fdisk /dev/<partitionname>
. Eg:% fdisk /dev/hdb1
mkfs -t ext3 /dev/<partitionname>
. Eg:% mkfs -t ext3 /dev/hdb1
fsck -f -y /dev/<partitionname>
. Eg:% fsck -f -y /dev/hdb1
/data
), then mount. Eg: % mkdir /data % mount /dev/hdb1 /data
/etc/fstab
for automatic mounting. Eg:/dev/hdb1 /data ext3 defaults 1 1
Setup some basic aliases for users to have a simpler navigation at the command line. Add the following commands to /etc/profile.d/sysaliases.sh
:
alias l='ls -l' # display file list in long format alias ll='ls -la' # display file list in long format and include all files (hidden as well) alias cls=clear # clear the screen
Alternatively, you can add these commands at the end of file /etc/bashrc
.
chfn
to change user finger information (full name, office, phone, etc). chsn
to change user login shell.finger
username
to view the current finger information. For example:$ finger jdoe Login: jdoe Name: John Doe Directory: /home/jdoe Shell: /bin/bash Office: Software Development, 211 On since Mon Aug 14 09:29 (EDT) on pts/0 from 192.168.0.3 No mail. No Plan.
Create .htaccess
file
< protectedfolder >
is where the actual folder name is going to beAuthUserFile
should ideally be outside of the webserver root.AuthType Basic AuthName "Only for Authenticated Users. Please contact your sales representative for a username and password" AuthUserFile /data/www/html/<protectedfolder>/.htpasswd <Limit GET> # Require an authenticated user Require valid-user # Or require local IP address (no authentication) Require ip 192.168.0.0/255.255.255.0 </Limit>
Create a password file and add a user:
% cd /data/www/html/<protectedfolder> % htpasswd -c .htpasswd <username>
Only add a username and password (no creation of password file):
% cd /data/www/html/<protectedfolder> % htpasswd .htpasswd <username>
Source: Apache Tutorial: htaccess Files 1)
When you put configuration directives in a .htaccess
file, and you don't get the desired effect, there are a number of things that may be going wrong.
Most commonly, the problem is that AllowOverride
is not set such that your configuration directives are being honored. Make sure that you don't have a AllowOverride None
in effect for the file scope in question. A good test for this is to put garbage in your .htaccess
file and reload. If a server error is not generated, then you almost certainly have AllowOverride None
in effect.
If, on the other hand, you are getting server errors when trying to access documents, check your Apache error log. It will likely tell you that the directive used in your .htaccess file is not permitted. Alternately, it may tell you that you had a syntax error, which you will then need to fix.
Look for this statement (and comment it out) in file /etc/httpd/conf/httpd.conf
(or /etc/apache2/sites-available/default
in Ubuntu). It should be:
#AllowOverride None
Some pages will display characters incorrectly. The character encoding might need to be changed from the default UTF-8
to the following (file /etc/httpd/conf/httpd.conf
):
AddDefaultCharset ISO-8859-1
For installations with PHP 5.1 or higher, this step is not necessary since the filters are installed by default. For other installations, setup PHP filters using the following commands:
$ wget http://pecl.php.net/filter/get $ tar xzf filter-0.11.0 $ phpize $ ./configure $ make $ make install
Then edit /etc/php.ini
and add:
extension=filter.so
Restart the web server.
In case there is an error such as error: ext/pcre/php_pcre.h: No such file or directory
, install file php_pcre.h
in /usr/local/include/php/ext/pcre/
(or /usr/include/php5/ext/pcre
):
/* +----------------------------------------------------------------------+ | PHP Version 5 | +----------------------------------------------------------------------+ | Copyright (c) 1997-2006 The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | | available through the world-wide-web at the following url: | | http://www.php.net/license/3_01.txt | | If you did not receive a copy of the PHP license and are unable to | | obtain it through the world-wide-web, please send a note to | | license@php.net so we can mail you a copy immediately. | +----------------------------------------------------------------------+ | Author: Andrei Zmievski <andrei@php.net> | +----------------------------------------------------------------------+ */ /* $Id: php_pcre.h,v 1.44 2006/01/01 13:09:52 sniper Exp $ */ #ifndef PHP_PCRE_H #define PHP_PCRE_H #if HAVE_PCRE || HAVE_BUNDLED_PCRE #if HAVE_BUNDLED_PCRE #include "pcrelib/pcre.h" #else #include "pcre.h" #endif #if HAVE_LOCALE_H #include <locale.h> #endif PHP_FUNCTION(preg_match); PHP_FUNCTION(preg_match_all); PHP_FUNCTION(preg_replace); PHP_FUNCTION(preg_replace_callback); PHP_FUNCTION(preg_split); PHP_FUNCTION(preg_quote); PHP_FUNCTION(preg_grep); PHPAPI char *php_pcre_replace(char *regex, int regex_len, char *subject, int subject_len, zval *replace_val, int is_callable_replace, int *result_len, int limit, int *replace_count TSRMLS_DC); PHPAPI pcre* pcre_get_compiled_regex(char *regex, pcre_extra **extra, int *options TSRMLS_DC); PHPAPI pcre* pcre_get_compiled_regex_ex(char *regex, pcre_extra **extra, int *preg_options, int *coptions TSRMLS_DC); extern zend_module_entry pcre_module_entry; #define pcre_module_ptr &pcre_module_entry typedef struct { pcre *re; pcre_extra *extra; int preg_options; #if HAVE_SETLOCALE char *locale; unsigned const char *tables; #endif int compile_options; int refcount; } pcre_cache_entry; PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_len, pcre_extra **extra, int *preg_options, int *compile_options TSRMLS_DC); ZEND_BEGIN_MODULE_GLOBALS(pcre) HashTable pcre_cache; ZEND_END_MODULE_GLOBALS(pcre) #ifdef ZTS # define PCRE_G(v) TSRMG(pcre_globals_id, zend_pcre_globals *, v) #else # define PCRE_G(v) (pcre_globals.v) #endif #else #define pcre_module_ptr NULL #endif /* HAVE_PCRE || HAVE_BUNDLED_PCRE */ #define phpext_pcre_ptr pcre_module_ptr #endif /* PHP_PCRE_H */
