Linux Help and Info Center

Major Search Engine Yahoo and Google learning to crawl Flash

noreply@blogger.com (Unknown) — Wed, 02 Jul 2008 13:29:00 +0000

The statistics show that Adobe Flash is installed in a whooping 98% of computers connected to the Internet. The use of Flash, a Web developer is able to give his imagination a free field and build magnificent multimedia intensive but also functional sites.

But so far, building Flash sites had a singular disadvantage. However, search engines had no way of indexing unless the Web developer also included text in its Flash site explaining what the site or rather on the content of the site is all about.

Some time ago, Adobe has published the file format Flash SWF as an open specification that encourages third-party developers to create applications that could make Flash files. Adobe has now gone one step further and collaborates closely with Internet search engine companies Yahoo and Google for help in indexing Flash. It is a clear green light for all web developers to start creating sites that are heavy on the Flash content. It also means the Web developers can reduce the size of their Flash sites by deleting the text.

You should know that the latest version of Adobe Flash Player is available for Linux as a platform and make Flash which is a universal format to share and present content on the Web.

Read the official information from Adobe and the announcement of Google.

Set Up Shorewall Firewall On CentOS

noreply@blogger.com (Unknown) — Wed, 02 Jul 2008 13:20:00 +0000

This tutorial will guide you through the setting of Shorewall (Shoreline) 4.0 firewall on CentOS 5.1, which can be easily adapted to any other Linux distribution.

The Shoreline of firewalls, more commonly known as "Shorewall" is a high-level configuration tool Netfilter. You describe your firewall / gateway using entries in a set of configuration files. Shorewall read configuration files and with the help of utility iptables, Shorewall configure Netfilter to match your needs. Shorewall can be used on a dedicated firewall system , a multi-function gateway / router / server or on GNU / Linux system. Shorewall doesn't use Netfilter ipchains compatibility mode and can thus benefit from connecting Netfilter state monitoring capabilities.

http://www.shorewall.net/

Important Note:
Before installing shorewall we need to uninstall ipchains if you installed in your machine.

Download shorewall

wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-4.0.11-2.noarch.rpm

wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-perl-4.0.11-2.noarch.rpm

wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-shell-4.0.11-2.noarch.rpm

You can check download section in shorewall official web site for newer versions.
http://www.shorewall.net/download.htm

Install Shorewall

Installing shorewall is quite easy. Just open a terminal and do a

rpm -ivh shorewall-perl-4.0.11-2.noarch.rpm shorewall-shell-4.0.11-2.noarch.rpm shorewall-4.0.11-2.noarch.rpm

and you're all ready. Don't close your terminal, because we will need it some more.

Setting Shorewall

The program will not start unless you change the shorewall configuration file /etc/shorewall/shorewall.conf .You can do this in following way:

vim /etc/shorewall/shorewall.conf

Change the first line from

STARTUP_ENABLED=No

STARTUP_ENABLED=Yes

Save and exit (in VIM, hit [ESC] and then ':wq').

If you want to configure shorewall you need to copy the sample configuration file from
/usr/share/doc/shorewall-4.0.11/Samples/. In Samples directory there are 3 different directories :one-interface/,two-interfaces/ and
three-interfaces/. Depending on your network,you can do this by the following command:

cp /usr/share/doc/shorewall-4.0.11/Samples/one-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

cp /usr/share/doc/shorewall-4.0.11/Samples/two-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

cp /usr/share/doc/shorewall-4.0.11/Samples/three-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

Now you have configuration files located in /etc/shorewall.

Zones Configuration

Open and edit the file /etc/shorewall/zones to specify the different network zones,
these are just labels that you will use in the other files.

vim /etc/shorewall/zones

Consider the Internet(net) as one zone, and a private network(dmz) as another zone.The firewall zone or "fw" is your linux box itself.
If you have these then the zones file would look like this:

#ZONE TYPE OPTIONS  IN OPTIONS  OUT OPTIONS
#
fw firewall
net ipv4
loc ipv4
dmz ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Interfaces Configuration

The next file to edit is the interfaces file to specify the interfaces on your machine.

vim /etc/shorewall/interfaces

Here you will connect the zones that you defined in the previous step with an actual interface.
The third field is the broadcast address for the network attached to the interface ("detect" will figure this out for you). Finally the last fields are options for the interface. The options listed below are a good starting point.

#ZONE INTERFACE BROADCAST OPTIONS
net     eth0            detect          tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc     eth1            detect          tcpflags,nosmurfs
dmz     eth2            detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Policy Configuration

The next file defines your firewall default policy. The default policy is used if no other rules apply.
Often you will set the default policy to REJECT or DROP as the default, and then configure
specifically what ports/services are allowed in the next step, and any that you do not configure are by default
rejected or dropped according to this policy.

vim /etc/shorewall/policy

An example policy (based on the zones and interfaces we used above) would be:

#SOURCE  DEST  POLICY  LOG LEVEL LIMIT:BURST
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# in your DMZ, change the following policy to REJECT info.
loc  net  ACCEPT
# If you want open access to DMZ from loc, change the following policy
# to ACCEPT.  (If you chose not to do this, you will need to add a rule
# for each service in the rules file.)
loc  dmz  REJECT  info
loc  $FW  REJECT  info
loc  all  REJECT  info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
$FW  net  REJECT  info
$FW  dmz  REJECT  info
$FW  loc  REJECT  info
$FW  all  REJECT  info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT.  This may be useful if you run a proxy server in
# your DMZ.
dmz  net  REJECT  info
dmz  $FW  REJECT  info
dmz  loc  REJECT  info
dmz  all  REJECT  info
#
# Policies for traffic originating from the Internet zone (net)
#
net  dmz  DROP  info
net  $FW  DROP  info
net  loc  DROP  info
net  all  DROP  info
# THE FOLLOWING POLICY MUST BE LAST
all  all  REJECT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Rules Configuration

The most important file is the rules. This is where you set what is allowed or not.
Any new connection that comes into your firewall passes over these rules, if none of these apply, then the
default policy will apply.

Note: This is only for new connections, existing connections are automatically accepted.

The comments in the file give you a good idea of how things work, but the following will provided an example
that can give you a head-start:

vim /etc/shorewall/rules

An example would be:

#############################################################################################################
#ACTION  SOURCE  DEST PROTO DEST SOURCE  ORIGINAL RATE USER/ MARK
#      PORT PORT(S)  DEST  LIMIT  GROUP
#
# Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT $FW  net
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
SSH/ACCEPT      loc             $FW
SSH/ACCEPT      loc             dmz
#
# DMZ DNS access to the Internet
#
DNS/ACCEPT dmz  net
#
# Drop Ping from the "bad" net zone.
#
Ping/DROP     net             $FW
#
#       Make ping work bi-directionally between the dmz, net, Firewall and local zone
#       (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT     loc             $FW
Ping/ACCEPT     dmz             $FW
Ping/ACCEPT     loc             dmz
Ping/ACCEPT     dmz             loc
Ping/ACCEPT     dmz             net
ACCEPT  $FW  net  icmp
ACCEPT  $FW  loc  icmp
ACCEPT  $FW  dmz  icmp
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
#Ping/ACCEPT    net             dmz
#Ping/ACCEPT    net             loc
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Finally

Well we are done, let's fire up the services and begin testing.

service shorewall start

Shorewall Web interface or GUI tool

We have a webmin interface for shorewall to configure through GUI. You can download from http://www.webmin.com/download/modules/shorewall.wbm.gz.

Configuring The Firewall Using IPTABLES

noreply@blogger.com (Unknown) — Thu, 26 Jun 2008 19:55:00 +0000

About the Script:

The script is about to build a firewall in Linux using iptables, the user need only to monitor and respond to simple and easy measures and the script will generate the user specified iptables rule in its form original.

I tested the script to PCLinuxOS, FEDORA-9, DREAM_LINUX, UBUNTU-8.
This is my iptables, version 1.0

About iptables:

Network security is a primary consideration in any decision to host a website as the threats are becoming more widespread and persistent every day. One way to provide additional protection is to invest in a firewall. Although prices are still falling, in some cases, you be able to create a comparable unit using the Linux iptables package on a server for little or no additional cost.

Originally, most firewall / NAT package running on Linux was ipchains, but it had a number of shortcomings. To remedy this situation, Netfilter organization has decided to create a product called iptables.

Starting of the Script

A Menu will appear like this:

*****Main Menu*****
1. Check Iptables Package
2. Iptables Services
3. Build Your Firewall with Iptables
4. Exit

1. Check Iptables Package

Now let the user select the option 1. Check iptable Package from the menu by pressing "1" from the keyboard.

Now the script confirms that the user must be Root, and we know that the UID of Root is zero ( 0 ). So first I have to compare the UID of the current user with zero ( 0 ), if the UID doesn't match with the UID of root then it will display the following message:

****You must be the root user to run this script!****

and if the UID matches with root's UID then it displays the following message and runs the script:

***Identity Verified_You are the Root***

We can check the UID of the current user by typing the following command in the terminal:

echo $UID

If the identity of the user is verified as root, then the script will check the iptables package in the Linux OS by using the following command.

rpm -q iptables

*****Main Menu*****
1. Check Iptables Package
2. Iptables Services
3. Build Your Firewall with Iptables
4. Exit

Now if the user selects the option 2. Iptables Services then the checkstatus function will be called. In this function there are some options for the user:

*****Note: Save your Iptables before stop/Restart the iptables Services*****
1. Save the iptables
2. Status of Iptables
3. Start iptables Services
4. Stop iptables Services
5. Restart iptable Services
6. Flush iptables (**Use Carefully_it will remove all the rules from iptables**)
7. Go back to Main Menu

If the user selects 1. Save the iptables the iptables rules will be saved in the Linux OS by using the following command:

/etc/init.d/iptables save

If the user selects 2. Status of iptables the current status of iptables will be displayed, using the following command:

/etc/init.d/iptables status

Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 192.168.1.45 172.16.4.8 reject-with icmp-port-unreachable
ACCEPT tcp -- 192.168.1.1 192.168.1.25
LOG icmp -- anywhere anywhere LOG level warning

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP udp -- 192.168.6.3 10.6.3.7

If the user selects 3. Start iptables Services then iptables will be started, using the following command:

/etc/init.d/iptables start

If the user selects 4. Stop iptables Services then iptables will be stopped, using the following command:

/etc/init.d/iptables stop

If the user selects 5. Restart iptable Services then iptables will be restarted, using the following command, it will load the saved iptables rules:

/etc/init.d/iptables restart

If the user selects 6. Flush iptables then iptables will be flushed, (**use Carefully_it will remove all the rules from iptables**), using the following command, it will flush the saved iptables rules:

iptables -F

To go back to the Main Menu the user must select option 7. Go back to Main Menu.

*****Main Menu*****
1. Check Iptables Package
2. Iptables Services
3. Build Your Firewall with Iptables
4. Exit

Option 3. Build your Firewall with Iptables is the heart of this script, by using this option users can create the firewall with iptables using simple steps, when a user selects the option 3. Build your Firewall with Iptables then the script will ask the user to create the firewall.

Using Which Chain of Filter Table?
1. INPUT
2. OUTPUT
3. Forward"

The above menu will ask the user to select the chain where he/she wants to put the rule.

Now the script will ask the user to get the IP information from the Source side...

1. Firewall using Single Source IP
2. Firewall using Source Subnet
3. Firewall using for All Source Networks

Then the above menu ask the user the above three question, if the user selects the option 1. Firewall using Single Source IP then the script will ask the user to enter the IP address.

If the user selects option 2. Firewall using Source Subnet then the script will ask the user to enter the subnet in the form of "192.168.1.0/24".

If the user selects option 3. Firewall using for All Source Networks then the script will put 0/0 in the variable named "ip_source" in the script.

Now the script will ask the user to get the IP information from the Destination side...

1. Firewall using Single Destination IP
2. Firewall using Destination Subnet
3. Firewall using for All Destination Networks

Then the above menu asks the user the above three questions, if the user selects option 1. Firewall using Single Destination IP then the script will ask the user to enter the IP address.

If the user selects option 2. Firewall using Destination Subnet then the script will ask the user to enter the subnet in the form of "192.168.1.0/24"

If the user selects option 3. Firewall using for All Destination Networks then the script will put 0/0 in the variable named "ip_dest" in the script.

Now the script asks the user to select the PROTOCOL:

1. Block All Traffic of TCP
2. Block Specific TCP Service
3. Block Specific Port
4. Using no Protocol

Now from the above displayed menu if the user selects 1. Block All Traffic of TCP then the script will block all the TCP Traffic.

If the user selects 2. Block Specific TCP Service, now the script will ask the user to enter the TCP Service of his/her choice (e.g ICMP).

Note: the TCP Service name should be in CAPITAL LETTERS!!!

If the user selects 3. Block Specific Port the script will ask the user to enter the PORT number.

Now the script prompts the user What to do with the Above Created Rule?

What to do with Rule?
1. Accept the Packet
2. Reject the Packet
3. Drop the Packet
4. Create Log

If the user selects 1. Accept the Packet then the packet will be accepted.

