Posts Tagged ‘Debian’

Install BIND nameserver in a chroot on Debian 6

Wednesday, October 17, 2012 posted by Till

This tutorial is about chrooting a BIND (named) installation on Debian 6. Chrooting is used for security reasons, in case that BIND gets hacked on the server, the hacker is jailed into the chroot and can not get access to other services.

 

Installation

 

apt-get install bind9

to install BIND9.

For security reasons we want to run BIND chrooted so we have to do the following steps:

/etc/init.d/bind9 stop

Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS=”-u bind” so that it reads OPTIONS=”-u bind -t /var/lib/named”:

vi /etc/default/bind9

# run resolvconf?
RESOLVCONF=yes

# startup options for the server
OPTIONS=”-u bind -t /var/lib/named”
Create the necessary directories under /var/lib:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

Then move the config directory from /etc to /var/lib/named/etc:

mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when BIND gets updated in the future):

ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

We need to create the file /etc/rsyslog.d/bind-chroot.conf…

vi /etc/rsyslog.d/bind-chroot.conf

… with the following line so that we can still get important messages logged to the system logs:

$AddUnixListenSocket /var/lib/named/dev/log

Restart the logging daemon:

/etc/init.d/rsyslog restart

Start up BIND, and check /var/log/syslog for errors:

/etc/init.d/bind9 start

Thanks to Falko Timme from Howtoforge.com for this tutorial.

 

Debugging of ISPConfig 3 server actions in case of a failure

Friday, January 13, 2012 posted by Till

The follwing article describes the steps that can be taken to debug the ISPConfig 3 server scripts.

Enable the debug Loglevel in ISPConfig

Login to the ISPConfig intterface and set the log level to Debug under System > System > Server Config (see also chapter 4.9.2.2 of the ISPConfig 3 manual) for the affected server. After one or two minutes, there should be more detailed messages in ISPConfig’s system log (Monitor > System State (All Servers) > Show System-Log).

Disable the server.sh cronjob

Go to the command line of the server on which the error happens (on multiserver systems, it is often the slave and not the master) and run (as root):

crontab -e

Comment out the server.sh cron job:

#* * * * * /usr/local/ispconfig/server/server.sh > /dev/null >> /var/log/ispconfig/cron.log

Run the server script manually to get detailed debug output

Then run the command:

/usr/local/ispconfig/server/server.sh

This will display any errors directly on the command line which should help you to fix the error. If you have fixed
the error, please don’t forget to uncomment the server.sh cron job again.

Apache mod-security installation on Debian 6.0 (squeeze)

Monday, January 2, 2012 posted by Till

Install the apache mod-security 2 module with apt from the Debian repositories

apt-get install libapache-mod-security

Create the folder for the mod-security configuration files

mkdir /etc/apache2/mod-security
chmod 600 /etc/apache2/mod-security

Download and unpack the mod-security rules

cd /tmp
wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
tar fvx modsecurity-core-rules_2.5-1.6.1.tar.gz
mv *.conf /etc/apache2/mod-security/
ln -s /var/log/apache2 /etc/apache2/logs

Configure apache to load the activated mod-security rules

vi /etc/apache2/conf.d/mod-security.conf

Include /etc/apache2/mod-security/*.conf

To enable mod-security, edit the file

vi /etc/apache2/mod-security/modsecurity_crs_10_config.conf

and remove the # in front of the line:

SecDefaultAction “phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace”

Then reload apache.

/etc/init.d/apache2 force-reload

Mod security will now start to block hack attempts to your websites and log the actions in the file /var/log/apache2/modsec_audit.log.

tail /var/log/apache2/modsec_audit.log

You will see very likely some falsely blocked URL’s. To whitelist them, you can add the ID’s of the rules that should not be used in the whitelist file.

