Wednesday, December 24, 2008

The best putty package available

Bored of black-screened putty windows filling up your taskbar? Problems porting saved sessions from machine to machine? Do you like tabbed SSH sessions?

Start using portaputty instead of the normal putty and link it with puttycm.

Puttycm supports saving sessions in its own database files, and you can also use the putty sessions you have already saved right from inside it.
You can have any number of databases, which lets you arrange remote servers in folders with convenient names.

I personally recommend creating the database with puttycm rather than using the sessions saved in putty, which offers no option to create folders and save sessions under a directory tree.
You can even save the username/password to get logged in automatically, and there is an option to pass commands to be run right after login. I can't recommend these options, since a bug was found with them.

Portaputty is a variant of putty that stores all its configuration data in text files instead of MS Windows registry entries, which makes customization and portability much easier than before. For example, you can make "Use system colours" the default just by setting UseSystemColours=1 in the session file under .putty\sessions in the directory from which you run portaputty.

puttycm is the Putty Connection Manager. It gives a user interface in which we can open multiple putty sessions in tabs and store sessions in a hierarchical directory tree. The saved sessions are stored in DB files, which can be exported to XML and transferred.
Both puttycm and portaputty are standalone executables; no further setup is required. The only thing to do is to give the full path to putty (portaputty in our case) on the first run of puttycm. Download portaputty here and puttycm from here

A typical putty screen with PuttyCM and PortaPutty will appear as below

Wednesday, December 10, 2008

screen for Remote assistance and chat

screen is a UNIX utility that can be used for remote assistance/administration. Suppose an unskilled colleague of yours is struggling with a server at some remote location and has no idea how to troubleshoot a problem.
If you can solve it while letting your colleague watch how you sort out the issue, you can use screen.

First of all, ask your colleague for the username he used to log in to that remote machine. Now log in to that remote machine as the same user. Suppose the username is engineer and the IP of the remote machine is 192.168.1.1. Try the below
# ssh engineer@192.168.1.1
Then, after logging in, run the screen command to start a session named myscreen
$ screen -S myscreen
Now tell your colleague to type the below to attach his terminal to your screen session.
$ screen -x myscreen
That's it. Now he can watch whatever you type and vice versa.

Monday, December 8, 2008

Run X11 programs after SSH and switch to another user

This issue arises when you log in as root and try to launch X11 programs after switching to user oracle.
One solution is to log in directly as the user you want to run those X11 programs as.
There is one more workaround. Here you log in as a different user, then run the below command
xauth list | grep "`hostname`/"| grep `echo $DISPLAY | cut -f2 -d: | cut -f1 -d.`

Copy the output. Then switch to the second user and run xauth add with that output as its argument, as below
xauth add training/unix:13 MIT-MAGIC-COOKIE-1 57f03bee06be924299b0bedde6499bd1

Now run any X11 programs.
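As an added example (not from the original post), here is a small POSIX sh helper that picks the xauth entry by exact host and display number instead of by a bare grep for the number, which could also match digits inside another entry's cookie value. The host names, display numbers and cookie values in the sample list are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): select the xauth entry for the
# current DISPLAY by exact "host/unix:N" prefix, so ":1" cannot match ":13"
# and a display number cannot match digits inside another entry's cookie.

# Constructed sample of `xauth list` output; hosts and cookie values are made up.
SAMPLE_XAUTH_LIST='training/unix:10  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
training/unix:13  MIT-MAGIC-COOKIE-1  57f03bee06be924299b0bedde6499bd1
otherhost/unix:13  MIT-MAGIC-COOKIE-1  ffffffffffffffffffffffffffffffff
training/unix:1   MIT-MAGIC-COOKIE-1  13131313131313131313131313131313'

# display_number "localhost:13.0" -> 13  (the same cut pipeline the post uses)
display_number() {
    printf '%s\n' "$1" | cut -f2 -d: | cut -f1 -d.
}

# cookie_entry HOST DISPLAY LIST
# Prints the single line of LIST whose prefix is exactly "HOST/unix:N " (the
# trailing space keeps ":1" from matching ":13"); prints nothing when absent.
cookie_entry() {
    _host=$1
    _num=$(display_number "$2")
    printf '%s\n' "$3" | awk -v pre="$_host/unix:$_num " 'index($0, pre) == 1 { print; exit }'
}

# xauth_add_command HOST DISPLAY LIST
# Prints the exact `xauth add ...` line the second user has to run. It is only
# printed, not executed, so this runs without an X server or a real xauth file.
# Remember that whoever holds this cookie can open windows on, and read input
# from, that display, so hand it only to the account that needs it.
xauth_add_command() {
    _entry=$(cookie_entry "$1" "$2" "$3") || return 1
    [ -n "$_entry" ] || return 1
    printf 'xauth add %s\n' "$_entry"
}

# Real use in the first login shell would be:
#   xauth_add_command "$(hostname)" "$DISPLAY" "$(xauth list)"
```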

Tuesday, November 25, 2008

BASH script to delete older files

#!/bin/bash
# BASH script to find files with a modification time older than 7 days and remove them.
# A confirmation prompt before each deletion has been included.
# Hidden files (names starting with ".") are excluded from deletion.
# Files matching the patterns in the exclusion list are also prevented from being deleted.

DIR=/home/hari
LIST=/home/hari/DELETE_LIST
EXCLUSIONS=/home/hari/EXCLUSIONS    # one grep pattern per line

# Without confirmation, the single command below would do it:
# find "$DIR" -type f -mtime +7 -not -name '.*' | grep -v -f "$EXCLUSIONS" | xargs -r rm -f --
# But for the time being it asks for CONFIRMATION before deleting each file.

# Declaration for CONFIRM()
CONFIRM()
{
  echo "Going to remove $1"
  echo "Do you want to continue? -y/n"
  # Read the answer from the terminal, not from the file list that feeds the loop
  read -r CHOICE < /dev/tty
  if [ "$CHOICE" = 'y' ]
  then
    rm -f -- "$1"
  elif [ "$CHOICE" = 'n' ]
  then
    exit
  else
    echo Invalid choice
    exit
  fi
}
# Function FIND_FILES
FIND_FILES()
{
  cd "$DIR" || exit 1
  find . -type f -mtime +7 -not -name '.*' | grep -v -f "$EXCLUSIONS" > "$LIST"
  # Read one path per line so file names containing spaces survive
  while IFS= read -r ENTRY
  do
    CONFIRM "$ENTRY"
  done < "$LIST"
}

# Call to main function FIND_FILES()
FIND_FILES
exit

Saturday, November 22, 2008

Install Linux from a remote machine

This comes into the picture when an admin has no physical access to a system on which Linux needs to be installed. Here we need help from someone who has physical access to that remote machine, to boot it from the bootable media and to type the command shown below at the boot prompt.


Now anaconda will start to run and will pause at a particular point showing the message below


Now telnet to this IP from a remote machine and proceed with the installation steps as usual, as shown below

Monday, September 22, 2008

How to disable specific command(s) for a certain user.

Please follow the steps below to disable specific command(s) for a certain user.

# su - hari
$ which rm (here the rm command is taken as an example)
$ mkdir ~/bin
$ ln -s /bin/* ~/bin/ (/bin is the directory in PATH that holds rm)
$ rm -rf ~/bin/rm

Take the output of $PATH for this user, written as an assignment so that it can be appended to .bashrc

$ echo "export PATH=$PATH" > MyPATH.txt
Edit this file and replace /bin with ~/bin

Login as root

$ su -
# cat /home/hari/MyPATH.txt >> /home/hari/.bashrc

Change the permission of /home/hari/.bashrc
# chmod 444 /home/hari/.bashrc
# chattr +i /home/hari/.bashrc


That's all.
But the user can reset the PATH variable at any time to get around this.
Please comment with alternatives.

Monday, July 28, 2008

Disable Media Check for cdrom

Grub.conf
dma=off acpi=off apm=off

/etc/hdparm.conf
command_line {
hdparm -d1 /dev/cdrom
}

command_line {
hdparm -d1 /dev/cdrom1
}

sysctl.conf
dev.cdrom.check_media = 0

MySQL Compilation

# groupadd mysql
# useradd -g mysql -c "MySQL Server" mysql
# tar zxf mysql-5.0.45.tar.gz
# cd /usr/local/src/mysql-5.0.45
# chown -R root.root *
# ./configure --prefix=/usr/local/mysql \
    --localstatedir=/usr/local/mysql/data \
    --disable-maintainer-mode \
    --with-mysqld-user=mysql \
    --with-unix-socket-path=/tmp/mysql.sock \
    --without-comment \
    --without-debug \
    --without-bench
# make && make install
# ./scripts/mysql_install_db
# chown -R root:mysql /usr/local/mysql
# chown -R mysql:mysql /usr/local/mysql/data
# cp support-files/my-medium.cnf /etc/my.cnf
# chown root:sys /etc/my.cnf
# chmod 644 /etc/my.cnf
# echo "/usr/local/mysql/lib/mysql" >> /etc/ld.so.conf
# ldconfig
# cp ./support-files/mysql.server /etc/rc.d/init.d/mysql
# chmod +x /etc/rc.d/init.d/mysql
# /sbin/chkconfig --level 3 mysql on
# cd /usr/local/mysql/bin
# for file in *; do ln -s /usr/local/mysql/bin/$file /usr/bin/$file; done

# /etc/init.d/mysql start

Open multiple tabs with gnome-terminal

gnome-terminal --geometry=125x75 --tab -e "ssh 192.168.0.67 -l myuser" --tab -e "ssh 192.168.0.45 -l root" --tab -e "ssh 192.168.0.88 -l root" --tab -e "ssh 192.168.1.145 -l root -p 22999"

Set date from CLI

# date 030710532008
date
Fri Mar 7 10:53:01 IST 2008

Tuesday, March 11, 2008

Bugzilla installation

Reference
bugzilla.org
Download the latest Stable Release
# cd /usr/local/src
# wget http://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-3.0.3.tar.gz
# tar xzf bugzilla-3.0.3.tar.gz
# cd bugzilla-3.0.3
First, run the checksetup.pl script to check for any dependent packages that need to be installed
# ./checksetup.pl --check-modules
NOTE: You must run any commands listed below as root.
***********************************************************************
* REQUIRED MODULES *
***********************************************************************
* Bugzilla requires you to install some Perl modules which are either *
* missing from your system, or the version on your system is too old. *
* *
* The latest versions of each module can be installed by running the *
* commands below. *
***********************************************************************
COMMANDS:
/usr/bin/perl -MCPAN -e 'install "Email::Send"'
/usr/bin/perl -MCPAN -e 'install "Template"'
/usr/bin/perl -MCPAN -e 'install "Email::MIME::Modifier"'
/usr/bin/perl -MCPAN -e 'install "Date::Format"'
So run them one by one
# /usr/bin/perl -MCPAN -e 'install "Email::Send"'
Fine
# /usr/bin/perl -MCPAN -e 'install "Template"'
Fine
# /usr/bin/perl -MCPAN -e 'install "Email::MIME::Modifier"'
Fine
# /usr/bin/perl -MCPAN -e 'install "Date::Format"'
Fine
Now configure the database and Apache settings
# cd /usr/local/src/bugzilla-3.0.3
# vi localconfig

$create_htaccess = 1;
$webservergroup = 'nobody';
$db_driver = 'mysql';
$db_host = 'localhost';
$db_name = 'bugs';
$db_user = 'bugs';
$db_pass = 'secret';
$db_port = 3306;
$db_sock = '/tmp/mysql.sock';
$db_check = 1;
$index_html = 0;
$cvsbin = '/usr/bin/cvs';
$interdiffbin = '/usr/bin/interdiff';
$diffpath = '/usr/bin';

Re-run checksetup.pl
# ./checksetup.pl
Now it will create the database and the web server data such as .htaccess files.
MySQL
Allow large attachments
# vi /etc/my.cnf
max_allowed_packet=1M
Allow small words in full-text indexes
ft_min_word_len=2
Add a user to MySQL
# mysql -u root -pmysql
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY 'secret';
Query OK, 0 rows affected (0.04 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.01 sec)
Configure Apache
First create a soft link to Bugzilla in your web server's DocumentRoot
# cd /var/www/html
# ln -s /usr/local/src/bugzilla-3.0.3 bugzilla
# vi /usr/local/apache/conf/httpd.conf

<Directory /var/www/html/bugzilla>
AddHandler cgi-script .cgi
Options +Indexes +ExecCGI
DirectoryIndex index.cgi
AllowOverride Limit
</Directory>

# /usr/local/apache/bin/apachectl restart
Now it should be up at http://localhost/bugzilla

Tuesday, March 4, 2008

Log Server using Syslog-NG

Server - RHEL 5
Stop syslog and turn it off in the run levels

# service syslog stop
# chkconfig syslog off

Download syslog-ng
# cd /usr/local/src
# wget http://www.balabit.com/downloads/files/eventlog/0.2/eventlog-0.2.5.tar.gz

# tar xzf eventlog-0.2.5.tar.gz
# cd eventlog-0.2.5
# ./configure --prefix=/usr/local/eventlog
# make
# make install

# cd /usr/local/src
# wget http://www.balabit.com/downloads/files/libol/0.3/libol-0.3.18.tar.gz
# tar xzf libol-0.3.18.tar.gz
# cd libol-0.3.18
# ./configure --prefix=/usr/local/libol
# make
# make install

# cd /usr/local/src
# wget http://www.balabit.com/downloads/files/syslog-ng/sources/2.0/src/syslog-ng-2.0.6.tar.gz
# tar xzf syslog-ng-2.0.6.tar.gz
# cd syslog-ng-2.0.6

# export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig
# ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol/
# make
# make install

# cd /usr/local/syslog-ng
# mkdir etc
# cd etc
# vi syslog-ng.conf

### Refer http://www.campin.net/syslog-ng.conf
options {
keep_hostname(yes);
long_hostnames(off);
sync(1);
log_fifo_size(1024);
};

source src {
pipe("/proc/kmsg");
unix-stream("/dev/log");
internal();
udp();
tcp(port(5140) keep-alive(yes));
};

destination authlog { file("/var/log/syslog-ng/auth.log"); };
destination syslog { file("/var/log/syslog-ng/syslog"); };
destination cron { file("/var/log/syslog-ng/cron.log"); };
destination daemon { file("/var/log/syslog-ng/daemon.log"); };
destination kern { file("/var/log/syslog-ng/kern.log"); };
destination lpr { file("/var/log/syslog-ng/lpr.log"); };
destination user { file("/var/log/syslog-ng/user.log"); };
destination uucp { file("/var/log/syslog-ng/uucp.log"); };

destination mail { file("/var/log/syslog-ng/mail.log"); };
destination maillog { file("/var/log/syslog-ng/maillog"); };
destination mailinfo { file("/var/log/syslog-ng/mail.info"); };
destination mailwarn { file("/var/log/syslog-ng/mail.warn"); };
destination mailerr { file("/var/log/syslog-ng/mail.err"); };

destination debug { file("/var/log/syslog-ng/debug"); };
destination messages { file("/var/log/syslog-ng/messages"); };

destination console { usertty("root"); };

destination console_all { file("/dev/tty8"); };

filter f_attack_alert {
match("attackalert");
};

filter f_ssh_login_attempt {
program("sshd.*")
and match("(Failed|Accepted)")
and not match("Accepted (hostbased|publickey) for (root|zoneaxfr) from (10.4.3.1)");
};

filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv) and not facility(mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };

filter f_news { facility(news); };

filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info .. warn)
and not facility(auth, authpriv, cron, daemon, mail, news); };
filter f_emergency { level(emerg); };

filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_daemon); destination(messages); };
log { source(src); filter(f_kern); destination(messages); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_user); destination(messages); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_mail); destination(maillog); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };

destination HOSTBASED {
file("/var/log/syslog-ng/HOSTBASED/$HOST/$YEAR/$MONTH/$DAY/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}"
owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
);
};

log {
source(src);
destination(HOSTBASED);
};


# mkdir /var/log/syslog-ng

Start the syslog-ng daemon
# /usr/local/syslog-ng/sbin/syslog-ng
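As an added example that is not part of the original post, the f_ssh_login_attempt filter from the syslog-ng.conf above is re-expressed as grep -E pipelines so it can be dry-run over a few constructed log lines on the loghost before the config is deployed. The host names, PIDs and addresses in the sample are made up, and the assumed line format is the classic "Mon DD HH:MM:SS host program[pid]: message".

```shell
#!/bin/sh
# Added example (not part of the original post): dry-run of the
# f_ssh_login_attempt filter from syslog-ng.conf, expressed as grep -E pipelines.
# Assumed line format on the loghost: "Mon DD HH:MM:SS host program[pid]: message".

# Constructed sample lines; host names, PIDs and addresses are made up.
SAMPLE_LOG='Mar  4 10:15:01 web1 sshd[2201]: Accepted publickey for root from 10.4.3.1 port 51000 ssh2
Mar  4 10:15:07 web1 sshd[2208]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Mar  4 10:15:09 web1 sshd[2208]: Accepted password for hari from 192.168.0.5 port 4100 ssh2
Mar  4 10:15:11 web1 sshd[2210]: Connection closed by 192.0.2.10
Mar  4 10:15:12 web1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
Mar  4 10:15:13 web1 sshd[2215]: Accepted hostbased for zoneaxfr from 10.4.3.1 port 4200 ssh2
Mar  4 10:15:14 web1 sshd[2216]: Accepted publickey for root from 192.0.2.77 port 4300 ssh2'

# Reads log lines on stdin and writes the ones f_ssh_login_attempt would pass:
#   program("sshd.*")           -> program field (right after the host name) starts with sshd
#   match("(Failed|Accepted)")  -> line contains Failed or Accepted
#   not match("Accepted ...")   -> drop the one expected key/host-based login
# The dots in 10.4.3.1 are escaped here; the config's unescaped dots match any character.
ssh_login_attempts() {
    grep -E '^[A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8} [^ ]+ sshd' \
        | grep -E 'Failed|Accepted' \
        | grep -Ev 'Accepted (hostbased|publickey) for (root|zoneaxfr) from (10\.4\.3\.1)'
}

# Number of lines from LOG that the filter would forward (0 when none match).
count_ssh_login_attempts() {
    printf '%s\n' "$1" | ssh_login_attempts | grep -c ''
}

# Typical use on the loghost (not run here): follow the auth log through the filter
#   tail -f /var/log/syslog-ng/auth.log | ssh_login_attempts
```

Note that the exclusion clause silently hides root and zoneaxfr key logins from 10.4.3.1, so it needs revisiting whenever that address or those accounts change.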

Client - RHEL 5

Stop syslog and turn it off in the run levels

# service syslog stop
# chkconfig syslog off

Download syslog-ng
# cd /usr/local/src
# wget http://www.balabit.com/downloads/files/eventlog/0.2/eventlog-0.2.5.tar.gz
# tar xzf eventlog-0.2.5.tar.gz
# cd eventlog-0.2.5
# ./configure --prefix=/usr/local/eventlog
# make
# make install

# cd /usr/local/src
# wget http://www.balabit.com/downloads/files/libol/0.3/libol-0.3.18.tar.gz
# tar xzf libol-0.3.18.tar.gz
# cd libol-0.3.18
# ./configure --prefix=/usr/local/libol
# make
# make install

# cd /usr/local/src
# wget http://www.balabit.com/downloads/files/syslog-ng/sources/2.0/src/syslog-ng-2.0.6.tar.gz
# tar xzf syslog-ng-2.0.6.tar.gz
# cd syslog-ng-2.0.6

# export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig
# ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol/
# make
# make install

# cd /usr/local/syslog-ng
# mkdir etc
# cd etc
# vi syslog-ng.conf

Reference - http://www.campin.net/syslog-ng.conf

options {
keep_hostname(yes);
long_hostnames(off);
sync(1);
log_fifo_size(1024);
};

source src {
pipe("/proc/kmsg");
unix-stream("/dev/log");
internal();
udp();
tcp(port(5140) keep-alive(yes));
};

destination loghost { tcp("192.168.0.111" port(5140)); };

filter f_attack_alert {
match("attackalert");
};

filter f_ssh_login_attempt {
program("sshd.*")
and match("(Failed|Accepted)")
and not match("Accepted (hostbased|publickey) for (root|zoneaxfr) from (10.4.3.1)");
};

filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv) and not facility(mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };

filter f_news { facility(news); };

filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info .. warn)
and not facility(auth, authpriv, cron, daemon, mail, news); };
filter f_emergency { level(emerg); };

filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };
log { source(src); filter(f_authpriv); destination(loghost); };
log { source(src); filter(f_syslog); destination(loghost); };
log { source(src); filter(f_daemon); destination(loghost); };
log { source(src); filter(f_kern); destination(loghost); };
log { source(src); filter(f_lpr); destination(loghost); };
log { source(src); filter(f_mail); destination(loghost); };
log { source(src); filter(f_user); destination(loghost); };
log { source(src); filter(f_uucp); destination(loghost); };
log { source(src); filter(f_mail); destination(loghost); };
log { source(src); filter(f_mail); filter(f_info); destination(loghost); };
log { source(src); filter(f_mail); filter(f_warn); destination(loghost); };
log { source(src); filter(f_mail); filter(f_err); destination(loghost); };
log { source(src); filter(f_messages); destination(loghost); };
log { source(src); filter(f_emergency); destination(loghost); };

destination std {
file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}"
owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
);
};

log {
source(src);
destination(std);
};


# mkdir /var/log/syslog-ng

Start the syslog-ng daemon
# /usr/local/syslog-ng/sbin/syslog-ng

Monday, March 3, 2008

Log Server using Syslog

Log Server Setup

Allow remote machines to Log

# vi /etc/sysconfig/syslog
Replaced
SYSLOGD_OPTIONS="-m 0"
with
SYSLOGD_OPTIONS="-rm 0"

Setup Log Rotation Policy
# vi /etc/logrotate.conf
daily
# keep 7 days worth of backlogs
rotate 7
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}

Customize Log types and log destination

# vi /etc/syslog.conf
local7.* /var/log/apache_error_log
local1.info /var/log/apache_access_log

Restart syslogd for the changes to take effect

# /etc/init.d/syslog restart

Client Configurations

1.RHEL5

# vi /etc/syslog.conf
*.* @192.168.0.111

Restart Syslog
# /etc/init.d/syslog restart

Log files replicated
All the logs handled by the syslog daemon, for example
messages
audit/audit.log
boot.log
cron.log
secure

2.OpenBSD
# vi /etc/syslog.conf
*.* @192.168.0.111
# reboot

In the server's /etc/syslog.conf add the following
auth.info /var/log/OpenBSD_authlog
daemon.info /var/log/OpenBSD_daemon

# /etc/init.d/syslog restart

Log files Replicated
authlog
messages
daemon

3.OpenSolaris
# vi /etc/syslog.conf
*.* @192.168.0.111
# reboot

LOG FILES /var/svc/log

Redirection of Apache logs to Syslog and thereby to Centralized Log Server

Customize ErrorLog and CustomLog of Apache
# vi /usr/local/apache/conf/httpd.conf
ErrorLog syslog
CustomLog "|/usr/bin/logger -p local1.info" common

Define local log files and Log Server
# vi /etc/syslog.conf
*.* @192.168.0.111
local7.* /var/log/apache_error_log
local1.info /var/log/apache_access_log
Restart services
# /etc/init.d/syslog restart
# /usr/local/apache/bin/apachectl restart

Reference : devshed.com
apache.org

Apache SSL Certificate Creation

# cd /usr/local/apache
# mkdir cert
# cd cert
1. Generate your own certificate authority (CA)
# openssl genrsa -out ca.key 4096
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
2. Generate a server key and a certificate signing request (CSR)
# openssl genrsa -out server.key 4096
# openssl req -new -key server.key -out server.csr
3. Sign the certificate signing request (CSR) with the self-created certificate authority (CA) that you made earlier
# openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# vi /usr/local/apache/conf/httpd.conf
ServerName xxx.xxx.xxx.xxx:443
Listen xxx.xxx.xxx.xxx:443
LoadModule ssl_module modules/mod_ssl.so

SSLEngine on
SSLCertificateFile /usr/local/apache/cert/server.crt
SSLCertificateKeyFile /usr/local/apache/cert/server.key

# /usr/local/apache/bin/apachectl restart

To do the same with a passphrase, follow the below

# cd /usr/local/apache
# mkdir cert
# cd cert
# openssl genrsa -des3 -out ca.key 4096
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# openssl genrsa -des3 -out server.key 4096
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

The rest of the configuration remains the same
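Added example, not part of the original post: a POSIX sh check to run after the signing step, before restarting Apache, confirming that server.crt chains to ca.crt, that server.key matches server.crt, and that the certificate has not expired. The directory defaults to the post's /usr/local/apache/cert; an unencrypted server.key is assumed (for the passphrase variant, add -passin to the openssl rsa call).

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the files created
# in the steps above before restarting Apache. Usage: verify_cert_bundle [DIR]
# DIR defaults to the post's /usr/local/apache/cert.
# Assumes an unencrypted server.key; for the -des3 variant add
# "-passin pass:..." (or -passin file:...) to the openssl rsa call below.

verify_cert_bundle() {
    dir=${1:-/usr/local/apache/cert}
    ca_crt="$dir/ca.crt"
    srv_crt="$dir/server.crt"
    srv_key="$dir/server.key"

    # 1. Chain: server.crt must verify against our own ca.crt.
    if ! openssl verify -CAfile "$ca_crt" "$srv_crt" >/dev/null 2>&1; then
        echo "chain: FAIL"
        return 1
    fi

    # 2. Key/cert match: the RSA modulus in both files must be identical,
    #    otherwise Apache will refuse to start with this pair.
    crt_mod=$(openssl x509 -noout -modulus -in "$srv_crt" 2>/dev/null || true)
    key_mod=$(openssl rsa -noout -modulus -in "$srv_key" 2>/dev/null || true)
    if [ -z "$crt_mod" ] || [ "$crt_mod" != "$key_mod" ]; then
        echo "key/cert: FAIL"
        return 1
    fi

    # 3. Validity: the certificate must still be good for at least one more
    #    day (86400 s); the post issues its certificates for 365 days.
    if ! openssl x509 -noout -checkend 86400 -in "$srv_crt" >/dev/null 2>&1; then
        echo "expiry: FAIL"
        return 1
    fi

    # Note: the post signs with -set_serial 01 every time. A CA must not reuse
    # a serial number, so increment it whenever server.csr is re-signed.
    echo "OK"
}
```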


Monday, February 11, 2008

Firewall Failover with CARP, PF and PFSYNC in OpenBSD 4.2 under VMware ESX3

CARP Setup
----------

Reference
http://www.openbsd.org/faq/pf/carp.html


CARP Master
-----------
# cat /etc/hostname.pcn1
# ifconfig carp0 create
# ifconfig pcn1 up

# ifconfig carp0 vhid 2 pass mysecretpassword carpdev pcn1 advbase 1 advskew 1 state master PUB.LIC.IPA.DDR netmask 255.255.255.0 broadcast PUB.LIC.IPA.DDR

# echo "inet PUB.LIC.IPA.DDR 255.255.255.0 PUB.LIC.IPA.DDR vhid 2 pass mysecretpassword carpdev pcn1 advbase 1 advskew 1 state master" > /etc/hostname.carp0

Note: Enable promiscuous mode for the virtual switch connected to pcn1

# ifconfig carp1 create

# ifconfig carp1 vhid 1 pass mysecretpassword carpdev pcn0 advbase 1 advskew 1 state master 192.168.0.254 netmask 255.255.255.0 broadcast 192.168.0.255

Note: Enable promiscuous mode for the virtual switch connected to pcn0

# vi /etc/pf.conf

pass out on $lan_if proto carp keep state

# pfctl -f /etc/pf.conf

# sysctl -w net.inet.carp.allow=1
# vi /etc/sysctl.conf
net.inet.carp.allow=1

# echo "inet 192.168.0.254 255.255.255.0 192.168.0.255 vhid 1 pass mysecretpassword carpdev pcn0 advbase 1 advskew 1 state master" > /etc/hostname.carp1

# reboot

CARP Backup
-----------

# cat /etc/hostname.pcn1
# ifconfig carp0 create
# ifconfig pcn1 up

# ifconfig carp0 vhid 2 pass mysecretpassword carpdev pcn1 advbase 1 advskew 1 state backup PUB.LIC.IPA.DDR netmask 255.255.255.0 broadcast PUB.LIC.IPA.DDR

# echo "inet PUB.LIC.IPA.DDR 255.255.255.0 PUB.LIC.IPA.DDR vhid 2 pass mysecretpassword carpdev pcn1 advbase 1 advskew 1 state backup" > /etc/hostname.carp0

Note: Enable promiscuous mode for the virtual switch connected to pcn1

# ifconfig carp1 create

# ifconfig carp1 vhid 1 pass mysecretpassword carpdev pcn0 advbase 1 advskew 1 state backup 192.168.0.254 netmask 255.255.255.0 broadcast 192.168.0.255

# vi /etc/pf.conf
pass out on $lan_if proto carp keep state

# pfctl -f /etc/pf.conf

# sysctl -w net.inet.carp.allow=1
# vi /etc/sysctl.conf
net.inet.carp.allow=1

Note: Enable promiscuous mode for the virtual switch connected to pcn0

# echo "inet 192.168.0.254 255.255.255.0 192.168.0.255 vhid 1 pass mysecretpassword carpdev pcn0 advbase 1 advskew 1 state backup" > /etc/hostname.carp1

# reboot

But VMware will not allow the CARP device to be used: it will not deliver any traffic to the virtual hardware unless it is
addressed to it. As a solution we either have to recompile the VMware kernel or enable promiscuous mode for the virtual NIC and the virtual switch.

Reference
---------
http://www.ogris.de/docs/vmware-server-vrrp.html
http://paul.ouderkirk.ca/2006/10/11/network-experiments-with-vmware-server

When using a vswitch, both the virtual adapter and the vswitch must have promiscuous mode enabled,
so here I enabled promiscuous mode.

1. Log in to the Virtual Infrastructure Client
2. Right-click the virtual switch listed at the bottom right of the main window.
3. That opens the "Properties" window
4. Go to the Security tab -> set Promiscuous Mode to "Accept"
That's all. The CARP interface should work now

References
----------
http://pubs.vmware.com/vi35/server_config/wwhelp/wwhimpl/common/html/wwhelp.htm?context=server_config&file=sc_adv_netwk.6.4.html
http://communities.vmware.com/thread/33241
http://www.virtualscoop.org/?q=comment/reply/9

Packet Filter (PF)
------------------
# vi /etc/rc.conf.local
pf=YES

# pfctl -e

Enable IP forwarding

# sysctl -w net.inet.ip.forwarding=1
# echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf
# sysctl -p /etc/sysctl.conf


PFSYNC Setup
------------

Master PF Server
----------------
# ifconfig pfsync0 syncdev pcn0 [ syncpeer 192.168.0.221 ]
# ifconfig pfsync0 up
# echo "up syncdev pcn0" > /etc/hostname.pfsync0
# vi /etc/pf.conf
sync_if=$lan_if
pass on $sync_if proto pfsync
pfctl -f /etc/pf.conf

# sysctl -w net.inet.carp.preempt=1
# vi /etc/sysctl.conf
net.inet.carp.preempt=1

# reboot

Backup PF Server
----------------
# ifconfig pfsync0 syncdev pcn0 [ syncpeer 192.168.0.220 ]
# ifconfig pfsync0 up
# echo "up syncdev pcn0" > /etc/hostname.pfsync0
# vi /etc/pf.conf
sync_if=$lan_if
pass on $sync_if proto pfsync
pfctl -f /etc/pf.conf

# sysctl -w net.inet.carp.preempt=1
# vi /etc/sysctl.conf
net.inet.carp.preempt=1
# reboot


##################################
/etc/pf.conf
##################################

# $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

############# OPTIONS,LISTS #######################

lan_if="pcn0"
wan_if="pcn1"
int_carp_if="carp1"
ext_carp_if="carp0"
sync_if=$lan_if

INT_CARP_IP=192.168.0.254
EXT_CARP_IP=PUB.LIC.IPA.DDR
#PUBLIC_IP=$INT_CARP_IP
#PUBLIC_IP=192.168.0.254
REAL_SERVER=192.168.0.50

LAN_NODES="{ 192.168.0.1, 192.168.0.2, 192.168.0.3, 192.168.0.4, 192.168.0.5 }"

# pfctl requires options before normalization, translation and filter rules
set skip on lo0

scrub in all

########### NAT #########################################
############ Redirect HTTP,MySQL,SMTP,IMAP and FTP connections to REAL SERVER
rdr on $wan_if proto tcp from any to $EXT_CARP_IP port {80,3306,25,143,21} -> $REAL_SERVER
rdr on $lan_if proto tcp from any to $INT_CARP_IP port {80,3306,25,143,21} -> $REAL_SERVER

### SNAT Outgoing FTP,HTTP,SMTP,IMAP and MySQL traffic through LAN Interface
nat on $lan_if proto tcp from any to $REAL_SERVER port { 21,80,25,143,3306 } -> $lan_if
nat on $lan_if proto tcp from $REAL_SERVER to any port { 21,80,25,143,3306 } -> $lan_if

nat on $wan_if proto tcp from any to $INT_CARP_IP port { 21,80,25,143,3306 } -> $int_carp_if
nat on $wan_if proto tcp from $INT_CARP_IP to any port { 21,80,25,143,3306 } -> $int_carp_if

### Internet sharing for CLUSTERNODES
nat on $wan_if proto tcp from $LAN_NODES to any -> $wan_if
nat on $wan_if proto udp from $LAN_NODES to any -> $wan_if

## No NAT for others in LAN
no nat on $wan_if proto tcp from $lan_if:network to any

################### FILTER ################################
pass in quick on carp1
pass on $sync_if proto pfsync
pass in quick on $lan_if proto tcp to port 22
pass in quick on $lan_if from $REAL_SERVER
pass in quick on $lan_if to $REAL_SERVER
pass in quick on $lan_if proto tcp from $LAN_NODES to $lan_if
pass in quick on $lan_if proto udp from $LAN_NODES to $lan_if

### Prevent SYNFLOOD Attack
pass in quick on $wan_if proto tcp from any to $EXT_CARP_IP port {80,443,21,3306,25,143} flags S/SA synproxy state
pass in quick on $lan_if all allow-opts

###### pass out quick on $lan_if proto carp
pass out quick on carp1
pass out on $lan_if proto carp keep state
pass out on $lan_if all
pass out on $lan_if proto tcp from $INT_CARP_IP to any port {21,53,80,443}

## Possible Spoofing
block in quick from urpf-failed label uRPF
pass in quick from $lan_if
pass in quick on $lan_if from $lan_if
block in all

################# ATTACK Preventions ##################
antispoof for $ext_carp_if inet
antispoof for $lan_if inet

######################################################################
# block in on $lan_if from any to any

## table { 192.168.0.0/24 }
## table const { 192.168.0.0/16, 172.16.0.0/12,10.0.0.0/8 }

## table persist

## block in on $int_if from { , } to any
## table { 192.168.0.24/8 !192.0.0.0/24 }
## pass in on $int_if from to any
## block in on $int_if from to any

Wednesday, January 16, 2008

Squid dead but subsys locked

# /etc/init.d/squid status
squid dead but subsys locked

# df -h
# rm -rf /var/run/squid.pid
# rm -rf /var/lock/subsys/squid

# tail -f /var/log/messages
# tail -f /var/log/squid/cache.log
# /etc/init.d/squid start

2007/12/28 09:57:16| Starting Squid Cache version 2.5.STABLE6 for i386-redhat-linux-gnu...
2007/12/28 09:57:16| Process ID 26701
2007/12/28 09:57:16| With 1024 file descriptors available
2007/12/28 09:57:16| DNS Socket created at 0.0.0.0, port 33056, FD 4
2007/12/28 09:57:16| Adding nameserver 202.XX.XX.XXX from /etc/resolv.conf
2007/12/28 09:57:16| Adding nameserver 202.XX.XX.XXX from /etc/resolv.conf
2007/12/28 09:57:16| Adding nameserver 192.168.0.254 from /etc/resolv.conf
2007/12/28 09:57:16| User-Agent logging is disabled.
2007/12/28 09:57:16| Referer logging is disabled.
2007/12/28 09:57:16| Unlinkd pipe opened on FD 9
2007/12/28 09:57:16| Swap maxSize 102400 KB, estimated 7876 objects
2007/12/28 09:57:16| Target number of buckets: 393
2007/12/28 09:57:16| Using 8192 Store buckets
2007/12/28 09:57:16| Max Mem size: 51200 KB
2007/12/28 09:57:16| Max Swap size: 102400 KB
2007/12/28 09:57:16| /var/spool/squid/swap.state.new: (13) Permission denied
FATAL: storeDirOpenTmpSwapLog: Failed to open swap log.
Squid Cache (Version 2.5.STABLE6): Terminated abnormally.
CPU Usage: 0.013 seconds = 0.006 user + 0.007 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0

# ll /var/spool/squid/swap.state*
-rw-r--r-- 1 squid squid 497088 Dec 28 10:02 swap.state
-rw-r--r-- 1 squid squid 0 Dec 27 23:20 swap.state.new

# chmod 777 /var/spool/squid/swap.state
# /etc/init.d/squid start
FAILED

# chmod 644 /var/spool/squid/swap.state*
# /etc/init.d/squid start
FAILED

# mv /var/spool/squid/swap.state.new /var/spool/squid/swap.state.new.bak
# /etc/init.d/squid start
OK...
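The sequence above removes the pid and lock files blindly and only finds the empty swap.state.new by trial and error. As an added example (not part of the original post), the script below does the same checks first: it treats the lock as stale only when no live process matches the recorded pid, and sets the leftover temporary swap log aside only when it is empty. Paths are arguments; the post's defaults are /var/run/squid.pid, /var/lock/subsys/squid and /var/spool/squid.

```shell
#!/bin/sh
# Added example (not from the original post). Checked version of the manual
# "rm pid, rm lock, mv swap.state.new" steps for "squid dead but subsys
# locked". Run as root, as in the post.

# stale_subsys_lock PIDFILE LOCKFILE -> 0 if the lock exists but no live
# process matches the pid recorded in PIDFILE ("dead but subsys locked")
stale_subsys_lock() {
    pidfile=$1; lockfile=$2
    [ -e "$lockfile" ] || return 1              # no lock: nothing to clear
    if [ -r "$pidfile" ]; then
        pid=$(head -n 1 "$pidfile" | tr -cd '0-9')
        # kill -0 fails with EPERM for another user's process, so also
        # accept a /proc entry (Linux, as on the post's RHEL box)
        if [ -n "$pid" ] && { kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; }; then
            return 1                            # squid is alive: lock is real
        fi
    fi
    return 0
}

# leftover_swap_log CACHEDIR -> 0 if an empty swap.state.new sits next to a
# non-empty swap.state, i.e. the half-written log of an interrupted store
# rebuild that storeDirOpenTmpSwapLog then fails to open
leftover_swap_log() {
    tmp="$1/swap.state.new"
    [ -e "$tmp" ] && [ ! -s "$tmp" ] && [ -s "$1/swap.state" ]
}

# clear_stale_state PIDFILE LOCKFILE CACHEDIR: nothing is touched unless
# the corresponding check says it is stale
clear_stale_state() {
    if stale_subsys_lock "$1" "$2"; then
        rm -f "$1" "$2"
    fi
    if leftover_swap_log "$3"; then
        # renamed rather than deleted, as in the post, so it can be inspected
        mv "$3/swap.state.new" "$3/swap.state.new.bak"
    fi
}
```

After clear_stale_state returns, start Squid with the init script as in the post and watch cache.log for the permission error.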

Multiple network connectivity issue in OpenBSD within VMware

Only the first NIC of each virtual machine will work. None of the rest will.
So I added a Virtual Network Resource for that virtual machine in the VMware Control Panel,
but it didn't work this time. Only the first NIC will work.
So I logged into the VMware Virtual Console and checked the Virtual Switches and VLAN settings.
It was clear that there is a Virtual Switch named "vSwitch0",
and this switch contains only one NIC as its member, which is "vmnic0" in our case.

So I decided to add the second NIC "vmnic3" to this switch. I tried

# esxcfg-vswitch -L vmnic3 vSwitch0

But it created problems.
After this I was unable to access the local network, i.e. the network connected through "vmnic0".

So I removed it from the switch and added it to the same switch again, this time specifying the Portgroup as well

# esxcfg-vswitch -U vmnic3 vSwitch0
# esxcfg-vswitch -p VM\ Network -L vmnic3 vSwitch0

But that didn't work either,
so I removed it

# esxcfg-vswitch -p VM\ Network -U vmnic3 vSwitch0

Created a new switch

# esxcfg-vswitch -a NewSwitch

Then added the Portgroup named "VM Network_VSNL" that is to be used by the Virtual machines.

# esxcfg-vswitch -A VM\ Network_New NewSwitch

Then brought up the "vmnic3" as the Physical UPLINK

# esxcfg-vswitch -L vmnic3 NewSwitch

Then logged into Virtual Infrastructure Client 3

Powered Off OpenBSD
Edit Settings -> Network Adapter 2
Change Switch from "VM Network" to "VM Network_New"

Power On
Then configure the second NIC (pcn1 in my case) in OpenBSD
# vi /etc/hostname.pcn1
inet 192.168.0.222 255.255.255.0 192.168.0.255

Configure gateway and DNS Servers if required
# vi /etc/mygate
192.168.0.254
# vi /etc/resolv.conf
nameserver 192.168.0.254

Then restart the network service
# sh /etc/netstart

That's all

Auto Responder plugin in SquirrelMail

1. Download the Compatibility plugin and the Local Auto Responder plugin from http://squirrelmail.org
2. Extract the Compatibility plugin into the SquirrelMail plugins directory
# pwd
/var/www/html/squirrelmail/plugins
# tar xzf compatibility-2.0.9-1.0.tar.gz
# cd compatibility
3. Patch it for your SquirrelMail version
# patch -p0 < patches/compatibility_patch-1.4.11.diff
patching file ../../functions/strings.php
4. Configure SquirrelMail to include the plugin
# cd ../../config
# ./conf.pl
5. Extract the Local Auto Responder plugin
# cd ../plugins/
# tar xzf local_autorespond_forward-3.0-1.4.0.tar.gz
# cd local_autorespond_forward
6. Compile the suid_backend module
# cd suid_backend/
# ./configure --enable-webuser=nobody
Here my Apache is running as user "nobody". That user must have permission to work with the directories under this one.
# make
# make install
7. Copy the sample config.php
# cd ..
# cp config.sample.php config.php
8. Edit config.php to use "suid" instead of "ftp" for the Maildir and ".forward" files
# vi config.php
$laf_backend = 'suid';
9. Configure SquirrelMail to include the plugin
# cd ../../config
# ./conf.pl
10. Verify SquirrelMail's ATTACHMENT DIR and DATA DIR, and verify their permissions as well
# vi /var/www/html/squirrelmail/config/config.php
$attachment_dir = '/var/local/squirrelmail/attach/';
11. Create it if it doesn't exist
# mkdir /var/local/squirrelmail/attach
# chown nobody:nobody /var/local/squirrelmail/attach
# chmod 755 /var/local/squirrelmail/attach
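Steps 10 and 11 verify the attachment and data directories by hand. As an added example (not part of the original post or the plugin), the function below performs the same checks: the directory exists, is owned by the web server user ("nobody" in the post), is not writable by group or other, and sits outside the web document root so uploaded attachments can never be served. The DIR, WEBUSER and DOCROOT arguments are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post). check_sm_dir DIR WEBUSER DOCROOT
# returns 0 only when DIR passes all four checks; a non-zero code names the
# failing check. Example: check_sm_dir /var/local/squirrelmail/attach nobody /var/www/html

dir_owner() {
    # owner is the third field of ls -ld; avoids the non-portable GNU stat
    ls -ld "$1" | awk '{print $3}'
}

check_sm_dir() {
    dir=$1; webuser=$2; docroot=$3
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }

    owner=$(dir_owner "$dir")
    [ "$owner" = "$webuser" ] || { echo "owned by $owner, expected $webuser: $dir"; return 2; }

    # first ten characters of ls -ld are the mode, e.g. drwxr-xr-x;
    # position 6 is group write, position 9 is other write (the post uses 755)
    mode=$(ls -ld "$dir" | cut -c1-10)
    case "$mode" in
        d????w????|d???????w?) echo "writable by group/other ($mode): $dir"; return 3 ;;
    esac

    # compare canonical paths so a symlinked document root is still detected
    real=$(cd "$dir" && pwd -P)
    realroot=""
    [ -d "$docroot" ] && realroot=$(cd "$docroot" && pwd -P)
    if [ -n "$realroot" ]; then
        case "$real/" in
            "$realroot"/*) echo "inside document root $realroot: $dir"; return 4 ;;
        esac
    fi
    return 0
}
```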

Database Clustering with Sequoia

Sequoia Installation in RHEL 5 with MyOsotis