Friday, February 24, 2012

How to start apache using worker MPM?

■ Purpose : Start Apache using worker MPM
■ OS Environment : Linux[RHEL, Centos]
■ Application: httpd
■ Implementation Steps:

1. Check which MPM apache is currently running with :

$ /usr/sbin/apachectl -l

apachectl runs the binary named in /etc/sysconfig/httpd and lists the modules compiled into it. If worker.c appears in the list, Apache is running with the worker MPM; if prefork.c appears, it is running with prefork.

2. Check that the worker build of apache is installed :

$ /usr/sbin/httpd.worker -l

On RHEL/CentOS the httpd package ships two binaries, /usr/sbin/httpd (prefork) and /usr/sbin/httpd.worker (worker). If worker.c appears in the compiled-in modules of httpd.worker, Apache can run the worker MPM.

3. Un-comment the following line in /etc/sysconfig/httpd :

HTTPD=/usr/sbin/httpd.worker

4. Restart httpd :

$ service httpd restart

Note : The stock mod_php is not thread-safe, so it cannot be loaded under the worker MPM; httpd will throw an error at startup if it is. Either rebuild PHP with thread safety (ZTS) enabled, or, preferably, run PHP out of process through mod_fcgid and php-cgi, which keeps the interpreter out of the threaded server altogether. After the restart, request a .php page and confirm it is executed rather than served as text, since a handler that fails to load can leave PHP sources exposed.
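The checks above, scripted, as an added example that is not part of the original post: it reads an "httpd -l" listing to name the MPM, refuses the switch while an active LoadModule line still loads mod_php under /etc/httpd/conf.d, and un-comments the HTTPD= line in a sysconfig file. The RHEL paths are the ones from the post; every path is a parameter so the functions can be tested against copies.

```shell
#!/bin/sh
# Added example (not from the original post): detect the MPM, check for a
# loaded mod_php, and switch a sysconfig file to httpd.worker. All paths are
# parameters; the defaults in the comments are the RHEL layout from the post.

# mpm_of : read an "httpd -l" module listing on stdin and print the MPM it
# contains (worker, prefork, event) or "unknown".
mpm_of() {
    awk '
        /^[ \t]*worker\.c$/  { print "worker";  found = 1; exit }
        /^[ \t]*prefork\.c$/ { print "prefork"; found = 1; exit }
        /^[ \t]*event\.c$/   { print "event";   found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# php_loaded CONFDIR : 0 if any active (un-commented) LoadModule line in
# CONFDIR/*.conf loads a php module, 1 otherwise. Commented lines are ignored.
php_loaded() {
    grep -Eqs '^[[:space:]]*LoadModule[[:space:]]+php[0-9]*_module' "$1"/*.conf
}

# active_httpd SYSCONFIG : the binary the sysconfig file selects
# (/usr/sbin/httpd when no HTTPD= line is active).
active_httpd() {
    v=$(sed -n 's/^[[:space:]]*HTTPD=//p' "$1" | tail -n 1)
    echo "${v:-/usr/sbin/httpd}"
}

# enable_worker SYSCONFIG : un-comment (or append) HTTPD=/usr/sbin/httpd.worker.
# Idempotent; keeps a .bak copy of the file it changes.
enable_worker() {
    f=$1
    cp -p "$f" "$f.bak"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*HTTPD=/usr/sbin/httpd\.worker' "$f"; then
        sed -i 's|^[[:space:]]*#\{0,1\}[[:space:]]*HTTPD=/usr/sbin/httpd\.worker.*|HTTPD=/usr/sbin/httpd.worker|' "$f"
    else
        echo 'HTTPD=/usr/sbin/httpd.worker' >> "$f"
    fi
}

# Typical use on a RHEL/CentOS host (assumed paths from the post):
#   /usr/sbin/httpd.worker -l | mpm_of                  # prints "worker"
#   php_loaded /etc/httpd/conf.d && echo "mod_php is loaded: do not switch"
#   enable_worker /etc/sysconfig/httpd && /usr/sbin/httpd.worker -t
```

Run "/usr/sbin/httpd.worker -t" before the restart: it parses the configuration with the worker binary and reports any module that cannot be loaded under it, which is cheaper than discovering the problem with the service down.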


Wednesday, February 22, 2012

How to create reverse DNS record in bind?

■ Purpose: Create a reverse DNS (PTR) zone and record
■ OS Environment: Linux
■ Application : bind
■ Assumption: a /24 (class C) network, 192.168.0.0/24, so the reverse zone is 0.168.192.in-addr.arpa
■ Implementation Steps :

1. Add the following zone statement to /etc/named.conf (for a chrooted bind, the copy under /var/named/chroot) :

zone "0.168.192.in-addr.arpa" IN {
type master;
file "0.168.192.in-addr.arpa";
allow-update { none; };
};

2. Create the zone file for this reverse zone, /var/named/0.168.192.in-addr.arpa, with the following entries :

$TTL 600
@ IN SOA ns1.example.com. host.example.com. (
2012013001 ;Serial Number (YYYYMMDDnn)
86400 ;refresh
7200 ;retry
3600000 ;expire
86400 ;negative caching TTL (minimum)
)

0.168.192.in-addr.arpa. IN NS ns1.example.com.
0.168.192.in-addr.arpa. IN NS ns2.example.com.
201 IN PTR example.com.

The owner name "201" is relative to the zone origin, so this record answers for 192.168.0.201. Increase the serial on every change, otherwise secondaries will not transfer the new zone. The PTR should point at the host's canonical name, whose A record must resolve back to 192.168.0.201: mail servers, TCP wrappers in PARANOID mode and similar forward-confirmed reverse DNS checks reject a PTR that does not match the forward record.
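A generator for zone files of this shape, as an added example that is not part of the original post: it builds a /24 reverse zone from "IP hostname" lines, refuses addresses outside the network and names that are not fully qualified (an unqualified name would silently get the in-addr.arpa origin appended), and writes the SOA and NS records in the layout used above. The name server and host names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate a /24 reverse zone
# like the one above from "IP hostname" pairs. NETWORK is the first three
# octets (192.168.0). Names and addresses are placeholders.

# rev_zone NETWORK : 192.168.0 -> 0.168.192.in-addr.arpa
rev_zone() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# today_serial : YYYYMMDD01, the serial convention used in the post.
today_serial() { date +%Y%m%d01; }

# gen_rev_zone NETWORK NS1 NS2 SERIAL < "ip hostname" lines
# Emits a complete zone file on stdout and exits 1 on any bad input line,
# so a half-checked zone is never loaded. NS names must be fully qualified
# (trailing dot); the SOA contact is derived from NS1's domain.
gen_rev_zone() {
    net=$1 ns1=$2 ns2=$3 serial=$4
    zone=$(rev_zone "$net")
    cat <<EOF
\$TTL 600
@ IN SOA $ns1 hostmaster.${ns1#*.} (
    $serial ; serial (YYYYMMDDnn)
    86400   ; refresh
    7200    ; retry
    3600000 ; expire
    86400   ; negative caching TTL
)
$zone. IN NS $ns1
$zone. IN NS $ns2
EOF
    awk -v net="$net" '
        NF == 0 || $1 ~ /^#/ { next }                 # skip blank and comment lines
        NF != 2 { print "bad line: " $0 > "/dev/stderr"; bad = 1; exit 1 }
        {
            n = split($1, o, ".")
            if (n != 4 || (o[1] "." o[2] "." o[3]) != net ||
                o[4] !~ /^[0-9]+$/ || o[4] + 0 > 255) {
                print "address outside " net ".0/24: " $1 > "/dev/stderr"
                bad = 1; exit 1
            }
            if ($2 !~ /\.$/) {                        # would get $ORIGIN appended
                print "hostname not fully qualified: " $2 > "/dev/stderr"
                bad = 1; exit 1
            }
            printf "%s IN PTR %s\n", o[4], $2
        }
        END { exit bad }
    '
}

# Typical use (assumed paths from the post):
#   gen_rev_zone 192.168.0 ns1.example.com. ns2.example.com. "$(today_serial)" \
#       < hosts.txt > /var/named/0.168.192.in-addr.arpa
```

Before reloading named, validate the file with "named-checkzone 0.168.192.in-addr.arpa /var/named/0.168.192.in-addr.arpa", and after the reload confirm the answer with "dig -x 192.168.0.201 @ns1.example.com".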


Monday, January 2, 2012

Which command will provide IO details of all processes in the system?

■ Requirement : Command which provides IO details of process
■ OS Environment : Linux
■ Solution :

Every process exposes its I/O counters in /proc/<pid>/io (rchar, wchar, syscr, syscw, read_bytes, write_bytes, cancelled_write_bytes). Iterate over the pid directories that exist rather than guessing a pid range, and turn the NUL-separated cmdline into something readable :

$ for d in /proc/[0-9]*; do
    if [ -f "$d/io" ]; then
        echo "---------------------------------------------------"
        echo "Process name : $(tr '\000' ' ' < "$d/cmdline")"
        echo "PID : ${d#/proc/}"
        echo "IO Details:"
        cat "$d/io"
    fi
done

NOTE : /proc/<pid>/io is readable only by the owner of the process and root, so run this as root to see every process. read_bytes and write_bytes count bytes that actually reach the block layer; rchar and wchar also include page-cache, pipe and socket traffic. To dig into an I/O issue further, one can use the "iostat", "sar", "pidstat -d" and "nfsstat -x" commands.
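The loop above dumps every process; what a practitioner usually wants is the handful of processes responsible for the disk traffic. The following script, an added example that is not part of the original post, parses the same /proc/<pid>/io files and ranks processes by bytes that reached the block layer. The proc root is a parameter so the parser can be tested against constructed files; real use just calls it with no arguments as root.

```shell
#!/bin/sh
# Added example (not from the original post): rank processes by block I/O
# using the counters in /proc/<pid>/io. PROCROOT is a parameter (default
# /proc) so the functions can be exercised on constructed test files.

# io_summary FILE : "rchar wchar read_bytes write_bytes" from one io file.
io_summary() {
    awk '
        $1 == "rchar:"       { rc = $2 }
        $1 == "wchar:"       { wc = $2 }
        $1 == "read_bytes:"  { rb = $2 }
        $1 == "write_bytes:" { wb = $2 }
        END { printf "%s %s %s %s\n", rc + 0, wc + 0, rb + 0, wb + 0 }
    ' "$1"
}

# top_io [N] [PROCROOT] : the N (default 10) processes with the most block
# I/O, one per line as "pid disk_bytes read_bytes write_bytes command".
# Only io files readable by the caller are counted; run as root for all.
top_io() {
    n=${1:-10} root=${2:-/proc}
    for d in "$root"/[0-9]*; do
        [ -r "$d/io" ] || continue
        set -- $(io_summary "$d/io")             # $1=rchar $2=wchar $3=rb $4=wb
        cmd=$(tr '\000' ' ' < "$d/cmdline" 2>/dev/null | sed 's/ *$//')
        # kernel threads have an empty cmdline; fall back to the thread name
        [ -n "$cmd" ] || cmd="[$(cat "$d/comm" 2>/dev/null)]"
        printf '%s %s %s %s %s\n' "${d##*/}" "$(($3 + $4))" "$3" "$4" "$cmd"
    done | sort -k2,2nr | head -n "$n"
}

# Typical use:  top_io 5
```

The counters are cumulative since process start, so a long-running daemon will always dominate a single snapshot; take two snapshots a few seconds apart and diff them, or use "pidstat -d", when the question is who is busy right now.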

Saturday, December 31, 2011

How to generate CA certificate for server & client communication?

■ Requirement : Generate CA certificate for server & client communication.
■ OS Environment : Linux
■ Application : openssl 
■ Implementation Steps :

1. Create a certification authority :

$ cd /etc/newcerts
$ openssl genrsa 2048 > ca-key.pem
$ openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

NOTE: The last command prompts for the subject of the CA certificate. Use a Common Name that identifies the CA (for example "Example Internal CA") and that differs from the Common Name of every server and client certificate it will sign; a leaf certificate with the same subject as its CA fails verification in OpenSSL-based clients. ca-key.pem can sign a certificate for any name the server will trust, so create it with a restrictive umask (077), keep it mode 0600, and do not copy it to the servers and clients, which only need ca-cert.pem.

2. Create a certificate for the server, signed by the CA above :

$ openssl req -newkey rsa:2048 -nodes -keyout server-key.pem > server-req.pem
$ openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

NOTE: The first command prompts for the server's subject; its Common Name must be the host name clients connect to. It then asks for "A challenge password" and "An optional company name": leave both empty by pressing enter twice. A -days option on the req command has no effect on a CSR, so the validity period is the one given to the x509 -req command that signs it.

3. Create a certificate for the client the same way, with a different serial number :

$ openssl req -newkey rsa:2048 -nodes -keyout client-key.pem > client-req.pem
$ openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > client-cert.pem

NOTE : Provide the details of the client (the account that will contact the server). Every certificate issued by one CA must carry a unique serial number, so do not reuse -set_serial 01 here: two certificates with the same issuer and serial are invalid and some TLS stacks reject the second one. Alternatively drop -set_serial and pass -CAcreateserial, which keeps a counter in ca-cert.srl. The client presents client-cert.pem and verifies server-cert.pem against ca-cert.pem; the server presents server-cert.pem and verifies the client certificate against the same ca-cert.pem. Each side therefore needs only ca-cert.pem, its own certificate and its own key.

Friday, December 30, 2011

How to install mysql server and configure SSL with it on linux?

■ Requirement: Install mysql-server & configure SSL for secure communication
■ OS Environment : Linux
■ Application : 

  • perl-DBD-MySQL-3.0007-2.el5
  • perl-DBI-1.52-2.el5
  • mysql-server-5.0.77-4.el5_6.6
  • mysql-5.0.77-4.el5_6.6
  • openssl

■ Symptoms encountered : 

  •  ERROR 2026 (HY000): SSL connection error

■  Implementation Steps :

1. Install the packages above, either from the repositories :

$ yum install mysql mysql-server openssl perl-DBD-MySQL perl-DBI -y

or from downloaded rpm files :

$ rpm -ivh

2. Start the mysql service :

$ service mysqld start

3. Set the mysql root password ('mysql' below is the post's placeholder; use a strong password) :

$ /usr/bin/mysqladmin -u root password 'mysql'

4. Create a directory for the server and client certificates. mysqld reads its key as the mysql user, so the directory and the key files must be owned by mysql, and the key files must be mode 0600 so no other local user can read them :

$ mkdir -p /etc/mysql/newcerts
$ chown -R mysql:mysql /etc/mysql/newcerts

5. Create the certificate authority. The Common Name of the CA must differ from the Common Names used for the server and client certificates; with the same Common Name the certificates do not work with a MySQL server built against OpenSSL, and the client fails with "ERROR 2026 (HY000): SSL connection error" :

$ cd /etc/mysql/newcerts
$ openssl genrsa 2048 > ca-key.pem
$ openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

6. Create the server certificate, signed by the CA above (the Common Name is the host name clients connect to) :

$ openssl req -newkey rsa:2048 -nodes -keyout server-key.pem > server-req.pem
$ openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

7. Create the client certificate the same way, with a different serial number (one CA must never issue two certificates with the same serial) :

$ openssl req -newkey rsa:2048 -nodes -keyout client-key.pem > client-req.pem
$ openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > client-cert.pem

8. Make sure the following entries are present in /etc/my.cnf. "ssl" on its own only enables the SSL code; the server must also be told which CA certificate, certificate and key to use (the paths match the SHOW VARIABLES output below) :

[mysqld]

datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# old_passwords=1 forces the pre-4.1 16-byte password hash; enable it only for clients older than 4.1
ssl
ssl-ca=/etc/mysql/newcerts/ca-cert.pem
ssl-cert=/etc/mysql/newcerts/server-cert.pem
ssl-key=/etc/mysql/newcerts/server-key.pem

9. Restart mysqld and create an account that is only allowed to connect over SSL :

$ service mysqld restart
$ mysql
mysql> GRANT ALL ON *.* TO 'mysql'@'%' IDENTIFIED BY 'mysql' REQUIRE SSL;

The account name, host wildcard, privilege set and password here are placeholders. In practice restrict the host, grant only the privileges the application needs, and prefer REQUIRE X509 to REQUIRE SSL: REQUIRE SSL only demands an encrypted connection, while REQUIRE X509 also demands that the client present a certificate verifiable against the server's CA, which is what the client certificate from step 7 is for.

10. Verification / Testing. The CA certificate is passed with --ssl-ca; the client's own certificate and key go in --ssl-cert and --ssl-key :

$ mysql --ssl-ca=/etc/mysql/newcerts/ca-cert.pem --ssl-key=/etc/mysql/newcerts/client-key.pem --ssl-cert=/etc/mysql/newcerts/client-cert.pem -u root -p -v -v -v

Enter password: (the root password set in step 3)

Output will look like below :

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.0.77 Source distribution
Reading history-file /root/.mysql_history
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show variables like '%ssl%';
--------------
show variables like '%ssl%'
--------------

+---------------+-------------------------------------+
| Variable_name | Value                               |
+---------------+-------------------------------------+
| have_openssl  | YES                                 |
| have_ssl      | YES                                 |
| ssl_ca        | /etc/mysql/newcerts/ca-cert.pem     |
| ssl_capath    |                                     |
| ssl_cert      | /etc/mysql/newcerts/server-cert.pem |
| ssl_cipher    |                                     |
| ssl_key       | /etc/mysql/newcerts/server-key.pem  |
+---------------+-------------------------------------+
7 rows in set (0.01 sec)

mysql> SHOW STATUS LIKE 'Ssl_cipher';
--------------
SHOW STATUS LIKE 'Ssl_cipher'
--------------
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |   << confirms the session is encrypted
+---------------+--------------------+
1 row in set (0.00 sec)

have_ssl = YES only says the server was built with SSL and loaded its certificates; Ssl_cipher is the check that this connection is actually encrypted. An empty Ssl_cipher means the session is in the clear, so check it after every change to the client options rather than assuming they were honoured.

mysql> quit

Tuesday, November 29, 2011

How to configure rndc key with chrooted bind on linux?


■ Requirement : Configure rndc key with chrooted bind
■ OS Environment : Linux, RHEL 6.2, Centos
■ Implementation Steps :

1. Create /var/named/chroot/etc/rndc.conf (the copy under the chroot, linked from /etc in step 4) with the following lines :

options {
default-server 127.0.0.1;
default-key "rndckey";
};

server 127.0.0.1 {
key "rndckey";
};

key "rndckey" {
algorithm "hmac-md5";
secret "secret key will be placed here";
};

2. Generate the shared secret :

$ cd /var/named/chroot/etc/
$ dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 256 -n HOST rndc

This writes a Krndc.+157+<tag>.private file (157 is the algorithm number of HMAC-MD5) whose "Key:" line holds the base64 secret.

3. Copy the base64 value from the "Key:" line of the .private file into the "secret" line of rndc.conf, then make the file readable by root only (mode 0600), since anyone who can read the secret can stop, reload and reconfigure named. The same key statement, plus a controls statement that references it and listens on 127.0.0.1, must also be present in named.conf inside the chroot, otherwise rndc cannot authenticate to named; "rndc-confgen" prints both stanzas ready to paste if you prefer to generate the secret that way. Delete the K*.private and K*.key files once the secret is in place.

4. Create a soft link so that rndc, which runs outside the chroot, reads the same file :

$ ln -s /var/named/chroot/etc/rndc.conf /etc/rndc.conf

5. Restart named :

$ service named restart

6. Verification :

$ rndc status

Output will look like :

version: 9.7.3-P3-RedHat-9.7.3-2.el6_1.P3.2
CPUs found: 1
worker threads: 1
number of zones: 20
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
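Since the secret has to appear identically in rndc.conf and in named.conf, it is safer to generate both fragments from one value than to copy it by hand. The following script, an added example that is not part of the original post, does that with openssl (or /dev/urandom when openssl is absent) instead of dnssec-keygen, writes both files with mode 0600, and emits a controls statement that accepts only this key and only on loopback. The key name, algorithm and output directory are parameters; the defaults are the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): generate one rndc secret and
# write the matching rndc.conf and named.conf stanzas from it. Key name and
# algorithm default to the post's "rndckey" / hmac-md5; both are parameters.

# rndc_secret [BYTES] : BYTES (default 32 = 256 bits) of random data, base64.
rndc_secret() {
    n=${1:-32}
    openssl rand -base64 "$n" 2>/dev/null || head -c "$n" /dev/urandom | base64 | tr -d '\n'
}

# rndc_conf KEYNAME ALG SECRET : contents of rndc.conf (the client side).
rndc_conf() {
    cat <<EOF
options {
    default-server 127.0.0.1;
    default-key "$1";
};

server 127.0.0.1 {
    key "$1";
};

key "$1" {
    algorithm "$2";
    secret "$3";
};
EOF
}

# named_controls KEYNAME ALG SECRET : the stanzas named.conf needs. The
# controls statement listens on loopback only and accepts only this key.
named_controls() {
    cat <<EOF
key "$1" {
    algorithm "$2";
    secret "$3";
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "$1"; };
};
EOF
}

# write_rndc_files OUTDIR [KEYNAME] [ALG] : write OUTDIR/rndc.conf and
# OUTDIR/named.rndc.conf with one fresh secret, mode 0600, and print the
# secret so the caller can confirm both files carry the same value.
write_rndc_files() {
    out=$1 name=${2:-rndckey} alg=${3:-hmac-md5}
    secret=$(rndc_secret 32)
    ( umask 077                                 # secrets: root-readable only
      rndc_conf "$name" "$alg" "$secret" > "$out/rndc.conf"
      named_controls "$name" "$alg" "$secret" > "$out/named.rndc.conf" )
    echo "$secret"
}

# Typical use with the chroot layout from the post (assumed paths):
#   write_rndc_files /var/named/chroot/etc
#   ln -s /var/named/chroot/etc/rndc.conf /etc/rndc.conf
#   then add   include "/etc/named.rndc.conf";   to named.conf in the chroot
#   (paths in named.conf are relative to the chroot root).
```

The include keeps the secret out of named.conf itself, so named.conf can stay world-readable while the key file is not.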

Tuesday, November 15, 2011

How to rotate sudo log?

■ Requirement : Rotate sudo log messages
■ OS Environment : Linux, RHEL, Centos
■ Assumption : 

  •    sudo log file = /var/log/sudolog
  •    log retention = 90 days

■ Implementation Steps :

1. Edit /etc/sudoers (with visudo, which refuses to save a file with syntax errors) and add the following lines :

Defaults !syslog
Defaults logfile = /var/log/sudolog

"Defaults !syslog" stops sudo from logging to syslog as well. Keep syslog enabled if the host forwards logs to a central collector: a local file is writable by root, so on its own it is no evidence against someone who has just run sudo.

2. Rotate this log file. sudo opens and closes /var/log/sudolog for every entry, so no daemon has to be signalled after rotation; in particular a HUP to syslogd does nothing for this file. The 90-day retention in the assumption calls for a daily rotation keeping 90 copies; a size trigger (size 5M) would keep 90 files of unpredictable age instead. Create /etc/logrotate.d/sudolog with the following :

/var/log/sudolog {
daily
rotate 90
missingok
notifempty
compress
delaycompress
create 0600 root root
}

3. No service restart is needed: sudo re-reads /etc/sudoers on every invocation, and logrotate runs from cron daily. Check the sudoers syntax with "visudo -c" and the rotation with "logrotate -d /etc/logrotate.d/sudolog", a dry run that prints what would be rotated without touching the file.
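Once sudo writes to its own file, the next question is what to look for in it. The following script, an added example that is not part of the original post, parses lines in sudo's logfile format (one entry per line: timestamp, invoking user, an optional failure reason, then TTY, PWD, USER and COMMAND separated by " ; ") and pulls out denials, failed password attempts, and successful commands that hand out an interactive root shell or a shell escape. The sample entries are constructed, not real log data, and the list of shell-like commands is an assumption to extend for your environment.

```shell
#!/bin/sh
# Added example (not from the original post): triage a sudo logfile.
# Entry format written by sudo's "logfile" option:
#   Mon DD HH:MM:SS : user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...

# sample_sudolog FILE : write constructed sample entries (not real log data).
sample_sudolog() {
    cat > "$1" <<'EOF'
Nov 15 13:02:11 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service httpd restart
Nov 15 13:03:40 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Nov 15 13:04:12 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/yum update
Nov 15 13:05:02 : bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su
Nov 15 13:06:19 : bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls
Nov 15 13:07:55 : carol : TTY=pts/2 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers
EOF
}

# sudo_denials FILE : entries where sudo refused the command or the
# password; the lines to alert on first.
sudo_denials() {
    grep -E ' : (command not allowed|[0-9]+ incorrect password attempts?) ;' "$1"
}

# sudo_shells FILE : successful entries whose COMMAND yields an interactive
# root shell or a program with a shell escape (editors, pagers, su, ...).
sudo_shells() {
    awk -F' ; ' '
        /command not allowed|incorrect password/ { next }
        {
            cmd = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
            split(cmd, w, " "); base = w[1]; sub(".*/", "", base)
            if (base ~ /^(bash|sh|zsh|su|vi|vim|less|more|python[0-9.]*|perl)$/) print
        }
    ' "$1"
}

# sudo_by_user FILE : "count user" per invoking user, busiest first.
sudo_by_user() {
    awk -F' : ' '{ n[$2]++ } END { for (u in n) print n[u], u }' "$1" | sort -rn
}

# Typical use:  sudo_denials /var/log/sudolog; sudo_shells /var/log/sudolog
```

Denied commands and repeated password failures are the cheap signal; a successful "sudo bash" or "sudo vim /etc/sudoers" is the expensive one, because everything that happens inside that shell or editor is invisible to this log.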