If you want to filter web browsing on a Linux gateway server using iptables, Squid and DansGuardian, follow these steps.
eth0 = Internet IP address
eth1 = 192.168.0.229
Do the necessary steps to make the Linux machine a router and gateway.
# yum install squid
Open the Squid configuration file.
# vi /etc/squid/squid.conf
Enter the following line:
http_port 3128 transparent
Add the ACLs:
acl home_network src 192.168.0.0/24
http_access allow home_network
# service squid start
# iptables -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP
# service iptables save
# service iptables restart
This blocks your employees from connecting to Squid directly: only connections from 127.0.0.1 reach port 3128. Make sure loopback traffic is accepted earlier in the INPUT chain, because DansGuardian on the same host still has to reach Squid.
1. Install DansGuardian from source or RPM.
I am using the RPM here.
The files are installed in /etc/dansguardian. Open the main DansGuardian configuration file and enter the following details.
# vi /etc/dansguardian/dansguardian.conf
proxyip = 192.168.0.229
proxyport = 3128
filterport = 8080
Save the file.
Run the following redirect (the REDIRECT target lives in the nat table, so -t nat is required):
# iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
On the clients set the gateway to 192.168.0.229 (in my case).
Wednesday, September 29, 2010
Wednesday, September 22, 2010
Shell script to start Authdeamon
#! /bin/sh
# Init-style wrapper around Courier's authdaemond
case "$1" in
start)
echo "Initializing authdaemon. (Courier)"
/usr/local/sbin/authdaemond start
;;
stop)
echo "Shutting down authdaemon:"
/usr/local/sbin/authdaemond stop
;;
restart|reload)
$0 stop && $0 start
;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
;;
esac
exit 0
Tuesday, September 21, 2010
Sunday, September 19, 2010
YUM THROUGH PROXY
If your internal network is protected by a proxy server and firewall, use the following settings to use yum:
1. Open a shell
2. export http_proxy=http://proxyhost:port
Eg: export http_proxy=http://192.168.0.229:3128
3. yum list
Enjoyyyy
Saturday, September 18, 2010
OPENVZ COMMANDS
OpenVZ is an Operating System-level server virtualization solution, built on Linux. OpenVZ creates isolated, secure virtual environments.
FILES
/etc/vz/vz.conf
/etc/vz/conf/veid.conf
/proc/vz/veinfo
/proc/vz/vzquota
/proc/user_beancounters
/proc/fairsched
Log file /var/log/vzctl.log
vzctl Commands
Usage: vzctl [options] <command> [parameters]
Help: vzctl --help
1. Stop a VE (likewise start/restart):
# vzctl stop VEID
2. Stop a VE in fast mode:
# vzctl stop VEID --fast
3. List all VEs:
# vzlist -a
4. Enter a VE:
# vzctl enter VEID
5. See the uptime of a VE (run this from the node):
# vzctl exec VEID uptime
6. See all running processes in a VE from the node:
# vzctl exec VEID ps aux
7. List the load of each VE:
# for vps in `vzlist -1`; do echo "$vps: `vzctl exec2 $vps uptime`"; done
8. When you suspect a RAM issue (Out Of Memory), count the OOM messages for the VE:
# grep OOM /var/log/messages | grep VEID | wc -l
9. Reinstall a VE (all data will be lost and a fresh install takes its place):
# vzctl reinstall VEID
10. Number of running VEs on the node:
# vzlist | grep running | wc -l
11. Find the status of a VE:
# vzctl status VEID
12. Execute commands inside a VE from the node itself:
# vzctl exec VEID COMMAND
13. Check the inode value:
# df -i
14. Set the inode value:
# vzctl set VEID --diskinodes 2000000:2000000 --save
15. Check the numiptent value:
# egrep numiptent /proc/user_beancounters
numiptent 336 336 2147483647 2147483647 0
16. Set the numiptent value:
# vzctl set VEID --numiptent 2000000:2000000 --save
17. Permanently remove a VE:
# vzctl destroy VEID
Configuration Commands
1) vzctl set VEID --hostname vps.domain.com --save : set the hostname of a VPS.
2) vzctl set VEID --ipadd 1.2.3.4 --save : add a new IP to the VPS.
3) vzctl set VEID --ipdel 1.2.3.4 --save : delete an IP from the VPS.
4) vzctl set VEID --userpasswd root:new_password --save : reset the root password of a VPS.
5) vzctl set VEID --nameserver 1.2.3.4 --save : add nameserver IPs to the VPS.
6) vzctl exec VEID command : run any command on a VPS from the node.
7) vzyum VEID install package_name : install any package/software on a VPS from the node.
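The numiptent check above reads one line of /proc/user_beancounters; as an added example (not from the original post) here is a script that scans the whole file and reports every resource whose failcnt is non-zero, i.e. a VE that has hit a barrier or limit. The beancounters text is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: scan a copy of
# /proc/user_beancounters and report every resource whose failcnt is
# non-zero, i.e. a VE that has hit its barrier or limit. Columns are:
#   uid resource held maxheld barrier limit failcnt
# The uid appears only on the first line of each VE's block.

# Constructed sample in the layout of /proc/user_beancounters.
SAMPLE_UBC='Version: 2.5
       uid  resource           held    maxheld    barrier      limit  failcnt
       101: kmemsize        2457600    3100000   11055923   11377049        0
            numiptent           336        336 2147483647 2147483647        0
            privvmpages       65536      70000      65536      69632       42
       102: kmemsize        1000000    1200000   11055923   11377049        0
            numproc             130        130        130        130        7'

# report_failcnt: reads beancounters on stdin, prints "VEID resource failcnt"
# for every resource with failcnt > 0.
report_failcnt() {
    awk '
        /^Version/ || /^[ \t]*uid/ { next }                  # header lines
        $1 ~ /^[0-9]+:$/ { uid = $1; sub(/:$/, "", uid) }    # new VE block
        NF >= 6 && $NF + 0 > 0 { printf "%s %s %s\n", uid, $(NF-5), $NF }
    '
}

# Wrapper over the constructed sample; on a real node use:
#   report_failcnt < /proc/user_beancounters
report_failcnt_sample() {
    printf '%s\n' "$SAMPLE_UBC" | report_failcnt
}

report_failcnt_sample
```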
PERMANENTLY MOUNTING A REMOTE WINDOWS SHARE USING /etc/fstab
To permanently mount a Windows share on Linux, add the following entry to /etc/fstab, save the file (:wq in vi) and run mount -a:
//192.168.1.21/D /mnt cifs defaults,credentials=/root/samba_credentials 0 0
# mount -a
PRIVATE READ WRITE SHARE
Private write share.
Create a share like below in /etc/samba/smb.conf (security = share goes in the [global] section):
security = share
[privatewrite]
path = /private
writable = yes
create mask = 0765
valid users = vasanth
Then add and enable the Samba user:
# smbpasswd -a vasanth
# smbpasswd -e vasanth
MAPPING LINUX FOLDER TO WINDOWS
On the Windows box open cmd.
Type the following command:
> net use * \\192.168.1.12\privatewrite /user:vasanth
It will prompt for the password. Enter it, and the remote Linux folder is mapped in My Computer as drive Z: in Windows.
> net use
This command displays the current network connections of the Windows machine.
To disconnect the drive:
right click >> disconnect
or
> net use z: /delete
TO MAKE A HIDDEN SHARE IN WINDOWS
Enter the share in smb.conf:
[privatewrite]
path = /private
writable = yes
create mask = 0765
valid users = vasanth
browseable = no
The browseable = no line makes the share invisible in the browse list.
The entry above hides the share, but it is still accessible by its UNC path.
In the Windows Network Places address bar type:
\\192.168.1.12\privatewrite
To list the shares the server advertises (the hidden one is not shown):
# smbclient -L server1
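Since browseable = no only hides a share and does not restrict access, the following added example (not from the original post) audits an smb.conf and flags shares that are hidden and writable but carry no valid users line. The smb.conf text is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: audit an smb.conf for shares
# that rely on "browseable = no" for protection. Hiding a share only keeps
# it out of the browse list; it is still reachable by UNC path, so the real
# control is "valid users" (or making the share read-only).

# Constructed sample smb.conf: one hidden share done right, one hidden
# share with no access control, one hidden read-only share.
SAMPLE_SMB_CONF='[global]
   workgroup = WORKGROUP
   security = user

[privatewrite]
   path = /private
   writable = yes
   create mask = 0765
   valid users = vasanth
   browseable = no

[scratch]
   path = /srv/scratch
   writable = yes
   browseable = no

[docs]
   path = /srv/docs
   read only = yes
   browseable = no'

# audit_hidden_shares: reads smb.conf on stdin, prints one line per share
# that is hidden, writable and has no "valid users" restriction.
audit_hidden_shares() {
    awk '
        function flush() {
            if (share != "" && share != "global" && browse == "no" && writable == "yes" && valid == "")
                printf "%s: hidden but writable with no valid users\n", share
        }
        /^[ \t]*\[/ {                        # new section header
            flush()
            share = $0; sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
            browse = "yes"; writable = "no"; valid = ""   # Samba defaults
            next
        }
        /^[ \t]*[#;]/ || !/=/ { next }       # comments and non key = value lines
        {
            key = $0; sub(/=.*/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key); val = tolower(val)
            if (key == "browseable" || key == "browsable") browse = val
            else if (key == "valid users") valid = val
            else if (key == "writable" || key == "writeable") writable = val
            else if (key == "read only") writable = (val == "no") ? "yes" : "no"
        }
        END { flush() }
    '
}

# Wrapper over the constructed sample; on a real server use:
#   audit_hidden_shares < /etc/samba/smb.conf
audit_hidden_shares_sample() {
    printf '%s\n' "$SAMPLE_SMB_CONF" | audit_hidden_shares
}

audit_hidden_shares_sample
```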
TO FIND OUT THE STATUS OF A FILE IN LINUX
# stat smb.conf
OUTPUT:
File: `smb.conf'
Size: 10041 Blocks: 24 IO Block: 4096 regular file
Device: 803h/2051d Inode: 1901530 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2010-06-17 07:12:01.000000000 +0530
Modify: 2010-06-17 07:09:52.000000000 +0530
Change: 2010-06-17 07:09:52.000000000 +0530
STEPS TO SHARE A PRINTER FROM LINUX TO WINDOWS.
1. Connect the printer and share it properly for all the hosts.
2. Restart the smb daemon.
3. Samba reads the /etc/printcap file.
4. Search for the printer from Windows. You will surely get the printer there.
The section of smb.conf responsible for sharing printers is as follows.
load printers = yes
# Load the printers from CUPS.
cups options = raw
# This option assumes that the Windows system has the driver (shared by Samba) and spools the jobs through Samba as raw data.
; printcap name = /etc/printcap
printing = cups
NOTE: The driver for the shared printer should be installed on the Windows host.
INSTALLING A NEW KERNEL FROM SOURCE
Download the latest kernel from http://www.kernel.org
# wget -c http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.33.tar.gz
# tar xvzf linux-2.6.33.tar.gz
# cd linux-2.6.33
# cp /boot/config-`uname -r` .config
# make menuconfig
# make bzImage
# make modules
# make modules_install
# make install
Friday, September 17, 2010
IPTABLES SCRIPT THAT CAN BE USED IN GATEWAYS
#!/bin/sh
# Gateway firewall: eth1 faces the LAN (192.168.0.0/24), eth0 faces the Internet.
LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"
# Connection tracking helper so FTP data connections are seen as RELATED
/sbin/modprobe ip_conntrack_ftp
# Loopback traffic
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Uncomment to stop LAN hosts reaching port 80 directly (forces them through the proxy)
# $IPTABLES -A FORWARD -i eth1 -s 192.168.0.0/24 -p tcp --destination-port 80 -j DROP
# Forward LAN traffic in both directions
$IPTABLES -A FORWARD -i eth1 -s 192.168.0.0/24 -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -d 192.168.0.0/24 -j ACCEPT
# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop new HTTP connections arriving from the Internet to the gateway itself
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 80 -m state --state NEW -j DROP
# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
# SSH on the INTERNET interface: new connections in to the gateway, out from it, and forwarded through it
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
# Allow FTP connections FROM LAN to INTERNET
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 21 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 20 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 21 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 20 -m state --state NEW -j ACCEPT
# Allow incoming port 3128 (squid) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state --state NEW -j ACCEPT
# Allow ICMP ECHO REQUESTS on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state --state NEW -j ACCEPT
# Allow Squid to proxy ftp, http, https, and AIM traffic
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 21 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 5190 -m state --state NEW -j ACCEPT
# Create a LOGDROP chain to log and drop packets
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG
$IPTABLES -A LOGDROP -j DROP
# Drop all other traffic
$IPTABLES -A INPUT -j LOGDROP
Webcam under Linux
1. Plug your webcam into a USB port.
2. Check whether the webcam is detected:
# ls -l /dev/video0
crw------- 1 root root 81, 0 Sep 18 12:01 /dev/video0
If the output looks like the above, your webcam is detected by Linux.
3. Install luvcview.
Get the latest source from the following URL.
http://mxhaard.free.fr/spca50x/Investigation/uvc/
# tar xvzf luvcview-20060207.tar.gz
# cd luvcview-20060207
# make
# make install
4. After the above steps run the following command:
# luvcview -f yuv
Now you can view your face on your desktop.
Enjoyyyy
Vasanth.T.M
Systems Administrator(Linux)
Ph:+919496824351
Wednesday, September 15, 2010
SQUID monitoring
Use the following one-liner to monitor the web usage in your home network (client address, ident and URL from Squid's native access.log):
# tail -f /var/log/squid/access.log | awk '{print $3 " " $8 " " $7}'
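Beyond tailing the log, the following added example (not from the original post) summarises Squid's native access.log per client: request count, bytes served, distinct hosts contacted and denied requests. The log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: summarise Squid's native
# access.log per client instead of tailing it. Native log fields are:
#   time elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type
# so $3 is the client, $4 the result code, $5 the bytes and $7 the URL.

# Constructed sample log lines in Squid's native format.
SAMPLE_LOG='1285500001.123    245 192.168.0.10 TCP_MISS/200 4521 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1285500002.456     12 192.168.0.10 TCP_HIT/200 812 GET http://www.example.com/logo.png - NONE/- image/png
1285500003.789    530 192.168.0.11 TCP_MISS/200 10240 GET http://mail.example.net/inbox - DIRECT/203.0.113.5 text/html
1285500004.000     40 192.168.0.11 TCP_DENIED/403 1010 GET http://blocked.example.org/ - NONE/- text/html
1285500005.321    300 192.168.0.10 TCP_MISS/200 2048 CONNECT secure.example.com:443 - DIRECT/198.51.100.7 -'

# squid_usage: reads access.log on stdin, prints one line per client with
# request count, bytes served, number of distinct hosts and denied requests.
squid_usage() {
    awk '
        {
            client = $3; bytes = $5 + 0; host = $7
            sub(/^[a-z]+:\/\//, "", host)    # drop the scheme
            sub(/\/.*$/, "", host)           # drop the path, keep host[:port]
            req[client]++
            vol[client] += bytes
            if (!((client, host) in seen)) { seen[client, host] = 1; hosts[client]++ }
            if ($4 ~ /DENIED/) denied[client]++
        }
        END {
            for (c in req)
                printf "%s requests=%d bytes=%d hosts=%d denied=%d\n", c, req[c], vol[c], hosts[c], denied[c] + 0
        }
    ' | sort
}

# Wrapper over the constructed sample; on the gateway use:
#   squid_usage < /var/log/squid/access.log
squid_usage_sample() {
    printf '%s\n' "$SAMPLE_LOG" | squid_usage
}

squid_usage_sample
```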
Thursday, August 26, 2010
Cpanel Error
If you are experiencing the following error:
pcfg_openfile: unable to check htaccess file, ensure it is readable
Do the following:
Login to cPanel
Go to FrontPage Extensions
Reinstall it
Reload the URL
Now it will be okay.
Find Useful Commands
# find /path/to/base/dir -type f -exec chmod 755 {} \;
# find public_html/ -type f -exec chmod 644 {} \;
Monday, August 9, 2010
What is SSL and what are Certificates?
The Secure Socket Layer protocol was created by Netscape to ensure secure transactions between web servers and browsers. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both ends of the transaction. In short, this is how it works.
1. A browser requests a secure page (usually https://).
2. The web server sends its public key with its certificate.
3. The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.
4. The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted HTTP data.
5. The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data.
6. The web server sends back the requested HTML document and HTTP data encrypted with the symmetric key.
7. The browser decrypts the HTTP data and HTML document using the symmetric key and displays the information.
Several concepts have to be understood here.
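Step 3 reproduced offline with the openssl command line, as an added example that is not part of the original post: a throwaway CA signs a server certificate, and the browser-side check accepts it against that CA and rejects it against an unrelated one. It assumes the openssl binary is installed; the CA and host names are made up.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce step 3 of the
# handshake above offline with openssl. A throwaway CA signs a server
# certificate; the "browser" side then checks that the certificate chains
# to a CA it trusts, and that the same certificate is rejected against a
# different CA. Assumes the openssl binary is installed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key ($WORK/NAME.pem, NAME.key)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_server_cert CA HOST: CSR for HOST, signed by CA ($WORK/HOST.pem)
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -sha256 -out "$WORK/$2.pem" 2>/dev/null
}

# verify_chain CA HOST: exit 0 if HOST's certificate is signed by CA and
# within its validity period, non-zero otherwise (the browser's check)
verify_chain() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# run_demo: prints the outcome of both checks
run_demo() {
    make_ca trusted-ca
    make_ca other-ca
    issue_server_cert trusted-ca www.example.com
    if verify_chain trusted-ca www.example.com; then
        echo "trusted-ca: certificate for www.example.com accepted"
    else
        echo "trusted-ca: certificate for www.example.com REJECTED"
    fi
    if verify_chain other-ca www.example.com; then
        echo "other-ca: certificate accepted (unexpected)"
    else
        echo "other-ca: certificate rejected, issuer is not trusted"
    fi
}

run_demo
```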