LinuxWebLog.com

Below is reference of how I have setup chroot SSH jail for users in CentOS-4.6 with ISPConfig installed replacing the openssh rpm with the one from chrootssh.sourceforge.net .

It's easy on ISPConfig as support for chroot SSH is now built in with the control panel, you simply need to get chrootSSH installed and then enable the ssh option located in the config file at "/home/admispconfig/ispconfig/lib/config.inc.php":

If you need for the ssh chroot to access additional application, the file "/root/ispconfig/scripts/shell/create_chroot_env.sh" which builds the chroot needs to be edited. Also, check and edit the location of mysql socket file.

It's not quite as clean as the socket binding under Apache but the principle works something like this.

1. In Standalone mode, to listen on the primary IP of a host use the SocketBindTight directive.

   In "/etc/proftpd.conf":

   SocketBindTight                 on
   

2. To listen on a interfaces which are not the primary host interface, use the SocketBindTight directive, place your server configuration in a block and use "Port 0" for the main host configuration and and "Port 21" inside the VirtualHost block.
   Port                            0
SocketBindTight                 on
<VirtualHost xxx.xxx.xxx.xxx>
    &nbsp;   Port 21
    &nbsp;   DefaultRoot   &nbsp;    &nbsp;    ~
    &nbsp;   AllowOverwrite  &nbsp;    &nbsp;  on
    &nbsp;   Umask    &nbsp;    &nbsp;    &nbsp;    002
</VirtualHost>

These are supplement notes I had taken down a while back doing an install of nagios and n2rrd on a Fedora-7 box and recently came very handy when doing the install in a redhat (RHEL-3) box as well:

Nagios Install:

On RHEL3, I used (dags rpms) rpmforge. Here is my yum.conf for rpmforge:

Notes: I settled for icmp instead of ping, as it is a lot faster. However, icmp required setting setuid for "/usr/lib/nagios/plugins/check_icmp" for it to work. Also, had to rebuild nagios-plugins from source as root in order for the plugin to be installed.

I use squrrelmail in text mode and recently I've had to retrieve a password at Dell. The reset password email however comes with html embeded in base64 encoded text. So my webmail did not show up the embeded html link. With some knowledge of uudecode, I was able to view the exact link to reset the password.

The sharutils package contains the GNU utilities uuencode and uudecode.

Here's a brief background and usage:

uuencode is a program that encodes binary files as plain ASCII text so that they can be sent through electronic mail. The program expands single characters that can't be viewed or printed as normal text into pairs of text characters, and the resulting encoded file is somewhat larger than the original binary file. This process is necessary to prevent mail, news, and terminal programs from misinterpreting the non-text characters in binary files as special instructions.

First I copied over the actual base64 encoded text from my local email folder which looks similar to:

I then added text in the beginning and end to specify the base64 encoded as below:

The text was then decoded using:

The sendmail access database file can be created to accept or reject mail from selected domains.

Since "/etc/mail/access" is a database, after creating the text file, use makemap to create the database map.

Below is what my access file currently looks like and can be used as a starting point. All internal addresses have been changed except for spammers!!

# by default we allow relaying from localhost...
localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY

# Allow Connect from local server IPs
Connect:207.44.206.144   OK

# Accept Mail
# accept mail from PayPal
paypal.com      OK

# Reject Mail
posterclub@e.allposters.com     REJECT
posterclub@email.allposters.com REJECT
plastmarket.com                 REJECT
jr@jrtr.org                     REJECT
7b2.606@fe01.atl2.webusenet.com REJECT
mysoldpad.com                   REJECT

# Discard Mail
1and1-private-registration.com  DISCARD
# forum admin mails:
fictionaluser@gmail.com         DISCARD

# Reject full mailbox
fictionaluser@linuxweblog.com ERROR:4.2.2:450 mailbox full
fictionaluser@linuxweblog.net REJECT

# Blacklist recipients
linuxweblog.net ERROR:550 That host does not accept mail

# Spam friend domains: exempt domains from dnsbl list checking
Spam:linuxweblog.org      FRIEND

# Spam friend users: exempt email users from dnsbl list checking
# example:
# Spam:user@domain.tld         FRIEND
# clients
Spam:fictionalclient@hotmail.com  FRIEND

# Auto REJECT via hourly cron added below

Since Drupal has been coming out with rapid updates, mainly due to security fixes, it's quite cumbersome to have to keep it up to date. However, with the below setup and the script to help with the maintenance, it was a breeze with the last update. The script has been used to upgrade from 5.5 to 5.6 release.

