Tuesday, October 7, 2008

Cherokee web server - the next generation?

Today I was surfing the net while running some loong SELECT statements on a MySQL server. On the linuxquestions forum I found a thread about a new web server called Cherokee. People said Cherokee is supposed to be quite fast (twice as fast as Apache!), so I had to try it out myself!

I compiled Cherokee with basic settings and used the default configuration files to run the tests; all I wanted to do was test how fast Cherokee really is.

For the first test I used Cherokee's default index page (about 1700 bytes). I used Apache Benchmark (ab) to test the capacity of the web servers: 20 concurrent connections and 100k requests.

Here are the results:


Server Software: Apache/2.2.6
Server Hostname: localhost
Server Port: 80

Document Path: /index.html
Document Length: 1795 bytes

Concurrency Level: 20
Time taken for tests: 43.383405 seconds
Complete requests: 100000
Failed requests: 0
Write errors: 0
Total transferred: 206406192 bytes
HTML transferred: 179505385 bytes
Requests per second: 2305.03 [#/sec] (mean)
Time per request: 8.677 [ms] (mean)
Time per request: 0.434 [ms] (mean, across all concurrent requests)
Transfer rate: 4646.20 [Kbytes/sec] received


Server Software: Cherokee/0.9.3
Server Hostname: localhost
Server Port: 80

Document Path: /index.html
Document Length: 1795 bytes

Concurrency Level: 20
Time taken for tests: 24.177908 seconds
Complete requests: 100000
Failed requests: 0
Write errors: 0
Total transferred: 199401994 bytes
HTML transferred: 179501795 bytes
Requests per second: 4136.01 [#/sec] (mean)
Time per request: 4.836 [ms] (mean)
Time per request: 0.242 [ms] (mean, across all concurrent requests)
Transfer rate: 8053.96 [Kbytes/sec] received

As you can see, Cherokee is almost twice as fast at serving a single small file. The developers at http://www.cherokee-project.com say they have developed some über-cool I/O gadget that makes this possible.

I also wanted to test with a somewhat bigger file. This time we're using a 1.7 megabyte JPG image:

Server Software: Apache/2.2.6
Server Hostname: localhost
Server Port: 80

Document Path: /playboy/1.jpg
Document Length: 1791791 bytes

Concurrency Level: 20
Time taken for tests: 52.58448 seconds
Complete requests: 10000
Failed requests: 0
Write errors: 0
Total transferred: 740870816 bytes
HTML transferred: 738040816 bytes
Requests per second: 192.09 [#/sec] (mean)
Time per request: 104.117 [ms] (mean)
Time per request: 5.206 [ms] (mean, across all concurrent requests)
Transfer rate: 13897.96 [Kbytes/sec] received

And Cherokee:

Server Software: Cherokee/0.9.3
Server Hostname: localhost
Server Port: 80

Document Path: /playboy/1.jpg
Document Length: 1791791 bytes

Concurrency Level: 20
Time taken for tests: 47.941745 seconds
Complete requests: 10000
Failed requests: 0
Write errors: 0
Total transferred: 740070816 bytes
HTML transferred: 738040816 bytes
Requests per second: 208.59 [#/sec] (mean)
Time per request: 95.883 [ms] (mean)
Time per request: 4.794 [ms] (mean, across all concurrent requests)
Transfer rate: 15075.07 [Kbytes/sec] received

As you can see, this time the difference is next to nothing.

So, which of the web servers is really faster? Can't say. Apache was the default installation that comes with Fedora Core, while Cherokee was compiled from source. We tested only one static file. In a few days I'm going to run a test including Apache, Lighty, Nginx and Cherokee, testing static files (multiple files!), PHP scripts and all the other kewl stuff. Then we'll see which of 'em is really faster!

Monday, October 6, 2008

How to compile Lighttpd on CentOS

It's very easy and very fast to compile Lighty on your Linux box with default settings. Here's an example of how to compile Lighttpd 1.4.20 on CentOS 5.1.

1) Download the latest version of lighty from http://www.lighttpd.net/download.

2) Extract the contents to your template directory.

3) Run ./configure. I want to install the application somewhere other than the default location, so I use the --prefix option:

[root@cluster1 lighttpd-1.4.20]# ./configure --prefix=/opt/lighttpd-1.4.20

4) After configuring, you get a list of which modules and features are enabled:

enabled:
mod_access
mod_accesslog
mod_alias
mod_auth
mod_cgi
mod_compress
mod_dirlisting
mod_evhost
mod_expire
mod_extforward
mod_fastcgi
mod_flv_streaming
mod_indexfiles
mod_proxy
mod_redirect
mod_rewrite
mod_rrdtool
mod_scgi
mod_secdownload
mod_setenv
mod_simple_vhost
mod_ssi
mod_staticfile
mod_status
mod_trigger_b4_dl
mod_userdir
mod_usertrack
mod_webdav
disabled:
mod_cml
mod_magnet
mod_mysql_vhost

Features:

enabled:
auth-crypt
compress-bzip2
compress-deflate
compress-gzip
large-files
network-ipv6
regex-conditionals
disabled:
auth-ldap
network-openssl
stat-cache-fam
storage-gdbm
storage-memcache
webdav-locks
webdav-properties

5) Run make and, after that, make install.

6) If you use a prefix other than the default, you have to copy lighttpd.conf manually. After that you have to create the default directories (htdocs and the log directory) manually.

7) Start lighty with the -f option to specify the configuration file:

[root@cluster1 man1]# ./lighttpd -f /etc/lighttpd/lighttpd.conf

8) Connect to localhost:80 with your web browser!

Argument list too long

Have you ever seen this very annoying error message? I bet you have!

I had to move little over 36k files in one directory to another box. Scp and both let me know there's too many files for them to handle. So what to do?

Each system has a hard limit on the total size of the argument list a command can receive. To check it, type getconf ARG_MAX, which prints the maximum for your box.

You can work around this easily with tar. Just pre-build a list of filenames and then pass the list to tar:


find . -iname '*.gif' > list.txt
tar czvf files.tar.gz --files-from list.txt


Sit back and enjoy the ride while your box archives your files!
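As an added example (not from the original post), here is a small POSIX shell script that does the same job with a NUL-separated list, so filenames with spaces or newlines survive, plus a rough check of how close a list is to ARG_MAX. It assumes GNU tar (for --null and --files-from) and a find that supports -print0; the function names and the 3000-file sample directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: archive every matching file
# through a NUL-separated file list instead of a shell glob, so the argument
# list handed to tar never grows with the number of files and never hits
# ARG_MAX. find -print0 / tar --null also keep names with spaces or newlines
# intact, which a plain "find > list.txt" does not.
# Assumes GNU tar (--null / --files-from) and a find with -print0.
set -eu

# archive_matching DIR PATTERN OUT.tar.gz
# PATTERN is evaluated by find's -iname, so the caller must quote it.
archive_matching() {
    dir=$1; pattern=$2; out=$3
    listfile=$(mktemp)
    # Build the list inside DIR so the archive holds relative paths.
    ( cd "$dir" && find . -type f -iname "$pattern" -print0 ) > "$listfile"
    # --null must precede --files-from so tar reads NUL-terminated names.
    tar -C "$dir" --null --files-from "$listfile" -czf "$out"
    rm -f "$listfile"
}

# list_would_fit LISTFILE -> exit 0 if the names in LISTFILE would still fit
# into one argument list. A rough estimate: ARG_MAX also has to hold the
# environment and the command name, so the real headroom is smaller.
list_would_fit() {
    bytes=$(wc -c < "$1" | tr -d ' ')
    # Fall back to the POSIX minimum when getconf is unavailable.
    limit=$(getconf ARG_MAX 2>/dev/null || echo 4096)
    [ "$bytes" -lt "$limit" ]
}

# count_archived OUT.tar.gz -> number of entries in the archive
count_archived() {
    tar -tzf "$1" | wc -l | tr -d ' '
}

# demo -> builds a constructed directory of 3000 .gif files plus one with a
# space in its name and one .txt that must not be picked up, archives the
# gifs, and prints the number of archive entries (3001).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src"
    i=0
    while [ "$i" -lt 3000 ]; do
        : > "$work/src/image_$i.gif"
        i=$((i + 1))
    done
    : > "$work/src/with space.gif"   # survives because the list is NUL-separated
    : > "$work/src/notes.txt"        # does not match the pattern
    archive_matching "$work/src" '*.gif' "$work/files.tar.gz"
    n=$(count_archived "$work/files.tar.gz")
    rm -rf "$work"
    echo "$n"
}

demo
```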

Sunday, October 5, 2008

How to install NGINX

Nginx (pronounced Engine-X) is a Russian open source httpd server originally written by Igor Sysoev back in 2005. Nginx is a very lightweight httpd server and reverse proxy. It is estimated that approx. 3 per cent of all web servers run nginx. In Russia the number is as high as 20 per cent, including some of their biggest web sites. Nginx is also used by Wordpress.com and 4chan.

Why use Nginx instead of Apache or Lighty? Nginx should be fast. I mean FAST. Fast as in over 10000 concurrent requests / sec per server. Now that's fast!

I have wanted to screw 'round with Nginx for a while, so here goes nothing!

How to install Nginx on your Linux box

Nginx can be downloaded from www.nginx.net. The simple web page shows the latest distribution packages and a short introduction. Further instructions can be found on the Nginx Wiki.

I installed Nginx on my CentOS 5.1 running under VMware on a MacBook. Nginx's version was 0.6.32. The default installation is very straightforward: configure, make & make install. I had to install the pcre packages on my box before building the httpd server in order to enable the rewrite module. I also used the --prefix option to install the application where I wanted:

[root@cluster1 nginx-0.6.32]# ./configure --prefix=/opt/nginx-0.6.32
[root@cluster1 nginx-0.6.32]# make
[root@cluster1 nginx-0.6.32]# make install

After this Nginx is ready to serve static files!


How to configure Nginx

When you move to your Nginx installation directory, here's what you see:

drwxr-xr-x 2 root root 4096 Oct 5 23:52 sbin
drwxr-xr-x 2 root root 4096 Oct 5 23:52 html
drwxr-xr-x 2 root root 4096 Oct 5 23:52 conf

The sbin directory has only the nginx executable, which starts up the httpd. The html directory is the same as the htdocs directory in Apache: copy your files here in order to serve 'em to the world! The conf directory has all the configuration files.

When you start up nginx (just go to sbin and type ./nginx to start your web server!) you get a few more directories:

drwx------ 2 nobody root 4096 Oct 5 23:52 proxy_temp
drwxr-xr-x 2 root root 4096 Oct 5 23:52 logs
drwx------ 2 nobody root 4096 Oct 5 23:52 fastcgi_temp
drwx------ 2 nobody root 4096 Oct 5 23:52 client_body_temp

In the conf directory you can see the following files:

-rw-r--r-- 1 root root 3610 Oct 5 23:52 win-utf
-rw-r--r-- 1 root root 2726 Oct 5 23:52 nginx.conf.default
-rw-r--r-- 1 root root 2726 Oct 5 23:52 nginx.conf
-rw-r--r-- 1 root root 2991 Oct 5 23:52 mime.types.default
-rw-r--r-- 1 root root 2991 Oct 5 23:52 mime.types
-rw-r--r-- 1 root root 2223 Oct 5 23:52 koi-win
-rw-r--r-- 1 root root 2837 Oct 5 23:52 koi-utf
-rw-r--r-- 1 root root 909 Oct 5 23:52 fastcgi_params.default
-rw-r--r-- 1 root root 909 Oct 5 23:52 fastcgi_params

The most important file of them all is of course nginx.conf. The default configuration looks like this after installation:

#user nobody;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;


events {
worker_connections 1024;
}


These are the default configuration parameters that set the user and logging preferences. If you use your box to run many different applications, it is a good idea to change the default user to something else, like "nginx" or "www_user".

The worker_connections parameter sets the maximum number of connections each worker can handle. The default is quite a good value.

The following part defines the base settings for http access:

http {
include mime.types;
default_type application/octet-stream;


You should not tamper with the mime types, because you will likely end up with a screwed-up web server!

If you want to, you can also change the default log format in the following part.

#log_format main '$remote_addr - $remote_user [$time_local] $request '
# '"$status" $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';

#access_log logs/access.log main;


The tcp_nopush setting means that the HTTP response headers are all sent in one packet. The sendfile setting means that Nginx ignores the details of the file it is sending and uses the kernel's sendfile support instead. The keepalive_timeout setting defines how long the server keeps an idle connection open waiting for the user's next request; on busy sites this should be lowered to a few seconds. Gzip compression saves bandwidth on the site, depending on what kind of content the server is sending.

sendfile on;
#tcp_nopush on;

#keepalive_timeout 0;
keepalive_timeout 65;

#gzip on;



The following server part is just like the server settings in Apache HTTPD; if you have tampered 'round with Apache before, this will be quite straightforward for you.

server {
listen 80;
server_name localhost;

#charset koi8-r;

#access_log logs/host.access.log main;

location / {
root html;
index index.html index.htm;
}

#error_page 404 /404.html;

# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}


An example of how to configure a virtual host on Nginx:

# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;

# location / {
# root html;
# index index.html index.htm;
# }
#}




These were basic examples of Nginx and what one can do with it. I stripped some configuration examples, but here you can see the basics. Later we're going to configure Nginx to use PHP and go through how to use mod_rewrite with Nginx.

Benchmarking Apache 2 vs. Lighttpd

Have you ever wondered which is faster, Apache 2 or Lighttpd? Everyone says that Lighttpd (or lighty) is much faster, but is it really so?

I found this curious article I'd like to share with you. It can originally be found here, but I'm also going to write a short version of the article below:

The benchmark shows how Apache 2.2.3 compares to Lighttpd 1.4.13 when delivering a static HTML file of approx. 50 kilobytes. The test was made with Apache Benchmark.

The test was made on Debian Etch running inside VMware. The box was quite old, but that shouldn't affect the trend.

Versions were:

* Apache 2.2.3 mpm-prefork with the default Debian configuration.
* Lighttpd 1.4.13 with the default Debian configuration.

The HTML file was approx. 50 kilobytes in size and was saved as test.html.

I ran the following commands ten times each and calculated the average requests per second that the web server could handle:

* ab -n 100 -c 5 http://localhost/test.html
* ab -n 1000 -c 5 http://localhost/test.html
* ab -n 10000 -c 5 http://localhost/test.html
* ab -n 100 -c 50 http://localhost/test.html
* ab -n 1000 -c 50 http://localhost/test.html
* ab -n 10000 -c 50 http://localhost/test.html
* ab -n 100 -c 100 http://localhost/test.html
* ab -n 1000 -c 100 http://localhost/test.html
* ab -n 10000 -c 100 http://localhost/test.html

-n is the number of requests to perform for the benchmarking session; -c is the number of requests to perform at a time (the concurrency).

Here's the result of the test:



As you can see, lighty is almost one third faster on static pages! Knowing this, one has to consider whether it is worth using lighty instead of Apache. Personally I choose Apache. Why? More modules and knowledge. Maybe some day I'll start using Lighty. Or Nginx. Wouldn't that be kewl?

Tuesday, September 30, 2008

Basic Commands in UNIX

Here's a short list of basic commands in UNIX. I originally copied the list from another page, which I cannot remember, and did some editing to it.

Files

* ls --- lists your files
* ls -l --- lists your files in 'long format'
* ls -a --- lists all files
* more filename --- shows the first part of a file. Hit the space bar to see more or q to quit. You can use /pattern to search for a pattern.
* emacs filename --- is an editor that lets you create and edit a file.
* mv filename1 filename2 --- moves a file
* cp filename1 filename2 --- copies a file
* rm filename --- removes a file.
* diff filename1 filename2 --- compares files, and shows where they differ
* wc filename --- tells you how many lines, words, and characters there are in a file
* chmod options filename --- lets you change the read, write, and execute permissions on your files. For example, chmod 777 file gives everyone read, write and execute permission on the file.

File Compression

* gzip filename --- compresses files, so that they take up much less space.
* gunzip filename --- uncompresses files compressed by gzip.

Directories

* mkdir dirname --- make a new directory
* cd dirname --- change directory.
* pwd --- tells you where you currently are.

Finding things

* grep string filename(s) --- looks for the string in the files. This can be useful for a lot of purposes, e.g. finding the right file among many.

About your (electronic) self

* whoami --- returns your username.
* passwd --- lets you change your password.
* ps -u yourusername --- lists your processes.

How to restart linux

There are many ways to restart your linux computer.

If you are using a GUI, shutting down or rebooting the computer depends on the GUI you are using. Usually the shutdown, reboot etc. commands are found through the GUI's main menu or the bar at the bottom of the screen.

If you are using a shell window, the easiest way to restart linux is to use the "reboot" command:

* Change to the root user
* Simply type reboot and hit enter, and the computer restarts.

Hope this helps you linux newbies to restart linux :)

How to install RPM

What is RPM?



Many Linux distributions use RPM as their default package management system. This means that when using RPM packages, it is quite easy to install applications on your favorite Linux distribution.

RPM was originally developed by Red Hat, but nowadays you run into rpm in many other Linux distributions (for example Fedora Core, CentOS, Mandriva or Yellow Dog Linux) and even on other operating systems (Novell NetWare and IBM AIX).

RPM-packaged software usually follows this naming format:

(name)-(version)-(release).(arch).rpm

For example: httpd-2.23-2.i386.rpm

Source code can also be downloaded in rpm packages, for example httpd-2.23-2.i386.src.rpm. RPM files with the noarch.rpm extension are files that don't depend on the computer's architecture.

Install RPM

Installing an RPM package is very easy and straightforward:

* rpm -ivh package.rpm - installs package.rpm
* rpm -Uvh package.rpm - updates package.rpm
* rpm -qi package - displays information about the already installed package "package"
* rpm -qpi package.rpm - displays information about rpm-file
* rpm -qpl package.rpm - displays files included in package.rpm
* rpm -qa - lists all rpm packages installed on your system
* rpm --rebuilddb - rebuilds your rpm database

With these simple commands you can install rpm packages on your Linux distribution!

Sunday, September 14, 2008

Secure linux server with fail2ban

I have written briefly about fail2ban earlier, but since fail2ban is such an awesome application, I wanted to tell a little more about it. It works like DenyHosts, which I am planning to test later.

Fail2ban is basically a tool that observes all login attempts to your server through various services, like SSH, HTTPD, FTP, Telnet (oh god, no telnet, please!). If it finds many failed login attempts in a row from the same IP / host, it blocks that IP / host with an iptables firewall rule. Handy piece of software, I say!

We're going to configure fail2ban to monitor the SSH server, because I'm not running any other open service on my linux server. If you're using proftpd or some other server that requires authentication, it is quite easy to apply the same changes to those servers, too!

1) Install fail2ban

The easiest way to install fail2ban is to use yum. As I have said before, yum is easy to use and saves you a lot of time. If you know exactly what you're doing, go ahead and compile your own applications!

yum install fail2ban

Start fail2ban and create system startup links:

/etc/init.d/fail2ban start
chkconfig --levels 235 fail2ban on


2) Configuring fail2ban

Fail2ban's configuration files can be found in the /etc/fail2ban directory. The default configuration is in the jail.conf file. Take a look and you'll see it is not hard to understand! There is a [default] section at the beginning of the configuration file; the per-service sections below it can override those defaults.

Here are explanations of the settings:

* ignoreip: This is a space-separated list of IP addresses that cannot be blocked by fail2ban. For example, if the computer from which you're connecting to the server has a static IP address, you might want to list it here.

* bantime: Time in seconds that a host is blocked if it was caught by fail2ban (600 seconds = 10 minutes).

* maxretry: Max. number of failed login attempts before a host is blocked by fail2ban.

* filter: Refers to the appropriate filter file in /etc/fail2ban/filter.d.

* action: Refers to the appropriate action file in /etc/fail2ban/action.d.

* logpath: The log file that fail2ban checks for failed login attempts.

Make sure to replace the email address you@mail.com with your own email address so that you get notified when someone gets blocked by fail2ban.

After you have edited your configuration the way you want it, restart fail2ban and you're good to go!

Fail2ban logs to /var/log/fail2ban.log, so you can check that file to find out if, and which, hosts got blocked. If a host got blocked by fail2ban, it looks like this:

2008-08-08 17:49:09,466 fail2ban.actions: WARNING [sshd] Ban 1.2.3.4
2008-08-08 18:08:33,213 fail2ban.actions: WARNING [sshd] Ban 1.2.3.4

You can also check your firewall to see if any hosts are currently blocked. Simply run

iptables -L

For services that use TCPWrappers to block hosts, take a look at /etc/hosts.deny.
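As an added example, not from the original post, here is a shell script that summarizes fail2ban.log lines in the format shown above, so you can spot hosts that get banned again and again once bantime has expired. The log lines inside it are constructed, not a real capture, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: summarize fail2ban.log so you
# can see which hosts keep coming back. fail2ban lifts each ban after
# bantime (600 s by default), so a host that is banned over and over is the
# one to consider for a longer bantime or a permanent firewall rule.
# Line format is the one shown in the post:
#   2008-08-08 17:49:09,466 fail2ban.actions: WARNING [sshd] Ban 1.2.3.4
set -eu

# ban_counts LOGFILE -> "count jail ip", most-banned first.
# Only "Ban" events count; the matching "Unban" lines are skipped.
ban_counts() {
    awk '
        $3 == "fail2ban.actions:" && $6 == "Ban" {
            jail = $5
            gsub(/\[|\]/, "", jail)      # "[sshd]" -> "sshd"
            count[jail " " $7]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# repeat_offenders LOGFILE MIN -> ips banned at least MIN times across all jails
repeat_offenders() {
    awk -v min="$2" '
        $3 == "fail2ban.actions:" && $6 == "Ban" { n[$7]++ }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' "$1" | sort
}

# sample_log -> path to a constructed log (not a real capture): 1.2.3.4 is
# banned three times by sshd and once by proftpd, 5.6.7.8 once; the Unban
# and INFO lines must not be counted.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2008-08-08 17:49:09,466 fail2ban.actions: WARNING [sshd] Ban 1.2.3.4
2008-08-08 17:59:09,512 fail2ban.actions: WARNING [sshd] Unban 1.2.3.4
2008-08-08 18:08:33,213 fail2ban.actions: WARNING [sshd] Ban 1.2.3.4
2008-08-08 18:12:01,004 fail2ban.actions: WARNING [sshd] Ban 5.6.7.8
2008-08-08 18:18:33,300 fail2ban.actions: WARNING [sshd] Unban 1.2.3.4
2008-08-08 18:22:01,090 fail2ban.actions: WARNING [sshd] Unban 5.6.7.8
2008-08-08 18:30:10,000 fail2ban.jail   : INFO   Creating new jail 'proftpd'
2008-08-08 18:41:07,771 fail2ban.actions: WARNING [proftpd] Ban 1.2.3.4
2008-08-08 19:02:55,118 fail2ban.actions: WARNING [sshd] Ban 1.2.3.4
EOF
    echo "$f"
}

# Try it on the constructed log; point the functions at /var/log/fail2ban.log
# on a real box.
log=$(sample_log)
ban_counts "$log"
echo "banned 2+ times:"
repeat_offenders "$log" 2
rm -f "$log"
```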

How to install Lighttpd with PHP and MySQL to Fedora Core

Lighttpd, or lighty, is a fast, light and secure web server designed and optimized for speed-critical environments. Many huge websites (YouTube and Wikipedia, for example) use lighttpd to serve static content. Many sites that get more than a thousand hits / second also use lighty.

Compared to nginx, Lighttpd is not as fast, but it is easier to configure and implement. Compared to Apache, it is faster but has fewer options. You have to consider which httpd server to use. I personally love to use Apache because of its modules, but I wouldn't hesitate to change to lighty!

1) Install MySQL

The first thing you need to do - if you don't already have MySQL installed - is to install MySQL.

You can do this any way you want, but the easiest way is to use YUM:

yum install mysql mysql-server

Make sure you start mysqld. You should also make sure mysqld starts when your linux starts up:

chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start


I personally install the mysql server from binaries, but this is the easiest and fastest way to get your mysql server up and running.

When you install your mysql server, there is no password set for the mysql root user. Unless you're using some virtual linux running on your personal laptop used only for development, change this immediately!

mysqladmin -u root password newpassword

2) Install Lighttpd

Since we're using Fedora and are able to use Yum to install applications, we install lighty this way:

yum install lighttpd

Next, start up lighty and make sure it starts when your linux server restarts:

chkconfig --levels 235 lighttpd on
/etc/init.d/lighttpd start


You can now test your lighty. Go to http://127.0.0.1 and you should get a page like this:



3) Install PHP

Lighttpd can use FastCGI to render PHP pages. This can also be installed with YUM:

yum install lighttpd-fastcgi php-cli

That's it! Restart lighty and you're all good to go!

Monday, May 5, 2008

Nginx

Today I ran into quite an interesting product from Russia: Nginx.

Nginx is a high performance web and proxy server and, from what I have heard, it's capable of handling quite a high load on very modest hardware. According to this article, Wordpress.com is using Nginx as a load balancer, handling over 8000 requests / sec. That's quite impressive!

What's best, Nginx is really lightweight. According to testimonials on the Nginx wiki, this web server can be run with really little RAM. Excellent.

I'm going to screw 'round with this piece of software now. Going to report you back later!

Thursday, March 13, 2008

Apache Internal Dummy Connection

Yesterday I updated our Apache HTTPD to the latest version (2.2.8). Soon after this I noticed that HTTPD's access log was logging some strange requests:

::1 - - [13/Mar/2008:09:05:13 +0200] "OPTIONS * HTTP/1.0" 200 -

And what does the request do?

[asdf@foobar logs]# telnet localhost 5453
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
OPTIONS * HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 13 Mar 2008 07:06:43 GMT
Server: Apache/2.2.8 (Unix) PHP/5.2.5
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

Connection closed by foreign host.

I did a little research on the web and came up with the following links:
http://vdachev.net/blog/2007/02/01/apache-internal-dummy-connection/
http://apache.hpi.uni-potsdam.de/document/4_3Multitasking_server.html

It seems like the request above is called the "Internal Dummy Connection", and it's a way for Apache to let its child processes know it's time to die. It's usually nothing you should worry about, but if you see many child processes spawn and die, you may want to tune the MinSpareServers and MaxSpareServers directives, and your MaxRequestsPerChild.

If you want to clean up your HTTPD access logs, you can do the following:

SetEnvIf Remote_Addr "::1" dontlog
CustomLog /foo/bar/access.log combined env=!dontlog

Wednesday, March 5, 2008

Discovering duplicate files

A while ago I had a problem. I had to change my file server's hard drives, and I didn't have a large enough hard drive to take copies to. This led to a situation where I had copies of my data spread over various computers, and after I got my server up and running again, I realized there were quite a few duplicate files on my server.

Luckily I found a nice small application called fdupes. This program goes through directories and creates an MD5 sum of every file. After that it compares the MD5 sums and lets the user know which files are duplicates.

Fdupes can be found in the regular Fedora Core yum repository, and the usage of the program is quite easy:

fdupes -r /share << the directory you want to scan, recursively

The program gives you a nice list of the duplicate files.

Tuesday, February 26, 2008

Truecrypt 5.0 on Fedora Core

That's it! I've had enough of TC on my box. And all it took was six days. Before that, I ran TC on Ubuntu for one week. And now it's history!

My problems began when I was installing TC on Ubuntu. Or actually, there was no problem installing Truecrypt. I found this version of Truecrypt, built for x86_64. The problems began when I tried to use the ext2 or ext3 filesystem on Ubuntu. Truecrypt supports the FAT32 and NTFS filesystems straight out of the box. Can you imagine a Linux box using a FAT filesystem?

Well, luckily there is a way to use some other filesystem on Truecrypt. Well, did it work? No, sir! mkfs.ext3 crashed my machine. So did mkfs.ext2. What's the solution? Reiserfs!

After a few hours of struggle, I finally had my (k)Ubuntu installation with a hard drive encrypted with Truecrypt. The filesystem had to be Reiserfs, because mkfs with ext2/ext3 failed.

After a few days of usage, I ran into the problem that my box started to crash randomly. I thought the problem was xscreensaver, so I disabled it. I also had problems with (k)Ubuntu's firewall >> I decided to install my beloved Fedora Core. I managed to install Truecrypt using .deb files, and I already had my hard drives encrypted with reiserfs.

Goodbye, problems? So I thought. I started to move backups from my other boxes to the encrypted filesystems, and I ran into the problem of a crashing box. Again. Luckily this time I had my ssh session open with top running on the screen. I saw that my box's iowait was 99% and the system load near 50 before crashing. Conclusion: Truecrypt doesn't like small files (like your picture collection, a large amount of midi files, or even mp3 files). I tried to copy one 12gb tar archive from the encrypted filesystem to a "clean" filesystem: iowait 99% and crash. Again. At this point I decided that this is no time for me to use encryption. Adios, Truecrypt! Maybe next time!

I have to say that the usage of TC was quite easy. Point n' click. But the results were bogus. What a shame.

I must admit that I will follow the truecrypt forums, and if I find out that the performance problems are gone, I'll give it another shot.

Monday, February 25, 2008

Tightening SSHD security on Fedora Core

Here are a few tips on how to improve SSHD security on your Fedora Core box. With these easy steps you can make sure no-one's gonna hack into your box.

1) Install fail2ban

Fail2ban is a script that actively tracks the connections against sshd. If someone tries to scan your sshd using many different account names and passwords, fail2ban denies connections from that IP for 15 minutes.

You can install fail2ban easily with yum:
[root@machine ssh]# yum install -y fail2ban.noarch

You can start using fail2ban straight after installation is complete:

[root@machine ssh]# /etc/init.d/fail2ban start

The log file is found under /var/log. Fail2ban can also send email with information about banned IP addresses.

2) Restrict ssh connections

You can allow ssh connections only for specified accounts.

Emacs your /etc/ssh/sshd_config and add the following line:

AllowUsers username1 username2

You should also make sure root cannot log in over ssh:

PermitRootLogin no


After this, restart your sshd.

3) Change your SSHD port

By default, SSHD listens on port 22. Many port scanners try to locate ssh servers running on that port. If you change your sshd to a high port (above 1024), you get rid of many port scanning attempts. For example, nmap cannot scan ports above 1024.

In sshd_config, change:

#Port 22 >> Port 1100

Restart your sshd.


4) Allow only specific hosts to connect using TCP wrappers

You should allow SSH connections to your machine only from wanted IP addresses. Anything else is unwanted, and possibly hazardous. For this you can use two files: /etc/hosts.deny and /etc/hosts.allow.

hosts.deny controls which traffic you want to deny, and hosts.allow which traffic you want to allow.

Here's an example of how to deny all ssh access. Simply add the following to your hosts.deny:

sshd: ALL

Now, after you restart your sshd, all sshd traffic is blocked.

If you want to allow access from your IP address 192.168.1.1 and some public addresses, simply add the following to your hosts.allow:

sshd: 192.168.1 xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy

If you want to allow all traffic from .se domains, simply add this to your hosts.allow:

sshd: .se

This can also be done with hosts.deny:

sshd : ALL EXCEPT .se

And if you want to block traffic from some countries but allow everything else, you can add this to hosts.allow:

# Allow SSH (http://en.wikipedia.org/wiki/Country_code_top-level_domain)
sshd : ALL EXCEPT .br .cl .cn .hk .in .kr .mx .my .ro .ru .tw .ua

# Allow everything else
ALL : ALL
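As an added example, not part of the original post, here is a shell script that audits an sshd_config for the settings from steps 2 and 3 above. It follows sshd's own parsing rules (keywords are case-insensitive, the first occurrence of a keyword wins, and settings inside a Match block are conditional), which is exactly what makes a by-eye check unreliable. The function names and the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: check that an sshd_config
# really carries the settings from steps 2 and 3. Two sshd parsing rules
# make a by-eye check unreliable: keywords are case-insensitive, and for
# each keyword sshd uses the FIRST value it finds, so a "PermitRootLogin no"
# appended below an earlier "PermitRootLogin yes" changes nothing. Settings
# inside a "Match" block are conditional, so the global scan stops there.
set -eu

# sshd_effective FILE KEYWORD -> the globally effective value of KEYWORD,
# or nothing when it is not set (sshd's built-in default then applies).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        $1 ~ /=/ || $2 == "=" { sub(/[[:space:]]*=[[:space:]]*/, " ") }  # "Port=1100" -> "Port 1100"
        tolower($1) == "match" { exit }                  # end of the global section
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")   # drop the keyword
            sub(/[[:space:]]+$/, "")
            print
            exit                                         # first value wins, like sshd
        }
    ' "$1"
}

# audit_sshd FILE -> prints one finding per line; exit status 0 only when
# the config passes all three checks.
audit_sshd() {
    findings=0
    root=$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    users=$(sshd_effective "$1" AllowUsers)
    port=$(sshd_effective "$1" Port)
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '${root:-unset}' (step 2 wants: no)"
        findings=$((findings + 1))
    fi
    if [ -z "$users" ]; then
        echo "AllowUsers is unset, so every local account may log in over ssh (step 2)"
        findings=$((findings + 1))
    fi
    if [ "${port:-22}" = "22" ]; then
        echo "sshd listens on port 22 (step 3 wants a high port)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample configs (not from a real host) to try the audit on.
sample_weak() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# stock file with a hardening line appended at the bottom: it has no effect
Protocol 2
PermitRootLogin yes
#Port 22
PermitRootLogin no
EOF
    echo "$f"
}

sample_hardened() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port = 1100
permitrootlogin no
AllowUsers username1 username2
Match Address 192.168.1.0/24
    X11Forwarding yes
EOF
    echo "$f"
}

# Try it: the weak config reports three findings, the hardened one none.
# On a real box run: audit_sshd /etc/ssh/sshd_config
audit_sshd "$(sample_weak)" || true
audit_sshd "$(sample_hardened)" && echo "hardened sample passes"
```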

Wednesday, February 20, 2008

Fixing Joomla + JCE + madeyourweb center align

I wanted to use Joomla + the JCE editor + the madeyourweb template on a web site.

After installing all the necessary stuff, I realized that the JCE editor uses the madeyourweb template's align=center setting. Here are two ways to fix this:

1) Open Joomla administrator >> go to Mambots >> Site Mambots and open the JCE Editor Mambot.

On the left side there's a text saying "Template CSS classes"; change this setting to No and voilà, the alignment is left again.

Here's a more advanced option:

2) Edit your template_css.css and change align=center to align=left

Or

3) Copy your template_css.css to another file, edit this file and force the JCE Mambot to use this CSS file via the "Custom CSS Classes" option.

Tuesday, February 19, 2008

Installing x11vnc on Fedora Core

This is a very short guide on how to install x11vnc on your Fedora Core.

x11vnc allows one to view remotely and interact with real X displays (i.e. a display corresponding to a physical monitor, keyboard, and mouse) with any VNC viewer. In this way it plays the role for Unix/X11 that WinVNC plays for Windows.

x11vnc is by far the easiest available vnc server for Linux. Just download, configure/make, and off you go! And it works like a charm over an ssh tunnel!

Here's how I installed x11vnc on my FC8:

1) Download .tar.gz from http://www.karlrunge.com/x11vnc/

2) Make sure you have the X software development packages installed on your FC. To be sure, just open your system >> add/remove software, scroll down to development, and make sure you have X in your "x11 development".

3) After downloading http://www.karlrunge.com/x11vnc/x11vnc-0.9.4.tar.gz, just run tar zxvf x11vnc-0.9.4.tar.gz, ./configure, make and make install.

4) Now you have your x11vnc server ready to be tested... It's probably installed at /usr/bin/x11vnc, and you can test drive it by just typing the command "x11vnc".

Installing Truecrypt 5 on Fedora Core X86_64

This is a *VERY* short guide on how to install Truecrypt 5.0 on Fedora Core x86_64. I installed TC on FC8, but this guide *should* work on any FC platform.

1) Download the .deb package (originally made for Ubuntu):
http://rapidshare.com/files/89758961/truecrypt_5.0-0ubuntu1_amd64.deb.html

2) Extract the file with the archive manager >> you get two different .tar.gz files

3) Extract data.tar.gz to the root of your system.

4) Start truecrypt from /usr/sbin/truecrypt

If you are using the i386 version of Fedora Core, you can download the Ubuntu package from TC's homepage and use it to install Truecrypt on your FC.