Category Archives: Linux/Unix

CentOS PostgreSQL Installation Tutorial – (Centos 6.x)

1 Reply

CentOS PostgreSQL Installation tutorial

CentOS PostgreSQL

centos postgresql :

PostgreSQL is a powerful, open source object-relational database system.
In the following tutorial I’ll show how to install PostgreSQL on your CentOS box

 

CentOS PostgreSQL Installation

We can install PostgreSQL in (at-least) two ways:

  • Using YUM
  • Compile from source

 

Install from repository

yum install postgresql-server
this will install the package postgresql-server, also: postgresql and postgresql-libs.
centos postgresql

centos postgresql

Install from source

If you want to install the latest version of PostgreSQL you should compile from source. it’s recommended for advanced users and one may argue it’s recommended too for production.

Anyway, this article from DigitalOcean covers this area well (and more). If you want to compile using source you better move to that article. If you prefer or installed using repository (yum), continue…

 

PostgreSQL Service

if you’ll try to start PostgreSQL using the service command, you will see an error tells you must init the db first and create the db files in: /var/lib//pgsql/data

posgresqlerror

so,

to init on centos postgresql service use:

service postgresql initdb

posgreinit

This created a data folder in /var/lib/pgsql. You can’t run this command again without deleting first this folder (and all your data).

Also, when you called the initdb command above from RedHat’s init script configured permissions on the database. These configuration settings are in the pg_hba.conf file inside the data folder.

By default all permissions are ‘Ident’,

pgsql-ident

means the only user that can get in initially is user “postgres”, so if you’ll try ‘psql’ from root you’ll get error:

psql: FATAL: Ident authentication failed for user “root”

If you want to login and use postgres with other users than `postgres` you can change the permissions method in pg_hba.conf. change from ‘ident’ to ‘md5’ is recommended.

If you want to use phpPgAdmin (described later) you should change from ‘Ident’ to ‘md5’ or else it won’t login to your system.

 

Set port and Listen Addresses

If you need to change the default port (5432 by default) and Listen Addresses (localhost by default), you can set those vars inside the postgresql.conf inside /var/lib/pgsql/data folder.

#listen_addresses = 'localhost'
#port = 5432

 

Start service

and then, to start on centos postgresql service use:

service postgresql start

postgrestart

to make centos postgresql load on boot use the chkconfig command as follows:

chkconfig postgresql on

 

and That’s it!

 

What next?

 

Managing from Command line

login to postgres

As I mentioned, default setup has ident authentication means the only user that can get in initially is user “postgres”, so if you haven’t changed permissions scheme you should su to postgres before.

to start ‘psql’ as postgres:

# change user to postgres
su - postgres
# start psql manager
psql
# CTRL + D twice to exit both psql and su.

# You can also short the two commands into:
# su postgres -c psql

Add (or create) a user with permission to specific database?

Read this great tutorial.

 

PhpPgAdmin

PostgreSQL visual interface similar to phpMyAdmin? – in short, if you know phpMyAdmin and want phpPgAdmin, you need to add the EPEL repositories, Apache (yum install httpd) and then install using:

If your permissions scheme is currently ‘Ident’ you might need to change that to ‘md5’ as PhpPgAdmin requires it.

yum install phpPgAdmin

Then visit in your browser: http://localhost/phpPgAdmin

centos phppgadmin
centos phppgadmin

Remote connection

Edit /etc/httpd/conf.d/phpPgAdmin.conf if you want to allow access remotly and restart httpd (service httpd restart).

do you use pgsql, postgres, root, administrator as login or even user without password?
if you do, set the $conf[‘extra_login_security’] entry to false in your et/phpPgAdmin/config.inc.php.

 

Change default Postgres user password

If you really want to use the “postgres” role, make sure you set it up a password and $conf[‘extra_login_security’] is false.

use the command:

passwd postgres

to change the system user password and

ALTER USER Postgres WITH PASSWORD 'password';

That alters the password for within the database. To change the password inside Postgresql. there is also short code (inside psql):

\password

Which will ask from you a new password to set.

 

 

Cheers!

