apache puppet module (example)

init.pp (/etc/puppet/modules/apache/manifests)

class apache {
	# Title restored from the Package["apache2"] references below.
	package { "apache2":
		ensure => installed,
	}

	# The name of this second package is missing from the page; PACKAGE-NAME is a placeholder.
	package { "PACKAGE-NAME":
		ensure  => installed,
		notify  => Exec["reload-apache2"],
		require => Package["apache2"],
	}

	service { "apache2":
		ensure     => running,
		hasstatus  => true,
		hasrestart => true,
		require    => Package["apache2"],
	}

	file { "/etc/apache2/sites-available/debian.fosiul.lan":
		ensure  => present,
		source  => "puppet://$servername/modules/apache/scripts/debian.fosiul.lan",
		owner   => root,
		group   => root,
		replace => true,
		force   => true,
	}

	file { "/etc/apache2/sites-available/web1.fosiul.lan":
		ensure  => present,
		source  => "puppet://$servername/modules/apache/scripts/web1.fosiul.lan",
		owner   => root,
		group   => root,
		replace => true,
		force   => true,
	}

	# Enable or disable an Apache module with a2enmod / a2dismod.
	# $apache2_mods and Exec["force-reload-apache2"] are referenced here but are
	# not defined in this listing; they must be defined elsewhere.
	define module ( $ensure = 'present', $require = 'apache2' ) {
		case $ensure {
			'present': {
				exec { "/usr/sbin/a2enmod $name":
					unless  => "/bin/readlink -e ${apache2_mods}-enabled/${name}.load",
					notify  => Exec["force-reload-apache2"],
					require => Package[$require],
				}
			}
			'absent': {
				exec { "/usr/sbin/a2dismod $name":
					onlyif  => "/bin/readlink -e ${apache2_mods}-enabled/${name}.load",
					notify  => Exec["force-reload-apache2"],
					require => Package["apache2"],
				}
			}
			default: { err ( "Unknown ensure value: '$ensure'" ) }
		}
	}

	# Title restored from the notify => Exec["reload-apache2"] reference above.
	exec { "reload-apache2":
		command     => "/etc/init.d/apache2 reload",
		refreshonly => true,
	}
}

Ref : http://projects.puppetlabs.com/projects/1/wiki/Debian_Apache2_Recipe_Patterns

(b) Create related file under /etc/puppet/modules/apache/files/scripts

All about yum command for Redhat/Centos/Fedora

Display the list of available updates (security fixes)

yum list updates
yum check-update

Patch up system by applying all updates

yum update

List all installed packages

rpm -qa

How to find a particular installed package (httpd)

rpm -qa | grep httpd

How to look for updates to specific packages

yum update {package-name-1}

To check for and update httpd package, enter:

yum update httpd

How to install packages by yum

yum install package-name
Example: yum install httpd

How to exclude a package from an update

yum --exclude=packagename* update

How to check for yum updates automatically with a bash script:
To be continued…

vsftpd: Failed to retrieve directory listing

Problem: If vsftpd fails to retrieve the directory listing, do the following:

In vsftpd.conf

example : [pasv_min_port=1023]

example : [pasv_max_port=1050]

Now open ports 1023-1050 in iptables

iptables -A INPUT --source xx.xx.xx.xx -p tcp --dport 1023:1050 -j ACCEPT

This allows FileZilla to connect to the FTP server in passive mode.

Basic Linux User administration Commands

  1. useradd -s /sbin/nologin username : prevents the user from logging in to the server
  2. userdel -r username : -r deletes everything (home directory, mail spool); without -r it just deletes the account references from users and groups
  3. usermod -L username : -L disables the user account
  4. usermod -U username : -U enables the user account
  5. echo 'mypassword' | passwd --stdin username : allows piping in a new plain-text password
  6. groupadd [-g gid [-o]] [-r] [-f] groupname : -f forces groupadd to accept an existing group name, -r creates a system group
  7. gpasswd [-A username] [-M username] groupname : -A username assigns username as groupname's group administrator; -M username adds username to groupname's membership roster
  8. who [-Hil] | [-q] : -H adds column headings to who's output, -i adds users' idle time, -l forces the fully qualified domain to be shown, -q gives the total number of logged-in users
  9. w [-husf] [username] : by default w prints header information; -h disables the header information, -s generates the short output, -f disables the host


SSH Dictionary Attack Prevention with iptables

Ref :http://hostingfu.com/article/ssh-dictionary-attack-prevention-with-iptables

Last week (9-15 April): 8,750 failed SSH login attempts, averaging almost one per minute, trying out all kinds of possible user names and leaving tons of junk in my message log. The recent SSH brute-force attacks (actually it's not that recent) are rather annoying, and this article at Whitedust.com has useful information on how to prevent this kind of attack.

For me I have always used AllowUsers directive in /etc/ssh/sshd_config to limit the users that can login. In my setup, I have

AllowUsers root@home-IP my-regular-login

It allows root ssh login, but only from my home ADSL connection with static IP address so I can automate backups. Then it also includes a user ID that I regularly use to log into this VPS. If I need to do some system administration, I’ll use either su or sudo once I am inside.

However I found it is also ideal to slow down the attack when the infested host started to brute force the SSH authentication. There are many scripts/user-land daemons that perform monitoring and blocking. However in a resource limited VPS, I prefer to use something that has less demand in memory/CPU usage. IPTables recent module provides a kernel level solution with little overhead.

This is what I have in my iptables rules:

iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

What it does is:

  1. Create a new chain SSH_CHECK, and all incoming SSH connections (TCP port 22) will go into this chain to test the condition.
  2. Condition is, for any source IP address there cannot be more than 3 SSH connection attempts within a 60 seconds window.
  3. If condition has been met, then all packets from that source IP address will be dropped.
  4. That source IP can only connect again if condition is cleared again, i.e. there has been 60 seconds of quiet time.

I found it quite effectively and dramatically reduces bot attacks on the SSH port. Still, it is important to remove shell access from users that no longer require it, and choose a sensible random password that is difficult to guess.
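
The SSH_CHECK rule pair above can be replayed offline to see which connection attempts it accepts and drops. This is an added example, not code from the quoted article or from this blog: it models the recent match in Python over constructed connection times. The class and function names, the documentation IP addresses and the ring size of 20 timestamps per address are assumptions of the example.

```python
from collections import defaultdict, deque

SECONDS = 60        # --seconds 60
HITCOUNT = 4        # --hitcount 4
PKT_LIST_TOT = 20   # assumption: timestamps kept per address (ip_pkt_list_tot)


class RecentList:
    """Model of one named recent list (--name SSH), keyed by source IP."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        # --set: record the packet time; the rule has no target, so the packet moves on.
        self.stamps[src].append(now)

    def update(self, src, now):
        # --update --seconds N --hitcount H: match when at least H recorded
        # packets fall inside the last N seconds; a match refreshes the entry.
        hits = sum(1 for t in self.stamps[src] if now - t <= SECONDS)
        if hits >= HITCOUNT:
            self.stamps[src].append(now)
            return True
        return False


def ssh_check(recent, src, now):
    """Verdict for one NEW tcp/22 packet traversing the SSH_CHECK chain."""
    recent.set(src, now)
    return "DROP" if recent.update(src, now) else "ACCEPT"


def replay(events):
    """events: iterable of (time in seconds, source IP); returns the verdicts."""
    recent = RecentList()
    return [ssh_check(recent, src, now) for now, src in events]


# Constructed input: a password-guessing bot connecting every 10 s and an
# administrator who connects twice (both are documentation addresses).
BOT = [(t, "203.0.113.5") for t in range(0, 100, 10)]
ADMIN = [(5, "198.51.100.7"), (50, "198.51.100.7")]

if __name__ == "__main__":
    events = sorted(BOT + ADMIN)
    for (now, src), verdict in zip(events, replay(events)):
        print(f"t={now:>3}s {src:<13} {verdict}")
```

Each dropped attempt is itself recorded, so a source that keeps retrying stays blocked while the administrator's address is unaffected.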


Allow SSH connections from selected IPs:
iptables -A INPUT --source xx.xx.xx.xx -p tcp --dport 22 -j ACCEPT
iptables -A INPUT --source yy.yyy.yy.yy -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Only allow ssh to linux box:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT --source xx.xx.xx.xx -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

How to avoid TCP SYN flooding:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Iptables for MASQUERADE

# iptables -t nat -A POSTROUTING -s -o eth1 -j MASQUERADE
The following command enables FTP connection tracking through your

# modprobe -a ip_conntrack_ftp ip_nat_ftp