How to Recover the Password for root on CentOS 5.7

In this post i will show how password recovery for lost root account’s password is performed. This is especially for those who always forgot their CentOS 5.7 root password. The steps is easy as below :

1. Reboot the CentOS machine
2. When booting up, press any key to go into the select menu.
3. The press ‘e’ to navigate to second grub.conf line (kernel)

recover
4. Press ‘e’ to edit the line :
recover
5. Add ‘single’ to “ro root=LABEL=/ single” as below :
recover
6. At ‘#’ command line, type ‘passwd’ to create new password. Then reboot machine as usual.
recover

How to Disable Firewall on RHEL 6

In this post, i will show how to disable Linux Iptables Firewall on Red Hat Enterprise Linux 6 (RHEL 6). A Linux firewall on RHEL 6 can be configured to filter every network packet that passes into or out of network. In some cases such as testing and development environment, you will need to disable the iptables firewall. To disable linux iptables firewall on RHEL6, you just to execute the following commands :

1. Before stop the iptables, save the firewall setting using the following command :

[root@rhel6 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

2. Stop iptables using the following command :

[root@rhel6 ~]# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]

3. To ensure that iptables will not started at boot time, pleas execute this chkconfig command :

[root@rhel6 ~]# chkconfig iptables off

4. If IPv6 firewall is enabled, please disable it using the following commands :

[root@rhel6 ~]# service ip6tables save
ip6tables: Saving firewall rules to /etc/sysconfig/ip6table[  OK  ]
[root@rhel6 ~]# service ip6tables stop
ip6tables: Flushing firewall rules:                        [  OK  ]
ip6tables: Setting chains to policy ACCEPT: filter         [  OK  ]
ip6tables: Unloading modules:                              [  OK  ]
[root@rhel6 ~]# chkconfig ip6tables off

How to set the SGID bit on a Directory on CentOS 6.2 Linux Server

SetGID or “set group ID upon execution” are the Unix access rights flags that allow users to run an executable with the permissions of the executable’s group. They are often used to allow users on a computer system or group to run programs with temporarily elevated privileges in order to perform a specific task. In this post, i will show the command that would set the SGID bit on the /home/ehowstuff directory on CentOS 6.2. At most cases, SetGID or SGID are needed for tasks that require higher privileges than those which common users have, such as changing their login password.

Default permission on the /home/ehowstuff directory as below :

[root@centos62 ~]# ls -l /home | grep ehowstuff
drwx------. 2 ehowstuff ehowstuff 4096 Jan 29 21:18 ehowstuff

There are two different commands that available to set the SGID bit on the /home/ehowstuff directory. If that’s all you want to do, run the following command:

[root@centos62 ~]# chmod g+s /home/ehowstuff

Result :

[root@centos62 ~]# ls -l /home | grep ehowstuff
drwx--S---. 2 ehowstuff ehowstuff 4096 Jan 29 21:18 ehowstuff

Alternatively, if you’re also assigning full user and group permissions to /home/ehowstuff, you could run the following command:

[root@centos62 ~]# chmod 2770 /home/ehowstuff

Result :

[root@centos62 ~]# ls -l /home | grep ehowstuff
drwxrws---. 2 ehowstuff ehowstuff 4096 Jan 29 21:18 ehowstuff

How to Allow and Deny Access for Remote SSH to CentOS 6.2

In this post, i will show on how to allow and deny access for Remote SSH to CentOS server. This post will configure SSH access as follows:
– Only ehowstuff and root has remote SSH access to the machine within ehowstuff.local
– Clients within bloggerbaru.com should NOT have access to ssh on your system

Please note that all systems in that domain are in the 192.168.1.0/255.255.255.0 subnet, and all systems in that subnet are in bloggerbaru.com.

1. Modify ssh_config as below :

[root@centos62 ~]# vi /etc/ssh/sshd_config
AllowUsers ehowstuff root

2. Make sshd auto start on boot and restart sshd service :

[root@centos62 ~]# chkconfig sshd on
[root@centos62 ~]# /etc/init.d/sshd restart

3. Open iptables configuration as below :

[root@centos62 ~]# vi /etc/sysconfig/iptables

4. Append this line on your iptables setting :

-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j REJECT

5. Restart the iptables :

[root@centos62 ~]# /etc/init.d/iptables restart

How to Disable the SELinux on RHEL 6

In Redhat Enterprise Linux 6 (RHEL 6) minimal server installation, SELinux is set to enable. To disable SELinux, without having to reboot, you can use the setenforce command as below:

    [root@rhel6 ~]# setenforce 0
    

To disabled the SELinux on your next reboot, please change “SELINUX=enforcing” to “SELINUX=disabled”.

