How to upgrade lighttpd tar ball (source code) installation

Posted on in Categories CentOS, Howto, lighttpd, Linux, RedHat/Fedora Linux, Security, Suse Linux, Sys admin, Tips, Ubuntu Linux last updated September 1, 2007

Upgrading lighttpd is a piece of cake. There are two methods:

a) Use yum or apt-get or FreeBSD ports / command to update binary lighttpd package

b) Just download latest lighttpd tar ball from official web site and install the same.

Let us see how to upgrade lighttpd using source code (tar ball).

# 1 : Download lighttpd

Use wget or lftp command line http / ftp accelerator tools:
$ cd /opt
$ wget

# 2 : Verify lighttpd

Use sha1sum or md5sum hash to verify lighttpd tar ball integrity:
$ md5sum lighttpd-1.4.17.tar.gz

# 3: Configure lighttpd

Now configure and compile lighttpd web server:
$ ./configure
$ make

# 4: Stop lighttpd

First stop currently running lighttpd web server:
# /etc/init.d/lighttpd stop
Make sure you are in installation directory, use the following command to uninstall old version:
# make uninstall

# 5: Install lighttpd

Just enter the following command:
# make install
Start lighttpd:
# /etc/init.d/lighttpd start
Watch out for lighttpd log files for any problems:
# tail -f /var/log/messages
# tail -f /var/log/lighttpd/error.log
# tail -f /var/log/lighttpd/scripts.log
# tail -f /var/log/lighttpd/access.log

A note about binary package upgrade method

You can download rpm file or use yum / apt-get command:
apt-get update lighttpd
yum update lighttpd

Install Squid Proxy Server on CentOS / Redhat enterprise Linux 5

Posted on in Categories CentOS, Linux, RedHat/Fedora Linux, Squid caching server, Suse Linux, Sys admin, Tips last updated August 30, 2007

I’ve already wrote about setting up a Linux transparent squid proxy system. However I’m getting lots of questions about Squid basic installation and configuration:

How do I install Squid Proxy server on CentOS 5 Liinux server?

Sure Squid server is a popular open source GPLd proxy and web cache. It has a variety of uses, from speeding up a web server by caching repeated requests, to caching web, name server query , and other network lookups for a group of people sharing network resources. It is primarily designed to run on Linux / Unix-like systems. Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests. Squid consists of a main server program squid, a Domain Name System lookup program (dnsserver), a program for retrieving FTP data (ftpget), and some management and client tools.

Install Squid on CentOS / RHEL 5

Use yum command as follows:
# yum install squid

Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Package squid.i386 7:2.6.STABLE6-4.el5 set to be updated
--> Running transaction check

Dependencies Resolved

 Package                 Arch       Version          Repository        Size
 squid                   i386       7:2.6.STABLE6-4.el5  updates           1.2 M

Transaction Summary
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 1.2 M
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: squid                        ######################### [1/1]

Installed: squid.i386 7:2.6.STABLE6-4.el5

Squid Basic Configuration

Squid configuration file located at /etc/squid/squid.conf. Open file using a text editor:
# vi /etc/squid/squid.conf
At least you need to define ACL (access control list) to work with squid. The defaults port is TCP 3128. Following example ACL allowing access from your local networks and Make sure you adapt to list your internal IP networks from where browsing should be allowed:
acl our_networks src
http_access allow our_networks

Save and close the file. Start squid proxy server:
# chkconfig squid on
# /etc/init.d/squid start


init_cache_dir /var/spool/squid... Starting squid: .       [  OK  ]

Verify port 3128 is open:
# netstat -tulpn | grep 3128

tcp        0      0      *                   LISTEN      20653/(squid)

Open TCP port 3128

Finally make sure iptables is allowing to access squid proxy server. Just open /etc/sysconfig/iptables file:
# vi /etc/sysconfig/iptables
Append configuration:
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT
Restart iptables based firewall:
# /etc/init.d/iptables restart

Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]

Client configuration

Open a webbrowser > Tools > Internet option > Network settings > and setup Squid server IP address and port # 3128.

