Authoritative Dynamic DNS with bind 9
Posted by admin - 04/08/10 at 09:08:19 am
This article describes how to set up a dynamic DNS using bind9. The standard bind server reads the zone information from a conf file; therefore adding a new record requires editing the conf file and restarting the DNS server for the change to take effect. For frequent updates and a large number of records, this approach becomes very poor in terms of usability and performance.
Fortunately, Linux installations ship an interesting utility, nsupdate, that can add, edit and delete DNS records on the fly, without editing the zone file or restarting the bind DNS server.
Usage instructions under fedora/centos/redhat:
1- Install the bind and bind-utils packages:
#yum install bind bind-utils
2- Create a key for signing the update transactions:
#dnssec-keygen -a HMAC-MD5 -b 512 -n USER jadyounan.com.
This creates two files: jadyounan.com.XXXXXXX.private and jadyounan.com.XXXXXXX.key. The file with the ".private" suffix contains the secret; copy it, as you will use it to configure the bind server later.
3- Edit the bind server conf (usually /etc/named.conf) and add the following to the file:
key "mykey." {
    algorithm hmac-md5;
    secret "your key that you copied from your private key file";
};
zone "jadyounan.com" {
    type master;
    file "/var/named/data/jadyounan.com.db";
    allow-update { key "mykey."; };
};
Save the conf file, then restart the server with /etc/init.d/named restart.
4- Run the nsupdate utility:
nsupdate -d -k "path to your private key file"
An interactive prompt opens; you can now type the update commands, for example:
>server localhost
>update add d.jadyounan.com 6000 A 10.10.10.22
>send
>quit
That's it! The bind server now has a new record d.jadyounan.com 6000 A 10.10.10.22.
Test it:
#dig @localhost d.jadyounan.com
;; ANSWER SECTION:
d.jadyounan.com. 6000 IN A 10.10.10.22
5- By default the bind server allows recursive lookups, so anyone could use it to resolve off-site names. To prevent that, add the following line to the zone section in your conf file:
zone "jadyounan.com" {
    type master;
    file "/var/named/data/jadyounan.com.db";
    allow-update { key "mykey."; };
    allow-query { localnets; };
};
and restart the server. This will stop your server from replying to queries for this zone from clients outside your local networks.
Your dns server is now ready to go.
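As an added example that is not part of the post, the Python below renders the key and zone stanzas plus an nsupdate batch file for many records at once, which is the workload the post is motivated by. It assumes an hmac-sha256 key instead of the post's HMAC-MD5 (current BIND releases generate TSIG keys with tsig-keygen and no longer recommend HMAC-MD5), and the function and record names are illustrative.

```python
import base64
import secrets

def tsig_secret(nbytes=32):
    """Random base64 secret with the same shape as the one the key-generation tool writes."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()

def _check_token(value):
    """Refuse empty or whitespace-containing tokens so a hostile name/value cannot smuggle
    extra lines (and therefore extra commands) into the nsupdate batch."""
    if not value or any(c.isspace() for c in value):
        raise ValueError(f"bad token: {value!r}")
    return value

def render_named_conf(zone, keyname, secret, zonefile, algorithm="hmac-sha256"):
    """key and zone stanzas as in the post: updates are accepted only when signed with the key.
    Recursion is server-wide, so 'recursion no;' belongs in the existing options block."""
    return (
        f'key "{keyname}" {{\n'
        f'    algorithm {algorithm};\n'
        f'    secret "{secret}";\n'
        '};\n'
        f'zone "{zone}" {{\n'
        '    type master;\n'
        f'    file "{zonefile}";\n'
        f'    allow-update {{ key "{keyname}"; }};\n'
        '};\n'
    )

def render_nsupdate_batch(server, zone, records, ttl=6000):
    """records: iterable of (name, type, value). Each name/type is deleted before it is
    re-added, so rerunning the batch replaces stale addresses instead of stacking them."""
    lines = [f"server {server}", f"zone {zone}"]
    for name, rtype, value in records:
        fqdn = f"{_check_token(name)}.{zone}."
        lines.append(f"update delete {fqdn} {_check_token(rtype)}")
        lines.append(f"update add {fqdn} {ttl} {rtype} {_check_token(value)}")
    lines += ["send", "quit"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_named_conf("jadyounan.com", "mykey.", tsig_secret(), "/var/named/data/jadyounan.com.db"))
    # constructed sample records; run the result with: nsupdate -k <private key file> batch.txt
    records = [("d", "A", "10.10.10.22"), ("e", "A", "10.10.10.23")]
    print(render_nsupdate_batch("localhost", "jadyounan.com", records), end="")
```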
Human brain vs. modern computer
Posted by admin - 16/05/10 at 01:05:38 pm
Memory:
It's been said that the human brain has a multi-level cache similar to a modern computer's. A modern computer has multiple levels of cache: CPU Lx caches, memory, disk, tape... Multi-level cache designs offer a convenient way to access data; physically close caches are faster to access but tend to have a limited capacity, for sheer physical reasons. Human short-term memory is extremely fast and works like a limited LRU queue, where new sensory data replaces relatively older data. It's been said that the magic retention index is 7 +/- 2. If there are more than 10 data points in short-term memory, the older points are "dumped" to long-term memory, aka "human memory". Being a network of interconnections rather than data banks, long-term memory is inaccurate to access but often survives for many years. It has been proven that different data types (speech, images, shapes) are stored in different parts of the brain.
Processing:
Compared to a CPU, the neural interconnections are sluggish: 100 meters per second and a maximum of 1000 clock cycles per second, but the parallel design of the neurons is staggering: 10 billion neurons x 25,000 connections per neuron. The parallel nature of the neurons provides a fault-tolerant system capable of solving parallelizable problems, such as pattern recognition, in the blink of an eye. However, tasks that cannot be parallelized, like arithmetic, are not easily processed. Consequently, the brain is well designed to process probabilistic rather than deterministic data, since the data is stored as compressed "icons" as opposed to a lossless image.
IPtables howto
Posted by admin - 30/01/10 at 08:01:01 am
To block an IP address on a Linux server, type the following command (from a superuser shell):
iptables -A INPUT -s IP_ADDRESS -j DROP
To make the change permanent, add the line -A INPUT -s IP_ADDRESS -j DROP to /etc/sysconfig/iptables, followed by /etc/init.d/iptables restart or service iptables restart.
The service iptables save command also permanently saves the current iptables configuration to the /etc/sysconfig/iptables file.
Allowing WWW And SSH Access To Your Firewall
This sample snippet is for a firewall that doubles as a web server managed remotely by its system administrator via secure shell (SSH) sessions. Inbound packets destined for ports 80 and 22 are allowed, which is the first step in establishing a connection. It isn't necessary to specify these ports for the return leg, as outbound packets for all established connections are allowed. Connections initiated by persons logged into the web server will be denied, as outbound NEW connection packets aren't allowed.
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
Allowing only a single IP address to access port 80:
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 --source 74.82.233.105 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
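As an added example that is not part of the post, the Python below parses a ruleset in the /etc/sysconfig/iptables format shown above (embedded here as a constructed copy of that ruleset) and reports which TCP ports accept new connections and from where, which is the check to run before calling the host locked down. The function names are illustrative.

```python
import re

# Constructed copy of the single-IP ruleset from the post (iptables-save format).
RULESET = """*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 --source 74.82.233.105 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_rules(text):
    """Split an iptables-save dump into {chain: policy} and the list of -A rule lines."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(line)
    return policies, rules

def open_ports(text):
    """Map each TCP port accepted by a --dport rule to its allowed source ('any' when unrestricted)."""
    found = {}
    for rule in parse_rules(text)[1]:
        port = re.search(r"--dport (\d+)", rule)
        if port and rule.endswith("-j ACCEPT"):
            src = re.search(r"\s(?:--source|-s)\s(\S+)", rule)
            found[int(port.group(1))] = src.group(1) if src else "any"
    return found

def audit(text):
    """Findings a reviewer wants: every open port with its source, and a missing catch-all."""
    policies, rules = parse_rules(text)
    findings = [f"tcp/{p} open to {s}" for p, s in sorted(open_ports(text).items())]
    has_catch_all = any(re.search(r"-j (DROP|REJECT)\b", r) for r in rules)
    if policies.get("INPUT") == "ACCEPT" and not has_catch_all:
        findings.append("INPUT policy ACCEPT with no catch-all DROP/REJECT rule")
    return findings
```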
java.lang.Runtime under Windows Vista
Posted by admin - 20/11/09 at 05:11:28 am
Running Windows programs located under "c:\Program Files\" with the Java Runtime library is anything but straightforward. Below is an example class used to back up and restore MySQL databases; MySQL is usually found under c:\Program Files\Mysql\. The trick is to execute the array of commands {"cmd.exe", "/c", "yourprogram"} instead of "yourprogram" alone.
package cast;

import java.io.BufferedReader;
import java.io.InputStreamReader;

public class BR {
    public final static String DATABASE_PATH = "c:\\Program Files\\Mysql5.0\\bin\\";
    public final static String DATABASE_USER = "root";
    public final static String DATABASE_PASSWORD = "123456";

    public static void main(String[] args) {
        BR br = new BR();
        String file = "c:\\Users\\elie\\data.sql";
        String dbName = "cast";
        //br.backup(dbName, file);
        br.restore(file, dbName);
    }

    public BR() {
    }

    // The executable path is wrapped in quotes so cmd.exe copes with the space in
    // "Program Files"; the > redirection only works because cmd.exe interprets the line.
    public void backup(String dbName, String toFile) {
        String backupCmd = " \"" + DATABASE_PATH + "mysqldump.exe" + "\"" + " -u " + DATABASE_USER
                + " -p" + DATABASE_PASSWORD + " " + dbName + " > " + toFile;
        exec(backupCmd);
    }

    public void restore(String fromFile, String dbName) {
        String restoreCmd = " \"" + DATABASE_PATH + "mysql.exe" + "\"" + " -u " + DATABASE_USER
                + " -p" + DATABASE_PASSWORD + " " + dbName + " < " + fromFile;
        exec(restoreCmd);
    }

    // Hands the whole line to "cmd.exe /c", which handles the quoting and the redirection.
    // Because the shell interprets the string, dbName and the file names must come from
    // trusted code, and the password is visible to other local users in the process list.
    private void exec(String cmd) {
        try {
            String commands[] = {"cmd.exe", "/c", cmd};
            Runtime r = Runtime.getRuntime();
            Process p = r.exec(commands);
            // Only stdout is drained here; a program writing a lot to stderr can block.
            BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
            String line = br.readLine();
            while (line != null) {
                System.out.println(line);
                line = br.readLine();
            }
            br.close();
            p.destroy();
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}
Road Runner Dead.
Posted by admin - 15/11/09 at 01:11:43 pm
Yes, it is confirmed. Road Runner dies.
Quick and dirty mysql master-slave replication
Posted by admin - 07/10/09 at 08:10:40 am
+Create a user on the master server:
+mysql> grant replication slave on *.* to root@'%' identified by 'password'
+Append the following to /etc/my.cnf:
log-bin=mysql-bin
server-id=1
binlog-ignore-db=mysql
+On the master server: mysql> show master status
+------------------+----------+--------------+------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+--------------+------------------+
| mysql-bin.000112 | 79       |              | mysql            |
+------------------+----------+--------------+------------------+
1 row in set (0.00 sec)
+Save those values, as you will need them on the slave later.
+Dump the master data to a file: mysqldump -u root -ppassword --all-databases > data.sql
+Import the dump file on the slave: mysql -u root -ppassword < data.sql
+On the slave server, set the master host and user by adding the following to /etc/my.cnf:
server-id=2
master-host = [IP of Master Server]
master-user = root
master-password = [password]
master-port = 3306
+On the slave: mysql> CHANGE MASTER TO MASTER_LOG_FILE='[filename]', MASTER_LOG_POS=[position];
+On the slave: mysql> slave start
+On the slave: mysql> show slave status;
+CHANGE MASTER TO MASTER_LOG_FILE='[Filename written down]',
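As an added example that is not part of the post, the Python below parses the "show master status" table (a constructed copy of the output above) into the file and position the slave needs, and renders the CHANGE MASTER TO and GRANT statements with proper literal quoting. The GRANT deliberately departs from the post by using a dedicated replication account limited to the slave's address instead of root@'%'; the account name, hosts and password are illustrative.

```python
import re

# Constructed copy of the "show master status" output from the post.
MASTER_STATUS = """+------------------+----------+--------------+------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+--------------+------------------+
| mysql-bin.000112 | 79       |              | mysql            |
+------------------+----------+--------------+------------------+
1 row in set (0.00 sec)
"""

def parse_master_status(text):
    """Return (binlog file, position) from the mysql client's table output."""
    for line in text.splitlines():
        m = re.match(r"\|\s*(\S+\.\d+)\s*\|\s*(\d+)\s*\|", line)
        if m:
            return m.group(1), int(m.group(2))
    raise ValueError("no binlog coordinates found in output")

def sql_quote(value):
    """Single-quote a string literal, escaping backslashes and embedded quotes."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"

def replication_grant(user, slave_host, password):
    """Least-privilege variant of the post's root@'%' grant: one account, one source host, one privilege."""
    return (f"GRANT REPLICATION SLAVE ON *.* TO {sql_quote(user)}@{sql_quote(slave_host)} "
            f"IDENTIFIED BY {sql_quote(password)};")

def change_master(master_host, user, password, logfile, position, port=3306):
    """CHANGE MASTER TO using the coordinates recorded on the master before the dump."""
    return (f"CHANGE MASTER TO MASTER_HOST={sql_quote(master_host)}, MASTER_USER={sql_quote(user)}, "
            f"MASTER_PASSWORD={sql_quote(password)}, MASTER_PORT={int(port)}, "
            f"MASTER_LOG_FILE={sql_quote(logfile)}, MASTER_LOG_POS={int(position)};")

if __name__ == "__main__":
    logfile, pos = parse_master_status(MASTER_STATUS)
    print(replication_grant("repl", "10.0.0.2", "s3cret"))             # run on the master
    print(change_master("10.0.0.1", "repl", "s3cret", logfile, pos))   # run on the slave, then start the slave
```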
How to fix the java.net.SocketException : Too many open files
Posted by admin - 06/10/09 at 04:10:26 am
Java applications serving a large number of concurrent client connections will typically throw a java.io.FileNotFoundException: ... (Too many open files). This is because the number of open file descriptors on Linux is limited at both the system and the shell level.
To raise the limits, change or add the following line at the end of /etc/sysctl.conf:
fs.file-max = 100000
Next, raise the shell-level limit in /etc/security/limits.conf by adding the following lines:
* soft nofile 4096
* hard nofile 4096
You will have to reboot for the new settings to take effect.
You can check the new limits with ulimit -n and sysctl fs.file-max.
Configuring several name-based websites on a single IP address, apache 2.0, linux centos 5.x,4.x
Posted by admin - 05/10/09 at 04:10:52 am
In this setup, your machine has a single public IP address and several aliases/CNAMEs pointing to your IP. Apache's virtual hosts can be used to run www.website1.com and www.website2.com on your public IP.
Edit the httpd config file (usually /etc/httpd/conf/httpd.conf) and add the following snippet at the end of the file:
NameVirtualHost *:80
<VirtualHost *:80>
    DocumentRoot /var/website1/html/
    ServerName www.website1.com
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /var/website2/html/
    ServerName www.website2.com
</VirtualHost>
Apache Tomcat 6.0 – SSL Configuration
Posted by admin - 02/10/09 at 04:10:55 pm
Generate a key with the JDK's keytool:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Uncomment the connector:
<Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${user.home}/.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS"/>
Turn off APR SSL, as Tomcat will otherwise try to autoload the APR connector:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />
Restart.
To install a GoDaddy certificate, follow the instructions below:
+Generate the key pair: keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
+Generate the CSR (certificate request): keytool -certreq -keyalg RSA -alias tomcat -file domain.com.csr -keystore tomcat.keystore
+Buy your certificate from GoDaddy's site. Unzip the downloaded file in your home folder.
+Import the certs into your store:
#keytool -import -alias root -trustcacerts -file gd_bundle.crt -keystore tomcat.keystore
#keytool -import -alias cross -trustcacerts -file gd_cross_intermediate.crt -keystore tomcat.keystore
#keytool -import -alias intermed -trustcacerts -file gd_intermediate.crt -keystore tomcat.keystore
#keytool -import -alias tomcat -trustcacerts -file domain.com.crt -keystore tomcat.keystore
+Update server.xml in the tomcat\conf folder:
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
    port="443" minSpareThreads="5" maxSpareThreads="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="tomcat.keystore"
    keystorePass="pass"
    clientAuth="false" sslProtocol="TLS"/>
+Restart tomcat.
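As an added example that is not part of the post, the Python below audits a Connector element like the two above (the first one embedded as a constructed copy) for the settings a reviewer checks before exposing the port: SSL actually enabled, the https scheme, and a keystore password that is not a well-known default such as changeit or pass. The weak-password list and function name are this example's own.

```python
import xml.etree.ElementTree as ET

# Values Tomcat ships with or that people leave in place; any of these is a finding.
WEAK_KEYSTORE_PASSWORDS = {"", "changeit", "pass", "password"}

# Constructed copy of the first connector in the post (keystorePass left at the default).
CONNECTOR = """<Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${user.home}/.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS"/>"""

def audit_connector(xml_text):
    """Return findings for one <Connector .../> element; an empty list means it passes."""
    attrs = ET.fromstring(xml_text).attrib
    findings = []
    for name in ("SSLEnabled", "secure"):
        if attrs.get(name, "false").lower() != "true":
            findings.append(f"{name} is not true")
    if attrs.get("scheme") != "https":
        findings.append("scheme is not https")
    # Tomcat falls back to "changeit" when keystorePass is absent, so absent counts as weak.
    if attrs.get("keystorePass", "changeit") in WEAK_KEYSTORE_PASSWORDS:
        findings.append("keystorePass is absent, empty or a well-known default")
    if not attrs.get("keystoreFile"):
        findings.append("keystoreFile is not set")
    return findings

if __name__ == "__main__":
    for finding in audit_connector(CONNECTOR):
        print("finding:", finding)
```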
ACL config in HAProxy
Posted by admin - 02/10/09 at 11:10:25 am
global
    maxconn 4096 # Total max connections. This depends on ulimit
    daemon
    nbproc 2 # Number of processing cores. A dual dual-core Opteron is 4 cores, for example.
defaults
    mode http
    clitimeout 60000
    srvtimeout 30000
    contimeout 4000
    option httpclose # Disable keepalive
listen http_proxy host:port
    balance roundrobin # Load balancing algorithm
    option httpchk
    option forwardfor # This sets X-Forwarded-For
    acl woo.tt hdr_end woo.tt
    acl analytics hdr_end analytics.woopra.com
    acl glass hdr_end glass.woopra.com
    use_backend woo_tt_server if woo.tt
    use_backend analytics_server if analytics
    use_backend glass_server if glass
backend woo_tt_server
    mode http
    server woo_tt_1 google.com:80 cookie A check
backend analytics_server
    mode http
    server analytics_1 72.233.44.22:8080 cookie A check
backend glass_server
    mode http
    server glass_1 72.233.44.22:8080 cookie A check
More useful ACLs can be found at: http://haproxy.1wt.eu/download/1.3/doc/configuration.txt
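As an added example that is not part of the post, the Python below models how the ACLs above pick a backend for a Host value: use_backend lines are tried in file order and hdr_end is a plain suffix test. It also shows the case the post's rules do not cover, a Host such as notwoo.tt that ends in the ACL string and therefore lands on that backend unless the match is anchored; the RULES table, route() and the anchored variant are this example's own.

```python
# Constructed from the post's acl/use_backend block: (hdr_end pattern, backend) in file order,
# because HAProxy takes the first use_backend whose condition matches.
RULES = [
    ("woo.tt", "woo_tt_server"),
    ("analytics.woopra.com", "analytics_server"),
    ("glass.woopra.com", "glass_server"),
]

def hdr_end(value, pattern, ignore_case=False):
    """HAProxy's hdr_end: true when the header value ends with the pattern (case-sensitive unless -i)."""
    if ignore_case:
        value, pattern = value.lower(), pattern.lower()
    return value.endswith(pattern)

def route(host, rules=RULES, anchored=False):
    """Backend chosen for a Host header value, or None when no rule matches.
    anchored=True models the tighter rule: the exact name, or '.pattern' as a subdomain suffix,
    so notwoo.tt no longer satisfies the woo.tt ACL while api.glass.woopra.com still does."""
    for pattern, backend in rules:
        if anchored:
            matched = host == pattern or hdr_end(host, "." + pattern)
        else:
            matched = hdr_end(host, pattern)
        if matched:
            return backend
    return None

if __name__ == "__main__":
    for h in ("analytics.woopra.com", "notwoo.tt"):
        print(h, "->", route(h), "| anchored:", route(h, anchored=True))
```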