To enable unicode support, open and edit the file “pango.aliases” (most likely at “GTK\etc\pango”) and put in the following format, with the example below:

sans = “arial,{unicode font name 1},{unicode font name 2}”
serif = “roman,{unicode font name 1},{unicode font name 2}”
monospace = “courier new,{unicode font name 1},{unicode font name 2}”
{custom font} = “{custom font},{unicode font name 1},{unicode font name 2}”

inp o҉rtb gave me this excellent backup script.
The only problem is that it was russian, so I decided to make an english translation of it.
inp o҉rtb helped me to make the translation in good english (I just did russian to english)
Current version 1.0.8
You can download the english version right here:

http://ztz.110mb.com/dumper.en.zip

http://www.icand.uni.cc/downloads/dumper.en.zip

This is the original russian version:

http://sypex.net/files/SypexDumperLite_108.zip

I did ask the site for permission, and they allowed this:
Quote
We now create the new multilingual version of aSypex Dumper, and english version of our site. But any interested person can freely use your translated version.
so as you can read by yourself, you see that they’re working on an english version too, as soon as it gets released I’ll post it here too
This is the creator’s site: http://sypex.net/
This is the temporary english site: http://www.icand.uni.cc/downloads/dumper/

What’s so good about it?
-> no more problem with interrupted downloads: the script creates a file on you account with the backup (uncompressed, gzipped or bzipped) that you can download by ftp
-> same for restoring
-> you can do it with even the largest database you can imagine

• browse directories & files on the server and
• edit, copy, move, delete files,
• search, upload and download files,
• create and extract archives,
• create new files and directories,
• change file permissions (chmod) and much more…

You can even use eXtplorer to login to the FTP server (like net2ftp) and work as if you were using an FTP client. Access via WebDAV is also possible (requires some extra work and a database!).

eXtplorer is released under a dual-license: You can choose wether you want to use eXtplorer under the Mozilla Public License (MPL 1.1) or under the GNU General Public License (GNU/GPL). Note that if you decide to distribute/use eXtplorer under the MPL, you are not allowed to use the ExtJS Javascript library.

eXtplorer needs at least PHP 4.3 on the server and an up-to-date browser with Javascript enabled to run.

The Main Features of eXtplorer are:

• Copy & Move Files and Directories by Drag&Drop
• Dynamic Directory Tree with on-demand loading of subdirectories
• Edit Files (with Syntax-Highlighting thanks to EditArea)
• Rename, Delete or Create new Files and Directories
• Access Files through FTP or directly (using PHP) to totally overcome permission and file ownership issues
• Upload or Download files just as you like
• Create and Extract Archives (ZIP, Tar, Tar/GZ, Tar/BZ)
• User Management with different permission levels like “View only” or “Edit” and “Admin”
• Available as a component for Joomla! and Mambo.

All these features are packed into an intuitive Layout which makes working with files very easy. Thanks to the great ExtJS Javascript Library you can drag & drop folders and files, filter directories and sort the file list using various criteria.

ou can download eXtplorer from sourceforge.net:
Current Version: 2.0.1 (released 2009-01-15)

New!

You can also still download all older Versions.

Interested in downloading the eXtplorer sources?

+ Cấp 1 : nạp 1.000.000 vnđ được giảm 10%
+ Cấp 2 : nạp 2.000.000 vnđ được giảm 20%
+ Cấp 3 : nạp 3.000.000 vnđ được giảm 30%

Tạo tập tin tên : .htaccess
Nội dung :

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?quochung.net [NC]
RewriteRule !antiddos.phtml http://quochung.net/antiddos.phtml?%{REQUEST_URI} [QSA]

Tiếp tục tạo tập tin antiddos.phtml

<?
$text=$HTTP_SERVER_VARS['QUERY_STRING'];
$text = preg_replace("#php\&#si",'php?',$text);
echo('<center><a href=http://quochung.net'.$text.'>[Click vao day]</a><br>de vao dien dan.</center>');
?>

QHNET Solutions hosting plans come with the option to use Lighttpd as your web server to deliver your static content pages and dynamic web applications like Ruby on Rails.

