# ifconfig

eth1      Link encap:Ethernet  HWaddr 00:1C:F0:BB:A7:28
inet addr:10.10.10.11  Bcast:10.10.10.255  Mask:255.255.255.0
inet6 addr: fe80::21c:f0ff:febb:a728/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:470449435 errors:1 dropped:0 overruns:0 frame:0
TX packets:464084402 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2563674692 (2.3 GiB)  TX bytes:2243518951 (2.0 GiB)
Interrupt:225 Base address:0×2800

Just run the following syntax…

Make sure no such entries inside: /etc/sysconfig/network and /etc/modprobe.conf file

# echo “NETWORKING_IPV6=no” >> /etc/sysconfig/network
# echo “alias ipv6 off” >> /etc/modprobe.conf
# echo “alias net-pf-10 off” >> /etc/modprobe.conf
# reboot (your server to make affect)

Once reboot-ed, do :

# ifconfig

eth1      Link encap:Ethernet  HWaddr 00:1C:F0:BB:A7:28
inet addr:10.10.10.11  Bcast:10.10.10.255  Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:470471884 errors:1 dropped:0 overruns:0 frame:0
TX packets:464109169 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2574513731 (2.3 GiB)  TX bytes:2255015395 (2.1 GiB)
Interrupt:225 Base address:0×2800

0) Backup your database.
You should probably be doing this already.  Now’s a good time to make sure that your backups ran.

1) Create the script.
You’ll need the correct permissions to query the database. Here’s the command.  Be sure to change <DATABASE_NAME> as it fits.

# mysql -p -e "show tables in <DATABASE_NAME>;" | \
tail --lines=+2 | \
xargs -i echo "ALTER TABLE {} ENGINE=INNODB;" > alter_table.sql

2) Run the script.

# mysql --database=<DATABASE_NAME> -p < alter_table.sql

3) Verify it by running this command in mysql:

mysql> show table status;

SOURCE

When invoked without arguments, the date command displays the current date and time. Depending on the options specified, date will set the date and time or print it in a user defined way. I’ve seen many people writing a perl script for calculating yesterday or tomorrow. Computer loves numbers but we love relative terms like 2 days ago. Luckily GNU date command is designed to handle relative date calculation.

Why use relative date formats?

• Ease of use
• To write your own scripts
• Automate task using cron (example run a job on last day of the month or Nth day of the month or 3rd Friday and so on)

First, print today’s date:
$ date
Sun Jun 17 12:17:24 CDT 2007

Now display Yesterday’s date:
$ date --date="1 days ago"
OR try:
$ date --date="yesterday"
Sat Jun 16 12:17:20 CDT 2007

Now display Tomorrow’s date:
$ date --date="-1 days ago"
Or better try:
$ date --date="next day"
Sat Jun 16 12:17:20 CDT 2007

Getting date in the future

To get tomorrow and day after tomorrow (tomorrow+N) use day word to get date in the future.

Getting date in the past

To get yesterday and earlier day in the past use string day ago:

Moving by whole years or months

You can add year and months keywords to get more accurate date:
$ date --date='2 year ago' # past
$ date --date='3 years' # go into future
$ date --date='2 days' # future
$ date --date='1 month ago' # past
$ date --date='2 months' # future

Moving date using more precise units

• You can use fortnight for 14 day
• Week for 7 days
• hour for 60 minutes
• minute for 60 seconds
• second for one second
• You can also use this / now / today keywords to stress the meaning

To print the date of this Friday:
$ date --date='this Friday'
To print the date of the day six months and 15 day
$ date --date='6 months 15 day'
To print the date of the day two months and 5 days ago:
$ date --date='2 months 5 day ago'

You can also use relative format to setup date and time. For example to set the system clock forward by 30 minutes, enter:
# date --set='+30 minutes'

To display date in epoch time:
$ date --date='1970-01-01 00:00:01 UTC +5 hours' +%s

SOURCE

Q. How do I format date to display on screen on for my scripts as per my requirements?

A. You need to use standard date command to format date or time for output or to use in a shell script.

Syntax to specify format
date +FORMAT

Task: Display date in mm-dd-yy format

Type the command as follows:
$ date +"%m-%d-%y"
Output:

02-27-07

Turn on 4 digit year display:
$ date +"%m-%d-%Y"
Just display date as mm/dd/yy format:
$ date +"%D"

Task: Display time only

Type the command as follows:
$ date +"%T"
Output:

19:55:04

Display locale’s 12-hour clock time
$ date +"%r"
Output:

07:56:05 PM

Display time in HH:MM format:
$ date +"%H-%M"

How do I save time/date format to a variable?

Simply type command as follows at a shell prompt:
$ NOW=$(date +"%m-%d-%Y")
To display a variable use echo / printf command:
$ echo $NOW
Sample shell script:

#!/bin/bash
NOW=$(date +"%m-%d-%Y")
FILE="backup.$NOW.tar.gz"
# rest of script

Complete list of FORMAT control characters supported by date command

FORMAT controls the output.It can be the combination of any one of the following:

%%

a literal %

%a

locale’s abbreviated weekday name (e.g., Sun)

%A

locale’s full weekday name (e.g., Sunday)

%b

locale’s abbreviated month name (e.g., Jan)

%B

locale’s full month name (e.g., January)

%c

locale’s date and time (e.g., Thu Mar 3 23:05:25 2005)

%C

century; like %Y, except omit last two digits (e.g., 21)

%d

day of month (e.g, 01)

%D

date; same as %m/%d/%y

%e

day of month, space padded; same as %_d

%F

full date; same as %Y-%m-%d

%g

last two digits of year of ISO week number (see %G)

%G

year of ISO week number (see %V); normally useful only with %V

%h

same as %b

%H

hour (00..23)

%I

hour (01..12)

%j

day of year (001..366)

%k

hour ( 0..23)

%l

hour ( 1..12)

%m

month (01..12)

%M

minute (00..59)

%n

a newline

%N

nanoseconds (000000000..999999999)

%p

locale’s equivalent of either AM or PM; blank if not known

%P

like %p, but lower case

%r

locale’s 12-hour clock time (e.g., 11:11:04 PM)

%R

24-hour hour and minute; same as %H:%M

%s

seconds since 1970-01-01 00:00:00 UTC

%S

second (00..60)

%t

a tab

%T

time; same as %H:%M:%S

%u

day of week (1..7); 1 is Monday

%U

week number of year, with Sunday as first day of week (00..53)

%V

ISO week number, with Monday as first day of week (01..53)

%w

day of week (0..6); 0 is Sunday

%W

week number of year, with Monday as first day of week (00..53)

%x

locale’s date representation (e.g., 12/31/99)

%X

locale’s time representation (e.g., 23:13:48)

%y

last two digits of year (00..99)

%Y

year

%z

+hhmm numeric timezone (e.g., -0400)

%:z

+hh:mm numeric timezone (e.g., -04:00)

%::z

+hh:mm:ss numeric time zone (e.g., -04:00:00)

%:::z

numeric time zone with : to necessary precision (e.g., -04, +05:30)

%Z

alphabetic time zone abbreviation (e.g., EDT)

SOURCE

See also:

• Shell Scripting: Creating report/log file names with date in filename

This is a quick walk through on how to set up domain keys on Centos 5 using sendmail. It should also be very similar for Redhat or Fedora.

First, Squid server installed (use up2date squid) and configured by adding following directives to file:
# vi /etc/squid/squid.conf

Modify or add following squid directives:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan

Where,

• httpd_accel_host virtual: Squid as an httpd accelerator
• httpd_accel_port 80: 80 is port you want to act as a proxy
• httpd_accel_with_proxy on: Squid act as both a local httpd accelerator and as a proxy.
• httpd_accel_uses_host_header on: Header is turned on which is the hostname from the URL.
• acl lan src 192.168.1.1 192.168.2.0/24: Access control list, only allow LAN computers to use squid
• http_access allow localhost: Squid access to LAN and localhost ACL only
• http_access allow lan: — same as above –

Here is the complete listing of squid.conf for your reference (grep will remove all comments and sed will remove all empty lines, thanks to David Klein for quick hint ):
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

OR, try out sed (thanks to kotnik for small sed trick)
# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'

Output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid

Iptables configuration

Next, I had added following rules to forward all http requests (coming to port 80) to the Squid server port 3128 :
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Here is complete shell script. Script first configure Linux system as router and forwards all http request to port 3128 (Download the fw.proxy shell script):
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Save shell script. Execute script so that system will act as a router and forward the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on

Start or Restart the squid:
# /etc/init.d/squid restart
# chkconfig squid on

Desktop / Client computer configuration

Point all desktop clients to your eth1 IP address (192.168.2.1) as Router/Gateway (use DHCP to distribute this information). You do not have to setup up individual browsers to work with proxies.

How do I test my squid proxy is working correctly?

See access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log

Above command will monitor all incoming request and log them to /var/log/squid/access_log file. Now if somebody accessing a website through browser, squid will log information.

Problems and solutions

(a) Windows XP FTP Client

All Desktop client FTP session request ended with an error:
Illegal PORT command.

I had loaded the ip_nat_ftp kernel module. Just type the following command press Enter and voila!
# modprobe ip_nat_ftp

Please note that modprobe command is already added to a shell script (above).

(b) Port 443 redirection

I had block out all connection request from our router settings except for our proxy (192.168.1.1) server. So all ports including 443 (https/ssl) request denied. You cannot redirect port 443, from debian mailing list, “Long answer: SSL is specifically designed to prevent “man in the middle” attacks, and setting up squid in such a way would be the same as such a “man in the middle” attack. You might be able to successfully achive this, but not without breaking the encryption and certification that is the point behind SSL“.

Therefore, I had quickly reopen port 443 (router firewall) for all my LAN computers and problem was solved.

(c) Squid Proxy authentication in a transparent mode

You cannot use Squid authentication with a transparently intercepting proxy.

Further reading:

• How do I use Iptables connection tracking feature?
• How do I build a Simple Linux Firewall for DSL/Dial-up connection?
• Update: Forum topic discussion: Setting up a transparent proxy with Squid peering to ISP squid server
• Squid, a user’s guide
• Squid FAQ
• Transparent Proxy with Linux and Squid mini-HOWTO

Source

If you would like to have a set of web pages that are protected, requiring a username/password to gain access, this tutorial will show you how to set it up. This is geared towards the Unix Apache httpd servers used on holly, lamar, and www.colostate.edu. If you are using another web server, you’ll need to check that server’s documentation to see how to do this.

