Skill Level : Beginner

In this post, I will explain how to transfer a website from one cPanel server to other.

Pre Requisites

Server Platform : Linux

User requires     : cPanel and SSH access (root) to at-least the Destination server (where the account is restoring)

The Process

From the Target server, Generate a Full cPanel backup of the account using either cPanel or through root shell access.

(i) By cPanel

Login to cPanel. Go to Files -> Backups

Click “Download or Generate a Full Website Backup”. Choose Backup Destination as “Home Directory” (Make sure you’ve enough Disk Space before you proceed) and a valid E-mail address to notify you once the Backup is generated.

Once the Backup is completed, a mail will arrive on the E-mail you’ve mentioned above (if specified) and the ‘Backups Available for Download’ will be populated with the name of the backup file generated like :

Do you know why the backup generated is the form tar.gz ? Its because, in the tar format all files are preserved with their appropriate permissions and then its compressed to gz (gzip) for obtaining the least possible file size.

The process in the Target server is finished. Now login as Root in the server which requires the account to be restored. We’ve to download the backup file generated there to this server. There are number of ways to do this. Some are weird

Method 1

If you have the cPanel details of that server, you can use it for FTP access. And since the Backup is generated on the Home directory there, its all about downloading the backup.

# root@server [/home]# ftp oldserver.com or IP

Connected to oldserver.com.
220———- Welcome to Pure-FTPd [privsep] [TLS] ———-
220-You are user number 3 of 50 allowed.
220-Local time is now 17:28. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (oldserver.com:root): user
331 User user OK. Password required
Password:
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get backup-6.2.2011_06-23-57_account.tar.gz

This will download the backup. You need root access to restore it. Before you restore you need to check whether there is an account or domain which already exists by the name which you intend to restore.

cPanel script to check whether the domain/account name exists

# grep account /etc/userdomains

Method 2

Generating a cPanel backup through Remote FTP (Passive Mode transfer)

It is possible to generate a Remote backup of the account in a server, where the backup has to be restored. Go to cPanel -> Backups -> Download or Generate a Full website backup. Select the Backup Destination as Remote FTP Server (passive mode transfer). Follow the screenshot :

cPanel script to restore the account

# nice -n 19 /scripts/restorepkg –skipres <username>

For the script to run, the backup should be in any of the following locations in the server :  /, /home, /home2, /home3, /misc, /net, /root, /usr, /usr/home, /var/lib/nfs/rpc_pipefs, /var/tmp, /web

This feature will restore full backups, cPanel backups and cPanel move files in one of the following formats:

cpmove-{USER}
cpmove-{USER}.tar
cpmove-{USER}.tar.gz
USER.tar
USER.tar.gz
backup-{BACKUP-DATE_TIME}_{USER}.tar
backup-{BACKUP-DATE_TIME}_{USER}.tar.gz

Download getmail at http://pyropus.ca/software/getmail/old-versions/getmail-4.20.3.tar.gz

wget http://pyropus.ca/software/getmail/old-versions/getmail-4.20.3.tar.gz
tar xzf getmail-4.20.3.tar.gz
cd getmail*
python setup.py install

Now you have to create a getmailrc , the getmail configuration file inside the home folder of the user. getmailrc need not be inside the home directory. You have to create the folder .getmail where getmail keeps a log of the emails retrieved based on each configuration file you may have.You can have multiple destination and retriever sections in one single getmailrc as well.

I must say getmail is so much flexible and rightly coded when the mailsync or imapsync didn’t do their job right or up to the mark. And is an excellent replacement for fetchmail. It supports POP, POP3S, IMAP4 and IMAPS, and also can store the mails retrieved in mbox or maildir format at the destination.

An extremely simple getmailrc file will look like this

[retriever]
type = SimpleIMAPRetriever
server = mail.domain.com
username = direct@domain.com
password = direct

[destination]
type = Maildir
path = /home/cpusername/mail/.direct@domain_com/

The file format should be pretty self-explanatory. You’re telling getmail to fetch your email from server, mail.domain.com by logging to it using the mentioned username and password. The destination section mentions where to store the retrieved email and in which format (Maildir or mbox or mboxrd). Make sure that the cur, new and tmp are there inside those folder though. However getmail may create those folders automatically though.

Finally to get this going, just run “getmail –rcfile getmailrc”

Once you run it, assuming that the getmailrc is properly configured, you will be welcomed by a below output.

getmail version 4.20.3
Copyright (C) 1998-2009 Charles Cazabon.  Licensed under the GNU GPL version 2.
SimpleIMAPRetriever:direct@domain.com@mail.domain.com:143:
 msg    1/3983 (299328 bytes) delivered
 msg    2/3983 (2815 bytes) delivered

Creating the database user to backup only the cPanel databases, means matching the databases with an underscore (_) in its name and that resulted in this particular SQL command to be executed as root user.

GRANT ALL PRIVILEGES ON `%\_%`.* TO `cpdbbackups`@`re.mo.te.ip` IDENTIFIED BY 'p@ssw0Rd' WITH GRANT OPTION;

Read more about the cPanel’s DB mapping at http://www.cpanel.net/blog/integration/2010/05/more-details-about-db-mapping.html

A domain name points to a computer called a “name server”. The name server knows that your domain name corresponds to your web hosting server’s IP address and it routes the person who typed in your domain name to your web hosting server – to your web site. That is how people anywhere in the world can see your web site by typing your domain name.

In 1992, the National Science Foundation granted an exclusive contract to NSI to be the sole registrar of top level domain names. NSI also had a cooperative agreement with United States Department of Commerce (“DoC”). With no competition, consumers were at the mercy of NSI.