Etay Cohen-Solal
Development Specialist, Artist and Activist
Personal Website
http://etcs.me

Linux ACL Permissions

Leave a reply

Overview

“Access Control List (ACL) provides an additional, more flexible permission mechanism for file systems.
It is designed to assist with UNIX file permissions.
ACL allows you to give permissions for any user or group to any disc resource.” (Wikipedia)

Enable ACL on file system

Most likely is that the ACL option is already enabled on your file system but to be sure you can verify using the next command:

#make sure to replace sda2 with the name of your device
tune2fs -l /dev/sda2 | grep options

The output should be:

Default mount options:    user_xattr acl

In order to enable ACL on a file system use tune2fs command:

#make sure to replace sda2 with the name of your device
tune2fs -o acl /dev/sda2

View Linux ACL Permissions

ls command

With ls command you can see if there are any ACL permissions on a file, you will see a ‘+’ sign:

ls -l /folder-file

#Output:
-rw-rwxr--+ 1 root root 0 Mar 15 05:27 folder-file

Now we use getfacl command to see the ACL permissions.

getfacl command

You can use getfacl to view the current ACL permissions of a file or folder.

getfacl /folder-file

#Output
# file: folder-file
# owner: root
# group: root
user::rw-
user:nfsnobody:rwx
group::r--
mask::rwx
other::r--

setfacl command

#setfacl -m u:username:permissions /folder-file
setfacl -m u:bob:rwx /folder-file

#setfacl -m u:uid:permissions /folder-file
setfacl -m u:12345:rwx /folder-file

#setfacl -m g:groupname:permissions /folder-file
setfacl -m g:company:rx /folder-file

#setfacl -m g:gid:permissions /folder-file
setfacl -m g:12345:rx /folder-file

Remove all ACL permissions:

setfacl -b

Remove a specific ACL entry by username, uid, group or gid:

setfacl -x "bob"

Enjoy!

Adam Mallul
IT specialist with strong development skills
Currently an IT Manager at the Faculty of Engineering, Bar-Ilan University
Personal Website – RaveMaker.Net
http://ravemaker.net

Test firewall with netcat

Leave a reply

Overview

“The nc (or netcat) utility is used for just about anything under the sun involving TCP, UDP, or UNIX-domain sockets.
It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. Unlike telnet nc scripts nicely, and separates error messages onto standard error instead of sending them to standard output, as telnet does with some.” (NetCat Manual)

You can use netcat to listen on any available port and connect to it from a remote client, this way you can test that the firewall actually allows you to pass.

netcat installation

On CentOS you just need to use:

yum install nc -y

Test firewall with netcat

netcat server

Run netcat server on port 12345:

nc -v -l 12345

You should receive a blank line.
During connection you will see “Connection from 10.0.0.2 port 6666 [tcp/ircu-2] accepted” and whatever you write on the server will appear on the client.

netcat client

Connect to port 12345 on a remote server 10.0.0.1:

nc 10.0.0.1 12345

You should receive a blank line and whatever you write on the client will appear on the server.

netcat man page

Enjoy!

Adam Mallul
IT specialist with strong development skills
Currently an IT Manager at the Faculty of Engineering, Bar-Ilan University
Personal Website – RaveMaker.Net
http://ravemaker.net

chmod suid sgid sticky bit

Leave a reply

Overview

Linux chmod has a few options that can make your life a lot easier when managing a shared storage.
The most needed are chmod suid sgid sticky bit.
Also the impact of each one is different between files and folders.

chmod suid sgid sticky bit

SetUID and SetGID

SUID (SetUID) and SGID (SetGID) has different affects when used on files or on folders.

suid and sgid on files

When suid is set on an executable that means the file will run with the owner user permissions when run by a different user.
When used you will have the letter ‘S’ specified in the files permissions.
When you will have a lower-case ‘s’ that means it hides the permission ‘x’ of user so it means ‘t+x”

Apply SUID on ‘run.sh’:

chmod u+s run.sh

Apply SUID with 777:

chmod 4777 run.sh

Output SUID with 777:

-rwsrwxrwx.

Output SUID with 677:

drwSrwxrwx.

When sgid is set on an executable that means the file will run with the owner groups permissions when run by a different user.
When used you will have the letter ‘S’ specified in the files permissions.
When you will have a lower-case ‘s’ that means it hides the permission ‘x’ of group so it means ‘t+x”

Apply SGID on ‘run.sh’:

chmod g+s run.sh

Apply SGID with 777:

chmod 2777 run.sh

Output SGID with 777:

-rwxrwsrwx.

