Wednesday, August 6, 2008

Generate ssl certs

https certs
Setp 1> Generate ssl certificates

#openssl genrsa -des3 -out hostname.key 1024

#openssl req -new -key hostname.key -out hostname.csr

#openssl x509 -req -days 365 -in hostname.csr -signkey hostname.key -out hostname.crt

step 2> Add Certificate to /etc/httpd/conf.d/ssl.conf

# vi /etc/httpd/conf.d/ssl.conf

(note: just remove comment "#" from SSLCertificate and add filename)

# Server Certificate:
SSLCertificateFile /etc/httpd/conf/cert/hostname.crt
# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/cert/hostname.key

dovecot ssl certs
Setp 1> Generate ssl certificates

#openssl genrsa -des3 -out /usr/share/ssl/private/dovecot.pem 2048

#openssl req -new -x509 -key /usr/share/ssl/private/dovecot.pem -out /usr/share/ssl/certs/dovecot.pem -days 1095

step 2> modify into /etc/dovecot.conf

URL redirect

Redirect Directive

Description: Sends an external redirect asking the client to fetch a different URL
Syntax: Redirect [status] URL-path URL
Context: server config, virtual host, directory, .htaccess
Override: FileInfo
Status: Base
Module: mod_alias

The Redirect directive maps an old URL into a new one by asking the client to refetch the resource at the new location.

The old URL-path is a case-sensitive (%-decoded) path beginning with a slash. A relative path is not allowed. The new URL should be an absolute URL beginning with a scheme and hostname.


vi /etc/apache2/apache2.conf

RewriteEngine on
Redirect /service

If the client requests http://myserver/service/foo.txt, it will be told to access instead.

Meta Refresh URL Redirect

Meta Refresh URL Redirect is an example of a meta refresh URL redirect.
The code is,

< meta http-equiv="refresh" content="5;url=" />

This method displays the new page that the refresh points to by 5 seonds.

PHP URL Redirect

The code for redirect URL, code goes at the top of the page.

Monday, August 4, 2008

All about RPM

How can I install or upgrade a package? Can I install an old one?

// Simply install rpm

rpm -i package.rpm

// The "-v" is for verbose and "-h" for the hashing marks.

rpm -ivh package.rpm

// Upgrade / Install a new-package

rpm -Uvh new-package.rpm

// Downgrade Samba to old version

rpm -Uvh --oldpackage Samba-old-version.rpm

// Simply remove a package

rpm -e package

// Simulate what will be done before erase

rpm -e --test package;

// Backup the package before erase

rpm -e --repackage package

// see dependencies of the RPM package you're trying to erase

rpm -q --whatrequires kernel

// Simply query an installed package

rpm -q yum

// know all installed packages on your system

rpm –qa

// Check if pkg is installed

rpm -qa | grep -i pkg

// Query an uninstalled pkg

rpm -qpi vnc-server-4.0-0.beta4.3.2.i386.rpm

// get list of packages & programs required for some pkg installation

rpm -qpR package.rpm

// query an installed package eg. Kernel

rpm -qR kernel

// find which package the file /usr/bin/smbmount belongs to

rpm -qf /usr/bin/smbmount

// list what files will be installed by a package

rpm -ql cpp

// list what files will be installed by an RPM package

rpm -qpl cpp-3.3.2-1.i386.rpm

//Direct install frm ftp server

rpm -Uvh ftp://user:pass@ftpserver/directory/package.rpm

// anonymous ftp and using proxy

rpm -qpl --ftpproxy proxyserver --ftpport port ftp://ftpserver/dir/remote-package.rpm
rpm -qpR --httpproxy proxyserver --httpport port http://webserver/dir/remote-package.rpm

// simulate the effect of execution- "rpm -ivh new-kernel.rpm"

rpm -ivh --test new-kernel.rpm

// Freshen / Upgrade only installed packages

rpm -Fvh new-package.rpm

// figure out the Kernel version(smp, bigmem) and base arch(i386, athlon)?