In 1998, NSI and the DoC amended their cooperative agreement to allow for competing registrars. NSI was forced to provide domain name registration to the competing registrars at wholesale prices, rather than the standard $34.99 annual fee. NSI still charges $34.99 per year.

In late 1998, the DoC assigned the responsibility of overseeing the transition to a competitive market for domain names and accreditation of new registrars to a new organization called the Internet Corporation for Assigned Names and Numbers (ICANN).

In 1999, ICANN began taking applications from companies who wanted to become registrars – and then capitalism took over: companies had to compete for business. Prices came down and service improved, however some are better than others. For a more detailed history of this transition, visit www.icann.org/registrars/accreditation-history.htm.

Even with the positive effects of competition in the domain name marketplace, the process of internet domain name registration remains a mystery for many.

There are a lot of companies that want to charge you hundreds of dollars to do the simple task of domain name registration for you. There are some registration companies who will charge you $35 just to register a domain. And there are web site consultants who charge over $100 to do the work for you. But you can do it yourself in about 15 minutes and it can cost as little as $1.99 for a year. If you do some research, learn a little and work smart, you can save yourself some money – and some headaches.

What is Traceroute ?

Traceroute is the program that shows you the route over the network between two systems, listing all the intermediate routers a connection must pass through to get to its destination. It can help you in analyzing why the connections from your end to a server is poor, and can often help you to spot what exactly is the problem. It always shows you how your machine is connected to ISP and ISP to the rest of the network, collectively the connection between your end and server.

When we initiate Traceroute, it sends a sequence of Internet Control Message Protocol (ICMP) packets addressed to a destination host. It passes through a series of intermediate routers, which involves a TTL (Time-to-Live) value. TTL refers to how many routers your packet can go through before its expires. Routers will discard a packet when the TTL has reached zero, returning an ICMP error message Code 11 (ICMP Time Exceeded) to the sender.

Executing traceroute

The only required parameter is the name or IP address of the destination host . The optional packet length is the total size of the probing packet (default 60 bytes for IPv4 and 80 for IPv6).

In Unix machines : traceroute server-name (traceroute supportsages.com)
In Windows machines : tracert server-name (tracert supportsages.com)

We will be discussing in detail about traceroute in IPv4, Unix environment

In general, traceroute can be found in /usr/sbin. So the traceroute command can be also run as

/usr/sbin/traceroute server-name

You can check where traceroute is located using the command :

root@server:~$ which traceroute
/usr/sbin/traceroute

Traceroute main options

traceroute [-m] [-q] [-w]

-m : Specifies the maximum number of hops (max Time-To-Live value). The default is 30.
-q : Sets the number of UDP packets per hop. The default is 3
-w : Set the time (in seconds) to wait for a response to a probe. Default 5 seconds

Reading the Output

When a traceroute command is executed, generally it will go for a maximum of 30 hops. On the Internet, most data packets need to go through several routers before they reach their final destination. Each time the packet is forwarded to the next router, a Hop occurs. The more hops, the longer it takes for data to go from source to destination. So the fewer hops it takes to get your data, the faster your access will be. Such 30 hops are counted when executing a traceroute command.

Syntax of the result of a traceroute command

linx-1.init7.net (195.66.224.175) 252.199 ms 253.216 ms 253.359 ms
(Target Server) (IP address) (RTT 1) (RTT 2) (RTT 3)

Here is the full result of a traceroute command :

root@server:~$ traceroute supportsages.com
traceroute to supportsages.com (188.40.112.243), 30 hops max, 60 byte packets
1  192.168.1.1 (192.168.1.1)  24.361 ms  24.371 ms  24.394 ms
2  ABTS-KK-dynamic-001.0.172.122.airtelbroadband.in (122.172.0.1)  38.161 ms  39.415 ms  40.911 ms
3  ABTS-KK-Static-093.32.166.122.airtelbroadband.in (122.166.32.93)  43.195 ms  43.587 ms  48.054 ms
4  ABTS-KK-Static-009.32.166.122.airtelbroadband.in (122.166.32.9)  48.304 ms  49.512 ms  51.947 ms
5  122.175.255.29 (122.175.255.29)  53.312 ms  55.444 ms  57.223 ms
6  59.145.36.230 (59.145.36.230)  235.823 ms  212.100 ms  212.298 ms
7  linx-1.init7.net (195.66.224.175)  252.199 ms  253.216 ms  253.359 ms
8  r1ams2.core.init7.net (77.109.128.34)  252.791 ms  253.008 ms  255.776 ms
9  r1ams1.core.init7.net (77.109.128.145)  255.973 ms  256.212 ms  256.592 ms
10  r1fra1.core.init7.net (77.109.128.153)  345.600 ms  345.906 ms  346.151 ms
11  gw-hetzner.init7.net (77.109.135.18)  358.110 ms  358.565 ms  358.808 ms
12  hos-bb1.juniper2.fs.hetzner.de (213.239.240.243)  359.089 ms hos-bb1.juniper1.fs.hetzner.de (213.239.240.242)  233.990 ms hos-bb1.juniper2.fs.hetzner.de (213.239.240.243)  233.347 ms
13  hos-tr4.ex3k10.rz10.hetzner.de (213.239.227.235)  235.315 ms hos-tr2.ex3k10.rz10.hetzner.de (213.239.227.171)  233.554 ms hos-tr4.ex3k10.rz10.hetzner.de (213.239.227.235)  242.239 ms
14  main.supportsages.com (188.40.112.203)  235.676 ms  241.867 ms  242.565 ms
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Analyzing the Output

The first line shows the target server, that server’s IP address, the maximum number of hops that will be allowed, and the size of the packets being sent. The following line for each system or router in the path between your machine and the target server. Each line shows the name of the server (as determined from DNS, if it cannot perform a Reverse DNS, only the IP address is shown), the system’s IP address, and three Round Trip Times (RTTs) in milliseconds. These RTTs shows the time it took a packet to get from your machine to the server and back again, called the latency between the two systems. By default, three packets are sent to each system along the route, so it shows three RTTs.

