If you run into a situation, where you need to search through a bunch of files and print the names of the files that don’t contain a particular string, here is how you do it in Linux
[code]find -name PATTERN_FOR_FILE_NAMES | xargs grep -L STRING_YOU_ARE_SEARCHING_FOR [/code]
The -L option for grep does this (according to the manual)
Suppress normal output; instead print the name of each input file from which no output would normally have been printed. The scanning will stop on the first match.
Quick one liner for capturing traffic destined to and arriving from a host (IP address) using tcpdump and writing it to a file for analyzing later on
[code]tcpdump -s0 host x.x.x.x -w destination.pcap [/code]
Continuing to lock down the server as part of project uptime a bit more.. I highly recommend enabling and using iptables on every Linux server. I want to restrict inbound traffic to the server to only SSH (tcp port 22) and HTTP(S) (tcp port 80/443). Here’s the process
Check the current rules on the server
[code]sudo iptables -L [/code]
Add rules to allow SSH, HTTP and HTTPS traffic and all traffic from the loopback interface
[code]sudo iptables -I INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp –dport ssh -j ACCEPT
sudo iptables -A INPUT -p tcp –dport http -j ACCEPT
sudo iptables -A INPUT -p tcp –dport https -j ACCEPT
[/code]
Drop any traffic that doesn’t match the above mentioned criteria
[code]sudo iptables -A INPUT -j DROP [/code]
save the config and create script for the rules to survive reboots by running
[code]sudo su –
iptables-save > /etc/firewall.rules[/code]
now create a simple script that will load these rules during startup. Ubuntu provides a pretty neat way to do this. You can write a simple script and place it in /etc/network/if-pre-up.d and the system will execute this before bringing up the interfaces. You can get pretty fancy with this, but here is a simple scrip that I use
[code]
samurai@samurai:/etc/network/if-pre-up.d$ cat startfirewall
#!/bin/bash
# Import iptables rules if the rules file exists
if [ -f /etc/firewall.rules ]; then
iptables-restore </etc/firewall.rules
fi
exit 0
[/code]
Now you can reboot the server and check if your firewall rules are still in effect by running
[code]sudo iptables -L [/code]
Things have been a bit hectic at work.. so didn’t get a lot of time to work on this project. Now that that the new server has been setup and the kernel updated, we get down to the mundane tasks of installing the software.
One of the first things I do, when configuring any new server is to restrict root user from logging into the server remotely. SSH is the default remote shell access method nowadays. Pls don’t tell me you are still using telnet :).
And before restricting the root user for remote access, add a new user that you want to use for regular activities, add the user to sudo group and ensure you can login and sudo to root as this user. Here are the steps I follow to do this on a Ubuntu server
Add a new user
[code]useradd xxxx [/code]
Add user to sudo group
[code]usermod -G sudo -a xxxx[/code]
Check user can sudo to gain root access
[code]sudo su – xxxx
su – [/code]
Now moving into the software installation part
Install Mysql
[code]sudo apt-get install mysql-server [/code]
you will be prompted to set the root user during this install. This is quite convenient, unlike the older installs, where you had to set the root password later on.
Install PHP
[code]sudo apt-get install php5-mysql [/code]
In addition to installing the PHP5-mysql, this will also install apache. I know, I mentioned, I would like to try out the new version of Apache. But it looks like Ubuntu, doesn’t have a package for it yet. And I am too lazy to compile from source :).
With this you have all the basic software for wordpress. Next, we will tweak this software to use less system resources.
In the fortune magazine, there is a section (and for the life of me.. I cannot seem to find it online and I just cleared my dining table of all the back issues of the magazine 🙁 ) on how business leaders see trends in real life and than make judgements on where the economy is headed. For example, if someone sees a starbucks they visit regularly become more busier than normal, that person judges that the economy is doing well.
I judge good talent (think sysadmin, dba, programmer, application engineer etc) in a somewhat similar fashion. I should note that this system is not perfect, but it seems to have worked out more than not for me so far. I judge their talent based on what browser and how they use it.
THE BEST
Ever see a person who has multiple browsers (not tabs) open and is doing a specialized task in each one of them? Their home screen is usually set to a specialized search engine (blekko, duckduckgo, wolframalpha) and they have add-ons that block ads and show them a variety of information of the site they visit. These are usually the best folks to have on your team. These are the folks that you want your systems designed by.
THE GOOD
This group tends to either use firefox or chrome. Has Google as their home-page and know how to use multiple tabs. Yeah.. sorry, I a browser discriminator :). Since there can only be a few rock stars in the world, you should consider yourselves lucky if most of the members in your team belong to this group.
THE REST
Ever see someone, whose homepage looks like Google but is not.. And has a bunch of “toolbars” that take up 1/3rd of the screen. And has popups showing up randomly? Yep.. these are the folks you don’t want touching your code. Even with a 10 foot pole.. no sir.. Having these folks move to firefox and/or chrome doesn’t help the situation either :).
Back in 2009 (last decade!! 🙂 ), I wrote a blog post on how you can trick windows to route traffic destined to a particular IP address to a black-hole. In it, I mentioned the command to route traffic to /dev/null in Linux was [code]<code>route ADD IP_ADDRESS_OF_MAIL_SERVER MASK 255.255.255.255 127.0.0.1</code> [/code]
I ran into a need to try it today and looks like the trick doesn’t work :). So here is the right command if you want to route traffic to the loopback (or blackhole) destined to a particular IP address [code]sudo route add -host IP_ADDRESS_OF_HOST/NETWORK_MASK lo [/code]
For example if I want to black-hole traffic destined to 74.205.216.2, I would do the following [code] sudo route add -host 74.205.216.2/32 lo [/code]
After I installed the new kernel as mentioned in this update, I was still seeing the server booting up with the older version. I tried to have the kernel install option (apt-get install linux-image-VERSION) to overwrite the grub config, but the server wouldn’t boot up after that.