If the user selects 2. Reject the Packet then the packet will be rejected.

If the user selects 3. Drop the Packet then the packet will be dropped.

If the user selects 4. Create Log then only the log will be created.

Now the following message will be shown to the user:

Press Enter key to Generate the Complete Rule!!!

When the user presses the Enter key then the script generates the original rule with the correct syntax and displays it to the user, in my case:

The Generated Rule is
iptables -A INPUT -s 192.168.0.0/24 -d 172.16.0.0/16 -p TCP -j ACCEPT

Now the script shows the following message to the user:

Do you want to Enter the Above rule to the IPTABLES? Yes=1 , No=2

If the above rule is correct then the user presses 1 for Yes and adds the rule to iptables
otherwise 2 for No and the script will return to let the user edit the rule.

Here is the whole script:

#!/bin/bash
echo -e "****************Welcome*************"
###############################IPTABLE SERVICES PROGRAM BEGINS HERE###############################
checkstatus()
 {
  opt_checkstatus=1
 while [ $opt_checkstatus != 7 ]
      do
       clear
  #echo -e "\nChoose the Option Bellow!!!\n
  echo -e "\n\t*****Note: Save your Iptables before stop/Restart the iptables Services*****\n"
  echo -e "   1. Save the iptables\n
   2. Status of Iptables\n
   3. Start iptables Services\n
   4. Stop iptables Services\n
   5. Restart iptable Services\n
   6. Flush iptables (**Use Carefully_it will remove all the rules from iptables**)\n
   7. Go back to Main Menu"
  read opt_checkstatus
  case $opt_checkstatus in
   1) echo -e "*******************************************************\n" 
               /etc/init.d/iptables save 
      echo -e "\n*******************************************************\n"
    echo -e "Press Enter key to Continue..."
    read temp;;
   2) echo -e "*******************************************************\n"
               /etc/init.d/iptables status 
      echo -e "*******************************************************"
                                echo -e "Press Enter key to Continue..."
                                     read temp;;
   3) echo -e "*******************************************************\n"  
               /etc/init.d/iptables start 
      echo -e "*******************************************************\n"
                                 echo -e "Press Enter key to Continue..."
                                       read temp;;
   
   4) echo -e "*******************************************************\n"
               /etc/init.d/iptables stop
      echo -e "*******************************************************\n"
                                echo -e "Press Enter key to Continue..."
                                     read temp;;
     
             5) echo -e "*******************************************************\n"
                      /etc/init.d/iptables restart 
      echo -e "*******************************************************\n"
                                echo -e "Press Enter key to Continue..."
                                     read temp;;
   6) iptables -F 
   echo -e "*******************************************************"
   echo -e "All the Rules from the Iptables are Flushed!!!"
   echo -e "*******************************************************\n"
                                echo -e "Press Enter key to Continue..."
                                 read temp;;
   7) main;;
   *) echo -e "Wrong Option Selected!!!"
  esac
 done
 }
###############################BUILD FIREWALL PROGRAM BEGINS FROM HERE############################### 
buildfirewall()
 {
  ###############Getting the Chain############
  echo -e "Using Which Chain of Filter Table?\n
  1. INPUT
  2. OUTPUT
  3. Forward"
  read opt_ch
  case $opt_ch in
   1) chain="INPUT" ;;
   2) chain="OUTPUT" ;;
   3) chain="FORWARD" ;;
   *) echo -e "Wrong Option Selected!!!"
  esac
 
  #########Getting Source IP Address##########
  #Label
   
  echo -e "
  1. Firewall using Single Source IP\n
  2. Firewall using Source Subnet\n
  3. Firewall using for All Source Networks\n"
  read opt_ip
   
  case $opt_ip in
   1) echo -e "\nPlease Enter the IP Address of the Source"
   read ip_source ;;
   2) echo -e "\nPlease Enter the Source Subnet (e.g 192.168.10.0/24)"
   read ip_source ;;
   3) ip_source="0/0" ;;
   #4) ip_source = "NULL" ;;
   *) echo -e "Wrong Option Selected"
  esac
  #########Getting Destination IP Address##########
   echo -e "
  1. Firewall using Single Destination IP\n
                2. Firewall using Destination Subnet\n
         3. Firewall using for All Destination Networks\n"
  
     read opt_ip
              case $opt_ip in
        1) echo -e "\nPlease Enter the IP Address of the Destination"
                     read ip_dest ;;
               2) echo -e "\nPlease Enter the Destination Subnet (e.g 192.168.10.0/24)"
                     read ip_dest ;;
               3) ip_dest="0/0" ;;
        #4) ip_dest = "NULL" ;;
               *) echo -e "Wrong Option Selected"
       esac
       ###############Getting the Protocol#############
       echo -e "
       1. Block All Traffic of TCP
       2. Block Specific TCP Service
       3. Block Specific Port
       4. Using no Protocol"
       read proto_ch
       case $proto_ch in
        1) proto=TCP ;;
        2) echo -e "Enter the TCP Service Name: (CAPITAL LETTERS!!!)"
       read proto ;;
        3) echo -e "Enter the Port Name: (CAPITAL LETTERS!!!)" 
       read proto ;;
        4) proto="NULL" ;;
        *) echo -e "Wrong option Selected!!!"
       esac
 
       #############What to do With Rule############# 
       echo -e "What to do with Rule?
       1. Accept the Packet
       2. Reject the Packet
       3. Drop the Packet
       4. Create Log"
       read rule_ch
       case $rule_ch in 
        1) rule="ACCEPT" ;;
        2) rule="REJECT" ;;
        3) rule="DROP" ;;
        4) rule="LOG" ;;
       esac
###################Generating the Rule####################
echo -e "\n\tPress Enter key to Generate the Complete Rule!!!"
read temp
echo -e "The Generated Rule is \n"
if [ $proto == "NULL" ]; then
 echo -e "\niptables -A $chain -s $ip_source -d $ip_dest -j $rule\n"
 gen=1
else
 echo -e "\niptables -A $chain -s $ip_source -d $ip_dest -p $proto -j $rule\n"
 gen=2
fi 
echo -e "\n\tDo you want to Enter the Above rule to the IPTABLES? Yes=1 , No=2"
read yesno
if [ $yesno == 1 ] && [ $gen == 1 ]; then
 iptables -A $chain -s $ip_source -d $ip_dest -j $rule
else if [ $yesno == 1 ] && [ $gen == 2 ]; then
 iptables -A $chain -s $ip_source -d $ip_dest -p $proto -j $rule         
   
else if [ $yesno == 2 ]; then
 
 main
fi
fi
fi
}
      
main()
{
 ROOT_UID=0
 if [ $UID == $ROOT_UID ];
 then
 clear
 opt_main=1
 while [ $opt_main != 4 ]
 do
echo -e "/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\n" 
#############Check Whether the iptables installed or not############ 
 echo -e "\t*****Main Menu*****\n
 1. Check Iptables Package\n
 2. Iptables Services\n
 3. Build Your Firewall with Iptables\n
 4. Exit"
 read opt_main
 case $opt_main in
  1) echo -e "******************************"
    rpm -q iptables 
     echo -e "******************************" ;;
  2) checkstatus ;;
  3) buildfirewall ;;
  4) exit 0 ;;
  *) echo -e "Wrong option Selected!!!"
 esac
done
else
 echo -e "You Must be the ROOT to Perfom this Task!!!"
fi
}
main
exit 0

Set Up DHCP Failover On Centos

noreply@blogger.com (Unknown) — Wed, 25 Jun 2008 09:00:00 +0000

This tutorial will guide you through setting up DHCP fail on CentOS 5.1 default using the ISC DHCP server, which can be easily adapted to any other Linux distribution on the market. You'll probably need changeover in network environments where downtime can not be tolerated. At my house is running a configuration DLNA so I need my devices to be able to obtain network settings at any time.

Since DHCP and DNS often go hand in hand i will be setting up a local DNS server which allows updates dynamic, such as host names will be automatically updated DNS forever when a lease is granted to a customer.

My setup use the following configuration please substitute to your own network configuration.

Domain name - home.topdog-software.com

Network - 192.168.1.0/24

DHCP servers - 192.168.1.2,192.168.1.3

Gateway - 192.168.1.254

DNS servers - 192.168.1.2,192.168.1.3

Install required Packages

DHCP
# yum install dhcp -y

DNS
# yum install bind bind-chroot caching-nameserver -y

NTP
# yum install ntp -y

Configuration :
DHCP

Backup your original config on the Master 192.168.1.2:

# cp /etc/dhcpd.conf /etc/dhcpd.conf.orig

Edit the DHCP configuration /etc/dhcpd.conf on the master 192.168.1.2 and add the following, read the comments to understand the options:

authoritative;                                  # server is authoritative
option domain-name "home.topdog-software.com";       # the domain name issued
option domain-name-servers 192.168.1.2,192.168.1.3;  # name servers issued
option netbios-name-servers 192.168.1.2;             # netbios servers
allow booting;                                       # allow for booting over the network
allow bootp;                                         # allow for booting
next-server 192.168.1.2;                             # TFTP server for booting
filename "pxelinux.0";                               # kernel for network booting
ddns-update-style interim;                           # setup dynamic DNS updates
ddns-updates on;
ddns-domainname "home.topdog-software.com";          # domain name for DDNS updates
key rndckey {
        algorithm       hmac-md5;
        secret          "xxxxxxxxxx";                # get from the /etc/rndc.key file
}
zone home.topdog-software.com                        # forward zone to update
{
        primary 127.0.0.1;                           # update on the local machine
        key rndckey;                                 # key to use for the update
}
zone 1.168.192.in-addr.arpa                          # reverse zone to update
{
        primary 127.0.0.1;                           # update on the local machine
        key rndckey;                                 # key for update
}
failover peer "home-net" {                           # fail over configuration
         primary;                                    # This is the primary
         address 192.168.1.2;                        # primarys ip address
         port 647;
         peer address 192.168.1.3;                   # peer's ip address
         peer port 647;
         max-response-delay 60;
         max-unacked-updates 10;
         mclt 3600;
         split 128;
         load balance max seconds 3;
}
subnet 192.168.1.0 netmask 255.255.255.0             # zone to issue addresses from
{
        pool {
                failover peer "home-net";            # pool for dhcp leases with failover bootp not allowed 
                deny dynamic bootp clients;         
                option routers 192.168.1.254;
                range 192.168.1.25 192.168.1.50;
        }
        pool {                                       # accomodate our bootp clients here no replication and failover
                option routers 192.168.1.254;
                range 192.168.1.51 192.168.1.55;
        }
        allow unknown-clients;
        ignore client-updates;
}

Back up your original config on the Slave 192.168.1.3:

# cp /etc/dhcpd.conf /etc/dhcpd.conf.orig

Edit the DHCP configuration /etc/dhcpd.conf on the slave 192.168.1.3 and add the following, read the comments to understand the options:

authoritative;                                  # server is authoritative
option domain-name "home.topdog-software.com";       # the domain name issued
option domain-name-servers 192.168.1.2,192.168.1.3;  # name servers issued
option netbios-name-servers 192.168.1.2;             # netbios servers
allow booting;                                       # allow for booting over the network
allow bootp;                                         # allow for booting
next-server 192.168.1.2;                             # TFTP server for booting
filename "pxelinux.0";                               # kernel for network booting
ddns-update-style interim;                           # setup dynamic DNS updates
ddns-updates on;
ddns-domainname "home.topdog-software.com";          # domain name for DDNS updates
key rndckey {
        algorithm       hmac-md5;
        secret          "xxxxxxxxxx";                # get from the /etc/rndc.key file on the master
}
zone home.topdog-software.com                        # forward zone to update
{
        primary 192.168.1.2;                         # update on the local machine
        key rndckey;                                 # key to use for the update
}
zone 1.168.192.in-addr.arpa                          # reverse zone to update
{
        primary 192.168.1.2;                         # update on the local machine
        key rndckey;                                 # key for update
}
failover peer "home-net" {                           # fail over configuration
         secondary;                                  # This is the secondary
         address 192.168.1.3;                        # our ip address
         port 647;
         peer address 192.168.1.2;                   # primary's ip address
         peer port 647;
         max-response-delay 60;
         max-unacked-updates 10;
         mclt 3600;
         load balance max seconds 3;
}
subnet 192.168.1.0 netmask 255.255.255.0             # zone to issue addresses from
{
        pool {
                failover peer "home-net";            # pool for dhcp leases with failover bootp not allowed 
                deny dynamic bootp clients;         
                option routers 192.168.1.254;
                range 192.168.1.25 192.168.1.50;
        }
        pool {                                       # accomodate our bootp clients here no replication and failover
                option routers 192.168.1.254;
                range 192.168.1.51 192.168.1.55;
        }
        allow unknown-clients;
        ignore client-updates;
}

DNS

Back up the the Bind configuration on the master:

# cp /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.caching-nameserver.conf.orig

Edit the configuration to reflect the config below.