rpm -q --qf "Kernel arch type is: %{ARCH}\nKernel name is: %{VERSION}\n" kernel

How can I install a new Kernel version but keeping my old one installed?
When upgrading or installing a new Kernel version from a RPM package, the first thing you have to know is what Kernel to use. Always try to keep the current Kernel installed when upgrading, so you can test the new installed image an see if you'll get in trouble for some reason, if this happens so you can reboot with the current one. Starting from this point, we can say: Never use the "Freshen" or "Upgrade" commands unless you really knows what will going to happen. When upgrading critical packages like Kernel, try to use the Test option before executing the final command. And always try to install, not upgrade.
And finally, when upgrading, use the Backup option "--repackage" so you can reinstall the old package you've removed during upgrade process. You can issue the command below to upgrade the Kernel and making a backup of the current and installed Kernel package:
rpm -Uvh --repackage new-kernel.rpm
The Old RPM will be generated on "_repackage_dir" RPM macro, usually /var/spool/repackage. If some problem occurs with the new installed Kernel version, then use the following command to reinstall the old one:
rpm -ivh --oldpackage /var/spool/repackage/old-kernel.rpm

Make backups of old packages when updating or removing them?

rpm -Uvh --repackage new-package.rpm
rpm -e --repackage n
The backup RPMs will be generated on "_repackage_dir" RPM macro, usually /var/spool/repackage. If some problem occurs, then use the following command to reinstall: ew-package.rpm
rpm -Uvh --oldpackage /var/spool/repackage/old-package.rpm

How can I check digests and signatures against a package?

Every RPM package can be signed with a GPG key and has an MD5 hash inside its header so one can verify and validate a package. The first thing you must check is the presence of the GPG public key, you can only verify a signature if you have the right public key installed.
To install the keys, look at the directory /usr/share/rhn/, this is usually the place where GPG-KEYS are. The following command will import/install the key:

rpm --import /usr/share/rhn/GPG-KEY
rpm -qi gpg-pubkey | more // See keys already installed in ur system

rpm -K package.rpm // to verify(md5, sha1, gpg) a package.

// example output against the Iptables package:

# rpm -K /ftp/linux/fedora/1/updates/i386/iptables-1.2.9-1.0.i386.rpm
/ftp/linux/fedora/1/updates/i386/iptables-1.2.9-1.0.i386.rpm: (sha1) dsa sha1 md5 gpg OK

# rpm --showrc | grep repackage // show values of macro
-14: _repackage_all_erasures 0
-14: _repackage_dir /var/spool/repackage
-14: _repackage_name_fmt %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm
-14: _repackage_root %{nil}

How can I get RPM back? The command "rpm -qa" returns nothing!

Sometimes the RPM database gets broken and rpm command freezes or doesn't work as expected. How to solve this problem:

rm -f /var/lib/rpm/__* ; rpm -vv --rebuilddb

How to figure out the installation time of my packages?

rpm -qa --queryformat '%{installtime} %{installtime:date} %{name}-%{version}\n' | sort -n | sed 's/^[0-9]*//'


rpm -qa -last | tac

How to figure out the size of a installed package?

rpm -qa --queryformat '%10{size} %{name}-%{version}\n' | sort –n

Thursday, June 5, 2008

creating NAT using Linux IPtables

If you are running a recent 2.6 Linux Kernel this four step process should work for you. This has been specifically tested on FCore 3, 4, 5, and 6.. should work on any modern Linux distribution. All of these commands must be executed as the root user.

First you need to tell your kernel that you want to allow IP forwarding.

echo 1 > /proc/sys/net/ipv4/ip_forward

Then you'll need to configure iptables to forward the packets from your internal network, on /dev/eth1, to your external network on /dev/eth0. You do this will the following commands:

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

You should now be NATing. You can test this by pinging an external address from one of your internal hosts. The last step is to ensure that this setup survives over a reboot. Obviously you should only do these last two steps if your test is a success.

You will need to edit /etc/sysctl.conf and change the line that says net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1. This essentially tells your kernel to do step one on boot.

Ok last step for Fedora/RHEL users. In order for your system to save the iptables rules we setup in step two you have to configure iptables correctly. You will need to edit /etc/sysconfig/iptables-config and make sure IPTABLES_MODULES_UNLOAD, IPTABLES_SAVE_ON_STOP, and IPTABLES_SAVE_ON_RESTART are all set to 'yes'.

For non-Fedora/RHEL users you can simply setup an init script for this or simply append these commands to the existing rc.local script so they are executed on boot