See also

You may find our previous squid tips useful:

Squid Security and blocking content Related Tips

Squid Authentication Related Tips

Squid Other Tips

Linux audit files to see who made changes to a file

Posted on in Categories File system, GNU/Open source, Howto, Linux, Monitoring, RedHat/Fedora Linux, Security, Sys admin, Tips last updated March 19, 2007

This is one of the key questions many new sys admin ask:

How do I audit file events such as read / write etc? How can I use audit to see who changed a file in Linux?

The answer is to use 2.6 kernel’s audit system. Modern Linux kernel (2.6.x) comes with auditd daemon. It’s responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open /etc/audit.rules file and make changes such as setup audit file log location and other option. The default file is good enough to get started with auditd.

In order to use audit facility you need to use following utilities
=> auditctl – a command to assist controlling the kernel’s audit system. You can get status, and add or delete rules into kernel audit system. Setting a watch on a file is accomplished using this command:

=> ausearch – a command that can query the audit daemon logs based for events based on different search criteria.

=> aureport – a tool that produces summary reports of the audit system logs.

Note that following all instructions are tested on CentOS 4.x and Fedora Core and RHEL 4/5 Linux.

Task: install audit package

The audit package contains the user space utilities for storing and searching the audit records generate by the audit subsystem in the Linux 2.6 kernel. CentOS/Red Hat and Fedora core includes audit rpm package. Use yum or up2date command to install package
# yum install audit
# up2date install audit

Auto start auditd service on boot
# ntsysv
# chkconfig auditd on
Now start service:
# /etc/init.d/auditd start

How do I set a watch on a file for auditing?

Let us say you would like to audit a /etc/passwd file. You need to type command as follows:
# auditctl -w /etc/passwd -p war -k password-file


  • -w /etc/passwd : Insert a watch for the file system object at given path i.e. watch file called /etc/passwd
  • -p war : Set permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.
  • -k password-file : Set a filter key on a /etc/passwd file (watch). The password-file is a filterkey (string of text that can be up to 31 bytes long). It can uniquely identify the audit records produced by the watch. You need to use password-file string or phrase while searching audit logs.

In short you are monitoring (read as watching) a /etc/passwd file for anyone (including syscall) that may perform a write, append or read operation on a file.

Wait for some time or as a normal user run command as follows:
$ grep 'something' /etc/passwd
$ vi /etc/passwd

Following are more examples:

File System audit rules

Add a watch on “/etc/shadow” with the arbitrary filterkey “shadow-file” that generates records for “reads, writes, executes, and appends” on “shadow”
# auditctl -w /etc/shadow -k shadow-file -p rwxa

syscall audit rule

The next rule suppresses auditing for mount syscall exits
# auditctl -a exit,never -S mount

File system audit rule

Add a watch “tmp” with a NULL filterkey that generates records “executes” on “/tmp” (good for a webserver)
# auditctl -w /tmp -p e -k webserver-watch-tmp

syscall audit rule using pid

To see all syscalls made by a program called sshd (pid – 1005):
# auditctl -a entry,always -S all -F pid=1005

How do I find out who changed or accessed a file /etc/passwd?

