Boiling Linux and Windows

Pear Module in Ubuntu doesn’t work

hanselzen@gmail.com (Last King of Kho's Kingdom) — Fri, 10 Jul 2009 17:41:00 +0000

I have tried this tips to install and configure Pear Module and check the Pear Module but when run my script this error still appear

Warning: require_once(System.php): failed to open stream:
 No such file or directory in /path/to/check_pear.php on line 2

After did some checking, i found the culprit which is apparmor. I added pear include_path into apparmor.d/usr.sbin.apache2 then restart apparmor daemon.

Done, and now my php script can call pear module.

How to enable issue / banner message when user log in

hanselzen@gmail.com (Last King of Kho's Kingdom) — Tue, 19 May 2009 14:56:00 +0000

#Banner /etc/issue.net

Uncomment it and save the file.
Restart openssh server.
# /etc/init.d/ssh restart

How to enable banner message (MOTD) in Ubuntu (Linux) Login

hanselzen@gmail.com (Last King of Kho's Kingdom) — Fri, 20 Feb 2009 08:42:00 +0000

Edit /etc/motd.tail and put your welcome message in that file.
Enable ssh login to print welcome banner when user login:
Edit /etc/ssh/sshd_config
Find -> PrintMotd no and enable it -> PrintMotd yes
Save the file and restart ssh daemon.

Folder access restriction on IIS

hanselzen@gmail.com (Last King of Kho's Kingdom) — Tue, 10 Feb 2009 03:55:00 +0000

I need to give restriction to one of folder in my website so it can be access only from my office network.

Go to Control Panel > Administrative Tools > IIS Manager
Browse your file and choose which folder that you want to give access restriction then right click > Properties > Directory Security
Find IP address and domain name restrictions section click Edit button.
Choose Denied access and click Add...
You can choose type of restrictions you need to be allow, what i want is allow my office network so i choose Group of computers
I key in
Network ID: 10.0.0.0 (my office network ip range)
Subnet mask: 255.255.0.0

How to create / build .deb packages

hanselzen@gmail.com (Last King of Kho's Kingdom) — Tue, 10 Feb 2009 02:38:00 +0000

Came across the websites i found detail how to build .deb packages.

Another easy way to create .deb.

Install it and when you compile a software type "sudo checkinstall -D" instead of "sudo make install", it will install the software giving synaptic all the needed informations to see it and create a .deb.

How to reset password on Windows and Unix (Linux)

hanselzen@gmail.com (Last King of Kho's Kingdom) — Tue, 10 Feb 2009 00:31:00 +0000

Resetting the Root Password on Windows Systems

Use the following procedure for resetting the password for any MySQL root accounts on Windows:

Log on to your system as Administrator.
Stop the MySQL server if it is running. For a server that is running as a Windows service, go to the Services manager:
```
Start Menu -> Control Panel -> Administrative Tools -> Services
```
Then find the MySQL service in the list, and stop it.

If your server is not running as a service, you may need to use the Task Manager to force it to stop.
Create a text file and place the following statements in it. Replace the password with the password that you want to use.
```
UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
FLUSH PRIVILEGES;
```
The UPDATE and FLUSH statements each must be written on a single line. The UPDATE statement resets the password for all existing root accounts, and the FLUSH statement tells the server to reload the grant tables into memory.
Save the file. For this example, the file will be named C:\mysql-init.txt.
Open a console window to get to the command prompt:
```
Start Menu -> Run -> cmd
```
Start the MySQL server with the special --init-file option:
```
C:\> C:\mysql\bin\mysqld --init-file=C:\mysql-init.txt
```
If you installed MySQL to a location other than C:\mysql, adjust the command accordingly.

The server executes the contents of the file named by the --init-file option at startup, changing each root account password.

You can also add the --console option to the command if you want server output to appear in the console window rather than in a log file.

If you installed MySQL using the MySQL Installation Wizard, you may need to specify a --defaults-file option:
```
C:\> "C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe"
        --defaults-file="C:\Program Files\MySQL\MySQL Server 5.1\my.ini"
        --init-file=C:\mysql-init.txt
```
The appropriate --defaults-file setting can be found using the Services Manager:
```
Start Menu -> Control Panel -> Administrative Tools -> Services
```
Find the MySQL service in the list, right-click on it, and choose the Properties option. The Path to executable field contains the --defaults-file setting.
After the server has started successfully, delete C:\mysql-init.txt.
Stop the MySQL server, then restart it in normal mode again. If you run the server as a service, start it from the Windows Services window. If you start the server manually, use whatever command you normally use.

You should now be able to connect to MySQL as root using the new password.

