How to Install MySQL on CentOS 7 / RHEL 7 / Oracle Linux 7

how to install mysql
In this quick guide, i will show you how to install MYSQL on CentOS 7 / RHEL 7 / Oracle Linux 7 instead of MariaDB.

MariaDB is the default implementation of MySQL in Red Hat Enterprise Linux 7 (RHEL 7) or CentOS 7.

MariaDB is a community-developed fork of the MySQL database project, and provides a replacement for MySQL.

However, in some cases, you still need to install MySQL as your deployment database on you linux server.

How to Install MySQL on CentOS 7 / RHEL 7 / Oracle Linux 7

1. Remove MariaDB installation :
If you server already have MariaDB database server installed, i would suggest you remove it first to avoid conflict.

# sudo yum remove mariadb-server -y

2. Download MySQL 5.7 repo file :

# wget

3. Install MySQL 5.7 repo file :

# sudo rpm -ivh mysql57-community-release-el7-8.noarch.rpm

4. Install MySQL 5.7 database server :

# sudo yum install mysql-server -y

5. How to Start MySQL server in linux :

# sudo systemctl start mysqld

6. Enable auto start at boot :

# sudo systemctl enable mysqld

7. At the initial start up of the MySQL database server, the following happens, given that the data directory of the server is empty:

a) The server is initialized.
b) An SSL certificate and key files are generated in the data directory.
c) The validate_password plugin is installed and enabled.
d) A superuser account ‘root’@’localhost is created. The initial root password created can be found in the error log file. You can get the password by issue the following command :

# sudo grep 'temporary password' /var/log/mysqld.log
2016-06-19T23:08:09.439963Z 1 [Note] A temporary password is generated for root@localhost: sj-mMM;o%6Ll

8. Harden MySQL Server

Run the mysql_secure_installation script to address several security concerns in a default MySQL installation.

You will be given the choice to change the MySQL root password, remove anonymous user accounts, disable root logins outside of localhost, and remove test databases. It is recommended that you answer yes to these options.

# sudo mysql_secure_installation

Securing the MySQL server deployment.

Enter password for user root:
The 'validate_password' plugin is installed on the server.
The subsequent steps will run with the existing configuration
of the plugin.
Using existing password for root.

Estimated strength of the password: 50
Change the password for root ? ((Press y|Y for Yes, any other key for No) : yes

New password:

Re-enter new password:

Estimated strength of the password: 50
Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : y
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production

Remove anonymous users? (Press y|Y for Yes, any other key for No) : y

Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.

Disallow root login remotely? (Press y|Y for Yes, any other key for No) : no

 ... skipping.
By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production

Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
 - Dropping test database...

 - Removing privileges on test database...

Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.

Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y

All done!

Resource :

How to Install and Setup 389 Directory Server on CentOS 7

Setup 389 Directory Server389 Directory Server (previously Fedora Directory Server) is an open source enterprise class LDAP server for Linux. It is developed by Red Hat community-supported Fedora Project. The name 389 is derived from the port number for LDAP.

In this article we will guide you through the steps on how to install and setup 389 directory server on CentOS 7.

Steps to Install and Setup 389 Directory Server on CentOS 7

1. Turn off selinux :

vi /etc/sysconfig/selinux

Change SELINUX to disabled then reboot the server :

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.

2. Perform basic performance and Security tuning for LDAP server :

# vi /etc/sysctl.conf

Add the following :

net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000
# vi /etc/security/limits.conf

Add the following :

* soft nofile 524288
* hard nofile 524288

3. Reboot the server. This is to take effect the SELINUX and performance tuning setting :

# reboot

4. Install 389 directory packages :

# yum install
# yum install 389-* -y

5. Create ldap user and set its password :

# useradd ldap
# passwd ldap

6. Start 389 installation :


This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]:

Your system has been scanned for potential problems, missing patches,
etc.  The following output is a report of the items found that need to
be addressed before running this software in a production

389 Directory Server system tuning analysis version 23-FEBRUARY-2012.

NOTICE : System is x86_64-unknown-linux3.10.0-327.4.5.el7.x86_64 (2 processors).

Would you like to continue? [yes]:

Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]:

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form

To accept the default shown in brackets, press the Enter key.

Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly.  If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:

Computer name [centos72.ehowstuff.local]:

The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [nobody]: ldap
System Group [nobody]: ldap

Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers.  If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server.  To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
.(e.g., the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL).  If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]:

Please enter the administrator ID for the configuration directory
server.  This is the ID typically used to log in to the console.  You
will also be prompted for the password.