Steps to Password-protect a Directory

First, create a subdirectory in your web area. For the sake of this tutorial, I have created the “protect” directory. Set the permissions on the directory so that the server has read/execute. I do this by using the local command chgrp-www to set the group to the www group. This is the group that the server runs under at Colorado State University for the lamar, holly and www servers. I have used the -sd flag which sets “set group id” for a directory. This will then force any files you create within the protect directory to the www group, so if you ftp files to this directory they will be automatically readable by the server but not by any other user on the system. I then cd into the protect directory.

cd ~ric/public_html
mkdir protect
chmod g+r,g+x,o-r,o-x protect
chgrp-www -sd protect
cd protect

Next you must create a .htaccess file inside the directory you want protected. You can use either the vi or pico editors on the supported systems mentioned above or ftp the file to this directory. If you are new to unix or know little about vi then I suggest you use the pico editor or ftp the .htaccess file. The command to edit with pico is “pico .htaccess”. The .htaccess file should contain the following lines. The items in bold are things you will want to change depending on the location of the AuthUserFile and content of AuthName.

AuthUserFile /z/ric/secret/.htpasswd
AuthGroupFile /dev/null
AuthName "Ric's protected files"
AuthType Basic

<Limit GET>
require valid-user
</Limit>

The AuthName is what the user will see when they’re prompted for a password – something to the effect of “Enter the username for Ric’s Protected files”. The AuthUserFile is location of the password file and should be not accessible with a url on the server for security reasons. This is a full unix path and the permissions should be set up like the “protect” directory using the chmod and chgrp-www commands above so the only one that can read this file is the owner and the server. To get the full path of a directory, cd to that directory and enter the command “pwd” to print the working directory path.

Now you’ll have to set up the password file. You’ll need to use the htpasswd program. It is included with the Apache httpd server.

First cd to the directory that contains the password file. In this example the password file is called .htpasswd and is in the directory /z/ric/secret/ as indicated by the AuthUserFile file entry in the .htaccess file. For every username you want to add to the password file, enter the following. (the -c is only required the first time; it indicates that you want to create the .htpasswd file).

$~ cd
$~ mkdir secret
$~ cd secret
$~ htpasswd -c .htpasswd pumpkin

[ you're prompted for the password for pumpkin]
[ if you have other users enter the following. Don't use the -c]

$~ htpasswd .htpasswd user2
$~ htpasswd .htpasswd user3

Again, make sure the permissions are set up like the “protect” directory using the chmod and chgrp-www commands above so the only one that can read files in the “secret” directory is the owner and the server.

Here is the protected page using the above setup to password protect this page. The username is “pumpkin” and password is “pie”.

[source]

If you’re going to be doing a lot of Geotargeting or IP Address Lookups, please take a feed instead which will preserve both our bandwidth and your bandwidth.

Simple GET

That said, there is an easy HTTP oriented API to locate IP addresses and Geocode them. If you don’t supply the “?ip=aa.bb.cc.dd” bit, then the ip address lookup of the calling machine will be located instead (here, the aa,bb,cc,dd are decimal digits). If you add &position=true to the end of the URL then latitude and longitude will be returned also. Both HTML and XML formats are supplied for your convenience.

http://api.hostip.info/country.php
US

http://api.hostip.info/get_html.php?ip=12.215.42.19
Country: UNITED STATES (US)
City: Sugar Grove, IL

http://api.hostip.info/get_html.php?ip=12.215.42.19&position=true
Country: UNITED STATES (US)
City: Sugar Grove, IL
Latitude: 41.7696
Longitude: -88.4588

http://api.hostip.info/?ip=12.215.42.19
[use the URL above for an example - XML too long to paste below]

Country Flag

Paste the following code into your HTML to get a country flag of the ip address. The database is significantly more accurate (it ought to be 100%) for countries than for cities. It would be nice if y’all would make the flag a link to the www.hostip.info home page (http://www.hostip.info/) so they can come by if they’re interested – it’ll only benefit you in the long run. After all, the results get more accurate as more visitors submit their IP addresses!
Flag of visitor’s location:

<A HREF=”http://www.hostip.info”>
<IMG SRC=”http://api.hostip.info/flag.php” BORDER=”0″ ALT=”IP Address Lookup”>
</A>

Flag of any IP address:

<A HREF=”http://www.hostip.info”>
<IMG SRC=”http://api.hostip.info/flag.php?ip=12.215.42.19″ ALT=”IP Address Lookup”>
</A>

Embedded Applet

The following is designed to be embedded within another HTML page using the OBJECT tag. This will reproduce the zoom-in applet, (or an explanatory message with a link to fix, if the IP address lookup is unknown). Which means you can embed the applet in your own site without needing to have the local database and map data (which runs to a few gigabytes…)

All you need do is include the OBJECT block below in your HTML. Note, you can also add “?ip=aaa.bbb.ccc.ddd” to the frame.html url below to map a specific IP address.

<OBJECT DATA='http://www.hostip.info/map/frame.html'

  TYPE='text/html' BORDER=0

  WIDTH=610 HEIGHT=330 HSPACE=0 VSPACE=0>

</OBJECT>

*NIX Shell Script

You can use the following shell script to call in your favorite *NIX environment.

#!/bin/bash
lynx -dump “http://api.hostip.info/get_html.php?ip=$1″

By default, Apache comes preconfigured to serve a maximum of 256 clients simultaneously. This particular configuration setting can be found in the file /etc/httpd/conf/httpd.conf

If your server has 2 GB of RAM, and you’re sharing your server with MySQL(true in my case), you’ll want to reserve about half of it for Apache (1 GB)

MaxClients: here is the process of determining MaxClients. type

ps -U apache -u apache u

See the number of apache process running in you command prompt.

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
apache 7694 0.0 0.3 42704 6680 ? S 18:30 0:00 /usr/sbin/httpd

The above indicates that a single httpd process is using 6.6 MB of RSS (Resident Set Size) memory (or non-swapped physical memory) and that it is using 42 MB of VSZ (Virtual Size) memory. This depends on the number of modules you have loaded and running in Apache.

As shared libraries are included in this number, it’s not 100 percent accurate. We can assume that half the RSS number is “real” memory. Let’s assume that each httpd process is using (6.6/2=3.3) 4 MB of memory. So if you have 1 GB ram then divide it with 4 MB of memory, which leaves room for around 256 concurrent httpd processes.

Set MaxClients 256

Or

Somebody prefers to set MaxClients using following rule

MaxClients = 150 x RAM (GB)

So for example if you have 2 GB RAM (dedicated for apache) set this value to 300. In my case IT WILL BE 150

Or

Some individuals maintain that each httpd thread uses about 5 MB of “real” memory. So they determine by the following way..

Or

MaxClients = RAM(MB)/5

So for example if you have 2 GB RAM (dedicated for apache) set this value to 409. In my case IT WILL BE 204(1 GB for apache)

Note: There is no reason for you to set it any higher unless you have a specific problem with this value. A high value can lead to a complete server hang in case of a DOS attack. A value too low can create timeout problems for your clients if the limit is reached

StartServers – Sets the number of child server processes created on startup. This setting depends greatly on the type of webserver you run. If you run low traffic websites on that server set it low to something like 5. If you have resource intensive websites on that server you should set it close to MaxClients.

MaxRequestsPerChild – Controls the number of request the a child serves before the child is killed. This should not be set too low as it will put an unnecessary load on the apache server to recreate the child. I suggest setting it to 1000.

But we are going to use 2000 for handling heavy traffic load properly.

MinSpareServers and MaxSpareServers – MaxSpareServers and MinSpareServers control how many spare (unused) child-processes Apache will keep alive while waiting for more requests to put them to use. Each child-process consumes resources, so having MaxSpareServers set too high can cause resource problems. On the other hand, if the number of unused servers drops below MinSpareServers, Apache will fork. Leave those values to: MinSpareServers 5 MaxSpareServers 10

ServerLimit: Its better to keep Server limit same as the value of MaxClients.

MaxRequestsPerChild: I’ve Kept default apache value for this one.

So few changes need to be made in httpd.conf file which is located in /etc/httpd/conf/ directory

<IfModule prefork.c>
StartServers     140
MinSpareServers    5
MaxSpareServers   10
ServerLimit      150
MaxClients       150
MaxRequestsPerChild  4000
</IfModule>

[Note]: Response time depends on MaxClients. If you increase the MaxClients number, server will response more quickly for each request but  a high value can lead to a complete server hang.

Ab is a tool for benchmarking the performance of your Apache HyperText Transfer Protocol (HTTP) server. It does this by giving you an indication of how many requests per second your Apache installation can serve.

uptime command in your root login should not yield a load average above 1, and the server should respond to commands quickly

ab -n 10000 -c 200 -k http://your_url
-c = concurrent connections
-t = time limit
-n = # of requests

Keep tuning until you hit your maximum desired load average. For servers used interactively often, having a load above 3 is way too much to use the server comfortably. For servers used mostly as real servers, a maximum load average of 10 should be acceptable. More than that, and you’ll find yourself needing to reboot the server when experiencing heavy traffic conditions, because no terminal or remote console will respond quickly to commands, and managing the server will be impossible.

How to configure few things in php.ini file for supporting huge traffic

* Enable the compression of HTML by putting in your php.ini:

output_handler = ob_gzhandler

** Switch from file based sessions to shared memory sessions. Compile PHP with the –with-mm option and

set session.save_handler=mm

Configure mysql. Change my.cnf file for better performance.

The database parameters are tuned for systems with 1 GB RAM (for ISO CD images). If you have higher RAM, please change the following in the “my.cnf” MySQL configuration file under /etc/mysql or /etc directory.

