Kudithipudi.Org

December 12, 2011

HOW TO : Modify iptables rules

Filed under: HOWTO,Linux,Networking,security — Vinay @ 3:17 pm

Quick how-to for my personal records. iptables is the open source firewall (and packet-mangling toolkit; it does a lot more than filtering) included with most Linux distributions.

Steps to add a new rule to an existing configuration

  • Check the list of rules and their corresponding sequence. Line numbers are per chain, so list the chain you are about to change; -n skips the reverse DNS lookups that otherwise make the listing slow

sudo iptables -L INPUT -v -n --line-numbers 

  • Add the new rule at the required location/sequence. The new rule takes the given line number and every rule from there down moves one place. Rules in a chain are evaluated strictly in order and the first match wins, so an ACCEPT has to go above the chain's catch-all REJECT/DROP rule; a rule placed below the catch-all is never reached

 sudo iptables -I INPUT LINE_NUMBER RULE 

Example :

sudo iptables -I INPUT 8 -s X.X.X.X/24 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT

  • List the chain again to confirm the rule landed where you expected, then save the configuration. On RHEL/CentOS this writes the running rules to /etc/sysconfig/iptables, which is what the iptables service loads at boot; skip this step and the rule is gone after the next restart

 sudo service iptables save 
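Added here as an example (not from the original post): a small helper that works out the position to pass to iptables -I so that an ACCEPT rule lands above the chain's first DROP/REJECT rule. It parses the output of iptables -L INPUT -n --line-numbers (with or without -v) rather than running iptables itself, so it can be tried without root; the listing and the 192.0.2.0/24 network below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Finds the line number at which a
# new ACCEPT rule must be inserted so that it sits *above* the chain's first
# DROP/REJECT rule, from the output of:
#   iptables -L INPUT -n --line-numbers       (with or without -v)
# The listing below is constructed for this example; on a real host:
#   iptables -L INPUT -n --line-numbers | first_deny_line

# Print the line number of the first DROP/REJECT rule in a numbered listing,
# or the next free position if the chain has no catch-all rule.
first_deny_line() {
    awk '
        BEGIN { tcol = 2 }
        # header row: find the "target" column (it shifts right when -v is used)
        $1 == "num" { for (i = 1; i <= NF; i++) if ($i == "target") tcol = i; next }
        # rule rows start with their line number; "Chain ..." rows do not
        $1 ~ /^[0-9]+$/ {
            last = $1
            if (!found && ($tcol == "DROP" || $tcol == "REJECT")) { found = 1; print $1 }
        }
        END { if (!found) print last + 1 }
    '
}

# Build (but do not run) the insert command for a source network and TCP port,
# so it can be reviewed before being applied with root privileges.
insert_cmd() {
    net=$1; port=$2; pos=$3
    printf 'iptables -I INPUT %s -s %s -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' \
        "$pos" "$net" "$port"
}

# Constructed sample listing of an INPUT chain (not captured from a real host)
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

pos=$(printf '%s\n' "$SAMPLE_LISTING" | first_deny_line)   # 5: insert above the REJECT
insert_cmd 192.0.2.0/24 3128 "$pos"
```

Before running the printed command, iptables -C INPUT followed by the same rule specification (without the line number) tells you whether an identical rule already exists, which avoids stacking duplicates every time the procedure is repeated.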

Thx to Sijis for helping with the commands.

October 31, 2011

HOW TO : Check web services using curl

Filed under: HOWTO,Linux,Networking,security,Web — Vinay @ 3:36 pm

Quick note for myself on checking web services with curl (a [L/U]nix command-line utility for working with HTTP(S) traffic)

 curl https://URL_TO_TEST --insecure --trace-ascii debug.txt 

Comments on options :
--insecure (short form -k) makes curl skip verification of the server certificate, which you need when testing web services served over SSL with self-signed certs. It also disables the only check that proves you are talking to the intended server, so keep it for troubleshooting; for an endpoint you test regularly, pass the self-signed certificate (or the private CA that issued it) with --cacert FILE instead and leave verification on.
--trace-ascii dumps all traffic between the client (curl in this case) and the server in human-readable form to the named file: the TLS handshake steps, the request headers sent, and the response headers and body received. The file therefore also contains any credentials, cookies or tokens the request carried, so treat it as sensitive and delete it when you are done.
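An added example (not from the original post) of reading a --trace-ascii file instead of eyeballing it: two small functions pull the request and response headers and the HTTP status out of the trace, and a third flags the line curl writes when --insecure made it skip certificate verification. The trace below is constructed for the example; the host and IP address in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Extracts the useful parts of a
# "curl --trace-ascii debug.txt" file: the headers exchanged, the response
# status, and whether certificate verification was skipped. The trace below is
# constructed for this example; on a real run:  trace_headers < debug.txt

# Print every request (">") and response ("<") header line from a trace.
# Header payload lines look like "0010: Host: example.com"; sections start
# with "=> Send header" / "<= Recv header" and end at the next "=>", "<=", "==".
trace_headers() {
    awk '
        /^=> Send header/ { mode = ">"; next }
        /^<= Recv header/ { mode = "<"; next }
        /^(=>|<=|==) /    { mode = "";  next }
        mode != "" && /^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]: / { print mode " " substr($0, 7) }
    '
}

# HTTP status code of the (first) response in the trace
trace_status() {
    trace_headers | awk '$1 == "<" && $2 ~ /^HTTP\// { print $3; exit }'
}

# Exit 0 if curl reported that it continued despite a failed certificate check
trace_verify_skipped() {
    grep -q 'SSL certificate verify result: .*continuing anyway'
}

# Constructed trace of an --insecure request to a self-signed test endpoint
SAMPLE_TRACE='== Info: About to connect() to example.com port 443 (#0)
== Info:   Trying 192.0.2.10...
== Info: Connected to example.com (192.0.2.10) port 443 (#0)
== Info: SSL connection using TLS1.2 / ECDHE-RSA-AES128-GCM-SHA256
== Info: Server certificate:
== Info:   subject: CN=example.com
== Info: SSL certificate verify result: self signed certificate (18), continuing anyway.
=> Send header, 77 bytes (0x4d)
0000: GET /health HTTP/1.1
0016: User-Agent: curl/7.29.0
0030: Host: example.com
0043: Accept: */*
<= Recv header, 17 bytes (0x11)
0000: HTTP/1.1 200 OK
<= Recv header, 32 bytes (0x20)
0000: Content-Type: application/json
<= Recv header, 20 bytes (0x14)
0000: Content-Length: 15
<= Recv data, 15 bytes (0xf)
0000: {"status":"ok"}
== Info: Connection #0 to host example.com left intact'

printf '%s\n' "$SAMPLE_TRACE" | trace_headers
echo "status: $(printf '%s\n' "$SAMPLE_TRACE" | trace_status)"
if printf '%s\n' "$SAMPLE_TRACE" | trace_verify_skipped; then
    echo "WARNING: certificate verification was skipped (--insecure); server identity not checked"
fi
```

The "continuing anyway" check is the one worth keeping in a test script: a run that only looks at the status code will happily report 200 from a man-in-the-middle, because --insecure accepts whatever certificate it is shown.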

August 22, 2011

HOW TO : Apache and SELinux

Filed under: HOWTO,Linux,Networking,Technology,Web — Vinay @ 11:13 am

Quick note for future reference..

If you ever run into errors like this

Starting httpd: Warning: DocumentRoot [/var/www/html/static] does not exist
Warning: DocumentRoot [/var/www/html/static] does not exist
Warning: DocumentRoot [/var/www/html/static] does not exist
Warning: DocumentRoot [/var/www/html/static] does not exist
(13)Permission denied: httpd: could not open error log file /etc/httpd/logs/error_log.
Unable to open logs
                                                           [FAILED]

and you are scratching your head over why Apache is throwing these errors even though the directory and files exist, and you have the right permissions, check whether SELinux is running in enforcing mode. The Apache message is misleading: SELinux is refusing to let httpd read (or even stat) those paths because they do not carry a label the httpd_t domain is allowed to access, which typically happens when content or log directories are created or copied from outside the default /var/www and /var/log/httpd trees. Apache reports the failed stat as the directory not existing. The actual denials are recorded in /var/log/audit/audit.log and can be listed with ausearch -m avc -ts recent.

On RHEL, you can check whether SELinux is being enforced by

cat /selinux/enforce 

(or by running getenforce). The two values are 0 and 1. 0 means SELinux is not being enforced (permissive mode: denials are only logged) and 1 means it is. On RHEL 7 and later the file is /sys/fs/selinux/enforce.

You can temporarily switch SELinux to permissive mode with

echo 0 >/selinux/enforce 

(or setenforce 0). This is a quick way to confirm the diagnosis: if httpd starts cleanly afterwards, SELinux was the cause.

If you want to disable it permanently (i.e. survive reboots), edit the file /etc/selinux/config and change the SELINUX= line from enforcing to disabled. Bear in mind that this removes the mandatory access control from every other service on the box, not just Apache. The fix that keeps SELinux on is to give the files the labels httpd expects, httpd_sys_content_t for content and httpd_log_t for the log directory, using semanage fcontext and restorecon, and then to turn enforcing back on.
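Added here as an example (not from the original post): a script that summarises the AVC denials behind errors like the ones above from audit records, and prints the relabel commands that fix them without disabling SELinux. The audit lines are constructed for the example (same record format as /var/log/audit/audit.log and ausearch -m avc output); the paths and the default_t/var_t labels in them are assumptions about a misplaced content directory.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises SELinux AVC denials
# for httpd from audit records (the format of /var/log/audit/audit.log and of
# "ausearch -m avc" output) and prints the relabel commands that fix the usual
# cause: content or log files carrying a label httpd_t may not touch.
# The audit lines below are constructed for this example. On a real host:
#   ausearch -m avc -ts recent | avc_summary

# One line per httpd denial:  <denied permission> <object class> <object name> <object type>
# (only the first permission of a "{ read open }" set is reported)
avc_summary() {
    awk '
        /type=AVC/ && /comm="httpd"/ {
            perm = ""; name = ""; ttype = ""; tclass = ""
            if (match($0, /denied +[{] *[a-z_]+/)) {
                perm = substr($0, RSTART, RLENGTH); sub(/.*[{] */, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(name|path)=/) { name = $i; sub(/^[a-z]+=/, "", name); gsub(/"/, "", name) }
                if ($i ~ /^tcontext=/)    { split($i, ctx, ":"); ttype = ctx[3] }   # user:role:type:level
                if ($i ~ /^tclass=/)      { tclass = $i; sub(/^tclass=/, "", tclass) }
            }
            print perm, tclass, name, ttype
        }
    '
}

# Commands that give a directory tree the label httpd may use: semanage records
# the rule so it survives a full relabel, restorecon applies it right now.
# Content gets httpd_sys_content_t (the default); a log directory gets httpd_log_t.
relabel_cmds() {
    dir=$1; type=${2:-httpd_sys_content_t}
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$type" "$dir"
    printf 'restorecon -Rv "%s"\n' "$dir"
}

# Constructed audit records: two httpd denials and one unrelated sshd denial
SAMPLE_AUDIT='type=AVC msg=audit(1313946000.123:45): avc:  denied  { search } for  pid=2210 comm="httpd" name="static" dev=dm-0 ino=263245 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1313946000.130:46): avc:  denied  { append } for  pid=2210 comm="httpd" name="error_log" dev=dm-0 ino=131102 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1313946001.000:47): avc:  denied  { read } for  pid=1999 comm="sshd" name="authorized_keys" dev=dm-0 ino=5555 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'

echo "httpd denials:"
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
echo "suggested fix:"
relabel_cmds /var/www/html/static
relabel_cmds /var/log/httpd httpd_log_t
```

After running the relabel commands, ls -Z on the directories should show httpd_sys_content_t and httpd_log_t, setenforce 1 puts the box back in enforcing mode, and httpd should start without the warnings.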

July 20, 2011

HOW TO : Export and import certificates using keytool

Filed under: HOWTO,Networking,Technology — Vinay @ 2:55 pm

keytool is the Java utility for managing keystores, the files in which a JVM keeps private keys and the certificates it trusts. Here are a couple of options for using this tool. Each command prompts for the keystore password unless you pass -storepass.

  • List the certificates in the keystore (add -v to see the subject, issuer, validity dates and fingerprints of each entry)
keytool -list -keystore NAME_OF_KEYSTORE_FILE 
  • Export a particular certificate from the keystore. Without -file the certificate is written in binary DER form to the terminal, so name an output file; add -rfc to get PEM instead. Only the certificate is exported, never the private key
keytool -export -alias ALIAS_NAME_OF_CERT -keystore NAME_OF_KEYSTORE_FILE -file NAME_OF_OUTPUT_FILE 
  • Import a certificate into the keystore. keytool shows the certificate's fingerprint and asks whether to trust it; compare that fingerprint with one obtained from the certificate's owner out of band before answering yes, because everything imported this way is trusted by every application that uses the keystore
keytool -import -alias ALIAS_NAME_YOU_WANT -keystore NAME_OF_KEYSTORE_FILE -file NAME_OF_CERT_FILE_TO_IMPORT 
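An added example (not from the original post) that exercises all three commands end to end: it generates a throwaway key pair, exports its certificate as PEM, imports that into a second keystore as a trusted entry, and verifies the round trip by comparing SHA-256 fingerprints rather than trusting the interactive prompt. It needs a JDK with keytool on the PATH (a recent one, whose -list -v output prints a SHA256 line); the keystore names, aliases, subject name and the "changeit" password are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a self-contained round trip that
# creates a throwaway keystore with a key pair, exports its certificate in PEM
# form, imports that into a second keystore as a trusted entry, and checks that
# the SHA-256 fingerprint of the imported entry matches the source. Needs a JDK
# (keytool on PATH); keystore names, aliases and the password are assumptions.

PW=changeit

# SHA-256 fingerprint of entry $2 in keystore $1, as printed by "keytool -list -v"
fingerprint() {
    keytool -list -v -keystore "$1" -storepass "$PW" -alias "$2" 2>/dev/null \
        | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# Returns 0 when the export/import round trip preserves the certificate
keytool_roundtrip() {
    work=$(mktemp -d)
    src="$work/app.jks"      # holds the private key and its certificate
    dst="$work/trust.jks"    # truststore that should trust app's certificate

    keytool -genkeypair -alias app -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=app.example.test" \
        -keystore "$src" -storepass "$PW" -keypass "$PW" >/dev/null 2>&1
    # -rfc writes PEM; only the certificate leaves the keystore, never the key
    keytool -exportcert -alias app -keystore "$src" -storepass "$PW" \
        -rfc -file "$work/app.pem" >/dev/null 2>&1
    # -noprompt answers the "Trust this certificate?" question for us, which is
    # acceptable only because the fingerprint is compared programmatically below
    keytool -importcert -alias app-ca -file "$work/app.pem" \
        -keystore "$dst" -storepass "$PW" -noprompt >/dev/null 2>&1

    want=$(fingerprint "$src" app)
    got=$(fingerprint "$dst" app-ca)
    rm -rf "$work"
    [ -n "$want" ] && [ "$want" = "$got" ]
}

if command -v keytool >/dev/null 2>&1; then
    keytool_roundtrip && echo "round trip OK: fingerprints match"
else
    echo "keytool not found; install a JDK to run this example"
fi
```

The same fingerprint comparison is what you should do by hand when importing a certificate someone sent you: -list -v on the destination keystore after the import, and a fingerprint obtained from the owner over a channel other than the one that delivered the file.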

July 14, 2011

HOW TO : Use netcat (nc) on Windows 7

Filed under: HOWTO,Networking,Technology,Windows — Vinay @ 11:28 am

netcat is the Swiss army knife for network/security professionals. You can use it to listen on a port or to connect to one. For example, say you configured your firewall to allow TCP 80 traffic to your web server, but the web server is not built yet and you want to validate the rule. You can run netcat on your workstation to listen on port 80, assign the IP address of the web server to your workstation and test the rule.

If I am not mistaken, nc comes as a default tool in most of the Linux distros. You can download the Windows port of the tool at http://www.securityfocus.com/tools/139

The command to have netcat listen on a specific port is "nc -l PORT_NUMBER". If you run this on a Windows 7 machine, you will get this dreaded message: "local listen fuxored: INVAL". The fix is to run it with the -L option. So the command would look like this

nc -L -p 80

The -L means "listen harder, re-listen on socket close" :) .. Have to dig deeper and see what it really means though. I will leave that for another blog post.

And if you want to validate that netcat is indeed listening on that port, you can probe it from another workstation with nmap (nmap -p 80 IP_OF_WEB_SERVER should report the port as open) or simply connect with netcat from the other side (nc IP_OF_WEB_SERVER 80) and watch what you type show up on the listener. Stop the listener once the rule is validated; it will answer anyone who can reach it.

February 11, 2011

HOW TO : Setup Global Redirect in Lighttpd

Filed under: HOWTO,Linux,Networking,Technology,Web — Vinay @ 8:12 pm

If you have ever managed a web application, you know you have to take it down at times :) . And you usually want to show a simple page stating that you are down for maintenance. Here is a simple way to set up a "maintenance" splash page. The assumption is that you have a Linux server to host the maintenance page.

  • Configure lighttpd (HTTP server) on the server using the instructions from this article on Cyberciti.
  • Edit the lighttpd.conf file and add the following line to your site configuration (the value is a URI path relative to the document root, hence the leading slash)
 server.error-handler-404   = "/index.html" 
  • Name your maintenance page index.html and upload it to the document root (in this example, /var/www/html)

You are essentially telling the web server to serve index.html whenever a user requests content that is not present on the server. And since there is no content on the server other than index.html, the browser always ends up on the maintenance page. Two caveats: anything you do leave in the document root is still served normally, so keep it empty apart from index.html and the files it references; and the page goes out as a response to a request for a missing path rather than with the HTTP 503 Service Unavailable status, which is what tells crawlers and monitoring systems that the outage is temporary and the page should not be indexed or cached.
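As an added example (not from the original post or the Cyberciti article), here is a fuller lighttpd configuration for the same purpose that rewrites every path to the splash page instead of relying on the 404 handler alone, and tells clients not to cache it. The paths, the stylesheet name and the Retry-After value are assumptions; mod_rewrite and mod_setenv must be loaded.

```lighttpd
# Added example (not from the original post): maintenance page that catches
# every request, whether or not the path exists. Paths, the stylesheet name
# and the Retry-After value are assumptions.
server.modules += ( "mod_rewrite", "mod_setenv" )   # only if not already listed

server.document-root = "/var/www/html"
index-file.names     = ( "index.html" )

# First match wins: leave the splash page and its stylesheet alone, send
# everything else to the splash page. Nothing else in the document root is
# reachable, so leftover files cannot leak during the outage.
url.rewrite-once = (
    "^/(index\.html|maintenance\.css)$" => "/$1",
    "^/.*"                              => "/index.html"
)

# Ask clients and crawlers to come back later and not to cache the page.
setenv.add-response-header = (
    "Retry-After"   => "3600",
    "Cache-Control" => "no-store"
)

# Safety net for anything the rewrite does not cover.
server.error-handler-404 = "/index.html"
```

The rewrite keeps the maintenance page up even if someone forgets to clear the document root, which is the failure mode of the 404-only approach.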

February 7, 2011

HOW TO : Capture HTTP Headers using tcpdump

Filed under: HOWTO,Linux,Networking,Technology,Web — Vinay @ 11:09 am

Quick how-to on capturing HTTP headers using tcpdump on a web server (running Linux).

    • On the web server, issue the following command
       tcpdump -s 1024 -C 1024000 -w /tmp/httpcapture dst port 80 
      A few things to know about those options. -s sets the snapshot length, so any packet longer than 1024 bytes is truncated and a large header block (long cookies, long URLs) is cut off; use -s 0 to capture whole packets when that matters. -C rotates the output file every N million bytes, so 1024000 is roughly a terabyte per file and never rotates in practice; -C 100 gives 100 MB files, numbered httpcapture1, httpcapture2 and so on. The filter dst port 80 only matches packets sent to the server, so you get request headers but not the response headers; use port 80 to capture both directions. On a server with several interfaces, add -i to pick the right one.
    • Stop the capture with ctrl + c (this interrupts tcpdump, which flushes and closes the file before exiting)
    • Open the capture file (httpcapture in this example) in Wireshark and check out the headers under the HTTP protocol section of each packet; "Follow TCP Stream" shows a whole request/response exchange in one view

July 30, 2010

HOW TO : Check status of bond interface in Linux

Filed under: HOWTO,Linux,Networking,Technology — Vinay @ 3:03 pm

For my notes.. If you ever want to check the status of a bonded interface configured in Linux (especially RHEL), you can do so by running the following command

[root@serverxyz bin]# cat /proc/net/bonding/bond0

i.e. assuming the name of your bond interface is bond0.

Output from the command

Ethernet Channel Bonding Driver: v3.4.0 (October 7, 2008)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: eth3 (primary_reselect always)
Currently Active Slave: eth3
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth3
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:10:18:6e:b8:1a

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:21:5e:11:34:32

What to look for: "Bonding Mode" tells you how the slaves are used (active-backup here, so only one carries traffic at a time). "Currently Active Slave" should match "Primary Slave"; if it does not, a failover has happened, possibly without anyone noticing since the IP address kept answering. Every slave should show "MII Status: up" and a "Link Failure Count" that does not climb between checks; a slave stuck at "down" means the bond is running with no redundancy left.

The configuration files involved are

/etc/sysconfig/network-scripts/ifcfg-bond0 (Bond Interface)

DEVICE=bond0
IPADDR=10.10.40.26
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
GATEWAY=10.10.40.1
NETWORK=10.10.40.0
BROADCAST=10.10.40.255
TYPE=Ethernet

/etc/sysconfig/network-scripts/ifcfg-eth3 (Primary Interface)

DEVICE=eth3
BOOTPROTO=none
ONBOOT=yes
HWADDR=00:10:18:6e:b8:1a
MASTER=bond0
SLAVE=yes
TYPE=Ethernet
USERCTL=no

/etc/sysconfig/network-scripts/ifcfg-eth0 (Secondary Interface)

DEVICE=eth0
HWADDR=00:21:5e:11:34:32
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
TYPE=Ethernet
April 26, 2010

Express.com DNS outage

Filed under: Networking,Technology,Web — Vinay @ 9:42 pm

I am sure a lot of people shop on express.com, but I probably get the credit for being the first blogger to post that express.com has not been responding to DNS queries since ~7:00 PM CST (4/26). It looks like Qwest is hosting DNS for Express. The name servers (most probably global load balancers) are not responding to DNS requests.

Here's what I got when I queried for www.express.com

Nameserver trace for www.express.com:

• Looking for who is responsible for root zone and followed h.root-servers.net.
• Looking for who is responsible for com and followed h.gtld-servers.net.
• Looking for who is responsible for express.com and followed dca-ans-01.inet.qwest.net.

Nameservers for www.express.com:

• dca-ans-01.inet.qwest.net returned (NORECORDS)
• svl-ans-01.inet.qwest.net returned (NORECORDS)

I feel for the poor ops team scrambling to bring the service back up :) . Another reason you want diversity in your DNS hosting: both authoritative servers here sit with the same provider, so a single provider-side failure takes the whole domain offline.

December 9, 2009

HOW TO : Load/Stress test a Linux based server

Filed under: HOWTO,Linux,Networking,Technology — Vinay @ 9:03 pm

We ran into an issue at work recently, which prompted us to do some performance testing on some of our Linux servers. The requirement was to stress test the key components of the server (CPU, RAM, HDD, network) and prove that different servers with the same configuration were capable of performing identically. Pretty simple, right :) .. The challenge was to find tools that could be run to stress test each of the components. There were a lot of tools for CPU and memory (RAM) testing, but not a lot for network and hard drive (HDD) testing. After searching high and low, we found a couple of tools that I wanted to document here for future reference.

HDD Testing :

I found a pretty interesting tool called Iozone, written by William Norcott (Oracle) and Don Capps. You can get the source code and builds for major OSs at http://iozone.org . Despite installing the program using RPM, we were not able to run the program without specifying the complete path.

There are a ton of options for the program, but the easiest method to run it was in automated mode with the output going to an Excel spreadsheet (more like a glorified CSV file :) ). Here is the command we used

/opt/iozone/bin/iozone -a -Rb output_excel_file.xls

The "-a" tells the program to run in automated mode (it sweeps record and file sizes on its own), "-R" produces an Excel-style report and "-b" names the file the report is written to. You can then open the spreadsheet in Excel and create 3D graphs to check and compare the output.

Network Testing :

Most of the information out there on testing the network stack of a machine amounts to copying large files over a network share or via FTP. We didn't find that was enough to really max out a gigabit port, since protocol overhead kept us from saturating the link. After some searching, we stumbled across a tool called "ettcp" on Sourceforge. ettcp itself is an offshoot of ttcp. ttcp (stands for test TCP) was created to test network performance between two nodes, by pushing a stream of buffers over a raw TCP connection with no application protocol on top. I couldn't find any place to download ttcp itself, but you can download ettcp at http://ettcp.sourceforge.net/.

We used a server to act as a common receiver for all the servers we intended to performance test. Here are the commands we used to run the test

RECEIVER (Common Server)
./ettcp -r -s -f M

The options are

• "-r" for designating the machine as receiver
• "-f M" for showing the output in megabytes

TRANSMITTER (Test Servers)
./ettcp -t -s receiver_hostname -n 10000000 -f M

The options are

• "-t" for designating the machine as transmitter
• "-s receiver_hostname" to define the receiver
• "-n" to define the number of packets to send to the receiver