What is Lighttpd

Lighttpd is a small-footprint web server written with speed and low resource usage in mind. It provides an up-to-date interface to FastCGI, which allows a significant speed increase in applications like Ruby on Rails and Python-based web applications.

Lighttp also supports PHP, virtual hosts, URL-rewriting (in the spirit of mod_rewrite), large file support, gzip/bzip2/deflate compression, basic and digest authentication, SSL, and SSI.

Lighttpd Hosting Support at QHNET Solutions

We can allocate a port for you to run Lighttpd on. Our proxy settings in Apache will let Lighttpd host your content for your entire site, a subdomain, or just a certain part of your site. By running Lighttpd behind Apache, you get the best of both worlds.

If you want to learn more about Lighttpd, please visit the Lighttpd website.

List of things to do to optimize vBulletin and the rest of your site

vBulletin Options

–> General Settings

- Use Forum Jump Menu –> No
- Add Template Name in HTML Comments –> No

–> Cookies and HTTP Header Options

- GZIP HTML Output –> Yes
- GZIP Compression Level –> 1
- Add No-Cache HTTP Headers — No
- Remove Redirection Message Pages — Yes

–> Server Settings and Optimization Options

- Cached Posts Lifespan –> 30
- Update Attachment Views Immediately –> No

–> Style & Language Settings

- Store CSS Stylesheets as Files? –> Yes

–> User Registration Options

- Default Registration Options:

- Display Reputation –> Uncheck
- Automatic Thread Subscription Mode — > Do Not Subsribe
- Message Editor Interface –> Show Standard Editor Toolbar

–> User Reputation Options

- Enable User Reputation system –> No

–> User Listing & Profile Viewing

- Show Last Post on Profile Page –> No

–> Message Posting and Editing Options

- Quick Reply Enabled –> Yes – Show Standard Editor Toolbar

–> Message Posting Interface Options

- Enable Clickable Message Formatting Controls –> Enable Standard Controls

#1: Encrypt Data Communication

All data transmitted over a network is open to monitoring. Encrypt transmitted data whenever possible with password or using keys / certificates.

1. Use scp, ssh, rsync, or sftp for file transfer. You can also mount remote server file system or your own home directory using special sshfs and fuse tools.
2. GnuPG allows to encrypt and sign your data and communication, features a versatile key managment system as well as access modules for all kind of public key directories.
3. Fugu is a graphical frontend to the commandline Secure File Transfer application (SFTP). SFTP is similar to FTP, but unlike FTP, the entire session is encrypted, meaning no passwords are sent in cleartext form, and is thus much less vulnerable to third-party interception. Another option is FileZilla – a cross-platform client that supports FTP, FTP over SSL/TLS (FTPS), and SSH File Transfer Protocol (SFTP).
4. OpenVPN is a cost-effective, lightweight SSL VPN.
5. Lighttpd SSL (Secure Server Layer) Https Configuration And Installation
6. Apache SSL (Secure Server Layer) Https (mod_ssl) Configuration And Installation

#1.1: Avoid Using FTP, Telnet, And Rlogin / Rsh

Under most network configurations, user names, passwords, FTP / telnet / rsh commands and transferred files can be captured by anyone on the same network using a packet sniffer. The common solution to this problem is to use either OpenSSH , SFTP, or FTPS (FTP over SSL), which adds SSL or TLS encryption to FTP. Type the following command to delete NIS, rsh and other outdated service:
# yum erase inetd xinetd ypserv tftp-server telnet-server rsh-serve

#2: Minimize Software to Minimize Vulnerability

Do you really need all sort of web services installed? Avoid installing unnecessary software to avoid vulnerabilities in software. Use the RPM package manager such as yum or apt-get and/or dpkg to review all installed set of software packages on a system. Delete all unwanted packages.
# yum list installed
# yum list packageName
# yum remove packageName
OR
# dpkg --list
# dpkg --info packageName
# apt-get remove packageName

