NFS:  Provide Network shares to specific Clients
(The terms NFS server and NFS client are used loosely here: there is no dedicated NFS server product. The machine that shares the NFS files is treated as the NFS server, and the clients or servers that access those files are treated as NFS clients.)
On the NFS server Side (server IP 192.168.2.250)
Install necessary packages,
#yum install nfs-utils rpcbind
#/etc/init.d/nfs start
#/etc/init.d/rpcbind start
Create NFS shares:
Edit the file /etc/exports
Inside /etc/exports add the mount point, the client(s) allowed to reach it, and the share permissions,
#nano /etc/exports
#add the shares, one per line
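An added example, not part of the original post: an /etc/exports written for the setup above, with each share limited to named clients, plus a small audit that flags the two mistakes that turn a "specific clients" share into an open one (a `*` client, or `no_root_squash`). The server address 192.168.2.250 is the post's; the client addresses, subnet and /srv/... share paths are constructed, and the file is written to a temporary path so the script runs without root.

```shell
#!/bin/sh
# Added example, not part of the original post. Writes an /etc/exports-style
# file to a temporary path (so it runs without root) and audits it.
# Constructed values: client 192.168.2.10, subnet 192.168.2.0/24 and the
# /srv/... share paths. The server itself is 192.168.2.250 as in the post.

EXPORTS_FILE="${EXPORTS_FILE:-$(mktemp)}"

# One line per share and client; each client carries its own option list.
# root_squash maps a remote root to the unprivileged nobody user on the
# server. A bare '*' as client opens the share to every host that can reach
# the server; the last two lines are deliberately bad for the audit to catch.
write_exports() {
    cat > "$EXPORTS_FILE" <<'EOF'
# constructed sample /etc/exports for server 192.168.2.250
/srv/share      192.168.2.10(rw,sync,root_squash)
/srv/share      192.168.2.0/24(ro,sync,root_squash)
/srv/public     *(ro,sync)
/srv/admin      192.168.2.20(rw,sync,no_root_squash)
EOF
}

# Prints one line per risky entry: a wildcard client or no_root_squash.
audit_exports() {
    while read -r path client_spec; do
        case "$path" in ''|'#'*) continue ;; esac
        client=${client_spec%%"("*}
        opts=${client_spec#*"("}; opts=${opts%")"}
        case "$client" in
            ''|'*') echo "OPEN-TO-ALL: $path is exported to every host" ;;
        esac
        case ",$opts," in
            *,no_root_squash,*) echo "NO-ROOT-SQUASH: $path for $client lets remote root act as local root" ;;
        esac
    done < "$EXPORTS_FILE"
}

# Number of findings; 0 means every share is limited to named clients.
count_findings() {
    audit_exports | wc -l | tr -d ' '
}

write_exports
audit_exports
# After copying the file to /etc/exports on the server, apply it with: exportfs -ra
```

Run it as-is and it reports the two bad lines; point `EXPORTS_FILE` at a copy of a real exports file (and skip `write_exports`) to audit that instead.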

Virtual Host configuration in Plesk Control Panel

There are two files in Plesk for configuring hosts: http.include and vhost.conf.
By default Plesk uses the http.include file as the config file for newly created domains.
Both http.include and vhost.conf live under
/var/www/vhosts/example.com/conf/

The vhost.conf file in Plesk is used to "redirect" a domain: not an HTTP redirect, but a change of the physical location of its httpdocs folder. In other words, two or more domain names share a single physical path.

The example config assumes an existing domain, domain.com, and a new domain, newdomain.com.
Create a new vhost.conf under
/var/www/vhosts/newdomain.com/conf/vhost.conf

Add an IP address to CentOS server

Sometimes, because of business growth or for testing purposes, an additional IP address has to be assigned to a server interface. When I first came across adding an IP to a server it was a little annoying: I followed many Google results but ended up with a wrong configuration.
In the end I found out that simply restarting the network after adding the IP address is enough.
To add an IP,
make a copy of the existing interface config /etc/sysconfig/network-scripts/ifcfg-eth0 as ifcfg-eth0:0.
Get into the folder,

#cd /etc/sysconfig/network-scripts
#cp ifcfg-eth0 ifcfg-eth0:0
Edit the newly created interface file,
#nano ifcfg-eth0:0
Change the device to eth0:0
and change the IP address,
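An added example, not part of the original post: the copy-and-edit steps above as a script that rewrites DEVICE and IPADDR in the alias file and then checks the result before it is installed, since a leftover DEVICE=eth0 or a duplicated address is exactly the "wrong configuration" that is hard to spot by eye. The sample ifcfg-eth0 and the new address 192.168.2.251 are constructed; everything is written under a temporary directory rather than /etc/sysconfig/network-scripts/.

```shell
#!/bin/sh
# Added example, not part of the original post: build ifcfg-eth0:0 from an
# existing ifcfg-eth0 and verify it before copying it into
# /etc/sysconfig/network-scripts/. The sample ifcfg-eth0 is constructed.

WORK="${WORK:-$(mktemp -d)}"

# Constructed ifcfg-eth0 as found on a CentOS 5/6 box.
write_sample_eth0() {
    cat > "$WORK/ifcfg-eth0" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:11:22:33:44:55
IPADDR=192.168.2.250
NETMASK=255.255.255.0
GATEWAY=192.168.2.1
ONBOOT=yes
EOF
}

# make_alias_cfg SRC DEST ALIAS_DEV NEW_IP
# Copies SRC to DEST with DEVICE and IPADDR replaced. HWADDR and UUID are
# dropped because they identify the physical interface, not the alias, and
# GATEWAY is dropped so only the parent interface carries the default route.
make_alias_cfg() {
    src=$1; dest=$2; dev=$3; ip=$4
    sed -e "s/^DEVICE=.*/DEVICE=$dev/" \
        -e "s/^IPADDR=.*/IPADDR=$ip/" \
        -e '/^HWADDR=/d' -e '/^UUID=/d' -e '/^GATEWAY=/d' \
        "$src" > "$dest"
}

# check_alias_cfg FILE ALIAS_DEV NEW_IP: 0 only if DEVICE and IPADDR are the
# new values and no HWADDR survived the copy.
check_alias_cfg() {
    f=$1; dev=$2; ip=$3
    grep -qx "DEVICE=$dev" "$f" || return 1
    grep -qx "IPADDR=$ip" "$f" || return 1
    if grep -q '^HWADDR=' "$f"; then return 1; fi
    return 0
}

write_sample_eth0
make_alias_cfg "$WORK/ifcfg-eth0" "$WORK/ifcfg-eth0:0" eth0:0 192.168.2.251
if check_alias_cfg "$WORK/ifcfg-eth0:0" eth0:0 192.168.2.251; then
    echo "ifcfg-eth0:0 looks right; copy it to /etc/sysconfig/network-scripts/ and run: service network restart"
else
    echo "ifcfg-eth0:0 is not usable, do not install it" >&2
fi
```

Before restarting the network, also make sure the new address is not already in use on the LAN; an alias that duplicates a neighbour's address breaks both hosts.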


Secure Subversion Setup (CentOS 5.6 + Apache + SSL)

Subversion is an open source version control system for any kind of programming project. In software development, for example, versioning is one of the most important practices, and it is strongly recommended in web development.

Subversion can keep a maximum of 2^32 – 1 versions on a 32-bit operating system. On 64-bit it is effectively unlimited.
Subversion can serve files in two ways: through the SVN daemon (svnserve), which runs SVN as a standalone service, or through Apache, where SVN runs as a web application.
Setting up the SVN daemon is very easy compared to running it under Apache.
1. Install SVN as a daemon.
yum install subversion
#second step is to create the SVN repository,
svnadmin create /var/www/svnrepo
cd /var/www/svnrepo

#edit the configuration file inside the repository
nano conf/svnserve.conf
#find the lines below and uncomment or add them,
anon-access = none
auth-access = write
password-db = passwd
#save the file

#next edit the file called passwd, which contains the users authorized to access the SVN repository
nano conf/passwd
#add users and passwords under the [users] section
#save and close.

Create Self Signed SSL certificate
user@localhost# openssl genrsa -des3 -out private.key 2048
user@localhost# openssl rsa -in private.key -out private.pem
(This is mandatory for some web servers; lighttpd, for example, only accepts a .pem file. Apache also accepts .pem files.)
user@localhost# openssl req -new -key private.key -out request.csr
Enter pass phrase for private.key:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:
Email Address []:
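An added example, not part of the original post: the key and CSR steps above, completed with the self-signing step the post stops short of, and made non-interactive so it can run unattended. It assumes `openssl` is on PATH, writes to a temporary directory, and uses a constructed subject (svn.example.com, with the same DN fields the prompts above ask for).

```shell
#!/bin/sh
# Added example, not part of the original post: the key -> CSR flow from the
# post completed with the self-signing step, made non-interactive so it can
# run unattended. Assumptions: openssl on PATH, a temporary output directory
# and a constructed subject (svn.example.com, matching the post's CSR prompts).

OUT="${OUT:-$(mktemp -d)}"
SUBJ="/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=svn.example.com"

# make_selfsigned DIR SUBJECT [DAYS]
# 1. 2048-bit RSA key, unencrypted: a -des3 key as in the post makes Apache
#    ask for the passphrase at every restart, which is why the post strips it
#    with 'openssl rsa' into private.pem anyway;
# 2. CSR with the DN given by -subj instead of the interactive prompts;
# 3. certificate signed with the same key, valid for DAYS days.
make_selfsigned() {
    dir=$1; subj=$2; days=${3:-365}
    umask 077   # the private key must not be readable by other users
    openssl genrsa -out "$dir/private.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/private.key" -out "$dir/request.csr" -subj "$subj" &&
    openssl x509 -req -days "$days" -in "$dir/request.csr" \
        -signkey "$dir/private.key" -out "$dir/server.crt" 2>/dev/null
}

# cert_cn CERT: common name from the certificate subject (handles both the
# older "subject= /C=.../CN=x" and the newer "subject=C = ..., CN = x" output).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# key_matches_cert KEY CERT: 0 when the certificate was issued for this key,
# the check worth running before pointing SSLCertificateFile and
# SSLCertificateKeyFile at the pair.
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

make_selfsigned "$OUT" "$SUBJ" 365 &&
    echo "self-signed certificate for $(cert_cn "$OUT/server.crt") written to $OUT"
```

A self-signed certificate still gives every SVN client a trust warning on first use; it is fine for an internal repository, but clients should pin the fingerprint they accept rather than click through every time.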



SSH password-less authentication


SSH key authentication (No password):
SSH key authentication is very popular among Linux system administrators, and it is recommended whenever remote servers are accessed frequently. It provides confidentiality and integrity for the data exchanged between client and server. SSH by itself is already secure, but using more than one security mechanism makes it considerably more secure.
The traditional SSH method uses password authentication. This is considered vulnerable because it can be compromised by a man-in-the-middle attack (an attack on confidentiality): a third party impersonates the claimed host and can sniff the connection.
SSH key authentication is a combination of SSH and public-key cryptography.
Advantages of SSH Cryptography
1. Confidentiality - Makes sure that no third party is involved in the communication
2. Integrity - Ensures that only authorized modifications happen during transmission.
3. Easy to implement.
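An added example, not part of the original post: what "key authentication, no password" has to look like on the server side. It writes a typical permissive sshd_config and a hardened one (both constructed samples), and provides a check that can be pointed at the real /etc/ssh/sshd_config to confirm no password path is left open. Keys still have to be generated and installed on the client (ssh-keygen and authorized_keys), which this script does not do.

```shell
#!/bin/sh
# Added example, not part of the original post: a weak and a hardened
# sshd_config (both constructed) plus a check for the real file. Reload sshd
# after changing /etc/ssh/sshd_config, and only after a key login has been
# tested from a second session so you cannot lock yourself out.

WORK="${WORK:-$(mktemp -d)}"

# Typical default: keys are accepted, but so are passwords, and root may log
# in with one.
write_weak_config() {
    cat > "$1" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
EOF
}

# Hardened: keys only. ChallengeResponseAuthentication must be off as well,
# otherwise PAM can still prompt for a password.
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin without-password
EOF
}

# sshd_option FILE KEYWORD DEFAULT: effective value, lower-cased. sshd uses
# the first occurrence of a keyword, so that is what is read; DEFAULT is
# returned when the keyword is absent (the defaults passed below are the
# permissive ones of older OpenSSH releases, the safe assumption for an audit).
sshd_option() {
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${v:-$3}"
}

# audit_sshd_config FILE: one line per setting that still allows a password.
audit_sshd_config() {
    f=$1
    [ "$(sshd_option "$f" PubkeyAuthentication yes)" = yes ] || echo "PubkeyAuthentication is off"
    [ "$(sshd_option "$f" PasswordAuthentication yes)" = no ] || echo "PasswordAuthentication still allowed"
    [ "$(sshd_option "$f" ChallengeResponseAuthentication yes)" = no ] || echo "ChallengeResponseAuthentication still allowed (PAM password fallback)"
    case "$(sshd_option "$f" PermitRootLogin yes)" in
        no|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin allows root to log in with a password" ;;
    esac
}

# Count of findings; 0 means only key logins are possible.
count_sshd_problems() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

write_weak_config "$WORK/sshd_config.weak"
write_hardened_config "$WORK/sshd_config.hardened"
echo "weak config: $(count_sshd_problems "$WORK/sshd_config.weak") problem(s)"
echo "hardened config: $(count_sshd_problems "$WORK/sshd_config.hardened") problem(s)"
```

Run `audit_sshd_config /etc/ssh/sshd_config` on a server to see which of the four settings still needs changing.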

INSTALLING AND SECURING ASTERISK/ELASTIX (PBX) ON CENTOS

Installation of PBX server
To install the phone server, insert the Elastix CD and follow the on-screen instructions.
Securing PBX/Asterisk server:
Basic Security measures:
1. Secure Extensions
The extensions in Elastix are the most exposed part of the system. Extensions with weak passwords open the way for attackers to take over the phone system.
1.1 Strong secret password for each extension (a combination of numbers, letters and other ASCII characters)
1.2 Use the allow/deny fields
Deny 0.0.0.0/0.0.0.0
Allow 192.168.0.0/255.255.255.0

This only allows the extension to connect from the local network. For example, if the local network is 10.1.1.0, use 10.1.1.0/255.255.255.0 in the allow field.
1.3 No NAT for extensions – do not enable NAT for extensions
2. Block Anonymous SIP calls
Allowing anonymous calls weakens the phone server: anyone can place fake calls and scan the phone system structure, including the extensions. Blocking anonymous SIP calls is a best practice for any PBX.
Go to General Settings and select NO for allow anonymous calls
3. Block SIP guests
Do not allow guest SIP accounts to register with the PBX.
Open Unembedded FreePBX and, in the Tools section, click Asterisk settings. Select NO for Allow SIP guests.
4. Do not install any extra services on the phone system unless needed (each one opens more unwanted ports).
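An added example, not part of the original post: a review script for the three extension rules above (strong secret, deny/allow limited to the LAN, no NAT), run over a constructed sip.conf-style peer file in which extension 1001 breaks every rule and 1002 follows them. On Elastix/FreePBX the GUI generates these values itself (into sip_additional.conf, where the GUI's allow field shows up as `permit=`, as I understand the mapping), so use this to review the generated file rather than to edit it by hand.

```shell
#!/bin/sh
# Added example, not part of the original post: audit sip.conf-style peers for
# weak secrets, missing deny/permit and NAT enabled. The peer file below is
# constructed; on Elastix/FreePBX review the GUI-generated file instead of
# editing it, or the GUI will overwrite the changes.

SIP_CONF="${SIP_CONF:-$(mktemp)}"

# Extension 1001 breaks every rule; 1002 follows all of them.
write_sample_sip_conf() {
    cat > "$SIP_CONF" <<'EOF'
[general]
context=default
allowguest=no

[1001]
type=friend
secret=1001
host=dynamic
nat=yes
context=from-internal

[1002]
type=friend
secret=Qv7pLw2nR9sXk4
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0
nat=no
context=from-internal
EOF
}

# audit_sip_peers: one line per finding, "<extension> <problem>".
# A secret counts as weak when it is shorter than 8 characters, equals the
# extension number, or lacks either letters or digits. [general] is skipped
# because it is not a peer.
audit_sip_peers() {
    awk '
    function flush() {
        if (ext == "" || ext == "general") return
        if (length(secret) < 8 || secret == ext || secret !~ /[0-9]/ || secret !~ /[A-Za-z]/)
            print ext " weak-secret"
        if (deny == "" || permit == "")
            print ext " no-deny-permit"
        if (nat == "yes")
            print ext " nat-enabled"
    }
    /^\[.*\]$/ { flush(); ext = substr($0, 2, length($0) - 2); secret = deny = permit = nat = ""; next }
    /^secret=/ { secret = substr($0, 8) }
    /^deny=/   { deny = substr($0, 6) }
    /^permit=/ { permit = substr($0, 8) }
    /^nat=/    { nat = substr($0, 5) }
    END { flush() }
    ' "$SIP_CONF"
}

# Count of findings; 0 means every extension follows the three rules.
count_sip_findings() { audit_sip_peers | wc -l | tr -d ' '; }

write_sample_sip_conf
audit_sip_peers
```

The `allowguest=no` line in `[general]` is the sip.conf equivalent of rule 3 (Block SIP guests); the script does not check it because it is a global rather than a per-extension setting.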
Advanced Security measures:



How to Mount CIFS File system (SAMBA Shares) on remote Windows/Linux systems.


How to create network shares in Linux 
Samba shares can be mounted on both Linux and Windows systems. Earlier, Samba used NFS (Network File System) for file sharing, which is more vulnerable to attack. These days Samba uses CIFS (Common Internet File System), which is considered more secure than NFS.
To mount share in windows
Just open the Run dialog and type the share name; for example, if the server is 192.168.1.85 and the shared folder is 'Share':
//192.168.1.85/Share
Mount shared folder in Linux
For a temporary mount, type
mount -t cifs //192.168.1.85/Share /localdirectory/tmp/ -o username=user,password=pass
This command mounts the remote share locally in the specified directory.
To mount it permanently,
edit /etc/auto.misc and add
net -fstype=cifs,rw,username=user,password=pass ://192.168.1.85/Share
The permanent mount location will be the /misc/net directory. (Note: the net folder inside /misc does not need to exist beforehand.)

Finally, restart or start the automount service:
/etc/init.d/autofs restart
To verify the mounted share, go to /misc/net and list the directories.
#ls -lh /misc/net
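An added example, not part of the original post: the same autofs entry as above, but with the Samba username and password kept in a root-only credentials file instead of inline in /etc/auto.misc, which is world-readable. The script refuses to write the entry unless the credentials file is mode 0600. Paths (a temporary directory standing in for /etc/auto.misc, and /etc/samba/cifs-cred as the suggested real location) and the sample credentials are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: autofs CIFS entry with a
# credentials= file instead of a password in /etc/auto.misc. Paths below are
# constructed; the real files are /etc/auto.misc and (assumed location)
# /etc/samba/cifs-cred, both written as root.

WORK="${WORK:-$(mktemp -d)}"
CRED="$WORK/cifs-cred"
AUTO_MISC="$WORK/auto.misc"

# write_credentials FILE USER PASS: mount.cifs reads username= and password=
# lines from the file; umask 077 makes it mode 0600 on creation.
write_credentials() {
    umask 077
    printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1"
}

# credentials_ok FILE: 0 if the file exists and only its owner can read it.
credentials_ok() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]
}

# auto_misc_line KEY CREDFILE UNC: the /etc/auto.misc entry; the share is
# mounted on demand at /misc/KEY. The ':' before the UNC is autofs syntax.
auto_misc_line() {
    printf '%s -fstype=cifs,rw,credentials=%s :%s\n' "$1" "$2" "$3"
}

# install_entry: append the entry only when the credentials file is safe.
install_entry() {
    credentials_ok "$CRED" || { echo "refusing: $CRED missing or not mode 0600" >&2; return 1; }
    auto_misc_line net "$CRED" //192.168.1.85/Share >> "$AUTO_MISC"
}

write_credentials "$CRED" user pass
install_entry && cat "$AUTO_MISC"
# then, on the real system: /etc/init.d/autofs restart ; ls -lh /misc/net
```

The `mount -t cifs` one-liner above takes the same `credentials=` option in place of `username=`/`password=`, which also keeps the password out of shell history and `ps` output.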


Secure FTP server in Linux


Setting up secure FTP server in Ubuntu 10.10
Initial requirements
If you are already running other FTP services in your network, decide which port you want to use for this FTP server.
Create the users who will access the FTP service and set their home directories accordingly in /etc/passwd.
Download and install
  1. sudo apt-get install vsftpd
  2. Configure vsftpd.conf to change the settings. Most of the defaults work with vsftpd, but a few changes are mandatory.
  3. Edit /etc/vsftpd.conf using nano.
  4. By default passive mode is enabled in vsftpd. If you want to disable it, add pasv_enable=NO
  5. If you want to change the default port number, add or change the line listen_port=21
  6. Try to jail FTP users within their own directory
Troubleshooting vsFTP errors
  1. vsFTP login authentication failed
Possible solutions:
1.1   In the FTP client, use plain FTP rather than SFTP or another protocol.
1.2   Choose a password that is not too complex: if it includes unusual ASCII characters, the FTP server may not accept it.
1.3   Disable SSL in vsftpd. Add this line to vsftpd.conf: ssl_enable=NO
1.4   Make sure anonymous authentication is disabled.
  2. Can't access the directories. Listing the remote directory '/' failed. Error numbers include 500, 533 or anything in the 500 series.

2.1 Change permissions on the directories recursively.
E.x          chmod -R 777 folder_name_of_FTP_Access
2.2 Set the umask value in vsftpd.conf to 002: local_umask=002
2.3 Edit /etc/passwd to change the home directories of the FTP users

Adding multiple sites to apache/hosting different sites on apache with DRUPAL
For each site you want to host on Apache, create a separate folder in the /var/www directory. This is the same as creating sites on IIS.

mkdir /var/www/www.example.com
mkdir /var/www/www.example.com/htdocs
mkdir /var/www/www.example.com/cgi-bin
mkdir /var/www/www.example.com/logs
Create an individual configuration file for each site. User-defined settings for Apache are configured in httpd.conf.
Copy the Drupal installation files into each site folder, e.g. copy the drupal directory to /var/www1/www.example.net/
Copying Drupal per site makes it easy to install and configure Drupal for each site separately.
Edit the httpd.conf file as follows,


DriveMap using group policy


How to force drive map for all users under active directory?

A drive map shares a network drive with all users in the network; in other words, a drive map is the local logical location (a drive letter) of a network shared drive.
In a Windows environment network sharing can be achieved in many ways. The following method is efficient and needs no action at the user end.
To share a network drive under windows domain environment,
First create a small script with following line,

net use i: /delete
net use i: \\ipaddress\sharename

Save the script as drivemap.bat and store it under SYSVOL/domain/scripts/drivemap.bat
Second step,
Open Group Policy Management from mmc, create a new policy and link it to the domain.
In the Group Policy editor, open
User Configuration
    Windows Settings
        Scripts
            Logon
Under Logon, add the script and click OK.


Linux backup script


This is a very simple backup script using rsync.
The script pulls a backup from a remote location and stores it locally (central backup management).
Once the backup has finished, the script notifies the user by email with the time, date and amount of data transferred.

#!/bin/bash
emailaddress='user@example.com'
#setup local directory to store the backups
DIRECTORY=/srv/backups
#set current date (the %n in the original produced a trailing newline, which broke the paths)
DATE=$(date '+%m-%d-%y')
mkdir -p "$DIRECTORY/$DATE"
#the rsync command below must stay on a single line
rsync --exclude-from '/tmp/exclude.txt' -avz user@remotehost.com:/tmp/backups/ "$DIRECTORY/$DATE/" > "$DIRECTORY/$DATE/rsync.log"
#the last three lines of the rsync log carry the transfer totals
tail -3 "$DIRECTORY/$DATE/rsync.log" | mail -s "Source Code Backup for example.com on $DATE" "$emailaddress"

This script backs up all files and directories under /tmp/backups/ on remotehost.com.
What if you don't want to back up some files and directories?
The --exclude-from option specifies a file listing the files and folders to be excluded from the backup.
The exclude list lives on the local host (best practice is to keep it local). In this script I have stored exclude.txt in the /tmp folder.

Sample Exclude list
somefilename.jpg
/log*
/test/test1/ab*
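An added example, not part of the original post: the script's rsync line run against a constructed local tree with the three sample exclude patterns above, so you can see which patterns are anchored at the transfer root (the ones with a leading `/`) and which match at any depth. Everything lives under a temporary directory; there is no remote host and `rsync` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the original post: exercise the post's sample
# exclude list against a constructed source tree under mktemp, locally.

WORK="${WORK:-$(mktemp -d)}"
SRC="$WORK/src"; DST="$WORK/dst"; EXCL="$WORK/exclude.txt"

# Source tree: the excluded file name both at the root and one level down,
# a log directory at the root and another nested under app/, and two files
# under test/test1 of which only one matches ab*.
make_tree() {
    mkdir -p "$SRC/log" "$SRC/test/test1" "$SRC/app/log" "$DST"
    for f in "$SRC/somefilename.jpg" "$SRC/app/somefilename.jpg" "$SRC/app/keep.txt" \
             "$SRC/log/today.log" "$SRC/app/log/app.log" \
             "$SRC/test/test1/abc.txt" "$SRC/test/test1/xyz.txt"; do
        echo data > "$f"
    done
    # The post's sample exclude list, verbatim.
    printf '%s\n' 'somefilename.jpg' '/log*' '/test/test1/ab*' > "$EXCL"
}

# Local stand-in for the script's rsync line: same options, a local source
# path instead of user@remotehost.com:/tmp/backups/. The trailing slash on
# SRC makes SRC itself the transfer root, which the '/' patterns are anchored to.
run_backup() {
    rsync --exclude-from "$EXCL" -avz "$SRC/" "$DST/" > "$WORK/rsync.log"
}

# transferred RELPATH: 0 if the file reached the backup directory.
transferred() { [ -e "$DST/$1" ]; }

make_tree && run_backup && {
    echo "files that reached the backup:"
    (cd "$DST" && find . -type f | sort)
}
```

Expected: `somefilename.jpg` (no slash) is dropped at both depths, `/log*` drops only the root `log` directory and leaves `app/log/app.log` in place, and `/test/test1/ab*` drops `abc.txt` but keeps `xyz.txt`. Patterns without a leading slash are the ones that surprise people, because they silently match deep inside the tree.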

Installing network file system – command line installation


Network shares can be configured in two ways (via Samba or via NFS); in other words, Linux network shares use two different protocols to mount shares across the network.
Samba uses the SMB protocol to mount shares; NFS uses the NFS protocol.
This post describes how to create network shares using Samba.
(Link to How to create shares using NFS)
1. Install samba server from shell command
sudo apt-get install samba smbfs
for centos 
yum install samba
2. Edit the configuration file to adjust settings.
sudo nano /etc/samba/smb.conf
find the global configuration section in smb.conf; it starts with
#
[global]
#Security = USER
Add the share definitions under it. [homes] is a share named homes with the description 'Home directories'; it is not browseable, which means it is hidden. Every user connecting to this Samba server can connect directly to his own /home/ directory.


How to restore Large MySQL databases on Linux

MySQL Database restore and Table restore.


There are many ways to restore a SQL dump into MySQL, but most of them allow a maximum of about 200 MB per file.
When it comes to restoring a file of more than 2 GB, it gets frustrating.
This method is simple and needs no other complex scripts.
Steps are
1. Connect to the MySQL server via SSH
2. Log in to the MySQL server (with -p alone you are prompted for the password; a bare word after -p would be read as the database name)
mysql -u user -p
3. At the MySQL prompt type
use database_to_be_restored;
4. Then type source followed by the path to the MySQL dump file.
Ex.
use test_db;
source /tmp/test1_db.sql
5. It takes some time, depending on the size of the dump. For a DB of about 2 GB, the restore runs for 2 to 3 minutes.
There is another use for this method.
If you want to restore only some tables from a backup database, this method is very handy.
Just copy the selected tables into a new database and restore them.
Or just restore over the existing database: only new tables are added; everything else is considered a duplicate and is not updated.


Note: I use this method to restore very large databases, up to a maximum size of 5 GB.

Most common latest interview questions with answers (2010/2011)




(Technical questions expected in all interviews – for system admin / IT administrator and other IT networking jobs)

1. Port number for SMTP? The answer is port 25.
One of the most common interview questions is the SMTP port number. In my experience most interviewers asked me this (maybe as the first question). Everyone wonders how this question relates to the job, but it is really testing your experience with firewalls. How? Every company uses some kind of mail server (Exchange or another), and to allow messaging between the company's internal network and the outside world this port number plays an important role. So everybody must be aware of it.
2. What does ARP do? – ARP is used to map an IP address to the corresponding MAC address.
This looks very simple, but many people answer it wrongly. The most common answer is 'ARP converts IP to MAC', which is completely wrong. So think twice before answering this question. Why? The answer is in the next question.
3. What is DNS? (Forward DNS and reverse DNS) – DNS (Domain Naming Service) translates a host name to an IP address. The host name could be a URL, domain name or FQDN (Fully Qualified Domain Name) of any physical or virtual machine. Reverse DNS translates an IP address to a host name.
Here is the confusion between DNS and ARP. ARP is a layer 2 protocol that deals with data link layer characteristics (e.g. MAC addresses). DNS is a layer 7 application protocol that only deals with information configured in an application (e.g. a DNS server).
4. Another port number question: what is the port number for SSH? The answer is 22.
Be careful when answering this question; the interviewer may confuse you with the HTTPS port number (443). We might think the answer is 443 because both ports use a secure connection, but HTTPS is for a secure connection to a website, whereas SSH provides a secure channel (secure communication and file transfer) between two points in a network.
5. Port numbers for FTP – 20 and 21: 20 for data, 21 for control
6. What is the command to view IP details on a Windows machine and on a Linux machine?
ipconfig lists all interface details on Windows, and ifconfig does so on Linux.
7. What commands are associated with the ipconfig command?
ipconfig /release
ipconfig /renew
ipconfig /flushdns
8. What is a network gateway?
A network gateway is the entry or exit point of a network and connects two different networks. A gateway can be hardware based, software based or both.
9. What is a subnet mask?
A subnet mask is used to identify the network address and the host address; in other words, it separates the network ID and host ID within an IP address.