Saturday, November 15, 2008

Installing & Running VNC on Redhat/RPM Linux

What is VNC? - A practical introduction
VNC stands for Virtual Network Computing. It is, in essence, a remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures.

The VNC system allows you to access the same desktop from a wide variety of platforms.

Many of us, for example, use a VNC viewer running on a PC on our desks to display our Unix environments, which are running on a large server in the machine room downstairs.
(What is VNC? A practical introduction - taken from http://www.uk.research.att.com/vnc/ all rights reserved)


Obtaining VNC
VNC is freely available from the official VNC homepage: http://www.uk.research.att.com/vnc/ the version we will cover in this tutorial is RealVNC version 3.3.6, which can be downloaded from http://www.realvnc.com/download.html

If you prefer to use the command line as opposed to a GUI for installation, run the following command from your Linux CLI. When run, this command will download the RPM package to your current working directory. The file is 700k approx:

 
Code:
$  wget http://www.realvnc.com/dist/vnc-3.3.6-2.i386.rpm


The Installation
Installing from RPM is straightforward enough, simply run the following command:

 
Code:
$  rpm vnc-3.3.6-2.i386.rpm -i
Now you have the core VNC files installed on your system. The first time you run VNC server, you be required to set a password. Remember that it is good practice to choose a password that is not in the dictionary, contains a combination of numbers, letters, and other characters.

To start VNC server, at the command prompt type:

 
Code:
$  vncserver
If you wish to change the VNC password at any time, enter vncpasswd at the command prompt. The VNC password is not integrated with the standard Linux passwords (any thing inside /etc/passwd), so changing the VNC password will leave all other passwords on the system intact. That also applies the other way round; changing the password on a user account will not affect the VNC password.


You will need to edit the configuration script found in $home/.vnc/xstartup. Any standard text file editor such as vim, emacs or pico will suffice.

For Gnome:
 
Code:
xrdb $HOME/.Xresources
xsetroot -solid grey
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &
For KDE
 
Code:
xrdb $HOME/.Xresources
xsetroot -solid grey
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &
startkde &
The key line in the sample file above is the last one, which in this case is set to twm. This controls which window manager you wish VNC to use. By default, Redhat systems use gnome, but you may be using kde. The twm should only be used if you do not have a window manager setup on your system. If you are using kde, you should change twm to startkde and if you are using gnome, you should change it to gnome-session.

You should also understand how to kill existing desktops, shutting VNC down. To do this, you should type vncserver -kill :1 at the CLI, where 1 is the desktop you wish to kill off.

That's it. VNC should now be successfully setup on your system. The last piece of information you need is the ports VNC uses. For the VNC viewer, 5901 is used by default, and for java based VNC access, 5801 is used. You will need to add rules to your firewall to allow traffic into either or both of these port numbers.



Check If VNC is running
You can check at anytime to see if you have a VNC server currently running. To do so, I recommend that you use netstat a tool designed to give you information about what ports are listening for connections on your machine. The following output is an example of what you can expect to see from a netstat command. The important part of this output is highlighted in bold:
 
Code:
[root@server root]# netstat -an | more
Active Internet connections (servers and established)
Proto   Recv-Q   Send-Q   Local Address   Foreign Address  State
Tcp     0            0     0.0.0.0:22   0.0.0.0:*             LISTEN
Tcp     0            0     0.0.0.0:5801 0.0.0.0:*           LISTEN
Tcp     0            0     0.0.0.0:5901 0.0.0.0:*           LISTEN
[root@server root]#
The 2 lines that have 0.0.0.0:5801 & 0.0.0.0:5901 indicate we have VNC listening for incoming connections on all interfaces (0.0.0.0). If you find that you cannot connect to VNC, I would recommend that you check it is running. If you see that VNC is running from a netstat command, then I would check your firewall is not blocking your connection attempts.


The VNC Viewer
From within you X desktop, you will have access to a VNC viewer, which you may use to remotely control other machines. To access this, open a command terminal, and type in vncviewer. You will be prompted for an IP address to connect to. Enter this, and click ok. You should now have remote control of another PC.


Troubleshooting VNC installations
For troubleshooting, remember that most answers can be found lurking inside your favourite search engine. As the first port of call, I would recommend that you see the following URL:
http://www.uk.research.att.com/vnc/faq.html you can post any VNC questions at www.linuxforums.org

If you have Redhat your firewall in the GUI may always appear to be on, even when its not.

Drop to a command prompt, and run: "iptables -L". If the firewall is really off, then you should see:

 
Code:
Chain INPUT (policy ACCEPT) 
target prot opt source destination 

Chain FORWARD (policy ACCEPT) 
target prot opt source destination 

Chain OUTPUT (policy ACCEPT) 
target prot opt source destination
When using Winvnc to vnc (linux) remember when connecting with the vnc client to use x.x.x.x:1, where x.x.x.x is the ipaddress. The ":1" is important, as it tells the VNC client the server is listening on tcp/5901 as opposed to 5900 (default on windows).
 

