Empulse Group a collection of notes from a sys admin, musician, and father

15May/11

rsync

To sync the contents of two directories using rsync.

Access via remote shell:

Pull: rsync [OPTION...] [USER@]HOST:SRC... [DEST]

Push: rsync [OPTION...] SRC... [USER@]HOST:DEST

-v, --verbose increase verbosity

-a, --archive archive mode; equals -rlptgoD (no -H,-A,-X)

-u, --update skip files that are newer on the receiver

--existing skip creating new files on receiver

--ignore-existing skip updating files that exist on receiver

-z, --compress compress file data during the transfer

SYNC: pull, then push data

PULL: rsync -avz --ignore-existing test1@empulsegroup.com:/home/test1/Documents .

PUSH: rsync -avz Documents test1@empulsegroup.com:/home/test1

22Feb/11

Tricks with iptables

Use iptables to force outbound mail (TCP port 25) to leave from a specific source IP address:

[root@www ~]# iptables -t nat -A POSTROUTING -p tcp --dport 25 -j SNAT --to-source 192.168.100.123

Limit concurrent connections to port 80 to 100 per source address; new connections (SYNs) above that limit are dropped:

[root@www ~]# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j DROP

8Jan/11

50 UNIX / Linux Sysadmin Tutorials

50 UNIX / Linux Sysadmin Tutorials.

2Jan/11

Journal Aborted

1. Blow away the journal.

[root@www ~]# tune2fs -O ^has_journal /dev/hda5

1a. If this fails because of the needs_recovery flag, you will need to run the following.

[root@www ~]# debugfs -w /dev/hda5
debugfs: features ^needs_recovery
debugfs: quit

Again, try to blow away the journal.

[root@www ~]# tune2fs -O ^has_journal /dev/hda5

2. Now, you can fsck the partition.

[root@www ~]# fsck.ext2 -f /dev/hda5

3. Rebuild the journal.

[root@www ~]# tune2fs -j /dev/hda5

15Nov/10

Setting up vsftpd with MySQL authentication

Here we will be setting up vsftpd to use MySQL for authentication using pam_mysql. vsftpd already uses PAM, so we just need to edit the PAM file for this service to use the pam_mysql module. Then we edit the vsftpd.conf file. Finally, the user credentials will be stored in a MySQL database.

Install packages:

  • pam_mysql
  • mysql
  • vsftpd
[root@www ~]# cat /etc/pam.d/vsftpd
auth required /lib64/security/pam_mysql.so user=vsftpd passwd=foo host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=0 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime
## i will just space these 2 lines out ##
account required /lib64/security/pam_mysql.so user=vsftpd passwd=foo host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=passwd crypt=0 sqllog=1 logtable=logs logmsgcolumn=msg logusercolumn=user logpidcolumn=pid loghostcolumn=host logrhostcolumn=rhost logtimecolumn=logtime

Note: For the crypt=x option, the following applies:
-------
0 = No encryption. Passwords in database in plaintext. NOT recommended!
1 = Use crypt
2 = Use MySQL PASSWORD() function

[root@www ~]# grep -v \# /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
nopriv_user=vsftpd
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=vsftpd
local_root=/home/vsftpd/$USER
user_sub_token=$USER
virtual_use_local_privs=YES
chroot_local_user=YES

Then we need to create a 'vsftpd' system user. Our virtual FTP users will have home directories under /home/vsftpd. We also have to manually create the home directory for each virtual user, as specified by the "local_root" directive in the vsftpd.conf file.

[root@www ~]# useradd --home /home/vsftpd -m --shell /bin/false vsftpd
[root@www ~]# mkdir /home/vsftpd/test3
[root@www ~]# chown vsftpd:vsftpd /home/vsftpd/test3/

CREATE DATABASE AND TABLES IN MYSQL

> create database vsftpd;
> use vsftpd;
> create table users (id int AUTO_INCREMENT NOT NULL, name char(128) binary NOT NULL, passwd char(128) binary NOT NULL, primary key(id) );
> create table logs (msg varchar(255), user char(128), pid int, host char(128), rhost char(128), logtime timestamp );
> INSERT INTO users (name, passwd) VALUES ('test5', 'test5'); -- plain text, crypt=0 in /etc/pam.d/vsftpd
> INSERT INTO users (name, passwd) VALUES ('eric@empulsegroup.com', PASSWORD('tististis')); -- when using the MySQL PASSWORD() function, crypt=2 in the pam file

6Nov/10

Setting up Postfix with SMTP authentication, TLS support, Spam Assassin mail filter, and procmail

1. Set up Postfix with SMTP authentication,
2. TLS support,
3. Spam Assassin mail filter,
4. procmail to move spam messages at server

********************************************************

1. POSTFIX MAIL SERVER INSTALL WITH SMTP AUTH:

Cyrus-SASL is a software that provides different methods and mechanisms of authentication.

Needed Package(s):
postfix
cyrus-sasl
cyrus-sasl-plain

# /etc/init.d/saslauthd start
# /etc/init.d/postfix start
# chkconfig postfix on
# chkconfig saslauthd on

-Settings in /etc/postfix/main.cf:

inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, hash:/etc/postfix/mydomains
home_mailbox = Maildir/

myhostname = mail.domain.com // needed?
mydomain = domain.com // needed?

mynetworks = 127.0.0.0/8
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail -a "$EXTENSION" // needed for procmail, can leave out for now

# SASL SUPPORT FOR CLIENTS
# The following options set parameters needed by Postfix to enable
# Cyrus-SASL support for authentication of mail clients.
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains, reject_unauth_destination

NOTE: I have both of the last 2 options in recipient_restrictions because the check_relay_domains will eventually be deprecated.

http://www.softpanorama.org/Mail/Postfix/smtpd_recipient_restrictions.shtml
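How Postfix walks smtpd_recipient_restrictions (first verdict wins), as an added Python model that is not from the original post or from Postfix itself: it emulates three of the four restrictions in the main.cf above (check_relay_domains left out) with constructed mynetworks/mydestination values, and shows that moving reject_unauth_destination ahead of permit_sasl_authenticated locks out authenticated users, while leaving it out entirely turns the server into an open relay.

```python
import ipaddress

# Constructed values standing in for the page's main.cf: mynetworks = 127.0.0.0/8 and
# mydestination = $myhostname, localhost.$mydomain, localhost, hash:/etc/postfix/mydomains
# (the contents of the mydomains map are assumed here).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
MYDESTINATION = {"mail.domain.com", "localhost.domain.com", "localhost", "domain.com"}


def permit_sasl_authenticated(client):
    # Matches only when the client completed SMTP AUTH; otherwise no verdict.
    return "OK" if client.get("sasl_user") else None


def permit_mynetworks(client):
    ip = ipaddress.ip_address(client["ip"])
    return "OK" if any(ip in net for net in MYNETWORKS) else None


def reject_unauth_destination(client):
    # Rejects unless this server is the final destination for the recipient domain.
    domain = client["rcpt"].rpartition("@")[2].lower()
    return None if domain in MYDESTINATION else "REJECT"


PAGE_ORDER = [permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination]


def evaluate(client, restrictions=PAGE_ORDER):
    """Postfix evaluates the list left to right; the first restriction that returns a
    verdict decides, and a list in which nothing matches permits the recipient."""
    for restriction in restrictions:
        verdict = restriction(client)
        if verdict is not None:
            return verdict
    return "OK"


# Constructed test clients (203.0.113.0/24 is a documentation range).
REMOTE_TO_OUTSIDE = {"ip": "203.0.113.7", "rcpt": "someone@example.net"}
REMOTE_TO_LOCAL = {"ip": "203.0.113.7", "rcpt": "eric@domain.com"}
LOOPBACK_TO_OUTSIDE = {"ip": "127.0.0.1", "rcpt": "someone@example.net"}
AUTHED_TO_OUTSIDE = dict(REMOTE_TO_OUTSIDE, sasl_user="eric")

if __name__ == "__main__":
    for name, client in [("remote->outside", REMOTE_TO_OUTSIDE), ("remote->local", REMOTE_TO_LOCAL),
                         ("loopback->outside", LOOPBACK_TO_OUTSIDE), ("authed->outside", AUTHED_TO_OUTSIDE)]:
        print(f"{name:18} {evaluate(client)}")
```

The telnet test described below corresponds to REMOTE_TO_OUTSIDE: it must come back REJECT, and AUTHED_TO_OUTSIDE must come back OK.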

Limiting SASL mechanisms:
-From file /usr/lib/sasl2/smtpd.conf:
pwcheck_method: saslauthd
mech_list: plain login

# locate smtpd.conf
/usr/lib64/sasl/smtpd.conf
/usr/lib64/sasl2/smtpd.conf

TESTING: You can test this with telnet by trying to relay a message from a remote host to an email address that is not on the server; the relay attempt should be rejected.

SOURCE:
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html

======================================================================================

2. TLS Support in Postfix

-Settings in /etc/postfix/main.cf:

## TLS
# Transport Layer Security
#
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/server_key.pem
smtpd_tls_cert_file = /etc/postfix/server_cert.pem
#smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

TESTING: Using telnet you should be able to use "starttls" after the "EHLO domain.com".

starttls
220 2.0.0 Ready to start TLS

SOURCE:
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html

======================================================================================

3. SPAMASSASSIN INSTALL:

-Settings in /etc/postfix/master.cf:

smtp inet n - n - - smtpd -o content_filter=spamassassin

At the end of the file add:
spamassassin
unix - n n - - pipe
user=nobody argv=/usr/bin/spamc -e /usr/sbin/sendmail.postfix -oi -f ${sender} ${recipient}

-Settings in /etc/mail/spamassassin/local.cf:
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
whitelist_from *@rackspace.com

TESTING: Send a spam message using the GTUBE.

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

SOURCE:
http://traxel.com/doc/spamassassin-setup.html
http://spamassassin.apache.org/gtube/

==========================================================

4. PROCMAIL INSTALL:

Here we will use procmail to move messages marked as spam into a folder on the server instead of doing it in the user's mail client.

Needed Package(s):
procmail

-Settings in /etc/postfix/main.cf:
mailbox_command = /usr/bin/procmail -a "$EXTENSION"

-Settings in /etc/procmailrc:
DEFAULT=$HOME/Maildir/
MAILDIR=$HOME/Maildir

-Settings in /home/eric/.procmailrc:
PROCMAILDIR=$HOME/.procmail
LOG=$PROCMAILDIR/pmlog
# VERBOSE=yes # turn this on for debugging
MAILDIR=$HOME/mail
INCLUDERC=$PROCMAILDIR/rc.spam
# INCLUDERC=$PROCMAILDIR/rc.morefilters
# If none of the filters match, it will go to your inbox

-Settings in /home/eric/.procmail/rc.spam:
:0:
* ^X-Spam-Level: \*\*\*\*\*
/home/eric/Maildir/.SPAM/new
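The routing decision the rc.spam recipe above makes, as an added Python emulation that is not part of the original post or of procmail: it reads the X-Spam-Level header that spamc inserts (one star per whole point of score, so five stars corresponds to the required_hits 5 in local.cf), sends the message to .SPAM/new when the recipe's regex matches and to the inbox otherwise, and treats a message that never went through SpamAssassin (no header at all) as ham. The folder paths and sample messages are constructed.

```python
import email
import re
from email import policy

# Same pattern as the procmail condition: "* ^X-Spam-Level: \*\*\*\*\*" (five or more stars).
SPAM_LEVEL_RE = re.compile(r"^\*{5}")
SPAM_FOLDER = "Maildir/.SPAM/new"   # target of the :0: recipe
INBOX = "Maildir/new"               # DEFAULT=$HOME/Maildir/ from /etc/procmailrc


def spam_level(msg):
    """Stars in X-Spam-Level; a missing header (message never passed through spamc) is 0."""
    return str(msg.get("X-Spam-Level", "")).strip().count("*")


def route(raw_message):
    """Emulates rc.spam: deliver to .SPAM/new if the X-Spam-Level regex matches, else inbox."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    level = str(msg.get("X-Spam-Level", "")).strip()
    return SPAM_FOLDER if SPAM_LEVEL_RE.match(level) else INBOX


# Constructed messages as SpamAssassin (report_safe 0, rewrite_header Subject [SPAM]) would emit them.
SPAM_MSG = (
    "Subject: [SPAM] cheap watches\n"
    "X-Spam-Status: Yes, score=7.3 required=5.0\n"
    "X-Spam-Level: *******\n"
    "\nbody\n"
)
BORDERLINE_MSG = (
    "Subject: newsletter\n"
    "X-Spam-Status: No, score=4.9 required=5.0\n"
    "X-Spam-Level: ****\n"
    "\nbody\n"
)
UNSCANNED_MSG = "Subject: hi\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("spam", SPAM_MSG), ("borderline", BORDERLINE_MSG), ("unscanned", UNSCANNED_MSG)]:
        print(f"{name:10} -> {route(raw)}")
```

Matching on X-Spam-Level rather than on the rewritten Subject keeps the rule working even if rewrite_header is later changed or disabled.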

[root@www ~]# crontab -l
0 0 * * * /usr/bin/sa-update --allowplugins --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com
0 0 * * 0 /usr/bin/sa-learn --spam /home/eric/Maildir/.SPAM/{cur,new}
0 0 * * 0 /usr/bin/sa-learn --no-sync --ham /home/eric/Maildir/{cur,new}
3 0 * * 0 find /home/eric/Maildir/.SPAM/cur/ -delete

TESTING: spam messages should now go to a directory called ".SPAM" in your Maildir.

SOURCE: http://traxel.com/doc/spamassassin-setup.html

=========================================================

21Apr/09

Nice Cacti Install How To

RedHat / CentOS Install and Configure Cacti Network Graphing Tool

16Apr/09

Reset file permissions of RPM packages

UPDATE: YOU NEED TO RUN THE FOLLOWING COMMANDS IN REVERSE ORDER!

So, --setperms then --setugids. This is because setperms will overwrite sticky bits if run after setugids.

A disastrous mistake anyone can make on their Linux server is to chown or chmod their entire filesystem.

You can reset the permissions of packages installed with rpm.

To reset file permissions:

[root@www ~]# rpm --setperms {packagename}

To reset ownership permissions:

[root@www ~]# rpm --setugids {packagename}

4Apr/09

One-Liners

Search for multiple processes in one command. Example of matching multiple patterns with a single grep.

[root@empulse ~]# ps auxf | grep -P '(wincompd:|proftpd:)'

Lower the reserved disk space to 0%. By default Linux will reserve 5% of each file system as reserve free disk space.

[root@empulse ~]# tune2fs -m 0 /dev/hda5   # remove reserved space

Compare two files on two remote hosts. I saw this on Command-line-fu.

[root@empulse ~]# diff <(ssh alice cat /etc/apt/sources.list) <(ssh bob cat /etc/apt/sources.list)

29Oct/08

More Tech Notes

I just created linux.empulsegroup.com to place my Voodoo pad notes. I touch on the various Linux topics that I see on a day to day basis. This includes Apache, MySQL, mail services, and my notes to study for the RHCE exam which I recently received.

http://linux.empulsegroup.com