admin

Project Uptime : Progress Report – 4

Continuing to lock down the server as part of project uptime a bit more.. I highly recommend enabling and using iptables on every Linux server. I want to restrict inbound traffic to the server to only SSH (tcp port 22) and HTTP(S) (tcp port 80/443). Here’s the process

Check the current rules on the server

[code]sudo iptables -L [/code]

Add rules to allow SSH, HTTP and HTTPS traffic and all traffic from the loopback interface

[code]sudo iptables -I INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp –dport ssh -j ACCEPT
sudo iptables -A INPUT -p tcp –dport http -j ACCEPT
sudo iptables -A INPUT -p tcp –dport https -j ACCEPT
[/code]

Drop any traffic that doesn’t match the above mentioned criteria

[code]sudo iptables -A INPUT -j DROP [/code]

save the config and create script for the rules to survive reboots by running

[code]sudo su –
iptables-save > /etc/firewall.rules[/code]

now create a simple script that will load these rules during startup. Ubuntu provides a pretty neat way to do this. You can write a simple script and place it in /etc/network/if-pre-up.d and the system will execute this before bringing up the interfaces. You can get pretty fancy with this, but here is a simple scrip that I use

[code]
samurai@samurai:/etc/network/if-pre-up.d$ cat startfirewall
#!/bin/bash

# Import iptables rules if the rules file exists

if [ -f /etc/firewall.rules ]; then
iptables-restore </etc/firewall.rules
fi

exit 0
[/code]

Now you can reboot the server and check if your firewall rules are still in effect by running

[code]sudo iptables -L [/code]

Project Uptime : Progress Report – 3

Things have been a bit hectic at work.. so didn’t get a lot of time to work on this project. Now that that the new server has been setup and the kernel updated, we get down to the mundane tasks of installing the software.

One of the first things I do, when configuring any new server is to restrict root user from logging into the server remotely. SSH is the default remote shell access method nowadays. Pls don’t tell me you are still using telnet :).

And before restricting the root user for remote access, add a new user that you want to use for regular activities, add the user to sudo group and ensure you can login and sudo to root as this user. Here are the steps I follow to do this on a Ubuntu server

Add a new user

[code]useradd xxxx [/code]

Add user to sudo group

[code]usermod -G sudo -a xxxx[/code]

Check user can sudo to gain root access

[code]sudo su – xxxx
su – [/code]

Now moving into the software installation part

Install Mysql

[code]sudo apt-get install mysql-server [/code]

you will be prompted to set the root user during this install. This is quite convenient, unlike the older installs, where you had to set the root password later on.

Install PHP

[code]sudo apt-get install php5-mysql [/code]

In addition to installing the PHP5-mysql, this will also install apache. I know, I mentioned, I would like to try out the new version of Apache. But it looks like Ubuntu, doesn’t have a package for it yet. And I am too lazy to compile from source :).

With this you have all the basic software for wordpress. Next, we will tweak this software to use less system resources.

March 28, 2012 by admin Databases HOWTO Linux Networking security Technology Uncategorized Web 0

HOW TO : Identify good talent

In the fortune magazine, there is a section (and for the life of me.. I cannot seem to find it online and I just cleared my dining table of all the back issues of the magazine 🙁 ) on how business leaders see trends in real life and than make judgements on where the economy is headed. For example, if someone sees a starbucks they visit regularly become more busier than normal, that person judges that the economy is doing well.

I judge good talent (think sysadmin, dba, programmer, application engineer etc) in a somewhat similar fashion. I should note that this system is not perfect, but it seems to have worked out more than not for me so far. I judge their talent based on what browser and how they use it.

THE BEST

Ever see a person who has multiple browsers (not tabs) open and is doing a specialized task in each one of them? Their home screen is usually set to a specialized search engine (blekko, duckduckgo, wolframalpha) and they have add-ons that block ads and show them a variety of information of the site they visit. These are usually the best folks to have on your team. These are the folks that you want your systems designed by.

THE GOOD

This group tends to either use firefox or chrome. Has Google as their home-page and know how to use multiple tabs. Yeah.. sorry, I a browser discriminator :). Since there can only be a few rock stars in the world, you should consider yourselves lucky if most of the members in your team belong to this group.

THE REST

Ever see someone, whose homepage looks like Google but is not.. And has a bunch of “toolbars” that take up 1/3rd of the screen. And has popups showing up randomly? Yep.. these are the folks you don’t want touching your code. Even with a 10 foot pole.. no sir.. Having these folks move to firefox and/or chrome doesn’t help the situation either :).

March 27, 2012 by admin HOWTO Management Uncategorized 3

HOW TO : Route traffic to loopback interface in Linux

Back in 2009 (last decade!! 🙂 ), I wrote a blog post on how you can trick windows to route traffic destined to a particular IP address to a black-hole. In it, I mentioned the command to route traffic to /dev/null in Linux was [code]<code>route ADD IP_ADDRESS_OF_MAIL_SERVER MASK 255.255.255.255 127.0.0.1</code> [/code]

I ran into a need to try it today and looks like the trick doesn’t work :). So here is the right command if you want to route traffic to the loopback (or blackhole) destined to a particular IP address [code]sudo route add -host IP_ADDRESS_OF_HOST/NETWORK_MASK lo [/code]

For example if I want to black-hole traffic destined to 74.205.216.2, I would do the following [code] sudo route add -host 74.205.216.2/32 lo [/code]

March 26, 2012 by admin HOWTO Linux Networking Uncategorized 0

Dreaming

James Cameron successfully completed a deep dive into the deepest part of the ocean today. And with it, he repeated a feat that was tried 50 years ago. I cannot wait for the documentary he is going to make out of this dive. I put this on the same scale as someone flying to the moon and back. Yes, I know it was done before. But it has never been repeated again.

