Mar 11

wwwscan is a very good free website security scanner tool. It can help you check and improve your website's security level; I hope it is useful to you.

<Usage>:  wwwscan <HostName|Ip> [Options]
<Options>:
          -p port        : set http/https port
          -m thread      : set max thread
          -t timeout     : tcp timeout in seconds
          -r rootpath    : set root path to scan
          -ssl           : will use ssl
<Example>:
          wwwscan www.target.com -p 8080 -m 10 -t 16
          wwwscan www.target.com -r "/test/" -p 80
          wwwscan www.target.com -ssl

You can download it from here.

Mar 10

Almost two months after RHEL 5.4, CentOS 5.4 was released on the 21st of October. This version includes various changes in the virtualization area: it supports both the KVM (Kernel-based Virtual Machine) hypervisor and the Xen hypervisor.

This release also features many bug fixes and security updates, and should be an easy upgrade for users already running CentOS 5.x:
yum update

For the full list of packages changed or added, please see the CentOS 5.4 release notes: http://wiki.centos.org/Manuals/ReleaseNotes/CentOS5.4

Mar 09

Here's an interesting one: what if you have a MySQL replication setup and the slave stops replicating with a syntax error? The slave should be executing the exact same commands as the master, right? Well, as it turns out, yes and no. There is a bug in MySQL that has been fixed in 5.0.56 according to the bug report. It's a long story and worth the read, but what happens is that a timeout in the network connection between the master and the slave can cause the master to resend part of a packet it sent before. The slave handled the previous packet correctly, so it is not expecting a resend, and as a result it starts writing garbage to the relay log (which is where it stores the statements it will execute). The SQL command gets mangled in the process and when the slave tries to execute it, voila, a syntax error.

To fix this you can use the CHANGE MASTER command to point the slave at the master binlog file and position that show up in the SHOW SLAVE STATUS output. Make sure you use the Relay_Master_Log_File and Exec_Master_Log_Pos fields, since they indicate the position in the master binlog that the slave actually thought it was executing; the Master_Log_File and Read_Master_Log_Pos fields describe what the I/O thread has read, which is the part that may contain the garbage. Keep in mind that corruption and its effects are hard to predict, so it will definitely be useful to compare the master and slave afterwards using the Maatkit tools.

As some more background, the server error log will probably show an error like this, indicating that there was a network error:
[ERROR] Error reading packet from server: Lost connection to MySQL server during query (server_errno=2013)

And finally, if you do read the entire bug thread you will notice that the original developer of MySQL also has an opinion on this.
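As an added example (not part of the original post), here is a small shell script that automates the two pieces of the procedure above: it extracts Relay_Master_Log_File and Exec_Master_Log_Pos from the output of SHOW SLAVE STATUS\G and prints the STOP SLAVE / CHANGE MASTER / START SLAVE sequence, and it counts the server_errno=2013 lines in the error log that point at the network timeout behind the corruption. The status output and log lines are constructed samples, not taken from a real server.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the repair statement from
# the two fields the post says to use (Relay_Master_Log_File and
# Exec_Master_Log_Pos) and counts the "server_errno=2013" lines that show the
# lost connection. All input below is constructed sample data.

# Constructed sample of "SHOW SLAVE STATUS\G" output (not a real server).
sample_status() {
    cat <<'EOF'
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: master.example.invalid
              Master_Log_File: mysql-bin.000123
          Read_Master_Log_Pos: 987654
        Relay_Master_Log_File: mysql-bin.000123
             Slave_IO_Running: Yes
            Slave_SQL_Running: No
          Exec_Master_Log_Pos: 654321
                   Last_Errno: 1064
                   Last_Error: Error 'You have an error in your SQL syntax' on query.
EOF
}

# Print the value of one "Name: value" field from status text on stdin.
status_field() {
    awk -v want="$1:" '$1 == want { print $2; exit }'
}

# Build "STOP SLAVE; CHANGE MASTER ...; START SLAVE;" from status text on
# stdin. Uses the *executed* position rather than Read_Master_Log_Pos, because
# the relay log beyond the executed point is where the resent garbage lives.
change_master_from_status() {
    status=$(cat)
    file=$(printf '%s\n' "$status" | status_field Relay_Master_Log_File)
    pos=$(printf '%s\n' "$status" | status_field Exec_Master_Log_Pos)
    case "$pos" in
        ''|*[!0-9]*) echo "Exec_Master_Log_Pos missing or not numeric" >&2; return 1 ;;
    esac
    [ -n "$file" ] || { echo "Relay_Master_Log_File missing" >&2; return 1; }
    printf "STOP SLAVE; CHANGE MASTER TO MASTER_LOG_FILE='%s', MASTER_LOG_POS=%s; START SLAVE;\n" "$file" "$pos"
}

# Constructed sample of a slave's error log (not a real log).
sample_error_log() {
    cat <<'EOF'
100310 12:01:02 [Note] Slave I/O thread: connected to master 'repl@master.example.invalid:3306'
100310 12:45:10 [ERROR] Error reading packet from server: Lost connection to MySQL server during query (server_errno=2013)
100310 12:45:11 [Note] Slave I/O thread: Failed reading log event, reconnecting to retry
100310 12:45:12 [ERROR] Slave: Error 'You have an error in your SQL syntax' on query. Error_code: 1064
EOF
}

# Count "Lost connection ... server_errno=2013" lines in an error log on stdin.
count_lost_connections() {
    grep -c 'server_errno=2013' || true
}

# Stand-alone run on the constructed data. On a real slave you would pipe in
# "mysql -e 'SHOW SLAVE STATUS\G'" and the actual error log instead.
sample_status | change_master_from_status
echo "lost-connection events in sample log: $(sample_error_log | count_lost_connections)"
```

The script only prints the statement; run it against the slave yourself once you have confirmed the position, and compare the two servers afterwards as the post suggests.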

Mar 08

Tuning kernel parameters can improve Linux socket I/O performance. The sysctl.conf settings below apply to Fedora, Red Hat and CentOS as well as other Linux flavors. They improve your server's network performance and give some limited protection against DDoS attacks as well. Two caveats: the per-interface lines assume your NIC is called eth0, and turning off window scaling, SACK and timestamps (as done further down) limits the TCP window to 64 KB, which costs throughput on high-bandwidth, high-latency links, so keep those three at 1 if that applies to your server. After editing /etc/sysctl.conf, apply it with sysctl -p.

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables packet forwarding
net.ipv4.ip_forward=0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable logging of spoofed packets, source-routed packets and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 400

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Lower syn retry rates
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range (the upper bound must not exceed 65535)
net.ipv4.ip_local_port_range = 16384 65535
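A file like the one above only helps if it was actually applied and nobody changed the values afterwards. As an added example (not part of the original post), the script below compares a sysctl.conf fragment against the values a kernel reports and lists every key that is missing or differs. Both inputs are constructed strings here; on a live host you would pass the real file and the output of sysctl -a instead.

```shell
#!/bin/sh
# Added example, not from the original post: a drift check between a
# sysctl.conf fragment and the values the kernel actually reports. Both inputs
# below are constructed; on a real host use the file and `sysctl -a` output.

# Normalise sysctl.conf / "sysctl -a" lines to "key value": drop comments and
# blanks, accept "key=value" and "key = value", collapse runs of whitespace.
parse_sysctl_conf() {
    sed -e 's/#.*//' \
        -e 's/[[:space:]]*=[[:space:]]*/ /' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' \
        -e '/^$/d'
}

# Look up one key in normalised "key value" text on stdin.
lookup_key() {
    awk -v k="$1" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Report every key of the expected conf ($1) whose value in the current
# snapshot ($2) differs or is absent. Returns 1 if anything differs.
sysctl_drift() {
    expected=$(printf '%s\n' "$1" | parse_sysctl_conf)
    current=$(printf '%s\n' "$2" | parse_sysctl_conf)
    drift=0
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(printf '%s\n' "$current" | lookup_key "$key")
        if [ -z "$have" ]; then
            printf 'MISSING %s (expected "%s")\n' "$key" "$want"
            drift=$((drift + 1))
        elif [ "$have" != "$want" ]; then
            printf 'DRIFT   %s: expected "%s", got "%s"\n' "$key" "$want" "$have"
            drift=$((drift + 1))
        fi
    done <<EOF
$expected
EOF
    if [ "$drift" -gt 0 ]; then
        echo "$drift setting(s) differ from the configuration file"
        return 1
    fi
    echo "all settings match"
}

# Constructed subset of the sysctl.conf above.
EXPECTED_CONF='# subset of the hardening file
net.ipv4.ip_forward=0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.ip_local_port_range = 16384 65535'

# Constructed "sysctl -a" style snapshot: forwarding was turned on, martian
# logging never applied, and the port range key is absent entirely.
CURRENT_SNAPSHOT='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 0'

# Stand-alone run on the constructed data. On a live host:
#   sysctl_drift "$(cat /etc/sysctl.conf)" "$(sysctl -a 2>/dev/null)"
sysctl_drift "$EXPECTED_CONF" "$CURRENT_SNAPSHOT" || true
```

Run from cron, the non-zero exit status makes a handy alert condition: drift in ip_forward or rp_filter is exactly the kind of silent change you want to hear about.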

Mar 07

To get a summary of the available and used disk space on your Linux system, type the df command in a terminal window. The command df stands for "disk filesystem". With the -h option (df -h) it shows the disk space in "human readable" form, which in this case means that it gives you the units along with the numbers.

The output of the df command is a table with four columns. The first column contains the file system path, which can be a reference to a hard disk or another storage device, or a file system connected through the network. The second column shows the capacity of that file system. The third column shows the available space, and the last column shows the path on which that file system is mounted. The mount point is the place in the directory tree where you can find and access that file system.

The du command, on the other hand, shows the disk space used by the files and directories in the current directory. Again the -h option (du -h) makes the output easier to comprehend.

By default, the du command lists all subdirectories to show how much disk space each one occupies. This can be avoided with the -s option (du -h -s), which only shows a summary, namely the combined disk space used by all subdirectories. If you want to show the disk usage of a directory (folder) other than the current directory, simply put that directory name as the last argument, for example du -h -s website, where "website" would be a subdirectory of the current directory.
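Reading these tables by eye is fine on one box; on many, you want a script to do it. As an added example (not part of the original post), here are two small parsers for the output formats described above: one flags filesystems whose usage is at or above a threshold, the other picks the largest directory out of a du listing. Both inputs are constructed samples; on a live host pipe in df -P (the POSIX one-line-per-filesystem format, which keeps the columns parseable) and du -sk * instead.

```shell
#!/bin/sh
# Added example, not from the original post: parsers for `df -P` and `du -sk`
# output so the numbers can feed a monitoring check. Inputs are constructed.

# Constructed `df -P` output (POSIX format: one line per filesystem).
sample_df() {
    cat <<'EOF'
Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1         20511356 17811204   1654828      92% /
/dev/sdb1        961432072 12345678 900245312       2% /var/www
tmpfs              4085028        0   4085028       0% /dev/shm
EOF
}

# Print "mountpoint used%" for every filesystem at or above $1 percent
# (default 90). Skips the header line.
df_over_threshold() {
    awk -v t="${1:-90}" 'NR > 1 {
        pct = $5; sub(/%/, "", pct)
        if (pct + 0 >= t + 0) print $6, pct "%"
    }'
}

# Constructed `du -sk *` output: size in kilobytes, then the directory name.
sample_du() {
    cat <<'EOF'
1532860 logs
40212   website
980     etc
EOF
}

# Largest entry of du -k output, printed as "name kilobytes".
du_largest() {
    sort -n | tail -n 1 | awk '{ print $2, $1 }'
}

# Stand-alone run on the constructed data. Live equivalents:
#   df -P | df_over_threshold 90      and      du -sk * | du_largest
sample_df | df_over_threshold 90
echo "largest directory: $(sample_du | du_largest)"
```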

Mar 06

Google will start pushing for a faster web next year, and there have been several rumors in the SEO and marketing world that Google will add page speed to its ranking algorithm. They have now announced that Google will offer a free DNS service.

First off, this is great. It should speed up DNS lookups for many sites, and if the service takes off, it should take load off your own name servers.

The focus on speed is very clear: the Google Public DNS page lists it first among the advantages. It also points to the speed problems caused by DNS latency.

Google Public DNS IP addresses

The Google Public DNS IP addresses are as follows:

  • 8.8.8.8
  • 8.8.4.4
Mar 05


Installing a DHCP server on Debian Linux is actually not that hard.

I assume you have the following configuration on your host:

2 NICs:
eth0 (for the internal network)
eth1 (for the internet)

1. Setting up your eth0 for dhcp use

The most important thing you need to do is configure a static IP address on the internal interface.

I will use 192.168.10.x as my IP address range.

Type the following command: nano /etc/network/interfaces

And be sure the settings are the same as below:

auto eth0
iface eth0 inet static
address 192.168.10.1
netmask 255.255.255.0
network 192.168.10.0
broadcast 192.168.10.255

After you have modified the file press Ctrl+X; you will get a confirmation asking whether to save the file. Answer Y and press Enter.

To restart the network interface, type:

/etc/init.d/networking restart

and press Enter.

2. Install and configure the dhcp server

If you have completed the step above, we are going to install the DHCP server and configure it.

First let's install the package:

apt-get install dhcp3-server

After a while it shows a blue screen with a warning. Just press Enter and let it install.

When it has finished installing, the server will not start yet. We need to bind it to an interface and give it an IP range to lease.

2.1 Binding the interface

Enter the following command and press Enter:

nano /etc/default/dhcp3-server

Edit the following line

INTERFACES=""
to
INTERFACES="eth0"

(eth0 is the internal interface that got the static 192.168.10.1 address in step 1. The DHCP server has to listen there: the subnet declared below lives on eth0, and dhcpd refuses to start on an interface that has no matching subnet declaration. The internet-facing eth1 is also the wrong place to be handing out addresses.)

After you have modified the file press Ctrl+X; you will get a confirmation asking whether to save the file. Answer Y and press Enter.

2.2 Configuring the DHCP leases

We are at the final step, and after that we have a full DHCP server running!

We are not going to use the default config file of the DHCP server, but we will keep a copy of it.

go to the following directory:

cd /etc/dhcp3/

Make a backup copy of the following config file by typing the following command:

cp dhcpd.conf dhcpd.old.conf

And press Enter.

Now remove the file you have just backed up:

rm dhcpd.conf

Now we create the new dhcpd.conf, as promised; type:

nano dhcpd.conf

Now copy/paste the following into the file:

subnet 192.168.10.0 netmask 255.255.255.0 {
range 192.168.10.10 192.168.10.100;
option domain-name-servers 192.168.1.1;
option domain-name "Failserver.nl";
option netbios-name-servers 192.168.10.1;
option routers 192.168.10.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.10.255;
default-lease-time 86400;
max-lease-time 676800;
}

After you have modified the file press Ctrl+X; you will get a confirmation asking whether to save the file. Answer Y and press Enter.

Now restart the DHCP3 server

/etc/init.d/dhcp3-server restart
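The three files edited above have to agree with each other: the lease range and the router must fall inside the declared subnet, and INTERFACES= must name the interface that carries that subnet. As an added example (not part of the original post), the script below checks exactly that over constructed copies of the file contents, so a typo is caught before dhcpd is restarted. It assumes the interface names and addresses used in this post.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks over constructed
# copies of dhcpd.conf, /etc/network/interfaces and /etc/default/dhcp3-server.
# Catches a range or router outside the subnet and a daemon bound to the
# wrong (internet-facing) interface.

# Dotted-quad IPv4 address to an integer, for netmask arithmetic.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when address $1 lies inside network $2 with netmask $3.
in_subnet() {
    ip_i=$(ip_to_int "$1") && net_i=$(ip_to_int "$2") && mask_i=$(ip_to_int "$3") || return 2
    [ $(( ip_i & mask_i )) -eq $(( net_i & mask_i )) ]
}

# dhcpd.conf text on stdin; prints each problem, returns the problem count.
check_dhcp_range() {
    set -- $(awk '
        $1 == "subnet" { net = $2; mask = $4 }
        $1 == "range"  { lo = $2; hi = $3; sub(/;$/, "", hi) }
        $1 == "option" && $2 == "routers" { gw = $3; sub(/;$/, "", gw) }
        END { print (net ? net : "-"), (mask ? mask : "-"), (lo ? lo : "-"), (hi ? hi : "-"), (gw ? gw : "-") }')
    net=$1; mask=$2; lo=$3; hi=$4; gw=$5; problems=0
    for a in "$lo" "$hi" "$gw"; do
        if ! in_subnet "$a" "$net" "$mask"; then
            echo "PROBLEM: $a is outside $net/$mask"; problems=$((problems + 1))
        fi
    done
    if lo_i=$(ip_to_int "$lo") && hi_i=$(ip_to_int "$hi") && [ "$lo_i" -gt "$hi_i" ]; then
        echo "PROBLEM: range start $lo is above range end $hi"; problems=$((problems + 1))
    fi
    return $problems
}

# interfaces(5) text on stdin; prints the interface whose static address lies
# inside network $1 / netmask $2.
iface_in_subnet() {
    awk '$1 == "iface" { cur = $2 } $1 == "address" { print cur, $2 }' |
    while read -r name addr; do
        if in_subnet "$addr" "$1" "$2"; then echo "$name"; break; fi
    done
}

# /etc/default/dhcp3-server text on stdin; prints the bound interface name.
bound_interface() {
    sed -n 's/^INTERFACES="\([^"]*\)".*/\1/p'
}

# Succeeds when INTERFACES= (text $1) names the interface that, according to
# the interfaces file (text $2), carries network $3 / netmask $4.
check_binding() {
    want=$(printf '%s\n' "$2" | iface_in_subnet "$3" "$4")
    have=$(printf '%s\n' "$1" | bound_interface)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Constructed copies of the files from this post.
DHCPD_CONF='subnet 192.168.10.0 netmask 255.255.255.0 {
range 192.168.10.10 192.168.10.100;
option domain-name-servers 192.168.1.1;
option routers 192.168.10.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.10.255;
default-lease-time 86400;
max-lease-time 676800;
}'
INTERFACES_CONF='auto eth0
iface eth0 inet static
address 192.168.10.1
netmask 255.255.255.0

auto eth1
iface eth1 inet dhcp'
DHCP_DEFAULTS='INTERFACES="eth0"'

# Stand-alone run; on the real host feed the files in with cat/"$(cat ...)".
printf '%s\n' "$DHCPD_CONF" | check_dhcp_range && echo "lease range and router are inside the subnet"
check_binding "$DHCP_DEFAULTS" "$INTERFACES_CONF" 192.168.10.0 255.255.255.0 \
    && echo "dhcpd is bound to the internal interface" \
    || echo "PROBLEM: dhcpd is not bound to the interface carrying 192.168.10.0/24"
```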

Mar 04

Here I am going to write about Linux software RAID. If yours is very slow, you can check it the way I did; I hope it helps you.
So I had an ASUS P6T motherboard, which has an Intel ICH10R RAID controller, 3x 1 Tb SATA 2 HDDs and an Intel Core i7 920 processor, and I wanted to install Fedora 10 on that machine.
After configuring RAID 5 in the BIOS I booted the Fedora 10 installation DVD to start the installation. BUT! Suddenly I saw that Anaconda saw 3 separate hard drives instead of 1 RAID device. After some googling I figured out that my motherboard doesn't have a real RAID controller. Instead it is a fakeraid controller: just software RAID whose software is located in the BIOS. So I decided to use Linux software RAID, because it is definitely better than the one from ASUS.
So I installed Fedora 10 with Linux software RAID 5 and LUKS encryption. After installation the machine started to work very slowly. I thought it was because of the encryption, but after some googling I understood that the encryption can't slow the machine down that much. The thing is that when you newly create a RAID 5 array it needs to build the 3rd hard drive, and that takes a lot of time. It took approximately 4 hours to finish that operation on 1 Tb hard drives. You can check the rebuild status at any time by invoking one of the following commands:

# cat /proc/mdstat

or

# mdadm --detail /dev/md0

After the rebuild was over, and after some tuning, I had ~90 Mb/s write and ~200 Mb/s read.

The tuning parameters were:

echo 32768 > /sys/block/md0/md/stripe_cache_size
blockdev --setra 65536 /dev/md0
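The two commands the post gives for checking the rebuild are easy to read by hand but awkward to monitor. As an added example (not part of the original post), here is a small /proc/mdstat parser that reports, per array, whether it is degraded and how far a recovery or resync has progressed, which is exactly the state behind the slow machine described above. The mdstat text is a constructed sample; on a live host read /proc/mdstat itself.

```shell
#!/bin/sh
# Added example, not from the original post: a /proc/mdstat parser that reports
# degraded arrays and rebuild progress. The mdstat text is a constructed sample.

# Constructed /proc/mdstat: a healthy RAID 1 and a RAID 5 rebuilding its 3rd disk.
sample_mdstat() {
    cat <<'EOF'
Personalities : [raid1] [raid5]
md1 : active raid1 sda2[0] sdb2[1]
      524224 blocks [2/2] [UU]

md0 : active raid5 sdc1[3] sdb1[1] sda1[0]
      1953519872 blocks level 5, 64k chunk, algorithm 2 [3/2] [UU_]
      [=====>...............]  recovery = 27.3% (266723456/976759936) finish=192.5min speed=61438K/sec

unused devices: <none>
EOF
}

# One line per array: "<dev> <level> <ok|DEGRADED> <idle|rebuilding PCT eta T>".
# "[3/2]" means 3 devices expected, 2 active: fewer active than expected is degraded.
mdstat_summary() {
    awk '
        /^md[0-9]+ :/ { dev = $1; level = $4; state = "unknown"; next }
        dev && match($0, /\[[0-9]+\/[0-9]+\]/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), n, "/")
            state = (n[2] + 0 < n[1] + 0) ? "DEGRADED" : "ok"
        }
        dev && match($0, /(recovery|resync|reshape) *= *[0-9.]+%/) {
            pct = substr($0, RSTART, RLENGTH); sub(/.*= */, "", pct)
            eta = "?"; if (match($0, /finish=[^ ]+/)) eta = substr($0, RSTART + 7, RLENGTH - 7)
            printf "%s %s %s rebuilding %s eta %s\n", dev, level, state, pct, eta; dev = ""
        }
        dev && (/^$/ || /^unused/) { printf "%s %s %s idle\n", dev, level, state; dev = "" }
    '
}

# Number of degraded arrays in mdstat text on stdin (0 is what you want).
degraded_arrays() {
    mdstat_summary | grep -c DEGRADED || true
}

# Stand-alone run on the constructed data; live: mdstat_summary < /proc/mdstat
sample_mdstat | mdstat_summary
echo "degraded arrays: $(sample_mdstat | degraded_arrays)"
```

A degraded array that is not rebuilding is the case to alert on: it means a disk dropped out and no spare took over, and the next failure loses the data.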
Mar 03

If you want to grant remote access privileges to a database on your server, follow these steps.

First log in through SSH on your server and open a MySQL shell as an account that is allowed to grant privileges (root here):

$ mysql -u root -p

Note: db_user and db_passwd are the database username and password you are handing out, and db_base is the database they get access to.

GRANT ALL PRIVILEGES ON db_base.* TO 'db_user'@'%' IDENTIFIED BY 'db_passwd';

(On MySQL 8.0 and later, GRANT no longer accepts IDENTIFIED BY; create the account with CREATE USER first and then run the GRANT.)

The '%' host part allows connections from any address. It is safer to grant access only from a specific IP address:

GRANT ALL PRIVILEGES ON failserv_example.* TO 'failserver'@'xx.xx.xx.xx' IDENTIFIED BY 'db_passwd';

(where x is your own remote IP)

Then reload the grant tables to activate your setting:

FLUSH PRIVILEGES;

And exit MySQL:

mysql> quit

Mar 02

If you run a busy DNS server or any other service that generates a lot of UDP traffic, it's possible that your default iptables conntrack settings (connection tracking entries in kernel memory) are too low and netfilter is unable to track all your sessions.

The error is usually something like this:

Sep 10 12:53:44 hostname01 kernel: ip_conntrack: table full, dropping packet.

You need to tune the sysctl value net.ipv4.ip_conntrack_max; say, double it or more, and see if you still get the error messages on the console or in syslog.

Depending on your OS, the formula for calculating the maximum number of conntrack sessions your box can handle is as follows:

The size of each session record really depends on the kernel config and many other compile options. For 2.6.* kernels it is around 300 bytes.

You can also easily check the current usage of connection tracking:

wc -l /proc/net/ip_conntrack

Default sysctl settings for Red Hat Enterprise boxes; possibly the same applies to Fedora and CentOS.

net.ipv4.netfilter.ip_conntrack_tcp_max_retrans = 3
net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 0
net.ipv4.netfilter.ip_conntrack_tcp_loose = 3
net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300
net.ipv4.netfilter.ip_conntrack_log_invalid = 0
net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.netfilter.ip_conntrack_checksum = 1
net.ipv4.netfilter.ip_conntrack_buckets = 8192
net.ipv4.netfilter.ip_conntrack_count = 18988
net.ipv4.netfilter.ip_conntrack_max = 34576

You can decrease net.ipv4.netfilter.ip_conntrack_tcp_timeout_established by half, at least:

sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=216000

I hope this helps you with your Linux server network stack tuning. Good luck!
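Before raising ip_conntrack_max, it is worth knowing how full the table really is and what is filling it. As an added example (not part of the original post), the script below measures table usage against the maximum, breaks the entries down by protocol (to confirm that UDP, i.e. DNS, is the culprit), and counts the kernel's "table full" messages. The table dump and log lines are constructed samples in the 2.6-era /proc/net/ip_conntrack format; on a live host use that file (or /proc/net/nf_conntrack on newer kernels) and the kernel log.

```shell
#!/bin/sh
# Added example, not from the original post: conntrack table usage, per-protocol
# breakdown and "table full" event count. All input below is constructed.

# Constructed snapshot in /proc/net/ip_conntrack format (2.6 kernels).
sample_conntrack() {
    cat <<'EOF'
udp      17 29 src=10.0.0.5 dst=10.0.0.53 sport=43210 dport=53 packets=1 bytes=60 src=10.0.0.53 dst=10.0.0.5 sport=53 dport=43210 packets=1 bytes=120 [ASSURED] use=1
udp      17 17 src=10.0.0.6 dst=10.0.0.53 sport=50001 dport=53 packets=1 bytes=58 [UNREPLIED] src=10.0.0.53 dst=10.0.0.6 sport=53 dport=50001 packets=0 bytes=0 use=1
udp      17 3 src=10.0.0.7 dst=10.0.0.53 sport=50002 dport=53 packets=1 bytes=61 [UNREPLIED] src=10.0.0.53 dst=10.0.0.7 sport=53 dport=50002 packets=0 bytes=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.8 dst=10.0.0.53 sport=51234 dport=22 packets=40 bytes=4000 src=10.0.0.53 dst=10.0.0.8 sport=22 dport=51234 packets=30 bytes=6000 [ASSURED] use=1
icmp     1 29 src=10.0.0.9 dst=10.0.0.53 type=8 code=0 id=1 packets=1 bytes=84 src=10.0.0.53 dst=10.0.0.9 type=0 code=0 id=1 packets=1 bytes=84 use=1
EOF
}

# Entries per protocol, sorted: shows whether UDP (DNS) is what fills the table.
conntrack_by_proto() {
    awk '{ n[$1]++ } END { for (p in n) print p, n[p] }' | sort
}

# Percentage of the table in use, given the entry count and ip_conntrack_max.
conntrack_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Warn (and return 1) when usage reaches the threshold percent (default 80).
conntrack_check() {  # count max [threshold]
    pct=$(conntrack_pct "$1" "$2")
    if [ "$pct" -ge "${3:-80}" ]; then
        echo "WARNING: conntrack table ${pct}% full ($1 of $2): raise ip_conntrack_max or shorten timeouts"
        return 1
    fi
    echo "conntrack table ${pct}% full ($1 of $2)"
}

# Count "table full, dropping packet" events in kernel log lines on stdin.
# Matches both the ip_conntrack and the newer nf_conntrack wording.
conntrack_drops() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# Constructed syslog excerpt (not a real log).
sample_kernel_log() {
    cat <<'EOF'
Sep 10 12:53:44 hostname01 kernel: ip_conntrack: table full, dropping packet.
Sep 10 12:53:44 hostname01 kernel: ip_conntrack: table full, dropping packet.
Sep 10 12:53:45 hostname01 named[1234]: client 10.0.0.5#43210: query: example.invalid IN A
EOF
}

# Stand-alone run on the constructed data. Live equivalents:
#   wc -l < /proc/net/ip_conntrack   and   sysctl -n net.ipv4.netfilter.ip_conntrack_max
sample_conntrack | conntrack_by_proto
conntrack_check "$(sample_conntrack | wc -l)" 34576 || true
conntrack_check 18988 34576 || true
echo "table-full events: $(sample_kernel_log | conntrack_drops)"
```

With the default figures from the listing above (18988 of 34576) the table is a little over half full, which is why the post's advice to double ip_conntrack_max and shorten the established timeout is a sensible first step; the per-protocol breakdown tells you whether the UDP timeouts are the ones worth lowering.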
