Server Circle - Ask questions about Servers and get answers from experts.
jimrippon's profile (873 points)

About: I have been working as a Network and Systems Administrator for over 10 years, on Linux and Windows and with a large variety of hardware, software and environments across a range of both public and private sector industries.
I have a firewall (shorewall) with two networks, one with public IP addresses and one behind a NAT with private addresses. A KVM server (Ubuntu 10.04) is attached to both networks via two bridged network cards. A VPS (a KVM virtual machine) on the KVM host has two virtual network interfaces, one attached to each of the networks. I want to be able to reach the server by each path: from the local private network and via the public IP from the Internet. Link to a picture: http://ubuntuone.com/0FGG30aIUK14CmCJLGcmXa
With this configuration I can reach the VPS using the private network and private address, and using the public address from the Internet, but not using the public address from the private network.

Gateway (gate)
    aw@gate:~$ route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    99.99.99.0      *               255.255.255.240 U     0      0        0 eth0
    99.99.98.128    *               255.255.255.128 U     0      0        0 eth2
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
    default         99.99.99.129    0.0.0.0         UG    100    0        0 eth2

KVM-host (magne)
    aw@magne:~$ ifconfig
    br0       Link encap:Ethernet  HWaddr 12:25:90:39:80:44
              inet addr:192.168.1.78  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: 2001:470:28:1ac:225:90ff:fe39:8044/64 Scope:Global
              inet6 addr: fe80::225:90ff:fe39:8044/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:81437 errors:0 dropped:0 overruns:0 frame:0
              TX packets:75378 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:10458872 (10.4 MB)  TX bytes:29451307 (29.4 MB)

    br1       Link encap:Ethernet  HWaddr 12:25:90:39:80:45
              inet6 addr: fe80::225:90ff:fe39:8045/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:477 errors:0 dropped:0 overruns:0 frame:0
              TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:45443 (45.4 KB)  TX bytes:468 (468.0 B)

    aw@magne:~$ route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.1.0     *               255.255.255.0   U     0      0        0 br0
    192.168.122.0   *               255.255.255.0   U     0      0        0 virbr0
    default         192.168.1.1     0.0.0.0         UG    100    0        0 br0

I have also tried with this:
    aw@magne:~$ route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    99.99.99.0      99.99.99.1      255.255.255.240 UG    100    0        0 br1
    192.168.1.0     *               255.255.255.0   U     0      0        0 br0
    192.168.122.0   *               255.255.255.0   U     0      0        0 virbr0
    default         192.168.1.1     0.0.0.0         UG    100    0        0 br0
I don't think the routing table on the bridged KVM host matters?

VPS (virtual machine, ask)
    aw@ask:~$ ifconfig
    eth0      Link encap:Ethernet  HWaddr 12:54:00:e1:b3:d7
              inet addr:192.168.1.185  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: 2001:470:28:1ac:5054:ff:fee1:b3d7/64 Scope:Global
              inet6 addr: fe80::5054:ff:fee1:b3d7/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:5549 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1941 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:675590 (675.5 KB)  TX bytes:214175 (214.1 KB)

    eth1      Link encap:Ethernet  HWaddr 12:54:00:2a:3a:dc
              inet addr:99.99.99.14  Bcast:99.99.99.15  Mask:255.255.255.240
              inet6 addr: fe80::5054:ff:fe2a:3adc/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2122 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1720 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:232251 (232.2 KB)  TX bytes:198017 (198.0 KB)
eth0 is bridged with br0 in VirtManager and eth1 with br1.
    aw@ask:~$ route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    99.99.99.0      *               255.255.255.240 U     0      0        0 eth1
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
    default         99.99.99.1      0.0.0.0         UG    10     0        0 eth1
    default         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
    aw@ask:~$

Machine on the Internet (embla)
    aw@embla:~$ ifconfig
    eth2      Link encap:Ethernet  HWaddr 12:30:48:88:31:b8
              inet addr:88.88.88.78  Bcast:88.88.88.79  Mask:255.255.255.248
              inet6 addr: fe80::230:48ff:fe88:31b8/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:5593116 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3947742 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:4262717553 (4.2 GB)  TX bytes:491960763 (491.9 MB)
              Interrupt:18

    aw@embla:~$ route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    88.88.88.72     *               255.255.255.248 U     0      0        0 eth2
    default         88.88.88.73     0.0.0.0         UG    100    0        0 eth2
    aw@embla:~$
    aw@embla:~$ ssh 99.99.99.14
    aw@99.99.99.14's password:
    (working)

Client on the local network (lian)
    aw@lian:~$ route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
    default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
    aw@lian:~$ ssh 192.168.1.185
    aw@192.168.1.185's password:
    aw@lian:~$ ssh 99.99.99.14
    (hangs)

I think lian and embla are correct and the error is to be found in gate, magne or ask. If ask has only one virtual ethernet interface, for example on br1, it works both from the Internet (embla) and from the local network (lian). I have fiddled with the metrics for the dual default route in ask without any luck. Any ideas?
Asked in: Linux-Servers  (1 answers)
jimrippon's response: My first observation is that you have two gateways configured on ask - you should only have one (on its public-side interface) - that being the route you want all external traffic to take out of the system. That is unlikely to solve the problem, I suspect, as I would think the issue you describe is being caused by the NAT rules on gate. I would think gate is performing NAT translation on traffic from your internal (192.168-net) network out to the internet but not to the 99-net interface (this may be easily configurable in your firewall interface, but I haven't used shorewall in approaching 10 years). You will need to either remove the internal (192.168-net) interface from ask or configure gate to NAT the requests coming from 192.168-net to 99-net in order for the communication to work between lian and ask's public 99-net address. Hope this helps, Jim
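As an added example (not from the question or from Jim's answer), this is what the second option in the answer, NAT on gate for 192.168-net traffic bound for the 99-net, looks like as raw iptables rules. It takes the subnets and interface names from the poster's routing table for gate (192.168.1.0/24 on eth1, 99.99.99.0/28 on eth0); the `IPTABLES` variable, the function name and the FORWARD accept rules are assumptions of mine. The point of source-NATting the request is symmetry: as posted, the request reaches ask on its 99-net interface from a 192.168-net source while ask's own route back to that source is its 192.168-net interface, and strict reverse-path filtering drops exactly that kind of packet. With the LAN client hidden behind gate's 99-net address, both directions pass through gate.

```shell
#!/bin/sh
# Hairpin NAT on the gateway "gate": LAN clients reaching the VPS's public
# address get source-NATted to gate's own address on the public subnet.
# Added example, not the original poster's or shorewall's configuration.
# Subnets/interfaces come from the poster's route table; the IPTABLES
# variable exists so the rule set can be dry-run (assumption). On a shorewall
# box the equivalent would normally go in shorewall's masq/snat file rather
# than being applied by hand, because shorewall rewrites the tables on restart.
IPTABLES="${IPTABLES:-iptables}"

LAN_NET="192.168.1.0/24"   # private side, behind NAT (gate eth1)
PUB_NET="99.99.99.0/28"    # public side, where the VPS has 99.99.99.14 (gate eth0)
PUB_IF="eth0"

# hairpin_nat_rules: emit the three rules; returns the status of the last call.
hairpin_nat_rules() {
    # Allow the forwarding path in case the FORWARD policy is DROP.
    "$IPTABLES" -A FORWARD -s "$LAN_NET" -d "$PUB_NET" -o "$PUB_IF" -j ACCEPT
    "$IPTABLES" -A FORWARD -s "$PUB_NET" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # MASQUERADE picks gate's address on eth0 automatically, so we do not have
    # to assume what it is. After this, ask sees a 99-net source and replies
    # via gate instead of straight over its own 192.168-net interface.
    "$IPTABLES" -t nat -A POSTROUTING -s "$LAN_NET" -d "$PUB_NET" -o "$PUB_IF" \
        -j MASQUERADE
}

# Usage: sh hairpin.sh apply   (as root). With no argument nothing is changed.
if [ "${1:-}" = "apply" ]; then
    hairpin_nat_rules
fi
```

To verify after applying, `iptables -t nat -L POSTROUTING -n -v` should show the MASQUERADE counter climbing while a LAN client connects to 99.99.99.14, and the connection should now complete from lian as well as from embla.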
Any suggestions for securely keeping 50 keys and being able to move them safely between hosts for backing them up?
Asked in: Linux-Servers  (3 answers)
jimrippon's response: Are these public keys or private keys? For public keys, you should be able to move them between systems with basic security in place - copy them using scp/sftp for example. The content of the public key is not a secret. If you are referring to private keys, I would suggest that rather than sharing the private key between hosts you accept more than one public key on the servers to which you are connecting - that or store your private keys on encrypted removable media and take them with you (that is assuming these keys are being used by a physical user). If these keys are being used by automated systems, you will probably want to look at transporting using encrypted removable media - systems such as TrueCrypt (http://www.truecrypt.org/) and GnuPG (http://www.gnupg.org/) are available which have mechanisms to allow you to do this. Linux shell commands that might be entered to use GPG to create a compressed, encrypted file containing a folder of keys might look like this:
    tar czvf ~/keydir.tar.gz /etc/keydir
    gpg -c ~/keydir.tar.gz -o /media/usbdrive/keydir.tar.gz.gpg
The gpg command will prompt you for a password which will be used as the encryption key. Once you reach your target system, decrypt the gpg file and extract like so:
    gpg /media/usbdrive/keydir.tar.gz.gpg -o ~/keydir.tar.gz
    cd /
    tar zxvf ~/keydir.tar.gz
You will need to have permissions to read/write to the relevant directories, and have the following relevant applications installed (they should be available from your system's package manager): tar, gzip, gpg/gnupg. Hope this helps, Jim
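The tar-then-gpg round trip above, written out as an added example (not Jim's commands) with the checks a practitioner would want around it: a restrictive umask so nothing created is group- or world-readable, a relative archive path so the extract can never write outside the chosen directory, the passphrase read from stdin rather than argv, and a checksum of the plaintext archive that is verified before anything is extracted. It assumes GNU tar, gpg 2.x (for `--pinentry-mode loopback`) and `sha256sum`; the function names and arguments are mine.

```shell
#!/bin/sh
# Move a directory of keys between hosts inside a symmetric-GPG archive.
# Added example, not the original answer's commands. Assumes GNU tar,
# gpg 2.x and sha256sum are installed.
umask 077   # files created here are readable by the owner only

# pack_and_encrypt SRC_DIR OUT_PREFIX
# Writes OUT_PREFIX.tar.gz.gpg and OUT_PREFIX.sha256 (checksum of the plain
# archive, so the receiving side can prove it got the archive that was packed).
# The passphrase is read from stdin, so it never shows up in "ps" output.
pack_and_encrypt() {
    src_dir=$1; out_prefix=$2
    tmp_tar=$(mktemp) || return 1
    # -C parent + basename keeps paths in the archive relative, unlike
    # "tar czvf x.tar.gz /etc/keydir" which records the absolute location.
    tar -C "$(dirname "$src_dir")" -czf "$tmp_tar" "$(basename "$src_dir")" \
        || { rm -f "$tmp_tar"; return 1; }
    sha256sum < "$tmp_tar" | cut -d' ' -f1 > "$out_prefix.sha256" \
        || { rm -f "$tmp_tar"; return 1; }
    gpg --batch --yes --symmetric --cipher-algo AES256 \
        --pinentry-mode loopback --passphrase-fd 0 \
        -o "$out_prefix.tar.gz.gpg" "$tmp_tar"
    rc=$?
    rm -f "$tmp_tar"
    return $rc
}

# decrypt_and_verify IN_PREFIX DEST_DIR
# Decrypts, compares the archive with the recorded checksum, and only then
# extracts under DEST_DIR (never "/"), so a wrong or tampered archive cannot
# overwrite the live /etc/keydir before you have looked at it.
decrypt_and_verify() {
    in_prefix=$1; dest_dir=$2
    tmp_tar=$(mktemp) || return 1
    gpg --batch --yes --decrypt --pinentry-mode loopback --passphrase-fd 0 \
        -o "$tmp_tar" "$in_prefix.tar.gz.gpg" || { rm -f "$tmp_tar"; return 1; }
    expected=$(cat "$in_prefix.sha256")
    actual=$(sha256sum < "$tmp_tar" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch: this is not the archive that was packed" >&2
        rm -f "$tmp_tar"
        return 2
    fi
    mkdir -p "$dest_dir" && tar -C "$dest_dir" -xzf "$tmp_tar"
    rc=$?
    rm -f "$tmp_tar"
    return $rc
}

# Usage (passphrase on stdin, e.g. typed at a prompt that does not echo):
#   sh keymove.sh pack   /etc/keydir /media/usbdrive/keydir
#   sh keymove.sh unpack /media/usbdrive/keydir /root/restored
case "${1:-}" in
    pack)   pack_and_encrypt "$2" "$3" ;;
    unpack) decrypt_and_verify "$2" "$3" ;;
esac
```

After `unpack` the keys sit under the restore directory with their original modes; copy them into place deliberately rather than extracting straight into `/`.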
What does the acronym PHP stand for ? Thank you for your help.
Asked in: Linux-Servers  (3 answers)
jimrippon's response: From the PHP FAQ (http://us.php.net/manual/en/faq.general.php): "PHP stands for PHP: Hypertext Preprocessor. This confuses many people because the first word of the acronym is the acronym. This type of acronym is called a recursive acronym."
I've just run nmap on a server that I know has some ports open it didn't find. Does IPtables hide ports completely ? TCP wrappers doesn't seem to.
Asked in: Server-Firewalls  (2 answers)
jimrippon's response: You can make ports disappear completely with iptables by sending packets to a DROP target. If you wish to, you can send to a REJECT target instead, which will reply with ICMP packets saying the port is blocked instead of looking like it's just not there.
I'm sure I used to know how to do this but can't remember.
Asked in: Ubuntu-Linux-Servers  (4 answers)
jimrippon's response: You can tell the CPU supports 64-bit (regardless of the system installed) by looking for the "lm" flag in /proc/cpuinfo - a quick one-liner that checks this for you could be as follows:
grep -e ^flags /proc/cpuinfo | head -1 | grep -q "lm" && echo "64-bit flags present" || echo "No 64-bit flags present"
I'm seeing this NTP error a lot on a server: Requested time correction of 1208 seconds exceeds sanity limit. You must set the clock manually to correct this. It's beginning to get tiresome. How can I workaround it ?
Asked in: Linux-Servers  (5 answers)
jimrippon's response: You can add the "iburst" option to your server lines in ntpd.conf to force the server to synchronise time when the service starts (very useful if your system is off for a while and the time slips too far), then keep up with the server, e.g.:
    server pool.ntp.org iburst
Hope this helps.
I use an NTP server (S300) in my company. But in the second half of every year our clock changes by about an hour. All of our servers use the NTP server to sync their time. I don't know how I can change the clock to an exact time so the new time will be used for 6 months. Please help if you can.
Asked in: Linux-Servers  (3 answers)
jimrippon's response: If your change of time is a Daylight Savings timezone change, you can achieve this automatically by setting the timezone on your systems. Most Linux distributions provide a method of doing this automatically, by either replacing or linking the file /etc/timezone. Windows also allows you to set the timezone. Your NTP server should always provide the correct time to your systems, they will then make the necessary adjustments themselves so that you are displayed the correct local time according to your timezone setting. Hope this helps.
I don't run IPtables on the server I'm posting about because there's a firewall in front of it but sometimes IPtables is very handy for just blocking an IP address. I'm looking for a quick (and temporary) banning script that will completely block inbound and outbound traffic to one IP address without locking me out of the server ! Can anyone help ? 100 points to you if you can. Thank you.
Asked in: Server-Firewalls  (2 answers)
jimrippon's response: It sounds like you're looking for something like this:
    #!/bin/bash
    #
    # blockip.sh
    #
    # Make sure we had an argument; the address to block is the first one
    if [ "$1" != "" ]; then
        iptables -I INPUT -s "$1" -j DROP
        iptables -I OUTPUT -d "$1" -j DROP
    else
        exit 255
    fi
Place that in a file (named in my example below /usr/local/bin/blockip.sh) and run as root:
    /usr/local/bin/blockip.sh 192.168.1.5
The inverse script - to unblock the IP - would look like this:
    #!/bin/bash
    #
    # unblockip.sh
    #
    # Make sure we had an argument; the address to unblock is the first one
    if [ "$1" != "" ]; then
        iptables -D INPUT -s "$1" -j DROP
        iptables -D OUTPUT -d "$1" -j DROP
    else
        exit 255
    fi
Hope this helps.
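The question asks for a ban that is temporary and cannot lock the administrator out, which the two-line script does not guard against. Here is an extended version as an added example (not Jim's script): it validates the argument so only a dotted-quad address reaches iptables, refuses to block the address of the current SSH session (taken from `SSH_CLIENT`, which sshd sets), and optionally schedules the removal after a number of seconds. The `IPTABLES` variable and the function names are my assumptions, there so the logic can be dry-run without root.

```shell
#!/bin/sh
# tmpblock.sh - temporarily drop all traffic to and from one IPv4 address.
# Added example, not the original answer's script. Assumes iptables, a POSIX
# "sleep"/"nohup", and that sshd exports SSH_CLIENT for the lockout guard.
IPTABLES="${IPTABLES:-iptables}"   # assumption: overridable for dry runs

# is_ipv4 ADDR -> 0 only for a dotted quad with every octet <= 255.
# This is what keeps shell metacharacters out of the iptables command line.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_own_client ADDR -> 0 if ADDR is where this SSH session comes from.
is_own_client() {
    [ -n "${SSH_CLIENT:-}" ] && [ "${SSH_CLIENT%% *}" = "$1" ]
}

# block_ip ADDR [SECONDS]
# Inserts DROP rules at the top of INPUT and OUTPUT. With SECONDS > 0 a
# detached job removes the rules again after that long (the "temporary" part).
block_ip() {
    target=$1; ttl=${2:-0}
    is_ipv4 "$target" || { echo "not an IPv4 address: $target" >&2; return 2; }
    case "$ttl" in *[!0-9]*|"") echo "ttl must be whole seconds" >&2; return 2 ;; esac
    if is_own_client "$target"; then
        echo "refusing to block $target: it is this SSH session's client" >&2
        return 3
    fi
    "$IPTABLES" -I INPUT  -s "$target" -j DROP || return 1
    "$IPTABLES" -I OUTPUT -d "$target" -j DROP || return 1
    if [ "$ttl" -gt 0 ]; then
        # nohup + background: the unblock survives the admin logging out.
        nohup sh -c "sleep $ttl; $IPTABLES -D INPUT -s $target -j DROP; \
                     $IPTABLES -D OUTPUT -d $target -j DROP" >/dev/null 2>&1 &
    fi
    return 0
}

# unblock_ip ADDR -> removes the pair of rules block_ip inserted.
unblock_ip() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 2; }
    "$IPTABLES" -D INPUT  -s "$1" -j DROP || return 1
    "$IPTABLES" -D OUTPUT -d "$1" -j DROP
}

# Usage (as root):  tmpblock.sh block 192.168.1.5 3600   |  tmpblock.sh unblock 192.168.1.5
case "${1:-}" in
    block)   block_ip "$2" "${3:-0}" ;;
    unblock) unblock_ip "$2" ;;
esac
```

Because `-I` inserts at the top of the chain, the DROP takes effect even if later rules would accept the address; `iptables -L INPUT -n --line-numbers` shows what is currently blocked.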
I'm new to Fedora. Where does it save the IPtables rule sets ? I can only find these files ! /etc/init.d/iptables and /sbin/iptables Thanks for any help.
Asked in: Fedora-Linux-Servers  (4 answers)
jimrippon's response: Fedora's iptables init script stores the iptables-save configuration in /etc/sysconfig/iptables. You can save and reload changes you make using the iptables tools by using the init script like so:
    service iptables save
    service iptables restart
Also take a look at /etc/sysconfig/iptables-config - it's well commented, and you can set options such as save on stop, which would automatically save any changes when you shut down/reboot your system.
Are there production experiences with Dummynet (the alternative to iptables) ported from BSD ? I've read that it's really good but not ready for production. Thanks !
Asked in: Server-Firewalls  (2 answers)
jimrippon's response: From what I can see, Dummynet is not a firewall - it is a network/protocol simulation and testing tool that allows you to do things such as throttle/rate-limit certain types of traffic, load-balance traffic, implement queueing on traffic etc. It does not appear to have traditional firewalling capabilities. The most established port of a BSD Firewall to Linux that I have come across is IPFW (this is used alongside Dummynet in many implementations judging from my brief net trawl). If what you are looking for is a nice interface with which to configure your system firewall I would suggest you are better off sticking with NetFilter (IPTables) as this is built into the core of a Linux kernel and explore the available tools for managing it:
  • FWBuilder: http://www.fwbuilder.org
  • Firestarter: http://www.fs-security.com/
  • GUFW (if you are using ubuntu): http://gufw.tuxfamily.org/
I've heard of http://www.amanda.org and rsync. Can anyone recommend any other backup software for Linux ? Thank you.
Asked in: Linux-Servers  (3 answers)
jimrippon's response: I have used Bacula (http://www.bacula.org) to some effect in the past - might be worth considering. Have to admit, I have since moved to amanda so can recommend that from my experience.
How can I make sure root definitely can't login? Thanks.
Asked in: Linux-Servers  (5 answers)
jimrippon's response: You have some options depending on how stringently you want to prevent root logins. To prevent someone connecting via ssh as root, set the PermitRootLogin option to "No" in your /etc/ssh/sshd_config file:
    PermitRootLogin no
If you are sure that you will only ever log into the system directly as root from its console, you can modify the file /etc/securetty and remove any virtual console lines, leaving only "console" and "tty0" type lines - bear in mind that the line "console" may not be your login prompt at boot, as multiple tty sessions will be spawned and you will be presented with one of these even when locally connected to the machine. On its own that may achieve what you are looking for, but there are other measures you can take to further lock down the root account. You should also consider making sure normal users cannot use the su command to become root - this can be done by restricting su access to members of the wheel group as described here: http://www.cyberciti.biz/tips/restrict-the-use-of-su-command.html The next thing to do is to check that sudoers is not going to allow users to elevate their privileges to do things they shouldn't - there is lots of good documentation around on configuring sudo - such as "man 8 visudo" and "man 5 sudoers" or google. Sudo is a very versatile and granular way to assign administrative tasks to users and keep your root account restricted, I strongly suggest you use this to provide maintenance permissions. Finally, you have the option of renaming the root account - this is not much of a deterrent for any determined attacker, especially if they can gain access to your box as another user, and may invalidate some or all of the measures mentioned already.
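Once the sshd_config and /etc/securetty changes above are made, the useful follow-up is a check that reports whether they actually took. The functions below are an added example (not part of Jim's answer) that read copies of those two files; the paths are arguments and the function names are mine. The parsing rules are sshd's documented ones: the first occurrence of a keyword wins, keywords are case-insensitive, `keyword value` and `keyword = value` are both accepted, and anything after a `Match` line applies only inside that block, so the global setting must be found before it.

```shell
#!/bin/sh
# Audit helpers for "can root still log in?" - added example, not from the
# original answer. Both functions take a file path so they can be run against
# copies; the decision rules follow sshd_config(5) as described in the lead-in.

# permit_root_login CONFIG
# Prints the effective global PermitRootLogin value (lower-cased), or "unset"
# when the file leaves it to the compiled-in default. Since that default has
# changed between OpenSSH versions, "unset" is itself something to fix.
permit_root_login() {
    awk '
        {
            line = tolower($0); gsub(/=/, " ", line)
            n = split(line, f)
            if (n == 0 || f[1] ~ /^#/) next          # blank or comment
            if (f[1] == "match") exit                 # global section is over
            if (f[1] == "permitrootlogin") { print f[2]; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# securetty_extra_lines SECURETTY
# Prints every non-comment entry other than "console" and "tty0", i.e. every
# terminal on which root would still be allowed to log in directly.
securetty_extra_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Evx 'console|tty0' || true
}

# root_login_report SSHD_CONFIG SECURETTY -> returns 0 only if both look hardened
root_login_report() {
    prl=$(permit_root_login "$1")
    extra=$(securetty_extra_lines "$2")
    status=0
    case "$prl" in
        no) echo "sshd: PermitRootLogin no (ok)" ;;
        *)  echo "sshd: PermitRootLogin is '$prl' (root may still log in over ssh)"
            status=1 ;;
    esac
    if [ -n "$extra" ]; then
        echo "securetty: root still allowed on: $(printf '%s' "$extra" | tr '\n' ' ')"
        status=1
    else
        echo "securetty: only console/tty0 entries (ok)"
    fi
    return $status
}

# Usage: sh rootcheck.sh  (defaults to the live files; both are world-readable)
if [ "${1:-}" = "run" ]; then
    root_login_report /etc/ssh/sshd_config /etc/securetty
fi
```

Run it after `service ssh reload` (or the distribution's equivalent); a `PermitRootLogin` that only appears inside a `Match` block is reported as `unset` on purpose, because it does not apply globally.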
Can I forward requests to port 80 to port 8080 with SSH ? Or how should I do it if not ?
Asked in: Linux-Servers  (2 answers)
jimrippon's response: Forwarding in SSH is achieved with the -L option like so:
    ssh -L 127.0.0.1:80:127.0.0.1:8080 user@host
This would open an SSH tunnel as "user" to the remote host named "host" and forward traffic to 127.0.0.1 port 80 locally to address 127.0.0.1 port 8080 on "host". If you want to access the local end from other machines on your network, you would need to change the first 127.0.0.1 to the IP address they will be connecting to on port 80. SSH, however, is not what I would choose to do port forwarding (unless secure traffic across the link or network restrictions require it) - for this I would normally lean towards setting up a Destination NAT in IPTables:
    iptables -t nat -I PREROUTING -p tcp -d 127.0.0.1 --dport 80 -j DNAT --to-destination 127.0.0.1:8080
Alternatively, if you are using Apache already, you might look into using mod_rewrite to send the user to the correct port as described in this post: http://bit.ly/l3QAIs - you could even use Apache with mod_rewrite to proxy your requests.
I'm very new to RAID and think I should probably have it running to protect data on my Ubuntu Server. I've done a bit of reading already. What RAID level should I use and how do I do it ?
Asked in: Ubuntu-Linux-Servers  (2 answers)
jimrippon's response: This would depend on your requirements and expectations of creating a RAID array. To protect data, your choices are twofold:
  • Raid 1 (mirror) with a hot spare
  • Raid 5 across all three drives
With Raid 1 you write identical data to two drives simultaneously. As you have three disks, you would either use the third to store data outside your protected RAID or leave it ready as a hot spare - in case one of the other drives fails, it would automatically become the second member of the RAID mirror. With Raid 5 you write data across all three disks, with a rough ratio of 2 parts data to 1 part parity all shared between all drives. As you only have three drives, your array would be unusable should one drive fail until you replaced it and the array was rebuilt on the newly replaced drive.
I know this is probably a basic question but how do I know when each server needs to be patched with security updates ? Where is the config for the email address etc ? Thank you.
Asked in: Debian-Linux-Servers  (1 answers)
jimrippon's response: What you are looking for is a package called apticron: http://www.debian-administration.org/articles/491 The instructions above will take you through the basic installation and configuration - it will run on a schedule and check for any available updates, then email you at the address you configured for your root user (at the end of /etc/aliases) with a list of available updates. You should look at the file /etc/apticron/apticron.conf once installed - you can configure a different email address here, amongst many other options such as changing the email subject line, hiding packages that are on hold, show only new packages since the last check etc.
I'm really struggling with this PHP and MySQL coding:
    $result = mysql_query("SELECT ...") or die(mysql_error());
    while ($array = mysql_fetch_array($result)) {
        $result = mysql_query("SELECT ...") or die(mysql_error());
        $detail = mysql_fetch_array($result);
        $result = mysql_query("SELECT ...") or die(mysql_error());
        $user = mysql_fetch_array($result);
        print("$user[2]");
    }
The while loop only outputs one entry ... WHY ?!!!! Can anyone please help ? I'll offer 50 of my points (and I think you get 50 points for a best answer too). Thanks.
Asked in: OtherProgramming  (2 answers)
jimrippon's response: My suspicion is that you are re-using the same result variable, so your original query's results are overwritten with each subsequent result. Try re-naming your variables like so:
    $result = mysql_query("SELECT ...") or die(mysql_error());
    while ($array = mysql_fetch_array($result)) {
        $detailresult = mysql_query("SELECT ...") or die(mysql_error());
        $detail = mysql_fetch_array($detailresult);
        $userresult = mysql_query("SELECT ...") or die(mysql_error());
        $user = mysql_fetch_array($userresult);
        print("$user[2]");
    }
How do I set up round robin DNS ? I don't really understand DNS but I think www.domain.com only has one IP address attached to it. How can DNS have more than one IP address for www.domain.com ? Thank you.
Asked in: DNS-Servers  (1 answers)
jimrippon's response: This is achieved in one of two ways in normal cases:
1) Multiple DNS entries: You can have a number of A records - these pair a domain name with a single IP address - or CNAME records - these point a domain name to a different A record (this allows you to have one entry to change if a single IP address is hosting a number of domains). With this method, when you perform a DNS query you will see a number of IP addresses returned:
    [jim@d620fedora ~]$ nslookup www.google.co.uk 8.8.8.8
    Server:         8.8.8.8
    Address:        8.8.8.8#53

    Non-authoritative answer:
    www.google.co.uk        canonical name = www.google.com.
    www.google.com          canonical name = www.l.google.com.
    Name:   www.l.google.com
    Address: 209.85.229.99
    Name:   www.l.google.com
    Address: 209.85.229.147
    Name:   www.l.google.com
    Address: 209.85.229.104
2) You have a dynamic DNS server: Some DNS servers (for example the Zeus Global Load Balancer) can respond differently based on an intelligent algorithm. This could be a number of things - the least loaded server, the closest server to your IP's global location etc. In this case, you would normally see fewer addresses in your lookup but they may change depending on where you are or what load is on the servers you are accessing.
Which RSS feeds or mailing lists should I be subscribed to for keeping an eye out for Ubuntu security updates and other problems with a specific Ubuntu server ? Thank you for your guidance.
Asked in: Ubuntu-Linux-Servers  (5 answers)
jimrippon's response: It's worth also having apticron installed on your Ubuntu server - it will email you available updates on a schedule that you can define. A good quick start FAQ is available here: http://www.cyberciti.biz/faq/apt-get-apticron-send-email-upgrades-available/
Is it possible to create a rule that will drop traffic on a string being present in a packet ? It would save me lots of work !
Asked in: Server-Firewalls  (1 answers)
jimrippon's response: There is a string-matching module in iptables on most current distributions of Linux. From the output of "man iptables":
    string
        This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
        --algo {bm|kmp}
            Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
        --from offset
            Set the offset from which it starts looking for any matching. If not passed, default is 0.
        --to offset
            Set the offset up to which should be scanned. That is, byte offset-1 (counting from 0) is the last one that is scanned. If not passed, default is the packet size.
        [!] --string pattern
            Matches the given pattern.
        [!] --hex-string pattern
            Matches the given pattern in hex notation.
So, to block based on a string:
    iptables -t raw -A PREROUTING -m string --algo bm --string "badstring" -j DROP
Is this the way to do this ? I can't find any documentation unfortunately. Can anybody help please ?
Asked in: Server-Firewalls  (2 answers)
jimrippon's response: You can certainly use NAT to forward requests for one IP address to another. This will do so transparently from the client's perspective. To do so you place rules in the NAT table chains (PREROUTING, FORWARD and POSTROUTING). In my example below, you redirect all requests going to 8.8.8.8 (one of Google's DNS servers) to an internal address 192.168.1.20:
    iptables -t nat -A PREROUTING -d 8.8.8.8 -j DNAT --to-destination 192.168.1.20
    iptables -t nat -A POSTROUTING -s 192.168.1.20 -j SNAT --to-source 8.8.8.8
You can read more about NAT at linux-ip.net here: http://linux-ip.net/html/ch-nat.html
Is there a way to make users change their password every three months ? I can't find it. Thank you.
Asked in: Ubuntu-Linux-Servers  (1 answers)
jimrippon's response: The thing you are looking for is the "chage" command. To force a user (barry in my example below) to change their password every 90 days, and warn them 10 days before it expires, you would do the following:
    chage -M 90 -W 10 barry
If you run chage with no options, it should enter interactive mode and prompt you for the options:
    chage barry
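Applying that `chage -M 90 -W 10` line to one user is easy; the part that needs care on a shared server is choosing which accounts it applies to, since expiring a system account's password can break a service. The script below is an added example (not from Jim's answer): it selects the human accounts from a passwd file (UID at or above 1000, not `nobody`, and a real login shell) and runs chage on each. The passwd path and the `CHAGE` variable are parameters of mine so the selection can be tested on a copy; the thresholds are the ones from the answer.

```shell
#!/bin/sh
# Apply a 90-day password lifetime with a 10-day warning to every ordinary user.
# Added example, not part of the original answer. Assumes the usual Linux
# /etc/passwd layout with human accounts at UID >= 1000 and system accounts
# given a nologin/false shell; UID_MIN is the value from /etc/login.defs.
CHAGE="${CHAGE:-chage}"    # assumption: overridable so the run can be dry
MAX_DAYS=90
WARN_DAYS=10
UID_MIN=1000

# human_users PASSWD_FILE -> one login name per line for accounts a person
# actually logs into: UID >= UID_MIN, not nobody (65534), interactive shell.
human_users() {
    awk -F: -v min="$UID_MIN" '
        $3 >= min && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }
    ' "$1"
}

# apply_password_aging PASSWD_FILE
# Runs chage for every human user; returns non-zero if any call failed,
# so a partially applied policy does not go unnoticed.
apply_password_aging() {
    failures=0
    for user in $(human_users "$1"); do
        "$CHAGE" -M "$MAX_DAYS" -W "$WARN_DAYS" "$user" || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Usage (as root): sh pwage.sh apply   then verify one account with: chage -l barry
if [ "${1:-}" = "apply" ]; then
    apply_password_aging /etc/passwd
fi
```

The script only changes existing accounts; to give the same lifetime to accounts created later, set `PASS_MAX_DAYS` and `PASS_WARN_AGE` in /etc/login.defs as well, which is where useradd reads its defaults.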
I can't figure it out. Can someone help me please ?
Asked in: CentOS-Linux-Servers  (3 answers)
jimrippon's response: You don't say how you want to stop these pings, but essentially there are two parts to a ping: an ICMP Echo Request and ICMP Echo Response. These two are ICMP Type 8 and ICMP Type 0 respectively. To block incoming echo requests (when someone pings your machine, ignore it):
    iptables -I INPUT -p icmp --icmp-type 8 -j DROP
If you are acting as a router/firewall for a network, you would place this in the FORWARD table:
    iptables -I FORWARD -p icmp --icmp-type 8 -j DROP
It is generally a sensible idea to drop any unsolicited responses, so I would have the following in my INPUT table:
    iptables -A INPUT -p icmp --icmp-type 0 -m state ! --state RELATED,ESTABLISHED -j DROP
Any suggestions for securely keeping 50 keys and being able to move them safely between hosts for backing them up?
Asked in: Linux-Servers  (3 answers)
jimrippon's response: Are these public keys or private keys? For public keys, you should be able to move them between systems with basic security in place - copy them using scp/sftp for example. The content of the public key is not a secret. If you are referring to private keys, I would suggest that rather than sharing the private key between hosts you accept more than one public key on the servers to which you are connecting - that or store your private keys on encrypted removable media and take them with you (that is assuming these keys are being used by a physical user). If these keys are being used by automated systems, you will probably want to look at transporting using encrypted removable media - systems such as trucrypt (http://www.truecrypt.org/) and gnupg (http://www.gnupg.org/) are available which have mechanisms to allow you to do this. Linux shell commands that might be entered to use GPG to create a compressed, encrypted file containing a folder of keys might look like this: tar czvf ~/keydir.tar.gz /etc/keydir gpg -c ~/keydir.tar.gz -o /media/usbdrive/keydir.tar.gz.gpg The gpg command will prompt you for a password which will be used as the encryption key. Once you reach your target system, decrypt the gpg file and extract like so: gpg /media/usbdrive/keydir.tar.gz.gpg -o ~/keydir.tar.gz cd / tar zxvf ~/keydir.tar.gz You will need to have permissions to read/write to the relevant directories, and have the following relevant applications installed (they should be available from your system's package manager): tar gzip gpg/gnupg Hope this helps, Jim
I've just run nmap on a server that I know has some ports open it didn't find. Does IPtables hide ports completely ? TCP wrappers doesn't seem to.
Asked in: Server-Firewalls  (2 answers)
jimrippon's response: You can make ports disappear completely with iptables by sending packets to a DROP target. If you wish to, you can send to a REJECT target instead which will reply with icmp packets saying the port is blocked instead of looking like its just not there.
I don't run IPtables on the server I'm posting about because there's a firewall in front of it but sometimes IPtables is very handy for just blocking an IP address. I'm looking for a quick (and temporary) banning script that will completely block inbound and outbound traffic to one IP address without locking me out of the server ! Can anyone help ? 100 points to you if you can. Thank you.
Asked in: Server-Firewalls  (2 answers)
jimrippon's response: It sounds like you're looking for something like this: #!/bin/bash # # blockip.sh # # Make sure we had an argument if [ "$1" != "" ]; then iptables -I INPUT -s $blocktarget -j DROP iptables -I OUTPUT -d $blocktarget -j DROP else return 255 fi Place that in a file (named in my example below /usr/local/bin/blockip.sh) and run as root: /usr/local/bin/blockip.sh 192.168.1.5 The inverse script - to unblock the IP - would look like this: #!/bin/bash # # unblockip.sh # # Make sure we had an argument if [ "$1" != "" ]; then iptables -D INPUT -s $blocktarget -j DROP iptables -D OUTPUT -d $blocktarget -j DROP else return 255 fi Hope this helps.
Are there production experiences with Dummynet (the alternative to iptables) ported from BSD ? I've read that it's really good but not ready for production. Thanks !
Asked in: Server-Firewalls  (2 answers)
jimrippon's response: From what I can see, Dummynet is not a firewall - it is a network/protocol simulation and testing tool that allows you to do things such as throttle/rate-limit certain types of traffic, load-balance traffic, implement queueing on traffic etc. It does not appear to have traditional firewalling capabilities. The most established port of a BSD Firewall to Linux that I have come across is IPFW (this is used alongside Dummynet in many implementations judging from my brief net trawl). If what you are looking for is a nice interface with which to configure your system firewall I would suggest you are better off sticking with NetFilter (IPTables) as this is built into the core of a Linux kernel and explore the available tools for managing it:
  • FWBuilder: http://www.fwbuilder.org
  • Firestarter: http://www.fs-security.com/
  • GUFW (if you are using ubuntu): http://gufw.tuxfamily.org/
I've heard of http://www.amanda.org and rsync. Can anyone recommend any other backup software for Linux ? Thank you.
Asked in: Linux-Servers  (3 answers)
jimrippon's response: I have used Bacula (http://www.bacula.org) to some effect in the past - might be worth considering. Have to admit, I have since moved to amanda so can recommend that from my experience.
Can I forward requests to port 80 to port 8080 with SSH ? Or how should I do it if not ?
Asked in: Linux-Servers  (2 answers)
jimrippon's response: Forwarding in SSH is achieved with the -L option like so: ssh -L 127.0.0.1:80:127.0.0.1:8080 user@host this would open an SSH tunnel as "user" to remote host named "host" and forward traffic to 127.0.0.1 port 80 locally to address 127.0.0.1 port 8080 on "host". If you want to access the local end from other machines on your network, you would need to change the first 127.0.0.1 for your IP address they will be connecting to on port 80. SSH, however, is not what I would choose to do port forwarding (unless secure traffic across the link or network restrictions require it) - for this I would normally lean towards setting up a Destination NAT in IPTables: iptables -t nat -I PREOUTING -p tcp -d 127.0.0.1 --dport 80 -j DNAT --to-destination 127.0.0.1:8080 Alternatively, if you are using Apache already, you might look into using mod_rewrite to send the user to the correct port as described in this post: http://bit.ly/l3QAIs - you could even use apache with mod_rewrite to proxy your requests.
I know this is probably a basic question but how do I know when each server needs patched with security updates ? Where is the config for the email address etc ? Thank you.
Asked in: Debian-Linux-Servers  (1 answers)
jimrippon's response: What you are looking for is a package called apticron: http://www.debian-administration.org/articles/491 The instructions above will take you through the basic installation and configuration - it will run on a schedule and check for any available updates, then email you at the address you configured for your root user (at the end of /etc/aliases) with a list of available updates. You should look at the file /etc/apticron/apticron.conf once installed - you can configure a different email address here, amongst many other options such as changing the email subject line, hiding packages that are on hold, show only new packages since the last check etc.
I'm really struggling with this PHP and MYSQL coding:

    $result = mysql_query("SELECT ...") or die(mysql_error());
    while ($array = mysql_fetch_array( $result )) {
        $result = mysql_query("SELECT ...") or die(mysql_error());
        $detail = mysql_fetch_array($result);
        $result = mysql_query("SELECT ...") or die(mysql_error());
        $user = mysql_fetch_array($result);
        print ("$user[2]");
    }

The while loop only outputs one entry ... WHY ?!!!! Can anyone please help ? I'll offer 50 of my points (and I think you get 50 points for a best answer too). Thanks.
Asked in: OtherProgramming  (2 answers)
jimrippon's response: My suspicion is that you are re-using the same result variable, so your original query's results are overwritten with each subsequent result. Try re-naming your variables like so:

    $result = mysql_query("SELECT ...") or die(mysql_error());
    while ($array = mysql_fetch_array( $result )) {
        $detailresult = mysql_query("SELECT ...") or die(mysql_error());
        $detail = mysql_fetch_array($detailresult);
        $userresult = mysql_query("SELECT ...") or die(mysql_error());
        $user = mysql_fetch_array($userresult);
        print ("$user[2]");
    }
How do I set up round robin DNS ? I don't really understand DNS but I think www.domain.com only has one IP address attached to it. How can DNS have more than one IP address for www.domain.com ? Thank you.
Asked in: DNS-Servers  (1 answers)
jimrippon's response: This is achieved in one of two ways in normal cases:

1) Multiple DNS entries: You can have a number of A records - these pair a domain name with a single IP address - or CNAME records - these point a domain name to a different A record (this allows you to have one entry to change if a single IP address is hosting a number of domains). With this method, when you perform a DNS query you will see a number of IP addresses returned:

    [jim@d620fedora ~]$ nslookup www.google.co.uk 8.8.8.8
    Server:         8.8.8.8
    Address:        8.8.8.8#53

    Non-authoritative answer:
    www.google.co.uk        canonical name = www.google.com.
    www.google.com  canonical name = www.l.google.com.
    Name:   www.l.google.com
    Address: 209.85.229.99
    Name:   www.l.google.com
    Address: 209.85.229.147
    Name:   www.l.google.com
    Address: 209.85.229.104

2) You have a dynamic DNS server: Some DNS servers (for example the Zeus Global Load Balancer) can respond differently based on an intelligent algorithm. This could be a number of things - the least loaded server, the closest server to your IP's global location etc. In this case, you would normally see fewer addresses in your lookup but they may change depending on where you are or what load is on the servers you are accessing.
Is is possible to create a rule that will drop traffic on a string being present in a packet ? It would save me lots of work !
Asked in: Server-Firewalls  (1 answers)
jimrippon's response: There is a string-matching module in iptables on most current distributions of Linux. From the output of "man iptables":

    string
        This modules matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
        --algo {bm|kmp}
            Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
        --from offset
            Set the offset from which it starts looking for any matching. If not passed, default is 0.
        --to offset
            Set the offset up to which should be scanned. That is, byte offset-1 (counting from 0) is the last one that is scanned. If not passed, default is the packet size.
        [!] --string pattern
            Matches the given pattern.
        [!] --hex-string pattern
            Matches the given pattern in hex notation.

So, to block based on a string:

    iptables -t raw -A PREROUTING -m string --algo bm --string "badstring" -j DROP
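As an added illustration of the match semantics quoted above (not code from the post or from iptables itself), this Python model applies the --string, --hex-string and --from/--to options to constructed packet payloads. The packet contents and the pattern "badstring" are made-up test data; the split-packet case shows that the match is evaluated one packet at a time, which is why this module is a coarse filter rather than a substitute for a stream-aware inspector.

```python
"""Added example (not from the post): emulate the semantics of the iptables
'string' match on constructed packet payloads, including the --from/--to byte
window and the --hex-string notation, to show what the rule in the answer
would and would not drop."""


def parse_hex_string(pattern):
    """Decode iptables --hex-string notation, e.g. '|62 61 64|string': text
    between pipes is hex bytes, everything else is literal."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return bytes(out)


def string_match(payload, pattern, frm=0, to=None):
    """True if pattern occurs inside payload[frm:to]. As the man page says,
    byte to-1 is the last one scanned and the default window is the packet."""
    end = len(payload) if to is None else to
    return pattern in payload[frm:end]


def apply_drop_rule(packets, pattern, frm=0, to=None):
    """Verdict of '-m string --string PATTERN -j DROP' for each (name, payload)."""
    return {name: ("DROP" if string_match(p, pattern, frm, to) else "ACCEPT")
            for name, p in packets}


# Constructed payloads; the last two carry the string split across two packets.
PACKETS = [
    ("hit",     b"GET /index.php?q=badstring HTTP/1.1\r\n"),
    ("clean",   b"GET /index.php?q=fine HTTP/1.1\r\n"),
    ("split_a", b"GET /index.php?q=bads"),
    ("split_b", b"tring HTTP/1.1\r\n"),
]


def demo(frm=0, to=None):
    """Run the DROP rule for 'badstring' over PACKETS with an optional window."""
    return apply_drop_rule(PACKETS, b"badstring", frm, to)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} {verdict}")
    # Limiting the scan window with --to 20 lets the 'hit' packet through.
    print("hit with --to 20:", demo(to=20)["hit"])
```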
Is this the way to do this ? I can't find any documentation unfortunately. Can anybody help please ?
Asked in: Server-Firewalls  (2 answers)
jimrippon's response: You can certainly use NAT to forward requests for one IP address to another. This will do so transparently from the client's perspective. To do so you place rules in the NAT table's chains (PREROUTING, FORWARD and POSTROUTING). In my example below, you redirect all requests going to 8.8.8.8 (one of Google's DNS servers) to an internal address 192.168.1.20:

    iptables -t nat -A PREROUTING -d 8.8.8.8 -j DNAT --to-destination 192.168.1.20
    iptables -t nat -A POSTROUTING -s 192.168.1.20 -j SNAT --to-source 8.8.8.8

You can read more about NAT at linux-ip.net here: http://linux-ip.net/html/ch-nat.html
Is there a way to make users change their password every three months ? I can't find it. Thank you.
Asked in: Ubuntu-Linux-Servers  (1 answers)
jimrippon's response: The thing you are looking for is the "chage" command. To force a user (barry in my example below) to change their password every 90 days, and warn them 10 days before it expires, you would do the following:

    chage -M 90 -W 10 barry

If you run chage with no options, it should enter interactive mode and prompt you for the options:

    chage barry
I can't figure it out. Can someone help me please ?
Asked in: CentOS-Linux-Servers  (3 answers)
jimrippon's response: You don't say how you want to stop these pings, but essentially there are two parts to a ping: an ICMP Echo Request and an ICMP Echo Response. These two are ICMP Type 8 and ICMP Type 0 respectively. To block incoming echo requests (when someone pings your machine, ignore it):

    iptables -I INPUT -p icmp --icmp-type 8 -j DROP

If you are acting as a router/firewall for a network, you would place this in the FORWARD table:

    iptables -I FORWARD -p icmp --icmp-type 8 -j DROP

It is generally a sensible idea to drop any unsolicited responses, so I would have the following in my INPUT table:

    iptables -A INPUT -p icmp --icmp-type 0 -m state ! --state RELATED,ESTABLISHED -j DROP
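The following is an added Python model of the three rules above, not code from the post or from netfilter: it builds constructed ICMP echo packets with valid checksums, classifies Type 8 and Type 0, and keeps just enough state to show why the RELATED,ESTABLISHED test lets a reply to our own request through while dropping an unsolicited one. The assumption that replies are paired with requests by the echo identifier is a simplification of conntrack's ICMP tracking; the identifiers and sequence numbers used are made up.

```python
"""Added example (not from the post): a small model of the three rules in the
answer, run over constructed ICMP echo packets. Replies are paired with
outstanding requests by echo id, a simplification of conntrack's ICMP state."""
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
HDR = "!BBHHH"          # type, code, checksum, identifier, sequence


def checksum(data):
    """RFC 1071 ones-complement checksum over data (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, ident, seq, payload=b""):
    """Build an ICMP echo packet with a valid checksum (constructed test data)."""
    body = struct.pack(HDR, icmp_type, 0, 0, ident, seq) + payload
    return struct.pack(HDR, icmp_type, 0, checksum(body), ident, seq) + payload


def parse_icmp(pkt):
    icmp_type, code, _, ident, seq = struct.unpack(HDR, pkt[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "csum_ok": checksum(pkt) == 0}   # a valid packet sums to zero


class EchoFilter:
    def __init__(self):
        self.outstanding = set()      # echo ids this host has sent and awaits

    def outbound(self, pkt):
        """Record our own echo requests so matching replies count as ESTABLISHED."""
        hdr = parse_icmp(pkt)
        if hdr["type"] == ECHO_REQUEST:
            self.outstanding.add(hdr["id"])

    def inbound(self, pkt):
        hdr = parse_icmp(pkt)
        if hdr["type"] == ECHO_REQUEST:   # -p icmp --icmp-type 8 -j DROP
            return "DROP"
        if hdr["type"] == ECHO_REPLY:     # --icmp-type 0 ! --state RELATED,ESTABLISHED -j DROP
            return "ACCEPT" if hdr["id"] in self.outstanding else "DROP"
        return "ACCEPT"                   # other ICMP types are not covered by the three rules
```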
© 2013 Server Circle