Resolving subsys locked for

Today I was restarting my tomcat service and I saw

Tomcat didn't stop in a timely manner (pid[FAILED]) and subsys locked for tomcat

This means the init script believes the service is still running (its lock file exists), but the process it started is gone: it crashed, was killed with SIGKILL, or the previous stop failed half way, which is what the first part of the message is telling you.

When you start a service, the init script creates a “lock” file to indicate that the service is running. This helps avoid starting multiple instances of the service. When you stop a service cleanly, the lock file is removed.

When a running service crashes, the lock file still exists but the process no longer does. Hence the message.

Look at the two areas /var/run/*.pid and /var/lock/subsys/*. These are expected to agree with each other. That is, if the (empty) lock file /var/lock/subsys/crond exists, then the first line of the file /var/run/crond.pid is expected to contain the PID of the process running for this service. If no such process is running, the lock is stale: the service needs to be restarted, and the init script's stop target (or removing the lock and PID files by hand) clears it. If a process is indeed running (as you see) but it is not that PID, then something is probably confused; check whether it is a second instance before killing anything.
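The comparison described above as a small script, added here as an example (it is not from the original post). LOCKDIR and RUNDIR are parameters so it can be pointed at a test tree; the liveness check looks in /proc, so it is Linux-only:

```shell
#!/bin/sh
# check-subsys-lock.sh: compare /var/lock/subsys/<svc> with /var/run/<svc>.pid
# and the process table, and report which state the service is in.
LOCKDIR=${LOCKDIR:-/var/lock/subsys}
RUNDIR=${RUNDIR:-/var/run}

# Prints one of:
#   running     lock present, pid file present, that PID alive
#   stale-lock  lock present but no pid file or the PID is dead (the "subsys locked" case)
#   stale-pid   no lock, but a pid file whose PID is alive (something is confused)
#   stopped     neither lock nor pid file
lock_state() {
    svc=$1
    lock="$LOCKDIR/$svc"
    pidfile="$RUNDIR/$svc.pid"
    # first line of the pid file, digits only; empty if the file is missing
    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -dc '0-9')
    alive=no
    if [ -n "$pid" ] && [ -d "/proc/$pid" ]; then
        alive=yes
    fi
    if [ -e "$lock" ]; then
        [ "$alive" = yes ] && echo running || echo stale-lock
    elif [ "$alive" = yes ]; then
        echo stale-pid
    else
        echo stopped
    fi
}

# Remove the leftovers so "service <svc> start" works again, but only in the
# stale-lock case; a live process is never touched here.
clear_stale() {
    case "$(lock_state "$1")" in
        stale-lock)
            rm -f "$LOCKDIR/$1" "$RUNDIR/$1.pid"
            echo "cleared stale lock for $1" ;;
        *)
            echo "nothing to clear for $1"
            return 1 ;;
    esac
}

# usage: check-subsys-lock.sh tomcat
[ $# -gt 0 ] && lock_state "$1"
```

Run it as `check-subsys-lock.sh tomcat`; `stale-lock` is the state behind the message above, and `clear_stale tomcat` followed by `service tomcat start` is the fix.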

Posted in Linux, Tomcat | Leave a comment

Resolving “Access denied; you need (at least one of) the PROCESS privilege(s) for this operation”

I was logged in as the MySQL user easypay, who has all privileges on the database easypay, and ran

show engine innodb status

MySQL returned the error

[Error Code: 1227, SQL State: 42000] Access denied; you need (at least one of) the PROCESS privilege(s) for this operation

Even though the user had been granted ALL on that database, I was still getting the error. The reason is that PROCESS is a global (server-level) privilege: it cannot be granted on a single database, only ON *.*.

Simply run

GRANT PROCESS ON *.* TO 'easypay'@'localhost';

and your troubles should be over. SHOW ENGINE INNODB STATUS needs only PROCESS; adding SELECT ON *.* here, as is often suggested, would give the account read access to every database on the server, so leave it out unless you actually want that.

If you have the PROCESS privilege, you can see all threads, including the SQL text other sessions are executing, so it is not something to hand to an application account casually. If you have the SUPER privilege, you can kill all threads and statements. Otherwise, you can see and kill only your own threads and statements.

You can also use the mysqladmin processlist and mysqladmin kill commands to examine and kill threads.

Posted in Linux, MySQL | Leave a comment

Setting up Master Slave DNS server

DNS (the Domain Name System) is a distributed system used to translate domain names to IP addresses and vice versa.

Network Scenario for this Setup
Master DNS Server IP: 10.10.10.20 ( ns1.example.net )
Slave  DNS Server IP: 10.10.11.243 ( ns2.example.net )
Domain Name : demoexample.net   ( For Testing Purpose )
Domain IP   : 10.10.10.100  ( For Testing Purpose )
Install Required RPMS ( at Master and Slave Both )

Install bind packages at both Master and Slave dns servers using following commands.

# yum install bind bind-chroot
Setup Master (NS1) DNS Server

There are two types of configuration file in BIND:

  • The main configuration file, named.conf.
  • Zone files, one per domain. named.conf (or a file it includes) keeps an entry for every zone file.

With bind-chroot the daemon runs inside /var/named/chroot, so every path inside named.conf is relative to that directory: "/var/named/named.zones" in named.conf is /var/named/chroot/var/named/named.zones on disk, and the slave's transferred zones end up under /var/named/chroot/var/named/slaves/. The paths in the vim commands below are the chroot-relative ones.

Configure named.conf using the configuration below.
# vim /var/named/chroot/etc/named.conf

Content of named.conf:

// /var/named/chroot/etc/named.conf
acl internals {
    127.0.0.0/8;
    10.10.10.0/24;
    10.10.11.0/24;
   115.254.78.93;
};

acl slaves {
    10.10.11.243/32;
    97.74.243.55/32;
    10.10.10.0/24;
};

acl trusted {
        10.10.11.240/28;
        10.10.10.0/24;
};

options {
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 { any; };
#       version "Please go Ahead";
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
#        query-source    port 53;
#        query-source-v6 port 53;
        allow-query     { any; };
        allow-recursion {
                        slaves;
                        trusted;
                        internals;
                         };
        allow-transfer { slaves; };
};

#logging {
#        channel default_debug {
#                file "data/named.run";
#                severity dynamic;
#        };
#};

logging {
   channel default_syslog { syslog local2; severity notice; };
   category "default" { "debug"; };
   category "general" { "debug"; };
   category "database" { "debug"; };
   category "security" { "debug"; };
   category "config" { "debug"; };
   category "resolver" { "debug"; };
   category "xfer-in" { "debug"; };
   category "xfer-out" { "debug"; };
   category "notify" { "debug"; };
   category "client" { "debug"; };
   category "unmatched" { "debug"; };
   category "network" { "debug"; };
   category "update" { "debug"; };
   category "queries" { "debug"; };
   category "dispatch" { "debug"; };
   category "dnssec" { "debug"; };
   category lame-servers {null; };
   category edns-disabled { null; };
   channel "debug" {
     file "/var/log/named/named.log" versions 2 size 1024m;
     print-time yes;
     print-category yes;
   };
};



include "/etc/rndc.key";
controls {
        inet 127.0.0.1 port 953 allow { localhost; };
       };

view localhost_resolver {
        match-clients      { internals; };
        match-destinations { localnets; };
#        recursion yes;
        include "/etc/named.rfc1912.zones";
        include "/var/named/named.zones";
        include "/var/named/named_new.zones";
};
view "external" {
        match-clients      { any; };
        match-destinations { any; };
#        recursion no;

        include "/var/named/named.zones";
        include "/var/named/named_new.zones";
};
# vim /var/named/named.zones

Content of named.zones. A zone's own allow-transfer replaces the global one in options, so the zones below can only be pulled by 10.10.11.243; any zone without its own allow-transfer falls back to the "slaves" ACL, which above also covers all of 10.10.10.0/24 and one public address. Keep that ACL to the real secondaries (or sign transfers with a TSIG key), because an AXFR hands whoever is allowed the complete zone:

zone "example.net" IN {
        type master;
        file "example.net.zone";
        allow-transfer {
                10.10.11.243;
        };
};
zone "nethost.com" IN {
        type master;
        file "nethost.com.zone";
        allow-transfer {
                10.10.11.243;
        };
};
zone "testreflexologydayspa.com" IN {
        type master;
        file "testreflexologydayspa.com.zone";
        allow-transfer {
                10.10.11.243;
        };
};
zone "nethost.net" IN {
        type master;
        file "nethost.net.zone";
        allow-transfer {
                10.10.11.243;
        };
};
# vim /var/named/named_new.zones

Content of named_new.zones:

zone "sahana.on.com"{
       type master;
       file "s/p-sahana.on.com";
        also-notify { 64.68.200.91; };
       allow-transfer {
       10.10.11.243;
        64.68.200.91;
        72.52.2.1;
        64.68.196.10;
        64.68.192.210;
       };
};
zone "oahanacolleges.com"{
       type master;
       file "o/p-oahanacolleges.com";
        also-notify { 64.68.200.91; };
       allow-transfer {
        64.68.200.91;
       10.10.11.243;
        72.52.2.1;
        64.68.196.10;
        64.68.192.210;
       };
};
zone "1101baybay.ca"{
       type master;
       file "1/p-1101baybay.ca";
       allow-transfer {
       10.10.11.243;
       };
};
Create a zone file for your domain “example.net”. The file name must match the file directive in named.zones (example.net.zone):
# vim /var/named/example.net.zone

Content of zone file:

$ORIGIN .
$TTL 600        ; 10 minutes
example.net     IN SOA  ns1.example.net. root.example.net. (
                                2014021800 ; serial
                                7200       ; refresh (2 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.example.net.
                        NS      ns2.example.net.
                        A       10.10.10.32
                        MX      0 example-net.mail.eo.outlook.com.
                        TXT     "v=spf1 include:outlook.com ~all"
                        SRV     100 1 5061 sipfed.online.lync.com.
$ORIGIN example.net.
adminfs                 A       10.10.11.29
autodiscover            CNAME   autodiscover.outlook.com.
home                    A       10.10.10.95
ns1                     A       10.10.10.20
ns2                     A       10.10.11.243
ns3                     A       10.10.11.243
webmail                 A       10.10.10.64
*                       A       10.10.10.64
Create a zone file for your reverse domain “10.10.10.in-addr.arpa.zone”
# vim /var/named/10.10.10.in-addr.arpa.zone

Content of zone file:

$ORIGIN .
$TTL 600        ; 10 minutes
10.10.10.in-addr.arpa IN SOA  ns1.example.net. root.example.net. (
                                2014032001 ; serial
                                7200       ; refresh (2 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.example.net.
                        NS      ns2.example.net.
$ORIGIN 10.10.10.in-addr.arpa.
100                     PTR     cpanel.midinet.com.
120                     PTR     winpl.midinet.com.
150                     PTR     urban.ca.
20                      PTR     ns1.example.net.
85                      PTR     ratherlaugh.com.
86                      PTR     statusopenged.com.
87                      PTR     open.statusopenged.com.
88                      PTR     offresgetsmain.net.
89                      PTR     stat.offresgetsmain.net.
227                     PTR     devanorth.com.
84                      PTR     wiki.eausergroup.org.
55                      PTR     equipmentscheduling.com.
Start named service

Start the named (bind) service using the following commands and enable it at system boot.

# /etc/init.d/named restart
# chkconfig named on
Setup Slave (NS2) DNS Server

At the slave DNS server you only need to set up named.conf. All zone files are transferred automatically from the master DNS server, and any change made on the master reaches the slave after the refresh interval from the zone's SOA record (sooner if the master sends NOTIFY and the slave's allow-notify accepts it).

Configure named.conf using below configuration
# vim /var/named/chroot/etc/named.conf

Content of named.conf

// /var/named/chroot/etc/named.conf
acl trusted {
        10.10.11.240/28;
        10.10.10.0/24;
        10.10.11.0/24;
};


options {
        listen-on port 53 { 127.0.0.1; any; };
        version "Please go Ahead";
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
#        query-source    port 53;
#        query-source-v6 port 53;
        allow-query     { any; };
        allow-transfer { none; };
        allow-recursion { trusted;};
        allow-notify {trusted;};

};
#logging {
#        channel default_debug {
#                file "data/named.run";
#                severity dynamic;
#        };
#};


logging {
   channel default_syslog { syslog local2; severity notice; };
   category "default" { "debug"; };
   category "general" { "debug"; };
   category "database" { "debug"; };
   category "security" { "debug"; };
   category "config" { "debug"; };
   category "resolver" { "debug"; };
   category "xfer-in" { "debug"; };
   category "xfer-out" { "debug"; };
   category "notify" { "debug"; };
   category "client" { "debug"; };
   category "unmatched" { "debug"; };
   category "network" { "debug"; };
   category "update" { "debug"; };
   category "queries" { "debug"; };
   category "dispatch" { "debug"; };
   category "dnssec" { "debug"; };
   category lame-servers {null; };
#   category edns-disabled { null; };
   channel "debug" {
     file "/var/log/named/named.log" versions 2 size 150m;
     print-time yes;
     print-category yes;
   };
};

include "/etc/rndc.key";
controls {
        inet 127.0.0.1 port 953 allow { localhost; };
       };
view localhost_resolver {
        match-clients      { localnets; };
        match-destinations { localhost; };
#        recursion yes;
        include "/etc/named.rfc1912.zones";
        include "/var/named/named.zones";
        include "/var/named/named_new.zones";
};
view "external" {
        match-clients      { any; };
        match-destinations { any; };
        include "/var/named/named.zones";
        include "/var/named/named_new.zones";
};
# vim /var/named/named.zones

The slave writes each transferred zone to the file named here, so the directory must be writable by the named user. In the chroot that is /var/named/chroot/var/named/slaves/ (the parent /var/named is not writable by named), which is why the file names below carry the slaves/ prefix:

zone "example.net" IN {
        type slave;
        masters { 10.10.10.20; };
        file "slaves/example.net.zone";
};
zone "nethost.com" IN {
        type slave;
        masters { 10.10.10.20; };
        file "slaves/nethost.com.zone";
};
zone "reflexologydayspa.com" IN {
        type slave;
        masters { 10.10.10.20; };
        file "slaves/reflexologydayspa.com.zone";
};
zone "nethost.net" IN {
        type slave;
        masters { 10.10.10.20; };
        file "slaves/nethost.net.zone";
};
zone "westmountroutes.com" IN {
        type slave;
        masters { 10.10.10.20; };
        file "slaves/westmountroutes.com.zone";
};
zone "siteinmotionhosting.com" IN {
        type slave;
        masters { 10.10.10.20; };
        file "slaves/siteinmotionhosting.com.zone";
};
# vim /var/named/named_new.zones

Same rule for the per-letter subdirectories used here: create them under slaves/ first, owned by named.

zone "iaaos.ca"{
       type slave;
       masters { 10.10.10.20; } ;
       file "slaves/i/s-iaaos.ca";
};
zone "saco.ca"{
       type slave;
       masters { 10.10.10.20; } ;
       file "slaves/o/s-saco.ca";
};
zone "schooldelontario.ca"{
       type slave;
       masters { 10.10.10.20; } ;
       file "slaves/c/s-schooldelontario.ca";
};
zone "saco.on.ca"{
       type slave;
       masters { 10.10.10.20; } ;
       file "slaves/s/s-saco.on.ca";
};
zone "ontarioschool.ca"{
       type slave;
       masters { 10.10.10.20; } ;
       file "slaves/o/s-ontarioschool.ca";
};
zone "1101bay.ca"{
       type slave;
       masters { 10.10.10.20; } ;
       file "slaves/1/s-1101bay.ca";
};
zone "1101bay.com"{
       type slave;
       masters { 10.10.10.20; } ;
       file "slaves/1/s-1101bay.com";
};
The slave's copy of the zone is written by named after the first transfer; do not hand-edit it on the slave, because the next transfer overwrites it. It should look exactly like the master's file:

# cat /var/named/chroot/var/named/slaves/example.net.zone
$ORIGIN .
$TTL 600        ; 10 minutes
example.net     IN SOA  ns1.example.net. root.example.net. (
                                2014021800 ; serial
                                7200       ; refresh (2 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.example.net.
                        NS      ns2.example.net.
                        A       10.10.10.32
                        MX      0 example-net.mail.eo.outlook.com.
                        TXT     "v=spf1 include:outlook.com ~all"
                        SRV     100 1 5061 sipfed.online.lync.com.
$ORIGIN example.net.
adminfs                 A       10.10.11.29
autodiscover            CNAME   autodiscover.outlook.com.
home                    A       10.10.10.95
ns1                     A       10.10.10.20
ns2                     A       10.10.11.243
ns3                     A       10.10.11.243
webmail                 A       10.10.10.64
*                       A       10.10.10.64
# cat /var/named/chroot/var/named/slaves/10.10.10.in-addr.arpa.zone   (also transferred, not hand-edited)
$ORIGIN .
$TTL 600        ; 10 minutes
10.10.10.in-addr.arpa IN SOA  ns1.example.net. root.example.net. (
                                2014032001 ; serial
                                7200       ; refresh (2 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.example.net.
                        NS      ns2.example.net.
$ORIGIN 10.10.10.in-addr.arpa.
100                     PTR     cpanel.midinet.com.
120                     PTR     winpl.midinet.com.
150                     PTR     urban.ca.
20                      PTR     ns1.example.net.
85                      PTR     ratherlaugh.com.
86                      PTR     statusopenged.com.
87                      PTR     open.statusopenged.com.
88                      PTR     offresgetsmain.net.
89                      PTR     stat.offresgetsmain.net.
227                     PTR     devanorth.com.
84                      PTR     wiki.eausergroup.org.
55                      PTR     equipmentscheduling.com.
Start named Service

Start the named (bind) service using the commands below and enable it at boot.

# /etc/init.d/named restart
# chkconfig named on

After restarting named, check that the zone files have arrived on the slave in /var/named/chroot/var/named/slaves/. The named log shows a "transfer of 'example.net/IN' from 10.10.10.20#53: Transfer completed" line for each zone; a "refused" line there means the master's allow-transfer does not include the slave's source address.

Test Your DNS Setup

Query the master and slave DNS servers directly using the following commands; you should get the same response from both. demoexample.net is the test domain from the scenario at the top: create a zone for it with an A record of 10.10.10.100 in the same way as example.net above, or substitute a name you actually serve, and run the query against the slave only after it has completed its first transfer.
Syntax: nslookup <domainname.com> <dns server name/ip>

Query to Master DNS Server:

# nslookup demoexample.net 10.10.10.20

Server:         10.10.10.20
Address:        10.10.10.20#53

Name:   demoexample.net
Address: 10.10.10.100

Query to Slave DNS Server:

# nslookup demoexample.net 10.10.11.243

Server:         10.10.11.243
Address:        10.10.11.243#53

Name:   demoexample.net
Address: 10.10.10.100

The outputs above show that demoexample.net is resolved by both the master and the slave DNS servers. Matching answers from both prove the transfer works; to confirm that nobody else can pull the zone, attempt a zone transfer from a host outside the allow-transfer list and expect it to be refused.
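A check script for the pair, added here as an example (it is not part of the original post). It syntax-checks the configuration and zone with named-checkconf and named-checkzone, compares the SOA serial served by master and slave, and verifies that a zone transfer from the host it runs on is refused. MASTER, SLAVE, ZONE and CHROOT default to the values used above and are the only assumptions; the parsing helpers are kept apart from the live checks so they can be exercised without a running server:

```shell
#!/bin/sh
# check-dns-pair.sh: verify a BIND master/slave pair from a third host.
MASTER=${MASTER:-10.10.10.20}
SLAVE=${SLAVE:-10.10.11.243}
ZONE=${ZONE:-example.net}
CHROOT=${CHROOT:-/var/named/chroot}

# The serial is the third field of a `dig +short SOA` answer, e.g.
# "ns1.example.net. root.example.net. 2014021800 7200 3600 604800 3600".
soa_serial() {
    set -- $1
    printf '%s\n' "$3"
}

# 0 when both serials are non-empty and equal, 1 otherwise.
serials_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Classify the output of `dig @server zone AXFR`: a server honouring its
# allow-transfer list answers "; Transfer failed." to clients outside it.
axfr_result() {
    case "$1" in
        *"Transfer failed"*) echo refused ;;
        *"XFR size:"*)       echo transferred ;;
        *)                   echo unknown ;;
    esac
}

# Live checks; only run when the script is invoked with "run".
run_checks() {
    named-checkconf -t "$CHROOT" /etc/named.conf || return 1
    named-checkzone "$ZONE" "$CHROOT/var/named/$ZONE.zone" || return 1
    m=$(soa_serial "$(dig +short @"$MASTER" "$ZONE" SOA)")
    s=$(soa_serial "$(dig +short @"$SLAVE"  "$ZONE" SOA)")
    if serials_match "$m" "$s"; then
        echo "serial $m served by both master and slave"
    else
        echo "serial mismatch: master=$m slave=$s (check allow-transfer, allow-notify and the slave log)"
        return 1
    fi
    # This host should not be in the slaves ACL, so the transfer must be refused.
    r=$(axfr_result "$(dig @"$MASTER" "$ZONE" AXFR 2>&1)")
    if [ "$r" = refused ]; then
        echo "AXFR from $(hostname) correctly refused"
    else
        echo "AXFR from $(hostname): $r"
        return 1
    fi
}

[ "${1:-}" = run ] && run_checks
```

Run it as `check-dns-pair.sh run` from a workstation, not from either name server; a `transferred` result for the AXFR step means the allow-transfer ACL is wider than it should be.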

Posted in DNS, Linux | Leave a comment

Fix for InnoDB: ERROR: the age of the last checkpoint is …

I recently had to restore a production DB to a local environment, and saw the MySQL log filling up with errors like this

InnoDB: largest such row.
150817 23:22:56  InnoDB: ERROR: the age of the last checkpoint is 9440934,
InnoDB: which exceeds the log group capacity 9433498.
InnoDB: If you are using big BLOB or TEXT rows, you must set the
InnoDB: combined size of log files at least 10 times bigger than the
InnoDB: largest such row.
150817 23:23:25  InnoDB: ERROR: the age of the last checkpoint is 9439873,
InnoDB: which exceeds the log group capacity 9433498.
InnoDB: If you are using big BLOB or TEXT rows, you must set the
InnoDB: combined size of log files at least 10 times bigger than the
InnoDB: largest such row.
150817 23:23:51  InnoDB: ERROR: the age of the last checkpoint is 9442549,
InnoDB: which exceeds the log group capacity 9433498.
InnoDB: If you are using big BLOB or TEXT rows, you must set the
InnoDB: combined size of log files at least 10 times bigger than the
InnoDB: largest such row.

Well, what does all this mean?

The InnoDB redo log (the ib_logfile* files) is too small for the write load: the checkpoint cannot keep up, so the amount of not-yet-checkpointed change ("the age of the last checkpoint") has overtaken the combined size of the log group. The fix is to make the log files bigger, and I found a listing of the steps to take on MySQL's website. Here are those steps fleshed out a little.

1) Make sure innodb_fast_shutdown is not set to 2. A value of 2 skips the flush on shutdown, so the old log files would still hold committed changes and could not be removed safely. Set it to 1 by running the following query:

SET GLOBAL innodb_fast_shutdown = 1;

2) Shut down MySQL and look for errors in the log to make sure nothing went wrong. The line you want to see before going further is "InnoDB: Shutdown completed; log sequence number ...".

service mysqld stop
cat /var/log/mysql.log

3) Move the old log files to a safe place in case something goes wrong. Name the directory explicitly rather than using `..`, so you know where they went:

mkdir /root/ib_logfile.bak
mv /var/lib/mysql/ib_logfile* /root/ib_logfile.bak/

4) Next edit your /etc/my.cnf file (in the [mysqld] group) to increase your InnoDB log size:

innodb_log_file_size = 128M

You may see people suggesting really large values for the log file size; I saw a value of 768M in one StackOverflow answer. If that seems like a suspiciously large, random value to you (especially considering the 5.5 default is 5M), you're on to something. But that begs the question: what should the value be? The error message gives the lower bound (the combined size of the log group must exceed the largest checkpoint age you see, and be at least ten times your largest BLOB/TEXT row), and a larger log trades faster writes for a longer crash recovery. Here is a helpful article on how to properly size your log files.

5) Lastly, watch your /var/log/mysql.log file and start MySQL back up.

service mysqld start

One helpful tip: if MySQL fails to start with "InnoDB: Error: log file ./ib_logfile0 is of different size", you probably tried to skip step 3, like I did. On 5.5 and earlier InnoDB refuses to start when the existing files do not match innodb_log_file_size, so that step matters. It's easy to fix though: either go back and do step 3, or remove your edits from step 4 and restart mysqld. (From MySQL 5.6.8 on, the server recreates the log files at the new size by itself after a clean shutdown, so there step 3 is only a precaution.) You should be all set.
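The same five steps as a guarded script, added here as an example; it is not from the original post or from MySQL's documentation. The paths (my.cnf, datadir, error log, backup directory) and the 128M size are assumptions for a CentOS-style install, and the log parsing targets the 5.5 message format quoted above. The helpers that read the error log and rewrite my.cnf are separate from the part that stops the server, and that part only runs when the script is invoked with `apply`:

```shell
#!/bin/sh
# resize-innodb-log.sh: grow innodb_log_file_size with the safety checks the
# procedure above depends on (clean shutdown verified before the old log
# files are moved; my.cnf backed up before it is rewritten).
MYCNF=${MYCNF:-/etc/my.cnf}
DATADIR=${DATADIR:-/var/lib/mysql}
ERRLOG=${ERRLOG:-/var/log/mysql.log}
BACKUP=${BACKUP:-/root/ib_logfile.bak}
NEWSIZE=${NEWSIZE:-128M}

# Print "age capacity" from the last checkpoint-age error in a log excerpt,
# or nothing if the excerpt contains none.
checkpoint_overrun() {
    printf '%s\n' "$1" | awk '
        /ERROR: the age of the last checkpoint is/ { v = $NF; sub(/,$/, "", v); age = v }
        /which exceeds the log group capacity/      { v = $NF; sub(/\.$/, "", v); cap = v }
        END { if (age != "" && cap != "") print age, cap }'
}

# 0 when the excerpt shows InnoDB finished a clean shutdown. Without this
# line the ib_logfile* still hold committed changes and must not be moved.
clean_shutdown_ok() {
    printf '%s\n' "$1" | grep -q 'InnoDB: Shutdown completed; log sequence number'
}

# Rewrite my.cnf text ($1) so that innodb_log_file_size = $2: replace an
# existing setting, or append a [mysqld] group (repeated groups are allowed).
set_log_file_size() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*innodb_log_file_size'; then
        printf '%s\n' "$1" | sed "s/^[[:space:]]*innodb_log_file_size.*/innodb_log_file_size = $2/"
    else
        printf '%s\n\n[mysqld]\ninnodb_log_file_size = %s\n' "$1" "$2"
    fi
}

apply() {
    mysql -e 'SET GLOBAL innodb_fast_shutdown = 1' || exit 1      # step 1
    service mysqld stop || exit 1                                  # step 2
    clean_shutdown_ok "$(tail -n 200 "$ERRLOG")" \
        || { echo "no clean InnoDB shutdown in $ERRLOG; not touching log files" >&2; exit 1; }
    mkdir -p "$BACKUP" && mv "$DATADIR"/ib_logfile* "$BACKUP"/ || exit 1   # step 3
    cp -p "$MYCNF" "$MYCNF.bak"                                    # step 4
    tmp=$(mktemp) || exit 1
    set_log_file_size "$(cat "$MYCNF")" "$NEWSIZE" > "$tmp" && mv "$tmp" "$MYCNF"
    service mysqld start                                           # step 5
    tail -n 50 "$ERRLOG"
}

[ "${1:-}" = apply ] && apply
```

`checkpoint_overrun "$(tail -n 100 /var/log/mysql.log)"` tells you how far the checkpoint age overshot the capacity, which is the minimum the new log group has to beat.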
Posted in Linux, MySQL | Leave a comment

How to (Automatically) Backup Your Website into Dropbox

As owners of websites, one of the more important things you should do is to regularly backup the website. Most web hosting providers will enable daily or weekly backups, mainly for their disaster recovery purpose only. You can do backup of website by yourself using the Backup function in hosting control panels like cPanel, Plesk and DirectAdmin.

A good backup should have following criteria:

  • Backup your data as frequently as possible.
  • Give higher priority to critical data like database and web contents. Try to exclude temporary files.
  • Your backup should NOT be saved inside the same server.
  • Your backup should be retrievable and accessible anytime, anywhere.
  • You should get notified for every backup status which has been scheduled.
  • Your backup should be compressed, if disk space or bandwidth is your concern.

Cloud storage is becoming the best way to store files. Popular providers like Amazon S3, Dropbox, iCloud and Box.net are offering these facilities for free with some limitations. But, none of them are supporting FTP as the medium to transfer while almost all of webhosting providers only allow this transfer method.

Backup Box

Here’s where Backup Box comes in. Backup Box helps you securely transfer anything on an FTP server to your Dropbox account. Actually, Backup Box can integrate your FTP account with cloud storage providers like Amazon, GitHub, Box.net and Flickr as well. At this very moment, only Dropbox integration is supported while the others are still under development. It is free to use, with limited features like monthly backup schedule and immediate transfer schedule. In this post, I am focusing on preparing the backup data for weekly backup while running on cPanel server.

We can use this tool in two ways: 1) directly copying the web directory over FTP and transferring it to Dropbox (compressed or uncompressed), or 2) creating a compressed backup (a cPanel backup) and using FTP to fetch that backup into Dropbox.

Before we proceed with the tutorial, ensure that you have following required information:

  • An FTP account which is mapped to your web directory. Get it from your hosting control panel.
  • A Dropbox account. You can register here for free.
  • A Backup Box account. You can register here for free.

Web directory > FTP > Dropbox

Since the database is also important, we need to prepare the database backup and put it into our web directory. If you are running on Linux hosting, you can use a task scheduler called a cron job with some help from mysqldump. In cPanel, it is located under cPanel > Advanced > Cron jobs.

Let’s use the following data as an example:

Web directory path: /home/mycpanel/public_html
cPanel username: mycpanel
cPanel password: mypass123$

Create a new weekly cron job and use the following command:

mysqldump --opt -Q -u mycpanel -p'mypass123$' --all-databases > /home/mycpanel/public_html/databases.sql

Two caveats before you copy that line. Anything under public_html is served by the web server, so a full dump of every database sitting at http://www.yourwebsite.com/databases.sql can be downloaded by anyone who guesses the name; write it to a directory outside public_html (and point the Backup Box FTP account at that directory, as the second method below does), or at least password-protect the directory. And a password passed with -p on the command line is visible to every other user of a shared server through ps while the dump runs; put it in a mode-0600 option file in your home directory and use --defaults-extra-file instead.

This will create an SQL backup file which includes all the databases under your cPanel account. Log in to Backup Box. On the left panel, log in to the FTP account by clicking the ‘gear’ icon. On the right panel, log in to your Dropbox account.

[screenshot: transfer-public-html]

You can choose Transfer public_html as a folder in the Transfer Options. This will transfer the whole public_html folder, including all files, into your Dropbox account. You can now start the immediate transfer by clicking Review. Once done, you can create a Monthly schedule to automate this backup task monthly: just click Monthly > select Date and Time > Finalize and Run. Note: if you want weekly or daily backups, you need to upgrade your subscription as stated on the website. Do not forget to change the cron job timing to match when you want the backup schedule to run.
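The database step done the way the caveats above ask for, as an added example (it is not from the original post or from Backup Box). It assumes a backup directory /home/mycpanel/backups outside public_html, mapped to the Backup Box FTP account, and an option file ~/.my-backup.cnf; the prune step keeps the last four dumps so the folder does not grow without bound:

```shell
#!/bin/sh
# db-backup.sh: weekly database dump for the Backup Box FTP folder, with the
# password kept out of the process list and the dump kept out of the web root.
umask 077
BACKUP_DIR=${BACKUP_DIR:-/home/mycpanel/backups}   # outside public_html
CNF=${CNF:-$HOME/.my-backup.cnf}
KEEP=${KEEP:-4}

# Write a mode-0600 option file; mysqldump reads the password from here, so
# it never shows up in `ps` or in the cron job definition.
write_cnf() {   # $1 = path, $2 = MySQL user, $3 = password
    umask 077
    printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1"
    chmod 600 "$1"
}

# Dump all databases, compressed, into $BACKUP_DIR/all-YYYYMMDD-HHMM.sql.gz.
# Works on a temporary name first so a half-written file is never transferred.
dump_all() {
    stamp=$(date +%Y%m%d-%H%M)
    out="$BACKUP_DIR/all-$stamp.sql.gz"
    tmp="$BACKUP_DIR/.all-$stamp.sql"
    mkdir -p "$BACKUP_DIR"
    if mysqldump --defaults-extra-file="$CNF" --opt -Q --single-transaction \
           --all-databases > "$tmp" && gzip "$tmp"; then
        mv "$tmp.gz" "$out" && echo "$out"
    else
        rm -f "$tmp" "$tmp.gz"
        echo "mysqldump failed" >&2
        return 1
    fi
}

# Keep only the newest $2 dumps in $1 (the names sort chronologically).
prune_old() {
    ls -1 "$1"/all-*.sql.gz 2>/dev/null | sort -r | tail -n +"$(( $2 + 1 ))" \
        | while read -r f; do rm -f "$f"; done
}

# One-off:  printf '%s\n' 'mypass123$' | db-backup.sh init mycpanel
# Cron:     0 3 * * 0 /home/mycpanel/bin/db-backup.sh run
case "${1:-}" in
    init) read -r pw; write_cnf "$CNF" "$2" "$pw" ;;   # password read from stdin
    run)  dump_all && prune_old "$BACKUP_DIR" "$KEEP" ;;
esac
```

The `init` step reads the password from standard input rather than an argument, for the same reason the dump does not take it on the command line.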

cPanel backup > FTP > Dropbox

The good thing about cPanel is that you can generate your own backup automatically through the cPanel API. In this case we will use a PHP script, run on a schedule, to generate the backup. Since the backup location needs to be used exclusively by Backup Box, we will create an FTP account that is mapped to a new backup folder.

Go to cPanel > FTP and create an FTP account as in the screenshot below. Do not create the FTP directory under public_html, because it would be publicly accessible via a web browser (unless you protect the directory with a password):

[screenshot: add-ftp-account]

We need to use PHP with cPanel API to trigger the backup process. Download this file (cpanel-php-backup.zip) and unzip it. You should see 2 files, cpanel-backup.php and xmlapi.php.inc. Change all required information inside cpanel-backup.php as below:

// Credentials for cPanel account
$source_server_ip = ""; // Server IP or domain name eg: 212.122.3.77 or cpanel.domain.tld
$cpanel_account = ""; // cPanel username
$cpanel_password = ""; // cPanel password
// Credentials for FTP to Backup Box
$ftpacct = ""; // FTP account
$ftppass = ""; // FTP password
$email_notify = ''; // Email address for backup notification

Save the file and upload both files to your account using FTP. The post puts them in public_html so that a backup can be started by opening the PHP file in a browser, usually http://www.yourwebsite.com/cpanel-backup.php. Be aware of what that means: the file holds your cPanel password in clear text, and anyone on the internet who finds the URL can start a full account backup at will (each run consumes disk and CPU). Keeping the script outside public_html and running it from cron only is the safer arrangement; if you want the browser trigger, put the script in a password-protected directory.

In order to automate cPanel backup creation, we need to setup a weekly cron job into cPanel and use following command:

php -q /home/username/public_html/cpanel-backup.php

Here is a sample:

[screenshot: add-new-cron-job]

Log in to Backup Box. On the left panel, log in to the FTP account (use the Backup Box FTP account created above) and on the right panel, log in to your Dropbox account:

[screenshot: transfer-only-content-of]

Since the backup files are stored in a dedicated folder, we only need to transfer its contents. Select Transfer only the contents of / in the Transfer Options as the transfer method.

You can now start the immediate transfer by clicking Review. This will transfer the contents of the backup folder to Dropbox. Once done, you can create a Monthly schedule to automate this backup task monthly: just click Monthly > select Date and Time > Finalize and Run.

Note: if you want weekly or daily backups, you need to upgrade your subscription as stated on the website. If you do, do not forget to change the cron job timing to match your backup schedule. Another thing: the PHP script deletes all previous cPanel backups before it generates a new one, so that the backups do not eat up too much disk space. That also means only one copy exists on the server; the earlier copies you keep are the ones already transferred to Dropbox.

Posted in Backup, CPanel | Tagged | Leave a comment

How to force www or non-www in htaccess

You need to create a .htaccess file under the webroot directory of your domain and store the following code in it.

Be sure to replace ‘test.com‘ with your actual domain name. NOTE: do not place both blocks in the file; the second would redirect back to the first and the browser would loop until it gives up.

#Force www:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^test\.com$ [NC]
RewriteRule ^(.*)$ http://www.test.com/$1 [L,R=301]

#Force non-www:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.test\.com$ [NC]
RewriteRule ^(.*)$ http://test.com/$1 [L,R=301]

The dots in the host pattern are escaped and the pattern is anchored with $; an unanchored ^test.com also matches hosts such as test.com.evil.example, and HTTP_HOST is whatever the client sent. If the site is served over HTTPS, change the redirect target to https:// so the 301 does not send visitors back to plain HTTP.

Now, when you type in your domain name with either www in front or not, it should display as you have set it in the .htaccess file.

Posted in Linux | Leave a comment

Setting up TCP Wrappers and local firewall on a remote host

If you use local firewall rules and TCP wrappers on a remote host where you might get locked out, with no easy way to log in again, here is a quick howto on playing it safe. The trick is to set up a couple of cron jobs that undo whatever you stuffed up.

I scheduled two jobs that recur every 10 minutes. That gives you 10-minute windows of configuring/testing before the security resets.

Set two cron jobs:

[root@kanyakonil root]# crontab -l
*/10 * * * * cp /root/hosts.deny /etc/hosts.deny
*/10 * * * * /sbin/iptables --flush

Two things to keep in mind. The flush only opens the host back up because the INPUT chain's policy is ACCEPT (see the listing below); if you ever set the policy to DROP, the reset job must also run iptables -P INPUT ACCEPT, or the flush leaves you just as locked out. And the jobs are themselves a hole while they exist, so remove them from the crontab as soon as the rules are final and saved.
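The two cron jobs as an arm/disarm script, added here as an example (not from the original post). It tags the entries so they can be removed again without editing the crontab by hand, and the reset line sets the INPUT policy to ACCEPT before flushing so it also works if the policy was changed to DROP. The path of the saved hosts.deny copy is the one used above; everything else is an assumption:

```shell
#!/bin/sh
# fw-safety-net.sh arm|disarm : install or remove the two reset jobs.
MARK='# fw-safety-net'
HOSTS_DENY_BACKUP=${HOSTS_DENY_BACKUP:-/root/hosts.deny}

# The two cron lines, tagged so disarm can find them again.
safety_lines() {
    printf '%s\n' \
      "*/10 * * * * cp $HOSTS_DENY_BACKUP /etc/hosts.deny $MARK" \
      "*/10 * * * * /sbin/iptables -P INPUT ACCEPT; /sbin/iptables --flush $MARK"
}

# $1 = current crontab text; prints it without the tagged lines (and without
# blank lines). Pure text transformation, no crontab call.
disarm_crontab() {
    printf '%s\n' "$1" | grep -v -- "$MARK" | grep -v '^$' || true
}

# $1 = current crontab text; prints it with the safety lines present exactly once.
arm_crontab() {
    disarm_crontab "$1"
    safety_lines
}

arm()    { arm_crontab    "$(crontab -l 2>/dev/null)" | crontab -; }
disarm() { disarm_crontab "$(crontab -l 2>/dev/null)" | crontab -; }

case "${1:-}" in
    arm)    [ -f "$HOSTS_DENY_BACKUP" ] || { echo "copy /etc/hosts.deny to $HOSTS_DENY_BACKUP first" >&2; exit 1; }
            arm ;;
    disarm) disarm ;;
esac
```

Arm it before touching /etc/hosts.deny or the rules, and disarm it once `service iptables save` has run and an SSH login from your usual address has been re-tested.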

Tcp wrappers:

I made a copy of /etc/hosts.deny file in /root and then waited for the next cron run to test if the copy is really working as expected.

It looked good after cron ran.

# cat /etc/hosts.deny
#
...
#ALL: ALL

Now uncomment the ALL: ALL line in the real /etc/hosts.deny and start testing /etc/hosts.allow rules.

# more /etc/hosts.allow
...
# Host allowed to SSH
sshd: xx.xx.xx.xx

Test from a non-allowed host and from an allowed one.

Feb 24 05:32:56 kanyakonil sshd[12346]: pam_unix(sshd:session): session opened for user aharon by (uid=0)
Feb 24 05:33:43 kanyakonil sshd[12380]: refused connect from host.domain.com (::ffff:xx.xx.xx.xx)
Feb 24 05:34:34 kanyakonil sshd[12386]: Accepted password for aharon from xx.xx.xx.xx port 37415 ssh2
Feb 24 05:34:34 kanyakonil sshd[12386]: pam_unix(sshd:session): session opened for user aharon by (uid=0)

Now lets go tune the firewall rules…

List rules:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Saved rules in this file:

# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Delete unneeded rules:

# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT

Check (and test using something like nmap):

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

kanyakonil@philip:~$ sudo nmap -A -T4 192.168.1.3

Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-16 22:42 WIT
Interesting ports on 192.168.1.3:
Not shown: 1693 filtered ports
PORT    STATE  SERVICE     VERSION
80/tcp  open   http        Apache httpd 2.2.0 ((Linux/SUSE))
113/tcp closed auth
139/tcp open   netbios-ssn Samba smbd 3.X (workgroup: HOME)
445/tcp open   netbios-ssn Samba smbd 3.X (workgroup: HOME)
MAC Address: 00:0D:88:B3:72:F3 (D-Link)
Device type: general purpose|WAP|specialized|storage-misc|broadband router
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (97%), Siemens linux (93%), Atmel Linux 2.6.X (92%), Inventel embedded (89%), Linksys Linux 2.4.X (89%), Asus Linux 2.4.X (89%), Maxtor Linux 2.4.X (89%), Netgear embedded (87%)
Aggressive OS guesses: Linux 2.6.13 - 2.6.18 (97%), Siemens Gigaset SE515dsl wireless broadband router (93%), Linux 2.6.11 - 2.6.15 (Ubuntu or Debian) (93%), Linux 2.6.15-27-686 (Ubuntu Dapper, X86) (93%), Atmel AVR32 STK1000 development board (runs Linux 2.6.16.11) (92%), Linux 2.6.14 - 2.6.17 (92%), Linux 2.6.17 - 2.6.18 (x86) (92%), Linux 2.6.17.9 (X86) (92%), Linux 2.6.9-42.0.2.EL (RedHat Enterprise Linux) (92%), Linux 2.6.9 - 2.6.12 (x86) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 58.830 seconds


Save the rules:

# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]

Check stored rules:

# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Fri Feb 24 05:48:21 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [734:96465]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Feb 24 05:48:21 2012

Check running rules:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
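A saved ruleset is only as good as the last person who read it. The script below is an added example (not part of the original post): it audits iptables-save text, lists the ports the INPUT chain accepts, flags any port not on an allow-list, and checks that the chain ends in a catch-all REJECT/DROP. That last check matters here because the INPUT policy above is ACCEPT, so without the final REJECT rule anything unmatched would be let in. RULESET is a constructed copy of the /etc/sysconfig/iptables shown above; in use, pipe in real `iptables-save` output instead.

```shell
#!/bin/sh
# Added example, not from the original post: audit an iptables-save ruleset
# against an allow-list of ports and check that INPUT does not fall through
# to ACCEPT. RULESET is a constructed copy of the saved file shown above.

RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [734:96465]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# accepted_dports: read iptables-save text on stdin and print the destination
# port of every INPUT ACCEPT rule that carries a --dport, one per line, in rule order
accepted_dports() {
    awk '/^-A INPUT / && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
         }'
}

# unexpected_dports "22 80 443": read the ruleset on stdin and print every
# accepted port that is not in the space-separated allow-list; exit 1 if any
unexpected_dports() {
    allowed=" $1 "
    found=0
    for p in $(accepted_dports); do
        case "$allowed" in
            *" $p "*) ;;
            *) echo "$p"; found=1 ;;
        esac
    done
    return $found
}

# input_default_denies: exit 0 if the INPUT policy is DROP or the chain has an
# unconditional "-j REJECT" / "-j DROP" rule, i.e. unmatched packets are not accepted
input_default_denies() {
    awk 'BEGIN { deny = 0 }
         /^:INPUT DROP/ { deny = 1 }
         /^-A INPUT -j (REJECT|DROP)/ { deny = 1 }
         END { exit deny ? 0 : 1 }'
}

# demo: a plain web host needs 22, 80 and 443; 9001 and 3001 should make someone ask why
echo "accepted ports: $(echo "$RULESET" | accepted_dports | tr '\n' ' ')"
if echo "$RULESET" | unexpected_dports "22 80 443"; then
    echo "no unexpected ports"
else
    echo "^ open ports that are not on the allow-list"
fi
echo "$RULESET" | input_default_denies && echo "INPUT ends in REJECT/DROP: unmatched traffic is refused"
```

Run it as `iptables-save | unexpected_dports "22 80 443"` from a cron job or a deploy check and treat a non-zero exit as a finding; the allow-list is the one thing that has to be maintained by hand.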
Posted in Security | Leave a comment

Some Shell Scripts

Shell Script to add zone to DNS server.

The nameservers and the secondary that is allowed to pull zone transfers are fixed inside the script; change them for your own setup:

NS1 = ns1.example.net
NS2 = ns2.example.net
allow-transfer = 10.10.11.243

#!/bin/bash
# Creates a master zone file for a domain under /var/named/<first letter>/,
# appends the zone stanza to /etc/named/named.zone and reloads named.
# Usage: addzone.sh [domain] [ip]   (prompts for whatever was not given)
grep=`which grep`
rndc=`which rndc`
# check to see if the script is being run as root or not
if [ "$(id -u)" != "0" ]; then
    echo "You must be root in order to run this script. You are `whoami`."
    exit 1
fi
# if this is a cPanel server, exit the script as a DNS zone can be created from WHM
if [ -d "/usr/local/cpanel" ]; then
    echo "This is a cPanel box. You can create the DNS zone from WHM."
    exit 1
# if this is a Plesk server, exit the script as the DNS zone can be created from Plesk itself
elif [ -d "/usr/local/psa" ]; then
    echo "This is a Plesk box. You can create the DNS zone from the Plesk Control Panel."
    exit 1
fi
# domain and IP: use the command-line arguments if given, otherwise prompt
domain=$1
if [ -z "$domain" ]; then
    echo "Please enter the domain name"
    read domain
fi
ip=$2
if [ -z "$ip" ]; then
    echo "Please enter the IP address for the domain"
    read ip
fi
# the domain becomes part of a file path and of a named.conf stanza, so accept
# only hostname characters (letters, digits, hyphen, dot), no leading/trailing dot, no ".."
case "$domain" in
    ''|.*|*.|*..*|*[!A-Za-z0-9.-]*)
        echo "$domain is not a valid domain name, exiting script!"
        exit 1 ;;
esac
# shape check: four dot-separated groups of 1-3 digits ...
test=`echo "${ip}." | $grep -E "^([0-9]{1,3}\.){4}$"`
if [ -z "$test" ]; then
    echo "${ip} is not a valid IP address, exiting script!"
    exit 1
fi
# ... then a range check on each octet; awk's exit status is what the shell tests
# (an "exit 1" inside awk only ends awk, it never stopped the script in the original)
if ! echo "$ip" | awk -F. '{ if ($1<=255 && $2<=255 && $3<=255 && $4<=255) exit 0; exit 1 }'; then
    echo "$ip: Please specify a correct IP address."
    exit 1
fi
echo "$ip is a valid IP address. Using this IP."
echo "The zone file for the domain $domain will be created using $ip."
# (prompts for an admin contact and for the primary/secondary nameservers were
#  commented out in the original; the NS records below are fixed to ns1/ns2.example.net)
# ok, so enough with the chit-chat, let's move on to the DNS stuff
serial=`date +%Y%m%d00`
folder=`echo $domain|cut -c1`
zonefile=/var/named/$folder/$domain.zone
mkdir -p /var/named/$folder
cat > "$zonefile" <<EOF
\$ORIGIN .
\$TTL 600     ; 10 minutes
$domain   IN     SOA    ns1.$domain. root.ns1.example.net. (
               $serial    ; serial, todays date + todays serial
               7200           ; refresh, seconds
               3600            ; retry, seconds
               43200         ; expire, seconds
               3600 )            ; minimum, seconds
                  IN       A    $ip
                  IN       NS    ns1.example.net.
                  IN       NS    ns2.example.net.
                  IN       MX    5 mail.$domain.
\$ORIGIN $domain.
mail.$domain. IN     A     $ip
www           IN     CNAME $domain.
ftp           IN     A     $ip
sql           IN     A     $ip
ns1           IN     A     $ip
ns2           IN     A     $ip
EOF
echo "Done creating DNS zone, adding the zone to named.conf in named.zone file"
cat >> /etc/named/named.zone <<EOF
zone "$domain" IN {
     type master;
     file "$zonefile";
     allow-transfer {
     10.10.11.243;
     };
};
EOF
echo "Zone added to named.conf. Reloading named"
sleep 2
# make sure the zone parses before asking named to load it
if command -v named-checkzone >/dev/null; then
    named-checkzone "$domain" "$zonefile" || { echo "zone file failed named-checkzone, fix it before reloading"; exit 1; }
fi
# rndc reload picks up the new zone; fall back to a restart only if rndc is not working
$rndc reload || /etc/init.d/named restart
echo "All done"
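The operator types the domain and IP in, but they still end up in a path under /var/named and inside a named.conf stanza, so a name like `../../etc/named.conf` or one containing a quote and a semicolon must never get that far. The block below is an added example, not part of the original script: POSIX sh validators for a hostname and an IPv4 address, plus a function that prints the same zone stanza the script appends but refuses to do so for anything that fails validation. The inputs in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original script: input validation for the
# zone-adding procedure above. Demo inputs are constructed.

# valid_domain NAME: 0 if NAME is a hostname of at least two labels, each 1-63
# characters of letters, digits and hyphens with no leading or trailing hyphen
# (RFC 1123), total length at most 253; anything else (slashes, quotes,
# spaces, ".." traversal, leading/trailing dot) returns 1
valid_domain() {
    name=$1
    [ -n "$name" ] && [ ${#name} -le 253 ] || return 1
    case "$name" in
        *.*) ;;                  # need at least one dot
        *) return 1 ;;
    esac
    case "$name" in
        .*|*.|*..*) return 1 ;;  # would give an empty label
    esac
    old_ifs=$IFS; IFS=.
    set -- $name
    IFS=$old_ifs
    for label in "$@"; do
        case "$label" in
            -*|*-|*[!A-Za-z0-9-]*) return 1 ;;
        esac
        [ ${#label} -le 63 ] || return 1
    done
    return 0
}

# valid_ipv4 ADDR: 0 if ADDR is exactly four dot-separated decimal octets 0-255
valid_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# zone_stanza DOMAIN TRANSFER_IP: print the named.conf stanza the script above
# appends (same layout), but only after both inputs pass validation
zone_stanza() {
    valid_domain "$1" || { echo "bad domain: $1" >&2; return 1; }
    valid_ipv4 "$2" || { echo "bad transfer address: $2" >&2; return 1; }
    folder=$(printf '%s' "$1" | cut -c1)
    printf 'zone "%s" IN {\n    type master;\n    file "/var/named/%s/%s.zone";\n    allow-transfer { %s; };\n};\n' \
        "$1" "$folder" "$1" "$2"
}

# demo: constructed inputs, including three that an unchecked script would
# happily write into a file name and into named.conf
for d in example.net sub.example.net '../../etc/named.conf' \
         'evil.net"; include "/etc/passwd' '-bad.example.net'; do
    if valid_domain "$d"; then echo "accept: $d"; else echo "reject: $d"; fi
done
zone_stanza example.net 10.10.11.243
```

Drop the two validators into the script right after the `read` prompts; everything after them can then use `$domain` and `$ip` in paths and config text without further quoting gymnastics.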


Script to check if IP is blacklisted

#!/bin/sh
# -- $Id: blcheck.xml,v 1.8 2007/06/17 23:38:00 j65nko Exp $ --

#*/15 * * * * sh /root/spam.sh 38.111.101.66|mail -s "Spam Report in 15 Min" inct@rohtan.com
#*/15 * * * * sh /root/spam.sh 38.111.101.100|mail -s "Spam Report in 15 Min" inct@rohtan.com

# Check if an IP address is listed on one of the following blacklists
# The format is chosen to make it easy to add or delete
# The shell will strip multiple whitespace

BLISTS="
    cbl.abuseat.org
    dnsbl.sorbs.net
    bl.spamcop.net
    zen.spamhaus.org
    combined.njabl.org
"

# simple shell function to show an error message and exit
#  $0  : the name of shell script, $1 is the string passed as argument
# >&2  : redirect/send the message to stderr

ERROR() {
  echo "$0 ERROR: $1" >&2
  exit 2
}

# -- Sanity check on parameters
[ $# -ne 1 ] && ERROR 'Please specify a single IP address'

# -- if the address consists of 4 groups of minimal 1, maximal digits, separated by '.'
# -- reverse the order
# -- if the address does not match these criteria the variable 'reverse will be empty'

reverse=$(echo "$1" |
  sed -ne "s~^\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)$~\4.\3.\2.\1~p")

# ERROR exits the script itself, so nothing needs to follow the call
if [ "x${reverse}" = "x" ] ; then
      ERROR  "IMHO '$1' doesn't look like a valid IP address"
fi

# Assuming an IP address of 11.22.33.44 as parameter or argument

# If the IP address in $1 passes our crude regular expression check,
# the variable  ${reverse} will contain 44.33.22.11
# In this case the test will be:
#   [ "x44.33.22.11" = "x" ]
# This test will fail and the program will continue

# An empty '${reverse}' means that shell argument $1 doesn't pass our simple IP address check
# In that case the test will be:
#   [ "x" = "x" ]
# This evaluates to true, so the script will call the ERROR function and quit

# -- do a reverse ( address -> name) DNS lookup
REVERSE_DNS=$(dig +short -x $1)

echo IP $1 NAME ${REVERSE_DNS:----}

# -- cycle through all the blacklists
for BL in ${BLISTS} ; do

    # print the UTC date (without linefeed)
    printf '%s' "$(env TZ=UTC date "+%Y-%m-%d_%H:%M:%S_%Z")"

    # show the reversed IP and append the name of the blacklist
    printf "%-40s" " ${reverse}.${BL}."

    # use dig to lookup the name in the blacklist: a listing comes back as one
    # or more 127.x.x.x addresses, an empty answer means "not listed"
    LISTED="$(dig +short -t a ${reverse}.${BL}.)"
    echo ${LISTED:----}

done

# --- EOT ------
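The script prints whatever dig returns, which is enough to see "listed or not", but the answer carries more than that: the low octets of the 127.x.x.x address encode why the IP is listed, and zen.spamhaus.org answers in 127.255.255.0/24 when the query itself is the problem (a typing error, a query through a public/open resolver, or the free query limit being exceeded) rather than the IP. Treating one of those as a listing is a classic false positive. The block below is an added example, not part of the script above: it builds the lookup name, then classifies a dig answer into not listed, listed with a reason, or query error. The Spamhaus return codes are the documented ones for zen (127.0.0.2 SBL, 127.0.0.3 CSS, 127.0.0.4-7 XBL, 127.0.0.10-11 PBL); other lists fall back to printing the raw code. The sample answers are constructed, not taken from a live lookup. Note also that combined.njabl.org no longer operates, so that entry in BLISTS will never return anything.

```shell
#!/bin/sh
# Added example, not part of the original script: decode a DNSBL answer
# instead of only printing it. Sample answers below are constructed.

# reverse_ip 11.22.33.44 -> 44.33.22.11 ; prints nothing for a malformed address
reverse_ip() {
    echo "$1" | sed -ne 's~^\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)$~\4.\3.\2.\1~p'
}

# dnsbl_query IP BL -> the name whose A record is looked up in blacklist BL
dnsbl_query() {
    r=$(reverse_ip "$1")
    [ -n "$r" ] || return 1
    echo "$r.$2."
}

# classify_answer BL ANSWER: ANSWER is what "dig +short -t a" returned (empty,
# one line, or several). Prints one of notlisted / listed:<reason> / error:<detail>
# per answer line and exits 0 = not listed, 1 = listed, 2 = query error
classify_answer() {
    bl=$1
    answer=$2
    [ -n "$answer" ] || { echo notlisted; return 0; }
    for a in $answer; do
        case "$bl:$a" in
            zen.spamhaus.org:127.255.255.252) echo "error:typing error in query"; return 2 ;;
            zen.spamhaus.org:127.255.255.254) echo "error:query via public/open resolver"; return 2 ;;
            zen.spamhaus.org:127.255.255.255) echo "error:excessive queries"; return 2 ;;
            zen.spamhaus.org:127.0.0.2)       echo "listed:SBL" ;;
            zen.spamhaus.org:127.0.0.3)       echo "listed:SBL CSS" ;;
            zen.spamhaus.org:127.0.0.[4-7])   echo "listed:XBL" ;;
            zen.spamhaus.org:127.0.0.1[01])   echo "listed:PBL" ;;
            *:127.*)                          echo "listed:$a" ;;
            *)                                echo "error:unexpected answer $a"; return 2 ;;
        esac
    done
    return 1
}

# demo with a constructed two-line answer, as a host on both XBL and PBL would give
q=$(dnsbl_query 11.22.33.44 zen.spamhaus.org)
echo "would query: $q"
classify_answer zen.spamhaus.org '127.0.0.4
127.0.0.10' || echo "(exit status $?: 1 = listed, 2 = query error)"
classify_answer zen.spamhaus.org 127.255.255.254 || echo "(exit status $?)"
```

In the loop of the script above, replace `echo ${LISTED:----}` with `classify_answer "$BL" "$LISTED"` and key the cron mail on an exit status of 1 only, so resolver problems raise a different alarm than an actual listing.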

Posted in Linux, Shell Script | Leave a comment

Monitor linux services using bash script

# vi check_httpd.sh

#!/bin/sh
# restart apache if no httpd process is running, log otherwise
MAILTO="admin [at]adminlogs[dot]info"   # replace with a real address
run=`ps ax | grep /usr/local/apache/bin/httpd | grep -v grep | cut -c1-5 | paste -s -`
if [ "$run" ];
then
    echo "apache is running" > /home/admin/check_httpd.log
else
    /usr/local/apache/bin/apachectl -k restart
    mail -s "Apache server restarted by check-httpd script" "$MAILTO" < /usr/local/apache/logs/error.log
fi

Or, checking the web site itself instead of the process list (the restart command is still Apache-specific):

# vi check_httpd.sh

#!/bin/sh
# fetch the front page and throw it away; a non-zero exit from wget means the
# site did not answer (-T: timeout in seconds, -t 1: a single attempt, -O /dev/null:
# do not leave a copy of the page behind on every run)
MAILTO="admin [at]adminlogs[dot]info"   # replace with a real address
wget -q -O /dev/null -T 10 -t 1 http://adminlogs.info:80/
if [ $? -gt 0 ]; then
    /usr/local/apache/bin/apachectl -k restart
    mail -s "Apache server restarted by check-httpd script" "$MAILTO" < /usr/local/apache/logs/error.log
fi

$? holds the exit status of the last command, and -gt means "greater than". Programs normally exit with zero on success and something else on failure, so any non-zero status from wget triggers the restart.

Add the script to the crontab, giving its full path since cron does not run from the script's directory; it will then check the status every 5 minutes:

*/5 * * * * /bin/bash check_httpd.sh

It worked fine and now I have no worry about that website and am getting good sleep :)
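Two things bite this kind of cron check in practice: two runs overlapping (a slow restart still in progress when the next check fires and restarts again), and a restart loop when the site is down for a reason a restart cannot fix, which turns one outage into a mailbox full of identical alerts. The block below is an added example, not from the original post: a POSIX sh wrapper that takes a lock with an atomic mkdir, counts consecutive failures in a state file, restarts on the first failures and switches to alerting once the threshold is reached. The probe, restart and alert commands are parameters; the demo uses `false`/`true` as a constructed probe so it runs offline. The state directory and the threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: lock + consecutive-failure
# counter around a service check, so cron runs never overlap and a persistent
# outage alerts instead of restarting forever. Paths/threshold are assumptions.

# for a root cron job point this at /var/run; a lock in world-writable /tmp can
# be pre-created by any local user to switch the check off
STATE_DIR=${STATE_DIR:-${TMPDIR:-/tmp}/check_httpd.$(id -u)}
MAX_FAILURES=${MAX_FAILURES:-3}   # restart below this many consecutive failures, alert at it

# acquire_lock: mkdir is atomic, so only one cron run gets the lock
acquire_lock() {
    mkdir -p "$STATE_DIR"
    mkdir "$STATE_DIR/lock" 2>/dev/null
}
release_lock() { rmdir "$STATE_DIR/lock" 2>/dev/null; }

# record_result 0|1: update the consecutive-failure counter and print it
record_result() {
    f=$STATE_DIR/failures
    if [ "$1" -eq 0 ]; then
        echo 0 > "$f"
    else
        n=$(cat "$f" 2>/dev/null || echo 0)
        echo $((n + 1)) > "$f"
    fi
    cat "$f"
}

# decide FAILURES: prints ok, restart or alert
decide() {
    if [ "$1" -eq 0 ]; then echo ok
    elif [ "$1" -ge "$MAX_FAILURES" ]; then echo alert
    else echo restart
    fi
}

# run_check PROBE_CMD RESTART_CMD ALERT_CMD: one cron invocation. Prints the
# action taken; exit 3 if another run still holds the lock
run_check() {
    acquire_lock || { echo "another check is still running" >&2; return 3; }
    if sh -c "$1" >/dev/null 2>&1; then rc=0; else rc=1; fi
    action=$(decide "$(record_result $rc)")
    case "$action" in
        restart) sh -c "$2" ;;
        alert)   sh -c "$3" ;;
    esac
    release_lock
    echo "$action"
}

# demo with constructed probes: "false" plays a site that does not answer,
# "true" a healthy one; restart/alert commands only print what they would do
rm -rf "$STATE_DIR"
for probe in false false false true; do
    run_check "$probe" 'echo "  -> apachectl -k restart"' 'echo "  -> mail the admin, stop restarting"'
done
```

For the real job the call becomes `run_check 'wget -q -O /dev/null -T 10 -t 1 http://adminlogs.info/' '/usr/local/apache/bin/apachectl -k restart' 'mail -s "apache still down" admin < /usr/local/apache/logs/error.log'` from the `*/5` crontab entry; the counter resets to zero on the first successful probe.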

Posted in Apache, Linux, Optimize, Shell Script | Leave a comment