Configuration directory server
administrator ID [admin]:
Password (confirm):

The information stored in the configuration directory server can be
separated into different Administration Domains.  If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default.  Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [ehowstuff.local]:

The standard directory server network port number is 389.  However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]:

Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [centos72]:

The suffix is the root of your directory tree.  The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=ehowstuff, dc=local]:

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user.  The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.

Directory Manager DN [cn=Directory Manager]:
Password (confirm):

The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]:

The interactive phase is complete.  The script will now set up your
servers.  Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'centos72' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .

7. Start the dirsrv admin service and dirsrv instance :

# systemctl start dirsrv-admin
# systemctl start dirsrv@centos72

8. Configure dirsrv admin service and all dirsrv instance auto start at boot :

# systemctl enable && systemctl enable dirsrv-admin

9. Allow management and directory service ports :

# firewall-cmd --permanent --add-port=389/tcp
# firewall-cmd --permanent --add-port=636/tcp
# firewall-cmd --permanent --add-port=9830/tcp
# firewall-cmd --reload

10. Verify all the allowed ports :

# firewall-cmd --list-all
public (default, active)
  interfaces: ens160
  services: dhcpv6-client ssh
  ports: 389/tcp 9830/tcp 80/tcp 636/tcp
  masquerade: no
  rich rules:

11. Login to your 389 directory from console.

Setup 389 Directory Server

12. Your 389 directory administration console will look as below :

Setup 389 Directory Server

How to Migrate LVM or Volume Group to New Linux Server

Migrate LVMThis article will describe on how to move or migrate LVM and volume group from one server to another.

If you are working in a production environment then you have to know about the software disk management and all the methods to provide flexibility in storage management.

LVM stand for logical volume management. It is a tool to manage and provides a higher-level view of the disk storage.

Below tutorial will be very useful for system administrators who have problems on the linux operating system and want to mount the mounted partition to other systems.

This should be the most simple recovery strategy if we run Linux in VMware virtual machines.

Migrating LVM or Volume Group to new server should be the fastest way to access the important linux partition that may contains user’s data or important configuration files.

How to Migrate LVM or Volume Group to New Server

1. Add vdisk to new virtual machine.

a) Click “Add” to proceed :

Migrate LVM

b) Select “Hard Disk” device type :

Migrate LVM

c) Please choose “Use and existing virtual disk” :

Migrate LVM

d) Browse to vdisk location :

Migrate LVM

e) Click Next to proceed :

Migrate LVM

f) Click finish :

Migrate LVM

g) Finally click “OK” to complete :

Migrate LVM

2. Once the vdisk as been added to new Linux server, please proceed to rescan the linux VM.

a) Identify host bus number :

# ls /sys/class/scsi_host/
host0  host1  host2

b) Rescan the SCSI Bus to Add a SCSI Devices :

# echo "- - -" > /sys/class/scsi_host/host0/scan
# echo "- - -" > /sys/class/scsi_host/host1/scan
# echo "- - -" > /sys/class/scsi_host/host2/scan

3. Check the new disk. The second vdisk by default will be recognised as /dev/sdb. Since the partition type has been formatted as LVM on the previous system, it will show Id “8e” if you run fdisk command.

# fdisk -l

Disk /dev/sdb: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xce931872

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1        1305    10482381   8e  Linux LVM

There are two method to register and activate the LVM and volume group into new linux server. Proceed to steps 4 – 9 for Method 1. Go to step 10 for Method 2.

4. Use lvscan to scans all known volume groups or all supported LVM block devices in the system for defined Logical Volumes. The output consists of one line for each Logical Volume indicating whether it is active or inactive :

# lvscan
  inactive          '/dev/vg_newlvm/newvol' [9.99 GiB] inherit
  ACTIVE            '/dev/vg_centos66/lv_root' [30.00 GiB] inherit
  ACTIVE            '/dev/vg_centos66/lv_swap' [8.00 GiB] inherit

5. Check existing volume group and logical volume:

# vgscan
  Reading all physical volumes.  This may take a while...
  Found volume group "vg_newlvm" using metadata type lvm2
  Found volume group "vg_centos66" using metadata type lvm2

One of the logical volume in “vg_newlvm” volume group still inactive status.

