ZOIPER setup for a SIP account

This tutorial is relatively old; it was done for a friend. Native SIP support on Android phones has been removed by Google, which leaves SIP VoIP applications such as Zoiper, GSWave, ACR and Groundwire (and its cousin "Softphone by Acrobits"). A key to battery life with those apps seems to be push notification support (you need to allow it).

Basically, I need to give a friend of mine who is traveling a VoIP account of a special kind. So, to make his experience as simple as possible, I took screenshots of the setup process, but generalized them enough for anyone who wants to set up a SIP account on Zoiper.

Step 1: Install Zoiper from the Google Play Store (link: Install Zoiper). Any other SIP client will do, but this is the one I made the instructions for.

For iPhone, a nice SIP client seems to be SessionTalk which supports (Push notifications), this is important for your phone’s battery, otherwise it will drain in no time flat!

HINT: From here on, Just look at the pictures, no need to read all this text unless you need to know more things

Step 2: Open zoiper, then go to the config panel, then to accounts.

Step 3: Click the “add account” to add an account to zoiper

Step 4: When asked if you already have a VOIP account, Answer with YES

Step 5: When asked if you want to configure manually, or select a provider, You would want to go with the manual configuration.

Step 6: Now you need to set the account type. Zoiper supports both SIP (Session Initiation Protocol), which is more or less both a good standard and the de facto standard in VoIP, and IAX (Inter-Asterisk eXchange), which is specific to Asterisk, an open source VoIP system. SIP is the one we want.

Step 7: Now we need to give Zoiper some settings so it knows where and how to connect. This data was given to you by your provider:

Account name: Any name you want, for example, the name of the provider, or how you use this account, you can call it my NY number, or TheTech, or any other name you want to use to identify this account

Host: The address of the server, this can be something like voip.example.com or example.com, any internet address whether FQDN or IP address should do.

Username: Self explanatory really
Password: Also self explanatory

Exposing visitor IP to apache through varnish

In a previous post, I showed how you can put Varnish on a virtual machine to cache content for your web server. But there was one small thing that we did not deal with: the IP address in the logs, and the one the website sees, is simply that of the Varnish server, not the visitor's IP. If you write PHP like me, I use the IP in everything, from securing logins to limiting page views to limiting comments. So, here is how we can work around this problem.

First, the mission is as follows: Varnish needs to add something to the request header that Apache will then treat as the visitor's IP.

To make Apache do that, there is already a module (mod_remoteip).

1- Tool to check the IP of the visitor

Create a PHP script to find out if what we are doing actually worked.

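<?php
// Address Apache attributes the request to (the Varnish server until mod_remoteip is configured)
print "Your IP is: " . htmlspecialchars($_SERVER['REMOTE_ADDR']) . " <br />\n\n";
// Dump every request header so X-Forwarded-For can be inspected.
// Header names and values are client-controlled, so escape them before printing.
$headers = apache_request_headers();
foreach ($headers as $xheader => $xvalue)
{
    print htmlspecialchars($xheader) . " : " . htmlspecialchars($xvalue) . " <br />\n";
}
?>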

Upload it to the website. When accessing it from the internet, you should see the IP of the Varnish server, not your IP (like it should).

2- Playing with cpanel

First, we must download mod_remoteip from the cpanel website (See here)

Once downloaded, we will upload it to the cpanel server at

/var/cpanel/easy/apache/custom_opt_mods/

Once done, we will now extract it as we would extract any tar.gz file

cd /var/cpanel/easy/apache/custom_opt_mods
tar -C /var/cpanel/easy/apache/custom_opt_mods -xvf custom_opt_mod-remoteip.tgz

Now, this mod should appear in easy apache when rebuilding apache, so go ahead, visit

Home » Software » EasyApache 3

and on the Exhaustive Options List you should be able to see mod_remoteip, be sure to check it.

Now, before configuring it, we need to tell Varnish to send us those headers. So add this at the very beginning of the Varnish sub vcl_recv section

NOTE: It seems that for the latest varnish (VCL 4), you no longer need this, if you add this, you will get the header as ( X-Forwarded-For : xxx.105.60.194, xxx.105.60.194) meaning the same IP twice

if (req.restarts == 0) {
  if (req.http.X-Forwarded-For) {
    set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
  } else {
    set req.http.X-Forwarded-For = client.ip;
  }
}

Now we need to tell Apache what the extra header's name is (X-Forwarded-For) and which servers this header should be honored for (the Varnish server IPs, currently displayed by the script we wrote, right after "Your IP is:"). So start by editing

/usr/local/apache/conf/includes/pre_virtualhost_global.conf

And add this, the IP here is the varnish server IP

<IfModule mod_remoteip.c>
   RemoteIPHeader X-Forwarded-For
   RemoteIPInternalProxy xxx.172.13.208
</IfModule>

Or, probably the more suitable

/usr/local/apache/conf/includes/pre_virtualhost_global.conf

And add this, the IP here is the varnish server IP

<IfModule mod_remoteip.c>
   RemoteIPHeader X-Forwarded-For
   RemoteIPTrustedProxy xxx.172.13.0/24
   RemoteIPTrustedProxy xxx.172.14.0/24
   RemoteIPTrustedProxy xxx.172.19.0/24
</IfModule>

Now visit Home >> Restart Services on your cpanel server, and restart Apache.

There you have it: refresh that PHP script, and your IP address should appear.

The Apache logs will still log the Varnish server IP. To fix that, you need to modify the log section in your Apache config, replacing %h with %a, like so
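
How a trusted-proxy list decides which X-Forwarded-For entry is believed, as an added example that is not from the original post and is only a simplified model of mod_remoteip, not its code. All addresses are constructed documentation addresses; the last two cases show why the trusted list should cover only the Varnish hosts.

```python
import ipaddress

def resolve_client_ip(peer_ip, xff_header, trusted_proxies):
    """Simplified model of how a trusted-proxy list is applied to X-Forwarded-For.

    peer_ip         -- address of the TCP connection Apache sees
    xff_header      -- raw X-Forwarded-For value, or None if absent
    trusted_proxies -- addresses/networks that may speak for a client
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk right to left: an entry is believed only if the host that reported
    # it (the current address) is itself on the trusted list.
    while hops and any(current in net for net in nets):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed entry: keep the last address we could verify
    return str(current)

# Constructed documentation addresses (assumptions, not from the page)
VARNISH = "198.51.100.10"
VISITOR = "203.0.113.7"
FORGED = "192.0.2.99"

def demo():
    narrow = [VARNISH]            # only the Varnish host
    wide = ["198.51.100.0/24"]    # a whole subnet around it
    return {
        # Visitor sends a forged header; Varnish appends the real client.ip.
        "via_varnish": resolve_client_ip(VARNISH, f"{FORGED}, {VISITOR}", narrow),
        # Visitor reaches Apache directly: the header is ignored entirely.
        "direct": resolve_client_ip(VISITOR, FORGED, narrow),
        # A non-proxy host inside a trusted /24 is believed; with the narrow list it is not.
        "neighbour_wide": resolve_client_ip("198.51.100.77", FORGED, wide),
        "neighbour_narrow": resolve_client_ip("198.51.100.77", FORGED, narrow),
    }

if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case:17} -> {ip}")
```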

#LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

restoring lost tabs in firefox

Every once in a while (often), something happens and the "Restore session" option in Firefox disappears (right now it is June 2016). Usually this happens after a crash where I try to reopen Firefox early, or when the computer hangs and then I do something stupid. If you just opened Firefox, keep it open, then go to C:\Users\techg\AppData\Roaming\Mozilla\Firefox\Profiles\8xve5flx.default (or whatever your profile folder is named) and, WITH YOUR FIREFOX STILL OPEN, copy the file sessionstore.js (back it up). Now close Firefox; your original might have reset to a small file size as soon as you closed Firefox. The tabs are all stored in sessionstore.js.bak (or whatever you called the copy), so delete the one you have, and copy this file back in its place.

With that done, it is editing time

The bad copy starts like this

{"version":["sessionrestore",1],"windows":[{"tabs":[{"entries":[{"url":"about:home","title":"Mozilla Firefox Start Page","charset":"","ID":716087720,"docshellID":11510,"docIdentifier":13,"persist":true}],"lastAccessed":1465298115431,"hidden":false,"attributes":{},"userContextId":0,"index":1,"image":"chrome://branding/content/icon32.png"}],

Delete the text "version":["sessionrestore",1], to make it look like this

{"windows":[{"tabs":[{"entries":[{"url":"about:home","title":"Mozilla Firefox Start Page","charset":"","ID":716087720,"docshellID":11510,"docIdentifier":13,"persist":true}],"lastAccessed":1465298115431,"hidden":false,"attributes":{},"userContextId":0,"index":1,"image":"chrome://branding/content/icon32.png"}],

Now, open your firefox browser, and you should see the restore button come back up.

Mounting a multipart vmdk disk on Linux

There are many ways to do that, one of which is using the tools provided by vmware to combine the disks into one and then mounting it with

kpartx -av mydisk.vmdk;

Then

mount /dev/mapper/loop0p1 /hds/disk

While another method, which is simpler

apt-get install qemu-utils
qemu-img convert disk-s001.vmdk s01.raw
....
qemu-img convert disk-s013.vmdk s13.raw
....
qemu-img convert disk-s032.vmdk s32.raw

The above will be sparse files, so you will not have disk usage as big as the file; a "df -h" should not show any loss of disk space beyond the data that is used by files in the image.

Following the above, we need to combine the RAW files like so

cat s01.raw s02.raw s03.raw s04.raw s05.raw s06.raw s07.raw s08.raw s09.raw s10.raw s11.raw s12.raw s13.raw s14.raw s15.raw s16.raw s17.raw s18.raw s19.raw s20.raw s21.raw s22.raw s23.raw s24.raw s25.raw s26.raw s27.raw s28.raw s29.raw s30.raw s31.raw s32.raw > combined.raw
losetup /dev/loop0 combined.raw
kpartx -a /dev/loop0
mount /dev/mapper/loop0p1 /hds/img1

Review of the Seagate ST8000DM002 8TB 7200rpm desktop hard drive

This is not a review in the sense that it explores the drive in every possible aspect, this is better seen as a user review.

I got this drive on 2016-04-06 (6th of April). The first thing that catches your eye about this drive is that every inch of the space a regular hard drive uses (that empty area under the disk) is used. As a consequence, there is no middle screw hole, only in the back and in the front, a bit of a problem for many computer and NAS cases that rely on that hole to fasten the drive in place.

So, formatting the system into ext4 and copying files onto it, the drive seems very fast. How fast exactly remains to be seen in the coming few hours, as I can only run the test after ext4lazyinit completes and finalizes the ext4 partition. I also enabled lazy write-back and removed the journal (tune2fs -O ^has_journal /dev/sdb1)

Now, let us take a better look at some parameters that were given to us by seagate

This is not the SMR (Shingled Magnetic Recording) disk; this is a proper hard drive meant to run as your desktop's hard drive. The hard drive features 6 × 1.33TB plates, which is very high density compared to any disk on the market.

Price per gigabyte at the time of writing on this drive is 4 cents, that is pretty good for a desktop hard drive (The archive drive costs less per GB, but is much less of a performer), the archiving drive, with the SMR needs to delete neighbouring bytes and rewrite them whenever it needs to update a certain byte, so it suffers in performance, not to mention that other things are designed with this in mind too.

Using cloud linux

Basically, CloudLinux sets limits on hosting accounts, here is what you need

1- Remove limits for a certain user
lvectl set-user techg --unlimited

2- Restore all limits to defaults
lvectl apply all
Or
lvectl delete-user techg

3- Increase speed of website to use 3 cores
lvectl set-user techg --speed=300%

Change the defaults
lvectl set default --speed=100% --pmem=2048m

Server unable to read htaccess file, denying access to be safe

I am very new to CentOS (Debian usually), and on my cpanel / WHM server, I got this error

Forbidden

You don't have permission to access / on this server.
Server unable to read htaccess file, denying access to be safe

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

Something seemed seriously wrong, I had already chowned all the files

chown -R techg:techg public_html

I also even deleted the htaccess file, but still, the server was reporting the error.

The solution turned out to be making the public_html directory executable

I found that out through the apache log files that read

[Sun Mar 06 02:48:10.894154 2016] [core:crit] [pid 1261] (13)Permission denied: [client 46.xxx.216.169:55886] AH00529: /home/techg/public_html/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/home/techg/public_html/' is executable

gigabit Ethernet VirtIO driver for Windows 10 64bit

By default, KVM gives your virtual machine a Realtek rtl8139 Ethernet adapter, with an ancient 100Mbit/second speed. We all need a gigabit Ethernet adapter for the KVM guest.

The answer is replacing the string rtl8139 with virtio in the XML file of the virtual machine, then installing the drivers.

The steps I use are

1- Run the virtual machine with the Realtek adapter to download the other adapter's driver
2- Once the driver is there, shut down the virtual machine guest (Windows guest), then edit the XML of the guest, and restart libvirtd
3- Start the KVM guest again
4- Open it with VNC, start the Device Manager, and install the driver you downloaded.

You are good, the adapter should report the speed of 10Gbit/second (10 gigabit per second)

One annoying thing is that all windows drivers come in a big ISO file, you probably just want the driver you need.

I will add the download links in the coming few days, but you can get them right now if you like from fedora, the fedora windows guest drivers should work on any linux distribution (Debian, ubuntu, etc…)

Protecting roundcube against brute force attacks

You have probably protected your dovecot, postfix, exim, dbmail, or any other port-opening application that needs to be protected from brute force and dictionary attacks.

But what about roundcube? The problem with roundcube is that you have to whitelist it (whether it is on the same server or a different server) so that it does not get blocked. So now you have another security issue: this way a hacker can brute force your server through roundcube even when fail2ban is monitoring all SMTP, IMAP and POP ports.

The solution to this is to actually protect RoundCube itself against brute force.

Forget the apache logs, we don't need to use those, as roundcube will log failed attempts in its /logs/errors file. This file has something similar to the following line

IMAP Error: Login failed for aaa@bbb.com from xxx.xxx.xxx.xxx. AUTHENTICATE PLAIN: Authentication failed

You should also note that there is a certain roundcube config file in fail2ban, which I am not using because I like to make things as simple as possible but not too simple. The file that comes with fail2ban, roundcube-auth.conf, seems to account for older installations of roundcube, something I don't really need.

Now, here is a step by step manual to protect roundcube (or phpmyadmin or ispconfig or what have you) from brute force attacks and dictionary attacks.

1- Make sure fail2ban is installed
apt-get install fail2ban

2- Add the following two configuration files to the fail2ban filter directory (/etc/fail2ban/filter.d/)

1- roundcube.conf

# Fail2Ban configuration file for roundcube webmail
#
# Author: Fabian Wenk 
#
# $Revision$
#
# To have logging information available, it is necessary to adjusting
# the following option in config/main.inc.php from Roundcube:
#
# $rcmail_config['debug_level'] = 1;	// not sure, probably not needed
# $rcmail_config['log_session'] = true;
#
# and point in the fail2ban jail config to the correct logfile,
# or change also the following config to log to syslog:
#
# $rcmail_config['log_driver'] = 'syslog';
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
#	first line is for Cyrus IMAP (2.4.x)
#	second line is for Dovecot (2.1.x)
# Values: TEXT
#
#failregex = roundcube: IMAP Error: Login failed for .* from <HOST>. AUTHENTICATE PLAIN: authentication failure in .*$
failregex = roundcube: IMAP Error: Login failed for .* from <HOST>. AUTHENTICATE PLAIN: Authentication failed. in .*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =  

2- roundcube-repeat.conf, this rule inspects the fail2ban log file itself, and if there are repeated bans (repeated violations), imposes a bigger penalty

# roundcube configuration file
#


[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = \[roundcube\] Ban <HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

The above is how fail2ban will identify failed logins. Now, in /etc/fail2ban/jail.local, we need to tell fail2ban 1- which filter to use, and 2- which file to look for the logs in.

So, to activate the above, we need to add some rules in /etc/fail2ban/jail.conf

[roundcube]
enabled  = true
port     = http,https
filter   = roundcube
logpath  = /var/sys_ssl/rcmail/logs/errors
maxretry = 5
findtime = 600
bantime = 3600

[roundcube-repeat]
enabled = true
port = http,https
filter = roundcube-repeat
logpath = /var/log/fail2ban.log
maxretry = 3
findtime = 21600
bantime = 86400

Now, to the testing. Mind you, if you test, you will be blocked; depending on how you test, you might get blocked for a whole day, so keep that in mind.
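
One way to check a failregex against log lines before enabling the jail, as an added example that is not part of the original post or of fail2ban itself. The `<HOST>` expansion is the one quoted in the filter comments; the timestamp prefix, the sample addresses and the prefix-less `FILE_REGEX` variant are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# <HOST> expansion as quoted in the filter comments on this page.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
# failregex from roundcube.conf above; expects the syslog "roundcube: " prefix.
PAGE_REGEX = (r"roundcube: IMAP Error: Login failed for .* from <HOST>. "
              r"AUTHENTICATE PLAIN: Authentication failed. in .*$")
# Assumption: variant without the prefix and the " in <file>" tail, written
# for the line format quoted earlier on this page.
FILE_REGEX = (r"IMAP Error: Login failed for .* from <HOST>\. "
              r"AUTHENTICATE PLAIN: Authentication failed")

def failed_host(failregex, line):
    """Return the address captured by <HOST>, or None if the line does not match."""
    m = re.search(failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None

def hosts_to_ban(lines, failregex, maxretry=5, findtime=600):
    """Hosts with at least maxretry matching lines within findtime seconds."""
    recent, banned = {}, []
    for line in lines:
        host = failed_host(failregex, line)
        if host is None:
            continue
        ts = datetime.strptime(line[1:27], "%d-%b-%Y %H:%M:%S %z").timestamp()
        recent[host] = [t for t in recent.get(host, []) if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample log. The timestamp prefix is an assumed format; the message
# follows the line quoted on this page. 203.0.113.7 fails five times in 4 minutes.
SAMPLE = [f"[06-Mar-2016 02:4{i}:10 +0000]: IMAP Error: Login failed for aaa@bbb.com "
          "from 203.0.113.7. AUTHENTICATE PLAIN: Authentication failed"
          for i in range(5)]
SAMPLE.append("[06-Mar-2016 02:50:00 +0000]: IMAP Error: Login failed for ccc@bbb.com "
              "from 198.51.100.9. AUTHENTICATE PLAIN: Authentication failed")

if __name__ == "__main__":
    print("page regex :", hosts_to_ban(SAMPLE, PAGE_REGEX))
    print("file regex :", hosts_to_ban(SAMPLE, FILE_REGEX))
```

fail2ban ships a `fail2ban-regex` tool that runs the same kind of check against the real log file and filter, without banning anyone.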

For those of you on a recent cpanel installation, you should probably know that iptables is disabled by default in favor of firewalld; fail2ban will update the rules, but the rules will not work 😉