Understanding the issues

1) Some times the output may have one or two of the RTTs missing

linx-1.init7.net (195.66.224.175) 252.199 ms * *

In this case, the server is up and responding, but for some reason it did not respond to the second and third packets. This does not necessarily indicate a problem; in fact, it is usually normal, and just means that the system discarded the packet for some reason. These are most often computers, rather than dedicated routers. Systems running Solaris routinely show an asterisk instead of the second RTT.

It’s important to remember that timeouts are not necessarily an indication of packet loss.

2) Sometimes you will see an entry with just an IP address and no server name :

77.109.128.153 255.973 ms 256.212 ms 256.592 ms

This simply means that a reverse DNS lookup on the address failed, so the name of the server could not be determined.

3) If your traceroute ends in all timeouts, like this:

12 gw-hetzner.init7.net (77.109.135.18) 358.110 ms 358.565 ms 358.808 ms
13 * * *
14 * * *
15 * * *

This means that the target host could not be reached. Precisely, it means that the packets could not reach there and back. They may actually be reaching the target system but encountering problems on the return. This is possibly due to some kind of problem, but it may also be an intentional block due to a firewall or other security measures, and the block may affect traceroute but not real server connections.

After the trip time, some additional annotation can be printed

!H Host unreachable

!N Network unreachable

!P Protocol  unreachable

!S  Source  route failed

!F Fragmentation needed

!X Communication administratively prohibited

!V Host precedence violation

!C Precedence  cutoff  in effect

!<num>  ICMP unreachable code <num>.

If almost all the probes result in some kind of unreachable, traceroute will give up  and exit.

How it Works

As mentioned earlier, Routers will discard a packet when the TTL has reached zero, returning an ICMP error message Type 11 (ICMP Time Exceeded) to the sender. This is the basic principle behind Traceroute command. This ICMP error message will give more information about each hop in the path.

root@server:~$ traceroute supportsages.com
traceroute to supportsages.com (188.40.112.243), 30 hops max, 60 byte packets
1  192.168.1.1 (192.168.1.1)  24.361 ms  24.371 ms  24.394 ms
2  ABTS-KK-dynamic-001.0.172.122.airtelbroadband.in (122.172.0.1)  38.161 ms  39.415 ms  40.911 ms
3  ABTS-KK-Static-093.32.166.122.airtelbroadband.in (122.166.32.93)  43.195 ms  43.587 ms  48.054 ms
4  ABTS-KK-Static-009.32.166.122.airtelbroadband.in (122.166.32.9)  48.304 ms  49.512 ms  51.947 ms
5  122.175.255.29 (122.175.255.29)  53.312 ms  55.444 ms  57.223 ms
6  59.145.36.230 (59.145.36.230)  235.823 ms  212.100 ms  212.298 ms
7  linx-1.init7.net (195.66.224.175)  252.199 ms  253.216 ms  253.359 ms
8  r1ams2.core.init7.net (77.109.128.34)  252.791 ms  253.008 ms  255.776 ms
9  r1ams1.core.init7.net (77.109.128.145)  255.973 ms  256.212 ms  256.592 ms
10  r1fra1.core.init7.net (77.109.128.153)  345.600 ms  345.906 ms  346.151 ms
11  gw-hetzner.init7.net (77.109.135.18)  358.110 ms  358.565 ms  358.808 ms
12  hos-bb1.juniper2.fs.hetzner.de (213.239.240.243)  359.089 ms hos-bb1.juniper1.fs.hetzner.de (213.239.240.242)  233.990 ms hos-bb1.juniper2.fs.hetzner.de (213.239.240.243)  233.347 ms
13  hos-tr4.ex3k10.rz10.hetzner.de (213.239.227.235)  235.315 ms hos-tr2.ex3k10.rz10.hetzner.de (213.239.227.171)  233.554 ms hos-tr4.ex3k10.rz10.hetzner.de (213.239.227.235)  242.239 ms
14  main.supportsages.com (188.40.112.203)  235.676 ms  241.867 ms  242.565 ms
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

In the first step, an ICMP request was sent from the router (Here it is 192.168.1.1) to 188.40.112.243 with TTL 1. Since the server was not directly connected to the router, an ICMP Error message, Code 11 (TTL Exceeded) was returned along with it’s source address. It is clear that the very first hop to 188.40.112.243 is from our local router. Thus the router IP (192.168.1.1) is shown along with three RTTs.

Traceroute will always search for a Server Name, if possible. So the server name is displayed along with its IP address (if it cannot perform a Reverse DNS, the IP addres is only shown)

Traceroute will again send 3 more packets, with  TTL 2. The same thing will happen, the next router will respond with its IP address and RTTs. This will go on until the target server or maximum hop count is reached. If the target server is reached, the ICMP Code 0, Echo Reply will be sent and thus Traceroute knows the job is finished. In this case the target server is reached well before the maximum hop counts. So what we saw is a successful traceroute attempt. No issues at all !