#3: One Network Service Per System or VM Instance

Run different network services on separate servers or VM instance. This limits the number of other services that can be compromised. For example, if an attacker able to successfully exploit a software such as Apache flow, he / she will get an access to entire server including other services such as MySQL, e-mail server and so on. See how to install Virtualization software:

• Install and Setup XEN Virtualization Software on CentOS Linux 5
• How To Setup OpenVZ under RHEL / CentOS Linux

#4: Keep Linux Kernel and Software Up to Date

Applying security patches is an important part of maintaining Linux server. Linux provides all necessary tools to keep your system updated, and also allows for easy upgrades between versions. All security update should be reviewed and applied as soon as possible. Again, use the RPM package manager such as yum and/or apt-get and/or dpkg to apply all security updates.
# yum update
OR
# apt-get update && apt-get upgrade
You can configure Red hat / CentOS / Fedora Linux to send yum package update notification via email. Another option is to apply all security updates via a cron job. Under Debian / Ubuntu Linux you can use apticron to send security notifications.

#5: Use Linux Security Extensions

Linux comes with various security patches which can be used to guard against misconfigured or compromised programs. If possible use SELinux and other Linux security extensions to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for Linux kernel.

#5.1: SELinux

I strongly recommend using SELinux which provides a flexible Mandatory Access Control (MAC). Under standard Linux Discretionary Access Control (DAC), an application or process running as a user (UID or SUID) has the user’s permissions to objects such as files, sockets, and other processes. Running a MAC kernel protects the system from malicious or flawed applications that can damage or destroy the system. See the official Redhat documentation which explains SELinux configuration.

#6: User Accounts and Strong Password Policy

Use the useradd / usermod commands to create and maintain user accounts. Make sure you have a good and strong password policy. For example, a good password includes at least 8 characters long and mixture of alphabets, number, special character, upper & lower alphabets etc. Most important pick a password you can remember. Use tools such as “John the ripper” to find out weak users passwords on your server. Configure pam_cracklib.so to enforce the password policy.

#6.1: Password Aging

The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password. The /etc/login.defs file defines the site-specific configuration for the shadow password suite including password aging configuration. To disable password aging, enter:
chage -M 99999 userName
To get password expiration information, enter:
chage -l userName
Finally, you can also edit the /etc/shadow file in the following fields:

{userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:

Where,

1. Minimum_days: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password.
2. Maximum_days: The maximum number of days the password is valid (after that user is forced to change his/her password).
3. Warn : The number of days before password is to expire that user is warned that his/her password must be changed.
4. Expire : Days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used.

I recommend chage command instead of editing the /etc/shadow by hand:
# chage -M 60 -m 7 -W 7 userName
Recommend readings:

• Linux: Force Users To Change Their Passwords Upon First Login
• Linux turn On / Off password expiration / aging
• Lock the user password
• Search for all account without password and lock them
• Use Linux groups to enhance security

#6.2: Restricting Use of Previous Passwords

You can prevent all users from using or reuse same old passwords under Linux. The pam_unix module parameter remember can be used to configure the number of previous passwords that cannot be reused.

#6.3: Locking User Accounts After Login Failures

Under Linux you can use the faillog command to display faillog records or to set login failure limits. faillog formats the contents of the failure log from /var/log/faillog database / log file. It also can be used for maintains failure counters and limits.To see failed login attempts, enter:
faillog
To unlock an account after login failures, run:
faillog -r -u userName
Note you can use passwd command to lock and unlock accounts:
# lock account
passwd -l userName
# unlocak account
passwd -u userName


#6.4: How Do I Verify No Accounts Have Empty Passwords?

