My Experiences With Linux

Monitor your changed files in real-time in Linux

2011-10-07T14:10:00.000+05:30

Everybody knows top or htop. Ever wished there was something similar but to monitor your files instead of CPU usage and processes? Well, there is.
Run this:

watch -d -n 2 ‘df; ls -FlAt;’

and you’ll get to spy on which files are getting written on your system. Every time a file gets modified it will get highlighted for a second or so. The above command is useful when you grant someone SSH access to your box and wish to know exactly what they’re modifying.

Knowing Apache Logs

2010-01-19T12:45:00.003+05:30

LOG is the main friend of an Apache Administrator. We can see error_log , access_logs under LOG directory in Apache web server. It contain many things. Here I am briefly explaining what all the fields mean in a single line of Apache Log. CLF or Common Log Format is the core of logging in Apache. A module called mod_log_config is responsible for all these logging activities.

The CLF log file contains a separate line for each request. A line is composed of several tokens separated by spaces:

host ident authuser date request status bytes

host : The fully qualified domain name of the client, or its IP address

ident : If the IdentityCheck directive is enabled and the client machine runs
identd, then this is the identity information reported by the client

authuser :If the requested URL required a successful Basic HTTP authentication,
then the user name is the value of this token.

date : The date and time of the request. The date field can be [day/month/year:hour:minute:second zone]

request : The request line from the client, enclosed in double quotes (“).

status : The three-digit HTTP status code returned to the client.

bytes : The number of bytes in the object returned to the client, excluding all
HTTP headers.

Multitail - For viewing multiple logs simultaneoulsy

2010-01-03T15:38:00.006+05:30

Tail is a command in unix like systems for viewing log files. We can view only one log at a time , for viewing multiple log files we can use multitail.

1.Installation

yum install multitail (For Redhat , Centos )

apt-get install multitail (Ubuntu ,Debian )

2.Usage

multitail -f /var/log/httpd/error_log /var/log/httpd/access_log

3.Also you can run a command and watch its output

multitail -f /var/log/iptable.log "ping server.com"

4.You can see 3 files in 2 columns

multitail -s 2 /var/log/qmail_pop.log /var/log/qmail_send.log /var/log/spamassassin.log

Enjoy !!!

OpenSSH Security Tips

2010-01-03T15:14:00.003+05:30

OpenSSH is tool used for connecting and managing remote linux machines. And this should be secured. I am here by telling some security tips to make the SSH server perfect.

1.The following iptable rule will drop incoming connections which make more than 5 connection attempts upon port 22 within 60 seconds

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP

2.Disable Empty Passwords

Open the file /etc/sshd/sshd_config and

PermitEmptyPasswords no

3.TCPWrappers

open --> vi /etc/hosts.deny
sshd:ALL

then

open --> vi /etc/hosts.allo

sshd:192.168.1.32 192.168.1.21 (Change to your desired IP)

4.Change the SSH Port

The Idea behind this , suppose we change the port 22 to something other say Oracle 1521 , the attackers thinks that this is an Oracle server and will try oracle hacking tools :)

Port 300

5.Force Logout for Idle Sessions
ClientAliveInterval 300
ClientAliveCountMax 0


And to be continued .......

Search Google from Linux commandline

2009-08-17T17:36:00.003+05:30

Nothing to say about google. You can search google for a result even from your linux command line.

curl -A Mozilla http://www.google.com/search?q=Linux |html2text -width 80

You need to install CURL and HTML2TEXT in your box.

apt-get install curl html2text (Debian / Ubuntu)
yum install curl html2text (Fedora / Centos / RHEL)

Enjoy ....

Update Twitter from a Linux Shell

2009-08-17T16:09:00.003+05:30

Everybody knows now about TWITTER. It is a free social networking and micro-blogging service that enables its users to send and read messages known as tweets. Tweets are text-based posts of up to 140 characters displayed on the author's profile page and delivered to the author's subscribers who are known as followers. Senders can restrict delivery to those in their circle of friends or, by default, allow open access. Users can send and receive tweets via the Twitter website, Short Message Service (SMS) or external applications. While the service costs nothing to use, accessing it through SMS may incur phone service provider fees.
There is a lot of APIs available to update twitter now like TwitterFox (Firefox Addon) TweetDeck. But now how can I update twitter from my Linux terminal ? Here follows the answer. This is simple using CURL.

curl -u user:password -d status=”Your status message” http://twitter.com/statuses/update.xml

Wher user is your twitter username and password is your twitter password .

If curl is not installed do the following

apt-get install curl (Debian / Ubuntu)
yum install curl (Fedora / RHEL / Centos)

So keep in touch with twitter if you are in Datacentre .....

Apache Error - No space left on device: Couldn't create accept lock or Cannot create SSLMutex

2009-06-18T14:36:00.003+05:30

Some times you people may face this following error in your Apache Server. The error is as follows while trying to restart.after a configuration changes or something like that

[emerg] (28)No space left on device: Couldn't create accept lock

[crit] (28)No space left on device: mod_rewrite: could not create rewrite_log_lock Configuration Failed

[Wed Dec 07 00:00:09 2005] [error] (28)No space left on device: Cannot create SSLMutex

This is happened due to someking of memory leaking. Normally people do the following to fix this.

1.Checking the harddisk space usage

2.To explicetely different Lockfiles using the LockFile-directive

3.non-default AcceptMutex (flock) which then solved the acceptlock-issue and ended in the rewrite_log_lock-issue.

4.Reboot

The fourth option will only work,because this is due to the following reason

There were myriads of semaphore-arrays left, owned by my apache-user. Removing this semaphores immediately solved the problem

Do the following as ROOT

[root@apache.org] ipcs -s | grep apache | perl -e 'while () { @a=split(/\s+/); print `ipcrm sem $a[1]`}' -- (If You Love Perl)

[root@apache.org] ipcs -s | grep apache | awk ' { print $2 } ' | xargs ipcrm sem (If you Love Sh)

Have a great Day with Apache !!!

Apache Real Time monitoring APACHETOP

2009-05-23T13:31:00.005+05:30

Apache top is another tool for apache real time monitoring. This is just like the TOP command in *nix based systems. Here this can show a lot of informations from the Apache Web Server.

[root@apache.org]mkdir -p /opt/src

[root@apache.org]cd /opt/src

[root@apache.org]wget http://www.webta.org/apachetop/apachetop-0.12.6.tar.gz

[root@apache.org]tar -zxf apachetop-0.12.6.tar.gz

[root@apache.org]cd apachetop-0.12.6

[root@apache.org]./configure --with-logfile=/var/log/httpd/access_log

[root@apache.org]make

[root@apache.org]make install

OK,Lets trigger it....

[root@apache.org] apachetop

Following Screenshot says it all. This was taken from my local test machine.

Try apachetop --help for more available switches

Apache RealTime Monitoring MOD_STATUS

2009-05-23T13:07:00.005+05:30

There is number of tools available to monitor apache in realtime. Like Nagios,Cacti etc. But those tools are little difficult to configure for the first time (Experts Please excuse :-) ). Here I would like to introduce couple of simple tools which help the Webserver admin to monitor his Apache webserver in real time through Web and Console.

Mod_Status

Status Module is a builtin module for apache for a default installation. First checkout whether this module is compiled with your Apache.

