Category Archives: Linux

virt-manager without root

To be able to execute virt-manager without root privilege,

– create a new group

# groupadd libvirt

– Add the required users to this group by editing the /etc/group file

– Edit the libvirtd configurations:

# vi /etc/libvirt/libvirtd.conf

– Add the following configurations.

unix_sock_group = "libvirt"
auth_unix_rw = "none"

– Restart libvirtd,

# service libvirtd restart

– Log out, log back in and try to access libvirtd

$ ssh -X <username>@<host> virt-manager

./arun

cPanel – Chkservd showing Exim/IMAP failing numerous times?

— Check the chkservd logs ( /var/log/chkservd.log ) and see if you can find something
like this in relation to exim

==========================

>> AUTH PLAIN AF9fsdsdxcxcxcX19pspdivxc1k1MGJYek44eXpOMVliWkdOdF
dfTVRWbjNPU29uADlBVEFlMG 1MR0hsMVRESlI2WnFIZ3FRSDWWEXQ0dMYUlqZzVEbTFMY
k1FQUpHJokUtTAn:DWQ=

<< 421 host.xxxx.com Service not available - closing connection exim: ** [421 host.xxxx.com: Service not available - closing connection != 2]

==========================

-- This shows that the check daemon failed to authenticate
with the temporary auth key ( exim ) and therefore the check is
failing.

-- As a result of this, you will find lots of SMTP authentication failures
in exim_mainlog ( from both valid and invalid IPs )

-- To fix this issue with the exim auth key, regenerate it:

# cd /var/cpanel/serviceauth/
# rm -rf exim
# service cpanel restart
# service exim restart

Monitor the chkservd logs ( /var/log/chkservd.log ) and make sure things are fine!
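As an added example (not part of the original post), here is a small Python script that aggregates authenticator failures from exim_mainlog and separates the server's own failing check (127.0.0.1, the chkservd noise described above) from remote sources, so that a broken auth key is not mistaken for password guessing and a guessing source is not lost in the noise. The log lines are constructed samples in exim's authenticator-failure format; the IPs and set_id values are placeholders.

```python
import re
from collections import Counter

# One exim_mainlog authenticator-failure line, e.g.
# "2014-01-23 19:21:40 login authenticator failed for (host) [203.0.113.7]:51234: 535 Incorrect authentication data (set_id=bob)"
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<auth>\S+) authenticator failed for "
    r"(?:\([^)]*\) )?\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?: (?P<code>\d{3}) "
    r".*?(?:\(set_id=(?P<user>[^)]*)\))?\s*$"
)

# Failures from these addresses come from the server itself (e.g. chkservd's own check).
LOCAL_IPS = {"127.0.0.1", "::1"}


def parse_failures(lines):
    """Yield (ip, authenticator, set_id) for each authentication-failure line; other lines are skipped."""
    for line in lines:
        m = AUTH_FAIL.match(line)
        if m:
            yield m.group("ip"), m.group("auth"), m.group("user")


def summarize(lines, threshold=3):
    """Count local (server-side check) failures separately from remote ones and
    flag remote IPs that reach `threshold` failures."""
    local = 0
    remote = Counter()
    for ip, _auth, _user in parse_failures(lines):
        if ip in LOCAL_IPS:
            local += 1
        else:
            remote[ip] += 1
    flagged = sorted(ip for ip, n in remote.items() if n >= threshold)
    return {"local": local, "remote": dict(remote), "flagged": flagged}


# Constructed sample log (not from a real server): the 127.0.0.1 entries stand in for a
# broken chkservd auth key, the 203.0.113.7 entries for a remote host guessing passwords.
SAMPLE_LOG = """\
2014-01-23 19:20:01 login authenticator failed for (host.example.com) [127.0.0.1]:40311: 535 Incorrect authentication data (set_id=svc-check)
2014-01-23 19:21:01 login authenticator failed for (host.example.com) [127.0.0.1]:40420: 535 Incorrect authentication data (set_id=svc-check)
2014-01-23 19:21:05 login authenticator failed for (WIN-PC) [203.0.113.7]:51234: 535 Incorrect authentication data (set_id=admin)
2014-01-23 19:21:07 login authenticator failed for (WIN-PC) [203.0.113.7]:51240: 535 Incorrect authentication data (set_id=info)
2014-01-23 19:21:09 plain authenticator failed for (WIN-PC) [203.0.113.7]:51251: 535 Incorrect authentication data (set_id=sales)
2014-01-23 19:21:30 1W6OuM-0005cl-J8 <= root@host.example.com U=root P=local S=350 T="test mail" for test@example.net
2014-01-23 19:22:01 login authenticator failed for (host.example.com) [127.0.0.1]:40522: 535 Incorrect authentication data (set_id=svc-check)
2014-01-23 19:22:44 dovecot_login authenticator failed for (mail) [198.51.100.2]:6021: 535 Incorrect authentication data (set_id=alice)
2014-01-23 19:23:01 login authenticator failed for (host.example.com) [127.0.0.1]:40610: 535 Incorrect authentication data (set_id=svc-check)
""".splitlines()

if __name__ == "__main__":
    # On a real box: summarize(open("/var/log/exim_mainlog"))
    print(summarize(SAMPLE_LOG))
```

A high "local" count with the chkservd symptoms above points at the auth key; a high per-IP "remote" count is the pattern you would rate-limit or block at the firewall instead.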

Setup GeoIP (PECL) for piwik geolocation and updating old visits

GeoIP is the recommended way to accurately determine the location of a visitor; the default geolocation settings may give inaccurate results.

To enable GeoIP(PECL) from redhat/centos machines:
# yum install php-pecl-geoip
# apachectl restart
# php -m | grep -i geo
geoip

From Piwik, Settings –> Geolocation –> GeoIP (PECL)

To reindex the old visits:
# cd misc/others
# php ./geoipUpdateRows.php
[note] Found working provider: geoip_pecl
90094 rows to process in piwik_log_visit and piwik_log_conversion....
.
.
.
100% done!

Error when trying to FTP!

When trying to FTP in, are you facing this error?

=================

Status: Resolving address of xxxxxxxxxxxxxxx.com
Status: Connecting to xx.xx.xx.xx:21…
Status: Connection established, waiting for welcome message…
Response: 421 Too many connections (x) from this IP

=================

As the log indicates, the limit on connections from the IP you are trying
to log in from has reached its maximum value.

Increase this in the configuration file: the value 'MaxClientsPerIP'
( if it's pure-ftpd ) or 'MaxClientsPerHost' ( proftpd ),
and restart the service.

Alternatively, you can also terminate the existing connections if they are not in use:
list them with # netstat -plan | grep :21 and kill the corresponding process
( # kill -9 PID )
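Before killing anything it helps to see which remote IP holds the connections and which server processes belong to it. The following Python helper, added here and not part of the original post, parses netstat -plan output (a constructed sample is embedded) and reports established connections to port 21 per remote IP together with their PIDs; the limit passed to over_limit is whatever MaxClientsPerIP / MaxClientsPerHost is set to.

```python
import re
from collections import defaultdict

# One line of `netstat -plan` as printed by net-tools on Linux:
# proto recv-q send-q local-address foreign-address [state] [pid/program | -]
NETSTAT_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?(?:\s+(?P<pid>\d+)/(?P<prog>\S+)|\s+-)?"
)


def split_addr(addr):
    """Split 'ip:port' into (ip, port); rpartition keeps IPv6 addresses intact."""
    ip, _, port = addr.rpartition(":")
    return ip, port


def connections_per_ip(netstat_output, port="21", state="ESTABLISHED"):
    """Map each remote IP to the server PIDs holding a connection to local :port.
    Only sockets in `state` count (LISTEN and TIME_WAIT entries are skipped)."""
    per_ip = defaultdict(list)
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m or m.group("state") != state:
            continue
        _lip, lport = split_addr(m.group("local"))
        if lport != port:
            continue
        rip, _rport = split_addr(m.group("remote"))
        per_ip[rip].append(int(m.group("pid")) if m.group("pid") else None)
    return dict(per_ip)


def over_limit(per_ip, max_per_ip):
    """(ip, pids) pairs whose connection count has reached the daemon's per-IP limit."""
    return [(ip, pids) for ip, pids in sorted(per_ip.items()) if len(pids) >= max_per_ip]


# Constructed sample output (documentation-range IPs, made-up PIDs), not a real capture.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1200/pure-ftpd (SERVER)
tcp        0      0 10.0.0.5:21             203.0.113.7:51234       ESTABLISHED 1301/pure-ftpd (IDLE)
tcp        0      0 10.0.0.5:21             203.0.113.7:51240       ESTABLISHED 1302/pure-ftpd (IDLE)
tcp        0      0 10.0.0.5:21             203.0.113.7:51251       ESTABLISHED 1303/pure-ftpd (IDLE)
tcp        0      0 10.0.0.5:21             198.51.100.2:6021       ESTABLISHED 1304/pure-ftpd (IDLE)
tcp        0      0 10.0.0.5:21             203.0.113.7:51260       TIME_WAIT   -
tcp        0      0 10.0.0.5:22             198.51.100.2:6100       ESTABLISHED 900/sshd: root
"""

if __name__ == "__main__":
    # On a real box: subprocess.run(["netstat", "-plan"], capture_output=True, text=True).stdout
    per_ip = connections_per_ip(SAMPLE_NETSTAT)
    print(per_ip)
    print("at limit (3):", over_limit(per_ip, 3))
```

With a hypothetical limit of 3, the output singles out 203.0.113.7 and its three child PIDs, which is the set you would inspect (or terminate, if idle) before raising the limit for everyone.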

Send attachments from command line with mutt

To send e-mails from the command line with attachments using mutt:

Set the from address with EMAIL=
-s – subject
-a – attachment file ( list it last, then -- before the recipients )
recipient address
-c – for CC
-b – for BCC
Create a text file (eg: /tmp/testmessage) with the body of the message.

EMAIL="foo@bar" mutt -s "Subject" -c foo2@bar -a test.doc -- foo1@bar < /tmp/testmessage

Issue with NTP servers — The new DDoS target !!

Just as DDoS attacks hit web servers and DNS servers, they have started hitting
the ntpd servers which are left open.

This is a very recent attack. The Network Time Protocol, or NTP, syncs time
between machines on the network, and runs over port 123 UDP. It’s typically
configured once by network administrators and often is not updated.

Recently there has been a major jump in attacks via this protocol. Attackers appear to be
employing NTP for DDoS similar to the way DNS is abused in such attacks.
They transmit small spoofed packets requesting a large amount of data be sent to the
DDoS target's IP address. It's all about abusing the so-called "monlist" command
in older versions of NTP. Monlist returns a list of the last 600 hosts that have
connected to the server.

To check if your ntp service is open/vulnerable :

# ntpdc -c monlist IP ( see if it returns the list of hosts;
if it does, it is vulnerable )

To get around this,

– The easiest way is to update to NTP version 4.2.7, which removes the monlist
command entirely.

– If upgrading is not an option, you can start the NTP daemon with noquery enabled
in the NTP conf file. This will disable access to mode 6 and 7 query
packets (which include monlist).

Add the below lines to /etc/ntp.conf :

========

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

========

If the monlist query is disabled,

# ntpdc -n -c monlist IP should return,

xx.xx.xx.xx: timed out, nothing received
***Request timed out

The basic issue is that ntp servers are left open, meaning any host
can query them. For eg we have the following part in the config
file of an ntpd server :

============

# --- CLIENT NETWORK ---

============

– under this portion, either nothing is given ( which means all can access/query )
or the following,

restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

which means all can still access/query; only the range specified cannot do the
above 3 actions.

This still makes it an open ntpd service, which responds to the queries.

If the following were given,

restrict 192.168.1.0 mask 255.255.255.0 notrust noquery nomodify notrap

it implies all systems under the above n/w segment can access the service, but cannot
query it, similar to the 2-liner given above which applies irrespective of the n/w segment.

Before you become a part of the chain, take the preventive measures.
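To tell at a glance whether an ntp.conf still leaves mode 6/7 queries open, here is an added Python checker (not from the original post) that parses the restrict lines and reports, per address family, whether the default restriction carries noquery (or ignore). It assumes the ntp 4.2.6+ rule that a bare "restrict default" applies to both IPv4 and IPv6, while older builds needed the separate -6 line shown above. The two embedded configurations are the snippets from this post, plus a localhost line of my own.

```python
# The "open" client-network snippet quoted in this post, and the hardened default
# lines from this post (the 127.0.0.1 line is my addition, the usual localhost entry).
PAGE_OPEN_CONF = """\
# --- CLIENT NETWORK ---
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
"""

PAGE_HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

QUERY_DENYING = {"noquery", "ignore"}   # either flag stops mode 6/7 (monlist) replies


def parse_restrict(conf_text):
    """Return (family, target, flags) for every restrict line.
    family: '4', '6' or 'any' (no -4/-6 qualifier); target: 'default' or 'addr/mask'."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # strip comments, then whitespace-split
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = "any"
        if tokens and tokens[0] in ("-4", "-6"):
            family = tokens.pop(0)[1]
        if not tokens:
            continue
        target = tokens.pop(0)
        if len(tokens) >= 2 and tokens[0] == "mask":
            target = target + "/" + tokens[1]
            tokens = tokens[2:]
        entries.append((family, target, set(tokens)))
    return entries


def default_query_exposure(conf_text):
    """Per address family, True when the default restriction still answers mode 6/7
    queries. With no 'restrict default' line at all ntpd answers everyone, so both
    families start out exposed. A bare 'restrict default' covers both families
    (ntp 4.2.6+); a later -4/-6 line overrides one of them."""
    exposure = {"4": True, "6": True}
    for family, target, flags in parse_restrict(conf_text):
        if target != "default":
            continue
        for fam in (["4", "6"] if family == "any" else [family]):
            exposure[fam] = not (flags & QUERY_DENYING)
    return exposure


def open_entries(conf_text):
    """All restrict entries that neither deny queries nor ignore the source."""
    return [(family, target) for family, target, flags in parse_restrict(conf_text)
            if not (flags & QUERY_DENYING)]


if __name__ == "__main__":
    # On a real box: default_query_exposure(open("/etc/ntp.conf").read())
    for name, conf in (("client-network line only", PAGE_OPEN_CONF),
                       ("hardened defaults", PAGE_HARDENED_CONF)):
        print(name, default_query_exposure(conf), open_entries(conf))
```

The first configuration reports both families exposed even though it has a restrict line: restricting one subnet says nothing about the default, which is exactly the point made above. The second reports both closed, with only localhost allowed to query.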

An issue with exim — mails not getting delivered to certain mail-servers

Facing an issue with exim where it doesn't send any mails to certain SMTP servers like gmail etc?

The first place to check is /var/log/exim_mainlog; see if you can spot something like this

=============

-bash-3.2# grep 1W6OuM-0005cl-J8 /var/log/exim_mainlog
2014-01-23 19:21:42 1W6OuM-0005cl-J8 <= root@host.xxxx. U=root P=local S=350 T="test mail" for test@gmail.com
2014-01-23 19:21:42 cwd=/var/spool/exim 4 args: /usr/sbin/exim -v -Mc 1W6OuM-0005cl-J8
2014-01-23 19:21:42 1W6OuM-0005cl-J8 gmail-smtp-in.l.google.com [xxxx:abcd:xxxx:xab::xa] Network is unreachable
2014-01-23 19:21:43 1W6OuM-0005cl-J8 Completed

============

You can see that exim is trying to send outgoing emails via IPv6. This happens if the recipient server supports it ( gmail supports it ), and as a result mail delivery gets affected or the mails reach the junk/spam folder.

If IPv6 delivery is not intended and DNS records for it are not configured, then the recipient SMTP server will not be able to obtain a reverse DNS entry for the sending IP ( the IPv6 address ) and as a result mail delivery is affected.

To get around this, either configure your IPv6 DNS entries or just force exim to send mails only via IPv4 by adding the below line to the exim config file ( /etc/exim.conf )

disable_ipv6 = true

Finally restart exim.

Create bootable USB on OSX

– Identify the disk number of the USB disk you inserted; usually you can find it from the "Name" and "Size" fields.
In the example below we inserted a USB disk of 4.1 GB, so the identifier is "disk2".
Open a terminal and execute the following commands:

sh-3.2$ diskutil list
/dev/disk0
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:      GUID_partition_scheme                        *120.0 GB   disk0
1:                        EFI EFI                     209.7 MB   disk0s1
2:          Apple_CoreStorage                         119.0 GB   disk0s2
3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:                  Apple_HFS Macintosh HD           *118.7 GB   disk1
/dev/disk2
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:                            UNTITLED        *4.1 GB     disk2

– Unmount the disk
sh-3.2$ diskutil unmountDisk /dev/disk2
Unmount of all volumes on disk2 was successful

– Write the ISO file to the USB using the dd command ( double-check that of= points at the USB disk, as dd overwrites it without asking )
sh-3.2$ sudo dd if=Downloads/ubuntu-12.04.3-desktop-i386.iso of=/dev/disk2 bs=1m
Password:
707+0 records in
707+0 records out
741343232 bytes transferred in 139.059398 secs (5331126 bytes/sec)

– Eject the disk
sh-3.2$ diskutil eject /dev/disk2
Disk /dev/disk2 ejected

Protect your server from DDoS attacks – Part 2 !!

We have been talking about DDoS attacks directed at the web server all this
while ( http://letushare.com/protect-your-server-from-ddos-attacks )

Another headache is when these attacks are directed at our DNS services,
which is often called a DNS Amplification Attack.

In simple words, the attack can be explained as follows :

Someone asks you how to reach a particular destination. You are not actually sure of the location either, so you ask your friends nearer to you, and if you don't get an answer from them, you are determined to somehow get an answer and you keep inquiring further until you get one. ( Basically you do not know this 'someone' who requested your help. )

And this 'someone' has not stopped there. He has asked this same question to
lots of other people who, like you, are determined to get an answer. He would
conclude by saying: if you get an answer, please ring me at 111 – a fake number of
some unknown poor guy.

Similarly, an attacker spoofs IP addresses ( he might spoof the source to the IP he
would like to DDoS – called the target – like the fake 111 number ) and sends a request to your DNS server asking it to resolve a domain. Your DNS server does not have any details about it in its local db, so it goes around the internet trying to resolve the domain, and as a result the request queries and the reply queries grow beyond a limit as the attacker sends more and more requests.

Now, remember your server might be 1 of 10000 from which the attacker directs the replies to a target ( if the source IP of the DNS query was spoofed to that of the target ).

So basically, this sort of DDoS attack not only affects the 'target' but also all the
DNS servers participating in the attack, as they are flooded with queries ( request and reply ).

Attackers will typically submit a request for as much zone information as possible to maximize the amplification effect. In most attacks of this type, the spoofed queries sent by the attacker are of the type "ANY", which returns all known information about a DNS zone in a single request. Because the size of the response is considerably larger than the request, the attacker is able to multiply the amount of traffic generated by these DNS services, and in the end the amount of traffic directed at the target is huge.

So, how can we prevent this from happening ?

Going back to our previous illustration, when that 'someone' asked you for help,
it was you who sought to find an answer. You could have said :

"I'm sorry, I don't know the route to that destination. Neither do I know you, so I can't spend
my time/energy assisting you."

This is where you can make your DNS server a closed resolver.

More on this is found at the page, http://letushare.com/169/

And suppose, consider this, your DNS server is closed; still it would receive the
queries from the attacker and your server would have to reply to those DNS queries. Just that
it is not a part of the attack. These replies too might hinder your services if too
many requests are directed at your server.

Here you can use iptables to set a rate-limit on the queries reaching your DNS port.

First make sure the recent module ( xt_recent ) is loaded on the server;
this module is needed to get this particular aspect of iptables working.

The first rule moves all the packets received on port 53 to a new chain:

# iptables -N block ( create a new chain )
# iptables -A INPUT -p udp --dport 53 -j block

Then,

# iptables -A block -m recent --set --name DNSQF --rsource ( create a list DNSQF to record the source IPs )

# iptables -A block -m recent --update --seconds 5 --hitcount 15 --name DNSQF --rsource -j DROP ( set the rule for the list DNSQF which stores the recent IPs )

The above rule drops every packet from a source once it has sent 15 packets within a time-frame of 5 seconds.

Having these rules in iptables can help reduce the traffic on your server
when DNS queries are made to it, even when it is a closed resolver.
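To see what the two recent-module rules above actually do to a query stream, here is an added Python simulation (not part of the original post) of the --set / --update --seconds 5 --hitcount 15 logic. It is an approximation of the kernel's xt_recent behaviour: each packet records a timestamp for its source, and a packet is dropped once its source has 15 timestamps within the last 5 seconds. The traffic is constructed, a flooding source and a normal client with documentation-range IPs.

```python
from collections import defaultdict


def simulate_recent(packets, seconds=5, hitcount=15, list_size=20):
    """Replay (time_seconds, src_ip) packets through the two rules from the post:
        -A block -m recent --set --name DNSQF --rsource
        -A block -m recent --update --seconds 5 --hitcount 15 --name DNSQF --rsource -j DROP
    Approximation of xt_recent: --set appends the packet's timestamp to its source's
    list (only the newest `list_size` kept, mirroring ip_pkt_list_tot's default of 20);
    --update matches, and the packet is dropped, when at least `hitcount` of those
    timestamps fall within the last `seconds`. Returns [(t, ip, verdict), ...]."""
    stamps = defaultdict(list)
    verdicts = []
    for t, ip in packets:
        stamps[ip].append(t)                        # rule 1: --set
        stamps[ip] = stamps[ip][-list_size:]
        recent = [s for s in stamps[ip] if t - s <= seconds]
        verdict = "DROP" if len(recent) >= hitcount else "ACCEPT"   # rule 2: --update ... -j DROP
        verdicts.append((t, ip, verdict))
    return verdicts


def drops_per_ip(verdicts):
    """Number of dropped packets per source (sources with no drops are omitted)."""
    counts = defaultdict(int)
    for _t, ip, verdict in verdicts:
        if verdict == "DROP":
            counts[ip] += 1
    return dict(counts)


def burst(ip, start, n, gap):
    """n packets from ip, `gap` seconds apart, starting at `start`."""
    return [(round(start + i * gap, 3), ip) for i in range(n)]


# Constructed traffic: a flood source sending 20 queries in 2 s, twice, 10 s apart,
# and a normal client sending one query per second for 20 s.
FLOOD = "203.0.113.7"
NORMAL = "198.51.100.2"
SAMPLE_PACKETS = sorted(burst(FLOOD, 0.0, 20, 0.1) + burst(FLOOD, 10.0, 20, 0.1)
                        + burst(NORMAL, 0.0, 20, 1.0))

if __name__ == "__main__":
    for t, ip, verdict in simulate_recent(SAMPLE_PACKETS):
        print(f"{t:6.1f}  {ip:15}  {verdict}")
    print(drops_per_ip(simulate_recent(SAMPLE_PACKETS)))
```

The flood source loses the last 6 packets of each burst (the 15th packet inside the window is the first one dropped) and is admitted again once its old timestamps age out of the 5-second window, while the one-query-per-second client never accumulates enough hits to be touched.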

MySQL server not starting ?

There are tons of causes for which MySQL might not start,
ranging from disk space being full to databases getting corrupt.

First place where you have to check for a clue is the .err log
( /var/lib/mysql/hostname.err )

If the err corresponds to something like this :

InnoDB: End of page dump
140104 12:33:19 InnoDB: Page checksum 2288969011, prior-to-4.0.14-form checksum 2949853821
InnoDB: stored checksum 492713095, prior-to-4.0.14-form stored checksum 2949853821
InnoDB: Page lsn 0 40542, low 4 bytes of lsn at page end 40542
InnoDB: Page number (if stored to page already) 47,
InnoDB: space id (if created with >= MySQL-4.1.1 and stored already) 0
InnoDB: Page may be an update undo log page
InnoDB: Page may be an index page where index id is 12
InnoDB: Also the page in the doublewrite buffer is corrupt.
InnoDB: Cannot continue operation.
InnoDB: You can try to recover the database with the my.cnf
InnoDB: option:
InnoDB: innodb_force_recovery=6

One of the reasons for this error is the use of multiple
storage engines, MyISAM and InnoDB

Check your /etc/my.cnf for any lines which highlight the use
of multiple storage engines.

Following can be an example :

innodb_force_recovery=4
default-storage-engine=MyISAM

The above configuration implies MyISAM is the default
storage engine, but another setting related to InnoDB is
also given, which conflicts.

If your default storage engine is MyISAM, then
giving the following option in /etc/my.cnf would
help : skip-innodb

Virus scanning for file uploads with clamav/php

Download and install the following packages; if your repository has those packages, just use the package management tool to install them.

Ubuntu/Debian/Mint

# apt-get install clamav clamav-db clamd clamav-devel php-devel

Redhat

# yum install php-devel
# wget http://pkgs.repoforge.org/clamav/clamav-0.97.7-1.el5.rf.i386.rpm
# wget http://pkgs.repoforge.org/clamav/clamav-db-0.97.7-1.el5.rf.i386.rpm
# wget http://pkgs.repoforge.org/clamav/clamd-0.97.7-1.el5.rf.i386.rpm
# wget http://pkgs.repoforge.org/clamav/clamav-devel-0.97.7-1.el5.rf.i386.rpm
# rpm -Uvh clam*
# freshclam
# service clamd start

Configure php-clamav

Download php-clamav from from sf.net

# wget http://downloads.sourceforge.net/project/php-clamav/0.15/php-clamav_0.15.7.tar.gz
# tar xvzf php-clamav_0.15.7.tar.gz
# cd php-clamav-0.15.7/
# phpize
# ./configure --with-clamav
# make
# cp modules/clamav.so /usr/lib/php/modules/

Add the modules to php.ini if required.

extension=clamav.so

Make sure the module is loaded

# php -i | grep -i clam
clamav

In case you see the following error, create a symlink to the clamav path:
LibClamAV Error: cl_load(): Can't get status of /var/lib/clamav

# ln -s /var/clamav /var/lib/clamav

Test script
Get the testing virus file from http://www.eicar.org/86-0-Intended-use.html and save it on a file (eg: /tmp/virus.txt)

Create a php script:
cat > check_virus.php

<?php
// Path of the EICAR test file saved in the step above.
$file = '/tmp/virus.txt';
$virusname = '';
// cl_scanfile() returns a libclamav return code and fills $virusname on detection.
$retcode = cl_scanfile($file, $virusname);
if ($retcode == CL_VIRUS) {
    echo "Virus found name : " . $virusname . "\n";
} else {
    echo cl_pretcode($retcode) . "\n";
}
?>

$ php check_virus.php
Virus found name : Eicar-Test-Signature

./arun

Create CSR and implement in apache

These steps are used to generate a CSR to get the SSL certificate signed with verisign. The filenames used are just examples.

$ /usr/bin/openssl genrsa -rand /dev/urandom -out <web_root>/domain_name.key 2048
$ /usr/bin/openssl req -new -key <web_root>/domain_name.key -out <web_root>/domain_name.csr

Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:<make sure it matches exactly with your domain>
Email Address []:

Generate the private key without a passphrase ( as the genrsa command above does ) if you don't want to be prompted for it at every webserver restart.

Upload the CSR to the Certificate Authority and get the signed certificate and save it as domain_name.crt. If it is from verisign get both intermediate certificates and add it to a file (eg: intermediate.ca.crt)

In virtual host configuration

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:+EXP:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5

SSLCertificateFile <web_root>/domain_name.crt

SSLCertificateKeyFile <web_root>/domain_name.key

SSLCACertificateFile <web_root>/intermediate.ca.crt

Restart webservice and verify the certificate, you may use the verisign cert checker (https://ssl-tools.verisign.com/#certChecker)

Install rich text editor in mediawiki

The WYSIWYG extension enables a more intuitive editing of pages on a MediaWiki-based site

Download the package suitable for your mediawiki version

http://www.mediawiki.org/wiki/Extension:WYSIWYG#Download

$ unzip WYSIWYG.zip

$ cp -prf WYSIWYG $media_wiki/extensions/

$ vi LocalSettings.php and add:

require_once("$IP/extensions/WYSIWYG/WYSIWYG.php");

$wgGroupPermissions['*']['wysiwyg']=true;

$wgGroupPermissions['registered_users']['wysiwyg']=true;

Define the permissions as per your requirements.

Upgrade php to 5.3 – directadmin

# cd /usr/local/directadmin/custombuild
# ./build set php5_ver 5.3
# ./build update
# ./build php n
# /etc/init.d/httpd restart

This may break your Softaculous if it cannot load the correct ionCube loader.

Site error: the file /usr/local/directadmin/plugins/softaculous/images/inc.php requires the ionCube PHP Loader ioncube_loader_lin_5.3.so to be installed by the site administrator.

Edit your php.ini to fix it

# vi /usr/local/directadmin/plugins/softaculous/php.ini
zend_extension = "/usr/local/ioncube/ioncube_loader_lin_5.3.so" ; replace with the correct path
# /etc/init.d/httpd restart

Install Raspbmc media center on RaspberryPi

RASPBMC


Even though I am happy with xbian, I was just trying Raspbmc as well 🙂

Raspbmc is a media center for the Raspberry Pi and is based on Raspbian and XBMC.

All credits go to Sam Nazarko, Thanks for excellent work.

Reference: http://www.raspbmc.com/,

You may use XPi Installer instead of the following method, http://www.xbmchub.com/blog/2012/11/02/installing-xbian-to-raspberry-pi-from-mac/

Install raspbmc on an SD card from Mac OS X / Linux / Windows,

Download the raspbmc installer, change its permissions and execute it. Make sure that you select the correct disk ( verify the info from Disk Utility in Mac OS X )

$ curl -O http://svn.stmlabs.com/svn/raspbmc/testing/installers/python/install.py
$ chmod u+x install.py
$ sudo python install.py 
Raspbmc installer for Linux and OS X
http://raspbmc.com
----------------------------------------
Please ensure you've inserted your SD card, and press Enter to continue.
Enter the 'IDENTIFIER' of the device you would like imaged:
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *120.0 GB   disk0
   0:      GUID_partition_scheme                        *500.1 GB   disk1
   0:                  Apple_HFS Macintosh HD           *118.7 GB   disk2
   0:     Apple_partition_scheme                        *17.4 MB    disk3
   0:     FDisk_partition_scheme                        *15.9 GB    disk4
Enter your choice here (e.g. 'disk1', 'disk2'): disk4
It is your own responsibility to ensure there is no data loss! Please backup your system before imaging
You should also ensure you agree with the Raspbmc License Agreeement
Are you sure you want to install Raspbmc to '/dev/disk4' and accept the license agreement? [y/N] y
Downloading, please be patient...
Downloaded 16.35 of 16.35 MiB (100.00%)
Unmounting all partitions...
Unmount of all volumes on disk4 was successful
Please wait while Raspbmc is installed to your SD card...
This may take some time and no progress will be reported until it has finished.
0+1173 records in
0+1173 records out
76800000 bytes transferred in 14.809589 secs (5185829 bytes/sec)
Installation complete.
Would you like to setup your post-installation settings [ADVANCED]? [y/N]N
  • Once the installation is completed, eject it from the system.
  • Insert the sdcard to RaspberryPi.
  • Connect the RaspberryPi using Ethernet cable, continue with the post installation steps.

Configure static IP on Raspberry Pi

RaspberryPi


Some access points do not deliver DHCP to the Raspberry Pi. You can assign the IP statically as follows:

Edit the /etc/network/interfaces file

Comment out the following lines.

> #allow-hotplug wlan0
> #wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
> #iface eth0 inet manual

Add following configs.

auto lo 
iface eth0 inet dhcp
auto wlan0
iface wlan0 inet static
address x.x.x.x
netmask x.x.x.x
gateway x.x.x.x
pre-up wpa_supplicant -Dwext -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf -B

Re-enable the interface.

ifdown wlan0
ifup wlan0

Configure the name server if required.

/etc/resolv.conf
nameserver x.x.x.x

Upgrade, Restore Drupal 7

A shell script to upgrade and restore a Drupal 7 website.
This script takes care of the necessary actions required for upgrading drupal to higher versions.

USAGE

  • Copy the script to your webserver.
  • Edit the script and change the variables to match with your setup
  • Give execute privilege to the owner of the script (chmod u+x upgrade-restore-drupal7.sh)
  • Execute the script ./upgrade-restore-drupal7.sh

UPGRADE

$ ./upgrade-restore-drupal7.sh 
 Please enter your choice:
 1. Update drupal
 2. Restore an old installation from backup
 3. Exit
1
Please enter the new drupal version (eg: 7.15) : 
7.18
Downloading drupal-7.18
Downloaded the the drupal version drupal-7.18
Current site backup is created: /home/foo/backups/08-01-2013-0938
Database backup created: /home/foo/backups/08-01-2013-0938.sql
Site is in maintanence mode now
Removed all drupal core files from destination
Copied the new version contents
Drupal updated to drupal-7.18
Site is active again, but please update your database, please visit http://<yourwebsite>/update.php to finalize the process
Removed the source files

RESTORE

$ ./upgrade-restore-drupal7.sh 
 Please enter your choice:
 1. Update drupal
 2. Restore an old installation from backup
 3. Exit
2
List of available backups
08-01-2013-0753
08-01-2013-0758
08-01-2013-0804
08-01-2013-0841
08-01-2013-0849
08-01-2013-0858
08-01-2013-0900
08-01-2013-0904
08-01-2013-0905
08-01-2013-0938
Please enter the backup file name to restore: (eg: 08-01-2013-0753): 
08-01-2013-0905
Site is offline now
Removed production files
Restored the filesystem backup 
Restored the database
Site is restored

View on github

Upgrading Linux Mint 13 (maya) to Linux Mint 14 (nadia).

Linux Mint 14


Take a backup of the current sources.list; preferably make a full backup of the system.

Edit the sources.list file and
replace the occurrences of maya with nadia and precise with quantal.

$ sudo vi /etc/apt/sources.list
:%s/maya/nadia/g
:%s/precise/quantal/g

Resulting file may look like.

deb http://packages.linuxmint.com/ nadia main upstream import
deb http://archive.ubuntu.com/ubuntu/ quantal main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ quantal-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ quantal-security main restricted universe multiverse
deb http://archive.canonical.com/ubuntu/ quantal partner
deb http://packages.medibuntu.org/ quantal free non-free

Update the system

$ sudo apt-get update
$ sudo apt-get dist-upgrade