Type the following command
# awk -F: '($2 == "") {print}' /etc/shadow
Lock all empty password accounts:
# passwd -l accountName

#6.5: Make Sure No Non-Root Accounts Have UID Set To 0

Only root account have UID 0 with full permissions to access the system. Type the following command to display all accounts with UID set to 0:
# awk -F: '($3 == "0") {print}' /etc/passwd
You should only see one line as follows:

root:x:0:0:root:/root:/bin/bash

If you see other lines, delete them or make sure other accounts are authorized by you to use UID 0.

#7: Disable root Login

Never ever login as root user. You should use sudo to execute root level commands as and when required. sudo does greatly enhances the security of the system without sharing root password with other users and admins. sudo provides simple auditing and tracking features too.

#8: Physical Server Security

You must protect Linux servers physical console access. Configure the BIOS and disable the booting from external devices such as DVDs / CDs / USB pen. Set BIOS and grub boot loader password to protect these settings. All production boxes must be locked in IDCs (Internet Data Center) and all persons must pass some sort of security checks before accessing your server. See also:

• 9 Tips To Protect Linux Servers Physical Console Access.

#9: Disable Unwanted Services

Disable all unnecessary services and daemons (services that runs in the background). You need to remove all unwanted services from the system start-up. Type the following command to list all services which are started at boot time in run level # 3:
# chkconfig --list | grep '3:on'
To disable service, enter:
# service serviceName stop
# chkconfig serviceName off

#9.1: Find Listening Network Ports

Use the following command to list all open ports and associated programs:
netstat -tulpn
OR
nmap -sT -O localhost
nmap -sT -O server.example.com
Use iptables to close open ports or stop all unwanted network services using above service and chkconfig commands.

#9.2: See Also

• update-rc.d like command on Redhat Enterprise / CentOS Linux.
• Ubuntu / Debian Linux: Services Configuration Tool to Start / Stop System Services.
• Get Detailed Information About Particular IP address Connections Using netstat Command.

#10: Delete X Windows

X Windows on server is not required. There is no reason to run X Windows on your dedicated mail and Apache web server. You can disable and remove X Windows to improve server security and performance. Edit /etc/inittab and set run level to 3. Finally, remove X Windows system, enter:
# yum groupremove "X Window System"

#11: Configure Iptables and TCPWrappers

Iptables is a user space application program that allows you to configure the firewall (Netfilter) provided by the Linux kernel. Use firewall to filter out traffic and allow only necessary traffic. Also use the TCPWrappers a host-based networking ACL system to filter network access to Internet. You can prevent many denial of service attacks with the help of Iptables:

• Lighttpd Traffic Shaping: Throttle Connections Per Single IP (Rate Limit).
• How to: Linux Iptables block common attack.
• psad: Linux Detect And Block Port Scan Attacks In Real Time.

#12: Linux Kernel /etc/sysctl.conf Hardening

/etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies settings from /etc/sysctl.conf at boot time. Sample /etc/sysctl.conf:

# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1

#13: Separate Disk Partitions

Separation of the operating system files from user files may result into a better and secure system. Make sure the following filesystems are mounted on separate partitions:

• /usr
• /home
• /var and /var/tmp
• /tmp

Create septate partitions for Apache and FTP server roots. Edit /etc/fstab file and make sure you add the following configuration options:

1. noexec – Do not set execution of any binaries on this partition (prevents execution of binaries but allows scripts).
2. nodev – Do not allow character or special devices on this partition (prevents use of device files such as zero, sda etc).
3. nosuid – Do not set SUID/SGID access on this partition (prevent the setuid bit).

Sample /etc/fstab entry to to limit user access on /dev/sda5 (ftp server root directory):

/dev/sda5  /ftpdata          ext3    defaults,nosuid,nodev,noexec 1 2

#13.1: Disk Quotas

Make sure disk quota is enabled for all users. To implement disk quotas, use the following steps:

1. Enable quotas per file system by modifying the /etc/fstab file.
2. Remount the file system(s).
3. Create the quota database files and generate the disk usage table.
4. Assign quota policies.
5. See implementing disk quotas tutorial for further details.

