Pure-ftpd and ClamAV on CentOS using uploadscript

[root@www ~]# vim /etc/pure-ftpd/pure-ftpd.conf
# uncomment the CallUploadScript line

CallUploadScript   yes

[root@www ~]# vim /etc/pure-ftpd/clamscan.sh
# create a new script that runs each uploaded file through ClamAV; pure-uploadscript passes the full file name as $1
#!/bin/bash
# --remove deletes the file when it is infected; --quiet and --no-summary keep the output minimal
/usr/bin/clamscan --remove --quiet --no-summary "$1"

[root@www ~]# chmod 755 /etc/pure-ftpd/clamscan.sh

[root@www ~]# pure-uploadscript -B -r /etc/pure-ftpd/clamscan.sh

[root@www ~]# echo "pure-uploadscript -B -r /etc/pure-ftpd/clamscan.sh" >> /etc/rc.local

[root@www ~]# service pure-ftpd restart

Stopping pure-ftpd:                  [  OK  ]
Starting pure-ftpd:                  [  OK  ]
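As an added example (not part of the original post, and not pure-ftpd's or ClamAV's own code), here is an alternative hook for pure-uploadscript that quarantines infected uploads instead of deleting them and does not treat a scanner failure as a clean result. It assumes ClamAV's documented exit codes (0 clean, 1 infected, 2 error); the quarantine path and the `scanner` parameter used for testing are my own choices.

```python
#!/usr/bin/env python3
"""Upload hook for pure-uploadscript: scan with clamscan, quarantine on hit.

Assumptions: clamscan exit codes 0 = clean, 1 = infected, 2 = error;
the quarantine directory below is an example path, pick your own.
"""
import logging
import os
import shutil
import subprocess
import sys
import time
from typing import Callable

QUARANTINE_DIR = "/var/lib/pure-ftpd/quarantine"   # assumed path
CLAMSCAN = ["/usr/bin/clamscan", "--quiet", "--no-summary"]

log = logging.getLogger("upload-scan")


def run_clamscan(path: str) -> int:
    """Run clamscan on one file and return its exit code."""
    return subprocess.run(CLAMSCAN + ["--", path]).returncode


def handle_upload(path: str,
                  scanner: Callable[[str], int] = run_clamscan,
                  quarantine_dir: str = QUARANTINE_DIR) -> str:
    """Scan an uploaded file; return "clean", "quarantined" or "error".

    Anything other than a clean verdict removes the file from the FTP tree:
    an infected file is moved to the quarantine directory, and a scanner
    error also moves the file aside so an unscanned file is never left
    available for download.
    """
    rc = scanner(path)
    if rc == 0:
        log.info("clean: %s", path)
        return "clean"
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    # prefix with a timestamp so repeated uploads of the same name do not collide
    dest = os.path.join(quarantine_dir,
                        "%d-%s" % (int(time.time() * 1000), os.path.basename(path)))
    shutil.move(path, dest)
    if rc == 1:
        log.warning("infected, quarantined: %s -> %s", path, dest)
        return "quarantined"
    log.error("scanner failed (exit %d), file set aside: %s -> %s", rc, path, dest)
    return "error"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # pure-uploadscript passes the uploaded file's full path as the first argument
    sys.exit(0 if handle_upload(sys.argv[1]) == "clean" else 1)
```

Point `pure-uploadscript -r` at this file instead of clamscan.sh; it receives the uploaded file's full path as the first argument, exactly like the bash version above, and the quarantine directory should be writable only by the account pure-uploadscript runs as.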

Chart based fonts

It is exciting to see charting simplified; overall the idea makes sense, but it requires a deep understanding of the design to implement. Richer libraries such as Google Charts are more practical, but the concept of using fonts for charts is a good step forward, especially for lightweight, cross-platform implementations. More importantly, scaling with screen size from the concept of a "chart font" is exciting as well.

You can see examples of Chart Fonts here: Chartwell

FreeBSD to Linux window command

Are you an old-school FreeBSD user who was using:

$  window

I used window every time I logged onto a server and missed it when I started using CentOS (and Enterprise Linux) more. I finally found a worthy replacement for window: enter tmux.

#  yum install tmux

# tmux

That is it. Read the docs on how to use it; you should learn to love it more than window, especially because it is screen and window combined!!

Protecting WordPress BruteForce on Linux

I was playing with a new service I stumbled across called Fail2Ban. I am still learning the ins and outs, but I did manage to get a server protected from WordPress brute-force attacks using iptables and fail2ban. These steps were performed on CentOS 6.

Install fail2ban

#>  sudo yum install fail2ban


Configure fail2ban: go through jail.conf line by line and decide how you want it set up.

#>  cd /etc/fail2ban && vim jail.conf


Add support for WordPress login protection. This bans the offending IP for two days (172800 seconds) if it fails to log in 4 times within a one-hour span (3600 seconds).

#> cd /etc/fail2ban && vim  jail.local


Paste in this info. It assumes that your logging is in the location defined below; most setups would look more like "/var/log/httpd/vhosts/*/*.log" for the logpath. Notice the simple wildcards for setting up the logging paths.

[apache-wp-login]
action = iptables-multiport[name="apache-wp-login", port="http,https"]
enabled = true
port = http,https
filter = apache-wp-login
logpath = /var/log/httpd/access_log
maxretry = 4
# findtime and bantime are in seconds
findtime = 3600
bantime = 172800

Next, set up the WordPress filter for fail2ban. I had to play with this one a little to get it to match my log format. The trick is setting <HOST>: this is where fail2ban reads the IP address to block, so if this expression does not match your logging format exactly, the jail will not work. I just use Apache Common as my log format (I append the virtualhost domain %v at the end of the common format, for log splitting).

#> cd /etc/fail2ban/ && vim filter.d/apache-wp-login.conf

Paste the information below into the apache-wp-login.conf file.

[Definition]
failregex = <HOST>.*] "POST /wp-login.php
ignoreregex =

Restart fail2ban

#> sudo service fail2ban restart

Check out the work: run this command over and over again as your blocks build up.

#> sudo iptables -L -n
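To check the point above that the <HOST> expression has to match your log format exactly, here is an added example in Python (not fail2ban's own code and not part of the original post). It expands the apache-wp-login failregex roughly the way fail2ban does, runs it over constructed Apache common-log lines (with %v appended, as in this setup) and applies the jail's maxretry/findtime rule to see which hosts would be banned. The <HOST> expansion is an approximation of fail2ban 0.8's, and the log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

# Approximation of what fail2ban 0.8 substitutes for <HOST> (assumption).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The failregex from filter.d/apache-wp-login.conf above.
FAILREGEX = r'<HOST>.*] "POST /wp-login.php'
# The jail.local settings above.
MAXRETRY, FINDTIME = 4, 3600

# Constructed Apache common-log lines with %v appended (not real traffic).
SAMPLE_LOG = """\
192.0.2.9 - - [15/Sep/2012:16:30:00 -0700] "POST /wp-login.php HTTP/1.1" 200 3921 blog.example
192.0.2.9 - - [15/Sep/2012:17:00:00 -0700] "POST /wp-login.php HTTP/1.1" 200 3921 blog.example
203.0.113.5 - - [15/Sep/2012:18:00:00 -0700] "POST /wp-login.php HTTP/1.1" 200 3921 blog.example
198.51.100.7 - - [15/Sep/2012:18:01:00 -0700] "POST /wp-login.php HTTP/1.1" 200 3921 blog.example
203.0.113.5 - - [15/Sep/2012:18:02:00 -0700] "POST /wp-login.php HTTP/1.1" 200 3921 blog.example
203.0.113.5 - - [15/Sep/2012:18:03:00 -0700] "GET /wp-login.php HTTP/1.1" 200 2311 blog.example
203.0.113.5 - - [15/Sep/2012:18:05:00 -0700] "POST /wp-login.php HTTP/1.1" 200 3921 blog.example
203.0.113.5 - - [15/Sep/2012:18:07:00 -0700] "POST /wp-login.php HTTP/1.1" 200 3921 blog.example
192.0.2.9 - - [15/Sep/2012:18:10:00 -0700] "POST /wp-login.php HTTP/1.1" 200 3921 blog.example
192.0.2.9 - - [15/Sep/2012:18:40:00 -0700] "POST /wp-login.php HTTP/1.1" 200 3921 blog.example
"""


def compile_failregex(pattern: str = FAILREGEX):
    """Expand <HOST> into the named group and compile the pattern."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def match_host(line: str, regex=None) -> Optional[str]:
    """Return the host captured by failregex, or None when the line is not a failure."""
    regex = regex or compile_failregex()
    m = regex.search(line)
    return m.group("host") if m else None


def log_time(line: str) -> datetime:
    """Parse the bracketed Apache timestamp, e.g. [15/Sep/2012:18:56:40 -0700]."""
    stamp = re.search(r"\[([^\]]+)\]", line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def offenders(log_text: str, maxretry: int = MAXRETRY, findtime: int = FINDTIME) -> List[str]:
    """Hosts that produced maxretry matching lines inside a findtime-second window.

    Lines are assumed to be in time order, as they are in a live access log.
    """
    regex = compile_failregex()
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: List[str] = []
    for line in log_text.splitlines():
        host = match_host(line, regex)
        if host is None:
            continue
        now = log_time(line)
        window = recent[host]
        window.append(now)
        # drop hits that have fallen outside the findtime window
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("would ban:", offenders(SAMPLE_LOG))   # ['203.0.113.5']
```

In the sample, 203.0.113.5 posts four times within seven minutes and is banned; 192.0.2.9 also posts four times but spread over more than an hour, so its hits never accumulate inside one findtime window, and the GET of /wp-login.php is ignored because the failregex only matches POSTs. Swapping SAMPLE_LOG for a few lines copied from your own access_log is the quickest way to confirm the expression matches your format before enabling the jail.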

Enjoy!!!!


MAC OS X Mavericks You need Java SE 6 Runtime Error Message Fix

After installing Mavericks, you might have trouble running your regular Java Apps. When you launch the app you will see an error message like in the screenshot.

My issues were with Cisco ASDM, Photoshop, VNC and a KVM-over-IP program I use for my home media and backup center. All were unavailable after the update; it took a few days, but it appears I was not the only one. Apple has set up a support page to correct the issue:

[screenshot: the Java SE 6 runtime error message]
To fix the error message, go here, then download and install:
http://support.apple.com/kb/DL1572


Force UTF8 in PHP from MySQL

I had to deal with this on my personal blog and figured out this fix. Essentially, it forces the MySQL client to convert to UTF-8 when you SELECT. You can do this in any language, but I include PHP here because the fix was in a WordPress plugin that I corrected to get UTF-8 output on my site.


1. Update your tables
ALTER TABLE TB_NAME CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci;

2. Set the server locale
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=

3. Add this to your PHP code just before any "SELECT * FROM…" statement
$local_res = mysql_query( 'SET NAMES utf8;' );

4. Change PuTTY to use UTF-8 (to help with debugging)

TinyDNS (DJBDNS) on CentOS

This is how I installed TinyDNS (DJBDNS) on CentOS.

Setup the accounts to be used:

    #> useradd -s /bin/false tinydns
    #> useradd -s /bin/false dnslog

Set up the timezone, and make sure the servers' clocks are very close in time to prevent errors during setup:

    #> cd /etc
    #> ln -sf /usr/share/zoneinfo/America/Los_Angeles localtime

Add daemontools:

    #> cd /usr/local/src/
    #> mkdir daemontools
    #> cd daemontools
    #> wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
    #> tar xvfz daemontools-0.76.tar.gz
    #> cd admin/daemontools-0.76/

Add " -include /usr/include/errno.h" at the end of the 1st line:

    #> vi compile/conf-cc
    #> ./package/install
    #> cd /command
    #> \rm *
    #> cp -rp /root/daemontools/admin/daemontools/command/* .

Remove the svscanboot line from /etc/inittab, because it is not used as of fc9:

    #> vi /etc/inittab

Create this new file:

    #> vi /etc/event.d/svscan

The content of the file /etc/event.d/svscan is:

    start on runlevel [2345]
    stop on runlevel [016]
    respawn
    exec /command/svscanboot

Now the daemontools setup is complete. Run "ps -ef" to check that svscan is running; if it is not, start it manually or reboot. Next, build and install ucspi-tcp:

    #> cd /usr/local/src/
    #> mkdir ucspi-tcp
    #> cd ucspi-tcp/
    #> wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
    #> tar xvfz ucspi-tcp-0.88.tar.gz
    #> cd ucspi-tcp-0.88

Put " -include /usr/include/errno.h" at the end of the 1st line:

    #> vi conf-cc
    #> make
    #> ./install

Set up DJBDNS:

    #> cd /usr/local/src/
    #> mkdir djbdns
    #> cd djbdns/
    #> wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
    #> tar xvfz djbdns-1.05.tar.gz
    #> cd djbdns-1.05
    #> mkdir -p /var/multilog/svscan-service
    #> chown multilog:nofiles /var/multilog/svscan-service
    
Add " -include /usr/include/errno.h" to the 1st line:

    #> vi conf-cc
    #> make
    #> make setup check
    #> ./install

Make sure svscan looks like this:

    #> cat /etc/event.d/svscan
    start on runlevel [2345]
    stop on runlevel [016]
    respawn
    exec /command/svscanboot

TinyDNS:

    #> useradd -s /bin/false tinydns
    #> useradd -s /bin/false dnslog
    #> tinydns-conf tinydns dnslog /etc/tinydns 10.11.0.50
    #> ln -s /etc/tinydns /service/
    #> svstat /service/tinydns

Testing:

Run "svstat /service/tinydns" again; it should show how many seconds the service has been running. If not, you might have an issue.

Final Test (add a record and dig the local server):

    #> cd /etc/tinydns/root/
    #> ./add-ns my-test-site-domain1234567890.com 10.11.0.50
    #> dig my-test-site-domain1234567890 @10.11.0.50

You should see something like this:

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.4 <<>> my-test-site-domain1234567890 @10.11.0.50
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2519
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;my-test-site-domain1234567890.               IN      A

    ;; ANSWER SECTION:
    my-test-site-domain1234567890.        3600    IN      A       10.11.0.50

    ;; Query time: 0 msec
    ;; SERVER: 10.11.0.6#53(10.11.0.6)
    ;; WHEN: Sat Sep 15 18:56:40 2012
    ;; MSG SIZE  rcvd: 114

Troubleshooting:

    * cat /etc/tinydns/log/main/current to see if there are errors.
    * Check /var/log/messages for iptables or SELinux messages.
    * Make sure there is a supervise directory in /etc/tinydns/
    * Make sure there is no directory under /etc/tinydns/env
    * Delete the /service/tinydns link and re-link it
    * Delete the /etc/tinydns directory and re-create it using tinydns-conf
    * Start and stop the service using "svc" ("svc -d", then "svc -u", or "svc -t", etc.)

How to add SSH keys the easy way

There are many ways to add SSH keys, but it gets into a gray area when you try to set this up server to server, such as for rsync, DNS syncing, backups, etc. Here is what I learned recently about how to set this up really fast.

On the server you want other servers (hosts) to be able to log in with:

#> ssh-keygen
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

And then, to get the hosts set up to log in (let's say the host is 192.168.1.100):

#> ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.1.100

Remember, all these commands are executed on the server that you want to allow other servers to connect to. So this is the PARENT server, and the child servers are the hosts (i.e. 192.168.1.100).

DJBDNS TinyDNS Listening IP Address

How can I tell which IP address TinyDNS is setup to listen to?

This is a great question, and one that I have struggled with in the past. Here are some notes and then a quick answer, followed by how to adjust that.

1. How do I know what IP TinyDNS is listening to?

The easiest way to tell is to run this command:

#> netstat -aup

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 *:omirr *:* 2328/rpc.statd
udp 0 0 *:811 *:* 2328/rpc.statd
udp 0 0 ns1.myserver.com:domain *:* 2856/tinydns
udp 0 0 *:37736 *:* 2793/avahi-daemon
udp 0 0 *:mdns *:* 2793/avahi-daemon
udp 0 0 *:sunrpc *:* 2285/portmap

Notice that it is not showing an IP at all but a domain name. In fact, this is the hostname of the server, and it is caused by TinyDNS listening on the localhost IP "127.0.0.1".

What next? Find your TinyDNS /env/ folder.

#> locate IP | grep tiny

/etc/tinydns/env/IP

Open up the IP file and change the IP.

#> vim /etc/tinydns/env/IP

Restart the server and you are all done. I know you can just restart the service, but I have had better luck restarting the server than the service.

One final note: if you are using dnscache and not TinyDNS, you can just locate the IP file in …../dnscache/env/, make the same change, restart, etc., and you are all set.


MySQL Backup on UNIX/LINUX

I came across this script online months ago, tuned it to work a little differently and share it here. Use it to back up your MySQL databases on a UNIX/Linux server.

  1. Create a MySQL user that is read only. I use phpMyAdmin, so I just create a new user under Privileges and give the user the global rights "SELECT" (first column), "LOCK TABLES" (third column) and "RELOAD" (third column). If you do not use phpMyAdmin, here is the SQL statement:

    CREATE USER 'SOME_USER'@'localhost' IDENTIFIED BY 'SOME_PASSWORD';
    GRANT SELECT, RELOAD, LOCK TABLES ON *.*
    TO 'SOME_USER'@'localhost'
    IDENTIFIED BY 'SOME_PASSWORD'
    WITH MAX_QUERIES_PER_HOUR 0;

  2. Set up this script; I put it in /usr/local/scripts/bk_mysql.sh

    #!/bin/sh
    DIR=/backup/mysql/
    DATESTAMP=$(date +%Y%m%d)
    DB_USER=SOME_USER
    # note: a password passed with -p is visible to other local users in the process
    # list; a ~/.my.cnf readable only by the backup user avoids that
    DB_PASS='SOME_PASSWORD'
    # remove backups older than $DAYS_KEEP days
    DAYS_KEEP=60
    find "${DIR}" -name '*.gz' -mtime +"$DAYS_KEEP" -exec rm -f {} \; 2> /dev/null
    # create backups securely (no access for "other")
    umask 006

    # list MySQL databases and dump each
    DB_LIST=$(mysql -u "$DB_USER" -p"$DB_PASS" -e 'show databases;')
    DB_LIST=${DB_LIST##Database}   # drop the "Database" column header
    for DB in $DB_LIST
    do
        FILENAME="${DIR}${DB}/${DB}-${DATESTAMP}.sql.gz"
        mkdir -p "${DIR}${DB}"
        mysqldump --add-drop-table --complete-insert --default-character-set=utf8 --allow-keywords -u "$DB_USER" -p"$DB_PASS" --opt --flush-logs "$DB" | gzip > "$FILENAME"
    done

    exit 0


  3. Give the file the correct rights:

    #SERVER> chmod a+x /usr/local/scripts/bk_mysql.sh

  4. Add this to your crontab (nightly):

    #SERVER> crontab -e

    #  *    *    *    *    *      command to be executed
    #  -    -    -    -    -
    #  |    |    |    |    |
    #  |    |    |    |    +----- day of week (0 - 6) (Sunday=0)
    #  |    |    |    +---------- month (1 - 12)
    #  |    |    +--------------- day of month (1 - 31)
    #  |    +-------------------- hour (0 - 23)
    #  +------------------------- min (0 - 59)
    15      2    *    *     *     /usr/local/scripts/bk_mysql.sh