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these two values:
    #     targeted - Targeted processes are protected,
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted
    

Change to the following :

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=disabled
    # SELINUXTYPE= can take one of these two values:
    #     targeted - Targeted processes are protected,
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted
    

How to Secure MySQL Database Server

A Default MySQL installation is completely vulnerable to attacks. MySQL installation should be made as secure as possible. This is to protect the data collections and the information maintained by the MySQL server from unauthorized or anonymous access. In This post, i will share with you on how to secure your database server with the simple configuration and wizard.

Default and unsecured MySQL database:

    mysql> select user,host,password from mysql.user;
    +------+-----------+------------------+
    | user | host      | password         |
    +------+-----------+------------------+
    | root | localhost |                  |
    | root | CentOS57  |                  |
    | root | 127.0.0.1 |                  |
    |      | localhost |                  |
    |      | CentOS57  |                  |
    +------+-----------+------------------+
    5 rows in set (0.00 sec)
    

root password has not been set and anonymous user can access this MySQL server.

Simply run this command to secure MySQL server:

    [root@CentOS57 ~]# /usr/bin/mysql_secure_installation
    
    [root@CentOS57 ~]# /usr/bin/mysql_secure_installation
    
    
    
    
    NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
          SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!
    
    
    In order to log into MySQL to secure it, we'll need the current
    password for the root user.  If you've just installed MySQL, and
    you haven't set the root password yet, the password will be blank,
    so you should just press enter here.
    
    Enter current password for root (enter for none):
    OK, successfully used password, moving on...
    
    Setting the root password ensures that nobody can log into the MySQL
    root user without the proper authorisation.
    
    Set root password? [Y/n] y
    New password:
    Re-enter new password:
    Password updated successfully!
    Reloading privilege tables..
     ... Success!
    
    
    By default, a MySQL installation has an anonymous user, allowing anyone
    to log into MySQL without having to have a user account created for
    them.  This is intended only for testing, and to make the installation
    go a bit smoother.  You should remove them before moving into a
    production environment.
    
    Remove anonymous users? [Y/n] y
     ... Success!
    
    Normally, root should only be allowed to connect from 'localhost'.  This
    ensures that someone cannot guess at the root password from the network.
    
    Disallow root login remotely? [Y/n] n
     ... skipping.
    
    By default, MySQL comes with a database named 'test' that anyone can
    access.  This is also intended only for testing, and should be removed
    before moving into a production environment.
    
    Remove test database and access to it? [Y/n] n
     ... skipping.
    
    Reloading the privilege tables will ensure that all changes made so far
    will take effect immediately.
    
    Reload privilege tables now? [Y/n] y
     ... Success!
    
    Cleaning up...
    
    
    
    All done!  If you've completed all of the above steps, your MySQL
    installation should now be secure.
    
    Thanks for using MySQL!
    

Secure MySQL database :

    mysql> select user,host,password from mysql.user;
    +------+-----------+------------------+
    | user | host      | password         |
    +------+-----------+------------------+
    | root | localhost | 5d2e19393cc5ef67 |
    | root | CentOS57  | 5d2e19393cc5ef67 |
    | root | 127.0.0.1 | 5d2e19393cc5ef67 |
    +------+-----------+------------------+
    3 rows in set (0.00 sec)
    

Above steps is not the complete solutions to secure your production MySQL server. It just only basics how-to steps from my own experiences. I highly recommend you to read through the following article:
http://dev.mysql.com/doc/refman/5.0/en/security.html
http://dev.mysql.com/doc/refman/5.0/en/default-privileges.html

How to Disable the SELinux on CentOS 6.2

In CentOS 6.2 minimal server installation, SELinux is set to enable. To disabled the SELinux, please change “SELINUX=enforcing” to “SELINUX=disabled”. This will disable SELinux on your next reboot.

    [root@centos6 ~]# vi /etc/selinux/config
    
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these two values:
    #     targeted - Targeted processes are protected,
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted
    
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=disabled
    # SELINUXTYPE= can take one of these two values:
    #     targeted - Targeted processes are protected,
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted
    

To disable SELinux, without having to reboot, you can use the setenforce command as below:

    [root@centos6 ~]# setenforce 0