[root@apache.org] cat /etc/httpd/conf/httpd.conf | grep status_module

LoadModule status_module modules/mod_status.so

Make sure this line was not comment out. OK,Lets take the backup of your current configuration file

[root@apache.org]cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf_backup

[root@apache.org]vim /etc/httpd/conf/httpd.conf

Goto Last Line and Paste the following

SetHandler server-status
Order Deny,Allow
Allow from all
<\Location >

Search for the Line "ExtendedStatus". Normally this line is commented out. Uncomment it.

Save and Exit

Take your browser. http://your.domain.com/server-status

Take a look at the values,Its Realtime values from the Apache. To view this page continuously,I mean refreshing automatically

http://your.domain.com/server-status?refresh=N
(This N is any number).

Update notification through email RHEL / Centos

2009-05-18T13:42:00.005+05:30

As everybody know,the system should be update. So an administrator should be vigilant on the new updates and patches from the vendor. But how do we know there is a patch available in the remote server. Here a way to get notified when an update is available.

#vim /etc/yum/yum-updatesd.conf

[main]
# how often to check for new updates (in seconds)
run_interval = 3600
# how often to allow checking on request (in seconds)
updaterefresh = 600

# how to send notifications (valid: dbus, email, syslog)
emit_via = email
# who to send the email
email_to = admin@adminguru.co.nr

# who send the notifications
email_from = updates@backup.server.com
#
# should we listen via dbus to give out update information/check for
# new updates
dbus_listener = yes

# automatically install updates
do_update = no
# automatically download updates
do_download = no
# automatically download deps of updates
do_download_deps = no

Save and Exit

Restart the Yum updater

#/etc/init.d/yum-updatesd restart

You will be notified when an update is available. Sample Email is as follows.

Hi,
This is the automatic update system on server.backup.com.

There are 2 package updates available. Please run the system updater.

Packages available for update:

    kernel-2.6.18-92.el5
    kopete                       

Thank You,
Your Computer

Block Coutry wise traffic using Iptables.

2009-05-18T13:11:00.003+05:30

Some countries are blacklisted in ecommerce area due to spam flooding and DoS attacks. Its not difficult to find the root of an IP address. So the following script will block country based traffic in to your web server. The data will be updated in every day through a cronjob.
You need to visit this SITE to download the zone file for which country you need to block.

#mkdir -p /opt/scripts

#vim /opt/scripts/ip_country_deny.sh

Copy Paste the following

#!/bin/bash
### Block all traffic from AFGHANISTAN (af) and CHINA (CN). Use ISO code ###
ISO="af cn"

### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep

### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"

cleanOldRules(){
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
}

# create a dir
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT

# clean old rules
cleanOldRules

# create a new iptables list
$IPT -N $SPAMLIST

for c  in $ISO
do
# local zone file
tDB=$ZONEROOT/$c.zone

# get fresh zone file
$WGET -O $tDB $DLROOT/$c.zone

# country specific log message
SPAMDROPMSG="$c Country Drop"

# get
BADIPS=$(egrep -v "^#|^$" $tDB)
for ipblock in $BADIPS
do
   $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
   $IPT -A $SPAMLIST -s $ipblock -j DROP
done
done

# Drop everything
$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST

# call your other iptable script
# /path/to/other/iptables.sh

exit 0
#Script Ends Here....

Save and Exit

Setup a crontab for working in every day

#vim /etc/crontab

Add the following at the end of the file

03 03 * * * root /opt/scripts/ip_country_deny.sh

To start the script immediately

#/opt/scripts/ip_country_deny.sh

#iptable -L -n -v

Check out the wonderful output....

Disable USB in Grub

2009-05-18T12:50:00.000+05:30

Now a days USB storage devices are common in the industry. This is very halmful in any unsecured network. Because this devices are considered to be the virus spreading agents. In corporates USB media is prevented because of above said reasons. So here a small tip to prevent USB storage in Linux machines through GRUB.

Scenario
OS : Debian / Ubuntu

Open the Grub configuration file

#vi /boot/grub/menu.lst

Add "nousb" at the end of the Kernel Line. Like the following

kernel /vmlinuz-2.6.18-128.1.1.el5 ro root=LABEL=/ console=tty0 console=ttyS1,19200n8 nousb

Secure GRUB with a strong Password !!!

#/sbin/shutdown -r now

So nobody can use USB storage unless you allowed to do so.

Adding a VLAN in CISCO 2900

2009-05-17T13:49:00.001+05:30

Creating a Virtual Lan is an advanced job in the case of networking. This needs experience in networking,Switching etc. But here i am stating how to add a new VLAN in the CISCO 2900 XL.

Assumptions
1.You have a basic knowledge in networking
2.You have the administrator access to switch
3.You should be aware on what you are doing !!!

CISCO2900>switchport mod access

CISCO2900>switchport mod access vlan5

CISCO2900>conf t

CISCO2900>int Fast 0/31

CISCO2900>description To Marketing LAN

CISCO2900>write

DONE.

Qmail Tips & Tricks.

2009-05-16T13:24:00.006+05:30

qmail is a mail transfer agent that runs on Unix. It was written, starting December 1995, by Daniel J. Bernstein as a more secure replacement for the popular Sendmail program. qmail's source code is released to the public domain, making qmail free software. Most Popular email services like Yahoo,Gmail are using qmail for their mail traffic. Here I am pasting some qmail tips,which helped me to override when I was blackout with my Qmail Box.

qmailctl - This command will show you a lot of information about your qmail server.

[root@mail.admin.org] qmailctl stat
/service/qmail-send: up (pid 3030) 30 seconds
/service/qmail-send/log: up (pid 3025) 30 seconds
/service/qmail-smtpd: up (pid 3028) 30 seconds
/service/qmail-smtpd/log: up (pid 3029) 30 seconds
/service/qmail-pop3d: up (pid 3026) 30 seconds
/service/qmail-pop3d/log: up (pid 3027) 30 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0

The above output means your Qmail server is Ready to deliver / receive messages. The seconds figure should be same,for a clean server.

[root@mail.admin.org]qmailctl queue
messages in queue: 0
messages in queue but not yet preprocessed: 0

This will shows the list of mails which were not delivered in the server.

[root@mail.admin.org]qmailctl queue | wc -l
Which will give the number of mails in the queue.

[root@mail.admin.org]qmailctl start
Starts mail service (smtp connection accepted, mail can go out)

[root@mail.admin.org]qmailctl stop
Stops mail service (smtp connections refused, nothing goes out).

[root@mail.admin.org]qmailctl pause
Temporarily stops mail service (connections accepted, nothing leaves).

To block a sender or entire domain to your Qmail Box. Because some times you need to block a user or entire domain from outside world to reach to your qmail

[root@mail.admin.org] vi /var/qmail/control/badmailfrom

Inside the " badmailfrom " file, the syntax might look something like this:

spam@spammerhell.org
@spammerhell.org

What do the above lines do?

The entry for "spam@spammerhell.org" would block all mail coming from "spam@spammerhell.org".

The entry for "@spammerhell.org" would block any and all mail coming from the domain "@spammerhell.org".

To be Continued....
Because Qmail Administration is an Ocean,I am just seeing it from the Shore. ..