For a machine running with 512 MB of RAM, you can set these to:

key_buffer=128M table_cache=1024 sort_buffer=64M read_buffer=2M record_buffer=4M

For a machine running with 1 GB of RAM, you can set these to:

key_buffer=256M table_cache=2048 sort_buffer=128M read_buffer=2M record_buffer=8M

For a machine running with 2 GB of RAM, you can set these to:

key_buffer=512M table_cache=3072 sort_buffer=256M read_buffer=2M record_buffer=8M

For a machine running with 4 GB of RAM, you can set these to:

key_buffer=1G table_cache=4096 sort_buffer=512M read_buffer=2M record_buffer=8M

Original Post

To search in the current directory and all sub directories for a file named httpd.conf

find . -name “httpd.conf” -print

To find some string or text, type

find . -exec grep “MaxClients” ‘{}’ \; -print

This command will search in the current directory and all sub directories. All files that contain the string with the path.

If you want to just find each file then pass it on for processing use the -q grep option. This finds the first occurrance of the search string. It then signals success to find and find continues searching for more files.

find . -exec grep -q “www.athabasca” ‘{}’ \; -print

Send 1000 Request to apache using apache benchmark

ab -n 1000 -c 200 -k YOUR_URL

To view error log of httpd. type

grep -i maxclient /var/log/httpd/error_log*

To view Process status type and load average type top and uptime respectively.

To open a file and search something(Here Example is: MaxClients) from there type

vi +/MaxClients /etc/httpd/conf/httpd.conf

To view total memory used by httpd, type

ps -ylC httpd –sort:rss

Original Post

Easy part, just create like below .htaccess file on your web folder :

AuthName “My Protected Site”
AuthUserFile /home/apache/.htpasswd
AuthType basic
Require valid-user
Order Deny,Allow
Deny from all
Allow from 192.168.1. 192.168.2.
Satisfy Any

Good luck!

We have 2 ways, to get this done. You just need to choose, which way is suitable for you

Long Way:

1. Log in to your Account Manager.

2. Visit: https://certs.godaddy.com/ManageProducts.do

3. On “Manage SSL Certificates”, click on your domain name.

4. Click on “SITE SEAL” tab to manage your site seal

5. Choose “Site Seal Image Size”

6. Click on Submit button.

7. On the right side box, copy-paste the javascript provided, into your sidebar website.

8. Done.

Easy way:

1. Log in to your Account Manager.

2. Visit Manage Site Seal page: https://certs.godaddy.com/ManageSiteSeal.do

3. Choose “Site Seal Image Size”

4. Click on Submit button.

5. On the right side box, copy-paste the javascript provided, into your sidebar website.

6. Done.

This information is ONLY relevant to PHP4 and Apache 1.3. (BUT possible can be work also in PHP 5.x and Apache 2.x ) We historically used PHP for all our web work. We have decided to migrate to ruby for lots of reasons for all our new web development but we still have lots of PHP stuff hanging around.

Background

We regularly mix PHP and SSIs for the following reasons:

• Laziness – we have a lot of historic SSI stuff lying around and do not want to change it. We prefer evolution to revolution.
• Appropriateness. Not all systems are good at everything. We find that conditionally selecting ‘lumps’ of code to deliver browser specific pages (see server side browser sniffing) is a lot cleaner and easier with SSI. That does not take away from either technology.

Nesting PHP and SSI

The rules go like this (PHP4 and Apache 1.3 – we understand that Apache 2 is more flexible but have not yet made the transition):

1. You can invoke SSI files from within PHP but must use the PHP virtual() function not include(). Variables set within PHP are NOT available to SSI so our favorite ‘wheeze’ of supplying last modified dates to a standard footer do not work.
2. You can include SSI files using the include virtual SSI directive but the SSI filename must have a .shtml extension even if the XBitHack is being used.
3. You cannot include PHP files using the include virtual SSI directive.
4. Variables set within the General Apache section (we use this technique for server side bowser sniffing) are available to both .php and .shtml files no matter how they are called.

Note: We would guess that the Apache environment for each type of file (.php and .shtml) is initialised to the same state as when the page is first called, whereas a nested .php files uses the same php environment and therefore reflects any dynamic changes.

Examples

The following is our standard level 1 template implemented in SSI first and then PHP.

SSI Version

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html">
<meta name="GENERATOR" content="company">
<!--#include virtual="/templates/meta.html" -->
<title>Level 1 template</title>
<!-- conditionally generated style sheet -->
<!--#include virtual="/templates/styles.shtml" -->
<!-- conditionally generated javascript code -->
<!--#include virtual="/scripts/javascript.shtml" -->
</head>
<body>
<!-- banner/page headings -->
<!--#include virtual="/templates/level_1.shtml" -->
<div class="page-content">

<!-- unique page contents go here -->

</div>
<!--#config timefmt="%B %d %Y" -->
<!--#set var="real_date" value="$LAST_MODIFIED" -->
<!--#include virtual="/templates/footer.shtml" -->
</body>
</html>

PHP Version

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="company">
<meta name="keywords" content="blah, blah">
<title>Cool Tools</title>
<?php
<!-- conditionally generated style sheet -->
  virtual ("/templates/styles.shtml");
<!-- conditionally generated javascript code -->
  virtual ("/scripts/javascript.shtml");
?>
</head>
<body>
<?php
<!-- banner/page headings -->
  virtual ("/templates/level_1.shtml");
?>
<div class="page-content">

<!-- unique page contents go here -->

</div>
<?php
  $real_date = date("F d, Y.", getlastmod());
  include ("../templates/footer.php");
?>
</body>
</html>

Notes:

1. You will notice that the styles, javascript and standard page navigation header use the PHP virtual() function because they contain SSI directives but the files are otherwise unchanged.
2. Our SSI ‘last modified’ date ‘wheeze’ for the footer does not work in a mixed PHP/SSI environment (because you cannot pass variables between PHP and SSI). Instead we have to create a “footer.php” file and set the variable ‘real_date’ using the PHP date() and getlastmod() functions. This file is invoked with the include() function because it is a standard PHP file. In ‘footer.php’ we just use ‘echo $real_date’ to place our last modified date in the output stream. Yes its simpler in PHP but now we have to maintain two versions of our standard footer.

Original

Question:

I am having troubles with serverpronto bots attacking my site in droves.

How would I block this range of ip address in .htaccess using deny:

69.60.114.0 – 69.60.125.255

for example, to block one ip I would have:
Deny from 64.251.14.99

But how would I block the whole range given?

Thank you in advance
jdMorgan

Answer:

Denying 69.60.114.0 – 69.60.125.255

Any of the following:

Deny from 64.251.114
Deny from 64.251.115
Deny from 64.251.116
Deny from 64.251.117
Deny from 64.251.118
Deny from 64.251.119
Deny from 64.251.120
Deny from 64.251.121
Deny from 64.251.122
Deny from 64.251.123
Deny from 64.251.124
Deny from 64.251.125

-or-

# Deny 69.60.114.0 – 69.60.115.255 (512 addresses)
Deny from 69.60.114.0/23
# Deny 69.60.116.0 – 69.60.119.255 (1024 addresses)
Deny from 69.60.116.0/22
# Deny 69.60.120.0 – 69.60.123.255 (1024 addresses)
Deny From 69.60.120.0/22
# Deny 69.60.124.0 – 69.60.125.255 (512 addresses)
Deny from 69.60.124.0/23

-or-

# Deny 69.60.114.0 – 69.60.115.255 (512 addresses)
Deny from 69.60.114.0/255.255.254.0
# Deny 69.60.116.0 – 69.60.119.255 (1024 addresses)
Deny from 69.60.116.0/255.255.252.0
# Deny 69.60.120.0 – 69.60.123.255 (1024 addresses)
Deny From 69.60.120.0/255.255.252.0
# Deny 69.60.124.0 – 69.60.125.255 (512 addresses)
Deny from 69.60.124.0/255.255.254.0

-or-

Setenvif Remote-Addr “^69\.60\.1(1[4-9]¦2[0-5])\.” getout
Deny from getout

How to set PHP error notice hidden in httpd.conf (vhost):

<VirtualHost *:80>
  ...
  php_flag display_startup_errors off
  php_flag display_errors off
  php_flag html_errors off
  ...
</VirtualHost>

How to set individual php.ini in httpd.conf (vhost):

<VirtualHost *:80>
  ...
  PHPIniDir '/path/to/php/conf/php-foo.ini'
  ...
</VirtualHost>

How to set individual PHPError.log in httpd.conf (vhost):

<VirtualHost *:80>
  ...
  php_flag  log_errors on
  php_value error_log  /path/to/site/PHPerror.log
  ...
</VirtualHost>

Complete Information

How to Install FFmpeg in Linux ~The Easy Way~

Original Post

FFmpeg is so important if you are planning to run a video website with streaming with conversion of video files to different video formats. This tutorial is intended for Centos/Redhat versions of Linux where any novice user can install ffmpeg without compiling the source which is a more traditional way of installing the FFmpeg software on linux servers. In this tutorial i will show you the easy way to install ffmpeg and ffmpeg-php (php extension) with just yum rather than compiling ffmpeg from source files.

FFmpeg (http://ffmpeg.mplayerhq.hu)
Mplayer + Mencoder (http://www.mplayerhq.hu/design7/dload.html)
Flv2tool (http://inlet-media.de/flvtool2)
Libogg + Libvorbis (http://www.xiph.org/downloads)
LAME MP3 Encoder (http://lame.sourceforge.net)
FlowPlayer – A Free Flash Video Player – http://flowplayer.org/

Installing FFMpeg

yum install ffmpeg ffmpeg-devel

If you get package not found, then you will need to add few lines in the yum repository for dag packages installation. Create a file named dag.repo in /etc/yum.repos.d with the following contents on it

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1

then

yum install ffmpeg ffmpeg-devel

If everything is fine, then the installation should proceed smoothly. If not you will get something like warning GPG public key missing .