So after a lot of head scratching and googling, I found the solution. Rather than have the install program automatically update the grub config file, you have to manually edit it.
So install the latest kernel using the commands as mentioned in my previous post (https://kudithipudi.org/2012/03/07/project-uptime-progress-report-1/) and when prompted about the having an existing grub menu and if you want to overwrite it, just say no. Then do the following
Here’s my before and after comparisons for the server I am building
BEFORE (this is after the line ## End Default Options ##)
[code]
title Ubuntu 11.10, kernel 3.0.0-12-virtual
root (hd0)
kernel /boot/vmlinuz-3.0.0-12-virtual root=/dev/xvda1 console=hvc0 ro quiet splash
initrd /boot/initrd.img-3.0.0-12-virtual
title Ubuntu 11.10, kernel 3.0.0-12-virtual (recovery mode)
root (hd0)
kernel /boot/vmlinuz-3.0.0-12-virtual root=/dev/xvda1 console=hvc0 ro single
initrd /boot/initrd.img-3.0.0-12-virtual
title Ubuntu 11.10, kernel 3.0.0-16-virtual
root (hd0)
kernel /boot/vmlinuz-3.0.0-16-virtual root=/dev/xvda1 console=hvc0 ro quiet splash
initrd /boot/initrd.img-3.0.0-16-virtual
title Chainload into GRUB 2
root (hd0)
kernel /boot/grub/core.img
title Ubuntu 11.10, memtest86+
root (hd0)
[/code]
AFTER
[code]
title Ubuntu 11.10, kernel 3.0.0-12-virtual
root (hd0)
kernel /boot/vmlinuz-3.0.0-12-virtual root=/dev/xvda1 console=hvc0 ro quiet splash
initrd /boot/initrd.img-3.0.0-12-virtual
title Ubuntu 11.10, kernel 3.0.0-12-virtual (recovery mode)
root (hd0)
kernel /boot/vmlinuz-3.0.0-12-virtual root=/dev/xvda1 console=hvc0 ro single
initrd /boot/initrd.img-3.0.0-12-virtual
title Ubuntu 11.10, kernel 3.0.0-16-virtual
root (hd0)
kernel /boot/vmlinuz-3.0.0-16-virtual root=/dev/xvda1 console=hvc0 ro quiet splash
initrd /boot/initrd.img-3.0.0-16-virtual
title Chainload into GRUB 2
root (hd0)
kernel /boot/grub/core.img
title Ubuntu 11.10, memtest86+
root (hd0)
[/code]
BTW.. Grub is the boot manager (and a lot more) in Linux.
Quick onliner on generating a MD5 fingerprint for a SSL certificate using openssl
[code]openssl x509 -noout -md5 -fingerprint -in NAME_OF_CERTIFICATE_FILE [/code]
If you don’t specify the -md5 option, you will get a SHA1 fingerprint.
By default, most of the Linux distros limit the number of processes that a user can spawn. This is put in place to limit (un)intended cases when a process might just fork off processes without a limit and bring down a server.
For RHEL (and CentOS), the default is 1024 processes per user. In some cases, you do need to increase the number of processes that a particular user can spawn. For example if you are running a database or an application server, you definitely want to tweak this number because these apps tend to create a lot of threads.
As a side note, if you run into this limitation on a machine running jboss, you typically see an error with the following string in your server logs [code]java.lang.OutOfMemoryError: unable to create new native thread.[/code]
. Looking at the error, one would think it is related to memory issues :).
OK.. back to the subject at hand. Here is the process for identifying your limits and then tweaking them as required in RHEL or CentOS.
* soft nproc 2000[/code]
You can also check the limits of a particular user by finding a process ID being executed by that user and running [code]sudo cat /proc/PROCESS_ID/limits [/code]
One of the capabilities of Jboss is that it can serve HTTP traffic. By default Jboss does not log any of the HTTP traffic in it’s log files. Here is a quick howto on enabling this logging. This post is specific to Jboss 4.x (ancient!!) and I will post another one soon on how do it in version 5.x and newer.
Edit the server.xml file located in $JBOSS_HOME/servers/$PROFILE/deploy/jboss-web.deployer and replace the commented out access logger section as such
FROM
[code]<!–
<Valve className="org.apache.catalina.valves.AccessLogValve"
prefix="localhost_access_log." suffix=".log"
pattern="common" directory="${jboss.server.log.dir}"
resolveHosts="false" />
–> [/code]
TO
[code]<Valve className="org.apache.catalina.valves.AccessLogValve"
prefix="localhost_access_log." suffix=".log"
pattern="common" directory="${jboss.server.log.dir}"
resolveHosts="false" /> [/code]
This will start creating a file with the format localhost_access_log.CURRENT_DATE.log in the $JBOSS_HOME/server/$PROFILE/log folder
But it isn’t fun if you just leave the default logging right :). The pattern formats of common and combined are similar to the standard apache logging options. But if you wanted to have certain content and format in the log files, you have a lot of options. Jboss community has documented all the data that is exposed through this valve at http://docs.jboss.org/jbossweb/latest/api/org/apache/catalina/valves/AccessLogValve.html
So say, I want to log the referrer header, user agent and the value of a cookie called JSESSONID and log all this data into a file called jboss_web_access_log, I setup the options as such
[code]<Valve className="org.apache.catalina.valves.AccessLogValve"
prefix="jboss_web_access_log." suffix=".log"
pattern="%h %p %l %u %t %r %s %b ‘%{Referer}i’ ‘%{User-Agent}i’ ‘%{JSESSIONID}c’"
directory="${jboss.server.log.dir}"
resolveHosts="false" /> [/code]
