Plesk install and security audit
-
- Forum Regular
- Posts: 512
- Joined: Mon Mar 10, 2008 9:12 pm
- Location: Southampton, UK
Does your co-lo company offer you remote console access? If not, and you don't want to try a different co-lo company next time round, then for your next server you might want to consider some form of remote access card to give you access to your system if you lose contact with it due to a network screw-up (or other connectivity or even a boot problem if the card allows you to use virtual cd-rom and virtual floppy devices).
Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
HP does have lights out management, but I've turned it off and I would have to use another separate ethernet connection.
The server house is less than 30 minutes from my house, and access is pretty flexible. I'm going to consider another server house for the next server, but for now I'm just kick starting the whole hosting side of my business properly so cost is a key issue.
Thanks,
Matt
Ah, ok. Once I've got a second one I'll sort that out.
Thanks for the advice Faris on the IP changing. I stepped through it this morning and it worked a treat. I've made a guide for future reference. Server is now up and running. It's been up for the last 2 hours, and the tech lady (wow a tech girly, don't see that much in the UK) allowed me to have 2 mains inputs to the server so I could run the redundant PSU as well. Something I would normally pay for.
Funny thing is the sales guy charged me for 2 x 1U slots as he felt the power needs for the server would go over the 75 watt per U allocation they give. The thing is, the tech lady who helped me with the install said it's hardly using much at all according to their meters.
If that's the case I'm going to get them to off-set the cost of the extra power onto more bandwidth.
One other question. When setting up nameservers in Plesk, is it best to use 2 dedicated/exclusive IPs for the 2 nameservers, or can you use a shared IP for each?
I've got 12 usable IPs, currently only 1 is set up on the server for the server's main IP and is also set up as a shared IP (I think this is default in Plesk).
Thanks guys,
Matt
At last I have now got the correct License key (they sent me the wrong one yesterday).
With nameservers, am I correct in thinking that I need to request a reverse dns entry for each nameserver (ns1.blahblah.com and ns2.blahblah.com)?
Also when configuring the dns records in plesk to setup the nameservers, do I need a <ip> /24 PTR <domain> entry/record?
I'll be making my purchase of ASL later today too. Just want to get the nameservers up first. Qmail and ClamAV are still working ok after the change of IP.
Matt
laughingbuddha wrote:
> At last I have now got the correct License key (they sent me the wrong one yesterday).
> With nameservers, am I correct in thinking that I need to request a reverse dns entry for each nameserver (ns1.blahblah.com and ns2.blahblah.com)?
> Also when configuring the dns records in plesk to setup the nameservers, do I need a <ip> /24 PTR <domain> entry/record?
> I'll be making my purchase of ASL later today too. Just want to get the nameservers up first. Qmail and ClamAV are still working ok after the change of IP.
> Matt

No, you don't need rdns entries for ns1.domain.com and ns2.domain.com.
It would be nice for the rdns to match the "main" domain name assigned to the IP, however. For example, you might have your own domain name as the default domain for your main shared IP. rdns should match that domain.
You should have one PTR record for each IP. That PTR record should match the rdns for that IP.
The only time the PTR record is used (in a typical Plesk setup) is really by qmail, which will do a local lookup when creating mail headers.
If you have a look at http://www.cymru1.net/linux-vps/vps-hints-and-tips.php and click on Understanding and Setting Up DNS, you'll find plenty of detail on what you need to do regarding PTR and other bits.
Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
In the guide on your site, you remove the PTR record from the dns template, but in the guide I read here (Jodohost) they never mentioned removing the PTR record.
On my server I've used the .net version of the company's domain name for the servers and any future servers (I also have another vps with geekstorage that is running as a name server on ns3 and ns4 with the main server url being s2.mycompany.net).
So the server is called s1.mycompany.net and the nameservers are ns1 and ns2. So I added youandtheweb.net up as a domain on the server (even though it's not my main website, the .co.uk is) so I could set up the nameservers and redirect IPs and so on.
I guess I'm right so far. I've asked my isp to create rdns for ns1 and ns2, but from what you said I should have instead created only one rdns. Now should that be for the server's domain name (s1.mycompany.net), or the full domain itself (www.mycompany.net which will never have a website and instead be redirected to the main site) or my company's actual website domain (www.mycompany.co.uk)?
DNS is beginning to confuse me. It seemed so simple earlier on.
Matt

Ok this is what I've changed my main domain name's DNS (mycompany.net) to:
xx.xx.xx.226 / 24 PTR mycompany.net.
ftp.mycompany.net. CNAME mycompany.net.
mail.mycompany.net. A xx.xx.xx.226
ns1.mycompany.net. A xx.xx.xx.226
ns2.mycompany.net. A xx.xx.xx.227
ns3.mycompany.net. A xx.xx.xx.181 (the us vps)
ns4.mycompany.net. A xx.xx.xx.182 (the us vps)
s1.mycompany.net. A xx.xx.xx.226
s2.mycompany.net. A xx.xx.xx.181 (the us vps)
webmail.mycompany.net. A xx.xx.xx.226
www.mycompany.net. CNAME mycompany.net.
mycompany.net. NS ns1.mycompany.net.
mycompany.net. NS ns2.mycompany.net.
mycompany.net. A xx.xx.xx.226
mycompany.net. MX (10) mail.mycompany.net.
And this is what I've got in my dns template:
<domain>. NS ns1.mycompany.net.
<domain>. NS ns2.mycompany.net.
<domain>. A <ip>
<domain>. MX (10) mail.<domain>.
ftp.<domain>. CNAME <domain>.
mail.<domain>. A <ip>
webmail.<domain>. A <ip>
My main company website is, say, www.mycompany.com, but I use mycompany.net for the servers, so as above s1.mycompany.net and s2.mycompany.net.
With rdns do I set up an rdns for just s1.mycompany.net or do I set it up for mycompany.net? I've added a PTR record (as you can see above) to the mycompany.net domain. Is that right?
Thanks,
Matt
I'm right about the PTRs, they are wrong. Guaranteed.
You must only have one PTR per IP. Similarly, you can only have one rdns record per IP.
If you have more than one PTR per IP, when people receive email on your servers they may see a random domain hosted on that IP listed in the headers. Having that mismatch can also cause problems with mail delivery to external hosts.
You should therefore remove the PTR from the DNS template (as you have done), and manually add one to only ONE domain per IP address (as you have done, I think).
The rdns record that you ask your co-lo company to set up for each IP address should be identical to the one domain per IP to which you add the PTR record.
Indeed, the PTR record IS (technically) the reverse DNS for the IP. However, since it is rare to be allowed to handle rdns yourself, the PTR record does not actually do anything as far as the outside world is concerned.
But when something running on your box does a reverse DNS lookup using the DNS server also on your box for one of your IP addresses then things can get confusing and you get these random domains given as a result. This is really only likely to happen if you have 127.0.0.1 in your resolv.conf file, but ... just in case it is wise to only have one PTR per IP.
I'm a bit confused on the rest of what you've done. The DNS and the template look fine though.
It is perfectly OK and sensible to give your servers names, e.g. s1.yourdomain.net. It is perfectly OK to use that for the rdns, but since you will have more than one IP, and therefore more than one rdns record per server, your naming convention might cause confusion.
Ignoring that, if you have s1.yourdomain.net as the rdns for the "main" IP on your server (the first one) then that domain (subdomain) should also be the one with the PTR record and ideally should also be the default domain for that IP.
But seriously, don't get hung up on the PTR stuff. I've just noticed I don't have one on the corresponding domain on one of our main servers. It is no big deal unless you have 127.0.0.1 in your resolv.conf, and even then it won't matter (usually), as long as you make sure you don't have more than one PTR per IP.
When an email goes out, it will normally go out on the FIRST IP address configured on eth0. Thus, when a mailserver receives an email from your system, it will be from that IP. If anybody looks in the header, they will therefore see that IP, plus an rdns lookup on that IP (usually) which will therefore be the domain that the rdns record for that IP points to.
If anybody or anything then does an nslookup/dig/whatever for the A record for that domain, it is nice for it to resolve to the same IP. Even spamdyke, which checks rdns records in great detail to reduce spam, does not care if the rdns and forward dns do not match, however. I'm not sure that any mail system/anti-spam system goes that far (but could be wrong).
Errr.....I'm lost at this point. If there was anything else please can you ask again?
Oh, please also remember that I'm not Scott. Did I mention this before? I'm known to get things wrong. Except about having only one PTR per IP.
Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
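Faris's one-PTR-per-IP rule and his advice that the rdns name should resolve forward to the same IP, applied to a listing in the layout Matt posted earlier in the thread, as an added example that is not code from the thread or from Plesk: it parses the records offline and flags an IP with more than one PTR, a PTR whose name has no A record back to that IP, and a nameserver named in an NS record that has no A record of its own. The addresses are constructed (192.0.2.x documentation range) in place of the masked xx.xx.xx.x ones, and the duplicate PTR line is planted on purpose.

```python
import re
from collections import defaultdict

# Constructed sample in the "name TYPE value" layout of the forum post, with
# documentation addresses (192.0.2.x) standing in for the masked xx.xx.xx.x.
# The second PTR line is deliberately the mistake Faris warns about.
SAMPLE_RECORDS = """
192.0.2.226 / 24 PTR mycompany.net.
192.0.2.226 / 24 PTR otherclient.example.
ftp.mycompany.net. CNAME mycompany.net.
mail.mycompany.net. A 192.0.2.226
ns1.mycompany.net. A 192.0.2.226
ns2.mycompany.net. A 192.0.2.227
ns3.mycompany.net. A 192.0.2.181 (the us vps)
www.mycompany.net. CNAME mycompany.net.
mycompany.net. NS ns1.mycompany.net.
mycompany.net. NS ns2.mycompany.net.
mycompany.net. A 192.0.2.226
mycompany.net. MX (10) mail.mycompany.net.
"""

PTR_RE = re.compile(r"^(\S+)\s*/\s*\d+\s+PTR\s+(\S+)$")
REC_RE = re.compile(r"^(\S+)\s+(A|NS|CNAME|MX)\s+(?:\(\d+\)\s+)?(\S+)$")


def parse_records(text):
    """Return (ptrs, forward): ptrs maps IP -> [PTR names],
    forward maps (name, type) -> [values]; trailing dots are dropped."""
    ptrs = defaultdict(list)
    forward = defaultdict(list)
    for raw in text.strip().splitlines():
        line = re.sub(r"\s*\([^)]*\)\s*$", "", raw.strip())  # drop "(the us vps)" notes
        m = PTR_RE.match(line)
        if m:
            ptrs[m.group(1)].append(m.group(2).rstrip("."))
            continue
        m = REC_RE.match(line)
        if m:
            forward[(m.group(1).rstrip("."), m.group(2))].append(m.group(3).rstrip("."))
    return ptrs, forward


def audit(text):
    """Return sorted problem strings; an empty list means the listing is consistent."""
    ptrs, forward = parse_records(text)
    problems = []
    for ip, names in ptrs.items():
        if len(names) != 1:
            problems.append(f"{ip}: {len(names)} PTR records, must be exactly one")
        for name in names:  # forward-confirmed rDNS: PTR name must have an A back to the IP
            if ip not in forward.get((name, "A"), []):
                problems.append(f"{ip}: PTR target {name} has no A record back to {ip}")
    for (_, rtype), values in forward.items():  # each NS target needs its own A (glue)
        for ns in values:
            if rtype == "NS" and (ns, "A") not in forward:
                problems.append(f"NS {ns} has no A record")
    return sorted(problems)


if __name__ == "__main__":
    for problem in audit(SAMPLE_RECORDS) or ["no problems found"]:
        print(problem)
```

Paste your own Plesk record listing into SAMPLE_RECORDS (or pass it to audit) to check it before asking the co-lo to set the matching rdns.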