options {
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        query-source    port 53;
        query-source-v6 port 53;
        allow-query     { localhost; localnets; };
};
include "/etc/rndc.key";
include "/etc/named.rfc1912.zones";
zone "home.topdog-software.com" {
        type master;
        file "data/home.topdog-software.com.hosts";
        allow-transfer { 192.168.1.3; };
        allow-update { key "rndckey"; };
        allow-query { any; };
};
zone "1.168.192.in-addr.arpa" {
        type master;
        file "data/1.168.192.in-addr.arpa.hosts";
        allow-transfer { 192.168.1.3; };
        allow-update { key "rndckey"; };
        allow-query { any; };
};

Back up the the Bind configuration on the slave:

# cp /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.caching-nameserver.conf.orig

Edit the configuration to reflect the config below.

options {
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        query-source    port 53;
        query-source-v6 port 53;
        allow-query     { localhost; localnets; };
};
include "/etc/rndc.key";
include "/etc/named.rfc1912.zones";
zone "home.topdog-software.com" {
        type slave;
        masters { 192.168.1.2; };
        file "data/home.topdog-software.com.hosts";
};
zone "1.168.192.in-addr.arpa" {
        type slave;
        masters { 192.168.1.2; };
        file "data/1.168.192.in-addr.arpa.hosts";
};

Create the zone files on the master

/var/named/chroot/var/named/data/home.topdog-software.com.hosts

$ORIGIN .
$TTL 38400 
home.topdog-software.com IN SOA ns1.home.topdog-software.com. andrew.topdog.za.net. (
                                2008061629 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                38400      ; minimum (10 hours 40 minutes)
                                )
                        NS      ns1.home.topdog-software.com.
                        NS      ns2.home.topdog-software.com.
ns1      IN    A 192.168.1.2
ns2      IN    A 192.168.1.3

/var/named/chroot/var/named/data/1.168.192.in-addr.arpa.hosts

$ORIGIN .
$TTL 38400      ; 10 hours 40 minutes
1.168.192.in-addr.arpa  IN SOA  ns1.home.topdog-software.com. andrew.topdog.za.net. (
                                2008061644 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                38400      ; minimum (10 hours 40 minutes)
                                )
                        NS      ns1.home.topdog-software.com.
                        NS      ns2.home.topdog-software.com.
2    IN  PTR ns1.home.topdog-software.com.
3    IN  PTR ns2.home.topdog-software.com.

NTP

NTP is required because the two DHCP servers need to be in sync for fail over as well as DDNS to take place. You can run a full fledged NTP server if you want, i will only provide you with instructions on using cron to sync NTP to an external NTP server every hour. You need to do this on BOTH servers.

create a file /etc/cron.hourly/timesync and add the following:
```
#!/bin/bash
#
ntpdate -s 0.rhel.pool.ntp.org
```

make the file executable and run it for the first time:
# /etc/cron.hourly/timesync

Finally

Well we are done, let's fire up the services and begin testing.

on the master:
# service named start

# service dhcpd start

on the slave:
# service named start

# service dhcpd start

You should see the following in your logs on the master:

Jun 16 13:58:56 kudusoft dhcpd: failover peer home-net: I move from recover to startup
Jun 16 13:58:56 kudusoft dhcpd: dhcpd startup succeeded
Jun 16 13:58:56 kudusoft dhcpd: failover peer home-net: I move from startup to recover
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: peer moves from unknown-state to recover
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: requesting full update from peer
Jun 16 13:59:12 kudusoft dhcpd: Sent update request all message to home-net
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: peer moves from recover to recover
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: requesting full update from peer
Jun 16 13:59:12 kudusoft dhcpd: Update request all from home-net: sending update
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: peer update completed.
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: I move from recover to recover-done
Jun 16 13:59:13 kudusoft dhcpd: Sent update done message to home-net
Jun 16 13:59:13 kudusoft dhcpd: failover peer home-net: peer moves from recover to recover-done
Jun 16 13:59:13 kudusoft dhcpd: failover peer home-net: I move from recover-done to normal
Jun 16 13:59:13 kudusoft dhcpd: failover peer home-net: peer moves from recover-done to normal
Jun 16 13:59:14 kudusoft dhcpd: pool 914eb10 192.168.1/24 total 26  free 25  backup 0  lts -12
Jun 16 13:59:14 kudusoft dhcpd: pool 914eb10 192.168.1/24  total 26  free 25  backup 0  lts 12

And on the slave:

Jun 16 13:59:12 shaka dhcpd: Sending on   Socket/fallback/fallback-net
Jun 16 13:59:12 shaka dhcpd: failover peer home-net: I move from recover to startup
Jun 16 13:59:12 shaka dhcpd: failover peer home-net: peer moves from unknown-state to recover
Jun 16 13:59:12 shaka dhcpd: dhcpd startup succeeded
Jun 16 13:59:12 shaka dhcpd: failover peer home-net: requesting full update from peer
Jun 16 13:59:12 shaka dhcpd: failover peer home-net: I move from startup to recover
Jun 16 13:59:12 shaka dhcpd: Sent update request all message to home-net
Jun 16 13:59:12 shaka dhcpd: Sent update done message to home-net
Jun 16 13:59:12 shaka dhcpd: Update request all from home-net: nothing pending
Jun 16 13:59:12 shaka dhcpd: failover peer home-net: peer moves from recover to recover-done
Jun 16 13:59:14 shaka dhcpd: failover peer home-net: peer update completed.
Jun 16 13:59:14 shaka dhcpd: failover peer home-net: I move from recover to recover-done
Jun 16 13:59:14 shaka dhcpd: failover peer home-net: peer moves from recover-done to normal
Jun 16 13:59:14 shaka dhcpd: failover peer home-net: I move from recover-done to normal
Jun 16 13:59:14 shaka dhcpd: pool 9d78ad8 192.168.1/24 total 26  free 25  backup 0  lts 12
Jun 16 13:59:14 shaka dhcpd: pool response: 12 leases

Securing Postgresql with Two-Factor Authentication

noreply@blogger.com (Unknown) — Wed, 25 Jun 2008 03:48:00 +0000

This tutorial will demonstrate how to secured PostgreSQL databases using two factors authentication of the WiKID strong authentication server via WFP on Linux. We assume that you have PostgreSQL and WiKID strong authentication server configured.

Configuring Postgresql

Configuring Postgresql to use PAM authentication is trivial. Edit the pg_hba.conf file to use PAM and add
an entry for PAM for the appropriate network:

host all all 192.168.0.0/24 pam postgresql

This entry specifies that all the users from the local lan (192.168.x.x) will use PAM, specifically the file postgresql which on redhat flavors is found in /etc/pam.d. We assume you have a separate line for access by applications. You don't want to break any applications that are using Postgres.

Configuring PAM

If your system does not have a package for pam_radius you can download the source from the Pam Radius website. Installation documentation is
also available.

Once installed, edit the postgresql PAM file to use radius:

#%PAM-1.0 
 
auth       sufficient   /lib/security/pam_radius_auth.so 
 
account    include      system-auth 
 
password   include      system-auth 
 
session    include      system-auth

PAM settings vary by linux flavor, so please consult your distribution's PAM documentation.

Now edit the /etc/raddb/server file to point to your WiKID server:

# server[:port] shared_secret      timeout (s)
#127.0.0.1      secret             1
192.168.0.10    your_shared_secret  3

Configuring the WiKID Strong Authentication Server
Adding a domain to the WiKID server

The WiKID Authentication System employs the concept of authentication domains. An authentication domain is a segmentation of authentication authority. Any given token client using the system can participate in any number of authentication domains. These domains may exist on an individual WiKID Strong Authentication Server or they may exist on separate and discrete servers (or any combination). Conversely, a WiKID Strong Authentication Server may provide authentication services for any number of discrete domains. These domains may be exclusive or inclusive of any set of token clients.

An authentication domain is initially defined by the 12-digit code used in token client provisioning. This code allows any un-configured, unrelated token client to locate and register with a particular WiKID Strong Authentication Server and domain. In practice, the 12-digit code signifies a zero-padded IP address that is Internet accessible. Optionally, if may designate a prefix in the wikidsystems.net domain. For example, a WiKID Strong Authentication Server with the public IP address of 27.232.7.14 would be directly accessible via the 12-digit code 027232007014. Using the wikidsystem.net service, codes signifying non-routable IP addresses may be used, such as 999888777666. You can also alter the DNS settings by deploying a custom jw.properties file with your software token.

Selecting the [Domains] header option will display the current domains served by this WiKID Strong Authentication Server. See Figure 1 below.

Figure 1 – Domain Configuration Screen

Selecting [Create New Domain] on this screen will allow the administrator to establish a new authentication domain for this server. The new domain parameter screen is depicted in Figure 2.

The required domain configuration options are:

Domain Name – This is a descriptive label for this domain visible only in the administration system.

Device Domain Name – This is the domain label that will appear in the menu option on the token client. This label should be relatively short to facilitate viewing on a mobile device.

Minimum PIN Length - This is the minimum allowable PIN length for this domain. Any attempt to set a pin shorter than this value will generate an error on the client token client.

Passcode Lifetime – This parameter specifies the maximum lifetime of the one-time passcode generated in this domain. After N elapsed seconds, the one-time passcode will automatically be invalidated.

Server Code – This is the zero-padded IP address of the server or the pre-registered prefix in the wikidsystems.net domain. This value must be exactly 12 digits in length.

Max Bad PIN Attempts – The maximum number of bad PINs attempted by a token client in this domain before the token is disabled.

Max Bad Passcode Attempts – The maximum number of bad passcodes entered for a userid registered in this domain before the userid is disabled.

Max Sequential Offlines – The maximum number of times a token client may use the offline challenge/response authentication before being required to authenticate online. This feature is used in the Enterprise version for the wireless clients when they are out-of-network coverage.

Use TACACS+ Select this to use TACACS+ for this domain.

Creating Network Clients

Network clients are systems that request one-time password validation from a WiKID Strong Authentication Server. These systems act in a proxy capacity, accepting questionable information from users and communicating with the WiKID Strong Authentication Server for validation.
Network clients utilize one of the installed protocol modules. The protocol module must be installed, initialized and enabled before you can configure add a network client for it.

Each network client must be configured on the WiKID Strong Authentication Server before it will allow the client to request validation.
Figure 3 shows the initial network client screen.

Initial Network Client Screen

Select – Create new Network Client - to begin adding a network client. You will be presented with a screen similar to Figure 4 below.

Network Client Properties Screen

These are the general network client properties. These values are required for each network client configured, regardless of the protocol selected. Property definitions are:

Name – The descriptive name of the server. This will be the primary display name in the administrative system and in system logs and reports. It is recommended that you use a combination of hostname, and WiKID domain for clarity.

IP Address – The IP address of the network client.

Protocol – The communications protocol used by this network client. Only protocols previously enabled will be available. The protocol selection will dictate the additional properties that must be defined for this client. In this instance, choose Radius.

Domain – This is the WiKID authentication domain in which this client will request credential validation. Your postgresql administrators will need to have their tokens registered in this domain.

Radius traffic is encoded by a shared secret, so we need to enter the same shared secret here as we entered on Postgresql server's /etc/raddb/server file:

That's it! To access Postgresql from the command line or from any GUI interface will require a one-time passcode from the WiKID Strong Authentication server.

Install MySQL Proxy On CentOS

noreply@blogger.com (Unknown) — Mon, 23 Jun 2008 18:25:00 +0000

This tutorial explains how you can install MySQL Proxy on a CentOS 5 (x86_64). MySQL Proxy is a simple program that sits between your client and MySQL server that can monitor, analyze and transform their communication. Its flexibility allows an unlimited number of uses; common include: load balancing, failover; query analysis, filtering and application modification, and many others.

At a minimum Centos 5 final x86_64 install:

yum
install gcc.x86_64 libevent.x86_64 libevent-devel.x86_64
readline.x86_64 readline-devel.x86_64 ncurses.x86_64
ncurses-devel.x86_64 glib2.x86_64 glib2-devel.x86_64

cd /usr/local/src/

wget http://www.lua.org/ftp/lua-5.1.3.tar.gz

tar zxvf lua-5.1.3.tar.gz

cd lua-5.1.3

make linux

make install

wget
http://dev.mysql.com/get/Downloads/MySQL-Cluster-6.2/mysql-5.1.23-ndb-6.2.15-linux-x86_64-glibc23.tar.gz/\
from/http://www.mirrorservice.org/sites/ftp.mysql.com/

tar xzvf mysql-5.1.23-ndb-6.2.15-linux-x86_64-glibc23.tar.gz

ln -s mysql-5.1.23-ndb-6.2.15-linux-x86_64-glibc23 mysql

PATH=$PATH:/usr/local/mysql/bin

export PATH

Edit your .profile to make this permanent:

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
       . ~/.bashrc
fi

# User specific environment and startup programs

PATH=$PATH:/usr/local/mysql/bin:$HOME/bin

export PATH
unset USERNAME

wget
http://dev.mysql.com/get/Downloads/MySQL-Proxy/mysql-proxy-0.6.1.tar.gz/from/http://www.mirrorservice.org/sites/ftp.mysql.com/

tar zxvf mysql-proxy-0.6.1.tar.gz

cd mysql-proxy-0.6.1

./configure LDFLAGS="-lm -ldl" LUA_CFLAGS="-I/usr/local/include/" LUA_LIBS=/usr/local/lib/liblua.a

make

make install

Let's create a sample LUA script so you can see some logs.

mkdir /var/log/mysql-proxy/

mkdir -p /usr/local/mysql/lua-scripts/

vi /usr/local/mysql/lua-scripts/simple-log.lua

(see: http://www.oreillynet.com/pub/a/databases/2007/07/12/getting-started-with-mysql-proxy.html?page=3

Script modified to get IP and to use proxy.connection.server.thread_id.)

local log_file = '/var/log/mysql-proxy/mysql.log'
local fh = io.open(log_file, "a+")

function read_query( packet )
if string.byte(packet) == proxy.COM_QUERY then
 local query = string.sub(packet, 2)
 fh:write( string.format("%s %6d -- %s :IP %s :USER: %s\n",
 os.date('%Y-%m-%d %H:%M:%S'),
 proxy.connection.server.thread_id,
 query,
 proxy.connection.client.address,
 proxy.connection.client.username))
fh:flush()
end
end

Now start up your proxy using the variable --proxy-backend-addresses to point the proxy at your servers.