Output SGID with 767:

drwxrwSrwx.

suid and sgid on folders

suid and sgid on folders means inherit permissions for newly created files.
sgid will set the owner group permission of all new files the same as folders owner group.
Linux ignores the suid permission on folders.

Sticky-Bit

“When the sticky bit is set, only the item’s owner, the directory’s owner, or the superuser can rename or delete files.” (Wikipedia)

Sticky_bit is mostly applied to folders, it has a few uses on files but that not in the scope of this tutorial.

When used you will have the letter ‘T’ specified in the folders permissions.
When you will have a lower-case ‘t’ that means it hides the permission ‘x’ of others so it means ‘t+x”

Output sticky bit with 777:

drwxrwxrwt.

Output sticky bit with 776:

drwxrwxrwT.

Apply sticky bit to ‘/folder’:

chmod +t /folder

Apply sticky bit with 777:

chmod 1777 /folder

Enjoy!

Adam Mallul
IT specialist with strong development skills
Currently an IT Manager at the Faculty of Engineering, Bar-Ilan University
Personal Website – RaveMaker.Net
http://ravemaker.net

CentOS xrdp HowTo

Leave a reply

Overview

xrdp is a free open-source remote desktop server for Linux.
Installing xrdp on CentOS might be a little tricky since CentOS repositories does not contain the xrdp package.
Even the EPEL repository (Extra Packages Enterprise Linux) only contains an old version of xrdp.

CentOS xrdp HowTo

Add EPEL repo

First you need to add the EPEL repository that has an older version of xrdp.

rpm -Uvh http://ftp.uni-bayreuth.de/linux/fedora-epel/6/i386/epel-release-6-8.noarch.rpm

Install xrdp from EPEL repo

yum install xrdp -y

Install dependencies

yum install tiger-vncserver autoconf automake libtool openssl-devel pam-devel libX11-devel libXfixes-devel -y

Download and install xrdp from source

Now that you have the older version of xrdp installed you can easily compile the latest version on top of the old one.

Download xrdp from sourceforge http://sourceforge.net/projects/xrdp/files/ to /opt folder.

extract the content of the file

tar -xvzf xrdp-v0.6.1.tar.gz

compile and install xrdp:

cd xrdp-v0.6.1
./bootstarp
./configure
make
make install

start xrdp and make sure it is set to run at startup:

service xrdp start
chkconfig xrdp on

Customize xrdp settings

The xrdp service config files are located at ‘/etc/xrdp/’:
We will edit these three:

/etc/xrdp/xrdp.ini
/etc/xrdp/sesman.ini
/etc/xrdp/startwm.sh

Remove login options

Edit ‘/etc/xrdp/xrdp/ini’ and delete from xrdp2 block to the end of the file leaving only the xrdp1 option.

Limit access to certain group

Edit ‘/etc/xrdp/sesman.ini’ and change ‘TerminalServerUsers=tsusers’ to the group name you wan to allow access.
If unset or set to an invalid or non-existent group, login for all users is enabled.

Add environment variables

xrdp has a different set of environment variables than regular bash session.
Edit ‘/etc/xrdp/startwm.sh’ and add at the beginning of the file the environment variables you want.
for example add ‘/bin’ and ‘/sbin’ to the PATH variable:

export PATH=$PATH:/bin:/sbin

Set session limits to avoid login failed error

Edit ‘/etc/xrdp/sesman.ini’ and change ‘MaxSessions=10’ to ‘MaxSessions=100’
 
 
 
xCentOS xrdp HowTo

Enjoy.

Adam Mallul
IT specialist with strong development skills
Currently an IT Manager at the Faculty of Engineering, Bar-Ilan University
Personal Website – RaveMaker.Net
http://ravemaker.net
cento tomcat

CentOS Tomcat server installation is easy!

3 Replies

CentOS Tomcat installation

CentOS Tomcat

centos tomcat

“Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed under the Java Community Process.” from Tomcat homepage.

 

Prerequisities

  • CentOS 6.x (I haven’t tested this on older versions but it should probably work as well) 

Check your Java installation

before we’ll continue the installation of Tomcat, the JDK (Java Development Kit) should be installed on your CentOS machine. to check for Java support use the command:

java -version

javanotfound

if bash returns ‘command not found‘ then continue to the next step and install the JDK, else skip the step and continue to Tomcat server installation.

