Saturday, December 8, 2012



Autonomous System:  




# Cacti

# Percona plugin for Cacti

# NTP Server and Client

# MySQL partition

==== grub4dos ==============================

1. Install grub4dos to USB/External HDD
2. Copy ISO file to USB/External HDD
3. Edit menu.lst as following:

title HirentBoot9.9v3.iso (0xFF)
find --set-root /HirentBoot9.9v3.iso
map /HirentBoot9.9v3.iso (0xFF)
map --hook
root (0xFF)
chainloader (0xFF)

title CentOS57.iso (0xFF)
find --set-root /CentOS57.iso
map /CentOS57.iso (0xFF)
map --hook
root (0xFF)
chainloader (0xFF)

Note: Use CDBurnerXP to create ISO file.

phpMyAdmin installation
1. Download source code
2. Extract source code to /var/www/html/phpmyadmin
3. Create /etc/httpd/conf.d/phpmyadmin.conf as follows

Alias /phpmyadmin "/var/www/html/phpMyAdmin-2.11.11-english"

<Directory "/var/www/html/phpMyAdmin-2.11.11-english">
   Options None
   AllowOverride None
   Order allow,deny
   Allow from

Hide db:

vim path/to/
$cfg['Servers'][$i]['hide_db'] = '^information_schema|mysql|test$'; 

Allow/Deny user
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array('deny admin from all'); // Deny user admin

SHOW GRANTS FOR 'bbdev'@'localhost';

mysqldump -uroot -p<password> --single-transaction --databases db1 db2

Create ~/.exrc, change settings such as
:set ts=4

Cisco Router

Enable SSH login

1. Set hostname
yourname#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
yourname (config)#hostname LabRouter

2. Set domain name
LabRouter(config)#ip domain-name

3. We generate a certificate that will be used to encrypt the SSH packets using the crypto key generate rsa command
LabRouter(config)#crypto key generate rsa

4. Config vty lineLabRouter(config)#line vty 0 4
LabRouter(config-line)#login local
LabRouter(config-line)#transport input ssh

5. Create router's account
LabRouter(config)#username XXXX privilege 15 secret XXXX

6. Set SSH version
LabRouter(config)#line vty 0 4
LabRouter(config)#ip ssh version 2

Port forwarding

R1841_Punch(config)#ip nat inside source static tcp 80 <public ip> 80 extendable

R1841_Punch(config)#ip nat inside source static tcp 443
<public ip>443 extendable

R1841_Punch(config)#ip nat inside source static tcp 943
<public ip> 943 extendable

R1841_Punch(config)#ip nat inside source static udp 1194
<public ip> 1194 extendable

[root@abc ~]# cat /etc/syslog-ng/syslog-ng.conf
# syslog-ng configuration file.
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
# See syslog-ng(8) and syslog-ng.conf(5) for more information.

options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (no);
    use_dns (yes);
    use_fqdn (yes);
    create_dirs (yes);
    keep_hostname (no);

source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    # udp(ip( port(514));

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" sync(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
                        not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
                        and level(crit..emerg)); };
filter f_boot   { facility(local7); };
filter f_cron   { facility(cron); };

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:

# Define all the sources of localhost generated syslog
# messages and label it "d_localhost"
#source s_localhost {
#          pipe ("/proc/kmsg" log_prefix("kernel: "));
#          unix-stream ("/dev/log");
#          internal();

# Define all the sources of network generated syslog
# messages and label it "d_network"
source s_network {

# Define the destination "d_localhost" log directory
#destination d_localhost {
#           file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/localhost/$FACILITY.log");

# Define the destination "d_network" log directory
destination d_network {
          file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log");

# Any logs that match the "s_localhost" source should be logged
# in the "d_localhost" directory

#log { source(s_localhost);
#      destination(d_localhost);

# Any logs that match the "s_network" source should be logged
# in the "d_network" directory

log { source(s_network);
[root@abc ~]#  


Q: First - what happens if I don't give a passphrase? Is some sort of pseudo random phrase used? I'm just looking for something "good enough" to keep casual hackers at bay.
Second - how do I generate a key pair from the command line, supplying the passphrase on the command line?
A: If you don't use a passphrase, then the private key is not encrypted with any symmetric cipher - it is output completely unprotected.
You can generate a keypair, supplying the password on the command-line using an invocation like (in this case, the password is foobar):
openssl genrsa -aes128 -passout pass:foobar 2048
However, note that this passphrase could be grabbed by any other process running on the machine at the time, since command-line arguments are generally visible to all processes.
A better alternative is to write the passphrase into a temporary file that is protected with file permissions, and specify that:
openssl genrsa -aes128 -passout file:passphrase.txt 2048
Or supply the passphrase on standard input:
openssl genrsa -aes128 -passout stdin 2048
You can also used a named pipe with the file: option, or a file descriptor.

