iptables -A INPUT -p tcp –dport 22 -s 1.1.1.1 -j ACCEPT
iptables -A INPUT -p tcp –dport 22 -s 2.2.2.2 -j ACCEPT
iptables -A INPUT -p tcp –dport 22 -j DROP

This will only allow access to SSH from IPs 1.1.1.1 and 2.2.2.2. If you're using a custom SSH port, make sure you adjust the rule for that port.

HTH.

echo "exclude=php*5.3*" >> /etc/yum.conf
rpm -ivh http://www6.atomicorp.com/channels/atomic/centos/5/i386/RPMS/atomic-r$
yum update php* mysql* -y

At the moment, you'd get PHP version 5.2.17 and MySQL 5.5. If you want to upgrade to PHP 5.3.10, you'd skip running the following command from above :

echo "exclude=php*5.3*" >> /etc/yum.conf

If you don't want to install MySQL 5.5, you can add the following line to /etc/yum.conf :

exclude=mysql*5.5*

If you are upgrading MySQL, don't forget to run the following :

mysql_upgrade -uroot -p

HTH

/usr/local/psa/libexec/modules/watchdog/cp/send-report weekly
PHP Fatal error: Class 'OptionalServices_ServicesConfiguration' not found
in /usr/local/psa/admin/plib/common_func.php3 on line 2948

Apparently, Plesk already released a fix for this and the fix can be seen at http://kb.parallels.com/en/9329. The thing is, the attachment is double-zipped so here's how you'd apply the fix :

gunzip send-report.gz
mv send-report send-report.gz
gunzip send-report.gz
cp /usr/local/psa/libexec/modules/watchdog/cp/send-report /usr/local/psa/libexec/modules/watchdog/cp/send-report.backup
mv send-report /usr/local/psa/libexec/modules/watchdog/cp/send-report
chmod 754 /usr/local/psa/libexec/modules/watchdog/cp/send-report

Good luck

find -L /home/user/public_html -type l

find . -type f | xargs ls -ltrhg

openssl x509 -in <certificate.name>.crt -noout -text

Example:

Encrypted certificate

cat /etc/ssl/postfix/server.crt
-----BEGIN CERTIFICATE-----
MIIC1DCCAj2gAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBrzELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbnRhIEJhcmJhcmExHDAa
BgNVBAoTE1Bvc3RmaXggU01UUCBTZXJ2ZXIxIjAgBgNVBAsTGUZvciBUZXN0aW5n
IFB1cnBvc2VzIE9ubHkxEjAQBgNVBAMTCWxvY2FsaG9zdDEdMBsGCSqGSIb3DQEJ
ARYOcm9vdEBsb2NhbGhvc3QwHhcNMDkwOTE4MTQxMjI5WhcNMTEwOTE4MTQxMjI5
WjCBrzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
DVNhbnRhIEJhcmJhcmExHDAaBgNVBAoTE1Bvc3RmaXggU01UUCBTZXJ2ZXIxIjAg
BgNVBAsTGUZvciBUZXN0aW5nIFB1cnBvc2VzIE9ubHkxEjAQBgNVBAMTCWxvY2Fs
aG9zdDEdMBsGCSqGSIb3DQEJARYOcm9vdEBsb2NhbGhvc3QwgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAO8K8RKNDh+YZWWzTMozD94ThTYUheEiXuwY0t3AjuG+
BoftdCQLxDrxEDukNH6DPLFhHvW7GSjAd3iuTmuYbz39vR0PgfLfaNAj5Bn478DA
EL3+bK/ktomOlRJWgfS7MjDXH2qkO+HwZj5mDAGsS8sLvrQcKab0Ez+NIRZ/toEt
AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAokQHek3DBBupTZCw1pMiPxdHZPlTTqRj
7OzahdcyhoruUVs15AzhhHB50ZYoILZWeBJ6h7Xxk/jPSm46JvSII2/bUj5ze2H7
qeNN/tll5cS+0ImjGRKgv081HIDIlYxvsrsgijfOE3EHMtgfo0olXemzHBhm/L2u
RJrOYK2it1c=
-----END CERTIFICATE-----

Content of the certificate decrypted:

