Nasser Heidari

2009-09-28

kernel behavior on panic

Filed under: Linux — Nasser Heidari @ 09:32

By default the kernel stays halted after a panic. The panic=N boot parameter, added to the kernel line in grub.conf, makes it reboot automatically N seconds after a panic (N=0 means wait forever, a negative N means reboot immediately). The same knob is exposed at runtime as the kernel.panic sysctl (/proc/sys/kernel/panic), so it can also be set from /etc/sysctl.conf without touching the boot loader. For example, the following boot line forces a reboot 10 seconds after a panic:

kernel /vmlinuz-2.6.18-128.1.16.el5 ro root=/dev/VolGroup00/LogVol00 panic=10
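As an added example (not from the original post), the following shell functions read the panic= option out of a kernel command line, describe what the kernel will do with that value, and compare it with the value currently in force from sysctl. The sample command line is constructed to mirror the grub line above; the function names are this example's own.

```sh
# Added example (not from the original post): check the panic timeout that is in
# force now against the one the boot loader passes on the kernel command line.
# kernel.panic (sysctl) and panic= (cmdline) are the same knob; only the sysctl
# value reflects later changes from /etc/sysctl.conf or a hand edit.

# Print the value of key=value option $2 from kernel command line $1, or "unset".
# The last occurrence wins, which is how the kernel itself treats repeats.
cmdline_opt() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -F= -v key="$2" '$1 == key { v = $2; seen = 1 }
                             END { print seen ? v : "unset" }'
}

# Describe what the kernel does with a given panic timeout (kernel-parameters.txt):
# 0 waits forever, negative reboots at once, positive reboots after that many seconds.
panic_behaviour() {
    case "$1" in
        unset|0) echo "halt forever (no automatic reboot)" ;;
        -*)      echo "reboot immediately" ;;
        *)       echo "reboot after $1 seconds" ;;
    esac
}

# Succeed when the live value $1 (sysctl -n kernel.panic) equals what command
# line $2 sets; a mismatch means something after boot changed it.
panic_consistent() {
    next=$(cmdline_opt "$2" panic)
    if [ "$next" = unset ]; then next=0; fi
    [ "$1" = "$next" ]
}

# Constructed sample, the same shape as the grub line above (not a real host).
SAMPLE_CMDLINE='ro root=/dev/VolGroup00/LogVol00 panic=10'
```

On a live system the check is `panic_consistent "$(sysctl -n kernel.panic)" "$(cat /proc/cmdline)"`; it fails when a sysctl.conf entry or a hand edit has overridden what the boot loader configured, which is the case worth catching because the two settings are easy to confuse during an incident.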


Linux CPU Utilization

Filed under: Linux — Nasser Heidari @ 08:32

# yum install sysstat

# mpstat -P ALL

# sar -u -P ALL 2 5

# iostat -xtc 2

Top 10 CPU-consuming processes (the sort must be numeric, otherwise "9.5" ranks above "10.2"):
# ps -eo pcpu,pid,user,args | sort -k1,1 -nr | head -n 10
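mpstat and sar derive their percentages from the counters in /proc/stat. As an added example (not from the original post), here is that arithmetic done by hand from two snapshots of the "cpu" line, so the same check works on a host where sysstat is not installed. The two snapshots are constructed, not captured.

```sh
# Added example: busy-CPU percentage from two /proc/stat "cpu" lines, the same
# arithmetic mpstat and sar perform. Not part of the original post.
# Field order in /proc/stat: cpu user nice system idle iowait irq softirq steal [guest guest_nice]
# guest time is already included in user/nice, so only fields 2..9 are summed.
cpu_busy_pct() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        $1 == "cpu" {
            total = 0
            for (i = 2; i <= 9 && i <= NF; i++) total += $i
            t[NR] = total
            d[NR] = $5 + $6        # idle + iowait count as not busy
        }
        END {
            dt = t[2] - t[1]; di = d[2] - d[1]
            if (dt <= 0) { print "0.0"; exit }
            printf "%.1f\n", 100 * (dt - di) / dt
        }'
}

# Constructed sample snapshots one second apart (not captured from a real host).
SNAP1='cpu  100 0 100 800 0 0 0 0 0 0'
SNAP2='cpu  300 0 300 1200 0 0 0 0 0 0'
```

On a live box: `cpu_busy_pct "$(head -n 1 /proc/stat)" "$(sleep 1; head -n 1 /proc/stat)"`. Counting iowait as idle matches what `sar -u` reports as %idle plus %iowait; a host that looks idle to this function but is unresponsive is usually waiting on I/O, which is what the `iostat -x` line above is for.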

2009-09-26

Slackware – Apache 2 and PHP Installation

Filed under: Linux — Nasser Heidari @ 15:30

If you need PHP on Apache after installing Slackware, note that mod_php depends on t1lib, a package that is not pulled in by every installation profile, and that the stock httpd.conf does not include the PHP module configuration. Fetch the package (every Slackware package ships with a detached .asc signature; verify it with gpg before installing anything taken from a mirror), install it, enable the module and restart Apache:

# wget http://mirrors.usc.edu/pub/linux/distributions/slackware/slackware-13.0/slackware/l/t1lib-5.1.2-i486-1.txz
# installpkg t1lib-5.1.2-i486-1.txz
# echo "Include /etc/httpd/mod_php.conf" >> /etc/httpd/httpd.conf
# apachectl restart

Slackware boot on CCISS Dev

Filed under: Linux — Nasser Heidari @ 13:34

Today, after installing Slackware 13 on an HP DL360, I found out that lilo could not write the MBR, and eventually the OS could not be loaded!
After a bit of Googling I solved my problem; here is the solution:

Once the Slackware installation has finished, and before rebooting into the new OS, run the following from the installer shell:

# mkdir /mnt/root
# mount /dev/cciss/c0d0p1 /mnt/root      (c0d0p1 is my / partition)
# mount -o bind /dev /mnt/root/dev
# mount -t proc none /mnt/root/proc
# chroot /mnt/root

After chrooting, edit your lilo configuration file (/etc/lilo.conf) and change the boot device. boot= names where LILO writes its own boot sector; the next step installs a generic master boot record with lilo -M, which simply chain-loads the active partition, so the partition named here must be the one flagged bootable in the partition table:

boot = /dev/cciss/c0d0p4

and then:

# lilo -M /dev/cciss/c0d0 mbr
# lilo

Then reboot into your new OS.

2009-09-24

Defending Against Slowloris (Centos)

Filed under: Linux — Nasser Heidari @ 13:52

mod_antiloris caps the number of simultaneous connections a single client IP may hold in the request-reading state, which is exactly what Slowloris abuses by trickling partial request headers to tie up every Apache worker. The RPM below comes from a third-party mirror over plain FTP, so check its signature (rpm -K) before installing it:

# cd /tmp
# wget ftp://ftp.monshouwer.eu/pub/linux/mod_antiloris/mod_antiloris-0.3-1.el5.MIND.i386.rpm
# rpm -ivh mod_antiloris-0.3-1.el5.MIND.i386.rpm
# /etc/init.d/httpd restart
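Whether or not the module is installed, the symptom a Slowloris run leaves behind is one client holding many connections to the web port open at once. As an added example (not from the original post), the following counts established connections per remote IP from `netstat -nt` output and prints the ones over a threshold; the sample output is constructed, and the function assumes Linux netstat column order with IPv4 addresses.

```sh
# Added example: spot Slowloris-style clients by counting established connections
# per remote IP on the web port. Input is `netstat -nt` output (Linux, IPv4 columns:
# proto recv-q send-q local foreign state). Not part of the original post.
conns_per_ip() {   # usage: netstat -nt | conns_per_ip <port> <threshold>
    awk -v port="$1" -v limit="$2" '
        $1 == "tcp" && $6 == "ESTABLISHED" {
            split($4, local, ":")
            if (local[2] != port) next
            split($5, remote, ":")
            n[remote[1]]++
        }
        END { for (ip in n) if (n[ip] >= limit) print ip, n[ip] }' | sort -k2,2 -nr
}

# Constructed sample (not a real capture): one client holding four slots open,
# one holding three, one legitimate single connection, plus noise to be ignored.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.10.10.10:80          203.0.113.5:50001       ESTABLISHED
tcp        0      0 10.10.10.10:80          203.0.113.5:50002       ESTABLISHED
tcp        0      0 10.10.10.10:80          203.0.113.5:50003       ESTABLISHED
tcp        0      0 10.10.10.10:80          203.0.113.5:50004       ESTABLISHED
tcp        0      0 10.10.10.10:80          192.0.2.9:41000         ESTABLISHED
tcp        0      0 10.10.10.10:80          192.0.2.9:41001         ESTABLISHED
tcp        0      0 10.10.10.10:80          192.0.2.9:41002         ESTABLISHED
tcp        0      0 10.10.10.10:80          198.51.100.7:33000      ESTABLISHED
tcp        0      0 10.10.10.10:22          198.51.100.7:33001      ESTABLISHED
tcp        0      0 10.10.10.10:80          203.0.113.5:50005       TIME_WAIT'
```

Run it as `netstat -nt | conns_per_ip 80 20` during an incident. A browser opens a few connections per host, so a single IP sitting at tens of connections against a prefork Apache whose MaxClients is in the low hundreds is the signature to act on; the kernel sees these connections as ESTABLISHED because the TCP handshake completed, it is only the HTTP request that never finishes.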

2009-09-16

Slackware 13 -> Kernel 2.6.31, iptables-1.4.5 + l7-filter + TARPIT + ipp2p

Filed under: Linux — Nasser Heidari @ 15:19

————— Downloading and extracting packages:

# cd /usr/src
# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.31.tar.bz2
# wget http://iptables.org/projects/iptables/files/iptables-1.4.5.tar.bz2
# wget http://enterprise.bih.harvard.edu/pub/tarpit-updates/iptables-1.4.2-tarpit.diff
# wget http://ufpr.dl.sourceforge.net/sourceforge/xtables-addons/xtables-addons-1.18.tar.bz2
# wget http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.22.tar.gz
# wget http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2009-05-28.tar.gz

# for archive in *.bz2; do tar -jxf $archive;done
# for archive in *.gz; do tar -zxf $archive;done

————— Creating symbolic links:

# ln -s linux-2.6.31 linux
# ln -s iptables-1.4.5 iptables
# ln -s xtables-addons-1.18 xtables-addons

————— Patching and compiling the kernel:

# cd /usr/src/linux
# patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch 
# make menuconfig
    Networking options  --->
        ...
        [*] Network packet filtering framework (Netfilter)  --->
            Core Netfilter Configuration  --->
                <M> Netfilter connection tracking support
                ...
                <M> "layer7" match support

# make all && make modules_install
# cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.31-l7
# cp System.map /boot/System.map-2.6.31-l7
# cp .config /boot/config-2.6.31-l7
# vi /etc/lilo.conf

Add the new kernel as its own stanza and keep the existing one, so you can still boot the stock kernel if the patched one fails:

default = Sl-2.6.31

image = /boot/vmlinuz-2.6.31-l7
  root = /dev/sda2
  label = Sl-2.6.31
  read-only

# lilo
# reboot

————— Patching and installing iptables 1.4.5:

# cd /usr/src/iptables/extensions 
# cp ../../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* .
# sed -i 's/exit_error(/xtables_error(/' libxt_layer7.c 
# cd ..
# patch -p1 -NE < ../iptables-1.4.2-tarpit.diff 
# cp /usr/src/linux/include/asm-generic/bitsperlong.h /usr/src/linux/include/asm/
# ./configure --with-ksource=/usr/src/linux \
--prefix=/usr --with-xtlibdir=/lib/xtables --libdir=/lib --enable-libipq --enable-devel 
# make && make install
# cd /usr/src/l7-protocols-2009-05-28/
# make install

————— Compiling xtables-addons:

# cd /usr/src/xtables-addons 
# ./configure  --with-xtables=/lib  --prefix=/usr \
--mandir=/usr/share/man --infodir=/usr/share/info --libexecdir=/lib  \
--with-ksource=/usr/src/linux --includedir=/usr/include/ 
# make && make install

————— Testing the Installation:

# iptables -j TARPIT -h
# iptables -m ipp2p  -h
# iptables -m layer7 -h
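The help output only proves the extensions load. As an added example (not from the original post and not from the netfilter, l7-filter or xtables-addons projects), the following is a minimal rule set that uses all three, together with the caveat that matters most in practice: anything you TARPIT has to be excluded from connection tracking first, otherwise every probe held open by the tarpit occupies a conntrack entry until it times out. The ports, chains and protocol names are illustrative choices; `run`, `l7_rules` and the DRY_RUN/APPLY variables are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post or from the netfilter/xtables-addons
# projects): a minimal rule set that uses the three extensions built above.
# Ports and protocol names are illustrative. With DRY_RUN=1 the commands are
# printed instead of executed, so the ordering can be checked without root.
IPT=${IPT:-iptables}
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

l7_rules() {
    # 1. Anything we intend to TARPIT must bypass connection tracking first
    #    (raw table, NOTRACK): a tarpitted scanner otherwise occupies a conntrack
    #    entry for as long as it is held open, and enough of them fill the table.
    run "$IPT" -t raw -A PREROUTING -p tcp --dport 135:139 -j NOTRACK
    run "$IPT" -t raw -A PREROUTING -p tcp --dport 445 -j NOTRACK
    # 2. Hold unsolicited NetBIOS/SMB probes open in the tarpit instead of
    #    rejecting them, so a scanner spends its time on us.
    run "$IPT" -A INPUT -p tcp --dport 135:139 -j TARPIT
    run "$IPT" -A INPUT -p tcp --dport 445 -j TARPIT
    # 3. Drop forwarded traffic that ipp2p identifies as any p2p protocol it knows.
    run "$IPT" -A FORWARD -m ipp2p --ipp2p -j DROP
    # 4. layer7 classifies a connection from its early payload and stores the
    #    verdict in conntrack, so it needs tracked flows (never NOTRACK these).
    run "$IPT" -A FORWARD -m layer7 --l7proto ssh -j ACCEPT
    run "$IPT" -A FORWARD -m layer7 --l7proto edonkey -j DROP
}

# Apply when invoked with APPLY=1 as root; otherwise only define l7_rules.
if [ -n "$APPLY" ]; then l7_rules; fi
```

Review with `DRY_RUN=1 APPLY=1 sh l7_rules.sh`, then apply with `APPLY=1 sh l7_rules.sh` as root. Keep the NOTRACK rules and the TARPIT rules in lockstep: a TARPIT rule for a port that is still tracked is the one that quietly exhausts nf_conntrack under a scan.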

Thanks to:
http://www.ecualug.org
http://www.altctrldel.com

Squid as a reverse proxy (Web Accelerator)

Filed under: Linux — Nasser Heidari @ 03:25

Web server (origin) IP address -> 192.168.0.1
Public IP address that Squid listens on for web requests -> 10.10.10.10
Web server FQDN -> linax.wordpress.com

Two things in the configuration below are worth noting. The access rules only pass requests destined for the origin (http_access allow web-server http_port all, followed by http_access deny all), which keeps the accelerator from doubling as an open forward proxy. And the refresh_pattern overrides (reload-into-ims and friends are why the build uses --enable-http-violations) assume a public, unauthenticated site: any personalized page must be sent with Cache-Control: private or no-store by the origin, or Squid will hand one visitor's copy to the next.

# cd /usr/local/src/
# wget http://www.squid-cache.org/Versions/v2/2.7/squid-2.7.STABLE6.tar.bz2
# tar -jxf squid-2.7.STABLE6.tar.bz2
# cd squid-2.7.STABLE6/
# ./configure  --prefix=/opt/squid2.7 --disable-internal-dns \
 --enable-forward-log  --enable-follow-x-forwarded-for  --enable-snmp \
--enable-linux-netfilter  --enable-http-violations  --enable-delay-pools \
--enable-storeio=diskd,aufs,ufs,coss  --with-coss-membuf-size=8388608  --with-large-files \
--enable-large-cache-files  --with-maxfd=8192  --enable-async-io=64  \
--enable-removal-policies=lru,heap --enable-useragent-log  --enable-referer-log  \
--enable-err-languages=English  --enable-default-err-language=English
# make && make install
# cd /opt/squid2.7/etc/
# cp squid.conf{,-bak}

here is my squid.conf:
—————————————————————
# cat squid.conf

acl all src all
acl web-server dst 192.168.0.1/255.255.255.255
acl http_port port 80
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow web-server http_port all
http_access deny all
deny_info https://linax.wordpress.com/ all
icp_access deny all

http_port 10.10.10.10:80 accel defaultsite=linax.wordpress.com
cache_peer 192.168.0.1 parent 80 0 no-query originserver default
icp_port 0
hierarchy_stoplist cgi-bin ?

cache_mem 1024 MB
maximum_object_size_in_memory 128 KB
cache_dir aufs /opt/squid2.7/var/cache 4096 16 256
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
maximum_object_size 104857 KB
access_log /opt/squid2.7/var/logs/access.log squid
logfile_rotate 1

refresh_pattern cgi-bin 1 40% 2
refresh_pattern \.asp$ 1 40% 2
refresh_pattern \.acgi$ 1 40% 2
refresh_pattern \.cgi$ 1 40% 2
refresh_pattern \.pl$ 1 40% 2
refresh_pattern \.shtml$ 1 40% 2
refresh_pattern \.php3$ 1 40% 2
refresh_pattern \? 1 40% 2
refresh_pattern \.gif$ 10080 90% 43200 reload-into-ims
refresh_pattern \.jpg$ 10080 90% 43200 reload-into-ims
refresh_pattern \.bom\.gov\.au 30 20% 120 reload-into-ims
refresh_pattern \.html$ 480 50% 22160 reload-into-ims
refresh_pattern \.htm$ 480 50% 22160 reload-into-ims
refresh_pattern \.class$ 10080 90% 43200 reload-into-ims
refresh_pattern \.zip$ 10080 90% 43200 reload-into-ims
refresh_pattern \.jpeg$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mid$ 10080 90% 43200 reload-into-ims
refresh_pattern \.shtml$ 480 50% 22160 reload-into-ims
refresh_pattern \.exe$ 10080 90% 43200 reload-into-ims
refresh_pattern \.thm$ 10080 90% 43200 reload-into-ims
refresh_pattern \.wav$ 10080 90% 43200 reload-into-ims
refresh_pattern \.txt$ 10080 90% 43200 reload-into-ims
refresh_pattern \.cab$ 10080 90% 43200 reload-into-ims
refresh_pattern \.au$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mov$ 10080 90% 43200 reload-into-ims
refresh_pattern \.xbm$ 10080 90% 43200 reload-into-ims
refresh_pattern \.ram$ 10080 90% 43200 reload-into-ims
refresh_pattern \.avi$ 10080 90% 43200 reload-into-ims
refresh_pattern \.chtml$ 480 50% 22160 reload-into-ims
refresh_pattern \.thb$ 10080 90% 43200 reload-into-ims
refresh_pattern \.dcr$ 10080 90% 43200 reload-into-ims
refresh_pattern \.bmp$ 10080 90% 43200 reload-into-ims
refresh_pattern \.phtml$ 480 50% 22160 reload-into-ims
refresh_pattern \.mpg$ 10080 90% 43200 reload-into-ims
refresh_pattern \.pdf$ 10080 90% 43200 reload-into-ims
refresh_pattern \.art$ 10080 90% 43200 reload-into-ims
refresh_pattern \.swf$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mp3$ 10080 90% 43200 reload-into-ims
refresh_pattern \.ra$ 10080 90% 43200 reload-into-ims
refresh_pattern \.spl$ 10080 90% 43200 reload-into-ims
refresh_pattern \.viv$ 10080 90% 43200 reload-into-ims
refresh_pattern \.doc$ 10080 90% 43200 reload-into-ims
refresh_pattern \.gz$ 10080 90% 43200 reload-into-ims
refresh_pattern \.Z$ 10080 90% 43200 reload-into-ims
refresh_pattern \.tgz$ 10080 90% 43200 reload-into-ims
refresh_pattern \.tar$ 10080 90% 43200 reload-into-ims
refresh_pattern \.vrm$ 10080 90% 43200 reload-into-ims
refresh_pattern \.vrml$ 10080 90% 43200 reload-into-ims
refresh_pattern \.aif$ 10080 90% 43200 reload-into-ims
refresh_pattern \.aifc$ 10080 90% 43200 reload-into-ims
refresh_pattern \.aiff$ 10080 90% 43200 reload-into-ims
refresh_pattern \.arj$ 10080 90% 43200 reload-into-ims
refresh_pattern \.c$ 10080 90% 43200 reload-into-ims
refresh_pattern \.cpt$ 10080 90% 43200 reload-into-ims
refresh_pattern \.dir$ 10080 90% 43200 reload-into-ims
refresh_pattern \.dxr$ 10080 90% 43200 reload-into-ims
refresh_pattern \.hqx$ 10080 90% 43200 reload-into-ims
refresh_pattern \.jpe$ 10080 90% 43200 reload-into-ims
refresh_pattern \.lha$ 10080 90% 43200 reload-into-ims
refresh_pattern \.lzh$ 10080 90% 43200 reload-into-ims
refresh_pattern \.midi$ 10080 90% 43200 reload-into-ims
refresh_pattern \.movie$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mp2$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mpe$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mpeg$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mpga$ 10080 90% 43200 reload-into-ims
refresh_pattern \.pl$ 10080 90% 43200 reload-into-ims
refresh_pattern \.ppt$ 10080 90% 43200 reload-into-ims
refresh_pattern \.ps$ 10080 90% 43200 reload-into-ims
refresh_pattern \.qt$ 10080 90% 43200 reload-into-ims
refresh_pattern \.qtm$ 10080 90% 43200 reload-into-ims
refresh_pattern \.ras$ 10080 90% 43200 reload-into-ims
refresh_pattern \.sea$ 10080 90% 43200 reload-into-ims
refresh_pattern \.sit$ 10080 90% 43200 reload-into-ims
refresh_pattern \.tif$ 10080 90% 43200 reload-into-ims
refresh_pattern \.tiff$ 10080 90% 43200 reload-into-ims
refresh_pattern \.snd$ 10080 90% 43200 reload-into-ims
refresh_pattern \.wrl$ 10080 90% 43200 reload-into-ims
refresh_pattern ^ftp: 1440 60% 22160
refresh_pattern ^gopher: 1440 20% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 480 50% 22160 reload-into-ims

quick_abort_min 32 KB
quick_abort_max 32 KB
quick_abort_pct 95

acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

coredump_dir /opt/squid2.7/var/cache
cache_mgr nasser@linax.wordpress.com
visible_hostname linax.wordpress.com
dns_children 8
forwarded_for on
emulate_httpd_log on
redirect_rewrites_host_header off
buffered_logs on

—————————————————————
First Start:

# mkdir /opt/squid2.7/var/cache
# chown -R nobody:nobody /opt/squid2.7/var/cache
# /opt/squid2.7/sbin/squid -z

# /opt/squid2.7/sbin/squid -D
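Once it is serving, two things are worth watching in access.log: who is hitting the http_access deny all rule (on a reverse proxy these are mostly clients probing it as an open forward proxy), and whether the cache is actually absorbing load. As an added example (not from the original post), the following two functions compute both from the native "squid" log format named on the access_log line above; the sample log lines are constructed, and the function names are this example's own.

```sh
# Added example: two checks on Squid's native ("squid") access.log format, which is
# what the access_log line above selects. Not part of the original post.
# Fields: time elapsed client code/status bytes method URL ident hierarchy/peer type

# Clients whose requests the accelerator refused (TCP_DENIED): on a reverse proxy
# these are mostly people trying to use it as an open forward proxy or relay.
squid_denied_by_client() {   # usage: squid_denied_by_client < access.log
    awk '$4 ~ /^TCP_DENIED/ { n[$3]++ } END { for (c in n) print c, n[c] }' | sort -k2,2 -nr
}

# Cache hit ratio over served (non-denied) requests, as a percentage.
squid_hit_ratio() {          # usage: squid_hit_ratio < access.log
    awk '$4 ~ /^TCP_DENIED/ { next }
         $4 ~ /HIT\// { hit++ }
         { total++ }
         END { printf "%.1f\n", total ? 100 * hit / total : 0 }'
}

# Constructed sample log (not captured from a real proxy): one legitimate visitor
# with two hits and one miss, one client probing the box as an open proxy/relay.
SQUID_LOG='1253932800.101     12 203.0.113.5 TCP_HIT/200 5123 GET http://linax.wordpress.com/ - NONE/- text/html
1253932800.250     98 203.0.113.5 TCP_MISS/200 8120 GET http://linax.wordpress.com/about/ - FIRST_UP_PARENT/192.168.0.1 text/html
1253932801.004      3 198.51.100.7 TCP_DENIED/403 1420 GET http://www.example.com/ - NONE/- text/html
1253932801.120      2 198.51.100.7 TCP_DENIED/403 1420 CONNECT mail.example.com:25 - NONE/- text/html
1253932802.330     15 203.0.113.5 TCP_MEM_HIT/200 2048 GET http://linax.wordpress.com/style.css - NONE/- text/css'
```

Run them as `squid_denied_by_client < /opt/squid2.7/var/logs/access.log` and `squid_hit_ratio < /opt/squid2.7/var/logs/access.log`. A CONNECT to port 25 showing up as TCP_DENIED is the deny CONNECT !SSL_ports rule doing its job; a steady stream of them from one address is worth a firewall rule rather than a log entry.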

Thanks to Pejman Moghadam

2009-09-12

Linux Dummy network device

Filed under: Linux — Nasser Heidari @ 18:05

A dummy interface is used by TCP/IP to assign an IP address to your machine, which is required for both SLIP and PPP. The reason for a dummy interface is simple: When you connect to an ISP, your IP address is often assigned dynamically, and you never know what the IP address will be in advance. This can cause problems for TCP/IP routines in your kernel that need to know an IP address to function properly. TCP/IP is happy when you assign an IP address—the dummy interface IP address—to your machine. The need for an IP address internally is most important when you are not connected to your ISP because many network-aware applications (such as email, newsreaders, and so on) need to have some IP address to connect to, even if it doesn’t lead anywhere. This dummy interface IP address does not conflict with the one assigned by your ISP.

# modprobe dummy
# ifconfig dummy0 1.2.3.4 netmask 255.0.0.0
# modprobe dummy -o dummy1
# ifconfig dummy1 4.3.2.1 netmask 255.255.0.0

If you need several dummy interfaces, for example five, load the module once with the numdummies parameter instead of renaming it for each one:

# modprobe dummy numdummies=5