Autonomous System: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-1/autonomous_system_numbers.html
http://as.robtex.com/as38636.html
Whois: http://www.team-cymru.org/Services/ip-to-asn.html
http://whois.cymru.com/cgi-bin/whois.cgi
CIDR
http://www.cidr-report.org/cgi-bin/as-report?as=AS2527&v=4&view=2.0
# SNMP
http://www.cyberciti.biz/nixcraft/linux/docs/uniqlinuxfeatures/mrtg/mrtg_config_step_3.php
http://www.paessler.com/info/snmp_mibs_and_oids_an_overview
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do
# Cacti
http://www.cyberciti.biz/faq/fedora-rhel-install-cacti-monitoring-rrd-software/
# Percona plugin for Cacti
http://www.percona.com/doc/percona-monitoring-plugins/cacti/mysql-templates.html
http://www.percona.com/doc/percona-monitoring-plugins/cacti/installing-templates.html
http://www.percona.com/downloads/percona-monitoring-plugins/
# NTP Server and Client
http://www.cyberciti.biz/faq/rhel-fedora-centos-configure-ntp-client-server/
# MySQL partition
http://dev.mysql.com/doc/refman/5.1/en/partitioning-management-range-list.html
==== grub4dos ==============================
1. Install grub4dos to USB/External HDD
2. Copy ISO file to USB/External HDD
3. Edit menu.lst as following:
title HirentBoot9.9v3.iso (0xFF)
find --set-root /HirentBoot9.9v3.iso
map /HirentBoot9.9v3.iso (0xFF)
map --hook
root (0xFF)
chainloader (0xFF)
title CentOS57.iso (0xFF)
find --set-root /CentOS57.iso
map /CentOS57.iso (0xFF)
map --hook
root (0xFF)
chainloader (0xFF)
Note: Use CDBurnerXP to create ISO file.
=========================================
phpMyAdmin installation
1. Download source code
2. Extract source code to /var/www/html/phpmyadmin
3. Create /etc/httpd/conf.d/phpmyadmin.conf as follows
Alias /phpmyadmin "/var/www/html/phpMyAdmin-2.11.11-english"
<Directory "/var/www/html/phpMyAdmin-2.11.11-english">
Options None
AllowOverride None
Order allow,deny
Allow from 119.15.160.25/32 210.86.225.160/28
</Directory>
Hide db (note: in the pattern below `^` anchors only the first alternative and `$` only the last, so any database whose name merely contains `mysql` is also hidden; to match the three names exactly, group them as `^(information_schema|mysql|test)$`):
vim path/to/config.inc.php
$cfg['Servers'][$i]['hide_db'] = '^information_schema|mysql|test$';
Allow/Deny user
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array('deny admin from all'); // Deny user admin
MySQL
SHOW GRANTS FOR 'bbdev'@'localhost';
mysqldump -uroot -p<password> --single-transaction --databases db1 db2
vi/vim
Create ~/.exrc, change settings such as
:set ts=4
=================================
Cisco Router
=================================
Enable SSH login
1. Set hostname
yourname#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
yourname (config)#hostname LabRouter
LabRouter(config)#
2. Set domain name
LabRouter(config)#ip domain-name CiscoLab.com
3. Generate the RSA key pair that SSH uses to secure its sessions, using the crypto key generate rsa command
LabRouter(config)#crypto key generate rsa
4. Config vty line
LabRouter(config)#line vty 0 4
LabRouter(config-line)#login local
LabRouter(config-line)#transport input ssh
5. Create router's account
LabRouter(config)#username XXXX privilege 15 secret XXXX
6. Set SSH version
LabRouter(config)#line vty 0 4
LabRouter(config)#ip ssh version 2
Port forwarding
R1841_Punch(config)#ip nat inside source static tcp 10.0.0.9 80 <public ip> 80 extendable
R1841_Punch(config)#ip nat inside source static tcp 10.0.0.9 443 <public ip> 443 extendable
R1841_Punch(config)#ip nat inside source static tcp 10.0.0.9 943 <public ip> 943 extendable
R1841_Punch(config)#ip nat inside source static udp 10.0.0.9 1194 <public ip> 1194 extendable
=================================
syslog-ng
=================================
[root@abc ~]# cat /etc/syslog-ng/syslog-ng.conf
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
options {
sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (no);
use_dns (yes);
use_fqdn (yes);
create_dirs (yes);
keep_hostname (no);
};
source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
# udp(ip(0.0.0.0) port(514));
};
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" sync(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };
filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
not (facility(mail)
or facility(authpriv)
or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or
(facility(news)
and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };
#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
# Define all the sources of locally generated syslog
# messages and label them "s_localhost"
#source s_localhost {
# pipe ("/proc/kmsg" log_prefix("kernel: "));
# unix-stream ("/dev/log");
# internal();
#};
# Define all the sources of network generated syslog
# messages and label them "s_network" (without an ip() option, as in the
# commented-out udp line above, these listeners accept from all interfaces)
source s_network {
tcp(max-connections(5000));
udp();
};
# Define the destination "d_localhost" log directory
#destination d_localhost {
# file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/localhost/$FACILITY.log");
#};
# Define the destination "d_network" log directory
destination d_network {
file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log");
};
# Any logs that match the "s_localhost" source should be logged
# in the "d_localhost" directory
#log { source(s_localhost);
# destination(d_localhost);
#};
# Any logs that match the "s_network" source should be logged
# in the "d_network" directory
log { source(s_network);
destination(d_network);
};
[root@abc ~]#
=================================
OpenSSL
=================================
Q: First - what happens if I don't give a passphrase? Is some sort of pseudo random phrase used? I'm just looking for something "good enough" to keep casual hackers at bay.
Second - how do I generate a key pair from the command line, supplying the passphrase on the command line?
A: If you don't use a passphrase, then the private key is not encrypted with any symmetric cipher - it is output completely unprotected.
You can generate a keypair, supplying the password on the command line using an invocation like (in this case, the password is foobar):
openssl genrsa -aes128 -passout pass:foobar 2048
However, note that this passphrase could be grabbed by any other process running on the machine at the time, since command-line arguments are generally visible to all processes.
A better alternative is to write the passphrase into a temporary file that is protected with file permissions, and specify that:
openssl genrsa -aes128 -passout file:passphrase.txt 2048
Or supply the passphrase on standard input:
openssl genrsa -aes128 -passout stdin 2048
You can also use a named pipe with the file: option, or a file descriptor.
To then obtain the matching public key, you need to use openssl rsa, supplying the same passphrase with the -passin parameter as was used to encrypt the private key:
openssl rsa -passin file:passphrase.txt -pubout
(This expects the encrypted private key on standard input - you can instead read it from a file using -in <file>.)
Example of creating a 2048-bit private and public key pair in files, with the private key encrypted with password foobar:
openssl genrsa -aes128 -passout pass:foobar -out privkey.pem 2048
openssl rsa -in privkey.pem -passin pass:foobar -pubout -out privkey.pub
===========================
Linux Firewall
===========================
Tuning Linux firewall connection tracker ip_conntrack
Overview
If your Linux server has to handle lots of connections, you can run into a problem with the ip_conntrack iptables module. It limits the number of simultaneous connections your system can have. The default value (in CentOS and most other distros) is 65536.
To check how many entries in the conntrack table are occupied at the moment:
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
Or you can dump the whole table:
cat /proc/net/ip_conntrack
Conntrack table is hash table (hash map) of fixed size (8192 entries by default), which is used for primary lookup. When the slot in the table is found it points to list of conntrack structures, so secondary lookup is done using list traversal. 65536/8192 gives 8 – the average list length. You may want to experiment with this value on heavily loaded systems.
Modifying conntrack capacity
To see the current conntrack capacity:
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
You can modify it by echoing a new value there:
# echo 131072 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
131072
Changes are immediate, but temporary – they will not survive a reboot.
Modifying number of buckets in the hash table
As mentioned above, just changing this parameter will give you some relief if your server was at the cap, but it is not an ideal setup. For 1M connections the average list length becomes 1048576 / 8192 = 128, which is a bit too much.
To see the current size of the hash table:
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
which is a read-only alias for the module parameter:
cat /sys/module/ip_conntrack/parameters/hashsize
You can change it on the fly as well:
# echo 32768 > /sys/module/ip_conntrack/parameters/hashsize
# cat /sys/module/ip_conntrack/parameters/hashsize
32768
Persisting the changes
Making these changes persistent is a bit tricky.
For the total number of connections just edit /etc/sysctl.conf (CentOS, Red Hat etc.) and you are done:
# conntrack limits
net.ipv4.netfilter.ip_conntrack_max = 131072
Not so easy with the hashtable size. You need to pass parameters to the kernel module at boot time. Add to /etc/modprobe.conf:
options ip_conntrack hashsize=32768
Memory usage
You can find how much kernel memory each conntrack entry occupies by grepping /var/log/messages :
ip_conntrack version 2.4 (8192 buckets, 65536 max) - 304 bytes per conntrack
1M connections would require 304MB of kernel memory.
======================
RPM
======================
Listing package installed by date time
rpm -qa --qf '%{INSTALLTIME} (%{INSTALLTIME:date}): %{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' | sort -n
==========================
BASH SHELL
==========================
A list of handy tput command line options
- tput bold - Bold effect
- tput rev - Display inverse colors
- tput sgr0 - Reset everything
- tput setaf {CODE} - Set foreground color, see the color {CODE} table below for more information.
- tput setab {CODE} - Set background color, see the color {CODE} table below for more information.
Various color codes for the tput command
Color {code} | Color |
0 | Black |
1 | Red |
2 | Green |
3 | Yellow |
4 | Blue |
5 | Magenta |
6 | Cyan |
7 | White |
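# Prompt/colour snippets. Each line stands on its own; when both PS1 exports
# are sourced, the later one wins.
#
# Green "[user@cwd]$" prompt. The \[ ... \] pairs mark the escape sequences as
# non-printing so readline computes the prompt width correctly.
export PS1='\[\e[1;32m\][\u@\w]\$\[\e[00m\] '
# Colour palette for BSD/macOS ls (GNU ls reads LS_COLORS instead).
export LSCOLORS=gxfxcxdxbxegedabagacad
# Red colour around the "master" tag. The escapes are wrapped in \[ \] for the
# same reason as above; without them the shell miscounts the prompt length and
# cursor positioning breaks when editing long command lines.
BEGIN_COLOR="\[\e[0;31m\]"
END_COLOR="\[\e[m\]"
export PS1="[\u@\h($BEGIN_COLOR master $END_COLOR) \W]# "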
==========================
OpenLDAP
==========================
Generate userPassword
# slappasswd
New password:
Re-enter new password:
{SSHA}xNkreAEiJpX2oyHbjiai0BUdqiEdwcYo
Generate sambaNTPassword
************************************
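#!/usr/bin/perl
# Print the LM and NT (sambaNTPassword) hashes of the password given as $ARGV[0].
#
# NOTE: the password arrives on the command line, so it is visible to other
# local users via the process list while this runs (the same caveat the
# OpenSSL notes make about -passout pass:); read it from stdin or a
# permission-protected file when that matters.
use strict;
use warnings;
use Crypt::SmbHash;

my $password = $ARGV[0];
# Test for "missing or empty" explicitly rather than by truthiness, so that a
# password of "0" is not mistaken for a missing argument.
if ( !defined $password || $password eq '' ) {
    print "Not enough argument\n";
    print "Usage: $0 password\n";
    exit 1;
}
# ntlmgen returns the (LM, NT) hash pair. Neither hash carries a salt, so the
# same password always produces the same values.
my ( $lm, $nt ) = ntlmgen($password);
print "LM = $lm\n";
print "NT = $nt\n";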
************************************
==========================
OpenVPN
==========================
yum install openvpn -y
cp /usr/share/doc/openvpn-2.3.1/sample/sample-config-files/server.conf /etc/openvpn/server.conf
Follow comments to modify /etc/openvpn/server.conf
Download easy-rsa from below:
wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
Extract the package:
tar -zxvf easy-rsa-2.2.0_master.tar.gz
Copy to OpenVPN directory:
cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/
Now let’s create the certificate:
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all
Build CA:
./build-ca
Country Name: may be filled or press enter
State or Province Name: may be filled or press enter
City: may be filled or press enter
Org Name: may be filled or press enter
Org Unit Name: may be filled or press enter
Common Name: your server hostname
Email Address: may be filled or press enter
Build key server:
./build-key-server server
Almost the same as ./build-ca, but check the changes and additional prompts:
Common Name: server
A challenge password: leave blank
Optional company name: fill or press enter
Sign the certificate: y
1 out of 1 certificate requests: y
Build Diffie Hellman (wait a moment until the process finish):
./build-dh
Generate client key:
./build-key-pass client