Resetting the Root Password on Unix Systems

Use the following procedure for resetting the password for any MySQL root accounts on Unix. The instructions assume that you will start the server so that it runs using the Unix login account that you normally use for running the server. For example, if you run the server using the mysql login account, you should log in as mysql before using the instructions. (Alternatively, you can log in as root, but in this case you must start start mysqld with the --user=mysql option. If you start the server as root without using --user=mysql, the server may create root-owned files in the data directory, such as log files, and these may cause permission-related problems for future server startups. If that happens, you will need to either change the ownership of the files to mysql or remove them.)

Log on to your system as the Unix mysql user that the mysqld server runs as.
Locate the .pid file that contains the server's process ID. The exact location and name of this file depend on your distribution, host name, and configuration. Common locations are /var/lib/mysql/, /var/run/mysqld/, and /usr/local/mysql/data/. Generally, the file name has an extension of .pid and begins with either mysqld or your system's host name.

You can stop the MySQL server by sending a normal kill (not kill -9) to the mysqld process, using the path name of the .pid file in the following command:
```
shell> kill `cat /mysql-data-directory/host_name.pid`
```
Note the use of backticks rather than forward quotes with the cat command; these cause the output of cat to be substituted into the kill command.
Create a text file and place the following statements in it. Replace the password with the password that you want to use.
```
UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
FLUSH PRIVILEGES;
```
The UPDATE and FLUSH statements each must be written on a single line. The UPDATE statement resets the password for all existing root accounts, and the FLUSH statement tells the server to reload the grant tables into memory.
Save the file. For this example, the file will be named /home/me/mysql-init. The file contains the password, so it should not be saved where it can be read by other users.
Start the MySQL server with the special --init-file option:
```
shell> mysqld_safe --init-file=/home/me/mysql-init &
```
The server executes the contents of the file named by the --init-file option at startup, changing each root account password.
After the server has started successfully, delete /home/me/mysql-init.

You should now be able to connect to MySQL as root using the new password.

Alternatively, on any platform, you can set the new password using the mysql client (but this approach is less secure):

Stop mysqld and restart it with the --skip-grant-tables option.
Connect to the mysqld server with this command:
```
shell> mysql
```

Issue the following statements in the mysql client. Replace the password with the password that you want to use.

mysql> UPDATE mysql.user SET Password=PASSWORD('MyNewPass')
   ->                   WHERE User='root';
mysql> FLUSH PRIVILEGES;

You should now be able to connect to MySQL as root using the new password.

How to fix drop down menu blocked by flash

hanselzen@gmail.com (Last King of Kho's Kingdom) — Mon, 09 Feb 2009 06:57:00 +0000

In your swf code in the html, add the following to your OBJECT statement:
<param name="WMode" value="Transparent">

Then if you have an EMBED statement, add:
wmode="transparent"

Sample:

<param name="movie" value="file.swf">
<param name="quality" value="high">
<span style="font-weight: bold;"></span>
<param name="WMode" value="Transparent">
<embed src="tes.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="640" height="340" wmode="transparent"></embed>

Reload php.ini on IIS

hanselzen@gmail.com (Last King of Kho's Kingdom) — Mon, 09 Feb 2009 06:16:00 +0000

Making changes to the php.ini file settings will not be seen until the IIS (Internet Information Services) reloads or re-caches the settings. To check the current php.ini file settings, create a page that displays the PHP info.

Sample PHP info page (phpinfo.php):

Open your IIS 6 manager, expand the Application Pools folder, right click on DefaultAppPool and press Recycle. It only takes a second.

Then reload the sample PHP info page (phpinfo.php). The new setting will be listed.

How to change ssh (login) welcome banner (message) in Ubuntu (Linux)

hanselzen@gmail.com (Last King of Kho's Kingdom) — Fri, 06 Feb 2009 08:43:00 +0000

Simple:
Edit /etc/motd and change the text with your choosen welcome banner.

Detail:
Every time I connect to my Ubuntu development server through my ssh client, I receive the same message and I'm getting tired of seeing it, so I decided to change the message to something else.

Here's the message that I get every time:

Linux superfast 2.6.20-16-generic #2 SMP Thu Jun 7 19:00:28 UTC 2007 x86_64

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Mon Aug 13 01:05:46 2007 from ipaddress removed

geek@superfast:~$

Changing this message requires editing two different files. The first three sections can be modified by editing the following file:

/etc/motd

This file contains the linux build number as well as the Ubuntu warranty message. I don't find this particularly useful, so I removed all of it and replaced it with my own message.

To disable the last login message (which I don't recommend doing), you will need to edit the following file in sudo mode:

/etc/ssh/sshd_config

Find this line in the file and change the yes to no as shown:

PrintLastLog no

Now when you login, you'll get a blank prompt, although I wouldn't necessarily recommend it because it's useful to see the last login to the system for security reasons. This is my prompt now:

This is a superfast system. Please max out the cpu accordingly.