 

Install Java Development Kit (JDK)

To install the jdk we have 2 options:

  1. Install OpenJDK – Using YUM.
  2. Install Oracle JDK – Install manually.

I’ll explore both:

Option 1: Install Open-JDK using YUM

For beginners and testing purposes you should go with this option.

Why should I use the Oracle JDK over the OpenJDK, or vice-versa? [closed]

The command to install JDK using YUM is very simple:

yum install java

yuminstall java

  • Note: use sudo if you are not logged-in with root.
  • the command will install the latest jdk (1.7 as for this date). If you want to install older version use the full name (search using: $ yum search jdk)yum-search-jdk
    You can see you can install the 1.6 version by typing: yum install java-1.6.0

Check you have installed it right:

javafound

 

Option 2: Install JDK manually

Download your required JDK here.

Note: I can’t give you an WGET command to download, because you need to Accept License Agreement before downloading any file.

You can download and install using the RPM or the tar.gz (both with x86 or x64) on your CentOS machine:

downloadjava

 

 

In case of our CentOS we can download and install the .rpm file or the .tar.gz file.

RPM can be installed ONLY by the root.
TAR.GZ can be installed be any user on the computer.

 

Option A: Install using .rpm

make sure to uninstall older installations (if any):

rpm –e <package name>

To install the jdk using the downloaded rpm use the rpm command:

rpm –ivh jdk-7u45-linux-x64.rpm

If you just want to upgrade a package you’ve already installed use the -Uvh parameter.

rpm –Uvh jdk-7u45-linux-x64.rpm

Delete the .rpm file if you want to save disk space.

Read more about installation of Oracle Java on Centos here on ItekBlog

 

Use alternatives :

alternatives –install /usr/bin/java java /usr/java/latest/jre/bin/java 20000
alternatives –install /usr/bin/javaws javaws /usr/java/latest/jre/bin/javaws 20000

alternatives

and config your default jdk (if you have more then one) using:

using:

alternatives –config java

alternatives-config

 

Test your environment

Just as in the first step: type java -version to see if your have jdk installed.

oraclejavaversion

 

Option B: Install using tar.gz

The advantage of tar.gz installation of the JDK is that we can able to install multiple version of java if required.

The archive can be installed by anyone (not only root users), in any location that you can write to. However, only the root user can install the JDK into the system location.

You need to unpack the .tar.gz file (using tar -xzf) into the  the location where you would like the JDK to be installed.

Unpack the tarball and install the jdk:

tar zxvf jdk-7u<version>-linux-i586.tar.gz

Delete the .tar.gz file if you want to save disk space.

 

Use alternatives :

alternatives –install /usr/bin/java java /path/to/jdk1.7.0_45/bin/java 2
alternatives –config java

read more about installation of jdk in the oracle documentation.

for extended installation tutorial read this post by adam in this blog.

 

JDK 1.6 vs JDK 1.7

read more on What is the difference between jdk 1.6 and 1.7 ?

 

Environment Variables

1
JAVA_HOME

 is a 

1
environment

 variable (in Unix terminologies), or a PATH variable (in Windows terminology) you need to create to point to where Java is installed. ($JAVA_HOME/bin/java should execute the Java runtime).

Why doesn’t the Java SDK installer set JAVA_HOME?

To set it for your current session type at bash:

export JAVA_HOME=/usr/java/jdk1.7.0_05
export PATH=$PATH:$JAVA_HOME/bin

To set the JAVA_HOME permanently we need to add the commands to the ~/.bash_profile file of the user.
We can also add it /etc/profile and then source it to give to all users.

 

Test Environment Variables

use the echo command to check you’ve configured the variables:

echo $JAVA_HOME
echo $PATH

echovars

 

Installing Tomcat

After we have java installed and tested we can continue to the installation of the Tomcat server.

Download Tomcat

Since Apache Tomcat is distributed as binaries, all you have to do is to download it and start it.

