

DreamTemplate.com FTW

One of my blog sponsors gave me the opportunity to write an unbiased review about DreamTemplate.com. You’ll have to forgive me for my lack of ‘reviewing’ experience, because I don’t do these very often.

Overview:

DreamTemplate.com is a service that offers thousands of “exclusive premium web content solutions” for webmasters that are created by professional artists and design experts, with a focus of delivering top-quality website templates without the hefty pricing of hiring a programmer/designer.

First Impression:

The layout of the site itself is very clean and organized, and the extensive template category list shows in detail what kinds of templates are offered, unlike other template services that make you guess and use a nasty search box only to not find what you’re looking for.  The design of the site, however, could be a little more creative considering the impressive level of design and artistic-ness shown in the templates they produce.

The Templates:

A lot of design sites resell templates from other services, so you tend to see the same templates on dozens of distributor sites all taking credit for them.  I’ve seen a lot of template sites, but so far have not seen any repeats on DreamTemplate.com…this leads me to the impression that their templates are truly original, which in my opinion makes their service more reliable.  What I also found interesting is that while there are a few similarities between the different templates, they are all unique in their design and no two look entirely alike.

The service:

At the time of my writing, they offer over 300 FREE templates and well over a few thousand paid website templates starting at under $60.  Considering what you’d normally expect from free or cheap templates, I’m surprised they aren’t charging more for them.  Their info page claims that the designers spend up to 15 hours (or more) on the design, so you’re definitely getting a deal.  Subscriptions are also available for users to have access to thousands of templates without paying for each individually.

Negatives:

I don’t really see many pitfalls, but one thing I didn’t see is an emphasis on support.  You assume responsibility for downloading pre-made website templates, but one thing I would like to see is a maintenance or customization service for inexperienced users to be able to pay to have the template customized to their website, including the addition of content, graphics, etc.  They may already offer this service but I didn’t see it mentioned on the site, so if it’s available it needs to be made a little more obvious.



Dual Monitor Setup in Ubuntu 7.10, ATI Radeon

The company just bought our department brand hooked up PC’s that include ATI Radeon dual output graphics cards with massive monitors.  This is probably the only time I’d willingly admit that Windows came out ahead, as I spent a good 2 days trying to get my dual monitors to work with Ubuntu.  I finally got it figured out and I’m embarrassed to say that the answer was in front of me the whole time — a fucking GUI!  Anywho, those of you who are having trouble with this as well, here’s what I did to make it work:

My setup:

  • Dell Vostro 200, Dual Core Intel CPUs, 2 Gb RAM
  • ATI Radeon HD 2400 dual output graphics card (both monitors plugged into card)
  • Two Dell 17” monitors

So first, shimmy over to http://ati.amd.com/support/driver.html and select your distro and card model, and download the file to your desktop.

In Terminal, chmod +x ati-driver-installer-<version>.run

Select Linux x86 installation, automatic

After the installation is complete, run:

sudo aticonfig --initial

Reboot.

After reboot, run fglrxinfo and you should get something like this describing your card:

OpenGL vendor string: ATI Technologies Inc.
OpenGL renderer string: ATI Radeon HD 2400 PRO
OpenGL version string: 2.1.7537 Release

At this point you probably see that both monitors are enabled, but are mirroring each other.  If you don’t, you might need to manually activate the second:

sudo aticonfig --query-monitor

Use the output of that command and run:

sudo aticonfig --enable-monitor=<result1>,<result2>

Replace result1 and result2 with the output of the first command.  Possible results are: none, crt1, crt2, lvds, tv, tmds1, tmds2

If the enable works, make it permanent:

sudo aticonfig --force-monitor=<result1>,<result2>

When both your monitors are up (whether they look how you want or not), in your GNOME gui, go to Applications > ATI Catalyst Control Center. This is where you configure how you want your dual monitors to act.

In Display Manager, set the dropdown to two monitors and change the Display Mode to “Big Desktop” — this will enable both monitors as one long desktop that you can drag your mouse and windows between.  You can also go ahead and set your resolution.

And there you go — easy dual monitor setup for Ubuntu 7.10!



WHM APF Plugin

I’m happy to announce my first ever perl-written plugin for WebHost Manager, which was developed by myself and one of my fellow sysadmins at InMotion Hosting. The first release is available here:

Download v.1.05

Download Now

To explain a little bit of background here, many hosting companies that give some sort of **** about security will leave SSH port 22 closed except for specified IPs. Us being one of them, requests from customers for us to add their IPs to their firewalls are rather redundant when we host over 900 V-dedicated systems and 100 Dedicated boxes where customers can opt for SSH access. Therefore, I decided that it would be well worth our efforts to create a WHM plugin to allow customers to add their own IPs without ever having to contact us. I am aware that some plugin developer already has a more sophisticated APF plugin for WHM but you have to pay for it.

Requirements:

- cPanel/WHM (tested on version 11.18)

- APF 0.9 (tested on 0.9.6)

- iptables enabled and working (if you are able to restart APF without any errors, it’s probably fine)

Note: default privileges will allow anyone with WHM/reseller access to use this plugin. You can manually change this in the addon_add2apf.cgi file if you want.

Installation:

cd /usr/local/cpanel/whostmgr/docroot/cgi
wget http://v-nessa.net/wp-content/scripts/apfadd_whm_1.05.tar.gz
tar -xvzf apfadd_whm_1.05.tar.gz
rm -f apfadd_whm_1.05.tar.gz

Simple enough?

From there, load up WHM and on the left side you’ll see an option to “Add IP to Firewall” and the plugin page will give you examples of what you can add. The script is set up to allow:

Hostname - v-nessa.net
Single IP - 205.134.252.71
IP CIDR - 205.134.252.71/24
Port/IP - d=22:s=205.134.252.71
Port/CIDR - d=22:s=205.134.252.71/24

Of course, the error checking is not perfect, so just be aware of what you’re adding or you might unintentionally ‘break’ your firewall, which usually results in blocked traffic.
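
A stricter check for the five entry formats listed above, as an added example (Python, not the plugin's Perl and not part of addon_add2apf.cgi). The function names and the MIN_PREFIX limit of /16 are assumptions made for the illustration.

```python
import ipaddress
import re

MIN_PREFIX = 16  # assumed site policy: refuse networks broader than a /16

_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
_PORT_RULE = re.compile(r"d=([0-9]{1,5}):s=(\S+)")


def _classify_source(text):
    """Return 'ip', 'cidr' or 'hostname' for a source value, else raise ValueError."""
    if "/" in text:
        addr, _, prefix = text.partition("/")
        if not re.fullmatch(r"[0-9]{1,2}", prefix):
            raise ValueError("prefix length must be a number")
        ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
        if not MIN_PREFIX <= int(prefix) <= 32:
            raise ValueError("prefix length outside %d-32" % MIN_PREFIX)
        return "cidr"
    try:
        ipaddress.IPv4Address(text)
        return "ip"
    except ValueError:
        pass
    labels = text.split(".")
    if (len(text) <= 253 and len(labels) >= 2 and not labels[-1].isdigit()
            and all(_LABEL.fullmatch(label) for label in labels)):
        return "hostname"
    raise ValueError("not an IPv4 address, CIDR block or hostname")


def classify_entry(raw):
    """Return the kind of allow-list entry, or raise ValueError if it is unsafe."""
    entry = raw.strip()
    # The allow list is line-based, so embedded whitespace or control
    # characters would let one submission add a second, unreviewed rule.
    if not entry or any(ch.isspace() or not ch.isprintable() for ch in entry):
        raise ValueError("empty entry or embedded whitespace/control character")
    rule = _PORT_RULE.fullmatch(entry)
    if rule:
        if not 1 <= int(rule.group(1)) <= 65535:
            raise ValueError("port outside 1-65535")
        kind = _classify_source(rule.group(2))
        if kind == "hostname":
            raise ValueError("port rules take an IP or CIDR source")
        return "port/" + kind
    return _classify_source(entry)


def is_valid(raw):
    """True when classify_entry accepts the entry."""
    try:
        classify_entry(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the page's five formats plus entries that must be refused.
    samples = ["v-nessa.net", "205.134.252.71", "205.134.252.71/24",
               "d=22:s=205.134.252.71", "d=22:s=205.134.252.71/24",
               "0.0.0.0/0", "d=70000:s=205.134.252.71",
               "205.134.252.71\nd=22:s=0.0.0.0/0"]
    for sample in samples:
        print(repr(sample), "->", classify_entry(sample) if is_valid(sample) else "REJECTED")
```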

Eventually I’m sure I’ll end up adding the ability to manage ports and remove IPs for users with a certain access level, but currently I don’t see a need to do so because I don’t believe that non-root users should have that type of access. Note that per the readme, you can edit the addon file to limit access to users with a certain reseller ACL privilege.



Sexifying WHM with XML API

I don’t know about you other cPanel system admins out there, but I find WHM to be very useful for the more advanced and time-consuming tasks, such as installing SSL certificates. However, the easy stuff like changing an account’s package and resetting passwords is a royal pain in the ass as far as convenience is concerned when you have to log into WHM, list accounts, and make whatever change.

I recently became favorable towards the WHM XML API functionality which will let me do a majority of the everyday account-related tasks from command line without ever opening my browser, which is a lot easier when managing thousands of users across multiple servers. Below are a couple scripts I’ve put together using the XML API from a base script in the cPanel forums:

Change account password

Change account package

Both are run via command line, and the arguments passed to the PHP script as variables. For example, to change an account’s password:

./chacctpass myuser mypass1234

Customizing these scripts to perform different functions is easy via the following steps:

- change if ($argc != 3) to the number of command line arguments you wish to pass to the script plus one. In the above example there are two arguments and since the script name counts, add one and that makes 3.

- in the section where the arguments are assigned to variables (like $cpuser, etc), name your variables. The first one should have an array value of 0, then 1, 2, etc.

- edit the usage example, which will come up if the required number of arguments is not provided…you can add any text you like

- if you’re using a hash (which is more secure than user/pass authentication), go fetch your remote access key from WHM and put it in the $hash value within quotes, format intact. Otherwise, put in your WHM user’s username and password

- change the $server variable to your server’s hostname

- change $apipath to the WHM path for the function you are using. You can find a whole list of them here, and most will give you the path to use in the examples sections. In the API path, insert your variable names where the values are supposed to be. For instance:

$apiPath = "/xml-api/passwd?user=myuser&pass=mypass1234";

Would be:

$apiPath = "/xml-api/passwd?user=$cpuser&pass=$newpass";

In the header section, uncomment whichever $header .= "Authorization: ..." line matches your authentication method (user/pass or hash)

Once you’ve configured your API script, chmod to 700 and run from the command line as shown in my example. It’s better to lock down the script by changing its ownership only to the user that will be using it, and not giving read, write, or execute permissions to anyone else.

Note: for these scripts to work you have to have PHP compiled with OpenSSL support, otherwise change the socket variables to http over port 2086.
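
The interpolated $apiPath above sends the wrong value when a password contains &, = or #. This added example (Python rather than the PHP of the scripts, and not part of them) percent-encodes the parameters and builds both header styles; the function names, server.example.com and the WHM user:hash header form are assumptions.

```python
import base64
from urllib.parse import parse_qs, quote, urlencode, urlsplit


def naive_path(user, new_pass):
    """The interpolation shown above, kept only for comparison."""
    return "/xml-api/passwd?user=%s&pass=%s" % (user, new_pass)


def build_api_path(function, params):
    """Return /xml-api/<function>?<query> with every name and value percent-encoded."""
    if not function.isalnum():
        raise ValueError("unexpected API function name: %r" % function)
    return "/xml-api/%s?%s" % (function, urlencode(params, quote_via=quote))


def auth_header(user, password=None, access_hash=None):
    """Build the Authorization line for hash or user/pass authentication."""
    if access_hash is not None:
        # The remote access key is pasted as a multi-line block; the header
        # carries it as one line, so all whitespace is removed (assumed format).
        return "Authorization: WHM %s:%s" % (user, "".join(access_hash.split()))
    if password is None:
        raise ValueError("either a password or an access hash is required")
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return "Authorization: Basic " + token


def build_request(server, path, header):
    """Assemble the raw request; a CR or LF in any field would split the headers."""
    for field in (server, path, header):
        if "\r" in field or "\n" in field:
            raise ValueError("line break in request field")
    return "GET %s HTTP/1.0\r\nHost: %s\r\n%s\r\n\r\n" % (path, server, header)


def received_params(path):
    """Parse a path the way the receiving end would, to show what arrives."""
    return parse_qs(urlsplit(path).query)


if __name__ == "__main__":
    tricky = "p&ss=w#rd 1"  # constructed password with URL-special characters
    print(received_params(naive_path("myuser", tricky)))
    safe = build_api_path("passwd", {"user": "myuser", "pass": tricky})
    print(received_params(safe))
    print(build_request("server.example.com", safe,
                        auth_header("root", access_hash="abc\ndef\n")))
```

Taking the new password from standard input or a prompt instead of an argument also keeps it out of the process list and shell history.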



Nomao is Probably the Sexiest Thing I’ve Seen All Week

I came across nomao.com today and I must say that it’s probably the best non-social networking site I’ve seen so far. It’s basically a website where you sign up and add your favorite hot spots and important locations so your friends can look at your profile and get directions to wherever. It’s kind of like a social map, and it lets you add pictures and video to your locations, schedule events, and recommend your spots to friends. It also has a nice export feature for you to post your map to various blogging platforms. Here’s a map I took of my house:

Anywho, sign up for an account and add me to your friends list so I can stalk check out where everyone’s going. I have no idea how long this site has been around and why it took so long for me to find it, but it’s my new toy for the next month.



The Big 21

Well, my 21st birthday is finally here…yay! Of course, all that means to me is that I can now do everything I’ve already been doing for the last four years, only now I’d be doing it legally. So happy birthday to me, I’m getting plastered tonight.

FYI, no pics yet — the party is this Friday the 25th so I’ll have plenty then and I’ll post ‘em here.



The Super-Duper Way to Run Backups

I often worry about my PC at work — it’s about 3 or 4 years old now and I’ve already crashed it twice by running Ubuntu updates and not letting them finish. Luckily I have my home drive mounted as a separate partition so reinstalling the OS isn’t a huge inconvenience aside from having to reinstall all my apps.

After doing some googling I came across SBackup, which is a simple backup program to back up whatever on your system to wherever you want to keep your backups — without having to configure a script.

First, install sbackup via apt-get, yum, or whatever other package manager you use:

$ sudo apt-get install sbackup

Then open the backup manager under System > Administration > Simple Backup Config

Now, I used the custom backup settings because I didn’t want to back up everything on my system — all I’m concerned about is everything in my home directory, such as my Documents, email, and porn browser settings. To select what you want backed up, go to the Include tab and Add Directory or Add File to include files and folders in your backups.

Naturally there are some files within your selected folders that you don’t want to back up, like your trash and cache. You can add those under the Exclude tab.

Next set your timing — I did ‘precisely’ every day at 5pm when I won’t be here to experience the extreme lag of my 14G home directory being tarred up. As for the Purging options, I chose Logarithmic so that I don’t have old backups that I don’t need — I only need the backups in case my PC crashes and I lose everything, so I don’t care about backups from two weeks ago.

The destination part is where you want your backups to go. The default is /var/backup, but if your PC crashes, that isn’t going to be very convenient for you. Therefore one of the two options should be the one you go with:

- Custom local directory: If you have a floppy disk (which I pray you do not) or a USB drive, you can usually find those in the /media directory and have those mounted to copy your backups

- Remote directory: If you have FTP or SSH access to a remote server, you can have your backups uploaded. The syntax is simple:

ssh://user:password@serverip:/remote/dir

After you have everything configured, save your settings and hit Backup Now! to run a test and make sure everything is working.



An Investigation of Sexual Chocolate

My phrase last week was “sexual chocolate” — I have no idea where I heard it from or why I had such an urge to repeat it and linger on the laughter and dirty looks. I thought it was something like chocolate that you use during, um, relations, but it appears that I was sooooo wrong as there are many meanings:

Meaning 1: A band in the movie “Coming to America”

Sexual Chocolate is the name of a Melbourne, AU cover band that performs in night clubs, not to be confused with the name of Eddie Murphy’s band in the 1988 movie “Coming to America” that performed Whitney Houston’s single “Greatest Love of All.”

Meaning 2: A song by Cee-lo with the following chorus:

They call it the - sexual chocolate
Eh, good God y’all - sexual chocolate
Ho, take it easy now - sexual chocolate
Hey, eh-eyyyy now now - sexual chocolate
Oooh, and they call it the - sexual chocolate
Ho, good God y’all - sexual chocolate
Huh, take it easy now - sexual chocolate
Ahhhh-hah hah-ahhhh-ahhhh - sexual chocolate

Meaning 3: A 60’s and 70’s term used to describe gay, black men.

Meaning 4: What this guy from Sparrows Point, Maryland calls himself on MySpace

Meaning 5: Something like 2girls1cup.com  (sorry, no link because it’s against our TOS)

Meaning 6: A sexy person dipped in chocolate

“Give me a piece of that sexual chocolate!”

However, the definition that won the prize was given quite bluntly on urbandictionary.com as “chocolate that happens to be sexual”.

Thank you, urbandictionary.com, for being so politically correct in a time of crisis.



Moving Towards PCI Compliance with cPanel

Those of you who are server admins or use certain merchant services know what I’m talking about — it’s that dreaded security scan that picks apart your server to tell you everything that it thinks is wrong, assuming you have the knowledge or access to fix it: yes, the PCI scan. PCI compliance is a somewhat new procedure used by security companies and financial institutions to measure the security of a webserver that collects and stores sensitive information. The reasons for getting a scan vary, but are most commonly for legal reasons or just the assurance that your server is not subject to certain vulnerabilities.

After dealing with 2-3 PCI scans a week for the last year, I’ve put together a common procedure for how to make your server compliant to current PCI standards. Note that each scan company is different and may report other issues, and if you’re using ControlScan then, well, I feel sorry for you. I’m also assuming that you are on a Linux server running cPanel and LAMP.

Step 1: Make sure you have a firewall

PCI scans are nazis about unjustified open ports, so only open the ones that you need in order for services to run effectively. Manually configuring iptables is a pain in the ass, so I recommend using APF or CSF (if you have cPanel) and then configuring the allow rules to only allow ports for active services.

Note that both indicate the opening of cPanel ports 2082, 2095, and 2086, but some scans will complain about these being nonsecure. If that is the case you can configure within WHM to only use the secure ports, then remove the nonsecure ones from the firewall so they can’t be accessed. You should also close MySQL port 3306 to external hosts and allow it on a per-IP basis if anyone other than localhost has to be allowed.

Step 2: Update your system

This is an obvious one, but you’d be surprised how many people still have old packages installed on the server. With cPanel, running /scripts/upcp will usually update the vital system software as long as you have your update configuration in WHM set to allow it, but otherwise I would recommend doing a yum update, up2date, or whatever else you use to manage packages to make sure everything is up to date.

Nowadays old versions of MySQL, PHP, and Apache are no longer squeezing through either, so you need to upgrade to at least MySQL 4.1.22, PHP 5.2.5, and Apache 1.3.39 (some scans will want Apache 2.0.x).

Step 3: Fix OpenSSL

If you did a package update this was probably already taken care of, but if you installed via source you need to make sure you’re using at least 0.9.7j, which is the oldest version that most PCI scans allow. You can get your sources from here, and it may require a recompile of Apache and other services that use it. To check your OpenSSL version, type ‘openssl‘ from your SSH prompt and then type ‘version‘.

Note to Redhat/Fedora/CentOS users: If you’re running a somewhat recent version of your OS your openSSL version probably is something like 0.9.7a, but due to Redhat backporting this may be a false-positive. If you’re on any Redhat-based distribution, just tell your scan company and they’ll bypass OpenSSL checks.

Step 4: Check your SSL certificates

In order to pass a PCI scan your server must have at least one SSL certificate signed by a recognized certificate authority, and any services using SSL need to be using a certificate as well. Go cough up $30-$100 and buy a decent 264-bit SSL certificate and install it not just for Apache, but also for all of your active services. WebHost Manager has a section for installing service SSL certificates to make this process easier.

Step 5: Disable SSLv2 and other weak encryption methods

This one always gets me, because there is no way to disable SSLv2 for everything at once, at least not one that I know of. What makes this part the worst is that not all services support the choosing of SSL protocols and ciphers, but luckily unless you are using ControlScan the ones that don’t are probably not going to show up. Here’s how you do it for common services that are reported:

Apache:

Add these lines to your httpd.conf (you may need to add them to each secure vhost as well):

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

POP3 and IMAP:

Edit the following files:

/usr/lib/courier-imap/etc/pop3d-ssl
/usr/lib/courier-imap/etc/imapd-ssl

Comment out the existing TLS_CIPHER_LIST line and replace it with the following and restart courier-imap:

TLS_CIPHER_LIST="ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"

Exim:

Add the following to exim.conf:

tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2

For other services that might be on your system, take a look at this guide.

Step 6: Disable mod_userdir (or whatever cPanel is calling it nowadays)

If you are able to go to http://yourserverip/~yourusername, then you have mod_userdir enabled and the scan will probably complain. You can disable this in WHM under Security Center > Apache mod_userdir Tweak, or in httpd.conf add “userdir disabled user1 user2 user3 …etc”

Step 7: Put Apache in incognito mode and disable the bad stuff

If you try to get an Apache error (like a 404 error), the footer of that page probably contains more information than you may want to share about your Apache setup. You can disable this in your httpd.conf by adding these lines:

ServerSignature Off
ServerTokens Prod
FileETag None

You can read more about these here.

Another thing that some scans report is the use of 413 errors. You should add this line to httpd.conf as a workaround:

ErrorDocument 413 /index.php (or any other file)

Just about all scans will complain if the ‘trace’ and ‘track’ apache methods are enabled on your server. You can fix this by adding these lines to your Virtualhost entries or .htaccess files:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
RewriteRule ^.*$ - [F]

You should also disable directory indexes, which can be done most easily in your cPanel’s index manager. Directory indexes allow the listing of files inside folders that do not have an index page. You can also disable these in your .htaccess files:

Options All -Indexes
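
To confirm the Apache settings from Steps 5 and 7 before requesting a rescan, here is an added example (not from the original post) that audits an httpd.conf fragment. The sample configuration is constructed, and the SSLProtocol and Options handling is a simplified model that treats the file as flat and expects each directive to appear explicitly.

```python
import re

# Constructed httpd.conf fragment; two settings are deliberately left weak.
SAMPLE_CONF = """\
ServerTokens Prod
ServerSignature On
FileETag None
SSLProtocol all -SSLv3
<VirtualHost *:443>
    SSLProtocol -ALL +SSLv3 +TLSv1
    Options All -Indexes
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
    RewriteRule ^.*$ - [F]
</VirtualHost>
"""
PROTOCOLS = {"sslv2", "sslv3", "tlsv1"}  # the protocol names this page deals with

def enabled_protocols(args):
    """Apply mod_ssl's rules: +name adds, -name removes, a bare name replaces."""
    enabled = set()
    for token in args.lower().split():
        name = token.lstrip("+-")
        chosen = set(PROTOCOLS) if name == "all" else {name}
        if token.startswith("+"):
            enabled |= chosen
        elif token.startswith("-"):
            enabled -= chosen
        else:
            enabled = chosen
    return enabled

def indexes_enabled(args):
    """Simplified Options model: does this line leave directory listings on?"""
    listing = False
    for token in args.lower().split():
        if token in ("all", "indexes", "+indexes", "none", "-indexes"):
            listing = token in ("all", "indexes", "+indexes")
    return listing

# (directive, test applied to every occurrence, finding reported on failure)
CHECKS = [
    ("sslprotocol", lambda v: "sslv2" not in enabled_protocols(v),
     "SSLProtocol leaves SSLv2 enabled"),
    ("serversignature", lambda v: v.lower() == "off", "ServerSignature is not Off"),
    ("servertokens", lambda v: v.lower() in ("prod", "productonly"),
     "ServerTokens is not Prod"),
    ("fileetag", lambda v: v.lower() == "none", "FileETag is not None"),
    ("options", lambda v: not indexes_enabled(v), "Options leaves Indexes enabled"),
]

def audit(conf):
    """Return findings in check order; an empty list means every check passed."""
    seen = {}
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith(("#", "<")):
            seen.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    # A directive that never appears is reported too, so the setting is explicit.
    findings = [message for name, ok, message in CHECKS
                if not seen.get(name) or not all(ok(v) for v in seen[name])]
    conds = [v.lower() for v in seen.get("rewritecond", [])]
    conds = [v for v in conds if "%{request_method}" in v and "trace" in v and "track" in v]
    rules = [v for v in seen.get("rewriterule", []) if re.search(r"\[[^\]]*\bF\b", v)]
    if not (conds and rules):
        findings.append("TRACE/TRACK are not refused by a rewrite rule")
    return findings

# The same fragment with both weak lines replaced by the values given above.
HARDENED_CONF = (SAMPLE_CONF.replace("ServerSignature On", "ServerSignature Off")
                 .replace("SSLProtocol all -SSLv3", "SSLProtocol -ALL +SSLv3 +TLSv1"))
```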

Ending notes

Really, it doesn’t matter how secure your server is if your web application is poorly programmed, so your server should not be the ending point in security. Some PCI scan companies are able to detect common vulnerabilities in web applications, but you should take the extra steps to stay ahead of the game and update your site software on a regular basis.



I got Blogged-eded.

v-nessa.net at Blogged

The good people over at blogged.com ranked me at an 8.2 out of 10. I never even heard of blogged.com until I got an email from one of their editors yesterday stating:

“We evaluated your blog based on the following criteria: Frequency of
Updates, Relevance of Content, Site Design, and Writing Style.
After carefully reviewing each of these criteria, your site was given its 8.2 score.”

Looking over the site it looks like it has a nice directory of blogs in there, as each one is rated on a scale of 1 to 10 based on their quality and are hand-picked by the editors. Users have the ability to rank your blog too but according to the FAQ’s it doesn’t significantly affect your rating because the editors rate all of the blogs. Either way, I feel like I’m back in high school again trying to run a popularity contest. So ummm…vote for me.

