The technology blog that consist of technology updates, How-to Setup, Troubleshoot Problem, Fix Errors on Linux Server
It is best practice to remember passwords, but because too many passwords, sometimes we forget.
We are not encouraged to write the password on any paper or share the password via email. This can lead to more serious security issues. Continue reading “How to Reset the Directory Manager Password on RHEL 7 / CentOS 7”
This article will explain the steps to reset a lost root password or to reset forgotten root password on Linux RHEL 7 or CentOS 7.
Basically, the steps will adding a “rd.break” to the end of the line with kernel parameters in Grub to stops the start up process before the regular root filesystem is mounted, hence the necessity to chroot into sysroot. Continue reading “How to Reset Forgotten Root Password on Linux RHEL 7/CentOS 7”
UUID (Universally Unique IDentifier) should be unique and it is used to identify storage devices on a linux system.
If you cloned a virtual machine from vCenter, the metadata containing information of UUID for the filesystem will be identical for the original and cloned copy, therefore the UUID is no longer unique in /etc/fstab.
The following steps will show how to change UUID of linux partition on CentOS 7. Continue reading “How to Change UUID of Linux Partition on CentOS 7”
If you plan to run high traffic wordpress blog(wordpress nginx), i would suggest to run it in virtual private server (VPS) or dedicated server together with NGINX FastCGI Caching.
Besides the low memory consumption when using Nginx as a web server, it has a fast performance. When you combine Nginx and FastCGI Caching module, you will further enhance the performance of your web application, including a WordPress site.
This can be an alternative to NGINX + Varnish setup that uses caching technology to accelerate the performance of wordpress site. Continue reading “How to Setup WordPress Nginx with FastCGI Caching in CentOS 7”
A web server generally hosts the web content, and responds to requests for this content from web browsers such as Internet explorer, Google chrome and Firefox. The example of web server are apache web server, IIS web server, Nginx webserver and litespeed web server. Continue reading “How to Install and Setup Apache Web Server in Linux”
In this quick guide, i will show you how to install MYSQL on CentOS 7 / RHEL 7 / Oracle Linux 7 instead of MariaDB.
MariaDB is the default implementation of MySQL in Red Hat Enterprise Linux 7 (RHEL 7) or CentOS 7.
MariaDB is a community-developed fork of the MySQL database project, and provides a replacement for MySQL.
However, in some cases, you still need to install MySQL as your deployment database on you linux server.
1. Remove MariaDB installation :
If you server already have MariaDB database server installed, i would suggest you remove it first to avoid conflict.
# sudo yum remove mariadb-server -y
2. Download MySQL 5.7 repo file :
# wget https://dev.mysql.com/get/mysql57-community-release-el7-8.noarch.rpm
3. Install MySQL 5.7 repo file :
# sudo rpm -ivh mysql57-community-release-el7-8.noarch.rpm
4. Install MySQL 5.7 database server :
# sudo yum install mysql-server -y
5. How to Start MySQL server in linux :
# sudo systemctl start mysqld
6. Enable auto start at boot :
# sudo systemctl enable mysqld
7. At the initial start up of the MySQL database server, the following happens, given that the data directory of the server is empty:
a) The server is initialized.
b) An SSL certificate and key files are generated in the data directory.
c) The validate_password plugin is installed and enabled.
d) A superuser account ‘root’@’localhost is created. The initial root password created can be found in the error log file. You can get the password by issue the following command :
# sudo grep 'temporary password' /var/log/mysqld.log 2016-06-19T23:08:09.439963Z 1 [Note] A temporary password is generated for root@localhost: sj-mMM;o%6Ll
8. Harden MySQL Server
Run the mysql_secure_installation script to address several security concerns in a default MySQL installation.
You will be given the choice to change the MySQL root password, remove anonymous user accounts, disable root logins outside of localhost, and remove test databases. It is recommended that you answer yes to these options.
# sudo mysql_secure_installation Securing the MySQL server deployment. Enter password for user root: The 'validate_password' plugin is installed on the server. The subsequent steps will run with the existing configuration of the plugin. Using existing password for root. Estimated strength of the password: 50 Change the password for root ? ((Press y|Y for Yes, any other key for No) : yes New password: Re-enter new password: Estimated strength of the password: 50 Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : y By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? (Press y|Y for Yes, any other key for No) : y Success. Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? (Press y|Y for Yes, any other key for No) : no ... skipping. By default, MySQL comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y - Dropping test database... Success. - Removing privileges on test database... Success. Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y Success. All done!