Beautifying Nagios

2009-05-11T18:18:00.008+05:30

Nagios is a popular open source computer system and network monitoring software application. It watches hosts and services, alerting users when things go wrong and again when they get better. Nagios, originally created under the name NetSaint, was written and is currently maintained by Ethan Galstad, along with a group of developers actively maintaining both official and unofficial plugins. Nagios was originally designed to run under Linux, but also runs well on other Unix variants. There is lot of plugins available in nagios for various purposes. But so far nothing found to beautify nagios from traditional look. Now there is a beautiful theme available

to beautify the nagios. This will give you a new look for your monitoring master.

Assumptions.
You have installed and setup Nagios for your network.
You are the Nagios Administrator.

[nagios@server]# wget http://tomas.cat/blog/sites/default/files/nagios-nuvola-1.0.3.tar_.gz

[nagios@server]# tar zxvf nagios-nuvola-1.0.3.tar_.gz

[nagios@server]# cp -a nuvola/html/* /usr/share/nagios3/htdocs/

[nagios@server]# cp -a nuvola/html/stylesheets/* /etc/nagios3/stylesheets/.

Reload Nagios

[nagios@server]#/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
[nagios@server]# /etc/init.d/nagios reload

Check out......How beautiful ........

ScreenShots of my Nagios server after Makeup

How to Find Server is Under DDOS

2009-04-16T13:08:00.002+05:30

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.

netstat -anp | grep "tcp\|udp" | awk {'print $5'} | cut -d: -f1 | uniq -c | sort -n

So what will be the output ?

1 0.0.0.0
1 208.80.152.2
1 208.80.152.2
1 208.80.152.3
1 209.85.135.103
1 209.85.135.113
1 74.125.43.113
2 208.80.152.2
2 208.80.152.3
2 208.80.152.3
3 0.0.0.0
3 208.80.152.2

Left column indicates the number of connection,from the IP address which shown in right column. This was taken from my local test machine. If you are under an attack,this number may vary. The number will be any number.

Manage your Server Farm with CapistranO

2009-04-14T14:14:00.006+05:30

Capistrano is an open source tool for running scripts on multiple servers; its main use is deploying web applications. It automates the process of making a new version of an application available on one or more web servers, including supporting tasks such as changing databases. Capistrano is written in the Ruby language and is distributed using the RubyGems distribution channel. It is an outgrowth of the Ruby on Rails web application framework, but has also been used to deploy web applications written using other frameworks, including ones written in PHP. The usage on the bash command line is easy to learn. When used with the Ruby on Rails Framework many default Capistrano recipes can be used, e.g. to deploy current changes to the web application or roll back to the previous deployment state.

Installation

#apt-get install ruby1.8 ruby1.8-dev rubygems1.8 libruby-extras libruby1.8-extras
(Ubuntu / Debian)

#yum install ruby1.8 ruby1.8-dev rubygems1.8 libruby-extras libruby1.8-extras
(Centos / Redhat)

Check the Ruby Details

#ruby -v
ruby 1.8.7

OK,Lets move to install Capistrano Boy

#gem install -y capistrano echoe

Capistrano makes a few assumptions about your servers. In order to use Capistrano, you will need to comply with these assumptions:

You are using SSH to access your remote machines. Telnet and FTP are not supported.
Your remote servers have a POSIX-compatible shell installed. The shell must be called “sh” and must reside in the default system path.
If you are using passwords to access your servers, they must all have the same password. Because this is not generally a good idea, the preferred way of accessing your
servers is with a public key. Make sure you’ve got a good passphrase on your key.

We are going to trigger some examples here. So my remote servers are 192.168.1.12 and 192.168.1.13 (You can Add any number here).

In the following example we are going to check the uptime of above servers.

Copy paste the following code into a text editor (Vim,Emacs).

task :health, :hosts => "192.168.1.12" , "192.168.1.13" do
run "uptime"
end

Save the file with name "capfile" without any extension.

Wakeup the code

#cap health

I found that some times while you apply this command shell returned an error "Command not found",then do the following

#vi ~/.bashrc

Copy paste the following at the end of the File

export PATH=$PATH:/var/lib/gems/1.8/bin

Then rebuild the bashrc

# source ~/.bashrc

Then Re-run the command,If you are against a password access server,it will ask for the password,enter it,other wise the result will be like following

[192.168.1.12] executing command
[192.168.1.13] executing command
** [out :: 192.168.1.12] 11:30:55 up 27 days, 22:40, 0 users, load average: 0.01, 0.01, 0.00
** [out :: 192.168.1.12] 11:30:55 up 37 days, 08:40, 0 users, load average: 0.05, 0.01, 0.08
command finished

We Can Do any command by the above said method,I hope you will be happy if you have a critical update on all of your 100 servers ...
Is int it ?

Monitoring Disk Usage In Linux

2009-04-12T13:43:00.004+05:30

One of the routine job of a Linux administrator to monitor the Disk space continuously. Normal people will write a simple script to check the disk space and report to system administrator through email. Good Idea,but here i am telling a new one which will continuously monitor your Disk and report if it cross a preset value. This will run as a cronjob.

#!/bin/bash
#Script for monitoring Disk Usage
#Author BipinDas,Arab Open University.
ADMIN="yourname@yourdomain.com"
# set alert level 80% is default
ALERT=80
df -H | grep -vE '^Filesystem|tmpfs|cdrom' | awk '{ print $5 " " $1 }' | while read output;
do
#echo $output
usep=$(echo $output | awk '{ print $1}' | cut -d'%' -f1 )
partition=$(echo $output | awk '{ print $2 }' )
if [ $usep -ge $ALERT ]; then
echo "Running out of space \"$partition ($usep%)\" on $(hostname) $(hostname -i) as on $(date)" |
mail -s "Alert: Almost out of disk space $usep " $ADMIN
fi
done

Save it as disk_monitor.sh in your scripts folder.

Open Crontab Editor

vi /etc/crontab

*/5 * * * * root /path/to/script/disk_monitor.sh

Perfect,This will frequently check your Disk and inform once it cross the limit.

Network Failover

2008-12-24T12:37:00.004+05:30

Failover is the process of switching to a backup component, element, or operation while recovery from a disruption is undertaken. Failover procedures determine the continuity of a network operation. Failover mechanisms can be devised so that they take place immediately or shortly after a disruption occurs. Many systems use automatic failover and data replication for instant recovery. Preemptive failover can also be used if an imminent disruption is detected.Failover requires the availability of a backup system to eventually take overservice. The type of failover model required dictates the backup state of readiness(Figure 2.2). There are three basic types of failover model. Each has implications onthe amount of information that must be available to the backup system at the time of failover:

• Hot or immediate failover requires a running duplicate of the production system as a backup to provide immediate recovery. Consequently, it is the more complex end expensive to implement. The backup system, referred to as a hot standby, must constantly be updated with current state information about the activity of the primary system, so that it is ready to take over operation quickly when needed. This is why this type of failover is sometimes referred to as a
stateful failover. Applications residing on the backup system must be designed to use this state information when activated. For these reasons, hot standby systems are often identical to the primary system. They are sometimes designed to load share with the primary system, processing a portion of the live traffic.

• Cold failover, on the other hand, is the least complex to implement but likely results in some disruption until the backup is able to initiate service. A cold standby backup element will maintain no information about the state of the primary system and must begin processing as if it were a new system. The backup must be initialized upon failover, consuming additional time. For these reasons, a cold failover model is usually the least expensive to implement.