Common Errors

To fix rpmforge GPG key warning:

rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

For more information refer to this faq depending on Centos version

Missing Dependency Error:

If you get missing dependency error like shown below, in the middle of ffmpeg installation

Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package ffmpeg
Error: Missing Dependency: libtheora.so.0(libtheora.so.1.0) is needed by package ffmpeg
Error: Missing Dependency: rtld(GNU_HASH) is needed by package ffmpeg
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package imlib2
Error: Missing Dependency: rtld(GNU_HASH) is needed by package a52dec
Error: Missing Dependency: rtld(GNU_HASH) is needed by package imlib2
Error: Missing Dependency: rtld(GNU_HASH) is needed by package gsm
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package x264
Error: Missing Dependency: rtld(GNU_HASH) is needed by package xvidcore
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package lame
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package a52dec
Error: Missing Dependency: rtld(GNU_HASH) is needed by package faad2
Error: Missing Dependency: rtld(GNU_HASH) is needed by package x264
Error: Missing Dependency: rtld(GNU_HASH) is needed by package lame
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package xvidcore
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package faac
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package faad2
Error: Missing Dependency: libgif.so.4 is needed by package imlib2
Error: Missing Dependency: rtld(GNU_HASH) is needed by package faac
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package gsm
Error: Missing Dependency: libpng12.so.0(PNG12_0) is needed by package imlib2
Error: Missing Dependency: rtld(GNU_HASH) is needed by package libmp4v2
Error: Missing Dependency: libc.so.6(GLIBC_2.4) is needed by package libmp4v2

then most commonly you have GLIB 2.3 installed instead of GLIB 2.4 version. To check the current GLIB version installed on your server. just use:

yum list glib*

and it should list the latest GLIB package version.

The reason i was getting this error was my rpmforge packages was pointed to centos 5 versions instead of centos 4.6.

To fix dependency error:

To fix this error, you might need to check your rpmforge packages compatible to the release of your existing CentOS version.
Check the file /etc/yum.repos.d/rpmforge.repo and it should look like for Centos 4.6(Final). If you have lines like http://apt.sw.be/redhat/el5/en/mirrors-rpmforge you might need to make changes to the rpmforge.repos like shown below

Note: Backup the original rpmforge.repo file before you edit its content.

[rpmforge]
name = Red Hat Enterprise $releasever – RPMforge.net – dag
#baseurl = http://apt.sw.be/redhat/el4/en/$basearch/dag
mirrorlist = http://apt.sw.be/redhat/el4/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1

To know what linux type and version you are running

cat /etc/redhat-release

Once this is done, do again:  yum install ffmpeg.

This trick resolved the problem in my linux box running Centos 4.6 and this is the only way i found to install ffmpeg using yum.

To check the FFmpeg working:

Finally, check the ffmpeg whether it is working or not.

> ffmpeg
> ffmpeg -formats
> ffmpeg –help
// This lists path of mpeg, its modules and other path information

ffmpeg -i Input.file Output.file

To check what audi/video formats are supported

ffmpeg -formats > ffmpeg-format.txt

Open the ffmpeg-formats.txt to see the ooutput

D means decode
E means encode
V means video
A means audio
T = Truncated

Install FFMPEG-PHP Extension

FFmpeg-php is a very good extension and wrapper for PHP which can pull useful information about video through API interface. Inorder to install it you will need to download the source file and then compile and install extension in your server. You can download the source tarball : http://ffmpeg-php.sourceforge.net/

wget /path/to/this/file/ffmpeg-php-0.5.2.1.tbz2

tar -xjf ffmpeg-0.5.2.1.tbz2

phpize

./configure
make
make install

Common Errors

1. If you get command not found error for phpize, then you will need to do yum install php-devel

2. If you get error like “ffmpeg headers not found” while configuring the source.

configure: error: ffmpeg headers not found. Make sure ffmpeg is compiled as shared libraries using the –enable-shared option

then it means you have not installed ffmpeg-devel packages.

To Fix: Just install ffmpeg-devel using

yum install ffmpeg-devel

3. If you get an error like shared libraries not found problem and the program halts in the middle, then you must specify the ffmpeg installed path explicitly to the ./configure.

configure: error: ffmpeg shared libraries not found. Make sure ffmpeg is compiled as shared libraries using the –enable-shared option

To Fix:

1. First find out the ffmpeg path with ffmpeg –help command. The prefix default path should be like /usr/local/cpffmpeg
2. Configure the FFmpeg-php with –with-ffmpeg option

./configure –with-ffmpeg=/usr/local/cpffmpeg

That should resolve the problem!

Editing PHP.INI

Once you have done that without any problems then you will see the php extension file /usr/local/lib/php/extensions/no-debug-non-zts-20060613/ffmpeg.so and you will need mention that extension in php.ini file

nano /usr/local/lib/php.ini

Put the below two lines at the end of the php.ini file

[ffmpeg]
extension=ffmpeg.so

Then restart the server service httpd restart

To check whether ffmpeg enabled with php, point your browser to test.php file. It should show the confirmation of installed ffmpeg php extension

// #test.php

<?php

phpinfo()

?>

If any case the ffmpeg does not show in the phpinfo() test make sure that php.ini path to ffmpeg.so is correct. Still the problem occurs, the reason could be you might be using older versions of ffmpeg-php which is buggy. Just download the latest version of ffmpeg-php source then compile it.

Installing Mplayer + Mencoder

Just issue the following yum commands to install the rest of the packages.

yum install mplayer mencoder

Installing FlvTool2

Flvtool2 is a flash video file manipulation tool. It can calculate metadata and can cut and edit cue points for flv files.

If you are on Centos 5 try yum install flvtool2 with dag repository and if you get package not found you will need to manually download and compile the flvtool2. You can download latest version of flvtool2 here: http://rubyforge.org/projects/flvtool2/

wget <url-link>

ruby setup.rb config
ruby setup.rb setup
sudo ruby setup.rb install

If you get command not found error, it probably means that you dont have ruby installed.

yum install ruby

Thats it! Once ffmpeg works fine with php extension, download a sample video, convert to .flv format in the command line and plug it to flowplayer to see it work on your web browser. Try also to download the video file offline and see whether the converted flv file works well with both audio and video.

Useful Links

• FFmpeg (http://ffmpeg.mplayerhq.hu)
• Mplayer + Mencoder (http://www.mplayerhq.hu/design7/dload.html)
• Flv2tool (http://inlet-media.de/flvtool2)
• Libogg + Libvorbis (http://www.xiph.org/downloads)
• LAME MP3 Encoder (http://lame.sourceforge.net)
• FlowPlayer – A Free Flash Video Player – http://flowplayer.org/
• Install FFmpeg from Compiling Source (Tutorial Link)
• Nice FFmpeg Installation Tutorial (click here)
• Important Audio Codecs (http://www.mplayerhq.hu/DOCS/HTML/en/audio-codecs.html)
• Common Errors & Fixes while Installing FFmpeg (click here)

/usr/bin/ld: cannot find -lltdl
collect2: ld returned 1 exit status

What you need to do, is just follow the below steps.

1. Verify that the libtool and libtool-ltdl packages are installed.
2. Symlink libltdl.so to libltdl.so.x.x.x

If libtool and libtool-ltdl already exist, you may go to Step Two.
Step One

[root@banzaibill ~]# yum install libtool-ltdl libtool

Now you have libtool installed. To check it out, do:

[root@banzaibill ~]# yum info libtool*

Step Two

PHP looks for the libltdl library only at /usr/lib/libltdl.so

The symlink to this file is not included in the libtool packages. Do below commands:

[root@banzaibill ~]# cd /usr/lib
[root@banzaibill lib]# ln -s libltdl.so.3.1.4 libltdl.so

And that’s it. PHP should configure and compile without error.

I found good examples for this.

- Quick HOWTO (from LinuxHomeNetworking.com) – download

- Sample IPTABLES Configuration (RedHat/CentOS) – download

I declare from the beginning that I am no authority on digital certificates.

This document is a summary of all the articles I have read about openssl. It describes in short how to become your own Certificate Authority (CA) and how to create and sign your own certificate requests. Make no mistake, these certificates are good only for personal use or for use in your intranet in order to provide a secure way to login or communicate with your services, so that passwords or other data is not transmitted in the clear. Noone else will or should trust these certificates.

Prerequisites

The package openssl should be installed in the machine you will use to manage your certificates or create the certificate requests.

First things first…

The openssl package comes with some scripts that can help you create your server certificates fast, but here I will describe how to set things up from scratch in a new directory, so that you can customize things later if you like or delete everything without touching openssl’s or the system’s default files. This article is based on a Fedora installation, but will do for all distributions.

Creating the necessary directories

First of all we will create a directory tree where all certificate stuff will be kept. Fedora’s default directory is /etc/pki/tls/. So, as root, we create our own directories:

# mkdir -m 0755 /etc/pki_jungle

And then we create our CA’s directory tree:

# mkdir -m 0755 \
     /etc/pki_jungle/myCA \
     /etc/pki_jungle/myCA/private \
     /etc/pki_jungle/myCA/certs \
     /etc/pki_jungle/myCA/newcerts \
     /etc/pki_jungle/myCA/crl

• myCA is our Certificate Authority’s directory.
• myCA/certs directory is where our server certificates will be placed.
• myCA/newcerts directory is where openssl puts the created certificates in PEM (unencrypted) format and in the form cert_serial_number.pem (eg 07.pem). Openssl needs this directory, so we create it.
• myCA/crl is where our certificate revokation list is placed.
• myCA/private is the directory where our private keys are placed. Be sure that you set restrictive permissions to all your private keys so that they can be read only by root, or the user with whose priviledges a server runs. If anyone steals your private keys, then things get really bad.

Initial openssl configuration

We are going to copy the default openssl configuration file (openssl.cnf) to our CA’s directory. In Fedora, this file exists in /etc/pki/tls. So, we copy it to our CA’s dir and name it openssl.my.cnf. As root:

# cp /etc/pki/tls/openssl.cnf /etc/pki_jungle/myCA/openssl.my.cnf

This file does not need to be world readable, so we change its attributes:

# chmod 0600 /etc/pki_jungle/myCA/openssl.my.cnf

We also need to create two other files. This file serves as a database for openssl:

# touch /etc/pki_jungle/myCA/index.txt

The following file contains the next certificate’s serial number. Since we have not created any certificates yet, we set it to “01“:

# echo '01' > /etc/pki_jungle/myCA/serial

Things to remember

Here is a small legend with file extensions we will use for the created files and their meaning. All files that will be created will have one of these extensions:

• KEY – Private key (Restrictive permissions should be set on this)
• CSR – Certificate Request (This will be signed by our CA in order to create the server certificates. Afterwards it is not needed and can be deleted)
• CRT – Certificate (This can be publicly distributed)
• PEM – We will use this extension for files that contain both the Key and the server Certificate (Some servers need this). Permissions should be restrictive on these files.
• CRL – Certificate Revokation List (This can be publicly distributed)

Create the CA Certificate and Key

Now, that all initial configuration is done, we may create a self-signed certificate, that will be used as our CA’s certificate. In other words, we will use this to sign other certificate requests.

