faysalmicrotech

Wolvix-The Linux for home users

2010-11-11T04:51:00.000-08:00

Wolvix is a desktop oriented GNU/Linux distribution based on Slackware. It features the Xfce desktop environment and a comprehensive selection of development, graphics, multimedia, network and office applications. It's mainly targeted at home users and strives to provide a balance between everyday computing tasks, creativity, work and enjoyment.
Using Wolvix does not require more than basic computer skills, but installing and administering the system might require more knowledge than some of the other GNU/Linux distributions. Much like Slackware, Wolvix sometimes requires you to roll up your sleves and get your hands dirty. So if the thought of using the command line and reading documentation scares you, you might be better off using another distribution.
By default Wolvix only includes GTK+ applications, this is not because the developers hate Qt programs, it's mainly an aesthetic choice. The Qt widget looks out-of-place under Xfce, which use GTK+ and there are pleny of great GTK+ applications to choose from.
Wolvix does not strictly follow the 'one-application-per-task' mantra that some other distributions do. In Wolvix you will sometimes find that there are two, or perhaps even three applications that basically does the same thing. One reason for this is that some application fill each other out in functionality. Another reason is choice; we all have different preferences, my preferred text editor is not necessarily the one you prefer. There is of course a balance to this, the goal is not to create a bloated distribution, but some times one application is simply not enough.
Though Wolvix is fast and has a low memory footprint, it's not specifically developed for old computers, as it features modern software; which has modern hardware requirements. But it should perform well on systems which are not the latest and greatest. You should get acceptable performance from Wolvix and most of it's applications on a computer with a 700Mhz CPU and 256MB RAM.

An index of BASH command for Linux

2010-11-11T04:45:00.000-08:00

adduser  Add a user to the system
  addgroup Add a group to the system
  alias    Create an alias •
  apropos  Search Help manual pages (man -k)
  apt-get  Search for and install software packages (Debian/Ubuntu)
  aptitude Search for and install software packages (Debian/Ubuntu)
  aspell   Spell Checker
  awk      Find and Replace text, database sort/validate/index
b
  basename Strip directory and suffix from filenames
  bash     GNU Bourne-Again SHell 
  bc       Arbitrary precision calculator language 
  bg       Send to background
  break    Exit from a loop •
  builtin  Run a shell builtin
  bzip2    Compress or decompress named file(s)
c
  cal      Display a calendar
  case     Conditionally perform a command
  cat      Display the contents of a file
  cd       Change Directory
  cfdisk   Partition table manipulator for Linux
  chgrp    Change group ownership
  chmod    Change access permissions
  chown    Change file owner and group
  chroot   Run a command with a different root directory
  chkconfig System services (runlevel)
  cksum    Print CRC checksum and byte counts
  clear    Clear terminal screen
  cmp      Compare two files
  comm     Compare two sorted files line by line
  command  Run a command - ignoring shell functions •
  continue Resume the next iteration of a loop •
  cp       Copy one or more files to another location
  cron     Daemon to execute scheduled commands
  crontab  Schedule a command to run at a later time
  csplit   Split a file into context-determined pieces
  cut      Divide a file into several parts

d
  date     Display or change the date & time
  dc       Desk Calculator
  dd       Convert and copy a file, write disk headers, boot records
  ddrescue Data recovery tool
  declare  Declare variables and give them attributes •
  df       Display free disk space
  diff     Display the differences between two files
  diff3    Show differences among three files
  dig      DNS lookup
  dir      Briefly list directory contents
  dircolors Colour setup for `ls'
  dirname  Convert a full pathname to just a path
  dirs     Display list of remembered directories
  dmesg    Print kernel & driver messages 
  du       Estimate file space usage
e
  echo     Display message on screen •
  egrep    Search file(s) for lines that match an extended expression
  eject    Eject removable media
  enable   Enable and disable builtin shell commands •
  env      Environment variables
  ethtool  Ethernet card settings
  eval     Evaluate several commands/arguments
  exec     Execute a command
  exit     Exit the shell
  expect   Automate arbitrary applications accessed over a terminal
  expand   Convert tabs to spaces
  export   Set an environment variable
  expr     Evaluate expressions
f
  false    Do nothing, unsuccessfully
  fdformat Low-level format a floppy disk
  fdisk    Partition table manipulator for Linux
  fg       Send job to foreground 
  fgrep    Search file(s) for lines that match a fixed string
  file     Determine file type
  find     Search for files that meet a desired criteria
  fmt      Reformat paragraph text
  fold     Wrap text to fit a specified width.
  for      Expand words, and execute commands
  format   Format disks or tapes
  free     Display memory usage
  fsck     File system consistency check and repair
  ftp      File Transfer Protocol
  function Define Function Macros
  fuser    Identify/kill the process that is accessing a file
g
  gawk     Find and Replace text within file(s)
  getopts  Parse positional parameters
  grep     Search file(s) for lines that match a given pattern
  groups   Print group names a user is in
  gzip     Compress or decompress named file(s)
h
  hash     Remember the full pathname of a name argument
  head     Output the first part of file(s)
  help     Display help for a built-in command •
  history  Command History
  hostname Print or set system name
i
  id       Print user and group id's
  if       Conditionally perform a command
  ifconfig Configure a network interface
  ifdown   Stop a network interface 
  ifup     Start a network interface up
  import   Capture an X server screen and save the image to file
  install  Copy files and set attributes
j
  jobs     List active jobs •
  join     Join lines on a common field
k
  kill     Stop a process from running
  killall  Kill processes by name
l
  less     Display output one screen at a time
  let      Perform arithmetic on shell variables •
  ln       Make links between files
  local    Create variables •
  locate   Find files
  logname  Print current login name
  logout   Exit a login shell •
  look     Display lines beginning with a given string
  lpc      Line printer control program
  lpr      Off line print
  lprint   Print a file
  lprintd  Abort a print job
  lprintq  List the print queue
  lprm     Remove jobs from the print queue
  ls       List information about file(s)
  lsof     List open files
m
  make     Recompile a group of programs
  man      Help manual
  mkdir    Create new folder(s)
  mkfifo   Make FIFOs (named pipes)
  mkisofs  Create an hybrid ISO9660/JOLIET/HFS filesystem
  mknod    Make block or character special files
  more     Display output one screen at a time
  mount    Mount a file system
  mtools   Manipulate MS-DOS files
  mtr      Network diagnostics (traceroute/ping)
  mv       Move or rename files or directories
  mmv      Mass Move and rename (files)
n
  netstat  Networking information
  nice     Set the priority of a command or job
  nl       Number lines and write files
  nohup    Run a command immune to hangups
  notify-send  Send desktop notifications
  nslookup Query Internet name servers interactively
o
  open     Open a file in its default application
  op       Operator access 
p
  passwd   Modify a user password
  paste    Merge lines of files
  pathchk  Check file name portability
  ping     Test a network connection
  pkill    Stop processes from running
  popd     Restore the previous value of the current directory
  pr       Prepare files for printing
  printcap Printer capability database
  printenv Print environment variables
  printf   Format and print data •
  ps       Process status
  pushd    Save and then change the current directory
  pwd      Print Working Directory
q
  quota    Display disk usage and limits
  quotacheck Scan a file system for disk usage
  quotactl Set disk quotas
r
  ram      ram disk device
  rcp      Copy files between two machines
  read     Read a line from standard input •
  readarray Read from stdin into an array variable •
  readonly Mark variables/functions as readonly
  reboot   Reboot the system
  rename   Rename files
  renice   Alter priority of running processes 
  remsync  Synchronize remote files via email
  return   Exit a shell function
  rev      Reverse lines of a file
  rm       Remove files
  rmdir    Remove folder(s)
  rsync    Remote file copy (Synchronize file trees)
s
  screen   Multiplex terminal, run remote shells via ssh
  scp      Secure copy (remote file copy)
  sdiff    Merge two files interactively
  sed      Stream Editor
  select   Accept keyboard input
  seq      Print numeric sequences
  set      Manipulate shell variables and functions
  sftp     Secure File Transfer Program
  shift    Shift positional parameters
  shopt    Shell Options
  shutdown Shutdown or restart linux
  sleep    Delay for a specified time
  slocate  Find files
  sort     Sort text files
  source   Run commands from a file `.'
  split    Split a file into fixed-size pieces
  ssh      Secure Shell client (remote login program)
  strace   Trace system calls and signals
  su       Substitute user identity
  sudo     Execute a command as another user
  sum      Print a checksum for a file
  suspend  Suspend execution of this shell •
  symlink  Make a new name for a file
  sync     Synchronize data on disk with memory
t
  tail     Output the last part of files
  tar      Tape ARchiver
  tee      Redirect output to multiple files
  test     Evaluate a conditional expression
  time     Measure Program running time
  times    User and system times
  touch    Change file timestamps
  top      List processes running on the system
  traceroute Trace Route to Host
  trap     Run a command when a signal is set(bourne)
  tr       Translate, squeeze, and/or delete characters
  true     Do nothing, successfully
  tsort    Topological sort
  tty      Print filename of terminal on stdin
  type     Describe a command •
u
  ulimit   Limit user resources •
  umask    Users file creation mask
  umount   Unmount a device
  unalias  Remove an alias •
  uname    Print system information
  unexpand Convert spaces to tabs
  uniq     Uniquify files
  units    Convert units from one scale to another
  unset    Remove variable or function names
  unshar   Unpack shell archive scripts
  until    Execute commands (until error)
  useradd  Create new user account
  usermod  Modify user account
  users    List users currently logged in
  uuencode Encode a binary file 
  uudecode Decode a file created by uuencode
v
  v        Verbosely list directory contents (`ls -l -b')
  vdir     Verbosely list directory contents (`ls -l -b')
  vi       Text Editor
  vmstat   Report virtual memory statistics
w
  watch    Execute/display a program periodically
  wc       Print byte, word, and line counts
  whereis  Search the user's $path, man pages and source files for a program
  which    Search the user's $path for a program file
  while    Execute commands
  who      Print all usernames currently logged in
  whoami   Print the current user id and name (`id -un')
  Wget     Retrieve web pages or files via HTTP, HTTPS or FTP
  write    Send a message to another user 
x
  xargs    Execute utility, passing constructed argument list(s)
  xdg-open Open a file or URL in the user's preferred application.
  yes      Print a string until interrupted
  .        Run a command script in the current shell
  ###      Comment / Remark

