OpenSSH Server Best Security Practices

Default Config Files and SSH Port

  • /etc/ssh/sshd_config – OpenSSH server configuration file.
  • /etc/ssh/ssh_config – OpenSSH client configuration file.
  • ~/.ssh/ – Per-user ssh configuration directory.
  • ~/.ssh/authorized_keys (and, by default, ~/.ssh/authorized_keys2; the paths are set by AuthorizedKeysFile in sshd_config) – Lists the public keys (RSA, ECDSA or Ed25519; DSA on old releases only) that can be used to log into the user’s account.
  • /etc/nologin – If this file exists, sshd refuses to let anyone except root log in.
  • /etc/hosts.allow and /etc/hosts.deny – Access control lists enforced by tcp-wrappers are defined here (only honoured by sshd builds linked against libwrap; see the TCP Wrappers section below).
  • SSH default port: TCP 22

Only Use SSH Protocol 2

SSH protocol version 1 (SSH-1) is vulnerable to man-in-the-middle and packet insertion attacks and has been obsolete for many years; never offer it. On OpenSSH releases older than 7.6 open sshd_config and make sure the following line exists (and that no other Protocol line lists 1 alongside 2):

Protocol 2

OpenSSH 7.0 stopped serving SSH-1 by default and 7.6 removed the server-side code entirely; on those releases the Protocol keyword is deprecated (sshd logs a warning if it is present), so on a current system the check is simply that ssh -V (client and server ship together) reports a recent version.

Limit Users’ SSH Access

By default every system user with a valid shell can log in via SSH using a password or public key. Often you create a UNIX / Linux account only for FTP or email purposes. Those users can nonetheless log in to the system over ssh, and they will have access to system tools including compilers and scripting languages such as Perl and Python, which can open network ports and do many other things. One of my clients had a badly outdated PHP script and an attacker was able to create a new account on the system via that script. However, the attacker failed to get into the box via ssh because the account wasn’t in AllowUsers.

To allow only the users sumi and sunny to use the system via SSH, add the following to sshd_config (leave root out of the list: root logins are disabled separately below, and with PermitRootLogin no an entry for root is dead weight):

AllowUsers sumi sunny

Alternatively, you can allow all users to log in via SSH but deny a few, with the following line:

DenyUsers suraj anuja foo

sshd evaluates these directives in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and as soon as any Allow* directive is present every account it does not list is refused, so test the change from a second session before you close the one you are editing from. Entries may also be written as user@host (patterns are allowed) to restrict where a user may connect from. AllowGroups and DenyGroups do the same for group names, which is easier to keep current than a list of user names, and Linux PAM (pam_access, pam_listfile) can enforce the same allow/deny policy for sshd and the other login services alike.

Configure Idle Log Out Timeout Interval

Sessions that have gone away without closing cleanly (a laptop that went to sleep, a NAT table entry that expired) stay open on the server until sshd notices. Open sshd_config and set:

ClientAliveInterval 300

ClientAliveCountMax 3

Every 300 seconds (5 minutes) of silence sshd sends the client an encrypted alive request; after 3 unanswered requests (15 minutes) it drops the connection. Note what this is not: a responsive client answers these requests even while its user is away, so an unattended but still-connected session is never logged out by this mechanism. The often-copied ClientAliveCountMax 0 does not give an idle timeout either; in current OpenSSH releases a value of 0 disables connection termination altogether. For a genuine idle logout set a read-only TMOUT in the login shell profile (for bash, readonly TMOUT=600 in a file under /etc/profile.d/), and use the keepalives above to reap dead connections.

Disable Host-Based Authentication

To disable host-based authentication, update sshd_config with the following option:

HostbasedAuthentication no

Disable root Login via SSH

There is no need to log in as root via ssh over a network. Normal users can use su or sudo (recommended) to gain root-level access. This also ensures you get full audit information about who ran privileged commands on the system via sudo. To disable root login via SSH, update sshd_config with the following line:

PermitRootLogin no

If an automated job genuinely must run as root over ssh, PermitRootLogin prohibit-password (called without-password on older releases) allows key-based root logins only, which is still far better than root with a password.

Firewall SSH Port # 22

You need to firewall the ssh port (22) by updating your iptables or pf configuration. Usually OpenSSH should only accept connections from your LAN or from known remote WAN sites.

Netfilter (Iptables) Configuration

Update /etc/sysconfig/iptables (a Red Hat and friends specific file) to accept connections only from 192.168.1.0/24 and 202.54.1.5/29:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 202.54.1.5/29 -m state --state NEW -p tcp --dport 22 -j ACCEPT

If you have dual-stacked sshd with IPv6, edit /etc/sysconfig/ip6tables (again Red Hat and friends specific):

-A RH-Firewall-1-INPUT -s ipv6network::/ipv6mask -m state --state NEW -p tcp --dport 22 -j ACCEPT

Replace ipv6network::/ipv6mask with your actual IPv6 range. Both rule sets need a final REJECT or DROP (the RH-Firewall-1-INPUT chain from the Red Hat template ends with one) for the accept rules to mean anything.

*BSD PF Firewall Configuration

If you are using PF, update /etc/pf.conf as follows ($ext_if and $ssh_server_ip are macros you must define at the top of the file):

pass in on $ext_if inet proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $ssh_server_ip port ssh flags S/SA synproxy state

Change SSH Port and Limit IP Binding

By default sshd listens on every interface and IP address on the system. Restrict it to the addresses that need it and, if you like, move it off port 22 (by default brute-force scripts only try port 22, but a full port scan finds sshd wherever it is, so treat the move as noise reduction rather than a security control). To bind to 192.168.1.5 and 202.54.1.5 on port 300, add or correct the following lines:

Port 300
ListenAddress 192.168.1.5
ListenAddress 202.54.1.5

On SELinux systems (Red Hat and friends) the policy must also be told about the new port, for example with semanage port -a -t ssh_port_t -p tcp 300, or sshd will be refused the bind; and change the firewall rules above to match. Clients then connect with ssh -p 300 host.

Use Public Key Based Authentication

Use a public/private key pair and protect the private key with a passphrase. Generate Ed25519 keys (ssh-keygen -t ed25519) or RSA keys of at least 3072 bits; DSA keys are limited to 1024 bits and are disabled by default in OpenSSH 7.0 and later. Key authentication only removes the password-guessing surface if you also turn passwords off: set PasswordAuthentication no and ChallengeResponseAuthentication no (named KbdInteractiveAuthentication on OpenSSH 8.7 and later) in sshd_config, after confirming from a second session that key login works. Never use a passphrase-free key for an interactive account.

Use Keychain Based Authentication

keychain is a shell script that manages a long-running ssh-agent, so that a passphrase-protected key is unlocked once per boot rather than on every login. It gives you the convenience of passphrase-free keys without storing the key unprotected on disk; keep in mind that anyone with root on the workstation can still use the loaded key through the agent socket for as long as it is loaded. See how to set up and use the keychain software.

Chroot SSHD (Lock Down Users To Their Home Directories)

Since OpenSSH 4.9 no third-party patch is needed: the ChrootDirectory directive, normally placed in a Match User or Match Group block and combined with ForceCommand internal-sftp for SFTP-only accounts, confines users to a directory tree. The chroot target and every component of its path must be owned by root and not writable by group or others, or sshd refuses the login. The older sshd chroot patch is described at http://www.debian-administration.org/articles/590

Use TCP Wrappers

TCP Wrappers is a host-based network ACL library (libwrap): a daemon linked against it consults /etc/hosts.allow and /etc/hosts.deny before accepting a connection. OpenSSH supported it up to version 6.6; support was removed in OpenSSH 6.7 (a few distributions carried a patch for a while longer), so check with ldd $(which sshd) | grep libwrap before relying on it. Where it is supported, update /etc/hosts.allow as follows to allow SSH only from 192.168.1.2 and 172.16.23.12 (and add sshd : ALL to /etc/hosts.deny, otherwise the allow line changes nothing):

sshd : 192.168.1.2 172.16.23.12

On newer OpenSSH use the firewall rules above, or a Match Address block in sshd_config, for the same effect.

Disable Empty Passwords

Disallow remote logins for accounts whose password is empty. The sshd default is already no, but set it explicitly so a distribution default or a later edit cannot change it silently. Update sshd_config with the following line:

PermitEmptyPasswords no
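To check that these directives are actually in effect, here is an added example (not code from the original article) of a small POSIX shell audit script. It models two sshd parsing rules that trip people up: only the first occurrence of a directive counts, and anything inside a Match block is conditional. It checks the directives discussed on this page (PermitRootLogin, PermitEmptyPasswords, HostbasedAuthentication, AllowUsers/AllowGroups, and LogLevel, expecting VERBOSE so that key fingerprints are logged) plus PasswordAuthentication no, which the key-based authentication advice below implies; the file name and the sample configurations are assumptions. On a live host, sshd -T is the authoritative view of the effective configuration.

```shell
#!/bin/sh
# Offline audit of an sshd_config file against the directives discussed
# on this page (added example, not from the original article).  Two sshd
# parsing rules are modelled: the FIRST occurrence of a directive wins
# (a duplicate appended at the end of the file is silently ignored, a
# common way to "harden" a server without changing anything), and
# directives inside a "Match" block are conditional, so they never
# count as the global value.  The "Key=value" spelling is not handled.

# sshd_effective FILE DIRECTIVE
# Print the effective global value of DIRECTIVE (key match is
# case-insensitive, comments are stripped, output is empty if unset).
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                 # drop comments
        NF == 0 { next }                   # skip blank lines
        tolower($1) == "match" { exit }    # global section ends here
        tolower($1) == want {              # first global hit wins
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# sshd_config_audit FILE
# One PASS/FAIL line per check; returns 1 if any check fails.  Values
# are compared case-insensitively; an unset directive is reported as
# such because the page asks for these to be set explicitly.
sshd_config_audit() {
    cfg=$1
    rc=0
    for spec in PermitRootLogin=no PasswordAuthentication=no \
                PermitEmptyPasswords=no HostbasedAuthentication=no \
                LogLevel=verbose; do
        key=${spec%%=*}
        want=${spec#*=}
        got=$(sshd_effective "$cfg" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key: want '$want', got '${got:-<unset>}'"
            rc=1
        fi
    done
    # At least one allow-list must exist, otherwise every local account
    # with a shell may try to log in.
    if [ -n "$(sshd_effective "$cfg" AllowUsers)" ] ||
       [ -n "$(sshd_effective "$cfg" AllowGroups)" ]; then
        echo "PASS AllowUsers/AllowGroups restricts who may log in"
    else
        echo "FAIL AllowUsers/AllowGroups: not set, every account may log in"
        rc=1
    fi
    return $rc
}

# Usage: sh sshd-audit.sh /etc/ssh/sshd_config   (path is an assumption)
if [ -n "${1-}" ]; then
    sshd_config_audit "$1"
fi
```

The exit status makes the script usable as a gate in configuration management: a non-zero return means the file would leave sshd weaker than the page recommends.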

Thwart SSH Crackers (Brute Force Attack)

Brute force here means guessing passwords: an attacker, usually a botnet, tries large numbers of username/password combinations against sshd. Disabling password authentication removes the target entirely; the following tools additionally block sources that keep failing:

  • DenyHosts is a Python based security tool for SSH servers. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses (a how-to for RHEL / Fedora / CentOS Linux is available).
  • Fail2ban is a similar program that prevents brute force attacks against SSH (and other services) by inserting firewall rules for offending sources.
  • security/sshguard-pf, security/sshguard-ipfw and security/sshguard-ipfilter (FreeBSD ports) protect hosts from brute force attacks against ssh and other services using pf, ipfw or ipfilter respectively.
  • security/sshblock blocks abusive SSH login attempts.
  • security/sshit checks for SSH/FTP brute force and blocks the offending IPs.
  • BlockHosts: automatic blocking of abusive IP hosts.
  • Blacklist: get rid of those brute force attempts.
  • Brute Force Detection: a modular shell script for parsing application logs and checking for authentication failures. It uses a rules system in which application-specific options, including regular expressions for each unique auth format, are stored.
  • IPQ BDB filter: may be considered a fail2ban lite.

Whatever you use, allow-list your own management addresses, or a mistyped password will lock you out too.
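As an added example (not from the original page or from any of the tools listed), here is the detection logic all of these tools share, reduced to a few lines of POSIX shell and awk: count "Failed password" lines per source address, apply a threshold and an allow-list prefix, and print the firewall rule for each offender. The log lines used in the test are constructed (TEST-NET addresses); the path /var/log/auth.log and the threshold of 5 are assumptions.

```shell
#!/bin/sh
# Minimal version of what DenyHosts / fail2ban / sshguard do (added
# example, not from the original page): count failed SSH logins per
# source address in an auth log and emit a block rule for every source
# over a threshold.  Commands are printed, not executed, so the output
# can be reviewed (or piped to sh), and a prefix allow-list keeps your
# own management network from being locked out by a mistyped password.

# ssh_failed_logins LOG
# Print "COUNT IP", most active source first.  Only "Failed password"
# lines are counted; "Invalid user" lines describe the same attempt and
# would double-count it.
ssh_failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# ssh_offenders LOG THRESHOLD [ALLOW_PREFIX]
# Sources with at least THRESHOLD failures, one per line, skipping
# addresses that start with ALLOW_PREFIX (e.g. "192.168.1.").
ssh_offenders() {
    ssh_failed_logins "$1" |
        awk -v t="$2" -v allow="${3-}" \
            '$1 >= t && (allow == "" || index($2, allow) != 1) { print $2 }'
}

# ssh_block_cmds LOG THRESHOLD [ALLOW_PREFIX]
# Print one iptables rule per offender (dry run; pipe to sh to apply).
ssh_block_cmds() {
    ssh_offenders "$1" "$2" "${3-}" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Usage: sh ssh-offenders.sh /var/log/auth.log 5 192.168.1.
# (log path, threshold and allow-list prefix are assumptions)
if [ -n "${1-}" ]; then
    ssh_block_cmds "$1" "${2:-5}" "${3-}"
fi
```

The real tools add what this omits: a time window (findtime in fail2ban), automatic unblocking after a ban period, and following the log as it grows rather than re-reading it.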

Rate-limit Incoming Port # 22 Connections

Both netfilter and pf provide rate-limit options to perform simple throttling of incoming connections to port 22.

Iptables Example

The following example drops new connections from a source that has made 5 or more connection attempts to port 22 within 60 seconds:

#!/bin/bash
IPT=/sbin/iptables
inet_if=eth1
ssh_port=22

# Record the source of every new connection to the ssh port in the "recent" list ...
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --set

# ... and drop it once it has made 5 new connections within the last 60 seconds
# (inserted with -I, so this rule is evaluated before the one above)
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP

Call the above from your iptables script; it needs a default DROP policy or a final reject rule to mean anything. Another option uses the limit match, which throttles all new ssh connections on the interface instead of tracking each source:

$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT

$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT

$IPT -A OUTPUT -o ${inet_if} -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT

# another one-line example

# $IPT -A INPUT -i ${inet_if} -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 5 -j ACCEPT

See the iptables man page for more details. Note that the limit match is global: a single attacker can use up the 3 connections per minute and lock legitimate users out, so the per-source recent rule above is usually the better choice.

*BSD PF Example

The following limits the maximum number of simultaneous connections per source to 20 and rate-limits new connections to 15 within any 5 second span. A source that breaks either rule is added to the abusive_ips table, and the block rule stops it from making any further connections. Finally, the flush keyword kills all states created by the matching rule that originate from the host that exceeded the limits (flush global would kill every state from that host, whichever rule created it):

sshd_server_ip="202.54.1.5"
table <abusive_ips> persist
block in quick from <abusive_ips>
pass in on $ext_if proto tcp to $sshd_server_ip port ssh flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 15/5, overload <abusive_ips> flush)

Entries stay in <abusive_ips> until you remove them with pfctl, so expire them periodically from cron, and exclude your own management addresses with a pass in quick rule placed before this one, or a mistyped password from a script can lock you out.

Use Port Knocking

Port knocking is a method of externally opening ports on a firewall by generating connection attempts to a set of prespecified closed ports. Once the correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host that sent the attempts to connect on specific port(s). A sample port knocking setup for ssh using iptables (the knock sequence is 1234, then 3456, then 2345, each within 5 seconds of the previous; port 22 is then open to that source for 5 seconds, and the INPUT chain needs a DROP policy for everything else):

$IPT -N stage1
$IPT -A stage1 -m recent --remove --name knock
$IPT -A stage1 -p tcp --dport 3456 -m recent --set --name knock2

$IPT -N stage2
$IPT -A stage2 -m recent --remove --name knock2
$IPT -A stage2 -p tcp --dport 2345 -m recent --set --name heaven

$IPT -N door
$IPT -A door -m recent --rcheck --seconds 5 --name knock2 -j stage2
$IPT -A door -m recent --rcheck --seconds 5 --name knock -j stage1
$IPT -A door -p tcp --dport 1234 -m recent --set --name knock

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name heaven -j ACCEPT
$IPT -A INPUT -p tcp --syn -j door

Treat knocking as a way to hide the port from scanners, not as authentication: anyone who can observe the knock can replay it. Single packet authorization, as implemented by fwknop below, replaces the plain knock with an encrypted, signed, non-replayable packet.

  • fwknop is an implementation that combines port knocking and passive OS fingerprinting.
  • Multiple-port knocking Netfilter/IPtables only implementation.

Use Log Analyzer

Read your logs using logwatch or logcheck. These tools make log reading easier: they go through the logs for a given period and produce a report on the areas you choose with the detail you choose. Make sure LogLevel in sshd_config is INFO (the default) or, better, VERBOSE, which additionally records the fingerprint of the key used for each public key login, so you can tell which of several keys on a shared account was used:

LogLevel VERBOSE

Do not run production servers at the DEBUG levels: they log far more than you want to keep, and the sshd_config man page notes that they violate users’ privacy.

Patch OpenSSH and Operating Systems

It is recommended that you use tools such as yum, apt-get, freebsd-update and others to keep systems up to date with the latest security patches.

Unable to remove Plesk Domain

When trying to remove a domain, the following error message appears:

Unable to delete hosting: Unable to create SubDomainManager: Unable to create SubDomainPerformance object: WebServerManager::getSubDomainPerformance() failed: Unable to parse current performance.


The subdomains cannot be removed either.

When accessing a subdomain management page the following error message is displayed:

Unable to create SubDomainManager object: Unable to create SubDomainPerformance object: WebServerManager::getSubDomainPerformance() failed: Unable to parse current performance.

CAUSE
========
The subdomain is not configured in IIS.

RESOLUTION
========

It needs to be re-configured. This can be done with the following command line utility:

“%plesk_bin%\websrvmng.exe” --update-subdomain --vhost-name=<domain> --subdomain=<subdomain>

==========================

If the issue persists, try the following as well:

1. Remove the registry key

HKEY_LOCAL_MACHINE -> SOFTWARE -> PLESK -> PSA Config -> Config -> SitesCache

2. Then remove the domain from IIS:

cd %plesk_bin%

websrvmng.exe --remove-vhost --vhost-name=Domainname

3. Then install the domain again through the command line:

websrvmng.exe --install-vhost --vhost-name=Domainname

4. Then go to the Plesk Control Panel and delete the domain. It is still in the list, but it will actually delete this time.

change RDP listening port in Windows 2003 server?

How to Change the Listening Port for Remote Desktop

Microsoft has a Knowledge Base article KB306759 that details how to modify and change the Remote Desktop listening port by changing registry value.

  1. Start RegEdit
    Start Registry Editor by clicking on Start -> Run, and type in regedit in the Run text box, and then press Enter or click OK.
  2. Navigate to the following registry branch/subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    Control\Terminal Server\WinStations\RDP-Tcp\
  3. Locate the registry entry PortNumber in the right pane.
  4. Modify PortNumber
    Right click on PortNumber and choose Modify (or select PortNumber, then click on Edit menu and select Modify).
  5. Decimal PortNumber
    On the Edit DWORD Value window, click on Decimal.
  6. Type in the new port number on the Value Data text box.
  7. Click OK when done. The new port takes effect after a reboot (or after restarting the Terminal Services service). Before you disconnect, add a Windows Firewall exception for the new TCP port, or you will lock yourself out; afterwards connect with mstsc /v:server:port.

How to use parted for creating partitions larger than 2 TB

To create partitions larger than 2 TB we need to use a GPT label. Standard fdisk (of that era) does not understand GPT labels, so we use parted.

Here we are going to partition the disk /dev/sdb

root@localhost ~> parted /dev/sdb

This will bring up parted.  Type help to view the commands in parted prompt.

(parted) help
check NUMBER                             do a simple check on the file system
cp [FROM-DEVICE] FROM-NUMBER TO-NUMBER   copy file system to another partition
help [COMMAND]                           prints general help, or help on COMMAND
mklabel,mktable LABEL-TYPE               create a new disklabel (partition table)
mkfs NUMBER FS-TYPE                      make a FS-TYPE file system on partititon NUMBER
mkpart PART-TYPE [FS-TYPE] START END     make a partition
mkpartfs PART-TYPE FS-TYPE START END     make a partition with a file system
move NUMBER START END                    move partition NUMBER
name NUMBER NAME                         name partition NUMBER as NAME
print [free|NUMBER|all]                  display the partition table, a partition, or all devices
quit                                     exit program
rescue START END                         rescue a lost partition near START and END
resize NUMBER START END                  resize partition NUMBER and its file system
rm NUMBER                                delete partition NUMBER
select DEVICE                            choose the device to edit
set NUMBER FLAG STATE                    change the FLAG on partition NUMBER
toggle [NUMBER [FLAG]]                   toggle the state of FLAG on partition NUMBER
unit UNIT                                set the default unit to UNIT
version                                  displays the current version of GNU Parted and copyright information

root@localhost ~> parted /dev/sdb
GNU Parted 1.8.1
Using /dev/sdb
Welcome to GNU Parted! Type ‘help’ to view a list of commands.
(parted)

To change the label to gpt we run the following command:

(parted) mklabel gpt

Next run the print command: This will list the disk geometry. Please note the size listed:

(parted) print

Model: Adaptec raid5-1 (scsi)
Disk /dev/sdb: 10.7TB
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start   End     Size    File system  Name     Flags

This tells us where to start and end the partition. To create one huge 8 TB partition (8388608 MB; parted 1.8 reads bare numbers as megabytes, so append an explicit unit such as 8TB or 1MiB whenever you want to be unambiguous) run:

(parted) mkpart primary 0 8388607.000

The command reads as: make a primary partition starting at 0 and ending at 8388607.000 MB. Note that a partition starting at 0 is not aligned to the usual 1 MiB boundary; newer parted releases warn about this, and on RAID or 4K-sector disks the misalignment costs performance, so start at 1MiB on a modern system.

If you simply want the partition to span the whole disk, exit parted and run this from a shell instead:

root@localhost ~> parted -s -- /dev/sdb mkpart primary ext3 0 -1

This takes the whole disk for the partition (the -- stops parted from treating -1 as an option).

The partition has been created and now you can quit parted:
(parted) quit

Now all that has to be done is to format the partition (the -m switch tells mkfs to reserve only 1% of the blocks for the superuser instead of the default 5%, which on an 8 TB file system is a lot of space):

root@localhost ~> mkfs.ext3 -m1 /dev/sdb1
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
1024000000 inodes, 2047999751 blocks
20479997 blocks (1.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
62500 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
102400000, 214990848, 512000000, 550731776, 644972544, 1934917632

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 38 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

Mount the disk

root@localhost ~> mount /dev/sdb1 /disk1

root@localhost ~> df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3             240G  2.3G  225G   2% /
/dev/sda1             996M   45M  900M   5% /boot
tmpfs                 2.0G     0  2.0G   0% /dev/shm
/dev/sdb1             7.6T  177M  7.5T   1% /disk1

Now edit /etc/fstab to mount the partition automatically on boot.

root@localhost ~>vi /etc/fstab

Add the following  line  in /etc/fstab

/dev/sdb1     /disk1   ext3    defaults        0 0

 

How to enable PassivePortRange In IIS

For Windows 2003 Server

A) Add Passive port range in IIS

a) To Enable Direct Metabase Edit
1. Open the IIS Microsoft Management Console (MMC).
2. Right-click on the Local Computer node.
3. Select Properties.
4. Make sure the Enable Direct Metabase Edit checkbox is checked.

b) Configure PassivePortRange via ADSUTIL script
1. Click Start, click Run, type cmd, and then click OK.
2. Type cd Inetpub\AdminScripts and then press ENTER.
3. Type the following command from a command prompt.
adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5700"
4. Restart the FTP service.

You’ll see the following output, when you configure via ADSUTIL script:

Microsoft (R) Windows Script Host Version 5.6

Copyright (C) Microsoft Corporation 1996-2001.

All rights reserved.

PassivePortRange : (STRING) "5500-5700"

B) Add firewall exception in windows firewall

To add a range of ports to Windows Firewall from the Command Line

1. Click Start, click Run, type cmd, and then click OK.
2. Type in the following, where the range (first, step, last; inclusive, so 5500 to 5700 matches the range configured above) is specified in ( ) and the name of the firewall entry is in " ":
FOR /L %I IN (5500,1,5700) DO netsh firewall add portopening TCP %I "Passive FTP %I"
3. Each port in the range will be added with an “OK” confirmation.

Or you can manually add the port exception as follows.

1. Click Start >> Run >> firewall.cpl ( Hit enter) , and select the Exceptions tab.
2. Click the Add Port button.
3. Enter a Name for the Exception and the first number in the port range.
4. Click TCP if not already selected and click OK.
5. Repeat for each port in the range; for large ranges use the command-line loop above instead.
6. Enable the Windows Firewall on the General Tab.

For Windows 2008 Server

A) Add Passive port range  in IIS

1. Go to IIS 7.0 Manager. In the Connections pane, click the server-level node in the tree.
2.  Double-click the FTP Firewall Support icon in the list of features.
3. Enter a range of values for the Data Channel Port Range.
4. Once you have entered the port range for your FTP service, click Apply in the Actions pane to save your configuration settings.

Notes:

1. The valid range for ports is 1024 through 65535. (Ports from 1 through 1023 are reserved for use by system services.)
2. You can enter a special port range of “0-0″ to configure the FTP server to use the Windows TCP/IP dynamic port range. The default dynamic port range in windows 2008 server is from 49152 to 65535.

You can view this details by issuing the folowing command in the server.

C:\Users\Administrator>netsh int ipv4 show dynamicport tcp

3. For additional information, please see the following Microsoft Knowledge Base articles:

* 929851 – http://support.microsoft.com/kb/929851/

4. This port range will need to be added to the allowed settings for your firewall server.

To configure the external IPv4 Address for a Specific FTP Site
1. Go to IIS 7.0 Manager. In the Connections pane, click the FTP site that you created earlier in the tree, Double-click the FTP Firewall Support icon in the list of features.
2. Enter the IPv4 address of the external-facing address of your firewall server for the External IP Address of Firewall setting.
3. Once you have entered the external IPv4 address for your firewall server, click Apply in the Actions pane to save your configuration settings.

B. Add firewall exception in windows firewall

To add a range of ports to Windows Firewall from the Command Line

1. Click Start, click Run, type cmd, and then click OK.
2. Type the following. The passive data ports are ports the FTP service listens on and the client connects to, so the rule must allow inbound traffic (dir=in); netsh advfirewall accepts a port range directly, so one rule covers the whole range:

netsh advfirewall firewall add rule name="FTP passive data ports" dir=in action=allow protocol=TCP localport=49152-65535

3. The command answers with an "Ok." confirmation. Opening the entire dynamic range inbound exposes every other service that happens to listen on an ephemeral port, so on an Internet-facing server prefer a narrow dedicated range (for example 5500-5700, configured in the FTP Firewall Support page above) over the 0-0 dynamic setting.

To open a single port instead:

C:\Users\Administrator>netsh advfirewall firewall add rule name="OpenPort65535" dir=in action=allow protocol=TCP localport=65535

32 bit emulation mode in 64 bit server for IIS and ASP.NET

IIS 6.0 supports both the 32-bit mode and the 64-bit mode. However IIS 6.0 does not support running both modes at the same time on a 64-bit version of Windows. ASP.NET 1.1 runs only in 32-bit mode. ASP.NET 2.0 runs in 32-bit mode or in 64-bit mode. Therefore, if you want to run ASP.NET 1.1 and ASP.NET 2.0 at the same time, you must run IIS in 32-bit mode.

ASP.NET 1.1, 32-bit version

To run the 32-bit version of ASP.NET 1.1, follow these steps:

  1. Click Start, click Run, type cmd, and then click OK.
  2. Type the following command to enable the 32-bit mode:
    cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1
  3. Type the following command to install the version of ASP.NET 1.1 and to install the script maps at the IIS root and under:
    %SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -i
  4. Make sure that the status of ASP.NET version 1.1.4322 is set to Allowed in the Web service extension list in Internet Information Services Manager.

ASP.NET 2.0, 32-BIT VERSION

To run the 32-bit version of ASP.NET 2.0, follow these steps:

  1. Click Start, click Run, type cmd, and then click OK.
  2. Type the following command to enable the 32-bit mode:
    cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1
  3. Type the following command to install the version of ASP.NET 2.0 (32-bit) and to install the script maps at the IIS root and under:
    %SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i
  4. Make sure that the status of ASP.NET version 2.0.50727 (32-bit) is set to Allowed in the Web service extension list in Internet Information Services Manager.

ASP.NET 2.0, 64-BIT VERSION

To run the 64-bit version of ASP.NET 2.0, follow these steps:

  1. Click Start, click Run, type cmd, and then click OK.
  2. Type the following command to disable the 32-bit mode:
    cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0
  3. Type the following command to install the version of ASP.NET 2.0 and to install the script maps at the IIS root and under:
    %SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe -i
  4. Make sure that the status of ASP.NET version 2.0.50727 is set to Allowed in the Web service extension list in Internet Information Services Manager.

 

 

Ref : http://support.microsoft.com/kb/894435

How to make SSH work Faster?

Here are some tricks to boost your productivity when working with SSH.

Auto Login

OpenSSH has a great feature, key-based authentication, which uses an RSA/DSA (or, on current releases, Ed25519) key pair instead of a password. With it, login can be done automatically.

Here are the steps:

  1. Create an ssh key pair if you do not have one. Check ~/.ssh: if you find a file named id_rsa.pub, id_ed25519.pub or id_dsa.pub, you are done, since the key pair is ready to use. Otherwise create it simply by typing ssh-keygen and following the instructions. Keep in mind that there are several key types, chosen with -t; RSA and DSA are the classic ones. I always use RSA. You can choose one on your own (but note that DSA keys are limited to 1024 bits and are disabled by default in OpenSSH 7.0 and later, so avoid them for anything new). If you choose RSA with the other options left at their defaults, you will get id_rsa and id_rsa.pub in ~/.ssh. The former file is the private key and the latter the public key.
  2. Make sure your ~/.ssh is private. I want to emphasize that the private key, i.e. id_rsa, is the equivalent of your password, since anyone who can access this file can log in to the remote machine as easily as if they had your password! So make it private first (the key file itself should be mode 600, readable only by you), and protect the private key with a passphrase when ssh-keygen asks for one:
    chmod 700 ~/.ssh
  3. Transfer your public key to the remote machine you want to log in to automatically. scp is one way:
    scp ~/.ssh/id_rsa.pub user@remote.machine.com:~/my_key.pub
  4. Append your public key to ~/.ssh/authorized_keys on the remote machine:
    cat my_key.pub >> ~/.ssh/authorized_keys
  5. Done! Check whether you can log in to the remote machine automatically by simply typing
    ssh user@remote.machine.com

    on your local machine. If it works, remove my_key.pub from the remote machine.

  6. For geeks who would like to do it in one line, here it is:
    cat ~/.ssh/id_rsa.pub | ssh -l user remote.machine.com ‘cat >> ~/.ssh/authorized_keys’

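The append in steps 4 and 6 works but leaves a few things to chance: ~/.ssh may not exist on the remote side, its permissions may be wrong (sshd silently ignores authorized_keys when StrictModes, the default, finds the directory or file group- or world-writable), and running it twice installs the key twice. Here is an added example, not part of the original post, of a POSIX shell function that does the append properly; the home directory and key file paths are assumptions, and the key used in the test is a placeholder blob, not a real key. ssh-copy-id, which ships with OpenSSH, does the same job over the network.

```shell
#!/bin/sh
# Install a public key into an account's authorized_keys the way sshd
# needs it (added example, not from the original post).  Three things the
# bare "cat >> ~/.ssh/authorized_keys" does not do: create ~/.ssh if it
# is missing, set the permissions that sshd's StrictModes (on by default)
# insists on (directory 700, file 600, neither group- nor world-writable),
# and skip keys that are already installed so repeated runs do not grow
# the file.

# authorized_keys_add HOME PUBKEY_FILE
# Appends each key in PUBKEY_FILE (ssh-keygen .pub format: "type blob
# comment"; option-prefixed lines are not handled) that is not already
# present.  Prints the number of keys added.
authorized_keys_add() {
    home=$1
    keyfile=$2
    ak="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$ak"
    chmod 600 "$ak"
    added=0
    while read -r ktype kblob comment; do
        case $ktype in ''|'#'*) continue ;; esac   # blank or comment line
        [ -n "$kblob" ] || continue                 # malformed line
        # Same key = same type and same base64 blob; the trailing
        # comment is informational and may differ between copies.
        if awk -v t="$ktype" -v b="$kblob" \
               '$1 == t && $2 == b { found = 1 } END { exit !found }' "$ak"
        then
            continue
        fi
        if [ -n "$comment" ]; then
            printf '%s %s %s\n' "$ktype" "$kblob" "$comment" >> "$ak"
        else
            printf '%s %s\n' "$ktype" "$kblob" >> "$ak"
        fi
        added=$((added + 1))
    done < "$keyfile"
    echo "$added"
}

# authorized_keys_count HOME: number of key lines currently installed.
authorized_keys_count() {
    awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# mode_of PATH: permission string as shown by ls, e.g. drwx------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Usage: sh add-key.sh /home/sunny /tmp/my_key.pub   (paths are assumptions)
if [ -n "${2-}" ]; then
    authorized_keys_add "$1" "$2"
fi
```

To use it remotely in the spirit of step 6, copy the script and the .pub file to the server and run it there as the target user; the duplicate check is what makes it safe to re-run from a configuration management tool.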
Even Faster

Even with auto login set up, in some cases you have to wait several seconds before the shell prompt appears. Still frustrating, right? In worse cases you wait more than 10 seconds, or even longer! Why? Each time you connect to a remote machine, sshd may take your IP address and perform a reverse DNS lookup to determine your hostname (and a forward lookup to confirm it). If the DNS server is slow, it can take seconds to return the result. The longer the lookup takes, the longer you have to wait.

Two tricks can be applied to solve this problem:

  1. Edit /etc/hosts on the remote machine and add the IP address of your local machine with an appropriate hostname. When you log in, your IP address is then resolved locally, which is definitely faster.
  2. Disable the DNS lookup on the remote machine. Edit /etc/ssh/sshd_config and add one line:
    UseDNS no

    Then restart the sshd server. If everything goes well you will see the time saved. OpenSSH 6.8 and later already default to UseDNS no; the only thing you give up by turning it off is the ability to use hostnames rather than addresses in from= restrictions in authorized_keys and in Match Host blocks.

Both tricks require root privilege. If you do not have root access, ask your administrator to help you.

Troubleshooting

Use ssh -v or ssh -vvv to output debug information and diagnose the problem.

How ssh works

SSH identifies hosts and users by exchanging and verifying public keys, then protects the rest of the session with encryption. The session keys are negotiated fresh for every connection by a Diffie-Hellman style key exchange; the long-lived host and user keys are used only to prove identity, never to encrypt the traffic itself.

SSH is designed to provide a secure method of authentication and data transport. This is accomplished via three protocol layers set up in order during the connection: SSH-TRANS (server authentication, key exchange and encryption), SSH-AUTH (user authentication) and SSH-CONN (the multiplexed channels that carry the shell, port forwards and so on).

As a user, you generate an “identity” on the client system by running the ssh-keygen program. It creates the subdirectory $HOME/.ssh and inserts in it two files, for example id_rsa and id_rsa.pub (the SSH-1 era names were identity and identity.pub), which contain your private and public keys for your account on the client system. The public key can then be appended to $HOME/.ssh/authorized_keys on any/all servers you will make ssh connections to.

As a system administrator, you generate a public and private key pair for the system itself (the host key, normally created at install time in /etc/ssh). Because the server proves possession of this key on every connection, the possibility of someone spoofing the system’s identity by faking IP addresses or tampering with the DNS records that map names to addresses is removed: they would have to break into the system and steal its private host key in order to successfully pretend to be that system. This is a big improvement in security.

Once you have generated your key pair on your local system, you can place your public key in authorized_keys on the server so you can bypass the password prompt and log straight in.

When you ssh to a machine with a command such as:

ssh -l admin -p 78 svrxx.domain.com

the first step is authentication of the server to the client: the client checks whether the server’s public host key is already recorded in $HOME/.ssh/known_hosts (or the system-wide /etc/ssh/ssh_known_hosts). This procedure is known as host validation. If the key is present and matches, the connection proceeds to user authentication.

If it is not present, ssh displays a message like:

The authenticity of host ’svrxx.domain.com (67.75.52.50)’ can’t be established.
RSA key fingerprint is bd:e7:14:30:13:ba:74:77:47:b3:2a:b3:a1:07:2e:7a.
Are you sure you want to continue connecting (yes/no)?

Once you answer yes, the server’s public key is stored in known_hosts and you will not see this message again. Answering yes without comparing the fingerprint against one obtained out of band (from the administrator, or from ssh-keygen -lf run against the host key file on the server) is exactly the moment a man-in-the-middle can slip in. If the key is present but does not match, ssh refuses to continue and prints a loud warning that the host identification has changed; treat that as an incident until the administrator confirms the key really was rotated.

Once host validation is complete, client and server derive shared session keys from the key exchange and all subsequent communication is encrypted with them; the user key generated by ssh-keygen is used only to answer the server’s authentication challenge.

Apache Graceful Restart Requested Every Two Hours

Apache by default logs data directly to log files. While this isn’t a bad thing, it is not your only option. Both Apache 1.x and Apache 2.x bring with them the option of enabling something called “Piped Logging”, though cPanel will only allow you to enable it for version 2.x.

 

Piped logging is extremely powerful when used correctly, and has far more flexibility than what we are using here. The way it is described here, we will be attempting to negate the memory hungry apache processes that creep up when a server is hosting very low traffic websites (less than 1 request per second) with traditional Apache log configurations.

The restart notices were appearing in the log about 12 times a day (every two hours), along with any other scheduled or manual restarts. This is an excerpt from yesterday’s error log:

# grep 'Aug 13' /usr/local/apache/logs/error_log | grep 'Graceful'
[Fri Aug 13 01:12:46 2010] [notice] Graceful restart requested, doing restart
[Fri Aug 13 03:10:53 2010] [notice] Graceful restart requested, doing restart
[Fri Aug 13 05:08:28 2010] [notice] Graceful restart requested, doing restart
[Fri Aug 13 07:05:49 2010] [notice] Graceful restart requested, doing restart
[Fri Aug 13 08:05:13 2010] [notice] Graceful restart requested, doing restart
[Fri Aug 13 09:11:05 2010] [notice] Graceful restart requested, doing restart
[Fri Aug 13 11:08:16 2010] [notice] Graceful restart requested, doing restart
[Fri Aug 13 13:05:19 2010] [notice] Graceful restart requested, doing restart
[Fri Aug 13 15:02:23 2010] [notice] Graceful restart requested, doing restart
[Fri Aug 13 17:16:05 2010] [notice] Graceful restart requested, doing restart
[Fri Aug 13 19:13:09 2010] [notice] Graceful restart requested, doing restart
[Fri Aug 13 21:10:11 2010] [notice] Graceful restart requested, doing restart
[Fri Aug 13 23:07:14 2010] [notice] Graceful restart requested, doing restart

The Fix!

Enter Piped logging. Enabling piped logging in this way has a few different effects, but the one we are primarily concerned with is preventing Apache from initiating that graceful restart request every two hours.

Pre-implementation:

Note: You will need to have root access to the server in order to implement piped logging.

Software Requirements:
Cpanel Version: 11.25.0-R43471 or later
Apache Version 2 or later

You can check your versions with the following commands:
cPanel:
[host - root]: cat /usr/local/cpanel/version
For Apache:
[host - root]: /usr/local/apache/bin/httpd -v

Implementation

There are two possible ways to implement this fix, one is via the command line, the other is through the WHM.

Method 1: All Command Line

Make a backup of the Apache config:

[host:root]: cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.prepipedlogging

Edit /var/cpanel/cpanel.config:

[host:root]: vi /var/cpanel/cpanel.config

Add the following

enable_piped_logs=1

Make cPanel aware of the change:

[host:root]: /usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings

Rebuild the Apache config:

[host:root]: /scripts/rebuildhttpdconf

Stop and Start Apache:

/etc/init.d/httpd stop
/etc/init.d/httpd start

Method 2: Allow cPanel/WHM to do the hard parts

Make a backup of the Apache config:
[host:root]: cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.prepipedlogging

Log into WHM, and follow this sequence to the right place:
Service Configuration >> Apache Configuration >> Piped Log Configuration
Enable piped Apache logging, save it and let it rebuild the configuration.

 

 

[FIX] Tables are not displayed in MSSQL DB Webadmin.

Symptoms

When browsing an MSSQL database as a domain user with MSSQL DB Webadmin, no tables are displayed, although they can be seen when logged in as sa.

Cause

Plesk uses a DB user created in the database to establish the connection through DB Webadmin: the first user listed in the database’s user list. All users in this database should have the db_owner role. The most likely reason for the symptom is that the user has the db_denydatareader role enabled, which overrides the read permissions granted through db_owner.

Resolution

Remove role db_denydatareader from the user.