Category Archives: Red Hat/CentOS

Why is PostgreSQL not so popular? (howto part 2)

So… after the first part (Link), which covered the installation, the next step is to create a root role and to set passwords for the postgres and root roles.

[root@XTdata init.d]# su postgres
bash-3.2$ createuser -s root
bash-3.2$ createdb root --owner=root
exit
 
[root@XTdata data]# psql
psql (9.2.4)
Type "help" for help.
 
root=# ALTER USER postgres WITH PASSWORD 'SomePAASWDe348';
ALTER ROLE
root=# ALTER USER root WITH PASSWORD 'SomePAASWDe3489898';
ALTER ROLE
root=# \q

One caveat about the commands above: psql keeps a history in ~/.psql_history, so passwords typed into ALTER USER ... WITH PASSWORD end up on disk in clear text (and in the server log if statement logging is on). The psql meta-command \password root prompts for the new password without echoing it and hashes it before it is sent, so neither the history nor the server log sees the clear-text value.

Now, the next step is to allow remote connections.

postgresql.conf is the main PostgreSQL configuration file. To make the server reachable remotely, find the commented line

#listen_addresses = 'localhost'         # what IP address(es) to listen on;

uncomment it and replace localhost with the server's IP address (or with *, which means listen on all interfaces; if you do that, the firewall and pg_hba.conf are the only things limiting who can reach port 5432).

listen_addresses = '*'         # what IP address(es) to listen on;

By default PostgreSQL refuses every connection from a remote host. Which hosts may connect, to which databases, as which roles and with which authentication method, is controlled by pg_hba.conf (located in the same directory as postgresql.conf).

Add the following line

host    all             all             192.168.10.57/32         md5

where 192.168.10.57 is the IP address of the remote host.

You can also allow any host by replacing 192.168.10.57/32 with 0.0.0.0/0 (and ::/0 for IPv6), but that exposes password authentication for every role and every database to the whole network, so prefer a specific host or subnet and narrow the DATABASE and USER columns as well. md5 was the strongest password method available in 9.2; on PostgreSQL 10 and later use scram-sha-256 instead, and reserve trust for a local socket you fully control.

The line syntax is

local      DATABASE  USER  METHOD  [OPTIONS]
host       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
hostssl    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
hostnossl  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]

as documented inside pg_hba.conf itself. Save the file and restart the server (the pg_hba.conf change alone would only need a reload, but the new listen_addresses value takes effect only after a restart).
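Since the rules above are easy to get wrong, here is a small audit script for pg_hba.conf. It is an added example written for this page, not something from the original post or from the PostgreSQL project. It walks the rules of a constructed sample file (the rule from this post plus a few deliberately bad ones), flags rules that admit any address (0.0.0.0/0, ::/0), hostnossl rules, the weak methods trust and password, and reports md5 as an advisory so you can see where scram-sha-256 would apply on PostgreSQL 10 and later. The sample file, the Finding class and the problem texts are mine.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Constructed pg_hba.conf for the demo: the rule from the post plus rules
# that show what is worth flagging. Not taken from a real server.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
host    all             all             192.168.10.57/32        md5
host    all             all             0.0.0.0/0               md5
host    reports         analyst         10.0.0.0/8              password
hostnossl all           all             ::/0                    trust
"""

METHOD_NOTES = {
    "trust": "no authentication at all",
    "password": "clear-text password on the wire",
    "md5": "md5 challenge-response; prefer scram-sha-256 on PostgreSQL 10 and later",
}


@dataclass
class Finding:
    lineno: int
    rule: str
    problems: List[str] = field(default_factory=list)


def parse_address(fields):
    """ADDRESS column: CIDR (10.0.0.0/8), address plus separate netmask
    (10.0.0.0 255.0.0.0), or a hostname/keyword (returned as None).
    Returns (network or None, the fields that follow the address)."""
    addr = fields[0]
    if "/" in addr:
        try:
            return ipaddress.ip_network(addr, strict=False), fields[1:]
        except ValueError:
            return None, fields[1:]
    if len(fields) >= 2:
        try:
            ipaddress.ip_address(addr)
            return ipaddress.ip_network(f"{addr}/{fields[1]}", strict=False), fields[2:]
        except ValueError:
            pass  # not "address mask"; treat as hostname
    return None, fields[1:]


def audit_pg_hba(text: str) -> List[Finding]:
    """Walk the rules and report the ones a reviewer should look at."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ctype, database, user = fields[0], fields[1], fields[2]
        if ctype == "local":
            net, method = None, fields[3]          # local rules have no ADDRESS
        else:
            net, rest = parse_address(fields[3:])
            method = rest[0]
        problems = []
        if method in METHOD_NOTES:
            problems.append(f"method {method}: {METHOD_NOTES[method]}")
        if net is not None and net.prefixlen == 0:
            problems.append("address matches every host (0.0.0.0/0 or ::/0)")
        if ctype == "hostnossl":
            problems.append("hostnossl: TLS is refused, so credentials and data go in clear")
        if (ctype != "local" and database == "all" and user == "all"
                and net is not None and not net.is_loopback):
            problems.append("all databases and all roles reachable from the network")
        if problems:
            findings.append(Finding(lineno, line, problems))
    return findings


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f.lineno}: {f.rule}")
        for p in f.problems:
            print(f"    - {p}")
```

Run it against your own file with audit_pg_hba(open("/var/lib/pgsql/9.2/data/pg_hba.conf").read()); a clean result is a file with peer or scram-sha-256 rules scoped to specific networks, databases and roles.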

For remote management I prefer pgAdmin III. Fire it up, select File, Add Server… and enter a name, host, username and password.

This should be enough for now…

Logrotate settings

As you probably know, the default logrotate period on RH based distros is weekly. From my point of view this is too long for production servers: the files become extremely large, and grepping through them gets very slow.

To change this behaviour, open /etc/logrotate.conf and replace the weekly line with daily. Also increase the number of rotated files to keep from 4 to something larger (with daily rotation, rotate 70 keeps 70 days of history). Keep in mind that these are only the global defaults: any log with its own stanza in /etc/logrotate.d/ (httpd, for example) keeps whatever frequency and rotate count that stanza sets, so adjust those separately if you need longer retention for investigations.

It should look like this:

# see "man logrotate" for details
# rotate log files weekly
#weekly
daily
 
# keep 70 days worth of backlogs
rotate 70

Extra Packages for Enterprise Linux – EPEL HowTo

EPEL (Extra Packages for Enterprise Linux) is a volunteer-based community effort from the Fedora project to create a repository of high-quality add-on packages that complement the Fedora-based Red Hat Enterprise Linux (RHEL) and its compatible spinoffs, such as CentOS and Scientific Linux.

Adding the EPEL repo is very easy:

wget http://ftp.heanet.ie/pub/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm

The package above is fetched over plain http, so check it before installing: import the EPEL signing key and run rpm -K epel-release-6-8.noarch.rpm, and leave gpgcheck=1 in the /etc/yum.repos.d/epel.repo it installs so that every later package from EPEL is verified too. On CentOS 7 the package is in the extras repository and a plain yum install epel-release does the job.

For a reason unknown to me, CentOS 6.x ships without a php-mcrypt package and it is impossible to install it from the base repos. Some apps will complain about this, and one solution is to install the rpm from EPEL. After adding the EPEL repo, type:

yum install php-mcrypt

Treat this as a stopgap for legacy applications only: libmcrypt has been unmaintained since 2007, and the PHP mcrypt extension was deprecated in PHP 7.1 and removed from core in 7.2, so anything that still needs it should be moved to openssl or sodium.

Centos server – DOCSIS howto

DOCSIS stands for Data Over Cable Service Interface Specification and is a standard developed by CableLabs.

docsis is a small program that generates binary configuration files for DOCSIS-compliant cable modems. Download the latest version from the project site.

Unpack the downloaded package with

tar -xvzf docsis-0.9.6.tar.gz
cd docsis-0.9.6/
./configure
make
make install

In case configure complains about missing packages, install them with yum (usually gcc, bison, flex and net-snmp-devel).

Run docsis without arguments to see the usage text. The key file it mentions holds the shared secret used for the CMTS MIC, so keep it readable only by the account that runs docsis (chmod 600).

[root@s1 /]# docsis
DOCSIS Configuration File creator, version 0.9.6
Copyright (c) 1999,2000,2001 Cornel Ciocirlan, ctrl@users.sourceforge.net
Copyright (c) 2002,2003,2004,2005 Evvolve Media SRL, docsis@evvolve.com
 
To encode a cable modem configuration file:
         docsis -e   
To encode multiple cable modem configuration files:
         docsis -m  ...   
To encode a MTA configuration file:
         docsis -p  
To encode multiple MTA configuration files:
         docsis -m -p  ...  
To decode a CM or MTA config file:
         docsis -d 
 
Where:
              = name of text (human readable) cable modem or MTA
                          configuration file
              = text file containing the authentication key
                          (shared secret) to be used for the CMTS MIC
           = name of output file where the binary data will
                          be written to (if it does not exist it is created).
           = name of binary file to be decoded
         = new extension to be used when encoding multiple files
 
See examples/*.cfg for configuration file format.
 
Please send bugs or questions to docsis-users@lists.sourceforge.net

NOTE

It is possible to get the following error during make:

docsis_lex.o: In function `yylex':
/downloads/docsis-0.9.6/src/docsis_lex.c:1734: undefined reference to `yywrap'
collect2: ld returned 1 exit status
make[2]: *** [docsis] Error 1
make[2]: Leaving directory `/downloads/docsis-0.9.6/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/downloads/docsis-0.9.6'
make: *** [all] Error 2

The linker is missing the flex runtime library (libfl) that provides yywrap; install it with yum install flex flex-devel, then repeat the ./configure and make commands.

How to set time restrictions on user logins

I wanted to enable a time limit for some users so they are able to use the FTP server only during working hours.

For RH based systems with vsftpd:

Open /etc/security/time.conf and add

vsftpd;*;SOME_USER;Al0800-1600

to the end. The fields are services;ttys;users;times, and Al0800-1600 means all days of the week from 08:00 to 16:00.

Then open /etc/pam.d/vsftpd and add

account    required     pam_time.so

as the first line of the account section, so the file looks like this:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    required     pam_time.so
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

Save the changes and try an FTP login both inside and outside the window. To restrict SSH logins the same way, add

account    required     pam_time.so

to /etc/pam.d/sshd and

sshd;*;SOME_USER;Al0800-1600

to /etc/security/time.conf. Two things to keep in mind: sshd only consults PAM when UsePAM yes is set in /etc/ssh/sshd_config (the default on RHEL/CentOS), and pam_time is evaluated at login only, so a session that is already open when the window closes is not terminated.
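To make the time.conf rules for vsftpd and sshd above less of a black box, here is an added example (written for this page, not code from the post or from Linux-PAM) that re-implements the pam_time matching logic in Python and runs it over a constructed time.conf containing the two rules from the post plus one rule with a user list and the Wk abbreviation. It handles the * wildcard, | alternatives, ! negation, the day abbreviations (repeating a day toggles it, so AlFr is every day except Friday) and ranges that cross midnight. Two simplifications are assumptions of this demo: the & operator is not implemented, and the end of a range is treated as exclusive.

```python
from datetime import datetime
from typing import Tuple, Union

# Constructed /etc/security/time.conf for the demo: the two rules from the
# post plus one rule using a user list and the Wk (weekdays) abbreviation.
SAMPLE_TIME_CONF = """\
# services;ttys;users;times
vsftpd;*;SOME_USER;Al0800-1600
sshd;*;SOME_USER;Al0800-1600
sshd;*;bob|carol;Wk0700-1900
"""

# Day abbreviations used by pam_time; Monday is bit 0 to line up with
# datetime.weekday().
DAY_BITS = {"Mo": 1, "Tu": 2, "We": 4, "Th": 8, "Fr": 16, "Sa": 32, "Su": 64}
DAY_BITS.update(Wk=0b0011111, Wd=0b1100000, Al=0b1111111)


def match_field(pattern: str, value: str) -> bool:
    """Service/tty/user field: '*' matches anything, '|' is OR and a leading
    '!' negates one token. Simplified: the '&' operator is not implemented."""
    matched = False
    for token in pattern.split("|"):
        negate = token.startswith("!")
        token = token.lstrip("!")
        hit = token == "*" or token == value
        matched = matched or (hit != negate)
    return matched


def parse_time_token(token: str) -> Tuple[int, int, int, bool]:
    """'Al0800-1600' -> (day mask, 800, 1600, negated). Repeating a day
    toggles it, so 'AlFr' is every day except Friday."""
    negate = token.startswith("!")
    token = token.lstrip("!")
    mask = 0
    while token[:2] in DAY_BITS:
        mask ^= DAY_BITS[token[:2]]
        token = token[2:]
    start, end = token.split("-")
    return mask, int(start), int(end), negate


def in_time_token(token: str, when: datetime) -> bool:
    mask, start, end, negate = parse_time_token(token)
    today = 1 << when.weekday()
    yesterday = 1 << ((when.weekday() - 1) % 7)
    hhmm = when.hour * 100 + when.minute
    if start <= end:
        # End treated as exclusive (an assumption of this demo).
        inside = bool(mask & today) and start <= hhmm < end
    else:
        # Range crosses midnight (e.g. 2300-0400): the early hours belong
        # to the range that started on the previous day.
        inside = (bool(mask & today) and hhmm >= start) or \
                 (bool(mask & yesterday) and hhmm < end)
    return inside != negate


def in_times(field: str, when: datetime) -> bool:
    """Times field: alternatives separated by '|'."""
    return any(in_time_token(t, when) for t in field.split("|"))


def login_allowed(conf: str, service: str, tty: str, user: str,
                  when: Union[datetime, str]) -> bool:
    """pam_time semantics, simplified: the login is denied if any rule whose
    services, ttys and users fields all match does not also match the
    current time. With no matching rule at all pam_time permits the login,
    so users without a rule are unrestricted."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        services, ttys, users, times = line.split(";")
        if (match_field(services, service) and match_field(ttys, tty)
                and match_field(users, user)):
            if not in_times(times, when):
                return False
    return True


if __name__ == "__main__":
    for stamp in ("2024-01-09T09:30", "2024-01-09T17:00"):
        print(stamp, login_allowed(SAMPLE_TIME_CONF, "vsftpd", "ftp", "SOME_USER", stamp))
```

Note the default in login_allowed: a user who appears in no rule is never denied, which is exactly why the post's rule only affects SOME_USER and leaves everybody else, root included, untouched.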

CentOS server – Simple quota howto

From time to time you run into storage issues where users are uncontrolled and decide to use your storage as their own. There are several solutions to this problem and I'll tell you two of them. The first is to delete their account and break their arms so they won't be able to use a computer at all. This solution is not always acceptable, so you should check the second one…


CentOS server – basic Apache settings

It is recommended to set up a few things before you go live with your web server.

Remove the welcome page

Open the /etc/httpd/conf.d/welcome.conf file and comment out all the lines.

#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL.  To disable the Welcome page, comment
# out all the lines below.
#
#<LocationMatch "^/+$">
#    Options -Indexes
#    ErrorDocument 403 /error/noindex.html
#</LocationMatch>

Restart Apache with service httpd restart.

Basic httpd config

Open /etc/httpd/conf/httpd.conf and find the line

Options Indexes FollowSymLinks

inside the <Directory "/var/www/html"> section, and put a minus sign in front of Indexes as shown below.

Options -Indexes FollowSymLinks

(If you leave the line as it was, any directory under /var/www/html that has no index file shows its complete file listing to anyone who asks.)

Leave the line "LogLevel warn" alone while you're testing your web apps. For production you can raise the level to cut log volume, but remember that crit also suppresses error-level messages you will want for troubleshooting and for reconstructing an incident; error is the safer floor, and warn is perfectly acceptable.

For security reasons it is a good idea to remove the server signature from error pages and directory listings. Find the line ServerSignature On and replace On with Off:

ServerSignature Off

If you also want to hide the web server version, OS, etc. from the Server response header, check the ServerTokens parameter. The CentOS default is ServerTokens OS; Prod is the most restrictive and the one to use on a production server. All available options are:

ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full

Keep in mind that this only hides the version string from casual scanners; it does not protect an unpatched httpd, so keep the package updated.

CentOS server – Vsftpd Howto

To set up your CentOS as an FTP server with sane defaults, follow the next couple of steps. Keep in mind that plain FTP sends passwords and data in clear text; for a genuinely secure service enable TLS in vsftpd (ssl_enable=YES) or use SFTP over SSH instead.

Install VSFTPD with

yum install vsftpd

Turn on vsftpd auto start with

(CentOS 6.x)

chkconfig --level 235 vsftpd on

(CentOS 7.x)

systemctl enable vsftpd

Open vsftpd.conf

nano /etc/vsftpd/vsftpd.conf

and edit the next:

1. Change anonymous_enable=YES to anonymous_enable=NO.

2. Uncomment the chroot_local_user=YES line (on CentOS 5.x you will need to add it).

3. Change the default port from 21 to XXXXX (where XXXXX is above 1024) with listen_port=XXXXX.

If the line doesn't exist, add it at the end of the file, and make sure port XXXXX is open in the firewall.

4. The vsftpd version that comes with CentOS 7 refuses to let chrooted local users write to the root of their chroot. The quick "fix" is to add the following line:

allow_writeable_chroot=YES

vsftpd refuses a writable chroot root on purpose, as a hardening measure, so the cleaner alternative is to keep the user's home directory owned by root and non-writable and give the user a writable subdirectory inside it for uploads.

Restart vsftpd with service vsftpd restart (systemctl restart vsftpd on CentOS 7). Please keep in mind that changing the default port number doesn't make your server secure: it helps you avoid random dictionary attacks from bots that only probe port 21 and keeps your log files much smaller, but anyone who port-scans the host will find it, and on a multi-user host an unprivileged local process can bind a port above 1024 whenever vsftpd is not listening. A good password is a MUST.
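As an added example for the four steps above (written for this page, not code from the post or from the vsftpd project), the Python below applies steps 1 to 3 to a vsftpd.conf text and reports what it changed, then reviews the result for the things a practitioner would still want to know: anonymous access, missing chroot, the allow_writeable_chroot=YES shortcut from step 4, and TLS being off. The sample config is a constructed excerpt of a stock CentOS file, the port 2121 is arbitrary, and the defaults the review assumes (anonymous_enable=YES, chroot_local_user=NO, ssl_enable=NO) are vsftpd's documented ones.

```python
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of a stock CentOS vsftpd.conf (most comments removed).
# It is a sample for this example, not copied from a real host.
SAMPLE_VSFTPD_CONF = """\
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
local_enable=YES
write_enable=YES
#chroot_local_user=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
"""

# The settings the post changes in steps 1 and 2. listen_port (step 3) is
# passed in; allow_writeable_chroot (step 4) is deliberately left out and
# only reported by review_vsftpd_conf().
HARDENED: Dict[str, str] = {"anonymous_enable": "NO", "chroot_local_user": "YES"}


def split_kv(line: str) -> Optional[Tuple[str, str, bool]]:
    """Parse 'key=value', also when hidden behind a leading '#'.
    Returns (key, value, commented) or None for blank/prose lines."""
    stripped = line.strip()
    commented = stripped.startswith("#")
    body = stripped.lstrip("#").strip()
    if "=" not in body:
        return None
    key, value = body.split("=", 1)
    key = key.strip()
    if not key or " " in key:
        return None
    return key, value.strip(), commented


def harden_vsftpd_conf(text: str, listen_port: int) -> Tuple[str, List[str]]:
    """Apply steps 1-3 of the post to a vsftpd.conf text. Returns the new text
    and a list of changes; running it twice changes nothing the second time."""
    if not 1024 < listen_port < 65536:
        raise ValueError("listen_port must be above 1024 (step 3 of the post)")
    wanted = dict(HARDENED, listen_port=str(listen_port))
    lines = text.splitlines()
    parsed = [split_kv(l) for l in lines]
    active = {p[0] for p in parsed if p and not p[2]}   # keys with a live value
    out, changes, done = [], [], set()
    for raw, p in zip(lines, parsed):
        if p is None or p[0] not in wanted or p[0] in done:
            out.append(raw)
            continue
        key, value, commented = p
        if commented and key in active:
            out.append(raw)      # a live setting exists elsewhere; leave the comment
            continue
        done.add(key)
        if commented:
            out.append(f"{key}={wanted[key]}")
            changes.append(f"{key}: uncommented and set to {wanted[key]}")
        elif value != wanted[key]:
            out.append(f"{key}={wanted[key]}")
            changes.append(f"{key}: {value} -> {wanted[key]}")
        else:
            out.append(raw)
    for key, value in wanted.items():
        if key not in done:
            out.append(f"{key}={value}")
            changes.append(f"{key}: added {value}")
    return "\n".join(out) + "\n", changes


def review_vsftpd_conf(text: str) -> List[str]:
    """Report the remaining weaknesses. Defaults are vsftpd's documented ones:
    anonymous_enable=YES, chroot_local_user=NO, ssl_enable=NO."""
    settings = {p[0]: p[1] for p in map(split_kv, text.splitlines()) if p and not p[2]}
    warnings = []
    if settings.get("anonymous_enable", "YES") == "YES":
        warnings.append("anonymous FTP is enabled")
    if settings.get("chroot_local_user", "NO") != "YES":
        warnings.append("local users are not chrooted")
    if settings.get("allow_writeable_chroot") == "YES":
        warnings.append("allow_writeable_chroot=YES: prefer a root-owned, non-writable "
                        "home directory with a writable subdirectory for uploads")
    if settings.get("ssl_enable", "NO") != "YES":
        warnings.append("ssl_enable is off: passwords cross the network in clear text")
    return warnings


if __name__ == "__main__":
    new_conf, changes = harden_vsftpd_conf(SAMPLE_VSFTPD_CONF, 2121)
    print("\n".join(changes))
    print("\n".join(review_vsftpd_conf(new_conf)))
```

The rewrite is idempotent on purpose, so it can be run from a provisioning script without stacking duplicate lines, and the review runs on the hardened output to show what the post's steps do not cover (TLS).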

PHP Fatal error: Class ‘DOMDocument’ not found in …

This morning I found the following errors in the web server log.

PHP Warning: include(DOMDocument.php) [<a href="function.include">function.include</a>]: failed to open stream: No such file or directory in ......
PHP Warning: include() [<a href="function.include">function.include</a>]: Failed opening 'DOMDocument.php' for inclusion (include_path='.....
PHP Fatal error: Class 'DOMDocument' not found in .....

The solution is to install the missing php-xml rpm, which provides the DOM extension.

yum install php-xml

MySQL Performance – Howto – part 1 (high performance tuning scripts)

Often the server admin has little control over the applications that use MySQL, and it is hard to find the bottlenecks. This blog post can't bring peace to the world or help NASA finally land on Mars. Instead of those tasks, I'll try to solve something else and present my own experiences with MySQL storage engines (at least MyISAM and InnoDB, the most popular ones).