• Warm failover uses a backup system that is not provided with state information on the primary system until a failover takes place. Although the backup may already be initialized, configuration of the backup with the information may be required, adding time to the failover process. In some variants of this model, the standby can perform other types of tasks until it is required to take over the primary system’s responsibilities. This model is less expensive than
the hot standby model because it reduces standby costs and may not necessarily require a backup system identical to the primary system

Checking Load of server in Frequent intervals

2008-12-03T11:27:00.005+05:30

One of the major problem in linux server is rising of load to high. This can be happened due to various reason. This script will check the load of machine in frequent intervals and inform the administrator through email. This will also send the current server status.

#mkdir -p /opt/scripts
#cd /opt/scripts
#touch server_load.sh
#chmod 755 server_load.sh

Copy paste the following into the server_load.sh

#!/bin/bash
EMAIL="yourname@yourdomain.com"
SUBJECT="Alert $(hostname) load average is $L05"
TEMPFILE="/tmp/$(hostname)"
echo "Load average Crossed allowed limit." >> $TEMPFILE
echo "Hostname: $(hostname)" >> $TEMPFILE
echo "Local Date & Time : $(date)" >> $TEMPFILE
echo "| Uptime status: |" >> $TEMPFILE
echo "-----------------------------------------------------" >> $TEMPFILE
/usr/bin/uptime >> $TEMPFILE
echo "-----------------------------------------------------" >> $TEMPFILE
echo "| Top 20 CPU consuming processes: |" >> $TEMPFILE
ps aux | head -1 >> $TEMPFILE
ps aux --no-headers | sort -rn | head -20 >> $TEMPFILE
echo "| Top 10 memory-consuming processes: |" >> $TEMPFILE
ps aux --no-headers| sort -rn | head >> $TEMPFILE
echo "----------------------------------------------------" >> $TEMPFILE
echo "| Memory and Swap status: |" >> $TEMPFILE
/usr/bin/free -m >> $TEMPFILE
echo "----------------------------------------------------" >> $TEMPFILE
echo "| Active network connection: |" >> $TEMPFILE
echo "----------------------------------------------------" >> $TEMPFILE
/bin/netstat -tnup | grep ESTA >> $TEMPFILE
echo "----------------------------------------------------" >> $TEMPFILE
echo "| Disk Space information: |" >> $TEMPFILE
echo "----------------------------------------------------" >> $TEMPFILE
/bin/df -h >> $TEMPFILE
echo "-----------------THE END----------------------------" >> $TEMPFILE

#Store the Current Load into a variable
L05="$(uptime|awk '{print $(NF-2)}'|cut -d. -f1)"

#Checking whether it goes beyond the limit

if test $L05 -gt 0
then
mail -s "$SUBJECT $L05" "$EMAIL" < $TEMPFILE fi #Remove the Temporary file.
rm -f $TEMPFILE

Create CronJob for this
#vi /etc/crontab
#The following script will run in every minute.
*/1 * * * * root /opt/scripts/server_load.sh

Block Bad Bots using htaccess

2008-12-01T16:08:00.000+05:30

Bots are software applications that run automated tasks over the Internet. But there is some bad bots which will run on your web root and pass your information to outside public. This should be prevented. In this article I am stating how to search for a bad bot and prevent it.

Enable the htaccess as described in the previous post

Open the htaccess

vi .htaccess

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^BadBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^EvilScraper [OR]
RewriteCond %{HTTP_USER_AGENT} ^FakeUser
RewriteRule ^(.*)$ http://go.away/

Save and exit
So, what does this code do? It's simple: the above lines tell your webserver to check for any bot whose user-agent string starts with "BadBot". When it sees a bot that matches, it redirects them to a non-existent site called "go.away". And
also it will check for 3 types of bots and if found one among them the control will be directed to some site.

Prevent access from an IP address using .htaccess

2008-12-01T15:34:00.002+05:30

htaccess is a powerful tool is used to manipulated the webroot and apache configurations as well. The Rewrite rules can be written in .htaccess file. .htaccess file normally located in the webroot.

#Open the Apache configuration file.

vi /etc/httpd/conf/httpd.conf (Redhat Based,Centos Distros)
vi /etc/apache2/apache2.conf (Debian Based,Ubuntu Distros)

# Uncomment the Following Line

LoadModule rewrite_module modules/mod_rewrite.so

we need to change the AllowOverride directive also from

Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Satisfy all

to

Options FollowSymLinks
AllowOverride All
Order deny,allow
Deny from all
Satisfy all

Perfect !!! You have enabled the .htaccess support in your apache webserver.

Now go to your webroot. Normally its /var/www/html/domain.com. Create an htaccess file

touch .htaccess

vi .htaccess

Copy paste the following in to .htaccess file

order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
allow from all

Save And Exit

Viola !!! You have blocked the above IPs from watching your site. Same like you can restrict an IP range also. Do the following if you would like to block a range

order allow,deny
deny from 123.45.6
deny from 012.34.
allow from all

You can block an ISP through the above method. Changes will look like following

order allow,deny
deny from some-evil-isp.com
deny from subdomain.another-evil-isp.com
allow from all

The above will all traffic from the specified Internet Service Providers IPs

How your Linux Boots ?

2008-10-23T13:36:00.002+05:30

This is the Normal boot process of a Linux Operating System in to your computer. Boot process takes place in 4 scenes with 4 main characters.

Scene 1
when the computer is switched on,it automatically invokes BIOS[a ROM chip embedded in the motherboard].The BIOS will start the processor and perform a POST[power on self test] to check whether the connected device are ready to use and are working properly. Once the POST is completes BIOS will jump to a specified location in the RAM and check for the booting device.The boot sector is always the first sector of the hard disk and BIOS will load the MBR into the memory.

Scene 2
Here the boot loader takes the control of the booting process.LILO or GRUB are the boot loaders commonly available. It will help the user to select various boot options.Depending on the boot option selected the kernel is loaded.

scene 3

After kernel is loaded the kernel will take the control of the booting process and it will initialize all the hardwares including I/O processors etc.kernel then creates a root device and mounts the partitions.

Scene 4
INIT is loaded

Encrypt the Mail Attachment.

2008-10-15T10:26:00.001+05:30

Now a days internet is considered to be the most unsecured area of data transfer. Most people will send emails with attachment of their confidential matters,agreements etc. Anybody can read once you hack the email. But if attach with an encrypted key,you can open only with the help of a password,which you give at the time of encryption. I am briefing,how to encrypt a file.

Infrastructure

OS: Ubuntu 8.04
Application : gpgv

#gpg -c

This time it will ask for the password twice,give it. And you are done. Now you can
see a filename called Filename.gpg. You can send it through internet comfortably.

For Decrypting do the following

#gpg Filename.gpg

Again it will ask for the password. Give ,OK file is decrypted.

Restart APACHE Safely

2008-10-10T15:17:00.002+05:30

In all the Unix like machines ,there is an INIT script running for APACHE. Normally it is located in /etc/init.d/httpd (In case of REDHAT based systems). But in Debian based systems it could be /etc/init.d/apache2. For restarting we use the following

#/etc/init.d/httpd restart (Redhat Based Systems)

OR

#/etc/init.d/apache2 restart (Debian Based Systems)

While doing this command,it will KILL all the listening processes in the machine and stopping and starting Apache. But the problem is while applying the command CLIENTS will losts its all the established connections and result may be an error.