Last login: Mon Aug 13 01:24:14 2007 from ipaddress removed
geek@superfast:~$

Root login email notification in Linux All Variant

hanselzen@gmail.com (Last King of Kho's Kingdom) — Fri, 06 Feb 2009 08:34:00 +0000

Edit /root/.bashrc or /root/.bash_profile
Put this code inside .bashrc

echo 'ALERT - Root Shell Access `hostname` on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" email@myhost.com

How to check whether IPV6 enabled or not?

hanselzen@gmail.com (Last King of Kho's Kingdom) — Fri, 06 Feb 2009 08:16:00 +0000

root@master:/etc# ifconfig -a

eth0 Link encap:Ethernet HWaddr 00:1d:09:f2:56:d6
inet addr:172.16.188.155 Bcast:172.16.188.255 Mask:255.255.255.0
inet6 addr: fe80::21d:9ff:fef2:56d6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:380 errors:0 dropped:0 overruns:0 frame:0
TX packets:138 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:69003 (67.3 KB) TX bytes:30542 (29.8 KB)
Interrupt:16 Memory:f8000000-f8012100

That means your IPV6 is enabled. If your IPV6 disabled the result should like this:
root@master1:~# ifconfig -a

eth0 Link encap:Ethernet HWaddr 00:1d:09:f2:56:d6
inet addr:172.16.188.155 Bcast:172.16.188.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:186 errors:0 dropped:0 overruns:0 frame:0
TX packets:61 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:37514 (36.6 KB) TX bytes:8590 (8.3 KB)
Interrupt:16 Memory:f8000000-f8012100

You may read How to disable IPV6 if no longer in use?

Send Automatic Email Notification When Security Upgrades Available (Debian / Ubuntu Linux)

hanselzen@gmail.com (Last King of Kho's Kingdom) — Fri, 06 Feb 2009 03:56:00 +0000

Q. How do I force apt-get to send me email when upgrades or security updates available under Debian or Ubuntu Linux? Do I need to write a shell script which generates a mail with a list of all packages currently pending an upgrade?

A. No you don't have to write a shell script. You need to use apticron command / script for notification. apticron is mainly intended for automatic notification of pending security updates but can also be used in many other situations where timely updates are neccessary.

Install apticron

Type the following command at a shell prompt:
# apt-get update # apt-get install apticron

Configure apticron to send email notifications

The default coniguration file is located at /etc/apticron/apticron.conf. Open file using text editor:
# vi /etc/apticron/apticron.conf
You need to set email address to email the notification as follows:
EMAIL="vivek@nixcraft.in"
My sample configuration file:

# apticron.conf
#
# set EMAIL to a list of addresses which will be notified of impending updates
#
EMAIL="admin@myhost.com"

#
# Set LISTCHANGES_PROFILE if you would like apticron to invoke apt-listchanges
# with the --profile option. You should add a corresponding profile to
# /etc/apt/listchanges.conf
#
# LISTCHANGES_PROFILE="apticron"

#
# Set SYSTEM if you would like apticron to use something other than the output
# of "hostname -f" for the system name in the mails it generates
#
# SYSTEM="foobar.example.com"

#
# Set IPADDRESSNUM if you would like to configure the maximal number of IP
# addresses apticron displays. The default is to display 1 address of each
# family type (inet, inet6), if available.
#
# IPADDRESSNUM="1"

#
# Set IPADDRESSES to a whitespace seperated list of reachable addresses for
# this system. By default, apticron will try to work these out using the
# "ip" command
#
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"

Save and close the file. /etc/cron.daily/apticron is the cron script for executing apticron daily and it will send you notfication when updates available.

Sample apticron email

Here is a sample email:

apticron report [Sun, 06 Jul 2008 07:07:23 +0000]
========================================================================

apticron has detected that some packages need upgrading on:

vip.clicklinux.org
[ 72.51.34.244 ::72.51.34.244 ]

The following packages are currently pending an upgrade:

libpcre3 6.7+7.4-4

========================================================================

Package Details:

Reading changelogs...
--- Changes for pcre3 (libpcre3) ---
pcre3 (6.7+7.4-4) stable-security; urgency=high

* Non-maintainer upload by the security team.
* Apply patch from Tavis Ormandy to fix a heap overflow in the compiler,
 triggered by patterns which contain options and multiple branches
 (CVE-2008-2371).

-- Florian Weimer   Fri, 04 Jul 2008 21:15:19 +0200

========================================================================

You can perform the upgrade by issuing the command:

aptitude dist-upgrade

as root on vip.clicklinux.org

It is recommended that you simulate the upgrade first to confirm that
the actions that would be taken are reasonable. The upgrade may be
simulated by issuing the command:

aptitude -s -y dist-upgrade

-- apticron

You will get an email when security updates released by Debian / Ubuntu security team. I also suggest subscribing to Debian email security update notification and Ubuntu Linux security notification via RSS or email.

