|
||||||
Starting the DB2 control center on LinuxThis procedure describes how to start the DB2® control center on Linux®. To start the DB2 control center, perform the following steps:
People looking to create a load balanced web server solution often ask, how can they keep their web servers in sync with each other? There are many ways to go about this: NFS, lsync, rsync, etc. This guide will discuss a technique using rsync that runs from a cron job every 10 minutes. There will be two different options presented, pulling the updates from the master web server, and pushing the updates from the master web server down to the slave web servers. Our example will consist of the following servers:
Our master web server is going to the single point of truth for the web content of our domain. Therefore, the web developers will only be modifying content from the master web server, and will let rsync handle keeping all the slave nodes in sync with each other. There are a few prerequisites that must be in place: To be proactive about monitoring the status of the rsync job, both scripts posted below allow you to perform a http content check against a status file to see if the string “SUCCESS” exists. If something other then SUCCESS is found, that means that the rsync script may have failed and should be investigated. An example of this URL to monitor would be is: 192.168.1.1/datasync.status Please note that the assumption is being made that your web server will serve files that are placed in /var/www/html/. If not, please update the $status variable accordingly. Using rsync to pull changes from the master web server: This is especially useful if you are in a cloud environment and scale your environment by snapshotting an existing slave web server to provision a new one. When the new slave web server comes online, and assuming it already has the SSH key in place, it will automatically grab the latest content from the master server with no interaction needed by yourself except to test, then enable in your load balancer. The disadvantage with using the pull method for your rsync updates comes into play when you have multiple slave web servers all running the rsync job at the same time. This can put a strain on the master web servers CPU, which can cause performance degradation. However if you have under 10 servers, or if your site does not have a lot of content, then the pull method should work fine. Below will show the procedure for setting this up: 1. Create SSH keys on each slave web server: 2. Now copy the public key generated on the slave web server (/root/.ssh/id_dsa.pub) and append it to the master web servers, /root/.ssh/authorized_keys2 file. 3. Test ssh’ing in as root from the slave web server to the master web server 4. Assuming you were able to log in to the master web server cleanly, then its time to create the rsync script on each slave web server. Please note that I am assuming your sites documentroot’s are stored in /var/www/vhosts. If not, please change the script accordingly and test!
#!/bin/bash status=”/var/www/html/datasync.status” if [ -d /tmp/.rsync.lock ]; then /bin/mkdir /tmp/.rsync.lock if [ $? = “1” ]; then echo “===== Beginning rsync =====” nice -n 20 /usr/bin/rsync -axvz –delete -e ssh root@192.168.1.1:/var/www/vhosts/ /var/www/vhosts/ if [ $? = “1” ]; then echo “===== Completed rsync =====”
Be sure to set executable permissions on this script so cron can run it: Using rsync to push changes from the master web server down to slave web servers: Using rsync to push changes from the master down to the slaves also has some important advantages. First off, the slave web servers will not have SSH access to the master server. This could become critical if one of the slave servers is ever compromised and try’s to gain access to the master web server. The next advantage is the push method does not cause a serious CPU strain cause the master will run rsync against the slave servers, one at a time. The disadvantage here would be if you have a lot of web servers syncing content that changes often. Its possible that your updates will not be pushed down to the web servers as quickly as expected since the master server is syncing the servers one at a time. So be sure to test this out to see if the results work for your solution. Also if you are cloning your servers to create additional web servers, you will need to update the rsync configuration accordingly to include the new node. Below will show the procedure for setting this up: 1. To make administration easier, its recommended to setup your /etc/hosts file on the master web server to include a list of all the servers hostnames and internal IP’s.
2. Create SSH keys on the master web server: 3. Now copy the public key generated on the master web server (/root/.ssh/id_dsa.pub) and append it to the slave web servers, /root/.ssh/authorized_keys2 file. 4. Test ssh’ing in as root from the master web server to each slave web server 5. Assuming you were able to log in to the slave web servers cleanly, then its time to create the rsync script on the master web server. Please note that I am assuming your sites documentroot’s are stored in /var/www/vhosts. If not, please change the script accordingly and test!
