May 5, 2013

Connect to a Cisco VPN via VPNC using .pcf configurations file

If you want to connect to a Cisco VPN from a Linux host, it is better to use the Cisco AnyConnect VPN client for Linux. It is a free client tool, but you need to log in to the Cisco website to get it.

VPNC is a free VPN client which is capable of connecting to Cisco VPNs (3000).

Use yum to install vpnc.

# yum install vpnc NetworkManager-vpnc vpnc-consoleuser -y

It will install all the necessary packages. During the installation it creates a default configuration file in the configuration directory. You need to back that up first.

# mv  /etc/vpnc/default.conf  /etc/vpnc/default.conf.bak

Then you need to convert the .pcf file into a vpnc configuration file. To do that, run the pcf2vpnc script that ships with vpnc.

# perl   /usr/share/doc/vpnc-*/pcf2vpnc   your.pcf   /etc/vpnc/default.conf

After creating the configuration file you can try to connect to the VPN by running;

# vpnc

It will ask for the user's password;

# Enter password for youusername@your.vpn.server :

Enter the password. If that succeeds you will see a message like this.

# VPNC started in background (pid: 18957)

If you want to disconnect from the VPN, simply type;

# vpnc-disconnect

It will then disconnect your session from the VPN and give a message like this.

# Terminating vpnc daemon (pid: 18957)

Apr 22, 2013

Setup a RedHat PXE server

You need to have the following packages and services installed and running.
Note: It is better to switch off iptables until you complete the whole process.

First mount the RHEL DVD to the system.

Then install vsftpd. I will use the vsftpd-* package from the RHEL6 installation DVD.
# cd /media/rhel6/Packages
# yum localinstall vsftpd-* -y
Then start the service and enable it at startup.
# service vsftpd start
# chkconfig vsftpd on
This will install vsftpd on the system. The installation creates the directory "/var/ftp/pub". We can create the OS installation repository in this location; it is the public folder of our FTP server.
# mkdir /var/ftp/pub/rhel6
I copy the full image to that location so we can use an FTP connection to do the installation.
# cp -r /media/rhel6/* /var/ftp/pub/rhel6
Create a repo file to use that location as a local repository.
# vim /etc/yum.repos.d/local.repo
in that file;
name=local repository
Then install the tftp service
# yum install -y tftp* xinetd*
Then you need to install the "system-config-netboot" package and its dependencies.
# wget
# wget
# wget
"system-config-netboot" depends on the "alchemist-" package, which in turn depends on the "python-abi" package. "python-abi" in turn requires python-2.4, but RHEL6 already has python-2.6. So we install "alchemist-" with the --nodeps flag.
# rpm -ivh alchemist-1.0.36-2.el5.x86_64.rpm --nodeps
# rpm -ivh system-config-netboot-*
The tftp-server package creates the "/tftpboot/linux-install/" directory. Now we need to edit the "/etc/xinetd.d/tftp" file to point the tftpboot path to this automatically created directory.
# vim /etc/xinetd.d/tftp
in that file;
server_args = -s /tftpboot # change the original "/var/lib/tftpboot" to "/tftpboot"
Now run this command to generate the PXE boot item.
# pxeos -a -i "RedHat EL 6" -p FTP -D 0 -s -L /pub/rhel6 RHEL6
This command will create a directory called "/tftpboot/linux-install/RHEL6".

Then restart xinetd and enable the xinetd and tftp services.
# service xinetd restart
# chkconfig xinetd on
# chkconfig tftp on
Now you need to install the DHCP service. This hands the TFTP server details to the machines that need to boot over the network.
# yum install dhcp -y
Then edit the dhcp configuration file.
# vim /etc/dhcp/dhcpd.conf
in that file;
option domain-name-servers;
allow bootp;
allow booting;

subnet netmask {
  option routers;

next-server; # name of your TFTP server
filename "linux-install/pxelinux.0"; # name of the boot loader program
Then restart the dhcp service.
# service dhcpd restart
# chkconfig dhcpd on

Put a kickstart configuration file in the FTP pub location "/var/ftp/pub/ks.cfg". Then edit the PXE boot menu;
# vim /tftpboot/linux-install/pxelinux.cfg/default
and add the kernel parameter (ks=) for the kickstart file.
label 1
  kernel RHEL6/vmlinuz
  append initrd=RHEL6/initrd.img ramdisk_size=16000 method= ip=dhcp ks=

Feb 10, 2013

Create a repo file for yum

You can find the yum repo files in this location.

cd /etc/yum.repos.d/

Create a new file with the extension .repo.

touch local.repo

Then open it using vim and add these lines.

name=my local repo

Feb 9, 2013

SSH with no password

On client:

First check whether the user has already generated a public and private key pair. To do that;

ls ~/.ssh/

If there is a key, do not regenerate the keys.

If there is no "id_*" file in that location you need to generate a key pair by;


Then you need to copy your public key to the server. To do that you can use this command.

ssh-copy-id user@server

If this process completes successfully you can ssh without giving your password.

ssh user@server

Now this will connect to the server without asking for the password.

Jan 30, 2013

SSH port forwarding

Symantec PGP decrypt a WDE drive using boot.iso

What can we do if a bootable PGP WDE drive fails to boot the OS correctly? Initially we can try a recovery operation using the OS bootable CD/DVD or restore to a previous known-good configuration point. But suppose those operations also fail to recover the OS boot process. Then the option is to reinstall the OS. But as the drive is encrypted, we can't simply reinstall the OS on the same drive. If we do, it will cause data loss. Therefore we need to decrypt the drive, install the OS, and then encrypt the drive again.

We can do two things in such a scenario.
1. Remove the drive, connect it as a slave drive to another machine with PGP installed, and decrypt it via PGP Desktop.
2. Use the boot.iso to boot the machine and decrypt the drive from the bootable CD.

In this post I will describe how to do it using the boot.iso or bootable PGP CD.

First you need to get the correct version of the boot image (boot.iso). It is important to have the same version as the installed Symantec PGP software to avoid any data loss.

The best way to get the boot.iso is to burn a CD image right after the initial PGP Desktop installation. You can get the image file from these locations according to the OS.

32-bit :- C:\Program Files\PGP Corporation\PGP Desktop\bootg.iso
64-bit :- C:\Program Files (x86)\PGP Corporation\PGP Desktop\bootg.iso

Or you can download it from the Symantec website.

Then boot from the CD drive. It will show the initial PGP login screen. Do not enter the user name and passphrase. If you can get to the "Advanced panel", go there and try to decrypt the drive (in my case I did not get an advanced panel). If not, press F4. It will take you to the WDRT window. Get the WDRT from the server and type it in. After submitting the WDRT, the boot disk (CD) will try to decrypt the encrypted drive. This process will take a very long time. Don't stop it, and make sure the power supply is stable.

Keep in mind that if something goes wrong it will cause data loss, and you won't be able to reverse the operation.

Jan 24, 2013

Clean URL using .htaccess

These days most websites use databases or a content management system (CMS). Some of those websites or systems have nice URLs like;

But some systems have URLs like;

Both URLs give the same output, but the clean URL is better for search engine optimization and easier to remember.

If you want to retrieve data from a database according to an input given in the URL you need to use a GET request. So how does a clean URL work?

In a clean URL scenario, the web server needs to do a redirection. The server redirects the clean URL request to the non-clean URL. Then, from the non-clean URL, the index page generates the relevant content. This redirection is not visible to the user. =>

So if you change the URL into something else, the value of the parameter changes to match, like; =>

Then the index page will generate the relevant content according to that value.

To do these things you need to enable some web server options. First you need to enable '.htaccess'. Then you need to enable the 'mod_rewrite' module. '.htaccess' is a per-directory server settings file. You can set web server settings via this file, and if you do something wrong it can damage the web server's operation too.

Place a '.htaccess' file in the root of your website and add these lines to it.

RewriteEngine On
RewriteRule ^([a-zA-Z0-9]+)$ index.php?q=$1
RewriteRule ^([a-zA-Z0-9]+)/$ index.php?q=$1

Jan 19, 2013

Resume Symantec PGP whole disk encryption.

Sometimes when you are encrypting a disk using the Symantec PGP Whole Disk Encryption tool it gets paused. But when you try to resume the PGP encryption via the graphical user interface it won't work. In such a scenario you need to use the command line PGP tool, which can resume the encryption.

First you need to open the command line by pressing Windows key + R (it will open the Run dialog) and typing "cmd" without quotes.

Then change the working directory using;
if the system is 32 bit :-
 cd C:\Program Files\PGP Corporation\PGP Desktop\

or if the system is 64 bit :-
 cd C:\Program Files (x86)\PGP Corporation\PGP Desktop\

Then type;

PGPWDE --disk 0 --stop -p

PGPWDE --disk 0 --resume -p

Now you can check the progress via the graphical user interface. You can also use this tool to do everything the GUI does.

Jan 17, 2013

Encrypt a portable drive using TrueCrypt

TrueCrypt is a good free and open source disk encryption software which supports all major operating systems. There are two ways to encrypt data on a portable disk. One way is to encrypt the whole disk. But if you encrypt the whole disk you need to have TrueCrypt on the host machine to view the data on it. If you choose the other way, you can keep a portable TrueCrypt on the same disk with the encrypted data.

I will describe the second way. I think it is more user friendly to have a portable TrueCrypt together with an encrypted data file. First we need to download and create a portable version of TrueCrypt.

You can download it from : (> 4 MB)

Double click on the downloaded executable;

1. Accept the license agreement.
2. Select the second option - "Extract" and click next.
3. Accept both warnings and proceed.
4. Browse the portable disk and set a folder name to store TrueCrypt. ( I:\TrueCrypt\ )

Now you have a portable version of TrueCrypt. Next you need to create an encrypted volume. In this scenario we are not going to encrypt the whole disk. We can create an encrypted container and put our valuable data into it. Then the container and the portable TrueCrypt can both be stored on the portable device.

To create the encrypted container;

1. Run the "TrueCrypt Format.exe".
2. Select the first option - "Create an encrypted file container"
3. Select the first option - "Standard TrueCrypt volume"
4. Set the file path within the portable device ( I:\TrueCrypt\encrypted_datafile ) and save.
5. Set the encryption algorithm.
6. Give the volume size you need.
7. Give a strong password. This is what you will use to access the encrypted data in the container.
8. Format the volume and continue the wizard.

Now we need to mount the encrypted container to the system. To do that;

1. Run the "TrueCrypt.exe".
2. Select an available drive letter to mount the container on the system.
3. Press the "Select File ..." button and browse to the created container on the portable device.
4. Click on the "Mount" button.
5. Give the relevant password.
6. Browse the mounted drive and store your valuable information there.
7. Click on "Dismount" to dismount the container.

Note: You need to have Administrator rights (or rights to mount a disk on the OS) to run TrueCrypt in portable mode.

Jan 15, 2013

Set proxy settings on apt

Apt is the default package manager in most Debian distributions, including Ubuntu. If the system is behind a proxy and a firewall, the systems administrator needs to set proxy settings on the system in order to connect it to the Internet. The systems administrator can use the method that I described in a previous post to set proxy settings on the system. But apt will not use those settings when it tries to connect to the Internet. Therefore the systems administrator needs to set those proxy settings in apt's own configuration file. To do that;

You need to edit the '/etc/apt/apt.conf' file or, if that file does not exist, add a new file at '/etc/apt/apt.conf.d/01proxy'.

Then add the following line to one of these files.

Acquire::http::Proxy "http://[proxy server ip]:[proxy listening port]";

You need root level privileges to do this task. After editing the file you can run "apt-get update" to update the apt database.

Jan 14, 2013

Run a specific command as root without root password

In most Linux/Unix systems users need special privileges to run some commands, especially to stop a service, mount a device and the like. In these scenarios most old Linux/Unix systems used the command 'su -'. But this command requires the root user's password. Sharing the root password with other users is not good practice. Therefore we need some other way to do this task.

The 'sudo' command allows non-privileged users to run various commands as the root user without the root password. The root user can specify which user or user group can run which command(s) as root or as any other user. That information is saved in the configuration file '/etc/sudoers'. But I strongly advise you not to edit that file directly, because if there is an error it will cause the system to malfunction. The best way to make these changes is to use the 'visudo' command. Though you edit the same file via this command, it checks the syntax before it saves those changes to the configuration file permanently.

For example, think that there is a Linux based proxy server running in your office environment. Normally you make lots of changes upon request. (It's not very good practice.) So you want the help of a new trainee to handle the proxy server. But there are a few problems. One is that you need to restart the proxy service to activate a configuration change. And you may also have some other services running on the same host. So the server is critical, but you need to provide some high level privileges to an inexperienced user.

Now you need to provide high privileges to the user, but only to run some identified commands. According to the example you need to provide privileges to edit the "squid.conf" file and to restart the squid service. You can do these things in many different ways in the "sudoers" file.

Run 'visudo' and go to the line "root  ALL=(ALL) ALL". Add the following on the next line.

bob squidhost= NOPASSWD: /usr/bin/vim /etc/squid/squid.conf, /sbin/service squid

In the first part you set the user name. In this case it's bob. If you want to set a group instead, add a "%" sign in front of the group name.

In the second part you specify the hostname.

Then you can add "NOPASSWD:" between the equals (=) sign and the commands so that the user is not asked for a password when running those commands. If you remove it, the system will ask the user for his/her own password each time he/she runs one of these commands.

Then you specify the commands you want to grant to the user. Absolute paths are required when specifying commands and configuration files. Keep in mind that an editor started through sudo can also launch other programs, so a rule like this grants more than editing of that one file; for delegating edits of a single file, sudo's "sudoedit" is the safer choice.

Jan 13, 2013

Why we use GitHub in our final project?

As undergraduates we need to do a project to complete our degree. According to my institute it should be a group project. After a few reviews and discussions we chose to build a secure and redundant backup system for an enterprise network. In the initial planning stage we realised that this project would have a heavy coding part.

Although we had a heavy coding part, no one had time to do source code management, because all four members of the team held jobs while doing the degree. From the design we divided the project into several modules and assigned each module to a particular member. But we knew that at some point we would need to merge those modules into a single unit. From work experience we knew that even though one member develops a module, on some occasions others also need to edit the same module to make it work with the main system. Then we need to manage those changes and revisions.

So we needed some sort of system to do this source code management task. Most of the companies we work for use Subversion (SVN) or CVS, and a few use Git. But there was a problem. All these tools require a centralized location to store the source code (the repository). (Git works in a slightly different way, as it is a distributed version control system.) We didn't have a public IP to host a small server, or an Amazon EC2 free tier cloud instance, to use as a centralized location.

I remembered hearing about something called GitHub while working. I already had an account there but hadn't done anything with it. We did some basic testing and agreed to use it as our central repository. On GitHub you can select a free or a paid service. As our project is free and open source, we decided to go with the free option.

GitHub is a web based hosting service for Git repositories. Simply put, it hosts or stores your source code managed by the Git system. Git is a distributed version control system designed to handle everything from small to very large projects with speed and efficiency. The Linux kernel development project, which is the biggest community driven project in the world, is also managed with Git. GitHub turns this powerful tool into a very user friendly and interesting tool for beginners. Even without prior experience any IT person can use this web based service to do the majority of the tasks performed with Git.

So we created a temporary repository and did some basic testing. Then I initialized a new repository for the project and added the other members to it. I was responsible for developing the system core module. I did the initial coding and pushed it to GitHub. Most IDEs support doing this from the IDE itself. The others took a clone of the repository and built their modules on top of it. We committed each change we made. This helped us revert a change if there was an error after it. As commits are local to the user, after a successful change each person pushed their changes to the central repository (GitHub). From time to time we pulled updates from the central repository to make sure the local copy was up to date. In a few scenarios we had conflicts, but we managed those easily with the help of the IDEs.

Via the GitHub web GUI we easily identified the changes made by each member. It has some graphs providing information about the project and each member's involvement. Anyone other than the specified team members can get a clone of the project, but they won't be able to push to the main repository. The only thing they can do is submit a pull request. The repository owner can view the changes and has the authority to allow or deny the request. With that flexibility we can get more help from others without any trouble.

For more info :

Linus Torvalds visits Google to share his thoughts on Git :

GitHub help :

Our project on GitHub :

Jan 11, 2013

Cisco VPN error - 442: Failed to enable Virtual Adapter

If you install the Cisco VPN client on Windows 7 you may sometimes see an error saying;

Reason 442: Failed to enable Virtual Adapter

In such a scenario try the following.

First go to Services (or type "services" in the search box) and find the "Internet Connection Sharing (ICS)" service. Stop that service and change its start-up type to Manual. Then try to restart the "Cisco Systems, Inc. VPN Service" service.

Now try to use the VPN client.

Jan 10, 2013

Access a windows share from CentOS

Sometimes Linux users want to connect to a Windows share and copy something from it. To do this we have two options. One is to use the graphical user interface (GUI). The second is to use the terminal or command line. Both have their own good and bad points.

Whatever the method, you need to install two packages to do this task: "samba-client" and "samba-common". You can use yum to install those packages.

If you want to access the '\\host\folder' Windows share from the command line, do it like this.

smbclient //host/folder -U username

If it prompts something like "smb: \>", you have successfully connected to the shared folder. Then type help to get more information.

If you want to access the same folder via the GUI, you need to open a Nautilus window and type;


Then it will prompt you for the domain/workgroup and the password. If those are correct you can use the Windows share.

Jan 9, 2013

Install Key Management Service (KMS)

In Windows, whenever you install new software you need to activate it with Microsoft over the Internet. In a large network doing that is hard work. Most of the time large organizations use a 'Volume License' when they purchase Microsoft products. Then managing those volume licenses is another problem. We can use the Key Management Service to handle this problem.

First of all you need to get the KMS key from your "Microsoft Volume License Service Center". Assume that we are going to install KMS on a Windows Server 2008 R2 which is already in the domain and logged in as a domain administrator. (If not, you need to add a DNS entry to the DNS server manually.) Then you need to locate the KMS key "Windows Server 2008 Std/Ent KMS B".

Then log in to that server and change the product key to this KMS B key as follows.
Right click on "My Computer" -> Properties. Click on the "Change Product Key" link. It will open another window. Add the "KMS B" key there and continue. It will give a warning saying "You have entered a Key Management Service Key ...". Click OK on that.

Then you need to open the KMS port on the local firewall to the domain. To do that, open the Windows firewall, select "Allow programs to communicate through Windows Firewall" and tick "Key Management Service". Then press the OK button to save the changed settings.

Now you have almost installed the KMS. To verify the installation we can type;

nslookup -type=srv _vlmcs._tcp

on a client machine. If it gives the correct IP/domain address of the KMS host you have successfully installed the key management service for your network.

Now you can use these ( KMS dummy keys to activate other clients using this installed KMS service.

Note: You have to have at least the minimum number of computers or virtual instances to use this service. We can get those activation threshold details from:

Jan 7, 2013

Copy files using SCP

SCP is a very basic command used to copy files between two systems securely. The basic command is like this;

scp /local/file/goingto.copy  remoteuser@remotehost:/remote/location/

I want to copy a file called 'mydoc.txt' from my home directory to a web folder on the web server. That will be;

scp /home/thilina/documents/mydoc.txt  webuser@websvr:/var/www/html/

Suppose you need to copy a whole directory somewhere else using this. You only need to add '-r' to the previous command.

scp -r /home/thilina/documents/ webuser@websvr:/var/www/html/

Jan 6, 2013

Schedule tasks in Linux using cron

Cron is used to schedule tasks in Linux/Unix systems. It runs as a daemon on the system. In most systems crond (the cron daemon) is available and configured to run at startup by default. You can check it using;

ps -ef  | grep cron

If it is not running at the startup, start the daemon

service crond start

and set it to start at the system startup.

chkconfig crond on

Then you can do the scheduling. If you view the '/etc/crontab' file you get all the information needed to automate the execution of a command.


# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed

You can run these commands as either root or a normal user. Type 'crontab -e' to add/edit cron jobs. If you type 'crontab -e' as a normal user, it opens a user specific cron list. If you need to schedule a task which requires admin privileges, you need to log in as root and type 'crontab -e'. Note that the next two examples are written in the /etc/crontab form with the user-name field; that field exists only in /etc/crontab and /etc/cron.d, so in a crontab opened with 'crontab -e' it is omitted, as in the @reboot lines further down.

Do a task every 15 min.

*/15 * * * * root /usr/bin/command

or, equivalently;

0,15,30,45 * * * *  root /usr/bin/command

There are some more keywords you can use when scheduling tasks. Those are;

@yearly or @annually
@daily or @midnight

You can use it like this;

@reboot  /root/scripts/

You can redirect the output of the command to a specific log file like this;

@reboot  /root/scripts/  >>/var/log/mystartupcron.log 2>&1

Note: Try to use absolute paths when editing commands in crontab.
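To see how cron reads the five time fields shown above, here is an added example (my own code, not part of the original post) that expands *, lists, ranges, */step and the @ nicknames, and applies cron's rule that a restricted day-of-month and a restricted day-of-week are ORed. It confirms that "*/15 * * * *" and "0,15,30,45 * * * *" fire at exactly the same minutes.

```python
"""Matcher for the five time fields of a crontab line.

Added example, not from the original post. It implements the field syntax shown in
the /etc/crontab header (*, lists, ranges, */step and the @ nicknames), so that two
schedules can be compared minute by minute, and it applies cron's rule that a
restricted day-of-month and a restricted day-of-week are ORed together.
"""

# (low, high) for minute, hour, day of month, month, day of week (0 or 7 = Sunday).
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]
FIELD_NAMES = ["minute", "hour", "dom", "month", "dow"]

# Keyword schedules accepted by crontab(5); @reboot has no time-field equivalent.
NICKNAMES = {
    "@yearly": "0 0 1 1 *", "@annually": "0 0 1 1 *", "@monthly": "0 0 1 * *",
    "@weekly": "0 0 * * 0", "@daily": "0 0 * * *", "@midnight": "0 0 * * *",
    "@hourly": "0 * * * *",
}


def expand_field(field, low, high):
    """Expand one field ('*', '*/15', '0,15,30,45', '1-5', '1-5/2') into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"bad step in {field!r}")
        if part == "*":
            start, end = low, high
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not low <= start <= end <= high:
            raise ValueError(f"{field!r} outside {low}-{high}")
        values.update(range(start, end + 1, step))
    return values


def parse_schedule(line):
    """Parse the time part of a crontab line into a dict of allowed values per field.

    Sunday is normalised to 0. The dom_star/dow_star flags record whether the day
    fields were unrestricted, which cron needs to decide between AND and OR.
    """
    line = line.strip()
    if line.startswith("@"):
        keyword = line.split()[0]
        if keyword not in NICKNAMES:
            raise ValueError(f"{keyword} cannot be expressed as time fields")
        line = NICKNAMES[keyword]
    fields = line.split()[:5]
    if len(fields) != 5:
        raise ValueError("expected five time fields")
    sched = {name: expand_field(f, lo, hi)
             for name, f, (lo, hi) in zip(FIELD_NAMES, fields, FIELD_RANGES)}
    if 7 in sched["dow"]:
        sched["dow"].discard(7)
        sched["dow"].add(0)
    sched["dom_star"] = fields[2] == "*"
    sched["dow_star"] = fields[4] == "*"
    return sched


def matches(sched, minute, hour, dom, month, dow):
    """True if the schedule fires at this time (dow: 0=Sunday .. 6=Saturday)."""
    if minute not in sched["minute"] or hour not in sched["hour"] or month not in sched["month"]:
        return False
    dom_ok = dom in sched["dom"]
    dow_ok = (dow % 7) in sched["dow"]
    if sched["dom_star"] or sched["dow_star"]:
        return dom_ok and dow_ok  # only one day field restricts, so both must hold
    return dom_ok or dow_ok       # both restricted: cron fires when either matches


def firing_times(sched, dom, month, dow):
    """Sorted (hour, minute) pairs at which the schedule fires on the given day."""
    return sorted((h, m) for h in range(24) for m in range(60)
                  if matches(sched, m, h, dom, month, dow))


if __name__ == "__main__":
    every15 = parse_schedule("*/15 * * * *")
    listed = parse_schedule("0,15,30,45 * * * *")
    print(firing_times(every15, 15, 1, 2) == firing_times(listed, 15, 1, 2))  # True
```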

Jan 5, 2013

Open a Linux firewall port - IPTables

iptables is the default firewall in any Unix/Linux system. If we host a service such as FTP or a web server, we need to open some ports in order to use that service from remote hosts. For that we need to edit the firewall configuration.

First we can check the status of iptables by running this command;

service iptables status

By default most systems open the ssh port 22. Now we need to dump the running configuration to edit it. To do that;

iptables-save > /tmp/iptables

This command dumps the running iptables configuration into a file, which will look like this.

# Generated by iptables-save v1.4.7 on ...
:OUTPUT ACCEPT [39:2878]
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
# Completed on ...

Assume that we need to run a web server on this host. Web servers usually run on port 80. Therefore we need to allow port 80. To allow it we can add a line similar to the ssh rule, before the REJECT rule.

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 

Then you need to feed this configuration back to iptables. To do that;

iptables-restore < /tmp/iptables

Now if you run 'service iptables status', you can see that port 80 is also allowed. But if you restart the service (service iptables restart) or reboot the machine, those changes will be gone. That's because the service loads a default configuration file at initialization. This default file differs from system to system. On CentOS systems that file is located at '/etc/sysconfig/iptables'. After everything is complete, you can save the running iptables configuration into that file itself.

But it is better to use an alternative method like a cron job to load this modified iptables configuration. To do that you need to add a cron job as root by;

crontab -e

and add;

@reboot /sbin/iptables-restore < /root/myiptables

The modified iptables rule set must be placed at that location.

Note: In a few Linux distributions there is another firewall called 'SELinux'. If you still have an issue after changing these iptables settings, it is better to check the SELinux settings too.
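The manual edit above only works if the new ACCEPT line lands before the INPUT chain's catch-all REJECT; appended after it, the rule is never reached. Here is an added example (my own code, not from the original post) that inserts the rule in the right place and checks which accepted ports are actually reachable; SAMPLE_DUMP is a constructed dump in the same form as the one above, with the *filter/COMMIT lines that iptables-restore needs.

```python
"""Insert an ACCEPT rule for a TCP port into an iptables-save dump, in the right place.

Added example, not from the original post. The new rule goes just before the INPUT
chain's catch-all REJECT, because any rule after it is never reached, and
reachable_accepted_ports() is the check for exactly that shadowing.
"""
import re

# Constructed sample; the counters and the port-22 rule mirror the dump shown above.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.7 (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39:2878]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed
"""

# A catch-all INPUT rule: no match criteria at all, just the target.
CATCH_ALL = re.compile(r"^-A INPUT -j (REJECT|DROP)\b")
# An INPUT rule accepting a single destination port.
ACCEPT_DPORT = re.compile(r"^-A INPUT .*--dport (\d+) .*-j ACCEPT$")


def accept_rule(port):
    """Build the same kind of rule as the port-22 line in the dump."""
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid TCP port {port}")
    return f"-A INPUT -p tcp -m state --state NEW -m tcp --dport {port} -j ACCEPT"


def allow_tcp_port(dump, port):
    """Return `dump` with an ACCEPT rule for `port` placed just before the INPUT catch-all.

    Idempotent: if the same rule is already reachable, the dump is returned unchanged.
    A dump with no catch-all is refused rather than guessed at, since that by itself
    means the INPUT chain is wide open and should be looked at first.
    """
    lines = dump.splitlines()
    rule = accept_rule(port)
    for index, line in enumerate(lines):
        if CATCH_ALL.match(line):
            if rule in lines[:index]:
                return dump
            lines.insert(index, rule)
            return "\n".join(lines) + "\n"
    raise ValueError("INPUT chain has no catch-all REJECT/DROP rule")


def reachable_accepted_ports(dump):
    """Ports accepted by INPUT rules that precede the catch-all; anything after it is shadowed."""
    ports = []
    for line in dump.splitlines():
        if CATCH_ALL.match(line):
            break
        found = ACCEPT_DPORT.match(line)
        if found:
            ports.append(int(found.group(1)))
    return ports


if __name__ == "__main__":
    updated = allow_tcp_port(SAMPLE_DUMP, 80)
    print(updated)
    print(reachable_accepted_ports(updated))  # [22, 80]
```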

Jan 4, 2013

Deny Youtube in office hours using Squid proxy

We can use Squid cache as an Internet access control system. In this post I will show you how to configure squid to control access to a website.

You need to edit the '/etc/squid/squid.conf' file to make these changes.

First we need to define our local network (eg : ). To do that we can edit the 'acl localnet src * ' line in the config file to;

acl localnet src

Then assume that we need to block YouTube access within working hours for all users in the network. Therefore we need to define the working hours in the configuration file. This configuration should come soon after the 'Safe_ports' definitions.

acl officehours time M T W H F 8:00-17:00

Now you can give the host name of the host machine by;


If anyone needs to access YouTube within office hours we need an option for that. For example, we can set a YouTube-allowed IP range and/or some individual IP addresses like this.

acl allowyoutube src
acl allowyoutube src
acl allowyoutube src

Now we can block YouTube for all users except those special users by setting;

acl youtube dstdomain
http_access deny CONNECT youtube !allowyoutube officehours
http_access deny youtube !allowyoutube officehours

# deny access to not safe and non-ssl ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# allow only local network
http_access allow localnet
http_access deny all

Then restart the squid service and see the logs in '/var/log/squid/' for more information.
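Whether the rules above do what you expect depends on Squid's evaluation order: rules are tried top to bottom, a rule matches only when every ACL on it matches ('!' negates one), and the first match decides. Here is an added example (my own code, not from the original post) that evaluates the http_access list from this post against sample requests; the network, address, domain and hour values are constructed stand-ins for the blanks in the configuration above.

```python
"""Evaluate a squid.conf http_access list the way Squid does.

Added example, not from the original post. Rules are tried in order, a rule matches
only when every ACL listed on it matches ('!' negates one ACL), and the first
matching rule decides; if nothing matches, Squid applies the opposite of the last
rule's action. The ACL values are constructed stand-ins for the blanks above.
"""
import ipaddress
from datetime import datetime

# name -> (type, values). Constructed sample values.
ACLS = {
    "localnet": ("src", ["192.168.1.0/24"]),
    "allowyoutube": ("src", ["192.168.1.0/28", "192.168.1.50", "192.168.1.51"]),
    "officehours": ("time", [("MTWHF", "8:00", "17:00")]),
    "youtube": ("dstdomain", [".youtube.com"]),
    "Safe_ports": ("port", [80, 21, 443]),
    "SSL_ports": ("port", [443]),
}

# The http_access lines from the post, in the same order.
HTTP_ACCESS = [
    ("deny", ["CONNECT", "youtube", "!allowyoutube", "officehours"]),
    ("deny", ["youtube", "!allowyoutube", "officehours"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]

DAY_CODES = "MTWHFAS"  # Squid's one-letter day codes, Monday first


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def acl_matches(name, request):
    """Does the named ACL match the request dict (src, host, port, method, time)?"""
    if name == "all":
        return True
    if name == "CONNECT":
        return request["method"] == "CONNECT"
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(request["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = request["host"].lower()
        # A leading dot matches the domain itself and every subdomain.
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if kind == "port":
        return request["port"] in values
    if kind == "time":
        when = request["time"]
        now = when.hour * 60 + when.minute
        return any(DAY_CODES[when.weekday()] in days and _minutes(start) <= now <= _minutes(end)
                   for days, start, end in values)
    raise ValueError(f"unsupported acl type {kind}")


def _term_matches(term, request):
    """One ACL reference on an http_access line, honouring a leading '!'."""
    if term.startswith("!"):
        return not acl_matches(term[1:], request)
    return acl_matches(term, request)


def http_access(request):
    """Return 'allow' or 'deny' for the request, following Squid's evaluation order."""
    for action, acl_names in HTTP_ACCESS:
        if all(_term_matches(term, request) for term in acl_names):
            return action
    return "deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"


def request(src, host, port=80, method="GET", time=datetime(2013, 1, 8, 10, 0)):
    """Build a request dict; the default time is a Tuesday at 10:00 (office hours)."""
    return {"src": src, "host": host, "port": port, "method": method, "time": time}


if __name__ == "__main__":
    print(http_access(request("192.168.1.100", "www.youtube.com")))  # deny
    print(http_access(request("192.168.1.50", "www.youtube.com")))   # allow
```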

Jan 3, 2013

Set proxy settings on Linux systems

If a system is connected to the Internet via a proxy server, we need to give that information to the system. To do that, we can use the '/etc/environment' file to set system wide proxy settings.

You just need to add the proxy server IP or the domain name and the port number.

If you need some hosts to bypass the proxy server you need to add this;

Some software products refer to the upper case versions of those variables, therefore it is better to add an upper case copy of the same settings.

Even though you add proxy settings here, some tools like apt-get will not use them. In such a case you need to refer to the configuration guide of that tool.
You can set user specific proxy settings by setting those environment variables in the '~/.bash_profile' file.

Jan 2, 2013

A Simple Centralized Log Server Using Rsyslog

Logs are very useful when it comes to forensic operations. But most systems keep all the logs on the same host machine. Keeping logs on the same host machine is not very useful, because an attacker can destroy all the logs on that compromised host.

Therefore we use a secure centralized log server to collect all the logs. All the systems and devices on the network send a copy of each log entry to this centralized log server.

In this post I'm going to set up a simple centralized log server using rsyslog. Most Linux systems have rsyslog installed by default. You just need to edit some configuration files.

In this setup we have a centralized log server (the server) and a client (simulating a system or a device on the network). First I configure the server part and then I will move to the client part.

Server :-

Edit the
to enable the UDP module and make rsyslog listen on UDP port 514.

# provides UDP syslog reception. For TCP, load imtcp.
$ModLoad imudp

# For TCP, InputServerRun 514
$UDPServerRun 514

Then you need to restart the rsyslog service.
service syslogd restart

Now rsyslog on that host will work as the centralized log server.

Check the firewalls, iptables and SELinux settings and allow UDP port 514 to receive data from other devices on the network.

You can use
tcpdump -i eth0 port 514
to see all incoming syslog data.

Client :-

You need to edit the same file on the client in order to forward logs to the centralized log server.

*.* @

Here '*.*' means all the logs, a single '@' sign means use the UDP protocol, and it is followed by the server IP and the listening port of the centralized log server.

After editing the configurations file you need to restart the rsyslog.

View collected logs:-

By default all the forwarded logs are appended to the messages log on the centralized server. You can view those messages by viewing the

As the logs are in plain text, forwarding them over plain UDP/TCP is not good practice.
Add filters and try to manage logs without just logging all into a single file.
Do proper log rotation.
Use log correlation mechanisms to take proactive decisions.
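What actually crosses the wire for the '*.* @server' line above is one BSD-style syslog datagram per event, "<PRI>Mmm dd hh:mm:ss host tag: text", and the filters recommended above work by decoding PRI into facility and severity. Here is an added example (my own code, not from the original post) that builds such a message, parses it as the central server would, validating the header because forwarded logs are untrusted network input, and emulates selectors such as 'auth.*' and '*.err'; send_over_loopback() is a constructed stand-in for the UDP hop, using a listener on 127.0.0.1 instead of port 514.

```python
"""Build, parse and filter syslog messages in the BSD form rsyslog sends for '*.* @server'.

Added example, not from the original post. PRI = facility * 8 + severity; the
central server decodes it to apply selectors such as 'auth.*' or '*.err'.
"""
import socket

FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp"]
              + [f"reserved{n}" for n in range(12, 16)]
              + [f"local{n}" for n in range(8)])
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def build_message(facility, severity, hostname, tag, text, timestamp="Jan  2 10:15:01"):
    """Format one syslog datagram; the timestamp is fixed so results are reproducible."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    return f"<{pri}>{timestamp} {hostname} {tag}: {text}"


def parse_message(raw):
    """Decode a received datagram into its parts; rejects malformed headers.

    Forwarded logs are untrusted input from the network, so the parser validates the
    PRI and timestamp instead of assuming they are well-formed.
    """
    end = raw.find(">", 1, 5)
    if not raw.startswith("<") or end == -1 or not raw[1:end].isdigit():
        raise ValueError("missing or malformed PRI")
    pri = int(raw[1:end])
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    rest = raw[end + 1:]
    if len(rest) < 16 or rest[15] != " ":
        raise ValueError("malformed timestamp")
    timestamp, remainder = rest[:15], rest[16:]
    hostname, _, message = remainder.partition(" ")
    tag, _, text = message.partition(": ")
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "timestamp": timestamp, "hostname": hostname, "tag": tag, "text": text}


def selector_matches(selector, facility, severity):
    """Emulate an rsyslog selector: 'auth.*', '*.err' (err and more urgent), 'cron.none'."""
    sel_facility, _, sel_severity = selector.partition(".")
    if sel_facility != "*" and sel_facility != facility:
        return False
    if sel_severity == "*":
        return True
    if sel_severity == "none":
        return False
    return SEVERITIES.index(severity) <= SEVERITIES.index(sel_severity)


def send_over_loopback(message):
    """Deliver one datagram to a local UDP listener and return what arrived (demo only)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))  # any free port, standing in for 514
    listener.settimeout(2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(message.encode("utf-8"), listener.getsockname())
        data, _ = listener.recvfrom(65535)
    finally:
        sender.close()
        listener.close()
    return data.decode("utf-8")


if __name__ == "__main__":
    line = build_message("auth", "info", "client1", "sshd[1234]", "Accepted publickey for bob")
    print(parse_message(send_over_loopback(line)))
```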

Jan 1, 2013

Celebrating the new year while restoring the website

First of all I wish you a happy and prosperous new year ...!!! I would like to say that I'm back to blogging after a couple of months and hope to continue it for a while without failing.
Today is the first day of the year 2013. This year is special to me because from now on I am not a "Student" any more. Last year I completed my degree and now I am working as an intern. Probably I will get my first job this year.
With all these hopes I woke up early in the morning as usual. Being an IT student, the first thing I do is check my online activities while having a cup of tea. I spent a few minutes on those websites and then visited my personal website. I had wanted to change it but skipped it, as it is a time consuming task. Surprisingly it showed a different web page instead of my normal front page. It said that the website was owned by some group. Oops ..!! What would you feel if you saw something like that within the first few minutes of a new year? My website had been hacked. I checked some links on the website and realised that they had only changed the front page. With crossed fingers I replaced the front page and luckily that worked. What a new year ...???
With this incident I hope this will be a year of change for me!