The first step is to check whether /tmp is already a separate, non-executable mount. Some data centers create a /tmp partition at install time while others do not.
#df -h |grep tmp
If that displays nothing, go below to create a /tmp filesystem. If you do have a /tmp partition, you need to see whether it is mounted with noexec:
#cat /etc/fstab |grep tmp
If there is a line for /tmp that includes noexec, it is already configured non-executable (fstab only says what happens at boot; the options on the live mount are what actually protect you, so check those as well). If not, follow the instructions below to create one without having to repartition the disk. Ideally you would make a real partition when the disk was originally formatted; that being said, I have not had any trouble creating a /tmp filesystem using the following method.
Create a ~1000 MB file to hold the filesystem (1,000,000 blocks of 1024 bytes)
#cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=1000000
Note that on systems where /dev is a tmpfs populated by udev, a file created there will not survive a reboot; in that case put the image file somewhere persistent, such as under /var, and use that path in the commands and the fstab entry below.
Format the partition
#mkfs.ext2 /dev/tmpMnt
When it warns that tmpMnt is not a block special device, answer y to proceed.
Make a backup of the old data
#cp -Rp /tmp /tmp_backup
Mount the temp filesystem
#mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
Set the permissions. /tmp needs the sticky bit (mode 1777, not 0777): a world-writable directory without the sticky bit lets any user delete or rename other users' temporary files, which is how symlink and race attacks against /tmp start.
#chmod 1777 /tmp
Copy the old files back (using /tmp_backup/. rather than /tmp_backup/* so dotfiles such as socket and lock files are included)
#cp -Rp /tmp_backup/. /tmp/
Once you do that, restart mysql and make sure it works. We do this because mysql places mysql.sock in /tmp, and it has to be able to recreate it on the new filesystem or it may have trouble starting. If it works, add this line to the bottom of /etc/fstab so the filesystem is mounted automatically at boot:
Open the file in vi:
#vi /etc/fstab
Now add this single line at the bottom:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm and change it to the following:
none /dev/shm tmpfs noexec,nosuid 0 0
Unmount and remount /dev/shm for the changes to take effect.
#umount /dev/shm
#mount /dev/shm
Next delete the old /var/tmp and replace it with a symlink to /tmp, so it inherits the same mount options (anything currently in /var/tmp is lost, so check it first)
#rm -rf /var/tmp/
#ln -s /tmp/ /var/
If everything still works, you can delete the /tmp_backup directory.
#rm -rf /tmp_backup
Your /tmp, /var/tmp and /dev/shm are now mounted in a way that no program can be run directly from these directories. Like I have said in other articles there are still ways in but this is one of the many layers of security you should have on your system. noexec only stops the kernel from executing a binary located at that path; a script handed to an interpreter by name still runs, so treat this as one layer among several rather than a complete control.
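As an added example (not part of the original post), the script below checks the live mount table instead of /etc/fstab, since fstab only describes the next boot. It reads /proc/mounts (or a file in the same format), reports which of the temp locations lack noexec or nosuid, and ships with a constructed sample table for offline testing. /var/tmp is left out of the default list because on this setup it is a symlink into /tmp and inherits /tmp's options; the paths and the sample table are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit temp mount points for
# noexec/nosuid using the live mount table. Sample data below is constructed.

# mount_has_opt MOUNTPOINT OPTION [MOUNTS_FILE]
# prints "yes", "no", or "nomount"; reads /proc/mounts unless a file is given
mount_has_opt() {
    awk -v mp="$1" -v opt="$2" '
        BEGIN { found = 0; ok = 0 }
        $2 == mp {
            found = 1
            n = split($4, o, ",")          # 4th field is the option list
            for (i = 1; i <= n; i++) if (o[i] == opt) ok = 1
        }
        END { if (!found) print "nomount"; else if (ok) print "yes"; else print "no" }
    ' "${3:-/proc/mounts}"
}

# audit_mounts MOUNTS_FILE MOUNTPOINT...
# prints one line per problem and returns the number of problems (0 = all good)
audit_mounts() {
    mounts=$1; shift
    bad=0
    for mp in "$@"; do
        for opt in noexec nosuid; do
            case "$(mount_has_opt "$mp" "$opt" "$mounts")" in
                yes) ;;
                no)  echo "$mp: mounted without $opt"; bad=$((bad + 1)) ;;
                *)   echo "$mp: not a separate mount"; bad=$((bad + 1)); break ;;
            esac
        done
    done
    return "$bad"
}

# write_sample_mounts FILE: a constructed /proc/mounts for offline testing.
# /tmp is the loop-mounted ext2 from the post; /dev/shm has not been fixed yet.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext3 rw,relatime,data=ordered 0 0
/dev/tmpMnt /tmp ext2 rw,nosuid,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
EOF
}

# run against the live system:  sh tmp-audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_mounts /proc/mounts /tmp /dev/shm && echo "temp mounts are noexec,nosuid"
fi
```

Run it after every change to fstab and after a reboot; a clean fstab line is worthless if the mount was never re-applied. To confirm the sticky bit from the same shell, `stat -c %a /tmp` should report 1777.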
Server Chit Chats, Troubleshooting issues and Tutorials :)
Wednesday, July 22, 2009
Change mysql data directory
The default location is /var/lib/mysql.
You can change the MySQL data directory by adding the following entry to the [mysqld] section of /etc/my.cnf:
datadir=/path/to/newlocation
Save the file, stop mysql, move the database files from /var/lib/mysql to the new location keeping their ownership (mysql:mysql) and permissions, and start mysql again.
To check that the new location is in use, log in to mysql as root, create a test database, and confirm that a directory for it appears under the new path.
If mysql does not start afterwards, check the log for an error:
# tail -f /var/log/mysqld.log
If the log shows nothing specific, check whether SELinux is enforcing:
#getenforce
The result will be Enforcing, Permissive or Disabled. Disabling SELinux in /etc/selinux/config (RHEL/CentOS) does get mysql starting, but it removes confinement from every service on the box and is the wrong fix: mysqld is only allowed to use directories labelled mysqld_db_t, and the new location carries whatever label its parent directory had. Label the new directory instead; switching to permissive mode temporarily is enough to confirm that SELinux is what blocks the start.
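The following script, added here and not part of the original post, carries the move out without turning SELinux off: it rewrites datadir in the [mysqld] section of my.cnf, copies the data preserving ownership, and gives the new tree the mysqld_db_t label with semanage and restorecon. The service name mysqld, the /etc/my.cnf path and the target /srv/mysql are assumptions; the my.cnf contents used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: relocate the MySQL datadir and
# relabel it for SELinux instead of disabling SELinux. Paths are assumptions.

# set_datadir CNF DIR: add or replace "datadir=" in the [mysqld] section of CNF,
# creating the section at the end of the file if it does not exist
set_datadir() {
    cnf=$1; dir=$2
    awk -v dir="$dir" '
        /^\[/ { if (insec && !done) { print "datadir=" dir; done = 1 }   # leaving [mysqld] without a datadir
                insec = ($0 == "[mysqld]") }
        insec && /^[ \t]*datadir[ \t]*=/ { if (!done) { print "datadir=" dir; done = 1 }; next }
        { print }
        END { if (!done) { if (!insec) print "[mysqld]"; print "datadir=" dir } }
    ' "$cnf" > "$cnf.tmp" && mv "$cnf.tmp" "$cnf"
}

# get_datadir CNF: print the datadir configured in [mysqld], or nothing
get_datadir() {
    awk '/^\[/ { insec = ($0 == "[mysqld]") }
         insec && /^[ \t]*datadir[ \t]*=/ { sub(/^[ \t]*datadir[ \t]*=[ \t]*/, ""); print; exit }' "$1"
}

# relocate NEWDIR: the full procedure; needs root and takes the server down
relocate() {
    new=$1
    service mysqld stop
    mkdir -p "$new"
    rsync -a /var/lib/mysql/ "$new"/          # -a keeps owner, mode and mtime
    chown -R mysql:mysql "$new"
    set_datadir /etc/my.cnf "$new"
    # tell SELinux the new tree is MySQL data rather than switching SELinux off
    semanage fcontext -a -t mysqld_db_t "$new(/.*)?"
    restorecon -Rv "$new"
    service mysqld start
}

# usage:  sh move-datadir.sh --run /srv/mysql
[ "${1:-}" = "--run" ] && relocate "$2"
```

The old directory is copied rather than moved so a failed start can be rolled back by restoring the previous datadir line; remove /var/lib/mysql only after the test database shows up under the new path.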
How to add a range of IPs
For a small number of IPs, you can add each one in its own file named ifcfg-eth0:x in /etc/sysconfig/network-scripts/.
For instance, to add 10 IP addresses you create 10 files in that directory, ifcfg-eth0:0 through ifcfg-eth0:9. Each file contains:
CODE
DEVICE=eth0:0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.0.2
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
TYPE=Ethernet
with DEVICE changing in each file (eth0:0, eth0:1, ...) and IPADDR going from 192.168.0.2 in the first file to 192.168.0.11 in the tenth.
But what if you have to add 100 IP addresses? Creating a file for each is still physically possible. But 1000 IP addresses? Or 10,000? Fortunately, RedHat-based systems offer a quick and easy way to bind a range of IPs, eliminating the need to create all those files.
Create a file called ifcfg-eth0-range0 in the /etc/sysconfig/network-scripts directory. It must contain the following lines:
CODE
IPADDR_START=192.168.0.10
IPADDR_END=192.168.0.110
CLONENUM_START=0
Let's see what each of them does:
IPADDR_START: the first IP of the address range you want to bind to your ethernet device.
IPADDR_END: the last IP of that range (inclusive).
CLONENUM_START: the number assigned to the first alias interface. For instance, if your Internet interface is eth0 and CLONENUM_START is 0, this file creates 101 alias interfaces, one per address from 192.168.0.10 to 192.168.0.110, starting with eth0:0 (eth0:0, eth0:1, eth0:2 etc) and ending with eth0:100.
NOTE! Be careful if you need to add more ranges of IPs. Each range needs a CLONENUM_START that does not collide with the alias numbers already in use, otherwise the later range overwrites aliases from the earlier one. For instance, to add a second range of 100 IPs besides the one above, create a new file called ifcfg-eth0-range1 and set CLONENUM_START to 101, the first number after eth0:100.
After making any changes to any of the files created in the network-scripts directory, you have to run the following command so the changes are applied and the address range is activated:
# service network restart
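The arithmetic behind the NOTE above is easy to get wrong by one, so here is an added example (not part of the original post) that computes how many aliases a range file creates, derives the first safe CLONENUM_START for the next range, writes range files, and audits a network-scripts directory for ranges whose alias numbers overlap. The directory and the ranges used in the test are constructed; the script does not touch the real network-scripts directory unless you point it there.

```shell
#!/bin/sh
# Added example, not from the original post: size IP alias ranges and detect
# CLONENUM_START collisions between ifcfg-DEV-rangeN files. Inputs are constructed.

# ip_to_int A.B.C.D: print the address as a 32-bit integer, fail on bad input
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# alias_count START END: number of aliases a range file creates (both ends inclusive)
alias_count() {
    s=$(ip_to_int "$1") || return 1
    e=$(ip_to_int "$2") || return 1
    [ "$e" -ge "$s" ] || return 1
    echo $(( e - s + 1 ))
}

# next_clonenum CLONENUM_START START END: first alias number free after this range
next_clonenum() {
    n=$(alias_count "$2" "$3") || return 1
    echo $(( $1 + n ))
}

# write_range_file DIR DEV N START END CLONENUM: write DIR/ifcfg-DEV-rangeN
write_range_file() {
    cat > "$1/ifcfg-$2-range$3" <<EOF
IPADDR_START=$4
IPADDR_END=$5
CLONENUM_START=$6
EOF
}

# overlapping_clonenums DIR DEV: return 0 if no two ifcfg-DEV-range* files
# claim the same alias number, 1 (and a report) if they do
overlapping_clonenums() {
    for f in "$1"/ifcfg-"$2"-range*; do
        [ -f "$f" ] || continue
        s=$(sed -n 's/^IPADDR_START=//p' "$f")
        e=$(sed -n 's/^IPADDR_END=//p' "$f")
        c=$(sed -n 's/^CLONENUM_START=//p' "$f")
        n=$(alias_count "$s" "$e") || { echo "bad range in $f" >&2; continue; }
        echo "$c $(( c + n - 1 )) $f"            # first alias, last alias, file
    done | sort -n | awk '
        BEGIN { bad = 0; prev_last = -1 }
        NR > 1 && $1 <= prev_last { print "overlap: " $3 " reuses alias " $1; bad = 1 }
        { if ($2 > prev_last) prev_last = $2 }
        END { exit bad }'
}
```

Run `overlapping_clonenums /etc/sysconfig/network-scripts eth0` before `service network restart`; a collision does not fail the restart, it silently replaces the earlier alias with the later address.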
Thursday, July 2, 2009
Adding New repositories to YUM
To add a new repository to yum, create a .repo file under /etc/yum.repos.d/:
cd /etc/yum.repos.d/
vi dag.repo
and put the following lines in that file:
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
Save and quit. gpgcheck=1 makes yum refuse packages whose signature it cannot verify, which means the repository's signing key has to be in the rpm keyring before the first install. Import it:
rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
That key travels over plain HTTP, so compare its fingerprint with one obtained out of band before trusting it (a gpgkey= line in the .repo file pointing at a local copy of the key does the same job and keeps the key with the repo definition). A repository with gpgcheck=0, or gpgcheck=1 and no key available, lets anyone who can tamper with the mirror or the connection install arbitrary packages as root.
For the remi repo visit the url below
http://blog.famillecollet.com/pages/Config-en
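As an added example (not from the original post), the script below audits every .repo file in a directory and flags each repository section that yum would use without a verifiable signature, i.e. one missing gpgcheck=1 or a gpgkey= entry, and writes a hardened single-section repo file. The repo files created in the test are constructed; the [dag] section reproduces the one from the post, and the key path /etc/pki/rpm-gpg/RPM-GPG-KEY-dag is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: find yum repo sections that skip
# signature verification. The .repo files used for testing are constructed.

# weak_repo_sections FILE: print each [section] in FILE lacking gpgcheck=1 or gpgkey=
weak_repo_sections() {
    awk '
        function flush() { if (sec != "" && (gpg != 1 || key == "")) print sec }
        /^\[.*\]/ { flush(); sec = $0; sub(/[ \t]+$/, "", sec); gpg = 0; key = ""; next }
        /^[ \t]*gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); gpg = $0 + 0 }
        /^[ \t]*gpgkey[ \t]*=/   { sub(/^[^=]*=[ \t]*/, ""); key = $0 }
        END { flush() }
    ' "$1"
}

# audit_repo_dir DIR: report "file: [section]" for each weak section in DIR/*.repo
# and return the number of weak sections (0 = every repo is signature-checked)
audit_repo_dir() {
    n=0
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        for sec in $(weak_repo_sections "$f"); do
            echo "$f: $sec"
            n=$((n + 1))
        done
    done
    return "$n"
}

# write_repo FILE ID NAME BASEURL GPGKEY: write a single-section repo file that
# both enables signature checking and says which key to check against
write_repo() {
    cat > "$1" <<EOF
[$2]
name=$3
baseurl=$4
enabled=1
gpgcheck=1
gpgkey=$5
EOF
}

# usage:  sh repo-audit.sh --audit /etc/yum.repos.d
[ "${1:-}" = "--audit" ] && audit_repo_dir "$2"
```

Point gpgkey= at a key you have already verified and stored locally (file:///etc/pki/rpm-gpg/...), not at an HTTP URL, so the trust decision is made once, by you, rather than on every fresh install.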