Cron restart apache2

As others pointed out, I would also suggest to find out the root cause.
However if you need to add a cronjob, use below

Code:

*/15 * * * * /root/restart_apache > /dev/null 2>&1

Add the entries below to the file /root/restart_apache and chmod it to 755

Code:

#!/bin/bash
/etc/init.d/httpd restart

Note: Use command 'crontab -e' to edit the crontab.

Add logrotate to unbound nameserver

You can add logrotate to your unbound nameserver. Just create a file named unbound and place it in /etc/logrotate.d.

File contents below:

/var/log/unbound.log {
rotate 12
weekly
compress
missingok
notifempty
postrotate
/etc/init.d/unbound restart
endscript
}

http://broceblog.wordpress.com/2012/09/

Apa itu Bug

Setiap program yang di buat pasti di temukan BUG,
Apa itu Bug dalam program ?
Bug adalah Cela kerusakan pada program itu sendiri yang dapat menyebabkan program itu menjadi error,tidak berjalan semestinya/ada cacat pada program tersebut

Solusi bagi kita sebagai newbie adalah melihat informasi bug pada website resmi pembuat program tersebut dan mengupdate program-program yang kita install pada server kita. Untuk menghindari BUG tersebut.

E: Sub-process /usr/bin/dpkg returned an error code (1)

Example you want to install ntp package

apt-get install ntp

Show error like this :

E: Sub-process /usr/bin/dpkg returned an error code (1)

Solution :

mv /var/lib/dpkg/info/ntp.* /tmp/
dpkg --remove --force-remove-reinstreq ntp

Repo Kebo VLSM

Debian 5.0 - Lenny

deb http://kebo.vlsm.org/debian/ lenny main contrib non-free
deb http://kebo.vlsm.org/debian/ lenny-updates main contrib non-free
deb http://kebo.vlsm.org/debian-security/ lenny/updates main contrib non-free

Debian 6.0 – Squeeze

deb http://kebo.vlsm.org/debian/ squeeze main contrib non-free
deb http://kebo.vlsm.org/debian/ squeeze-updates main contrib non-free
deb http://kebo.vlsm.org/debian-security/ squeeze/updates main contrib non-free

Debian 7.0 - Wheezy

deb http://kebo.vlsm.org/debian/ wheezy main contrib non-free
deb http://kebo.vlsm.org/debian/ wheezy-updates main contrib non-free
deb http://kebo.vlsm.org/debian-security/ wheezy/updates main contrib non-free

Linux System and Networking Tuning

= Performance tips =

say a word about network and CPU affinity ...

== load balancing ==

For servers under high load, run one instance of exaproxy per CPU core and load balance traffic with haproxy.

== tune your OS ==

extracted from :

* http://wiki.exaproxy.googlecode.com/hg-history/de72e55facb6d89815b8799d67deb0a5006e043e/performance.wiki
* http://antmeetspenguin.blogspot.co.uk/2011/01/high-performance-linux-router.html
* http://www.speedguide.net/articles/linux-tweaking-121

=== Increasing count of connections tracking ===

To carry out its tasks, NAT-server is "remember" all the connections that pass through it. Whether it’s "ping" or someone’s "ICQ" – NAT-server "remembers" and follows in his memory in a special table all of these sessions. When the session closes, information about it is deleted from the connection tracking table. The size of this table is fixed. That is why, if the traffic through the server is quite a lot but lacks the size of the table, – then NAT-server starts to drop packets and just breaks sessions. To avoid such horrors, it is necessary to adequately increase the size of the connection tracking table – in accordance with the traffic passing through NAT:

Default value is 65536, you may always just double this value or triple this value when necessary.

/sbin/sysctl -w net.netfilter.nf_conntrack_max = 196608

To make it permanent after reboot, please add these values to the sysctl.conf

echo net.ipv4.netfilter.ip_conntrack_max = 196608 >> /etc/sysctl.conf

It is not recommended to put so big value if you have less than 1 gigabyte of RAM in your NAT-server. To show the current value you can use something like this:

/sbin/sysctl net.netfilter.nf_conntrack_max

See how connection tracking table is already full can be like this:

/sbin/sysctl net.netfilter.nf_conntrack_count

=== Increasing the size of hash-table ===

Hash table, which stores lists of conntrack-entries, should be increased proportionately.
Here is the rule of adjusting: hashsize = nf_conntrack_max / 8
Default value will be 16384, and you can't set this value in the /etc/sysctl.conf file.
To change on the fly,

echo 24576 > /sys/module/nf_conntrack/parameters/hashsize

and add to the /etc/modprobe.conf

options ip_conntrack hashsize=24576

=== Decreasing time-out values ===
 
NAT-server only tracks "live" session which pass through it. When the session is closed – information about it is removed so that the connection tracking table does not overflow. Information about the sessions is removed as a timeout. That is, if a session is empty a long time, it is closed and information about it is just removed from the connectionn tracking table.