Download apache-tomcat-x.x.xx.tar.gz (latest version or any) from Apache Tomcat Homepage

I’ll go with the tomcat 8 – tar.gz package.

centos tomcat

centos tomcat

and using command:

cd /usr/share
wget http://apache.spd.co.il/tomcat/tomcat-8/v8.0.0-RC10/bin/apache-tomcat-8.0.0-RC10.tar.gz

tomcat-wget

verify and extract the download using::

md5sum apache-tomcat-8.0.0-RC10.tar.gz
tar xvzf apache-tomcat-8.0.0-RC10.tar.gz

and I have a /usr/share/apache-tomcat-8.0.0-RC10 folder now.

 

Test Tomcat server

Tomcat by default start on port 8080 you can start the server now by typing at bash:

cd apache-tomcat-8.0.0-RC10
./bin/startup.sh

tomcat-start

 

Now Access the tomcat by connecting your server with a web browser on port 8080.

http://localhost:8080

tomcat

If you cannot access the above Tomcat page, make sure to stop iptables (since CentOS has iptables on by default set to block the Tomcat’s default listening port 8080).

service iptables stop

to permanently disable iptables (NOT RECOMMENDED AT ALL) use:

chkconfig iptables off

Change the Tomcat server port

Locate server.xml in {Tomcat installation folder}/conf/ which is at /usr/share/apache-tomcat-8.0.0-RC10/conf in our case

Find the following:

 <!-- Define a non-SSL HTTP/1.1 Connector on port 8180 -->
    <Connector port="8080" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />

and change the 8080 port to your required port.

 

Start on boot

To start the tomcat service on system boot create the file /etc/init.d/tomcat8 (I am using vi /etc/init.d/tomcat8) and fill it with:

#!/bin/bash 
# description: Tomcat Start Stop Restart 
# processname: tomcat 
# chkconfig: 234 20 80 
JAVA_HOME=/usr/java/jdk1.7.0_05 
export JAVA_HOME 
PATH=$JAVA_HOME/bin:$PATH 
export PATH 
CATALINA_HOME=/usr/share/apache-tomcat-8.0.0-RC10
 
case $1 in 
start) 
sh $CATALINA_HOME/bin/startup.sh 
;; 
stop) 
sh $CATALINA_HOME/bin/shutdown.sh 
;; 
restart) 
sh $CATALINA_HOME/bin/shutdown.sh 
sh $CATALINA_HOME/bin/startup.sh 
;; 
esac 
exit 0

Now set the permissions on the file and the catalina.sh file:

chmod a+x /etc/init.d/tomcat8
chmod a+x /usr/share/apache-tomcat-8.0.0-RC10/bin/catalina.sh

to start/stop/restart the service use:

service tomcat8 start
service tomcat8 restart
service tomcat8 stop

to start the service on boot use:

chkconfig --add tomcat8
chkconfig tomcat8 on

to disable it later you can use off instead of on:

chkconfig tomcat8 off

 

 

That’s it! you have your CentOS Tomcat server working and runing… 

Etay Cohen-Solal
Development Specialist, Artist and Activist
Personal Website
http://etcs.me

DD-WRT set date manually

3 Replies

dd-wrt set date manually

dd-wrt set date manually – In this tutorial I’ll explain how to set the date and time in dd-wrt based routers.

 

dd-wrt set date manually

My dd-wrt system is dd-wrt v24-sp2 (11/02/09) std
(SVN revision 13064M VINT Eko).

It may not work on your system but I’ll explain the basics so you should be able to find your own way.

 

dd-wrt set date manually

in dd-wrt set date manually using command-line. you can do this by:

  • SSH to your dd-wrt machine, or
  • use the web interface to run command line

Becuase ssh is not opened by default on all dd-wrt machines I’ll explain how to set the date and time using the second method – using the web interface. but the same command and rules apply also to SSH connection.

 

Admin Panel

go to your dd-wrt admin managment panel on your browser and view the Administration / Commands page. it may be different in your system version but you should able to find quickly where the Commands page is.

dd-wrt set date

dd-wrt set date

Date

You can use the Date command inside your dd-wrt box to read and set your system time and date.

View current date (NOW)

to view your current date as configured in your dd-wrt machine use the ‘date‘ command.
Just fill the commands input box with ‘date’ and click on the ‘Run Commands‘ button.

date

dd-wrt-date

 

dd-wrt set date manually

Here it may be tricky. I’ve found several online blogs and manuals but nothing worked. to set the dd-wrt date manually I’ve succeded with the following command:

date 022720012014

Month Day Hours Minutes Year
02 27 20 01 2014

 

 

dd-wrt-set-date

 

that’s it. I hope It helped you to configure your dd-wrt set date manually.

