UnixServerAdmin

Server Administration & Management

How to drop or clear cache in linux

Many times you will find a system that appears to be running out of memory, yet when you check you see that most of it is assigned to buffers and caches. That memory is not lost: the kernel uses otherwise idle RAM for the page cache and gives it back automatically when applications need it, so it is better thought of as "available" than as "used". If you are running MySQL, Oracle or similar software, they keep their own buffer pools and caches inside the process, so the kernel cache holds little that is useful to them, and dropping it is harmless to them. Dropping the caches is mainly useful for benchmarking (measuring cold-cache performance) or for testing; as a routine fix for low memory it only buys a temporary slowdown while the cache refills. Here is the process to drop caches in Linux, and a note on why putting the setting in sysctl.conf does not do what you might expect.

According to the kernel documentation (Documentation/sysctl/vm.txt), writing to drop_caches causes the kernel to drop clean caches, dentries and inodes from memory, causing that memory to become free.

To free pagecache:

# echo 1 > /proc/sys/vm/drop_caches

To free dentries and inodes:

# echo 2 > /proc/sys/vm/drop_caches

To free pagecache, dentries and inodes:

# echo 3 > /proc/sys/vm/drop_caches

As this is a non-destructive operation and dirty objects are not freeable, you should run 'sync' first so that dirty pages are written out. So the command to drop all caches is:

# sync; echo 3 > /proc/sys/vm/drop_caches

You will sometimes see this added to /etc/sysctl.conf:

# echo "vm.drop_caches = 3" >> /etc/sysctl.conf

followed by a reload with

# sysctl -p

This does not make the setting persistent. drop_caches is a one-shot trigger, not a tunable: each time sysctl -p (or the boot-time sysctl load) processes the file, the kernel drops its caches once and starts refilling them immediately, so the only lasting effect is a cold cache after every boot or reload. Newer kernels also log each write to drop_caches in dmesg. If you really need a periodic drop, run the sync; echo 3 command from cron instead, and only where you have measured a benefit.
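Before dropping anything it is worth checking how much of the cache is actually reclaimable and how much is dirty, since sync has to write the dirty pages first. The script below is an added example, not part of the original post: it reads the standard /proc/meminfo counters, treats Buffers + Cached + SReclaimable minus Shmem as reclaimable (tmpfs pages live in Cached but cannot be dropped), and only writes to drop_caches when run as root. The 256 MB dirty threshold is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether dropping caches
# is worth it by reading /proc/meminfo, and only write drop_caches as root.
# Field names are those of /proc/meminfo; the dirty threshold is an assumption.

# meminfo_kb FILE KEY -> value in kB of KEY from a /proc/meminfo-style file
meminfo_kb() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# reclaimable_kb FILE -> buffers + page cache + reclaimable slab, minus shmem
# (shmem/tmpfs pages are counted in "Cached" but cannot be dropped)
reclaimable_kb() {
    f=$1
    b=$(meminfo_kb "$f" Buffers); c=$(meminfo_kb "$f" Cached)
    s=$(meminfo_kb "$f" SReclaimable); sh=$(meminfo_kb "$f" Shmem)
    echo $(( b + c + s - sh ))
}

# cache_report FILE -> prints a one-line summary; returns 0 when the cache is
# mostly clean, 1 when sync would have a lot of dirty data to write first
cache_report() {
    f=${1:-/proc/meminfo}
    dirty=$(meminfo_kb "$f" Dirty)
    recl=$(reclaimable_kb "$f")
    printf 'free=%s kB reclaimable=%s kB dirty=%s kB\n' \
        "$(meminfo_kb "$f" MemFree)" "$recl" "$dirty"
    # assumption: more than 256 MB dirty means sync will take noticeable time
    [ "$dirty" -le 262144 ]
}

# drop_all_caches -> sync first so dirty pages reach disk, then drop.
# Refuses to run unless root; the write needs CAP_SYS_ADMIN anyway.
drop_all_caches() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "drop_all_caches: must be root" >&2
        return 1
    fi
    sync
    echo 3 > /proc/sys/vm/drop_caches
}

# sh drop_caches_check.sh report   -> just show the numbers
# sh drop_caches_check.sh drop     -> report, then drop if the cache is clean
case "${1:-}" in
    report) cache_report /proc/meminfo || true ;;
    drop)   cache_report /proc/meminfo && drop_all_caches ;;
esac
```

Run it with report first; if the dirty figure is large, the sync in the drop step is what will take the time, not the drop itself.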


February 28, 2012 | Tips & Tricks, Unix/Linux

How to configure Apache server to listen Multiple Ports

By default the Apache server listens on TCP port 80, but you may want it to listen on both port 80 and port 8080. The following explains how to configure Apache to listen on multiple ports under CentOS Linux.

To do so, log in as root and open the configuration file /etc/httpd/conf/httpd.conf. The Listen directive tells the server which addresses and ports to accept incoming requests on.

# vi /etc/httpd/conf/httpd.conf

Find line that read as follows:

Listen 80

Force Apache server to listen on both port 80 and 8080:

Listen 80
Listen 8080

Then find the VirtualHost block for your website and add *:8080 to it as shown below; without this, requests on port 8080 are answered by the main server configuration rather than by your virtual host:

<VirtualHost *:80 *:8080>

</VirtualHost>

Save and close the file and restart the Apache server. Remember that the new port also has to be allowed through the host firewall, and that if something else is already bound to port 8080 (a proxy, Tomcat) the restart will fail and Apache will be down on port 80 as well, so check the configuration before restarting:

# service httpd restart
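After the restart, confirm that Apache is really listening on every port you configured. The functions below are an added example, not part of the original post: they parse the output of ss -ltn (the socket listing tool on modern Linux) and report any expected port that is missing, which is the check you want before assuming the change worked. The sample ss output used in the test is constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): verify that Apache listens
# on every configured port by parsing `ss -ltn` output. Expected ports are
# given as arguments; ss output is read from stdin so it can be tested
# offline with constructed lines.

# listening_ports -> reads `ss -ltn` style lines on stdin and prints one TCP
# port per line in LISTEN state (handles "*:80", "0.0.0.0:80" and "[::]:80")
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# check_ports PORT... -> returns 0 if every PORT is listening; otherwise
# prints the missing ports on stderr and returns 1
check_ports() {
    have=$(listening_ports)
    missing=""
    for p in "$@"; do
        echo "$have" | grep -qx "$p" || missing="$missing $p"
    done
    if [ -n "$missing" ]; then
        echo "not listening on:$missing" >&2
        return 1
    fi
    return 0
}

# Typical use, checking the config before the restart and the ports after it:
#   httpd -t && service httpd restart && ss -ltn | check_ports 80 8080
```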

February 26, 2012 | Apache

How To display vi / vim text editor line numbers

Displaying line numbers in vi/vim is very useful for tracking down errors and improves the overall readability of a program. For example, when a C program or shell script fails to compile or run, the compiler or interpreter reports the line number, and having the numbers visible in the editor makes the offending line easy to find.

To display line numbers along the left side of a window, type any one of the following:

:set nu

or

:set number

Hide line numbers in vi/vim

To turn line numbers off again, type the following command; note that it toggles the setting (:set nonumber turns them off unconditionally):

:set nu!

Make vi/vim show line numbers by default

The vimrc file holds optional runtime configuration settings that vim reads when it starts. On Unix/Linux systems it is ~/.vimrc. To display line numbers every time you start vim, create the file if it does not exist and add the following line to it:

# touch ~/.vimrc

set number

Save and close the file (in vim, type :wq).

February 24, 2012 | Tips & Tricks, Unix/Linux

How to see the load average of all the VPS on a node in Virtuozzo

The three numbers are the 1, 5 and 15 minute load averages inside each container; in the sample below, container 7170 is the one saturating the node.

# vzlist -o veid,laverage

CTID      LAVERAGE
150       0.00/0.02/0.02
350       0.00/0.00/0.00
450       0.00/0.05/0.06
5095      0.00/0.05/0.04
6970      0.01/0.09/0.06
7170      57.00/56.97/56.91
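With many containers the list is easier to read when only the busy ones are shown. The function below is an added example, not part of the original post: it reads vzlist output of the form shown above and prints the containers whose 1-minute load average exceeds a threshold. The threshold default is an assumption; the sample output in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): flag containers whose 1-minute
# load average exceeds a threshold, from `vzlist -o veid,laverage` output.
# Feed real output with:
#   vzlist -H -o veid,laverage | busy_containers 8

# busy_containers [THRESHOLD] -> reads "CTID 1m/5m/15m" lines on stdin,
# prints "CTID load1" for each container above THRESHOLD (default 4, an
# assumption), skipping the header line; returns 1 if none exceeded it
busy_containers() {
    awk -v thr="${1:-4}" '
        $1 == "CTID" || $1 == "VEID" { next }   # header line when run without -H
        {
            split($2, la, "/")                   # la[1]=1min la[2]=5min la[3]=15min
            if (la[1] + 0 > thr + 0) { print $1, la[1]; found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}
```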

February 22, 2012 | Virtualization, Virtuozzo

iptables.sh

A template block-list script: every rule is commented out, so uncomment and edit the ones you need. Note that iptables -F only flushes the rules, not the chain policies; if the INPUT policy is already DROP, flushing over SSH disconnects you, so run this from the console or add the SSH rule before flushing.

#!/bin/sh
#########################################
# IP address block file #################
#########################################

iptables -F # Flush all rules in the filter table (policies are kept)

#########################################
# Block Incoming Connection #############
# iptables -A INPUT -s x.x.x.x -j DROP ##
#########################################

##########################################
# Block Outgoing Connection ##############
# iptables -A OUTPUT -d x.x.x.x -j DROP ##
##########################################

###################################################################################################
# Allow Incoming SSH only from a Specific Network #################################################
# iptables -A INPUT -p tcp -s 10.10.10.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT #
# iptables -A INPUT -p tcp -s 202.54.12.203 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT #
###################################################################################################

#####################################################################################################
# Allow Multiple Ports from Outside world ###########################################################
# iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
#####################################################################################################

February 20, 2012 | Firewall, Security, Shell Script

General Iptables Firewall Rules

1. Delete all existing rules
# iptables -F

2. Set default chain policies
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP

Once the policies are DROP, everything not explicitly accepted by a later rule is silently discarded, including your own SSH session. Work from the console, or add the loopback, established-connection and SSH rules (14 and 4/5 below) before switching the policies to DROP.

3. Block a specific ip-address
BLOCK_THIS_IP="x.x.x.x"
# iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

4. Allow ALL incoming SSH
# iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

5. Allow incoming SSH only from a specific network
# iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

6. Allow incoming HTTP
# iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

Allow incoming HTTPS
# iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

8. Allow outgoing SSH
# iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

9. Allow outgoing SSH only to a specific network
# iptables -A OUTPUT -o eth0 -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

10. Allow outgoing HTTPS
# iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

11. Load balance incoming HTTPS traffic across three backends. DNAT lives in the nat table, so -t nat is required; the -m nth match is an old patch-o-matic extension, and on stock kernels the equivalent is -m statistic --mode nth, used here. The forwarded traffic must also be accepted in FORWARD, which rule 2 sets to DROP.
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

12. Ping from inside to outside
# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

13. Ping from outside to inside
# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

14. Allow loopback access
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT

15. Allow packets from the internal network to reach the external network,
if eth1 is connected to the external network (internet)
and eth0 is connected to the internal network (192.168.1.x)
# iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
For the internal hosts to actually reach the Internet you also need the reverse FORWARD rule for ESTABLISHED,RELATED traffic and a MASQUERADE or SNAT rule in the nat POSTROUTING chain on eth1.

16. Allow outbound DNS
# iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
# iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

17. Allow NIS connections
NIS needs the portmapper (111) plus the ports that ypbind and ypserv register with it, which are chosen dynamically at start-up. Look them up with rpcinfo -p | grep ypbind (on this host they were 853 and 850) and open those; to keep the rules stable across restarts, pin the ports with the -p option of ypserv/ypbind.
# iptables -A INPUT -p tcp --dport 111 -j ACCEPT
# iptables -A INPUT -p udp --dport 111 -j ACCEPT
# iptables -A INPUT -p tcp --dport 853 -j ACCEPT
# iptables -A INPUT -p udp --dport 853 -j ACCEPT
# iptables -A INPUT -p tcp --dport 850 -j ACCEPT
# iptables -A INPUT -p udp --dport 850 -j ACCEPT

18. Allow rsync from a specific network
# iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

19. Allow MySQL connection only from a specific network
# iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

20. Allow Sendmail or Postfix
# iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

21. Allow IMAP and IMAPS
# iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

# iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

22. Allow POP3 and POP3S
# iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

# iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

23. Rate-limit new HTTP connections (this mitigates a DoS, it does not prevent one)
# iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
This only has an effect if it comes before the unconditional port 80 ACCEPT of rule 6, and if whatever follows it (the INPUT DROP policy, or the LOGGING chain of rule 25) drops the excess. Without --syn the limit would count every packet of every established HTTP session, throttling legitimate clients to 25 packets a minute.

24. Port forwarding 422 to 22
# iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
# iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
DNAT rewrites the destination port before the packet reaches INPUT, so the filter rules must accept port 22 (as in rule 4); an INPUT rule for port 422 would never match.

25. Log dropped packets
# iptables -N LOGGING
# iptables -A INPUT -j LOGGING
# iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
# iptables -A LOGGING -j DROP
The jump to LOGGING has to be the last rule in INPUT, since everything that reaches it is dropped. Log level 7 is debug, which many syslog configurations discard; use --log-level 4 (warning) if the entries do not show up in /var/log/messages.
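The rules above are building blocks; what matters when you assemble them is the order. The script below is an added example, not part of the original post: it combines the loopback, established-connection, SSH, web, ICMP, outbound and logging rules in a lock-out-safe sequence (accept rules first, policies switched to DROP last) and routes every call through a $IPT variable so the whole thing can be dry-run with IPT=echo before it touches a live box. Interface name, admin network and the connection limits are assumptions to edit.

```shell
#!/bin/sh
# Added example (not from the original post): the rules above assembled in a
# lock-out-safe order. Everything goes through $IPT so you can dry-run with
#   IPT=echo sh firewall.sh apply
# WAN_IF, ADMIN_NET and the rate limits are assumptions; edit them.
IPT=${IPT:-iptables}
WAN_IF=${WAN_IF:-eth0}
ADMIN_NET=${ADMIN_NET:-192.168.200.0/24}   # where SSH is allowed from/to

apply_firewall() {
    # 1. Start clean, but keep ACCEPT policies while building so an error
    #    halfway through does not leave the box unreachable.
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -F
    $IPT -X

    # 2. Loopback and already-established traffic first (rule 14): every later
    #    rule then only has to deal with NEW connections.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -m state --state INVALID -j DROP

    # 3. SSH only from the admin network (rule 5)
    $IPT -A INPUT -i "$WAN_IF" -p tcp -s "$ADMIN_NET" --dport 22 -m state --state NEW -j ACCEPT

    # 4. Web (rules 6 and 23): cap concurrent connections per source address,
    #    then rate-limit new connections before accepting them.
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 80,443 -m state --state NEW \
         -m connlimit --connlimit-above 50 --connlimit-mask 32 -j DROP
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 80,443 -m state --state NEW \
         -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

    # 5. Inbound ping (rule 13), rate limited so a ping flood is cheap to drop
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT

    # 6. Outbound: DNS, web, and SSH to the admin network (rules 9, 10, 16)
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 53,80,443 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp -d "$ADMIN_NET" --dport 22 -m state --state NEW -j ACCEPT

    # 7. Log what is about to be dropped (rule 25), then, and only then,
    #    switch the policies to DROP.
    $IPT -N LOGGING
    $IPT -A INPUT -j LOGGING
    $IPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 4
    $IPT -A LOGGING -j DROP
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

# dry_run -> print the iptables commands instead of executing them
dry_run() {
    ( IPT=echo; apply_firewall )
}

# rule_count -> number of -A rules the script would add
rule_count() {
    dry_run | grep -c -- '^-A '
}

case "${1:-}" in
    apply)   apply_firewall ;;
    dry-run) dry_run ;;
esac
```

Run sh firewall.sh dry-run first and read the output top to bottom: the SSH ACCEPT must appear before the -P INPUT DROP line, otherwise the order is wrong. Persist the result with service iptables save (or iptables-save > /etc/sysconfig/iptables) once it is confirmed working.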

February 18, 2012 | Firewall, Security

How to block or allow ips using .htaccess

Suppose you have a site example.com, and in its document root there is a directory "admin" whose access you want to restrict to clients coming from a few known IP addresses.

You can do this by creating a .htaccess file under “admin” directory.

# vim .htaccess

The file can look like this:

===================
Order Deny,Allow
Deny from all
Allow from IP_address1
Allow from IP_address2
Allow from IP_address3
Allow from IP_address4
Allow from IP_address5
===================

example.com/admin/ will then only be accessible from IP_address1-5. Two caveats: the <Directory> block for the document root in httpd.conf must have AllowOverride Limit (or All), otherwise the .htaccess file is silently ignored; and if Apache sits behind a load balancer or reverse proxy, the client address it sees is the proxy's, so either every visitor matches or none does. On Apache 2.4 the Order/Deny/Allow directives are superseded by Require ip, although they still work while mod_access_compat is loaded.

February 16, 2012 | Apache, htaccess

How to configure Webalizer

Webalizer is a GPL web log analysis application: it reads web server access and usage logs and generates HTML reports from them. It is one of the most commonly used web server administration tools and was started by Bradford L. Barrett in 1997. Statistics commonly reported by Webalizer include hits, visits, referrers, the visitors' countries and the amount of data downloaded; they are shown graphically and broken down by different time frames such as day, hour or month.

Hit

Each HTTP request submitted by the browser is counted as one hit. Requests for non-existent content are counted too. For example, a page that references five image files generates six HTTP requests; if one of the images is missing, the web server still counts six hits, five of them successful (the HTML file and four images) and one a failed request (the missing image).

Here are the steps to configure Webalizer on CentOS/RHEL:

1) Install the webalizer by yum

# yum install webalizer

2) Edit /etc/httpd/conf.d/webalizer.conf so the report directory is served:

=====================================
Alias /usage /var/www/usage

#<Location /usage>
#       AllowOverride AuthConfig
#       Order allow,deny
#       Allow from all
#</Location>

<Directory "/var/www/usage">
    AllowOverride AuthConfig
    Options Indexes FollowSymLinks Includes
    Order allow,deny
    Allow from all
</Directory>
=====================================

3. Create the .htaccess file. AllowOverride AuthConfig above is what lets Apache read it; the reports list every visitor address and URL, so do not leave the directory open with Allow from all and no authentication. Includes (server-side includes) and FollowSymLinks are not needed for static report pages and can be dropped from the Options line. The password file named by AuthUserFile is created with htpasswd -c /etc/httpd/htpasswd username and lives outside the document root so it is never served.

# vim /var/www/usage/.htaccess

=====================================
AuthUserFile /etc/httpd/htpasswd
AuthName “Please provide Login Credentials”
AuthType Basic
require valid-user
=====================================

4. Restart httpd services.

# /etc/init.d/httpd restart

February 14, 2012 | Apache, Tips & Tricks, Unix/Linux

How to delete files in directory by date

Sometimes we need to delete files in a directory by age. The following command finds and deletes regular files under /var/www/html whose inode change time (-ctime) is more than 180 days ago; adjust the number of days as needed. Note that -ctime is the time the inode last changed (permissions, ownership or a move also update it), not when the content was last written; for "files nobody has modified in N days" use -mtime instead. Run the find without the -exec part first to review what would be deleted.

# find /var/www/html/ -type f -ctime +180 -exec rm -f {} \; -print

Running rm once per file can take a long time and raise the server load, so prefer the -delete action, which is a bit faster (it only works with GNU find version 4.2.XX or higher):

# find --version
GNU find version 4.2.XX or higher

To remove .txt files under /var/www/html/ that are more than 30 days old (-delete must be the last expression, after the tests that select the files; placed earlier it deletes everything):

# find /var/www/html/ -type f -ctime +30 -name "*.txt" -delete

To remove all .txt files under /var/www/html/:

# find /var/www/html/ -type f -name "*.txt" -delete

To just list the .txt files under /var/www/html/ (do this before adding -delete):

# find /var/www/html/ -type f -name "*.txt"
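A deletion like this should always be run as a listing first. The functions below are an added example, not part of the original post: old_files lists what would be removed, by modification time, and purge_old removes exactly that set with -delete and reports how many files went. Directory, age and name pattern are arguments; the test builds a temporary directory with backdated files.

```shell
#!/bin/sh
# Added example (not from the original post): delete files older than N days
# by modification time, but list what would go first. Directory, age and an
# optional name pattern are arguments.

# old_files DIR DAYS [GLOB] -> regular files under DIR whose mtime is more
# than DAYS days old, optionally restricted to a name pattern
old_files() {
    dir=$1; days=$2; glob=${3:-*}
    find "$dir" -type f -name "$glob" -mtime +"$days"
}

# purge_old DIR DAYS [GLOB] -> delete those files with -delete (no rm fork per
# file) and print the number deleted. -delete implies -depth, and the tests
# before it (-type, -name, -mtime) are what keep it from deleting everything.
purge_old() {
    n=$(old_files "$@" | wc -l)
    find "$1" -type f -name "${3:-*}" -mtime +"$2" -delete
    echo "$n" | tr -d ' '
}

# Usage, dry run first, then delete:
#   old_files /var/www/html 180            # review the list
#   purge_old /var/www/html 180 '*.txt'    # then delete
```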

February 12, 2012 | Tips & Tricks, Unix/Linux

How to Remove MySQL Binary Log

MySQL configuration, by default, maintains binary logs. These logs "contain all statements that update data or potentially could have updated it (for example, a DELETE which matched no rows). Statements are stored in the form of 'events' that describe the modifications. The binary log also contains information about how long each statement took that updated data." This is fine and all, but (again by default) these log files are never deleted. There is a (configurable) max file size for each log, but MySQL simply rolls over to a new log when it is reached. Additionally, MySQL rolls over to a new log file on every (re)start. After a few months of operation, it is easy to see how this can take up a lot of space.

The binary log records every data-changing event (inserts, updates and deletes) in detail. It is used for two main purposes:

Data Recovery : It may be used for data recovery operations. After a backup file has been restored, the events in the binary log that were recorded after the backup was made are re-executed. These events bring databases up to date from the point of the backup.

High availability / replication : The binary log is used on master replication servers as a record of the statements to be sent to slave servers. The master server sends the events contained in its binary log to its slaves, which execute those events to make the same data changes that were made on the master.

As long as every slave has already replicated past a log file, it is safe to remove it. A reasonable policy is to remove only binary logs older than one month, and if point-in-time recovery is a concern, archive them before removal, since recovery needs an unbroken chain of logs from the last full backup. There are several ways to remove or clean up the binary logs; deleting the files manually is not one of them, because the index file (mysql-bin.index) still references them and the server can fail to start.

To start over with a fresh set, log in to MySQL as an administrative user (e.g. mysql -u root -p) and run the following two statements.

RESET MASTER deletes all binary log files listed in the index, empties the index and starts a new log numbered .000001. It is intended for initialising a new master/slave pair; running it on a master that already has slaves attached breaks replication, because they will ask for log positions that no longer exist.

To clean up Binary Log on Master Server

# mysql -u username -p

mysql> flush logs;

mysql> reset master;

To clean up Binary Log on Slave Server

# mysql -u username -p

mysql> flush logs;

mysql> reset slave;

These statements delete the binary log files from disk; they do not merely empty them. Depending on the size and number of your logs they may take a while to run, and afterwards the log index restarts at 1. RESET SLAVE, run on a slave, deletes its relay logs and forgets its replication position (it does not touch the slave's own binary logs); stop the replication threads with STOP SLAVE first.

Here is how to purge the binary logs selectively (again, never remove the files from the filesystem by hand). The PURGE BINARY LOGS statement removes logs up to a named sequence number or before a date:

mysql> purge binary logs to ‘mysql-bin-log.000015’;

Alternatively, you can remove the binary older than a specific date.

mysql> purge binary logs before ‘2012-02-02 22:46:26’;

The BEFORE variant's datetime_expr argument should evaluate to a DATETIME value (a value in 'YYYY-MM-DD hh:mm:ss' format). Both forms remove the binary log files from disk and update the index.

mysql> show binary logs;

The statement above lists the binary logs on the master, with their sizes.

Do not purge a log that any slave is still reading: check Relay_Master_Log_File in SHOW SLAVE STATUS on each slave and purge only up to the oldest value reported. To have the server expire old logs automatically, add the following to /etc/my.cnf:

expire_logs_days = 5

in order to keep only the last 5 days of binary logs (on MySQL 8.0 the equivalent setting is binlog_expire_logs_seconds).
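The purge-up-to-the-oldest-slave-position rule is easy to get wrong by hand when there are several slaves. The functions below are an added example, not part of the original post: given the Relay_Master_Log_File value from each slave, they work out the lowest-numbered log still in use and emit a PURGE BINARY LOGS TO statement that keeps it and everything after it, and refuse to produce a statement when no slave positions are supplied. The log names in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): build a PURGE BINARY LOGS
# statement that never removes a log a slave still needs. Each slave's
# Relay_Master_Log_File (from SHOW SLAVE STATUS) is passed as an argument.

# oldest_needed LOGNAME... -> the lowest-numbered log among those still being
# read by a slave. Binary log names share a prefix and end in a zero-padded
# sequence number, so sorting numerically on the suffix is enough.
oldest_needed() {
    for name in "$@"; do echo "$name"; done | sort -t. -k2,2n | head -1
}

# purge_statement LOGNAME... -> SQL to run on the master: logs before the
# oldest one still needed are removed, that one and newer ones are kept.
# With no slave positions given, refuse rather than purge blindly.
purge_statement() {
    [ $# -gt 0 ] || { echo "purge_statement: no slave positions given" >&2; return 1; }
    printf "PURGE BINARY LOGS TO '%s';\n" "$(oldest_needed "$@")"
}

# Typical use (collect the position on each slave, then run on the master):
#   pos1=$(mysql -e 'SHOW SLAVE STATUS\G' | awk '/Relay_Master_Log_File/ {print $2}')
#   mysql -e "$(purge_statement "$pos1" "$pos2")"
```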

February 10, 2012 | MySQL, Tips & Tricks

How to add static route in linux

Static routes tell the kernel about networks that are not reachable through the default gateway, for example a second site behind a different router, without running a routing daemon and without the traffic that routing protocols generate. They are also the natural choice in stub networks (i.e. where there is only one link to the network).

Display Current Routing Table Using following command

# ip route show

Sample output:
10.10.10.0/24 dev eth1 proto kernel  scope link  src 10.10.10.3
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.3
default via 192.168.1.254 dev eth0

You can add static route using following command:

ip route add {NETWORK} via {IP} dev {DEVICE}

For example network 172.17.0.0/24 available via 192.168.1.254:

# ip route add 172.17.0.0/24 via 192.168.1.254 dev eth0

Alternatively, you can use the good old route command (the same route as above):

# route add -net 172.17.0.0 netmask 255.255.255.0 gw 192.168.1.254 dev eth0

The drawback of both ip and route is that the route is gone after a reboot, so store it in a configuration file. (Static routing means the routes are fixed paths entered by the administrator rather than learned by a routing daemon.) On RHEL/CentOS, static routes for eth0 are defined in /etc/sysconfig/network-scripts/route-eth0. The file uses numbered ADDRESSn/NETMASKn/GATEWAYn triples as shown below; it also accepts ip route syntax, one route per line, such as 172.17.0.0/24 via 192.168.1.254 dev eth0.

# cat /etc/sysconfig/network-scripts/route-eth0

Sample Output:
GATEWAY0=192.168.1.254
NETMASK0=255.255.255.0
ADDRESS0=172.17.0.0

# service network restart

Verify new routing table:

# route -n

On distributions without an interface-specific route file, the fallback is to add the ip route add line from above to /etc/rc.local. It runs after the interfaces are up, but a failing line there is easy to miss, so prefer the route-eth0 file where it exists.
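Because the route-eth0 format is terse, it helps to see exactly which ip route commands it translates to before restarting the network service. The script below is an added example, not part of the original post: it converts the ADDRESSn/NETMASKn/GATEWAYn triples into the equivalent ip route add lines, converting dotted netmasks to prefix lengths along the way and taking the interface from the file name. The sample file in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): turn a RHEL/CentOS
# route-ethX file in ADDRESSn/NETMASKn/GATEWAYn form into the equivalent
# `ip route add` commands, so you can review what the network service will
# apply (or apply them by hand).

# mask_to_prefix DOTTED_MASK -> prefix length (255.255.255.0 -> 24)
# Counts the set bits of each octet; it does not reject non-contiguous masks.
mask_to_prefix() {
    echo "$1" | awk -F. '{
        bits = 0
        for (i = 1; i <= 4; i++) {
            o = $i
            while (o > 0) { bits += o % 2; o = int(o / 2) }
        }
        print bits
    }'
}

# routes_from_file FILE [DEV] -> one "ip route add NET/PREFIX via GW dev DEV"
# line per complete ADDRESSn/NETMASKn/GATEWAYn triple, in index order. DEV
# defaults to the interface named in the file name (route-eth0 -> eth0).
routes_from_file() {
    file=$1
    dev=${2:-$(basename "$file" | sed 's/^route-//')}
    awk -F= '
        /^ADDRESS[0-9]+=/ { n = substr($1, 8); addr[n] = $2 }
        /^NETMASK[0-9]+=/ { n = substr($1, 8); mask[n] = $2 }
        /^GATEWAY[0-9]+=/ { n = substr($1, 8); gw[n]   = $2 }
        END { for (n in addr) if (n in mask && n in gw) print n, addr[n], mask[n], gw[n] }
    ' "$file" | sort -n | while read -r n addr mask gw; do
        echo "ip route add $addr/$(mask_to_prefix "$mask") via $gw dev $dev"
    done
}

# Usage:
#   routes_from_file /etc/sysconfig/network-scripts/route-eth0
```

Compare the output against ip route show after service network restart; a route that appears in the file but not in the table usually means a typo in one of the three variables, which the network scripts skip silently.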

February 8, 2012 | Tips & Tricks, Unix/Linux

Protected: SYN_Flood Attack Protection


February 6, 2012 | Firewall, Security, Shell Script, Tips & Tricks

How to enable user authentication for single user mode

On RHEL and CentOS (SysV init, up to release 6) booting into single-user mode drops you straight into a root shell without asking for a password. That is handy when the authentication subsystem is broken and keeps you out, but anyone with console access can get root the same way, so on a shared or exposed machine it is better to require the root password. Debian and Ubuntu already do this: they run sulogin, which prompts for the root password, in single-user and recovery mode, and systemd-based releases do the same for rescue mode.

To get the same behaviour on RHEL/CentOS, add a sulogin entry to /etc/inittab:

1. Edit the system file

# vim /etc/inittab

2. Go to a new line at the end of the file and type

sum:S:wait:/sbin/sulogin

3. Save the file

4. Exit the editor

The first field is an arbitrary id; ~~:S:wait:/sbin/sulogin is the form usually shown in documentation and behaves the same. Note that this only protects the single-user entry point: anyone who can edit the kernel command line in GRUB can still boot with init=/bin/bash, so pair it with a GRUB password and a BIOS setting that prevents booting from removable media.

February 4, 2012 | Tips & Tricks, Unix/Linux

How to view the Dell Service Tag from Linux, Windows and a VMware ESXi Virtual Machine

1. Get DELL Service Tag on remote Windows system

Log in to the Windows remote host using VNC or a remote desktop connection and use WMIC to get the service tag as shown below.

C:\>wmic bios get serialnumber
SerialNumber
ABCDEF1

Following WMIC command will give make and model number along with service tag.

C:\>wmic csproduct get vendor,name,identifyingnumber
IdentifyingNumber    Name                Vendor
ABCDEF1              PowerEdge 2950      Dell Inc.

If VNC or remote desktop to the remote host is not available, run the following from the local host to query it remotely (this goes over DCOM/RPC and needs administrator credentials on the remote host; replace remote-host with its machine name):

C:\>wmic /user:administrator /node:remote-host bios get serialnumber
SerialNumber
ABCDEF1

2. Get DELL Service Tag on remote Linux system

Login to the Linux remote-host using SSH. Use dmidecode on Linux to get service tag as shown below.

[remote-host]# dmidecode -s system-serial-number
ABCDEF1

Method 1: Identify DELL Service TAG on VMWare Server

If you have installed VMware Server on a base OS, log in to the base OS and use dmidecode to get the service tag, exactly as you would on a physical Dell PowerEdge server running Linux.

# dmidecode | more
Handle 0x0100, DMI type 1, 25 bytes.
System Information
        Manufacturer: Dell Computer Corporation
        Product Name: PowerEdge 2850
        Serial Number: H234567

Refer to View DELL Service Tag and Express Service Code From Linux and Windows for more details.

Method 2: Identify DELL Service TAG on VMWare ESXi

With VMware ESXi there is no base OS. Running dmidecode inside a virtual machine on that ESXi host does not return the Dell service tag; instead you get VMware's virtual hardware information, as shown below.

# dmidecode | more
Handle 0x0001, DMI type 1, 27 bytes
System Information
        Manufacturer: VMware, Inc.
        Product Name: VMware Virtual Platform
        Serial Number: VMware-11 aa bb cc dd ee ff gg-hh ii jj

To identify the Dell service tag of such a host, log in with the vSphere client:

-> click the top level node (the ESXi host) in the left-hand tree
-> click the "Configuration" tab
-> the left side shows "Hardware" and "Software" sections
-> click the "Processors" link in the "Hardware" section
-> under "System" you will see the Dell service tag

If you have SSH or shell access to the ESXi host itself, esxcli hardware platform get prints the same Serial Number from the command line.
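When an inventory script collects service tags with dmidecode, the VMware case above is the trap: the script happily records "VMware-..." as if it were a tag. The functions below are an added example, not part of the original post: they parse dmidecode -t 1 output, return the serial only when the manufacturer is Dell, and otherwise report that the machine is virtual so the tag has to be taken from the host. The dmidecode output in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): read the service tag with
# dmidecode but tell a real Dell box from a VM whose serial is a VMware
# placeholder, so monitoring scripts do not record "VMware-..." as a tag.

# dmi_field FILE "Field Name" -> value of that field from "dmidecode -t 1" output
dmi_field() {
    awk -F': *' -v k="$2" '$1 ~ "^[ \t]*" k "$" { print $2; exit }' "$1"
}

# service_tag FILE -> prints the Dell service tag and returns 0, or prints
# "virtual (<manufacturer>)" and returns 1 when the DMI data belongs to a
# hypervisor; for a VM the tag has to come from the host (vSphere client)
service_tag() {
    f=$1
    maker=$(dmi_field "$f" "Manufacturer")
    serial=$(dmi_field "$f" "Serial Number")
    case $maker in
        Dell*) echo "$serial"; return 0 ;;
        *)     echo "virtual ($maker)"; return 1 ;;
    esac
}

# Usage on a real host (dmidecode needs root):
#   dmidecode -t 1 > /tmp/dmi.txt && service_tag /tmp/dmi.txt
```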

February 2, 2012 | Tips & Tricks, Unix/Linux