The image explains it all – A series of Routers are skipped for the sake of representation

http://www.mediacollege.com/internet/troubleshooter/traceroute.html

http://www.exit109.com/~jeremy/news/providers/traceroute.html

http://www.akmos.com/support/techsupport/traceroute.html

http://www.ehow.com/how_6468192_understand-traceroute-output.html

http://mellowd.co.uk/ccie/?p=609

The praises can be sung without a pause but its better I stop the boasts here and get down to the original topic.  I’m going to explain, step-by-step, on how to accomplish this task. It’s actually very simple, but it might take quite some time depending on how good a techy you are. To begin with, head on over to Google and sign up for an account. I am siting the link below where you can do this :

http://www.google.com/apps/intl/en/business/index.html

In the above page click on the ‘ Apps Editions ‘ tab and you will be able to view different schemes they offer, from which you will be able to select the one which suits you the most. For most of us, the standard edition offered by Google is more than enough. However, they do offer a “Premier edition” if your needs exceed the services of the free accounts. In addition to the Standard edition and Premier edition there are  Educational schemes, Govermental schemes etc etc. Once you choose the package required you will be directed to a page with a blue colored ‘ Get started ‘ tab on the right most top corner of the page. This is your key, click on it and you are on your way to setting Google apps for your domain. I am going to list  everything step by step from here on in a detailed manner.

Step I : Tell them your registered Domain name.

In the very first step you need to provide your domain name as prompted. Obviously enough you should possess a registered domain or you can buy a new domain name through Google which automatically sets everything up for you. You also need to verify that you own the domain or if you are a member of the domain.

Step II : Tell them who you are.

Fill in all of your contact information. At least make sure that you fill in all the boxes which have an aestrics symbol (*) to the right of the label with proper and valid information. If you don’t provide the required information, you will receive an error when you submit the form.
An important thing that you should be absolutely sure of before filling up the form is that you are able to edit your server’s DNS zone files. If you cannot edit your DNS zone files, do not proceed. You will have to enter MX records pointing to the Google mail servers in your DNS configuration. Signing up for the Google Apps account is useless if you’re not going to be able to modify your server appropriately to have the e-mail go where it’s intended.

The screenshot above was limited by my monitor boundaries, but you will be able to see the ‘ Continue ‘ tab at the bottom of your screen. Click this and you are on step III.

Step III : Create your first administrator account.

Create your first e-mail account. This e-mail account will be used as the administrative account for the Google Apps services.

Below this you will be able to see the terms and conditions, which mostly contains the usual stuff but still worth a read, where you should click on the ‘ I accept. Continue with setup ‘ tab to proceed to the next step.

Step IV : Verify Domain Ownership.

The next step in the process is to prove to Google that you own and have administrative rights to the domain you chose.

Here you will have an option to do it later, but sooner the better. Once you choose the option to continue you will be prompted for the password you chose in the previous step.
You have three options to prove that you own the domain. The first option is to modify your DNS entries to add a unique CNAME record. Next option is to add a meta tag to your site’s home page.  The last option is to simply create and upload an HTML file to your Web server. Okay now there is no reason for you to panic from hearing all the complex terms, all you need to do is click on these options and viola, all the information you need on ‘How to’ gets detailed (or rather spoon fed) right on the screen.

As you can see the screenshot above you will have a drop down menu for a list of domain registrars among which you can choose yours and do as instructed. Otherwise you can simply choose the ‘ Others ‘ option from the drop down menu and follow the simple set of instructions which gets listed.
This will look somewhat like the following :

<<

A TXT record is an entry within the Domain Name System (DNS) that provides supplemental information about your domain. You can create a TXT record that proves to Google that you own the domain.

1. Add the TXT record below to the DNS configuration for your-domain.com.
google-site-verification=Zy5aERjpb4-T1S0Ig36pGuHDOE5MycRBGsVmCtVeTLY
2. Click verify below.
When Google finds this DNS TXT record, we’ll make you a verified owner of the domain. (Note: DNS changes may take some time. If we don’t find the record immediately, we’ll check for it periodically.)
Leave the TXT record in place even after verification succeeds.

>>

For adding the TXT record in the DNS zone log into your domain control panel and choose the edit DNS zone option. The name of the option might vary between control panels, but they provide the same functionalities. I am pasting yet another screenshot which might help you through this simple process.

NOTE : For the rest of the article I will be siting examples and providing screenshots only from, and in reference to, the cPanel. But it will not be difficult to figure out how it is done in other control panels once you get an idea on what we are doing here.

You can see that I simply pasted the text mentioned in the instructions. After doing this you can click on ‘Verify‘ which will, quite obviously, verify if the entry is made and thereby confirming your authority over the domain.

IFS or Internal Field Seperator holds the value which seperates the various entities. This can be file names, values read into a script by read etc. It is the character or characters designated as whitespace by the operating system.

The IFS is set to the newline and space character. The global variable $IFS stores the value. To view the exact value stored in IFS execute:

echo "$IFS" | cat -vTE
 ^I$
$

Running echo “$IFS” will not give you any visible output (after all, you are going to see a space and a newline). cat -vTE displays non printable characters , tabs as ^I and ends each line with a $ sign.

In a script which utilises filenames (with spaces), it is always preferable to change the IFS to include only the newline character opposed to the default space and newline character. Lets check out one such script which accepts filenames wih spaces. This scripts simply prints the file names in your current directory. (Remember to create some files in your currenct directory which has spaces. You may try the same script removing the lines with the IFS variable in reference to see the difference)

#!/bin/bash
OIFS=$IFS # Original IFS

IFS=$(echo -en "\n\b") # New IFS

for fil in $(ls -1 $PWD); do
	echo $fil
done

IFS=$OIFS # Restore earlier IFS

IFS can also be used to read files with lines sepearated by a special character. For example in the /etc/passwd, to store the various entries like username, homedirectory etc.

