Archive for September, 2009

Security - Install And Configure Advanced Policy Firewall (APF) On CentOS

From Advanced Policy Firewall’s website:

“Advanced Policy Firewall (APF) is an IPTables(Netfilter) based firewall system designed around the essential needs of today’s Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the ‘apf’ command, which includes detailed usage information on all the features.”

Installation

Downloading and extracting.

wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar -zxvf apf-current.tar.gz
cd apf-9.7-1

(tar works on the downloaded file, not on the URL; the directory name carries whatever version apf-current.tar.gz unpacks to, 9.7-1 at the time of writing)

and Run:

sh ./install.sh

APF will display the locations of its executable and configuration files, as well as the ports it detected as being in use.

Configuration

APF’s basic configuration file is /etc/apf/conf.apf

By default everything is locked down and you have to configure APF to open the ports you need.

DEVEL_MODE="1" - keep this set to 1 until you are satisfied with the settings; in development mode a cron job flushes the firewall every five minutes, so a mistake in the rules cannot lock you out of a remote server for good. Set it to 0 only once you have confirmed you can still reach the box.
SET_MONOKERN="0" - APF also supports monolithic kernels; set this to 1 if Netfilter is compiled into your kernel rather than loaded as modules.
IFACE_IN="eth0" and IFACE_OUT="eth0" - the untrusted interfaces connected to the network, usually the Internet.

Testing

Start APF:

/usr/local/sbin/apf -s

We can use the following parameters:

-s - start APF

-r - restart APF

-f - stop (flush) APF

-l - list the active firewall rules

-st - show the status of APF

-a host - allow connections from "host" (the entry is kept in /etc/apf/allow_hosts.rules)

-d host - deny connections from "host" (the entry is kept in /etc/apf/deny_hosts.rules)
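The configure-then-go-live procedure above as a script. This is an added example for this post, not code shipped with APF: it edits a copy of conf.apf using the KEY="value" line format APF uses, and it refuses to turn DEVEL_MODE off until the SSH port appears in IG_TCP_CPORTS, because forgetting that port is exactly the mistake development mode exists to survive. DEVEL_MODE, IFACE_IN and IG_TCP_CPORTS are APF's own variable names; the helper names and the sample configuration in the demo are invented here.

```shell
#!/bin/sh
# Added example for this post, not code shipped with APF. It edits a copy
# of conf.apf with the KEY="value" syntax APF uses and refuses to leave
# development mode until the SSH port is in IG_TCP_CPORTS, which is the
# mistake that locks an admin out of a remote box. The variable names
# DEVEL_MODE, IFACE_IN and IG_TCP_CPORTS are APF's own; the helper names
# and the sample config below are invented for the demo.

# Print the value of KEY ($2) from CONF ($1): the text between the quotes.
apf_get() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Set KEY="VALUE" in CONF, replacing an existing line or appending one.
apf_set() {
    conf=$1; key=$2; value=$3
    if grep -q "^${key}=" "$conf"; then
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$conf" > "$conf.tmp" &&
            mv "$conf.tmp" "$conf"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$conf"
    fi
}

# Succeed only if PORT ($2) is listed as a whole entry in IG_TCP_CPORTS.
# APF also accepts ranges such as 1024_65535; those are not interpreted here.
apf_port_open() {
    apf_get "$1" IG_TCP_CPORTS | tr ',' '\n' | grep -qx "$2"
}

# Switch DEVEL_MODE off only when the SSH port (default 22) is open.
apf_go_live() {
    conf=$1; sshport=${2:-22}
    if apf_port_open "$conf" "$sshport"; then
        apf_set "$conf" DEVEL_MODE 0
        return 0
    fi
    echo "refusing DEVEL_MODE=0: port $sshport is not in IG_TCP_CPORTS" >&2
    return 1
}

# Offline demo on a constructed conf.apf holding APF-style default values.
apf_demo() {
    tmp=$(mktemp -d)
    conf=$tmp/conf.apf
    printf 'DEVEL_MODE="1"\nSET_MONOKERN="0"\nIFACE_IN="eth0"\nIFACE_OUT="eth0"\nIG_TCP_CPORTS="22"\nIG_UDP_CPORTS=""\n' > "$conf"
    apf_set "$conf" IG_TCP_CPORTS "22,80,443"   # web server plus SSH
    apf_go_live "$conf" 22                      # allowed: 22 is open
    cat "$conf"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then apf_demo; fi
```

Run it with the argument demo to see the edited copy. On a real server point the functions at /etc/apf/conf.apf, run apf -r after each change while DEVEL_MODE is still 1, open a second SSH session to confirm you can get in, and only then call apf_go_live.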

Advanced Policy Firewall - http://www.rfxn.com/projects/advanced-policy-firewall

Removing Physical Volumes from a Volume Group

DESCRIPTION

vgreduce allows you to remove one or more unused physical volumes from a volume group.

To remove unused physical volumes from a volume group, use the vgreduce command. The vgreduce command shrinks a volume group’s capacity by removing one or more empty physical volumes. This frees those physical volumes to be used in different volume groups or to be removed from the system.

Before removing a physical volume from a volume group, make sure that the physical volume is not used by any logical volumes, using the pvdisplay command (or pvs, which shows the allocated and free extents of each physical volume).

If the physical volume is still in use, you will have to migrate the data to another physical volume with the pvmove command, then use the vgreduce command to remove it.

The following command removes the physical volume /dev/hda1 from the volume group my_volume_group.

# vgreduce my_volume_group /dev/hda1

It's a good idea to run the command with --test first to see what it would remove before running it for real; --test goes through the operation without writing any metadata.
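The "check first, then vgreduce" discipline above as a script. This is an added example and is not taken from the LVM documentation: it reads a pvs report to see whether the physical volume still has allocated extents, and prints the commands to run in a safe order (pvmove first if needed, then vgreduce --test, then vgreduce) instead of running them. The pvs report fields pv_name, vg_name, pv_pe_count and pv_pe_alloc_count are real pvs columns; the function names and the canned report in the demo are invented.

```shell
#!/bin/sh
# Added example, not taken from the LVM documentation: work out from a pvs
# report whether a physical volume still holds allocated extents, and print
# the commands to run before and for the vgreduce. Field names pv_name,
# vg_name, pv_pe_count and pv_pe_alloc_count are real pvs report columns;
# the function names and the canned report used by the demo are invented.

# Command that produces the report; replaced by a canned one in the demo.
PVS_CMD=${PVS_CMD:-"pvs --noheadings --separator , -o pv_name,vg_name,pv_pe_count,pv_pe_alloc_count"}

# Print "free", "in-use" or "unknown" for physical volume $2 in volume group $1.
pv_removal_state() {
    $PVS_CMD | tr -d ' ' | awk -F, -v vg="$1" -v pv="$2" '
        $1 == pv && $2 == vg { print ($4 == 0 ? "free" : "in-use"); found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Print, one per line, the commands that remove PV from VG in a safe order.
# Nothing is executed: review the plan, then pipe it to sh if it looks right.
vgreduce_plan() {
    vg=$1; pv=$2
    case $(pv_removal_state "$vg" "$pv") in
        free)
            echo "vgreduce --test $vg $pv"
            echo "vgreduce $vg $pv"
            ;;
        in-use)
            # pvmove with no destination lets LVM choose free extents
            # elsewhere in the group; vgreduce would refuse an in-use PV.
            echo "pvmove $pv"
            echo "vgreduce --test $vg $pv"
            echo "vgreduce $vg $pv"
            ;;
        *)
            echo "error: $pv is not a physical volume in $vg" >&2
            return 1
            ;;
    esac
}

# Constructed report for the offline demo: sdb1 is empty, sda2 is fully
# allocated, sdc1 belongs to another group.
fake_pvs() {
    printf '  /dev/sda2,vg00,1000,1000\n  /dev/sdb1,vg00,500,0\n  /dev/sdc1,vg01,800,120\n'
}

if [ "${1:-}" = demo ]; then
    PVS_CMD=fake_pvs
    vgreduce_plan vg00 /dev/sdb1
    vgreduce_plan vg00 /dev/sda2
fi
```

With the default PVS_CMD the functions query the live system; vgreduce_plan vg00 /dev/sdb1 | sh would then run the plan, but reading it first is the point.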

How to replace words/strings in multiple files using sed.

sed - stream editor for filtering and transforming text

The stream editor (sed) is a very useful command for searching and replacing strings in multiple files.

Example 1

/var/named# sed -i 's/127.0.0.1/192.168.0.1/g' *.com.db

Two things to keep in mind with this form: -i rewrites the files with no backup, and the pattern is a regular expression, so each unescaped dot matches any character and, being unanchored, the pattern also matches the 127.0.0.1 prefix of an address such as 127.0.0.10.

Example 2

s/regexp/replacement/

Attempt to match regexp against the pattern space. If successful, replace that portion matched with replacement. The replacement may contain the special character & to refer to that portion of the pattern space which matched, and the special escapes \1 through \9 to refer to the corresponding matching sub-expressions in the regexp.

In the above command

sed -i edits the files in place.

s is the substitute command.

127.0.0.1 is the string to be replaced.

192.168.0.1 is the replacement.

g makes the substitution global: every occurrence on a line is replaced, not just the first one (sed processes all lines of the file either way).

To replace the string 127.0.0.1 with 192.168.0.1 in multiple files, run sed like this (add a suffix to -i, as in -i.bak, if you want a backup of each file):

$ sed -i 's/127.0.0.1/192.168.0.1/g' *.com.db

On Linux and UNIX, sed is part of the default installation, although the -i option shown here is a GNU sed extension.

sed could show me only (say) lines 12-18 of a file and not show me the rest. This was very handy when I needed to review only part of a long file and I didn’t want to alter it.

# the ‘p’ stands for print
sed -n 12,18p myfile

Reference : http://sed.sourceforge.net

How to disable IPv6 in RHEL 5, Fedora, CentOS?

In Red Hat Enterprise Linux 5 the IPv6 kernel module is loaded by default. If your network is not set up for IPv6, turn it off on your servers so that services do not end up listening on an address family you are neither filtering nor monitoring.

Steps to disable IPv6 on RHEL 5:

1. In Fedora, CentOS and RHEL 5, module aliases and options are read from /etc/modprobe.conf.

Add these lines to /etc/modprobe.conf to disable autoloading of the IPv6 module:

alias net-pf-10 off
alias ipv6 off

2. Next edit /etc/sysconfig/network

# vi /etc/sysconfig/network

Set (or add) the following line:

NETWORKING_IPV6=no

3. ip6tables is the IPv6 packet filter, not IPv6 itself; with the module disabled it has nothing to filter, so stop it:

#service ip6tables stop

4. and keep it from starting at boot:

# chkconfig ip6tables off

Note that steps 1 and 2 only prevent the module from being loaded again; a module that is already loaded stays loaded until the next reboot, so reboot for the change to take effect.
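The configuration part of the procedure (steps 1 and 2) as a script that can be run more than once without duplicating lines, together with a check that everything is in place. This is an added example, not part of the original post. The file paths are parameters so the functions can be exercised on copies; on a real RHEL 5 box they are /etc/modprobe.conf and /etc/sysconfig/network. Steps 3 and 4 (service and chkconfig) are left as the commands above. The helper names are invented.

```shell
#!/bin/sh
# Added example, not from the original post: apply the settings from the
# steps above to the given files without duplicating lines on a second run,
# and verify they are all in place. The file paths are parameters so the
# functions can be exercised on copies; on a real RHEL 5 box they are
# /etc/modprobe.conf and /etc/sysconfig/network. Helper names are invented.

# Append LINE ($2) to FILE ($1) unless that exact line is already present.
ensure_line() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Set KEY=VALUE in FILE, replacing an existing assignment or appending one.
set_kv() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file" 2>/dev/null; then
        sed "s/^${key}=.*/${key}=${value}/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Steps 1 and 2 of the post: block the module, turn off IPv6 networking.
disable_ipv6_config() {
    ensure_line "$1" "alias net-pf-10 off"
    ensure_line "$1" "alias ipv6 off"
    set_kv "$2" NETWORKING_IPV6 no
}

# Return 0 when all three settings are present, else report what is missing.
ipv6_config_ok() {
    modprobe_conf=$1; network=$2; rc=0
    for line in "alias net-pf-10 off" "alias ipv6 off"; do
        grep -qxF -- "$line" "$modprobe_conf" 2>/dev/null || { echo "missing in $modprobe_conf: $line"; rc=1; }
    done
    grep -qxF -- "NETWORKING_IPV6=no" "$network" 2>/dev/null || { echo "missing in $network: NETWORKING_IPV6=no"; rc=1; }
    return $rc
}

# The module stays loaded until the next boot; this reports whether it is.
ipv6_module_loaded() {
    grep -q '^ipv6 ' /proc/modules 2>/dev/null
}

# Offline demo on constructed copies of the two files.
ipv6_demo() {
    tmp=$(mktemp -d)
    printf 'alias eth0 e1000\n' > "$tmp/modprobe.conf"
    printf 'NETWORKING=yes\nNETWORKING_IPV6=yes\nHOSTNAME=host1\n' > "$tmp/network"
    disable_ipv6_config "$tmp/modprobe.conf" "$tmp/network"
    ipv6_config_ok "$tmp/modprobe.conf" "$tmp/network" && echo "config ok"
    ipv6_module_loaded && echo "ipv6 module still loaded: reboot needed"
    cat "$tmp/modprobe.conf" "$tmp/network"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then ipv6_demo; fi
```

Run it with the argument demo to see the edited copies. After a reboot, ipv6_module_loaded should fail; if it still succeeds, something else (an initrd or a module dependency) is pulling the module in and the aliases alone are not enough.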

Scanning Disks for Volume Groups to Build the Cache File

The vgscan command scans all supported disk devices in the system looking for LVM physical volumes and volume groups. This builds the LVM cache in the /etc/lvm/.cache file, which maintains a listing of current LVM devices.

LVM runs the vgscan command automatically at system startup and at other times during LVM operation, such as when you execute a vgcreate command or when LVM detects an inconsistency. You may need to run the vgscan command manually when you change your hardware configuration, causing new devices to be visible to the system that were not present at system bootup. This may be necessary, for example, when you add new disks to the system on a SAN or hotplug a new disk that has been labeled as a physical volume.

You can define a filter in the lvm.conf file to restrict the scan to avoid specific devices.

SYNOPSIS

/etc/lvm/lvm.conf

DESCRIPTION

lvm.conf is loaded during the initialisation phase of lvm(8). This file can in turn lead to other files being loaded; settings read in later override earlier settings. File timestamps are checked between commands and if any have changed, all the files are reloaded.

Use lvm dumpconfig to check what settings are in use.

# lvm dumpconfig
devices {
dir="/dev"
scan="/dev"
preferred_names=[]
filter="a/.*/"
cache_dir="/etc/lvm/cache"
cache_file_prefix=""
write_cache_state=1
sysfs_scan=1
md_component_detection=1
ignore_suspended_devices=0
}