There is a wonderful command is in Apache for preventing this,the command is APACHECTL. Normally called Apache Control. Before restarting apache think once and apply the following

#apachectl -k graceful

The impact is Apache will serve all the established requests to the server. Then only it go for RE-start. User wont have a feelings of this COLD restart.

What is GLUE Record

2008-10-10T14:44:00.001+05:30

A glue record is an A record that is created as part of a delegation. If a zone is delegated to a name server whose hostname is a Descendant of that particular zone, then a glue record for that hostname must be included in the delegation.

How to Find APACHE under Attack

2008-09-24T15:37:00.006+05:30

Apache is the worlds largest using WEB SERVER. According to netcraft survey 49.73% of the market is owned by this wonderful product. This was free under GPL. The attackers are trying to hack the websites,whichever may be the server. So a Web Administrator should be vigilant about his Apache server.

Here I would like to tell how an administrator find whether his Apache server is Under Attack.

1.First checkout the load of the server

top -u apache (Here apache means the web server user)

Tasks: 126 total, 1 running, 125 sleeping, 0 stopped, 0 zombie
Cpu(s): 3.8%us, 0.7%sy, 0.0%ni, 94.3%id, 1.1%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 1027224k total, 927296k used, 99928k free, 46428k buffers
Swap: 3004112k total, 0k used, 3004112k free, 410736k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5573 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
5575 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
5576 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
5577 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2
5578 apache 20 0 20696 3284 584 S 0 0.3 0:00.00 apache2

This is the normal stage of Apache. If the CPU usage is increasing,take care you are in trouble

2.Check the number of running Apache processes

ps -ef | grep apache | wc -l

If you get a number below 50,no problem. Other wise something nasty is happening

3.Check how many listening connection to port 80

ps -ef | grep apache | wc -l

If the number goes beyong 100,an attacker closely watching your servers

4.Check your listening foriegn IPs

netstat -tn

You can see that the same IP or IPrange is listening on your Web port (80). If you made a DNS lookup to those IPs You can found that all those IPS are come from a DHCP pool,it means ATTACK.

MySQL Replication - A brief Note

2008-09-24T15:10:00.001+05:30

Replication enables data from one MySQL database server (called the master) to be replicated to one or more MySQL database servers (slaves). Replication is asynchronous - your replication slaves do not need to be connected permanently to receive updates from the master, which means that updates can occur over long-distance connections and even temporary solutions such as a dial-up service. Depending on the configuration, you can replicate all databases, selected databases, or even selected tables within a database. With the help of Replication we can assure the scalability of Data. Because once the Master server went off-line,the slave will act as the master and start serving data. The Data will be replicated into slave server in a frequent intervals. Replication in MySQL features support for one-way, asynchronous replication, in which one server acts as the master, while one or more other servers act as slaves

The mail advantages of MySQL Replication are as follows

1.Scale-out solutions
spreading the load among multiple slaves to improve performance. In this environment, all writes and updates must take place on the master server. Reads, however, may take place on one or more slaves. This model can improve the performance of writes (since the master is dedicated to updates), while dramatically increasing read speed across an increasing number of slaves.

2.Data security
Because data is replicated to the slave, and the slave can pause the replication process, it is possible to run backup services on the slave without corrupting the corresponding master data.

3.Analytics
Live data can be created on the master, while the analysis of the information can take place on the slave without affecting the performance of the master.

4.Long-distance data distribution
If a branch office would like to work with a copy of your main data, you can use replication to create a local copy of the data for their use without requiring permanent access to the master.

Voice problem in Firefox Flash plugin

2008-09-24T14:16:00.000+05:30

The latest version of Ubuntu is Hardy. Its a perfect desktop I have ever seen. Some times you may face a problem hearing sound in FLASH player of Firefox. I am telling here how to solve it. Most of the case its due to missing of a library file of adobe flash player

Infrastructure
OS :Ubuntu 8.04
Browser : Firefox 3

apt-get install libflashsupport

Restart the Firefox and enjoy the Sound

Wireless Internet in Ubuntu Hardy

2008-09-18T10:23:00.002+05:30

People think getting wireless connectivity in LINUX is a difficult task. That is not right always It takes some times to configure. Because there is a one button click environment is not available nowadays. So we need some more steps to get it working. Also I am preparing a Script to do this automatically.

Scenario
To get wireless internet through DLINK access point in the ubuntu 8.04

Infrastructure

Machine : Acer Aspire 4715Z NWXMI-Pentium dual core-T2310
OS : Ubuntu 8.04
Wireless card : Atheros

1.First of all check your BIT version of OS

getconf LONG_BIT

2.Check the Manufacture of your wireless car

lspci | grep wireless

3.Lets install the Drivers for Atheros Card . Download the ndiswrapper source code and AR5007EG Windows drivers

http://wifix.sourceforge.net/software.php?title=ndiswrapper

4.Download the AR5007EG Windows XP drivers,If you're using a 32-bit version of Linux, use this command

wget http://blakecmartin.googlepages.com/ar5007eg-32-0.2.tar.gz

5.Extract the archieves

tar xvf ar5007eg-*.tar.gz
tar xvf ndiswrapper-newest.tar.gz

6.Ensure you have your kernel headers and the build essential package.

aptitude update && sudo aptitude install linux-headers-$(uname -r) build-essential

7.Blacklist the ath_pci kernel module (it doesn't support our chipset).

echo "blacklist ath_pci" | sudo tee -a /etc/modprobe.d/blacklist

8.Compile Ndiswrapper

pushd ndiswrapper-*/
sudo make uninstall
make
sudo make install
popd

9.Install the Windows drivers (using ndiswrapper).

pushd */ar5007eg/
sudo ndiswrapper -i net5211.inf
popd

10.Make sure Ndiswrapper up and running everytime OS starts

sudo modprobe ndiswrapper
echo "ndiswrapper" | sudo tee -a /etc/modules

11.Just Reboot the Laptop
/sbin/shutdown -r now

You will get a NETWORK icon in the right top panel. Click on the ICON and search for available access point.
EnjoY WirelesS InterneT.

Prevent DoS attack in Linux using IPTABLES

2008-09-15T14:04:00.005+05:30

A major problem facing by mail server admin is DOS (Deniel Of Service) attack. Hackers will try to mess up with the most popular ports of a UNIX/LINUX machines. We can prevent this my writing an IPTABLE rule in the server. The working is ,if some one is trying make connection continuously through a specified port the rule will block the IPADDRESS permanently. Here I am stating the securing of PORT 25 (SMTP) here you can use your own

iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

This will Block all the IP ADDRESS which will make connection to port 25 continuously within ie 4 SMTP connection within 60 seconds. You can change PORT,INTERVALs here.

We can also log these ips as well and use for future purpose for example,if you would like to add these logged IP to TCPWRAPPER etc.
Do the following.

Firts of all Set your Log Daemon to log the IPTABLES

# vi /etc/syslog.conf

Add the following line at the end of the file

#kern.warning /var/log/iptables.log
#touch /var/log/iptables.log

Restart the System Log Service

#/etc/init.d/syslog restart (On Redhat based,Centos)

iptables -A INPUT -j LOG --log-level 4

iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP --log-prefix '** HACKERS **'--log-level 4

PERFECT. THE HACKERS ARE BEING LOGGED NOW !!!.

