Joel G Mathew's questions

After a messy installation of php7.1 on Debian 8 (used the ppa for Ubuntu), I managed to revert to the correct package of php7.1. However, I believe I am missing perhaps a few key modules.

The problem is that a wordpress site that worked fine before the upgrade from php5 fails with http error 500. Yes, wordpress seems to supports php7.1. The virtualservers are managed by virtualmin.

My apache2 log shows:

require_once(/home/example/public_html/wp-config.php): failed to open stream: Permission denied in /home/example/public_html/wp-load.php on line 37

Right now, php files are being downloaded on this server, instead of processing them.

However I hadnt changed the permissions, and the permissions are still correct. The user and group is example.example. In /cat/passwd, this user exists. Other sites seem to work fine. I have installed the following modules:

php7.1-curl php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-xml php7.1-xmlrpc

which are the dependencies documented in wordpress docs.

I should add that only the ssl version doesnt work. The http version shows the default apache page.

My virtualhost configuration (It's a bit messy probably because its generated by virtualmin).

<VirtualHost *:80>
SuexecUserGroup "#1003" "#1003"
ServerName example.com
ServerAlias www.example.com
ServerAlias webmail.example.com
ServerAlias admin.example.com
ServerAlias *.example.com
DocumentRoot /home/example/public_html
ErrorLog /var/log/virtualmin/example.com_error_log
CustomLog /var/log/virtualmin/example.com_access_log combined
ScriptAlias /cgi-bin/ /home/example/cgi-bin/
ScriptAlias /awstats/ /home/example/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/example/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
AddHandler fcgid-script .php7.1
FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php5
FCGIWrapper /home/example/fcgi-bin/php7.1.fcgi .php7.1
</Directory>
<Directory /home/example/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.example.com
RewriteRule ^(.*) https://example.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.example.com
RewriteRule ^(.*) https://example.com:10000/ [R]
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php7.1
FcgidMaxRequestLen 1073741824
Alias /dav /home/example/public_html
Alias /pipermail /var/lib/mailman/archives/public
<Location /dav>
DAV on
AuthType Basic
AuthName "example.com"
AuthUserFile /home/example/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
RemoveHandler .php
RemoveHandler .php5
RewriteEngine off
</Location>
<Files awstats.pl>
AuthName "example.com statistics"
AuthType Basic
AuthUserFile /home/example/.awstats-htpasswd
require valid-user
</Files>
RedirectMatch /cgi-bin/mailman/([^/\.]*)(.cgi)?(.*) https://example.com:10000/virtualmin-mailman/unauthenticated/$1.cgi$3
RedirectMatch /mailman/([^/\.]*)(.cgi)?(.*) https://example.com:10000/virtualmin-mailman/unauthenticated/$1.cgi$3
IPCCommTimeout 41
php_admin_value engine Off
</VirtualHost>
<VirtualHost 5.196.66.43:443>
SuexecUserGroup "#1003" "#1003"
ServerName example.com
ServerAlias www.example.com
ServerAlias webmail.example.com
ServerAlias admin.example.com
ServerAlias *.example.com
DocumentRoot /home/example/public_html
ErrorLog /var/log/virtualmin/example.com_error_log
CustomLog /var/log/virtualmin/example.com_access_log combined
ScriptAlias /cgi-bin/ /home/example/cgi-bin/
ScriptAlias /awstats/ /home/example/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/example/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
AddHandler fcgid-script .php7.1
FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php5
FCGIWrapper /home/example/fcgi-bin/php7.1.fcgi .php7.1
</Directory>
<Directory /home/example/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.example.com
RewriteRule ^(.*) https://example.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.example.com
RewriteRule ^(.*) https://example.com:10000/ [R]
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php7.1
FcgidMaxRequestLen 1073741824
Alias /dav /home/example/public_html
Alias /pipermail /var/lib/mailman/archives/public
<Location /dav>
DAV on
AuthType Basic
AuthName "example.com"
AuthUserFile /home/example/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
RemoveHandler .php
RemoveHandler .php5
RewriteEngine off
</Location>
<Files awstats.pl>
AuthName "example.com statistics"
AuthType Basic
AuthUserFile /home/example/.awstats-htpasswd
require valid-user
</Files>
RedirectMatch /cgi-bin/mailman/([^/\.]*)(.cgi)?(.*) https://example.com:10000/virtualmin-mailman/unauthenticated/$1.cgi$3
RedirectMatch /mailman/([^/\.]*)(.cgi)?(.*) https://example.com:10000/virtualmin-mailman/unauthenticated/$1.cgi$3
SSLEngine on
SSLCertificateFile /home/example/ssl.cert
SSLCertificateKeyFile /home/example/ssl.key
IPCCommTimeout 41
SSLCACertificateFile /home/example/ssl.ca
php_admin_value engine Off
</VirtualHost>