/usr/local/sbin/mysql-proxy
--proxy-lua-script=/usr/local/mysql/lua-scripts/simple-log.lua
--proxy-backend-addresses=192.168.1.33:3306
--proxy-backend-addresses=192.168.1.34:3306 --daemon

192.168.1.33 and 192.168.1.34 are the MySQL nodes that the proxy will be connecting to.

Allow connections for the proxy through your firewall:

### ALLOWED TO CONNECT TO MYSQL PROXY
###
### LOCAL ADMINS
-A INPUT -s SRC-IP -d DST-IP -p tcp -m state --state NEW -m tcp --dport 4040 -j ACCEPT

Where DST-IP is my proxy server and SRC-IP is my local box (client machine).

Now
from your local box (not the mysql-proxy server) try and connect to the
backend databases through the proxy ( user with relevent permissions
must exist in the db).

mysql -u dba_admin -p -h PROXY-SERVER -P 4040

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 16 to server version: 5.1.23-ndb-6.2.15

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;

mysql> quit

Bye

N.B. The proxy uses the port 4040 instead of 3306.

Test the mysql-proxy admin interface from the mysql-proxy server:

mysql -u root -p -h 127.0.0.1 -P 4041

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 1

Server version: 5.1.20-agent MySQL Enterprise Agent

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select * from proxy_connections;

+------+--------+-------+------+
| id | type | state | db |
+------+--------+-------+------+
| 0 | server | 0 | |
| 1 | proxy | 0 | |
| 2 | server | 10 | |
+------+--------+-------+------+

3 rows in set (0.00 sec)

mysql>quit

bye

Job done! Now read on:

http://dev.mysql.com/tech-resources/articles/proxy-gettingstarted.html

http://forge.mysql.com/wiki/MySQL_Proxy

http://www.oreillynet.com/pub/a/databases/2007/07/12/getting-started-with-mysql-proxy.html?page=1

Intrusion Detection For PHP

noreply@blogger.com (Unknown) — Sun, 22 Jun 2008 18:32:00 +0000

This tutorial explains how to set up PHPIDS on a web server with Apache2 and PHP5. PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art layer of security for your PHP based web application. The IDS or bands or filters sanitizes any malicious input, it recognizes when an attacker tries to break your site and reacts exactly how you want. On the basis of a set of highly approved and tested filtering rules any attack is a digital impact rating which makes it easy to decide what type of action should follow the hacking attempt. It may be the simple logging to send an urgent email to the development team, displaying a warning message to the attacker or even to terminate the user session.

1 Preliminary Note

I have tested this on a Debian Etch LAMP system with Apache2 and PHP5 and the IP address 192.168.0.100. The Apache user and group on Debian Etch is www-data, so if you are on a different distribution, the Apache user and group might be different. The location of php.ini (/etc/php5/apache2/php.ini on Debian Etch) might differ as well.

I'm using a virtual host with the document root /var/www/web1/web in this example.

2 Installing PHPIDS

For security reasons, I want to install PHPIDS outside of the document root, so I create the directory /var/www/web1/phpids:

mkdir /var/www/web1/phpids

Then I install PHPIDS as follows (at the time of this writing the latest version was 0.4.7) - of all the contents of the phpids-0.4.7.tar.gz file, we only need the lib/ directory:

cd /tmp

wget http://php-ids.org/files/phpids-0.4.7.tar.gz

tar xvfz phpids-0.4.7.tar.gz

cd phpids-0.4.7

mv lib/ /var/www/web1/phpids/

Now I change to the directory /var/www/web1/phpids/lib/IDS...

cd /var/www/web1/phpids/lib/IDS

... and make the tmp/ directory (which will hold the PHPIDS log file) writable for the Apache user and group:

chown -R www-data:www-data tmp/

Next we configure the PHPIDS configuration file (Config.ini):

cd Config/

vi Config.ini

I'm using the default configuration here, all I did was to adjust the paths:

; PHPIDS Config.ini

; General configuration settings

; !!!DO NOT PLACE THIS FILE INSIDE THE WEB-ROOT IF DATABASE CONNECTION DATA WAS ADDED!!!

[General]

    filter_type     = xml
    filter_path     = /var/www/web1/phpids/lib/IDS/default_filter.xml
    tmp_path        = /var/www/web1/phpids/lib/IDS/tmp
    scan_keys       = false

    exceptions[]    = __utmz
    exceptions[]    = __utmc

; If you use the PHPIDS logger you can define specific configuration here

[Logging]

    ; file logging
    path            = /var/www/web1/phpids/lib/IDS/tmp/phpids_log.txt

    ; email logging

    ; note that enabling safemode you can prevent spam attempts,
    ; see documentation
    recipients[]    = test@test.com.invalid
    subject         = "PHPIDS detected an intrusion attempt!"
    header                      = "From: <PHPIDS> info@php-ids.org"
    safemode        = true
    allowed_rate    = 15

    ; database logging

    wrapper         = "mysql:host=localhost;port=3306;dbname=phpids"
    user            = phpids_user
    password        = 123456
    table           = intrusions

; If you would like to use other methods than file caching you can configure them here

[Caching]

    ; caching:      session|file|database|memcached|none
    caching         = file
    expiration_time = 600

    ; file cache
    path            = /var/www/web1/phpids/lib/IDS/tmp/default_filter.cache

    ; database cache
    wrapper         = "mysql:host=localhost;port=3306;dbname=phpids"
    user            = phpids_user
    password        = 123456
    table           = cache

    ; memcached
    ;host           = localhost
    ;port           = 11211
    ;key_prefix     = PHPIDS
    ;tmp_path       = /var/www/web1/phpids/lib/IDS/tmp/memcache.timestamp

3 Using PHPIDS

We will now create the file /var/www/web1/web/phpids.php which will call PHPIDS for us (we will later on prepend that file to all our PHP files so that our PHP files can make use of PHPIDS automatically):

vi /var/www/web1/web/phpids.php

<?php
set_include_path(
   get_include_path()
   . PATH_SEPARATOR
   . '/var/www/web1/phpids/lib'
  );

  require_once 'IDS/Init.php';
  $request = array(
      'REQUEST' => $_REQUEST,
      'GET' => $_GET,
      'POST' => $_POST,
      'COOKIE' => $_COOKIE
  );
  $init = IDS_Init::init('/var/www/web1/phpids/lib/IDS/Config/Config.ini');
  $ids = new IDS_Monitor($request, $init);
  $result = $ids->run();

  if (!$result->isEmpty()) {
   // Take a look at the result object
   echo $result;
   require_once 'IDS/Log/File.php';
   require_once 'IDS/Log/Composite.php';

   $compositeLog = new IDS_Log_Composite();
   $compositeLog->addLogger(IDS_Log_File::getInstance($init));
   $compositeLog->execute($result);
  }
?>

Now when you call that file in a browser, (e.g. http://192.168.0.100/phpids.php), you will see a blank page. But if you try to append some malicious parameters to the URL (e.g. http://192.168.0.100/phpids.php?test=%22%3EXXX%3Cscript%3Ealert(1)%3C/script%3E), PHPIDS will detect this and print its findings in the browser:

Now we have to find a way to make our PHP scripts use PHPIDS. Of course, you don't want to modify all your PHP scripts (you could have hundreds of them...). Fortunately, there's a better way: we can tell PHP to prepend a PHP script whenever a PHP script is called. For example, if we call the script info.php in a browser, PHP would first execute phpids.php and then info.php, and we don't even have to modify info.php.

We can do this by using PHP's auto_prepend_file parameter. We can either set this in our php.ini (this is a global setting which is valid for all PHP web sites on the server), or in an .htaccess file (this is a setting valid only for the web site in question):

php.ini

Open your php.ini (e.g. /etc/php5/apache2/php.ini), and set auto_prepend_file to /var/www/web1/web/phpids.php:

vi /etc/php5/apache2/php.ini

[...]
auto_prepend_file = /var/www/web1/web/phpids.php
[...]

Restart Apache afterwards:

/etc/init.d/apache2 restart

.htaccess

Instead of modifying php.ini (which is a global change, i.e., the change is valid for all web sites that use PHP on the server), you can instead use an .htaccess file (so the setting would be valid only for the web site for which you create the .htaccess file):

vi /var/www/web1/web/.htaccess

php_value auto_prepend_file /var/www/web1/web/phpids.php

Please make sure that the vhost for the web site in /var/www/web1/web contains something like this (otherwise the php_value line in the .htaccess file will be ignored) (if you have to modify the vhost, please don't forget to restart Apache):

<Directory /var/www/web1/web/>
AllowOverride All
</Directory>

Now we create a simple PHP file, /var/www/web1/web/info.php:

vi /var/www/web1/web/info.php

<?php
phpinfo();
?>

Call that file in a browser (http://192.168.0.100/info.php), and you should see the normal phpinfo() output.

Now append some malicious parameters to the URL (e.g. http://192.168.0.100/info.php?test=%22%3EXXX%3Cscript%3Ealert(1)%3C/script%3E), and you should find a PHPIDS report before the phpinfo() output (because /var/www/web1/web/phpids.php was executed before /var/www/web1/web/info.php):

PHPIDS logs to /var/www/web1/phpids/lib/IDS/tmp/phpids_log.txt, so you should see something in the log now:

cat /var/www/web1/phpids/lib/IDS/tmp/phpids_log.txt

"192.168.0.200",2008-06-04T17:36:08+02:00,54,"xss csrf id rfe lfi","REQUEST.test=%5C%22%3EXXX%3Cscript%3Ealert%281%29%3C%2Fscript%3E GET.test=%5C%22%3EXXX%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
"%2Finfo.php%3Ftest%3D%2522%253EXXX%253Cscript%253Ealert%281%29%253C%2Fscript%253E"

Now by observing that log you learn what hackers are trying to do to your PHP applications, and you can try to harden your applications.

To add another level of security, we can stop our PHP scripts from executing if PHPIDS find that they are under attack: we simply add something like die('<h1>Go away!</h1>'); to the if (!$result->isEmpty()) {} section of the /var/www/web1/web/phpids.php script:

vi /var/www/web1/web/phpids.php

<?php
set_include_path(
   get_include_path()
   . PATH_SEPARATOR
   . '/var/www/web1/phpids/lib'
  );

  require_once 'IDS/Init.php';
  $request = array(
      'REQUEST' => $_REQUEST,
      'GET' => $_GET,
      'POST' => $_POST,
      'COOKIE' => $_COOKIE
  );
  $init = IDS_Init::init('/var/www/web1/phpids/lib/IDS/Config/Config.ini');
  $ids = new IDS_Monitor($request, $init);
  $result = $ids->run();

  if (!$result->isEmpty()) {
   // Take a look at the result object
   echo $result;
   require_once 'IDS/Log/File.php';
   require_once 'IDS/Log/Composite.php';

   $compositeLog = new IDS_Log_Composite();
   $compositeLog->addLogger(IDS_Log_File::getInstance($init));
   $compositeLog->execute($result);

   die('<h1>Go away!</h1>');
  }
?>

If there's no attack, the scripts are executed, but if PHPIDS finds an attack, it prevents the scripts from being executed and displays a message to the hackers:

4 Links

PHPIDS: http://php-ids.org

PHP: http://www.php.net

Apache: http://httpd.apache.org

New Version of OpenSUSE Released

noreply@blogger.com (Unknown) — Thu, 19 Jun 2008 13:36:00 +0000

OpenSUSE has released its latest version alias 11.0 today. This version will contain fresh innovations and new features. Some of them being the inclusion of KDE 4.04, marks a new theme installation, the latest Linux kernel (2.6.25.4) and a series of characteristics of OpenSUSE.

For a list of new features, read the release notes. And then go see screenshots of the installer to get an idea of how easy it is to be installed on your machine.

