dnsmasq Dns Cache Software Security Update To Fix DNS Spoofing Attacks

Posted on in Categories BIND Dns, CentOS, Debian Linux, fedora linux, Linux, Linux distribution, package management, RedHat/Fedora Linux, Security Alert last updated August 12, 2008

Red Hat has shipped a new version of its dnsmasq caching software to plug source UDP port bug. This could have made DNS spoofing attacks (CVE-2008-1447) easier. Dnsmasq is lightweight ultra fast dns cache server forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network.

Install Squid Proxy Server on CentOS / Redhat enterprise Linux 5

Posted on in Categories CentOS, Linux, RedHat/Fedora Linux, Squid caching server, Suse Linux, Sys admin, Tips last updated February 24, 2008

I’ve already wrote about setting up a Linux transparent squid proxy system. However I’m getting lots of questions about Squid basic installation and configuration:

How do I install Squid Proxy server on CentOS 5 Liinux server?

Sure Squid server is a popular open source GPLd proxy and web cache. It has a variety of uses, from speeding up a web server by caching repeated requests, to caching web, name server query , and other network lookups for a group of people sharing network resources. It is primarily designed to run on Linux / Unix-like systems. Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests. Squid consists of a main server program squid, a Domain Name System lookup program (dnsserver), a program for retrieving FTP data (ftpget), and some management and client tools.

Install Squid on CentOS / RHEL 5

Use yum command as follows:
# yum install squid

Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Package squid.i386 7:2.6.STABLE6-4.el5 set to be updated
--> Running transaction check

Dependencies Resolved

 Package                 Arch       Version          Repository        Size 
 squid                   i386       7:2.6.STABLE6-4.el5  updates           1.2 M

Transaction Summary
Install      1 Package(s)         
Update       0 Package(s)         
Remove       0 Package(s)         

Total download size: 1.2 M
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: squid                        ######################### [1/1] 

Installed: squid.i386 7:2.6.STABLE6-4.el5

Squid Basic Configuration

Squid configuration file located at /etc/squid/squid.conf. Open file using a text editor:
# vi /etc/squid/squid.conf
At least you need to define ACL (access control list) to work with squid. The defaults port is TCP 3128. Following example ACL allowing access from your local networks and Make sure you adapt to list your internal IP networks from where browsing should be allowed:
acl our_networks src
http_access allow our_networks

Save and close the file. Start squid proxy server:
# chkconfig squid on
# /etc/init.d/squid start


init_cache_dir /var/spool/squid... Starting squid: .       [  OK  ]

Verify port 3128 is open:
# netstat -tulpn | grep 3128

tcp        0      0      *                   LISTEN      20653/(squid)

Open TCP port 3128

Finally make sure iptables is allowing to access squid proxy server. Just open /etc/sysconfig/iptables file:
# vi /etc/sysconfig/iptables
Append configuration:
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
Restart iptables based firewall:
# /etc/init.d/iptables restart

Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]

Client configuration

Open a webbrowser > Tools > Internet option > Network settings > and setup Squid server IP address and port # 3128.

See also

You may find our previous squid tips useful:

Squid Security and blocking content Related Tips

Squid Authentication Related Tips

Squid Other Tips

Red Hat enterprise Linux Install lighttpd and Fastcgi PHP

Posted on in Categories Howto, lighttpd, RedHat/Fedora Linux last updated August 29, 2007
Lighttpd logo

I have received many queries regarding how to configure and install Lighttpd web server under Red Hat Enterprise Linux version 4.0. Mark asks:

RHEL 64 bit v4.0 does not support PHP as FastCGI. Lighttpd is not available from RHN (up2date command). How do I configure and install lighttpd with FastCGI?

Ok let me answer these questions and other queries systematically. I have installed Lighttpd under both RHEL v4.0 32/64 bit version couple of times. In all cases, you need to compile both PHP and Lightttpd. Do not worry steps are quite easy.

