Tuesday, May 10, 2011

How to harden mysql server

Hardening mysql

First of all, before doing anything, take a backup of the configuration file.
cp /etc/my.cnf{,.orig}
vi /etc/my.cnf

[mysqld]
skip-locking
key_buffer = 384M
max_allowed_packet = 1M
max_connections = 500
max_user_connections = 35
wait_timeout=40
connect_timeout=10
table_cache = 512
sort_buffer_size = 2M
read_buffer_size = 2M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size = 32M
thread_concurrency = 8
server-id = 1

[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash

[myisamchk]
key_buffer = 256M
sort_buffer_size = 256M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout

Save the file.

killall -9 mysqld safe_mysqld mysqld_safe 2>/dev/null
pkill -9 mysql
pkill -9 mysqld

Restart mysql service.
/etc/init.d/mysql restart
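As an added example (not from the original post), here is a small bash helper for the edit-and-restart step above: it reads settings back out of a my.cnf, so you can confirm the limits you set in [mysqld] are really there before restarting, and it takes the backup only once so a second run never overwrites the pristine copy. It assumes only bash, awk and cp; the function and option names are this example's own.

```bash
#!/bin/bash
# Added example (not from the original post): verify a my.cnf before restarting mysqld.
set -eu

# mycnf_get FILE SECTION KEY
# Prints the value of KEY in [SECTION]. Bare flags such as "skip-locking" print "on".
# Exits 1 when the key is absent. "-" and "_" are equivalent in option names, as in MySQL.
mycnf_get() {
    local file=$1 section=$2 key=$3
    awk -v s="$section" -v k="$key" '
      function norm(x) { gsub(/-/, "_", x); return x }
      BEGIN { want = norm(k) }
      /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                       # comments and blank lines
      /^[ \t]*\[/ { cur = $0; gsub(/[][ \t]/, "", cur); next }   # [section] header
      cur == s {
        line = $0; sub(/[ \t]*#.*$/, "", line)                   # strip trailing comment
        n = index(line, "=")
        name = (n ? substr(line, 1, n - 1) : line); gsub(/[ \t]/, "", name)
        if (norm(name) != want) next
        if (!n) { print "on" } else {
          val = substr(line, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", val); print val
        }
        found = 1; exit
      }
      END { exit !found }
    ' "$file"
}

# mycnf_check_limits FILE: print "ok" when the connection limits from the post are all
# present in [mysqld]; otherwise name the missing ones on stderr and return 1.
mycnf_check_limits() {
    local file=$1 k missing=""
    for k in max_connections max_user_connections wait_timeout connect_timeout; do
        mycnf_get "$file" mysqld "$k" >/dev/null || missing="$missing $k"
    done
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "missing in [mysqld]:$missing" >&2
    return 1
}

# backup_once FILE: copy FILE to FILE.orig only if no backup exists yet (the post's
# cp /etc/my.cnf{,.orig} would silently overwrite an earlier backup on a second run).
backup_once() {
    [ -e "$1.orig" ] || cp -p -- "$1" "$1.orig"
}

# usage: ./check_mycnf.sh /etc/my.cnf   (hypothetical script name)
if [ $# -ge 1 ]; then
    backup_once "$1"
    mycnf_check_limits "$1"
fi
```

Run it against /etc/my.cnf after saving the file and before the restart; if it reports a missing limit, the typo is in the config and not in the running server.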

How to install pptpd on vpn openvz linux vps

The following post explains how to set up, install and configure a pptpd VPN on a CentOS Linux VPS created on an OpenVZ server node.

On the OpenVZ node machine:
Enable these modules.

modprobe ppp_mppe
modprobe ppp_deflate
modprobe zlib_deflate
modprobe ppp_async
modprobe ppp_generic
modprobe slhc
modprobe crc_ccitt

[root@me ~]# lsmod | grep ppp
ppp_mppe 39816 0
ppp_deflate 39168 0
zlib_deflate 52760 1 ppp_deflate
ppp_async 45056 0
ppp_generic 63632 4 ppp_mppe,ppp_deflate,ppp_async
slhc 39680 1 ppp_generic
crc_ccitt 35200 1 ppp_async

Creating and enabling PPP for the VPS:
Replace VEnumber with your VPS id and execute the following commands on the OpenVZ server.

vzctl set [VEnumber] --features ppp:on --save
vzctl start [VEnumber]
vzctl set [VEnumber] --devices c:108:0:rw --save
vzctl exec [VEnumber] mknod /dev/ppp c 108 0
vzctl exec [VEnumber] chmod 600 /dev/ppp

Checking the module [after installing pptpd]:
/usr/sbin/pppd
You should see output like
~?}#?!}!}!} }4}"}&} } } } }%}&)Q?}4}'}"}(}"p})
Now that's done.

On the OpenVZ VPS:
Install pptpd:

Use the sourceforge repo to install pptpd
#yum install pptpd

Configure your network
# vi /etc/pptpd.conf
remoteip 192.168.0.234-238,192.168.0.245

Set DNS for internet access; otherwise the VPN clients won't have access to the internet.
#vi /etc/ppp/pptpd-options

ms-dns 8.8.8.8
ms-dns 8.8.4.4


iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o venet0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables

Now start the pptpd service


/etc/init.d/pptpd start

Add users :
[root@me ]# vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
vpn1 pptpd cyiefdxYn *
[root@me ]#

Username is: vpn1
Password is: cyiefdxYn

Now restart the pptpd service.
/etc/init.d/pptpd restart

That's it.
You can check the logs while connecting to this server with

tail -f /var/log/messages

Monday, May 9, 2011

Error : Unable to open pty: No such file or directory

You may get an error while entering an OpenVZ VPS. You also can't ssh to the VPS from outside.
Error:
vzctl enter 1022
enter into VE 1022 failed
Unable to open pty: No such file or directory


1. If it is a Red Hat based system such as CentOS, the solution is
vzctl exec VEID /sbin/MAKEDEV pty
vzctl exec VEID /sbin/MAKEDEV tty

vzctl enter VEID


To fix this issue permanently, edit the file /etc/rc.sysinit of the VPS and comment out the line
/sbin/start_udev
so that it reads
#/sbin/start_udev
Then add the following lines after it:
/sbin/MAKEDEV tty
/sbin/MAKEDEV pty




2. If it is a Debian system
vzctl exec veid update-rc.d -f udev remove
vzctl restart veid

How to create users in pptpd vpn

Open the chap-secrets file using your favorite editor and give the username and password as follows.

[root@me]# vi /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
user1 pptpd abc123 *

The fourth column lists the IP addresses the client may use; "*" allows any. If the column is left out, pppd treats all addresses as disallowed and the connection fails after authentication.

Save the file and restart the pptpd service.
[root@me]# /etc/init.d/pptpd restart
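The chap-secrets edits above and in the "Add users" step of the pptpd install post are easy to get subtly wrong (a weak secret, a forgotten "*" column, a world-readable file). As an added example that is not part of either post, here is a bash helper that appends an entry in the exact format shown, generates the secret, refuses duplicate usernames and keeps the file at mode 600. It assumes bash, awk, tr and /dev/urandom; the file path is a parameter so it can be tried on a scratch copy before touching /etc/ppp/chap-secrets. Function names are this example's own.

```bash
#!/bin/bash
# Added example (not from the original posts): manage pptpd users in a chap-secrets file.
set -eu

# gen_secret: 16 characters from [A-Za-z0-9], an alphabet chap-secrets needs no quoting for.
gen_secret() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16
}

# add_vpn_user FILE USER [SECRET]
# Appends "USER pptpd SECRET *" to FILE. The "*" column allows any client IP, which pptpd
# needs because it hands out the address itself from the remoteip pool. Refuses duplicate
# usernames, keeps the file at mode 600 because it holds cleartext secrets, and prints the
# secret that was set so it can be handed to the user.
add_vpn_user() {
    local file=$1 user=$2 secret=${3:-$(gen_secret)}
    case $user in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid username: '$user'" >&2; return 2 ;;
    esac
    if [ -f "$file" ] && awk -v u="$user" '$1 == u && $2 == "pptpd" { f = 1 } END { exit !f }' "$file"; then
        echo "user $user already exists in $file" >&2
        return 1
    fi
    if [ ! -f "$file" ]; then
        printf '# Secrets for authentication using CHAP\n# client server secret IP addresses\n' > "$file"
    fi
    printf '%s pptpd %s *\n' "$user" "$secret" >> "$file"
    chmod 600 "$file"
    printf '%s\n' "$secret"
}

# list_vpn_users FILE: print the usernames that can authenticate against server "pptpd".
list_vpn_users() {
    awk '!/^[ \t]*#/ && $2 == "pptpd" { print $1 }' "$1"
}

# usage: ./vpnuser.sh /etc/ppp/chap-secrets vpn3   (hypothetical script name)
if [ $# -ge 2 ]; then
    add_vpn_user "$@"
fi
```

After adding a user, restart pptpd as the post describes. The generated secret is printed once; it is not stored anywhere except the chap-secrets file itself.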

Friday, May 6, 2011

How to disable telnet server in linux

This is a small script to disable the telnet server on CentOS Linux. It will work on other Red Hat distros also.

# only act if telnet is managed by xinetd on this box
if [ -e /etc/xinetd.d/telnet ]
then
    # turn "disable = no" into "disable = yes", then reload xinetd
    sed -i 's/disable.*/disable = yes/' /etc/xinetd.d/telnet
    service xinetd restart
fi

Copy and run this in a terminal. That's it. Have fun.
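The one-liner above assumes the telnet file already contains a "disable" line; a service file without one is enabled by xinetd's default, and the sed would leave it enabled. As an added example that is not part of the post, here is a bash version that works for any xinetd service, inserts the "disable = yes" line before the closing brace when none exists, and lists what is still enabled so you can confirm the result. It assumes bash, awk and grep; the directory is a parameter so it can be tried on a copy of /etc/xinetd.d. Function names are this example's own.

```bash
#!/bin/bash
# Added example (not from the original post): disable and audit xinetd services.
set -eu

# enabled_xinetd_services [DIR]: print the service files under DIR that do not say "disable = yes"
enabled_xinetd_services() {
    local dir=${1:-/etc/xinetd.d} f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f" || basename "$f"
    done
}

# disable_xinetd_service NAME [DIR]: set "disable = yes" in DIR/NAME, inserting the line
# before the closing brace when the file has none. Returns 1 if there is no such file.
disable_xinetd_service() {
    local name=$1 dir=${2:-/etc/xinetd.d} f
    f=$dir/$name
    if [ ! -f "$f" ]; then
        echo "no xinetd config for $name in $dir" >&2
        return 1
    fi
    awk '
      /^[ \t]*disable[ \t]*=/ { match($0, /^[ \t]*/); $0 = substr($0, 1, RLENGTH) "disable = yes"; seen = 1 }
      /^[ \t]*}[ \t]*$/ && !seen { print "\tdisable = yes"; seen = 1 }
      { print }
    ' "$f" > "$f.tmp"
    cat "$f.tmp" > "$f"      # write back in place so owner and mode are preserved
    rm -f "$f.tmp"
}

# usage: ./xinetd-disable.sh telnet   (hypothetical script name; restarts xinetd like the post)
if [ $# -ge 1 ]; then
    disable_xinetd_service "$1" && service xinetd restart
fi
```

Running enabled_xinetd_services with no argument before and after gives a quick before/after view of what xinetd will still start.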

How to set chattr attribute on a file

The following post explains how to set chattr attributes on a file.
root@me [~]# chattr +i /etc/fstab
root@me [~]# lsattr /etc/fstab
----i--A----- /etc/fstab
root@me [~]# chattr -i /etc/fstab

root@me [~]# lsattr /etc/fstab
-------A----- /etc/fstab
root@me [~]#
The letters "acdijsuADST" select the new attributes for the files: append only (a), compressed (c), no dump (d), immutable (i), data journalling (j), secure deletion (s), no tail-merging (t), undeletable (u), no atime updates (A), synchronous directory updates (D), synchronous updates (S), and top of directory hierarchy (T).
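The flip side of setting +i or +a is knowing which files on a box already carry them, since an attacker who gets root can use the same flags to pin a modified binary or config in place. As an added example that is not part of the post, here is a bash helper that reads lsattr output (the same column format shown above) and reports entries that are immutable or append-only. It assumes bash, awk and lsattr on an ext filesystem; the parser itself runs on any lsattr text, and the function names are this example's own.

```bash
#!/bin/bash
# Added example (not from the original post): audit chattr flags from lsattr output.
set -eu

# lsattr_flags: read lsattr(1) output on stdin and print "FLAGS<TAB>PATH" for entries
# carrying i (immutable) and/or a (append-only). The first field is the attribute column;
# everything after the first space is the path, so paths containing spaces are kept whole.
# "dir:" headers and blank lines from lsattr -R have fewer than two fields and are skipped.
lsattr_flags() {
    awk '
      NF >= 2 {
        attrs = $1
        path = $0
        sub(/^[^ ]+ /, "", path)
        set = ""
        if (index(attrs, "i")) set = set "i"
        if (index(attrs, "a")) set = set "a"
        if (set != "") printf "%s\t%s\n", set, path
      }'
}

# is_immutable PATH: exit 0 when lsattr reports the i flag on PATH.
is_immutable() {
    lsattr -d -- "$1" 2>/dev/null | lsattr_flags | grep -q '^i'
}

# usage: ./lsattr-audit.sh /etc /usr/bin   (hypothetical script name)
if [ $# -ge 1 ]; then
    lsattr -R -- "$@" 2>/dev/null | lsattr_flags
fi
```

Compare the report against the list of files you pinned on purpose (like /etc/fstab above); anything else with the i or a flag deserves a look.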