Tips and Tricks about Servers and Applications

Subversion : Removing uncommitted transactions

Liju — Thu, 03 May 2012 19:07:20 +0000

One of the projects badly affected by the following errors and user requested us to re-load the new repository with latest code they have. After spending some time in net, it’s is identified that there are lots of uncommitted transaction logs are occurred in svn repository. This cause svn stops to execute any further commits after that. A quick fix for this problem is to delete all the broken commit from the repository.

This is the error users getting on eclipse editor while committing changes

org.apache.subversion.javahl.ClientException: RA layer request failed
svn: Commit failed (details follow):
svn: Server sent unexpected return value (500 Internal Server Error) in response to PUT request for '/svn/intersight/!svn/wrk/dfbb33ea-17f5-9347-a3f2-3c597d8a7c9a/trunk/WebContent/WEB-INF/lib/jpa-api-2.0-cr-1.jar'

org.apache.subversion.javahl.ClientException: RA layer request failed
svn: Commit failed (details follow):

I found many broken links are recorded in SVN repository.

[root@server SVNRepositories]# svnadmin lstxns svnrepo
23-1
14-1
42-1
43-1
34-1
25-1
42-2
44-1
34-2
42-3
17-1
26-1
43-2
26-2
37-1
26-3

I did restart Apache as I use svn deployment over the mov_dav and it did not helpful.
Removing all the queued/broken commits

Use the following method,

Eg: svnadmin rmtxns /path/to/svn `svnadmin lstxns /path/to/svn`

[root@SVNRepositories]# svnadmin rmtxns myrepo `svnadmin lstxns myrepo`
Transaction '23-1' removed.
Transaction '14-1' removed.
Transaction '42-1' removed.
Transaction '43-1' removed.
Transaction '34-1' removed.

That’s it.

To verify

# svnadmin lstxns myrepo shows empty list

Converting RedHat to CentOS in online remotely

Liju — Mon, 30 Apr 2012 01:17:16 +0000

This is very rare scenario which come to face in your life. One of my friend had installed RedHat Enterprise Server 5.5 on his home network by the help of his friend. Unfortunately he doesn’t any redhat login info to register his OS to get redhat support and lost his DVD after the install.

Now he contact me and asked me to help to install Subversion on his server. After logged into the server, it is found that this server does not have svn installed and also I could not get the RedHat yum packages freely over the web. So I’m worried and stuck the installation time. Tried to enable various yum repositories but nothing gonna help me .. Really I lost hope and planning to move ahead with OS re-installation even though this server is located on another county

Googling lead me to have some idea about enabling CentOS repository support to redhat. See this link http://www.tuxradar.com/answers/440

But this doesn’t work for me fully. Here is my solution.

1. Removed the redhat repository entries from “/etc/yum.repos.d”

#rm -rf /etc/yum.repos.d/*

2. Remove the rpm “redhat-release-5Server-5.5.0.2.i386″

#rpm -qa | grep "redhat"
#rpm -e redhat-release-5Server-5.5.0.2 --nodeps

3. You may need to find the CentOS alternative repository ( here I used CentOS 5.5 ) and downloaded the rpm “centos-release-5-5.el5.centos.i386.rpm” and “centos-release-notes-5.5-0.i386.rpm” Pls note : My OS architecture is 32 bit.

#rpm -ivh centos-release-notes-5.5-0.i386.rpm
#rpm -ivh centos-release-5-5.el5.centos.i386.rpm

4. Grab the CentOS repository file respect to your OS distribution (here CentOS 5.5)
login to your CentOS machine which has the same redhat revison installed and grab the files “CentOS-Base.repo” and “CentOS-Media.repo” from “/etc/repos.d”

copy these files under “/etc/repos.d/”

5. Activate the new yum repository.

# yum update

This steps will prompt to you to install new CentOS kernel “kernel-PAE-2.6.18-194.el5” in order to enable centos package support.

Just go ahead PAE kernel installs and this will add new kernel entries in “/etc/grub.conf” and then reboot the server to load new kernel.

You will see new CentOS kernel loaded and you may continue to use the CentOS Package support using yum package manager.