Etay Cohen-Solal
Development Specialist, Artist and Activist
Personal Website
http://etcs.me
G-WAN

CentOS G-WAN server installation instructions

1 Reply

CentOS G-WAN Server

CentOS G-WAN server

G-WAN is a web server with scripts in Asm, C, C++, C#, D, Go, Java, Javascript, Lua, Objective-C, Perl, PHP, Python, Ruby and Scala.

G-WAN better uses CPU Cores
to make the Internet of Things
fly thousand times higher !

Leverage legacy servers and
low-consumption CPUs to
do more with less!

G-WAN works best on Linux distributions like Debian or CentOS, both of which offer ‘Desktop’ and ‘Server’ flavors.

 

CentOS G-WAN server installation instructions

CentOS G-WAN installation instructions

 

Installation

choose a location for your installation. for demonstration purposes we’ll install G-WAN to /opt

cd /opt
wget http://gwan.com/archives/gwan_linux64-bit.tar.bz2
tar -xjf gwan_linux64-bit.tar.bz2; cd gwan_linux64-bit
sudo ./gwan
centos g-wan

centos g-wan

use the 32bit version instead (http://gwan.com/archives/gwan_linux32-bit.tar.bz2) if you need.

Test

Then, type http://localhost:8080/ in your browser

centos g-wan

centos g-wan server default homepage

and play with the/gwan/.../csp samples.

 

Programming Languages

If you want to install more Programming Languages read the FAQ – Setup of Programming Languages

To install all 15 languages using the bash script donated by generous user on many Linux distributions (Debian, LinuxMint, CentOS, Fedora, RedHat, Manjaro, Arch Linux and Bridge) use:

cd /opt
wget http://www.as2.com/linux/tools/G-WAN_full-install.tar.bz2
tar -xjf G-WAN_full-install.tar.bz2
./G-WAN_full-install

The installation menu is available in English, German, French and Spanish!

 

Service mode

To start G-WAN as a service (make it start automatically at boot time) use this instructions

with one exception for CentOS in the manual:

instead of:

sudo update-rc.d gwan defaults 95 5

use:

sudo chkconfig gwan on

and you don’t need to restart.

 

What’s next?

check the API and Frequently Asked Questions.

Stackoverflow lists many more examples and will let you search for replies to common questions.

 

And that’s it. you have G-WAN server.

Etay Cohen-Solal
Development Specialist, Artist and Activist
Personal Website
http://etcs.me

iptables examples on CentOS

Overview

“iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.
Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.”

In this tutorial I will give a few essential examples of how to use iptables on CentOS

iptables

There are several ways to configure iptables on CentOS.
The simplest way is to use the command system-config-firewall/system-config-firewall-tui, it will help you set up standard rules like Web Server, FTP Server and a few more.
The second way is to use iptables command to edit the configuration – this method is best for testing since it will NOT save the settings until you run the command:

/etc/init.d/iptables save

The third way is to edit the file /etc/sysconfig/iptables and that is what I will show you today.

iptables chains

First we clear the content of /etc/sysconfig/iptables using:

echo > /etc/sysconfig/iptables

Set all the default chains to DROP and save the file:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

Now we are ready to insert the necessary rules to our chains.

Stateful configuration

Using a stateful rule to allow all established connections:

#Allow all Established connections
-A INPUT -p all -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p all -m state --state ESTABLISHED -j ACCEPT

Some services requires you to allow related connections (ftp,tftp…):

#Allow all Related connections
-A INPUT -p all -m state --state RELATED -j ACCEPT
-A OUTPUT -p all -m state --state RELATED -j ACCEPT

iptables examples

Allow LocalHost

First we need to insert a rule to allow localhost to communicate:

#All localhost
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

Allow Web Browsing

#Out Internet Access
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

#Out Internet Access SSL
-A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

Allow Outgoing SSH

#Out SSH
-A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming SSH

Allow Incoming SSH from a specified subnet/ip address

#In SSH
-A INPUT -p tcp -s 10.0.0.0/24 --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming SSH from all

#In SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming Web Server

#In Internet Access Port 80
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

#In Internet Access SSL Port 443
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