Commands marked • are bash built-ins, these are available under all shells.

Building a LAMP Server

2009-11-04T01:32:00.000-08:00

This document will walk you through the installation of what is known as a "LAMP" system: Linux, Apache, MySQL and PHP. Depending on who you talk to, the P also stands for Perl or Python, but in general, it is assumed to be PHP. I run CentOS on my servers; these directions were written for CentOS/Red Hat/Fedora. I have had requests for SuSE (another RPM-based distribution) as well as Debian-based systems, so I will work on variants of these directions for those distributions in the future (donations might help speed that process up!). The main difference between the distributions is in the paths to the startup scripts.

Red Hat systems used /etc/rc.d/init.d and SuSE uses /etc/init.d.

If you are not comfortable with trying this procedure yourself, I am available for hire to install LAMP systems, or assist you with any other Linux-based projects.

If you need an SSL-enabled server, I have a LAMP with SSL howto as well.
I designed this document so you can just copy/paste each line or block of commands into your shell session and it will "just work" for you. This avoids tedious typing, and the inevitable typos or missed steps that result. These commands work properly via copy/paste. If you are having problems and you are not using copy/paste, please re-check your typing before sending me an email saying "It doesn't work."

Text in a "command" box like this one is a literal Linux commandline, and should be typed or pasted exactly as written.

One note: many many people have followed these directions as written, and have not had any problems.
If you are having a problem, chances are it's something you are doing (or not doing), something different
about your computer, etc.

It is probably NOT this procedure. :)

Initial Steps

PLEASE BE AWARE THAT A SOURCE-BASED INSTALLATION LIKE THIS ONE IS NOT NEEDED FOR A BASIC LAMP SERVER! You should only be doing a source-based installation if you need to alter settings in one or more components of the LAMP stack (e.g., you need a feature in PHP that isn't in the default RPM). If you are just getting started with LAMP, use the binaries provided by your distribution - it is much simpler, and a lot easier to upgrade later.

Most out-of-the-box Red Hat Linux installations will have one or more of the LAMP components installed via RPM files. I personally believe in installing things like this from source, so I get the most control over what's compiled in, what's left out, etc. But source code installs can wreak havoc if overlaid on top of RPM installs, as the two most likely won't share the same directories, etc.
If you have not yet installed your Linux OS, or just for future reference, do not choose to install Apache, PHP, or MySQL during the system installation. Then you can immediately proceed with the source-based install listed here.
Note: to install applications from source code, you will need a C++ compiler (gcc++) installed. This is generally taken care of, but I've had enough queries about it that I've added this note to avoid getting more! You can use your distribution's install CDs to get the proper version of the compiler. Or, if you are using an RPM based distro, you can use a site like http://www.rpmfind.net/ to locate the correct RPM version for your system. (You will obviously not be able to use/rebuild a source RPM to get the compiler installed, as you need the compiler to build the final binary RPM!) On a Fedora system, you can do this command:

su - root
yum install gcc gcc-c++

Because we will be installing software to directories that "regular" users don't have write access to, and also possibly uninstalling RPM versions of some applications, we'll log in as root. The only steps that need root access are the actual installation steps, but by doing the configure and make steps as root, the source code will also be inaccessible to "regular" users.
If you do not have direct access (via keyboard) to the server, PLEASE use Secure Shell (SSH) to access the server and not telnet!! Whenever you use telnet (or plain FTP for that matter), you are transmitting your username, password, and all session information in "plain text". This means that anyone who can access a machine someplace between your PC and your server can snoop your session and get your info. Use encryption wherever possible!

su - root

Remove RPM Versions of the Applications

Before we start with our source code install, we need to remove all the existing RPM files for these products. To find out what RPMs are already installed, use the RPM query command:

rpm -qa

in conjunction with grep to filter your results:

rpm -qa | grep -i apache
rpm -qa | grep -i httpd
rpm -qa | grep -i php
rpm -qa | grep -i mysql

The 'httpd' search is in case you have Apache2 installed via RPM.

To remove the RPMs generated by these commands, do

rpm -e filename

for each RPM you found in the query. If you have any content in your MySQL database already, the RPM removal step should not delete the database files. When you reinstall MySQL, you should be able to move all those files to your new MySQL data directory and have access to them all again.

Get the Source Code for all Applications

We want to put all our source code someplace central, so it's not getting mixed up in someone's home directory, etc.

cd /usr/local/src

One way application source code is distributed is in what are known as "tarballs." The tar command is usually associated with making tape backups - tar stands for Tape ARchive. It's also a handy way to pack up multiple files for easy distribution. Use the man tar command to learn more about how to use this very flexible tool.
At the time of updating this, the current versions of all the components we'll use are:

MySQL - 4.1.22
Apache - 1.3.37
PHP - 4.4.6

Please note: these are the only versions of these that I have set up myself, and verified these steps against. If you use another version of any component, especially a newer version, this HOWTO may not be accurate, and I won't be able to provide free support under those circumstances. Paid support and assistance is always available however.

wget http://www.php.net/distributions/php-4.4.6.tar.gz
wget http://apache.oregonstate.edu/httpd/apache_1.3.37.tar.gz

There may be an Apache mirror closer to you - check their mirror page for other sources. Then insert the URL you get in place of the above for the wget command.
For MySQL, go to http://www.mysql.com/ and choose an appropriate mirror to get the newest MySQL version (v4.1.22).

Unpack the Source Code

tar zxf php-4.4.6.tar.gz
tar zxf apache_1.3.37.tar.gz
tar zxf mysql-4.1.22.tar.gz

This should leave you with the following directories:

/usr/local/src/php-4.4.6
/usr/local/src/apache_1.3.37
/usr/local/src/mysql-4.1.22

Build and Install MySQL

First, we create the group and user that "owns" MySQL. For security purposes, we don't want MySQL running as root on the system. To be able to easily identify MySQL processes in top or a ps list, we'll make a user and group named mysql:

groupadd mysql
useradd -g mysql -c "MySQL Server" mysql

If you get any messages about the group or user already existing, that's fine. The goal is just to make sure we have them on the system.
What the useradd command is doing is creating a user mysql in the group mysql with the "name" of MySQL Server. This way when it's showed in various user and process watching apps, you'll be able to tell what it is right away.
Now we'll change to the "working" directory where the source code is, change the file 'ownership' for the source tree (this prevents build issues in reported in some cases where the packager's username was included on the source and you aren't using the exact same name to compile with!) and start building.
The configure command has many options you can specify. I have listed some fairly common ones; if you'd like to see others, do:

./configure --help | less

to see them all. Read the documentation on the MySQL website for a more detailed explanation of each option.

cd /usr/local/src/mysql-4.1.22

chown -R root.root *

make clean

./configure \
--prefix=/usr/local/mysql \
--localstatedir=/usr/local/mysql/data \
--disable-maintainer-mode \
--with-mysqld-user=mysql \
--with-unix-socket-path=/tmp/mysql.sock \
--without-comment \
--without-debug \
--without-bench

18-Jul-2005: If you are installing MySQL 4.0.x on Fedora Core 4, there is a problem with LinuxThreads that prevents MySQL from compiling properly. Installing on Fedora Core 3 works fine though. Thanks to Kevin Spencer for bringing this to my attention. There is a workaround listed at http://bugs.mysql.com/bug.php?id=9497. Thanks to Collin Campbell for that link. Another solution can be found at http://bugs.mysql.com/bug.php?id=2173. Thanks to Kaloyan Raev for that one.