Change to our CA’s directory. This is where we should issue all the openssl commands because here is our openssl’s configuration file (openssl.my.cnf). As root:

# cd /etc/pki_jungle/myCA/

And then create your CA’s Certificate and Private Key. As root:

# openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825

This creates a self-signed certificate with the default CA extensions which is valid for 5 years. You will be prompted for a passphrase for your CA’s private key. Be sure that you set a strong passphrase. Then you will need to provide some info about your CA. Fill in whatever you like. Here is an example:

Country Name (2 letter code) [GB]:GR
State or Province Name (full name) [Berkshire]:Greece
Locality Name (eg, city) [Newbury]:Thessaloniki
Organization Name (eg, company) [My Company Ltd]:My Network
Organizational Unit Name (eg, section) []:My Certificate Authority
Common Name (eg, your name or your server's hostname) []:server.example.com
Email Address []:whatever@server.example.com

Two files are created:

• certs/myca.crt – This is your CA’s certificate and can be publicly available and of course world readable.
• private/myca.key – This is your CA’s private key. Although it is protected with a passphrase you should restrict access to it, so that only root can read it:

  # chmod 0400 /etc/pki_jungle/myCA/private/myca.key

More openssl configuration (mandatory)

Because we use a custom directory for our certificates’ management, some modifications to /etc/pki_jungle/myCA/openssl.my.cnf are necessary. Open it in your favourite text editor as root and find the following part (around line 35):

[ CA_default ]

dir     = ../../CA      # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
#unique_subject = no            # Set to 'no' to allow creation of
                    # several ctificates with same subject.
new_certs_dir   = $dir/newcerts     # default place for new certs.

certificate = $dir/cacert.pem   # The CA certificate
serial      = $dir/serial       # The current serial number
#crlnumber  = $dir/crlnumber    # the current crl number must be
                    # commented out to leave a V1 CRL
crl     = $dir/crl.pem      # The current CRL
private_key = $dir/private/cakey.pem    # The private key
RANDFILE    = $dir/private/.rand    # private random number file

x509_extensions = usr_cert      # The extentions to add to the cert

You should modify the following settings in order to coform to our custom directory and our custom CA key and certificate:

[ CA_default ]

dir     = .                # <--CHANGE THIS
certs       = $dir/certs
crl_dir     = $dir/crl
database    = $dir/index.txt
#unique_subject = no

new_certs_dir   = $dir/newcerts

certificate = $dir/certs/myca.crt   # <--CHANGE THIS
serial      = $dir/serial
#crlnumber  = $dir/crlnumber

crl     = $dir/crl.pem
private_key = $dir/private/myca.key    # <--CHANGE THIS
RANDFILE    = $dir/private/.rand

x509_extensions = usr_cert

Create a Server certificate

Further openssl.my.cnf file’s customization is possible, so that we define our policy for certificate creation and signing or define our desired extensions for the new certificates. I may add this info to a future version of this document. It’s easy though, just try to familiarize yourself with the openssl.cnf’s structure and you’ll figure it out.

Anyway, the certificates we are going to create, without customizing openssl.my.cnf any further, are general purpose certificates and their usage in not restricted to server authentication only. One thing that you should take a note of is that the private keys will not be protected by a passphrase, so that when the services are restarted they do not ask for a passphrase. This means that you should set restrictive permissions on the private keys, so that only root or the user under whose priviledges a server runs can read these files.

Generate a Certificate Request

First, we change to our CA’s directory:

# cd /etc/pki_jungle/myCA/

Then we create the certificate request:

# openssl req -config openssl.my.cnf -new -nodes -keyout private/server.key -out server.csr -days 365

The -nodes option is needed so that the private key is not protected with a passphrase. If you do not intend to use the certificate for server authentication, you should not include it in the above command.
You can customize the number of days you want this certificate to be valid for.

You will be prompted for the certificate’s info. Here is an example:

Country Name (2 letter code) [GB]:GR
State or Province Name (full name) [Berkshire]:Greece
Locality Name (eg, city) [Newbury]:Thessaloniki
Organization Name (eg, company) [My Company Ltd]:My Network
Organizational Unit Name (eg, section) []:My Web Server
Common Name (eg, your name or your server's hostname) []:www.server.example.com
Email Address []:whatever@server.example.com

The Common Name (CN) is the info that uniquely distinguishes your service, so be sure that you type it correctly.

When prompted for some extra attributes (challenge password, optional company name) just hit the [Enter] key.
Two files are created:

• server.csr – this is the certificate request.
• private/server.key – this is the private key, which is not protected with a passphrase.

Set restrictive permissions on the private key. Only root or the user that is used to run the server should be able to read it. For example:

# chown root.root /etc/pki_jungle/myCA/private/server.key
# chmod 0400 /etc/pki_jungle/myCA/private/server.key

Or:

# chown root.apache /etc/pki_jungle/myCA/private/server.key
# chmod 0440 /etc/pki_jungle/myCA/private/server.key

Sign the Certificate Request

Now we are going to sign the certificate request and generate the server’s certificate.

First, we change to our CA’s directory:

# cd /etc/pki_jungle/myCA/

Then we sign the certificate request:

# openssl ca -config openssl.my.cnf -policy policy_anything -out certs/server.crt -infiles server.csr

You will need to supply the CA’s private key in order to sign the request. You can check the openssl.my.cnf file about what policy_anything means. In short, the fields about the Country, State or City is not required to match those of your CA’s certificate.

After all this is done two new files are created:

• certs/server.crt – this is the server’s certificate, which can be made available publicly.
• newcerts/01.pem – This is exactly the same certificate, but with the certificate’s serial number as a filename. It is not needed.

You can now delete the certificate request (server.csr). It’s no longer needed:

# rm -f /etc/pki_jungle/myCA/server.csr

Verify the certificate

You can see the certificate’s info with the following:

# openssl x509 -subject -issuer -enddate -noout -in /etc/pki_jungle/myCA/certs/server.crt

Or the following:

# openssl x509 -in certs/server.crt -noout -text

And verify that the certificate is valid for server authentication with the following:

# openssl verify -purpose sslserver -CAfile /etc/pki_jungle/myCA/certs/myca.crt /etc/pki_jungle/myCA/certs/server.crt

Server certificate and key in one file

Some servers, for example vsftpd, require that both the private key and the certificate exist in the same file. In a situation like that just do the following:

# cat certs/server.crt private/server.key > private/server-key-cert.pem

You should restrict access to the final file and delete server.crt and server.key since thay are no longer needed.

# chown root.root private/server-key-cert.pem
# chmod 0400 private/server-key-cert.pem
# rm -f certs/server.crt
# rm -f private/server.key

Revoke a Server Certificate

If you do not want a certificate to be valid any more, you have to revoke it. This is done with the command:

# openssl ca -config openssl.my.cnf -revoke certs/server.crt

Then you should generate a new CRL (Certificate Revokation List):

# openssl ca -config openssl.my.cnf -gencrl -out crl/myca.crl

The CRL file is crl/myca.crl.

Distribute your certificates and CRL

Your CA’s certificate and your servers’ certificates should be distributed to those who trust you so they can import them in their client software (web browsers, ftp clients, email clients etc). The CRL should also be published.

There are often problems with sendmail once it has been installed due to the tightening up of sendmail to stop spammers

Sendmail-8.11.6-15 Connection refused

Sendmail & tcp wrapper rejection

Cannot relay from valid ip address (Outlook)

1) Sendmail-8.11.6-15 Connection refused

Cannot telnet to port 25, then Sendmail has not been corretly set up. This is a problem with RedHat 7.3 or more where Sendmail by default is set to only send from the localhost, you could say this is Good as Sendmail can not spew when set up on a system that is not going to use it.

File: /etc/sendmail.cf

Did you make the DAEMON_OPTIONS change mentioned in the release notes? Your sendmail.cf should *NOT* have this line:

O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

It needs to be hashed out to this:

#O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

File: /etc/mail/sendmail.mc

You can also change sendmail.mc, but this is just the configuration file that is used to create sendmail.cf. You can either delete it or change the .mc file from

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA’)

to:

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA’)

You do not need to rebuild sendmail.cf if you make the changes directly to sendmail.cf.

To rebuild sendmail.cf is a headache so better to edit sendmail.cf and restart sendmail.

2) Sendmail & tcpwrappers rejection

File: /etc/hosts.allow

sendmail: ALL EXCEPT \
203.204. \
218.

3) Cannot relay from valid ip address (Outlook)

Sendmail has been installed and the above patches have been appilied, email is being sent fine from with in Horde, but as soon as a valid client (ip address) seeks to send emails through the server using a client mail program (outlook), we get a Relaying Rejected message.

The answer to this problem was archived when researching this page on sendmail.org.
http://www.sendmail.org/~ca/email/relayingdenied.html

Feb 24 08:39:20 mail sendmail[17602]: i1NJdKCq017602: ruleset=check_rcpt, arg1=<someone@someone.co.nz>, relay=me.somehereelse.co.nz [192.168.xx.19], reject=550 5.7.1 <someone@someone.co.nz>… Relaying denied
(parts of message changed for security)

Generally the /etc/mail/access file only has allowed client ip addresses for relaying. Now with new versions of Sendmail I have found it necessary to put in the allowed name that the PCs are giving to sendmail.

File: /etc/mail/access

access-info.co.nz                 RELAY

This lines is needed in /etc/mail/access to enable name resolution.

You may also need the following line in hosts to also enable dns ip lookup

File: /etc/hosts

192.168.xx.xx    laptop.access-info.co.nz    laptop

Replace xs with valid ip address for the PC trying to send via outlook.

Original Post

p{
   color: black;
   _color: blue;
}

div#content{
    height: auto;
    min-height: 400px;
    _height: 400px;
}

In Windows Server 2003, you can use Scheduled Tasks in Control Panel to create, delete, configure, or display scheduled tasks. You can also use Schtasks.exe to schedule tasks manually.

Back to the top

Overview of the Schtasks.exe Tool

loadTOCNode(2, ’summary’);
Schtasks schedules commands and programs to run periodically or at a specific time. Schtasks adds and removes tasks from the schedule, starts and stops tasks on demand, and displays and changes scheduled tasks.

