Modesec Rules

//** Just follow the given instruction Given below //** :--

   **< // make sure that you have compiled apache with mod security // >

--------------------------------********------------------------------------ 

     -  cd /usr/local/apache/conf;mkdir modsecurity;cd modsecurity;

     -  browse the url http://gotroot.com/ and choose tar file "All in one downloads for modsec 2.0-2.1" and wget it.

        It will dowload all rules for mod seurity.

        go to - /usr/local/apache/conf/modsecurity and wget the rules

        wget http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/apache2-gotrootrules-modsec2.0-latest.tar.gz

     -  nano /usr/local/apache/conf/modsec.conf 

        search line start with "include"

        delete that line and add line as below-

        Include "/usr/local/apache/conf/modsecurity/*.conf"

     -  service httpd restart .

*************************************************************

While running repairs on the databases, you will getting these types of error messages

While running repairs on the databases, you will  getting these types of error messages:--

***************
user_database
error : Not enough memory (367039) for blob at 2700532
error : Corrupt
***************

Fix :: cpanel >> tweat Settings >> Max Memory

change the limit to 0  ***********------------*************

how to find what causing high load .....

/<  To find out what's causing the high load just fire the below command   >/ :--

----------------------------------

top -b -i -n 20 >> ./top_procs

----------------------------------

And its done........

how to find what causing high load .....

Solutions on Disk usage for domain shows' 0 mb' in plesk linux

**Its very simple just fire the given command** :-

**Just run the statistics manually given below  :--

----------------
cd /usr/local/psa/admin/sbin/
./statistics

---------------

Delete domains in plesk getting any error.

/**Try to do the following from command line**// :--

***********---------------*************

> "%plesk_bin%\mchk.exe" --all --fix=all

***********---------------*************
If this command stop with error then try to do this

1). Backup your <MailEnable-folder>\config folder

2). remove all .tab and .sav files from your Config Folder

3). run "%plesk_bin%\mchk.exe" --all --fix=all 

***********---------------*************

**************************************

To install Fantastico on VPS install and then get the ip licensed

**//Just fire the scripts given below**// :--

------------***************-------------

cd /usr/local/cpanel/whostmgr/docroot/cgi

wget http://www.netenberg.com/files/free/fantastico_whm_admin.tgz

tar -xzpf fantastico_whm_admin.tgz

rm -rf fantastico_whm_admin.tgz

------------***************---------------

<And all done>

To catch the spammer by checking exim_mainlog.

*-* A little bit luck & you should be able to catch the spammer ,by checking exim_mainlog, 
If you fail to catch the spammer from this then he is using some other way of spamming ,
& to catch him you will need to understand all the steps given below >>:--

1>
  Get the message ID from the header of the spam. It should be in format like 1DWJj4-00042i-74 < this is the most important step else all thats given below is crap > 

2>
 grep exim_mainlog with the message ID      < Ex : grep 1DWJj4-00042i-74 /var/log/exim_mainlog > 

3>
      Check the time on which the spam was sent and also check all that is shown after grep. 

4>
      If you find out the domain name or path of the scripts from exim_mainlog then go ahead and suspend the spammer, else proceed to step 5. 

5>
     Use this message ID to check the original message or bounced message in /var/spool/exim/input/. You should see 2 files there, one with -D at end and one with -H at the end. <Ex : /var/spool/exim/input/4/1DWJj4-00042i-74-D & /var/spool/exim/input/4/1DWJj4-00042i-74-H > This 2 files will have all the information that was sent in the spam message and if it was sent using mailing list then you will catch the username of spammer in auth_sender part of this files. If it shows nobody then its your bad luck Proceed to step 6. 

6>
      If exim_mainlog shows the spams originating from /tmp of the server then check the files in /tmp of the server. user of the file will be seen as nobody:nobody. Take down the time of creation of file. This time is what we need to find out who uploaded the script. You will need to convert this time into the time format of /usr/local/apache/logs/error_log & then in the format of the domlogs located at /usr/local/apache/domlogs/* 

7>
      for file in /usr/local/apache/domlogs/*; do cat $file |grep "example"; done; < you cannot do direct grep for the query here as it will give error that the arguement list is too long >

8>  
      If the results in step 2 have shown some domain name or some username in common as sender of the spam but now you dont see that domain name on the server then check /var/cpanel/accounting.log to see if that account has been terminated from the server < Ex : grep ebayspammer.com/var/cpanel/accounting.log >

All that we need to know is importance of /var/log/exim_mainlog, /var/log/formmail.log, /usr/local/apache/logs/error_log, /usr/local/apache/domlogs/*, 
/var/spool/exim/input/*/* and the files uploaded in /tmp of the server. Major spamming issues are caught using the time of sending the spam, You will need to work on your own when you get across such issue and use your logic to convert the time of sending the spams to the time format of respective log files I mentioned above. 

If you fail to catch active spamming on the server in short time then rename /etc/exim.conf and killall -KILL exim. If this has not stopped the process then check the running mysql processes and stop mysql if needed. If no results then stop http service or find the process ID and kill it. 


----------------*************--------------