How to configure the passive ports range for ProFTPd on a server behind a firewall

Note: When configuring the passive port range, a selected port range must be in the non-privileged range (e.g., greater than or equal to 1024). It is strongly recommended that the chosen range should be large enough to handle many simultaneous passive connections. The default passive port range is 49152-65535 (the IANA registered ephemeral port range).

1. Connect to a server via SSH.
2. Run the command below to check if the passive port range is configured in the FTP server:
   # sed -n '/\<Global/,/\/Global/p' /etc/proftpd.conf /etc/proftpd.d/* | grep PassivePorts
   If the command returns the same output as below, the passive port range is set up in ProFTPd configuration. Continue to step 3.
   PassivePorts 49152 65535
   If no output is returned, configure the passive port range:
   2.1. Create the /etc/proftpd.d/55-passive-ports.conf file using the following command:
   # touch /etc/proftpd.d/55-passive-ports.conf
   2.2. Open the /etc/proftpd.d/55-passive-ports.conf file in a text editor. In this example, we use the vi editor:
   # vi /etc/proftpd.d/55-passive-ports.conf
   2.3. Paste the content below in the file:
   <Global>
   PassivePorts 49152 65535
   </Global>
   2.4. Save the changes and close the file.
3. Enable the kernel modules in the system:
   Note: Actions that involves kernel modules configuration should be performed on a physical or a virtual machine with full hardware emulation. If a VZ container is used, the same actions should be performed on a hardware node where this VZ container is running.
   3.1. Enable the nf_conntrack_ftp module:
   # /sbin/modprobe nf_conntrack_ftp
   3.2. If the server is behind the NAT (private IP address is configured in the system), enable the kernel nf_nat_ftp module as well:
   # /sbin/modprobe nf_nat_ftp
   3.3. Verify the changes:
   # lsmod | grep nf_nat_ftp
   nf_nat_ftp 16384 0
   nf_conntrack_ftp 20480 1 nf_nat_ftp
   nf_nat 32768 1 nf_nat_ftp
   nf_conntrack 131072 3 nf_conntrack_ftp,nf_nat_ftp,nf_nat
   3.4. To keep the changes after a system reboot, apply these steps:
   • Add the modules to the /etc/modules-load.d/modules.conf file with these commands:
     # echo nf_nat_ftp >> /etc/modules-load.d/modules.conf
     # echo nf_conntrack_ftp >> /etc/modules-load.d/modules.conf
   • On CentOS/RHEL-based distributions, add the modules to the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config file as follows:
     # cat /etc/sysconfig/iptables-config | grep IPTABLES_MODULES
     IPTABLES_MODULES="nf_conntrack_ftp ip_nat_ftp"
4. Restart the xinetd service to apply changes:
   # service xinetd restart
5. Open the passive port range in a firewall:
   Note: If there is an intermediate firewall between a Plesk server and the Internet, make sure that the passive port range is allowed in its configuration as well. Contact your Internet Service Provider for assistance.
   To open the ports in a local firewall, follow these steps:
   • Manually
     # iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     # iptables -I INPUT 2 -p tcp --match multiport --dports 49152:65535 -j ACCEPT
     # service iptables save
   • Using Plesk Firewall (Recommended)

Read More

Watch mysql processlist in (almost) real time

watch -n 1 “mysql -h 10.0.0.1 -u username -pPASSWORD -e ‘SHOW PROCESSLIST;'”

Read More

.my.cnf – mysql user & password

This one is for lazy ones! If you are paranoid about security, do not use this.

Create file ~/.my.cnf and add following lines in it and replace mysqluser & mysqlpass values.

[client]
user=mysqluser
password=mysqlpass

For safety, make this file readable to you only by running chmod 0600 ~/.my.cnf 

Read More