By doing this, Mr. Cameron has inspired to start dreaming again. That we can still fly to the moon.. that we can one day travel beyond the boundaries of our solar system

Thank you Mr. Cameron, for letting us dream again.

March 25, 2012 by admin Humanity Uncategorized 0

Driving in Texas

If you are ever driving in the country of Texas (yes, for the uninitiated, Texas is a country by itself 🙂 ), drive in the left most lane if you don’t want to get off the highway and drive in the rightmost lane if you want to get off the highway. Even the folks that only drive at 55 and are always in the right lane need to heed this advice..

Or you will be getting off and on the never ending “frontage” roads 🙂

I shared by two cents!!

March 24, 2012 by admin Fun Uncategorized 0

DID YOU KNOW : Windows mobile and wildcard certs don't work together

Wildcard SSL certificates allow you to use one certificate for all sub domains (up to one level) of a host. Say I got a wildcard SSL certificate for *.kudithipudi.org, I would be able to use it to provide SSL on blah.kudithipudi.org, ssltest.kudithipudi.org, youcannotbeserious.kudithipudi.org and the clients won’t complaint about it.

For some reason though, Windows Mobile phones don’t like wildcard certs. So if you are ever scratching your head, why every other client works, but windows mobile devices don’t..stop scratching and get a regular SSL certificate for your website/application.

Apparently, this is the case with

Windows CE
Windows Mobile 5.0
Windows Mobile 6.0
Windows Mobile 7.0

Don’t you get the feeling that someone keeps using the same library and never bothered to check/fix it? And searching on MSDN or any other Microsoft resource won’t provide you this information. This is my own deduction after beating my head against the wall for more than 3 days :).

March 23, 2012 by admin DID YOU KNOW Technology Uncategorized Windows 0

Up above the world..like a bird in the sky

March 22, 2012 by admin Photography Uncategorized 0

Stay Hungry.. Stay Foolish

Just read a really nice article on the Harvard Business Review by Walter Isaacson on leadership lessons of Steve Jobs at http://hbr.org/2012/04/the-real-leadership-lessons-of-steve-jobs/ar/pr . There were a lot of points that Walter makes in the article, but the one that resonated a lot with me was the need to “Stay Hungy.. Stay Foolish“. This is similar to having a “hacker mentality”, which I believe is one of the key ingredient for a person to be successful (professionally and personally).

Being a hacker means..

being inquisitive about how things work.
always being a student
being able to challenge “this is how we always did things”
never stop perfecting
remembering that one can (and used to) survive on ramen noodles 🙂

March 21, 2012 by admin Management Uncategorized 0

Project Uptime : Progress Report – 2

After I installed the new kernel as mentioned in this update, I was still seeing the server booting up with the older version. I tried to have the kernel install option (apt-get install linux-image-VERSION) to overwrite the grub config, but the server wouldn’t boot up after that.

So after a lot of head scratching and googling, I found the solution. Rather than have the install program automatically update the grub config file, you have to manually edit it.

So install the latest kernel using the commands as mentioned in my previous post (https://kudithipudi.org/2012/03/07/project-uptime-progress-report-1/) and when prompted about the having an existing grub menu and if you want to overwrite it, just say no. Then do the following

Check the new kernel image filename by running [code] ll /boot/vmlinuz* [/code]
Edit the grub boot menu by editing the file /boot/grub/menu.1st and add a section for the new kernel image.
Edit the default boot option to the new kernel image (NOTE.. the sequence starts from 0)
Reboot the server and enjoy the new kernel

Here’s my before and after comparisons for the server I am building

BEFORE (this is after the line ## End Default Options ##)

[code]

title Ubuntu 11.10, kernel 3.0.0-12-virtual
root (hd0)
kernel /boot/vmlinuz-3.0.0-12-virtual root=/dev/xvda1 console=hvc0 ro quiet splash
initrd /boot/initrd.img-3.0.0-12-virtual

title Ubuntu 11.10, kernel 3.0.0-12-virtual (recovery mode)
root (hd0)
kernel /boot/vmlinuz-3.0.0-12-virtual root=/dev/xvda1 console=hvc0 ro single
initrd /boot/initrd.img-3.0.0-12-virtual

title Ubuntu 11.10, kernel 3.0.0-16-virtual
root (hd0)
kernel /boot/vmlinuz-3.0.0-16-virtual root=/dev/xvda1 console=hvc0 ro quiet splash
initrd /boot/initrd.img-3.0.0-16-virtual
title Chainload into GRUB 2
root (hd0)
kernel /boot/grub/core.img

title Ubuntu 11.10, memtest86+
root (hd0)

[/code]

AFTER