Category Archives: Administration

Speed up PHP with APC on Ubuntu 10.04LTS

Ubuntu 10.04 LTS makes it quite simple to set up a basic LAMP server using tasksel; however, the default PHP set up does not include APC, the Alternative PHP Cache, which speeds up many PHP applications like Drupal. In the past, setting up APC involved using PECL or installing from source, but with Ubuntu Lucid, the process has been simplified using apt-get.

First, let me identify my demo system. It is running Ubuntu 10.04 LTS Lucid and has been patched to the latest version:

$ uname -a
Linux demo 2.6.32-24-generic #43-Ubuntu SMP Thu Sep 16 14:17:33 UTC 2010 i686 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 10.04.2 LTS
Release:	10.04
Codename:	lucid
$ sudo apache2ctl status | grep "Server Version"
Server Version: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.7 with Suhosin-Patch
$ apt-cache show php-apc | grep Version
Version: 3.1.3p1-2

Ubuntu has added a Debian package into universe that allows APC to be added to any system quite easily:

$ sudo apt-get install php-apc
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Suggested packages:
  php5-gd
The following NEW packages will be installed:
  php-apc
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/77.2kB of archives.
After this operation, 217kB of additional disk space will be used.
Selecting previously deselected package php-apc.
(Reading database ... 28911 files and directories currently installed.)
Unpacking php-apc (from .../php-apc_3.1.3p1-2_i386.deb) ...
Processing triggers for libapache2-mod-php5 ...
 * Reloading web server config apache2
   ...done.
Setting up php-apc (3.1.3p1-2) ...

Note: You must restart the web server to begin using APC

$ sudo apache2ctl graceful

Out of the box (er…package), APC has some sane defaults. If you are “a serious user,” you will want to change your configuration yourself. Seriously, that is what the documentation says:

    …serious users should consider tuning the following parameters…

To tweak your very serious APC installation, you can change the settings manually (using vim):

$ sudo vim /etc/php5/conf.d/apc.ini

The APC configuration file is seriously barren; it is little more than an extension include directive. You can add extra keys after reading the APC’s online documentation related to settings.

Finally, there is a small php script that provides more information on the operation of the APC module. Copy it to your web root and decompress it. You should change the default username and password used to protect the script by changing the username and password variables directly in the PHP code:

$ sudo cp /usr/share/doc/php-apc/apc.php.gz /var/www
$ sudo gzip -d /var/www/apc.php.gz
$ sudo vim /var/www/apc.php

Change credentials near line 41:

defaults('ADMIN_USERNAME','apc'); // Admin Username
defaults('ADMIN_PASSWORD','password'); // Admin Password - CHANGE THIS TO ENABLE!!!

Now, view your APC page (assuming your web server is at 192.168.0.6):

https://192.168.0.6/apc.php

fail2ban on centos 6.x

I just had to install fail2ban on a centOS server with plesk, and thought I write it down as I am going to need it in the future.

Fail2Ban is excellent software as it helps to deter those would brute force attacks on a server.

So first we need to enable the repo called epel, so as the root user:

wget https://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install epel-release-6-8.noarch.rpm

Then in the text editor (I use nano) of your choice edit the repo to disable it (we only want to enable it to download any packages from it, this adds security):

nano /etc/yum.repos.d/epel.repo

and change

enabled=1

to

enabled=0

Now we are going to install fail2ban, we will also need the whois program so fail2ban can query ip whois database:

yum --enablerepo=epel install fail2ban jwhois

now we have our packages installed, we want to copy the config file and use the copy so we have a backup if we mess things up:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

OK we are ready to edit our config file so:

nano /etc/fail2ban/jail.local

I normally leave the the defaults in place. So find the place where ‘[ssh-iptables]‘ is located in the file.
This is already turned on but you will need to alter a few options. A quick review of the basic options are:

enabled : Whether to turn the filter on or off.
filter : Which filter to use located in ‘/etc/fail2ban/filter.d’.
action : The action to take located in ‘/etc/fail2ban/action.d’.
logpath : Where the log to scan is located.
maxretry : the number of times a login attempt can be made before a ban.
bantime : How long the ban will last in seconds.
findtime : The ban is reset if no match is found within “findtime” seconds.

So with that in mind here are some rules for ssh, postfix, courier-imap and proftpd. Change ‘yourdomain.com’ to your actual server domain and ‘user@yourdomain.com’ to your email address you want the whois data sent to.

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=user@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath = /var/log/secure
maxretry = 3
bantime = 43200
findtime = 43200

[postfix-iptables]

enabled = true
filter = postfix
action = iptables[name=Postfix, port=smtp, protocol=tcp]
sendmail-whois[name=Postfix, dest=user@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath = /usr/local/psa/var/log/maillog
maxretry = 6

[courierimap-iptables]

enabled = true
filter = courierlogin
action = iptables-multiport[name=IMAP, port="110,995,143,993"]
sendmail-whois[name=IMAP, dest=user@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath = /usr/local/psa/var/log/maillog
maxretry = 6

[proftpd-iptables]

enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, dest=user@yourdomain.com]
logpath = /var/log/proftpd/auth.log
maxretry = 6

Now edit the following filters:
/etc/fail2ban/filter.d/courierlogin.conf

Change:
LOGIN FAILED, .*, ip=\[\]$

To:
LOGIN FAILED, ip=\[\]$

/etc/fail2ban/filter.d/proftpd.conf. Repalce the failregex with:

failregex = \[\]\s+530$

Because Plesk doesn’t log failed auth attempts in proftpd, we have to make it do so.

/etc/proftpd.conf add:

ExtendedLog /var/log/proftpd/auth.log AUTH auth
LogFormat auth "%v %t \"%r\" [%h] %s"

create ‘proftpd’ directory in ‘/var/log’

mkdir /var/log/proftpd

Create a file in ‘/etc/logrotate.d’

mkdir /etc/logrotate.d/proftpd

and put this in it:

/var/log/proftpd/auth.log
{
weekly
missingok
rotate 7
compress
delaycompress
notifempty
create 640 root adm
sharedscripts
postrotate
# reload could be not sufficient for all logs, a restart is safer
/usr/bin/kill -HUP `cat /var/run/proftpd.pid 2>/dev/null` 2>/dev/null || true
endscript
}

Now restart fail2ban and proftpd:

service fail2ban restart
/etc/init.d/xinetd restart

Now you should have a more secure server. Enjoy!