[root@valuemobile ~]# rpm -qa | grep "PAE"
kernel-PAE-2.6.18-308.4.1.el5.centos.plus
kernel-PAE-devel-2.6.18-194.el5
kernel-PAE-2.6.18-194.el5
kernel-PAE-devel-2.6.18-308.4.1.el5.centos.plus
[root@valuemobile ~]# uname -r
2.6.18-308.4.1.el5.centos.plusPAE
[root@valuemobile ~]#

Boosting site performance using Nginx, Php-FPM and APC

Liju — Tue, 17 Apr 2012 21:03:27 +0000

Earlier I had tried to boost the php based web application using Nginx weberver using php-cgi module. It’s also showing better performance compare to older Apache-Php module.

Ngnix is the fastest http server and we are using the power of cgi scripts to boost the php compilation speed. Obviously the combination of Nginx+ php-cgi module performs much better for small high speed websites. But this new technology php-fpm would also helpful to manage the different cgi requests effectively.

In this post, I am using the power of php-fpm and APC which would accelerate the pages response time much more faster. Here you need to understand the role of diff application.

1. Nginx : It’s a fastest, light weight http webserver which is good for server static pages/files.
2. Php-fpm (FastCGI Process Manager) : This is the manager for administrating cgi process.
3. APC [Alternative PHP Cache]: This program will caches all the php request which had being executed recently and serves it when it requested next time until the cache expires. So it’s saves the execution time as well as server processing power.
4. Memcache : It is used for caching mysql queries which is frequently executed by php.

Let’s start the server preparation.,

I would not recommend to do it on any existing production servers since this process requires php re-installation. So try it on fresh server ( Here i uses CentOS6.2 (64 bit).

Installing PHP-FPM from Remi Repository.

Let’s completed the basic LAMP setup on new server and install the Remi- repository suit to your platform. You may get the install document from here, skip Apache,

#yum install php* mysql*
# wget http://rpms.famillecollet.com/enterprise/6/remi/x86_64/remi-release-6-1.el6.remi.noarch.rpm
#rpm -ivh remi-release-6-1.el6.remi.noarch.rpm --nodeps
#yum --enablerepo=remi install php php-fpm
#chkconfig --level 345 php-fpm on
#/etc/init.d/php-fpm restart
[root@ ~]# netstat -nlp | grep "9000"
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 10188/php-fpm
[root@oyemedia ~]#
#yum --enablerepo=remi install php-gd php-mysql php-mbstring php-xml php-mcrypt

2. Installing Nginx from Repository

Here we need to use the repository provided by the Ngnix website. Create a repository file under “/etc/repos.d/” to grab it. Create a file named “/etc/yum.repos.d/nginx.repo” and add the following content.

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1

Installing Nginx using yum.

#vi /etc/yum.repos.d/nginx.repo
#yum install nginx
#chkconfig nginx on
#service nginx start
[root@ ~]# netstat -nlp | grep "80"
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 32586/nginx
[root@oyemedia ~]#

3. Installing APC and memcache

#yum install gcc, make pcre
#pecl install apc
# yum install php-pecl-memcache
#vi /etc/php.ini
root@oyemedia ~]# php -m | egrep -E "apc|memcache"
apc
memcache

Add the APC extenion in /etc/php.ini file eg: extension = apc.so. You may configure it’s value by adding/modifying the values in ” /etc/php.d/apc.ini” file as well.

We have completed the half part of the setup.

Next we need to re-tune the Nginx for servicing Php pages along with zip compression enabled. This is the virtual host file for serving joomla site. You may download the files from here

server {
server_name mydomain.com;
listen 174.28.17.98:80;
rewrite ^(.*) http://www.mydomain.com$1 permanent;
}
server {
listen 174.28.17.98:80;
server_name www.mydomain.com ;
access_log /home/mydomain/access.log;
error_log /home/mydomain/public_html/error.log warn
root /home/mydomain/public_html;
index index.php index.html;

client_header_timeout 240s;
client_body_timeout 240s;
fastcgi_read_timeout 240s;

location / {
expires 30d;
error_page 404 = @joomla;
log_not_found off;

try_files $uri $uri/ /index.php?q=$request_uri;
}

location @joomla {
rewrite ^(.*)$ /index.php?q=$1 last;
}

error_page 500 502 503 504 404 /404.html;
location = /404.html {
root /home/mydomain/public_html/;
}

gzip on;
gzip_http_version 1.1;
gzip_comp_level 4;
gzip_min_length 1100;
gzip_buffers 4 8k;
gzip_types text/plain application/xhtml+xml text/css application/xml application/xml+rss text/javascript

application/javascript application/x-javascr$
gzip_proxied any;
gzip_disable "MSIE [1-6]\.";