Source:
- http://www.cyberciti.biz/faq/apt-get-apticron-send-email-upgrades-available/
- http://www.debian-administration.org/articles/491

ubuntu upgrade vs dist-upgrade

hanselzen@gmail.com (Last King of Kho's Kingdom) — Fri, 06 Feb 2009 03:33:00 +0000

apt-get dist-upgrade (smart upgrade in Synaptic):

this command upgrades packages trying to satisfy the dependencies in a "smart" way -- that might mean removing packages. It is not recommended to use it if you don't know exactly what you are doing.

apt-get upgrade (default upgrade in Synaptic):

this command upgrades only the upgradeable packages, it doesn't remove packages. From man apt-get: "New versions of currently installed packages that cannot be upgraded without changing the install status of another package will be left at their current version."

How to prompt user login and password in phpmyadmin

hanselzen@gmail.com (Last King of Kho's Kingdom) — Thu, 05 Feb 2009 03:23:00 +0000

Edit config.inc.php
and the exact line is :

$cfg['Servers'][$i]['auth_type'] = 'http'; // Authentication method (config, http or cookie based)
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';

Change original auth_type "tcp" to "http".

Auto Log in in Ubuntu Desktop

hanselzen@gmail.com (Last King of Kho's Kingdom) — Tue, 03 Feb 2009 08:47:00 +0000

I found it so troublesome when i should do log in every time i turn my pc on. I want it like windows that may do automatically log in so i don't need to type in username and password anymore.

1) Go to System > Administration > Login Window
2) Enter your password
3) Go to Security tab and check Enable automatic login
4) Enter your username and press Close

Other way, you may choose Log in automatically from Ubuntu Installation.

Restart your pc to find our whether the setting is working.

Best Linux Web Hosting ( Unlimited Domains, Disk Space and Bandwidth )

hanselzen@gmail.com (Last King of Kho's Kingdom) — Sat, 31 Jan 2009 14:00:00 +0000

After i made a deep research and compared all Linux Web Hosting, i came out with this list. I was looking for a web hosting that support unlimited domains with unlimited disk space and bandwidth. After came across with all user reference i found the other good hosting that support unlimited domains. I put hostgator in the first position for all their benefit. As what all hostgator clients testified, hostgator really give them 24x7x365 service and they have a good support team also.

1. Hostgator

I found only good testimonial from all hostgator customers. They really satisfied with hostgator service.

Uptime: 9/10
Support: 9/10
Feature: 9/10
Price: 9/10

Price : start from $4.95/month.
Hostgator Coupon

2. Bluehost

Bluehost provide unlimited domains which you may control it from one control panel. They offered best deal with best hardware.

Uptime: 7/10
Support: 6/10 (They don't provide live chat)
Feature: 9/10
Price: 9/10

Price: start from $6.95/month
I can give your $50 rebate if you buy from my link.

3. Host Monster

It's the same hosting with Bluehost but with lower grade of hardware.

Uptime: 6/10
Support: 4/10 (They don't provide live chat)
Feature: 9/10
Price: 10/10

Price: start from $5.95/month
I can give your $50 rebate if you buy from my link.

4. Hostupon

They are a new hosting company. Just established since 2007 but they hosting really kick butt.

Uptime: 7/10
Support: 4/10
Feature: 9/10
Price: 10/10

Price: start from $4.95/month with 30 days money back guarantee.
Coupon: HPR50 (get $50 off)
They provide live chat but not for 24 hours. Supports team will away on weekend. I did sent email to ask about hosting package on Saturday and they replied on the next Sunday.

5. Webhostingpad

Quite new established hosting company. They established since 2005, customers review mixed. Some complain about uptime and support but most will give a good review. Unlimited domains from addon domains.

Uptime: 8/10
Support: 6/10
Feature: 9/10
Price: 10/10

Price: start from $3.96/month with 30 days money back guarantee.
Coupon:
- Webhostingpad Coupon $25 Off : revpad25, promo25 (valid for 2 & 3 years plan)
- Webhostingpad Coupon $12 Off : 12off

How to claim your rebate?
You must buy the hosting package from my given link, then send email stating transaction date, domain name and your paypal account. I will send the money after 3 month from your transaction date.

