Monday, June 25, 2012

SSL renegotiation enabled - Mozilla Firefox


When you try to access a site that has SSL renegotiation enabled, you get the following error:
Renegotiation is not allowed on this SSL socket.
(Error code: ssl_error_renegotiation_not_allowed)
[Firefox error screenshot]
To enable SSL renegotiation you need to point your browser to about:config. After confirming that you know what you are doing, search for:
security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref
and set it to true. After this you should be able to access the site. As the preference name says, this re-enables unrestricted renegotiation for every site, not just the one you are trying to reach.

Friday, June 22, 2012

Shell script to archive and remove old files



cd /var/spool || exit 1

# Loop over each sub-directory of /var/spool (directories only).
# If your find supports -maxdepth, this is the cleaner equivalent:
#   find . -mindepth 1 -maxdepth 1 -type d | while read -r folder
ls -l | grep '^d' | awk '{print $NF}' | while read -r folder
do
  mkdir -p "/backup/spool/$folder"
  # Move files older than 15 days into the backup area. -type f keeps the
  # folder itself (which is usually older than 15 days too) from being moved.
  find "$folder" -type f -mtime +15 -exec mv {} "/backup/spool/$folder" \;
  cd /backup/spool || exit 1
  # The archive is gzip-compressed, so name it .tar.gz rather than .zip
  tar -cvzf "$folder-$(date '+%Y-%m-%d').tar.gz" "$folder"
  # Uncomment to keep a copy of the archives elsewhere:
  # mv "$folder"-*.tar.gz /dump_restore/spool/
  # Remove the moved files now that they are inside the archive
  rm -f -- "/backup/spool/$folder"/*
  cd /var/spool || exit 1
done

Archiving old files into one tarball


cd /var/spool || exit 1
# A fixed name under /tmp is predictable; mktemp gives a private list file
list=$(mktemp) || exit 1
# List files older than 15 days, NUL-separated so names with spaces are safe
find . -mtime +15 -type f -print0 > "$list"
tar --create --gzip --null --files-from "$list" \
    --file "/dump_restore/spool/repository-$(date +%Y%m%d).tar.gz"
# Delete exactly the files that were archived, from the same list rather
# than from a second find (which could pick up files that were never archived)
xargs -0 rm -f -- < "$list"
rm -f "$list"
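The two scripts in this post both move or delete files after archiving them, which is where an archive job can silently lose data. The following is an added example (it is not part of the original post) that covers both: it archives files older than a given number of days into one tarball and deletes only what the archive is verified to contain. It tightens the post's approach in three places: the file list is NUL-separated (names with spaces or newlines are safe), the delete step reads the same list instead of running a second find (a file that ages into the window between two finds can no longer be deleted without having been archived), and nothing is removed until "tar --diff" confirms the archive matches what is on disk. It needs GNU tar, findutils and coreutils; the spool tree built by make_demo_spool is constructed for the demo.

```shell
#!/bin/bash
# Added example: archive-then-prune with verification (not from the original post).

# archive_and_prune SRC_DIR DEST_TARBALL DAYS -> prints the number of files archived
archive_and_prune() {
  local src=$1 dest=$2 days=$3 list n
  list=$(mktemp) || return 1
  # NUL-separated list of regular files older than DAYS, relative to SRC_DIR
  ( cd "$src" && find . -type f -mtime +"$days" -print0 ) > "$list"
  n=$(tr -cd '\0' < "$list" | wc -c | tr -d ' ')
  if [ "$n" -eq 0 ]; then
    rm -f "$list"; echo 0; return 0
  fi
  if ! tar --create --gzip --directory "$src" --null --files-from "$list" --file "$dest"; then
    rm -f "$list"; return 1
  fi
  # Re-read every archived member and compare it with the file on disk;
  # any mismatch aborts before the delete step.
  if ! tar --diff --gzip --directory "$src" --file "$dest"; then
    rm -f "$list"; return 1
  fi
  # Delete exactly the files that were listed and verified, nothing else
  ( cd "$src" && xargs -0 rm -f -- ) < "$list"
  rm -f "$list"
  echo "$n"
}

# make_demo_spool DIR -> constructed demo tree: two files older than 15 days
# (one with spaces in its path) and one recent file
make_demo_spool() {
  mkdir -p "$1/a dir"
  echo old  > "$1/a dir/old file.txt"
  echo old2 > "$1/old2.txt"
  echo new  > "$1/new.txt"
  touch -d '20 days ago' "$1/a dir/old file.txt" "$1/old2.txt"
}

# Demo run against a throwaway tree
demo=$(mktemp -d)
make_demo_spool "$demo/spool"
echo "archived: $(archive_and_prune "$demo/spool" "$demo/spool-$(date +%Y%m%d).tar.gz" 15) file(s)"
echo "left behind:"; find "$demo/spool" -type f
rm -rf "$demo"
```

The demo reports 2 archived files and leaves only new.txt behind. Running the function a second time on the same tree returns 0 and creates no archive, so it is safe to schedule from cron.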


Monday, June 18, 2012

Apache restrict access based on IP address

Apache can restrict access to selected directories based on IP address. The Apache web server allows or refuses access based on various conditions. For example, suppose you only want to allow access to the URL http://sashika.suren.lk (mapped to the /var/www/sashika directory) from the 192.168.1.0/24 network (the intranet).

Apache provides access control based on client hostname, IP address, or other characteristics of the client request through the mod_access module.

Open your httpd.conf file:
# vi /etc/httpd/conf/httpd.conf

Locate the directory section (for example /var/www/sashika) and set it as follows:


<Directory /var/www/sashika/>
Order allow,deny
Allow from 192.168.1.0/24
Allow from 127
</Directory>

 
Order allow,deny: The Order directive controls the default access state and the order in which Allow and Deny directives are evaluated. With allow,deny, the Allow directives are evaluated before the Deny directives, and access is denied by default: any client which does not match an Allow directive, or does match a Deny directive, is denied access to the server.

Allow from 192.168.1.0/24: The Allow directive controls which hosts can access an area of the server (here /var/www/sashika/). With the two Allow lines above, access is only allowed from the 192.168.1.0/24 network and from localhost (Allow from 127 matches every address whose first octet is 127, which includes 127.0.0.1).
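The decision rule described above is easy to get wrong when a Deny line is added later, so here is an added example (not part of the original post, and not Apache's own code) that reproduces the "Order allow,deny" decision for a client IP in a small bash evaluator. The ALLOW_RULES and DENY_RULES lists are constructed here; the two Allow entries are the ones from the <Directory> block above and the Deny list is empty, as in the post.

```shell
#!/bin/bash
# Added example: evaluator for Apache "Order allow,deny" semantics (not from the post).
ALLOW_RULES="192.168.1.0/24 127"
DENY_RULES=""

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# rule_matches RULE IP -> exit 0 when IP matches RULE. Handles the two
# "Allow/Deny from" address forms used above: CIDR (192.168.1.0/24) and a
# partial dotted address (127 or 10.1), which matches on whole leading octets.
rule_matches() {
  local rule=$1 ip=$2 net bits mask
  case $rule in
    */*)
      net=${rule%/*}; bits=${rule#*/}
      mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
      [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$ip") & mask )) ]
      ;;
    *)
      case "$ip." in
        "$rule."*) return 0 ;;
        *)         return 1 ;;
      esac
      ;;
  esac
}

# order_allow_deny IP -> prints allow or deny. Order allow,deny: every Allow
# is evaluated first, then every Deny; the default is deny, so a client that
# matches no Allow, or matches any Deny, is refused.
order_allow_deny() {
  local ip=$1 rule decision=deny
  for rule in $ALLOW_RULES; do
    if rule_matches "$rule" "$ip"; then decision=allow; fi
  done
  for rule in $DENY_RULES; do
    if rule_matches "$rule" "$ip"; then decision=deny; fi
  done
  echo "$decision"
}

# Demo: an intranet client, localhost, and an outside address
for client in 192.168.1.77 127.0.0.1 10.0.0.5; do
  printf '%-14s %s\n' "$client" "$(order_allow_deny "$client")"
done
```

With the post's configuration the demo prints allow for 192.168.1.77 and 127.0.0.1 and deny for 10.0.0.5. Adding a single host to DENY_RULES turns that host's decision to deny even though it still matches the Allow line, which is the "does match a Deny directive" case from the explanation above. On Apache 2.4 the same policy is written with "Require ip 192.168.1.0/24" and "Require ip 127.0.0.1" from mod_authz_core; the Order/Allow/Deny form shown above needs mod_access_compat there.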

Mail sending with one command without using telnet command

echo test | mailx -v -s "test" root

With -v, mailx prints the SMTP dialogue, so this checks everything a manual telnet session would. Excellent command. The nail command can also be used to attach a file and send it to users.

File upload script using expect

#!/usr/bin/expect
# Push /root/backup-mail to the remote host over rsync/ssh, answering the
# password prompt automatically. The password is stored in clear text in this
# file, so it must be readable by root only; an SSH key is the usual
# replacement for this pattern.
set timeout -1
set pass "123456"
spawn rsync -avzh -e ssh /root/backup-mail root@192.168.1.1:/root/backup/
expect {
    "password:" { send "$pass\r"; exp_continue }
    eof
}

Error: Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname.

Solution: Move the WebGUI to an alternate port (not 80 or 443) and tick "Disable webConfigurator redirect rule" under System > Advanced.

After the configuration change, the DNS Rebind Check should be disabled and the browser HTTP_REFERER enforcement should be disabled.

Linux server backup script


#!/bin/bash
# Copy a set of configuration files and directories into /root/backup/.

# backup_file SOURCE_FILE DEST_DIR -> copy one file, creating DEST_DIR if needed
backup_file() {
    local src=$1 dest=$2
    if [ ! -f "$src" ]; then
        echo "File not found: $src" >&2
        return 1
    fi
    mkdir -p "$dest"
    # -f replaces the "yes | cp" trick for answering a cp -i alias
    cp -f "$src" "$dest"
}

# backup_dir SOURCE_DIR DEST_DIR -> copy a directory's contents recursively,
# preserving ownership, modes and timestamps
backup_dir() {
    local src=$1 dest=$2
    mkdir -p "$dest"
    cp -Rpf "$src"/* "$dest"
}

backup_file /root/fwr.sh                   /root/backup/
backup_file /etc/rc.local                  /root/backup/
backup_file /etc/resolv.conf               /root/backup/
backup_file /etc/hosts                     /root/backup/
backup_file /etc/sysconfig/network         /root/backup/
backup_dir  /etc/sysconfig/network-scripts /root/backup/network-scripts
backup_dir  /etc/squid                     /root/backup/squid
backup_dir  /etc/mail                      /root/backup/mail
backup_dir  /var/qmail                     /root/backup/qmail

Unable to determine enabled services from ldap - Zimbra

You may suddenly get errors from network services in Zimbra. To check whether it is this issue or something else, try:
# su zimbra
$ zmcontrol status
If a couple of services are reported as not running, try restarting them:
$ zmcontrol restart
Now you may get the same error stating "unable to determine enabled services from LDAP".
:) Congratulations! Your default 365-day SSL certificate has expired. Simple: you have to renew the certificate. :)
Steps to follow:
1) First stop all Zimbra services
su - zimbra -c 'zmcontrol stop'
2) Delete all certificate-related files in Zimbra
rm -rf /opt/zimbra/ssl/*
rm -rf /opt/zimbra/ssl/.rnd
3) Delete all keys related to the existing certificate
/opt/zimbra/java/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
/opt/zimbra/java/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password'`
(mind the quoting and backticks)
4) Edit the certificate parameters
vi /opt/zimbra/bin/zmcertmgr
# Find the line
# SUBJECT="/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=${zimbra_server_hostname}"
# and change it to your company name
SUBJECT="/C=US/ST=N\/A/L=N\/A/O=xxxxxxxxxxx/OU=xxxxxxxxxxx/CN=${zimbra_server_hostname}"
# then find validation_days=365 and change it to the number of days you want the certificate to be valid, e.g. validation_days=3650
# save /opt/zimbra/bin/zmcertmgr
5) Create and deploy the new self-signed certificates
/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr deployca -localonly
/opt/zimbra/bin/zmcertmgr createcrt self -new
/opt/zimbra/bin/zmcertmgr deploycrt self
su - zimbra -c 'zmcontrol start'
/opt/zimbra/bin/zmcertmgr deploycrt self
/opt/zimbra/bin/zmcertmgr deployca
su - zimbra -c 'zmupdateauthkeys'
/opt/zimbra/bin/zmcertmgr viewdeployedcrt

Now you can enjoy Zimbra without any certificate issues for the next 10 years.
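The outage above only happens because nobody noticed the certificate's expiry date coming up. The following is an added example (not part of the original post and not one of Zimbra's tools) that reports how many days a certificate file has left and flags it when it falls inside a warning window, so the renewal can be done before zmcontrol starts failing. It uses only openssl and GNU date. The certificate is generated locally for the demo; on a real server you would point cert_days_left at the deployed certificate file (the path is whatever your installation uses; none is assumed here).

```shell
#!/bin/bash
# Added example: certificate expiry check (not from the original post).

# cert_days_left CERT_FILE -> prints whole days until notAfter
# (0 or less once the certificate is about to expire or has expired)
cert_days_left() {
  local cert=$1 end now
  end=$(openssl x509 -in "$cert" -noout -enddate) || return 1
  end=${end#notAfter=}                      # e.g. "Jun 25 08:00:00 2022 GMT"
  end=$(date -u -d "$end" +%s) || return 1  # GNU date parses openssl's format
  now=$(date -u +%s)
  echo $(( (end - now) / 86400 ))
}

# cert_expires_within CERT_FILE SECONDS -> exit 0 if the cert expires within SECONDS
cert_expires_within() {
  # openssl exits 0 when the certificate is still valid after SECONDS, so invert
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# make_demo_cert OUT_CRT DAYS -> constructed self-signed certificate valid for
# DAYS days; the key is written next to it and is only needed to create the cert
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -days "$2" -keyout "${1%.crt}.key" -out "$1" 2>/dev/null
}

# Demo: a certificate with 30 days left passes a one-hour check but trips a
# 60-day warning threshold, which is the point at which to schedule renewal
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/demo.crt" 30
echo "days left: $(cert_days_left "$demo_dir/demo.crt")"
if cert_expires_within "$demo_dir/demo.crt" $((60 * 86400)); then
  echo "warning: certificate expires within 60 days, renew it"
fi
rm -rf "$demo_dir"
```

Run from cron against the deployed certificate, the cert_expires_within check gives a warning weeks ahead instead of a dead mail server on the day the 365 (or 3650) days run out.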