Guide for people new to linux command line

Basic command line stuff for non-programmer Newbies (like me)

Last update 09/08/03 by flw/Dan and www.linuxforums.org This content is copywrited
==================================================
Manual

man {command}, Type man ls to read the manual for the ls command.
==================================================
Read

read This is an old trick to keep a telnet session from timing out on you.
==================================================
fdisk -l

The minus lower case "l" displays the names of all physical and logical drives. You'll need this if you wish to work with other drives like mounting a windows drive etc... The output on a RedHat box is like:

/dev/hda1 
/dev/hda2
/dev/hda3

and so on. In the above output hda1 is the c: drive for windows and hda2 is a fat32 logical partition for Windows with hda3 being linux.
==================================================
List

ls {path} It's ok to combine attributes, eg ls -laF gets a long listing of all files with types.

ls {path_1} {path_2} List both {path_1} and {path_2}.

ls -l {path} Long listing, with date, size and permisions.

ls -a {path} Show all files, including important .dot files that don't otherwise show.

ls -F {path} Show type of each file. "/" = directory, "*" = executable.

ls -R {path} Recursive listing, with all subdirs.

ls {path} > {filename} Redirect directory to a file.

ls {path} | more Show listing one screen at a time.
==================================================
Change directory

cd {dirname} There must be a space between.

cd ~ Go back to home directory, useful if you're lost.

cd .. Go back one directory.
==================================================
Make directory

mkdir {dirname} To make a new directory
==================================================
Remove directory

rmdir {dirname} Only works if {dirname} is empty.

rm -r {dirname} Remove all files and subdirs. Careful!
rm -rf {dirname} Remove all file and subdir with force.
==================================================
Print working directory to screen

pwd Show where you are as full path.
==================================================
Copy

cp {file1} {file2}

cp -r {dir1} {dir2} Recursive, copy directory and all subdirs.

cat {newfile} >> {oldfile} Append newfile to end of oldfile.
==================================================
Move

mv {oldfile} {newfile} Moving a file and renaming it are the same thing.
==================================================
Remove

rm {filespec} ? and * wildcards work like DOS should. "?" is any character; "*" is any string of

characters.

==================================================
Date

date Shows sys date and time.
==================================================
Apps for basic configuration

Changes services installed or changes them:
Ntsysv or linuxconf
==================================================
Check dir sizes of homes (or any dir) use the following:

Cd /home
Du –s * | sort –rn |head –30

30 is the number of directories starting from the largest.
===================================================
Backup the dir's on a server run the following from /:

Tar -cfz /dir/filename.tgz /var/qmail/ /etc

Verify file is in /home and correct size/date.
Tar and Gunzip
Tar switches /source/ destination

1. Compress. Tar –cvzf filename.tar.gz /sourceoftar
Tar – cvzf etc.tar.gz /etc

2. Decompress

gunzip filename.tar.gz
gunzip etc.tar.gz
or
tar –xf etc.tar
=====================================================
RPM's (Redhat Package Manager)

To install a package: rpm –ivh
ex. rpm -ivh somepackage.1.1-4.i386.rpm

To upgrade a package: rpm -Uvh [filename]
ex. rpm -Uvh somepackage.1.1-5.i386.rpm

To remove a package: rpm -e [packagename only no .rpm or version number]
ex. rpm -evh somepackage
=====================================================

To see if a package is installed: rpm -q [packagename]
ex. rpm -q somepackage
Rpm –q webadmin
=====================================================

To get info on an installed package: rpm -qi [packagename]
ex. rpm -qi somepackage
=====================================================
Disk free space


df amount of free disk space df –I by drives
=====================================================
Disk usage

du amount of used disk space du –s or du -s*
=====================================================
Date

Date shows/sets current date date MMDDhhmmYYYY (sets date/time)
=====================================================
Who is online

Who users currently on system
=====================================================
Free

Free how much RAM and cache is free
=====================================================
Who is online

w users online and what files are being used
=====================================================
Touch

Touch create a empty file
=====================================================
Emacs-nox text editor

Cntrl/x cntrl/s saves document
Cntrl/x cntrl/c closes document
Cntrl/k cut a individual text line
Cntrl/y paste the previously cut test line
Su - Login as root w/root profile via telnet or ssh i.e. paths for root is not the same as

user
=====================================================
VI text editor

I or esc =insert
:=preface all commands
:w= save (:w!)
:u= undo
:q= quit
:d= delete line
:p= pastes at cursor
= pastes after cursor
:yy= copies line where cursor is
:dd = deletes line at cursor
=====================================================
Change access permissions

chmod determines file rights, Chmod 0777 file.txt all can r/w/x, chmod 0755 file.txt public or

grp can only r/x, chmod 0644 test.txt public or grp can only read,
chmd 0711 file.txt public or grp can only x

Another to look at it is:
chmod 600 {filespec} You can read and write; the world can't. Good for files.

chmod 700 {filespec} You can read, write, and execute; the world can't. Good for scripts.

chmod 644 {filespec} You can read and write; the world can only read. Good for web pages.

chmod 755 {filespec} You can read, write, and execute; the world can read and execute. Good for

programs you want to share, and your public_html directory.