Now comes the long part, where the source code is actually compiled and then installed. Plan to get some coffee or take a break while this step runs. It could be 10-15 minutes or more, depending on your system's free memory, load average, etc.

make && make install

Configure MySQL

MySQL is "installed" but we have a few more steps until it's actually "done" and ready to start. First run the script which actually sets up MySQL's internal database (named, oddly enough, mysql).

./scripts/mysql_install_db

Then we want to set the proper ownership for the MySQL directories and data files, so that only MySQL (and root) can do anything with them.

chown -R root:mysql /usr/local/mysql
chown -R mysql:mysql /usr/local/mysql/data

Copy the default configuration file for the expected size of the database (small, medium, large, huge)

cp support-files/my-medium.cnf /etc/my.cnf
chown root:sys /etc/my.cnf
chmod 644 /etc/my.cnf

If you get an error message about the data directory not existing, etc., something went wrong in the mysql_install_db step above. Go back and review that; make sure you didn't get some sort of error message when you ran it, etc.

Now we have to tell the system where to find some of the dynamic libraries that MySQL will need to run. We use dynamic libraries instead of static to keep the memory usage of the MySQL program itself to a minimum.

echo "/usr/local/mysql/lib/mysql" >> /etc/ld.so.conf
ldconfig

Now create a startup script, which enables MySQL auto-start each time your server is restarted.

cp ./support-files/mysql.server /etc/rc.d/init.d/mysql
chmod +x /etc/rc.d/init.d/mysql
/sbin/chkconfig --level 3 mysql on

Then set up symlinks for all the MySQL binaries, so they can be run from anyplace without having to include/specify long paths, etc.

cd /usr/local/mysql/bin
for file in *; do ln -s /usr/local/mysql/bin/$file /usr/bin/$file; done

MySQL Security Issues

First, we will assume that only applications on the same server will be allowed to access the database (i.e., not a program running on a physically separate server). So we'll tell MySQL not to even listen on port 3306 for TCP connections like it does by default.
Edit /etc/my.cnf and uncomment the

skip-networking

line (delete the leading #).
For more security info, check this great tutorial over at SecurityFocus.

Start MySQL

First, test the linked copy of the startup script in the normal server runlevel start directory, to make sure the symlink was properly set up:

cd ~
/etc/rc.d/rc3.d/S90mysql start

If you ever want to manually start or stop the MySQL server, use these commands:

/etc/rc.d/init.d/mysql start
/etc/rc.d/init.d/mysql stop

Let's "test" the install to see what version of MySQL we're running now:

mysqladmin version

It should answer back with the version we've just installed...
Now we'll set a password for the MySQL root user (note that the MySQL root user is not the same as the system root user, and definitely should not have the same password as the system root user!).

mysqladmin -u root password new-password

(obviously, insert your own password in the above command instead of the "new-password" string!)

You're done! MySQL is now installed and running on your server. It is highly recommended that you read about MySQL security and lock down your server as much as possible. The MySQL site has info at http://www.mysql.com/doc/en/Privilege_system.html.

Test MySQL

To run a quick test, use the command line program mysql:

mysql -u root -p

and enter your new root user password when prompted. You will then see the MySQL prompt:

mysql>

First, while we're in here, we'll take care of another security issue and delete the sample database test and all default accounts except for the MySQL root user. Enter each of these lines at the mysql> prompt:

drop database test;
use mysql;
delete from db;
delete from user where not (host="localhost" and user="root");
flush privileges;

As another security measure, I like to change the MySQL administrator account name from root to something harder to guess. This will make it that much harder for someone who gains shell access to your server to take control of MySQL.

MAKE SURE YOU REMEMBER THIS NEW NAME, AND USE IT WHEREVER
YOU SEE "root" IN OTHER DIRECTIONS, WEBSITES, ETC.

ONCE YOU DO THIS STEP, THE USERNAME "root" WILL CEASE TO
EXIST IN YOUR MYSQL CONFIGURATION!

update user set user="sqladmin" where user="root";
flush privileges;

Now, on with the "standard" testing... First, create a new database:

create database foo;

You should see the result:

Query OK, 1 row affected (0.04 sec)

mysql>

Delete the database:

drop database foo;

You should see the result:

Query OK, 0 rows affected (0.06 sec)

mysql>

To exit from mysql enter \q:

Build and Install Apache (with DSO support)

The advantage to building Apache with support for dynamically loaded modules is that in the future, you can add functionality to your webserver by just compiling and installing modules, and restarting the webserver. If the features were compiled into Apache, you would need to rebuild Apache from scratch every time you wanted to add or update a module (like PHP). Your Apache binary is also smaller, which means more efficient memory usage.
The downside to dynamic modules is a slight performance hit compared to having the modules compiled in.

cd /usr/local/src/apache_1.3.37

make clean

./configure \
--prefix=/usr/local/apache \
--enable-shared=max \
--enable-module=rewrite \
--enable-module=so

make && make install

Build and Install PHP

This section has only been tested with PHP v4.x. If you are trying to build PHP 5.x, I do not have experience with this yet, and do not provide free support for you to get it working. Please note that there are many options which can be selected when compiling PHP. Some will have library dependencies, meaning certain software may need to be already installed on your server before you start building PHP. You can use the command

./configure --help | less

once you change into the PHP source directory. This will show you a list of all possible configuration switches. For more information on what these switches are, please check the PHP website documentation.

cd /usr/local/src/php-4.4.6

./configure \
--with-apxs=/usr/local/apache/bin/apxs \
--disable-debug \
--enable-ftp \
--enable-inline-optimization \
--enable-magic-quotes \
--enable-mbstring \
--enable-mm=shared \
--enable-safe-mode \
--enable-track-vars \
--enable-trans-sid \
--enable-wddx=shared \
--enable-xml \
--with-dom \
--with-gd \
--with-gettext \
--with-mysql=/usr/local/mysql \
--with-regex=system \
--with-xml \
--with-zlib-dir=/usr/lib

make && make install

cp php.ini-dist /usr/local/lib/php.ini

I like to keep my config files all together in /etc. I set up a symbolic link like this:

ln -s /usr/local/lib/php.ini /etc/php.ini

Then I can just open /etc/php.ini in my editor to make changes.
Recommended reading on securing your PHP installation is this article at SecurityFocus.com.

Edit the Apache Configuration File (httpd.conf)

I like to keep all my configuration files together in /etc, so I set up a symbolic link from the actual location to /etc:

ln -s /usr/local/apache/conf/httpd.conf /etc/httpd.conf

Now open /etc/httpd.conf in your favorite text editor, and set all the basic Apache options in accordance with the official Apache instructions (beyond the scope of this HOWTO).
Also recommended is the article on securing Apache.
To ensure your PHP files are properly interpreted, and not just downloaded as text files, remove the # at the beginning of the lines which read:

#AddType application/x-httpd-php .php
#AddType application/x-httpd-php-source .phps

If the AddType lines above don't exist, manually enter them (without the leading # of course) after the line

AddType application/x-tar .tgz

or anyplace within the section of httpd.conf.
If you wish to use other/additional extensions/filetypes for your PHP scripts instead of just .php, add them to the AddType directive:

AddType application/x-httpd-php .php .foo
AddType application/x-httpd-php-source .phps .phtmls

An example: if you wanted every single HTML page to be parsed and processed like a PHP script, just add .htm and .html:

AddType application/x-httpd-php .php .htm .html

There will be a bit of a performance loss if every single HTML page is being checked for PHP code even if it doesn't contain any. But if you want to use PHP but be "stealthy" about it, you can use this trick.
Add index.php to the list of valid Directory Index files so that your "default page" in a directory can be named index.php.

DirectoryIndex index.php index.htm index.html

You can add anything else you want here too. If you want foobar.baz to be a valid directory index page, just add the .baz filetype to the AddType line, and add foobar.baz to the DirectoryIndex line.

Start Apache

We want to set Apache up with a normal start/stop script in /etc/rc.d/init.d so it can be auto-started and controlled like other system daemons. Set up a symbolic link for the apachectl utility (installed automatically as part of Apache):

ln -s /usr/local/apache/bin/apachectl /etc/rc.d/init.d/apache

Then set up auto-start for runlevel 3 (where the server will go by default):

ln -s /etc/rc.d/init.d/apache /etc/rc.d/rc3.d/S90apache

Then start the daemon:

/etc/rc.d/init.d/apache start

You can check that it's running properly by doing:

ps -ef

and look for the httpd processes.

