ssl secure https and redirection

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>

DocumentRoot /usr/share/webmail
ServerName webmail.rmohan.com
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
</VirtualHost>

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/apache2/otherserver.crt
SSLCertificateKeyFile /etc/ssl/apache2/otherserver.key
ServerName webmail.rmohan.com
SSLOptions StrictRequire
SSLProtocol all -SSLv2
</VirtualHost>
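
A check for the redirect the vhost above is meant to produce, added here as an example and not part of the original post: it requests a path over plain HTTP without following redirects and verifies that the Location header points at https on the same host with the path and query string intact. The host name is the one from the config; the sample paths are constructed.

```python
"""Verify that plain-HTTP requests are redirected to HTTPS on the same host and path."""
import http.client
from urllib.parse import urlsplit


def classify_redirect(status, location, host, path):
    """Return the problems with a redirect response; an empty list means it matches
    what the RewriteRule above produces: https://%{HTTP_HOST}%{REQUEST_URI}."""
    problems = []
    if status not in (301, 302, 307, 308):
        problems.append(f"expected a redirect, got HTTP {status}")
        return problems
    if not location:
        problems.append("redirect without a Location header")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirect target is not https: {location}")
    if (target.hostname or "").lower() != host.lower():
        problems.append(f"redirect changes host to {target.hostname!r}")
    want_path, _, want_query = path.partition("?")
    if target.path != want_path:
        problems.append(f"redirect changes path: {target.path!r} != {want_path!r}")
    # REQUEST_URI includes the query string, so it must survive the redirect.
    if want_query and target.query != want_query:
        problems.append("redirect drops the query string")
    return problems


def fetch_redirect(host, path, timeout=5):
    """Issue one GET over plain HTTP on port 80 and return (status, Location)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    HOST = "webmail.rmohan.com"              # ServerName from the vhost above
    for p in ("/", "/inbox?page=2"):         # constructed sample paths
        status, loc = fetch_redirect(HOST, p)
        print(p, status, loc, classify_redirect(status, loc, HOST, p) or "OK")
```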

Apache failed to start with the “No space left on device” error.

Error:
[error] (28)No space left on device: Cannot create SSLMutex Configuration Failed

This error means that no IPC (inter-process communication) resources, such as semaphores or shared memory segments, are available in the system. Check the IPC resources in use on the server with the ipcs command:

$ ipcs -a

------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 201293824  apache     600        1

You will see many semaphore arrays owned by apache. Free them with the following one-liner (it runs ipcrm on every semaphore id listed for apache) and then restart Apache:

$ ipcs -s | grep apache | perl -e 'while (<STDIN>) {@a=split(/\s+/); print `ipcrm sem $a[1]`}'
$ service httpd restart

Avoid hackers hacking linux

Apply Latest OS Patches

All Linux servers running Red Hat are patched at least twice a year.

Configure SSH (server)
Settings:
Protocol            2        # Default
LogLevel            INFO        # Default
PermitRootLogin        no
HostbasedAuthentication    no        # Default
IgnoreRhosts        yes        # Default
AllowTcpForwarding    no
PermitTunnel        no        # Default
Banner            /etc/issue

Description:

The settings are made in the /etc/ssh/sshd_config file.
Only Protocol 2 can be used; Protocol 1 is deprecated.
Logging must be enabled.
Root logon must be disabled.
Host-based authentication is weak.
IgnoreRhosts is set to ‘yes’ so that .rhosts files are ignored, because host-based authentication via .rhosts is not permitted.
Tunnelling/forwarding is not permitted; it can be used to bypass firewall rules.
The banner should contain the standard warning regarding unauthorised access.
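
An audit of an sshd_config against the settings listed above, added here as an example and not part of the original guide. Keywords are matched case-insensitively and the first occurrence wins, as sshd does; directives inside Match blocks only apply conditionally, so they are counted for manual review rather than checked; settings the guide marks "# Default" pass when absent, the others must be set explicitly. The sample configuration is constructed.

```python
"""Audit an sshd_config against the required settings above."""
import re
import sys
from pathlib import Path

# lower-cased keyword -> required value, from the settings list above
REQUIRED = {
    "protocol": "2",
    "loglevel": "INFO",
    "permitrootlogin": "no",
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "allowtcpforwarding": "no",
    "permittunnel": "no",
    "banner": "/etc/issue",
}
# keywords whose required value is the sshd default (marked '# Default' above)
DEFAULT_OK = {"protocol", "loglevel", "hostbasedauthentication", "ignorerhosts", "permittunnel"}


def parse_sshd_config(text):
    """Return ({keyword: value} for the global section, [lines inside Match blocks])."""
    settings, match_lines, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            in_match = True          # everything from here on is conditional
        if in_match:
            match_lines.append(line)
            continue
        settings.setdefault(key, value)   # first occurrence wins, as in sshd
    return settings, match_lines


def audit(text):
    """Return a list of findings; empty means the file meets the required settings."""
    settings, match_lines = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            if key not in DEFAULT_OK:
                findings.append(f"{key}: not set (required {want})")
        elif got.lower() != want.lower():
            findings.append(f"{key}: is {got!r}, required {want!r}")
    if match_lines:
        findings.append(f"{len(match_lines)} line(s) inside Match blocks need manual review")
    return findings


# Constructed sample with two deviations from the list above
SAMPLE = """\
# constructed sample sshd_config
Protocol 2,1
PermitRootLogin yes
AllowTcpForwarding no
Banner /etc/issue
PermitRootLogin no      # ignored: sshd keeps the first value it saw
"""

if __name__ == "__main__":
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/etc/ssh/sshd_config")
    for line in audit(path.read_text()) or [f"{path}: compliant"]:
        print(line)
```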

Secure xinetd network services

Settings:
Disable all services except for psynch. In each service file in /etc/xinetd.d set this parameter:
disable = yes

Description:
Many of the default services are obsolete, vulnerable, or deprecated. Examples include rlogin and telnet.
The psynch service is required for password synchronisation. Everything should be disabled or preferably removed completely.

Minimise Boot Services
Good security practice is to enable only services that are absolutely required. The list below is what is allowed by default; only the minimum required should be enabled.
Services Allowed
abrtd
acpid
atd
auditd
cpuspeed
crond
cups
ecap-monitor
funcd
haldaemon
Hardware/VM monitoring agents
iptables
kdump
lm_sensors
lvm2-monitor
mdmonitor
messagebus
netfs
network
networker
ntpd
perfcap
portmap
rhnsd
rsyslog
sshd
sysgem
sysstat
tng
Veritas SF/HA
xinetd

Description:
Because any running service could potentially have vulnerabilities, and be hijacked for malicious use, it is necessary to only enable those that are actually required. This allows us to reduce the attack surface, and reduce the opportunities available to a potential attacker.
This list contains (boot up) services one might expect to see on a new server build. Additional services can be enabled if there is a strong business justification for their use.

Set daemon umask
Settings:
The umask for init should be set to 022. This is the default in RHEL6 and is not tunable.
The umask for all services started should also be set to 022. This is the default and is defined in /etc/init.d/functions.

Description:
This ensures that all files created by daemon processes have rw-r--r-- permissions.

System Network Parameter Tuning

Network Parameter Modifications
Settings:
Add these to /etc/sysctl.conf:
# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096

# Malicious routing table alteration should be prevented:
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Preventing Broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

Description:
The above settings help prevent denial of service (DoS) attacks, spoofing and redirection, with minimal impact on performance or functionality.

Logging

Syslog Message Capture

Settings:
Send all AUTHPRIV and AUTH messages to the loghost server:
Example entry in /etc/syslog.conf

# The authpriv file has restricted access.
authpriv.*                /var/log/secure
auth.*                /var/log/secure

# Security Syslog
auth.info                @loghost-gen
authpriv.info            @loghost-gen
# End of Security Syslog

Description:
Authentication messages, including ‘su’ to another account must be recorded in the /var/log/secure file. Additionally, these messages must be sent to the remote log consolidation server, known as loghost-gen. The log consolidation server provides an indelible record of authentication events.

File and Directory Permissions/Access

Password File

Settings:
Ensure that MD5 and shadow passwords are selected.

Description:
These are the default settings. The DES algorithm is now broken, and must not be used. If password shadowing is disabled, the hashes will be stored in /etc/passwd, which is world readable. It would be possible to attempt to crack these hashes, and obtain account passwords.

File System Restriction

Settings:
The following ‘nosuid’, ‘nodev’ and ‘noexec’ settings must be added in /etc/fstab:

/dev/rootvg/var    /var        ext3  defaults,nosuid               1 2
/dev/rootvg/home   /home       ext3  defaults,nosuid,nodev         1 2
/dev/rootvg/       /apps       ext3  defaults,nodev                1 2
/dev/rootvg/tmp    /tmp        ext3  defaults,nosuid,noexec,nodev  1 2
/dev/rootvg/crash  /var/crash  ext3  defaults,nosuid,noexec,nodev  1 2
/dev/rootvg/opt    /opt        ext3  defaults,nodev                1 2
/dev/rootvg/usr    /usr        ext3  defaults,nodev                1 2
/dev/rootvg/data   /data       ext3  defaults,nosuid,noexec,nodev  1 2

Description:
These restrictions control how the filesystems are mounted:
nosuid    – set-user-ID and set-group-ID bits on files are ignored
nodev     – device special files are not interpreted
noexec    – binaries cannot be executed from the filesystem
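
A check of the mount options against the table above, added here as an example and not part of the original guide. The required options per mount point are taken from the fstab lines above; the same parser accepts /proc/mounts, which shows the options actually in effect rather than those configured for the next boot. The sample fstab is constructed (the logical volume name for /apps is assumed).

```python
"""Check fstab or /proc/mounts entries for the nosuid/nodev/noexec restrictions above."""
import sys
from pathlib import Path

# mount point -> options that must be present (from the table above)
REQUIRED_OPTIONS = {
    "/var": {"nosuid"},
    "/home": {"nosuid", "nodev"},
    "/apps": {"nodev"},
    "/tmp": {"nosuid", "noexec", "nodev"},
    "/var/crash": {"nosuid", "noexec", "nodev"},
    "/opt": {"nodev"},
    "/usr": {"nodev"},
    "/data": {"nosuid", "noexec", "nodev"},
}


def parse_mount_table(text):
    """Return {mount point: set of options} from fstab or /proc/mounts text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue                      # blank, comment or malformed line
        _device, mountpoint, _fstype, options = fields[:4]
        # fstab and /proc/mounts encode a space in a path as \040
        table[mountpoint.replace("\\040", " ")] = set(options.split(","))
    return table


def audit_mounts(text):
    """List mount points that are absent or lack a required option."""
    table = parse_mount_table(text)
    findings = []
    for mountpoint, required in REQUIRED_OPTIONS.items():
        if mountpoint not in table:
            findings.append(f"{mountpoint}: no entry (options cannot be enforced)")
            continue
        missing = sorted(required - table[mountpoint])
        if missing:
            findings.append(f"{mountpoint}: missing {','.join(missing)}")
    return findings


# Constructed sample in the layout of the table above
SAMPLE_FSTAB = """\
# constructed sample /etc/fstab
/dev/rootvg/var    /var        ext3  defaults,nosuid               1 2
/dev/rootvg/home   /home       ext3  defaults,nosuid,nodev         1 2
/dev/rootvg/apps   /apps       ext3  defaults,nodev                1 2
/dev/rootvg/tmp    /tmp        ext3  defaults,nosuid,noexec,nodev  1 2
/dev/rootvg/crash  /var/crash  ext3  defaults,nosuid,noexec,nodev  1 2
/dev/rootvg/opt    /opt        ext3  defaults,nodev                1 2
/dev/rootvg/usr    /usr        ext3  defaults,nodev                1 2
/dev/rootvg/data   /data       ext3  defaults,nosuid,noexec,nodev  1 2
"""

if __name__ == "__main__":
    # Pass /proc/mounts as the argument to check the live mounts instead of fstab.
    source = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/etc/fstab")
    for line in audit_mounts(source.read_text()) or [f"{source}: all restrictions present"]:
        print(line)
```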

Accidental Deletion Protection

Settings:
Set permissions on /tmp to include the sticky bit, i.e. rwxrwxrwt (1777).

Description:
With the sticky bit set, a file in /tmp can be deleted or renamed only by its owner (or by root), even though the directory itself is world-writable.

Eliminate World-Writable Files

Settings:
Ensure files do not have ‘write’ permission for the ‘other’ category:
chmod o-w <filename>

Description:
Data in these files could be compromised by anyone with access to the server.
NOTE: Certain vendor applications may break if this setting is made, so exercise caution before making this change.

Ensure Only Authorised Executables are SUID/SGID

Settings:
Only entries in appendix X should have SUID/SGID set.

Description:
The SUID/SGID bits make an executable run with the privileges of its owner or group (typically root) even when it is invoked from a non-root account, e.g. ping.

Orphaned Files
Settings:
Orphaned files must be removed, or an owner allocated.

Description:
These files do not have an owner, and it may be indicative of a break-in, or some other problem.

Permissions
Settings:
File                   Owner   Group   Access Permissions (minimum)
/etc/passwd            root    root    644
/etc/shadow            root    root    400
/etc/group             root    root    644
/etc/pam.d/<files>     root    root    644
/etc/at.allow          root    root    400
/etc/cron.allow        root    root    400
/etc/crontab           root    root    400
/etc/ssh/sshd_config   root    root    400
/etc/syslog.conf       root    root    600
/var/log/secure        root    root    600

Description:
These important files should have the permissions set as specified, as a minimum.
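
A check of owner, group and mode for the files in the table above, added here as an example and not part of the original guide. "Minimum" in the table is read as the most permissive mode allowed, so a file passes when its mode sets no bit the table does not (set-uid, set-gid and sticky bits count as excess); the /etc/pam.d/<files> row is expanded to every regular file in that directory.

```python
"""Verify owner, group and maximum permissions for the files in the table above."""
import grp
import os
import pwd
import stat
from pathlib import Path

# path -> (owner, group, most permissive mode allowed), from the table above
BASELINE = {
    "/etc/passwd": ("root", "root", 0o644),
    "/etc/shadow": ("root", "root", 0o400),
    "/etc/group": ("root", "root", 0o644),
    "/etc/pam.d/<files>": ("root", "root", 0o644),
    "/etc/at.allow": ("root", "root", 0o400),
    "/etc/cron.allow": ("root", "root", 0o400),
    "/etc/crontab": ("root", "root", 0o400),
    "/etc/ssh/sshd_config": ("root", "root", 0o400),
    "/etc/syslog.conf": ("root", "root", 0o600),
    "/var/log/secure": ("root", "root", 0o600),
}


def owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)          # orphaned file: no matching account


def group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def excess_bits(st_mode, allowed):
    """Permission bits present on the file but not in the allowed mode."""
    return stat.S_IMODE(st_mode) & ~allowed


def check_entry(path, owner, group, allowed):
    """Return a list of findings for one file (empty when it meets the baseline)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    if owner_name(st.st_uid) != owner:
        findings.append(f"{path}: owner {owner_name(st.st_uid)}, expected {owner}")
    if group_name(st.st_gid) != group:
        findings.append(f"{path}: group {group_name(st.st_gid)}, expected {group}")
    extra = excess_bits(st.st_mode, allowed)
    if extra:
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} exceeds "
                        f"{allowed:04o} (extra bits {extra:04o})")
    return findings


def expand(baseline):
    """Yield (path, spec) pairs, expanding a '<files>' row to the directory's files."""
    for path, spec in baseline.items():
        if path.endswith("/<files>"):
            directory = Path(path[: -len("/<files>")])
            if directory.is_dir():
                for entry in sorted(directory.iterdir()):
                    if entry.is_file():
                        yield str(entry), spec
        else:
            yield path, spec


def audit(baseline=BASELINE):
    findings = []
    for path, (owner, group, allowed) in expand(baseline):
        findings.extend(check_entry(path, owner, group, allowed))
    return findings


if __name__ == "__main__":
    for line in audit() or ["all files meet the baseline"]:
        print(line)
```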

System Access, Authentication and Authorisation

Remove .rhosts Feature
Settings:
In /etc/pam.d/rlogin and /etc/pam.d/rsh, remove the entries containing the line:

pam_rhosts_auth.so

Description:
Removing the ‘pam_rhosts_auth.so’ clause is an additional security measure, should rlogin/rsh be enabled. The .rhosts facility has weak authentication, and should not be used.

Restrict Access to at/cron
Settings:
In /etc remove the at.deny and cron.deny files.
Add the entry ‘root’ to at.allow and cron.allow. Remove any other user names that may be present.

Description:

The objective is to restrict the scheduling of jobs to the root account only. BNPP has a scheduling tool that should be used by application teams who wish to have scheduled tasks.

Prevent Receiving of syslog Messages

Settings:
The /etc/init.d/syslog file must have this setting: SYSLOGD_OPTIONS="-m 0"
Description:
Omitting the -r switch prevents the daemon from receiving remote syslog messages. A server configured to receive syslog messages can be compromised by being bombarded with (fake) syslog messages; this setting prevents that DoS attack.

Enabling GZIP compression : Jboss

Enabling GZIP compression for your web application is a good way to accelerate your web site. This can reduce the size of data being transferred and, consequently, speed your application.

Enabling compression on the web server will make data be transferred in compressed form. The browser will decompress the data on the fly, making the application faster. If your application uses Ajax, what usually increases the volume of data transferred from server to client, compression of data will significantly improve your application performance.

Here is how to enable GZIP compression on jboss: edit file /conf/server.xml and add to the HTTP Connector configuration something like this:

compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml"
An example of a HTTP Connector configuration with compression enabled could be:

<Connector port="8080" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true"
           compression="on"
           compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml" />

kills all pids matching the search word

ps -ef | awk '/apache/ && !/awk/ {print $2}' | xargs -r kill -9

Zombie Process

Zombies don’t just appear in scary movies anymore, sometimes they also appear on your Linux systems; but don’t fret they are mostly harmless.

What is a Zombie Process?

Before we get started I wanted to first cover what exactly a Zombie process is.

Linux and Unix both have the ability for a process to create a sub process otherwise known as a “Child Process”. Once a process creates a new sub process the first process then becomes a “Parent Process” as it has spawned a child process during its execution.

A Zombie or defunct process is a process that has finished its execution and is waiting for its Parent Process to read its exit status. Because the child process has finished, it is technically a “dead” process however since it is waiting for its parent there is still an entry in the process table. The zombie’s parent process does not necessarily need to be running for a zombie to appear, however it is most common to see a zombie process whose parent has died unexpectedly.

How to spot a Zombie Process

Zombie processes can be found easily with the ps command. The ps output has a STAT column showing each process’s current status; a zombie process has Z as its status. In addition to the STAT column, zombies commonly show the word <defunct> in the CMD column as well.

Example:

$ ps -elf | grep Z
F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD
1 Z madflojo 28827 28821 0 80 0 - 0 exit 12:28 pts/4 00:00:00 [zombies.aahhh]
1 Z madflojo 28828 28821 0 80 0 - 0 exit 12:28 pts/4 00:00:00 [zombies.aahhh]
1 Z madflojo 28829 28821 0 80 0 - 0 exit 12:28 pts/4 00:00:00 [zombies.aahhh]
1 Z madflojo 28830 28821 0 80 0 - 0 exit 12:28 pts/4 00:00:00 [zombies.aahhh]
1 Z madflojo 28831 28821 0 80 0 - 0 exit 12:28 pts/4 00:00:00 [zombies.aahhh]

What is the difference between a Zombie and Orphaned Process?

Orphaned processes are very similar to Zombie processes; however there is one major difference. An Orphaned process is a child process that is still an active process whose parent has died. Unlike zombies the orphaned process will be reclaimed or adopted by the init process.

How to spot an Orphaned Process

Orphaned processes can also be found easily with the ps command. Within the ps output there is a PPID column which shows the process’s parent process ID; an orphaned process will have a PPID of 1, which is the init process.

You may be thinking to yourself, how do I differentiate an Orphaned process from a Daemon process? Well, in short, there is no difference. For all intents and purposes a daemon process is an orphaned process, except that the exit of the parent process is deliberate rather than an error.

Example:

$ ps -elf | grep sshd
4 S root 718 1 0 80 0 - 12487 poll_s Jun07 ? 00:00:00 /usr/sbin/sshd -D

What to do about Zombie Processes?

Before performing any activity to clean up zombie processes it is best to identify the root cause of the issue. Zombie processes do not indicate a normal state for your system, they may be benign for now however like real zombies they become more troublesome when they are in large numbers. They also indicate either a system issue or an application issue depending on the source of the processes.

The steps necessary to clean up zombie processes are complicated and very situational; below are a couple of high-level answers that can guide you to a solution.

If the parent process is still active

If the parent process of the zombie or zombies is still active (not process id 1) then this is an indication that the parent process is stalled on a certain task and has not yet read the exit status of the child processes. At this point the resolution is extremely situational; you can use the strace command to attach to the parent process and troubleshoot from there.

You may also be able to make the parent process exit cleanly taking its zombie children with it by issuing the kill command. If you do run the kill command I suggest that you run a kill with the default signal -15 (SIGTERM) rather than using a -9 (SIGKILL); as SIGTERM will tell the parent process to exit cleanly which is more likely to read the exit status of the zombie children.

If the parent process is no longer active

If the parent process is no longer active then the clean-up activity becomes a choice; at this point you can leave the zombie processes on your system, or you can simply reboot. A Zombie process whose parent is no longer active is not going to be cleaned up without rebooting the system. If the zombie processes are only in small numbers and not recurring or multiplying then it may be best to leave these processes be until the next reboot. If, however, they are multiplying or in large numbers then this is an indication that there is a significant issue with your system.
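
A demonstration of the mechanism the article describes, added here as an example and not part of the original article: the parent forks a child that exits at once and deliberately does not wait() for it, then reads the same /proc/<pid>/stat fields ps uses (STAT and PPID) to show the zombie, and finally reaps it, which is what a healthy parent would have done. It is Linux-specific because of /proc.

```python
"""Create a zombie deliberately, observe it the way ps does, then reap it."""
import os
import time


def proc_fields(pid):
    """Return the fields of /proc/<pid>/stat after the (comm) field, or None if gone."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            data = f.read()
    except (FileNotFoundError, ProcessLookupError):
        return None
    # comm is in parentheses and may contain spaces, so split after the last ')'
    return data.rsplit(")", 1)[1].split()


def proc_state(pid):
    """One-letter state as ps shows it: 'Z' for a zombie, None once reaped."""
    fields = proc_fields(pid)
    return fields[0] if fields else None


def parent_pid(pid):
    """The PPID column: the process that has to read the exit status."""
    fields = proc_fields(pid)
    return int(fields[1]) if fields else None


def spawn_zombie(exit_code=3):
    """Fork a child that exits at once and return its pid without waiting for it."""
    pid = os.fork()
    if pid == 0:
        os._exit(exit_code)
    # Give the child time to exit; its table entry stays until the status is read.
    for _ in range(500):
        if proc_state(pid) == "Z":
            break
        time.sleep(0.01)
    return pid


def reap(pid):
    """Read the exit status (what the stalled parent failed to do); the entry disappears."""
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1


if __name__ == "__main__":
    zombie = spawn_zombie()
    print(f"child {zombie}: state {proc_state(zombie)}, "
          f"parent {parent_pid(zombie)} (this process is {os.getpid()})")
    os.system(f"ps -o pid,ppid,stat,cmd -p {zombie}")   # shows Z and <defunct>
    print("exit status read by parent:", reap(zombie))
    print("after reaping, state is", proc_state(zombie))
```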

Dealing with a large active log

When the log size gets to say 1GB we want to back it up in another directory and empty the current log file.

Therefore basically we are doing:

cp SystemOut.log <some dir with large space>
cat /dev/null > SystemOut.log

Configure software raid Windows Server 2008

RAID (Redundant Array of Independent Disks) is a technology for building redundant logical disks out of arrays of physical disks. Such a logical disk unit provides redundancy and better disk storage performance. There are several RAID types, differing in how redundancy is achieved and in the technology used.

Basically, with RAID, data is spread across two or more hard disks. The RAID types differ in how data is organised on the redundant disks: data can be spanned, striped or mirrored across the physical disks. The way the data is distributed across disks defines the common RAID levels:

RAID 0 – blocks of data are striped across the physical disks

RAID 1 – data is mirrored; the same data exists on every physical disk in the array

RAID 2 – bits of data are striped across disks with a dedicated parity disk

RAID 3 – bytes of data are striped across disks with a dedicated parity disk

RAID 4 – blocks of data are striped across disks with a dedicated parity disk

RAID 5 – blocks of data are striped and parity is distributed across the data disks

RAID 6 – blocks of data are striped with double distributed parity across the data disks

There are also combinations of the above RAID levels, such as RAID 51 (RAID 5 + RAID 1) or RAID 50.

Besides the RAID levels, which define how redundancy and read/write efficiency are achieved, there are three kinds of RAID depending on the technology that controls the array: hardware, firmware and software RAID. Hardware RAID assumes a dedicated RAID controller in the machine where the RAID exists, either a chip on the board controlling the disk units or a dedicated card (e.g. a PCI card in a PC). In firmware RAID there is a chip with RAID support, but it is not dedicated solely to RAID control; it can be an ordinary hard disk controller whose firmware includes RAID, and it relies on a driver in the OS as the interface to that firmware. Software RAID is controlled by the operating system and uses CPU power for the RAID functions. Windows Server 2008 offers this type of RAID, and in this article I’ll show how to configure software RAID in Windows Server 2008.

With software RAID in Windows, redundancy is configured at the volume level: arrays of redundant volumes are created, where the volumes are the logical disks ‘seen’ by Windows. The system volume cannot be mirrored or striped, because Windows cannot boot from a volume that is in a redundant configuration. You can, however, make redundant data volumes to preserve the integrity and redundancy of the data saved on them.

The main prerequisite for software RAID is one or more additional physical disks on the server where you configure it. For example, let’s say we have two such disks. Right-click Computer, choose Manage, then Storage -> Disk Management; the window that appears shows the server’s disk resources:

There is one system volume and two areas of unallocated space on the additional physical disks. Right-clicking the unallocated space on one of those disks opens a menu from which the type of volume, and hence the kind of redundancy, can be chosen:

The menu offers the following options for a new volume in the unallocated space: new simple volume, new spanned volume, new striped volume, new mirrored volume and new RAID-5 volume. I’ll describe each option and its characteristics.

New simple volume creates a new logical volume on the unallocated space. It provides no redundancy; it only creates a volume.

New spanned volume creates a volume that is spread across several physical disks. There is no redundancy, only more disk space: if one of the disks fails, the data on the volume is lost. Spanned volumes are not a RAID type.

New striped volume creates a volume striped across two or more physical disks. This is a standard RAID 0 configuration: data is striped but there is no redundancy, only an expansion of disk space.

New mirrored volume provides redundancy by mirroring data across disks. When a mirrored volume is created, a copy of it exists on two or more physical disks; if one disk fails there is still a full copy of the data on the other disk, so redundancy is achieved. This is standard RAID 1.

New RAID-5 volume creates a RAID 5 volume, i.e. block-level striping with distributed parity. This level needs at least three disks, which is why the option is greyed out in our example.

In this example we will create a striped volume across two disks. At the start, the disk configuration in Windows Server 2008 looks like the next picture:

Let’s say we want to create the striped volume on the unallocated space on disks 1 and 2. Right-click the unallocated space on disk 1 and select New Striped Volume. The next window appears:

Click Next.

In this window we choose the disks over which the striped volume will be spread, and the volume size, which depends on the amount of unallocated space. Let’s say we want the maximum available size and disks 1 and 2. In that case Disk 1 must be added to the left field (“Selected”) by clicking Disk 1 and then the Add button. After that click Next, and a new window appears:

In this window we choose the drive letter for the striped volume, say F. Click Next.

This window contains the volume formatting options. In this example we want an NTFS-formatted volume, so that option is selected. Click Next.

Before the volume is formatted, the physical disks must be converted to dynamic disks, which is a prerequisite for creating redundancy on them. Confirm the conversion by clicking Yes. The volume is then created and formatted, as shown in the next picture:

The new striped volume is labelled F: (New Volume). The green colour of the disk label indicates that the volume is striped (the colours at the bottom of the window show the volume types).

In this example we created a striped volume, which is analogous to a RAID 0 configuration. The same procedure can be used to create the other types of redundant volume. I hope this simple demonstration gives you the confidence to create your own way of protecting your valuable information in Windows Server 2008.

Operating systems and network tuning

Network tuning can reduce Transmission Control Protocol (TCP) stack delay by changing connection settings and can improve throughput by changing TCP buffers.

Operating systems

A Windows system needs the least tuning while a Solaris system needs the most tuning. The following information pertains to each system specified, and might improve WebSphere® eXtreme Scale performance. You should tune according to your network and application load.

Windows

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxFreeTcbs = dword:00011940
MaxHashTableSize = dword:00010000
MaxUserPort = dword:0000fffe
TcpTimedWaitDelay = dword:0000001e

Solaris

ndd -set /dev/tcp tcp_time_wait_interval 60000
ndd -set /dev/tcp tcp_keepalive_interval 15000
ndd -set /dev/tcp tcp_fin_wait_2_flush_interval 67500
ndd -set /dev/tcp tcp_conn_req_max_q 16384
ndd -set /dev/tcp tcp_conn_req_max_q0 16384
ndd -set /dev/tcp tcp_xmit_hiwat 400000
ndd -set /dev/tcp tcp_recv_hiwat 400000
ndd -set /dev/tcp tcp_cwnd_max 2097152
ndd -set /dev/tcp tcp_ip_abort_interval 20000
ndd -set /dev/tcp tcp_rexmit_interval_initial 4000
ndd -set /dev/tcp tcp_rexmit_interval_max 10000
ndd -set /dev/tcp tcp_rexmit_interval_min 3000
ndd -set /dev/tcp tcp_max_buf 4194304

AIX®

/usr/sbin/no -o tcp_sendspace=65536
/usr/sbin/no -o tcp_recvspace=65536
/usr/sbin/no -o udp_sendspace=65536
/usr/sbin/no -o udp_recvspace=65536
/usr/sbin/no -o somaxconn=10000
/usr/sbin/no -o tcp_nodelayack=1
/usr/sbin/no -o tcp_keepinit=40
/usr/sbin/no -o tcp_keepintvl=10

Linux

sysctl -w net.ipv4.tcp_timestamps=0
sysctl -w net.ipv4.tcp_tw_reuse=1
sysctl -w net.ipv4.tcp_tw_recycle=1
sysctl -w net.ipv4.tcp_fin_timeout=30
sysctl -w net.ipv4.tcp_keepalive_time=1800
sysctl -w net.ipv4.tcp_rmem="4096 87380 8388608"
sysctl -w net.ipv4.tcp_wmem="4096 87380 8388608"
sysctl -w net.ipv4.tcp_max_syn_backlog=4096

HP-UX

ndd -set /dev/tcp tcp_ip_abort_cinterval 20000

Linux Tweaking

Raising network limits for broadband under Linux
2003.04.01 16:03 by Philip
Keywords: TCP Window, WAN, TCP/IP, tweak, Linux

The TCP/IP parameters for tweaking a Linux-based machine for fast internet connections are located in /proc/sys/net/… (assuming a 2.1+ kernel). This location is volatile, and changes are reset at reboot. There are a couple of methods for reapplying the changes at boot time, illustrated below.

Locating the TCP/IP related parameters

All TCP/IP tuning parameters are located under /proc/sys/net/… For example, here is a list of the most important tuning parameters, along with a short description of their meaning:

/proc/sys/net/core/rmem_max – Maximum TCP Receive Window
/proc/sys/net/core/wmem_max – Maximum TCP Send Window
/proc/sys/net/ipv4/tcp_rmem – memory reserved for TCP receive buffers
/proc/sys/net/ipv4/tcp_wmem – memory reserved for TCP send buffers
/proc/sys/net/ipv4/tcp_timestamps – timestamps (RFC 1323) add 12 bytes to the TCP header…
/proc/sys/net/ipv4/tcp_sack – tcp selective acknowledgements.
/proc/sys/net/ipv4/tcp_window_scaling – support for large TCP Windows (RFC 1323). Needs to be set to 1 if the Max TCP Window is over 65535.

Keep in mind everything under /proc is volatile, so any changes you make are lost after reboot.

There are some additional internal memory buffers for the TCP Window, allocated for each connection:
/proc/sys/net/ipv4/tcp_rmem – memory reserved for TCP rcv buffers (reserved memory per connection default)
/proc/sys/net/ipv4/tcp_wmem – memory reserved for TCP snd buffers (reserved memory per connection default)

tcp_rmem and tcp_wmem each contain an array of three values: minimum, default and maximum memory. Those three values bound autotuning and balance memory usage while under global memory stress.

Applying TCP/IP Parameters at System Boot

You can edit /etc/rc.local, or /etc/boot.local depending on your distribution so the parameters get automatically reapplied at boot time. The TCP/IP parameters should be self-explanatory: we’re basically setting the TCP Window to 256960, disabling timestamps (to avoid 12 byte header overhead), enabling tcp window scaling, and selective acknowledgements:

echo 256960 > /proc/sys/net/core/rmem_default
echo 256960 > /proc/sys/net/core/rmem_max
echo 256960 > /proc/sys/net/core/wmem_default
echo 256960 > /proc/sys/net/core/wmem_max

echo 0 > /proc/sys/net/ipv4/tcp_timestamps 
echo 1 > /proc/sys/net/ipv4/tcp_sack 
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling

Change the values above as desired, depending on your internet connection and maximum bandwidth/latency. There are other parameters you can change from the default if you’re confident in what you’re doing – just find the correct syntax of the values in /proc/sys/net/… and add a line in the above code analogous to the others. To revert to the default parameters, you can just comment or delete the above code from /etc/rc.local and restart.

Another method to reapply the values upon boot is to include the following in your /etc/sysctl.conf (adjust RWIN values as needed):

net.core.rmem_default = 256960
net.core.rmem_max = 256960 
net.core.wmem_default = 256960
net.core.wmem_max = 256960 

net.ipv4.tcp_timestamps = 0 
net.ipv4.tcp_sack = 1 
net.ipv4.tcp_window_scaling = 1

Notes:
Execute sysctl -p to make these new settings take effect.
To manually set the MTU value under Linux, use the command: ifconfig eth0 mtu 1500 (where 1500 is the desired MTU size)

Changing Current Values without rebooting

The current TCP/IP parameters can be edited without the need for reboot in the following locations:

/proc/sys/net/core/
rmem_default = Default Receive Window
rmem_max = Maximum Receive Window
wmem_default = Default Send Window
wmem_max = Maximum Send Window

/proc/sys/net/ipv4/
You’ll find timestamps, window scaling, selective acknowledgements, etc.

Keep in mind the values in /proc will be reset upon reboot. You still need to add the code in /etc/rc.local or /etc/boot.local in order to have the changes applied at boot time as described above.

Other TCP Parameters to consider

TCP_FIN_TIMEOUT
This setting determines the time that must elapse before TCP/IP can release a closed connection and reuse its resources. During this TIME_WAIT state, reopening the connection to the client costs less than establishing a new connection. By reducing the value of this entry, TCP/IP can release closed connections faster, making more resources available for new connections. Adjust this in the presence of many connections sitting in the TIME_WAIT state:

# echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
(default: 60 seconds, recommended 15-30 seconds)

Notes:
You can use any of the earlier described methods to reapply these settings at boot time.
Here is a quick way to view the number of connections and their states:

netstat -tan | grep ':80 ' | awk '{print $6}' | sort | uniq -c

TCP_KEEPALIVE_INTERVAL
This determines the wait time between keepalive (isAlive) probes. To set:

echo 30 > /proc/sys/net/ipv4/tcp_keepalive_intvl
(default: 75 seconds, recommended: 15-30 seconds)

TCP_KEEPALIVE_PROBES
This determines the number of probes before timing out. To set:

echo 5 > /proc/sys/net/ipv4/tcp_keepalive_probes
(default: 9, recommended 5)

TCP_TW_RECYCLE
It enables fast recycling of TIME_WAIT sockets. The default value is 0 (disabled). The sysctl documentation incorrectly states the default as enabled. It can be changed to 1 (enabled) in many cases. Known to cause some issues with hoststated (load balancing and fail over) if enabled, should be used with caution.

echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
(boolean, default: 0)

TCP_TW_REUSE
This allows reusing sockets in the TIME_WAIT state for new connections when it is safe from the protocol viewpoint. The default value is 0 (disabled). It is generally a safer alternative to tcp_tw_recycle.

echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse
(boolean, default: 0)

Note: The tcp_tw_reuse setting is particularly useful in environments where numerous short connections are open and left in TIME_WAIT state, such as web servers. Reusing the sockets can be very effective in reducing server load.

Kernel Recompile Option

There is another method one can use to set TCP/IP parameters, involving kernel recompile… If you’re brave enough. Look for the parameters in the following files:
/LINUX-SOURCE-DIR/include/linux/skbuff.h
Look for SK_WMEM_MAX & SK_RMEM_MAX
/LINUX-SOURCE-DIR/include/net/tcp.h
Look for MAX_WINDOW & MIN_WINDOW
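
An audit of sysctl values, added here as an example and not part of either original text: it covers both the net.ipv4 baseline from "Network Parameter Modifications" in the hardening guide above and the values this article puts in /etc/sysctl.conf (with the article's example RWIN of 256960), parses sysctl.conf syntax or reads the live values from /proc/sys, and applies the two consistency rules the article states (window scaling is required above 65535, and tcp_tw_recycle is to be used with caution). The sample configuration is constructed.

```python
"""Audit sysctl values against the hardening baseline and the tuning article above."""
import sys
from pathlib import Path

HARDENING = {  # "Network Parameter Modifications" in the hardening guide
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.tcp_max_syn_backlog": "4096",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv4.conf.default.secure_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
}
TUNING = {  # this article's /etc/sysctl.conf block (256960 is its example RWIN)
    "net.core.rmem_default": "256960",
    "net.core.rmem_max": "256960",
    "net.core.wmem_default": "256960",
    "net.core.wmem_max": "256960",
    "net.ipv4.tcp_timestamps": "0",
    "net.ipv4.tcp_sack": "1",
    "net.ipv4.tcp_window_scaling": "1",
}
EXPECTED = {**HARDENING, **TUNING}
EXTRA_KEYS = ["net.ipv4.tcp_rmem", "net.ipv4.tcp_wmem", "net.ipv4.tcp_tw_recycle"]


def parse_sysctl(text):
    """Parse 'key = value' lines; '#' and ';' start comments, values may be quoted."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = " ".join(value.strip().strip('"').split())
    return values


def live_values(keys):
    """Read the current kernel values from /proc/sys (Linux only)."""
    values = {}
    for key in keys:
        node = Path("/proc/sys", *key.split("."))
        if node.exists():
            values[key] = " ".join(node.read_text().split())
    return values


def audit(values):
    """Return findings for values that differ from the texts or break their rules."""
    findings = []
    for key, want in EXPECTED.items():
        got = values.get(key)
        if got is None:
            findings.append(f"{key}: not set (want {want})")
        elif got != want:
            findings.append(f"{key}: {got} (want {want})")
    # Rules stated in the article rather than plain value checks
    biggest = max(int(values.get(k, "0")) for k in ("net.core.rmem_max", "net.core.wmem_max"))
    if biggest > 65535 and values.get("net.ipv4.tcp_window_scaling") != "1":
        findings.append("tcp_window_scaling must be 1 when the maximum window exceeds 65535")
    for key in ("net.ipv4.tcp_rmem", "net.ipv4.tcp_wmem"):
        if key in values:
            low, default, high = (int(x) for x in values[key].split())
            if not low <= default <= high:
                findings.append(f"{key}: min/default/max {values[key]} are not ordered")
    if values.get("net.ipv4.tcp_tw_recycle") == "1":
        findings.append("tcp_tw_recycle=1: the article warns of load balancing/failover issues")
    return findings


# Constructed sample in sysctl.conf syntax: both baselines plus a quoted triple
SAMPLE_CONF = "# constructed sample sysctl.conf\n" + "\n".join(
    f"{k} = {v}" for k, v in EXPECTED.items()
) + '\nnet.ipv4.tcp_rmem = "4096 87380 8388608"\n'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        values = parse_sysctl(Path(sys.argv[1]).read_text())
    else:
        values = live_values(list(EXPECTED) + EXTRA_KEYS)
    for line in audit(values) or ["all values match"]:
        print(line)
```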

qmail installation Centos 5.5

mkdir /root/qmail
cd /root/qmail
wget http://www.qmail.org/netqmail-1.06.tar.gz
wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz –> inetd/xinetd substitute manages various daemon that qmail shipped with.
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz –> Provide some services such as management as well as logging though 2 interfaces service scan and supervise (svscan/supervise).

tar -xvzf netqmail-1.06.tar.gz
tar -xvzf ucspi-tcp-0.88.tar.gz
mkdir /package
mv daemontools-0.76.tar.gz /package
mkdir /var/qmail
cd /root/qmail/netqmail-1.06
cp INSTALL.ids IDS –> This file is used during installation to create the users and groups qmail needs

Note:- IDS file should include only the following
groupadd nofiles
useradd -g nofiles -d /var/qmail/alias alias
useradd -g nofiles -d /var/qmail qmaild
useradd -g nofiles -d /var/qmail qmaill
useradd -g nofiles -d /var/qmail qmailp
groupadd qmail
useradd -g qmail -d /var/qmail qmailq
useradd -g qmail -d /var/qmail qmailr
useradd -g qmail -d /var/qmail qmails

. IDS && echo $? –> Source the file so its commands run in the current shell, then echo the exit status
yum install gcc gcc-c++ make flex bison bison-devel
make setup check –> Build and install qmail, then run its self-checks
./config-fast mail.linux.org –> Replace mail.linux.org with the server's FQDN; if unsure, check it with hostname -f
cd /root/qmail/ucspi-tcp-0.88
yum install patch-2.5.4-31.el5 –> Make sure that the patch command is installed
patch < /root/qmail/netqmail-1.06/other-patches/ucspi-tcp-0.88.errno.patch –> Apply the errno patch that netqmail ships for ucspi-tcp
make && make setup check
cd /package
tar -xvzf daemontools-0.76.tar.gz
cd /package/admin/daemontools-0.76/src
patch < /root/qmail/netqmail-1.06/other-patches/daemontools-0.76.errno.patch
cd ..
package/install
vim /var/qmail/rc –> And add the following

#!/bin/sh

# Using stdout for logging
# Using control/defaultdelivery from qmail-local to deliver messages by default
exec env - PATH="/var/qmail/bin:$PATH" \
qmail-start "`cat /var/qmail/control/defaultdelivery`"

chmod 755 /var/qmail/rc
mkdir /var/log/qmail
echo "./Mailbox" > /var/qmail/control/defaultdelivery

The qmailctl script

wget http://lifewithqmail.org/qmailctl-script-dt70
mv qmailctl-script-dt70 /var/qmail/bin/qmailctl
chmod 755 /var/qmail/bin/qmailctl
ln -s /var/qmail/bin/qmailctl /usr/bin

The supervise scripts

mkdir -p /var/qmail/supervise/qmail-send/log
mkdir -p /var/qmail/supervise/qmail-smtpd/log
vim /var/qmail/supervise/qmail-send/run –> Add the following

#!/bin/sh
exec /var/qmail/rc

vim /var/qmail/supervise/qmail-send/log/run –> Add the following

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail

vim /var/qmail/supervise/qmail-smtpd/run –> Add the following

#!/bin/sh

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`

if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpd/run
exit 1
fi

if [ ! -f /var/qmail/control/rcpthosts ]; then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi

exec /usr/local/bin/softlimit -m 2000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd 2>&1

Note: concurrencyincoming isn’t a standard qmail control file. It’s a feature of the above script. Also, that’s -1 (dash one) on the LOCAL line and -l (dash ell) on the tcpserver line.

Note: The memory limit specified in the softlimit command may need to be raised depending upon your operating system and hardware platform. If attempts to connect to port 25 fail, or remote systems are unable to send you mail, or you see a message like:

/usr/local/bin/tcpserver: error while loading shared libraries:
libc.so.6: failed to map segment from shared object: Cannot allocate memory

try raising it to 3000000 or 4000000.

echo 20 > /var/qmail/control/concurrencyincoming
chmod 644 /var/qmail/control/concurrencyincoming
vim /var/qmail/supervise/qmail-smtpd/log/run –> Add the following

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/smtpd

chmod 755 /var/qmail/supervise/qmail-send/run
chmod 755 /var/qmail/supervise/qmail-send/log/run
chmod 755 /var/qmail/supervise/qmail-smtpd/run
chmod 755 /var/qmail/supervise/qmail-smtpd/log/run

mkdir -p /var/log/qmail/smtpd
chown qmaill /var/log/qmail /var/log/qmail/smtpd
rm -rf /usr/sbin/sendmail
ln -s /var/qmail/bin/sendmail /usr/sbin
rm -rf /usr/lib/sendmail
ln -s /var/qmail/bin/sendmail /usr/lib
echo root > /var/qmail/alias/.qmail-root
echo root > /var/qmail/alias/.qmail-postmaster
ln -s /var/qmail/alias/.qmail-postmaster /var/qmail/alias/.qmail-mailer-daemon
chmod 644 /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-postmaster
echo '127.:allow,RELAYCLIENT=""' >>/etc/tcp.smtp
qmailctl cdb
ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /service
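A small audit script, added here as an example and not part of the original notes or of qmail itself, that checks the two things the installation above relies on to avoid an open relay: it scans a tcprules source file such as /etc/tcp.smtp for RELAYCLIENT grants outside 127., and checks the control files the qmail-smtpd run script needs before starting the listener. The file paths and rule contents it is run against are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original qmail notes.
# audit_tcp_smtp FILE: scan a tcprules source (the format of /etc/tcp.smtp,
# "prefix:allow,VAR=value" or "prefix:deny") and print every RELAYCLIENT grant
# whose address prefix is not loopback. An empty prefix matches every client,
# which turns the listener into an open relay. Returns 0 when only 127. may relay.
audit_tcp_smtp() {
    file="$1"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac    # skip blanks and comments
        addr=${line%%:*}
        rest=${line#*:}
        case "$rest" in
            *RELAYCLIENT*)
                case "$addr" in
                    127.*) ;;                                   # loopback only
                    '') echo "relay granted to ANY client (empty prefix)"; bad=1 ;;
                    *)  echo "relay granted to prefix $addr: review"; bad=1 ;;
                esac ;;
        esac
    done < "$file"
    return $bad
}

# check_smtpd_control DIR: the preconditions the supervise run script tests
# before starting tcpserver, applied to control directory DIR (normally
# /var/qmail/control). Returns 0 when the listener can start safely.
check_smtpd_control() {
    ctl="$1"
    if [ ! -f "$ctl/rcpthosts" ]; then
        echo "no $ctl/rcpthosts: qmail-smtpd would accept mail for any domain"
        return 1
    fi
    # present but empty is not a relay, it just rejects every non-relay recipient
    [ -s "$ctl/rcpthosts" ] || echo "warning: $ctl/rcpthosts is empty"
    for f in me concurrencyincoming; do
        [ -s "$ctl/$f" ] || { echo "missing or empty $ctl/$f"; return 1; }
    done
    case "$(cat "$ctl/concurrencyincoming")" in
        *[!0-9]*) echo "$ctl/concurrencyincoming is not a number"; return 1 ;;
    esac
    return 0
}
```

Run it as `audit_tcp_smtp /etc/tcp.smtp && check_smtpd_control /var/qmail/control` after `qmailctl cdb`; a non-zero exit means the listener should not be linked into /service yet.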