Source:
http://www.webhostingrally.com
http://hostjury.com
http://b2evolution.net
http://www.hostingreviewsbyusers.com
http://www.webhostingpadreview.org
http://www.webhostingstuff.com

How to configure tcp wrappers (hosts.allow and hosts.deny)

hanselzen@gmail.com (Last King of Kho's Kingdom) — Fri, 23 Jan 2009 08:09:00 +0000

TCP Wrapper compatibility:
Check your application whether compatible with tcp wrapper or not.
How can you find out if your application is compatible? Use this command:

syntax: ldd /path/to/binary | grep wrap (general example)
ldd /usr/sbin/sshd | grep wrap (shows that the sshd refers to libwrap)
libwrap.so.0 => /lib/libwrap.so.0 (0x00007f142f0af000)

ldd /usr/sbin/apache2 | grep wrap (show that apache does not refer to libwrap)
result zero

hosts.allow and hosts.deny.

- host.allow ( Choose ip range that you want to allow )
ALL: 172.16.172.0/255.255.255.0 : ALLOW
ALL: 172.16.188.0/255.255.255.0 : ALLOW
ALL: 172.16.189.0/255.255.255.0 : ALLOW
ALL: 172.16.178.0/255.255.255.0 : ALLOW
ALL: 172.16.179.0/255.255.255.0 : ALLOW
- host.deny (Paranoid setting block all connection except in hosts.allow)

#(denying all services to all hosts)
ALL:ALL

The syntax of the hosts.allow and hosts.deny files are:

service(s) : ips or hosts

conclusion

The hosts.allow and hosts.deny files are very flexible and allow you to lock down your network in very granular ways. The limitation of some applications not honoring hosts.allow and hosts.deny is the biggest thing to remember. Make sure the service you are trying to block refers to libwrap.so before you start writing rules or you may sit and wonder why your rules don’t work, when its really the application itself not being compatible.

If you need to hardened you system more, please read about this Ubuntu Hardening guide.

Apache hardening guide with PHP

hanselzen@gmail.com (Last King of Kho's Kingdom) — Thu, 22 Jan 2009 03:26:00 +0000

#1: Update, update, update

Just because it is Apache running on Linux doesn’t mean you shouldn’t bother to update. New holes and security risks are found all the time. You should always develop a sound update policy to keep on top of patches. If you have installed Apache with your distributions package manager, you can make the updates go seamlessly. If you have installed from source, make sure that upgrade is not going to break any modules or dependencies your Web site has. And if you update Apache, make sure PHP (if used) is updated as well.

#2: Use the right user:group

I have seen Apache installed under many groups and/or users. One of the biggest offenders is the root user. This can lead to some serious issues. Or say both Apache and MySQL are run by the same user/group. If there is a hole in one, it can lead to an attack on the other. The best scenario is to make sure Apache is run as the user and group apache. To make this change, open the httpd.conf file and check the lines that read:

User

Group

Change these entries to:

User apache

Group apache

If you get any errors indicating the group or user do not exist, you’ll have to create them.

#3: Turn off unwanted services

There are a few services and/or features that you will want to turn off or not allow. All of these services can be disabled in the httpd.conf file. Those services/features that could cause the most issues include:

* Directory browsing. This is done within a directory tag (the document root is a good place to start) using the Options directive and is set with “-Indexing”.
* Server side Includes. This is another feature that is disabled within a directory tag (using Options directive) and is set with “-Includes”.
* CGI execution. Unless your site needs CGI, turn this off. This feature is also set within a directory tag using the Options directive, with “-ExecCGI”.
* Symbolic links. Set this inside a (surprise, surprise) directory tag with “-FollowSymLinks”.
* None. You can turn off all options (in the same way you set the above) using “None” with the Option directive.

#4: Disable unused modules

Apache has a ton of modules. To get an idea how many modules your installation is running, issue the command (as the root user) grep -n LoadModule httpd.conf from within your Apache configuration directory. This command will show you every module Apache is loading, along with the line number it falls on. To disable the modules you don’t need, simply comment them out with a single # character at the beginning of the module line.

#5: Restrict access

Say you have an intranet that contains critical company information. You will want to deny anyone outside your private network from seeing this information. To do this, you can restrict access to your internal network by adding the following inside a directory tag in your httpd.conf file:

Order Deny, Allow

Deny from all

Allow from 192.168.1.0/16

where 192.168.1.0/16 is the configuration matching your internal network. As with all modifications to the httpd.conf file, make sure you restart Apache so the changes take effect.

#6: Limit request size

Denial of service attacks are always a possibility when you allow large requests on Apache. Apache has a directive, LimitRequestBody, that is placed within a Directory tag. The size of your limit will depend upon your Web site’s needs. By default, LimitRequestBody is set to unlimited.