The next stage is to add these logged ips to TCPWRAPPER (/etc/hosts.deny).

#/bin/cat /var/log/iptables.log | awk '{print $9}' | cut -f2 -d "=" >> /root/badip.txt

The above line will grep the SOURCE ip from the log and append to badip.txt

Next Run this command as a frequent interval with the help of CRON

#vi /etc/crontab

*/1 * * * * root /bin/cat /var/log/iptables.log | awk '{print $9}' | cut -f2 -d "=" >> /root/badip.txt

Here the script will run in every minutes. The file will be grow up rapidly to heavy size if your server have heavy traffic. So CleanUP the file in a frequent intervals. Better setup another CRON for it.

Next to add these IPs in the hosts.deny file

#vi /etc/hosts.deny
SSHD:/root/badip.txt

So things are clear. The first CRON job will update the file badip.txt list, as well as it will blocked by TCPWRAPPER.

Restrict Access With Apache

2008-06-18T14:15:00.011+05:30

In this document I hereby explain how to restrict access to a specified Directory in Apache.

My infrastructure is
FC9
Apache 2.2.6

For this example let’s say I want to protect a directory called private. Although your files may be in other locations, my files are located here:

Directory to protect: /var/www/htdocs/private
httpd.conf: /etc/apache/conf/httpd.conf

The very first thing to do is create an .htaccess file with following details right in the Directory

[root@server ] touch /var/www/htdocs/private/.htaccess
[root@server ] vi /var/www/htdocs/private/.htaccess

AuthType Basic
AuthUserFile /var/www/conf/.htpasswd
AuthName RestrictedArea
require valid-user
satisfy any

Here the .htpasswd file is storing the user name and password of authenticated users. You can specify this file any where in the directory.
Change its ownership and permissions

[root@server ]chown apache.apache /var/www/conf/.htpasswd
[root@server ]chmod 644 /var/www/conf/.htpasswd

Next lets add this following content in the httpd.conf file. Put the following content in the Directory Tag

[root@server]vi /etc/httpd/conf/httpd.conf

deny from all
Options ExecCGI
AllowOverride AuthConfig
Order deny,allow

Save and Exit

Now Lets add some users in the .htpasswd files

[root@server]htpasswd –bc /var/www/conf/.htpasswd admin passwd

OK,Now lets restart the Apache

[root@server]apachectl -k graceful

Check the Web server ports are listening.

[root@server]netstat -ntlp

If the 80 port is listening go to your favourite web browser and type the address. It will ask for user name and password to check in.Other wise you will get an internal server error. You may miss something. Check with your server logs.

Point-to-Point Tunneling Protocol in FC9 How-To

2008-06-11T10:10:00.012+05:30

This article describe about how to setup a MPPE in Fedora 9.PPTP is used to connect a remote local network using Virtual Private Network. You can use this article in a COPY-PASTE method. It works fine for me. If you found any difficult while doing this,feel free to contact me

System Requirements

1.Kernel 2.6.15 or Later.

install MPPE capability:

MPPE is Microsoft Point-To-Point Encryption, and is described in RFC3078. You will need to install it if your PPTP Server requires it, and if your kernel is before 2.6.15. Microsoft Windows VPN Server requires MPPE. If you do not require MPPE, skip this step.

If you can upgrade to 2.6.15 or later, do so, then skip the remainder of this step.

1.Install the kernel-devel package for your kernel (or kernel-smp-devel if you are running an SMP kernel), for example:

# yum install kernel-devel

2.Check that your system is running the kernel corresponding to the package requested in the previous step. Use the uname command to display the version of the running kernel, for example:

# uname -r

If the version shown is not the version installed in the previous step, reboot into that kernel. Otherwise the dkms build below may fail, because the kernel package for the current kernel may not be installed.

3. install the dkms package:

# yum install dkms

4. download the kernel_ppp_mppe dkms rpm and install it:

# rpm --install kernel_ppp_mppe-1.0.2-3dkms.noarch.rpm

5. test that the MPPE module loads on request:

# modprobe ppp-compress-18 && echo success

Note: this may fail if the ppp_generic module was already loaded when the kernel_ppp_mppe package was installed, as the original module is replaced on disk but not in memory. Check this by unloading the module, e.g. using "rmmod ppp_generic" or rebooting. Then repeat the modprobe.

# download the PPTP client program pptp rpm and install it like this:

# rpm --install pptp-1.7.0-1.i386.rpm

Note: alternatively we've been told that you can get it from Fedora Extras, like this:

# yum install pptp

# verify that you have dependencies installed for the packages in the next step; (usually this is only a problem if you did a custom install):

# yum install libxml libglade

These packages are also available on the distribution media.

# download the configuration program interpreter php-pcntl rpm install it like this:

# rpm --install php-pcntl-4.4.0-1.i386.rpm

# download the configuration program GTK+ interface php-gtk-pcntl rpm (mirror link) and install it like this:

# rpm --install php-gtk-pcntl-1.0.2-1.i386.rpm

# download the configuration program pptpconfig rpm and install it like this:

# rpm --install pptpconfig-20040722-6.noarch.rpm

Configuration

obtain from your PPTP Server administrator:

the IP address or host name of the server,
the authentication domain name, (e.g. WORKGROUP),
the username you are to use,
the password you are to use,
whether encryption is required.

run pptpconfig as root, and a window should appear,

enter the server, domain, username and password into the Server tab,

if you decided in Installation step 1 above that you would need MPPE, and if your administrator says encryption is required, then on the Encryption tab, click on Require Microsoft Point-to-Point Encryption (MPPE),

click on Add, and the tunnel will appear in the list,

click on the tunnel to select it, click on Start, and a window will appear with the tunnel connection log and status,

Mail sending from EC2 using Postfix.

2008-05-30T14:32:00.005+05:30

One of the main problem I found in the EC2 is to sending mail to outside world. Some mail servers like YAHOO and HOTMAIL will block all the orphan mails from EC2 as SPAM. So people cannot send mail like CustomerVerification,NewsLetter from EC2 comfortably.So I am hereby stating an alternate method which was experimented by Paul to get out of this problem. This is sending mails using POSTFIX

Scenario
1.Amazon EC2
2.Customised AMI from FC4

HowTo

1.Stop Sendmail
#/etc/init.d/sendmail stop
#chkconfig --levels 2345 sendmail off

2.Installing Postfix
#yum -y install postfix

3.Editing the /etc/postfix/main.cf
#vi /etc/postfix/main.cf

myhostname = www.YOURDOMAIN.com
mydomain = YOURDOMAIN.com
myorigin = $mydomain

smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localdomain, localhost, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +

# SECURITY NOTE: Listening on all interfaces. Make sure your firewall is
# configured correctly
inet_interfaces = all

relayhost = [mail.authsmtp.com]
smtp_connection_cache_destinations = mail.authsmtp.com
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:YOUR_AUTHSMPT_USER_ID:YOUR_AUTHSMTP_PW
smtp_sasl_security_options = noanonymous

default_destination_concurrency_limit = 4

soft_bounce = yes

4.Save and Exit
5.Start the Postfix
#/etc/init.d/postfix start
6.Check whether master is listening or not
#ps -ef | grep master

Enjoy Mailing from EC2 without trouble

How a DNS works - Simple Example

2008-05-29T17:06:00.005+05:30

A User opens a web browser and tries to connect to www.google.com. The operating system not knowing the IP Address for www.google.com, asks the ISP's DNS Server for this information.
The ISP's DNS Server does not know this information, so it connects to a Root Server to find out what name server, running somewhere in the world, to know the information about google.com.
The Root Server tells the ISP's DNS Server to contact a particular name server that knows the information about google.com.
The ISP's DNS Server connects to Google's DNS server and asks for the IP Address for www.google.com.
Google's DNS Server responds to the ISP's DNS server with the appropriate IP Address.
The ISP's DNS Server tells the User's operating system the IP Address for google.com.
The operating system tells the Web Browser the IP Address for www.google.com.
The web browser connects and starts communication with www.google.com.