=====================================================
To locate file

find –name filename –print
=====================================================
Grep searches a file(s) for matching pattern such as text search.

grep 'text string' -r /home | awk '{print$2}' This goes to the monitor.

grep 'text string' -r /home > textstring.txt For redirect to file.

-r is recursive/home/usrname is starting point
=====================================================
Add a user

Adduser username
=====================================================
Change a password

passwd to set or change password
=====================================================
Delete a user

Userdel username
=====================================================
Modifiy user name

usermod to change username, Usermod -l newname oldname

=====================================================
Enable floppy disk or CD access

mount –t vfat /dev/fd0 /mnt/dos or floppy (for DOS file system) or mount /dev/fd0 (working dir is /mnt/floppy) or mount –t iso9660 /dev/cdrom /mnt/cdrom
=====================================================
Remove floppy disk or CD access

umount /dev/fd0 or /mnt/floppy
=====================================================
To mount a share:

1. Type "mkdir /mnt/name_of_share" and press enter.

2. Type "mount -tsmbfs //servername/sharename /mnt/name_of_share -o username=<USERNAME_HERE>,password=<PASSWORD_HERE>"

3. Replace <USERNAME_HERE> and <PASSWORD_HERE> with a valid username/password that can be used to access that share.

Note: //server/share is the NETBIOS name of the pc (in example, "server" and the sharename "/share".

4. To locate where your statup files are , run "updatedb".

5. Then run "locate rc.local". Put your commands in the rc.local file it finds.

All your files on the share will be accessable like normal files on the local system from /mnt/name_of _share

6. If you edit the .bashrc file located in the /home/username/
and type the command mount -t there. Each user with that setting in .bashrc will have that mounted drive.
=====================================================
How to unmount a drive :

From command line type "umount /mnt/name_of_ share" and enter.
=====================================================
Mount a Windows FAT32 drive:

As root, at the command line create the location for the windows partition: "mkdir /mnt/windows"

Then mount the windows partition with: "mount -t vfat /dev/hda* /mnt/windows" *=the partition you wish to mount as determined by "fdisk -l".

If you want this partition mount permanently then edit your /etc/fstab file and add the partitions to be mounted at boot up.
=====================================================
Process identification number and name

ps or ps –ax for all services running or ps –ef > file.txt
=====================================================
Stop Process idendification number and name

kill ps#, kill 188 or kill Kill 188, or kill -9 188
=====================================================
Start or Restart a process

ServiceName , then enter i.e. sshd or httpd etc...
=====================================================
Startup dir(s)

rc3.d is the normal multi user startup (non gui) bootup file in RH.
rc5.d is the normal GUI bootup file in RH.

To stop a service at bootup, you can remove the start instruction from there and that would stop the service starting.
=====================================================
Last

last monitors logins
=====================================================
Last bad logins

lastb monitors bad logins
=====================================================
Make a bootable disk


Bootable disk, Mkbootdisk –device /dev/.fd0 2.0.34-1 (kernal version)
=====================================================
Uname

uname –r is to determine kernal ver
=====================================================
Top

top –c To see cpu usage overall and by sevices
=====================================================
clear cmd line history

rm /home/joe/.bash_history (from home dir of user)
rm /.hash_history (this is for the root user)
=====================================================
ifconfig for status of active interfaces.

ifconfig To get the currently active interfaces.

ifconfig -a Displays the status of all interfaces, even those that are down.
=====================================================
Apache httpd.conf syntax checker (typo's)

apachectl configtest
=====================================================
Samba smb.conf syntax checker (typo's)

Command SwitchOptional FileLocation_Name

testparm /etc/samba/smb.conf
=====================================================
Telnet command to stop from being timed out of your session due to lack of activity (like your looking something up or going to the head).

Type "read" then press enter and when ready to start back just press enter again.

=====================================================
How to tell linux system time?

Use the `-R' option to output the date in the format described in RFC822 (see section Word Lists and Reference Files): day of week followed by day of month, month name, year, time, and time zone in numeric format. This is the date format used in email messages.

To output the current date and time in RFC822 format, type:
$ date -R RET
Fri, 11 May 2001 11:10:29 -0400
$

You can also use the `-d' option to specify the precise fields to output, and the order in which to output them. For more information, see the date man page
=====================================================

Directory Structure basics

/ The 'root' directory; reference point for all directories.

/bin Binaries which are absolutely essential to run Linux.

/boot All the files required for booting Linux on a system.

/dev All the devices have their corresponding files here.

/etc All the configuration files for the various software are stored here. Don't play with this directory.

/home All users will have their 'My Documents' under this directory. If your id is tomh, your 'My Documents' (called home-directory) /home/tomh.

/lib The libraries required by system-applications. (Just like DLLs in Windows.)

/lost+found When a disk-check finds files which are damaged or which are not linked to any directory, they are recovered to this directory. Such damages are almost always due to incorrect shutdown.

/misc Miscellaneous files!

/mnt The directory where peripherals and other file-systems are mounted.

/opt The directory where optional software are installed.

/proc proc houses a pseudo-filesystem. Its contents really do not exist anywhere on the disk, and are made available only when you cd to this directory and look at some file. Don't worry about it, anyway.

