Category Archives: Red Hat/CentOS

Extra Packages for Enterprise Linux – EPEL HowTo

EPEL (Extra Packages for Enterprise Linux) is a volunteer-based community effort from the Fedora project to create a repository of high-quality add-on packages that complement the Fedora-based Red Hat Enterprise Linux (RHEL) and its compatible spinoffs, such as CentOS and Scientific Linux.

Adding EPEL repo is very easy:

wget http://ftp.heanet.ie/pub/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm

For reasons unknown to me, CentOS 6.x ships without the php-mcrypt package, and it cannot be installed from the base repos. Some apps will complain about this, and one solution is to install the rpm from the EPEL repo. After you have added the EPEL repo, type:

yum install php-mcrypt

Centos server – DOCSIS howto

DOCSIS stands for Data over Cable Service Interface Specification and is a standard developed by Cablelabs.

docsis is a small program that can be used to generate binary configuration files for DOCSIS-compliant cable modems. Download the latest version from the project's download page; version 0.9.6 is used below.

Unpack the downloaded package with

tar -xvzf docsis-0.9.6.tar.gz
cd docsis-0.9.6/
./configure
make
make install

If configure complains about missing packages, install them with yum (usually gcc, bison, net-snmp-devel and flex).

Run the docsis command without arguments to see its usage:

[root@s1 /]# docsis
DOCSIS Configuration File creator, version 0.9.6
Copyright (c) 1999,2000,2001 Cornel Ciocirlan, ctrl@users.sourceforge.net
Copyright (c) 2002,2003,2004,2005 Evvolve Media SRL, docsis@evvolve.com
 
To encode a cable modem configuration file:
         docsis -e   
To encode multiple cable modem configuration files:
         docsis -m  ...   
To encode a MTA configuration file:
         docsis -p  
To encode multiple MTA configuration files:
         docsis -m -p  ...  
To decode a CM or MTA config file:
         docsis -d 
 
Where:
              = name of text (human readable) cable modem or MTA
                          configuration file
              = text file containing the authentication key
                          (shared secret) to be used for the CMTS MIC
           = name of output file where the binary data will
                          be written to (if it does not exist it is created).
           = name of binary file to be decoded
         = new extension to be used when encoding multiple files
 
See examples/*.cfg for configuration file format.
 
Please send bugs or questions to docsis-users@lists.sourceforge.net

NOTE

You may get the following error during make:

docsis_lex.o: In function `yylex':
/downloads/docsis-0.9.6/src/docsis_lex.c:1734: undefined reference to `yywrap'
collect2: ld returned 1 exit status
make[2]: *** [docsis] Error 1
make[2]: Leaving directory `/downloads/docsis-0.9.6/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/downloads/docsis-0.9.6'
make: *** [all] Error 2

To solve this problem, install flex with yum install flex flex-devel.
Then repeat the ./configure and make commands.

How to set Access/Restrictions on users logins

I wanted to enable a time limit for some users so they are able to use the FTP server only during working hours.

For RH based systems with Vsftpd

Open /etc/security/time.conf and add

vsftpd;*;SOME_USER;Al0800-1600

to the end.

Then open /etc/pam.d/vsftpd and add

account    required     pam_time.so

as the first line of the account section, so the file looks like this:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    required     pam_time.so
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

Save the changes and try to log in via FTP. If you want to restrict SSH logins in the same way, do the same:

Add

account    required     pam_time.so

inside /etc/pam.d/sshd and

sshd;*;SOME_USER;Al0800-1600

inside /etc/security/time.conf file.
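To check a time.conf rule before relying on it, here is an added Python evaluator (not code from the original post or from pam_time itself) for the rule syntax used above: services;ttys;users;times, with Al/Wk/Wd and two-letter day codes, '|' lists, '*' wildcards and a leading '!' for negation. It applies pam_time's rule that any matching line whose time window excludes the login denies it; the exact end-minute boundary is an assumption of this example.

```python
import datetime as dt

# Day codes accepted by /etc/security/time.conf; Al/Wk/Wd are group aliases.
_DAYS = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
_GROUPS = {"Al": set(range(7)), "Wk": set(range(5)), "Wd": {5, 6}}

def parse_days(spec):
    """Expand concatenated day codes; a repeated day toggles, so AlFr = every day but Friday."""
    days = set()
    for i in range(0, len(spec), 2):
        code = spec[i:i + 2]
        if code in _GROUPS:
            days ^= _GROUPS[code]
        elif code in _DAYS:
            days ^= {_DAYS[code]}
        else:
            raise ValueError("bad day code %r in %r" % (code, spec))
    return days

def time_matches(timespec, when):
    """True if 'when' falls inside the time field, e.g. Al0800-1600 (any day, 08:00 up to 16:00).
    '|' separates alternatives, a leading '!' negates the whole field; the end minute is
    treated as outside the window (assumption of this example)."""
    negate = timespec.startswith("!")
    hhmm = when.hour * 100 + when.minute
    hit = False
    for alt in timespec.lstrip("!").split("|"):
        days, window = alt[:-9], alt[-9:]            # trailing HHMM-HHMM
        start, end = (int(x) for x in window.split("-"))
        if when.weekday() not in parse_days(days):
            continue
        if start <= end:
            hit = hit or start <= hhmm < end
        else:                                        # window wraps past midnight
            hit = hit or hhmm >= start or hhmm < end
    return hit != negate

def field_matches(field, value):
    """services/ttys/users fields: '*' wildcard, '|' lists alternatives, leading '!' negates."""
    negate = field.startswith("!")
    names = field.lstrip("!").split("|")
    return ("*" in names or value in names) != negate

def login_allowed(conf_text, service, user, when, tty="*"):
    """Apply time.conf lines the way pam_time does: a matching rule whose time field
    excludes 'when' denies the login; if no rule matches, the login is allowed."""
    if isinstance(when, str):
        when = dt.datetime.fromisoformat(when)
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        services, ttys, users, times = (f.strip() for f in line.split(";"))
        if (field_matches(services, service) and field_matches(ttys, tty)
                and field_matches(users, user) and not time_matches(times, when)):
            return False
    return True
```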

CentOS server – Simple quota howto

From time to time you can run into storage issues where users are uncontrolled and decide to use your storage as their own. There are several solutions to this problem and I'll tell you two of them. The first solution is to delete their account and break their arms so they won't be able to use a computer at all. This solution is not always acceptable, so you should check the second one…

Continue reading CentOS server – Simple quota howto

CentOS server – basic Apache settings

It is recommended to set up a few things before you go live with your web server.

Remove the welcome page

Open /etc/httpd/conf.d/welcome.conf file and comment all lines.

#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL.  To disable the Welcome page, comment
# out all the lines below.
#
#<LocationMatch "^/+$">
#    Options -Indexes
#    ErrorDocument 403 /error/noindex.html
#</LocationMatch>

Restart Apache with service httpd restart.

Basic httpd config

Open /etc/httpd/conf/httpd.conf and find the line

Options Indexes FollowSymLinks

inside the <Directory "/var/www/html"> section. Add a - (minus) before Indexes, as shown below.

Options -Indexes FollowSymLinks

(If you leave this line as it was, the file and directory listing of /var/www/html will be shown to anyone.)

Do not change the "LogLevel warn" line while you're testing your web apps. Later, when you fire up your server for production use, replace warn with crit.

For security reasons, it is a good idea to remove the server signature. To achieve this, find the line ServerSignature On and replace On with Off:

ServerSignature Off

Also, if you want to hide the web server version, OS, etc., check the ServerTokens parameter. The CentOS default is ServerTokens OS.
All available options are:

ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full
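To check that the settings above actually made it into httpd.conf before going live, here is an added Python audit script (not code from the original post or from Apache). It parses a constructed sample of the stock CentOS httpd.conf lines, tracks the enclosing <Directory> block, and reports the four settings discussed above; the docroot path and the sample text are assumptions.

```python
import re

# Constructed sample of the stock CentOS httpd.conf lines the post tells you to change.
SAMPLE_CONF = """\
ServerTokens OS
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
LogLevel warn
ServerSignature On
"""

# ServerTokens values that reveal the least; anything else is reported.
_QUIET_TOKENS = {"prod", "productonly"}

def parse_directives(conf_text):
    """Yield (directory_context, name, args) per directive, skipping comments.
    directory_context is the path of the enclosing <Directory> block or None;
    only <Directory> containers are tracked, which is all these checks need."""
    context = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opener = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.IGNORECASE)
        if opener:
            context = opener.group(1)
            continue
        if line.lower().startswith("</directory"):
            context = None
            continue
        parts = line.split(None, 1)
        args = parts[1].split() if len(parts) > 1 else []
        yield context, parts[0], args

def audit(conf_text, docroot="/var/www/html"):
    """Return a list of findings for the settings discussed above; [] means all pass."""
    findings = []
    for ctx, name, args in parse_directives(conf_text):
        key = name.lower()
        first = args[0].lower() if args else ""
        if key == "options" and ctx == docroot:
            if any(a.lower() in ("indexes", "+indexes") for a in args):
                findings.append("directory listing enabled for %s: use -Indexes" % docroot)
        elif key == "serversignature" and first == "on":
            findings.append("ServerSignature On: version footer on error pages")
        elif key == "servertokens" and first not in _QUIET_TOKENS:
            findings.append("ServerTokens %s: Server header reveals details" % first)
        elif key == "loglevel" and first == "warn":
            findings.append("LogLevel warn: testing level, use crit in production")
    return findings
```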

CentOS server – Vsftpd Howto

To set up your CentOS box as a reasonably secure FTP server, follow the next few steps.

Install VSFTPD with

yum install vsftpd

Turn on vsftpd auto start with

chkconfig --level 235 vsftpd on

Open vsftpd.conf

nano /etc/vsftpd/vsftpd.conf

and edit the following:

1. Change anonymous_enable=YES to anonymous_enable=NO

2. Uncomment chroot_local_user=YES line (In CentOS 5.x you will need to add this line)

3. Change the default port number from 21 to XXXXX (where XXXXX is above 1024) with listen_port=XXXXX

If this line doesn't exist, add it at the end of the file. Be sure that port XXXXX is accessible.

Restart vsftpd with service vsftpd restart. Please keep in mind that changing the default port number doesn't mean your server is 100% secure. It helps you avoid random dictionary attacks and keeps your log files much smaller. A good password is a MUST.

PHP Fatal error: Class ‘DOMDocument’ not found in …

This morning I found the following errors in the web server log.

PHP Warning: include(DOMDocument.php) [<a href="function.include">function.include</a>]: failed to open stream: No such file or directory in ......
PHP Warning: include() [<a href="function.include">function.include</a>]: Failed opening 'DOMDocument.php' for inclusion (include_path='.....
PHP Fatal error: Class 'DOMDocument' not found in .....

The solution for this problem is to install the missing php-xml rpm.

yum install php-xml

MySQL Performance – Howto – part 1 (high performance tuning scripts)

Often the server admin has little control over the applications that use MySQL, and it is hard to find the bottlenecks. This blog post can't bring peace to the world or help NASA finally land on Mars. Instead of those tasks, I'll try to solve something else and present my own experiences with MySQL storage engines (at least MyISAM and InnoDB, as the most popular ones).
Continue reading MySQL Performance – Howto – part 1 (high performance tuning scripts)

FreeRadius install howto (3)

In this post I will say something about the FreeRadius config files, the database connection, basic instructions on how to insert users into the database, etc. Before you step into this post, I recommend reading part 1 and part 2.

I suppose you're using an RH-based distro (Red Hat, CentOS, Fedora, ...) and you have already installed FreeRadius from source (config files are located in /usr/local/etc/raddb/). Now let's get back to the FreeRadius source dir (the place where you extracted the tar.gz).

Inside the redhat dir you can find the freeradius-radiusd-init script, which can be used to easily start/stop the radiusd process. Copy this script to the /etc/init.d/ dir:

# cp freeradius-radiusd-init /etc/init.d/radiusd

Now open the /etc/init.d/radiusd script and change the following lines

exec=${exec:=/usr/sbin/$prog}
config_dir=${config_dir:=/etc/raddb}
config=${config:=$config_dir/radiusd.conf}
pidfile=${pidfile:=/var/run/$prog/$prog.pid}
lockfile=${lockfile:=/var/lock/subsys/radiusd}

into

exec=${exec:=/usr/local/sbin/$prog}
config_dir=${config_dir:=/usr/local/etc/raddb}
config=${config:=$config_dir/radiusd.conf}
pidfile=${pidfile:=/usr/local/var/run/$prog/$prog.pid}
lockfile=${lockfile:=/var/lock/subsys/radiusd}

Save changes and exit from editor. (Notice above that we actually changed the path from / to /usr/local/)

Now you can easily start/stop radiusd process.

[root@ms /]# service radiusd
Usage: /etc/init.d/radiusd {start|stop|status|restart|condrestart|try-restart|reload|force-reload}

Also, you can run chkconfig --level 235 radiusd on to start radiusd on boot.

Now lets get back to our setup.

I suppose you have at least one NAS (a Network Access Server (NAS) is a system that provides access to a network; in some cases it is also known as a Terminal Server or Remote Access Server (RAS)). A NAS is a CLIENT of your radiusd server, so please do not confuse users and clients. FreeRadius doesn't interact with your users directly, so "radius client" is another term for NAS.

The first step is to add your NAS to the client list and create a unique secret for it. Inside clients.conf (/usr/local/etc/raddb/clients.conf) you can find the following lines

#client 192.168.0.0/24 {
#       secret          = testing123-1
#       shortname       = private-network-1
#}

Uncomment those lines and set the client IP address according to your addressing. In the example shown above, all IPs from the 192.168.0.0/24 network will be able to use your radiusd server.

You can allow any IP with

client 0.0.0.0/0 {
       secret          = mysecret
       shortname       = myNAS
}

which means all IPs in the world can use my radius server (not recommended: anyone who learns the secret can then talk to it from anywhere)…

To allow only one IP (in this case 192.168.0.15),

client 192.168.0.15 {
       secret          = mysecret
       shortname       = myNAS
}

Delete the user Cleartext-Password := "password" line from users, because we don't need it any more.

Stop radiusd and start in debugging mode (radiusd -X).

You should see lines similar to these:

...............
radiusd: #### Loading Clients ####
 client localhost {
        ipaddr = 127.0.0.1
        require_message_authenticator = no
        secret = "testing123"
        nastype = "other"
 }
 client 192.168.0.15 {
        require_message_authenticator = no
        secret = "mysecret"
        shortname = "myNAS"
 }
...........

This means that radiusd will allow NAS with IP address 192.168.0.15 and secret mysecret. Ctrl+C to stop radiusd.
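The secret in clients.conf is what the RADIUS protocol itself uses to hide User-Password on the wire (RFC 2865, section 5.2), which is why a guessable secret on a 0.0.0.0/0 client is a real exposure. As an added example (not code from the original post or from FreeRADIUS), the Python below hides and recovers a password with a constructed secret and builds a minimal Access-Request; the secret, username and authenticator values are all constructed.

```python
import hashlib
import os
import struct

# Constructed sample secret; mirrors the clients.conf entry above.
SECRET = b"mysecret"

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block),
    where the first 'previous block' is the 16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * max(16 - len(password), -len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block                 # next block is masked with this ciphertext block
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; a wrong secret yields garbage, not an error, so the
    server only learns the secret was wrong when the password check fails."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")       # strips padding (and any trailing NULs in the password)

def attribute(atype, value):
    """One RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def access_request(identifier, username, password, secret, authenticator=None):
    """Build an Access-Request (Code 1) carrying User-Name (1) and User-Password (2).
    Returns (packet, authenticator) so the caller can verify the reply later."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(1, username) + attribute(2, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator
```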

If you want to use MySQL with freeradius, do the following. First, you need to create a database for freeradius.

Connect to MySQL as root and execute the following queries:

CREATE USER 'radius'@'localhost' IDENTIFIED BY  'radpass';
GRANT USAGE ON * . * TO  'radius'@'localhost' IDENTIFIED BY  'radpass';
CREATE DATABASE IF NOT EXISTS  `radius` ;
GRANT ALL PRIVILEGES ON  `radius` . * TO  'radius'@'localhost';

Another option is to use the admin.sql script from the raddb/sql/mysql dir.

CREATE USER 'radius'@'localhost';
SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('radpass');
GRANT SELECT ON radius.* TO 'radius'@'localhost';
GRANT ALL ON radius.radacct TO 'radius'@'localhost';
GRANT ALL ON radius.radpostauth TO 'radius'@'localhost';

This script sets somewhat safer permissions: radius will only be able to write to the radacct and radpostauth tables. (Do not forget to change the default username/password shown above.)

The next step is to import the default Freeradius tables (the sql files can be found inside the raddb/sql/mysql dir). You should import nas.sql and schema.sql. The nas.sql file creates a table for your NASes. It is much easier to maintain the NAS list inside the database than inside clients.conf. Also, you can add more fields to the nas table so you can do other operations with your NAS.

After these operations you should have something like:

[root@ms mysql]# mysql -u radius -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 23387
Server version: 5.0.77-log Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use radius;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
+------------------+
8 rows in set (0.00 sec)

mysql>

Now we have a working database and we need to configure FreeRadius to use SQL.

radiusd.conf

Open the radiusd.conf file (/usr/local/etc/raddb/radiusd.conf) and uncomment the $INCLUDE sql.conf line inside the modules section. Save the changes and exit.

sql.conf

Open sql.conf and edit the following lines

        # Connection info:
        server = "localhost"
        #port = 3306
        login = "radius"
        password = "radpass"
 
        # Database table configuration for everything except Oracle
        radius_db = "radius"

to fit your settings (database name, username and password).

dialup.conf

Then open /usr/local/etc/raddb/sql/mysql/dialup.conf and find the following lines (near the end)

 # Uncomment simul_count_query to enable simultaneous use checking
        simul_count_query = "SELECT COUNT(*) \
                             FROM ${acct_table1} \
                             WHERE username = '%{SQL-User-Name}' \
                             AND acctstoptime IS NULL"

Sometimes you will need to check users for simultaneous use; uncommenting sql in the session section and uncommenting the query shown above lets you do this.

default

Now open /usr/local/etc/raddb/sites-available/default and uncomment the sql lines inside the authorize, accounting and session sections. You can uncomment sql inside the post-auth section too if you want to log login attempts (note that this is not recommended for production servers: your database can grow and eat up all free space if someone tries to brute force your NAS).

Then comment out the following lines: files inside the authorize section; detail, unix and radutmp inside the accounting section; and radutmp inside the session section.

Please note that the lines we commented out above are not important for now, and commenting them out can improve performance. Also, note that detail should remain uncommented if you want a 'detail'ed log of the packets for accounting requests. You will need this if you want to proxy accounting to another server.

Then save the file and check your config with radiusd -X (debugging mode).

After this you should see something like

rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4

which means your freeradius server successfully connected to MySQL database.

There are hundreds of options inside the files shown above and it is impossible to explain all of them. Read the comments inside the config files and try to figure them out yourself. If you're using another database schema, you will need to set up sql.conf and dialup.conf according to your tables. All parameters are editable and very easy to understand. For example, if you have a large number of users (1000 and up), open sql.conf and increase num_sql_socks from 5 to 15 or 20.

You should not change/delete any other lines in the config file without reading and understanding the comments!

Populating tables and testing

This is the most important part. Before you continue, you need to know what you actually want from FreeRadius: which kind of connections you expect, etc. Also, you need to know something about the tables, attributes, operators, etc.

That is it for now… Next time we will add some users to the database and see what we can do.

Stay tuned…

kipmi0 problem

A few days ago a client called and asked about high CPU load on his Fedora server…
It was very easy to detect that the CPU was being consumed by the kipmi0 process. Unfortunately the classic commands kill, pkill, kill -9, … didn't help.

The problem was in the loaded modules (lsmod command):

ipmi_si 38349 0
ipmi_msghandler 32665 1 ipmi_si

I didn't have enough time to investigate this, but a simple rmmod ipmi_msghandler and rmmod ipmi_si was enough to solve the problem. Well, I was wrong that this would solve it… After a reboot everything was as before… The modules were still there and the kipmi0 process was just as aggressive…

Searching Google for this problem didn't help a lot. After some digging, I found out that lm_sensors is responsible for loading these modules.

nano /etc/sysconfig/lm_sensors gave me the answer. At the end there are a few lines:

MODULE_0=ipmi-si
MODULE_1=ipmisensors
MODULE_2=coretemp

Commenting out those lines was enough to solve the problem. I suppose this server is too old (Fedora 6) and some incompatibility exists between the hardware platform and those modules…

If you have any info about this problem, please drop a comment so we can all learn something…