Category Archives: Linux System Admin

#!/bin/bash - or #!/bin/bash -- In A Shell Script

Question: I know #!/bin/bash is the shebang line. But I noticed that the shebang line of a few shell scripts ends with a single dash ( #!/bin/bash - ) or a double dash ( #!/bin/bash -- ). Can you explain the purpose of such a shebang line?

Answer: A - or -- signals the end of options and disables further option processing, i.e. bash will not accept any further options. Any arguments after the -- are treated as filenames and arguments. An argument of - is equivalent to --. This is done to improve script security: some users may attempt setuid-based script root spoofing. To avoid interpreter spoofing, add -- to #!/bin/bash. This attack is rare but possible.
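A defensive check built on the answer above, as an added example that is not part of the original post: it reports bash scripts whose shebang lacks the - or -- marker and tags the set-uid or set-gid ones. The function names shebang_status and audit_shebangs are hypothetical.

```bash
#!/bin/bash --
# Added example: audit bash scripts for a shebang without "-" or "--".

# Print "terminated", "unterminated" or "other" for the file named in $1.
# Runs in a subshell so the variables and "set -f" do not leak out.
shebang_status() (
    line=
    IFS= read -r line < "$1" 2>/dev/null || true   # keep a last line without newline
    case $line in
        '#!'*) rest=${line#??} ;;
        *) echo other; exit 0 ;;
    esac
    set -f          # no globbing while the line is split into words
    set -- $rest    # $1 = interpreter, remaining words = its argument
    interp=${1:-}
    if [ $# -gt 0 ]; then shift; fi
    case ${interp##*/} in
        bash) ;;
        *) echo other; exit 0 ;;   # not a direct bash shebang (e.g. env)
    esac
    # Everything after the interpreter is compared as one string, so
    # "-- -x" does not count as a bare end-of-options marker.
    case "$*" in
        -|--) echo terminated ;;
        *) echo unterminated ;;
    esac
)

# List files under directory $1 whose bash shebang is unterminated.
# Set-uid/set-gid files are tagged SETID: the case the post warns about.
audit_shebangs() {
    find "$1" -type f | while IFS= read -r f; do
        [ "$(shebang_status "$f")" = unterminated ] || continue
        if [ -u "$f" ] || [ -g "$f" ]; then
            printf 'SETID %s\n' "$f"
        else
            printf 'plain %s\n' "$f"
        fi
    done
}

# Usage: ./audit.sh /path/to/scripts
if [ $# -gt 0 ]; then audit_shebangs "$1"; fi
```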

Red Hat Enterprise Linux / CentOS Linux Enable EPEL (Extra Packages for Enterprise Linux) Repository

Question: How do I enable EPEL (Extra Packages for Enterprise Linux) repo and install the packages under RHEL / CentOS Linux?

Answer: EPEL (Extra Packages for Enterprise Linux) is a volunteer-based community effort from the Fedora project to create a repository of high-quality add-on packages that complement the Fedora-based Red Hat Enterprise Linux (RHEL) and its compatible spinoffs, such as CentOS and Scientific Linux.

EPEL provides lots of packages for CentOS / RHEL. It is not part of Red Hat or CentOS but is designed to work with these major distributions. Please note that EPEL only provides free and open source software unencumbered by patents or any legal issues. In short, you will not find mp3, dvd and music / media players under EPEL. However, you will find many programs related to networking, monitoring, sys admin, programming and so on.

Packages are supplied in RPM format and in most cases are ready to use. Beware that some packages may break something and you should not blindly install those packages.

Question: How do I enable EPEL?

Answer: Simply type the following command as the root user:
Command: rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm

List new repo:
Command: yum repolist

Sample output:
Loading "skip-broken" plugin
Loading "fastestmirror" plugin
repo id      repo name                                  status
addons       CentOS-5 - Addons                          enabled
base         CentOS-5 - Base                            enabled
epel         Extra Packages for Enterprise Linux 5 -    enabled
extras       CentOS-5 - Extras                          enabled
updates      CentOS-5 - Updates                         enabled

Using vnstat for simple traffic accounting

vnStat is a network traffic monitor for Linux that keeps a log of daily network traffic for the selected interface(s). vnStat isn’t a packet sniffer. The traffic information is read from the /proc filesystem, so vnStat can be used without root permissions. However, at least a 2.2.x kernel is required.

Quick install guide (I have set it up on a CentOS 5.3 box):
$ wget -O vnstat-1.7.tar.gz http://tinyurl.com/mx9yrf
$ tar zxvf vnstat-1.7.tar.gz
$ cd vnstat-1.7
$ make
$ su
Password:
# make install

Create databases for the NICs, then edit the crontab:
# vnstat -u -i eth0
# vnstat -u -i eth1
# crontab -e


Add the following entry in the crontab:
*/5 * * * * /usr/bin/vnstat -u

Install the frontend:
# cd /var/www/htdocs
# wget -O vnstat_php_frontend-1.4.1.tar.gz http://tinyurl.com/kmn3u8
# tar zxvf vnstat_php_frontend-1.4.1.tar.gz
# mv vnstat_php_frontend-1.4.1 vnstat

Edit vnstat/config.php and adjust the following lines to your preference:
$iface_list = array('eth0', 'eth1');
$iface_title['eth0'] = 'Extern';
$iface_title['eth1'] = 'Intern';
$vnstat_bin = '/usr/bin/vnstat';

That’s all. Assuming Apache is properly configured with PHP enabled, you can access the interface at http://your-domain.com/vnstat/

Generate Apache SSL certificates

To use https for web traffic, you will need to obtain a valid Apache SSL certificate.

When generating an Apache (mod_ssl) SSL certificate, you have two options:

  • Purchase an SSL certificate from a certificate authority (CA). Searching the Web for “certificate authority” will present several choices.
  • Generate a self-signed certificate. This option costs nothing and provides the same level of encryption as a certificate purchased from a certificate authority (CA). However, this option can be a mild annoyance to some users, because Internet Explorer (IE) issues a warning each time a user visits a site that uses a self-signed certificate. The warning does not affect the encryption itself; it appears because no CA has vouched for the certificate.

Regardless of which option you select, the process is almost identical.

Know the fully qualified domain name (FQDN) of the website for which you want to request a certificate. If you want to access your site through https://www.domain.tld, then the FQDN of your website is www.domain.tld.

Note: This is also known as your common name.

Generate the key with the OpenSSL genrsa command.
openssl genrsa -out www.domain.tld.key 1024

This command generates a 1024-bit RSA private key and stores it in the file www.domain.tld.key. Back up your www.domain.tld.key file, because the SSL certificate cannot be used without it.

Generate the CSR with the OpenSSL req command.
openssl req -new -key www.domain.tld.key -out www.domain.tld.csr

This command will prompt you for the X.509 attributes of your certificate. Give the fully qualified domain name, such as www.domain.tld, when prompted for Common Name.

Note: Do not enter your personal name here. It is requesting a certificate for a webserver, so the Common Name has to match the FQDN of your website.

Generate a self-signed certificate.
openssl x509 -req -days 370 -in www.domain.tld.csr -signkey www.domain.tld.key -out www.domain.tld.crt

This command will generate a self-signed certificate in www.domain.tld.crt.
You will now have an RSA private key in www.domain.tld.key, a Certificate Signing Request in www.domain.tld.csr, and an SSL certificate in www.domain.tld.crt. The self-signed SSL certificate that you generated will be valid for 370 days.
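
The three steps above run non-interactively, followed by checks that the key, CSR and certificate belong together (an added example, not part of the original post). It assumes a 2048-bit key instead of the 1024 bits shown above, since 2048 bits is the minimum that publicly trusted CAs accept; the helper names are hypothetical and www.domain.tld is the page's placeholder.

```bash
#!/bin/bash --
# Added example: key -> CSR -> self-signed certificate, then verification.

make_selfsigned() {   # $1 = FQDN (used as Common Name), $2 = output dir
    fqdn=$1; dir=$2
    # umask 077 keeps the private key readable by its owner only.
    ( umask 077; openssl genrsa -out "$dir/$fqdn.key" 2048 ) 2>/dev/null &&
    openssl req -new -key "$dir/$fqdn.key" -subj "/CN=$fqdn" \
        -out "$dir/$fqdn.csr" &&
    openssl x509 -req -days 370 -in "$dir/$fqdn.csr" \
        -signkey "$dir/$fqdn.key" -out "$dir/$fqdn.crt" 2>/dev/null
}

# Succeeds only if certificate $1 and private key $2 share one RSA modulus.
cert_matches_key() {
    m=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    [ -n "$m" ] && [ "$m" = "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# Succeeds only if CSR $1 was made from private key $2.
csr_matches_key() {
    m=$(openssl req -noout -modulus -in "$1" 2>/dev/null)
    [ -n "$m" ] && [ "$m" = "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# Print the public key size in bits of certificate $1.
cert_key_bits() {
    openssl x509 -noout -text -in "$1" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Print the Common Name of certificate $1 (subject holds only a CN here).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Usage: ./mkcert.sh www.domain.tld /path/to/outdir
if [ $# -eq 2 ]; then
    make_selfsigned "$1" "$2" &&
    cert_matches_key "$2/$1.crt" "$2/$1.key" &&
    echo "$(cert_cn "$2/$1.crt"): $(cert_key_bits "$2/$1.crt")-bit key, cert matches key"
fi
```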