Back to the top

Syntax and Parameters

loadTOCNode(2, ’summary’);
The following is a list of the syntax and parameters that you can use with Schtasks.exe:

• Schtasks /Create

  loadTOCNode(3, ’summary’);
  Creates a new scheduled task.

  • Syntax:
    schtasks /create/tn TaskName /tr TaskRun /sc schedule [/mo modifier] [/d day] [/m month[,month...] [/i IdleTime] [/st StartTime] [/sd StartDate] [/ed EndDate] [/du duration] [/s computer [/u [domain\]user /p password]] [/ru {[Domain\]User | “System”} [/rp Password]] /?
  • Parameters:
    • /tn TaskName Specifies a name for the task.
    • /tr TaskRun Specifies the program or command that the task runs. Type the fully qualified path and file name of an executable file, script file, or batch file. If you omit the path, Schtasks.exe assumes that the file is in the Systemroot\System32 folder.
    • /sc schedule Specifies the schedule type. Valid values are MINUTE, HOURLY, DAILY, WEEKLY, MONTHLY, ONCE, ONSTART, ONLOGON, ONIDLE.
    • /mo modifier Specifies how frequently the task runs in its schedule type. This parameter is required for a MONTHLY schedule. This parameter is valid, but optional, for a MINUTE, HOURLY, DAILY, or WEEKLY schedule. The default value is 1.
    • /d day Specifies a day of the week or a day of a month. Valid only with a WEEKLY or MONTHLY schedule.
    • /m month[,month...] Specifies a month of the year. Valid values are JAN – DEC and * (every month). The /m parameter is valid only with a MONTHLY schedule. It is required when the LASTDAY modifier is used. Otherwise, it is optional and the default value is * (every month).
    • /i IdleTime Specifies how many minutes the computer is idle before the task starts. Type a whole number from 1 to 999. This parameter is valid only with an ONIDLE schedule, and then it is required.
    • /st StartTime Specifies the time of day that the task starts in HH:MM:SS 24-hour format. The default value is the current local time when the command completes. The /st parameter is valid with MINUTE, HOURLY, DAILY, WEEKLY, MONTHLY, and ONCE schedules. It is required with a ONCE schedule.
    • /sd StartDate Specifies the date that the task starts in MM/DD/YYYY format. The default value is the current date. The /sd parameter is valid with all schedules, and is required for a ONCE schedule.
    • /ed EndDate Specifies the last date that the task is scheduled to run. This parameter is optional. It is not valid in a ONCE, ONSTART, ONLOGON, or ONIDLE schedule. By default, schedules have no ending date.
    • /du Duration Specifies a maximum length of time for a minute or hourly schedule in the HHHH:MM 24-hour format. After the specified time elapses, Schtasks does not start the task again until the start time happens again. By default, task schedules have no maximum duration. This parameter is optional and valid only with a MINUTE or HOURLY schedule.
    • /s Computer Specifies the name or IP address of a remote computer, with or without backslash characters. The default is the local computer.
    • /u [domain\]user Runs the command with the permissions of the specified user account. By default, the command runs with the permissions of the user who is logged on to the computer that is running Schtasks.
    • /p password Specifies the password of the user account that you specified in the /u parameter. This parameter is required when the /u parameter is used.
    • /ru {[Domain\]User | “System”} Runs the tasks with the permission of the specified user account. By default, the task runs with the permissions of the user who is logged on to the computer that is running Schtasks.
    • /rp Password Specifies the password of the user account that is specified in the /ru parameter. If you omit this parameter when you specify a user account, Schtasks.exe prompts you for the password and obscures the text you type. Tasks that run with permissions of the NT Authority\System account do not require a password and Schtasks.exe does not prompt for one.
    • /? Displays help at the command prompt.

  back to the top

• Schtasks /Change

  loadTOCNode(3, ’summary’);
  Changes one or more of the following properties of a task:

  • The program that the task runs (/tr ).
  • The user account under which the task runs (/ru ).
  • The password for the user account (/rp ).
  • Syntax:schtasks /change /tn TaskName [/s computer [/u [domain\]user /p password]] [/tr TaskRun] [/ru [Domain\]User | “System”] [/rp Password]
  • Parameters:
    • /tn TaskName Identifies the task to be changed. Type the task name.
    • /s Computer Specifies the name or IP address of a remote computer with or without backslash characters. The default is the local computer.
    • /u [domain\]user Runs the command with the permissions of the specified user account. By default, the command runs with the permissions of the user who is logged on to the computer that is running Schtasks.
    • /p password Specifies the password of the user account that you specified in the /u parameter. This parameter is required when the /u parameter is used.
    • /tr TaskRun Changes the program that the task runs. Type the fully qualified path and file name of an executable file, script file, or batch file. If you omit the path, Schtasks.exe assumes that the file is in the Systemroot\System32 folder. The specified program replaces the original program that is run by the task.
    • /ru [Domain\]User | “System” Changes the user account for the task.
    • /rp Password Changes the account password for the task. Type the new password.
    • /? Displays help at the command prompt.

  back to the top

• Schtasks /Run

  loadTOCNode(3, ’summary’);
  Starts a scheduled task immediately. The run operation ignores the schedule, but uses the program file location, user account, and password that are saved in the task to run the task immediately.

  • Syntax:schtasks /run /tn TaskName [/s computer [/u [domain\]user /p password]] /?
  • Parameters:
    • /tn TaskName Identifies the task. This parameter is required.
    • /s Computer Specifies the name or IP address of a remote computer with or without backslash characters. The default is the local computer.
    • /u [domain\]user Runs the command with the permissions of the specified user account. By default, the command runs with the permissions of the user who it logged on to the computer that is running Schtasks.
    • /p password Specifies the password of the user account that you specified in the /u parameter. This parameter is required when the /u parameter is used.
    • /? Displays help at the command prompt.

  back to the top

• Schtasks /End

  loadTOCNode(3, ’summary’);
  Stops a program that was started by a task.

  • Syntax: schtasks /end /tn TaskName [/s computer [/u [domain\]user /p password]] /?
  • Parameters:
    • /tn TaskName Identifies the task that started the program. This parameter is required.
    • /s Computer Specifies the name or IP address of a remote computer with or without backslash characters. The default is the local computer.
    • /u [domain\]user Runs the command with the permissions of the specified user account. By default, the command runs with the permissions of the user who is logged on to the computer that is running Schtasks.
    • /p password Specifies the password of the user account that is specified in the /u parameter. This parameter is required when the /u parameter is used. /? Displays help.

  back to the top

• Schtasks /Delete

  loadTOCNode(3, ’summary’);
  Deletes a scheduled task.

  • Syntax:schtasks /delete /tn {TaskName | *} [/f ] [/s computer [/u [domain\]user/p password]] [/? ]
  • Parameters:
    • /tn {TaskName | *} Identifies the task being deleted. This parameter is required.
      • TaskName Deletes the named task.
      • * Deletes all the scheduled tasks on the computer.
    • /f Suppresses the confirmation message. The task is deleted without warning.
    • /s Computer Specifies the name or IP address of a remote computer with or without backslash characters. The default is the local computer.
    • /u [domain\]user Runs the command with the permissions of the specified user account. By default, the command runs with the permissions of the user who is logged on to the computer that is running Schtasks.
    • /p password Specifies the password of the user account that you specified in the /u parameter. This parameter is required when the /u parameter is used.
    • /? Displays help at the command prompt.

  back to the top

• Schtasks /Query

  loadTOCNode(3, ’summary’);
  Displays all the tasks that are scheduled to run on the computer, including those that are scheduled by other users:

  • Syntax:schtasks [/query] [/fo {TABLE | LIST | CSV}] [/nh ] [/v] [/s computer [/u [domain\]user/p password]]
  • Parameters:[/query] The operation name is optional. Typing schtasks without any parameters performs a query.
  • /fo {TABLE | LIST | CSV} Specifies the output format. TABLE is the default. /nh Omits column headings from the table display. This parameter is valid with the TABLE and CSV output formats.
  • /v Adds advanced properties of the tasks to the display. Queries using /v should be formatted as LIST or CSV.
  • /s Computer Specifies the name or IP address of a remote computer with or without backslash characters. The default is the local computer.
  • /u [domain\]user Runs the command with the permissions of the specified user account. By default, the command runs with the permissions of the user who is logged on to the computer that is running Schtasks.
  • /p password Specifies the password of the user account that is specified in the /u parameter. This parameter is required when the /u parameter is used.
  • /? Displays help at the command prompt.

Back to the top

How to Create a Scheduled Task

loadTOCNode(2, ’summary’);
To create a scheduled task:

1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type net start, and then press ENTER to display a list of currently running services. If Task Scheduler is not displayed in the list, type net start “task scheduler”, and then press ENTER.
3. At the command prompt, type schtasks /create /tn “Application_Name” /tr c:\apps\Application_Name /sc Value /st HH:MM:SS /ed MM/DD/YYYY, and then press ENTER. Note that you may have to change the parameters for your situation. For example, you might type schtasks /create /tn “My App” /tr c:\apps\myapp.exe /sc daily /st 08:00:00 /ed 12/31/2004 This example schedules the MyApp program to run once a day, every day, at 8:00 A.M. until December 31, 2004. Because it omits the /mo parameter, the default interval of 1 is used to run the command every day.

Back to the top

How to Change a Scheduled Task

loadTOCNode(2, ’summary’);
To change a scheduled task:

1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, typenet start, and then press ENTER to display a list of currently running services. If Task Scheduler is not displayed in the list, type net start “task scheduler”, and then press ENTER.
3. At the command prompt, typeschtasks /change /tn TaskName [/s computer [/u [domain\]user /p password]] [/tr TaskRun] [/ru [Domain\]User | “System”] [/rp Password] , and then press ENTER. Note that you may have to change the parameters for your situation. For example, to change the program that a task runs, type: schtasks /change /tn “Application_Name” /tr C:\File_Path\Application_Name.exe

Back to the top

How to Run a Scheduled Task

loadTOCNode(2, ’summary’);
To manually run a scheduled task outside its schedule:

1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type net start, and then press ENTER to display a list of currently running services. If Task Scheduler is not displayed in the list, type net start “task scheduler”, and then press ENTER.
3. At the command prompt, type schtasks /run /tn TaskName [/s computer [/u [domain\]user /p password]] , and then press ENTER. Note that you may have to change the parameters for your situation. For example, to run a task on the local computer, type schtasks /run /tn “Task_Name” .