Install and configure Lighttpd under RHEL

RedHat Linux use RHN to provide stable version of all software(s) including PHP/Apache and for some weird reasons it does not come with lighttpd web server. However, I have tested RHEL v.5.0 (beta) which comes with lots of goodies such as caching software, fastcgi etc.

Step #1: Install and configure Lighttpd under RHEL 64 bit v4.0

First, you need to remove installed PHP version. Use rpm -qa | grep php command to find out list of all installed PHP rpm files:
# rpm -qa | grep phpRemove all PHP files:# rpm -e php php-devel php-imap php-ldap php-pear

Step #2: Download lighttpd source code

There is no official RPM file available from Red Hat itself for 64/32 bit version. You can download and compile Lighttpd as follows:
# wget http://lighttpd.net/download/lighttpd-1.4.16.tar.gz
# tar -zxvf lighttpd-1.4.16.tar.gz
# cd lighttpd-1.4.16

Step #3: Compile and install lighttpd:

Following commands will compile lighttpd with OpenSSL support. First, configure lighttpd:
# ./configure --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --with-openssl

Now compile lighttpd
# make

Install lighttpd:
# make install

Step #4: Build PHP RPM as FastCGI

Now recompile PHP and build PHP RPM as FastCGI. Download PHP SRPM from official Red Hat Site or use following command to download PHP source RPM (recommended):
# cd /opt
# up2date -d --src php

Now install downloaded source RPM file:
# rpm -ivh php-4.3.9-3.1.src.rpm

First, install all necessary development libraries:
# up2date aspell-devel libjpeg-devel libpng-devel libc-client-devel mysql-devel postgresql-devel unixODBC-devel net-snmp-devel elfutils-devel libxslt-devel freetype-devel

Open php rpm configuration file:
# cd /usr/src/redhat/SPECS/
Open php.spec file:
# vi php.spec
Find out line, which read as follows:

Before that line add:
--enable-fastcgi \
Save and close the file.

Compile and build RPM file:
# rpmbuild -bb php.spec

Now install all newly rebuild RPM files. Go to /usr/src/redhat/RPMS/x86_64 directory, where all newly build RPMs are stored:
# cd /usr/src/redhat/RPMS/x86_64
# rpm -ivh php-4.3.9-3.18.x86_64.rpm php-gd-4.3.9-3.18.x86_64.rpm php-imap-4.3.9-3.18.x86_64.rpm php-mysql-4.3.9-3.18.x86_64.rpm php-mbstring-4.3.9-3.18.x86_64.rpm php-pear-4.3.9-3.18.x86_64.rpm

Make sure php is installed with fastcgi:
# php -vOutput:

PHP 4.3.9 (cgi-fcgi) (built: Oct  2 2006 15:31:07)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies

If you do not have development environment installed or if you are too lazy to compile download AMD x86_64 RPM files. Please note that these files are provided as it is.

