Sunday, August 26, 2012

How to Control the Iptables ip_conntrack: table full, dropping packet ?

    If Linux server handle lots of connections, then you get the problem with ip_conntrack iptables module. Connection tracking by default handles up to a certain number of simultaneous connections. This number is dependent on you system's maximum memory size.

To View Current Limit :   

# sysctl net.ipv4.netfilter.ip_conntrack_max
   8192
or
# cat /proc/sys/net/ipv4/ip_conntrack_max
   8192

To increase the Limit:

  Generally, the ip_conntrack_max is set to the total MB of RAM installed multiplied by 16. If you have  2GB of RAM, then ip_conntrack_max was set to 32768
# sysctl -w net.ipv4.netfilter.ip_conntrack_max=32768

Or we can add in /etc/sysctl.conf

net.ipv4.netfilter.ip_conntrack_max=32768

To View Current Open Session:

# wc -l /proc/net/ip_conntrack

  2520 /proc/net/ip_conntrack

Thursday, August 16, 2012

How to fix the NO_PUBKEY / GPG error ?

When updating the Debian based system, apt-get may display an error message like:

W: GPG error: ftp://ftp.debian.org/ testing Release:     
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 127908312D230C5F

W: There is no public key available for the following key IDs:  127908312D230C5F    

To solve this problem, get the key using gpg command and add it to the local apt repository using apt-key add command as shown below:

#gpg --keyserver pgpkeys.mit.edu --recv-key  127908312D230C5F         
#gpg -a --export 127908312D230C5F | sudo apt-key add -
#apt-get update

Sunday, August 12, 2012

What is SYN Flood?

The SYN flood attack sends TCP connections requests faster than a machine can process them.
  • attacker creates a random source address for each packet
  • SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP address
  • victim responds to spoofed IP address, then waits for confirmation that never arrives (waits about 3 minutes)
  • victim's connection table fills up waiting for replies
  • after table fills up, all new connections are ignored
  • legitimate users are ignored as well, and cannot access the server
  • once attacker stops flooding server, it usually goes back to normal state (SYN floods rarely crash servers)
  • newer operating systems manage resources better, making it more difficult to overflow tables, but still are vulnerable
  • SYN flood can be used as part of other attacks, such as disabling one side of a connection in TCP hijacking, or by preventing authentication or logging between servers.

Thursday, August 9, 2012

What is MariaDB? Quick Comparison with MYSQL.


    Monty Widenius, creator of mysql left after acquiring it by Oracle and SUN in 2009. And he started the new project, MariaDB to be a replacement for mysql server.

   MariaDB and Mysql are very near to each other as brother and sister. in other words, if you have mysql 5.1, you can switch to use MariaDb 5.1 and preserve all of your stuff and configuration. On top of that all MySQL connectors , api, etc. are the same (your PHP script that works on mysql will work normally on MariaDB)

Advantages of MariaDB over Mysql:
  • More storage engines like Aria
  • It uses the XtraDB (InnoDB improved) storage engine from Percona as default.
  • Improvements on speed, specially that the optimizer had been greatly improved to handle big data with Subqueries, derived tables and views, Index Merge, and Join queries.
  • Replication is a magnitude faster in MariaDB if you have lots of concurrent updates to InnoDB

Installation of PDF support in PHP of Linux

    PDF functions in PHP can create PDF files using the PDFlib library which was initially created by Thomas Merz and is now maintained by  PDFlib GmbH. Here is the below procedure to enable the PDFlib-lite and PDFlib in the linux

#cd /usr/src/
#wget http://www.pdflib.com/binaries/PDFlib/705/PDFlib-Lite-7.0.5p3.tar.gz
#tar xvf PDFlib-Lite-7.0.5p3.tar.gz
#cd PDFlib-Lite-7.0.5p3
#./configure --prefix=/usr/local/pdflib --without-java
#make && make install

After installing the PDFLite, we have to built PDFlib DSO as below.
#cd /usr/src/
#wget http://pecl.php.net/get/pdflib-2.1.9.tgz
#tar xvf pdflib-2.1.9.tgz
#cd pdflib-2.1.9

Monday, August 6, 2012

List of Apache Error Code


Successful Client Requests:

200 OK
201 Created
202 Accepted
203 Non-Authorative Information
204 No Content
205 Reset Content
206 Partial Content

Client Request Redirected:

300 Multiple Choices
301 Moved Permanently
302 Moved Temporarily
303 See Other
304 Not Modified
305 Use Proxy