Parse apache vhosts file

So, I wanted to parse the apache config file so I could get the ServerName and the DocumentRoot of each VirtualHost.

awk '/^<VirtualHost*/,/^<\/VirtualHost>/{if(/^<\/VirtualHost>/)p=1;if(/ServerName|DocumentRoot|## User/)out = out (out?OFS:"") (/User/?$3:$2)}p{print out;p=0;out=""}' vhosts.conf

The command will output the info in the format:

ServerName DocumentRoot

or the opposite, depending on the order in which the two directives appear inside the VirtualHost block.

Note: You should exclude those VirtualHosts that are only redirects.
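As an added example (not part of the original note), a small Python parser that does the same job as the awk one-liner but always emits ServerName before DocumentRoot and drops the redirect-only VirtualHosts the note says to exclude; the vhosts file below is constructed for the demonstration.

```python
import re

# Constructed sample vhosts file for the demonstration (not a real config).
SAMPLE_CONF = """\
# redirect-only vhost: no DocumentRoot, it just sends clients to HTTPS
<VirtualHost *:80>
    ServerName example.org
    Redirect permanent / https://example.org/
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/var/www/example.org"
    ServerName example.org
    ServerAlias www.example.org
</VirtualHost>

<VirtualHost *:80>
    ServerName intranet.example.org
    DocumentRoot /var/www/intranet
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"<VirtualHost\b", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"</VirtualHost>", re.IGNORECASE)
# Directives that, without a DocumentRoot alongside them, make a vhost a pure redirect.
REDIRECT_DIRECTIVES = {"redirect", "redirectmatch", "redirectpermanent", "redirecttemp"}


def parse_vhosts(text, skip_redirects=True):
    """Return [(ServerName, DocumentRoot), ...], one tuple per VirtualHost block."""
    # Directive names are matched case-insensitively, as Apache does. A block with a
    # Redirect* directive and no DocumentRoot is redirect-only and is dropped when
    # skip_redirects is True; a missing value is reported as None.
    results = []
    block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and surrounding whitespace
        if VHOST_OPEN.match(line):
            block = {"servername": None, "documentroot": None, "redirect": False}
            continue
        if block is None:
            continue  # outside any VirtualHost: ignore
        if VHOST_CLOSE.match(line):
            redirect_only = block["redirect"] and block["documentroot"] is None
            if not (skip_redirects and redirect_only):
                results.append((block["servername"], block["documentroot"]))
            block = None
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key in ("servername", "documentroot"):
            block[key] = value
        elif key in REDIRECT_DIRECTIVES:
            block["redirect"] = True
    return results
```

Feed it the contents of vhosts.conf (for example `parse_vhosts(open("vhosts.conf").read())`) to get the same ServerName/DocumentRoot pairs the awk command prints, minus the redirect-only hosts.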

Change sendmail queue

To actually change it, modify the /etc/sysconfig/sendmail file. It’ll look something like this:

DAEMON=yes
QUEUE=1h

Change the QUEUE unit to suit your preferences.

QUEUE=5m

Forcing queue send on individual email message

You can flush the message with:

sendmail -qIyourqueueID -oTnow

The “I” flag to the -q flag specifies which queue ID to use. The -oTnow flag sets the queue timeout to “now”. Note sendmail will still try to deliver the message once when you do this.

Vulnerable service: Netbios

Go into your firewall file /etc/sysconfig/iptables.

If you use Active Directory and want to enable only that function in Samba, use:

-A RH-Firewall-1-INPUT -s 192.168.10.0/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.10.0/24 -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT

Don’t be scared of the syntax. I’m not going to cover firewalls, but understand the basics.

-s (ip address) [limits the rule to the Class C range of your installation. Of course you need to change this to your own network; this makes it far more secure than giving the entire world access to your network.]

--state NEW [basically means a new rule.]

-p [the protocol of the port you want to open up, which is either tcp or udp. I’ve done the hard work for you so you don’t have to figure out which type to open up.]

--dport 445 [This is the port number. Again, for AD we use port 445.]

Now, if your Samba setup demands the old netbios calls:

-A RH-Firewall-1-INPUT -s 192.168.10.0/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.10.0/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.10.0/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT

Be sure to watch out for case issues and don’t make a mistake on tcp or udp, otherwise Samba won’t function properly. This has to be right — as I’ve found out myself with a couple of typos!

Now restart the firewall. There are two ways of restarting a service on CentOS:

  1. service iptables restart
  2. /etc/init.d/iptables restart

Either one works. You can also just restart the server if you want to as well.

Note: You can use Red Hat’s system tool for editing the firewall, but it is not recommended. It won’t add the -s parameter and will open up all the Samba ports, 137 – 139 and 445, to everyone, which is not a recommended scenario.
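As an added example (not from the CentOS wiki this section is taken from), a Python check that reads rules in the /etc/sysconfig/iptables syntax shown above and reports every ACCEPT on the NetBIOS/SMB ports that lacks the -s source restriction, which is exactly what the system tool mentioned in the note produces; the rule set is constructed for the demonstration.

```python
import shlex

# NetBIOS name/datagram/session service ports and SMB over TCP.
SMB_PORTS = {137, 138, 139, 445}
ANY_SOURCE = {None, "0.0.0.0/0", "0/0", "0.0.0.0/0.0.0.0"}

# Constructed sample in /etc/sysconfig/iptables syntax. The first two rules
# follow the recipe above (source limited to one subnet); the next two show
# what an unrestricted rule set looks like, with no -s at all.
SAMPLE_RULES = """\
-A RH-Firewall-1-INPUT -s 192.168.10.0/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.10.0/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137:138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
"""


def _port_set(spec):
    """Expand a --dport value ('445' or '137:139') into a set of ints; named ports give an empty set."""
    lo, _, hi = spec.partition(":")
    if not lo.isdigit() or (hi and not hi.isdigit()):
        return set()
    return set(range(int(lo), int(hi or lo) + 1))


def parse_rule(line):
    """Pull the options this audit needs out of one '-A ...' rule line."""
    rule = {"chain": None, "src": None, "dports": set(), "target": None}
    toks = shlex.split(line)
    for i, tok in enumerate(toks[:-1]):  # every option read here takes one argument
        arg = toks[i + 1]
        if tok == "-A":
            rule["chain"] = arg
        elif tok in ("-s", "--source", "--src"):
            rule["src"] = arg
        elif tok in ("--dport", "--destination-port"):
            rule["dports"] = _port_set(arg)
        elif tok == "-j":
            rule["target"] = arg
    return rule


def unrestricted_smb_rules(text):
    """Return the rule lines that ACCEPT NetBIOS/SMB ports from any source."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A"):
            continue  # comments, *filter/COMMIT lines and chain definitions
        rule = parse_rule(line)
        if rule["target"] == "ACCEPT" and rule["dports"] & SMB_PORTS and rule["src"] in ANY_SOURCE:
            findings.append(line)
    return findings
```

Run `unrestricted_smb_rules(open("/etc/sysconfig/iptables").read())` after editing the file; an empty list means every Samba rule carries a source restriction.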

SOURCE: https://wiki.centos.org/HowTos/SetUpSamba

Install PECL/PEAR PHP modules on CentOS

The default RHEL 5.2 installation does not come with xdebug as part of any of the php RPMs. A quick look around the Net also provided no real RPM candidates that I could use on this system so I had to fall back to using the package management tools (pecl and pear) provided by php.

$ sudo pecl install xdebug
downloading xdebug-2.0.3.tgz ...
Starting to download xdebug-2.0.3.tgz (286,325 bytes)
...........................................................done: 286,325 bytes
66 source files, building
running: phpize
Configuring for:
PHP Api Version:         20041225
Zend Module Api No:      20060613
Zend Extension Api No:   220060519
/usr/bin/phpize: /tmp/pear/download/xdebug-2.0.3/build/shtool: /bin/sh: bad interpreter: Permission denied
Cannot find autoconf. Please check your autoconf installation and the $PHP_AUTOCONF
environment variable is set correctly and then rerun this script.

ERROR: `phpize' failed

Yep, loving it already!

Why on earth am I not able to invoke /bin/sh (as can be seen by the ‘/bin/sh: bad interpreter: Permission denied’ error above)? Let’s see if root can actually run the shell interpreter:

$ sudo /bin/sh
sh-3.2# exit

OK, everything looks good. Why is it breaking when we’re trying to run the interpreter from /tmp/pear/download/xdebug-2.0.3/build/shtool?

Back to basics

Perhaps this has something to do with where we’re trying to run it from: the user we’re doing the installation as (root) seems to be capable of running the interpreter, but not from the shtool script, for some reason.

$ ls -ld /tmp/
drwxrwxrwt 17 root root 4096 Jun 18 07:41 /tmp/

Obviously _not_ a permissions issue.

$ grep tmp /etc/fstab
/dev/sda2     /tmp    ext3    defaults,nosuid,nodev,noexec    1 2

Ah, there you are! /tmp is mounted with a ‘noexec’ flag so that’s what’s causing the execution to fail when we try to install xdebug via pecl. No problem, I’ll just set pecl to use /var/tmp instead … oh, wait, on RHEL systems /var/tmp is just a symlink to /tmp.

*sigh*

Hand me half a brick

Time to work around the issue. Let’s go find those directories pear expects to be somehow related to /tmp or /var/tmp:

$ pear config-show | grep tmp
PEAR Installer download        download_dir     /tmp/pear/download
PEAR Installer temp directory  temp_dir         /var/tmp
$ pear config-set download_dir /root/tmp/pear/download
$ pear config-set temp_dir /root/tmp

I updated these to temporarily point elsewhere:

$ pecl config-show | grep tmp
PEAR Installer download        download_dir     /root/tmp/pear/download
PEAR Installer temp directory  temp_dir         /root/tmp

$ sudo mkdir -p /root/tmp/pear/download

Source: http://blog.ntrippy.net/2008/06/installing-peclpear-php-modules-on-rhel.html

Update ICU for php-intl on CentOS

I chose to install the latest version for CentOS 5 available on http://site.icu-project.org.

make sure we have the developer packages needed for the procedure

# yum -y install php-devel php-pear

download and unpack the source tarball for the relevant ICU library version

# mkdir src
# cd src/
# wget http://download.icu-project.org/files/icu4c/58.1/icu4c-58_1-src.tgz
# tar zxf icu4c-58_1-src.tgz

build and install the library into /opt/icu4c-58_1

# cd icu/source/
# ./configure --prefix /opt/icu4c-58_1 && make && make install

build and install the php-intl version
enter /opt/icu4c-58_1 at prompt for ICU library location

# pecl install intl
# ldconfig

add an ini file with the contents: extension=intl.so

# vi /etc/php.d/intl.ini

you can now check to see if it’s loaded

# php -i | grep intl

restart the apache web server and you’re good to go

# service httpd restart

Yum install/update errors “cpio: rename”

Occasionally, RPMs will set the xattr immutable flag on important libraries as a safety mechanism to try to prevent core OS breakage. Unfortunately, this will cause package upgrade failures with vague error messages. E.g.:

[root@archive ~]# yum update -y nss
Loaded plugins: fastestmirror, priorities, security, upgrade-helper
Loading mirror speeds from cached hostfile
 * epel: mirrors.sdm.noao.edu
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package nss.i386 0:3.13.6-3.el5_9 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch           Version                   Repository         Size
================================================================================
Updating:
 nss           i386           3.13.6-3.el5_9            updates           1.1 M

Transaction Summary
================================================================================
Install       0 Package(s)
Upgrade       1 Package(s)

Total download size: 1.1 M
Downloading Packages:
nss-3.13.6-3.el5_9.i386.rpm                              | 1.1 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : nss                                                      1/2 
Error unpacking rpm package nss-3.13.6-3.el5_9.i386
error: unpacking of archive failed on file /usr/lib/libfreebl3.so: cpio: rename

Failed:
  nss.i386 0:3.13.6-3.el5_9                                                     

Complete!

RPM uses cpio as its archive format, which is why we’re seeing a cpio error when trying to replace the file /usr/lib/libfreebl3.so.
Let’s investigate that file.

[root@archive ~]# ls -la /usr/lib/libfreebl3.so
-rwxr-xr-x 1 root root 240612 Apr  8  2007 /usr/lib/libfreebl3.so
[root@archive ~]# lsattr /usr/lib/libfreebl3.so
----i-------- /usr/lib/libfreebl3.so

The “immutable” flag has been set, which means that the file cannot be modified or unlinked regardless of its standard POSIX permissions. We need to remove that flag in order for the package upgrade to complete.
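As an added example (not from the source post), a Python check that audits every file of a package for the 'i' (immutable) and 'a' (append-only) attributes in one pass, instead of discovering them one failed update at a time as happens below; the lsattr output is constructed for the demonstration.

```python
import re
import subprocess

# lsattr prints a flag string followed by the path. Both 'i' (immutable) and
# 'a' (append-only) stop rpm from renaming or unlinking the file.
BLOCKING_FLAGS = {"i", "a"}
FLAG_FIELD = re.compile(r"^[-A-Za-z]+$")

# Constructed lsattr output for the demonstration, in the format shown above.
SAMPLE_LSATTR = """\
------------- /usr/lib/libnss3.so
----i-------- /usr/lib/libfreebl3.so
------------- /usr/lib/libnssckbi.so
----i-------- /usr/lib/libsoftokn3.so
-----a------- /var/log/example.log
lsattr: Operation not supported While reading flags on /usr/share/doc/nss/README
"""


def find_locked_files(lsattr_output):
    """Return [(path, flag), ...] for every file lsattr reports as immutable or append-only."""
    locked = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not FLAG_FIELD.match(parts[0]):
            continue  # error lines such as 'lsattr: Operation not supported ...'
        flags, path = parts
        for flag in sorted(BLOCKING_FLAGS):
            if flag in flags:  # case-sensitive: 'A' (no atime) is a different flag
                locked.append((path, flag))
    return locked


def chattr_commands(locked):
    """The chattr invocations needed before the update is retried, one per file."""
    return ["chattr -%s %s" % (flag, path) for path, flag in locked]


def audit_package(package):
    """Run 'rpm -ql <package>' and 'lsattr -d' for real and audit the result (needs rpm and lsattr)."""
    files = subprocess.run(["rpm", "-ql", package], capture_output=True, text=True, check=True).stdout.splitlines()
    out = subprocess.run(["lsattr", "-d"] + files, capture_output=True, text=True)
    return find_locked_files(out.stdout + out.stderr)


if __name__ == "__main__":
    for cmd in chattr_commands(find_locked_files(SAMPLE_LSATTR)):
        print(cmd)
```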

[root@archive ~]# chattr -i /usr/lib/libfreebl3.so
[root@archive ~]# lsattr /usr/lib/libfreebl3.so
------------- /usr/lib/libfreebl3.so

Now we can try to update the nss package again…

[root@archive ~]# yum update -y nss
Loaded plugins: fastestmirror, priorities, security, upgrade-helper
Loading mirror speeds from cached hostfile
 * epel: mirrors.sdm.noao.edu
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package nss.i386 0:3.13.6-3.el5_9 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch           Version                   Repository         Size
================================================================================
Updating:
 nss           i386           3.13.6-3.el5_9            updates           1.1 M

Transaction Summary
================================================================================
Install       0 Package(s)
Upgrade       1 Package(s)

Total download size: 1.1 M
Downloading Packages:
nss-3.13.6-3.el5_9.i386.rpm                              | 1.1 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : nss                                                      1/2 
Error unpacking rpm package nss-3.13.6-3.el5_9.i386
error: unpacking of archive failed on file /usr/lib/libsoftokn3.so: cpio: rename

Failed:
  nss.i386 0:3.13.6-3.el5_9                                                     

Complete!

Looks like we found another file with xattrs set…

[root@archive ~]# ls -la /usr/lib/libsoftokn3.so
-rwxr-xr-x 1 root root 348040 Apr  8  2007 /usr/lib/libsoftokn3.so
[root@archive ~]# lsattr /usr/lib/libsoftokn3.so
----i-------- /usr/lib/libsoftokn3.so
[root@archive ~]# chattr -i /usr/lib/libsoftokn3.so
[root@archive ~]# lsattr /usr/lib/libsoftokn3.so
------------- /usr/lib/libsoftokn3.so

Let’s try that update yet again…

[root@archive ~]# yum update -y nss
Loaded plugins: fastestmirror, priorities, security, upgrade-helper
Loading mirror speeds from cached hostfile
 * epel: mirrors.sdm.noao.edu
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package nss.i386 0:3.13.6-3.el5_9 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch           Version                   Repository         Size
================================================================================
Updating:
 nss           i386           3.13.6-3.el5_9            updates           1.1 M

Transaction Summary
================================================================================
Install       0 Package(s)
Upgrade       1 Package(s)

Total download size: 1.1 M
Downloading Packages:
nss-3.13.6-3.el5_9.i386.rpm                              | 1.1 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : nss                                                      1/2 
/sbin/ldconfig: /usr/lib/libsoftokn3.so is not a symbolic link

/sbin/ldconfig: /usr/lib/libfreebl3.so is not a symbolic link

  Cleanup        : nss                                                      2/2 

Updated:
  nss.i386 0:3.13.6-3.el5_9                                                     

Complete!

Source: https://joshua.hoblitt.com/rtfm/2013/05/dealing_with_rpm_cpio_rename_package_installupdate_errors/

Install PHP 5.5 on CentOS 5

Check whether any PHP packages are installed:

# yum list installed | grep php

If there are any, they need to be removed:

# yum remove php php-cli php-common php-gd php-ldap php-mbstring php-mcrypt php-mysql php-pdo

Install the webtatic repository

# rpm -Uvh http://mirror.webtatic.com/yum/el5/latest.rpm

We can then check which packages are available:

# yum --enablerepo=webtatic list available | grep php55w

Next, we install the PHP 5.5 packages

# yum --enablerepo=webtatic install php55w php55w-cli php55w-common php55w-gd php55w-ldap php55w-mbstring php55w-mcrypt php55w-mysql php55w-pdo php55w-soap php55w-intl php55w-opcache

Note: In my case, the repository had already been installed earlier and it would not let me install the PHP 5.5 packages because the repository keys were not valid. The keys had to be updated:

# rpm --import http://repo.webtatic.com/yum/RPM-GPG-KEY-webtatic-andy

PHP should now be at version 5.5. We can check with the command:

# php -v
PHP 5.5.38 (cli) (built: Jul 21 2016 13:42:32)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies

Finally, we restart Apache:

# service httpd restart

Configure Logwatch to use ssmtp

This guide will explain how to set up ssmtp (a simple SMTP delivery agent) for emailing logs to an email address using logwatch.

Firstly, in a terminal, enter

yum install ssmtp

After ssmtp has installed, open the configuration file with

vim /etc/ssmtp/ssmtp.conf

and fill in the configuration file as follows:

#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=!!!insert outgoing email address here!!!

# The place where the mail goes. The actual machine name is required no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
mailhub=smtp.gmail.com:587

# Where will the mail seem to come from?
rewriteDomain=!!!enter your domain name here!!!

# The full hostname
hostname=!!!insert outgoing email address here!!!

# Are users allowed to set their own From: address? Not recommended with gmail
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
#FromLineOverride=YES

# Username and password for Google's Gmail servers
# From addresses are settled by Mutt's rc file, so
# with this setup one can still achieve multi-user SMTP
AuthUser=!!!email user name!!!
AuthPass=!!!email password!!!

#Uncomment these settings for use with gmail
#UseTLS=YES
#UseSTARTTLS=YES
#mailhub=smtp.gmail.com:587

You can now test that ssmtp is working with

cat - | /usr/sbin/ssmtp -v <your-email-address>

press Ctrl+D to send the test message

If the message has been received, we can go on and configure logwatch.

Edit logwatch to change mailer

# vim /etc/logwatch/conf/logwatch.conf
mailer = "ssmtp -v <your-email-address>"

To test it works send the security log with

sudo logwatch --logfile secure --detail high --mailto <your-email-address> --range yesterday

The certificate for ServerName.com will expire in x days

The server was sending this email:

################# SSL Certificate Warning ################

Certificate for hostname 'ServerName.com', in file (or by nickname):
 /etc/pki/tls/certs/localhost.crt

The certificate needs to be renewed; this can be done
 using the 'genkey' program.

Browsers will not be able to correctly connect to this
 web site using SSL until the certificate is renewed.

##########################################################
 Generated by certwatch(1)

You can use the ‘genkey’ program to renew an SSL certificate if your certificate is signed by a CA (Certificate Authority), but if you’re using a self-signed certificate (like me), then genkey won’t work. The quickest solution is to merely re-create your own certificate.

Step 1: Verify Your Current Certificate Directives

If your certificate has recently expired, then it’s probably been at least a year since you tinkered with it. The warning email told you the path of your certificate file, but you should also verify the filenames, locations, and the directives of your web server’s SSL configuration by doing:

grep SSLCertificate /etc/httpd/conf.d/ssl.conf

You should get something like:

# Point SSLCertificateFile at a PEM encoded certificate. If
 SSLCertificateFile /etc/pki/tls/certs/server.crt
 SSLCertificateKeyFile /etc/pki/tls/private/server.key
 # Point SSLCertificateChainFile at a file containing the
 # the referenced file can be the same as SSLCertificateFile
 #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

You’re interested in the SSLCertificateFile and SSLCertificateKeyFile directives. This example uses server.crt and server.key as the names of the certificate files. Yours may be different. Just replace them as necessary in the following instructions.

Next, take note of the permissions of those two files:

ls -lh /etc/pki/tls/certs/server.crt
 -rw------- 1 root root 1.5K Jun 24 23:02 /etc/pki/tls/certs/server.crt

ls -lh /etc/pki/tls/private/server.key
 -rw------- 1 root root 891 Jun 24 23:02 /etc/pki/tls/private/server.key

They are owned by root and can only be read and written to by root (permission 600). Your new files will need the same permissions when you’re done.

Step 2: Create the New Self-Signed Certificate and Key Files

Type the following:

openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/server.crt -keyout /etc/pki/tls/private/server.key

Answer the questions as they are presented to create your new certificate files, starting with the two-letter country code and ending with your email address. If you make a mistake, don’t worry. Just re-run the command and it will overwrite the files.

Your file permissions may not have been affected, but in some cases you’ll need to update their permissions. Do:

chmod 600 /etc/pki/tls/certs/server.crt
chmod 600 /etc/pki/tls/private/server.key

Step 3: Restart Your Web Server

Type service httpd restart to restart your web server and tell it to use the new certificate files.

You’re done!

Source: http://www.stevejenkins.com/blog/2010/08/renewing-a-self-signed-ssl-certificate-on-fedoracentos/