Showing posts from April, 2007

Preventing SSH attacks

One solution is to run sshd on a non-standard port. Most automated attacks only attempt to connect on port 22, so this can be an effective way to hide from many attackers. To configure it, change the Port line in /etc/ssh/sshd_config and restart sshd as follows:

    vi /etc/ssh/sshd_config
    Port 922        <-- update the port number, and uncomment the line if the setting is commented out
    /etc/init.d/sshd restart
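The same edit done programmatically, as an added example that is not part of the original post: it rewrites the Port directive in sshd_config text (uncommenting a stock "#Port 22" line, collapsing duplicate Port lines, or appending one if none exists) and reads back the port sshd would actually use. File paths and the sample config fragment are constructed for the demonstration.

```python
import re

# Matches an active or commented-out Port directive, e.g. "Port 22" or "#Port 22".
PORT_RE = re.compile(r"^\s*#?\s*Port\s+\d+\s*$", re.IGNORECASE)

def set_sshd_port(config_text: str, port: int) -> str:
    """Return config_text with exactly one active 'Port <port>' line."""
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    out, replaced = [], False
    for line in config_text.splitlines():
        if PORT_RE.match(line):
            if not replaced:
                out.append(f"Port {port}")
                replaced = True
            continue            # drop further Port lines so only one remains
        out.append(line)
    if not replaced:            # no Port line at all: append one
        out.append(f"Port {port}")
    return "\n".join(out) + "\n"

def active_port(config_text: str) -> int:
    """Port sshd would listen on for this text; 22 when nothing is set."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        parts = stripped.split()
        if len(parts) == 2 and parts[0].lower() == "port":
            return int(parts[1])
    return 22

if __name__ == "__main__":
    # constructed fragment of a stock sshd_config; in practice read /etc/ssh/sshd_config
    sample = "#Port 22\n#Protocol 2\nPermitRootLogin no\n"
    updated = set_sshd_port(sample, 922)
    print(updated, "sshd would listen on", active_port(updated))
```

After writing the file, run `sshd -t` to validate the configuration and make sure the firewall admits the new port before restarting, or the restart can lock you out.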

passing attributes in nested tiles

Tiles is a great framework for organizing site content by constructing a page from multiple tiles. It allows reuse and customization of site content. I ran into a problem making a tiles attribute visible to a nested tile. Attributes defined in tiles definitions live in tile scope and hence are only available to the tile associated with the definition. To make an attribute available to nested tiles, pass it as follows:

    <tiles:insert attribute="header" ignore="true">
        <tiles:put name="title" beanName="title" beanScope="tile"/>
    </tiles:insert>

If you need to access the attribute in Struts bean tags or JSTL, use the <tiles:useAttribute/> or <tiles:importAttribute/> tag in the JSP as follows:

    <tiles:useAttribute name="title" />

You can now access the value of the title attribute using the Struts bean tag <bean:write name="title" /> or usin

no pg_hba.conf entry for host xyz

If you get this error while connecting to a PostgreSQL database, most likely you are missing an entry in the pg_hba.conf file that allows users from your machine to access the database. You will normally find pg_hba.conf in the /var/lib/pgsql/data directory. If it is not there, look at the PGDATA environment variable by logging in to the PostgreSQL server as the postgres user and typing env at the command prompt. Then edit the file to add the following entry:

    host all all XYZ 255.255.255.255 trust

just below the existing entry

    host all all 127.0.0.1 255.255.255.255 trust

and restart the postgres process by typing pg_ctl restart. It should now allow all users from your machine to connect to the database.
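How PostgreSQL decides whether an entry applies, as an added example that is not part of the original post: records are scanned top to bottom and the first one whose type, database, user and client address all match wins; when none matches, the client gets exactly the "no pg_hba.conf entry for host ..." error. The parser assumes only local/host/hostssl/hostnossl records, databases and users given as a comma list or the keyword all, and addresses in either the IP + netmask form used above or the address/CIDR form. Note that trust, as in the entries above, admits any client from that address without a password, so it suits only a single trusted workstation; md5 or a stronger method is the usual choice elsewhere.

```python
import ipaddress

def parse_pg_hba(text):
    """Parse pg_hba.conf text into (type, dbs, users, network, method) tuples."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            net, method = None, f[3]             # Unix-socket connections
        elif f[0] in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            if "/" in f[3]:                      # "addr/cidr method" form
                net, method = ipaddress.ip_network(f[3], strict=False), f[4]
            else:                                # "addr mask method" form (as above)
                net, method = ipaddress.ip_network((f[3], f[4]), strict=False), f[5]
        else:
            continue                             # record types not handled here
        records.append((f[0], f[1].split(","), f[2].split(","), net, method))
    return records

def _matches(allowed, value):
    return "all" in allowed or value in allowed

def hba_lookup(records, db, user, client_ip=None):
    """Auth method of the first matching record; None means the server would
    reject the connection with the error discussed above.
    client_ip=None models a Unix-socket ("local") connection."""
    for rtype, dbs, users, net, method in records:
        if client_ip is None:
            if rtype != "local":
                continue
        elif rtype == "local" or ipaddress.ip_address(client_ip) not in net:
            continue
        if _matches(dbs, db) and _matches(users, user):
            return method
    return None

if __name__ == "__main__":
    # constructed pg_hba.conf with the two entries from the post (192.168.1.10 stands in for XYZ)
    conf = ("local all all trust\n"
            "host all all 127.0.0.1 255.255.255.255 trust\n"
            "host all all 192.168.1.10 255.255.255.255 trust\n"
            "host mydb alice,carol 10.0.0.0/8 md5\n")
    recs = parse_pg_hba(conf)
    print(hba_lookup(recs, "mydb", "bob", "192.168.1.10"))   # trust
    print(hba_lookup(recs, "mydb", "bob", "192.168.1.11"))   # None -> the error
```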

MySQL Bad handshake error

I was trying to use Tomcat connection pooling to establish a connection to a MySQL database. I ran into a "Bad handshake" SQLException. After a few minutes on the internet, I figured out that it was a problem with the driver. However, when I checked the WEB-INF/lib directory I found the latest MySQL driver already placed in that directory. However, I found another, older MySQL driver in <tomcat-dir>/common/lib. So Tomcat was loading the old driver from the classpath ahead of the latest driver in the WEB-INF/lib directory. Once I updated the old driver with the latest version, everything worked fine. Note: removing the driver from <tomcat-dir>/common/lib did not fix the problem, since the Tomcat connection pool needs to load the driver from the common library location.

setting up cron jobs

To set up cron jobs for a user other than root, use the following command, which opens a file in the vi editor for scheduling cron jobs for that particular user:

    crontab -u <user> -e

Later, if you want to view the list of cron jobs scheduled for a user, use the following command:

    crontab -u <user> -l

Hibernate MySql Connection timeout

I noticed that a web application deployed on the Tomcat application server kept throwing JDBC exceptions every couple of days. So I guessed that it must be a problem with the MySQL database connection timing out. I did a quick search on the issue and found this article explaining the problem. You need to switch from the default Hibernate connection pooling to a production-grade database connection pooling technology and set appropriate timeout settings. You will also need to create a c3p0.properties file containing the following values:

    # a good mysql test query
    c3p0.preferredTestQuery=SELECT 1
    c3p0.testConnectionOnCheckout=true

Password protecting tomcat web application

The following configuration in the web.xml of a web application is useful for password protecting the web application in the Tomcat servlet engine.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>portalBase Application</web-resource-name>
            <url-pattern>/*</url-pattern>
            <!-- If you list http methods, only those methods are protected -->
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>role1</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>portalBase Application</realm-name>
    </login-config>
    <!-- Security roles referenced by this
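A check for the caveat in the comment above (listing http-method elements protects only those methods), as an added example that is not part of the original post: it parses a web.xml and reports, per url-pattern, which common HTTP methods a security-constraint leaves reachable without logging in. The SAMPLE_WEB_XML is a constructed, completed version of the fragment above; the Servlet 3.0 http-method-omission element is not handled.

```python
import xml.etree.ElementTree as ET

COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

def _local(tag):
    # compare by local name so namespaced (xmlns="...javaee") descriptors work too
    return tag.rsplit("}", 1)[-1]

def _descendants(elem, name):
    return [c for c in elem.iter() if _local(c.tag) == name]

def unprotected_methods(web_xml):
    """Map each url-pattern to the COMMON_METHODS its constraint does not
    protect (an empty set means every listed method requires login)."""
    root = ET.fromstring(web_xml)
    report = {}
    for sc in _descendants(root, "security-constraint"):
        # a constraint without <auth-constraint> imposes no login at all
        has_auth = bool(_descendants(sc, "auth-constraint"))
        for wrc in _descendants(sc, "web-resource-collection"):
            listed = {m.text.strip().upper() for m in _descendants(wrc, "http-method")}
            # no <http-method> at all means every method is covered; otherwise only the listed ones
            gaps = set(COMMON_METHODS) if not has_auth else (COMMON_METHODS - listed if listed else set())
            for up in _descendants(wrc, "url-pattern"):
                report[up.text.strip()] = gaps
    return report

# constructed, completed version of the web.xml fragment above
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>portalBase Application</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>role1</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

if __name__ == "__main__":
    print(unprotected_methods(SAMPLE_WEB_XML))  # {'/*': {'HEAD', 'OPTIONS', 'TRACE'}}
```

Dropping the http-method lines altogether makes the constraint cover every method, which is the simpler and safer form unless there is a reason to exempt some.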

Blocking port 8080

The Linux firewall can be managed using the iptables command. I set up Tomcat with the Apache web server in front using mod_jk2, but Tomcat was still accessible on port 8080. To disable direct access to port 8080 I executed the following command:

    iptables -A INPUT -p tcp --dport 8080 -j REJECT

You can review the above rule and any other existing rules as follows:

    iptables -L -n --line-numbers

If you later want to undo or remove a rule, use the above command to figure out the line number of the rule. Sample output from the previous command looks like this:

    Chain INPUT (policy DROP)
    num  target  prot opt source           destination
    1    LOG     tcp  --  0.0.0.0/0        0.0.0.0/0    tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `NEW NOT SYN: '
    2    DROP    tcp  --  0.0.0.0/0        0.0.0.0/0    tcp flags:!0x16/0x02 state NEW
    3    DROP    tcp  --  207.46.249.190   0.0.0.0/0    tcp
    4    DROP    tcp  --  0.0.0.0/0

MySQL GUI tools over ssh

I was very comfortable using the MySQL Query and Administrator GUI tools to connect to a MySQL database. However, recently I had to manage a database that was behind a firewall. I found these steps very useful for enabling ssh tunneling (or forwarding) to access a MySQL database behind a firewall using the GUI tools. It is very easy to set up and only took a couple of minutes.

Backup of MySql database

The following command can be used to take a dump of an existing MySQL database:

    mysqldump db-name --host=host-name --user=user-id --password=user-pass > init-db.sql

This creates a file called init-db.sql containing the SQL statements needed to reinitialize the database.

Creating no-reply@domain.com account in Postfix

If you want to send emails to users but do not want to receive any replies, you need to set up a no-reply@domain.com email account. These kinds of email ids are useful when sending emails containing forgotten passwords or activation codes. Below are the steps for creating such an account in Postfix.

1. Identify the file containing the aliases for Postfix
First, make sure the following line in the ALIAS DATABASE section of /etc/postfix/main.cf is NOT commented out:

    alias_maps = hash:/etc/aliases

2. Create an alias that redirects messages to /dev/null
Edit /etc/aliases and add the following entry:

    devnull: /dev/null

3. Create a virtual email id
Edit /etc/postfix/virtual and add the following entry:

    no-reply@domain.com devnull

4. Refresh the Postfix aliases and the Postfix cache
Execute the following commands (you may require root privileges):

    > newaliases
    > postfix reload

Restrict access to IPs in Tomcat

Add the following valve to the Tomcat server.xml to restrict access to the website to a limited set of IPs:

    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="127.0.0.1,xx.xxx.xxx.xx,xxx.xx.xxx.[6789].,xxx.xx.xx.xx.*,xxx.xx.xx.x[2345]., xxx.xx.xx.xx[4578]"/>