
Wednesday, 23 April 2014

How to manage "Error establishing database connection" error

1. First, verify whether the MySQL server is running. If it is not running, check the error log at

/var/lib/mysql/hostname.err

The error will be recorded there. Fix it and start the MySQL instance.

2. Sometimes you will see this error even after a successful restart of the MySQL server. Check whether the error appears on all sites. If it affects only one domain, the cause is that site's database connection string.

Make sure the database user has sufficient permissions on the database. Also update the database user's password, using the WHM >> SQL user password reset option, so that it matches the site's configuration file.

This will fix the issue.

3. If everything is updated correctly and the error still appears, check whether the database is corrupted. You can check this by taking a backup of the database with mysqldump. If it reports an error for any table, fix that table and the error will disappear.

On some WP sites, the WP Super Cache plugin has caused caching issues, so check the cache settings too when handling WP sites.

Wednesday, 16 April 2014

How to Get Rid of Heartbleed Bug


The best way to get rid of the "Heartbleed Bug" is to upgrade OpenSSL to the latest version.

Run the commands below to update OpenSSL:

curl https://www.openssl.org/source/openssl-1.0.1g.tar.gz | tar xz && cd openssl-1.0.1g && ./config && make && make install

ln -sf /usr/local/ssl/bin/openssl `which openssl`

openssl version

You are done :)
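
A post-upgrade check, added here as an example (it is not part of the original post). `openssl version` reports only the command-line binary, while a running daemon keeps whatever libssl it loaded at start, so the script checks both. The function names and the sample lines are constructed for this illustration.

```sh
#!/bin/sh
# Added example: Heartbleed (CVE-2014-0160) post-upgrade checks.

# Classify one line of `openssl version` output.
# Upstream releases 1.0.1 through 1.0.1f and 1.0.2-beta/-beta1 are affected;
# 1.0.1g carries the fix. Distribution packages often backport the fix
# without changing this string, so trust the result only for source builds.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        "")                                     echo unknown ;;
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*)  echo vulnerable ;;
        1.0.2-beta|1.0.2-beta1)                 echo vulnerable ;;
        1.0.1[g-z]*)                            echo patched ;;
        *)                                      echo not-affected ;;
    esac
}

# Read /proc/<pid>/maps text on stdin and list each mapped libssl once.
# "stale" means the file was replaced or removed on disk while still loaded.
libssl_mappings() {
    awk '$6 ~ /libssl\.so/ {
             print $6, ($7 == "(deleted)" ? "stale" : "current")
         }' | sort -u
}

# Constructed sample of maps lines (not taken from a real host).
sample_maps() {
    cat <<'EOF'
7f3c1a200000-7f3c1a25a000 r-xp 00000000 fd:01 395812 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3c1a25a000-7f3c1a45a000 ---p 0005a000 fd:01 395812 /usr/lib64/libssl.so.1.0.1e (deleted)
7f9b04000000-7f9b0405c000 r-xp 00000000 fd:01 401177 /usr/lib64/libssl.so.1.0.1e
7f9b05000000-7f9b051b0000 r-xp 00000000 fd:01 393301 /usr/lib64/libc-2.12.so
EOF
}

# Live check on this host: the CLI binary, then the libssl files in use.
heartbleed_status "$(openssl version 2>/dev/null)"
cat /proc/[0-9]*/maps 2>/dev/null | libssl_mappings
```

Any `stale` line means at least one process has to be restarted before it uses the library now on disk.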

Thursday, 10 April 2014

Disable Recursion for DNS [Plesk,Windows and Linux]

                     

To limit attacks on your name server and keep its resources from being consumed by large volumes of illegitimate queries, it is wise to disable recursive lookups from the Internet for domains that are not served by your DNS server. The DNS server will attempt to resolve the name locally, then will forward requests to any DNS servers specified as forwarders. If "Do not use recursion for this domain" is enabled, the DNS server will pass the query on to forwarders, but will not recursively query any other DNS servers (e.g. external DNS servers) if the forwarders cannot resolve the query. If "Disable recursion (also disables forwarders)" is set, the server will attempt to resolve a query from its own database only. It will not query any additional servers.

Disable Recursion in Plesk

   1. Log into the Plesk Admin Panel.
   2. Select Tools and Settings.
   3. Click DNS Template Settings from the section.
   4. Select Localnets from the DNS Recursion section.
   5. Click the OK button.

Disable Recursion in Windows Server 2003 and 2008

  1. Access the DNS Manager from the Start menu:
        Click the Start button.
        Select Administrative Tools.
        Select DNS.
  2. Right-click the desired DNS server in the Console Tree.
  3. Select the Properties tab.
  4. Click the Advanced button in the Server Options section.
  5. Select the Disable Recursion checkbox.
  6. Click the OK button.

Disable Recursion in Linux

    1. Open the named.conf file (/etc/bind/named.conf or /etc/named.conf) in your preferred editor.
    2. Add the following details to the options section:
       allow-transfer {"none";};
       allow-recursion {"none";};
       recursion no;
    3. Restart the service.
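
To confirm the change took effect, query the server from a host outside its own networks and look at the RA (recursion available) flag in the reply. The script below is an added example, not part of the original post; the function names are made up for it and the dig headers are constructed samples.

```sh
#!/bin/sh
# Added example: confirm from outside that recursion is really off.

# Read `dig` output on stdin and report the RA (recursion available) flag.
recursion_state() {
    awk '
        /^;; flags:/ {
            seen = 1
            sub(/^;; flags:/, "")      # leaves " qr rd ra; QUERY: 1, ..."
            sub(/;.*/, "")             # leaves only the flag list
            n = split($0, flag, " ")
            for (i = 1; i <= n; i++) if (flag[i] == "ra") ra = 1
        }
        END {
            if (!seen)   print "unknown"   # no reply header (timeout, no dig)
            else if (ra) print "open"      # server offers recursion
            else         print "closed"    # recursion not offered
        }'
}

# Query SERVER for NAME. NAME must be a domain the server does not host,
# otherwise the answer comes from its own zone data and proves nothing.
check_resolver() {
    dig +time=3 +tries=1 @"$1" "$2" A 2>/dev/null | recursion_state
}

# Constructed dig headers: a recursive resolver, then a server with recursion off.
sample_open() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4821
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_closed() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1190
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
EOF
}

sample_open   | recursion_state
sample_closed | recursion_state
```

On a real server, run `check_resolver <server-ip> <domain-not-hosted-there>`; with the Plesk "Localnets" setting the result is expected to differ between local and external clients.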


Wednesday, 2 April 2014

While Handling Site loading slow issue!

Hey Guys,

If a client complains that the site is loading slowly for them, it is not good practice to reply with "it's loading fine from our end!". There are a few reasons that can make a site load slowly:

1. Server load

First, make sure the server load is not high. A few commands can help you monitor it:

# nice top -c
# sar

If they show no spike in the logs, you can move to the next step.

2. Apache connections

Make sure there are not too many connections to port 80. On an OpenVZ VM, 500 connections to that VM is a rather high value.
Make sure there is no DDoS in progress. You can use the command below to check the connections to the server:

# netstat -plan | grep :80 | wc -l [to check the current connections to port 80]

Many options are available for the netstat command. If you notice any IP with a large number of connections, block it on the firewall.
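
To see which IPs hold the connections, count them per source address. The script below is an added example, not from the original post; unlike `grep :80`, it matches the local port exactly, so port 8080 and remote ports such as 8012 are not counted. The function names and the netstat lines are constructed for this illustration.

```sh
#!/bin/sh
# Added example: per-source connection counts for one local port.

# Usage: netstat -plan | conns_per_ip PORT MIN_COUNT
# Prints "count ip" for every remote IP with at least MIN_COUNT connections
# to local PORT, busiest first. Listening sockets are skipped.
conns_per_ip() {
    awk -v port="$1" -v limit="$2" '
        $1 ~ /^tcp/ && $6 != "LISTEN" && $4 ~ (":" port "$") {
            ip = $5
            sub(/:[0-9]+$/, "", ip)    # drop the remote port
            sub(/^::ffff:/, "", ip)    # fold IPv4-mapped IPv6 into IPv4
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= limit) print count[ip], ip }
    ' | sort -rn
}

# Constructed sample of `netstat -plan` output (documentation addresses).
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:80              0.0.0.0:*                LISTEN      1201/httpd
tcp        0      0 192.0.2.10:80           203.0.113.7:51514        ESTABLISHED 1333/httpd
tcp        0      0 192.0.2.10:80           203.0.113.7:51515        ESTABLISHED 1334/httpd
tcp        0      0 192.0.2.10:80           203.0.113.7:51516        SYN_RECV    -
tcp        0      0 192.0.2.10:80           198.51.100.23:40112      TIME_WAIT   -
tcp        0      0 192.0.2.10:8080         203.0.113.7:51600        ESTABLISHED 1400/java
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.7:51517 ESTABLISHED 1335/httpd
tcp        0      0 192.0.2.10:443          198.51.100.23:40200      ESTABLISHED 1336/httpd
EOF
}

# Show every source with at least 3 connections to port 80 in the sample.
sample_netstat | conns_per_ip 80 3
```

On a live server, pipe `netstat -plan` into `conns_per_ip 80 <threshold>` and compare the counts with the per-IP connection limit you enforce on the firewall.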

3. Large number of database queries

Next, check the database. Use the command below to see the current query status on MySQL:

# mysqladmin proc

It will show you the current stats. If any user has large queries in the queue, kill that user's processes using the command below:

# killall -9 -v -u username

Then you can optimize the database that caused the issue, using the command below:

# mysqlcheck --all-databases -o [To optimize all database]

Only MyISAM tables can be optimized using the above command.

You can also optimize tables using PHPMyAdmin.

1. Log in to WHM
2. Go to PHPMyAdmin
3. Select the database
4. Select all MyISAM tables
5. From the drop-down menu at the bottom, select the optimize option.
6. Done

It will fix the site loading issues in most cases.

4. Tweak Apache settings

Go to WHM » Home » Service Configuration » Apache Configuration » Global Configuration

See the values in

Server Limit (Maximum: 20,000)
Max Clients
Max Requests Per Child
Keep-Alive >> On
Keep-Alive Timeout
Max Keep-Alive Requests
Timeout

Adjust the values according to your need and current connections to the server.

5. Tune the MySQL instance

In cPanel 11.40, MySQL tuner is already present on the server.

Run # /usr/local/cpanel/bin/mysqltuner.pl

It will display the values that need to be adjusted to fit current needs.

Note: If you put a very large value in the my.cnf file, MySQL may fail with a not-enough-memory error. Be careful when adding large values like 1G/2G.

WHM security best practice.


Hey Guys,

If you are going to harden a WHM/cPanel server, you can use the checklist and settings below.

Make sure you understand each change and select the options that suit your needs. You do not need to enable every option mentioned.


1. The Tweak Settings checklist [Home >> Server Configuration >> Tweak Settings]

Enable HTTP Authentication: Off
Cookie IP Validation: On
Proxy Subdomain Creation: Off
Require SSL: On
Security Tokens: On [helps to prevent XSRF attacks]
Block Common Domains Usage: On [helps to prevent users from creating hotmail.com or google.com]
Attempt to prevent pop3 connection floods: On
Default catch-all/default address behavior for new accounts: Blackhole
BoxTrapper Spam Trap: Off
Allow cPanel users to reset their password via email: Off
Send passwords in plaintext over email when creating a new account: Off

2. The Security Center checklist [Home >> Security Center]

Password Strength Configuration: A value of 50 or greater.
PHP open_basedir Tweak: Enabled
Apache mod_userdir Tweak: Enabled
Compiler Access: Disabled
Manage Wheel Group Users: Remove all users except for root and your main account.
Shell Fork Bomb Protection: Enabled
Manage Shell Access: Disable shell access for all other users.
cPHulk Brute Force Protection: Enabled
cPanel Demo Mode: Disable

3. Disable identification output for Apache


a. Log in to WHM and access the Apache Global Configuration feature (Home >> Service Configuration >> Apache Configuration >> Global Configuration).
b. Select Off (PCI Recommended) from the ServerSignature menu.
c. Click Save.

4. EasyApache configuration

Enable the modules below:

suPHP
Suhosin [Optional]
mod_security [Optional]

Do not include by default

mod_frontpage
mod_perl
mod_JK
mod_Mono
mod_Mono2
Xcache
EAccelerator
Any other modules that are marked as End-Of-Life or Deprecated.

6. php.ini & disabled functions

safe_mode = On
expose_php = Off
enable_dl = Off
magic_quotes_gpc = On
register_globals = Off
display_errors = Off
allow_url_fopen = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd, popen, proc_open

7. SSH

# vi /etc/ssh/sshd_config
Change Protocol 2,1 to Protocol 2
Change #Port 22 to some other port and uncomment it, for example:
Port 1337

Note: Make sure the new port is already allowed in the firewall rules.

8. Firewall, CSF Installation

# vi /etc/csf/csf.conf

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2087,2089,2703"
CT_LIMIT = "200"
CT_PERMANENT = "1"
CT_BLOCK_TIME = "1800"
CT_INTERVAL = "60"
CSF has an option “Server Security Check”. Go to WHM >> Plugins >> CSF >> Test Server Security to see more security options.

9. SYN Cookies

# vi /etc/sysctl.conf

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

service network restart [If you have access to the server via IPMI or via Node]

10. Apache Settings [Main » Service Configuration » Apache Configuration » Global Configuration]

SSLCipherSuite: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
TraceEnable: Off
ServerSignature: Off
ServerTokens: Product Only
FileETag: None
MaxRequestsPerChild: 1000

11. FTP Settings

Allow Anonymous Logins: No
Allow Anonymous Uploads: No
Allow Logins with Root Password: No



Mitigate Slowloris Attacks: http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/SlowlorisAttacks
Symlink Race Condition Protection: http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/SymlinkPatch
CSF Configuration: http://blog.softlayer.com/2013/iptables-tips-and-tricks-csf-configuration/
OpenSSH Server Best Security Practices: http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
PHP Security Best Practices: http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html