# caching of files
location ~* \.(ico|pdf|flv)$ {
expires 60d;
}

location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
expires 14d;
}

location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /home/mydomain/public_html$fastcgi_script_name;
include fastcgi_params;
}
# Select files to be deserved by nginx
location ~* ^.+.(swf|zip|rar|html|htm|pdf)$ {
#location ~* ^.+.(zip|rar|html|htm|pdf)$ {
root /home/mydomain/public_html/;
expires 7d;
}
}

Note : You may need to change the ip address [174.28.17.98:80] and the web location [ /home/mydomain/public_html] according to your setup.

Now test the Nginx config and restart the service,

[root@ ~]# service nginx configtest
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@oyemedia ~]# service nginx restart
Stopping nginx: [ OK ]
Starting nginx: [ OK ]
[root@ ~]#

Whola !!! That’s it.

SSH auto login to linux server from Windows using Putty.

Liju — Fri, 13 Apr 2012 15:55:38 +0000

I’m using windows desktop and always half part of the screen is filled up with many puty screens. Sometimes I have to be logged for long time and sometimes not. I frequently disconnected as the my router device wil terminate the tcp connection which is idle more than 5 minutes. it’s so sad .

So I have many number of “putty logins” in a day which required to open/run the putty application, find the exact password from file etc which is a kind of disturbance I think. Now I want to save the effort, faster sever access and minimize the time spend for this putty logins.

1. Generate the public key and private key files.

Download PuTTYgen.exe from here and run the application. Click on generate button to generate both private and public key. Copy the public key to clipboard shown on the screen. Also save the private key in a secure location on your drives. This key is require for the file authentication

Pls note anyone can login to the server using this private file with the assumption of user and server ip.

2. Storing public key in Server.

SSH login to the server to which you access without login and create authorization file (“~/.ssh/authorized_keys“) and copy the clip board content which had copied the public key.

[root@rc-090 ~]# vi ~/.ssh/authorized_keys

That’s it . All are rest.

Download putty and run it.

Now you need to give

a. host name including user name and the server name.
b. Label for storing this login details.
c. Choose the private key file and save the label. See the screen,

You will see the following screen once you logged in to the server,

MySQL : interactive_timeout v/s wait_timeout

Liju — Fri, 13 Apr 2012 12:57:51 +0000

Most of the database intensive applications are worring about the default values of these variables obviously. Developers used to inform me that they need to extend the wait_timeout value in order to complete the query execution.

After some googling, it is found that default “wait_timeout” value is good enough. We may need to reduce it to boost the server performance which will helpful to minimize the “sleep” process loaded in memory. Increasing number of sleeping process will reduces the server performance gradually. So always keep the default value and make it reduce until the program/application does not create any sleeping process which would helpful to improve the performance noticeable. Slow_log_query is another possible reason to have many sleeping process.

interactive_timeout : interactive time out for mysql shell sessions in seconds like mysqldump or mysql command line tools.
wait_timeout” : the amount of seconds during inactivity that MySQL will wait before it will close a connection on a non-interactive connection in seconds.

How to change the these variables

a. changing values at run time
Log in to the mysql console and set the variable.

mysql> SET interactive_timeout=200;
Query OK, 0 rows affected (0.01 sec)

mysql> SET GLOBAL interactive_timeout=200;
Query OK, 0 rows affected (0.00 sec)

mysql> show variables like "%timeout%";
+----------------------------+-------+
| Variable_name | Value |
+----------------------------+-------+
| connect_timeout | 200 |
| delayed_insert_timeout | 300 |
| innodb_lock_wait_timeout | 50 |
| innodb_rollback_on_timeout | OFF |
| interactive_timeout | 200 |
| net_read_timeout | 200 |
| net_write_timeout | 200 |
| slave_net_timeout | 3600 |
| table_lock_wait_timeout | 50 |
| wait_timeout | 200 |
+----------------------------+-------+
10 rows in set (0.00 sec)

b. Using my.cnf : Add the following values in /etc/my.cnf” and restart the mysql server.

