Government transformation and demand for Linux expertise

IT is changing organizations across the globe, impacting enterprises, governments and the wider public sector. Open source in particular is a driver in innovation, giving organizations a competitive edge and an ability to scale and adapt to changing market demands.

According to the 2014 Linux Jobs Report, demand for Linux expertise continues to grow, with hiring managers across a number of industries citing Linux talents as one of the top recruitment priorities this year.

Governments are also a key industry for Linux talent

Unsurprisingly, with more government IT transformation projects under way in Asia Pacific, the need to reinvest in government employees’ skills is also on the rise. This may be due to legacy systems, often built on proprietary platforms and supported by IT teams with skill sets limited by the technologies they had to maintain.

In an interview on this topic, Harish Pillay shared the example of the Lotus Notes system, which was adopted by governments throughout Southeast Asia over the past 20 years. When the time came for these governments to move to a new and more capable platform, they had to conduct extensive staff retraining for the new tool. Of course, this led to climbing expenditure given the need for new training.

With proprietary systems like Lotus Notes, there is a need to keep learning fixed and limited skills to support proprietary, vendor-specific setups. Open source knowledge (Linux training) is, generally, highly transferable and can be applied to almost any Linux platform.

This type of interoperability between systems and skills will become a key consideration, for governments and enterprises alike, to ensure that adopting new technologies is as simple and cost-efficient as possible.

Increasing demand for Linux jobs

Hiring managers in both governments and enterprises are bolstering Linux talent plans, according to the 2014 Linux Jobs Report. This report is assembled from a survey of 1,100 hiring managers and 4,000 professionals within the Linux space.

In fact, the demand for Linux expertise is so high that salaries are being driven above industry norms, in turn causing these Linux professionals to identify Linux knowledge as a career-advancing tool.

President of technology for professional website Dice, Shravan Goli, explained that enterprises are increasingly describing Linux as core to the business.

“In turn, hiring managers are turning up the dial on the incentives offered to technology talent with Linux skills. These professionals are working on projects tightly aligned with a future vision of what enterprises look like,” he said.

Growth in APAC IT talent

The Singaporean government appears to understand the need for local initiatives and frameworks, as the new fair consideration framework has led to increased competition for local IT talent.

This is according to recruiting expert Hays, which also announced a list of the IT skills presently in demand.

“Due to a limited talent pool in the storage, security, cloud or hosted domains, the market is also facing a shortage of technically skilled pre-sales people,” said Regional Director of Hays in Singapore and Malaysia, Chris Mead. He explained that service management, cloud architecture and process and quality specialist roles were also in high demand.

“We expect the supply shortage of these professionals to continue as businesses are consistently evaluating their IT operations to enable optimal efficiency and a continual improvement of their IT services.”

Conclusion

As governments and enterprises increasingly undertake transformation projects with new open source technologies, the demand for Linux expertise will no doubt mirror these trends.

It is important that IT professionals find the appropriate training that will prove to be a long-term asset to them and their organizations. On the other side of this transformation, governments should consider local initiatives to support Linux training programs, thus growing the skill base for Linux and other open source standards.

How to Setup Bind DNS Server in Chroot Jail on CentOS 7

BIND (Berkeley Internet Name Daemon), also known as named, is the most widely used Linux DNS server on the Internet.

This tutorial explains how to set up BIND DNS in a chroot jail on CentOS 7, so that the named process cannot see any part of the filesystem outside the jail. In this post I will configure BIND to run chrooted to the directory /var/named/chroot/.

To BIND, the contents of this directory will appear to be /, the root directory. A "jail" is a software mechanism for limiting a process's ability to access resources outside a very limited area, and its purpose is to enhance security.

Unlike with earlier versions of BIND, you typically will not need to compile named statically nor install shared libraries under the new root.

The chroot environment initialization script mounts the BIND configuration files using mount --bind, so that you can manage the configuration outside this environment. There is no need to copy anything into the /var/named/chroot/ directory because it is mounted automatically. This simplifies maintenance, since you do not need to take any special care of BIND configuration files when it runs in a chroot environment. You can organize everything as you would with BIND not running in a chroot environment.

The chrooted BIND DNS server is configured by default to use /var/named/chroot. Follow these complete steps to implement a chrooted BIND DNS server on a CentOS 7 virtual private server (VPS).

Setup Bind DNS Server in Chroot Jail on CentOS 7

1. Install Bind Chroot DNS server :

# yum install bind-chroot -y

2. To enable the named-chroot service, first check whether the named service is running by issuing the following command:

# systemctl status named

If it is running, it must be disabled.
To disable named, issue the following commands as root:

# systemctl stop named
# systemctl disable named

3. Initialize the /var/named/chroot environment by running:

# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
# systemctl stop named
# systemctl disable named
# systemctl start named-chroot
# systemctl enable named-chroot
ln -s '/usr/lib/systemd/system/named-chroot.service' '/etc/systemd/system/multi-user.target.wants/named-chroot.service'

The configuration directories and files are automatically mounted into the /var/named/chroot/ directory if the corresponding mount point directories underneath /var/named/chroot/ are empty. The listings below show the result.

Verify the chroot environment:

# ll /var/named/chroot/etc
total 28
-rw-r--r-- 1 root root   372 Dec  1 23:04 localtime
drwxr-x--- 2 root named 4096 Nov 22 01:28 named
-rw-r----- 1 root named 1705 Mar 22  2016 named.conf
-rw-r--r-- 1 root named 2389 Nov 22 01:28 named.iscdlv.key
-rw-r----- 1 root named  931 Jun 21  2007 named.rfc1912.zones
-rw-r--r-- 1 root named  487 Jul 19  2010 named.root.key
drwxr-x--- 3 root named 4096 Jan  4 22:12 pki
# ll /var/named/chroot/var/named
total 32
drwxr-x--- 7 root  named 4096 Jan  4 22:12 chroot
drwxrwx--- 2 named named 4096 Nov 22 01:28 data
drwxrwx--- 2 named named 4096 Nov 22 01:28 dynamic
-rw-r----- 1 root  named 2076 Jan 28  2013 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named 4096 Nov 22 01:28 slaves

4. Create the BIND runtime files inside the chrooted directory:

# touch /var/named/chroot/var/named/data/cache_dump.db
# touch /var/named/chroot/var/named/data/named_stats.txt
# touch /var/named/chroot/var/named/data/named_mem_stats.txt
# touch /var/named/chroot/var/named/data/named.run
# mkdir -p /var/named/chroot/var/named/dynamic
# touch /var/named/chroot/var/named/dynamic/managed-keys.bind

5. BIND must be able to write its lock, statistics and managed-keys files, so make these directories writable as below:

# chmod -R 777 /var/named/chroot/var/named/data
# chmod -R 777 /var/named/chroot/var/named/dynamic
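The directories in step 4 only need to be writable by the group that named runs as (the listing above already shows them as named:named with mode 770), so chmod -R 777 opens them to every local user for no gain. The script below is an added example, not part of the original post: it creates the same files with least-privilege ownership and includes the check that would flag a world-writable path. The chroot root and group are parameters (on a real host: prepare_named_dirs /var/named/chroot named) so it can be exercised in a scratch directory.

```sh
#!/bin/sh
# Added example, not from the original post: lay out the writable BIND
# chroot paths from step 4 with least-privilege permissions instead of
# "chmod -R 777". $1 is the chroot root, $2 the group named runs as.

prepare_named_dirs() {
    root="$1"   # e.g. /var/named/chroot
    grp="$2"    # e.g. named

    for d in "$root/var/named/data" "$root/var/named/dynamic"; do
        mkdir -p "$d" || return 1
        # named writes here; nobody outside its group needs any access
        chgrp "$grp" "$d" && chmod 0770 "$d" || return 1
    done

    for f in data/cache_dump.db data/named_stats.txt \
             data/named_mem_stats.txt data/named.run \
             dynamic/managed-keys.bind; do
        touch "$root/var/named/$f" || return 1
        chgrp "$grp" "$root/var/named/$f" && chmod 0660 "$root/var/named/$f" || return 1
    done
}

# Symbolic mode of a path, e.g. drwxrwx---, without the GNU-only stat -c.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeed only if nothing under the chroot's var/named is world-writable;
# this is the check that fails after a chmod -R 777.
check_no_world_writable() {
    [ -z "$(find "$1/var/named" -perm -0002)" ]
}
```

Run check_no_world_writable /var/named/chroot after step 5; if it fails, the data or dynamic tree is writable by every local account, which is more than the lock file needs.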

6. Copy /etc/named.conf into the chrooted BIND configuration directory:

# cp -p /etc/named.conf /var/named/chroot/etc/named.conf

7. Configure the main BIND configuration in named.conf (the chrooted copy is edited here). Append the example.local zone information to the file:

# vi /var/named/chroot/etc/named.conf

Define the forward and reverse zones in named.conf:

..
..
zone "example.local" {
    type master;
    file "example.local.zone";
};

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
};
..
..

Full named.conf configuration:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "example.local" {
    type master;
    file "example.local.zone";
};

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
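The options block above listens on every address, answers queries from anyone and has recursion enabled, which is exactly the open-resolver combination its own comment warns about. The script below is an added example, not from the original post: a check that flags that combination in a named.conf, beside a restricted options block that keeps recursion for the LAN only. The 192.168.0.0/24 network and the 192.168.0.70 address are taken from the post's zone data; the "trusted" ACL name is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post: detect the open recursive
# resolver combination (recursion yes + listen-on any + allow-query any)
# and show a restricted options block next to it.

# Succeed when the file enables recursion for every client on every address.
is_open_resolver() {
    f="$1"
    grep -Eq '^[[:space:]]*recursion[[:space:]]+yes[[:space:]]*;' "$f" &&
    grep -Eq '^[[:space:]]*listen-on[[:space:]]+port[[:space:]]+53[^;]*any;' "$f" &&
    grep -Eq '^[[:space:]]*allow-query[^;]*any;' "$f"
}

# The post's options block reduced to the three relevant directives
# (constructed sample input).
open_resolver_options() {
    cat <<'EOF'
options {
        listen-on port 53 { any; };
        allow-query     { any; };
        recursion yes;
};
EOF
}

# Same server, but recursion only for the LAN, no listener on
# unexpected addresses, and no zone transfers to arbitrary hosts.
# "trusted" is an assumed ACL name.
restricted_options() {
    cat <<'EOF'
acl "trusted" { 127.0.0.1; ::1; 192.168.0.0/24; };

options {
        listen-on port 53 { 127.0.0.1; 192.168.0.70; };
        allow-query     { trusted; };
        allow-recursion { trusted; };
        recursion yes;
        allow-transfer  { none; };
};
EOF
}
```

Run is_open_resolver /var/named/chroot/etc/named.conf before starting named-chroot; a match on a host with a public address is the amplification case the comment in the options block describes, and the restricted block is the shape of the fix.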

8. Create the forward and reverse zone files for the domain example.local.

a) Create the forward zone:

# vi /var/named/chroot/var/named/example.local.zone

Add the following and save :

;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     example.local. hostmaster.example.local. (
                               2014101901      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

;       Define the nameservers and the mail servers

               IN      NS      ns1.example.local.
               IN      NS      ns2.example.local.
               IN      A       192.168.0.70
               IN      MX      10 mx.example.local.

centos7          IN      A       192.168.0.70
mx               IN      A       192.168.0.50
ns1              IN      A       192.168.0.70
ns2              IN      A       192.168.0.80

b) Create the reverse zone:

# vi /var/named/chroot/var/named/192.168.0.zone
;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     example.local. hostmaster.example.local. (
                               2014101901      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

0.168.192.in-addr.arpa. IN      NS      centos7.example.local.

50.0.168.192.in-addr.arpa. IN PTR mx.example.local.
70.0.168.192.in-addr.arpa. IN PTR ns1.example.local.
80.0.168.192.in-addr.arpa. IN PTR ns2.example.local.
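Forward and reverse zones drift apart easily (a host moves, only the A record is updated), and a PTR that points at a name whose A record resolves elsewhere breaks forward-confirmed reverse DNS checks on mail servers. The script below is an added example, not part of the original post: an awk cross-check of A records against PTR records. Its sample zones are constructed inline from the post's example.local data and deliberately keep one bad PTR (.70 claimed for mx, whose A record is .50) so the check has something to report.

```sh
#!/bin/sh
# Added example, not from the original post: cross-check a forward zone's
# A records against the PTR records in its reverse zone.

# Constructed from the post's example.local forward zone.
sample_forward_zone() {
    cat <<'EOF'
$TTL 86400
@       IN      SOA     example.local. hostmaster.example.local. (
                               2014101901 ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum
               IN      NS      ns1.example.local.
               IN      A       192.168.0.70
centos7        IN      A       192.168.0.70
mx             IN      A       192.168.0.50
ns1            IN      A       192.168.0.70
ns2            IN      A       192.168.0.80
EOF
}

# Constructed reverse zone; the mx PTR is deliberately wrong (.70, not .50).
sample_reverse_zone() {
    cat <<'EOF'
$TTL 86400
@       IN      SOA     example.local. hostmaster.example.local. (
                               2014101901 ; Serial
                               43200 3600 3600000 2592000 )
0.168.192.in-addr.arpa.    IN NS  centos7.example.local.
70.0.168.192.in-addr.arpa. IN PTR mx.example.local.
70.0.168.192.in-addr.arpa. IN PTR ns1.example.local.
80.0.168.192.in-addr.arpa. IN PTR ns2.example.local.
EOF
}

# Print every PTR whose target has no matching A record, then the count.
# $1 forward zone file, $2 reverse zone file, $3 origin with trailing dot.
count_ptr_mismatches() {
    awk -v origin="$3" '
        # first file: remember owner -> address for each A record
        FNR == NR {
            if ($2 == "IN" && $3 == "A") a[$1 "." origin] = $4
            next
        }
        # second file: rebuild the address from the in-addr.arpa owner
        $2 == "IN" && $3 == "PTR" {
            split($1, o, ".")
            ip = o[4] "." o[3] "." o[2] "." o[1]
            if (!($4 in a) || a[$4] != ip) {
                bad++
                printf "MISMATCH %s -> %s (A record says %s)\n", $1, $4, (($4 in a) ? a[$4] : "none")
            }
        }
        END { print bad + 0 }
    ' "$1" "$2"
}
```

On a live server run it against the two files under /var/named/chroot/var/named with the origin example.local.; the last line of output is the number of PTR records that disagree with the forward zone, and zero is the only acceptable result before the zones go into service.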

How to Change Hostname on CentOS 7.0/RHEL 7.0

Q. I have a CentOS 7.0 virtual private server, but the default hostname is still localhost.localdomain. How do I change the hostname to my preferred hostname or FQDN?

[root@localhost ~]# hostname
localhost.localdomain

A. There are four (4) methods to change the hostname on CentOS 7.0/RHEL 7.0.

Method 1
1. Log in to your VPS as root.
2. Type hostname followed by the new hostname.

As example :

[root@localhost ~]# hostname mynewhostname.local
[root@localhost ~]# hostname
mynewhostname.local

Note: this change will be lost after a reboot.

Method 2
1. Log in to your VPS as root.
2. Use the hostnamectl set-hostname command to change the current hostname:

As example :

[root@localhost ~]# hostnamectl set-hostname ns1.e-coupondeals.com

3. Restart the systemd-hostnamed daemon to reflect the changes permanently :

[root@localhost ~]# systemctl restart systemd-hostnamed

4. Check the new hostname :

[root@localhost ~]# hostnamectl status
   Static hostname: ns1.e-coupondeals.com
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 72863e389b584a4dab36fae7f3bffda2
           Boot ID: 1cf2f4b5478649549916c0a5bd5d2414
    Virtualization: xen
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.15.4-x86_64-linode45
      Architecture: x86_64

Method 3
1. Log in to your VPS as root.
2. Edit /etc/hostname with your favourite text editor, replacing localhost.localdomain with your preferred hostname or FQDN:

[root@ns1 ~]# vi /etc/hostname

Edit it to the following, as an example:

ns1.e-coupondeals.com

3. Log in again by opening another PuTTY session and check the hostname:

[root@ns1 ~]# hostname
ns1.e-coupondeals.com

Method 4
1. Log in to your VPS as root.
2. Type nmtui in the terminal:

[root@ns1 ~]# nmtui

3. A text user interface will appear.

4. Using the arrow keys, select Set system hostname and use Tab to select OK.

5. A confirmation message will appear; press OK to complete.

How to Perform an SMTP Test Command in Linux

Q. I just installed Postfix on my Linux virtual private server (VPS), but I am not sure how to verify the SMTP service and perform an SMTP test to ensure that email delivery is working.

A. In Linux, you can send email, perform an SMTP test and diagnose email errors through the telnet command:

As an example :

[root@localhost ~]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 localhost.localdomain ESMTP Postfix
helo abc.com
250 localhost.localdomain
mail from:user@scriptsmy.com
250 2.1.0 Ok
rcpt to:ehowstufff@gmail.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: test Email From Scriptsmy.com
Hi,

This is just test email.

regards,
.
250 2.0.0 Ok: queued as A0E013CC6
quit
221 2.0.0 Bye

Type commands 1 to 7 in order:
Command 1 :

[root@localhost ~]# telnet localhost 25

Command 2 :

helo abc.com

Command 3 :

mail from:user@scriptsmy.com

Command 4 :

rcpt to:ehowstufff@gmail.com

Command 5 :

data

Command 6 :

Subject: test Email From Scriptsmy.com
Hi,

This is just test email.

regards,
.

Command 7 :

quit

Check the status in the maillog:

[root@localhost ~]# tail -f /var/log/maillog
Oct 18 06:01:49 localhost postfix/cleanup[20296]: A0E013CC6: message-id=<20141018060058.A0E013CC6@localhost.localdomain>
Oct 18 06:01:49 localhost postfix/qmgr[20267]: A0E013CC6: from=<user@scriptsmy.com>, size=401, nrcpt=1 (queue active)
Oct 18 06:01:50 localhost postfix/smtp[20318]: A0E013CC6: to=<ehowstufff@gmail.com>, relay=gmail-smtp-in.l.google.com[2607:f8b0:4003:c05::1a]:25, delay=76, delays=75/0.01/0.12/1.3, dsn=2.0.0, status=sent (250 2.0.0 OK 1413612110 yv8si3312807oeb.10 - gsmtp)
Oct 18 06:01:50 localhost postfix/qmgr[20267]: A0E013CC6: removed
Oct 18 06:01:53 localhost postfix/smtpd[20293]: disconnect from localhost[::1]
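The "250 2.0.0 Ok: queued as A0E013CC6" reply only means Postfix accepted the message; whether it was delivered is decided later by the smtp client process, and that is what the maillog records. The script below is an added example, not from the original post: it correlates a queue ID with its delivery line and lists any message that did not go out. The log lines are constructed inline from the post's own entries plus one made-up deferred delivery (queue ID B1F2A3D4E5 and example.invalid are placeholders) so both outcomes are exercised.

```sh
#!/bin/sh
# Added example, not from the original post: confirm delivery of a test
# message by correlating the queue ID Postfix returned with /var/log/maillog.

# Constructed sample: the post's lines plus one invented deferred delivery.
sample_maillog() {
    cat <<'EOF'
Oct 18 06:01:49 localhost postfix/cleanup[20296]: A0E013CC6: message-id=<20141018060058.A0E013CC6@localhost.localdomain>
Oct 18 06:01:49 localhost postfix/qmgr[20267]: A0E013CC6: from=<user@scriptsmy.com>, size=401, nrcpt=1 (queue active)
Oct 18 06:01:50 localhost postfix/smtp[20318]: A0E013CC6: to=<ehowstufff@gmail.com>, relay=gmail-smtp-in.l.google.com[2607:f8b0:4003:c05::1a]:25, delay=76, delays=75/0.01/0.12/1.3, dsn=2.0.0, status=sent (250 2.0.0 OK 1413612110 yv8si3312807oeb.10 - gsmtp)
Oct 18 06:01:50 localhost postfix/qmgr[20267]: A0E013CC6: removed
Oct 18 06:07:12 localhost postfix/smtp[20340]: B1F2A3D4E5: to=<someone@example.invalid>, relay=none, delay=0.4, delays=0.1/0/0.3/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=example.invalid type=MX: Host not found, try again)
EOF
}

# Print "status dsn relay" for the SMTP delivery attempt of one queue ID
# ($1 log file, $2 queue ID), or nothing if the log has no such line.
delivery_status() {
    log="$1"; qid="$2"
    grep "postfix/smtp\[[0-9]*]: $qid: to=" "$log" |
    sed -E 's/.*relay=([^,]*),.*dsn=([0-9.]+), status=([a-z]+).*/\3 \2 \1/' |
    tail -n 1
}

# Print the queue IDs of every message that was deferred or bounced.
undelivered_queue_ids() {
    grep -E 'status=(deferred|bounced)' "$1" |
    sed -E 's/.*: ([0-9A-F]+): to=.*/\1/' |
    sort -u
}
```

After the telnet session, delivery_status /var/log/maillog A0E013CC6 should print a line beginning with "sent 2.0.0"; anything starting with "deferred" or "bounced" means the remote side did not take the message, and the dsn code and the text in parentheses in the log line say why.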

How to Setup Varnish 3.0 in Front of Nginx, PHP5.4 (PHP-FPM)

In the previous post, I described the steps to set up a web server running Nginx and PHP 5.4 (PHP-FPM); that setup works well with a WordPress site. This article describes how to speed up the existing NGINX + PHP web server with the popular web accelerator Varnish Cache, also known as a caching HTTP reverse proxy. Varnish serves cached copies of pages to visitors, which reduces CPU time, database requests and file lookups. These steps to set up Varnish have been tested on CentOS 6, CentOS 7, Oracle Linux 7 and RHEL 7.

Setup Varnish in front of Nginx

Varnish is an HTTP accelerator that can run alongside either the Apache or the Nginx web server. In this tutorial I will set up Varnish to listen on port 80 while NGINX listens on port 8080.

Benefits of Varnish

1. Reduces server CPU load and time
2. Increases website load speed
3. Handles a large number of website visitors
4. Supports load balancing

How to Setup Varnish

1. Set up Nginx and PHP 5.4 (PHP-FPM) as the web server, as described in the earlier tutorial.

2. Install varnish :

[root@vps ~]# wget https://repo.varnish-cache.org/redhat/varnish-3.0/el6/noarch/varnish-release/varnish-release-3.0-1.el6.noarch.rpm
[root@vps ~]# rpm -Uvh varnish-release-3.0-1.el6.noarch.rpm
[root@vps ~]# yum install varnish -y

3. Configure and setup Varnish :

The configuration below for /etc/sysconfig/varnish and /etc/varnish/default.vcl makes NGINX the backend server on localhost port 8080, while Varnish runs in front of it listening on port 80.

a. Modify /etc/sysconfig/varnish :

[root@vps ~]# vim /etc/sysconfig/varnish

Add the following. If your VPS runs on an SSD, you can use the file-backed varnish_storage cache shown here instead of memory (-s malloc):

..
..
DAEMON_OPTS="-a :80 \
             -T localhost:6082 \
             -f /etc/varnish/default.vcl \
             -u varnish -g varnish \
             -S /etc/varnish/secret \
             -p thread_pool_add_delay=2 \
             -p thread_pools=2 \
             -p thread_pool_min=400 \
             -p thread_pool_max=4000 \
             -p session_linger=50 \
             -p sess_workspace=262144 \
             -s file,/var/lib/varnish/varnish_storage.bin,512m"
..
..
VARNISH_LISTEN_PORT=80
..
..

b. Modify /etc/varnish/default.vcl :

[root@vps ~]# vim /etc/varnish/default.vcl

Add the following:

backend default {
    .host = "127.0.0.1";
    .port = "8080";
    .connect_timeout = 600s;
    .first_byte_timeout = 600s;
    .between_bytes_timeout = 600s;
    .max_connections = 800;
}

acl purge {
    "127.0.0.1";
}

sub vcl_recv {

    # Allow purge requests
    if (req.request == "PURGE") {
        if (!client.ip ~ purge) {
            error 405 "Not allowed.";
        }
        ban("req.url ~ ^" + req.url + " && req.http.host == " + req.http.host);
        return(lookup);
    }

    # Add header for sending client ip to backend
    set req.http.X-Forwarded-For = client.ip;

    # Normalize content-encoding
    if (req.http.Accept-Encoding) {
        if (req.url ~ "\.(jpg|png|gif|gz|tgz|bz2|lzma|tbz)(\?.*|)$") {
            remove req.http.Accept-Encoding;
        } elsif (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            remove req.http.Accept-Encoding;
        }
    }

    # Remove cookies and query string for real static files
    if (req.url ~ "^/[^?]+\.(gif|jpg|jpeg|swf|css|js|txt|flv|mp3|mp4|pdf|ico|png|gz|zip|lzma|bz2|tgz|tbz)(\?.*|)$") {
        unset req.http.cookie;
        set req.url = regsub(req.url, "\?.*$", "");
    }

    # Don't cache admin
    if (req.url ~ "((wp-(login|admin|comments-post.php|cron.php))|login)" || req.url ~ "preview=true" || req.url ~ "xmlrpc.php") {
        return (pass);
    } else {
        unset req.http.cookie;
    }
}

sub vcl_hit {
    # purge cached objects from memory
    if (req.request == "PURGE") {
        purge;
        error 200 "Purged";
    }
}

sub vcl_miss {
    # purge cached object variants from memory
    if (req.request == "PURGE") {
        purge;
        error 404 "Purged variants";
    }
}

sub vcl_fetch {
    # Don't cache admin
    if (req.url ~ "(wp-(login|admin|comments-post.php|cron.php))|login" || req.url ~ "preview=true" || req.url ~ "xmlrpc.php") {
        return (deliver);
    } else {
        if ( beresp.ttl > 0s ) {
            unset beresp.http.set-cookie;
        }
    }
}

sub vcl_deliver {

    # Remove unnecessary headers
    remove resp.http.Server;
    remove resp.http.X-Powered-By;
    remove resp.http.X-Varnish;
    remove resp.http.Via;

    # DIAGNOSTIC HEADERS
    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
    } else {
        set resp.http.X-Cache = "MISS";
    }
}
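Two things are worth confirming once this VCL is loaded: that requests on port 80 really pass through Varnish (the X-Cache header is present) and that vcl_deliver stripped the version-disclosing headers nginx and PHP-FPM add. The script below is an added example, not from the original post: it runs that check over a saved response-header dump. The two header sets are constructed samples (one as the backend emits on port 8080, one as Varnish should return on port 80, with invented version strings); for a live check capture curl -sI http://www.example.com/ to a file and pass that file.

```sh
#!/bin/sh
# Added example, not from the original post: verify from a response header
# dump that Varnish fronts the site and that the vcl_deliver rules removed
# the disclosure headers.

DISCLOSURE_HEADERS='Server X-Powered-By X-Varnish Via'

# Constructed sample: what nginx/PHP-FPM answer directly on port 8080.
backend_headers() {
    cat <<'EOF'
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Sat, 18 Oct 2014 06:01:49 GMT
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.4.33
EOF
}

# Constructed sample: the same page as Varnish should return on port 80.
varnish_headers() {
    cat <<'EOF'
HTTP/1.1 200 OK
Date: Sat, 18 Oct 2014 06:01:49 GMT
Content-Type: text/html; charset=UTF-8
X-Cache: HIT
Age: 12
EOF
}

# Print each disclosure header still present in the header dump $1.
leaked_headers() {
    for h in $DISCLOSURE_HEADERS; do
        grep -iq "^$h:" "$1" && echo "$h"
    done
    return 0
}

# Succeed only if the response carries Varnish's X-Cache marker and
# none of the disclosure headers survived.
fronted_and_clean() {
    grep -Eiq '^X-Cache: (HIT|MISS)' "$1" && [ -z "$(leaked_headers "$1")" ]
}
```

A dump taken from port 80 that still lists Server or X-Powered-By means the request bypassed Varnish (check the netstat output in step 6) or the vcl_deliver block was not loaded; a dump without X-Cache at all is the same symptom.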

4. Reconfigure NGINX to work with Varnish :

a. Configure default.conf :

[root@vps ~]# vim /etc/nginx/conf.d/default.conf

Add the following :

..
server {
    listen       127.0.0.1:8080;
    server_name  localhost;
..

b. Configure common.conf :

[root@vps ~]# vim /etc/nginx/conf.d/common.conf
..
..

listen 127.0.0.1:8080;
..
..

c. Configure Vhost for domain example.com :

[root@vps ~]# vim /etc/nginx/sites-available/example.com.conf

Change the listen directive to 127.0.0.1:8080:

server {
    listen       127.0.0.1:8080;
    server_name  example.com;
    rewrite ^/(.*)$ http://www.example.com/$1 permanent;
}
..

5. Restart NGINX, php-fpm and Varnish :

[root@vps ~]# service nginx restart; service php-fpm restart; service varnish restart

6. Make sure NGINX is listening on port 8080 and Varnish on port 80:

[root@vps ~]# netstat -plunt  | grep LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      3119/varnishd
tcp        0      0 127.0.0.1:8080              0.0.0.0:*                   LISTEN      3065/nginx

That's all.

How to Setup Nginx,PHP5.4, PHP-FPM, MySQL 5.5 On CentOS 6.5 VPS

This post shows the procedure to set up Nginx, PHP 5.4, PHP-FPM and MySQL 5.5 on a CentOS 6.5 virtual private server (VPS). You need to set up the required repositories: EPEL, Remi and the NGINX repo.

What is NGINX ?

NGINX is an alternative to the Apache web server. Nginx is an open source web server and reverse proxy for the HTTP, SMTP, POP3 and IMAP protocols. Many websites and web developers have moved to NGINX because it is scalable, uses few resources, handles many concurrent users and delivers good website performance. It is currently the third most popular web server in the world, serving just over 14% of all hostnames.

What is PHP(PHP-FPM) ?

PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language. PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites.

What is MySQL ?

MySQL is one of the most popular database servers on the Internet, especially for content management and blogging sites.

Steps to setup Nginx,PHP5.4, PHP-FPM, MySQL 5.5 On CentOS 6.5 VPS

1. Set up the EPEL and Remi repositories.
See the separate guides on preparing the EPEL repository and configuring the Remi repository on CentOS.

2. Install php 5.4, php-fpm and MySQL 5.5 Server :

[root@vps-08 ~]# yum --enablerepo=remi install php php-mysql php-fpm mysql mysql-server -y

3. Set up the repository for nginx:

[root@vps-08 ~]# vi /etc/yum.repos.d/nginx.repo

Add the following and save :

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
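With gpgcheck=0, yum installs whatever the mirror hands back without checking a signature, so a compromised mirror or an on-path tamperer on the plain-HTTP baseurl can substitute packages. The script below is an added example, not from the original post: it writes the same repo definition with signature checking enabled, using the signing key nginx publishes at nginx.org/keys/nginx_signing.key, and includes a check that lists any .repo file in a directory that still disables verification. The directory is a parameter so both functions can run against a scratch copy of /etc/yum.repos.d.

```sh
#!/bin/sh
# Added example, not from the original post: write the nginx repo with
# package signature checking on, and report repo files that turn it off.

# Write nginx.repo into directory $1 with gpgcheck enabled.
write_nginx_repo() {
    cat > "$1/nginx.repo" <<'EOF'
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
EOF
}

# Print the name of each .repo file in $1 that disables signature checks.
repos_without_gpgcheck() {
    for f in "$1"/*.repo; do
        [ -e "$f" ] || continue
        if grep -Eq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0' "$f"; then
            basename "$f"
        fi
    done
}
```

On the first yum install from the repo, yum fetches the key from the gpgkey URL and asks you to confirm its import; after that, any package whose signature does not verify against it is refused. repos_without_gpgcheck /etc/yum.repos.d is a quick audit of every repository already configured on the host, not only this one.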

4. Install and set up NGINX:
Run the following command to install NGINX.

[root@vps-08 ~]# yum install nginx -y

a. Set up the NGINX config file:

[root@vps-08 ~]# vi /etc/nginx/nginx.conf

Add the following and save:

user  nginx;
worker_processes  2;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    gzip  on;
    gzip_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;

    include /etc/nginx/sites-available/*.conf;

}

b. Create sites-available directory and create nginx virtual host for example.com domain :

[root@vps-08 ~]# mkdir /etc/nginx/sites-available
[root@vps-08 ~]# vi /etc/nginx/sites-available/example.com.conf

Add the following and save :

server {
    listen       80;
    server_name  example.com;
    rewrite ^/(.*)$ http://www.example.com/$1 permanent;
}

server {
        server_name www.example.com;
        root /var/www/html/example;
        access_log /var/log/nginx/example.com.access.log;
        error_log /var/log/nginx/example.com.error.log;
        include conf.d/common.conf;
        include conf.d/wordpress.conf;
        include conf.d/w3tc.conf;
}

c. Create these three configuration files. They are optimized for a WordPress site.

/etc/nginx/conf.d/common.conf
/etc/nginx/conf.d/wordpress.conf
/etc/nginx/conf.d/w3tc.conf

Create common.conf :

[root@vps-08 ~]# vi /etc/nginx/conf.d/common.conf

Add the following and save.

# Global configuration file.
# ESSENTIAL : Configure Nginx Listening Port
listen 80;
# ESSENTIAL : Default file to serve. If the first file isn't found,
index index.php index.html index.htm;
# ESSENTIAL : no favicon logs
location = /favicon.ico {
    log_not_found off;
    access_log off;
}
# ESSENTIAL : robots.txt
location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}
# ESSENTIAL : Configure 404 Pages
error_page 404 /404.html;
# ESSENTIAL : Configure 50x Pages
error_page 500 502 503 504 /50x.html;
location = /50x.html {
    root /usr/share/nginx/html;
}
# SECURITY : Deny all attempts to access hidden files .abcde
location ~ /\. {
    deny all;
}
# PERFORMANCE : Set expires headers for static files and turn off logging.
location ~* ^.+\.(js|css|swf|xml|txt|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
    access_log off; log_not_found off; expires 30d;
}

Configure wordpress.conf :

[root@vps-08 ~]# vi /etc/nginx/conf.d/wordpress.conf

Add the following and save :

# WORDPRESS : Rewrite rules, sends everything through index.php and keeps the appended query string intact
location / {
    try_files $uri $uri/ /index.php?q=$uri&$args;
}

# SECURITY : Deny all attempts to access PHP Files in the uploads directory
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}
# REQUIREMENTS : Enable PHP Support
location ~ \.php$ {
    # SECURITY : Zero day Exploit Protection
    try_files $uri =404;
    # ENABLE : Enable PHP, listen fpm sock
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
# PLUGINS : Enable Rewrite Rules for SiteMap
rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.xml$ "/index.php?xml_sitemap=params=$2" last;
rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.xml\.gz$ "/index.php?xml_sitemap=params=$2;zip=true" last;
rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.html$ "/index.php?xml_sitemap=params=$2;html=true" last;
rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.html.gz$ "/index.php?xml_sitemap=params=$2;html=true;zip=true" last;

Create w3tc.conf file :

[root@vps ~]# vi /etc/nginx/conf.d/w3tc.conf

Add the following and save :

# BEGIN W3TC Page Cache core
set $w3tc_rewrite 1;
if ($request_method = POST) {
    set $w3tc_rewrite 0;
}
if ($query_string != "") {
    set $w3tc_rewrite 0;
}
if ($http_cookie ~* "(comment_author|wp\-postpass|w3tc_logged_out|wordpress_logged_in|wptouch_switch_toggle)") {
    set $w3tc_rewrite 0;
}
if ($http_cookie ~* "(w3tc_preview)") {
    set $w3tc_rewrite _preview;
}
set $w3tc_enc "";
if ($http_accept_encoding ~ gzip) {
    set $w3tc_enc _gzip;
}
set $w3tc_ext "";
if (-f "$document_root/wp-content/cache/page_enhanced/$http_host/$request_uri/_index$w3tc_rewrite.html$w3tc_enc") {
    set $w3tc_ext .html;
}
if (-f "$document_root/wp-content/cache/page_enhanced/$http_host/$request_uri/_index$w3tc_rewrite.xml$w3tc_enc") {
    set $w3tc_ext .xml;
}
if ($w3tc_ext = "") {
  set $w3tc_rewrite 0;
}
if ($w3tc_rewrite = 1) {
    rewrite .* "/wp-content/cache/page_enhanced/$http_host/$request_uri/_index$w3tc_rewrite$w3tc_ext$w3tc_enc" last;
}
# END W3TC Page Cache core

d. Modify default.conf file :

[root@vps-08 ~]# vi /etc/nginx/conf.d/default.conf
server {
    listen       80;
    server_name  localhost;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    # redirect server error pages to the static page /50x.html
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

5. Secure MySQL:

[root@vps-08 ~]# /usr/bin/mysql_secure_installation

Sample :

[root@vps-08 ~]# /usr/bin/mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!


In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] n
 ... skipping.

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...



All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
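As an added check that is not part of the original post: a small script that verifies the two account-related answers above actually took effect, by reading the mysql.user list the way the "Remove anonymous users?" and "Disallow root login remotely?" prompts evaluate it. Function names and the sample rows are constructed for this example; it assumes a POSIX sh with awk and a mysql client for the real query.

```shell
# audit_mysql_users: reads "user<TAB>host" rows from stdin, the format printed by
#   mysql -N -B -e 'SELECT user, host FROM mysql.user'
# and prints one line per finding: an anonymous account (empty user name), or a
# root account whose host is not the local machine. awk is used instead of a
# read loop because a tab IFS makes read drop the empty leading field, which is
# exactly the anonymous-user case.
audit_mysql_users() {
    awk -F '\t' '
        NF < 2 { next }
        $1 == "" { print "anonymous user allowed from host " $2 }
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            print "root may log in from host " $2
        }
    '
}

# Number of findings for the rows on stdin (0 means nothing left to fix).
mysql_user_finding_count() {
    audit_mysql_users | wc -l | tr -d ' '
}

# Constructed sample, not taken from a real server: the account table of a fresh
# install after answering "n" to "Disallow root login remotely?" as in the
# transcript above, with the anonymous accounts still present.
SAMPLE_MYSQL_USERS=$(printf 'root\tlocalhost\nroot\t127.0.0.1\nroot\t::1\nroot\tvps-08\n\tlocalhost\n\tvps-08\nwordpress\tlocalhost\n')

printf '%s\n' "$SAMPLE_MYSQL_USERS" | audit_mysql_users
```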


6. Configure php-fpm :

[root@vps-08 ~]# vi /etc/php-fpm.d/www.conf

Update and uncomment the following :

listen = /var/run/php-fpm.sock
..
listen.mode = 0666
..
user = nginx
group = nginx
..
pm = dynamic
..
pm.max_children = 50
pm.start_servers = 10
pm.min_spare_servers = 10
pm.max_spare_servers = 10
pm.max_requests = 200
..
slowlog = /var/log/php-fpm/www-slow.log
..
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
..
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session

7. Restart NGINX and php-fpm :
Restart the NGINX and php-fpm services to apply the configuration changes.

[root@vps-08 ~]# service nginx restart; service php-fpm restart
Stopping nginx:                                            [  OK  ]
Starting nginx:                                            [  OK  ]
Stopping php-fpm:                                          [  OK  ]
Starting php-fpm:                                          [  OK  ]

Check the services listening on your VPS :

[root@vps-08 ~]# netstat -plunt | grep LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1097/rpcbind
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      18070/nginx
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1130/sshd
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      18358/mysqld
tcp        0      0 :::111                      :::*                        LISTEN      1097/rpcbind
tcp        0      0 :::22                       :::*                        LISTEN      1130/sshd

Now you can start setting up a WordPress blog on your VPS server.


Linux systemd dev says open source is ‘SICK’, kernel community ‘awful’

Lennart Poettering, creator of the systemd system management software for Linux, says the open-source world is “quite a sick place to be in.”

He also said the Linux development community is “awful” – and he pins the blame for that on Linux supremo Linus Torvalds.

“A fish rots from the head down,” Poettering said in a post to his Google+ feed on Sunday.

Poettering said Torvalds’ confrontational and often foul-mouthed management style is “not an efficient way to run a community” and that it sets an example that is followed by other kernel developers, creating a hostile environment for newcomers.

What’s more, he said, the kernel development community is insular and the overall tone of its discourse is likely to keep it that way.

“The Linux community is dominated by western, white, straight, males in their 30s and 40s these days,” Poettering wrote. “I perfectly fit in that pattern, and the rubbish they pour over me is awful. I can only imagine that it is much worse for members of minorities, or people from different cultural backgrounds, in particular ones where losing face is a major issue.”

Torvalds is indeed well known for his acerbic posts to Linux kernel mailing lists. Poettering cited one particular missive in which Torvalds said some kernel developers should be “retroactively aborted” for their stupidity, and in another post he said he hoped ARM system-on-chip (SoC) developers would “all die in some incredibly painful accident.”

The Linux main man has no great love for the core systemd developers, either. In April he called top systemd coder Kay Sievers a “fucking prima donna” and said he didn’t want to ever work with him.

In the past, Torvalds has explained away such outbursts, saying that being grumpy is just in his nature.

“I’d like to be a nice person and curse less and encourage people to grow rather than telling them they are idiots,” Torvalds said during an online chat with Finland’s Aalto University in April. “I’m sorry – I tried, it’s just not in me.”

But Poettering isn’t buying it. As a result of the behavior of Torvalds and a few other core kernel developers, he said, he hasn’t posted to the Linux kernel mailing list “in years” – although he added that the systemd development community is “fantastic.”

“If you are a newcomer to Linux, either grow a really thick skin. Or run away, it’s not a friendly place to be in,” Poettering wrote by way of advice. “It is sad that it is that way, but it certainly is.”


How to Fix the ‘Shell Shock’ bash Vulnerability in Linux

Q. Linux system administrators who maintain servers exposed to the Internet should be the most concerned about the ‘Shell Shock’ bash vulnerability. Patches that close this security hole are now available from most vendors. For those who still haven’t checked their Linux systems, below is the recommended (unofficial) procedure to make sure your server is not vulnerable to a Shellshock attack.

A. Follow the procedure below to secure your system.

1. As root, log in to your Linux system and run the following command :

[root@centos7 ~]# env x='() { :ignored function;}; echo vulnerable' bash

2. Skip the next step if the command did not print vulnerable, which means your bash is already up to date.

If you see the output below, proceed to the next steps.
Example :

[root@centos7 ~]# env x='() { :ignored function;}; echo vulnerable' bash
vulnerable

3. Perform update for bash :

[root@centos7 ~]# yum update bash -y

4. Check your current bash version. On CentOS 7 or RHEL 7 the fix is in bash-4.2.45 :

[root@centos7 ~]# rpm -qa | grep bash
bash-4.2.45-5.el7_0.4.x86_64

Please take a look at the details below from the Red Hat article.

How does this impact systems

This issue affects all products which use the Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.

All versions prior to those listed as updates for this issue are vulnerable to some degree.

Products Affected:

Product/Channel               Fixed in package               Remediation details
Red Hat Enterprise Linux 7    bash-4.2.45-5.el7_0.4          Red Hat Enterprise Linux
Red Hat Enterprise Linux 6    bash-4.1.2-15.el6_5.2          Red Hat Enterprise Linux
                              bash-4.1.2-15.el6_5.1.sjis.2   Red Hat Enterprise Linux
                              bash-4.1.2-9.el6_2.2           Red Hat Enterprise Linux 6.2 AUS
                              bash-4.1.2-15.el6_4.2          Red Hat Enterprise Linux 6.4 EUS
Red Hat Enterprise Linux 5    bash-3.2-33.el5_11.4           Red Hat Enterprise Linux
                              bash-3.2-33.el5_11.1.sjis.2    Red Hat Enterprise Linux
                              bash-3.2-24.el5_6.2            Red Hat Enterprise Linux 5.6 LL
                              bash-3.2-32.el5_9.3            Red Hat Enterprise Linux 5.9 EUS
Red Hat Enterprise Linux 4    bash-3.0-27.el4.4              Red Hat Enterprise Linux 4
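As an added example, not from the original post: a script that automates steps 1 and 4 of the procedure above, running the environment-variable test non-interactively and comparing an installed bash package name against the fixed builds in the Red Hat table. All function names are my own, the package strings in the comments and test are constructed, and it assumes a POSIX sh with awk and sed.

```shell
# shellshock_probe: the step-1 test, run non-interactively. Prints "vulnerable"
# if bash ran the command appended to the imported function definition,
# "patched" if not, "unknown" if there is no bash to test.
shellshock_probe() {
    command -v bash >/dev/null 2>&1 || { echo unknown; return 2; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'true' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# Minimum fixed bash build per RHEL/CentOS major, from the Red Hat table above
# (main channel only; a fixed AUS/EUS/LL/sjis build may be reported as vulnerable).
fixed_version_for() {
    case "$1" in
        el7) echo 4.2.45-5.el7_0.4 ;;
        el6) echo 4.1.2-15.el6_5.2 ;;
        el5) echo 3.2-33.el5_11.4 ;;
        el4) echo 3.0-27.el4.4 ;;
        *)   return 1 ;;
    esac
}

# Compare two version-release strings on their digit runs, field by field
# (so 4.2.45-5.el7_0.10 sorts after 4.2.45-5.el7_0.4). Prints -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) { print "-1"; exit }
            if (x[i] + 0 > y[i] + 0) { print "1"; exit }
        }
        print "0"
    }'
}

# Classify a package name as printed by "rpm -qa | grep bash": "fixed" (exit 0)
# if at or above the fixed build, "vulnerable" (1) if older, "unknown" (2) if
# the release is not in the table.
bash_pkg_status() {
    pkg=${1%.x86_64}; pkg=${pkg%.i686}; pkg=${pkg%.i386}   # drop arch suffix
    ver=${pkg#bash-}                                        # 4.2.45-5.el7_0.4
    rel=$(printf '%s\n' "$ver" | sed -n 's/.*\.\(el[0-9]*\).*/\1/p')
    fixed=$(fixed_version_for "$rel") || { echo unknown; return 2; }
    if [ "$(vercmp "$ver" "$fixed")" -lt 0 ]; then echo vulnerable; return 1; fi
    echo fixed
}
```

On a server you would run `shellshock_probe` and then `bash_pkg_status "$(rpm -qa | grep '^bash-')"`; the exit statuses make both usable from a configuration-management or monitoring check.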

Common Configuration Examples:

Red Hat performed an analysis to better understand the magnitude of this issue and how it affects various configurations. The below list is not exhaustive, but is meant to give some examples of how this issue affects certain configurations, and why the high level of complexity makes it impossible to specify something is not affected by this issue. The best course of action is to upgrade Bash to a fixed version.

Package: Description

httpd: CGI scripts are likely affected by this issue: when a CGI script is run by the web server, it uses environment variables to pass data to the script. These environment variables can be controlled by the attacker. If the CGI script calls Bash, the script could execute arbitrary code as the httpd user. mod_php, mod_perl, and mod_python do not use environment variables and we believe they are not affected.

Secure Shell (SSH): It is not uncommon to restrict remote commands that a user can run via SSH, such as rsync or git. In these instances, this issue can be used to execute any command, not just the restricted command.

dhclient: The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine.

CUPS: It is believed that CUPS is affected by this issue. Various user supplied values are stored in environment variables when cups filters are executed.

sudo: Commands run via sudo are not affected by this issue. Sudo specifically looks for environment variables that are also functions. It could still be possible for the running command to set an environment variable that could cause a Bash child process to execute arbitrary code.

Firefox: We do not believe Firefox can be forced to set an environment variable in a manner that would allow Bash to run arbitrary commands. It is still advisable to upgrade Bash as it is common to install various plug-ins and extensions that could allow this behavior.

Postfix: The Postfix server will replace various characters with a ?. While the Postfix server does call Bash in a variety of ways, we do not believe an arbitrary environment variable can be set by the server. It is however possible that a filter could set environment variables.

A more detailed analysis of the flaw is available at: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack

How to Lock and Unlock Zimbra Accounts from Command Line

Q. One of the accounts in the Zimbra mailbox is sending spam, and the Zimbra administrator needs to lock the account and then ask the user to reset their current password immediately. Once the password has been reset by the end user, the email administrator needs to unlock the locked account. As a Zimbra administrator, how can I achieve this ?

A. Log in to your mailbox system, switch to the zimbra user and run the following commands :

To lock the account :

[root@mailbox ~]# su - zimbra
[zimbra@mailbox ~]# zmprov ma userid@domain.com  zimbraAccountStatus lock

To unlock the account :

[root@mailbox ~]# su - zimbra
[zimbra@mailbox ~]# zmprov ma userid@domain.com  zimbraAccountStatus active

How to Enable Changing SVN Log Messages or History

Issue :
When I try to change the SVN log message, I get the error below :

Repository has not been enabled to accept revision propchanges; ask the administrator to create a pre-revprop-change hook

Solution :

1. The SVN administrator needs to rename the file pre-revprop-change.tmpl under [REPOPATH]/hooks to pre-revprop-change (same directory, without the .tmpl extension).

[root@svn-server ~]# mv [REPOPATH]/hooks/pre-revprop-change.tmpl [REPOPATH]/hooks/pre-revprop-change

2. Change the file permission :

[root@svn-server ~]# chmod a+x [REPOPATH]/hooks/pre-revprop-change
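As an added example that is not from the original post: a pre-revprop-change hook that grants only what this how-to needs, editing svn:log, and refuses every other revision-property change, with the decision logic in a function so it can be tested without a repository. The function name and the REVPROP_AUDIT_LOG variable are my own; [REPOPATH] is the placeholder used above.

```shell
#!/bin/sh
# revprop_change_allowed REPOS REV USER PROPNAME ACTION
# Decision logic of the hook. Subversion calls pre-revprop-change with these
# five arguments (ACTION is A, D or M) and the new value on stdin; a non-zero
# exit refuses the change. Only modification (M) of svn:log is permitted, so
# svn:author and svn:date stay immutable and no revision property can be
# added or deleted.
revprop_change_allowed() {
    repos=$1; rev=$2; user=$3; propname=$4; action=$5
    if [ "$action" = M ] && [ "$propname" = svn:log ]; then
        # Audit trail of who rewrote which log message. REVPROP_AUDIT_LOG is an
        # assumed name for the hook's own log; when unset the line is discarded.
        printf '%s r%s svn:log modified by %s\n' "$repos" "$rev" "$user" \
            >> "${REVPROP_AUDIT_LOG:-/dev/null}"
        return 0
    fi
    # Text on stderr is returned to the client as the error message.
    echo "Changing revision property '$propname' (action $action) is not allowed" >&2
    return 1
}

# When installed as [REPOPATH]/hooks/pre-revprop-change (chmod a+x), the script
# is run with exactly five arguments; the count test lets the same file be
# sourced by a test harness without acting on the harness's own arguments.
if [ "$#" -eq 5 ]; then
    revprop_change_allowed "$@"
fi
```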

4 steps to Install NGINX on CentOS 7.0

Q. How to install NGINX on CentOS 7.0 ?

A. 4 easy steps to install and run NGINX on CentOS 7.0 :

1. Add Nginx Repository :

[root@localhost ~]# rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

2. Install with yum command :

[root@localhost ~]# yum install nginx -y

3. Start NGINX service :

[root@localhost ~]# systemctl start nginx.service

4. Enable NGINX at boot :

[root@localhost ~]# systemctl enable nginx.service
ln -s '/usr/lib/systemd/system/nginx.service' '/etc/systemd/system/multi-user.target.wants/nginx.service'