#!/bin/bash webservers=(web01 web02 web03 web04 web05) if [ -d /tmp/.rsync.lock ]; then /bin/mkdir /tmp/.rsync.lock if [ $? = “1” ]; then for i in ${webservers[@]}; do echo “===== Beginning rsync of $i =====” nice -n 20 /usr/bin/rsync -avzx –delete -e ssh /var/www/vhosts root@$i:/var/www/vhosts if [ $? = “1” ]; then echo “===== Completed rsync of $i =====”;
Be sure to set executable permissions on this script so cron can run it: Now that you have the script in place and tested, its now time to set this up to run automatically via cron. For the example here, I am setting up cron to run this script every 10 minutes. If using the push method, put the following into the master web servers crontab:
If using the pull method, put the following onto each slave web servers crontab:
How to install squid proxy on centos 6 Squid is a proxy server for caching and filtering web content . Squid proxy is used by various organisation and internet providers to reduce bandwidth and to increase response time . Squid proxy service will cache the requested web-content and re-using it for the further request of the same content. Steps to install and configure a perfect squid proxy server in Linux. This configuration Should work on all rpm based distributions(Redhat,CentOS,Fedora,etc.) Step1: Install squid packages first Step2: Edit the squid’s configuration file “squid.conf” located in /etc/squid/ #In 18th line add your proxy client network(if 192.168.10.1 to 255) and a name for network (here netusers is acl name) #In the 51st line, allow internet access to above specified network range # in the 64th line (remove # if present), and change port number if required #Add the below 3 lines to the bottom of file #Add the below line to bottom add (hide IP address) #Add below line to bottom(add your visible hostname) #(now save the squid.conf file) Step3: start squid daemon Then verify the port 3128 is open Configure firewall: Step4: In the allowed clients(192.168.10.1 to 192.168.10.255) Configure web browser’s proxy settings to use the proxy server for internet access. Configuring Squid as Transparent Proxy squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. An intercepting proxy (also known as a “transparent proxy“) combines a proxy server with a gateway. Connections made by client browsers through the gateway are redirected through the proxy without client-side configuration (or often knowledge). So the client never realize and don’t have to configure the client machine to use the proxy, but they are using it. You can configure squid as transparent proxy. Squid normally listens to port 3128 and replace with The most important line is: “http_port 3128 intercept” : This line means, Squid proxy run as transparent proxy at port 3128. Later you need to edit the iptables to bypass every request/response connection through this port. Redirect the all HTTP traffic. If you would like to redirect the all HTTP traffic through the proxy without needing to set up a proxy manually in all your applications you will need to add some rules Example: Where eth1,eth0 are the LAN (eth1), WAN (eth0) devices and 192.168.10.1 (squid server IP) is the IP address of your LAN device. If you wish to monitor the performance of your proxy you can look as some log parser’s (sarg, calamaris, ect.) How to change Squid server default listening port Every network services has a particular port numbers. Same way the Squid proxy server will listen on port 3128/TCP by default. But you can change the listening port by editing the squid.conf file. And you should open the same port in squid servers firewall and in ip packet forwarding devices if required. Below is the way to change Squid listen port number. Go to 64th line if you are using squid version 3.0 or above. Now save the squid.conf file and restart squid server
How to open a port in squid server y default the following TCP port numbers are opened in squid proxy server. How to enable time based access restrictions in squid proxy server Sometimes you may need to enable a time based access restrictions in your squid server. Squid proxy can do this with “time” access list(ACL). All you need to create a “time” ACL with required time and dates from the week and apply with access restriction ACLs. Creating time ACL Configure the time based restrictions like below How to enable ftp access through squid proxy server Squid work as a http proxy with default configurations and will not process ftp requests from clients. You can configure squid as ftp proxy by editing the “squid.conf” configuration file in “/etc/squid/” directory. Save the squid.conf file Reload squid service with changes Use Internet explorer or firefox for ftp upload and download To access a ftp server use this way ftp://username:password@ipaddress:port (press enter) Block https sites in squid proxy here the post will show you how to block complete “http” and “https” facebook access in office times in your squid proxy server. eg: block https://www.facebook.com, https://twitter.com, and https://www.blogger.com. Create an acl with facebook domain (dstdomain) and deny both http and https access. Step1: Create a new acl with facebook.com twitter.com and blogger.com (Dont forget to add a dot (“.”) before facebook.com) Add the Configurations to squid.conf Create an acl for facebook domain (any required sites) Step2: Deny the above domain to connect via ssl connection (https) (save the squid.conf configuration file) Tips: The way to include multiple sites in one ACL How to block flash ads in squid proxy server Configure your Squid proxy server to block flash ads (advertisements) in websites. So squid server filter flash ads contents. acl flash_ads rep_mime_type application/x-shockwave-flash #2: Deny flash ads by denying the above acl (against any ipaddress acl) Now Save the squid.conf file 3: Reload squid service to take effect changes Important: Sometimes clearing the client browser’s cache/cookie is required.) Block Downloading File Types Like mp3, exe, zip, etc In Squid Squid server can block/deny downloading particular file types like pictures, musics, videos, executable files etc. This file content filtering in squid is based on the file extension types like .exe, .mp3, .avi, .jpeg, .torrent, .zip etc. Blocking file types in squid. First of all, create an ACL file includes all the file types to block downloading them. \.