Please help me get to the root of this. I tried removing the php7.1 lines, but didnt do anything.

The .htaccess files:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^blog.example.com$ [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://blog.example.com/$1 [R,L]
RewriteCond %{HTTP_HOST} ^supernova.example.com$ [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://supernova.example.com/$1 [R,L]
RewriteCond %{HTTP_HOST} ^(.*)example.com$ [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [R,L]
</IfModule>
<ifModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options: "nosniff”
</ifModule>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# uploaded files
RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule . index.php [L]

Debian 8
apache2
php 7.1, and 5.6

Is it possible to edit the command line of a process sent to background, or to chain another command to execute after the first command has exited?

Eg: I start mirroring a site with wget -m site.com but later realize that I want to be notified by email when the job executed. The job is running in the background (bg). How can I add a && sendmail to the command, or execute it when the first command has completed execution?

Is there a program which can display the power on hours of a hard disk from a *nix shell? I'm rewriting a server benchmark program, and this would be a useful value to compare.

I'm trying to block access to my website depending on whether a visitor had visited the site through another website. The latter has been using up my traffic by using an iframe to display content through his site, masking my site's identity.

I have mod_env_if activated in apache2.

ErrorDocument 403 /error403.html
SetEnv noaccess=0
SetEnvIf Referer "^http://sitetoblock\.tk/" noaccess=1
SetEnvIf Referer "^http://www\.sitetoblock\.tk/" noaccess=1


<FilesMatch "\.(gif|png|jpe?g|php|html)$">
Order Allow,Deny
Deny from env=noaccess

</FilesMatch>

The problem is that this directive is blocking all traffic including direct visitors to the site. What am I doing wrong?

As part of installing proxmox on a dedicated server running Debian, it installed a new kernel. As part of the install instructions, I am supposed to choose the new kernel in grub. However I dont have a virtual console for accessing the server at the time of boot. The only thing I can do, is to run an ssh console to the server after it boots. How can I select the pv kernel as default for boot time?

I am running Debian Wheezy on the server, and installed proxmox 3.

I know my question may be a big ambiguous, but I'll strive to explain in the description.

The scenario is this. I have three nameservers, which are Debian VPSes which just run bind9 on a Debian 6 32 bit minimal system. These provide DNS service for 6 different sites.

I have set the following A entries for my main domain, whose name provides the FQDN for all three nameservers:

ns1.mydomain.com -> A -> IP of ns1 server
ns2.mydomain.com -> A -> IP of ns2 server
ns3.mydomain.com -> A -> IP of ns3 server

The DNS entries for mydomain.com have so far been set on a third party server, dnsever.com. Having my own nameservers, I'd like to drop dnsever and use these three servers to provide DNS for my primary domain too, if it's possible.

However, when I setup nameserver entries on my domain registrar, for my primary domain (whose name qualifies the nameservers), it asks for FQDNs for the nameservers from which it determines their IP addresses, and I'm sure that setting ns1.mydomain.com, ns2.mydomain.com there is wrong, since before making ns1.mydomain.com resolve to the IP of the nameserver, I cant use the DNS name. It seems sort of a chicken and egg situation here, unless I'm totally missing the point.

Without using a third party DNS service, how can I use my own three servers to provide independent service to resolve even the FQDNs of themselves?

How do nameservers do failover? What decides the order in which nameservers are queried when the primary nameserver is not reachable?