#14: Turn Off IPv6

Internet Protocol version 6 (IPv6) provides a new Internet layer of the TCP/IP protocol suite that replaces Internet Protocol version 4 (IPv4) and provides many benefits. Currently there are no good tools out which are able to check a system over network for IPv6 security issues. Most Linux distro began enabling IPv6 protocol by default. Crackers can send bad traffic via IPv6 as most admins are not monitoring it. Unless network configuration requires it, disable IPv6 or configure Linux IPv6 firewall:

• RedHat / Centos Disable IPv6 Networking.
• Debian / Ubuntu And Other Linux Distros Disable IPv6 Networking.
• Linux IPv6 Howto – Chapter 19. Security.
• Linux IPv6 Firewall configuration and scripts are available here.

#15: Disable Unwanted SUID and SGID Binaries

All SUID/SGID bits enabled file can be misused when the SUID/SGID executable has a security problem or bug. All local or remote user can use such file. It is a good idea to find all such files. Use the find command as follows:
#See all set user id files:
find / -perm +4000
# See all group id files
find / -perm +2000
# Or combine both in a single command
find / \( -perm -4000 -o -perm -2000 \) -print
find / -path -prune -o -type f -perm +6000 -ls

You need to investigate each reported file. See reported file man page for further details.

#15.1: World-Writable Files

Anyone can modify world-writable file resulting into a security issue. Use the following command to find all world writable and sticky bits set files:
find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
You need to investigate each reported file and either set correct user and group permission or remove it.

#15.2: Noowner Files

Files not owned by any user or group can pose a security problem. Just find them with the following command which do not belong to a valid user and a valid group
find /dir -xdev \( -nouser -o -nogroup \) -print
You need to investigate each reported file and either assign it to an appropriate user and group or remove it.

#16: Use A Centralized Authentication Service

Without a centralized authentication system, user auth data becomes inconsistent, which may lead into out-of-date credentials and forgotten accounts which should have been deleted in first place. A centralized authentication service allows you maintaining central control over Linux / UNIX account and authentication data. You can keep auth data synchronized between servers. Do not use the NIS service for centralized authentication. Use OpenLDAP for clients and servers.

#16.1: Kerberos

Kerberos performs authentication as a trusted third party authentication service by using cryptographic shared secret under the assumption that packets traveling along the insecure network can be read, modified, and inserted. Kerberos builds on symmetric-key cryptography and requires a key distribution center. You can make remote login, remote copy, secure inter-system file copying and other high-risk tasks safer and more controllable using Kerberos. So, when users authenticate to network services using Kerberos, unauthorized users attempting to gather passwords by monitoring network traffic are effectively thwarted. See how to setup and use Kerberos.

#17: Logging and Auditing

You need to configure logging and auditing to collect all hacking and cracking attempts. By default syslog stores data in /var/log/ directory. This is also useful to find out software misconfiguration which may open your system to various attacks. See the following logging related articles:

1. Linux log file locations.
2. How to send logs to a remote loghost.
3. How do I rotate log files?.
4. man pages syslogd, syslog.conf and logrotate.

#17.1: Monitor Suspicious Log Messages With Logwatch / Logcheck

Read your logs using logwatch or logcheck. These tools make your log reading life easier. You get detailed reporting on unusual items in syslog via email. A sample syslog report:

 ################### Logwatch 7.3 (03/24/06) ####################
        Processing Initiated: Fri Oct 30 04:02:03 2009
        Date Range Processed: yesterday
                              ( 2009-Oct-29 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: www-52.nixcraft.net.in
  ##################################################################

 --------------------- Named Begin ------------------------

 **Unmatched Entries**
    general: info: zone XXXXXX.com/IN: Transfer started.: 3 Time(s)
    general: info: zone XXXXXX.com/IN: refresh: retry limit for master ttttttttttttttttttt#53 exceeded (source ::#0): 3 Time(s)
    general: info: zone XXXXXX.com/IN: Transfer started.: 4 Time(s)
    general: info: zone XXXXXX.com/IN: refresh: retry limit for master ttttttttttttttttttt#53 exceeded (source ::#0): 4 Time(s)