[mysqld]
interactive_timeout=180
wait_timeout=180

Pls note that “wait_timeout” would be helpful to clear the sleeping process as “interactive_timeout” does not make any performance improvement since it affect the command line sessions. Obviously increasing the values of connect_timeout, net_read_timeout and net_write_timeout would help to skip the timeout errors when lengthy queries are being executed.

How to kill the MySQL Sleeping process

Nagios : Enabling FREE SMS notification [INDIA]

Liju — Sat, 07 Apr 2012 14:07:55 +0000

Here I found some good trick to enable Nagios sms notification free for Indian users using one of the sms free service offered by way2sms website. have a look at way2sms.com.

Most of the cases I used to take tiny pieces of information from different blog sites and customize and modify it for my purpose. This website (brijin.net) has the python script to send sms using way2sms. I’m thanking to that blog owner .

Action involved are,

1. Register new account with way2sms.com.
2. Configure python script
3. Add the new nagios command for enabling sms notification for service and host failure.
4. Update the contact information.

1. Create an account with way2sms.com

Register your moble and this service company send you the login details over sms. You need this login information in python script to send sms. This script just does the normal web login to send sms.

2. Install python script

Create a script under “/usr/local/nagios/libexec/send_sms.py“. You may need to update the following fields in the script
br["username"] = “” #YOUR MOBILE NUMBER HERE
br["password"] = “” #YOUR PASSWORD HERE

Here is the script content.

#!/usr/bin/env python

import sys
import time
try:
import mechanize
except ImportError:
print "Please install mechanize module for python"
print "Install python-mechanize, if you are on a Ubuntu/Debian machine"
sys.exit(1)
try:
from optparse import OptionParser
except ImportError:
print "Error importing optparse module"
sys.exit(1)

def SendSMS(mobile,text):
print ">>> initializing.."
br = mechanize.Browser()
print ">>> connecting to way2sms..."
try:
br.open("http://site3.way2sms.com/entry.jsp")
br.select_form(name="loginform")
br["username"] = "" #YOUR MOBILE NUMBER HERE
br["password"] = "" #YOUR PASSWORD HERE
br.form.method="POST"
br.form.action="http://site1.way2sms.com/Login1.action"
print ">>> " + br.title()
response = br.submit()
response.get_data()
print ">>> logged in.."
except:
print ">>> FATAL: Error occurred while login process!"
sys.exit(1)
try:
print ">>> sending message..."
br.open("http://site1.way2sms.com/jsp/InstantSMS.jsp")
br.select_form(name="InstantSMS")
br["MobNo"] = mobile
br["textArea"] = text
br.form.method="POST"
br.form.action="http://site1.way2sms.com/quicksms.action"
response = br.submit()
print ">>> submitting..."
print ">>> logging out..."
br.open("http://site1.way2sms.com/jsp/logout.jsp")
br.close()
except:
print ">>> html seems to be changed!"
print ">>> please modify the program to work with newly modified website!"
sys.exit(1)

def main():
parser = OptionParser()
usage = "Usage: %prog -m [number] -t [text]"
parser = OptionParser(usage=usage, version="%prog 1.0")
parser.add_option("-m", "--number", action="store", type="string",dest="number", help="Mobile number to send sms")
parser.add_option("-t", "--text", action="store", type="string", dest="text", help="Text to send")
(options, args) = parser.parse_args()
if options.number and options.text:
SendSMS(options.number,options.text)
else:
print "Fatal: Required arguments are missing!"
print "Use: -h / --help to get help."

if __name__ == "__main__":
main()

Now you need to install python-mechanize in order to work this script. so you need to install python package installer program “eazy_install” which shipped with setuptools.

[root@nagios /]# wget http://pypi.python.org/packages/source/s/setuptools/setuptools-0.6c11.tar.gz#md5=7df2a529a074f613b509fb44feefe74e
[root@nagios /]# tar -zxvf setuptools-0.6c11.tar.gz
[root@nagios /]# cd setuptools-0.6c11
[root@nagios setuptools-0.6c11]# python ./setup.py install
[root@nagios setuptools-0.6c11]# easy_install mechanize

Now you need to verify the packages are correctly installed.

