Wednesday, August 6, 2008
Generate ssl certs
===========
Setp 1> Generate ssl certificates
#openssl genrsa -des3 -out hostname.key 1024
#openssl req -new -key hostname.key -out hostname.csr
#openssl x509 -req -days 365 -in hostname.csr -signkey hostname.key -out hostname.crt
step 2> Add Certificate to /etc/httpd/conf.d/ssl.conf
# vi /etc/httpd/conf.d/ssl.conf
(note: just remove comment "#" from SSLCertificate and add filename)
# Server Certificate:
SSLCertificateFile /etc/httpd/conf/cert/hostname.crt
# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/cert/hostname.key
dovecot ssl certs
==================
Setp 1> Generate ssl certificates
#openssl genrsa -des3 -out /usr/share/ssl/private/dovecot.pem 2048
#openssl req -new -x509 -key /usr/share/ssl/private/dovecot.pem -out /usr/share/ssl/certs/dovecot.pem -days 1095
step 2> modify into /etc/dovecot.conf
URL redirect
Description: Sends an external redirect asking the client to fetch a different URL
Syntax: Redirect [status] URL-path URL
Context: server config, virtual host, directory, .htaccess
Override: FileInfo
Status: Base
Module: mod_alias
The Redirect directive maps an old URL into a new one by asking the client to refetch the resource at the new location.
The old URL-path is a case-sensitive (%-decoded) path beginning with a slash. A relative path is not allowed. The new URL should be an absolute URL beginning with a scheme and hostname.
Example:
vi /etc/apache2/apache2.conf
RewriteEngine on
Redirect /service http://www.bar.com/service
If the client requests http://myserver/service/foo.txt, it will be told to access http://www.bar.com/service/foo.txt instead.
Meta Refresh URL Redirect
Meta Refresh URL Redirect is an example of a meta refresh URL redirect.
The code is,
< meta http-equiv="refresh" content="5;url=http://www.foo.org" />
This method displays the new page that the refresh points to by 5 seonds.
PHP URL Redirect
The code for redirect URL, code goes at the top of the page.
header("location:http://www.foo.org/index.php");
exit;
?>
Monday, August 4, 2008
All about RPM
How can I install or upgrade a package? Can I install an old one?
// Simply install rpm
rpm -i package.rpm
// The "-v" is for verbose and "-h" for the hashing marks.
rpm -ivh package.rpm
// Upgrade / Install a new-package
rpm -Uvh new-package.rpm
// Downgrade Samba to old version
rpm -Uvh --oldpackage Samba-old-version.rpm
// Simply remove a package
rpm -e package
// Simulate what will be done before erase
rpm -e --test package;
// Backup the package before erase
rpm -e --repackage package
// see dependencies of the RPM package you're trying to erase
rpm -q --whatrequires kernel
// Simply query an installed package
rpm -q yum
// know all installed packages on your system
rpm –qa
// Check if pkg is installed
rpm -qa | grep -i pkg
// Query an uninstalled pkg
rpm -qpi vnc-server-4.0-0.beta4.3.2.i386.rpm
// get list of packages & programs required for some pkg installation
rpm -qpR package.rpm
// query an installed package eg. Kernel
rpm -qR kernel
// find which package the file /usr/bin/smbmount belongs to
rpm -qf /usr/bin/smbmount
// list what files will be installed by a package
rpm -ql cpp
// list what files will be installed by an RPM package
rpm -qpl cpp-3.3.2-1.i386.rpm
//Direct install frm ftp server
rpm -Uvh ftp://user:pass@ftpserver/directory/package.rpm
// anonymous ftp and using proxy
rpm -qpl --ftpproxy proxyserver --ftpport port ftp://ftpserver/dir/remote-package.rpm
rpm -qpR --httpproxy proxyserver --httpport port http://webserver/dir/remote-package.rpm
// simulate the effect of execution- "rpm -ivh new-kernel.rpm"
rpm -ivh --test new-kernel.rpm
// Freshen / Upgrade only installed packages
rpm -Fvh new-package.rpm
// figure out the Kernel version(smp, bigmem) and base arch(i386, athlon)?
rpm -q --qf "Kernel arch type is: %{ARCH}\nKernel name is: %{VERSION}\n" kernel
How can I install a new Kernel version but keeping my old one installed?