For Apache, we need to get the following cert components:
.pfx
or .p12
):acme-cert-key-pair.pfx
.crt
or .pem
): acme-cert-pem.crt
.key
): acme-decrypted.key
.crt
): gd_bundle.crt
Get PFX file from Certificate Authority (CA), then extract cert and private key (encrypted and decrypted). Eg. for organization Acme:
#!/bin/bash # # Export the private key file from the pfx file echo "### Export the private key file from the pfx file" openssl pkcs12 -in acme-cert-key-pair.pfx -nocerts -out acme-encrypted.key # Remove the passphrase from the private key echo echo "### Remove the passphrase from the private key" openssl rsa -in acme-encrypted.key -out acme-decrypted.key # Export the certificate file from the pfx file echo echo "### Export the certificate file from the pfx file" openssl pkcs12 -in acme-cert-key-pair.pfx -clcerts -nokeys -out acme-cert-pem.crt
NOTE: The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.
When converting a PFX file to PEM format, OpenSSL will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END statments) to its own individual text file and save them as certificate.cer, CACert.cer, and privateKey.key respectively.
The PEM format is the most common format that Certificate Authorities issue certificates in. PEM certificates usually have extentions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–” statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.
Apache and other similar servers use PEM format certificates. Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files. (Source: https://www.sslshopper.com/ssl-converter.html)
Edit /etc/apache2/sites-available/default-ssl
to include:
# A self-signed (snakeoil) certificate can be created by installing # the ssl-cert package. See # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. # If both key and certificate are stored in the same file, only the # SSLCertificateFile directive is needed. # #--- Self-signed Certificate & Key --- ##SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem ##SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key #--- CA-signed Certificate & Key --- # Note: When Private Key is decrypted, it requires no password when restarting Apache SSLCertificateFile /etc/ssl/certs/acme-cert-pem.crt SSLCertificateKeyFile /etc/ssl/private/acme-decrypted.key ##SSLCertificateKeyFile /etc/ssl/private/acme-encrypted.key # Server Certificate Chain: # Point SSLCertificateChainFile at a file containing the # concatenation of PEM encoded CA certificates which form the # certificate chain for the server certificate. Alternatively # the referenced file can be the same as SSLCertificateFile # when the CA certificates are directly appended to the server # certificate for convinience. #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt SSLCertificateChainFile /etc/apache2/ssl.crt/ca-godaddy-bundle.crt
Restart Apache:
% /etc/init.d/apache2 restart
% tail -f /var/log/apache2/error.log
https
in the URL.
When getting a cert, a CA will request to submit a CSR file with the multiple domains that will be using the cert. This is how to create the CSR file using the SubjectAltName
method in OpenSSL, assuming we need it to certify domains acme.com www.acme.com secure.acme.com:
Create an OpenSSL custom config file /etc/ssl/mycerts/openssl.cnf
:
[ req ] default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name req_extensions = req_ext # The extentions to add to the self signed cert [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = US stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Florida localityName = Locality Name (eg, city) localityName_default = Longwood organizationName = Organization Name (eg, company) organizationName_default = Acme, Inc. commonName = Common Name (eg, YOUR name) commonName_default = www.acme.com commonName_max = 64 [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = acme.com DNS.2 = secure.acme.com
Generate the private key file
$ openssl genrsa -out acme.key 2048
Generate the CSR file
$ openssl req -new -newkey rsa:2048 -nodes -keyout acme.key -out acme.csr -config openssl.cnf
Verify CSR file
$ openssl req -text -noout -in acme.csr
Once you are happy with the settings in that file, you can submit it to the CA to generate the certificate for you.
See also:
Turning on/off enforcing at boot time 2):
You can specify the SELinux mode using the configuration file /etc/sysconfig/selinux
.
# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing # SELINUXTYPE= type of policy in use. Possible values are: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. SELINUXTYPE=targeted
Setting the value to enforcing is the same as adding enforcing=1
to your command line when booting the kernel to turn enforcing on, while setting the value to permissive is the same as adding enforcing=0
to turn enforcing off. Note that the command line kernel parameter overrides the configuration file.
However, setting the value to disabled is not the same as the selinux=0
kernel boot parameter. Rather than fully disabling SELinux in the kernel, the disabled setting instead turns enforcing off and skips loading a policy.
Register the Samba service to run at server boot time:
$ /sbin/chkconfig --level 35 smb on
Run the Samba service:
$ /sbin/service smb start
Add samba users. For example:
$ cd /etc/samba $ smbpasswd -a jdoe
NOTE: Make sure the samba user matches a Linux user, otherwise it will not create the samba user. If you do not wish to give the user shell access in Linux, just set the shell to /sbin/nologin
.
Test by connecting a client machine to the Samba server.