Allow DHCP Client

#In/Out DHCP Client
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT

Allow DHCP Server

#In/Out DHCP Server
-A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT

Allow DNS requests

#Out DNS
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

Allow Incoming ping

#In ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Outgoing ping

#Out ping
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Zabbix Agent

#In Zabbix Agent
-A INPUT -p tcp --dport 10050 -m state --state NEW -j ACCEPT

Allow Outgoing RDP

#Out RDP
-A OUTPUT -p tcp --dport 3389 -m state --state NEW -j ACCEPT

Allow Incoming RDP Server

#In RDP
-A INPUT -p tcp --dport 3389 -m state --state NEW -j ACCEPT

Allow SMTP Server

#In SMTP
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

Allow SMTP Client

#Out SMTP
-A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

Allow SMTPs Server

#In SMTPs
-A INPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT

Allow SMTPs Client

#Out SMTPs
-A OUTPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT

Allow SMTP TLS Server

#In SMTP TLS
-A INPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT

Allow SMTP TLS Client

#Out SMTP TLS
-A OUTPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT

Allow POP Server

#In POP
-A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT

Allow POP Client

#Out POP
-A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT

Allow POPs Server

#In POPs
-A INPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT

Allow POPs Client

#Out POPs
-A OUTPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT

Allow IMAP Server

#In IMAP
-A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT

Allow IMAP Client

#Out IMAP
-A OUTPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT

Allow IMAPs Server

#In IMAPs
-A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT

Allow IMAPs Client

#Out IMAPs
-A OUTPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT

Allow mySQL Server

#In mySQL
-A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

Allow mySQL Client

#Out mySQL
-A OUTPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

Allow NTP Server

#In NTP
-A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

Allow NTP Client

#Out NTP
-A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

Allow rsync

#In rsync
-A INPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT

#Out rsync
-A OUTPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT

Allow rsyslogd

#In rsyslogd
-A INPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 514 -m state --state NEW -j ACCEPT

#Out rsyslogd
-A OUTPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 514 -m state --state NEW -j ACCEPT

Allow SAMBA Server

#In Samba
-A INPUT -p udp --dport 137:139 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dport 139,445 -m state --state NEW -j ACCEPT

Allow NFS Server

NFS uses random ports on startup so we need to fix the port numbers, add the following lines to ‘/etc/sysconfig/nfs’:

RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
RDMA_PORT=20049


#In NFS
-A INPUT -p tcp -m multiport --dport 111,662,875,892,2020,2049,20049,32803 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dport 111,662,875,892,2020,2049,20049,32769 -m state --state NEW -j ACCEPT

Allow TFTP Server

TFTP needs an iptables module called “nf_conntrack_tftp”, edit ‘/etc/sysconfig/iptables-config’ and make sure you have:

IPTABLES_MODULES="nf_conntrack_tftp"


#In TFTP
-A INPUT -p tcp --dport 69 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 69 -m state --state NEW -j ACCEPT

#You also need to allow related OUTPUT
-A OUTPUT -p all -m state --state RELATED -j ACCEPT

Allow Routing

Allow routing between Network-1 to Network-2 using 2 different NICs:

#Allow routing from eth0 to eth1
-A FORWARD -i eth0 -o eth1 -j ACCEPT

Specify port range

For example allow all communication from ports 100-200 to ports 200-300:

-A OUTPUT --sport 100:200 --dport 200:300 -j ACCEPT

Speciy IP Address range

IP Address range requires the ‘iprange’ module,
For example allow all communication to and from 10.0.0.1-10.0.0.100:

-A OUTPUT -m iprange --dst-range 10.0.0.1-10.0.0.100 -j ACCEPT
-A INPUT -m iprange --src-range 10.0.0.1-10.0.0.100 -j ACCEPT

Enjoy!

Adam Mallul
IT specialist with strong development skills
Currently an IT Manager at the Faculty of Engineering, Bar-Ilan University
Personal Website – RaveMaker.Net
http://ravemaker.net
VMWare Workstation start on boot CentOS

SSL handshake failed: SSL error: Key usage violation in certificate has been detected CentOS

1 Reply

SSL handshake failed: SSL error: Key usage violation in certificate has been detected CentOS

Overview

SSL handshake failed: SSL error: Key usage violation in certificate has been detected.

SSL handshake failed: SSL error: Key usage violation in certificate has been detected CentOS.

