Mount the /tmp partition with ‘noexec’ and ‘nosuid’ options

On Linux servers (especially web servers) it is recommended to create /tmp as a separate partition and mount it with the ‘noexec’ and ‘nosuid’ options. ‘noexec’ disables the executable file attribute within an entire filesystem, effectively preventing any files within that filesystem from being executed. ‘nosuid’ disables the SUID file attribute within an entire filesystem. This prevents SUID attacks on the /tmp filesystem.
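To confirm which of the two options a mount point actually has, the read-only check below parses a file in /proc/mounts format. It is an added example, not part of the original article; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a mount point for the noexec and nosuid options.
# missing_mount_opts MOUNTPOINT [MOUNTS_FILE]   (function name is hypothetical)
#   MOUNTS_FILE is in /proc/mounts format; default /proc/mounts, "-" = stdin.
#   Prints the missing options; returns 0 = none missing, 1 = some missing,
#   2 = MOUNTPOINT is not a separate mount (it inherits its parent's options).
missing_mount_opts() {
    mp=$1
    mounts=${2:-/proc/mounts}
    # Field 2 is the mount point, field 4 the comma-separated option list.
    # With stacked mounts the last matching line is the one in effect.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
    [ -n "$opts" ] || return 2
    missing=""
    for want in noexec nosuid; do
        # Wrap in commas so an option name only matches as a whole item.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample in /proc/mounts format (not from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,nosuid 0 0
EOF
}

report() {   # report MOUNTPOINT: one-line verdict against the sample above
    if out=$(sample_mounts | missing_mount_opts "$1" -); then
        echo "$1: noexec and nosuid are set"
    elif [ $? -eq 2 ]; then
        echo "$1: not a separate mount"
    else
        echo "$1: missing $out"
    fi
}
report /tmp
report /var
```

On a live server, call `missing_mount_opts /tmp` with no second argument to read /proc/mounts directly.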

WARNING: Various services such as MySQL, Postgres, Plesk and Zend use /tmp as temporary storage. You must STOP these services before carrying out the procedure below. Failing to disable these services may cause major InnoDB database corruption.

1. Stop all services including Plesk, MySQL, Apache, Postgres, SpamAssassin and any other service utilizing the /tmp file system.

2. Copy all of the files in /tmp to a holding directory:

# cp -Rp /tmp /tmp-backup

How to change the default Plesk Control Panel port

By default Plesk uses TCP port 8443 to allow access to the control panel, for example: http://server1.domain.net:8443. For security reasons, it is recommended to change the default port to a non-standard port number such as 6677.

Parallels Plesk Panel versions 7.x – 8.x use the Apache service with the configuration file $PRODUCT_ROOT_D/admin/conf/httpsd.conf. To change the control panel port you need to modify the directives Port, Listen and <VirtualHost *:PORT> in the Apache configuration file for the control panel. Once the file is edited, you must restart the Plesk control panel:

~# /etc/init.d/psa restart
Stopping Plesk...                                                     done
Starting Plesk...                                                     done
~#

Please note that none of the ports (21, 22, 23, 25, 53, 80, 110, 443, etc…) used for the standard web hosting services (Apache, POP, SMTP, MySQL, ProFTPd, BIND) can be used.

Parallels Plesk Panel version 9.x uses sw-cp-server instead of Apache. The configuration file for Parallels Plesk Panel is /etc/sw-cp-server/applications.d/plesk.conf. Find the following line in the file and change the port:

Installing PHP 5.2.x on CentOS

At the time of writing, PHP 5.1.6 is the “current” version shipped with CentOS 5.4. While I’m sure there is a valid (?) reason for CentOS still distributing 5.1, many web developers need 5.2 functionality in their applications to run correctly.

There are two common ways to upgrade CentOS 5.4 to PHP 5.2:

  1. Download, compile and install Apache and PHP from source.
  2. Use yum with the CentOS Testing Repository

Compiling From Source

If you want to install from source, the standard ./configure; make; make install process will work in most cases (actually, if you want to do anything productive, it will be a bit more complicated than this).

While this process affords you the ability to fine-tune your configuration, you lose automatic updates, and any future modifications to the Apache or PHP configuration will most likely require recompilation.

Using yum

Since we’re using CentOS, the best approach is to just go with the native package manager. Like it or not, RPM is a solid package manager which really makes life easy if used correctly. Yum is the front end for RPM management in CentOS.