Monday, March 31, 2014

Install And Configure Linux Socket Monitor (LSM)

Linux Socket Monitor (LSM) is a monitoring tool which tracks changes to ports and sockets (both network and inter-process (IPC) ones used between applications on the same machine) by comparing snapshots it takes - either automatically (upon installation) or by your direction.

 

The latest version of LSM is available from its developer's website at: http://www.rfxn.com/downloads/lsm-current.tar.gz

In order to download the tape archive (tar, tarball), run the following:

wget http://www.rfxn.com/downloads/lsm-current.tar.gz
This will download the archive to the current directory.

Let's extract the contents from the tarball:

tar -xvzf lsm-current.tar.gz
We are now ready to install LSM by running its installation script.

Enter the directory and run the installation:

$ cd lsm-0.6
$ ./install.sh

On completion we get output like this:
.: LSM installed
Install path: /usr/local/lsm
Config path: /usr/local/lsm/conf.lsm
Executable path: /usr/local/sbin/lsm
LSM version 0.6 <lsm@r-fx.org>
Copyright (C) 2004, R-fx Networks
2004, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL

generated base comparison files



Open up the LSM configuration file using nano text editor:
 nano /usr/local/lsm/conf.lsm

Here you will see a relatively long list of values which are used by LSM to operate. The one that we need to modify is the third one on the list: USER="root" which is after the commented out sections located on top.

Using your arrow keys, go down to that line and replace root with your email address.

Example:
USER="******@*****.***" 


At any given moment, you can delete or recreate the comparison files via two simple commands:

Delete snapshots (comparison files): /usr/local/sbin/lsm -d
Manually run a comparison test: /usr/local/sbin/lsm -c

And to recreate the snapshots:

Generate base comparison files: /usr/local/sbin/lsm -g
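
The snapshot comparison idea behind LSM, shown as an added example (this is not LSM's code, and LSM's own implementation may differ): two constructed /proc/net/tcp snapshots are parsed and the TCP listeners that appeared or disappeared between them are reported. The function names and sample rows are assumptions made for the illustration; IPC sockets are not covered.

```python
import socket
import struct

HEADER = ("  sl  local_address rem_address   st tx_queue rx_queue "
          "tr tm->when retrnsmt   uid  timeout inode")

# Constructed /proc/net/tcp snapshots (little-endian host); st 0A means LISTEN.
BASE_SNAPSHOT = HEADER + """
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9002
"""
CURRENT_SNAPSHOT = HEADER + """
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001
   1: 00000000:1F91 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 9107
   2: 0500000A:0016 0900000A:C738 01 00000000:00000000 00:00000000 00000000     0        0 9110
"""

TCP_LISTEN = "0A"


def listening_sockets(proc_net_tcp):
    """Return {(ip, port): uid} for every LISTEN row of /proc/net/tcp text."""
    found = {}
    for line in proc_net_tcp.splitlines():
        cols = line.split()
        if len(cols) < 8 or not cols[0].endswith(":") or cols[3] != TCP_LISTEN:
            continue  # header, blank line, or a socket that is not listening
        ip_hex, port_hex = cols[1].split(":")
        # The kernel prints the IPv4 address as one host-order 32-bit hex word.
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        found[(ip, int(port_hex, 16))] = int(cols[7])
    return found


def compare_snapshots(base, current):
    """Return (opened, closed): listeners only in current, and only in base."""
    old, new = listening_sockets(base), listening_sockets(current)
    opened = sorted((ip, port, new[(ip, port)]) for ip, port in new.keys() - old.keys())
    closed = sorted((ip, port, old[(ip, port)]) for ip, port in old.keys() - new.keys())
    return opened, closed


if __name__ == "__main__":
    opened, closed = compare_snapshots(BASE_SNAPSHOT, CURRENT_SNAPSHOT)
    for ip, port, uid in opened:
        print("NEW listener   %s:%d (uid %d)" % (ip, port, uid))
    for ip, port, uid in closed:
        print("GONE listener  %s:%d (uid %d)" % (ip, port, uid))
```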

 

Friday, March 28, 2014

Creating a Nat Server From Scratch in an AWS Cloud setup.


1.) Start a t1.micro instance.
2.) Disable the source/destination check. You can get the option by right-clicking the instance and selecting the "Change Source / Dest Check" option.
3.) Make sure the Security Group created is able to pass all the needed IPs and ports.
4.) Configure the NAT server.

Set the net.ipv4.ip_forward entry in /etc/sysctl.conf to 1 to enable forwarding if it is disabled.
echo 1 > /proc/sys/net/ipv4/ip_forward
sed -i "s/net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/g" /etc/sysctl.conf

Needed Output
cat /etc/sysctl.conf |grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Run the following command, then add the rules below to iptables:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This command masquerades every connection leaving through eth0, so traffic forwarded for the private instances goes out with the NAT instance's own address.
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT

 

Ports 80 and 443 are added so that server updates in the private cloud can be done through the NAT instance.

Using the Nat instance as connection to Outer World for the Private Cloud.

Configure the default route table to send all connections (i.e. 0.0.0.0/0) to the NAT instance.
Then configure the route table of the NAT instance to send all connections (i.e. 0.0.0.0/0) to the Internet gateway.

Thursday, March 27, 2014

Allow Remote Connection to PostgreSQL Database using psql

If the remote connection is not enabled you will be getting the following error.

“psql: could not connect to server: Connection refused” error message

To enable remote connections, make the following changes in pg_hba.conf.

Modify pg_hba.conf to add Client Authentication Record

TYPE  DATABASE  USER  ADDRESS       METHOD
host  all       all   127.0.0.1/32  trust

TYPE  DATABASE  USER  IP-ADDRESS  IP-MASK          METHOD
host  all       all   127.0.0.1   255.255.255.255  trust

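You can use 0.0.0.0/0 as the address to allow access to the database from any IPv4 client. Combined with the trust method, that lets every such client connect without a password, so pair a wide address range with a password method such as md5.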

Change the Listen Address in postgresql.conf
# grep listen /var/lib/pgsql/data/postgresql.conf
listen_addresses = 'localhost'
# grep listen /var/lib/pgsql/data/postgresql.conf
listen_addresses = '*'

Test the Remote Connection
psql -U postgres -h xxx.xxx.xxx.xxx
Welcome to psql 8.1.11 (server 8.4.18), the PostgreSQL interactive terminal.
postgres=

 

To reset the Password of the postgres user in PostgreSQL.

Locate the file pg_hba.conf and change the authentication method to trust, so that switching to that user does not ask for a password.

The file is usually in the following place, depending on the distro:

CentOS: /var/lib/pgsql/data/pg_hba.conf
Ubuntu: /etc/postgresql/9.1/main directory

The file will have a line like the one below.
# Database administrative login by Unix domain socket
local all postgres peer

Change it to:

# Database administrative login by Unix domain socket
local all postgres trust

Once that is done, no password is prompted when switching to the user.
Once you are inside, change the password using the following command.

psql -U postgres
ALTER USER postgres with password 'secure-password';

Then restore pg_hba.conf to its previous state and reload the service.
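
A check for the two pg_hba.conf edits described above (the remote access records, and the temporary trust line used for the password reset), added here as an example and not taken from PostgreSQL or the original post: it parses both address forms and flags records that skip the password or are open to every address. The function names, severity labels and sample file are assumptions.

```python
import ipaddress

# Constructed sample using both address forms shown above (CIDR, and IP + mask).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS              METHOD
local   all       postgres                       trust
host    all       all       127.0.0.1/32         trust
host    all       all       0.0.0.0/0            trust
host    all       all       0.0.0.0   0.0.0.0    md5
host    appdb     appuser   10.0.1.0/24          md5
"""


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Yield (lineno, conn_type, network, method). network is None for local
    records and for host names or keywords, which are not resolved here."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()  # assumes no quoted names with spaces
        if len(f) >= 4 and f[0] == "local":
            yield lineno, "local", None, f[3]
        elif len(f) >= 5 and f[0] in ("host", "hostssl", "hostnossl"):
            addr, rest = f[3], f[4:]
            if _is_ip(addr) and len(rest) >= 2 and _is_ip(rest[0]):
                addr, rest = addr + "/" + rest[0], rest[1:]  # IP-ADDRESS IP-MASK form
            try:
                net = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                net = None
            yield lineno, f[0], net, rest[0]


def audit_pg_hba(text):
    """Return [(lineno, severity, reason)] for records that skip or weaken authentication."""
    findings = []
    for lineno, conn, net, method in parse_pg_hba(text):
        anywhere = net is not None and net.prefixlen == 0
        if method == "trust" and conn == "local":
            findings.append((lineno, "medium", "trust on the Unix socket: no password for local users"))
        elif method == "trust" and net is not None and net.is_loopback:
            findings.append((lineno, "medium", "trust on loopback: no password for local processes"))
        elif method == "trust":
            scope = "every address" if anywhere else ("address not resolved" if net is None else str(net))
            findings.append((lineno, "high", "trust for remote clients (%s): no password at all" % scope))
        elif anywhere:
            findings.append((lineno, "low", "%s record open to every address: relies on %s alone" % (conn, method)))
    return findings


if __name__ == "__main__":
    for lineno, severity, reason in audit_pg_hba(SAMPLE_PG_HBA):
        print("line %d [%s] %s" % (lineno, severity, reason))
```

Running it against the real file after the password reset confirms that the trust line was reverted before the service is reloaded.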

Install and configure PostgreSQL

PostgreSQL, often simply "Postgres", is a free and open-source object-relational database management system (ORDBMS) with an emphasis on extensibility and standards-compliance. PostgreSQL implements the majority of the SQL 2011 standard, is ACID-compliant and transactional (including most DDL statements) avoiding locking issues using multiversion concurrency control (MVCC), provides immunity to dirty reads and full serializability; handles complex SQL queries using many indexing methods that are not available in other databases; has updateable views and materialized views, triggers, foreign keys; supports functions and stored procedures, and other expandability, and has a large number of extensions written by third parties.

 

Configure your YUM repository

Locate and edit your distribution's .repo file:
On Fedora: /etc/yum.repos.d/fedora.repo and /etc/yum.repos.d/fedora-updates.repo, [fedora] sections
On CentOS: /etc/yum.repos.d/CentOS-Base.repo, [base] and [updates] sections
On Red Hat: /etc/yum/pluginconf.d/rhnplugin.conf [main] section
To the section(s) identified above, you need to append a line:
exclude=postgresql*

Download and install PGDG RPM file
A PGDG file is available for each distribution/architecture/database version combination.
Browse http://yum.postgresql.org and find your correct RPM.
For example, to install PostgreSQL 9.3 on CentOS 6 64-bit:

curl -O http://yum.postgresql.org/9.3/redhat/rhel-6-x86_64/pgdg-centos93-9.3-1.noarch.rpm

Now install RPM distribution:

rpm -ivh pgdg-centos93-9.3-1.noarch.rpm

Install PostgreSQL

To list available packages:
yum list postgres*
For example, to install a basic PostgreSQL 9.3 server:

yum install postgresql93-server

# su - postgres
$ psql
psql (9.2.4)
Type "help" for help.
postgres=# help
You are using psql, the command-line interface to PostgreSQL.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit

Create a schema called test in the default database called postgres

postgres=# CREATE SCHEMA test;

Create a role (user) with password

postgres=# CREATE USER xxx PASSWORD 'yyy';

Grant privileges (like the ability to create tables) on new schema to new role

postgres=# GRANT ALL ON SCHEMA test TO xxx;

Grant privileges (like the ability to insert) to tables in the new schema to the new role

postgres=# GRANT ALL ON ALL TABLES IN SCHEMA test TO xxx;

Disconnect
postgres=# \q

Tuesday, March 25, 2014

Shell In A Box – A Web-Based SSH Terminal to Access Remote Linux Servers

Shell In A Box (pronounced as shellinabox) is a web-based terminal emulator. It has a built-in web server that runs as a web-based SSH client on a specified port and presents a web terminal emulator, so you can access and control your Linux server's SSH shell remotely from any AJAX/JavaScript and CSS enabled browser, without the need for additional browser plugins such as FireSSH.


RHEL/CentOS 6 32-64 Bit


## RHEL/CentOS 6 32-Bit ##
# wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm

## RHEL/CentOS 6 64-Bit ##
# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm


# vi /etc/sysconfig/shellinaboxd

# TCP port that shellinaboxd's webserver listens on. Whichever you need; here I am choosing port 80
PORT=80

# specify the IP address of a destination SSH server
OPTS="-s /:SSH:172.16.25.125"

# if you want to restrict access to shellinaboxd from localhost only
OPTS="-s /:SSH:172.16.25.125 --localhost-only"

Wednesday, March 19, 2014

Note


 

http://wso2.com/cloud/stratos/
http://nirmalfdo.blogspot.in/
http://www.slideshare.net/wso2.org/
http://support.microsoft.com/kb/2697421

 

Friday, March 14, 2014

Hosts file in Windows

# For Windows 9x and ME place this file at "C:\Windows\hosts"
# For NT, Win2K and XP use "C:\windows\system32\drivers\etc\hosts"
# or "C:\winnt\system32\drivers\etc\hosts"
# For Windows 7 and Vista use "C:\windows\system32\drivers\etc\hosts"
# or "%systemroot%\system32\drivers\etc\hosts"
# You may have to use Notepad and "Run as Administrator"
# For Linux, Unix, or OS X place this file at "/etc/hosts". You will
# require root access to do this. Saving this file to "~/hosts" will
# allow you to run something like "sudo cp ~/hosts /etc/hosts".
# Ubuntu users who experience trouble with apt-get should consult
# http://ubuntuforums.org/archive/index.php/t-613521.html
# For OS/2 copy the file to "%ETC%\HOSTS" and in the CONFIG.SYS file,
# ensure that the line "SET USE_HOSTS_FIRST=1" is included.
# For BeOS place it at "/boot/beos/etc/hosts"
# On a Netware system, the location is "System\etc\hosts"

 

#<localhost>
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
255.255.255.255 broadcasthost
::1 localhost
127.0.0.1 local
fe80::1%lo0 localhost
#</localhost>

Monday, March 10, 2014

Enable SELinux

Installing Selinux

yum install -y selinux-policy-targeted selinux-policy libselinux libselinux-python libselinux-utils policycoreutils policycoreutils-python setroubleshoot setroubleshoot-server setroubleshoot-plugins
Use the

rpm -qa | grep selinux

rpm -q policycoreutils

rpm -qa | grep setroubleshoot

commands to confirm that the SELinux packages are installed. This guide assumes the following packages are installed: selinux-policy-targeted, selinux-policy, libselinux, libselinux-python, libselinux-utils, policycoreutils, policycoreutils-python, setroubleshoot, setroubleshoot-server, setroubleshoot-plugins. If these packages are not installed, as the Linux root user, install them via the yum install package-name command. The following packages are optional: policycoreutils-gui, setroubleshoot, and mcstrans.
Before SELinux is enabled, each file on the file system must be labeled with an SELinux context. Before this happens, confined domains may be denied access, preventing your system from booting correctly. To prevent this, configure SELINUX=permissive in /etc/selinux/config:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
As the Linux root user, run the reboot command to restart the system. During the next boot, file systems are labeled. The label process labels all files with an SELinux context:
*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
****
Each * (asterisk) character on the bottom line represents 1000 files that have been labeled. In the above example, four * characters represent 4000 files that have been labeled. The time it takes to label all files depends upon the number of files on the system, and the speed of the hard disk drives. On modern systems, this process can take as little as 10 minutes.
In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as the Linux root user, run the grep "SELinux is preventing" /var/log/messages command to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. Refer to Chapter 8, Troubleshooting for troubleshooting information if SELinux denied access during boot.
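
The grep above can return many repeated lines; the following added example (not from the original guide) groups them so that each distinct denial shows once with a count before you switch to enforcing. The sample log lines are constructed and assume the setroubleshoot message wording used on RHEL/CentOS 6; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed /var/log/messages excerpt; host name, paths and sealert ids are made up.
SAMPLE_MESSAGES = """\
Mar 10 09:14:51 web01 sshd[1302]: Server listening on 0.0.0.0 port 22.
Mar 10 09:15:02 web01 setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000001
Mar 10 09:15:07 web01 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000002
Mar 10 09:16:40 web01 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/www/html/index.html. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000002
"""

# Assumed message shape: "<process> from <permission> access on the <class> [<target>]."
DENIAL = re.compile(
    r"SELinux is preventing (?P<proc>\S+) from (?P<perm>.+?) access on the "
    r"(?P<cls>\S+) ?(?P<target>.*?)\s*\. For complete")


def summarize_denials(log_text):
    """Count distinct denials as (process, permission, class, target) -> hits."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m:
            counts[(m.group("proc"), m.group("perm"), m.group("cls"), m.group("target"))] += 1
    return counts


def safe_to_enforce(log_text):
    """True only when the log holds no denial at all, the condition given
    above for setting SELINUX=enforcing."""
    return not summarize_denials(log_text)


def denial_report(log_text):
    """Return one report line per distinct denial, most frequent first."""
    lines = []
    for (proc, perm, cls, target), hits in summarize_denials(log_text).most_common():
        what = "%s %s" % (cls, target) if target else cls
        lines.append("%dx %s denied %s on %s" % (hits, proc, perm, what))
    return lines


if __name__ == "__main__":
    print("\n".join(denial_report(SAMPLE_MESSAGES)))
    print("safe to enforce:", safe_to_enforce(SAMPLE_MESSAGES))
```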
If there were no denial messages in /var/log/messages, configure SELINUX=enforcing in /etc/selinux/config:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Reboot your system. After reboot, confirm that getenforce returns Enforcing:
~]$ getenforce
Enforcing
As the Linux root user, run the semanage login -l command to view the mapping between SELinux and Linux users. The output should be as follows:
Login Name      SELinux User      MLS/MCS Range

__default__     unconfined_u      s0-s0:c0.c1023
root            unconfined_u      s0-s0:c0.c1023
system_u        system_u          s0-s0:c0.c1023
If this is not the case, run the following commands as the Linux root user to fix the user mappings. It is safe to ignore the SELinux-user username is already defined warnings if they occur, where username can be unconfined_u, guest_u, or xguest_u:
semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root
semanage user -a -S targeted -P user -R guest_r guest_u
semanage user -a -S targeted -P user -R xguest_r xguest_u

Thursday, March 6, 2014

Reset Ownership cPanel Home Directories

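# /etc/trueuserdomains lines look like "domain: user"; field 2 is the account name
awk '{print $2}' /etc/trueuserdomains | while read -r i
do
    # skip blank names and missing homes so chown never runs on /home itself
    [ -n "$i" ] && [ -d "/home/$i" ] || continue
    chown -R "$i:$i" "/home/$i"
    chown -R "$i:mail" "/home/$i/etc"
    chown "$i:nobody" "/home/$i/public_html"
done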

Tuesday, March 4, 2014

Resizing EBS Volumes for EBS Backed instances.

1. Go to the Instances management interface and stop the instance in question. Take note of the availability zone it currently resides in, as you will need that information later. Also note where the volume is mounted (/dev/sdxx).
2. Go to the Volumes management interface, find the one being used by the instance (see the “attached to” column, it will have the instance’s name) and select the Take Snapshot option.
3. Go to the Snapshots management interface and find the newly created snapshot. Choose it and select the Create Volume option. Then, you must enter the new (increased) size and select the same availability zone as the EC2 instance.
4. Go to the Volumes management interface, find the OLD volume, choose it and select the Detach Volume from instance option. Then, find the NEW volume, choose it and select the Attach Volume to instance option. Here you select the instance you want to have the increased partition and set the device mount point to /dev/sdxx.
5. After the new volume is attached, you go back to the Instances management interface and start the EC2 instance again. Wait for it to come back online and connect to it through SSH.
6. Log in as root (sudo, etc.) and run the df -h command to get a list of the partitions. Here you will see the new one, most likely mounted at "/dev/xvda1". Notice that the system doesn't report the correct (increased) size yet. To fix that you will have to extend the partition in order for it to cover the rest of the free space of the volume. To do so, simply run the command: "resize2fs /dev/xvda1".

Configure NGinx to serve static files and Apache for dynamic

CentOS 6.x

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Now that the repo is installed, we need to install NGinx

yum install nginx

Configuring NGinx

Now that NGinx is installed we need to create a VirtualHost (actually NGinx calls them Server Blocks) for each site we are hosting.
nano /etc/nginx/conf.d/virtual.conf
#Insert one of these for each of the virtualhosts you have configured in Apache

server {
    listen 80;
    root /path/to/site/root;
    index index.php index.html index.htm;
    server_name www.yourdomain.com yourdomain.com;

    location / {
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }

    location ~ /\.ht {
        deny all;
    }
}

This configuration tells NGinx to try and serve the requested file, but to pass the request onto Apache if it's unable to do so. Requests for PHP files should be forwarded automatically. Apache will be told who requested the file in the 'X-Forwarded-For' header.

The final section tells NGinx to deny requests for .ht files such as .htaccess, as no one wants anyone to see the contents of these.

 

Configuring Apache

We want users to hit our NGinx installation (otherwise this effort is wasted) but Apache is currently sat on port 80. So we're going to move it to 8080 (given that's the port we specified in the NGinx configuration we created).

nano /etc/httpd/conf/httpd.conf
# Find the following
Listen (someIP):80
# Change the port to
Listen 127.0.0.1:8080

# Now at the bottom of the file, you'll find your virtualhost directives,
# Change all port definitions of 80 to 8080
# Don't forget the Default virtualhost definition
# <virtualhost *:80> becomes <virtualhost *:8080>

We change the Listen address as we don't want external hosts to access Apache directly; everything should go through NGinx. Ideally, we also want to forbid outside access to port 8080 at the firewall to ensure that the point of entry to our system is restricted to the authorised route - through NGinx.
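
One way to check the result of this step, as an added example that is not part of the original post: list every Listen directive that is still reachable from outside, including a bare port (which binds all interfaces) and an SSL listener. The config fragment is constructed and the function names are assumptions.

```python
import ipaddress

# Constructed httpd.conf lines: the proxied port moved to loopback as described
# above, next to a bare port and an SSL listener that stay reachable.
SAMPLE_HTTPD_CONF = """\
# Listen 80
Listen 127.0.0.1:8080
Listen 8081
Listen [::1]:8082
Listen 192.0.2.10:443 https
"""


def parse_listen(conf_text):
    """Yield (lineno, host, port) per Listen directive; host is None when
    only a port is given, which makes Apache bind every interface."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.strip().split()
        if len(words) < 2 or words[0].lower() != "listen":
            continue  # comments and other directives
        host, sep, port = words[1].rpartition(":")
        if port.isdigit():  # a non-numeric port means a malformed directive
            yield lineno, (host.strip("[]") if sep else None), int(port)


def reachable_from_outside(conf_text):
    """Return [(lineno, bind_address, port)] for listeners not confined to loopback."""
    exposed = []
    for lineno, host, port in parse_listen(conf_text):
        if host is None or host == "*" or not ipaddress.ip_address(host).is_loopback:
            exposed.append((lineno, host or "*", port))
    return exposed


if __name__ == "__main__":
    for lineno, bind, port in reachable_from_outside(SAMPLE_HTTPD_CONF):
        print("line %d: Apache still listens on %s port %d" % (lineno, bind, port))
```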

Start the Services
We've now configured Apache to listen on a different port, so all we need to do now is restart Apache (so that it moves to port 8080) and start NGinx so that it can start handling requests.

service httpd restart
service nginx start
Now if you browse to your site, nothing should have changed visibly. However, if you check the HTTP headers you should see NGinx instead of Apache, although a phpinfo file should still show Apache as having called the PHP parser.

 

Additional Considerations
Security
By adding NGinx into the mix, we're increasing our potential attack surface a little - we've now got an extra application to keep patched and up to date (which is why we installed from the repos and didn't go out-of-band). Although we've hidden Apache away behind NGinx, don't assume it's automatically shielded - if a vulnerability is exploited using a valid request, NGinx will pass the request through verbatim (assuming it couldn't handle it itself). What you are protected from, though, is exploits that involve an invalid request.

SSL Connections
Nothing we've done will affect SSL connections; if Apache was configured to listen on port 443, it will continue to do so. However, this also means that all SSL requests will be handled by Apache and so the memory benefits of using NGinx as a proxy won't be present on these connections. It's more than possible (and not particularly hard) to set NGinx up as a reverse SSL proxy, but that's outside the scope of this documentation (although the steps involved are almost identical).

CPanel
If your server is running CPanel, you probably won't want to edit everything by hand. In that instance, it may be worth trying the CPanel NGinx plugin at http://nginxcp.com/. Plesk users should find that support for NGinx is included, so long as they are running version 11 or later.