[Ee][Xx][Ee]$ #Block downloading exe executable files Then, edit the squid configuration file and add an ACL for above created acl file. (Add the above three lines and save the squid.conf file) Restart or reload squid server Verify the file type filtering/blocking by downloading any files from the Internet How to block utorrent application and torrent large file downloading in squid Utorrent application uses all the unregistered posts 1025-65535 with random selection method. So blocking all those port numbers will block the bulk file downloading with utorrent application. Edit the Squid.conf configuration file By default all the port numbers from 1025-65535 are configured as “Safe_ports” and allowed for browsing. And create a new ACL for the same port range just below the above line (with different acl name, like below) And deny browsing to the websites with denied port numbers (both normal and secure) # now save the squid.conf file Reload Squid server with new configuration. Verify Denying How to block a Web Browser in Squid proxy Blocking some web browsers is possible in squid proxy server. Squid can block all the requests from web browsers like Internet explorer, Chrome, Firefox, etc. Create an “acl” with the bad web browser types and finaly deny the access. Add all the below configurations to the Squid server configuration file “/etc/squid/squid.conf”. #Block Chrome in squid proxy #Deny the requests from chrome #Deny the requests from firefox #Deny the requests from chrome #Block Internet Explorer in squid proxy Many of you probably know about port scanning. It’s a very simple process, where essentially you attempt to to make a connection on several ports of several machines. If the port is closed, a reset is returned. If the port is open, a SYN+ACK is returned. Now, there are some other types of scans, such as a FIN scan, Xmas Tree scan, and a NULL scan. These basically work on the same principals of a SYN (normal) scan, but using some different TCP flags (ones that should never be seen in valid TCP connections). If you’d like, read up on the different types of scans here, which is also a good site to determine what type of reply you want to give the scanning host. It also shows how to perform the scans using NMap. So, most of the time, you want to just drop invalid packets, since the easiest way to deal with them is not to. However, you may wish to use REJECT here, since what the host does and does not return is part of the data collected. Being able to decide what to return could give you an edge over an attacker. If you return tcp-resets, then you can make an attacker (or more likely a bot) think that all the ports on the host are closed. Different operating systems also respond differently to the various stealth scans, so be mindful of that as well. I wrote some simple firewall rules to detect, log, and block (either with a tcp-reset or just dropping the packet entirly. This script was made to run on top of an existng firewall. ## IPTables rules for detecting and blocking several different scans ## Note on Rule Order – since these are Inserts (designed to be easily plugged into ## TCP Null Scan ## TCP Fin Scan ## TCP Xmas Tree Scan #! / Bin / sh Contents What is Bridging? What is Bridging? A bridge is a network device, that connects two network segments of any network type (ethernet, token ring etc.) transparently to form one subnet. Transparency means, that you do not have to tell any component (computer, application etc.) that there is a new device between them. So, no configuration on them is needed. And your bridge is really stealthy, because it does not need any IP address. You can easily build a bridge using a computer with at least two network interfaces. Here, in this section, I want to decribe howto setup a bridge using Linux (here wirth kernel 2.4.24), because based on the transparency characteristics of a bridge, you can build security enhancing network devices like bridging (transparent) firewalls and intrusion prevention systems. Installing a Bridge There are two things to do. First, you have to install the bridge-utils. Under gentoo you just type: emerge bridge-utils If your distribution is not shiped with bridge-utils, then you can download them from sourceforge. You can configure, compile and install bridge-utils the standard way. The second thing to do is to prepare the kernel. Fortunately, you have to activate all drivers you need to run your box properly. In addition, you have to active (this depends on the development status of the kernel features): Code maturity level options –> Prompt development and/or incomplete code/drivers Then simply recompile and install your new kernel. Reboot. If you are using modules, then load them! Configuring a Bridge Configuring a bridge a really straightforward. See table 1. Table 1: Configuring the Bridge Now you have a network device, that forwards traffic between two network segments transparently. But what do the commands in table 1 do exactly? With the first two lines, you bring the two ethernet interfaces eth0 and eth1 up, without assigning an IP address to them. The 0.0.0.0 garantees, thet even if an IP address was assigned at startup, it will be overwritten. In the third line a new device, here a bridge, called br0 is created. Lines 4 and 5 add the two interfaces eth0 and eth1 to our bridge br0. In the last line, we bring our bridge br0 up. Again, we assign no IP address to it. What is a Bridging Firewall? A bridging firewall is also often called a transparent firewall and some benefits come with its’ design: Zero configuration. From a networking standpoint, there are virtually no changes. How can this be? Easy, the bridging firewall is plugged in-line with the network it is protecting. This means you can put it between two routers, or a router and a switch. You could even put it in front of a single machine. While it might be placed exactly where it should be if it were acting as a gateway or router, it’s not. Remember, it merely moves frames after inspecting them between interfaces. This means that there’s no need to make any changes to your existing network. It is completely transparent. No subnetting headaches or configuration updates are required with this device. The are two possibilities to realize a bridging firewall: with ebtables or with iptables. In ebtables the focus is more on OSI layer 2-3, where in iptables it is more on ISO layer 3-4. Ebtables might be more suitable in scenarios, where the bridge connects two network segments within one subnet, where iptables might be more suitable where the bridge is placed before a router that connects the subnet to another net. Installing a Bridging Ebtables Firewall? First of all you need a bridge. Above I have decribed how to install and configure it. Secondly you have to install the ebtables packages. Under gentoo just do a emerge ebtables But keep in mind, that this package is masked. If this package is not shipped with your distribution, then download it from sourceforge. You can configure, compile and install ebtables the standard way. ebtables can be seen as a replacement for iptables. But it uses other tables within the kernel. The next step is to enhance the kernel with the ebtables-brnf-patch (not necessary for kernel 2.6, because it is already in there). You can download it from sourceforge. Decompress it and the patch your kernel with the corresponding version of ebtables-brnf: patch -p1 <patch_file Within the kernel you have to activate: Networking options –> Network packet filtering (replaces ipchains) Then a list of options for ebtables pops up. you can select, for simplicity, all of them. Then simply recompile, and install your new kernel. Reboot. If you are using modules, then load them! Configuring a Bridging Ebtables Firewall? The bridge is now running and the kernel already prepared for configuring a firewall via ebtables. The best is always to have a real life example to show how it works. My example will be based on the following environment: There is a NAT-Router with the IP address 192.168.1.1 playin the role of a gateway all clients within the subnet 192.168.1.0/24 and connection them to the internet Table 2: Configuring the Bridging Ebtables Firewall The syntax of ebtables is quite similar to the one of iptables.Because we are using briding, that has in our case a lot of similarities to routing, we have to configure only our FORWARD chain. In the first line we set our default policy to DROP, meaning, that all packages not matching any other rule, are dropped by default. The second line says, that our bridging firewall will let ARP packages pass. The parameter -p is used to specify a protocol in hex. 0x806 is ARP (Address Resolution Protocol). This is needed, because the clients within a subnet communicate based on layer 2 of the OSI model. And so they have to find the MAC addresses based on the IP addresses they know. In the third and fourth line we grant the client 192.168.1.52 to do surf the WWW. -p 0x800 is the well known Internet Protocol (IP). –ip-dst and –ip-src give the destination and source IP respectively. –ip-proto specifies the IP protocol, here TCP. With –ip-dport and –ip-sport we specify the destination and sourceport, here port 80 (the standard port for http traffic). The last two lines eneble the client 192.168.1.52 to do dns requests. The NAT router 192.168.1.1 serves as a DNS forwarder. In this case the source and destination addresses are well known. The IP protocol used is UDP and the port on the NAT router serving DNS is 53. Configured this way, our bridging firewall will only let one client through and will enable him to surf in the WWW. Installing a Bridging Iptables Firewall? First of all you need a bridge. Above I have decribed how to install and configure it. Secondly you have to install the iptables packages. Under gentoo just do a emerge iptables The software is shiped with really every distribution. So you do not need to download it. Within the kernel you have to activate at least the following options: Networking options –> Network packet filtering (replaces ipchains) Then simply recompile, and install your new kernel. Reboot. If you are using modules, then load them! Configuring a Bridging Iptables Firewall? Because iptables is well documented (and there is also a howto on linuxsecure) I will not go into detail here. I will only show a very small example here that uses connection tracking. The bridged iptables firewall will only let connections from client 192.168.1.52 out (willforward them) but no connections in. See table 3 for details. Table 3: Configuring the Bridging Iptables Firewall The first line in table 3 configures the default policy. Any traffic, that is not matched by a rule is dropped. The next two lines tell iptables to let only packets in that belong to an existing connection or are related to it. As configured in line 3, new connections can only be established from client 192.168.1.52. What is an Intrusion Prevention System? I have already written a few lines about Intrusion Detection System (IDS) here One big point about flexible responses I have made there, is that despite the practicability of flexible responses, it is not fast/reliable enough. So If you want it, then you have to implement IDS with flexible response (or something similar) onto a router. A bridge is very similar to a router. It is a single entry or exit point to a network segment. So all traffic going in or out has to go through it. If you install an Intrusion Detection System on a bridge (or router) and if you configure it in a way, that it will not forward packages identified as containing an attack signature, then you have an Intrusion Prevention System (IPS). Installing an Intrusion Prevention System Here, I will show how to install an IPS on a bridge. Installing one on a router is quite the same. First, we have to set up the bridge, as shown above. Then we have to download snort_inline from sourceforge. Then just do ./configure –enable-inline Because snort_inline receives the network packages via iptables, we have to activate userspace queueing in the kernel: Networking options –> Network packet filtering (replaces ipchains) Then simply recompile, and install your new kernel. Reboot. If you are using modules, then load them! Configuring an Intrusion Prevention System The configuration of snort_inline is nearly the same as for snort, exept for the rule types. There are three new rule types, namely drop, reject, and sdrop: The drop rule will tell iptables to drop the packet and log it via usual snort means. Now we have to tell iptables to sent all packages going through the bridge to the table QUEUE, so that snort_inline can get them from there. This can be archived with the commands in table 4. Table 4: Preparing Iptables for Snort_Inline The first line is not really necessary. The second line configures netfilter to push all packages in the FORWARD chain in to the table QUEUE. What we have to do now is to change some of the rules in a way, that network packages matching attack signatures are not only detected, but also droped, so that they will never arrive at the target host. For example, we can prohibit packages matching the ICMP PING NMAP signature by simply changing the rule alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP PING NMAP”; dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;) to drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP PING NMAP”; dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;) Within snort_inline the rule application order has changed, in order to get intrusion prevention functionality. The new rule application order is now: ->activation->dynamic->drop->sdrop->reject->alert->pass->log To start snort in inline mode, we have to use the new switch Q, meaning, that snort will not receive packages by sniffing on the wire, but via iptables: snort_inline -QDc /etc/snort_inline/snort.conf -l /var/log/snort_inline where /var/log/snort_inline is the directory, where snort logs the alerts/drops. What Is Stealth Firewalling with Linux? A Brief Explanation of Netfilter Thanks to the flexibility of the netfilter subsystem and the way it handles packets, we can use it to apply firewall rules to network traffic, even if the device is not operating at the IP layer. The subsystem doesn’t actually care; it can apply firewall rules to whatever traffic passes through it. To help explain this, Figure 1 shows which netfilter rules are applied to the bridge interface, and the order in which they are applied for traffic flowing from eth0 to eth1 over the bridge. Figure 1