# lvscan
inactive '/dev/vg_newlvm/newvol' [9.99 GiB] inherit
ACTIVE '/dev/vg_centos66/lv_root' [17.51 GiB] inherit
ACTIVE '/dev/vg_centos66/lv_swap' [2.00 GiB] inherit

6. Export the volume group “vg_newlvm” :

# vgexport vg_newlvm
Volume group "vg_newlvm" successfully exported

7. Then import volume group “vg_newlvm”:

# vgimport vg_newlvm
Volume group "vg_newlvm" successfully imported

8. To activate volume groups “vg_newlvm”, run the following command :

# vgchange -ay vg_newlvm
1 logical volume(s) in volume group "vg_newlvm" now active

9. Check again updated logical volume and volume group status :

# lvscan
  ACTIVE            '/dev/vg_newlvm/newvol' [9.99 GiB] inherit
  ACTIVE            '/dev/vg_centos66/lv_root' [17.51 GiB] inherit
  ACTIVE            '/dev/vg_centos66/lv_swap' [2.00 GiB] inherit

Method 2 :

10. The fastest method to activate the migrated LVM or Volume Group are as below :

# lvscan
inactive '/dev/vg_newlvm/newvol' [9.99 GiB] inherit
ACTIVE '/dev/vg_centos66/lv_root' [17.51 GiB] inherit
ACTIVE '/dev/vg_centos66/lv_swap' [2.00 GiB] inherit

Use lvchange command to activate the LVM.

# lvchange -ay /dev/vg_newlvm/newvol
# lvscan
ACTIVE '/dev/vg_newlvm/newvol' [9.99 GiB] inherit
ACTIVE '/dev/vg_centos66/lv_root' [17.51 GiB] inherit
ACTIVE '/dev/vg_centos66/lv_swap' [2.00 GiB] inherit

11. Create /data folder :

# mkdir -p /data

12. Mount the migrated LVM to /data

# mount /dev/vg_newlvm/newvol /data

13. Verify /date to use migrated LVM :

# df -lh
Filesystem            Size  Used Avail Use% Mounted on
                       18G  5.2G   12G  32% /
tmpfs                 939M     0  939M   0% /dev/shm
/dev/sda1             477M   67M  385M  15% /boot
                      9.8G   32M  9.2G   1% /data

How to Change default runlevel in CentOS 7 / RHEL 7

Change default runlevelIn CentOS 7 and RHEL 7, the systemd process replaces the init process for starting services at boot time and also for changing the runlevels. It uses “targets” instead of run-levels and relies on systemctl command to change runlevel or to change the target.

The systemd provides much more control than the init process does while still supporting existing init scripts.

Take note that in RHEL 7 and CentOS 7, any edits of /etc/inittab file will not take effect.

The following articles describe how to change default runlevel in CentOS 7 / RHEL 7.

1. How to determine the state that the system currently configured to boot to :

# systemctl get-default

Example 1 :
If the system running on Non-GUI Mode, “systemctl get-default” command will return “” :

Method 1 :

[root@centos72 ~]# systemctl get-default

Method 2 :

[root@centos72 ~]# ls -al /etc/systemd/system/
lrwxrwxrwx. 1 root root 37 May 30  2015 -> /lib/systemd/system/

Example 2 :
If the system running on GUI Mode, “systemctl get-default” command will return “” :
Method 1 :

[root@centos72-gui ~]# systemctl get-default

Method 2 :

[root@centos72-gui ~]# ls -al /etc/systemd/system/
lrwxrwxrwx. 1 root root 36 Jun  5  2015 /etc/systemd/system/ -> /lib/systemd/system/

However, you can still use the runlevel command as it was left intact for backward compatibility:

[root@centos72 ~]# runlevel
N 3
[root@centos72-gui ~]# runlevel
N 5

In case you are required to change from your CentOS 7 from Non-GUI (text-based) mode to GNOME Desktop mode, you have to ensure the following group of packages has been installed properly :

a) Server with GUI (This is for server)
b) GNOME Desktop
c) Graphical Administration Tools

2. How to Install Gnome GUI in CentOS 7 :

# yum groupinstall "GNOME Desktop" "Graphical Administration Tools" "Server with GUI"

3. How to list all currently loaded and available targets :

# systemctl list-units -t target
UNIT                 LOAD   ACTIVE SUB    DESCRIPTION         loaded active active Basic System    loaded active active Encrypted Volumes         loaded active active Login Prompts     loaded active active Graphical Interface  loaded active active Local File Systems (Pre)      loaded active active Local File Systems    loaded active active Multi-User System       loaded active active Network         loaded active active Paths loaded active active Remote File Systems (Pre)     loaded active active Remote File Systems        loaded active active Slices       loaded active active Sockets          loaded active active Swap       loaded active active System Initialization        loaded active active Timers

