NOT: Hatalar var Dikkatli OL!

Pool Related Commands
# zpool create datapool c0t0d0  - Create a basic pool named datapool
# zpool create -f datapool c0t0d0 - Force the creation of a pool
# zpool create -m /data datapool c0t0d0 - Create a pool with a different mount point than the default.
# zpool create datapool raidz c3t0d0 c3t1d0 c3t2d0 - Create RAID-Z vdev pool
# zpool add datapool raidz c4t0d0 c4t1d0 c4t2d0 - Add RAID-Z vdev to pool datapool
# zpool create datapool raidz1 c0t0d0 c0t1d0 c0t2d0 c0t3d0 c0t4d0 c0t5d0 - Create RAID-Z1 pool
# zpool create datapool raidz2 c0t0d0 c0t1d0 c0t2d0 c0t3d0 c0t4d0 c0t5d0 - Create RAID-Z2 pool
# zpool create datapool mirror c0t0d0 c0t5d0 - Mirror c0t0d0 to c0t5d0
# zpool create datapool mirror c0t0d0 c0t5d0 mirror c0t2d0 c0t4d0 - disk c0t0d0 is mirrored with c0t5d0 and disk c0t2d0 is mirrored with c0t4d0
# zpool add datapool mirror c3t0d0 c3t1d0 - Add new mirrored vdev to datapool
# zpool add datapool spare c1t3d0 - Add spare device c1t3d0 to the datapool
# zpool create -n geekpool c1t3d0 - Do a dry run on pool creation

Show file system info
# zfs list - List all ZFS file system
# zfs get all datapool - List all properties of a ZFS file system

Mount/Umount Related Commands
# zfs set mountpoint=/data datapool/fs1 - Set the mount-point of file system fs1 to /data
# zfs mount datapool/fs1 - Mount fs1 file system
# zfs umount datapool/fs1 - Umount ZFS file system fs1
# zfs mount -a - Mount all ZFS file systems
# zfs umount -a - Umount all ZFS file systems

Import/Export Commands
# zpool import - List pools available for import
# zpool import -a - Imports all pools found in the search directories
# zpool import -d - To search for pools with block devices not located in /dev/dsk
# zpool import -d /zfs datapool - Search for a pool with block devices created in /zfs
# zpool import oldpool newpool - Import a pool originally named oldpool under new name newpool
# zpool import 3987837483 - Import pool using pool ID
# zpool export datapool - Deport a ZFS pool named datapool
# zpool export -f datapool - Force the unmount and deport of a ZFS pool

Clone Commands
# zfs clone datapool/fs1@10jan2014 /clones/fs1 - Clone an existing snapshot
# zfs destroy datapool/fs1@10jan2014 - Destroy clone

Show Pool Information
# zpool status -x - Show pool status
# zpool status -v datapool - Show individual pool status in verbose mode
# zpool list - Show all the pools
# zpool list -o name,size - Show particular properties of all the pools (here, name and size)
# zpool list -Ho name - Show all pools without headers and columns

File-system/Volume related commands
# zfs create datapool/fs1 - Create file-system fs1 under datapool
# zfs create -V 1gb datapool/vol01 - Create 1 GB volume (Block device) in datapool
# zfs destroy -r datapool - destroy datapool and all datasets under it
# zfs destroy -fr datapool/data - destroy file-system or volume (data) and all related snapshots

Set ZFS file system properties
# zfs set quota=1G datapool/fs1 - Set quota of 1 GB on filesystem fs1
# zfs set reservation=1G datapool/fs1 - Set Reservation of 1 GB on filesystem fs1
# zfs set mountpoint=legacy datapool/fs1 - Disable ZFS auto mounting and enable mounting through /etc/vfstab.
# zfs set sharenfs=on datapool/fs1 - Share fs1 as NFS
# zfs set compression=on datapool/fs1 - Enable compression on fs1
# zfs set recordsize=[size] pool/dataset/name - Set Dataset Record Size (Size should be a value like 16k, 128k, or 1M etc.)
# zfs get recordsize pool/dataset/name - Get Dataset Record Size

ZFS I/O performance
# zpool iostat 2 - Display ZFS I/O Statistics every 2 seconds
# zpool iostat -v 2 - Display detailed ZFS I/O statistics every 2 seconds

ZFS maintenance commands
# zpool scrub datapool - Run scrub on all file systems under data pool
# zpool offline -t datapool c0t0d0 - Temporarily offline a disk (until next reboot)
# zpool online - Online a disk to clear error count
# zpool clear - Clear error count without a need to the disk

Snapshot Commands
# zfs snapshot datapool/fs1@12jan2014 - Create a snapshot named 12jan2014 of the fs1 filesystem
# zfs list -t snapshot - List snapshots
# zfs rollback -r datapool/fs1@10jan2014 - Roll back to 10jan2014 (recursively destroy intermediate snapshots)
# zfs rollback -rf datapool/fs1@10jan2014 - Roll back, forcing an unmount and remount
# zfs destroy datapool/fs1@10jan2014 - Destroy snapshot created earlier
# zfs send datapool/fs1@oct2013 > /geekpool/fs1/oct2013.bak - Take a backup of ZFS snapshot locally
# zfs receive anotherpool/fs1 < /geekpool/fs1/oct2013.bak - Restore from the snapshot backup taken
# zfs send datapool/fs1@oct2013 | zfs receive anotherpool/fs1 - Combine the send and receive operation
# zfs send datapool/fs1@oct2013 | ssh node02 "zfs receive testpool/testfs" - Send the snapshot to a remote system node02

The Dovecot configuration is updated to block non-encrypted connections to the POP and IMAP services.

This change protects the clients from accidentally misconfiguring email applications to not use encrypted connections. The connections from localhost (not going over the network) are still allowed to not use encryption.

Backwards compatibility with insecure mode can be managed with a drop-in Dovecot configuration file. Examples:

# The three recipes below are alternatives: run only the one that matches the
# installed Dovecot version, or the last one to undo either of the first two.
# Each writes (or removes) a single drop-in file and restarts Dovecot so the
# change takes effect. `>` overwrites the drop-in, so it never holds both
# settings at once.
#
# Security note: with either "allow" recipe in place, POP/IMAP clients can
# authenticate without encryption, so passwords cross the network in clear
# text. Treat the drop-in as a temporary compatibility measure; `doveconf -n`
# can be used afterwards to confirm which value is actually in effect.

# Allow plain-text POP/IMAP connections for Dovecot 2.4:
echo 'auth_allow_cleartext = yes' > /etc/dovecot/conf.d/insecure-auth.conf
systemctl restart dovecot

# Allow plain-text POP/IMAP connections for Dovecot 2.3:
echo 'disable_plaintext_auth = no' > /etc/dovecot/conf.d/insecure-auth.conf
systemctl restart dovecot

# Restore original configuration (secure):
# -f keeps rm quiet when the drop-in was never created.
rm -f /etc/dovecot/conf.d/insecure-auth.conf
systemctl restart dovecot

plesk icin yazilmis ama olsun

Determine the source IP addresses and numbers of the connections:

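# Count established connections to the web ports per peer address, busiest first.
# The sport filter matches the local port exactly; a plain grep for ":80" also
# hits ports such as :8080 and peer-side ephemeral ports that start with 80.
# With a state filter ss prints no State column, so field 4 is peer address:port.
# Only the trailing ":port" is stripped, which keeps IPv6 peers intact
# (cut -d: -f1 would truncate them). NR > 1 skips the header line.
ss -tan state established '( sport = :80 or sport = :443 )' \
  | awk 'NR > 1 { sub(/:[0-9]+$/, "", $4); print $4 }' \
  | sort \
  | uniq -c \
  | sort -nr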

Find the domains which are currently under attack:

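# For every vhost access log, count how many of the last 10000 requests came
# from one suspect address, then list the logs with the highest count last.
# 203.0.113.2 is the page's example address; substitute the one found above.
# -F treats the dots literally and -w requires a whole-word match, so
# 203.0.113.20 or 203.0.113.211 are not counted as 203.0.113.2.
for log in /var/www/vhosts/system/*/logs/*access*log; do
  # An unmatched glob is left as the literal pattern; skip it.
  [ -e "$log" ] || continue
  printf '%s ' "$log"
  tail -n10000 "$log" | grep -cwF -- '203.0.113.2'
done | sort -n -k2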

Check the number of connections in SYN_RECV state (possible syn-flood):

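# Count sockets currently in SYN-RECV; a large and growing number is a sign of
# a possible SYN flood.
# ss still prints its column header when a state filter is used, so the first
# line is dropped before counting (otherwise the result is always one too high).
ss -tan state syn-recv | tail -n +2 | wc -l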

If there are several IP addresses in Plesk, determine the target IP address under attack:

# Tally half-open (SYN_RECV) connections per local address. Field 4 of the
# netstat output is the local address:port; the port is cut off, and the
# address with the most half-open connections ends up on the last line.
netstat -lpan \
  | awk '/SYN_RECV/ { print $4 }' \
  | cut -d: -f1 \
  | sort \
  | uniq -c \
  | sort -nk 1

It is possible that there are not many established connections to the web server, however, there might be a lot of requests that were successfully served by nginx and transferred to Apache and at this point, Apache is under attack. To track these requests do the following:

Navigate to /var/www/vhosts/system:

cd /var/www/vhosts/system

Generate a file requests to fetch the number of requests that were made in the last hour using the command below.

Note: As an example, 24/Jan/2022:20 will be used. Here ":20" is 8 p.m.

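# For each vhost directory, count the access_ssl_log entries from the example
# hour (24/Jan/2022:20, i.e. 8 p.m.) and write "name count" lines to ~/requests.
# -F keeps the timestamp a literal string, and "$i" is quoted so directory
# names containing spaces or glob characters are not split or expanded.
for i in *; do
  printf '%s ' "$i"
  grep -F -- '24/Jan/2022:20' "$i/logs/access_ssl_log" | wc -l
done > ~/requests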

Check the generated file:

# Show the ten busiest vhosts: numeric, descending sort on the count column.
sort -k 2 -r -n < ~/requests | head
example.com 24549
example.net 18545
test.com 3

‼️ Block SMTP authentication on port 25 and plain-text connections improved

The Exim configuration is updated to not allow users to perform SMTP authentication on TCP port 25. This means email clients will not be able to use port 25 for sending emails. TCP port 25 will be exclusively used for communication between mail servers, and clients will have to use 587 or 465 ports.

The motivation for this change is to completely separate the mail server-to-server (MTA-to-MTA) communications from client-to-server (MUA-to-MTA) communications. This makes it easier to harden the email submission security. For example:

  • TCP ports 587 and 465 could use custom firewall rules to only allow sending emails from trusted networks.
  • It is no longer possible to brute-force the email credentials over the TCP port 25.

In addition to blocking SMTP authentication on TCP port 25, Exim will no longer allow SMTP authentication over plain-text connections. This change protects the clients from accidentally misconfiguring email applications to not use encrypted connections. Use of encryption is critical because SMTP authentication uses literal user passwords without any hashing. Accessing SMTP over plaintext at least once is enough for the user credentials to be stolen. There is an exception made to allow not using encryption for internal connections over localhost.

This is a big change that might affect servers and clients that relied on authentication always being available. This feature is implemented in a way to allow server administrators to restore the old behaviour in a simple way.

The authentication availability on SMTP ports is controlled by the AUTH_ENABLE_CONDITION macro in the /etc/exim.variables.conf file. The new default policy is:

AUTH_ENABLE_CONDITION = ${if and { {!eq{$interface_port}{25}} { or { {def:tls_in_cipher} {match_ip{$sender_host_address}{<; 127.0.0.1 ; ::1}} } } }}

The policy can be changed by setting it to a different value in the /etc/exim.variables.conf.custom file and rebuilding the Exim configuration with the da build exim_conf command.

Examples:

# The four recipes below are alternatives; apply exactly one of them.
# Each recipe first deletes any AUTH_ENABLE_CONDITION line already present in
# the .custom file, so the file never ends up with two competing definitions,
# then (except for the last recipe) appends the new value and rebuilds the
# Exim configuration.
# The Exim expressions are single-quoted so the shell passes ${if ...} and
# $sender_host_address / $interface_port through literally for Exim to expand.

# Use old (insecure) SMTP authentication policy, authentication always available
# NOTE(review): this re-opens both exposures the new default closes: password
# guessing against port 25 and SMTP AUTH over unencrypted connections, where
# the literal password is sent. Use only as a stop-gap while clients are moved
# to ports 587/465 with encryption.
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = yes' >> /etc/exim.variables.conf.custom
da build exim_conf

# Block SMTP authentication on plain-text connections, but allow it to work on all TCP ports
# Authentication is enabled when the session has a TLS cipher or the peer is
# 127.0.0.1 / ::1. Port 25 accepts authentication again, so credential
# guessing over port 25 is possible once more.
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = ${if or { {def:tls_in_cipher} {match_ip{$sender_host_address}{<; 127.0.0.1 ; ::1}} }}' >> /etc/exim.variables.conf.custom
da build exim_conf

# Block SMTP authentication on TCP port 25, but allow it on plain-text connections on other ports
# NOTE(review): the condition only tests the interface port, so clients on
# other ports can still authenticate without encryption and expose their
# passwords to anyone on the network path.
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
echo 'AUTH_ENABLE_CONDITION = ${if !eq{$interface_port}{25}}' >> /etc/exim.variables.conf.custom
da build exim_conf

# Use the new (secure) DirectAdmin SMTP authentication policy
# Removing the override leaves only the default from /etc/exim.variables.conf.
sed -i '/^AUTH_ENABLE_CONDITION /d' /etc/exim.variables.conf.custom
da build exim_conf

Note: It is highly recommended to use the new default SMTP authentication policy. The mechanism to revert to the old policy should only be used temporarily until all the clients are reconfigured to use SMTP submission ports (587 or 465) and encryption.

#

cok geriden gelen

nano /etc/shells >

/sbin/nologin

root@a~ # usermod -s /sbin/nologin myuser

0- durum nasil su an ? kim ne kullaniyor?
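# Show which PHP slot settings (php1_select ... php4_select) every domain has.
# The pattern is quoted so the shell cannot glob-expand the brackets against
# files in the current directory, and [1-4] replaces [1,2,3,4], which also
# accepted a literal comma. grep -E is the non-deprecated spelling of egrep.
grep -E 'php[1-4]_select=' /usr/local/directadmin/data/users/*/domains/*.conf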

1- once bir sey olmasin aman mevcut durumu yedekle
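# Archive every per-domain .conf file before any of them is modified.
# A single * is used for the user directory, matching the other commands in
# these notes: without globstar ** behaves exactly like *, and with globstar
# enabled it would recurse and could match more than intended.
tar czvf ~/domain-conf-backup.tgz /usr/local/directadmin/data/users/*/domains/*.conf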

2- Force PHP to be version 1 if no default is set
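# Append "php1_select=1" to every domain .conf that has no php1_select entry;
# sed keeps the previous version of each edited file as <name>.step1.
# -L lists the files WITHOUT a match. -Z / -0 pass the names NUL-delimited so
# unusual file names survive, and -r stops xargs from running sed with no
# files (which fails with "no input files") when every .conf already has it.
grep -FLZ -- php1_select /usr/local/directadmin/data/users/*/domains/*.conf \
  | xargs -0 -r sed -i.step1 '$ a php1_select=1'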

3- /usr/local/directadmin/options duzenle diledigin gibi
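# Set PHP slot 1 to 8.0 and slot 3 to 7.4, then build PHP.
# The steps are chained with && so that a failed cd or a rejected setting stops
# the sequence instead of running ./build from the wrong directory or with
# only half of the settings applied.
cd /usr/local/directadmin/custombuild \
  && ./build set php1_release 8.0 \
  && ./build set php3_release 7.4 \
  && ./build php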

4- Now you want to move all the users who used php1 to use php3, so, you execute this script:
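#!/bin/sh
# Move every domain that uses PHP slot 1 over to PHP slot 3.
#
# For each per-domain DirectAdmin .conf file:
#   - if it has no php1_select line, append "php1_select=3";
#   - otherwise rewrite a leading "php1_select=1" to "php1_select=3" in place.
# Lines holding any other php1_select value are left untouched.
#
# The files are edited in place with no per-file backup, so take the tar
# backup of the .conf files (step 1 of these notes) before running this.

# Iterate over the glob directly rather than over `ls` output, which would be
# word-split and re-globbed; every expansion of $i is quoted for the same reason.
for i in /usr/local/directadmin/data/users/*/domains/*.conf; do
  # An unmatched glob stays as the literal pattern; skip it so no file with
  # that name is created by the append below.
  [ -f "$i" ] || continue

  if ! grep -q '^php1_select' "$i"; then
    echo 'php1_select=3' >> "$i"
    continue
  fi

  perl -pi -e 's/^php1_select=1/php1_select=3/' "$i"
done
exit 0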

5- Update config files:
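# Refresh the build data and regenerate the web server configuration files.
# Chained with && so a failed cd or a failed update does not go on to rewrite
# the configs.
cd /usr/local/directadmin/custombuild \
  && ./build update \
  && ./build rewrite_confs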

Adjust the MaxRequestWorkers settings for Apache. The general formula for making the necessary calculation is the following: 

# MaxRequestWorkers = (Total RAM – Memory used for Linux, DB, etc.) / average Apache process size

  • MPM Event: The default ServerLimit value is 16. To increase it, you must also raise MaxRequestWorkers using the following formula: ServerLimit value x 25 = MaxRequestWorkers value. For example, if ServerLimit is set to 20, then MaxRequestWorkers will be 20 x 25 = 500.