[root@nagios ~]# python /usr/local/nagios/libexec/send_sms.py -h
usage: Usage: send_sms.py -m [number] -t [text]

options:
--version show program's version number and exit
-h, --help show this help message and exit
-m NUMBER, --number=NUMBER
Mobile number to send sms
-t TEXT, --text=TEXT Text to send
[root@nagios ~]#

Sending test sms

[root@nagios ~]# python /usr/local/nagios/libexec/send_sms.py -m 94977720 -t " Testing Nagios notification"
>>> initializing..
>>> connecting to way2sms...
>>> Free SMS, Send Free SMS, Send Free SMS to india, Free email alerts, email2SMS, SMS Alerts,Bill Reminders, EMI Reminders, Loan Reminders, TV Shows Reminders, Future SMS, Mobile Bill Reminders
>>> logged in..
>>> sending message...
>>> submitting...
>>> logging out...
[root@nagios ~]#

So your installation looks good.

3. Updating “/usr/local/nagios/etc/objects/commands.cfg” file
Open the file and append the following lines at the end of file

define command{
command_name notify-host-by-sms
command_line /usr/local/nagios/libexec/send_sms.py -m $CONTACTPAGER$ -t "Type: $NOTIFICATIONTYPE$\
Host: $HOSTNAME$ \
State: $HOSTSTATE$ \
Address: $HOSTADDRESS$ \
Info: $HOSTOUTPUT$ Time: $LONGDATETIME$"
}

define command{
command_name notify-service-by-sms
command_line /usr/local/nagios/libexec/send_sms.py -m $CONTACTPAGER$ -t "Type: $NOTIFICATIONTYPE$\
Host: $HOSTNAME$ \
Service: $SERVICEDESC$ \
State: $SERVICESTATE$ \
Date/Time: $LONGDATETIME$ Additional Info:$SERVICEOUTPUT$"
}

4. Update your contact information (/usr/local/nagios/etc/objects/contacts.cfg)

You may need to add 3 lines in it.

service_notification_commands notify-service-by-email,notify-service-by-sms
host_notification_commands notify-host-by-email,notify-service-by-sms
pager 9744209638

My sample contact will look like this.

define contact{
contact_name liju
use generic-contact
alias Liju Mathew
email liju@serveridol.com
service_notification_commands notify-service-by-email,notify-service-by-sms
host_notification_commands notify-host-by-email,notify-service-by-sms
pager 94000000
}

[root@nagios ~]# service nagios restart
Running configuration check…done.
Stopping nagios: done.
Starting nagios: done.
[root@nagios ~]#

Then simply restart Nagios service. For the testing purpose you may set one incorrect service name which was not defined in nrpe commands list. So that you get a notification sms and have the test easily.

Cool !!! Now you have ABSOLUTELY FREE nagios sms alert facility.

You may also use this script for sending sms if any critical systems/process reached the threshold limit like backup failure, intruder detention found etc. etc.

nJnoy

CentOS : Extending default memory limit

Liju — Mon, 26 Mar 2012 13:43:04 +0000

One of the CentOS box is not identified the exact RAM which had up-graded to 4GB. We are using CentOS 5.3 version. As a quick fix for this solution is to install new kernel which support PAE (Physical Address Extension) is a feature to allow (32-bit) x86 processors to access a physical address space (including random access memory and memory mapped devices) larger than 4 gigabytes.

So you need to install new kernel which support PAE. In CentOS install “kernel-PAE” package to do this.

Before the modification, the desktop has showing 3.2GB only

[root@rc-147 ~]# free -m
total used free shared buffers cached
Mem: 3286 3177 109 0 178 518
-/+ buffers/cache: 2480 806
Swap: 2000 0 2000
[root@rc-147 ~]#