In below example, the following target are required to be laoded :     loaded active active Graphical Interface    loaded active active Multi-User System

How to Change default runlevel

4. How to Change default runlevel from Non-GUI (text-based) mode to GNOME Desktop in CentOS 7 / RHEL 7

# systemctl set-default

5. How to Change default runlevel from GNOME Desktop to Non-GUI (text-based) mode in CentOS 7 / RHEL 7

# systemctl set-default

Resource :

Microsoft Will Bring Its SQL Database Software to Linux

microsoft-linuxNearly one quarter of all the servers running in Microsoft’s Azure cloud service are powered by the open source operating system Linux. But you can’t actually run much Microsoft software on those Linux servers.

That’s about to change. Companies will soon be able to run Microsoft’s database software SQL Server on Linux, Microsoft’s Scott Guthrie said in a blog post today.

Or at least part of it. A spokesperson clarified that Microsoft will offer at least SQL Server’s core capabilities. Other components will depends on customer demand and feedback.

Microsoft isn’t open sourcing SQL Server’s code, but making it run-able on Linux is a big change for the company. Microsoft has long offered a Mac version of its Office suite and has recently released versions for Android and iOS. Other than that, however, you generally need to run Windows if you want to use Microsoft software. Few Microsoft applications run on Linux today, and those that do were acquired from other companies, such as Skype, Revolution R Enterprise, and Wunderlist.

Love for Linux

But Microsoft has been warming to the idea of supporting software on other platforms. Just last month the company announced plans to acquire Xamarin, a company that develops a cross-platform version of Microsoft’s popular .NET programming framework—a tool that enables developers to use Microsoft’s C# programming language to build applications that run on Linux and Apple’s operating systems, not just Windows.

Microsoft’s newfound love for Linux was a long time coming. Back in 2001, former CEO Steve Ballmer famously called Linux a “cancer.” In 2007, Microsoft threatened to sue Linux companies such as Red Hat for patent infringement.

But over the years, as open source won over not just hackers but corporations and governments as well, Microsoft changed its tune. It partnered with Red Hat in 2009 to ensure compatibility between the two company’s products. In 2012, it announced support for Linux on Azure and now even uses the operating system to actuallyrun the cloud service. But for years, Microsoft’s main forays into open source were focused on bringing open source software that already ran on Linux to Windows, such as the data crunching platform Hadoop, the programming platform Node.js and the code management tool Git. Enabling users to run SQL Server on Linux, even if it isn’t open sourcing the underlying software, is another step in this new direction.

Whether users actually want to run SQL Server on Linux is another question entirely. Oracle’s flagship database software is still far more popular than Microsoft’s, and open source alternatives like MySQL and PostgreSQL are already enormously popular on Linux. But it is possible that more companies would pay for Microsoft SQL Server licenses if they could run it on Linux, thus avoiding having to pay for both a Windows Server license and a SQL Server license. That might end up being a wash for Microsoft’s bottom line. But more openness to open source could ultimately mean more techies are open to Microsoft.

Article Source
Picture source :

How to Disable IPv6 on Redhat / CentOS 6 / CentOS 7

This howto will show you how to disable ipv6 on RHEL 6/7, CentOS 6 and CentOS7.

IPv6 is enabled by default. In this article I summarize 3 configuration which needs to be changed to completely disable ipv6.

Check the configuration of the existing network with the “ifconfig” command. If inet6 appears in the configuration, means IPv6 is enabled.

Disable IPv6 on Redhat

Here are details on how to disable IPv6 on Redhat / CentOS 6 / CentOS 7 :

1. Update /etc/sysctl.conf :

Method 1 :

# vi /etc/sysctl.conf

Add the following :

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Run the following command to take effect.

# sysctl -p

Disable IPv6 on Redhat

Method 2 :

To disable ipv6 in the running system :

# echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
# echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6


# sysctl -w net.ipv6.conf.all.disable_ipv6=1
# sysctl -w net.ipv6.conf.default.disable_ipv6=1

2. Update config file in/etc/sysconfig/network-scripts/ifcfg-eth0 and /etc/sysconfig/network-scripts/ifcfg-ens160 :

For CentOS 6 :

# vi /etc/sysconfig/network-scripts/ifcfg-eth0

For CentOS 7 :

# vi /etc/sysconfig/network-scripts/ifcfg-ens160

Disable IPv6 on Redhat

3. Edit /etc/sysconfig/network file and add “no” to NETWORKING_IPV6.

# vi /etc/sysconfig/network

Disable IPv6 on Redhat

I would advise you to restart network configuration as below :

For CentOS 6 :

# service network restart

For CentOS 7 :

# systemctl restart network

Source :

How to Configure Linux TCP keepalive Setting

TCP keepalive Setting

In line with the increase in internet users, the traffic and workload on the web server is also increased. Hence, the webmaster or system administrator needs to make sure that the web server is able to accommodate a sufficient number of TCP connections.