Resource : http://dev.mysql.com/
389 Directory Server (previously Fedora Directory Server) is an open source enterprise class LDAP server for Linux. It is developed by Red Hat community-supported Fedora Project. The name 389 is derived from the port number for LDAP.
In this article we will guide you through the steps on how to install and setup 389 directory server on CentOS 7.
1. Turn off selinux :
vi /etc/sysconfig/selinux
Change SELINUX to disabled then reboot the server :
# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled # SELINUXTYPE= can take one of three two values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted
2. Perform basic performance and Security tuning for LDAP server :
# vi /etc/sysctl.conf
Add the following :
net.ipv4.tcp_keepalive_time = 300 net.ipv4.ip_local_port_range = 1024 65000 fs.file-max = 64000
# vi /etc/security/limits.conf
Add the following :
* soft nofile 524288 * hard nofile 524288
3. Reboot the server. This is to take effect the SELINUX and performance tuning setting :
# reboot
4. Install 389 directory packages :
# yum install https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-6.noarch.rpm # yum install 389-* -y
5. Create ldap user and set its password :
# useradd ldap # passwd ldap
6. Start 389 installation :
# setup-ds-admin.pl
==============================================================================
This program will set up the 389 Directory and Administration Servers.
It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
- Press "Enter" to choose the default and go to the next screen
- Type "Control-B" then "Enter" to go back to the previous screen
- Type "Control-C" to cancel the setup program
Would you like to continue with set up? [yes]:
==============================================================================
Your system has been scanned for potential problems, missing patches,
etc. The following output is a report of the items found that need to
be addressed before running this software in a production
environment.
389 Directory Server system tuning analysis version 23-FEBRUARY-2012.
NOTICE : System is x86_64-unknown-linux3.10.0-327.4.5.el7.x86_64 (2 processors).
Would you like to continue? [yes]:
==============================================================================
Choose a setup type:
1. Express
Allows you to quickly set up the servers using the most
common options and pre-defined defaults. Useful for quick
evaluation of the products.
2. Typical
Allows you to specify common defaults and options.
3. Custom
Allows you to specify more advanced options. This is
recommended for experienced server administrators only.
To accept the default shown in brackets, press the Enter key.
Choose a setup type [2]:
==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
.
Example: eros.example.com.
To accept the default shown in brackets, press the Enter key.
Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly. If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:
General.FullMachineName=your.hostname.domain.name
Computer name [centos72.ehowstuff.local]:
==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.
If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.
System User [nobody]: ldap
System Group [nobody]: ldap
==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers. If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server. To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
.(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).
If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.
Do you want to register this software with an existing
configuration directory server? [no]:
==============================================================================
Please enter the administrator ID for the configuration directory
server. This is the ID typically used to log in to the console. You
will also be prompted for the password.
Configuration directory server
administrator ID [admin]:
Password:
Password (confirm):
==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains. If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.
If you are not using administrative domains, press Enter to select the
default. Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.
Administration Domain [ehowstuff.local]:
==============================================================================
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.
Directory server network port [389]:
==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.
Directory server identifier [centos72]:
==============================================================================
The suffix is the root of your directory tree. The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.
Suffix [dc=ehowstuff, dc=local]:
==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.
Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):
==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.
Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.
Administration port [9830]:
==============================================================================
The interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.
Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'centos72' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
7. Start the dirsrv admin service and dirsrv instance :
# systemctl start dirsrv-admin # systemctl start dirsrv@centos72
8. Configure dirsrv admin service and all dirsrv instance auto start at boot :
# systemctl enable dirsrv.target && systemctl enable dirsrv-admin
9. Allow management and directory service ports :
# firewall-cmd --permanent --add-port=389/tcp # firewall-cmd --permanent --add-port=636/tcp # firewall-cmd --permanent --add-port=9830/tcp # firewall-cmd --reload
10. Verify all the allowed ports :
# firewall-cmd --list-all public (default, active) interfaces: ens160 sources: services: dhcpv6-client ssh ports: 389/tcp 9830/tcp 80/tcp 636/tcp masquerade: no forward-ports: icmp-blocks: rich rules:
11. Login to your 389 directory from console.
12. Your 389 directory administration console will look as below :
Munin is open source and free software for monitoring computer system, network monitoring and application infrastructure monitoring software. Munin offers monitoring and alerting for servers, switches, applications, and services.
Munin can help system administrators to analyze the trend of the computer system whether it is experiencing problems or not. It can be an easier alternative to the popular open-source software zabbix monitoring.
In this article, I will explain how you can monitor your linux CentOS with Munin and the simple steps to install and setup Munin on CentOS 7.
