Showing posts with label Networking. Show all posts

Sunday, May 22, 2011


How to increase Kernel Memory

  • ikraninc

  • To increase kernel memory (the shared-memory limit, kernel.shmmax), run the following commands in a terminal:

    > su
    > "Type root password"
    > echo 2147483648 > /proc/sys/kernel/shmmax
    > sysctl -w kernel.shmmax=2147483648
    > echo "kernel.shmmax=2147483648" >> /etc/sysctl.conf

    If a problem occurs (the service stops) in the approval application when a user approves a transaction, follow the two steps below to correct it.

    First step:

    > sed -i 's/XINERAMA/FAKEEXTN/g' /usr/java/j2sdk1.4.2_18/jre/lib/i386/libawt.so 
    > sed -i 's/XINERAMA/FAKEEXTN/g' /usr/java/j2sdk1.4.2_18/jre/lib/i386/libjawt.so
    Note: In the two commands above I have given the JRE path for Java 1.4.2; if you have a higher version, the path may differ.

    Second step: Add the following line as the first line of the "/etc/init.d/Streamline_Approval" file:

    export LIBXCB_ALLOW_SLOPPY_LOCK=1
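    A small helper, added here as an example and not part of the original post, for the sysctl.conf step at the top of this post: appending with >> adds another kernel.shmmax line on every run, so the function below removes any existing line for the key before writing one and /etc/sysctl.conf keeps a single value. The conf path, key and value are arguments; apply_and_persist_shmmax is a hypothetical convenience name.

```shell
#!/bin/sh
# Added example (not from the original post): persist a sysctl setting such as
# kernel.shmmax without leaving duplicate lines in /etc/sysctl.conf.
# Usage: persist_sysctl /etc/sysctl.conf kernel.shmmax 2147483648

persist_sysctl() {
    conf="$1"; key="$2"; value="$3"
    [ -f "$conf" ] || : > "$conf"
    # Escape the dots in the key so the pattern matches literally (kernel\.shmmax).
    pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
    # Drop every existing "key = value" line for this key (also old duplicates) ...
    sed -i "/^[[:space:]]*${pattern}[[:space:]]*=/d" "$conf"
    # ... then write exactly one line.
    printf '%s = %s\n' "$key" "$value" >> "$conf"
}

# Print the value persisted for a key (empty output if the key is absent).
persisted_value() {
    conf="$1"; key="$2"
    pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
    sed -n "s#^[[:space:]]*${pattern}[[:space:]]*=[[:space:]]*##p" "$conf" | tail -n 1
}

# Apply the value now and persist it for the next boot; must run as root.
# The default is the value used in the post.
apply_and_persist_shmmax() {
    value="${1:-2147483648}"
    sysctl -w "kernel.shmmax=${value}" && persist_sysctl /etc/sysctl.conf kernel.shmmax "$value"
}
```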

    Replication Implementation pg-pool Installation for PostgreSQL Replication.

  • ikraninc

  • After downloading the pgpool file, copy the tar file to your home directory, then extract it as follows:

    > tar -xvf pgpool-II-2.3.3.tar.gz

    After extracting the source tarball, execute the configure script:

    Configure
    > su
    > "type the root password"
    > cd pgpool-II-2.3.3
    > ./configure
    > make
    > make install

    This will install pgpool-II.




    After installation, copy the pgpool.conf and pcp.conf files to the following location:

    /usr/local/etc/


    Then create the new database, e.g. “replicatedb”, on both the master and slave servers:

    # /usr/local/pgsql/bin/createdb -p 9999 -U streamline replicatedb

    Restore the database backup into replicatedb:

    # /usr/local/pgsql/bin/pg_restore -p 9999 -U streamline -v -Fc -d replicatedb /home/erpsupport/demo.Backup
                  

    Note: The database names and their passwords must be the same on both the master and slave servers.




    Important Instructions For Replication using postgres (PGsql), java in fedora machine.

  • ikraninc

  • Here we are testing replication using the Streamline ERP system (one of the largest ERP systems for garments), PostgreSQL 8.2, Java, pgpool and Fedora 9.

    1.  Restarting  Streamline Services:

    When you need to restart Streamline Services you should restart pgpool also.

    Follow the steps below to restart the Streamline services and pgpool:

    Step-1: Stop the Streamline Services
    Step-2: Stop the pgpool
    -->pgpool -m fast stop

    Step-3: Start the pgpool
    -->pgpool -n &
    Step-4: Start the Streamline Services


    2.  Restarting  pgpool:

    When you need to restart the pgpool you should follow the same procedure.

    Step-1: Stop the Streamline Services
    Step-2: Stop the pgpool
    -->pgpool -m fast stop
    Step-3: Start the pgpool
    -->pgpool -n &
    Step-4: Start the Streamline Services



    3.  Restarting Master Server:

    If you need to restart the master server, follow this procedure:
    Step-1: Stop the Streamline Services
    Step-2: Stop the pgpool
    -->pgpool -m fast stop
    Step-3: Stop the postgres service in Master server

    --> su
    -->
    --> su postgres
    --> /usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data/ -m fast stop

    Step-4: Then Restart the Master Server Machine
    Step-5: Then start the postgres service on the master and check that the slave postgres is also running
    Step-6: Start the pgpool
    -->pgpool -n &
    Step-7: And Start the Streamline Services

    4.  Restarting Slave Server:
    If you want to restart the slave server, follow this procedure:
    Step-1: Stop the Streamline Services
    Step-2: Stop the pgpool in mainserver
    -->pgpool -m fast stop
    Step-3: Stop the postgres service in Slave server
    --> su
    -->
    --> su postgres
    --> /usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data/ -m fast stop
    Step-4: Then Restart the Slave Server Machine
    Step-5: Then start the postgres service on the slave and check that the master postgres is also running
    Step-6: Start the pgpool in mainserver
    -->pgpool -n &
    Step-7: And Start the Streamline Services

    5.  If the slave server connection failed due to a network problem, or the slave machine crashed:
    *  Restart the Streamline and pgpool services on the main server, so that reports get their data from the main server.
    *  Once the slave server is ready, follow the steps below to re-enable replication.
    Step-1: Stop the Streamline Services
    Step-2: Stop the pgpool
    -->pgpool -m fast stop
    Step-3: Stop the postgres service in Slave server
    --> su
    -->
    --> su postgres
    --> /usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data/ -m fast stop

    Step-4: Stop the postgres service in Master server
    --> su
    -->
    --> su postgres
    --> /usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data/ -m fast stop

    Step-5: Delete the “data”  folder in slave server
    --> su
    -->
    --> rm -rf  /usr/local/pgsql/data
    Step-6: Then create the “data” folder in slave server
    --> su
    -->
    --> mkdir  /usr/local/pgsql/data
    --> chown postgres /usr/local/pgsql/data

    Step-7: Copy the “data” folder from Master server to Slave server “data” folder through rsync.
    --> su
    -->
    -->  rsync -r -v -d -p -o -g -l root@192.168.0.41:/usr/local/pgsql/data/ /usr/local/pgsql/data/

    “While using rsync, we need to enter the root password of the main server each and every time.”

    Step-8: After the “data” folder copy completes, delete the tablespace folders on the slave server:
    --> su
    -->
    --> rm -rf /d_op_doc/
    --> rm -rf /d_planning/
    --> rm -rf /d_edi_stores/

    Step-9: Then copy each tablespace folder from the master to the slave machine (each folder to its own path):
    --> su
    -->
    --> rsync -r -v -d -p -o -g -l root@192.168.0.41:/d_op_doc/ /d_op_doc
    --> rsync -r -v -d -p -o -g -l root@192.168.0.41:/d_planning/ /d_planning
    --> rsync -r -v -d -p -o -g -l root@192.168.0.41:/d_edi_stores/ /d_edi_stores
    Step-10: Start the postgres service in  Master server
    Step-11: Start the postgres service in  slave server
    Step-12: Start the pgpool
    -->pgpool -n &
    Step-13: Start the Streamline services.



    Wednesday, April 27, 2011


    Five ways to protect your Wi-Fi network from hackers

  • ikraninc

  • 1. Set up a password - or even better - an encryption key

    Adding some kind of password to your network is a way to immediately discourage probably 99 percent of the people who could jack into your Wi-Fi connection remotely, and it really is just about the easiest thing ever to do to protect yourself. All you need is the Ethernet cable that comes with a router when you pull it out of the box or installed by a cable company, and the manual that comes with the router. By using the cable to plug directly into the router, a computer can access the router’s internal settings using an Internet browser. The address (usually in the form of what’s called an IP address, generally 192.168.1.1 or something similar) gets you into the router’s inner workings, but you need the cable to access it, so it can’t be altered remotely. The router’s manufacturer password is also included in the manual (usually it’s “admin” or “password”), and you should change that too from the settings menu for added internal security to keep prying eyes out.
    From there, it’s usually as simple as going to the security settings for your router and activating an encrypted password called a WEP or WPA key. This is presented in the form of a long chain of letters and numbers that the router can generate for you. You can specify a password of your own, but the router’s generated key is a much stronger encryption than using a password someone might be able to guess. Most modern computers will save passwords when you connect to your home Wi-Fi network, so you shouldn’t need to specify the network password again when signing onto the Internet, unless something gets reset.

    2. Turn on MAC address filtering and router firewalls

    While it is absolutely essential to use a password or encryption key to keep your Wi-Fi network secure, there are a number of other easy steps to make it even more protected.
    Each computer that uses your network has a specific number attached to it called a “MAC (Media Access Control) address.” This is actually a physical number assigned to the actual Wi-Fi adapter hardware in your computer or mobile device. From the internal settings of your router, you can determine the MAC addresses of the computers that you want to be able to access your network and specify them to the router. Any device that doesn’t have the right MAC address will be denied access.
    In order to set MAC addresses, you’ll need to have the devices you want to be able to use on your network connected so you can see their addresses in the router’s “MAC Address” section. There, you can usually just click a button that turns on the router’s MAC limiting setting, and then select which addresses are allowed access to the network.
    Most routers also have an internal firewall program you can enable from the settings menu. This is anti-hacking software that makes a network more difficult to access from the outside, and turning it on is generally really easy. It’s also a good idea to protect your computers and devices with firewall software (Windows has one built in, but it’s not a bad idea to invest in better ones) that you can buy commercially to protect your data even further.
    There is a slight inconvenience with MAC address filters, as they can complicate things whenever you want to add a new device to your network. So if your wife's cousin wants to connect to the network, for instance, you'll need to go back and add his MAC address to the router's list. Of course, this is a small price to pay for added security.

    3. Change your network’s SSID and make it invisible

    From within the same settings menus that you adjusted the MAC settings and turned on your encryption key, you can also set whether your Wi-Fi network is “discoverable.” This means that the router won’t broadcast its ID information (called the SSID) over the air for other devices to lock onto. Only devices that know to look for the router, like the ones you’ve already authorized to connect to it, will be able to use your connection.
    Generally, you’ll find the ability to alter discoverability in the security tab of your router’s settings browser window. It’s usually a button that discusses making your network discoverable or disabling SSID broadcast. This is also a good opportunity to change your router’s SSID to something other than the manufacturer preset. There’s a reason you see so many networks named "Linksys" or "D-Link" -- those are routers that have their manufacturer defaults still activated, and they suggest to hackers that the passwords are still set to defaults as well. Either way, it’s easier for someone to get into your network when they have more information, and a manufacturer SSID doesn’t help. Change it, then make it invisible. Just remember: You don’t want your network discoverable, and you don’t want your router to broadcast its SSID. Turn those things off.

    4. Assign IP addresses to your devices

    This gets a bit technical, but like the MAC address filtering, it’s not nearly as complex as it at first seems. Each device that connects to the Internet does so using what’s called an IP address. Most networks use a system called “dynamic IP addresses,” which means that every time you connect to your network, the system assigns a temporary IP address to your system. That’s easy, but it also means anyone jacking into your network can get a temporary address just as easily as you can.
    Instead, look for a tab in your router’s setup menu that lets you set “static IP addresses.” Like MAC filtering, you should be able to see the addresses of your devices at the moment; write them down, or specify a series of numbers to the router when you’re prompted to. These look complex (they’re usually long, like the 192.168.1.1 address), but that doesn’t mean they have to be complicated. You can actually set addresses with the same sets of numbers up front, but alter the numbers at the end to keep them consistent and easy to remember for you, but more difficult for intruders to access.
    Once you set static IP addresses, you’ll have to use the numbers you wrote down on your computers when they try to connect to the network. In your Network Settings, you can specify a device’s IP address so that it always uses the same number, then you can tell your router to only allow devices using those specified addresses to connect. While the MAC filtering will keep out some less in-the-know network jumpers, more complex hackers can get around that technology; they’ll have more trouble with your static, filtered IP addresses.

    5. Avoid open, unprotected Wi-Fi networks

    This is more for when you’re out in the world than at home, using your computer or smartphone to try to access the Internet when you’re at the airport or in other places. Beware of open, access-free networks. If they’re open to you, that means they’re open to other people, too, and your sensitive information can be plucked out of the air by people who have a little bit of expertise in this area.
    “Free Public Wi-Fi,” for example, is a network that will often pop up in public places when you’re searching for a network. Don’t connect to it, though, as it isn’t really a free public network, and could very well be a quick and easy way for someone with ill intentions to get access to your computer.
    For the most part, the best thing you can do is avoid open networks you don’t trust whenever possible. If you do decide to access an open network, limit what you do on it. Don’t access sensitive websites or use important data like your bank passwords while attached to the network. You should also take steps to keep your computer from saving sensitive Internet information that could be accessed later, like a history or cookies cache. These are bits of data your web browser saves from websites to make accessing them easier later. When you tell a website to save your password, for example, it leaves a “cookie,” a small piece of data, in your browser for use later. You can easily clear these from your browser’s settings menu.
    These are simple steps you can take to protect your network, your data and your privacy, but the technical aspect often frightens off people who aren’t familiar with their Internet hardware. Trust us when we say that it’s usually less complicated than it appears. Consult your router’s manual if you need to, and look for the keywords in your router’s settings menu: things like “encryption key,” “firewall,” “disabling broadcasting and IP” and “MAC address filters” are good. Once you set them up and write the numbers down, you should be able to breathe a little easier knowing your access to the Internet is protected.

    Sunday, April 10, 2011


    The Default Port Forwarding Guide for the Linksys WRT54G

  • ikraninc

  • To set up port forwarding on this router, your computer needs to have a static IP address.
    Try our free PF Setup Static IP Address Program, which will set up a static IP address for you.

    Or you can take a look at our Static IP Address guide to set up a static IP address. When you are finished setting up a static IP address, please come back to this page and enter the IP address you set up in the Static IP Address box below.

    Do not skip this step!

    Open a web browser like Internet Explorer or Firefox. Enter the internal IP address of your router in the address bar of your browser. If you do not know your router's internal IP address, please read our How To Find Your Routers IP Address guide.

    In the picture above the address bar has http://www.google.com in it. Just replace all of that with the internal IP address of your router. By default the IP address should be set to 192.168.1.1.
    You should see a box prompting you for your username and password. Enter your username and password now. By default the username is blank, and the password is admin. Click the Ok button to log in to your router.

    Please visit our Default Router Passwords page if the username and password shown above did not work for you.
    Click the Security link near the top of the page.
    Remove the checkmark from the Block Anonymous Internet Requests checkbox.
    Click the Save Settings button near the bottom of the page.
    Click the Applications & Gaming link near the top of the page.
    You should now see a new menu. In this new menu, click Port Range Forward.
    Enter the name of the program into the Application box. It doesn't really matter what you put into this box, but something that will remind you why these ports are being forwarded would be a good idea.
    If you are forwarding a single port, enter that port number into the Start and the End boxes. If you are forwarding a range of ports, enter the lowest number of that range into the Start box. Then enter the highest number of that range into the End box.
    Use the Protocol drop down box to select the protocol type of the ports you are forwarding.
    Enter the ip address to forward these ports to into the IP Address box. If you are forwarding ports so you can run a program on your computer, you should enter your computer's ip address into that box.
    Put a checkmark in the Enable checkbox.
    When you're finished, click Save Settings near the bottom of the screen to save your changes.

    And that's it! You're done!

    Tuning Windows systems. How to tune Windows XP and Windows 2003 operating systems to optimize performance.

  • ikraninc

  • This topic describes how to tune Windows 2000, Windows XP, and Windows 2003 operating systems to optimize the performance of WebSphere Application Server. Because Windows operating systems are not WebSphere Application Server products, be aware that the products can change and results can vary.

    About this task

    When you have a performance concern, check the operating system settings to determine if they are appropriate for your application.

    Procedure

    Configure the following settings or variables according to your specific tuning needs:
    • TcpTimedWaitDelay
      • Description: Determines the time that must elapse before TCP/IP can release a closed connection and reuse its resources. This interval between closure and release is known as the TIME_WAIT state or twice the maximum segment lifetime (2MSL) state. During this time, reopening the connection to the client and server costs less than establishing a new connection. By reducing the value of this entry, TCP/IP can release closed connections faster and provide more resources for new connections. Adjust this parameter if the running application requires rapid release, the creation of new connections, or an adjustment because of a low throughput caused by multiple connections in the TIME_WAIT state.
      • How to view or set:
        1. Use the regedit command, access the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters registry subkey, and create a new REG_DWORD value named TcpTimedWaitDelay.
        2. Set the value to decimal 30, which is Hex 0x0000001e. This value sets the wait time to 30 seconds.
        3. Stop and restart the system.
      • Default value: 0xF0, which sets the wait time to 240 seconds (4 minutes).
      • Recommended value: A minimum value of 0x1E, which sets the wait time to 30 seconds.
    • MaxUserPort
      • Description: Determines the highest port number that TCP/IP can assign when an application requests an available user port from the system.
      • How to view or set:
        1. Use the regedit command, access the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters registry subkey, and create a new REG_DWORD value named MaxUserPort.
        2. Set this value to at least decimal 32768.
        3. Stop and restart the system.
      • Default value: None
      • Recommended value: At least decimal 32768.
    • MaxConnect Backlog
      • Description: If many connection attempts are received simultaneously, increase the default number of pending connections that are supported by the operating system.
      • How to view or set:
        1. Use the regedit command and access the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters registry subkey
        2. Set (and create if necessary) the following values:
          "EnableDynamicBacklog"=dword:00000001
          "MinimumDynamicBacklog"=dword:00000020
          "MaximumDynamicBacklog"=dword:00001000
          "DynamicBacklogGrowthDelta"=dword:00000010
        3. These values request a minimum of 20 and a maximum of 1000 available connections. The number of available connections is increased by 10 each time that there are fewer than the minimum number of available connections.
        4. Stop and restart the system.
    • TCP/IP acknowledgements
      • TCP/IP can be the source of some significant remote method delays. You can increase TCP performance by immediately acknowledging incoming TCP segments, in all situations.
        Complete the following steps to immediately acknowledge incoming TCP segments on a server that runs a Microsoft Windows 2000 operating system:
        1. Start the Registry Editor (regedit.exe).
        2. Locate and click the following registry subkey:
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
        3. On the Edit menu, click Add Value, and create the following registry value:
          Value name: TcpDelAckTicks 
          Data type: REG_DWORD 
          Value data: 0 
          Quit Registry Editor. 
          
        4. Restart your Windows operating system.
        Similarly, to immediately acknowledge incoming TCP segments on a server that runs a Microsoft Windows XP or Windows Server 2003 operating system:
        1. Start the Registry Editor (regedit.exe).
        2. Locate and then click the following registry subkey:
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
        3. On the Edit menu, click New > DWORD Value.
        4. Name the new value, TcpAckFrequency, and assign it a value of 1.
        5. Close the Registry Editor.
        6. Restart your Windows operating system.

    Tuning Linux systems. How to increase Linux system performance.

  • ikraninc

  • This topic describes how to tune the Linux operating system to optimize the performance of your WebSphere Application Server.

    About this task

    When you have a performance concern, check the operating system settings to determine if these settings are appropriate for your application. Because the Linux operating system is not a WebSphere Application Server product, be aware that it can change and results can vary.

    Procedure

    Configure the following settings and variables according to your tuning needs:
    • timeout_timewait parameter
      • Description: Determines the time that must elapse before TCP/IP can release a closed connection and reuse its resources. This interval between closure and release is known as the TIME_WAIT state or twice the maximum segment lifetime (2MSL) state. During this time, reopening the connection to the client and server costs less than establishing a new connection. By reducing the value of this entry, TCP/IP can release closed connections faster, providing more resources for new connections. Adjust this parameter if the running application requires rapid release, the creation of new connections, or suffers low throughput due to many connections sitting in the TIME_WAIT state.
      • How to view or set: Issue the following command to set the timeout_timewait parameter to 30 seconds:
        echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    • SUSE Linux Enterprise Server 8 (SLES 8) SP2A - sched_yield_scale tuning
      • Description: The Linux scheduler is very sensitive to excessive context switching, so fixes are integrated into the SLES 8 kernel distribution to introduce delay when a thread yields processing. This fix is automatically enabled in SLES 8 SP3, but must be enabled explicitly in SLES 8 SP2A or later.
      • How to view or set:
        1. Upgrade your SLES 8 service pack to SP2A.
        2. Issue the sysctl -w sched_yield_scale=1 command.
      • Default value: 0
      • Recommended value: 1
    • RedHat Advanced Server 2.1 kernel update
      • Description: Kernel updates for RedHat Advanced Server 2.1 implemented changes that affect WebSphere Application Server performance, especially memory-to-memory HTTP session replication.
      • How to view or set:
        1. Issue the uname -a command.
        2. If you are running any kernel prior to 2.4.9-e.23, upgrade at least to the RedHat Advanced Server 2.1 kernel, but preferably to the latest supported.
      • Default value: 2.4.9-e.3
      • Recommended value: 2.4.9-e.23
    • Linux file descriptors (ulimit)
      • Description: Specifies the number of open files that are supported. The default setting is typically sufficient for most applications. If the value set for this parameter is too low, a file open error, memory allocation failure, or connection establishment error might be displayed.
      • How to view or set: Check the UNIX reference pages on the ulimit command for the syntax of different shells. To set the ulimit command to 8000 for the KornShell shell (ksh), issue the ulimit -n 8000 command. Use the ulimit -a command to display the current values for all limitations on system resources.
      • Default value: For SUSE Linux Enterprise Server 9 (SLES 9), the default is 1024.
      • Recommended value: 8000
    • Connection backlog
      • Description: Change the following parameters when a high rate of incoming connection requests results in connection failures:
        echo 3000 > /proc/sys/net/core/netdev_max_backlog
        echo 3000 > /proc/sys/net/core/somaxconn
        
    • TCP_KEEPALIVE_INTERVAL
      • Description: Determines the wait time between isAlive interval probes.
      • How to view or set: Issue the following command to set the value:
        echo 15 > /proc/sys/net/ipv4/tcp_keepalive_intvl
      • Default value: 75 seconds
      • Recommended value: 15 seconds
    • TCP_KEEPALIVE_PROBES
      • Description: Determines the number of probes before timing out.
      • How to view or set: Issue the following command to set the value:
        echo 5  > /proc/sys/net/ipv4/tcp_keepalive_probes
      • Default value: 9 (probes)
      • Recommended value: 5 (probes)
    • Allocating large pages for Java virtual machine (JVM) heap (tested with SLES 9) Some applications require a very large heap for optimal performance. The CPU overhead of managing a large heap can be reduced by using the "large page" support that is provided by the CPU and operating system. The following example assumes a large page size of 4MB and a desired heap size of 2300MB.
      1. Set the following three settings in the sysctl.conf file, typically located at /etc/sysctl.conf.
        Note: You must have root privilege access to modify this file. Also, verify the file is not marked as read-only before attempting to make changes.
        1. Set the number of large pages (2300MB = 575 * 4MB) by adding the following line:
          vm.nr_hugepages = 575
        2. Set the maximum shared segment size to 2300MB plus a little more (about 95MB) (2511724800 = 2300MB * 1048576 bytes/MB + 100000000 bytes) by adding the following line:
          kernel.shmmax = 2511724800
          
        3. Set the total amount of memory to be shared by adding the following line:
          kernel.shmall = 2511724800
          
      2. Set the Xmx JVM option to 2300MB.
      3. Relocate the program text to a lower virtual memory address (0x10000000) to provide more address space for a larger heap. On SUSE Linux Enterprise Server 9, run the following command to relocate the text in the script that invokes the JVM or in a .profile file:
        echo "0x10000000" > /proc/self/mapped_base
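    The large-page sizing above, as an added example that is not part of the original page: hugepage_sysctl derives the three sysctl lines from the heap size and the large page size (2300 MB and 4 MB give exactly the values listed), and hugepages_reserved reads a /proc/meminfo-style file after the reboot to confirm that the kernel actually reserved enough pages, a check the procedure itself never makes. The 100000000-byte slack is the page's own figure; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): size the large-page settings for
# a JVM heap and verify the reservation afterwards.
# Usage: hugepage_sysctl 2300 4 >> /etc/sysctl.conf
#        hugepages_reserved /proc/meminfo 2300 4 && echo "pages reserved"

# Print the vm.nr_hugepages, kernel.shmmax and kernel.shmall lines for a heap
# of $1 MB with a large page size of $2 MB (default 4, as on the page).
hugepage_sysctl() {
    heap_mb="$1"; page_mb="${2:-4}"
    # Round the page count up so a heap that is not a multiple of the page
    # size still fits inside the reserved pages.
    pages=$(( (heap_mb + page_mb - 1) / page_mb ))
    # Heap in bytes plus the page's 100000000-byte slack for the segment limit.
    shm_bytes=$(( heap_mb * 1048576 + 100000000 ))
    printf 'vm.nr_hugepages = %d\n' "$pages"
    printf 'kernel.shmmax = %d\n' "$shm_bytes"
    # Caveat: on Linux kernel.shmall is counted in pages, not bytes, so the
    # page's byte value is only a generous upper bound; it is reproduced as-is.
    printf 'kernel.shmall = %d\n' "$shm_bytes"
}

# Return 0 when HugePages_Total in a /proc/meminfo-style file ($1) is at least
# the number of pages a heap of $2 MB needs at page size $3 MB, else 1.
hugepages_reserved() {
    meminfo="$1"; heap_mb="$2"; page_mb="${3:-4}"
    need=$(( (heap_mb + page_mb - 1) / page_mb ))
    total=$(awk '/^HugePages_Total:/ { print $2 }' "$meminfo")
    [ -n "$total" ] && [ "$total" -ge "$need" ]
}
```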


    ISP Server configuration on Fedora 9: Apache server, PHP5, Ruby, Postfix, MySQL, Dovecot, Quota, Firewall.

  • ikraninc

  • I will use the following software:
    • Web Server: Apache 2.2.8
    • PHP 5.2.5
    • Ruby
    • Database Server: MySQL 5.0.51
    • Mail Server: Postfix
    • DNS Server: BIND9 (chrooted)
    • FTP Server: proftpd
    • POP3/IMAP server: Dovecot
    • Webalizer for web site statistics
    In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).
    I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

    1 Requirements

    To install such a system you will need the following:

    2 Preliminary Note

    In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.

    3 Install The Base System

    Boot from your Fedora 9 DVD. Select Install or upgrade an existing system:

    4 Fix The Network

    When I booted the system, I noticed that I could connect to and from it within my LAN, but the system could not connect to the internet. The output of
    ifconfig
    revealed that eth0 was up and has the correct IP address, however
    route -nee
    showed that no gateway had been set although I specified the correct gateway during the setup. I took a look at
    chkconfig --list
    and found that the network init script was set to off in all runlevels, however there was another init script, NetworkManager, which was set to on. NetworkManager is a tool that figures out the best network connection for the system and sets it up - in my case, it seems to have forgotten the gateway. Anyway, as we only have one network connection, we don't need the NetworkManager. I disabled it and set network to on, restarted the network, and voilà, networking is working as expected, also after a reboot:
    chkconfig NetworkManager off
    chkconfig --levels 35 network on
    /etc/init.d/network restart

    5 Adjust /etc/hosts

    Next we edit /etc/hosts. Make it look like this:

    vi /etc/hosts

    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1               localhost.localdomain localhost
    192.168.0.100           server1.example.com server1
    ::1             localhost6.localdomain6 localhost6

    It is important that you add a line for server1.example.com and remove server1.example.com and server1 from the 127.0.0.1 line.
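    A check for the /etc/hosts rule just stated, added here as an example and not part of the original tutorial: check_hosts confirms that the FQDN and its short name appear on the LAN address line and are absent from the 127.0.0.1 line, which is what breaks mail and web services that resolve their own hostname. The file path, FQDN and address are arguments; the function name is my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify the hostname layout
# of an /etc/hosts file before going on with the rest of the setup.
# Usage: check_hosts /etc/hosts server1.example.com 192.168.0.100

# Returns 0 when the file follows the rule, 1 otherwise (reasons on stdout).
check_hosts() {
    hosts="$1"; fqdn="$2"; ip="$3"
    short=${fqdn%%.*}          # server1.example.com -> server1
    ok=0
    # 1. The LAN address line must carry both the FQDN and the short name.
    if ! awk -v ip="$ip" -v fqdn="$fqdn" -v short="$short" '
        $1 == ip { for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 } }
        END { if (f && s) exit 0; exit 1 }' "$hosts"; then
        echo "missing '$fqdn $short' on the $ip line"
        ok=1
    fi
    # 2. Neither name may still sit on the loopback line.
    if ! awk -v fqdn="$fqdn" -v short="$short" '
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == fqdn || $i == short) bad = 1 }
        END { if (bad) exit 1; exit 0 }' "$hosts"; then
        echo "$fqdn or $short is still listed on the 127.0.0.1 line"
        ok=1
    fi
    return $ok
}
```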

    6 Configure The Firewall

    (You can skip this chapter if you have already disabled the firewall at the end of the basic system installation.)
    I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That's why I disable the default Fedora firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn't use any other firewall later on as it will most probably interfere with the Fedora firewall).
    Run
    system-config-firewall
    Select Disabled and press OK.
    To check that the firewall has really been disabled, you can run
    iptables -L
    afterwards. The output should look like this:
    [root@server1 ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    [root@server1 ~]#

    7 Disable SELinux

    SELinux is a security extension of Fedora that is meant to provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of troubleshooting because some service wasn't working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).
    Edit /etc/selinux/config and set SELINUX=disabled:
    vi /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - No SELinux policy is loaded.
    SELINUX=disabled
    # SELINUXTYPE= can take one of these two values:
    #       targeted - Targeted processes are protected,
    #       mls - Multi Level Security protection.
    SELINUXTYPE=targeted
    
    Afterwards we must reboot the system:
    reboot

    8 Install Some Software

    First we import the GPG keys for software packages:
    rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
    Then we update our existing packages on the system:
    yum update
    Now we install some software packages that are needed later on:
    yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++

    9 Quota

    (If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)
    To install quota, we run this command:
    yum install quota
    Edit /etc/fstab and add ,usrquota,grpquota to the / partition (/dev/VolGroup00/LogVol00):
    vi /etc/fstab
    /dev/VolGroup00/LogVol00 /                       ext3    defaults,usrquota,grpquota        1 1
    UUID=03b23ff4-4dda-47a8-a23f-2f530df157b2 /boot                   ext3    defaults        1 2
    tmpfs                   /dev/shm                tmpfs   defaults        0 0
    devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
    sysfs                   /sys                    sysfs   defaults        0 0
    proc                    /proc                   proc    defaults        0 0
    /dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0
    Then run
    touch /aquota.user /aquota.group
    chmod 600 /aquota.*
    mount -o remount /
    quotacheck -avugm
    quotaon -avug
    to enable quota.

    10 Install A Chrooted DNS Server (BIND9)

    To install a chrooted BIND9, we do this:
    yum install bind-chroot
    Next, we change a few permissions and start BIND:
    chmod 755 /var/named/
    chmod 775 /var/named/chroot/
    chmod 775 /var/named/chroot/var/
    chmod 775 /var/named/chroot/var/named/
    chmod 775 /var/named/chroot/var/run/
    chmod 777 /var/named/chroot/var/run/named/
    cd /var/named/chroot/var/named/
    ln -s ../../ chroot
    chkconfig --levels 235 named on
    /etc/init.d/named start
    BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to configure BIND (zones, etc.).

    11 MySQL (5.0)

    To install MySQL, we do this:
    yum install mysql mysql-devel mysql-server
    Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:
    chkconfig --levels 235 mysqld on
    /etc/init.d/mysqld start
    Now check that networking is enabled. Run
    netstat -tap | grep mysql
    It should show something like this:
    [root@server1 ~]# netstat -tap | grep mysql
    tcp        0      0 *:mysql                     *:*                         LISTEN      2407/mysqld
    [root@server1 ~]#
    If it does not, edit /etc/my.cnf and comment out the option skip-networking:
    vi /etc/my.cnf
    [...]
    #skip-networking
    [...]
    and restart your MySQL server:
    /etc/init.d/mysqld restart
    Run
    mysqladmin -u root password yourrootsqlpassword
    mysqladmin -h server1.example.com -u root password yourrootsqlpassword
    to set a password for the user root (otherwise anybody can access your MySQL database!).

    12 Postfix With SMTP-AUTH And TLS

    Now we install Postfix and Dovecot (Dovecot will be our POP3/IMAP server):
    yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot
    Now we configure SMTP-AUTH and TLS:
    postconf -e 'smtpd_sasl_local_domain ='
    postconf -e 'smtpd_sasl_auth_enable = yes'
    postconf -e 'smtpd_sasl_security_options = noanonymous'
    postconf -e 'broken_sasl_auth_clients = yes'
    postconf -e 'smtpd_sasl_authenticated_header = yes'
    postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
    postconf -e 'inet_interfaces = all'
    postconf -e 'mynetworks = 127.0.0.0/8'
    We must edit /usr/lib/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins (on 64-bit systems, this file is in /usr/lib64/sasl2/smtpd.conf). It should look like this:
    vi /usr/lib/sasl2/smtpd.conf
    pwcheck_method: saslauthd
    mech_list: plain login
    Afterwards we create the certificates for TLS:
    mkdir /etc/postfix/ssl
    cd /etc/postfix/ssl/
    openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
    chmod 600 smtpd.key
    openssl req -new -key smtpd.key -out smtpd.csr
    openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
    openssl rsa -in smtpd.key -out smtpd.key.unencrypted
    mv -f smtpd.key.unencrypted smtpd.key
    openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
    Next we configure Postfix for TLS:
    postconf -e 'smtpd_tls_auth_only = no'
    postconf -e 'smtp_use_tls = yes'
    postconf -e 'smtpd_use_tls = yes'
    postconf -e 'smtp_tls_note_starttls_offer = yes'
    postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
    postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
    postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
    postconf -e 'smtpd_tls_loglevel = 1'
    postconf -e 'smtpd_tls_received_header = yes'
    postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
    postconf -e 'tls_random_source = dev:/dev/urandom'
    Then we set the hostname in our Postfix installation (make sure you replace server1.example.com with your own hostname):
    postconf -e 'myhostname = server1.example.com'
    After these configuration steps you should now have a /etc/postfix/main.cf that looks like this (I have removed all comments from it):
    cat /etc/postfix/main.cf
    queue_directory = /var/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    mail_owner = postfix
    inet_interfaces = all
    mydestination = $myhostname, localhost.$mydomain, localhost
    unknown_local_recipient_reject_code = 550
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    debug_peer_level = 2
    debugger_command =
             PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
             ddd $daemon_directory/$process_name $process_id & sleep 5
    
    sendmail_path = /usr/sbin/sendmail.postfix
    newaliases_path = /usr/bin/newaliases.postfix
    mailq_path = /usr/bin/mailq.postfix
    setgid_group = postdrop
    html_directory = no
    manpage_directory = /usr/share/man
    sample_directory = /usr/share/doc/postfix-2.5.1/samples
    readme_directory = /usr/share/doc/postfix-2.5.1/README_FILES
    inet_protocols = all
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    mynetworks = 127.0.0.0/8
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    myhostname = server1.example.com
    Now start Postfix, saslauthd, and Dovecot:
    chkconfig --levels 235 sendmail off
    chkconfig --levels 235 postfix on
    chkconfig --levels 235 saslauthd on
    chkconfig --levels 235 dovecot on
    /etc/init.d/sendmail stop
    /etc/init.d/postfix start
    /etc/init.d/saslauthd start
    /etc/init.d/dovecot start
    To see if SMTP-AUTH and TLS work properly now run the following command:
    telnet localhost 25
    After you have established the connection to your Postfix mail server type
    ehlo localhost
    If you see the lines
    250-STARTTLS
    and
    250-AUTH PLAIN LOGIN
    everything is fine.
    [root@server1 ssl]# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 server1.example.com ESMTP Postfix
    ehlo localhost
    250-server1.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.
    [root@server1 ssl]#
    Type
    quit
    to return to the system's shell.
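    The EHLO test above, as an added example that is not part of the original tutorial: it parses the reply the telnet session shows, checks for the two lines the text says to look for, and reports the one caveat the configuration above carries (with smtpd_tls_auth_only = no, AUTH is also advertised on the unencrypted connection). The sample reply is copied from the session above; check_server is a name of my own and assumes a Postfix listening on port 25.

```python
import smtplib

# Constructed sample: the EHLO reply the tutorial's telnet session shows for
# server1.example.com, used so parse_ehlo() can be exercised offline.
SAMPLE_EHLO_REPLY = """250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply):
    """Return (starttls_offered, set_of_auth_mechanisms); accepts raw "250-" lines or stripped ones."""
    starttls = False
    mechs = set()
    for raw in reply.splitlines():
        line = raw.strip()
        if line[:3] == "250":
            line = line[4:].strip()  # drop "250-" (continuation) or "250 " (last line)
        keyword, _, params = line.partition(" ")
        keyword = keyword.upper()
        if keyword == "STARTTLS":
            starttls = True
        elif keyword == "AUTH":
            mechs.update(params.upper().split())
        elif keyword.startswith("AUTH="):
            # Legacy "AUTH=PLAIN LOGIN" form, emitted because broken_sasl_auth_clients = yes
            mechs.update((keyword[5:] + " " + params).upper().split())
    return starttls, mechs


def assess(starttls, mechs):
    """Findings a defender would act on after the tutorial's EHLO test."""
    findings = []
    if not starttls:
        findings.append("STARTTLS missing: check smtpd_use_tls and the smtpd_tls_*_file paths")
    if not mechs:
        findings.append("AUTH missing: check smtpd_sasl_auth_enable and that saslauthd is running")
    elif starttls:
        # smtpd_tls_auth_only = no: AUTH is offered on the plaintext connection too, so a
        # client that skips STARTTLS sends its password in the clear.
        findings.append("AUTH offered before STARTTLS (smtpd_tls_auth_only = no)")
    return findings


def check_server(host="localhost", port=25):
    """Hypothetical helper: run the same test against a live Postfix instead of telnet."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        code, message = smtp.ehlo("localhost")
        if code != 250:
            raise RuntimeError("EHLO rejected: %d %r" % (code, message))
    # smtplib already strips the "250-" prefixes; parse_ehlo handles both forms.
    starttls, mechs = parse_ehlo(message.decode("latin-1"))
    return starttls, mechs, assess(starttls, mechs)
```

    Running check_server() on the freshly configured server should return STARTTLS true, the PLAIN and LOGIN mechanisms, and only the plaintext-AUTH finding.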

    12.1 Maildir

    Dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.
    If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user's Maildir (you can also do this if you use ISPConfig - it doesn't hurt ;-)):
    postconf -e 'home_mailbox = Maildir/'
    postconf -e 'mailbox_command ='
    /etc/init.d/postfix restart

    13 Apache2 With PHP5

    Now we install Apache with PHP5 (this is PHP 5.2.5):
    yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-eaccelerator php-magickwand php-magpierss php-mapserver php-mbstring php-mcrypt php-mhash php-mssql php-shout php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel
    Then edit /etc/httpd/conf/httpd.conf:
    vi /etc/httpd/conf/httpd.conf
    and change DirectoryIndex to
    [...]
    DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl
    [...]
    Now configure your system to start Apache at boot time:
    chkconfig --levels 235 httpd on
    Start Apache:
    /etc/init.d/httpd start

    13.1 Disable PHP Globally

    (If you do not plan to install ISPConfig on this server, please skip this section!)
    In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.
    To disable PHP globally, we edit /etc/httpd/conf.d/php.conf and comment out the AddHandler and AddType lines:
    vi /etc/httpd/conf.d/php.conf
    #
    # PHP is an HTML-embedded scripting language which attempts to make it
    # easy for developers to write dynamically generated webpages.
    #
    
    LoadModule php5_module modules/libphp5.so
    
    #
    # Cause the PHP interpreter to handle files with a .php extension.
    #
    #AddHandler php5-script .php
    #AddType text/html .php
    
    #
    # Add index.php to the list of files that will be served as directory
    # indexes.
    #
    DirectoryIndex index.php
    
    #
    # Uncomment the following line to allow PHP to pretty-print .phps
    # files as PHP source code:
    #
    #AddType application/x-httpd-php-source .phps
    Afterwards we restart Apache:
    /etc/init.d/httpd restart

    14 Ruby

    Starting with version 2.2.20, ISPConfig has built-in support for Ruby. Instead of using CGI/FastCGI, ISPConfig depends on mod_ruby being available in the server's Apache.
    For Fedora 9, there's no mod_ruby package available, so we must compile it ourselves. First we install some prerequisites:
    yum install httpd-devel ruby ruby-devel
    Next we download and install mod_ruby as follows:
    cd /tmp
    wget http://www.modruby.net/archive/mod_ruby-1.2.6.tar.gz
    tar zxvf mod_ruby-1.2.6.tar.gz
    cd mod_ruby-1.2.6/
    ./configure.rb --with-apr-includes=/usr/include/apr-1
    make
    make install
    Finally we must add the mod_ruby module to the Apache configuration, so we create the file /etc/httpd/conf.d/ruby.conf...
    vi /etc/httpd/conf.d/ruby.conf
    LoadModule ruby_module modules/mod_ruby.so
    ... and restart Apache:
    /etc/init.d/httpd restart

    15 ProFTPd (Part 1)

    ISPConfig has better support for proftpd than vsftpd, so let's remove vsftpd and install proftpd:
    yum remove vsftpd
    yum install proftpd
    Now we can create the system startup links for Proftpd and start it:
    chkconfig --levels 235 proftpd on
    /etc/init.d/proftpd start

    16 Webalizer

    To install webalizer, just run
    yum install webalizer

    17 Synchronize The System Clock

    If you want to have the system clock synchronized with an NTP server do the following:
    yum install ntp
    chkconfig --levels 235 ntpd on
    ntpdate 0.pool.ntp.org
    /etc/init.d/ntpd start

    18 Install Some Perl Modules

    ISPConfig comes with SpamAssassin which needs a few Perl modules to work. We install the required Perl modules with a single command:
    yum install perl-HTML-Parser perl-DBI perl-Net-DNS perl-Digest-SHA1

    19 ISPConfig

    The configuration of the server is now finished.
    If you want to install ISPConfig, there's one more thing you need to do. Fedora 9 comes with the gcc version 4.3, but the ISPConfig installation (the OpenSSL part, to be specific) fails with this gcc version. Therefore we install gcc 3.4...
    yum install compat-gcc-34
    ... and create a symlink from /usr/bin/gcc to /usr/bin/gcc34:
    cd /usr/bin
    mv gcc gcc43
    ln -s gcc34 gcc
    You can now install ISPConfig on it, following these instructions: http://www.ispconfig.org/manual_installation.htm

    19.1 A Note On SuExec

    If you want to run CGI scripts under suExec, you should specify /var/www as the web root for websites created by ISPConfig as Fedora's suExec is compiled with /var/www as Doc_Root. Run
    /usr/sbin/suexec -V
    and the output should look like this:
    [root@server1 ~]# /usr/sbin/suexec -V
     -D AP_DOC_ROOT="/var/www"
     -D AP_GID_MIN=100
     -D AP_HTTPD_USER="apache"
     -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
     -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
     -D AP_UID_MIN=500
     -D AP_USERDIR_SUFFIX="public_html"
    [root@server1 ~]#
    So if you want to use suExec with ISPconfig, don't change the default web root (which is /var/www) if you use expert mode during the ISPConfig installation (in standard mode you can't change the web root anyway so you'll be able to use suExec in any case).

    19.2 ProFTPd (Part 2)

    (This chapter applies only if you have installed ISPConfig!)
    After you have installed ISPConfig, you must modify the template file for /etc/proftpd_ispconfig.conf, which is called /root/ispconfig/isp/conf/proftpd_ispconfig.conf.master, because otherwise the users that you create with ISPConfig won't be able to log in using FTP. Instead of modifying /root/ispconfig/isp/conf/proftpd_ispconfig.conf.master (which gets overwritten each time you update ISPConfig) we copy /root/ispconfig/isp/conf/proftpd_ispconfig.conf.master to /root/ispconfig/isp/conf/customized_templates/ and modify that one. If ISPConfig finds a template in /root/ispconfig/isp/conf/customized_templates/, it will use that one instead of the default template in /root/ispconfig/isp/conf/. Templates in /root/ispconfig/isp/conf/customized_templates/ don't get overwritten when you update ISPConfig.
    cp /root/ispconfig/isp/conf/proftpd_ispconfig.conf.master /root/ispconfig/isp/conf/customized_templates/
    Now open /root/ispconfig/isp/conf/customized_templates/proftpd_ispconfig.conf.master and comment out the DefaultAddress 127.0.0.1 line:
    vi /root/ispconfig/isp/conf/customized_templates/proftpd_ispconfig.conf.master
    ###################################
    #
    # ISPConfig proftpd Configuration File
    #         Version 1.0
    #
    ###################################
    
    #DefaultAddress 127.0.0.1
    
    
    
            DefaultRoot             ~
            AllowOverwrite          on
            Umask                   002
            {ANON_FTP}
    
    

    20 Links