# openssl x509 -in /etc/ssl/postfix/server.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Santa Barbara, O=Postfix SMTP Server, OU=For Testing Purposes Only, CN=localhost/emailAddress=root@localhost
        Validity
            Not Before: Sep 18 14:12:29 2009 GMT
            Not After : Sep 18 14:12:29 2011 GMT
        Subject: C=US, ST=California, L=Santa Barbara, O=Postfix SMTP Server, OU=For Testing Purposes Only, CN=localhost/emailAddress=root@localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ef:0a:f1:12:8d:0e:1f:98:65:65:b3:4c:ca:33:
                    0f:de:13:85:36:14:85:e1:22:5e:ec:18:d2:dd:c0:
                    8e:e1:be:06:87:ed:74:24:0b:c4:3a:f1:10:3b:a4:
                    34:7e:83:3c:b1:61:1e:f5:bb:19:28:c0:77:78:ae:
                    4e:6b:98:6f:3d:fd:bd:1d:0f:81:f2:df:68:d0:23:
                    e4:19:f8:ef:c0:c0:10:bd:fe:6c:af:e4:b6:89:8e:
                    95:12:56:81:f4:bb:32:30:d7:1f:6a:a4:3b:e1:f0:
                    66:3e:66:0c:01:ac:4b:cb:0b:be:b4:1c:29:a6:f4:
                    13:3f:8d:21:16:7f:b6:81:2d
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        a2:44:07:7a:4d:c3:04:1b:a9:4d:90:b0:d6:93:22:3f:17:47:
        64:f9:53:4e:a4:63:ec:ec:da:85:d7:32:86:8a:ee:51:5b:35:
        e4:0c:e1:84:70:79:d1:96:28:20:b6:56:78:12:7a:87:b5:f1:
        93:f8:cf:4a:6e:3a:26:f4:88:23:6f:db:52:3e:73:7b:61:fb:
        a9:e3:4d:fe:d9:65:e5:c4:be:d0:89:a3:19:12:a0:bf:4f:35:
        1c:80:c8:95:8c:6f:b2:bb:20:8a:37:ce:13:71:07:32:d8:1f:
        a3:4a:25:5d:e9:b3:1c:18:66:fc:bd:ae:44:9a:ce:60:ad:a2:
        b7:57

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#
    AllowOverride All

As you can see, mine is already set to 'All'. After you have set AllowOverride to All, reload Apache in order for the new changes to be picked up :

/etc/init.d/httpd reload

Secondly, you would need to make sure that you have the following modules loaded in your Apache configuration :
mod_auth_basic
mod_authn_file

You can do so by typing the following command :

httpd -t -D DUMP_MODULES

Sample output :

# httpd -t -D DUMP_MODULES | grep auth_basic_module
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_file_module (shared)
 authn_alias_module (shared)
 authn_anon_module (shared)
 authn_dbm_module (shared)
 authn_default_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 authz_owner_module (shared)
 authz_groupfile_module (shared)
 authz_dbm_module (shared)
 authz_default_module (shared)
 ldap_module (shared)
 authnz_ldap_module (shared)
 include_module (shared)
 log_config_module (shared)
 logio_module (shared)
 env_module (shared)
 ext_filter_module (shared)
 mime_magic_module (shared)
 expires_module (shared)
 deflate_module (shared)
 headers_module (shared)
 usertrack_module (shared)
 setenvif_module (shared)
 mime_module (shared)
 dav_module (shared)
 status_module (shared)
 autoindex_module (shared)
 info_module (shared)
 dav_fs_module (shared)
 vhost_alias_module (shared)
 negotiation_module (shared)
 dir_module (shared)
 actions_module (shared)
 speling_module (shared)
 userdir_module (shared)
 alias_module (shared)
 rewrite_module (shared)
 proxy_module (shared)
 proxy_balancer_module (shared)
 proxy_ftp_module (shared)
 proxy_http_module (shared)
 proxy_connect_module (shared)
 cache_module (shared)
 suexec_module (shared)
 disk_cache_module (shared)
 file_cache_module (shared)
 mem_cache_module (shared)
 cgi_module (shared)
 version_module (shared)
 fcgid_module (shared)
 limitipconn_module (shared)
 log_post_module (shared)
 evasive20_module (shared)
 mono_module (shared)
 perl_module (shared)
 php5_module (shared)
 proxy_ajp_module (shared)
 python_module (shared)
 ssl_module (shared)
Syntax OK

As you can see, the modules are loaded on my server.

Let's say that you have a directory viewable via web – /var/www/html/website/admin. First, we create a .htaccess file in /var/www/html/website/admin with the following content :

AuthUserFile /home/valkyrka/.htpasswd
AuthName EnterPassword
AuthType Basic
require valid-user

We will then need to create users and setup a password for them. They must be created in the .htpasswd file as this was used in the AuthUserFile directive :

# htpasswd -c /home/valkyrka/.htpasswd admin
New password:
Re-type new password:
Adding password for user admin

The -c option will create the .htpasswd file and must only be used for the first time creating a user. Afterwards, simply create users using the following command :

# htpasswd /home/valkyrka/.htpasswd valkyrka
New password:
Re-type new password:
Adding password for user valkyrka

Here is the content of my .htpasswd file :

 # cat /home/valkyrka/.htpasswd
admin:dTTsGDkA5ZHKg
valkyrka:HpLHf68KTZSCs

After you have followed these steps, you should be able to see a login prompt while trying to access the 'admin' directory over the web.

