Dmitry Dovidenko's Blog » Linux http://rootit.org "A flatterer is a friend who is your inferior, or pretends to be so." - Aristotle Thu, 17 Dec 2009 13:23:01 +0000 http://wordpress.org/?v=2.8.6 en hourly 1 Secure /tmp, /var/tmp, /dev/shm http://rootit.org/2009/05/secure-tmp-vartmp-devshm/ http://rootit.org/2009/05/secure-tmp-vartmp-devshm/#comments Thu, 07 May 2009 23:20:51 +0000 admin http://rootit.org/?p=182 By default CentOS and RHEL are not very secure when it comes to temporary directories. This is a big problem because an exploitable PHP script can be used to launch many nasty processes such as an FTP brute force scanner. If you have many clients its inevitable that some of them will have such exploitable scripts at some point. This also means that you will have to deal with the abuse complaints resulting from such exploits which will cost you time that you and your staff could spend on marketing or helping customers. You should use this guide to secure all new RHEL/CentOS installs. I may release a full security script at some point when it’s further tested.

[[ Dmitry's TMP Security Script ]]
Checking if /dev/tempFS exists… it does not.. creating!
204800+0 records in
204800+0 records out
209715200 bytes (210 MB) copied, 0.70351 seconds, 298 MB/s
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
51200 inodes, 204800 blocks
10240 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
25 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729

Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
/dev/tmpFS has been created!
Backing up current /tmp!
Setting up /etc/fstab and mounting!
Restoring old /tmp data and cleaning up!
Checking if /var/tmp is a symlink… it does not.. creating!
Backing up current /var/tmp!
Setting up /var/tmp as symlink to secured /tmp!
Restoring old /var/tmp data and cleaning up!
Making sure /dev/shm is secured in /etc/fstab!

Download the script and try it out. I recommend using it on a new or unmodified CentOS/RHEL install.

Download Script

]]> http://rootit.org/2009/05/secure-tmp-vartmp-devshm/feed/ 3 NFS Shares on CentOS http://rootit.org/2008/07/nfs-shares-on-centos/ http://rootit.org/2008/07/nfs-shares-on-centos/#comments Sun, 06 Jul 2008 01:10:06 +0000 admin http://rootit.org/?p=9 Many situations require a “share” of some sort where data is accessible on several machines from a common source. This way data does not have to be duplicated every time and can be accessed over network. The two popular methods are NFS and Samba. For this tutorial we will try to use NFS. Setting up NFS shares on CentOS is fairly easy and mounting them is even simpler!

I. The server that holds the content to be shared:

First you will want to install the needed apps and libraries:

yum install -y nfs-utils nfs-utils-lib nfs-utils-lib-devel

Then you should edit /etc/exports and setup your shares. The format is “/path/to/share ip.ad.dre.ss(options,options) ip.ad.dre.ss(options,options) etc…” You should end up with a file like this:

/home/something/content1/ 192.168.1.101(async,no_subtree_check,rw) 192.168.1.102(async,no_subtree_check,rw)
/home/something/content2/ 192.168.1.101(async,no_subtree_check,rw) 192.168.1.102(async,no_subtree_check,rw)
/home/something/content3/ 192.168.1.101(async,no_subtree_check,rw) 192.168.1.102(async,no_subtree_check,rw)

Then you will want to edit /etc/hosts.allow and add something like:

portmap: 192.168.1.101, 192.168.1.102

Then start services:

/etc/init.d/portmap start
/etc/init.d/nfs start

Then make sure the services start on boot:

chkconfig nfs on
chkconfig portmap on

II. The servers that are pulling the content over NFS:

This is the easy part. You just have to mount the share via /etc/fstab. The format is “nfshost:/nfs/share /path/to/mount/to nfs option,option,option 0 0″. So go ahead and open /etc/fstab and add something like this:

192.168.1.1:/home/something/content1/    /home/mydomain/public_html/mycontent1    nfs    rw,hard,intr    0 0

Then you just need to run:

mount -a

Which should mount everything in fstab. If there are errors re-read the tutorial and make sure they are nfs related errors, not other errors in your fstab! Google is your friend!

]]> http://rootit.org/2008/07/nfs-shares-on-centos/feed/ 0 Installing FFmpeg & Dependencies For FLV Conversion http://rootit.org/2008/06/installing-ffmpeg-ffmpeg-php-other-dependencies-for-clipshare/ http://rootit.org/2008/06/installing-ffmpeg-ffmpeg-php-other-dependencies-for-clipshare/#comments Mon, 30 Jun 2008 04:57:09 +0000 admin http://rootit.org/?p=8 This is my original guide for installing ffmpeg and all of these dependencies. I originally wrote this guide while working for HostGator in order to save myself time installing. I posted a copy of this guide in our company notes which was later copied by one of our employees into his own blog which he failed to credit me for :-( and now it’s all over the internet. You should use this guide as it’s probably the most up to date as I still use this script on a semi-regular basis and update the links whenever new versions come out.