Linux
$ smbclient -L //server1 -d 3
Windows
C:\> net view \\server1 C:\> net use \\server1\data Enter the user name for 'server1': jdoe Enter the password for server1: ****
To disconnect from the share:
C:\> net use \\server1\data /delete
If after providing username and password there is no successful connection, and the error log in /var/log/samba/
machinename.log
shows
[2006/08/14 14:01:54, 0] smbd/service.c:make_connection_snum(911) ' ''ShareName'' ' does not exist or permission denied when connecting to [''ShareName''] Error was Permission denied
then you must configure SELinux to allow Windows XP client machines to connect correctly to those shares. Perform the following:
Source: Nazin Blog 3)
If you only share user home directories in Samba, then simply configure SELinux to allow that. There are two steps:
$ chcon -t samba_secrets_t /etc/samba/smbpasswd $ chcon -t samba_secrets_t /etc/samba/secrets.tdb
booleans.local
file (usually at /etc/selinux/targeted/booleans.local
):samba_enable_home_dirs=1
This solution works perfectly, but only when sharing just user home directories. When sharing other paths, this solution is incomplete. You would need to disable SELinux for Samba.
Source: Nazin Blog 4)
Although there might be other ways to configure SELinux to allow Samba to share other paths, a quick solution is to simply disable SELinux for the Samba daemon only.
Perform the following commands once:
$ setsebool -P smbd_disable_trans 1 $ /sbin/service smb restart
The setsebool
command, with the -P option, will actually write this entry into the booleans.local
file for you, to make it permanent.
Start the mysql service:
$ /sbin/service mysqld start
Register the mysql service to start up at boot time:
$ /sbin/chkconfig --level 35 mysqld on
Create a password for root user:
$ /usr/bin/mysqladmin -u root password 'new-password' $ /usr/bin/mysqladmin -u root -h server1.mydomain.com password 'new-password'
To connect to Linux's desktop remotely, use VNC Server on the Linux machine, and VNC Viewer on the client machine (Windows workstation).
On the Linux server, connect (ssh, telnet, etc.) with the desired user, then run the VNC Server:
$ vncserver
server1.example.com:1
On the client machine, you have a choice on how to connect:
http://server1.example.com:5801/
using the password. Note: the number 1 means the display connection number, so if you connected as display 7, the port should be 5807.C:\Apps\VNC\> vncviewer.exe
Configure VNC to Load Automatically
Edit the file /etc/sysconfig/vncserver
to include all the users and their respective display settings. For example, we want the vncserver to boot automatically for users mayr and joel with displays 2 and 3 respectively, we would do the following:
# # /etc/sysconfig/vncserver # #The VNCSERVERS variable is a list of display:user pairs. # separated by spaces, eg: VNCSERVERS="1:joe 2:jill" # # Uncomment the line below to start a VNC server on display :1 # as my 'myusername' (adjust this to your own). You will also # need to set a VNC password; run 'man vncpasswd' to see how # to do that. # # DO NOT RUN THIS SERVICE if your local area network is # untrusted! For a secure way of using VNC, see # <URL:http://www.uk.research.att.com/vnc/sshvnc.html>. VNCSERVERS="1:jsmith 2:jdoe"
Configure VNC to run GNOME/KDE as desktop
Startup settings: edit the file ~/.vnc/xstartup
#!/bin/sh # Linux VNC session startup script unset SESSION_MANAGER vncconfig -iconic & xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" & xterm -geometry 80x50+510+10 -ls -title "$VNCDESKTOP Desktop" & xterm -geometry 80x24+10+350 -ls -title "$VNCDESKTOP Desktop" -bg black -fg white & exec /etc/X11/xinit/xinitrc
Configure VNC to run TWM (Tom's Window Manager) as desktop
Startup settings: edit the file ~/.vnc/xstartup
#!/bin/sh # Uncomment the following two lines for normal desktop: # unset SESSION_MANAGER # exec /etc/X11/xinit/xinitrc [ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources xsetroot -solid grey vncconfig -iconic & xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" & xterm -geometry 80x50+510+10 -ls -title "$VNCDESKTOP Desktop" & xterm -geometry 80x24+10+350 -ls -title "$VNCDESKTOP Desktop" -bg black -fg white & twm &
Stop a VNC session
Stop a VNC session (assuming it is in display :1) :
$ vncserver -kill :1
You can switch between the following desktops:
Use the switchdesk
command. For example:
$ switchdesk kde
Enable the the iptables
firewall, and use the /etc/rc.d/arno-iptables-firewall
to tighten security. First, edit the file /etc/arno-iptables-firewall.conf
:
# Put in the following variables which ports or IP protocols you want to leave # open to the whole world. # ----------------------------------------------------------------------------- OPEN_TCP="22 80" OPEN_UDP="22 80" OPEN_IP="" OPEN_ICMP=0
Run the script /etc/rc.d/arno-iptables-firewall
to start it:
$ cd /etc/rc.d/ $ ./arno-firewall-script.sh restart
ufw
: % ufw enable
% ufw default deny % ufw allow to any port 80 # http % ufw allow to any port 443 # https % ufw allow from 192.168.0.0/24 to any port 22 # ssh % ufw allow from 192.168.0.0/24 to any port 25 # smtp % ufw allow from 192.168.0.0/24 to any port 123 # ntp % ufw allow from 192.168.0.0/24 to any port 143 # imap % ufw allow from 192.168.0.0/24 to 192.168.0.149 port 465 # smtp over SSL % ufw allow from 192.168.0.0/24 to any port 53 # dns % ufw allow from 192.168.0.0/24 to any port 67 # dhcp server % ufw allow from 192.168.0.0/24 to any port 68 # dhcp client % ufw allow proto udp from 192.168.0.0/24 to 192.168.0.149 port 137 # samba NetBIOS Name Service % ufw allow proto udp from 192.168.0.0/24 to 192.168.0.149 port 138 # samba NetBIOS Datagram Service % ufw allow from 192.168.0.0/24 to any port 139 # samba NetBIOS Session Service % ufw allow from 192.168.0.0/24 to any port 445 # samba SMB file sharing % ufw allow from 192.168.0.0/24 to 192.168.0.31 port 3690 # Subversion server using ip 192.168.0.31
% ufw delete allow to any port 80 # delete http rule
/var/www/html/wiki
)$ tar xzvf mediawiki-x.x.x.tar.gz
mysql> create database wikidb; mysql> grant create, select, insert, update, delete, lock tables on wikidb.* to wiki@localhost identified by 'password'; mysql> flush privileges;
Disable certain users from editing pages, and enabling others. Add the following lines to MediaWiki/LocalSettings.php
:
# Disable anonymous and regular users from editing pages $wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['user']['edit'] = false; # Enable 'swdev' group members to edit pages. # Add new groups here, just like 'swdev'. $wgGroupPermissions['swdev']['edit'] = true;
To change which groups a user belongs to, login as Admin
and visit Special:Specialpages and click the link to 'User Rights Management' on the very bottom of the list which will bring them to Special:Userrights and follow the on-screen instructions.