/root The home-directory for the super-user: root.

/sbin The system-administration binaries exist here.

/tmp The directory where temporary files are created and stored.

/usr Everything related to users!
/usr/bin /bin houses critical binaries, whereas /usr/bin stores other binaries: not so critical but required nevertheless.
/usr/include The header-files required by programs for compilation.
/usr/lib The libraries required by user-applications.
/usr/local Files peculiar to this particular machine.
/usr/sbin User-administration binaries.
/usr/share Information that can be shared by most users.
/usr/src The source-code for the Linux kernel.
/usr/X11R6 Files needed by the X Window system.

/var Files whose contents vary frequently are in this directory.
/var/log The log-files of the system.
/var/spool Directories for mail, news, printing and other queued work.
 

Security Guide for people new to Apache Web Server

New users guide to securing an Apache Web Server

Last updated 05/06/03 Copyrighted 2003 flw/Dan, Jason Lambert

Why use Apache Web Server 2.x instead of 1.3? See http://httpd.apache.org/docs-2.0/new_features_2_0.html If you don’t need the new features then there is no strong reason to use 2.x except any new features in the future will be in the 2.x version and not the 1.3.27 version.

This guide is intended for new users of Apache Web Server and how to take some security steps to make it harder (or slow down) for hackers to deface your hard work. It is also based on RedHat version 7.x for default file location purposes only. Your file locations and names may vary. We also are assuming you are logged in as root or logged in with the root privileges. If you’re not sure, then from the command line type in “whoami” and press enter. The steps below are not in any priority order and you don’t have to implement all of them but every step in insuring your web servers security makes it that much harder to break in.

Step 1. Always use the most current version. If your using 1.3.26 then upgrade to 1.3.27 and the same for Version 2.44 upgrade to 2.45 which are the current versions as of this writing. It very easy for people to find out weaknesses in older version because they are listed at public locations like http://www.apacheweek.com/features/security-13 or here http://www.apacheweek.com/features/security-20 . To upgrade, copy all your web html/cgi etc… files and graphics to a temporary directory which will include a copy of the current httpd.conf and .htaccess if used. Then follow the directions for the install and copy back all your web site content and httpd.conf and .htaccess if used. Reboot your computer. Remember this is only a simplistic example.

Step 1a. Where do I get the upgrade? You can get the current versions of 1.3.27 and 2.4.x at http://httpd.apache.org/

Step 2. My opinion only, always used the current version of your Linux distribution. An example is if you’re using Redhat 7.0 then upgrade to 7.2. I don’t recommend upgrading from your 7.2 to major release like 8.0 or a 9.0 until the versions has been on the market long enough for Redhat to come out with a minor 9.1 release. There are always lots of bugs in the initial versions. To upgrade from one version of Redhat to another you'll have to choose “upgrade” to Red Hat Linux 7.2 (instead of performing a full installation). You must choose “Upgrade”.

Step 3. Change your document root (main page or starting page on your web site like /home/mywebsite, if it doesn’t exist you have to go to the cmd line and type mkdir /home/mywebsite) to a non-default location by editing the httpd conf file. You’ll be looking for “documentroot”. Feel free to use whatever text editor you prefer (VI, EMACS, etc…). In Redhat 7.0 it is in /var/www/html, in older versions it may be in /home/httpd/html or /usr/local/Apache/htdocs. If you still can’t find it, try from the command line at the / directory by using the following:

“find –name httpd.conf”

You’ll also want to check for obvious errors that Apache Web Server see’s. So from the command line use “apachectl configtest “ and any syntax errors will be reported.

Step 4. Verify and if needed correct all your files for viewing only. They should be set as read only by Apache Web Server.

Step 5. Verify only files or graphics that are used or viewed at your site are the only files in your web directories. I.e. don’t put password files or your configuration notes in the same directory as index.html or where your graphics are.

Step 6. Any temporary files created by content generators like cgi scripts be located in a single directory where they have “write” access outside your content area to protect a script from deleting your web content.

Step 7. Create visible and imbedded copyright notices. Imbedded notices should be toward the top of the web page so it is very visible. You’ll want to edit any original graphics with the same copyright notice.

Step 8. Disable directory view from displaying your web page as a view only file manager. This is done from httpd.conf. You can just comment out the “directory view” by using the # symbol.

Step 9. This is for cgi only so if your not using cgi skip ahead. CGI is a how to all by itself. So for here I’m only going to list the commonly known issue you should be aware of and look into.

User input crashes the cgi app.
User input creates system calls that are unsafe.
User sees hidden data.
User input causes denial of service (DOS). A good practice is to limit how much memory and CPU usage Apache Web Server web gets to use. This is in case you are under a DOS that you still have some memory and cpu power to start a session with the server and kill the problem process or user connection.

The commands you would use within httpd.conf to limit a DOS are “<Limit RLimitCPU > </Limit>” and “RLimitMEM”. RLimitCPU

RLimitCPU
Syntax: RLimitCPU n|max [n|max]
RLimitCPU sets the CPU resource limit for all server processes. It can have one or two values, and the values are either n or "max," where n is seconds per process "max" is the maximum resource limit allowed by the operating system. Whether this directive is given one value or two, the first value is always the soft resource limit. If there are two values, the second is the hard resource limit.

