Saturday, November 13, 2010

OpenVPN and Virtuozzo VPS

To route client traffic through the server, add the following rule to iptables:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -j SNAT --to-source real_server_ip

The server config may look like this:
mode server
tls-server
daemon
server 10.8.0.0 255.255.255.0
port 1194
proto tcp
dev tun0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
client-config-dir /etc/openvpn
push "redirect-gateway"
push "dhcp-option DNS 87.118.х.х"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
client-to-client
comp-lzo
persist-key
persist-tun
verb 3
log-append openvpn.log

Tuesday, May 25, 2010

How can I change/repair my Admin account if the password got lost?

Symptoms

If some of the following messages appear:


Unable to connect to database

login.php3: Unable to connect to database: Permission denied

ERROR 1045: Access denied for user: 'admin@localhost' (Using password: YES)

Then you can use the following solutions to resolve the issue. The example shown below is for RedHat-like operating systems (RedHat, CentOS, Fedora Core). On other operating systems, the paths to the mysql binaries may differ.

Resolution

1. First try to restart Parallels Plesk Panel:

# /etc/init.d/psa restart

2. Check that the /etc/psa/.psa.shadow file has valid permissions. The right permissions are:

# ls -la /etc/psa/.psa.shadow
-rw------- 1 psaadm psaadm 5 Feb 26 11:22 /etc/psa/.psa.shadow

If the permissions are different, change them with the following commands:

# chown psaadm:psaadm /etc/psa/.psa.shadow
# chmod 600 /etc/psa/.psa.shadow

3. Check that the MySQL server is running and working properly using the "ps ax | grep mysql" command. For example:

# ps ax | grep mysql
7996 ? S 0:00 /bin/sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
8022 ? S 0:14 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking

If you get output like this, the MySQL server is already running.

To check that the MySQL server is working, try to access the mysql console. For example:

# mysql -uadmin -p`cat /etc/psa/.psa.shadow` -D psa
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1299 to server version: 3.23.54

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

Usually the following error message appears:

ERROR 1045: Access denied for user: 'admin@localhost' (Using password: YES)

If you cannot log into MySQL using the command prompt detailed above, the following solution will help you repair the admin account password.

4. In the newest versions of Parallels Plesk Panel, the password can be restored using the "ch_admin_passwd" utility.

# /usr/local/psa/admin/sbin/ch_admin_passwd --help
/usr/local/psa/admin/sbin/ch_admin_passwd: Utility to set Plesk adminstrator's password
Gets password from the environment variable PSA_PASSWORD
Password should be from 5 to 14 symbols and should not contain login name, whitespace, quotes or national characters

Usage: /usr/local/psa/admin/sbin/ch_admin_passwd

-h, --help
display this help and exit

To change the password, use a command like the following one:

# export PSA_PASSWORD='NEW_PASSWORD' ; /usr/local/psa/admin/sbin/ch_admin_passwd; unset PSA_PASSWORD

Replace NEW_PASSWORD with the desired password for the Parallels Plesk Panel administrator.

If your version of Parallels Plesk Panel does not have this utility, the password can be synchronized manually:

a) Start MySQL with the 'skip-grant-tables' option by adding skip-grant-tables to the [mysqld] section of the /etc/my.cnf file.

b) Restart MySQL with the following command:

# /etc/init.d/mysqld restart

c) Add the new password to the /etc/psa/.psa.shadow file.

d) Repair the password using the following command:

# /usr/bin/mysql -D mysql -e"update user set password=PASSWORD('`cat /etc/psa/.psa.shadow`') where User='admin';"

e) Remove the skip-grant-tables option from /etc/my.cnf.

f) Restart MySQL.
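Two of the checks in this procedure are easy to get wrong by hand: the permissions on /etc/psa/.psa.shadow (step 2) and the password rules that ch_admin_passwd prints (5 to 14 characters, no login name, whitespace, quotes or national characters). The following Python is an added example, not Plesk's own code: it audits the shadow file's mode and ownership against the values the article shows (psaadm:psaadm, 0600) and validates a candidate password against the printed rules. "National characters" is interpreted here as any non-ASCII character, which is an assumption.

```python
import os
import pwd
import grp
import stat

# Policy values taken from the ch_admin_passwd --help text quoted above.
PASSWORD_MIN_LEN = 5
PASSWORD_MAX_LEN = 14
ADMIN_LOGIN = "admin"


def audit_shadow_file(mode, owner, group, expected_owner="psaadm", expected_group="psaadm"):
    """Return a list of findings for .psa.shadow-style file metadata.

    `mode` is a full st_mode value; only the permission bits are compared.
    The expected state is the one `ls -la` shows in the article: -rw------- psaadm psaadm.
    """
    findings = []
    perm = stat.S_IMODE(mode)
    if perm != 0o600:
        findings.append("mode is %04o, expected 0600" % perm)
    if owner != expected_owner:
        findings.append("owner is %s, expected %s" % (owner, expected_owner))
    if group != expected_group:
        findings.append("group is %s, expected %s" % (group, expected_group))
    return findings


def audit_shadow_path(path="/etc/psa/.psa.shadow"):
    """stat() a real file and hand its metadata to audit_shadow_file()."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    return audit_shadow_file(st.st_mode, owner, group)


def validate_admin_password(password, login=ADMIN_LOGIN):
    """Check a candidate password against the rules ch_admin_passwd prints.

    Returns the list of violated rules; an empty list means the password is acceptable.
    Non-ASCII characters are treated as "national characters" (assumption).
    """
    problems = []
    if not PASSWORD_MIN_LEN <= len(password) <= PASSWORD_MAX_LEN:
        problems.append("length must be %d to %d characters" % (PASSWORD_MIN_LEN, PASSWORD_MAX_LEN))
    if login.lower() in password.lower():
        problems.append("must not contain the login name")
    if any(ch.isspace() for ch in password):
        problems.append("must not contain whitespace")
    if any(ch in "'\"" for ch in password):
        problems.append("must not contain quotes")
    if not password.isascii():
        problems.append("must not contain national (non-ASCII) characters")
    return problems


if __name__ == "__main__":
    # Constructed metadata mirroring the `ls -la` line from the article, then a bad case.
    print(audit_shadow_file(0o100600, "psaadm", "psaadm"))
    print(audit_shadow_file(0o100644, "root", "root"))
    print(validate_admin_password("Tr0ub4dor"))
    print(validate_admin_password("admin 123"))
```

Run validate_admin_password() before exporting PSA_PASSWORD so that a rejected value does not leave a half-applied change; the one-line `export ...; ch_admin_passwd; unset` form from the article keeps the password out of the process list but it still lands in the shell history, so clear that entry afterwards.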


original


Saturday, April 24, 2010

Plesk 127.0.0.1:11444 Linux

After installing Plesk, when you log in to the panel the browser cheerfully reports that it cannot connect to 127.0.0.1:11444.
Without further ado:
1. Log in to MySQL.
2. use psa;
3. update misc set val='https://[your_server_name]:11444' where param='sso_relay';
They say it should work even without restarting the panel, but you can reboot anyway. And don't forget that the problem may also be caused by incorrect entries in /etc/hosts.

Of course, the answer was found on the internet: link

Thursday, April 15, 2010

windows 2008 Plesk access denied

An error of this kind occurred:
"Access to the path 'D:\inetpub\vhosts\somesite.com\httpdocs\UploadedPhotos\25.jpg' is denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.UnauthorizedAccessException: Access to the path 'D:\inetpub\vhosts\somesite.com\httpdocs\UploadedPhotos\25.jpg' is denied.

ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS Web Server 5 or Network Service on IIS Web Server 6) that is used if the application is not impersonating. If the application is impersonating via , the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.

To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
"

Solution:
add the following line to the disksecurity.xml file:

< accountype="1" account="Psacln" path="C:\Windows\assembly" aceflags="FilesOnly" accessmask="Read" entryflags="0x0">

then run:
"%plesk_bin%\applysecurity" --apply

Saturday, March 20, 2010

smart and watch

The most convenient way to keep an eye on SMART status is this command:
watch -d -n 1 smartctl -A /dev/sdx
It shows, and even highlights, the values that change. If nothing is highlighted, you can be happy ;)

Monday, March 15, 2010

securing SSH

Change SSH listening port

By default, SSH listens for connections on port 22. Attackers use port scanner software to see whether hosts are running an SSH service. It's wise to change the SSH port to a number higher than 1024 because most port scanners (including nmap) by default don't scan high ports.

Open the /etc/ssh/sshd_config file and look for the line that says:

Port 22

Change the port number and restart the SSH service:

/etc/init.d/ssh restart

Allow only SSH protocol 2

There are two versions of the SSH protocol. Using SSH protocol 2 only is much more secure; SSH protocol 1 is subject to security issues including man-in-the-middle and insertion attacks. Edit /etc/ssh/sshd_config and look for the line that says:

Protocol 2,1

Change the line so it says only protocol 2.

Allow only specific users to log in via SSH

You should not permit root logins via SSH, because this is a big and unnecessary security risk. If an attacker gains root login for your system, he can do more damage than if he gains normal user login. Configure SSH server so that root user is not allowed to log in. Find the line that says:

PermitRootLogin yes

Change yes to no and restart the service. You can then log in with any other defined user and switch to user root if you want to become a superuser.

It is wise to create a dummy local user with absolutely no rights on the system and use that user to log in to SSH. That way no harm can be done if the user account is compromised. When creating this user, make sure it's in the wheel group, so that you can switch to superuser.

If you would like to have a list of users who are the only ones able to log in via SSH, you can specify them in the sshd_config file. For example, let's say I want to allow users anze, dasa, and kimy to log in via SSH. At the end of sshd_config file I would add a line like this:

AllowUsers anze dasa kimy

Create a custom SSH banner

If you would like any user who connects to your SSH service to see a specific message, you can create a custom SSH banner. Simply create a text file (in my example in /etc/ssh-banner.txt) and put any kind of text message in it; for example:

*****************************************************************
*This is a private SSH service. You are not supposed to be here.*
*Please leave immediately. *
*****************************************************************

When done editing, save the file. In the sshd_config file, find a line that says:

#Banner /etc/issue.net

Uncomment the line and change the path to your custom SSH banner text file.

Using DSA public key authentication

Instead of using login names and passwords for SSH authentication, you can use DSA public keys for authentication. Note that you can have both login names and DSA public key authentication enabled at the same time. Having DSA public key authentication enabled makes your system bulletproof against dictionary attacks, because you don't need a login name and password to log in to the SSH service. Instead, you need a pair of DSA keys -- one public and one private. You keep the private key on your machine and copy the public key to the server. When you want to log in to an SSH session, the server checks the keys, and if they match, you are dropped into the shell. If the keys don't match, you are disconnected.

In this example the private machine (from which I will connect to the server) is station1 and the server machine is server1. On both machines I have the same home folder; this won't work if the home folders are different on the client and server machine. First you need to create a pair of keys on your private machine with the command ~$ ssh-keygen -t dsa. You'll be prompted for a passphrase for your private key; you can leave it blank, but this is not a recommended method. A key pair is generated: your private key is located in ~/.ssh/id_dsa and your public key is located in ~/.ssh/id_dsa.pub.

Next, copy the contents of ~/.ssh/id_dsa.pub to server1 into the ~/.ssh/authorized_keys file. The content of ~/.ssh/id_dsa.pub file should look something like this:

~$ cat .ssh/id_dsa.pub
ssh-dss AAAAB3NzaC1kc3MAAACBAM7K7vkK5C90RsvOhiHDUROvYbNgr7YEqtrdfFCUVwMWcJYDusNG
AIC0oZkBWLnmDu+y6ZOjNPOTtPnpEX0kRoH79maX8NZbBD4aUV91lbG7z604ZTdrLZVSFhCI/Fm4yROH
Ge0FO7FV4lGCUIlqa55+QP9Vvco7qyBdIpDuNV0LAAAAFQC/9ILjqII7nM7aKxIBPDrQwKNyPQAAAIEA
q+OJC8+OYIOeXcW8qcB6LDIBXJV0UT0rrUtFVo1BN39cAWz5puFe7eplmr6t7Ljl7JdkfEA5De0k3WDs
9/rD1tJ6UfqSRc2qPzbn0p0j89LPIjdMMSISQqaKO4m2fO2VJcgCWvsghIoD0AMRC7ngIe6btaNIhBbq
ri10RGL5gh4AAACAJj1/rV7iktOYuVyqV3BAz3JHoaf+H/dUDtX+wuTuJpl+tfDf61rbWOqrARuHFRF0
Tu/Rx4oOZzadLQovafqrDnU/No0Zge+WVXdd4ol1YmUlRkqp8vc20ws5mLVP34fST1amc0YNeBp28EQi
0xPEFUD0IXzZtXtHVLziA1/NuzY= anze@station1.example.com

If the file ~/.ssh/authorized_keys already exists, append the contents of the file ~/.ssh/id_dsa.pub to the file ~/.ssh/authorized_keys on server1. The only thing left to do is to set the correct permissions of ~/.ssh/authorized_keys file on server1:

~$ chmod 600 ~/.ssh/authorized_keys

Now, configure the sshd_config file to use DSA key authentication. Make sure you have the following three lines uncommented:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

Restart the service. If you configured everything correctly, you should now be able to SSH to your server and fall directly into your home folder without any interaction.

If you would like to use DSA authentication only, make sure you uncomment and change the PasswordAuthentication line in sshd_config from yes to no:

PasswordAuthentication no

If anyone tries to connect to your SSH service and doesn't have a public key on the server, he will be rejected without even seeing the login prompt with this error:

Permission denied (publickey).
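The settings changed in the sections above (Port, Protocol, PermitRootLogin, AllowUsers, Banner, PubkeyAuthentication, PasswordAuthentication) are spread over a long file, and sshd silently uses the first occurrence of each keyword, so a hardening change that lands below a default is ignored. The following Python is an added example written for this article, not code from it or from OpenSSH: it parses an sshd_config text the way sshd reads it (first occurrence wins, comments ignored) and reports which of the article's recommendations are not met. The two sample configs are constructed; the "port above 1024" and AllowUsers checks simply encode what the article recommends.

```python
import re

# Constructed sshd_config excerpt resembling a default file before hardening.
SAMPLE_SSHD_CONFIG = """\
# Example sshd_config (constructed for this example)
Port 22
Protocol 2,1
PermitRootLogin yes
#Banner /etc/issue.net
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
#PasswordAuthentication yes
"""

# The same file after applying every change from the article (constructed).
HARDENED_SSHD_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
AllowUsers anze dasa kimy
Banner /etc/ssh-banner.txt
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for active directives.

    sshd honours the first occurrence of a keyword, so earlier lines win here too.
    Both 'Keyword value' and 'Keyword=value' forms are accepted.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)\s*=?\s+(.*)", line) or re.match(r"(\S+?)=(.*)", line)
        if not m:
            continue
        settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings


def audit_sshd_config(text, allowed_users=None):
    """Compare a config against the hardening steps of the article.

    Returns a list of findings; an empty list means every check passed.
    `allowed_users`, when given, is the exact set AllowUsers should contain.
    """
    s = parse_sshd_config(text)
    findings = []

    port = s.get("port", "22")  # sshd default when the keyword is absent
    if int(port) <= 1024:
        findings.append("Port %s: article recommends a port above 1024" % port)

    protocol = s.get("protocol", "2,1")  # old sshd default accepted both versions
    if "1" in [p.strip() for p in protocol.split(",")]:
        findings.append("Protocol %s: protocol 1 is still enabled" % protocol)

    if s.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")

    if "allowusers" not in s:
        findings.append("AllowUsers is not set: any local account may log in")
    elif allowed_users is not None and set(s["allowusers"].split()) != set(allowed_users):
        findings.append("AllowUsers lists %s, expected %s" % (s["allowusers"], " ".join(allowed_users)))

    if "banner" not in s:
        findings.append("Banner is not set")

    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")

    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': password logins remain possible")

    return findings


if __name__ == "__main__":
    for name, cfg in (("default", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg, ["anze", "dasa", "kimy"]))
```

Point audit_sshd_config() at the contents of /etc/ssh/sshd_config after each edit and again after the restart; a non-empty result on the hardened file usually means a duplicate keyword higher up in the file is shadowing the new value.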

Using TCP wrappers to allow only specific hosts to connect

This approach is useful if you would like to allow only specific hosts on a network to be able to connect to your SSH service, but you don't want to use or mess up your iptables configuration. Instead, you can use TCP wrappers; in this case the sshd TCP wrapper. I will make a rule to allow only hosts on my local subnet 192.168.1.0/24 and remote host 193.180.177.13 to connect to my SSH service.

By default TCP wrappers first look in the /etc/hosts.deny file to see what hosts are denied for what service. Next, TCP wrapper looks in /etc/hosts.allow file to see if there are any rules that would allow hosts to connect to a specific service. I'll create a rule like this in /etc/hosts.deny:

sshd: ALL

This means that by default all hosts are forbidden to access the SSH service. This needs to be here, otherwise all hosts would have access to the SSH service, since TCP wrappers first looks into hosts.deny file and if there is no rule regarding blocking SSH service, any host can connect.

Next, create a rule in /etc/hosts.allow to allow only specific hosts (as defined earlier) to use the SSH service:

sshd: 192.168.1. 193.180.177.13

Now only hosts from the 192.168.1.0/24 network and the 193.180.177.13 host can access the SSH service. All other hosts are disconnected before they even get to the login prompt, and receive an error like this:

ssh_exchange_identification: Connection closed by remote host
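To see how the two files interact before touching a live host, the following Python is an added example, not part of the article or of libwrap: it reproduces the client-pattern subset of hosts_access(5) that the article uses (ALL, a trailing-dot network prefix, an exact address, plus the n.n.n.n/m.m.m.m form) and the lookup order libwrap actually applies: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, and a client matched by neither file is allowed. That last rule is why the `sshd: ALL` entry in hosts.deny is required. The two file contents are constructed copies of the article's rules, with the subnet written in the trailing-dot prefix form that hosts_access(5) defines.

```python
import ipaddress

# Constructed copies of the two files from the article.
HOSTS_ALLOW = "sshd: 192.168.1. 193.180.177.13\n"
HOSTS_DENY = "sshd: ALL\n"


def parse_access_file(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules


def client_matches(pattern, addr):
    """Subset of the client patterns from hosts_access(5), for IPv4 addresses."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # 'n.n.n.' matches addresses starting with that prefix
        return addr.startswith(pattern)
    if "/" in pattern:  # 'n.n.n.n/m.m.m.m' network/mask form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return addr == pattern  # anything else is an exact address (hostnames not modelled)


def rule_matches(rule, daemon, addr):
    """A rule applies when both its daemon list and its client list match."""
    daemons, clients = rule
    if not any(d in ("ALL", daemon) for d in daemons):
        return False
    return any(client_matches(c, addr) for c in clients)


def hosts_access(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """libwrap order: hosts.allow first, then hosts.deny, default allow."""
    for rule in parse_access_file(allow_text):
        if rule_matches(rule, daemon, addr):
            return True
    for rule in parse_access_file(deny_text):
        if rule_matches(rule, daemon, addr):
            return False
    return True


if __name__ == "__main__":
    for client in ("192.168.1.50", "193.180.177.13", "192.168.10.5", "10.0.0.7"):
        print(client, "allowed" if hosts_access("sshd", client) else "refused")
    # Without the deny-ALL rule every unmatched client falls through to "allowed".
    print("10.0.0.7 with empty hosts.deny:", hosts_access("sshd", "10.0.0.7", deny_text=""))
```

Note that the prefix "192.168.1." does not match 192.168.10.5, because the dot is part of the comparison; and because the deny rule names only sshd, other wrapped services are untouched by it.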

Using iptables to allow only specific hosts to connect

An alternative to TCP wrappers (although you can use both at the same time) is limiting SSH access with iptables. Here's a simple example of how you can allow only a specific host to connect to your SSH service:

~# iptables -A INPUT -p tcp -m state --state NEW --source 193.180.177.13 --dport 22 -j ACCEPT

And make sure no one else has access to SSH service:

~# iptables -A INPUT -p tcp --dport 22 -j DROP

Save your new rules and you're all done.

SSH time-lock tricks

You can also use different iptables parameters to limit connections to the SSH service for specific time periods. You can use the /second, /minute, /hour, or /day switch in any of the following examples.

In the first example, if a user enters the wrong password, access to the SSH service is blocked for one minute, and the user gets only one login try per minute from that moment on:

~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP

In a second example, iptables is set to allow only host 193.180.177.13 to connect to the SSH service. After three failed login tries, iptables allows the host only one login try per minute:

~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -j DROP
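What these two rule pairs actually enforce is worth seeing concretely: the `limit` match is a token bucket over new TCP connections (SYN packets) to port 22, shared by every source unless the rule carries `-s`, and it has no knowledge of whether a password was right or wrong. The following Python is an added example, not from the article or from netfilter: it models the `limit` bucket (`--limit 1/minute --limit-burst 1`) and walks a constructed list of new-connection attempts through the two-rule chain, assuming an ACCEPT policy for packets that match neither rule.

```python
class LimitMatch:
    """Token bucket modelled on the iptables 'limit' match.

    The bucket starts full with `burst` tokens and refills one token every
    60 / rate_per_minute seconds; a packet matches only if a token is available.
    """

    def __init__(self, rate_per_minute=1, burst=1, now=0.0):
        self.interval = 60.0 / rate_per_minute
        self.burst = burst
        self.tokens = float(burst)
        self.last = now

    def match(self, now):
        elapsed = now - self.last
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed / self.interval)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def build_chain(source=None, rate_per_minute=1, burst=1):
    """The article's two rules: a rate-limited ACCEPT followed by an unconditional DROP.

    `source` of None corresponds to the first example (no -s); a string
    corresponds to the second example, where both rules carry -s <host>.
    """
    return [
        {"source": source, "limit": LimitMatch(rate_per_minute, burst), "target": "ACCEPT"},
        {"source": source, "limit": None, "target": "DROP"},
    ]


def evaluate(chain, packets, policy="ACCEPT"):
    """Return one verdict per (time_seconds, source_ip) new SYN to dport 22.

    First matching rule wins; a packet matching no rule gets the chain policy
    (ACCEPT is assumed here, as no policy is shown in the article).
    """
    verdicts = []
    for t, src in packets:
        verdict = policy
        for rule in chain:
            if rule["source"] is not None and rule["source"] != src:
                continue
            if rule["limit"] is not None and not rule["limit"].match(t):
                continue
            verdict = rule["target"]
            break
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    # Constructed sequence: connection attempts at given seconds from several hosts.
    attempts = [(0, "10.0.0.5"), (10, "10.0.0.5"), (30, "10.0.0.9"),
                (60, "10.0.0.5"), (65, "10.0.0.5"), (200, "10.0.0.5")]
    print("example 1:", evaluate(build_chain(), attempts))
    print("example 2:", evaluate(build_chain(source="193.180.177.13"),
                                 [(0, "193.180.177.13"), (5, "193.180.177.13"), (5, "10.0.0.5")]))
```

Two things the simulation makes visible: in the first example the bucket is global, so the attempt from 10.0.0.9 at t=30 is dropped because 10.0.0.5 consumed the only token at t=0; and in the second example a host other than 193.180.177.13 matches neither rule and is left to the chain policy, so the earlier `--dport 22 -j DROP` rule (or a DROP policy) is still needed to keep everyone else out.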


original post http://www.linux.com/archive/feed/61061 thanks to Anže Vidmar

Saturday, January 30, 2010

apt-get gpg error

When running apt-get update, we get:

W: GPG error: http://ftp.de.debian.org etch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9AA38DCD55BE302B
W: GPG error: http://ftp.de.debian.org etch/updates Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9AA38DCD55BE302B
W: You may want to run apt-get update to correct these problems

Run the following:

megaserver:~# gpg --keyserver subkeys.pgp.net --recv 9AA38DCD55BE302B
gpg: directory `/root/.gnupg' created
gpg: can't open `/gnupg/options.skel': No such file or directory
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key 55BE302B from hkp server subkeys.pgp.net
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 55BE302B: public key "Debian Archive Automatic Signing Key (5.0/lenny) " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
megaserver:~# gpg --export --armor 9AA38DCD55BE302B | apt-key add -
OK