#7: Employ mod_security

One of the most important Apache modules is mod_security. This module handles many tasks, including simple filtering, regular expression filtering, URL encoding validation, and server identity masking. The mod_security installation and setup is a bit beyond a one-paragraph description. But you can begin by adding the “unique_id” and “security2″ directives in the Apache modules section. Once you have added the entries, run the command service apache2 configtest. If you get returned Syntax OK you’re good to go.
#8: Do not allow browsing outside the document root

Allowing browsing outside the document root is inviting trouble. Unless you have a specific need to allow it, disable this feature. First, you’ll need to edit the document root Directory entry like so:

Order Deny, Allow

Deny from all

Options None

AllowOverride None

Now, if you need to add options to any directory within the document root, you will have to add a new Directory entry for each one.

#9: Hide Apache’s version number

The best offense is a good defense. And one of the best defenses is to obfuscate as much information about your service as you can. One crucial bit of information to hide is the Apache version number. By hiding it, you keep unwanted users from knowing how to quickly hack your Web server. To hide Apache’s version number, add the following in your document root Directory tag:

ServerSignature Off

ServerTokens Prod

#10: Immunize httpd.conf

One of the best security measures is to hide your httpd.conf file from prying eyes. If people who shouldn’t see your httpd.conf file can’t see it, they can’t change it. To immunize the httpd.conf file, set the immutable bit with the following command:

chattr +i /path/to/httpd.conf

where /path/to/httpd.conf is the path to your Apache configuration file. Now it will be very difficult for anyone to make any changes to httpd.conf.

Apache have a very close relation with php so i think we need to hardened php too.
- Disable unnecessary PHP variable

Edit /etc/php5/apache2/php.ini and /etc/php5/cli/php.ini
Turn off some of this variable:
allow_call_time_pass_reference = Off
magic_quotes_gpc = Off
register_long_arrays = Off
register_argc_argv = Off
allow_url_fopen = Off
expose_php = Off
disable_functions = symlink,shell_exec,proc_close,proc_open,dl,passthru,escapeshellarg,escapeshellcmd,openlog, apache_child_terminate,apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,virtual, phpinfo

This guide taken from this site. If you looking for full (more complicated) guide you may read guide from xianshield.org

Install Adobe Acrobat Reader on Ubuntu and CentOS

hanselzen@gmail.com (Last King of Kho's Kingdom) — Wed, 21 Jan 2009 02:12:00 +0000

There is no Adobe Acrobat Reader package in Ubuntu Repository until now. How to install it on our Ubuntu Desktop?
Download latest Adobe Reader from Adobe Website choose Linux - x86 (.deb) from OS list.
From console, this is latest version until i post this article (21/01/2009):

wget http://ardownload.adobe.com/pub/adobe/reader/unix/8.x/8.1.3/enu/AdobeReader_enu-8.1.3-1.i386.deb

Install downloaded package. From Ubuntu Xwindow double click downloaded package file and install.
Console:

dpkg -i AdobeReader_enu-8.1.3-1.i386.deb

After installation finish go to Applications > Office > and find Adobe Reader shortcut.
This step by step also can be apply to CentOS since they use the same source package.

mysql clustering database replication vs file-based replication ( mysql+drbd+heartbeat )

hanselzen@gmail.com (Last King of Kho's Kingdom) — Tue, 20 Jan 2009 15:09:00 +0000

You have a low budget to implement mysql clustering, i suggest you to choose Heartbeat+DRBD. I have used my old server (PIII+512Mb) to developt MySQL Clustering. I only need 2 server to implement this clustering method compared with MySQL Clustering use replication method you'll need at least 4 server and you also need good hardware with big memory size to implement this clustering.

Need to know more about MySQL Replication concept? You may check Mysql Clustering white paper.

How to check disk uuid

hanselzen@gmail.com (Last King of Kho's Kingdom) — Tue, 20 Jan 2009 08:42:00 +0000

Since my fstab use disk-uuid to mount the disk therefore I need to know what is my disk uuid . This command will do uuid check for the disk.

blkid /dev/disk

How to create Apparmor configuration file for Apache

hanselzen@gmail.com (Last King of Kho's Kingdom) — Mon, 19 Jan 2009 06:43:00 +0000

If you need to hardened apache service with apparmor. Here is the step by step how to create apparmor configuration file for apache.

First, activate profile generation. Skip for repository section, just answer later (L):

sudo genprof -d /var/log/syslog /usr/sbin/apache2

Setting /usr/sbin/apache2 to complain mode.

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the "Scan" button below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

Profiling: /usr/sbin/apache2

[(S)can system log for SubDomain events] / (F)inish

Keep this open, don't press (S) or (F) yet because we still have some task to be done.

Second, open new console and try to restart apache service.

sudo /etc/init.d/apache2 stop
sudo /etc/init.d/apache2 start

Try to access or test your web application, this will help apparmor to cache all permission for your web access directories and files. After you finish with web application testing go back to console which still running genprof command then Press (S). Genprof will prompt some question, and you may choose whether you want to allow or deny the permission.

