OpenVAS 5 Installation on CentOS 6.2

Install Centos 6.2 Minimal

OS: CentOS 6.2 32bit
Hardware: Virtual Machine (VirtualBox 4.1.14)
OpenVAS: 5

About

OpenVAS is an open-source network vulnerability scanner.
OpenVAS lets you scan your network for vulnerabilities and create a report on your network status.

Prerequisite

    Disable SELINUX

vi /etc/selinux/config


SELINUX=disabled

Disable the firewall

 Install wget

yum install wget -y

    Update your Operating System and reboot

yum update -y
reboot

OpenVAS Installation

    Install atomic repository

wget -q -O - http://www.atomicorp.com/installers/atomic | sh

Atomic Archive installer, version 2.0.3

BY INSTALLING THIS SOFTWARE AND BY USING ANY AND ALL SOFTWARE
PROVIDED BY ATOMICORP LIMITED YOU ACKNOWLEDGE AND AGREE:

THIS SOFTWARE AND ALL SOFTWARE PROVIDED IN THIS REPOSITORY IS
PROVIDED BY ATOMICORP LIMITED AS IS, IS UNSUPPORTED AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ATOMICORP LIMITED, THE
COPYRIGHT OWNER OR ANY CONTRIBUTOR TO ANY AND ALL SOFTWARE PROVIDED
BY OR PUBLISHED IN THIS REPOSITORY BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.

Do you agree to these terms? (yes/no) [Default: yes]
ENTER

Installing the Atomic GPG key: OK
Downloading atomic-release-1.0-14.el6.art.noarch.rpm: OK

The Atomic Rocket Turtle archive has now been installed and configured for your system
The following channels are available:
  atomic          – [ACTIVATED] – contains the stable tree of ART packages
  atomic-testing  – [DISABLED]  – contains the testing tree of ART packages
  atomic-bleeding – [DISABLED]  – contains the development tree of ART packages

    Install OpenVAS

yum install openvas -y

    Run openvas-setup to configure OpenVAS

openvas-setup

Openvas Setup, Version: 0.1

Step 1: Update NVT’s
Please note this step could take some time.
Once completed, NVT’s will be updated automatically every 24 hours

Updating NVTs….
Stopping openvas-scanner:                                  [  OK  ]
Starting openvas-scanner:
                                                           [  OK  ]
Updating OpenVAS Manager database….

Step 2: Configure GSAD
The Greenbone Security Assistant is a Web Based front end
for managing scans. By default it is configured to only allow
connections from localhost.

Allow connections from any IP? [Default: yes]
Stopping greenbone-security-assistant:                     [  OK  ]
Starting greenbone-security-assistant:                     [  OK  ]

Step 3: Choose the GSAD admin users password.
The admin user is used to configure accounts,
Update NVT’s manually, and manage roles.

Enter password: enter password for admin user
ENTER

 

ad   main:MESSAGE:3223:2012-01-19 11h09.05 IST: No rules file provided, the new user will have no restrictions.
ad   main:MESSAGE:3223:2012-01-19 11h09.05 IST: User admin has been successfully created.

Step 4: Create a user

Using /var/tmp as a temporary file holder.

Add a new openvassd user
---------------------------------

Login : humus
ENTER

Authentication (pass/cert) [pass] :
ENTER
Login password : enter user password
ENTER
Login password (again) : enter user password again
ENTER
User rules
---------------
openvassd has a rules system which allows you to restrict the hosts that humus has the right to test.
For instance, you may want him to be able to scan his own host only.

Please see the openvas-adduser(8) man page for the rules syntax.

Enter the rules for this user, and hit ctrl-D once you are done:
(the user can have an empty rules set)
ctrl-D
Login             : humus
Password          : ***********

Rules             :

Is that ok? (y/n) [y]
ENTER
Setup complete, you can now access GSAD at:

https://<IP>:9392
  • Start OpenVAS administrator
/etc/init.d/openvas-administrator start
  • Download openvas-check-setup script and check OpenVAS setup
cd /usr/local/src/
wget https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup -O openvas-check-setup.sh --no-check-certificate
chmod +x openvas-check-setup.sh
./openvas-check-setup.sh --server
  • Open the Greenbone Security Assistant port in the Linux firewall
vi /etc/sysconfig/iptables
...
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9392 -j ACCEPT  
...
service iptables restart
  • Connect to OpenVAS server
    • Using a web browser browse to https://openvas_server_IP:9392

That’s it. OpenVAS server installation is complete. You can create new scans on your network, schedule them to run frequently, and check their reports.

For more information on OpenVAS visit http://www.openvas.org

 

Securing SSHd on CentOS 6

CentOS 6.0 no longer uses faillog for keeping track of failed login attempts. Here’s an easy way to set up login tracking and SSH timeouts, for PCI compliance or just for a nice secure system.

First, edit /etc/ssh/sshd_config to set up a timeout for SSH. Change the following lines:

ClientAliveCountMax 3

ClientAliveCountMax is how many concurrent connections each user can have.

Then edit /etc/pam.d/system-auth and add this line to the top of the auth list:

auth required pam_tally2.so deny=3 onerr=fail unlock_time=900

Then add this line to the top of the account list:

account required pam_tally2.so

Restart the SSH daemon, and your users will now be locked out if they have 3 failed password attempts. To reset this for a user, run:

pam_tally2 -u $username --reset

Next, create /etc/profile.d/autologout.sh and put the following lines in it:

TMOUT=300
readonly TMOUT
export TMOUT

Save that file and then run:

chmod +x /etc/profile.d/autologout.sh

This will log users out after 300 seconds (5 minutes). Relog and you can test this out yourself.
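
An added example, not part of the original post: a read-only audit of the three files edited in this section, including the ordering of the pam_tally2 lines. The sample files and the ClientAliveInterval value of 300 are constructed for the example, and sshd_config times are assumed to be written in plain seconds.

```sh
#!/bin/sh
# Added example: read-only audit of the three files edited in this section.
# Paths are arguments, so the checks can be tried on copies first.

# Effective global value of an sshd_config keyword: keywords are case-insensitive,
# the first occurrence wins, and global settings end at the first Match block.
sshd_value() {    # $1=sshd_config  $2=keyword
    awk -v k="$2" '
        /^[ \t]*#/                { next }
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Seconds of silence before sshd drops a session, per sshd_config(5): a probe is
# sent every ClientAliveInterval seconds and the client is disconnected after
# ClientAliveCountMax unanswered probes. Defaults: 0 (no probes) and 3.
ssh_idle_cutoff() {    # $1=sshd_config; assumes plain seconds; prints 0 for "never"
    interval=$(sshd_value "$1" ClientAliveInterval)
    count=$(sshd_value "$1" ClientAliveCountMax)
    echo $(( ${interval:-0} * ${count:-3} ))
}

# Module on the first non-comment line of one PAM type (auth, account, ...).
pam_first_module() {    # $1=PAM file  $2=type
    awk -v t="$2" '
        /^[ \t]*#/ { next }
        $1 == t || $1 == ("-" t) {
            for (i = 3; i <= NF; i++) if ($i ~ /\.so$/) { print $i; exit }
            exit
        }
    ' "$1"
}

# Print one finding per line; print nothing when every check passes.
audit_login_hardening() {    # $1=sshd_config  $2=system-auth  $3=autologout.sh
    [ "$(ssh_idle_cutoff "$1")" -gt 0 ] ||
        echo "sshd: no idle cut-off (ClientAliveInterval is 0 or unset)"
    for t in auth account; do
        # pam_tally2 has to be first so it runs before pam_unix can end the stack.
        case "$(pam_first_module "$2" "$t")" in
            *pam_tally2.so) ;;
            *) echo "pam: pam_tally2.so is not the first $t entry" ;;
        esac
    done
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_tally2\.so.*[[:space:]]deny=[1-9]' "$2" ||
        echo "pam: no deny= threshold on the pam_tally2 auth line"
    grep -Eq '^[[:space:]]*(export[[:space:]]+|readonly[[:space:]]+)?TMOUT=[1-9]' "$3" ||
        echo "shell: TMOUT is not set to a positive value"
    grep -Eq '^[[:space:]]*(readonly|declare -r|typeset -r)[[:space:]]+TMOUT' "$3" ||
        echo "shell: TMOUT is not readonly, users can unset it"
    return 0
}

# Constructed samples: "good" follows this section plus an assumed
# ClientAliveInterval; "bad" shows the mistakes the audit is meant to catch.
write_samples() {    # $1=directory
    mkdir -p "$1/good" "$1/bad"
    printf '%s\n' 'ClientAliveInterval 300' 'ClientAliveCountMax 3' > "$1/good/sshd_config"
    printf '%s\n' \
        'auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=900' \
        'auth        required      pam_env.so' \
        'auth        sufficient    pam_unix.so nullok try_first_pass' \
        'account     required      pam_tally2.so' \
        'account     required      pam_unix.so' > "$1/good/system-auth"
    printf '%s\n' 'TMOUT=300' 'readonly TMOUT' 'export TMOUT' > "$1/good/autologout.sh"
    printf '%s\n' '#ClientAliveInterval 0' 'ClientAliveCountMax 3' > "$1/bad/sshd_config"
    printf '%s\n' \
        'auth        required      pam_env.so' \
        'auth        sufficient    pam_unix.so nullok try_first_pass' \
        'auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=900' \
        'account     required      pam_unix.so' > "$1/bad/system-auth"
    printf '%s\n' 'TMOUT=300' 'export TMOUT' > "$1/bad/autologout.sh"
}

# Demo on the constructed samples: "good" prints nothing, "bad" prints four findings.
demo=$(mktemp -d)
write_samples "$demo"
for s in good bad; do
    echo "== $s"
    audit_login_hardening "$demo/$s/sshd_config" "$demo/$s/system-auth" "$demo/$s/autologout.sh"
done
rm -rf "$demo"
```

On a live system, also run it against whichever PAM file /etc/pam.d/sshd actually includes.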

qmail install on centos 5.8

 

I have compressed most of the required files into one file called qmr1.tar.gz and qmr2.tar.gz.  You will need to download both then put them in the /downloads/qmr directory that you need to create on your Centos or Fedora box.

 

Attachments are:

 

qmr1.tar

qmr2.tar

If you are looking at installing Qmail on a CentOS 5.8 system, you are at the right place.  You can either follow the directions on the pages under CentOS 5.5 or just download the pdf install guide (under Qmail Files page).

 

Either way, you should end up with a great working system.  I caution you to please look at the screen output whilst doing the install.  If you see errors pop up, google them to solve before moving on.  If you do not, you will likely have problems later on.  Each program interacts with other programs and if something is broken, the other bits will likely fail as well.

 

Remember to use your logs as well.  They are a great way of detecting problems or success.

 

 

 

Part 1 – Checklist

1.      Make sure you have Fedora installed.  SELINUX is a huge problem with qmail and I had to firstly put it in permissive mode and then disable it altogether.  I do however have a firewall on my router.  Security is another topic.

2.      Make sure you have the following (on your system)
(Command line is "rpm -qa | grep pkgname")

E.g. rpm -qa | grep php
a.       http

b.      php

c.       perl

d.      perl-suidperl

e.       gcc

f.       gcc-c++

g.      mysql

h.      openssl

i.        openssl-devel

j.        wget

k.      Personally I use midnight commander so I also install mc

l.        patch

 

3.      If any are missing, install them.  For example, to install php, type:

yum install php

4.      Make sure you update your entire system with “yum update” after all this.

I then run
perl -MCPAN -e shell (and go with it)
When you get cpan>
type “install Bundle::CPAN”
when you get it again, type “install CDB_File”

Type exit when it comes up CPAN3>

This last bit takes a while and you have to answer a few questions – I just hit enter to accept the default Yes answers.

This last bit is needed for Spamassassin.

 

Required Files to complete Setup

These can all be downloaded from the “QMR Files” page.

Firstly however, create a directory for all the files to go into:

mkdir /downloads/qmr

 

 

Part 2 – Run Script to create the necessary users etc for qmail install

Run the following script to create all the necessary users and folders / files and also to patch qmail with John Simpson’s latest patch (currently 7.10).  You should go check that this is still the latest and if not, edit the script and download the latest patch.

cd /downloads/qmr/scripts/install
./qmr_install_with_jms1.script

This script will:

Make some necessary directories
Create necessary users and groups
Unpack qmail-1.03 and patch it with John Simpson’s 7.10 patch
Unpack ucspi-tcp and daemontools and put them in the correct places on the system
Create logging directories and supervise script directories

Part 3 – Install Qmail (with John Simpsons patches already done)

Then go to the /qmail-1.03-jms1-7.10 directory.

make man && make setup check

Qmail is now installed but you still have a lot to do.  When finished, type

./config-fast rmohan.com

For example
./config-fast rmohan.com 

# make clean

We are now done getting qmail setup (for now)!

 

Part 4 – Install ucspi-tcp

            cd /usr/src/qmail/ucspi-tcp-0.88

We must also patch this file.

patch < /downloads/qmr/patches/ucspi-tcp-0.88.errno.patch

It will display “patching file error.h” – this is what we want (even though logically it sounds bad, it is not)

  make && make setup check

That is all for this.  Now to install qmail…

 

Part 5 – Install Daemontools

cd /package/admin/daemontools-0.76/src

We must patch this file as well

patch < /downloads/qmr/patches/daemontools-0.76.errno.patch

It will display “patching file error.h” – this is what we want (even though logically it sounds bad, it is not)

cd ..

package/install

That’s it.

Part 6 – Install Ezmlm-idx

cd /downloads/qmr
tar zxvf ezmlm-idx-7.0.2.tar.gz
cd ezmlm-idx-7.0.2
make && make setup

 

Part 7 – Install Autorespond

cd /downloads/qmr
tar zxvf autorespond-2.0.5.tar.gz
cd autorespond-2.0.5
make && make install

 

Part 8 – Qmail-updater

cd /var/qmail/supervise

mkdir -m 1755 qmail-updater

mkdir -m 755 qmail-updater/log

cd qmail-updater/log

cp /downloads/qmr/service-any-log-run run

chmod 755 run

cd ..

cp /downloads/qmr/pipe-watcher pipe-watcher

cp /downloads/qmr/update-qmail update-qmail

cp /downloads/qmr/service-qmail-updater-run run

chmod 755 pipe-watcher update-qmail run

The last step here is to link the qmail-updater directory in the /service directory so daemontools can run it.

ln -s /var/qmail/supervise/qmail-updater /service/

Wait a few seconds then run:

svstat /service/qmail-updater /service/qmail-updater/log

You should see output showing up for more than 3 seconds for both.

 

 

Part 9 – Install Vpopmail with onchange

First we need to install Skel

cd ~vpopmail
tar zxvf /downloads/qmr/skel.tgz
chown -R vpopmail:vchkpw skel
chmod -R 700 skel/
chmod 0600 skel/.qmail skel/mailfilter

We want to install vpopmail with the onchange function enabled. The latest version is 5.4.30 currently.

cd /downloads/qmr
tar zxvf vpopmail-5.4.30.tar.gz
cd vpopmail-5.4.30
./configure --enable-logging=p --enable-onchange-script

make install-strip

If that all ran without errors, vpopmail is configured and installed.  Now we must get the onchange function working.

cd ~vpopmail/etc
cp /downloads/qmr/onchange onchange

This is the script that vpopmail will execute when a user or domain is added or deleted from the system.  You need to now set permissions:

chown vpopmail:vchkpw ~vpopmail/etc/onchange
chmod 750 ~vpopmail/etc/onchange
chmod +x ~vpopmail/etc/onchange

Now that the onchange script is in place we can test it with the qmail-updater log file.  Open up another session (Ctrl+Alt+F2) and type

tail -f /service/qmail-updater/log/main/current

Go back to the original session (ctrl+Alt+F1) and add a domain and user and you should see your log file in the other session change – stuff goes in it.

            cd ~vpopmail/bin
./vadddomain rmohan.com
./vadduser test@rmohan.com password

If the log file fills up with stuff, congratulations.

We need to make a slight modification to the vchkpw file to make it work with SMTP over SSL.

cd ~vpopmail/bin
chmod 6711 vchkpw
chown vpopmail:vchkpw vchkpw

 

Part 10 – Validrcptto and Auth

We must then create the validrcptto and auth files which reside in /var/qmail/control.

To do this, we use the mkvalidrcptto and mkauth scripts.

cd /usr/local/bin

            wget http://qmail.jms1.net/scripts/mkvalidrcptto

            wget http://qmail.jms1.net/scripts/mkauth

            chmod 755 mkvalidrcptto mkauth

Then we run the scripts:

mkvalidrcptto -c /var/qmail/control/validrcptto.cdb

mkauth -c /var/qmail/control/auth.cdb

To test

ps axww | grep readproctitle

the output should be something like

0:0 read……..service errors……………………
………………………………………………………………….
………………………………………………………………….

 

Part 11 – Install Maildrop

You need maildrop aside from anything else, for qmail-scanner – which needs reformime.

Before you install maildrop, you need to install “pcre”.  Download the file to the qmr directory.

tar zxvf pcre-8.12

cd /downloads/qmr/pcre-8.12
./configure
make
make install
make clean

Then

cd /downloads/qmr
tar xvf maildrop-2.5.5.tar.bz2
cd maildrop-2.5.5
./configure --enable-maildrop-uid=root --enable-maildrop-gid=vchkpw
make install clean
We now add logging options to maildrop.

cd /var/qmail/supervise
mkdir -m 1755 maildrop-logger
mkdir -m 755  maildrop-logger/log
cd maildrop-logger/log
cp /downloads/qmr/service-any-log-run run
chmod 755 run
cd ..
cp /downloads/qmr/log-maildrop log-maildrop
cp /downloads/qmr/pipe-watcher pipe-watcher
cp /downloads/qmr/maildrop-logger-run run
chmod 755 pipe-watcher log-maildrop run
touch /tmp/log-maildrop
chown vpopmail:vchkpw /tmp/log-maildrop

Now we start the maildrop-logger service

ln -s /var/qmail/supervise/maildrop-logger /service/

Wait a bit then check

svstat /service/maildrop-logger /service/maildrop-logger/log

Again, it all should be running for more than 3 seconds

Part 12 – Uninstall Sendmail

To find out the version numbers to remove type

rpm -qa | grep sendmail

Then

/etc/rc.d/init.d/sendmail stop

Then

rpm -e --nodeps sendmail-x.x.x          (version number from results above)
rpm -e --nodeps sendmail-cf-x.x.x      (version number from results above)

We now need to establish an artificial sendmail path, that is, a symbolic link to qmail’s sendmail.  This is needed to ensure the whole system is able to send mail.

ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail

That’s it for this step.

 

Part 13 – Install Dovecot

Do not try to install any courier stuff as they do not support vpopmail any more.

The latest stable version is dovecot-1.2.12.  As always check this is the latest stable version. I did try the later version of 2.0.11 but that caused issues so I used 1.2.12.  Your choice !

cd /downloads/qmr
tar xzf dovecot-1.2.12.tar.gz
cd dovecot-1.2.12
cp /downloads/qmr/configure.dovecot configure.dovecot
chmod 755 configure.dovecot
./configure.dovecot

make
make install

There seem to be a few directories that either weren’t created or were created with bad permissions. The following commands fixed the problems:

mkdir -m 0755 /usr/local/var /usr/local/var/run /usr/local/var/run/dovecot

chmod go=u-w /usr/local/share /usr/local/share/doc

chmod -R go=u-w /usr/local/lib/dovecot /usr/local/libexec/dovecot /usr/local/share/doc/dovecot

The next step is to create a new non-root userid which is used to process authentication requests.

This command is specific to Linux, and will probably need to be adjusted for other systems. The idea is to create a userid which cannot log in, which has no valid shell, and has no home directory- one which, if somebody were to “hack” into it, wouldn’t be able to do much.

useradd -M -d /nohome -s /bin/false -c 'Dovecot user' dovecot

________________________________________

Configuring Dovecot

Dovecot itself is configured using a single control file, which is in
/usr/local/etc/dovecot.conf
When you install the software, it creates a dovecot-example.conf file in this directory, and the directions with the software tell you to rename or copy the file to dovecot.conf and then customize it.

There is a customised dovecot.conf file (thanks to John Simpson). Note that it contains an invalid IP, so you will need to customize the file before using it; either that, or use the dovecot-example.conf file and build your own configuration.

The first thing you’ll need to do is adjust the “first_valid_uid” and “last_valid_uid” values in the file. Find the numeric uid of the vpopmail user…

id -u vpopmail

My result was 508

To copy the dovecot.conf file (mentioned above):

cd /usr/local/etc
cp /downloads/qmr/dovecot.conf dovecot.conf
chown root:root dovecot.conf

If the IMAP servers will ONLY be used for vpopmail accounts, make sure both of these values are set to that number (in this case, 508.) Also make sure both lines are un-commented (i.e. remove the “#” in front of the “last_valid_uid” line.)

## Mail processes

verbose_proctitle = yes

first_valid_uid = 508
last_valid_uid = 508

You also need to change the IP addresses to your own (at ssl_listen, twice), e.g. 192.168.1.6

Building the daemontools service(s)

This shows how to set up a daemontools service which starts the main dovecot process, which will listen for incoming IMAP and/or POP3 connections as specified in the dovecot.conf file.

On my server, all of my daemontools physical service directories are in the
/var/qmail/supervise directory.

Your own server may be different- the physical directory can be anywhere on the system, except within the “/service” directory itself.

cd /var/qmail/supervise
mkdir -m 0755 dovecot dovecot/log
cd dovecot/log
cp /downloads/qmr/service-any-log-run run
chmod 0755 run
cd ..
cp /downloads/qmr/service-dovecot-run run
chmod 0755 run
Use your text editor of choice.

Like the other “service-blah-run” scripts, this one consists of configuration variables at the top, followed by code to build the final command line, and then run it. The variables are:

•           IP is the IP address you want to listen on. You can set it to “0” if you want it to listen on every IP attached to your system, however I don’t normally recommend doing things that way.

•           PORT is the TCP port number you want to listen on. The standard values are 143 for IMAP, 993 for SSL-IMAP, 110 for POP3, and 995 for SSL-POP3.

I DO NOT RECOMMEND RUNNING NON-SSL POP3 OR IMAP SERVICES on any unsecured network (i.e. on the open Internet) because the authentication methods for both POP3 and IMAP involve sending the password across the wire in plain text. Remember, if some “bad person” happens to get one of your users’ passwords, they not only have access to that user’s email, they will probably have the ability to use that ID and password with an SMTP AUTH command, and use your server as a relay.

•           MAX is the maximum number of concurrent connections allowed by this service. If this is blank, a default value of 40 will be used instead.

•           ACCESS_CDB gives the name of a .cdb file made by tcprules, which controls which clients are and are not allowed to connect. Note that if you plan to use rules involving remote userids (very few people do, because they are so easily forged) you will need to remove the “R” from the options of tcpserver and/or sslserver within the script itself.

•           SVC_LOGIN is the full pathname of the service you wish to run. Normally this will be “imap-login” or “pop3-login”.

•           IS_SSL should be set to a number greater than zero if this is to be an SSL-secured service. This tells the script to use sslserver instead of tcpserver, exports the CERTFILE variable (needed by sslserver), and adds a flag to the end of the command line which tells imap-login or pop3-login that the connection is already encrypted.

•           CERTFILE should be set to the full pathname to the .pem file containing the server’s encryption key. You can point this to the same servercert.pem file used by qmail-smtpd if you like.

________________________________________

Start up Dovecot

This is just like starting up any other daemontools service – create a symlink from /service/something to the physical service directory, wait about ten seconds, and make sure it’s running.

ln -s /var/qmail/supervise/dovecot /service/

Wait about ten seconds…

svstat /service/dovecot /service/dovecot/log
/service/dovecot: up (pid 23841) 8 seconds
/service/dovecot/log: up (pid 23843) 8 seconds

As we have not yet set up the certfile, the service will not run properly.  If you check the log file in /var/qmail/supervise/dovecot/log/main/current

It will show an error about the certificate file.

Fixing that is next…

 

Part 14 – Install UCSPI-SSL create Certificates

Now we need to install ucspi-ssl so qmail will accept smtp connections with ssl.

cd /package
tar zxvf /downloads/qmr/ucspi-ssl-0.70.tar.gz
cd host/superscript.com/net/ucspi-ssl-0.70

Compile the package

package/compile

Run some tests:  Note There are some fatal cypher errors and broken pipe errors only, that is ok – ignore them.

package/rts

Install the package

package/install

That is that.  Now we need to create the key:

cd /var/qmail/control
openssl req -newkey rsa:1024 -x509 -nodes -days 3650 -out servercert.pem -keyout servercert.pem

Answer the questions and make sure the Common Name is the name of your mail server!!

Now we give proper ownership

chown root:nofiles servercert.pem

The “nofiles” group is the group which qmaild belongs to.  This combination of ownership and permissions allows qmail-smtpd to read the key but not change or delete it.

chmod 640 servercert.pem
cp servercert.pem clientcert.pem
chown root:qmail clientcert.pem
chmod 640 clientcert.pem
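
An added example, not part of the original guide: a check of the combined key-and-certificate PEM file for key size and file permissions, next to the page's command with a larger key. The 2048-bit minimum, the -subj option and the sample openssl text are assumptions made for the example.

```sh
#!/bin/sh
# Added example: check a PEM file such as /var/qmail/control/servercert.pem, which
# holds the private key and the certificate together.

MIN_RSA_BITS=2048    # assumption for this example: common minimum RSA size today

# Key size in bits from `openssl x509 -noout -text` output on stdin. Handles the
# "Public-Key: (N bit)" and the older "RSA Public Key: (N bit)" spelling.
cert_key_bits() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Findings for one certificate, given `openssl x509 -noout -text` output on stdin.
# Only RSA keys are judged; other key types are left alone.
cert_text_findings() {
    text=$(cat)
    bits=$(printf '%s\n' "$text" | cert_key_bits)
    case "$text" in
        *rsaEncryption*)
            [ "${bits:-0}" -ge "$MIN_RSA_BITS" ] ||
                echo "weak RSA key: ${bits:-?} bits, below $MIN_RSA_BITS" ;;
    esac
    return 0
}

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Findings for a PEM file on disk: permissions if it contains a private key,
# then the certificate checks when the openssl binary is available.
pem_findings() {    # $1=PEM file
    if grep -q 'PRIVATE KEY-----' "$1"; then
        case "$(file_mode "$1")" in
            *[1-7])   echo "private key is accessible to all local users" ;;
            *[2367]?) echo "private key file is group-writable" ;;
        esac
    fi
    command -v openssl >/dev/null 2>&1 || return 0
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || text=""
    if [ -z "$text" ]; then
        echo "no readable X.509 certificate in the file"
    else
        printf '%s\n' "$text" | cert_text_findings
    fi
    return 0
}

# The page's command with two changes made for this example: a 2048-bit key, and
# a umask so the key is never world-readable, even before the later chmod 640.
# -subj (assumed here) supplies the Common Name without the interactive questions.
make_server_cert() {    # $1=mail server name  $2=output PEM
    ( umask 077
      openssl req -newkey "rsa:$MIN_RSA_BITS" -x509 -nodes -days 3650 \
          -subj "/CN=$1" -out "$2" -keyout "$2" )
}

# Demo on constructed openssl output for a 1024-bit certificate.
printf '%s\n' \
    '            Public Key Algorithm: rsaEncryption' \
    '                Public-Key: (1024 bit)' | cert_text_findings
```

Typical use on the server is `pem_findings /var/qmail/control/servercert.pem`, which prints nothing when the file passes.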

 

You can now go back and check that dovecot is working:

svstat /service/dovecot /service/dovecot/log
/service/dovecot: up (pid 23841) 8 seconds
/service/dovecot/log: up (pid 23843) 8 seconds

 

 

Part 14 – Finalise the qmail installation

There is a bit in this but it is not too difficult.  I have modified a script from the old qmailrocks site to suit Fedora.  To start with run a script which will:

  1. Copy all the supervise scripts to their correct locations
  2. Copy qmail.rc and qmailctl to the proper locations and create the necessary symbolic links.
  3. Set all needed permissions on the supervise scripts

Ok.  To get things going:

cd /downloads/qmr/scripts/finalise
chmod 755 finalize_linux.script
./finalize_linux.script

 

Configuring Qmail

 

Now we will need to edit a few files to make them work on the new system for this new server.

cd /var/qmail/supervise/qmail-pop3d
We need to edit the run file.

vi run               (or mc or whatever editor)
Change the mail server name (line 4 at the end) to your mail server.  Eg mail.test.com.au /

cd /var/qmail/supervise/qmail-smtpd
vi run

IP=1.2.3.4       (change this to your ip address obviously)
Port=25 (set the port number we will be listening on)
SSL=0 (This says do not run an SSL-only service)
FORCE_TLS=0 (Refuse to accept mail from clients who have not done STARTTLS)
DENY_TLS=0 (Do not refuse to process the STARTTLS command)
AUTH=0 (We are turning off auth on port 25 and only allow incoming mail)
Require_Auth=0 (Refuse to accept mail from clients who have not done AUTH).

You must also uncomment the following line of the smtp run file or else no mail will be scanned by qmail scanner. Make it this:

QMAILQUEUE="$VQ/bin/qmail-scanner-queue.pl"

Now we need to set up some qmail aliases.  Replace postmaster@test.com.au with the address you want the mail to go to:

echo postmaster@test.com.au > /var/qmail/alias/.qmail-root
echo postmaster@test.com.au > /var/qmail/alias/.qmail-postmaster
echo postmaster@test.com.au > /var/qmail/alias/.qmail-mailer-daemon

Now we set up selective relaying.

mkdir /etc/tcp
cd /etc/tcp
cp /downloads/qmr/etc-tcp-makefile Makefile

Now create the smtp file.  Add your ip address.  If your ip address was
192.168.1.1, then it will go like this:

vi /etc/tcp/smtp

Add the following to the new file:

192.168.1.:allow,RELAYCLIENT=""
:allow

save this and then run:

gmake

You should get output saying

tcprules smtp.cdb smtp.tmp < smtp
chmod 644 smtp.cdb smtp
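
An added example, not part of the original guide: a check of a tcprules source file such as /etc/tcp/smtp that lists which client address patterns are allowed to relay and flags any rule wider than a private network. The second sample file is a constructed misconfiguration, and the function names are made up for this example.

```sh
#!/bin/sh
# Added example: list which clients a tcprules source file (e.g. /etc/tcp/smtp)
# lets relay, and flag rules that are wider than a private network.
# qmail-smtpd relays for any client whose matching rule sets RELAYCLIENT,
# even to an empty string.

# Print the address pattern of every rule that allows the client AND sets
# RELAYCLIENT. The catch-all rule (empty pattern) is printed as "(default)".
relay_patterns() {    # $1=tcprules source file
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            sep = index($0, ":")
            if (sep == 0) next
            pat  = substr($0, 1, sep - 1)
            rest = substr($0, sep + 1)
            if (rest ~ /^allow,(.*,)?RELAYCLIENT=/)
                print (pat == "" ? "(default)" : pat)
        }
    ' "$1"
}

# Print one finding per risky rule; print nothing when relaying is limited to
# loopback and RFC 1918 address space.
relay_findings() {    # $1=tcprules source file
    relay_patterns "$1" | while IFS= read -r pat; do
        case "$pat" in
            "(default)")
                echo "OPEN RELAY: the catch-all rule sets RELAYCLIENT, any client can relay" ;;
            127.*|10.*|192.168.*) ;;
            172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
            *)
                echo "REVIEW: $pat can relay and is not loopback or RFC 1918 space" ;;
        esac
    done
}

# Sample rule files: smtp.page is the file from this section, smtp.bad is a
# constructed misconfiguration.
write_tcp_samples() {    # $1=directory
    printf '%s\n' '192.168.1.:allow,RELAYCLIENT=""' ':allow' > "$1/smtp.page"
    printf '%s\n' '# constructed example' \
        '127.:allow,RELAYCLIENT=""' \
        '203.0.113.:allow,RELAYCLIENT=""' \
        ':allow,RELAYCLIENT=""' > "$1/smtp.bad"
}

# Demo: the page's file produces no findings, the constructed one produces two.
demo=$(mktemp -d)
write_tcp_samples "$demo"
for f in smtp.page smtp.bad; do
    echo "== $f relays for: $(relay_patterns "$demo/$f" | tr '\n' ' ')"
    relay_findings "$demo/$f"
done
rm -rf "$demo"
```

Run it on the source file before each gmake, since tcprules compiles whatever the file says without judging it.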

 

Setting up smtp with SSL

We need to edit the file

vi /var/qmail/supervise/qmail-smtpd-ssl/run

Set the following values:

IP=1.2.3.4       (change this to your own ip address obviously)
Port=465 (set the port number we will be listening on)
SSL=1 (This says to run an SSL-only service)
FORCE_TLS=0 (Ignored for ssl services)
DENY_TLS=0 (Ignored for ssl services)
AUTH=1 (Allow the AUTH command)
Require_Auth=1 (Refuse to accept mail from clients who have not done AUTH).

You must also uncomment the following line of the smtp run file or else no mail will be scanned by qmail scanner. Make it this:

QMAILQUEUE="$VQ/bin/qmail-scanner-queue.pl"

Save the file  then…

Creating the smtpssl file

cd /etc/tcp
vi smtpssl

in this new file, simply put the following and then save it.

:allow

Now you need to edit the Makefile and add smtpssl.cdb after smtp.cdb, save and exit.  Now run:

gmake

The final step is to start the service running:

ln -s /var/qmail/supervise/qmail-smtpd-ssl /service/

Now check that the service is running ok by:

svstat /service/qmail-smtpd-ssl /service/qmail-smtpd-ssl/log

As usual, if you see the output is up for more than 3 seconds, all is OK

Now we want to start qmail:

qmailctl start

You should get output like:

Starting qmail…

Starting qmail-send
Starting qmail-smtpd
Starting qmail-pop3d

To check to make sure it is running ok type:

qmailctl stat

As long as everything is up for more than, say, 3 seconds you have succeeded.  Well done.

That is all that finished.

You could just operate a mail server with what you now have but lets install programs to make life much easier.  For example, you could easily just manage all your mail accounts and domains with vpopmail.  But using qmailadmin and vqadmin is much nicer and easier.  Squirrelmail makes life easier for all your users as they can get their mail via a web browser.  Clamav checks for viruses in mail and spamassassin gets rid of a lot of spam.

Anyway lets get on with it…..

 

Part 16 – Install Spamassassin

I have done this in two different ways – both worked. You can compile from source then install or

The simplest way is just to use yum to install it:

yum install spamassassin

Then go and edit /etc/mail/spamassassin/local.cf

All you have to put in this file is

required_score 3.2       (that is what I use)

And if you want you can create a whitelist of good known email addresses – eg friends

whitelist_from good@emailaddress.com.au

Now to set it up under daemontools.

mkdir -m 1755 /var/qmail/supervise/spamd
mkdir -m 755 /var/qmail/supervise/spamd/log
cd /var/qmail/supervise/spamd
cp /downloads/qmr/spamd-run run
chmod 755 run
cd log
cp /downloads/qmr/service-any-log-run run
chmod 755 run

All we need to do now is create the service:

ln -s /var/qmail/supervise/spamd /service/

Wait a bit then:

svstat /service/spamd /service/spamd/log

Again, make sure the service is up for more than say 3 seconds.  If issues, stop the service and then restart it.

I also then type

sa-update

to update spamassassin
That’s it for spamassassin.

 

Part 17 – Install Clamav – Updated March 2012
For the first time install of Clamav, you need to create a new user and group to your system:

groupadd clamav
groupadd qscand
useradd -g clamav -s /bin/false -c "Clam Antivirus" clamav
useradd -g qscand -s /bin/false -c "Qscand" qscand

Now you need to download Clamav from clamav.net.  Get the latest stable version which is currently 0.97.3

cd /downloads/qmr
wget http://downloads.sourceforge.net/clamav/clamav-0.97.3.tar.gz
tar zxvf clamav-x.x.x.tar.gz
cd clamav-x.x.x
./configure
make
make check
make install
make clean

Now you need to create the clamd and freshclam service scripts.

cd /var/qmail/supervise

mkdir -m 1755 clamd
mkdir -m 0755 clamd/log
cd clamd
cp /downloads/qmr/service-clamd-run run
chmod 755 run
cd log
cp /downloads/qmr/service-any-log-run run
chmod 755 run

cd /var/qmail/supervise

mkdir -m 1755 freshclam
mkdir -m 0755 freshclam/log
cd freshclam
cp /downloads/qmr/service-freshclam-run run
chmod 755 run
cd log
cp /downloads/qmr/service-any-log-run run
chmod 755 run

 

Now we need to edit the clamd.conf file so it will run correctly via daemontools.

chmod 744 /usr/local/etc/clamd.conf
vi /usr/local/etc/clamd.conf                 (or type mc and use midnight commander if you like)

#Example – must be commented out

#LogFile – comment out

#LogSysLog no – comment out

#PidFile /var/run/clamav – comment out

DatabaseDirectory /usr/local/share/clamav

LocalSocket /tmp/clamd.socket – uncomment this

FixStaleSocket yes – optional

User qscand

Foreground yes – this is absolutely required to run via daemontools

chown -R qscand:qscand /usr/local/share/clamav

 

Configuring freshclam

The freshclam program checks for updated virus definition files and, if it finds them, downloads and installs them automatically. It then sends a message to clamd, telling it to read the new definitions into memory, and can also call another program that we specify. We will be using this “call another program” capability to inform qmail-scanner and/or simscan to update its version database, so the headers that they add to email messages will have accurate version numbers.

To configure freshclam, we will edit a file called freshclam.conf, which will be found in the same directory where we found the clamd.conf file (above.) This is a list of the changes we need to make:

chmod 744 /usr/local/etc/freshclam.conf

vi /usr/local/etc/freshclam.conf           (or use mc as above)

 

#Example – comment out
DatabaseDirectory /usr/local/share/clamav
#UpdateLogFile – comment out
#LogSyslog – no
#Pidfile – comment out
DatabaseOwner qscand
checks 24
Foreground yes

Set up the services to start

ln -s /var/qmail/supervise/clamd /service/
ln -s /var/qmail/supervise/freshclam /service/

Now check the services are running:

svstat /service/clamd /service/clamd/log

and then

svstat /service/freshclam /service/freshclam/log

make sure each is up for more than 3 seconds and all is ok.  That is it for Clamav.

 

 

Part 18 – Install Qmail-scanner

The latest version (currently) is 2.10 as at March 2012 – you need to google the file to download

cd /downloads/qmr

tar zxvf qmailscanner-2.10.tar.gz

cd qmailscanner-2.10

cp /downloads/qmr/qms-config qms-config

Now you need to change the qms-config to match your settings. The bits in bold must be changed to your domain specific settings. If you have multiple domain names, in local-domains, separate them by a comma (no space).

When you have made your changes, then make it executable and give it a test run:

chmod 755 qms-config

./qms-config

When it asks you Continue? ([Y] / [N]) go ahead and hit Y

It will ask this twice.  If all goes well you will get Finished. and a bit more without error messages.

If the above worked, then you will need to actually install:

./qms-config install

 

Updating the qmail-scanner version files

The first one is the command that updates your version files.  It updates your headers when you upgrade ClamAV or SpamAssassin.  It also helps keep the /var/spool/qscan folder clear when SMTP sessions are dropped.

Put this one in a cron and run it once a day.

setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z

Anytime you update qmail-scanner you should also run

setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g

One final ownership check

chown -R qscand:qscand /var/spool/qscan


Testing Qmail-scanner

Now before we finish, we need to test that it works.  Make sure you have set up your main domain and email accounts (in particular the domain that you set the aliases to earlier) as these are where the test emails will go. Then run the following:

/downloads/qmr/qmail-scanner-2.0.8/contrib/test_installation.sh -doit

When this runs, it will send 4 messages – 2 with viruses, one standard message and a piece of junk mail. So when this runs, you should have 1 in /var/spool/qscan/quarantine/viruses/new , 1 message in /var/spool/qscan/quarantine/policy/new , 1 message in ~vpopmail/domains/domainXXX/postmaster/Maildir/new and 1 in your ~vpopmail/domains/domainXXX/postmaster/Maildir/.Spam/new folder (or this will be in your maildir).

All you need to do to finish is to restart qmail:

qmailctl restart

That’s Qmail-scanner installed!  Well done.

 

Part 19 – Install VqAdmin

VqAdmin is a nice simple web based interface that lets us manage Vpopmail.  You can create new domains, new users, net quotas and more.

cd /downloads/qmr

tar zxvf vqadmin-X.x.x

cd vqadmin-X.x.x

./configure --enable-cgibindir=/var/www/cgi-bin --enable-htmldir=/var/www/html

(If the paths above are not the same on your system, change them to match)

make && make install-strip

If the installation is successful, VqAdmin will install itself in the cgi-bin directory of your website.

Now you need to edit your apache file (or httpd.conf file).

vi /etc/httpd/conf/httpd.conf

Now, on about line 325 (of mine anyway) you need to change it to
AllowOverride ALL

Also on about line 265, make sure your servername is defined.

Insert (on mine I did it on line 575 but that does not really matter)

<Directory "/var/www/cgi-bin/vqadmin">
deny from all
Options ExecCGI
AllowOverride AuthConfig
Order deny,allow
</Directory>

That’s that bit done.

cd /var/www/cgi-bin/vqadmin

Now you need to create a .htaccess file to password protect the vqadmin interface.  There should already be a .htaccess file in the vqadmin directory, so all you need to do is configure it.

vi .htaccess

AuthType Basic
AuthUserFile /etc/httpd/conf/.htpasswd        (in fact you can put this wherever you like)
AuthName vQadmin
require valid-user
satisfy any

Now change ownership

chown apache .htaccess

chmod 644 .htaccess

Now you need to create a corresponding .htpasswd file that will contain the username and encrypted password for the VqAdmin administrator.

htpasswd -bc /etc/httpd/conf/.htpasswd admin admin-password

chmod 644 /etc/httpd/conf/.htpasswd

Make sure you leave the user admin as admin else it won’t work.  Obviously the admin-password should be a password.

Now we need to restart apache.

apachectl stop

apachectl start

If all has gone well, in your web browser, put:

http://www.rmohan.com/cgi-bin/vqadmin/vqadmin.cgi

Enter admin and whatever password you created and hey presto.  You can now add domains, users etc.  If you get errors such as 500 Internal Server error, check permissions with vqadmin.cgi file.

 

 

Part 20 – Installing Qmailadmin

This provides us with a nice web based interface for administering mail accounts once they are set up through Vpopmail or VqAdmin.

cd /downloads/qmr

tar zxvf qmailadmin-X.xx.x

cd qmailadmin-X.x.x

./configure --enable-cgibindir=/var/www/cgi-bin --enable-htmldir=/var/www/html --enable-modify-spam --enable-ezmlm.idx

make && make install-strip

Now to make sure when we add new users via qmailadmin that we want Spam Fighting turned on by default edit the following:

vi /usr/local/share/qmailadmin/html/add_user.html

find the line
<input type="checkbox" name="spamcheck">

Change it to:
<input type="checkbox" name="spamcheck" checked>

That's it for the install.

Now open your web browser and go to:

http://www.rmohan.com/cgi-bin/qmailadmin

You're all done here.

 

Part 21 – install Squirrelmail.

Squirrelmail is a web based program that allows you to access your email via a web browser.

First you must check that you have PHP uploads turned on.

vi /etc/php.ini

The line you want to check / edit is:

file_uploads = On

That’s that.  Now on to installing Squirrelmail.

cd /var/www/html
tar zxvf /downloads/qmr/squirrelmail-X.x.x.tar.gz

Now rename the untarred folder to something more friendly…

mv squirrelmail-X.x.x webmail

Now we configure squirrelmail..

mkdir /var/local/squirrelmail
mkdir /var/local/squirrelmail/data
chown -R apache:apache /var/local/squirrelmail/data

cd webmail/config
./conf.pl

This will run the squirrelmail setup script, which allows you to customise the installation and set your server settings.  Most of the important things are in area #2, which is called “Server Settings”.

You will be presented with a menu. Under 1 – Organization Preferences, all of the settings inside this window are optional. When you are done, hit S to save and then hit Enter and then hit R to go back to the Main Menu.

Now we want to go to 2 – Server settings. Hit 1 for Domain and hit Enter on the keyboard. You can type the name of the server or the local IP or public IP, whichever you prefer. If your mailserver is behind a router/firewall, I use the local IP. If you are on the public side of things, the hostname or the static IP will work fine.

Under Server settings we want to use the following. Please change x.x.x.x to the IP of your mail server:

1.  Domain                 : x.x.x.x
2.  Invert Time            : false
3.  Sendmail or SMTP       : Sendmail

A.  Update IMAP Settings   : localhost:143 (other)
B.  Change Sendmail Config : /var/qmail/bin/sendmail

Hit Y and then hit Enter. Hit S to save and then hit Enter again. Hit Q to quit and exit the menu.

If you like there are other features you can customise but not critical.  Once you are done here, we must configure Apache to serve our new webmail interface.

Open up the httpd.conf file and add the following down the bottom under Virtual Domains..

vi /etc/httpd/conf/httpd.conf

<VirtualHost 1.2.3.4:80>
ServerName mail.rmohan.com
ServerAlias mail.*
ServerAdmin postmaster@rmohan.com
DocumentRoot /var/www/html
</VirtualHost>

 

Now all you need to do is restart apache

apachectl stop
apachectl start

Now in your browser:

http://www.rmohan.com/webmail

That is it.  You now have a great qmail server with lots of useful extras.

Now for Maintenance of everything we have set up…

 

 

Part 22 – notes on Changing and Maintaining your new Qmail Server

Services

To start, stop or restart a service (run under daemontools – ie the ones in the /service directory):

To stop

svc -d /service/name               (d is for down)

eg        svc -d /service/spamd             will stop spamd

To start

svc -u /service/name               (u is for up)

To restart

svc -t /service/name

To check all your services at once

svstat /service/* /service/*/log
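
The "up for more than 3 seconds" check from the ClamAV section and the all-services check above can be scripted. The following is an added example, not part of the original guide: it assumes the usual daemontools svstat output format, the function names check_svstat and sample_svstat are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: flag daemontools services that are down, restarting in a
# loop, or not supervised at all, from the output of svstat.

# Constructed sample of `svstat /service/* /service/*/log` output.
sample_svstat() {
    cat <<'EOF'
/service/clamd: up (pid 2101) 86412 seconds
/service/clamd/log: up (pid 2102) 86412 seconds
/service/freshclam: up (pid 9915) 1 seconds
/service/freshclam/log: up (pid 2110) 86410 seconds
/service/spamd: down 40 seconds, normally up
/service/qmail-smtpd: supervise not running
EOF
}

# check_svstat [min_seconds]
# Reads svstat output on stdin. Prints one line per unhealthy service and
# returns 1 if any were found, 0 otherwise. A service counts as healthy only
# if it has been up for MORE than min_seconds (default 3); a service that is
# "up" for 0-3 seconds every time you look is usually crashing and being
# restarted by supervise.
check_svstat() {
    awk -v min="${1:-3}" '
    NF == 0 { next }
    {
        svc = $1
        sub(/:$/, "", svc)
        if ($2 == "up") {
            secs = -1
            # The uptime is the field right before the word "seconds".
            for (i = 3; i <= NF; i++)
                if ($i ~ /^seconds,?$/) { secs = $(i - 1) + 0; break }
            if (secs > min) next
            printf "RESTARTING %s (up %d s)\n", svc, secs
        } else if ($2 == "down") {
            printf "DOWN %s\n", svc
        } else {
            # e.g. "supervise not running" or "unable to open supervise/ok"
            msg = $0
            sub(/^[^:]*: */, "", msg)
            printf "ERROR %s (%s)\n", svc, msg
        }
        bad++
    }
    END { exit (bad > 0) }
    '
}

# Demo on the constructed sample. On a real server use:
#   svstat /service/* /service/*/log | check_svstat 3
sample_svstat | check_svstat 3 || echo "some services need attention"
```

Run from cron, the non-zero return value can drive an alert, so a scanner that has stopped is noticed before mail is delivered unscanned or rejected.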

 

Qmail-Scanner

I wanted the subject line to be altered with spam messages.  To do this, you need to edit the qmail-scanner-queue.pl file in /var/qmail/bin…

in this file on my system (line 258) says:

my $spamc_subject='***Spam***' ;

I set it to delete messages more than 5 over my limit of 3.2.  You can edit this two lines below

my $sa_quaratnine_over='5' ;

This is all I did.

 

 

Update Clamav

This would be the cause of most pain as it changes every 3 months or so.  To see info about freshclam and if it is current type:    freshclam -v

Or you can look in the file /service/freshclam/log/main/current and see if clamav is outdated.  It will say so in the log.  To upgrade your clamav, go to the clamav site and download the latest stable source file:

http://www.clamav.net/lang/en/download.sources

Now download the latest and put it in your downloads directory.  For example, to download 96.1 version,

cd /downloads
wget http://downloads.sourceforge.net/clamav/clamav-0.97.3.tar.gz
tar zxvf clamav-0.97.3.tar.gz
cd clamav-0.97.3

I then backup the clamd.conf and freshclam.conf files to be sure.

cd /downloads
cp /usr/local/etc/freshclam.conf freshclam.conf
cp /usr/local/etc/clamd.conf clamd.conf

You must then stop qmail and clamav and also freshclam…

qmailctl stop
svc -d /service/clamd
svc -d /service/freshclam

Now we start the upgrade:

cd /downloads/clamav-0.97.3
./configure
make                            (This can take some time)
make check                 (Same – make sure the tests passed – ie no errors)
make install
make clean

Check the conf files and if they are still the same (they should be unaltered).

Start up the services again:
qmailctl start
svc -u /service/clamd
svc -u /service/freshclam

You must now update qmail-scanner database
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g

and also update the version number
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z

Now type freshclam -v and you will see the new version number.  That’s it for updating clamav.  I just did this exactly and it worked perfectly on my system.

 

 

How to setup Oracle 11g DB

To install Oracle 11g DB,  just install the following packages at the startup and continue

# yum install binutils gcc glibc glibc-devel cpp make setarch pdksh libaio libaio-devel compat-gcc-34 compat-gcc-34-c compat-libstdc-296 compat-libstdc-33 sysstat -y

Creating groups and user for Oracle Installation:

# groupadd oinstall
# groupadd dba
# useradd -m -g oinstall -G dba -d /home/oracle -s /bin/bash -c "Oracle Software Owner" oracle
# passwd oracle

Installing Oracle DB:

# mv 11g package to /home/oracle
# cd /home/oracle
# chown oracle *
# cd

Now as oracle user execute the installation script

# xhost +
# su - oracle
Unzip both packages; after unzipping, a folder called "database" is created.

# cd database
# ./runInstaller

A graphical window will appear. These are the options to select in each window:

1st Window:-

Next

2nd Window:-

select Create and configure a database

3rd Window:-

select Server Class

4th Window:-

Single Instance database Installation

5th Window:-

Advanced Install

6th Window:-

select the language to install(english)

7th Window:-

enterprise edition

8th Window:-

Oracle Base:-
/home/oracle/app/oracle
Software Location:-
/home/oracle/app/oracle/product/11.2.0/dbhome_1

9th Window:-

Inventory Directory:-
/home/oracle/app/oraInventory
Inventory Group name:-
oinstall

10th Window:-

General Purpose

11th Window:-

Global Database Name:-
orcl

SID
orcl

12th Window:-

select all default characters

13th Window:-

default option

14th Window:-

File System: /home/oracle/app/oracle/oradata

15th Window:-

Do not enable Automated Backup

16th Window:-

use same password for all accounts: oracle

17th Window:-

DataBase Administrator group:- dba
DataBase Operator group:- oinstall

18th Window:-

If any error comes up, run the script, and if package errors come up, install those packages using yum.

Use "fix and check again" (tab), and install the packages needed using yum.
[
Setting Kernel Parameters…
fs.file-max = 65536
fs.file-max = 6815744
net.ipv4.ip_local_port_range = 9000 65500
net.core.rmem_max = 1048576
net.core.rmem_max = 4194304
net.core.wmem_max = 262144
net.core.wmem_max = 1048576
fs.aio-max-nr = 1048576
]

19th Window:-

finish, installation start

20th Window:-

installing

21st Window:-

close

Connecting to the database: now reboot the server and log in as the oracle user. To log in to our database, we run sqlplus. But before that, set the environment variables. Add the lines below to the .bash_profile file in the /home/oracle directory.

# su - oracle  [ log in as oracle user ]

vim .bash_profile
vim /etc/profile

Then export the Oracle path (for 11g):

export ORACLE_BASE=/home/oracle/app/oracle
export ORACLE_HOME=$ORACLE_BASE/product/11.2.0/dbhome_1
export ORACLE_SID=orcl
export PATH=$PATH:$ORACLE_HOME/bin
export LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib
export PATH=$ORACLE_HOME/bin:$PATH

This completes the basic steps in the Oracle DB setup.

Now you can start the database.

$ lsnrctl start

The above command starts the database listener. The command below starts the database.
$ dbstart
[ In /etc/oratab:
orcl:/home/oracle/oracle/product/10.2.0/db_1:Y ( change N to Y ) ]

To start the Oracle Enterprise Manager, execute the command below.
$ emctl start dbconsole

Now open a new terminal and access the newly created database using sqlplus as the oracle user. [ # su - oracle ]
$ sqlplus system/oracle@orcl
NOTE: oracle is the password set for the newly created database during installation

Oracle Startup script

The Oracle startup script is used to start the Oracle DB automatically after the machine reboots. I have already explained how to install Oracle 11g in previous posts; here is how to add a startup script for those settings.

To restart Oracle automatically after a system reboot, create a file called oracle (any name) in /etc/init.d/, give it executable permission, and paste the code into it. Then make a link to it in /etc/rc5.d/:

# cd /etc/rc5.d
# ll
# ln -s ../init.d/oracle S86oracle

# vim /etc/init.d/oracle      (paste the script below into it, then make the link shown above)

#!/bin/bash
# Oracle startup script
ORACLE_HOME=/home/oracle/app/oracle/product/11.2.0/dbhome_1
ORA_OWNER=oracle
case "$1" in
'start')   # If the system is starting, then...
    echo -e "\e[34mStarting ORACLE...\e[0m"
    # Start the listener
    su - $ORA_OWNER -c "$ORACLE_HOME/bin/lsnrctl start 2>&1 > /dev/null"
    # Start the database
    su - $ORA_OWNER -c "$ORACLE_HOME/bin/dbstart 2>&1 > /dev/null"
    # Start OEM (commented out)
    # su - $ORA_OWNER -c "$ORACLE_HOME/bin/emctl start dbconsole 2>&1 > /dev/null"
    ;;
'stop')    # If the system stops, that is, we're shutting down our OS, then...
    echo -e "\e[34mStopping ORACLE...\e[0m"
    # su - $ORA_OWNER -c "$ORACLE_HOME/bin/emctl stop dbconsole 2>&1 > /dev/null"
    su - $ORA_OWNER -c "$ORACLE_HOME/bin/dbshut 2>&1 > /dev/null"
    su - $ORA_OWNER -c "$ORACLE_HOME/bin/lsnrctl stop 2>&1 > /dev/null"
    ;;
esac
OR

#!/bin/bash
# Oracle startup script
ORACLE_HOME=/home/oracle/oracle/product/10.2.0/db_1
ORA_OWNER=oracle
case "$1" in
'start')   # If the system is starting, then...
    echo -e "\e[34mStarting ORACLE...\e[0m"
    # Start the listener
    su - $ORA_OWNER -c "$ORACLE_HOME/bin/lsnrctl start 2>&1 > /dev/null"
    # Start the database
    su - $ORA_OWNER -c "$ORACLE_HOME/bin/dbstart 2>&1 > /dev/null"
    # Start OEM
    su - $ORA_OWNER -c "$ORACLE_HOME/bin/emctl start dbconsole 2>&1 > /dev/null"
    ;;
'stop')    # If the system stops, that is, we're shutting down our OS, then...
    echo -e "\e[34mStopping ORACLE...\e[0m"
    su - $ORA_OWNER -c "$ORACLE_HOME/bin/emctl stop dbconsole 2>&1 > /dev/null"
    su - $ORA_OWNER -c "$ORACLE_HOME/bin/dbshut 2>&1 > /dev/null"
    su - $ORA_OWNER -c "$ORACLE_HOME/bin/lsnrctl stop 2>&1 > /dev/null"
    ;;
esac

 

Change the path according to your path
Save the file as oracle in /etc/init.d directory and make it executable. This script starts the listener, database and enterprise manager.

# vim /etc/init.d/oracle
# chmod 755 /etc/init.d/oracle

How to install Oracle DB Client

Installing the Oracle database client to access the DB
You can either use sqldeveloper as the Oracle client or work from the command line using # sqlplus
We can access the Oracle server graphically by using a package called sqldeveloper.
sqldeveloper-2.1.1.64.45-1.noarch.rpm

# rpm -ivh sqldeveloper-2.1.1.64.45-1.noarch.rpm

If the front end does not start, install the jdk package and try again.
Or install jdk as root, put the package in the user account and run ./sqldeveloper.sh from the user account. If it shows any permission problem, give 777 permission to the .sh file, install, and give the jdk installed path when asked. Also include the path in /etc/profile and, if needed, add it to the .bashrc file.

From the console we can use a Client called sqlplus

$ sqlplus /nolog          (starts sqlplus without logging in to a database)

$ connect / as sysdba     (connects as an administrative user; no password is required. This is equivalent to the desupported “connect internal” method.)

$ sqlplus -s /nolog       (sets silent mode, which suppresses the display of the SQL*Plus banner, prompts, and echoing of commands)

 $ SQLPLUS [ { username[/password][@connect_identifier] | / } [ AS { SYSDBA | SYSOPER } ] | /NOLOG ]

/home/oracle/app/oracle/product/11.2.0/dbhome_1/network/admin/tnsnames.ora (the connect_identifier is defined in this file)

Using the connect identifier we can access the DB and tables of another system. To do so, define the hostname, port, connect_identifier etc. in the tnsnames.ora file (copy the contents and edit the file).
$ sqlplus system/oracle@pfdb (connect_identifier)
We can connect to a remote machine this way by giving the remote machine details in tnsnames.ora, or else connect using the IP address and port. We can give the connect_identifier any name.
$ sqlplus system/oracle@orcl      (give the connection details in tnsnames.ora)

Oracle DB startup Scripts

Starting oracle listener

$ lsnrctl start

Start the database

$ dbstart

Starting oracle Enterprise manager
$ emctl start dbconsole

Shutting down the database
$ dbshut

Stopping the listener
$ lsnrctl stop

Stopping oracle Enterprise manager
$ emctl stop dbconsole

Starts sqlplus without logging in to a database
# su - oracle
$ sqlplus /nolog

Logging into default oracle db
$ sqlplus system/oracle11@pfdb

The automatic startup and shutdown of the Oracle database can be achieved with the files dbstart and dbshut, both provided by Oracle. These files rely on the existence of the file /etc/oratab to work.

$ cat /etc/oratab
orcl:/u01/app/oracle/product/10.2.0/db_1:Y

The first field is the name of my database (orcl), the second one is my home directory
(/u01/app/oracle/product/10.2.0/db_1), and the third indicates to the dbstart utility whether the database should or should not be brought up at system boot time, with “Y” or “N” respectively. As root user, we’ll change the last field of this line from “N” to “Y” to let the dbstart utility start this database when it runs.

Oracle Schema Creation

A schema is a collection of database objects. A schema is owned by a database user and has the same name as that user. Schema objects are logical structures created by users to contain, or reference, their data. Schema objects include structures like tables, views, and indexes.

$ sqlplus /nolog

SQL> connect / as sysdba
Connected

Creating a New Schema
SQL> create user ctechz identified by ctechz11;
User created

Grant Permissions to user
SQL> grant create session, create table, create trigger, create sequence, create procedure, create view to ctechz;
Grant succeeded

Connecting to Schema

SQL> connect ctechz/ctechz11;

Connected

Granting table space to the schema
SQL> grant unlimited tablespace to ctechz;
Grant succeeded

Mysql Performance Tuning

MySQL Performance tuning [my.cnf file parameters + description]

[mysqld]

# Maximum allowed number of connections to the MySQL Server
max_connections = 1500

# The key buffer is a variable that is shared amongst all MySQL clients on the server. A large setting is recommended, particularly helpful with tables that have unique keys.
key_buffer = 1024M

# The size of the buffer that is used for plain index scans, range index scans, and joins that do not use indexes and thus perform full table scans. Normally, the best way to get fast joins is to add indexes. Increase the value of join_buffer_size to get a faster full join when adding indexes is not possible.
join_buffer_size = 100M

# Each thread that does a sequential scan allocates a buffer of this size (in bytes) for each table it scans. If you do many sequential scans, you might want to increase this value, which defaults to 131072. The value of this variable should be a multiple of 4KB. If it is set to a value that is not a multiple of 4KB
read_buffer_size = 1M

#Each session that needs to do a sort allocates a buffer of this size
sort_buffer_size = 2M

#This is the old name of table_open_cache. The number of open tables for all threads. Increasing this value increases the number of file descriptors that mysqld requires.
table_cache = 1800

# Number of threads the server should cache for reuse. When a client disconnects, the client’s threads are put in the cache if there are fewer than thread_cache_size threads there.
thread_cache_size = 384

# The number of seconds the server waits for activity on a noninteractive connection before closing it.
wait_timeout = 300

# The number of seconds that the mysqld server waits for a connect packet before responding with Bad handshake.
connect_timeout = 10

# The maximum size of internal in-memory temporary tables.
tmp_table_size = 64M

# This variable sets the maximum size to which MEMORY tables are allowed to grow
max_heap_table_size = 64M

# The maximum size of one packet or any generated/intermediate string.
max_allowed_packet = 64M

# If there are more than this number of interrupted connections from a host, that host is blocked from further connections
max_connect_errors = 1000

# When reading rows in sorted order following a key-sorting operation, the rows are read through this buffer to avoid disk seeks.
read_rnd_buffer_size = 524288

# Don’t cache results that are larger than this number of bytes.Default value is 1mb
query_cache_limit = 4M

# The size of the persistent buffer used for statement parsing and execution. This buffer is not freed between statements. If you are running complex queries, a larger query_prealloc_size value might be helpful in improving performance, because it can reduce the need for the server to perform memory allocation during query execution operations.
query_prealloc_size = 65536

# The allocation size of memory blocks that are allocated for objects created during statement parsing and execution.
query_alloc_block_size = 131072

# The amount of memory allocated for caching query results. The default value is 0, which disables the query cache.
query_cache_size = 1024M

#Set the query cache type
# 0 or OFF : Don’t cache results in or retrieve results from the query cache.
# 1 or ON   : Cache all cacheable query results except for those that begin with SELECT SQL_NO_CACHE.
# 2 or DEMAND : Cache results only for cacheable queries that begin with SELECT SQL_CACHE
query_cache_type = 1

# This variable is set from the value of the --skip-name-resolve option. If it is OFF, mysqld resolves host names when checking client connections. If ON, mysqld uses only IP numbers and all Host column values in the grant tables must be IP numbers or localhost.
skip-name-resolve

[mysqld_safe]

#The number of files that the operating system allows mysqld to open
open_files_limit = 8192

[mysqldump]

# The maximum size of one packet or any generated/intermediate string.
max_allowed_packet = 16M
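
Before deploying values like these, check that they fit in the server's RAM: the per-connection buffers can be allocated by every connection, so max_connections multiplies them. The following is an added example, not part of the original post. It applies a common rule-of-thumb formula, and it counts only the buffers set in this file (thread stacks, temporary tables and InnoDB are ignored). The function names are hypothetical and the sample file is constructed from the values above.

```shell
#!/bin/sh
# Added example: rough worst-case memory budget for a my.cnf.
#   worst case = global buffers + max_connections * per-connection buffers

# Constructed sample: the memory-related [mysqld] values from the my.cnf above.
sample_my_cnf() {
    cat <<'EOF'
[mysqld]
# global buffers (allocated once)
key_buffer = 1024M
query_cache_size = 1024M
# per-connection buffers (can be allocated by every connection)
join_buffer_size = 100M
read_buffer_size = 1M
sort_buffer_size = 2M
read_rnd_buffer_size = 524288
max_connections = 1500

[mysqldump]
max_allowed_packet = 16M
EOF
}

# Reads a my.cnf on stdin and prints, in MiB:
#   "<global> <per-connection> <worst-case total>"
mysql_memory_budget() {
    awk '
    # Convert a my.cnf size (plain bytes, or with a K/M/G suffix) to MiB.
    function mib(v,    n, u) {
        n = v + 0
        u = toupper(substr(v, length(v), 1))
        if (u == "K") return n / 1024
        if (u == "M") return n
        if (u == "G") return n * 1024
        return n / 1048576
    }
    /^[ \t]*#/ || NF == 0 { next }
    # Only the [mysqld] section is counted.
    /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
    in_mysqld {
        line = $0
        gsub(/[ \t;]/, "", line)
        n = split(line, kv, "=")
        key = kv[1]
        gsub(/-/, "_", key)            # accept key-buffer and key_buffer
        conf[key] = (n > 1) ? kv[2] : ""
    }
    END {
        glob = mib(conf["key_buffer"]) + mib(conf["key_buffer_size"]) \
             + mib(conf["query_cache_size"])
        per = mib(conf["join_buffer_size"]) + mib(conf["read_buffer_size"]) \
            + mib(conf["sort_buffer_size"]) + mib(conf["read_rnd_buffer_size"])
        printf "%d %.1f %d\n", glob, per, glob + conf["max_connections"] * per
    }'
}

# mysql_budget_fits <ram_mib>: returns 0 if the worst case fits in ram_mib.
mysql_budget_fits() {
    ram_mib=$1
    worst=$(mysql_memory_budget | awk '{ print $3 }')
    [ "$worst" -le "$ram_mib" ]
}

# Demo on the constructed sample; on a real server: mysql_memory_budget < /etc/my.cnf
sample_my_cnf | mysql_memory_budget
```

With the values above the worst case is about 154 GiB, almost all of it from join_buffer_size multiplied by max_connections, so a burst of connections running unindexed joins can push the host into swap or the OOM killer.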

Multicasting

Multicast is the protocol that allows nodes inside a cluster to communicate without knowing each other.

You can think of multicast as a radio or a TV channel: only those who are tuned in receive the information.

Communication between nodes is provided by JGroups, which is a library for multicast communication.

 

What is multicasting?
There are three types of communication between computers in a network:
Unicast – one computer talks directly to another computer
Broadcast – one computer talks to all computers
Multicast – one computer talks to a select group of others

 

In a conventional Ethernet network, most Internet Protocol (IP) packets are sent using unicast
(host-to-host) transmission. Every computer in a network can transmit and receive packets,
which in unicast transmission are labelled with the address of the receiving computer. Each
computer listens to all the other packets that are sent in the network and looks for packets
that are addressed to itself. When a computer encounters a packet that is addressed to itself, it
interrupts the processor and hands the packet to the operating system to process.
Unicasting is great for communicating directly with one or a few other computers. However if
you want to communicate with a number of computers, unicasting becomes inefficient because
a copy of each packet must be sent to every receiving unicast address. Unicasting uses up
bandwidth fast, especially when sending large multimedia files, which already take up a lot of

 

Unicast transmission sends a separate stream of data to each receiver, while multicast transmission sends
one stream of data that is separated as it passes through the routers and sent on to the receivers.

What are the benefits of multicasting?
Multicasting optimises the performance of your network. Because only one multicast data stream
is sent out, multicasting preserves bandwidth on your network and eliminates traffic redundancy. In
contrast, the unicast environment sends out a separate copy of the data to each receiver.
Multicasting also provides enhanced efficiency by controlling the traffic on your network and
reducing load on network devices. The clients on your network are able to decide whether or
not to listen to a multicast address, so packets are only sent to where they are required.
In addition, multicasting is scalable across different sized networks, but is particularly suited to
WAN environments. It gives people in different locations access to streaming data files, like a
video, film or live presentation without taking up excessive bandwidth or broadcasting the data
to all users on the network.

 

B. How do Multicast Addresses Work?
Because multicast addresses identify a transmission session rather than a specific physical
destination or host, all of the receivers in a multicast group are identified by a single IP address.
This section outlines how multicast IP and MAC addresses are structured.
How are IPv4 multicast addresses organised?
IPv4 multicasting uses class D addresses. A class D address starts with the high-order bits 1110 in
the first octet, followed by a 28-bit group address. The last 28 bits of a class D address are
unstructured, unlike the class A, B and C IP addresses. These 28 bits identify the multicast group
identity, which is a single address in the range of 224.0.0.0 to 239.255.255.255.
Some IPv4 multicast addresses are reserved for particular purposes. These addresses are
assigned by the Internet Assigned Numbers Authority (IANA). Table 1 outlines some of the
well-known IPv4 multicast addresses.