Device Drivers You may also need to install ebtables for your distribution. The userspace ebtables utility and 2.4 kernel patches are available at http://sf.net/projects/ebtables and from our Web site – www.gotroot.com. Next we need to set up our firewall, in this case it’s named Minimoose (kudos to those of you who get this reference), to bridge traffic between our network, 10.10.10.0/24, and our gateway, 10.10.10.1. The goal is to put Minimoose between the network and the gateway device. We start this process by first configuring Minimoose’s interfaces to act as a bridge. This is accomplished by using the userspace tool, brctl, to set up the bridged interfaces and to “capture” them. In this hypothetical example, Minimoose has two interfaces. One is pointing at the gateway router, which has an IP address 10.10.10.1 and is reached via ethernet interface eth0. Minimoose’s other interface, eth1, is facing the actual 10.10.10.0/24 network. Remember, the bridge does not need any IP addresses. It’s going to “bridge” the traffic between these two points, allowing traffic to move from the 10.10.10.0/24 network to the gateway router, 10.10.10.1, and vice versa as defined by the firewall rules on Minimoose. The first step, as already explained, is to set up the interfaces on Minimoose and to configure it as a bridge: 1. Create the logical interface in the kernel, which is called br0. [root@minimoose root]# brctl addbr br0 2. Add the left interface, eth0, that connects to the 10.10.10.1 gateway. [root@minimoose root]# brctl addif br0 eth0 3. Add the right interface, eth1, that connects to the 10.10.10.0/24 network. [root@minimoose root]# brctl addif br0 eth1 4. Activate the bridged interfaces by bringing up the two real interfaces. [root@minimoose root]# ifconfig eth0 0.0.0.0 promisc up At this point your bridge is working. As you have probably surmised, Minimoose doesn’t even have an IP address for itself. Although it’s probably a good idea to add an IP address to one of those interfaces for management reasons, you don’t have to in most instances. For example, you could just as easily connect this device to a serial console, or add another interface and run an “Out of Band” network just for admining your stealth firewall, or something like that if you’re über paranoid. Figure 2 shows our network, 10.10.10.0/ 24, before we put our firewall in place. Figure 2
Now we put our firewall, Minimoose, in place as shown in Figure 3. Figure 3 With traffic passing from 10.10.10.0/24 to the gateway through Minimoose, it’s time to do something interesting with the firewall. Listing 1 provides a simple example script that sets up the firewall rules and configures them to stealthily drop all SMB traffic moving between the gateway and the hosts on the 10.10.10.0/24 network. These rules also allow traffic to move in both directions, not just from the 10.10.10.0/24 network outward, but also from the gateway back into the 10.10.10.0/24 network. This listing will help illustrate the stealthy nature of this configuration; neither the hosts on the 10.10.10/24 network nor the gateway will “see” any changes in the network, except that SMB traffic is not flowing between the two. In the previous example you can see that applying firewall rules to Layer 3 (IP) traffic works exactly the same as it does with a normal firewall, that is we need to apply those rules to the FORWARD table, and of course make sure you enable ip_forwarding on our firewall for this example to work: echo 1 > /proc/sys/net/ipv4/ip_forward Another application of a stealth firewall would be to act as a transparent proxy server. We frequently add squid to our firewalls for performance reasons and this next example shows how to configure the squid Web proxy cache server for your stealth firewall. The good news is that setting this up is easy; the bad news is that it requires adding an IP address to the stealth firewall and, because of this, your firewall will not be as stealthy as you might like, as Web requests will be seen as if they were coming from the bridge’s IP address and, of course, your bridge will now have an IP address. Keep in mind, this doesn’t mean that other traffic will appear to come from the bridge’s IP address or that you need to change any default routes on your network. The stealth firewall will just be seen as another node on your network, not as a router. The steps to set this up are: 1. Install squid and configure squid.conf to allow connections from localhost. This is typically the default configuration for squid. The steps to do this are beyond the scope of this article, but if you are having problems, please visit our Web site for documentation: www.gotroot.com. 2. Add an IP address to your bridge interface, if you haven’t already done so. In the commands that follow, replace the variable $MANAGEMENTIP with the IP address you intend to assign to your bridge, and the $MANAGEMENTGATEWAY variable with the gateway address for your network. ifconfig br0 $MANAGEMENTIP 3. Finally, add the following two rules to your firewall: iptables -A INPUT -i <internal interface on bridge, such as eth1> -p tcp -d $MANAGEMENTIP -s iptables -t nat -A PREROUTING -i <internal interface on bridge, such as eth1> -s 10.10.10.0/24 -p Click this link to download complete Source Code Your stealth firewall is now configured to grab all the port 80 traffic coming from our hypothetical stealth firewall’s internal network, 10.10.10.0/24. Redirect it to squid, and then allow squid to request and cache the documents. Again, all Web requests will now come from the bridge’s IP address. Hopefully this brief introduction to stealth firewalls has encouraged you to think up your own ways to use them in your environment. Stealth firewalls are a fantastic and reliable tool for any network or security administrator. They’re easy to set up, can be more secure than classic IP firewalls, and because they require no routing and don’t have to be integrated into the network’s routing scheme, they are actually less of a risk to a network, from a point-of-failure perspective, than a traditional IP firewall. As we already mentioned, if the stealth firewall fails, just run a patch cable around it. Of course, this eliminates your firewall and we don’t want that. The good news is that there’s an easy solution to that problem as well, and it allows you to create a fully automatic failover between two or more stealth firewalls. The better news is that this is already built into Linux and is very robust, but that discussion is for another time. Infrarecorder Great application, it is a very good alternative to Nero. Add files and burn! 7-zip Great application, it is a very good alternative to Winzip. Bulk rename utility This is a very cool application, it will let you rename filenames in bulk. DO NOT get discouraged by its complex look, it is very easy to use once you understand it. And it is very powerfull. Daemon tools Mount ISO files to a virtual CD/DVD. WinSCP A must have application to connect to remote FTP, sFTP or SCP. Will give a system wide file access through SSH. Gimp Must have application for picture manipulations. It is a very good alternative to Photoshop. Open Office It is a very good alternative to Microsoft Office. Firefox A must have alternative to Internet Explorer! Irfanview The best picture viewer. Jalbum Create web photo album. The best. PDF Creator Create PDF Files. Bytecount Great application by Hans Nelisse to find directory tree size. Very very usefull. uvnc Must have application to remote control a computer. UBCD – Ultimate boot cd Must have boot cd/dvd. LC ISO Creator A 14 kb ISO creator. Easy, fast, great application. This is another must have. Linkchecker An easy to use, great web site link checker for Windows. 