To illustrate, here's part of my zonefile:

$TTL 3m;
site.com.       IN      SOA     ns1.sitese.com. admin.site.com. (
                   2007010403           ; Serial
                         1800           ; Refresh [1h=3600] 1800=30m
                          600           ; Retry   [10m]
                        86400           ; Expire  [2weeks] 86400=1day
                          180 )         ; Negative Cache TTL [1h]
;
site.com.      IN     NS      ns1.sitese.com.
site.com.      IN     NS      ns2.sitese.com.
site.com.      IN     NS      ns3.sitese.com.   
ns1.sitese.com.  IN     A       199.168.35.23
ns2.sitese.com.  IN     A       38.124.113.106
ns3.sitese.com.  IN     A       38.128.98.213   

Obviously the primary nameserver is ns1.sitese.com as it is listed in the SOA record. But which one becomes the secondary nameserver if the primary is unreachable? Is it ns2, or ns3? What decides the order in which secondary nameservers are queried? Is it the order in which they appear in the zonefile? Is it something else?

Problem: I need to setup zonefiles so that I can setup email users: Both [email protected], and [email protected], where there are two different users and not aliases. Emails from users @mysite.com utilizes a different mail server from the one used by users @email.mysite.com.

I have setup the following zone file:

    mysite.com.       IN      SOA     ns1.nsserver.co.in. admin.mysite.com. (
                   2007010403           ; Serial
                         1800           ; Refresh [1h=3600] 1800=30m
                          600           ; Retry   [10m]
                        86400           ; Expire  [2weeks] 86400=1day
                          180 )         ; Negative Cache TTL [1h]
;
mysite.com.      IN     NS      ns1.nsserver.co.in.
mysite.com.      IN     NS      ns2.nsserver.co.in.
mysite.com.      IN     NS      ns3.nsserver.co.in.
mysite.com.      IN     MX      10 hermes.mailserver.co.in.
mail.mysite.com. IN     MX      10 apollo.drmailserver.info.
mail.mysite.com. IN     A       172.25.31.173
mysite.com.      IN     A       198.21.221.223
www.mysite.com.  IN     A       198.21.221.223
ns1.mysite.com.  IN     A       199.188.75.23
ns2.mysite.com.  IN     A       38.114.103.106
ns3.mysite.com.  IN     A       38.127.98.233
mysite.com.     3501    IN     TXT   "v=spf1 a:hermes.mailserver.co.in mx:hermes.mailserver.co.in mx:apollo.drmailserver.info ip4:198.23.228.223 ~all"
*.mysite.com.   3600    IN      CNAME   mysite.com.

Am I doing this properly? Is the A record to the IP of the mailserver required?

I've done a named-checkzone, which has found no errors. When I do a dig for MX records, the second MX record is not displayed. But I'm unsure whether this is because the record are not live yet.

I need to test various DNS changes on my domain which require that the zone file changes I make are updated quickly.

I'm a bit confused between Refresh, Retry, Expire and TTL values. Which is the one I need to set to a minimum, to "propogate DNS changes" (if I may use the term) without much latency? I'm rather new to nameservers, but have three nameservers set to rsync their zone files every 2 minutes. The first server (ns1.mydomain) has the following setup:

mydomain.com.       IN      SOA     ns1.mainnameserver.co.in. admin.mydomain.com. (
                   2007010401           ; Serial
                         1800           ; Refresh [1h=3600] 1800=30m
                          600           ; Retry   [10m]
                        86400           ; Expire  [2weeks] 86400=1day
                          600 )         ; Negative Cache TTL [1h]
;
$TTL 3m;
mydomain.com.      IN     NS      ns1.mainnameserver.co.in.
mydomain.com.      IN     NS      ns2.mainnameserver.co.in.
mydomain.com.      IN     NS      ns3.mainnameserver.co.in.
mydomain.com.      IN     MX      10 her.mainnameserver.co.in.
mydomain.com.      IN     A       198.13.18.223
www.mydomain.com.  IN     A       198.13.18.223
ns1.mydomain.com.  IN     A       197.18.72.23
ns2.mydomain.com.  IN     A       36.124.102.106
ns3.mydomain.com.  IN     A       36.117.98.133
mydomain.com.     3501    IN     TXT   "v=spf1 a:her.mainnameserver.co.in mx:hermes.mainnameserver.co.in mx: ip4:191.21.218.223 ~all"
*.mydomain.com.   3600    IN      CNAME   mydomain.com.