Example:

vi /etc/apache2/mod-security/modsecurity_crs_99_whitelist.conf

SecRuleRemoveById 960015
SecRuleRemoveById 960016

Install .deb Packages Manually (Linux Debian/Ubuntu)

Friday, December 9, 2011 posted by CSch

When you download packages for Linux Debian or Ubuntu they usually come in the .deb format and are installed automatically by your local package manager. If you download them from the internet instead of the repositorial way however you are given the .deb file and have to deal with it yourself. To install it, open a terminal, direct it to the folder where it has been downloaded to with cd and use the dpkg command:

cd /home/ctest/Downloads/
dpkg -i random_name.deb

Detailed information about the hard disk type, disk vendor etc. of the disk used on a Linux system can be aquired with the linux tool hdparm. If hdparm is not installed on your server, it can be installed with this command (on Debian and Ubuntu systems):

apt-get install hdparm

For other Linux distributions, use the software installer and search for the package name ‘hdparm’.

To get the detailed disk info, run this command

hdparm -I /dev/sda

The device /dev/sda is the first SATA disk on the server, the second disk is /dev/sdb. Replace /dev/sda in the command with the name of the device that you want to query.

Every modern disk has a internal monitoring function called SMART that keeps track on errors in that disk. There is a software package called smartmontools on Linux which can be used to query the SMART status of the disk to monitor if the disk might fail in near future.

Installation

apt-get install smartmontools

Usage

First we need to know the internal device name of the harddisks. For the first SATA disk, this is normally /dev/sda, the second is /dev/sdb etc. If you are unsure about the device names of your computer, then you can get them with:

fdisk -l

The command lists the partitions e.g. /dev/sda1. To get the device name, use the partition name without the number, e.g. the device of partition/dev/sda1 is /dev/sda.

To get a summary of the healt status of the disk, run:

smartctl –health /dev/sda

replace /dev/sda with the device name of the harddisk that you want to query.

The output will look similar to this:

~# smartctl --health /dev/sda
smartctl version 5.38 [x86_64-unknown-linux-gnu] Copyright (C) 2002-8 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

To get the full detailed output of all parameters, use this command:

smartctl –all /dev/sda

 

The webalizer package in Debain 6 has currently small bug as the required package for the  GeoIP database is not installed automatically when webalizer is isntalled. The symptoms are that webalizer statistics are not created and this error message is displayed when webalizer is run:

Error Opening file /usr/share/GeoIP/GeoIP.dat

The solution is to install the missing package manually:

apt-get install geoip-database

I’ve got the following error message on Debian Linux (6.0) with Courier IMAP server:

Filesystem notification initialization error -- contact your mail
administrator (check for configuration errors with the FAM/Gamin library)

when I tried to access a IMAP share. The resaon for the problem seems to be that the “fam” package was not working correctly. The solution is to install the gamin package which can replace fam in a courier setup:

apt-get install gamin

Dont worry when you get a message from apt that libfam0 gets uninstalled but is required by courier. This had no geative effects on my server.

How to convert RPM software packages to Debian (.deb)

Thursday, March 4, 2010 posted by Till

Maybe you had this problem already: you use Debian or Ubuntu Linux and a software package that you like to install is only available in RPM format. The solution is a handy tool called alien, which converts .rpm files to .deb. Installing alien:

apt-get install alien

Converting a rpm package to debian format:

alien –to-deb /tmp/mysoftwarefile.rpm

Conversions from .deb to rpm are also possible:

alien –to-rpm /tmp/mysoftwarefile.deb

Sometimes you need to know which debian package contains a specific file e.g. because you deleted a system file accidently or you try to install a new software that requires this file. The apt package management utility which is used in Debian and Ubuntu comes with a handy tool called apt-file which allows a saerch for filenames in the package database.

Install apt-file

apt-get install apt-file

Update the apt-file database

apt-file update

Search for a specific file name, e.g. “lcrypto”

apt-file search /bin/bash

apt-file search /bin/bash
bash: /bin/bash
bash: /usr/bin/bashbug
bash-minimal: /bin/bash-minimal
bash-static: /bin/bash-static
bashdb: /usr/bin/bashdb
mybashburn: /usr/bin/bashburn