How To (s)

Using Rsync

May 4, 2011 in BlueOnyx Projects, CentOS, How To (s) by JM Blowfish  |  5 Comments

I was experimenting with BlueOnyx the other day and found that I could use rsync over the Internet with no problem. Remembering that BO has alias directories, I made sure I created the sites using the web GUI, then I used rsync to simply move the data from the primary server to a secondary server at a different location. (Handy!)
1. Do these operations as root. Create a new, unprivileged user on the primary server and give that user read access to the files you want to duplicate on the secondary server:

#useradd -d /home/anewuser -m -s /bin/bash anewuser

This creates anewuser with a home directory of /home/anewuser. Then set a password for it:

#passwd anewuser
2. To test rsync functionality you have a couple more things to do.
- If the servers are on the same LAN, nothing extra is necessary. If there is a firewall between them, for example across the Internet, you must allow inbound TCP port 22 (ssh) to the primary server. rsync is tunnelled over ssh here, so no separate rsync port needs to be opened.
On the duplicate server, enter this command at a terminal prompt:
#rsync -avz -e ssh anewuser@server1.example.com:/directory_name_of_files/ /duplicate_directory_name/

You should get this (or something like this) as feedback:

The authenticity of host 'server1.example.com (192.168.0.100)' can't be established.
RSA key fingerprint is 32:e5:79:8e:5f:5a:25:a9:f1:0d:ef:be:5b:a6:a6:23.
Are you sure you want to continue connecting (yes/no)?

Compare that fingerprint with the fingerprint of the primary server's own RSA host key (read it on server1's console) before answering. Typing 'yes' to an unverified key is exactly what lets a machine in the middle impersonate server1 and collect anewuser's password.
3. Enter 'yes'.
4. You will then be asked for anewuser's password. Enter the password you set on the primary server and you will see files being synced (provided the connection is working correctly). If it fails, the two machines are most likely not talking to each other, so check your firewall first. I have not tried this across different subnets, but you should be able to do it provided you set up the correct routes on your router.

If you do not have rsync installed (Ubuntu or Debian), you can enter the following command at a terminal prompt to install it:
#apt-get install rsync

That's about it. Once you have connectivity and rsync works, you can move on to more complex setups to automate rsync and duplicate your files. Have fun.
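The steps above as one script, added here as an example and not part of the original post. It pulls the same directory with the same rsync command, but pins server1's host key first: the fingerprint is fetched with ssh-keyscan, compared with the value read on server1's own console, and only then written to known_hosts, so the "continue connecting" prompt is never answered by habit. Hostnames, paths and the fingerprint are the ones shown in the post; EXPECTED_FP is a placeholder to be replaced with the output of `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` run on server1 itself.

```bash
#!/bin/bash
# Added example (not from the original post): rsync over ssh with the primary
# server's host key verified out of band before the first connection.
set -eu

SRC_USER="anewuser"
SRC_HOST="server1.example.com"
SRC_DIR="/directory_name_of_files/"
DST_DIR="/duplicate_directory_name/"
# Placeholder: the fingerprint printed on server1's console by
#   ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
EXPECTED_FP="32:e5:79:8e:5f:5a:25:a9:f1:0d:ef:be:5b:a6:a6:23"

# fingerprint_ok LINE: LINE is one line of `ssh-keygen -l` output, e.g.
# "2048 MD5:32:e5:... host (RSA)" on current OpenSSH (no "MD5:" prefix on
# older releases). Returns 0 when the fingerprint equals EXPECTED_FP.
fingerprint_ok() {
    got=$(printf '%s\n' "$1" | awk '{print $2}')
    got=${got#MD5:}
    [ "$got" = "$EXPECTED_FP" ]
}

# build_rsync_cmd MODE: the transfer command from the post; MODE "dry" adds
# --dry-run so the first run only lists what would be copied.
build_rsync_cmd() {
    dry=""
    if [ "${1:-}" = "dry" ]; then dry="--dry-run "; fi
    printf 'rsync -avz %s-e ssh %s@%s:%s %s\n' \
        "$dry" "$SRC_USER" "$SRC_HOST" "$SRC_DIR" "$DST_DIR"
}

# pin_host_key: fetch server1's RSA key, refuse unless its fingerprint matches
# the console value, then record it in known_hosts so ssh never prompts.
# (-E md5 needs OpenSSH 6.8 or later; older releases print MD5 hex by default
# and do not accept -E, so drop it there.)
pin_host_key() {
    scan=$(ssh-keyscan -t rsa "$SRC_HOST" 2>/dev/null)
    [ -n "$scan" ] || { echo "no host key received from $SRC_HOST" >&2; return 1; }
    line=$(printf '%s\n' "$scan" | ssh-keygen -E md5 -lf /dev/stdin)
    fingerprint_ok "$line" || { echo "host key mismatch for $SRC_HOST, refusing" >&2; return 1; }
    mkdir -p ~/.ssh && chmod 700 ~/.ssh
    printf '%s\n' "$scan" >> ~/.ssh/known_hosts
}

# Only touch the network when explicitly asked:  ./sync.sh run
if [ "${1:-}" = "run" ]; then
    grep -q "^$SRC_HOST " ~/.ssh/known_hosts 2>/dev/null || pin_host_key
    eval "$(build_rsync_cmd dry)"      # review the file list first
    eval "$(build_rsync_cmd real)"     # then copy for real
fi
```

Run it on the duplicate server as `./sync.sh run`; it still asks for anewuser's password, as in the post, but a changed host key makes it stop instead of prompting.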

Install LAMP on Ubuntu 8.04 Standard

April 8, 2011 in How To (s) by JM Blowfish  |  1 Comments

Installing all the components of LAMP, L (Linux kernel), A (Apache web server), M (MySQL server) and P (PHP scripting), on an Ubuntu server (almost any build, in fact) is pretty simple. I continue to post these simple How To's because I know what it was like when I first started using Linux, and more specifically Ubuntu, which is different from, say, CentOS (which uses yum, the Yellowdog Updater, Modified) or Red Hat (which uses an RPM system for updates).
To install LAMP on a standard Ubuntu build do the following:

1. Open a terminal window and log in as root.
2. At the command prompt type in (or copy and paste)
root@localhost:~#apt-get install apache2 php5-mysql libapache2-mod-php5 mysql-server

3. When prompted, enter a root password for the MySQL server. This is MySQL's own root account, not the system root account, so give it a different password. It will ask you to confirm it, so don't get enter happy. :)
4. That's it! You should be good to go.
Please comment if you have any questions or problems.

Just as an aside: if you are installing something like WordPress or one of the open source e-commerce packages on your server, you will probably need the GD extension as well, so at the command prompt enter:

apt-get install php5-gd

Make sure you restart apache when you are finished.
/etc/init.d/apache2 restart

Hope that helps!
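The same install as a script, added here as an example and not part of the original post. The difference from the steps above is that the MySQL root password is handed to debconf from stdin instead of being typed at the installer prompt, so the install can run unattended and the password never appears on a command line or in shell history; a smoke test then confirms the mysql and gd extensions are loaded through Apache. Assumption: on Ubuntu 8.04 the debconf questions belong to the mysql-server-5.0 package behind the mysql-server metapackage (check with `debconf-show mysql-server-5.0` on an installed box if unsure), and the DocumentRoot is /var/www.

```bash
#!/bin/bash
# Added example (not from the original post): unattended LAMP install on
# Ubuntu 8.04 with the MySQL root password preseeded via debconf. Run as root.
set -eu

# mysql_preseed: read one line (the password) from stdin and print the two
# debconf answers the mysql-server installer asks for.
mysql_preseed() {
    IFS= read -r pw
    [ -n "$pw" ] || { echo "empty MySQL root password refused" >&2; return 1; }
    printf 'mysql-server-5.0 mysql-server/root_password password %s\n' "$pw"
    printf 'mysql-server-5.0 mysql-server/root_password_again password %s\n' "$pw"
}

# install_lamp: preseed from stdin, then install the packages from the post
# plus php5-gd, and restart Apache so mod_php and gd are loaded.
install_lamp() {
    export DEBIAN_FRONTEND=noninteractive
    mysql_preseed | debconf-set-selections
    apt-get update
    apt-get install -y apache2 php5-mysql libapache2-mod-php5 mysql-server php5-gd
    /etc/init.d/apache2 restart
}

# lamp_check_page: PHP source that reports whether the mysql and gd
# extensions are available to Apache's PHP.
lamp_check_page() {
    printf '<?php echo (extension_loaded("mysql") && extension_loaded("gd")) ? "OK" : "MISSING"; ?>\n'
}

# smoke_test: drop the check page into the DocumentRoot, fetch it over the
# loopback interface, and remove it again so it is never left exposed.
smoke_test() {
    page=/var/www/lamp-check.php
    lamp_check_page > "$page"
    out=$(wget -qO- http://127.0.0.1/lamp-check.php || true)
    rm -f "$page"
    [ "$out" = "OK" ]
}

if [ "${1:-}" = "install" ]; then
    # Password file created beforehand with:  umask 077; vi /root/mysql-root.pw
    install_lamp < /root/mysql-root.pw
    smoke_test && echo "LAMP OK"
fi
```

Invoke as `./lamp.sh install`; keep /root/mysql-root.pw mode 0600 and delete it once the install has been confirmed.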

Webmin 1.530 Easy Installation Steps

April 5, 2011 in How To (s), Ubuntu Projects by JM Blowfish  |  1 Comments

To install Webmin on any Ubuntu server, follow these simple steps:

Open a terminal window and get root privileges by typing su or using sudo. I have root access enabled on my servers so I don't have to add sudo at the beginning of each line.

1. wget 'http://code.google.com/p/kembangcybernet/downloads/detail?name=webmin-1.530.tar.gz&can=2&q=/webmin-1.530.tar.gz'
(Quote the URL, otherwise the shell treats the & as a background operator. Note that this address is a third-party mirror, not the Webmin project's own download; since setup.sh in step 4 runs as root, check the archive's checksum or signature against the official release before running it.)
2. tar xzvf webmin-1.530.tar.gz
3. cd webmin-1.530
4. sh setup.sh
5. Follow the terminal instructions. Going with the defaults is fine, except I would suggest changing the port from 10000 to something a little more unique, and I would also change 'admin' to a more unique name as well. (A non-default port and login name only cut down scanner noise; access to the Webmin port should still be restricted to your admin networks, as the firewall script further down this page does for port 10000.)
6. When it is finished, if you missed the simple login instructions, go to http://yourhostname-or-IP:port (default 10000), or https:// if you enabled SSL during setup, and type in the username and password.
7. You should probably update Webmin first once you are logged in. The update link appears at the bottom of the initial system information screen. Enjoy!
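Because the tarball above comes from a mirror and setup.sh runs as root, here is the install wrapped in two checks, added as an example and not part of the original post: the archive's SHA-256 must equal a value taken from the official Webmin release (EXPECTED_SHA256 is a placeholder, an assumption you fill in), and the archive must unpack into a single webmin-1.530/ directory rather than spraying files over the current directory. setup.sh is still answered interactively, as in the steps above.

```bash
#!/bin/bash
# Added example (not from the original post): verify the Webmin tarball before
# unpacking it and running its installer as root.
set -eu

TARBALL="webmin-1.530.tar.gz"
# Placeholder: replace with the SHA-256 published for the official release.
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# sha256_of FILE: hex digest, using whichever tool the box has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: 0 if the digest matches, 1 with a message otherwise.
verify_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch for $1: got $actual, expected $2" >&2
        return 1
    fi
}

# single_top_dir TARBALL: print the one top-level directory every member of
# the archive sits under; return 1 if there is more than one top-level entry.
single_top_dir() {
    tops=$(tar tzf "$1" | awk -F/ '{print $1}' | sort -u)
    count=$(printf '%s\n' "$tops" | awk 'END{print NR}')
    [ "$count" -eq 1 ] || { echo "archive has $count top-level entries, refusing" >&2; return 1; }
    printf '%s\n' "$tops"
}

if [ "${1:-}" = "install" ]; then
    verify_sha256 "$TARBALL" "$EXPECTED_SHA256"
    top=$(single_top_dir "$TARBALL")
    tar xzf "$TARBALL"
    cd "$top"
    sh setup.sh          # answer the prompts as described in step 5
fi
```

Run as `./webmin-install.sh install` from the directory holding the tarball; a mismatching digest or a multi-entry archive stops the script before anything is extracted.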

Excellent CentOS 5.5 Firewall Script

April 4, 2011 in All Things Microsoft, BlueOnyx Projects, CentOS, Cisco, Hosting, How To (s), Virtualizing by JM Blowfish  |  5 Comments

accessed within our LAN and not over the Internet.

#!/bin/bash
# Explains how to setup iptables on the hardware node to allow selective access,
# but allow all traffic into the containers (VPS) so they may define their own iptables rules and
# therefore manage their own firewall.
# Author: Vivek Gite < http://www.cyberciti.biz/ >
# See tutorial : http://www.cyberciti.biz/faq/series/rhel-centos-openvz-virtualization/
# This script is under GPL v2.0 or above.
# --------------------------------------------------------------------------------------------------
IPT="/sbin/iptables"
MOP="/sbin/modprobe"
SYST="/sbin/sysctl"

### ******************************************************************************* ###
### Part 1 - Protect Hardware Node						    ###
### ******************************************************************************* ###

### HW Node Main IP ranges ###
SRVIP="123.xx.xx.yy"
ADMIN_RANGES="192.168.1.0/24"
# Reserved / bogon source ranges dropped on the public interface. The spoof chain is
# inserted at the head of INPUT, so ADMIN_RANGES must not lie inside any of these:
# 192.168.0.0/16 is therefore not listed, because the admin range above is part of it.
# 168.254.0.0/16 is a routable allocation, not a reserved range, and is not listed either;
# 240.0.0.0/4 already covers 240.0.0.0/5 and 248.0.0.0/5.
SPOOFIP="127.0.0.0/8 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32 224.0.0.0/4 192.0.2.0/24"

### Path to other scripts ###
[ -f /root/fw/blocked.ip.txt ] && BADIPS=$(egrep -v -E "^#|^$" /root/fw/blocked.ip.txt)

### Interfaces ###
PUB_IF="eth0"   # public interface
LO_IF="lo"      # loopback
VE_IF="venet0"

### start firewall ###
echo "Starting Firewall..."
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# Enable ip_conntrack
$MOP ip_conntrack

# Default policies: drop everything that is not explicitly allowed below
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Unlimited lo access
$IPT -A INPUT -i ${LO_IF} -j ACCEPT
$IPT -A OUTPUT -o ${LO_IF} -j ACCEPT

# Allow full outgoing connections; nothing incoming by default except replies to them
$IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop bad stuff
# get all bad spam / scrap ips
if [ -f /root/fw/blocked.ip.txt ];
then
	$IPT -N spamlist
	for ipblock in $BADIPS
	do
		 $IPT -A spamlist -i ${PUB_IF} -s $ipblock -j LOG --log-prefix "SPAM List Block"
		 $IPT -A spamlist -i ${PUB_IF} -s $ipblock -j DROP
	done
	$IPT -I INPUT -j spamlist
	$IPT -I OUTPUT -j spamlist   # inert here: -i never matches locally generated packets
	$IPT -I FORWARD -j spamlist
fi

$IPT -N spooflist
for ipblock in $SPOOFIP
do
 $IPT -A spooflist -i ${PUB_IF} -s $ipblock -j LOG --log-prefix "SPOOF List Block"
 $IPT -A spooflist -i ${PUB_IF} -s $ipblock -j DROP
done
$IPT -I INPUT -j spooflist
$IPT -I OUTPUT -j spooflist   # inert here: -i never matches locally generated packets
$IPT -I FORWARD -j spooflist

# Drop TCP packets that try to open a new connection without a SYN
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

# Stop Fragments
$IPT -A INPUT -i ${PUB_IF} -f -j DROP

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP

# Stop NULL packets
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "NULL Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Stop XMAS
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "XMAS Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Stop FIN packet scans
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Fin Packets Scan"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Get rid of broadcast
$IPT  -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j DROP
$IPT  -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j DROP
$IPT  -A INPUT -i ${PUB_IF} -m state --state INVALID -j DROP

# allow SSH, webmin, HTTP and HTTPS ONLY from $ADMIN_RANGES
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 22 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 10000 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 80 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 443 -j ACCEPT

# Allow incomming ICMP ping pong stuff
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 30/sec  -j ACCEPT
$IPT -A INPUT -i ${PUB_IF}  -p icmp -m icmp --icmp-type 3 -m limit --limit 30/sec -j ACCEPT
$IPT -A INPUT -i ${PUB_IF}  -p icmp -m icmp --icmp-type 5 -m limit --limit 30/sec -j ACCEPT
$IPT -A INPUT -i ${PUB_IF}  -p icmp -m icmp --icmp-type 11 -m limit --limit 30/sec -j ACCEPT

### ******************************************************************************* ###
### Part 1 - Protect Hardware Node END						    ###
### ******************************************************************************* ###

### ******************************************************************************* ###
### Part 2 - ALL VPS Specifc Config						    ###
### ******************************************************************************* ###

# Allow all ports for all VPS i.e. full access
# user can set their own firewall inside vps
# (-F FORWARD also removes the spamlist/spooflist jumps inserted into FORWARD above)
$IPT -P FORWARD ACCEPT
$IPT -F FORWARD

### ******************************************************************************* ###
### Part 2 - ALL VPS Specifc Config END						    ###
### ******************************************************************************* ###

# drop and log everything else
$IPT -A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG
$IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable

exit 0
Install this script as /root/fw/firewall and make it executable:
# chmod +x /root/fw/firewall
Then call it from /etc/rc.local so it is loaded at boot:
# echo '/root/fw/firewall' >> /etc/rc.local
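Two pre-flight checks for loading the script above on a box you only reach over the network, added here as an example and not part of the original script. First, the spoof chain is inserted at the head of INPUT, so if any ADMIN_RANGES prefix lies inside a SPOOFIP prefix the admin ACCEPT rules for ssh, webmin, HTTP and HTTPS never see a packet; with ADMIN_RANGES set to a private block, as on this page, that is an easy mistake to make, and admin_ranges_shadowed catches it with a plain CIDR containment test. Second, load_with_rollback applies the ruleset with a background timer that restores the previous rules unless you cancel it from a fresh ssh session, so a bad ruleset cannot lock you out. The script path is the one from the post; ROLLBACK_SECS, the mktemp location and the --load flag are assumptions.

```bash
#!/bin/bash
# Added example (not part of the original script): check ADMIN_RANGES against
# SPOOFIP, then load /root/fw/firewall with a timed rollback.
set -eu

FW_SCRIPT="/root/fw/firewall"
ROLLBACK_SECS=120        # assumption: long enough to open a new ssh session

# ip2int A.B.C.D: dotted quad as a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_for LEN: netmask for a prefix length, as an integer.
mask_for() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# cidr_contains OUTER INNER: 0 when every address of INNER lies inside OUTER.
cidr_contains() {
    outer_net=$(ip2int "${1%/*}"); outer_len=${1#*/}
    inner_net=$(ip2int "${2%/*}"); inner_len=${2#*/}
    [ "$inner_len" -ge "$outer_len" ] || return 1
    m=$(mask_for "$outer_len")
    [ $(( outer_net & m )) -eq $(( inner_net & m )) ]
}

# admin_ranges_shadowed "ADMIN_RANGES" "SPOOFIP": print every admin prefix that a
# spoof prefix would drop before the admin rules run; 0 if none, 1 if any.
admin_ranges_shadowed() {
    rc=0
    for admin in $1; do
        for spoof in $2; do
            if cidr_contains "$spoof" "$admin"; then
                echo "$admin is inside spoof block $spoof"
                rc=1
            fi
        done
    done
    return $rc
}

# load_with_rollback: save the live rules, arm the timer, run the script.
# Killing the timer's subshell before it fires keeps the new rules.
load_with_rollback() {
    saved=$(mktemp /root/fw/rules.XXXXXX)
    /sbin/iptables-save > "$saved"
    ( sleep "$ROLLBACK_SECS"; /sbin/iptables-restore < "$saved" ) &
    timer=$!
    "$FW_SCRIPT"
    echo "Rules loaded. Open a NEW ssh session to confirm access, then run: kill $timer"
}

if [ "${1:-}" = "--load" ]; then
    # Take the two lists from the firewall script itself so the check sees the live values.
    eval "$(grep -E '^(ADMIN_RANGES|SPOOFIP)=' "$FW_SCRIPT")"
    if admin_ranges_shadowed "$ADMIN_RANGES" "$SPOOFIP"; then
        load_with_rollback
    else
        echo "Fix SPOOFIP/ADMIN_RANGES before loading" >&2
        exit 1
    fi
fi
```

With the page's original list, which contains 192.168.0.0/16, the check reports "192.168.1.0/24 is inside spoof block 192.168.0.0/16" and refuses to load; if you forget the kill after a successful load, the old rules come back by themselves after ROLLBACK_SECS.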