1. Installing Kernel PAE package

[root@rc-147 yum.repos.d]# yum install kernel-PAE
Loaded plugins: fastestmirror
Determining fastest mirrors
My-Repo-Centos-5 | 951 B 00:00
primary.xml.gz | 936 kB 00:00
Rain-Concert-Centos-5 2628/2628
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
There are unfinished transactions remaining. You migh tconsider running yum-complete-transaction first to finish them.
--> Running transaction check
---> Package kernel-PAE.i686 0:2.6.18-194.el5 set to be installed
--> Finished Dependency Resolution
Dependencies Resolved
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
kernel-PAE i686 2.6.18-194.el5 My-Repo-Centos-5 17 M
Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 17 M
Is this ok [y/N]: y
Downloading Packages:
kernel-PAE-2.6.18-194.el5.i686.rpm | 17 MB 00:01
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : kernel-PAE [1/1]
Installed: kernel-PAE.i686 0:2.6.18-194.el5
Complete!
[root@rc-147 yum.repos.d]#

2. Enabling new kernel entry in “/etc/grub.conf”

2. Change the default boot option to 0. Note the new kernel entry listed in it (vmlinuz-2.6.18-194.el5PAE)

#cat /etc/grub.conf"
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
password --md5 $1$SXQbd/$cg/35eLfANUf7rUxiPX0u.
hiddenmenu
title CentOS (2.6.18-194.el5PAE)
root (hd0,0)
kernel /vmlinuz-2.6.18-194.el5PAE ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.18-194.el5PAE.img
title CentOS (2.6.18-128.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-128.el5 ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.18-128.el5.img

3. Reboot the server.

Verify the memory status

[root@rc-1147 ~]# free -m
total used free shared buffers cached
Mem: 4041 2284 1756 0 258 735
-/+ buffers/cache: 1290 2750
Swap: 2047 0 2047
[root@rc-163 ~]#
[root@rc-163 ~]# uname -rmo
2.6.18-164.el5PAE i686 GNU/Linux
[root@rc-163 ~]#

That’s it -:)

Linux : Configuring secure sftp server

Liju — Sat, 10 Mar 2012 16:13:20 +0000

As we all know, most system users can have sftp access to Linux box by default along with ssh access. So that we can transfer the files securely over it.

But the real headache of this system is, all the users can access any of system files and also has shell access to the server which will open a door to a authorized stranger to know about the server roles and can grab the imp. files he wants.

Drawback : What I found is sftp system doesn’t have any log facility ie no record if any file transactions which done over it. So that we can’t trace out what are happening once the sftp session started. Also most of the latest

Redhat/CentOS OS still using the older openssh version which doesn’t support chroot ssh setup.

-sh-3.2# ssh -version
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Bad escape character 'rsion'.
-sh-3.2# cat /etc/redhat-release
CentOS release 5.5 (Final)

What I’m planning to do is,

1. Install a new openssh server and run it over on a new port for only sftp access
2. Set a chroot restriction to all users.
3. It won’t harm any production servers.

1. Installing openssh package

1. Download openssh package from http://www.openssh.org/portable.html

[root@web01 ~]#cd /home/installation/
[root@web01 ~]#wget http://ftp.wu-wien.ac.at/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz
[root@web01 ~]#tar -zxvf openssh-5.9p1.tar.gz
[root@web01 ~]cd openssh-5.9p1
[root@web01 ~]./configure --prefix=/var/opt/openssh
[root@web01 ~]make
[root@web01 ~]make install
[root@web01 ~] ln -s /var/opt/openssh/sbin/sshd /usr/sbin/sftpserver

Now all the openssh files are copied under “/var/opt/openssh” folder. Next we need to create a startup script for as a service.

[root@fc-web01 ~]# vi /etc/init.d/opensshd
Which having the following lines,

#!/bin/bash
# chkconfig: 35 60 25
# description: OpenSSH chrooted sftp only daemon
#
# Note that /usr/sbin/sftpfoo is simply a symlink to /usr/sbin/sshd
#
pidfile='/var/run/sftpserver.pid'
case "${1}" in
start ) exec -a /usr/sbin/sftpserver /var/opt/openssh/sbin/sshd -f /var/opt/openssh/etc/sshd_config
;;
stop ) kill -9 $(cat ${pidfile})
;;
restart) stop
sleep 3
start
;;
* ) echo "Usage: ${0} (start|stop|restart)"
;;
esac

exit 0

2. Modifying SSH config file

You may need to add the following line at the bottom of ‘ /var/opt/openssh/etc/sshd_config” file

