Experience sharing of Linux and Open Source Software.

Linux File System with Data Encryption

To create a key file for encryption,

# mkdir /etc/key
# dd if=/dev/random of=/etc/key/usbbackup-key bs=1 count=256
# chmod 600 /etc/key/usbbackup-key

To load the necessary Linux kernel encryption modules,

# modprobe dm-crypt
# modprobe sha256
# modprobe aes

Then add the following lines to /etc/modprobe.d/aliases so that the above modules are loaded at system startup.

alias sha256 sha256_generic
alias aes aes_generic

Creation of an encrypted file system with cryptsetup

# cryptsetup --verbose --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sdf1 /etc/key/usbbackup-key
# cryptsetup --key-file=/etc/key/usbbackup-key luksOpen /dev/sdf1 cryptousb
# mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/cryptousb

An alternative command to make an ext3 filesystem with largefile support:
# mke2fs -j -T largefile -L "usbbackup" /dev/mapper/cryptousb 

Add passphrase access to the encrypted partition in case the partition holding the key file becomes unusable; otherwise the data will be inaccessible.
# cryptsetup --key-file=/etc/key/usbbackup-key luksAddKey /dev/sdf1

Protecting Apache against DDoS attacks on Debian Lenny

A DDoS (Distributed Denial of Service) attack is a nightmare for system admins. It floods your internet services or systems with service requests until they end up out of service.

Apache module mod_evasive

mod_evasive is a good Apache module that gives Apache servers some protection from DDoS attacks. It has been a package in the main section of the Debian repositories since Lenny.

Installation of mod_evasive on Lenny

To install mod_evasive for Apache 2 on Debian Lenny, simply run aptitude install as follows.

# aptitude install libapache2-mod-evasive

During package installation, the Apache service will be restarted on your system, and mod_evasive will already be enabled.

To set additional parameters for mod_evasive, edit the /etc/apache2/mods-available/mod-evasive.load file and add the following lines.

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 600
</IfModule>
 

Upgrading from Debian Etch to Lenny

Debian GNU/Linux 5.0 (Lenny) became the stable version on Valentine's Day. We upgraded an old stable 4.0 Etch server remotely and successfully.

Summary of upgrading procedures:

  1. Update list of apt sources to Lenny release.
  2. Use aptitude to update local list of available packages.
  3. Use aptitude to upgrade apt, dpkg and aptitude first.
  4. Use UUIDs instead of the old IDE device names to identify the root filesystem for grub and the filesystem table.
  5. Use aptitude to do full upgrade.
  6. Reboot the system.
  7. Use aptitude to do package upgrades if any.

Slight increase in Apache HTTP server market share

The Apache web server is a long-time leader in web server market share. According to the Netcraft survey in January 2009, its market share increased slightly, by 1%, last month amid the current global financial problems.

 

Non-FQDN in email HELO command

Sometimes we receive enquiries from our clients when one of their business partners or customers cannot send emails to them successfully. We have found that the problem is normally caused by the Windows email system on the other side, which is not configured in line with the internet RFC documents.

The following line of email reject information is found in email log file.

May 28 17:03:47 mail postfix/smtpd[30547]: NOQUEUE: reject: RCPT from smtp.xxxxxx.com[xxx.xxx.xxx.xxx]: 504 swhkg0111: Helo command rejected: need fully-qualified hostname; from=xxxxxx@xxxxxx.com to=someone@our_client.com proto=ESMTP helo=swhkg0111

It means that this poorly configured Windows email system (or sometimes a spammer) says "Hello" to our client's email system with a hostname that is not fully qualified, so it is rejected when it tries to send emails to us.
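
One way to triage these rejects from the mail log, added here as an example and not part of the original post: it groups "need fully-qualified hostname" rejects by sending server and HELO name so the misconfigured host can be identified. The sample log lines, hostnames and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original page). Hosts and addresses are
# placeholders; line 2 has no <> around values, like the excerpt quoted above.
SAMPLE_LOG = """\
May 28 17:03:47 mail postfix/smtpd[30547]: NOQUEUE: reject: RCPT from smtp.partner.example[192.0.2.10]: 504 swhkg0111: Helo command rejected: need fully-qualified hostname; from=<alice@partner.example> to=<someone@client.example> proto=ESMTP helo=<swhkg0111>
May 28 17:09:12 mail postfix/smtpd[30561]: NOQUEUE: reject: RCPT from smtp.partner.example[192.0.2.10]: 504 swhkg0111: Helo command rejected: need fully-qualified hostname; from=bob@partner.example to=someone@client.example proto=ESMTP helo=swhkg0111
May 28 17:15:30 mail postfix/smtpd[30570]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <pc01>: Helo command rejected: need fully-qualified hostname; from=<x@spam.example> to=<someone@client.example> proto=SMTP helo=<pc01>
May 28 17:20:01 mail postfix/smtpd[30580]: NOQUEUE: reject: RCPT from mx.other.example[203.0.113.5]: 554 5.7.1 <u@else.example>: Relay access denied; from=<v@other.example> to=<u@else.example> proto=ESMTP helo=<mx.other.example>
"""

# Matches only the "need fully-qualified hostname" HELO reject. The enhanced
# status code (e.g. 5.5.2) and the <> around values are treated as optional.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from "
    r"(?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]: \d{3}(?: \d\.\d\.\d)? \S+ "
    r"Helo command rejected: need fully-qualified hostname;"
    r" from=<?(?P<sender>[^>\s]*)>? to=<?[^>\s]*>?.*? helo=<?(?P<helo>[^>\s]+)>?"
)


def summarize_helo_rejects(log_text):
    """Group non-FQDN HELO rejects by (client hostname, client IP, HELO name)."""
    summary = defaultdict(lambda: {"count": 0, "senders": set()})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # other reject reasons and unrelated lines are ignored
        entry = summary[(m["client"], m["ip"], m["helo"])]
        entry["count"] += 1
        entry["senders"].add(m["sender"])
    return dict(summary)


def report(summary):
    """One line per sending server, most rejects first."""
    lines = []
    ranked = sorted(summary.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    for (client, ip, helo), entry in ranked:
        # Postfix logs "unknown" when it could not verify the client's reverse DNS.
        note = "no verified reverse DNS" if client == "unknown" else "reverse DNS verified"
        senders = ",".join(sorted(entry["senders"]))
        lines.append(f"{entry['count']:3d} {client}[{ip}] helo={helo} senders={senders} ({note})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize_helo_rejects(SAMPLE_LOG))))
```

The sender addresses collected per server show which partner to contact about fixing their HELO hostname.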
