Wednesday, June 30, 2010

LPIC-2 Certified!

Today I officially became LPIC2 certified!
Both exams (117-201&117-202) were not as hard as I expected, still challenging though.
My best advice for people who planning to take the tests in the future is PRACTICE!
Build your own Linux environment of different distro's, install, configure and explore in depth.
Only by practical experience you will understand how things really work.

Some good sources I used for my studying:

Awesome in-depth tutorials focused on LPIC 2 Test (material was re-newed in 2010):

LPI Tutorials by IBM (offering tutorials for all 3 levels).

Saturday, June 19, 2010

Block domains with SQUID

Squid is one of the most popular proxy servers for Linux out there, it offers loads of features making it an excellent choice for organizations wanting to implement traffic policies.
With squid you can block content based on different criterias, also you can cache web content - this is another huge advantage because it helps to minimize WAN traffic. Many ISP's implement this feature to save valuable B/W to abroad.

In this example I will show you one of the most basic features - how to block domains using squid, perhaps I'll add more in the future, so let's start:

The main squid config file is:/etc/squid/squid.conf
The file consists of access lists & rules, it's very well documented and even contains some good examples. Generally, when creating a rule in Squid we need to stick for the following 3 steps:

1 - First we need to make an ACL for the subnet / range we want to block the URL from.

2 - Then, make an ACL for the URLs we want to block.

3 - Finally, create an "http_access deny" rule using those two ACLs.


Let's say we want to deny facebook.com in our organization. The following configuration would deny anybody in the 192.168.0.0/24 subnet access to facebook.com
acl banned_clients src 192.168.0.0/255.255.255.0
acl blocked_url dstdomain .facebook.com
http_access deny banned_clients blocked_url

So when a user tries to access facebook.com from 192.168.0.0/24 range he will get:

Thursday, June 17, 2010

Change MTU size in Linux

Maximum Transmission Unit(MTU), the largest physical packet size, measured in bytes, that a network can transmit. Any messages larger than the MTU are divided into smaller packets before being sent .
By optimizing the MTU setting you can gain substantial network performance.
In IPv4 the values range between 576 and 1500 bytes being the max size.

The general syntax is: ifconfig "interface" mtu "size"

For example:ifconfig eth0 mtu 1420


Will change MTU to 1420 bytes.

For permanent change, you can add the MTU parameter into your interface configuration file,
For example in Debian the configuration will look like this:



iface eth0 inet static
address 192.168.0.100
network 192.168.0.0
gateway 192.168.0.254
netmask 255.255.255.0
mtu 1420

Saturday, June 12, 2010

Apache:create password protected directory

In this short tutorial I'll show how to restrict certain folders of your web server for certain users/groups.


Let's say we need to restrict some files that will be located under /var/www/secret (/var/www is our DocumentRoot - aka the place where our site html/java/php stuff is located).

First we need to create (-c flag) a new user and set it a password, pay attention to the file path, it will contain the username and it's encrypted password (somewhat similar to /etc/shadow):

#htpasswd -c /etc/apache2/userslist admin
New password:*****
Retype new password:*****
Adding password for user admin

We can change the password later with htpasswd command (without any flag).

After we've added the user we need to edit our site configuration file, on Debian it's located under: /etc/apache2/sites-available/default

We need to edit our directory block with the proper settings, it should look something like this (pay attention to the last directory block):















If we want to allow more than one user we can add more valid users in the "Require user" line, More elegant approach will be to create group file (like /etc/apache2/groupfile) that will look something like this:

#cat /etc/apache2/groupfile

admins:paul admin bob dave

2 lines will be changed: 
instead of require user , require group.
instead of AuthUserFile /path/to/file, AuthGroupFile /path/to/file

Last thing left is to restart apache:

#apache2ctl restart