Use ausearch command as follows:
# ausearch -f /etc/passwd
# ausearch -f /etc/passwd | less
# ausearch -f /etc/passwd -i | less

  • -f /etc/passwd : Only search for this file
  • -i : Interpret numeric entities into text. For example, uid is converted to account name.


type=PATH msg=audit(03/16/2007 14:52:59.985:55) : name=/etc/passwd flags=follow,open inode=23087346 dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/16/2007 14:52:59.985:55) :  cwd=/webroot/home/lighttpd
type=FS_INODE msg=audit(03/16/2007 14:52:59.985:55) : inode=23087346 inode_uid=root inode_gid=root inode_dev=08:02 inode_rdev=00:00
type=FS_WATCH msg=audit(03/16/2007 14:52:59.985:55) : watch_inode=23087346 watch=passwd filterkey=password-file perm=read,write,append perm_mask=read
type=SYSCALL msg=audit(03/16/2007 14:52:59.985:55) : arch=x86_64 syscall=open success=yes exit=3 a0=7fbffffcb4 a1=0 a2=2 a3=6171d0 items=1 pid=12551 auid=unknown(4294967295) uid=lighttpd gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd comm=grep exe=/bin/grep

Let us try to understand output

  • audit(03/16/2007 14:52:59.985:55) : Audit log time
  • uid=lighttpd gid=lighttpd : User ids in numerical format. By passing -i option to command you can convert most of numeric data to human readable format. In our example user is lighttpd used grep command to open a file
  • exe=”/bin/grep” : Command grep used to access /etc/passwd file
  • perm_mask=read : File was open for read operation

So from log files you can clearly see who read file using grep or made changes to a file using vi/vim text editor. Log provides tons of other information. You need to read man pages and documentation to understand raw log format.

Other useful examples

Search for events with date and time stamps. if the date is omitted, today is assumed. If the time is omitted, now is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date is 10/24/05. An example of time is 18:00:00.
# ausearch -ts today -k password-file
# ausearch -ts 3/12/07 -k password-file

Search for an event matching the given executable name using -x option. For example find out who has accessed /etc/passwd using rm command:
# ausearch -ts today -k password-file -x rm
# ausearch -ts 3/12/07 -k password-file -x rm

Search for an event with the given user name (UID). For example find out if user vivek (uid 506) try to open /etc/passwd:
# ausearch -ts today -k password-file -x rm -ui 506
# ausearch -k password-file -ui 506

Other auditing related posts

Further readings

  • Read man pages – auditd, ausearch, auditctl

Updated for accuracy.

How to keep a detailed audit trail of what's being done on your Linux systems

Posted on in Categories Linux, RedHat/Fedora Linux, Security, Suse Linux, Ubuntu Linux, UNIX last updated November 14, 2006

Intrusions can take place from both authorized (insiders) and unauthorized (outsiders) users. My personal experience shows that unhappy user can damage the system, especially when they have a shell access. Some users are little smart and removes history file (such as ~/.bash_history) but you can monitor all user executed commands.

It is recommended that you log user activity using process accounting. Process accounting allows you to view every command executed by a user including CPU and memory time. With process accounting sys admin always find out which command executed at what time 🙂

The psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton and sa.

  • The ac command displays statistics about how long users have been logged on.
  • The lastcomm command displays information about previous executed commands.
  • The accton command turns process accounting on or off.
  • The sa command summarizes information about previously executed commmands.

Task: Install psacct or acct package

Use up2date command if you are using RHEL ver 4.0 or less
# up2date psacct
Use yum command if you are using CentOS/Fedora Linux / RHEL 5:
# yum install psacct
Use apt-get command if you are using Ubuntu / Debian Linux:
$ sudo apt-get install acct OR # apt-get install acct

Task: Start psacct/acct service

By default service is started on Ubuntu / Debian Linux by creating /var/account/pacct file. But under Red Hat /Fedora Core/Cent OS you need to start psacct service manually. Type the following two commands to create /var/account/pacct file and start services:
# chkconfig psacct on
# /etc/init.d/psacct start

If you are using Suse Linux, the name of service is acct. Type the following commands:
# chkconfig acct on
# /etc/init.d/acct start

Now let us see how to utilize these utilities to monitor user commands and time.