However, the default value of time-outs are quite large. Therefore, for large flows of traffic even if you stretch nf_conntrack_max to the limit – you can still run the risk of quickly run into the overflow table, and the connection is broken. To this did not happen, you must correctly set the timeout connection tracking on NAT-server. Current values can be seen, for example:

sysctl -a | grep conntrack | grep timeout

As a result, you’ll see something like this:

net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300 net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15

This is the value of timeouts in seconds. As you can see, the value net.netfilter.nf_conntrack_generic_timeout is 600 (10 minutes). Ie NAT-server keeps in mind about the session as long as it is to "run over" anything at least once every 10 minutes.

At first glance, that’s okay – but in fact it is very, very bad. If you look at net.netfilter.nf_conntrack_tcp_timeout_established – you will see there is value 432000. In other words, your NAT-server will support a simple TCP-session as long as it does runs on some bag at least once every 5 days (!).

to adjust,

echo "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 86400" >> /etc/sysctl.conf

This does not requires a reboot, instead, the value will be effective when the timeout value has reached and new value will take effect.

Speaking even more simply, it is just easy to DDOS such NAT-server: his connection-tracking table (nf_conntrack_max) overflows with simple flood – so that he will break the connection and in the worst case quickly turns into a black hole.
The time-outs it is recommended to set within 30-120 seconds. This is quite sufficient for normal users, and this is quite sufficient for the timely clearing NAT-table, which excludes its overflow. And do not forget to enter the appropriate 
changes to /etc/rc.local and /etc/sysctl.conf


The TCP/IP parameters for tweaking a Linux-based machine for fast internet connections are located in /proc/sys/net/... (assuming 2.1+ kernel). This location is volatile, and changes are reset at reboot. There are a couple of methods for reapplying the changes at boot time, ilustrated below.

 

Locating the TCP/IP related parameters

All TCP/IP tunning parameters are located under /proc/sys/net/...  For example, here is a list of the most important tunning parameters, along with short description of their meaning:

/proc/sys/net/core/rmem_max - Maximum TCP Receive Window
/proc/sys/net/core/wmem_max - Maximum TCP Send Window
/proc/sys/net/ipv4/tcp_rmem - memory reserved for TCP receive buffers
/proc/sys/net/ipv4/tcp_wmem - memory reserved for TCP send buffers
/proc/sys/net/ipv4/tcp_timestamps - timestamps (RFC 1323) add 12 bytes to the TCP header...
/proc/sys/net/ipv4/tcp_sack - tcp selective acknowledgements.
/proc/sys/net/ipv4/tcp_window_scaling - support for large TCP Windows (RFC 1323). Needs to be set to 1 if the Max TCP Window is over 65535.

Keep in mind everything under /proc is volatile, so any changes you make are lost after reboot.

 

There are some additional internal memory buffers for the TCP Window, allocated for each connection:
/proc/sys/net/ipv4/tcp_rmem - memory reserved for TCP rcv buffers (reserved memory per connection default)
/proc/sys/net/ipv4/tcp_wmem  - memory reserved for TCP snd buffers (reserved memory per connection default)

The tcp_rmem and tcp_wmem contain arrays of three parameter values: the 3 numbers represent minimum, default and maximum memory values. Those 3 values are used to bound autotunning and balance memory usage while under global memory stress.

 

Applying TCP/IP Parameters at System Boot

You can edit /etc/rc.local, or /etc/boot.local depending on your distribution so the parameters get automatically reapplied at boot time. The TCP/IP parameters should be self-explanatory: we're basically setting the TCP Window to 256960, disabling timestamps (to avoid 12 byte header overhead), enabling tcp window scaling, and selective acknowledgements:

echo 256960 > /proc/sys/net/core/rmem_default
echo 256960 > /proc/sys/net/core/rmem_max
echo 256960 > /proc/sys/net/core/wmem_default
echo 256960 > /proc/sys/net/core/wmem_max




echo 0 > /proc/sys/net/ipv4/tcp_timestamps 
echo 1 > /proc/sys/net/ipv4/tcp_sack 
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
Change the values above as desired, depending on your internet connection and maximum bandwidth/latency. There are other parameters you can change from the default if you're confident in what you're doing - just find the correct syntax of the values in /proc/sys/net/... and add a line in the above code analogous to the others. To revert to the default parameters, you can just comment or delete the above code from /etc/rc.local and restart.

