Linux: Iptables # 21 Allow MS-SQL server incoming request?

Posted on in Categories News last updated July 29, 2005

MS-SQL database server listens on TCP port 1433 by default. The following iptables rules allow incoming client requests (open port 1433) for server IP address 202.54.1.20:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 1433 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1433 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Linux: Iptables # 20 Allow ORACLE server incoming request?

Posted on in Categories News last updated July 29, 2005

Oracle is a powerful enterprise-class database server and by default it listens on TCP port 1521. The following iptables rules allow incoming client requests (open port 1521) for server IP address 202.54.1.20:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 1521 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1521 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Restrict access to the Oracle database server to the web server only. The following example allows access to the Oracle database server (202.54.1.20) from the web server (202.54.1.50) only:
iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 1521 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1521 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Allow outgoing Oracle client requests from firewall host 202.54.1.20:
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 1521 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 --sport 1521 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Linux: Forcing Apache to correct misspellings of URL

Posted on in Categories News last updated July 28, 2005

Apache has mod_speling for automatic URL spell-correction. For example, on this site you can request a page using the following format:

http://cyberciti.biz/news is the same as using the URL http://cyberciti.biz/news.php.

This module helps visitors get the correct content instead of an error 404 – document not found, and you can also omit file extensions such as .pl, .php, .html etc. in URL references. It attempts to correct misspellings of URLs that users might have entered, by ignoring capitalization and by allowing up to one misspelling. This should be configured on large shared web hosting servers by ISPs and web hosting service providers so that hosting customers can take advantage of this module.

The following steps demonstrate how to activate this module under Debian GNU/Linux:

A) Open your Apache modules configuration file:
# vi /etc/apache-perl/modules.conf

B) Append following line to this file:
LoadModule speling_module /usr/lib/apache/1.3/mod_speling.so

C) Save the file.

D) This module needs to be configured in httpd.conf via the CheckSpelling directive. You can configure it for the entire site, for a particular virtual host, or even via a .htaccess file. Open your /etc/apache-perl/httpd.conf and add the following line in the server config context:

CheckSpelling on

E) Restart Apache:
# /etc/init.d/apache-perl restart

Please note that the above steps are the same under FreeBSD/Solaris for the Apache web server except for the file locations, i.e. httpd.conf and modules.conf. Please refer to the man page for more info.

Linux: Iptables Allow PostgreSQL server incoming request

Posted on in Categories Howto, Iptables, Linux, Postgresql last updated July 28, 2005

PostgreSQL is an object relational database system that has the features of traditional commercial database systems with enhancements to be found in next-generation DBMS systems. PostgreSQL is free and the complete source code is available.

Open port 5432

By default PostgreSQL listens on TCP port 5432. The following iptables rules allow incoming client requests (open port 5432) for server IP address 202.54.1.20:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 5432 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

As posted earlier, you do not want to give access to everyone. For example, in a web hosting company or in your own development center, you need to give access to the PostgreSQL database server from the web server only. The following example allows access to the PostgreSQL database server (202.54.1.20) from the Apache web server (202.54.1.50) only:

iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 5432 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Allow outgoing PostgreSQL client requests (made via the PostgreSQL command line client or a Perl/PHP script) from firewall host 202.54.1.20:

iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 5432 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Linux: Iptables Allow MYSQL server incoming request on port 3306

Posted on in Categories Howto, Iptables, Linux, MySQL, Security, Tips last updated July 28, 2005

MySQL is a popular database for web applications and acts as the database component of the LAMP, MAMP, and WAMP platforms. Its popularity for web applications is closely tied to the popularity of PHP, which is often combined with MySQL. MySQL is an open source database server and by default it listens on TCP port 3306. In this tutorial you will learn how to open TCP port 3306 using the iptables command line tool on the Linux operating system.

Linux: Iptables # 17 Allow secure POP3S incoming request?

Posted on in Categories News last updated July 25, 2005

Secure POP3S uses TCP port 995 by default. The following iptables rules allow incoming POP3S client requests (open port 995) for server IP address 202.54.1.20:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 995 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

The following rules allow outgoing POP3S client requests from firewall host 202.54.1.21 (open port 995):
iptables -A OUTPUT -p tcp -s 202.54.1.21 --sport 1024:65535 -d 0/0 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 --sport 995 -d 202.54.1.21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Linux: Iptables # 16 How to allow secure mail SMTPS?

Posted on in Categories News last updated July 25, 2005

Secure SMTPS uses TCP port 465 by default. The following iptables rules allow incoming SMTPS client requests (open port 465) for server IP address 202.54.1.20:
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 465 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

The following rules allow outgoing SMTPS client requests from firewall host 202.54.1.21 (open port 465):
iptables -A OUTPUT -p tcp -s 202.54.1.21 --sport 1024:65535 -d 0/0 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 --sport 465 -d 202.54.1.21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
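The INPUT/OUTPUT rule pair is identical across the MS-SQL, Oracle, MySQL, PostgreSQL, POP3S and SMTPS posts above; only the port and the allowed client change. The script below is an added example (not code from the original posts) that generates the pair from parameters and then lints a rule set for database ports that accept new connections from anyone, which is the case to avoid on a shared host. It assumes the posts' placeholder addresses 202.54.1.20 (server) and 202.54.1.50 (web server); fw_allow_in, fw_allow_out and fw_world_open_db are hypothetical helper names. Nothing here runs iptables: the commands are printed so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original posts. Assumptions: 202.54.1.20 and
# 202.54.1.50 are the posts' placeholder addresses; the three function names
# are hypothetical. Rules are printed, never executed, by this script.

# fw_allow_in SERVER_IP PORT [CLIENT]
# Accept NEW connections to SERVER_IP:PORT from CLIENT (default 0/0 = anyone)
# and let the server's replies back out.
fw_allow_in() {
    srv="$1"; port="$2"; cli="${3:-0/0}"
    printf 'iptables -A INPUT -p tcp -s %s --sport 1024:65535 -d %s --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$cli" "$srv" "$port"
    printf 'iptables -A OUTPUT -p tcp -s %s --sport %s -d %s --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT\n' "$srv" "$port" "$cli"
}

# fw_allow_out CLIENT_IP PORT [SERVER]
# Let CLIENT_IP open connections to SERVER:PORT (default any server) and
# accept only the replies coming back.
fw_allow_out() {
    cli="$1"; port="$2"; srv="${3:-0/0}"
    printf 'iptables -A OUTPUT -p tcp -s %s --sport 1024:65535 -d %s --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$cli" "$srv" "$port"
    printf 'iptables -A INPUT -p tcp -s %s --sport %s -d %s --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT\n' "$srv" "$port" "$cli"
}

# fw_world_open_db
# Read rules on stdin; print each database port (1433, 1521, 3306, 5432)
# that accepts NEW connections from -s 0/0. Returns 1 if any were found, so
# a deployment script can refuse to load a rule set that exposes a database.
fw_world_open_db() {
    found=$(awk '
        / -A INPUT / && / -s 0\/0 / && /NEW/ {
            p = ""
            for (i = 1; i <= NF; i++) if ($i == "--dport") p = $(i + 1)
            if (p == "1433" || p == "1521" || p == "3306" || p == "5432") print p
        }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Typical use: the restricted PostgreSQL pair from the post, then the check.
#   fw_allow_in 202.54.1.20 5432 202.54.1.50 | fw_world_open_db && echo "ok"
#   fw_allow_in 202.54.1.20 5432 | fw_world_open_db      # prints 5432, exits 1
```

Piping the generated lines to sh on the firewall host applies them; running the lint first catches the common mistake of copying the "open to 0/0" variant of a rule onto a machine that should only accept the web server.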

Running Commands on a Remote Linux / UNIX Host

Posted on in Categories CentOS, Debian Linux, FreeBSD, Gentoo Linux, Howto, HP-UX, Linux, Monitoring, Networking, OpenBSD, OS X, RedHat/Fedora Linux, Security, Shell scripting, Solaris, Tips, Ubuntu Linux, UNIX last updated July 25, 2005

You would like to execute a command on a remote Linux/FreeBSD/Solaris/UNIX host and have the result displayed locally. Once the result is obtained it can be used by a local script or program. A few examples:
=> File system and disk information

=> Get user information

=> Find out all running process

=> Find out if particular service is running or not etc

You can use rsh or ssh for this purpose. However, for security reasons you should always use ssh and NOT rsh. Please note that the remote system must run the OpenSSH server.

Syntax for running command on a remote host:
ssh [USER-NAME]@[REMOTE-HOST] [command or script]

Where,

  • ssh: ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine.
  • USER-NAME: Remote host user name.
  • REMOTE-HOST: Remote host IP address or host name, such as fbsd.cyberciti.biz.
  • command or script: Command or shell script is executed on the remote host instead of a login shell.

Examples

(A) Get disk information from a server called www1.cyberciti.biz:
$ ssh [email protected] df -h

(B) List what ports are open on remote host
$ ssh [email protected] netstat -vatn

(C) Reboot remote host:
$ ssh [email protected] reboot

(D) Restart the MySQL server (please note that multiple command line arguments are enclosed using single or double quotes):
$ ssh [email protected] '/etc/init.d/mysql restart'

(E) Get memory information and store result/output to local file /tmp/memory.status:
$ ssh [email protected] 'free -m' > /tmp/memory.status

(G) You can also run multiple commands or use pipes; the following command displays memory in the format “available memory = used + free memory”:
$ ssh [email protected] free -m | grep "Mem:" | awk '{ print "Total memory (used+free): " $3 " + " $4 " = " $2 }'

See how to configure ssh for passwordless login using public key based authentication.

=> Related: shell script to get uptime, disk usage, CPU usage, RAM usage, system load, etc. from multiple Linux servers and output the information on a single server in HTML format.
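When the "ssh user@host command" pattern is called from a script or cron job rather than typed interactively, two ssh options matter: with BatchMode=yes a missing key fails immediately instead of hanging on a password prompt, and with StrictHostKeyChecking=yes an unknown or changed host key aborts the session instead of being accepted silently. The script below is an added example (not code from the original post) that wraps the call that way and parses the "free -m" output from example (G), keyed on the Mem: label. remote_run and mem_summary are hypothetical helper names, and SAMPLE_FREE is constructed output, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: remote_run and
# mem_summary are hypothetical names; SAMPLE_FREE is constructed, not real.

# remote_run USER HOST COMMAND...
# BatchMode=yes              never fall back to a password prompt (keys only)
# StrictHostKeyChecking=yes  host key must already be in known_hosts; an
#                            unknown or changed key aborts the connection
# ConnectTimeout=10          do not block a script forever on a dead host
remote_run() {
    u="$1"; h="$2"; shift 2
    ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=10 \
        "$u@$h" "$@"
}

# mem_summary
# Read "free -m" output on stdin and print the post's
# "Total memory (used+free): used + free = total" line. The match is on the
# "Mem:" label in the first field, so surrounding header lines do not matter.
mem_summary() {
    awk '$1 == "Mem:" { printf "Total memory (used+free): %s + %s = %s\n", $3, $4, $2 }'
}

# Constructed sample of classic procps "free -m" output for offline testing.
SAMPLE_FREE='             total       used       free     shared    buffers     cached
Mem:          2010       1870        140          0        120       1200
-/+ buffers/cache:        550       1460
Swap:         1023          0       1023'

# Typical use (REMOTE_HOST is a placeholder), storing the raw output locally
# as example (E) does and summarising it afterwards:
#   remote_run admin REMOTE_HOST free -m > /tmp/memory.status
#   mem_summary < /tmp/memory.status
```

Note that newer procps-ng versions of free add a buff/cache column and report used so that used + free no longer sums to total; the label-based parser still finds the line, but the arithmetic in the post's output format only holds for the older layout shown in the sample.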

Linux: How to run a command when the system boots up?

Posted on in Categories News last updated July 24, 2005

Other distributions provide a file called /etc/rc.local, but Debian does not use rc.local to customize the boot process. You can use the simple method below to customize it.

(A) Execute command at system startup
Let us assume you would like to run command called

i) Create a script called mystartup.sh in the /etc/init.d/ directory (login as root):
# vi /etc/init.d/mystartup.sh

ii) Add commands to this script one by one:
#!/bin/bash
echo "Setting up customized environment..."
fortune

iii) Set executable permission on the script:
# chmod +x /etc/init.d/mystartup.sh

iv) Make sure this script gets executed every time the Debian Linux system boots up:
# update-rc.d mystartup.sh defaults 100

Where,
mystartup.sh: Your startup script name
defaults: The argument ‘defaults’ refers to the default runlevels, which are 2 through 5.
100: The number 100 means the script will get executed before any script containing number 101. Just run the command ls -l /etc/rc3.d/ and you will see all scripts soft-linked to /etc/init.d with numbers.

Next time you reboot the system, your custom command or script will get executed via mystartup.sh. You can add more commands to this file or even call other shell/Perl scripts from this file too.

(B) Execute shell script at system startup
Open the file mystartup.sh in the /etc/init.d/ directory:
# vi /etc/init.d/mystartup.sh

Append your script path to the end as follows (suppose your script is /root/fw.start, a script that starts the firewall):

/root/fw.start

Save the file.

For more info on ‘Customizing your installation of Debian GNU/Linux’ visit the official Debian DOC/FAQ.
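Everything in /etc/init.d/mystartup.sh runs as root at boot, so a helper it calls, such as /root/fw.start in (B), is effectively root code; if that helper is writable by other users or owned by someone else, whoever can edit it runs code as root on the next reboot. The script below is an added example (not code from the original post) of a startup script that checks a helper's type, ownership and write permissions before executing it, and skips it with a logged reason otherwise. run_trusted and startup_helpers are hypothetical names, and /root/fw.start is the post's placeholder path.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: run_trusted and
# startup_helpers are hypothetical names; /root/fw.start is the post's
# placeholder path for the helper script.

# run_trusted FILE
# Execute FILE only if it is a regular file, owned by the invoking user, and
# not writable by group or others; otherwise log why and return 1 without
# executing anything.
run_trusted() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "mystartup: $f is not a regular file, skipping" >&2
        return 1
    fi
    info=$(ls -ldn "$f")   # e.g. "-rwx------ 1 0 0 42 Jul 24 2005 /root/fw.start"
    mode=${info%% *}       # permission string; char 6 = group write, char 9 = other write
    case "$mode" in
        ?????w*|????????w*)
            echo "mystartup: $f is group- or world-writable, skipping" >&2
            return 1 ;;
    esac
    owner=$(printf '%s\n' "$info" | awk '{ print $3 }')   # numeric uid from ls -n
    if [ "$owner" != "$(id -u)" ]; then
        echo "mystartup: $f is owned by uid $owner, not uid $(id -u), skipping" >&2
        return 1
    fi
    "$f"
}

# startup_helpers FILE...
# Run each helper in turn; the return value is the number of helpers that
# were skipped or failed, so a zero exit means every helper ran cleanly.
startup_helpers() {
    skipped=0
    for h in "$@"; do
        run_trusted "$h" || skipped=$((skipped + 1))
    done
    return "$skipped"
}

# Init-script entry point: update-rc.d arranges for "start" at boot.
case "${1:-}" in
    start)
        echo "Setting up customized environment..."
        startup_helpers /root/fw.start
        ;;
    stop|restart|force-reload|status)
        ;;   # one-shot script: nothing to stop
esac
```

Installed as /etc/init.d/mystartup.sh with `update-rc.d mystartup.sh defaults 100` exactly as in step iv), the only behavioural difference from the post's version is that a tampered or mis-permissioned helper is reported on the console and in the boot log instead of being run.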

Linux / UNIX: Finding and locating files with find command part # 2

Posted on in Categories CentOS, File system, FreeBSD, GNU/Open source, Howto, Linux, Linux desktop, OpenBSD, RedHat/Fedora Linux last updated July 23, 2005

In the first part we talked about basic usage of the find command.

Now let us see how to use the find command:
(a) To gain lots of useful information about users and their files

(b) To monitor and enhance the security of the system

Finding all set user id files

setuid (“suid”) and setgid are access right flags that can be assigned to files and directories on a Unix-based operating system. They are mostly used to allow users on a computer system to execute binary executables with temporarily elevated privileges in order to perform a specific task.
# find / -perm +u=s
OR
# find / -perm +4000

See also, shell script to find all programs and scripts with setuid set on.

Finding all set group id files

# find / -perm +g=s
OR
# find / -perm +2000

See also, shell script to find all programs and scripts with setgid bit set on.

Finding all large directories

To find all directories larger than 50k (kilobytes). This is useful to find out which directories on the system are taking up a lot of space.
# find / -type d -size +50k
Output:

/var/lib/dpkg/info
/var/log/ksymoops
/usr/share/doc/HOWTO/en-html
/usr/share/man/man3

Finding all large files on Linux / UNIX

# find / -type f -size +20000k
Output:

/var/log/kern.log
/sys/devices/pci0000:00/0000:00:02.0/resource0
/sys/devices/pci0000:00/0000:00:00.0/resource0
/opt/03Jun05/firefox-1.0.4-source.tar.bz2

However, my favorite hack on the above command is as follows:
# find / -type f -size +20000k -exec ls -lh {} \; | awk '{ print $8 ": " $5 }'

/var/log/kern.log: 22M
/sys/devices/pci0000:00/0000:00:02.0/resource0: 128M
/sys/devices/pci0000:00/0000:00:00.0/resource0: 256M
/opt/03Jun05/firefox-1.0.4-source.tar.bz2: 32M

The above command finds all files with a size greater than 20000k and prints the filename followed by the file size. The output is more informative compared to the normal find command output 😀
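A one-off `find / -perm +4000` tells you what is setuid today; what a defender wants to know is what changed since last time, because a new setuid file under /tmp or a home directory is a far stronger signal than the stock list in /usr/bin. The script below is an added example (not code from the original post) that lists setuid/setgid files with the portable `-perm -MODE` spelling (GNU find has deprecated the `+4000` form), stores a baseline, and on later runs reports files that gained or lost the bit. It also reports large files via `du -k`, whose two tab-separated fields do not shift the way `ls -l` columns do with different date formats. suid_list, suid_diff and large_files are hypothetical helper names; the baseline path is chosen by the caller.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the three function
# names are hypothetical; the baseline file path is supplied by the caller.

# suid_list ROOT
# Print every regular file under ROOT with the setuid or setgid bit set,
# sorted so two runs can be compared line by line. "-perm -4000" means
# "these bits are set" and works on GNU, BSD and Solaris find.
suid_list() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# suid_diff ROOT BASELINE
# First run: write BASELINE and return 0. Later runs: print "+ path" for new
# setuid/setgid files and "- path" for ones that vanished; return 1 if
# anything changed so a cron job or monitoring check can alert on it.
suid_diff() {
    root="$1"; base="$2"
    if [ ! -f "$base" ]; then
        suid_list "$root" > "$base"
        echo "baseline written to $base"
        return 0
    fi
    now=$(mktemp)
    suid_list "$root" > "$now"
    added=$(comm -13 "$base" "$now" | sed 's/^/+ /')
    gone=$(comm -23 "$base" "$now" | sed 's/^/- /')
    rm -f "$now"
    [ -z "$added$gone" ] && return 0
    [ -n "$added" ] && printf '%s\n' "$added"
    [ -n "$gone" ] && printf '%s\n' "$gone"
    return 1
}

# large_files ROOT KBYTES
# Files under ROOT larger than KBYTES kilobytes, printed as "path: sizeK".
# du -k prints "kilobytes<TAB>path", so the fields are stable whatever
# ls -l's date format looks like.
large_files() {
    find "$1" -type f -size +"$2"k -exec du -k {} + 2>/dev/null \
        | awk -F'\t' '{ print $2 ": " $1 "K" }' | sort
}

# Typical use (paths are placeholders):
#   suid_diff / /var/lib/suid-baseline.txt || logger "setuid/setgid files changed"
#   large_files / 20000
```

Run suid_diff once after a clean install to record the baseline, then from cron; the non-zero exit on change is what a monitoring wrapper keys on, and the printed +/- lines tell the responder exactly which file to look at.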