This article follows Mod_Rewrite and .htaccess which explains how an .htaccess file can be used to prevent search engines from indexing non-www web pages that contain exactly the same content as those with-www in front. By hiding the 'duplicate content' we avoid the risk of a 'downgrading' effect by Google and other search engines.
Exactly the same principle applies to web page addresses like:
http://www.mysite.com/index.php
http://www.mysite.com/subfolder/index.php
when we want the content to be displayed only on:
http://www.mysite.com/
http://www.mysite.com/subfolder/
This can be done by using ModRewrite to permanently redirect (eg):
http://www.mysite.com/index.php
to
http://www.mysite.com/
The file index.php continues to exist on the website but there's no need for 'index.php' to appear in the page address for its content to be displayed. The same applies to 'index.html', 'default.html' (etc) and to 'index' pages located in sub-folders, eg '/subfolder/index.php' or '/subfolder/another/index.php'. Those filenames should never normally be displayed to the visitor. The process of hiding them is sometimes referred to as the canonicalization of index pages.
The .htaccess file
For websites running on Apache web server (most websites do), a Mod_Rewrite module can be enabled to allow an .htaccess file to be installed in the root folder, containing rules on how web page requests should be rewritten 'behind the scenes' by the 'rewriting engine'. The Mod_Rewrite rules to achieve the effect we want here are:
#
Options +FollowSymLinks
RewriteEngine On
#
# REDIRECT /folder/index.php to /folder/
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+/)*index\.php\ HTTP/
RewriteRule ^(([^/]+/)*)index\.php$ http://www.mysite.com/$1 [R=301,L]
#
Piece by piece…
A line beginning with hash (#) is ignored by the web server and is useful to split up the rules visually, and to add comments.
Options +FollowSymLinks
RewriteEngine On
For the rewriting engine to work, we need to enable Options FollowSymLinks and set RewriteEngine On. Apache insists on FollowSymLinks (or SymLinksIfOwnerMatch) being enabled before it will honour rewrite rules in an .htaccess file; the restriction exists for security reasons, so if your host has disabled that option the rules will simply not run.
# REDIRECT /folder/index.php to /folder/
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+/)*index\.php\ HTTP/
RewriteRule ^(([^/]+/)*)index\.php$ http://www.mysite.com/$1 [R=301,L]
The .htaccess file is eliminating the duplicate content problem by redirecting the visitor (and Google) from all the site's web page addresses that contain the superfluous index.php to the folder name (directory) in which they reside. Exactly the same content is presented as if the index.php file itself was being viewed, but index.php doesn't appear in the browser's address bar.
How the Mod_Rewrite works
(1) RewriteCond
Looking first at RewriteCond, we need to specify the conditions under which the RewriteRule will be processed by the server, and here, we want our rule to apply to any 'index.php' page actually requested on the domain. This prevents the .htaccess file from triggering an 'infinite loop' on the server, in which the RewriteRule keeps repeating itself: when a visitor requests /folder/, Apache's DirectoryIndex setting internally fetches /folder/index.php, and a RewriteRule on its own would see that internal request and redirect it again, forever. THE_REQUEST holds the request line exactly as the browser sent it, so it contains 'index.php' only when the visitor typed it, i.e. when the request has not yet been rewritten. After the redirect the request line reads 'GET /folder/ HTTP/1.1', it no longer contains 'index.php', and the RewriteRule won't be applied.
%{THE_REQUEST}
In this part, %{THE_REQUEST} is a standard server variable, in this instance the request line sent by the visitor's browser, because that's what we're going to try to match in the second part. In RewriteCond, a server variable is written between %{ and } to denote an Apache variable.
^[A-Z]{3,9}\ /([^/]+/)*index\.php\ HTTP/
This second part is known as the 'condition'. The ^ caret defines the start, and is followed by a regular expression. Looking at the regular expression in detail:
[A-Z]{3,9}\ matches from 3 to 9 occurrences of any uppercase letter (eg 'GET') followed by a space, which has to be escaped with a backslash because an unescaped space would end the pattern.
/([^/]+/)* matches a forward slash followed by zero or more folder names, each being one or more characters other than a forward slash and ending with a forward slash, eg '/subfolder1/subfolder2/'. Because of the *, the group may also be absent, which is how '/index.php' at the root of the site is matched.
index\.php\ matches 'index.php' - the backslashes are required to 'escape' (i) the dot metacharacter (to make it into a real dot) and (ii) the space before 'HTTP/'.
HTTP/ matches 'HTTP/'.
Why do we need all this? Because we're testing our condition against %{THE_REQUEST} - the complete request line the client sends for an 'index' page, which is typically something like:
GET /index.php HTTP/1.1
or
GET /subfolder1/index.php HTTP/1.1
(2) RewriteRule
Looking now at the RewriteRule, it contains three essential parts.
^(([^/]+/)*)index\.php$
This first part is the 'thing' that we want to be re-written by the web server. The ^ caret symbol defines the start; (([^/]+/)*) is a designated variable (using brackets) containing a regular expression that matches zero or more folder names, each being one or more characters other than a forward slash followed by a forward slash, eg 'subfolder1/subfolder2/' (in an .htaccess file the rule sees the path without its leading slash); index\.php matches 'index.php'; and the $ symbol defines the end.
http://www.mysite.com/$1
This second part is what we want the server to process behind the scenes. It consists of the domain's root folder (homepage) plus the designated variable from the first part, expressed as $1.
In the above example, the designated variable (([^/]+/)*) is added by the server, after the page has been requested, as $1 to the end of http://www.mysite.com/. If the requested 'index' page is the site's homepage, the $1 variable will be empty and the server will simply process http://www.mysite.com/. If the requested 'index' page is in a subfolder and the designated variable's value is 'folder1/', the server will process http://www.mysite.com/folder1/.
[R=301,L]
This third part, the flag, designates any special instructions that might be needed, in this instance R=301 for redirect permanently and L for 'last rule' so that no other rules are processed for the specified rewrite condition.
The full rewrite rule is thus:
RewriteRule ^(([^/]+/)*)index\.php$ http://www.mysite.com/$1 [R=301,L]
The RewriteRule in action
Here, again, is the full .htaccess file:
#
Options +FollowSymLinks
RewriteEngine On
#
# REDIRECT /folder/index.php to /folder/
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+/)*index\.php\ HTTP/
RewriteRule ^(([^/]+/)*)index\.php$ http://www.mysite.com/$1 [R=301,L]
#
In plain English, it's saying that "if someone tries to open a folder's 'index.php' page, redirect them to a version of the folder without 'index.php', and if the visitor is Google(bot), mention the fact that this is permanent."
See this in action by typing http://www.patricktaylor.com/index.php into an HTTP viewer. The first receiving header is HTTP/1.1 301 Moved Permanently and the second receiving header is HTTP/1.1 200 OK. And of course it can be tested by attempting to view http://www.patricktaylor.com/index.php in your browser.
Monday, July 20, 2009
Mod_Rewrite and .htaccess
Grabbing code snippets off the web and re-using them on one's own websites is easy enough to do. Every web designer solves a problem this way at one time or another. Having done so, why not take a little trouble to understand what the code is doing? This article looks at a simple example of a code snippet and attempts to demystify some of the so-called voodoo surrounding rewriting URLs with .htaccess.
Mod_Rewrite is an Apache web server module that is often installed on shared web hosting packages. If the module is available, a special file named .htaccess can be uploaded to the server, containing rules on how web page requests should be handled 'behind the scenes' by the 'rewriting engine'. The .htaccess file is normally placed in a website's root folder to apply its effect to all pages on the domain.
Why have an .htaccess file?
An .htaccess file is important to any webmaster who is interested in a good ranking in search engines, especially Google. It has many uses, the most basic being to prevent search engines from indexing different pages (URLs) that contain exactly the same content.
A simple .htaccess example: the canonical URL
Consider two web pages:
http://www.mysite.com/
http://mysite.com/
Technically, these two URLs are different pages, but they contain exactly the same content when viewed. If Google indexes both, there's a risk that one, or the other, or both, will be 'downgraded' by Google as 'duplicate content'. With the .htaccess file, this can be prevented by nominating only one as the 'canonical' homepage. Here's an example of what to put in the file:
#
Options +FollowSymLinks
RewriteEngine On
#
# REDIRECT to canonical url
RewriteCond %{HTTP_HOST} ^mysite\.com [NC]
RewriteRule ^(.*)$ http://www.mysite.com/$1 [R=301,L]
#
Piece by piece…
A line beginning with hash (#) is ignored by the web server and is useful to split up the rules visually, and to add comments.
Options +FollowSymLinks
RewriteEngine On
For the rewriting engine to work, we need to enable Options FollowSymLinks and set RewriteEngine On. Apache insists on FollowSymLinks (or SymLinksIfOwnerMatch) being enabled before it will honour rewrite rules in an .htaccess file; the restriction exists for security reasons, so if your host has disabled that option the rules will simply not run.
# REDIRECT to canonical url
RewriteCond %{HTTP_HOST} ^mysite\.com [NC]
RewriteRule ^(.*)$ http://www.mysite.com/$1 [R=301,L]
The 'canonical URL' is the preferred internet address for a web page, and in the above instance is any page at http://www.mysite.com/. The .htaccess file is removing the duplicate content problem by redirecting the visitor (and Google) from the non-www version to the with-www version. This means that only canonical URLs will ever be accessible - for all the pages on the domain, not just the homepage.
How the Mod_Rewrite works
(1) RewriteCond
Looking firstly at RewriteCond, we need to specify the conditions under which the RewriteRule will be processed by the server, and here, we want our rule to apply only when a visitor (or Google) attempts to view http://mysite.com/any-page (without www).
%{HTTP_HOST}
In this first part, %{HTTP_HOST} is a standard server variable, in this instance the site's host (domain name) as sent by the browser, because that's what we're going to try to match in the second part. In RewriteCond, a server variable is written between %{ and } to denote an Apache variable.
^mysite\.com
This second part is known as the 'condition'. The ^ caret symbol defines the start and mysite\.com is the pattern to be matched, in this instance http://mysite.com without www. The backslash before the dot is required to 'escape' it, because in a regular expression, the dot is a special 'metacharacter'. Escaping the dot converts it back to a normal character - a plain dot.
[NC]
This third part is known as the flag. [NC] stands for no case (case-insensitive).
The full rewrite condition is thus:
RewriteCond %{HTTP_HOST} ^mysite\.com [NC]
(2) RewriteRule
Looking now at the RewriteRule, it contains three essential parts.
^(.*)$
This first part is the 'thing' that we want to be re-written by the web server. The ^ caret symbol defines the start, (.*) is a designated variable (using brackets) containing a regular expression that matches any combination of characters, and the $ symbol defines the end.
http://www.mysite.com/$1
This second part is what we want the server to process behind the scenes. It consists of the canonical URL, plus the designated variable from the first part, expressed as $1. If we had two designated variables we could use $1 and $2.
In the above example, the (.*) (any combination of characters, eg: 'about-us.html') is added by the server, after the page has been requested, as $1 to the end of http://www.mysite.com/ to make http://www.mysite.com/about-us.html.
[R=301,L]
This third part, the flag, is an integral part of the rule writing process because it designates any special instructions that might be needed, in this instance R=301 for redirect permanently and L for 'last rule' so that no other rules are processed for the specified rewrite condition.
The full rewrite rule is thus:
RewriteRule ^(.*)$ http://www.mysite.com/$1 [R=301,L]
The RewriteRule in action
Here, again, is the full .htaccess file:
#
Options +FollowSymLinks
RewriteEngine On
#
# REDIRECT to canonical url
RewriteCond %{HTTP_HOST} ^mysite\.com [NC]
RewriteRule ^(.*)$ http://www.mysite.com/$1 [R=301,L]
#
In plain English, it's saying that "if someone tries to open any page on our website without entering www at the front, redirect them to a version of the page with the www, and if the visitor is Google(bot), mention the fact that this is permanent."
The redirect can be tested by typing a web page address like http://patricktaylor.com/mod_rewrite-htaccess into an HTTP viewer. The first receiving header is HTTP/1.1 301 Moved Permanently and the second receiving header is HTTP/1.1 200 OK. And of course the addition of www can be tested by pasting http://patricktaylor.com/ into your browser's address bar.
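As an added example (not code from the original articles), this Python simulation applies both rule sets above, the index.php rule from the first article and the with-www rule from this one, to constructed request lines, and shows why the %{THE_REQUEST} condition prevents the redirect loop: Apache's DirectoryIndex turns a request for '/' into an internal sub-request for 'index.php', which the RewriteRule alone would redirect again. It assumes per-directory (.htaccess) context, where the RewriteRule pattern sees the path without its leading slash, and the page's www.mysite.com as the canonical host.

```python
import re

# The two rule sets from the page, in per-directory (.htaccess) context.
# In that context the RewriteRule pattern is matched against the URL path
# WITHOUT its leading slash, while %{THE_REQUEST} is the raw request line.
INDEX_COND = re.compile(r"^[A-Z]{3,9}\ /([^/]+/)*index\.php\ HTTP/")
INDEX_RULE = re.compile(r"^(([^/]+/)*)index\.php$")
HOST_COND = re.compile(r"^mysite\.com", re.IGNORECASE)  # the [NC] flag
HOST_RULE = re.compile(r"^(.*)$")
CANONICAL = "http://www.mysite.com/"   # assumed canonical site, as on the page


def strip_index(the_request, path):
    """First article's rule. Returns the 301 Location, or None if it does
    not fire. `the_request` is %{THE_REQUEST}; `path` is what the
    RewriteRule sees (for a DirectoryIndex sub-request that is
    'folder/index.php' even though the browser asked for '/folder/')."""
    if not INDEX_COND.search(the_request):
        return None                 # RewriteCond failed: rule is skipped
    m = INDEX_RULE.match(path)
    if not m:
        return None
    return CANONICAL + m.group(1)   # $1 is '' or 'folder1/folder2/'


def add_www(http_host, path):
    """Second article's rule: redirect any request whose Host header
    starts with mysite.com (any case) to the with-www canonical URL.
    The condition has no trailing $, so a Host such as mysite.com:8080
    also matches; the Location is fixed, so that is harmless here."""
    if not HOST_COND.search(http_host):
        return None
    return CANONICAL + HOST_RULE.match(path).group(1)


def serve(url_path, use_cond=True, max_hops=5):
    """Simulate browser + server for the index.php rule and return the
    list of Locations the browser is sent to. With use_cond=False the
    RewriteRule runs without its RewriteCond, and the DirectoryIndex
    sub-request for '/' makes it fire again: the 'infinite loop'."""
    hops = []
    for _ in range(max_hops):
        the_request = "GET %s HTTP/1.1" % url_path
        path = url_path.lstrip("/")
        if path == "" or path.endswith("/"):
            path += "index.php"     # Apache's DirectoryIndex sub-request
        cond_ok = True if not use_cond else INDEX_COND.search(the_request) is not None
        m = INDEX_RULE.match(path)
        if not (cond_ok and m):
            return hops             # served with 200 OK, no more redirects
        location = CANONICAL + m.group(1)
        hops.append(location)
        url_path = "/" + location[len(CANONICAL):]
    return hops + ["LOOP"]          # browser would give up: too many redirects


if __name__ == "__main__":
    print(strip_index("GET /subfolder1/index.php HTTP/1.1", "subfolder1/index.php"))
    print(add_www("MySite.COM", "about-us.html"))
    print(serve("/index.php"), serve("/index.php", use_cond=False))
```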
A general note: on some shared web hosting accounts, the .htaccess file can't be seen when the root folder is opened in an FTP client. This can often be corrected by enabling server side filtering in the FTP client program and setting the remote filter as -rtaF. The precise details of how to do this will vary from one program to another.
Thursday, July 2, 2009
Generate CSR for Red Hat Linux Apache / SSL Server
Step 1: Generating the Private Key
1. Use the cd command to move to the /etc/httpd/conf directory.
2. As root, type in one of the following three commands to generate your key:
3. If you're using Official Red Hat Linux Professional and you want to use the included password feature, type in the following command: make genkey
4. Your key will be generated and you will be asked to enter and confirm a password. Please note that you will need to remember and enter this password every time you start your secure Web server, so don't forget it.
5. If you're using Official Red Hat Linux Professional and you don't want to be required to type in a password every time you start your secure Web server, use the following command instead of make genkey to create your key (note that the following command should be typed in all on one line):
/usr/sbin/sslgenrsa -rand /dev/urandom -out ssl.key/server.key 1024
6. Then use the following command to set the correct permissions on your key:
chmod go-rwx ssl.key/server.key
7. If you use the above commands to create your key, you will not need to use a password to start your secure Web server. However, we don't recommend that you disable the password feature for your secure Web server, since it decreases the level of security for your server.
8. Your key will be created and saved to a file named server.key. If you're using Official Red Hat Linux Professional, server.key will be located in the /etc/httpd/conf/ssl.key directory. If you're using Official Red Hat Linux Professional, International Edition, server.key will be located in /etc/httpd/conf.
Step 2: Create the Certificate Signing Request
1. In the /etc/httpd/conf directory, become root and type in one of the following two commands:
2. If you're using Official Red Hat Linux Professional, type in the following command:
make certreq
3. If you're using Official Red Hat Linux Professional, International Edition, type in the following single command (all on one line):
/usr/bin/openssl req -new -key /etc/httpd/conf/server.key -out /etc/httpd/conf/server.csr
4. You will be prompted for your password (if you used a password when you generated your key). Type in the password, if necessary.
5. You'll see some instructions and you will be prompted for responses. Your inputs will be incorporated into the CSR.
6. When you've finished entering your information, a file named server.csr will be created. If you're using Official Red Hat Linux Professional, server.csr will be located in the /etc/httpd/conf/ssl.csr directory.
7. You have just created a key pair and a CSR.
8. The server.csr file contains your certificate request. To copy and paste the information into the order form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
9. Go to our website ssl.nu for the SSL Certificate request.
Terms defined:
Country Name (C):
Use the two-letter code without punctuation for country, for example: US or CA.
State or Province (S):
Spell out the state completely; do not abbreviate the state or province name, for example: California
Locality or City (L):
The Locality field is the city or town name, for example: Berkeley.
Organization (O):
If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. Example: XYZ Corporation
Organizational Unit (OU):
This field is optional, but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request.
Common Name (CN):
The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com".
Note: When prompted for your "first- and lastname", enter the desired Common Name.
SSL Certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".
Networking4all certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".
Please do not enter your email address, challenge password or an optional company name when generating the CSR.
Create a Certificate Signing Request using the RSA private key
openssl req -new -key domain.com.key -out domain.com.csr
Alternatively, use the following script to generate the CSR:
#/scripts/gencrt
This script will ask you for information such as email address, domain name, IP address, country code, locality, company and company division. Enter the details as requested and the CSR will be written under the directory /usr/share/ssl/Certs/ as www.tuks123.com.csr.
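The Red Hat procedure above and the gencrt script both produce the same two files, a private key and a CSR; this added shell example (not from the page) generates them non-interactively with the subject fields from "Terms defined" and then runs the checks worth doing before the CSR is pasted into an order form. It assumes openssl on the PATH, constructed sample DN values, and a temporary directory in place of the page's /etc/httpd/conf paths.

```shell
#!/bin/sh
# Added example, not from the page. Assumes: openssl on PATH; everything is
# written to a temporary directory rather than the page's /etc/httpd/conf paths.
set -eu

# Distinguished-name fields as defined under "Terms defined" (constructed values).
# CN must be the exact host visitors will type: www.example.com is not example.com.
SUBJECT="/C=US/ST=California/L=Berkeley/O=XYZ Corporation/OU=Web Team/CN=www.example.com"
EXPECTED_CN="www.example.com"

# Generate server.key and server.csr in $1 without any interactive prompts.
gen_key_and_csr() {
    dir="$1"
    # The page's 2009 recipe made a 1024-bit key; public CAs now reject
    # anything below 2048 bits, so that is what is generated here.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # Same effect as the page's 'chmod go-rwx ssl.key/server.key'.
    chmod go-rwx "$dir/server.key"
    # -subj supplies the DN, so there are no prompts and hence no e-mail
    # address, challenge password or optional company name in the CSR.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "$SUBJECT" 2>/dev/null
}

# Prints "ok" when the CSR in $1 is worth pasting into an order form, or the
# name of the first failing check.
check_csr() {
    dir="$1"
    # 1. the CSR's own signature verifies (file not truncated or mangled by an editor)
    openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1 \
        || { echo "bad-signature"; return; }
    # 2. the public key in the CSR is the one belonging to server.key
    kk=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null | openssl sha256)
    ck=$(openssl req -in "$dir/server.csr" -noout -pubkey 2>/dev/null | openssl sha256)
    [ "$kk" = "$ck" ] || { echo "key-mismatch"; return; }
    # 3. the private key is readable by its owner only (go-rwx)
    case "$(ls -l "$dir/server.key" | cut -c5-10)" in
        ------) ;;
        *) echo "key-perms"; return ;;
    esac
    # 4. the Common Name is the host the certificate will serve
    openssl req -in "$dir/server.csr" -noout -subject 2>/dev/null \
        | grep -q "CN *= *$EXPECTED_CN" || { echo "bad-cn"; return; }
    echo "ok"
}

# Happy path: a fresh key + CSR pass every check.
demo_ok() {
    d=$(mktemp -d)
    gen_key_and_csr "$d"
    r=$(check_csr "$d")
    rm -rf "$d"
    echo "$r"
}

# A CSR sitting next to the wrong private key is caught before ordering.
demo_wrong_key() {
    d=$(mktemp -d)
    gen_key_and_csr "$d"
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null   # replace the key
    chmod go-rwx "$d/server.key"
    r=$(check_csr "$d")
    rm -rf "$d"
    echo "$r"
}
```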
Generate csr and install SSL through shell
You can generate a CSR through the shell using the following command:
root@server1[/]# /scripts/gencsr
This will ask you for information such as email address, domain name, country code, city and company; fill in the values and it generates a CSR and a private key. Use the following steps to install an SSL certificate:
First check which domain name the SSL certificate was issued for, i.e. www.domainname.com or domainname.com. Suppose you have to install an SSL certificate for domainname.com and you have already generated the CSR for domainname.com. Follow these steps.
1)
Go to directory /usr/share/ssl/certs
root@server1[/]# cd /usr/share/ssl/certs
Check that the domainname.com.csr file is already present.
root@server1[/usr/share/ssl/certs]# ls -l | grep domainname.com.csr
Create the .crt file and paste the SSL certificate into it as below:
root@server1 [/usr/share/ssl/certs]# vi domainname.com.crt
paste ssl certificate
save the file.
If a CA bundle is provided by the client, put it in the domainname.com.cabundle file under the directory /usr/share/ssl/certs:
root@server1 [/usr/share/ssl/certs]# vi domainname.com.cabundle
paste the CA bundle and save the file.
2)
Go to directory /usr/share/ssl/private and check to see if the file domainname.com.key is already present.
root@server1[/]# cd /usr/share/ssl/private
root@server1[/usr/share/ssl/private]# ls -l | grep domainname.com.key
3)
Open the file /etc/httpd/conf/httpd.conf, copy the virtual host entry for domainname.com into a text editor, and add the following lines just before the closing tag of the entry:
SSLEnable
SSLCertificateFile /usr/share/ssl/certs/domainname.com.crt
SSLCertificateKeyFile /usr/share/ssl/private/domainname.com.key
SSLCACertificateFile /usr/share/ssl/certs/domainname.com.cabundle
SSLLogFile /usr/local/apache/domlogs/shop.discdudes.com-ssl_data_log
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
Add the opening virtual host line (for the SSL port) above the entry, and the closing virtual host tag at the end of it.
Your SSL virtual host (sslVH) entry should now look like the sample below:
ServerAlias domainname.com
ServerAdmin webmaster@domainname.com
DocumentRoot /home/username/public_html
BytesLog domlogs/domainname.com-bytes_log
ServerName domainname.com
User username
Group username
CustomLog /usr/local/apache/domlogs/domainname.com combined
ScriptAlias /cgi-bin/ /home/username/public_html/cgi-bin/
SSLEnable
SSLCertificateFile /usr/share/ssl/certs/domainname.com.crt
SSLCertificateKeyFile /usr/share/ssl/private/domainname.com.key
SSLCACertificateFile /usr/share/ssl/certs/domainname.com.cabundle
SSLLogFile /usr/local/apache/domlogs/shop.discdudes.com-ssl_data_log
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
4)
If no CA bundle was supplied by the client, remove the following line from the sslVH entry:
SSLCACertificateFile /usr/share/ssl/certs/domainname.com.cabundle
5)
Add the sslVH entry to the httpd.conf file and restart the httpd service.
You should now be able to access the site at https://domainname.com
Check that the paths to the .crt, .key and .cabundle files are specified correctly. If a path in the sslVH entry is wrong, the httpd service will not start.
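As an added pre-flight check (example script, not part of the original post): before the restart in step 5, confirm that the files the sslVH entry points to exist, that the private key belongs to the certificate and chains to the CA bundle, and that the key is not readable by other users. The paths are the ones used above; the openssl command-line tool and GNU stat are assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the sslVH files before restarting httpd.
# Paths are those from the post; the CA bundle is optional (step 4).
# Assumes the openssl CLI and GNU coreutils (stat -c) are available.

CERT=/usr/share/ssl/certs/domainname.com.crt
KEY=/usr/share/ssl/private/domainname.com.key
CABUNDLE=/usr/share/ssl/certs/domainname.com.cabundle   # may be absent

# check_ssl_files CERT KEY [CABUNDLE]
# Prints one line per finding; returns non-zero if anything would stop httpd
# from starting or would make it serve a broken chain.
check_ssl_files() {
    cert=$1 key=$2 cabundle=$3 rc=0

    # 1. Both paths in the sslVH entry must exist (the usual reason httpd will not start).
    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "MISSING: $f"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # 2. The private key must be readable by root only.
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        600|400) ;;
        *) echo "PERMS: $key is mode $mode, expected 600"; rc=1 ;;
    esac

    # 3. The certificate and key must belong together: compare their public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $key does not match $cert"; rc=1
    fi

    # 4. If a CA bundle is present, the certificate must verify against it;
    #    if it is absent, the SSLCACertificateFile line has to go (step 4).
    if [ -n "$cabundle" ] && [ -f "$cabundle" ]; then
        if ! openssl verify -CAfile "$cabundle" "$cert" >/dev/null 2>&1; then
            echo "CHAIN: $cert does not verify against $cabundle"; rc=1
        fi
    elif [ -n "$cabundle" ]; then
        echo "NOTE: no CA bundle at $cabundle; remove SSLCACertificateFile from the sslVH entry"
    fi

    # 5. Refuse to install a certificate that expires within 30 days (2592000 s).
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "EXPIRY: $cert expires within 30 days"; rc=1
    fi
    return "$rc"
}

# Run the checks on the real paths; only restart httpd when this prints "OK".
check_ssl_files "$CERT" "$KEY" "$CABUNDLE" && echo "OK: sslVH files consistent, safe to restart httpd"
```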
Wednesday, July 1, 2009
Processes listening on a particular port
To find out which process is listening on a particular port, use the following command:
lsof -i TCP:portnumber
eg: lsof -i TCP:80
httpd 31969 linux 3u IPv6 8152068 TCP *:http (LISTEN)
httpd 31971 linux 3u IPv6 8152068 TCP *:http (LISTEN)
httpd 31972 linux 3u IPv6 8152068 TCP *:http (LISTEN)
Fixing corrupted RPM db
Remove /var/lib/rpm/__db* files to avoid stale locks:
cd /var/lib/rpm
rm -rf __db*
Rebuild RPM database
# rpm --rebuilddb
# rpmdb_verify Packages
If you still get errors, try your luck with the following commands:
# mv Packages Packages-BAKUP
# db_dump Packages-BAKUP | db_load Packages
# rpm -qa
# rpm --rebuilddb
password protecting directories using .htaccess
If you want to protect /home/username/public_html, do as follows:
cd /home/username/public_html
touch .htaccess [if it already exists you can use it; no need to create it]
Add the following lines to the .htaccess file:
AuthUserFile /home/username/public_html/.htpasswd
AuthName "Title for Protected Site"
AuthType Basic
Require valid-user
The next stage is creating the .htpasswd file; create it in the same directory as .htaccess:
cd /home/username/public_html [same place where your .htaccess is]
touch .htpasswd
htpasswd -c .htpasswd test
New password:
Re-type new password:
Adding password for user test
That's it. Don't forget to change the ownership and permissions.
How to enable and disable ping request
To disable ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
To enable ping
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
WHAT IS RSYNC
RSYNC
The rsync utility is used for synchronising files. One of its major advantages is that rsync can preserve permissions and ownership information, copy symbolic links, and in general is designed to handle your files intelligently.
The basic syntax for rsync is simple enough -- just run
rsync [options] source destination
If you want to rsync /home/mabin to /var/www/html/, the command is
rsync -a /home/mabin /var/www/html
When doing an rsync the trailing '/' matters a great deal: if I rsync /home/mabin/ then only the contents of the folder mabin are copied, but if I leave off the '/' and use /home/mabin then the entire directory is taken, that is, a directory named mabin is created at the destination.
some switches with rsync
-----------------------------
-a --> archive option, which actually combines several rsync options: it recurses, copies symlinks as symlinks, preserves permissions, times, group and owner, and generally makes rsync suitable for making archive copies. Note that it doesn't preserve hard links.
-H --> preserves hard links
-v --> verbose mode
-z --> compress option, compresses the data during transfer
--delete --> deletes files at the destination that no longer exist at the source, so the destination mirrors the source (a dangerous option, try to avoid it)
--exclude=".*/" --> skips hidden directories. The same option excludes any pattern you give it: if you don't want to copy .php files, put it like this: --exclude="*.php"
sample command for local copying
----------------------------------------
rsync -avh /home/mabin/ /var/www/html
Rsync for remote copying
------------------------------------------------------------
rsync -avhe ssh /home/user/dir/ user@remote.host.com:dir/
If you want to know how fast the transfer is going use the --progress option
rsync --progress -avhe ssh /home/user/dir/ user@remote.host.com:dir/
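What the trailing '/' does, shown on a throw-away directory tree instead of /home/mabin (an added example, not from the original post; the tree under mktemp is constructed here and rsync is assumed to be installed):

```shell
#!/bin/sh
# Added example: demonstrates the trailing-slash rule and --exclude=".*/" from
# the post on a constructed tree under mktemp. Assumes rsync is installed.

# Build a small constructed source tree: mabin/ with one file and one hidden directory.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/src/mabin/.git" "$root/dst_slash" "$root/dst_noslash"
    echo hello > "$root/src/mabin/index.html"
    echo cfg   > "$root/src/mabin/.git/config"
    echo "$root"
}

# List the files under a destination, relative to it, one per line, in C sort order.
list_dest() {
    (cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort)
}

# Source WITH trailing slash: the contents of mabin land directly in the destination.
copy_contents() {
    rsync -a "$1/src/mabin/" "$1/dst_slash/"
    list_dest "$1/dst_slash"
}

# Source WITHOUT trailing slash: a directory named mabin is created in the destination.
copy_dir() {
    rsync -a "$1/src/mabin" "$1/dst_noslash/"
    list_dest "$1/dst_noslash"
}

# Same as copy_contents, but with the post's --exclude=".*/", which skips
# hidden directories such as .git (the pattern's trailing '/' matches directories only).
copy_contents_no_hidden() {
    rm -rf "$1/dst_slash" && mkdir "$1/dst_slash"
    rsync -a --exclude=".*/" "$1/src/mabin/" "$1/dst_slash/"
    list_dest "$1/dst_slash"
}

if command -v rsync >/dev/null 2>&1; then
    root=$(make_tree)
    echo "== with trailing slash ==";    copy_contents "$root"
    echo "== without trailing slash =="; copy_dir "$root"
    echo "== excluding hidden dirs ==";  copy_contents_no_hidden "$root"
    rm -rf "$root"
else
    echo "rsync is not installed" >&2
fi
```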
How do I export and import a mysql db using PHPMyAdmin?
Step 1: Open phpMyAdmin and select the database from which you want to export data and/or structure. Go to the "Export" tab. Select the table(s) you want to save.
Select the option you need: data only, data and structure, or structure only:
--> if you only want to update a table on another server which already has a table with the same structure, choose data only
--> if you want to create a new table on another server (for instance, if you have a development environment and now want to put your application into production), choose structure only
--> if you are moving a complete table, choose data and structure
Select "save as file" and hit "go". You can now enter a filename and specify where the file needs to be saved. It's recommended to choose a meaningful filename that includes the date, like "shop_05_07_03.sql". This creates the dump file. If you open it in Notepad or any other text editor, it looks something like:
# phpMyAdmin MySQL-Dump
# version 2.4.0
# http://www.phpmyadmin.net/ (download page)
#
# Host: thehostname would be here
# Generation Time: Apr 04, 2004 at 02:39 PM
# Server version: 4.0.13
# PHP Version: 4.2.3
# Database : `db-name would be here`
# --------------------------------------------------------
#
# Table structure for table `test`
#
CREATE TABLE test (
  siteID int(6) NOT NULL auto_increment,
  uname tinytext NOT NULL,
  upwd tinytext NOT NULL,
  nick tinytext NOT NULL,
  sitename text NOT NULL,
  regdate date NOT NULL default '9999-01-01',
  numtrial int(7) unsigned NOT NULL default '0',
  PRIMARY KEY (siteID)
) TYPE=MyISAM COMMENT='Table with userinfo';
#
# Dumping data for table `useradmin`
#
INSERT INTO test VALUES (1, 'mytest', 'testt', 'myteste', 'www.mysite.com/site/test.html', '0000-00-00', 0);
This is the dump file for table 'test', which contains one record. As you can see, it's just a series of SQL statements to recreate the table and insert all records.
Step 2: If necessary, you can upload this file to a server or move it to another PC (on a disk or whatever).
Step 3: Open phpMyAdmin. Select the database you want to import the table(s) into. Go to the SQL tab. Look at the bottom for "Or location of the textfile" and browse to the dump file. Double-click on it so that the file path appears in the textbox. Then hit "go". All SQL statements will be executed and you will get a notification after the file is processed.
Apache not starting:(No space left on device: mod_rewrite)
The error specifies that there is no more space left in Semaphore Arrays for Apache.
Run the following in a shell to remove the semaphore arrays held by the apache user, then start Apache again:
for ipsemId in $(ipcs -s | grep apache | cut -f 2 -d ' '); do ipcrm $ipsemId; done
VPS related issues
Please visit this link for vps related issues:
http://forum.openvz.org/index.php?t=thread&frm_id=2&
Adding ssh key-passwordless login
On the source server do the following:
ssh-keygen -t dsa -f filename
It will prompt for a passphrase; it is desirable to leave it empty.
Two files will be created:
filename
filename.pub
Copy the filename.pub file to the destination server into /root/.ssh and add the public key entry to authorized_keys as follows:
cat filename.pub >> authorized_keys
/etc/init.d/sshd restart
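The destination-server half of the procedure as a small function (an added example, not from the original post): it appends filename.pub once, refuses anything that is not a public key, and sets the permissions sshd's StrictModes requires, which is the usual reason a freshly added key is ignored. The key in the demo is a constructed string; GNU stat is assumed.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys the way the post
# describes, with the directory/permission handling sshd insists on.
# Assumes GNU coreutils (stat -c) for the permission checks.

# install_pubkey PUBKEY_FILE SSH_DIR
# Appends the key once; returns 0 if the key is now present, 1 on bad input.
install_pubkey() {
    pub=$1 sshdir=$2
    [ -r "$pub" ] || { echo "no such public key file: $pub" >&2; return 1; }
    # A public key line is "<type> <base64> [comment]"; refuse anything else so a
    # private key or other garbage is never appended to authorized_keys.
    case "$(cut -d' ' -f1 "$pub")" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac
    # sshd (StrictModes) ignores the file if ~/.ssh or authorized_keys is group/world writable.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$sshdir/authorized_keys" && chmod 600 "$sshdir/authorized_keys"
    # Compare on type+key only, so a changed comment does not create a duplicate entry.
    keyid=$(cut -d' ' -f1,2 "$pub")
    if ! cut -d' ' -f1,2 "$sshdir/authorized_keys" | grep -qxF "$keyid"; then
        cat "$pub" >> "$sshdir/authorized_keys"
    fi
}

# count_keys SSH_DIR: number of key lines in authorized_keys (for checking the result).
count_keys() {
    grep -c . "$1/authorized_keys"
}

# Demo on a throw-away directory with a constructed (not real) DSA public key.
demo_dir=$(mktemp -d)
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBconstructed== root@source\n' > "$demo_dir/filename.pub"
install_pubkey "$demo_dir/filename.pub" "$demo_dir/.ssh"
install_pubkey "$demo_dir/filename.pub" "$demo_dir/.ssh"   # second run is a no-op
echo "keys installed: $(count_keys "$demo_dir/.ssh")"       # 1
rm -rf "$demo_dir"
```

On the real destination server the call is install_pubkey /root/filename.pub /root/.ssh; sshd reads authorized_keys on every login, so the service does not need restarting for the key to work.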
Disk quota error in VPS
This error occurs for one of two reasons: the DISKINODES or the DISKSPACE setting in the VPS configuration.
Solution: this worked for me, as DISKINODES did not have enough assigned.
Try changing it to DISKINODES="1000000:1200000" and restart the VPS.
Ip tables
Iptables is a packet filtering tool which allows the system administrator to control the packets coming into and going out of a system using rules. Iptables can be confusing at first, but it's pretty straightforward once you get the hang of it.
Iptables is, in short, a Linux-based packet filtering firewall. It interfaces to the Linux netfilter module to perform filtering of network packets, which can be used to deny or allow traffic or to perform Network Address Translation (NAT). With careful configuration iptables can be a very cost-effective, powerful and flexible firewall or gateway solution. Iptables is available from http://www.netfilter.org/ or via your Linux distribution.
Rules, Chains, and Tables
Iptables rules are grouped into chains. A chain is a set of rules used to determine what to do with a packet. These chains are grouped into tables. Iptables has three built-in tables: filter, nat and mangle. More tables can be added through iptables extensions.
Filter Table
The filter table is used to allow and block traffic, and contains three chains: INPUT, OUTPUT and FORWARD. The INPUT chain is used to filter packets destined for the local system. The OUTPUT chain is used to filter packets created by the local system. The FORWARD chain is used for packets passing through the system, mainly on gateways/routers.
There are three real "chains" which iptables uses:
* INPUT
Which is used to grant or deny incoming connections to your machine.
* OUTPUT
Which is used to grant or deny outgoing connections from your machine.
* FORWARD
Which is used for forwarding packets across interfaces, only really needed (in general) when you're setting up a gateway machine.
NAT Table
The NAT table is used to setup the rules to rewrite packets allowing NAT to happen. This table also has 3 chains, PREROUTING, POSTROUTING, and OUTPUT. The prerouting chain is where packets come to prior to being parsed by the local routing table. The postrouting chain is where packets are sent after going through the local routing table. The output chain
The general form of an iptables command is:
iptables -A CHAIN -p tcp/udp [options] -j ACTION
The CHAIN we've briefly covered before: "INPUT", "OUTPUT", "FORWARD", etc. Here "-A INPUT" means "append this rule to the INPUT chain".
The "-p tcp" means this rule applies only to TCP connections, not UDP. (To specify UDP connections you'd use "-p udp" instead.)
"[options]" is where you specify what you wish to match against.
Finally "-j ACTION" is used to specify what to do with packets which match your rule. Usually an action will be one of "-j DROP" to drop the packet, "-j ACCEPT" to accept the packet, or "-j LOG" to log it.
Commands
The first step is to know iptables commands.
Main commands
* -A --append : add the rule at the end of the specified chain
iptables -A INPUT ...
* -D --delete : delete a rule from a chain.
There are 2 ways to use it: you can specify the number of the rule to delete, or spell out the rule to delete
iptables -D INPUT 1
iptables -D INPUT -p tcp --dport 80 -j DROP
* -R --replace : replace the rule at the given position in the chain
iptables -R INPUT 1 -s 192.168.0.1 -j DROP
* -I --insert : insert a rule at a specific position in the chain
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
* -L --list : display the rules
iptables -L # Display all the rules of the filter table's chains
iptables -L INPUT # Display all the INPUT rules (filter table)
* -F --flush : delete all the rules of a chain
iptables -F INPUT # Delete all the rules of the INPUT chain
iptables -F # Delete all the rules
* -N --new-chain : create a new chain
iptables -N LOG_DROP
* -X --delete-chain : delete a user-defined chain
iptables -X LOG_DROP # Delete the LOG_DROP chain
iptables -X # Delete all user-defined chains
* -P --policy : tell the kernel the default policy of a built-in chain, ACCEPT or DROP
iptables -P INPUT DROP
Basic Uses
The most common use of iptables is to simply block and allow traffic.
Allow Traffic
Iptables allows you to allow traffic based on a number of different conditions such as Ethernet adapter, IP Address, port, and protocol.
Allow incoming TCP traffic on port 22 (ssh) for adapter eth0
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
Allow incoming TCP traffic on port 80 (HTTP) for the IP range 192.168.0.1 to 192.168.0.254.
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
Block Traffic
Iptables can block traffic on the same conditions that traffic can be allowed.
Blocks inbound TCP traffic port 22 (ssh)
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
Blocks inbound TCP traffic on port 80 (HTTP) from the IP 192.168.1.100
iptables -A INPUT -s 192.168.1.100 -p tcp -m tcp --dport 80 -j DROP
Limit Traffic
Along with allowing and denying traffic, iptables can be used to limit the number of connections allowed within a time window.
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --update --seconds 60 --hitcount 4 -j DROP
This is a common set of rules used to block brute-force SSH attacks. The first rule makes sure the connecting IP is added to the sshbrute list. The second rule tells iptables to check the sshbrute list and, if the threshold (4 new connections within 60 seconds) is exceeded, to drop the traffic.
Common Options and Switches
-A -- adds a rule at the end of the chain
-I -- inserts the rule at the given rule number. If no rule number is given the rule is inserted at the head of the chain.
-p -- protocol of the rule
--dport -- the destination port to check on the rule
-i -- interface on which the packet was received.
-j -- what to do if the rule matches
-s -- source IP address of packet
-d -- destination IP address of packet
Examples :
Drop all inbound telnet traffic
iptables -I INPUT -p tcp --dport 23 -j DROP
Drop all outbound web traffic
iptables -I OUTPUT -p tcp --dport 80 -j DROP
Drop all outbound traffic to 192.168.0.1
iptables -I OUTPUT -d 192.168.0.1 -j DROP
Allow all inbound web traffic
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
Allow inbound HTTPS traffic from 10.2.2.4
iptables -I INPUT -s 10.2.2.4 -p tcp -m tcp --dport 443 -j ACCEPT
Deny outbound traffic to 192.2.4.0-192.2.4.255
iptables -I OUTPUT -d 192.2.4.0/24 -j DROP
Allow incoming connections to port 21 from the single IP address 11.22.33.44
iptables -A INPUT -p tcp -m state --state NEW --dport 21 --source 11.22.33.44 -j ACCEPT
Deny all other incoming connections to port 21.
iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j DROP
We used "-m state --state NEW --dport 21" to match new connections to port 21. Other options allow you to match against different things.
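The rules above combined into one default-deny ruleset, as an added example that is not from the original post: build_ruleset prints an iptables-restore file and apply_ruleset loads it only after iptables-restore has test-parsed it, so a typo cannot leave the host half-configured. The interface eth0, the addresses 192.168.0.0/24 and 10.2.2.4 and the list name sshbrute are the post's; the chain name SSH_GUARD and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example: the post's rules assembled into a stateful default-deny policy in
# iptables-restore format. build_ruleset only prints; nothing is applied unless
# apply_ruleset is run as root on a host with iptables-restore.
# eth0, 192.168.0.0/24, 10.2.2.4 and sshbrute come from the post; SSH_GUARD is made up.

# build_ruleset: print a complete filter-table policy to stdout.
build_ruleset() {
    cat <<'EOF'
*filter
# Default policies: drop whatever no rule accepts (the post's "iptables -P INPUT DROP").
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_GUARD - [0:0]
# Loopback, and replies to connections this host opened itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New SSH connections pass through the brute-force limiter before being accepted:
# more than 4 new connections from one address within 60 seconds are dropped.
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j SSH_GUARD
-A SSH_GUARD -m recent --name sshbrute --update --seconds 60 --hitcount 4 -j DROP
-A SSH_GUARD -m recent --name sshbrute --set -j ACCEPT
# HTTP only from the LAN range, HTTPS only from one host (the post's examples).
-A INPUT -s 192.168.0.0/24 -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -s 10.2.2.4 -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Log (rate-limited) and then drop everything else, so blocked traffic is visible
# in the kernel log (/var/log/messages on this kind of system).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# count_rules: number of "-A" rule lines in the generated ruleset.
count_rules() {
    build_ruleset | grep -c '^-A '
}

# apply_ruleset: parse-check with "iptables-restore --test" first; only load the
# live tables if the file is accepted. Returns 1 and leaves the tables untouched otherwise.
apply_ruleset() {
    f=$(mktemp)
    build_ruleset > "$f"
    if iptables-restore --test < "$f"; then
        iptables-restore < "$f"
        rc=$?
    else
        echo "ruleset rejected by iptables-restore --test, live tables unchanged" >&2
        rc=1
    fi
    rm -f "$f"
    return "$rc"
}

# Print the ruleset for review; run apply_ruleset as root to load it.
build_ruleset
```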
Squirrel mail login prompting repeatedly
Sometimes this issue is found on cPanel servers.
If you are facing this issue, restart the following services:
/scripts/restartsrv_exim
/scripts/restartsrv_cppop
/scripts/restartsrv_imap
Log File Paths
The first place you should go when trying to debug a problem is the log file for that program.
The log files are as follows:
DirectAdmin:
/var/log/directadmin/error.log
/var/log/directadmin/errortaskq.log
/var/log/directadmin/system.log
/var/log/directadmin/security.log
Apache:
/var/log/httpd/error_log
/var/log/httpd/access_log
/var/log/httpd/suexec_log
/var/log/httpd/fpexec_log
/var/log/httpd/domains/domain.com.error.log
/var/log/httpd/domains/domain.com.log
/var/log/messages (generic errors)
Proftpd:
/var/log/proftpd/access.log
/var/log/proftpd/auth.log
/var/log/messages (generic errors)
vm-pop3d:
/var/log/maillog
/var/log/messages
named (bind):
/var/log/messages
exim:
/var/log/exim/mainlog
/var/log/exim/paniclog
/var/log/exim/processlog
/var/log/exim/rejectlog
(on FreeBSD, they have "exim_" in front of the filenames)
mysqld:
RedHat:
/var/lib/mysql/server.hostname.com.err
FreeBSD:
/usr/local/mysql/data/server.hostname.com.err
crond:
/var/log/cron
To view a log file, run:
less /var/log/filename
Where /var/log/filename is the path of the log you wish to view. If the log is too large you can use the "tail" command:
tail -n 30 /var/log/filename
Where 30 is the number of lines from the end you wish to view.
Basic commands in Exim
Print a count of the messages in the queue:
root@localhost# exim -bpc
Print a listing of the messages in the queue (time queued, size, message-id, sender, recipient):
root@localhost# exim -bp
Print a summary of messages in the queue (count, volume, oldest, newest, domain, and totals):
root@localhost# exim -bp | exiqsumm
Print what Exim is doing right now:
root@localhost# exiwhat
Test how exim will route a given address:
root@localhost# exim -bt alias@localdomain.com
user@thishost.com
    <-- alias@localdomain.com
  router = localuser, transport = local_delivery
root@localhost# exim -bt user@thishost.com
user@thishost.com
  router = localuser, transport = local_delivery
root@localhost# exim -bt user@remotehost.com
  router = lookuphost, transport = remote_smtp
  host mail.remotehost.com [1.2.3.4] MX=0
Run a pretend SMTP transaction from the command line, as if it were coming from the given IP address. This will display Exim's checks, ACLs, and filters as they are applied. The message will NOT actually be delivered.
root@localhost# exim -bh 192.168.11.22
Display all of Exim's configuration settings:
root@localhost# exim -bP
Searching the queue with exiqgrep
Exim includes a utility that is quite nice for grepping through the queue, called exiqgrep. Learn it. Know it. Live it. If you're not using this, and if you're not familiar with the various flags it uses, you're probably doing things the hard way, like piping `exim -bp` into awk, grep, cut, or `wc -l`. Don't make life harder than it already is.
First, various flags that control what messages are matched. These can be combined to come up with a very particular search.
Use -f to search the queue for messages from a specific sender:
root@localhost# exiqgrep -f [luser]@domain
Use -r to search the queue for messages for a specific recipient/domain:
root@localhost# exiqgrep -r [luser]@domain
Use -o to print messages older than the specified number of seconds. For example, messages older than 1 day:
root@localhost# exiqgrep -o 86400 [...]
Use -y to print messages that are younger than the specified number of seconds. For example, messages less than an hour old:
root@localhost# exiqgrep -y 3600 [...]
Use -s to match the size of a message with a regex. For example, 700-799 bytes:
root@localhost# exiqgrep -s '^7..$' [...]
Use -z to match only frozen messages, or -x to match only unfrozen messages.
There are also a few flags that control the display of the output.
Use -i to print just the message-id as a result of one of the above two searches:
root@localhost# exiqgrep -i [ -r | -f ] ...
Use -c to print a count of messages matching one of the above searches:
root@localhost# exiqgrep -c ...
Print just the message-id of the entire queue:
root@localhost# exiqgrep -i
Managing the queue
The main exim binary (/usr/sbin/exim) is used with various flags to make things happen to messages in the queue. Most of these require one or more message-IDs to be specified in the command line, which is where `exiqgrep -i` as described above really comes in handy.
Start a queue run:
root@localhost# exim -q -v
Start a queue run for just local deliveries:
root@localhost# exim -ql -v
Remove a message from the queue:
root@localhost# exim -Mrm <message-id> [ <message-id> ... ]
Freeze a message:
root@localhost# exim -Mf <message-id> [ <message-id> ... ]
Thaw a message:
root@localhost# exim -Mt <message-id> [ <message-id> ... ]
Deliver a message:
root@localhost# exim -M <message-id> [ <message-id> ... ]
Force a message to fail and bounce as "cancelled by administrator":
root@localhost# exim -Mg <message-id> [ <message-id> ... ]
Remove all frozen messages:
root@localhost# exiqgrep -z -i | xargs exim -Mrm
Remove all messages older than five days (86400 * 5 = 432000 seconds):
root@localhost# exiqgrep -o 432000 -i | xargs exim -Mrm
Freeze all queued mail from a given sender:
root@localhost# exiqgrep -i -f luser@example.tld | xargs exim -Mf
View a message's headers:
root@localhost# exim -Mvh <message-id>
View a message's body:
root@localhost# exim -Mvb <message-id>
View a message's logs:
root@localhost# exim -Mvl <message-id>
Add a recipient to a message:
root@localhost# exim -Mar <message-id> <address> [ <address> ... ]
Edit the sender of a message:
root@localhost# exim -Mes <message-id> <address>
Access control
Exim allows you to apply access control lists at various points of the SMTP transaction by specifying an ACL to use and defining its conditions in exim.conf. You could start with the HELO string.
# Specify the ACL to use after HELO
acl_smtp_helo = check_helo
# Conditions for the check_helo ACL:
check_helo:
    deny message = Gave HELO/EHLO as "friend"
         log_message = HELO/EHLO friend
         condition = ${if eq {$sender_helo_name}{friend} }
    deny message = Gave HELO/EHLO as our IP address
         log_message = HELO/EHLO our IP address
         condition = ${if eq {$sender_helo_name}{$interface_address} }
    accept
NOTE: Pursue HELO checking at your own peril. The HELO is fairly unimportant in the grand scheme of SMTP these days, so don't put too much faith in whatever it contains. Some spam might seem to use a telltale HELO string, but you might be surprised at how many legitimate messages start off with a questionable HELO as well. Anyway, it's just as easy for a spammer to send a proper HELO than it is to send HELO im.a.spammer, so consider yourself lucky if you're able to stop much spam this way.
Next, you can perform a check on the sender address or remote host. This shows how to do that after the RCPT TO command; if you reject here, as opposed to rejecting after the MAIL FROM, you'll have better data to log, such as who the message was intended for.
# Specify the ACL to use after RCPT TO
acl_smtp_rcpt = check_recipient
# Conditions for the check_recipient ACL
check_recipient:
# [...]
drop hosts = /etc/exim_reject_hosts
drop senders = /etc/exim_reject_senders
# [ Probably a whole lot more... ]
This example uses two plain text files as blacklists. Add appropriate entries to these files - hostnames/IP addresses to /etc/exim_reject_hosts, addresses to /etc/exim_reject_senders, one entry per line.
It is also possible to perform content scanning using a regex against the body of a message, though obviously this can cause Exim to use more CPU than it otherwise would need to, especially on large messages.
# Specify the ACL to use after DATA
acl_smtp_data = check_message
# Conditions for the check_message ACL
check_message:
    deny message = "Sorry, Charlie: $regex_match_string"
         regex = ^Subject:: .*Lower your self-esteem by becoming a sysadmin
    accept
Fix SMTP-Auth for Pine
If pine can't use SMTP authentication on an Exim host and just returns an "unable to authenticate" message without even asking for a password, add the line marked with > below to the PLAIN authenticator in exim.conf (the surrounding lines show where it belongs):
begin authenticators
fixed_plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${perl{$1}{$2}{$3}}"
  server_set_id = $2
> server_prompts = :
This was a problem on CPanel Exim builds awhile ago, but they seem to have added this line to their current stock configuration.
Log the subject line
This is one of the most useful configuration tweaks I've ever found for Exim. Add this to exim.conf, and you can log the subject lines of messages that pass through your server. This is great for troubleshooting, and for getting a very rough idea of what messages may be spam.
log_selector = +subject
For the full list of log_selector options, see the "Reducing or increasing what is logged" section of the Exim specification's log files chapter.
Disable identd lookups
Frankly, I don't think identd has been useful for a long time, if ever. Identd relies on the connecting host to confirm the identity (system UID) of the remote user who owns the process that is making the network connection. This may be of some use in the world of shell accounts and IRC users, but it really has no place on a high-volume SMTP server, where the UID is often simply "mail" or whatever the remote MTA runs as, which is useless to know. It's overhead, and results in nothing but delays while the identd query is refused or times out. You can stop your Exim server from making these queries by setting the timeout to zero seconds in exim.conf:
rfc1413_query_timeout = 0s
Disable Attachment Blocking
To disable the executable-attachment blocking that many Cpanel servers do by default but don't provide any controls for on a per-domain basis, add the following block to the beginning of the /etc/antivirus.exim file:
if $header_to: matches "example\.com|example2\.com"
then
  finish
endif
It is probably possible to use a separate file to list these domains, but I haven't had to do this enough times to warrant setting such a thing up.
Searching the logs with exigrep
The exigrep utility (not to be confused with exiqgrep) is used to search an exim log for a string or pattern. It will print all log entries with the same internal message-id as those that matched the pattern, which is very handy since any message will take up at least three lines in the log. exigrep will search the entire content of a log entry, not just particular fields.
One can search for messages sent from a particular IP address:
root@localhost# exigrep '<= .* \[12.34.56.78\] ' /path/to/exim_log
Search for messages sent to a particular IP address:
root@localhost# exigrep '=> .* \[12.34.56.78\]' /path/to/exim_log
This example searches for outgoing messages, which have the "=>" symbol, sent to "user@domain.tld". The pipe to grep for the "<=" symbol will match only the lines with information on the sender - the From address, the sender's IP address, the message size, the message ID, and the subject line if you have enabled logging the subject. The purpose of doing such a search is that the desired information is not on the same log line as the string being searched for.
root@localhost# exigrep '=> .*user@domain.tld' /path/to/exim_log | fgrep '<='
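As an added example (not from the original page), the exigrep behaviour described above implemented with awk over constructed mainlog lines so it runs offline: pass one collects the message ids of lines matching the pattern, pass two prints every line carrying those ids, and the last function reproduces the `=> ... | fgrep '<='` pipeline to recover a delivery's sender. The log lines, ids and addresses are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original page: an exigrep-style search done with awk.
# Constructed sample Exim mainlog lines (not real traffic). "<=" = arrival line
# (sender, H=host, [ip], S=size, T=subject when log_selector = +subject),
# "=>" = delivery line, "Completed" = message finished. Field 3 is the message id.
SAMPLE_LOG='2024-01-10 10:00:01 1rNabc-0001Ab-Cd <= alice@example.org H=(mail.example.org) [12.34.56.78] P=esmtp S=1234 T="Quarterly report"
2024-01-10 10:00:02 1rNabc-0001Ab-Cd => bob@example.com R=localuser T=local_delivery
2024-01-10 10:00:02 1rNabc-0001Ab-Cd Completed
2024-01-10 10:05:00 1rNdef-0001Ef-Gh <= carol@example.net H=(smtp.example.net) [198.51.100.7] P=esmtp S=999 T="Hello"
2024-01-10 10:05:01 1rNdef-0001Ef-Gh => user@domain.tld R=lookuphost T=remote_smtp H=mx.domain.tld [203.0.113.5]
2024-01-10 10:05:01 1rNdef-0001Ef-Gh Completed
2024-01-10 10:07:00 SMTP connection from [12.34.56.78] closed by QUIT'

# exigrep_like PATTERN LOGFILE
# The pattern reaches awk through the environment rather than -v, so that
# backslashes such as \[ arrive at the regex engine untouched.
# Pass 1 (NR == FNR): remember the message id of every line matching PATTERN.
# Pass 2: print every line whose id was remembered, so the arrival line, all
# delivery lines and the Completed line of a matched message appear together.
# Lines without a message id (the last sample line) are never printed here.
exigrep_like() {
    EXIGREP_PAT="$1" awk '
        BEGIN { pat = ENVIRON["EXIGREP_PAT"] }
        NR == FNR {
            if ($0 ~ pat && $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/) want[$3] = 1
            next
        }
        ($3 in want) { print }
    ' "$2" "$2"
}

# Write the embedded sample to a temporary file and print its path.
write_sample_log() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    printf '%s\n' "$f"
}

# Number of log lines exigrep_like returns for PATTERN on the sample.
sample_match_count() {
    f=$(write_sample_log) || return 1
    exigrep_like "$1" "$f" | wc -l | tr -d ' '
    rm -f "$f"
}

# The page's recipient search: select the message delivered to RECIPIENT, keep
# its "<=" arrival line, and read the envelope sender from field 5 of that line.
sample_sender_for_recipient() {
    f=$(write_sample_log) || return 1
    exigrep_like "=> .*$1" "$f" | grep -F '<=' | awk '{ print $5 }'
    rm -f "$f"
}
```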
Generate and display Exim stats from a logfile:
root@localhost# eximstats /path/to/exim_mainlog
Same as above, with less verbose output:
root@localhost# eximstats -ne -nr -nt /path/to/exim_mainlog
Same as above, for one particular day:
root@localhost# fgrep YYYY-MM-DD /path/to/exim_mainlog | eximstats
Bonus!
To delete all queued messages containing a certain string in the body:
root@localhost# grep -lr 'a certain string' /var/spool/exim/input/ | \
sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | xargs exim -Mrm
Note that the above only delves into /var/spool/exim in order to grep for queue files with the given string, and that's just because exiqgrep doesn't have a feature to grep the actual bodies of messages. If you are deleting these files directly, YOU ARE DOING IT WRONG! Use the appropriate exim command to properly deal with the queue.
If you have to feed many, many message-ids (such as the output of an `exiqgrep -i` command that returns a lot of matches) to an exim command, you may exhaust the limit of your shell's command line arguments. In that case, pipe the listing of message-ids into xargs to run only a limited number of them at once. For example, to remove thousands of messages sent from joe@example.com (the angle brackets match the sender exactly as the queue listing prints it, so the pattern does not also catch addresses that merely end in joe@example.com):
root@localhost# exiqgrep -i -f '<joe@example.com>' | xargs exim -Mrm
How to enable the "Update Now" button in Cpanel Awstats
Tired of bugging your host to update Cpanel awstats? You can generate and update the stats yourself by clicking the "update now" link at the top of the main page in awstats. You can put this "update now" link in place yourself.
Find out how to change the configuration file for Awstats to re-enable the "update now" button.
Follow these steps:
1. Log in to cPanel
1a. Open File Manager
2. Navigate to /home/username/tmp/awstats/
3. Edit the .conf file (e.g. awstats.yourdomain.com.conf)
4. Look for this line: AllowToUpdateStatsFromBrowser, and set the value to 1 (AllowToUpdateStatsFromBrowser=1)
5. Save the .conf file. When you refresh your statistics page, you will get the "update now" link at the top of the page.
Managing mail queue
If the mail queue holds more than 10000 messages, clients become unable to send mail; the usual first step is to clear out the frozen messages.
exim -bpru | grep frozen | wc -l --- lists the number of frozen messages
exim -bpru | grep frozen | awk '{print $3}' | xargs exim -Mrm --- removes the frozen messages
Then inspect the queue carefully and observe which account is sending the mass mail. Run the following command to delete the mail of that account.
Example:
grep -lr account@yourdomain.com /var/spool/exim/input/* | xargs rm -rf
Do the following to delete mail from a particular domain:
grep -lr domainname.com /var/spool/exim/input/* | xargs rm -rf
Note that these two grep commands delete spool files behind Exim's back; the Bonus section above shows the same search mapped onto exim -Mrm, which lets Exim remove the messages itself.
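The awk '{print $3}' step above and the exiqgrep -i | xargs exim -Mrm pipelines in the Exim section both come down to the same two moves: pick message ids out of a queue listing, then hand them to exim -Mrm in bounded batches. As an added example, not from the original page, the functions below do that over a constructed exim -bp style listing (ids and addresses are sample data), matching the sender exactly as the listing prints it; EXIM_CMD is a hypothetical override, not an Exim feature, so the batching can be exercised without a real Exim.

```shell
#!/bin/sh
# Added example, not from the original page. Constructed "exim -bp" style listing
# (sample data): the first line of each entry is "<age> <size> <message-id> <sender>",
# frozen entries carry "*** frozen ***", and recipients follow on indented lines.
SAMPLE_QUEUE='25m   1.5K 1rNabc-0001Ab-Cd <joe@example.com>
          bob@example.com

 3h    12K 1rNdef-0001Ef-Gh <alice@example.org> *** frozen ***
          carol@example.net

 2d    850 1rNghi-0001Ij-Kl <xjoe@example.com>
          dave@example.org

 4d   2.1K 1rNjkl-0001Mn-Op <> *** frozen ***
          eve@example.net'

# frozen_ids: read a queue listing on stdin and print the id of every frozen
# message (the "grep frozen | awk {print $3}" step from the page).
frozen_ids() {
    awk '/\*\*\* frozen \*\*\*/ { print $3 }'
}

# ids_from_sender SENDER: ids of messages whose envelope sender is exactly SENDER.
# The listing shows the sender as <addr>, so comparing the whole field against
# "<" SENDER ">" cannot also match xjoe@example.com when asked for joe@example.com.
# Pass "" for bounces, whose sender shows as <>.
ids_from_sender() {
    awk -v s="$1" '$4 == ("<" s ">") { print $3 }'
}

# remove_in_batches [N]: feed ids from stdin to "exim -Mrm" at most N (default 500)
# at a time, so a very long id list cannot overflow the command line. -r skips the
# command entirely when there are no ids. EXIM_CMD is a hypothetical override used
# here to dry-run without a real Exim; leave it unset in production.
remove_in_batches() {
    xargs -r -n "${1:-500}" ${EXIM_CMD:-exim -Mrm}
}

# Helpers that run the above over the embedded sample listing.
sample_frozen_ids()      { printf '%s\n' "$SAMPLE_QUEUE" | frozen_ids; }
sample_ids_from_sender() { printf '%s\n' "$SAMPLE_QUEUE" | ids_from_sender "$1"; }
# Number of exim invocations a dry run of "remove all frozen" makes with batch size N.
sample_frozen_batches()  {
    sample_frozen_ids | EXIM_CMD=echo remove_in_batches "$1" | wc -l | tr -d ' '
}
```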
Cannot login to Horde
You have probably seen this issue often: the client cannot log in to his Horde account to check his mail. He reaches the login screen, but clicking "Login" leaves him on the same screen instead of taking him to his inbox. Here is the fix for it.
Check the following first:
1. cd /var/lib/mysql/horde and check whether there is a file named horde_sessionhandler.frm
2. Rename all the files named horde_sessionhandler.* to another name
3. Or you can go into mysql and drop the table "horde_sessionhandler". This sometimes shows an error message; if so, use step 2, which moves the table out of the way. (Remember that if you use step 2, skip step 3.)
4. Now type "mysql" in the shell
5. This takes you to the mysql prompt. Type "use horde;"
6. Copy this command and paste it there:
CREATE TABLE horde_sessionhandler (session_id VARCHAR(32) NOT NULL, session_lastmodified INT NOT NULL, session_data LONGBLOB, PRIMARY KEY (session_id)) ENGINE = InnoDB;
7. Quit mysql and restart mysql.
8. Try now. Your issue is fixed.
Important Vps commands
Following are some important commands which are normally used while working on a Hardware Node.
1) vzlist -a : Shows a list of all the VPSs hosted on the Node.
2) vzctl start VPS_ID : To start the VPS.
3) vzctl stop VPS_ID : To stop (shut down) the VPS.
4) vzctl status VPS_ID : To view the status of the particular VPS.
5) vzctl stop VPS_ID --fast : To stop the VPS quickly and forcefully.
6) vzctl enter VPS_ID : To enter a particular VPS.
Configuration Commands
1) vzctl set VPS_ID --hostname vps.domain.com --save : To set the hostname of a VPS.
2) vzctl set VPS_ID --ipadd 1.2.3.4 --save : To add a new IP to the VPS.
3) vzctl set VPS_ID --ipdel 1.2.3.4 --save : To delete the IP from the VPS.
4) vzctl set VPS_ID --userpasswd root:new_password --save : To reset the root password of a VPS.
5) vzctl set VPS_ID --nameserver 1.2.3.4 --save : To add the nameserver IPs to the VPS.
6) vzctl exec VPS_ID command : To run any command on a VPS from the Node.
7) vzyum VPS_ID install package_name : To install any package/software on a VPS from the Node.
Here VPS_ID refers to the ID of the particular VPS.
Adding Reverse Dns
Adding reverse DNS on a DC's resolvers needs much care and attention; make sure you always go through the right path. Any error there may cause downtime on the resolvers.
In order to add reverse entries, please follow the steps given below:
1. Ensure that the hostname resolves to the IP that the client is requesting prior to inserting the reverse DNS record. This can be done by pinging the hostname.
2. Log in to the resolver server.
3. Edit the correct file for the IP address of the reverse DNS record. For example, if a client requested "please add abc.domain.com -> 205.64.34.142" then we will need to edit the file for c-class 205.64.142.1. The command would be as follows: ee /etc/namedb/master/34.64.205.in-addr.arpa
4. You will then need to insert a reverse DNS entry like: 142 IN PTR abc.domain.com.
5. Once inserted, you need to change the serial number in the file.
6. Save the file, and exit.
7. Reload named to reflect the new changes by executing the command: /etc/rc.d/named reload
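The PTR insertion and the serial bump are the two steps that get botched by hand (a PTR added twice, or a serial left unchanged so secondaries never pick the change up). As an added example, not part of the original page, the shell function below adds the PTR record to a constructed 34.64.205.in-addr.arpa zone fragment and bumps a YYYYMMDDnn serial; it assumes the serial sits on its own line annotated "; serial", and the zone contents and nameserver names are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original page. Constructed zone fragment for
# 34.64.205.in-addr.arpa (sample data; ns1.example.net is a placeholder).
SAMPLE_ZONE='$TTL 86400
@       IN  SOA ns1.example.net. hostmaster.example.net. (
            2024011001 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            86400 )    ; minimum
        IN  NS  ns1.example.net.
10      IN  PTR old.domain.com.
'

# current_serial ZONEFILE: print the serial (first number on the "; serial" line).
current_serial() {
    awk '/; serial/ { print $1; exit }' "$1"
}

# add_ptr ZONEFILE LAST_OCTET HOSTNAME TODAY
#   LAST_OCTET : last octet of the address (142 for 205.64.34.142)
#   HOSTNAME   : PTR target; a trailing dot is added if missing, since an
#                unqualified name would silently get the zone origin appended
#   TODAY      : YYYYMMDD used to build the new serial
# Refuses to add a second PTR for the same octet, then bumps the serial:
# same day -> nn+1, new day -> TODAY01. The zone is rewritten via a temp file.
add_ptr() {
    zone=$1 octet=$2 host=$3 today=$4
    case $octet in
        ''|*[!0-9]*) echo "add_ptr: octet must be numeric" >&2; return 1 ;;
    esac
    [ "$octet" -le 255 ] || { echo "add_ptr: octet out of range" >&2; return 1; }
    case $host in *.) ;; *) host="$host." ;; esac
    if grep -Eq "^$octet[[:space:]]+IN[[:space:]]+PTR" "$zone"; then
        echo "add_ptr: a PTR for $octet already exists in $zone" >&2
        return 1
    fi
    awk -v today="$today" '
        /; serial/ && !done {
            serial = $1
            if (substr(serial, 1, 8) == today) serial = serial + 1
            else serial = today "01"
            sub(/[0-9]+/, serial)      # replace only the number, keep the comment
            done = 1
        }
        { print }
    ' "$zone" > "$zone.tmp" || return 1
    printf '%s\tIN\tPTR\t%s\n' "$octet" "$host" >> "$zone.tmp"
    mv "$zone.tmp" "$zone"
}
```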
Reset Mysql Root Password:
Stop the mysql server:
/etc/init.d/mysql.server stop
Start mysql in safe mode:
/usr/local/mysql/bin/mysqld_safe --user=root --skip-grant-tables --skip-networking &
Now mysql will be running in the background in safe mode. Because --skip-grant-tables disables all authentication, --skip-networking is what keeps the server reachable only through the local socket while you do this. You will be able to log in as root by just using:
mysql -u root
Once you are in, you can use the following commands to reset the root password:
UPDATE mysql.user SET Password=PASSWORD('qwert123') WHERE User='root'; -- here the new password is qwert123
FLUSH PRIVILEGES;
(On MySQL 5.7 and later the Password column and the PASSWORD() function are gone or deprecated; there, run FLUSH PRIVILEGES; first and then ALTER USER 'root'@'localhost' IDENTIFIED BY 'qwert123';)
Now just quit the mysql prompt and try using the new password:
mysql -u root -p
When it asks for the password, provide the new password. It will work.
Some useful commands
mkdir - make directories
Usage
mkdir [OPTION] DIRECTORY
Options
Create the DIRECTORY(ies), if they do not already exist.
Mandatory arguments to long options are mandatory for short options too.
-m, --mode=MODE set permission mode (as in chmod), not rwxrwxrwx - umask
-p, --parents no error if existing, make parent directories as needed
-v, --verbose print a message for each created directory
--help display this help and exit
--version output version information and exit
cd - change directories
Use cd to change directories. Type cd followed by the name of a directory to access that directory. Keep in mind that you are always in a directory and can navigate to directories hierarchically above or below.
mv - change the name of a directory
Type mv followed by the current name of a directory and the new name of the directory.
Ex: mv testdir newnamedir
pwd - print working directory
Shows you the full path to the directory you are currently in. This is very handy, especially when performing some of the other commands on this page.
rmdir - Remove an existing directory
rm -r
Removes directories and files within the directories recursively.
chown - change file owner and group
Usage
chown [OPTION] OWNER[:[GROUP]] FILE
chown [OPTION] :GROUP FILE
chown [OPTION] --reference=RFILE FILE
Options
Change the owner and/or group of each FILE to OWNER and/or GROUP. With --reference, change the owner and group of each FILE to those of RFILE.
-c, --changes like verbose but report only when a change is made
--dereference affect the referent of each symbolic link, rather than the symbolic link itself
-h, --no-dereference affect each symbolic link instead of any referenced file (useful only on systems that can change the ownership of a symlink)
--from=CURRENT_OWNER:CURRENT_GROUP
change the owner and/or group of each file only if its current owner and/or group match those specified here. Either may be omitted, in which case a match is not required for the omitted attribute.
--no-preserve-root do not treat `/' specially (the default)
--preserve-root fail to operate recursively on `/'
-f, --silent, --quiet suppress most error messages
--reference=RFILE use RFILE's owner and group rather than specifying OWNER:GROUP values
-R, --recursive operate on files and directories recursively
-v, --verbose output a diagnostic for every file processed
The following options modify how a hierarchy is traversed when the -R option is also specified. If more than one is specified, only the final one takes effect.
-H if a command line argument is a symbolic link to a directory, traverse it
-L traverse every symbolic link to a directory encountered
-P do not traverse any symbolic links (default)
chmod - change file access permissions
Usage
chmod [-R] permissions filenames
-R Change the permissions of files in the subdirectories of the directory you are currently in (recursive).
permissions Specifies the rights being granted. Below are the different rights you can grant, in symbolic (alphabetic) format.
filenames File or directory that you are associating the rights with.
Permissions
u - User who owns the file.
g - Group that owns the file.
o - Other.
a - All.
r - Read the file.
w - Write or edit the file.
x - Execute or run the file as a program.
Numeric Permissions:
chmod can also be given numeric (octal) permissions; the values below are added together, so 600 means read and write by the owner only:
400 read by owner
040 read by group
004 read by anybody (other)
200 write by owner
020 write by group
002 write by anybody
100 execute by owner
010 execute by group
001 execute by anybody
ls - Short listing of directory contents
-a list hidden files
-d list the name of the current directory
-F show directories with a trailing '/' and executable files with a trailing '*'
-g show group ownership of file in long listing
-i print the inode number of each file
-l long listing giving details about files and directories
-R list all subdirectories encountered
-t sort by time modified instead of name
cp - Copy files
cp myfile yourfile
Copy the files "myfile" to the file "yourfile" in the current working directory. This command will create the file "yourfile" if it doesn't exist. It will normally overwrite it without warning if it exists.
cp -i myfile yourfile
With the "-i" option, if the file "yourfile" exists, you will be prompted before it is overwritten.
cp -i /data/myfile
Copy the file "/data/myfile" to the current working directory and name it "myfile". Prompt before overwriting the file.
cp -dpr srcdir destdir
Copy all files from the directory "srcdir" to the directory "destdir", preserving links (-d option) and file attributes (-p option), and copying recursively (-r option). With these options, a directory and all its contents can be copied to another directory.
ln - Creates a symbolic link to a file.
ln -s test symlink
Creates a symbolic link named symlink that points to the file test. Typing "ls -i test symlink" will show the two files are different with different inodes. Typing "ls -l test symlink" will show that symlink points to the file test.
locate - A fast database driven file locator.
slocate -u
This command builds the slocate database. It will take several minutes to complete. It must be run before searching for files; however, cron runs it periodically on most systems.
locate whereis
Lists all files whose names contain the string "whereis".
more - Allows file contents or piped output to be sent to the screen one page at a time
less - Opposite of the more command
cat - Sends file contents to standard output. This is a way to list the contents of short files to the screen. It works well with piping.
whereis - Report all known instances of a command
wc - Print byte, word, and line counts
bg
bg jobs - Places the current job (or, by using the alternative form, the specified jobs) in the background, suspending its execution so that a new user prompt appears immediately. Use the jobs command to discover the identities of background jobs.
cal month year - Prints a calendar for the specified month of the specified year.
cat files - Prints the contents of the specified files.
clear - Clears the terminal screen.
cmp file1 file2 - Compares two files, reporting all discrepancies. Similar to the diff command, though the output format differs.
diff file1 file2 - Compares two files, reporting all discrepancies. Similar to the cmp command, though the output format differs.
dmesg - Prints the messages resulting from the most recent system boot.
fg
fg jobs - Brings the current job (or the specified jobs) to the foreground.
file files - Determines and prints a description of the type of each specified file.
find path -name pattern -print
Searches the specified path for files with names matching the specified pattern (usually enclosed in single quotes) and prints their names. The find command has many other arguments and functions; see the online documentation.
finger users - Prints descriptions of the specified users.
free - Displays the amount of used and free system memory.
ftp hostname
Opens an FTP connection to the specified host, allowing files to be transferred. The FTP program provides subcommands for accomplishing file transfers; see the online documentation.
head files - Prints the first several lines of each specified file.
ispell files - Checks the spelling of the contents of the specified files.
kill process_ids
kill -signal process_ids
kill -l
Kills the specified processes, sends the specified processes the specified signal (given as a number or name), or prints a list of available signals.
killall program
killall -signal program
Kills all processes that are instances of the specified program or sends the specified signal to all processes that are instances of the specified program.
mail - Launches a simple mail client that permits sending and receiving email messages.
man title
man section title - Prints the specified man page.
ping host - Sends an echo request via TCP/IP to the specified host. A response confirms that the host is operational.
reboot - Reboots the system (requires root privileges).
shutdown minutes
shutdown -r minutes
Shuts down the system after the specified number of minutes elapses (requires root privileges). The -r option causes the system to be rebooted once it has shut down.
sleep time - Causes the command interpreter to pause for the specified number of seconds.
sort files - Sorts the specified files. The command has many useful arguments; see the online documentation.
split file - Splits a file into several smaller files. The command has many arguments; see the online documentation.
sync - Completes all pending input/output operations (requires root privileges).
telnet host - Opens a login session on the specified host.
top - Prints a display of system processes that's continually updated until the user presses the q key.
traceroute host - Uses echo requests to determine and print a network path to the host.
uptime - Prints the system uptime.
w - Prints the current system users.
wall - Prints a message to each user except those who've disabled message reception. Type Ctrl-D to end the message.
Get mysql root password from
If you forgot your mysql root password you can get it from
/root/.my.cnf
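As an added example (not from these notes), a small Python check that ties the numeric permission table above to the /root/.my.cnf credentials file: it decodes a mode into the table's entries and reports when a file holding the MySQL root password is readable or writable by anyone other than its owner, or is not owned by the expected uid. The path and expected uid are parameters; the demo uses a constructed temporary file rather than the real /root/.my.cnf.

```python
import os
import stat
import tempfile

# Octal permission bits exactly as listed in the chmod table above.
PERMISSION_BITS = [
    (0o400, "read by owner"),
    (0o040, "read by group"),
    (0o004, "read by anybody (other)"),
    (0o200, "write by owner"),
    (0o020, "write by group"),
    (0o002, "write by anybody"),
    (0o100, "execute by owner"),
    (0o010, "execute by group"),
    (0o001, "execute by anybody"),
]


def describe_mode(mode):
    """Decode a numeric mode (e.g. 0o644) into the table's entries, in table order."""
    bits = stat.S_IMODE(mode)
    return [desc for value, desc in PERMISSION_BITS if bits & value]


def check_credentials_file(path, expected_uid=0):
    """Return findings for a credentials file such as /root/.my.cnf.

    A file holding the MySQL root password should be owned by the expected
    user (root, uid 0 by default) and carry mode 600: any group or other bit
    lets another local account read or alter the password.
    """
    st = os.stat(path)
    findings = []
    if st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected uid %d" % (st.st_uid, expected_uid))
    mode = stat.S_IMODE(st.st_mode)
    for value, desc in PERMISSION_BITS:
        if value & 0o077 and mode & value:  # only group/other bits are a finding
            findings.append("too permissive: %s" % desc)
    return findings


def demo():
    """Constructed example: a temporary file standing in for /root/.my.cnf."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)  # a common mode after a careless copy
        before = check_credentials_file(path, expected_uid=os.getuid())
        os.chmod(path, 0o600)  # equivalent of: chmod 600 /root/.my.cnf
        after = check_credentials_file(path, expected_uid=os.getuid())
        return before, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    before, after = demo()
    print("mode 644:", before)
    print("mode 600:", after)
```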
Some useful Mysql Queries
Mysql query to delete a user
mysql> delete from mysql.user where user='username';
mysql> FLUSH PRIVILEGES;
Setting Privileges
grant all privileges on DB.* to 'username'@'localhost' identified by 'pass';
SET PASSWORD FOR 'username'@'localhost' = OLD_PASSWORD('passwd');
To see Tables:
mysql> use DB;
mysql> show tables;
To see fields
mysql> desc tablename;
To View The contents of the table
mysql> select * from tablename;
UPDATE Query
mysql> update tablename set column='value' where condition;