If your web server has begun to show an increase in the number of visitors, you may start planning to perform basic tcp tuning on the linux operating system.

On average, most people that visit the website or blog that comes from search engines only read a page just for 1-2 minutes. After they got the answer for what they really want, they simply leave the page and visit other sites. But the old opened connection still remains and unused for a long time.

For low and average number of website visitors, the default values for the keepalive parameter should be sufficient.

But for high concurrency web server or in a busy server, decrease timeouts on TCP sockets can help to clean up the tcp connections from clients that have been disconnected. This can be done by changing the default value of tcp_keepalive setting in sysctl.conf.

What is TCP Keepalive Setting?

TCP keepalive is a mechanism for TCP connections that help to determine whether the other end has stopped responding or not.

TCP will send the keepalive probe contains null data to the network peer several times after a period of idle time. If the peer does not respond, the socket will be closed automatically.

The application will then receive a notification about the socket closure, which it should handle in the correct manner.

Most of the operating systems and hosts that support TCP also support TCP Keepalive.

Basically, tuning some of the settings in sysctl.conf really help speeding things up under heavy usage.

Tunable TCP settings can be found on /proc/sys/net/ipv4

What are the default values of TCP KeepAlive setting ?

tcp_keepalive_time = 7200 (seconds)
tcp_keepalive_intvl = 75 (seconds)
tcp_keepalive_probes = 9 (number of probes)

TCP keepalive process waits for two hours (7200 secs) for socket activity before sending the first keepalive probe, and then resend it every 75 seconds. As long as there is TCP/IP socket communications going on and active, no keepalive packets are needed.

How to Configure Linux TCP keepalive Settings ?

Please note that the following tuning is for linux operating system only. This steps has been tested in CentOS 5/6/7, RHEL 5/6/7 and Oracle Linux 6/7.

Optionally you can do further tuning of the web applications level such as Apache or Nginx web server.

1. Edit your /etc/sysctl.conf

# vi /etc/sysctl.conf

2. Add the following setting :

net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 6

Explanation for above parameter in section a), b) and c).

3. To load settings, enter the following command :

# sysctl -p

KeepAlive Parameter Details

a) Decrease the time default value for tcp_keepalive_time connection from 7200 seconds to 60 seconds. This determine the time of connection inactivity after which the first keep alive request is sent. Parameter below shows that the TCP will begin sending keepalive null packets after 1 minute.

net.ipv4.tcp_keepalive_time = 60

b) The following parameter (tcp_keepalive_intvl) determines the keepalive probe will resend every 10 seconds after first keep alive probe. This reduce from 75 seconds to 10 seconds gap or time interval between each of the keep alive probes.

net.ipv4.tcp_keepalive_intvl = 10

c) Next parameter (tcp_keepalive_probes) is expressed in the pure number. The following setting determine the number of probes before timing out. We recommend to reduce number of retransmitted from 9 to 6 before the connection is considered broken.

net.ipv4.tcp_keepalive_probes = 6

With this, your application will detect dead TCP connections after 120 seconds (60s + 10s + 10s + 10s + 10s + 10s + 10s).

How to Install and Setup Munin on CentOS 7

Munin on CentOS 7

Munin is open source and free software for monitoring computer system, network monitoring and application infrastructure monitoring software. Munin offers monitoring and alerting for servers, switches, applications, and services.

Munin can help system administrators to analyze the trend of the computer system whether it is experiencing problems or not. It can be an easier alternative to the popular open-source software zabbix monitoring.

In this article, I will explain how you can monitor your linux CentOS with Munin and the simple steps to install and setup Munin on CentOS 7.

