To prevent an apt package from auto updating

Using apt

you can hold a package using

sudo apt-mark hold package_name

and remove the hold with

sudo apt-mark unhold package_name

Posted in Linux | Comments Off on To prevent an apt package from auto updating

Preventing access to a website from specific IP addresses with Deny/Allow

Configure the Virtual Host as follows:

Order Deny,Allow
Deny from all
Allow from 11.211.0.0/15
Allow from 12.212.0.0/15
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/web/.htpasswd
Require valid-user
Satisfy all

Create the password file, adding the first user, with the following command (-c creates the file; you will be prompted for the password):

htpasswd -c /home/web/.htpasswd username

Another option:

1. Type the following text into your VirtualHost file:

Order Allow,Deny
Allow from all
Deny from [Enter IP address here]

2. Save the file.

Alternatively, you may limit the rule to a directory by wrapping it in a Directory block:

<Directory "[Enter directory path here]">
Order Allow,Deny
Allow from all
Deny from [Enter IP address here]
</Directory>
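The Order/Deny/Allow directives above come from Apache 2.2's mod_access (in Apache 2.4 they are provided by mod_access_compat and Require ip is the replacement), and the evaluation order is a common source of mistakes. The following added example, which is neither the post's nor Apache's code, models the semantics of both rule sets in the post so a rule set can be checked against a client address before it is deployed; the 203.0.113.7 address is a constructed placeholder for the post's "[Enter IP address here]".

```python
"""Evaluate Apache 2.2 mod_access "Order/Deny/Allow" host rules for a client IP.

Hypothetical helper, not part of the original post or of Apache.
"""
import ipaddress


def _parse_net(rule):
    """Turn an 'Allow from' / 'Deny from' argument into a network, or None for 'all'.

    strict=False masks host bits the way Apache does: the post's 11.211.0.0/15
    is stored as 11.210.0.0/15, so 11.210.x.x clients match it as well.
    Partial-address forms such as '10.1' are not handled here.
    """
    if rule.strip().lower() == "all":
        return None
    return ipaddress.ip_network(rule.strip(), strict=False)


def _matches(client, rules):
    """True if the client address matches any rule in the list."""
    addr = ipaddress.ip_address(client)
    for rule in rules:
        net = _parse_net(rule)
        if net is None or (addr.version == net.version and addr in net):
            return True
    return False


def host_allowed(order, allow, deny, client):
    """Apply Apache 2.2 Order semantics and return True if the client passes.

    Order Deny,Allow: Deny rules first, an Allow match overrides them,
                      unmatched clients are allowed.
    Order Allow,Deny: Allow rules first (one must match), a Deny match
                      overrides them, unmatched clients are denied.
    """
    allowed = _matches(client, allow)
    denied = _matches(client, deny)
    normalized = order.replace(" ", "").lower()
    if normalized == "deny,allow":
        return allowed or not denied
    if normalized == "allow,deny":
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order!r}")


# The two rule sets from the post (203.0.113.7 is a constructed placeholder).
ALLOW_ONLY = dict(order="Deny,Allow", deny=["all"],
                  allow=["11.211.0.0/15", "12.212.0.0/15"])
BLOCK_LIST = dict(order="Allow,Deny", allow=["all"], deny=["203.0.113.7"])


if __name__ == "__main__":
    for ip in ("11.211.5.5", "11.210.1.1", "8.8.8.8"):
        print("allow-only:", ip, host_allowed(client=ip, **ALLOW_ONLY))
    for ip in ("203.0.113.7", "198.51.100.1"):
        print("block-list:", ip, host_allowed(client=ip, **BLOCK_LIST))
    # Common mistake: under Deny,Allow an "Allow from all" overrides every Deny,
    # so the blocked address gets through.
    print("mistake:", host_allowed("Deny,Allow", ["all"], ["203.0.113.7"], "203.0.113.7"))
```

The last line shows why the second rule set in the post uses Order Allow,Deny: with Order Deny,Allow plus Allow from all, a Deny for a single address never takes effect.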


Password Protecting a web site

Add the following to .htaccess:

CentOS:

AuthType Basic
AuthName "Restricted"
AuthUserFile /etc/httpd/htaccess-pass
Require valid-user
#Order deny,allow
#Deny from All
#Satisfy any

Create the file as follows (-c creates it):

htpasswd -c /etc/httpd/htaccess-pass username

You will then be prompted for a password.

Ubuntu:

AuthType Basic
AuthName "Restricted"
AuthUserFile /etc/apache2/htaccess-pass
Require valid-user
#Order deny,allow
#Deny from All
#Satisfy any

Create the file as follows (-c creates it):

htpasswd -c /etc/apache2/htaccess-pass username

You will then be prompted for a password.


Useful netstat commands

To show which IP addresses are currently connected to your server:
netstat -nt
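netstat -nt prints TCP connections with numeric addresses, one line per socket, which is hard to read on a busy server. The following added example (not from the post) parses that output and groups connections by remote address and TCP state, which is the usual way to spot a single host holding many connections or many half-open SYN_RECV sockets; the SAMPLE output is constructed.

```python
"""Aggregate `netstat -nt` output by remote address (added example, constructed sample)."""
from collections import Counter, defaultdict

# Constructed netstat -nt output; addresses are documentation ranges.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:443        198.51.100.23:51234     ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.23:51235     ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.77:40001        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.77:40002        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.77:40003        SYN_RECV
tcp        0      0 203.0.113.10:22         198.51.100.5:55120      ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8:1::7:33012     TIME_WAIT
"""


def split_addr(field):
    """Split 'host:port' into (host, port).  The port follows the last colon,
    so this also works for IPv6 forms such as 2001:db8::10:443."""
    host, _, port = field.rpartition(":")
    return host, int(port)


def parse_netstat(text):
    """Yield (proto, local_host, local_port, remote_host, remote_port, state)
    for each tcp/tcp6 line; the header and non-TCP lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        lhost, lport = split_addr(fields[3])
        rhost, rport = split_addr(fields[4])
        yield fields[0], lhost, lport, rhost, rport, fields[5]


def connections_by_remote(text):
    """Map remote host -> Counter of TCP states."""
    by_remote = defaultdict(Counter)
    for _, _, _, rhost, _, state in parse_netstat(text):
        by_remote[rhost][state] += 1
    return dict(by_remote)


def top_remotes(text, n=5, states=None):
    """Remote hosts ranked by connection count, optionally restricted to a set
    of states (e.g. {"SYN_RECV"} to rank hosts by half-open connections)."""
    totals = Counter()
    for _, _, _, rhost, _, state in parse_netstat(text):
        if states is None or state in states:
            totals[rhost] += 1
    return totals.most_common(n)


if __name__ == "__main__":
    for host, states in connections_by_remote(SAMPLE).items():
        print(host, dict(states))
    print("most half-open:", top_remotes(SAMPLE, states={"SYN_RECV"}))
```

On a live system, feed it the real output instead of SAMPLE, for example subprocess.run(["netstat", "-nt"], capture_output=True, text=True).stdout.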


Connecting to an external MySQL server through an SSH tunnel

Scenario: You’re at home, and you want to connect to a mysql server on the other side of a firewall. There is a machine with ssh open on it that you can use as a gateway.

1. On your home machine:

ssh -L 3307:domain.name.of.mysqlserver:3306 username@domain.name.of.gatewayserver

This will open a tunnel, listening on localhost:3307 and forwarding everything to mysqlserver:3306, and doing it all via the ssh service on the gateway machine.

This example shows us specifying port 3307 on the local end of the tunnel; I did this because I run a MySQL server on my home machine, so I can't re-use the default MySQL port.

You'll now have a terminal open on the gateway machine, but you don't need it for this procedure, so set it aside.

2. Now, on your local machine, execute a mysql connection like so:

mysql -u username -p -h 127.0.0.1 -P 3307 databasename

In other words, mysql thinks it's connecting to localhost, but on a different port. In fact, the connection is being made securely to the remote mysql server, via the gateway machine and the local "mouth" of the ssh tunnel on your own machine.

3. When you're finished with your mysql session, log out of the session on the gateway machine. That will properly close the tunnel.
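The following added example (not from the post) wraps the three steps above in a few helpers: it checks whether the preferred local port is already taken (the post's reason for choosing 3307 over 3306), and builds the ssh and mysql command lines. It adds -N, which skips the remote shell the post says you do not need, and binds the local end explicitly to 127.0.0.1 so the forwarded port stays on loopback even if GatewayPorts is enabled in the client configuration. The hostnames are the post's placeholders.

```python
"""Helpers for the MySQL-over-SSH tunnel procedure (added example, not from the post)."""
import socket


def port_in_use(port, host="127.0.0.1"):
    """True if something already accepts connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(0.5)
        return sock.connect_ex((host, port)) == 0


def pick_local_port(preferred=3306, alternatives=(3307, 3308)):
    """Return the first free port among preferred and the alternatives.

    This is the post's situation: a local MySQL occupies 3306, so the tunnel
    has to listen on 3307 instead."""
    for port in (preferred, *alternatives):
        if not port_in_use(port):
            return port
    raise RuntimeError("no free local port for the tunnel")


def tunnel_command(local_port, mysql_host, gateway, mysql_port=3306):
    """ssh argv for step 1.  -N: no remote shell; explicit 127.0.0.1 bind:
    the forwarded port is reachable only from this machine."""
    forward = f"127.0.0.1:{local_port}:{mysql_host}:{mysql_port}"
    return ["ssh", "-N", "-L", forward, gateway]


def mysql_command(local_port, user, database):
    """mysql argv for step 2, pointing at the local end of the tunnel."""
    return ["mysql", "-u", user, "-p", "-h", "127.0.0.1",
            "-P", str(local_port), database]


if __name__ == "__main__":
    port = pick_local_port()
    print(" ".join(tunnel_command(port, "domain.name.of.mysqlserver",
                                  "username@domain.name.of.gatewayserver")))
    print(" ".join(mysql_command(port, "username", "databasename")))
```

Because -N gives no shell, the tunnel in this form is closed with Ctrl-C (or by terminating the ssh process) rather than by logging out as in step 3.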

Rsync Commands

rsync -avnh source target

# Sync to a remote system as user over ssh, compressing the transfer and without crossing filesystem boundaries
rsync -avzx -e ssh /var/www/ user@remote_host:/var/www/

# Same, but skip files that are newer on the remote server
rsync -avzxu -e ssh /var/www/ user@remote_host:/var/www/

# Pushing files with rsync
rsync -a ~/dir1 user@remote_host:/var/www/

# Pulling files with rsync
rsync -a user@remote_host:/home/user/dir1 /var/www

# To see which files need to be synced (dry run):
rsync -n --dry-run -av /var/www/vhosts/domain.com/. remote_host:/var/www/vhosts/domain.com/.

-a = archive, which basically means use recursion and preserve symbolic links, devices, attributes, permissions, ownerships, etc. (not hard links)
-v = verbose
-z = compression
-n = dry run
-h = human readable
-P = progress bar for the transfers and allows you to resume interrupted transfers
-u = skip files that are newer on the receiver
--delete = allows deletions from the destination if not in source
--dry-run = same as -n
--exclude=pattern_to_exclude = excludes items matching the pattern (good practice to run with --dry-run first to be sure)

* By default, rsync does not delete anything from the destination directory.
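The -u and --delete behaviours above are the two that most often surprise people, so the following added example (not from the post, and not rsync's code) reproduces what rsync -a [-u] [--delete] -n would decide for two directory trees, using rsync's default quick check (a file is transferred when size or mtime differ). demo() builds a constructed tree in temporary directories: one file only on the sender, one that is newer on the receiver, one only on the receiver.

```python
"""Dry-run planner mimicking rsync -a [-u] [--delete] -n (added example)."""
import os
import shutil
import tempfile


def _snapshot(root):
    """Relative path -> (size, mtime) for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            out[os.path.relpath(full, root)] = (st.st_size, int(st.st_mtime))
    return out


def plan_sync(src, dst, update=False, delete=False):
    """Return (to_copy, to_delete) as sorted relative paths.

    A file is copied when it is missing on the receiver or when size or mtime
    differ.  update=True (-u) leaves files that are newer on the receiver
    alone.  delete=True (--delete) lists receiver files absent on the sender;
    without it, as with rsync, nothing is ever removed from the destination.
    """
    sender, receiver = _snapshot(src), _snapshot(dst)
    to_copy = []
    for rel, (size, mtime) in sorted(sender.items()):
        if rel not in receiver:
            to_copy.append(rel)
            continue
        r_size, r_mtime = receiver[rel]
        if (size, mtime) == (r_size, r_mtime):
            continue                      # quick check says unchanged
        if update and r_mtime > mtime:
            continue                      # -u: receiver copy is newer, keep it
        to_copy.append(rel)
    to_delete = sorted(rel for rel in receiver if rel not in sender) if delete else []
    return to_copy, to_delete


def _write(path, content, mtime):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)
    os.utime(path, (mtime, mtime))


def demo():
    """Constructed tree; returns the plan for three option sets."""
    base = tempfile.mkdtemp()
    src, dst = os.path.join(base, "src"), os.path.join(base, "dst")
    try:
        _write(os.path.join(src, "a.txt"), "new file", 1_000_000)
        _write(os.path.join(src, "b.txt"), "sender copy", 2_000_000)
        _write(os.path.join(dst, "b.txt"), "receiver copy, edited later", 3_000_000)
        _write(os.path.join(dst, "c.txt"), "stale", 1_000_000)
        return {
            "-a": plan_sync(src, dst),
            "-au": plan_sync(src, dst, update=True),
            "-a --delete": plan_sync(src, dst, delete=True),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for opts, (copy, remove) in demo().items():
        print(f"{opts:12} copy={copy} delete={remove}")
```

One thing the planner does not model is the trailing slash in the push/pull commands above: rsync -a ~/dir1 host:/var/www/ creates /var/www/dir1 on the remote side, while rsync -a ~/dir1/ host:/var/www/ copies the contents of dir1 directly into /var/www/.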

Using grub

It is relatively easy to boot GNU/Linux from GRUB, because it somewhat resembles booting a Multiboot-compliant OS.

Set GRUB's root device to the same drive as GNU/Linux's. The command search --set=root --file /vmlinuz or similar may help you (see search).
Load the kernel using the command linux (see linux):

grub> linux /vmlinuz root=/dev/sda1

If you need to specify some kernel parameters, just append them to the command. For example, to set acpi to ‘off’, do this:

grub> linux /vmlinuz root=/dev/sda1 acpi=off

See the documentation in the Linux source tree for complete information on the available options.

With linux, GRUB uses the 32-bit boot protocol. Some BIOS services like APM or EDD aren't available with this protocol; in that case you need to use linux16:

grub> linux16 /vmlinuz root=/dev/sda1 acpi=off

If you use an initrd, execute the command initrd (see initrd) after linux:

grub> initrd /initrd

If you used linux16 you need to use initrd16:

grub> initrd16 /initrd

Finally, run the command boot (see boot).

**Totally stolen from http://www.gnu.org/software/grub/manual/grub.html#Loading-an-operating-system-directly


Stuff to review

http://www.codinghorror.com/blog/2007/10/a-visual-explanation-of-sql-joins.html

rpm -V output:
S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mismatch
L readlink(2) path mismatch
U User ownership differs
G Group ownership differs
T mtime differs
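The following added example (not from the post) is a parser for rpm -V output that expands the flag letters listed above and picks out the lines worth a second look during an integrity check: a changed digest, mode or owner on a non-config binary is the kind of finding that should be compared against a known-good package before anything else. The SAMPLE output is constructed; the P (capabilities) flag is printed by newer rpm versions and is included beyond the post's list.

```python
"""Parse `rpm -V` output and triage it (added example, constructed sample)."""

FLAGS = {
    "S": "file size differs",
    "M": "mode differs (permissions and file type)",
    "5": "MD5/digest differs",
    "D": "device major/minor number mismatch",
    "L": "readlink(2) path mismatch",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mtime differs",
    "P": "capabilities differ",   # newer rpm versions only
}

# Attribute markers rpm prints between the flags and the path.
ATTRS = {"c": "config", "d": "documentation", "g": "ghost",
         "l": "license", "r": "readme"}

# Constructed rpm -V output.
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/sudo
..5....T.    /usr/bin/ps
missing    d /usr/share/doc/foo/README
.......T.  c /etc/sysconfig/bar
"""


def parse_rpm_verify(text):
    """Return a list of dicts with path, attr, flags (letters) and missing."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, _, rest = line.partition(" ")
        rest = rest.strip()
        attr = ""
        if len(rest) > 2 and rest[0] in ATTRS and rest[1] == " ":
            attr, rest = rest[0], rest[2:].strip()
        if head == "missing":
            records.append({"path": rest, "attr": attr, "flags": [], "missing": True})
            continue
        # "." means the test passed; "?" means rpm could not run that test.
        flags = [ch for ch in head if ch not in ".?"]
        records.append({"path": rest, "attr": attr, "flags": flags, "missing": False})
    return records


def describe(record):
    """Human-readable meanings of a record's flags."""
    return [FLAGS.get(f, f"unknown flag {f}") for f in record["flags"]]


def suspicious(records):
    """Paths of non-config, non-doc files whose content, mode or ownership
    changed, or which are missing.  Edited config files are expected on a
    managed host; a changed /usr/bin binary is not."""
    content_changes = set("SM5UGLP")
    out = []
    for rec in records:
        if rec["attr"] in ("c", "d"):
            continue
        if rec["missing"] or content_changes & set(rec["flags"]):
            out.append(rec["path"])
    return out


if __name__ == "__main__":
    recs = parse_rpm_verify(SAMPLE)
    for rec in recs:
        print(rec["path"], "MISSING" if rec["missing"] else describe(rec))
    print("investigate:", suspicious(recs))
```

In practice the input comes from rpm -Va (all packages) and the suspicious list is what gets compared against the package's original files with rpm2cpio or a clean reference host.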


Best Practices for WordPress sites

Best practice from my experience when it comes to WordPress and permissions is:
• Owner: SFTP/site user
• Group: apache
• Directory Permissions: 02775 (drwxrwsr-x)
• File Permissions: 0664 (-rw-rw-r--)
• Directory ACLs: default:user:siteUser:rwx, default:user:apache:rwx, user:siteUser:rwx, user:apache:rwx
• File ACLs: user:siteUser:rw-, user:apache:rw-

The following lines added to wp-config.php help as well. Setting FS_METHOD to 'direct' will allow you to update any part of the WordPress installation from within the control panel without having to log in manually:

define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 02775);
define('FS_CHMOD_FILE', 0664);

The reason for the ACLs is that new files are created with a umask of 0022 on CentOS 5 when using SFTP (SSH FTP), so Apache would otherwise slowly lose write access to these files as you created new ones via SFTP. This is also the optimum configuration for allowing WordPress to update itself via the control panel. If that is unnecessary or undesired, you can remove the group write and ACL write fields for Apache on files and directories that should not be able to be modified by the PHP code.
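A policy like the one above drifts as files are uploaded, edited over SFTP and touched by plugins, so it is worth checking regularly. The following added example (not from the post, not WordPress code) walks a tree and reports every entry that deviates from the 02775/0664 policy, treating world-writable entries separately because they are the case that lets any local user or process alter the site. Owner and group checks are optional, since a test tree cannot be chowned; demo() builds a constructed tree in a temporary directory.

```python
"""Audit a WordPress tree against the permission policy (added example)."""
import os
import shutil
import stat
import tempfile


def audit_tree(root, dir_mode=0o2775, file_mode=0o664, uid=None, gid=None):
    """Return sorted (relative path, problem) pairs for entries off policy.

    uid/gid are checked only when given.  Symbolic links are skipped because
    their own mode bits are meaningless.
    """
    findings = []

    def check(path, expected):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return
        rel = os.path.relpath(path, root)
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o002:
            findings.append((rel, f"world-writable ({mode:04o})"))
        elif mode != expected:
            findings.append((rel, f"mode {mode:04o}, expected {expected:04o}"))
        if uid is not None and st.st_uid != uid:
            findings.append((rel, f"owner uid {st.st_uid}, expected {uid}"))
        if gid is not None and st.st_gid != gid:
            findings.append((rel, f"group gid {st.st_gid}, expected {gid}"))

    check(root, dir_mode)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            check(os.path.join(dirpath, name), dir_mode)
        for name in filenames:
            check(os.path.join(dirpath, name), file_mode)
    return sorted(findings)


def _make(path, mode, is_dir):
    """Create a file or directory and set its mode exactly (chmod ignores umask)."""
    if is_dir:
        os.makedirs(path, exist_ok=True)
    else:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    os.chmod(path, mode)


def demo():
    """Constructed tree: one file lost group write, one directory and one
    file are world-writable, the rest is on policy."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "site")
    try:
        _make(root, 0o2775, True)
        _make(os.path.join(root, "wp-content"), 0o2775, True)
        _make(os.path.join(root, "wp-content", "uploads"), 0o777, True)
        _make(os.path.join(root, "wp-config.php"), 0o664, False)
        _make(os.path.join(root, "index.php"), 0o644, False)
        _make(os.path.join(root, "wp-content", "uploads", "upload.txt"), 0o666, False)
        return audit_tree(root)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
```

For a real site pass the SFTP user's uid and the apache gid (from pwd.getpwnam / grp.getgrnam) so ownership drift is reported too; the ACL entries from the post are not visible through stat and would need the getfacl output checked separately.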

The allow_url_fopen option does not need to be set to enabled for fopen()s on files, by the way. Only if you need to do something along the lines of fopen(http://…) to pull in a resource from another site (and this is strongly deprecated as it builds a dependency on that other resource that can cause timeouts in rendering your page if the site that resource exists on goes down or such.)


Verifying port 443

openssl s_client -connect localhost:443

CONNECTED(00000003)
4504:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:
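That "unknown protocol" error means something answered on port 443, but not with a TLS ServerHello: the listener is speaking plaintext (typically a VirtualHost on 443 without SSLEngine on). The following added example (not from the post) does the same check from Python and distinguishes a working TLS listener from a plaintext service, a closed port and a silent one; demo() starts a constructed plaintext listener on loopback to show the failure case the post hit.

```python
"""Probe a port to see whether it speaks TLS (added example, constructed listener)."""
import socket
import ssl
import threading


def probe_tls(host, port, timeout=3.0):
    """Return 'tls:<version>', 'not-tls', 'refused', 'timeout' or 'error:<type>'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we ask "is this TLS?", not "is the cert valid?"
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls:" + tls.version()
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except ssl.SSLError:
        # The peer answered, but not with a TLS handshake: plaintext HTTP,
        # SSH or anything else on the port ends up here, as s_client's
        # "unknown protocol" does.
        return "not-tls"
    except OSError as exc:
        return "error:" + type(exc).__name__


def _plaintext_server(sock):
    """Accept one client, ignore its ClientHello, answer like a plain web server."""
    conn, _ = sock.accept()
    with conn:
        conn.recv(4096)
        conn.sendall(b"HTTP/1.0 400 Bad Request\r\nConnection: close\r\n\r\n")


def demo():
    """Probe a constructed plaintext listener and a closed port on loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    worker = threading.Thread(target=_plaintext_server, args=(srv,), daemon=True)
    worker.start()
    plaintext = probe_tls("127.0.0.1", port)
    worker.join(5)
    srv.close()

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    free_port = spare.getsockname()[1]
    spare.close()                       # nothing listens here any more
    return {"plaintext": plaintext, "closed": probe_tls("127.0.0.1", free_port)}


if __name__ == "__main__":
    print(demo())
    print("localhost:443 ->", probe_tls("localhost", 443))
```

Against a correctly configured server probe_tls returns a string such as tls:TLSv1.3; certificate validation is deliberately off here, so a tls: result says only that the port speaks TLS, not that the certificate is trusted.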
