Tuning

PHP is an open-source server-side scripting language, and it is a widely used. The Apache/Nginx/Lighttpd web server provides access to files and content via the HTTP OR HTTPS protocol. A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. Here are twenty-five php security best practices for Linux and Unix sysadmins for configuring PHP securely.
[continue reading…]

Some time ago ext4 was released and available for Linux kernel. ext4 provides some additional benefits and perforce over ext3 file system. You can easily convert ext3 to ext4 file system. The next release of Fedora, 11, will default to the ext4 file system unless serious regressions are seen. In this quick tutorial you will learn about converting ext3 to ext4 file system.
[continue reading…]

I’ve already written about Linux process accounting under Linux ( see how to keep a detailed audit trail of what’s being done on your Linux systems). You can easily setup process accounting under FreeBSD.

FreeBSD Process Accounting

FreeBSD process accounting is a security method in which you can keep track of system resources used, their allocation among users, provide for system monitoring, and minimally track a user’s commands.
[continue reading…]

Linux and other Unix-like operating systems use the term “swap” to describe both the act of moving memory pages between RAM and disk and the region of a disk the pages are stored on. It is common to use a whole partition of a hard disk for swapping. However, with the 2.6 Linux kernel, swap files are just as fast as swap partitions. Now, many admins (both Windows and Linux/UNIX) follow an old rule of thumb that your swap partition should be twice the size of your main system RAM. Let us say I’ve 32GB RAM, should I set swap space to 64 GB? Is 64 GB of swap space required? How big should your Linux / UNIX swap space be?
[continue reading…]

A few days ago I noticed that NFS performance between a web server node and NFS server went down by 50%. NFS was optimized and the only thing was updated Red Hat kernel v5.2. I also noticed same trend on CentOS 5.2 64 bit edition.

NFS server crashed each and every time web server node tried to store a large file 20-100 MB each. Read performance was fine but write performance went to hell. Finally, I had to rollback the updates. Recently, while reading Red Hat site I came across the solution.

Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5:

* a 50-75% drop in NFS server rewrite performance, compared to Red Hat
Enterprise Linux 4.6, has been resolved.

After upgrading kernel on both server and client my issue resolved:
# yum update

Drupal is modular framework and content management system (CMS) and works under Lighttpd too. By default, Drupal passes path arguments to itself via its internally generated URLs. This results in URLs that look like the following: “http://www.example.com/?q=node/83.” This can make URLs hard to read and it also stops many search engines, like Google, from indexing the pages with these URLs.

You can tell Drupal to use “clean URLs”, eliminating the “?q=” in internal URLs. Assuming that your site hosted in rootdirectory itself, open your lighttpd.conf file or domain configuration file:
# vi lighttpd.conf
Make sure mod_rewrite is enabled:
server.modules += ( "mod_rewrite" )
Append following configuration directives:

url.rewrite-final = (
  "^/system/test/(.*)$" => "/index.php?q=system/test/$1",
  "^/system/test-clean-url/(.*)$" => "/index.php?q=system/test-clean-url/$1",
  "/rss.xml$" => "/index.php?q=rss.xml",
  "^/search/(.*)$" => "/index.php?q=search/$1",
  "^/([^.?]*)\?(.*)$" => "/index.php?q=$1&$2",
  "^/([^.?]*)$" => "/index.php?q=$1",
}
# Error 404
server.error-handler-404  = "/index.php"
 
# stop these
url.access-deny = ( "~", ".inc", ".engine", ".install", ".module", ".sh", "sql", ".theme", ".tpl.php", ".xtmpl", "Entries", "Repository", "Root" )

Save and close the file. Restart lighttpd, enter:
# /etc/init.d/lighttpd restart
Feel free to adjust rules as per your setup.

Further readings:

So how do you assign static names for SCSI device using udev under Linux? Simply use the scsi_id and other udev tools such as :

[a] scsi_id – retrieve and generate a unique SCSI identifier.
[b] udev_start – script to initialize /dev by using udev
[c] udevtest – simulate a udev run and print the action to the console.

What the hell is udev?

udev is the device manager for the Linux 2.6 kernel series. Its primary function is managing device nodes in /dev. Old UNIX system creates device in the /dev with static files. udev dynamically provides only the nodes for the devices actually present on a system.

Note following configuration is only tested on Gentoo / RHEL 5.x / CentOS 5.x Linux server systems but it should work with other distros with udev support.

Step # 1: Get WWID of the SCSI device

To get the WWID of /dev/sdd, type:
# scsi_id -g -u -s /block/sdd
Where,

  • -g : Treat the device as white listed
  • -u : Reformat the output
  • -s /bock/sdd : Generate an id for the /block/sdd (/dev/sdd). The mount point must not be included. For example, use /block/sdd, not /sys/block/sdd.

Step # 2: Create /etc/udev/rules.d/25-names.rules file

Open /etc/udev/rules.d/25-names.rules and append following text (replace WWID with actual id obtained from above command):

KERNEL=="sd*", BUS=="scsi", PROGRAM=="/sbin/scsi_id -g -u -s %p", RESULT=="WWID", SYMLINK+="scsiharddisk%n"

Above rule will create /dev/scsiharddisk (a symlink – select any other meaningful name as per your proecjet ) for the SCSI device with a given WWID. Please note that partitions on this device will be assigned the device names like /dev/scsiharddisk1, /dev/scsiharddisk2 and so on. Next, verify that everything is correct order, enter:
# udevtest
Start initialize /dev for new devices:
# start_udev
Verify symbolic links are created, enter:
# ls -l /dev/scsiharddisk*

Read the man pages for more information:
man scsi_id
man udevtest
man 7 udev

Many of our regular readers like to know more about lighttpd hotlink protection using mod_rewrite. Lighttpd can use HTTP referrer to detect hotlink and can be configured to partially protect hosted media from inline linking, usually by not serving the media or by serving a different file.

Lighttpd anti hotlinking configuration – redirect to another media

Open lighttpd.conf configuration file:
# vi /etc/lighttpd/lighttpd.conf
Append the following directive to redirect to a default picture called /hotlink.png:

$HTTP["referer"] =~ ".*BADDOMAIN\.com.*|.*IMAGESUCKERDOMAIN\.com.*|.*blogspot\.com.*" {
  url.rewrite = ("(?i)(/.*\.(jpe?g|png))$" => "/hotlink.png" )
}

So if anyone from *.blogspot.com linked www.cyberciti.biz/image.png it will be replaced with www.cyberciti.biz/hotlink.png. I’ve written small script to detect excessive hotlink from log file and ban all those domains. Most types of electronic media can be redirected this way, including video files, music files, and animations etc.

Related: Apache web server user can stop leechers using mod_rewrite / .htaccess rules.

A sudden outburst of violent disk I/O activity can bring down your email or web server. Usually, a web, mysql, or mail server serving millions and millions pages (requests) per months are prone to this kind of problem. Backup activity can increase current system load too. To avoid this kind of sudden outburst problem, run your script with scheduling class and priority. Linux comes with various utilities to manage this kind of madness.
[continue reading…]