Getting a blank screen after posting an edit or uploading an image file
upload_max_filesize
and post_max_size
in file /etc/php.ini
.MediaWiki/LocalSettings.php
:ini_set( 'memory_limit', '20M' ); # You might need to increase the limit
Directory permissions for /var/spool/mail
should be drwxrwxr-x
for group mail
(in case it is not working). Otherwise, it will have trouble sending mail.
Verify version of Sendmail:
$ sendmail -d0.1 -bt < /dev/null
Default Sendmail Settings for Receiving Mail
The default configuration for Sendmail does not allow for the receiving of mail except from yourself (localhost). To receive mail, perform the following operations:
/etc/mail/sendmail.mc
and /etc/mail/sendmail.cf
/etc/mail/sendmail.mc
and change/comment the line DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
to display:dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
Mail Relay
Setup mechanism for mail relay. Choose one of the following (be careful with the quotes ` ' ):
FEATURE(`relay_entire_domain')dnl <-- domain names must be added to /etc/mail/access FEATURE(`relay_hosts_only')dnl <-- hosts names (FQDN) must be added to /etc/mail/access
Run this command to regenerate sendmail.cf:
$ m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
Edit files /etc/mail/local-host-names
. It contains all of the alternate host names of the server. (i.e. domain-name.com) Sendmail will not accept mail for a domain unless it is permitted to do so by the contents of this file.
#--- /etc/mail/local-host-names --- example.com mail.example.com 10.10.10.2
Create /etc/mail/access
and /etc/mail/relay-domains
to add domains and handle mail for those domains. Otherwise, the anti-spam configuration will only honor local mail and refuse any other.
#--- /etc/mail/access --- localhost.localdomain RELAY localhost RELAY 127.0.0.1 RELAY example.com RELAY 192.168. RELAY
#--- /etc/mail/relay-domains --- example.com RELAY_FROM mail.example.com RELAY_FROM pc01.example.com RELAY_FROM dsl01.cableco.com RELAY_FROM 10.10.10.2 RELAY_FROM 192.168.0. RELAY_FROM
Regenerate hash tables by typing:
$ makemap hash /etc/mail/access < /etc/mail/access $ makemap hash /etc/mail/relay-domains < /etc/mail/relay-domains
Run and Test Sendmail
Restart the sendmail service:
$ /sbin/service sendmail restart
Test sendmail with verbose mode:
$ date | sendmail -v jdoe@hotmail.com
Edit the file /etc/mail/access
to include:
#--- /etc/mail/access --- from:nobody REJECT from:apache REJECT from:apache@localhost REJECT apache@ REJECT apache@localhost REJECT
Remove unsafe copies of /cgi-bin/formmail.pl
. It allows external users to send mail as nobody@localhost or apache@locahost. Do a security audit on users' cgi programs, and you might find one with a vulnerablity. If you must use one, install one you can trust in a common cgi-bin, and instruct users on how to use it.
/var/spool/mail
should be drwxrwxr-x
for group mail. Otherwise, it will have trouble sending mail./etc/aliases
): Various error messages in the system will normally be issued as internal email. To ensure that these will actually be read, one should create an /etc/aliases
. An example that should cover most eventualities is: # # /etc/aliases # format: alias: name # postmaster: root ftp: root news: root usenet: root faxmaster: root fax: root webmaster: root mailer.daemon: root support: superadmin, jsmith acctng: jdoe, jsmith
newaliases
every time you change /etc/aliases
.$ newaliases
In the DNS database entry for example.com (file /etc/named/example.com.hosts
), include the proper MX record. This is a slightly different example compared to the DNS file shown above (see DNS Configuration):
; ; Zone file for example.com ; ; domain = example.com ; host = server1.example.com ; e-mail = root@example.com ; @ IN SOA example.com. root.example.com. ( 20010016 ; Serial 8H ; Refresh 2H ; Retry 1W ; Expire 1D) ; Minimum TTL TXT "Sample DNS Server" NS example.com. ; internet address of name server MX 10 example.com. ; primary mail exchanger ; localhost A 127.0.0.1 router A 200.35.85.89 ns A 200.35.85.90 www A 200.35.85.90 mail A 200.35.85.90 pop A 200.35.85.90 server1 A 192.168.1.2 ftp A 192.168.1.2
Add the domain name to the /etc/hosts
file in the line where the mail host is found. This is done because of mail looping occurs when the DNS zone (see above zone definition /etc/named/example.com.hosts
) has the same mail hosts as the hosts being defined. Here server1
, mail
, and example.com
are the same, so looping will occur and delivery of messages will not occur. Eg: server1.example.com
is the mail server in this case so:
# # /etc/hosts # # For loopbacking. 127.0.0.1 localhost 200.35.85.90 www.example.com www mail.example.com mail example.com 192.168.1.2 server1.example.com server1 example.com # End of hosts.
