Category: Linux

Over 80% is running on some form of Linux – so does your Mac and your iPhone. Sometimes we have to get our hands dirty on the command line – it makes you feel like a proper hacker.

Here are some pointers I picked up on my journey.

  • Jay Versluis 3:34 pm on January 3, 2015
    Tags: dovecot

    Categories: Linux, Plesk

    How to install and secure Dovecot in Plesk 12 

    I’ve just installed the Dovecot Mail Service on one of my Plesk 12 servers. It’s an alternative to the old favourite Courier IMAP/POP and a new addition in Plesk 12.

    Dovecot does more or less the same as Courier (i.e. lets you receive mail), but it’s a bit more configurable and debug friendly. It also offers server-side mail filtering which is accessible via the Plesk Webmail services Roundcube and Horde.

    In this article I’ll show you how to install Dovecot in Plesk 12, and how to add your own SSL certificates for mail. In my previous article I’ve explained how to do this with the standard Courier Mail service.

     

    Installing Dovecot in Plesk 12

    Head over to

    • Tools and Settings (or the Server Tab)
    • under the Plesk heading
    • Updates and Upgrades

    Select Add or Remove Components and under Mail Hosting Features, find the option for Different IMAP/POP3 server:


    You can only install either Courier or Dovecot. Switching will automatically uninstall the component you currently have and instead install the other one.

    Note that switching Courier for Dovecot will preserve all mailboxes and will not affect your outgoing mail services. Give Plesk a moment until you see the “installation has finished” message.

    You’re now running Dovecot!

     

    Patching Dovecot SSL Certificates

    As with Courier, Dovecot will use self-signed certificates for secure connections. This means that a nasty window is likely to pop up when clients connect. You can suppress this window by specifying your own SSL Certificates.


     

    The default configuration file for Dovecot is in /etc/dovecot/dovecot.conf. However the file states that any changes you make here are wiped when an upgrade comes along. Instead, take a look at the /etc/dovecot/conf.d/ directory in which you’ll find three files by default:

    • 10-plesk-security.conf
    • 15-plesk-auth.conf
    • 90-plesk-sieve.conf

    You can add your own configuration snippets here, each beginning with a number and ending with .conf. The lower the number, the earlier your snippet is loaded. The higher the number, the later it is loaded. You get the picture.

    Let’s create /etc/dovecot/conf.d/5-ssl.conf for our purposes. Because I had already configured my certificates for Courier they are still in /usr/share/imapd.pem – but feel free to place your .pem files anywhere you like. Here’s what my file looks like:

    # SSL Certificates for Dovecot are defined here
    
    ssl = yes
    # Path to your Certificate, preferred permissions: root:root 0444
    ssl_cert = </usr/share/imapd.pem
    # Path to your Private Key, preferred permissions: root:root 0400
    ssl_key = </usr/share/imapd.pem
    # Both settings point at the same combined file here, and it contains
    # the private key, so the stricter 0400 applies to it
    

    Dovecot lets you have separate files for the certificate and the private key, something that’s not possible in Courier as far as I know. Dovecot is also happy to keep those in the same file though as in my example, and as in Courier. Easy going I say!

    For the changes to take effect we need to restart the Plesk Mail Service like so:

    /usr/local/psa/admin/sbin/mailmng --restart-service

    That’s it!

     

    How do I add a certificate for outgoing mail?

    Postfix (and QMail) deal with sending mail, Dovecot and Courier only deal with receiving it. I’ve described how to add SSL Certificates to Postfix in my article about Courier.

     


     





     
    • prupert 2:32 pm on January 18, 2015

      You may want to add the following directives for added security:

      Strong DH params

      ssl_dh_parameters_length = 2048

      Disable insecure SSL protocols

      ssl_protocols = !SSLv2 !SSLv3

      • Jay Versluis 3:35 pm on January 18, 2015

        Thank you for the tip, prupert! Very much appreciated!

  • Jay Versluis 10:04 pm on December 24, 2014
    Categories: Linux, Plesk, WordPress

    FIXED: The wp-content folder does not show itself via FTP in Plesk 12 and CentOS 7 


    I’ve noticed a weird bug in Plesk 12 on CentOS 7: when you connect via FTP, the wp-content folder does not show up – all other folders can be seen as usual. It’s a rather crucial folder for WordPress users.

    At first I had suspected a problem with the ProFTP service which is not the stock version, but a specially compiled version for use with Plesk, and Plesk takes care of this system service (it’s called psa-proftpd in case you’re interested). But ProFTP is not the problem.

    Thanks to the amazing Sergey Lystsev from Parallels for letting me know that the issue is instead with SELinux: when it’s used in Enforcing mode (which is the default), wp-content does not show itself via FTP. Switching it to Permissive mode or disabling SELinux altogether solves the problem.

    The entire issue will be fixed in the next release of Plesk, and it’s already working in the latest update to the Plesk Preview 12.1.13. CentOS 5 and 6 are not affected.

    How do we fix it, Cap’m?

    To disable SELinux on CentOS 7 we can use this:

    setenforce 0
    

    Or, to switch to permissive mode, use this:

    setenforce permissive
    

    Now we’ll need to restart the xinetd service as well as Plesk for the changes to take effect:

    systemctl restart xinetd.service
    service psa stopall
    service psa restart
    

    Connect to your site via FTP and see if the wp-content folder shows itself.

    To permanently change the SELinux configuration so that it survives a server restart, check out my other article here:





     
    • Ronald 7:56 am on January 20, 2015

      Thanks a lot for this post! I was experiencing the exact same problem and this solved it. Thanks.

      • Jay Versluis 9:16 am on January 20, 2015

        You’re very welcome, Ronald!

  • Jay Versluis 8:03 pm on December 8, 2014
    Tags: vi

    Categories: Linux

    How to quit vi without saving your changes 

    It just occurred to me that even though I know my way around vi fairly well, I never had to quit it without saving my changes. Usually I just go back in and overwrite my mistakes.

    Today I did something though that wasn’t as easy to eliminate: instead of pasting an IP address, I accidentally pasted a 4000+ character stylesheet. Dang!

    So how do we leave vi and NOT save our changes? Here’s how:

    • press ESC to exit editing mode (insert/append/whatever)
    • press : (the colon character)
    • enter q!

    Now you’re back on the command line without any saved changes.

    Remind me: how do we SAVE changes again?

    There are several ways of doing this, but my personal favourite is this:

    • press ESC to exit editing mode (insert/append/whatever)
    • press SHIFT + Z twice

    This will put you back on the command line and your changes are saved.





     
  • Jay Versluis 2:07 pm on December 8, 2014
    Tags: SELinux

    Categories: Linux

    How to control SELinux in CentOS 7 

    SELinux – when installed – can take on one of three modes:

    • Enforcing
    • Permissive
    • Disabled

    To check which mode SELinux is running on, we can use either sestatus for a more detailed output, or simply getenforce for a one liner:

    sestatus
    
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      28
    

    getenforce on the other hand will literally just say a single word, like “Enforcing”.

    To change this mode, edit /etc/selinux/config:

    vi /etc/selinux/config
    
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these two values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected. 
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted
    

    Change the file according to the comments and restart the system for the changes to take effect.

    setenforce command

    If SELinux is running and either set to Enforcing or Permissive, you can change its mode on the fly without restarting the server using the setenforce command like so:

    # switch to permissive
    setenforce permissive
    
    # switch to enforcing
    setenforce enforcing
    
    # 0 is the numeric form of permissive (1 = enforcing); this does not disable SELinux
    setenforce 0
    

    You won’t get any feedback if all goes well. Note that if SELinux is disabled, the setenforce command won’t work.
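setenforce only changes the running mode, while /etc/selinux/config only takes effect at the next boot, so the two can disagree without any warning. The following check is an added example (not from the original post) that compares both; the function names are made up for illustration, and taking the first uncommented SELINUX= line is a simplification.

```bash
#!/bin/sh
# Added example: detect a mismatch between the running SELinux mode and
# the mode stored in the config file. Function names are made up here.

# Print the mode from the first uncommented SELINUX= line, lower-cased.
# "# SELINUX= ..." comments and the SELINUXTYPE= line do not match.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | head -n 1 | tr '[:upper:]' '[:lower:]'
}

# Compare a runtime mode (as printed by getenforce, e.g. "Enforcing")
# with the config file.
# Returns 0 if they agree, 1 on drift, 2 if the file has no SELINUX= line.
selinux_drift() {
    sd_runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    sd_config=$(selinux_config_mode "$2")

    if [ -z "$sd_config" ]; then
        echo "no SELINUX= line found in $2"
        return 2
    fi
    if [ "$sd_runtime" = "$sd_config" ]; then
        echo "consistent: $sd_runtime now and after a reboot"
        return 0
    fi

    echo "drift: $sd_runtime now, $sd_config after a reboot"
    # With SELinux disabled on either side, setenforce cannot close the
    # gap; only editing the config file and rebooting can.
    case "$sd_runtime:$sd_config" in
        disabled:*|*:disabled)
            echo "note: a reboot is required, setenforce will not help" ;;
    esac
    return 1
}

# Usage on a real system, after sourcing this file:
#   selinux_drift "$(getenforce)" /etc/selinux/config
```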

    Find out more about SELinux and what it’s good for here:





     
  • Jay Versluis 3:50 pm on December 3, 2014
    Categories: Linux, Plesk

    How to secure SMTP, POP and IMAP connections in Plesk 

    You’ve installed an SSL Certificate to secure your Plesk Panel, you’ve tested it with an SSL checker and sure enough: the ugly warning window doesn’t bother you or your customers anymore.

    But your email client still says that the server doesn’t have a valid certificate. What gives?

    The secret is this: SMTP, IMAP and POP3 use their own certificates which are not related to the ones you set up in Plesk to secure https connections. By default the mail services use auto-generated self-signed certificates.

    Sadly as of Plesk 12 there is still no way to manage those in the web interface – but it’s relatively easy to fix on the command line. Let’s go through this step by step.

    These instructions are for Plesk 12 on CentOS 6 and CentOS 7, using the default Courier mail service. You can also install an alternative mail service called Dovecot in Plesk 12. I’m discussing how to install Dovecot over here.

     

    Default Certificates

    We need to replace the following three files (default permissions in brackets):

    • /etc/postfix/postfix_default.pem (600)
    • /usr/share/imapd.pem (400)
    • /usr/share/pop3d.pem (400)

    Those are the culprits for SMTP, IMAP and POP3. We need to add our own private key and the certificate of a domain associated with this server and remove the default certificates.

    Before we begin, make a safety copy of them like this:

    mv /etc/postfix/postfix_default.pem /etc/postfix/postfix_default.old
    mv /usr/share/imapd.pem /usr/share/imapd.old
    mv /usr/share/pop3d.pem /usr/share/pop3d.old

    Here we rename the original files to .old files – in case anything goes wrong, simply rename them back into .pem files.

     

    Add your own certificate

    We need the same file three times, so we’ll start by making one for the SMTP service. Create a new file like this:

    vi /etc/postfix/postfix_default.pem
    

    and paste first the private key, followed by your certificate into this file. It will look something like this:

    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    

    The exact same file can be used for both IMAP and POP3 so we can simply copy it to these two new locations:

    cp /etc/postfix/postfix_default.pem /usr/share/imapd.pem
    cp /etc/postfix/postfix_default.pem /usr/share/pop3d.pem
    

    These two files had 400 permissions by default so that only root can read them, and no one can change them. Let’s adhere to this and apply the same permissions:

    chmod 400 /usr/share/imapd.pem
    chmod 400 /usr/share/pop3d.pem
    

     

    Restart Plesk Mail Services

    For the changes to take effect we’ll need to restart all Plesk mail services:

    /usr/local/psa/admin/sbin/mailmng --restart-service
    

    And that’s it! Now that pesky warning isn’t going to come up anymore when you access Plesk mail with an email client.

     

    Adding CA Certificates

    The above is enough to suppress the usual warning windows in email clients, however if you’re an avid SSL enthusiast you’ll notice that we’ve not added any CA Certificates to the above .pem files. In essence those tell a client that our certificate is valid – otherwise the client would only have our word for it.

    You can add the combined CA Certificate to the end of the three .pem files in addition to the private key and your own certificate. It’s not strictly necessary, but doing this means you will pass strict SSL tests.

    Thanks to Mike Yrabedra for this tip, and the test URL below!

    Testing your mail services

    Mike also found a wonderful service that lets you check an email address which will flag up certificate warnings and exceptions – courtesy of CheckTLS:

    Simply hack in your email address and you’ll see if your certificate is installed properly. Note that to pass the test, your email address must match the domain on the certificate. For example, if your address is you@domain.com, but your certificate is for yourdomain.com then the test will fail the “Cert OK” field.


     

    Wait – where do I find my private key and certificate?

    If you’re using the same certificate for mail that you’re using to secure Plesk, simply head over to

    • Tools and Settings (or the Server Tab)
    • Security Settings
    • SSL Certificates
    • click on your certificate from the list
    • scroll down to find plain text sections for your private key and certificate

     

    Wait – where do I find that CA Certificate you speak of?

    Your certificate provider will give that to you. Some providers call it “intermediate CA certificate”. They usually have several versions of the same thing. Look for a combined version. In essence it’s two plain text blocks, very similar to the ones I’ve shown you above.

    For example, the RapidSSL CA certificates can be found here: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1548
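Before restarting the mail services it is worth checking the combined .pem file described above (the same file is reused in the Dovecot article): private key first, then the certificate, key and certificate belonging together, and no access for group or others. The script below is an added example, not part of the original post; it needs the openssl command line tool and GNU stat, and the function names are made up for this example.

```bash
#!/bin/sh
# Added example: sanity checks for a combined mail certificate file
# (private key first, then certificate, optionally CA certificates).
# Needs the openssl CLI and GNU stat. Function names are made up here.

# Print the order of PEM blocks in the file, e.g. "key cert cert".
pem_layout() {
    awk '
        /^-----BEGIN ([A-Z0-9]+ )?PRIVATE KEY-----/ { printf "%skey", sep; sep = " " }
        /^-----BEGIN CERTIFICATE-----/              { printf "%scert", sep; sep = " " }
        END { print "" }
    ' "$1"
}

# Succeed only if the private key and the first certificate in the file
# belong together, i.e. both yield the same public key.
pem_key_matches_cert() {
    km_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    km_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$km_key" ] && [ "$km_key" = "$km_cert" ]
}

# Succeed if group and others have no access at all (e.g. 400 or 600).
pem_mode_is_private() {
    pm_mode=$(stat -c '%a' "$1") || return 1
    case "$pm_mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run all checks, print one line per finding, return non-zero on failure.
check_mail_pem() {
    cm_rc=0
    cm_layout=$(pem_layout "$1")

    case "$cm_layout" in
        "key cert"*) ;;
        *) echo "FAIL layout: want private key, then certificate(s); got '${cm_layout:-nothing}'"
           cm_rc=1 ;;
    esac
    if ! pem_key_matches_cert "$1"; then
        echo "FAIL match: private key does not belong to the first certificate"
        cm_rc=1
    fi
    if ! pem_mode_is_private "$1"; then
        echo "FAIL mode: file is accessible by group or others"
        cm_rc=1
    fi
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL expiry: certificate is expired or unreadable"
        cm_rc=1
    fi
    # Not an error: the post treats the CA certificate as optional.
    if [ "$cm_layout" = "key cert" ]; then
        echo "NOTE chain: no CA certificate appended"
    fi
    if [ "$cm_rc" -eq 0 ]; then
        echo "OK $1"
    fi
    return "$cm_rc"
}

# Usage, after sourcing this file as root:
#   check_mail_pem /etc/postfix/postfix_default.pem
#   check_mail_pem /usr/share/imapd.pem
#   check_mail_pem /usr/share/pop3d.pem
```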






     
  • Jay Versluis 3:16 pm on December 1, 2014
    Categories: Linux

    How to start CentOS in Recovery Mode from Parallels Desktop 

    To start your Linux distribution into EFI Recovery Mode you need an installation disk. Even the smallest “minimal” image will do. Shut down the VM if it’s running. Then mount the ISO image onto your VM (under Configuration – Hardware – CD/DVD1). Make sure the “Connected” box is ticked.


    Next you need to tell Parallels Desktop that you want to boot into recovery mode. Head over to Configuration – Hardware – Boot Order and tick the box Use EFI Boot. The boot order does not matter, just make sure CD/DVD is ticked in this list.


    Now restart your VM and you’ll boot into the CD image.

    When you’re done here, simply shut down the VM and untick the EFI Boot option. That’s to make sure you boot into the main installation on your next launch.





     
  • Jay Versluis 11:50 am on November 2, 2014
    Categories: Linux, Plesk

    How to install Plesk on CentOS 7 

    Installing Plesk on CentOS 7 hasn’t changed drastically from earlier versions, however CentOS 7 is different from its predecessors. I’ve written an article about how to install Plesk on CentOS 6, but that was 3 years ago and I thought it’s time for an updated version.

    Well here it is: Plesk 12, meet CentOS 7.

     

    Plesk Documentation

    Much of what I’m telling you and more is documented on the Parallels Plesk website:

    On the left hand side you’ll find a link to the current documentation, as well as handy links to purchase a license if you need to. The link will also answer your questions about the different editions of Plesk and direct you to the Parallels Forum.

     

    One-Click Installer

    The Plesk one-click installer is a script that downloads itself and determines the correct Plesk version for your OS. You won’t accidentally pick the wrong version for your distribution. Paste this and the installer will download the latest version of Plesk (12 at the time of writing):

    wget -O - http://autoinstall.plesk.com/one-click-installer | sh

    If you get an error message, wget may not be installed. Rectify this pitiful situation like this:

    yum install wget

     

    To download older versions of Plesk you can download the one-click-installer file and run it with the option --show-all-releases. This will give you the option to specify your desired Plesk version with --select-release-id. For more information, run the file with the --help option. Downloading the file first also lets you read the script before running it as root, which piping it straight into sh does not.

    I’ve noticed that the installer is much quicker than on previous versions of Plesk and is finished in under 10 mins (as opposed to half an hour previously). This is presumably due to many packages that are pre-installed with CentOS 7, so not much time is spent downloading stuff. Nice!

    Once finished the installer will give you a URL to login with – usually consisting of your IP, like https://10.1.2.3:8443

     

    Opening Ports for Plesk

    On CentOS 6 and prior the firewall rules were set via iptables. This service is gone and has been replaced with firewalld in CentOS 7. We still need to open ports to speak to Plesk via a browser. The two important ones to open here are 8443 and 8447:

     firewall-cmd --zone=public --add-port=8443/tcp --permanent
     firewall-cmd --zone=public --add-port=8447/tcp --permanent
     firewall-cmd --reload

    The --permanent option makes these rules “stick” upon restart.

    These are not the only ports Plesk needs to function, for a full list please see this KB article:

    There is usually no need to open other ports if you install the Firewall extension in Plesk, as this will manage the underlying service for you (and apply the necessary open ports). To do this, head over to Tools and Settings – Updates and Upgrades and install the Firewall Extension (under Additional Plesk extensions).

    Next head over to Extensions and select the Firewall Module. Select “Enable Firewall Rules Management”, followed by another enable button. Now Plesk will manage the firewall for you and open all ports ready for web and email traffic.

     

    Add Atomic Repo Power (optional)

    If you’d like to supercharge your server, now’s a good time to install the Atomic repos. These will give you access to many additional tools such as pre-compiled OSSEC HIDS and additional PHP versions:

    wget -q -O - http://www.atomicorp.com/installers/atomic.sh | sh

     

    Logging in for the first time

    With your dedicated IP handy, the installer script will have given you something like https://10.1.2.3:8443. Surf there and be presented with the Plesk login screen.

    But what are your credentials? I’m glad you asked: the first time you login to Plesk you can do so with your server root credentials. This even works on subsequent sessions, however Plesk creates an admin user for which you will specify the password during your first session.

    It is strongly recommended that you use that admin user for Plesk administrative tasks. You can also create additional administrators in Plesk once you’re up and running – so there’s no need to share your super secret password with colleagues and clients.

     

    Correcting your IP address (optional)

    It can happen that Plesk does not detect the correct IP address on your server. This was never the case in CentOS 6, but I’ve noticed this in CentOS 7. In my case the Plesk installer thought that the local loopback address was my main one (127.0.0.1) – which of course it was not.

    You can usually correct this on first login, but just in case you need to do this from the command line, check this helpful KB article:

     

    License Key and Additional Components

    You need a license to operate Plesk. You’ll get this either from your server provider (if Plesk is part of your deal), or you can buy one directly from Parallels. You can also run Plesk as a 14 day trial version. If you don’t enter this you can still use the Plesk interface but you’ll be limited to a single domain and several options are unavailable.

    In case you’re missing menu items that you had expected to be there, it’s probably a license issue.

    I find it helpful to head over to Tools and Settings (or the Server Tab) – Plesk – Updates and Upgrades and install several additional components, such as

    • Health Monitor
    • Migration Manager
    • Firewall (under Additional Plesk Extensions)
    • Watchdog (under Additional Plesk Extensions)
    • Spam Assassin (under Mail hosting features)
    • Kaspersky Anti Virus (under Mail hosting features)

    You can also install Fail2ban from this menu if you like – I personally rely on OSSEC to deal with intrusion detection and choose not to use Fail2ban at this point.

     

    That’s it! Have fun with Plesk ;-)





     
  • Jay Versluis 12:52 pm on August 26, 2014
    Categories: Linux

    What is the End-of-Life (EOL) for CentOS Distributions 

    The End-of-Life (EOL) for CentOS Distributions is as follows:


    More under Section 21 in this article:





     
  • Jay Versluis 7:12 am on June 28, 2014
    Categories: Linux

    How to enable Touchpad Taps as Mouse Clicks on your NC10 in CentOS 

    The NC10’s integrated Synaptics Touch Pad works out of the box in CentOS 6, both under GNOME and KDE. No drivers or patches required.

    But I remember that when it was running Windows XP I could “tap” the pad instead of clicking the dedicated key (that loud CLACK noise annoys the neighbours). How can we bring this behaviour to CentOS?

    A quick search reveals this post by Russel in the CentOS forum:

    This suggests that a configuration file needs to be created somewhere. However I found that there’s an easier solution which – at least on the NC10 – works with just one click. I assume this will work for other laptops too:

    • head over to System – Preferences – Mouse
    • select the Touchpad tab at the top
    • tick the box “enable mouse clicks with touchpad”
    • works instantly






     
  • Jay Versluis 11:39 am on June 27, 2014
    Tags: sudo

    Categories: Linux

    How to add a CentOS user to the sudoers list 

    When you try to prefix a command with sudo on a fresh CentOS system you may be greeted with a message such as “you are not part of the sudoers list” and that the incident will be reported.

    Not to the FBI, but to a log file. And of course your sudo operation isn’t going to work.

    That’s because individual users of the system need to be granted permission to execute root level commands, even if it’s only temporary. Here’s how to do it.

    PLEASE NOTE:
    I seem to be the only person on the planet who did this successfully. Since then, everyone who’s tried to follow these instructions breaks their servers and blames me for it. Thanks to Jason I finally know why.

    There is a better way to do this using VISUDO. Detailed instructions are provided by Roman in the comments. I suggest you follow them and disregard my instructions.

    !!! PROCEED AT YOUR OWN RISK!!! Use test systems. Make backup copies of this measly single line file. Check other sources but DO NOT BLAME ME IF YOU BREAK THINGS.

    Thank you!

    Here’s what worked for me without a hitch: In essence, you need to add your user to a file called sudoers which lives in /etc/sudoers on CentOS 6.5. I have not tried this on CentOS 7. This file is read only, even to the root user – so before tweaking it we need to change its permissions, otherwise your edits can’t be saved:

    chmod 666 /etc/sudoers

    Now use your favourite text editor and find the following section:

    vi /etc/sudoers
    
    ...
    
    ## Next comes the main part: which users can run what software on
    ## which machines (the sudoers file can be shared between multiple
    ## systems).
    ## Syntax:
    ##
    ##     user    MACHINE=COMMANDS
    ##
    ## The COMMANDS section may have other options added to it.
    ##
    ## Allow root to run any commands anywhere
    root    ALL=(ALL)     ALL
    youruser ALL=(ALL)  ALL
    

     

    Add your own user name underneath the root user (as shown above), then save the file and exit. Don’t forget to change the file permissions back to 440 just like they were before:

    chmod 440 /etc/sudoers
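As the note above says, visudo is the better route because it checks the syntax before anything is saved. The following is an added example, not part of the original post: it stages the same rule in a drop-in file and installs it only if visudo -cf accepts it. It assumes your /etc/sudoers contains the #includedir /etc/sudoers.d line; grant_sudo and SUDOERS_CHECK are names made up for this example.

```bash
#!/bin/sh
# Added example: add "<user> ALL=(ALL) ALL" without ever opening
# /etc/sudoers itself for writing. Names are made up for this example.
# Assumption: /etc/sudoers has the line "#includedir /etc/sudoers.d".

# Syntax checker; overridable so the function can be tried out safely.
SUDOERS_CHECK=${SUDOERS_CHECK:-visudo}

# usage: grant_sudo USER [TARGET_DIR]
grant_sudo() {
    gs_user=$1
    gs_dir=${2:-/etc/sudoers.d}

    # Accept plain account names only. Anything with spaces, "=", "#",
    # upper case or other characters is refused, so the argument cannot
    # smuggle extra sudoers syntax into the rule. Dots are refused too,
    # because sudo skips drop-in files whose name contains a dot.
    case "$gs_user" in
        ''|-*|*[!a-z0-9_-]*)
            echo "refusing user name '$gs_user'" >&2
            return 2 ;;
    esac

    # Stage in the target directory so the final mv is a rename.
    # The leading dot keeps sudo from reading the half-finished file.
    gs_tmp=$(mktemp "$gs_dir/.stage.XXXXXX") || return 1
    printf '%s ALL=(ALL) ALL\n' "$gs_user" > "$gs_tmp"
    chmod 440 "$gs_tmp"

    # visudo -c checks only, -f names the file to check.
    if ! "$SUDOERS_CHECK" -cf "$gs_tmp" >/dev/null 2>&1; then
        echo "syntax check failed, nothing installed" >&2
        rm -f "$gs_tmp"
        return 1
    fi

    mv "$gs_tmp" "$gs_dir/$gs_user"
}

# Usage as root, after sourcing this file:
#   grant_sudo youruser
```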

     





     
    • chicofranchico 10:07 am on September 19, 2014

      This way is not a very safe way to edit the sudoers file so you better use visudo instead which is a lot more secure.

      http://www.courtesan.com/sudo/man/1.7.10/visudo.man.html

      • Jay Versluis 11:31 am on September 19, 2014

        Thanks for the tip, I hadn’t heard of visudo before – I’ll check it out!

    • Tyler 12:24 pm on November 6, 2014

      Hmm. This really screwed up my day thanks. Wish I would have looked at the comment before I did this.

    • David 10:48 am on November 19, 2014

      DO NOT FOLLOW THIS…Broke my sudoers file…please for the love of god take it down.

      • Jay Versluis 11:43 am on November 19, 2014

        Thanks for your feedback David, I’ll add a warning at the top.

    • Roman Kazmierczak 12:16 am on December 2, 2014

      1. Open Terminal
      2. Switch to root user # su (enter password)
      3. # visudo (it is vi editor editing file mentioned in the post, so basic vi skills required here)
      4. in visudo find lines:
      ## Allows people in group wheel to run all commands

      %wheel ALL=(ALL) ALL

      remove # from 2nd line
      5. save changes and quit (:wq)
      6. now add the user to the wheel group:

      usermod -aG wheel USERNAME (“a” is important so you will not remove user from existing groups…)

      7. logout your user and log back in. The sudo command will work now.

      • Jay Versluis 7:53 am on December 2, 2014

        Thank you Roman, your detailed instructions are very much appreciated!

    • Jason 1:06 pm on December 11, 2014

      You say no one has bothered to tell you why to use visudo rather than the method you say. Here is *exactly* why:

      1. visudo checks the syntax before saving. If you save /etc/sudoers with bad syntax and there is no root account, you are now in a tricky situation. This is the most important reason.

      2. visudo has basic sanity checks for possible non-syntactical errors (such as aliases referencing themselves or aliases that are referenced but not defined). This is an important reason.

      3. visudo ensures that the save is atomic, that is nothing else can edit /etc/sudoers while you are in there. This is a minor reason for most users.

      I appreciate you are simply trying to blog about things that interest you in a helpful manner, but this post is quite irresponsible (especially to be so high in Google results and now that it has been explained to you why it is bad advice).

      All of the offending content should be removed, just replace it with the proper way to do it. The warning at the header is not enough, as the sort of user who will follow the advice given here has both a very high chance of goofing up the syntax and a very low chance of being able to recover.

      Plus, forgive my bluntness, it makes you look like you have no idea what you are talking about.

      There is a very good reason that visudo exists. Consider that you *can* do a lot of things that you probably *shouldn’t* do in Linux, and directly editing /etc/sudoers is one of them!

      Peace

      • Jay Versluis 3:35 pm on December 11, 2014

        Hi Jason,

        Thank you for taking the time to explain this to me and all of us here, I very much appreciate it. I’m also happy to hear that this post ranks high on Google, I’ve never checked this myself.

        I do not however agree that as a result of good rankings I should change what and how I write on my own personal website. I write these things down for myself – this isn’t Wikipedia or Stackoverflow. I’m glad the site helps others, but at the same time the responsibility of how people use this info is really not up to me.

        PS: Most of the time, I do indeed not know what I’m talking about – but if and when something works, I write down what I did so I remember it for later. Just like I did here. If Linux was a little EASIER and more USER FRIENDLY this would perhaps not be necessary, and torch-fests like this could be avoided ;-)