Cyrus 2 Dovecot Migration

In our organization, we have an internal application using a mysql database structure.
We also have some linux boxes with squid and postfix/cyrus MTA/POP-IMAP-MDA using their own databases.
So, you can imagine the mess caused by these applications having separate ways to store the user/password fields.
You can take the following example: a new user is created, he's got only an email account. Some time afterwards, the guy is transferred to another department and he needs to work with the internal application and also needs a squid proxy account. The password is generated, and for easy remembering the password is the same for both. After some time, the user is changing his application password, the PC gets a fresh install of the OS, user doesn't remember the password for the email account, we don't know his password, being encrypted. And guess who is going to sort all the things out …

This it's gonna stop! I said to myself. How ?

And the solution is … going full to mysql \:D/.

I'm not covering in this post how I did it with the proxy server,  it's fairly simple.

Our current configuration of the mail server is using postfix as the MTA and Cyrus as the IMAP/POP3 server. After some time searching for solutions as how to make Cyrus to use MySQL database format, we concluded that this is not feasible or is too difficult to implement, as Cyrus does not natively support authentication from a mysql database.
We had no alternative but to migrate from Cyrus to Dovecot. We considered this migration as an upgrade to the current setup, since Dovecot is a more featured POP3/IMAP server than Cyrus, ultimately having a mail delivery agent (LDA) and our most wanted mysql native support.

Searching the .net for scripts that can do the trick, converting from Cyrus mailbox format to Dovecot maildir++ format I found the following:

1. cyrus2dovecot (by Freie Universität Berlin) allows you to perform a server transition which is fully transparent to both POP and IMAP users, as virtually all available metadata is preserved during the conversion. This includes message UIDs, INTERNALDATEs, IMAP folder subscriptions, the UIDVALIDITY and UIDNEXT values for each folder, as well as all IMAP flags (including the first 26 user-defined keywords). Cyrus2Dovecot is supposed to work with all Cyrus releases up to (at least) version 2.3.x. So far, it has been tested with Cyrus 1.4, 2.1.18, 2.2.12, and 2.3.12p2

2. cyrus2courier is Dovecot-compatible. A non-official v1.6ts release works up to Cyrus v2.3.9. It should be able to preserve message UIDs, INTERNALDATEs, flags and the first 26 keywords. It works only with the supported Cyrus versions, so if Cyrus once again changes its internal formats this tool might break again.

3. cyrus2maildir.py (for Cyrus v2.2) preserves (only) INTERNALDATEs and \Seen flags.

4. cyrus2dovecot (by Trukenmüller) doesn't preserve timestamps or flags.

I've tested all of them, but neither of these can do the things flawlessly.
The most complete and efficient script is cyrus2dovecot by Freie Universität Berlin. BUT, it has a BUG.

All of our email addresses are in this form: firstname.lastname@domain.com – and the BUG comes from the dot – yeah, that little thing.

Cyrus transparently replaces any "." character in folder names with a "^" character so although the account name is firstname.lastname , the mail directory will be firstname^lastname. This includes even the folders or subfolders created by users.

So …

Cyrus:

- maildir location : /var/spool/imap
- .sub (subscription) and .seen (read/new) files : /var/imap/user

Put all the files needed for conversion in the same directory /home/migration

mkdir /home/migration
mkdir /home/migration/dovecot
cp -a /var/spool/imap /home/migration
cp -a /var/imap/user /home/migration

Download the conversion script:

cd /home/migration
wget http://www.cyrus2dovecot.sw.fu-berlin.de/download/cyrus2dovecot

Now, you probably want to run the script, move the result to dovecot maildir and start dovecot to see if it works. It should be that simple, but not in my case, remember the dot(.) ? Watch this :

./cyrus2dovecot --cyrus-inbox /home/migration/imap/%h/user/%u --cyrus-seen /home/migration/user/%h/%u.seen --cyrus-sub /home/migration/user/%h/%u.sub --dovecot-inbox /home/migration/dovecot/%u british.songwriter

Result:

#cyrus2dovecot [british.songwriter]: (error) No Cyrus INBOX at: /home/migration/imap/a/user/british.songwriter

Hmmm … this was expected as the argument containing the user which should be written at the end of the script is not actually the username, but the mailbox name, in this case – british^songwriter.