1 Disabling Mod_Security Globally [edit] Disabling Mod_Security Globally Step 1) Disable config file mv /etc/httpd/conf.d/00_mod_security.conf /etc/httpd/conf.d/00_mod_security.conf.disabled Step 2) Restart Apache service httpd restart [edit] Disabling Mod_security per domain For Plesk and similar systems you can also disable modsecurity in the Apache configuration. Step 1) Edit the vhost/vhost_ssl.conf for the domain vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf Step 2) Add the following <IfModule mod_security2.c> Then restart apache, if you are using Plesk then you will also need follow steps 3 and 4. Step 3) Add vhost.conf to domain config /usr/local/psa/admin/bin/websrvmng -a Step 4) Restart Apache service httpd restart [edit] Disabling Mod_security per domain for an IP address For Plesk and similar systems you can also disable modsecurity in the Apache configuration. Step 1) Edit the vhost/vhost_ssl.conf for the domain vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf Step 2) Add the following <IfModule mod_security2.c> Then restart apache, if you are using Plesk then you will also need follow steps 3 and 4. Step 3) Add vhost.conf to domain config /usr/local/psa/admin/bin/websrvmng -a Step 4) Restart Apache service httpd restart [edit] Disable Mod_security on a global URL Step 1) Create a global exclude file vim /etc/httpd/modsecurity.d/00_custom_exclude.conf Step 2) Add the LocationMatch for the url to exclude. Example: /server.php <LocationMatch /server.php> Step 3) Restart apache service httpd restart [edit] Disable Mod_security for an IP address In ASL, just click the “Whitelist” button. If you are not using ASL, simply add your IP address to the file: /etc/asl/whitelist And restart Apache. Note: For this rule to work, in ASL you must have the MODSEC_00_WHITELIST ruleset enabled. If you are not using ASL, then you must have the 00_asl_whitelist.conf ruleset loaded. [edit] Whitelist an IP See above, “Disable Mod_security for an IP address” If you have ASL installed: Method 1: Log into the ASL GUI, and click on the “Configuration” tab. Then click “Rule Management”, then click the “Rules” tab, then click the “WAF” tab. Type in the rule ID and the rule manager will pull up the rule. Click on the green down error which will pull up the options for this rule. Type in the vhost name into the Text box on the left side of the options, then click “add”. Keep in mind this is literal, so if you have a vhost with the name “example.com” that serves content for “ftp.example.com” and “www.example.com” you will need to add those FQDNs as well. Method 2: Run this command as root: asl -dr RULE_ID –vhost www.example.com Replace RULE_ID with the ID of the rule you want to disable for the vhost. Keep in mind this is literal, so if you have a vhost with the name “example.com” that serves content for “ftp.example.com” and “www.example.com” you will need to add those as well. For example: asl -dr RULE_ID –vhost www.example.com asl -dr RULE_ID –vhost ftp.example.com asl -dr RULE_ID –vhost example.com If you do not have ASL installed you will have to do this manually: Step 1) Edit the vhost/vhost_ssl.conf for the domain vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf Step 2) Add the LocationMatch for the rule to exclude. Example, ruleid 950005 <LocationMatch .*> If you want to disable multiple rules: Step 2) Add the LocationMatch for the rule to exclude. Example, ruleids 950005 and 950006 <LocationMatch .*> [edit] Disable Mod_security rule for a specific application in a single domain Step 1) Edit the vhost/vhost_ssl.conf for the domain vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf Step 2) Add the LocationMatch for the rule to exclude. Example, ruleid 950005 <LocationMatch /URL/path/to/application.php> [edit] Disable Mod_security rule for all domains Method 1: Log into the ASL GUI, and click on the “Configuration” tab. Then click “Rule Management”, then click the “Rules” tab, then click the “WAF” tab. Type in the rule ID and the rule manager will pull up the rule. Click on the green down error which will pull up the options for this rule. Set “disabled” to yes and click update. Method 2: Use ASL utility to disable rule by ID. Example: 950005 asl –disable-rule 950005 Note: This requires that Atomic Secured Linux be installed. If you do not have Atomic Secured Linux installed you can disable a rule globally manually by adding a rule to your own custom rules files that contains a line similar to this: <LocationMatch .*> Custom rules should be loaded after atomicorp rules. A good place to add this, again only if you do not have ASL installed, is in the 999_user_exclude.conf file. If you don’t have this file, just create it. Then make sure your modsecurity configuration is setup to load this file. Add this to either you vhost.conf file, or if your want to make this global make sure this exclusion is loaded after your rules are loaded. A good place to add this in the 999_user_exclude.conf file. If you don’t have this file, just create it. Then make sure your modsecurity configuration is setup to load this file. <LocationMatch /url/to/your/application> Whats important to remember is that the LocationMatch variable must match the URL, not the path on the system. Step 1) Edit the vhost/vhost_ssl.conf for the domain vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf Step 2) Add the LocationMatch for the rule to exclude. <LocationMatch /foo/bar.php> Step 3) Add IP to /etc/asl/whitelist echo “10.11.12.13” >> /etc/asl/whitelist Or: If you want to create a special whitelist for just that application: Step 1) Edit the vhost/vhost_ssl.conf for the domain vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf Step 2) Add the LocationMatch for the rule to exclude. <LocationMatch /foo/bar.php> Step 3) Create your custom whitelist and add IP to /etc/asl/whitelist echo “10.11.12.13” >> /path/to/your/custom/whitelist_for_this_application Keep in mind these custom lists are *not* managed by ASL, so if you want to add IPs to these lists you will need to do it from the command line. If you need to customize a rule do not change the asl*conf files. These files will be overwritten by updates. If you need to change a rule because it is incorrectly blocking something we recommend you report it to use as a False Postive, using the Reporting_False_Positives procedure. If you simply want to modify a rule to perform different actions, then copy the entire rule into your own rule file, and make sure you tell mod_security not to enable the original ASL rule. You can do that by using the mod_security action SecRuleRemoveById. Here is a simple example: If you had an original rule like this: SecRule REQUEST_URI “/foo” “t:normalisePath,id:9000000,rev:1,severity:2,msg:’Atomicorp.com WAF Rules: Block /foo'” And you want it to block “bar” instead of “foo”, then you would copy the entire rule into your own custom rule file. If you are using our rules we recommend you use the filename 99_asl_zzz_custom.confm and change the id: field to an unused ID. SecRuleRemoveById 9000000 These are the reserved ranges: * 1-99,999; reserved for local (internal) use. Use as you see fit but do not use this range for rules that are distributed to others.