When upgrading or installing a new Kernel version from a RPM package, the first thing you have to know is what Kernel to use. Always try to keep the current Kernel installed when upgrading, so you can test the new installed image an see if you'll get in trouble for some reason, if this happens so you can reboot with the current one. Starting from this point, we can say: Never use the "Freshen" or "Upgrade" commands unless you really knows what will going to happen. When upgrading critical packages like Kernel, try to use the Test option before executing the final command. And always try to install, not upgrade.
And finally, when upgrading, use the Backup option "--repackage" so you can reinstall the old package you've removed during upgrade process. You can issue the command below to upgrade the Kernel and making a backup of the current and installed Kernel package:
rpm -Uvh --repackage new-kernel.rpm
The Old RPM will be generated on "_repackage_dir" RPM macro, usually /var/spool/repackage. If some problem occurs with the new installed Kernel version, then use the following command to reinstall the old one:
rpm -ivh --oldpackage /var/spool/repackage/old-kernel.rpm
Make backups of old packages when updating or removing them?
rpm -Uvh --repackage new-package.rpm
rpm -e --repackage n
The backup RPMs will be generated on "_repackage_dir" RPM macro, usually /var/spool/repackage. If some problem occurs, then use the following command to reinstall: ew-package.rpm
rpm -Uvh --oldpackage /var/spool/repackage/old-package.rpm
How can I check digests and signatures against a package?
Every RPM package can be signed with a GPG key and has an MD5 hash inside its header so one can verify and validate a package. The first thing you must check is the presence of the GPG public key, you can only verify a signature if you have the right public key installed.
To install the keys, look at the directory /usr/share/rhn/, this is usually the place where GPG-KEYS are. The following command will import/install the key:
rpm --import /usr/share/rhn/GPG-KEY
rpm -qi gpg-pubkey | more // See keys already installed in ur system
rpm -K package.rpm // to verify(md5, sha1, gpg) a package.
// example output against the Iptables package:
# rpm -K /ftp/linux/fedora/1/updates/i386/iptables-1.2.9-1.0.i386.rpm
/ftp/linux/fedora/1/updates/i386/iptables-1.2.9-1.0.i386.rpm: (sha1) dsa sha1 md5 gpg OK
# rpm --showrc | grep repackage // show values of macro
-14: _repackage_all_erasures 0
-14: _repackage_dir /var/spool/repackage
-14: _repackage_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm
-14: _repackage_root %{nil}
How can I get RPM back? The command "rpm -qa" returns nothing!
Sometimes the RPM database gets broken and rpm command freezes or doesn't work as expected. How to solve this problem:
rm -f /var/lib/rpm/__* ; rpm -vv --rebuilddb
How to figure out the installation time of my packages?
rpm -qa --queryformat '%{installtime} %{installtime:date} %{name}-%{version}\n' | sort -n | sed 's/^[0-9]*//'
OR
rpm -qa -last | tac
How to figure out the size of a installed package?
rpm -qa --queryformat '%10{size} %{name}-%{version}\n' | sort –n
Thursday, June 5, 2008
creating NAT using Linux IPtables
If you are running a recent 2.6 Linux Kernel this four step process should work for you. This has been specifically tested on FCore 3, 4, 5, and 6.. should work on any modern Linux distribution. All of these commands must be executed as the root user.
First you need to tell your kernel that you want to allow IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
Then you'll need to configure iptables to forward the packets from your internal network, on /dev/eth1, to your external network on /dev/eth0. You do this will the following commands:
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
You should now be NATing. You can test this by pinging an external address from one of your internal hosts. The last step is to ensure that this setup survives over a reboot. Obviously you should only do these last two steps if your test is a success.
You will need to edit /etc/sysctl.conf and change the line that says net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1. This essentially tells your kernel to do step one on boot.
Ok last step for Fedora/RHEL users. In order for your system to save the iptables rules we setup in step two you have to configure iptables correctly. You will need to edit /etc/sysconfig/iptables-config and make sure IPTABLES_MODULES_UNLOAD, IPTABLES_SAVE_ON_STOP, and IPTABLES_SAVE_ON_RESTART are all set to 'yes'.
For non-Fedora/RHEL users you can simply setup an init script for this or simply append these commands to the existing rc.local script so they are executed on boot