Giving a normal user super-user access: the sudo user

When you install RHEL, the post-installation stage asks you to create a normal user and warns you if you skip it. root is the most powerful account on the system and can do anything. On a production server you should therefore not hand out the root password to anyone, however experienced they are with Linux. Once someone else has root you no longer control the server, and if a mistyped command crashes or reboots it tomorrow you have no way of knowing who did what.

That said, people sometimes do need root privileges for a particular task, such as restarting the Apache service or running a script. As the system administrator you have to give them exactly that access and nothing that could affect the rest of the server.

This is what sudo is for.

So what is a sudo user?

A sudo user is a normal user who has been permitted, through /etc/sudoers, to run specific commands, or all commands, with the privileges of the superuser.

You may ask: if a sudo user is given permission for everything, what is the difference between that user and root?

First, every command run through sudo is logged together with the name of the user who ran it (on RHEL in /var/log/secure), whereas commands typed in a root shell leave no such trail. Even a user with full sudo rights is therefore accountable for each command.

Second, sudo asks for the user's own password (not root's) before running a command. Nobody needs to know the root password at all, and the prompt gives a moment to look at the command again before it runs, which matters when the command is something like rm -rf *.

In practice, though, sudo is mainly used when a normal user needs to perform some administrative operations but not all of them.

Now how can we make a normal user a sudo user?

To make a user a sudo user, log in to the server as root and run visudo.

visudo opens /etc/sudoers for editing. The file itself is read-only (mode 0440) and should never be edited directly: visudo locks it against concurrent edits and checks the syntax before saving, because a syntax error in /etc/sudoers breaks sudo for everyone. In this file you define the access for each normal user.

There are two ways to make a user a sudo user.

    1. Give the user the same access as root
    2. Give the user access to specific commands on specific machines

Give the user the same access as root:-

In /etc/sudoers look for the line

     root       ALL=(ALL)            ALL

This line means that the user root may, from ALL hosts, run ALL commands acting as ALL users. The first ALL is a host list (it matters when one sudoers file is shared between several machines), not a list of terminals.

Append a similar line for the user, let's say bob

     bob     ALL=(ALL)     ALL

Separate multiple users with commas.

     bob, charles   ALL=(ALL)    ALL

To give a user specific permission, let's say bob may only restart the Apache server, append the line below to /etc/sudoers (on RHEL the init script is /etc/init.d/httpd; the host field must match this machine's host name, and ALL is the simplest choice on a single server).

     bob localhost=/etc/init.d/httpd restart

To give a user permission for several operations, list the commands separated by commas

     bob ALL= /bin/kill, /etc/init.d/httpd

Be careful what you list here. A command given without arguments may be run with any arguments, so the line above lets bob kill any process on the system and start, stop or restart httpd as he pleases. And any program that can spawn a shell or write arbitrary files (editors such as vi, pagers, find with -exec, scripting interpreters) is as good as ALL, because bob can use it to become root.

As said above, each command run through sudo gets logged. To see this, run a command as the sudo user and check the log file /var/log/secure (as root; the log is not readable by ordinary users).

As the user bob execute

     $ sudo /etc/init.d/httpd restart

Then, as root, check the log file with

     # tail -f /var/log/secure
     Output:- Aug 28 03:21:30 sudo:       bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/etc/init.d/httpd restart

For advanced users,

Concept of sudo:-

Try this experiment

1) Log in as root on tty1 and as bob on tty2.
2) On tty2 run a sample command, $ vi abc. Go to tty1 and run # ps -Alf
3) On tty2 run the same command through sudo, $ sudo vi abc. Go to tty1 and run # ps -Alf again

Now compare the third field (UID) of the vi line in the output of steps 2 and 3.

You will see that when a user runs something through sudo, the command is in practice running with root's uid (and gid), exactly as if root had typed it. This is also why an editor is a dangerous thing to allow in sudoers: from inside sudo vi the user can type :!sh and get a root shell.
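Added here as an example, not code from the original post: a small POSIX shell script that reads sudo entries from a syslog-style file such as /var/log/secure, prints who ran what and whether sudo allowed it, and flags allowed commands that hand out a root shell anyway (the reason a sudoers line such as bob ALL=/bin/vi is as good as ALL). The sample log lines are constructed in the format shown above, and the list of shell-escape programs is illustrative, not exhaustive.

```shell
#!/bin/sh
# Added example; not part of the original post. Summarises sudo entries from a
# syslog-style file such as /var/log/secure and flags allowed commands that give
# a root shell anyway.

# Constructed sample lines in the format sudo writes through syslog; the host name
# field is omitted, as in the post's tail output.
sample_sudo_log() {
    cat <<'EOF'
Aug 28 03:21:30 sudo:   bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/etc/init.d/httpd restart
Aug 28 03:22:11 sudo:   bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/vi /etc/passwd
Aug 28 03:25:02 sudo:   bob : command not allowed ; TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Aug 28 03:26:40 sudo: charles : TTY=pts/4 ; PWD=/tmp ; USER=root ; COMMAND=/bin/kill 1
Aug 28 03:27:05 sshd[2211]: Accepted password for bob from 192.0.2.7 port 51022 ssh2
EOF
}

# Print one tab-separated line per sudo invocation: ALLOWED|DENIED, invoking user, command.
sudo_log_report() {
    awk '
        / sudo: / && /COMMAND=/ {
            rest = $0; sub(/.* sudo: +/, "", rest)          # "bob : TTY=... ; COMMAND=..."
            user = rest; sub(/ :.*/, "", user)
            cmd = $0; sub(/.*COMMAND=/, "", cmd)
            status = ($0 ~ /command not allowed|NOT in sudoers/) ? "DENIED" : "ALLOWED"
            print status "\t" user "\t" cmd
        }' "$1"
}

# Programs that can start a shell or edit arbitrary files as root. Illustrative, not exhaustive.
SHELL_ESCAPES="vi vim view less more man find bash sh su awk perl python"

# Allowed sudo commands whose program is on the escape list: user and full command.
sudo_risky() {
    sudo_log_report "$1" | awk -F '\t' -v list="$SHELL_ESCAPES" '
        BEGIN { n = split(list, l, " "); for (i = 1; i <= n; i++) esc[l[i]] = 1 }
        $1 == "ALLOWED" {
            split($3, parts, " "); base = parts[1]; sub(/.*\//, "", base)   # program name only
            if (base in esc) print $2 "\t" $3
        }'
}

# Stand-alone run: report over the constructed sample, then the risky subset.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    sample_sudo_log > "$tmp"
    sudo_log_report "$tmp"
    echo "--- allowed commands that give a root shell:"
    sudo_risky "$tmp"
    rm -f "$tmp"
fi
```

Run it with the argument demo to see the report over the sample, or point sudo_log_report at a real /var/log/secure as root. On the sample the denied /bin/bash attempt shows why the log is worth reading, and the allowed sudo vi line is the one that should make you revisit the sudoers entry that permitted it.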


Install GNOME or KDE desktop environment from the CLI mode

September 21, 2010

Yesterday I got a request from my users that they needed a graphical interface installed on the server for their project work. I knew this is simple to do with yum groupinstall, but the problem I faced was that this was an internal server with no internet connection, and it was a VM on VMware, so no physical optical drive was present either. Below are the steps I used to get it working.

  1. Mount the CD/DVD on your system. On a physical machine insert the disc and mount it; on a VM attach the ISO image to the virtual drive first and then mount it.

    mount /dev/cdrom /mnt
  2. Create a directory and copy the contents of the Server directory on the media into it.

    mkdir /repository

    cp  -rvf  /mnt/Server/*  /repository/
  3. Unmount the CD/DVD drive.
    umount /mnt

    If the device is reported busy you can use a lazy unmount, which detaches the mount point now and finishes once nothing uses it any more

    umount   -l /mnt

  4. Go into the /repository directory and install the createrepo package together with the packages it depends on (which is why a wildcard is used).

    rpm -ivh createrepo*
  5. Create a file /etc/yum.repos.d/myrepo.repo (the .repo suffix is required, or yum ignores the file) with the following contents
           [myrepo]
           name=Red Hat Enterprise Linux $releasever - $basearch - local media
           baseurl=file:///repository
           enabled=1
           gpgcheck=1

    Keep gpgcheck=1 even for a local copy: the packages on the media are signed and verification costs nothing. Import the vendor key from the media first with rpm --import (on RHEL 5 media it is the RPM-GPG-KEY-redhat-release file in the root of the disc).
  6. Check whether the yum-utils package is present in /repository.
          cd /repository
            ls -l | grep yum-utils

    yum-utils provides helper tools such as repoquery and yumdownloader. It is convenient to have, but group support itself comes from the comps.xml group file described in step 10, not from this package.

  7. If it is not there, download it for your RHEL version from a package search site that lets you filter by OS version, put it inside /repository and install it.
  8. Use the createrepo command to create your repository
    createrepo   /repository/
  9. After creating the repository and installing yum-utils you can try the command

    yum grouplist

    The output will list some groups like those given below

     Loading "rhnplugin" plugin
     Loading "installonlyn" plugin
     Setting up Group Process
     Setting up repositories
     rhel-debuginfo            100% |=========================| 1.1 kB    00:00
     Installed Groups:
               MySQL Database
               System Tools
               FTP Server
               Network Servers
               Printing Support
               Mail Server
               Server Configuration Tools
     Available Groups:
               Administration Tools
               GNOME Software Development
               X Software Development
               GNOME Desktop Environment
               Authoring and Publishing
               Games and Entertainment
               X Window System
               KDE Software Development
               KDE (K Desktop Environment)
               Sound and Video
               Graphical Internet
  10. If you do not see output like the above, you need a group file called comps.xml that defines the groups. If you do not want to write one from scratch, the Server/repodata directory on the media ships a comps file (named comps-*.xml) that you can copy into /repository as comps.xml.

  11. After placing comps.xml inside /repository you have to recreate the repository so that it is registered as the group file
    createrepo -g comps.xml /repository
  12. Now run yum grouplist and you will see output like the following
    yum grouplist

    Sample output:

     Setting up Group Process
     Setting up repositories
     rhel-debuginfo            100% |=========================| 1.1 kB    00:00
     Installed Groups:
              Printing Support
     Available Groups:
              GNOME Desktop Environment
              X Window System
              Graphical Internet
  13. Now you can install the groups listed above. To install the GNOME Desktop Environment use the command
yum groupinstall "GNOME Desktop Environment"

Now you can use startx to get the graphical GNOME desktop. Bear in mind that a desktop environment adds a large amount of software, and attack surface, to a server; install it only where it is genuinely needed and leave the default runlevel at 3.

Similarly you can install the KDE desktop environment. Just make sure the group is defined in comps.xml and run

yum groupinstall "KDE (K Desktop Environment)"
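The whole procedure above as one script, added here as an example; it is not code from the original post. It assumes the paths used in the post (/dev/cdrom, /mnt, /repository, /etc/yum.repos.d/myrepo.repo), that the media carries the vendor key as RPM-GPG-KEY-redhat-release in its root directory, and that the createrepo RPMs are in the copied Server directory. The repo_stanza and repo_file_ok functions run on any machine; build_repo needs the media and root privileges, so it only runs when the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example (not from the original post): build a local yum repository from
# RHEL install media on a machine without internet access, and write a .repo file
# that keeps GPG signature checking enabled. Paths below are the post's; the key
# file name on the media is an assumption.
set -eu

MEDIA=${MEDIA:-/dev/cdrom}
MNT=${MNT:-/mnt}
REPO=${REPO:-/repository}
REPO_FILE=${REPO_FILE:-/etc/yum.repos.d/myrepo.repo}
MEDIA_KEY=${MEDIA_KEY:-RPM-GPG-KEY-redhat-release}   # assumed name of the vendor key on the media

# Print the complete .repo stanza for a repository directory.
repo_stanza() {
    printf '%s\n' "[myrepo]" \
                  "name=Local RHEL media repository" \
                  "baseurl=file://$1" \
                  "enabled=1" \
                  "gpgcheck=1"
}

# Refuse a .repo file that disables signature checks or does not point at a local path.
repo_file_ok() {
    grep -q '^gpgcheck=1$' "$1" && grep -q '^baseurl=file:///' "$1"
}

build_repo() {
    mount -o ro "$MEDIA" "$MNT"                      # read-only: nothing should write to the media
    mkdir -p "$REPO"
    cp -r "$MNT/Server/." "$REPO/"
    rpm --import "$MNT/$MEDIA_KEY"                   # so gpgcheck=1 can verify the copied packages
    umount "$MNT"
    rpm -q createrepo >/dev/null 2>&1 || rpm -ivh "$REPO"/createrepo*.rpm
    createrepo "$REPO"
    repo_stanza "$REPO" > "$REPO_FILE"
    repo_file_ok "$REPO_FILE"                        # abort (set -e) rather than use a weak repo file
    yum clean all
    yum grouplist
}

if [ "${1:-}" = "run" ]; then
    build_repo
fi
```

The check before yum clean all is deliberate: a repo file with gpgcheck=0 is the usual shortcut when the key import was forgotten, and this script refuses to proceed with one instead of silently installing unverified packages.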


Complete open source based web development

Today I will discuss some open source software and tools which are not only good but give you the best options for doing your work if you are a startup that wants to get into web development without spending much on software. If you are an individual like me who wants a place on the web, you can try these tools too. I will cover everything from setting up a server to deploying your application to monitoring it.

As we are discussing the cheapest solution, I do not want to spend anything on operating system licences; I would rather spend that money on better hardware. If you do not want to carry the hardware maintenance cost you can go for a cloud service such as Amazon EC2 or Rackspace Cloud. I assume that for cost reasons everybody will go for a Linux based server. I would go for a Red Hat / Fedora based server with an up-to-date kernel.

Before installing any tools I assume that you have the following set up, in their latest versions.

  • Operating System for server: Linux (any flavor of your choice)
  • Database: MySQL
  • Web server: Apache/Tomcat (as per your requirement)
  • Application: PHP
  • Mail Transfer Agent: Sendmail/Postfix (I like Postfix for its easy configuration)
  1. WinSCP/Bitvise Tunnelier: to access remote systems via the SSH and SFTP protocols.
  2. Webmin: graphical interface to administer Linux servers through a browser. It runs as root, so put it behind HTTPS and restrict who can reach it.
  3. Usermin: web-based interface for managing your mail account through a browser.
  4. Subversion: an open-source, centralized version control system.
      –> TortoiseSVN: Subversion client for Windows.
  5. SpamAssassin: open-source spam filter for incoming/outgoing e-mail.
  6. pfSense: FreeBSD based open source firewall.
  7. Google Apps: the standard version is free for up to 50 users and can be integrated with the mail server for outgoing email.
  8. Zimbra: open source alternative to Microsoft Exchange server. You can also configure BlackBerry devices to stay connected all the time.
  9. phpMyAdmin: GUI tool to administer MySQL databases from a browser. Like Webmin, it is a frequent target; do not leave it open to the internet without access controls.
  10. Mantis: bug tracking system with access control.
  11. phpBB: open source tool to create a forum of your own.
  12. WordPress: blogging platform with a rich support base. Keep it and its plugins updated.
  13. Aptana Studio: IDE for writing HTML, PHP, MySQL etc., with a strong user base for support.
  14. Firebug: a Firefox extension to analyse web pages and their performance in the browser.
    1. YSlow: an extension to Firebug from Yahoo to analyse website performance.
    2. Page Speed: an extension to Firebug from Google to analyse website performance.
  15. Open Inviter: fetches contacts from almost all mail providers and social networking sites (note that it asks your users for their mail passwords to do so).
  16. Nagios: a monitoring tool that checks system and network states and sends alerts by SMS and email.

Mysql database connection from php in different conditions

In this topic we will discuss the different ways of connecting to a MySQL database from PHP, depending on how the server is set up.

The usual configuration to connect to a MySQL database from PHP is


$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = 'password';

$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die('Error connecting to mysql');


Note that the variables are passed unquoted: '$dbhost' in single quotes is the literal string $dbhost, not the value of the variable, and the connection would fail. Two further points. Do not use the MySQL root account from a web application; create a user with only the privileges the application needs on its own database. And the mysql_* functions are deprecated since PHP 5.5 and removed in PHP 7; new code should use mysqli or PDO, which take the same host, port and socket information.

In the discussion below I will change the connection statement only; the rest stays the same.

Condition-1: mysql does not have a password.

Let's say your MySQL server has no password set (which it should not on anything but a throwaway test box). Your connection statement will be

$conn = mysql_connect($dbhost, $dbuser, '') or die('Error connecting to mysql');

Condition-2: MySQL port changed

MySQL runs on the default port 3306, but people sometimes change it. Let's say I have changed the port to 3309. Then my connect statement will be

$conn = mysql_connect('127.0.0.1:3309', $dbuser, $dbpass) or die('Error connecting to mysql');

Use the IP address rather than localhost here: on Unix the MySQL client library treats the host name localhost specially and connects through the Unix socket, ignoring any port you give, so 'localhost:3309' would still go to the socket of the default instance. Also note that moving the port hides nothing from a port scanner; the real protection for a database is a firewall rule and a bind-address that is not reachable from outside.

Condition-3: port same but mysql socket file changed.

On some servers the socket file is not at the default location /var/lib/mysql/mysql.sock

but somewhere else, such as /var/lib/mysql-databases/mysqld2/mysql.sock, typically because the MySQL data directory was moved or a second instance is running. Then the connection statement becomes

$conn = mysql_connect('localhost:/var/lib/mysql-databases/mysqld2/mysql.sock', $dbuser, $dbpass) or die('Error connecting to mysql');

Condition-4: Port and socket changed

Let's say both were changed, the port to 3309 and the socket to /var/lib/mysql-databases/mysqld2/mysql.sock. What will our connection statement be?

$conn = mysql_connect('localhost:/var/lib/mysql-databases/mysqld2/mysql.sock', $dbuser, $dbpass) or die('Error connecting to mysql');

It is the same as in condition 3: when connecting through the socket the port is irrelevant. Give host:port with an IP address, as in condition 2, only if you want a TCP connection instead.


How To Run Multiple instances of Mysql Server on a Single Linux Server

Yesterday I faced a problem where our developer team wanted two MySQL servers with different root passwords, and I had only one Red Hat Linux test server. After a lot of thought I searched Google for "multiple instances of mysql server" and found many articles, all a little confusing. After a lot of testing I finally got two instances of MySQL up and running on a single server. Below are the steps you can follow to do the same.

Step-1: Log in to your server as root.

Step-2: Log in to your MySQL server as root and execute the following command

mysql>GRANT SHUTDOWN ON *.* TO 'multi_admin'@'localhost' IDENTIFIED BY 'secret';

This gives the user "multi_admin" the SHUTDOWN privilege, which is all mysqld_multi needs in order to stop the instances; do not give it more.

Step-3: Leave the mysql prompt and stop the MySQL server. Either of these works

[root@localhost ~]# service mysql stop
[root@localhost ~]# /sbin/service mysql stop

Step-4: Now locate the MySQL configuration file, /etc/my.cnf, and change it as described below.

N:B:- If there is no my.cnf file, look in your MySQL installation folder, in my case /usr/share/mysql. You will find four sample configuration files: "my-small.cnf", "my-medium.cnf", "my-large.cnf" and "my-huge.cnf". Copy any one of them to /etc and rename it to my.cnf.

You can also find all of them with the command below (the pattern is quoted so that the shell does not expand it against the current directory).

[root@localhost ~]# find / -name 'my*.cnf'

Step-5: Open my.cnf and comment out the following lines in the [mysqld] section; each instance gets its own values in step 7

# The MySQL server
#port           = 3306
#socket         = /var/run/mysql/mysql.sock
# Change following line if you want to store your database elsewhere
#datadir        = /var/lib/mysql

Step-6: Add a [mysqld_multi] section with the following lines. The password must be the one you gave multi_admin in step 2. It is stored in clear text, so make sure my.cnf is not world-readable, or keep the [mysqld_multi] section in a separate file readable only by root and pass it to mysqld_multi with --defaults-extra-file.

[mysqld_multi]
mysqld     = /usr/bin/mysqld_safe
mysqladmin = /usr/bin/mysqladmin
log        = /var/log/mysqld_multi.log
user       = multi_admin
password   = secret

Step-7: To define the two instances add a [mysqld1] and a [mysqld2] group after the [mysqld_multi] section. Every instance needs its own unique port, socket, pid-file and datadir; if any of these collide, the second server fails to start or, worse, both write to the same data files and corrupt them. The pid-file entry must name a file inside the instance's data directory, not just the directory.

[mysqld1]
port       = 3306
datadir    = /var/lib/mysql
pid-file   = /var/lib/mysql/
socket     = /var/lib/mysql/mysql.sock
user       = mysql
log-error  = /var/log/mysql1.err

[mysqld2]
port       = 3307
datadir    = /var/lib/mysql-databases/mysqld2
pid-file   = /var/lib/mysql-databases/mysqld2/
socket     = /var/lib/mysql-databases/mysqld2/mysql.sock
user       = mysql
log-error  = /var/log/mysql2.err

Step-8: Save the configuration file and create the directories referenced above. Instance 1 keeps the defaults of the server that was already running, so only the data directory of instance 2 has to be created.

[root@localhost ~]# mkdir -p /var/lib/mysql-databases/mysqld2

Step-9: Copy the mysql grant-table database from the original instance into the second instance's data directory and give the mysql user ownership of the whole tree so that the instance can read and write it.

[root@localhost ~]# cp -r /var/lib/mysql/mysql/ /var/lib/mysql-databases/mysqld2/mysql
[root@localhost ~]# chown -R mysql:mysql /var/lib/mysql-databases

Because the grant tables are copied, instance 2 starts with the same accounts and passwords as instance 1, including root and multi_admin. Once it is running, connect to it through its own socket and set a different root password, which was the whole point of the exercise.

Step-10: Now the two instances are ready to run. Start them with

[root@localhost ~]# mysqld_multi start
To view the status of the instances run
[root@localhost ~]# mysqld_multi report
Reporting MySQL servers
MySQL server from group: mysqld1 is running
MySQL server from group: mysqld2 is running

You can see that the mysqld_multi script has started two mysqld processes with

[root@localhost ~]# ps -e | grep mysql

To stop both instances execute

[root@localhost ~]# mysqld_multi stop

You can also control an individual instance by its group number.

[root@localhost ~]# mysqld_multi stop 1

To verify this
[root@localhost ~]# mysqld_multi report

Reporting MySQL servers
MySQL server from group: mysqld1 is not running
MySQL server from group: mysqld2 is running

[root@localhost ~]# mysqld_multi start 1
[root@localhost ~]# mysqld_multi report
Reporting MySQL servers
MySQL server from group: mysqld1 is running
MySQL server from group: mysqld2 is running

Remember that the two instances listen on different ports and use different socket files, so every client has to be pointed at the right socket or port. Refer to the topic on connecting to MySQL from PHP if a script has trouble connecting.
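Added here as an example, not code from the original post: a POSIX shell check for the collisions step 7 warns about. It parses the [mysqldN] groups of a my.cnf and reports any port, socket, datadir or pid-file value shared by two instances, and any pid-file that names a directory instead of a file. The sample configuration it ships with is constructed in the layout of step 7, with two deliberate mistakes.

```shell
#!/bin/sh
# Added example; not from the original post. Checks a my.cnf for the collisions the
# post warns about: two [mysqldN] groups sharing a port, socket, datadir or pid-file,
# or a pid-file that names a directory instead of a file. Prints one line per finding
# and returns 1 if there were any, so it can gate a "mysqld_multi start".
mysqld_multi_lint() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*\[mysqld[0-9]+\][[:space:]]*$/ {             # start of an instance group
            grp = $0; gsub(/[[:space:]]/, "", grp); gsub(/[][]/, "", grp); next
        }
        /^[[:space:]]*\[/ { grp = ""; next }                         # any other section ends it
        grp != "" && /^[[:space:]]*(port|socket|datadir|pid-file)[[:space:]]*=/ {
            key = $0; sub(/[[:space:]]*=.*/, "", key); gsub(/[[:space:]]/, "", key)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            if ((key, val) in seen) {
                printf "collision: %s = %s is used by both %s and %s\n", key, val, seen[key, val], grp
                bad = 1
            } else {
                seen[key, val] = grp
            }
            if (key == "pid-file" && val ~ /\/$/) {
                printf "%s: pid-file must name a file, not the directory %s\n", grp, val
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample in the layout of the post's step 7: the socket of instance 2 was
# mistakenly left at the default, and instance 1 gives a directory as its pid-file.
sample_my_cnf() {
    cat <<'EOF'
[mysqld_multi]
mysqld     = /usr/bin/mysqld_safe
mysqladmin = /usr/bin/mysqladmin

[mysqld1]
port       = 3306
datadir    = /var/lib/mysql
pid-file   = /var/lib/mysql/
socket     = /var/lib/mysql/mysql.sock

[mysqld2]
port       = 3307
datadir    = /var/lib/mysql-databases/mysqld2
pid-file   = /var/lib/mysql-databases/mysqld2/mysqld2.pid
socket     = /var/lib/mysql/mysql.sock
EOF
}

# Stand-alone run: lint the constructed sample, or a file given as the first argument.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp); sample_my_cnf > "$tmp"
    mysqld_multi_lint "$tmp" || echo "fix my.cnf before running mysqld_multi start"
    rm -f "$tmp"
elif [ -n "${1:-}" ] && [ -f "$1" ]; then
    mysqld_multi_lint "$1"
fi
```

Run it against /etc/my.cnf before every mysqld_multi start; a shared socket is the mistake that is easiest to make when the second group is created by copying the first, and it is exactly the one that costs you the data directory.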

Pass command line arguments to perl in EPIC

I am getting more and more involved with EPIC these days for editing my Perl programs, as it has lots of killer features; if you use it you will really get addicted to it. I have already discussed the EPIC INTEGRATION WITH ECLIPSE. Three days ago I had a nightmare finding the answer to one question in Eclipse:

Can we pass command line arguments in EPIC?

I searched Google but found nothing relevant. Then, after going through the EPIC documentation on their website, I got a clue, and after some experimenting I found out how. If you face the same problem, follow the steps below to pass command line arguments in EPIC.

Step-1: Open Eclipse, write your program and save it under some name. For me it's

Then go to Run–>Run Configurations as shown in figure 1

Figure-1: Run command tool in EPIC

Step-2: After opening the run configuration you will get a screen like the image below.

Figure-2: EPIC Run tool configuration window

Here my project name is testperl; the file name will vary in your case.

Step-3: Now navigate to the Arguments tab and add your argument as shown in figure-3

Figure-3: Argument passing window in EPIC

In my case I need to pass a file name as the argument, "abc.txt". Keep in mind to provide the arguments under Program arguments only; the other box is for options to the Perl interpreter itself. Now click Apply and then Run.

Step-4: Now you should get your desired output.

Best Practices to secure an OpenSSH/SSH Server

What are you using for remote connections?
For Linux users there are two common protocols for remote login: telnet and SSH.
People still use telnet to connect to remote hosts, but the whole conversation between the local and the remote host, passwords included, is sent in clear text, and anyone who puts a packet sniffer on the path can read it. Hence telnet is not secure.
To avoid this risk we use OpenSSH, the usual implementation of the SSH (Secure Shell) protocol. SSH encrypts the session (with ciphers such as AES; older ones like 3DES and Blowfish are still supported but should not be preferred) and can authenticate users with public/private key pairs instead of passwords. It is only as secure as its configuration, though, which is what the rest of this post is about.
N:B- Take the following precautions for every change described below.

a. Open two terminals, one for the experiment and one as a safety net in case sshd stops accepting logins.

b. Take a backup of the configuration files.

c. After each change, test the configuration before reloading the SSH service. You can test it by executing

                         /usr/sbin/sshd -t

d. If the command reports an error in the configuration file, revert to the original file before reloading; otherwise you may lock yourself out.

When configuring SSH the files we need to edit are

i. /etc/ssh/sshd_config – configuration file for the SSH server side.

ii. /etc/ssh/ssh_config – configuration file for the client side.

iii. ~/.ssh/ – the directory where a user's key pairs and the authorized_keys file live.

iv. /etc/nologin – if this file exists, sshd refuses all logins except root's.

Now we come to our topic, configuring a secure SSH server. To make your server secure you can follow the points below. Before changing anything, always make a backup copy of the config files you wish to edit.
1. Change the default port number

By default sshd listens on port 22. The vast majority of SSH attacks are run by compromised zombie machines against servers listening on the default port, so moving the port cuts the noise in your logs. It is not a security control by itself: a port scan finds the new port in seconds, so the remaining items still apply. To change the port

a. open /etc/ssh/sshd_config file

b. Search for the line containing Port 22

c.  Edit that line as Port 2222  //here 2222 port is my choice you can use yours

d.  Save. On RHEL with SELinux enforcing you must also allow sshd to bind the new port (semanage port -a -t ssh_port_t -p tcp 2222), and your firewall rules must permit it (item 3).

2. Listen on specific IP addresses

ListenAddress controls which of the server's own addresses sshd binds to. If the server has an internal interface and a public one and you only ever log in over the internal network, binding only the internal address keeps sshd unreachable from the outside entirely. It does not filter client addresses; restricting which clients may connect is done with the firewall (item 3), TCP wrappers (item 14) or a Match Address block in sshd_config. To do this

a. open /etc/ssh/sshd_config file

b. Search for the line which says

ListenAddress *

c.  Comment out that line and add one ListenAddress line for each local address sshd should bind to (ListenAddress followed by the address, one line per address).

3. Now update your iptables rules so that only your allowed client addresses can reach the custom port (port 2222 in my case): an INPUT rule accepting TCP to that port from the allowed source addresses, followed by a rule dropping everything else sent to it.

4. You can also use the iptables rate limiting features (the limit or recent match) to throttle new connections to that port, which slows down brute-force attempts.

5.    Limit the users (allow or deny) who can access by username
We have already seen how to limit which IP addresses can reach the SSH server. A system may also have several users, some of whom have no business logging in remotely, so we restrict access by user. To do so follow these steps

a. Open  /etc/ssh/sshd_config file

b. Add the following line to allow only specific users. For example, to allow only the users hari and prit

AllowUsers hari prit

Do not put root in this list: item 6 disables root logins, and listing root here would contradict it.

c.        Also we can allow specific groups. To allow a group called sshaccess add the line

AllowGroups sshaccess

d. Similarly, to deny specific users or groups add deny lines. Ex:- If I want to deny the users navin and amiya and the group kopex I have to add the lines

     DenyUsers navin amiya

     DenyGroups kopex

Keep in mind that as soon as an AllowUsers or AllowGroups line exists, everyone it does not match is denied, and that sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order. How you structure the access control is up to you.

6.    Do not allow root login
Given the power of root we should not allow root to log in over SSH at all. Users log in with their own accounts, and those who need privileges use sudo (limited to specific tasks, see the sudo topic) or su. This also ties every privileged action to a named user in the logs. To disable root login

a. Open /etc/ssh/sshd_config file

b. Uncomment the following line and make sure it says no (the default is yes)

        PermitRootLogin no

7. Disable empty passwords
Never allow remote login to accounts with empty passwords; bots that guess usernames will walk straight in. To do this

a. Open /etc/ssh/sshd_config file

b. Edit the line containing PermitEmptyPasswords so that it reads

        PermitEmptyPasswords no

8. Configure the client alive interval
You can make sshd drop sessions whose client has stopped responding, so that a connection left hanging (for example from a laptop that was closed) does not stay open for ever. To do this

a. Open /etc/ssh/sshd_config file

b. Set these two lines as per your requirement

               ClientAliveInterval 180         //180 is in seconds
               ClientAliveCountMax 0

With these values sshd sends a keepalive after 180 seconds without traffic and disconnects when the client does not answer. Two caveats: an idle but connected client does answer keepalives, so this does not log out a user who simply walked away (use the shell's TMOUT variable for that); and recent OpenSSH releases treat ClientAliveCountMax 0 as disabling the check altogether, so use a small positive number such as 3 there.

9. Disable host-based authentication
Avoid this method: once a host is trusted, any user on it can log in without a password or key of their own, so a compromise of that host becomes a compromise of yours. To disable host-based authentication

a. Open /etc/ssh/sshd_config file

b. Edit the HostbasedAuthentication entry as below

                     HostbasedAuthentication   no

10. Always run a current version of OpenSSH. New versions carry security fixes and features; if you cannot upgrade, apply the vendor's patches (on RHEL, the updated openssh packages) promptly.

11. Use strong SSH passwords and passphrases so that they are not easy to crack. You can check your users' password strength with the John the Ripper tool.

12. Use authentication based on public/private keys only
You can disable passwords altogether and log in with key pairs. Protect the private keys with strong passphrases, so that someone who steals a key still needs the passphrase to use it.

To disable password logins, add the following to sshd_config:
                                                   PasswordAuthentication no

On RHEL also set ChallengeResponseAuthentication no; otherwise PAM can still prompt for the password through keyboard-interactive authentication and the setting above achieves nothing. Test a key-based login from your second terminal before reloading sshd.

13.  Restrict users to their home directories
With a chroot (newer OpenSSH versions support this natively through the ChrootDirectory directive, usually inside a Match block) or tools built on it you can confine users to their home directories, so that they cannot read, move or delete configuration and system files. The chroot target must be owned by root and not writable by the user, or sshd refuses it.

14. Allow/deny using TCP wrappers
sshd is linked against libwrap, so the TCP wrappers mechanism applies: you can allow or deny specific IP addresses or hosts with entries in /etc/hosts.allow and /etc/hosts.deny. For example, to let 192.168.1.8 connect, put at the end of /etc/hosts.allow
               sshd : 192.168.1.8

together with a matching sshd : ALL entry in /etc/hosts.deny, so that every address not listed in hosts.allow is refused.

15. Disable .rhosts files
A .rhosts file lists the remote machines or users that may access a local account with the old rsh and rcp commands, and sshd can honour it for host-based authentication. Make sshd ignore it

a. Open /etc/ssh/sshd_config file

b. Search for the line containing IgnoreRhosts and set it to yes

         IgnoreRhosts  yes

16. Reduce MaxStartups
MaxStartups limits the number of concurrent connections that have not yet authenticated. Keeping it low helps against coordinated attempts from many machines at once, which would otherwise exhaust the server's capacity for new logins. To set it

a. Open /etc/ssh/sshd_config file

b. Search for the line containing MaxStartups and replace it with

MaxStartups 4:10:8

The three numbers are start:rate:full. With 4:10:8 sshd accepts unauthenticated connections freely while there are fewer than 4 of them; from 4 upward it refuses new ones with a probability that starts at 10% and rises linearly until all are refused at 8. Note: increase these on servers where many valid users log in at the same time, or legitimate logins will be dropped too.

17. Hide the OpenSSH version
This applies to every service on the system, not only SSH: no software is free of bugs, and if an attacker learns you run an old version he will look for known vulnerabilities in exactly that version. Hiding the banner, however, requires patching the OpenSSH source and recompiling (Debian's DebianBanner option removes only the distribution suffix), and it alters the version string that clients use to work around incompatibilities. It gives little real protection, since the version can also be deduced from behaviour; running a current, patched version (item 10) is what actually closes those bugs.

18.  Forward X11 only if needed
On RHEL the shipped sshd_config sets X11Forwarding to yes (the upstream default is no). If you do not need it, set it to no, since a forwarded X11 connection lets a compromised server reach the client's display. To disable it

a. Open /etc/ssh/sshd_config file

b. Search for X11Forwarding and edit it as

X11Forwarding   no

For X11 forwarding to work, ForwardX11 or ForwardX11Trusted must also be set to yes in the /etc/ssh/ssh_config client configuration file, so forwarding can likewise be switched off on the client side by setting them to no.

19.  Enable a warning banner
Set a warning banner, in consultation with your legal adviser, that tells anyone connecting that the system is for authorised use only and what action may be taken against misuse; such notices matter if you ever need to prosecute. The Banner directive in sshd_config names a text file whose contents are shown before login. To do this

a. Open /etc/ssh/sshd_config file

b. Search for the line containing Banner and edit it as given below

Banner /etc/issue

Now put your warning in /etc/issue (a separate file such as /etc/issue.net is often used so that the console login banner can differ). Keep the banner free of host names, versions and other details useful to an attacker.

20. Use Logwatch
Make sure LogLevel in sshd_config is INFO (the default) or VERBOSE; VERBOSE additionally logs the fingerprint of the key used for each login, which is useful for tracing who used which key. Do not run with DEBUG in production: it is very noisy and can log sensitive data. Then use logwatch to summarise the SSH logs for you. To set the level

a. Open /etc/ssh/sshd_config file

b. Change the line containing LogLevel to

LogLevel INFO
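Added here as an example, not code from the original post: a POSIX shell audit of an sshd_config against items 5 to 9, 12, 15, 18 and 19 above. It reads the file the way sshd does (the first uncommented occurrence of a directive wins, and directives after a Match line apply only to matched sessions), falls back to the upstream OpenSSH defaults for directives that are absent or commented out, and prints one line per weak setting. The defaults are an assumption about your version; check them against your sshd_config(5).

```shell
#!/bin/sh
# Added example; not part of the original post. Reads an sshd_config the way sshd
# does (first uncommented occurrence of a directive wins, directives after a Match
# block are conditional) and reports settings that contradict the hardening items.
# Defaults assumed here are the stock upstream OpenSSH ones; check them against your version.

# sshd_effective <config> <Directive> <default>: print the global value of a directive.
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        { s = $0; sub(/^[[:space:]]+/, "", s) }
        s == "" || s ~ /^#/ { next }                   # blank and comment lines carry no value
        { sub(/=/, " ", s); n = split(s, f, /[[:space:]]+/); k = tolower(f[1]) }
        k == "match" { exit }                          # conditional block: the global part is over
        k == key { v = f[2]; for (i = 3; i <= n; i++) v = v " " f[i]; print v; exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# sshd_audit <config>: print one WEAK line per finding; exit status 1 if there are any.
sshd_audit() {
    cfg=$1; bad=0
    # directive|assumed default|wanted value ("!x" means anything but x)|why
    while IFS='|' read -r directive default want why; do
        got=$(sshd_effective "$cfg" "$directive" "$default")
        gotlc=$(printf '%s' "$got" | tr 'A-Z' 'a-z')
        case "$want" in
            "!"*) [ "$gotlc" != "${want#!}" ] && continue ;;
            *)    [ "$gotlc" = "$want" ] && continue ;;
        esac
        printf 'WEAK %s=%s (want %s): %s\n' "$directive" "$got" "$want" "$why"
        bad=1
    done <<EOF
PermitRootLogin|yes|no|log in as a normal user and use sudo or su instead
PasswordAuthentication|yes|no|accept key pairs only
ChallengeResponseAuthentication|yes|no|otherwise PAM can still prompt for a password
PermitEmptyPasswords|no|no|never accept accounts without a password
HostbasedAuthentication|no|no|trusting a host bypasses user authentication
IgnoreRhosts|yes|yes|ignore ~/.rhosts and ~/.shosts
X11Forwarding|no|no|forward X11 only where it is needed
ClientAliveInterval|0|!0|drop sessions whose client stopped responding
Banner|none|!none|show the legal warning banner before login
EOF
    # An AllowUsers list that names root defeats PermitRootLogin no.
    allow=$(sshd_effective "$cfg" AllowUsers "")
    case " $allow " in
        *" root "*) printf 'WEAK AllowUsers=%s: do not list root\n' "$allow"; bad=1 ;;
    esac
    return $bad
}

# Stand-alone run: audit the file given on the command line, e.g. /etc/ssh/sshd_config.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    sshd_audit "$1"
fi
```

Two details are worth noticing when you run it on a real file. A stock RHEL sshd_config has most of these directives commented out, and a commented line is not a setting: the audit reports the default that then applies. And a second, later PermitRootLogin yes does not override an earlier no, which is why the check takes the first occurrence rather than the last; sshd -T prints the effective values if you want to compare.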

What else can you do?

–Install a tool such as fail2ban or DenyHosts that blocks an address after repeated failed logins, to protect the server from brute-force attacks.

–Patch your operating system.

–Remove unnecessary packages / software.

–Harden the kernel against SYN floods and basic DoS attacks (SYN cookies and the related sysctl settings).

–Remove ordinary users' access to compilers and download tools (wget, fetch, lynx, etc.).

–Ensure /tmp is on its own partition mounted with noexec and nosuid.

–Ensure the kernel and software are up to date.

–Remove unnecessary users and groups.

–Install chkrootkit and Tripwire (or AIDE) for rootkit and file integrity checking.