Another method to reapply the values upon boot is to include the following in your /etc/sysctl.conf (adjust RWIN values as needed):

net.core.rmem_default = 256960
net.core.rmem_max = 256960 
net.core.wmem_default = 256960
net.core.wmem_max = 256960 

net.ipv4.tcp_timestamps = 0 
net.ipv4.tcp_sack = 1 
net.ipv4.tcp_window_scaling = 1
Notes:
Execute sysctl -p to make these new settings take effect.
To manually set the MTU value under Linux, use the command: ifconfig eth0 mtu 1500   (where 1500 is the desired MTU size)

 

Changing Current Values without rebooting  

The current TCP/IP parameters can be edited without the need for reboot in the following locations:

/proc/sys/net/core/
rmem_default = Default Receive Window 
rmem_max = Maximum Receive Window 
wmem_default = Default Send Window 
wmem_max = Maximum Send Window

/proc/sys/net/ipv4/
You'll find timestamps, window scalling, selective acknowledgements, etc.

Keep in mind the values in /proc will be reset upon reboot. You still need to add the code in /etc/rc.local or /etc/boot.local in order to have the changes applied at boot time as described above.

 

Other TCP Parameters to consider

TCP_FIN_TIMEOUT
This setting determines the time that must elapse before TCP/IP can release a closed connection and reuse its resources. During this TIME_WAIT state, reopening the connection to the client costs less than establishing a new connection. By reducing the value of this entry, TCP/IP can release closed connections faster, making more resources available for new connections. Addjust this in the presense of many connections sitting in the TIME_WAIT state:

# echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
(default: 60 seconds, recommended 15-30 seconds)

Notes:
You can use any of the earlier described methods to reapply these settings at boot time.
Here is a quick way to view the number of connections and their states:

netstat -tan | grep ':80 ' | awk '{print $6}' | sort | uniq -c

 

TCP_KEEPALIVE_INTERVAL
This determines the wait time between isAlive interval probes. To set:

echo 30 > /proc/sys/net/ipv4/tcp_keepalive_intvl
(default: 75 seconds, recommended: 15-30 seconds)

 

TCP_KEEPALIVE_PROBES
This determines the number of probes before timing out. To set:

echo 5 > /proc/sys/net/ipv4/tcp_keepalive_probes
(default: 9, recommended 5)

 

TCP_TW_RECYCLE
It enables fast recycling of TIME_WAIT sockets. The default value is 0 (disabled). The sysctl documentation incorrectly states the default as enabled. It can be changed to 1 (enabled) in many cases. Known to cause some issues with hoststated (load balancing and fail over) if enabled, should be used with caution.

echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
(boolean, default: 0)  

TCP_TW_REUSE
This allows reusing sockets in TIME_WAIT state for new connections when it is safe from protocol viewpoint. Default value is 0 (disabled). It is generally a safer alternative to tcp_tw_recycle

echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse
(boolean, default: 0)

Note: The tcp_tw_reuse setting is particularly useful in environments where numerous short connections are open and left in TIME_WAIT state, such as web servers. Reusing the sockets can be very effective in reducing server load.

 

Kernel Recompile Option

There is another method one can use to set TCP/IP parameters, involving kernel recompile... If you're brave enough. Look for the parameters in the following files: 
/LINUX-SOURCE-DIR/include/linux/skbuff.h 
Look for SK_WMEM_MAX & SK_RMEM_MAX 
/LINUX-SOURCE-DIR/include/net/tcp.h 
Look for MAX_WINDOW & MIN_WINDOW

 

Setup Chroot Unbound

I want to run my own DNS server, while I've done this before it was always a one off that I never spent much time researching or implementing it as well, and securely, as I wanted. When I tried out DNSCrypt from the OpenDNS folks, I emailed them and asked if it was available to run on a server, and sure enough, they have it in their Github repo, ready to compile in Linux. So I knew it was time to take things more seriously so I could properly run DNSCrypt as part of my DNS stack. So, first up, before getting DNSCrypt (and later DNSSEC) I need to have a good install of a local DNS server to handle things, and I've setted on using Unbound. Unbound bills itself as “_…a validating, recursive, and caching DNS resolver. […] Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible. The source code is under a BSD License._” Besides that the project has ties to some OpenBSD people, which bodes well for its security focus, and even has an option to chroot the install in the configuration file. In this article I'll share how I've setup Unbound running as a local, caching, recurisve DNS server in chroot. The next article in this series will deal with implementing DNSCrypt, and later DNSSEC.<!– more –>