Basic Lighttpd configuration

a) Add a lighttpd user
# adduser -s /sbin/nologin lighttpd

b) Create a lighttpd.conf file
# mkdir /etc/lighttpd
# cd /etc/lighttpd
# vi lighttpd.conf
Add following config code:
server.modules = (
"mod_accesslog" )
index-file.names = ( "index.php", "index.html",
"index.htm", "default.htm" )
mimetype.assign = (
".rpm" => "application/x-rpm",
".pdf" => "application/pdf",
".sig" => "application/pgp-signature",
".spl" => "application/futuresplash",
".class" => "application/octet-stream",
".ps" => "application/postscript",
".torrent" => "application/x-bittorrent",
".dvi" => "application/x-dvi",
".gz" => "application/x-gzip",
".pac" => "application/x-ns-proxy-autoconfig",
".swf" => "application/x-shockwave-flash",
".tar.gz" => "application/x-tgz",
".tgz" => "application/x-tgz",
".tar" => "application/x-tar",
".zip" => "application/zip",
".mp3" => "audio/mpeg",
".m3u" => "audio/x-mpegurl",
".wma" => "audio/x-ms-wma",
".wax" => "audio/x-ms-wax",
".ogg" => "application/ogg",
".wav" => "audio/x-wav",
".gif" => "image/gif",
".jpg" => "image/jpeg",
".jpeg" => "image/jpeg",
".png" => "image/png",
".xbm" => "image/x-xbitmap",
".xpm" => "image/x-xpixmap",
".xwd" => "image/x-xwindowdump",
".css" => "text/css",
".html" => "text/html",
".htm" => "text/html",
".js" => "text/javascript",
".asc" => "text/plain",
".c" => "text/plain",
".cpp" => "text/plain",
".log" => "text/plain",
".conf" => "text/plain",
".text" => "text/plain",
".txt" => "text/plain",
".dtd" => "text/xml",
".xml" => "text/xml",
".mpeg" => "video/mpeg",
".mpg" => "video/mpeg",
".mov" => "video/quicktime",
".qt" => "video/quicktime",
".avi" => "video/x-msvideo",
".asf" => "video/x-ms-asf",
".asx" => "video/x-ms-asf",
".wmv" => "video/x-ms-wmv",
".bz2" => "application/x-bzip",
".tbz" => "application/x-bzip-compressed-tar",
".tar.bz2" => "application/x-bzip-compressed-tar"
########## BASE CONFIG - EDIT BELOW #########################
server.tag = "lighttpd (RedHat)"
accesslog.filename = "/var/log/lighttpd/access_log"
server.errorlog = "/var/log/lighttpd/error_log"
server.document-root = "/var/www/html/"
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
server.port = 80
server.bind = "202.54.xxx.xxx"
server.error-handler-404 = "/errorr404.php"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "lighttpd"
server.groupname = "lighttpd"
compress.cache-dir = "/tmp/lighttpd/cache/compress/"
compress.filetype = ("text/plain", "text/html")
$HTTP["url"] =~ "\.pdf$" {
server.range-requests = "disable"
fastcgi.server = ( ".php" =>
( "localhost" =>
"socket" => "/tmp/php-fastcgi.socket",
"bin-path" => "/usr/bin/php",
"max-procs" => 2,

c) Create a lighttpd sysconfig file:
# vi /etc/sysconfig/lighttpd
Add following line:
Save and close the file.

d) Create a lighttpd startup file (init.d script)
# vi /etc/init.d/lighttpd
Append following line:
# lighttpd Startup script for the lighttpd server
# chkconfig: - 85 15
# description: Lighttpd web server
# processname: lighttpd
# config: /etc/lighttpd/lighttpd.conf
# config: /etc/sysconfig/lighttpd
# pidfile: /var/run/lighttpd.pid
# Source function library
. /etc/rc.d/init.d/functions
if [ -f /etc/sysconfig/lighttpd ]; then
. /etc/sysconfig/lighttpd
if [ -z "$LIGHTTPD_CONF_PATH" ]; then
start() {
echo -n $"Starting $prog: "
daemon $lighttpd -f $LIGHTTPD_CONF_PATH
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
return $RETVAL
stop() {
echo -n $"Stopping $prog: "
killproc $lighttpd
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
return $RETVAL
reload() {
echo -n $"Reloading $prog: "
killproc $lighttpd -HUP
return $RETVAL
case "$1" in
if [ -f /var/lock/subsys/$prog ]; then
status $lighttpd
echo $"Usage: $0 {start|stop|restart|condrestart|reload|status}"
exit $RETVAL

Save and close the file.

e) Create necessary directories and set correct permissions:
# mkdir -p /var/log/lighttpd
# mkdir -p /tmp/lighttpd/cache/compress/
# chown lighttpd:lighttpd /var/log/lighttpd
# chown lighttpd:lighttpd /tmp/lighttpd/cache/compress/

f) Start the lighttpd, but first stop Apache if running:
# chkconfig httpd off
# /etc/init.d/httpd stop
# chkconfig --add lighttpd
# chkconfig lighttpd on
# /etc/init.d/lighttpd start

Verify that Lighttpd is running:
# netstat -tulpn | grep :80

Update: See how to use lighttpd and FastCGI configuration under RHEL 5.0 / CentOS 5.0.