To then obtain the matching public key, you need to use openssl rsa, supplying the same passphrase with the -passin parameter as was used to encrypt the private key:
openssl rsa -passin file:passphrase.txt -pubout
(This expects the encrypted private key on standard input - you can instead read it from a file using -in <file>).

Example of creating a 2048-bit private and public key pair in files, with the private key pair encrypted with password foobar:
openssl genrsa -aes128 -passout pass:foobar -out privkey.pem 2048
openssl rsa -in privkey.pem -passin pass:foobar -pubout -out

Linux Firewall

Tuning Linux firewall connection tracker ip_conntrack

If your Linux server should handle lots of connections, you can get into the problem with ip_conntrack iptables module. It limits number of simultaneous connections your system can have. Default value (in CentOS and most other distros) is 65536.
To check how many entries in the conntrack table are occupied at the moment:

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count

Or you can dump whole table :

cat /proc/net/ip_conntrack
Conntrack table is hash table (hash map) of fixed size (8192 entries by default), which is used for primary lookup. When the slot in the table is found it points to list of conntrack structures, so secondary lookup is done using list traversal. 65536/8192 gives 8 – the average list length. You may want to experiment with this value on heavily loaded systems.
Modifying conntrack capacity
To see the current conntrack capacity:

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max

You can modify it by echoing new value there:

# echo 131072 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max

Changes are immediate, but temporary – will not survive reboot.
Modifying number of buckets in the hash table
As mentioned above just changing this parameter will give you some relief, if your server was at the cap, but it is not ideal setup. For 1M connections average list becomes 1048576 / 8192 = 128, which is a bit too much.
To see current size of hash table:

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets

which is read-only aliase for module parameter:

cat /sys/module/ip_conntrack/parameters/hashsize

You can change it on the fly as well:

#echo 32768 > /sys/module/ip_conntrack/parameters/hashsize
# cat /sys/module/ip_conntrack/parameters/hashsize
Persisting the changes
Making these changes persistent is a bit tricky.
For total number of connection just edit /etc/sysctl.conf (CentOs, Redhat etc) and you are done:

# conntrack limits
net.ipv4.netfilter.ip_conntrack_max = 131072
Not so easy with hashtable size. You need to pass parameters to kerenl module at boot time. Edit add to /etc/modprobe.conf:

options ip_conntrack hashsize=32768
Memory usage
You can find how much kernel memory each conntrack entry occupies by grepping /var/log/messages :

ip_conntrack version 2.4 (8192 buckets, 65536 max) - 304 bytes per conntrack
1M connections would require 304MB of kernel memory.

Listing package installed by date time
rpm -qa --qf '%{INSTALLTIME} (%{INSTALLTIME:date}): %{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' | sort -n


A list of handy tput command line options

  • tput bold - Bold effect
  • tput rev - Display inverse colors
  • tput sgr0 - Reset everything
  • tput setaf {CODE}- Set foreground color, see color {CODE} table below for more information.
  • tput setab {CODE}- Set background color, see color {CODE} table below for more information.

Various color codes for the tput command

Color {code}Color

export PS1='\[\e[1;32m\][\u@\w]\$\[\e[00m\] '
export LSCOLORS=gxfxcxdxbxegedabagacad

export PS1="[\u@\h($BEGIN_COLOR master $END_COLOR) \W]# "

Generate userPassword
# slappasswd
New password:
Re-enter new password:

Generate sambaNTPassword

use Crypt::SmbHash;

$password = $ARGV[0];

if ( !$password ) {
print "Not enough argument\n";
print "Usage: $0 password\n";
exit 1;

my ($lm, $nt) = ntlmgen $password;
print "LM = $lm\n";
print "NT = $nt\n";


yum install openvpn -y
cp /usr/share/doc/openvpn-2.3.1/sample/sample-config-files/server.conf /etc/openvpn/server.conf
Follow comments to modify  /etc/openvpn/server.conf
Download easy-rsa from below:
Extract the package:
tar -zxvf easy-rsa-2.2.0_master.tar.gz
Copy to OpenVPN directory:
cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/

Now let’s create the certificate:
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
Build CA:
Country Name: may be filled or press enter
State or Province Name: may be filled or press enter
City: may be filled or press enter
Org Name: may be filled or press enter
Org Unit Name: may be filled or press enter
Common Name: your server hostname
Email Address: may be filled or press enter
Build key server:
./build-key-server server
Almost the same with ./ but check the changes and additional
Common Name: server
A challenge password: leave
Optional company name: fill or enter
sign the certificate: y
1 out of 1 certificate requests: y
Build Diffie Hellman (wait a moment until the process finish):
Generate client key
./build-key-pass client

1 comment:

Anonymous said...

I know this if off topioc but I'm looking into starting my own weblog
and was wondering what alll is required to get setup?
I'm assuming having a blog like yours would cost a pretty penny?
I'm not very internet savvy so I'm not 100% sure.Any recommendations
or advice would be greatly appreciated. Thankk you

Here is my site ... ()