Linux.com

Community Blogs



How To Install Tomcat 7 Server on CentOS & RedHat

Apache Tomcat is an open source web server from the Apache Software Foundation, like the Apache HTTP Server. It is used to deploy Java Servlet and JSP applications. To deploy an application in Tomcat you simply build a WAR file and drop it in.

Read the article Install Apache Tomcat on CentOS/RHEL servers for detailed information.

 

How to Install Zabbix Monitoring Tool on Linux

Zabbix is open source software for network and application monitoring. It provides agents to monitor remote hosts and also supports monitoring via SNMP, TCP and ICMP checks.
 

A Simple BASH Script to Test Your Internet Connectivity

Most users check whether their Internet connection is working by loading Google's index page. Often you also need to check periodically whether a server you run is connected to the Internet, and opening a web page every time is cumbersome. The sensible alternative is a small script that runs in the background, scheduled with cron.

Read More on YourOwnLinux...

 

Making Bootable USB using Syslinux

Note: check that the following packages are installed on your system:

1. syslinux. If it is not installed, install it with yum:
   yum install syslinux
2. qemu-system-x86_64 (I am installing 64-bit Fedora, so at the end we need this virtual machine to test the pen drive). If it is not installed:
   yum install -y qemu.x86_64
   This will take some time. If you don't want to test the pen drive you can skip this step.

Now we can start the process.

1. Download the ISO image of the OS (Linux) to your system and mount it under some directory, e.g. with:
   mount -t iso9660 /home/harkamal/ISO/Fedora-16-x86_64-Live-KDE.iso /mnt/iso/
2. Use a pen drive that doesn't contain any files (it can have folders, but no loose files) and has at least 1GB free. Find out where the pen drive has been mounted; it gets mounted automatically, in my case under /media/HARKAMAL. Note: HARKAMAL is the LABEL of my pen drive, yours will be something else, so write it down. To find the mount point and device use df -h or fdisk -l (fdisk -l needs root, or sudo). In my case the device was /dev/sdb1; write that down too.
3. Go to /mnt/iso, where you mounted the ISO image in step 1:
   cd /mnt/iso
4. Copy everything to the pen drive (change the LABEL accordingly):
   cp * -rv /media/HARKAMAL/
5. Install the syslinux boot loader on the pen drive:
   syslinux --install -d EFI/boot/ /dev/sdb1
6. Go to the boot directory on the pen drive:
   cd /media/HARKAMAL/EFI/boot
7. Copy isolinux.cfg to syslinux.cfg:
   cp isolinux.cfg syslinux.cfg
8. Now edit syslinux.cfg with vim. In the very first stanza, under the heading "label linux0", you will find the line:
   append initrd=initrd0.img root=live:CDLABEL=Fedora-16-x86_64-Live-KDE.iso rootfstype=auto ro liveimg quiet rhgb rd.luks=0 rd.md=0 rd.dm=0
   Remove the "quiet" and "rhgb" entries, and replace root=live:CDLABEL=Fedora-16-x86_64-Live-KDE.iso with root=LABEL=HARKAMAL. The line should finally look like:
   append initrd=initrd0.img root=LABEL=HARKAMAL rootfstype=auto ro liveimg rd.luks=0 rd.md=0 rd.dm=0
   Note: there must be no spaces between root, LABEL and HARKAMAL.

Now our USB stick is ready to use. We can test it in a virtual machine with:
   qemu-system-x86_64 -hda /dev/sdb1 -m 256 -vga std
If the virtual machine starts with an "Install Fedora 16" option, your USB stick is ready to use and to install from.

Enjoy!
Regards, Harkamal
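Step 8 is the one that is easy to get wrong by hand (a stray space in root=LABEL=..., or a forgotten flag). The following is an added example, not part of the original post, that does the same rewrite with sed so the resulting "append" line can be checked before syslinux.cfg is copied onto the stick. Assumptions of mine, not the post's: the config is read from stdin, the USB LABEL is the only argument, and the label contains no "|".

```shell
#!/bin/sh
# Added example (not from the original post): rewrite an isolinux.cfg "append" line
# so the live image boots from the USB stick's filesystem LABEL, as in step 8.

# Sample isolinux.cfg stanza, constructed here to mirror the Fedora 16 line in the post.
sample_isolinux_cfg() {
    cat <<'EOF'
label linux0
  menu label ^Boot
  kernel vmlinuz0
  append initrd=initrd0.img root=live:CDLABEL=Fedora-16-x86_64-Live-KDE.iso rootfstype=auto ro liveimg quiet rhgb rd.luks=0 rd.md=0 rd.dm=0
EOF
}

# make_syslinux_cfg <USB_LABEL>: read isolinux.cfg on stdin, write syslinux.cfg on stdout.
# Only "append" lines are touched: root=live:CDLABEL=... becomes root=LABEL=<USB_LABEL>
# (no spaces, as the post warns) and the words "quiet" and "rhgb" are dropped.
# A trailing space is added first so " quiet " / " rhgb " also match at end of line.
make_syslinux_cfg() {
    label=$1
    sed -e "/^[[:space:]]*append /{
s|root=live:CDLABEL=[^ ]*|root=LABEL=${label}|
s/\$/ /
s/ quiet / /g
s/ rhgb / /g
s/ *\$//
}"
}

# append_line: print the first "append" line of a config, for inspection or checking.
append_line() {
    sed -n '/^[[:space:]]*append /{p;q;}'
}

# check_append_line <line> <USB_LABEL>: 0 if the line boots from the USB label and has
# lost the CD label and the quiet/rhgb flags, 1 otherwise.
check_append_line() {
    case "$1" in
        *"root=LABEL=$2"*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *CDLABEL*|*" quiet"*|*" rhgb"*) return 1 ;;
    esac
    return 0
}

# Typical use with the post's label:
#   make_syslinux_cfg HARKAMAL < isolinux.cfg > syslinux.cfg
#   check_append_line "$(append_line < syslinux.cfg)" HARKAMAL && echo "append line OK"
```

Only lines starting with "append" are rewritten, so menu entries and kernel lines are left exactly as isolinux shipped them.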

 

Linux vs Windows Data Servers (the bottom line)

Based on years of writing software in networked environments and talking to database servers running on both Microsoft Windows and Linux (serving databases like Microsoft SQL Server and PostgreSQL), I have to say that Microsoft had better look over its shoulder: the competition is gaining a strong hold on corporate decision makers and on how they foresee the future's bottom line.

At this point, once you factor in the cost of the operating system, the database software, the per-seat licensing and support, the money paid out to set up a Microsoft SQL Server data server makes you step back and scratch your head at how much it takes to put it into production.

Again, based on my own experience, I’m not sure why anyone would want their corporate data on a Windows-based server that requires a lot more money and maintenance to keep the server up and running, while maintaining availability, reliability, and security.

A well configured Linux data server provides a much better overall experience for a fraction of the cost.

With companies struggling to operate in the green, not exploring open source options like PostgreSQL and MySQL, and operating systems like CentOS, just doesn't make any sense.

 

How to Configure (And Troubleshoot) Pulp: The Ultimate Repository Management Tool

Pulp is a nifty piece of Python code which I recently deployed to manage some (a lot, actually) external Linux repositories. Pulp is a great tool if you want to manage many repositories and related content such as packages, arches, distros and errata. It will not only help you mirror the repositories but also do remote installs to the clients (Pulp calls them consumers) and groups. So, let us get started.
Make sure that you have a good amount of disk space on your server.
There is really good documentation on how the installation works. I'll write about some tips and tricks which are not in the documentation.
1. How do I install it on Scientific Linux and other Enterprise Linux servers, where the nss package is not the latest version?
You need to enable the rolling repository in Scientific Linux for this. It is not enabled in the default yum repository configuration (/etc/yum.repos.d), so chances are that you'll get an older version of nss if the rolling repo is not added.
2. I am getting an "SSL WrongHost" error. How do I fix that?
First, pick a hostname for the server (localhost.localdomain is a bad choice) and set it with the hostname command. Then generate a certificate for that name to get rid of the SSL error: cd /etc/pki/tls/certs/, where there is a localhost.crt; rename it to something else and run "make testcert" to get a new certificate. Follow these steps closely, in order. Note that this is a self-signed test certificate: clients will have to trust it explicitly, otherwise you trade the WrongHost error for a trust error.
3. I installed both pulp and pulp-cds on the same server and now I am getting an httpd alias problem. How do I resolve it?
Well, I understand the enthusiasm of trying out stuff, but pulp and pulp-cds are not supposed to be installed on the same server, not unless you know the ins and outs of Pulp and what you are doing. The problem occurs because pulp.conf and pulp-cds.conf in conf.d both define the same Alias, but for different targets. So comment out the Alias in pulp-cds.conf or get rid of the pulp-cds package altogether; I would do the latter.
4. I want to serve the repo over plain HTTP. How do I do that?
Find the lines below in the Pulp configuration under the httpd conf directory and comment them out with "#":
SSLRequireSSL
SSLVerifyClient optional_no_ca
SSLVerifyDepth 2
SSLOptions +StdEnvVars +ExportCertData
Be aware of what you give up: these lines are what forces TLS and offers client-certificate verification. Over plain HTTP the only remaining integrity check on what clients install is package signing, so keep gpgcheck=1 in the clients' repo files.

 

Migrate Bugzilla 3.0 Server to a Bugzilla 4.0 Server

Summary

I recently did a migration from Bugzilla 3.0 running on one server to Bugzilla 4.0 running on a new server. Since I was already writing these down as I went, I thought I would share the instructions with the greater Linux community. You may find that some steps need to be run in a slightly different order, but this is a pretty complete account of what it took to get this going on the new server. I had to go back to the ./checksetup.pl script over and over throughout the process to check myself and figure out what needed to happen next. I tried to arrange the steps in an order that will work, but if you have to install the Bugzilla folder first and continually re-run ./checksetup.pl, that's pretty much what I had to do.

These instructions are for RedHat 5.5.

Backup Your Current Bugzilla 3.0 Database

These directions assume that you have a Bugzilla 3.0 database that you've backed up with the following commands (note that --password=... on the command line is visible to every local user via ps; -p with no value prompts for the password instead):

sudo mkdir /data/backups/mysql-bugzilla-3.0
sudo chown www-data.www-data /data/backups/mysql-bugzilla-3.0
mysqldump -u bugs --password=XXXXXXXXX bugs | gzip -9v > `date '+/data/backups/mysql-bugzilla-3.0/bugs_%Y%m%d.sql.gz'`
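The backup above works, but two things a practitioner would want are missing: the database password sits in the process list while mysqldump runs, and "mysqldump | gzip" returns gzip's exit status, so a failed dump still leaves a plausible-looking .sql.gz behind. The following is an added example, not from the original article, with the password read from a 0600 options file and the dump only kept when mysqldump itself succeeded. The function names and the options file path are mine, not Bugzilla's or MySQL's.

```shell
#!/bin/sh
# Added example (not from the original article): the same dated backup as above,
# with the password kept out of argv and the dump renamed into place only on success.

# write_mysql_opts <file> <user> <password>: create a client options file readable
# only by its owner. The umask change is confined to a subshell.
write_mysql_opts() {
    (
        umask 077
        rm -f "$1"
        printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1"
    )
}

# backup_path <dir> <YYYYMMDD>: the article's naming scheme, bugs_YYYYMMDD.sql.gz
backup_path() {
    printf '%s/bugs_%s.sql.gz\n' "$1" "$2"
}

# file_mode <file>: permission bits in octal (GNU stat first, BSD stat as fallback),
# used to verify that the options file really is 0600.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# dump_bugs <opts-file> <dir>: dump the "bugs" database to a dated gzip file.
# mysqldump reads the credentials from the options file, so nothing secret is in
# its argument list. The dump goes to a temporary name and is renamed to the final
# path only when mysqldump exited 0, so a failed run never leaves a fake backup.
dump_bugs() {
    opts=$1; dir=$2
    out=$(backup_path "$dir" "$(date +%Y%m%d)")
    tmp="$out.part.sql"
    mysqldump --defaults-extra-file="$opts" bugs > "$tmp" || { rm -f "$tmp"; return 1; }
    gzip -9 "$tmp" && mv "$tmp.gz" "$out" && echo "$out"
}

# Typical use (paths from the article; the options file location is an assumption):
#   write_mysql_opts /root/.bugs-backup.cnf bugs 'XXXXXXXXX'
#   dump_bugs /root/.bugs-backup.cnf /data/backups/mysql-bugzilla-3.0
```

The options file only needs to exist for as long as backups are taken; if it stays on the machine, it must stay owned by the backup user with mode 0600.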

 

Setup Apache

Install the Web Server, set the run levels, and start the service:

[root@mybugzilla]# yum groupinstall "Web Server"
[root@mybugzilla]# chkconfig --levels 2345 httpd on
[root@mybugzilla]# service httpd restart


Check that Apache is set up correctly by browsing to your site name or to http://localhost.

You should see the default Apache page, showing that the web server is installed properly.


Modify the httpd.conf file

Open the /etc/httpd/conf/httpd.conf file in your favorite editor.  Add these lines to the end of your httpd.conf file:

PerlSwitches -w -T
PerlConfigRequire /var/www/html/bugz/mod_perl.pl

Also make sure that you have the line "KeepAlive Off" per the bugzilla install instructions.

Restart Apache

[root@mybugzilla]# service httpd restart

Setup MySQL

Install MySQL, set the service to start on boot, and set the mysql root password:

[root@mybugzilla]# yum groupinstall "MySQL Database"
[root@mybugzilla]# chkconfig --levels 2345 mysqld on
[root@mybugzilla]# service mysqld restart
[root@mybugzilla]# /usr/bin/mysqladmin -u root password 'XXXX'


Now log in to mysql as root (you will be prompted for the password you just set; this keeps it out of the process list):

[root@mybugzilla]# mysql -u root -p


Once logged into mysql as root, create the bugs user and the database:

mysql> create user 'bugs'@'localhost' IDENTIFIED BY 'XXXpasswordXXX';
mysql> create database bugs;
mysql> show databases;

Restore data

These instructions assume that you followed the above instructions for exporting your bugzilla database from Bugzilla 3.0.

[root@mybugzilla]# cd /path/to/restore/file
[root@mybugzilla]# gunzip bugs_20110414.sql.gz
[root@mybugzilla]# mysql -u root -p bugs < bugs_20110414.sql

Grant Permissions

Log in to mysql as above and run:

mysql> grant all on bugs.* to 'bugs'@'localhost';

 

Fix MySQL Defaults in /etc/my.cnf

Edit the /etc/my.cnf file and add these lines under the [mysqld] section:

[mysqld]
# Allow packets up to 4MB
max_allowed_packet=4M

# Allow small words in full-text indexes
ft_min_word_len=2


This raises the maximum size of an attachment uploaded to a bug from the default 1MB to 4MB.

Restart MySQL

Restart the service to ensure any changes above are loaded:

service mysqld restart

 

Setup Bugzilla

Prep Bugzilla

Create the directories and download Bugzilla. The tarball comes over plain HTTP, so verify it against a checksum or signature from a trusted source before unpacking it:

[root@mybugzilla]# cd /var/www
[root@mybugzilla]# mkdir bugz
[root@mybugzilla]# cd bugz
[root@mybugzilla]# wget http://ftp.mozilla.org/pub/mozilla.org/webtools/bugzilla-4.0.tar.gz
[root@mybugzilla]# tar xzvf bugzilla-4.0.tar.gz
[root@mybugzilla]# cd /var/www/html
[root@mybugzilla]# ln -s ../bugz/bugzilla-4.0 bugz
[root@mybugzilla]# cd /var/www/bugz/bugzilla-4.0

 

Install Bugzilla Dependencies

./checksetup.pl --check-modules


You will be told to run several commands to install the missing Perl modules. For example, I was told to run these:

[root@mybugzilla]# /usr/bin/perl install-module.pl Digest::SHA
[root@mybugzilla]# /usr/bin/perl install-module.pl Date::Format
[root@mybugzilla]# /usr/bin/perl install-module.pl DateTime
[root@mybugzilla]# /usr/bin/perl install-module.pl DateTime::TimeZone
[root@mybugzilla]# /usr/bin/perl install-module.pl Template
[root@mybugzilla]# /usr/bin/perl install-module.pl Email::Send
[root@mybugzilla]# /usr/bin/perl install-module.pl Email::MIME
[root@mybugzilla]# /usr/bin/perl install-module.pl List::MoreUtils


or just simply:

[root@mybugzilla]# /usr/bin/perl install-module.pl --all

DateTime wouldn't build, so I tried this (per the instructions at http://www.bugzilla.org/docs/4.0/en/html/installation.html):

[root@mybugzilla]# yum install mysql-devel gd gd-devel perl-DBD-MySQL mod_perl-devel

The perl-DBD-MySQL package is 3.07, which is too old (4.0 is needed), so I had to make sure to run the CPAN install:

[root@mybugzilla]# /usr/bin/perl install-module.pl DBD::mysql

I noticed that DateTime complained that I only had Archive::Tar 1.3901, which it found in the perl-Archive-Tar package. I upgraded with:

[root@mybugzilla]# /usr/bin/perl install-module.pl Archive::Tar

which got me Archive::Tar 1.76 and stopped the complaints in DateTime. I then installed DateTime by running:

[root@mybugzilla]# /usr/bin/perl install-module.pl Module::Build
[root@mybugzilla]# /usr/bin/perl install-module.pl DateTime

 

Install Additional Modules

I installed these extra modules:

[root@mybugzilla]# /usr/bin/perl install-module.pl Net::LDAP
[root@mybugzilla]# /usr/bin/perl install-module.pl GD
[root@mybugzilla]# /usr/bin/perl install-module.pl Chart::Lines
[root@mybugzilla]# /usr/bin/perl install-module.pl Email::Reply
[root@mybugzilla]# /usr/bin/perl install-module.pl Apache2::SizeLimit
[root@mybugzilla]# /usr/bin/perl install-module.pl GD::Graph
[root@mybugzilla]# /usr/bin/perl install-module.pl PatchReader
[root@mybugzilla]# /usr/bin/perl install-module.pl Email::MIME::Attachment::Stripper

Out of the above, I know that if you don't have Apache2::SizeLimit there will be a problem when restarting the httpd server, which (per the above instructions) loads the mod_perl.pl script in the Bugzilla folder, which in turn uses Apache2::SizeLimit. If you have trouble (as I did), make sure you have the mod_perl-devel package installed in order to install Apache2::SizeLimit.

Edit Configuration

Now you'll need to edit the localconfig file to set up the variables. Make sure you have these variables set. Most are defaults; you'll probably have to set $db_pass yourself:

$create_htaccess = 1;
$webservergroup = 'apache';
$use_suexec = 0;
$db_driver = 'mysql';
$db_host = 'localhost';
$db_name = 'bugs';
$db_user = 'bugs';
$db_pass = 'XXXpasswordXXX';
$db_port = 0;
$db_sock = '';
$db_check = 1;
$index_html = 0;
$cvsbin = '/usr/bin/cvs';
$interdiffbin = '/usr/bin/interdiff';
$diffpath = '/usr/bin';
$site_wide_secret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';

 

Re-Run CheckSetup

Now re-run checksetup now that you've fixed the localconfig file. Run it without --check-modules this time: that makes it connect to the database, which tests that the db name, user name and password in localconfig are correct:

./checksetup.pl


The script may remind you to perform some actions documented above.  If you've missed anything, go ahead and fix it now before continuing.

Bugzilla Upgrade

Upgrading can cause serious harm to the database. Make sure you have a backup, or the file migrated from the other server, so you can restore the 'bugs' database if the following steps fail. There are probably more ways to migrate, but these are the actions that I took.

Ensure the character encoding is correct

Your database must be in UTF-8. If the previous database used another encoding, fix it with the recode.pl script:

[root@mybugzilla]# /usr/bin/perl install-module.pl Encode::Detect
[root@mybugzilla]# cd /var/www/bugz/bugzilla-4.0/
[root@mybugzilla]# contrib/recode.pl --dry-run --guess


Review the proposed changes, then run the command for real:

[root@mybugzilla]# contrib/recode.pl --guess

 

Continue with the checksetup.pl

Run the checksetup.pl script again. You can now safely continue when prompted about UTF-8.

References

http://www.bugzilla.org/docs/4.0/en/html/configuration.html
http://www.velikan.net/import-sql-dump-file-to-mysql-database/
http://dev.mysql.com/doc/refman/5.1/en

 

Simple Kexec example

Some time ago I was helping a friend with some kexec problems and wrote some notes on how to use it. A CentOS based server was used here, but the process should be pretty similar on other distributions. The main advantage is skipping the BIOS initialisation, which on servers takes quite some time. I personally use it on the gateway server (it also runs DNS, DHCP and an OpenVPN server) and for rebooting test servers with minimal downtime. A nice kexec description is in its man page:

kexec is a system call that enables you to load and boot into another kernel from the currently running kernel. kexec performs the function of the boot loader from within the kernel. The primary difference between a standard system boot and a kexec boot is that the hardware initialization normally performed by the BIOS or firmware (depending on architecture) is not performed during a kexec boot. This has the effect of reducing the time required for a reboot.

CentOS, Fedora users can install it using yum:

[root@cent:~]# yum install kexec-tools

To switch kernels you have to install a new one; here, for example, a "yum update" also installed a new kernel, version 2.6.18-194.11.4.el5.

[root@cent:~]# yum update
[...]
Installed:
  kernel.x86_64 0:2.6.18-194.11.4.el5  kernel-devel.x86_64 0:2.6.18-194.11.4.el5
[...]

Current kernel is 2.6.18-194.11.3.el5

[root@cent:~]# uname -r
2.6.18-194.11.3.el5

For kexec, the kernel and initrd paths must be specified; the (relative) paths can be found, for example, in grub.conf, which was already updated:

[root@cent:~]# cat /etc/grub.conf
[...]
title CentOS (2.6.18-194.11.4.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-194.11.4.el5 ro root=LABEL=/
        initrd /initrd-2.6.18-194.11.4.el5.img
title CentOS (2.6.18-194.11.3.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-194.11.3.el5 ro root=LABEL=/
        initrd /initrd-2.6.18-194.11.3.el5.img
[...]

The arguments passed to the kernel at boot time are also needed; the current ones are in /proc/cmdline. The same arguments will be given to the new kernel.

[root@cent:~]# cat /proc/cmdline
ro root=LABEL=/

Now to load the new kernel:

[root@cent:~]# kexec -l /boot/vmlinuz-2.6.18-194.11.4.el5 \
    --initrd=/boot/initrd-2.6.18-194.11.4.el5.img \
    --command-line="$( cat /proc/cmdline )"

Start the magic and boot into the newly loaded kernel. Be aware that kexec -e jumps into the new kernel immediately, without running the shutdown scripts, stopping services or unmounting filesystems cleanly, so run sync (or stop your services) before it:

[root@cent:~]# kexec -e
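The two commands above are easy to get wrong on a remote box: a typo in the version string loads nothing, and kexec -e then reboots into whatever (if anything) was loaded. The following is an added example, not from the original post, that wraps the same steps in a small script: it checks that both the kernel and the initrd for the requested version exist before calling kexec -l, reuses the running kernel's arguments from /proc/cmdline, and syncs before kexec -e. BOOT and CMDLINE are my own variables (defaulting to /boot and /proc/cmdline) so the checks can be exercised without touching a real system.

```shell
#!/bin/sh
# Added example (not from the original post): guarded kexec -l / kexec -e, CentOS 5 naming.

BOOT=${BOOT:-/boot}
CMDLINE=${CMDLINE:-/proc/cmdline}

# kexec_load_cmd <version>: print the kexec -l command for the given kernel version,
# or fail (return 1) if the kernel or initrd file is missing, so nothing is loaded
# half-way. The running kernel's arguments are passed unchanged, as in the post.
kexec_load_cmd() {
    ver=$1
    k="$BOOT/vmlinuz-$ver"
    i="$BOOT/initrd-$ver.img"
    for f in "$k" "$i"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    printf 'kexec -l %s --initrd=%s --command-line="%s"\n' "$k" "$i" "$(cat "$CMDLINE")"
}

# kexec_into <version>: load the kernel and, only if loading succeeded, flush dirty
# buffers and jump. kexec -e performs no clean shutdown, hence the explicit sync.
kexec_into() {
    cmd=$(kexec_load_cmd "$1") || return 1
    eval "$cmd" || return 1
    sync
    kexec -e
}

# Typical use, as root, with the version from the post:
#   kexec_load_cmd 2.6.18-194.11.4.el5     # shows what would be loaded
#   kexec_into 2.6.18-194.11.4.el5         # actually reboots into it
```

Printing the command first (kexec_load_cmd) and jumping second (kexec_into) keeps the irreversible step separate from the check.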

Hope this post will be helpful and inspire others to some kexec experiments :)

 

Midnight Commander Notes

Midnight Commander is a popular file manager available from the repositories of almost all major Linux distributions. Many new users find it difficult to work on servers from the command line alone, so Midnight Commander is a welcome help. Here are some tips and notes on how to use this tool, together with the shortcuts I most often gave to users who had never worked with it before. As always, for a complete list of keyboard shortcuts and much more, man mc or info mc should work.

 

Usage tips

To start midnight commander simply type mc.

[podlevak@55cent:~]$ mc

 

If you want the panels pointing to some specific directories append a path (or two) after the mc:

[podlevak@55cent:~]$ mc /etc/httpd/ /var/log/

 

To go back to the command line you don't have to quit Midnight Commander with F10: in most shells (bash is used here), ctrl-z puts mc into the background, and the fg command brings it back to the foreground.

[podlevak@55cent:~]$ mc /etc/httpd/ /var/log/

[1]+  Stopped                 /usr/bin/mc -P "$MC_PWD_FILE" "$@"

[podlevak@55cent:~]$ fg

Another way is using the ctrl-o shortcut for hiding the panels; to show them press ctrl-o again.

 

Midnight Commander comes with an integrated editor and viewer; you can also use them directly:

[podlevak@55cent:~]$ mcview /etc/hosts

[podlevak@55cent:~]$ mcedit new_file

 

Shortcuts

I've divided the shortcuts into three groups according to their usage. A little note on how to use them:

  1. when using a shortcut like ctrl-r, hold down the control key and then press the r key
  2. for shortcut like ctrl-x-o hold down the control key and then press the x key, let go and press the o key

File manipulation and shell commands

  • ctrl-x-c change permissions
  • ctrl-x-o change owner
  • ctrl-x-s create symlink
  • ctrl-x-ctrl-s edit symlink
  • esc-tab completion, like tab in shell
  • alt-s search in active panel; after pressing the keys just start typing
  • alt-p previous entered command
  • alt-n next entered command
  • ctrl-space show directory size
  • ctrl-x-i shows file / directory info, press again to return to panel
  • ctrl-x-q quick view - view content of files in a preview window (F7 for search works), press again to return to panel

Displaying content

  • ctrl-o hide the panels; press it again to show them
  • ctrl-r rescan (refresh the active panel)
  • ctrl-u swap the panels
  • alt-o open path in the other panel
  • ctrl-\ directory hotlist (frequently used directories)

Selecting

  • Insert select single file
  • * (asterisk) select all files, 2x un-selects if all files were selected, or inverts selection if files were selected (using a mask or insert)
  • + (plus) select mask, regular expression can be used
  • - (minus) un-select mask, regular expression can be used
 

VPN-O-Rama : IPCop to PFSense with IPSec

Introduction

Here's another episode of my VPN saga, this time we'll connect IPCop to PFSense with IPSec.

Just a few words about PFSense (http://www.pfsense.org/) if you don't know it: I've always used BSD and I'm a big fan of it. OK, we're on a Linux site, but many of you may argue about BSD's proven scalability, stability, security, simplicity (IMHO) and networking capabilities (even after recent events, fake or not).

BSD PF (http://www.openbsd.org/faq/pf/) (Packet Filter) is a great technology and I totally love it. I don't want to start a flame war between Packet Filter and iptables; this article is just focused on building an IPSec connection between Linux and a particular BSD distro (PFSense). I did some research after dealing with M0n0wall, Smoothwall and so on and decided to give PFSense a try. It's one of my favorite firewall distributions, for SOHO installations but also for heavy-duty connections and features (NAT traversal or load balancing, for example); it's not a project for hobbyists, it scales to business-class installations easily.

Following this "VPN by examples" guide I'll connect PFSense to IPCop with an IPSec connection. Both machines have static IP addresses; in later examples I'll use dynamic IPs too. I didn't find anything about IPCop to PFSense on the web, so I've decided to publish my documentation, with a lot of screenshots as usual.

 

This article follows my previous "VPN-O-Rama: IPCop to IPCop with IPSec" (http://www.linux.com/community/blogs/vpn-o-rama-ipcop-to-ipcop-with-ipsec.html) and adds a new machine to the same network, so it will be:

 

Network topology:

Office                    Network    Subnet
Headquarter (Coruscant)   10.0.2.0   255.255.255.0
Subsidiary 1 (Alderaan)   10.0.3.0   255.255.255.0
Subsidiary 2 (Tatooine)   10.0.4.0   255.255.255.0

Firewalls:

Location/Name   Firewall Distro   Private IP (LAN)   Public IP (WAN)
Coruscant       IPCop v1.4.21     10.0.2.94          10.0.0.94
Alderaan        IPCop v1.4.21     10.0.3.95          10.0.0.95
Tatooine        PFSense v1.2.3    10.0.4.96          10.0.0.96

 

 

I've skipped the PFSense installation process to focus on a freshly installed PFSense machine named Tatooine; let me know if you need an article on it.

 

My Goal

 

I'd like to establish an IPSec connection between two static machines (Tatooine and Coruscant), with no firewalls or other port-blocking rules on the public WAN between them. Variations on this task may follow in later articles.

 

PFSense Configuration

Here's PFSense main GUI in the private network example:

 

WARNING:

Before any configuration, please remember that we're building an example on private networks (10.0.0.0, Class A IPs, on WAN). PFSense has an option that blocks private-network traffic on WAN, and you need to disable it before starting: under the Interfaces / WAN menu there's an option named "Block private networks". Ignore this if your WAN uses real public addresses; otherwise see the screenshot and disable the rule.

 

Now go to the VPN menu, IPSec option.

Tick the "Enable IPSec" check box and hit the "Save" button, see:

 

Then click the "Add tunnel" icon on the right side of the page; you get a new page where you can specify the VPN tunnel options. Here's what I've done:

General parameters (PFSense related)

  • Tunnel enabled, so the "Disable this tunnel" check box is unchecked

  • Interface WAN, in my case I need to use WAN to reach remote subnet

  • DPD interval (dead peer detection), 60 seconds in my case (it should be enough for everyone)

  • Remote Subnet, in this example is 10.0.2.0 (Coruscant network) with a 24 bit mask (255.255.255.0)

  • Remote Gateway, in this example is 10.0.0.94 (Coruscant firewall on public network)

 

VPN Phase 1 Authentication (VPN Parameters for phase 1)

  • Negotiation Mode, set to "main"

  • My Identifier, left as it is (my IP address). In my case I've a quite easy network connection with two static IP addresses, no NAT traversal or other stuff around. We'll see advanced configurations with NAT and dynamic IP addresses the next time

  • Encryption algorithm: I'm using Blowfish, which is faster than 3DES (both are legacy 64-bit-block ciphers; prefer AES if both ends offer it). Please remember all your parameters, they must match the settings chosen on the remote side

  • Hash algorithm: MD5, chosen here and on the IPCop side (SHA1 is the stronger choice if both sides offer it)

Let me show you first page with parameters from above

 

Let's go on with:

  • DH key group, select option "5" (on IPCop I've chosen 1536 bits, which is the same group)

  • Lifetime, set it to 3600 seconds (1 hour)

  • Authentication Method: I'm using "pre-shared key". CAs (Certification Authorities) are not available as a native service on PFSense; the developers focus on firewall features, and I respect their choice to keep CAs outside, even if it would be great to have one built in (like IPCop and other Linux distros). Creating a CA from scratch on another PC takes a lot of time and is beyond the scope of this article; I'll write some notes on it if you need them. To keep things as simple as I can I've chosen a pre-shared key: this is not a roadwarrior connection but a link between two offices, so it is something a common user never sees

  • Pre-Shared Key: I'm using "12345" ("I've got the same combination on my luggage", cit.: http://en.wikiquote.org/wiki/Spaceballs). Use a long, random key for anything real

And here's another shot:

 

VPN Phase 2 proposal (SA/Key Exchange)

Here's the second round of a VPN connection, key proposal and exchange. These are my parameters:

  • Protocol: ESP, encryption

  • Encryption algorithms: Blowfish. I've disabled everything else to avoid confusion, so the VPN server doesn't even propose them

  • Hash algorithms: SHA1 and MD5, keep them as they are

  • PFS key group: we're using 1536 bit, so option "5" is the way to go

  • Lifetime: 28800 seconds (8 hours)

No keep-alive host; set one if you detect drops on your line.

Here's my shot:

I'll repeat it again: please keep in mind that all these parameters are mandatory. You need to fill them in even if PFSense tells you they're optional, and even more important: write them down and enter them exactly as they are on the IPCop side.

 

Finally hit the Save button to create your VPN connection, then on the VPN: IPSec page hit the Apply Changes button to confirm the new connection.

 

IPCop Configuration

Now it's time to create the VPN connection on the IPCop side, back on Coruscant. You'll probably see the information from the past article (http://www.linux.com/community/blogs/vpn-o-rama-ipcop-to-ipcop-with-ipsec.html), but we don't care.

In the VPNs menu, VPNs option, here's the situation:

Now press the "Add" button in the middle of the screen to create a new PSK VPN connection with IPSec, select Net-to-Net Virtual Private Network (we want to connect these two nets), then press Add to go on (see screenshot).

Here are the parameters for this VPN connection:

  • Name: Tatooine. The name of your VPN connection; choose the name you want, it really doesn't matter

  • Host IP Address: 10.0.0.94. Where the VPN starts: the red interface, WAN (see previous information about it)

  • Remote Host/IP: 10.0.0.96. Where your remote firewall (Tatooine) is, a static IP address in my case

  • Local Subnet: 10.0.2.0/255.255.255.0. It should already be set to your own LAN subnet on the Coruscant network

  • Remote Subnet: 10.0.4.0/255.255.255.0. Tatooine network information for our example

  • Check the "Edit advanced settings when done" check box, because you need to deal with the Phase 1 & 2 advanced parameters for the VPN settings; this is important

  • In the authentication section below select "Use a Pre-Shared key" and enter "12345" as the PSK (please choose a different one in real cases, we already have Spaceballs http://en.wikiquote.org/wiki/Spaceballs)

Here's another shot

 

Then hit Save at the bottom of the page to edit the advanced settings.

Now you're in the advanced settings page, where you can specify the connection parameters for phase 1 & 2 (VPN).

Here you need to set:

Phase 1

  • IKE Encryption to Blowfish (both 256bit and 128bit)

  • IKE Integrity to SHA1 and MD5

  • IKE Grouptype to MODP-1536 (remember 1536 bit above ???)

  • IKE Lifetime to 1 hour

Phase 2

  • ESP Encryption to Blowfish (both 256bit and 128bit)

  • ESP Integrity to SHA1 and MD5

  • ESP Grouptype to MODP-1536

  • ESP Keylife to 8 hours

Keep the additional parameters (checkboxes below) as they are, so everything unchecked except "Perfect Forward Secrecy (PFS)".

See screenshot for details

Now, under the main VPN menu on IPCop, wait a while (how long? a while...) and you'll probably see something like this (Open status is green):


 

On the PFSense side go to the Status menu, IPSec option; in the Overview tab you'll see this (the green arrow marks the link that is up):

 

As you can see from this example, all the effort goes into matching the VPN parameters: phase 1 and phase 2 settings need the same values on both sides. IKE lifetime and key life matter too; if they don't match you may not even get a connection.

 

I hope this guide is clear to everyone. I tried to find something like it when I was dealing with my first connection but unfortunately found nothing on the web.

 

Please let me know if you need further details on this connection. In the next episodes I'll show some variations of this config and connect new distros as well; share your comments, if any.

 

Previous:
VPN-O-Rama: VPNs intro, practical HOWTOs
VPN-O-Rama: IPCop to IPCop with IPSec

Next:
IPSec connection between a static and dynamic IP Address



Regards

Andrea (Ben) Benini

 

 

HOWTO MySQL: Reset root password

A few days ago I had in front of me a Gentoo installation with a MySQL daemon, no documentation provided with the machine and absolutely no root password for the DB. I had to regain the MySQL root password, and this is what I did. These instructions are valid for every Linux distro, regardless of release or flavor.

First of all, stop the mysql daemon and all running instances of mysql, something like this:

~# /etc/init.d/mysql stop
* Stopping mysql ...
* Stopping mysqld (0)                                                    [ ok ]

Starting and stopping services may vary according to your Linux distribution's documentation; double check that no zombie processes or open mysql instances remain (ps aex | grep mysql) and kill them if there are any.

Now you can run this command to start the daemon with full privileges and no authentication:

mysqld_safe --skip-grant-tables &

Even though it's not reported in the man page or documented in the built-in help:

~# mysqld_safe --help
Usage: /usr/bin/mysqld_safe [OPTIONS]
  --no-defaults              Don't read the system defaults file
  --defaults-file=FILE       Use the specified defaults file
  --defaults-extra-file=FILE Also use defaults from the specified file
  --ledir=DIRECTORY          Look for mysqld in the specified directory
  --open-files-limit=LIMIT   Limit the number of open files
  --core-file-size=LIMIT     Limit core files to the specified size
  --timezone=TZ              Set the system timezone
  --mysqld=FILE              Use the specified file as mysqld
  --mysqld-version=VERSION   Use "mysqld-VERSION" as mysqld
  --nice=NICE                Set the scheduling priority of mysqld
  --skip-kill-mysqld         Don't try to kill stray mysqld processes
  --syslog                   Log messages to syslog with 'logger'
  --skip-syslog              Log messages to error log (default)
  --syslog-tag=TAG           Pass -t "mysqld-TAG" to 'logger'

All other options are passed to the mysqld program.

You can find more info on it at http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html (I wish I'd had this link, or had just read the doc, before doing it...)

Now enter the DB with root privileges:

mysql -u root

and select the default mysql schema:

use mysql;

The "user" table is where you can find/reset/update information related to MySQL users (not that strange...):

mysql> show columns from user;
+-----------------------+-----------------------------------+------+-----+---------+-------+
| Field                 | Type                              | Null | Key | Default | Extra |
+-----------------------+-----------------------------------+------+-----+---------+-------+
| Host                  | char(60)                          | NO   | PRI |         |       |
| User                  | char(16)                          | NO   | PRI |         |       |
| Password              | char(41)                          | NO   |     |         |       |
| Select_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Insert_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Update_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Delete_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Create_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Drop_priv             | enum('N','Y')                     | NO   |     | N       |       |
| Reload_priv           | enum('N','Y')                     | NO   |     | N       |       |
| Shutdown_priv         | enum('N','Y')                     | NO   |     | N       |       |
| Process_priv          | enum('N','Y')                     | NO   |     | N       |       |
| File_priv             | enum('N','Y')                     | NO   |     | N       |       |
| Grant_priv            | enum('N','Y')                     | NO   |     | N       |       |
| References_priv       | enum('N','Y')                     | NO   |     | N       |       |
| Index_priv            | enum('N','Y')                     | NO   |     | N       |       |
| Alter_priv            | enum('N','Y')                     | NO   |     | N       |       |
| Show_db_priv          | enum('N','Y')                     | NO   |     | N       |       |
| Super_priv            | enum('N','Y')                     | NO   |     | N       |       |
| Create_tmp_table_priv | enum('N','Y')                     | NO   |     | N       |       |
| Lock_tables_priv      | enum('N','Y')                     | NO   |     | N       |       |
| Execute_priv          | enum('N','Y')                     | NO   |     | N       |       |
| Repl_slave_priv       | enum('N','Y')                     | NO   |     | N       |       |
| Repl_client_priv      | enum('N','Y')                     | NO   |     | N       |       |
| Create_view_priv      | enum('N','Y')                     | NO   |     | N       |       |
| Show_view_priv        | enum('N','Y')                     | NO   |     | N       |       |
| Create_routine_priv   | enum('N','Y')                     | NO   |     | N       |       |
| Alter_routine_priv    | enum('N','Y')                     | NO   |     | N       |       |
| Create_user_priv      | enum('N','Y')                     | NO   |     | N       |       |
| ssl_type              | enum('','ANY','X509','SPECIFIED') | NO   |     |         |       |
| ssl_cipher            | blob                              | NO   |     | NULL    |       |
| x509_issuer           | blob                              | NO   |     | NULL    |       |
| x509_subject          | blob                              | NO   |     | NULL    |       |
| max_questions         | int(11) unsigned                  | NO   |     | 0       |       |
| max_updates           | int(11) unsigned                  | NO   |     | 0       |       |
| max_connections       | int(11) unsigned                  | NO   |     | 0       |       |
| max_user_connections  | int(11) unsigned                  | NO   |     | 0       |       |
+-----------------------+-----------------------------------+------+-----+---------+-------+
37 rows in set (0.00 sec)

Now update your password with something like this:

update user set password=PASSWORD("rememberyournewpassword") where User='root';

And don't forget to flush privileges so that everything is updated:

flush privileges;

and quit the DB:

quit;

then stop/kill the running daemon and restart it in "normal" mode:

/etc/init.d/mysql stop
# Also stop any mysqld still running (the --skip-grant-tables instance started above)
ps aex | grep mysqld      # find the pid(s) of any remaining mysqld processes
kill -SIGKILL <pid>       # kill the running mysqld pid(s)
/etc/init.d/mysql start   # restart the daemon in normal mode, with authentication enabled again

Now test your new password with something like this:

mysql --host=127.0.0.1 --user=root -p

and enter your new password.
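The whole procedure above as one script, added here as an example; it is not part of the original post. It assumes the same SysV init script path the post uses (/etc/init.d/mysql) and the MySQL 5.0/5.1 PASSWORD() scheme; the function and variable names are the example's own. Beyond the steps in the post it adds the check a defender wants around this trick: --skip-grant-tables hands full privileges to every connection without asking for a password, so the script starts the temporary instance with --skip-networking (a standard mysqld option) to keep it off TCP, and afterwards audits ps output to make sure no unauthenticated mysqld is left behind. Run with no arguments it demonstrates the audit on a constructed ps sample; run as root with "--reset NEWPASSWORD" it performs the reset.

```sh
#!/bin/sh
# Added example, not from the original post. Wraps the reset procedure above and
# adds the check a defender wants: no mysqld may be left running with
# --skip-grant-tables, because in that mode every connection gets full
# privileges with no password. --skip-networking (a standard mysqld option)
# keeps the temporary instance off TCP; the local socket is all we need.

# Print the SQL the post runs, with the new password escaped for a MySQL
# single-quoted string literal (backslash and quote). PASSWORD() is the
# MySQL 5.0/5.1 hashing function the post targets.
build_reset_sql() {
    pw=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g")
    printf "USE mysql;\nUPDATE user SET Password=PASSWORD('%s') WHERE User='root';\nFLUSH PRIVILEGES;\n" "$pw"
}

# Read 'ps -eo pid,args' output on stdin and report every mysqld (or
# mysqld_safe wrapper) started with --skip-grant-tables. Returns 1 when any
# is found, 0 when clean. Instances that also carry --skip-networking are
# reachable only through the local socket (WARN); the rest accept
# unauthenticated logins from anyone who can reach the TCP port (CRIT).
audit_skip_grant_tables() {
    found=0
    while IFS= read -r line; do
        case "$line" in *' grep '*) continue ;; esac      # skip our own grep, if any
        norm=$(printf '%s' "$line" | tr '_' '-')          # mysqld accepts --skip_grant_tables too
        case "$norm" in
            *mysqld*--skip-grant-tables*) ;;
            *) continue ;;
        esac
        found=1
        pid=$(printf '%s' "$line" | awk '{print $1}')
        case "$norm" in
            *--skip-networking*) echo "WARN pid $pid: mysqld without grant tables (local socket only)" ;;
            *) echo "CRIT pid $pid: mysqld without grant tables and reachable over TCP" ;;
        esac
    done
    return $found
}

# The post's procedure end to end. Needs root and the SysV init script the
# post uses; on systemd distributions replace the two init.d calls.
reset_root_password() {
    /etc/init.d/mysql stop
    mysqld_safe --skip-grant-tables --skip-networking &
    sleep 5                                   # let mysqld open its socket
    build_reset_sql "$1" | mysql -u root      # socket connection, no password asked
    pkill -TERM mysqld                        # stops mysqld_safe too; TERM lets it flush cleanly
    sleep 2
    /etc/init.d/mysql start
    ps -eo pid,args | audit_skip_grant_tables # confirm nothing unauthenticated survived
}

# Constructed sample of 'ps -eo pid,args' output for the demonstration.
SAMPLE_PS='  PID COMMAND
  812 /bin/sh /usr/bin/mysqld_safe --skip-grant-tables --skip-networking
  901 /usr/sbin/mysqld --basedir=/usr --skip_grant_tables --skip_networking
 1204 /usr/sbin/mysqld --basedir=/usr --skip-grant-tables
 1310 grep mysqld --skip-grant-tables'

if [ "${1:-}" = "--reset" ]; then
    reset_root_password "$2"
else
    printf '%s\n' "$SAMPLE_PS" | audit_skip_grant_tables || echo "unauthenticated mysqld found"
fi
```

Note that the verification step from the post (mysql --host=127.0.0.1 --user=root -p) only works once the service is back in normal mode, because the temporary instance does not listen on TCP at all; while it is up, only the local socket connection used by the script reaches it.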

that's it

Ben