Apache ModSecurity – IP Whitelist SecRule REMOTE_ADDR “^192\.168\.2\.15$” phase:1,nolog,allow,ctl:ruleEngine=off It means the IP 192.168.2.15 will be ignored by ModSecurity. Don’t forget to restart Apache after adding new rule. APACHE :- Apache is an open source web server which guarantees availability of active websites online . The original version of apache was especially designed for unix-like operating system Nowadays, it can be implemented on variety of O.S. platforms. According to Apache Software Foundation and Net craft web server survey, 65% of websites on the internet uses Apache server. Features of Apache :- 1) Modularity 2)Uniformity 3)Portability 4)Powerful and Flexible webserver 5)Easily operable on wide variety of OS Platforms. which made possible technologies like apache modules an API for apache module enabling features such as PHP, Mysql integration, URL Rewrite, PHP Handlers, Global variables and other features. Apache Web Server Versions :- Apache 1.3 :- -Useful configuration files. Apache 2.0 :- -Most comprehensive configuration files. Apache 2.2 :- -Offers more and new flexible modules. ————————————————————————————————————————– You may felt boredom while reading below concept, But its the core and most important functional body of Apache. MPM :- MPM stands for Multiple Processing Modules. The main purpose of MPM is binding network ports on machine, accepting request and dispatching children to handle the requets. Apache implements specialized MPM. MPM must be choosen while configuring and must be compiled in the server. MPM behaves like Apache module, the basic difference is only one MPM must be loaded into the server at any time. List of Apache MPM modules are available. Refer the link for the same :- http://httpd.apache.org/docs/2.0/mod/ Some of the well know and widely implemented MPM’s :- 1) Prefork :- “The prefork MPM runs multiple processes with each child process handling one connection”. Merits :- -Stable and Secure De-Merits :- -Simultaneous execution of multiple processes >> indicates more memory usage. A typical configuration of the process controls in the Preform MPM could look as follows: StartServers 8 More Information 2) Worker :- “The worker MPM has one control process that launches multi-threaded child processes which handles one connection per thread”. Merits :- -Multi-threaded design utilizes less memory usage irrespective of high connections. De-Merits :- -DSO Module Incompatible. A typical configuration of the process-thread controls in the Worker MPM could look as follows: ServerLimit 16 More Information 3) Event :- “The Event MPM is similar to worker MPM but allows high performance by passing some of the listener thread work to each work processes. Each process can act as worker or listener depending on need and activity in CPU for respective time”. Merits :- -Better optimization. De-Merits :- -DSO Module Incompatible. A typical configuration of the process-thread controls in the Event MPM could look as follows: KeepAlive On More Information Distinguish between Perform, Worker, Event MPM’s Configurations Definitions :- * StartServers :- The number of child processes created on startup. *MinSpareServers : Minimum number of idle child processes. apache will continue to create new processes. This should be high enough, idle processes should be on hand. *MaxSpaceServers : Max number of idle child process, parent process will kill idle process in excess of limit. *MaxClients : Max number of simultaneous request i.e Max number of Apache requests. *MaxRequestsPerChild : Max number of request a child process will handle before it dies. if set to 0 ; process will never die *ServerLimit : Max number of child process, must be greater on equal to maxclient divided by thread per child. *ThreadsPerChild : No. of threads per child process. *MaxSpareThread : Min no.of idle thread. *KeepAlive ; allows for persistent connection to improve latency for connections that require multiple requests. *KeepAliveTimeout : Length of time connection will be kept open for further request before closing. *MaxKeepAliveRequests : Max no. of requests through a single keep alive connection. Mod_Deflate mod_deflate is an module of an Apache HTTP Web Server. The basic purpose of mod_deflate is to speedup download web page access time. It provides DEFLATE output filter that allows output from webserver to webbrowser in the form of compression format. It results in faster website access and decreases the amount of time in data transmission from web server to web browser. mod_gzip or mod_gz modules are similar to mod_deflate which compresses the contents using different implementations like gzip implementations and external zlib library respectively. You can check the gzip compression for website using below link :- http://aruljohn.com/gziptest.php How to Enable Mod_Deflate :- 1) # /scripts/easyapache 2) Adding the code under .htaccess file <IfModule mod_deflate.c> 3) Append below code under httpd.conf LoadModule deflate_module modules/mod_deflate.so Append following configuration <Location /> directive: <Location /> Above line only compress html and xml files. Here is the configuration from one of my production box: # /etc/init.d/httpd restart More Information Zip files corrupt when downloaded via IE but not via FF. RLimits RLimits RLimits can be added to :- The most common entries are: Limits memory usage to 100MB. (note: will not work on VZ VPS) RLimitMEM 104857600 104857600 Limits CPU usage. RLimitCPU 150 200 Limits Number of processes per user (This is what regulates the process limits on shared servers). RLimitNPROC 25 30 Mod_Expires/_Cache/_PageSpeed/_Bandwidth/_ Mod_Expires ~ $ curl -I http://www.hostgator.com Cloudflare’s caching headers: Image: Note how the image is being cached for 2 hours while the html is only being cached for 5 minutes. You can reproduce those settings with the following .htaccess rules. <filesmatch “\.