… and the correct syntax (see documentation page):

./cyrus2dovecot --cyrus-inbox /home/migration/imap/%h/user/%u --cyrus-seen /home/migration/user/%h/%u.seen --cyrus-sub /home/migration/user/%h/%u.sub --dovecot-inbox /home/migration/dovecot/%u british^songwriter

Result:

# cyrus2dovecot [british^songwriter]: (error) Cannot open /home/migration/imap/a/user/british^songwriter//home/migration/imap/a/user/british^songwriter/INBOX^Sent/1.: No such file or directory

Even with debug on, it doesn't output any error that might help. The evident cause for spitting this error is that the script is trying to concatenate the paths from cyrus-mailbox argument and the path for the subfolders.
Although I have some knowledge of perl, I didn't waste time finding the broken chunk of code trying some repairs. I searched for a quick solution and I found out that all I got to do is to rename mailboxes, subscription and .seen file names from british^songwriter to british.songwriter.

Renaming

Renaming folders and files
Dry test run (see what will be renamed):

for i in `find /home/migration -maxdepth 4 -name *^*` ; do echo "$i" "->" "`echo $i | sed -e 's/\^/\./g'`" ; done

Actual renaming:

for i in `find /home/migration -maxdepth 4 -name *^*` ; do mv "$i" "`echo $i | sed -e 's/\^/\./g'`" ; done

I've set maximum depth for a reason. Some users might have subfolders that contains dots (like a date – 12.23.2010). Default dovecot behaviour, if not otherwise specified, is to use Maildir++ folder format, meaning that all folders and subfolders are stored in main mailbox.

Example:
cur – readed emails
new – new emails (unreaded)
tmp – temporary folder
.directory
.directory.another-folder – a subdirectory of directory
.directory.another-folder.my-folder – a subdirectory of another-folder
.directory.another-folder.pictures – a subdirectory of another-folder

You got the point. Also, in this setup, using dots in folder names is illegal, which is frustrating nonetheless.
So I chose FS in dovecot mailbox format (that is using / in folders tree – Maildir/sub/folder).
Doing so, you must rename folders during conversion adding

--edit-foldernames 's/^\.//' --edit-foldernames 's/\./\//g'

as script execution argument.
If maximum depth in previous command was bigger, default cyrus folders like INBOX.Sent, INBOX.Trash will be tranformed in such way that Sent and Trash will be subdirectories of INBOX, and we don't want that.
If users already possess directories with dots in them, you must delete the dots from the names before script execution.

We're using postfix's canonical maps for email accounts, so through a chain of commands, I can get all of our active accounts, passing these as a script argument.

./cyrus2dovecot --cyrus-inbox /home/migration/imap/%h/user/%u --cyrus-seen /home/migration/user/%h/%u.seen --cyrus-sub /home/migration/user/%h/%u.sub --dovecot-inbox /home/migration/dovecot/%u --edit-foldernames 's/^\.//' --edit-foldernames 's/\./\//g' `grep -v "#" /etc/postfix/canonical| awk '{print $1}' |sort -r|cut -d "@" -f 1|tr '\n' ' '`

Another problem encountered after conversion is that all .sub files contained "^" character in folder names.
One solution is to edit subscribed folder names before running the script by issuing:

for i in `find /home/migration/user -maxdepth 2 -name *.sub`; do cat "$i"|sed -e 's/\^/\./g' > `echo "$i"` ; done

Another one, after execution of the script, but subscribing all existing folders:

for i in `grep -v "#" /etc/postfix/canonical| awk '{print $1}' |sort -r|cut -d "@" -f 1` ; do find /home/migration/dovecot/$i -type d |egrep -v '(cur|tmp|new)'|cut -d "/" -f 5,6,7 > /home/migration/dovecot/$i/subscriptions ; done

Enjoy migrating your email accounts!

cat /var/log/httpd/access_log | awk '{print $1}' | sort | uniq -c | sort -n | awk '{ if ($1 > 1000)print $1,$2}'

Additionally, you can change 1000 to your desired value.

cd /usr/ports/dns/bind96
make config

You will be prompted with a window like the following :

Select the stuff that you need, and hit 'OK'. After this, run the following to begin the installation :

make install distclean

Add the following to /etc/rc.conf :

named_enable="YES"

Now, simply start the named service by issuing the following command :

/etc/rc.d/named start

This will also create the rndc key. Here is a sample output of what I got upon starting named for the first time :

freebsd# /etc/rc.d/named start
wrote key file "/var/named/etc/namedb/rndc.key"
Starting named.