Once you finish with genprof, you will found this file /etc/apparmor.d/usr.sbin.apache2
Restart your apparmor then restart your apache daemon.

If some of your web application isn't accessible, see apparmor log to check is there any file permission has been blocked.

Jan 19 16:51:47 appserv02 kernel: [264251.884604] audit(1232355107.629:28228): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/var/www/html/MyApps/index.php" pid=19234 profile="/usr/sbin/apache2" namespace="default"

This error log means you need to give read permission to this file "/var/www/html/MyApps/index.php". Edit and Add this below rules to your /etc/apparmor.d/usr.sbin.apache2

/var/www/html/MyApps/index.php r,

Try to restrat apparmor and apache server one more time. If you found more blocked permission from audit log, you may repeat above steps.

PSEXEC PORT

hanselzen@gmail.com (Last King of Kho's Kingdom) — Fri, 16 Jan 2009 01:17:00 +0000

My firewall has blocked me when i tried to execute psexec. What is the psexec port to open so i can execute this command on target? PSEXEC port is tcp 445.

HOWTO: Set up VNC server in Ubuntu

hanselzen@gmail.com (Last King of Kho's Kingdom) — Wed, 14 Jan 2009 06:42:00 +0000

I have 2 reference guide from:
1. http://ubuntuforums.org/showthread.php?t=259448
2. http://ubuntuforums.org/showthread.php?t=122402

What i need is to use vncserver to start kde when the user do remote desktop with vnc viewer client. IN my previous howto, i should login to kde first before i can do a remote desktop so this method will be no use if i put the server in host center and when the machine reboot, i couldn't manage to do a remote desktop to that server because kde/gnome desktop isn't activated.

I just copied this manual from the forum, just to prevent if sometimes the thread has been removed and i still have a copy in here :)

This guide is very similar to the Gnome Ubuntu HOWTO, located here:

http://ubuntuforums.org/showthread.php?t=122402

I have borrowed a lot of the notes from that author, only changing things to work for Kubuntu users. Most of the credit for the info goes to the author of that post. If you are having problems, I strongly recommend browsing through that thread first.

This guide is intended for Kubuntu users, and details how to enable Xdmcp for your KDE session. It was written using Kubuntu 6.06 (i386) as a reference. In the steps, I use kate as the text editor, but you can use whatever editor you prefer. In reality I use vi, but most people don't know vi commands so I stick with kate in these examples.

Required packages:

To make sure you have the proper software installed, execute the following:

Type in a terminal:
Code:
sudo apt-get install vnc4server xinetd xvncviewer
The latest versions are:
vnc4server: Xvnc Free Edition 4.1.1
xinetd: xinetd Version 2.3.14 libwrap loadavg
xvncviewer: VNC viewer version 3.3.7 - built Feb 20 2006 12:04:05

If you're using previous versions of any of these packages, there's no guarantee this will work. (Actually, there's no guarantee this will work anyway, but if you use versions below what I indicated, then you're just making it harder on yourself )

WARNING: Make sure you install vnc4server and NOT vncserver. These packages ARE different, and the latter will NOT work correctly.

Note to AMD64 users: The current version of vnc4server in the repositories has a bug, so you need to download and install the fixed vnc4 packages as shown below:
Code:
wget http://qt1.iq.usp.br/download/vnc4server_4.0-7.3_amd64.deb
wget http://qt1.iq.usp.br/download/xvnc4viewer_4.0-7.3_amd64.deb
sudo dpkg -i vnc4server_4.0-7.3_amd64.deb
sudo dpkg -i xvnc4viewer_4.0-7.3_amd64.deb
THE STEPS:

1. ENABLE XDMCP IN KDE

Type in a terminal:
Code:
sudo kate /etc/kde3/kdm/kdmrc
At the very bottom of the file, you'll see this section:
Code:
[Xdmcp]
Enable=false
Willing=/etc/kde3/kdm/Xwilling
Change it to look exactly like this:
Code:
[Xdmcp]
Enable=true
Port=177
Xaccess=/etc/kde3/kdm/Xaccess
Willing=/etc/kde3/kdm/Xwilling
Save the file and quit. Then type this in your terminal:
Code:
sudo kate /etc/kde3/kdm/Xaccess
This is a big file and can be confusing, so make sure you do this exactly as shown. Scroll down and find this line:
Code:
#*                                       #any host can get a login window
Remove the # from the beginning of that line, so it looks like this:
Code:
*                                       #any host can get a login window
Then find this line:
Code:
#*               CHOOSER BROADCAST       #any indirect host can get a chooser
Remove the # from the beginning of that line, so it looks like this:
Code:
*               CHOOSER BROADCAST       #any indirect host can get a chooser
Save the file and quit out of KATE.