The following script uses the while construct to determine the users who have the shell portion as /bin/false

#!/bin/bash

OIFS=$IFS
IFS=':'

while read username password userid groupid comments homedir shell_avail
do
	if [[ $shell_avail == /bin/false ]]; then
                echo "$username has no shell"
        fi

done < /etc/passwd
IFS=$OIFS

In the above script each of the 7 portions of the /etc/passwd file is assigned to the 7 variables
username password userid groupid comments homedir shell_avail with the read command. The if portion in the script compares the seventh variable – shell_avail to /bin/false to determine the username and outputs it.

From now on you can use the IFS variable for all those files with spaces and extracting values separated by a special character.

Attackers after getting access to a server, will install a rootkit to hide their identity and run desired scripts anywhere within the server. It makes the life of a hacker easy once installed. Rootkits are not easily detectable. Sometimes, if the rootkit is one of the latest ones without a diagnosis, the server will have to be rebuild from scratch.

A rootkit will have multiple applications for cracking the entire server, some of them are:

Server Access Applications (Back door application)
These applications will create a backdoor to log in to the hacked system without using the exploit again.

Log clearing Applications
These applications clear the logs of the events performed by the hacker or the applications used. They all the associated log files in the server.

Packet sniffing Applications
These applications monitor the data through the various interfaces in the server at particular ports.

Malicious Scripts
Many scripts will be installed like IRC bots, ddos daemons, spam servers, trojans, worms etc.

There are mainly two kinds of root kits. The application rootkit and the kernel rootkit.

Application rootkits
These rootkits mimic a particular application and will hide the attackers files/processes from being revealed by the original application. To illustrate, a rootkit ls application will perform all the task of a normal ls but will not display any of the files of the attacker. Other application rootkits will create backdoors for unauthorised access, packet sniffers etc which go undetected or are hidden by renaming. Application rootkits are the most common.

Kernel rootkits
Kernel rootkits modify the kernel and apply patches to the kernel and device drivers. They also hide the applications and files of the attacker. As antivirus and other applications run beneath the kernel, they are the most undetectable rootkits.

‘Prevention is better than cure’ – as this saying goes, it is always better to keep the system secure and updated when ever possible to stop these installations. There are some applications which help detect any known rootkits running in the system. One such is the chkrootkit.

chkrootkit is one of the popular rootkit detectors (an anti-rootkit) and it is know to detect common rootkits on unix/linux servers. chkrootkit relies on basic string processing techniques to determine the presence of rootkits. It scans specific sytem files and binaries targeted by rootkits for known signatures.

The following are the instructions to install chkrootkit version 0.49 in a server.

cd /usr/local/

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5

md5sum -c chkrootkit.md5 # to check if the downloaded file is intact

tar -xzf chkrootkit.tar.gz

cd chkrootkit-0.49/

make sense

./chkrootkit

chkroootkit will check all the files and display the status of the files analysed. This information may be logged for future reference. For this a cron job may be setup to be run at least once a month.

Inserting an entry like the one below into the systems cron tasks (executed atleast once a month) will send the report of the chkrootkit vulnerabilities to the administrator conserned.

/usr/local/chkrootkit-0.49/chkrootkit | mail -s "chkrootkit report $(date +%d/%m/%y)" "admin@domain.com"

Postgres is one of the best open-source database alternative which is fully object oriented and transactions compliant. It has stored procedures, multiple views and a huge set of datatypes. Some of the other notable features are as follows.

Objects and Inheritance

Database consists of objects and the database administrators can design custom or user-defined objects for the tables. Inheritance is another feature. Tables can be set to inherit their characteristics from a “parent” table.

Functions

Functions can be used in Postgres. These can be written in the postgres’ own procedural language called ‘PL/pgSQL’ which resembles Oracle’s procedural language ‘PL/SQL’ or any other common scripting languages which support posgtres’ procedural language like PL/Perl, plPHP, PL/Python, PL/Ruby etc. Run the following in the psql client to determine if functions is enabled:

SELECT true FROM pg_catalog.pg_language WHERE lanname = 'plpgsql'; 

To create user-defined functions we use the CREATE OR REPLACE FUNCTION command. Example:

CREATE OR REPLACE FUNCTION fib (

fib_for integer

) RETURNS integer AS $$

BEGIN

IF fib_for < 2 THEN

RETURN fib_for;

END IF;

RETURN fib(fib_for - 2) + fib(fib_for - 1);

END;

$$ LANGUAGE plpgsql;

Indexes

An index is like a summary of a certain portion of the table. It is an optimization technique which increases speed of accessing records from a database. PostgreSQL supports indexes like Btree, hash etc. User-defined index methods can also be created. Indexes are created on tables with respect to a particular field (based on which there are a number of queries). As an example for a table:

CREATE TABLE name (

id integer,

fname varchar

lname varchar

);

To create an index on table name with respective to the field id (as there are many queries on this table requesting for firstname or lastname from the id provided), we use the index:

CREATE INDEX name_id_index ON name (id);

Triggers

Triggers are events or functions run upon the action of certain SQL statements which modify data in some records. Depending on the kind of modification we can have multiple triggers in a database. Postgres supports multiple triggers written in PL/PgSQL or it’s scripting counterparts like PL/Python. The trigger function must be defined before the trigger can be created. The trigger function must be declared as a function taking no arguments and returning type trigger. CREATE TRIGGER command is used to declare triggers.

Concurrency

PostgreSQL ensures concurrency with the help of MVCC (Multi-Version Concurrency Control), which gives the database user a “snapshot” of the database, allowing changes to be made without being visible to other users until a transaction is committed.