Configure the server. Edit the following files: /etc/news/expire.ctl
# Keep local newsgroup 3 months (server1.example.com). server1.*:A:3:90:90
/etc/news/nnrp.access
## nnrp.access - access file for on-campus NNTP sites ## Format: ## <host>:<perm>:<user>:<pass>:<groups> ## Connecting host must be found in this file; the last match found is ## used, so put defaults first. ## <host> Wildcard name or IP address ## <perm> R to read; P to post ## <user> Username for authentication before posting ## <pass> Password, for same reason ## <groups> Newsgroup patterns that can be read or not read ## To disable posting put a space in the <user> and <pass> fields, since ## there is no way for client to enter one. ## ## Default is no access, no way to authentication, and no groups. *:: -no- : -no- :!* ## Foo, Incorporated, hosts have no password, can read anything. *:Read Post:::spinnaker* localhost:Read Post:::* server1.example.com:Read Post:::*
Run service:
$ /sbin/service innd start $ /sbin/chkconfig --level 35 innd on
Disable SELinux protection:
$ setsebool -P innd_disable_trans 1 $ /sbin/service innd restart
Edit the permissions file /etc/news/readers.conf
to enable local machines to read/post:
# This auth group matches all connections from example.com or machines in # the example.com domain and gives them the identity <local>@example.com. # Instead of using wildmat patterns to match machine names, you could also # put a wildmat pattern matching IP addresses or an IP range specified # using CIDR notation (like 10.10.10.0/24) here. auth "local" { hosts: "*.example.com, example.com, 192.168.0.0/24" default: "<local>@example.com" } . . . # Now for the access groups. All of our access groups should have users: # parameters so there are no access groups that match connections without # an identity (such as are generated by the "abusers" entry above). # First, the default case of local users, who get to read and post to # everything. access "local" { users: "<local>@example.com" newsgroups: "*" }
To create a local news group, perform the following steps:
innd
is running./etc/news/expire.ctl
, (in the site directory, then make install
)./var/lib/news/newsgroups
file, using shlock
, and append the newsgroup description to the file. The following example seems to function: $ shlock -f /var/lib/news/LOCK.newsgroups -p $$ && echo "examplesite.class.bskt201<tab>Introductory Basket Weaving" >> /var/lib/news/newsgroups && rm /var/lib/news/LOCK.newsgroups
$ /usr/lib/news/bin/ctlinnd newgroup examplesite.dept.news.group m "John Doe (Mod)"
/etc/news/newsfeeds
to restrict the local groups to your organization:ME:!local.*:: out.going.site:*,!local.*:Tf,Wnm:
Please consider, that local
is a very common name for local groups, so if a user crossposts to local.test
and misc.test
the article will show up in all local.test
over the world. So please choose a 'better' name.
Create a daily cron task to backup some important files to a directory (for example: /data/backup
). This script should be created as /etc/cron.daily/backup.sh
:
#!/bin/bash ## script: /etc/cron.daily/backup.sh ## ## removes old backup file rm -rf /data/backup/* ## backup the following directories: tar -czvf /data/backup/mail-backup.tar.gz /var/spool/mail tar -czvf /data/backup/home-backup.tar.gz /home tar -czvf /data/backup/website-backup.tar.gz /var/www/html tar -czvf /data/backup/mysql-data-backup.tar.gz /var/lib/mysql tar -czvf /data/backup/etc-dir.tar.gz /etc ## send reminder to sysadmin to pull the tarball from the server. mail root -s "Get the backup tarball off the server"
Source: Quick HOWTO: Linux Users and Sudo 5)
Use sudo when several administrators maintain a system. This allows access to the right people without giving away full root access, and losing track of what changes were done by whom.
$ sudo more /etc/sudoers
The su command allows a regular user to become the system's root user if they know the root password. A user with sudo rights to use the su command can become root, but they only need to know their own password, not that of root as seen here.
jdoe@example.com:~$ sudo su - Password: root@example.com:~#
Some systems administrators will use sudo to grant root privileges to their own personal user account without the need to provide a password.
Use this special text editor that is used to edit the /etc/sudoers configuration file:
$ visudo
File format:
usernames/group servername = (usernames command can be run as) command
Guidelines:
There are some general guidelines when editing this file:
%users
.ALL
can mean all usernames, groups, commands and servers.ALL
suffices for the server name.NOPASSWD
keyword provides access without prompting for your password. This section presents some simple examples of how to do many commonly required tasks using the sudo utility.
You can grant users jdoe
and jsmith
full access to all privileged commands, with this sudoers entry.
jdoe, jsmith ALL=(ALL) ALL
This is generally not a good idea because this allows jdoe and jsmith to use the su command to grant themselves permanent root privileges thereby bypassing the command logging features of sudo. The example on using aliases in the sudoers file shows how to eliminate this problem.