Now we need to restart the KDM process so it will re-read the configuration file. The easiest way to do this is to just reboot the machine. The quickest is to do the following:
Code:
ps -ef | grep kdm
This will print out a list of processes with the letters 'kdm' in the name. Find the one that looks like the following (Specifically the one that ends in /usr/bin/kdm):
Code:
root    4530      1     0 0:09:20 ?          00:00:00 /usr/bin/kdm
See the number right after root? 4530 in my example, you will almost certainly have a different number. That's the process ID or PID. Type the following command to restart kdm (Substituting the PID number you have for the 4530 in my example):
Code:
sudo kill -HUP 4530
2. SET THE VNC PASSWORD

Type this in a terminal:
Code:
sudo vncpasswd /root/.vncpasswd
3. ADD VNC SERVICE TO XINETD

Type this in a terminal:
Code:
sudo kate /etc/xinetd.d/Xvnc
Enter this in to the new file:
Code:
service Xvnc
{
      type = UNLISTED
      disable = no
      socket_type = stream
      protocol = tcp
      wait = yes
      user = root
      server = /usr/bin/Xvnc
      server_args = -inetd :1 -query localhost -geometry 1024x768 -depth 16 -once -fp /usr/share/X11/fonts/misc -DisconnectClients=0 -NeverShared passwordFile=/root/.vncpasswd
      port = 5901
}
I recommend leaving all of that code alone, but you can safely change the 1024x768 to be a bigger or smaller resolution for your Xvnc window, depending on what you want. You can also change the depth, but understand that increasing the depth bits will cause more bandwidth to be used over your network, which could slow down your VNC experience considerably.

4. RESTART XINETD

If the following code does not work, try rebooting:
Code:
sudo /etc/init.d/xinetd stop
sudo killall Xvnc
sudo /etc/init.d/xinetd start
Don't worry if you see a message like "Xvnc: no process killed". This just means there was no open, active session of VNC running at the time. This is expected and is normal.

5. TEST

If you followed all of the above steps correctly, you should now be able to test your VNC server. Type the following in a terminal:
Code:
vncviewer localhost:1
You should be prompted for the VNC password, and then see the KDM login screen where you can login and start a new X session. If that works, you can now go ahead and try to connect from remote machine using your favorite VNC client (remember to first close the local vncviewer we started above). Remember to use the VNC server machine's domain name or IP address, followed by :1 (e.g. 192.168.0.100:1). If connecting locally as shown above works, but connecting remotely fails, then this means you have a problem with a firewall which is blocking some ports. See the notes below about how to deal with that.

Note about ports: The VNC server set up as shown uses TCP port 5901. If you are using firewall software (e.g. firestarter) on that machine, you need to allow incoming connections on this port. If you are using a router which assigns your machine a private address (e.g. 192.168.0.100) which is not accessible from the internet, then you need to forward TCP port 5901 from the router to this machine.

Note about security: This setup allows any user to start an X-session remotely by logging in using his regular password (after starting the VNC connection using the VNC password), so if the user disconnects without logging out, any other user which knows the VNC password can connect afterwards and resume the same session that the first user started. So if you do not want to log out before disconnecting, it's advisable to at least lock your VNC X-session screen. Also note that while a remote user is connected thru VNC, no other connection will be accepted. An idle VNC client will be disconnected after one hour, but this can be changed by using the "-IdleTimeout" option in the server_args line in /etc/xinetd.d/Xvnc. For example, you can add "-IdleTimeout 300" to change it to 5 minutes.

reference links:
Gnome VNC howto: http://ubuntuforums.org/showthread.php?t=122402
Xdmcp in kdm: http://klomdark.servebeer.com:8081/M...px?MsgNum=1967

Good luck!

My vncserver setting a bit different since i only can see a grey window from the screen when i do the remote desktop. I use this command to run the vncserver:

user # vncserver :0 -name kde -geometry 1024x768 -depth 16 -httpport 5800

I need to run this vncserver on port 5900 so i should use :0 because my firewall only opened to this port.

How to install & configure VNC in Ubuntu - Remote Desktop in Ubuntu

hanselzen@gmail.com (Last King of Kho's Kingdom) — Wed, 07 Jan 2009 14:18:00 +0000

Install X11VNC and vnc-java packages.

# sudo apt-get install x11vnc vnc-java

Run the terminal command

# x11vnc -forever -usepw -httpdir /usr/share/vnc-java/ -httpport 5800 -shared

When you run above command, system will prompt you to create password and the password will be kept in /home//.vnc

*PS:
-usepw : use password
-shared: will allow more than 1 user to remote