Set Up WebDAV With MySQL Authentication On Apache2

noreply@blogger.com (Unknown) — Tue, 17 Jun 2008 14:04:00 +0000

The guide explains how to set up WebDAV MySQL Authentication (using mod_auth_mysql) Apache2 on a server Debian Etch. WebDAV means Web-based Distributed Authoring and versioning and is a set of extensions to the HTTP protocol which allows users to edit files directly on the Apache server so they do not need to be downloaded or sent via FTP. Of course, WebDAV may also be used to send and download files.

1 Preliminary Note

I'm using a Debian Etch server with the hostname server1.example.com and the IP address 192.168.0.100 here.

2 Installing Apache2, WebDAV, MySQL, mod_auth_mysql

Unfortunately libapache2-mod-auth-mysql is available as a Debian package only for Debian Lenny (testing) and Sid (unstable), but not for Etch. Therefore we will install the libapache2-mod-auth-mysql package from Lenny. To do this, open /etc/apt/sources.list and add the line deb http://ftp2.de.debian.org/debian/ lenny main; your /etc/apt/sources.list could then look like this:

vi /etc/apt/sources.list

deb http://ftp2.de.debian.org/debian/ etch main
deb-src http://ftp2.de.debian.org/debian/ etch main

deb http://ftp2.de.debian.org/debian/ lenny main

deb http://security.debian.org/ etch/updates main contrib
deb-src http://security.debian.org/ etch/updates main contrib

Of course (in order not to mess up our system), we want to install packages from Lenny only if there's no appropriate package from Etch - if there are packages from Etch and Lenny, we want to install the one from Etch. To do this, we give packages from Etch a higher priority in /etc/apt/preferences:

vi /etc/apt/preferences

Package: *
Pin: release a=etch
Pin-Priority: 700

Package: *
Pin: release a=lenny
Pin-Priority: 650

(The terms etch and lenny refer to the appropriate terms in /etc/apt/sources.list; if you're using stable and testing there, you must use stable and testing instead of etch and lenny in /etc/apt/preferences as well.)

Afterwards, we update our packages database:

apt-get update

If you're getting an error like this:

Segmentation faultsts... 96%

or this one:

E: Dynamic MMap ran out of room

open /etc/apt/apt.conf and add a line for APT::Cache-Limit with a very high value, e.g. like this:

vi /etc/apt/apt.conf

APT::Cache-Limit "100000000";

Then run

apt-get update

again and upgrade the installed packages:

apt-get upgrade

(If you see any questions, you can accept the default values.)

To install Apache2, WebDAV, MySQL, and mod_auth_mysql, we run:

apt-get install apache2 mysql-server mysql-client libapache2-mod-auth-mysql

Create a password for the MySQL user root (replace yourrootsqlpassword with the password you want to use):

mysqladmin -u root password yourrootsqlpassword

Then check with

netstat -tap | grep mysql

on which addresses MySQL is listening. If the output looks like this:

tcp 0 0 localhost.localdo:mysql *:* LISTEN 2713/mysqld

which means MySQL is listening on localhost.localdomain only, then you're safe with the password you set before. But if the output looks like this:

tcp 0 0 *:mysql *:* LISTEN 2713/mysqld

you should set a MySQL password for your hostname, too, because otherwise anybody can access your database and modify data:

mysqladmin -h server1.example.com -u root password yourrootsqlpassword

Afterwards, enable the WebDAV and mod_auth_mysql modules:

a2enmod dav_fs

a2enmod dav

a2enmod auth_mysql

Reload Apache:

/etc/init.d/apache2 force-reload

3 Creating A Virtual Host

I will now create a default Apache vhost in the directory /var/www/web1/web. For this purpose, I will modify the default Apache vhost configuration in /etc/apache2/sites-available/default. If you already have a vhost for which you'd like to enable WebDAV, you must adjust this tutorial to your situation.

First, we create the directory /var/www/web1/web and make the Apache user (www-data) the owner of that directory:

mkdir -p /var/www/web1/web

chown www-data /var/www/web1/web

Then we back up the default Apache vhost configuration (/etc/apache2/sites-available/default) and create our own one:

mv /etc/apache2/sites-available/default /etc/apache2/sites-available/default_orig

vi /etc/apache2/sites-available/default

NameVirtualHost *
<VirtualHost *>
  ServerAdmin webmaster@localhost

  DocumentRoot /var/www/web1/web/
  <Directory /var/www/web1/web/>
          Options Indexes MultiViews
          AllowOverride None
          Order allow,deny
          allow from all
  </Directory>

</VirtualHost>

Then reload Apache:

/etc/init.d/apache2 reload

Unlock Encrypted Root Partition

noreply@blogger.com (Unknown) — Fri, 13 Jun 2008 14:34:00 +0000

Systems fully encrypted to prevent others from obtaining your data from physical access. The rational of an encryption system is that you do not worry about what you encrypt and what not, because everything (except for / boot), will be encrypted.

However, the problem I encountered so far, how could I restart my computer from a distance? I would be obliged to be in front of the computer and enter the password. I asked at this stage how I could restart the computer remotely.

On Debian Administrator then I found an article written by Wulf (Coulmann Wolfram), in which he creates an initrd with Dropbear light as ssh server and unlock a script. However, the script still has some bugs and is not suitable for Ubuntu. In comments There are some changes (in particular comment # 31 and # 29), which will also work on Ubuntu.

The Script

Well, here's the script: dropbear

#!/bin/bash
# We add dropbear to the initrd to be able
# mount crypted partitions from remote
# copyright Wulf Coulmann
# GNU GPL
# http://www.gnu.org/licenses/gpl.html
#
# Download me here: http://gpl.coulmann.de/dropbear
# get infos about this script here:
# http://gpl.coulmann.de/ssh_luks_unlock.html
# Modified by Anonymous 2008
# Modified By Geoffroy RABOUIN 26/05/2008
# Modified by hyper_ch 15/06/2008
### INSTRUCTIONS FOR UBUNTU ###
# 0. Enable root login
# 1. Install killall, busybox and dropbear:
#    ~# sudo apt-get install psmisc busybox dropbear
# 2. Edit network configuration below and copy contents
#    of this file to /etc/initramfs-tools/hooks/dropbear
# 3. Save the script and make it executable:
#    ~# sudo chmod +x /etc/initramfs-tools/hooks/dropbear
# 4. Create new initrd:
#    ~# sudo mkinitramfs -o /boot/netboot
# 5. Edit /boot/grub/menu.lst and add your new initrd as the first entry
# 6. Delete the dropbear script the hooks folder
#    ~# sudo rm /etc/initramfs-tools/hooks/dropbear
# 7. Profit!
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# load the prepared functions of debians initramfs enviroment
source /usr/share/initramfs-tools/hook-functions
# build the directories
DIRS='/lib /bin /usr/bin /usr/sbin/ /proc/ /root/.ssh/ /var/ /var/run/ /etc/dropbear/'
for now in $DIRS ; do
if [ ! -e ${DESTDIR}$now ]
then
mkdir -p ${DESTDIR}$now
fi
done
# copy the ssh-daemon and librarys
copy_exec /usr/sbin/dropbear /usr/sbin/
copy_exec /usr/bin/passwd /usr/bin/
copy_exec /bin/login /bin/
copy_exec /usr/bin/killall /usr/bin/
copy_exec /sbin/route /sbin/
copy_exec /usr/bin/awk /usr/bin/
#copy_exec /usr/bin/strace /usr/bin/
#copy_exec /bin/nc /bin/
copy_exec /usr/bin/wc /usr/bin/
# some librarys are not autoincluded by copy_exec
copy_exec /lib/libnss_compat.so.2 /lib/
copy_exec /usr/lib/libz.so.1 /usr/lib/
copy_exec /etc/ld.so.cache /etc/
copy_exec /lib/libutil.so.1 /lib/
# we copy config and key files
cp -pr /etc/dropbear/dropbear_dss_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/dropbear/dropbear_rsa_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/passwd ${DESTDIR}/etc/
cp -pr /etc/shadow ${DESTDIR}/etc/
cp -pr /etc/group ${DESTDIR}/etc/
if [ -e /root/.ssh/authorized_keys ]
then
cp -pr /root/.ssh/authorized_keys ${DESTDIR}/root/.ssh/
fi
cp -pr /etc/nsswitch.conf ${DESTDIR}/etc/
cp -pr /etc/localtime ${DESTDIR}/etc/
cp -pr /lib/tls ${DESTDIR}/lib/
# we don't have bash in our initrd
# also we only add the root account
cat /etc/passwd | grep root | sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd
cat /etc/shadow | grep root > ${DESTDIR}/etc/shadow
cat /etc/group | grep root > ${DESTDIR}/etc/group
cat >${DESTDIR}/scripts/local-top/network_ssh << 'EOF'
#!/bin/sh
# we start the network and ssh-server
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# build up helpful environment
[ -d /dev ] || mkdir -m 0755 /dev
[ -d /root ] || mkdir --mode=0700 /root
[ -d /tmp ] || mkdir /tmp
[ -d /sys ] || {
mkdir /sys
mount -t sysfs -o nodev,noexec,nosuid none /sys
}
[ -d /proc ] || {
mkdir /proc
mount -t proc -o nodev,noexec,nosuid none /proc
}
mkdir -p /var/lock
mkdir -p /var/log
touch /var/log/lastlog
mkdir /dev/pts
mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts
/bin/sleep 5
################# CHANGE THE LINES BELOW #################
# The network setup: edit ip address and gateway to match your needs
ifconfig eth0 172.16.2.128 netmask 255.255.255.0
route add default gw 172.16.2.2
################# CHANGE THE LINES ABOVE #################
# display the network settings for double check
ifconfig
# If you like to use dhcp make sure you include dhclient or pump in
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /sbin/dhclient
# for debugging ssh-server you may run it in forgound
# /usr/sbin/dropbear -E -F
# for more debugging you may run it with strace
# therfor you have to include strace and nc at top of
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /usr/bin/strace
# copy_exec /usr/bin/nc
# then start nc on an other host and run
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv <ip of="" other="" host=""> <nc port="" of="" other="" host="">
# e.g.:
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv 192.168.1.2 8888
# We will use /dev/urandom because /dev/random gets easily blocked
mv /dev/random /dev/random.old
ln -s /dev/urandom /dev/random
# /usr/sbin/dropbear -E -F -b /etc/dropbear/banner -d /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_rsa_host_key -p 22
/usr/sbin/dropbear -b /etc/dropbear/banner -d /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_rsa_host_key -p 22
#ls -al
rm -f /dev/random
mv /dev/random.old /dev/random
EOF
chmod 700 ${DESTDIR}/scripts/local-top/network_ssh
cat >${DESTDIR}/etc/dropbear/banner << 'EOF'
To unlock root-partition run
unlock
EOF
# script to unlock luks via ssh
# dirty but effektive
cat >${DESTDIR}/usr/bin/unlock << 'EOF'
#!/bin/sh
/bin/sh /scripts/local-top/cryptroot
# Kill processes locking boot process
[ `ls /dev/mapper/ | grep -v control| wc -l | awk '{print $1}'` -gt 0 ] && {
for i in `ps | grep -E "cryptroot|cryptsetup" | awk '{ print $1 }'`
do
kill $i
done
}
/bin/sh /scripts/local-bottom/rm_dropbear
EOF
chmod 700 ${DESTDIR}/usr/bin/unlock
# make sure we exit dropbear at the end of the startup process
cat >${DESTDIR}/scripts/local-bottom/rm_dropbear << 'EOF'
#!/bin/sh
PREREQ=""
prereqs()
{
echo ""
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# we kill dropbear ssh-server
/usr/bin/killall dropbear
EOF
chmod 700 ${DESTDIR}/scripts/local-bottom/rm_dropbear

Step 0: Enable root login

First, you have to enable the root account.

sudo passwd root

The reason why I say that root must be enabled is, because I couldn't work out how to get the whole sudo permission stuff into the initrd. I'm sure there must be a way and if someone is willing to take up the challenge, please go ahead. However you can enable root login only during the creation of the initrd. Once it's created then the according stuff is saved in there and you can remove root login from the actual installation again. The root login is only required to log into dropbear and then run the unlock script. It's not used for anything else.

Step 1: Install required packages

Install those packages:

sudo apt-get install psmisc busybox dropbear

Step 2: Configure network

In the script change the network configuration to your needs. I have sofar only used static ips. The script itself provides also option for dhcp - however I did not try those.

################# CHANGE THE LINES BELOW #################
# The network setup: edit ip address and gateway to match your needs
ifconfig eth0 172.16.2.128 netmask 255.255.255.0
route add default gw 172.16.2.2
################# CHANGE THE LINES ABOVE #################

The above settings are just the values from my vmware machine on where I tested it.

Step 3: Save the script and make it executable:

Save the altered script to [I]/etc/initramfs-tools/hooks/dropbear[/I] and make it then executable:

sudo chmod +x /etc/initramfs-tools/hooks/dropbear

Step 4: Create new initrd

Run this command to create a new initrd with the name of "netboot". Of course you can rename "netboot" to anything you like.

sudo mkinitramfs -o /boot/netboot

Step 5: Edit /boot/grub/menu.lst and add your new initrd as the first entry

Now you have to edit grub's menu list to add the new init.rd.