PostgreSQL’s MVCC keeps all of the versions of the data together in the same partition in the same table. By identifying which rows were added by which transactions, which rows were deleted by which transactions, and which transactions have actually committed, it becomes a straightforward check to see which rows are visible for which transactions.

Inorder to accomplish this, Rows of a table are stored in PostgreSQL as a tuple. Two fields of each tuple are xmin and xmax. Xmin is the transaction ID of the transaction that created the tuple. Xmax is the transaction ID of the transaction that deleted it (if any).

Along with the tuples in each table, a record of each transaction and its current state (in progress, committed, aborted) is kept in a universal transaction log.

When data in a table is selected, only those rows that are created and not destroyed are seen. That is, each row’s xmin is observed. If the xmin is a transaction that is in progress or aborted, then the row is invisible. If the xmin is a transaction that has committed, then the xmax is observed. If the xmax is a transaction that is in progress or aborted and not the current transaction, or if there is no xmax at all, then the row is seen. Otherwise, the row is considered as already deleted.

Insertions are straightforward. The transaction that inserts the tuple simply creates it with the xmax blank and the xmin set to its transaction ID. Deletions are also straightforward. The tuple’s xmax is set to the current transaction. Updates are no more than a concurrent insert and delete.

Views

A view is a table which does not exist in the database. It is a virtual table created from fields in various tables and is joined together based on some criteria. Views can be used in place of tables and will accomplish the task same as that of a table. The CREATE VIEW statement is used to accomplish this eg:

CREATE VIEW best_sellers AS

SELECT * FROM publishers WHERE demand LIKE 'high';

Foreign Keys

The primary key used in one table which is used to refer to the records in a second table is called the foreign key of the second table.

CREATE TABLE products (
    product_no integer PRIMARY KEY,
    name text,
    price numeric
);
CREATE TABLE orders (
    order_id integer PRIMARY KEY,
    product_no integer REFERENCES products (product_no),
    quantity integer
);

Here product_no is the foreign key in the second table created. The foreign key field may have values which are repeated unlike primary keys.

Files Users and Configuration

The main configuration file of Postgres is postgresql.conf. This can be located in the ‘data’ directory. It may be present either in /var/lib (/var/lib/pgsql/data/postgresql.conf) or /usr/local (/usr/local/pgsql/data/postgresql.conf). Temporary changes to the configurations can be made using postmaster command.

The init script that starts the postgres service is /etc/init.d/postgresql . It runs a number of child processes concurrently. The postgres server process is postmaster. These processes and files associated with PosgreSQL are owned by the user/group postgres. The default port used for database connections is 5432

The user postgres is the PostgreSQL database superuser. We can create a number of super users for the database (this accomplished by the create role command ), however, the default super user is postgres. The postgres user has the privilege to access all the databases and files in the server (Unless the user root is created in postgres as a superuser).

Client Authentication is controlled by the file pg_hba.conf in the data directory, e.g., /var/lib/pgsql/data/pg_hba.conf. (HBA stands for host-based authentication.)

Each record specifies a connection type, a client IP address range (if relevant for the connection type), a database name or names, and the authentication method to be used for connections matching these parameters.A record is typically in one of two forms:

local database authentication-method [ authentication-option ]

host database IP-address IP-mask authentication-method [ authentication-option ]

local : This record pertains to connection attempts over Unix domain sockets.

host : This record pertains to connection attempts over TCP/IP networks.

database : Specifies the database that this record applies to. The value all specifies that it applies to all databases, while the value sameuser identifies the database with the same name as the connecting user.

authentication methods

trust: The connection is allowed unconditionally.

reject: The connection is rejected unconditionally.

password: The client is required to supply a password which is required to match the database password that was set up for the user.

md5: Like the password method, but the password is sent over the wire encrypted using a simple challenge-response protocol.

ident: This method uses the “Identification Protocol” as described in RFC 1413. It may be used to authenticate TCP/IP or Unix domain socket connections, but its reccomended use is for local connections only and not remote connections.

Front-ends

The minimalistic front-end for PostgreSQL is the psql command-line. It can be used to enter SQL queries directly, or execute them from a file. phpPgAdmin is a web-portal used for PostgreSQL administration written in PHP and based on the popular phpMyAdmin. Likewise pgAdmin is a graphical front-end administration tool for PostgreSQL, which has support on multiple platforms. The latest stable version of the same is pgAdmin III.

Some administration related commands

Command to login to psql database mydb as user myuser:

psql -d mydb -U myuser

Command to login to psql database mydb as user myuser on a different host myhost:

psql -h myhost -d mydb -U myuser

If the port the server runs is different we use -p [port number] . Upon entering the psql shell the prompt will show the database name currently being used. In the above example it will show

mydb=> (if logged in as an ordinary user )

mydb=# (if logged in as a super user like postgres)

Create a PostgreSQL user

There are two ways to create a postgres database user. The only user initially allowed to create users is postgres. So one has to switch to this user before creating other users with varying privileges.

1. Creating the user in the shell prompt, with createuser command.

switch to the postgres user with:

su - postgres

createuser tom

Shall the new role be a superuser? (y/n) n

Shall the new role be allowed to create databases? (y/n) y

Shall the new role be allowed to create more new roles? (y/n) n

2. Creating the user in the PSQL prompt, with CREATE USER command.

switch to the postgres user with:

su - postgres

create user mary with password 'marypass';

Creating and deleting a PostgreSQL Database

There are two way to create databases.

