Thursday, December 26, 2013

Setting up Postfix to relay through Google Mail


 Install postfix and required packages:
  # yum install postfix cyrus-sasl cyrus-sasl-plain cyrus-sasl-md5
  # chkconfig postfix on
  # chkconfig saslauthd on

Create an SSL certificate (self-signed; a client certificate is not required to relay through Gmail, these files mainly serve the inbound smtpd_* side, and since TLS 1.3 has no DSA signature schemes an RSA key such as -newkey rsa:2048 is the usual choice today):
  # mkdir /etc/postfix/certs
  # cd /etc/postfix/certs
  # openssl dsaparam -out dsa1024.pem 1024
  # openssl req -x509 -nodes -days 3650 -newkey dsa:dsa1024.pem -out mycert.pem -keyout mykey.pem
  # ln -s mycert.pem CAcert.pem
  # openssl req -x509 -new -days 3650 -key mykey.pem -out mycert.pem

Create the Gmail authentication file:
  # vi /etc/postfix/sasl_passwd

Add the following content (the Google account that will send the mail and its password; this file holds a plaintext credential, hence the chmod 600 below):
  smtp.gmail.com username@googleapp.domain:password

Generate postfix sasl_passwd database:
  # postmap hash:/etc/postfix/sasl_passwd
  # chmod 600 /etc/postfix/sasl_passwd
  # chmod 600 /etc/postfix/sasl_passwd.db

Configure Postfix
  # vi /etc/postfix/main.cf

Edit these settings in main.cf (mynetworks is the subnet allowed to relay through this host; keep it as narrow as possible, since every host in it can send mail through your Google account):
  inet_interfaces = all
  mydestination = localhost, $myhostname, localhost.$mydomain
  mynetworks = 172.30.10.0/24

Append the following to main.cf
  # SMTP relayhost
  relayhost = [smtp.gmail.com]:587

  ## TLS Settings
  smtp_tls_loglevel = 1
  smtp_tls_CAfile = /etc/postfix/certs/CAcert.pem
  smtp_tls_cert_file = /etc/postfix/certs/mycert.pem
  smtp_tls_key_file = /etc/postfix/certs/mykey.pem
  smtp_use_tls = yes
  smtpd_tls_CAfile = /etc/postfix/certs/CAcert.pem
  smtpd_tls_cert_file = /etc/postfix/certs/mycert.pem
  smtpd_tls_key_file = /etc/postfix/certs/mykey.pem
  smtpd_tls_received_header = yes
  smtpd_use_tls = yes

  # SASL configuration
  smtp_sasl_auth_enable = yes
  smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
  smtp_sasl_security_options = noanonymous
  smtp_sasl_tls_security_options = noanonymous

  # alias map from internal to external addresses
  smtp_generic_maps = hash:/etc/postfix/generic

Finally, build the generic map (create /etc/postfix/generic first, one "internal@address external@address" pair per line; it may be empty) and restart postfix
  # postmap hash:/etc/postfix/generic
  # /etc/init.d/postfix restart
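The settings above decide whether the Google password ever leaves the box unprotected, so here is an added example (not from the original post and not Postfix's own tooling) of a small POSIX sh audit that reads a main.cf and the sasl_passwd files and reports the usual slips: a relayhost without [brackets]:port, SASL auth left off, the credential files readable by other users, and TLS left opportunistic. It goes one step beyond the post by also looking for smtp_tls_security_level = encrypt, the Postfix 2.3+ setting that refuses to send without TLS, where smtp_use_tls = yes only uses TLS if the server happens to offer it. The sample configurations it builds are constructed for the demonstration; the paths and the PLACEHOLDER password are not real.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a Postfix relay
# configuration of the kind set up above. It reads main.cf and the
# sasl_passwd file/database from paths given as arguments. The sample
# files built by build_demo are constructed for demonstration.

# Print the value of a main.cf parameter; as in Postfix, the last
# definition wins and commented lines are ignored.
pf_get() {
    awk -v key="$2" -F'=' '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            val = $0
        }
        END { print val }' "$1"
}

# Succeed only if the file exists and has no group/other permission bits.
owner_only() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Check the settings that matter for a password-authenticated relay.
# Returns the number of problems found (0 = clean).
check_postfix_relay() {
    cf="$1"; pw="$2"; problems=0

    case "$(pf_get "$cf" relayhost)" in
        \[*\]:*) ;;  # [host]:port pins the port and skips the MX lookup
        *) echo "relayhost should be [host]:port"; problems=$((problems + 1)) ;;
    esac

    [ "$(pf_get "$cf" smtp_sasl_auth_enable)" = "yes" ] ||
        { echo "smtp_sasl_auth_enable must be yes"; problems=$((problems + 1)); }

    [ -n "$(pf_get "$cf" smtp_sasl_password_maps)" ] ||
        { echo "smtp_sasl_password_maps is not set"; problems=$((problems + 1)); }

    case "$(pf_get "$cf" smtp_sasl_security_options)" in
        *noanonymous*) ;;
        *) echo "smtp_sasl_security_options should include noanonymous"
           problems=$((problems + 1)) ;;
    esac

    # smtp_use_tls = yes is only opportunistic: if STARTTLS is stripped on
    # the way, the password would go out in clear. The security_level form
    # (Postfix 2.3 and later) refuses to send without TLS.
    case "$(pf_get "$cf" smtp_tls_security_level)" in
        encrypt|verify|secure|fingerprint) ;;
        *) echo "set smtp_tls_security_level = encrypt (TLS must be mandatory for a password relay)"
           problems=$((problems + 1)) ;;
    esac

    # The credentials file and the postmap output both hold the password.
    for f in "$pw" "$pw.db"; do
        owner_only "$f" ||
            { echo "$f must exist and be chmod 600"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# Write a constructed sample configuration into directory $2;
# $1 is "good" (as recommended) or "weak" (opportunistic TLS, readable secrets).
build_demo() {
    mkdir -p "$2"
    {
        echo "relayhost = [smtp.gmail.com]:587"
        echo "smtp_sasl_auth_enable = yes"
        echo "smtp_sasl_password_maps = hash:$2/sasl_passwd"
        echo "smtp_sasl_security_options = noanonymous"
        if [ "$1" = good ]; then
            echo "smtp_tls_security_level = encrypt"
        else
            echo "smtp_use_tls = yes"
        fi
    } > "$2/main.cf"
    # constructed credential line; PLACEHOLDER stands in for the real password
    echo "[smtp.gmail.com]:587 user@example.com:PLACEHOLDER" > "$2/sasl_passwd"
    : > "$2/sasl_passwd.db"   # stands in for the postmap output
    if [ "$1" = good ]; then
        chmod 600 "$2/sasl_passwd" "$2/sasl_passwd.db"
    else
        chmod 644 "$2/sasl_passwd" "$2/sasl_passwd.db"
    fi
}

demo=$(mktemp -d)
build_demo good "$demo/good"
check_postfix_relay "$demo/good/main.cf" "$demo/good/sasl_passwd" && echo "good: relay config OK"
build_demo weak "$demo/weak"
check_postfix_relay "$demo/weak/main.cf" "$demo/weak/sasl_passwd" || echo "weak: $? problem(s) found"
```

Against the live files run it as root, for example check_postfix_relay /etc/postfix/main.cf /etc/postfix/sasl_passwd; the exit status is the number of problems, so it drops into a cron job or a configuration test without further glue.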


Credit to my senior Voo

Friday, December 20, 2013

owncloud on Centos 6

Installation

Go to https://fedoraproject.org/wiki/EPEL
and install the latest EPEL release package into your CentOS

#  wget http://ftp.riken.jp/Linux/fedora/epel/6/i386/epel-release-6-8.noarch.rpm
#  rpm -i epel-release-6-8.noarch.rpm

Then go to http://owncloud.org/install/
to get the repository for the latest ownCloud version; the .repo file belongs in /etc/yum.repos.d/

# wget -O /etc/yum.repos.d/isv:ownCloud:community.repo http://download.opensuse.org/repositories/isv:ownCloud:community/CentOS_CentOS-6/isv:ownCloud:community.repo

then install ownCloud

# yum install owncloud

-----------------------------------------------------------------------------------------------
Tweak

max upload size
The max upload size can be changed in
/var/www/html/owncloud/.htaccess
You will notice these values inside it, and you can change them to your preference (post_max_size must be at least as large as upload_max_filesize):

php_value upload_max_filesize 513M
php_value post_max_size 513M
php_value memory_limit 512M


Wednesday, December 18, 2013

phpmyadmin at EC2

On the Amazon server, after you have set up MySQL or RDS, install phpMyAdmin.

First enable the EPEL repo:
# vim /etc/yum.repos.d/epel.repo

In the [epel] and [epel-source] sections change
enabled=0
to enabled=1

save and exit

Then install phpMyAdmin and configure it:

# yum install phpmyadmin
# vim /etc/httpd/conf.d/phpMyAdmin.conf

Comment out the following two lines (by default the package only allows access from localhost). This opens phpMyAdmin, and with it the database root login, to every client that can reach the web server; allowing only your own address with "Allow from <your IP>" instead, and serving it over HTTPS, is the safer choice:

#Order Deny,Allow
#Deny from All

Edit the phpMyAdmin configuration:
# vim /etc/phpMyAdmin/config.inc.php

and set the host to where your MySQL is located, either local or the RDS endpoint:

$cfg['Servers'][$i]['host'] = 'localhost';


Restart httpd:
# /etc/init.d/httpd restart

Then try to access it at
http://<your-server-IP>/phpmyadmin
The login is your database root login and password.

Thursday, December 12, 2013

EC2 rotate snapshot


Here is a script to automatically delete snapshots that are older than n days.

Requirements
- Python
- Boto >= 2.4.0

Option list (as implemented by the script below; the text matched against the snapshot description is a regular expression given as a positional argument, not as an option)

-k = access key ID
-s = secret access key
-r = region (defaults to boto's default region)
-a = older than this many days
-t = match a tag, either NAME or NAME=value (may be repeated)
-T = only snapshots started in this time window, e.g. 15:30-15:45
-d = actually delete; without it the script only prints the matching snapshots
-q = only print errors

example
ec2-rotate-snapshot.py -k AKIAert5EYQKJBN6TASQ -s 8ka5hp9lDOPjDNOJsdfnmaHcMWAsdamoWbH4HhBj -a 5 -d "backup" -r eu-west-1

This checks for snapshots that are more than 5 days old and whose description contains the word "backup" in region eu-west-1, and proceeds to delete them. Run it first without -d to see what would be deleted. Keys passed on the command line are visible to every user in the process list; the script also takes AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the environment, and on an EC2 instance an IAM role lets boto pick up credentials without any long-lived keys at all.

reference/source
I got this from https://bitbucket.org/romabysen/ec2-rotate-snapshots/overview
The owner is Lars Hansson,
so please feel free to thank him for this wonderful script.




Script start here
--------------------------------------------------------------------------------

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# :copyright: (c) 2013 by Lars Hansson.
# :license: ISC, see LICENSE for more details.
#
"""Utility for rotating EC2 snaphots"""

import os
import sys
import time
import logging
from optparse import OptionParser
import datetime
import re
import boto.ec2

DEFAULT_REGION = boto.ec2.EC2Connection.DefaultRegionName


def setup_logging(level):
    logger = logging.getLogger('ec2-rotate-snapshot')
    ch = logging.StreamHandler()
    logger.setLevel(level)
    logger.addHandler(ch)


def log_err(msg):
    logger = logging.getLogger('ec2-rotate-snapshot')
    logger.error(msg)


def log_info(msg):
    logger = logging.getLogger('ec2-rotate-snapshot')
    logger.info(msg)


def match_tags(tags, m_tags):
    if not m_tags:
        return True
    for item in m_tags:
        if item.find('=') != -1:
            (tag, value) = item.split('=')
            for k, v in tags.items():
                if k == tag and v == value:
                    return True
        else:
            if item in tags.keys():
                return True
    return False


def match_timeframe(start_time, timeframe):
    if not timeframe:
        return True
    dt_start_time = datetime.datetime.strptime(start_time, '%Y-%m-%dT%H:%M:%S.%fZ')
    (start, end) = timeframe.split('-')
    frame_start = dt_start_time.replace(hour=int(start.split(':')[0]),
                                        minute=int(start.split(':')[1]),
                                        second=0)
    frame_end = dt_start_time.replace(hour=int(end.split(':')[0]),
                                      minute=int(end.split(':')[1]),
                                      second=0)
    if frame_end < frame_start:
        frame_end = frame_end + datetime.timedelta(days=+1)
    return frame_start <= dt_start_time <= frame_end


def match_age(start_time, age):
    if not age:
        return True
    st = time.strptime(start_time, '%Y-%m-%dT%H:%M:%S.%fZ')
    at = time.gmtime(time.time() - (86400 * age))
    return st < at


def match_string(mstring, pattern):
    if not pattern:
        return True
    if not mstring:
        return False
    if re.search(pattern, mstring) is not None:
        return True
    return False


def cleanup_snapshots(pattern, opts):
    conn = boto.ec2.connect_to_region(opts.region)
    for snap in conn.get_all_snapshots(owner='self'):
        if (match_string(snap.description, pattern) and match_tags(snap.tags, opts.tag) and
            match_timeframe(snap.start_time, opts.timeframe) and
                match_age(snap.start_time, opts.age)):
            if opts.delete:
                try:
                    conn.delete_snapshot(snap.id)
                except boto.exception.EC2ResponseError:
                    # Retry deleting since sometimes random errors happen
                    try:
                        time.sleep(2)
                        conn.delete_snapshot(snap.id)
                    except boto.exception.EC2ResponseError:
                        log_err('Error! Snapshot %s not deleted' % (snap.id))
                        continue
                log_info('Snapshot deleted: %s' % (snap.id))
                time.sleep(0.5)
            else:
                log_info('Snapshot: %s, start time: %s, description: %s, tags: %s' %
                        (snap.id, snap.start_time, snap.description, snap.tags.keys()))


def handle_options():
    """Parse commandline options"""
    usage = 'Usage: %prog [options] <regular expression>'
    version = '%prog 0.1.0'
    parser = OptionParser(usage=usage, version=version)
    parser.add_option('-k', dest='key', help='AWS access key id')
    parser.add_option('-s', dest='secret', help='AWS secret access key')
    parser.add_option('-r', dest='region', default=DEFAULT_REGION,
                      help='Region. Default: %s' % (DEFAULT_REGION))
    parser.add_option('-a', dest='age', type='int', default=None,
                      help='Older than these many days')
    parser.add_option('-t', action='append', dest='tag', default=None,
                      help='Match this tag and, optionally, content')
    parser.add_option('-T', dest='timeframe', default=None,
                      help='Timeframe selector. Example: 15:30-15:45')
    parser.add_option('-d', dest='delete', action='store_true', default=False,
                      help='Actually delete instead of printing the matches')
    parser.add_option('-q', action='store_true', default=False, dest='quiet', help='Only print errors')
    (opts, args) = parser.parse_args()
    if opts.quiet:
        setup_logging(logging.ERROR)
    else:
        setup_logging(logging.INFO)
    if opts.key is not None:
        os.environ["AWS_ACCESS_KEY_ID"] = opts.key
    if opts.secret is not None:
        os.environ["AWS_SECRET_ACCESS_KEY"] = opts.secret
    if len(args) == 0:
        log_err('A regular expression is required.')
        parser.print_usage()
        sys.exit(1)
    if len(args) > 1:
        log_err('Too many regular expressions.')
        parser.print_usage()
        sys.exit(1)
    return (opts, args)


def main():
    """The main loop"""
    (opts, args) = handle_options()
    pattern = args[0]
    cleanup_snapshots(pattern, opts)

if __name__ == '__main__':
    main()

Wednesday, December 11, 2013

Mysql change time zone in RDS


First log in to the RDS MySQL instance and run the following.

In AWS's version of this recipe the name in the POSITION check is the RDS maintenance user (rdsadmin), which is thereby excluded from the time-zone change, and the GRANT goes to the application user; whichever name you use, every user that init_connect runs for must be allowed to EXECUTE the procedure, otherwise their connections fail. Change the name to suit your setup, then change the time zone as well:

DELIMITER |
CREATE PROCEDURE mysql.store_time_zone ()
    IF NOT (POSITION('database@' IN CURRENT_USER()) = 1) THEN
        SET SESSION time_zone = '+8:00';
    END IF |
DELIMITER ;

After that, grant permission to execute it:

GRANT EXECUTE ON PROCEDURE `mysql`.`store_time_zone` TO 'database'@'172.31.8.2';

Then in the RDS dashboard console go to Parameter Groups > your MySQL parameter group > edit parameter, search for init_connect, put "CALL mysql.store_time_zone" into the value field and save it.

Wednesday, October 23, 2013

MySQL setup for centos 6.3 or amazon linux and simple command

CentOS 6.3 MySQL installation and setup

# yum install mysql mysql-devel mysql-server
# /etc/init.d/mysqld start
# /usr/bin/mysql_secure_installation

If it prompts for a password, try an empty password or "password".

Then set it up according to what you want it to be.

Log in using
# mysql -u root -p

For Amazon Linux

If you are not using RDS and run MySQL on the server itself: after installing the MySQL server it does not come with the initial databases and the root user, so you need to start the mysqld service once to let it build the first database:

# /etc/init.d/mysqld start

Then stop it so we can use the safe mode:

# /etc/init.d/mysqld stop
# mysqld_safe --skip-grant-tables &

This starts the server without its grant tables, so MySQL can be accessed without a password. While it runs this way anyone who can reach the port gets in, so do this on a host that is not exposed (adding --skip-networking limits it to local socket connections).

# mysql -u root

mysql> insert into mysql.user (Host, User, Password) values ('localhost','root','');

mysql> update mysql.user set Select_priv='Y',Insert_priv='Y',Update_priv='Y',Delete_priv='Y',Create_priv='Y',Drop_priv='Y',Reload_priv='Y',Shutdown_priv='Y',Process_priv='Y',File_priv='Y',Grant_priv='Y',References_priv='Y',Index_priv='Y',Alter_priv='Y',Show_db_priv='Y',Super_priv='Y',Create_tmp_table_priv='Y',Lock_tables_priv='Y',Execute_priv='Y',Repl_slave_priv='Y',Repl_client_priv='Y',Create_view_priv='Y',Show_view_priv='Y',Create_routine_priv='Y',Alter_routine_priv='Y',Create_user_priv='Y',Event_priv='Y',Trigger_priv='Y',Create_tablespace_priv='Y' where user='root';

This creates the root user. Then exit and shut the safe-mode server down (mysqld_safe is only the wrapper, so mysqld itself must be stopped too):

# killall mysqld_safe mysqld
# /etc/init.d/mysqld start

Now you can log in to the console in normal mode:

# mysql -u root

mysql> grant all privileges on *.* to 'root'@'localhost' with grant option;

Then exit and set the root password:

# mysqladmin -u root password NEWPASSWORD




Manage Databases

create a database
mysql> create database [databasename];

delete a database
mysql> drop database [databasename];

show all databases
mysql> show databases;

show a table's fields and their types
mysql> describe [table];

switch to a database
mysql> use [databasename];

Manage Tables

show all tables in the current database
mysql> show tables;

show all data in a table
mysql> SELECT * FROM [table];

show the rows whose field has the value "Name"
mysql> SELECT * FROM [table] WHERE [field] = "Name";

Manage Users

Create users

mysql> CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';

If you want to allow that user access from anywhere, use the "%" wildcard in place of localhost (this also exposes the account to password guessing from any host that can reach port 3306, so restrict it to the client's address or network where you can):

mysql> CREATE USER 'newuser'@'%' IDENTIFIED BY 'password';

Grant privileges to users
mysql> GRANT ALL PRIVILEGES ON *.* TO 'newuser'@'localhost';
mysql> FLUSH PRIVILEGES;

Extra privileges information

  • ALL PRIVILEGES - as we saw previously, this allows a MySQL user all access to a designated database (or, if no database is selected, across the system)
  • CREATE - allows them to create new tables or databases
  • DROP - allows them to delete tables or databases
  • DELETE - allows them to delete rows from tables
  • INSERT - allows them to insert rows into tables
  • SELECT - allows them to use the SELECT command to read through databases
  • UPDATE - allows them to update table rows
  • GRANT OPTION - allows them to grant or remove other users' privileges

Example:
GRANT [type of permission] ON [database name].[table name] TO '[username]'@'localhost';

Remove user privileges
REVOKE [type of permission] ON [database name].[table name] FROM '[username]'@'localhost';

delete a user
mysql> DROP USER 'demo'@'localhost';


Migrate database

Before migrating, check /etc/my.cnf to see which storage engine is in use; the new server needs to be set to the same engine before you import the data.

back up a database
# mysqldump -u root -p [database] > database.sql

back up all databases
# mysqldump -u root -p --all-databases > alldb.sql

restore a database
# mysql -u root -p [database] < database.sql

restore all databases
# mysql -u root -p < alldb.sql

back up an InnoDB database
If you get this error message

Access denied for user 'root'@'localhost' to database 'testing' when using LOCK TABLES

you can try adding --single-transaction (this takes a consistent snapshot instead of locking the tables, and only works for transactional engines such as InnoDB), for example
# mysqldump -u root -p --single-transaction [database] > database.sql


Other / Troubleshoot


ERROR 1040 (00000): Too many connections

check how many connections are open
mysql> show processlist;

and increase the parameter in my.cnf
max_connections = 500
---------------------------------------------------------------

On a fresh MySQL install, the root password is either empty or a temporary password has been set.
For the temporary password, check this:

grep 'temporary password' /var/log/mysqld.log
-----------------------------------------------

After logging in it requires you to reset the password. Some MySQL versions enforce requirements on the password; use this command to check them:

SHOW VARIABLES LIKE 'validate_password%';

If you want to change them, use the example commands below (they loosen the policy; keep it as strict as your environment allows):

SET GLOBAL validate_password_length = 6;
SET GLOBAL validate_password_number_count = 0;

reference:
https://dev.mysql.com/doc/refman/8.0/en/validate-password-options-variables.html
-----------------------------------------------

The command below switches a user back to the native password authentication plugin (for older clients that do not support caching_sha2_password, the MySQL 8.0 default):

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '<password>';


Monday, May 27, 2013

Logical Volume basic command

Create LVM

show all HDDs currently available
# fdisk -cul

select the HDD that you wish to make into LVM
# fdisk -cu /dev/sdb

create a partition and set its system type to LVM (keys typed at the fdisk prompt)
  p  (print all partitions)
  n  (create a new partition)
  t  (change the system type)
  8e (Linux LVM)
  w  (write the table and exit)

After that you will see that /dev/sdb1 was created;
now we proceed to create the LVM
# pvcreate /dev/sdb1
# vgcreate vg00 /dev/sdb1
This creates a volume group named vg00

# lvcreate -L 10G --name lvdata vg00
This creates a logical volume named lvdata with 10G size from vg00

# mkfs.ext4 /dev/mapper/vg00-lvdata
This formats the LV we created as ext4 so we can use it

------------------------------------------------------------------------

Replace HDD for LVM

Add the new disk to the volume group, move the extents off the old one, then drop it:

# pvscan
# vgextend vg00 /dev/xvdk1
# pvmove /dev/xvdf1
# vgreduce vg00 /dev/xvdf1
# pvremove /dev/xvdf1

------------------------------------------------------------------------

Adding an existing VG to a new server

On the old server deactivate and export the group (vgexport refuses an active VG), move the disks, then import and activate it on the new one:

# vgchange -an vg00
# vgexport vg00
# vgimport vg00
# vgchange -ay vg00

-----------------------------------------------------------------------

Reduce LV

The order matters: shrink the filesystem first, then the LV, never the other way round, or the tail of the filesystem is cut off (lvreduce -r -L 3G does both steps in the right order).

# umount /home
# e2fsck -f /dev/mapper/vg00-lvhome
# resize2fs -p /dev/mapper/vg00-lvhome 3G
# lvreduce -L 3G /dev/mapper/vg00-lvhome
# e2fsck -f /dev/mapper/vg00-lvhome

----------------------------------------------------------------------

Extend LV

# lvextend -l +100%FREE /dev/mapper/vg00-lvvar
# resize2fs -p /dev/mapper/vg00-lvvar


Monday, April 8, 2013

Disallowing root access

Disallowing direct root logins is done for security purposes.
There are a few ways of doing it; which one suits depends on your environment.

Changing the root shell
Edit the /etc/passwd file and change root's shell from /bin/bash to /sbin/nologin.

This prevents access to the root shell and logs the attempt. The following programs are prevented from accessing the root account:
  • login
  • gdm
  • kdm
  • xdm
  • su
  • ssh
  • scp
  • sftp
Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs, are not affected. The following programs are also not prevented from accessing the root account:
  • sudo
  • FTP clients
  • email clients
For sudo, users are not allowed to use "sudo -i" to get root, as this would load root's profile through the login shell, which we have now made /sbin/nologin. However, "sudo -s" still works.


Disabling root SSH logins
Edit the /etc/ssh/sshd_config file and set the PermitRootLogin parameter to no.

This prevents root access via the OpenSSH suite of tools. The following programs are prevented from accessing the root account:
  • ssh
  • scp
  • sftp
If you intend to allow public key access to root, change the PermitRootLogin parameter to without-password (spelled prohibit-password from OpenSSH 7.0 on; the old name is kept as an alias). Reload sshd afterwards, and note that sshd uses the first occurrence of a keyword, so a PermitRootLogin line earlier in the file overrides one added later.
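As an added example (not from the original post), the following POSIX sh functions check both controls from copies of /etc/passwd and sshd_config. The sshd part matters more than it looks: sshd takes the first occurrence of a keyword, so appending PermitRootLogin no to a file that already says yes changes nothing, and the check below reproduces that rule. The sample files are constructed; in the "bad" one the setting looks hardened but is not.

```shell
#!/bin/sh
# Added example, not part of the original post: check both root-login
# controls described above from a passwd file and an sshd_config file
# given as arguments. The sample files built by build_samples are constructed.

# Print the login shell of an account from a passwd-format file.
login_shell() {
    awk -F: -v user="$2" '$1 == user { print $7; exit }' "$1"
}

# Print the effective value of an sshd_config keyword. sshd uses the
# FIRST occurrence of a keyword (later duplicates are ignored), so this
# stops at the first match; it also stops at the first Match block, whose
# settings apply only conditionally. Keywords are case-insensitive and
# the "keyword=value" spelling is accepted as well.
sshd_option() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 ~ /=/ { sub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == want { print $2; exit }' "$1"
}

# Report both controls; return 0 only when direct root login is blocked
# by the shell and sshd allows at most key-based root login.
root_access_report() {
    ok=0
    shell=$(login_shell "$1" root)
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false)
            echo "root shell: $shell (login and su blocked)" ;;
        *)  echo "root shell: $shell (login and su still work)"; ok=1 ;;
    esac
    prl=$(sshd_option "$2" PermitRootLogin)
    case "$prl" in
        no) echo "sshd PermitRootLogin: no" ;;
        without-password|prohibit-password)
            echo "sshd PermitRootLogin: $prl (keys only)" ;;
        "") echo "sshd PermitRootLogin: not set (the default was yes before OpenSSH 7.0)"; ok=1 ;;
        *)  echo "sshd PermitRootLogin: $prl"; ok=1 ;;
    esac
    return "$ok"
}

# Constructed samples: a passwd with root locked, and two sshd_config files.
build_samples() {
    mkdir -p "$1"
    printf 'root:x:0:0:root:/root:/sbin/nologin\nalice:x:1000:1000::/home/alice:/bin/bash\n' > "$1/passwd"
    # Looks hardened at a glance, but the first PermitRootLogin line wins.
    cat > "$1/sshd_config.bad" <<'EOF'
Port 22
PermitRootLogin yes
#PermitRootLogin no
PermitRootLogin no
Match User alice
    PermitRootLogin no
EOF
    cat > "$1/sshd_config.good" <<'EOF'
Port 22
#PermitRootLogin yes
PermitRootLogin=no
EOF
}

demo=$(mktemp -d)
build_samples "$demo"
root_access_report "$demo/passwd" "$demo/sshd_config.bad" || echo "-> root can still log in over ssh"
root_access_report "$demo/passwd" "$demo/sshd_config.good" && echo "-> root login blocked"
```

On a live host call root_access_report /etc/passwd /etc/ssh/sshd_config; on systems whose sshd_config pulls in an Include directory, run sshd_option against those files first, since an included file that comes earlier in the order takes precedence for the same reason.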

Monday, March 11, 2013

Install Cacti for CentOS 6.3

Install Cacti in CentOS 6.3

First, add the RPMForge repository to your server, following http://wiki.centos.org/AdditionalResources/Repositories/RPMForge

Now install the needed packages using yum
# yum install httpd php php-mysql php-snmp mysql mysql-server net-snmp
# yum install cacti

Now edit the Cacti Apache configuration
# cd /etc/httpd/conf.d
# vim cacti.conf
and change the "Allow from 127.0.0.1" line to suit your network

Now start up MySQL
# /etc/init.d/mysqld start
If you have just installed MySQL and have not set it up yet, please set it up using
# /usr/bin/mysql_secure_installation
and follow the guide shown

Now let's create a database for Cacti
# mysql -u root -p
> create database cacti;
> exit

Import the table structure into the cacti database
# vim /var/www/cacti/cacti.sql
then put this line above all the other commands
     use cacti
save and exit
# mysql -u root -p < /var/www/cacti/cacti.sql

Then edit the PHP config
# vim /var/www/cacti/include/config.php
and key in the username and password for MySQL (a dedicated cacti user with rights on the cacti database only is preferable to root here):

$database_username = "root";
$database_password = "temp1234";

Now restart and start up the services
# /etc/init.d/mysqld restart
# /etc/init.d/httpd start
# /etc/init.d/snmpd start

Use a browser to access your Cacti
http://<your server IP>/cacti

Click "NEXT" for all steps,
then log in to the Cacti interface using "admin" for both username and password.
It will force you to change the password after that.

Congrats~ you have successfully installed the Cacti server






Friday, January 11, 2013

htpasswd to protect a web pages

Let's say you have a smokeping service and you wish to protect it with a password; then you can use htpasswd to protect it.

First cd to that folder
# cd /opt/smokeping

then create a new htpasswd file
and add the user 'admin'
# htpasswd -c /opt/smokeping/.htpasswd admin

If you have an existing htpasswd file, then you can just update it (without -c, which would overwrite the file) using
# htpasswd /opt/smokeping/.htpasswd admin

After that you need to enable this in the Apache config;
you need to add:


<Directory "/var/www/html/smokeping">

     AuthUserFile /opt/smokeping/.htpasswd
     AuthType Basic
     AuthName "Smokeping Admin Pages"
     Require valid-user

</Directory>


Then reload the Apache service. Keep the .htpasswd file outside the document root, as done here, so it can never be served, and put the protected pages behind HTTPS, since Basic auth sends the password base64-encoded with every request.
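An added example (not from the original post and not Apache's tooling): a POSIX sh audit of an existing .htpasswd file that reports the hash scheme of each entry, since files created with older htpasswd releases often hold crypt(3) or unsalted {SHA} hashes that fall quickly to offline guessing if the file leaks. The sample file and its hash strings are constructed placeholders, not real digests.

```shell
#!/bin/sh
# Added example, not part of the original post: report the password hash
# scheme of every entry in an .htpasswd file. Apache's htpasswd writes
# apr1 (salted, iterated MD5) by default and bcrypt with -B (Apache 2.4);
# older files may still hold crypt(3) or unsalted {SHA} entries.
# The sample file built by build_sample is constructed; its hash strings
# are placeholders.

# Print "user scheme" for every entry of the file given as $1.
htpasswd_schemes() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            h = $2
            p4 = substr(h, 1, 4)
            if (p4 == "$2a$" || p4 == "$2b$" || p4 == "$2y$")
                s = "bcrypt"
            else if (substr(h, 1, 6) == "$apr1$")
                s = "apr1-md5"
            else if (substr(h, 1, 5) == "{SHA}")
                s = "sha1"
            else if (length(h) == 13)
                s = "crypt"
            else
                s = "plain-or-unknown"
            print $1, s
        }' "$1"
}

# Print the users whose entries should be regenerated with "htpasswd -B".
htpasswd_weak_users() {
    htpasswd_schemes "$1" | awk '$2 != "bcrypt" { print $1 }'
}

# Build the constructed sample file at path $1.
build_sample() {
    cat > "$1" <<'EOF'
# constructed sample .htpasswd; hashes are placeholders, not real digests
admin:$2y$05$CONSTRUCTEDbcryptSALT/CONSTRUCTEDbcryptHASHxxxxxxxxxxxxx
legacy:$apr1$abcdefgh$CONSTRUCTEDmd5hashxxxxxxx
ancient:abJnggxhB/yWI
EOF
}

sample=$(mktemp)
build_sample "$sample"
htpasswd_schemes "$sample"
echo "entries to regenerate: $(htpasswd_weak_users "$sample" | tr '\n' ' ')"
```

htpasswd -B (Apache 2.4) rewrites an entry with bcrypt. apr1 MD5, the default, is salted and iterated but far cheaper to attack than bcrypt, so it is listed for regeneration as well; a 13-character entry is a DES crypt(3) hash, which also truncates the password to 8 characters.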


Tuesday, January 8, 2013

SSL cert

Generate the private key
# openssl genrsa -out myserver.key 2048

then generate the certificate signing request (CSR) from the private key
# openssl req -new -key myserver.key -out myserver.csr

The CSR is given to the SSL certificate authority to sign, and it returns a .crt file.
After you get it, put it on the Apache server and append this to httpd.conf (inside the SSL virtual host; RapidSSL_CA_bundle.pem is the intermediate CA bundle supplied by the authority). The private key stays on the server only and should be readable by root alone.


    SSLEngine On
    SSLCertificateKeyFile myserver.key
    SSLCertificateFile myserver.crt
    SSLCACertificateFile RapidSSL_CA_bundle.pem