Steps to Install and Setup Munin on CentOS 7

1. Enable or install the EPEL Repository into CentOS 7. Read more on how to Enable EPEL Repository on CentOS 7 / RHEL 7

2. Munin requires a web server to run. In this article, we will use apache. Install apache, Munin and Munin Node with yum command :

# yum install httpd munin munin-node -y

3. Start and enable apache and munin at boot.

# systemctl start httpd
# systemctl enable httpd
# systemctl start munin-node
# systemctl enable munin-node

4. We want munin to use the name centos72.ehowstuff.local instead of localhost. Please open edit the setting in /etc/munin/munin.conf

# vim /etc/munin/munin.conf

Original :

    use_node_name yes

Change to :

    use_node_name yes

5. You also have optional to change the munin node hostname :

# vim /etc/munin/munin-node.conf

Original :

host_name localhost.localdomain

Change to :

host_name centos72.ehowstuff.local

6. Next go to the Apache virtual host configuration file to add the permission to access your network.

# vim /etc/httpd/conf.d/munin.conf

Add network segment that you allow to access to the CentOS server.

AuthUserFile /etc/munin/munin-htpasswd
AuthName "Munin"
AuthType Basic
require valid-user

Order Deny,Allow
Deny from all
Allow from

7. Munin statistics page shall be protected by a username and password. We can add the new user (admin) and password to /etc/munin/munin-htpasswd with htpasswd command line. So we have to setup basic Apache authentication before we can start access the munin statistic page.

# htpasswd /etc/munin/munin-htpasswd admin
New password:
Re-type new password:
Adding password for user admin

8. Allow port 80 in the firewalld permanently. learn more how to configure Firewalld on CentOS 7.

a) Get default zone :

# firewall-cmd --get-active-zones
  interfaces: ens160

b) Allow port 80 permanently in firewalld :

# firewall-cmd --permanent --zone=public --add-port=80/tcp

c) reload the setting to take effect immediately :

# firewall-cmd --reload

d) List all active firewalld configuration :

# firewall-cmd --list-all
public (default, active)
  interfaces: ens160
  services: dhcpv6-client ssh
  ports: 80/tcp
  masquerade: no
  rich rules:

9. Try access munin statistic page from client.

Munin on CentOS 7

How to Prevent SSH Timing out from Server and Client

Prevent SSH Timing out

As a system administrator, you manage linux servers and for some others may have their own virtual private server (VPS).  In some cases you will need to spend a lot of time on the SSH connection to resolve any issues and do the routine work through command line. Some of you may have encountered an annoying issue where your session is disconnected after a period of inactivity.

SSH connection that is inactive or idle usually disconnected by the server after a specified period of time. It depends on the configuration in the SSH server(remote server) or the SSh client.  After the connection is cut, the client SSH / putty connection you will be presented with a message saying SSH time out or connection closed or message similar to below :

Read from remote host Connection reset by peer Connection to closed

In order to prevent SSH timing out from the server, you need to configure /etc/ssh/sshd_config or /etc/ssh/ssh_config. If we keep the setting a value of 0 (the default) for both (ServerAliveInterval and ClientAliveInterval) will disable these features so your connection could drop if it is idle for too long. This article will

As the reference, i will explains how you can stop and prevent SSH timing out from server and client. This steps has been tested on CentOS 6 / CentOS 7 / RHEL 6 / RHEL 7 / Oracle Linux 6 / Oracle Linux 7.

What is /etc/ssh/sshd_config ?

sshd_config is a system configuration file for OpenSSH which allows you to set options that modify the operation of the daemon (SSH server/service)

What is /etc/ssh/ssh_config ?

ssh_config is a system configuration file for OpenSSH which allows you to set options that modify the operation of the linux client programs. If you are running windows client program you should configure it in Putty client.

Option 1 : How to Prevent SSH Timing out from OpenSSH Server :

a) As a root user, open sshd_config file :

# vi /etc/ssh/sshd_config

b) Find the ClientAliveInterval option to 60 (in seconds) or add the value if it is not there.

ClientAliveInterval 60

Note : ClientAliveInterval: number of seconds that the server will wait before sending a null packet to the client (to keep the connection alive).

c) Restart sshd daemon :
In CentOS 7 / RHEL 7

# sudo systemctl restart sshd.service

In CentOS 5/6 / RHEL 5/6

# service sshd restart

In above example, we sets a timeout interval to 60 seconds after idle time (which if no data has been received from the client), the ssh server will send a message through the encrypted channel to request
a response from the client. If no response, ssh server will let ssh client to exit (timeout) automatically.

Option 2 : How to Prevent SSH Timing out from Linux OpenSSH Client :

a) As a root user, open ssh_config file :

# vi /etc/ssh/ssh_config

b) Find the ServerAliveInterval option to 60 (in seconds) or add the value if it is not there.

