
Welcome to My Blog

This is to share my IT experience with friends all around the world.
I have been working with Linux Fedora systems for more than 8 years. It's fun to share knowledge and learn.
As everyone knows, when a problem arises in your systems, "googling" is what many people depend on.

All the posts here are my working experiences during my working life, so you can count on them.

I have added the references where I got help in solving IT issues.


Tuesday, September 20, 2011

Run Postfix in both IPv6 and IPv4

If you want your Postfix server to listen on both its IPv4 and IPv6 addresses, add the following line to /etc/postfix/main.cf:

inet_protocols = ipv4, ipv6

Restart the server (/etc/init.d/postfix restart); a reload will not pick up this setting.

Check whether the service is listening on both IPv4 and IPv6:
Run netstat -nat and, among all the other services, you should see the following lines
tcp        0      0 0.0.0.0:25     0.0.0.0:*                   LISTEN     
tcp        0      0 :::25              :::*                    LISTEN


Note
This assumes the server's interface card is already configured with both an IPv6 and an IPv4 address and with proper routing/gateway settings.
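As an added example (not from the original post), a small POSIX shell check that reads netstat -nat output and confirms a port is listening on both address families; the function name listening_families is mine and the sample rows are constructed from the output shown above.

```shell
# Added example, not from the original post: checks a "netstat -nat" listing
# (read from stdin) for a TCP port in LISTEN state on both the IPv4 wildcard
# 0.0.0.0 and the IPv6 wildcard ::. Newer net-tools print "tcp6" on the IPv6
# row, so both spellings are accepted. Exit status 0 means both are present.
listening_families() {
    awk -v port="$1" '
        ($1 == "tcp" || $1 == "tcp6") && $NF == "LISTEN" {
            if ($4 == ("0.0.0.0:" port)) v4 = 1      # IPv4 wildcard socket
            if ($4 == (":::" port))      v6 = 1      # IPv6 wildcard socket
        }
        END {
            if (v4 && v6)  { print "both";      exit 0 }
            else if (v4)   { print "ipv4-only"; exit 1 }
            else if (v6)   { print "ipv6-only"; exit 1 }
            else           { print "none";      exit 1 }
        }'
}

# Constructed sample of the two rows expected after the restart.
SAMPLE_OK='tcp        0      0 0.0.0.0:25     0.0.0.0:*        LISTEN
tcp        0      0 :::25          :::*             LISTEN'
# Constructed sample of a server that still listens on IPv4 only.
SAMPLE_V4='tcp        0      0 0.0.0.0:25     0.0.0.0:*        LISTEN'

# Live check on the mail server itself:  netstat -nat | listening_families 25
printf '%s\n' "$SAMPLE_OK" | listening_families 25     # prints: both
```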

Friday, September 16, 2011

Simple NAT64 Setup


Configuring a proxy server with IPv6/IPv4 connectivity does not let IPv6-only users reach resources other than the web (HTTP, HTTPS, FTP etc.). For example, a printer with IPv4-only connectivity or an IPv4-only POP server is not reachable through a proxy server. What can you do to make IPv4 resources reachable from an IPv6-only network?

When we had this issue we thought of implementing a NAT-PT server in our IPv6 network, but NAT-PT has been deprecated by RFC 4966 due to a number of issues with it.

Then we tried NAT64 with DNS64. We obtained an open source NAT64 gateway live CD from Ecdysis (http://ecdysis.viagenie.ca/) and installed it on a server. It runs on a customized Fedora OS. The NAT64 system architecture is shown below.
                                                      +-------------+
                            +-------------------------+IPv6 Internet|
                            |                         +-------------+
                            |          +-----+
                 +------+   |     +----+NAT64+----+
       IPv6 host-+      |   |    /     +-----+     \  +-------------+
                 | CPE  +--IPv6-<                   >-+IPv4 Internet|
       IPv6 host-+router|        \ +-------------+ /  +-------------+
                 +------+         ++DNS rewriting|+
                                   +-------------+
This diagram is from http://www.viagenie.ca/ietf/draft/draft-wing-nat-pt-replacement-comparison-02.txt
 
The steps we followed in configuring NAT64/DNS64 are as follows:

Settings at the NAT64/DNS64 gateway
  • Install the NAT64 server on a PC with 2 interface cards
  • Log in to the server and configure the interfaces with IPv4 and IPv6 addresses according to the network setup
  • Run the provided script magic-quick-start.sh
  • Check the network configuration
    • You should see a nat64 interface when you run ifconfig
  • Set the firewall rules in iptables and ip6tables
    • This is important, as many attacks may come through

Settings at your IPv6 clients
  • Set the DNS server to the NAT64 server's IPv6 address
  • Add a route for 64:ff9b::/64 to the NAT64 gateway's IPv6 address
Finally, you can verify the settings at the client end by querying an IPv4-only resource for an AAAA record,

e.g. dig chamaradisanayake.blogspot.com AAAA

(Here chamaradisanayake.blogspot.com has no IPv6 address, but we are asking the NAT64/DNS64 gateway to give us one)

If everything is fine you should get an answer like

chamaradisanayake.blogspot.com. 929 IN CNAME blogspot.l.google.com.

blogspot.l.google.com. 139 IN AAAA 64:ff9b::d155:af84


Here 64:ff9b:: is the prefix added by the DNS64 server and d155:af84 is the hexadecimal representation of the IPv4 address of chamaradisanayake.blogspot.com.
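As an added example (not from the original post), two POSIX shell functions that do the conversion described above in both directions, so a synthesized AAAA answer can be checked against the real IPv4 address; the function names dns64_synth and dns64_decode are mine, and the NAT64_PREFIX variable assumes the 64:ff9b:: prefix used by the gateway above.

```shell
# Added example, not from the original post: converts between an IPv4 address and
# the AAAA record a DNS64 server synthesises under the 64:ff9b:: prefix, so an
# answer such as 64:ff9b::d155:af84 can be checked against an ordinary A lookup.
# Only the compressed form shown above (prefix, "::", IPv4 in the low 32 bits) is
# handled; set NAT64_PREFIX if your gateway uses a different prefix.
NAT64_PREFIX="64:ff9b::"

# 209.85.175.132 -> 64:ff9b::d155:af84 (two octets per 16-bit group, no leading zeros)
dns64_synth() {
    IFS=. read -r o1 o2 o3 o4 extra <<EOF
$1
EOF
    [ -n "$o4" ] && [ -z "$extra" ] || { echo "dns64_synth: need a.b.c.d" >&2; return 1; }
    for o in "$o1" "$o2" "$o3" "$o4"; do          # digits only, no leading zeros, <= 255
        case $o in ''|*[!0-9]*|0[0-9]*) echo "dns64_synth: bad octet '$o'" >&2; return 1 ;; esac
        [ "$o" -le 255 ] || { echo "dns64_synth: bad octet '$o'" >&2; return 1; }
    done
    printf '%s%x:%x\n' "$NAT64_PREFIX" $(( o1 * 256 + o2 )) $(( o3 * 256 + o4 ))
}

# 64:ff9b::d155:af84 -> 209.85.175.132 (split the last 32 bits back into octets)
dns64_decode() {
    case $1 in
        "$NAT64_PREFIX"*) tail=${1#"$NAT64_PREFIX"} ;;          # e.g. d155:af84
        *) echo "dns64_decode: not under $NAT64_PREFIX" >&2; return 1 ;;
    esac
    case $tail in
        *:*) hi=${tail%%:*}; lo=${tail#*:} ;;     # two 16-bit groups
        *)   hi=0;           lo=$tail ;;          # 64:ff9b::a84 -> 0.0.10.132
    esac
    hi=$(printf '%04x' "0x$hi") && lo=$(printf '%04x' "0x$lo") || return 1   # zero-pad
    printf '%d.%d.%d.%d\n' "0x${hi%??}" "0x${hi#??}" "0x${lo%??}" "0x${lo#??}"
}

# Constructed check of the answer quoted above.
dns64_decode 64:ff9b::d155:af84     # prints 209.85.175.132
```

On a client behind the gateway, feeding the AAAA answer from dig +short to dns64_decode should give one of the addresses that dig +short A returns for the same name.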


 

Thursday, September 15, 2011

Surfing IPv4 Web from IPv6 Only Network


A user with IPv6-only connectivity is limited in accessing IPv4 resources. He can surf the IPv6 Internet (i.e. web resources with an IPv6 address) and other resources with IPv6 connectivity. As of today, the percentage of IPv4 resources on the web is much higher than that of IPv6 resources.
 
A simple way to enable IPv4 surfing for IPv6-only clients is a dual-stack proxy server (having both IPv6 and IPv4 connectivity). When the client requests a website through his web browser, the request is forwarded to the proxy server because the browser is configured to use it. The proxy server resolves the domain name; normally it first checks for an AAAA record of the website. If one is available it connects over its IPv6 connection and serves the client. If no AAAA record is available (i.e. the website is not IPv6 enabled) it checks for an A record and connects over its IPv4 connectivity.

This supports protocols like HTTP, HTTPS, FTP etc., depending on what the proxy server supports. The steps to set up such a proxy server are given below.



  • Install the latest OS (we used Fedora 13) and enable dual stack (IPv4 and IPv6)
  • Assign resolvable IPs
  • Get and install a Squid version with IPv6 support (Squid 3.x or later): http://www.squid-cache.org/Versions/
  • Compile and install Squid with the required parameters (you need to configure Squid to listen on IPv6, add the IPv6 network block to allow access from clients, etc.)
  • Add an AAAA record for your Squid proxy server in your domain.
  • Configure the proxy server in the clients' browsers


That's all. We did that in our network and it works fine.

Tuesday, September 13, 2011

Secure Your Apache Web Server


Having your web server hacked is a disaster for you. Most of the time the attacker uses information read from your server to attack it (i.e. version details, installed modules, configuration parameters etc.).

So it is essential to harden your web server and prevent it from publishing unnecessary information about itself.

The following settings prevent publishing such information.

Hiding Apache Version

Impact: Exposing the Apache version helps an attacker pick exploits against the server.
Setting: In Apache/Httpd conf file
Methodology
  • Open your httpd.conf file using a text editor such as vi:
    e.g. vi httpd.conf
  • Append/modify the config directives as follows:
    • Set the ServerTokens parameter in section 1 of the Apache config file to ProductOnly:
      ServerTokens ProductOnly

    • Set ServerSignature in Section 2 ('Main' server configuration) of the Apache config file to Off:
      ServerSignature Off
  • Save and close the file. Restart the Apache web server:
    • e.g. # /etc/init.d/httpd restart
Hiding PHP version
Settings: PHP configuration file (i.e. php.ini)
Note: The location of php.ini depends on the PHP version you are using. Possible locations are
  • /etc/php.ini
  • /etc/php4/apache/php.ini (for PHP 4)
  • /etc/php5/apache/php.ini (for PHP 5)
Methodology:
Change the following option
    • expose_php = Off
Turn Off Directory Indexing

Setting: In Apache/Httpd conf file

Methodology:
Change the Options setting inside the <Directory> ... </Directory> block to a restrictive setting (one that does not include Indexes);

e.g.

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
More details at httpd.apache.org/docs/2.2/mod/core.html#options
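As an added example (not from the original post), a read-only POSIX shell audit that checks an httpd.conf and a php.ini for the three settings covered above; the function names last_directive and audit_web_config are mine, and the sample config files are constructed in a temporary directory.

```shell
# Added example, not from the original post: a read-only audit of the settings
# above. It reports ServerTokens, ServerSignature and expose_php, flags any
# Options line that still enables Indexes, and returns 1 if anything is still
# permissive. Files pulled in via Include are not followed; audit them separately.
last_directive() {   # $1 = file, $2 = directive name in lower case, $3 = default value
    # Last occurrence wins, as in Apache/PHP; '#' and ';' comment lines never match.
    awk -v k="$2" -v d="$3" -F'[[:space:]=]+' \
        '{ sub(/^[[:space:]]+/, "") } tolower($1) == k { v = $2 } END { if (v == "") v = d; print v }' "$1"
}

audit_web_config() {   # $1 = httpd.conf, $2 = php.ini
    rc=0
    tokens=$(last_directive "$1" servertokens Full)      # Apache default: Full
    sig=$(last_directive "$1" serversignature Off)       # Apache default: Off
    expose=$(last_directive "$2" expose_php On)          # PHP default: On
    case $(echo "$tokens" | tr A-Z a-z) in
        prod|productonly) echo "ok   ServerTokens $tokens" ;;
        *) echo "WARN ServerTokens is $tokens, want ProductOnly"; rc=1 ;;
    esac
    case $(echo "$sig" | tr A-Z a-z) in
        off) echo "ok   ServerSignature Off" ;;
        *)   echo "WARN ServerSignature is $sig, want Off"; rc=1 ;;
    esac
    case $(echo "$expose" | tr A-Z a-z) in
        off|0|false|no) echo "ok   expose_php Off" ;;
        *) echo "WARN expose_php is $expose, want Off"; rc=1 ;;
    esac
    # Directory listing: any Options line naming Indexes without a leading '-'.
    if grep -i '^[[:space:]]*Options' "$1" | grep -iw Indexes | grep -qv -- '-Indexes'; then
        echo "WARN an Options line in $1 still enables Indexes"; rc=1
    fi
    return $rc
}

# Constructed sample configs: the weak defaults beside the hardened values above.
tmp=$(mktemp -d)
printf 'ServerTokens Full\nServerSignature On\n<Directory />\n    Options Indexes FollowSymLinks\n</Directory>\n' >"$tmp/weak.conf"
printf 'expose_php = On\n' >"$tmp/weak.ini"
printf 'ServerTokens ProductOnly\nServerSignature Off\n<Directory />\n    Options FollowSymLinks\n    AllowOverride None\n</Directory>\n' >"$tmp/hard.conf"
printf 'expose_php = Off\n' >"$tmp/hard.ini"
audit_web_config "$tmp/weak.conf" "$tmp/weak.ini" || echo "=> weak config needs fixing"
```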

Good Reference
 http://www.petefreitag.com/item/505.cfm

Monday, September 12, 2011

Two Postfix Instances in One Server

I needed to configure a server
  • to work as a mail relay for my domain, say chamara.xy (external people/mail servers send email for someone@chamara.xy to this server)
  • to work as the submission server for my clients (someone@chamara.xy sends mail to any outside domain after authenticating to the server)
There are several ways to implement this; the following are some important references:
http://www.postfix.org/MULTI_INSTANCE_README.html
http://www.howtoforge.com/forums/showthread.php?t=4788

While reading the details I found the following link (http://linuxpoison.blogspot.com/2008/02/howto-make-two-instance-of-postfix.html), which was quite easy and interesting. I configured the server referring to that document. The steps I followed are given below:

Assume the main Postfix instance has its configuration in /etc/postfix.
  • Copy the /etc/postfix directory and all its files to another directory (say /etc/postfix-smtp)
  • Change the parameters in /etc/postfix-smtp/main.cf according to the new Postfix instance
Here the spool folder must be different and must be created.
The document says each instance of Postfix must have its own mail spool directory.
To avoid file conflicts, the default directory /var/spool/postfix must not be shared among instances.

  • Edit the master.cf file in /etc/postfix-smtp and enable it to run on port 25
smtp inet n - n - - smtpd
  • Edit the master.cf in /etc/postfix and enable the submission port for the smtpd daemon
submission inet n - n - - smtpd
  • Edit the file /etc/postfix/main.cf and add the following near the bottom of the file:
alternate_config_directories = /etc/postfix-smtp

The above setting is required to tell the Postfix daemons about the second instance.


Now you have 2 instances with 2 different configurations (i.e. /etc/postfix and /etc/postfix-smtp). You need to create startup scripts for both. One instance can run Postfix on port 587 with the relevant authentication configuration while the other runs on port 25 as the mail relay server for your domain.
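As an added example (not from the original post), a POSIX shell sanity check for the two-instance layout above: it reads both main.cf and master.cf files and reports the pitfalls the post warns about; the function names pf_get, pf_service_enabled and check_instances are mine, and the sample configuration directories are constructed under a temporary directory.

```shell
# Added example, not from the original post: sanity check for the two-instance
# layout above. Given the two configuration directories it verifies that each
# main.cf names a distinct queue_directory, that the main instance lists the
# second in alternate_config_directories, and that each master.cf enables the
# expected smtpd service (submission for clients, smtp on port 25 for the relay).
# It reads the files directly; on a live host "postconf -c DIR" gives the same values.
pf_get() {   # $1 = config dir, $2 = parameter name; prints the last value set
    awk -v k="$2" -F'[[:space:]]*=[[:space:]]*' '$1 == k { v = $2 } END { print v }' "$1/main.cf"
}

pf_service_enabled() {   # $1 = config dir, $2 = master.cf service name (smtp|submission)
    # An enabled entry looks like "submission inet n - n - - smtpd"; '#' lines are off.
    awk -v s="$2" '$1 == s && $2 == "inet" && $NF == "smtpd" { found = 1 } END { exit !found }' "$1/master.cf"
}

check_instances() {   # $1 = main config dir (/etc/postfix), $2 = second instance dir
    main=$1; second=$2; rc=0
    q1=$(pf_get "$main" queue_directory);   q1=${q1:-/var/spool/postfix}   # Postfix default
    q2=$(pf_get "$second" queue_directory); q2=${q2:-/var/spool/postfix}
    [ "$q1" != "$q2" ] || { echo "WARN both instances use queue_directory $q1"; rc=1; }
    case " $(pf_get "$main" alternate_config_directories | tr , ' ') " in
        *" $second "*) ;;
        *) echo "WARN $main/main.cf does not list $second in alternate_config_directories"; rc=1 ;;
    esac
    pf_service_enabled "$main" submission || { echo "WARN submission not enabled in $main/master.cf"; rc=1; }
    pf_service_enabled "$second" smtp     || { echo "WARN smtp not enabled in $second/master.cf"; rc=1; }
    [ $rc -eq 0 ] && echo "ok   $main and $second look consistent"
    return $rc
}

# Constructed sample of the layout described above, under a temporary directory.
tmp=$(mktemp -d); mkdir "$tmp/postfix" "$tmp/postfix-smtp"
printf 'queue_directory = /var/spool/postfix\nalternate_config_directories = %s/postfix-smtp\n' "$tmp" >"$tmp/postfix/main.cf"
printf 'submission inet n - n - - smtpd\n' >"$tmp/postfix/master.cf"
printf 'queue_directory = /var/spool/postfix-smtp\n' >"$tmp/postfix-smtp/main.cf"
printf 'smtp inet n - n - - smtpd\n' >"$tmp/postfix-smtp/master.cf"
check_instances "$tmp/postfix" "$tmp/postfix-smtp"
```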

Add IPv6 route in Windows 7

In Windows XP you can add IPv6 route easily using the GUI provided at the network configuration.
A good reference on how to set an IPv6 route in XP:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ip_v6_pro_rt_add.mspx?mfr=true


But for Windows 7 it is not that easy, or at least I was not able to add an IPv6 route through the GUI as in XP. So I tried the command line interface to add another route (other than the default route, which is configured automatically with the IPv6 settings).

Assume you have a network 2001:df0:12:a00::/64 and
your IP is 2001:df0:12:a00::1 and
your default gateway is 2001:df0:12:a00::ffff. 
So your default route will be
::/0 --> 2001:df0:12:a00::ffff

Assume you want to add another route to forward 64:eeb9::/96 (the NAT64 default network) to 2001:df0:12:a00::20 (the NAT64 server of the network).

Now run the command line interface as administrator (or as a user with admin privileges):

'netsh interface ipv6 add route 64:eeb9::/64 "Local Area Connection" 2001:df0:12:a00::20' 

If the command is accepted it will display 'OK'

To check the routing entries type the following command

'netsh interface ipv6 show route'

It will display all IPv6 routing entries.

Please note that you have to give the interface name properly; I have used "Local Area Connection" here. It depends on the network interface you want to use for IPv6 communication. By issuing the command ipconfig /all you can see the names of all the interfaces on your PC.