Debian

Using DPKG To Install OpenVZ On Debian

To install OpenVZ with the DPKG package manager, all you need to do is download the OpenVZ components and let DPKG do the rest.

Download the latest kernel revision level for your particular Debian distro. For me, this was:

linux-image-2.6.18-openvz-k7_028.18.1-2.6.18-12-1_i386.deb

Next, go to this URL: http://download.openvz.org/debian-systs/pool/openvz/v/

Download:

* vzctl
* vzprocps
* vzquota

and an OS template cache from the “vzctl-ostemplate” directory. I chose Debian 5.0:

vzctl-ostmpl-debian-5.0-i386-minimal_20090121_i386.deb

Open a terminal shell and log in as “root” (use “su” or “sudo”).

Create a “/vz” directory.

Posted by Aniruddh - December 20, 2011 at 4:33 pm

Categories: Debian, OpenVZ

Postfix Monitoring With Mailgraph And pflogsumm On Debian Lenny

This article describes how you can monitor your Postfix mail server with the tools Mailgraph and pflogsumm. Mailgraph creates daily, weekly, monthly, and yearly graphs of sent, received, bounced, and rejected emails and also of spam and viruses, if SpamAssassin and ClamAV are integrated into Postfix (e.g. using amavisd-new). These graphs can be accessed with a browser, whereas pflogsumm (“Postfix Log Entry Summarizer”) can be used to send reports of Postfix activity by email.

1 Preliminary Note

The Linux system used here has the IP address 192.168.0.100 and hosts the web site http://www.example.com with the document root /var/www/www.example.com/web and a cgi-bin directory of /var/www/www.example.com/cgi-bin, and I will send the pflogsumm reports to the email address postmaster@example.com.

2 Mailgraph

Debian Lenny has packages for Mailgraph and pflogsumm, so simply install these. Also install rrdtool, which stores the data that Mailgraph needs to draw the graphs:

aptitude install rrdtool mailgraph

Configure the mailgraph package:

dpkg-reconfigure mailgraph

You will be asked a few questions:

Should Mailgraph start on boot? <-- Yes
Logfile used by mailgraph: <-- /var/log/mail.log

Then there's also this question:

Count incoming mail as outgoing mail?

If you have integrated a content filter like amavisd (for spam and virus scanning) into Postfix (like in this tutorial: Integrating amavisd-new Into Postfix For Spam- And Virus-Scanning),

During the installation, the system startup links for Mailgraph are created automatically, and Mailgraph also gets started automatically, so we don't need to start it manually.

cp -p /usr/lib/cgi-bin/mailgraph.cgi /var/www/www.example.com/cgi-bin

3 pflogsumm

To install pflogsumm, run:

aptitude install pflogsumm

We want pflogsumm to be run by a cron job each day and send the report to postmaster@example.com. Therefore we must configure our system so that it writes one mail log file for 24 hours and afterwards starts the next mail log, so that we can feed the old mail log to pflogsumm. To do this, we configure logrotate (that’s the program that rotates our system’s log files) like this: open /etc/logrotate.conf and append the following stanza to it, after the line # system-specific logs may be configured here

vi /etc/logrotate.conf

Create the script /usr/local/sbin/postfix_report.sh, which invokes pflogsumm and makes it send the report to postmaster@example.com:

vi /usr/local/sbin/postfix_report.sh

Posted by Aniruddh - December 18, 2011 at 3:13 pm

Categories: Debian

Caching With Apache’s mod_cache On Debian Lenny

This article explains how you can cache your web site contents with Apache’s mod_cache on Debian Lenny. If you have a high-traffic dynamic web site that generates lots of database queries on each request, you can decrease the server load dramatically by caching your content for a few minutes or more (that depends on how often you update your content).

1 Preliminary Note

I’m assuming that you have a working Apache2 setup (Apache 2.2.x – prior to that version, mod_cache is considered experimental) from the Debian repositories – the Apache version in the Debian Lenny repositories is 2.2.9 so you should be good to go.

I’m using the document root /var/www here for my test vhost – you must adjust this if your document root differs.

2 Enabling mod_cache

mod_cache has two submodules that manage the cache storage, mod_disk_cache (for storing contents on the hard drive) and mod_mem_cache (for storing contents in memory which is faster than disk caching). Decide which one you want to use and continue either with chapter 2.1 (mod_disk_cache) or 2.2 (mod_mem_cache).

2.1 mod_disk_cache

vi /etc/apache2/mods-available/disk_cache.conf

Enable mod_cache and mod_disk_cache:

a2enmod cache
a2enmod disk_cache

/etc/init.d/apache2 restart

To make sure that our cache directory /var/cache/apache2/mod_disk_cache doesn’t fill up over time, we have to clean it with the htcacheclean command. That command is part of the apache2-utils package:

aptitude install apache2-utils

Start htcacheclean as a daemon:

htcacheclean -d30 -n -t -p /var/cache/apache2/mod_disk_cache -l 100M -i

This will clean our cache directory every 30 minutes and make sure that it will not get bigger than 100MB. To learn more about htcacheclean, take a look at

man htcacheclean

You don’t want to start htcacheclean manually each time you reboot the server – therefore we edit /etc/rc.local…

vi /etc/rc.local

2.2 mod_mem_cache

The mod_mem_cache configuration is located in /etc/apache2/mods-available/mem_cache.conf:

vi /etc/apache2/mods-available/mem_cache.conf

Posted by Aniruddh - December 13, 2011 at 7:13 am

Categories: Apache, Debian

Putting Varnish In Front Of Apache On Ubuntu/Debian

Varnish is an open source “web accelerator” which you can use to speed up your website.

It can cache certain static elements, such as images or JavaScript, but you can also use it for other purposes such as load balancing or some additional security.

In this tutorial we will focus on the latter one.
In this mode, Varnish will stop incomplete HTTP requests from reaching your Apache webserver.

Installing Varnish

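However, you might want to use the Varnish repository to make sure you have a more recent version. To add it, execute the following:

# apt-key is the command that needs root, not curl, so sudo goes after the pipe
curl http://repo.varnish-cache.org/debian/GPG-key.txt | sudo apt-key add -

# a ">>" redirection is performed by the calling shell, not by sudo; append with tee instead
echo "deb http://repo.varnish-cache.org/debian/ $(lsb_release -s -c) varnish-2.1" | sudo tee -a /etc/apt/sources.list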

Update APT and install Varnish

sudo apt-get update

sudo apt-get install varnish

Changing Varnish settings

To change the default port, edit /etc/default/varnish:

vim /etc/default/varnish

Posted by Aniruddh - December 3, 2011 at 11:02 am

Categories: Apache, Debian, Ubuntu, Web Server

How To Configure PureFTPd To Accept TLS Sessions On Debian Lenny

FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. This article explains how to configure PureFTPd to accept TLS sessions on a Debian Lenny server.

1 Preliminary Note

You should have a working PureFTPd setup on your Debian Lenny server, e.g. as shown in this tutorial: Virtual Hosting With PureFTPd And MySQL (Incl. Quota And Bandwidth Management) On Debian Lenny.

2 Installing OpenSSL

OpenSSL is needed by TLS; to install OpenSSL, run:

aptitude install openssl

3 Configuring PureFTPd

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

If you want to accept TLS sessions only (no FTP), run

echo 2 > /etc/pure-ftpd/conf/TLS

To not allow TLS at all (only FTP), either delete /etc/pure-ftpd/conf/TLS or run

echo 0 > /etc/pure-ftpd/conf/TLS

4 Creating The SSL Certificate For TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first

mkdir -p /etc/ssl/private/

Posted by Aniruddh - November 30, 2011 at 8:17 pm

Categories: Debian, File Server

Preventing Brute Force Attacks With BlockHosts On Debian Lenny

This article shows how to install and configure BlockHosts on a Debian Lenny system. BlockHosts is a Python tool that observes login attempts to various services, e.g. SSH, FTP, etc., and if it finds failed login attempts again and again from the same IP address or host, it stops further login attempts from that IP address/host. By default, BlockHosts supports services that use TCP_WRAPPERS, such as SSH, i.e. services that use /etc/hosts.allow or /etc/hosts.deny, but it can also block other services using iproute or iptables.

1 Preliminary Note

I have tested BlockHosts on a Debian Lenny system.

I will show you how to use it with a service that uses /etc/hosts.allow or /etc/hosts.deny (sshd) and with a service that doesn’t use TCP_WRAPPERS, e.g. Debian’s ProFTPd package. Services that don’t use /etc/hosts.allow or /etc/hosts.deny can be blocked by iproute or iptables.

2 Installing BlockHosts

BlockHosts is written in Python, so we should install Python first:

aptitude install python

Then install BlockHosts:

cd /tmp
wget http://www.aczoom.com/tools/blockhosts/BlockHosts-2.5.0.tar.gz
tar xvfz BlockHosts-2.5.0.tar.gz
cd BlockHosts-2.5.0
python setup.py install --force

Next, edit /etc/blockhosts.cfg:

vi /etc/blockhosts.cfg

Next we modify /etc/hosts.allow. First, back up your current /etc/hosts.allow:

cp /etc/hosts.allow /etc/hosts.allow_orig

Posted by Aniruddh - November 26, 2011 at 7:06 pm

Categories: Debian

Hosting Multiple SSL Web Sites On One IP Address With Apache 2.2 And GnuTLS (Debian Lenny)

This article explains how to host multiple SSL-encrypted web sites (HTTPS) on one IP address with Apache 2.2 and GnuTLS on a Debian Lenny server.

For more information on why this couldn’t be done prior to OpenSSL 0.98g or with GnuTLS please refer to http://en.wikipedia.org/wiki/Server_Name_Indication.

Before beginning, and before anyone starts ripping out IPs and handing them back to their ISPs, I will mention that virtual hosting of SSL sites on the same IP address has 1 or 2 caveats.

1. Firefox 2.0+ works on all platforms (Mac/Windows/Linux) – it has its own TLS implementation – if you have SSLv2 enabled for VMware tools, Firefox doesn’t work either, but Firefox comes with v2 disabled by default
2. Windows XP does not support SNI and still has 40% share in the world so you could alienate a lot of people unless they are using Firefox on XP.
3. Browsers like Safari/Chrome/IE only work on Vista or greater because they use the O/S TLS implementation
4. Safari/Chrome only work on 10.5.7 or above on Macs

Posted by Aniruddh - November 24, 2011 at 2:35 am

Categories: Apache, Debian

Upgrade Debian Lenny To Squeeze In A Few Simple Steps

The systems used here did not have any RAID devices and used a simple partition scheme from a default basic Lenny install. If your setup deviates much from this, it’s highly recommended to read all details of the Debian Release Notes before you continue. Be warned. All commands are run as root, and Debian recommends using apt-get for the Squeeze upgrade process.

As with all upgrades, begin with a backup of your critical data

tar -czvf host.etc.tar.gz /etc

Edit your Apt sources list file

To prepare for the installer, we need to get to a point where the package system is in a clean state. Move the preferences file from the directory if used. If you have a very complicated Debian source file, I would recommend simplifying it to something close to the original install.

Update the packages for Lenny

apt-get update

Ready for first upgrade

apt-get upgrade
apt-get dist-upgrade

Check that no packages are on hold or in any half installed state
Ensure that we do not have any packages on hold

dpkg --audit
dpkg --get-selections | grep hold

For the final go ahead test

aptitude

Update the source list for Squeeze

apt-get update

Squeeze upgrade in two careful steps

apt-get upgrade

Check the exact version numbers and architecture, then install:

uname -r
apt-get install linux-image-2.6.26-2-amd64

If your system is old like my laptop, you would install:

apt-get install linux-image-2.6.26-2-686

Prepare grub2 and udev for the new system

update-grub
apt-get install udev

Once previous steps have completed, it’s time to restart the system

reboot

Almost there

Once the system has restarted, continue with the full upgrade phase: download, then upgrade

apt-get -d dist-upgrade

apt-get dist-upgrade

The latter will be interactive. Starting the system with the first menu item shows if grub2 works properly

upgrade-from-grub-legacy

Posted by Aniruddh - November 23, 2011 at 1:59 am

Categories: Debian

amon.so: Hijacking System Calls For Hardening PHP – Debian Lenny And Squeeze

amon.so is a library that integrates with the PHP interpreter and intercepts and manipulates the system calls provided by libc6. It replaces the execve() syscall with a custom function which does extra sanity checking in order to prevent an attacker from executing arbitrary code on the system by exploiting a vulnerability in a web-based application (such as a buggy CMS). It’s open-source software released under the terms of the GPL license and compatible with PHP running as a CGI process or Apache’s DSO module.

To install the compiler (gcc) with development libraries and header files, open a terminal and execute the following command:

apt-get install build-essential

The next step is to download the source code; we can get the file using wget:

wget http://www.lucaercoli.it/amon/amon.c

Then execute this command to generate the shared library file (libraries are listed after the source file so the linker does not drop -ldl):

gcc -fPIC -shared -o amon.so amon.c -ldl
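
The interposition technique described above, shown as an added example (this is not the code in amon.c): a preloaded library defines its own execve() that refuses any program not on an allowlist. The allowlist contents and the helper name exec_allowed are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumed policy for this example: the only programs PHP may start. */
static const char *const allowed_programs[] = {
    "/usr/sbin/sendmail",
    "/usr/bin/convert",
    NULL
};

/* Return 1 if path is exactly one of the allowed absolute paths, else 0.
 * An exact match also rejects relative names and "../" detours. */
int exec_allowed(const char *path)
{
    size_t i;

    if (path == NULL)
        return 0;
    for (i = 0; allowed_programs[i] != NULL; i++)
        if (strcmp(path, allowed_programs[i]) == 0)
            return 1;
    return 0;
}

/* Same prototype as libc's execve(): when this object is preloaded, the
 * dynamic linker resolves the program's execve() calls to this function. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    if (!exec_allowed(path)) {
        errno = EACCES;   /* refuse: the caller sees an ordinary failure */
        return -1;
    }
    /* Allowed: hand the request to the kernel. syscall(2) is used here
     * instead of dlsym(RTLD_NEXT, "execve"), so no -ldl is needed. */
    return (int)syscall(SYS_execve, path, argv, envp);
}
```

Built with gcc -fPIC -shared and loaded through LD_PRELOAD, this affects only dynamically linked callers that reach execve() through the symbol; statically linked code or a direct system call bypasses it.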

Posted by Aniruddh - November 21, 2011 at 5:03 am

Categories: Debian

How To Save Traffic With Lighttpd’s mod_compress (Debian Squeeze)

This article describes how to configure mod_compress on a Lighttpd web server (on Debian Squeeze). mod_compress allows Lighttpd to compress files and deliver them to clients (e.g. browsers) that can handle compressed content, which most modern browsers do. With mod_compress, you can compress HTML, CSS, JavaScript, text or XML files to approx. 20 – 30% of their original sizes, thus saving you server traffic and making your modem users happier.

Compressing files causes a slightly higher load on the server, but in my experience this is compensated by the fact that the clients’ connection times to your server decrease a lot. For example, a modem user that needed seven seconds to download an uncompressed HTML file might now only need two seconds for the same, but compressed file.

By using mod_compress you don’t have to be afraid that you exclude users with older browsers that cannot handle compressed content. The browser negotiates with the server before any file is transferred, and if the browser does not have the capability to handle compressed content, the server delivers the files uncompressed.

Posted by Aniruddh - at 5:03 am

Categories: Debian