This guide should teach you how to install all the needed dependencies for ClipShare or other flash video conversion scripts. It’s primarily focused on RHEL or CentOS installs for the dependencies of these packages. The links in this guide are fresh as of 08/04/2008. Here is what this guide will help you install:

It assumes you already have Apache and PHP5 installed as those are required dependencies as well. There will also be a guide up for installing PHP5.2.6 from source on CentOS/RHEL soon.

First install subversion and ruby via yum or up2date:

yum -y install subversion ruby

Now we need to install MPlayer & FFmpeg sources from SVN:

cd ~
svn checkout svn://svn.mplayerhq.hu/ffmpeg/trunk ffmpeg
svn checkout svn://svn.mplayerhq.hu/mplayer/trunk mplayer

Now we need some codecs:

wget http://www3.mplayerhq.hu/MPlayer/releases/codecs/essential-20071007.tar.bz2
tar xvjpf essential-20071007.tar.bz2
cd essential-20071007
mkdir /usr/local/lib/codecs
mv * /usr/local/lib/codecs/
chmod -R 755 /usr/local/lib/codecs/
cd ~

Next we will install LAME MP3 encoder:

wget http://internap.dl.sourceforge.net/sourceforge/lame/lame-398.tar.gz
tar xvzpf lame-398.tar.gz
cd lame-398
./configure --prefix=/usr
make
make install
cd ~

Now we install Libogg:

wget http://downloads.xiph.org/releases/ogg/libogg-1.1.3.tar.gz
tar xvzpf libogg-1.1.3.tar.gz
cd libogg-1.1.3
./configure --prefix=/usr
make
make install
cd ~

We need to make sure the correct lib directories are setup in ldconfig. Edit the /etc/ld.so.conf file and add the following lines:

/usr/lib
/usr/local/lib

Now save and run the following command:

ldconfig

To install libvorbis we will run:

wget http://downloads.xiph.org/releases/vorbis/libvorbis-1.2.0.tar.gz
tar xvzpf libvorbis-1.2.0.tar.gz
cd libvorbis-1.2.0
./configure --prefix=/usr
make
make install
cd ~

Now we will install FLVTool2:

wget http://rubyforge.org/frs/download.php/17497/flvtool2-1.0.6.tgz
tar xvzpf flvtool2-1.0.6.tgz
cd flvtool2-1.0.6
ruby setup.rb config
ruby setup.rb setup
ruby setup.rb install
cd ~

Next we should build MPlayer & MEncoder and it will take a while unless you have a nice dual or quad core machine. Note that I’ve seen the SVN version of these packages break before, so you can always download the source code from their site (a stable copy) if it fails on make:

cd mplayer
./configure --prefix=/usr
make
make install
cd ~

We will now build FFmpeg:

mkdir /usr/local/src/tmp
chmod 777 /usr/local/src/tmp
export TMPDIR=/usr/local/src/tmp
cd ffmpeg
./configure --prefix=/usr --enable-libmp3lame --enable-libvorbis --disable-mmx --enable-shared
make
make install
cd ~

Symlink some libraries if needed (ignore file exists errors):

ln -s /usr/local/lib/libavformat.so.50 /usr/lib/libavformat.so.50
ln -s /usr/local/lib/libavcodec.so.51 /usr/lib/libavcodec.so.51
ln -s /usr/local/lib/libavutil.so.49 /usr/lib/libavutil.so.49
ln -s /usr/local/lib/libmp3lame.so.0 /usr/lib/libmp3lame.so.0
ln -s /usr/local/lib/libavformat.so.51 /usr/lib/libavformat.so.51

Now build FFmpeg-PHP:

wget http://voxel.dl.sourceforge.net/sourceforge/ffmpeg-php/ffmpeg-php-0.5.3.1.tbz2
tar xvjpf ffmpeg-php-0.5.3.1.tbz2
cd ffmpeg-php-0.5.3.1
phpize
./configure --prefix=/usr
make
make install
cd ~

Now you need to copy the ffmpeg.so file that was created from it’s location (from the build) to /usr/local/lib/php/extensions/, it should look something like:

cp /usr/local/lib/php/extensions/no-debug-non-zts-????????????/ffmpeg.so /usr/local/lib/php/extensions/

Modify your php.ini. Try /etc/php.ini or /usr/lib/php.ini or /usr/local/Zend/etc/php.ini as they are common locations, you can do php -i | grep -i ini to find the proper location. Change the extension_dir value as seen below and add the extension as seen below:

extension_dir = "/usr/local/lib/php/extensions/"
extension=ffmpeg.so

Now save and restart apache and test php for ffmpeg on both apache via phpinfo() and from shell:

service httpd stop
killall -9 httpd
service httpd start
php -i | grep -i ffmpeg

Let me know via comments if you find some bugs or better ways to do things!

]]> http://rootit.org/2008/06/installing-ffmpeg-ffmpeg-php-other-dependencies-for-clipshare/feed/ 9