1. Creating database in the PSQL prompt, with createuser command.

CREATE DATABASE db1 WITH OWNER tom;

2. Creating database in the shell prompt, with createdb command.

createdb db2 -O mary

To delete an entire database from within the psql prompt do :

DROP DATABASE db1;

Determining execution time of a query

Turn on timing with

\timing

Now execute the qery:

SELECT * from db1.employees ;

Time: 0.065 ms

Calculate postgreSQL database size in disk

SELECT pg_database_size('db1');

to get the values in human readable format

SELECT pg_size_pretty(pg_database_size('db1'));

to calculate postgreSQL table size in disk

SELECT pg_size_pretty(pg_total_relation_size(‘big_table’));

Slash commands used in psql

To list all slash commands and thier purpose. Login to psql and issue to the command \? . Some of the most commonly used slash commands are the following:

The below can be used with a specific table/index/view name for description of the specific table/index/view

Useful Bash commands

Bash command to list all the postgresql databases:

psql -l #This can be run as a unix user who is also a super user in postgresql

Indirect bash command to list all the postgresl users:

psql -c '\du' #-c is used to run an internal or sql command in psql shell

Backing up and restoring databases

To dump the database to an sql file use the bash command:

pg_dump mydb > db.out

To restore a database from an sql backup file (via bash)

psql -d newdb -f backupdb.out

or

psql -f backupdb.out newdb

(here the database newdb must be already created and the file backupdb.out must be present in the current directory)

To take the backup of all the Postgres databases in the server:

pg_dumpall > /var/lib/pgsql/backups/dumpall.sql

(Only possible with the postgres or the database superuser )

Resetting database user’s password

To change the password for a database user (say ‘thomas’):

ALTER USER thomas WITH PASSWORD 'newpassword';

This same command can be used to reset the password for the postgresql super user postgres, but in this case, you will have to enable password less login for postgres user by adding the following line to the top of the file pg_hba.conf in the data directory of postgres. Once the password is reset this line can be removed:

local	all	postgres	trust

Next we issue the same command but for the user postgres

ALTER USER postgres WITH PASSWORD 'newpassword';

To create a super user via bash with multiple roles

createuser -sPE mysuperuser

Instead of this we can also use the below psql shell command:

CREATE ROLE mysuperuser2 WITH SUPERUSER CREATEDB CREATEROLE LOGIN ENCRYPTED PASSWORD 'mysuperpass2';

Physical database files in postgres

The files in data/base are named by the oid (Object Identifier) of the database record in

pg_database, like this:

cd /var/lib/pgsql/data/base

ls -l

total 33

drwx------ 22 postgres postgres 4096 Jul 23 20:06 ./

drwx------ 11 postgres postgres 4096 Aug  1 05:59 ../

drwx------  2 postgres postgres 4096 Jun 20 09:32 1/

drwx------  2 postgres postgres 4096 Mar  3 13:36 10792/

drwx------  2 postgres postgres 4096 Jun 20 15:09 10793/

drwx------  2 postgres postgres 4096 May 27 01:40 16497/

drwx------  2 postgres postgres 4096 May 27 01:40 16589/

drwx------  2 postgres postgres 4096 Jun 20 10:28 16702/

drwx------  2 postgres postgres 4096 May 27 01:40 16764/

drwx------  2 postgres postgres 4096 May 27 01:40 16785/

drwx------  2 postgres postgres 4096 Aug  1 04:37 16786/

drwx------  2 postgres postgres 4096 Aug  1 04:36 19992/

drwx------  2 postgres postgres 4096 May 27 01:40 19997/

To obtain the oid, execute the following command in psql prompt

postgres=# select oid,datname from pg_database order by oid;

   oid  |         datname

---------+--------------------------

1 | template1

10792 | template0

10793 | postgres

16497 | gadgetwi_Unable

16589 | vimusicc_filehost

16702 | personea_altissimo

16764 | shopping_businessfinance

16785 | ansonyi_wp2

16786 | ansonyi_wp

19992 | globook_PostgreSQL

In the protocol stack used in the internet. The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP.

The SSL protocol includes two sub-protocols:
1) SSL record protocol
2) SSL handshake protocol

The SSL record protocol defines the format used to transmit data. The SSL handshake protocol involves using the SSL record protocol to exchange a series of messages between an SSL-enabled server and an SSL-enabled client when they first establish an SSL connection.

Now SSL for the layman
SSL basically creates an encrypted communication channel between the two parties involved in the communication. For a third person involved in the middle of this communication channel, the data seems to be garbled.

Suppose Alice (A, the browser) wishes to communicate with Bob (B, the server) then the exact steps that takes place inorder to begin the encrypted communication are:

1) A -> B hello
Alice contacts Bob and requests for a private communication (request for an https link at port 443)

2) B -> A Hi, I’m Bob, bobs-certificate
Bob send back to Alice his certificate. A certificate authenticates that it is Bob who is actually communicating with Alice. It is like a unique ID card displayed.

3) A -> B prove it
Alice requests Bob to prove his identity.

4) B -> A Alice, This Is bob { digest[Alice, This Is Bob] } bobs-private-key
Bob sends back a message and its digest encrypted with his private key. This step can also be like sending a document with a digital signature (when you have Alice’s public key).

5) A -> B ok bob, here is a secret {secret} bobs-public-key
Alice sends back to Bob some secret. Usually a session key encrypted using Bob’s public key obtained from his certificate

6) B -> A {some message,MAC}secret-key
Next Bob generates a secret key from Alice’s secret (earlier step) and sends back to Alice the real message and its MAC encrypted with this secret key. This is actually the encrypted website.

