Archive for August, 2009

How to install mod_security with yum (Red Hat/CentOS 5)

Friday, August 28th, 2009

1. Install the EPEL repository package:

rpm -Uvh

2. Then install the package:

yum install mod_security

Note: mod_security depends on the lua package. If it is not installed, yum fails with an error like this:

--> Processing Dependency: for package: mod_security
--> Finished Dependency Resolution
mod_security-2.5.9-1.el5.i386 from epel has depsolving problems
--> Missing Dependency: is needed by package mod_security-2.5.9-1.el5.i386 (epel)
Error: Missing Dependency: is needed by package mod_security-2.5.9-1.el5.i386 (epel)

Solution: download the lua rpm from this website

If rpm complains that a newer version is already installed (here the RPMforge build, lua-5.1.4-1.el5.rf), remove it and install the downloaded package:

-bash-3.2# rpm -qa | grep lua
-bash-3.2# rpm -e lua-5.1.4-1.el5.rf
-bash-3.2# rpm -Uvh lua-5.1.4-1.i386.rpm
Preparing...                ########################################### [100%]
   1:lua                    ########################################### [100%]

Now confirm that the library the dependency refers to is present:

-bash-3.2# updatedb

-bash-3.2# locate

If locate finds it, the server has the file mod_security needs.

Now run

yum install mod_security

It should install now.

mod_security configuration files:

  1. /etc/httpd/conf.d/mod_security.conf – main configuration file for the mod_security Apache module.
  2. /etc/httpd/modsecurity.d/ – all other configuration files for the mod_security Apache module.
  3. /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf – the configuration in this file should be customized for your specific requirements before deployment.
  4. /var/log/httpd/modsec_debug.log – debug messages, for debugging mod_security rules and other problems.
  5. /var/log/httpd/modsec_audit.log – every request that triggers a ModSecurity event or a server error is logged here (SecAuditEngine RelevantOnly).

After installing mod_security, edit modsecurity_crs_10_config.conf and make sure the line below is present and not commented out (Off disables the engine entirely; DetectionOnly logs matches without blocking, which is useful while tuning rules):

SecRuleEngine On

Now restart httpd:

service httpd restart

and check /var/log/httpd/error_log for a line like this:

[Fri Aug 28 10:48:24 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.mod configured.

Note: I have tested this on CentOS 5 (kernel 2.6.18-128.1.14.el5xen).
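Before restarting httpd it is worth verifying what SecRuleEngine value will actually take effect, because a commented-out "#SecRuleEngine On" left in the file looks right at a glance but does nothing. The shell functions below are an added example (not code from the original post or from the ModSecurity project): they report the last uncommented SecRuleEngine value in a config file, since Apache takes the last occurrence of a directive in a scope, and distinguish a blocking On from DetectionOnly. The sample config is constructed for the demonstration.

```bash
#!/bin/sh
# Added example: report the effective SecRuleEngine setting in a ModSecurity
# config file. The last uncommented occurrence wins; lines starting with '#'
# (possibly indented) are ignored, so "#SecRuleEngine On" does not count.
# Usage: modsec_rule_engine /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
# Prints On, DetectionOnly, Off, or "unset" when the directive never appears.
modsec_rule_engine() {
    awk '
        /^[[:space:]]*#/ { next }                     # skip comments
        tolower($1) == "secruleengine" { value = $2 } # case-insensitive directive
        END { print (value == "" ? "unset" : value) }
    ' "$1"
}

# Succeed only when rules are enforced. DetectionOnly logs matches without
# blocking, fine for tuning but not what you want in production.
modsec_is_blocking() {
    [ "$(modsec_rule_engine "$1")" = "On" ]
}

# Constructed sample config for the demonstration (not a real file from the post).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# SecRuleEngine On        <- commented out, ignored
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
EOF
echo "effective SecRuleEngine: $(modsec_rule_engine "$demo_conf")"
if modsec_is_blocking "$demo_conf"; then
    echo "rules are enforced"
else
    echo "rules are NOT enforced; fix the config before relying on it"
fi
rm -f "$demo_conf"
```

Run it against each file under /etc/httpd/modsecurity.d/ as well as mod_security.conf; whichever file Apache reads last decides the value.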



Tools for securing Linux server and its services

Thursday, August 27th, 2009

a) Fail2Ban: bans an IP address after a few failed login attempts.

website :

b) Rootkit Hunter: scans your server for rootkits, backdoors and other unauthorized files and scripts.

Website :

To download :

c) PortSentry: blocks an IP that is scanning your server for open ports.

Ref :

How to install :


e) mod_evasive: bans an IP under certain conditions, for example:

  • Requesting the same page more than a few times per second
  • Making more than 50 concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted (on a blocking list)

Web Site :

To be continued...

Critical vulnerability in the Linux kernel affects all versions since 2001

Thursday, August 27th, 2009

Ref :–/news/114072

Google security specialists Tavis Ormandy and Julien Tinnes report that a critical security vulnerability in the Linux kernel affects all versions of 2.4 and 2.6 since 2001, on all architectures. The vulnerability enables users with limited rights to gain root rights on the system. The cause is a NULL pointer dereference in connection with the initialisation of sockets for rarely used protocols.

A pointer structure usually defines what operations a socket supports, for example accept, bind and so on. If, say, the accept operation is not implemented, it should point to a predefined component such as sock_no_accept. This is evidently not the case with all implemented protocols. The report mentions PF_BLUETOOTH, PF_IUCV, PF_INET6 (with IPPROTO_SCTP), PF_PPPOX and PF_ISDN, among others, as having unimplemented operations. Some pointers remain uninitialised, and this can be exploited in conjunction with the function sock_sendpage to execute code with root rights.

Ormandy and Tinnes believe that all Linux versions 2.4 and 2.6 since May 2001 are affected, which means 2.4.4 up to and including the latest 2.4 release, as well as 2.6.0 up to and including the latest 2.6 release. Instead of fixing all incompletely implemented protocols, the kernel developers have simply remapped sock_sendpage to the function kernel_sendpage, which also handles the case of an uninitialised pointer. So far, this correction has only gone into the kernel repository.

However, a new official kernel version can be expected shortly since an exploit for the vulnerability is already publicly available. The author of the code is again Brad Spengler, who published a root exploit for the Linux kernel in mid-July. In a short test on a completely patched Ubuntu 8.10 in the heise Security office, The H’s associates found that the new exploit gave root access to the system.

Ormandy and Tinnes say, however, that the exploit will not work on current kernels with mmap_min_addr support if a value greater than zero is set via sysctl for vm.mmap_min_addr.

Patches for this problem:

Bash script to check for automatic yum updates

Thursday, August 27th, 2009
#!/bin/bash
# This script will check for available package
# updates for a CentOS/Red Hat 5 system
# Written by        : Fosiul Alam
# Version           : 1.0
# Created Date      : 27/08/2009
# Last Modification : 27/08/2009
# Command used      : yum -e0 -d0 check-update
# Usage             : /
# The file paths and mail recipient below were not preserved in the original
# post and are assumed values; adjust them for your system.
_TODAY=`date '+%A'`
_YESTERDAY=`date '+%A' --date='1 day ago'`
_GET_HOSTNAME=`hostname`
_CMD_FILE=/tmp/yum-check-$_TODAY.txt
_EMAIL_REPORTS=/tmp/yum-reports.txt
_MAILTO=root
# Delete yesterday's tmp file (housekeeping)
rm -f /tmp/yum-check-$_YESTERDAY.txt
# Check if the yum-reports.txt file exists or not;
# if the file exists then delete it and create it again
if [ -e $_EMAIL_REPORTS ]; then
    rm -f $_EMAIL_REPORTS
fi
touch $_EMAIL_REPORTS
# Run the yum command and capture its output in the command file
# (-e0 -d0 suppress yum's own chatter so only the update list is written;
# yum exits 100 when updates are available, 0 when there are none)
yum -e0 -d0 check-update >$_CMD_FILE
# Check if the file exists and is not empty
if [ -s $_CMD_FILE ]; then
    echo "Daily($_TODAY) Yum Updates Report for $_GET_HOSTNAME" >> $_EMAIL_REPORTS
    echo "There are some updates available for your attention" >> $_EMAIL_REPORTS
    echo "###########Updates Are###########" >> $_EMAIL_REPORTS
    cat $_CMD_FILE >> $_EMAIL_REPORTS
    echo "############## Updates Finished#####" >> $_EMAIL_REPORTS
    cat $_EMAIL_REPORTS | mail -s "Yum Reports For $_GET_HOSTNAME" $_MAILTO
else
    echo " NO Updates for $_TODAY" >/dev/null 2>&1
fi

All about yum command for Redhat/Centos/Fedora

Wednesday, August 26th, 2009

List available updates (including security fixes):

yum list updates
yum check-update

Patch up system by applying all updates

yum update

List all installed packages

rpm -qa

How to find a particular installed package (httpd):

rpm -qa | grep httpd

How to check for an update to a specific package:

yum update {package-name-1}

To check for and update httpd package, enter:

yum update httpd

How to install packages by yum

yum install package-name
example : yum install httpd

How to exclude package name from update

yum --exclude=packagename* update

How to check for yum updates automatically with a bash script: see the script posted on August 27th above.
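The check-update output that the August 27th script mails out raw is just "package.arch version repo" lines, which is enough to pick out the packages that matter most (kernel, openssl, sshd). The functions below are an added example, not code from the original posts: they normalise the output of `yum -e0 -d0 check-update` into one record per package, including the case where yum wraps a long package name onto its own line, and flag the packages on a watch list. The sample output and the watch list are constructed. Keep in mind that check-update exits 100 when updates are available, 0 when there are none and 1 on error, so a cron job must treat 100 as "send the report", not as a failure.

```bash
#!/bin/sh
# Added example: turn the raw output of "yum -e0 -d0 check-update" into
# "name arch version repo" records and flag packages on a watch list.
# yum prints a long package name on a line of its own with the version and
# repo on the next line; the awk below re-joins those pairs.

# Normalise check-update output, one package per line.
yum_updates_parse() {
    awk '
        NF == 1 { pending = $1; next }                     # wrapped name
        NF == 2 && pending != "" { $0 = pending " " $0; pending = "" }
        NF == 3 {
            name = $1; arch = $1
            sub(/\.[^.]*$/, "", name)                       # strip ".arch"
            sub(/^.*\./, "", arch)                          # keep only arch
            print name, arch, $2, $3
        }
    ' "$1"
}

# Print "name version" for packages whose name is in the space-separated list.
yum_updates_watch() {
    yum_updates_parse "$1" | awk -v list="$2" '
        BEGIN { n = split(list, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        ($1 in watch) { print $1, $3 }
    '
}

# Constructed sample output in CentOS 5 style (not captured from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
httpd.i386                       2.2.3-31.el5.centos               updates
kernel.i686                      2.6.18-164.el5                    updates
openssl.i686                     0.9.8e-12.el5_4.1                 updates
java-1.6.0-openjdk-devel.i386
                                 1:1.6.0.0-1.2.b09.el5             updates
EOF
echo "== all updates =="
yum_updates_parse "$sample"
echo "== security-sensitive (watch list is an arbitrary choice) =="
yum_updates_watch "$sample" "kernel openssl openssh-server"
rm -f "$sample"
```

Feeding the watch-list output into the mail body instead of the full dump lets the daily report say up front whether a kernel or OpenSSL update is pending.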

reverse proxying with apache

Wednesday, August 26th, 2009


Module : mod_proxy.c

In httpd.conf, all reverse proxy rules go under the section below:

<IfModule mod_proxy.c>
#ProxyRequests On

ProxyRequests Off
#<Proxy *>
# Order deny,allow
# Deny from all
# Allow from
#</Proxy>

# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#ProxyVia On

# To enable a cache of proxied content, uncomment the following lines.
# See for more details.
#<IfModule mod_disk_cache.c>
# CacheEnable disk /
# CacheRoot "/var/cache/mod_proxy"
#</IfModule>
#Add the Reverse Proxy rules

ProxyPass /foo
ProxyPassReverse /foo

</IfModule>
#End of proxy directives.

Note: when you use a reverse proxy, make sure ProxyRequests is Off. ProxyRequests On enables forward proxying, and with the <Proxy *> access block still commented out anyone on the internet could use your server as an open proxy. ProxyPass and ProxyPassReverse work without ProxyRequests On.

How to allow perl/cgi script to run from virtualhost

Wednesday, August 26th, 2009


If you want to run a Perl script like this, you have to use the Options directive explicitly, inside your main server configuration file, to specify that CGI execution is permitted in a particular directory:


<VirtualHost *:80>
DocumentRoot /var/www/html/mydomain/
ErrorLog logs/
CustomLog logs/ common

<Directory "/var/www/html/mydomain/">
Options FollowSymLinks ExecCGI
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

The above directive tells Apache to permit the execution of CGI files. Note that ExecCGI on the whole DocumentRoot means any file with a CGI extension anywhere under it is executed, uploaded files included; where you can, keep scripts in a dedicated directory (or use ScriptAlias) and enable ExecCGI only there.

You also need to tell the server which files are CGI files. The following AddHandler directive, placed inside the same <Directory> block, tells the server to treat all files with the cgi or pl extension as CGI programs:

AddHandler cgi-script .cgi .pl

Now save the configuration file and restart Apache.

How to optimize Thread Cache variables for MySQL server

Monday, August 17th, 2009

If you have a busy server that’s getting a lot of quick connections, set your thread cache high enough that the Threads_created value in SHOW STATUS stops increasing. Your CPU will thank you.

Ref :

“As soon as I optimized the thread cache, MySQL’s server load dropped over 50%!”


How to set thread cache :

You should keep your thread cache (variable name 'thread_cache_size') large enough that Threads_created does not increase very often.

To check whether the thread cache is large enough, watch the Threads_created status variable against the thread_cache_size system variable:

mysql> SHOW STATUS LIKE 'Threads_created';
+-----------------+-------+
| Variable_name   | Value |
+-----------------+-------+
| Threads_created | 2     |
+-----------------+-------+
1 row in set (0.00 sec)

The command below shows the configured thread cache size:

mysql> SHOW VARIABLES LIKE 'thread_cache_size';
+-------------------+-------+
| Variable_name     | Value |
+-------------------+-------+
| thread_cache_size | 12    |
+-------------------+-------+
1 row in set (0.00 sec)

A good approach is to watch the Threads_connected variable and set thread_cache_size large enough to handle the typical fluctuation in your workload.

The command below shows all thread-related status variables:

mysql> SHOW STATUS LIKE 'Threads_%';
+-------------------+-------+
| Variable_name     | Value |
+-------------------+-------+
| Threads_cached    | 2     |
| Threads_connected | 1     |
| Threads_created   | 3     |
| Threads_running   | 1     |
+-------------------+-------+
4 rows in set (0.00 sec)

How to monitor Threads by cacti : Working on it…
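"Threads_created stops increasing" is a statement about two readings taken some time apart, so the check is easiest to script from two saved snapshots of the Threads_% counters. The functions below are an added example, not code from the original post: they read snapshots produced by `mysql -N -B -e "SHOW GLOBAL STATUS LIKE 'Threads_%'"` (tab-separated name/value pairs, no header) and, if Threads_created moved between them, suggest a thread_cache_size that covers the peak Threads_connected seen with a little headroom. The snapshot contents and the 25 % headroom factor are constructed choices.

```bash
#!/bin/sh
# Added example: size thread_cache_size from two snapshots of the Threads_%
# status counters taken some minutes apart. Rule from the post: if
# Threads_created keeps climbing, the cache is too small; size it for the
# number of threads actually connected at the same time.
# Capture snapshots with:
#   mysql -N -B -e "SHOW GLOBAL STATUS LIKE 'Threads_%'" > /tmp/threads.1
# and compare with:
#   thread_cache_recommend /tmp/threads.1 /tmp/threads.2 <current thread_cache_size>

# Print the value of one status variable from a snapshot file.
status_value() {
    awk -F '\t' -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Print the thread_cache_size to use: unchanged when Threads_created did not
# move, otherwise the larger of the current value and the peak Threads_connected
# plus 25 % headroom (an assumed margin), so new connections hit the cache.
thread_cache_recommend() {
    created_before=$(status_value "$1" Threads_created)
    created_after=$(status_value "$2" Threads_created)
    conn_before=$(status_value "$1" Threads_connected)
    conn_after=$(status_value "$2" Threads_connected)
    awk -v cb="$created_before" -v ca="$created_after" \
        -v kb="$conn_before" -v ka="$conn_after" -v cur="$3" '
        BEGIN {
            peak = (kb > ka) ? kb : ka
            if (ca - cb <= 0) { print cur; exit }   # cache is keeping up
            want = int(peak * 1.25) + 1
            print (want > cur) ? want : cur
        }'
}

# Constructed sample snapshots (not captured from a real server).
s1=$(mktemp); s2=$(mktemp)
printf 'Threads_cached\t0\nThreads_connected\t40\nThreads_created\t1200\nThreads_running\t3\n' > "$s1"
printf 'Threads_cached\t0\nThreads_connected\t55\nThreads_created\t1750\nThreads_running\t4\n' > "$s2"
echo "Threads_created grew by $(( $(status_value "$s2" Threads_created) - $(status_value "$s1" Threads_created) ))"
echo "recommended thread_cache_size: $(thread_cache_recommend "$s1" "$s2" 8)"
rm -f "$s1" "$s2"
```

Apply the result with SET GLOBAL thread_cache_size or in my.cnf, then take two more snapshots to confirm Threads_created has flattened out.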

How to optimize a MySQL server

Monday, August 17th, 2009

Ref: MySQL® 5 Certification Study Guide

Ref: High Performance MySQL

  1. The MyISAM Key Cache
  2. The MyISAM key block size
  3. The Thread Cache
  4. The Table Cache

vsftpd: Failed to retrieve directory listing

Friday, August 14th, 2009

Problem: if vsftpd fails to retrieve a directory listing (typically a passive-mode client behind a firewall), do the following:

In vsftpd.conf, pin the passive data port range, for example:

pasv_min_port=1023
pasv_max_port=1050

Now allow ports 1023-1050 in iptables:

iptables -A INPUT --source xx.xx.xx.xx -p tcp --dport 1023:1050 -j ACCEPT

This allows FileZilla to connect to the FTP server in passive mode.

How to rebuild a failed Linux software RAID

Friday, August 14th, 2009


Recently I had a hard drive fail. It was part of a Linux software RAID 1 (mirrored drives), so we lost no data and just needed to replace hardware. However, the RAID does require rebuilding. A hardware array would usually rebuild automatically upon drive replacement, but this needed some help.

When you look at a “normal” array, you see something like this:

# cat /proc/mdstat
Personalities : [raid1]
read_ahead 1024 sectors
md2 : active raid1 hda3[1] hdb3[0]
262016 blocks [2/2] [UU]

md1 : active raid1 hda2[1] hdb2[0]
119684160 blocks [2/2] [UU]

md0 : active raid1 hda1[1] hdb1[0]
102208 blocks [2/2] [UU]

unused devices:

That’s the normal state – what you want it to look like. When a drive has failed and been replaced, it looks like this:

Personalities : [raid1]
read_ahead 1024 sectors
md0 : active raid1 hda1[1]
102208 blocks [2/1] [_U]

md2 : active raid1 hda3[1]
262016 blocks [2/1] [_U]

md1 : active raid1 hda2[1]
119684160 blocks [2/1] [_U]
unused devices:

Notice that it doesn’t list the failed drive parts, and that an underscore appears beside each U. This shows that only one drive is active in these arrays – we have no mirror.

Another command that will show us the state of the raid drives is “mdadm”

# mdadm -D /dev/md0
Version : 00.90.00
Creation Time : Thu Aug 21 12:22:43 2003
Raid Level : raid1
Array Size : 102208 (99.81 MiB 104.66 MB)
Device Size : 102208 (99.81 MiB 104.66 MB)
Raid Devices : 2
Total Devices : 1
Preferred Minor : 0
Persistence : Superblock is persistent

Update Time : Fri Oct 15 06:25:45 2004
State : dirty, no-errors
Active Devices : 1
Working Devices : 1
Failed Devices : 0
Spare Devices : 0

Number Major Minor RaidDevice State
0 0 0 0 faulty removed
1 3 1 1 active sync /dev/hda1
UUID : f9401842:995dc86c:b4102b57:f2996278

As this shows, we presently only have one drive in the array.

Although I already knew that /dev/hdb was the other part of the raid array, you can look at /etc/raidtab to see how the raid was defined:

raiddev /dev/md1
raid-level 1
nr-raid-disks 2
chunk-size 64k
persistent-superblock 1
nr-spare-disks 0
device /dev/hda2
raid-disk 0
device /dev/hdb2
raid-disk 1
raiddev /dev/md0
raid-level 1
nr-raid-disks 2
chunk-size 64k
persistent-superblock 1
nr-spare-disks 0
device /dev/hda1
raid-disk 0
device /dev/hdb1
raid-disk 1
raiddev /dev/md2
raid-level 1
nr-raid-disks 2
chunk-size 64k
persistent-superblock 1
nr-spare-disks 0
device /dev/hda3
raid-disk 0
device /dev/hdb3
raid-disk 1

To get the mirrored drives working properly again, we need to run fdisk to see what partitions are on the working drive:

# fdisk /dev/hda

Command (m for help): p

Disk /dev/hda: 255 heads, 63 sectors, 14946 cylinders
Units = cylinders of 16065 * 512 bytes

Device Boot Start End Blocks Id System
/dev/hda1 * 1 13 104391 fd Linux raid autodetect
/dev/hda2 14 14913 119684250 fd Linux raid autodetect
/dev/hda3 14914 14946 265072+ fd Linux raid autodetect

Duplicate that on /dev/hdb. Use "n" to create the partitions and "t" to change their type to "fd" to match (sfdisk -d /dev/hda | sfdisk /dev/hdb copies the whole partition table in one step). Once this is done, use "raidhotadd":

# raidhotadd /dev/md0 /dev/hdb1
# raidhotadd /dev/md1 /dev/hdb2
# raidhotadd /dev/md2 /dev/hdb3

The rebuilding can be seen in /proc/mdstat:

# cat /proc/mdstat
Personalities : [raid1]
read_ahead 1024 sectors
md0 : active raid1 hdb1[0] hda1[1]
102208 blocks [2/2] [UU]

md2 : active raid1 hda3[1]
262016 blocks [2/1] [_U]

md1 : active raid1 hdb2[2] hda2[1]
119684160 blocks [2/1] [_U]
[>....................] recovery = 0.2% (250108/119684160) finish=198.8min speed=10004K/sec
unused devices:

The md0, a small array, has already completed rebuilding (UU), while md1 has only begun. After it finishes, it will show:

# mdadm -D /dev/md1
Version : 00.90.00
Creation Time : Thu Aug 21 12:21:21 2003
Raid Level : raid1
Array Size : 119684160 (114.13 GiB 122.55 GB)
Device Size : 119684160 (114.13 GiB 122.55 GB)
Raid Devices : 2
Total Devices : 2
Preferred Minor : 1
Persistence : Superblock is persistent

Update Time : Fri Oct 15 13:19:11 2004
State : dirty, no-errors
Active Devices : 2
Working Devices : 2
Failed Devices : 0
Spare Devices : 0

Number Major Minor RaidDevice State
0 3 66 0 active sync /dev/hdb2
1 3 2 1 active sync /dev/hda2
UUID : ede70f08:0fdf752d:b408d85a:ada8922b

I was a little surprised that this process wasn’t entirely automatic. There’s no reason it couldn’t be. This is an older Linux install; I don’t know if more modern versions will just automatically rebuild.
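The "[2/1] [_U]" status in /proc/mdstat is the cheapest degraded-array indicator there is, and it is easy to check from cron so a failed member does not go unnoticed until the second disk dies. The function below is an added example, not code from the article: it parses /proc/mdstat, prints each array whose active member count is below the expected count together with its [_U] map, and exits non-zero when anything is degraded. The sample mdstat text is constructed to mirror the shapes shown above. raidhotadd belongs to the old raidtools; on mdadm-based systems the equivalent of the add step is mdadm /dev/md0 --add /dev/hdb1.

```bash
#!/bin/sh
# Added example: list degraded md arrays from /proc/mdstat.
# In "NNN blocks [2/1] [_U]" the first bracket pair is
# "members expected / members active"; an underscore marks a missing member.
# Usage: mdstat_degraded /proc/mdstat     (exit 1 when any array is degraded)

# Print "array expected active [map]" for each degraded array.
mdstat_degraded() {
    awk '
        /^md[0-9]+ *:/ { array = $1; next }               # remember array name
        array != "" && match($0, /\[[0-9]+\/[0-9]+\]/) {
            pair = substr($0, RSTART + 1, RLENGTH - 2)   # e.g. "2/1"
            split(pair, n, "/")
            if (n[1] != n[2]) {
                status = ""
                if (match($0, /\[[_U]+\]/))
                    status = substr($0, RSTART, RLENGTH)
                print array, n[1], n[2], status
                degraded++
            }
            array = ""                                    # status line consumed
        }
        END { if (degraded > 0) exit 1; exit 0 }
    ' "$1"
}

# Constructed /proc/mdstat sample (one healthy array, two degraded, one rebuilding).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Personalities : [raid1]
read_ahead 1024 sectors
md0 : active raid1 hda1[1]
      102208 blocks [2/1] [_U]

md2 : active raid1 hda3[1] hdb3[0]
      262016 blocks [2/2] [UU]

md1 : active raid1 hdb2[2] hda2[1]
      119684160 blocks [2/1] [_U]
      [>....................]  recovery =  0.2% (250108/119684160) finish=198.8min speed=10004K/sec
unused devices: <none>
EOF
if mdstat_degraded "$sample"; then
    echo "all arrays healthy"
else
    echo "degraded arrays found (listed above)"
fi
rm -f "$sample"
```

Note that an array mid-rebuild (md1 above) still reports [2/1] until recovery completes, so a monitoring job should also look at the recovery line before paging anyone twice.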

Centos/Redhat/Debain Internet Connection Sharing

Friday, August 14th, 2009

Network Setup :
eth0 = [ Isp router]
eth1 = [ Internal network]

Check whether IPv4 forwarding is on or off:
cat /proc/sys/net/ipv4/ip_forward
If the result is 0, turn it on with this command (and add net.ipv4.ip_forward = 1 to /etc/sysctl.conf so it survives a reboot):

echo 1 > /proc/sys/net/ipv4/ip_forward

Now enable IP masquerading by adding a rule to iptables:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[Now all internet requests will go out via eth0]

If the internal computers cannot resolve domain names, add the rules below (for CentOS and Red Hat, in /etc/sysconfig/iptables). They are INPUT rules, so they accept UDP port 53 queries addressed to the gateway itself, for example when it runs a caching nameserver; queries the clients send straight to the ISP's resolver pass through the FORWARD chain instead.
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT

-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

How to sent email to a distribution group by sendmail

Wednesday, August 12th, 2009

Go to /etc/mail and create the list file:

cd /etc/mail
vi allusers.txt

[Here you just write the usernames (system usernames), one per line]
[If you have lots of users you can use a script to copy all usernames from /etc/passwd into /etc/mail/allusers.txt]

Now save the file and add the alias to /etc/aliases:

vi /etc/aliases

Insert this line

allusers: :include:/etc/mail/allusers.txt

Then rebuild the aliases database:

newaliases

sendmail refuses to expand an :include: file that is group- or world-writable, so keep allusers.txt mode 644 and owned by root.

That's it. Now when you send email to the allusers address, it is delivered to every user in that group.
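The post suggests generating allusers.txt from /etc/passwd with a script; the catch is that a naive cut of the first field also pulls in daemon, apache, nobody and every other system account, and mail to those either bounces or lands in spools nobody reads. The function below is an added example, not code from the original post: it keeps only ordinary login accounts, filtering by UID (CentOS 5 starts regular users at 500, an assumed threshold you can override) and by shell (nologin and false are skipped), and prints them sorted, ready to redirect into /etc/mail/allusers.txt. The sample passwd entries are constructed.

```bash
#!/bin/sh
# Added example: build the :include: list for the "allusers" alias from a
# passwd file, keeping only real login accounts.
# Usage: passwd_login_users /etc/passwd [min_uid] > /etc/mail/allusers.txt
# Remember: sendmail wants the include file not group/world writable (chmod 644).

# Print login names of ordinary users, one per line, sorted.
passwd_login_users() {
    min_uid=${2:-500}                      # CentOS 5 convention; assumed default
    awk -F: -v min="$min_uid" '
        # fields: name:passwd:uid:gid:gecos:home:shell
        $3 >= min && $1 != "nobody" && $7 !~ /(nologin|false)$/ { print $1 }
    ' "$1" | sort
}

# Constructed sample passwd entries (not copied from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
bob: x:500:500:Bob:/home/bob:/bin/bash
backup:x:501:501:nightly backup job:/home/backup:/sbin/nologin
alice:x:502:502:Alice:/home/alice:/bin/bash
EOF
echo "accounts that would receive mail to allusers:"
passwd_login_users "$sample"
rm -f "$sample"
```

Run it again whenever accounts are added or removed, or from cron just before newaliases, so the list never drifts from the real user base.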

How to make VIM as IDE for Bash and Perl

Wednesday, August 12th, 2009

For Bash IDE:
1. Download file from this site :
2. Unzip the file in the /etc/vim directory, then either copy bash-support from /etc/vim to the user's home directory [cd /home/user, mkdir .vim, cp -r /etc/vim/bash-support /home/user/.vim] or unzip it directly into the user's home directory [/home/user/.vim]

3. Open your script in gvim mode. [ gvim]
Read More :

For Perl :
1.Download the zip file from here :
Then follow the same way for bash.

Master to slave and slave to master replication

Wednesday, August 12th, 2009

Master :
1. Create the replication user and give it the privileges (the GRANT under Slave, step 2; the user has to exist on whichever server acts as master, so on both for two-way replication).
2. Define the log settings in my.cnf (server_id must be different on every server):
log-bin = mysql-bin
server_id = 2
3. Restart the server: /etc/init.d/mysqld restart
4. Check the status of the server with: SHOW MASTER STATUS\G

Slave :
1. Enable the necessary logs in my.cnf (log_slave_updates is what lets this server act as master for the reverse direction; read_only stops ordinary users from writing to the slave):
log-bin = mysql-bin
server_id = 3
relay-log = mysql-relay-bin
log_slave_updates = 1
read_only = 1
2. Create the replication user: GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO reply@'host-name' IDENTIFIED BY 'some-pass';
3. Point the slave at the master with CHANGE MASTER TO (host and password are the ones used above; take the log file name and position from the SHOW MASTER STATUS\G output on the master):
mysql> CHANGE MASTER TO
    -> MASTER_HOST='Master-host-name',
    -> MASTER_USER='reply',
    -> MASTER_PASSWORD='some-pass',
    -> MASTER_LOG_FILE='mysql-bin.000001',
    -> MASTER_LOG_POS=<Position from SHOW MASTER STATUS>;

4. Start the slave: START SLAVE;
5. Look for three things in the SHOW SLAVE STATUS\G report:
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Seconds_Behind_Master: 0

Note: if Slave_IO_Running is No, check /var/log/mysqld.log for the reason, for example:

090428 7:51:18 [ERROR] Slave I/O thread: error connecting to master 'reply@Master-host-name:3306': Error: 'Host 'your-host-name.' is not allowed to connect to this MySQL server' errno: 1130 retry-time: 60 retries : 86400
090428 8:07:18 [Note] Slave I/O thread killed while connecting to master
090428 8:07:18 [Note] Slave I/O thread exiting, read up to log 'mysql-bin.000001', position 106

Error 1130 means no account on the master matches the user and the host the slave connects from; compare the host part of the GRANT with the name the master resolves for the slave.
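Checking the three SHOW SLAVE STATUS fields by eye works once; a cron job needs the same check as a script. The functions below are an added example, not code from the original post: they parse a saved copy of `mysql -e 'SHOW SLAVE STATUS\G'` output, report "ok" or the reason the slave is unhealthy, and exit non-zero on trouble. One detail worth encoding: while the I/O thread is down, Seconds_Behind_Master reads NULL rather than 0, so a check that only looks at lag as a number would call a stopped slave "caught up". The sample status text and the lag threshold are constructed.

```bash
#!/bin/sh
# Added example: check the fields the post says to watch in SHOW SLAVE STATUS\G.
#   mysql -e 'SHOW SLAVE STATUS\G' > /tmp/slave.status
#   slave_health /tmp/slave.status 30     # max acceptable lag in seconds
# Prints "ok" or the reason, and returns 1 when the slave is not healthy.

# Extract one "   Field_Name: value" line from the \G output.
slave_field() {
    awk -v key="$2" -F': ' '{ sub(/^ */, "", $1) } $1 == key { print $2; exit }' "$1"
}

slave_health() {
    io=$(slave_field "$1" Slave_IO_Running)
    sql=$(slave_field "$1" Slave_SQL_Running)
    lag=$(slave_field "$1" Seconds_Behind_Master)
    err=$(slave_field "$1" Last_Error)
    max_lag=${2:-60}
    if [ "$io" != "Yes" ]; then
        echo "I/O thread not running (Slave_IO_Running=$io); check master host, the replication GRANT and /var/log/mysqld.log"
        return 1
    fi
    if [ "$sql" != "Yes" ]; then
        echo "SQL thread not running: ${err:-no Last_Error recorded}"
        return 1
    fi
    # NULL (I/O thread down) or anything non-numeric must not be treated as 0
    case "$lag" in
        ''|NULL|*[!0-9]*) echo "Seconds_Behind_Master is '$lag', not a number"; return 1 ;;
    esac
    if [ "$lag" -gt "$max_lag" ]; then
        echo "slave is ${lag}s behind master (limit ${max_lag}s)"
        return 1
    fi
    echo ok
}

# Constructed sample: the failure shown in the post's log excerpt.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*************************** 1. row ***************************
               Slave_IO_State: Connecting to master
                  Master_Host: Master-host-name
                  Master_User: reply
              Master_Log_File: mysql-bin.000001
          Read_Master_Log_Pos: 106
             Slave_IO_Running: No
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: NULL
                   Last_Error:
EOF
slave_health "$sample" 30 || echo "slave needs attention"
rm -f "$sample"
```

Run it from cron with the output mailed only on non-zero exit; the message names which of the three conditions failed.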

Query Cache in mysqlserver

Wednesday, August 12th, 2009

Ref:MySQL® 5 Certification Study Guide
Ref: High Performance MySQL (2nd Edition)

How to find out if Query Cache is enabled:

mysql> SHOW VARIABLES LIKE 'have_query_cache';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| have_query_cache | YES   |
+------------------+-------+

How to enable Query Cache:

Edit my.cnf and add the following under the [mysqld] section:

query_cache_type = 1
query_cache_size = 10M
query_cache_limit = 2M

The command below shows the query cache settings of your MySQL server:

mysql> SHOW VARIABLES LIKE 'query_cache%';
+------------------------------+---------+
| Variable_name                | Value   |
+------------------------------+---------+
| query_cache_limit            | 1048576 |
| query_cache_min_res_unit     | 4096    |
| query_cache_size             | 8388608 |
| query_cache_type             | ON      |
| query_cache_wlock_invalidate | OFF     |
+------------------------------+---------+

query_cache_size is the size of the query cache in bytes (8388608 is 8M and query_cache_limit 1048576 is 1M, so the values shown here differ from the 10M/2M in the my.cnf example above). If the size is 0, the cache is disabled even if query_cache_type is not OFF.

How to set up the query cache at runtime:

Ref :

Basic Linux User administration Commands

Wednesday, August 12th, 2009
  1. useradd -s /sbin/nologin username : creates the account but prevents the user from logging in to the server
  2. userdel -r username : -r deletes everything (home directory, mail spool); without -r it only removes the account references from the user and group files
  3. usermod -L username : -L locks (disables) the user account
  4. usermod -U username : -U unlocks (re-enables) the user account
  5. echo 'mypassword' | passwd --stdin username : pipes a new plain-text password to passwd (the password ends up in the shell history and is briefly visible in the process list, so use it from scripts rather than on a shared interactive shell)
  6. groupadd [-g gid [-o]] [-r] [-f] groupname : -f makes groupadd exit successfully if the group already exists, -r creates a system group
  7. gpasswd [-A username] [-M username] groupname : -A username assigns username as the group's administrator; -M username adds username to the group's membership roster
  8. who [-Hil] | [-q] : -H adds column headings to who's output, -i adds each user's idle time, -l forces fully qualified domain names to be shown, -q prints the total number of logged-in users

w [-husf] [username] : by default w prints header information. -h disables the header, -s selects the short output format, -f toggles the from (remote host) field


How to add a new hard drive in Linux with LVM

Wednesday, August 12th, 2009

The steps are:

Create a physical volume, then create a volume group or extend the existing one:

  1. Create a physical volume: pvcreate /dev/hdc (here the new disk is /dev/hdc)
  2. Create a volume group: vgcreate VolGroup01 /dev/hdc
  3. OR extend the existing volume group: vgextend VolGroup01 /dev/hdc

Create a logical volume:

Check how many free PEs (physical extents) you have with: vgdisplay
It will show something like this:
Free PE / Size 319 / 9.97 GB
Now create the logical volume, either by number of extents or by size:
lvcreate -l number_of_PEs VolGroup01 -n LogicalVolumeName
lvcreate -L 800M VolGroup01 -n LogicalVolumeName
Check that it worked with: lvdisplay
To see how much space is left, run vgdisplay again; it will show something like this:
Free PE / Size 294 / 9.19 GB

Now you need to format and mount the logical volume (its device path is /dev/<volume group>/<logical volume>):

Format the logical volume: mkfs.ext3 /dev/VolGroup01/LogicalVolumeName
Mount it: mount /dev/VolGroup01/LogicalVolumeName /mount-point
Now create a label for this filesystem (the label must match exactly what you put in fstab, without a trailing slash):
e2label /dev/VolGroup01/LogicalVolumeName /mount-point
and add this line to /etc/fstab:
LABEL=/mount-point /mount-point ext3 defaults 1 2

How to Setup a transparent proxy with Squid

Wednesday, August 12th, 2009

by LinuxTitli [Last updated: December 5, 2007]

Setup :

i) System: HP dual Xeon CPU system with 8 GB RAM (good for squid).
ii) Eth0: IP:
iii) Eth1: IP: ( network (around 150 windows XP systems))
iv) OS: Red Hat Enterprise Linux 4.0 (Following instruction should work with Debian and all other Linux distros)

Eth0 connected to internet and eth1 connected to local lan i.e. system act as router.

Server Configuration:

  • Step #1 : Squid configuration so that it will act as a transparent proxy
  • Step #2 : Iptables configuration
    • a) Configure system as router
    • b) Forward all http requests to 3128 (DNAT)
  • Step #3: Run scripts and start squid service

First, install the Squid server (use up2date squid) and configure it by adding the following directives to the file:
# vi /etc/squid/squid.conf

Modify or add following squid directives:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src
http_access allow localhost
http_access allow lan


  • httpd_accel_host virtual: Squid acts as an httpd accelerator
  • httpd_accel_port 80: 80 is the port you want to act as a proxy for
  • httpd_accel_with_proxy on: Squid acts as both a local httpd accelerator and as a proxy
  • httpd_accel_uses_host_header on: use the Host header, which carries the hostname from the URL
  • acl lan src : access control list; only allow LAN computers to use squid
  • http_access allow localhost: allow squid access to the localhost ACL
  • http_access allow lan: same for the LAN ACL

Note that the httpd_accel_* directives are Squid 2.5 syntax (what Red Hat Enterprise Linux 4 ships). Squid 2.6 and later drop them and do the same thing with a single http_port 3128 transparent line.

Here is the complete listing of squid.conf for your reference (grep removes all comments and sed removes all empty lines; thanks to David Klein for the quick hint):
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

OR, try out sed (thanks to kotnik for small sed trick)
# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl purge method PURGE
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid

Iptables Configuration:

Next, I added the following rules to forward all http requests (coming to port 80) to the Squid server port 3128:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Here is the complete shell script. The script first configures the Linux system as a router and then forwards all http requests to port 3128 (download the fw.proxy shell script):
#!/bin/bash
# squid server IP (the address was not kept in this copy; fill it in)
SQUID_SERVER=""
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
[ -n "$SQUID_SERVER" ] || { echo "set SQUID_SERVER first" >&2; exit 1; }
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to our own connections (covers UDP, DNS and passive FTP data)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is the same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything else and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Save shell script. Execute script so that system will act as a router and forward the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on

Start or Restart the squid:
# /etc/init.d/squid restart
# chkconfig squid on

How to test if squid is working properly ?

See access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log

The above command follows the access log as Squid writes it to /var/log/squid/access.log. When somebody accesses a website through a browser on the LAN, Squid logs the request there.
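Beyond confirming that requests show up at all, access.log is where to measure whether the cache is earning its 1024 MB of cache_mem and which LAN hosts are consuming the uplink. The functions below are an added example, not code from the article: they summarise Squid's native access.log format (epoch time, elapsed ms, client IP, result/status, bytes, method, URL, ident, hierarchy/peer, content type), printing the percentage of requests served from cache and the busiest clients by bytes. The log lines are constructed using documentation-range addresses.

```bash
#!/bin/sh
# Added example: summarise Squid's native access.log, the file the article
# tails to confirm the proxy is working. Native format, one request per line:
#   epoch.ms elapsed_ms client result_code/http_status bytes method URL ident hierarchy/peer type
# squid_hit_ratio   -> percentage of requests with a *HIT result (TCP_HIT, TCP_MEM_HIT, ...)
# squid_top_clients -> client IPs ranked by bytes transferred

squid_hit_ratio() {
    awk '
        $4 ~ /^TCP_[A-Z_]*HIT\// { hits++ }
        END { if (NR == 0) print 0; else printf "%d\n", hits * 100 / NR }
    ' "$1"
}

squid_top_clients() {
    awk '{ bytes[$3] += $5 } END { for (c in bytes) print bytes[c], c }' "$1" \
        | sort -rn | head -n "${2:-3}"
}

# Constructed log lines (not a real capture). The last one shows the
# "deny CONNECT !SSL_ports" rule refusing a tunnel to an SMTP port.
sample=$(mktemp)
cat > "$sample" <<'EOF'
1251369000.123    312 192.0.2.10 TCP_MISS/200 15320 GET http://www.example.com/ - DIRECT/203.0.113.5 text/html
1251369001.456     12 192.0.2.11 TCP_HIT/200 15320 GET http://www.example.com/ - NONE/- text/html
1251369002.789   4021 192.0.2.10 TCP_MISS/200 918422 GET http://www.example.com/update.bin - DIRECT/203.0.113.5 application/octet-stream
1251369003.001      8 192.0.2.12 TCP_MEM_HIT/200 2048 GET http://www.example.com/logo.png - NONE/- image/png
1251369004.555    220 192.0.2.11 TCP_MISS/403 512 CONNECT mail.example.net:25 - NONE/- -
EOF
echo "cache hit ratio: $(squid_hit_ratio "$sample")%"
echo "top clients by bytes:"
squid_top_clients "$sample" 2
rm -f "$sample"
```

Point both functions at the live file (or a logrotate'd copy) to get the same numbers for a real day of traffic.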

Problem and Solutions:

(a) Windows XP FTP Client

All desktop client FTP session requests ended with an error:
Illegal PORT command.

I loaded the ip_nat_ftp kernel module. Just type the following command, press Enter and voila!
# modprobe ip_nat_ftp

Please note that modprobe command is already added to a shell script (above).

(b) Port 443 redirection

I had blocked all connection requests in our router settings except for our proxy server. So requests on all ports, including 443 (https/ssl), were denied. You cannot redirect port 443; from the Debian mailing list: "Long answer: SSL is specifically designed to prevent 'man in the middle' attacks, and setting up squid in such a way would be the same as such a 'man in the middle' attack. You might be able to successfully achieve this, but not without breaking the encryption and certification that is the point behind SSL".

Therefore, I quickly reopened port 443 (router firewall) for all my LAN computers and the problem was solved.

(c) Squid Proxy authentication in a transparent mode

You cannot use Squid authentication with a transparently intercepting proxy.

Basic kernel related commands

Wednesday, August 12th, 2009

depmod -a :
builds the module dependency list (modules.dep) for the running kernel so that modprobe can find and load the dependencies of a module
modprobe drivername :
loads that specific driver (module), together with anything it depends on
lsmod :
shows the loaded kernel modules
/lib/modules/`uname -r`/ :
the directory where all modules for the running kernel are stored
modprobe -r modulename :
unloads that module
Mitigating TCP SYN floods :
cat /proc/sys/net/ipv4/tcp_syncookies ; the output should be 1 (syncookies have nothing to do with the "ping of death", which is an oversized ICMP packet that current kernels already handle; they protect the TCP listen queue against SYN flooding)

Kernel Tuning: Kernel Runtime Parameters

Several kernel features, such as IP forwarding or the maximum number of files, can be turned on or off without compiling and installing a new kernel or module. These tunable parameters are controlled by the files in the /proc/sys directory. Settings that should survive a reboot go in the /etc/sysctl.conf file; to change them on the fly you use the sysctl command directly. The -p option causes sysctl to read parameters from /etc/sysctl.conf (you can specify a different file), and the -w option changes a specific parameter.

You reference a parameter with its key: the parameter name prefixed with its /proc/sys categories (directories), such as net.ipv4.ip_forward for the ip_forward parameter located in /proc/sys/net/ipv4/. To display the value of a particular parameter, just use its key. The -a option lists all available changeable parameters.

In the next example, the user changes the domain name parameter, referencing it with the kernel.domainname key (the domainname command also sets kernel.domainname):

# sysctl -w kernel.domainname=""

The following example turns on IP forwarding:

# sysctl -w net.ipv4.ip_forward=1

If you use just the key, you display the parameter's current value:

# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
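The key-to-path mapping described above (net.ipv4.ip_forward is /proc/sys/net/ipv4/ip_forward) is all that is needed to audit a handful of tunables without relying on the sysctl binary, and the two settings this page cares about are exactly the kind worth auditing: tcp_syncookies from the kernel commands post, and vm.mmap_min_addr, which the sock_sendpage article (August 27th) names as the setting that defeats the published exploit when it is above zero. The functions below are an added example, not code from the original posts or from any kernel tool: they read a key from a /proc/sys tree, compare it with an expected value, and run a small baseline. The baseline (ip_forward off for a plain server) and the constructed /proc/sys tree in the demo are assumptions; the /proc/sys root is a parameter so the same code can run against a copied tree.

```bash
#!/bin/sh
# Added example: read kernel tunables the way sysctl does and check a small
# hardening baseline. Usage:
#   kernel_baseline            # checks the live /proc/sys
#   kernel_baseline /some/dir  # checks a saved copy of the tree

# Map "net.ipv4.ip_forward" to "<root>/net/ipv4/ip_forward".
sysctl_path() {
    echo "${2:-/proc/sys}/$(echo "$1" | tr . /)"
}

# Print the current value of a key, or "missing" when the file is absent.
sysctl_get() {
    f=$(sysctl_path "$1" "$2")
    if [ -r "$f" ]; then tr -d '\n' < "$f"; else echo missing; fi
}

# sysctl_check KEY eq VALUE [root]  or  sysctl_check KEY ge VALUE [root]
# Prints ok/FAIL and returns 0/1.
sysctl_check() {
    cur=$(sysctl_get "$1" "$4")
    case "$cur" in missing|*[!0-9]*) echo "FAIL $1 is $cur"; return 1 ;; esac
    case "$2" in
        eq) test "$cur" -eq "$3" ;;
        ge) test "$cur" -ge "$3" ;;
        *)  echo "FAIL unknown operator $2"; return 1 ;;
    esac && { echo "ok   $1 = $cur"; return 0; }
    echo "FAIL $1 = $cur (want $2 $3)"
    return 1
}

# Baseline for a plain server (assumed); a NAT gateway would expect ip_forward = 1.
# Returns the number of failed checks.
kernel_baseline() {
    fails=0
    sysctl_check net.ipv4.tcp_syncookies eq 1 "$1" || fails=$((fails + 1))
    sysctl_check vm.mmap_min_addr ge 1 "$1" || fails=$((fails + 1))   # blocks the sock_sendpage NULL-page trick
    sysctl_check net.ipv4.ip_forward eq 0 "$1" || fails=$((fails + 1))
    return $fails
}

# Constructed /proc/sys tree: forwarding on and mmap_min_addr at zero, the
# state the 2009 exploit needs.
root=$(mktemp -d)
mkdir -p "$root/net/ipv4" "$root/vm"
echo 1 > "$root/net/ipv4/tcp_syncookies"
echo 0 > "$root/vm/mmap_min_addr"
echo 1 > "$root/net/ipv4/ip_forward"
kernel_baseline "$root" || echo "$? check(s) failed"
rm -rf "$root"
```

Whatever the baseline reports as FAIL belongs in /etc/sysctl.conf, not just in a one-off sysctl -w, or it will be back to the old value after the next reboot.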

SSH Dictionary Attack Prevention with iptables

Wednesday, August 12th, 2009

Ref :

Last week (9-15 April), 8,750 failed SSH login attempts, averaging almost one per minute and trying out all kinds of possible user names, left tons of junk in my message log. The recent SSH brute-force attacks (actually they are not that recent) are rather annoying, and this article at has useful information on how to prevent this kind of attack.

For me, I have always used the AllowUsers directive in /etc/ssh/sshd_config to limit the users that can log in. In my setup, I have

AllowUsers root@home-IP my-regular-login

It allows root ssh login, but only from my home ADSL connection with static IP address so I can automate backups. Then it also includes a user ID that I regularly use to log into this VPS. If I need to do some system administration, I’ll use either su or sudo once I am inside.

However, I found it also ideal to slow down the attack when an infested host starts to brute-force SSH authentication. There are many scripts and user-land daemons that perform monitoring and blocking. However, on a resource-limited VPS I prefer to use something that makes less demand on memory and CPU. The iptables recent module provides a kernel-level solution with little overhead.

This is what I have in my iptables rules:

iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

What it does is:

  1. Create a new chain SSH_CHECK; every new incoming SSH connection (TCP port 22) goes into this chain to test the condition.
  2. The condition is: for any source IP address there cannot be more than 3 SSH connection attempts within a 60-second window.
  3. Once the condition is met, further new connections from that source IP address are dropped (connections already established are not affected).
  4. That source IP can only connect again once the condition clears, i.e. after 60 seconds of quiet time; because --update refreshes the timestamp, every blocked attempt restarts the clock.

I found it quite effective; it dramatically reduced bot attacks on the SSH port. Still, it is important to remove shell access from users that no longer require it, and to choose sensible random passwords that are difficult to guess.
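The 8,750 failures quoted above came from reading the log; the same log tells you which sources the 4-in-60-seconds rule would actually have caught and which it would have missed. The function below is an added example, not code from the article: it counts "Failed password" lines per source IP in /var/log/secure (or /var/log/auth.log) format and replays the rule's condition over the timestamps, marking the moment each source would have been blocked. The log lines are constructed with documentation-range addresses; the window and hit count default to the rule's 60 seconds and 4, and the timestamp arithmetic assumes all lines fall in the same month.

```bash
#!/bin/sh
# Added example: per-source tally of failed SSH logins with a replay of the
# iptables recent rule (hitcount 4 within 60 s) over the log timestamps.
# Usage: ssh_bruteforce_report /var/log/secure [window_seconds] [hitcount]
ssh_bruteforce_report() {
    awk -v win="${2:-60}" -v hits="${3:-4}" '
        function tosec(day, hms,   t) {          # same month assumed
            split(hms, t, ":")
            return day * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        }
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            now = tosec($2, $3)
            total[ip]++
            cnt[ip]++; ts[ip, cnt[ip]] = now
            inwin = 0                              # attempts inside the window
            for (j = 1; j <= cnt[ip]; j++) if (now - ts[ip, j] < win) inwin++
            if (inwin >= hits && !(ip in flagged)) flagged[ip] = $1 " " $2 " " $3
        }
        END {
            for (ip in total) {
                status = (ip in flagged) ? "would_be_blocked_at=" flagged[ip] : "under_threshold"
                printf "%s failures=%d %s\n", ip, total[ip], status
            }
        }
    ' "$1" | sort
}

# Constructed sample log (not a real capture): one fast dictionary run, one
# legitimate typo, and one slow attacker staying under the rate limit.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Apr 12 03:14:07 vps sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 12 03:14:09 vps sshd[2233]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Apr 12 03:14:12 vps sshd[2235]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr 12 03:14:15 vps sshd[2237]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Apr 12 03:14:30 vps sshd[2239]: Failed password for invalid user guest from 203.0.113.7 port 51250 ssh2
Apr 12 09:02:41 vps sshd[3101]: Failed password for bob from 198.51.100.4 port 40210 ssh2
Apr 12 09:02:50 vps sshd[3103]: Accepted password for bob from 198.51.100.4 port 40211 ssh2
Apr 12 11:40:02 vps sshd[3390]: Failed password for root from 198.51.100.9 port 33012 ssh2
Apr 12 11:42:55 vps sshd[3402]: Failed password for root from 198.51.100.9 port 33020 ssh2
Apr 12 11:45:10 vps sshd[3410]: Failed password for root from 198.51.100.9 port 33031 ssh2
Apr 12 11:47:33 vps sshd[3421]: Failed password for root from 198.51.100.9 port 33044 ssh2
EOF
ssh_bruteforce_report "$sample"
rm -f "$sample"
```

The slow attacker (198.51.100.9) never trips the rate limit, which is why the rule is a complement to AllowUsers and strong passwords rather than a replacement for them.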


Wednesday, August 12th, 2009

Allow ssh connections from selected IPs only:
iptables -A INPUT --source xx.xx.xx.xx -p tcp --dport 22 -j ACCEPT
iptables -A INPUT --source yy.yyy.yy.yy -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Only allow ssh to the Linux box (note: with the OUTPUT policy set to DROP and only ESTABLISHED,RELATED accepted, the box itself cannot open new outbound connections, for DNS or yum for example, until you add rules for them):

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT --source xx.xx.xx.xx -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

How to mitigate TCP SYN flooding:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Iptables for MASQUERADE

# iptables -t nat -A POSTROUTING -s -o eth1 -j MASQUERADE
The following command enables FTP connection tracking through your

# modprobe -a ip_conntrack_ftp ip_nat_ftp

How to install openssh-server in knoppix

Tuesday, August 11th, 2009

In Knoppix,
cd /etc/apt/
nano sources.list
add any good Debian repo such as

deb stable main contrib non-free

then save the file
then: apt-get update

then type: apt-get install openssh-server
Also give root a password (passwd), because Knoppix ships without a root password and sshd refuses empty passwords by default.

repo ref:

How to find the most expensive I/O process when chasing an I/O bottleneck

Tuesday, August 11th, 2009

To find the process causing the I/O bottleneck:

1. iotop (
iotop requires Python ≥ 2.5 and a Linux kernel ≥ 2.6.20 with the TASK_DELAY_ACCT and TASK_IO_ACCOUNTING options enabled.
2. iostat from the sysstat package (it reports per device rather than per process; pidstat -d, also in sysstat, gives the per-process view)

But iotop provides more user-friendly output than iostat.

How to Change Ip from Dynamic to Static

Tuesday, August 11th, 2009

In Debian, edit /etc/network/interfaces:

auto eth0
iface eth0 inet static

(followed by the address, netmask and gateway lines for your network)

then: /etc/init.d/networking restart

In CentOS:
vi /etc/sysconfig/network-scripts/ifcfg-eth0

then: service network restart

Hello world!

Tuesday, August 11th, 2009

Welcome to

This is my own knowledge base web site. It is updated daily with computer-related articles, new problem-solving techniques and "how to" documents.