RLimitMEM
Syntax: RLimitMEM n|max [n|max]
RLimitMEM sets the memory resource limit for all server processes. It can have one or two values, and the values are either n or "max," where
n is bytes per process "max" is the maximum resource limits allowed by the operating system Whether you give this directive one value or two, the first value is always the soft resource limit. If there are two values, the second is the hard resource limit. User input gets posted to the web site.

Note: you can reduce the risks involved by the use of a cgi wrappers which runs the cgi as the user that owns the file rather than as the Apache Web Server user. Some cgi wrappers will do additional security checks as well.

Step 10. This is really just for fun. Change the authentication error message to get a unauthorized user thinking if he should really continue or not. Put the following code inside the htttpd.conf:

ErrorDocument 401 “Your message goes here”.

You can create a special page like “While you were busy trying to get into my server, I was busy tracking your ip to your ISP. “Just so you are aware, after three failed attempts to authenticate successfully, my server forwards your information with the details to your ISP under the ‘violation of the terms of service agreement’ you opted in for to get your service. Good luck and have a nice day :>”

The key to the above is they really don’t know if it true or not and will steer some away. Security is not always locks and keys. Sometimes it’s the fear of the unknown.

Step 11. Do not use Java Script or ASP to secure your web site. There are many weaknesses to these methods are not recommended. Use basic authentication instead that is part of Apache Web Server.

Step 12. If you want to require user authentication for your whole site or just a section of there are several things that must be done and if one is not right it will fail. All of the following is from the command line and assumes your logged in a root or a user with root privileges.

a. Use .htpasswd to create a username and password for each user or one for a group of people to use.

At the cmd line type: “htpasswd -c /usr/local/etc/httpd/.htpasswd martin”.

The -c argument tells htpasswd to create new .htpasswd file. When you run this command, you will be prompted to enter a password for martin, and confirm it by entering it again. Other users can be added to the existing file in the same way, except that the -c argument is not needed. The same command can also be used to modify the password of an existing user.
After adding a few users, the /usr/local/etc/.htpasswd file might look like this:

martin:WrU808BHQai36
jane:iABCQFQs40E8M
accounting:FAdHN3W753sSU

The first field is the username, and the second field is the encrypted or hashed password.

The .htpasswd file goes into the same directory as the httpd.conf file. Such as etc/httpd/conf/.htpasswd

b. To get the server to use the usernames and passwords in this file, you need to configure a realm. This is a section of your site that is to be restricted to some or all of the users listed in this file. This is typically done on a per-directory basis, with a directory (and all its subdirectories) being protected (Apache Web Server 1.2 and later also let you protect individual files). The directives to create the protected area can be placed in a httpd.conf file.

To allow a directory to be restricted within another directory you first need to ensure that the httpd.conf file allows user authentication to be set up in a .htaccess file. This is controlled by the AuthConfig override. The httpd.conf file should include AllowOverride AuthConfig to allow the authentication directives to be used in a .htaccess file.

c. To restrict a directory to any user listed in the users file just created (.htaccess), you should create a .htaccess file containing:
(The .htaccess file goes into the target dir unless changed in the httpd.conf file)

Such as /home/httpd/html/.htaccess
authname "mycompany’s secured site"
authtype basic
authuserfile /etc/httpd/conf/.htpasswd
require valid-user

Since all web content in located in /home/mywebsite all configuration and Apache Web Server application files are located outside of your sites directory and as only as secure as you Linux machine is. This is a tutorial by itself.

The first directive, AuthName, specifies a realm name for this protection. Once a user has entered a valid username and password, any other resources within the same realm name can be accessed with the same username and password. This can be used to create two areas, which share the same username and password.

The AuthType directive tells the server what protocol is to be used for authentication. At the moment, Basic is the simplest method available but also transmits username and passwords in clear text which is its security weakness.
AuthUserFile tells the server the location of the user file created by htpasswd. A similar directive, AuthGroupFile, can be used to tell the server the location of a groups file (see below).

These four directives have between them tell the server where to find the usernames and passwords and what authentication protocol to use. The server now knows that this resource is restricted to valid users. The final stage is to tell the server which usernames from the file are valid for particular access methods. This is done with the require directive. In this example, the argument valid-user tells the server that any username in the users file can be used. But it could be configured to allow only certain users in:

“require user martin jane” would only allow users martin and jane access (after they entered a correct password). If user art (or any other user) tried to access this directory, even with the correct password, they would be denied. This is useful to restrict different areas of your server to different people with the same users file. If a user is allowed to access the different areas, they only have to remember a single password.

Note that if the realm name differs in the different areas, the user will have to re-enter their password.