Back to the top

How to End a Scheduled Task

loadTOCNode(2, ’summary’);
To end a scheduled task:

1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type net start, and then press ENTER to display a list of currently running services. If Task Scheduler is not displayed in the list, type net start “task scheduler”, and then press ENTER.
3. At the command prompt, type schtasks /end /tn TaskName [/s computer [/u [domain\]user /p password]] , and then press ENTER. For example, to end the instances of a program that was started by a scheduled task on a local computer, type schtasks /end /tn “Task_Name“.

Back to the top

How to Delete a Scheduled Task

loadTOCNode(2, ’summary’);
To delete a scheduled task:

1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type net start, and then press ENTER to display a list of currently running services. If Task Scheduler is not displayed in the list, type net start “task scheduler”, and then press ENTER.
3. At the command prompt, type schtasks /delete /tn {TaskName | *} [/f] [/s computer [/u [domain\]user /p password]], and then press ENTER. For example, to delete all tasks scheduled for the local computer, type schtasks /delete /tn * /f.

Back to the top

How to Perform a Query of Scheduled Tasks

loadTOCNode(2, ’summary’);
To perform a query of scheduled tasks:

1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type net start, and then press ENTER to display a list of currently running services. If Task Scheduler is not displayed in the list, type net start “task scheduler”, and then press ENTER.
3. At the command prompt, type schtasks /query , and then press ENTER. Output from this example displays a table of tasks that have been scheduled to run.

For more information about how to use Schtasks.exe, search for Schtasks.exe in Windo

ws Server 2003 Help.

By: Abe Getchell 2008-10-03

This article discusses the process of recovering deleted data from an ext3 partition, on a system running Linux, using a process called data carving. This basic technique is useful in any number of situations, such as recovering data that has been accidentally deleted by a user, information removed in an attempt to erase signs of a system intrusion that could be used to track the source, or data erased by an end-user attempting to cover up an acceptable use policy infraction.

This article assumes that you have a basic understanding of ext3 and the inner workings of filesystems. It is important to note that there is a certain amount of risk associated with this process. When performed improperly, the data you are attempting to recover, or other data stored on the system, could be permanently lost. While this technique is quite accurate most of the time, and very useful in any number of different situations, it is not “forensically sound” and will not hold up legally for use in court. Special software, hardware, and procedures — or professional services — are a must in situations when legal action is required.

The tools used in this article are freely available and can be downloaded from their respective websites.

The basic recovery process

In this section we will go step-by-step through the data recovery process and describe the tools, and their options, in detail. We start by listing a directory below.

[abe@abe-laptop test]$ ls -al
total 27
drwxrwxr-x 2 abe abe 4096 2008-03-29 17:48 .
drwx—— 71 abe abe 4096 2008-03-29 17:47 ..
-rwxr–r– 1 abe abe 42736 2008-03-29 17:47 weimaraner1.jpg

In the listing above we can see that there is a file named weimaraner1.jpg in the test directory. This is a picture of my dog. I don’t want to delete it. I like my dog.

[abe@abe-laptop test]$ rm -f *

Here we can see I am deleting it. Whoops! Sorry buddy. Let’s gather some basic information about the system so we can begin the recovery process.

[abe@abe-laptop test]$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 71G 14G 53G 21% /
/dev/sda1 99M 19M 76M 20% /boot
tmpfs 1007M 12K 1007M 1% /dev/shm
/dev/sdb1 887M 152M 735M 18% /media/PUBLIC

Here we see that the full path to the test directory (which is /home/abe/test) is part of the / filesystem, represented by the device file /dev/sda2.

[abe@abe-laptop test]$ su -
Password:
[root@abe-laptop ~]# debugfs /dev/sda2

Using su to gain root access, we can start the debugfs program giving it the target of /dev/sda2. The debugfs program is an interactive file system debugger that is installed by default with most common Linux distributions. This program is used to manually examine and change the state of a filesystem. In our situation, we’re going to use this program to determine the inode which stored information about the deleted file and to what block group the deleted file belonged.

debugfs 1.40.4 (31-Dec-2007)
debugfs: cd /home/abe/test
debugfs: ls -d
1835327 (12) . 65538 (4084) .. <1835328> (4072) weimaraner1.jpg

After debugfs starts, we cd into /home/abe/test and run the ls -d command. This command shows us all deleted entries in the current directory. The output shows us that we have one deleted entry and that its inode number is 1835328 — that is, the number between the angular brackets.

debugfs: imap <1835328>
Inode 1835328 is part of block group 56
located at block 1835019, offset 0×0f80

The next command we want to run is imap, giving it the inode number above so we can determine to which block group the file belonged. We see by the output that it belonged to block group 56.

debugfs: stats
[...lots of output...]
Blocks per group: 32768
[...lots of output...]
debugfs: q

Running the stats command will generate a lot of output. The only data we are interested in from this list, however, is the number of blocks per group. In this case, and most cases, it’s 32768. Now we have enough data to be able to determine the specific set of blocks in which the data resided. We’re done with debugfs now, so we type q to quit.

[root@abe-laptop ~]# dls /dev/sda2 1835008-1867775 > /media/PUBLIC/block.dat

——————–

The next thing we need to do is pull all unallocated blocks from block group 56 so we can examine their content. The dls program, from The Sleuth Kit (TSK), allows us to do just that. We simply need to know the device file, a range of blocks, and have enough space in the appropriate place to output this data. Using the information above, we can calculate the block range by multiplying the block group number and the block group size and then multiplying the block group number plus one by the blocks per group minus one. In this case, the formula would look like this:

(56 x 32768) through ((56 + 1) x 32768 – 1)

This would give us a range of 1835008 through 1867775. It’s very important that the destination of the output does not reside on the same partition as the data you’re attempting to recover. What will most likely be a large amount of data being written to disk from the output of this command could potentially overwrite the data you are trying to recover (as the blocks which stored the data from the deleted file have already been marked unallocated). You want as little disk activity as possible on the partition you’re working with. In this example, I’m using a USB thumb drive (located on /media/PUBLIC) as a location to store this data.

[root@abe-laptop ~]# mkdir /media/PUBLIC/output
[root@abe-laptop ~]# foremost -dv -t jpg -i /media/PUBLIC/block.dat -o /media/PUBLIC/output/

Next we need to attempt to extract this data from the unallocated blocks we extracted with the dls command above. To do this, we are going to use Foremost. This program is used to recover files based on header information, footer information, and internal data structures. This is the process, mentioned earlier, called data carving. First we are going to create a directory to store the foremost output (again, this should be on a separate partition). Next we are going to run the foremost command giving it the file type of jpg (which is an internally recognized type – more on custom types below), the input file, and the output directory. The output from this command is listed below.

Foremost version 1.5.3 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Sat Mar 29 18:02:29 2008
Invocation: foremost -dv -t jpg -i /media/PUBLIC/block.dat -o /media/PUBLIC/output/
Output directory: /media/PUBLIC/output
Configuration file: /usr/local/etc/foremost.conf
Processing: /media/PUBLIC/block.dat
|——————————————————————
File: /media/PUBLIC/block.dat
Start: Sat Mar 29 18:02:29 2008
Length: 110 MB (115941376 bytes)

Num Name (bs=512) Size File Offset Comment

0: 00033272.jpg 26 KB 17035264
1: 00033328.jpg 184 KB 17063936
2: 00033704.jpg 58 KB 17256448
3: 00033824.jpg 62 KB 17317888

[...]

*46: 00210136.jpg 2 KB 107589632
47: 00210144.jpg 3 KB 107593728
48: 00210392.jpg 6 KB 107720704
*
Finish: Sat Mar 29 18:02:29 2008

49 FILES EXTRACTED

jpg:= 49
——————————————————————

Foremost finished at Sat Mar 29 18:02:29 2008
[root@abe-laptop ~]#

As we can see, Foremost found forty-nine previously deleted jpg files (this output is also saved in a file named audit.txt in the root of the specified output directory). How do we know which is the file we are trying to recover? We could, as is most commonly done, open all of these files and see their contents. Another option is to simply compare file sizes. We know from our directory listing above that the jpg file we are looking for is 41k in size. There’s only one file that foremost extracted into the output directory that’s 41k, and indeed, 00114144.jpg is the file we are attempting to recover. Comparing size only works, of course, if you “know your data”. Integrity checking programs such as Tripwire play a big role in a recovery operation as you can identify the recovered data without ever inspecting the content, as well as verify its integrity. This becomes quite useful if the information you’re attempting to recover is confidential and you are not authorized to view the data.

Defining custom types in Foremost

As of Foremost v1.5.3, the internally supported data types that the program will recover without custom rules are jpg, gif, png, bmp, avi, exe, mpg, wav, riff, wmv, mov, pdf, ole, doc, zip, rar, htm, and cpp. If you need to recover data beyond these built-in data types, you will need to define custom types in Foremost’s configuration file (foremost.conf).

———————-

An entry that defines a type in the foremost configuration file (as explained in the documentation at the beginning of foremost.conf or in the manpage) consists of several columns: extension, case sensitivity, maximum size, header and footer (optional), and special keywords (optional). As an example that most should be familiar with, here is the entry for an html file:

htm n 50000 <html </html>

We see here that the file extension is htm (NONE can be specified if no file extension should be used during the output of extracted data), the header and footer are not case sensitive, the maximum file size is 50k bytes (which means that 50k bytes after the header will be recovered if no footer is specified or 50k bytes will be recovered if that amount of data is recovered before the defined footer is detected), the recovered file should start with “<html” (header) and end with “</html>” (footer).