 ---------------------- Named End -------------------------

  --------------------- iptables firewall Begin ------------------------

 Logged 87 packets on interface eth0
   From 58.y.xxx.ww - 1 packet to tcp(8080)
   From 59.www.zzz.yyy - 1 packet to tcp(22)
   From 60.32.nnn.yyy - 2 packets to tcp(45633)
   From 222.xxx.ttt.zz - 5 packets to tcp(8000,8080,8800)

 ---------------------- iptables firewall End -------------------------

 --------------------- SSHD Begin ------------------------

 Users logging in through sshd:
    root:
       123.xxx.ttt.zzz: 6 times

 ---------------------- SSHD End -------------------------

 --------------------- Disk Space Begin ------------------------

 Filesystem            Size  Used Avail Use% Mounted on
 /dev/sda3             450G  185G  241G  44% /
 /dev/sda1              99M   35M   60M  37% /boot

 ---------------------- Disk Space End -------------------------

 ###################### Logwatch End #########################

(Note output is truncated)

#17.2: System Accounting with auditd

The auditd is provided for system auditing. It is responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open /etc/audit.rules file and make changes such as setup audit file log location and other option. With auditd you can answers the following questions:

1. System startup and shutdown events (reboot / halt).
2. Date and time of the event.
3. User respoisble for the event (such as trying to access /path/to/topsecret.dat file).
4. Type of event (edit, access, delete, write, update file & commands).
5. Success or failure of the event.
6. Records events that Modify date and time.
7. Find out who made changes to modify the system’s network settings.
8. Record events that modify user/group information.
9. See who made changes to a file etc.

See our quick tutorial which explains enabling and using the auditd service.

#18: Secure OpenSSH Server

The SSH protocol is recommended for remote login and remote file transfer. However, ssh is open to many attacks. See how to secure OpenSSH server:

• Top 20 OpenSSH Server Best Security Practices.

#19: Install And Use Intrusion Detection System

A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.

It is a good practice to deploy any integrity checking software before system goes online in a production environment. If possible install AIDE software before the system is connected to any network. AIDE is a host-based intrusion detection system (HIDS) it can monitor and analyses the internals of a computing system.

Snort is a software for intrusion detection which is capable of performing packet logging and real-time traffic analysis on IP networks.

#20: Protecting Files, Directories and Email

Linux offers excellent protections against unauthorized data access. File permissions and MAC prevent unauthorized access from accessing data. However, permissions set by the Linux are irrelevant if an attacker has physical access to a computer and can simply move the computer’s hard drive to another system to copy and analyze the sensitive data. You can easily protect files, and partitons under Linux using the following tools:

• To encrypt and decrypt files with a password, use gpg command.
• Linux or UNIX password protect files with openssl and other tools.
• See how to encrypting directories with ecryptfs.
• TrueCrypt is free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X and Linux.
• Howto: Disk and partition encryption in Linux for mobile devices.
• How to setup encrypted Swap on Linux.

#20.1: Securing Email Servers

You can use SSL certificates and gpg keys to secure email communication on both server and client computers:

• Linux Securing Dovecot IMAPS / POP3S Server with SSL Configuration.
• Linux Postfix SMTP (Mail Server) SSL Certificate Installations and Configuration.
• Courier IMAP SSL Server Certificate Installtion and Configuration.
• Configure Sendmail SSL encryption for sending and receiving email.
• Enigmail: Encrypted mail with Mozilla thunderbird.

Other Recommendation:

• Backups – It cannot be stressed enough how important it is to make a backup of your Linux system. A proper offsite backup allows you to recover from cracked server i.e. an intrusion. The traditional UNIX backup programs are dump and restore are also recommended.
• How to: Looking for Rootkits.
• Howto: Enable ExecShield Buffer Overflows Protection.
• Subscribe to Redhat or Debian Linux security mailing list or RSS feed.