Step 13. Disguise or limit the information Apache “server” header gives out
When a HTTP request is sent to a webserver, the server will respond with any necessary page content, and also, depending on how the server is configured, it will provide some information about the type of server software being used. For example, what I have typed appears in bold:

jason@london:~$ telnet www.example.com 80
Trying x.x.x.x...
Connected to www.example.com.
Escape character is '^]'.
GET /filethatdoesnotexist HTTP/1.0
HOST: www.example.com

HTTP/1.1 404 Not Found
Date: Sun, 04 May 2003 15:22:53 GMT
Server: Apache/1.3.19 (Unix) FrontPage/4.0.4.3 mod_ssl/2.8.2 OpenSSL/0.9.6g Auth
MySQL/2.20
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /filethatdoesnotexist was not found on this server.


<HR>
<ADDRESS>Apache/1.3.19 Server at www.example.com Port 80</ADDRESS>
</BODY></HTML>
Connection closed by foreign host.
jason@london:~$

If you look closely, you can see the server has passed back some vital information about itself in the line:

Server: Apache/1.3.19 (Unix) FrontPage/4.0.4.3 mod_ssl/2.8.2 OpenSSL/0.9.6g Auth MySQL/2.20

We can see that the server is Apache, Version 1.3.19, running on a UNIX system. We can also see modules that are loaded into the server, for example Frontpage and mod_ssl. With this information an attacker can begin attacking your system, with precision.

So… How do you stop this information being divulged?

There are 2 ways, the first, ideal if you are not really comfortable with editing the Apache source, then you can use “ServerTokens” to control what level of information is sent to the client with a HTTP response. Beware that some applications can still give away free information like phpbb , mysql, ssh that Apache cannot stop. You would need to fine tune these apps or use a firewall for that.

To use server tokens, you need to edit your httpd.conf file, and, firstly see if you already have a line/section called ServerTokens. If not, you can add it. A ServerTokens directive for the server we looked at earlier will probably look like:

ServerTokens Full

If a server tokens line is not specified, it will Apache will default to “Full” setting. Depending on what you set “ServerTokens” to, will control how much information revealed. Some newer versions of Apache come in "Prod" configuration by default, you need to check and see how your httpd.conf file is setup. Here is a quick table of the settings you can use, and the response that will be shown to the client:

ServerTokens Prod
Server sends (e.g.): Server: Apache

ServerTokens Min
Server sends (e.g.): Server: Apache/1.3.0

ServerTokens OS
Server sends (e.g.): Server: Apache/1.3.0 (Unix)

ServerTokens Full
Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2

Don’t forget, after changing your httpd.conf file to restart apache for the settings to take effect.

If you want to go to extremes, then the 2nd method is for you. What we will attempt to do is to change the Server header to impersonate a Microsoft IIS server, ie, so instead of server: apache, we now display: “Server: Microsoft-IIS/5.0”.

To make this change you will need to re-compile your apache server. At this stage, make a backup of your httpd.conf, and all of your webpages and graphics.

Download the apache source tarball from httpd.apache.org and unpack, then change to the directory that you unzipped to.

For version 1.3.27, open the file src/include/httpd.h (2.x users, edit include/ap_release.h), and change these lines:
#define SERVER_BASEPRODUCT “Apache”
#define SERVER_BASEREVISION “1.3.27”

to:

#define SERVER_BASEPRODUCT “Microsoft-IIS”
#define SERVER_BASEREVISION “5.0”

Then proceed to recompile apache, and test.

For further questions on web server security see: http://www.w3.org/Security/Faq/
http://httpd.apache.org/docs-2.0/mis...rity_tips.html
http://httpd.apache.org/docs/misc/security_tips.html
 

make space for linux in dual boot without repartitioning

NOTE: if you read the tutorial and are still experiencing difficulties and would like help, you are asked to start a new topic on the forums.
Please do NOT reply to this thread to ask a technical question. Replies to THIS thread should be corrections and enhancements on the tutorial/howto only.
Thanks in advance for your co-operation.
LinuxForums.org

------------------------------------------

Note: I am not a linux expert. So verify these steps.

If you have a dual boot system with windows and your linux partition is falling

short of space this article will help you grab windows partition disk space to

linux (grabbed space will have ext2 filesystem !) WITHOUT REPARTITIONING

I have fedora core 1 and win98 dual boot. LINUX 3.5 GB, WINDOWS 35 gb. Soon my linux

space was insufficient.

Mounting a windows fat32 partition /dev/hdax (/dev/hda1 is your c in /mnt/y using

mount -t msdos /dev/hdax /mnt/y

won't be any good as the files in it does not support long file names .To test : make text files

yourname1 and yourname2 in your ext2/ext3 partiton ie /root or any directory were dos

partitions are not mounted. Now try copying the above files one after the other into /mnt/y

were dos drive is mounted. It will ask for overwriting conformations !!!. That means whenever

you want to use such mounted drives, some files, like above two, cannot be saved in same

directory !!!.

So this is what you have to do : use a loop filesystem.

A loop filesystem is one created in a file in a partiton with any other/same file system.
So you will be creating a file in your mounted dos partiton, make ext2 filesystem in that
file, mount that file as a 'partiton' and use the space in that file to save your linux data.
Thus you are using your dos space but still having ext2 filesystem. None of the above
problems of filename exists here, but it might be a bit slow.

