Tipsheet

Tips and tricks...

Sendmail tips

  1. Backup files:
       /etc/mail/sendmail.mc
       /etc/mail/sendmail.cf
       /etc/mail/access
       /etc/mail/access.db
       /etc/aliases
  2. These changes go in the /etc/mail/sendmail.mc file:

    Security enhancements:

    • Require a HELO or EHLO greeting from the sending SMTP server.
    • Put limits on Sendmail forks and other settings to stop a DOS attack from overwhelming server.
    • Munge the Sendmail server identification.
    • Recipient throttle to identify when an envelope arrives with more than 4 invalid users, presuming that this is a dictionary attack.
    • Limit the number of recipients in a single message.

    dnl #
    dnl #start security mods
    define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun,needmailhelo')dnl
    define(`confMAX_DAEMON_CHILDREN',20)dnl
    define(`confSMTP_LOGIN_MSG',$j Sendmail; $b)dnl
    define(`confMIN_FREE_BLOCKS', `4000')dnl
    define(`confMAX_HEADERS_LENGTH', `32000')dnl
    define(`confMAX_MIME_HEADER_LENGTH', `1024')dnl
    define(`confBAD_RCPT_THROTTLE',`4')dnl
    define(`confMAX_RCPTS_PER_MESSAGE', `10')
    dnl #end security mods
    dnl #

    Enable DNS BlockLists:

    dnl #
    dnl # Begin Spam Block Enhancement mod
    dnl # Start BlockList
    FEATURE(`dnsbl', `bl.spamcop.net', `"554 Spam blocked - see http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
    FEATURE(`dnsbl', `zen.spamhaus.org', `"554 Rejected - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}')dnl
    dnl # sorbs dynamic user list ( not dial up )
    FEATURE(`dnsbl', `dul.dnsbl.sorbs.net', `"554 Rejected "$&{client_addr}" - see http://dnsbl.sorbs.net"')dnl
    dnl # End BlockList
    dnl # Start dont bounce errors back to me
    define(`confDOUBLE_BOUNCE_ADDRESS', `dev-null')dnl
    dnl # End dont bounce
    dnl # Start delay checks, so we see the intended recipient
    dnl # Added friend so we can exempt specified local user via access file
    FEATURE(`delay_checks',`friend')dnl
    dnl # End delay checks
    dnl # End Spam Block Enhancement mod
    dnl #

    All of the above should go before the line:

    FEATURE(`blacklist_recipients')dnl

    Notes:

    The above Double Bounce Address throws the double bounces into the bit bucket.

    The delay_checks feature causes it to log the sender from address and other info, when it rejects spam.

  3. Create an alias in "/etc/aliases" called dev-null and point it to "/dev/null":

    dev-null: /dev/null

  4. In file "/etc/mail/access", enter:

    Connect:xxx.xxx.xxx.xxx OK

    where xxx.xxx.xxx.xxx is the server IP. This keeps you from blocking yourself, if you happen to get listed in one of the blocklists used!

  5. To apply the configurations, run:

    # newaliases
    # makemap hash /etc/mail/access.db < /etc/mail/access
    # m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
    # /sbin/service sendmail restart

makedepend on CentOS

Recently I've had to provide a developer with the makedep tool. It is available via imake rpm. However, it is deprecated and when installing automake and autoconf, it should automatically get installed as it is a required package by autoconf.

Metadata file does not match checksum

If getting the error "Metadata file does not match checksum", try running `

# yum clean metadata

`yum clean all` should also resolve the issue if the metadata fails.

Get a count of files/folder in a directory

$ ls -A1 /path/to/folder | wc -l

Lists out the files in a directory including hidden files in a single-column format and pipes it through a line count via wc.

GalleryRemote on Ubuntu Edgy 6.10

Gallery Remote install kept erroing out with:

Preparing to install...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...
nawk: error while loading shared libraries: libdl.so.2: cannot open shared object file: No such file or directory
dirname: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
/bin/ls: error while loading shared libraries: librt.so.1: cannot open shared object file: No such file or directory
basename: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
dirname: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
basename: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
hostname: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory

Launching installer...

grep: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
/usr/local/java/bin/java: error while loading shared libraries: libpthread.so.0: cannot open shared object file: No such file or directory

The way around the error was to comment out the assumed kernel.

$ cp GalleryRemote.1.5.Linux.NoVM.bin GalleryRemote.1.5.Linux.NoVM.bin.bak
$ cat GalleryRemote.1.5.Linux.NoVM.bin.bak | \
  sed "s/export LD_ASSUME_KERNEL/#xport LD_ASSUME_KERNEL/" > GalleryRemote.1.5.Linux.NoVM.bin

Once installed Gallery Remote would not run and I had run the same hack for the Gallery_Remote launcher script as well.

$ cp Gallery_Remote Gallery_Remote.bak
$ cat Gallery_Remote.bak | \
  sed "s/export LD_ASSUME_KERNEL/#xport LD_ASSUME_KERNEL/" > Gallery_Remote

services that are not necessary on a web server

These are some services I would normally turn off on web servers.
NOTE: usage may vary.