The ASCII keyword can also be used when attempting to recover ASCII files. Specifying this keyword at the end of an entry will tell Foremost to extract all ASCII printable characters before and after the keyword defined. An example of this would be a type to recover a perl script. If, for example, you need to recover a perl script that you know included Crypt::CBC, you could use the following type definition:

pl y 100000 Crypt::CBC Crypt::CBC ASCII

Note that Crypt::CBC is listed in both the header and footer fields. This is done so that Foremost will recognize this as the string to search around when the ASCII keyword is used. A more general type to find perl scripts could be defined as follows:

pl n 100000 #!/usr/bin/perl #!/usr/bin/perl ASCII

When attempting to recover files that are not ASCII, hexadecimal and octal notation can be used by specifying \x[0-f][0-f] or \[0-3][0-7][0-7], respectively. Below is an example of hexadecimal notation describing the header and footers of a gif file:

gif y 155000000 \x47\x49\x46\x38\x37\x61 \x00\x3b

As you may have realized by now, Foremost is a very powerful tool. Learn its intricacies and it can be a wonderfully flexible tool in data recovery and computer security forensic operations. Read the Foremost man page or consult the configuration file for a complete guide to creating custom data types.

ext2 vs ext3 Data Recover

You may be asking yourself why this process is so much more difficult with ext3 than it is with ext2? This question is answered by one of the ext3 developers in the Linux ext3 FAQ:

Q: How can I recover (undelete) deleted files from my ext3 partition?
Actually, you can’t! This is what one of the developers, Andreas Dilger, said about it:

In order to ensure that ext3 can safely resume an unlink after a crash, it actually zeros out the block pointers in the inode, whereas ext2 just marks these blocks as unused in the block bitmaps and marks the inode as “deleted” and leaves the block pointers alone.
Your only hope is to “grep” for parts of your files that have been deleted and hope for the best.

The process, as described in this article, is the “grep” that Andreas is referring to. Hopefully, as ext3 is developed further, some effort will be put in to making this process easier and more reliable.

Conclusion

While going through this process may be necessary to recover information lost in any number of situations, it’s not a process you want to go through on a Monday morning to recover your organization’s payroll data after an administrator fat-fingers an rm command. The single most important piece of information you should take away from this article, in that vein, is to keep current, tested backups of business critical data that reside on the systems you manage. Regardless of the reason for its use, the process covered in this article is something that every system administrator and security analyst should have in their toolbelt.

Source

.SQM files are created by a number of Microsoft applications, most commonly Windows Live Messenger (previously known as MSN).

According to Microsoft, SQM files (standing for Software Quality Metrics) are used as part of their “Microsoft Customer Experience Program” and help improve their products by anonymously monitoring usage habits and reporting software errors/bugs.

To stop these files being created, you will need to disable the option in Windows Live Messenger. You can do this through the options menu:

1. Click HELP.
2. Select ‘Customer Experience Improvement Program’.
3. Tick on ‘I don’t want to participate right now’ box.
4. Click OK.

Please take note, that .SQM files are NOT viruses and do not contain spyware/malware and do not contain any personal information.

SQM files have a naming convention such as “sqmnoopt00.sqm”. They are normally found in the root folder of your hard-drive (C:) and more recently, the “Documents and settings/Application Data/Microsoft/MSN Messenger/” folder.

Dot What!? visitors have found that deleting SQM files is safe. Although probably true, we advise you to backup the files first.

################### Simple Story ###################

By default, you participate in a data-gathering program. Open Live Messenger, click on Help, then on Customer Experience Improvement Program, then de-check the radio button which says you want to participate. Try that. It will almost certainly work, and it’s not dangerous.

####################################################

Step 1: Back up important files

Red Hat has finally placed sendmail.cf in /etc/mail, where it belongs. To verify the location of your configuration file, type this command:

sendmail -d0.20 -bv | grep sendmail.cf

The default installation outputs this:

Conf file: /etc/mail/sendmail.cf (default for MTA)
Conf file: /etc/mail/sendmail.cf (selected)

Be sure to use this path when generating your new sendmail.cf from sendmail.mc, or no changes will take place. Back up your current sendmail.cf and the m4 file that generated it (probably /etc/mail/sendmail.mc):

cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf~
cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc~

Step 2: Make your certificate

We are also setting up STARTTLS, which allows sendmail to communicate over an encrypted layer using TLS. This is very important, as it allows us to use the LOGIN or PLAIN authentication mechanisms without transferring the password in plain text. It also allows the entire message to remain encrypted from the user’s machine to the mail server. If sendmail relays the message to another server that offers STARTTLS, the message will be encrypted again. But the most important advantage of this approach is that we get to authenticate using regular system logins and passwords, with no need to maintain a separate user database.

Red Hat’s openssl package includes a Makefile that makes it extremely easy to generate a certificate (note that on Fedora Core 4 the location is now /etc/pki/tls/certs):

cd /usr/share/ssl/certs
make sendmail.pem

Just follow the prompts and be sure to use the fully qualified domain name of the mail server for the Common Name prompt. Users will still be warned that the certificate is self-signed or not trusted, but you will prevent a warning that the certificate doesn’t match the host offering it. This certificate is suitable for testing, but you may want to investigate further about the use of certificates before deploying it in a production environment, a topic that is beyond the scope of this howto.

Step 3: Edit sendmail.mc

If you take a look at the sendmail.mc provided by Red Hat, you will notice that the necessary directives are already present but have been commented out (m4 doesn’t use the # symbol for comments, it starts a line with dnl, which stands for “delete until new line”). Since we want the easiest method possible, without sacrificing security, we need to edit these lines. Don’t cut & paste from this web page, or you may introduce unwanted characters into your configuration file that will prevent sendmail from starting.

The confAUTH_OPTIONS macro allows you to instruct sendmail not to offer plain text authentication until after a secure mechanism such as TLS is active (the p option). We are also prohibiting anonymous logins (the y option). The A option is a workaround for broken MTAs:

define(`confAUTH_OPTIONS’, `A p y’)dnl

Now we define which authentication mechanisms we will trust and use:

TRUST_AUTH_MECH(`LOGIN PLAIN’)dnl
define(`confAUTH_MECHANISMS’, `LOGIN PLAIN’)dnl

Next, we tell sendmail where to find the certificates:

define(`confCACERT_PATH’,`/usr/share/ssl/certs’)
define(`confCACERT’,`/usr/share/ssl/certs/ca-bundle.crt’)
define(`confSERVER_CERT’,`/usr/share/ssl/certs/sendmail.pem’)
define(`confSERVER_KEY’,`/usr/share/ssl/certs/sendmail.pem’)

And finally, it may be useful to increase the log level for debugging purposes (delete or comment out this line after everything is working properly):

define(`confLOG_LEVEL’, `14′)dnl

Use the m4 command to generate a new sendmail.cf:

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Be sure to use the right location for sendmail.cf, as determined earlier. Alternatively, you can use the following command in a stock Red Hat 9.0 or Fedora Core installation:

make -C /etc/mail sendmail.cf

This uses the commands in /etc/mail/Makefile to generate the new sendmail.cf configuration file.

Step 4: Test the configuration

This is where things get really interesting. sendmail must be restarted before it can use the new configuration file. Rather than simply restarting sendmail with our fingers crossed, we can test it to verify that every thing works properly. You can stop sendmail and then start it with command line options that cause it to log to a specified file. There are various ways to stop sendmail on a Red Hat/Fedora system:

service sendmail stop

or

cd /etc/mail
make stop

or

make -C /etc/mail stop

or

/etc/init.d/sendmail stop

We want to start sendmail with arguments to make it log the SMTP transaction to a special file while we are testing it:

sendmail -bD -X /tmp/test.log

Now, try to send a message from an e-mail client on another computer that does not have relay access, using your server as the outgoing mail server. You should be denied relaying. Edit your preferences so that the client uses authentication, with a login and password (not Secure Password Authentication, or SPA, which is something completely different). You should still be denied access. The last thing you need to do is to instruct the client to use SSL or TLS with the outgoing mail server (there is no need to specify a special port). After making this change, you should be able to send mail (you will be prompted to accept the certificate, however, which you might want to install to prevent further prompts). Now hit ctrl-c to stop sendmail. Restart it normally:

service sendmail restart

Now it’s time to look at the log. After the first EHLO, sendmail offers something like this:

30245 >>> 250-ENHANCEDSTATUSCODES
30245 >>> 250-PIPELINING
30245 >>> 250-8BITMIME
30245 >>> 250-SIZE
30245 >>> 250-DSN
30245 >>> 250-ETRN
30245 >>> 250-STARTTLS
30245 >>> 250-DELIVERBY
30245 >>> 250 HELP

The important thing is that AUTH is not offered here, because the channel isn’t encrypted. If you see AUTH in the first exchange, and it offers PLAIN or LOGIN, something is wrong. Look at your logs, go over the previous steps, and make sure that you generated a new sendmail.cf in the right location. The next entries in our log show that TLS is activated:

30245 <<< STARTTLS
30245 >>> 220 2.0.0 Ready to start TLS

Another EHLO takes place, followed by something like this:

30245 >>> 250-ENHANCEDSTATUSCODES
30245 >>> 250-PIPELINING
30245 >>> 250-8BITMIME
30245 >>> 250-SIZE
30245 >>> 250-DSN
30245 >>> 250-ETRN
30245 >>> 250-AUTH LOGIN PLAIN
30245 >>> 250-DELIVERBY
30245 >>> 250 HELP

Now AUTH is offered with the allowed mechanisms (but not STARTTLS, which isn’t needed here, as the channel is already encrypted). Authentication takes place, and the message is relayed to its destination.

It’s interesting to note that the username and password is Base64 encoded by the client, so it isn’t really sent as clear text:

30245 <<< AUTH PLAIN AHJvYmVydABzbHVncw==
30245 >>> 235 2.0.0 OK Authenticated

Nevertheless, it would be trivial to decode the string into the correct username/login pair (robert/slugs, in this case). Therefore, it is best to secure the transaction with TLS. If you want to verify that the transaction is encrypted, open another terminal for root, and run tcpdump:

tcpdump -s 1500 -vvxX port 25

Send a mail with easy to identify strings. You shouldn’t see your login or the message in tcpdump’s output.

Note that the certificate will be exchanged in plain text before TLS is enabled. If the mail is relayed to another server that doesn’t offer STARTTLS, you will see the content of the outgoing message in plain text.

Source

You can use below script to show the image file for public access, but public don’t have direct access to the file itself. Because its located outside of the public folder.

<?php
/* Read local file from /home/bar */
$localfile = file_get_contents("/home/userX/foo.jpg");

echo $localfile;
?>

Use below scripts :

mysql_insert_id() example