How to Increase max_connections in MySQL without restarting MySQL service.


When MySQL reaches its maximum connection limit, clients see errors like "too many connections". You can increase the connection limit without restarting MySQL.

As we know, my.cnf is the default configuration file for the mysqld service, and by default it is located in the /etc directory unless you have changed it.

To find out how many max_connections are currently allowed on your MySQL server, use the following command from the mysql prompt.

mysql> select @@max_connections;
+-------------------+
| @@max_connections |
+-------------------+
|               500 |
+-------------------+

max_connections is a GLOBAL variable. We can increase it on the fly without restarting the mysqld service.

Use the following command to increase the maximum number of connections.

mysql> set global max_connections = 600;
Query OK, 0 rows affected (0.02 sec)

If you check again you will see that limit of max_connections is increased.

mysql> select @@max_connections;
+-------------------+
| @@max_connections |
+-------------------+
|               600 |
+-------------------+

Note: It is important that you also edit your /etc/my.cnf to add max_connections = 600; otherwise, when you restart the mysqld service in future, it will complain again after it hits the old max_connections limit.

Please check that vzdev kernel module is loaded and you have sufficient permissions to access the file


Today I got an error while trying to install a new VE in OpenVZ

Please check that vzdev kernel module is loaded and you have sufficient permissions to access the file.

# vzctl create 101 --ostemplate centos-6-x86_64
Unable to open /dev/vzctl: No such device or address
Please check that vzdev kernel module is loaded and you have sufficient permissions to access the file.

Solution :-

# /etc/init.d/vz restart
Stopping OpenVZ: [ OK ]
Starting OpenVZ: [ OK ]
Applying OOM adjustments: [ OK ]
Bringing up interface venet0: [ OK ]

How to configure multiple apache virtual hosts on multiple ports


I have a server with one IP address. I want to run several virtual hosts in Apache 2.4, and I want all virtual hosts to be accessible on ports 80, 8000 and 443 (SSL).

The Listen directive tells the server to accept incoming requests only on the specified ports or address-and-port combinations. If only a port number is specified in the Listen directive, the server listens to the given port on all interfaces. If an IP address is given as well as a port, the server will listen on the given port and interface. Multiple Listen directives may be used to specify a number of addresses and ports to listen on. The server will respond to requests from any of the listed addresses and ports.

=-=-=-
Listen *:80
Listen *:8080

# NameVirtualHost is deprecated and has no effect in Apache 2.4
NameVirtualHost *:80
NameVirtualHost *:8080

<VirtualHost *:80>
ServerName a.foo.com
DocumentRoot /www/a
</VirtualHost>

<VirtualHost *:8080>
ServerName b.foo.com
DocumentRoot /www/ab
</VirtualHost>

=-=-=-

Domain slowness issue


Today one of our domains was facing a slowness issue. The domain's response time was a bit slower than earlier.

Here is the script to check the domain response time.
-------------
[root@server02 ~]# cat /root/site_response.sh
#!/bin/bash
# Print connect time, time to first byte and total time for a URL read from stdin.

CURL="/usr/bin/curl"
GAWK="/usr/bin/gawk"
#echo -n "Please pass the url you want to measure: "
read -r url
URL="$url"
# -w prints curl's timing variables, colon-separated; the response body is discarded
result=$("$CURL" -o /dev/null -s -w '%{time_connect}:%{time_starttransfer}:%{time_total}' "$URL")
echo "Time_Connect --- Time_start_transfer --- Time_total "
echo "$result" | "$GAWK" -F: '{ print $1" "$2" "$3 }'
-------------

To check the domain slowness we can put a PHP test page on the site. Here it is "testdb.php". When we run the script against it, the domain responds quickly.

-------------
[root@server02 ~]# for i in {1..15}; do echo "http://www.domain.com/testdb.php" | /root/site_response.sh; done
Time_Connect --- Time_start_transfer --- Time_total
0.339 0.484 0.488
Time_Connect --- Time_start_transfer --- Time_total
0.185 0.332 0.336
-------------

Then load the affected page of the domain; this one loads slowly.

-------------
[root@server02 ~]# for i in {1..15}; do echo "http://www.domain.com/responses/contact/contact-success.html" | /root/site_response.sh; done
Time_Connect --- Time_start_transfer --- Time_total
0.185 63.641 63.779
Time_Connect --- Time_start_transfer --- Time_total
0.184 63.655 63.728
-------------

Try stopping the CSF Firewall and loading the domain again; this will be faster. Now you can see the domain is loading faster than earlier.

-------------
[root@server02 ~]# for i in {1..15}; do echo "http://www.domain.com/" | /root/site_response.sh; done
Time_Connect --- Time_start_transfer --- Time_total
0.189 0.515 0.669
Time_Connect --- Time_start_transfer --- Time_total
0.187 0.512 0.668
-------------

If you are experiencing the same issue, we can conclude that there was some issue with the server firewall, so we need to investigate why the domain's traffic is caught by the firewall. Here we checked the firewall logs in /var/log/messages, but we could not see any IP address blocked from the source server.

To see the IP address we need to enable logging of inbound and outbound blocks in the CSF firewall.

# vim /etc/csf/csf.conf

# Enable logging of dropped connections to blocked ports to syslog, usually
# /var/log/messages. This option needs to be enabled to use Port Scan Tracking

DROP_LOGGING = "1"
DROP_IP_LOGGING = "1"
DROP_OUT_LOGGING = "1"
---------------------->

After editing, save and exit, then restart the CSF Firewall.

Then reload the domain and check the logs in /var/log/messages. You can see that the IP address DST=69.58.188.42 was blocked by the CSF Firewall; go and remove the IP address from CSF.

Jul 23 22:43:01 lithium kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=72.34.59.62 DST=69.58.188.42 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41190 DF PROTO=TCP SPT=59262 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=32359 GID=32361

To unblock the IP address in CSF, use these commands (csf -a adds the address to the allow list, csf -r restarts the firewall).

# csf -a 69.58.xx.xx
# csf -r

After restarting the CSF Firewall, check the domain response time using the script. Now we can see that the domain is loading much faster than earlier.

---------------------->
[root@server02 ~]# for i in {1..15}; do echo "http://www.domain.com/" | /root/site_response.sh; done
Time_Connect --- Time_start_transfer --- Time_total
0.189 0.515 0.669
Time_Connect --- Time_start_transfer --- Time_total
0.187 0.512 0.668
---------------------->
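The log check described above, as an added example that is not part of the original post: it groups CSF "Blocked" lines from the kernel log by direction, remote address, destination port and UID, so a blocked outbound destination stands out without reading raw lines. The function names are hypothetical, and every sample line except the first (the one quoted in the post) is constructed.

```bash
#!/bin/bash
# Added example: summarise CSF "Blocked" kernel log lines by direction,
# remote address, destination port and (for outbound traffic) local UID.

# First line is the log line quoted in the post; the rest are constructed.
sample_log() {
cat <<'EOF'
Jul 23 22:43:01 lithium kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=72.34.59.62 DST=69.58.188.42 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41190 DF PROTO=TCP SPT=59262 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=32359 GID=32361
Jul 23 22:43:04 lithium kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=72.34.59.62 DST=69.58.188.42 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41191 DF PROTO=TCP SPT=59262 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=32359 GID=32361
Jul 23 22:43:07 lithium kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=72.34.59.62 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5120 DF PROTO=TCP SPT=40112 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1002 GID=1002
Jul 23 22:43:09 lithium kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.7 DST=72.34.59.62 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=311 PROTO=TCP SPT=41000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 23 22:43:10 lithium sshd[2211]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2
EOF
}

# Reads syslog lines on stdin; prints "count direction remote dport uid",
# most frequent first. Lines that are not CSF block records are ignored.
summarise_blocks() {
    awk '
    /Firewall: \*[A-Z0-9]+_(IN|OUT) Blocked\*/ {
        dir = ""; src = "-"; dst = "-"; dpt = "-"; uid = "-"
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^\*[A-Z0-9]+_(IN|OUT)$/) dir = substr($i, 2)
            else if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^UID=/) uid = substr($i, 5)
        }
        # Outbound block: the remote end is DST. Inbound block: it is SRC.
        peer = (dir ~ /_OUT$/) ? dst : src
        count[dir " " peer " " dpt " " uid]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Remote "address:port" pairs the server itself was prevented from reaching,
# i.e. the candidates to review before allow-listing anything in CSF.
outbound_blocked_destinations() {
    summarise_blocks | awk '$2 ~ /_OUT$/ { print $3 ":" $4 }'
}

sample_log | summarise_blocks
```

On a server, feed it the real log instead of the sample, for example summarise_blocks < /var/log/messages. The UID column is the local account whose process opened the blocked outbound connection.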

How to install Java in Centos 5 and 6


First you need to download the archive file from Oracle.

Download the latest version of Java from http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html

Install JAVA using Alternatives

After extracting the Java archive file, you just need to set the system up to use the newer version of Java through alternatives, using the following commands.

# cd /usr/src/jdk1.7.0_65/
# alternatives --install /usr/bin/java java /opt/jdk1.7.0_65/bin/java 2
# alternatives --config java

There are 4 programs which provide 'java'.

  Selection    Command
-----------------------------------------------
*  1           /usr/lib/jvm/jre-1.6.0-openjdk/bin/java
 + 2           /opt/jdk1.7.0_55/bin/java
   3           /opt/jdk1.7.0_60/bin/java
   4           /opt/jdk1.7.0_65/bin/java

Enter to keep the current selection[+], or type selection number: 4 [Press Enter]

Now you may also need to set up the javac and jar command paths using alternatives.

# alternatives --install /usr/bin/jar jar /opt/jdk1.7.0_65/bin/jar 2
# alternatives --install /usr/bin/javac javac /opt/jdk1.7.0_65/bin/javac 2
# alternatives --set jar /opt/jdk1.7.0_65/bin/jar
# alternatives --set javac /opt/jdk1.7.0_65/bin/javac

Check JAVA Version

Use following command to check which version of java is currently being used by system.

# java -version
java version "1.7.0_65"
Java(TM) SE Runtime Environment (build 1.7.0_65-b17)
Java HotSpot(TM) Client VM (build 24.60-b09, mixed mode)

Setup Environment Variables

Most Java-based applications use environment variables to work. Use the following commands to set them up.

Setup JAVA_HOME Variable

# export JAVA_HOME=/opt/jdk1.7.0_65

Setup JRE_HOME Variable

# export JRE_HOME=/opt/jdk1.7.0_65/jre

Setup PATH Variable

# export PATH=$PATH:/opt/jdk1.7.0_65/bin:/opt/jdk1.7.0_65/jre/bin

You can follow the above steps to install multiple versions of Java at the same time, but you can use only one version at a time.

How to Install an Apache module without recompiling Easyapache

Log in to the server

cd /home/cpeasyapache/src/httpd-2.x.x/modules/mappers/

Make sure the module is in uncompiled format (mod_module.c).

From command prompt run:

/usr/local/apache/bin/apxs -c mod_module.c
Example : /usr/local/apache/bin/apxs -c mod_imagemap.c

This will create the DSO in /home/cpeasyapache/src/httpd-2.x.x/modules/mappers/.libs/ folder.

Copy the mod_module.so file to the /usr/local/apache/modules/ directory.

Load the module and enable it in Apache configuration file.

Check whether module is installed or not by using the below command :

/usr/local/apache/bin/apachectl -t -D DUMP_MODULES
=-=-=-=-=-

How to Install PHP module without running Easyapache on cPanel


Log in to the server
Go to the path /home/cpeasyapache/src/php-5.x/ext/sqlite

Here I am trying to enable sqlite

# phpize        # this creates the ./configure script
# ./configure
# make
# make install

Find the extension directory path; you need to enter the extension directory path in php.ini, as follows:

# ll /usr/local/lib/php/extensions/no-debug-non-zts-20060613/
extension=sqlite.so

NOTE: You can enable the module if it is available in /home/cpeasyapache/src/php-5.x.x/ext/

How to migrate MySQL to MariaDB + cPanel


With Oracle’s fairly recent acquisition of MySQL, a lot of people are looking to move away from MySQL in fear of Oracle changing the licensing, which could force you to change database back ends. MariaDB was initially forked in January of 2009. We can make this transition quickly, but not without some downtime, as we can’t have both databases working on the same files simultaneously.

You must be running the same major version of MySQL as the MariaDB release you are moving to. Currently this means you must be running MySQL 5.5 and intend to move to MariaDB 5.5.

Next, you need to take a backup of all the databases. This command dumps every SQL database you have to a single file. Make sure you do this on a partition big enough to hold your data.

# mysqldump --all-databases --routines --triggers > /home/alldata-`date +%F`.sql

First and foremost, shut down the MySQL service.

# service mysql stop

We are now done with MySQL. Use your package manager to remove it. Do not worry about associated libraries, as MariaDB is a drop in replacement. It should remain compatible at the API layer.

# /scripts/update_local_rpm_versions --edit target_settings.MySQL50 uninstalled
# /scripts/update_local_rpm_versions --edit target_settings.MySQL51 uninstalled
# /scripts/update_local_rpm_versions --edit target_settings.MySQL55 uninstalled
# /scripts/update_local_rpm_versions --edit target_settings.MySQL56 uninstalled

Remove the existing MySQL RPMs from your server. This will leave a clean slate for the MariaDB installation.

# /scripts/check_cpanel_rpms --fix --targets=MySQL50,MySQL51,MySQL55,MySQL56

Next, add the MariaDB repositories, and install it.

vi /etc/yum.repos.d/MariaDB.repo
---------

# MariaDB 5.5 CentOS repository list - created 2013-06-23 21:13 UTC
# http://mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/5.5/centos6-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

---------

Edit /etc/yum.conf file and remove php* and mysql* from the exclude line. The exclude line in your /etc/yum.conf file may appear similar to the following example:

exclude=bind-chroot courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* mysql* nsd* php* proftpd* pure-ftpd* ruby* spamassassin* squirrelmail* 

Installing the new MariaDB packages.

# yum install MariaDB-server MariaDB-client MariaDB-devel php-mysql

# /etc/init.d/mysql start
# mysql_upgrade
# /etc/init.d/mysql restart

Rebuild EasyApache's PHP to ensure that all PHP modules remain intact

# /scripts/easyapache --build

If you need to switch back to MySQL

First you need to remove the MariaDB packages.

# yum remove MariaDB*

Install the MySQL RPM targets

# /scripts/update_local_rpm_versions --edit target_settings.MySQL50 installed
# /scripts/update_local_rpm_versions --edit target_settings.MySQL51 installed
# /scripts/update_local_rpm_versions --edit target_settings.MySQL55 installed
# /scripts/update_local_rpm_versions --edit target_settings.MySQL56 installed

Installing MySQL package

# /scripts/check_cpanel_rpms --fix --targets=MySQL50,MySQL51,MySQL55,MySQL56

Restoring the MySQL databases (backup in /home/alldb-`date +%F`.sql)

# mysql < /home/db_dump/alldb.sql

Or

# /etc/init.d/mysql stop
# mv /var/lib/mysql /var/lib/mysql_mariadb-`date +%F`
# cp -p -r /var/lib/mysql_mysql_date /var/lib/mysql
# /etc/init.d/mysql start
# mysql_upgrade

After that, check the MySQL logs and also revert the my.cnf file.

How do we know that the server is under DDOS attack?

DDOS attack measures

We can confirm it by checking the result of netstat command:

netstat -an | awk '/tcp/ {print $6}' | sort | uniq -c

This will show the states and number of connections at that time. The different states that are visible mostly in servers are:

1. ESTABLISHED – This will be legitimate connections established to the server
2. SYN_SENT – The client will be actively attempting to establish a connection.
3. SYN_RECV – A connection request has been received from the network.
4. FIN_WAIT – The socket is closed, and the connection is shutting down.
5. TIME_WAIT – The socket is waiting after close to handle packets still in the network.
6. LISTEN – The socket is listening for incoming connections.
7. LAST_ACK – The remote end has shut down, and the socket is closed. Waiting for acknowledgement.

If the number of connections in SYN_SENT, SYN_RECV, TIME_WAIT or FIN_WAIT is very large, in the thousands, then the server is surely under attack.

As a first step we can tweak the values set for SYN_SENT, SYN_RECV, TIME_WAIT and FIN_WAIT in the file /etc/sysctl.conf. Reduce the value of net.ipv4.tcp_fin_timeout to 3 or 5. Normally it will be set to 120 as default. Make the following changes in /etc/sysctl.conf

# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 3

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

Then execute the command :

sysctl -p

Then we have to find out how the attack is being performed: is it coming from one particular IP or from a large number of IP addresses? If it is from one particular IP, we can fix it by blocking that IP in the firewall. If it is from a large number of IPs with one or two connections each, we have to find more details to stop it. We will not be able to completely stop the DDOS attack, but we can tweak some settings on the server so that the number of connections is reduced.

Once we have concluded that the server is under attack by checking the number of connections in the different states, we need to find which port is being attacked. Suppose the number of connections in state SYN_RECV is large. Then we can get the details using the following command:

netstat -lpan | grep SYN_RECV | awk '{print $4}' | cut -d: -f2 | sort | uniq -c | sort -nk 1

The result will be the number of connections and the port open on the server. If the second field is 80, then the attack is on the Apache port.

In addition to the netstat command, you can use the tcpdump command to find out if there is a DoS attack on a particular port.

tcpdump -nn -tttt -i any port 80

Similarly, you can give different ports to find out which port is being attacked, for example port 53, 25 etc.

Once you know the port, you need to figure out whether the attack is on a particular domain or IP. Suppose the attack is on port 80; then we can tweak the Apache settings as follows:

1. Increase MaxClients so that we can prevent Apache from reaching its limit, since Apache then could not serve new requests. MaxClients can be set to a maximum of the limit set in ServerLimit
2. Set KeepAlive On so that KeepAliveTimeout can be set
3. Reduce the KeepAliveTimeout value to 3 or 5

So the settings will be as follows:

MaxClients 500
KeepAlive On
KeepAliveTimeout 3

/etc/init.d/httpd restart

In order to narrow down the issue, we need to find out if the attack is on any particular IP in the server. This can be found using the following command:

netstat -lpan | grep SYN_RECV | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
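The netstat checks above (state totals, SYN_RECV per local port, SYN_RECV per local IP), as an added example that is not part of the original post. It goes one step further than the page's commands by also grouping on the remote address, which answers the "one IP or many" question, and it splits each address on its last colon so that IPv6 and ::ffff: mapped addresses are counted correctly (cut -d: -f2 returns an empty field for those). The function names are hypothetical and the netstat output is constructed sample data.

```bash
#!/bin/bash
# Added example: triage of `netstat -an` output during a suspected SYN flood.
# sample_netstat is constructed data using documentation address ranges.

sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:52200       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40002       TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.23:1025      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.23:1026      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.23:1027      SYN_RECV
tcp        0      0 192.0.2.10:25           198.51.100.23:2000      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.77:40000     SYN_RECV
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.99:3333 SYN_RECV
udp        0      0 0.0.0.0:53              0.0.0.0:*
EOF
}

# Connections per TCP state, busiest first.
state_counts() {
    awk '$1 ~ /^tcp/ { c[$6]++ } END { for (s in c) print c[s], s }' |
        LC_ALL=C sort -k1,1nr -k2
}

# SYN_RECV connections grouped by "port" (local port), "local" (local IP)
# or "src" (remote IP). The address is split on its LAST colon.
synrecv_by() {
    awk -v by="$1" '
    $1 ~ /^tcp/ && $6 == "SYN_RECV" {
        addr = (by == "src") ? $5 : $4
        n = split(addr, part, ":")
        port = part[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        c[(by == "port") ? port : host]++
    }
    END { for (k in c) print c[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Percentage of all SYN_RECV connections that come from the busiest source:
# high means one address to block, low means a distributed flood.
top_source_share() {
    synrecv_by src | awk '
    NR == 1 { top = $1 }
    { total += $1 }
    END { if (total) printf "%d\n", top * 100 / total; else print 0 }'
}

echo "== states ==";             sample_netstat | state_counts
echo "== SYN_RECV by port ==";   sample_netstat | synrecv_by port
echo "== SYN_RECV by source =="; sample_netstat | synrecv_by src
echo "top source share: $(sample_netstat | top_source_share)%"
```

On a live server, pipe netstat -an into the functions in place of sample_netstat.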

After confirming the attack on the IP, we need to find out if the attack is on a particular domain on that IP or on the IP as a whole. For that, you can check the Apache error logs or the top command. If the Apache error logs show errors for a particular domain, then you will have to take steps to prevent the attack on that domain. For that we can perform the following steps:

1. We can block the connections to the domain using modsecurity. CSF is connected to modsecurity, so if we write a rule to block a domain, the IPs from which connections to the domain are made will be blocked. Since it is a DDOS attack, there will be many IPs connecting to the server, and blocking a high number of IP addresses can cause load on the server, so the server can go down. In order to prevent that, you will first have to block the checking of modsecurity in lfd.

In /etc/csf/csf.conf, set the following:

= "0"

csf -r

Then, in the modsecurity configuration file, you can add the following:

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "domain\.com"

2. You can block access to port 80 for the domain in the firewall using the following command:

iptables -I INPUT -p tcp --dport 80 -m string --string "domain.com" --algo bm -j DROP

3. If the connections are still not getting reduced, then you can limit the number of connections to the domain using the bandwidth module as follows:

/scripts/setbwlimit --domain=domain.com --limit=256000

4. If nothing helped, you can nullroute the IP using the command:

iptables -I INPUT -d XX.XX.XX.XX -p tcp --dport port -j DROP

If the domain has a dedicated IP, then there is no need for the above steps; you can directly take the IP down by deleting it from /etc/ips and restarting ipaliases. But in the case of the main shared IP, this cannot be done. We will have to reduce the TTL of the domains, move all the domains except the one being attacked to a free IP after 4 hours, and then take the IP down, so that the attack will be there for only 4 hours. But in such cases there will be issues with the cPanel license etc. We will also have to check the name server settings of the domain being attacked. If the domain is using remote name servers, then we can't change any DNS setting of the domain on the server.

In order to prevent this in future, you can add the following commands:

iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
=-=-=-=-=-=-=-

How to check the download speed for URL’s


[@im ~]$ curl http://www.centos.org > centos-org.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 24813    0 24813    0     0   114k      0 --:--:-- --:--:-- --:--:--  303k

2. Save the cURL Output to a file

We can save the result of the curl command to a file by using -o/-O options.

-o (lowercase o) the result will be saved in the filename provided in the command line
-O (uppercase O) the filename in the URL will be taken and it will be used as the filename to store the result

Note: When curl has to write the data to the terminal, it disables the Progress Meter, to avoid confusion in printing. We can use the '>', '-o' or '-O' options to move the result to a file.

[@im ~]$ curl -o mygettext.html http://www.gnu.org/software/gettext/manual/gettext.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1217k  100 1217k    0     0   708k      0  0:00:01  0:00:01 --:--:--  803k

[@im ~]$ curl -O http://www.gnu.org/software/gettext/manual/gettext.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1217k  100 1217k    0     0   684k      0  0:00:01  0:00:01 --:--:--  768k

3. Fetch Multiple Files at a time

We can download multiple files in a single shot by specifying the URLs on the command line.

$ curl -O URL1 -O URL2