ServerAliveInterval 60

Note : ServerAliveInterval: number of seconds that the client will wait before sending a null packet to the server (to keep the connection alive).

In above example, we set a timeout interval to 60 seconds after idle time, ssh client will send a message through the encrypted channel to request a response from the server, so that the server won’t disconnect the client.

Option 3 : How to Prevent SSH Timing out from Windows Putty Client :

a) Open Putty
b) Click on Connection tab
c) Check the box for Enable TCP keepalives (SO_KEEPALIVE option)
d) Input the second in between keepalives.

Prevent SSH Timing out


All of above settings will let the server or client send a packet to its partner every 60 seconds. After the configuration is done, SSH connection will remain active even if the user does not perform any activity at the command line or idle.


Linux Machines Can Be Hacked by Pressing Backspace 28 Times

Linux Machines Can Be Hacked

A Pair of Spanish cybersecurity researchers have discovered a Linux vulnerability that could allow anyone with physical access to a system to log in without a password and launch a variety of attacks. The vulnerability, found in versions of the commonly used Grub2 (GNU Grand Unified Bootloader) bootloader released since 2009, can be exploited by hitting the backspace key 28 times. Named CVE-2015-8370, the vulnerability has a medium severity rating, according to the National Institute of Standards and Technology’s National Cyber Awareness System notice. The bug can be easily fixed, according to the researchers who discovered it, and a number of patches are now available.

Introduced into the Grub coding in December 2009, the vulnerability has raised some suspicions that it might be the work of the National Security Agency or a similar organization. A commenter on reddit’s Linux thread, for instance, noted, “This is exactly the kind of highly-useful bug with plausible deniability that I’d expect to be introduced ‘accidentally by governmental agencies’s agents.”

‘Incalculable Number of Affected Devices’

Hector Marco-Gisbert and Ismael Ripoll, members of the cybersecurity group at Spain’s Polytechnic University of València, published their description of the Grub2 authentication bypass zero-day vulnerability on December 14, several days after disclosing it to CCN-CERT, the Spanish National Cryptologic Center.

“Grub2 is the bootloader used by most Linux systems including some embedded systems,” Marco-Gisbert and Ripoll said in their description of the vulnerability. “This results in an incalculable number of affected devices.”

The researchers said they were able to exploit the vulnerability using QEMU (short for Quick Emulator) running Debian 7.5. The bug allowed them to obtain a Grub rescue shell, from which they could gain entry to the system without a username or password, and potentially introduce malware, destroy data or launch a denial of service attack.

Easy Check for Bug

Users can quickly and easily check for the vulnerability in their systems by pressing the backspace key 28 times when Grub asks for a username, according to Marco-Gisbert and Ripoll. “If your machine reboots or you get a rescue shell then your Grub is affected,” they said.

In addition to fixes being made available by GNU/Linux vendors, an emergency patch was also posted by the researchers on the main Grub2 Git repository. Any GNU/Linux user with Grub2 using password protection should update to a patched version, even if the attack described by the researchers is not easily launched without physical access to a system and could require significantly different approaches on different systems.

“As can be seen, the successful exploitation depends on many things: the BIOS version, the GRUB version, the amount of RAM, and whatever that modifies the memory layout,” Marco-Gisbert and Ripoll noted. “And each system requires a deep analysis to build the specific exploit.”

Original Article

How to Setup SSH Login Without Password CentOS / RHEL

SSH Login Without Password

As a system administrator, you plan on using OpenSSH for Linux and automate your daily tasks such as transferring files or database dump file for the backup to another server. To achieve this goal, you need to log in automatically from the host A to host B. Login automatically mean you do not want to enter any password because you want to use ssh from a shell script.

In this article we’ll show you how to Setup SSH Login without Password on CentOS / RHEL. After automatic login has been configured, you can use it to move the file using SSH (Secure Shell) and secure copy (SCP).

SSH is open source and the most trusted network protocol which is used to login to the remote server. It is used by system administrators to execute commands, also used to transfer files from one computer to another over a network using SCP protocol.

After you setup SSH login without password, you can get the following advantages :

a) Automate your daily task via scripts.
b) If you login to your linux server using ssh key instead of normal loging using any user, it will enhance security of your linux server. This is one of the recommended method to prevent a brute force attack on virtual private server (VPS), SSH keys are nearly impossible to decipher by brute force alone.

What is ssh-keygen

ssh-keygen is a Unix utility that is used to generate, create, manage the public and private keys for ssh authentication. With the help of the ssh-keygen tool, a user can create passphrase keys for both SSH protocol version 1 and version 2. ssh-keygen creates RSA keys for SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2.