Run:

sudo nano /boot/grub/menu.lst

to edit the menu.lst in nano.

Go to the end (or almost) and copy an existing kernel entry e.g.

title           Ubuntu 8.04.1, kernel 2.6.24-19-generic
root            (hd0,1)
kernel          /vmlinuz-2.6.24-19-generic root=/dev/mapper/sda4_crypt ro quiet splash
initrd          /initrd.img-2.6.24-19-generic

Change it to something like:

title           Netboot
root            (hd0,1)
kernel          /vmlinuz-2.6.24-19-generic root=/dev/mapper/sda4_crypt ro quiet splash
initrd          /netboot

Don't copy my example directly but use yours. That way the root hd entry and the mapper name are correct.

Finally, at the top of the menu.lst also change the default boot entry accordingly. If you have 7 kernel entries, then you will put a "6" there because it starts with 0 and you add the netboot one at the bottom.

Step 6: Delete the dropbear script in the hooks folder

When I tried it on my machine, after a kernel upgrade there were some problems (which may have resulted from my earlier tries with a buggy script). Just to make sure, delete the dropbear script from the folder.

sudo rm /etc/initramfs-tools/hooks/dropbear

Step 7: Profit!

That's it... it should be working now.

A few things to mention

- Well, in the script I currently call a ifconfig after the network configuration. I did that for bugtracing. You can of course delete that from the script.

- After you have now created the netboot initrd you can either change the root password again or disable root login. As the initrd is not encrypted it is possible to get the hash of the root password and so you want to use a different one from remote unlocking the crypto drives. I highly recommend changing the password or disabling root login in the actual machine.

Change root password

sudo passwd root

or delete the root password (disable root)

sudo passwd -l root

- Although the system is fully encrypted, there are still two possible attacks left to gain access to the data:

(1) ColdBoot Attack by reading the crypto password from the ram blocks (not much you can't do against that without special hardware, see here)

(2) The created initrd can be manipulated so that it logs the crypto password somewhere. As /boot is not encrypted an attacker may gain this way the password for the LUKS-devices. You could, to prevent that, make a bootable cd with the according kernels and initrds and implement some kind of hash check... maybe there are other methods... feedback is welcomed here.

- Most of this tutorial is not from me, just a few adapations and explanations. So thanks goes to Wolfram Coulmann and the others who modified the original script.

New Opera Web Browser Released ver 0.95

noreply@blogger.com (Unknown) — Fri, 13 Jun 2008 09:23:00 +0000

Opera has released another version of its flagship Web browser with the same name. It comes with unique features, many of which are not yet available on other browsers of the box.

I have always found using Opera to be a pleasant experience. Some new features offered by Opera are as follows:

Opera Link: For the first time ever, all your bookmarks, speed dialing and notes taken in Opera Web browser will follow you everywhere around you. You can even access from your mobile phone. The catch is that you must use a Web browser Opera. Opera offers space on their server to store your bookmarks and other parameters which makes it possible.
Quick Search: Opera monitors not only Web addresses you visit, but also the words of pages you've visited. So if you do not remember the address but do not forget a word about the Web page by typing in the address bar will allow you to zero on the web page accurate.
Better protection against fraud.
A clear skin.

Opera has also claimed --
-- It’s faster, lighter and pushes us further out in front of other browsers,
-- by blending the mobile and desktop worlds together in new
-- and powerful ways.

But let the end-users who decide. Why not visit the opera and download the latest version 9.5 and take it for a spin? For all you know, you might get hooked on another fabulous Web browser.

Apache : Reduce Log File Disk Usage

noreply@blogger.com (Unknown) — Thu, 12 Jun 2008 15:36:00 +0000

Slowly, I saw my hard drive use more and more space, I knew it was the log files which are growing more and much more. I discovered that the Apache log files were the worst, it was about 1 GB of space used in 3 months.

So I decided to make a bash script, which compresses the Apache log files every month.

The script can be altered to your needs:

#!/bin/bash

MONTH="$((`date +%m`-1))"
YEAR=$(date +"%Y")

cd /var/www/

for f in $(ls /var/www | grep web); do
cd /var/www/$f/log
if [ -a $YEAR ];
then
cd $YEAR
  if [ -a 0$MONTH ];
    then
     tar -zcvf 0$MONTH.tar.gz 0$MONTH
     rm -rf /var/www/$f/log/$YEAR/0$MONTH
  fi
fi
done

Then you run this script in your crontab the first day of each month:

05 03 1 * * sh /root/logclean.sh

Guide : Whitelist Hosts In Postfix

noreply@blogger.com (Unknown) — Tue, 10 Jun 2008 18:36:00 +0000

If you run a mail server and use blacklists to block spam, you probably know this problem from time to time your customers complain they can not receive e-mails from certain freemailers. Most often this occurs because a freemailer has been abused to send spam and thus obtained a blacklist. This little guide shows you how such a whitelist Postfix mail server to make your customers happy.
I'm not issue any guarantee that it works for you!

If a blacklisted server tries to send mail to your server, you should find something like this in your mail log:

SMTP error from remote mail server after RCPT TO:<bla@example.com>: host mail.example.com [4.3.2.1]: 554 5.7.1 Service unavailable; Client host [1.2.3.4] blocked using dnsbl.sorbs.net; Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?1.2.3.4

In this example, the mail server 1.2.3.4 is blacklisted and therefore blocked.

To whitelist that server, create the file /etc/postfix/rbl_override where you list all IP addresses or host names (one per line!) that you want to whitelist:

vi /etc/postfix/rbl_override1.2.3.4 OK

1.2.3.5 OK
mail.freemailer.tld OK

After you've created/modified that file, you must runpostmap /etc/postfix/rbl_override

Next open /etc/postfix/main.cf and search for the smtpd_recipient_restrictions parameter. Add check_client_access hash:/etc/postfix/rbl_override to that parameter, after reject_unauth_destination, but before the first blacklist.

So if smtpd_recipient_restrictions looks like this now...

vi /etc/postfix/main.cf

[...]
smtpd_recipient_restrictions = reject_invalid_hostname,
   reject_unauth_pipelining,
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   reject_rbl_client multi.uribl.com,
   reject_rbl_client dsn.rfc-ignorant.org,
   reject_rbl_client dul.dnsbl.sorbs.net,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client sbl-xbl.spamhaus.org,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client dnsbl.sorbs.net,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client ix.dnsbl.manitu.net,
   reject_rbl_client combined.rbl.msrbl.net,
   reject_rbl_client rabl.nuclearelephant.com,
   permit
[...]

... modify it so that it looks as follows:

[...]
smtpd_recipient_restrictions = reject_invalid_hostname,
   reject_unauth_pipelining,
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_client_access hash:/etc/postfix/rbl_override,
   reject_rbl_client multi.uribl.com,
   reject_rbl_client dsn.rfc-ignorant.org,
   reject_rbl_client dul.dnsbl.sorbs.net,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client sbl-xbl.spamhaus.org,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client dnsbl.sorbs.net,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client ix.dnsbl.manitu.net,
   reject_rbl_client combined.rbl.msrbl.net,
   reject_rbl_client rabl.nuclearelephant.com,
   permit
[...]

That's it! Restart Postfix, and you're done:

/etc/init.d/postfix restart

Guide : Fix MySQL Replication

noreply@blogger.com (Unknown) — Tue, 10 Jun 2008 18:12:00 +0000

If you set up replication MySQL, you probably know this problem: there are sometimes complaints that cause invalid MySQL replication does not work. In this small guide I explain how you can repair on the MySQL slave replication without the need to establish from scratch.

I'm not issue any guarantee that it works for you!

1 Identifying The Problem

To find out whether replication is/is not working and what has caused to stop it, you can take a look at the logs. On Debian, for example, MySQL logs to /var/log/syslog:

grep mysql /var/log/syslog

server1:/home/admin# grep mysql /var/log/syslog

May 29 09:56:08 http2 mysqld[1380]: 080529 9:56:08 [ERROR] Slave: Error 'Table 'mydb.taggregate_temp_1212047760' doesn't exist' on query. Default database: 'mydb'. Query: 'UPDATE thread AS thread,taggregate_temp_1212047760 AS aggregate

May 29 09:56:08 http2 mysqld[1380]: ^ISET thread.views = thread.views + aggregate.views

May 29 09:56:08 http2 mysqld[1380]: ^IWHERE thread.threadid = aggregate.threadid', Error_code: 1146

May 29 09:56:08 http2 mysqld[1380]: 080529 9:56:08 [ERROR] Error running query, slave SQL thread aborted. Fix the problem, and restart the slave SQL thread with "SLAVE START". We stopped at log 'mysql-bin.001079' position 203015142

server1:/home/admin#

You can see what query caused the error, and at what log position the replication stopped.

To verify that the replication is really not working, log in to MySQL:

mysql -u root -p

On the MySQL shell, run:

mysql> SHOW SLAVE STATUS \G

If one of Slave_IO_Running or Slave_SQL_Running is set to No, then the replication is broken:

mysql> SHOW SLAVE STATUS \G

*************************** 1. row ***************************

Slave_IO_State: Waiting for master to send event

Master_Host: 1.2.3.4

Master_User: slave_user

Master_Port: 3306

Connect_Retry: 60

Master_Log_File: mysql-bin.001079

Read_Master_Log_Pos: 269214454

Relay_Log_File: slave-relay.000130

Relay_Log_Pos: 100125935

Relay_Master_Log_File: mysql-bin.001079

Slave_IO_Running: Yes

Slave_SQL_Running: No

Replicate_Do_DB: mydb

Replicate_Ignore_DB:

Replicate_Do_Table:

Replicate_Ignore_Table:

Replicate_Wild_Do_Table:

Replicate_Wild_Ignore_Table:

Last_Errno: 1146

Last_Error: Error 'Table 'mydb.taggregate_temp_1212047760' doesn't exist' on query. Default database: 'mydb'.
Query: 'UPDATE thread AS thread,taggregate_temp_1212047760 AS aggregate

SET thread.views = thread.views + aggregate.views

WHERE thread.threadid = aggregate.threadid'

Skip_Counter: 0

Exec_Master_Log_Pos: 203015142

Relay_Log_Space: 166325247

Until_Condition: None

Until_Log_File:

Until_Log_Pos: 0

Master_SSL_Allowed: No

Master_SSL_CA_File:

Master_SSL_CA_Path:

Master_SSL_Cert:

Master_SSL_Cipher:

Master_SSL_Key:

Seconds_Behind_Master: NULL

1 row in set (0.00 sec)

mysql>

2 Repairing The Replication

Just to go sure, we stop the slave:

mysql> STOP SLAVE;

Fixing the problem is actually quite easy. We tell the slave to simply skip the invalid SQL query:

mysql> SET GLOBAL SQL_SLAVE_SKIP_COUNTER = 1;

This tells the slave to skip one query (which is the invalid one that caused the replication to stop). If you'd like to skip two queries, you'd use SET GLOBAL SQL_SLAVE_SKIP_COUNTER = 2; instead and so on.

That's it already. Now we can start the slave again...

mysql> START SLAVE;

... and check if replication is working again:

mysql> SHOW SLAVE STATUS \G

mysql> SHOW SLAVE STATUS \G

*************************** 1. row ***************************

Slave_IO_State: Waiting for master to send event

Master_Host: 1.2.3.4

Master_User: slave_user

Master_Port: 3306

Connect_Retry: 60

Master_Log_File: mysql-bin.001079

Read_Master_Log_Pos: 447560366

Relay_Log_File: slave-relay.000130

Relay_Log_Pos: 225644062

Relay_Master_Log_File: mysql-bin.001079

Slave_IO_Running: Yes

Slave_SQL_Running: Yes

Replicate_Do_DB: mydb

Replicate_Ignore_DB:

Replicate_Do_Table:

Replicate_Ignore_Table:

Replicate_Wild_Do_Table:

Replicate_Wild_Ignore_Table:

Last_Errno: 0

Last_Error:

Skip_Counter: 0

Exec_Master_Log_Pos: 447560366

Relay_Log_Space: 225644062

Until_Condition: None

Until_Log_File:

Until_Log_Pos: 0

Master_SSL_Allowed: No

Master_SSL_CA_File:

Master_SSL_CA_Path:

Master_SSL_Cert:

Master_SSL_Cipher:

Master_SSL_Key:

Seconds_Behind_Master: 0

1 row in set (0.00 sec)

mysql>

As you see, both Slave_IO_Running and Slave_SQL_Running are set to Yes now.

Now leave the MySQL shell...

mysql> quit;

... and check the log again:

grep mysql /var/log/syslog

The last line says that replication has started again, and if you see no errors after that line, everything is ok.

Using Mono To Set Up A Shockvoice Server

noreply@blogger.com (Unknown) — Mon, 09 Jun 2008 16:05:00 +0000

It is a step-by-step instructions on how to install Shockvoice on a Linux machine. Shockvoice is a voice-over-IP communication tool. This tool is slightly different in its characteristics. It is simply a code in C # and, therefore, works on almost any platform of interest, whether Windows, Unix, Macintosh or Solaris. The customer will only be available for Windows at first.