Task: Display statistics about users’ connect time

ac command prints out a report of connect time in hours based on the logins/logouts. A total is also printed out. If you type ac without any argument it will display total connect time:
$ acOutput:

total       95.08

Display totals for each day rather than just one big total at the end:
$ ac -dOutput:

Nov  1  total        8.65
Nov  2  total        5.70
Nov  3  total       13.43
Nov  4  total        6.24
Nov  5  total       10.70
Nov  6  total        6.70
Nov  7  total       10.30
Nov 12  total        3.42
Nov 13  total        4.55
Today   total        0.52

Display time totals for each user in addition to the usual everything-lumped-into-one value:
$ ac -pOutput:

        vivek                             87.49
        root                                 7.63
        total       95.11

Task: find out information about previously executed user commands

Use lastcomm command which print out information about previously executed commands. You can search command using usernames, tty names, or by command names itself.

Display command executed by vivek user:
$ lastcomm vivekOutput:

userhelper        S   X vivek  pts/0      0.00 secs Mon Nov 13 23:58
userhelper        S     vivek  pts/0      0.00 secs Mon Nov 13 23:45
rpmq                    vivek  pts/0      0.01 secs Mon Nov 13 23:45
rpmq                    vivek  pts/0      0.00 secs Mon Nov 13 23:45
rpmq                    vivek  pts/0      0.01 secs Mon Nov 13 23:45
gcc                     vivek  pts/0      0.00 secs Mon Nov 13 23:45
which                   vivek  pts/0      0.00 secs Mon Nov 13 23:44
bash               F    vivek  pts/0      0.00 secs Mon Nov 13 23:44
ls                      vivek  pts/0      0.00 secs Mon Nov 13 23:43
rm                      vivek  pts/0      0.00 secs Mon Nov 13 23:43
vi                      vivek  pts/0      0.00 secs Mon Nov 13 23:43
ping              S     vivek  pts/0      0.00 secs Mon Nov 13 23:42
ping              S     vivek  pts/0      0.00 secs Mon Nov 13 23:42
ping              S     vivek  pts/0      0.00 secs Mon Nov 13 23:42
cat                     vivek  pts/0      0.00 secs Mon Nov 13 23:42
netstat                 vivek  pts/0      0.07 secs Mon Nov 13 23:42
su                S     vivek  pts/0      0.00 secs Mon Nov 13 23:38

For each entry the following information is printed. Take example of first output line:
userhelper S X vivek pts/0 0.00 secs Mon Nov 13 23:58

  • userhelper is command name of the process
  • S and X are flags, as recorded by the system accounting routines. Following is the meaning of each flag:
    • S — command executed by super-user
    • F — command executed after a fork but without a following exec
    • D — command terminated with the generation of a core file
    • X — command was terminated with the signal SIGTERM
  • vivek the name of the user who ran the process
  • prts/0 terminal name
  • 0.00 secs – time the process exited

Search the accounting logs by command name:
$ lastcomm rm
$ lastcomm passwd

rm                S     root     pts/0      0.00 secs Tue Nov 14 00:39
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:39
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:38
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:38
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:36
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:36
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:35
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:35
rm                      vivek    pts/0      0.00 secs Tue Nov 14 00:30
rm                      vivek    pts/1      0.00 secs Tue Nov 14 00:30
rm                      vivek    pts/1      0.00 secs Tue Nov 14 00:29
rm                      vivek    pts/1      0.00 secs Tue Nov 14 00:29

Search the accounting logs by terminal name pts/1
$ lastcomm pts/1

Task: summarizes accounting information

Use sa command to print summarizes information about previously executed commands. In addition, it condenses this data into a summary file named savacct which contains the number of times the command was called and the system resources used. The information can also be summarized on a per-user basis; sa will save this iinformation into a file named usracct.
# saOutput:

     579     222.81re       0.16cp     7220k
       4       0.36re       0.12cp    31156k   up2date
       8       0.02re       0.02cp    16976k   rpmq
       8       0.01re       0.01cp     2148k   netstat
      11       0.04re       0.00cp     8463k   grep
      18     100.71re       0.00cp    11111k   ***other*
       8       0.00re       0.00cp    14500k   troff
       5      12.32re       0.00cp    10696k   smtpd
       2       8.46re       0.00cp    13510k   bash
       8       9.52re       0.00cp     1018k   less