Graphical Representation

Amazon S3. New definition in Storage

2008-05-20T10:42:00.002+05:30

Amazon S3 (Simple Storage Service) is an online storage web service offered by Amazon Web Services. Amazon S3 provides unlimited storage through a simple web services interface. Amazon launched S3, its first publicly-available web service, in the United States in March 2006 and in Europe in November 2007. Amazon charges fees for data stored and for bandwidth used in sending and receiving data. Amazon S3 uses the same scalable storage infrastructure that Amazon.com uses to run its own global e-commerce network.[citation needed Amazon S3 is reported to store more than 10 billion objects as of November 2007.[citation needed] Many small start-ups and enterprise clients use S3 as a web hosting service, image hosting service, back-up system, and more ...

Amazon EC2. New Wave in Webhosting

2008-05-20T10:40:00.002+05:30

Amazon Elastic Compute Cloud, also known as "EC2", is a commercial web service which allows paying customers to rent computers to run computer applications on. EC2 allows scalable deployment of applications by providing a web services interface through which customers can request an arbitrary number of Virtual Machines, i.e. server instances, on which they can load any software of their choice. Current users are able to create, launch, and terminate server instances on demand, hence the term "elastic". The Amazon implementation allows server instances to be created in zones that are insulated from correlated failures. EC2 is one of several Web Services provided by Amazon.com under the blanket term Amazon Web Services (AWS).

SCRIPT TO MONITOR A SERVER IN EVERY 30 MINUTES

2007-04-12T15:06:00.000+05:30

This script is used to check the health of Your servers.
# !/bin/bash

# add ip / hostname separated by while space

HOSTS="aaa.com bbb.com 202.10.193.46 router"

# no ping request

COUNT=1

# email report when

SUBJECT="Ping failed Server Seems to be DOWN"

EMAILID="Your emailid"

for myHost in $HOSTS

do

count=$(ping -c $COUNT $myHost | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')

if [ $count -eq 0 ]; then

# 100% failed

echo "Host : $myHost is down (ping failed) at $(date)" | mail -s "$SUBJECT" $EMAILID

Interview Questions for Linux Administrator

2007-04-12T14:59:00.000+05:30

The following are some questions which I faced from the interview board for the post of Linux Administrator. This will be update when I get more resources.

1.When do you need a virtual hosting ?

The term Virtual Host refers to the practice of maintaining more than one server on one machine, as differentiated by their apparent hostname. For example, it is often desirable for companies sharing a web server to have their own domains, with web servers accessible as www.company1.com and www.company2.com, without requiring the user to know any extra path information.

2.In which port telnet is listening?

3.How to get the listening ports which is greater than 6000 using netstat ?

4.How to block and openrelay ?

Open relays are e-mail servers that are configured to accept and transfer e-mail on behalf of any user anywhere, including unrelated third parties.

The qmail-smtpd daemon will consult the rcpthosts control file to determine valid destination addresses, and reject anything else.

5.What is sandwitch configuration in qmail ?

Qmail + Clam + Spamassassin- This is normally called Sandwitch configuration in qmail.

6.Advantages of Qmail ?

More secure, better designed, modular, faster, more reliable, easier to configure, don't have to upgrade it every few months or worry about being vulnerable to something due to some obscure feature being enabled

qmail supports host and user masquerading, full host hiding, virtual domains, null clients, list-owner rewriting, relay control, double-bounce recording, arbitrary RFC 822 address lists, cross-host mailing list loop detection, per-recipient checkpointing, downed host backoffs, independent message retry schedules, etc. qmail also includes a drop-in ``sendmail'' wrapper so that it will be used transparently by your current UAs.

7.What is the difference between POP3 and IMAP ?

The Difference

POP3 works by reviewing the inbox on the mail server, and downloading the new messages to your computer. IMAP downloads the headers of the new messages on the server, then retrieves the message you want to read when you click on it.

When using POP3, your mail is stored on your PC. When using IMAP, the mail is stored on the mail server. Unless you copy a message to a "Local Folder" the messages are never copied to your PC.

Scenarios of Use

POP3

· You only check e-mail from one computer.

· You want to remove your e-mail from the mail server.

IMAP

· You check e-mail from multiple locations.

· You use Webmail.

8.How to drop packets using iptables ?

Iptables -A INPUT -s xx.xx.xx.xx -d xx.xx.xx.xx -j DROP

9.Daily routines of Linux Administrators ?

*.Check the health of servers

*.Check for updates

*.Check the Backup

*.Check with the trouble ticketing system for any unread ticket.

*.Troubleshoot if there any problem

*.Installation of new servers, if needed.

*.Report to the Boss

10.How to take the Dump of a MySQL Database ?

Mysqldump databasename > dumpname

11.How to know the CPU usage of each process ?

Top, uptime

12.How to bind another IP in a NIC ?

Copy the contents eth0 to eth1, and change the ipaddress. Restart the network. .

13.Transparently proxy all web-surfing through Squid box

iptables -t nat -A PREROUTING -i eth1 -tcp --dport 80 -j DNAT --to

14.Transparently redirect web connections from outside to the DMZ web server.

iptables -t nat -A PREROUTING -i eth0 -d 192.168.1.1 -dport 80 -j DNAT –to

15 Howto Activate the forwarding

echo 1 >/proc/sys/net/ipv4/ip_forward

16.Kill spoofed packets

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do

echo 1 > $f

done.

$iptables -A LDROP --proto tcp -j LOG --log-level info \ --log-prefix “TCP Drop”

IPTABLE firewall for a corporate mail server.

2007-04-12T14:15:00.000+05:30

This is an IPTABLE firewall for a corporate mail server. This working fine for various live servers. All are running Qmail. You can test it it locally first.
Please do not install it on remote server first. For further queries regarding this script please ask to me on bipinkdas@gmail.com

#THIS IPTABLE RULES ARE FOR A QMAIL SERVER
#Replace ips as needed,if you need further queries do contact webmaster.