My install is going to be in Debian 6.0 (Squeeze), but it should be identical for Ubuntu Linux users, and for any other Linux users, after the Unbound is installed. So first we'll install Unbound, it's as easy as…

apt-get install unbound

Thrilling, I know! Next up lets modify unbound's config.

vi /etc/unbound/unbound.conf

It's a long, well commented config file, but all you need to get started is:

interface: 0.0.0.0
interface: ::0
port: 53
access-control: 192.168.1.0/16 allow
chroot: "/var/lib/unbound"
username: "unbound"
hide-identity: yes
hide-version: yes
harden-glue: yes
harden-short-bufsize: no
harden-large-queries: no

Notice we turned on the chroot option, and few other hardening options for security. Next edit the default config for unbound

vi /etc/default/unbound

We'll set it to start up, and set the variable to use the new chroot path

UNBOUND_ENABLE=true
#DAEMON_OPTS="-c /etc/unbound/unbound.conf"
DAEMON_OPTS="-c /var/lib/unbound/etc/unbound/unbound.conf"

Next we'll setup the chroot paths

mkdir /var/lib/unbound/etc/
mkdir /var/lib/unbound/var/run

We'll put the config file in place

mv /etc/unbound.conf /var/lib/unbound/etc

And symlink the pidfile into place

ln -s /var/lib/unbound/var/run/unbound.pid /var/run/unbound.pid

Finally set permissions on the directory to the unbound user

chown -R unbound:unbound /var/lib/unbound

Now even though we have default/unbound defined right, unbound will not start, and it turns out the init.d script is the culprit. I poked around online and found this bug for the package in Debian, but that's not the way I wanted to fix. The problem comes in the line that sets the PIDFILE, where it runs unbound-checkconf to test the config, but it fails to find the config, so it bombs out. I fixed it this way

#PIDFILE=$(${DAEMON}-checkconf -o pidfile)
PIDFILE=/var/run/${NAME}.pid

And now you can start it up

/etc/init.d/unbound start

I set my laptop to use the server for DNS, and saw the difference the caching made

$ dig www.slashdot.org | grep Query
;; Query time: 71 msec

Not bad, run it again, and bam, much quicker.

[~] $ dig www.slashdot.org | grep Query
;; Query time: 1 msec

I've had this setup on my server for a week, and it's worked perfectly. In an upcoming HOWTO I'll improve the setup by running it through DNSCrypt, and later include DNSSEC in the stack. Stay tuned!

https://fak3r.com/2012/03/14/howto-run-a-secure-caching-dns-server-in-chroot/

Drop Sync/DDOS Attack

In /etc/sysctl.conf

Paste the following into the file, you can overwrite the current information.

#Kernel sysctl configuration file for Red Hat Linux

#

# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and

# sysctl.conf(5) for more details.

# Disables packet forwarding

net.ipv4.ip_forward=0

# Disables IP source routing

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.lo.accept_source_route = 0

net.ipv4.conf.eth0.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.lo.rp_filter = 1

net.ipv4.conf.eth0.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.lo.accept_redirects = 0

net.ipv4.conf.eth0.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets

net.ipv4.conf.all.log_martians = 0

net.ipv4.conf.lo.log_martians = 0

net.ipv4.conf.eth0.log_martians = 0

# Disables IP source routing

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.lo.accept_source_route = 0

net.ipv4.conf.eth0.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.lo.rp_filter = 1

net.ipv4.conf.eth0.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.lo.accept_redirects = 0

net.ipv4.conf.eth0.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

# Disables the magic-sysrq key

kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection

net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection

net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling

net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack

net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps

net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection

net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request

net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection

net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets

net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).

net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size

net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range

net.ipv4.ip_local_port_range = 16384 65536

Run /sbin/sysctl -p and sysctl -w net.ipv4.route.flush=1 to enable the changes without a reboot.

TCP Syncookies

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Some IPTABLES Rules:

iptables -A INPUT -p tcp –syn -m limit –limit 1/s –limit-burst 3 -j RETURN

iptables -A INPUT -p tcp –syn -m state –state ESTABLISHED,RELATED –dport 80 -m limit –limit 1/s –limit-burst 2 -j ACCEPT

Share this: http://linuxstuffs.wordpress.com/2009/10/25/drop-syncddos-attack/