Archive for the ‘How_to’ Category

How to create bonding with a bridge network (Linux KVM)

Thursday, November 21st, 2013

Package needed:

rpm -qa | grep bridge-utils
bridge-utils-1.2-10.el6.x86_64

Create bonding:

cat /etc/sysconfig/network-scripts/ifcfg-bond0
 
DEVICE=bond0
ONBOOT=yes
BONDING_OPTS='mode=1 miimon=100'
BRIDGE=br0

Create bridge network:

DEVICE=br0
TYPE=Bridge
IPADDR=192.168.0.50
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=static
NM_CONTROLLED=no
DELAY=0

Configure eth0:

DEVICE=eth0
HWADDR=00:1D:09:66:8A:7A
TYPE=Ethernet
UUID=5e76d7f6-7526-4b6e-baf3-cde82362a914
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
USERCTL=no
SLAVE=yes
MASTER=bond0

Configure eth1:

DEVICE=eth1
HWADDR=00:1D:09:66:8A:7C
TYPE=Ethernet
UUID=ef4ef437-73c7-4c42-8552-6777a789c5a6
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
USERCTL=no
SLAVE=yes
MASTER=bond0

Note: please make sure that both eth0 and eth1 have HWADDR defined in their respective files; it is needed for virtualization and bridging.

Further reading: Network Bridge
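The script below is an added example, not part of the original post: a small sh check that reads a directory of ifcfg-* files and reports the mistakes that quietly break a bond/bridge layout (a BOOTPROTO value the initscripts do not understand, a slave with no MASTER or no HWADDR, a BRIDGE= that points at a file which is not TYPE=Bridge). The sample files it writes into a temporary directory are constructed; the function names and temp paths are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: consistency check for the
# ifcfg-* files of a bond + bridge layout, to run before "service network
# restart". Sample files below are constructed (they mirror the post's
# layout, with eth1 using BOOTPROTO=none).

# ifcfg_get FILE KEY: read one KEY from an ifcfg file the way the initscripts
# do, by sourcing it in a subshell, so quoted values such as
# BONDING_OPTS='mode=1 miimon=100' are handled. FILE must be an absolute path.
ifcfg_get() {
    [ -r "$1" ] || return 0
    ( . "$1" >/dev/null 2>&1; eval "printf '%s' \"\${$2-}\"" )
}

# check_ifcfg_dir DIR: prints one line per finding; returns 1 if any, else 0.
check_ifcfg_dir() {
    dir=$1; rc=0
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        dev=$(ifcfg_get "$f" DEVICE)
        proto=$(ifcfg_get "$f" BOOTPROTO)
        # BOOTPROTO must be a value the initscripts understand ("no" is not one)
        case "$proto" in
            ""|none|static|dhcp|bootp) ;;
            *) echo "$dev: invalid BOOTPROTO=$proto (use none, static or dhcp)"; rc=1 ;;
        esac
        if [ "$(ifcfg_get "$f" SLAVE)" = yes ]; then
            master=$(ifcfg_get "$f" MASTER)
            if [ -z "$master" ]; then
                echo "$dev: SLAVE=yes but no MASTER"; rc=1
            elif [ ! -f "$dir/ifcfg-$master" ]; then
                echo "$dev: MASTER=$master but ifcfg-$master is missing"; rc=1
            fi
            # the post's note: slaves need HWADDR for bridging and virtualization
            if [ -z "$(ifcfg_get "$f" HWADDR)" ]; then
                echo "$dev: slave without HWADDR"; rc=1
            fi
        fi
        bridge=$(ifcfg_get "$f" BRIDGE)
        if [ -n "$bridge" ] && [ "$(ifcfg_get "$dir/ifcfg-$bridge" TYPE)" != Bridge ]; then
            echo "$dev: BRIDGE=$bridge but ifcfg-$bridge is missing or not TYPE=Bridge"; rc=1
        fi
    done
    return $rc
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GOOD_DIR=$WORK/good; BAD_DIR=$WORK/bad
mkdir -p "$GOOD_DIR" "$BAD_DIR"

# constructed sample: the post's layout
cat >"$GOOD_DIR/ifcfg-bond0" <<'EOF'
DEVICE=bond0
ONBOOT=yes
BONDING_OPTS='mode=1 miimon=100'
BRIDGE=br0
EOF
cat >"$GOOD_DIR/ifcfg-br0" <<'EOF'
DEVICE=br0
TYPE=Bridge
IPADDR=192.168.0.50
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=static
NM_CONTROLLED=no
DELAY=0
EOF
for n in 0 1; do
    cat >"$GOOD_DIR/ifcfg-eth$n" <<EOF
DEVICE=eth$n
HWADDR=00:1D:09:66:8A:7$n
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
USERCTL=no
SLAVE=yes
MASTER=bond0
EOF
done

# constructed broken copy: eth1 has BOOTPROTO=no and no HWADDR
cp "$GOOD_DIR"/ifcfg-* "$BAD_DIR"/
cat >"$BAD_DIR/ifcfg-eth1" <<'EOF'
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=no
SLAVE=yes
MASTER=bond0
EOF

if check_ifcfg_dir "$GOOD_DIR"; then echo "good layout: OK"; fi
check_ifcfg_dir "$BAD_DIR" || echo "bad layout: see findings above"
```

Point check_ifcfg_dir at /etc/sysconfig/network-scripts to check the real files; it only reads them.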

Troubleshooting: Client not getting IP from dhcp server

Saturday, September 28th, 2013

(1) If your DHCP server is running fine and has enough free IPs to lease, try the command below:

dhclient eth0

Boot a system from the command line when the grub.cfg file is missing (Debian)

Monday, April 29th, 2013

(a) If you know where grub.cfg is located, you can run:

configfile /boot/grub/grub.cfg or configfile (hdX,Y)/boot/grub/grub.cfg

(b) If you don't know where grub.cfg is, follow the steps below:

1. set root='(hd0,msdos1)'
2. linux /vmlinuz root=/dev/sda1
3. initrd /initrd.img
4. boot

Invalid command ‘WSGIScriptAliasMatch’, perhaps misspelled or defined by a module not included in the server configuration (Spacewalk)

Friday, June 15th, 2012

You can enable this module by editing /etc/httpd/conf.d/wsgi.conf and uncommenting the “LoadModule wsgi_module modules/mod_wsgi.so” line.

Turn off fsck at boot time

Friday, June 15th, 2012

$ sudo tune2fs -c -1 `mount | awk '$3 == "/" {print $1}'`
or
$ sudo tune2fs -c -1 /dev/yourhdd

or
set the last field (the fsck pass number) of the /etc/fstab entry to 0:
/dev/sda1 / ext4 defaults 1 0

How to install SNMP in CentOS/Debian

Wednesday, December 21st, 2011

In CentOS

yum install net-snmp-utils

In Debian

apt-get install snmpd

Take a backup of the original configuration file and create a new one (snmpd reads /etc/snmp/snmpd.conf):

cd /etc/snmp
mv snmpd.conf snmpd.conf.bk
mcedit snmpd.conf

Create a new config file from scratch:

agentAddress udp:192.0.0.xxx:161
rocommunity  public 192.0.0.0/24
syslocation  "MysqlServer, unit1"

Now restart the snmpd server

In CentOS

/etc/init.d/snmpd restart

In Debian

/etc/init.d/snmpd restart

Check whether the SNMP server is running (from the server itself):

pgrep snmpd
19946
snmpwalk -v1 -c public 192.0.0.ip-of-server
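An added example, not part of the original post: an awk-based audit of an snmpd.conf for the two settings configured above. It flags a rocommunity/rwcommunity line with no source restriction (any host that reaches UDP/161 can query), the well-known community names "public" and "private", and an agentAddress that binds every interface. The two sample configs are constructed; the addresses in the hardened one are RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an snmpd.conf for
# community scope and bind address. Sample files are constructed.

# audit_snmpd_conf FILE: prints one line per finding; returns 1 if any.
audit_snmpd_conf() {
    awk '
        function finding(msg) { n++; print "line " NR ": " msg }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "rocommunity" || $1 == "rwcommunity" {
            if ($2 == "public" || $2 == "private") finding($1 " uses the well-known community \"" $2 "\"")
            # the 3rd word is the allowed source (host or CIDR); absent or
            # "default" means any source may query
            if (NF < 3 || $3 == "default") finding($1 " \"" $2 "\" accepts queries from any source")
        }
        $1 == "agentAddress" {
            # accepted forms: 161, udp:161, udp:0.0.0.0:161, udp:192.0.2.10:161
            k = split($2, a, ":")
            ip = (k == 3) ? a[2] : ""
            if (ip == "" || ip == "0.0.0.0") finding("agentAddress \"" $2 "\" listens on every interface")
        }
        END { exit (n > 0) }
    ' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK_CONF=$WORK/snmpd-weak.conf
FIXED_CONF=$WORK/snmpd-fixed.conf

# constructed: every interface, well-known community, no source restriction
cat >"$WEAK_CONF" <<'EOF'
agentAddress udp:161
rocommunity public
syslocation  "MysqlServer, unit1"
EOF

# constructed: bound to one address, a non-default community limited to the
# management subnet
cat >"$FIXED_CONF" <<'EOF'
agentAddress udp:192.0.2.10:161
rocommunity  mon-ro-7f3a 192.0.2.0/24
syslocation  "MysqlServer, unit1"
EOF

audit_snmpd_conf "$WEAK_CONF" || echo "weak config: see findings above"
if audit_snmpd_conf "$FIXED_CONF"; then echo "fixed config: OK"; fi
```

Run it against /etc/snmp/snmpd.conf after editing; the post's own rocommunity line is scoped to 192.0.0.0/24, so only the community name would be reported.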

CentOS: Yum behind a proxy

Wednesday, November 2nd, 2011

If your servers are behind a proxy and you need to provide a username and password for the proxy server, then configure yum.conf with the syntax below (the yum.conf key is proxy=):

proxy=http://proxyaddress:port/
proxy_username=username
proxy_password=password

If you don't need to provide a username and password for the proxy server, then:

proxy=http://proxyserveraddress:port/

Also add the lines below to your .bashrc file:

http_proxy="http://proxyserveraddress:3128"
export http_proxy

CentOS: How to add a newly created logical volume to fstab

Wednesday, November 2nd, 2011

When you create a logical volume, you need to add it to the /etc/fstab file for it to stay mounted when the server reboots.
Suppose you have created a logical volume like below:

 
 lvdisplay
  --- Logical volume ---
  LV Name                /dev/POSREP-DB/DB
  VG Name                POSREP-DB
  LV UUID                0IEKZw-tEoI-jJWt-OGXT-F0B7-hEic-hCbteW
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                1.17 GB
  Current LE             300
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:2

Now set a label on the volume's filesystem with the following command:

# e2label /dev/POSREP-DB/DB  DB

Now add this line to /etc/fstab:

LABEL=DB                /DB                     ext3    defaults        0 1

Finally, create the mount point with the command below:

mkdir /DB

Now if you reboot the server, the logical volume will be mounted automatically on /DB.

Linux: How to set up OpenVPN in CentOS or Debian

Sunday, May 1st, 2011

In Debian

apt-get install openvpn

In CentOS

yum install openvpn

Create certificates in Debian

(a) The default directory for easy-rsa certificates is "/usr/share/doc/openvpn/examples/easy-rsa/2.0/". Copy that directory into /etc/openvpn and change into the copy:

# cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/
# cd /etc/openvpn/easy-rsa/2.0/

(b) Now we will create the certificate for the CA:

# . ./vars
# ./clean-all
# ./build-ca

(c) Then we will create the certificate for the server:

# ./build-key-server server

(d) Then we will create the certificate for the client:

# ./build-key client

(e) We will build the Diffie-Hellman parameters:

# ./build-dh

(f) Now all the keys should be in the keys/ directory:

# cd /etc/openvpn/easy-rsa/2.0/keys/
# ls -al
ca.key ca.crt server.key server.csr server.crt client.key client.crt client.csr

Note:
Now we have the keys and certificates, so we will send them to the clients that want to connect to the OpenVPN server. Just be sure that:

ca.key -> only on the CA server

client.crt -> only on the client

client.key -> only on the client

server.crt -> only on the OpenVPN server

server.key -> only on the OpenVPN server

ca.crt -> on the CA server, the OpenVPN server and all of the clients.

OpenVPN server file configuration (in Debian):

(a) Create the file /etc/openvpn/server.conf
# vim /etc/openvpn/server.conf

and paste the following:

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
 
#Note:
#(it should be a network that you DONT currently use)
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#Note
#(whatever the network is that you want the VPN client to connect to)
push "route 192.168.2.0 255.255.255.0"
#push "redirect-gateway def1"
push "dhcp-option DNS 192.168.2.1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3

Now restart the OpenVPN server

/etc/init.d/openvpn restart

Make sure the firewall forwards port 1194 to your OpenVPN server.
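An added example, not part of the original post: a sh check for the file layout that server.conf above points at. It reads the ca, cert, key and dh directives, verifies the files exist, requires the server's private key to be mode 600, and reports a ca.key sitting next to server.key, which the note above says belongs on the CA host only. The directories, file names and contents it creates are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: check the files an OpenVPN
# server.conf refers to. Paths and contents below are constructed; the
# directives read (ca, cert, key, dh) are the ones the post's server.conf uses.

# check_openvpn_server CONF: prints one line per finding; returns 1 if any.
check_openvpn_server() {
    conf=$1; rc=0
    for opt in ca cert key dh; do
        # the directive's second word is the file path
        path=$(awk -v o="$opt" '$1 == o { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "$opt: not set in $conf"; rc=1; continue
        fi
        if [ ! -f "$path" ]; then
            echo "$opt: $path does not exist"; rc=1; continue
        fi
        if [ "$opt" = key ]; then
            # the server's private key must not be group/world readable
            mode=$(stat -c %a "$path")
            case "$mode" in
                600|400) ;;
                *) echo "key: $path is mode $mode, expected 600"; rc=1 ;;
            esac
            # the CA's private key (ca.key) belongs on the CA host only
            if [ -e "$(dirname "$path")/ca.key" ]; then
                echo "key: ca.key is stored beside $path, move it off the VPN server"; rc=1
            fi
        fi
    done
    return $rc
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# constructed: correct layout, only the server-side material present
GOOD_KEYS=$WORK/good/keys; mkdir -p "$GOOD_KEYS"
for f in ca.crt server.crt server.key dh1024.pem; do echo "placeholder" >"$GOOD_KEYS/$f"; done
chmod 600 "$GOOD_KEYS/server.key"
GOOD_CONF=$WORK/good/server.conf
cat >"$GOOD_CONF" <<EOF
port 1194
proto udp
dev tun
ca $GOOD_KEYS/ca.crt
cert $GOOD_KEYS/server.crt
key $GOOD_KEYS/server.key
dh $GOOD_KEYS/dh1024.pem
EOF

# constructed: world-readable key, ca.key left on the server, dh file missing
BAD_KEYS=$WORK/bad/keys; mkdir -p "$BAD_KEYS"
for f in ca.crt ca.key server.crt server.key; do echo "placeholder" >"$BAD_KEYS/$f"; done
chmod 644 "$BAD_KEYS/server.key"
BAD_CONF=$WORK/bad/server.conf
sed "s#$GOOD_KEYS#$BAD_KEYS#" "$GOOD_CONF" >"$BAD_CONF"

if check_openvpn_server "$GOOD_CONF"; then echo "good layout: OK"; fi
check_openvpn_server "$BAD_CONF" || echo "bad layout: see findings above"
```

Run check_openvpn_server /etc/openvpn/server.conf before restarting the service; it reads the config and stats the files, nothing more.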

Linux: Mutt (how to attach a file from the command line)

Wednesday, January 5th, 2011

If you want to attach a file in mutt from the command line:

 echo "Body of email" | mutt -a attach.txt -s "subject" user@gmail.com

-a: provide the full path of the attachment.

Linux: How to exclude packages from yum update

Tuesday, January 4th, 2011

If you want to exclude packages from yum update, you can use the --exclude option as below:

 yum update --exclude=openssl,openssl-devel,bind,bind-chroot,bind-utils,bind-libs

Or

 yum update --exclude=openssl --exclude=openssl-devel --exclude=bind --exclude=bind-chroot --exclude=bind-utils --exclude=bind-libs

Or

Linux: How to configure sendmail to receive email (basic steps)

Monday, December 13th, 2010

Ref: http://www.sendmail.org/tips/virtualHosting

(a) Edit /etc/mail/sendmail.mc and modify the line below; this allows sendmail to receive email from outside localhost.

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
to
 
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

(b) Edit /etc/mail/virtusertable; this maps virtual addresses to real addresses:

joe@yourdomain.com jschmoe

Here sendmail will receive the email, and any email coming to the address joe@yourdomain.com will be delivered to jschmoe's inbox.

(c) Edit /etc/mail/local-host-names and insert the domain names. This gives sendmail the list of domains for which it may accept mail:

fosiul.com
domain1.com
domain2.com

(d) Now restart sendmail

service sendmail restart

(e) Open port 25 in your firewall or iptables.

Linux: How to configure a centralized yum repo server (CentOS)

Friday, November 26th, 2010

A local yum repository is used on the local network to make sure that all your servers have the same RPMs, for benchmarking and patching purposes. It also saves bandwidth, because all the RPMs are stored on one server (the central repo server) and the rest of the servers install them from the local repo server, so they don't have to download from a public mirror.

To create a central repo server you will need an Apache server.

In our organization I created the yum server directory (for 64-bit servers) under
/usr/local/apache/htdocs/install/centos64/
but you can choose any directory.

Building the Base Repository:

Step 1: Copy all content from the CD/DVD to the repository directory

Copy all the files and directories from the CentOS 5.5 DVD or CDs into /usr/local/apache/htdocs/install/centos64/
Your directory should then look like this:

[root@controlserver1 centos64]# ls
CentOS                 RELEASE-NOTES-de.html     RELEASE-NOTES-nl
EULA                   RELEASE-NOTES-en          RELEASE-NOTES-nl.html
GPL                    RELEASE-NOTES-en.html     RELEASE-NOTES-pt_BR
images                 RELEASE-NOTES-en_US       RELEASE-NOTES-pt_BR.html
isolinux               RELEASE-NOTES-en_US.html  RELEASE-NOTES-ro
kicks                  RELEASE-NOTES-es          RELEASE-NOTES-ro.html
ks.cfg                 RELEASE-NOTES-es.html     repodata
NOTES                  RELEASE-NOTES-fr          RPM-GPG-KEY-beta
RELEASE-NOTES-cs       RELEASE-NOTES-fr.html     RPM-GPG-KEY-CentOS-5
RELEASE-NOTES-cs.html  RELEASE-NOTES-ja          TRANS.TBL
RELEASE-NOTES-de       RELEASE-NOTES-ja.html

As you can see, the CentOS directory has all the RPMs, so I decided to make the CentOS directory my centralized yum directory.

For a centralized yum repository I need to create the RPM headers for the base repository, so execute the command below.

Step 2: Create the base repository headers

createrepo /usr/local/apache/htdocs/install/centos64/CentOS

The command above creates a repodata directory under the CentOS directory; it should look like this:

[root@controlserver1 CentOS]# cd repodata/
[root@controlserver1 repodata]# pwd
/usr/local/apache/htdocs/install/centos64/CentOS/repodata
[root@controlserver1 repodata]# ls -al
total 14252
drwxr-xr-x 2 root root    4096 Nov 26 15:20 .
drwxr-xr-x 3 root root  221184 Nov 26 15:20 ..
-rw-r--r-- 1 root root 3373682 Nov 26 15:20 filelists.xml.gz
-rw-r--r-- 1 root root 9813890 Nov 26 15:20 other.xml.gz
-rw-r--r-- 1 root root 1144150 Nov 26 15:20 primary.xml.gz
-rw-r--r-- 1 root root     951 Nov 26 15:20 repomd.xml
[root@controlserver1 repodata]#

Building the repository for updating yum packages

Step 3: Create a directory called updates

[root@controlserver1 centos64]# pwd
/usr/local/apache/htdocs/install/centos64
[root@controlserver1 centos64]# mkdir updates

So it should be like this

[root@controlserver1 centos64]# pwd
/usr/local/apache/htdocs/install/centos64
[root@controlserver1 centos64]# ls
CentOS                 RELEASE-NOTES-de.html     RELEASE-NOTES-nl
EULA                   RELEASE-NOTES-en          RELEASE-NOTES-nl.html
GPL                    RELEASE-NOTES-en.html     RELEASE-NOTES-pt_BR
images                 RELEASE-NOTES-en_US       RELEASE-NOTES-pt_BR.html
isolinux               RELEASE-NOTES-en_US.html  RELEASE-NOTES-ro
kicks                  RELEASE-NOTES-es          RELEASE-NOTES-ro.html
ks.cfg                 RELEASE-NOTES-es.html     repodata
NOTES                  RELEASE-NOTES-fr          RPM-GPG-KEY-beta
RELEASE-NOTES-cs       RELEASE-NOTES-fr.html     RPM-GPG-KEY-CentOS-5
RELEASE-NOTES-cs.html  RELEASE-NOTES-ja          TRANS.TBL
RELEASE-NOTES-de       RELEASE-NOTES-ja.html     updates

Step 4: Select an rsync mirror to download from
Select any mirror from here:
http://www.centos.org/modules/tinycontent/index.php?id=31

Step 5 : Rsync the updates-released repository

 rsync -avrt rsync://rsync.mirrorservice.org/mirror.centos.org/5.5/updates/x86_64/RPMS/ --exclude=debug/ /usr/local/apache/htdocs/install/centos64/updates/

It will download all the RPMs from the listed mirror into my updates directory.

Step 6: Rsync the repodata

Go into the updates directory and download all the contents of repodata.

[root@controlserver1 updates]# pwd
/usr/local/apache/htdocs/install/centos64/updates
[root@controlserver1 updates]#
 
rsync -avrt rsync://rsync.mirrorservice.org/mirror.centos.org/5.5/updates/x86_64/repodata --exclude=debug/ /usr/local/apache/htdocs/install/centos64/updates/

Step 7: Edit the yum configuration

Create a repo file under your /etc/yum.repos.d directory.

[root@mysqlcluster2 yum.repos.d]# pwd
/etc/yum.repos.d
[root@mysqlcluster2 yum.repos.d]# ls
CentOS-Base.repo CentOS-Media.repo local.repo
[root@mysqlcluster2 yum.repos.d]

And disable the other repos by setting enabled=0, for example:
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

Insert the lines below into the local.repo file

[base-local]
name=Centos $releasever - $basearch
failovermethod=priority
baseurl=http://10.0.0.55/centos64/CentOS/
enabled=1
gpgcheck=0
 
[updates-local]
name=Centos $releasever - $basearch - Updates
failovermethod=priority
baseurl=http://10.0.0.55/centos64/updates/
enabled=1
gpgcheck=0

Now try the yum command

 yum clean all
Loaded plugins: fastestmirror
Cleaning up Everything
Cleaning up list of fastest mirrors
[root@mysqlcluster2 /]# yum update
Loaded plugins: fastestmirror
Determining fastest mirrors
base-local                                               |  951 B     00:00
base-local/primary                                       | 1.1 MB     00:00
base-local                                                            3186/3186
updates-local                                            | 1.9 kB     00:00
updates-local/primary_db                                 | 1.0 MB     00:00
Setting up Update Process

Centralized local repository is done!
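An added example, not part of the original post: an awk-based audit of .repo files for repositories that are enabled but have gpgcheck=0. With signature checking off, yum installs whatever the repo server serves, and since the baseurl above is plain http, whatever anyone between the client and 10.0.0.55 serves. The first sample mirrors the local.repo above; the second is a constructed hardened version that turns gpgcheck on and points gpgkey at the CentOS key path used by the page's own centosplus section.

```shell
#!/bin/sh
# Added example, not part of the original post: flag enabled yum repos that
# skip signature checks. The .repo files below are constructed.

# audit_repo_file FILE: prints one line per finding; returns 1 if any.
# A section with no enabled= line counts as enabled (yum's default); a
# section with no gpgcheck= line inherits [main] and is not flagged here.
audit_repo_file() {
    awk '
        function flush() {
            if (sect != "" && enabled != "0" && gpgcheck == "0") {
                n++; print sect ": enabled with gpgcheck=0 (packages are installed without signature checks)"
            }
            enabled = ""; gpgcheck = ""
        }
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        /^\[/ { flush(); sect = substr($0, 2, index($0, "]") - 2); next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[[:space:]]/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpgcheck = val
        }
        END { flush(); exit (n > 0) }
    ' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK_REPO=$WORK/local.repo
FIXED_REPO=$WORK/local-signed.repo

# constructed: the post's local.repo as written
cat >"$WEAK_REPO" <<'EOF'
[base-local]
name=Centos $releasever - $basearch
failovermethod=priority
baseurl=http://10.0.0.55/centos64/CentOS/
enabled=1
gpgcheck=0

[updates-local]
name=Centos $releasever - $basearch - Updates
failovermethod=priority
baseurl=http://10.0.0.55/centos64/updates/
enabled=1
gpgcheck=0
EOF

# constructed: the same repos with signature checking on, using the CentOS
# key that the DVD copy ships (RPM-GPG-KEY-CentOS-5) as installed on clients
cat >"$FIXED_REPO" <<'EOF'
[base-local]
name=Centos $releasever - $basearch
baseurl=http://10.0.0.55/centos64/CentOS/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[updates-local]
name=Centos $releasever - $basearch - Updates
baseurl=http://10.0.0.55/centos64/updates/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
EOF

audit_repo_file "$WEAK_REPO" || echo "local.repo: see findings above"
if audit_repo_file "$FIXED_REPO"; then echo "local-signed.repo: OK"; fi
```

Loop it over /etc/yum.repos.d/*.repo on each client; the mirrored DVD already carries RPM-GPG-KEY-CentOS-5, so the hardened form costs nothing extra.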

Linux: How to install vncserver

Monday, November 15th, 2010

Ref: http://wiki.centos.org/HowTos/VNC-Server

(a) Install the vnc-server package

yum install vnc-server

(b) Create your VNC users

useradd user1

(c) Set your users' VNC passwords:
Log in as each user and run vncpasswd. This will create a .vnc directory.

vncpasswd

(d) Edit the server configuration
Edit /etc/sysconfig/vncservers and add the following to the end of the file.

VNCSERVERS="2:root 3:user1"
VNCSERVERARGS[2]="-geometry 640x480"
VNCSERVERARGS[3]="-geometry 640x480"

(e) Create the xstartup scripts by starting the server

 /sbin/service vncserver start

(f) Edit xstartup
Go to each user's home directory and edit the xstartup file

cd /root/.vnc
 vi xstartup
Uncomment the two lines below:
 unset SESSION_MANAGER
 exec /etc/X11/xinit/xinitrc

xstartup file should be like this

#!/bin/sh
( while true ; do xterm ; done ) &
 
# Uncomment the following two lines for normal desktop:
 unset SESSION_MANAGER
 exec /etc/X11/xinit/xinitrc
 
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &

(g) Restart vncserver

service vncserver restart

How to run Perl/Python scripts from a Linux Apache server

Thursday, September 2nd, 2010

For httpd.conf (in /usr/local/apache/conf if you compiled from source, or /etc/httpd/conf if you installed with yum):

ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"

If you want to run CGI scripts under your own domain, for example www.fosiul.com/cgi-bin/test.cgi, do as below:

<VirtualHost *:80>
ServerAdmin fosiul@example.co.uk
DocumentRoot /usr/local/apache/htdocs/example/
ServerName www.example.co.uk
ServerAlias example.co.uk
......................................
......................................

<Directory "/usr/local/apache/htdocs/example/">
Options FollowSymLinks ExecCGI
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory "/usr/local/apache/htdocs/example/cgi-bin/">
        Order deny,allow
        Allow from all
        # If you only want to run CGI scripts from certain IPs, remove "Allow from all"
        # and enable "Deny from all" together with an "Allow from" line for those IPs:
        #Deny from all
        #Allow from xx.xx.xx.xx
</Directory>

ScriptAlias /cgi-bin/ /usr/local/apache/htdocs/example/cgi-bin/
</VirtualHost>

Now create the directory /usr/local/apache/htdocs/example/cgi-bin
and create a CGI script (test.cgi):

#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;
my $cgi = CGI->new;
print $cgi->header;
print $cgi->start_html('test world');
print $cgi->h1('Hello test');
print $cgi->li('list');
print $cgi->end_html();

Run this CGI script: http://www.example.co.uk/cgi-bin/test.cgi

How to run Python as a CGI script

Create a CGI script (testpy.cgi) as below to run Python:

#!/usr/bin/python
# print adds its own newline, so one "\n" produces the blank line that ends the headers
print "Content-Type: text/plain\n"
print "Hello, World!"

Now run this script as www.example.co.uk/cgi-bin/testpy.cgi

Linux: How to configure/secure a public primary/secondary BIND DNS server

Wednesday, September 1st, 2010

Localhost resolver:
(a) Install bind

yum install bind bind-chroot bind-devel

(b) Copy named.conf and the related files from /usr/share/doc/bind-9.3.6/sample/etc/

cp /usr/share/doc/bind-9.3.6/sample/etc/* /var/named/chroot/etc/

(c) The files in /var/named/chroot/etc are as below:

[root@publicdns1 etc]# ls
localtime   named.rfc1912.zones  rndc.conf
named.conf  named.root.hints     rndc.key

Check the ownership of the files. Ownership should be root:named as below:

[root@publicdns1 etc]# pwd
/var/named/chroot/etc
[root@publicdns1 etc]# ls -al
total 64
drwxr-x--- 2 root named 4096 Aug 28 13:38 .
drwxr-x--- 6 root named 4096 Aug 28 13:37 ..
-rw-r--r-- 1 root root  3661 Aug 24 12:53 localtime
-rw-r--r-- 1 root named 5299 Aug 28 13:38 named.conf
-rw-r--r-- 1 root named  775 Aug 28 12:20 named.rfc1912.zones
-rw-r--r-- 1 root named  524 Aug 28 12:20 named.root.hints
-rw-r--r-- 1 root named    0 Aug 28 12:20 rndc.conf
-rw-r----- 1 root named  113 Aug 28 12:12 rndc.key
[root@publicdns1 etc]#

If the ownership is not right, change it as follows:

chown root:named named.conf  named.rfc1912.zones named.root.hints rndc.conf  rndc.key

(d) Copy named.root into the /var/named/chroot/var/named directory

cp /usr/share/doc/bind-9.3.6/sample/var/named/named.root  /var/named/chroot/var/named/

The files are:

[root@publicdns1 named]# ls
data  domain.co.uk.zone  named.root  slaves
[root@publicdns1 named]#

(e) To allow internal PCs to resolve DNS queries and internal host names, we work on the view "localhost_resolver" section as below:

view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver (caching only nameserver).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
        match-clients           { localhost;10.0.0.0/24; };
        match-destinations      { localhost;10.0.0.0/24; };
        recursion yes;
        # all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * ONLY be served to localhost clients:
         */
        include "/etc/named.rfc1912.zones";
};

Note: all the internal zone information is placed in the named.rfc1912.zones file.

(f) Now edit named.rfc1912.zones, which is located in /var/named/chroot/etc, and enter the lines below:

zone "internaldomain.local" IN {
        type master;
        file "internaldomain.local.zone";
};

So the edited named.rfc1912.zones file looks like this:

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
//zone "." IN {
//      type hint;
//      file "named.ca";
//};
zone "internaldomain.local" IN {
 
        type master;
        file "internaldomain.local.zone";
 
};
 
zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};
 
zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};
 
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};
 
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};
 
zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};
 
zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
};

(g) Create a zone file internaldomain.local.zone in /var/named/chroot/var/named like below:

$TTL    86400
@                   IN SOA  @ root (
                                        42      ; serial (d. adams)
                                        3H      ; refresh
                                        15M     ; retry
                                        1W      ; expiry
                                        1D )    ; minimum

                    IN NS       internaldns
                    IN MX   10  internalmailserver
                    IN A        10.0.0.20
internaldns         IN A        10.0.0.9
Account             IN A        10.0.0.6
internalmailserver  IN A        10.0.0.10
www                 IN A        10.0.0.20

Note: make sure the ownership is as below or bind will not be able to read it.

chown root:named internaldomain.local.zone

Primary server:

(A) Create zone entries in named.conf
Since this server will work as a public DNS server, we create the zone entries for example.co.uk under the external view.

view    "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
        match-clients           { any; };
        match-destinations      { any; };
 
        recursion no;
        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers
 
    allow-query-cache { none; };
        // Disable lookups for any cached data and root hints
 
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
 
        ### Add authoritative zone for example.co.uk #######
        zone "example.co.uk" IN {
        type master;
        file "example.co.uk.zone";
        allow-update { none; };
        allow-transfer { 22.33.44.55; }; // only this host (the secondary) may transfer the zone from this master
 
};
 
};

Secondary server:

Follow every step from the beginning. We just need to change named.conf to allow the slave to download the zone file and its updates from the master server.

view    "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
        match-clients           { any; };
        match-destinations      { any; };
 
        recursion no;
        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers
 
    allow-query-cache { none; };
        // Disable lookups for any cached data and root hints
 
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
 
        ### Add authoritative zone for example.co.uk #######
        zone "example.co.uk" IN {
        type slave;
        file "slaves/example.co.uk.zone";
        masters { 55.55.55.55 ;};
};
 
};

Full named.conf file for the primary name server (public + localhost resolver):

 cat named.conf
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
        // Those options should be used carefully because they disable port
        // randomization
        // query-source    port 53;
        // query-source-v6 port 53;
 
        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
 
};
logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver (caching only nameserver).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
        match-clients           { localhost;10.0.0.0/24; };
        match-destinations      { localhost;10.0.0.0/24; };
        recursion yes;
        # all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * ONLY be served to localhost clients:
         */
        include "/etc/named.rfc1912.zones";
};
view    "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
        match-clients           { any; };
        match-destinations      { any; };
 
        recursion no;
        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers
 
        allow-query-cache { none; };
        // Disable lookups for any cached data and root hints
 
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
 
        zone "example.co.uk" IN {
        type master;
        file "example.co.uk.zone";
        allow-update { none; };
        allow-transfer { 22.33.44.55; }; // only this host (the secondary) may transfer the zone from this master
 
};
 
};

Full named.conf for the public slave server:

 cat named.conf
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
        // Those options should be used carefully because they disable port
        // randomization
        // query-source    port 53;
        // query-source-v6 port 53;
 
        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
 
};
logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver (caching only nameserver).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
        match-clients           { localhost;10.0.0.0/24; };
        match-destinations      { localhost;10.0.0.0/24; };
        recursion yes;
        # all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * ONLY be served to localhost clients:
         */
        include "/etc/named.rfc1912.zones";
};
view    "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
        match-clients           { any; };
        match-destinations      { any; };
 
        recursion no;
        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers
 
        allow-query-cache { none; };
        // Disable lookups for any cached data and root hints
 
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";
 
        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
 
        zone "example.co.uk" IN {
        type slave;
        file "slaves/example.co.uk.zone";
        masters { 55.55.55.55 ;};
};
 
};

Securing the name server:
(a) Don't end up providing free DNS service for everyone: turn recursion off for untrusted clients

options {
     recursion no;
};

(b) Don't fetch glue records (fetch-glue is a BIND 8 option; BIND 9 never fetches glue and treats the option as obsolete)

options {
      fetch-glue no;
};

(c) Allow zone transfers only from a specific host

 ### Add authoritative zone for example.co.uk #######
        zone "example.co.uk" IN {
        type master;
        file "example.co.uk.zone";
        allow-update { none; };
        allow-transfer { 22.33.44.55; };   // only this host may pull a zone transfer (AXFR) from this master
        };

(d) Don't disclose the BIND version

options {
     version "Not disclosed";
};
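An added check for these four points, not part of the original post: a small shell audit that reads a named.conf fragment and reports which of the hardening settings above are missing. The two sample configurations are constructed inline; the only assumption is that each setting sits on its own line, as in the snippets above.

```sh
#!/bin/sh
# Added example: audit a named.conf fragment for the four hardening points
# discussed above (recursion, fetch-glue, allow-transfer, version).
# The sample configs below are constructed for illustration.

# audit_named_conf FILE -> prints one "OK:"/"WARN:" line per check
audit_named_conf() {
    conf="$1"
    # strip // and # comments so a commented-out setting does not count
    body=$(sed -e 's|//.*||' -e 's|#.*||' "$conf")

    if printf '%s\n' "$body" | grep -Eq 'recursion[[:space:]]+no[[:space:]]*;'; then
        echo "OK: recursion disabled"
    else
        echo "WARN: recursion not disabled (open resolver for every client of this view)"
    fi

    if printf '%s\n' "$body" | grep -Eq 'fetch-glue[[:space:]]+no[[:space:]]*;'; then
        echo "OK: fetch-glue disabled"
    else
        echo "WARN: fetch-glue not set to no"
    fi

    # allow-transfer must be present and must not contain "any"
    if printf '%s\n' "$body" | grep -Eq 'allow-transfer[[:space:]]*\{[^}]*any[[:space:]]*;'; then
        echo "WARN: allow-transfer permits any host"
    elif printf '%s\n' "$body" | grep -Eq 'allow-transfer[[:space:]]*\{'; then
        echo "OK: allow-transfer restricted"
    else
        echo "WARN: allow-transfer not set (older BIND defaults to any host)"
    fi

    if printf '%s\n' "$body" | grep -Eq 'version[[:space:]]+"[^"]*"[[:space:]]*;'; then
        echo "OK: version string overridden"
    else
        echo "WARN: real BIND version will be disclosed"
    fi
}

# count_warnings FILE -> number of WARN lines
count_warnings() {
    audit_named_conf "$1" | grep -c '^WARN'
}

# Constructed sample 1: the hardened fragments from the post, combined
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
options {
    recursion no;
    fetch-glue no;
    version "Not disclosed";
};
zone "example.co.uk" IN {
    type master;
    file "example.co.uk.zone";
    allow-update { none; };
    allow-transfer { 22.33.44.55; };
};
EOF

# Constructed sample 2: a weak config (version line is commented out)
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
options {
    recursion yes;
    // version "Not disclosed";
};
zone "example.co.uk" IN {
    type master;
    file "example.co.uk.zone";
    allow-transfer { any; };
};
EOF

audit_named_conf "$HARD_CONF"
echo "warnings in weak config: $(count_warnings "$WEAK_CONF")"
```

Run it as audit_named_conf /etc/named.conf on a real server after named-checkconf has accepted the syntax; the script checks policy only, not syntax.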

Linux: How to configure logrotate for ModSecurity (source install)

Monday, April 26th, 2010

Problem: When you install ModSecurity from source, logrotate will not rotate its log files by default, because their paths are not listed in any logrotate configuration file. To have logrotate handle your ModSecurity logs, follow these steps:

1. Create a file named modsecurity under /etc/logrotate.d

cd /etc/logrotate.d/
touch modsecurity

2. Copy and paste the lines below into it

# Below is my ModSecurity audit log (/opt/modsecurity/var/log/audit.log)
 
/opt/modsecurity/var/log/audit.log {
    missingok
    notifempty
    postrotate
 ##Restart the apache daemon
       /usr/local/apache/bin/apachectl graceful > /dev/null 2>/dev/null || true
    endscript
}

Now you can force a rotation of the log files by running:

 
logrotate -f /etc/logrotate.conf

Linux: How to create multiple OpenVPN instances

Monday, April 26th, 2010

Problem:
How to configure OpenVPN to run multiple instances listening on more than one port (1194, 1195)?
Solution:
You need one OpenVPN configuration file per instance, for example openvpn.conf and openvpn1.conf.

Now you need to give each instance a different port, server IP range, ifconfig-pool-persist file and log file

For openvpn.conf :

port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
log         openvpn.log
log-append  openvpn.log

For openvpn1.conf :

 
port 1195
proto tcp
dev tun
server 192.168.1.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/config2/ipp.txt
log         /etc/openvpn/config2/openvpn.log
log-append  /etc/openvpn/config2/openvpn.log

Now start the OpenVPN daemon with these two config files separately

shell> openvpn --config /etc/openvpn/openvpn.conf &
shell> openvpn --config /etc/openvpn/openvpn1.conf &

Or add these lines to /etc/rc.local so that the instances start automatically when the computer reboots.

Now the ifconfig output will show two tunnel interfaces:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
 
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.1.1  P-t-P:192.168.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
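The settings that must differ between instances are easy to get wrong when the second config is made by copying the first. The check below is an added example (not the post's own code): it reads two OpenVPN server configs and reports any of port, server, ifconfig-pool-persist, log or log-append that are identical in both. The two configs are the ones from the post, recreated inline as constructed samples.

```sh
#!/bin/sh
# Added example: detect per-instance settings that collide between two
# OpenVPN server configs. Sample configs are constructed from the post.

# conf_value FILE KEY -> value of the first matching directive
conf_value() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# openvpn_conflicts CONF_A CONF_B -> prints one CONFLICT line per clashing
# directive; returns 0 if none clash, 1 otherwise
openvpn_conflicts() {
    a="$1"; b="$2"; rc=0
    for key in port server ifconfig-pool-persist log log-append; do
        va=$(conf_value "$a" "$key")
        vb=$(conf_value "$b" "$key")
        # a directive missing from either file cannot clash
        [ -z "$va" ] || [ -z "$vb" ] && continue
        if [ "$va" = "$vb" ]; then
            echo "CONFLICT: $key is '$va' in both $a and $b"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples: the two configs from the post
A=$(mktemp)
cat > "$A" <<'EOF'
port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
log         openvpn.log
log-append  openvpn.log
EOF
B=$(mktemp)
cat > "$B" <<'EOF'
port 1195
proto tcp
dev tun
server 192.168.1.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/config2/ipp.txt
log         /etc/openvpn/config2/openvpn.log
log-append  /etc/openvpn/config2/openvpn.log
EOF
# A careless copy of A where only the port was changed
C=$(mktemp)
sed 's/^port 1194/port 1196/' "$A" > "$C"

if openvpn_conflicts "$A" "$B"; then
    echo "openvpn.conf and openvpn1.conf can run side by side"
fi
openvpn_conflicts "$A" "$C" || echo "the copied config still collides with the first"
```

The port check is deliberately conservative: it flags equal port numbers even when proto differs (tcp vs udp would not actually collide), since running both on the same number invites confusion in firewall rules and logs.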

Linux: How to use AIDE to check file system integrity

Monday, March 15th, 2010

Installing AIDE:

yum install aide

Creating the database:

aide -c /etc/aide.conf -i
Output: AIDE database at /var/lib/aide/aide.db.new.gz initialized.
This process creates a new file, aide.db.new.gz, in /var/lib/aide/. You must rename this file to aide.db.gz, which is the name AIDE reads the database from.

Testing AIDE:

aide -c /etc/aide.conf -C
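The rename step above is where the baseline is easy to lose: overwriting aide.db.gz discards the previous reference, and nothing protects the database itself from being edited. The helper below is an added example (not from the post or the AIDE project): it promotes aide.db.new.gz to aide.db.gz, keeps the old baseline with a timestamp, and records a SHA-256 of the new one so a changed baseline can be noticed. The directory defaults to the /var/lib/aide path used above; the demo run works on a temporary directory with a constructed file.

```sh
#!/bin/sh
# Added example: promote a freshly initialised AIDE database safely.
# Real use (requires aide installed; paths from the post):
#   aide -c /etc/aide.conf -i && aide_promote_db /var/lib/aide
#   aide -c /etc/aide.conf -C

# aide_promote_db DIR -> 0 on success, 1 if there is no new database
aide_promote_db() {
    dir="${1:-/var/lib/aide}"
    new="$dir/aide.db.new.gz"
    cur="$dir/aide.db.gz"
    [ -f "$new" ] || { echo "no $new to promote" >&2; return 1; }
    # keep the previous baseline instead of silently overwriting it
    if [ -f "$cur" ]; then
        mv "$cur" "$cur.$(date +%Y%m%d%H%M%S).bak"
    fi
    mv "$new" "$cur"
    # record the checksum of the baseline; keep a copy of this off-host
    sha256sum "$cur" | awk '{print $1}' > "$cur.sha256"
}

# aide_db_intact DIR -> 0 if aide.db.gz still matches its recorded checksum
aide_db_intact() {
    dir="${1:-/var/lib/aide}"
    cur="$dir/aide.db.gz"
    [ -f "$cur.sha256" ] || return 1
    [ "$(sha256sum "$cur" | awk '{print $1}')" = "$(cat "$cur.sha256")" ]
}

# Constructed demo: a temp dir standing in for /var/lib/aide
DEMO=$(mktemp -d)
printf 'constructed baseline\n' > "$DEMO/aide.db.new.gz"
aide_promote_db "$DEMO" && echo "promoted baseline in $DEMO"
aide_db_intact "$DEMO" && echo "baseline checksum verified"
```

Run aide_db_intact before every aide -C: a check against a baseline that has itself been altered proves nothing.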

Linux: How to confirm 64-bit/32-bit capability of the CPU

Wednesday, February 17th, 2010

How many CPUs are in the system:

command: cat /proc/cpuinfo

 
[root@server ~]# cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 15
model           : 4
model name      : Intel(R) Xeon(TM) CPU 3.40GHz
stepping        : 3
cpu MHz         : 3401.008
cache size      : 2048 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 1
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm constant_tsc pni monitor ds_cpl est cid xtpr
bogomips        : 6805.07
 
processor       : 1
vendor_id       : GenuineIntel
cpu family      : 15
model           : 4
model name      : Intel(R) Xeon(TM) CPU 3.40GHz
stepping        : 3
cpu MHz         : 3401.008
cache size      : 2048 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 1
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm constant_tsc pni monitor ds_cpl est cid xtpr
bogomips        : 6799.15
 
processor       : 2
vendor_id       : GenuineIntel
cpu family      : 15
model           : 4
model name      : Intel(R) Xeon(TM) CPU 3.40GHz
stepping        : 3
cpu MHz         : 3401.008
cache size      : 2048 KB
physical id     : 3
siblings        : 2
core id         : 3
cpu cores       : 1
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm constant_tsc pni monitor ds_cpl est cid xtpr
bogomips        : 6799.30
 
processor       : 3
vendor_id       : GenuineIntel
cpu family      : 15
model           : 4
model name      : Intel(R) Xeon(TM) CPU 3.40GHz
stepping        : 3
cpu MHz         : 3401.008
cache size      : 2048 KB
physical id     : 3
siblings        : 2
core id         : 3
cpu cores       : 1
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm constant_tsc pni monitor ds_cpl est cid xtpr
bogomips        : 6799.40
 
[root@server ~]#

From the example above there are 4 processors in the system [processor 0 ... processor 3]

also:

shortcut: cat /proc/cpuinfo | grep processor
processor       : 0
processor       : 1
processor       : 2
processor       : 3


How to find out if the processors are 64-bit or 32-bit

In the output of cat /proc/cpuinfo, look at the flags line; if it contains the flag lm (long mode), the processor is 64-bit.

Shortcut command:
grep flags /proc/cpuinfo

output :

[root@server ~]# grep flags /proc/cpuinfo
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm constant_tsc pni monitor ds_cpl est cid xtpr
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm constant_tsc pni monitor ds_cpl est cid xtpr
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm constant_tsc pni monitor ds_cpl est cid xtpr
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm constant_tsc pni monitor ds_cpl est cid xtpr

From the output above, all four processors have the lm flag, which means they are 64-bit processors.
If you do not see the lm flag, it is a 32-bit processor.
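The same test as a script, added here and not part of the original post: it counts processors and reports 64bit only if every flags line carries lm as a whole word (a substring match would be wrong, so the flag list is split and compared exactly). Pass /proc/cpuinfo on a live host; the file used below is a constructed two-processor sample.

```sh
#!/bin/sh
# Added example: parse a cpuinfo file for processor count and long-mode support.

# cpu_count FILE -> number of "processor" entries
cpu_count() {
    grep -c '^processor[[:space:]]*:' "$1"
}

# cpu_is_64bit FILE -> prints "64bit" if every flags line has lm, else "32bit"
cpu_is_64bit() {
    awk '
        /^flags[[:space:]]*:/ {
            n++
            found = 0
            # compare each flag exactly; "flags" and ":" never equal "lm"
            for (i = 1; i <= NF; i++) if ($i == "lm") found = 1
            if (!found) missing++
        }
        END { print (n > 0 && missing == 0) ? "64bit" : "32bit" }
    ' "$1"
}

# Constructed sample: two processors with long mode
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
processor       : 0
vendor_id       : GenuineIntel
flags           : fpu vme de pse tsc msr pae mce cx8 apic sse sse2 ht lm constant_tsc
processor       : 1
vendor_id       : GenuineIntel
flags           : fpu vme de pse tsc msr pae mce cx8 apic sse sse2 ht lm constant_tsc
EOF
# Same sample with lm removed, i.e. a 32-bit-only CPU
SAMPLE32=$(mktemp)
sed 's/ lm / /' "$SAMPLE" > "$SAMPLE32"

echo "$(cpu_count "$SAMPLE") processors, $(cpu_is_64bit "$SAMPLE")"
echo "$(cpu_count "$SAMPLE32") processors, $(cpu_is_64bit "$SAMPLE32")"
```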

How to install apache2-php-mysql from source

Thursday, September 10th, 2009

Prerequisites: yum install gcc-c++ gcc make ncurses-devel openssl-devel glibc* libc-*

Packages required for php: yum install libjpeg-devel libpng-devel curl-devel libmcrypt-devel krb5-devel

Apache Server Installation from Source:
Apache installation directory is: /usr/local/apache
a) Download the Apache source from: http://httpd.apache.org/download.cgi
b) Save the source file in the /tmp directory.
c) I am assuming the source file is httpd-2.2.13.tar.gz
d) cd /tmp
e) tar -xvzf httpd-2.2.13.tar.gz
f) cd httpd-2.2.13

g)

 
./configure  --prefix=/usr/local/apache --with-included-apr --with-php --with-mysql --with-susexec --disable-info --with-mpm=prefork --enable-so --enable-cgi --enable-rewrite --enable-ssl --enable-mime-magic --enable-unique-id --enable-mods-shared="proxy cache ssl all"

h) make
i) make install
j) To start Apache: /usr/local/apache/bin/apachectl start

MySql Server Install from source:

Ref:http://dev.mysql.com/doc/refman/5.1/en/quick-install.html

a) Download mysql-VERSION.tar.gz from
http://dev.mysql.com/downloads/mysql/5.1.html#source

b) shell> groupadd mysql
c) shell> useradd -g mysql mysql
d) shell> gunzip < mysql-VERSION.tar.gz | tar -xvf -
e) shell> cd mysql-VERSION
f)

   ./configure --prefix=/usr/local/mysql --with-ssl --with-plugins=innobase

note: for MySQL 5.1, InnoDB support is added with "--with-plugins=innobase"; for 5.0 it is "./configure --with-innodb"
g) shell> make
h) shell> make install
i) shell> cp support-files/my-medium.cnf /etc/my.cnf
j) shell> cd /usr/local/mysql
k) shell> chown -R mysql .
l) shell> chgrp -R mysql .
m) shell> bin/mysql_install_db --user=mysql
n) shell> chown -R root .
o) shell> chown -R mysql var
p) shell> bin/mysqld_safe --user=mysql &

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
./bin/mysqladmin -u root password 'new-password'

PHP installation from source with GD library support

http://www.php.net/manual/en/install.unix.apache2.php

a) Download the PHP source from here: http://www.php.net/downloads.php
b) Save the source file in the /tmp directory
c) Here I am assuming the PHP version is php-5.3.0.tar.gz
d) tar -xvzf php-5.3.0.tar.gz
e) cd php-5.3.0
f)

./configure --with-apxs2=/usr/local/apache/bin/apxs --with-mysql=/usr/local/mysql --enable-mbstring --with-gd --with-zlib --with-jpeg-dir --with-png-dir --with-openssl --with-curl --with-mcrypt --with-imap --with-imap-ssl --with-kerberos --with-mysqli=/usr/local/mysql/bin/mysql_config

g) make
h) make install
i) setup your php.ini : cp php.ini-dist /usr/local/lib/php.ini

j) In httpd.conf, check for the line below

LoadModule php5_module modules/libphp5.so

k) Add the lines below to httpd.conf so that the .php extension is handled by PHP.
Add the lines below under the directive

Add PHP extension

<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>

<FilesMatch "\.ph(p[2-6]?|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>

l) Stop Apache: /usr/local/apache/bin/apachectl stop
m) Start Apache: /usr/local/apache/bin/apachectl start
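To see exactly which file names the two FilesMatch patterns above hand to PHP, the function below (an added example, not from the post) runs the same regular expressions with grep -E. The file names it is exercised with are constructed.

```sh
#!/bin/sh
# Added example: evaluate the FilesMatch patterns from the httpd.conf
# snippet above against file names, the way Apache would.

PHP_SRC_RE='\.phps$'
PHP_RE='\.ph(p[2-6]?|tml)$'

# php_handler NAME -> "php-source", "php" or "none"
php_handler() {
    name="$1"
    # .phps never matches the second pattern, so evaluation order is irrelevant
    if printf '%s\n' "$name" | grep -Eq "$PHP_SRC_RE"; then
        echo "php-source"
    elif printf '%s\n' "$name" | grep -Eq "$PHP_RE"; then
        echo "php"
    else
        echo "none"
    fi
}

# Constructed file names, including an upload with a double extension
for f in index.php index.php5 page.phtml view.phps avatar.php.jpg app.php7 notes.txt; do
    printf '%-16s -> %s\n' "$f" "$(php_handler "$f")"
done
```

The trailing $ anchor is what keeps an uploaded avatar.php.jpg from being executed (a pattern without it would match). Note also the other direction of the same range: p[2-6]? does not cover .php7, so such a file gets no handler and Apache serves its source as a plain file.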

Note :

(a) configure: error: xml2-config not found. Please check your libxml2 installation. : yum install libxml2-devel

(b) configure: error: libpng.(a|so) not found.
configure: error: libjpeg.(a|so) not found. : yum install libpng-devel libjpeg-devel
(c) Error: configure: error: utf8_mime2text() has new signature, but U8T_CANONICAL is missing
yum install libc-client-devel*
so that yum picks the right rpm for your architecture (32/64-bit)

(d) If you have an older httpd daemon running, stop it first; otherwise the new Apache daemon will throw an error when you start it. Use the command below to make sure no other httpd is running in the background.

ps aux | grep -v grep | grep httpd

If this returns anything, another httpd daemon is running, and you can stop it by executing

service httpd stop

Last Update : 14-09-2010

How to back up a Linux server remotely

Monday, September 7th, 2009

The article below shows how to back up a Linux server remotely using rsync with public-key-based SSH authentication.

To make the backup process automatic we need passwordless authentication, so that no username and password have to be entered before the backup starts.

How to create key-based authentication:

Here are the steps you need to do on the computer that acts as the SSH client:

1) Generate your SSH key pair for the filecopy account. Press Enter each time you are prompted for a passphrase to be associated with the keys (do not enter a passphrase). The example below uses a DSA key, which current OpenSSH releases no longer accept by default; on a modern system use ssh-keygen -t ed25519 instead.

[filecopy@bigboy filecopy]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key
(/filecopy/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in
/filecopy/.ssh/id_dsa.
Your public key has been saved in
/filecopy/.ssh/id_dsa.pub.
The key fingerprint is:
1e:73:59:96:25:93:3f:8b:50:39:81:9e:e3:4a:a8:aa
filecopy@bigboy
[filecopy@bigboy filecopy]#

2) These key files are stored in the .ssh subdirectory of your home directory. View the contents of that directory. The file named id_dsa is your private key, and id_dsa.pub is the public key that you will be sharing with your target server. Versions other than RedHat/Fedora may use different filenames; use the SSH man pages to verify this.

[filecopy@bigboy filecopy]# cd ~/.ssh
[filecopy@bigboy filecopy]# ls
id_dsa  id_dsa.pub  known_hosts
[filecopy@bigboy .ssh]#

3) Copy only the public key to the home directory of the account to which you will be sending the file.

[filecopy@bigboy .ssh]# scp id_dsa.pub filecopy@smallfry:public-key.tmp

Now, on to the server side of the operation.

Configuration – Server Side

Here are the steps you need to do on the computer that will act as the SSH server.

1) Log into smallfry as user filecopy. Create an .ssh subdirectory in your home directory and then go to it with cd.

[filecopy@smallfry filecopy]# ls
public-key.tmp
[filecopy@smallfry filecopy]# mkdir .ssh
[filecopy@smallfry filecopy]# chmod 700 .ssh
[filecopy@smallfry filecopy]# cd .ssh

2) Append the public-key.tmp file to the end of the authorized_keys file using the >> append redirector with the cat command. The authorized_keys file contains a listing of all the public keys from machines that are allowed to connect to your Smallfry account without a password. Versions other than RedHat/Fedora may use different filenames, use the SSH man pages to verify this.

[filecopy@smallfry .ssh]# cat ~/public-key.tmp >> authorized_keys
[filecopy@smallfry .ssh]# rm ~/public-key.tmp

From now on you can use ssh and scp as user filecopy from server bigboy to smallfry without being prompted for a password.

2. Taking the backup with rsync

Write a backup script, for example backup.sh, in the /root directory:

cd /root

vi backup.sh

Press i to insert

then write this:

#!/bin/bash

DESTROOT="/backups"
TODAY=`date '+%A'`

rsync -e ssh -avz --delete filecopy@smallfry:/var/www $DESTROOT/backup

# Archive today's files
tar czvf $DESTROOT/archived/${TODAY}-backup.tar.gz $DESTROOT/backup > $DESTROOT/archived/${TODAY}-backup.log

Press :wq [to save the file and exit]

then: chmod 700 backup.sh [this makes the file executable for root only]

Explanation : The Script will connect to the server smallfry via Ssh, then will download all the files from /var/www directory to local pc under /backups Directory.

3. Automate the system by Crontab

crontab -e

Press I to insert
00 3 * * 1-5 /root/backup.sh >/dev/null 2>&1

Press :wq [ to save the file]

Explanation: cron will now run this script at minute 0 of 3 am, every day of the month, every month, Monday to Friday.

Tools for securing Linux server and its services

Thursday, August 27th, 2009

a) Fail2Ban: bans an IP address after a few failed login attempts

website : http://www.fail2ban.org/wiki/index.php/Main_Page

b) Rootkit Hunter / chkrootkit: scan your server for rootkits and unauthorized scripts.

Website :http://www.chkrootkit.org/

To download : http://sourceforge.net/projects/rkhunter/

c) PortSentry: blocks IPs that scan your server for open ports.

Ref : http://www.securityfocus.com/infocus/1580

http://www.securityfocus.com/infocus/1586

How to install : http://www.falkotimme.com/howtos/chkrootkit_portsentry/

d)mod_security

http://www.modsecurity.org/

e) mod_evasive: bans an IP under certain conditions, for example:

  • Requesting the same page more than a few times per second
  • Making more than 50 concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted (on a blocking list)

Web Site : http://www.zdziarski.com/projects/mod_evasive/

To be continued...

How to rebuild a failed Linux software RAID

Friday, August 14th, 2009

Ref: http://aplawrence.com/Linux/rebuildraid.html

Recently I had a hard drive fail. It was part of a Linux software RAID 1 (mirrored drives), so we lost no data, and just needed to replace hardware. However, the RAID does require rebuilding. A hardware array would usually automatically rebuild upon drive replacement, but this needed some help.

When you look at a “normal” array, you see something like this:

# cat /proc/mdstat
Personalities : [raid1]
read_ahead 1024 sectors
md2 : active raid1 hda3[1] hdb3[0]
262016 blocks [2/2] [UU]

md1 : active raid1 hda2[1] hdb2[0]
119684160 blocks [2/2] [UU]

md0 : active raid1 hda1[1] hdb1[0]
102208 blocks [2/2] [UU]

unused devices:

That’s the normal state – what you want it to look like. When a drive has failed and been replaced, it looks like this:

Personalities : [raid1]
read_ahead 1024 sectors
md0 : active raid1 hda1[1]
102208 blocks [2/1] [_U]

md2 : active raid1 hda3[1]
262016 blocks [2/1] [_U]

md1 : active raid1 hda2[1]
119684160 blocks [2/1] [_U]
unused devices:

Notice that it doesn’t list the failed drive parts, and that an underscore appears beside each U. This shows that only one drive is active in these arrays – we have no mirror.
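A monitoring check built on that layout, added here and not part of the original article: it reads /proc/mdstat (or a saved copy of it) and reports every array whose status field contains _ or whose active count is below its member count, so a lost mirror raises an alert instead of waiting to be noticed. The degraded and healthy samples below are constructed from the output shown in the post.

```sh
#!/bin/sh
# Added example: detect degraded Linux software RAID arrays from mdstat.
# Usage on a live host: mdstat_degraded /proc/mdstat

# mdstat_degraded FILE -> prints "mdN active/total" for each degraded array;
# exit 0 when every array is healthy, 1 when at least one is degraded
mdstat_degraded() {
    awk '
        /^md[0-9]+ *:/ { dev = $1; next }
        # status line looks like: 102208 blocks [2/1] [_U]
        dev != "" && /\[[0-9]+\/[0-9]+\] \[[U_]+\]/ {
            match($0, /\[[0-9]+\/[0-9]+\]/)
            counts = substr($0, RSTART + 1, RLENGTH - 2)   # e.g. "2/1"
            split(counts, c, "/")                          # c[1]=total c[2]=active
            if (c[1] != c[2] || $0 ~ /_/) { print dev, c[2] "/" c[1]; bad++ }
            dev = ""
        }
        END { exit (bad > 0) ? 1 : 0 }
    ' "$1"
}

# Constructed sample: the degraded state from the post
DEGRADED=$(mktemp)
cat > "$DEGRADED" <<'EOF'
Personalities : [raid1]
read_ahead 1024 sectors
md0 : active raid1 hda1[1]
102208 blocks [2/1] [_U]

md2 : active raid1 hda3[1]
262016 blocks [2/1] [_U]

md1 : active raid1 hda2[1]
119684160 blocks [2/1] [_U]
unused devices:
EOF

# Constructed sample: the healthy state from the post
HEALTHY=$(mktemp)
cat > "$HEALTHY" <<'EOF'
Personalities : [raid1]
read_ahead 1024 sectors
md2 : active raid1 hda3[1] hdb3[0]
262016 blocks [2/2] [UU]

md1 : active raid1 hda2[1] hdb2[0]
119684160 blocks [2/2] [UU]

md0 : active raid1 hda1[1] hdb1[0]
102208 blocks [2/2] [UU]

unused devices:
EOF

mdstat_degraded "$HEALTHY" && echo "all arrays healthy"
mdstat_degraded "$DEGRADED" || echo "degraded arrays listed above"
```

An array that is still resyncing after raidhotadd also shows [_U] and is reported, which is the desired behaviour for a monitor: the mirror is not back until the status reads [UU].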

Another command that will show us the state of the raid drives is “mdadm”

# mdadm -D /dev/md0
/dev/md0:
Version : 00.90.00
Creation Time : Thu Aug 21 12:22:43 2003
Raid Level : raid1
Array Size : 102208 (99.81 MiB 104.66 MB)
Device Size : 102208 (99.81 MiB 104.66 MB)
Raid Devices : 2
Total Devices : 1
Preferred Minor : 0
Persistence : Superblock is persistent

Update Time : Fri Oct 15 06:25:45 2004
State : dirty, no-errors
Active Devices : 1
Working Devices : 1
Failed Devices : 0
Spare Devices : 0

Number Major Minor RaidDevice State
0 0 0 0 faulty removed
1 3 1 1 active sync /dev/hda1
UUID : f9401842:995dc86c:b4102b57:f2996278

As this shows, we presently only have one drive in the array.

Although I already knew that /dev/hdb was the other part of the raid array, you can look at /etc/raidtab to see how the raid was defined:

raiddev /dev/md1
raid-level 1
nr-raid-disks 2
chunk-size 64k
persistent-superblock 1
nr-spare-disks 0
device /dev/hda2
raid-disk 0
device /dev/hdb2
raid-disk 1
raiddev /dev/md0
raid-level 1
nr-raid-disks 2
chunk-size 64k
persistent-superblock 1
nr-spare-disks 0
device /dev/hda1
raid-disk 0
device /dev/hdb1
raid-disk 1
raiddev /dev/md2
raid-level 1
nr-raid-disks 2
chunk-size 64k
persistent-superblock 1
nr-spare-disks 0
device /dev/hda3
raid-disk 0
device /dev/hdb3
raid-disk 1

To get the mirrored drives working properly again, we need to run fdisk to see what partitions are on the working drive:

# fdisk /dev/hda

Command (m for help): p

Disk /dev/hda: 255 heads, 63 sectors, 14946 cylinders
Units = cylinders of 16065 * 512 bytes

Device Boot Start End Blocks Id System
/dev/hda1 * 1 13 104391 fd Linux raid autodetect
/dev/hda2 14 14913 119684250 fd Linux raid autodetect
/dev/hda3 14914 14946 265072+ fd Linux raid autodetect

Duplicate that on /dev/hdb. Use “n” to create the partitions, and “t” to change their type to “fd” to match. Once this is done, use “raidhotadd”:

# raidhotadd /dev/md0 /dev/hdb1
# raidhotadd /dev/md1 /dev/hdb2
# raidhotadd /dev/md2 /dev/hdb3

The rebuilding can be seen in /proc/mdstat:

# cat /proc/mdstat
Personalities : [raid1]
read_ahead 1024 sectors
md0 : active raid1 hdb1[0] hda1[1]
102208 blocks [2/2] [UU]

md2 : active raid1 hda3[1]
262016 blocks [2/1] [_U]

md1 : active raid1 hdb2[2] hda2[1]
119684160 blocks [2/1] [_U]
[>....................] recovery = 0.2% (250108/119684160) finish=198.8min speed=10004K/sec
unused devices:

The md0, a small array, has already completed rebuilding (UU), while md1 has only begun. After it finishes, it will show:

# mdadm -D /dev/md1
/dev/md1:
Version : 00.90.00
Creation Time : Thu Aug 21 12:21:21 2003
Raid Level : raid1
Array Size : 119684160 (114.13 GiB 122.55 GB)
Device Size : 119684160 (114.13 GiB 122.55 GB)
Raid Devices : 2
Total Devices : 2
Preferred Minor : 1
Persistence : Superblock is persistent

Update Time : Fri Oct 15 13:19:11 2004
State : dirty, no-errors
Active Devices : 2
Working Devices : 2
Failed Devices : 0
Spare Devices : 0

Number Major Minor RaidDevice State
0 3 66 0 active sync /dev/hdb2
1 3 2 1 active sync /dev/hda2
UUID : ede70f08:0fdf752d:b408d85a:ada8922b

I was a little surprised that this process wasn’t entirely automatic. There’s no reason it couldn’t be. This is an older Linux install; I don’t know if more modern versions will just automatically rebuild.

CentOS/Red Hat/Debian Internet Connection Sharing

Friday, August 14th, 2009

Network setup:
eth0 = 192.168.2.1 [ISP router]
eth1 = 10.0.0.2 [internal network]

Check whether IPv4 forwarding is on or off:
cat /proc/sys/net/ipv4/ip_forward
If the result is 0, turn it on with this command (this does not survive a reboot; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it persistent):

echo 1 > /proc/sys/net/ipv4/ip_forward

Now enable IP masquerading by adding a rule to iptables:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[Now all internet requests will go out via eth0]

If internal computers cannot resolve domain names (ping by name fails), add the rules below to /etc/sysconfig/iptables to allow DNS (UDP port 53) requests to reach the router (for CentOS and Red Hat):
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT

Or
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

How to send email to a distribution group with sendmail

Wednesday, August 12th, 2009

Go to /etc/mail and edit the virtusertable:

cd /etc/mail
vi virtusertable

all@yourdomain.co.uk allusers

Then rebuild the map so that sendmail picks up the change:

makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable

Now, still in /etc/mail, create the list file:

vi allusers.txt

user1
user2
user3

[Here you just write the usernames (system usernames), one per line]
[If you have lots of users you can use a script to copy all usernames from /etc/passwd to /etc/mail/allusers.txt]

Now save the file and edit the aliases file:

vi /etc/aliases

Insert this line:

allusers: :include:/etc/mail/allusers.txt

Then run newaliases to rebuild the aliases database.
That's it.
Now when you send email to allusers@yourdomain.co.uk
it will be delivered to every user in that group.
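For the "copy all usernames from /etc/passwd" step, the script below is an added example (not from the post): it keeps only regular login accounts, so daemon and service accounts such as mail, nobody or a backup robot never receive list mail. The minimum UID is an assumption set to 1000; pass /etc/passwd on the server. The passwd file used here is constructed.

```sh
#!/bin/sh
# Added example: build allusers.txt from a passwd file, excluding system
# accounts (low UID, nobody, or a non-login shell).

MIN_UID=1000   # assumption: regular users start at UID 1000 on this system

# passwd_to_list PASSWD_FILE -> prints one login name per line
passwd_to_list() {
    awk -F: -v min="$MIN_UID" '
        $3 >= min && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }
    ' "$1"
}

# write_allusers PASSWD_FILE OUTFILE -> writes the list for :include:
write_allusers() {
    passwd_to_list "$1" > "$2"
}

# Constructed sample passwd file
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
user1:x:1000:1000:User One:/home/user1:/bin/bash
user2:x:1001:1001:User Two:/home/user2:/bin/sh
svcbackup:x:1002:1002:Backup robot:/var/backups:/bin/false
user3:x:1003:1003:User Three:/home/user3:/bin/zsh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

# Real use: write_allusers /etc/passwd /etc/mail/allusers.txt
passwd_to_list "$SAMPLE_PASSWD"
```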

How to make VIM an IDE for Bash and Perl

Wednesday, August 12th, 2009

For a Bash IDE:
1. Download the bash-support.zip file from this site: http://www.vim.org/scripts/script.php?script_id=365
2. Unzip bash-support.zip in the /etc/vim directory, then either copy bash-support from /etc/vim to the user's home directory [cd /home/user, mkdir .vim, cp -r /etc/vim/bash-support /home/user/.vim] or unzip bash-support.zip directly in the user's home directory [/home/user/.vim]

3. Open your script in gvim. [gvim script.sh]
Read more:
http://www.vim.org/scripts/script.php?script_id=365

For Perl:
1. Download the zip file from here: http://www.vim.org/scripts/script.php?script_id=556
Then follow the same steps as for Bash.

How to add a new hard drive in Linux with LVM

Wednesday, August 12th, 2009

The steps are:

Create a physical volume, then create or extend a volume group:

  1. Create a physical volume: pvcreate /dev/hdc (here the new disk is /dev/hdc)
  2. Create a volume group: vgcreate VolGroup01 /dev/hdc
  3. OR extend the existing volume group: vgextend VolGroup01 /dev/hdc

Create a logical volume:

Check how many free PEs (physical extents) you have with: vgdisplay
It will show something like this:
Free PE / Size 319 / 9.97 GB
Now create the logical volume, either by number of PEs or by size:
lvcreate -l number_of_PEs VolGroup01 -n LogicalVolumeName
Or
lvcreate -L 800M VolGroup01 -n LogicalVolumeName
To check that it worked, type: lvdisplay
To see how much space you have left, run vgdisplay again; it will show something like this:
Free PE / Size 294 / 9.19 GB

Now you need to format the logical volume and mount it on a directory:

Format the logical volume: mkfs.ext3 /dev/VolGroup01/LogicalVolumeName
Mount it: mount /dev/VolGroup01/LogicalVolumeName /mount-point
Now create a label for this mount point:
e2label /dev/VolGroup01/LogicalVolumeName /mount-point
and add this reference in /etc/fstab so it is mounted at boot:
LABEL=/mount-point /mount-point ext3 defaults 1 2

How to Setup a transparent proxy with Squid

Wednesday, August 12th, 2009

by LinuxTitli [Last updated: December 5, 2007]

Setup :

i) System: HP dual Xeon CPU system with 8 GB RAM (good for squid).
ii) Eth0: IP:192.168.1.1
iii) Eth1: IP: 192.168.2.1 (192.168.2.0/24 network (around 150 windows XP systems))
iv) OS: Red Hat Enterprise Linux 4.0 (Following instruction should work with Debian and all other Linux distros)

Eth0 is connected to the internet and eth1 is connected to the local LAN, i.e. the system acts as a router.

Server Configuration:

  • Step #1 : Squid configuration so that it will act as a transparent proxy
  • Step #2 : Iptables configuration
    • a) Configure system as router
    • b) Forward all http requests to 3128 (DNAT)
  • Step #3: Run scripts and start squid service

First, Squid server installed (use up2date squid) and configured by adding following directives to file:
# vi /etc/squid/squid.conf

Modify or add following squid directives:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan

Where,

  • httpd_accel_host virtual: Squid as an httpd accelerator
  • httpd_accel_port 80: 80 is port you want to act as a proxy
  • httpd_accel_with_proxy on: Squid act as both a local httpd accelerator and as a proxy.
  • httpd_accel_uses_host_header on: Header is turned on which is the hostname from the URL.
  • acl lan src 192.168.1.1 192.168.2.0/24: Access control list, only allow LAN computers to use squid
  • http_access allow localhost: Squid access to LAN and localhost ACL only
  • http_access allow lan: — same as above —

Here is the complete listing of squid.conf for your reference (grep will remove all comments and sed will remove all empty lines, thanks to David Klein for quick hint ):
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

OR, try out sed (thanks to kotnik for small sed trick)
# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'

Output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid

Iptables Configuration:

Next, I had added following rules to forward all http requests (coming to port 80) to the Squid server port 3128 :
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Here is the complete shell script. The script first configures the Linux system as a router and then forwards all http requests to port 3128 (Download the fw.proxy shell script):
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Save shell script. Execute script so that system will act as a router and forward the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on

Start or Restart the squid:
# /etc/init.d/squid restart
# chkconfig squid on

How to test if squid is working properly ?

See access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log

The above command will monitor all incoming requests as they are logged to the /var/log/squid/access.log file. Now if somebody accesses a website through a browser, squid will log the information.
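Tailing the log shows that the proxy works; for day-to-day operation you want a summary you can alert on. The functions below are an added example (not the article's code): they read Squid's native access.log format (time, elapsed, client, status/code, bytes, method, URL, ident, hierarchy/peer, type) and report requests per client and clients with TCP_DENIED entries, which is how a host outside the lan ACL, or a LAN host trying to tunnel somewhere it should not, shows up. The log lines used are constructed.

```sh
#!/bin/sh
# Added example: summarise Squid native access.log lines.
# Usage on the proxy: squid_denied_clients /var/log/squid/access.log 5

# squid_requests_per_client FILE -> "client count", most active first
squid_requests_per_client() {
    awk '{ n[$3]++ } END { for (c in n) print c, n[c] }' "$1" | sort -k2,2nr -k1,1
}

# squid_denied_clients FILE [THRESHOLD] -> clients with >= THRESHOLD
# TCP_DENIED responses (default 1), most denied first
squid_denied_clients() {
    awk -v thr="${2:-1}" '
        $4 ~ /^TCP_DENIED\// { d[$3]++ }
        END { for (c in d) if (d[c] >= thr) print c, d[c] }
    ' "$1" | sort -k2,2nr -k1,1
}

# Constructed sample log: two LAN clients and one host outside the lan ACL
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
1250000001.100    120 192.168.2.15 TCP_MISS/200 5143 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1250000002.200     15 192.168.2.15 TCP_HIT/200 2310 GET http://www.example.com/logo.png - NONE/- image/png
1250000003.300    200 192.168.2.40 TCP_MISS/200 8800 GET http://www.example.net/ - DIRECT/93.184.216.35 text/html
1250000004.400      2 10.9.9.9 TCP_DENIED/403 1600 GET http://www.example.org/ - NONE/- text/html
1250000005.500      1 10.9.9.9 TCP_DENIED/403 1600 CONNECT www.example.org:443 - NONE/- text/html
1250000006.600      1 10.9.9.9 TCP_DENIED/403 1600 GET http://www.example.com/ - NONE/- text/html
1250000007.700     90 192.168.2.40 TCP_DENIED/403 1600 CONNECT 93.184.216.34:25 - NONE/- text/html
EOF

echo "requests per client:"
squid_requests_per_client "$LOG"
echo "clients with denied requests:"
squid_denied_clients "$LOG"
```

The denied CONNECT to port 25 from a LAN host is the kind of entry worth a second look even below any threshold: it is a client trying to relay mail through the proxy, which the Safe_ports / SSL_ports rules in the squid.conf above are there to stop.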

Problem and Solutions:

(a) Windows XP FTP Client

All desktop client FTP session requests ended with an error:
Illegal PORT command.

I had loaded the ip_nat_ftp kernel module. Just type the following command press Enter and voila!
# modprobe ip_nat_ftp

Please note that modprobe command is already added to a shell script (above).

(b) Port 443 redirection

I had blocked out all connection requests from our router settings except for our proxy (192.168.1.1) server. So all ports including 443 (https/ssl) requests were denied. You cannot redirect port 443; from the debian mailing list, “Long answer: SSL is specifically designed to prevent “man in the middle” attacks, and setting up squid in such a way would be the same as such a “man in the middle” attack. You might be able to successfully achieve this, but not without breaking the encryption and certification that is the point behind SSL“.

Therefore, I quickly reopened port 443 (router firewall) for all my LAN computers and the problem was solved.

(c) Squid Proxy authentication in a transparent mode

You cannot use Squid authentication with a transparently intercepting proxy.

How to install openssh-server in knoppix

Tuesday, August 11th, 2009

In Knoppix:
cd /etc/apt/
nano sources.list
add any good Debian repo, such as

deb http://http.us.debian.org/debian stable main contrib non-free

then: save the file
then: apt-get update

then type: apt-get install openssh-server
Also set a password for root, because Knoppix does not have a root password by default.

repo ref: http://www.debian.org/doc/manuals/apt-howto/ch-basico.en.html

How to find the expensive I/O process behind an I/O bottleneck

Tuesday, August 11th, 2009

To find the process that is causing an I/O bottleneck:

1. iotop (http://guichaz.free.fr/iotop/)
iotop requires Python ≥ 2.5 and a Linux kernel ≥ 2.6.20 with the TASK_DELAY_ACCT and TASK_IO_ACCOUNTING options enabled.
2. iostat (or pidstat -d for per-process figures) from the sysstat package

But iotop provides more user-friendly output than iostat.

How to change an IP from dynamic to static

Tuesday, August 11th, 2009

In Debian, edit /etc/network/interfaces:

auto eth0
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

then: /etc/init.d/networking restart

In CentOS:
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:0C:29:81:90:33
ONBOOT=yes
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
GATEWAY=192.168.1.1
BROADCAST=192.168.1.255

then: service network restart