How to find the biggest files or directories on the server?

by WanderingTechy November 15, 2014

Just had a client call me due to the fact all the sites on his server were down.

A quick check on disk space and the hard disk was full. This is always the first thing to check when the server is up but sites are down.

I then check each of the root folders in turn to find out which one is causing the problem. This command is so useful, and I have been using it (or variations of it) for years, that I thought I would post it just in case.

du -Sh | sort -rh | head -n 5

I always check /var first as this has logs, mail and lots more in it.

The GPG keys listed for the “CentOS / Red Hat Enterprise Linux 6 – atomicrocketturtle.com” repository are already installed but they are not correct for this package.

by WanderingTechy October 23, 2014

Atomic are moving everything under one key. To fix this error, run this command:

rpm --import https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt

Then edit /etc/yum.repos.d/atomic.repo

Change the following line

gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt

to

gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt
         file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt

Logging from, to and subject in Postfix

by WanderingTechy October 22, 2014

We needed to analyse the from, to and subject on one of our servers to deal with a persistent spammer.

Add this to your header_checks

/^subject:/     WARN
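With that rule in place, Postfix's cleanup process logs one warning line per matching message, and that line already carries the envelope sender and recipient next to the Subject text. The following is an added example, not part of the original post: it ranks sender and subject pairs from such lines. The sample log lines are constructed, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Shape of the line cleanup(8) logs for a WARN header_checks match.
# The greedy value group backtracks to the last " from <client>; from=<",
# so a Subject that itself contains " from " is still captured whole.
WARN_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-Za-z]+): warning: header "
    r"(?P<name>[^:\s]+): (?P<value>.*) from (?P<client>\S+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def top_subjects(lines):
    """Return [(sender, subject, hits, distinct_recipients)], busiest first."""
    hits = defaultdict(int)
    rcpts = defaultdict(set)
    for line in lines:
        m = WARN_RE.search(line)
        if not m or m["name"].lower() != "subject":
            continue  # not a header_checks warning for Subject
        key = (m["sender"], m["value"])
        hits[key] += 1
        rcpts[key].add(m["rcpt"])
    ranked = sorted(hits, key=lambda k: (-hits[k], k))
    return [(s, subj, hits[(s, subj)], len(rcpts[(s, subj)])) for s, subj in ranked]

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    "Oct 22 10:15:01 mail postfix/cleanup[2201]: 3F2A61C0D1: warning: header Subject: Payment from your bank from unknown[192.0.2.55]; from=<promo@example.com> to=<user1@example.net> proto=ESMTP helo=<example.com>",
    "Oct 22 10:15:02 mail postfix/cleanup[2201]: 3F2A61C0D2: warning: header Subject: Payment from your bank from unknown[192.0.2.55]; from=<promo@example.com> to=<user2@example.net> proto=ESMTP helo=<example.com>",
    "Oct 22 10:15:03 mail postfix/cleanup[2201]: 3F2A61C0D3: warning: header Subject: Payment from your bank from unknown[192.0.2.55]; from=<promo@example.com> to=<user2@example.net> proto=ESMTP helo=<example.com>",
    # Mail submitted on the server itself is logged as "from local".
    "Oct 22 10:16:00 mail postfix/cleanup[2207]: 4A1B22D0E1: warning: header Subject: Hello from local; from=<www-data@mail.example.org> to=<user9@example.net>",
    "Oct 22 10:16:01 mail postfix/qmgr[1180]: 4A1B22D0E1: from=<www-data@mail.example.org>, size=512, nrcpt=1 (queue active)",
]

if __name__ == "__main__":
    for row in top_subjects(SAMPLE):
        print(row)
```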

Blocking a spammer with firewall on a fresh chain.

by WanderingTechy October 21, 2014

A client uses fail2ban plus a number of other custom scripts to build his firewall to block unwanted access.  The firewall table was getting very confusing for him as he didn’t know which script had blocked the IP at a glance.

I cleaned up his tables and created a chain for each script.  Here is how I did it.

Read the rest of this entry »

Tracking which account is sending spam on a plesk server

by WanderingTechy October 20, 2014

This is not an easy task without knowing a few tricks, as the log files are not an awful lot of help. Providing you have the Plesk grey listing switched on and you know a little SQL and PHP, the task is not that hard.

sqlite3 /var/lib/plesk/mail/greylist/data.db 'select * from data'

The above command will provide you with a list of senders, recipients and IP addresses. I have written a couple of scripts which monitor this database every 5 minutes and extract spammer signatures which then get emailed to me. I usually catch them within 10-15 minutes of starting their run these days.

Here is a list of the columns in the database:

sqlite> PRAGMA table_info(data);
0|remoteIP|VARCHAR(39)|1||0
1|mailFrom|VARCHAR(255)|1||0
2|rcptTo|VARCHAR(255)|1||0
3|blockedCount|INTEGER|1||0
4|passCount|INTEGER|1||0
5|creationTime|INTEGER|1||0
6|lastUpdate|INTEGER|1||0
7|greyExpires|INTEGER|1||0

Using the above and some data from the headers from one of the spam emails you can quickly extract the sender.

If the spammer is changing the from address so it doesn’t match an account on the server you can filter the logs as follows;

Read the rest of this entry »
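One way to query the greylist table for bulk senders, as an added example that is not the author's monitoring script: it rebuilds the table from the column list above in memory, fills it with constructed rows, and reports senders that reached many distinct recipients recently. The heuristic, the thresholds, the function names and the assumption that the time columns hold Unix seconds are all assumptions of this example.

```python
import sqlite3

# Column names and types copied from the PRAGMA table_info(data) output above.
SCHEMA = """CREATE TABLE data (
    remoteIP VARCHAR(39) NOT NULL, mailFrom VARCHAR(255) NOT NULL,
    rcptTo VARCHAR(255) NOT NULL, blockedCount INTEGER NOT NULL,
    passCount INTEGER NOT NULL, creationTime INTEGER NOT NULL,
    lastUpdate INTEGER NOT NULL, greyExpires INTEGER NOT NULL)"""

# Assumed heuristic: one sender, many distinct recipients, recently active.
QUERY = """
SELECT mailFrom,
       COUNT(DISTINCT rcptTo)   AS recipients,
       COUNT(DISTINCT remoteIP) AS source_ips,
       SUM(passCount)           AS passed
FROM data
WHERE lastUpdate >= :since
GROUP BY mailFrom
HAVING COUNT(DISTINCT rcptTo) >= :min_rcpts
ORDER BY recipients DESC, mailFrom"""

def bulk_senders(conn, now, window=300, min_rcpts=3):
    """Senders seen with at least min_rcpts recipients in the last window seconds."""
    params = {"since": now - window, "min_rcpts": min_rcpts}
    return conn.execute(QUERY, params).fetchall()

def sample_db(now):
    """In-memory copy of the table filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [("192.0.2.10", "promo@example.com", f"user{i}@example.net",
             0, 1, now - 60, now - 60, now + 300) for i in range(5)]
    # Same pattern but an hour old: outside the 5-minute window.
    rows += [("192.0.2.11", "old@example.com", f"user{i}@example.net",
              0, 1, now - 3600, now - 3600, now - 3000) for i in range(4)]
    rows.append(("198.51.100.7", "alice@example.org", "bob@example.net",
                 1, 2, now - 200, now - 100, now + 300))
    conn.executemany("INSERT INTO data VALUES (?,?,?,?,?,?,?,?)", rows)
    return conn

NOW = 1416000000  # constructed timestamp (assumes the time columns are Unix seconds)

if __name__ == "__main__":
    # On a live server, open the real file read-only instead:
    # sqlite3.connect("file:/var/lib/plesk/mail/greylist/data.db?mode=ro", uri=True)
    for row in bulk_senders(sample_db(NOW), NOW):
        print(row)
```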

qmail delete all emails from specific domain in queue

by WanderingTechy September 22, 2014

I installed qmailhandle and tried to delete using wildcards and it didn’t work.

This command however does.

/usr/bin/qmhandle.pl -h'\@domain'

flush the qmail queue

by WanderingTechy September 22, 2014

To retry all the emails in the qmail queue

kill -ALRM `ps ax | grep '[q]mail-send' | awk '{print $1}'`

smtp auth spam problems with qmail on plesk?

by WanderingTechy June 14, 2014

Recently I have been getting quite a few spam problems where the spammers were using valid smtp auth accounts on my server.  They have either dictionary attacked the account or the password has leaked.

After quite a bit of hacking about I have come up with this single command (long one) which will list any smtp_auth login that has been authorised from more than 10 different IP addresses.  My logs rotate every 24 hours so I didn’t need to filter by date.

THIS WORKS ON: CentOS 6.5 with Plesk 10.x installed using qmail. Your usage may vary.

cat /usr/local/psa/var/log/maillog | grep "smtp_auth" | awk '/logged in from/ {print $8"\t"$14}' | sort -u -k1 | awk '{ print $1 }' | sort | uniq -c |  sed -e 's/^[ \t]*//' | awk '$1 >= 10'

Before anyone comments that I have unnecessary cats and there are better ways to do this: I want it done in clear, easy-to-understand stages so that when I come back to it later it is still readable. Don’t use it if you don’t like it…

Read the rest of this entry »

mod_fcgid: HTTP request length 132330 (so far) exceeds MaxRequestLen (131072)

by WanderingTechy May 27, 2014

If you get unusual errors when uploading a file via HTTP, check the error log. If you see this error message:

[Tue May 27 17:55:15 2014] [warn] [client 254.50.232.53] mod_fcgid: HTTP request length 132330 (so far) exceeds MaxRequestLen (131072), referer: http://www.example.com/

Add this to your /etc/httpd/conf.d/fcgid.conf

MaxRequestLen 15728640

This works on CentOS 6.X and should work on others. This can cause problems in software such as forums, WordPress and MediaWiki.

how to extract a list of domains from a plesk server

by WanderingTechy May 7, 2014

I need a list of domains to use in a script for rebuilding a DNS server.

This did the job.

mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -Ns -e "select name from domains" > domains.txt