sandip's blog

Verifying which ports are listening...

There are two basic approaches for listing the ports that are listening on the network. The less reliable approach is to query the network stack by typing commands such as `netstat -an` or `lsof -i`. This method is less reliable since these programs do not connect to the machine from the network but rather check to see what is running on the system. For this reason, these applications are frequent targets for replacement by attackers in an attempt to cover their tracks if they open unauthorized network ports.

A more reliable way to check which ports are listening on the network is to use a port scanner such as nmap.
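As an added example (not from the original post), a small Python cross-check of the two views the post contrasts: it parses constructed `netstat -tln` output taken on the host and constructed nmap greppable (`-oG`) output from a scan run from a second machine, and reports ports that are open from the network but absent from the host's own listing. The sample data and the address 192.0.2.10 are assumptions made for the example.

```python
import re

# Constructed sample of `netstat -tln` output as the host itself reports it.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""

# Constructed sample of nmap greppable output (-oG) from a scan of the same host
# (192.0.2.10 is a documentation address) run from a second machine.
NMAP_GREPABLE_SAMPLE = """\
# Nmap scan initiated as: nmap -sT -p- -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8443/open/tcp//https-alt///\tIgnored State: closed (65532)
# Nmap done
"""


def local_listeners(netstat_output):
    """Return {port: bind_address} for TCP sockets the host's own tools show in LISTEN."""
    listeners = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            addr, port = fields[3].rsplit(":", 1)
            listeners[int(port)] = addr
    return listeners


def scanned_open_ports(grepable_output):
    """Return the set of TCP ports nmap reported as open in -oG output."""
    return {int(m.group(1)) for m in re.finditer(r"(\d+)/open/tcp", grepable_output)}


def unexplained_ports(netstat_output, grepable_output):
    """Ports reachable from the network that the host's own listener list cannot explain.
    Loopback-only listeners are excluded since a remote scan cannot see them; anything
    left is the discrepancy the post warns about: the local tools were replaced, or
    something is listening that they hide."""
    local = local_listeners(netstat_output)
    visible_locally = {p for p, addr in local.items() if addr not in ("127.0.0.1", "::1")}
    return sorted(scanned_open_ports(grepable_output) - visible_locally)


if __name__ == "__main__":
    print("open from the network but not in the host's listing:",
          unexplained_ports(NETSTAT_SAMPLE, NMAP_GREPABLE_SAMPLE))
```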

Limit SSH users with PAM

PAM (Pluggable Authentication Modules) can be used to limit which users have access to a certain service based on a list. For example, you can restrict SSH logins via PAM.

In "/etc/pam.d/sshd", add the following line:

auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh_allow.pamlist

This allows a user to log in via sshd only if they are listed in the "/etc/ssh_allow.pamlist" file. The options specified have the following meanings:

Learning Java using Web Resources...

Below are some of the excellent web resources I have utilized to get me started on Java. Hope this helps others too.

  1. MIT's OpenCourseWare: 1.00 Introduction to Computers and Engineering Problem Solving, Fall 2002
  2. Sofia Project: Introduction to Java Programming
  3. Bruce Eckel's free eBook from MindView.net: Thinking in Java, 3rd Edition

Intel Corp. PRO/Wireless 2200BG on Fedora Core 3

For the Intel Corp. PRO/Wireless 2200BG card in a Dell Latitude D800, Intel has a project supporting the miniPCI adapter on Linux at ipw2200.sourceforge.net.

In order to use the IPW2200 driver you will need the following:

  1. Linux with a 2.6.4+ kernel. See the INSTALL document for information on specific options required to be enabled in the kernel.
  2. Wireless Extensions (v16) and Tools (v27-pre23).

Fedora Core 3 upgrade issue with grub.conf and udev using NVIDIA driver

I had no trouble while upgrading from FC1 to FC3. However, on reboot the system seemed to hang on "configuring kernel parameters" during the boot process and failed to remount filesystems as read-write, with a consequent hang while trying to start the system logger. The boot process would be fine as long as the system was not booting to runlevel 5.

The fix was to remove "rhgb" from the "/etc/grub.conf" kernel parameters, since this attempts a graphical install before nvidia is ready. On reboot without "rhgb" in grub, it makes it all the way to the text login screen, but X can't start and comes up with an error message saying it can't initialise the nvidia kernel module.

Server Security with Advanced Policy Firewall and Antidos

APF is a policy-based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. APF is ideal for deployment in many Linux-based server environments.

Below are notes on installing, configuring and running APF.

  1. Download the latest tarball via rfxnetworks.com
  2. Extract and install it:
    # tar -xvzf apf-current.tar.gz
    # cd apf*
    # ./install.sh
    

Migrating website from Ensim Basic 3.1.12-9 to Ensim Pro 4.0.2-7

The site migration was done from a server with Ensim Basic 3.1.12-9 (secure) to a server running Ensim Pro 4.0.2-7 (serv01).

  1. ----- Preparation prior to migration -----
  2. 48 hrs prior to migration, set the SOA "Refresh Interval" and "Minimum Time To Live" to 600 for the domains.
  3. Remove frontpage extensions from all sites.
  4. Back up the sites on secure (ensim 3.1.12-9) with ensimbackup and move the backup to serv01.
    # ensimbackup -l </path/to/domain_list>
    
  5. ----- In serv01 -----
  6. Check to make sure that the default site template has enough databases to assign in pro.
  7. Remove all instances of the domains to be restored in /etc/bind/secure_dns.conf .
  8. Delete all corresponding /var/named/sec.domain.tld files.
    # for x in `cat <domain list file>`; do rm /var/named/sec.$x; done
    
  9. Restart named.
  10. Turn sim checking off for webppliance (init.ocwhttpd off) in "/usr/local/sim/config/mods.control".
  11. `service webppliance stop`
  12. Unhide all hidden services.
  13. Restore with ensimprorestore on serv01 (ensim 4.0.2-7.rhel).
    # ensimprorestore -a </path/to/dir/>
    
  14. Assign Spam Filter and Mail Scanner and remove ssh and squirrelmail for the restored domains.
    # for x in `cat <domain list file>`; do \
    >   EditVirtDomain -c mailscanner,on -c spam_filter,on \
    >     -c ssh,off -c sqmail,off [-c frontpage,on] $x; done
    
  15. Hide services, `/etc/appliance/svcdb/hide.sh hide`
  16. `service webppliance start`
  17. Turn sim checking on for webppliance (init.ocwhttpd on).
  18. Run `/var/www/html/secureDNS/dns_updater.php`.
  19. Disable /etc/bind/dnsupdate for 48 hrs.
  20. ----- In secure -----
  21. Delete all instances of the domains from the zone list, "/etc/bind/bind.conf.wp".
  22. Delete all corresponding /var/named/zone.domain.tld files.
    # for x in `cat <domain list file>`; do rm /etc/bind/zone.$x; done
    # for x in `cat <domain list file>`; do rm /var/named/db.$x; done
    
  23. Restart named.
  24. Run `/etc/bind/dnsupdate` in secure.
  25. Delete the accounts after 48 hrs.
  26. ----- Old Method, use only for reference -----
  27. Create the Reseller Account.
  28. Assign the site to the Reseller account with high security, no squirrelmail (available by default) and no SSH. Also, change the number of databases back to the original number, which is normally 1.
  29. Delete corresponding zone records from "/etc/bind/secure_dns.conf".
  30. Add DNS records using "/etc/bind/addZone.sh <domain.com>".
    #!/bin/bash
    # addZone.sh - create the BIND zone stanza and zone file for the domain
    # given as $1 and include it in bind.conf.wp. Paths are absolute so the
    # script works regardless of the current directory.

    if [ -z "$1" ]; then
        echo "usage: $0 <domain.tld>" >&2
        exit 1
    fi

    cat <<EOF >/etc/bind/zone.$1
    zone "$1" IN {
            type master;
            file "/var/named/db.$1";
            allow-update   { key "wp_default_key."; };
            allow-transfer { localhost; 216.12.215.205; };
    };
    EOF

    cat <<EOF >/var/named/db.$1
    \$ORIGIN .
    \$TTL 3600      ; 1 hour
    $1              IN SOA  ns2.edices.com. admin.edices.com. (
                                    2005021308 ; serial
                                    3600       ; refresh (1 hour)
                                    600        ; retry (10 minutes)
                                    86400      ; expire (1 day)
                                    3600       ; minimum (1 hour)
                                    )
                            NS      ns1.edices.com.
                            NS      ns2.edices.com.
    \$TTL 86400     ; 1 day
                            A       207.44.206.16
                            MX      10 mail.$1.
    \$ORIGIN $1.

    ftp                     A       207.44.206.16
    mail                    A       207.44.206.16
    www                     A       207.44.206.16
    EOF

    cat <<EOF >>/etc/bind/bind.conf.wp
    include "/etc/bind/zone.$1";
    EOF

    # The zone file must be owned by named and must not be world-readable.
    [ -f /var/named/db.$1 ] && chown named:named /var/named/db.$1 && chmod 600 /var/named/db.$1
    # Drop any leftover secondary copy of this zone from the old setup.
    [ -f /var/named/sec.$1 ] && rm /var/named/sec.$1

    echo "Restart named manually if everything looks fine..."
    
  31. Run `/var/www/html/secureDNS/dns_updater.php`.
  32. Disable accounts in secure via the CLI.
  33. Remove Zones in bind via GUI on secure.
  34. Run `/etc/bin/dnsupdate` in secure.

Image Your Hard Drive using dd

I have backed up my system to an external Ximeta drive using "dd", booting from the well-known Linux live CD distribution Knoppix. Below are the steps in brief:

  1. Boot from the live cdrom distribution.
  2. Switch to root.
  3. Make sure NO partitions are mounted from the source hard drive.
  4. Mount the external HD.
      # mount -t vfat /dev/sda1 /mnt/sda1
      
  5. Backup the drive.
      # dd if=/dev/hda conv=sync,noerror bs=64K | gzip -c  > /mnt/sda1/hda.img.gz
      

    "dd" makes a bit-by-bit copy of the device named by "if=/dev/hda" (the "Input File"). In the pipeline above there is no "of=" output file: the output is piped through gzip to compress it, so everything from the drive ends up in the compressed file "hda.img.gz". "conv=sync,noerror" tells dd that if it can't read a block due to a read error, it should at least write something of the correct length to its output. Even if your hard disk exhibits no errors, remember that dd will read every single block, including any blocks which the OS avoids using because it has marked them as bad. "bs=64K" sets the block size to 64x1024 bytes; such a large block size speeds up the copying process.

  6. To restore your system:
      # gunzip -c /mnt/sda1/hda.img.gz | dd of=/dev/hda conv=sync,noerror bs=64K 
      

    NOTE: I've had much success leaving out "conv=sync,noerror" during restore.

  7. Store extra information about the drive geometry needed to interpret the partition table stored within the image; the most important item is the cylinder size.
      # fdisk -l /dev/hda > /mnt/sda1/hda_fdisk.info
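As an added illustration (not part of the original post), a Python model of what "conv=sync,noerror" buys you: a constructed stand-in disk with one unreadable 64K block is imaged through the same gzip pipeline with and without "sync", and the blocks after the bad one only stay at their original offsets, where the partition table expects them, when the zero-filled padding is written. The FlakyDisk class and block contents are constructed for the example; the code models dd's behaviour rather than invoking dd.

```python
import gzip
import io

BLOCK = 64 * 1024  # the bs=64K used in the post


class FlakyDisk:
    """Constructed stand-in for /dev/hda: every block is readable except the ones listed."""
    def __init__(self, nblocks, bad_blocks):
        self.blocks = [bytes([n % 256]) * BLOCK for n in range(nblocks)]
        self.bad = set(bad_blocks)

    def read_block(self, n):
        if n in self.bad:
            raise IOError("Input/output error")
        return self.blocks[n]


def image(disk, nblocks, conv):
    """Model dd's handling of a read error under the given conv= setting, then gzip.
    conv="sync,noerror": skip the bad block but emit a zero-filled block of the same size.
    conv="noerror":      skip the bad block and emit nothing for it (later data shifts).
    conv="":             stop at the first read error, as dd does by default."""
    out = io.BytesIO()
    for n in range(nblocks):
        try:
            chunk = disk.read_block(n)
        except IOError:
            if "noerror" not in conv:
                raise
            chunk = b"\0" * BLOCK if "sync" in conv else b""
        out.write(chunk)
    return gzip.compress(out.getvalue())


def restore(img):
    """The gunzip -c half of the restore pipeline; returns what dd would write back."""
    return gzip.decompress(img)


def block_at(data, n):
    """The 64K block that now sits at the offset where block n originally lived."""
    return data[n * BLOCK:(n + 1) * BLOCK]


if __name__ == "__main__":
    disk = FlakyDisk(nblocks=4, bad_blocks=[1])
    padded = restore(image(disk, 4, "sync,noerror"))
    shifted = restore(image(disk, 4, "noerror"))
    print("block 2 intact with sync,noerror:", block_at(padded, 2) == disk.blocks[2])
    print("block 2 intact with noerror only:", block_at(shifted, 2) == disk.blocks[2])
```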
      

Protect Server against Web Intrusions with mod_security

ModSecurity is an open source intrusion detection and prevention engine for web applications. Operating as an Apache Web server module, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks.

  • Download tarball from modsecurity.org
  • Check that you have "httpd-devel" installed.
  • Backup your original "httpd.conf" file.
  • After extracting, compile and install from the relevant apache directory, via:
      # apxs -cia mod_security.c
    

Tuning / Optimizing my.cnf file for MySQL

I had to do some fine-tuning of MySQL 4.1.9; here is what my my.cnf file looks like for a 2GHz machine with 1GB of memory.

[mysqld]
socket=/path/to/mysql.sock
datadir=/var/lib/mysql
skip-locking
skip-innodb
# MySQL 4.x has query caching available.
# Enable it for vast improvement and it may be all you need to tweak.
query_cache_type=1
query_cache_limit=1M
query_cache_size=32M
# max_connections=500
# Reduced to 200 as memory will not be enough for 500 connections.
# memory=key_buffer+(sort_buffer_size+read_buffer_size)*max_connections
