SSH port forwarding lets you establish a secure SSH session and then tunnel arbitrary TCP connections through it.
The syntax is: ssh -L localport:remotehost:remoteport remotehostip
[root@Desktop]# ssh -L 5280:localhost:5280 192.168.0.38
Password: *******
The command drops you into a shell on the remote server; leave that session open while you use the tunnel.
If you do not want a remote shell at all, add the -N option so ssh only forwards ports.
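The one thing worth checking before opening a tunnel is where the local end listens: ssh binds the forwarded port to the loopback interface unless the -L spec carries a bind address (or GatewayPorts is enabled in the client config), and a spec like 0.0.0.0:8080:host:80 or *:3306:host:3306 hands the tunnel to every machine that can reach you. The following parser is an added example, not code from the original post or from OpenSSH; the spec list and the function names are constructed for the illustration.

```python
import ipaddress

# Constructed -L specs for the illustration (not from the original post).
SAMPLE_SPECS = [
    "5280:localhost:5280",            # the form the post uses: loopback only
    "127.0.0.1:5280:localhost:5280",  # explicit loopback bind
    "0.0.0.0:8080:10.0.0.5:80",       # listens on every interface
    "*:3306:db.internal:3306",        # ssh's wildcard: same exposure
    "localhost:2222:localhost:22",
]


def parse_local_forward(spec):
    """Parse an ssh -L spec of the form [bind_address:]port:host:hostport.

    Returns a dict; bind_address is None when omitted, which ssh treats as
    "listen on loopback" unless GatewayPorts is set in the client config.
    Bracketed IPv6 bind addresses are not handled here.
    """
    parts = spec.split(":")
    if len(parts) == 3:
        bind_address, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind_address, port, host, hostport = parts
    else:
        raise ValueError(f"expected port:host:hostport or "
                         f"bind:port:host:hostport, got {spec!r}")
    try:
        port_n, hostport_n = int(port), int(hostport)
    except ValueError:
        raise ValueError(f"ports must be integers in {spec!r}") from None
    for p in (port_n, hostport_n):
        if not 1 <= p <= 65535:
            raise ValueError(f"port {p} out of range in {spec!r}")
    if not host:
        raise ValueError(f"empty target host in {spec!r}")
    return {"bind_address": bind_address, "port": port_n,
            "host": host, "hostport": hostport_n}


def is_exposed(fwd):
    """True when the local listener is reachable from other machines.

    No bind address, 'localhost' or a loopback IP keep the listener local;
    '*', an unspecified address (0.0.0.0 / ::) or any other address opens it
    to the network (subject only to the host firewall).
    """
    bind = fwd["bind_address"]
    if bind is None or bind == "localhost":
        return False
    if bind == "*":
        return True
    try:
        return not ipaddress.ip_address(bind).is_loopback
    except ValueError:
        return True  # a hostname other than localhost: assume non-loopback


def exposed_specs(specs):
    """Return the specs from the list whose listener is network-reachable."""
    return [s for s in specs if is_exposed(parse_local_forward(s))]


if __name__ == "__main__":
    for spec in SAMPLE_SPECS:
        fwd = parse_local_forward(spec)
        where = "EXPOSED" if is_exposed(fwd) else "loopback"
        print(f"{spec:35} -> {where}, forwards to {fwd['host']}:{fwd['hostport']}")
```

Run it against the specs you actually use; anything it reports as EXPOSED should either gain an explicit 127.0.0.1 bind address or be covered by an iptables rule on the local host.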
Friday, August 19, 2011
Thursday, August 18, 2011
"Install aborted by user" / "Installation aborted" while installing R1soft
When installing the 2.x agent, the installation fails with the following output:
root@box:/usr/src# ./linux-agent-64-1.78.0-generic.run
Verifying archive integrity... All good.
Uncompressing Righteous Backup Linux Agent..........................................................................................................
Install aborted by user
Installation aborted
Cause
Debian has switched to a new terminal database included in the ncurses-base package. This terminal database is required for the CDP installer.
http://packages.debian.org/squeeze/ncurses-base
Resolution
Installing the ncurses-term package and setting the new TERM variable allows the CDP installer to run properly.
#apt-get -y install ncurses-term
#export TERM=xterm1
#apt-get -y install linux-headers-$(uname -r)
If you do not have rsync installed on your system, please install it now in order to have the prerequisites necessary for this walkthrough:
#apt-get -y install rsync
The following commands will allow you to run the installer. For this example, the installer has been placed in /usr/src.
root@box:/usr/src# ./linux-agent-64-1.78.0-generic.run
For more information on installing the CDP agent, please refer to:
http://wiki.r1soft.com/display/R1D/Installing+the+Linux+Agent
R1soft installation on a Debian server
If you are getting the errors below while installing R1soft on a Debian server:
=====================
root@box:~# /usr/bin/r1soft-cki
Checking for binary module
..
No binary module found
Gathering kernel information
Gathering kernel information complete.
Creating kernel headers package
Checking '/usr/src/linux-headers-2.6.30-1-common' for kernel headers
Found headers in '/usr/src/linux-headers-2.6.30-1-common'
Compressing...
uploading kernel package 100% 3863KB 3.8MB/s 00:01
Starting module build...
............................gathering required information...
sending request for kernel module...
kernel module installer failed. (0):
chroot chroot make
make[1]: Entering directory `/'
~~~~~~
make: Entering an unknown directory
make: *** /usr/src/linux-headers-2.6.30-1-common: No such file or directory. Stop.
make: Leaving an unknown directory
make[4]: *** [all] Error 2
~~~~~~
=====================
This issue is known to affect Debian, SUSE, and other distributions that keep separate architecture-specific module directories in their header packages.
Thanks to Chris at Interspire.com for working closely with us to find a resolution.
The Debian developers removed the common/architecture-specific symlinks for the kernel headers in 2.6.29 and higher,
and in the process broke a whole heap of kernel module builds, including the R1Soft CDP Agent module
(see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521515).
Basically, there are now two kernel header directories, both of which contain necessary files:
drwxr-xr-x 4 root root 4096 2010-01-20 05:43 linux-headers-2.6.32-trunk-amd64
drwxr-xr-x 4 root root 4096 2010-01-20 05:47 linux-headers-2.6.32-trunk-common
Resolution
Copying the contents of these two directories into a temporary directory, with the proper Makefile chosen,
allows the r1soft-cki process to compile a module successfully.
cd /usr/src/
/bin/cp -ra linux-headers-2.6.32-3-amd64/ /usr/src/r1build
/bin/cp -ra linux-headers-2.6.32-3-common/* /usr/src/r1build/
Now point the r1soft-cki utility at your temporary directory by adding the following flags to the command.
CDP2
# /usr/bin/r1soft-cki --get-module --kernel-dir /usr/src/r1build
CDP3
# /usr/bin/r1soft-setup --get-module --kernel-dir /usr/src/r1build
After a successful build, you can delete the temporary directory, start the agent, and enjoy Continuous Data Protection!
rm -r /usr/src/r1build
buagentctl start
Saturday, August 13, 2011
Adding SSH keys
If you need an automatic (password-less) login from host A to host B, follow the steps below.
1) SSH into server A.
2) Execute the command below:
ssh-keygen -t rsa (don't type any input, just press Enter for all questions; the private and public keys will be stored in the default location)
3) Copy the public key (/root/.ssh/id_rsa.pub) and append it to the following file on the remote host, server B:
.ssh/authorized_keys2
Then change the permissions of this file to 640 (chmod 640).
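Whether the login actually works after step 3 depends on the file modes: sshd's StrictModes setting (on by default) refuses a key file, a .ssh directory or a home directory that is group- or world-writable, and a failed check shows up only as a silent fall-back to password authentication. The checker below is an added example, not part of OpenSSH or of the original post; the 640 mode from the post passes it and a world-writable file fails. The helper names, the demo layout and the placeholder key line are constructed for the illustration.

```python
import os
import stat
import tempfile

# Modes sshd's StrictModes rejects: group- or world-writable path components.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def check_ssh_perms(home, key_file="authorized_keys2"):
    """Return a list of problems found in home/.ssh for the given key file.

    An empty list means the layout would pass sshd's StrictModes check.
    The default file name follows the post; current sshd reads
    authorized_keys as well. Hypothetical helper, not OpenSSH code.
    """
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, key_file)
    for path in (home, ssh_dir):
        if not os.path.isdir(path):
            problems.append(f"missing directory {path}")
            return problems
        if os.stat(path).st_mode & WRITABLE_BY_OTHERS:
            problems.append(f"{path} is group/world writable")
    if not os.path.isfile(keys):
        problems.append(f"missing {keys}")
        return problems
    mode = os.stat(keys).st_mode
    if mode & WRITABLE_BY_OTHERS:
        problems.append(f"{keys} is group/world writable")
    if not mode & stat.S_IRUSR:
        problems.append(f"{keys} is not readable by its owner")
    return problems


def demo():
    """Build two constructed layouts in a temp dir and check both.

    Returns (problems_for_mode_640, problems_for_mode_666).
    """
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("good", 0o640), ("bad", 0o666)):
            home = os.path.join(tmp, name)
            ssh_dir = os.path.join(home, ".ssh")
            os.makedirs(ssh_dir)
            os.chmod(home, 0o755)
            os.chmod(ssh_dir, 0o700)
            keys = os.path.join(ssh_dir, "authorized_keys2")
            with open(keys, "w") as f:
                # constructed placeholder, not a real key
                f.write("ssh-rsa AAAA-PLACEHOLDER-KEY root@A\n")
            os.chmod(keys, mode)
            results.append(check_ssh_perms(home))
    return tuple(results)


if __name__ == "__main__":
    good, bad = demo()
    print("mode 640:", good or "ok")
    print("mode 666:", bad)
```

On a real host call check_ssh_perms("/root") (or the target user's home) on server B after copying the key; an empty list means a remaining login failure is not a permissions problem.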
Tuesday, August 9, 2011
IPTABLES
First check whether the IP is already present in your iptables rules:
iptables -nL | grep <IP address>
If the IP is listed in your iptables rules, delete the rule with the commands below.
iptables -L INPUT -n --line-numbers (list the rules with line numbers)
iptables -D INPUT <line number>
Save the rules: /etc/init.d/iptables save
Restart iptables: /etc/init.d/iptables restart
Other Features
Deny access to a specific IP address
iptables -I FORWARD -d 123.123.123.123 -j DROP
Deny access to a specific Subnet
iptables -I FORWARD -s 192.168.2.0/255.255.255.0 -j DROP
Deny access to a specific IP address range with logging
iptables -I FORWARD -m iprange --src-range 192.168.1.10-192.168.1.13 -j logdrop
Deny access to a specific Outbound IP address with logging
iptables -I OUTPUT -d 239.255.255.250 -j logdrop
Block SMTP traffic except to specified hosts
/usr/sbin/iptables -I FORWARD 1 -p tcp -d safe.server1.com --dport 25 -j logaccept
/usr/sbin/iptables -I FORWARD 2 -p tcp -d safe.server2.com --dport 25 -j logaccept
/usr/sbin/iptables -I FORWARD 3 -p tcp --dport 25 -j logdrop
Block outgoing SMTP traffic except from specified hosts
iptables -I FORWARD 1 -p tcp -s 192.168.1.2 --dport 25 -j ACCEPT
iptables -I FORWARD 2 -p tcp -s 192.168.1.1/24 --dport 25 -j REJECT
Allow HTTP traffic only to specific domain(s)
iptables -I FORWARD 1 -p tcp -d dd-wrt.com --dport 80 -j ACCEPT
iptables -I FORWARD 2 -p tcp --dport 80 -j DROP
Block all traffic except HTTP, HTTPS and FTP
iptables -I FORWARD 1 -p tcp -m multiport --dports 21,80,443 -j ACCEPT
iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -j DROP
Port Forwarding to a specific LAN IP
Port forwarding can be configured from within the web interface. However, the very same thing can be done a bit differently (tested and working) via the command line. --u3gyxap: Example with port 443 and IP 192.168.1.2
iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 443 -j DNAT --to 192.168.1.2:443
iptables -I FORWARD -p tcp -d 192.168.1.2 --dport 443 -j ACCEPT
If you want to restrict the source IP (a question that is asked a lot on the forums), add -s 123.45.67.89 to one of your rules (replacing the IP address with the real one of course).
iptables -t nat -I PREROUTING -p tcp -s 123.45.67.89 -d $(nvram get wan_ipaddr) --dport 443 -j DNAT --to 192.168.1.2:443
iptables -I FORWARD -p tcp -d 192.168.1.2 --dport 443 -j ACCEPT
This should make it so that only one IP address is able to access your forwarded port from the Internet.
In order for me to get this to work (v.24) I needed to put the "-s 123.45.67.89" in the "iptables -I FORWARD" command also. When it was in the PREROUTING command only, I was still able to access the internal resource from any IP address!
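Every rule set above relies on two things that are easy to get wrong: iptables evaluates a chain top to bottom and the first matching terminal target wins, and -I CHAIN n inserts at position n, so a later -I FORWARD 1 pushes everything already there down by one. The simulator below is an added example, not iptables code and not from the original post: it models just enough of the FORWARD chain (protocol, source, destination, destination ports, conntrack state) to replay the post's "block all except HTTP/HTTPS/FTP", outgoing-SMTP and 443 port-forward rules against constructed packets. It assumes that dd-wrt's logaccept/logdrop chains end in ACCEPT/DROP after logging, and all packet values are made up for the illustration.

```python
import ipaddress

# Terminal targets; logaccept/logdrop are dd-wrt chains assumed here to log
# and then ACCEPT/DROP.
TERMINAL = {"ACCEPT": "ACCEPT", "DROP": "DROP", "REJECT": "REJECT",
            "logaccept": "ACCEPT", "logdrop": "DROP"}


def rule(target, proto=None, src=None, dst=None, dports=None, states=None):
    """One iptables rule as a dict; src/dst take '1.2.3.4' or '1.2.3.0/24'."""
    return {
        "target": target, "proto": proto,
        "src": ipaddress.ip_network(src, strict=False) if src else None,
        "dst": ipaddress.ip_network(dst, strict=False) if dst else None,
        "dports": set(dports) if dports else None,
        "states": set(states) if states else None,
    }


def insert(chain, position, r):
    """Emulate 'iptables -I CHAIN position ...': a 1-based insert."""
    chain.insert(position - 1, r)


def matches(r, pkt):
    if r["proto"] and pkt["proto"] != r["proto"]:
        return False
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    if r["dst"] and ipaddress.ip_address(pkt["dst"]) not in r["dst"]:
        return False
    if r["dports"] and pkt.get("dport") not in r["dports"]:
        return False
    if r["states"] and pkt.get("state") not in r["states"]:
        return False
    return True


def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule wins; otherwise fall through to the chain policy.
    Returns (verdict, rule_number) with rule_number None for the policy."""
    for n, r in enumerate(chain, 1):
        if matches(r, pkt):
            return TERMINAL[r["target"]], n
    return policy, None


def build_forward_chain():
    """The post's 'block all except HTTP/HTTPS/FTP' rules followed by its
    outgoing-SMTP rules, inserted in the order the post gives them."""
    chain = []
    insert(chain, 1, rule("ACCEPT", proto="tcp", dports=[21, 80, 443]))
    insert(chain, 2, rule("ACCEPT", states=["ESTABLISHED", "RELATED"]))
    insert(chain, 3, rule("DROP"))
    # These later inserts at 1 and 2 push the three rules above down to 3..5.
    insert(chain, 1, rule("ACCEPT", proto="tcp", src="192.168.1.2", dports=[25]))
    insert(chain, 2, rule("REJECT", proto="tcp", src="192.168.1.1/24", dports=[25]))
    return chain


def build_port_forward_chain(restrict_src=None):
    """The FORWARD half of the 443 port-forward, with or without '-s'."""
    chain = []
    insert(chain, 1, rule("ACCEPT", proto="tcp", src=restrict_src,
                          dst="192.168.1.2", dports=[443]))
    insert(chain, 2, rule("DROP"))
    return chain


# Constructed sample packets (not captures from the original post).
PACKETS = {
    "lan_https":  {"proto": "tcp", "src": "192.168.1.20", "dst": "198.51.100.5", "dport": 443, "state": "NEW"},
    "mail_ok":    {"proto": "tcp", "src": "192.168.1.2", "dst": "198.51.100.25", "dport": 25, "state": "NEW"},
    "mail_other": {"proto": "tcp", "src": "192.168.1.50", "dst": "198.51.100.25", "dport": 25, "state": "NEW"},
    "dns_new":    {"proto": "udp", "src": "192.168.1.20", "dst": "198.51.100.53", "dport": 53, "state": "NEW"},
    "dns_reply":  {"proto": "udp", "src": "198.51.100.53", "dst": "192.168.1.20", "dport": 40000, "state": "ESTABLISHED"},
}


def run_all():
    """Verdict and matching rule number for every sample packet."""
    chain = build_forward_chain()
    return {name: verdict(chain, pkt) for name, pkt in PACKETS.items()}


def port_forward_verdicts():
    """Show that without '-s' the FORWARD rule admits any Internet source."""
    from_other = {"proto": "tcp", "src": "203.0.113.9", "dst": "192.168.1.2", "dport": 443, "state": "NEW"}
    from_allowed = dict(from_other, src="123.45.67.89")
    return {
        "any_src_unrestricted": verdict(build_port_forward_chain(), from_other)[0],
        "any_src_restricted": verdict(build_port_forward_chain("123.45.67.89"), from_other)[0],
        "allowed_src_restricted": verdict(build_port_forward_chain("123.45.67.89"), from_allowed)[0],
    }


if __name__ == "__main__":
    for name, (v, n) in run_all().items():
        print(f"{name:12} -> {v} (rule {n})")
    print(port_forward_verdicts())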
Sunday, August 7, 2011
Redirecting a URL to a different port with and without conditions
Redirecting a URL to a specific port is a question that had me scratching my head one day. Someone had a login
page, for example login.html. To enhance security they later decided to set up another server that listened on
a nonstandard port (8080) and move the login page there. To implement this they needed URL and port
redirection. This is how the port redirection can be done:
--------------------------------------------------------------------------------------------------------
RewriteEngine On
RewriteCond %{THE_REQUEST} ^[a-z]{3,9}\ /login\.html\ HTTP/ [NC]
RewriteRule ^.*login\.html$ http://secure1.example.com:8080/ [R=301,L]
--------------------------------------------------------------------------------------------------------
For use in .htaccess, if it is not set globally or for the root directory of your domain, be sure to set
Options +Indexes +FollowSymLinks as needed before the RewriteEngine On directive.
Also, depending on your server configuration you may need to use RewriteBase. Typical usage is RewriteBase /
placed just after the RewriteEngine On directive. Further details on RewriteBase are provided in a previous section.
This example is very similar to the "How to redirect your home page" example above, except that here RewriteRule and
RewriteCond match login.html. Note that the RewriteCond ensures that the target of the GET is login.html in
the root directory of the domain only. If such a strict interpretation is not required you can remove the RewriteCond
statement. The port redirection itself is specified by the :8080 in the second argument to RewriteRule.
TIP!
You can get even more creative by modifying the RewriteCond to use HTTP_USER_AGENT in place of THE_REQUEST,
negating the second argument and then specifying a regex for, say, msnbot, Slurp or Googlebot. This would cause
the redirection to occur except when a search bot is requesting. This is useful because bots can't log in, so this would
be a method to provide crawlable content that otherwise would not get indexed.
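Because the RewriteCond carries [NC] while the RewriteRule does not, and because THE_REQUEST includes the query string, the rule set above redirects fewer requests than a quick reading suggests. The script below is an added example, not part of the original post or of mod_rewrite: it applies the post's two regexes with Python's re module to constructed request lines, models the per-directory .htaccess case (RewriteRule sees the path without the leading slash or query string), and implements the TIP's user-agent variant as a separate function. The function names, the sample requests and the bot regex are assumptions made for the illustration.

```python
import re

# Regexes copied from the post's RewriteCond and RewriteRule; [NC] -> IGNORECASE.
REWRITE_COND = re.compile(r"^[a-z]{3,9}\ /login\.html\ HTTP/", re.IGNORECASE)
REWRITE_RULE = re.compile(r"^.*login\.html$")
TARGET = "http://secure1.example.com:8080/"
# Assumed bot pattern for the TIP's HTTP_USER_AGENT condition.
BOT_RE = re.compile(r"msnbot|Slurp|Googlebot")


def path_from_request(request_line):
    """URL-path as a per-directory RewriteRule sees it in the root .htaccess:
    no leading slash and no query string."""
    url = request_line.split(" ")[1]
    return url.split("?", 1)[0].lstrip("/")


def rewrite(request_line, use_cond=True):
    """Return (301, TARGET) when the post's rule set redirects the request,
    else None. use_cond=False models removing the RewriteCond line."""
    if use_cond and not REWRITE_COND.search(request_line):
        return None
    if REWRITE_RULE.search(path_from_request(request_line)):
        return 301, TARGET
    return None


def rewrite_bot_aware(request_line, user_agent):
    """The TIP: RewriteCond %{HTTP_USER_AGENT} !(msnbot|Slurp|Googlebot)
    in place of the THE_REQUEST condition, so crawlers are not redirected."""
    if BOT_RE.search(user_agent):
        return None
    if REWRITE_RULE.search(path_from_request(request_line)):
        return 301, TARGET
    return None


# Constructed request lines (not from the original post).
SAMPLE_REQUESTS = [
    "GET /login.html HTTP/1.1",
    "GET /LOGIN.HTML HTTP/1.1",          # cond is [NC], the rule is not
    "GET /members/login.html HTTP/1.1",  # not the root directory
    "GET /login.html?next=/x HTTP/1.1",  # query string breaks the cond
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req:36} strict={rewrite(req)}  no-cond={rewrite(req, use_cond=False)}")
    print(rewrite_bot_aware("GET /login.html HTTP/1.1", "Mozilla/5.0 (compatible; Googlebot/2.1)"))
```

The second and fourth sample lines are the ones to look at: if users reach the login page with a query string or a differently cased path, they stay on the old server, which defeats the point of moving it. Dropping the RewriteCond, or adding [NC] to the RewriteRule, closes those gaps.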
Friday, August 5, 2011
Configure a remote database connection for Fantastico and Softlocus
Fantastico
Go to /usr/local/cpanel/3rdparty/fantastico/include
touch mysqlconfig.local.php ; chmod 755 mysqlconfig.local.php
Add the lines below to the newly created file.
Softlocus
Go to "remote Mysql server setup", add the remote DB IP, select the "password" radio button, enter the root password of your DB server, then save.