VSFTP for CentOS

2009-10-22T03:55:00.000-07:00

Introduction

The File Transfer Protocol (FTP) is used as one of the most common means of copying files between servers over the Internet. Most web based download sites use the built in FTP capabilities of web browsers and therefore most server oriented operating systems usually include an FTP server application as part of the software suite. Linux is no exception.

This chapter will show you how to convert your Linux box into an FTP server using the default Very Secure FTP Daemon (VSFTPD) package included in Fedora.
FTP Overview

FTP relies on a pair of TCP ports to get the job done. It operates in two connection channels as I'll explain:

FTP Control Channel, TCP Port 21: All commands you send and the ftp server's responses to those commands will go over the control connection, but any data sent back (such as "ls" directory lists or actual file data in either direction) will go over the data connection.

FTP Data Channel, TCP Port 20: This port is used for all subsequent data transfers between the client and server.

In addition to these channels, there are several varieties of FTP.
Types of FTP

From a networking perspective, the two main types of FTP are active and passive. In active FTP, the FTP server initiates a data transfer connection back to the client. For passive FTP, the connection is initiated from the FTP client. These are illustrated in Figure 15-1.
Figure 15-1 Active And Passive FTP Illustrated

Image:Ftp.gif

From a user management perspective there are also two types of FTP: regular FTP in which files are transferred using the username and password of a regular user FTP server, and anonymous FTP in which general access is provided to the FTP server using a well known universal login method.

Take a closer look at each type.
Active FTP

The sequence of events for active FTP is:

1. Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over this connection.
2. Whenever the client requests data over the control connection, the server initiates data transfer connections back to the client. The source port of these data transfer connections is always port 20 on the server, and the destination port is a high port (greater than 1024) on the client.
3. Thus the ls listing that you asked for comes back over the port 20 to high port connection, not the port 21 control connection.

FTP active mode therefore transfers data in a counter intuitive way to the TCP standard, as it selects port 20 as it's source port (not a random high port that's greater than 1024) and connects back to the client on a random high port that has been pre-negotiated on the port 21 control connection.

Active FTP may fail in cases where the client is protected from the Internet via many to one NAT (masquerading). This is because the firewall will not know which of the many servers behind it should receive the return connection.
Passive FTP

Passive FTP works differently:

1. Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as ls and get are sent over that connection.
2. Whenever the client requests data over the control connection, the client initiates the data transfer connections to the server. The source port of these data transfer connections is always a high port on the client with a destination port of a high port on the server.

Passive FTP should be viewed as the server never making an active attempt to connect to the client for FTP data transfers. Because client always initiates the required connections, passive FTP works better for clients protected by a firewall.

As Windows defaults to active FTP, and Linux defaults to passive, you'll probably have to accommodate both forms when deciding upon a security policy for your FTP server.
Regular FTP

By default, the VSFTPD package allows regular Linux users to copy files to and from their home directories with an FTP client using their Linux usernames and passwords as their login credentials.

VSFTPD also has the option of allowing this type of access to only a group of Linux users, enabling you to restrict the addition of new files to your system to authorized personnel.

The disadvantage of regular FTP is that it isn't suitable for general download distribution of software as everyone either has to get a unique Linux user account or has to use a shared username and password. Anonymous FTP allows you to avoid this difficulty.
Anonymous FTP

Anonymous FTP is the choice of Web sites that need to exchange files with numerous unknown remote users. Common uses include downloading software updates and MP3s and uploading diagnostic information for a technical support engineers' attention. Unlike regular FTP where you login with a preconfigured Linux username and password, anonymous FTP requires only a username of anonymous and your email address for the password. Once logged in to a VSFTPD server, you automatically have access to only the default anonymous FTP directory (/var/ftp in the case of VSFTPD) and all its subdirectories.

As seen in Chapter 6, "Installing Linux Software", using anonymous FTP as a remote user is fairly straight forward. VSFTPD can be configured to support user-based and or anonymous FTP in its configuration file which you'll see later.
Problems With FTP And Firewalls

FTP frequently fails when the data has to pass through a firewall, because firewalls are designed to limit data flows to predictable TCP ports and FTP uses a wide range of unpredictable TCP ports. You have a choice of methods to overcome this.

Note: The Appendix II, "Codes, Scripts, and Configurations", contains examples of how to configure the VSFTPD Linux firewall to function with both active and passive FTP.
Client Protected By A Firewall Problem

Typically firewalls don't allow any incoming connections at all, which frequently blocks active FTP from functioning. With this type of FTP failure, the active FTP connection appears to work when the client initiates an outbound connection to the server on port 21. The connection then appears to hang, however, as soon as you use the ls, dir, or get commands. The reason is that the firewall is blocking the return connection from the server to the client (from port 20 on the server to a high port on the client). If a firewall allows all outbound connections to the Internet, then passive FTP clients behind a firewall will usually work correctly as the clients initiate all the FTP connections.

* Solution

Table 15-1 shows the general rules you'll need to allow FTP clients through a firewall:
Table 15-1 Client Protected by Firewall - Required Rules for FTP
Method Source Address Source Port Destination Address Destination Port Connection Type
Allow outgoing control connections to server
Control Channel FTP client / network High1 FTP server2 21 New
FTP server2 21 FTP client/ network High Established3
Allow the client to establish data channels to remote server
Active FTP FTP server 2 20 FTP client / network High New
FTP client / network High FTP server 2 20 Established3
Passive FTP FTP client / network High FTP server 2 High New
FTP server 2 High FTP client / network High Established 3

1 Greater than 1024.

2 In some cases, you may want to allow all Internet users to have access, not just a specific client server or network.

3 Many home-based firewall/routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.

Server Protected By A Firewall Problem

Typically firewalls don't let any connections come in at all. When a an incorrectly configured firewall protects an FTP server, the FTP connection from the client doesn't appear to work at all for both active and passive FTP.

* Solution

Table 15-2 Rules needed to allow FTP servers through a firewall.
Method Source Address Source Port Destination Address Destination Port Connection Type
Allow incoming control connections to server
Control Channel FTP client / network 2 High1 FTP server 21 New
FTP server 21 FTP client / network 2 High Established3
Allow server to establish data channel to remote client
Active FTP FTP server 20 FTP client / network 2 High New
FTP client / network 2 High FTP server 20 Established3
Passive FTP FTP client / network 2 High FTP server High New
FTP server High FTP client / network 2 High Established 3

1 Greater than 1024.
2 In some cases, you may want to allow all Internet users to have access, not just a specific client server or network.
3Many home-based firewall/routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.

How To Download And Install VSFTPD

Most Linux software products are available in a precompiled package format. Downloading and installing packages isn't hard. If you need a refresher, Chapter 6, "Installing Linux Software", covers how to do this in detail. It is best to use the latest version of VSFTPD.

When searching for the file, remember that the VSFTPD packages' filename usually starts with the word vsftpd followed by a version number, as in vsftpd-1.2.1-5.i386.rpm for Redhat/Fedora or vsftpd_2.0.4-0ubuntu4_i386.deb for Ubuntu.
How To Get VSFTPD Started

With Fedora, Redhat, Ubunbtu and Debian You can start, stop, or restart VSFTPD after booting by using these commands:

[root@bigboy tmp]# /etc/init.d/vsftpd start
[root@bigboy tmp]# /etc/init.d/vsftpd stop
[root@bigboy tmp]# /etc/init.d/vsftpd restart

With Redhat / Fedora you can configure VSFTPD to start at boot you can use the chkconfig command.

[root@bigboy tmp]# chkconfig vsftpd on

With Ubuntu / Debian the sysv-rc-conf command can be used like this:

root@u-bigboy:/tmp# sysv-rc-conf on

Note: In RedHat Linux version 8.0 and earlier, VSFTPD operation is controlled by the xinetd process, which is covered in Chapter 16, "Telnet, TFTP, and xinetd". You can find a full description of how to configure these versions of Linux for VSFTPD in Appendix III, "Fedora Version Differences."

Testing the Status of VSFTPD

You can always test whether the VSFTPD process is running by using the netstat -a command which lists all the TCP and UDP ports on which the server is listening for traffic. This example shows the expected output.

[root@bigboy root]# netstat -a | grep ftp
tcp 0 0 *:ftp *:* LISTEN
[root@bigboy root]#

If VSFTPD wasn't running, there would be no output at all.
The vsftpd.conf File

VSFTPD only reads the contents of its vsftpd.conf configuration file only when it starts, so you'll have to restart VSFTPD each time you edit the file in order for the changes to take effect. The file may be located in either the /etc or the /etc/vsftpd directories depending on your Linux distribution.

This file uses a number of default settings you need to know about.

* VSFTPD runs as an anonymous FTP server. Unless you want any remote user to log into to your default FTP directory using a username of anonymous and a password that's the same as their email address, I would suggest turning this off. The configuration file's anonymous_enable directive can be set to no to disable this feature. You'll also need to simultaneously enable local users to be able to log in by removing the comment symbol (#) before the local_enable instruction.
* If you enable anonymous FTP with VSFTPD, remember to define the root directory that visitors will visit. This is done with the anon_root directive.

anon_root=/data/directory

* VSFTPD allows only anonymous FTP downloads to remote users, not uploads from them. This can be changed by modifying the anon_upload_enable directive shown later.
* VSFTPD doesn't allow anonymous users to create directories on your FTP server. You can change this by modifying the anon_mkdir_write_enable directive.
* VSFTPD logs FTP access to the /var/log/vsftpd.log log file. You can change this by modifying the xferlog_file directive.
* By default VSFTPD expects files for anonymous FTP to be placed in the /var/ftp directory. You can change this by modifying the anon_root directive. There is always the risk with anonymous FTP that users will discover a way to write files to your anonymous FTP directory. You run the risk of filling up your /var partition if you use the default setting. It is best to make the anonymous FTP directory reside in its own dedicated partition.

The configuration file is fairly straight forward as you can see in the snippet below where we enable anonymous FTP and individual accounts simultaneously.

# Allow anonymous FTP?
anonymous_enable=YES
...
# The directory which vsftpd will try to change
# into after an anonymous login. (Default = /var/ftp)
anon_root=/data/directory
...
# Uncomment this to allow local users to log in.
local_enable=YES
...
# Uncomment this to enable any form of FTP write command.
# (Needed even if you want local users to be able to upload files)
write_enable=YES
...
# Uncomment to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
...
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
...
# Activate logging of uploads/downloads.
xferlog_enable=YES
...
# You may override where the log file goes if you like.
# The default is shown below.
xferlog_file=/var/log/vsftpd.log
...

To activate or deactivate a feature, remove or add the # at the beginning of the appropriate line.
Other vsftpd.conf Options

There are many other options you can add to this file:

* Limiting the maximum number of client connections (max_clients)
* Limiting the number of connections by source IP address (max_per_ip)
* The maximum rate of data transfer per anonymous login. (anon_max_rate)
* The maximum rate of data transfer per non-anonymous login. (local_max_rate)

Descriptions on this and more can be found in the vsftpd.conf man pages.
FTP Security Issues

FTP has a number of security drawbacks, but you can overcome them in some cases. You can restrict an individual Linux user's access to non-anonymous FTP, and you can change the configuration to not display the FTP server's software version information, but unfortunately, though very convenient, FTP logins and data transfers are not encrypted.
The /etc/vsftpd.ftpusers File

For added security, you may restrict FTP access to certain users by adding them to the list of users in the /etc/vsftpd.ftpusers file. The VSFTPD package creates this file with a number of entries for privileged users that normally shouldn't have FTP access. As FTP doesn't encrypt passwords, thereby increasing the risk of data or passwords being compromised, it is a good idea to let these entries remain and add new entries for additional security.
Anonymous Upload

If you want remote users to write data to your FTP server, then you should create a write-only directory within /var/ftp/pub. This will allow your users to upload but not access other files uploaded by other users. The commands you need are:

[root@bigboy tmp]# mkdir /var/ftp/pub/upload
[root@bigboy tmp]# chmod 722 /var/ftp/pub/upload

FTP Greeting Banner

Change the default greeting banner in the vsftpd.conf file to make it harder for malicious users to determine the type of system you have. The directive in this file is.

ftpd_banner= New Banner Here

Using SCP As Secure Alternative To FTP

One of the disadvantages of FTP is that it does not encrypt your username and password. This could make your user account vulnerable to an unauthorized attack from a person eavesdropping on the network connection. Secure Copy (SCP) and Secure FTP (SFTP) provide encryption and could be considered as an alternative to FTP for trusted users. SCP does not support anonymous services, however, a feature that FTP does support.
Troubleshooting FTP

You should always test your FTP installation by attempting to use an FTP client to log in to your FTP server to transfer sample files.

The most common sources of day-to-day failures are incorrect usernames and passwords.

Initial setup failures could be caused by firewalls along the path between the client and server blocking some or all types of FTP traffic. Typical symptoms of this are either connection timeouts or the ability to use the ls command to view the contents of a directory without the ability to either upload or download files. Follow the firewall rule guidelines to help overcome this problem. Connection problems could also be the result of typical network issues outlined in Chapter 4, "Simple Network Troubleshooting".
Tutorial

FTP has many uses, one of which is allowing numerous unknown users to download files. You have to be careful, because you run the risk of accidentally allowing unknown persons to upload files to your server. This sort of unintended activity can quickly fill up your hard drive with illegal software, images, and music for the world to download, which in turn can clog your server's Internet access and drive up your bandwidth charges.
FTP Users with Only Read Access to a Shared Directory

In this example, anonymous FTP is not desired, but a group of trusted users need to have read only access to a directory for downloading files. Here are the steps:

1) Disable anonymous FTP. Comment out the anonymous_enable line in the vsftpd.conf file like this:

# Allow anonymous FTP?
anonymous_enable=NO

2) Enable individual logins by making sure you have the local_enable line uncommented in the vsftpd.conf file like this:

# Uncomment this to allow local users to log in.
local_enable=YES

3) Start VSFTP.

[root@bigboy tmp]# service vsftpd start

4) Create a user group and shared directory. In this case, use /home/ftp-users and a user group name of ftp-users for the remote users

[root@bigboy tmp]# groupadd ftp-users
[root@bigboy tmp]# mkdir /home/ftp-docs

5) Make the directory accessible to the ftp-users group.

[root@bigboy tmp]# chmod 750 /home/ftp-docs
[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs

6) Add users, and make their default directory /home/ftp-docs

[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user1
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user2
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user3
[root@bigboy tmp]# useradd -g ftp-users -d /home/ftp-docs user4
[root@bigboy tmp]# passwd user1
[root@bigboy tmp]# passwd user2
[root@bigboy tmp]# passwd user3
[root@bigboy tmp]# passwd user4

7) Copy files to be downloaded by your users into the /home/ftp-docs directory

8) Change the permissions of the files in the /home/ftp-docs directory for read only access by the group

[root@bigboy tmp]# chown root:ftp-users /home/ftp-docs/*
[root@bigboy tmp]# chmod 740 /home/ftp-docs/*

Users should now be able to log in via FTP to the server using their new usernames and passwords. If you absolutely don't want any FTP users to be able to write to any directory, then you should set the write_enable line in your vsftpd.conf file to no:

write_enable = NO

Remember, you must restart VSFTPD for the configuration file changes to take effect.
Sample Login Session To Test Functionality

Here is a simple test procedure you can use to make sure everything is working correctly:

1) Check for the presence of a test file on the ftp client server.

[root@smallfry tmp]# ll
total 1
-rw-r--r-- 1 root root 0 Jan 4 09:08 testfile
[root@smallfry tmp]#

2) Connect to bigboy via FTP

[root@smallfry tmp]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100)
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): user1
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

As expected, we can't do an upload transfer of testfile to bigboy.

ftp> put testfile
local: testfile remote: testfile
227 Entering Passive Mode (192,168,1,100,181,210)
553 Could not create file.
ftp>

But we can view and download a copy of the VSFTPD RPM located on the FTP server bigboy.

ftp> ls
227 Entering Passive Mode (192,168,1,100,35,173)
150 Here comes the directory listing.
-rwxr----- 1 0 502 76288 Jan 04 17:06 vsftpd-1.1.0-1.i386.rpm
226 Directory send OK.
ftp> get vsftpd-1.1.0-1.i386.rpm vsftpd-1.1.0-1.i386.rpm.tmp
local: vsftpd-1.1.0-1.i386.rpm.tmp remote: vsftpd-1.1.0-1.i386.rpm
227 Entering Passive Mode (192,168,1,100,44,156)
150 Opening BINARY mode data connection for vsftpd-1.1.0-1.i386.rpm (76288 bytes).
226 File send OK.
76288 bytes received in 0.499 secs (1.5e+02 Kbytes/sec)
ftp> exit
221 Goodbye.
[root@smallfry tmp]#

As expected, anonymous FTP fails.

[root@smallfry tmp]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100)
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.
[root@smallfry tmp]#

Now that testing is complete, you can make this a regular part of your FTP server's operation.
Conclusion

FTP is a very useful software application that can have enormous benefit to a Web site or to collaborative computing in which files need to be shared between business partners. Although insecure, it is universally accessible, because FTP clients are a part of all operating systems and Web browsers. If data encryption security is of great importance to you, then you should probably consider SCP as a possible alternative. You can find more information on it in Chapter 17, "Secure Remote Logins and File Copying".

Set up a strong Linux firewall with iptables

2009-10-12T04:23:00.000-07:00

In most organizations, network security has become interwoven with standard network and system administration. Threats in the form of malicious hackers, self-propagating worms, denial of service attacks, and other nefarious security problems loom large for administrators. Of course, one of the building blocks of network security is a good firewall. Although many companies pay top dollar for commercial firewall solutions, Linux has long been a popular option for those who want to save some big money and who don't mind rolling up their sleeves and building the firewall configuration themselves.

Fortunately, the Linux firewall solution has continued to improve and thenetfilter/iptables system now provides a robust and supremely flexible solution.netfilter/iptables (netfilter is the name of the project, and iptables is the name of the Linux software itself) is a system integrated into the Linux 2.4.x kernel for the handling of packet filtering. It is the successor to the ipchains and ipfwadm systems and is the first to be incorporated directly into the kernel. Here's a look at how you can build a strong Linux firewall with iptables.

Understanding firewalls
Although there are many ways to design a firewall system, the basics remain the same. Set up a server with two network interface cards, one that connects to the Internet and one that connects to the private, internal network. (And if you want a DMZ for your hosted services, you set up a third NIC.) Then, you set up the firewall to filter packets to allow or deny certain traffic, creating a secured environment and freeing up bandwidth and processor cycles for more important work.

The main point of the firewall is to open up to the traffic that you need and close out everything else. The terms open and close refer to the actual ports, usually TCP, UDP, or ICMP, that allow connections to be established on a server. Communication between systems on the Internet can be looked at generally on a packet level. A packet contains information in its header such as source address, destination address, and protocol type, which iptables can then use to make filtering decisions.

Unlike ipchains and ipfwadm, iptables can be configured as a stateful firewall, rather than being stateless. Also known as connection tracking, being stateful means the firewall will remember previous decisions involving the handling of packets instead of treating each one as new event. Valid states include INVALID, ESTABLISHED, and NEW.

Installing iptables
The netfilter/iptables system is part of the 2.4.x kernel, as mentioned above; however, the actual firewalling software, also called iptables, is not part of the kernel. Netfilter is often used to refer to the kernel portion, while the iptables tool is used to actually insert and delete rules in the kernel’s packet filtering table. While many distributions such as Red Hat include iptables as part of their standard install, you may need to download it separately from Netfilter.org. If installing from source, the following commands should get you up and running:
# bzip2 -d iptables-1.2.6a.tar.bz2
# tar -xpf iptables-1.2.6a.tar
# cd iptables-1.2.6a
# make
# make install

Support will most likely be preconfigured for the more recent kernels, but it may be necessary to compile it yourself. You'll need to do this if you receive an error such as “iptables is incompatible with your kernel.” First, verify that you're running a 2.4.x kernel (with uname –a, for instance) and compile a new kernel. Be sure to set theCONFIG_NETFILTER option to Y.

Configuring the firewall
Once iptables is running on your system, it’s time to look at configuring the firewall. The main commands you should be familiar with are listed in Table A.

Table A
--append or –A	Append to chain
--delete or –D	Delete rule from chain
--list or –L [chain]	List rules in a chain or all chains
--flush or –F [chain]	Delete all rules in a chain or all chains

Primary commands for iptables

The best way to set up your firewall so that the rules are saved and run each time your system boots is to create a script you can run manually and/or have the system run at startup. The firewall script shown in Listing A will get us started.

While this is a simple firewall, it covers many of the basic commands you will need to use. Our first step is to configure the variables used by the script. This is helpful in larger scripts, where it’s much easier to change a variable once than to modify every entry containing that variable, such as an IP address. After that, we flush the rules with the IPTABLES –F command, allowing us to start from a clean slate by wiping out any current iptables rules that are running. This is important when you consider rules are checked in sequential order. We don’t want a lingering filter to deny packets we now want to accept, or vice versa.

Next, we set the default rules for the three main chains—we deny incoming packets by default and we allow outgoing packets and forwarded (NAT) packets by default. As mentioned before, we want to open only what we need and make sure everything else is closed. We accomplish this by setting the default action on the INPUT chain (incoming packets) to DROP. Basically, all packets processed by the chain will be dropped unless explicitly allowed.

The OUTPUT and FORWARD chains are set to ACCEPT, as this traffic is coming from the internal network. If you plan on implementing policy with iptables, you should set this to DROP. It’s also important to note that if you are allowing all traffic sourced from the internal network, it might be a good idea to do some commonsense filtering. One example of this would be to set a rule that discards packets received on the external interface with an internal IP address (a sure sign of someone who is up to something).

To permit users to connect to the server via SSH or to allow inbound HTTP requests, we need to tell iptables to allow these packets. We do this by appending rules to a particular chain. This example from my script shows how to allow SSH (TCP port 22) on the external interface:
$IPTABLES -A INPUT -i $WAN_IFACE -p TCP --destination-port 22 \ -j ACCEPT

Let's break this down. The -A means append, or add, a particular rule. The -i refers to the interface that will be receiving the packets. The protocol is specified with the –poption, which can be TCP, UDP, ICMP, or ALL. The destination port is dependent upon the particular service that access is being granted. In the case of SSH, it operates on the well-known TCP port 22. And finally, we have the target of the rule, which in this case is ACCEPT. Other possibilities include DROP, REJECT, and user-defined actions. ACCEPT allows the packet through, and DROP means the packet is discarded. REJECT is the same as DROP, but it also sends back an error response to the sender of the packet.

In the above example, we have an entry that provides port forwarding. This is a means by which services can be forwarded by an external machine to an internal one. This is especially handy when you have just one routable IP address but would like to use multiple servers. This is accomplished with a form of network address translation (NAT). In this instance, we are forwarding SMTP traffic on port 25 from ourWAN_IFACE to the internal address of 192.168.1.5. Thus, an SMTP server looks like it is sitting at 10.0.0.1. But in reality, that's the external address of the firewall, which is forwarding all requests on SMTP port 25 to the internal server at 192.168.1.5. The use of NAT provides for the return communication as well, making its use completely transparent to those connecting to it from the Internet.

For more information on iptables configuration, check out these resources:

· Netfilter/iptables FAQ

· Linux 2.4 Packet Filtering HOWTO

· Oskar Andreasson's IPTables Tutorial 1.1.9

· Iptables MAN page

· MonMotha's IPTables Firewall

Summary
Linux can help administrators create a strong firewall with the powerful, kernel-basednetfilter/iptables software. As I demonstrated, iptables can create general or specific packet filters to allow or deny traffic. This enables administrators to protect their servers from a wide variety of hazards, including service attacks and hack attempts. As always, the best way to learn is to get your hands dirty and experiment with iptableson a testing machine. This article introduced you to the basic concepts of building a strong iptables firewall. My next article will delve into some of the more advanced options that iptables has to offer.

FreeBSD-GPRS over Bluetooth

2009-10-04T06:44:00.000-07:00

Welcome to all,here are a little tutorail that
I tried to set up GPRS over bluetooth with a Nokia 6310i
on my Dell workstaion WS-420 running FreeBSD 5.3.
Everything seems working OK by bluetooth, until I try using rfcomm_pppd, where I
keep getting this error:
sep 20 06:37:23 nixie-bsd rfcomm_pppd[766]: Could not connect socket.
Connection refused (61)
I made several tries before posting but without results; attached you can find my
configuration files.
Any help, suggestion or link is greatly appreciated.
I shall be much thankful for suggestion.

