Author Archives: Adam Mallul


Apache Active Directory Authentication

Overview

This tutorial provides an example of Apache Active Directory Authentication using the Authz LDAP module.
Apache and SSL settings are not in the scope of this tutorial.

Basic SELinux Security Concepts

Overview

“SELinux is a security enhancement to Linux which allows users and administrators more control over access control.” (selinuxproject.org)

Change BlueStacks App Player Resolution

Overview

BlueStacks App Player for Windows is a great Android emulator that supports most of the common apps and games from Google Play.
In this tutorial I will show you how to Change BlueStacks App Player Resolution in Windows.

Download and Install BlueStacks App Player

  1. Go to http://www.bluestacks.com/ and download BlueStacks App Player
  2. Open BlueStacks App Player and register your GMail Account details
  3. Close BlueStacks

Change BlueStacks App Player Resolution

There are several values ‘GuestHeight/GuestWidth’, and ‘WindowHeight/WindowWidth’.
The ‘Guest’ values set the Android resolution and the ‘Window’ values set the window resolution.

  1. Open ‘regedit’: Start->Run->regedit
  2. Navigate to: ‘HKEY_LOCAL_MACHINE/SOFTWARE/BlueStacks/Guests/Android/FrameBuffer/0/’
  3. Double click the value ‘GuestHeight’
  4. Change Base to Decimal
  5. Input your desired Height resolution
  6. Double click the value ‘GuestWidth’
  7. Change Base to Decimal
  8. Input your desired Width resolution

Repeat the process for the ‘WindowHeight’ and ‘WindowWidth’ values.

Enjoy!

Optimize BlueStacks App Player for Windows

Overview

BlueStacks App Player for Windows is a great Android emulator that supports most of the common games on Google Play.
In this tutorial I will give you a few tips on how to optimize BlueStacks App Player for Windows.

Download and Install BlueStacks App Player

  1. Go to http://www.bluestacks.com/ and download BlueStacks App Player
  2. Open BlueStacks App Player and register your GMail Account details
  3. Close BlueStacks

Adjust BlueStacks RAM (Memory)

BlueStacks App Player comes with a default of 768MB RAM.

  1. Open ‘regedit’: Start->Run->regedit
  2. Navigate to: ‘HKEY_LOCAL_MACHINE/SOFTWARE/BlueStacks/Guests/Android’
  3. Double click the value ‘Memory’
  4. Change Base to Decimal
  5. Input your desired RAM amount
    DO NOT USE MORE THAN HALF OF YOUR PHYSICAL RAM!!
    For example: If you have 4GB of RAM input 2GB: ‘2048’

Flickering Issue with NVidia Display Adapter

Sometimes with NVidia GPUs there is an issue that causes the screen to flicker.
CHANGE THIS ONLY IF YOUR BLUESTACKS APP IS FLICKERING!!

  1. Open NVidia Control Panel and navigate to ‘Manage 3D Settings’
  2. Select tab ‘Program Settings’
  3. Click Add and Select ‘BlueStacks Frontend’
  4. Scroll down to ‘Threaded optimization’ and change it to ‘Off’

BlueStacks Process priority

Increase BlueStacks Process priorities in Task Manager:

  1. Open Task Manager and go to Details tab
  2. Right-Click ‘HD-Frontend’ and change priority to Above-Normal

Enjoy!!

Linux ACL Permissions

Overview

“Access Control List (ACL) provides an additional, more flexible permission mechanism for file systems.
It is designed to assist with UNIX file permissions.
ACL allows you to give permissions for any user or group to any disc resource.” (Wikipedia)

Enable ACL on file system

Most likely the ACL option is already enabled on your file system, but to be sure you can verify it with the following command:

#make sure to replace sda2 with the name of your device
tune2fs -l /dev/sda2 | grep options

The output should be:

Default mount options:    user_xattr acl

In order to enable ACL on a file system use tune2fs command:

#make sure to replace sda2 with the name of your device
tune2fs -o acl /dev/sda2

View Linux ACL Permissions

ls command

With the ls command you can see whether a file has ACL permissions: a ‘+’ sign appears right after the permission bits:

ls -l /folder-file

#Output:
-rw-rwxr--+ 1 root root 0 Mar 15 05:27 folder-file

Now we use getfacl command to see the ACL permissions.

getfacl command

You can use getfacl to view the current ACL permissions of a file or folder.

getfacl /folder-file

#Output
# file: folder-file
# owner: root
# group: root
user::rw-
user:nfsnobody:rwx
group::r--
mask::rwx
other::r--

setfacl command

#setfacl -m u:username:permissions /folder-file
setfacl -m u:bob:rwx /folder-file

#setfacl -m u:uid:permissions /folder-file
setfacl -m u:12345:rwx /folder-file

#setfacl -m g:groupname:permissions /folder-file
setfacl -m g:company:rx /folder-file

#setfacl -m g:gid:permissions /folder-file
setfacl -m g:12345:rx /folder-file

Remove all ACL permissions from a file or folder:

setfacl -b /folder-file

Remove a specific ACL entry by username, uid, group or gid:

#setfacl -x u:username /folder-file
setfacl -x u:bob /folder-file

#setfacl -x g:groupname /folder-file
setfacl -x g:company /folder-file
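One thing the getfacl output above does not make obvious is that the ‘mask’ entry caps every named user and group entry: ‘user:nfsnobody:rwx’ under a mask of ‘r--’ is effectively read-only, and a plain chmod on the group bits rewrites the mask. The script below is an added example (not part of the original post) that parses getfacl output and prints the effective rights of each named entry; the getfacl text it works on is constructed here, and the function names are my own. It handles access ACL entries only and ignores ‘default:’ entries and the ‘#effective:’ annotations getfacl appends.

```shell
#!/bin/sh
# Added example: compute the effective rights of named ACL entries
# (entry permissions AND mask) from getfacl-style output.
# SAMPLE_ACL is constructed for this example, not captured from a host.

SAMPLE_ACL='# file: folder-file
# owner: root
# group: root
user::rw-
user:nfsnobody:rwx
user:bob:rw-
group::r--
group:company:r-x
mask::r--
other::r--'

# perm_and A B -> rwx string containing only the bits present in both A and B
perm_and() {
    a=$1; b=$2; out=""; i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s' "$a" | cut -c"$i")
        cb=$(printf '%s' "$b" | cut -c"$i")
        if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then out="$out$ca"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# effective_perms GETFACL_TEXT -> one "type:name:perms:effective" line per named entry
effective_perms() {
    acl=$1
    # the mask entry caps named users and groups; with no mask nothing is capped
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\)$/\1/p')
    [ -n "$mask" ] || mask="rwx"
    printf '%s\n' "$acl" \
        | grep -v -e '^#' -e '^default:' -e '^$' \
        | sed 's/[[:space:]]*#.*$//' \
        | while IFS=: read -r type name perms; do
            case "$type:$name" in
                user:|group:|other:|mask:) continue ;;   # owner, owning group, other, mask
            esac
            printf '%s:%s:%s:%s\n' "$type" "$name" "$perms" "$(perm_and "$perms" "$mask")"
        done
}

# Usage: effective_perms "$(getfacl /folder-file)"
effective_perms "$SAMPLE_ACL"
```

Run it against a real file with `effective_perms "$(getfacl /folder-file)"`. If an entry's effective column is narrower than its perms column, either the mask was tightened deliberately or someone ran chmod on the group bits; `setfacl -m m::rwx` restores the mask, but check which it was first.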

Enjoy!

Test firewall with netcat

Overview

“The nc (or netcat) utility is used for just about anything under the sun involving TCP, UDP, or UNIX-domain sockets.
It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. Unlike telnet nc scripts nicely, and separates error messages onto standard error instead of sending them to standard output, as telnet does with some.” (NetCat Manual)

You can use netcat to listen on any available port and connect to it from a remote client; this way you can verify that the firewall actually lets the traffic through.

netcat installation

On CentOS you just need to use:

yum install nc -y

Test firewall with netcat

netcat server

Run netcat server on port 12345:

nc -v -l 12345

You should receive a blank line.
During connection you will see “Connection from 10.0.0.2 port 6666 [tcp/ircu-2] accepted” and whatever you write on the server will appear on the client.

netcat client

Connect to port 12345 on a remote server 10.0.0.1:

nc 10.0.0.1 12345

You should receive a blank line and whatever you write on the client will appear on the server.

netcat man page

Enjoy!

chmod suid sgid sticky bit

Overview

Linux chmod has a few options that can make your life a lot easier when managing shared storage.
The most needed are the suid, sgid and sticky bits.
The effect of each one differs between files and folders.

chmod suid sgid sticky bit

SetUID and SetGID

SUID (SetUID) and SGID (SetGID) have different effects when used on files and on folders.

suid and sgid on files

When suid is set on an executable, the file runs with the permissions of its owner even when run by a different user.
It shows up in the owner's execute position of the file's permissions: a lower-case ‘s’ means suid plus the execute bit (the ‘s’ hides the ‘x’, so it reads as ‘s+x’), and an upper-case ‘S’ means suid is set without the execute bit.

Apply SUID on ‘run.sh’:

chmod u+s run.sh

Apply SUID with 777:

chmod 4777 run.sh

Output SUID with 777:

-rwsrwxrwx.

Output SUID with 677:

-rwSrwxrwx.

When sgid is set on an executable, the file runs with the permissions of its owning group even when run by a different user.
It shows up in the group's execute position of the file's permissions: a lower-case ‘s’ means sgid plus the execute bit (the ‘s’ hides the ‘x’, so it reads as ‘s+x’), and an upper-case ‘S’ means sgid is set without the execute bit.

Apply SGID on ‘run.sh’:

chmod g+s run.sh

Apply SGID with 777:

chmod 2777 run.sh

Output SGID with 777:

-rwxrwsrwx.

Output SGID with 767:

-rwxrwSrwx.

suid and sgid on folders

On folders, suid and sgid are about inheritance for newly created files:
with sgid set, every new file gets the folder's owning group as its group.

Linux ignores the suid permission on folders.

Sticky-Bit

“When the sticky bit is set, only the item’s owner, the directory’s owner, or the superuser can rename or delete files.” (Wikipedia)

The sticky bit is mostly applied to folders; it has a few uses on files, but those are not in the scope of this tutorial.

It shows up in the others' execute position of the folder's permissions: a lower-case ‘t’ means the sticky bit plus the execute bit (the ‘t’ hides the ‘x’, so it reads as ‘t+x’), and an upper-case ‘T’ means the sticky bit is set without the execute bit.

Output sticky bit with 777:

drwxrwxrwt.

Output sticky bit with 776:

drwxrwxrwT.

Apply sticky bit to ‘/folder’:

chmod +t /folder

Apply sticky bit with 777:

chmod 1777 /folder
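Reading ‘s’ vs ‘S’ and ‘t’ vs ‘T’ off an ls listing is error-prone, so here is an added example (my own code, not part of the original post) that turns a mode string such as ‘-rwsrwxrwx.’ back into the 4-digit octal mode and names the special bit it carries, plus a small find wrapper for the review every admin of shared storage should run now and then: which regular files under a tree are setuid or setgid. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: decode an ls -l mode string into octal and name any
# setuid/setgid/sticky bit, and list files carrying setuid/setgid under a tree.

# decode_mode MODE_STRING -> "<octal>[ <notes>]", e.g. "-rwsrwxrwx." -> "4777 user-set-id"
decode_mode() {
    m=${1%[.+]}                     # drop a trailing SELinux '.' or ACL '+' marker
    [ "${#m}" -eq 10 ] || { echo "bad mode string: $1" >&2; return 1; }
    special=0; perms=""; notes=""; pos=2
    for who in user group other; do
        r=$(printf '%s' "$m" | cut -c"$pos")
        w=$(printf '%s' "$m" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$m" | cut -c"$((pos + 2))")
        d=0
        [ "$r" = r ] && d=$((d + 4))
        [ "$w" = w ] && d=$((d + 2))
        case "$x" in
            x) d=$((d + 1)) ;;
            s) d=$((d + 1)); notes="$notes $who-set-id" ;;        # lower-case: bit plus execute
            S) notes="$notes $who-set-id-without-exec" ;;          # upper-case: bit without execute
            t) d=$((d + 1)); notes="$notes sticky" ;;
            T) notes="$notes sticky-without-exec" ;;
        esac
        case "$who$x" in
            users|userS)   special=$((special + 4)) ;;   # suid  -> 4xxx
            groups|groupS) special=$((special + 2)) ;;   # sgid  -> 2xxx
            other[tT])     special=$((special + 1)) ;;   # sticky -> 1xxx
        esac
        perms="$perms$d"
        pos=$((pos + 3))
    done
    printf '%s%s%s\n' "$special" "$perms" "$notes"
}

# list_special_bits DIR -> regular files under DIR (same filesystem) with setuid or setgid set
list_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Usage:
decode_mode '-rwsrwxrwx.'     # 4777 user-set-id
decode_mode 'drwxrwxrwT.'     # 1776 sticky-without-exec
list_special_bits /usr/bin
```

Keep a baseline of `list_special_bits /` on a fresh install; a new entry in that list after a package update or a user upload is worth a look before anything else.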

Enjoy!

CentOS xrdp HowTo

Overview

xrdp is a free open-source remote desktop server for Linux.
Installing xrdp on CentOS might be a little tricky since the CentOS repositories do not contain the xrdp package.
Even the EPEL repository (Extra Packages for Enterprise Linux) only contains an old version of xrdp.

CentOS xrdp HowTo

Add EPEL repo

First you need to add the EPEL repository that has an older version of xrdp.

rpm -Uvh http://ftp.uni-bayreuth.de/linux/fedora-epel/6/i386/epel-release-6-8.noarch.rpm

Install xrdp from EPEL repo

yum install xrdp -y

Install dependencies

yum install tigervnc-server autoconf automake libtool openssl-devel pam-devel libX11-devel libXfixes-devel -y

Download and install xrdp from source

Now that you have the older version of xrdp installed you can easily compile the latest version on top of the old one.

Download xrdp from sourceforge http://sourceforge.net/projects/xrdp/files/ to /opt folder.

Extract the content of the file:

tar -xvzf xrdp-v0.6.1.tar.gz

Compile and install xrdp:

cd xrdp-v0.6.1
./bootstrap
./configure
make
make install

Start xrdp and make sure it is set to run at startup:

service xrdp start
chkconfig xrdp on

Customize xrdp settings

The xrdp service config files are located in ‘/etc/xrdp/’.
We will edit these three:

/etc/xrdp/xrdp.ini
/etc/xrdp/sesman.ini
/etc/xrdp/startwm.sh

Remove login options

Edit ‘/etc/xrdp/xrdp.ini’ and delete from the xrdp2 block to the end of the file, leaving only the xrdp1 option.

Limit access to certain group

Edit ‘/etc/xrdp/sesman.ini’ and change ‘TerminalServerUsers=tsusers’ to the group name you want to allow access.
If unset or set to an invalid or non-existent group, login for all users is enabled.

Add environment variables

An xrdp session has a different set of environment variables than a regular bash session.
Edit ‘/etc/xrdp/startwm.sh’ and add the environment variables you want at the beginning of the file.
For example, add ‘/bin’ and ‘/sbin’ to the PATH variable:

export PATH=$PATH:/bin:/sbin

Set session limits to avoid login failed error

Edit ‘/etc/xrdp/sesman.ini’ and change ‘MaxSessions=10’ to ‘MaxSessions=100’

Enjoy.

iptables examples on CentOS

Overview

“iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.
Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.”

In this tutorial I will give a few essential examples of how to use iptables on CentOS

iptables

There are several ways to configure iptables on CentOS.
The simplest way is to use the command system-config-firewall (or system-config-firewall-tui); it helps you set up standard rules like Web Server, FTP Server and a few more.
The second way is to use the iptables command to edit the configuration. This method is best for testing, since it will NOT save the settings until you run the command:

/etc/init.d/iptables save

The third way is to edit the file /etc/sysconfig/iptables and that is what I will show you today.

iptables chains

First we clear the content of /etc/sysconfig/iptables using:

echo > /etc/sysconfig/iptables

Set all the default chains to DROP and save the file (the rules you add later go after these lines, and the file must end with a ‘COMMIT’ line or iptables will not load it):

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

Now we are ready to insert the necessary rules to our chains.

Stateful configuration

Using a stateful rule to allow all established connections:

#Allow all Established connections
-A INPUT -p all -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p all -m state --state ESTABLISHED -j ACCEPT

Some services require you to allow related connections (ftp, tftp…):

#Allow all Related connections
-A INPUT -p all -m state --state RELATED -j ACCEPT
-A OUTPUT -p all -m state --state RELATED -j ACCEPT

iptables examples

Allow LocalHost

First we need to insert a rule to allow localhost to communicate:

#Allow localhost
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

Allow Web Browsing

#Out Internet Access
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

#Out Internet Access SSL
-A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

Allow Outgoing SSH

#Out SSH
-A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming SSH

Allow Incoming SSH from a specified subnet/ip address

#In SSH
-A INPUT -p tcp -s 10.0.0.0/24 --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming SSH from all

#In SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming Web Server

#In Internet Access Port 80
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

#In Internet Access SSL Port 443
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

Allow DHCP Client

#In/Out DHCP Client
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT

Allow DHCP Server

#In/Out DHCP Server
-A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT

Allow DNS requests

#Out DNS
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

Allow Incoming ping

#In ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Outgoing ping

#Out ping
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Zabbix Agent

#In Zabbix Agent
-A INPUT -p tcp --dport 10050 -m state --state NEW -j ACCEPT

Allow Outgoing RDP

#Out RDP
-A OUTPUT -p tcp --dport 3389 -m state --state NEW -j ACCEPT

Allow Incoming RDP Server

#In RDP
-A INPUT -p tcp --dport 3389 -m state --state NEW -j ACCEPT

Allow SMTP Server

#In SMTP
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

Allow SMTP Client

#Out SMTP
-A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

Allow SMTPs Server

#In SMTPs
-A INPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT

Allow SMTPs Client

#Out SMTPs
-A OUTPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT

Allow SMTP TLS Server

#In SMTP TLS
-A INPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT

Allow SMTP TLS Client

#Out SMTP TLS
-A OUTPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT

Allow POP Server

#In POP
-A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT

Allow POP Client

#Out POP
-A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT

Allow POPs Server

#In POPs
-A INPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT

Allow POPs Client

#Out POPs
-A OUTPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT

Allow IMAP Server

#In IMAP
-A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT

Allow IMAP Client

#Out IMAP
-A OUTPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT

Allow IMAPs Server

#In IMAPs
-A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT

Allow IMAPs Client

#Out IMAPs
-A OUTPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT

Allow mySQL Server

#In mySQL
-A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

Allow mySQL Client

#Out mySQL
-A OUTPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

Allow NTP Server

#In NTP
-A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

Allow NTP Client

#Out NTP
-A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

Allow rsync

#In rsync
-A INPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT

#Out rsync
-A OUTPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT

Allow rsyslogd

#In rsyslogd
-A INPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 514 -m state --state NEW -j ACCEPT

#Out rsyslogd
-A OUTPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 514 -m state --state NEW -j ACCEPT

Allow SAMBA Server

#In Samba
-A INPUT -p udp --dport 137:139 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dport 139,445 -m state --state NEW -j ACCEPT

Allow NFS Server

NFS uses random ports on startup so we need to fix the port numbers, add the following lines to ‘/etc/sysconfig/nfs’:

RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
RDMA_PORT=20049

#In NFS
-A INPUT -p tcp -m multiport --dport 111,662,875,892,2020,2049,20049,32803 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dport 111,662,875,892,2020,2049,20049,32769 -m state --state NEW -j ACCEPT

Allow TFTP Server

TFTP needs an iptables module called “nf_conntrack_tftp”, edit ‘/etc/sysconfig/iptables-config’ and make sure you have:

IPTABLES_MODULES="nf_conntrack_tftp"

#In TFTP
-A INPUT -p tcp --dport 69 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 69 -m state --state NEW -j ACCEPT

#You also need to allow related OUTPUT
-A OUTPUT -p all -m state --state RELATED -j ACCEPT

Allow Routing

Allow routing between Network-1 to Network-2 using 2 different NICs:

#Allow routing from eth0 to eth1
-A FORWARD -i eth0 -o eth1 -j ACCEPT

Specify port range

For example, allow all TCP communication from ports 100-200 to ports 200-300 (port matches need a protocol, so ‘-p tcp’ or ‘-p udp’ is mandatory):

-A OUTPUT -p tcp --sport 100:200 --dport 200:300 -j ACCEPT

Specify IP Address range

An IP address range requires the ‘iprange’ module.
For example, allow all communication to and from 10.0.0.1-10.0.0.100:

-A OUTPUT -m iprange --dst-range 10.0.0.1-10.0.0.100 -j ACCEPT
-A INPUT -m iprange --src-range 10.0.0.1-10.0.0.100 -j ACCEPT
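Writing /etc/sysconfig/iptables by hand is how the missing ‘COMMIT’ and the ‘--dport’ without ‘-p’ mistakes creep in, so here is an added example (my own code, not part of the original post) that generates a complete file in the same style as the rules above from a short service list, and a checker that catches those two mistakes in any rules file. The spec format ‘in|out:tcp|udp:port[:address]’ and the function names are invented for this example; it always allows loopback and ESTABLISHED,RELATED, as this tutorial does.

```shell
#!/bin/sh
# Added example: generate a full /etc/sysconfig/iptables (default-DROP, stateful)
# from specs such as "in:tcp:22:10.0.0.0/24 out:tcp:80 out:udp:53", and sanity
# check a rules file before loading it.

# gen_iptables_file SPEC... -> prints a complete rules file on stdout
gen_iptables_file() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
                  '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for spec in "$@"; do
        dir=${spec%%:*};   rest=${spec#*:}
        proto=${rest%%:*}; rest=${rest#*:}
        port=${rest%%:*};  src=""
        [ "$rest" != "$port" ] && src=${rest#*:}      # optional 4th field: address/subnet
        case "$dir" in
            in)  chain=INPUT;  addr=${src:+-s $src } ;;  # restrict by source on INPUT
            out) chain=OUTPUT; addr=${src:+-d $src } ;;  # restrict by destination on OUTPUT
            *)   echo "bad direction in '$spec'" >&2; return 1 ;;
        esac
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol in '$spec'" >&2; return 1 ;;
        esac
        printf '%s\n' "-A $chain -p $proto $addr--dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# check_iptables_file < FILE -> exit 1 (with a message) on the common hand-edit mistakes
check_iptables_file() {
    awk '
        /^-A / && /--[sd]port/ && !/-p (tcp|udp)/ { print "port match without -p tcp|udp: " $0; bad = 1 }
        /^-A / && !/-j /                           { print "rule without a target: " $0;        bad = 1 }
        { last = $0 }
        END {
            if (last != "COMMIT") { print "file does not end with COMMIT"; bad = 1 }
            exit bad
        }'
}

# Usage: write to a scratch file, check it, then copy it into place and restart iptables.
#   gen_iptables_file in:tcp:22:10.0.0.0/24 out:tcp:80 out:tcp:443 out:udp:53 > /tmp/iptables.new
#   check_iptables_file < /tmp/iptables.new && cp /tmp/iptables.new /etc/sysconfig/iptables
```

Running the checker over an existing /etc/sysconfig/iptables before a reboot is cheap insurance: a rules file that fails to load leaves the host with whatever policy the init script falls back to, which on a default-DROP design is the opposite of what you planned.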

Enjoy!

Warcraft 3 1920 HD resolutions

Overview

Warcraft 3 is one of the best RTS games ever produced, released in 2002.
The only issue is that the new HD and Wide resolutions are not supported in the configuration menu.
In this tutorial I will show you how to add support for these resolutions.

Warcraft 3 1920 HD resolutions


Warcraft 3 1920×1080

Open regedit and go to:
HKEY_CURRENT_USER\Software\Blizzard Entertainment\Warcraft III\Video

Before you edit the values, change the Base from Hexadecimal to Decimal.

reswidth = 1920
resheight = 1080

Warcraft 3 1920×1200

Open regedit and go to:
HKEY_CURRENT_USER\Software\Blizzard Entertainment\Warcraft III\Video

Before you edit the values, change the Base from Hexadecimal to Decimal.

reswidth = 1920
resheight = 1200

Enjoy 🙂

Unreal Tournament 99 1920 HD resolutions

Overview

Unreal Tournament 99 is an old shooter game, but it is still one of the best arena games ever produced.
The community mods and skins support makes it even more enjoyable for most of us.
The only issue is that the new HD and Wide resolutions are not supported in the configuration menu.
In this tutorial I will show you how to add support for these resolutions.

Unreal Tournament 99 1920 1080-1200 HD resolutions

Unreal Tournament 99 1920

1920×1080

Open “system/UnrealTournament.ini” with a text editor like notepad and edit the following lines:

FullscreenViewportX=1920
FullscreenViewportY=1080
FullscreenColorBits=32

1920×1200

Open “system/UnrealTournament.ini” with a text editor like notepad and edit the following lines:

FullscreenViewportX=1920
FullscreenViewportY=1200
FullscreenColorBits=32

Enjoy 🙂

tr vs sed – String manipulation commands in Linux/Unix

Overview

tr and sed are very powerful stream and character manipulation commands; each has its own advantages for string manipulation.

tr vs sed usage and examples

Replace “hi” with “bye”

echo "hi hi" | sed 's/hi/bye/g'
output: bye bye

echo "hi hi" | tr 'hi' 'bye'
output: by by

While sed can replace strings tr can only replace characters,
so with complete string replacement sed is the way to go.
 
Replace “good” with “bad”
echo "good good" | sed 's/good/bad/g'
output: bad bad

echo "good good" | tr 'good' 'bad'
output: bddd bddd

tr is more like a mapping command; it works like a set of rules:
the char ‘g’ maps to ‘b’, ‘o’ maps to ‘a’ and then ‘o’ maps to ‘d’; the last rule for a character wins, so ‘o=d’ is the active one.
 
Change a space to a newline:
echo "line1 line2" | tr ' ' '\n'
output:
line1
line2

echo "line1 line2" | sed -e 's/\s\s*/\n/g'
output:
line1
line2

 
As you can see tr is a lot easier for this job.
Enjoy.