Forwarder zone

If you want a name server to forward queries for certain domain names to another name server, use a zone statement of type forward to tell a BIND server to forward queries for domain names that end in the specified suffix to particular name servers. For example:

zone "example.net" {
    type forward;
    forwarders { 10.10.10.20; };
};

This tells the name server to forward queries for domain names that end in example.net to the name server at 10.10.10.20.

As with the corresponding options sub-statement, you can list multiple forwarders in the forwarders sub-statement. Two things to check before relying on this: the forwarders must accept recursive queries from this server (their allow-recursion), and unless you add forward only; to the zone, BIND's default of forward first means it silently falls back to iterative resolution when the forwarders do not answer.


Stub zones

Stub zones are a little like slave zones, in that the name server periodically checks with its master server to see if the zone's serial number has changed. But instead of transferring the whole zone, it retrieves just the zone's SOA and NS records, plus any necessary glue A records, using ordinary queries rather than a zone transfer. That is enough information to tell the name server where to begin iterative resolution of domain names that end in the stub zone's name. For example, here is a stub zone definition very similar to the forward zone:

zone "example.org" {
    type stub;
    masters { 10.10.10.20; };
    file "example.org.zone";
};

Rather than sending a recursive query to the name server at 10.10.10.20 for every domain name that ends in example.org, this name server learns the example.org NS records and sends one of those name servers a non-recursive query for the name it needs, then follows any referrals to find the answer. This is less work for the name server at 10.10.10.20, but it requires connectivity from the local server to every name server it might be referred to, and the stub's master must answer the SOA/NS queries from this server.
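Here, as an added example that is not part of the original posts, are the two zone types side by side in a named.conf fragment, together with the two settings that usually bite in practice. The addresses and zone names are the ones the posts use; the allow-recursion network is an assumption.

```conf
// Added example (not from the original posts). 10.10.10.20, example.net and
// example.org are taken from the posts; the allow-recursion network is assumed.
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };   // assumption: internal clients only
};

// Forward zone: every query under example.net goes to the forwarder.
// "forward only" makes the query fail if the forwarder is down; the default,
// "forward first", would quietly fall back to iterating from the root servers.
zone "example.net" {
    type forward;
    forward only;
    forwarders { 10.10.10.20; };
};

// Stub zone: BIND keeps only the SOA, NS and glue records fetched from the
// master and then queries example.org's own name servers directly.
zone "example.org" {
    type stub;
    masters { 10.10.10.20; };
    file "example.org.zone";
};
```

Run named-checkconf on the result before reloading. With forward only, a forwarder outage makes example.net unresolvable from this server; on an internal resolver that is usually what you want, rather than a silent fall-through to the public roots.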


Tips to secure your Apache Server

As a sysadmin, you should secure your Apache web server. The directives below are written for Apache 2.2 (the version on the RHEL/CentOS hosts used in the examples); the access-control syntax in particular changed in 2.4, which is noted where it matters.

  1. Hide Apache Version and OS Identity

Open the configuration file and search for ServerSignature. The stock RHEL/CentOS httpd.conf ships with it On, which appends the server version (and the ServerAdmin address, if set to EMail) to server-generated pages such as error pages and directory listings. Set it to Off, and add ServerTokens Prod so that the Server response header sent with every response carries only "Apache", suppressing the OS, major and minor version information:

ServerSignature Off
ServerTokens Prod

Following are possible ServerTokens values:

  • ServerTokens Prod displays "Server: Apache"
  • ServerTokens Major displays "Server: Apache/2"
  • ServerTokens Minor displays "Server: Apache/2.2"
  • ServerTokens Min displays "Server: Apache/2.2.17"
  • ServerTokens OS displays "Server: Apache/2.2.17 (Unix)"
  • ServerTokens Full displays "Server: Apache/2.2.17 (Unix) PHP/5.3.5" (this is the default if you do not set ServerTokens at all)

Confirm the change from a client by requesting the site with curl -sI and looking at the Server header in the response.
  2. Disable Directory Listing

By default Apache lists the contents of a directory when there is no index file in it (this needs mod_autoindex and the Indexes option, both enabled in the stock configuration). Listings expose file names, backups and other material you never intended to publish.

We can turn off directory listing with the Options directive for a specific directory, in httpd.conf or apache2.conf:

<Directory /var/www/html>
    Options -Indexes
</Directory>
  3. Keep Apache Updated

The Apache project fixes security issues continuously, so run the most recent version your platform supports. Note that RHEL/CentOS backport security fixes without changing the version number, so on those systems the version string alone does not tell you whether a given fix is present; check the package changelog instead.

To check the installed version, run httpd -v:

# httpd -v
Server version: Apache/2.2.15 (Unix)
Server built:   Aug 13 2013 17:29:28

You can update your version with the following command.

# yum update httpd

It is also recommended to keep your kernel and OS on the latest stable releases, unless you run an application that only works on a specific OS or kernel version.

  4. Disable Unnecessary Modules

The fewer modules are loaded, the smaller the attack surface, so disable the modules you do not use. The LoadModule lines in httpd.conf show which shared modules are loaded (httpd -M lists everything actually loaded, static and shared, and is the authoritative check):

# grep LoadModule /etc/httpd/conf/httpd.conf

# have to place corresponding `LoadModule' lines at this location so the
# LoadModule foo_module modules/mod_foo.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
....

Of the modules loaded by default, mod_imap, mod_include, mod_info, mod_userdir and mod_autoindex are often not needed. To disable a module, put a # at the beginning of its LoadModule line, run httpd -t to check that the configuration still parses, and restart the httpd service.

  5. Run Apache as a Separate User and Group

With a default installation Apache runs as user daemon (upstream build) or the distribution's account (apache on RHEL, www-data on Debian); older builds used nobody, an account shared with other daemons. It is better to run Apache under its own unprivileged account, so that a compromised worker process shares no identity with anything else on the host. For example, apacheadmin:

Create the Apache user and group. The account gets no login shell (/sbin/nologin on RHEL/CentOS, /usr/sbin/nologin on Debian):
# groupadd apacheadmin
# useradd -d /var/www/ -g apacheadmin -s /sbin/nologin apacheadmin

Now tell Apache to run as this user: open /etc/httpd/conf/httpd.conf, find the User and Group directives, set them to the new names and restart the service.

User apacheadmin
Group apacheadmin
  6. Use Allow and Deny to Restrict Access to Directories

We can restrict access to directories with the Allow and Deny directives in httpd.conf. In this example we lock down the filesystem root so that nothing is served unless a more specific <Directory> block allows it (on Apache 2.4 the equivalent is Require all denied; the Order/Allow/Deny form works there only with mod_access_compat loaded):

<Directory />
   Options None
   Order deny,allow
   Deny from all
</Directory>
  1. Options “None” – This option will not allow users to enable any optional features.
  2. Order deny, allow – This is the order in which the “Deny” and “Allow” directives will be processed. Here it will “deny” first and “allow” next.
  3. Deny from all – This will deny request from everybody to the root directory, nobody will be able to access root directory.
  7. Use mod_security and mod_evasive to Secure Apache

These two modules “mod_security” and “mod_evasive” are very popular modules of Apache in terms of security.

Mod_security

mod_security is a web application firewall: it inspects requests (and optionally responses) against a rule set and can log or block them in real time. It protects against brute force and injection attempts only to the extent its rules say so; the package installs the engine, and you still need a rule set such as the OWASP ModSecurity Core Rule Set. You can install it with your distribution's package manager.

Install mod_security on RHEL/CentOS/Fedora/
# yum install mod_security
# /etc/init.d/httpd restart
Mod_evasive

mod_evasive is a rate limiter: each httpd child keeps a table of recent requests per client address, and an address that exceeds the thresholds gets 403 responses for DOSBlockingPeriod seconds (default 10). That blunts single-source HTTP floods and brute-force attempts; it does little against a distributed attack, and because the table is kept per child process the effective thresholds are higher than the configured ones under prefork. It blocks an address when:

  1. it requests the same page more than DOSPageCount times within DOSPageInterval (defaults: 2 requests in 1 second);
  2. it requests more than DOSSiteCount objects anywhere on the site within DOSSiteInterval (defaults: 50 requests in 1 second);
  3. it keeps sending requests while it is already blocked.

mod_evasive is usually built from source or installed from a third-party repository (EPEL on RHEL/CentOS). Both modules need their own configuration before they do anything useful.

  8. Disable Apache's Following of Symbolic Links

Apache follows symbolic links wherever Options FollowSymLinks is enabled, and the stock httpd.conf enables it for the document root. Because a symlink inside the document root can point anywhere on the filesystem, a link created by a local user or dropped in by an upload can expose content outside the web tree. Turn the option off in the main configuration file:

Options -FollowSymLinks

If a particular site or user really needs symbolic links, enable them for that site only, in its .htaccess file:

# Enable symbolic links
Options +FollowSymLinks

Note: for .htaccess to change Options, the enclosing <Directory> must have AllowOverride Options (or All); rewrite rules need FileInfo. Granting this means anyone who can write to the document root can re-enable FollowSymLinks, which is why the main configuration, with AllowOverride None, is the stronger place to enforce it.

  9. Turn off Server Side Includes and CGI Execution

We can turn off server-side includes (mod_include) and CGI execution if they are not needed, in the main configuration file:

Options -Includes
Options -ExecCGI

We can do this for a particular directory too with the Directory tag. In this example we turn off Includes and CGI execution for /var/www/html/web1:

<Directory "/var/www/html/web1">
Options -Includes -ExecCGI
</Directory>

Here are some other values that can be turned on or off with the Options directive:

  1. Options All – enables every option except MultiViews. This is the Apache 2.2 default when no Options directive applies, which is why restricting it explicitly matters.
  2. Options IncludesNOEXEC – allows server-side includes but disables #exec cmd and #exec cgi, so an include cannot run commands or CGI programs.
  3. Options MultiViews – allows content-negotiated multiviews via the mod_negotiation module.
  4. Options SymLinksIfOwnerMatch – like FollowSymLinks, but a link is followed only when the link and its target are owned by the same user. This is the safer choice when symlinks are needed at all.
  10. Limit Request Size

By default Apache puts no limit on the size of an HTTP request body (LimitRequestBody 0 means unlimited), and accepting arbitrarily large requests makes it easier to exhaust the server's resources in a denial-of-service attack. Set a limit with the LimitRequestBody directive, per directory if you like. (The request line and headers are limited separately; see LimitRequestFields and LimitRequestFieldSize below.)

The value is in bytes, from 0 (unlimited) to 2147483647 (2 GB). Set it according to the site's needs; for example, if the site accepts uploads, limit the upload size for the directory that receives them.

Here in this example, user_uploads is a directory which contains files uploaded by users. We are putting a limit of 500K for this.

<Directory "/var/www/myweb1/user_uploads">
   LimitRequestBody 512000
</Directory>
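To turn the points above into something you can run against a config file, here is a small audit script. It is an added example, not code from the original post: it checks an httpd.conf for ServerSignature/ServerTokens, directory listing, the modules listed as usually unnecessary, the service account, symlink/SSI/CGI options and LimitRequestBody, printing one OK/WARN line per finding and ending with the warning count. The two sample configs it writes are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an httpd.conf against the
# hardening points in this post. Prints OK/WARN lines and a final count; the
# return code is the number of warnings (0 = clean). Both sample configs below
# are constructed for this example.

# Print the value of the last active (uncommented) occurrence of DIRECTIVE.
directive_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print $2}'
}

audit_httpd_conf() {
    conf=$1
    warns=0
    warn() { echo "WARN: $*"; warns=$((warns + 1)); }
    ok()   { echo "OK:   $*"; }

    case $(directive_value "$conf" ServerSignature | tr 'A-Z' 'a-z') in
        off) ok "ServerSignature Off" ;;
        *)   warn "ServerSignature is not Off (version shown on error pages)" ;;
    esac
    case $(directive_value "$conf" ServerTokens | tr 'A-Z' 'a-z') in
        prod) ok "ServerTokens Prod" ;;
        *)    warn "ServerTokens is not Prod (Server header leaks OS/version)" ;;
    esac

    # Run as a dedicated account, not root or a shared system account.
    for d in User Group; do
        v=$(directive_value "$conf" "$d")
        case $v in
            ''|root|nobody|daemon) warn "$d is '${v:-unset}'; use a dedicated unprivileged account" ;;
            *) ok "$d $v" ;;
        esac
    done

    # Modules the post lists as usually unnecessary.
    for m in autoindex include info userdir imagemap; do
        if grep -qiE "^[[:space:]]*LoadModule[[:space:]]+${m}_module" "$conf"; then
            warn "mod_$m is loaded; comment out its LoadModule line if unused"
        fi
    done

    # Every active Options line; a feature counts as enabled unless prefixed with '-'.
    opts=$(grep -iE '^[[:space:]]*Options[[:space:]]' "$conf" | sed 's/^[[:space:]]*[Oo]ptions//')
    for tok in $opts; do
        case $tok in
            -*) ;;
            All|+All)                       warn "Options All enables every feature" ;;
            Indexes|+Indexes)               warn "directory listing enabled (Options Indexes)" ;;
            FollowSymLinks|+FollowSymLinks) warn "FollowSymLinks enabled" ;;
            Includes|+Includes)             warn "server-side includes enabled" ;;
            ExecCGI|+ExecCGI)               warn "CGI execution enabled" ;;
        esac
    done

    if [ -n "$(directive_value "$conf" LimitRequestBody)" ]; then
        ok "LimitRequestBody set"
    else
        warn "LimitRequestBody unset (request bodies are unlimited)"
    fi

    echo "$warns warning(s)"
    return "$warns"
}

# Two constructed configs: a typical out-of-the-box one and a hardened one.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
ServerSignature On
ServerTokens OS
User apache
Group apache
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so
<Directory /var/www/html>
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride All
</Directory>
EOF
    cat > "$1/hardened.conf" <<'EOF'
ServerSignature Off
ServerTokens Prod
User apacheadmin
Group apacheadmin
LoadModule log_config_module modules/mod_log_config.so
LimitRequestBody 512000
<Directory /var/www/html>
    Options -Indexes -FollowSymLinks -Includes -ExecCGI
    AllowOverride None
</Directory>
EOF
}

# Stand-alone demo: audit both samples (the weak one returns 8, hence "|| true").
tmp=$(mktemp -d)
write_samples "$tmp"
audit_httpd_conf "$tmp/weak.conf" || true
echo
audit_httpd_conf "$tmp/hardened.conf"
rm -rf "$tmp"
```

Point audit_httpd_conf at /etc/httpd/conf/httpd.conf (plus any conf.d files that carry these directives) to check a real host; the non-zero return code makes it usable as a gate in a deployment pipeline.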
  11. Protect Against DDoS Attacks and Harden

It is true that you cannot completely protect a web site from a DDoS attack. The following directives give you some control over how much a flood costs the server.

  1. TimeOut: how long the server waits for certain events (the request line, the request body, CGI output) before giving up. The 2.2 default is 300 seconds (60 in 2.4). Keep it low on sites that attract DDoS attacks; the right value depends on the kind of requests the site gets. Note: a low value can break slow CGI scripts.
  2. MaxClients: the maximum number of connections served simultaneously; further connections queue. It applies to both the prefork and worker MPMs, with a default of 256 (renamed MaxRequestWorkers in 2.4).
  3. KeepAliveTimeout: how long the server waits for a subsequent request on a keep-alive connection before closing it. The default is 5 seconds.
  4. LimitRequestFields: the maximum number of header fields accepted in a request; the default is 100. Lower it if attacks arrive as requests carrying very many headers.
  5. LimitRequestFieldSize: the maximum size in bytes of a single request header; the default is 8190.
  12. Enable Apache Logging

Apache logs independently of the operating system's logging. Enable it: the access log records every request (client address, request line, status and size, plus referer and user agent with the combined format), which is what you need to detect abuse and to reconstruct an incident afterwards.

Logging is provided by the mod_log_config module. There are three main logging directives:

  1. TransferLog: creates a log file using the most recently defined (or the default) format.
  2. LogFormat: defines a custom format, optionally under a nickname.
  3. CustomLog: creates a log file and names the format it uses.

You can also set them per site when you use virtual hosting, by placing them in the virtual host section. For example, here is a virtual host configuration with logging enabled:

<VirtualHost *:80>
DocumentRoot /var/www/html/example.com/
ServerName www.example.com
DirectoryIndex index.htm index.html index.php
ServerAlias example.com
ErrorDocument 404 /404.php
ErrorLog /var/log/httpd/example.com_error_log
CustomLog /var/log/httpd/example.com_access_log combined
</VirtualHost>
  13. Securing Apache with SSL/TLS Certificates

Last but not least, certificates. With SSL/TLS all communication between browser and server is encrypted. If your site has a login form, or it is an e-commerce site where people enter bank or card details, the web server sends all of that in plain text by default; with a certificate configured, Apache sends it over an encrypted connection.

You can purchase certificates from many providers, such as namecheap.com. If you run a very small site and do not want to buy one, you can still use a self-signed certificate (browsers will warn about it, since no CA vouches for it). Apache supports TLS through the mod_ssl module. Generate a 2048-bit key, a signing request and a self-signed certificate valid for one year:

# openssl genrsa -out example.com.key 2048
# openssl req -new -key example.com.key -out example.com.csr
# openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt

Once the certificate has been created and signed, add it to the Apache configuration. The key above is generated without a passphrase so that httpd can start unattended; protect it with file permissions instead (owned by root, mode 0600, in /etc/pki/tls/private on RHEL). Open the main configuration file, add the following, and restart the service:

<VirtualHost 172.16.25.125:443>
        SSLEngine on
        # Refuse the broken protocol versions (mod_ssl 2.2 syntax)
        SSLProtocol all -SSLv2 -SSLv3
        SSLCertificateFile /etc/pki/tls/certs/example.com.crt
        # The private key lives in the private directory, not alongside the certs
        SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
        # Only needed for a CA-issued certificate (the CA's intermediate bundle);
        # remove this line for a self-signed certificate
        SSLCertificateChainFile /etc/pki/tls/certs/sf_bundle.crt
        ServerAdmin mp@example.com
        ServerName example.com
        DocumentRoot /var/www/html/example/
        ErrorLog /var/log/httpd/example.com-error_log
        CustomLog /var/log/httpd/example.com-access_log common
</VirtualHost>

Open your browser at https://example.com; you will see the new self-signed certificate (and a warning, because it is not issued by a trusted CA).

  14. Restrict Access to a Specific Network (or IP Address)

If you want the site to be reachable only from a specific IP address or network, do the following.

To allow a specific network to access the site, give the network address in the Allow directive (on Apache 2.4, replace the Order/Deny/Allow lines with Require ip 10.10.0.0/24):

<Directory /site>
  Options None
  AllowOverride None
  Order deny,allow
  Deny from all
  Allow from 10.10.0.0/24
</Directory>

To allow a single IP address, give that address in the Allow directive (on 2.4: Require ip 10.10.1.21):

<Directory /site>
  Options None
  AllowOverride None
  Order deny,allow
  Deny from all
  Allow from 10.10.1.21
</Directory>

Editing users cronjob through ssh

I can see cron jobs owned by root with

crontab -l

You can use the following command to see a user's cron jobs:

crontab -u username -l

Users' cron jobs reside in /var/spool/cron/ (in /var/spool/cron/crontabs/ on Debian-based systems); you can read them there too.

Run the following as root:

for user in $(cut -f1 -d: /etc/passwd); do echo "$user"; crontab -u "$user" -l 2>/dev/null; done

It loops over every user name and lists that user's crontab (the 2>/dev/null drops the "no crontab for ..." message for users without one). The crontabs are owned by the respective users, so you cannot see another user's crontab without being that user or root. System-wide jobs live elsewhere: /etc/crontab, /etc/cron.d/ and the /etc/cron.{hourly,daily,weekly,monthly}/ directories, which crontab -l does not show.
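The loop above only covers per-user crontabs. As an added example that is not part of the original post, the script below enumerates every cron source on a host in one pass, and takes an optional root directory so that the same enumeration works against a mounted disk image or a chroot, which is how you hunt cron-based persistence during incident response. The fixture it builds is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: list every cron entry on a host
# in one pass, not just the per-user spools. ROOT (default: the live system)
# lets you run it against a mounted disk image or a chroot, which is how you
# hunt cron persistence during incident response. The fixture is constructed.

# list_cron_entries [ROOT] -- print "file: entry" for every non-comment,
# non-blank line in the user spools (RHEL and Debian layouts), /etc/crontab
# and /etc/cron.d/*, then the name of every script in the periodic directories.
list_cron_entries() {
    root=${1:-}
    for f in "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/* \
             "$root"/etc/crontab "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        grep -vE '^[[:space:]]*(#|$)' "$f" | sed "s|^|$f: |"
    done
    for period in hourly daily weekly monthly; do
        for s in "$root"/etc/cron.$period/*; do
            [ -f "$s" ] || continue
            echo "$s"
        done
    done
}

# Constructed fixture laid out like a small RHEL host under one directory.
make_fixture() {
    mkdir -p "$1/var/spool/cron" "$1/etc/cron.d" "$1/etc/cron.daily"
    printf '0 3 * * * /root/backup.sh\n' > "$1/var/spool/cron/root"
    printf '# nightly sync\n\n*/5 * * * * /home/bob/sync.sh\n' > "$1/var/spool/cron/bob"
    printf 'SHELL=/bin/sh\n@reboot www-data /usr/local/bin/warm-cache\n' > "$1/etc/cron.d/warm-cache"
    : > "$1/etc/cron.daily/logrotate"
}

# Stand-alone demo against the fixture; run list_cron_entries with no
# argument (as root) to audit the live system.
tmp=$(mktemp -d)
make_fixture "$tmp"
list_cron_entries "$tmp"
rm -rf "$tmp"
```

Each line carries the file it came from, so a suspicious @reboot entry can be traced straight back to the spool or cron.d file that holds it.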

 

If you want a script named /root/backup.sh to run every day at 3 am, install the entry with:

# crontab -e

Append the following line:

0 3 * * * /root/backup.sh

Save and close the file.

Cron field format (easy to remember):

* * * * * command to be executed
- - - - -
| | | | |
| | | | ----- Day of week (0 - 7) (Sunday=0 or 7)
| | | ------- Month (1 - 12)
| | --------- Day of month (1 - 31)
| ----------- Hour (0 - 23)
------------- Minute (0 - 59)

To edit another user's crontab, use:

# crontab -u username -e


Compiling shared PHP modules

So you want to add postgres support to PHP (or something like that), but you don’t want to re-compile the whole thing. You just want a shared module.

It's easier than I first thought. Here is how I have done it.

First find out which version of PHP you are running (php -v on the command line, or a test page calling phpinfo(); if you use a page, remove it afterwards, since it publishes build details and paths to anyone who finds it), then download that exact version from php.net. I'm using 5.4.14, so my example reflects that.

Then I like to put the source in someplace like /usr/local/src/php-5.4.14

/usr/local/src/php-5.4.14 # ./configure --with-pgsql=shared,/usr/local/pgsql
/usr/local/src/php-5.4.14 # make
/usr/local/src/php-5.4.14 # cp modules/pgsql.so /usr/lib64/php/extensions/

Note we only have to use the configuration line for the shared module we are compiling. We specify that we want it as a shared module, and the path (if needed). This of course assumes you already have postgres installed.

Then load the extension from php.ini (or from a file in the extension scan directory, e.g. /etc/php.d/pgsql.ini) by adding:

extension=pgsql.so

Restart Apache and check phpinfo() again (or run php -m | grep pgsql); you should see a section titled pgsql.

Thats it =;)


Compiling PHP 5.x From Scratch

I was asked to compile PHP 5.4.14 on one of my servers with MySQL support.

I downloaded PHP 5.4.14 from the MySQL website and compiled it.

Later on, mcrypt, ftp and openssl support were added to it.

I was also told to add dbase support. With the --enable-dbase option PHP was not compiling, so to make dbase work I did the following:

Get the source for dbase extension

As I told you, the DBase extension is also no longer included, so:

1) cd /opt/php/php5-5.3.2/ext/

2) mkdir dbase

3) svn co http://svn.php.net/repository/pecl/dbase/trunk dbase

Compile the Extension

4) cd /opt/php/php5-5.3.2/ext/dbase

5) phpize

6) ./configure

7) make

Copy the extension

8) cp  /opt/php/php5-5.3.2/ext/dbase/modules/dbase.so /usr/lib/php5/20090626+lfs/.

make clean

./configure --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d --with-apxs2 --with-libdir=lib64 --with-mysql --with-mysqli --with-zlib --with-pdo-mysql --with-mysql-sock=/var/mysql/mysql.sock --with-pdo-sqlite --with-mcrypt=/usr/bin/mcrypt --enable-ftp --enable-zip --with-openssl --with-openssl-dir=/usr/bin

 

make
make test
make install

 

Restart Apache

/etc/init.d/apache2 restart


Check Port 25 with the Telnet Command

You can check your SMTP server on port 25 with telnet. Open a command line and type:

telnet smtp-server.domain.com 25

If your server is online a connection will be established on port 25 (SMTP).

The server answers with its banner (this one is Exim; an Exchange server identifies itself differently):

220- mailserver.domain.com ESMTP Exim 4.82 #2 Fri, 30 May 2014 21:24:45 -0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

When you type the ‘help’ command the available commands are listed:

214-This server supports the following commands:
214 HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ATRN ETRN BDAT VRFY

Try the following to send an email from the command line (your input is the lines without a numeric reply code):

220- mailserver.domain.com ESMTP Exim 4.82 #2 Fri, 30 May 2014 21:24:45 -0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo myserver.domain.com
250 mailserver.domain.com Hello [10.1.11.133]
mail from:<myname@mydomain.com>
250 2.1.0 myname@mydomain.com….Sender OK
rcpt to:<recipientname@mydomain.com>
250 2.1.5 recipientname@mydomain.com
data
354 Start mail input; end with <CRLF>.<CRLF>
subject: This is a test mail
to: recipientname@mydomain.com
This is the text of my test mail.
.
250 2.6.0 <exchange.domain.com> Queued mail for delivery
quit

If the mail server returns a syntax error after the MAIL FROM command, you have probably forgotten to put the address in angle brackets <>. Two things worth noting while you are connected: if the server advertises VRFY (as in the HELP output above) and answers it, anyone can enumerate valid mailboxes, which is why hardening guides disable it; and if a RCPT TO for a domain the server does not handle is accepted without authentication, the server is an open relay.


Deleting Linux Backup Easily With Rotation

Create a cron job that runs the following commands. -mtime selects on the last modification time (the -ctime these one-liners are often written with is the inode change time, which chmod, chown or mv reset, so an old backup touched by a permissions change would never expire); -mindepth 1 stops find from ever matching /data/backup/ itself; and -depth processes a directory's contents before the directory, so find does not try to descend into something it has just removed:

find /data/backup/ -mindepth 1 -type f -mtime +90 -exec rm -f {} \; -print
find /data/backup/ -mindepth 1 -depth -type d -mtime +90 -exec rm -rf {} \; -print

To check the list of files that would be removed first:

find /data/backup/ -mindepth 1 -mtime +90
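As an added example that is not part of the original post, here is the same rotation wrapped in a function with a dry-run mode, which is the form I would actually schedule from cron. It removes expired files first and then prunes only the directories that became empty, so a directory that still holds a recent file is never deleted wholesale. The fixture it builds is constructed; /data/backup/ and the 90-day retention are the post's own values.

```shell
#!/bin/sh
# Added example (not from the original post): the rotation above with the
# safety rails a practitioner wants. -mindepth 1 keeps find from ever matching
# the backup root itself, -mtime (last content change) replaces -ctime (inode
# change, which chmod/chown/mv reset), files are removed before directories,
# and only directories left empty are pruned. The fixture is constructed.

# rotate_backups DIR DAYS [delete] -- list (default) or delete files whose
# mtime is more than DAYS days old, then prune directories that became empty.
rotate_backups() {
    dir=$1; days=$2; mode=${3:-dry-run}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    if [ "$mode" = delete ]; then
        find "$dir" -mindepth 1 -type f -mtime +"$days" -print -delete
        find "$dir" -mindepth 1 -type d -empty -print -delete
    else
        find "$dir" -mindepth 1 -type f -mtime +"$days" -print
    fi
}

# Constructed fixture: one backup from 2020 and one made just now.
make_fixture() {
    mkdir -p "$1/2020-01-01" "$1/recent"
    : > "$1/2020-01-01/db.sql.gz"
    touch -t 202001010000 "$1/2020-01-01/db.sql.gz" "$1/2020-01-01"
    : > "$1/recent/db.sql.gz"
}

# Stand-alone demo on the fixture; for the real thing schedule
# "rotate_backups /data/backup 90 delete" from cron.
tmp=$(mktemp -d)
make_fixture "$tmp"
echo "== would delete =="; rotate_backups "$tmp" 90
echo "== deleting ==";     rotate_backups "$tmp" 90 delete
echo "== left ==";         find "$tmp" -mindepth 1
rm -rf "$tmp"
```

Note that -mtime +90 matches files whose age, in whole days, exceeds 90, i.e. anything 91 days old or older; run the dry-run form from cron for a cycle before switching to delete.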

Reset Mysql Root Password

    •  Log in as root.
    •  Stop the MySQL server:
# /etc/init.d/mysql stop
    •  Start MySQL with the grant tables disabled. Keep --skip-networking: while the grant tables are off, anyone who can reach the server connects with full privileges and no password, so it must only be reachable through the local socket. (The script is safe_mysqld on very old releases.)
# /usr/local/mysql/bin/mysqld_safe --user=mysql --skip-grant-tables --skip-networking &
    •  Reset the password:
# /usr/local/mysql/bin/mysqladmin -u root flush-privileges password "newpassword"

Sometimes the above command does not work and the password has to be reset with the process below.

While the server is still running with --skip-grant-tables, connect without a password:

$ mysql -u root

Switch to the mysql database (at the mysql> prompt):

mysql> use mysql;

Change the password for user root:

mysql> update user set password=PASSWORD("NEWPASSWORD") where User='root';

On MySQL 5.7 and later the password column no longer exists (it became authentication_string); there, run FLUSH PRIVILEGES first and then ALTER USER 'root'@'localhost' IDENTIFIED BY 'NEWPASSWORD';

Finally, reload the privileges:

mysql> flush privileges;
mysql> quit
  • Restart the Mysql Server
# /etc/init.d/mysql restart