Apache server status

Add the following to httpd.conf for resource troubleshooting:

ExtendedStatus On

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from myipaddress
</Location>

Too many open files when several hundred domains in Plesk

With more than several hundred domains in Plesk, issues can arise with too many open files. Solution:

echo 'ulimit -n 32768' >> /etc/sysconfig/httpd

Enabling piped logging also helps greatly:

mysql -uadmin -p$(cat /etc/psa/.psa.shadow) -BAND psa -e 'REPLACE INTO misc VALUES ("apache_pipelog","true")'
/usr/local/psa/admin/bin/websrvmng -a

To see the default open file limit per process:

ulimit -n

To see how many files the main httpd process has open:
ls -1 /proc/$(cat /var/run/httpd.pid)/fd | wc -l

or, more accurately:
lsof -p $(cat /var/run/httpd.pid) | wc -l
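
The commands above give a count and the shell's limit separately; the limit that matters is the one the running httpd process actually inherited, which shows whether the ulimit change took effect. The following is an added example, not part of the original notes: the function name fd_headroom and the 80% default threshold are assumptions, and it reads Linux /proc.

```bash
# fd_headroom PID [WARN_PCT]   (hypothetical helper, added example)
# Prints "pid=<pid> open=<n> soft_limit=<n> used=<pct>%".
# Returns 0 below WARN_PCT (default 80), 1 at or above it, 2 if the PID
# cannot be inspected.
fd_headroom() {
    local pid=$1 warn=${2:-80} open limit pct
    if [ ! -r "/proc/$pid/limits" ] || [ ! -d "/proc/$pid/fd" ]; then
        echo "cannot inspect pid $pid" >&2
        return 2
    fi
    # One entry per open descriptor; reading another user's process needs root.
    open=$(ls -1 "/proc/$pid/fd" 2>/dev/null | wc -l)
    # Soft limit of the running process, which can differ from this shell's
    # `ulimit -n` (e.g. httpd started before /etc/sysconfig/httpd was edited).
    limit=$(awk '/^Max open files/ {print $4}' "/proc/$pid/limits")
    case $limit in
        ''|0|*[!0-9]*) echo "no usable limit for pid $pid" >&2; return 2 ;;
    esac
    pct=$(( open * 100 / limit ))
    echo "pid=$pid open=$open soft_limit=$limit used=${pct}%"
    [ "$pct" -lt "$warn" ]
}

# Demo on the current shell so the example runs anywhere.
# On the server: fd_headroom "$(cat /var/run/httpd.pid)"
fd_headroom "$$" || true
```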

Allow directory listing in Apache

Simple I know, but I always forget.

# Create a .htaccess file
Options +Indexes

Adding a secondary SMTP port in Plesk

Choose an unused port and add it to the /etc/services file, for example:

smtp_alt 2525/tcp # new SMTP port

Copy /etc/xinetd.d/smtp_psa to /etc/xinetd.d/smtp_psa_alt and correct the service line in the new file:

service smtp_alt

Restart xinetd `/etc/init.d/xinetd restart`

Edit the firewall, adding port 25025

Adding a second FTP account in Plesk

Sometimes it’s necessary to have two FTP users on a domain with access to the httpdocs and/or subdirectories, which Plesk doesn’t allow by default.

# Create a web user in Plesk
# Change the default directory to the required one and the userid to the same as the main FTP user
grep ftpuser1 /etc/passwd
usermod -u 1234 -o -d /var/www/vhosts/domain.com/httpdocs/directory ftpuser2

Plesk SQL Queries

A few queries I put together to grab info from the Plesk database for troubleshooting:

#FTP ACCOUNTS
#————
SELECT account_id AS 'ID', login AS 'USERNAME', password AS 'PASSWORD', home AS 'HOMEDIR' FROM sys_users S, accounts A WHERE S.account_id = A.id;

#MAIL ACCOUNTS
#————-
SELECT account_id AS 'ID', mail_name AS 'USERNAME', password AS 'PASSWORD', postbox as 'MAILBOX?', name AS 'DOMAIN', redir_addr as REDIRECT FROM mail M, domains D, accounts A WHERE M.account_id = A.id AND M.dom_id = D.id ORDER BY name;

SELECT account_id AS 'ID', mail_name AS 'USERNAME', password AS 'PASSWORD', postbox as 'MAILBOX?', name AS 'DOMAIN', redir_addr as REDIRECT FROM mail M, domains D, accounts A WHERE M.account_id = A.id AND M.dom_id = D.id AND D.name='domainname.com';

#MySQL ACCOUNTS (Plesk 7)
#—————
SELECT d.name AS DOMAIN, db.name AS DB, du.login as USER, du.passwd as PASS FROM db_users du, data_bases db, domains d WHERE du.db_id = db.id AND db.dom_id=d.id ORDER BY d.name, db.name;

#MySQL ACCOUNTS (Plesk 8+)
#—————
SELECT d.name AS DOMAIN, db.name AS DB, du.login as USER, a.password as PASS FROM db_users du, data_bases db, domains d, accounts a WHERE du.db_id = db.id AND db.dom_id=d.id and du.account_id=a.id ORDER BY d.name, db.name;

Plesk for Windows – PCI Compliance

This is somewhat of a work in progress. The only thing flagged by PCI compliance scans so far is the use of SSLv2. This can be disabled in Windows 2003 by adding the following registry entry in:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

Create a new DWORD named Enabled with the default value.

Also disable weak ciphers:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128

Add a new DWORD value to each one of them. The DWORD value needs to be named Enabled and needs to have the default value of 0.

Depending on the mail server installed, the scans may also flag the use of plain password authentication etc. The resolution to this depends on what you’re running.

Plesk for Linux – PCI Compliance

Courier

Weak SSL Ciphers and SSLv2

The most common flaw uncovered by a PCI compliance scan is that a service is allowing SSL connections using weak SSL ciphers. Disable SSLv2 in Courier by adding the following line to both /etc/courier-imap/imapd-ssl and /etc/courier-imap/pop3d-ssl:

TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"

After restarting Courier, test with openssl to confirm SSLv2 has been disabled properly:

openssl s_client -connect localhost:995 -ssl2
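
A pre-scan check for the two Courier files: the following added example (not part of the original notes) confirms that each file has an active TLS_CIPHER_LIST carrying the exclusions from the line above. The function name audit_courier_tls and the sample files are constructed for illustration, and it assumes the last uncommented assignment in a file is the one in effect.

```bash
# audit_courier_tls FILE...   (hypothetical helper, added example)
# Prints one line per file: "OK <file>", "WEAK <file> missing: ...",
# or "UNSET <file>". Returns 1 if any file is WEAK or UNSET.
audit_courier_tls() {
    local rc=0 f list tok missing
    for f in "$@"; do
        # Ignore commented-out lines; assume the last active assignment wins.
        list=$(sed -n 's/^[[:space:]]*TLS_CIPHER_LIST=//p' "$f" 2>/dev/null \
               | tail -n 1 | tr -d "\"'")
        if [ -z "$list" ]; then
            echo "UNSET $f"; rc=1; continue
        fi
        missing=""
        # Exclusions taken from the TLS_CIPHER_LIST line shown above.
        for tok in '!SSLv2' '!LOW' '!EXP' '!aNULL'; do
            case ":$list:" in
                *":$tok:"*) ;;
                *) missing="$missing $tok" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "WEAK $f missing:$missing"; rc=1
        else
            echo "OK $f"
        fi
    done
    return $rc
}

# Constructed sample configs (not real server files) so the example runs offline.
# On the server: audit_courier_tls /etc/courier-imap/imapd-ssl /etc/courier-imap/pop3d-ssl
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"' \
    > "$demo_dir/imapd-ssl"
printf '%s\n' '# TLS_CIPHER_LIST="HIGH"' 'TLS_CIPHER_LIST="ALL:!ADH"' \
    > "$demo_dir/pop3d-ssl"
audit_courier_tls "$demo_dir/imapd-ssl" "$demo_dir/pop3d-ssl" || true
```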

Resync the IIS anonymous username and password on Plesk for Windows

If the domain is prompting for a login, and then gives “HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials”, there might be an issue with the anonymous password that Plesk is holding. The first thing to check is that all directory permissions are adequate and that anonymous directory access is ticked in IIS. If that fails, try:

"C:\Program Files\SWsoft\Plesk\admin\bin\websrvmng.exe" --update-anon-password --domain-name=domainname.com

or for all sites:

"C:\Program Files\SWsoft\Plesk\admin\bin\websrvmng.exe" --update-anon-passwords-all

Zeus 301 redirect

Add the following to rewrite.script:

match URL into $ with (.*)
set SCRATCH:COND = %{IN:Host}
match SCRATCH:COND into % with ^domainname\.co\.uk
if not matched then goto RULE_0_END
set URL = http://www.domainname.co.uk$1
set RESPONSE = 301
set OUT:Location = %{URL}
set BODY = Please try <a href="%{URL}">here</a> instead\n
RULE_0_END: