Magento, PrestaShop, Opencart Website E-Mail going to Spam

When you set up a website such as e-commerce site. You will need to send out E-Mail within your website. The simplest way to send out E-Mail is by using their build in script, usually called the PHP Mail(). However, when using the service, your E-Mail always seems to go straight to your customers’ E-Mail spam section.

Here is one of the fixes that you will need:

You need to set your Sender Policy Framework (SPF) correctly. You can read more about SPF Record at the wikipedia site. You can set the SPF where you set up your DNS configurations.

I have my domains with CloudFlare. Setting up on their DNS control panel was simple to do, yours may not be as easy.

Here is the config:
TYPE: TXT
NAME: pcwired.com
VALUE: v=spf1 a mx include:hotmail.com ip4:198.100.3.2/24 include:73.hostingnow.net ~all
TTL: 1 hour

You can see the Wikipedia page for more SPF command lines.

 

As you can see from the above config, I am telling the E-Mail client that the E-Mail going out of my web server is valid and owned by my domain name. Therefore, making the E-Mail legit.

If this fix does not work for you, you may have other problems.

nginx How to Alias (Relinking)

I have been setting up Magento E-commerce shop for a few of my clients. Many of them do both wholesale and retail with 2 separate domain names. Since Magento allowed us to setup multi-stores with one platform, one problem I came across was that I need different robots.txt and sitemap.xml set ups for each domain as search engines only looks for them at the root directory. So, I had to redirect these files depending on the domain at the nginx level so that search engine can get access to the correct file.

The following config will help you redirect/alias

location /filename {
        alias /path/to/the/file;
    }

 

How to Set SSL Ciphers and update OpenSSL for PCI Compliant (Apache)

SSL Cipher Settings (PCI Compliant)

If you going to use SSL for your site, make sure that you disable low level ciphers.
To do this, simply edit:

#/etc/httpd/conf.d/ssl.conf

SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RCA4+RSA:+HIGH:!LOW:!MEDIUM

#Save the file and restart the apache
service httpd restart

#check to see if the settings are working
openssl s_client -connect localhost:443 -cipher EXP:HIGH

#the below command should throw you an error
openssl s_client -connect localhost:443 -cipher EXP:LOW
openssl s_client -connect localhost:443 -cipher EXP:MEDIUM

By default CentOs comes with openssl version 1.0.0. However openssl has been updated a year ago to 1.0.1 to support high ciphers such as TLS 1.1 and 1.2. Normally, before updating the openssl, I would backup the server first if anything goes wrong. The reason is that openssl is used by many programs within the linux.

To update the openssl, you will need to manually install the package by rpm

#installing openssl 1.0.1e
rpm -Uvh http://dl.iuscommunity.org/pub/ius/stable/Redhat/6/x86_64/ius-release-1.0-10.ius.el6.noarch.rpm

#install yom-plugin-replace
yum install yum-plugin-replace

#replacing openssl 1.0.1e name
yum replace openssl --replace-with openssl10

I have also replaced the above SSLCipherSuite to

SSLCipherSuite 'AESGCM:RC4:SHA384:SHA256:AES !aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!kEDH:!PSK:!SRP:!kECDH'

You should also disable SSL Compression as it is vulnerable to CRIME attack according to ssllabs.com

# /etc/httpd/conf/httpd.conf
# Disable Module within Apache by using a #
#LoadModule deflate_module modules/mod_deflate.so

and then:

echo >>/etc/sysconfig/httpd export OPENSSL_NO_DEFAULT_ZLIB=1
# Restart Apache Server
service httpd restart

After you had finished the configuration, have your site be tested with http://www.ssllabs.com

How to Remove Apache Header

Removing Apache Header

Some third party scanners gives a warning about having the Apache server name to be public. One of the main reasons to hide this is to give hackers a hard time to guess what web servers you are using. Giving out your Apache version and your OS can let hackers quickly search your server for known vulnerabilities.

edit:

/etc/httpd/conf/httpd.conf

#Change the following
ServerSignature On

#to

ServerSignature Off

Backing up VPS Server to Raspberry Module or Home Server

I had a Raspberry Pi laying around and I was wondering if I could put it to use. Lately, my web hosting server had been hit by a unpleasant attack that wiped all the data on the server nodes. I was glad that they had backups elsewhere to restore from the attack. They may have backups at different locations, but you never know what will happen next. Just to be safe, I feel that backing up the VPS Server locally will be a good choice as well.

If you are looking to back up to your computer server, it should work the same.

Setting up the Respberry Pi

Installing the os:

Installing the Raspbian “wheezy” OS is the easiest thing to the world. Simply download the iso here. While you are downloading the iso, you will need specific tools required to format your sd card. All instructions are posted on the eLinux.org website for Raspberry Pi here.

Setting up the iptables:

For the iptables, I recommend going to “Simple Iptables Script Generator” and generate the bash shell script for you. However there are some things to change on the generated code.

Here are slight changes from the generated iptables shell script:

#!/bin/sh

# iptables script generated 2013-07-20
# http://www.mista.nu/iptables

IPT="sudo iptables"

# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain

# Set default policies for all three default chains
$IPT -P INPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 192.168.1.0/24 -j DROP

# Accept inbound TCP packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Allow inbound access to Samba shares
$IPT -A INPUT -p udp -m udp --dport 137 -s 192.168.1.0/24 -j ACCEPT
$IPT -A INPUT -p udp -m udp --dport 138 -s 192.168.1.0/24 -j ACCEPT
$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -s 192.168.1.0/24 -j ACCEPT
$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -s 192.168.1.0/24 -j ACCEPT

# Accept inbound ICMP messages
$IPT -A INPUT -p ICMP --icmp-type 8 -s 192.168.1.0/24 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -s 192.168.1.0/24 -j ACCEPT

# Accept outbound packets
$IPT -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

# Allow output
$IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

$IPT -A INPUT -j DROP
$IPT -A OUTPUT -j DROP

The above iptables allow SAMBA and SSH access only. You may need to add extra filters for other services. You will also need to change the ip address “192.168.1.0/24” to your local ip as in “x.x.x.0/24”.

And finally you will need to save your iptables, so that it will be loaded again on reboot.

iptables-save

Setting up passwordless log in with sshkey:

Setting up a passwordless ssh log in is very useful for the cron job to automate the process as we will not be required to enter the login password every time we do rsync.

#Navigate
cd /~/.ssh

#Generate a public and private SSH key
ssh-keygen

#You should see the following:
############################################
#Generating public/private rsa key pair.
#Enter file in which to save the key (/home/pi/.ssh/id_rsa):

#Enter exactly what they tell you to enter, in this case: /home/pi/.ssh/id_rsa

#Lease the passphrase empty, simply press enter!

#Enter passphrase (empty for no passphrase):
#Enter same passphrase again:

#Your identification has been saved in /home/pi/.ssh/id_rsa.
#Your public key has been saved in /home/pi/.ssh/id_rsa.pub.
#The key fingerprint is:
#97:aa:de:20:40:e7:68:9b:ca:3f:4b:a9:0e:58:4c:7e [email protected]
#The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|  o .            |
| = +       .     |
|  B E   S o      |
|.o =.    o       |
|o oo. . .        |
|o.o. . +         |
|o+.oo.o .        |
+-----------------+

You know should have 2 files in your /~/.ssh.

id_rsa is the private key that you will be required to use when you log into your ssh account. This file is like your password, but in a file format.

id_rsa.pub is the public file that that will be stored within the raspberry pi. In order for the passwordless ssh to work, you will need to rename “id_rsa.pub” to “authorized_keys”.

cat id_rsa.pub > authorized_keys

#Change the permission to 0600 so your user can read it
sudo chmod 0600 authorized_keys

#Now that you had set the authorized_keys, you may remove id_rsa.pub
rm id_rsa.pub

Since we had set the keys for ssh log ins, we will now set ssh to disable password log ins when keys are not provided.

sudo nano /etc/ssh/sshd_config

#Set PasswordAuthentication to no
PasswordAuthentication no

#Ctrl+x and y to save

Installing rsync:

#Simply run
sudo apt-get install rsync

Setting up the external hard drive:

Now you may plugin your external hard drive to the Raspberry Pi.

#Check to see your device location
sudo fdisk -l
#Our device is located on /dev/sda1, but yours might be different

#If you haven't formated your external drive to Ext4, you may do so by:
sudo mkfs.ext4 /dev/sda1 -L untitled

#Mounting the External Hard Drive
sudo mkdir /mnt/usbdrive
sudo mount /dev/sda1 /mnt/usbdrive
sudo chown -R pi:pi /mnt/usbdrive

#Check to see if the drive type and if it is mounted correctly to the directory of your choice
sudo mount -l

#Check to see the drive space and mount directory
df -h

#Now that we had mounted the external drive, we would like it to automatically mount the drive on reboot.
sudo nano /etc/fstab

#Add the following line the config
/dev/sda1  /mnt/usbdrive  ext4  defaults  0  0

Setting up the main server

Installing rsync

#Ubuntu/Debian
sudo apt-get install rsync

#CentOS/RedHat
yum install rsync

Copying Over the private key for the ssh log in we created in the Raspberry Pi

nano /~/raspberrypikey

#you may open up the private key in Raspberry Pi and copy the code to be pasted to your nano editor.

Testing rsync

#Lets just create a test file.
nano /~/testfile

#rsync that testfile to your Raspberry Pi
rsync --progress -avhe "ssh -i /~/raspberrypikey" --delete-after /~/testfile [email protected]:/mnt/usbdrive
#user - is the user id of your raspberry pi, the default is pi
#X.X.X.X - is your ip address

#If things went well, you should able to see the testfile in your Raspberry Pi located at /mnt/usbdrive

 Setting up the cron job

#Setting the cron job to automatically back up your vps server
crontab -u root -e

#This will bring you to vim editor. Press "i" to start editing. Input the following:
0 4 * * 1 rsync --progress -avhe "ssh -i /~/raspberrypikey" --delete-after /home /etc /root /var [email protected]:/mnt/usbdrive/backup

#The first 5 numbers sets the time and dates for the cron job to execute, see the chart bellow:
###############################
# *    *    *    *    *  command to execute
# ┬    ┬    ┬    ┬    ┬
# │    │    │    │    │
# │    │    │    │    │
# │    │    │    │    └───── day of week (0 - 6) (0 to 6 are Sunday to Saturday, or use names)
# │    │    │    └────────── month (1 - 12)
# │    │    └─────────────── day of month (1 - 31)
# │    └──────────────────── hour (0 - 23)
# └───────────────────────── min (0 - 59)

 

**Setting up the mySQL backup script

The above back upp only deals with local files only. It will not back up your databases. For databases, you may want to have a bash script to do updates daily.

I have found twhiting9275 script at the cpanel.net forum very useful.

 

Everything is now set to back up your VPS server to your Raspberry Pi.

Any questions and corrections, feel free to commend below.

Author: Jason Lin