----------------------------------------------------------------------
nixie-bsd# dmesg grep ubt0
ubt0: Dell BC02 Bluetooth USB Adapter, rev 2.00/12.66, addr 2
ubt0: Dell BC02 Bluetooth USB Adapter, rev 2.00/12.66, addr 2
ubt0: Interface 0 endpoints: interrupt=0x81, bulk-in=0x82,
bulk-out=0x2
ubt0: Interface 1 (alt.config 5) endpoints: isoc-in=0x83, isoc-out=0x3; wMaxPacketSize=49; nframes=6, buffer size=294
nixie-bsd# /etc/rc.bluetooth start ubt0
BD_ADDR:
Features: 0xff 0xff 0x8f 0x78 0x18 0x18 00 0x80
<3-slot> <5-slot>

Max. ACL packet size: 192 bytes
Number of ACL packets: 8
Max. SCO packet size: 64 bytes
Number of SCO packets: 8
nixie-bsd# hccontrol -n ubt0hci inquiry
Inquiry result, num_responses=1
Inquiry result #0
BD_ADDR:
Page Scan Rep. Mode: 0x1
Page Scan Period Mode: 00
Page Scan Mode: 00
Class: 50:02:04
Clock offset: 0x100b
Inquiry complete. Status: No error [00]
nixie-bsd# l2ping -a
0 bytes from seq_no=0 time=133.043 ms result=0
0 bytes from seq_no=0 time=133.043 ms result=0
0 bytes from seq_no=0 time=133.043 ms result=0
0 bytes from seq_no=0 time=133.043 ms result=0
nixie-bsd# rfcomm_pppd -a -c -C 1 -l
rfcomm-dialup
nixie-bsd#
nixie-bsd# tail -f /var/log/messages
Feb 20 16:54:45 pc-bsd rfcomm_pppd[766]: Could not connect socket.
Connection refused (61)
nixie-bsd# tail -f /var/log/ppp.log
nixie-bsd# hcidump -x
HCIDump - HCI packet analyzer ver 1.5
device: any snap_len: 65535 filter: 0xffffffff
< HCI Command: Create Connection(0x010x0005) plen 13 07 05 3C 57 60 00 18 CC 00 00 00 00 00 > HCI Event: Command Status(0x0f) plen 4 00 01 05 04
> HCI Event: Connect Complete(0x03) plen 11
00 2E 00 07 05 3C 57 60 00 01 00
< HCI Command: Write Link Policy Settings(0x020x000d) plen 4 2E 00 0E 00 < ACL data: handle 0x002e flags 0x02 dlen 12 L2CAP(s): Connect req: psm 3 scid 0x0059 > HCI Event: Number of Completed Packets(0x13) plen 5 01 2E 00 01 00
> HCI Event: Max Slots Change(0x1b) plen 3 2E 00 05
> HCI Event: Command Complete(0x0e) plen 6 01 0D 08 00 2E 00
> ACL data: handle 0x002e flags 0x02 dlen 16
L2CAP(s): Connect rsp: dcid 0x0040 scid 0x0059 result 0 status 0
< ACL data: handle 0x002e flags 0x02 dlen 12 L2CAP(s): Config req: dcid 0x0040 flags 0x0000 clen 0 > HCI Event: QoS Setup Complete(0x0d) plen 21
00 2E 00 00 01 00 00 00 00 00 00 00 00 88 13 00 00 FF FF FF
FF
> HCI Event: Number of Completed Packets(0x13) plen 5 01 2E 00 01 00
> ACL data: handle 0x002e flags 0x02 dlen 16
> ACL data: handle 0x002e flags 0x01 dlen 16
> ACL data: handle 0x002e flags 0x01 dlen 8
L2CAP(s): Config req: dcid 0x0059 flags 0x0000 clen 28
MTU 32772 Unknown (type 03, len 22)
< ACL data: handle 0x002e flags 0x02 dlen 14 L2CAP(s): Config rsp: scid 0x0040 flags 0x0000 result 0 clen 0 > ACL data: handle 0x002e flags 0x02 dlen 14
L2CAP(s): Config rsp: scid 0x0059 flags 0x0000 result 0 clen 0
< ACL data: handle 0x002e flags 0x02 dlen 8 L2CAP(d): cid 0x40 len 4 [psm 3] RFCOMM(s): SABM: cr 1 dlci 0 pf 1 ilen 0 fcs 0x1c > HCI Event: Number of Completed Packets(0x13) plen 5 01 2E 00 01 00
> HCI Event: Number of Completed Packets(0x13) plen 5 01 2E 00 01 00
> ACL data: handle 0x002e flags 0x02 dlen 8
L2CAP(d): cid 0x59 len 4 [psm 3]
RFCOMM(s): UA: cr 1 dlci 0 pf 1 ilen 0 fcs 0xd7
< ACL data: handle 0x002e flags 0x02 dlen 18 L2CAP(d): cid 0x40 len 14 [psm 3] RFCOMM(s): PN CMD: cr 1 dlci 0 pf 0 ilen 10 fcs 0x70 mcc_len 8 dlci 2 frame_type 0 credit_flow 15 pri 7 ack_timer 0 frame_size 667 max_retrans 0 credits 7 > HCI Event: Number of Completed Packets(0x13) plen 5 01 2E 00 01 00
> ACL data: handle 0x002e flags 0x02 dlen 16
> ACL data: handle 0x002e flags 0x01 dlen 2
L2CAP(d): cid 0x59 len 14 [psm 3]
RFCOMM(s): PN RSP: cr 0 dlci 0 pf 0 ilen 10 fcs 0xaa mcc_len 8
dlci 2 frame_type 0 credit_flow 14 pri 7 ack_timer 0 frame_size
324 max_retrans 0 credits 0
< ACL data: handle 0x002e flags 0x02 dlen 8 L2CAP(d): cid 0x40 len 4 [psm 3] RFCOMM(s): SABM: cr 1 dlci 2 pf 1 ilen 0 fcs 0x59 > HCI Event: Number of Completed Packets(0x13) plen 5 01 2E 00 01 00
> HCI Event: Link Key Request(0x17) plen 6 07 05 3C 57 60 00
> HCI Event: Disconn Complete(0x05) plen 4
00 2E 00 08
-----------
hcsecd.conf
-----------
device {
bdaddr c:e:l:l:p:h:o:n:e ;
name "Nokia 6310i" ;
key nokey ;
pin "1234" ;
}

--------
ppp.conf
--------

default:
set log Phase Chat LCP IPCP CCP tun command
ident user-ppp VERSION (built COMPILATIONDATE)

rfcomm-dialup:
enable force-scripts
set debug all
set speed 115200
set authname "test"
set authkey "test"
set phone "*99#"
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
\"\" AT OK-AT-OK \
AT+CGDCONT=1,IP,internet.wind \
\"\" AT OK-AT-OK ATE1Q0 OK \\dATD\\T TIMEOUT 40 CONNECT"
set login
set timeout 30
enable dns

resolv rewrite
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
add default HISADDR

A five step SQUID configuration

2009-10-04T06:24:00.000-07:00

These are a few simple steps having a concise information meant to step you through the basic installation and configuration of Squid. This document is dedicated for beginners who want a simple Squid setup running in Linux. For detailed configurations please refer our Configuration Manual
Step I - Downloading and compiling Squid
You can download squid source file as a gzipped tar ball (squid-x.y-STABLE.tar.gz) available at http://www.squid-cache.org/ or from ftp://www.squid-cache.org/pub. Next you have to extract the compressed archive file and change the working directory to squidtar -xvzf squid-*-src.tar.gz cd squid -* Now enter the following commands in order to configure, compile and install squid ./configuremakemake installThis by default, will install in "/usr/local/squid". Type ./configure --help to view all available options.
Step II - Basic Configuration
Some basic configurations are to be done. Uncomment and edit the following lines in the configuration file found default at "/usr/local/squid/etc/squid.conf". cache_dir this direcitve specifies the cache directory storage format and its size as given below.cache_dir ufs /usr/local/squid/cache 100 16 256 The value 100 denotes 100MB cache size. This can be adjusted to the required size. http_portCheck http_port, 3128 is a default.http_accessBy default http_access is denied. The ACL rules should be modified to allow access only to the trusted clients. This is important because it prevents people from stealing your network resources.cache_effective_user & cache_effective_ groupSet these directive to the user and group by which squid will run. This user should have the permission to read and write in the cache directory and to the log files.
Step III -Custom Configuration
Custom configuration based on your network needsFor Configuring squid for proxyBy default, squid is configured as a direct proxy . In order to cache web traffic with squid, the browser must be configured to use the squid proxy. This needs the following information i. the proxy server's host nameii. the port by which the proxy server accepts connections. For Configuring squid for transparencyUsing squid transparently is a two part process, requiring first that squid be configured properly to accept non-proxy requests (performed in the squid module) and second that web traffic gets redirected to the squid port (achieved in three ways namely policy based routing, Using smart switching or by setting squid Box as a gateway).Getting transparent caching to work requires the following stepsi. For some operating systems, you have to configure and build a version of Squid which can recognize the hijacked connections and discern the destination addresses. For Linux this seems to work automatically. For BSD-based systems, configure squid with the --enable-ipf-transparent option and you have to configure squid ashttpd_accel_host virtualhttpd_accel_port 80httpd_accel_with_proxy onhttpd_accel_uses_host_header onii. Next you have to configure your cache host to accept the redirected packets - any IP address, on port 80 - and deliver them to your cache application. This is typically done with IP filtering/forwarding features built into the kernel. In Linux they call this ipfilter (kernel 2.4.x), ipchains (2.2.x) or ipfwadm (2.0.x).For Configuring squid for Reverse ProxyTo run Squid as an accelerator, you probably want to listen on port 80. And you have to define the machine you are accelerating for. This is done in squid module,http_port 80httpd_accel_host visolve.comhttpd_accel_port 81httpd_accel_single_host onhttpd_accel_with_proxy onIf you are using Squid as an accelerator for a virtual host system, then instead of a 'hostname' here you have to use the word virtual as:http_port 80httpd_accel_host virtualhttpd_accel_port 81httpd_accel_with_proxy onhttpd_accel_single_host off.
Step IV - Starting Squid
After you've finished editing the configuration file, you can start Squid for the first time. First, you must create the swap directories. Do this by running Squid with the -z option:/usr/local/squid/sbin/squid -zOnce that completes, you can start Squid and try it out. Probably the best thing to do is run it from your terminal and watch the debugging output. Use this command:/usr/local/squid/sbin/squid -NCd1If everything is working fine, then your console displays: "Ready to serve requests".If you want to run squid in the background, as a daemon process/usr/local/squid/sbin/squidYou should be a privileged user to start/stop squid.
Step V - Checking Working
To check if Squid is workingCheck the cache.log file in your logs directory to find out if squid works correctly. This file contains the informational and error messages that Squid generates at runtime

