Tag Archives: server

Resetting the root/postgres password for PostgreSQL

The following is required to reset the root/postgres user password for PostgreSQL. The distribution used in my example is CentOS 5.5 and PostgreSQL 8.4.

Note: By default there’s no password for the postgres user.

In steps 2 and 5 you will most likely not be using “ident” but rather “password” or “md5”; edit whichever method your file actually contains.

1. Shut down PostgreSQL

# service postgresql stop

2. Reset the authentication mechanism (assuming defaults are already being used)

Edit the /usr/lib/pgsql/data/pg_hba.conf file

# nano /usr/lib/pgsql/data/pg_hba.conf

Navigate down to the line that says

local all all ident

Edit it to

local all postgres trust

And now save the file. Keep in mind that “trust” lets any local OS user connect as postgres over the Unix socket without a password, so keep this window short and make sure you complete step 5.

3. Start PostgreSQL

# service postgresql start

4. Log in and change the password

# su - postgres
$ psql -d template1 -U postgres
alter user postgres with password 'new_password';

Or alternatively do it all in one go with the following command

$ psql -U postgres template1 -c "alter user postgres with password 'new_password';"

5. Reverse the actions you did in step 2

Edit the /usr/lib/pgsql/data/pg_hba.conf file

# nano /usr/lib/pgsql/data/pg_hba.conf

Navigate down to the line that says

local all all trust

Edit it to

local all postgres ident

And now save the file.

6. Restart PostgreSQL so the restored pg_hba.conf takes effect (the server is still running from step 3, so a plain start would do nothing)

# service postgresql restart

Success!
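As an added example (not code from the original post), a small POSIX shell helper that performs the pg_hba.conf edits of steps 2 and 5 on a copy of the file and counts how many “trust” rules are left, so you can confirm the passwordless window is closed before moving on. The sample pg_hba.conf and the paths are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): switch the "local ... postgres"
# line of a pg_hba.conf copy to a given method and count the "trust" rules left.
# Paths and the sample file below are constructed; on CentOS 5 with the default
# PGDATA the real file is /var/lib/pgsql/data/pg_hba.conf.

# pg_hba_set_local_postgres FILE METHOD
# Rewrites "local all postgres <method>" (or, as in step 2, turns the stock
# "local all all <method>" line into "local all postgres METHOD").
pg_hba_set_local_postgres() {
  file=$1; method=$2
  if grep -Eq '^[[:space:]]*local[[:space:]]+all[[:space:]]+postgres[[:space:]]' "$file"; then
    sed -E "s/^([[:space:]]*local[[:space:]]+all[[:space:]]+postgres[[:space:]]+)[A-Za-z0-9]+/\1$method/" \
      "$file" > "$file.tmp"
  else
    sed -E "s/^([[:space:]]*local[[:space:]]+all[[:space:]]+)all([[:space:]]+)[A-Za-z0-9]+/\1postgres\2$method/" \
      "$file" > "$file.tmp"
  fi
  mv "$file.tmp" "$file"
}

# pg_hba_trust_count FILE
# Number of active (uncommented) rules that still use "trust"; after step 5
# this must be 0, otherwise a passwordless path is left open to local users.
pg_hba_trust_count() {
  grep -Ec '^[[:space:]]*(local|host|hostssl|hostnossl)[[:space:]].*[[:space:]]trust([[:space:]]|$)' "$1" || true
}

# make_sample_pg_hba FILE: writes a constructed CentOS-style default pg_hba.conf
make_sample_pg_hba() {
  printf '%s\n' \
    '# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD' \
    'local   all         all                               ident' \
    'host    all         all         127.0.0.1/32          ident' \
    'host    all         all         ::1/128               ident' > "$1"
}

# Demo on a temporary copy: open the window (step 2), then close it (step 5).
demo=$(mktemp)
make_sample_pg_hba "$demo"
pg_hba_set_local_postgres "$demo" trust
echo "trust rules while resetting: $(pg_hba_trust_count "$demo")"   # 1
pg_hba_set_local_postgres "$demo" ident
echo "trust rules after restoring: $(pg_hba_trust_count "$demo")"   # 0
rm -f "$demo"
```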

// CrashMAG

Changing the default PostgreSQL data folder (PGDATA)

Installing the PostgreSQL server on RHEL, CentOS, Scientific Linux or Fedora installs the PostgreSQL databases and configuration files in “/var/lib/pgsql/data”.

This may or may not be desirable. Let’s assume for a moment you have a separately crafted partition for PostgreSQL to use, let’s say a RAID10 volume. You’d want to change this.

Change the defaults

Use your favorite text editor, in my case nano, to create the following file (its name must match the name of the service)

# nano /etc/sysconfig/pgsql/postgresql

Add the following

PGDATA=/postgresql/data

Optionally you can also add the following to change the default port (example is the default port)

PGPORT=5432

Adjusting SELinux to permit the new data folder (pgdata) location

Should the following command output “Permissive” or “Disabled” then you may skip the details for SELinux.

# getenforce

Run the semanage command to add a context mapping for /postgresql/data and any directories/files within it.

# semanage fcontext -a -t postgresql_db_t "/postgresql/data(/.*)?"

Now use the restorecon command to apply this context mapping to the running system

# restorecon -Rv /postgresql/data

Starting PostgreSQL

# chkconfig --levels 345 postgresql on
# service postgresql initdb
# service postgresql start

You’re all set to go! Keep in mind that PostgreSQL listens on ‘localhost’ by default. To change this you need to alter the “listen_addresses” parameter in the postgresql.conf inside your data folder (“/postgresql/data/postgresql.conf” in this example; “/var/lib/pgsql/data/postgresql.conf” with the defaults). The change requires a restart.

// CrashMAG

RHEL/Centos 5 minimal installation

There’s no option during the CentOS 5 install for a minimal installation. The purpose is quite simple: to keep the attack surface as small as possible.

A minimal installation is performed by doing the following

  • During the category/task selection, deselect all package categories, and choose the “Customize now” option at the bottom of screen.
  • During the customized package selection, deselect everything ( including the Base group ).

This will yield 234 packages with the CentOS 5.5 installation media. I’ve attached a .txt file containing all the packages for your leisure.

Link: installed-packages

// CrashMAG

Configuring BIND DNS Server to listen only on a specific IP address

This is a short, example-driven howto on configuring BIND to listen only on certain IP addresses, which implicitly also selects the network interfaces it binds to. IPv6 is included in the examples. You could also say that this is how you disable IPv6 for BIND/named, but that is implicit to the operation.

listen-on default syntax

Note the “-v6” syntax for IPv6.

IPv4

listen-on port 53 { 127.0.0.1; };

IPv6

listen-on-v6 port 53 { ::1; };

You can also combine several IP addresses

listen-on port 53 { 127.0.0.1; 192.168.0.1; };

From the man page

listen-on [ port integer ] { address_match_element; ... };
listen-on-v6 [ port integer ] { address_match_element; ... };

To listen on all interfaces and IP addresses

listen-on { any; };
listen-on-v6 { any; };

That’s all. A few short tips.

// CrashMAG

Guide and hardening tips for RHEL/CentOS 5 from NSA

I was looking to see if NSA had updated their guides for RHEL 6, and it turns out they haven’t. I decided it would be a good idea to post about them to give them some better coverage.

This is just a small tip of free and useful information in regards to securing your RHEL/CentOS installation. A lot of the information is general in nature and can therefore be applied to any Linux distribution. It’s definitely worth your time.

I take no credit, the credit goes to NSA for creating the documents to begin with.

Guide to the Secure Configuration of Red Hat Enterprise Linux 5
www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

Red Hat Linux 5 Hardening Tips
www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf

I just love how just about every section starts with “Disable ‘insert your service here’ if possible…” 😉

// CrashMAG

Setting up sSMTP with GMail

Let me introduce you to the “extremely simple MTA to get mail off the system to a mailhub”. It is particularly useful when you don’t want systems to have a full blown MTA installed, such as Postfix, Exim or Sendmail. I find ssmtp extremely helpful on standalone servers that use Logwatch.

Getting this up and running requires 4 steps.

  • Installing SSMTP
  • Configuring SSMTP
  • Changing the MTA on your system
  • Testing

Installing the daemon, ssmtp.

Use your favorite package manager; in my example I’ll be using YUM (Fedora/CentOS/RHEL/Scientific Linux). For CentOS/RHEL/Scientific Linux 5.5 or 5.6 you need access to the EPEL repository to install sSMTP. Add EPEL to your system using the following command.

rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm

You can find eventual new links from http://download.fedora.redhat.com/pub/epel/5/i386/repoview/epel-release.html

yum install ssmtp

Configuring SSMTP

Edit /etc/ssmtp/ssmtp.conf with your favorite text editor. I’ll be using nano.

nano /etc/ssmtp/ssmtp.conf

Remove all the entries and replace them with the ones beneath. AuthPass stores your Gmail password in cleartext, so make sure the file is not world-readable.

root=insert_your_email_address_here
mailhub=smtp.gmail.com:587
UseTLS=YES
UseSTARTTLS=YES
AuthUser=your_gmail_username_which_you'll_be_using_to_send
AuthPass=password

Changing the MTA

For CentOS/Fedora/RHEL

alternatives --config mta

Press the number that equals /usr/sbin/sendmail.ssmtp and you’re done.

Testing

I’m testing this using the verbose mode just to be able to see the dialogue with the Google SMTP server.

cat random_file | sendmail -v your_email_address

// CrashMAG

Correcting the eth0 MAC Address in RHEL or CentOS

Cloning machines in VMWare is a really straightforward thing. However, once you do clone a machine, you’ll be left with new MAC addresses for the network cards. In a typical scenario the cloned RHEL or CentOS machine will boot up without the local network interface. You’ll typically see the following during boot.

Bringing up interface eth0: Device eth0 has different MAC address than expected, ignoring.

The reason for this is that

/etc/sysconfig/network-scripts/ifcfg-eth0

contains a variable called “HWADDR=”. Do the following to add the appropriate MAC address and restore networking functionality.

  • As the root user (or a user with appropriate permissions)
  • Type “ifconfig -a”
  • From the displayed information, find eth0 (this is the default first Ethernet adapter)
  • Locate the number next to the HWaddr. This is your MAC address

A typical output would be as follows.

eth0      Link encap:Ethernet  HWaddr 00:1B:21:1F:66:88
          inet addr:192.168.0.5  Bcast:192.168.0.255  Mask:255.255.255.0
... the additional output has been removed...

Now you edit

/etc/sysconfig/network-scripts/ifcfg-eth0

and modify the “HWADDR=” variable to include your MAC address. E.g.

HWADDR=00:1B:21:1F:66:88

Save the file. At this point you run

# service network restart

as root from the command prompt. You’ve now restored networking.
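Added example, not from the original post: POSIX shell helpers that pull the HWaddr for eth0 out of “ifconfig -a” output, validate it, and rewrite (or add) the HWADDR= line in an ifcfg file. The ifconfig output and the ifcfg file used here are constructed; the stale MAC in the demo is made up.

```shell
#!/bin/sh
# Added example (not from the original post): read the live MAC of an interface
# from "ifconfig -a" output and write it into HWADDR= of an ifcfg file, refusing
# anything that is not a well-formed MAC. Sample output and files are constructed.

# Constructed "ifconfig -a" output (the eth0 line uses the MAC from the post).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:1B:21:1F:66:88
          inet addr:192.168.0.5  Bcast:192.168.0.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

# mac_from_ifconfig IFACE: print the HWaddr of IFACE (upper-cased) from stdin
mac_from_ifconfig() {
  awk -v iface="$1" '$1 == iface && /HWaddr/ {
    for (i = 1; i <= NF; i++) if ($i == "HWaddr") print toupper($(i + 1)) }'
}

# is_valid_mac MAC: six colon-separated hex pairs, nothing else
is_valid_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# get_hwaddr FILE: current HWADDR= value (empty if absent)
get_hwaddr() { sed -n 's/^HWADDR=//p' "$1" | tail -n 1; }

# check_hwaddr FILE MAC: succeed when the file already matches MAC (case-insensitive);
# failure here is the "different MAC address than expected" condition from the boot log
check_hwaddr() {
  [ "$(get_hwaddr "$1" | tr a-z A-Z)" = "$(printf '%s' "$2" | tr a-z A-Z)" ]
}

# set_hwaddr FILE MAC: replace the HWADDR= line, or append one if missing.
# The MAC is validated first, so only hex digits and colons ever reach sed.
set_hwaddr() {
  file=$1; mac=$2
  is_valid_mac "$mac" || { echo "refusing to write invalid MAC: $mac" >&2; return 1; }
  if grep -q '^HWADDR=' "$file"; then
    sed "s/^HWADDR=.*/HWADDR=$mac/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf 'HWADDR=%s\n' "$mac" >> "$file"
  fi
}

# Demo on a constructed ifcfg-eth0 copy (the stale MAC is made up).
demo=$(mktemp)
printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nONBOOT=yes\nHWADDR=00:0C:29:AA:BB:CC\n' > "$demo"
live=$(printf '%s\n' "$SAMPLE_IFCONFIG" | mac_from_ifconfig eth0)
check_hwaddr "$demo" "$live" || set_hwaddr "$demo" "$live"
cat "$demo"      # HWADDR is now 00:1B:21:1F:66:88
rm -f "$demo"
```

On a real box, replace the constructed input with `ifconfig -a | mac_from_ifconfig eth0` and point set_hwaddr at /etc/sysconfig/network-scripts/ifcfg-eth0 before running service network restart.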

// CrashMAG

Disable IPv6 lookups with Bind on RHEL or CentOS

Discovered during a recent project. Bind / Named was constantly spamming the logs about being unable to reach the root servers. The logs revealed that we were talking to IPv6 addresses, which was assumed to be disabled.

The less cool part was that in “/etc/named.conf” the following was commented out.

//      listen-on-v6 port 53 { ::1; };

It turns out that to disable the IPv6 lookups you have to edit “/etc/sysconfig/named” and set

OPTIONS="-4"

The option does the following

Use IPv4 only even if the host machine is capable of IPv6. -4 and -6 are mutually exclusive.

You then run

service named restart

This serves the very practical purpose of not spamming the logs. My ISP has yet to enable IPv6 so it does me no good.

// CrashMAG

How to configure the networking in Fedora 14 when you used a minimal install

Using the minimal Fedora 14 install presented two small challenges.

  1. No networking except for loopback / 127.0.0.1
  2. No nano to edit the relevant configuration files.

In a nutshell, it’s a paradox. I’d like to get nano to edit configuration files, but to do that I need network access. It turned out that I had to use “vi”, which I never do, to edit the networking files. What a pain. I personally can’t stress how retarded it is with an editor that requires you to enter text to be able to enter text.

So the following was done to remedy the matter.

Edit the networking configuration using vi

# vi /etc/sysconfig/network-scripts/ifcfg-eth0

Used the arrows to navigate to the end of the “ONBOOT=no” line.

  1. Pressed i to enter insert mode.
  2. Modified “ONBOOT=no” to “ONBOOT=yes”.
  3. Pressed ESC to exit insert mode.
  4. Pressed o to add a new line (o also enters insert mode, so pressing i here would insert a literal “i”).
  5. Added “BOOTPROTO=dhcp”
  6. Pressed ESC to exit insert mode.
  7. Typed in :wq to exit and save the file.

Or for a static IP

  1. Press i to enter insert mode.
  2. Modify “ONBOOT=no” to “ONBOOT=yes”.
  3. Press ESC to exit insert mode.
  4. Press o to add a new line (o also enters insert mode, so do not press i again).
  5. Add “BOOTPROTO=static”
  6. Press Enter to start a new line (you are still in insert mode).
  7. Add IPADDR=X.X.X.X
  8. Press Enter to start a new line.
  9. Add NETMASK=X.X.X.X
  10. Press ESC to exit insert mode.
  11. Type in :wq to exit and save the file.

Restart the networking service

# service network restart

Done!

Install nano

# yum install nano

Voila! This way one can edit text files easily, without having to enter text to enter text like in vi. (Made me dizzy just typing it)

// CrashMAG

Setting up Deluge 1.3 on a headless server with Autoadd and Labels.

Deluge has finally joined the ranks of the torrent clients able to run in an easy and efficient way on a headless box. They’ve now included the Autoadd plugin so that you can dump .torrent files into the specified directories and have Deluge add them and label them.

In other words Deluge now handles multiple trackers very well and allows you to effectively organize your downloads.

It’s worth mentioning that the client actually allows you to sort on trackers either way. With favicons even.

In my example I will make use of Arch Linux. The method will in principle be the same on any distribution. Keep in mind that the biggest difference will be whether your distribution has included scripts to start the daemons. Arch Linux has.

There are primarily two methods you can use to remote control the Deluge daemon:

  1. The Deluge GUI client.
  2. The Deluge Web interface.

I’ll use the Deluge GUI client in my example, as the Autoadd and Label plugins cannot be configured using the web client.

From here on I’ll provide step-by-step instructions of how to get Deluge installed, running as a daemon and configured to autoadd torrents.

Installing Deluge

# pacman -S deluge

This will install the following dependencies on a clean box:

Targets (12): python-2.6.5-3 pyxdg-0.19.-1 setuptools-0.6.c11-2 boost-libs-1.43.0-1 libtorrent-rasterbar-0.15.2-1 pycrypto-2.1.0-1 zope-interface-3.5.3-1 twisted-10.0.0.-1 pyopenssl-0.10-2 xdg-utils-1.0.2.20100618-1 python-chardet-2.0.1-1 deluge-1.3.0-1

Starting the daemon and defining the user which it will run under

# nano /etc/conf.d/deluged

Edit the

DELUGE_USER="username"

and change it to your own.
Start the daemon.

# /etc/rc.d/deluged start

Enable remote connections so you can administer the installation. This makes the daemon reachable over the network, so restrict access to its port with your firewall.

$ deluge-console
config -s allow_remote True
exit

We now need to add the user information for authentication. Edit ~/.config/deluge/auth for the user you’re running the Deluge daemon as and add the following on a new line after the “localhost…” entry (the trailing number is the authentication level; 10 is admin). The password is stored in cleartext, so keep the file readable only by that user.

username:password:10

Then.

# /etc/rc.d/deluged restart

Now lets connect. Start your Deluge client and enter in your server information in the add host dialogue.
NB: You need to enter Preferences -> Interface and disable the “Classic Mode” to be able to access the connection manager

Once done, open up “Preferences”, go to the Plugins section and enable the Autoadd and Label plugins.

Now navigate to the Autoadd section and configure it according to your needs.

You repeat the last step for every tracker and/or type of torrents you want. And I must say, this setup is working very well for me.

Further information can be found at http://dev.deluge-torrent.org/wiki/UserGuide/ThinClient

// CrashMAG