iptables limit configuration: preventing denial of service attacks on Linux (match extension limit)

When we run a web server it should have some basic protection against the possibility that a “good” person (with all the sarcasm intended) decides to point JMeter (excellent software, designed for load tests) at it with the idea of saturating our server.

These are things that really happen; it is not paranoia.

One way to mitigate these attacks is with iptables (I have a more general post on iptables); a configuration example would be:


Configuring iptables firewall RedHat/CentOS 6 from command line

iptables is the kernel-level firewall (netfilter) included in Linux distributions; it is very powerful (once its operation is understood), very useful and flexible. This post was written on CentOS 6 (a clone of RedHat), but almost all of it should apply to any distribution.

The basic operation of iptables is the following:

  1. There are chains of rules. In the filter table there are basically three: INPUT, OUTPUT and FORWARD.
  2. The rules within a chain are evaluated in order, and evaluation stops at the first rule that matches and accepts, rejects or drops the packet. This is where the multitude of filtering options comes in.
  3. When a rule matches, the packet is handed to a TARGET: it can be accepted (ACCEPT), rejected (REJECT), dropped (DROP), written to a log (LOG) and much more (see TARGET EXTENSIONS in man iptables).

We can list the current rules:

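As an added example covering both iptables posts above (it is not code from the original page), the following script builds a complete ruleset in iptables-restore(8) format: a default-deny INPUT chain that shows the chain/target model, plus a user chain that rate-limits new HTTP connections with the limit match. The chain name HTTP_LIMIT, the ports, the rate and the burst are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original posts: default-deny INPUT policy
# plus a user chain that rate-limits new HTTP connections with "-m limit".
# Chain name, ports, rate and burst below are assumptions.
set -e

# Print the ruleset. Within a chain, rules are evaluated top to bottom and the
# first terminating match decides, so the order of the lines below matters.
build_ruleset() {
    http_port=${1:-80} rate=${2:-25/second} burst=${3:-100}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:HTTP_LIMIT - [0:0]
# Loopback, and packets belonging to connections conntrack already knows.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Administrative access.
-A INPUT -p tcp --dport 22 --syn -j ACCEPT
# New HTTP connections (SYN) go through the limiting chain before being accepted.
-A INPUT -p tcp --dport $http_port --syn -j HTTP_LIMIT
-A INPUT -p tcp --dport $http_port -j ACCEPT
# HTTP_LIMIT: while tokens remain, RETURN to INPUT (the next rule accepts);
# once the bucket is exhausted, log at most once a minute and drop.
-A HTTP_LIMIT -m limit --limit $rate --limit-burst $burst -j RETURN
-A HTTP_LIMIT -m limit --limit 1/minute -j LOG --log-prefix "HTTP_LIMIT drop: "
-A HTTP_LIMIT -j DROP
# Anything else is rejected explicitly instead of relying on the chain policy.
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Number of rules appended to a chain; a cheap sanity check before loading.
rules_in_chain() {
    build_ruleset | grep -c "^-A $1 "
}

# With APPLY=1 the ruleset is loaded atomically by iptables-restore (the whole
# filter table is replaced at once, so there is no moment with half a ruleset
# in place, unlike a sequence of iptables -A calls); otherwise it is printed.
if [ -n "$APPLY" ]; then
    build_ruleset "$@" | iptables-restore
else
    build_ruleset "$@"
fi
```

Two caveats a practitioner should keep in mind: the limit match is one global token bucket, so a single aggressive client exhausts it for everyone (per-source limiting needs -m hashlimit with --hashlimit-mode srcip), and the LOG rule is itself throttled so the attack cannot fill the disk with log lines.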

Linux LVM howto: creation, extension and reduction of volumes

I will show how to create, extend and reduce LVM volumes; all these actions were performed with RedHat 6 LVM directly from the console. It goes without saying, but make a backup of the original disks before starting: reducing a volume in the wrong order destroys data.

The first thing is to understand the structure LVM uses; it works with three types of elements:

  • Volume groups: all related commands begin with vg*. A volume group can contain one or more logical volumes, and it is composed of physical volumes.
  • Logical volumes: all related commands begin with lv*. A logical volume resides within a volume group.
  • Physical volumes: all related commands start with pv*. A volume group is composed of one or more physical volumes.

There are a number of commands to manage LVM volumes:

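As an added example (not code from the original post), the three operations the post covers, wrapped in shell functions so that the order of the dangerous steps is fixed in code rather than remembered. Device names, the volume group and logical volume names, and the sizes are assumptions; with DRY_RUN set (the default here) the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example, not code from the original post: create, extend and reduce an
# LVM volume with an ext4 filesystem. Names and sizes are assumptions.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN= (empty) runs them as root.
set -e
DRY_RUN=${DRY_RUN-1}

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Create: physical volumes -> volume group -> logical volume -> filesystem.
# Usage: lvm_create VG LV SIZE PV...
lvm_create() {
    vg=$1 lv=$2 size=$3; shift 3
    for pv in "$@"; do run pvcreate "$pv"; done
    run vgcreate "$vg" "$@"
    run lvcreate -L "$size" -n "$lv" "$vg"
    run mkfs.ext4 "/dev/$vg/$lv"
}

# Extend: grow the LV first, then grow the filesystem into the new space
# (ext4 can be grown while mounted).
# Usage: lvm_extend VG LV EXTRA_SIZE
lvm_extend() {
    run lvextend -L "+$3" "/dev/$1/$2"
    run resize2fs "/dev/$1/$2"
}

# Reduce: the filesystem MUST be shrunk before the LV, after a forced fsck.
# Doing lvreduce first cuts off the tail of the filesystem and loses data.
# Usage: lvm_reduce VG LV NEW_SIZE   (the LV is unmounted for this)
lvm_reduce() {
    run umount "/dev/$1/$2"
    run e2fsck -f "/dev/$1/$2"
    run resize2fs "/dev/$1/$2" "$3"
    run lvreduce -L "$3" "/dev/$1/$2"
    run e2fsck -f "/dev/$1/$2"
}
```

Recent LVM versions also accept lvextend -r / lvreduce -r, which call resize2fs in the correct order for you; the explicit sequence above is what that flag does internally, and is what you type on a RedHat 6 box. Note that lvreduce asks for confirmation interactively unless -f is given, which is a useful last stop when running this for real.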

Install Linux from USB: preparing a USB drive to start a network installation (Red Hat or Fedora)

More and more often we need to install an OS (Red Hat or Fedora) on a physical server without a DVD drive.

In these cases, from the DVD ISO we can prepare a USB flash drive that boots the installer and performs a network installation.

The steps are:

  1. Mount the ISO:
    mount -o loop DVD.iso /mnt
  2. Assuming the pendrive appears as /dev/sdd, copy the image (beware: this erases everything on the drive, so check the device name with dmesg or lsblk first):
    dd if=/mnt/images/efidisk.img of=/dev/sdd
  3. Unmount the ISO:
    umount /mnt

We have the pendrive ready to start.
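The three steps as one script, added here as an example (it is not code from the original post), with the check a practitioner wants before dd runs: the target must be a whole removable block device with nothing mounted from it, so a typo cannot overwrite a system disk. The ISO and device paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: write the EFI boot image from
# a Red Hat / Fedora DVD ISO to a USB stick, refusing unsafe targets.
# Usage: sh write_usb.sh DVD.iso /dev/sdd   (paths are assumptions)
set -e

# Return 0 only if $1 is a whole-disk block device flagged as removable by the
# kernel and none of its partitions appear in /proc/mounts.
usb_target_ok() {
    dev=$1 name=${1#/dev/}
    [ -b "$dev" ] || { echo "$dev: not a block device" >&2; return 1; }
    [ -e "/sys/block/$name/removable" ] || { echo "$dev: not a whole disk" >&2; return 1; }
    [ "$(cat "/sys/block/$name/removable")" = 1 ] || { echo "$dev: not removable" >&2; return 1; }
    if grep -q "^$dev" /proc/mounts; then
        echo "$dev: has mounted partitions" >&2; return 1
    fi
}

# Mount the ISO on a private mount point, copy images/efidisk.img raw to the
# device, sync before returning, and clean up.
write_usb() {
    iso=$1 dev=$2
    usb_target_ok "$dev"
    mnt=$(mktemp -d)
    mount -o loop "$iso" "$mnt"
    dd if="$mnt/images/efidisk.img" of="$dev" bs=4M conv=fsync
    umount "$mnt"
    rmdir "$mnt"
}

if [ $# -eq 2 ]; then
    write_usb "$1" "$2"
fi
```

The removable flag comes from the kernel (/sys/block/sdX/removable), so an internal SATA disk or the root disk fails the check even if it happens to be named /dev/sdd on a given boot.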

Install Linux in text mode: forcing a text-mode installation (RedHat / CentOS)

In some cases it is useful to do the whole installation in text mode. Sometimes I have found it impossible to work with the mouse (the pointer seems to have a life of its own) while setting up a machine in a blade through its remote console (I do not know whether it is the browser configuration or the blade...).

In any case, in these situations it is better to install in text mode and be done with it. This can be forced on the first welcome screen of the installer: highlight “Install or upgrade an existing system”, press Tab, and the following boot line appears:

vmlinuz initrd=initrd.img

Then we add at the end:

vmlinuz initrd=initrd.img text

Press Enter and the installation starts in text mode.

Automatically start an Oracle database on Linux RedHat

A small init script to automatically start an Oracle DB:

#!/bin/bash
# chkconfig: 2345 80 20
# description: Oracle Database
#
# Starts the listener and the database as the "oracle" user. The commands run
# in a login shell (su -), so ORACLE_HOME, ORACLE_SID and PATH must be set in
# that user's profile.

start() {
    su - oracle <<EOF
lsnrctl start
sqlplus / as sysdba <<EOO
startup
EOO
EOF
}

stop() {
    su - oracle <<EOF
sqlplus / as sysdba <<EOO
shutdown immediate
EOO
lsnrctl stop
EOF
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart}"
        exit 2
        ;;
esac

The database is started as the “oracle” user, so that user must have all the environment variables (ORACLE_HOME, ORACLE_SID, PATH) correctly configured in its profile.

You can install this script with chkconfig, because the header is prepared for it: copy it to /etc/init.d/, make it executable and run chkconfig --add on it.