January 9th, 2008 admin
There are two commonly used free file archiving and compression utilities that you will find in wide use on the internet.
tar – tape archive
This utility appends a list of files and/or directories into one flat file. It was commonly used in the early days of Unix when writing large amounts of information to tape.
Creating a tape archive:
tar -cf archive.tar myDirectories/
Note – adding the “v” flag turns on verbose mode, which prints the name of each file as it is processed; it works with any tar operation, not just extraction.
Listing the contents of an archive:
tar -tf archive.tar
It is generally a good idea to preview the contents of a tape archive before unpacking it. This matters most if you are currently root: an archive whose entries use absolute paths or ../ components can jump out of the current directory and write over important system files.
Extracting all files from an archive:
tar -xf archive.tar
To extract just part of the archive, supply one or more file or directory names after the archive name. You can list as many as desired here, separated by spaces.
tar -xf archive.tar filename
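As an added example (not from the original post), this Python script performs the preview check recommended above for .tar, .tar.gz and .tgz archives, and goes beyond a plain `tar -tf` listing by also resolving symlink and hard-link targets. The archive it builds for its own demonstration is constructed in memory.

```python
"""Audit a tar archive for members that would escape the extraction directory.

Added example, not part of the original post. It automates the preview step
the post recommends before `tar -xf` as root: absolute member names, ".."
path components, and links that point outside the archive root are reported
so the archive can be rejected before anything is written.
"""
import io
import posixpath
import tarfile


def check_name(name):
    """Return a reason string if `name` cannot be extracted safely, else None."""
    if posixpath.isabs(name):
        return "absolute path"
    if ".." in name.split("/"):
        return "parent-directory component"
    return None


def check_link(member):
    """Symlinks and hard links are safe only if their target stays under the root."""
    target = member.linkname
    if member.islnk():                      # hard link: target is another member name
        return check_name(target)
    if posixpath.isabs(target):
        return "symlink to absolute target " + target
    # Resolve the symlink relative to its own directory inside the archive.
    joined = posixpath.normpath(posixpath.join(posixpath.dirname(member.name), target))
    if joined == ".." or joined.startswith("../"):
        return "symlink escapes archive root via " + target
    return None


def unsafe_members(archive):
    """Return [(member_name, reason)] for every member that must not be extracted.

    `archive` is a path or a binary file object. Compression is auto-detected,
    so .tar, .tar.gz and .tgz all work. (Python 3.12+ can enforce the same
    rules at extraction time with tarfile's "data" filter; this is the audit.)
    """
    if hasattr(archive, "read"):
        tar = tarfile.open(fileobj=archive)
    else:
        tar = tarfile.open(archive)
    findings = []
    with tar:
        for member in tar:
            reason = check_name(member.name)
            if reason is None and (member.issym() or member.islnk()):
                reason = check_link(member)
            if reason is not None:
                findings.append((member.name, reason))
    return findings


def build_sample_archive():
    """Constructed in-memory archive mixing safe and unsafe members (not a real download)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("myDirectories/notes.txt",
                     "myDirectories/../../etc/hosts",   # climbs out of the tree
                     "/etc/motd"):                      # absolute path
            data = b"sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        escape = tarfile.TarInfo("myDirectories/escape")
        escape.type = tarfile.SYMTYPE
        escape.linkname = "../../"                       # resolves above the root
        tar.addfile(escape)
        local = tarfile.TarInfo("myDirectories/local")
        local.type = tarfile.SYMTYPE
        local.linkname = "notes.txt"                     # stays inside: fine
        tar.addfile(local)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample_archive()
    for name, reason in unsafe_members(source):
        print(f"REFUSE {name}: {reason}")
```

Run it with the archive path as the only argument; with no argument it audits the built-in sample and reports three members.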
gzip – gnu zip
This is a gnu utility that is used to compress/decompress a file. Generally, if there is a set of files to compress, they will be sent through tar first to create a single file.
Compress:
gzip archive.tar
Decompress:
gunzip archive.tar.gz
Merged filenames:
Sometimes you will download files ending with the extension .tgz; these are identical to files ending in .tar.gz. You can gunzip and untar them in just the same way. If you’re working with a recent version of GNU tar, you may be able to take a shortcut, as described below.
Merging commands
The “z” flag works with gzip, to either create a tar/gzipped archive:
tar -czvf archive.tgz files/
…or decompress a tar/gzipped archive:
tar -xzvf archive.tgz
tar to a pipe
If you’re concerned with filling your disk during a tar, or with filling a disk cache, you can also tar to a pipe. This never writes the intermediate archive file to disk; the data passes through the pipe buffer in memory straight into a second tar that unpacks it in another directory:
tar -cf - ./filename | (cd other-directory; tar -xf -)
Disclaimer:
By reading and/or using the information within this web page you agree to hold the author, publisher and all related entities harmless from any claim directly or indirectly related to the information given or the use of any part of the information on this web site. Use at own risk. No responsibility taken.
Posted in Linux | Comments Off on Unix file compression utilities:
January 9th, 2008 admin
This works even if the default route is wrong, as long as the route to the proxy server is known and accessible.
Use the IP address of the proxy server if DNS is not working.
THESE LINES MUST BE TYPED ONE BY ONE, IN THIS ORDER, AT THE COMMAND LINE. PUTTING THEM INTO AN EXECUTABLE SCRIPT DOES NOT WORK, because a script runs in a child shell and its variables vanish when it exits; to set them from a file, source it with . filename instead.
http_proxy="http://PROXY_SERVER:PORT/"
export http_proxy
ftp_proxy="http://PROXY_SERVER:PORT/"
export ftp_proxy
Posted in Linux | Comments Off on Force current Linux shell session to use proxy server.
January 9th, 2008 admin
The transparent proxy features of Squid and Linux can be combined to provide a caching server that is completely invisible to all users of your LAN or ISP. If you have some knowledge of Unix networking, the setup is easy. This page will show you how.
These directions are intended for stable kernel 2.0.x. They may or may not work on older kernels. If you are running a recent development kernel 2.1.x or stable kernel 2.2.x, please follow these directions: Transparent Proxy with Linux-2.1.x/2.2.x and Squid. This page is not meant to be an all-inclusive Squid FAQ. If you have problems or questions outside the scope of this document, please see The Squid Home Page and go to the Documentation link.
- Make sure that your kernel is configured properly. This may involve a recompile, which is beyond the scope of this document. If you need help on compiling a kernel, please see The Kernel HOWTO. You will need the following options: Prompt for Development and/or Incomplete code drivers, Network Firewalls, TCP/IP Networking, IP Forwarding/Gatewaying, IP Firewalling, IP Transparent Proxy Support. Optimize as Router Not Host is optional, but recommended.
- Install Squid. Squid can be obtained from squid.nlanr.net. I would recommend that you get the latest source version of 2.1 (2.2 is still beta as of this writing).
- Gunzip and untar the archive.
- Run the following to compile squid:
./configure && make && make install
- Configure your squid.conf to your needs. There are four things you will want to make sure you have for transparent proxying:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Also pay attention to
http_port
The default value of 3128 should be fine for almost everyone. You’ll need to know what value you’re using a little later.
- Install the IP Firewall Administration package if you don’t already have it. You can get this from: tsx-11.mit.edu/pub/linux/packages/tools. (You should already have it; it comes with Slackware, Red Hat, and Debian…).
- Set up your IP firewalling rules. You need to know two things, the IP address of the box (I’ll use 192.168.1.1 as an example) and the port that squid is running on (I’ll use the default 3128 as an example). Use the following commands:
ipfwadm -I -a a -P tcp -S any/0 -D 127.0.0.1 80
ipfwadm -I -a a -P tcp -S any/0 -D 192.168.1.1 80
ipfwadm -I -a a -P tcp -S any/0 -D any/0 80 -r 3128
Add these to your appropriate startup script(s).
- If this is a new installation of squid, initialize squid’s cache directories with
squid -z
- Start squid with
squid &
- Change the gateways for the computers on your LAN and/or ISP to point to the IP address of your Squid box and you’re in business.
Posted in Linux | Comments Off on Transparent Proxy with Linux and Squid 2
January 9th, 2008 admin
- Central control – The user cannot change his/her browser to bypass the cache.
- Not robust – Because transparent caching relies on a stable routed path between the client and the origin server which happens to pass through a “cached path,” it is susceptible to routing changes in the Internet. In other words, if a connection between a client and a cache is established and a routing change occurs which causes the client to take a path which no longer flows through the “diverting” network device, the session will break and the user will have to reload the page. If routes in the Internet are flapping, then results will be even more unpredictable.
- User control – Transparent caching takes control away from the user. Many users have very strong biases about caching and will actually change ISPs to either avoid it or get it.
- Browser dependency – For successful operation, many transparent caches rely on the browser supplying the host name of the origin server in the HTTP request header. This is required because these caches cannot access the destination IP address of the origin server from the IP address of the packet. Therefore, upon a cache miss, they cannot determine the origin server address to send the request to. Some early browsers do not provide this information and therefore will not work properly with these transparent caches, but 90% of today’s browsers satisfy the above. In the real world, many network providers have observed that a significant amount of HTTP requests are for non-cacheable content (as much as 35-45%). The hit rate and performance of the cache is inversely proportional to the amount of non-cacheable content sent to the cache.
- Policy based routing.
- Using smart switching.
- By setting the Squid box up as a gateway.
L4 SWITCH – An L4 switch operates at Layer 4 in the OSI model – the Transport layer. L4 switches base their switching decisions on information in the TCP header, and TCP is a protocol that resides at Layer 4 in the OSI seven-layer model. These switches determine where to pass the traffic based on the port number.
L7 SWITCH – At the time of this writing, more sophisticated switches are becoming available. These new switches operate at Layer 7 of the OSI model – the Application layer. Because these switches operate at Layer 7, they can understand URLs and can understand much more about the traffic than an L4 switch can. An L7 switch provides the same features that an L4 switch provides plus additional, more sophisticated features.
- Some L4 and L7 switches can switch more than a gigabyte of data.
- For HTTP transparent caching, they partition traffic based on the requested Web server’s IP address.
- For HTTP transparent caching, they can be configured to send traffic directly to the Internet if a Web cache fails.
How the L7 switch is different:
- An L7 switch can partition HTTP client traffic based on the requested URL.
- For HTTP requests, the L7 switch can look at the request and determine whether the object is cacheable. With an L7 switch, requests for obviously non-cacheable objects, such as URLs with cookies and CGI, will bypass the cache. Non-cacheable objects are then obtained directly from a Web server.
Performance comparison between L4 and L7 switches:
The performance of L4 and L7 switches is similar. However, because the L7 switch looks more closely at TCP/IP packets for port 80 or port 119, its response time is slightly slower than that of an L4 switch.
Packets headed for port 80 on some computer on the Internet must be redirected by the router or L4 switch (as explained before) to the computer where Squid is running. This can also be achieved by setting the Squid box up as a gateway.
On the Squid box, packets which have been redirected there by a smart switch or router still need to be redirected to the port where Squid is listening. Squid cannot do this itself; the redirection must be done by the Linux kernel, using the ipchains program. The kernel receives a packet for port 80, looks at the firewall configuration, and adjusts the packet appropriately, i.e. by changing the destination port to 3128, or whatever port Squid is running on. If you need IP Filter redirection, then use the --enable-ipf-transparent configure option in Squid to support certain HTTP clients (HTTP/1.0 clients that do NOT send the Host header). However, normal browsing using the popular browsers will work even without it.
Using smart switching
Positive:
- Fail over: For HTTP transparent caching, if a Squid proxy server is down or is too busy, the switch passes the traffic to the Internet or, if there are multiple Squid proxy servers, to another Squid proxy server it is configured to recognize.
Negative:
- Comparison of using a router to using an L4 or L7 switch: For many routers, complex filters, such as a filter for intercepting HTTP (port 80) or NNTP (port 119) requests, can have a dramatic negative impact on the performance of the router. Conversely, L4 and L7 switches are designed to intercept packets of different types. With a policy-based router (non-Cisco router or a Cisco router not running WCCP), the system administrator must manually set up how requests will be distributed, which might result in less efficient partitioning of requests than if a switch were used.
Squid box as a gateway
Positive:
- Low cost of implementation.
Negative:
- It is beneficial only for small LAN and WAN users.
Conclusion
This paper has outlined the various methods of implementing transparent caching using Squid. Each of these methods has its advantages; the choice is left to the implementation team, which has to decide based on their network, data access pattern, volume of data, request rate, criticality and budget available. Web caching is a mature technology and Squid is a very widely used web caching application. The choice and method of implementation may vary, and other features present in an implementation may continue or be enhanced, but the underlying fundamentals will be the same as those discussed here. There are other tools available to supplement the system, such as reporting tools, configuration and management tools, and load balancing for implementing multiple cache boxes. Finally, the overall success largely depends on the configuration and fine-tuning of both Squid and Linux.
Posted in Linux | Comments Off on Implementing Transparent Caching using Squid
January 9th, 2008 admin
This describes how to set up Squid authentication against the system password file, /etc/passwd (or rather /etc/shadow if you use shadow passwords, which modern distributions do).
Note: there are other ways to authenticate. Recommended reading is: http://www.squid-cache.org/Doc/FAQ/FAQ.txt
Nevertheless I have done this on a RedHat 9.0 machine in a secure environment and it works:
Do this as root:
chown root.root /usr/local/squid/bin/ncsa_auth
chmod 755 /usr/local/squid/bin/ncsa_auth
chmod u+s /usr/local/squid/bin/ncsa_auth
then change squid.conf so it reads as follows (the program path must point at the ncsa_auth binary you just made setuid, so adjust it if yours lives under /usr/local/squid/bin rather than /usr/lib/squid):
auth_param basic program /usr/lib/squid/ncsa_auth /etc/shadow
auth_param basic children 5
auth_param basic realm proxy-caching
auth_param basic credentialsttl 2 hours
and add these lines:
acl passwd proxy_auth REQUIRED
http_access allow passwd
You then create a normal user account on your machine for each proxy user. Yes, they also get access to whatever else a local account allows.
This should be all you have to do.
Posted in Linux | Comments Off on Squid authentication
January 9th, 2008 admin
Since there are a million different pages covering Samba, I’ll just make some short notes on what I had to change in the default config to have the machine keep a network disk sharable, so that my other computer, running Windows 98, can mount it as a network disk without specifying a password.
Change the line in /etc/smb.conf that says security = user to instead read security = share.
Add a section in the ‘Share Definitions’ that looks something like:
[data]
comment = General Data Disk
path = /data
read only = No
guest ok = Yes
Make samba reload the config file and fly…
Posted in Linux | Comments Off on Very Simple Samba Disk Sharing
January 9th, 2008 admin
by David “Del” Elson
last updated May 30, 2001
Introduction
A web proxy server is a useful service to have on your network, or between your network and the Internet, as it provides an extra security layer that insulates your users from the Internet. A proxy server can also act as a cache, allowing users to share downloads transparently and speeding up Internet access, especially for frequently-used files. Squid is a high-performance and relatively secure web proxy server that includes good caching facilities. It is one of the most commonly used proxy servers on the Internet. More information about Squid can be obtained from http://www.squid-cache.org/. This article will give a general overview of setting up Linux and Squid as a web proxy server.
Installing Linux
The best way to install Linux is to use one of the many freely available distributions. Red Hat Linux and Debian are two of the more popular distributions of Linux. Each distribution of Linux will come with its own installation instructions, usually packaged with the distribution or available on the Internet. For example, the Red Hat Linux installation instructions for version 7.1 are available here. You may also want to look at a previous SecurityFocus article, Installing Linux, by Peter Merrick, which includes some recommendations on system hardening that you may want to think about before installing Squid.
Installing Squid
Installing From Package
Note that your Linux distribution will usually come bundled with a packaged version of Squid; however, it may not have been installed at the time the distribution was installed. For example, after installing Red Hat Linux 7.1, you will find that the Squid package is not installed. Squid is located on the Red Hat installation CD #2, in the RedHat/RPMS directory. To install it from there, make sure that you are logged in as root, and use the rpm command as follows:
mount /mnt/cdrom
rpm -Uhv /mnt/cdrom/RedHat/RPMS/squid-*.rpm
umount /mnt/cdrom
During the installation process, you should see a row of hashes (#) to indicate the progress of the installation.
On a Debian Linux system, you can use the apt-get program to automatically download and install Squid from the Internet, as follows:
apt-get install squid
Note that if you are not connected to the Internet, the above command will fail. You may instead want to install Squid from a Debian CD-ROM. Installation instructions from CD-ROM may vary, and so you should check with the person who supplied your CD-ROM.
Installing From Source
If you prefer to install Squid from the source files, then you can do this on just about any Unix system. First, you will need to obtain the latest source code from the Squid web site, at http://www.squid-cache.org/.
The Squid source code comes in a compressed tar file, so you will need to uncompress it as follows:
zcat squid-2.3.STABLE4-src.tar.gz | tar xf -
(Note: to do this, I obtained the 2.3.STABLE4 release of Squid from the Squid web site. You may have a different release of Squid, and so may need to adjust the above command.)
Once you have uncompressed the tar file, you will need to configure, make, and install Squid as follows:
cd squid-2.3.STABLE4
./configure
make all
make install
For further information on installing Squid, read the INSTALL file which is provided with the Squid source code. You may wish to provide some options to the above ./configure command to specify the location of the Squid programs, configuration files, etc.
Configuring Squid
Everything in Squid is configured using a single configuration file, called squid.conf. Depending on your Linux distribution, the file may be in /etc/squid.conf or in /etc/squid/squid.conf. Before proceeding any further, you should locate this file on your system. One way to do this is with the command:
locate squid.conf
There are a number of methods of configuring Squid using a web based or other GUI. These GUIs have the ability to read, understand, and write back the configuration file to the correct place.
Instead of focusing on one of these GUIs, I will show you some examples of configuring Squid manually. For this purpose, you will need a text editor such as vi or emacs (or even a GUI based editor such as kedit if you prefer), and you will also need to be logged in on your server as root so that you have write access to the Squid configuration file.
The Squid configuration file contains many, many options. I will not cover all of these options (there are comments throughout the file as to what these options mean), but I will focus on getting some of the most common options correct.
Default Configuration
By default, Squid comes with a configuration file that is mostly correct and almost useable. It contains default settings for many of the options that require a setting, and should, by itself, allow access to your Squid configuration in a fairly secure manner from your local server only.
In order to allow Squid to be used as a proxy server for your entire network, there are a number of things that you will want to configure before you begin using Squid.
Starting Point (Basic) Configuration
When I began using Squid, I found that most of the comments in the squid.conf file were useful and informative. These days, however, I have developed a bit of a habit of deleting all of them (including the blank lines) before I begin. This reduces Squid’s 76K default configuration file as supplied on Red Hat 7.1 to 688 bytes! I find that I only use a few of the configuration items in this file, and the smaller file is much easier to work with in an editor.
To the basic (as-supplied) squid configuration file, I add the following options:
acl privatenet src 192.168.0.0/255.255.0.0
http_access allow privatenet
cache_effective_user squid
cache_effective_group squid
There are a few things to make note of regarding these options:
- The acl privatenet src statement above needs to reflect your internal network. For example, I have a couple of private networks located behind my firewall that use the IANA assigned private address ranges 192.168.x.x. For the sake of convenience, I allow the entire 192.168.x.x network to access Squid, since none of these addresses exist on the Internet; all of them must be private.
- The http_access allow privatenet statement must occur before the default http_access line in the squid.conf file, which is http_access deny all. Here is an example, from my squid.conf file:
acl privatenet src 192.168.0.0/255.255.0.0
http_access allow localhost
http_access allow privatenet
http_access deny all
- By default, Red Hat Linux creates a user called ‘squid’, in the group called ‘squid’, and makes this user the owner of the /var/spool/squid directory, which is where Squid stores its cache. It makes sense to run the squid process as this (unprivileged) ‘squid’ user, for security purposes. That way, anyone managing to hack the squid process using a buffer overflow or similar attack will not end up with root access to your machine.
Configuration Examples
Note that the above configuration file entries only provide a small part of what you may want to do with your Squid proxy. Some other examples are noted in this section.
Logging
By default, Squid stores some information in a few log files. I prefer to specify the log files that I expect Squid to use directly in the squid.conf file, as follows:
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
With the above lines, Squid will store error messages in the file /var/log/squid/cache.log (this should be checked periodically), and access messages in the file /var/log/squid/access.log. There are a number of useful programs that can analyse the access log file, including SARG (formerly known as sqmgrlog).
I have never found anything useful in squid’s cache_store_log file, so this can be disabled safely by using the line above.
Cache Access
You may want to allow access to your cache from a number of networks. This is accomplished by using various acl and http_access lines.
Note that an acl line defines a network or other access device, whereas an http_access allow or http_access deny line naming that acl grants or denies access to it. Therefore, you should put your acl lines before the http_access lines in your configuration file.
I have given one example of allowing access to a private network above. Note that you should refrain from using a catch-all line like http_access allow all unless you really want the entire Internet using your Squid server as their web cache!
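The ordering rules just described can be checked mechanically. The following Python linter is an added example (not part of Squid or of this article): it reads a squid.conf and reports acls used before their definition, http_access lines that can never match because they follow http_access deny all, and a catch-all allow. The two configuration samples it carries are constructed from the layout shown above.

```python
"""Lint the acl / http_access section of a squid.conf.

Added example, not part of Squid or the original article. It mechanises the
ordering rules the article stresses: an acl must be defined before any
http_access line uses it, an http_access line after `http_access deny all`
can never match, and `http_access allow all` turns the cache into an open
proxy. Squid applies http_access rules top to bottom and stops at the first
match, which is why order matters.
"""


def lint_http_access(conf_text):
    """Return a list of (line_number, message); an empty list means clean.

    Line number 0 marks a whole-file finding. Comments after '#' are ignored,
    as are directives other than acl and http_access. 'all' is treated as
    predefined because the stock squid.conf of this era defines it up front
    and Squid 3.2+ builds it in.
    """
    findings = []
    defined = {"all"}
    deny_all_line = None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl" and len(words) >= 3:
            defined.add(words[1])
            continue
        if words[0] != "http_access" or len(words) < 2:
            continue
        action, acls = words[1], words[2:]
        if action not in ("allow", "deny"):
            findings.append((lineno, f"unknown http_access action {action!r}"))
            continue
        if deny_all_line is not None:
            findings.append((lineno, f"unreachable: comes after 'http_access deny all' on line {deny_all_line}"))
        for name in acls:
            if name.lstrip("!") not in defined:     # '!' negates an acl; strip it for the lookup
                findings.append((lineno, f"acl {name.lstrip('!')!r} used before it is defined"))
        if action == "allow" and acls == ["all"]:
            findings.append((lineno, "'http_access allow all' lets the whole Internet use this cache"))
        if action == "deny" and acls == ["all"] and deny_all_line is None:
            deny_all_line = lineno
    if deny_all_line is None:
        findings.append((0, "no final 'http_access deny all': unlisted clients get the opposite of the last rule"))
    return findings


# Constructed samples: the article's working layout, and a broken variant.
GOOD_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl privatenet src 192.168.0.0/255.255.0.0
http_access allow localhost
http_access allow privatenet
http_access deny all
cache_effective_user squid
"""

BAD_CONF = """\
http_access allow privatenet   # used before its acl line
http_access deny all
acl privatenet src 192.168.0.0/255.255.0.0
http_access allow privatenet   # never reached
http_access allow all          # open proxy
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(f"{label}: {lint_http_access(conf) or 'clean'}")
```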
Talking to an External (Upstream) Proxy
It may be advantageous to use an upstream proxy for Squid. This can speed Internet access up noticeably; for example, when your ISP also has a Squid cache that many users access. The ISP’s cache can, over time, build up a large cache of many different sites, allowing faster access to those sites from your network.
For inter-cache communication, Squid supports a protocol known as ‘ICP’. ICP allows caches to communicate with each other using fast UDP packets, sending copies of small cached files to each other within a single UDP packet if they are available. Many other cache products also support ICP, and if you are going to network caches together then you should ensure that they all support ICP or a similar protocol.
To use an upstream proxy effectively, you should first determine what address it is (eg: proxyserver.yourisp.com), and what cache and ICP port (if any) it uses. Most ISPs will be happy to provide you with that information from their web sites or over the phone.
Using an upstream proxy that supports ICP is simple, using a line like this one:
cache_peer proxy.yourisp.com parent 3128 3130
prefer_direct off
The cache_peer line specifies the host name, the cache type (“parent”), the proxy port (3128) and the ICP port (in this case, the default, which is 3130).
If your parent cache does not support ICP then you could try the following combination instead:
cache_peer proxy.yourisp.com parent 3128 7 no-query default
prefer_direct off
Sibling Proxies and Sharing Caches
Note that in a high-volume situation, or a company with several connections to the Internet, Squid supports a multi-parent, multi-sibling hierarchy of caches, provided that all of the caches support ICP. For example, your company may operate two caches, each with their own Internet connection but sharing a common network backbone. Each cache could have a cache_peer line in the configuration file such as:
cache_peer theotherproxy.yournetwork.com sibling 3128 3130
Note that the peer specification has changed to sibling, which means that we will fetch files from the other cache if they are present there, otherwise we will use our own Internet connection.
Denying Bad Files
There are a number of files that I don’t allow my users to fetch, including the notorious WIN-BUGFIX.EXE file that was distributed with the Melissa virus. A simple ACL to stop this file from being downloaded is as follows (the file name is part of the URL path, so the match must be a url_regex rather than a dstdom_regex, which only sees the host name; and the deny line must come before your http_access allow lines, because Squid stops at the first matching rule):
acl nastyfile url_regex -i WIN.*BUG.*\.EXE
http_access deny nastyfile
Advanced Configuration
There are a number of other tricks that you can do with your Squid proxy. These include things like authentication, transparent proxying, denying access to certain files (eg: MP3 files) during business hours, etc. One word of warning: the Squid configuration file is fragile, and easily broken. If you break the configuration file then Squid will refuse to work, and may give you an error message that is not sufficiently understandable for you to figure out what you broke. For that reason it might be advisable to:
- make small changes, one at a time;
- keep a backup copy of your working squid configuration file; and,
- keep your squid configuration file under version control, such as in RCS or CVS.
Authentication
Authenticating users to Squid is one of the most common tasks that is required of administrators, for example, where your company grants or denies Internet access by user.
Setting up an acl to allow or deny user access can be done with the following configuration file lines:
authenticate_program /your/authentication/program
acl validusers proxy_auth REQUIRED
http_access allow validusers
The only thing remaining is to find a suitable proxy authentication program. Note that Squid does not provide any internal authentication; you have to point the authenticate_program line at an external authentication program of some kind.
Squid (as supplied on Red Hat 7.1) comes with a number of authentication programs, stored in /usr/lib/squid. These include smb_auth (for authenticating to an NT domain), squid_ldap_auth (for authenticating to an LDAP directory), and my preferred candidate which is pam_auth, which uses the system PAM libraries to authenticate users. The advantage of using pam_auth is that you can configure PAM to authenticate users through a variety of methods, and have the entire system and all programs on it (including the login program, XDM, Squid, Apache, and others) all using the same authentication configuration information and server.
To configure pam_auth, you will need to set up the following (note that this is for Red Hat Linux; instructions may vary for Debian):
- Create an /etc/pam.d/squid file. This should look like this:
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
- Make sure you have the following line in your squid configuration file:
authenticate_program /usr/lib/squid/pam_auth
- Make sure that you have run authconfig on your Red Hat system to define what authentication server you are using. I prefer to use LDAP, although you may use NIS, NIS+, or the shadow password files.
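To show what such an external authentication program actually does (this applies equally to the ncsa_auth setup in the earlier Squid authentication post), here is an added example of a basic-auth helper in Python. It is not ncsa_auth, pam_auth or any helper shipped with Squid; it assumes Squid's basic helper line protocol ("username password" in, "OK"/"ERR" out), an htpasswd-style user file in the {SHA} scheme, and install paths of my own choosing.

```python
#!/usr/bin/env python3
"""A basic-auth helper for Squid that checks an htpasswd-style {SHA} file.

Added example; it is not ncsa_auth, pam_auth or any other helper shipped
with Squid. Squid's basic-auth helper protocol (as I know it for the 2.x
line) is simple: Squid writes one "username password" line per login
attempt to the helper's stdin and expects "OK" or "ERR" on stdout. Because
the user file is a plain file readable by the squid user, the helper needs
no setuid bit and never reads /etc/shadow. Wire it up with the directive
your Squid version uses, e.g. (paths are assumptions):
    auth_param basic program /usr/local/bin/squid_sha_auth /etc/squid/users
or, on Squid 2.3/2.4, authenticate_program with the same arguments.
"""
import base64
import hashlib
import hmac
import sys


def sha_entry(user, password):
    """One htpasswd-style line in the {SHA} scheme, as `htpasswd -s` writes it."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def load_users(text):
    """Parse the user file into {user: sha1_digest}; skip blank, comment, malformed or non-{SHA} lines."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, entry = line.split(":", 1)
        if not entry.startswith("{SHA}"):
            continue                        # MD5/crypt schemes are out of scope here
        try:
            users[user] = base64.b64decode(entry[5:], validate=True)
        except ValueError:                  # binascii.Error is a ValueError
            continue
    return users


def check_credentials(user, password, users):
    """Constant-time comparison; unknown users are hashed too, so timing does not leak them."""
    expected = users.get(user, b"\0" * hashlib.sha1().digest_size)
    actual = hashlib.sha1(password.encode("utf-8")).digest()
    return hmac.compare_digest(actual, expected) and user in users


def handle_line(line, users):
    """Map one request line from Squid to the reply Squid expects."""
    parts = line.rstrip("\r\n").split(" ", 1)   # the password may itself contain spaces
    if len(parts) != 2 or not parts[0]:
        return "ERR"                            # malformed: never authenticate by accident
    # Squid 3.x percent-encodes both fields; urllib.parse.unquote them there.
    return "OK" if check_credentials(parts[0], parts[1], users) else "ERR"


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: squid_sha_auth USERFILE\n")
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        users = load_users(fh.read())
    for line in sys.stdin:                      # one request per line for the helper's lifetime
        sys.stdout.write(handle_line(line, users) + "\n")
        sys.stdout.flush()                      # Squid blocks until the reply arrives
    return 0


# Constructed sample user file (not real accounts).
SAMPLE_USERS_FILE = "\n".join([
    "# squid proxy users",
    sha_entry("alice", "correct horse"),
    "bob:$apr1$notsupported$xxxxxxxxxxxxxxxxxxxxxx",   # MD5 scheme: ignored
    "line without a colon",
])

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The same helper also replaces the setuid ncsa_auth arrangement from the earlier post: give the user file to the squid user instead of giving the helper root.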
Transparent Proxying
Transparent proxying is a method whereby you can put a proxy server between your network and the Internet, and have all WWW accesses directed to the proxy server automatically (note that this works for WWW but not for FTP). Be aware that transparent proxying and authentication are incompatible: they cannot both be done on the same server. If you were to try it, it might look like it is working, but it is not. If you must use authentication, then don’t try transparent proxying.
To set up transparent proxying, you need two things:
- A firewall rule, redirecting outbound traffic from your network to the proxy server.
- A squid configuration rule allowing squid to act as a transparent proxy.
To set up your firewall rule, you will need a rule such as the following (which is for ipchains):
/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 80 -j REDIRECT 3128
For iptables (Linux Kernel 2.4 and later) users, you may like to set up an iptables-based firewall on your squid server. As part of the firewall, you will need to create a DNAT rule mapping outgoing traffic on port 80 to port 3128 of the proxy server. Some programs that provide a GUI interface to iptables are discussed in A Comparison of iptables Automation Tools by Anton Chuvakin, and there is also a netfilter home page where you can find some documentation and a HOWTO with some more detailed instructions on setting up NAT rules.
The required Squid configuration lines to allow Squid to act as a transparent proxy are as follows:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Security Issues
Before Exposing Your Server to the Internet
Before exposing your server to the Internet, you should ensure that all unwanted services are turned off or disabled, that a secure firewall is in place, and that you have ensured that some level of monitoring is in place to detect and prevent intrusion. Previous SecurityFocus articles, such as Securing Linux part 1 and part 2, provide more information on this topic.
Ongoing monitoring
As with any server that is connected to the Internet, you may wish to have some kind of ongoing monitoring performed. A couple of useful programs for doing this include logcheck (mentioned in Securing Linux part 2, listed above), and AIDE, which is covered in Securing Linux with AIDE by Kristy Westphal.
Posted in Linux | Comments Off on CONFIGURING LINUX AND SQUID AS A WEB PROXY
January 9th, 2008 admin
added 3.19.2002 — written by David van Geyn (original location http://freebsd.peon.net/tutorials/20/)
Article Description: This document will briefly describe how to set up Sendmail on one host to route to another mail host on a port different than 25.
I was faced with a mail dilemma recently. My provider suddenly decided to block port 25 inbound for all ‘residential’ customers. This posed a problem for me, because I was routing all mail for me through the computer that was now blocked.
Luckily, I have access to a colocated box and was able to route mail there instead, until I figured out a way to get the mail eventually delivered to the proper box.
I searched the archives of ‘comp.mail.sendmail’ on Usenet and found what I was looking for.
A way to use mailertable to route mail to the specified host on a different port.
NOTE: Any occurrence of ‘940’ in this document can be changed to whatever port you want to use.
1. First, you need to specify another listening port in your sendmail.cf on the blocked host. You can do this by adding the following line:
OOPort=940
This will make sendmail listen on port 940 in addition to port 25.
2. Specify a new ‘relay mail header masquerading recipient rewriting’ line in the sendmail.cf on the host that will be forwarding the mail to your blocked host.
This can be done by first copying the Mesmtp rewriter that looks like this:
Mesmtp, P=[IPC], F=mDFMuXa, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
	T=DNS/RFC822/SMTP,
	A=TCP $h
Next, modify it to look like this:
Mesmtp940, P=[IPC], F=mDFMuXa, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
	T=DNS/RFC822/SMTP,
	A=TCP $h 940
3. Now, you need to add your entry to your mailertable and indicate that you want to use ‘esmtp940’ instead of just ‘esmtp’.
example-domain.com esmtp940:[mx-blocked.example-domain.com]
4. Make sure example-domain.com has been added to your relay-domains file, otherwise the host that will receive mail on port 25 will not accept any mail for that domain.
5. Restart sendmail. Try sending some mail and see if your unblocked host forwards mail it receives for the domain to the blocked host on port 940.
This setup works perfectly for me. If you have any questions, comments, or suggestions let me know via ‘Feedback’.
Good luck!
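As an added example (written for this page, not part of David van Geyn's article), the script below checks the forwarding host's files for the two mistakes the follow-up notes on this page describe: a mailertable entry that names a mailer no M line in sendmail.cf defines (the 'unknown mailer' error), and a domain that is still in local-host-names or missing from relay-domains (mail delivered locally instead of forwarded). It also confirms that the mailer's A=TCP line carries the port you expect. The directory is a parameter (on a real system the files live in /etc/mail); the sample files are constructed to show the three cases.

```shell
# Added example: sanity-check sendmail's mailertable, relay-domains,
# local-host-names and sendmail.cf for the port-forwarding setup above.

check_relay_config() {
    dir=$1 domain=$2 port=$3 rc=0

    # The domain must be routed by a mailertable entry (key TAB value).
    entry=$(awk -v d="$domain" '$1 == d { print $2; exit }' "$dir/mailertable")
    if [ -z "$entry" ]; then
        echo "FAIL: no mailertable entry for $domain"
        return 1
    fi
    mailer=${entry%%:*}                         # e.g. esmtp940

    # The mailer named in that entry must be defined by an M line, and its
    # A= line (usually a continuation line) must end with the port.
    if ! grep -q "^M$mailer," "$dir/sendmail.cf"; then
        echo "FAIL: mailer $mailer is not defined in sendmail.cf (unknown mailer)"
        rc=1
    else
        cfport=$(awk -v m="M$mailer," '
            /^M/ { cur = ($1 == m) }                 # start of a mailer definition
            cur && match($0, /A=TCP \$h +[0-9]+/) {  # its A= line with a port
                s = substr($0, RSTART, RLENGTH); sub(/.* /, "", s); print s; exit
            }' "$dir/sendmail.cf")
        if [ "$cfport" != "$port" ]; then
            echo "FAIL: mailer $mailer uses port '${cfport:-none}', expected $port"
            rc=1
        fi
    fi

    # The forwarding host accepts mail for the domain only if it is in
    # relay-domains, and delivers it locally (ignoring mailertable) if the
    # domain is in local-host-names.
    grep -qxF "$domain" "$dir/relay-domains" 2>/dev/null ||
        { echo "FAIL: $domain is not in relay-domains"; rc=1; }
    if grep -qxF "$domain" "$dir/local-host-names" 2>/dev/null; then
        echo "FAIL: $domain is in local-host-names, so it would be delivered locally"
        rc=1
    fi

    [ $rc -eq 0 ] && echo "OK: $domain -> $mailer on port $port"
    return $rc
}

write_sample_config() {
    # Constructed sample files, not from a live system.
    # $1 = directory, $2 = good | local | nomailer
    mkdir -p "$1"
    # The stock esmtp mailer that every sendmail.cf carries.
    printf 'Mesmtp, P=[IPC], F=mDFMuXa, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\\r\\n, L=990,\n\tT=DNS/RFC822/SMTP,\n\tA=TCP $h\n' > "$1/sendmail.cf"
    if [ "$2" != nomailer ]; then
        # The copy from step 2, renamed and given the port.
        printf 'Mesmtp940, P=[IPC], F=mDFMuXa, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\\r\\n, L=990,\n\tT=DNS/RFC822/SMTP,\n\tA=TCP $h 940\n' >> "$1/sendmail.cf"
    fi
    printf 'example-domain.com\tesmtp940:[mx-blocked.example-domain.com]\n' > "$1/mailertable"
    if [ "$2" = local ]; then
        # The mistake from the October note: domain treated as local.
        printf 'localhost\nexample-domain.com\n' > "$1/local-host-names"
        : > "$1/relay-domains"
    else
        printf 'localhost\n' > "$1/local-host-names"
        printf 'example-domain.com\n' > "$1/relay-domains"
    fi
}

# Stand-alone demo over the three constructed configurations.
demo=$(mktemp -d)
for mode in good local nomailer; do
    write_sample_config "$demo/$mode" "$mode"
    check_relay_config "$demo/$mode" example-domain.com 940 || true
done
rm -rf "$demo"
```

Run it as `check_relay_config /etc/mail example-domain.com 940` on the forwarding host. Note that sendmail reads the hashed database, not the text file, so after editing mailertable rebuild it with `makemap hash /etc/mail/mailertable < /etc/mail/mailertable` and restart sendmail; the script checks the text file only.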
NOTE ADDED October 4, 2002
The following is a comment from an e-mail sent to me by a visitor of the site.
I received an e-mail from a visitor indicating that even though they’d added the proper things to ‘sendmail.cf’ and mailertable, the mail was still being delivered locally. The solution to this problem was to remove the domain that was supposed to be forwarded from the ‘local-host-names’ file and add it instead to the ‘relay-domains’ file.
NOTE ADDED November 1, 2002
The following is an excerpt from an e-mail sent to me by a visitor of the site.
This is an excellent tutorial but I found that I got the dreaded ‘unknown mailer’ error (sendmail 8.12) until I actually edited the ‘smtp.m4’ file and used this to ‘Make’ a new ‘sendmail.cf’ file. The change to the ‘smtp.m4’ file that I made was very simple, I just copied the ‘esmtp’ entry at the foot of the file and pasted it with a name of my choice … this is then in the ‘sendmail.cf’ file that is created via ‘Make’; just add the port to the ‘A=TCP $h port#’ line and away you go.
Hope this helps anyone out there with Sendmail 8.12.x.
Posted in Linux | Comments Off on Routing mail to a specific host on a specific port
January 9th, 2008 admin
Install the RPMs for mysql and mysql-server manually or with YUM or similar. Some dependencies may have to be fulfilled.
Start MySQL with:
service mysqld start
Make sure it starts on reboot:
chkconfig --level 3 mysqld on
First time root login to mysql only.
———————————–
1. First time mysql login (no mysql root password set yet):
$ mysql -uroot
Welcome to the MySQL monitor.
mysql>
2. Set your system wide mysql root password. Change the xxxxxx to your
password. Be careful to keep the quotemarks around the word root and
your xxxxxx:
mysql> use mysql;
Database changed
mysql> update user set password=password('xxxxxx') where user='root';
Query OK, 2 rows affected (0.00 sec)
Rows matched: 2 Changed: 2 Warnings: 0
3. Finish:
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit;
Bye
$
Setting up a mysql database for a user
======================================
Note. There is a very popular administration tool called phpMyAdmin at
http://www.phpmyadmin.net
Login to mysql and add an account and a new database.
—————————————————
1. Login to mysql with your mysql root password:
Note. If this fails, this may be a first-time login with no root password set yet; see the first-time login section above.
$ mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.
mysql>
2. Use the administration database:
mysql> use mysql;
Database changed
3. Add a user called XXXXX with password YYYYY (keep all the quotemarks):
mysql> insert into user (host, user, password) values('localhost', 'XXXXX', password('YYYYY'));
Query OK, 1 row affected (0.04 sec)
4. Create a database for XXXXX called WWWWW:
mysql> create database WWWWW;
Query OK, 1 row affected (0.01 sec)
5. Allow user XXXXX to administer the database called WWWWW:
mysql> grant all privileges on WWWWW.* to 'XXXXX';
Query OK, 0 rows affected (0.02 sec)
6. Tell mysql to update the mysql users and exit:
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit;
Bye
$
++++++++++++++++++++++++
You are now ready to use your new MySQL database and server.
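As an added example (written for this page, not part of the notes above), the script below generates the SQL for the root-password and per-user database steps with two changes a practitioner would want. First, the account is created with CREATE USER and every statement names it as 'XXXXX'@'localhost': in MySQL a grant written as `to 'XXXXX'` with no host part refers to 'XXXXX'@'%', which is a different account from the 'localhost' row inserted in step 3, and older servers create that wildcard account on the spot with an empty password. Second, names are validated and string values escaped before they are interpolated into SQL, so a password containing a quote cannot break the statement. It assumes MySQL 5.0-era syntax (CREATE USER, SET PASSWORD FOR); the values in the demo are placeholders.

```shell
# Added example: generate hardened SQL for the MySQL setup steps above.
# Pipe the output into `mysql -uroot -p` on the server.

sql_quote() {
    # Escape backslash and single quote so $1 can sit inside '...' in SQL.
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

valid_ident() {
    # Database and user names: letters, digits and underscore only, so they
    # can be used unquoted in the statements below.
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

root_password_sql() {
    # $1 = new root password. Unlike the UPDATE on the user table above,
    # SET PASSWORD takes effect immediately and needs no FLUSH PRIVILEGES,
    # but it changes one account; repeat it for each root row listed by
    # "select user, host from mysql.user where user='root'".
    printf "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('%s');\n" "$(sql_quote "$1")"
}

user_db_sql() {
    # $1 = database (WWWWW), $2 = user (XXXXX), $3 = password (YYYYY).
    valid_ident "$1" || { echo "bad database name: $1" >&2; return 1; }
    valid_ident "$2" || { echo "bad user name: $2" >&2; return 1; }
    [ ${#2} -le 16 ] || { echo "user name longer than 16 characters" >&2; return 1; }
    pw=$(sql_quote "$3")
    printf "CREATE DATABASE %s;\n" "$1"
    # Host-scoped account: only connections from the local machine match it.
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$2" "$pw"
    # The grant names the same account, so no wildcard-host account appears.
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'localhost';\n" "$1" "$2"
}

# Stand-alone demo with placeholder values.
root_password_sql 'xxxxxx'
user_db_sql WWWWW XXXXX YYYYY
```

If the application will connect from another host, use that host's name or address in place of 'localhost' rather than '%', so the account stays limited to the machine that actually needs it.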
Posted in Linux | Comments Off on Set up MYSQL server
January 9th, 2008 admin
I recently obtained a 120 GB hard disk and wanted to move my existing Red Hat Linux 8.0 partitions to the new disk. Here are the steps I used to move the data to the new disk:
It is a good idea to have a boot floppy made for your system. It makes recovery after all the copying much easier:
mkbootdisk -v --device /dev/fd0 2.4.18-14
1. Connect the new hard disk as the IDE Primary Slave. You may have to change the jumper settings on the IDE Primary Master when you connect a Primary Slave. (NOTE: I connected the new drive in the position where the old drive was, so I could easily create the boot loader with grub-install or lilo.)
2. Boot a Red Hat Linux installation CD into Rescue Mode by typing linux rescue.
3. Use fdisk to create partitions on the new hard disk.
My old hard disk had the following file systems:
/dev/hda1 /boot 100 Megabytes
/dev/hda2 swap 512 Megabytes
/dev/hda3 / (root) Remainder of disk space
My new hard disk appears to Linux as /dev/hdf. I used fdisk to partition the new hard disk similar to that of the old hard disk.
4. Create the ext3 and swap file systems on the new hard disk.
mkfs.ext3 /dev/hdf1
mkfs.ext3 /dev/hdf3
mkswap /dev/hdf2
5. Mount the /boot and / (root) slices from both disks.
mkdir /old/boot
mkdir /old/root
mount /dev/hda1 /old/boot
mount /dev/hda3 /old/root
mkdir /new/boot
mkdir /new/root
mount /dev/hdf1 /new/boot
mount /dev/hdf3 /new/root
6. Copy the file systems from the old disk to the new disk.
cd /old/boot
tar cvf - . | tar xvf - -C /new/boot
cd /old/root
tar cvf - . | tar xvf - -C /new/root
7A. At this point you can connect your new hard drive to the primary master position and reboot from the boot floppy you made at the beginning.
Then run either:
For GRUB (under RedHat):
grub-install /dev/hda
or for LILO:
lilo -v
If you have no boot floppy read on:
7B. Red Hat Linux uses file system labels in /etc/fstab. You will either have to edit the new /etc/fstab or (what I chose) use the e2label command to create file system labels on the new hard disk partitions.
e2label /dev/hdf1 /boot
e2label /dev/hdf3 /
8A. Edit the lilo boot loader configuration on the new hard disk. If you are experienced with the grub boot loader, you may want to use it instead of lilo.
umount /dev/hdf1
chroot /new/root
mount /dev/hdf1 /boot
vi /etc/lilo.conf
Add:
boot = /dev/hda
delay = 40
compact
vga = normal
root = /dev/hda3
read-only
image = /boot/vmlinuz-2.4.18-14
label = Linux
Run lilo -v to make the changes take effect.
8B. GRUB
umount /dev/hdf1
chroot /new/root
mount /dev/hdf1 /boot
/sbin/grub-install /dev/hda
exit
If your original disk is ext3, remember to do:
tune2fs -j /dev/hdXXX
for all your partitions except the swap partition (in this example, /dev/hdf1 and /dev/hdf3).
exit
This will reboot your system and it should boot without any hiccups.
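As an added example for the copy in step 6 (written for this page, not the author's own script), the functions below wrap the same tar pipe and then verify the result by comparing a checksum manifest of the source tree with one of the copy, so a truncated or partial copy is caught before the old disk is removed. Paths are parameters; the stand-alone demo uses a constructed sample tree in a temporary directory.

```shell
# Added example: copy a file system tree with a tar pipe and verify it.

copy_tree() {
    # $1 = source directory, $2 = destination (created if missing).
    # -p restores modes and ownership; root gets that by default, a
    # non-root user only with -p.
    mkdir -p "$2"
    ( cd "$1" && tar cf - . ) | tar xpf - -C "$2"
}

tree_manifest() {
    # One line per regular file: relative path, then CRC and size from cksum.
    # A fixed sort locale makes two manifests comparable byte for byte.
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s %s\n' "$f" "$(cksum < "$f")"
      done )
}

verify_copy() {
    # Returns 0 when the manifests of $1 (source) and $2 (copy) match,
    # 1 otherwise, printing the differing lines (< source, > copy).
    tmp=$(mktemp -d)
    tree_manifest "$1" > "$tmp/src"
    tree_manifest "$2" > "$tmp/dst"
    if diff "$tmp/src" "$tmp/dst" > "$tmp/diff"; then
        rc=0
    else
        rc=1
        grep '^[<>]' "$tmp/diff"
    fi
    rm -rf "$tmp"
    return $rc
}

make_sample_tree() {
    # Constructed sample standing in for /old/root (not real system files).
    mkdir -p "$1/etc" "$1/boot"
    printf 'LABEL=/ / ext3 defaults 1 1\n' > "$1/etc/fstab"
    printf 'kernel bytes\n' > "$1/boot/vmlinuz-sample"
    chmod 600 "$1/etc/fstab"
}

# Stand-alone demo: copy the sample tree and verify it.
demo=$(mktemp -d)
make_sample_tree "$demo/old"
copy_tree "$demo/old" "$demo/new"
verify_copy "$demo/old" "$demo/new" && echo "copy verified"
rm -rf "$demo"
```

On the real system this is `copy_tree /old/root /new/root` followed by `verify_copy /old/root /new/root`. The manifest covers file contents only; symlinks, device nodes and ownership are restored by tar but not compared here, so spot-check /dev and /etc by hand if the copy was made as a non-root user.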
Posted in Linux | Comments Off on Moving Linux to a new hard disk