/

  
  
  
  
  

  Jay Versluis, Jason, Roman Kazmierczak, and 3 others are discussing. Toggle Comments

   
  • 

    chicofranchico 10:07 am on September 19, 2014 Permalink

    This way is not a very safe way to edit the sudoers file so you better use visudo instead which is a lot more secure.

    http://www.courtesan.com/sudo/man/1.7.10/visudo.man.html

    • 

      Jay Versluis 11:31 am on September 19, 2014 Permalink

      Thanks for the tip, I hadn’t heard of visudo before – I’ll check it out!

  • 

    Tyler 12:24 pm on November 6, 2014 Permalink

    Hmm. This really screwed up my day thanks. Wish I would have looked at the comment before I did this.

  • 

    David 10:48 am on November 19, 2014 Permalink

    DO NOT FOLLOW THIS…Broke my sudoers file…please for the love of god take it down.

    • 

      Jay Versluis 11:43 am on November 19, 2014 Permalink

      Thanks for your feedback David, I’ll add a warning at the top.

  • 

    Roman Kazmierczak 12:16 am on December 2, 2014 Permalink

    1. Open Terminal
    2. Switch to root user # su (enter password)
    3. # visudo (it is vi editor editing file mentioned in the post, so basic vi skills required here)
    4. in visudo find lines:
    ## Allows people in group wheel to run all commands

    %wheel ALL=(ALL) ALL

    remove # from 2nd line
    5. save changes and quit (:wq)
    6. now add the user to the wheel group:

    usermod -aG wheel USERNAME (“a” is important so you will not remove user from existing groups…)

    7. logout your user and log back in. The sudo command will work now.

    • 

      Jay Versluis 7:53 am on December 2, 2014 Permalink

      Thank you Roman, your detailed instructions are very much appreciated!

  • 

    Jason 1:06 pm on December 11, 2014 Permalink

    You say no one has bothered to tell you why to use visudo rather than the method you say. Here is *exactly* why:

    1. visudo checks the syntax before saving. If you save /etc/sudoers with bad syntax and there is no root account, you are now in a tricky situation. This is the most important reason.

    2. visudo has basic sanity checks for possible non-syntactical errors (such as aliases referencing themself or aliases that are referenced but not defined). This is an important reson.

    2. visudo ensures that the save is atomic, that is nothing else can edit /etc/sudoers while you are in there. This is a minor reason for most users.

    I appreciate you are simply trying to blog about things that interest you in a helpful manner, but this post is quite irresponsible (especially to be so high in Google results and now that it has been explained to you why it is bad advice).

    All of the offending content should be removed, just replace it with the proper way to do it. The warning at the header is not enough, as the sort of user who will follow the advice given here has both a very high chance of goofing up the syntax and a very low chance of being able to recover.

    Plus, forgive my bluntness, it makes you look like you have no idea what you are talking about.

    There is a very good reason that visudo exists. Consider that you *can* do a lot of things that you probably *shouldn’t* do in Linux, and directly editing /etc/sudoers is one of them!

    Peace

    • 

      Jay Versluis 3:35 pm on December 11, 2014 Permalink

      Hi Jason,

      Thank you for taking the time to explain this to me and all of us here, I very much appreciate it. I’m also happy to hear that this post ranks high on Google, I’ve never checked this myself.

      I do not however agree that as a result of good rankings I should change what and how I write on my own personal website. I write these things down for myself – this isn’t Wikipedia or Stackoverflow. I’m glad the site helps others, but at the same time the responsibility of how people use this info is really not up to me.

      PS: Most of the time, I do indeed not know what I’m talking about – but if and when something works, I write down what I did so I remember it for later. Just like I did here. If Linux was a little EASIER and more USER FRIENDLY this would perhaps not be necessary, and torch-fests like this could be avoided