  1. gpm -- mouse
  2. mdmonitor -- monitor raid devices
  3. netfs -- nfs, samba etc...
  4. autofs -- automount, nfs, cd etc...
  5. kudzu -- detect new hardware
  6. restorecond -- monitor selinux file context
  7. mcstrans -- mandatory access control selinux translation
  8. messagebus -- routes messages between applications
  9. haldaemon -- maintains database of devices connected

There may be more, but if you've cleaned up your rpm packages, it would probably not exist.

rpm packages not necessary for a web server

Below is a list of rpm packages that are not necessary on a web server. Use it as a reference starting point for cleaning up servers. You may also want to make sure not to run services not required by the server.
NOTE: usage may vary and removal should be in the order listed:

  1. redhat-lsb cups system-config-printer-libs system-config-printer paps -- printer support

  2. system-config-soundcard  -- gui for sound setup

  3. system-config-securitylevel-tui -- gui for setting up security

  4. nfs-utils system-config-nfs nfs-utils-lib -- nfs server

  5. portmap -- manage RPC connections
  6. ypbind yp-tools -- NIS client binding
  7. htmlview  -- view webpages via gui

  8. system-config-services system-config-samba pinfo system-config-users system-config-date -- gui configs

  9. samba samba-client samba-common -- samba support

  10. oprofile oprofile-devel oprofile-gui qt
  11. vnc
  12. libglade2 libgnomecanvas usermode-gtk libbonoboui libgnomeui libglade-java pygtk2-libglade system-config-httpd system-config-network gnome-mount libgnome-java gnome-python2-bonobo gnome-python2-canvas gnome-python2 authconfig-gtk system-config-lvm authconfig-gtk pirut gnome-vfs2 gnome-python2-gnomevfs gnome-python2-gconf libgnome libgsf librsvg2 librsvg2
    ImageMagick
  13. gnome-mime-data gnome-keyring  notify-python

  14. GConf2 notification-daemon bluez-gnome libgconf-java libnotify bluez-utils
  15. libgtk-java libvte-java
  16. pygtk2 system-config-language system-config-rootpassword
  17. vte
  18. libwnck
  19. glib-java cairo-java frysk
  20. libwmf
  21. gtk2
  22. cups-libs

  23. ghostscript ghostscript-fonts

  24. avahi avahi-glib
  25. wpa_supplicant NetworkManager
  26. system-config-rootpassword
  27. system-config-language

  28. system-config-keyboard
  29. system-config-network-tui firstboot-tui
  30. system-config-securitylevel-tui
  31. dhcpv6_client dhcdbd dhclient -- dhcp support

  32. irda-utils -- Infra Red communications
  33. isdn4k-utils -- ISDN
  34. apmd -- laptop power management
  35. cpuspeed -- dynamically changing cpu speed
  36. bluez-libs -- bluetooth
  37. irqbalance -- irq load balancing on multi-cpus (remove only in single cpu situation)
  38. rsh -- unsecure remote access
  39. talk -- internet talk protocol
  40. foomatic -- printer driver database
  41. finger -- finger client
  42. eject -- eject removable media
  43. cvs -- concurrent version control

  44. rcs -- revision control system
  45. dosfstools mkbootdisk -- bootdisk
  46. redhat-menus desktop-file-utils startup-notification -- desktop
  47. ppp rp-pppoe wvdial -- dialup
  48. esound -- sound daemon
  49. pcmciautils -- PCMCIA Cardbus
  50. pcsc-lite coolkey ifd-egate ccid
  51. OpenIPMI net-snmp-libs
  52. ImageMagick-devel -- ImageMagick development package
  53. xorg-x11-devel -- X server development package
  54. acpid -- power management (remove if you don't shutdown using power button)

Changing Timezones

# rm /etc/localtime
# ln -s /usr/share/zoneinfo/US/Eastern /etc/localtime
# hwclock --systohc

Generating Apache SSL Self-Signed Certificate

# openssl req -x509 -newkey rsa:1024 -keyout /etc/httpd/conf/ssl.key/server.key -out /etc/httpd/conf/ssl.crt/server.crt -days 9999 -nodes
# chown root:root /etc/httpd/conf/ssl.key/server.key
# chmod 400 /etc/httpd/conf/ssl.key/server.key

lftp with TLS/SSL

lftp ftp client support tls/ssl so why not use a secure connection for ftp.

$ lftp
lftp :~> set ftp:ssl-force true
lftp :~> connect ftp.domain.tld
lftp ftp.domain.tld:~> login <username>

Insist on your host to serve up ftp with tls/ssl support so all data is secured.

If using proftpd server, tls/ssl can be configured via "/etc/proftpd.conf":

<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log
    TLSProtocol TLSv1

    # Are clients required to use FTP over TLS when talking to this server?
    TLSRequired off

    # Server's certificate
    TLSRSACertificateFile /etc/pki/tls/proftpd/server.cert.pem
    TLSRSACertificateKeyFile /etc/pki/tls/proftpd/server.key.pem

    # CA the server trusts
    #TLSCACertificateFile /etc/pki/tls/proftpd/root.cert.pem

    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off

    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotations.  Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    TLSRenegotiate required off

</IfModule>

The certificate can be generated to be used on the ftp server via:

# cd /etc/pki/tls/proftpd/
# openssl req -new -x509 -days 3650 -nodes -out server.cert.pem -keyout server.key.pem

Reference:

Syndicate content
Comment