Dustin Larmeir's tech blog.
Archive for December, 2008
APF removal howto and script for CentOS/RedHat
Dec 27th
If you have ever worked with APF you know that this firewall needs to be completely removed to avoid any issues. I have written a small script to clean this firewall out of any CentOS/RedHat system, and it is available here: http://larmeir.com/downloads/apfremove.sh
Below is the source of the script:
# flush the APF rules, then stop iptables
apf -f
/etc/init.d/iptables stop
# remove the APF configuration, daily cron job, binary and init script
rm -rf /etc/apf
rm -rf /etc/cron.daily/fw
rm -rf /usr/local/sbin/apf
rm /etc/init.d/apf
# deregister the service (note the two dashes in --del)
chkconfig --del apf
Hopefully this will be of some use to someone out there.
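As an added check that is not part of the original script, the function below confirms nothing APF-related survived the removal; the optional ROOT argument lets it run against a mounted or staged tree, and /var/log/apf_log is assumed from a stock APF install.

```shell
#!/bin/sh
# Added example, not the script from the post: after running the removal
# commands above, confirm nothing APF-related survived. ROOT is optional
# and lets the check run against a mounted or staged tree instead of /.
# Prints every leftover path; exit status 0 when clean, 1 otherwise.
apf_leftovers() {
    root="${1:-}"
    root="${root%/}"    # strip a trailing slash so "$root$p" stays clean
    rc=0
    # The paths the removal script deletes, plus APF's default log file
    # (/var/log/apf_log is assumed from a stock install; adjust if moved).
    for p in /etc/apf /etc/cron.daily/fw /usr/local/sbin/apf \
             /etc/init.d/apf /var/log/apf_log; do
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf '%s\n' "$root$p"
            rc=1
        fi
    done
    # "chkconfig --del apf" removes the rcN.d symlinks; report any that
    # were left behind (a dangling symlink fails -e but passes -L).
    for link in "$root"/etc/rc*.d/*apf*; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        printf '%s\n' "$link"
        rc=1
    done
    return $rc
}

# Usage: apf_leftovers            # live system
#        apf_leftovers /mnt/root  # another root filesystem
```

Remember that after `apf -f` and `/etc/init.d/iptables stop` the host has no packet filter at all until you load a replacement ruleset.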
How to install a grsec-enabled kernel on Red Hat 5.2 ES
Dec 27th
Per http://en.wikipedia.org/wiki/Grsec – grsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security. Its typical application is in web servers and systems that accept remote connections from untrusted locations, such as systems offering shell access to their users.
Notes from my GRSEC kernel installation.
cd into your /usr/src directory
cd /usr/src/
Download the kernel source from kernel.org
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.5.tar.bz2
Extract the kernel archive
tar jxvf linux-2.6.24.5.tar.bz2
Get the latest grsec security patch
wget http://www.grsecurity.net/grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz
Extract the patch
gunzip grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz
Apply the patch to the kernel (the patch is relative to /usr/src, so feed it on stdin with -p0)
patch -p0 < grsecurity-2.1.11-2.6.24.5-200804211829.patch
cd into the kernel directory
cd /usr/src/linux-2.6.24.5
Get the kernel source prepared
make clean
make mrproper
Create the .config with menuconfig
make menuconfig
Note: if you are reusing an old .config file, copy it to /usr/src/linux-2.6.24.5 and do the following instead:
make oldconfig
Ensure all the proper kernel options and modules are selected.
People commonly forget iptables support, don't forget about this! USB support is also important if you are hosted with a dedicated hosting provider. You can find the grsec options under Security options, and iptables support under Networking -> Network packet filtering.
Compile the kernel
make
Install the kernel modules
make modules_install
Install the kernel
make install
Setup the grub.conf
Your entry should look something like this
title Red Hat Enterprise Linux Server (2.6.24.5-grsec)
root (hd0,0)
kernel /vmlinuz-2.6.24.5-grsec ro root=LABEL=/ console=tty0 console=ttyS1,19200n8
initrd /initrd-2.6.24.5-grsec.img
Reboot the server.
If you have a remote console or KVM service like those provided by SoftLayer, this is the time to use it. If the kernel was compiled incorrectly or anything else goes wrong, the result can be a kernel panic that takes the server offline. If your provider does not offer these features, have a local tech reboot it and, if it fails, have them boot you back into your original kernel.
This howto is 100% working, tested and accurate.
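The check below is an added example, not part of the original howto: run it on the .config before the make step to confirm the options the post warns people forget are actually enabled. The option names are assumed from 2.6.24-era Kconfig symbols; extend the list for your hardware.

```shell
#!/bin/sh
# Added example, not from the original howto: before the "make" step,
# confirm that the .config produced by menuconfig/oldconfig really
# enables the options the post says people forget. The option list is
# an assumption based on 2.6.24-era Kconfig names; extend it as needed.
# Usage: check_kernel_config /usr/src/linux-2.6.24.5/.config
# Prints each disabled option; exit status 0 if all are on, 1 otherwise.
check_kernel_config() {
    cfg="$1"
    rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }
    # CONFIG_GRKERNSEC: the grsecurity switch under Security options.
    # CONFIG_NETFILTER / CONFIG_IP_NF_IPTABLES: iptables support under
    #   Networking -> Network packet filtering.
    # CONFIG_USB: keyboards and KVMs attached by a hosting provider.
    for opt in CONFIG_GRKERNSEC CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES \
               CONFIG_USB; do
        # Built-in (=y) or module (=m) both count as enabled; a missing
        # line or "# CONFIG_X is not set" counts as disabled.
        if ! grep -q "^${opt}=[ym]\$" "$cfg"; then
            printf 'disabled: %s\n' "$opt"
            rc=1
        fi
    done
    return $rc
}
```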
Lighttpd, a HowTo for Debian Etch 4.0 plus extras
Dec 27th
This weekend I took an old box lying around the house and installed Debian Etch 4.0 on it. Here is a rundown of notes from the installation as well as some configuration I performed on it. Hopefully some of this will help those of you out there trying to figure out this awesome, fast web server.
1. Installation of lighttpd, php5 cgi with apt
apt-get install -y lighttpd php5-cgi
2. Configuring the lighttpd.conf
vi /etc/lighttpd/lighttpd.conf
Look for the area called server modules, which is at the top, and ensure "mod_fastcgi" and "mod_auth" are both added. mod_fastcgi enables PHP functionality and mod_auth enables .htaccess-style password protection.
server.modules = (
    "mod_access",
    "mod_auth",
    "mod_alias",
    "mod_accesslog",
    "mod_fastcgi",
#   "mod_rewrite",
#   "mod_redirect",
#   "mod_status",
#   "mod_evhost",
#   "mod_compress",
#   "mod_usertrack",
#   "mod_rrdtool",
#   "mod_webdav",
#   "mod_expire",
#   "mod_flv_streaming",
#   "mod_evasive"
)
At the very end of the file, add the following configuration directive, which tells lighttpd where to find the PHP CGI binary and which socket to use:
fastcgi.server = ( ".php" => (( "bin-path" => "/usr/bin/php5-cgi",
                                "socket" => "/tmp/php.socket"
                             )))
3. Configuring the php.ini file
All we need to do now is add a configuration directive to the php.ini file.
vi /etc/php5/cgi/php.ini and add this line to the very end of the file:
cgi.fix_pathinfo = 1
4. Testing the lighttpd.conf for errors
lighttpd -t -f /etc/lighttpd/lighttpd.conf
5. Restarting lighttpd
/etc/init.d/lighttpd restart
6. Adding an SSL vhost with a self-signed cert
Generating a self-signed cert example (the key and certificate end up together in server.pem, which is what lighttpd's ssl.pemfile expects)
mkdir -p /etc/lighttpd/ssl/yourdomain.com
cd /etc/lighttpd/ssl/yourdomain.com
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# the file holds the private key: keep the directory and its contents readable by root only
chmod -R go-rwx /etc/lighttpd/ssl/yourdomain.com
Creating a vhost with SSL support
vi /etc/lighttpd/lighttpd.conf
vhost with SSL support example below:
$SERVER["socket"] == "192.168.1.8:443" {
    server.document-root = "/netshare"
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/yourdomain.com/server.pem"
}
7. Adding .htaccess protection
Assuming mod_auth is enabled, you can create a directory configuration with .htaccess-style protection:
Example password-protected vhost
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/yourhtpasswddirectory/.htpasswd"
auth.require = ( "/yourpasswordprotecteddirectory" =>
    (
        "method" => "basic",
        "realm" => "Access Denied!",
        "require" => "valid-user"
    )
)
The .htaccess works the same as a regular Apache .htaccess. You can either use htpasswd -c to create the password file or an online generator such as http://www.webmaster-toolkit.com/htaccess-generator.shtml for this purpose. I hope these examples help people. – Dustin
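As an added pre-flight check that is not part of the original post, the function below inspects the server.pem produced in step 6 before you point ssl.pemfile at it and restart: it must contain both the private key and the certificate, and no group/other permission bits may be set.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the
# combined key+cert file that "openssl req ... -keyout server.pem -out
# server.pem" produces before pointing ssl.pemfile at it.
# Usage: check_pemfile /etc/lighttpd/ssl/yourdomain.com/server.pem
# Exit 0 when the file looks usable, 1 otherwise (reasons on stdout).
check_pemfile() {
    pem="$1"
    rc=0
    if [ ! -f "$pem" ]; then
        echo "no such file: $pem"
        return 1
    fi
    # lighttpd's ssl.pemfile wants the private key and the certificate
    # in one file; writing -keyout and -out to the same path does that.
    grep -q 'BEGIN .*PRIVATE KEY' "$pem" || { echo "no private key in $pem"; rc=1; }
    grep -q 'BEGIN CERTIFICATE' "$pem"   || { echo "no certificate in $pem"; rc=1; }
    # The file holds the private key, so group and other must have no
    # bits at all. Columns 5-10 of "ls -l" are the group/other bits.
    mode=$(ls -ld "$pem" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "group/other can read $pem (mode $mode)"; rc=1; }
    return $rc
}
```

Run `lighttpd -t -f /etc/lighttpd/lighttpd.conf` (step 4) after this passes, since the syntax check does not inspect the contents or permissions of the pem file.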