1. Enable or install the EPEL Repository into CentOS 7. Read more on how to Enable EPEL Repository on CentOS 7 / RHEL 7
2. Munin requires a web server to run. In this article, we will use apache. Install apache, Munin and Munin Node with yum command :
# yum install httpd munin munin-node -y
3. Start and enable apache and munin at boot.
# systemctl start httpd # systemctl enable httpd # systemctl start munin-node # systemctl enable munin-node
4. We want munin to use the name centos72.ehowstuff.local instead of localhost. Please open edit the setting in /etc/munin/munin.conf
# vim /etc/munin/munin.conf
Original :
[localhost]
address 127.0.0.1
use_node_name yes
Change to :
[centos72.ehowstuff.local]
address 127.0.0.1
use_node_name yes
5. You also have optional to change the munin node hostname :
# vim /etc/munin/munin-node.conf
Original :
host_name localhost.localdomain
Change to :
host_name centos72.ehowstuff.local
6. Next go to the Apache virtual host configuration file to add the permission to access your network.
# vim /etc/httpd/conf.d/munin.conf
Add network segment that you allow to access to the CentOS server.
AuthUserFile /etc/munin/munin-htpasswd AuthName "Munin" AuthType Basic require valid-user Order Deny,Allow Deny from all Allow from 127.0.0.1 192.168.0.0/24 .. ..
7. Munin statistics page shall be protected by a username and password. We can add the new user (admin) and password to /etc/munin/munin-htpasswd with htpasswd command line. So we have to setup basic Apache authentication before we can start access the munin statistic page.
# htpasswd /etc/munin/munin-htpasswd admin New password: Re-type new password: Adding password for user admin
8. Allow port 80 in the firewalld permanently. learn more how to configure Firewalld on CentOS 7.
a) Get default zone :
# firewall-cmd --get-active-zones public interfaces: ens160
b) Allow port 80 permanently in firewalld :
# firewall-cmd --permanent --zone=public --add-port=80/tcp success
c) reload the setting to take effect immediately :
# firewall-cmd --reload success
d) List all active firewalld configuration :
# firewall-cmd --list-all public (default, active) interfaces: ens160 sources: services: dhcpv6-client ssh ports: 80/tcp masquerade: no forward-ports: icmp-blocks: rich rules:
9. Try access munin statistic page from client.
http://192.168.0.14/munin
Many have asked me, did Zimbra Collaboration (ZCS) 8.6.0 Patch4 will include Patch1 to Patch3? Actually, if you read the release notes document, the answer is there. ZCS patches are cumulative, meaning ZCS 8.6.0 Patch4 includes ZCS 8.6.0 Patch3, ZCS 8.6.0 Patch2 and ZCS 8.6.0 Patch1. These patch release notes provide information about the Zimbra Collaboration (ZCS) 8.6.0 Patch4, including the enhancements, bug fixes, security fixes, considerations, Known issues, preparation before installing the Patch, step to install the patch, example of the Patch script and revision history information. This step to install zimbra patch has been tested on RHEL6, CentOS6, Oracle Linux 6, RHEL7, CentOS7 and Oracle Linux 7.
In release notes document (preparation before patch), one of the steps we need to take into consideration is to perform a full backup before applied any patch. This is because there is no automatic roll-back if anything goes wrong. If your environment is currently using VMware Vsphere, you can do a virtual machine snapshot before start installing any patch.
1. Before begin, you should get ready the following:
a) Zimbra Collaboration 8.6.0 GA installed (Tested in RHEL6/CentOS6/OL6/RHEL7/CentOS7/OL7)
# zmcontrol -v Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition.
b) Zimbra Collaboration 8.6.0 Patch4 TGZ file already downloaded.
2. Copy the patch.tgz file(s) to your server.
# ls | grep zcs-patch zcs-patch-8.6.0_GA_1182.tgz
3. Install Zimbra Collaboration 8.6.0 Patch4
a. Log in as root and cd to the directory where the tar file is saved. Type :
# tar xzvf zcs-patch-8.6.0_GA_1182.tgz # cd zcs-patch-8.6.0_GA_1182
b. Switch to user zimbra :
c. The ZCS mailbox service must be stopped to install the patch. Type the following command :
# zmmailboxdctl stop
d. As root, install the patch. Type
# ./installPatch.sh .. .. .. Updating files for package zimbra-core /opt/zimbra/lib/jars/zimbraclient.jar... copied. /opt/zimbra/lib/jars/zimbrastore.jar... copied. /opt/zimbra/conf/timezones.ics... copied. /opt/zimbra/lib/jars/zimbracommon.jar... copied. /opt/zimbra/libexec/zmfixperms... copied. /opt/zimbra/bin/zmtrainsa... copied. /opt/zimbra/lib/jars/zimbrasoap.jar... copied.
e. Switch to user zimbra
# su – zimbra
f. ZCS must be restarted to changes to take effect.