I've assumed that TTL is the value I need, and have set it as above, to 3 minutes. Is it the right way to do it?

On a related note..With the above zonefile, when I do a named-checkzone, I get /var/lib/bind/db.mydomain.com:1: no TTL specified; using SOA MINTTL instead. Why is this message shown? How do I avoid the warning and do it properly?

As part of running a backup script for a linux server, I have commands like mysqldump within a bash script which contain the mysql root password, and certain ftp server passwords. Are these retrievable by a malicious user, from the server logs?

I know that while the script is being run, processes like mysqldump can be viewed with the command line parameters, on invoking a ps ax. Do these get logged to server logs? If so, how can I cleanup after script execution? Is it at all possible to avoid these issues altogether?

Addendum: My question is not specifically regarding mysqldump. There are other binaries like lftp and mysqldump that require passwords as an argument. I am aware that mysqldump accepts file inputs, as does lftp. However, is it possible to generically protect commands invoked in a bash script, which may contain sensitive information, from snooping?

I have installed bind9 on a Debian VPS, and use it as nameserver for one of my domains. It works well. dig reports correct entries.

I now wish to use this nameserver for four more domains, and am a bit confused about certain configuration parameters.

The primary domain I used is drjoel.in, for which I have set up the following in master zone file

cat /etc/bind/named.conf.local
zone "drjoel.in" {
     type master;
     file "/var/lib/bind/db.drjoel.in";
     allow-update { key rndc-key; };
};
zone "31.167.199.in-addr.arpa" {
     type master;
     file "/etc/bind/zones/rev.14.31.167.199.in-addr.arpa";
};

I have added this:

zone "relsoft.in" {
     type master;
     file "/var/lib/bind/db.relsoft.in";
     allow-update { key rndc-key; };
};

for my second domain, and the following in /var/lib/bind/db.relsoft.in:

relsoft.in.       IN      SOA     ns1.joel.co.in. admin.relsoft.in. (
                   2007010401           ; Serial
                         3600           ; Refresh [1h]
                          600           ; Retry   [10m]
                        86400           ; Expire  [1d]
                          600 )         ; Negative Cache TTL [1h]
;
relsoft.in.     IN      NS      ns1.joel.co.in.
relsoft.in.      IN      NS      ns2.joel.co.in.
relsoft.in.      IN      MX      10 aspmx.l.google.com. 
relsoft.in.     IN      A       198.23.228.223
www.            IN      A       198.23.228.223
ns1.            IN      A       199.167.31.14
ns2.            IN      A       38.114.103.106
mail.relsoft.in.        3600    IN      CNAME   ghs.google.com
*.relsoft.in.   3600    IN      CNAME   relsoft.in.

My /etc/resolv.conf currently looks like this:

#cat /etc/resolv.conf
search drjoel.in
nameserver 199.167.31.14

My questions are:

1. What should my resolv.conf be, to allow me to use this server as nameserver for both domains?
2. Am I correct in assuming that I shouldnt add a reverse DNS (PTR) for the second domain, since I already have one for the first domain?
3. Other than editing /etc/bind/named.conf.local and adding /var/lib/bind/db.relsoft.in, are there any additional steps to do?

My problem is that I need to set a few variables, and output a few lines every time I login to the ssh shell, and at the same time I have to be able to use sftp to tarnsfer files via Filezilla.

Now, as per the openssh FAQ at http://www.openssh.org/faq.html, if your startup scripts echo any kind of output, it messes up with sftp. So it either delays indefinitely, or errors out with a "Connection closed by server with exit code 128".

I have tried solutions like moving .bashrc to .bash_profile, or using the following code in .bashrc:

if [ "$TERM" != "dumb" ]
then
   source .bashc_real
fi

And:

if [ "$TERM" = "xterm" ]
then
   source .bashc_real
fi

However, nothing works. My shell terminal is bash, and I connect to sftp with filezilla.