Archive for the ‘General linux’ Category

Download and Extract Memcache package
root@server [~]# cd /usr/local/src
root@server [/usr/local/src]# wget http://pecl.php.net/get/memcache-3.0.6.tgz
root@server [/usr/local/src]# tar -xzf memcache-3.0.6.tgz

Note that wget fetches the tarball over plain HTTP and nothing above checks it; use the https:// URL where the mirror offers one and compare the file against the published checksum before compiling and installing it as root.
Compilation and installation
root@server [/usr/local/src]# cd memcache-3.0.6
root@server [/usr/local/src/memcache-3.0.6]# phpize
Configuring for:
PHP Api Version: 20090626
Zend Module Api No: 20090626
Zend Extension Api No: 220090626

root@server [/usr/local/src/memcache-3.0.6]# ./configure
root@server [/usr/local/src/memcache-3.0.6]# make
root@server [/usr/local/src/memcache-3.0.6]# make install

Enable memcache in php.ini
root@server [~]# echo 'extension=memcache.so' >> /usr/local/lib/php.ini
root@server [~]# /etc/init.d/httpd restart

If memcache loaded successfully, php -i reports it as follows (php -m | grep memcache is a quicker check).

root@server [~]# php -i | grep memcache
memcache
memcache support => enabled
memcache.allow_failover => 1 => 1
memcache.chunk_size => 32768 => 32768
memcache.compress_threshold => 20000 => 20000
memcache.default_port => 11211 => 11211
memcache.hash_function => crc32 => crc32
memcache.hash_strategy => consistent => consistent
memcache.lock_timeout => 15 => 15
memcache.max_failover_attempts => 20 => 20
memcache.protocol => ascii => ascii
memcache.redundancy => 1 => 1
memcache.session_redundancy => 2 => 2

Every file on our Linux system, including directories, is owned by a specific user and group. Therefore, file permissions are defined separately for users, groups, and others.

User: The username of the person who owns the file. By default, the user who creates the file will become its owner.

Group: The user group that owns the file. All users who belong to the group that owns the file share the group's access permissions to the file. This is useful if, for example, we have a project that requires a number of different users to be able to access certain files while others cannot. In that case, we add all those users to the same group, make sure the required files are owned by that group, and set the file's group permissions accordingly.

Other: Any user who is neither the owner of the file nor a member of the file's group. In other words, permissions set for the "other" category affect everyone else by default. For this reason, people often talk about setting the "world" permission bits when they mean setting the permissions for "other."

There are three types of access permissions on Linux: read, write, and execute. These permissions are defined separately for the file’s owner, group and all other users.

Read permission. On a regular file, the read permission bit means the file can be opened and read. On a directory, the read permission means we can list the contents of the directory.

Write permission. On a regular file, this means we can modify the file, aka write new data to the file. In the case of a directory, the write permission means we can add, remove, and rename files in the directory. This means that if a file has the write permission bit, we are allowed to modify the file’s contents, but we’re allowed to rename or delete the file only if the permissions of the file’s directory allow us to do so.

Execute permission. In the case of a regular file, this means we can execute the file as a program or a shell script. On a directory, the execute permission (also called the “search bit”) allows us to access files in the directory and enter it, with the cd command, for example. However, note that although the execute bit lets us enter the directory, we’re not allowed to list its contents, unless we also have the read permissions to that directory.

We can view the access permissions of a file by doing a long directory listing with the ls -l command. This is what a long directory listing might look like:

jijo.tj@4wing2:~$ ls -l
total 457
-rw-r--r-- 1 jijo.tj pivusers 14737 2012-09-15 08:57 Analysed Tickets.txt~
-rw-r--r-- 1 jijo.tj pivusers  8839 2012-11-12 22:38 Assignment
-rw-r--r-- 1 jijo.tj pivusers 10988 2012-11-13 18:54 Assignment – Apache

The very first column, shows the file type and permissions. The second column shows the number of links (directory entries that refer to the file), the third one shows the owner of the file, and the fourth one shows the group the file belongs to. The other columns show the file’s size in bytes, date and time of last modification, and the filename.

The first column, the one that shows the file’s permissions, is organized into four separate groups.

The first group consists of only one character, and it shows the file’s type. For example, d means a directory and – means a normal file.

The first character can be any of these:

d = directory
- = regular file
l = symbolic link
s = Unix domain socket
p = named pipe
c = character device file
b = block device file

The next nine characters show the file’s permissions, divided into three groups, each consisting of three characters. The first group of three characters shows the read, write, and execute permissions for user, the owner of the file. The next group shows the read, write, and execute permissions for the group of the file. Similarly, the last group of three characters shows the permissions for other, everyone else. In each group, the first character means the read permission, the second one write permission, and the third one execute permission.

The characters are pretty easy to remember.

r = read permission
w = write permission
x = execute permission
- = no permission

chmod

We can set file permissions with the chmod command. Both the root user and the file’s owner can set file permissions. chmod has two modes, symbolic and numeric.

The symbolic mode is pretty easy to remember. First, we decide if we set permissions for the user (u), the group (g), others (o), or all of the three (a). Then, we either add a permission (+), remove it (-), or wipe out the previous permissions and add a new one (=). Next, we decide if we set the read permission (r), write permission (w), or execute permission (x). Last, we’ll tell chmod which file’s permissions we want to change.

Let’s have a couple of examples. Suppose we have a regular file called testfile, and the file has full access permissions for all the groups (long directory listing would show -rwxrwxrwx as the file’s permissions).

Wipe out all the permissions but add read permission for everybody:
$ chmod a=r testfile
After the command, the file's permissions would be -r--r--r--

Add execute permission for the group:
$ chmod g+x testfile
Now, the file's permissions would be -r--r-xr--

Add both write and execute permissions for the file's owner. Note how we can set more than one permission at the same time:
$ chmod u+wx testfile
After this, the file permissions will be -rwxr-xr--

Remove the execute permission from both the file's owner and group. Note, again, how we can set them both at once:
$ chmod ug-x testfile
Now, the permissions are -rw-r--r--

The other mode in which chmod can be used is the numeric mode. In the numeric mode, the file permissions aren’t represented by characters. Instead, they are represented by a three-digit octal number.

4 = read (r)
2 = write (w)
1 = execute (x)
0 = no permission (-)

To get the permission bits we want, we add up the numbers accordingly. For example, the rwx permissions would be 4+2+1=7, rx would be 4+1=5, and rw would be 4+2=6. Because we set separate permissions for the owner, group, and others, we’ll need a three-digit number representing the permissions of all these groups.

Let’s have an example.
$ chmod 755 testfile
This would change the testfile’s permissions to -rwxr-xr-x. The owner would have full read, write, and execute permissions (7=4+2+1), the group would have read and execute permissions (5=4+1), and the world would have the read and execute permissions as well.

Let’s have another example:
$ chmod 640 testfile
In this case, testfile's permissions would be -rw-r-----. The owner would have read and write permissions (6=4+2), the group would have read permission only (4), and others wouldn't have any access permissions (0).

The numeric mode may not be as straightforward as the symbolic mode, but with the numeric mode, we can more quickly and efficiently set the file permissions.
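As an added worked example (not part of the original post), here is a small Python model of the symbolic and numeric modes described above. It converts the nine-character permission field of ls -l to and from octal digits, applies chmod-style symbolic clauses, and flags modes that give write access to the group or to everyone, which is the check an auditor runs over a listing. The function names and the sample modes are this example's own; setuid, setgid and sticky bits and the umask are deliberately left out.

```python
import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perm_string(field):
    """Turn the ls -l permission field (e.g. '-rw-r--r--' or 'rw-r--r--')
    into a (user, group, other) tuple of octal digits.
    Only r, w, x and '-' are understood: s, S, t and T (setuid, setgid,
    sticky) are not modelled here and raise."""
    perms = field[-9:]
    if len(perms) != 9:
        raise ValueError("expected nine permission characters: %r" % field)
    digits = []
    for i in range(0, 9, 3):
        value = 0
        for ch, expected in zip(perms[i:i + 3], "rwx"):
            if ch == expected:
                value |= PERM_BITS[ch]
            elif ch != "-":
                raise ValueError("unexpected character %r in %r" % (ch, field))
        digits.append(value)
    return tuple(digits)


def format_perm_string(digits):
    """Inverse of parse_perm_string: (6, 4, 4) -> 'rw-r--r--'."""
    out = []
    for d in digits:
        for ch in "rwx":
            out.append(ch if d & PERM_BITS[ch] else "-")
    return "".join(out)


def apply_symbolic(digits, expression):
    """Apply a chmod symbolic expression such as 'a=r', 'g+x', 'u+wx',
    'ug-x' or a comma-separated list like 'u=rw,go=r' to a mode tuple."""
    user, group, other = digits
    current = {"u": user, "g": group, "o": other}
    for clause in expression.split(","):
        m = re.fullmatch(r"([ugoa]*)([+\-=])([rwx]*)", clause)
        if not m:
            raise ValueError("bad symbolic clause: %r" % clause)
        who, op, perms = m.groups()
        # chmod treats an empty 'who' like 'a' (the umask is ignored here)
        targets = "ugo" if (not who or "a" in who) else who
        bits = sum(PERM_BITS[p] for p in perms)
        for cls in targets:
            if op == "+":
                current[cls] |= bits
            elif op == "-":
                current[cls] &= ~bits & 7
            else:  # '=' replaces the class's permissions outright
                current[cls] = bits
    return (current["u"], current["g"], current["o"])


def apply_numeric(octal):
    """'755' -> (7, 5, 5); rejects anything that is not three octal digits."""
    if not re.fullmatch(r"[0-7]{3}", octal):
        raise ValueError("need three octal digits, got %r" % octal)
    return tuple(int(c) for c in octal)


def write_exposure(digits):
    """Report who besides the owner can modify the file."""
    _, group, other = digits
    issues = []
    if group & PERM_BITS["w"]:
        issues.append("group-writable")
    if other & PERM_BITS["w"]:
        issues.append("world-writable")
    return issues


if __name__ == "__main__":
    # The walkthrough from the text: testfile starts as -rwxrwxrwx.
    mode = parse_perm_string("-rwxrwxrwx")
    for expr in ("a=r", "g+x", "u+wx", "ug-x"):
        mode = apply_symbolic(mode, expr)
        print("chmod %-5s -> -%s" % (expr, format_perm_string(mode)))
    for octal in ("755", "640", "777"):
        mode = apply_numeric(octal)
        print("chmod %s   -> -%s %s" % (octal, format_perm_string(mode),
                                     write_exposure(mode)))
```

Running it reproduces the four symbolic steps from the text and the two numeric examples, and reports 777 as both group- and world-writable, which is what a permissions audit over ls -lR output is looking for.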

chown

We can change the owner and group of a file or a directory with the chown command. Keep in mind that on Linux only root can change a file's owner (the kernel requires the CAP_CHOWN capability for that); an unprivileged owner can only change the file's group, and only to a group they themselves belong to.

Set the file’s owner:
$ chown username somefile
After giving this command, the new owner of a file called somefile will be the user username. The file’s group owner will not change. Instead of a user name, we can also give the user’s numeric ID here if we want.

We can also set the file's group at the same time. If the user name is followed by a colon and a group name, the file's group will be changed as well.
$ chown username:usergroup somefile
After giving this command, somefile’s new owner would be user username and the group usergroup.

We can set the owner of a directory exactly the same way we set the owner of a file:
$ chown username somedir
Note that after giving this command, only the owner of the directory will change. The owner of the files inside of the directory won’t change.

In order to set the ownership of a directory and all the files in that directory, we’ll need the -R option:
$ chown -R username somedir
Here, R stands for recursive because this command will recursively change the ownership of directories and their contents. After issuing this example command, the user username will be the owner of the directory somedir, as well as every file in that directory.

To see what happens:

$ chown -v username somefile
changed ownership of ‘somefile’ to username

Here, v stands for verbose. If we use the -v option, chown will list what it did (or didn’t do) to the file.

The verbose mode is especially useful if we change the ownership of several files at once. For example, this could happen when we do it recursively:

$ chown -Rv username somedir
changed ownership of ‘somedir/’ to username
changed ownership of ‘somedir/boringfile’ to username
changed ownership of ‘somedir/somefile’ to username

As we can see, chown reports what it did to each file.

chgrp

In addition to chown, we can also use the chgrp command to change the group of a file or a directory. We must be either the root user or the owner of the file to change the group, and an unprivileged owner can only move the file into a group they are a member of.

chgrp works pretty much the same way as chown does, except that it changes the file's group instead of its owner.
$ chgrp usergroup somefile
After issuing this command, the file somefile will be owned by the group usergroup. Although the file's group has changed to usergroup, the file's owner will still be the same.

The options of using chgrp are the same as using chown. So, for example, the -R and -v options will work with it just like they worked with chown:

$ chgrp -Rv usergroup somedir
changed group of ‘somedir/’ to usergroup
changed group of ‘somedir/boringfile’ to usergroup
changed group of ‘somedir/somefile’ to usergroup

Like chown, chgrp reports what it did to each file.

CLI shortcuts

Posted: May 2, 2013 in General linux

Some shortcuts which can be used on the command line (these are the GNU readline emacs-mode bindings that bash uses by default).

Ctrl-a -> Move to the start of the line

Ctrl-e -> Move to the end of the line

Alt-b -> Move one word backward

Alt-f -> Move one word forward

Ctrl-b -> Move one character backward

Ctrl-f -> Move one character forward

Ctrl-u -> Delete from the cursor to the beginning of the line

Ctrl-k -> Delete from the cursor to the end of the line

Ctrl-w -> Delete the word before the cursor

Alt-r -> Undo all changes to the line

Ctrl-y -> Paste (yank) the text most recently deleted with Ctrl-u, Ctrl-k or Ctrl-w; readline keeps it in its own kill ring, not in the system clipboard

Some .htaccess rules

Posted: May 2, 2013 in General linux

Redirect non-www to www

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

%{HTTP_HOST} is taken from the client's Host header, so a request that arrives with a forged Host header is redirected to whatever name the client supplied. If the site has one canonical name, put it in the rule literally (http://www.domainname.com/$1, as in rule 6 below) instead of echoing %{HTTP_HOST}.

1. To enable directory browsing

Options +Indexes

## block a few types of files from showing

IndexIgnore *.wmv *.mp4 *.avi

2. To disable directory browsing

Options All -Indexes

Deny IP addresses from accessing the domain

order allow,deny
allow from all
deny from 10.114.43.102
deny from 10.224.160.4

3. To get SSI (server-side includes) working with HTML/SHTML

AddType text/html .html
AddType text/html .shtml
AddHandler server-parsed .html
AddHandler server-parsed .shtml
# AddHandler server-parsed .htm

This is SSI, not SSL: server-parsed tells mod_include to process the files, and it only works if the directory also has Options +Includes. Prefer Options +IncludesNOEXEC, which keeps #include working but disables the #exec element that lets an included file run shell commands as the web server user.

4. To block users from accessing the site

order allow,deny
allow from all
deny from 10.54.122.33
deny from 10.70.44.53
deny from .spammers.com

This rule is often written with "order deny,allow", which does not work: under that order a client matching both a Deny and an Allow line is allowed, so "deny from X" followed by "allow from all" blocks nobody. With "order allow,deny" the Allow lines are evaluated first and any matching Deny line then wins. The domain-name form (.spammers.com) makes Apache do a reverse and forward DNS lookup on every request to the directory regardless of HostnameLookups, so prefer IP addresses where you can.

5. To allow only LAN users

order deny,allow

deny from all

allow from 192.168.0.0/24

6. To Redirect Visitors to New Page/Directory

Redirect /oldpage.html http://www.domainname.com/newpage.html
Redirect /olddir http://www.domainname.com/newdir/

Give the old location as a URL-path starting with a slash (relative to the document root); that form is accepted in every context.

(An iptables rule, not an .htaccess directive.) If you only want to allow a certain range of IP addresses inside 10.50.0.0, such as 10.50.10.20 through 10.50.10.80, the iprange match takes a full start and end address:

iptables -A INPUT -i eth1 -m iprange --src-range 10.50.10.20-10.50.10.80 -j ACCEPT

7. To block site from specific referrers

RewriteEngine on
RewriteCond %{HTTP_REFERER} site-to-block\.com [NC,OR]
RewriteCond %{HTTP_REFERER} site-to-block-2\.com [NC]
RewriteRule .* - [F]

Consecutive RewriteCond lines are ANDed unless the [OR] flag is given, so without it both referrers would have to match the same request and the rule would never fire. The Referer header is sent by the client and is trivially omitted or forged, so this keeps out casual traffic only.

8. To Block Hot Linking/Bandwidth hogging

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mydomain\.com/ [NC]
RewriteRule \.(gif|jpg)$ - [F]

The first condition lets requests with no Referer through (direct links, browsers that suppress referrers); the second escapes the dot in the domain and accepts both http and https. As with rule 7, this is a soft control: a referrer is whatever the client says it is.

9. To Stop .htaccess (or any other file) from being viewed

<Files .htaccess>
order allow,deny
deny from all
</Files>

These directives only make sense inside a Files container naming the file to hide; on their own, "order allow,deny" plus "deny from all" denies access to the whole directory. Apache's stock httpd.conf already protects .ht* files with a FilesMatch block, so this matters on servers where that default has been removed.

10. To set a default charset

AddDefaultCharset utf-8

This adds charset=utf-8 to the Content-Type header of text/plain and text/html responses that do not declare one, which stops browsers guessing the encoding (the trick behind UTF-7 cross-site scripting). It does not prevent 500 errors: a 500 caused by an .htaccess file is almost always a syntax error or a directive that the server's AllowOverride setting does not permit, and the reason is written to the error log.

11. To Grant CGI Access in a directory

Options +ExecCGI

AddHandler cgi-script cgi pl

# To enable all scripts in a directory use the following

# SetHandler cgi-script

12. To Change Script Extensions

AddType application/x-httpd-php .gne

Files ending in .gne will now be executed as PHP (with mod_php). Similarly, x-httpd-cgi for CGI files, etc. Only do this in directories that users cannot upload to: every mapped extension is another way for an uploaded file to be run as code.

13. To Enable Gzip – Save Bandwidth

# BEGIN GZIP
AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript
# END GZIP

Keep compression off for responses that mix attacker-influenced input with secrets such as session identifiers or CSRF tokens: compressing those over TLS is what BREACH-style attacks exploit. Static assets (CSS, JavaScript) are safe to compress.

14. To Turn off magic_quotes_gpc

# Only if you use PHP (php_flag works with mod_php only; with CGI/FastCGI PHP set it in php.ini)
php_flag magic_quotes_gpc off

magic_quotes_gpc was never an adequate SQL injection defence and was removed in PHP 5.4; turn it off and use prepared statements instead of relying on it.

15. To block access to files during certain hours of the day

Options +FollowSymLinks

RewriteEngine On

RewriteBase /

# If the hour is 16 (4 PM) Then deny all access

RewriteCond %{TIME_HOUR} ^16$

RewriteRule ^.*$ – [F,L]

16. To password protect 1 file alone

Put the following inside a Files container naming the file to protect (otherwise it applies to the whole directory):

AuthType Basic
AuthName "htaccess password prompt"
AuthUserFile /home/askapache.com/.htpasswd
Require valid-user

Do not combine this with "Order deny,allow" and "Deny from all": with the default Satisfy All, a request must pass both the host check and the password check, and Deny from all fails the host check for everyone, so nobody can log in even with a valid password. Either leave the Order/Deny lines out, as above, or add "Satisfy Any" (see rule 22).

17. To password protect multiple files

The same directives inside a FilesMatch container whose regular expression matches the files to protect:

AuthType Basic
AuthName "htaccess password prompt"
AuthUserFile /.htpasswd
Require valid-user

18. To allow network/netmask pair

Order deny,allow

Deny from all

Allow from 10.1.0.0/255.255.0.0

19. To allow IP address

Order deny,allow

Deny from all

Allow from 10.1.2.3

20.To allow more than 1 IP address

Order deny,allow

Deny from all

Allow from 192.168.1.104 192.168.1.205

21. To allow partial IP addresses (the first 1 to 3 octets of an IP) for subnet restriction

Order deny,allow

Deny from all

Allow from 10.1

Allow from 10 172.20 192.168.2
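Order, Allow and Deny interact in a way that is easy to get backwards (see rule 4 above), so here is an added Python model of how Apache 2.2's mod_authz_host decides host-based access. It is example code written for this page, not Apache's own: it handles only the IP forms of "from" (all, full IP, partial IP, CIDR, network/netmask) and not hostnames, Satisfy or Require, and the rule sets at the bottom are constructed from rules 4, 5, 18 and 21. It shows why "order deny,allow" with "deny from X" and "allow from all" lets X in, while "order allow,deny" blocks it.

```python
import ipaddress


def host_matches(spec, client_ip):
    """Match one Allow/Deny 'from' argument against a client IPv4 address.
    Supported forms: all, full IP, partial IP (1-3 leading octets), CIDR
    (192.168.0.0/24) and network/netmask (10.1.0.0/255.255.0.0). Host or
    domain names (e.g. .spammers.com) need a double-reverse DNS lookup in
    Apache and are treated here as non-matching."""
    ip = ipaddress.ip_address(client_ip)
    if spec.lower() == "all":
        return True
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if not all(o.isdigit() for o in octets):
        return False
    if len(octets) == 4:
        return ip == ipaddress.ip_address(spec)
    # partial IP: compared on octet boundaries, so "10.1" != "10.10.x.x"
    return client_ip.split(".")[:len(octets)] == octets


def parse_directives(text):
    """Split an .htaccess fragment into (directive, argument) pairs."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            pairs.append((name.lower(), value.strip()))
    return pairs


def access_allowed(text, client_ip):
    """Apache 2.2 semantics:
      Order allow,deny: some Allow must match and no Deny may match;
                        unmatched requests are denied.
      Order deny,allow: a matching Deny denies unless an Allow also matches;
                        unmatched requests are allowed.
    Order defaults to deny,allow when absent."""
    order = "deny,allow"
    allow_hit = deny_hit = False
    for name, value in parse_directives(text):
        if name == "order":
            order = value.replace(" ", "").lower()
        elif name in ("allow", "deny"):
            specs = value.split()
            if specs and specs[0].lower() == "from":
                specs = specs[1:]
            hit = any(host_matches(s, client_ip) for s in specs)
            if name == "allow":
                allow_hit = allow_hit or hit
            else:
                deny_hit = deny_hit or hit
    if order == "allow,deny":
        return allow_hit and not deny_hit
    if order == "deny,allow":
        return allow_hit or not deny_hit
    raise ValueError("unsupported Order value: %r" % order)


# Constructed rule sets modelled on the page's rules 4, 5, 18 and 21.
BLOCKLIST_AS_OFTEN_WRITTEN = """
order deny,allow
deny from 10.54.122.33
deny from 10.70.44.53
allow from all
"""
BLOCKLIST_FIXED = """
order allow,deny
allow from all
deny from 10.54.122.33
deny from 10.70.44.53
"""
LAN_ONLY = """
order deny,allow
deny from all
allow from 192.168.0.0/24
"""
NETMASK_AND_PARTIAL = """
order deny,allow
deny from all
allow from 10.1.0.0/255.255.0.0
allow from 172.20 192.168.2
"""

if __name__ == "__main__":
    for label, rules in (("deny,allow", BLOCKLIST_AS_OFTEN_WRITTEN),
                         ("allow,deny", BLOCKLIST_FIXED)):
        print("blocklist with order %-10s 10.54.122.33 allowed: %s"
              % (label, access_allowed(rules, "10.54.122.33")))
    print("lan only 192.168.0.7 allowed:", access_allowed(LAN_ONLY, "192.168.0.7"))
    print("lan only 10.0.0.1 allowed:   ", access_allowed(LAN_ONLY, "10.0.0.1"))
```

The first print shows the blocklisted address getting through under "order deny,allow"; the second shows the same list working under "order allow,deny". Paste any Order/Allow/Deny block from this page into access_allowed with the client address you care about to check it before deploying it.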

22. To allow accessing site from one IP without password and allow from any address with password prompt

Order deny,allow

Deny from all

AuthName “htaccess password prompt”

AuthUserFile /home/askapache.com/.htpasswd

AuthType Basic

Require valid-user

Allow from 172.17.10.1

Satisfy Any

23. Add a .htaccess file in the directory you want to protect with the following code.

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /path/to/htpwd/.htpasswd
Require valid-user

Then set the permissions:

$ chmod 644 .htaccess
$ chmod 640 .htpasswd

With mode 640 the web server can only read .htpasswd if it runs as the file's owner or as a member of its group, so set the file's group to the httpd user's group (chgrp) or the login prompt will fail for everyone. Keep .htpasswd outside the document root so it cannot be fetched over HTTP, and create its entries with a strong hash (Apache 2.4's htpasswd -B uses bcrypt) rather than the old crypt default.

IPtables&CSF

Posted: May 2, 2013 in General linux

1. To check if an IP is blocked on a server or not.

csf -g IP

grep 81.226.54.65 /etc/csf/csf.deny

grep 81.226.54.65 /var/log/lfd.log

Using iptables directly:

iptables -nL | grep IP

2. To unblock an IP in iptables

Rules are matched top to bottom, so appending an ACCEPT rule (-A) below an existing DROP for the same address changes nothing. Delete the DROP rule instead (see 3), or, if you must add an ACCEPT, insert it at the top of the chain with -I:

iptables -I INPUT -s 74.129.142.20 -j ACCEPT

3. To delete an entry in iptables (the rule must be specified exactly as it was added)

iptables -D INPUT -s xx.xxx.xx.xx/yy -j DROP

iptables -D INPUT -p tcp --dport 6588 -j DROP

iptables -D INPUT -s "207.58.140.12" -j DROP

4. To restart CSF

csf -r

5. When you are not able to telnet localhost 25

Check /etc/csf/csf.conf: when SMTP_BLOCK is enabled, CSF stops local users from connecting to port 25 except through the mail server's own accounts, so set it to

SMTP_BLOCK = "0"

6. To save new rules

/etc/init.d/iptables save

7. To block a specific IP

iptables -I INPUT -s “207.58.140.12” -j DROP

8. To Allow incoming to port 22 and 80:

iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT

iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT

9. To View all current iptables rules:

iptables -L -v

10. To View all INPUT rules:

iptables -L INPUT -nv

How to block and unblock a port:

11. To block port 25:

iptables -A INPUT -p tcp --dport 25 -j DROP

iptables -A INPUT -p udp --dport 25 -j DROP

12. To enable port 25 again:

Remove the DROP rules rather than appending ACCEPT rules after them; an ACCEPT placed below a matching DROP is never reached.

iptables -D INPUT -p tcp --dport 25 -j DROP

iptables -D INPUT -p udp --dport 25 -j DROP

If there is no DROP rule and the chain's default policy is DROP, an explicit ACCEPT is what opens the port:

iptables -A INPUT -p tcp --dport 25 -j ACCEPT

iptables -A INPUT -p udp --dport 25 -j ACCEPT
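Rules 2, 3, 7, 11 and 12 above only behave as described if you remember that iptables walks a chain top to bottom and the first matching rule decides. The following Python model of that evaluation is an added example written for this page (not iptables code; it understands only -A/-I/-D, -s, -p, --dport and -j, ignores -i, and uses a constructed INPUT chain with an ACCEPT policy). It replays the block, "unblock" and delete commands from this post for one address and shows that appending an ACCEPT after an existing DROP changes nothing, whereas deleting the DROP with -D does.

```python
import ipaddress
import shlex


def parse_rule(command):
    """Parse the subset of iptables syntax used on this page into
    (action, rule). Unsupported options raise rather than being ignored."""
    tokens = shlex.split(command)
    if tokens and tokens[0] == "iptables":
        tokens = tokens[1:]
    action = None
    rule = {"chain": None, "src": None, "proto": None, "dport": None,
            "target": None}
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if opt in ("-A", "-I", "-D"):
            action, rule["chain"] = opt, tokens[i + 1]
            i += 2
        elif opt == "-s":
            # a bare address becomes a /32 network
            rule["src"] = ipaddress.ip_network(tokens[i + 1], strict=False)
            i += 2
        elif opt == "-p":
            rule["proto"] = tokens[i + 1].lower()
            i += 2
        elif opt == "--dport":
            rule["dport"] = int(tokens[i + 1])
            i += 2
        elif opt == "-j":
            rule["target"] = tokens[i + 1]
            i += 2
        elif opt == "-i":
            i += 2  # interface is not modelled
        else:
            raise ValueError("unsupported option %r" % opt)
    if action is None or rule["target"] is None:
        raise ValueError("need -A/-I/-D CHAIN and -j TARGET")
    return action, rule


class Chain:
    """A single chain with a default policy and first-match evaluation."""

    def __init__(self, name="INPUT", policy="ACCEPT"):
        self.name, self.policy, self.rules = name, policy, []

    def run(self, command):
        action, rule = parse_rule(command)
        if rule["chain"] != self.name:
            raise ValueError("rule is for chain %s" % rule["chain"])
        if action == "-A":
            self.rules.append(rule)           # goes to the end
        elif action == "-I":
            self.rules.insert(0, rule)        # goes to the top
        else:  # -D deletes the first rule with an identical specification
            for idx, existing in enumerate(self.rules):
                if existing == rule:
                    del self.rules[idx]
                    return
            raise LookupError("no rule matches %r" % command)

    def verdict(self, src, proto, dport):
        ip = ipaddress.ip_address(src)
        for rule in self.rules:
            if rule["src"] is not None and ip not in rule["src"]:
                continue
            if rule["proto"] is not None and rule["proto"] != proto:
                continue
            if rule["dport"] is not None and rule["dport"] != dport:
                continue
            return rule["target"]             # first match decides
        return self.policy


def unblock_scenario():
    """Replay the page's block / 'unblock' / delete commands for one IP and
    return the verdict for a TCP/80 packet from it after each step."""
    chain = Chain()
    steps = []
    chain.run('iptables -I INPUT -s "207.58.140.12" -j DROP')      # rule 7
    steps.append(chain.verdict("207.58.140.12", "tcp", 80))
    chain.run("iptables -A INPUT -s 207.58.140.12 -j ACCEPT")      # rule 2, appended
    steps.append(chain.verdict("207.58.140.12", "tcp", 80))
    chain.run('iptables -D INPUT -s "207.58.140.12" -j DROP')      # rule 3
    steps.append(chain.verdict("207.58.140.12", "tcp", 80))
    return steps


if __name__ == "__main__":
    print("after block / append ACCEPT / delete DROP:", unblock_scenario())
```

The three verdicts come out as DROP, DROP, ACCEPT: the appended ACCEPT never saw a packet because the DROP above it matched first. On a real host, iptables -L INPUT -nv --line-numbers shows the order (and the per-rule packet counters, which make an unreachable rule obvious).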

13. To track the connection state

iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT

14. To Drop incoming UDP packets on port 137 and 138 without logging

iptables -A INPUT -p udp --dport 137 -j DROP

iptables -A INPUT -p udp --dport 138 -j DROP

15. To Accept all other incoming UDP packets

iptables -A INPUT -p UDP -j ACCEPT

16. To View max tracked connections

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max

On kernels that use nf_conntrack rather than the old ip_conntrack module the file is /proc/sys/net/netfilter/nf_conntrack_max.

17. To Set max tracked connections

echo 128000 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max

Writing to /proc does not survive a reboot. Make the setting persistent with a line in /etc/sysctl.conf (net.netfilter.nf_conntrack_max = 128000, or net.ipv4.netfilter.ip_conntrack_max on old kernels) followed by sysctl -p; only fall back to an echo in rc.local if sysctl.conf is not available. Every tracked connection costs kernel memory, so size this from the memory you can spare.

18. To View Current HASHSIZE

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets

On nf_conntrack kernels read /proc/sys/net/netfilter/nf_conntrack_buckets, or /sys/module/nf_conntrack/parameters/hashsize, which is also where it can be changed.

iptables rule to block an IP from accessing a domain

07 Sunday Oct 2012

Posted by cpanel stuffs in ip block, iptables

You can use the following rule to block an IP from accessing a single domain.

iptables -I INPUT -s SOURCE_IP -p tcp --dport 80 -m string --string domain.com --algo bm -j DROP

The string match looks for the literal bytes "domain.com" anywhere in the packet payload, so it catches the Host header of plain HTTP requests but also any other packet from that address that happens to contain the string (a request for a longer name that includes it, a POST body mentioning it), and it sees nothing inside HTTPS. For per-domain blocking, a Deny rule in that virtual host's Apache configuration is the reliable tool; the iptables rule is a quick stopgap.

Some Tips

Posted: May 2, 2013 in General linux

1. To check the CPU usage of the running processes (processes at 0.0% are filtered out)

ps -e -o pcpu,cpu,nice,state,cputime,args --sort pcpu | sed '/^ 0.0 /d'

2. To check whether any zombie processes are running

ps aux | awk '{ print $8 " " $2 }' | grep -w Z

3. To store all the processes, both parent and child, in a file sample.txt

pstree -paul > sample.txt

4. To list the files of GB size under /backup/cpbackup (run from that directory; testing the size column avoids hits on file names that merely contain a G)

ls -lsh ./*/* | awk '$6 ~ /G$/'

5. To exclude a particular directory or file from cPanel backups.

Step 1: Create cpbackup-exclude.conf in the user's home directory.

/home/user/cpbackup-exclude.conf

Step 2: Add the files you need to exclude to that file, one per line.

Step 3: If you need to exclude a directory, don't add a trailing slash at the end; it will exclude all files in the directory.

6. To check which IPs have the most connections to port x (example: 80):

netstat -plan | awk '$4 ~ /:80$/ {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

7. To display history without line numbers:

history | perl -pe 's/^([ ]*)([0-9]*)(.*)$/$3/'

(perl's -i switch edits files in place and does nothing useful on a pipe, so it is left out.)

8. To display the validity dates of a site's certificate

openssl s_client -connect www.google.com:443 -servername www.google.com </dev/null 2>/dev/null | openssl x509 -noout -dates

-connect takes host:port, not a URL; -servername sends SNI so a shared host returns the right certificate, and reading stdin from /dev/null makes s_client exit once the handshake is done.

9. To verify whether an RSA private key and certificate match you can use the following commands

Save the key file as key.txt and the certificate file as crt.txt

openssl rsa -modulus -noout -in key.txt | openssl md5 > key.out

openssl x509 -modulus -noout -in crt.txt | openssl md5 > crt.out

Now check that both files are the same using the following command:

diff key.out crt.out

No output means the moduli match. The -modulus trick is RSA-only; for any key type compare the public keys instead: openssl pkey -in key.txt -pubout and openssl x509 -in crt.txt -noout -pubkey must print identical PEM blocks.

The LAMP installation process

Posted: April 29, 2013 in General linux

A few words before we start. This is not a step by step instruction guide to install LAMP. This is how I completed the LAMP installation successfully!!! You may find some stuff  just as waste 😛 Please don’t put the blame on me for that 🙂

Ok. Let’s start

I referred the below URL to start LAMP installation.


http://lamphowto.com/lampssl.html

As mentioned here, before starting the installation, I checked for the RPM versions of below services.


rpm -qa | grep -i apache
rpm -qa | grep -i httpd
rpm -qa | grep -i php
rpm -qa | grep -i mysql
rpm -qa | grep -i openssl
rpm -qa | grep -i mod_ssl

Found rpm versions of httpd, apache and openssl. Removed them using the below commands.


rpm -e httpd-2.2.3-43.el5.centos.
rpm -e vzdummy-apache-1.0-1.swsoft
rpm -e openssl-0.9.8e-12.el5_4.6

Then I downloaded below tar balls to /usr/local/src.


wget http://apache.mirrors.tds.net//httpd/httpd-2.2.23.tar.gz
wget http://us.php.net/get/php-5.3.15.tar.gz/from/this/mirror
wget http://mysql.mirrors.pair.com/Downloads/MySQL-5.5/mysql-5.5.18.tar.gz
wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
wget http://www.modssl.org/source/mod_ssl-2.8.30-1.3.39.tar.gz

Unzipped them using the below commands.


tar zxf httpd-2.2.23.tar.gz
tar zxf mysql-5.5.28.tar.gz
tar zxf php-5.3.15.tar.gz
tar zxf openssl-1.0.1c.tar.gz
tar zxf mod_ssl-2.8.30-1.3.39.tar.gz

I decided to start with the mysql installation.

Created a group ‘mysql’ and user ‘mysql’ with the following commands.


groupadd mysql
useradd -g mysql -c “MySQL Server” mysql

Moved to ‘mysql-5.5.28’ and ran ‘./configure’, but received a ‘command not found’ error. From the Internet, I understood that from mysql-5.5 onwards, cmake is used instead of ./configure.
Ran ‘cmake mysql-5.5.28’ and again received a ‘command not found’ error.

Understood that cmake needs to be installed. Downloaded ‘cmake-2.8.3.tar.gz’, unzipped, and moved to ‘cmake-2.8.3.tar.gz’.

Ran ‘./configure’ and encountered ‘gcc’ not found error.

Made yum working and installed ‘gcc’ and ‘gcc-c++’ using yum.

Then I installed ‘cmake ‘ using the below commands.


./configure
gmake
gmake install
cmake mysql-5.5.28

After removing ‘CMakeCache.txt’, ran ‘cmake mysql-5.5.28’ and encountered a ‘curses library not found’ error. Installed ‘ncurses-devel’ and ran ‘cmake mysql-5.5.28’. At the end, saw the warning ‘Bison executables not found’. Ignored it and went ahead with ‘make’ and ‘make install’. However, running ‘./scripts/mysql_install_db’ was not successful. With the assumption that the installation was corrupted, I tried to reinstall several times but failed as before.

Exported the bison path as below but did not help.


export PATH=$PATH:/usr/local/bison/bin

I left the mysql installation there and went for apache installation. Since I was not convinced with the installation of apache mentioned at ‘http://lamphowto.com/lampssl.html’, went for another link and got the below link.


http://www.thegeekstuff.com/2011/03/install-apache2-ssl/

I followed the instructions here and upon compiling, encountered a ‘libssl not found’ error.
Installed ‘libssl-dev’ using yum and compiled apache with ssl support, and successfully installed apache-2.2.17.

I came back to the mysql installation and tried to uninstall source installation using the below command, but it wasn’t successful.


make -n uninstall

I did a detailed study on source installation of mysql and understood that the new installation will overwrite the old one. Also, read that it is better to download the tar ball from mysql's site.

So, I downloaded ‘mysql-5.5.27.tar.gz’ from the below URL.


wget http://downloads.mysql.com/archives/mysql-5.5/mysql-5.5.27.tar.gz

From the URL ‘http://dev.mysql.com/doc/refman/5.5/en/installing-source-distribution.htm’, I understood that bazaar, bison and perl need to be installed before mysql. Installed perl and bazaar using yum and bison from source. After that, I successfully installed mysql-5.5.27.

However, the command mysql was not working since the server failed to find the binary. So, I included the following line in root's .bashrc and .bash_profile and this fixed the issue.


PATH=${PATH}:/usr/local/mysql/bin

Then I went for the installation of ‘php-5.3.15’ with mysql support. Upon compiling, I received the ‘configure: error: xml2-config not found’ error. So, I installed ‘libxml2-devel’ using yum. When I recompiled, it again ended with the error ‘configure: error: Cannot find MySQL header files under yes’. Then I specified the path of mysql as below and the compilation ended with another error, cannot allocate memory.


./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql=/usr/local/mysql

Then I recompiled using the option ‘disable-fileinfo’ as below and successfully installed ‘php-5.3.15’.


./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql=/usr/local/mysql --disable-fileinfo

Created a phpinfo page at ‘/usr/local/apache2/htdocs’ and upon loading, it was just showing the code instead of the info page. However, the page was displaying properly when using the php command:
php -r 'print_r(phpinfo());'
I had copied the ‘development’ version of php.ini to /usr/local/lib/php/ini. Upon checking, I could find that ‘short_open_tag’ has the value ‘Off’ in the ‘development’ version. Changed it to ‘On’ and loaded the info page successfully.
Thus, I completed the most interesting ‘LAMP’ installation.