First you need the latest version. NET interpreter for

http://www.go-mono.com/mono-downloads/download.html

If your system is not listed you can download a complete binary package
which can be found here:

http://www.mono-project.com/Other_Downloads

In our case we will install Mono by using the packaged installer from
this source:

wget
http://ftp.novell.com/pub/mono/archive/1.9.1/linux-installer/2/mono-1.9.1_2-installer.bin

Make it executable:

chmod +x mono-1.9.1_2-installer.bin

... and run it:

./mono-1.9.1_2-installer.bin

Follow the instructions on the screen. In our case we will install the
binary to /opt. Once
Mono is installed we need to get the latest server version of
Shockvoice. Download the latest version from the Shockvoice
downloadserver:

http://www.shockvoice.net/downloads.php

In our case we will download the Linux Server_v0.8.0pre2

Create the directory where you want to install Shockvoice.

mkdir -p /usr/share/shockvoice

Download the package:

wget
ftp://ftp.shockvoice.org/shockvoice/0.8.x/svserver-0.8.0pre2-linux.tar.gz

Unpack the package into the newly created directory:

tar -C /usr/share/shockvoice -xvzf
svserver-0.8.0pre2-linux.tar.gz

Before we will run the install.sh script, we have to choose our database type.
In this example
we choose MySQL as our favorite database. We have to do
some stuff before that.
If you want to use Sqlite as your favorite database you can have to use the
shockvoice.s3db file as
your database. Now set up the MySQL part.

Create the database:

mysql -uroot -p create shockvoice

Now import the tables to the database.

mysql -uroot -p shockvoice <
/usr/share/shockvoice.mysql.sql

Now we need to create a database user (we will name him svuser) and
grant him permissions to use the shockvoice database.

mysql -uroot -p

Enter Password:

GRANT USAGE ON shockvoice.* TO
svuser@localhost
IDENTIFIED BY '<yourpassword>';

GRANT ALL ON shockvoice.* TO
svuser@localhost IDENTIFIED
BY "<yourpassword>";

FLUSH PRIVILEGES;

Change to the directory and start the install.sh
script.

cd /usr/share/shockvoice
&& ./install.sh

Follow the instructions on the screen.

This script will create and configure the service_start, service_stop
and the config.xml file. It will try to locate the necessary files from your Mono installation. Please make sure you have mono installed before running this script.

Continue? (y/n) y

Do you have unpacked Shockvoice in /usr/share/shockvoice? (y/n) y

Do you want to create the service_start and service_stop file?
(recommend) (y/n) y

searching for mono...

Found mono binary in /opt/mono-1.9/bin/mono .. good

searching for mono-service.exe...

Found mono-service.exe binary in
/opt/mono-1.9/lib/mono/gac/mono-service/2.0.0.0__0738eb9f132ed756/mono-service.exe
.. good

Creating startscript

Creating stopscript

Do you want to create the config.xml file? (y/n) y

Creating config.xml

Please enter type of database you want to use. (e.g. sqlite, mysql or
postgres)

mysql

Please enter server which stores the database Shockvoice. (e.g.
shockvoice.s3db for sqlite or localhost for mysql)

localhost

Please enter name of the database. (leave empty for sqlite)

shockvoice

Please enter username who connects to the database. (leave empty for
sqlite)

svuser

Please enter password for database user. (leave empty for sqlite)

<yourpassword>

Database type: mysql

Database server: localhost

Database name: shockvoice

Database user: svuser

Database password: <yourpassword>

Is this Correct? (y/n) y

Remember to setup the MySql database and User!

Configfile created!

Note: If you get an error like '==:
unexpected operator' try changing the first line of the install.sh
script to

#!/bin/bash

The next thing we have
to do is to copy the libMonoPosixHelper.so
and libsvcodec.so to a
location where Mono will find them. e.g. /usr/lib:

cp libMonoPosixHelper.so libsvcodec.so
/usr/lib

That's it. Now start the server with:

./service_start

Fedora : mod_geoip For Apache2

noreply@blogger.com (Unknown) — Sun, 08 Jun 2008 12:35:00 +0000

The guide explains how to set up mod_geoip with Apache2 on a Fedora 9. mod_geoip looks up at the client IP address end-user. This allows you to redirect or prevent users based on their country. You can also use this technology for your Openx (formerly known as OpenAds or phpAdsNew) ad server to allow geographical targeting.

I'm not issue any guarantee that it works for you!

1 Preliminary Note

I'm assuming that you have a running Fedora 9 system with a working Apache2 + PHP

2 Installing mod_geoip

To install mod_geoip, we simply run:

yum install mod_geoip

You will then find the GeoIP database (GeoIP.dat) in the /usr/share/GeoIP directory. As the geographic allocation of IP addresses can change over time, it's a good idea to download the newest GeoIP.dat now:

cd /usr/share/GeoIP/

mv GeoIP.dat GeoIP.dat_orig

wget http://www.maxmind.com/download/geoip/database/GeoIP.dat.gz

gunzip GeoIP.dat.gz

Next we restart Apache:

/etc/init.d/httpd restart

That's it already!

3 A Short Test

To see if mod_geoip is working correctly, we can create a small PHP file in one of our web spaces (e.g. /var/www/html):

vi /var/www/html/geoiptest.php

<?php
print_r($_SERVER);
?>

Call that file in a browser, and it should display the SERVER array including values for GEOIP_COUNTRY_CODE, GEOIP_CONTINENT_CODE, and GEOIP_COUNTRY_NAME (make sure that you're calling the file from a public IP address, not a local one).

Array

(

[GEOIP_CONTINENT_CODE] => EU

[GEOIP_COUNTRY_CODE] => DE

[GEOIP_COUNTRY_NAME] => Germany

[HTTP_HOST] => 84.143.142.69

[HTTP_USER_AGENT] => Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14

[HTTP_ACCEPT] => text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

[HTTP_ACCEPT_LANGUAGE] => en-us,en;q=0.5

[HTTP_ACCEPT_ENCODING] => gzip,deflate

[HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7

[HTTP_KEEP_ALIVE] => 300

[HTTP_CONNECTION] => keep-alive

[PATH] => /sbin:/usr/sbin:/bin:/usr/bin

[SERVER_SIGNATURE] => <address>Apache/2.2.8 (Fedora) Server at 84.143.142.69 Port 80</address>

[SERVER_SOFTWARE] => Apache/2.2.8 (Fedora)

[SERVER_NAME] => 84.143.142.69

[SERVER_ADDR] => 192.168.0.100

[SERVER_PORT] => 80

[REMOTE_ADDR] => 84.143.142.69

[DOCUMENT_ROOT] => /var/www/html

[SERVER_ADMIN] => root@localhost

[SCRIPT_FILENAME] => /var/www/html/geoiptest.php

[REMOTE_PORT] => 57421

[GATEWAY_INTERFACE] => CGI/1.1

[SERVER_PROTOCOL] => HTTP/1.1

[REQUEST_METHOD] => GET

[QUERY_STRING] =>

[REQUEST_URI] => /geoiptest.php

[SCRIPT_NAME] => /geoiptest.php

[PHP_SELF] => /geoiptest.php

[REQUEST_TIME] => 1211819286

)

If you want to use Apache2 + mod_geoip for your OpenX ad server, make sure you select MaxMind mod_apache GeoIP under Settings > Main Settings > Geotargeting Settings:

4 Use Cases

You can use mod_geoip to redirect or block/allow users based on their country. You can find some useful examples for this here: http://www.maxmind.com/app/mod_geoip

5 Links

mod_geoip: http://www.maxmind.com/app/mod_geoip

Apache: http://httpd.apache.org

Fedora: http://fedoraproject.org

Trick: Fedora 9 "Sulphur" - The Perfect Server

noreply@blogger.com (Unknown) — Fri, 06 Jun 2008 02:23:00 +0000

It is a detailed description on how to set up a server Fedora 9, which offers all services needed by ISPs and hosters: Apache web server (SSL compatible) with PHP5 and Ruby, server Postfix mail with SMTP AUTH and TLS, BIND DNS server, Proftpd FTP server, MySQL, dovecote POP3/IMAP, Quota, Firewall, etc. This tutorial is written for 32-bit version of Fedora 9, but should apply to 64-bit version with very few changes.

I'll use the following software:

* Web Server: Apache 2.2.8
* PHP 5.2.5
* Ruby
* Server database: MySQL 5.0.51
* Mail Server: Postfix
* DNS: BIND9 (chroot)
* FTP server: proftpd
* POP3/IMAP server: dovecote
* Webalizer statistics for website

In the end, you should have a system that works reliably, and if you want, you can install free control panel hosting ISPConfig (ie, ISPConfig runs on it out of the box).

Read more at Howtoforge.com

Tip: Anatomy of "SELinux" or Security-Enhanced Linux

noreply@blogger.com (Unknown) — Fri, 06 Jun 2008 01:32:00 +0000

Linux ® has been described as one of the most secure operating systems available, but the National Security Agency (NSA) took Linux to the next level with the introduction of Security-Enhanced Linux (SELinux). SELinux takes the GNU / Linux operating system and extends it with a kernel and user space, changes to make bullet-proof. If you use a 2.6 kernel today, you might be surprised to know that you are using SELinux now! This article explores the ideas behind SELinux and how it is implemented.

The public networks like the Internet are dangerous places. Anyone who has a computer connected to the Internet (even temporarily) understands these dangers. Hackers can exploit the insecurity to access a system, to obtain unauthorized access to information, repurpose or a computer to send spam or participate in attacks on other high-profile systems ( using the SYN flood, as part of a Distributed Denial of Service attacks).

Read more at IBM.com

Book Review of "C++ GUI Programming with Qt4"

noreply@blogger.com (Unknown) — Wed, 04 Jun 2008 19:13:00 +0000

Qt is a multi application development platform that is widely used for the development of a GUI and non-GUI programs. Among the most visible products that were developed using Qt are KDE, the Opera Web browser, Google Earth, Skype and Photoshop Elements to name a few. Some of the reasons relevant to the use of Qt are --

Library Qt is published under a dual licensing business model means that you can develop open source or source applications closed. If you develop the first case, then you do not have to pay money for the use of the library.

Two: It is truly multi platform - which filter through the fact that you can write code for your application in a platform - say Linux, then copy the code for Windows and recompile the code, without making any changes and that your application is guaranteed to run on Windows.

Three: Mobile phone giant Nokia's recent acquisition of Trolltech certainly has infused fresh energy and magnitude in the future Qt The latest version of Qt namely version 4.3 has many improvements that make the development of GUI applications using this library for a joy for most C + + programmers.

"C + + GUI Programming with Qt4" from Jasmin Blanchette and Mark Summerfield, published in the Prentice Hall Open source software development series is in its second edition. This book is presented as the "official book of Trolltech Qt."

The main objective of this book is to learn to write programs using graphical interface Qt4 and addresses the entry-level and advanced C + + programmer. Thus, he started on a curve, hand holding the reader of the first rudimentary steps in preparing a simple C + + GUI Qt4 program using. And on chapters gradually up steam and providing readers with complex scenarios such as creating plugins, 3D graphics, application script and more. Through the book, I did not feel like I've been studying a framework rather I found the language used to explain things quite lucid, clear and interesting nonetheless.

The book is divided into three parts. A new programmer in Qt find the first part really useful, as it covers the basic concepts and practices necessary for programming in Qt The second and third part of this book comprises 12 chapters and 7 respectively specialized subjects and can be read in any order. For example, if I want to build a GUI program that needs to connect to a database at the back, so I can immediately read chapter 13: "Databases", this book provided I am aware of Part I of this book covers the basics of programming in Qt 4.

The second edition of this book is based on the first edition and contains many changes. On the one hand, a couple of new chapters have been included as "Look and Feel Personalize" and "Application Scripting." The book has been thoroughly revised to include changes incorporated in Qt 4.2 and 4.3 qt The original "Graphics" chapter has been divided into 2D and 3D graphics chapters respectively. The small chapter on Embedded programming has been expanded to include programming in Qtopia, which makes it not smaller.

What I really liked this book is realistic examples which are used to introduce each Qt control or concept. There are many images scattered inside, impart visual appeal to the pound. Moreover, these images will hopefully give the reader an idea on how to design their software.

Through this book, I find that the authors have explained the different scenarios of development programmes in Qt 4 overwhelming exhaustively, without a player. Each program is divided into digestible pieces of code with detailed explanation succeed. It is therefore very easy to understand what each line of code is doing.

The appendices contain a new section namely "Introduction to Qt Jambi." Qt Jambi is publishing Java application Qt development framework. Beyond that, there are of course other sections in the annex to the Qt installation, construction applications Qt and concise an article listing the main nuances of programming in C + + to Java and C # programmers.

One thing I noticed is that the hard book, I received did not have a CD containing the Qt library, and FDI used for the design of your applications. Then again, you can always visit the Trolltech and obtain library Qt 4.3 and applications which is available for free download. Even better, if you develop your Qt applications on Linux, it is very easy to install all necessary libraries based on the Linux distribution you use.

