Apache vs SELinux 25 September 2006Posted by Maulvi Bakar in : Linux,Work , add a comment
Towards the end of the working week, I receive a request from a colleague to have access to the ftp account folder via http. The guy is on site in a foreign country and it seems that his net access is being regulated (read – no ftp).
Now that seems reasonable, considering I was not in the office for the whole week due to an extended training/seminar that I am attending. Luckily I thought, since the training premises gave me access to wifi internet -whee!!
Here I am thinking I can solve it in the next few minutes!
I have a folder in the /home directory – “/home/thefolder“. I thought a simple settings as below in httpd.conf is enough -
Alias /thefolder "/home/thefolder/"
Options MultiViews Indexes Includes FollowSymLinks
Allow from all
AuthName "The Folder Authentication"
Require user theaccount
I keep getting 403 – Forbidden errors. Checked the permissions, double-checked it, even making it 777 – world-readable! FAIL!
I felt like screaming!
/var/log/httpd/error_log shows access is denied, even with 777 – world readable!
I felt some suspicions, the SELinux thingy began to smell fishy. Cursory examinations of the /var/log/messages logs shows some clues – Bleagh!
The analogy is like this -
Someone who does not have permission to a certain facility but has been given one, will still not be given access. That is what SELinux is all about.
Basically, it is Linux’s Last Line of Defence.
Read all about it and it’s relations to Apache here!
OpenBSD – Reloading pf.conf 18 September 2006Posted by Maulvi Bakar in : Unix,Work , add a comment
OpenBSD, world most secure OS. Also one of the most User-Hostile ones. Now, I needed to reload the firewall rules. Modified some settings in the /etc/pf.conf and this is how did it to reload the ruleset -
$ pfctl -f /etc/pf.conf
This will reload the ruleset plainly from the file specified. The -R flag only loads the filtering rules. -N only loads the NAT rules. Should there be need to reload just the filtering and/or NAT rules, just use the appropriate options.
Ubuntu Linux – Root Account 17 September 2006Posted by Maulvi Bakar in : Home,Linux , 1 comment so far
I like Ubuntu Linux, always have.Â Nice features, fairly comprehensive repositories for softwares.Â The only thing that bugs the hell out of me is the non-existance of the root account.Â Anytime you want to do something, it’s sudo this, and sudo that…
Well, this is how I did it -
sudo passwd root
I can now either use su to change to root, or even login as root..
Detached process with wget 8 September 2006Posted by Maulvi Bakar in : Linux,Work , add a comment
Now, this is the umpteenth time I tried to post this. Problem with my webhoster’s security settings. It’s the infamous 406 Not Acceptable error!
Anyway, I need to download a fairly large file on my server which I accessed it remotely via ssh. Problem is that I can’t wait while it finishes the download. I need to close the session and get some real work done somewhere else (Hey the laptop battery might expire on me)
This is how I do it -
# (wget -o logfile http://www.example.com/dl_file.gz &)
The “wget -o logfile” parameter will allow you to monitor the download progress in real time. Just tail the logfile -
# tail -f ./logfile
You can also monitor the process thus -
# ps -ef | grep wget
This one will show you all the wget processes that you have detached, including information of what file is currently being downloaded complete with the url and logfiles.
Probably you’ll want to assign a different log file name for each of the detached process
-ps Much appreciation to Alexander B. of my WebHost for assisting in that pesky 406 error.
IBM DB2 Certification 5 September 2006Posted by Maulvi Bakar in : Work , add a comment
We need to deploy an IBM Websphere Portal.Â One of the requirements is a database backend.Â It was decided to install IBM DB2.Â While I’m whittling away the time awating the completion of the installation, I come across this particular info.Â It is just a basic paper, but..Â Since it is quite affordable at RM228 at Thomson Prometric, well..
Passive FTP and IPTables 4 September 2006Posted by Maulvi Bakar in : Linux,Work , add a comment
Had to configure an FTP server at work. For reasons best left for discussion in a later undetermined future date, we put the FTP server outside the firewall. Therefore, the machine in question needs to be protected by it own built-in firewall.
IPTables to the rescue.
There’s a snag. The default IP connection tracking doesn’t seem to work properly. IPTables rules below suggest that stateful inspection would do IP connection tracking as well, apparently not-
-A RH-Firewall-1-INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 21 -j ACCEPT
Seems that the “ip_conntrack_ftp” needed to be loaded separately in order to enable it.
That should do the trick… but to have IPTables load it automatically, edit the file “/etc/sysconfig/iptables-config”
Add the following into it -