Note: The script does not currently have any checks (extreme alpha stage) and my Drupal installation is not a standard install so usage may vary. Make sure you understand the script prior to running it. Usual disclaimer applies. You will also need root level access to shell to run the script as it is set to change ownership of files and folders using the "chown" command.

My current Drupal install are based on symbolic links for easy maintenance and upgrades. The layout is as below:

/var/www/html, /var/www/html/site_files, /var/www/html/sites are all symbolically linked to the /var/www/drupal-5.x, /var/www/drupal_files, /var/www/drupal_sites respectively where /var/www/html is the web root.

Document Root = /var/www/html            -> /var/www/drupal-5.x
Files Folder  = /var/www/html/site_files -> /var/www/drupal_files
Sites Folder  = /var/www/html/sites      -> /var/www/drupal_sites

Also, any customization to the .htaccess is on top of the default Drupal code. So the script will automatically prepend the data to the upgraded .htaccess file. Since, I also have the gallery module, the .htaccess file is also set to be writable by apache.

Don't forget to set your site in "maintenance mode" with the default theme, and disable all modules prior to the upgrade. Although, I've done some updates with all modules available without any issues. Also, my custom theme resides in the sites folder and stays untouched with the update.

Place the script in "/var/www" (just outside your document root) and run the update via:

Once completed, run update.php to update any changes to the database. Set site back to production mode, re-applying any customization as necessary.

APT-GET

• Clean up non-existent data
  
  # apt-get autoclean
• Update list
  
  # apt-get update
• Install/update a package
  
  # apt-get install <pkg>
• review dist-upgrade prior:
  
  # apt-get -Vsu -o Debug::pkgProblemResolver=yes dist-upgrade
• Apply updates
  
  # apt-get -Vu upgrade
• Upgrade all dependencies
  
  # apt-get -Vu dist-upgrade
• Search cache
  
  # apt-cache search <pkg>
• Remove and purge packages
  
  # apt-get --purge remove <pkg>

DPKG

• Install/Update package
  
  # dpkg -i <pgk>
• Check listing of installed packages
  
  # dpkg -l *<pkg>*
• file belongs to
  
  # dpkg --search /path/to/file
• List of file in package
  
  #dpkg -L <pkg>
• Info about package
  
  # dpkg -s <pkg>

SERVICES

• Manage services at init levels.
  
  # sysv-rc-conf
# update-rc.d

The below notes is specifically for centos-4.6 :

Installation:

Instantiating svn:

Initial svn import:

Instantiating trac:

Install trac plugins:

trac.ini conf setup:

Apache trac conf setup:

Apache subversion conf setup:

Trac privileges:

Login as the admin user and setup Trac plugins, permissions etc...

NTP is a protocol designed to synchronize the clocks of computers over a network, easy to setup and probably comes packaged with the OS.

Here's what was needed on a Fedora-6:

1. Install the ntp rpm if not already installed.
   
   # yum install ntp
2. Open up UDP port 123, both incoming and outgoing on the firewall.
   
3. Find a reliable close ntp pool server or you could just use the hub, "pool.ntp.org" and add it to the server list in "/etc/ntp.conf" file.
   
4. Make sure your computer's clock is set to something sensible (within a few minutes of the 'true' time) - you could use `ntpdate pool.ntp.org`, or you could just use the date command and set it to your wristwatch, and also synchronize the hardware clock.
   
5. Make sure ntp starts up at boot and then start the service:
   
   # /sbin/chkconfig ntpd on
# /sbin/service ntpd start
6. Ater some time if you want to see exactly what is happening, you can run the query command:
   
   # ntpq -pn localhost

Immensely useful article for learning about Linux kernel at IBM DeveloperWorks.