Tuesday 24 December 2013

Special permissions in Linux (SUID, SGID, Sticky Bit)

There are three special permissions commonly used in Linux.

1) Set User ID i.e. SUID (only for command binaries)
2) Set Group ID i.e. SGID (for command binaries and directories)
3) Sticky Bit (only for directories)

SUID (Set User ID) : When the SUID bit is set on a command, that command always executes with the user ID of its own user owner (who created it) instead of the user ID of the user who is executing it.

Eg: The binary of the passwd command has the SUID permission set on it; that is why, when unprivileged users execute this command, it always executes with the UID of "root" and changes their password in /etc/shadow (which is readable or writable only by root).

To set SUID on a program, run:


#chmod u+s /usr/bin/test    or
#chmod 4744 /usr/bin/test

SGID (Set Group ID)(on command binary) : When the SGID permission is set on a command, that command runs with the group ID of the group owner of the command's binary instead of the GID of the user who is executing it. To set SGID on a program, run:

#chmod g+s /usr/bin/test or
#chmod 27xx /usr/bin/test


SGID (Set Group ID)(on directories) => When the SGID permission is set on a directory, all new (future) files created under that directory get the same group owner as the parent directory. Moreover, subdirectories created in future also get the SGID bit. Example: if we set SGID on a directory, say /tmp/test with group owner "varu", and another user "smith" creates a file in /tmp/test, the user owner of that file will be "smith" but the group owner will be "varu" because of the SGID on the parent directory. To set SGID on a directory, run:

#chmod g+s /usr/bin/directory or
#chmod 27xx /usr/bin/directory


Sticky Bit : Files created under a directory that has the Sticky Bit set can be deleted only by root or by the user who created them. No other user can delete such a file even if they have write permission on the parent directory. EXAMPLE: the /tmp directory has the Sticky Bit set, which is why content under it can be deleted only by root or by the user owner of the content/file. To set the Sticky Bit on a directory, run:

#chmod o+t /tmp/
#chmod 1777 /tmp/
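The three bits above can be read back and inventoried with plain POSIX tools. The following is an added example, not code from the original post: it decodes which special bits a path carries and lists every SUID/SGID file and SGID/sticky directory under a tree, which is the inventory a defender compares against a known-good baseline (an unexpected SUID root binary is a finding). It runs as an unprivileged user on a scratch directory; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post: decode the special bits on a path
# and audit a directory tree for them. Uses only POSIX test(1) and find(1), so
# it runs unprivileged on a scratch directory.

# Print which special bits are set on "$1" as a comma-separated list
# (suid, sgid, sticky); prints an empty line when none are set.
special_bits() {
  f=$1
  out=""
  [ -u "$f" ] && out="${out}suid,"
  [ -g "$f" ] && out="${out}sgid,"
  [ -k "$f" ] && out="${out}sticky,"
  printf '%s\n' "${out%,}"
}

# List, one path per line, every regular file with SUID or SGID set and every
# directory with SGID or the sticky bit set under "$1", staying on one
# filesystem (-xdev). Sorted so the output can be diffed against a baseline.
audit_special() {
  find "$1" -xdev \
    \( -type f \( -perm -4000 -o -perm -2000 \) \) -o \
    \( -type d \( -perm -2000 -o -perm -1000 \) \) 2>/dev/null | sort
}

# Number of entries reported by audit_special, for a quick check.
audit_count() {
  audit_special "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: audit the directory given as the first argument (default /usr).
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
  audit_special "${1:-/usr}"
fi
```

On a production host, store the output of audit_special for / in version control and re-run it from cron; any new entry is either a package update or something to investigate.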


 Learn & share
 Rzm


Friday 20 December 2013

Error: Error: The Yum utility failed to install the required packages. Attention! Your software might be inoperable. Please, contact product technical support.

Hi all,

I encountered the following error with Yum during a Plesk upgrade. This was mainly seen when customers tried a direct upgrade from Plesk 8.6 to 11.

"Error: The Yum utility failed to install the required packages.
Attention! Your software might be inoperable.
Please, contact product technical support."



The issue was caused by the following .so soft links, which pointed at the newer libz.so.1.2.5:
-------------------------------------------------------------------------------------------------------
xxxx-bash-3.2# ls -al /usr/lib/libz*
-rw-r--r-- 1 root root 101462 Aug 23 09:13 /usr/lib/libz.a
lrwxrwxrwx 1 root root     13 Dec 21 02:23 /usr/lib/libz.so -> libz.so.1.2.5
lrwxrwxrwx 1 root root     13 Dec 21 02:23 /usr/lib/libz.so.1 -> libz.so.1.2.5
-rwxr-xr-x 1 root root  73580 Jan 10  2007 /usr/lib/libz.so.1.2.3
-rwxr-xr-x 1 root root  95004 Aug 23 09:13 /usr/lib/libz.so.1.2.5
-------------------------------------------------------------------------------------------------------

Replacing the soft links on the server with the ln -s command helped me.

Command summary after soft link was replaced.
------------------------------------------------------------------------------------------------------
xxxx-bash-3.2# ls -al /usr/lib/libz*
-rw-r--r-- 1 root root 101462 Aug 23 09:13 /usr/lib/libz.a
lrwxrwxrwx 1 root root     13 Dec 21 02:23 /usr/lib/libz.so -> libz.so.1.2.3
lrwxrwxrwx 1 root root     13 Dec 21 02:23 /usr/lib/libz.so.1 -> libz.so.1.2.3
-rwxr-xr-x 1 root root  73580 Jan 10  2007 /usr/lib/libz.so.1.2.3
-rwxr-xr-x 1 root root  95004 Aug 23 09:13 /usr/lib/libz.so.1.2.5

xxxx-bash-3.2#yum clean all
------------------------------------------------------------------------------------------------------

If the reported steps do not do the trick for you, you can also try to reinstall the yum packages with rpm.

Command summary
---------------------------------------------
#cd /usr/lib
#ln -sf libz.so.1.2.3 /usr/lib/libz.so
#ln -sf libz.so.1.2.3 /usr/lib/libz.so.1
---------------------------------------------
(-f replaces the existing links; a plain ln -s would fail with "File exists" because both links are already present.)
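Because libz.so.1 is loaded by many running programs, the safest way to repoint it is to create the new link under a temporary name and rename it over the old one, which is a single atomic rename rather than an unlink followed by a link. The following is an added example, not code from the original post: the library directory and target version are parameters, so the same functions can be exercised on a scratch directory before touching /usr/lib. The function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post: repoint the libz symlinks
# atomically and verify the result. LIBDIR and the target version are
# parameters so the functions can be tried on a scratch directory first.

# Atomically repoint symlink "$1" at relative target "$2": create the link
# under a temporary name, then rename(2) it over the old link. Readers never
# observe a missing libz.so.1, unlike "rm && ln -s".
relink() {
  link=$1
  target=$2
  tmp="${link}.tmp.$$"
  ln -s "$target" "$tmp" && mv -f "$tmp" "$link"
}

# Repoint libz.so and libz.so.1 inside "$1" at the real library "$2"
# (e.g. libz.so.1.2.3). Refuses to act if that library is not present,
# so a typo cannot leave the links dangling.
relink_libz() {
  libdir=$1
  real=$2
  if [ ! -f "$libdir/$real" ]; then
    echo "relink_libz: $libdir/$real does not exist, nothing changed" >&2
    return 1
  fi
  relink "$libdir/libz.so"   "$real"
  relink "$libdir/libz.so.1" "$real"
}

# Print "link -> target" for both links, one per line, for a post-change check.
libz_targets() {
  libdir=$1
  for l in libz.so libz.so.1; do
    printf '%s -> %s\n' "$l" "$(readlink "$libdir/$l")"
  done
}

# Stand-alone usage (as root): ./relink_libz.sh /usr/lib libz.so.1.2.3
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ] && [ $# -eq 2 ]; then
  relink_libz "$1" "$2" && libz_targets "$1"
fi
```

After the relink, run "yum clean all" as the post does; the old links are gone, so yum's Python loads the 1.2.3 library it was built against.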

Reference: http://pads.tiddlyspace.com/YumSegmentationFault

Learn & Share
rzm

Tuesday 10 December 2013

Script to monitor tomcat service

 Hi all,

This is a small script which can be used to monitor the Tomcat service on a web server, to avoid downtime if the Tomcat service goes down. It helped me once to keep the Tomcat service running for a customer whose Tomcat service was going down intermittently.

Script
-------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
#
# Fetch the site; if the expected keyword is missing after MAXTRIES attempts,
# kill and restart Tomcat and log what was done.

CHECK_URL="http://example.com/index.jsp"
CHECK_KEYWORD="synosure"
MAXTRIES=2
SLEEPTIME=1
LOGFILE=/var/log/tomcat_check.log
TOMCATSH=/etc/init.d/tomcat

### Functions -----------------------

# check for a few times; exits the whole script with 0 as soon as the keyword is found
function checkTomcatUp {
    _maxtries=$1
    for (( i=0; i<${_maxtries}; i=i+1 ))
    do
        if /usr/bin/curl -s -m 30 "${CHECK_URL}" | grep -q "${CHECK_KEYWORD}"
        then
            exit 0
        fi
        sleep ${SLEEPTIME}
    done
}

### ---------------------------------

checkTomcatUp ${MAXTRIES}

# perform tomcat restart
echo `date` "--- Restarting Tomcat ---" >> ${LOGFILE}

# stop tomcat (the init script stop is left commented out; the loop below kills the JVM directly)
echo `date` "Stopping Tomcat..." >> ${LOGFILE}
#${TOMCATSH} stop

# wait a while, then check if really stopped
#sleep 2
pid=`ps auwwx | grep "org.apache.catalina.startup.Bootstrap" | grep -v grep | awk '{print $2;}'`
while [ "X${pid}" != "X" ]
do
    echo `date` "Killing Tomcat, PID=" ${pid} >> ${LOGFILE}
    kill -9 ${pid}
    sleep 2
    pid=`ps auwwx | grep "org.apache.catalina.startup.Bootstrap" | grep -v grep | awk '{print $2;}'`
done

# start tomcat
echo `date` "Starting Tomcat..." >> ${LOGFILE}
${TOMCATSH} start

# give tomcat some time to start background processes
sleep 5

# just do 1 more check
checkTomcatUp 1
echo `date` "Giving up... waiting for next cron" >> ${LOGFILE}

exit 1
-------------------------------------------------------------------------------------------------------------------------------

Brief of script:

This script basically checks whether the website is up by using the curl command, which downloads the page like a normal browser would, at the command prompt (note that the result is in HTML). Now I check for a keyword of my choice in it. It could be any word included in your index page. The MAXTRIES variable in this example limits the number of checks done.



Learn & share
rzm


Friday 22 November 2013

Error : Old version of mysqlclient15 is installed, which can lead to upgrade fail ( When upgrading from plesk 9.5.4 to plesk 11.x)

Detailed error encountered:
------------------------------------------------------------------------------------------------------
EMERGENCY: Old version of mysqlclient15 is installed, which can lead to upgrade
fail. You can apply workaround from article http://kb.parallels.com/en/113737?

* Kindly apply the workaround given by Plesk http://kb.parallels.com/en/113737
before you proceed to upgrade the plesk.
------------------------------------------------------------------------------------------------------

The reported error occurs during the upgrade of Plesk. Parallels suggest the solution shown in the KB, http://kb.parallels.com/en/113737, which explains how to apply the fix once the upgrade is completed. You can also upgrade mysqlclient15 before the Plesk upgrade so that the upgrade goes smoothly. Make sure that no other external repos are enabled, and if yum lists other packages for upgrade, review them before confirming with yes.


Command summary usage
 ----------------------------------------------------------------
#yum update mysqlclient15
#rpm -qa | grep  mysqlclient15
----------------------------------------------------------------

Once the MySQL client is upgraded, go ahead with the upgrade of Plesk via the autoinstaller
(/usr/local/psa/admin/bin/autoinstaller). The upgrade should go through without any issues.

Learn & share
rzm



 

Wednesday 20 November 2013

Enable Mod deflate in plesk servers (10.x,11.x)

 
In the latest Plesk 10.x and 11.x there is an option to add Apache modules from the GUI
under "Tools & Settings >> Apache Modules". Selecting the module and saving is all it takes
to enable an Apache module from the Plesk panel.

Once the module is enabled, make sure that it is actually loaded in the
configuration file by using the following command.

-----------------------------------------------
grep 'mod_deflate' /etc/httpd/conf/httpd.conf
----------------------------------------------- 

If it is not loaded, edit the httpd configuration file to enable it (uncomment the
LoadModule line for the deflate module) with the following command:
 
------------------------------------------------------------------------------------- 
perl -pi -e 's/^#\s*LoadModule deflate_module/LoadModule deflate_module/' /etc/httpd/conf/httpd.conf
-------------------------------------------------------------------------------------
 
In normal cases it will already be enabled. Once this is done, it is a good idea to back up the configuration file.
 
--------------------------------------------------------------- 
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak 
---------------------------------------------------------------

Once the backup is done, add the following lines to httpd.conf using a text editor such as vi:

vi /etc/httpd/conf/httpd.conf

and append the following lines at the end of the configuration file.
---------------------------------------------------------------------------------
 #
 # Deflate output configuration
 #
 AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
 BrowserMatch ^Mozilla/4 gzip-only-text/html
 BrowserMatch ^Mozilla/4\.0[678] no-gzip
 BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
--------------------------------------------------------------------------------- 
 
Check that the syntax is correct after editing the Apache configuration by using the following
command:
------------------------ 
/usr/sbin/apachectl -t
------------------------
 
Restart the Apache process for the configuration changes to take effect.
 
----------------------------  
/usr/sbin/apachectl graceful  
----------------------------
 
 
Learn & Share.
rzm 

Monday 18 November 2013

Error : 1030 Got error 28 from storage engine ( From Mysql DB)


Error encountered:
----------------------------------------------------------------------------------------
ERROR: Zend_Db_Statement_Exception: SQLSTATE[HY000]: General error: 1030 Got error 28 from storage engine

Additionally, an exception has occurred while trying to report this error: Zend_Db_Statement_Exception
SQLSTATE[HY000]: General error: 1030 Got error 28 from storage engine (Pdo.php:234)

<http://kb.parallels.com/plesk-error/search?metaId=fefb2d1dcd85711d0535f0978c1de361&messageId=4b6a0cdec167dfaa64fc3fbe7dc2061e&file=Pdo.php&line=234&type=Zend_Db_Statement_Exception&message=SQLSTATE%5BHY%5D%3A+General+error%3A++Got+error++from+storage+engine> Search for related Knowledge Base articles
----------------------------------------------------------------------------------------


Cause: The reported issue is mostly caused by a lack of free space on the server disk or in the temp folder.


Solution : Just free up space in the server and temp folders.


Command usage:

Use df -h to check disk space in the server and /tmp.
Also check out the permissions for /tmp directory.


Reference: http://stackoverflow.com/questions/10631387/1030-got-error-28-from-storage-engine

Learn and share
rzm

Saturday 16 November 2013

dpkg cheat sheet


dpkg -i {.deb package}
    Install the package; if it is already installed, upgrade it, otherwise install a fresh copy.
    Example: dpkg -i zip_2.31-3_i386.deb

dpkg -R {directory-name}
    Install all packages recursively from a directory.
    Example: dpkg -R /tmp/downloads

dpkg -r {package}
    Remove/delete an installed package, keeping its configuration files.
    Example: dpkg -r zip

dpkg -P {package}
    Remove/delete everything including configuration files.
    Example: dpkg -P apache-perl

dpkg -l
    List all installed packages, along with package version and short description.
    Examples: dpkg -l, dpkg -l | less, dpkg -l '*apache*', dpkg -l | grep -i 'sudo'

dpkg -l {package}
    List an individual installed package, along with package version and short description.
    Example: dpkg -l apache-perl

dpkg -L {package}
    Find out which files are provided by an installed package, i.e. list where its files were installed.
    Examples: dpkg -L apache-perl, dpkg -L perl

dpkg -c {.deb package}
    List the files provided (or owned) by the package, i.e. all files inside the .deb file;
    very useful to find out where the files would be installed.
    Example: dpkg -c dc_1.06-19_i386.deb

dpkg -S {/path/to/file}
    Find out which package owns a file, i.e. which package the file belongs to.
    Examples: dpkg -S /bin/netstat, dpkg -S /sbin/ippool

dpkg -p {package}
    Display details about a package: package group, version, maintainer, architecture,
    dependencies, description etc.
    Example: dpkg -p lsof

dpkg -s {package} | grep Status
    Find out whether a Debian package is installed or not (its status).
    Example: dpkg -s lsof | grep Status

apt-get cheatsheet

apt-get install {package}
    Install a new package. If the package is already installed, try to upgrade it to the latest version.
    Examples: apt-get install zip, apt-get install lsof samba mysql-client

apt-get remove {package}
    Remove/delete an installed package, keeping its configuration files.
    Example: apt-get remove zip

apt-get --purge remove {package}
    Remove/delete everything including configuration files.
    Example: apt-get --purge remove mysql-server

apt-get update, apt-get upgrade
    Resynchronize the package index files and upgrade the Debian Linux system,
    including security updates (Internet access required).
    Example: apt-get update && apt-get upgrade

apt-get update, apt-get dist-upgrade
    Usually used to upgrade between Debian distributions, for example Woody to Sarge.
    'dist-upgrade', in addition to performing the function of upgrade, also intelligently
    handles changing dependencies with new versions of packages; apt-get has a "smart"
    conflict resolution system, and it will attempt to upgrade the most important packages
    at the expense of less important ones if necessary.
    Example: apt-get update && apt-get dist-upgrade

Cron cheatsheet

# Cron cheatsheet
#
# * * * * * command to be executed
# - - - - -
# | | | | |
# | | | | +- - - - day of week (0 - 6) (Sunday=0)
# | | | +- - - - - month (1 - 12)
# | | +- - - - - - day of month (1 - 31)
# | +- - - - - - - hour (0 - 23)
# +- - - - - - - - minute (0 - 59)

# Alarm clock set to 6:30AM
# 30 6 * * * /home/nano/alarm

For several fields, you may denote subdivision by using the forward-slash (/) character. To execute a job every 5 minutes, */5 in the minutes field would specify this condition.

Spans may be indicated using the dash (-) character. To execute a job Monday through Friday, MON-FRI should be used in the day-of-week field.

Multiple values may be separated using the comma (,) character. The specification of 1,15 in the day-of-month field would result in the job firing on the 1st and 15th of each month.

Either day-of-month or day-of-week must be specified using the ? character, since specifying both is contradictory.

Tuesday 12 November 2013

How to set up VPN server in linux

I will show you how to configure a VPN server with pptpd. It can also be set up with L2TP or OpenVPN; I have not tried the latter.


1) Install ppp in the server
2) Download pptpd-1.3.4-2.rhel5.x86_64.rpm in the server
3) Install the downloaded pptpd rpm package in the server
4) Edit the IP settings in pptpd.conf (/etc/pptpd.conf): you will have to specify the server
   address and the client address range (localip, remoteip)
5) Add user accounts in /etc/ppp/chap-secrets (assign username and password)
   in the specified format.
   ---------------------------------------------------------
   # client    server    secret            IP addresses
     rasimvs pptpd password *
   ---------------------------------------------------------
6) Optionally, set the DNS resolvers for clients in
   /etc/ppp/options.pptpd

    ms-dns 8.8.8.8
    ms-dns 4.4.4.4
7) Enable Network forwarding in /etc/sysctl.conf
     net.ipv4.ip_forward = 1
     sysctl -p
8) Configure firewall rules using the following commands

---------------------------------------------------------
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
service iptables save
service iptables restart
---------------------------------------------------------
9) Add pptpd to chkconfig so that it is started on reboot
    chkconfig pptpd on

10) Restart the pptpd service, or reboot the server.


Command summary for the steps above.

--------------------------------------------------------------------------------------------------------------------------
yum install ppp
cd /usr/local/src/ 
wget http://lnmpp.googlecode.com/files/pptpd-1.3.4-2.el6.x86_64.rpm 
rpm -Uvh pptpd-1.3.4-2.el6.x86_64.rpm
vi /etc/pptpd.conf 
vi /etc/ppp/chap-secrets 
vi /etc/ppp/options.pptpd 
vi /etc/sysctl.conf 
sysctl -p
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
service iptables save
service iptables restart
chkconfig pptpd on
getenforce  
vi /etc/selinux/config 
init 6
--------------------------------------------------------------------------------------------------------------------------

Monday 11 November 2013

Yum clean all options

The following are the ways which you can invoke yum in clean mode. Note
that "all files" in the commands below means "all files in currently
enabled repositories". If you want to also clean any (temporarily)
disabled repositories you need to use --enablerepo='*' option.

yum clean expire-cache
Eliminate the local data saying when the metadata and mirrorlists
were downloaded for each repo. This means yum will revalidate the
cache for each repo the next time it is used. However, if the cache
is still valid, nothing significant was deleted.

yum clean packages
Eliminate any cached packages from the system. Note that packages
are not automatically deleted after they are downloaded.

yum clean headers
Eliminate all of the header files, which old versions of yum
used for dependency resolution.

yum clean metadata
Eliminate all of the files which yum uses to determine the
remote availability of packages. Using this option will force
yum to download all the metadata the next time it is run.

yum clean dbcache
Eliminate the sqlite cache used for faster access to metadata.
Using this option will force yum to download the sqlite metadata
the next time it is run, or recreate the sqlite metadata if
using an older repo.

yum clean rpmdb
Eliminate any cached data from the local rpmdb.

yum clean plugins
Tell any enabled plugins to eliminate their cached data.

Learn and share
rzm

How to enable EPEL repository in RHEL/Centos6 64bit

EPEL (Extra Packages for Enterprise Linux) is an open source repository, based on Fedora, which provides additional software for Linux that can be installed using yum.

Basically this just involves 4 steps
1) Login as root user or (do su  - and make user root)
2) Downloading the rpm package for enabling the repository for yum.
3) Install it via rpm commands.
4) Use yum command to  clean current settings(clears information of all 
    enabled  repo)

You can also check the currently enabled repository list by the command
 "yum repolist "


Command summary
------------------------------------------------------------------------------
#su - 
#wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
#rpm -ivh epel-release-6-8.noarch.rpm
#yum clean all
#yum repolist 
------------------------------------------------------------------------------ 
 
 
Note: change "x86_64" to i386 for  32 bit OS

hope this helps you.
rzm
IP tables basic overview and usage

I have been working with iptables for quite some time. iptables rules are stored in the file /etc/sysconfig/iptables.

There are mainly 3 tables under iptables: filter, nat and mangle
filter : used for packet filtering
nat    : used to provide packet modification capabilities; NAT/PAT and IP masquerading
mangle : used for setting packet options and marking packets for further filtering or routing

We deal with the filter table here. Some of the basic commands which we need to understand when manipulating the default filter table of iptables are as follows:

iptables -L INPUT %To list the currently loaded iptables rules in the INPUT chain%
iptables-save %command to print the currently configured iptables rules so they can be saved%
iptables -C %command to check whether the given rule is already present in iptables%
iptables -N <chain-name> %creates a new chain with a user-specified name%
iptables -t filter -A INPUT -j <custom-chain> %adds a jump to the custom chain from the INPUT chain of the filter table%
-g <chain-name> %jump to chain with no return (goto), used in place of -j%
iptables -t <table> %table to manipulate; the default is filter%
iptables -X <chain-name> %delete an iptables chain you have created%
iptables -I INPUT 4 -s 192.168.1.0/24 -j ACCEPT %inserts the rule at a specific position (here rule number 4) in the chain%
iptables -A INPUT -m limit --limit <rate> %using a match module such as limit or state%


Kernel parameters (under /proc/sys) which can be set to harden the system before and during an attack, together with the iptables rules that go with them:

# PREVENT YOU SYSTEM FROM ANSWERING ICMP ECHO REQUESTS
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# DROP ICMP ECHO-REQUEST MESSAGES SENT TO BROADCAST OR MULTICAST ADDRESSES
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# DONT ACCEPT ICMP REDIRECT MESSAGES
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# DONT SEND ICMP REDIRECT MESSAGES
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# DROP SOURCE ROUTED PACKETS
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# ENABLE TCP SYN COOKIE PROTECTION FROM SYN FLOODS
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# ENABLE SOURCE ADDRESS SPOOFING PROTECTION
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# LOG PACKETS WITH IMPOSSIBLE ADDRESSES (DUE TO WRONG ROUTES) ON YOUR NETWORK
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# DISABLE IPV4 FORWARDING
echo 0 > /proc/sys/net/ipv4/ip_forward

# The rules below assume these two variables are set earlier in the script
# (the binary path and the public-facing interface; adjust for your system).
IPTABLES=/sbin/iptables
PUBIF=eth0

###############
# INPUT

# DROP INVALID
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# ALLOW ONLY ESTABLISHED, RELATED
$IPTABLES -A INPUT -p tcp -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p udp -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# DROP INVALID SYN PACKETS
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# MAKE SURE NEW INCOMING TCP CONNECTIONS ARE SYN PACKETS; OTHERWISE WE NEED TO DROP THEM
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# DROP INCOMING FRAGMENTS. A FRAGMENT FLOOD CAN RESULT IN A LINUX SERVER PANIC AND DATA LOSS
$IPTABLES -A INPUT -f -j DROP

# DROP INCOMING MALFORMED XMAS PACKETS
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# DROP INCOMING MALFORMED NULL PACKETS
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

###############
# OUTPUT

# DROP INVALID
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

# DROP INVALID SYN PACKETS
$IPTABLES -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# MAKE SURE NEW OUTGOING TCP CONNECTIONS ARE SYN PACKETS; OTHERWISE WE NEED TO DROP THEM
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

# DROP OUTGOING FRAGMENTS. A FRAGMENT FLOOD CAN RESULT IN A LINUX SERVER PANIC AND DATA LOSS
$IPTABLES -A OUTPUT -f -j DROP

# DROP OUTGOING MALFORMED XMAS PACKETS
$IPTABLES -A OUTPUT -p tcp --tcp-flags ALL ALL -j DROP

# DROP OUTGOING MALFORMED NULL PACKETS
$IPTABLES -A OUTPUT -p tcp --tcp-flags ALL NONE -j DROP
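The echo-into-/proc/sys lines above take effect immediately but do not survive a reboot, and nothing tells you later whether a value has silently changed. The following is an added example, not code from the original post: it holds the nine /proc/sys settings from the post as a baseline, reports any key whose live value differs (drift), and renders the same baseline as /etc/sysctl.conf lines for persistence. The tree root is a parameter (default /proc/sys) so the check can be exercised on a scratch copy; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post: the /proc/sys hardening values
# listed above as a baseline, a drift check against a live (or scratch) tree,
# and a persistent sysctl.conf rendering of the same settings.

# Baseline, one "key value" pair per line, keys in sysctl dotted form.
BASELINE='net.ipv4.icmp_echo_ignore_all 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.log_martians 1
net.ipv4.ip_forward 0'

# Print the current value of dotted key "$1" read from the tree rooted at "$2"
# (default /proc/sys). Returns non-zero when the file is absent or unreadable.
sysctl_value() {
  key=$1
  root=${2:-/proc/sys}
  path="$root/$(printf '%s' "$key" | tr . /)"
  [ -r "$path" ] && cat "$path"
}

# Print one "key expected=X actual=Y" line for every key whose live value
# differs from the baseline; prints nothing when the tree matches.
sysctl_drift() {
  root=${1:-/proc/sys}
  printf '%s\n' "$BASELINE" | while read -r key want; do
    have=$(sysctl_value "$key" "$root") || have=missing
    [ "$have" = "$want" ] || printf '%s expected=%s actual=%s\n' "$key" "$want" "$have"
  done
}

# Succeed (exit 0) only when nothing has drifted; usable from cron or a monitor.
sysctl_ok() {
  [ -z "$(sysctl_drift "$1")" ]
}

# Render the baseline as sysctl.conf lines so the settings survive a reboot
# (echo > /proc/sys/... alone does not). Append to /etc/sysctl.conf, then: sysctl -p
sysctl_conf_fragment() {
  printf '%s\n' "$BASELINE" | while read -r key want; do
    printf '%s = %s\n' "$key" "$want"
  done
}

# Stand-alone usage: report drift on the running kernel and exit non-zero if any.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
  sysctl_drift
  sysctl_ok
fi
```

Run sysctl_drift from cron and alert on any output; a host where net.ipv4.ip_forward flips to 1 without a matching change ticket is worth a look.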

Wednesday 30 October 2013

RPM Cheat Sheet

rpm -ivh {rpm-file}
    Install the package.
    Example: rpm -ivh mozilla-mail-1.7.5-17.i586.rpm

rpm -Uvh {rpm-file}
    Upgrade the package.
    Example: rpm -Uvh mozilla-mail-1.7.6-12.i586.rpm

rpm -ev {package}
    Erase the package.
    Example: rpm -ev mozilla-mail

rpm -ev --nodeps {package}
    Erase without removing dependencies.
    Example: rpm -ev --nodeps mozilla-mail

rpm -qa
    List installed packages.
    Example: rpm -qa

rpm -qi {package}
    Display installed package information along with package version and short description.
    Example: rpm -qi mozilla-mail

rpm -qf {/path/to/file}
    Find out what package a file belongs to.
    Examples: rpm -qf /etc/passwd, rpm -qf /bin/bash

rpm -qc {package-name}
    Display the configuration file(s) for a package.
    Example: rpm -qc httpd

rpm -qcf {/path/to/file}
    Display the list of configuration files for a command.
    Example: rpm -qcf /usr/X11R6/bin/xeyes

rpm -qa --last
    List recently installed packages.
    Example: rpm -qa --last

rpm -qpR {.rpm-file}
    Find out what dependencies an rpm file has.
    Example: rpm -qpR mediawiki-1.4rc1-4.i586.rpm

rpm -qR {package}
    Find the dependencies of an installed package.
    Example: rpm -qR bash

TCP Ports list-cheatsheet