(flv|gif|ico|jpg|jpeg|png|swf)$”> Mod_Cache and Mod_Pagespeed mod_pagespeed Install script: GET http://hgfix.net/heckel/install-pagespeed | bash Mod_Bandwidth :- “Mod_bandwidth” is a module for the Apache HTTP webserver that enable the setting of server-wide or per connection bandwidth limits, based on the directory, size of files and remote IP/domain. You can find the specific file types affected and other configuration settings in the “/usr/local/apache/conf/includes/mod_bandwidth.conf” file. Mod Security The mod_security system watches each connection and looks for suspicious use/access based on defined rule sets. When a connection matches a rule set, the connection is blocked with an error (almost always a 403 (forbidden) error). Unfortunately, mod_security – by its very nature – has to be strict. This means that occasionally, a customer’s legitimate script use will be caught by mod_security. In those instances, we will have to white list the rules being hit in order for the script to continue to function. Step 1: Determine which rule to whitelist. First, you must tail the apache error_log and determine which mod_security rule(s) need to be whitelisted. The easiest way to do this is with the command: tail -f /usr/local/apache/logs/error_log | grep ‘216.110.94.228’ Once you have that running, reload the page. You will see something similar to the following appear: Step 2: Determine the rule # being hit and white list Find the rule number, which would be the ID. In this case, the ID is highlighted, above. 1234234. Once you find the ID/rule, you will whitelist with the command: wlmodsec domain.tld rule# y/n In this case, you would use: wlmodsec hilili.com 1234234 y The y/n allows you to choose whether or not to automatically restart apache after the rule is whitelisted. This way, if you are whitelisting several domains (say a customer requests all of their domains be whitelisted against a specific rule), you can run it in a loop without having to restart after each whitelist. A loop would look similar to the following: while read -r DOMS; do wlmodsec $DOMS 1234234 n; done < domain-list After which, you would restart apache, manually. Step 3: Repeat until all rules are found/whitelisted. You’ve found on rule. Where one rule is hit, invariably there are more. Go back to step 1, and repeat until you can reload the page (or repeat the process) without triggering an error. Whitelist each rule that you trigger. It is also possible to disable mod_security, completely, for a domain; however, we do not recommend this. If a customer is wishing to do this, it must be handled by an upper tier administrator It you need to manually edit the rules they are in /opt/mod_security/whitelist.conf Example (need to replace domain.com and ruleid): SecRule SERVER_NAME “domain.com” phase:1,nolog,pass,ctl:ruleRemoveByID=ruleid mkdir -p /var/asl/data/ Then we need to add following lines to /usr/local/apache/conf/modsec2.user.conf SecUploadDir /var/asl/data/suspicious SecPcreMatchLimit 50000
I was testing authentication against Active Directory (LDAP) using Apache 2. The following worked for me in a .htaccess file but only after adding: LDAPVerifyServerCert Off in the main httpd.conf file. I presume this is related to the server name in the SSL certificate on the Active Directory server. AuthBasicProvider ldap Normal users should then be prompted for a username and password to access the directory and if correct credentials are supplied should be given access to the content. redirecting-mobile-web-users Apache Mod_Rewrite RewriteEngine On 2. Wurfl and PHP API 3. Apache Mobile Filter htaccess-examples examples Temporarily take site down for maintenance Options +FollowSymlinks or Options +FollowSymlinks
Redirecting to a New Domain Options +FollowSymLinks Force https use RewriteEngine On or RewriteEngine On Use a Custom Error Document ErrorDocument 404 /mynotfound.html Allowing access only from internal network order deny,allow Password protecting a directory with htaccess and htpasswd AuthUserFile /path/to/.htpasswd And then create the .htpasswd file with the following: /usr/local/apache/bin/htpasswd -c .htpasswd theusername There are also online tools for creating the paswords e.g.: Options +FollowSymLinks Allowing Directory Browsing in single directories with .htaccess Options +Indexes The reason why I have specified the DirectoryIndex as nonexistantfile.html is to ensure that if someone (or script) accidentally copies an index.html file into the directory that it won’t be used and instead the contents of the directory will be listed/browsable. Some Content Management Systems will copy new index.html files into directories even if you don’t want them 😉 .htaccess URL Rewriting .htaccess referers SetEnvIfNoCase Referer www\.thefirstdomain\.co\.uk good_referer=1 Apache Authentication with Active Directory (LDAP) A .htaccess file can be used to protect a directory on an Apache2 server. The code to use is: AuthType Basic The values need to be changed to reflect the Active Directory structure. The most important line appears to be AuthLDAURL which is the LDAP search. To use Exchange it may be possible to use: AuthLDAPURL “ldap://ldap.yourdomain.com:389/cn=Recipients,ou=ServerName,o=DomainName?uid?sub?(objectClass=*)“ |
||||||
|
Copyright © 2025 - All Rights Reserved Powered by WordPress & Atahualpa |
||||||
Recent Comments