If you have two hard drives you can mount second hard drive to be used for (cPanel/WHM) backups or for hosting more sites. The hard drives must not be in any kind of Raid setup. Process of partitioning, formatting and mounting is quite simple.
First check what disk drives do you have. Usually disk drives on Linux are named /dev/sda (first HDD), /dev/sdb (second HDD) or something similar.
You can get a list of disk drives in system using this command
fdisk -l | grep '^Disk'
The output should be something like this:
Disk /dev/sdb: 500.1 GB, 500107862016 bytes
Disk /dev/sda: 500.1 GB, 500107862016 bytes
So those are two 500 GB hard drives…
If you execute command like the one below you’ll get more detailed preview of your hard discs and their partitions:
fdisk -l
Output should looks like this:
Disk /dev/sdb: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x1c7e861c
Disk /dev/sdb doesn't contain a valid partition table
Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00080071
Device Boot Start End Blocks Id System
/dev/sda1 * 1 14 104448 83 Linux
/dev/sda2 14 144 1048576 82 Linux swap / Solaris
/dev/sda3 144 60802 487232512 83 Linux
You should notice that second hard disk (/dev/sdb) has no partition and that probably means that it’s un-partitioned yet.
So let’s make the partition on /dev/sdb by executing
fdisk /dev/sdb
and then use following in the prompt
– “n” for new partion
– “p” for primary partition
– “1” for the first partition
– “Enter” / “Enter” for the first AND last cylinders (automatically use the entire disk)
– “w” to save what I have done
That has created and saved new partition and it will be called /dev/sdb1 (first partition on /dev/sdb). Next step is to format it.
mkfs.ext3 /dev/sdb1
On newer distributions (CentOS 6.3 for eg) use this command to format a new partition.
mkfs -t ext3 /dev/sdb1
If you want to use this hard disk for backup make /backup folder or if you want to use it to store more sites make new home folder called /home2
mkdir /backup
mkdir /home2
Now just mount the backup partition or the new home partition
mount /dev/sdb1 /backup
mount /dev/sdb1 /home2
Now you can use the additional hard drive for cPanel/WHM backups or storing new sites. cPanel should automatically detect /home2 and should ask you whether you like to setup new account on /home or at /home2.
If you want the partition to auto mount on server (re)boot edit fstab file located at /etc/fstab and add one of following lines at the bottom of it depending if you for /backup folder or the line below for /home2 folder:
/dev/sdb1 /backup ext3 defaults 0 0
/dev/sdb1 /home2 ext3 defaults 0 0
Note: After adding one of these lines press add one more empty line below since fstab requires the new line symbol at the end of every config line. Before you issue the following command, be aware that this re-mounts ALL Filesystems, and will more than likely disconnect most other users
To make sure this mounts automatically, issue the following command:
mount -a
If you got no errors – your mount worked, try df -h once more to see if everything is fine.
If your server starts getting more and more traffic you’ll need to lift up number of allowed Apache connections. This guide works only on cPanel/WHM powered servers.
The easy way
Log in at WHM and to go to Service Configuration > Apache Configuration > Global Configuration. In there find ServerLimit and MaxClients and set those to some nice value (eg. 1024 or 2048 depends how much memory you have). Save and that should be it.
The geek way
Edit of httpd.conf (usually located at /usr/local/apache/conf folder). It should look something like this (depending on your server specification):
StartServers 5
MinSpareServers 5
MaxSpareServers 10
ServerLimit 1024
MaxClients 1024
MaxRequestsPerChild 10000
Save, Distill settings, restart Apache:
/usr/local/cpanel/bin/apache_conf_distiller --update
/scripts/rebuildhttpdconf
/etc/init.d/httpd restart
Check
After you do something like this you simply MUST take a look at your Apache error_log file (usually located at /usr/local/apache/logs folder). If you see following line in Apache error_log:
** [warn] WARNING: Attempt to change ServerLimit ignored during restart
You should stop and run the Apache again since ServerLimit can’t be changed by restarting Apache. To do so execute following at SSH:
apachectl stop
apachectl start
The purpose of syctl hardening is to help prevent spoofing and dos attacks. This short guide will show what I have found to be a good configuration for the sysctl.conf configuration file. The most important of the variables listed below is the enabling of syn cookie protection. Only place the bottom two if you do not want your server to respond to ICMP echo, commonly referred to as ICMP ping or just ping requests.
Open /etc/sysctl.conf for editing in your favorite text editor:
pico -w /etc/sysctl.conf
And simply copy/paste this into the file replacing any existing values:
#Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Disables packet forwarding
net.ipv4.ip_forward=0
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Disables the magic-sysrq key
kernel.sysrq = 0
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536
After you make the changes to the file you need to run
/sbin/sysctl -p
and
sysctl -w net.ipv4.route.flush=1
to enable the changes without a reboot.
Notes
– Make sure that eth0 is your primary interface. If it is not replace eth0 with eth1 in the code below.
– Make sure you have backup of your original syctl.conf file before making any changes
– These settings might be old (outdated) or wrong for your system setup. Use them at your own risk!
Continue Reading →
After migrating a site to new server I run into a strange problem with big file downloads that just stop/break without any specific reason at anytime. Downloads are not direct than are done using PHP (I’ll write more about that soon and I’ll link to that post from in here when I do) suddenly break without any notice. Browser reports that file has been successfully downloaded, Apache doesn’t report any errors but file is broken and not downloaded entirely.
I was pulling my hair for days, since sometimes downloads were working fine but sometimes they would just stop. Things got worse in case of downloading multiple files at the same time. Sometimes one or two downloads would break, sometimes all, sometimes none. It was driving me mad. Since I have been traveling those days across Northern Europe, I have been able to test the file download from multiple locations/countries and various connection types (ADSL, Cable, WiFi hot spots) and was still experienced same problems.
The setup on that server was bit complex and it used Apache to serve dynamic content, separate web server for static content. Downloads were done using PHP or using mod_xsendfile but either way problem persisted. So I figured out that something must be timing out and that is braking the connection. Since it would happen that out of 4-5 simultaneous downloads one or two would break and few would download normally. Finally, I tried increasing Apache timeout from 10 seconds to 30 seconds and it worked out! I was so pissed of and happy at the same time… The solution was so easy and in front of my nose but I needed so much time to figure it out… I felt so stupid for a second but then I solved the problem and I’ve learned something new…
It turns out that if there were no communication between server and client for 10 seconds the Apache would simply close connection and download would break. Nothing will be reported on both sides since it’s “normal” way to end the communication. This was also going on when mod_xsendfile was used to serve/download files. The problem was even greater when internet connection was worse (WiFi) and when I was downloading more files at once since than the connection would have to be split on few files.
So if you’re making a download server for larger files make sure you setup your Apache timeout to some reasonable value (30 seconds or more). Under term “larger files” I consider everything larger than pictures, but basically 50mb file could be called “larger file” since for it’s download it is required some time and of course open connection.
My IP got banned by CPHulk few times and it is really not a pleasant thing knowing that you need to access your server but you just can’t because CPHulk blacklisted your IP. Great way around it is to white list your IP address in front so you don’t end up in that situation. It’s quite easy, all you need to do is to login at SSH and execute this lines:
cd /scripts
./cphulkdwhitelist xxx.xxx.xxx.xxx
Just don’t forge to replace xxx.xxx.xxx.xxx with your IP address 🙂
