Quick tip to find out the clients connecting to a NFS server.
- Check the ports that NFS uses
grep -i nfs /etc/services
- Check the clients connecting to the server using the port from above
netstat -an | grep 2049
September 1, 2011
HOW TO : Find the clients connecting to a NFS server
HOW TO : Search ownership of files in Linux
Say you have a directory with a bunch of sub directories and files and you want to see if all the files are owned by a particular user, you can use the following set of commands
ls DIRECTORY_PATH -l -R | awk {'print $3'} | grep -v USER_NAME
The set of commands do the following
- ls -l -R shows the list of files and directories
- awk prints the name of the owner of the file (it is the third column)
- grep shows only the lines where the owner name doesn’t match
And yeah.. this works in most variants of Linux 
.
August 22, 2011
HOW TO : Apache and SELinux
Quick note for future reference..
If you ever run into errors like this
<pre>Starting httpd: Warning: DocumentRoot [/var/www/html/static] does not exist
Warning: DocumentRoot [/var/www/html/static] does not exist
Warning: DocumentRoot [/var/www/html/static] does not exist
Warning: DocumentRoot [/var/www/html/static] does not exist
(13)Permission denied: httpd: could not open error log file /etc/httpd/logs/error_log.
Unable to open logs
[FAILED]
And you are scratching your head why Apache is throwing these errors, even when the said directory and files exist. And you have the right permissions!! Check if you have SELinux running and being enforced.
On RHEL, you can check if SELinux is running by
cat /selinux/enforce
The two values are 0 and 1. 0 means, SELinux is not being enforced and 1 means it is.
You can quickly disable SELinux temporarily by
echo 0 >/selinux/enforce
If you want to disable it permanently (i.e. survive reboots), you have to edit the file /etc/selinux/config and change the SELINUX line from enabled to disabled.
HOW TO : Playbook for creating an effective IT team
Tom Limoncelli put together a list of questions that are essentially a cheat-sheet to creating and running a very effective IT team. He called it the Limoncelli Test (as a tribute to the Joel Spolsky‘s Joel Test) and it can be found at http://everythingsysadmin.com/the-test.html.
The only additional thing I would add to the list is to have a roadmap for the function you provide and ensure it is updated quarterly. A lot of teams spend a lot of time on what they do now, but don’t focus on what they “can” do. This is similar to IT functions spending more than 70% – 80% of their budgets on maintenance rather than innovating.
August 17, 2011
HOW TO : Use grep to search for credit card numbers
I was looking for a quick way to search for credit card numbers in a file and ran across this excellent post by Adrian Rollett. I tweaked his suggestion a bit to show some additional data.
Original suggestion
grep '\(^\|[^0-9]\)\{1\}\([345]\{1\}[0-9]\{3\}\|6011\)\{1\}[-]\?[0-9]\{4\}[-]\?\[0-9]\{2\}[-]\?[0-9]\{2\}-\?[0-9]\{1,4\}\($\|[^0-9]\)\{1\}' FILE_TO_SEARCH
My modification
grep '\([345]\{1\}[0-9]\{3\}\|6011\)\{1\}[ -]\?[0-9]\{4\}[ -]\?[0-9]\{2\}[-]\?[0-9]\{2\}[ -]\?[0-9]\{1,4\}' --color -H -n FILE_TO_SEARCH
The modified command will show the name of the file the number was found and at which line. You can tweak it further using additional options for grep. A good reference guide can be found here.
July 20, 2011
HOW TO : Export and import certificates using keytool
Keytool is a java utility to manage SSL key databases (stores). Here are a couple of options for using this tool
- List the certificates in the keystore
keytool -list -keystore NAME_OF_KEYSTORE_FILE
- Export a particular certificate from the keystore
keytool -export -alias ALIAS_NAME_OF_CERT -keystore NAME_OF_KEYSTORE_FILE
- Import a certificate into the keystore
keytool -import -alias ALIAS_NAME_YOU_WANT -keystore NAME_OF_KEYSTORE_FILE -file NAME_OF_CERT_FILE_TO_IMPORT
July 14, 2011
HOW TO : Use netcat (nc) on Windows 7
netcat is a swiss army tool for network/security professionals. You can use it to listen on certain ports or connect to certain ports. For example, say, you configured your firewall to allow TCP 80 traffic to your web server. But your web server is not built yet and you want to validate the rule. You can run netcat on your workstation to listen on port 80, assign the IP address of the web server to your workstation and test the rule.
