
Archive for the ‘Linux’ Category

Running a basic BIND DNS Server

May 29, 2012

Install BIND in a chroot environment.

yum install bind bind-chroot bind-libs bind-utils caching-nameserver -y

====
====

[root@hostname etc]# cat named.conf
options
{
                directory "/etc"; // we are in a chroot environment
};

//zone listings

zone "localhost" {
    type master;
    file "/etc/zones/pri/localhost.zone";
};

zone "movement3.info" {
    type master;
    file "/etc/zones/pri/movement3.info";
};

====
====
[root@hostname etc]# cat zones/pri/movement3.info
$TTL 1H

@ IN SOA dns1.movement3.info. root (
        2012052201      ; serial – YYYYMMDDxx
        1H              ; refresh
        30M             ; retry
        4W              ; expire
        1H )            ; negative TTL
        NS      dns1.movement3.info.
        NS      dns2.movement3.info.

                A       1.1.1.1
dns1            A       2.2.2.2
dns2            A       3.3.3.3
www             A       4.4.4.4
test    600     A       4.2.2.2
test1   600     A       1.1.1.1

service named restart|start|stop
chkconfig --level 2345 named on

vim /etc/sysconfig/iptables
(both TCP and UDP must be allowed for DNS to work)
service iptables restart

The slave DNS server will check with the master DNS every 1 hour (refresh value). If the slave DNS can’t reach
the master, it will try every 30 mins (retry value) for 4 weeks (expire value). After 4 weeks, it will expire
the zone data and stop answering requests for the zone.

Negative TTL: how long a DNS server will cache a negative answer, that is, a lookup for a name that has no DNS entry.
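As an added example (not part of the original post), here is a small Python script that parses the SOA record of a zone file like the one above and checks the things the paragraph describes: that retry is shorter than refresh, that expire outlives at least one refresh+retry cycle, that the serial really is in YYYYMMDDxx form, and that every in-zone NS name has an A record. ZONE_TEXT is a constructed copy of the movement3.info zone above, embedded so the script runs offline.

```python
"""Sanity-check SOA timers and NS glue in a BIND zone file.

Added example (not code from the original post). ZONE_TEXT is a constructed
copy of the movement3.info zone shown above, so the script runs offline."""
import re
from datetime import datetime

ZONE_TEXT = """\
$TTL 1H

@ IN SOA dns1.movement3.info. root (
        2012052201      ; serial - YYYYMMDDxx
        1H              ; refresh
        30M             ; retry
        4W              ; expire
        1H )            ; negative TTL
        NS      dns1.movement3.info.
        NS      dns2.movement3.info.

                A       1.1.1.1
dns1            A       2.2.2.2
dns2            A       3.3.3.3
www             A       4.4.4.4
test    600     A       4.2.2.2
"""

UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


def ttl_seconds(value):
    """Convert a BIND time value (1H, 30M, 4W, or bare seconds) into seconds."""
    return sum(int(n) * UNITS.get(u, 1)
               for n, u in re.findall(r"(\d+)([SMHDW]?)", value.upper()))


def strip_comments(text):
    """Drop everything after ';' on each line (BIND's comment character)."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def parse_soa(text):
    """Return the SOA primary name plus the five timer fields as a dict."""
    m = re.search(r"SOA\s+(\S+)\s+\S+\s*\(([^)]*)\)", strip_comments(text))
    if not m:
        raise ValueError("no SOA record found")
    fields = m.group(2).split()
    if len(fields) != 5:
        raise ValueError("SOA needs serial, refresh, retry, expire, minimum")
    serial, refresh, retry, expire, minimum = fields
    return {"mname": m.group(1), "serial": serial,
            "refresh": ttl_seconds(refresh), "retry": ttl_seconds(retry),
            "expire": ttl_seconds(expire), "minimum": ttl_seconds(minimum)}


def parse_records(text):
    """Collect NS targets and the owner labels that carry A records."""
    ns_hosts, a_owners = [], set()
    for line in strip_comments(text).splitlines():
        tokens = line.split()
        if "NS" in tokens:
            ns_hosts.append(tokens[-1])
        elif "A" in tokens:
            # a record with no owner inherits the previous one (the apex here)
            a_owners.add("@" if tokens.index("A") == 0 else tokens[0])
    return ns_hosts, a_owners


def check_zone(text, origin):
    """Return a list of findings; an empty list means the zone looks sane."""
    soa = parse_soa(text)
    ns_hosts, a_owners = parse_records(text)
    findings = []
    s = soa["serial"]
    try:
        datetime.strptime(s[:8], "%Y%m%d")      # date part must be a real date
        date_serial = len(s) == 10 and int(s) < 2 ** 32
    except ValueError:
        date_serial = False
    if not date_serial:
        findings.append("serial %s is not in YYYYMMDDxx form" % s)
    if soa["retry"] >= soa["refresh"]:
        findings.append("retry is not shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        findings.append("expire is too short for even one refresh+retry cycle")
    if soa["minimum"] > 86400:
        findings.append("negative TTL above one day delays fixes for typos")
    suffix = "." + origin + "."
    for host in ns_hosts:
        # only names inside this zone need glue; out-of-zone NS names do not
        label = host[:-len(suffix)] if host.endswith(suffix) else None
        if label is not None and label not in a_owners:
            findings.append("in-zone NS %s has no A record (missing glue)" % host)
    return findings


if __name__ == "__main__":
    for line in check_zone(ZONE_TEXT, "movement3.info") or ["zone looks sane"]:
        print(line)
```

Run it against a real zone by replacing ZONE_TEXT with the contents of /etc/zones/pri/movement3.info; the zone above passes every check, and the script reports the problem when retry is set longer than refresh, when the serial is not date based, or when a dns2 NS is listed without an A record.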

http://linuxgravity.com/configuring-bind9-domain-name-server-on-centos-or-red-hat
http://www.howtoforge.com/creating-your-own-webserver-with-bind-and-apache-centos5
http://www.sorbs.net/faq/dns_primer.shtml

Categories: Linux

Converting Putty SSH keys to SecureCRT keys

April 30, 2012

Use these steps if you have SSH keys that were created with PuttyGen and you now wish to use them in SecureCRT. 

1. Open PuttyGen and load your private key
2. Select Conversions and export the key to OpenSSH format
3. Export your private key and name it identity
4. Click on Save public key and name it identity.pub
5. Both files should be in the same folder

SecureCRT
1. Under the “Authentication” section, check “PublicKey” and uncheck the other options
2. Click “Properties”
3. Choose “Use Global public key setting”
4. Under “Use identity or certificate file”, choose your identity.pub.

Categories: Linux, Networking

OpenSSL commands and CentOS

May 13, 2010

Commands to enter if you are requesting an SSL cert and then purchasing it from a valid CA.

http://www.rapidssl.com/ssl-certificate-support/generate-csr/apache_mod_ssl.htm

Generate the private key
openssl genrsa -out domainname.key 1024

Create a CSR with the RSA private key (output will be PEM format)
openssl req -new -key domainname.key -out domainname.csr

Open the CSR file and paste the content in the SSL cert company’s order page.

Generate a self-signed certificate
(The SSL company would normally do this part)
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

When you receive the web server certificate, you can paste the cert into notepad and save it as domainname.crt.

You can verify the CSR or private key contents
openssl req -noout -text -in domainname.csr
openssl rsa -noout -text -in domainname.key

Extension   Description                                                     PEM header line
key         Private key                                                     -----BEGIN RSA PRIVATE KEY-----
csr, req    Certificate signing request; the file you send to the CA        -----BEGIN NEW CERTIFICATE REQUEST-----
crt, cer    Certificate from the CA (e.g. FreeSSL); the file you receive    -----BEGIN CERTIFICATE-----

Converting a .pfx file for an Apache web server

In Windows use the MMC tool and certificates snap-in to export the pfx file. See the below link for full steps.

http://www.digicert.com/ssl-support/pfx-import-export-iis-7.htm

Private key
openssl pkcs12 -in exported-2010-04-08.pfx -nocerts -out exchange.key
openssl rsa -in exchange.key -out exchange1.key

Certificate (public key)
openssl pkcs12 -in exported-2010-04-08.pfx -nokeys -out exchange.crt

http://www.digicert.com/ssl-support/apache-ssl-export.htm

openssl pkcs12 -in exported-2010-04-08.pfx -nocerts -out exchange.key
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Create a private key without an import/export password
openssl rsa -in exchange.key -out exchange1.key
Enter pass phrase for exchange.key:
writing RSA key

Extract the certificate (public key)
openssl pkcs12 -in exported-2010-04-08.pfx -nokeys -out exchange.crt
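Added example, not from the original post: the table earlier in this post identifies a file by its -----BEGIN line, and the openssl rsa step above writes a key file that no longer has a pass phrase. The Python script below does both checks on a PEM file: it lists each block’s type and flags private keys stored in the clear (an RSA key without a Proc-Type: 4,ENCRYPTED header, or a PKCS#8 key not labelled ENCRYPTED). The sample blocks are constructed filler with DER-looking bodies, not real keys, so the script runs offline; the _fake_block helper exists only to build that sample.

```python
"""Inspect a PEM file: report each block's type and flag private keys that
are stored without a pass phrase.

Added example, not from the original post. SAMPLE is constructed: the base64
bodies are filler bytes that merely start with an ASN.1 SEQUENCE tag, not
real keys or certificates."""
import base64
import re

# Labels from the table in the post, plus the PKCS#8 forms openssl also emits.
PEM_TYPES = {
    "RSA PRIVATE KEY": "private key (.key)",
    "PRIVATE KEY": "private key (.key, PKCS#8)",
    "ENCRYPTED PRIVATE KEY": "private key (.key, PKCS#8, encrypted)",
    "CERTIFICATE REQUEST": "CSR (.csr) - the file you send to the CA",
    "NEW CERTIFICATE REQUEST": "CSR (.csr) - the file you send to the CA",
    "CERTIFICATE": "certificate (.crt/.cer) - the file you get from the CA",
}

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def _fake_block(label, extra_headers=""):
    """Build a constructed PEM block for the sample (filler body, not a key)."""
    body = base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 28).decode()
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (
        label, extra_headers, body, label)


SAMPLE = (
    # what openssl pkcs12 -nocerts writes: key protected by a PEM pass phrase
    _fake_block("RSA PRIVATE KEY",
                "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n")
    # what openssl rsa -in ... -out ... writes: the same key, pass phrase removed
    + _fake_block("RSA PRIVATE KEY")
    + _fake_block("NEW CERTIFICATE REQUEST")
    + _fake_block("CERTIFICATE")
)


def parse_pem(text):
    """Yield (label, headers, der) per block; der is None if base64 is invalid."""
    for m in BLOCK_RE.finditer(text):
        label, headers, b64 = m.group(1), {}, []
        for line in m.group(2).splitlines():
            if ":" in line and not b64:          # RFC 1421 header, e.g. Proc-Type
                key, val = line.split(":", 1)
                headers[key.strip()] = val.strip()
            elif line.strip():
                b64.append(line.strip())
        try:
            der = base64.b64decode("".join(b64), validate=True)
        except ValueError:                       # binascii.Error is a ValueError
            der = None
        yield label, headers, der


def inspect_pem(text):
    """Return one dict per block with its type and an 'issue' where one exists."""
    results = []
    for label, headers, der in parse_pem(text):
        issue = None
        if der is None:
            issue = "body is not valid base64"
        elif der[:1] != b"\x30":
            issue = "body does not start with an ASN.1 SEQUENCE"
        elif "PRIVATE KEY" in label:
            encrypted = (label.startswith("ENCRYPTED")
                         or headers.get("Proc-Type") == "4,ENCRYPTED")
            if not encrypted:
                issue = "private key has no passphrase; keep it mode 0600 and off shared storage"
        results.append({"label": label, "type": PEM_TYPES.get(label, label),
                        "der_bytes": len(der or b""), "issue": issue})
    return results


if __name__ == "__main__":
    for r in inspect_pem(SAMPLE):
        print("%-45s %5d bytes  %s" % (r["type"], r["der_bytes"], r["issue"] or "ok"))
```

Point it at a real file with inspect_pem(open("exchange1.key").read()): the key that openssl rsa wrote without a pass phrase is the one Apache can load unattended, which is exactly why it is reported, so that its file permissions get checked.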

Categories: Linux

Configuring iptables firewall on CentOS

May 12, 2010

Configuring iptables firewall:
vim /etc/sysconfig/iptables
service iptables restart
iptables -vnL --line-numbers

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

##Added by me on 04/24/2010 for Apache port 443
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
##

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

The line before the COMMIT rejects all other packets.
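As an added example (not from the original post), the Python script below reads a rule file in this format, follows the INPUT jump into RH-Firewall-1-INPUT, lists which protocols and ports are let in, checks that the path ends with an unconditional REJECT or DROP (the line before COMMIT here), and reports any rule placed after that catch-all, which would never run. RULES is a constructed copy of the file above and ALLOWED is a constructed allow list for this host.

```python
"""Audit an iptables-save style file (the format /etc/sysconfig/iptables uses):
list the ports the INPUT path accepts, confirm it ends in a catch-all
REJECT/DROP, and flag rules that sit after that catch-all and never run.

Added example, not code from the original post. RULES is a constructed copy
of the rule file shown above and ALLOWED a constructed allow list."""

RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# What this host is meant to expose (constructed): ssh, https, ping and the
# IPsec protocols (50 = ESP, 51 = AH). Anything else accepted is a finding.
ALLOWED = {("tcp", "22"), ("tcp", "443"), ("icmp", None), ("50", None), ("51", None)}

# Options that make a rule conditional; a rule with none of them matches everything.
MATCH_OPTS = {"-p", "-m", "-i", "-o", "-s", "-d", "--dport", "--sport",
              "--state", "--icmp-type"}
REFUSE = ("REJECT", "DROP")


def parse_rules(text):
    """Return (chains, policies): chains maps a chain to its -A rules in order,
    each a dict of proto/dport/target plus whether it carries any match option;
    policies maps each chain to the default policy from its ':' line."""
    chains, policies = {}, {}
    for line in text.splitlines():
        tokens = line.split()
        if line.startswith(":") and len(tokens) >= 2:
            policies[tokens[0][1:]] = tokens[1]
            chains.setdefault(tokens[0][1:], [])
        elif line.startswith("-A "):
            rule = {"raw": line, "proto": None, "dport": None, "target": None,
                    "matches": any(t in MATCH_OPTS for t in tokens)}
            for i, tok in enumerate(tokens[:-1]):
                if tok == "-p":
                    rule["proto"] = tokens[i + 1]
                elif tok == "--dport":
                    rule["dport"] = tokens[i + 1]
                elif tok == "-j":
                    rule["target"] = tokens[i + 1]
            chains.setdefault(tokens[1], []).append(rule)
    return chains, policies


def open_ports(chains, chain="INPUT"):
    """List (proto, dport) for every reachable ACCEPT, following chain jumps."""
    accepted = []
    for rule in chains.get(chain, []):
        if not rule["matches"] and rule["target"] in REFUSE:
            break                                   # nothing after this runs
        if rule["target"] in chains:
            accepted.extend(open_ports(chains, rule["target"]))
        elif rule["target"] == "ACCEPT" and rule["proto"]:
            accepted.append((rule["proto"], rule["dport"]))
    return accepted


def has_catch_all(chains, policies, chain="INPUT"):
    """True if traffic not accepted earlier is guaranteed to be refused."""
    if policies.get(chain) == "DROP":
        return True
    for rule in chains.get(chain, []):
        if rule["matches"]:
            continue                                # conditional, may not fire
        if rule["target"] in REFUSE:
            return True
        if rule["target"] in chains and has_catch_all(chains, policies, rule["target"]):
            return True
    return False


def audit(text, allowed):
    """Return findings: unexpected open ports, a missing catch-all, dead rules."""
    chains, policies = parse_rules(text)
    findings = []
    for proto, port in open_ports(chains):
        if (proto, port) not in allowed:
            findings.append("%s/%s accepted but not on the allow list" % (proto, port or "any"))
    if not has_catch_all(chains, policies):
        findings.append("no catch-all REJECT/DROP: unlisted ports fall through to INPUT policy %s"
                        % policies.get("INPUT"))
    for rules in chains.values():
        dead = False
        for rule in rules:
            if dead:
                findings.append("unreachable rule after catch-all: " + rule["raw"])
            elif not rule["matches"] and rule["target"] in REFUSE + ("ACCEPT",):
                dead = True
    return findings


if __name__ == "__main__":
    for line in audit(RULES, ALLOWED) or ["rules match the allow list"]:
        print(line)
```

On the file above the script confirms the catch-all is in place and reports udp/5353, udp/631 and tcp/631 (mDNS and CUPS, left in by system-config-securitylevel) as accepted but not on the allow list, which is the kind of leftover worth trimming on a server that only needs SSH and HTTPS.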

Categories: Linux

Installing CentOS on Hyper-V

April 8, 2010

Rather than downloading all 7 ISO files, you can do a minimal install that uses only the first ISO file. During the install, unselect all the package categories, including “Base”.

When you configure the VM in Hyper-V, select the legacy network adapter. Once the Microsoft Linux Hyper-V drivers are installed, the legacy adapter can be removed and the regular network adapter used instead.

Minimal install
http://www.montanalinux.org/centos5-debian-style.html

Installing the Linux Hyper-V drivers
http://www.hyper-v-mart.com/Howto/Install_CentOS_5_VM_Step_by_Step.aspx

Search Google for Linux Integration Components for Windows Server 2008 Hyper-V R2 for the latest download link

yum search package name
yum groupinstall “Development Tools”
yum install kernel-devel
yum update
reboot

Mount the Linux_IC ISO

mkdir -p /mnt/cdrom
mount /dev/cdrom /mnt/cdrom
cp -rp /mnt/cdrom /opt/linux_ic
umount /mnt/cdrom

cd /opt/linux_ic
./setup.pl drivers

Use lsmod to check that the drivers installed correctly; you should see something like this:
lsmod | grep vsc
storvsc                67208  0
netvsc                 74088  0
vmbus                  86504  2 storvsc,netvsc
scsi_mod              196697  4 storvsc,scsi_dh,libata,sd_mod

Turn off the machine and remove the legacy network adapter and add a network adapter.

cd /etc/sysconfig/network-scripts/
vi ifcfg-seth0

# [Name of manufacturer and model of network adapter]
DEVICE=seth0
BOOTPROTO=none
BROADCAST=192.168.1.255
HWADDR=00:xx:xx:xx:xx:xx
IPADDR=192.168.1.24
IPV6INIT=no
IPV6_AUTOCONF=yes
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
GATEWAY=192.168.1.1
TYPE=Ethernet
PEERDNS=yes
USERCTL=no

/etc/init.d/network restart
Or
service network restart
Or
ifdown seth0; ifup seth0

chkconfig --level 0123456 kudzu off
chkconfig --level 0123456 ip6tables off

Add regular users:
useradd username
passwd username

Installing other software
yum install vim-enhanced.x86_64
yum install telnet.x86_64

To install Apache with SSL support:
yum install mod_ssl

Categories: Linux

Knoppix and chntpw

March 3, 2010

I haven’t really played with Knoppix in a while, until last night when I had to fix a laptop with a forgotten admin password. Type knoppix to boot; I was just pressing Enter and got the text-to-speech version, which was much slower. Anyhow, here are the chntpw commands, since they have changed a little from what is in Knoppix Hacks.

apt-get install chntpw
I didn’t have to mount the Windows partition; Knoppix had automagically done that for me already, at /media/sda2.

cd /media/sda2/Windows/System32/Config
chntpw SAM (to change the administrator password, select the option to leave it blank)
chntpw -u username SAM

Categories: Linux

ASUS P5BV-C BIOS to console

February 21, 2010

My home server, an ASUS P5BV-C motherboard (Google E3351_P5BV-C_Series.pdf for the manual), can output its BIOS to a serial console. This is a pretty handy feature; I would think that if I had a Linux box with just a command line installed, I could console into it. I didn’t try…

I had to use a regular Cisco console cable and an Ethernet-to-DB9 adapter.

Remote Access [Disabled]

Enables or disables the remote access feature.
Configuration options: [Disabled] [Enabled]

The following items appear only when the Remote Access item is set to [Enabled].

Serial port number [COM1] Allows you to select a serial port for console redirection. Configuration options: [COM1] [COM2]

Serial Port Mode [115200 8,n,1] Allows you to select a serial port mode. Configuration options: [115200 8,n,1] [57600 8,n,1] [38400 8,n,1] [19200 8,n,1] [09600 8,n,1]

Flow Control [None] Allows you to set the flow control for console redirection. Configuration options: [None] [Hardware] [Software]

Redirection After BIOS POST [Always] Sets the redirection mode after the BIOS Power-On Self-Test (POST). Some operating systems may not work when this item is set to Always. Configuration options: [Disabled] [Boot Loader] [Always]

Terminal Type [ANSI] Allows you to select the target terminal type. Configuration options: [ANSI] [VT100] [VT-UTF8]

VT-UTF8 Combo Key Support [Enabled] Allows you to enable or disable VT-UTF8 Combination Key Support for ANSI/ VT100 terminals. Configuration options: [Enabled] [Disabled]

Categories: Linux

RDP over SSH

June 1, 2009


SSH tunneling rocks my socks. Just create a new profile in Putty. Go to SSH > Tunnels, source port 3391, etc. In the Destination box, type 10.3.3.5:3389 or whatever your internal IP address is. Once the SSH connection is established, run mstsc and for the hostname type localhost:3391. Putty is listening locally on port 3391; it then tunnels everything on port 3391 over SSH and delivers it to port 3389. You can tunnel pretty much any traffic over SSH. Pretty cool.

Updated: 02/16/2010

Don’t use port 3390. It appears the new RDP client has issues when the local port is 3390. I changed it to 3391 and it worked.

http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/198fbb2b-9460-4509-bbcb-6d8d5eea8cfd

Categories: Linux

Moving virtual machines in Hyper-V

We don’t have a license for SCVMM, so when we move a VM to another host we have to perform these steps:
Delete all the snapshots and allow Hyper-V to merge everything back into the VHD file (about 30 mins). Then copy the VHD file to the new host (the time depends on the size of the VHD file; about 30 mins for a 25 GB file). Create the new VM on the new host with the same settings.

After moving the Linux box it detected the network card as eth1 and not eth0. These are the commands to fix the network interface in Gentoo.

ifconfig -a
vim /etc/conf.d/net
cp /etc/init.d/net.eth0 /etc/init.d/net.eth1
/etc/init.d/net.eth1 start
rc-update -d net.eth0
rc-update add net.eth1 default

Categories: Linux, Windows

/var/lib/mysql

November 5, 2008

The other day, my Linux box’s hard drive filled up. I searched around and saw the /var/lib/mysql directory taking up all the space.

http://forums.theplanet.com/lofiversion/index.php/t86359.html


You can remove them. They are MySQL binary log files and are only really useful if you do replication.

Edit /etc/my.cnf and comment out these two lines:

# log-bin
# server-id=1

Save, close, and stop MySQL.

Remove the bin files in /var/lib/mysql, then restart MySQL.

Categories: Linux