
Vi: Undo April 22, 2009

Posted by russenreaktor in linux.

«u – Undo the latest change.
U – Undo all changes on a line, while not having moved off it (unfortunately).
:q! – Quit vi without writing.
:e! – Re-edit a messed-up file.» unix.t-a-y-l-o-r.com

Apache virtual hosts quick and easy April 4, 2009

Posted by russenreaktor in linux.

«Step 1: Creating the index pages

As already mentioned, we have to create the subdirectories and index pages first. SUSE normally stores the web pages in the following directory:

/srv/www/htdocs

We will use the same directory but will create a subdirectory for every virtual host.

mkdir /srv/www/htdocs/server_port80
mkdir /srv/www/htdocs/server_port8090
mkdir /srv/www/htdocs/server_www
mkdir /srv/www/htdocs/server_www1

You can later store your content in these directories. Let’s just create a single file called index.html that contains a message about the type of the server. An example file could look like this:

This is my webserver working on
Port 80.
Linux-Tip.net

Please change the content to your needs and save a modified index file in every subdirectory.

Step 2: Set up an IP-based virtual host

SUSE stores the vhost configuration files in the following directory:

/etc/apache2/vhosts.d

During the start-up process, Apache will automatically use all files located in this directory for the final configuration.

You can easily create new vhost configuration files by using the template like this:

cd /etc/apache2/vhosts.d/
cp vhost.template vhost-port80.conf

This will copy the default template and create a configuration file that we will later use for our IP-based virtual host running on port 80. I recommend using vi to edit the file. Please open it like this:

vi vhost-port80.conf

As you can see, the file has everything you need to set up a virtual host, but it also includes a lot of explanations and comments. To get a slim file, please delete them.

Here are the lines you should change for your Apache configuration:

VirtualHost – set the IP address and port here
ServerAdmin – your webmaster’s email address
DocumentRoot – path to your web page content (see step 1)
ErrorLog – path to the error log file
CustomLog – path to the access log file
UseCanonicalName – leave it Off in this case
ScriptAlias – if you want to run CGI scripts on your web page, this is the location.

The file could look like this:

ServerAdmin webmaster@myserver.com
ServerName server.myserver.com
DocumentRoot /srv/www/htdocs/server_port80
ErrorLog /var/log/apache2/server_port80.log
CustomLog /var/log/apache2/access_port80.log combined
HostnameLookups Off
UseCanonicalName Off
ServerSignature On
ScriptAlias /cgi-bin/ "/srv/www/htdocs/server_port80/cgi-bin/"

AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all

Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all

If you want to run your web page on a different port, please use the following configuration file:

ServerAdmin webmaster@myserver.com
ServerName server.myserver.com
DocumentRoot /srv/www/htdocs/server_port8090
ErrorLog /var/log/apache2/server_port8090.log
CustomLog /var/log/apache2/access_port8090.log combined
HostnameLookups Off
UseCanonicalName Off
ServerSignature On
ScriptAlias /cgi-bin/ "/srv/www/htdocs/server_port8090/cgi-bin/"

AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all

Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all

A web server normally listens on port 80. If you want to change this or to add port 8090, you have to hack the listen.conf file. Please see step 4 for more information.

Step 3: Set up a name-based virtual host

Create a new file using the default template, similar to step 2:

cd /etc/apache2/vhosts.d
cp vhost.template vhost-www.conf

Here are the important hacks you have to make:
ServerName – use the name you would like to see in the URL
UseCanonicalName On

Remark:
With UseCanonicalName On, Apache will use the ServerName and Port directives to construct the canonical name for the server. This name is used in all self-referential URLs, and for the values of SERVER_NAME and SERVER_PORT in CGIs.

If you have more IP addresses for your server or if you want to use different ports, please change the following line:

VirtualHost 192.168.33.101:80

The file could look like this:

ServerAdmin webmaster@myserver.com
ServerName www.myserver.com
DocumentRoot /srv/www/htdocs/server_www
ErrorLog /var/log/apache2/server_www.log
CustomLog /var/log/apache2/access_www.log combined
HostnameLookups Off
UseCanonicalName On
ServerSignature On
ScriptAlias /cgi-bin/ "/srv/www/htdocs/server_www/cgi-bin/"

AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all

Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all

Step 4: Hack the listen.conf file

The following file allows you to bind Apache to specific IP addresses and/or ports.

Please change the following lines here:

Listen – add the port or ports on which you would like to run your web pages
NameVirtualHost – this directive tells Apache on which IP address and, optionally, which port to listen for requests by clients containing the domain name in the HTTP header. The first argument can be a fully qualified domain name, but it is recommended to use the IP address. The second argument is the port and is optional. By default, port 80 is used and is configured via the Listen directive.

The file could look like this:

Listen 80
Listen 8090

Listen 443

NameVirtualHost 192.168.33.101:80

To troubleshoot your configuration, you should run the following command from the Linux console:

tail -f /var/log/messages

Please do not forget to restart Apache after changing the configuration, using one of the following commands (watch for errors):

service apache2 restart

or

/etc/init.d/apache2 restart» linux-tip.net
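The four steps above collected into one script, as an added example that is not part of the original post or of linux-tip.net. It creates the document root with a placeholder index page (step 1) and writes a complete vhost file with the `<VirtualHost>` and `<Directory>` wrappers that SUSE's vhost.template carries; those wrappers are an assumption here, since the post's listings lost them when copied. It then lints the result for two settings a defender would tighten: ServerSignature On (the version string in error pages) and Options Indexes (directory listings). The address 192.168.33.101 and the hostnames are the post's; the output directory is a parameter so the script can be run in a scratch directory rather than in /etc/apache2/vhosts.d.

```shell
#!/bin/sh
# Added example, not from the original post or linux-tip.net. Writes an Apache
# vhost file in the layout of SUSE's vhost.template and lints it for two
# settings worth tightening. The <VirtualHost>/<Directory> wrappers are assumed
# from the template; the post's listings lost them. Needs only POSIX sh and grep -E.

# write_vhost NAME ADDR PORT DOCROOT OUTDIR -> creates the document root with a
# placeholder index page (step 1), writes OUTDIR/vhost-NAME.conf and prints its path
write_vhost() {
    name=$1; addr=$2; port=$3; docroot=$4; outdir=$5
    out="$outdir/vhost-$name.conf"
    mkdir -p "$docroot/cgi-bin" "$outdir"
    printf 'This is my webserver working on port %s.\n' "$port" > "$docroot/index.html"
    cat > "$out" <<EOF
<VirtualHost $addr:$port>
    ServerAdmin webmaster@myserver.com
    ServerName server.myserver.com
    DocumentRoot $docroot
    ErrorLog /var/log/apache2/${name}_error.log
    CustomLog /var/log/apache2/${name}_access.log combined
    HostnameLookups Off
    UseCanonicalName Off
    # Off rather than On: error pages should not announce the Apache version
    ServerSignature Off
    ScriptAlias /cgi-bin/ "$docroot/cgi-bin/"
    <Directory "$docroot/cgi-bin">
        AllowOverride None
        Options +ExecCGI -Includes
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "$docroot">
        # no Indexes: a directory without index.html must not become a listing
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
EOF
    echo "$out"
}

# lint_vhost FILE -> one WARN line per finding on stderr, the finding count on stdout
lint_vhost() {
    n=0
    if grep -qiE '^[[:space:]]*ServerSignature[[:space:]]+On([[:space:]]|$)' "$1"; then
        echo "WARN: $1: ServerSignature On reveals the server version in error pages" >&2
        n=$((n + 1))
    fi
    # flags "Indexes" and "+Indexes" in an Options line, but not "-Indexes"
    if grep -qiE '^[[:space:]]*Options[[:space:]]+(.*[[:space:]+])?Indexes([[:space:]]|$)' "$1"; then
        echo "WARN: $1: Options Indexes enables directory listings" >&2
        n=$((n + 1))
    fi
    echo "$n"
}
```

Run `write_vhost port80 192.168.33.101 80 /srv/www/htdocs/server_port80 /etc/apache2/vhosts.d` as root to reproduce the post's port-80 host, then `lint_vhost` on any existing file in vhosts.d; the lint is deliberately narrow and only reports the two directives discussed above.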

How to create a self-signed SSL Certificate March 26, 2009

Posted by russenreaktor in linux.

«Overview

The following is an extremely simplified view of how SSL is implemented and what part the certificate plays in the entire process.

Normal web traffic is sent unencrypted over the Internet. That is, anyone with access to the right tools can snoop all of that traffic. Obviously, this can lead to problems, especially where security and privacy are necessary, such as in credit card data and bank transactions. The Secure Socket Layer is used to encrypt the data stream between the web server and the web client (the browser).

SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (PKI). With public key cryptography, two keys are created, one public, one private. Anything encrypted with either key can only be decrypted with its corresponding key. Thus if a message or data stream were encrypted with the server’s private key, it can be decrypted only using its corresponding public key, ensuring that the data only could have come from the server.

If SSL utilizes public key cryptography to encrypt the data stream traveling over the Internet, why is a certificate necessary? The technical answer to that question is that a certificate is not really necessary – the data is secure and cannot easily be decrypted by a third party. However, certificates do serve a crucial role in the communication process. The certificate, signed by a trusted Certificate Authority (CA), ensures that the certificate holder is really who he claims to be. Without a trusted signed certificate, your data may be encrypted, however, the party you are communicating with may not be whom you think. Without certificates, impersonation attacks would be much more common.

Step 1: Generate a Private Key

The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage.

The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.

openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus
…………………………………………………++++++
……..++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password – Enter PEM pass phrase:

Step 2: Generate a CSR (Certificate Signing Request)

Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section.

During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be https://public.akadia.com, then enter public.akadia.com at this prompt. The command to generate the CSR is as follows:

openssl req -new -key server.key -out server.csr

Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:New Jersey
Locality Name (eg, city) [Newbury]:EastOrange
Organization Name (eg, company) [My Company Ltd]:Mycompany
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server’s hostname) []:Mycompany.com
Email Address []:Jack@Mycompany.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3: Remove Passphrase from Key

One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key:

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

The newly created server.key file has no more passphrase in it.

-rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
-rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
-rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org

Step 4: Generating a Self-Signed Certificate

At this point you will need to generate a self-signed certificate because you either don’t plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.

To generate a temporary certificate which is good for 365 days, issue the following command:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=NewJersey/L=EastOrange/O=Mycompany Group/OU=IT/CN=Mycompanygroup/emailAddress=Jack@Mycompany.com

Getting Private key

Step 5: Installing the Private Key and Certificate

When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The location of this directory will differ depending on how Apache was compiled.

chmod 755 /etc/httpd/conf/ssl.crt/server.crt
mv /etc/httpd/conf/ssl.crt/server.crt /etc/httpd/conf/ssl.crt/server1.crt
cp server.crt /etc/httpd/conf/ssl.crt/server.crt
chmod 600 /etc/httpd/conf/ssl.crt/server1.crt
chmod 600 /etc/httpd/conf/ssl.crt/server.crt

chmod 755 /etc/httpd/conf/ssl.key/server.key
mv /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.key/server1.key
cp server.key /etc/httpd/conf/ssl.key/server.key
chmod 600 /etc/httpd/conf/ssl.key/server1.key
chmod 600 /etc/httpd/conf/ssl.key/server.key

Step 6: Configuring SSL Enabled Virtual Hosts

SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Step 7: Restart Apache and Test

/etc/init.d/httpd stop
/etc/init.d/httpd start» dibaliklayar.blogspot.com
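Step 3 removes the passphrase and insists that the resulting key file be readable only by root. The script below checks both properties the way an administrator would after installing the key in step 5; it is an added example, not code from the original post or from the site it quotes. It assumes the traditional PEM layout that `openssl genrsa -des3` writes, where a passphrase-protected key carries a `Proc-Type: 4,ENCRYPTED` header line, and only POSIX ls, cut, awk and grep. The key text used in the test is constructed and is not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): check an Apache private key file
# the way step 3 asks for. Assumes POSIX ls/cut/awk/grep and the traditional PEM
# layout written by "openssl genrsa -des3", where an encrypted key carries a
# "Proc-Type: 4,ENCRYPTED" header line.

# key_is_encrypted FILE -> 0 if the key still needs a passphrase
key_is_encrypted() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# key_perms_ok FILE -> 0 if group and other have no permission bits at all
key_perms_ok() {
    # columns 5-10 of "ls -l" are the rwx bits for group and other
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# key_owner FILE -> prints the owning user name
key_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# check_private_key FILE -> 0 when no action is needed (encrypted, or unencrypted
# and private), 1 when it is unencrypted but readable by others, 2 when missing
check_private_key() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 2; }
    if key_is_encrypted "$f"; then
        echo "$f: passphrase-protected (Apache will prompt for it at start-up)"
        return 0
    fi
    owner=$(key_owner "$f")
    if key_perms_ok "$f"; then
        echo "$f: unencrypted, owner $owner, not readable by group/other: OK"
        [ "$owner" = "root" ] || echo "$f: note: owner is $owner, the post expects root"
        return 0
    fi
    echo "$f: unencrypted AND readable by group/other: fix with chmod 600 $f"
    return 1
}
```

Running `check_private_key /etc/httpd/conf/ssl.key/server.key` after step 5 confirms that the `chmod 600` there actually took effect; a return code of 1 is the case the post warns about, an unencrypted key that any local user can read.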

Reloading profile – how to reload Unix profile March 19, 2009

Posted by russenreaktor in linux.

«Use the following command to reload a Unix profile (/etc/profile, ~/.profile, ~/.bash_profile …):
$ . ~/.profile
$ . /etc/profile

Notice: . (dot) is a command that originates from the source command. On some Unix flavours (FreeBSD 6 for example) the source command still works:
$ source ~/.profile
$ source /etc/profile

.profile settings overwrite those in /etc/profile. You can also use .bash_profile in your home directory to customize your bash shell’s profile.

Basically, if you need to load shell variables from any file, just run the . (dot) command followed by a space and the path to the file (the absolute path is necessary). (Be careful what file you’re loading variables from, because you might overwrite some important environment variables and your system could become unstable.) » ivorde.ro

S-bit set on the user March 5, 2009

Posted by russenreaktor in linux.

«Under Linux, processes run under a user-ID. This gives them access to all resources (files etc.) that this user would have access to. There are 2 user IDs: the real user-ID and the effective user-ID. The effective user-ID is the one that determines access to files. Save the following script under the name idinfo and make it executable (chmod 755 idinfo).

#!/bin/sh
# idinfo: print user information
echo "effective user-ID:"
id -un
echo "real user-ID:"
id -unr
echo "group ID:"
id -gn

When you run the script you will see that the process that runs it gets your user-ID and your group-ID:

effective user-ID:
alice
real user-ID:
alice
group ID:
users

When Tux runs your idinfo program then he gets a similar output that shows the process now running under the ID of tux. The output of the program depends only on the user that runs it and not the one who owns the file.

For security reasons the s-bit works only when used on binaries (compiled code) and not on scripts (Perl scripts are an exception). Therefore we create a C program that will call our idinfo program:

/* suidtest.c */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* secure SUID programs MUST
     * not trust any user input or environment variable!! */

    /* hard-coded, minimal environment for the child process */
    char *env[] = {"PATH=/bin:/usr/bin", NULL};
    /* hard-coded path to the script; never taken from argv or the environment */
    char prog[] = "/home/alice/idinfo";

    if (access(prog, X_OK)) {
        fprintf(stderr, "ERROR: %s not executable\n", prog);
        exit(1);
    }
    printf("running now %s ...\n", prog);
    /* make the real user-ID equal to the effective one (the file owner) */
    if (setreuid(geteuid(), geteuid()) != 0) {
        perror("setreuid");
        exit(1);
    }
    /* execle replaces this process with prog; it only returns on failure */
    execle(prog, prog, (char *)NULL, env);
    perror("suidtest");

    return 1;
}

Compile the program with "gcc -o suidtest -Wall suidtest.c" and set the s-bit on the owner:

>chmod 4755 suidtest
or
>chmod u+s suidtest

Run it! What happens? Nothing ? Run it from a different user!

The file suidtest is owned by alice and has the s-bit set where normally the x is for the owner of the file. This causes the file to be executed under the user-ID of the user that owns the file rather than the user that executes the file. If Tux runs the program then this looks as follows:

>ls -l suidtest
-rwsr-xr-x 1 alice users 4741 Jan 1 21:53 suidtest
>whoami
tux

running now /home/alice/idinfo …
effective user-ID:
alice
real user-ID:
alice
group ID:
users

As you can see this is a very powerful feature especially if root owns the file with s-bit set. Any user can then do things that normally only root can do. A few words on security. When you write a SUID program then you must make sure that it can only be used for the purpose that you intended it to be used. Always set the path to a hard-coded value. Never rely on environment variables or functions that use environment variables. Never trust user input (config files, command line arguments….). Check user input byte for byte and compare it with values that you consider valid.

When a SUID program is owned by root then both the effective and the real user-ID can be set (with setreuid() function).

Set-UID programs are often used by "root" to give ordinary users access to things that normally only "root" can do. As root you can e.g. modify the suidtest.c to allow any user to run the ppp-on/ppp-off scripts on your machine.

Note: It is possible to switch off Suid when mounting a file system. If the above does not work then check your /etc/fstab. It should look like this:
/dev/hda5 / ext2 defaults 1 1
If you find the option "nosuid" there then this Suid feature is switched off. For details have a look at the man-page of mount. » linuxfocus.org
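The post ends with the two things an administrator checks on a real machine: which files carry the s-bit, and whether the file system was mounted nosuid so that the bit is ignored. The following shell functions do both; they are an added example, not code from the original post or from linuxfocus.org. They assume POSIX find and awk, and the test exercises them against a scratch directory and a constructed fstab rather than the system's real /etc/fstab.

```shell
#!/bin/sh
# Added example (not from the original post). Two audit helpers around the
# s-bit: list set-user-ID files below a directory, and tell whether an fstab
# entry mounts a file system with "nosuid" (which makes the s-bit inert).
# Assumes POSIX find and awk.

# find_suid DIR -> prints every regular file below DIR with the set-UID bit,
# staying on one file system (-xdev) so /proc and network mounts are skipped
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# find_sgid DIR -> the same for the set-group-ID bit
find_sgid() {
    find "$1" -xdev -type f -perm -2000 2>/dev/null
}

# fstab_nosuid FSTAB MOUNTPOINT -> 0 if the entry for MOUNTPOINT carries nosuid,
# 1 if it does not, 2 if FSTAB has no entry for MOUNTPOINT
fstab_nosuid() {
    awk -v mp="$2" '
        /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
        $2 == mp {
            found = 1
            n = split($4, opt, ",")            # 4th field: mount options
            for (i = 1; i <= n; i++) if (opt[i] == "nosuid") nosuid = 1
        }
        END { if (!found) exit 2; exit (nosuid ? 0 : 1) }
    ' "$1"
}

# suid_report DIR FSTAB MOUNTPOINT -> human-readable summary of both checks
suid_report() {
    echo "set-UID files below $1:"
    find_suid "$1" | while read -r f; do ls -l "$f"; done
    if fstab_nosuid "$2" "$3"; then
        echo "$3 is mounted nosuid: the s-bit is ignored there"
    else
        echo "$3 has no nosuid option in $2: the s-bit is honoured"
    fi
}
```

`suid_report / /etc/fstab /` run as root gives the list to compare against the distribution's expected set; an unexpected entry such as the post's suidtest owned by root is exactly what this kind of audit is meant to surface.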

An Illustrated Guide to SSH Agent Forwarding March 5, 2009

Posted by russenreaktor in linux.

«In this paper, we’ll present the various forms of authentication available to the Secure Shell user and contrast the security and usability tradeoffs of each. Then we’ll add the extra functionality of agent key forwarding; we hope to make the case that using ssh public key access is a substantial win. » unixwiz.net

Linux fdisk February 28, 2009

Posted by russenreaktor in linux.

«There were several suggestions on this forum about dealing with partitions using Linux fdisk, but little explanation of how. Since Linux fdisk is much more complex than DOS fdisk it can be very confusing, especially to an inexperienced Windows user, so I decided to write something about the matter.
First of all you will need some Linux distribution. Let it be DSL (Damn Small Linux). After you create bootable media, connect the disk you want to format and boot.

1.NAMING

Fdisk needs to know the name of the device it will work with. This means you will need to open a root console and type: "fdisk ". In Linux it goes like this:
IDE disks:

primary master – /dev/hda
primary slave – /dev/hdb
secondary master – /dev/hdc
secondary slave – /dev/hdd

SCSI:
scsi disks are seen as /dev/sda, /dev/sdb, /dev/sdc etc.

USB:
USB disks are seen as SCSI.

Note: Some older (pre-2.6) kernels set IDE DVD/CD burners to appear as SCSI devices. This is because of compatibility with burning software that worked only with SCSI devices.

2.PARTITION NAMING

After you typed "fdisk ", you are at the fdisk prompt. By typing "p" you can get a list of the partitions already present. For example:

Command (m for help): p

Disk /dev/hda: 80.0 GB, 80026361856 bytes
255 heads, 63 sectors/track, 9729 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/hda1 * 1 9601 77120001 83 Linux
/dev/hda2 9602 9729 1028160 82 Linux swap

Command (m for help):

Here you can see (in this case) two primary partitions, one ext3 (Linux) and the second of type "Linux swap". A disk can be split into 4 primary partitions, named /dev/hda1 to /dev/hda4. One of them can be an extended partition, which can contain logical partitions. Logical partitions are always named from /dev/hda5 upward: /dev/hda6, /dev/hda7…
[on IDE disks you can have up to 63 logical partitions and on SCSI disks up to 15]

3.ADDING PARTITION

In fdisk prompt type «n».
Now, you have to choose what type your new partition will be.

Command (m for help): n
Command action
e extended
p primary partition (1-4)

After you choose the type of partition, if there is more than one option you will be asked for the partition number.
Next you will be asked for the start cylinder; by default it is the lowest possible. I suggest leaving it as it is. Next you will need to enter the end cylinder; the default is the last possible. Here you can enter values like +size or +sizeM or +sizeK or +sizeG, where size is a number of bytes, sizeG is GB, sizeM is MB and sizeK is KB (+1024, +8192K, +13M, +4G).

4.TYPE OF PARTITION

The partition type needs to be defined. Type L, and a listing will show.

Command (m for help): L

0 Empty 1c Hidden W95 FAT3 70 DiskSecure Mult bb Boot Wizard hid
1 FAT12 1e Hidden W95 FAT1 75 PC/IX be Solaris boot
2 XENIX root 24 NEC DOS 80 Old Minix c1 DRDOS/sec (FAT-
3 XENIX usr 39 Plan 9 81 Minix / old Lin c4 DRDOS/sec (FAT-
4 FAT16 <32M 3c PartitionMagic 82 Linux swap c6 DRDOS/sec (FAT-
5 Extended 40 Venix 80286 83 Linux c7 Syrinx
6 FAT16 41 PPC PReP Boot 84 OS/2 hidden C: da Non-FS data
7 HPFS/NTFS 42 SFS 85 Linux extended db CP/M / CTOS / .
8 AIX 4d QNX4.x 86 NTFS volume set de Dell Utility
9 AIX bootable 4e QNX4.x 2nd part 87 NTFS volume set df BootIt
a OS/2 Boot Manag 4f QNX4.x 3rd part 8e Linux LVM e1 DOS access
b W95 FAT32 50 OnTrack DM 93 Amoeba e3 DOS R/O
c W95 FAT32 (LBA) 51 OnTrack DM6 Aux 94 Amoeba BBT e4 SpeedStor
e W95 FAT16 (LBA) 52 CP/M 9f BSD/OS eb BeOS fs
f W95 Ext’d (LBA) 53 OnTrack DM6 Aux a0 IBM Thinkpad hi ee EFI GPT
10 OPUS 54 OnTrackDM6 a5 FreeBSD ef EFI (FAT-12/16/
11 Hidden FAT12 55 EZ-Drive a6 OpenBSD f0 Linux/PA-RISC b
12 Compaq diagnost 56 Golden Bow a7 NeXTSTEP f1 SpeedStor
14 Hidden FAT16 <3 5c Priam Edisk a8 Darwin UFS f4 SpeedStor
16 Hidden FAT16 61 SpeedStor a9 NetBSD f2 DOS secondary
17 Hidden HPFS/NTF 63 GNU HURD or Sys ab Darwin boot fd Linux raid auto
18 AST SmartSleep 64 Novell Netware b7 BSDI fs fe LANstep
1b Hidden W95 FAT3 65 Novell Netware b8 BSDI swap ff BBT

Command (m for help):

Now type t, choose the partition you created and enter the code of the type you want.
Type "w" and that’s it, you are done. If you want fdisk to do nothing and forget the changes you have made, type "q"; fdisk will do nothing until you exit it.

You will see the effect the next time you remount the device.

Fdisk has loads of other useful functions (defining the number of cylinders, heads or sectors, for example); a list of its functions can be obtained by typing "m".

Hope this was helpful, and sorry for my English.» devhardware.com

How do I Compress a Whole Linux or UNIX Directory? February 1, 2009

Posted by russenreaktor in linux.

«$ tar -zcvf prog-1-jan-2005.tar.gz /home/jerry/prog» cyberciti.biz

SHORTCUTS: linux screen keyboard shortcuts January 27, 2009

Posted by russenreaktor in linux.

«screen is a much under utilised program, which provides the following functionality:

* Remote terminal session management (detaching or sharing terminal sessions)
* unlimited windows (unlike the hardcoded number of Linux virtual consoles)
* scrollback buffer (not limited to video memory like Linux virtual consoles)
* copy/paste between windows
* notification of either activity or inactivity in a window
* split terminal (horizontally) into multiple regions (vertical support added Aug 2008)
* locking other users out of terminal

See also my screen settings

Key | Action | Notes
Ctrl+a c | new window |
Ctrl+a n | next window | I bind F12 to this
Ctrl+a p | previous window | I bind F11 to this
Ctrl+a " | select window from list | I have window list in the status line
Ctrl+a Ctrl+a | previous window viewed |

Ctrl+a S | split terminal horizontally into regions | Ctrl+a c to create new window there
Ctrl+a :resize | resize region |
Ctrl+a :fit | fit screen size to new terminal size | Ctrl+a F is the same. Do after resizing xterm
Ctrl+a :remove | remove region | Ctrl+a X is the same
Ctrl+a tab | move to next region |

Ctrl+a d | detach screen from terminal | Start screen with -r option to reattach
Ctrl+a A | set window title |
Ctrl+a x | lock session | Enter user password to unlock
Ctrl+a [ | enter scrollback/copy mode | Enter to start and end copy region. Ctrl+a ] to leave this mode
Ctrl+a ] | paste buffer | Supports pasting between windows
Ctrl+a > | write paste buffer to file | useful for copying between screens
Ctrl+a < | read paste buffer from file | useful for pasting between screens

Ctrl+a ? | show key bindings/command names | Note unbound commands only in man page
Ctrl+a : | goto screen command prompt | up shows last command entered» pixelbeat.org

ncdu – (visual du) – Rediscover your hard drive. January 21, 2009

Posted by russenreaktor in linux.

«As the name already suggests, ncdu is an ncurses version of the famous old ‘du’ unix command. It provides a fast and easy interface to your harddrive. Where is your disk space going? Why is your home directory that large? ncdu can answer those questions for you in just a matter of seconds!» dev.yorhel.nl