Lets start (i assume you are root):

1. mount your dos partiton (preferably avoid c drive) /dev/hdax in existing path /mnt/y by

mount -t msdos /dev/hdax /mnt/y

2. make a file fedora.img of say 100 mb which acts as loop filesystem

dd if=/dev/zero of=/mnt/y/fedora.img bs=1024 count=102400

'bs' is blocksize. To make 'A' MB filesystem get count value as Ax1024=B formula

3. make ext2 filesystem in that file

mkfs -t ext2 /mnt/y/fedora.img

Press y when asked. This will successfully create the loop filesystem.

4. WARNING: Now we will mount this filesystem only in a newly created directory. Do not

mount in existing paths like /usr or /root etc !

Do 'mkdir /root/test'. Add lines

/dev/hdax /mnt/y msdos defaults

/mnt/y/fedora.img /root/test ext2 loop 0 0

to your /etc/fstab file (please back it up first). The first line is to mount ur /de/hdax.

5. Restart linux or use 'disk management' tool to mount the loop filesystem in /root/test.

( /dev/hdax should be mounted first )

6. Now the folder /root/test uses windows partition and not your linux space. Use it to

save files/folders which were occupying large space in linux. I will give you my example:


i had the source of kernel 2.6.7 in /usr/src path in directory linux-2.6.7 occupying 315 MB. So

i copyed the contents of /usr/src/linux-2.6.7/ to /root/test/ (ofcourse my loop was bigger than

created above. It was of 350 Mb). I did not copy linux-2.6.7 directory itself, only whatever is

inside it to /root/test/ Remember to enable view of hidden files and copy them also to /root/test/

Now I deleted the directory /usr/src/linux-2.6.7/ contents (keep the directory linux-2.6.7,

remove its contents only) (remember to backup till you are confident with this method)

Thus i freed my linux space !!!

Then i unmounted the loop filesystem in /root/test by
editing my /etc/fstab to remove line

/mnt/y/fedora.img /root/test ext2 loop 0 0

and adding

/mnt/y/fedora.img /usr/src/linux-2.6.7 ext2 loop 0 0

and restarting my comp.

7: Use 'df' to view the results. I again had my /usr/src/linux-2.6.7/ but now it was using loop

filesystem present in windows partiton.

8. If you want to shift a file/folder to loop filesystem, then create around 20 mb bigger

filesystem than your file/folder. Otherwise you might get disk full errors. I don't know why ?

And thats all. I was able to free around 700 MB of linux space and grab windows space

without repartitioning anything. U can use the mounted loop filesystem in many other ways.

Attaching new harddisk to your system mini-howto

NOTE: if you read the tutorial and are still experiencing difficulties and would like help, you are asked to start a new topic on the forums.
Please do NOT reply to this thread to ask a technical question. Replies to THIS thread should be corrections and enhancements on the tutorial/howto only.
Thanks in advance for your co-operation.
LinuxForums.org

------------------------------------------


For this small tutorial we assume the following.
You have a system with one harddisk in it and as primary OS: Linux.
As this is a 10GB drive and you are running low on diskspace you buy a new, bigger and better one. Instead of replaceing the old one, you want to create several partitions on your new harddrive and mount them on boot time.
(Your CD/DVD is installed as primay on your second IDE controlere and therefore known as : /dev/hdc)

Your primary harddisk is known to linux as /dev/hda
You install you new HD in you machine and connet the cables.
Since it will be a slave to the primary disk it will be known as /dev/hdb

You'll notice that during bootup linux will see the new harddisk and show some information about it:
Here is an example from dmesg:
 
Code:
hda: ST38410A, ATA DISK drive
blk: queue c0402f40, I/O limit 4095Mb (mask 0xffffffff)
hdb: ST38410A, ATA DISK drive
blk: queue c0402f40, I/O limit 4095Mb (mask 0xffffffff)
hdc: SAMSUNG DVD-ROM SD-616F, ATAPI CD/DVD-ROM drive
hdd: R/RW 4x4x32, ATAPI CD/DVD-ROM drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
ide1 at 0x170-0x177,0x376 on irq 15
hda: attached ide-disk driver.
hda: host protected area => 1
hda: 16841664 sectors (8623 MB) w/512KiB Cache, CHS=1048/255/63, UDMA(33)
Partition check:
 hda: hda1 hda2
hdb: attached ide-disk driver.
hdb: host protected area => 1
hdb: 16841664 sectors (8623 MB) w/512KiB Cache, CHS=1048/255/63, UDMA(33)
Partition check:
<none>
ide: late registration of driver.
If you start in graphical mode, login and open a terminal session and su to the user: root.
When booting into text mode, log as root.