SSL handshake failed: SSL error: Key usage violation in certificate has been detected CentOS.

 

Fix

You may experience the issue if both of the following conditions are met:

  • VisualSVN Server has a self-signed certificate applied and
  • Subversion client is built against the GnuTLS library.

GnuTLS library is an open-source alternative to OpenSSL. Most Subversion clients for Windows are built against OpenSSL and are not affected by this issue. While some Subversion packages (available mostly on Linux-based operating systems – The subversion that comes with EL 6 is linked against GnuTLS which is a change from older releases which linked against OpenSSL) are built against GnuTLS and are affected.

The server is using an SSL cert was created with the ‘key usage’ extension, and the client is using the gnutls SSL library which doesn’t understand the extension. The solution is either to have the client use the openssl library or to have the server use a cert that doesn’t use the ‘key usage’ extension.

It’s recommended to fix the issue on your server side, but you can workaround it from the client side too.

 

Fix (Server side)

Here is what visualsvn.com say:

It’s not recommended to use a self-signed certificate in a production environment. We advise to use a certificate issued by your domain or a third-party certificate authority instead of a self-signed one.

If you have to use a self-signed certificate please follow the instruction to generate a cerificate without specifying ‘Key Usage’ extension:

Add the following registry value to the Windows registry:

for 32-bit system:

[HKEY_LOCAL_MACHINE\SOFTWARE\VisualSVN\VisualSVN Server]
“CreateGnuTLSCompatibleCertificate”=dword:00000001

for 64-bit system:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VisualSVN\ VisualSVN Server]
“CreateGnuTLSCompatibleCertificate”=dword:00000001

Start VisualSVN Server Manager.
Go to Action | Properties | Certificate.
Click Change certificate… and follow the wizard instructions to generate a new self-signed certificate.

The certificate will be generated without the ‘Key Usage’ extension and will be compatible both with GnuTLS and OpenSSL.

 

Fix (Client side)

The options for client side fix are:

 

That’s it.

Etay Cohen-Solal
Development Specialist, Artist and Activist
Personal Website
http://etcs.me

VMWare Workstation start on boot CentOS

Leave a reply

VMWare Workstation start on boot CentOS

vmware workstation start on boot centos

If you are like me, using VMWare workstation on Linux (CentOS 6.4), and you want to start your virtual machines on boot, I have the answer.

Prerequisities

  • CentOS 6.x. – although the vmrun command may be working in other distributions too.
  • VMWare Workstation 4.0+

 

VMWare Workstation start on boot CentOS

VMWare Workstation start on boot CentOS

 

The Solution

Edit rc.local

add to the end of the following file:

/etc/rc.d/rc.local

the following:

vmrun -T ws start /path/to/machine.vmx nogui

create new line for each machine you want to start on boot.

 

that’s it! that how you run vmware workstation start on boot centos

 

That’s it.

Etay Cohen-Solal
Development Specialist, Artist and Activist
Personal Website
http://etcs.me

tr vs sed – String manipulation commands in Linux/Unix

Leave a reply

Overview

tr and sed are very powerful stream and character manipulation commands, Each has its own advantage with string manipulation.
tr vs sed - String manipulation commands in Linux/Unix
 

tr vs sed usage and examples

Replace “hi” with “bye”

echo "hi hi" | sed 's/hi/bye/g'
output: bye bye


echo "hi hi" | tr 'hi' 'bye'
output: by by

While sed can replace strings tr can only replace characters,
so with complete string replacement sed is the way to go.
 
Replace “good” with “bad”
echo "good good" | sed 's/good/bad/g'
output: bad bad


echo "good good" | tr 'good' 'bad'
output: bddd bddd

tr is more like a mapping command, it’s like a set of rules:
The char “g=b”, the char “o=a”,”o=d” the last one will be the active one “o=d”.
 
Change ‘ ‘ to a new line:
echo "line1 line2" | tr ' ' '\n'
output:
line1
line1


echo "line1 line2" |sed -e 's/\s\s*/\n/g'
output:
line1
line1

 
As you can see tr is a lot easier for this job.
 
 
Enjoy.

Adam Mallul
IT specialist with strong development skills
Currently an IT Manager at the Faculty of Engineering, Bar-Ilan University
Personal Website – RaveMaker.Net
http://ravemaker.net