BSD & *NIX
August 27, 2010
It's been a long time since I last used NFS.
Today I need to generate a backup of the web files and MySQL, and I would prefer to save this backup to another HDD in a different place.
Then NFS came to mind. So here are the simple steps to mount a network drive on your CentOS box using NFS.
Server IP : 172.31.0.1
Client IP : 172.31.0.2
On the Server
1. Create backup folder
mkdir /backup
2. Edit /etc/exports
vi /etc/exports
Add this line:
/backup 172.31.0.2/255.255.255.255(rw,sync)
3. Edit /etc/hosts.allow
vi /etc/hosts.allow
add this line
portmap: 172.31.0.0/255.255.255.0
4. Restart NFS and portmap
/etc/init.d/nfs restart
/etc/init.d/portmap restart
On the Client
1. Start portmap
/etc/init.d/portmap start
2. Edit /etc/fstab and add this line
vi /etc/fstab
172.31.0.1:/backup /mnt/backup nfs rw,hard,intr 0 0
3. Create the mount point and mount the NFS share
mkdir -p /mnt/backup
mount 172.31.0.1:/backup /mnt/backup
If you are using CSF as your firewall, make sure to add your server IP address to /etc/csf/csf.allow.
That's all.
June 22, 2010
Requirement :
# Requirements - the following perl modules are required:
# DBD::Pg or DBD::mysql
# Mail::Sender, Email::Valid, MIME::Charset, Log::Log4perl, Log::Dispatch, MIME::EncWords and GetOpt::Std
groupadd -r -g 65501 vacation
useradd -r -u 65501 -g vacation -d /var/spool/vacation -s /sbin/nologin vacation
mkdir /var/spool/vacation
cd /var/www/postfixadmin/VIRTUAL_VACATION
cp vacation.pl /var/spool/vacation/vacation.pl
chown -R vacation:vacation /var/spool/vacation
sudo chmod -R 700 /var/spool/vacation
nano /var/spool/vacation/vacation.pl
our $db_type = 'mysql';
our $db_username = 'postfix';
our $db_password = 'yourdbpasswd';
our $db_name = 'postfix';
our $vacation_domain = 'autoreply.yourdomain.com';
cd /var/www/postfixadmin
nano config.inc.php
$CONF['vacation'] = 'YES';
$CONF['vacation_domain'] = 'autoreply.yourdomain.com';
cd /etc/postfix
nano master.cf
Add (near the end of the file):
vacation unix - n n - - pipe
  flags=Rq user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}
nano main.cf
transport_maps = hash:/etc/postfix/transport
nano transport
autoreply.yourdomain.com vacation
postmap /etc/postfix/transport
/etc/init.d/postfix reload
Done.
January 6, 2009
Situation:
The server is connected to 2 networks, which means it has two adapters:
eth0 - Network A
and
eth1 - Network B
For the server to be ONLINE on both network A and network B, it needs a default route to the router IP of each network.
The problem is that you cannot have 2 default routes. That is the root of the problem here.
How to solve it?
After almost a month of wandering around asking uncle Google, I finally found the solution.
OK, first things first.
Before that, here are example IPs for the two networks:
eth0 - 10.10.10.9/24 gw - 10.10.10.1
eth1 - 172.16.16.8/24 gw - 172.16.16.1
Before doing this, make sure your Linux supports “policy routing”.
If it does not, please add the support; I am not going to explain how to do that. But if you use CentOS 5.*, it is already supported.
OK, then we get the current info about our routes.
Type:
# netstat -anr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
172.16.16.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 172.16.16.1 0.0.0.0 UG 0 0 0 eth1
So from the information above, our current default route is 172.16.16.1, on eth1.
1. Type: echo "1 admin" >> /etc/iproute2/rt_tables
2. Then type:
ip route add 10.10.10.0/24 dev eth0 src 10.10.10.9 table admin
ip route add default via 10.10.10.1 dev eth0 table admin
So we have created the routing table admin, which we can view by typing the command: ip rule
The output looks like this:
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
3. After that, type this:
ip rule add from 10.10.10.9/32 table admin
ip rule add to 10.10.10.9/32 table admin
Then type ip rule, and the result is:
0: from all lookup local
32764: from all to 10.10.10.9 lookup admin
32765: from 10.10.10.9 lookup admin
32766: from all lookup main
32767: from all lookup default
4. If necessary, check the firewall in case it is blocking anything. For testing, it is best to turn iptables off completely first.
5. Done.
Reference: http://www.linuxhorizon.ro/iproute2.html
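Added example, not part of the original post: a small shell helper that derives the four commands of steps 2 and 3 from an interface's address, prefix and gateway, and prints them for review instead of running them. The function names are hypothetical; it assumes the table name is already registered in /etc/iproute2/rt_tables (step 1) and sets src to the interface's own address, which ip route requires to be a local address.

```shell
#!/bin/sh
# Added example: generate the policy-routing commands for one uplink.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# policy_route_cmds IFACE ADDR PREFIX GATEWAY TABLE
# Prints the commands so they can be checked before they touch the routing tables.
policy_route_cmds() {
    iface=$1; addr=$2; prefix=$3; gw=$4; table=$5
    mask=$(( (0xFFFFFFFF << (32 - $prefix)) & 0xFFFFFFFF ))
    a=$(ip_to_int "$addr"); g=$(ip_to_int "$gw")
    # The gateway must be on the interface's subnet and must not be
    # mistaken for the host's own (source) address.
    if [ $(( $a & $mask )) -ne $(( $g & $mask )) ] || [ "$a" -eq "$g" ]; then
        echo "error: gateway $gw is not a neighbour of $addr/$prefix" >&2
        return 1
    fi
    net=$(int_to_ip $(( $a & $mask )))
    echo "ip route add $net/$prefix dev $iface src $addr table $table"
    echo "ip route add default via $gw dev $iface table $table"
    echo "ip rule add from $addr/32 table $table"
    echo "ip rule add to $addr/32 table $table"
}

# Values from the post: eth0 is 10.10.10.9/24 behind gateway 10.10.10.1.
policy_route_cmds eth0 10.10.10.9 24 10.10.10.1 admin
```

After applying the printed commands, ip route show table admin lists the routes held in the new table.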
July 8, 2008
Before this I had never set this up manually; I always just clicked around in WHM/cPanel to create an SSL site.
As part of a task I was given, I was asked to bring up Apache + OpenSSL + a cert, where the cert I am going to make is a self-made one that is not recognized by any responsible body, be it an NGO or the government.
OK, I assume you already have Apache compiled together with OpenSSL.
1. First we make the fake (self-made) certificate. The steps:
Create a directory named sslcert. The name does not really matter, so call it whatever you like.
mkdir sslcert
Set its permissions with
chmod 0700 sslcert
Then go into it and create the subfolders like this
cd sslcert
mkdir certs private
2. Next we create the database files so that later we can keep track of the certificates we make
echo '100001' >serial
touch certindex.txt
3. Then open any editor, for example vim or nano, create a file named openssl.cnf and copy-paste this into it
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = sha256 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
3. Then we create the root cert with the command below
openssl req -new -x509 -extensions v3_ca -keyout \
private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf
Note: the \ after keyout is only there to break up a command that is too long, so just copy the rest and press Enter.
Right after you type it, it will ask for a password, so keep that password safe.
After that it will ask about the company name, server name, email and so on. Even if you make the answers up, please remember what you wrote, because later there is one more step like this that asks the same questions, and the answers must be the same. Otherwise your certificate will not be valid.
4. OK, next we install this cert in Apache.
5. OK, now we create the key and the signing request
openssl req -new -nodes -out name-req.pem -keyout private/name-key.pem -config ./openssl.cnf
After you type this command it will ask questions about the company name and so on, like the first time, so make sure the answers are the same as the first time. It will create these two files:
name-req.pem - the request file
name-key.pem - the key file, which sits in private
6. Then we sign the request with this command
openssl ca -out name-cert.pem -config ./openssl.cnf -infiles name-req.pem
This creates the following files:
name-cert.pem - this is the certificate file
.pem - this is a numbered copy of the cert
7. Then we copy the key and certificate files to where they belong
cp private/name-key.pem /etc/httpd/conf/ssl.key/
cp name-cert.pem /etc/httpd/conf/ssl.crt/
If the ssl.key and ssl.crt folders do not exist, use your common sense.
8. Then the last step: find your httpd.conf file and put in something like the code below, adjusted to your own taste.
DocumentRoot /var/www/html
ServerName 192.168.1.98
ServerAdmin someone@your.domain
ErrorLog /etc/httpd/logs/ssl_error_log
TransferLog /etc/httpd/logs/ssl_access_log
SSLEngine On
SSLCertificateFile /etc/httpd/conf/ssl.crt/name-cert.pem
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/name-key.pem
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /etc/httpd/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Reference: http://www.flatmtn.com/
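Added example, not part of the original post: a check to run over an openssl.cnf like the one in step 3 before issuing anything from it, flagging digest and key-size defaults that current OpenSSL and browser builds treat as too weak. The function names, the list of digests and the 2048-bit floor are assumptions of this example, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: flag weak default_md / default_bits values in an openssl.cnf.

# audit_openssl_cnf < FILE
# Prints "section key=value reason" per finding; exit status 1 if any were found.
audit_openssl_cnf() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        /^[ \t]*\[/ {                            # [ section ] header
            sub(/^[ \t]*\[[ \t]*/, ""); sub(/[ \t]*\].*/, "")
            section = $0; next
        }
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val)
            if (key == "default_md" && val ~ /^(md2|md4|md5|sha1)$/) {
                print section, key "=" val, "weak-digest"; bad = 1
            }
            if (key == "default_bits" && val + 0 < 2048) {
                print section, key "=" val, "short-key"; bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: an old-style template carrying legacy values.
sample_cnf() {
    cat <<'EOF'
dir = .
[ CA_default ]
default_days = 365
default_md = md5
[ req ]
default_bits = 1024 # Size of keys
default_md = sha256 # message digest algorithm
EOF
}

sample_cnf | audit_openssl_cnf || echo "fix the settings above before issuing certificates"
```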
August 1, 2007
1. Open Synaptic and get ndiswrapper-tools
2. Download WPC54G driver for windows at ftp://ftp.linksys.com/international/drivers/WPC54G_driver_utility_v3.1.zip
3. Unzip the driver
4. cd WPC*/Driver/NT
5. sudo ndiswrapper -i LSBCMNDS.inf
6. sudo modprobe ndiswrapper
7. echo ndiswrapper | sudo tee -a /etc/modules
8. Go to Network settings and disable eth0.
9. Insert the WPC54G PCMCIA card
10. Run dmesg; you will see wlan0: ndiswrapper ethernet bla bla bla
11. Check ifconfig; you are now on the network.
DONE
optional
12. To scan network : iwlist wlan0 scan
January 10, 2007
Today, as usual, I logged on to my server and ran some commands to monitor its status. I looked up the disk usage of each partition and saw:
Filesystem Size Used Avail Use% Mounted on
/dev/sda5 2.0G 1.5G 441M 77% /
/dev/sda1 99M 14M 80M 15% /boot
none 489M 0 489M 0% /dev/shm
/dev/sda8 205G 43G 152G 22% /home
/dev/sda7 2.0G 40M 1.9G 3% /tmp
/dev/sda2 15G 5.6G 8.2G 41% /usr
/dev/sda3 2.5G 2.3G 0 100% /var
/tmp 2.0G 40M 1.9G 3% /var/tmp
Huh~ my /var just got full.
I just remembered that my MySQL data was in there, in /var/lib/mysql. If I let it go, MySQL will get write errors and the daemon will not work properly.
First I tried the easy way: copy all the data to another partition, into /home/mysql/,
then I edited /etc/my.cnf and put datadir = /home/mysql,
then I restarted MySQL.
Suddenly it all went wrong. My mysqld did not work anymore and could not be started.
I struggled for about half an hour to settle this problem, and I found the best solution to make this happen smoothly.
First edit the my.cnf:
pico -w /etc/my.cnf
Now in the mysqld section add the following:
pid-file = /home/mysql/mysqld.pid
socket = /var/lib/mysql/mysql.sock
datadir = /home/mysql
basedir = /home/mysql
Now we are going to copy all of the data to the new partition. Notice that we do the copy TWICE; that is because moving 1 GB++ of data can take some time and the tables may have changed. When we run it the second time, we hopefully get it so that when the switchover happens there is very little, if any, lost data. If you can afford the downtime, simply shut down MySQL before running this command. If you cannot, though, running it twice and then quickly copy/pasting the other commands is a valid substitute.
rsync -vrplogDtH /var/lib/mysql/ /home/mysql/
rsync -vrplogDtH /var/lib/mysql/ /home/mysql/
Now we need to setup the mysql.sock so that it operates correctly:
ln -s /home/mysql/mysql.sock /var/lib/mysql/mysql.sock
rm -rf /tmp/mysql.sock
ln -s /home/mysql/mysql.sock /tmp/mysql.sock
Restart MySQL so it is on the new partition:
killall -9 mysqld
service mysql start
*Note* I do not show you deleting the /var/lib/mysql directory. Go ahead and do that a few days after the move, in case something went wrong and you do not have good backups. When you delete the /var/lib/mysql directory, make sure you recreate it so that the mysql.sock file can be created in the directory. Do the following to remove the old data and get mysql.sock set back up correctly.
rm -rf /var/lib/mysql
mkdir /var/lib/mysql
chown mysql /var/lib/mysql
service mysql restart
ln -s /home/mysql/mysql.sock /var/lib/mysql/mysql.sock
rm -rf /tmp/mysql.sock
ln -s /home/mysql/mysql.sock /tmp/mysql.sock
That's it, you are all done with moving MySQL!
November 14, 2006
One way to stop one of the more basic attacks on a server is mod_evasive. This how-to will walk through the process of installing and configuring mod_evasive. This Apache module will help protect against people sending too many requests to the web server in an attempt to flood it. If it detects too many connections, the offending IP will be blocked from accessing Apache. This is especially useful when the server is continuously getting attacked. With this default configuration it will block the offending IP for 10 minutes. If it continues to try and flood, mod_evasive will automatically add more time to this.
let's install it ~!!!
Follow this section for Apache 1.3.x.
-----command-----
cd /usr/local/src
wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/etc/httpd/bin/apxs -cia mod_evasive.c
-----command-----
Follow this section for Apache 2.0.x.
-----command-----
up2date -i httpd-devel
cd /usr/local/src
wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
/usr/sbin/apxs -cia mod_evasive20.c
-----command-----
If you are adding this module to Apache 1.3.x, the following lines need to be added to the httpd.conf below the AddModule section.
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
If you are using Apache 2.0.x, you need to scroll to below the LoadModule section in the httpd.conf and add the following:
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
Save httpd.conf and exit out of pico.
Now it should be ready to go. Restart Apache:
-----command-----
service httpd restart
-----command-----
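Added example, not part of the original post and not mod_evasive's own code: a simplified replay of the DOSPageCount, DOSPageInterval and DOSBlockingPeriod values above over an existing request log, to see which clients would be blocked before the module is switched on. The input format (epoch seconds, client IP, URI), the function names and the sample lines are constructed, and the per-IP, per-URI window counter only approximates the behaviour the post describes.

```shell
#!/bin/sh
# Added example: estimate which clients the page-level thresholds would block.

# evasive_replay PAGE_COUNT PAGE_INTERVAL BLOCK_PERIOD < "epoch ip uri" lines
# Prints "ip denied=N blocked_until=EPOCH" for every client that trips the limit.
evasive_replay() {
    awk -v limit="$1" -v interval="$2" -v period="$3" '
        {
            ts = $1; ip = $2; key = ip SUBSEP $3
            if (ip in blocked_until && ts < blocked_until[ip]) {
                # Still blocked: the request is refused and the block extended.
                blocked_until[ip] = ts + period; denied[ip]++; next
            }
            if (!(key in start) || ts - start[key] >= interval) {
                start[key] = ts; hits[key] = 0      # open a new counting window
            }
            if (++hits[key] > limit) {              # threshold exceeded
                if (!(ip in denied)) order[++n] = ip
                blocked_until[ip] = ts + period; denied[ip]++
            }
        }
        END {
            for (i = 1; i <= n; i++)
                print order[i], "denied=" denied[order[i]], \
                      "blocked_until=" blocked_until[order[i]]
        }
    '
}

# Constructed sample: one client hammering a single URI, one normal visitor.
sample_log() {
    cat <<'EOF'
1000 203.0.113.7 /login.php
1000 203.0.113.7 /login.php
1000 203.0.113.7 /login.php
1001 203.0.113.7 /login.php
1001 203.0.113.7 /login.php
1001 203.0.113.7 /login.php
1001 198.51.100.4 /index.html
1002 203.0.113.7 /login.php
1003 198.51.100.4 /style.css
1700 203.0.113.7 /index.html
EOF
}

# Thresholds from the post: DOSPageCount 5, DOSPageInterval 2, DOSBlockingPeriod 600.
sample_log | evasive_replay 5 2 600
```

Running it with different thresholds over real traffic shows whether legitimate clients, such as a proxy shared by many users, would cross the limit.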