This entry allows user peter
and all the members of the group operator
to gain access to all the program files in the /sbin
and /usr/sbin directories
, plus the privilege of running the command /usr/local/apps/check.pl
. Notice how the trailing slash (/) is required to specify a directory location:
peter, %operator ALL= /sbin/, /usr/sbin, /usr/local/apps/check.pl
Notice also that the lack of any username entries within parenthesis () after the = sign prevents the users from running the commands automatically masquerading as another user. This is explained further in the next example.
The sudo -u
entry allows allows you to execute a command as if you were another user, but first you have to be granted this privilege in the sudoers file.
This feature can be convenient for programmers who sometimes need to kill processes related to projects they are working on. For example, programmer peter
is on the team developing a financial package that runs a program called monthend
as user accounts
. From time to time the application fails, requiring “peter” to stop it with the /bin/kill
, /usr/bin/kill
or /usr/bin/pkill
commands but only as user “accounts”. The sudoers entry would look like this:
peter ALL=(accounts) /bin/kill, /usr/bin/kill /usr/bin/pkill
User peter
is allowed to stop the monthend
process with this command:
[peter@bigboy peter]# sudo -u accounts pkill monthend
This example allows all users in the group operator
to execute all the commands in the /sbin
directory without the need for entering a password. This has the added advantage of being more convenient to the user:
%operator ALL= NOPASSWD: /sbin/
Sometimes you'll need to assign random groupings of users from various departments very similar sets of privileges. The sudoers file allows users to be grouped according to function with the group and then being assigned a nickname or alias which is used throughout the rest of the file. Groupings of commands can also be assigned aliases too.
In the next example, users peter
, jdoe
and jsmith
and all the users in the operator
group are made part of the user alias ADMINS
. All the command shell programs are then assigned to the command alias SHELLS
. Users ADMINS
are then denied the option of running any SHELLS commands and su
:
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \ /usr/bin/ksh, /usr/local/bin/tcsh, \ /usr/bin/rsh, /usr/local/bin/zsh User_Alias ADMINS = peter, bob, bunny, %operator ADMINS ALL = !/usr/bin/su, !SHELLS
This attempts to ensure that users don't permanently su to become root, or enter command shells that bypass sudo's command logging. It doesn't prevent them from copying the files to other locations to be run. The advantage of this is that it helps to create an audit trail, but the restrictions can be enforced only as part of the company's overall security policy.
All sudo commands are logged in the log file /var/log/messages
which can be very helpful in determining how user error may have contributed to a problem. All the sudo log entries have the word sudo in them, so you can easily get a thread of commands used by using the grep
command to selectively filter the output accordingly.
Here is sample output from a user jdoe
failing to enter their correct sudo password when issuing a command, immediately followed by the successful execution of the command /bin/more sudoers
.
[root@example.com/tmp]# grep sudo /var/log/messages Nov 18 22:50:30 example.com sudo(pam_unix)[26812]: authentication failure; logname=jdoe uid=0 euid=0 tty=pts/0 ruser= rhost= user=jdoe Nov 18 22:51:25 example.com sudo: jdoe : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/bin/more sudoers [root@example.com/tmp]#
Setup the following files on the server.
# File /etc/rsyncd.conf motd file = /etc/rsyncd.motd log file = /var/log/rsyncd.log pid file = /var/run/rsyncd.pid lock file = /var/run/rsync.lock [webfiles] path = /var/www/t/test comment = Audina RSync Server (temp webserver) uid = www-data gid = www-data read only = yes list = yes auth users = root,jdoe,webmirror secrets file = /etc/rsyncd.scrt hosts allow = 192.168.0.0/24
/etc/rsyncd.motd
:Welcome to Audina's RSync server (temp webserver)
/etc/rsyncd.scrt
: # File /etc/rsyncd.scrt # rsyncd password file # username:password (not same username/password as system) root:interestingpass jdoe:asyncpass webmirror:mywebsyncpass
rsync
as a daemon (service): % rsync --daemon --config=/etc/rsyncd.conf
#!/bin/bash # File /root/getwebfiles.sh # Example: Get files from server 192.168.0.149 (source) to local directory /data/mirror/webserver/www (destination) #rsync --verbose --progress --stats --compress --rsh=/usr/bin/ssh \ # --recursive --times --perms --links --delete \ # --exclude "*bak" --exclude "*~" \ # 192.168.0.149::webfiles /var/www/mirror rsync --archive --verbose --progress --stats --rsh=/usr/bin/ssh --recursive --times --perms --links --delete 192.168.0.149::webfiles /data/mirror/webserver/www
ssh
password, then when connected, type rsync
password if it prompts for it (when using auth users
