2007/07/17

Upgrade from FC4 to FC7

I had one server that needed to be upgraded from FC4 to FC7. I did the DVD upgrade version by version, that is FC4 > FC5, then FC5 > FC6 followed by FC6 > FC7.

At FC5, sendmail failed to start due to some changes in shared objects. This could be remedied by "yum install sendmail". Another process that failed was httpd. As I still had several upgrades to go, I decided not to fix this yet.

The upgrades from FC5 > FC6 > FC7 were smooth and easy. Originally, in FC4, my httpd was serving static pages with no php or other added modules. At FC7, when httpd started, the first error was:

Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax error on line 10 of /etc/httpd/conf.d/perl.conf: API module structure `perl_module' in file /etc/httpd/modules/mod_perl.so is garbled - perhaps this is not an Apache module DSO?

I figured out this could be solved by yum install mod_perl.

Afterward, another failure appeared:

Syntax error on line 6 of /etc/httpd/conf.d/php.conf:
Cannot load /etc/httpd/modules/libphp5.so into server: /usr/lib/libcurl.so.3

This could be due to the lack of php. The working solution was yum install php.

Just when I thought the problems had been cleared, another one came up:

Cannot load /etc/httpd/modules/mod_python.so into server: /etc/httpd/modules/mod_python.so:

The error actually prompted me to do a "yum install mod_python".

The last error was as follows:

Cannot load /etc/httpd/modules/mod_ssl.so into server: /etc/httpd/modules/mod_ssl.so: cannot open shared object file: No such file or directory.

This said I had to add mod_ssl to Apache. I did a yum install mod_ssl.

Finally, httpd 2.2.4 started running on FC7. The whole fault-finding process was full of pain.

2007/07/15

My First Touch on Shorewall

Last week, I performed the installation and configuration of Shorewall on Fedora Core 6. I made a host-based firewall, which some people call a one-interface firewall. No difficulties were encountered, and the documentation gave sufficient details for me to understand.

I tried to compare the functions of FC6's default iptables-based firewall with Shorewall. For stateful packet inspection of incoming packets, both are more or less the same. However, Shorewall offers the additional functions of whitelists, blacklists and limiting the rate of incoming packets. There is no doubt that Shorewall is a perfect choice for people who find it difficult to learn and write iptables scripts.

2007/07/10

An Old Unix Proverb

"He who has never hacked sendmail.cf has no soul;

he who has hacked sendmail.cf more than once has no brain."

2007/07/08

zen.spamhaus.org

Spamhaus has combined the SBL, XBL and PBL blocklists into one single, powerful and comprehensive DNSBL called the Zen blocklist, to make querying faster and simpler. As advised by Spamhaus, I have changed the settings in my server to query Zen instead of SBL and XBL.

There is an interesting story behind the name "Zen". Zen was a guard dog, and for many years it guarded Spamhaus's base in England. After lending its name to the most powerful DNSBL, Zen now guards our networks and customers.

2007/07/07

FTP test

I connected to an FTP server and uploaded all files in a directory by means of mget *.*. Which file would be uploaded first? At first, I thought the file upload sequence would be in alphabetical order of file names. This is wrong. The upload sequence was in accordance with the date and time of the files.

This is an interesting fact re-discovered. I should have learnt it some time ago.

2007/07/02

Fail2ban

Every system administrator is sick of brute force attacks on sshd and ftp daemons. There can be hundreds of thousands of attempts to log in with random names and guessed passwords. Changing the default listening port numbers will not help, as nmap can scan and pinpoint a particular service on a non-standard port.

This is what I had suffered in the past 5 years. With the help of fail2ban, it is time to say no to brute force attacks. Fail2ban extracts offending IP addresses from system log files and passes them to iptables, which denies them further access. Here is my fail2ban log after it detected 5 FTP brute force attempts and then banned the IP address.

2007-07-02 20:07:28,345 WARNING: Restoring firewall rules...
2007-07-02 20:08:13,773 WARNING: vsFTPD: Ban 219.77.22.254
2007-07-02 20:18:14,735 WARNING: vsFTPD: Unban 219.77.22.254

The default config bans an offending IP address for 600 seconds and then releases it. System administrators can change the config to ban offending IP addresses permanently.

This is one of the security tools highly recommended by me.
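As an added illustration (not code from the original post or from fail2ban itself), the following Python script replays vsftpd-style log lines with the thresholds described above (5 failures trigger a ban, lifted 600 seconds later) and produces the same kind of Ban/Unban events shown in the fail2ban log. The log lines, the 192.0.2.x / 198.51.100.x clients and the 600-second detection window (findtime) are my own constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed vsftpd-style lines: 219.77.22.254 is the address from the post;
# the 192.0.2.x / 198.51.100.x clients are made-up documentation addresses.
SAMPLE_LOG = """\
Mon Jul  2 20:07:40 2007 [pid 3101] [ftp] FAIL LOGIN: Client "219.77.22.254"
Mon Jul  2 20:07:45 2007 [pid 3101] [ftp] FAIL LOGIN: Client "219.77.22.254"
Mon Jul  2 20:07:50 2007 [pid 3101] [ftp] OK LOGIN: Client "192.0.2.10"
Mon Jul  2 20:07:55 2007 [pid 3101] [ftp] FAIL LOGIN: Client "219.77.22.254"
Mon Jul  2 20:08:02 2007 [pid 3101] [ftp] FAIL LOGIN: Client "219.77.22.254"
Mon Jul  2 20:08:05 2007 [pid 3101] [ftp] FAIL LOGIN: Client "198.51.100.7"
Mon Jul  2 20:08:13 2007 [pid 3101] [ftp] FAIL LOGIN: Client "219.77.22.254"
Mon Jul  2 20:09:00 2007 [pid 3101] [ftp] FAIL LOGIN: Client "219.77.22.254"
Mon Jul  2 20:20:00 2007 [pid 3101] [ftp] FAIL LOGIN: Client "198.51.100.7"
"""

# Only failed logins count; the prefix is vsftpd's asctime-style timestamp.
FAIL_RE = re.compile(r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) .*'
                     r'FAIL LOGIN: Client "(?P<ip>[\d.]+)"')

def scan(lines, maxretry=5, findtime=600, bantime=600):
    """Replay log lines in order; return (time, action, ip) ban/unban events."""
    failures, banned, events = {}, {}, []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        ip = m.group("ip")
        for b_ip, expiry in list(banned.items()):   # lift expired bans first
            if ts >= expiry:
                events.append((expiry, "Unban", b_ip))
                del banned[b_ip]
        if ip in banned:                            # already dropped by iptables
            continue
        recent = [t for t in failures.get(ip, ()) if (ts - t).total_seconds() <= findtime]
        recent.append(ts)
        failures[ip] = recent
        if len(recent) >= maxretry:                 # maxretry failures within findtime
            events.append((ts, "Ban", ip))
            banned[ip] = ts + timedelta(seconds=bantime)   # released bantime s later
            failures[ip] = []
    # Bans still active at the end of the input are reported at their future expiry.
    events.extend((exp, "Unban", b_ip) for b_ip, exp in banned.items())
    return events

if __name__ == "__main__":
    for when, action, ip in scan(SAMPLE_LOG.splitlines()):
        print(f"{when} WARNING: vsFTPD: {action} {ip}")
```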