# zmcontrol restart
I hope this article gives you some ideas and quick guide on how to install Zimbra Patch on RHEL6, CentOS6, Oracle Linux 6, RHEL7, CentOS7 and Oracle Linux 7.
Most system administrators have applied linux login banner on their servers. The purpose of this linux login banner is to show some messages or warnings when ssh session connected and before entry. The message displayed in the linux login banner is dedicated either to the system administrator who wants to perform routine system maintenance or intruders who want to launch brute force attacks on the server.
To enable this in ssh you have to follow this simple steps:
1. Create a /etc/mybanner file and fill it with your desired message as below
# vi /etc/mybanner
Unauthorized access to this machine is prohibited Only authorized System Administrator can access to this system Press if you are not an authorized user
Save and Quit the mybanner file.
Optionally you can give warning as below if it is involved a server with highly confidential information:
This service is restricted to authorized System Administrator only. All activities on this system are logged. Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies.
2. Edit /etc/ssh/sshd_config, to look like this Banner /etc/mybanner
113 114 115 # default banner path 116 Banner /etc/mybanner 117 118
3. Restart sshd service sshd restart
4. Test your session
login as: root Unauthorized access to this machine is prohibited Only authorized System Administrator can access to this system Press if you are not an authorized user root@192.168.2.5's password:
I hope this article gives you some ideas and essential guidance on how to setup linux Login Banner on RHEL 7 / CentOS 7/ Oracle Linux 7
This article will explain and share how to add and remove user account with useradd(add) and userdel (remove) from the command-line on linux RHEL 6/7, CentOS 6/7, Oracle Linux 6/7 server.
1. Adding a New User to an Linux System.
a) Get the useradd manual :
# man useradd
useradd - create a new user or update default new user information
b) To creates the new account and the /home/john home directory :
# useradd --home /home/ehowstuff ehowstuff
c) useraddd command does not set any valid password by default, and user cannot log in until a password is set.To set the password user the following command :
# passwd ehowstuff Changing password for user ehowstuff. New password: Retype new password: passwd: all authentication tokens updated successfully.
d) Verify the values in /etc/password :
# cat /etc/passwd | grep ehowstuff ehowstuff:x:501:501::/home/ehowstuff:/bin/bash
e) Verify the values in /etc/group :
# cat /etc/group | grep ehowstuff ehowstuff:x:501:
f) Verify email user created for id ehowstuff :
# ls /var/spool/mail | grep ehowstuff ehowstuff
More useradd options :
-c, –comment COMMENT
Add a value, such as a full name, to the GECOS field.
-g, –gid GROUP
Specify the primary group for the user account.
-G, –groups GROUPS
Specify a list if supplementary groups for the user account.
-a, –append
Used with the -G option to append the user to the supplemental groups mentioned without removing the user from other groups.
-d, –home HOME_DIR
Specify a new home directory to a new location. Must be used with the -d option.
-m, –move-home
Move a user home directory to a new location. Must be used with the -d option.
-s, –shell SHELL
Specify a new login shell for the user account.
-L, –lock
Lock a user account.
-U, –unlock
Unlock a user account.
2. Deleting a User from an Linux System.
a) Get userdel manual :
# man userdel
userdel - delete a user account and related files
b) userdel username removes the user from /etc/passwd, but leaves the home directory intact by default. Proper command to remove the user’s account, user’s home directory and mail spool as part of the deletion process :
# userdel --remove ehowstuff
or
# userdel -r ehowstuff
Warning :
When a user is removed with userdel without the -r option specified, the system will have files that are owned by an unassigned user ID number. This can also happen when files created by a deleted user exist outside their home directory. This situation can lead to information leakage and other security issues.
This post assume that you have just finished the Gnome GUI installation on CentOS 7 by using “yum groupinstall “GNOME Desktop” “Graphical Administration Tools” -y” command. Previously you are running a minimum CentOS 7, only with command line via terminal. But after you reboot the server you get the following screen.
Initial setup of CentOS Linux 7 (core) 1) [x] Creat user 2) [!] License information (no user will be created) (license not accepted) Please make your choice from above ['q' to quit | 'c' to continue | 'r' to refresh]:
To fix the issue, you have to perform the following :
a) Press 1
b) Press 2 in order to change [ ] to [x] in front of 2) I accept the license agreement
c) Press q
d) Accept license menu does not prompt anymore at boot.