Recommend readings:

1. Red Hat Enterprise Linux – Security Guide.
2. Linux security cookbook- A good collections of security recipes for new Linux admin.
3. Snort 2.1 Intrusion Detection, Second Edition – Good introduction to Snort and Intrusion detection under Linux.
4. Hardening Linux – Hardening Linux identifies many of the risks of running Linux hosts and applications and provides practical examples and methods to minimize those risks.
5. Linux Security HOWTO.

In the next part of this series I will discuss how to secure specific applications (such as Proxy, Mail, LAMP, Database) and a few other security tools. Did I miss something? Please add your favorite system security tool or tip in the comments.

Having implemented a number of websites now in Magento and being the web hosting provider for them also, it’s been both challenging and rewarding trying to get Magento running at an acceptable speed.People generally don’t understand what’s happening when they say “my website is slow”. So, for those of you unfamiliar with benchmarking / understanding what factors to consider when a page loads from a server, we have quite a number of variables.

1. Your URL you type into a browser, translates to an IP address – this check should take a very, very short time
2. Your browser then begins to access the web server where your website is hosted to ask for the page you want, this can cause some delay, typically 40-200ms (bottleneck 1.)
3. In the case of Magento,it uses PHP as the software language that runs the site, so the php begins to execute (bottleneck 2.)
4. PHP then reaches a part of it’s code it needs to access the database to retrieve website data and sometimes insert information about who you are. (bottleneck 3.)
5. The PHP code retrieves the information, does a bit more computing on it (for simplicity, this is still bottleneck 2) and then sends it to your web server
6. Your webserver can then send it or compress it and then send it to you (bottlneck 4)
7. The data is sent over the internet to your browser (bottlneck 5)
8. Your browser must ‘render’ the data it receives into an actual web page (bottleneck 6)

I will assume you are here specifically for Magento issues, so let’s get started with the basics. I will make the assumption that your web server is running Apache and you have very little control over that.

Preparation – the “before”

1. If you are familiar with the, use Firefox and the Firebug extension and the Yslow extension. Take a screenshot of your statistics.
2. Alternatively, what I suggest is to go to WebsiteOptimization if you’re fairly new to this. You basically enter your URL and click. Print out the page, preferably to PDF before we begin.

Check Magento Caching is turned on (if not developing still)

1. Login to your Magento Admin
2. go to System -> Cache Management
3. in the dropdown box, choose “enable” and tick all the boxes, then save settings.

Let’s start simple – .htaccess and gzip/deflate

1. Go to mod_gzip tester and enter your magento site address. If it comes back with a big green tick and says http://yourmagentosite.com is gzipped, then you’re in business and skip step 2. If not..go to step 2
2. Using ftp or ssh, however you access your magento website, go to the root of the site and find your .htaccess file. Scroll down until you see something like:

<ifmodule mod_deflate.c>
# Insert filter
SetOutputFilter DEFLATE
# Netscape 4.x has some problems...
#BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# Don't compress images
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</ifmodule>

3. Make sure it looks like above. A hash in front of the line means it’s commented out. If your .htaccess file does look like this AND mod_gzip tester is still not showing enabled, you need to talk to your web hosting provider. They may not allow overrides or may not have the deflate module installed or enabled. If it doesn’t look like the above, remove the hashes from your lines so that it reflects what is above, then retest with mod_gzip tester
4. Take a screenshot / pdf printout of Yslow / websiteoptimizer results.