On the whole, this is a great book not only for any newcomer in Qt but also for the programmer made Qt to use as a reference.

Book Specifications
Name : C++ GUI Programming with Qt4 - Second edition
ISBN No : 0-13-235416-0
Authors : Jasmin Blanchette & Mark Summerfield
No of pages : 720
Publisher : Prentice Hall
Price : $ 59.99 (US), $ 65.99 (Canada)
Rating : 9/10

High Performance XEN On Ubuntu 8.04

noreply@blogger.com (Unknown) — Wed, 04 Jun 2008 12:01:00 +0000

This tutorial provides step-by-step instructions on how to install XEN on a Ubuntu 8.04 Server System amd64 without compromising on the disk I / O and network bandwidth. You can find all software used in the Ubuntu repositories, so no external files or source of compilation are needed.

Xen is an open-source para-virtualization virtual machine monitor (WWW), or "hypervisor", for the x86 processor architecture. Xen can run safely several VMs on a single physical system with near-Native Performance. Xen allows corporate quality functions, including:

- Virtual Machines with performance relatives of equipment.

- Live migration management VMs between physical hosts.

- Up to 32 virtual processors by guest virtual machine, with VCPU hotplug.

- x86/32, x86/32 with EAP, and x86/64 platform support.

- The virtualization technology Intel (VT-x) for unmodified guest operating systems (Microsoft Windows).

- The virtualization technology AMD (aka Pacifica SVM) on strengthening AM2 and F Opterons (2006H2)

- Excellent support equipment (supports almost all Linux device drivers).

1. Partition And Primary OS Installation

I will use Ubuntu Hardy Heron (x86_64) for the two host OS (dom0) and customers operating systems (Domu). Before that, you must have a ready target system partitions as in the following example:

For example, we have 120 gigabytes of disk space and we want to use 2 guest operating systems on:

- Take as the minimum required for host operating system (dom0), say 10-12GB => to create the first partition accordingly.

- We will divide the rest of the free space in 2 partitions, each for 2 guest OS (Domu) => to create the next two partitions accordingly.

Install Ubuntu Hardy Heron (x86_64) Server Edition (http://www.ubuntu.com/products/whatisubuntu/serveredition) on the first score. Then, on this we will install Xen things and use what OS host (dom0). As a best practice, dom0 should not be used for any purpose in production, except for the control guest OS. While select "ssh" in the selection of packages during the OS installation.

After the OS installation the first job is to update/upgrade the OS. Login to the system as root and type following commands:

# apt-get update

# apt-get upgrade

2. Host OS And Xen Installation

To install Xen and all needed dependencies, all we have to do is run the following command:

# apt-get install ubuntu-xen-server

The ubuntu-xen-server package installs the Ubuntu kernel 2.6.24-17-xen and other dependent xen packages.

Also upgrade the vi editor as follows:

# apt-get install vim

We also need to add the loop module to the kernel every time we boot our system, so we edit /etc/modules. If you already have a loop line in there, make it look like this, otherwise add it at the bottom of the file:

# vi /etc/modules

loop max_loop=64

That's all. Now reboot the system. And after the reboot check the OS and xen service as follows:

# uname -a

# xm list

3 Creating Filesystem For Guest OS (domU)

For the creation of domU we will be using "debootstrap". Here we will be using direct physical disk partitions and no filesystem images for better disk I/O for the guest OS. So format the partition for your filesystem choice. If you are interested in the xfs filesystem then you must install the "xfsprogs" package on dom0 like this:

# apt-get install xfsprogs

class

To create a filesystem on the second partition we use the following command:

If you are choosing ext3 then:

# mkfs.ext3 /dev/sda2

If you are choosing xfs then:

# mkfs.xfs /dev/sda2

Post creation of filesystem in target partition mount it to /mnt:

# mount /dev/sda2 /mnt

4. Installing The Guest OS

Install the base OS stuff in /mnt using "debootstrap":

# debootstrap --arch amd64 hardy /mnt http://archive.ubuntu.com/ubuntu

This is going to take sometime depending on your Internet connection speed.

Once done, prepare the chroot environment for /mnt:

# mount --bind /dev /mnt/dev

# mount proc /mnt/proc -t proc

# chroot /mnt /bin/bash

Open another terminal and copy a couple of files from dom0 to /mnt's respective folder:

# cp /etc/resolv.conf /mnt/etc/resolv.conf

# cp /etc/network/interface /mnt/network/interface

# cp /etc/apt/source.list /mnt/etc/apt/sources.list

# cp -R /lib/modules/2.6.24-17-xen/* /mnt/lib/modules/2.6.24-17-xen/

(If the respective folder is not present, then please create it before copying.)

Now again from the domU chroot environment use the following commands:

# apt-get update

# apt-get upgrade

# apt-get install vim ssh

If you are using the xfs filesystem then also install xfsprogs as follows:

# apt-get install xfsprogs

Update /etc/fstab as follows:

If you are using the ext3 filesystem then:

/dev/hda1 / ext3 defaults 1 2

If you are using the xfs filesystem then:

/dev/hda1 / xfs defaults 1 2

This is the minimal setup of the domU environment. Not set the root password as:

# passwd

It's going to prompt you for root's password, so provide some secret for it.

Now exit from the chroot environment:

# exit

Now umount all partitions:

# umount /mnt/dev /mnt/proc /mnt

5. Creation Of Xen Config File

Now create the first guest OS's xen config file named domu1.cfg in the /etc/xen/ folder like this:

vi /etc/xen/domu1.cfg

kernel = '/boot/vmlinuz-2.6.24-17-xen'
ramdisk = '/boot/initrd.img-2.6.24-17-xen'
memory = '512'
#
# Disk device(s).
#
root = '/dev/hda1 ro'
disk = [
'phy:/dev/sda2,hda1,w',
]
#
# Hostname
#
name = 'domu1'
#
# Networking
#
vif = [ 'ip=192.168.1.102,mac=00:16:3E:62:DA:BB' ]
#
# Behaviour
#
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
vcpus = '2'
extra = 'xencons=tty1'

You must use a free and different IP for each guest OS.

Then start the first domU like this:

# xm create /etc/xen/domu1.cfg -c

In dom0, to list running OS's, type:

# xm list

The steps to create /dev/sda3 for the second domU are similar...

The same steps can be followed for i386 also...

Oracle - Free Linux DVD set

noreply@blogger.com (Unknown) — Tue, 03 Jun 2008 17:58:00 +0000

First, it was Ubuntu and now it is the turn of Oracle. That's right, here is a wonderful chance to get a DVD of Oracle Unbreakable Linux. Essentially Unbreakable Linux is Red Hat Enterprise Linux without the trademarks of Red Hat.

Oracle Unbreakable Linux book claims enterprise-class support for Linux with Prime Minister backports, comprehensive management, the group of software, compensation, testing and more, all at a lower cost significantly.

Figure 1. Enter Your Email

Figure 2. Enter Your Contact Detail

To order your free DVD Oracle Unbreakable Linux with free delivery and all, visit this page and click on "Sign Up". If this is your first visit to the site of Oracle, you must create an account Oracle. Next enter your shipping address, which is the address to which you wish to receive the DVD and click on "Submit". That's it. Oracle will ship a new DVD Unbreakable Linux.

Screen for Power Session

noreply@blogger.com (Unknown) — Sun, 01 Jun 2008 15:24:00 +0000

Screen is a full-screen window manager of the console, which comes with every flavor of UNIX and Linux. He is best known for multiplexing a physical terminal between several processes. By using it, you can run any number of console-based applications within a single hotel.
For example, suppose I want to launch the 'top' to keep track of the system load, change my programming code and check my mail at the same time ... Usually, I must open at least 3 terminals to do that. But using the screen utility, I can run all these programs at the same time and physical terminal. Another feature of this wonderful utility is its ability to separate the terminal emulator program running, which ensures your work is in progress, even if you inadvertently close your window, or where you disconnect. After detaching, you can once again over the same session and resume control of the management jobs.
Here how to use this utility.

1) First open a terminal and type :

$ screen

2) Screen starts and creates a new single window with a shell, pretty much like what you had before. The path name of the shell is taken from the $SHELL variable. New windows can be created within the same physical terminal using the screen commands.

3) Now that you have started screen in a terminal, suppose you want to run the 'top' program to check the System load and at the same time you want to compile a program too - Also you would like to switch between the two to see the progress made by both.

For that, first execute the first program to be run (say 'top'). now 'top' will start in the terminal.

Now open a new window in screen by pressing the '[Ctrl + a] c' - which I will state as 'C-a c' . This will create a new window in the same terminal. Here, you can give commands to compile your program.

In screen, each window is given a unique identifier. The first window is numbered 0, the next window is 1 and so on. Now to switch between your 'top' and the compiling program, you can use the key 'C-a 0' and 'C-a 1' respectively.

You can also associate names with each running window - use 'C-a A' to give a name to the current window.

Here are a few other commands that might come in handy while toggling between various running windows :

'C-a p' and 'C-a n' can be used to switch to the next or previous window respectively.
'C-a N' - where N is the number from 0 to 9, that can be used to jump to the corresponding window.
'C-a w' displays a list of all windows. The unique ID of each window with its name and running process is displayed, for each window. The current window is marked with an asterisk(*).
'C-a k' - can be used to kill the current window. You can also type 'exit' to kill the current window. If no more windows are open, then screen exits. 'C-a \' also does the same thing.
'C-a d' - detaches the present screen session. You can also detach by closing the terminal running your screen utility. Though, this appears to close your terminal session, in reality this does not happen. It only unbinds your session from the current terminal. All the programs started under screen will still keep running.

You can also log out from the machine and re-login. Then start any terminal session and type 'screen -r' to once again be connected from where you left.

In case, there were more than one screen sessions running on the machine, Screen prompts for a host.tty.pid.

For example, say I have two screen sessions. So when I type 'screen -r' command, it gives the following message:

$ screen -r
There are several suitable screens on:
2999.pts-6.localhost  (Detached)
1920.PTS-6.localhost  (Detached)
Type 
"screen [-d] -r [pid].tty.host" to resume one of them.

Choose the right tty.host to connect and you control your program. You can also share your screen session with others as the use of VNC. Imagine that you are having a problem with your code and you want to share with your boss which is located in another office. You can use the screen to share your session with your boss, and he can see what you are referring. The first user launches the screen in normal mode and executes the following ...

User1:
[Ctrl-A]:multiuser on [RET]
[Ctrl-A]:acladd

The second user starts a new screen session and connects it to the first session using ...

User2:
screen -x

Screen website at Official Screen Home Page

BBC take on the Open Source alternative

noreply@blogger.com (Unknown) — Thu, 29 May 2008 12:58:00 +0000

Of course, you know what open source and free software means. Or you would not visit this blog and reading his articles in the first place. But it is always nice to get the viewpoint of one of the main stream media. And if the media in question is the BBC, then it is all the more sweet.

I was an avid fan of the technology of the BBC program called "Click" formerly known as the "Click Online". In the last episode, Spencer Kelly - Click on the presenter shows you how to build a functional machine working for nothing. The BBC published an article by Kelly called "Open Source alternative" which gives an overview of how FOSS can enrich our lives for information zilch. The article also a short interview with Paul Allen who is the editor of Computer Active magazine.

Read the article to bbc.co.uk.

Only takes 15 seconds to Understanding XML

noreply@blogger.com (Unknown) — Thu, 29 May 2008 07:15:00 +0000

XML also known as Extensible Markup Language is a language created the structure, transporting and storing data or information. But who is the simplest explanation. In reality, there is still much to the semantics of XML. When you embark on the path to mastery of XML, you're still having terms such as XLink, naming, DTD, Schema, and so forth.

To obtain a fair idea of what it means XML, see the following article explaining XML in 10 points. It took only 15 seconds to read the article. Put in a word, they are the main points without explanation -

1. XML is for structuring data
2. It looks a bit like HTML
3. It is text, but is not intended to be read
4. It is wordy by design
5. XML is a family of technologies
6. XML is new, but not that new
7. He led the HTML to XHTML
8. XML is modular
9. XML is the basis for RDF and the semantic web
10. It is without a licence, platform-independent and well supported.

Fedora 9 code name "sulphur" released

noreply@blogger.com (Unknown) — Wed, 28 May 2008 12:48:00 +0000

There is still time for a major new version of Fedora Linux. The latest avatar of Fedora namely version 9 is the code name of sulphur. If you are bitten by the strange name of Fedora, then you should read this article to get a better perspective. So what is in store for all fans of Fedora? A number of things.

To begin with, Fedora has obtained what is known as PackageKit. It is a cross distribution management solution packages with a complete backend Yum. Then, Fedora comes with the latest and greatest version Gnome Desktop namely 2.22. KDE 4.0.3 is also the repository and can be installed on the hard core fans of KDE. But the biggest news is that Fedora is now shipped with the Sun Java that Sun has released Java under an open source license. For the full set of features, read this article that explains all the features in more detail.

And after reading the features, if you're quite excited (which you will be), then visit the download page and start your download Linux distribution Fedora alias 9 sulphur.