What is ssh-copy-id

ssh-copy-id is a script that copies the local-host’s public key to the remote-host’s authorized_keys file. ssh-copy-id also append the indicated identity file to that machine’s ~/.ssh/authorized_keys file and assigns proper permission to the remote-host’s home.

SSH keys

SSH keys provide better and secure way of logging into a linux server with SSH. After you run ssh-keygen, you will generate public key and private key. You can place the public key on any server, and then unlock it by connecting to it with a client that already has the private key. When the two match up, the system unlocks without the need for a password.

Setup SSH Login Without Password on CentOS and RHEL.

This steps tested on CentOS 5/6/7, RHEL 5/6/7 and Oracle Linux 6/7.

Node1 :
Node2 :

Step One :
Test the connection and access from node1 to node2 :

[root@node1 ~]# ssh root@
The authenticity of host ' (' can't be established.
RSA key fingerprint is 6d:8f:63:9b:3b:63:e1:72:b3:06:a4:e4:f4:37:21:42.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
root@'s password:
Last login: Thu Dec 10 22:04:55 2015 from
[root@node2 ~]#

Step Two :
Generate public and private keys using ssh-key-gen. Please take note that you can increase security by protecting the private key with a passphrase.

[root@node1 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
b4:51:7e:1e:52:61:cd:fb:b2:98:4b:ad:a1:8b:31:6d root@node1.ehowstuff.local
The key's randomart image is:
+--[ RSA 2048]----+
|          . ++   |
|         o o  o  |
|        o o o  . |
|       . o + ..  |
|        S   .  . |
|         .   .. .|
|        o E oo.o |
|         = ooo.  |
|        . o.o.   |

Step Three :
Copy or transfer the public key to remote-host using ssh-copy-id command. It will append the indicated identity file to ~/.ssh/authorized_keys on node2 :

[root@node1 ~]# ssh-copy-id -i ~/.ssh/
root@'s password:
Now try logging into the machine, with "ssh ''", and check in:


to make sure we haven't added extra keys that you weren't expecting.

Step Four :
Try SSH login without Password to node2 :

[root@node1 ~]# ssh root@
Last login: Sun Dec 13 14:03:20 2015 from www.ehowstuff.local

I hope this article gives you some ideas and quick guide on how to setup SSH login without password on Linux CentOS / RHEL.



How to Remove Banned IP from Fail2ban on CentOS 6 / CentOS 7

Remove Banned IP from Fail2ban

Fail2ban is an intrusion prevention software framework that able to protect your server from brute-force attacks. Fail2ban written in the Python programming language and is widely used by most of the VPS servers. Fail2ban will scan log files and IP blacklists that shows signs of malicious, too many password failures, web server exploitation, WordPress plugin attacks and other vulnerabilities. If you already installed and used fail2ban to protect your web server, you may be wondering how to find the IP banned or blocked by Fail2ban, or you may want to remove banned ip from fail2ban jail on CentOS 6, CentOS 7, RHEL 6, RHEL 7 and Oracle Linux 6/7.

How to List of Banned IP address

To see all the blocked ip addresses, run the following command :

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-AccessForbidden  tcp  --  anywhere             anywhere            tcp dpt:http
f2b-WPLogin  tcp  --  anywhere             anywhere            tcp dpt:http
f2b-ConnLimit  tcp  --  anywhere             anywhere            tcp dpt:http
f2b-ReqLimit  tcp  --  anywhere             anywhere            tcp dpt:http
f2b-NoAuthFailures  tcp  --  anywhere             anywhere            tcp dpt:http
f2b-SSH    tcp  --  anywhere             anywhere            tcp dpt:ssh
f2b-php-url-open  tcp  --  anywhere             anywhere            tcp dpt:http
f2b-nginx-http-auth  tcp  --  anywhere             anywhere            multiport dports http,https
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:EtherNet/IP-1
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-NoAuthFailures (1 references)
target     prot opt source               destination
REJECT     all  --         anywhere            reject-with icmp-port-unreachable
REJECT     all  --       anywhere            reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

How to Remove Banned IP from Fail2ban jail

# iptables -D f2b-NoAuthFailures -s banned_ip -j REJECT

I hope this article gives you some ideas and quick guide on remove banned IP from Fail2ban jail on on CentOS 6, CentOS 7, RHEL 6, RHEL 7 and Oracle Linux 6/7.