Let’s shrink our javascript

1. Magento uses A LOT of LARGE javascript libraries and depending on your template, it’s a good chance that these make up for 50% of your website page size. This should only affect the first page load but it’s often the first impressions that count, so let’s shrink it.
2. For this, we will use the Fooman Speedster Extension from magentoconnect. Click on the “get extension key” and then copy the key to your clipboard.
3. Now go to your magento store admin interface and click on “System -> Magento Connect -> Magento Connect Manager”. Enter your admin user/pass to access magento connect manager.
4. *Warning – once you install the extension until you fix your .htaccess, it may break your website*
5. Paste the extension key to install the extension
6. Now go to your .htaccess and under the line: #RewriteBase /magento/ add this lineRewriteRule ^(index.php/)?minify/([^/]+)(/.*.(js|css))$ lib/minify/m.php?f=$3&d=$2

7. Save your .htaccess and access your site (it may take a while to load the first time as it minifies and creates it’s cache.
8. **Test your site is working properly**
9. Take a screenshot / pdf printout of Yslow / websiteoptimizer results.

Let’s check our php settings

1. Create a file called phpinfo.php and enter this information into it.
2. Check for the following: memory_limit
3. If it’s less than 128M, try and add an entry into your .htaccess like so:

php_value memory_limit 128M

Finally, MySQL – for experienced users.

1. If you’re a mysql hero, you don’t need me to tell you how but we want to try and get the following settings in your my.cnf

query_cache_type = 1
query_cache_size = 32M
query_cache_limit=2M

2. If you don’t have root access to check /etc/my.cnf (or /etc/mysql/my.cnf) variables, then login to mysql or use phpmyadmin to show variables.

$ mysql -u mysqluser -p magento_database_name
$ mysql> SHOW VARIABLES;

3. If you don’t have control over your mysql configuration, go knocking on your Web Host’s support tickets to get them to modify it to suit you or if you’re in Australia, check us out

**If you want someone to do this all for you, lodge a support ticket at Yourwebhostingsupport with the Subject “Magento Optimisation”

Consortium News

What the Consortium has completed thus far:

- Migrated all sites to a new server.

- Found new Developers.

- Discussions pertaining to the Open Source Project.

There is much more to be done, we will not let HyperVM and Kloxo products fail.

Please note for every existing client. Cancel all pay pal subscriptions and please no longer pay your licensing invoices as this is against Open Source Standards.

Any new client, please register as normal. No invoice will be generated and you will be able to install the Lxlab products.

With these changes also comes a change in our web site address. The new site is LxCenter.org. You will now be directed to this site from the new domain. A brand new website is online soon on www.LxCenter.org.

Kind regards,

The Consortium Leaders

Brijesh, Bhargava, Arthur and Danny.

Signed, July 29th, 2009

There are a lot speculations, lets clear things out to the public. Yes, we are a bit slow, mainly that is because it is still summer and people are on hollidays too. Also there are timezone differences, so some discussions are spread over more days.

The source code, it will be PUBLIC and OpenSourced with a proper License after the first new release of HyperVM and Kloxo. When those are released, the sourcecode and structure will be hosted on a public repo website like many other OpenSource projects. We have choosen a temporary License for developers that are going to work on the source until the first releases. In that time the final OpenSource License will be choosed. So yes, the source is until the first new HyperVM and Kloxo release not public. We need first to examine the code, and changing code if it not fits a OpenSource standard. There is a lot work to do on the code because a new install system has to be created, new update system and for example the removal of the License server code. The Consortium does have the Sourcecode. It will be uploaded into a private SVN system today or tomorrow. Then it will be prepared by one person so it gets a SVN structure and branches. After that all Developers are going to see the soureccode and developing is going to be started.

Release date? that is unknown yet. Can be in a week, can be in some months. The Consortium does have a 12 months timeframe to release it to the Public. We have 11 months left (but we want it asap).

Our goal and users of the products want to see first a bug fixed release. So it is 100% security hole free. From there, everyone that wants to contribute, can work on bugfixes and new features.

Also expect a proper website on www.lxcenter.org soon. Just give us some time (and the person that is designing it).

The future is decided

Signed, august 7th, 2009 (Danny) ]]> http://quochung.net/2009/09/17/free-lxadmin-control-panel-100/feed/ 0