#clean up existing rules and delete custom chains
/sbin/iptables -t filter -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X

#set default policy to drop everything
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

$source=192.168.10.1
$dest=192.168.20.1
$dns=192.168.1.1
$backup=192.168.10.10

#####incoming rules######

#drop all invalid packets
/sbin/iptables -A INPUT -m state --state INVALID -j DROP

#allow all icmp packets from world
/sbin/iptables -A INPUT -s 0/0 -d $dest -p icmp -j ACCEPT

#allow all input from loopback
/sbin/iptables -A INPUT -i lo -j ACCEPT

#allow http from world
/sbin/iptables -A INPUT -s 0/0 -d $dest -p tcp --dport 80 -j ACCEPT

#allow mails from and to world
/sbin/iptables -A INPUT -s 0/0 -d $dest -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -d $dest -p tcp --dport 110 -j ACCEPT

#allow rsync from backup machine
/sbin/iptables -A INPUT -s $backup -d $dest -p tcp --dport 873 -j ACCEPT

#allow packets from connections we established
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

######forwarding rules######

#no forwarding rule for a mail server.

######outgoing rules######

#drop all outgoing invalid packets
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP

#allow all icmp packets to outside world
/sbin/iptables -A OUTPUT -s $source -d 0/0 -p icmp -j ACCEPT

#allow dns traffic
/sbin/iptables -A OUTPUT -s $source -d $dns -p udp --dport 53 -j ACCEPT

#allow mails to world
/sbin/iptables -A OUTPUT -s $source -d 0/0 -p tcp --dport 25 -j ACCEPT

#allow ftp to backup server
/sbin/iptables -A OUTPUT -s $source -d $backup -p tcp --dport 21 -j ACCEPT

#allow all input to loopback interface
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

#allow packets of established connections
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

######save iptables rules######
service iptables save

Free software and Me

2007-03-26T09:38:00.000+05:30

Linux is the fastest growing operating system in the world. The kernel of the Linux was developed by LINUS BENEDICT TORVALDS a finnish student. He was made it as his academic project. Its as UNIX like operating system also a predominant example of Freesoftware. It is now considered as the most secured and widely used Server Operating System.

I am not an expert in Linux System Administration. I had installed linux in my home PC on 2002. My friend Jayesh (Now working with Accenture Software Services) installed it for me. It was Redhat Linux 7.2. Since that day I have been using it for Browsing.

From 2002 I had interacted with Linux. I was working with Open software solutions ICS ltd as a supporting staff. On the part of my job I had installed more than 200 linux installations and a very little bit knowledge on networking. I had left the company on October 2005.

I had joined Spectrum softtech solutions Ltd, Keralas leading ISP. This company give me opportunity to interact with Linux servers. This company have more than 30 Linux servers. 18 of them are Qmail server for their collocation customers. 5 of them are exclusive Apache web servers. Others multipurpose linux servers including Relay server, trouble ticketing server etc. I am very much thankful to AnuBhaskar (Now working with Accenture Software Services) and LeenoJose (Now working with Ditro advanced Technologies) who taught me the basics of Linux administration. With the help of these masters I had installed my first Mail server and send an email to my friend sabeesh with a subject line of Sub:I did it.from the id bipin@bipin.com. From these masters I am trying to watch this ocean. I had completed 8 months in this company. In this short interval I had installed 5 Qmail servers, 8 Apache web servers, 1 Trouble ticketing system (OTRS).

2 Mail server migration. Etc. Apart from this I had managed the above said 30 servers for the customers. I had resigned from this company on November 2006.

I joined Ditro Advanced Technologies as Linux Administrator for their overseas client Ran Internet SL, a Spanish ISP. In this company I had met a number of challenging events, like a mail server which running on SENDMAIL/CYRUS/LDAP. Interesting thing is all these servers are running on independent machines. The motive is to share the load of each servers.

MOD_SECURE APACHE 1.9.4 – HOWTO

2007-03-22T15:13:00.000+05:30

MOD_SECURE APACHE 1.9.4 – HOWTO

ModSecurity is an embeddable web application firewall. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. This is also known as rule based Intrusion Detection System.

It is also an open source project that aims to make the web application firewall technology available to everyone.

(I had tested this on a debian sarge with Apache 1.3)

Create a directory for storing the source file.

$mkdir –p /opt/src

$cd /opt/src

Download the latest stable release from the mirror

modsecurity-apache_1.9.4.tar.gz

Untar the pack

$tar –zxvf modsecurity-apache_1.9.4.tar.gz

$cd mod_security-1.9.4/apache1/

$apxs -cia mod_security.c

Restart your Webserver.

/etc/init.d/httpd restart

If there was no error reporte,your installation successful.

FOLLOWING IS THE CONFIGURATION FILE

(Add to /etc/httpd/httpd.conf)

    # Turn the filtering engine On or Off

    SecFilterEngine On

    # Make sure that URL encoding is valid

    SecFilterCheckURLEncoding On

    # Only allow bytes from this range

    SecFilterForceByteRange 32 126

    # The audit engine works independently and

    # can be turned On of Off on the per-server or

    # on the per-directory basis

    SecAuditEngine RelevantOnly

    # The name of the audit log file

    SecAuditLog /var/log/httpd/audit_log

    SecFilterDebugLog /var/log/httpd/modsec_debug_log

    SecFilterDebugLevel 0

    # Should mod_security inspect POST payloads

    #SecFilterScanPOST On

    # Action to take by default

    SecFilterDefaultAction "deny,log,status:406"

    # Redirect user on filter match

    #SecFilter xxx redirect:http://www.webkreator.com

    # Execute the external script on filter match

    #SecFilter yyy log,exec:/home/ivanr/apache/bin/report-attack.pl

    # Simple filter

    #SecFilter 111

    # Only check the QUERY_STRING variable

    #SecFilterSelective QUERY_STRING 222

    # Only check the body of the POST request

    #SecFilterSelective POST_PAYLOAD 333

    # Only check arguments (will work for GET and POST)

    #SecFilterSelective ARGS 444

    # Test filter

    #SecFilter "/cgi-bin/keyword"

    # Another test filter, will be denied with 404 but not logged

    # action supplied as a parameter overrides the default action

    #SecFilter 999 "deny,nolog,status:404"

    # Prevent OS specific keywords

    #SecFilter /etc/password

    # Prevent path traversal (..) attacks

    SecFilter "\.\./"

    # Weaker XSS protection but allows common HTML tags

    SecFilter "<( |\n)*script"

    # Prevent XSS atacks (HTML/Javascript injection)

    SecFilter "<(.|\n)+>"

    # Very crude filters to prevent SQL injection attacks

    SecFilter "delete[[:space:]]+from"

    SecFilter "insert[[:space:]]+into"

    SecFilter "select.+from"

    # Require HTTP_USER_AGENT and HTTP_HOST headers

    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Forbid file upload

    #SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

    # Only watch argument p1

    #SecFilterSelective "ARG_p1" 555

    # Watch all arguments except p1

    #SecFilterSelective "ARGS|!ARG_p2" 666

    # Only allow our own test utility to send requests (or Mozilla)

    #SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)"

    # Do not allow variables with this name

    #SecFilterSelective ARGS_NAMES 777

    # Do now allow this variable value (names are ok)

    #SecFilterSelective ARGS_VALUES 888

    # Stop spamming through FormMail

    # note the exclamation mark at the beginning

    # of the filter - only requests that match this regex will

    # be allowed

        #SecFilterSelective "ARG_recipient" "!@webkreator.com$"

    # when allowing upload, only allow images

    # note that this is not foolproof, a determined attacker

    # could get around this

        #SecFilterInheritance Off

        #SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"

Restart the Your Web server again

/etc/init.d/httpd restart.