Monday, August 17, 2009

How to use the "noatime" option on a Linux ext3 filesystem for better I/O performance

To use the 'noatime' option:
  • Edit the file '/etc/fstab'
  • Add the option 'noatime', separated by a comma, to the fourth field of every disk-based filesystem entry
  • Save the file and reboot (or remount each filesystem whose entry you modified, using the command: mount -o remount <mountpoint>)


Most Linux desktops and servers suffer a noticeable I/O performance slowdown from
the constant atime updates, while there are only two or three real consumers of atime:
tmpwatch (which can be configured to use ctime instead, so it is not a big issue),
some backup tools,
and mail-notify.

Example /etc/fstab entries (only the ext3 root filesystem gets noatime; proc, devpts and swap are not disk-based filesystems):
proc /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
/dev/md0 /boot ext3 defaults 0 0
/dev/md1 none swap sw 0 0
/dev/md2 / ext3 defaults,noatime 0 0


In addition to this:

If you put your swap partition at the beginning of the drive it will give some improvement.
The beginning of the drive is physically located on the outer portion of the platter, so the read/write head covers
much more ground per revolution.
You can check the resulting throughput with a command such as /sbin/hdparm -t /dev/sda1 (or sda2, and so on).

Tuesday, August 11, 2009

DoS (denial-of-service) attacks

How to mitigate them in Linux

Add these lines to the end of /etc/rc.d/rc.local

######## shut some DoS stuff down
# SYN cookies keep the kernel accepting connections when the SYN backlog is full
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# ignore malformed ICMP error replies and broadcast pings (smurf-style amplification)
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# increase the SYN backlog queue
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# disable selective ACK and TCP timestamps
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

# raise the system-wide limit on open files
echo 64000 > /proc/sys/fs/file-max

# per-process open-file limit; note this only applies to the shell running rc.local,
# not to interactive logins (set those in /etc/security/limits.conf)
ulimit -n 64000


# increase the local port range
echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range

# stop source routing on every interface (including 'all' and 'default')
for i in /proc/sys/net/ipv4/conf/*/accept_source_route
do
echo 0 > "$i"
done

# enable reverse-path filtering (drop packets whose source address is not routable back the way they came)
for i in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > "$i"
done

##### End
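Settings written from rc.local can be overwritten by later boot scripts or by a distribution's sysctl files, so it is worth checking that they actually hold after boot. The audit script below is an added example, not part of the original post; the POLICY table mirrors the echo lines above, and treating file-max and the SYN backlog as minimums rather than exact values is my assumption.

```python
import fnmatch
import glob
import os

# Policy mirroring the rc.local snippet above. "eq": value must match exactly;
# "min": value must be at least this large (assumption: file-max and the SYN
# backlog are floors, so a larger value is not a regression).
POLICY = {
    "net/ipv4/tcp_syncookies": ("eq", "1"),
    "net/ipv4/icmp_ignore_bogus_error_responses": ("eq", "1"),
    "net/ipv4/icmp_echo_ignore_broadcasts": ("eq", "1"),
    "net/ipv4/tcp_max_syn_backlog": ("min", 2048),
    "net/ipv4/ip_local_port_range": ("eq", "1024 65535"),
    "fs/file-max": ("min", 64000),
    "net/ipv4/conf/*/accept_source_route": ("eq", "0"),
    "net/ipv4/conf/*/rp_filter": ("eq", "1"),
}


def snapshot_from_proc(root="/proc/sys", policy=POLICY):
    """Read every file the policy refers to into {relative_path: value}."""
    snap = {}
    for pattern in policy:
        for path in glob.glob(os.path.join(root, pattern)):
            with open(path) as fh:
                # /proc separates multi-value fields with tabs; normalise to spaces
                snap[os.path.relpath(path, root)] = " ".join(fh.read().split())
    return snap


def audit(snapshot, policy=POLICY):
    """Return (path, actual, wanted) for each setting that is missing or drifted.

    Wildcard keys (per-interface settings) must hold for every matching file,
    so a single interface left at the default is reported on its own.
    """
    findings = []
    for pattern, (mode, want) in policy.items():
        matches = sorted(p for p in snapshot if fnmatch.fnmatch(p, pattern))
        if not matches:
            findings.append((pattern, None, want))
            continue
        for path in matches:
            actual = snapshot[path]
            ok = actual == want if mode == "eq" else int(actual) >= want
            if not ok:
                findings.append((path, actual, want))
    return findings


if __name__ == "__main__":
    for path, actual, want in audit(snapshot_from_proc()):
        print(f"{path}: is {actual!r}, want {want!r}")
```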

VISUDO

1. Add a user
#useradd -g users admin
#passwd admin

2. #visudo
and insert the line below at the end:
admin ALL=(ALL) NOPASSWD: ALL

With NOPASSWD, sudo will not prompt for the admin user's password.

Now, if you want to grant permission for just a few services instead of full privileges:

1. #visudo
2. admin ALL=(root) NOPASSWD: /etc/init.d/postgresql

Save and exit with :wq
Now
# sudo /etc/init.d/postgresql start
will start the postgresql service without asking for your password.

Now, if you want to prohibit a user from running a few commands, say shells, su, passwd or visudo:

admin ALL = ALL, !SHELLS, !SU, !PASSWD, !VISUDO

Here SHELLS, SU, PASSWD and VISUDO are Cmnd_Alias names that must be defined earlier in the sudoers file. Note that the sudoers manual itself warns that such '!' exclusions match only the listed paths and are not a reliable restriction for a user who otherwise has ALL.

Monday, August 3, 2009

Folder access outside the document root in Apache

Say you have a folder named "web" under /home.

Make that folder readable by the Apache user and group, and add the lines below to the httpd.conf file.

"Directories need to be executable by the Apache user, so that Apache can get listings of the files in the directory, and display the documents located in that directory"


Alias /web /home/web

<Directory "/home/web">
Options Indexes SymLinksIfOwnerMatch IncludesNoExec
AllowOverride None
Order allow,deny
Allow from all
</Directory>