Wednesday, April 30, 2014

S3cmd : Used to copy files to s3 bucket from server. AWS

S3cmd is the AWS command-line tool used to copy or sync content to an S3 bucket.

s3cmd can be installed from the EPEL repo or by manually compiling the code.

When installing from EPEL there can be a Python dependency issue: the EPEL package expects Python 2.4 on the server. If you have a different Python version installed, it is better to go with the manual installation.

## RHEL/CentOS 6 32-Bit ##
# wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm

## RHEL/CentOS 6 64-Bit ##
# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm

yum install s3cmd

For manual installation, download the tar file of the needed version from

http://sourceforge.net/projects/s3tools/files/s3cmd/

Make sure you have a Python version newer than 2.4 installed on the server.

Untar the file (tar zxvf for .tar.gz, tar jxvf for .tar.bz2) and use Python to run the installation script:

python setup.py install


Configuring/Reconfiguring the s3cmd command

s3cmd --configure

Enter new values or accept defaults in brackets with Enter.
Refer to user manual for detailed description of all options.

Access key and Secret key are your identifiers for Amazon S3
Access Key: xxxxxxxxxxxxxxxxxxxxxx
Secret Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Encryption password is used to protect your files from reading
by unauthorized persons while in transfer to S3
Encryption password: xxxxxxxxxx
Path to GPG program [/usr/bin/gpg]:

When using secure HTTPS protocol all communication with Amazon S3
servers is protected from 3rd party eavesdropping. This method is
slower than plain HTTP and can't be used if you're behind a proxy
Use HTTPS protocol [No]: Yes

New settings:
Access Key: xxxxxxxxxxxxxxxxxxxxxx
Secret Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Encryption password: xxxxxxxxxx
Path to GPG program: /usr/bin/gpg
Use HTTPS protocol: True
HTTP Proxy server name:
HTTP Proxy server port: 0

Test access with supplied credentials? [Y/n] Y
Please wait, attempting to list all buckets...
Success. Your access key and secret key worked fine :-)

Now verifying that encryption works...
Success. Encryption and decryption worked fine :-)

Save settings? [y/N] y
Configuration saved to '/root/.s3cfg'
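As an added check (not part of the original post or of s3cmd itself), a small shell audit of the .s3cfg that the dialog above writes: it verifies that the file is readable only by its owner, since it stores the secret key, and that use_https is True. The key names are the ones s3cmd writes; the sample config is constructed, and stat -c is the GNU coreutils form.

```shell
#!/bin/sh
# Added example, not part of the original post or of s3cmd: audit the
# .s3cfg written by "s3cmd --configure". Key names (access_key, secret_key,
# use_https) are the ones s3cmd writes; "stat -c" is the GNU coreutils form.

# Print the value of "key = value" from an s3cfg-style file (first match).
s3cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Audit one config file: prints one finding per line, returns 1 if any.
audit_s3cfg() {
    cfg=$1
    rc=0
    # the file holds the secret key, so only the owner may read it
    mode=$(stat -c %a "$cfg")
    case $mode in
        600|400) ;;
        *) echo "mode $mode: $cfg is readable by group/other, chmod 600 it"; rc=1 ;;
    esac
    [ -n "$(s3cfg_get "$cfg" access_key)" ] || { echo "access_key is empty"; rc=1; }
    [ -n "$(s3cfg_get "$cfg" secret_key)" ] || { echo "secret_key is empty"; rc=1; }
    # without HTTPS every request and all object data travel as plain HTTP
    [ "$(s3cfg_get "$cfg" use_https)" = True ] || { echo "use_https is not True"; rc=1; }
    return $rc
}

# Write a constructed sample config with the given file mode ($1) and
# use_https value ($2), audit it, and return the audit result.
audit_sample() {
    tmp=$(mktemp)
    cat > "$tmp" <<EOF
[default]
access_key = AKIAEXAMPLEKEY
secret_key = EXAMPLESECRETKEYEXAMPLESECRETKEY
gpg_command = /usr/bin/gpg
gpg_passphrase = examplepassphrase
use_https = $2
EOF
    chmod "$1" "$tmp"
    result=0
    audit_s3cfg "$tmp" || result=$?
    rm -f "$tmp"
    return $result
}

# Real use: audit_s3cfg "$HOME/.s3cfg"
```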

 

# s3cmd mb s3://test
Bucket 's3://test/' created

# s3cmd ls s3://test/

Upload a file
# s3cmd put file.txt s3://test/

Upload several files matching a pattern
# s3cmd put *.txt s3://test/

Upload a complete directory (creates the upload-dir/ prefix in the bucket)
# s3cmd put -r upload-dir s3://test/
Upload the files inside a directory (trailing slash: contents only, no upload-dir/ prefix)
# s3cmd put -r upload-dir/ s3://test/

Get a file
# s3cmd get s3://test/file.txt

Removing file from s3 bucket
# s3cmd del s3://test/file.txt
File s3://test/file.txt deleted

Removing directory from s3 bucket
# s3cmd del s3://test/backup
File s3://test/backup deleted
Sync a directory
# s3cmd sync ./back s3://test/back

Options that can be used with sync:
--delete-removed : remove files from the bucket that have been removed from the local directory.
--skip-existing : don't re-upload files that already exist in the destination.

--exclude / --include : standard shell-style wildcards, enclose them in apostrophes to avoid their expansion by the shell. For example --exclude 'x*.jpg' will match x12345.jpg but not abcdef.jpg.
--rexclude / --rinclude : regular expression version of the above. Much more powerful way to create match patterns. I realise most users have no clue about RegExps, which is sad. Anyway, if you're one of them and can get by with shell style wildcards just use --exclude/--include and don't worry about --rexclude/--rinclude. Or read some tutorial on RegExps, such a knowledge will come handy one day, I promise ;-)
--exclude-from / --rexclude-from / --(r)include-from : Instead of having to supply all the patterns on the command line, write them into a file and pass that file's name as a parameter to one of these options. For instance --exclude '*.jpg' --exclude '*.gif' is the same as --

Tuesday, April 29, 2014

SSH-Tunneling

Main Options we use in ssh tunneling
-L [bind_address:]port:host:hostport

Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax: [bind_address/]port/host/hostport or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of "localhost" indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces.

 
-N Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).


-R [bind_address:]port:host:hostport

Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine.


Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded only when logging in as root on the remote machine. IPv6 addresses can be specified by enclosing the address in square braces or using an alternative syntax: [bind_address/]host/port/hostport.

By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server’s GatewayPorts option is enabled (see sshd_config(5)).

If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the client at run time.

-f Requests ssh to go to background just before command execution.

This is useful if ssh is going to ask for passwords or passphrases, but the user wants it in the background. This implies -n. The recommended way to start X11 programs at a remote site is with something like ssh -f host xterm.

If the ExitOnForwardFailure configuration option is set to "yes", then a client started with -f will wait for all remote port forwards to be successfully established before placing itself in the background.

 

Difference between reverse tunneling and normal tunneling.

SSH-Tunnel

Normal tunneling

ssh -L 8888:www.linux.ro:80 user@computer -N

ssh -L 8888:www.linux.ro:80 -L 110:mail.linux.ro:110 \
    -L 25:mail.linux.ro:25 user@computer -N

The second example (see above) shows you how to set up your ssh tunnel for web, pop3 and smtp. It is useful to receive/send your e-mails when you don't have direct access to the mail server.

 

For the ASCII art and lynx browser fans, here is the first example illustrated:

+------------+              +------------+              o----------------+
| SSH client |<--port 22--->| ssh_server |<--port 80--->|      host      |
+------------+              +------------+              o----------------+
localhost:8888                 computer                  www.linux.ro:80

 

 

For example, if the remote server in question was myserver.example.com you could run the following command on your local system to create a tunnel as described above:

 

ssh -T -N -L 3308:localhost:3306 myserver.example.com

The meat of the command is the -L option, which tells ssh to listen on port 3308 locally and then on the remote side to forward all traffic on that port to localhost:3306. Note that the localhost here is not referring to the local system but rather where to forward things to on the remote side, in this case to localhost on the remote side.

 

ssh -T -N -L 3308:private.local:3306 myserver.example.com

Here, ssh listens on port 3308 on the local system and forwards that data to port 3306 on private.local, but it does so via the server myserver.example.com. In other words, the local traffic on port 3308 is transferred first to the remote system, which then transfers it to port 3306 on private.local. Of course, if private.local's mysql server is only listening on its local interface this won't work; you'll need something more involved.

 

ssh -R 9001:intra-site.com:80 home (executed from 'work')

Once executed, the SSH client at 'work' connects to the SSH server running at 'home', creating an SSH channel. The server then binds port 9001 on the 'home' machine to listen for incoming requests, which are subsequently routed through the SSH channel between 'home' and 'work'. Now it is possible to browse the internal site by visiting http://localhost:9001 in the 'home' web browser: 'work' creates a connection to intra-site and relays the response back to 'home' via the SSH channel.
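As an added example (not from the original post), a small POSIX shell helper that classifies where a -L/-R forward spec of the form [bind_address:]port:host:hostport will listen, and refuses to build a tunnel whose listening socket would be exposed on all interfaces (empty or '*' bind_address); it also sets ExitOnForwardFailure so that -f does not background a tunnel that failed to bind. Only the colon syntax, with bracketed IPv6 literals, is handled; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: classify where an ssh -L/-R
# forward spec "[bind_address:]port:host:hostport" will listen, and build a
# tunnel command that refuses to expose the listening port on all interfaces.

# Print one of: default, loopback, all-interfaces, specific, invalid
forward_scope() {
    spec=$1
    # IPv6 literals in [brackets] contain ':'; replace them before counting fields
    stripped=$(printf '%s' "$spec" | sed 's/\[[^]]*]/X/g')
    fields=$(printf '%s' "$stripped" | awk -F: '{print NF}')
    case $fields in
        3) echo default; return 0 ;;   # no bind_address: -L follows GatewayPorts, -R is loopback
        4) ;;
        *) echo invalid; return 0 ;;
    esac
    # first field is the bind_address; unwrap a bracketed IPv6 literal
    case $spec in
        \[*) bind=${spec%%]*}; bind=${bind#\[} ;;
        *)   bind=${spec%%:*} ;;
    esac
    case $bind in
        ''|'*')                  echo all-interfaces ;;
        localhost|127.0.0.1|::1) echo loopback ;;
        *)                       echo specific ;;
    esac
}

# Build "ssh -f -N -o ExitOnForwardFailure=yes -L spec server".
# ExitOnForwardFailure makes -f wait for the forward to be established and
# fail loudly instead of backgrounding a tunnel that never bound its port.
tunnel_cmd() {
    spec=$1 server=$2
    scope=$(forward_scope "$spec")
    case $scope in
        invalid)        echo "bad forward spec: $spec" >&2; return 1 ;;
        all-interfaces) echo "refusing forward listening on all interfaces: $spec" >&2; return 1 ;;
    esac
    echo "ssh -f -N -o ExitOnForwardFailure=yes -L $spec $server"
}
```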

 

 

 

Monday, April 28, 2014

SVN access manager

To use SVN Access Manager you need at least:

a working subversion installation
a MySQL Database, version 4 or higher, a PostgreSQL 8 or higher database or an Oracle 10g or higher database
an Apache web server, version 2.0 or higher with DAV, mod_authz and SVN support
PHP version 5.2 or higher with working oci8 support if using Oracle database


Download the archive from http://sourceforge.net/projects/svn-access-mana/files/ and unpack it in a directory where the software can be accessed by your Apache web server. For our example do the following:
# mkdir /etc/svn
# mkdir /etc/svn-access-manager
# mkdir /usr/share/svn-access-manager
# chown apache:apache /etc/svn /etc/svn-access-manager
# cd /usr/share/svn-access-manager
# tar -xvzf svnaccessmanager-0.5.0.0.tar.gz

Setup a MySQL database and a database user

You need a database for SVN Access Manager and a user with full access to this database. To create the database, do the following as the root user of your MySQL database:

CREATE DATABASE svnadmin;

To create a user having access to this database, do the following as the root user of your MySQL database:

CREATE USER 'svnadmin'@'localhost' IDENTIFIED BY '*******';

GRANT USAGE ON *.* TO 'svnadmin'@'localhost' IDENTIFIED BY '*******'
WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0
MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

GRANT ALL PRIVILEGES ON `svnadmin`.* TO 'svnadmin'@'localhost';

After finishing the database work, continue with installing SVN Access Manager.

If you get an error "No database selected" during installation, check that the database user has sufficient rights to access and work with the database.

SVN-Subversion installation and configuration

Installing SVN

yum install mod_dav_svn subversion

Add the following to httpd.conf or to /etc/httpd/conf.d/subversion.conf:

LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

<Location /svn>
DAV svn
SVNParentPath /var/www/svn
AuthType Basic
AuthName "Subversion repositories"
AuthUserFile /etc/svn-auth-users
Require valid-user
</Location>

Creating users for accessing the SVN

htpasswd -cm /etc/svn-auth-users user1
New password:
Re-type new password:
Adding password for user user1

## Create user2 ##
htpasswd -m /etc/svn-auth-users user2
New password:
Re-type new password:
Adding password for user user2

Creating the directories and correcting permissions

mkdir /var/www/svn
cd /var/www/svn

Creating repositories

svnadmin create testrepo
chown -R apache.apache testrepo


## If you have SELinux enabled (you can check it with "sestatus" command) ##
## then change SELinux security context with chcon command ##

chcon -R -t httpd_sys_content_t /var/www/svn/testrepo

## Following enables commits over http ##
chcon -R -t httpd_sys_rw_content_t /var/www/svn/testrepo

Or else disable SELinux enforcement:
setenforce 0

Restart the service

systemctl restart httpd.service
## OR (CentOS / RHEL 6 and older) ##
service httpd restart
## OR ##
/etc/init.d/httpd restart

 

Friday, April 25, 2014

Linux Acl in detail

Let's assume we have /dev/sda1 mounted on /data1 and we want to enable the acl option.

Check the current filesystem settings (look at "Default mount options"):
[root@server ~]# tune2fs -l /dev/sda1

To enable ACLs on a filesystem, set the filesystem default and remount:
[root@server ~]# tune2fs -o acl /dev/sda1
[root@server ~]# mount -o remount,acl /data1
Use getfacl to view ACLs:

[root@server ~]# touch /data1/foo.txt
[root@server ~]# getfacl /data1/foo.txt
getfacl: Removing leading '/' from absolute path names
# file: data1/foo.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
Use setfacl to set ACLs: -m modifies and -x removes a given ACL entry.
Give user ram read+write+execute on a file:

[root@server ~]# setfacl -m u:ram:rwx /data1/foo.txt
give group peeps read+write on a file:
[root@server ~]# setfacl -m g:peeps:rw /data1/foo.txt
remove ram's ACL permissions:
[root@server ~]# setfacl -x u:ram /data1/foo.txt
set the default ACL permissions on a directory:
[root@server ~]# setfacl -m d:g:peeps:rw /data1/stuff/
revoke write permission for everyone:
[root@server ~]# setfacl -m m::rx /data1/foo.txt
When ACLs are present, an ls -l will show a plus sign to notify you:

[root@server ~]# ls -l /data1/foo.txt
-rw-rwxr--+ 1 root root 0 Dec 3 14:54 /data1/foo.txt
Note that the mv and cp -p commands will preserve ACLs. If you have defaults set on a parent directory, new files in that directory will inherit those settings.
If you want to remove all ACLs, reverting back to the base unix permissions of owner, group and other:

[root@server ~]# setfacl --remove-all /data1/foo.txt
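An added example (not from the original post) showing what the mask entry set above with m::rx actually does: it caps the rights of named users, named groups and the owning group, while the owner (user::) and other entries are not limited by it. The helper mirrors the #effective: lines getfacl prints; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: compute the effective rights
# getfacl reports ("#effective:" lines) by applying the mask entry
# (setfacl -m m::...) to a named user, named group or owning group entry.
# The owner (user::) and other:: entries are not limited by the mask.

# AND two rwx strings character by character: acl_effective rwx r-x -> r-x
acl_effective() {
    perm=$1 mask=$2 out=""
    i=1
    while [ "$i" -le 3 ]; do
        p=$(printf '%s' "$perm" | cut -c"$i")
        m=$(printf '%s' "$mask" | cut -c"$i")
        if [ "$p" = "$m" ] && [ "$p" != "-" ]; then out="$out$p"; else out="$out-"; fi
        i=$((i + 1))
    done
    echo "$out"
}

# Given a getfacl entry ("u:ram:rwx", "group::r--", "user::rw-", "other::r--")
# and the mask (e.g. "r-x" after setfacl -m m::rx), print the rights that apply.
acl_apply_mask() {
    entry=$1 mask=$2
    tag=${entry%%:*}
    qualifier=${entry#*:}; qualifier=${qualifier%%:*}
    perm=${entry##*:}
    case $tag in
        u|user)
            # owner entry (empty qualifier) is exempt; named users are masked
            if [ -z "$qualifier" ]; then echo "$perm"; else acl_effective "$perm" "$mask"; fi ;;
        g|group) acl_effective "$perm" "$mask" ;;   # owning group and named groups are masked
        o|other) echo "$perm" ;;                    # other is never masked
        *) echo "unknown entry: $entry" >&2; return 1 ;;
    esac
}
```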

Thursday, April 24, 2014

Flush Your Local DNS Cache

 

Windows Vista/Windows 7:
ipconfig /flushdns
Successfully flushed the DNS Resolver Cache.

Windows XP
ipconfig /flushdns
Successfully flushed the DNS Resolver Cache.

Mac OS X 10.5.2 and above
dscacheutil -flushcache

Mac OS X 10.5.1 and below
Click on the Finder icon in your dock. Open your Applications folder.
Inside the Applications folder, click on Utilities and then Terminal.
Type the following command in the Terminal window and press Enter:
lookupd -flushcache

Linux

nscd -i hosts
– Clear local DNS cache for current user.
nscd -I hosts
– Clear local DNS cache for all users.

Wednesday, April 23, 2014

Creating a custom Nagios function

Nagios Exit Codes

Exit Code   Status
0           OK
1           WARNING
2           CRITICAL
3           UNKNOWN
Create the Script to be added as the Plugin

#!/bin/bash
# Disk usage of / in percent; -P keeps df output on one line even for long device names
used_space=$(df -P / | awk 'NR==2 {print $5}' | sed 's/%//')

# Guard against an empty or non-numeric value (e.g. df failed)
if ! [[ "$used_space" =~ ^[0-9]+$ ]]; then
    echo "UNKNOWN - could not read disk usage for /"
    exit 3
fi

# Numeric comparisons: case patterns such as [1-84]* are character classes,
# not number ranges, so they cannot express 85 or 86-100 correctly
if [ "$used_space" -lt 85 ]; then
    echo "OK - $used_space% of disk space used."
    exit 0
elif [ "$used_space" -lt 86 ]; then
    echo "WARNING - $used_space% of disk space used."
    exit 1
elif [ "$used_space" -le 100 ]; then
    echo "CRITICAL - $used_space% of disk space used."
    exit 2
else
    echo "UNKNOWN - $used_space% of disk space used."
    exit 3
fi

Put the script in the same plugin directory as the other ones, /usr/lib/nagios/plugins/, and make it executable.

Add Your New Command to Nagios Checks on the Nagios Monitoring Server

Define the new command in /etc/nagios/objects/commands.cfg:
define command{
command_name usedspace_bash
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c usedspace_bash
}

Add your script to the NRPE configuration on the client host:
command[usedspace_bash]=/usr/lib/nagios/plugins/usedspace.sh

 

Add the service to the host's configuration, /etc/nagios/servers/<name-of-config>.cfg:
define service {
use generic-service
host_name Hostname
service_description Custom Disk Checker In Bash
check_command usedspace_bash
}
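An added variant (not the post's own script): the same disk check with warning and critical thresholds passed as -w/-c arguments, the way standard Nagios plugins take them, so one plugin serves several hosts without editing the script. The option letters, the -m mount-point flag and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the original post's plugin): disk usage check with
# warning/critical thresholds given as arguments, so NRPE can pass them
# from the command definition. Assumed usage: usedspace.sh -w 85 -c 90 -m /

# Map a used percentage and thresholds to a Nagios exit code (0/1/2/3)
# and print the matching status line on stdout.
classify_usage() {
    used=$1 warn=$2 crit=$3
    case $used in
        ''|*[!0-9]*) echo "UNKNOWN - disk usage not numeric: '$used'"; return 3 ;;
    esac
    if [ "$warn" -gt "$crit" ]; then
        echo "UNKNOWN - warning threshold $warn above critical $crit"; return 3
    fi
    if [ "$used" -ge "$crit" ]; then
        echo "CRITICAL - $used% of disk space used (>= $crit%)"; return 2
    elif [ "$used" -ge "$warn" ]; then
        echo "WARNING - $used% of disk space used (>= $warn%)"; return 1
    fi
    echo "OK - $used% of disk space used"; return 0
}

# Read the used percentage of a mount point; -P keeps one line per filesystem
disk_used_percent() {
    df -P "$1" | awk 'NR==2 {sub("%", "", $5); print $5}'
}

main() {
    warn=85 crit=90 mount=/
    while getopts 'w:c:m:' opt; do
        case $opt in
            w) warn=$OPTARG ;;
            c) crit=$OPTARG ;;
            m) mount=$OPTARG ;;
            *) echo "usage: $0 [-w warn] [-c crit] [-m mount]"; return 3 ;;
        esac
    done
    classify_usage "$(disk_used_percent "$mount")" "$warn" "$crit"
}

# When installed as usedspace.sh and run by NRPE, perform the check and exit
# with its status; when loaded under another name, only define the functions.
case $0 in
    *usedspace.sh) main "$@"; exit $? ;;
esac
```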

 

 

Tuesday, April 22, 2014

Adding ESXI to Nagios

yum install perl-Pod-Perldoc perl-CPAN openssl-devel
# wget http://dl.fedoraproject.org/pub/epel/6/i386/perl-Nagios-Plugin-0.35-1.el6.noarch.rpm
# wget http://mirror.centos.org/centos/6/os/i386/Packages/perl-Config-Tiny-2.12-7.1.el6.noarch.rpm
# wget http://mirror.centos.org/centos/6/os/i386/Packages/perl-Params-Validate-0.92-3.el6.i686.rpm
# rpm -ivh perl-Nagios-Plugin-0.35-1.el6.noarch.rpm perl-Config-Tiny-2.12-7.1.el6.noarch.rpm perl-Params-Validate-0.92-3.el6.i686.rpm
# cd /root
# tar xvzf VMware-vSphere-Perl-SDK-4.1.0-254719.i386.tar.gz
# cd vmware-vsphere-cli-distrib/
# ./vmware-install.pl

# cd /usr/lib/nagios/plugins/
Download check_esx3.pl from
http://exchange.nagios.org/components/com_mtree/attachment.php?link_id=2154&cf_id=29
and make it executable:
chmod +x check_esx3.pl


vim /usr/local/nagios/etc/objects/vmware.cfg
First define all your hosts as shown below

# Host esx01
define host{
use vmware-server
host_name esxi01
alias VMWare ESXi 01
address IP Address
}
define host{
use vmware-server
host_name esxi02
alias VMWare ESXi 02
address IP Address
}
# Similarly you can define all the hosts

# Now define a hostgroup for your Esxi Hosts:

define hostgroup{
hostgroup_name Esxi-Servers ; The name of the hostgroup
alias Vmware Servers ; Long name of the group
members esxi01,esxi02
}

# Now create the service definition as shown below
# check cpu
define service{
use generic-service
host_name esxi01
service_description ESXi CPU Load
check_command check_esx_cpu!80!90
}

# check memory usage
define service{
use generic-service
host_name esxi01
service_description ESXi Memory usage
check_command check_esx_mem!80!90
}

# check net
define service{
use generic-service
host_name esxi01
service_description ESXi Network usage
check_command check_esx_net!102400!204800
}

# check runtime status
define service{
use generic-service
host_name esxi01
service_description ESXi Runtime status
check_command check_esx_runtime
}

# check io read
define service{
use generic-service
host_name esxi01
service_description ESXi IO read
check_command check_esx_ioread!40!90
}

# check io write
define service{
use generic-service
host_name esxi01
service_description ESXi IO write
check_command check_esx_iowrite!40!90
}

Define the commands related to ESXi in the /usr/local/nagios/etc/objects/commands.cfg file

vim /usr/local/nagios/etc/objects/commands.cfg
# check vmware esxi machine
# check cpu
define command{
command_name check_esx_cpu
command_line $USER1$/check_esx -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l cpu -s usage -w $ARG1$ -c $ARG2$
}

# check memory usage
define command{
command_name check_esx_mem
command_line $USER1$/check_esx -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l mem -s usage -w $ARG1$ -c $ARG2$
}

# check net usage
define command{
command_name check_esx_net
command_line $USER1$/check_esx -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l net -s usage -w $ARG1$ -c $ARG2$
}

# check runtime status
define command{
command_name check_esx_runtime
command_line $USER1$/check_esx -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l runtime -s status
}

# check io read
define command{
command_name check_esx_ioread
command_line $USER1$/check_esx -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l io -s read -w $ARG1$ -c $ARG2$
}

# check io write
define command{
command_name check_esx_iowrite
command_line $USER1$/check_esx -H $HOSTADDRESS$ -u $USER11$ -p $USER12$ -l io -s write -w $ARG1$ -c $ARG2$
}

Adding the configuration to Nagios: add the following line to /usr/local/nagios/etc/nagios.cfg

vim /usr/local/nagios/etc/nagios.cfg
cfg_file=/usr/local/nagios/etc/objects/vmware.cfg

Tuesday, April 15, 2014

Openssl-heartbleed-fix

Downloading and updating OpenSSL.

cd /usr/src
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -zxf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config shared
make
make test
make install
cd /usr/src
rm -rf openssl-1.0.1g.tar.gz
rm -rf openssl-1.0.1g

To overwrite the currently installed OpenSSL instead, use the following config mode, then restart every service that links against the library so it picks up the new version.

./config --prefix=/usr --openssldir=/usr/local/openssl shared

 

Sunday, April 13, 2014

Ubuntu - DNS - setting it to static and dynamic

In case of static:

cat /etc/network/interfaces
# The loopback network interface  
auto lo
iface lo inet loopback


# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.58
gateway 192.168.1.1
network 192.168.1.0
broadcast 192.168.1.255
dns-nameservers 66.212.63.228 66.212.48.10

Setting it to DHCP:

iface eth0 inet dhcp

 

Friday, April 11, 2014

Mod-Security Installing Along with - Open Source Rules

Installing Mod Security.

## For RHEL/CentOS 6.2/6.1/6/5.8 ##

Installing the needed packages

yum install gcc make
yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel

Installing the Mod-Security

## For RHEL/CentOS 6.2/6.1/6/5.8 ##
cd /usr/src
wget http://www.modsecurity.org/download/modsecurity-apache_2.6.6.tar.gz
tar xzf modsecurity-apache_2.6.6.tar.gz
cd modsecurity-apache_2.6.6
./configure
make install
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

Adding the Mod-Security module to Apache

# vi /etc/httpd/conf/httpd.conf
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

[root@54 modsecurity-apache_2.6.6]# httpd -t -D DUMP_MODULES |grep sec
security2_module (shared)
Syntax OK
[root@54 modsecurity-apache_2.6.6]#

<IfModule security2_module>
Include conf.d/modsecurity.conf
</IfModule>

 

Adding new Mod-Security rules

OWASP core rule set

wget http://pkgs.fedoraproject.org/repo/pkgs/mod_security_crs/modsecurity-crs_2.2.5.tar.gz/aaeaa1124e8efc39eeb064fb47cfc0aa/modsecurity-crs_2.2.5.tar.gz
tar zxvf modsecurity-crs_2.2.5.tar.gz
mv modsecurity-crs_2.2.5 modsecurity-crs
mv modsecurity-crs /etc/httpd/conf.d/

Adding the rules to httpd

<IfModule security2_module>
Include conf.d/modsecurity.conf
Include conf.d/modsecurity-crs/activated_rules/*.conf
Include conf.d/modsecurity-crs/base_rules/*.conf
Include conf.d/modsecurity-crs/optional_rules/*.conf
Include conf.d/modsecurity-crs/slr_rules/*.conf
</IfModule>

More rules are available at
sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master

Now Mod Security is in detection mode. Once the rules are tuned, switch it to blocking mode.

[root@54 conf]# cat /etc/httpd/conf.d/modsecurity.conf |grep SecRuleEngine -i

SecRuleEngine DetectionOnly

# when SecRuleEngine is set to DetectionOnly mode in order to minimize

[root@54 conf]#

Change to

SecRuleEngine On

 

Thursday, April 10, 2014

Setting MySQL into read-only mode

Put the whole database server into read-only mode with these commands, at the MySQL prompt:

FLUSH TABLES WITH READ LOCK;
SET GLOBAL read_only = 1;

and back to normal mode with:
SET GLOBAL read_only = 0;
UNLOCK TABLES;

Keep that session open: the read lock is released as soon as the session that issued FLUSH TABLES disconnects, and read_only does not restrict accounts with the SUPER privilege.

Wednesday, April 9, 2014

Git master / client configuration

First make sure that the git master server and the client server can connect to each other and have proper hostnames set. The master and client should also be able to reach each other without a password.

Making sure that master and client know each other:

echo "x.x.x.x master.gitserver.com" >> /etc/hosts
echo "x.x.x.x client.gitserver.com" >> /etc/hosts

Setting the hostname (on the respective machine):

hostname master.gitserver.com
hostname client.gitserver.com

Making sure master and client can connect to each other without a password:

Use ssh-keygen and ssh-copy-id to get this done, or follow the blog post http://enekumvenamorublog.wordpress.com/2013/05/17/creating-password-free-connection-between-two-servers-connecting-to-server-a-with-a-private-key/

Create a user git on both servers and use that user for the process, to keep the security up.

Once this is done, make the Git repo directory:

mkdir /home/git/GIT-Projects

Inside that, make a directory for the project, e.g. proc1:

mkdir /home/git/GIT-Projects/proc1

Initialize the project directory as a bare repository:

cd /home/git/GIT-Projects/proc1
[git@master proc1]$ git init --bare
Initialized empty Git repository in /home/git/GIT-Projects/proc1/
[git@master proc1]$


Now at the client:

[git@client ~]$ mkdir /home/git/prod1
[git@client ~]$ cd /home/git/prod1
[git@client prod1]$ git init
Initialized empty Git repository in /home/git/prod1/.git/

[git@client prod1]$ git add .
[git@client prod1]$ touch {1..2}
[git@client prod1]$ git add *
[git@client prod1]$ git commit -m "First Commit"
[master (root-commit) c1b3efb] First Commit
Committer: git <git@client.gitserver.com>
Your name and email address were configured automatically based
on your username and hostname. Please check that they are accurate.
You can suppress this message by setting them explicitly:

git config --global user.name "Your Name"
git config --global user.email you@example.com

If the identity used for this commit is wrong, you can fix it with:

git commit --amend --author='Your Name <you@example.com>'

0 files changed, 0 insertions(+), 0 deletions(-)
create mode 100644 1
create mode 100644 2
[git@client prod1]$

[git@client prod1]$ git remote add origin git@master.gitserver.com:/home/git/GIT-Projects/proc1
[git@client prod1]$ git push origin master
Counting objects: 3, done.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 208 bytes, done.
Total 3 (delta 0), reused 0 (delta 0)
To git@master.gitserver.com:/home/git/GIT-Projects/proc1
* [new branch] master -> master
[git@client prod1]$


 


To push the local master branch to a differently named branch on the remote and set it as upstream:

git push -u origin master:anotherBranch



Tuesday, April 8, 2014

Puppet + CentOS - Master and Client

Configuring the Puppet master and client.

Follow the steps below on both master and client for the initial configuration.

Downloading and installing the EPEL repository RPM needed for Puppet:

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm


Installing the Puppet Server

yum install puppet-server

Installing the client

yum install puppet

Setting up the hostnames and making sure the master and client can connect to each other.

echo "
xxx.xxx.xxx.xxx master.puppet.com
xxx.xxx.xxx.xxx client.puppet.com
" >> /etc/hosts

ping -c 3 client.puppet.com
ping -c 3 master.puppet.com

Setting the iptables.

Either switch iptables off or open port 8140:

iptables -A INPUT -p tcp --dport 8140 -m state --state NEW,ESTABLISHED -j ACCEPT

Once the above settings are done on both server and client:

 

Start the server
[root@master ~]# /etc/init.d/puppetmaster restart
Stopping puppetmaster: [FAILED]
Starting puppetmaster: [ OK ]

Now from the client, request a certificate and wait for it to be signed:
[root@client ~]# puppetd --server=master.puppet.com --waitforcert 60 --test

The client now asks the master for a certificate, so we need to check and sign the client's certificate request from the master. Compare the fingerprint shown by puppetca --list with the one the client printed before signing.

[root@master ~]# puppetca --list
"client.puppet.com" (B7:B2:29:23:E9:D1:F1:BB:DB:EA:A4:76:E4:D2:67:63)

[root@master ~]# puppetca --sign client.puppet.com
notice: Signed certificate request for client.puppet.com
notice: Removing file Puppet::SSL::CertificateRequest client.puppet.com at '/var/lib/puppet/ssl/ca/requests/client.puppet.com.pem'

[root@master ~]# puppetca --list



If you have reached here without any error, then half of the job is done. Now we need to create the configuration for the clients on the master, in the /etc/puppet/manifests/site.pp file. A sample configuration is shown below.

Sample configuration

[root@master ~]# cat /etc/puppet/manifests/site.pp
# Create "/tmp/outside" on every node if it doesn't exist.
file { "/tmp/outside":
  ensure => present,
  mode   => '0644',
  owner  => root,
  group  => root,
}
# Create "/tmp/testfile" only on nodes that include this class.
class test_class {
  file { "/tmp/testfile":
    ensure => present,
    mode   => '0644',
    owner  => root,
    group  => root,
  }
}
package { 'httpd':
  ensure => installed,
}
service { 'httpd':
  ensure  => running,
  enable  => true,
  require => Package['httpd'],
}
# tell puppet on which client to run the class
node client {
  include test_class
}
[root@master ~]#

 

Sunday, April 6, 2014

Chrooting: changing the root password of a Linux install.

mount /dev/sda1 /mnt

then

chroot /mnt

then

passwd root

Sometimes chroot /mnt may not work because of your partition scheme, or because it cannot find zsh or bash; in that case you can run

chroot /mnt /bin/bash

Saturday, April 5, 2014

Tcpdump - Packet Analysing.

Tcpdump

The tcpdump command is also called a packet analyzer.

tcpdump works on most flavors of Unix. It allows us to save the packets that are captured for future analysis; the saved file can be read back with tcpdump itself, or with open source software like Wireshark, which reads tcpdump pcap files.

 

Display Available Interfaces

tcpdump -D

root@server [~]# tcpdump -D
1.venet0
2.any (Pseudo-device that captures on all interfaces)
3.lo
root@server [~]#

Capture Packets from Specific Interface

root@server [~]# tcpdump -i venet0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:00:42.331707 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735409106:3735409314, ack 2338129367, win 245, options [nop,nop,TS val 585670560 ecr 6439886], length 208
17:00:42.332608 IP server.ambazhathinkal.in.51256 > google-public-dns-a.google.com.domain: 9961+ PTR? 142.105.229.117.in-addr.arpa. (46)
17:00:42.366150 IP google-public-dns-a.google.com.domain > server.ambazhathinkal.in.51256: 9961 NXDomain 0/1/0 (135)
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
root@server [~]#

Capture Only N Number of Packets
root@server [~]# tcpdump -c 2 -i venet0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:03:14.203134 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735412498:3735412706, ack 2338129623, win 245, options [nop,nop,TS val 585822432 ecr 6591730], length 208
17:03:14.203745 IP server.ambazhathinkal.in.54248 > google-public-dns-a.google.com.domain: 58709+ PTR? 142.105.229.117.in-addr.arpa. (46)
2 packets captured
6 packets received by filter
0 packets dropped by kernel
root@server [~]#

Print Captured Packets in ASCII
root@server [~]# tcpdump -c 2 -A -i venet0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:04:06.388115 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735414290:3735414498, ack 2338130631, win 245, options [nop,nop,TS val 585874617 ecr 6643936], length 208
E.....@.@......Ju.i..........]
.....N3.....
"....e`.......{.jx.o....._../.......!#.[L.y..A.8.S.......P..c.....M.u^.......m.....i...: .........".Z/7.)M.@..s.
crU.#......c..u.xr2.5..R..-..Ge....d$~$.nHSQ^..4.5.9H.B%2N1..u..+......Kd...nUe...v.bF.C|V...\6.:..
17:04:06.391171 IP server.ambazhathinkal.in.40493 > google-public-dns-a.google.com.domain: 21091+ PTR? 142.105.229.117.in-addr.arpa. (46)
E..J..@.@......J.....-.5.6j.Rc...........142.105.229.117.in-addr.arpa.....
2 packets captured
6 packets received by filter
0 packets dropped by kernel
root@server [~]#

Display Captured Packets in HEX and ASCII

root@server [~]# tcpdump -c 2 -XX -i venet0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:05:08.618109 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735416610:3735416818, ack 2338132071, win 264, options [nop,nop,TS val 585936847 ecr 6706171], length 208
0x0000: 0004 ffff 0000 0000 0000 0000 0000 0800 ................
0x0010: 4510 0104 a8ce 4000 4006 066c 17ec 934a E.....@.@..l...J
0x0020: 75e5 698e 0016 cba6 dea5 ef22 8b5d 1067 u.i........".].g
0x0030: 8018 0108 dbb6 0000 0101 080a 22ec afcf ............"...
0x0040: 0066 53fb 78bd e9bd 17f8 ff6d f6e4 3fa9 .fS.x......m..?.
0x0050: e9a0 25b1 67f1 7440 ccc8 7e9c 30e4 dd9d ..%.g.t@..~.0...
0x0060: e5b0 c36a 615c 3c8f 9c37 e2a4 d023 5ddb ...ja\<..7...#].
0x0070: fa1c 4e11 8718 823e ca5e 0c8d 02f6 14c4 ..N....>.^......
0x0080: 1c5d 3d13 6dfa a241 4108 0eed 4aae 4ba2 .]=.m..AA...J.K.
0x0090: 3f87 78c6 0d0d d5fc dccb aed2 164e b06f ?.x..........N.o
0x00a0: 3f64 023d 5ad2 3782 578e 677d 53d5 2282 ?d.=Z.7.W.g}S.".
0x00b0: 7691 6e26 8766 1712 dd94 bac6 5f32 8127 v.n&.f......_2.'
0x00c0: c25e 39fa 1ae8 8590 8b2c 5c66 a72e ae6f .^9......,\f...o
0x00d0: e565 1885 b34a 8fb6 7831 7f53 03cb a124 .e...J..x1.S...$
0x00e0: ac09 cfe6 79fb 32b1 47f4 fc1e 815b d658 ....y.2.G....[.X
0x00f0: fb1d eaa4 193a 0aea c91a 0979 e60e 8f81 .....:.....y....
0x0100: b1f5 75e5 9ce9 0098 4b78 88e3 5c9f 6548 ..u.....Kx..\.eH
0x0110: 2400 f7d2 $...
17:05:08.618451 IP server.ambazhathinkal.in.41925 > google-public-dns-a.google.com.domain: 40716+ PTR? 142.105.229.117.in-addr.arpa. (46)
0x0000: 0004 ffff 0000 0000 0000 0000 0000 0800 ................
0x0010: 4500 004a afcf 4000 4011 cf8d 17ec 934a E..J..@.@......J
0x0020: 0808 0808 a3c5 0035 0036 184b 9f0c 0100 .......5.6.K....
0x0030: 0001 0000 0000 0000 0331 3432 0331 3035 .........142.105
0x0040: 0332 3239 0331 3137 0769 6e2d 6164 6472 .229.117.in-addr
0x0050: 0461 7270 6100 000c 0001 .arpa.....
2 packets captured
7 packets received by filter
0 packets dropped by kernel
root@server [~]#
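The first 16 bytes of each -XX dump above (0004 ffff 0000 ... 0800) are not an Ethernet header: venet0 is a "cooked" (LINUX_SLL) interface, and that pseudo-header carries the packet type (4 = sent by this host), the ARPHRD type 0xffff, an empty link address and the protocol 0x0800 for IPv4. The example below is added for this page (it is not tcpdump's code): it turns the DNS frame's -XX text back into bytes and decodes the SLL, IPv4, UDP and DNS layers, checking the IPv4 header checksum on the way. It assumes an IPv4/UDP DNS query, as in this capture; TCP payloads such as the SSH frame are not decoded.

```python
"""Decode one frame of `tcpdump -XX` output from a LINUX_SLL ("Linux cooked")
interface such as venet0: 16-byte SLL header, then IPv4, UDP and the DNS
question.  Added example for this page, not tcpdump's code."""
import re
import struct

# The PTR query from the -XX output above, copied verbatim.
SAMPLE_XX = """\
0x0000: 0004 ffff 0000 0000 0000 0000 0000 0800 ................
0x0010: 4500 004a afcf 4000 4011 cf8d 17ec 934a E..J..@.@......J
0x0020: 0808 0808 a3c5 0035 0036 184b 9f0c 0100 .......5.6.K....
0x0030: 0001 0000 0000 0000 0331 3432 0331 3035 .........142.105
0x0040: 0332 3239 0331 3137 0769 6e2d 6164 6472 .229.117.in-addr
0x0050: 0461 7270 6100 000c 0001 .arpa.....
"""

# SLL packet type: 4 means the frame was sent by this host.
SLL_PKTTYPE = {0: "host", 1: "broadcast", 2: "multicast", 3: "otherhost", 4: "outgoing"}
HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")

def hexdump_to_bytes(text):
    """Raw bytes from -X/-XX lines.  At most 8 tokens after the offset are
    read and reading stops at the first non-hex one (the ASCII column)."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:9]:
            if not HEX_GROUP.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def inet_checksum(data):
    """RFC 1071 checksum; 0 over an intact header that includes its own field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def read_name(buf, off):
    """RFC 1035 name at buf[off:], following compression pointers (seen in
    responses).  Returns (name, offset just past the name in the stream)."""
    labels, resume, seen = [], None, set()
    while True:
        if off in seen:
            raise ValueError("compression pointer loop")
        seen.add(off)
        length = buf[off]
        if length & 0xC0 == 0xC0:                       # 2-byte pointer
            resume = off + 2 if resume is None else resume
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if resume is None else resume)

def decode_dns_question(payload):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    qname, off = read_name(payload, 12)
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "recursion_desired": bool(flags & 0x0100), "qdcount": qd, "ancount": an,
            "qname": qname, "qtype": qtype, "qclass": qclass, "payload_len": len(payload)}

def decode_cooked_frame(hexdump_text):
    """-XX text -> nested dict with the SLL, IPv4, UDP and DNS fields."""
    frame = hexdump_to_bytes(hexdump_text)
    pkttype, hatype, _halen, _addr, proto = struct.unpack("!HHH8sH", frame[:16])
    out = {"frame_len": len(frame),
           "sll": {"pkttype": SLL_PKTTYPE.get(pkttype, pkttype), "hatype": hatype, "proto": proto}}
    if proto != 0x0800:                                 # only IPv4 is decoded here
        return out
    ip = frame[16:]
    vihl, _tos, total_len, _id, frag, ttl, ipproto, _ck, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    out["ipv4"] = {"ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": ipproto,
                   "dont_fragment": bool(frag & 0x4000),
                   "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
                   "checksum_ok": inet_checksum(ip[:ihl]) == 0}
    if ipproto != 17:                                   # UDP only; TCP is left out
        return out
    l4 = ip[ihl:total_len]
    sport, dport, ulen, _ucksum = struct.unpack("!HHHH", l4[:8])
    out["udp"] = {"sport": sport, "dport": dport, "len": ulen}
    if 53 in (sport, dport):
        out["dns"] = decode_dns_question(l4[8:ulen])
    return out

if __name__ == "__main__":
    import json
    print(json.dumps(decode_cooked_frame(SAMPLE_XX), indent=2))
```

Run as a script it prints the decoded frame as JSON: packet type outgoing, 23.236.147.74 to 8.8.8.8, UDP 41925 to 53, transaction id 40716 and the question 142.105.229.117.in-addr.arpa PTR, i.e. exactly the one-line summary tcpdump printed for that packet, and the 46-byte payload length tcpdump shows in parentheses. That PTR query is tcpdump's own reverse lookup of the SSH peer, the reason -n is used later on this page.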
Capture and Save Packets in a File
tcpdump can write the raw packets to a file in pcap format with the -w option, for later analysis with tcpdump -r or any other pcap-aware tool. While -w is in effect nothing is decoded on screen; only the packet counts are printed when the capture stops.

root@server [~]# tcpdump -w capture.pcap -i venet0 -c 2
tcpdump: listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@server [~]#

Read Captured Packets File
root@server [~]# tcpdump -r capture.pcap
reading from file capture.pcap, link-type LINUX_SLL (Linux cooked)
17:08:38.806091 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735422754:3735422882, ack 2338135191, win 301, options [nop,nop,TS val 586147035 ecr 6916384], length 128
17:08:39.017626 IP 117.229.105.142.52134 > server.ambazhathinkal.in.ssh: Flags [.], ack 4294967248, win 350, options [nop,nop,TS val 6916625 ecr 586146889], length 0
root@server [~]#

Show IP addresses instead of hostnames (-n)
By default tcpdump resolves every address it prints with a reverse (PTR) lookup. The queries to google-public-dns-a.google.com for 142.105.229.117.in-addr.arpa that keep appearing in the captures above are those lookups, generated by tcpdump itself. -n switches name resolution off (-nn also leaves port numbers numeric), so the capture does not add traffic of its own, does not stall on slow resolvers, and does not tell the DNS server which addresses you are looking at.
root@server [~]# tcpdump -n -i venet0 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:10:08.004118 IP 23.236.147.74.ssh > 117.229.105.142.52134: Flags [P.], seq 3735427426:3735427634, ack 2338139127, win 320, options [nop,nop,TS val 586236233 ecr 7005529], length 208
17:10:08.005101 IP 23.236.147.74.ssh > 117.229.105.142.52134: Flags [P.], seq 208:432, ack 1, win 320, options [nop,nop,TS val 586236234 ecr 7005529], length 224
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@server [~]#

Capture only packets of a specific protocol type
The filter expression can be restricted to one protocol. The protocol qualifiers tcpdump accepts are ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp.
Capture only TCP Packets.
root@server [~]# tcpdump tcp -n -i venet0 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:11:07.476977 IP 23.236.147.74.ssh > 117.229.105.142.52134: Flags [P.], seq 3735429474:3735429682, ack 2338140615, win 339, options [nop,nop,TS val 586295706 ecr 7065032], length 208
17:11:07.478077 IP 23.236.147.74.ssh > 117.229.105.142.52134: Flags [P.], seq 208:432, ack 1, win 339, options [nop,nop,TS val 586295707 ecr 7065032], length 224
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@server [~]#
Capture Packet from Specific Port
root@server [~]# tcpdump -i venet0 -c 2 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:13:27.897094 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735436786:3735436994, ack 2338145415, win 376, options [nop,nop,TS val 586436126 ecr 7205457], length 208
17:13:27.931104 IP 117.229.105.142.52134 > server.ambazhathinkal.in.ssh: Flags [.], ack 4294967200, win 350, options [nop,nop,TS val 7205530 ecr 586435792], length 0
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@server [~]#

Capture Packets from source IP
root@server [~]# tcpdump -i venet0 -c 2 src 117.229.105.142
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:14:30.811557 IP 117.229.105.142.52134 > server.ambazhathinkal.in.ssh: Flags [.], ack 3735438258, win 350, options [nop,nop,TS val 7268377 ecr 586498643], length 0
17:14:30.821445 IP 117.229.105.142.52134 > server.ambazhathinkal.in.ssh: Flags [.], ack 209, win 349, options [nop,nop,TS val 7268418 ecr 586498679], length 0
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@server [~]#

Capture Packets from destination IP
root@server [~]# tcpdump -i venet0 -c 2 dst 117.229.105.142
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:15:21.742231 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735440594:3735440802, ack 2338147527, win 376, options [nop,nop,TS val 586549971 ecr 7319311], length 208
17:15:21.780917 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 208:448, ack 1, win 376, options [nop,nop,TS val 586550009 ecr 7319311], length 240
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@server [~]#
Capture packets with a full date and time stamp (-tttt)

root@server [~]# tcpdump -i venet0 -c 2 -tttt
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
2014-04-05 17:16:45.037856 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735441874:3735442082, ack 2338147959, win 376, options [nop,nop,TS val 586633266 ecr 7402589], length 208
2014-04-05 17:16:45.038158 IP server.ambazhathinkal.in.46789 > google-public-dns-a.google.com.domain: 39807+ PTR? 142.105.229.117.in-addr.arpa. (46)
2 packets captured
6 packets received by filter
0 packets dropped by kernel
root@server [~]#

Capture packets of at least N bytes (greater N)
greater N is the same as the expression len >= N: it matches packets whose length is N or more (less N is len <= N). With N = 10 almost everything matches; a threshold such as greater 1000 is what picks out full-size data packets.
root@server [~]# tcpdump -i venet0 greater 10 -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:19:20.122230 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3735948930:3735949138, ack 2338151511, win 376, options [nop,nop,TS val 586788351 ecr 7557672], length 208
17:19:20.122730 IP server.ambazhathinkal.in.59146 > google-public-dns-a.google.com.domain: 31990+ PTR? 142.105.229.117.in-addr.arpa. (46)
2 packets captured
6 packets received by filter
0 packets dropped by kernel
root@server [~]#

tcpdump Filter Packets: capture all packets other than ARP and RARP (not arp and not rarp)
On an Ethernet interface this removes the ARP chatter. venet0 is a point-to-point interface without ARP, so here the filter changes nothing and the output matches an unfiltered capture.

root@server [~]# tcpdump -i venet0 not arp and not rarp -c 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:30:41.794859 IP server.ambazhathinkal.in.ssh > 117.229.105.142.52134: Flags [P.], seq 3736055922:3736056130, ack 2338154311, win 395, options [nop,nop,TS val 587470023 ecr 8239360], length 208
17:30:41.795163 IP server.ambazhathinkal.in.56375 > google-public-dns-a.google.com.domain: 62843+ PTR? 142.105.229.117.in-addr.arpa. (46)
2 packets captured
6 packets received by filter
0 packets dropped by kernel
root@server [~]#
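Putting the -w/-r sections and the filter sections together: the example below is added for this page (it is not tcpdump's code). It writes Linux-cooked frames in the pcap format that tcpdump -w produces, reads them back the way tcpdump -r does, and implements file-side equivalents of the port, src, dst and greater filters used above. The two frames are the SSH and DNS packets from the -XX output, copied as hex; the timestamps and the in-memory file are constructed. It also models the snapshot-length truncation that tcpdump's -s option (the "capture size" in its banner) governs.

```python
"""Write Linux-cooked (LINUX_SLL) frames to a pcap file as `tcpdump -w` does,
read them back as `tcpdump -r` does, and apply the page's capture filters
(port, src/dst host, greater) to the stored packets.  Added example for this
page, not tcpdump code.  The two frames are the SSH and DNS packets from the
-XX output above, copied as hex; the timestamps are made up."""
import io
import struct

LINKTYPE_LINUX_SLL = 113       # tcpdump prints this as "link-type LINUX_SLL"
PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps (0xA1B23C4D = nanoseconds)

SSH_FRAME = bytes.fromhex("".join([
    "0004ffff000000000000000000000800", "45100104a8ce40004006066c17ec934a",
    "75e5698e0016cba6dea5ef228b5d1067", "80180108dbb600000101080a22ecafcf",
    "006653fb78bde9bd17f8ff6df6e43fa9", "e9a025b167f17440ccc87e9c30e4dd9d",
    "e5b0c36a615c3c8f9c37e2a4d0235ddb", "fa1c4e118718823eca5e0c8d02f614c4",
    "1c5d3d136dfaa24141080eed4aae4ba2", "3f8778c60d0dd5fcdccbaed2164eb06f",
    "3f64023d5ad23782578e677d53d52282", "76916e2687661712dd94bac65f328127",
    "c25e39fa1ae885908b2c5c66a72eae6f", "e5651885b34a8fb678317f5303cba124",
    "ac09cfe679fb32b147f4fc1e815bd658", "fb1deaa4193a0aeac91a0979e60e8f81",
    "b1f575e59ce900984b7888e35c9f6548", "2400f7d2"]))
DNS_FRAME = bytes.fromhex("".join([
    "0004ffff000000000000000000000800", "4500004aafcf40004011cf8d17ec934a",
    "08080808a3c500350036184b9f0c0100", "00010000000000000331343203313035",
    "033232390331313707696e2d61646472", "046172706100000c0001"]))

def write_pcap(fp, records, linktype=LINKTYPE_LINUX_SLL, snaplen=65535):
    """records: (ts_sec, ts_usec, frame) tuples.  Little-endian pcap 2.4, as
    libpcap writes on x86; frames beyond snaplen are cut, like tcpdump -s."""
    fp.write(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, frame in records:
        kept = frame[:snaplen]
        fp.write(struct.pack("<IIII", ts_sec, ts_usec, len(kept), len(frame)))
        fp.write(kept)

def read_pcap(fp):
    """Return (linktype, [(ts_sec, ts_usec, frame, orig_len), ...]).  The magic
    fixes the byte order, so files written on big-endian hosts read too."""
    magic = fp.read(4)
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(magic)
    if end is None:
        raise ValueError("not a microsecond-resolution pcap file: %r" % magic)
    linktype = struct.unpack(end + "HHiIII", fp.read(20))[5]
    records = []
    while True:
        hdr = fp.read(16)
        if len(hdr) < 16:                      # end of file
            break
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", hdr)
        frame = fp.read(incl_len)
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        records.append((ts_sec, ts_usec, frame, orig_len))
    return linktype, records

def ip_addrs(frame):
    """(src, dst) of a cooked IPv4 frame, else None.  The SLL protocol field is
    bytes 14-15 and the IPv4 header starts at byte 16."""
    if len(frame) < 36 or frame[14:16] != b"\x08\x00":
        return None
    return ".".join(map(str, frame[28:32])), ".".join(map(str, frame[32:36]))

def l4_ports(frame):
    """(ip proto, src port, dst port) for IPv4 TCP/UDP, else None.  Both
    transports start with the two 16-bit ports, so one unpack serves both."""
    if ip_addrs(frame) is None:
        return None
    ihl, proto = (frame[16] & 0x0F) * 4, frame[25]
    if proto not in (6, 17) or len(frame) < 20 + ihl:
        return None
    return (proto,) + struct.unpack("!HH", frame[16 + ihl:20 + ihl])

# File-side equivalents of the capture filters used on this page.
def port(n):
    return lambda f: l4_ports(f) is not None and n in l4_ports(f)[1:]

def src_host(addr):
    return lambda f: (ip_addrs(f) or (None, None))[0] == addr

def dst_host(addr):
    return lambda f: (ip_addrs(f) or (None, None))[1] == addr

def greater(n):
    return lambda f: len(f) >= n               # BPF 'greater N' means len >= N

def select(records, pred):
    """Frames from read_pcap() records that satisfy pred, like -r plus a filter."""
    return [rec[2] for rec in records if pred(rec[2])]

def roundtrip(frames, snaplen=65535):
    """tcpdump -w followed by tcpdump -r, in memory (timestamps are made up)."""
    buf = io.BytesIO()
    write_pcap(buf, [(1396699508 + i, 0, f) for i, f in enumerate(frames)], snaplen=snaplen)
    buf.seek(0)
    return read_pcap(buf)
```

The link type in the global header is what makes such a file readable: a cooked capture must be stored with link type 113 (LINUX_SLL); tagging it as 1 (Ethernet) would make tcpdump -r and every other decoder misread the first 16 bytes of each frame. The orig_len field is how a reader notices packets that were cut short by a small snaplen; older tcpdump releases defaulted to a far smaller snapshot length than the 65535 bytes shown in the banners above, so pass -s 0 or an explicit size when a complete payload matters.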

Summary of the commands used above:

tcpdump -D
tcpdump -i venet0
tcpdump -i venet0 -c 2
tcpdump -i venet0 -c 5 -vv
tcpdump -c 2 -A -i venet0
tcpdump -c 2 -XX -i venet0
tcpdump -w capture.pcap -i venet0 -c 2
tcpdump -r capture.pcap
tcpdump -n -i venet0 -c 2
tcpdump tcp -n -i venet0 -c 2
tcpdump -i venet0 -c 2 port 22
tcpdump -i venet0 -c 2 src 117.229.105.142
tcpdump -i venet0 -c 2 dst 117.229.105.142
tcpdump -i venet0 -c 2 -tttt
tcpdump -i venet0 greater 10 -c 2
tcpdump -i venet0 not arp and not rarp -c 2

Tuesday, April 1, 2014

Convert a text file to all lower case or all upper case

To convert a file (input.txt) to all lower case (output.txt), choose any ONE of the following:
dd
$ dd if=input.txt of=output.txt conv=lcase

awk

$ awk '{ print tolower($0) }' input.txt > output.txt

perl
$ perl -pe '$_= lc($_)' input.txt > output.txt

sed
$ sed -e 's/\(.*\)/\L\1/' input.txt > output.txt

The backreference \1 refers to the whole line and \L converts it to lower case (\U, used below, converts to upper case). \L and \U are GNU sed extensions; on BSD or macOS sed use one of the other commands. With every variant, output.txt must be a different file from input.txt: the shell truncates the redirection target before the command reads its input. Note also that dd converts single bytes, so multibyte (for example UTF-8) letters are left unchanged.
To convert a file (input.txt) to all upper case (output.txt):

dd
$ dd if=input.txt of=output.txt conv=ucase

awk

$ awk '{ print toupper($0) }' input.txt > output.txt

perl
$ perl -pe '$_= uc($_)' input.txt > output.txt

sed
$ sed -e 's/\(.*\)/\U\1/' input.txt > output.txt