Slax-Your Pocket Distribution

2009-09-30T03:29:00.000-07:00

Slax is a modern, portable, small and fast Linux operating system with a modular approach and outstanding design. Despite its small size, Slax provides a wide collection of pre-installed software for daily use, including a well organized graphical user interface and useful recovery tools for system administrators.The modular approach gives you the ability to include any other software in Slax easily. If you're missing your favourite text editor, networking tool or game, simply download a module with the software and copy it to Slax, no need to install, no need to configure.If you are a beginner or you're just too busy to make it yourself, follow a few steps to build your own customized operating system by using web-based interface here.

And Now Slax is also available in urdu.Its really great for urdu users and the people who urge to use computer but the english language is a problem for them.Enjoy using Slax.You may get it from http://downloads.urduweb.org/urduslax/urdu-slax-5.1.8.1.iso (Urdu Version)

For English user you may have it from the following address
http://www.slax.org/get_slax.php?download=iso

And for those who are much anxious to boot it from usb flash drive they may grab it from the following link
http://www.slax.org/get_slax.php?download=tar

Have Fun!

10 Tips for After You Install or Upgrade Ubuntu

2009-09-30T03:19:00.000-07:00

Ubuntu is becoming more and more complete and easy to configure. However, like any operating system there’s work to be done after the installation. Here’s a list of 10 tips that you can use after installing or upgrading Ubuntu.

Install software faster
As a commenter on Slashdot said: I felt a great disturbance in the force, as if thousands of apt-get repositories had cried out in pain, and were suddenly silenced.The Ubuntu software repositories can get really slow, and even stop responding completely around the time of a major Ubuntu release. Without a repository mirror, you can’t install software. The Synaptic package manager can help you find a faster mirror.Install restricted extras (and enable the multiverse repository) Install support for playback of many types of audio and video, web fonts, Java, Flash, and DVD playback all in one go. Ubuntu restricted extras allow you to easy install everything that Ubuntu can’t include by default for legal reasons.Open Applications->Add/Remove. In the Show drop down box, select All available applications. This will enable the multiverse software repository, and give you access to the restricted extras and non-free software. Start typing restricted extras into the search box and check the box beside Ubuntu restricted extras when it appears in the results. Click Appy Changes to begin installing.Silence the internal speaker beep Some Ubuntu applications make heavy use of that annoying speaker inside your PC’s case, such as Firefox when you are searching in a page. It’s not difficult permanently or temporarily disable.Clear partition icons off the desktop I like to keep my desktop clean and free of icons. Ubuntu doesn’t, and will drop icons for other disk partitions on the desktop that you likely rarely or never need. You can change a setting using gconf-editor to fix this.
Remove old configuration files If you’ve upgraded your Ubuntu installation, or use a separate home partition, all of your settings will be carried over to the new Ubuntu installation. Your desktop could look exactly the same as before! This can cause problems when newer software is loading older configuration files. To start fresh, you can remove the old configuration. Open your home folder in the file browser, and select View->Show Hidden Files. Files and folders beginning with a dot are for configuration. Back these up first, and them remove them from your home folder. The next time you log in, you will see a pristine default Ubuntu desktop.
Remove old kernels This is a tip for those of you who have upgraded from a previous version of Ubuntu or installed during development. Is your boot menu full of options for booting Ubuntu with older kernels? Mine was too. You can safely remove the ones you don’t need.Give Ubuntu a cool new look The default Ubuntu theme hasn’t changed, except for the wallpaper, in years. Why not find a new theme? Give Blubuntu a try, it’s an easily installable and complete blue alternative to the brown Human theme.
Run Windows applications with the latest WINE New WINE releases arrive every two weeks; the version in Ubuntu 8.04’s repository is already out-of-date. To be able to run Windows applications as well as possible, you should stay with the latest WINE releases.Open System->Administration->Software Sources, and select the Third Party Software tab. Click Add and paste in the official WINE Ubuntu repository http://wine.budgetdedicated.com/apt hardy mainWhen prompted, reload the repositories. Install the package wine from your package manager. Whenever a new version of WINE is released, you should see it in your Ubuntu updates.
Customize Compiz desktop effects Ubuntu’s default Compiz desktop effects settings are pretty tame. Want the cube and burning windows? Install the advanced configuration software and tweak as much as you like.Easily toggle Compiz on and off You may need to run an application or two that doesn’t work properly with Compiz, or find that it slows down 3D games. Fusion-icon runs in your notification area and makes it easy to switch between window managers. What do you do after you install a new Ubuntu system? Have any tips of your own?

BSD vs Linux

2009-09-30T01:05:00.000-07:00

BSD vs Linux
What is this?
I run FreeBSD on my computers. A lot of my friends run Linux, or at least one of the distributions of it. Naturally, then, we agree that a Unix-style operating system is the right choice, but we disagree on which to use.
It's been my impression that the BSD communit{y,ies}, in general, understand Linux far better than the Linux communit{y,ies} understand BSD. I have a few theories on why that is, but that's not really relevant. I think a lot of Linux people get turned off BSD because they don't really understand how and why it's put together. Thus, this rant; as a BSD person, I want to try to explain how BSD works in a way that Linux people can absorb.
While there's overwhelming similarity between the operating systems in most cases, there are also a lot of differences. As you probe more into the differences, you find that they emerge from deep-seated disagreements. Some are disagreements over development methodology, some over deployment and usage, some about what's important, some about who's important, and some about which flavor of ice cream is superior. Just comparing the surface differences doesn't tell you anything; it's the deeper differences that both explain and justify why each group does things the way they do.

What isn't this?
This is not:
A list of command correspondances; "'netstat -rnfinet' on BSD = 'netstat -rnAinet' on Linux" and such things.
How to do all the things involved in adminning and running a BSD box.
Why you should use BSD instead of Linux.
Why you should use Linux instead of BSD.
Why you should use this BSD instead of that BSD.
Why you should use this Linux instead of that Linux.
Why BSD is Right and Linux is Wrong.
Why Linux is Right and BSD is Wrong.
Why I am a god and you should worship me.
I, personally, for me, believe (obviously) that my OS choice is right. That's me. I'm not telling you that you should believe it. Learn the facts, and the origins behind the facts, and make up your own damn mind. That's why you have one.
Some preliminary thoughts
There're a lot of philosophical disparity between the Linux world and the BSD world. And there are a lot of expressions about it out there. One I particularly like goes something like:
BSD is what you get when a bunch of Unix hackers sit down to try to port a Unix system to the PC. Linux is what you get when a bunch of PC hackers sit down and try to write a Unix system for the PC.
Now, I like that quip, not because it's some sort of absolute revealed truth, but because it gives a very good feel for some of the differences. The BSDs, in general, are very much more like traditional Unices than Linux is. A lot of that is because they're direct-line descendants of the BSD from Berkeley, which was a direct-line descendant of the original AT&T Unix. Unix-the-trademark is a trademark of The Open Group, and Unix-the-code is owned by SCO, so one can't actually say that the BSDs are really Unix (that's the sort of statement that triggered the USL/UCB lawsuit extravaganza, in fact). But, in many ways, the BSDs are direct derivatives of traditional Unix.
That shows through in a lot of ways. It shows up in the design of the base system and the packaging of addons. It shows up in the partitioning of the mass storage. It shows up in a lot of details of the commands. And it shows up in the attitudes and reflexes and prejudices of the developers, which are reflected in the code and in the users.
BSD is designed. Linux is grown. Perhaps that's the only succinct way to describe it, and possibly the most correct.