Type: fdisk /dev/hdb

 
Quote:
[root@garfield root]# fdisk /dev/hdb

The number of cylinders for this disk is set to 1048.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)

Command (m for help):
You'll see something like the above quote.
Our HD is for this example 30GB and we want to create 3 partitions of 10GB each.
Press n to create a new partition,
select if you want to create a primary or extended partition.
For this example we'll now create a primay partition.
Press P to create a primay partition
select the partition number 1 - 4
Select the starting cylinders, usualy : 1
type +10000M to select the ending of the first partition at 10GB.

example:
 
Quote:
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-1868, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-1868, default 186: +10000M
You can display partition table information by pressing p


 
Quote:
Command (m for help): p

Disk /dev/hdb: 15.3 GB, 15367790592 bytes
255 heads, 63 sectors/track, 1868 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/hdb1 1 1217 9775521 83 Linux

Command (m for help):
As you can see, one partition of 10GB future moutable as /dev/hdb1

To create the second press n again, select primary.
Default the starting cylinder is the previous ending +1,
If the previous partition ended at block 1217 the new one will start at 1218.
For the last cylinder of type: +10000M again.
This will create the second 10GB partition.
Type p to verifiy and view the partition table.
Now do the same for partition 3.

Now we're done, but still need to write the new partition table to disk,
this is done by pressing: w
You'll return to the root prompt when the new partition table information is written to disk.
Reboot the system and login again as user root or as yourself and su - to user root.

Now it's time to format the partitions and select a future mounting position.
We can choose from various filesystems.
EXT2 is the old one, but we want the journaling version; EXT3
To format the partitions type: mkfs.ext3 /dev/hdb1
For the other partitions this would be :
mkfs.ext3 /dev/hdb2
mkfs.ext3 /dev/hdb3

Now it's time to modify the fstab to mount these partitions in the future at boot time.
Let's say that partition1 (/dev/hdb1) will be used to store webpages and you want to mount it under the htdocs directory of apache.
I've installed apache in /opt/apache
but a default installation of Fedora Core will place the www root dir in /var/www
To locate where you web root directory is type : locate htdocs
For this example we'll assume it's locate in /var/www/htdocs
Edit the fstab in the etc directory:
I prefer VI but use any editor you want.
Note:You'll need to be logged in as superuser to modify the fstab.
Insert at the bottom line the following:
 
Code:
/dev/hdb1       /var/www/htdocs        ext3    defaults        1  1
Save and quit.
Next time you boot partition 1 of the new harddisk will be mounted at /var/www/htdocs
check before rebooting that the dir /var/www/htdocs is empty if not make a copy in your /root/ dir so that the next time you boot up you can place all the file that were there are restored.
(There are different way to do the same, but this is the quickest one for the less experienced ones.)
Now we want partition 2 to mount at /opt
(it's default an empty or non-exising dir.)
And entry in the fstab would look like:
 
Code:
/dev/hdb2       /opt        ext3    defaults        1  1
Let's say you want the /home dir to be the mount point of partition 3 ...
But there are 4 users with data in. Mounting it now there will make all that information 'disappear'. We can't have that...
Mount partition 3 behind folder /mnt , so we can copy all information there.
type:mount -t ext3 /dev/hdb3 /mnt
now start up Midnight commander and copy the contents of /home to the just mounted disk at /mnt
Or cd /home and type: cp -R * /mnt
Wait until everything is done.
Now we can modify the fstab.
And a line like the following:
 
Code:
/dev/hdb3       /home        ext3    defaults        1  1
Since you copied the information the next time you boot the system everything is still there.

Okies, this should give you a short insight into how to create partitions, format them and mount them at boot time.
 

CD-Ripping HOWTO

NOTE: if you read the tutorial and are still experiencing difficulties and would like help, you are asked to start a new topic on the forums.
Please do NOT reply to this thread to ask a technical question. Replies to THIS thread should be corrections and enhancements on the tutorial/howto only.
Thanks in advance for your co-operation.
LinuxForums.org

------------------------------------------


The tool I've used for CD ripping is KAudioCreator, but you could use any other ripping tool if you wish.

Permissions
----------------
To avoid initial problems it is best that you sort these out beforehand. in the /dev/ directory there should be a file called hdc, which represents the drive you'll be ripping from (this could be hdd, depending on your setup - so find out which it is first). Right click on this and select 'properties'. Then you click on the permissions tab. To allow you to perform ripping duties as a non root user, you need to put the name of your non-root account in the user box.

CD Data Retrieval
-----------------------
After this is sorted you will need to deal with the data retrieval. Usually this is set so that you can download the CD details from the online database freedb. However, you might not have internet so you'll need an alternative measure. Some CD rippers (like KAudioCreator) fail to work properly if you have no internet and the 'cache and remote' setting is selected.

The alternative is to enter data manually. This means launching your CD Ripper and going to the configuration pages. There you should find a 'cache only option'. This will enable you to enter data manually. Almost there!

File locations
-------------------
In your ripper you may or may not have a wizard to help you select where the files will be placed. If you do, then they will help you through the procedure. If you don't have wizards, go to the configuration pages and you should find two fields - one for the location for the playlist and the other for the ripped files.

The actual ripping and compression
------------------------------------------
Now this will depend on what software you have, but this stage should be self explanatory apart from one thing - file compression. There are three formats - mp3, ogg and FLAC. If you have the LAME program then you can compress wav files to mp3. If you don't, I recommend either getting that or the Ogg Vorbis utility which produces the .ogg files. These can (like mp3s) be played on most media players and are a good alternative.

And finally....
------------------------
If anyone feels anything should be added to this HOWTO or commented on, then please post a message. I'd also like to hear if any of you found this post useful in any way.