Welcome to Linux Family

Tuesday, December 27, 2011

Apache Installation guide

For Linux users (Fedora, CentOS, Red Hat)

For Linux users, installation can be done in two ways: from source, or using yum.

1. Installation


1.1 Installation using yum

Apache is included in the standard Linux repositories, so you can install it with yum as follows.

  1. Install httpd binaries.
    $yum install httpd
  2. Install http development libraries.
    $yum install httpd-devel
It was simple! Apache is now installed on your machine. You can start the server with its startup script:

$/etc/init.d/httpd start

Don't forget to configure Apache to start automatically at system boot. For that, issue the following command:

$chkconfig httpd on

1.2 Installation from source (applicable to both Red Hat and Ubuntu variants)
  1. Download the Apache source from http://httpd.apache.org/download.cgi. At the time of writing, the latest stable version is 2.2.21, so that is what I am using here.
    $cd /usr/local/src

    $wget http://apache.osuosl.org//httpd/httpd-2.2.21.tar.gz
  2. Extract the downloaded archive.

    $tar -xvzf httpd-2.2.21.tar.gz
  3. Change to the newly extracted directory.

    $cd httpd-2.2.21
  4. Configure the source. Many options are available here, for example "--prefix=/usr/local" (installs Apache inside that directory) or "--with-apxs=/path/to/apxs/binary" (apxs must be installed separately if it is not already there). For the full list of options, run "./configure --help". Here I am using only the prefix option, to keep things simple.

    $ ./configure --prefix=/etc/httpd/
  5. Build the configured source.

    $make
  6. Finally, install the built package.

    $make install

If no errors were encountered during the ./configure, make and make install steps, Apache is now installed on your machine.

2. Configuration
By default, Apache serves web files from /var/www/html. To change that location and add domain names, follow the steps below.

1. Edit the file /etc/httpd/conf/httpd.conf

2. Uncomment the line:
NameVirtualHost *
(This enables name-based virtual hosting in Apache, which lets you serve multiple domain names from a single IP address.)

3. Now add a separate virtual host entry at the end of httpd.conf for each domain name you need to create. An entry looks like the following:

<VirtualHost *>
ServerName mytestdomain.com
ServerAlias www.mytestdomain.com
DocumentRoot /home/mytest/public_html
</VirtualHost>

Note: 192.168.1.2 is the IP address to which the domain points.
ServerName: the name of the domain.
ServerAlias: alternate names that serve the same content (usually www.domainname).
DocumentRoot: the directory from which the web files are served.

There are many more configuration options available for Apache, but here I have covered only the basic ones needed to create a domain.
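As an added example (my code, not from the post), a small Python checker for the httpd.conf pattern described above: it parses the VirtualHost blocks and flags the mistakes that make name-based hosting on Apache 2.2 fail quietly, such as a VirtualHost address with no matching NameVirtualHost line or one hostname claimed by two blocks. The configuration fragment is constructed for the demo, and the check assumes each VirtualHost address is written exactly as in the NameVirtualHost line.

```python
import re

# Constructed httpd.conf fragment for the demo; the second block deliberately
# uses a bare IP address that the NameVirtualHost line above does not cover.
SAMPLE_CONF = """\
NameVirtualHost *

<VirtualHost *>
ServerName mytestdomain.com
ServerAlias www.mytestdomain.com
DocumentRoot /home/mytest/public_html
</VirtualHost>

<VirtualHost 192.168.1.2>
ServerName other.example
DocumentRoot /home/other/public_html
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NAMEVH_RE = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.M | re.I)


def parse_vhosts(conf: str) -> list:
    """Return one dict per <VirtualHost> block with its address, ServerName,
    ServerAlias list and DocumentRoot (None/empty when a directive is absent)."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        vhost = {"address": addr.strip(), "ServerName": None,
                 "ServerAlias": [], "DocumentRoot": None}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) != 2 or parts[0].startswith("#"):
                continue  # blank line, comment, or directive without an argument
            key, value = parts[0], parts[1].strip()
            if key in ("ServerName", "DocumentRoot"):
                vhost[key] = value
            elif key == "ServerAlias":
                vhost["ServerAlias"] += value.split()
        vhosts.append(vhost)
    return vhosts


def check_vhosts(conf: str) -> list:
    """Flag what makes name-based hosting fail quietly on Apache 2.2:
    a VirtualHost address with no NameVirtualHost line (Apache treats it as
    IP-based, so only the first such block for that address is ever served),
    a block missing ServerName or DocumentRoot, and one hostname claimed by
    two blocks (the first one wins). Addresses are compared as written."""
    name_addrs = {a.strip() for a in NAMEVH_RE.findall(conf)}
    problems, claimed = [], {}
    for vhost in parse_vhosts(conf):
        addr = vhost["address"]
        if addr not in name_addrs:
            problems.append(f"<VirtualHost {addr}> has no matching NameVirtualHost; it will be IP-based")
        if not vhost["ServerName"]:
            problems.append(f"<VirtualHost {addr}> lacks ServerName")
        if not vhost["DocumentRoot"]:
            problems.append(f"<VirtualHost {addr}> lacks DocumentRoot")
        names = ([vhost["ServerName"]] if vhost["ServerName"] else []) + vhost["ServerAlias"]
        for name in names:
            if name in claimed:
                problems.append(f"{name} is claimed by <VirtualHost {claimed[name]}> "
                                f"and <VirtualHost {addr}>; the first wins")
            else:
                claimed[name] = addr
    return problems


if __name__ == "__main__":
    for problem in check_vhosts(SAMPLE_CONF) or ["no problems found"]:
        print(problem)
```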

Sunday, September 4, 2011

(could mean shell command ended by signal 127 (Unknown signal 127)) from command: /usr/bin/php exim filter

This error means that Exim is delivering the queue as the nobody user (Exim does this for security) and that user has no write access to certain files the script uses, in most cases the log files inside the script directory.

An easy fix is to give full permission (chmod 777) to the log files, or whatever other files the script writes to, so that the Exim queue runner can write to them. The narrower alternative is to grant write access only to the user Exim runs as (for example through group ownership and mode 660) rather than to everyone.

chmod 777 /path/to/logs/of/script

Saturday, August 6, 2011

make servername remote in sendmail in ubuntu

In some cases, mail for the server's own hostname needs to be handled by a remote server. Let the server name be test.com. If you send a mail from the test.com server itself (from the backend or through a PHP mailer) via sendmail to user@test.com, sendmail will try to deliver it locally on that server rather than to the actual mail server, and delivery fails. In that case, what I did was the following; hope this helps you.

I checked /etc/mail/local-host-names and made sure that the server name (test.com) is not there. Then I did the following:

1. Open /etc/mail/sendmail.mc
vi /etc/mail/sendmail.mc

2. Add the following at the end:
define(`MAIL_HUB', `test.com.')dnl
define(`LOCAL_RELAY', `test.com.')dnl

3. Run the following command to apply the changes:
sendmailconfig

Restart the sendmail service. After this I was able to send mail to the remote mail server fine.

Thursday, August 4, 2011

backup automation script in linux

Sorry for the inconvenience, but the link broke and you won't be able to download the script. I will be updating this soon with an improved version at a new location.

You can download this script by clicking here.
Description:
When executed, this script generates a customized script file according to your backup needs; you then only need to run that generated file from your cronjob for your backup process. On execution, you will be asked a series of questions, from which the final script is generated.
This will also display the line that you need to enter into your cronjob, so all you have to do is:
1. Open cronfile.
crontab -e
2. Paste the cron line that is displayed at the end of executing this script.

PS: cronscript.sh is the name of customized script that is generated at the end of execution and will be stored where you are executing this script. If you change its location after that, change the path in cron entry as well.

Requirements:
1. The ncftp package is needed if you are going to use FTP for remote backups. You can install it using yum.
yum install ncftp*

2. If you are using ssh for backup, make sure that you connect at least once from the source machine to the backup machine over ssh. This avoids the extra (host key) prompt when the cron script connects to the remote machine.

That's all for now. Enjoy!!

Tuesday, August 2, 2011

no mysql_check in nagios plugins ubuntu

1. apt-get install libmysqlclient15-dev
2. Now recompile nagios plugins with mysql plugin.
./configure --with-mysql
make
make install

Now check the folder /usr/local/nagios/libexec/ or wherever you had installed nagios and you will find check_mysql plugin required for checking mysql service.

how to detect servername as remote domain for mailing by sendmail

In some cases, mail for the main hostname is handled by a remote mail server, but sendmail detects the hostname as a local domain, so mail sent from the server to that hostname is treated as local. To fix this, follow these steps:

Before doing so, make sure the MX records of the hostname resolve to the remote mail server. You can check this with:
dig mx hostname.com

1. Open /etc/mail/sendmail.cf
vi /etc/mail/sendmail.cf

2. Make the following change:

O DontProbeInterfaces=False

3. Save the file and restart sendmail

/etc/init.d/sendmail restart

Now mails to the hostname from the server will be relayed remotely.

Monday, August 1, 2011

trouble installing vlc in ubuntu 11.04 natty version

If you encounter problems while installing the vlc player in Ubuntu 11.04, just do the following as a speedy solution:

1. Open /etc/apt/sources.list in your favorite editor:

nano /etc/apt/sources.list

2. Add the following entry at the bottom of the file:

deb http://ubuntu.mirror.cambrium.nl/ubuntu/ natty main

3. apt-get update

4. apt-get install vlc mozilla-plugin-vlc

And you are done! Now right click on any video files and select "open with" and then select vlc from the list. Enjoy :)

vlc : Depends: vlc-nox (= 1.1.9-1ubuntu1) but it is not going to be installed natty

This is quite a nasty error when trying to install vlc player in ubuntu.

If you encounter this problem while installing vlc in Ubuntu 11.04, the fix is the one described in the post above: add the natty mirror line to /etc/apt/sources.list, run apt-get update, and install vlc mozilla-plugin-vlc.

This error took a lot of headaches and finally I succeeded in installing vlc in this way.

create ssh-keypair using putty-gen in windows

If you don't have puttygen, Download putty-gen utility from this link

You can also view the list of puttygen for various OS distros here

1. Download puttygen
2. Run the downloaded software.
3. You will be presented with the following window:

4. Click the "Generate" button. You will need to keep the mouse moving over the blank area to generate the random key. You will see the following:
5. Save the private key. (You do not need to enter a passphrase if you don't want to type one each time you log in to the server with this key.) Note the location where you save the key and give it a suitable name; the extension will be .ppk.

6. Save the public key. No extension is needed. The contents of this file are the same as what is highlighted under "Public key for pasting into OpenSSH authorized_keys file".

7. Now copy the contents of this public key into the proper location in the server into which you are logging into. The location should be as follows:

/root/.ssh/authorized_keys (if you need to login as root into the server)
or
/home/user/.ssh/authorized_keys (if you need to login as "user". /home/user is the home directory of the user and it can vary. if there is no .ssh directory inside the home dir of the user, then just create one and create the file authorized_keys inside it).

And you are done.

Now you can connect to the server using putty and the private key in your local machine using the following steps:

1. Run putty (not puttygen). You can get putty.exe from the link here
2. As shown in the pic, expand "SSH" and select "Auth" in the left pane. Click "Browse" button and select the previously saved private key.

3. Now select "session" from the left pane and fill in the server IP address and ssh port and click on "Open" button.
PS: ensure that there are no default login names by clicking on "Data" option under the section "Connection" in the left pane.

You are done. Enjoy!

create ssh-key pair for key based authentication

For windows users:
To generate ssh keypair using puttygen in windows, follow my guide here.

For linux users:

This guide assumes that key based authentication is already enabled in the server. If you are a server admin, you can follow the guide here to set it up. If you are an end user, just confirm with your server provider whether key based authentication is enabled in ssh.

1. Create a key pair in local machine using the following command:

ssh-keygen -t rsa

Just press enter to save the key pair in the default location. For root user, it will be /root/.ssh and for any other user, it will be /home/user/.ssh (assuming /home/user is the home dir of user)

You do not need to enter any pass-phrase during key creation, or else you will be asked to enter pass-phrase each time you login with key.

You now have two keys inside the .ssh directory: id_rsa and id_rsa.pub.
id_rsa.pub is the public key and needs to be put on the server.

2. Assign proper permission.
chmod 600 .ssh/id_rsa

3. copy the contents of id_rsa.pub into the file '/root/.ssh/authorized_keys' in the server to which you need to connect (if you need to connect as root user) or '/home/user/.ssh/authorized_keys' if you need to connect as "user".
(IMP: if there is no .ssh folder in your user's home directory, create one)

scp .ssh/id_rsa.pub user@serverip:~user/.ssh/temp.pub

4. Now login to the server and copy the contents of id_rsa.pub into the file authorized_keys.

ssh user@serverip
cat .ssh/temp.pub >> .ssh/authorized_keys

And you are done. Just logout and then simply login using the normal ssh command and you won't be prompted for a password.

Note: if you didn't save the private key in the default location, just use -i flag along with ssh command and specify the location of private key file.

ssh -i /test/id_rsa root@serverip

Note: In some cases, you need to add the private key to ssh-agent after generating it. For that, issue the following command on your local machine after generating the key pair.
ssh-add .ssh/id_rsa
.ssh/id_rsa is the private key path and may vary according to the way you saved them.
If you experience an error when issuing the above command, it can be rectified by issuing the following command:

eval `ssh-agent`
and then
ssh-add .ssh/id_rsa

ssh-add Error:'Could not open a connection to your authentication agent'

If you see this error, just use the following command to export the value of ssh-agent.

eval `ssh-agent`

227 Entering Passive Mode. ftp: connect: Connection refused vsftp

For vsftpd, you need to set the following in the configuration file /etc/vsftpd/vsftpd.conf.

Open the conf file in your favorite editor and set the following:

#(xx.xx.xx.xx is the server's public IP)
pasv_address=xx.xx.xx.xx
pasv_min_port=60000
pasv_max_port=65000

Save the file and restart vsftpd.
/etc/init.d/vsftpd restart

Now open ports 60000 to 65000 in your server firewall. For an AWS instance, you can do this through the "Security Group" in the AWS console.

Friday, July 29, 2011

Shell script to clean semaphores

Semaphores are used to prevent multiple processes from accessing a critical piece of code at the same time and thereby corrupting shared data. The fields in a semaphore are:

count: initial value of 1, which means only one process can access this resource at any given time. When a process acquires the resource, the count is decreased; when it is finished with the resource, the count is increased.

waking: The number of processes waiting for this resource to become free and thereby waiting for awakening.

wait queue: processes waiting for this resource are assigned to this queue.

lock: buzz lock used when waking field is accessed.

PS: The download link mentioned below is not working now. I will update the location soon with the script.
You can download the one line script to clean semaphores here

Grant executable privilege to the file and then run.

chmod u+x cleansema.sh

Script to delete mysql procs sleeping

The following shell script will eliminate mysql sleeping processes.

PS: The download link mentioned below is not working . I will soon update the location with the script.
You can download the script here

Grant exec privilege to the script and then run.

chmod u+x mysqlprocdel
./mysqlprocdel

Thursday, July 28, 2011

no mysql_check in nagios plugins

If there is no check_mysql plugin after compiling and installing the nagios plugins, you can follow the steps below:

For redhat, centos
1. Install mysql-devel in the server.
yum install mysql-devel
2. Now recompile nagios plugins with mysql plugin.
./configure --with-mysql
make
make install

For Debian,ubuntu:
For Debian and ubuntu distros, you can follow the guide here.


Now check the folder /usr/local/nagios/libexec/ or wherever you had installed nagios and you will find check_mysql plugin required for checking mysql service.

configure: error: not found. Please provide a path to MagickWand-config or Wand-config program

Usually this error occurs when the ImageMagick library is not available on the server. As a result, you will also be unable to install imagick support for PHP on the server. Follow the steps below to fix it.

1. cd /usr/local/src
2. Get the complete imagemagick library. You can get it from http://www.imagemagick.org/script/download.php
ex: wget ftp://mirror.aarnet.edu.au/pub/imagemagick/ImageMagick-6.6.7-10.tar.gz
3. tar -xvzf ImageMagick-6.6.7-10.tar.gz (or the version/distro you downloaded).
4. cd ImageMagick-6.6.7-10 (or the version/distro you downloaded).
5. ./configure
6. make
7. make install

And you are done! You can now install imagick or whatever app that needs this library without any error. Enjoy :)

Wednesday, July 27, 2011

how to connect filezilla using keybased authentication

Here you will be using sftp in filezilla to connect using a key. This guide assumes that key based authentication is already enabled in the server(confirm with your server provider if you are not an admin) and you have generated key pair in your local machine. If not, you can follow my guide here to generate a key pair.

Now you will have your private key file in your machine and the public key in the server to which you will be connecting. So the next job is to configure filezilla to use private key to connect to server. You can follow below shown steps for that:

1. open Filezilla and go to Edit >> Settings.

2. Click on the option "SFTP" in the left window pane. Click on "Add Key" button in the right pane and then select the private key in your machine(if it is inside .ssh folder, you can use the "search" option in the new window and enter .ssh in the field, after selecting the home directory). The default location will be .ssh/id_rsa as mentioned in my other guide specified in the link above.

3. Once the key is added, simply close it and take "File" >> "Site manager" in Filezilla and then click "New site".

4. Enter server ip/hostname in "Host" field, ssh port in "port" field, Protocol as "SFTP-SSH File Transfer Protocol", Logon type as "Normal", username in "User" field and leave the password field empty.

5. Now simply click "connect" to get connected without needing to enter the password.

Feel free to post if you have any doubts.

Tuesday, July 26, 2011

how to setup ssh using key based authentication

First you need to enable key-based authentication on the server. Edit /etc/ssh/sshd_config on the server and uncomment the following entries:

=======
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
=======

restart ssh service
/etc/init.d/sshd restart

Now in your client machine create ssh key pair using the following commands

1. ssh-keygen -t rsa

Just press enter when prompted for a passphrase, as we do not want to type one during key-based authentication.

This will provide you a key pair and the default location will be:

if you are root user in client machine:
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub

if you are a user in client machine:
/home/user/.ssh/id_rsa
/home/user/.ssh/id_rsa.pub

2. Assign proper permission to the id_rsa (private key) file.
chmod 600 /root/.ssh/id_rsa
or
chmod 600 /home/user/.ssh/id_rsa

3. Now paste the contents of id_rsa.pub into /root/.ssh/authorized_keys on the server if you need to log in as root, or into .ssh/authorized_keys inside the user's home directory on the server (generally /home/user/) if you need to log in as that user. (Inside a user's home directory you will most probably need to create the .ssh folder and the file inside it; for root, the .ssh folder is usually there by default.)

That's it! You can now log in to the server without a password by simply issuing:

ssh root@serverip

Note: In some cases, you need to add the private key to ssh-agent after generating it. For that, issue the following command on your local machine after generating the key pair.
ssh-add .ssh/id_rsa
.ssh/id_rsa is the private key path and may vary according to the way you saved them.
If you experience an error when issuing the above command, it can be rectified by issuing the following command:

eval `ssh-agent`
and then
ssh-add .ssh/id_rsa
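Step 3 here and steps 3 and 4 of the "create ssh-key pair for key based authentication" post above both append id_rsa.pub to authorized_keys by hand. As an added example (my code, not the post's), this Python helper does the same append without duplicating a key and then checks the server-side modes that sshd's default StrictModes setting enforces (nothing group- or world-writable on the home directory, .ssh or authorized_keys). The key line is a constructed sample and the demo runs in a throwaway directory.

```python
import os
import stat
import tempfile


def install_authorized_key(home: str, pubkey: str) -> dict:
    """Append one OpenSSH public key line to <home>/.ssh/authorized_keys, creating
    the directory and file if needed, skipping a key that is already present, and
    enforcing the modes sshd expects (0700 on .ssh, 0600 on authorized_keys)."""
    pubkey = pubkey.strip()
    if not pubkey or pubkey.startswith("-----") or "\n" in pubkey:
        # A PEM block (i.e. the private key) or several lines is not one public key line
        raise ValueError("expected exactly one OpenSSH public key line")
    ssh_dir = os.path.join(home, ".ssh")
    auth_file = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs' mode is subject to umask, so set it explicitly
    existing = []
    if os.path.exists(auth_file):
        with open(auth_file) as fh:
            existing = [line.strip() for line in fh if line.strip()]
    added = pubkey not in existing
    if added:
        with open(auth_file, "a") as fh:
            fh.write(pubkey + "\n")
    os.chmod(auth_file, 0o600)
    return {"added": added, "keys": len(existing) + (1 if added else 0),
            "dir_mode": stat.S_IMODE(os.stat(ssh_dir).st_mode),
            "file_mode": stat.S_IMODE(os.stat(auth_file).st_mode)}


def check_strict_modes(home: str) -> list:
    """List what sshd's StrictModes (on by default) rejects before it will use
    authorized_keys: a home directory, .ssh directory or authorized_keys file
    that is writable by group or others. Returns [] when everything is fine."""
    ssh_dir = os.path.join(home, ".ssh")
    problems = []
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            problems.append(f"{path}: missing")
            continue
        if mode & 0o022:
            problems.append(f"{path}: mode {mode:04o} is group/world writable")
    return problems


def demo() -> dict:
    """Run the whole flow in a throwaway home directory with a constructed key."""
    home = tempfile.mkdtemp(prefix="sshdemo-")
    # Constructed sample; the base64 body is not a real key.
    key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedSampleKeyBody user@laptop"
    first = install_authorized_key(home, key)
    second = install_authorized_key(home, key)      # same key again: must not be duplicated
    clean = check_strict_modes(home)
    os.chmod(os.path.join(home, ".ssh", "authorized_keys"), 0o666)  # the classic mistake
    loose = check_strict_modes(home)
    return {"first": first, "second": second, "clean": clean, "loose": loose}


if __name__ == "__main__":
    print(demo())
```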

Wednesday, July 13, 2011

Upgrading opennms to version 1.9.8

The unstable version has its own bugs, but at times we need it, as it has a lot more features. I recently upgraded my opennms installation from 1.8.12-1 to 1.9.8. I had to go through a heck of a lot of problems during the upgrade; my app went down and at some point I thought it would become useless. But I finally managed to upgrade it without any problems, so I am noting down the steps I took to make this upgrade work properly.

Backup your existing installation files and database (just in case)
1. copy the "etc" folder in your opennms installation.
tar -C $OPENNMS_HOME -cvzf /root/opennmsback/opennms-etc-backup.tar.gz etc
2. Create a database backup
pg_dump -U postgres -Fc -C -f /root/opennmsback/opennms-database-backup.pg opennms

Upgrading to the latest version
1. Download the yum repo RPM for the opennms version suitable for your distro from http://yum.opennms.org/
cd /usr/src
wget http://yum.opennms.org/repofiles/opennms-repo-unstable-rhel5.noarch.rpm

2. Remove the current repo RPM (this is important; I didn't do this the first time and was totally screwed, which is how I learned my mistake and got it working).
rpm -e `rpm -qa | grep opennms-repo`
rpm -ivh opennms-repo-unstable-rhel5.noarch.rpm (this depends on the repo file you downloaded)

3. yum update opennms (updates opennms and resolves dependencies)

4. /opt/opennms/bin/install -dis

5. /etc/init.d/opennms restart

Login to the admin web interface and check the version from admin >> system information.


PS:
In case you need to restore the database, delete the existing DB, create a new one and then restore:

dropdb -U postgres opennms
createdb -U postgres opennms

postgres backup and restore command

You can back up a postgres database using the following command (test is the database name):

pg_dump -U postgres -Fc -f /backupdir/test.pgsql.gz test

Similarly the backup file can be restored using the following command:

pg_restore -U postgres -Fc -d test /backupdir/test.pgsql.gz

Tuesday, July 12, 2011

SEVERE: Error initializing endpoint java.net.BindException: Permission denied:80

This error occurs when you try to start Tomcat as a non-root user. On Linux/Unix systems, all ports below 1024 are privileged and reserved, and can be opened only by root.
There is a workaround: the service's ports must be changed to something above 1024, but you can make that change transparent to end users with iptables NAT. So do the following to keep everything working normally while still running the Tomcat app as an ordinary user.

Solution:

1. edit conf/server.xml and change http port from 80 to 8080 and https port from 443 to 8181.

2. Now start the service as the required user and verify that it is listening:
netstat -lpan |grep 8080
netstat -lpan |grep 8181

3. Now that the service is up, make it reachable in the browser on the normal ports, so that users never see the actual ports. Use NAT for that: the following iptables rules redirect traffic arriving on 80 and 443 to 8080 and 8181 respectively.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8181

And you are all done: the service runs as an ordinary user on the higher ports, but to end users it looks the same as on the normal ports :)


Friday, July 8, 2011

227 Entering Passive Mode ftp: connect: Connection timed out proftp service

Sometimes (especially on an Amazon instance, where internal IP mapping is used), when you connect over FTP to a domain created on the server, you will most likely hit an "ls command timed out" problem when listing files after logging in.

The workaround is to add the following to the proftpd.conf file:
MasqueradeAddress xx.xx.xx.xx
PassivePorts 60000 65000

xx.xx.xx.xx is the external IP address.

After this, if you are using amazon instance, login to aws console and then edit "Security Group" corresponding to that instance and open incoming tcp ports 60000 - 65000.

Now connect using ftp and issue ls command and it will work fine. enjoy!

Note for the curious: how to work out the random passive port that is being used.

After connecting to FTP and listing a directory, you will see a line similar to the one below (values will differ):
Entering Passive Mode (71,7,231,187,192,32)

The first four numbers are the IP address of the server, here 71.7.231.187.
The last two are used to calculate the passive port currently in use. Using the example above:
passive port = 192*256 + 32
Here 192 is the second-to-last number and 32 is the last; 256 is a fixed multiplier used in the calculation.
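As an added example (not part of this post or the vsftpd one above), here is the calculation above in Python, extended into a check for the failure both posts describe: parse the 227 reply, compute the port, and report whether the advertised address is an internal one that pasv_address / MasqueradeAddress should have replaced and whether the port falls inside the range opened in the firewall. The replies are constructed samples and the range defaults to the posts' 60000-65000.

```python
import re
from ipaddress import IPv4Address

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": four address octets, then the
# data port as two bytes. All replies used below are constructed samples.
PASV_RE = re.compile(r"227[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple:
    """Return (ip, port) from a 227 reply; port = p1*256 + p2 as in the post."""
    match = PASV_RE.search(reply)
    if match is None:
        raise ValueError(f"not a 227 Entering Passive Mode reply: {reply!r}")
    nums = [int(x) for x in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("address octets and port bytes must be 0..255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def check_pasv(reply: str, public_ip: str, port_range: tuple = (60000, 65000)) -> list:
    """Explain why the client's data connection would fail, given the address the
    server is reached at and the passive port range opened in the firewall.
    Returns [] when the reply is consistent with the posts' configuration."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != public_ip:
        hint = ""
        if IPv4Address(ip).is_private and not IPv4Address(public_ip).is_private:
            # The NAT'd internal address leaked out: pasv_address (vsftpd) or
            # MasqueradeAddress (proftpd) is missing or wrong.
            hint = " (internal address leaked; set pasv_address / MasqueradeAddress)"
        problems.append(f"server advertised {ip}, but it is reachable at {public_ip}{hint}")
    low, high = port_range
    if not low <= port <= high:
        problems.append(f"data port {port} is outside the opened range {low}-{high}")
    return problems


if __name__ == "__main__":
    print(parse_pasv("227 Entering Passive Mode (71,7,231,187,192,32)"))   # the post's example
    print(check_pasv("227 Entering Passive Mode (10,0,0,5,234,96)", "71.7.231.187"))
```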

Tuesday, May 24, 2011

how to set DKIM/Domain keys using dkimproxy in postfix

dkimproxy is an excellent tool to sign mail with both DomainKeys and DKIM in a single pass. Here are the steps I followed to install dkimproxy with postfix. The first part is common to all MTAs; the second part is specific to postfix, since that is what I used. Use the settings for your own MTA in the second part.


PART 1: Installing dkimproxy.


First you need to install the perl modules Mail::DKIM, Net::Server and Error. You can do this with the perl installer cpan. Issue the following commands:

cpan                      (you will be taken into the cpan shell)
cpan> install Mail::DKIM
cpan> install Net::Server
cpan> install Error

Now download and install the dkimproxy source from http://sourceforge.net/projects/dkimproxy/files/dkimproxy/1.3/dkimproxy-1.3.tar.gz/download (the -O below gives the file its proper name; otherwise wget saves the sourceforge redirect as a file called "download"):

wget -O dkimproxy-1.3.tar.gz http://sourceforge.net/projects/dkimproxy/files/dkimproxy/1.3/dkimproxy-1.3.tar.gz/download

tar -xvzf dkimproxy-1.3.tar.gz

cd dkimproxy-1.3

./configure --prefix=/usr/local/dkimproxy (Here I used this location)

make

make install


Part 2: Configuring dkim proxy and setting the environment.

Create a user dkim.

#useradd -d /usr/local/dkimproxy dkim

chown dkim:dkim /usr/local/dkimproxy -R


Now is the time to create private/public key pairs.


mkdir /usr/local/dkimproxy/keys

cd /usr/local/dkimproxy/keys

#openssl genrsa -out private.key 1024


#openssl rsa -in private.key -pubout -out public.key


Now you have a key pair: private.key and public.key.


The public key must be published in the DNS zone file of the domain. Take the contents of public.key, remove the PEM header and footer lines, join what remains into one long line and form a TXT record as shown below:


test._domainkey IN TXT "k=rsa; t=s; p=MHwwDQYJK ... OprwIDAQAB"

Here test is any selector name you choose that makes sense to you, and the value after p= is the public key. I have omitted part of the key here for brevity.

You can check that the key data in the zone file is valid by issuing the following command from any Linux machine:

#dig +trace txt test._domainkey.domain.tld

where domain.tld is the actual domain name.
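An added example (my code, not from the post or from dkimproxy) that automates the step above in Python: strip the PEM header and footer from public.key, build the selector._domainkey TXT record, and parse such a record back the way you would after running dig. It also splits the value into 255-character strings, which a zone file requires once the key is larger than the 1024-bit one generated above. The PEM used is a constructed stand-in, not a real key.

```python
import base64
import binascii
import re
import textwrap


def pem_to_b64(pem: str) -> str:
    """Drop the PEM header/footer of public.key and join the body into one line,
    checking that what remains really is base64 (catches copy/paste damage)."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as err:
        raise ValueError(f"public.key body is not valid base64: {err}")
    return body


def dkim_txt_strings(tags: dict) -> list:
    """Render 'k=v; k=v' and split it into pieces of at most 255 characters,
    the limit for a single character-string in a DNS TXT record."""
    data = "; ".join(f"{k}={v}" for k, v in tags.items())
    return [data[i:i + 255] for i in range(0, len(data), 255)]


def dkim_zone_record(pem: str, selector: str, strict: bool = True) -> str:
    """Build the zone-file line '<selector>._domainkey IN TXT "..." "..."'.
    strict=True emits the post's t=s flag (the signing domain must match exactly)."""
    tags = {"v": "DKIM1", "k": "rsa"}  # v= is recommended by RFC 6376 and must come first
    if strict:
        tags["t"] = "s"
    tags["p"] = pem_to_b64(pem)
    quoted = " ".join(f'"{s}"' for s in dkim_txt_strings(tags))
    return f"{selector}._domainkey IN TXT {quoted}"


def parse_dkim_record(line: str) -> dict:
    """Reverse of dkim_zone_record, usable on a dig answer line: the quoted
    strings are concatenated (the DNS rule), then split into tag=value pairs."""
    data = "".join(re.findall(r'"([^"]*)"', line))
    tags = {}
    for part in data.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def constructed_pem(nbytes: int) -> str:
    """A PEM-shaped stand-in for public.key (NOT a real RSA key; demo data only)."""
    body = base64.b64encode(bytes(i % 256 for i in range(nbytes))).decode()
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END PUBLIC KEY-----\n")


if __name__ == "__main__":
    # 162 bytes is roughly the DER size of a 1024-bit RSA public key
    record = dkim_zone_record(constructed_pem(162), "test")
    print(record)
    print(parse_dkim_record(record))
```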


Now we need to set up the outbound signing config file.

#cp /usr/local/dkimproxy/etc/dkimproxy_out.conf.example /usr/local/dkimproxy/etc/dkimproxy_out.conf

Edit /usr/local/dkimproxy/etc/dkimproxy_out.conf using your favorite editor and change the following settings:

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain domain.tld

# specify location of the private key
keyfile /usr/local/dkimproxy/keys/private.key

# specify the selector (i.e. the name of the key record put in DNS)
selector test

Now the configuration part is over and you can start the dkimproxy outbound signing using the following command:

/usr/local/dkimproxy/bin/dkimproxy.out --conf_file=/usr/local/dkimproxy/etc/dkimproxy_out.conf --user=dkim --group=dkim &

Part 3: Configuring postfix to use dkim to sign messages

Edit /etc/postfix/master.cf and paste the following:

##########
# submission port (587): authenticated mail is handed to the DKIM signing proxy on 10027
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

# service for sending messages TO the DKIM signing proxy
dksign unix - - n - 10 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls

# service for accepting messages FROM the DKIM signing proxy
127.0.0.1:10028 inet n - n - 10 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
###########

You are done! Run "/etc/init.d/postfix reload" to apply the changes to the postfix configuration.

Now mail sent via the submission port 587 will be signed with the appropriate DKIM and DomainKeys signatures!

PS: If you need to sign mail sent through port 25 as well, make sure the smtp service entry in master.cf carries the same content_filter option:

smtp inet n - n - - smtpd
  -o content_filter=dksign:[127.0.0.1]:10027


If you have any issues, feel free to comment.



Tuesday, April 26, 2011

Securing /tmp in linux

Securing /tmp is an important part of hardening a Linux system. Here is the general way to secure /tmp when it is not mounted as a separate partition:

1. Create a file inside /dev of the required size using the dd command. Here I am using 500MB.

cd /dev
dd if=/dev/zero of=tmpDSK bs=1024 count=500000

2. Format it with the required filesystem.

mkfs.ext3 /dev/tmpDSK

3. If you need to back up the current /tmp directory, do it with cp -rp. Then mount the newly created file /dev/tmpDSK on /tmp:

mount -o loop,noexec,nosuid,rw /dev/tmpDSK /tmp

4. Give /tmp the sticky bit and full permissions.

chmod 1777 /tmp

5. Create entries in /etc/fstab for mounting /tmp during boot process.

vim /etc/fstab

/dev/tmpDSK /tmp ext3 loop,noexec,nosuid,rw 0 0

Save the file.

That is it. You have now got a secured /tmp directory!
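As an added example (not from the post), a Python check a practitioner can run after these steps: it parses /proc/mounts (or an /etc/fstab line) and reports whether /tmp is a separate mount carrying the noexec and nosuid options set above. The mounts content in the block is constructed; nodev, which the post does not set, can be added to the required list as the docstring shows.

```python
# Constructed /proc/mounts content for the demo (not captured from a real host);
# /tmp here is the loop-mounted file from the post, with the options set in step 3.
MOUNTS_SAMPLE = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""


def parse_mounts(text: str) -> dict:
    """Map mount point -> (device, fstype, set of options). The first four
    fields are the same in /proc/mounts and /etc/fstab, so both can be fed in."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # blank line, comment, or something that is not a mount entry
        device, mountpoint, fstype, options = fields[:4]
        mountpoint = mountpoint.replace("\\040", " ")  # /proc/mounts escapes spaces as \040
        mounts[mountpoint] = (device, fstype, set(options.split(",")))
    return mounts


def check_tmp_hardening(text: str, mountpoint: str = "/tmp",
                        required: tuple = ("noexec", "nosuid")) -> list:
    """Report what is missing for the post's hardened /tmp: a separate mount
    carrying the required options. Pass required=("noexec", "nosuid", "nodev")
    to also insist on nodev. Returns [] when everything is in place."""
    mounts = parse_mounts(text)
    if mountpoint not in mounts:
        return [f"{mountpoint} is not a separate mount (it lives on the parent filesystem)"]
    _device, _fstype, options = mounts[mountpoint]
    return [f"{mountpoint} is mounted without {opt}" for opt in required if opt not in options]


if __name__ == "__main__":
    # On a real host, read the live mount table instead of the constructed sample.
    try:
        with open("/proc/mounts") as fh:
            live = fh.read()
    except OSError:
        live = MOUNTS_SAMPLE
    print(check_tmp_hardening(live) or ["/tmp is hardened"])
```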

Thursday, February 24, 2011

redirecting urls with special chars

I fiddled away a lot of time trying to figure out how to redirect URLs containing special characters, for example
http://www.test.com/index.php?page_id=13 to http://www.test.com/index.php?page_id=25, as every method I tried in .htaccess proved to be in vain.
Eventually I found a solution:
I used the following in .htaccess and it worked like a charm (the query string has to be matched with RewriteCond, because RewriteRule itself only sees the path):
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*&)?page_id=13(&.*)?$
RewriteRule ^index\.php$ http://www.test.com/index.php?page_id=25 [R=301,L]

Friday, January 21, 2011

Linux Boot process

When a machine is powered on, the processor looks for the BIOS, which is stored in permanent read-only memory.
When a Linux OS is installed on the system, the BIOS finds the MBR (512 bytes) in the first sector of the boot hard disk, and the MBR is loaded into memory.
The MBR contains the boot loader (LILO, GRUB), which takes up 446 bytes of the MBR's 512. Using the entries in the GRUB configuration file, the boot loader displays a boot menu so the user can make a choice (if there are multiple boot entries in grub.conf).

When the user selects a particular Linux OS, the boot loader (grub) loads the kernel corresponding to that boot entry using the instructions in its configuration file. Control is then passed to the kernel. The kernel mounts the root partition read-only, as described in the grub configuration file. It also loads the initrd image found at the path given in the grub config file, which is needed for booting the machine.

The kernel then starts the init process (/sbin/init), which becomes the parent of all processes. The PID of init is 1.

The following are invoked by init, in this order:

/etc/rc.d/rc.sysinit -- sets the path, checks filesystems, starts swapping etc. It initializes the system and remounts the root partition read-write.

/etc/inittab -- sets the default runlevel.

startup scripts from /etc/rc.d/rcx.d/ (x=0-6) -- start or stop the various services configured for the chosen runlevel.