Subsystem sftp internal-sftp
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Note: You must have define new ssh port in this file (Eg. Port 22222 ) you may need to delete/comment the line start with “#Subsystem sftp /var/opt/openssh/libexec/sftp-server ”

3. User configuration

[root@web01 ~]#groupadd sftp ;Creating sftp group
[root@web01 ~]#mkdir -p /home/chroot/home ;creating chroot jailed home directory

Adding users with disabled shell access

[root@web01 ~]#useradd -G sftp -s /bin/false -d /home/chroot/home/sftpuser1 sftpuser1
[root@web01 ~]#chown root:root /home/chroot/home/sftpuser1
[root@web01 ~]#chmod -R 0755 /home/chroot/home/sftpuser1
[root@web01 ~]#rm -rf /home/chroot/home/sftpuser1/*
[root@web01 ~]#mkdir -p /home/chroot/home/sftpuser1/upload
[root@web01 ~]#mkdir -p /home/chroot/home/sftpuser1/download
[root@web01 ~]#mkdir -p /home/chroot/home/sftpuser1/public_html
[root@web01 ~]#chown -R sftpuser1 /home/chroot/home/sftpuser1/upload /home/chroot/home/sftpuser1/download /home/chroot/home/sftpuser1/public-html
[root@web01 ~]#passwd sftpuser1

So user has full permissions only on these three folders.

The above commands created the ‘sftuser1‘ user which is a member of ‘sftp” group. Also root user is take the ownership of users home directory. So that users can’t create/execute any command against on his home directory but can create any new files in it. My requirement is to provide sftp space to a use who can upload and download files to a server securely.

Let’s start new ssh server.

[root@fc-db01 ~]# sh /etc/init.d/opensshd start

To verify it’s running,

[root@fc-db01 ~]# netstat -nlp | grep ":22222"
tcp 0 0 0.0.0.0:22222 0.0.0.0:* LISTEN 24243/sftpserver
tcp 0 0 :::22222 :::* LISTEN 24243/sftpserver
[root@fc-db01 ~]#

That’s it –> . Start sharing secure ftp space. You also need to open the port 22222 which may require to update the your firewall/network rules.

There is one imp. fix you will have to do.
You need to add a line “DenyUsers sftpuser1″ on your primary ssh server config file (/etc/ssh/sshd_config) which is running on the default port (22) and then restart the sshd service as well.

NB: I see that you can access this ftp through Filezilla easily but Global scape FTP won’t support to connect it.

Dovecot error : ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections

Liju — Thu, 01 Mar 2012 18:33:23 +0000

You will see this error once after you configured sql based mail server based on my documentation and configure it’s account on any of MUA like Outlook or Thuderbird etc.

Open Dovecot op3/IMAP config file and change the line to “disable_plaintext_auth = no”.

[root@mail ~]# vi /etc/dovecot/dovecot.conf
[root@mail ~]# vi /etc/dovecot/conf.d/10-auth.conf
[root@mail ~]# service dovecot restart
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: [ OK ]
[root@mail ~]# grep "disable_plaintext_auth" /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = no
# NOTE: See also disable_plaintext_auth setting.
[root@mail ~]#

Apache : Skipping Basic auth from certain known ip’s/Network

Liju — Mon, 27 Feb 2012 13:34:52 +0000

Most of us don’t like to share access certain links/pages which containing some sensitive matters. So we need to setup a mechanism to limit this access of of this area. Apache have a password a authentication mechanism to limit the access to a location which commonly called “Basic authentication“.

But this mechanism is quite annoying as it’s showing a popup to enter login details even though we access it from the office. To ellumincate this issue, we may place the auth in conjunction with network. So that Apache will not ask you logins if you are accessing from a network which know to Apache.

Here is the sample Apache entry to achieve this,

Alias /openmydb /usr/share/pma

Order Deny,Allow
Deny from All
Allow from localhost 127.0.0.0/8 ::1 64.39.0.0/24 64.39.2.144/28 64.39.4.132/30 64.39.0.64/28

AuthUserFile /etc/sec_passwords/htpasswd
AuthName "For authorized users"
AuthType Basic
Require valid-user
Satisfy any

Here allow directive open the access to listed IP’s. You may use CIDR to limit the no. of hosts to access. Pls note the text “Satisfy any” did the magic.

Cheers .. it’s a smaller tip.