Terminologies

Certificate
This is actually bobs public key containing document which is digitally signed by a certificate issuer’s private key (like Verisign). In this process Verisign gets all the necessary documents to verify that Bob’s identity is correct and it gets Bob’s public key (and some other data like certificate expiry period, Bobs identity) and encrypts it with its own private key. Now Verisign’s public key comes built-in along with every browser (so that the browser can get bobs public key from within it).

Digest
Digest or more appropriately Message Digest is like a summary of the actual message or a portion of the message. The digest of a message is is unique for every unique message, it is a one way function such that obtaining the digest, it is never possible to recover the original message (This does not involve using any key in the process). Message Digest always appears with the original message. Upon reception of this Message and its digest at the receiver’s end, the receiver can once again calculate the digest from the original message and verify the integrity of the message.

Digital signature
Let Bob send a document to Alice which is digitally signed. For this Bob must have Alice’s public key and Alice must have Bob’s public key.Bob takes the document, encrypts it first with Alice’s public key and next with its own private key(Bob’s)

B -> A [{message}alices-public-key ]bobs-public-key

Session Key
The only secret which is communicated using public key encryption is a session key. Now the session key is chosen from the ‘secret’ that the parties accept. the session key could be the secret itself or a portion of the secret or the result when the secret is passed through a previously agreed algorithm. The SSL encrypted communication does’t necessary have to be created using a public key encryption technique (This uses a lot of overhead, i.e. processing and time), it may be simple symmetric cypher(less overhead) using this session key once agreed upon. There are a variety of cypher suites available (IDEA Blow-fish RSA DES MD5 KEA) and both the parties may choose some encryption technique based on the protocol used (SSL1.0 SSL2.0 TLS etc)

MAC
MAC or Message Authentication Code is similar to the Message Digest we have discussed. It is used to verify the integrity of the Message.

MAC := Digest[ some message, secret ]

Files associated with SSL

CSR
CSR or Certificate Signing Request is a string of text generated by the server. This file is sent to the SSL vendor while purchasing an SSL. In the process of generating your CSR, you provide a number of details regarding the domain being registered. Excerpts of text from all these are taken to generate your private key. This private key is present only within the server and nowhere else. The content of the CSR basically contains the public key along with all the details you have used. You get this as domain.com.csr or domain_com.csr.

CA bundle
CA (Certificate Authority) bundle file is one which contains the public key of the Certificate Issuer (Like Verisign’s public key). Usually this is not required while installing the SSL and most browsers will have this detail in advance to decrypt the SSL certificate (the CRT file) from the server. You get this as domain.com.cabundle or domain_com.ca-bundle.

CRT
This is the actuall SSL certificate as obtained from the SSL vendor. It is a file (containing the public key of the domain secured with SSL and other details like the expiry date, owner information, address etc of the SSL) which is encrypted with the private key of the SSL vendor (Digitaly signed by the SSL vendor). You get this as domain.com.crt or domain_com.crt .

Key file
This is the file which holds your private key (strictly confidential material). The file will have the RSA private key as generated by your server software. You get this as customcardsplus.com.key or customcardsplus_com.key. This file is not usually send to your SSL vendor unlike the CSR. You get this as domain.com.key or domain_com.key .

SSL in a cPanel server
Any service can be secured in a communication channel which is encrypted with SSL. Each of this service on the encrypted channel will be on a different port. Some of them are as follows:

A domain served as a secure webpage will require a dedicated IP (in a shared environment). SSL protocol is designed to use IP-based mapping. SSL does not support host headers. Therefore, you should have a unique IP address assigned to your secure site. These pages are served from the port 443. Let us examine the configuration of such a website in the apache’s config file /usr/local/apache/conf/httpd.conf.

Every website (in our example domain.com with username: doma) enabled with SSL has a unique set of directives in the VirtualHost section for the 443 port as:

<VirtualHost 266.11.208.293:443\> Dedicated IP of the domain

ServerName domain.com #Domain name secured with SSL
ServerAlias www.domain.com

DocumentRoot /home/doma/public_html

ServerAdmin webmaster@domain.com
UseCanonicalName off
CustomLog /usr/local/apache/domlogs/domain.com combined

CustomLog /usr/local/apache/domlogs/domain.com-bytes_log "%{%s}t %I .\n%{%s}t %O ."
ScriptAlias /cgi-bin/ /home/doma/public_html/cgi-bin/
SSLEngine on #This directive enables the SSL on this domain
SSLCertificateFile /etc/ssl/certs/www.domain.com.crt #Location of CRT file
SSLCertificateKeyFile /etc/ssl/private/www.doma.com.key #Location of Private key
SSLCACertificateFile /etc/ssl/certs/www.domain.com.cabundle #Location of CAbundle file
CustomLog /usr/local/apache/domlogs/domain.com-ssl_log combined #Log specific for the SSL served webpage
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

<Directory "/home/doma/public_html/cgi-bin">
SSLOptions +StdEnvVars #This directive will pass mod_ssl environment variables to the server scripts.
</Directory>

</VirtualHost>

Some times the directive SSLCertificateChainFile is used in place of SSLCACertificateFile. The minimal addition you will have to make to enable SSL in your httpd.conf file is:

<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

There are two locations where you are likely to find the SSL related files in your cPanel server. Usually the crt, key and the ca bundle are present in the home directory of the user in /home/username/ssl/, if it was installed using the client’s cpanel. However if the WHM was used instead to install the same, you will find it in /etc/ssl/. In either of these locations you will find two directories: certs/ and private/. certs contain the crt and cabundle while the private contains the keys.

Now you know how ssl works in your server, Any more questions? just comment!