directive in server side /etc/rsyncd.conf
file).http://www.stopforumspam.com/api?ip=216.24.206.59&f=json"
or with script spamcheck.php
:
<?php $url = "http://www.stopforumspam.com/api?ip=".$_GET["ip"]."&f=json"; $data = file_get_contents($url); $results = json_decode($data, true); print $results["ip"]["frequency"]; //print_r($results); ?>
Call it by:
http://www.example.com/spamcheck.php?ip=68.65.109.27
http://www.botscout.com/ipcheck.htm?ip=216.24.206.59
% ps -eo pcpu,pid,user,args | sort -k 1 -r | head -10 OR % ps -eo pcpu,pid,user,args | sort -r -k1 | less
/etc/cron.daily/ntpdate
containing: ntpdate ntp.ubuntu.com
% sudo chmod 755 /etc/cron.daily/ntpdate
% ntpdate -u ntp.ubuntu.com pool.ntp.org
ntpd
: % sudo apt-get install ntp
/etc/ntp.conf
to include servers to connect: server ntp.ubuntu.com server pool.ntp.org
iptables
) to allow incoming queries from clients trying to synchronize to this server: % iptables -A INPUT -p udp --dport 123 -j ACCEPT % iptables -A OUTPUT -p udp --sport 123 -j ACCEPT
Master
% apt-get install bind9 bind9-doc bind9utils
Slave
/etc/bind/named.conf.options
:options { directory "/etc/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders { // 0.0.0.0; // }; # add a range you allow to transfer zones allow-transfer { localhost; 192.168.0.0/24; }; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { none; }; };
/etc/bind/named.conf.default-zones
: // slave zone. Check transfer with: % dig @192.168.0.104 acme.com. axfr zone "acme.com" { type slave; masters { 192.168.0.104; 192.168.0.101; }; file "/etc/bind/slaves/acme.com"; };
/etc/bind/slaves
: % mkdir /etc/bind/slaves % chmod g+w /etc/bind/slaves % chown -R bind:bind /etc/bind/slaves
% ufw enable % ufw allow to any port 80 # http % ufw allow from 192.168.0.0/24 to any port 53 # dns % ufw allow from 192.168.0.0/24 to any port 22 # ssh % ufw allow from 192.168.0.0/24 to any port 67 # dhcp server % ufw allow from 192.168.0.0/24 to any port 68 # dhcp client % ufw status
/etc/apparmor.d/usr.sbin.named
and add: /etc/bind/slaves/** rw, /etc/bind/slaves/ rw,
% /etc/init.d/bind9 restart
% dig @192.168.0.2 acme.com. axfr
When moving hard drives to new hardware, it might happen that network cards are not being detected, thus losing network access. To fix this:
/etc/udev/rules.d/70-persistent-net.rules
Sample /etc/udev/rules.d/70-persistent-net.rules
file:
# This file was automatically generated by the /lib/udev/write_net_rules # program, run by the persistent-net-generator.rules rules file. # # You can modify it, as long as you keep each rule on a single # line, and change only the value of the NAME= key. # PCI device 0x8086:/sys/devices/pci0000:00/0000:00:1e.0/0000:02:08.0 (e100) SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:07:e9:3c:34:1f", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0" # PCI device 0x8086:/sys/devices/pci0000:00/0000:00:03.0/0000:02:01.0 (e1000) SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:07:e9:3c:34:1f", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
Run these tools to find injected code in PHP files, then edit the files to remove offending code (NOTE: injection code might not be obvious…it sits at the end of a long line after many spaces, typically the first php line), or simply delete those files (if no useful code belongs to your site):
$ cd /var/www $ find . -name "*.php" -exec grep -H "eval(" {} \;
Hacked scripts tend to have injected code that looks like this:
eval($p38d[$GLOBALS['y110d20'][21]]);
Look for odd and generic filenames, such as
info.php sql.php dir.php files.php start.php plugin0.php error.php htaccess
Also, search all files for a condition:
$ egrep -Rl 'function.*for.*strlen.*isset' /var/www $ egrep -Rl '\$GLOBALS.*\\x' /var/www $ egrep -Rl 'isset.*eval' /var/www $ egrep -Rl 'PHPMailer' /var/www $ egrep -Rl 'encodeURIComponent' /var/www $ egrep -Rl 'se_referrer' /var/www $ egrep -Rl 'base64_decode' /var/www # search for "header('HTTP/1.0 404 Not Found\')" $ egrep -Rl 'HTTP/1.0 404 Not Found' /var/www $ egrep -Rl 'preg_replace("/.*/e",' /var/www $ egrep -Rl 'long2ip",' /var/www $ find /var/www -newermt "yyyy-mm-dd"
Search all PHP files for a condition:
# Examples: # $ find /home/*/public_html/ ... # $ find /var/www ... # $ find ... -exec egrep -l 'pattern1|pattern2|pattern3.*pattern4.*pattern5' "{}" \; # Show file list of files with patterns $ cd /var/www $ find . -type f -name "*php" -exec egrep -Rl '\$GLOBALS.*\\x|function.*for.*strlen.*isset' "{}" \; $ find . -type f -name "*php" -exec egrep -Rl 'isset.*eval' "{}" \; $ find . -type f -name "*php" -exec egrep -Rl '<iframe' "{}" \; $ find . -type f -name "*php" -exec egrep -Rl 'PHPMailer' "{}" \; $ find . -type f -name "*php" -exec egrep -Rl 'encodeURIComponent' "{}" \; $ find . -type f -name "*php" -exec egrep -Rl 'se-referrer' "{}" \; $ find . -type f -name "*php" -exec egrep -Rl 'base64_decode' "{}" \; $ find . -type f -name "*php" -newermt "yyyy-mm-dd" # Show files with pattern and contextual strings $ cd /var/www $ find . -name "*.php" -exec grep --color -H 'function.