If I am not mistaken, nc comes as a default tool in most of the Linux distros. You can download the windows port of the tool at http://www.securityfocus.com/tools/139
The command to have netcat listen on a specific port is “nc -l PORT_NUMBER”. If you run this on a Windows 7 machine, you will get this dreaded message “local listen fuxored: INVAL”. The fix is to run it with a -L option. So the command would like this
nc -L -p 80
The -L means “listen harder, re-listen on socket close” .. Have to dig deeper and see what it really means though. I will leave that for another blog post.
And if you want to validate that netcat is indeed listening on that port, you can connect to that port from another workstation by using nmap.
March 8, 2011
HOW TO : Enable global reverse proxy with certain exclusions in Apache
Say you want to enable reverse proxy on a site powered by Apache Web Server where all traffic to the web site it reverse proxied to a different server, but you want to exclude certain paths from being reverse proxies. I don’t know why you would want to do that .. but we ran into that scenario at work and I wanted to document the config for future reference. The picture below shows a high level view of the traffic
- Ensure the following modules are being loaded in Apache.
LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.so LoadModule proxy_connect_module modules/mod_proxy_connect.so LoadModule proxy_ftp_module modules/mod_proxy_ftp.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule rewrite_module modules/mod_rewrite.so
- In the virtual host configuration for kudithipudi.org add the following lines
ProxyRequests Off <Proxy *> Order deny,allow Allow from all </Proxy> ProxyPass /static ! ProxyPass /media ! ProxyPass / http://INTERNAL_SERVER:8888 ProxyPassReverse / http://INTERNAL_SERVER:8888
March 4, 2011
HOW TO : Trick to find out your IP address from a web server farm
This is a quick trick I came up with to find out the IP address of a client that is trying to access a farm of web servers that you have access to. The diagram below shows the network path for a typical web server. 
You have a client that might be sitting behind a (or multiple) proxy server. And there is a load balancer involved because you have multiple web servers for redundancy.
We were recently working on some rewrite rules for our web servers at work and we needed to find out what IP address the web servers were seeing the client traffic come from. Couple of challenges
- Which web server do you check? The load balancer can send you traffic to any server.
- What IP address are you going to look for? Wait that is the original problem right .
The web servers usually write an entry to the error log when they serve a 404 error. So we can use that to figure out which web server you are hitting and what IP address the web server is seeing you as. Here’s the trick
- On the client side go to http://WEBSITE_ADDRESS/Get_Me_My_IP (or some other URL, which you know doesn’t exist on the web site)
- On the server side, grep for “Get_Me_My_IP” in the web server error logs
Here is an example, I ran on this website (http://kudithipudi.org)
- Client Side : Go to http://kudithipudi.org/what_is_my_ip
- Server Side : grep for “what_is_my_ip”
root@samurai:/var/log/apache2# grep -i what_is_my_ip access_kudithipudi.log 199.27.130.105 - - [04/Mar/2011:16:07:18 +0000] "GET /what_is_my_ip HTTP/1.0" 40 4 5495 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/2 0110218 Firefox/3.6.14 ( .NET CLR 3.5.30729; .NET4.0E)"
- From this entry I can figure out that my client is appearing as "199.27.130.105" to the web server.
February 11, 2011
HOW TO : Setup Global Redirect in Lighttpd
If you have ever managed a web application, you know you have to take it down at times . And you usually want to show an simple page stating that you are down for maintenance. Here is a simple way to setup a “maintenance” splash page. The assumption is that you have a Linux server to host the maintenance page.
- Configure lighttpd (HTTP Server) on the server using instructions from this article on Cyberciti.
- Edit the lighttpd.conf file and add the following line in your site configuration
server.error-handler-404 = "index.html"
- Name your maintenance page as index.html and upload it to the document root (in this example, it is /var/www/html)
You are essentially telling the web server to display index.html whenever the user is trying to access content that is not present on the server. And since there is no content on the server other than the index.html, the web browser will always display the index.html page..