Take example of first line:
4 0.36re 0.12cp 31156k up2date

  • 0.36re “real time” in wall clock minutes
  • 0.12cp sum of system and user time in cpu minutes
  • 31156k cpu-time averaged core usage, in 1k units
  • up2date command name

Display output per-user:
# sa -uOutput:

root       0.00 cpu      595k mem accton
root       0.00 cpu    12488k mem initlog
root       0.00 cpu    12488k mem initlog
root       0.00 cpu    12482k mem touch
root       0.00 cpu    13226k mem psacct
root       0.00 cpu      595k mem consoletype
root       0.00 cpu    13192k mem psacct           *
root       0.00 cpu    13226k mem psacct
root       0.00 cpu    12492k mem chkconfig
postfix    0.02 cpu    10696k mem smtpd
vivek      0.00 cpu    19328k mem userhelper
vivek      0.00 cpu    13018k mem id
vivek      0.00 cpu    13460k mem bash             *
lighttpd   0.00 cpu    48240k mem php              *

Display the number of processes and number of CPU minutes on a per-user basis
# sa -mOutput:

                                      667     231.96re       0.17cp     7471k
root                                  544      51.61re       0.16cp     7174k
vivek                                 103      17.43re       0.01cp     8228k
postfix                                18     162.92re       0.00cp     7529k
lighttpd                                2       0.00re       0.00cp    48536k

Task: Find out who is eating CPU

By looking at re, k, cp/cpu (see above for output explanation) time you can find out suspicious activity or the name of user/command who is eating up all CPU. An increase in CPU/memory usage (command) is indication of problem.

Please note that above commands and packages also available on other UNIX like oses such as Sun Solaris and *BSD oses.

Linux Get List of Installed Software for Reinstallation / Restore All the Software Programs

Posted on in Categories Backup, Linux, Shell scripting, Tips last updated August 22, 2006

Hardware and software failures are part of life. And that is why you need to have a backup plan. I have already written about backing up files and MySQL databases. There is no need to backup all installed binaries and software programs. The following tip will not just save your time, but both Debian and RHEL based distro can be updated instantly.

Lighttpd install and configure Webalizer statistics software

Posted on in Categories lighttpd, RedHat/Fedora Linux, Sys admin, Tips, Ubuntu Linux last updated August 21, 2006
Lighttpd logo

If you are new to Lighttpd, please see how to install and configure Lighttpd web server.

The Webalizer is a fast, free, web-server log files analysis program. It produces highly detailed, easily configurable usage reports in HTML format, for viewing with a standard web browser.
Statistics commonly reported by Webalizer include: hits; visits; referers; the visitors’ countries; and the amount of data downloaded. These statistics can be viewed graphically and presented by different time frames, such as per day, hour, or month.

Install Webalizer

If you are using Fedora Core or Cent Os, type the following command to install
# yum install webalizer

If you are using Debian Linux Os, type the following command to install
# apt-get install webalizer

Webalizer configuration

Let us see how to configure Webalizer for the domain

  • Domain name:
  • Webroot: /home/lighttpd/
  • Webalizer Webroot: /home/lighttpd/
  • Webalizer Reports directory: /home/lighttpd/
  • Webalizer configuration file: /home/lighttpd/
  • Webalizer state log file: /home/lighttpd/ (This file stored incremental processing state for logs. This is useful for large sites that have to rotate their log files more than once a month [using logrotate] )
  • Webalizer the history file: /home/lighttpd/ (keeps the data for up to 12 months worth of logs i.e. you will be able to see last 12 months stats)
    Lighttpd log file location: /var/log/lighttpd/

To configure Webalizer, copy /etc/webalizer.conf file to your webroot/stats directory. Type the following commands:
# mkdir -p /home/lighttpd/
# cp /etc/webalizer.conf /home/lighttpd/

Now open /home/lighttpd/ file:
# vi /home/lighttpd/

Setup LogFile location:
LogFile /var/log/lighttpd/

Make sure LogType is set to Lighttpd’s Combined web server log format:
LogType clf

Setup statistics report directory where you want to put the output files:
OutputDir /home/lighttpd/

Setup the name of the history file:
HistoryName /home/lighttpd/

Make sure you get stats for last 12 months:
Incremental yes

Specify the filename for saving the incremental data:
IncrementalName /webroot/home/lighttpd/

Define the hostname of report:

Setup DNSCache file name. Use the same file name for all your domains. This will speed up DNS name lookup (you need to create a directory /var/cache/webalizer):
DNSCache /var/cache/webalizer/dns_cache.db

To get accurate stats you need to hide your own site from stats:

In addition, you need to hide your own site from referrals as it gives most referrals:

Save and close the file.

Create a directory to store DNS cache file:
# mkdir -p /var/cache/webalizer

Generate test stats:
$ webalizer -c /home/lighttpd/

Map /home/lighttpd/ directory to url:
Since /home/lighttpd/ directory is out of your default webroot (/home/lighttpd/ you will not able to see the stats by visiting url You can take the help of Lighttpd’s mod_alias to map urls. Open your configuration file and type following line:
# vi /etc/lighttpd/lighttpd.conf
Append following config directives:
alias.url = (
"/stats/" => "/home/lighttpd/"

Save and close the file. Restart the Lighttpd server:
# /etc/init.d/lighttpd restart

View your stats by visiting url . Here is sample stat from my own personal website (Click to enlarge images):

Lighttpd Webalizer stats # 1

Lighttpd Webalizer stats # 2

Lighttpd Webalizer stats # 3


Since your log contains lots of personal information of your visitors (such as IP address, Search string query and much more), it is a good idea to put statistic folder/directory in a password protected directory.

Rotating log files

Finally, you need to configure logrotate to rotate logs files with Lighttpd

Re-read The Partition Table Without Rebooting Linux System

Posted on in Categories File system, Linux, RedHat/Fedora Linux, Sys admin, Tips, Troubleshooting, Ubuntu Linux last updated May 8, 2006

If you are using hot swappable hard disk and created new partition using fdisk then you need to reboot Linux based system to get partition recognized. Without reboot you will NOT able to create filesystem on your newly created or modified partitions with the mke2fs command.

However with partprobe command you should able to create a new file system without rebooting the box. It is a program that informs the operating system kernel of partition table changes, by requesting that the operating system re-read the partition table.

Uninstall files installed from a source code tar ball on Linux or Unix

Posted on in Categories Debian Linux, File system, FreeBSD, GNU/Open source, Howto, Linux, RedHat/Fedora Linux, Solaris, Suse Linux, Tips, Ubuntu Linux, UNIX last updated December 24, 2005

Installing software from a source code is common practice in Linux and Unix world. Some time this is preferred method because it gives all power and flexibility you need to optimize your software such as MySQL, PHP, Apache and more. However, uninstalling files installed from a source code tar ball can be a big headache.

Two methods can be used to uninstall files:
Continue reading “Uninstall files installed from a source code tar ball on Linux or Unix”

Linux / Unix ncftp: Upload Directory Tree To Remote FTP Server Recursively

Posted on in Categories Howto, Linux, UNIX last updated April 27, 2005

When you host your web site remotely and and the ftp server is the only way to upload all files including subdirectroies. You need to use special file transfer program such as ncftpget for recursive remote ftp server uploading purpose. Ncftp is considered as an improved FTP client. Ncftp’s improvements include support for command line editing, command histories, recursive gets/puts, automatic anonymous logins, and more.