*for.*strlen.*isset' "{}" \; $ find . -name "*.php" -exec grep --color -H '\$GLOBALS.*\\x' "{}" \; $ find . -name "*.php" -exec grep --color -H 'isset.*eval' "{}" \; $ find . -name "*.php" -exec grep --color -H 'PHPMailer' "{}" \; $ find . -name "*.php" -exec grep --color -H 'encodeURIComponent' "{}" \; $ find . -name "*.php" -exec grep --color -H 'se_referrer' "{}" \; $ find . -name "*.php" -exec grep --color -H 'base64_decode' "{}" \; $ find . -name "*.php" -exec grep --color -H 'header(*Location:' "{}" \; $ find . -name "*.php" -exec grep --color -H 'long2ip' "{}" \; $ find . -name "*.php" -exec grep --color -H 'ip2long' "{}" \; # find '404' in PHP files (excluding in dirs tcpdf, mpdf, and fonts) $ find . \( -name tcpdf -prune \) -o \( -name mpdf -prune \) -o \( -name fonts -prune \) -o -name "*.php" -exec grep --color -H '404' "{}" \;
Sometimes, there are files tagged as .suspected
by the malware, in the hope that you will restore them without finding the malicious code embedded in them. To find files already tagged as .suspected
, use this command:
$ cd /var/www $ find . -name "*.php.suspected"
Check mail queue (sendmail
or postfix
) to make sure we are not spamming:
$ cd /var/spool/mqueue $ ls -la $ cd /var/spool/mqueue-client $ ls -la
Disable sendmail
if necessary until the server has been cleaned. Try one of these:
$ /etc/init.d/sendmail stop $ service sendmail stop
For a WordPress site, check database records for fishy code:
SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%' UNION SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%' UNION SELECT * FROM wp_posts WHERE post_content LIKE '%display:%' SELECT * FROM `wp_options` WHERE `option_name` LIKE '%srb_%' DELETE FROM `wp_options` WHERE `option_name` LIKE '%srb_%' DELETE FROM wp_options WHERE option_name LIKE '_transient_%' OR option_name LIKE 'displayed_galleries%'
In WordPress, query for unauthorized admin accounts:
SELECT u.ID, u.user_login FROM wp_usermeta m, wp_users u WHERE m.meta_key = 'wp_user_level' AND m.meta_value = 10 AND m.user_id = u.ID /* Delete unauthorized user with user_id = 312 */ DELETE FROM wp_usermeta WHERE user_id = 312 DELETE FROM wp_users WHERE ID = 312
Check the syslog to see if emails are being sent that are not supposed to:
$ tail -f /var/log/mail.log
Force any login to use HTTPS. Add a redirect for login in .htaccess
file:
RewriteCond %{HTTPS} off RewriteRule ^login$ https://www.acme.com/login [R=301,L]
Check for clean site, visiting this site:
Follow these other instructions to clean a hacked site:
References:
Under heavy IO load on servers you may see something like:
INFO: task xxxx blocked for more than 120 seconds.
Eg. in /var/log/syslog
:
INFO: task nfsd:2252 blocked for more than 120 seconds. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
…typicall followed by a call trace that mentions the filesystem, and probably io_schedule and sync_buffer.
This message is not an error.
It is an indication that a program has had to wait for a very long time, and what it was doing. (which is not so informative of the reason - it's common that the real IO load issue comes from another process)
The code behind this sits in hung_task.c and was added somewhere around 2.6.30. This is a kernel thread that detects tasks that stays in the D state for a while (which typically meaning it is waiting for IO).
It complains when it sees a process has been waiting on IO so long that the whole process has not been scheduled for any CPU-time for 120 seconds (default).
Notes:
updatedb
(may be victim if it were ioniced, cause if not).SOURCE:
If your server goes down, and you get a message like:
Feb 16 03:00:12 server kernel: INFO: task httpd:16101 blocked for more than 120 seconds.
Verify memory usage:
$ sar -r
Verify CPU usage:
$ sar -u
For me the culprit was CPU reaching %idle reaching 99.18
01:40:01 PM CPU %user %nice %system %iowait %steal %idle ... 06:30:01 PM all 42.52 0.00 3.52 0.32 0.00 53.65 06:40:01 PM all 43.72 0.00 3.60 0.32 0.00 52.36 06:50:01 PM all 42.32 0.00 3.47 0.38 0.00 53.82 07:00:01 PM all 41.38 0.00 3.47 0.25 0.00 54.91 07:10:01 PM all 44.30 0.00 3.50 0.65 0.00 51.54 07:20:01 PM all 36.22 0.00 2.89 0.38 0.00 60.50 07:30:01 PM all 31.56 0.00 2.72 0.26 0.00 65.47 07:40:01 PM all 23.77 0.00 2.03 0.41 0.00 73.79 07:50:01 PM all 2.01 0.00 0.20 0.14 0.00 97.65 08:00:01 PM all 0.59 0.00 0.07 0.15 0.00 99.18 Average: all 36.88 0.10 3.22 0.39 0.00 59.41 08:06:39 PM LINUX RESTART 08:10:01 PM CPU %user %nice %system %iowait %steal %idle 08:20:01 PM all 50.79 0.00 3.62 0.08 0.00 45.51 Average: all 50.79 0.00 3.62 0.08 0.00 45.51
Temporarily apply new settings for a couple of days. See here for a detailed explanation.
$ sudo sysctl -w vm.dirty_ratio=10 $ sudo sysctl -w vm.dirty_background_ratio=5 $ sudo sysctl -w vm.swappiness=60
If everything runs smoothly, make the changes permanent:
$ vi /etc/sysctl.conf
Enter the following:
vm.dirty_ratio = 10 vm.dirty_background_ratio = 5 vm.swappiness = 60
Load settings from file /etc/sysctl.conf:
$ sudo sysctl -p
SOURCE: