Tuesday, December 3, 2013

How to hide web server version from appearing in http header

For Apache, add the lines below to /etc/apache2/apache2.conf:

ServerTokens Prod

ServerSignature Off

where ServerTokens controls how much information is sent in the Server header. The options available for ServerTokens are (from the Apache docs):

ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Major
Server sends (e.g.): Server: Apache/2
ServerTokens Minor
Server sends (e.g.): Server: Apache/2.0
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/2.0.41
ServerTokens OS
Server sends (e.g.): Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

while ServerSignature controls the trailing footer line on server-generated documents, such as error messages and mod_proxy ftp directory listings. Setting it to Off suppresses the footer line.

Once added, restart or reload apache to activate the changes.
# /etc/init.d/apache2 restart

For nginx, add the line below to your /etc/nginx/nginx.conf (inside the http block):

server_tokens off;

where this line of config hides your nginx version number. Do not forget to restart or reload nginx for the change to take effect.
# /etc/init.d/nginx restart

To check the header, you can use curl:

curl -I www.foo.net

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Apache/2.2.15 (Red Hat)

where -I tells curl to fetch just the HTTP header.
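As an added example (not part of the original post), the check above can be scripted so it fails loudly when a version string is still present in the Server header. server_header_leaks parses the header block that curl -I returns; check_url wraps the live fetch. The two responses embedded below are constructed samples, one before and one after the ServerTokens change:

```shell
#!/bin/sh
# Added example (not from the original post): flag a Server header that still
# carries a version or OS string after ServerTokens / server_tokens was changed.

# server_header_leaks <header-text>: 0 when a version/OS detail is disclosed,
# 1 when only a bare product name (or no Server header at all) is present.
server_header_leaks() {
    # Header names are case-insensitive and lines end in CRLF: strip the \r first.
    value=$(printf '%s\n' "$1" | tr -d '\r' \
        | awk 'tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    [ -n "$value" ] || return 1
    # "Apache/2.2.15" or "(Red Hat)" after the product name counts as a leak.
    printf '%s\n' "$value" | grep -Eq '/[0-9]|\(' && return 0
    return 1
}

# check_url <url>: fetch headers only (curl -I, as in the post) and test them.
# Exit 0 = version disclosed, 1 = clean, 2 = fetch failed.
check_url() {
    hdrs=$(curl -sI --max-time 10 "$1") || return 2
    if server_header_leaks "$hdrs"; then
        echo "$1: Server header discloses version: $(printf '%s\n' "$hdrs" | tr -d '\r' | grep -i '^server:')"
        return 0
    fi
    echo "$1: Server header does not disclose a version"
    return 1
}

# Constructed sample responses in the exact shape curl -I prints them.
LEAKY=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nServer: Apache/2.2.15 (Red Hat)\r\n')
CLEAN=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nServer: Apache\r\n')
```

Run check_url against your own host after the restart; a 0 exit status means the change did not take (wrong config file, or a vhost overriding it).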

Thursday, November 28, 2013

Manually manipulating iptables in CentOS and Redhat

On Red Hat based distros, the iptables rules are kept by default in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. To manipulate the firewall, just add or remove rules in this file and restart the iptables service. For example, say we want to allow the tftp port, which is port 69 udp:

  1. Edit /etc/sysconfig/iptables
    • # vi /etc/sysconfig/iptables
  2. Add the following line, before the final LOG and DROP lines of the INPUT chain:
    • -A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT
  3. Save and close the file
  4. Restart the iptables service:
    • # /etc/init.d/iptables restart
  5. Check your new iptables rules, where -L lists all rules in the selected chain and -n prints addresses and ports numerically:
    • # sudo iptables -L -n
  6. You should see the line
    "ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:69"
    in the listed rules.
  7. To save the new rules permanently, just run:
    • # /etc/init.d/iptables save

To block any particular port, just edit /etc/sysconfig/iptables, remove the ACCEPT line containing that port, restart iptables, and you are done :)
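Step 2 is the one that goes wrong by hand: a rule appended after the catch-all at the end of the INPUT chain never matches. As an added example (not from the original post), insert_input_accept does that edit on an iptables-save style file such as /etc/sysconfig/iptables, placing the rule before the first LOG, DROP or REJECT rule of the INPUT chain in the filter table and refusing to add a duplicate. The sample file below is constructed (a typical RHEL 6 default set, where the catch-all is a REJECT rather than the LOG and DROP the post mentions); the function names are mine:

```shell
#!/bin/sh
# Added example (not from the original post): add an ACCEPT rule to an
# iptables-save format file before the INPUT chain's catch-all, then restart
# iptables as in step 4. Assumes the catch-all is a LOG, DROP or REJECT target.

# insert_input_accept <file> <rule-line>: edits the file in place; no-op if present.
insert_input_accept() {
    file=$1 rule=$2
    grep -Fxq -- "$rule" "$file" && return 0           # already there: idempotent
    tmp=$(mktemp) || return 1
    awk -v rule="$rule" '
        /^\*/ { table = substr($0, 2) }                  # *filter, *nat, ...
        table == "filter" && !done && /^-A INPUT / && / -j (LOG|DROP|REJECT)/ {
            print rule; done = 1                         # insert before the catch-all
        }
        table == "filter" && !done && /^COMMIT/ {
            print rule; done = 1                         # no catch-all: append to the chain
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# rule_position <file> <rule-line>: line number of the rule, 0 if absent.
rule_position() {
    awk -v rule="$2" '$0 == rule { print NR; found = 1; exit } END { if (!found) print 0 }' "$1"
}

# first_input_catchall <file>: line number of the first INPUT LOG/DROP/REJECT rule, 0 if none.
first_input_catchall() {
    awk '/^-A INPUT / && / -j (LOG|DROP|REJECT)/ { print NR; found = 1; exit } END { if (!found) print 0 }' "$1"
}

# Constructed sample in the layout of /etc/sysconfig/iptables (not a real host's file).
SAMPLE_IPT=$(mktemp)
cat > "$SAMPLE_IPT" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
TFTP_RULE='-A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT'
```

On a real box run it as root against /etc/sysconfig/iptables (after taking a copy), then restart the service and confirm with iptables -L -n that the new ACCEPT line sits above the REJECT/DROP line.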

Easily open port and service on iptables using lokkit

Lokkit is an iptables manipulation tool that belongs to the system-config-firewall-base rpm package. It has many uses, but in this article I just want to share how to open a port in iptables using lokkit. Let's say we want to open tcp port 1234; below is the command to do it (you must be root, or use sudo to execute it):

# lokkit -q -p 1234:tcp

where -q is quiet mode (no message is printed once the operation is done), and -p gives the port and protocol, in this case port 1234 over tcp.

If you want to open a common service like ssh, it can be done easily with the -s flag:
# lokkit -s ssh

To list all available services that lokkit can manage, use:
# lokkit --list-services

Predefined Services with Default Environment:

ipp-client: Network Printing Client (IPP)

    default: desktop

ipp: Network Printing Server (IPP)

mdns: Multicast DNS (mDNS)

    default: desktop

ipsec: IPsec

    default: desktop

ssh: SSH

    default: server

...

To see more verbose output, use the -v flag, like below:
# lokkit -s tftp -v
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
ip6tables: Flushing firewall rules:                        [  OK  ]
ip6tables: Setting chains to policy ACCEPT: filter         [  OK  ]
ip6tables: Unloading modules:                              [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
ip6tables: Applying firewall rules:                        [  OK  ]

Tuesday, November 12, 2013

How to capture top output to a readable format

For this case, we use batch mode in top. From top's manpage:
Starts  top in 'Batch mode', which could be useful for sending output from top to other programs or to a file.  In this mode, top will not accept input and runs until the iterations limit you've set with the '-n' command-line option or until killed.

Using it is easy: pass -b for batch mode and -n for the number of iterations you want. You can pipe the output to less, tail or head, or redirect it to a file, as needed.

foo@thorium:~$ top -b -n 1 | head
top - 10:47:15 up 3 days, 23:52,  1 user,  load average: 2.01, 0.99, 0.57
Tasks: 140 total,   2 running, 136 sleeping,   0 stopped,   2 zombie
Cpu(s): 13.2%us,  4.9%sy,  0.0%ni, 81.6%id,  0.3%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   1025608k total,   865376k used,   160232k free,    80332k buffers
Swap:   522236k total,    66468k used,   455768k free,   273996k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 1192 root      20   0  122m  65m  10m R 13.8  6.6 559:31.01 Xorg
19333 foo       20   0  234m  61m  13m S  9.8  6.2 626:59.69 nxplayer.bin
19440 foo       20   0  175m  14m 9612 S  7.9  1.5   0:44.78 lxterminal

The above command prints the first 10 lines of a single iteration of top in batch mode.
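The point of batch mode is to feed top's output to other programs. As an added example (not from the original post), the functions below pull the 1-minute load average, the zombie count and the top CPU consumer out of one top -b -n 1 snapshot, so the result can be logged or alerted on instead of read by eye. The snapshot embedded here is constructed to match the layout shown above; the function names are mine:

```shell
#!/bin/sh
# Added example (not from the original post): parse a single `top -b -n 1`
# snapshot. Column positions are taken from the header line, not hard-coded.

# Constructed snapshot in the layout of the post's output.
SNAPSHOT='top - 10:47:15 up 3 days, 23:52,  1 user,  load average: 2.01, 0.99, 0.57
Tasks: 140 total,   2 running, 136 sleeping,   0 stopped,   2 zombie
Cpu(s): 13.2%us,  4.9%sy,  0.0%ni, 81.6%id,  0.3%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   1025608k total,   865376k used,   160232k free,    80332k buffers
Swap:   522236k total,    66468k used,   455768k free,   273996k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 1192 root      20   0  122m  65m  10m R 13.8  6.6 559:31.01 Xorg
19333 foo       20   0  234m  61m  13m S  9.8  6.2 626:59.69 nxplayer.bin
19440 foo       20   0  175m  14m 9612 S  7.9  1.5   0:44.78 lxterminal'

# load1 <snapshot>: the 1-minute load average from the first line.
load1() {
    printf '%s\n' "$1" | awk 'NR == 1 { sub(/.*load average: /, ""); sub(/,.*/, ""); print }'
}

# zombies <snapshot>: the zombie count from the Tasks: line (the number before "zombie").
zombies() {
    printf '%s\n' "$1" | awk '/^Tasks:/ { for (i = 1; i <= NF; i++) if ($i == "zombie") print $(i - 1) }'
}

# top_cpu_cmd <snapshot>: command name of the process with the highest %CPU.
# The %CPU column index is read from the "PID USER ..." header so it survives
# layout differences between top versions.
top_cpu_cmd() {
    printf '%s\n' "$1" | awk '
        BEGIN { best = -1 }
        /^ *PID / { in_table = 1; for (i = 1; i <= NF; i++) if ($i == "%CPU") cpu_col = i; next }
        in_table && NF >= cpu_col && $cpu_col + 0 > best { best = $cpu_col + 0; cmd = $NF }
        END { print cmd }'
}

# summary <snapshot>: one line for a log file, e.g.  summary "$(top -b -n 1)"
summary() {
    echo "load1=$(load1 "$1") zombies=$(zombies "$1") top_cpu=$(top_cpu_cmd "$1")"
}
```

A cron job can append summary "$(top -b -n 1)" to a file every few minutes, which gives a cheap history of load spikes and runaway processes without a monitoring agent.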

Monday, November 11, 2013

Autospawn screen session on ssh connection

This is particularly useful when your ssh connection keeps getting disconnected and you have no privilege to tweak the ssh server settings to avoid that.

  1. First method, simple and easy, but it will create a new screen for every ssh session you open:
    echo 'screen -R' >> ~/.bash_profile; source ~/.bash_profile
  2. Second method, smarter than the first: it attaches to an existing screen session if there is one, and creates a new one if none is available:
    echo 'if screen -ls | grep -q pts; then screen -x; else screen -R; fi' >> ~/.bash_profile; source ~/.bash_profile
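As an added example (not from the original post), here is a guarded version of the second method for ~/.bash_profile. It only starts screen for interactive logins that arrived over ssh and never when already inside a screen session (screen sets STY), so a nested login shell cannot spawn screen again. The detection of an existing session is split out into pick_screen_mode so it can be tried on sample screen -ls output; pick_screen_mode, screen_autoattach and the use of exec are my choices, not the post's:

```shell
#!/bin/sh
# Added example (not from the original post): guarded auto-attach to screen
# on ssh login. Append both functions to ~/.bash_profile and call
# screen_autoattach as its last line.

# pick_screen_mode <output of `screen -ls`>: prints "x" when a session already
# exists (attach to it, shared), otherwise "R" (resume or create).
# A session line looks like "\t12345.pts-0.host\t(Detached)", so match
# "whitespace, pid, dot" rather than the word "pts", which a hostname may contain.
pick_screen_mode() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]+[0-9]+\.'; then
        echo x
    else
        echo R
    fi
}

# screen_autoattach: start or join screen for an interactive ssh login.
screen_autoattach() {
    case $- in *i*) ;; *) return 0 ;; esac         # interactive shells only
    [ -n "$SSH_CONNECTION" ] || return 0           # only when we came in over ssh
    [ -z "$STY" ] || return 0                      # never nest inside screen
    command -v screen >/dev/null 2>&1 || return 0  # screen not installed: plain shell
    mode=$(pick_screen_mode "$(screen -ls 2>/dev/null)")
    # exec replaces the login shell, so detaching or quitting screen ends the ssh session.
    exec screen "-$mode"
}
```

The exec means there is no bare login shell left behind when the connection drops; the work lives in the screen session, which the next login picks up again with -x.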

Tuesday, September 24, 2013

Changing background color theme in vim

Sometimes, when you open a document in vim, the font and background colours are not easy on the eye, like below:

[screenshot: vim with the default dark background setting]

To counter this, you can change vim's background setting to light with
:set background=light
or
:set bg=light
in vim, so it looks like below:

[screenshot: vim after :set background=light]

You can change the background setting back to dark with
:set background=dark
or
:set bg=dark
in vim.

That's all, hope this is going to be useful to you.

Monday, August 26, 2013

How to extract deb file without having dpkg

.deb files are regular ar archives, so you can manipulate them with the ar command.

For example, I have a package called lynx_2.8.8dev.15-2_all.deb on a CentOS box.

$ cat /etc/issue
CentOS release 6.4 (Final)
Kernel \r on an \m

$ ls -lh
total 4.0K
-rw-rw-r--. 1 foo foo 3.9K Jan 18  2013 lynx_2.8.8dev.15-2_all.deb

To extract the file, just run ar x <deb filename>
$ ar x lynx_2.8.8dev.15-2_all.deb
You will see 3 files being extracted: control.tar.gz, data.tar.gz and debian-binary.
$ ls
control.tar.gz  data.tar.gz  debian-binary  lynx_2.8.8dev.15-2_all.deb

debian-binary is a text file containing the deb packaging format version number.
$ cat debian-binary
2.0

control.tar.gz contains control, preinst and md5sums.
$ tar -tf control.tar.gz ./
./md5sums
./control
./preinst

data.tar.gz is a compressed file containing the files which are going to be installed on the system.
$ tar -tf data.tar.gz ./
./usr/
./usr/share/
./usr/share/doc/
./usr/share/doc/lynx/
./usr/share/doc/lynx/copyright
./usr/share/doc/lynx/changelog.Debian.gz
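The md5sums file in control.tar.gz is what makes the unpacked data useful for more than browsing: it lets you confirm the payload was not corrupted or altered before anything is copied into place. As an added example (not from the original post), deb_verify repeats the ar x step above and then checks every file in data.tar.* against control's md5sums. Newer packages ship data.tar.xz or data.tar.zst instead of .gz, which tar handles on its own when extracting. make_sample_deb builds a constructed throwaway package for testing (not the lynx package from the post) and needs the ar tool from binutils:

```shell
#!/bin/sh
# Added example (not from the original post): unpack a .deb with ar and verify
# the payload against the package's own md5sums before installing anything.

# deb_verify <package.deb> <workdir>: 0 when every file listed in md5sums matches,
# 2 on unpack problems, 3 when the package ships no md5sums.
deb_verify() {
    deb=$1 work=$2
    mkdir -p "$work/control" "$work/data" || return 2
    deb_abs=$(cd "$(dirname "$deb")" && pwd)/$(basename "$deb")
    (cd "$work" && ar x "$deb_abs") || return 2          # debian-binary, control.tar.*, data.tar.*
    # Member names are fixed by the format; only the compression suffix varies.
    tar -xf "$work"/control.tar.* -C "$work/control" || return 2
    tar -xf "$work"/data.tar.*    -C "$work/data"    || return 2
    [ -f "$work/control/md5sums" ] || { echo "$deb: no md5sums in control archive" >&2; return 3; }
    # md5sums lists paths relative to /, i.e. relative to the root of the data tree.
    (cd "$work/data" && md5sum -c ../control/md5sums)
}

# make_sample_deb <dir>: constructed minimal package for testing; prints its path.
make_sample_deb() {
    d=$1
    mkdir -p "$d/src/usr/share/doc/sample" "$d/ctl" || return 1
    echo "sample package, constructed for this example" > "$d/src/usr/share/doc/sample/copyright"
    printf '2.0\n' > "$d/debian-binary"
    printf 'Package: sample\nVersion: 1.0\nArchitecture: all\n' > "$d/ctl/control"
    (cd "$d/src" && md5sum usr/share/doc/sample/copyright) > "$d/ctl/md5sums"
    tar -czf "$d/control.tar.gz" -C "$d/ctl" ./control ./md5sums || return 1
    tar -czf "$d/data.tar.gz" -C "$d/src" ./usr || return 1
    (cd "$d" && rm -f sample.deb && ar rc sample.deb debian-binary control.tar.gz data.tar.gz) || return 1
    echo "$d/sample.deb"
}
```

Usage on the package from the post would be deb_verify lynx_2.8.8dev.15-2_all.deb /tmp/lynx-check; a non-zero exit with a "FAILED" line from md5sum names the file that differs. Note that md5sums only protects against accidental damage and casual tampering, since an attacker who rewrites the payload can rewrite the list too; origin authenticity comes from the repository's signed Release file, not from this check.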

Wednesday, July 10, 2013

Print to pdf from command

To enable this, you need to install 2 packages, cups and cups-pdf. This has been tested on CentOS 5.5.

# yum install cups cups-pdf -y

Once installed, check which printer is available:

$ lpstat -p -d
printer Cups-PDF is idle.  enabled since Wed 10 Jul 2013 09:30:05 AM EST
no system default destination

where lpstat shows cups status information, -p tells lpstat to list all available printers and -d shows the current default destination. In this case the system has one printer installed, Cups-PDF.

To print, use the lpr command:

$ echo "Printing some characters to a pdf file" | lpr -P Cups-PDF -J print01.pdf

where -P specifies the printer you want to use, and -J sets the job name, which becomes the output file name.

The file will be saved in ~/Desktop, but this can be changed in /etc/cups/cups-pdf.conf.

$ ls ~/Desktop/
print01.pdf

Tuesday, June 11, 2013

Unmounting stuck nfs mounts

This usually happens when the nfs server is down: you cannot umount the nfs mount, because the system says "not found or server not reachable"

$ sudo umount /opt/logs/production
umount.nfs: nfs.local:/var/lib/backup: not found / mounted or server not reachable
umount.nfs: nfs.local:/var/lib/backup: not found / mounted or server not reachable

To fix this, you need to force unmount it with the lazy flag:

$ sudo umount -f -l /opt/logs/production

where -f forces the unmount and -l makes it a lazy unmount. From the man page:
"Lazy  unmount.  Detach  the  filesystem from the filesystem hierarchy now, and cleanup all references to the filesystem as soon as it is not busy anymore."

That's all folks.

Friday, April 26, 2013

Logical AND and OR in bash

In bash (the Bourne-again shell), the logical AND and OR operators are written && and ||. Usage examples follow:

&& (if the first command succeeds, continue with the second command; otherwise stop)

$ ls 
cat  lion  tiger

$ ls cat && echo "there is cat"
cat
there is cat
 
$ ls elephant && echo "there is elephant"
ls: cannot access elephant: No such file or directory


You can see from the above that the command `echo "there is elephant"` was not executed, because the command `ls elephant` did not finish successfully (non-zero exit code).


|| (if the first command fails, execute the second command; otherwise stop)

$ ls 
cat  lion  tiger

$ ls cat || echo "there is no cat"
cat

$ ls elephant || echo "there is no elephant"
ls: cannot access elephant: No such file or directory
there is no elephant


Now you can see that if the first command returns a non-zero exit code (fails), the second command is executed.

To run the second command regardless of the first command's result, use ";" instead:

$ ls tiger; echo "there is tiger"
tiger
there is tiger

$ ls elephant; echo "there is no elephant"
ls: cannot access elephant: No such file or directory
there is no elephant
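One pitfall the examples above lead straight into, as an added example (not from the original post): combining them as cmd1 && cmd2 || cmd3 is not an if/else, because cmd3 also runs when cmd1 succeeded and cmd2 failed. The functions ok and fail are constructed stand-ins for ls cat and ls elephant, and each chain reports which of its parts ran so the difference can be checked rather than eyeballed; the function names are mine:

```shell
#!/bin/sh
# Added example (not from the original post). ok/fail stand in for commands
# that exit 0 / non-zero, like "ls cat" and "ls elephant" above.
ok()   { return 0; }
fail() { return 1; }

# chain_and_or <cmd1> <cmd2>: runs "cmd1 && cmd2 || recover" and prints what ran.
# "recover" fires whenever the && pair as a whole failed, so a failing cmd2
# triggers it too, which is rarely what the author of an if/else meant.
chain_and_or() {
    ran=""
    $1 && { ran="second"; $2; } || ran="${ran:+$ran,}recover"
    echo "$ran"
}

# if_else <cmd1> <cmd2>: the same intent as a real if/else; recover runs only
# when cmd1 fails, and cmd2's own status is never consulted.
if_else() {
    ran=""
    if $1; then
        ran="second"
        $2 || :          # cmd2's status is deliberately ignored (and set -e scripts stay alive)
    else
        ran="recover"
    fi
    echo "$ran"
}

# chain_semicolon <cmd1> <cmd2>: "cmd1; cmd2" always runs both; the chain's exit
# status is cmd2's alone, so a failure in cmd1 is silently lost.
chain_semicolon() {
    $1; $2
}
```

In scripts that must not continue after a failed step (backups, deployments, anything that deletes), write the if/else out in full or use `cmd1 || exit 1` rather than relying on the && || shorthand.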


That's all folks.

Thursday, April 25, 2013

ssh through socks proxy

This technique is very useful if you have a firewall between you and your destination, and the only way to reach the destination is to ssh into a jumpbox and ssh again from there. In this example scenario I'll call the machine we start from A.local, the jumpbox B.local and the destination server C.local, and we will use a user called aladdin.

A.local -> B.local (jumpbox) -> C.local

To do this, follow the steps below:

Add the settings below to your ssh config on A.local, usually the file ~/.ssh/config:
Host B.local
DynamicForward localhost:1080
Host C.local
ProxyCommand /usr/bin/nc -x localhost:1080 %h %p

Initiate a socks proxy connection and leave it open (-D is for dynamic application-level port forwarding; 1080 can be any port of your choice, 1080 being the default socks proxy port for nc):
[A.local]$ ssh -D 1080 aladdin@B.local

Open another terminal and run ssh as if you had a direct connection to C.local:
[A.local]$ ssh aladdin@C.local

Voila, your ssh session goes through as if you had a direct connection to C.local.


If you don't want to put it in your config, you can use it on the fly with the command below, after you have initiated the socks proxy:

[A.local]$ ssh -o "ProxyCommand /usr/bin/nc -x localhost:1080 %h %p" aladdin@C.local

Or you can define an alias for easy use:

[A.local]$ alias proxyssh='ssh -o "ProxyCommand /usr/bin/nc -x localhost:1080 %h %p"'


Using curl to check on site availability

The easy way to check if a site is available is to use curl. For example, to check whether www.google.com is available or not, just run:

$ curl -I www.google.com
HTTP/1.1 200 OK
Date: Thu, 25 Apr 2013 06:03:06 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=f4eacf44ddfe9913:FF=0:TM=1366869786:LM=1366869786:S=pD4jQT9xbgTOjuKG; expires=Sat, 25-Apr-2015 06:03:06 GMT; path=/; domain=.google.com
Set-Cookie: NID=67=KULBN37y3Mw7TIYNurxqV3L9OAm0gaj4VhRxz0_OsayoTS8C7nPN9QLCMovAzkVxhKfoop1EcHjWiBWjv7Vxl2C5iQ-Z8J0zcVtv4YfrJXs2ypRegbp2Y8MPcJjTyX1p; expires=Fri, 25-Oct-2013 06:03:06 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
 
with -I fetching the HTTP header only. In this case the status code is 200, which means the site is available.
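As an added example (not from the original post), the same check in a form a script or cron job can act on: curl's -w '%{http_code}' yields just the status code (000 when no connection could be made), --max-time keeps a hung host from blocking the check, and the request is a GET with the body discarded, because some servers answer a HEAD request (curl -I) with 405 even though the site is up. classify_status and site_status are names I chose:

```shell
#!/bin/sh
# Added example (not from the original post): site availability as an exit
# status plus a one-word classification, instead of a header dump to read.

# classify_status <http-code>: prints up, redirect, down or unreachable.
classify_status() {
    case $1 in
        000)         echo unreachable ;;   # curl could not connect, or timed out
        2[0-9][0-9]) echo up ;;
        3[0-9][0-9]) echo redirect ;;      # add -L to the curl call if you want to follow it
        *)           echo down ;;          # 4xx/5xx, or an unparsable code
    esac
}

# site_status <url> [timeout-seconds]: prints "<url> <code> <state>"; exit 0 only when up.
site_status() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time "${2:-10}" "$1")
    # curl's own failure (DNS, refused, timeout) still yields code 000, so the
    # exit status of curl itself is intentionally not needed here.
    state=$(classify_status "$code")
    echo "$1 $code $state"
    [ "$state" = up ]
}
```

From cron: site_status https://www.example.com 5 || mail -s "site down" you@example.com </dev/null. Treating redirect as its own state matters for monitoring, since a 301 to a parked page would otherwise count as "available" when -L is used blindly.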

Monday, February 11, 2013

Clear off swap

Today I had an issue where my swap was almost full. To check your swap usage:

$ free -m
             total       used       free     shared    buffers     cached
Mem:          1024        157        866          0         11         48
-/+ buffers/cache:         97        926
Swap:          127         95         32

where -m is for the value to be listed in megabytes.

To clear the swap, use the command below (run as root, or with sudo):

# sync && /sbin/sysctl vm.drop_caches=3 && swapoff -a && swapon -a 

where sync forces changed blocks to disk and updates the superblock; sysctl vm.drop_caches=3 frees the page cache, dentries and inodes; swapoff turns swap off and swapon turns it back on, obviously :)

p.s. Thanks to linuxnetadmin and linuxinsight for the tips.

And you will have free swap after that:

$ free -m
             total       used       free     shared    buffers     cached
Mem:          1024        157        866          0         11         48
-/+ buffers/cache:         97        926
Swap:          127          0        127
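Before running the one-liner, it is worth checking that the used swap actually fits in free RAM: swapoff -a has to read every swapped-out page back into memory, and when it cannot it fails or, worse, wakes the OOM killer. As an added example (not from the original post), the functions below parse the Mem: and Swap: lines of free -m (present in both the old layout shown here and the current procps layout) and only run the post's sequence when it is safe. The two free outputs embedded are constructed samples, and the function names are mine:

```shell
#!/bin/sh
# Added example (not from the original post): flush swap only when the pages it
# holds fit in free RAM. Parses `free -m`, so all values are in MiB.

# Constructed sample: the post's "before" output.
FREE_OK='             total       used       free     shared    buffers     cached
Mem:          1024        157        866          0         11         48
-/+ buffers/cache:         97        926
Swap:          127         95         32'

# Constructed sample: a box with 44 MiB of free RAM and 95 MiB in swap.
FREE_TIGHT='             total       used       free     shared    buffers     cached
Mem:          1024        980         44          0         11         48
-/+ buffers/cache:        921        103
Swap:          127         95         32'

# swap_fits_in_ram <free -m output>: 0 if used swap <= free RAM, 1 if not, 2 if unparsable.
# Uses the conservative "free" column, which every procps version prints.
swap_fits_in_ram() {
    printf '%s\n' "$1" | awk '
        $1 == "Mem:"  { mem_free = $4 + 0; have_mem = 1 }
        $1 == "Swap:" { swap_used = $3 + 0; have_swap = 1 }
        END {
            if (!have_mem || !have_swap) exit 2
            exit (swap_used <= mem_free ? 0 : 1)
        }'
}

# swap_usage_pct <free -m output>: percentage of swap in use (truncated), 0 when there is no swap.
swap_usage_pct() {
    printf '%s\n' "$1" | awk '$1 == "Swap:" { if ($2 > 0) printf "%d\n", 100 * $3 / $2; else print 0 }'
}

# flush_swap: the post's sequence, guarded. Run as root.
flush_swap() {
    out=$(free -m) || return 2
    if ! swap_fits_in_ram "$out"; then
        echo "refusing: used swap ($(swap_usage_pct "$out")% of swap) exceeds free RAM" >&2
        return 1
    fi
    sync && /sbin/sysctl vm.drop_caches=3 && swapoff -a && swapon -a
}
```

If flush_swap refuses, stop whatever is eating memory first; forcing swapoff on a box with no headroom is how a "tidy up swap" task turns into an outage.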
That's all folks.

Friday, February 1, 2013

ldapvi - ldap client using text editor

Today I stumbled upon a good tool for managing ldap, which is ldapvi. The reason this tool wins over my previous ldap management tool, phpldapadmin, is that it is based on a text editor and can be used in a terminal ~ cool :)

To install this tool, all you need is to use your package manager, in my case, yum:

$ sudo yum install ldapvi

Once you have finished installing, launch it with your username and ldap server:

$ sudo ldapvi --user cn=admin,ou=people,dc=local,dc=lan  --host ldap.local.lan

For first time use, you need to set your preferred text editor. Once logged in, you can change the ldap record as if you are working on a very long text file. Once you are done, save like how you normally save a text file, ldapvi will ask for confirmation, and you are done.