Category Archives: blog

How to Samba Network Recycle-Bin?

Samba uses a VFS (Virtual File System) module for the network recycle bin.
The VFS modules that Samba can use are located in /usr/lib/samba/vfs.
For the recycle bin we use the recycle.so module.
Add the VFS object to each share for which a recycle bin is required, as below:
/etc/samba/smb.conf
#==========================================================
[SecAudi-RD]
path = /Apps/Scripts
public = yes
writable = yes
browsable = yes
valid users = user1 user2 user3
vfs object = recycle
recycle:repository = .RecycleBin/%U
recycle:keeptree = Yes
recycle:touch = Yes
recycle:versions = Yes
recycle:maxsize = 0
recycle:exclude = *.tmp
recycle:exclude_dir = /tmp
recycle:noversions = *.ppt
#====================================================
The recycle configuration applies only to the directory path defined in a share,
i.e. “path = /Apps/Scripts”. Add the configuration to every share for which a
recycle bin is required.
The options are as follows:
1. recycle:repository = .RecycleBin/%U
This option defines where deleted files are stored.
.RecycleBin is the directory, inside the shared path, to which deleted files are moved.
%U is the user name of the person currently browsing the share, so a sub-directory
named after the user who is deleting the files is created under .RecycleBin.
E.g. if user1 is browsing the share and deletes a file, the file is moved to .RecycleBin/user1.
2. recycle:keeptree = Yes
Specifies whether the directory structure should be kept or if the files in the directory that is being deleted should be kept separately in the recycle bin.
3. recycle:touch = Yes
Specifies whether a file’s access date should be touched when the file is moved to the recycle bin.
4. recycle:versions = Yes
If this option is set, two files with the same name that are deleted will both be kept in the recycle bin. Newer deleted versions of a file will be called “Copy #x of filename”.
5. recycle:maxsize = 0
Files that are larger than the number of bytes specified by this parameter will not be put into the recycle bin.
6. recycle:exclude = *.tmp
List of files that should not be put into the recycle bin when deleted, but deleted in the regular way.
7. recycle:exclude_dir = /tmp
Contains a list of directories. When files from these directories are deleted, they are not put into the recycle bin but are deleted in the regular way.
8. recycle:noversions = *.ppt
Specifies a list of paths (wildcards such as * and ? are supported) for which no versioning should be used. Only useful when recycle:versions is enabled.

How to Prevent MySQL from data Spoofing?

This article explains how to encrypt clear-text MySQL traffic using stunnel, which is essential for anyone who treats security as a top priority. Although stunnel can also encrypt the traffic of other services such as IMAP and POP, this article of mine covers its use for MySQL; once learned, it can easily be applied to other services.

Why Stunnel?

To answer that, I will show a practical scenario that explains why stunnel is needed to encrypt MySQL traffic. I assume that readers have basic knowledge of MySQL.
Let there be two hosts, Host A and Host B:

Host A: 192.168.1.1
Host B: 192.168.1.2

Host A has mysql server running on its default port 3306
Host B has mysql server running on port 3307

Now, to allow host B to connect to the MySQL server on host A (port 3306), we have to grant permissions for host B in host A's MySQL database. Run the following command at the MySQL prompt on host A to grant permissions to host B:

mysql> grant all on *.* to 'hostB'@'192.168.1.2' identified by 'hostB';

Once done, connect from host B to host A's MySQL port 3306 by running the following command:

SEC@hostB# mysql -u hostB -h 192.168.1.1 -phostB

If the MySQL connection was successful you will get the mysql prompt. Before running any commands at this prompt, open a separate terminal on host B and start ettercap, a tool used to sniff data. Run the following command there:

SEC@hostB# ettercap -T /192.168.1.1/3306

This sniffs the data going to and coming from port 3306 on host A.

Now run a command at the mysql prompt in the previous terminal and observe the output of ettercap. Surprised and shocked? You can clearly see the commands being executed in the previous terminal. That is where stunnel comes in: had stunnel been in use, ettercap would have sniffed only encrypted data, which is of no use. By seeing your data in the clear, an attacker sniffing your network can easily learn database, row and column names and much more.

How to use stunnel?

Download the latest stunnel package from stunnel.org and untar it. Then run the following commands:

./configure
make
make install

This will install stunnel. For more options use
./configure --help

For example, ./configure --prefix=/home/stunnel

will install stunnel in /home/stunnel.

To make use of stunnel we need SSL certificates. For testing purposes, let the default certificate be created during installation; you can purchase an SSL certificate if you need to implement this for your organization. The default installation also provides a default stunnel configuration file. I made some changes to it and configured it for MySQL. Here is the configuration file that I used.

stunnel sample configuration file
—————————————–

# Sample stunnel configuration file for securing MySQL (server side)

# Provide the full path to your certificate-key pair file
cert = /etc/stunnel/stunnel.pem

#create the PID file

pid = /tmp/stunnel.pid

# change the UID and GID of the process for security reasons
setuid = nobody
setgid = nobody

# Configure secured MySQL server

[mysqls]
accept = 3307
connect = 3306
———————————————————–

That is a simple stunnel configuration file giving the basic functionality of stunnel. As per the configuration file, I have my certificate-key pair at the specified path, and the stunnel process runs as the nobody user and group. The main thing to understand is the [mysqls] section: all MySQL connections from outside are accepted on port 3307, decrypted and passed to the local MySQL service on port 3306. Similarly, data going out passes from port 3306 to 3307 for encryption and is then sent out.

Explanation through a practical scenario:
—————————————————

As in the example above, say we have the same two hosts with the same IPs. Let host A be the MySQL server and host B the MySQL client. We install stunnel on both the server and the client. I then used the following server and client configuration files.

Server side stunnel configuration file:(serverside.conf)
———————————————————————–

# Sample stunnel configuration file for securing MySQL (server side)

# Provide the full path to your certificate-key pair file
cert = /etc/stunnel/stunnel.pem

# create the PID file

pid = /tmp/stunnel.pid

# change the UID and GID of the process for security reasons
setuid = nobody
setgid = nobody

# Configure our secured MySQL server

[mysqls]
accept = 3307
connect = 3306

———————————————————————–

Client side configuration file:(clientside.conf)

————————————————————————

# Sample stunnel configuration file for securing MySQL (client side)

# Provide the full path to your certificate-key pair file
cert = /usr/local/etc/stunnel/stunnel.pem

# create the PID file

pid = /stunnel.pid

# change the UID and GID of the process for security reasons
setuid = nobody
setgid = nobody

# enable client mode
client = yes

# Configure our secured MySQL client

[mysqls]
accept = 3306
connect = 192.168.1.1:3307

———————————————————————————

In this case the local stunnel daemon running on the client side (host B) listens for connections on port 3306 and forwards the request to port 3307 on the server (host A), where it is decrypted and passed to the server's local port 3306; the same encrypted channel is used for the reverse path.

Now, with the server and client configuration files ready, it is time to run the stunnel daemon. Simply run the following commands on the two hosts:

On host A : stunnel serverside.conf
On host B : stunnel clientside.conf

Both machines should now have stunnel daemons running. Now access host A's MySQL server from host B. To do so, connect to the stunnel daemon listening on port 3306 on host B by issuing the following command:

SEC@hostB# mysql -h 127.0.0.1 -u hostB -phostB

This should give you the mysql prompt. Run some commands and, in another terminal, run ettercap sniffing host A port 3307. Your stunnel setup is working if ettercap shows only encrypted data and you cannot read the MySQL commands being run at the mysql prompt on host B.
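A way to check the same thing from host B without a sniffer, as an added example that is not part of the article: a plain MySQL port greets the client immediately with a readable version string, whereas the stunnel port stays silent until a TLS handshake is made, so probing both ports shows which one leaks. The function names, the constructed greeting packet and the host/port arguments are this example's own.

```python
import socket
import ssl
import struct


def parse_mysql_greeting(data: bytes):
    """Parse the leading fields of a MySQL initial handshake packet
    (protocol version 10). Returns (server_version, connection_id), or None
    when the bytes do not look like a plaintext MySQL greeting."""
    if len(data) < 5:
        return None
    length = int.from_bytes(data[0:3], "little")  # 3-byte payload length
    sequence = data[3]                              # the greeting is always seq 0
    payload = data[4:4 + length]
    if sequence != 0 or len(payload) < 2 or payload[0] != 0x0A:
        return None
    end = payload.find(b"\x00", 1)                  # NUL-terminated version string
    if end < 0 or len(payload) < end + 5:
        return None
    version = payload[1:end].decode("ascii", "replace")
    connection_id = struct.unpack_from("<I", payload, end + 1)[0]
    return version, connection_id


def classify_banner(first_bytes: bytes) -> str:
    """Classify what a server sent before the client said anything.
    A plain MySQL server greets immediately; a TLS listener (stunnel) stays
    silent until it receives a ClientHello."""
    if parse_mysql_greeting(first_bytes):
        return "plaintext-mysql"
    return "silent" if not first_bytes else "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect to host:port and report whether the MySQL greeting is readable
    in the clear or only inside TLS (i.e. stunnel is doing its job)."""
    report = {"host": host, "port": port}
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        try:
            first = sock.recv(512)
        except socket.timeout:
            first = b""
        report["banner"] = classify_banner(first)
        if first:
            if report["banner"] == "plaintext-mysql":
                report["server_version"] = parse_mysql_greeting(first)[0]
            return report
        # Nothing in the clear, so try TLS. The article uses the self-signed
        # stunnel.pem created at install time, so certificate verification is
        # switched off here only to detect TLS; a real client should verify.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            report["tls_version"] = tls.version()
            greeting = parse_mysql_greeting(tls.recv(512))
            report["banner"] = "mysql-over-tls" if greeting else "tls-no-mysql"
            if greeting:
                report["server_version"] = greeting[0]
    finally:
        sock.close()
    return report


def constructed_greeting() -> bytes:
    """A constructed protocol-10 greeting in the layout a real server sends
    (version string, connection id, auth data, flags), used for offline tests."""
    payload = (b"\x0a" + b"5.0.95-test\x00" + struct.pack("<I", 42)
               + b"abcdefgh" + b"\x00"                        # auth-plugin-data-part-1, filler
               + struct.pack("<HBH", 0xF7FF, 0x21, 0x0002)    # capabilities, charset, status
               + struct.pack("<HB", 0x0000, 0) + b"\x00" * 10)  # upper caps, auth len, reserved
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


SAMPLE_GREETING = constructed_greeting()
```

From host B, probe("192.168.1.1", 3306) should report plaintext-mysql (the raw server port, which is why it should not be reachable from the network) and probe("192.168.1.1", 3307) should report mysql-over-tls.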

It is the same for other services like IMAP and POP. For any queries or suggestions, just post a comment.

Changing Web Server Identity

The basic principle of launching an attack against any website is to first gather as much information as possible about it: the web server used at the back end, the modules compiled into it, and so on. This process, known as web server fingerprinting or banner grabbing, is the basic test run by most crawlers and vulnerability scanners, and it is the basis on which they identify vulnerabilities. To secure a website at this very first step, this article of mine helps hide the server identity if the web server in use is Apache.

What is Web Server Fingerprinting ?

As explained earlier, web server fingerprinting is the process of learning the basic details of the web server and the other options passed to it during compilation. This information helps website attackers: knowing the web server and the version being run, they can search for the vulnerabilities that exist in that server and version. These vulnerabilities are easily found on the internet on websites such as www.secunia.com, cve.mitre.org and many more. Having said that much, let us come to the point of hiding this information. How the server and version information is obtained is explained below:

secaudimachine# telnet localhost 80

HEAD / HTTP/1.0

After you telnet to port 80 of your local machine, type the above and press enter twice. You will get the server name along with its version and much more. If you don't get anything, try one of the following:

secaudimachine# telnet localhost 80
HEAD / HTTP/1.1

or

secaudimachine# telnet localhost 80

OPTIONS / HTTP/1.0

This example using the OPTIONS method even tells you the methods allowed on the web server; on the basis of this, many crawlers and scanners report the TRACE and TRACK methods being enabled on the web server as a vulnerability.

If you need to know the web server of some other website, just replace localhost with the name of the website. Even if you do not want to do all this but still need to know the web server or version a website runs, there are websites like www.netcraft.com that give you this basic information.

How to hide ?

Well, there are many methods to do this, depending on the environment in which you feel comfortable making changes to your web server. To hide just the very basic information, play with the ServerTokens and ServerSignature directives, the documentation for which is on Apache's official website, www.apache.org. However, even with these directives changed, information about the web server and its version is still revealed through error pages and certainly through the telnet method explained above. So let us play with the source code directly.

1. If you are configuring a new server and installing Apache on it, then before compiling it just make the following changes:

For apache 1: In file httpd.h

Change the values of the following macros:

#define SERVER_BASEVENDOR "Apache Group"
#define SERVER_BASEPRODUCT "Apache"
#define SERVER_BASEREVISION "1.3.29"
#define SERVER_BASEVERSION SERVER_BASEPRODUCT "/" SERVER_BASEREVISION
#define SERVER_PRODUCT SERVER_BASEPRODUCT
#define SERVER_REVISION SERVER_BASEREVISION
#define SERVER_VERSION SERVER_PRODUCT "/" SERVER_REVISION

Make the changes as you desire. For instance, to have the web server name reported as SUMI when scanned, just change the SERVER_BASEPRODUCT macro to "SUMI" instead of "Apache". Similarly for the others.

For apache 2: In file ap_release.h

If you don't want to change the identity in this manner, another method is to change a particular function:

For Apache 1 : ap_set_version() function in file http_main.c

static void ap_set_version(void)
{
    /* set the server name */
    ap_add_version_component("Microsoft-IIS/5.0");
    /* do not allow other modules to add to it */
    version_locked++;
}
Change the server name to whatever you desire.

For Apache 2 : ap_set_version in file core.c

static void ap_set_version(apr_pool_t *pconf)
{
    /* set the server name */
    ap_add_version_component(pconf, "Microsoft-IIS/5.0");
    /* do not allow other modules to add to it */
    version_locked++;
}
2. For those who already have web servers running and cannot afford the downtime involved in the above method, this method will work.

Through the mod_security module the same information can be changed at runtime. Modules can easily be compiled at runtime using the apxs binary, provided you enabled DSO support during compilation. As mentioned earlier about ServerTokens, this method requires its value to be set to Full, thus allowing the full information to be revealed. What mod_security actually does is search for the whole string in memory and replace it with the information we provide. Setting ServerTokens to Full causes the web server to allocate enough space for the name, giving mod_security enough room to make its change later. Hence, enter the following in the configuration file after the mod_security module has been loaded:

ServerTokens Full

SecServerSignature "Fogi"

All the product information would be revealed since ServerTokens is set to Full, but because of the mod_security module, the value kept in memory is replaced by the one given in the SecServerSignature directive. It is simply that easy.

All the methods for hiding the web server identity have been explained, so go for the method that best suits your web environment.
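After applying one of the methods above, it is worth confirming what your own server still reveals. The following is an added example, not code from the article: it parses the headers returned by HEAD and OPTIONS and flags the items the article says scanners look for (a Server header naming Apache or carrying a version, TRACE/TRACK in Allow). The function names and the two constructed responses are this example's own; the "Fogi" value is the SecServerSignature from the text.

```python
import http.client

# Constructed responses: what HEAD/OPTIONS might return before and after the
# identity change (the version string matches the macros shown above).
RESPONSE_BEFORE = (b"HTTP/1.1 200 OK\r\n"
                   b"Server: Apache/1.3.29 (Unix)\r\n"
                   b"Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
                   b"Content-Type: text/html\r\n\r\n")
RESPONSE_AFTER = (b"HTTP/1.1 200 OK\r\n"
                  b"Server: Fogi\r\n"
                  b"Allow: GET, HEAD, POST, OPTIONS\r\n"
                  b"Content-Type: text/html\r\n\r\n")


def parse_response_headers(raw: bytes) -> dict:
    """Turn a raw HTTP response head into a dict of lower-cased header names;
    the status line is kept under the key 'status'."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {"status": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_identity(headers: dict) -> list:
    """Return the findings a banner-grabbing scanner would pick up."""
    findings = []
    server = headers.get("server", "")
    if "apache" in server.lower():
        findings.append("Server header still names Apache: " + server)
    if "/" in server:
        findings.append("Server header still carries a version: " + server)
    allow = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    for method in ("TRACE", "TRACK"):
        if method in allow:
            findings.append(method + " is advertised in Allow")
    if "x-powered-by" in headers:
        findings.append("X-Powered-By reveals a module: " + headers["x-powered-by"])
    return findings


def audit_live(host: str, port: int = 80) -> list:
    """Send HEAD and OPTIONS to your own server and merge the findings."""
    findings = []
    for method in ("HEAD", "OPTIONS"):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, "/", headers={"Host": host})
        resp = conn.getresponse()
        headers = {"status": f"{resp.status} {resp.reason}"}
        headers.update({k.lower(): v for k, v in resp.getheaders()})
        conn.close()
        for finding in audit_identity(headers):
            if finding not in findings:
                findings.append(finding)
    return findings
```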

How to use Linux as Novell-Netware Client

IPX Protocol: IPX stands for Internetwork Packet Exchange. It is the networking protocol used by the Novell NetWare operating systems. Like UDP, IPX is a datagram protocol used for connectionless communication.

The IPX protocol stack is supported by Novell’s NetWare network operating system. Because of Netware’s popularity through the late 1980s into the mid 1990s, IPX became a popular internetworking protocol. Novell derived IPX from Xerox Network Services’ IDP protocol.

IPX Addressing: Logical networks are assigned a unique 32-bit hexadecimal address in the range 0x1 - 0xFFFFFFFE.

Hosts have a 48-bit node address which by default is set to the network interface card’s MAC address. The node address is appended to the network address to create a unique identifier for the host on the network.

Similarities with IP: The IPX network address is conceptually identical to the network part of the IP address (the bits where the netmask is 1); the node address then has the same meaning as the bits of the IP address where the netmask is 0. As the node address is usually identical to the MAC address of the network adapter, the Address Resolution Protocol is not needed.

For routing, the entries in the IPX routing table are similar to those of IP routing tables: routing is done by network address, and for each network address the network:node of the next router is specified, in a similar fashion to how an IP address/netmask is specified in IP routing tables.

IPX over Ethernet

IPX can be transmitted over Ethernet using one of the following four encapsulation types:

802.3 (raw)
802.2 (Novell)
802.2 (SNAP)
Ethernet II

For Linux to work as a Novell client we need a kernel with IPX support. I have used kernel 2.6.20, but many earlier versions also have IPX support.

For the IPX protocol we need the IPX utilities installed on our Linux system. They are installed from the rpm named “ipxutils”. I have used “ipxutils-2.2.6-7”.

NCPFS

Ncpfs is a filesystem which understands the Novell NetWare(TM) NCP protocol. Functionally, NCP is used for NetWare the way NFS is used in the TCP/IP world.

For ncpfs functionality on Linux we need rpm named “ncpfs”. I have used “ncpfs-2.2.6-7”.

Configure the IPX network software

There are two ways of configuring the IPX network software. You can manually configure all of your IPX network information, or you can let the software determine reasonable settings for itself using the command:

# ipx_configure --auto_interface=on --auto_primary=on

After your IPX network is configured you should be able to use the slist command to see a list of all of the Novell fileservers on your network:

# slist

If the slist command displays a message like “ncp_connect: Invalid argument”, then your kernel probably does not support IPX. In this case patch your kernel for IPX support or install a new kernel with IPX support. When you boot with a kernel that has IPX support you should see messages about ‘IPX’ and ‘ncpfs’ in the system startup messages.

If the slist command does not list all of your fileservers then you may need to use the manual network configuration method.

Alternatively, have a look at the output of the “ifconfig” command and check for the IPX line:

eth1      Link encap:Ethernet  HWaddr 00:C0:26:32:A2:11
          inet addr:10.0.0.123  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::2c0:26ff:fe32:a211/64 Scope:Link
          IPX/Ethernet 802.3 addr:00C02632A211
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8538 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4622 errors:0 dropped:0 overruns:0 carrier:0
          collisions:3 txqueuelen:1000
          RX bytes:1347923 (1.2 MiB)  TX bytes:4959973 (4.7 MiB)
          Interrupt:20 Base address:0xdc00

Mount a Novell(TM) Volume

If your IPX network software is configured properly, you should now be able to mount a Novell volume into your Linux filesystem. The ncpmount command is used for this purpose; you have to specify the following information:

The fileserver name
The fileserver directory to mount (optional)
The fileserver user id. If it is protected with a password, then the password is also required.
The mount point. This will be an existing directory on your machine.

There is an equivalent ncpumount command to unmount a mounted NCP filesystem.

The various options of the ncpmount command are as follows:

usage: ncpmount [options] mount-point

-S server       Server name to be used
-A dns_name     DNS server name to be used when mounting over TCP or UDP
-U username     Username sent to server
-V volume       Volume to mount, for NFS re-export
-u uid          uid the mounted files get
-g gid          gid the mounted files get
-f mode         permission the files get (octal notation)
-d mode         permission the dirs get (octal notation)
-c uid          uid to identify the connection to mount on. Only makes sense for root
-t time_out     Waiting time (in 1/100s) to wait for an answer from the server. Default: 60
-r retry_count  Number of retry attempts. Default: 5
-C              Don't convert password to uppercase
-P password     Use this password
-n              Do not use any password
                If neither -P nor -n are given, you are asked for a password.
-s              Enable renaming/deletion of read-only files
-h              print this help text
-v              print ncpfs version number
-b              Force bindery login to NDS servers
-i level        Signature level, 0=never, 1=supported, 2=preferred, 3=required
-m              Allow multiple logins to server
-N os2,nfs      Do not use specified namespaces on mounted volume
-y charset      character set used for input and display
-p codepage     codepage used on volume, including letters `cp'

Example:

Example command to mount fileserver SUMI_WEB, with a login id of "guest" and no password, under the "/mnt/web" directory:

# ncpmount -S SUMI_WEB /mnt/web -U guest -n

Example command to mount fileserver SUMI_DEV, with a login id of "rdeep" and password "secret", under the "/mnt/dev" directory:

# ncpmount -S SUMI_DEV /mnt/dev -U rdeep -P secret

Configure mounts to be performed automatically
Make the following entries in the file "/etc/rc.local":
--------------------------------------------------
# configure the IPX network
ipx_configure --auto_interface=on --auto_primary=on
# guest login to the Accounting fileserver
ncpmount -S SUMI_WEB /mnt/web -U guest -n

Protecting SAMBA PDC Share from viruses

Generally a domain controller share is used by a user to store documents, spreadsheets, presentations and so on.

If a user is a programmer, he has to save executable files (*.exe, *.com, *.dll). But we know that files with such extensions have a greater chance of being infected by viruses.
A normal user who is not a programmer has no need for *.exe, *.com, *.dll and similar files in his share, so we can prevent such users from having such files in their shares.

This reduces the risk of viruses, at least in the user shares that do not require executable files.

If you want to disallow EXE, COM or DLL files, you could use a veto files parameter like this:

veto files = /*.exe/*.com/*.dll/

This prevents access to or storage of these types of files and effectively prevents a Samba PDC from spreading most types of Windows worms and viruses. You may want to veto other file types as well, to exclude all of the file extensions that viruses use to propagate.

Following is an example of a user share in which such files are disallowed:

[MIKE]
comment = Mike’s Share
path = /home/mike
public = yes
writable = yes
printable = no
valid users = mike @hr
browseable = yes
veto files = /*.exe/*.com/*.dll/*.sh/*.py/

The valid users of the above share are mike and the members of the hr group, the share is browseable, and the users cannot access or store files with the extensions .exe, .com, .dll, .sh and .py.

 

Website Traffic Statistics for Multiple virtual Hosts

This article of mine is dedicated to log processing for multiple virtual hosts (name-based sites). Almost every hosting server has at least one hosting control panel installed to manage the hosting services, which makes all the jobs of maintaining each site on the server easy, including per-site logging. But what if there is no control panel on the server and a site owner is demanding individual traffic statistics for his site?
There are different ways of doing that, but the simplest is configuring webalizer for multiple virtual hosts. Let us design a simple scenario to proceed:
Assume that we have some virtual hosts (Name based sites)
1. alpha.secaudi.com with server access log file /var/log/httpd/access_log_alpha
2. beta.secaudi.com with server access log file /var/log/httpd/access_log_beta
3. gama.secaudi.com with server access log file /var/log/httpd/access_log_gama
and what is required is individual traffic statistics for each of these sites.
Create a centralized folder for webalizer configuration
# mkdir /etc/webalizer
Create individual webalizer configuration files for each site using sample configuration file
# cp /etc/webalizer.conf /etc/webalizer/alpha.secaudi.com.conf
# cp /etc/webalizer.conf /etc/webalizer/beta.secaudi.com.conf
# cp /etc/webalizer.conf /etc/webalizer/gama.secaudi.com.conf
Now create an individual usage directory for each site
# mkdir -p /var/www/usage/{alpha,beta,gama}
Modify individual webalizer configuration file for each site, for example: alpha.secaudi.com.conf
LogFile /var/log/httpd/access_log_alpha
OutputDir /var/www/usage/alpha
HostName alpha.secaudi.com
Similarly modify files for the other sites.
Run the following commands to process the webalizer statistics for each site (the -c option takes the path of the configuration file created above)
# webalizer -c /etc/webalizer/alpha.secaudi.com.conf
# webalizer -c /etc/webalizer/beta.secaudi.com.conf
# webalizer -c /etc/webalizer/gama.secaudi.com.conf
Required output will be in
/var/www/usage/alpha for alpha.secaudi.com
/var/www/usage/beta for beta.secaudi.com
/var/www/usage/gama for gama.secaudi.com
You can simplify this task if you have a large number of sites on your server:
write a small script named webstats.sh
# vi webstats.sh
#!/bin/sh
# run webalizer once for every per-site configuration file
for x in /etc/webalizer/*.conf
do
    webalizer -c "$x"
done
This requires that you have created a webalizer configuration file for each virtual host.
Now you have to provide the URL to the website owner by making a soft link to the usage directory in the DocumentRoot of that particular site.
For example, for alpha.secaudi.com the DocumentRoot is /var/www/html/alpha.secaudi.com
# ln -s /var/www/usage/alpha /var/www/html/alpha.secaudi.com/stats
So the usage URL is http://alpha.secaudi.com/stats
Do the same for the other virtual hosts.
!!! AND YOU HAVE DONE IT !!!
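The copy-and-edit steps above can be automated when there are many sites. The following is an added example, not the article's own script: it takes a stock webalizer.conf as the template, replaces only the LogFile, OutputDir and HostName settings for each virtual host and produces the per-site files under /etc/webalizer following the article's naming. The template text is a constructed stand-in for the real /etc/webalizer.conf; the function names are this example's own.

```python
import os
import re
import sys

# Constructed stand-in for the stock /etc/webalizer.conf the article copies.
SAMPLE_TEMPLATE = """\
# LogFile defines the web server log file to use.
#LogFile        /var/log/httpd/access_log
# OutputDir is where you want to put the output files.
OutputDir       /var/www/usage
#HostName       localhost
Quiet           yes
"""

# Matches a (possibly commented-out) "Key value" line for the three keys we
# override; explanatory comments with several words are left alone.
SETTING_RE = re.compile(r"^\s*#?\s*(LogFile|OutputDir|HostName)\s+\S+\s*$")

SITES = [("alpha", "alpha.secaudi.com"),
         ("beta", "beta.secaudi.com"),
         ("gama", "gama.secaudi.com")]


def render_config(template: str, logfile: str, outdir: str, hostname: str) -> str:
    """Return the template with LogFile, OutputDir and HostName set for one
    virtual host, dropping the template's own values for those three keys."""
    kept = [line for line in template.splitlines() if not SETTING_RE.match(line)]
    kept += [f"LogFile {logfile}", f"OutputDir {outdir}", f"HostName {hostname}"]
    return "\n".join(kept) + "\n"


def build_configs(sites, template=SAMPLE_TEMPLATE, confdir="/etc/webalizer",
                  logdir="/var/log/httpd", usagedir="/var/www/usage") -> dict:
    """Map config file path -> contents for each (short_name, fqdn) pair,
    using the access_log_<short> and usage/<short> layout from the article."""
    configs = {}
    for short, fqdn in sites:
        configs[f"{confdir}/{fqdn}.conf"] = render_config(
            template, f"{logdir}/access_log_{short}", f"{usagedir}/{short}", fqdn)
    return configs


def get_setting(config_text: str, key: str):
    """Read back one setting from a rendered config (None if absent)."""
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == key:
            return parts[1].strip()
    return None


if __name__ == "__main__":
    # Usage: python make_webalizer_confs.py [confdir]; writes one file per site.
    confdir = sys.argv[1] if len(sys.argv) > 1 else "/etc/webalizer"
    for path, text in build_configs(SITES, confdir=confdir).items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        print("wrote", path)
```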

htaccess Tricks

htaccess is used for many custom configurations of a web site. It is a plain text file placed in the DocumentRoot of your web site to achieve a variety of effects.

Various directives can be used in this file to do different things. Generally htaccess is used for password protection of directories on a web site.

To use these features on a site, create a plain-text file named .htaccess. It takes a single directive per line. Upload this file to your DocumentRoot and get the desired results according to the directives used.

This article is about advanced htaccess techniques such as redirection and PHP directives.

PHP & HTACCESS

In shared hosting, the site owner does not have root or administrator rights to change the PHP directives to suit his site's code. E.g. some developers like to use “safe_mode on” while others like “safe_mode off”.

Now what if /etc/php.ini has “safe_mode off” and you need “safe_mode on” for your site? Since you don't have root/administrator rights on the shared server, you cannot change this in /etc/php.ini.

In this case .htaccess file is very important for you.

Use the php_flag directive to set the desired PHP flags for your site's DocumentRoot, no matter what is in /etc/php.ini.

If you want “safe_mode on”, just use the following directive in the .htaccess file:

php_flag safe_mode on

similarly,

php_flag magic_quotes_gpc on

php_value register_globals on

Not only this, you can also customize your DocumentRoot's options beyond the global settings of your Apache web server. Suppose the main configuration file has the directive commented out:

# AddEncoding x-gzip gz

i.e. your web server is not using this directive in its main configuration file, but you want to use it for your site. Again the .htaccess file helps you here; just enter the following in this file:

AddEncoding x-gzip gz

AddEncoding x-compress Z

Many such directives can be used to enhance the features of your site.

I am going to explain some important directives here.

Action

Syntax: Action mime-type cgi-script

This directive adds an action, which will activate cgi-script when a file of content type mime-type is requested. It sends the URL and file path of the requested document using the standard CGI PATH_INFO and PATH_TRANSLATED environment variables.

AddDescription

Syntax: AddDescription string file file ...

This sets the description to display for a file, for FancyIndexing. File is a file extension, partial filename, wild-card expression or full filename for the files to describe. String is enclosed in double quotes (").
Example:

AddDescription "The mother" /pics/earth.gif

AddEncoding

Syntax: AddEncoding mime-enc extension extension ...

The AddEncoding directive adds to the list of filename extensions which filenames may end in for the specified encoding type. Mime-enc is the mime encoding to use for documents ending in extension.

Examples:

AddEncoding x-gzip gz
AddEncoding x-compress Z

This will cause files ending in .gz to be marked as encoded using the x-gzip encoding, and .Z files to be marked as encoded with x-compress.

AddIcon

Syntax: AddIcon icon name name ...

This sets the icon to display next to a file ending in name for FancyIndexing. Icon is either a (%-escaped) relative URL to the icon, or of the format (alttext,url) where alttext is the text tag given for an icon for non-graphical browsers.

Name is either ^^DIRECTORY^^ for directories, ^^BLANKICON^^ for blank lines (to format the list correctly), a file extension, a wildcard expression, a partial filename or a complete filename.
Examples:

AddIcon (IMG,/icons/image.xbm) .gif .xbm
AddIcon /icons/dir.xbm ^^DIRECTORY^^
AddIcon /icons/backup.xbm *~

AddIconByType should be used in preference to AddIcon, when possible.

AddIconByType

Syntax: AddIconByType icon mime-type mime-type ...

This sets the icon to display next to files of type mime-type for FancyIndexing. Icon is either a (%-escaped) relative URL to the icon, or of the format (alttext,url) where alttext is the text tag given for an icon for non-graphical browsers.

Mime-type is a wildcard expression matching the required mime types.
Example:

AddIconByType (IMG,/icons/sd.xbm) image/*

AddType

Syntax: AddType type ext

Context: .htaccess

The AddType directive allows you to add a mime type to your site.

Example:

AddType application/x-httpd-xx xx

ErrorDocument

Syntax: ErrorDocument error-code document

In the event of a problem or error, Apache can be configured to do one of four things:

1. behave like NCSA httpd 1.3
2. output a customized message
3. redirect to a local URL to handle the problem/error
4. redirect to an external URL to handle the problem/error

2-4 are configured using ErrorDocument, which is followed by the HTTP response code and a message or URL.

Messages in this context begin with a single quote character ("), which does not form part of the message itself. Apache will sometimes add information regarding the problem/error.

URLs will begin with a slash (/) for local URLs, or will be a full URL which the client can resolve.

Examples:

ErrorDocument 500 /cgi-bin/tester
ErrorDocument 404 /cgi-bin/bad_urls.pl
ErrorDocument 401 http://www2.foo.bar/subscription_info.html
ErrorDocument 403 "Sorry can't allow you access today

Files

Syntax: <Files filename> ... </Files>

The <Files> directive provides for access control by filename. It is comparable to the <Directory> and <Location> directives. It should be matched with a </Files> directive. Directives that apply to the filename given should be listed within. <Files> sections are processed in the order they appear in the configuration file, after the <Directory> sections and .htaccess files are read, but before <Location> sections.

Unlike <Directory> and <Location> sections, <Files> sections can be used inside .htaccess files. This allows users to control access to their own files, at a file-by-file level. When used in an .htaccess file, if the filename does not begin with a / character, the directory being applied will be prefixed automatically.

Redirect

Syntax: Redirect url-path url

The Redirect directive maps an old URL into a new one. The new URL is returned to the client which attempts to fetch it again with the new address.

Example:

Redirect /service http://foo2.bar.com/service

If the client requests http://myserver/service/foo.txt, it will be told to access http://foo2.bar.com/service/foo.txt instead.

RedirectTemp

Syntax: RedirectTemp url-path url

This directive lets the client know that the redirect is only temporary (status 302). Exactly equivalent to Redirect temp.

RedirectPermanent

Syntax: RedirectPermanent url-path url

Context: directory, .htaccess

This directive lets the client know that the redirect is permanent (status 301). Exactly equivalent to Redirect permanent.
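As an added example that is not part of the article, the following models how the redirect directives above resolve a request (url-path as a prefix, the remainder appended to the new URL, 302 for Redirect/RedirectTemp, 301 for RedirectPermanent or Redirect permanent) and how an ErrorDocument entry is looked up. The .htaccess fragment is constructed from the directives discussed on this page, and the function names are this example's own.

```python
# A constructed .htaccess fragment built from the directives discussed above.
SAMPLE_HTACCESS = """\
# PHP settings for this DocumentRoot
php_flag safe_mode on
AddEncoding x-gzip gz
AddType application/x-httpd-xx xx
Redirect /service http://foo2.bar.com/service
Redirect permanent /old-docs http://docs.example.invalid/manual
RedirectTemp /beta /new-beta
ErrorDocument 404 /cgi-bin/bad_urls.pl
ErrorDocument 403 "Sorry can't allow you access today
"""

# Status each redirect directive sends; Redirect may also carry an explicit
# status keyword as its first argument, as the text notes.
DEFAULT_STATUS = {"redirect": 302, "redirecttemp": 302, "redirectpermanent": 301}
STATUS_WORDS = {"permanent": 301, "temp": 302, "301": 301, "302": 302}


def parse_htaccess(text):
    """Return (directive, args) pairs, one per non-blank, non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            rules.append((parts[0], parts[1:]))
    return rules


def resolve_redirect(rules, request_path):
    """Apply Redirect/RedirectTemp/RedirectPermanent rules in order.

    url-path is a prefix matched on a path-segment boundary, and the rest of
    the request is appended to the target, so with
    'Redirect /service http://foo2.bar.com/service' a request for
    /service/foo.txt is sent to http://foo2.bar.com/service/foo.txt.
    Returns (status, location), or None when no rule matches."""
    for directive, args in rules:
        name = directive.lower()
        if name not in DEFAULT_STATUS:
            continue
        status = DEFAULT_STATUS[name]
        if name == "redirect" and args and args[0].lower() in STATUS_WORDS:
            status, args = STATUS_WORDS[args[0].lower()], args[1:]
        if len(args) != 2:
            continue
        url_path, target = args
        prefix = url_path.rstrip("/") or "/"
        if prefix == "/" or request_path == prefix or request_path.startswith(prefix + "/"):
            return status, target + request_path[len(prefix):]
    return None


def error_document(rules, code):
    """Return the ErrorDocument target for an HTTP status code, or None.
    A target starting with a double quote is a literal message (the quote is
    not part of it); anything else is a local path or a full URL."""
    for directive, args in rules:
        if directive.lower() == "errordocument" and len(args) >= 2 and args[0] == str(code):
            target = " ".join(args[1:])
            return target[1:] if target.startswith('"') else target
    return None
```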

XBitHack

Syntax: XBitHack status

The XBitHack directive controls the parsing of ordinary HTML documents. Status can have the following values:

off
No special treatment of executable files.

on
Any file that has the user-execute bit set will be treated as a server-parsed HTML document.

full
As for on, but also test the group-execute bit. If it is set, then set the Last-modified date of the returned file to be the last modified time of the file. If it is not set, then no last-modified date is sent. Setting this bit allows clients and proxies to cache the result of the request.
Various directives can be used in this file to different things. Generally htaccess is used for the password protection of the directories on a web site.

To use these features on a site, we need to create a file named .htaccess in plain test. It will take single directive per line. upload this file to your DocumentRoot and get the desired results according to the use of directives used.

This articles is about advance htaccess techniques such as redirection and php directives.

PHP & HTACCESS

In case of shared hosting, The site owner do not have root or administrator rights to change the php directives according to his site code. e.g Some developers like to use “safe_mode on” while others like “safe_mode off”.

Now what if in /etc/php.ini file has “safe_mode off” you need “safe_mode on” for your site. Since you don’t have root/administrator rights on shared server, you cannot change this in /etc/php.ini file on the server.

In this case .htaccess file is very important for you.

You have to use php_flag directive to set desired php flags for your sites DocumentRoot, no matter what is there in /etc/php.ini file.

If you want to use “safe_mode on” just use the following directive in .htaccess file

php_flag safe_mode on

similarly,

php_flag magic_quotes_gpc on

php_value register_globals on

Not only this you can also customize your DocumentRoot options other than the globle settings for your apache web server.

# AddEncoding x-gzip gz

i.e. your webserver is not using directive through its main configuration file, but you want to use this for your site, again .htaccess file will help you in this, just enter following to this file:

AddEncoding x-gzip gz

AddEncoding x-compress Z

Many such Directives can be used to enhanced the working features of your site.

Some important Directives, I am going to explain here.

Action

Syntax: Action mime-type cgi-script

This directive adds an action, which will activate cgi-script when a file of content type mime-type is requested. It sends the URL and file path of the requested document using the standard CGI PATH_INFO and PATH_TRANSLATED environment variables.

AddDescription

Syntax: AddDescription string file file …..

This sets the description to display for a file, for FancyIndexing. File is a file extension, partial filename, wild-card expression or full filename for files to describe. String is enclosed in double quotes (”).
Example:

AddDescription “The mother” /pics/earth.gif

AddEncoding

Syntax: AddEncoding mime-enc extension extension….

The AddEncoding directive adds to the list of filename extensions which filenames may end in for the specified encoding type. Mime-enc is the mime encoding to use for documents ending in extension.

Examples:

AddEncoding x-gzip gz
AddEncoding x-compress Z

This will cause files ending in .gz to be marked as encoded using the x-gzip encoding, and .Z files to be marked as encoded with x-compress.

AddIcon

Syntax: AddIcon icon name name ….

This sets the icon to display next to a file ending in name for FancyIndexing. Icon is either a (%-escaped) relative URL to the icon, or of the format (alttext,url) where alttext is the text tag given for an icon for non-graphical browsers.

Name is either ^^DIRECTORY^^ for directories, ^^BLANKICON^^ for blank lines (to format the list correctly), a file extension, a wildcard expression, a partial filename or a complete filename.
Examples:

AddIcon (IMG,/icons/image.xbm) .gif .xbm
AddIcon /icons/dir.xbm ^^DIRECTORY^^
AddIcon /icons/backup.xbm *~

AddIconByType should be used in preference to AddIcon, when possible.

AddIconByType

This sets the icon to display next to files of type mime-type for FancyIndexing. Icon is either a (%-escaped) relative URL to the icon, or of the format (alttext,url) where alttext is the text tag given for an icon for non-graphical browsers.

Mime-type is a wildcard expression matching required the mime types.
Example:

AddIconByType (IMG,/icons/sd.xbm) image/*

AddType

Syntax: AddType type ext

Context:.htaccess

The AddType directive allows you to add a mime type to your site.

Example:

AddType application/x-httpd-xx xx

ErrorDocument

Syntax: ErrorDocument error-code document

In the event of a problem or error, Apache can be configured to do one of four things,

behave like NCSA httpd 1.3
output a customized message
redirect to a local URL to handle the problem/error
redirect to an external URL to handle the problem/error
2-4 are configured using ErrorDocument, which is followed by the HTTP response code and a message or URL.

Messages in this context, begin with a single quote (”), which does not form part of the message itself. Apache will sometime offer additional information regarding the problem/error.

URLs will begin with a slash (/) for local URLs, or will be a full URL which the client can resolve.

Examples:

ErrorDocument 500 /cgi-bin/tester
ErrorDocument 404 /cgi-bin/bad_urls.pl
ErrorDocument 401 http://www2.foo.bar/subscription_info.html
ErrorDocument 403 “Sorry can’t allow you access today
The directive provides for access control by filename. It is comparable to the directive and directives. It should be matched with a directive. Directives that apply to the filename given should be listed within. sections are processed in the order they appear in the configuration file, after the sections and .htaccess files are read, but before sections.

unlike and sections, sections can be used inside .htaccess files. This allows users to control access to their own files, at a file-by-file level. When used in an .htaccess file, if the filename does not begin with a / character, the directory being applied will be prefixed automatically.

Redirect

Syntax: Redirect url-path url

The Redirect directive maps an old URL into a new one. The new URL is returned to the client which attempts to fetch it again with the new address.

Example:

Redirect /service http://foo2.bar.com/service

If the client requests http://myserver/service/foo.txt, it will be told to access http://foo2.bar.com/service/foo.txt instead.

RedirectTemp

Syntax: RedirectTemp url-path url

This directive makes the client know that the Redirect is only temporary. (Status 302). Exactly equivalent to Redirect temporary

RedirectPermanent

Syntax: RedirectPermanent url-path url

Context: directory, .htaccess

This directive makes the client know that the Redirect is permanent. (Status 301). Exactly equivalent to Redirect permanent

XBitHack

Syntax: XBitHack status

The XBitHack directives controls the parsing of ordinary html documents. Status can have the following values:

off

No special treatment of executable files.
on
Any file that has the user-execute bit set will be treated as a server-parsed html document.
full

As for on but also test the group-execute bit. If it is set, then set the Last-modified date of the returned file to be the last modified time of the file. If it is not set, then no last-modified date is sent. Setting this bit allows clients and proxies to cache the result of the request.

Koala

ARP SPOOFING

This paper deals with the subject of ARP spoofing. Spoofing basically means deceiving someone; the way in which it is done gives each technique its name, for instance IP spoofing or ARP spoofing. In this article I explain what ARP (Address Resolution Protocol) is, what ARP spoofing is and how it is done. One more thing: this article has been written on the assumption that the reader has a basic knowledge of the OSI (Open Systems Interconnection) reference model.
BASICS
Before getting into ARP spoofing, let us understand how two machines connected to an intranet communicate. A computer connected to an IP/Ethernet LAN has two addresses. The first is the address of the LAN card, called the MAC (Media Access Control) address. It is a globally unique, unchangeable address stored on the network card itself; just as with public IP addresses, no two machines can have the same MAC address on their LAN cards. MAC addresses belong to the 2nd layer (Data Link Layer) of the OSI model. They are necessary so that the Ethernet protocol can send data back and forth, independent of whatever application protocols are used on top of it. Ethernet builds frames of data, consisting of 1500 byte blocks. Each frame has an Ethernet header containing the MAC address of the source and the destination computer.
The second address is the IP address. IP is a protocol used by applications, independent of whatever network technology operates underneath it. Each computer on a network must have a unique IP address to communicate. IP addresses belong to the 3rd layer (Network Layer) of the OSI model.
IP addresses have two parts, a network portion and a host portion, which let one machine determine the network of another machine and then the host it is communicating with. MAC addresses, unlike IP addresses, are not divided into “host” and “network” portions. A host therefore cannot determine, from the MAC address of another host, whether that host is on the same layer 2 network segment (or a segment bridged to it), and if it is not, cannot determine the MAC address of a router on its own segment that could route the packet to the destination host. For this, IP and Ethernet must work together.
IP communicates by constructing “packets”, which are similar to frames but have a different structure. These packets cannot be delivered without the data link layer, so they are delivered by Ethernet, which splits the packets into frames, adds an Ethernet header for delivery, and sends them down the cable to the switch. The switch then decides which port to send the frame to by comparing the destination address of the frame with an internal table that maps port numbers to MAC addresses.
When an Ethernet frame is constructed, it must be built from an IP packet. At the time of construction, however, Ethernet has no idea what the MAC address of the destination machine is, which it needs in order to create the Ethernet header. The only information available is the destination IP from the packet’s header. Hence there has to be a way for the Ethernet protocol to find the MAC address of the destination machine, given a destination IP. This is where ARP, the Address Resolution Protocol, comes in.
What is the ADDRESS RESOLUTION PROTOCOL (ARP)?
ARP is commonly used to convert addresses of a layer 3 protocol such as the Internet Protocol (IP) into layer 2 MAC addresses. ARP operates by sending out “ARP request” packets. An ARP request asks the question, “Is your IP address x.x.x.x? If so, send your MAC back to me.” These packets are broadcast to all computers on the LAN, even on a switched network. Each computer examines the ARP request, checks whether it is currently assigned the specified IP, and if so sends an ARP reply containing its MAC address. Operating systems keep a cache of ARP replies to minimize the number of ARP requests being broadcast. When a computer receives an ARP reply, it updates its ARP cache with the new IP/MAC association.
To illustrate all of the above, here is an example. Run the following command on your Linux machine:
secaudi@secaudi.com# arp -an
It prints entries in the following syntax:
IP ADDR at MAC ADDR on Ethernet device
Each line in that format shows that your system holds the MAC address of that particular IP address in its cache. Now ping another host on your intranet and run the same command again. You will see the entry for that IP, with its MAC address, in your system’s cache.
Having explained all that, how does this lead to ARP spoofing, and what exactly is it?
What is ARP SPOOFING?
ARP spoofing involves constructing forged ARP replies. By sending forged ARP replies, a target computer can be convinced to send frames destined for computer A to computer B instead. When done properly, computer A has no idea that this redirection took place. The process of updating a target computer’s ARP cache with a forged entry is referred to as “poisoning”.
Switches determine which frames go to which ports by comparing the destination MAC of a frame against a table. This table contains a list of ports and the attached MAC addresses. The table is built when the switch is powered on, by examining the source MAC of the first frame transmitted on each port. Network cards can enter a state called “promiscuous mode” in which they are allowed to examine frames destined for MAC addresses other than their own. On switched networks this is not a concern, because the switch forwards frames based on the table described above, which prevents sniffing of other people’s frames.
However, using ARP spoofing, there are several ways in which sniffing can be performed on a switched network.
A “man-in-the-middle” (MiM) attack is one of them. In a MiM attack, a malicious user inserts his computer into the communications path between two target computers, after which sniffing can be performed. The malicious computer forwards frames between the two target computers so that communications are not interrupted. The attack is performed as follows (where A is the attacking computer, and C1 and C2 are the targets):
- A poisons the ARP cache of C1 and C2.
- C1 associates C2’s IP with A’s MAC.
- C2 associates C1’s IP with A’s MAC.
- All of C1 and C2’s IP traffic then goes to A first, instead of directly to each other.
To put all this together, let us work through an example.

HOST   IP ADDR        MAC ADDR
A      192.168.0.1    ABCDEF000001
B      192.168.0.2    ABCDEF000002
C      192.168.0.3    ABCDEF000003
Let host C be my machine, from which I want to carry out what was explained above. As explained, pinging the other two hosts gives me entries for their MAC addresses in my cache. Having obtained the MAC addresses for the IPs of hosts A and B, I now have to poison their caches so that host A’s entry for host B’s IP holds my (host C’s) MAC address, and similarly for host B. This can easily be done with the many tools available, one of them being arpoison. With arpoison installed on the system, execute it in this manner on host C:
hostC@secaudi.com# arpoison -i eth0 -d 192.168.0.1 -s 192.168.0.2 -t ABCDEF000001 -r ABCDEF000003 (poisoning host A)
hostC@secaudi.com# arpoison -i eth0 -d 192.168.0.2 -s 192.168.0.1 -t ABCDEF000002 -r ABCDEF000003 (poisoning host B)
where arpoison usage as: arpoison -i -d -s -t -r
What we have done with arpoison is simply point the entry for host B’s IP on host A to the MAC address of host C, and the entry for host A on host B to the MAC address of host C. So when these two machines communicate, say when host A sends data to host B, host A looks up the MAC address of host B in its cache, which has been poisoned to point to host C. Both hosts therefore direct their traffic to host C. It is that simple. Normally the cache entries are flushed every 60 or 30 seconds, so you have to keep sending packets to keep the caches of these two hosts poisoned.
Note, however, that host C must let the data from host A pass to host B and from host B to host A so that communication between the two hosts continues. This particular form of the attack is called a man-in-the-middle attack. If you only want to cause a DoS, point the MAC entries of these two hosts to something that is not valid; since no host is bound to that MAC, no data can be delivered.
For a visual walkthrough of all the above, visit the following URL:

http://www.oxid.it/downloads/apr-intro.swf

Conclusion
With ARP poisoning you can do various things. The first is sniffing on switched segments by poisoning the remote hosts or switches.
The second, and most of the time much worse, is altering the ARP tables of routers, which isolates LAN segments from the other segments.
I strongly believe that these kinds of attacks will soon grow fast in number worldwide.
There are defence methods against ARP spoofing, one of the most common being ARPWATCH, a tool that listens for ARP replies on a network. It builds a table of IP/MAC associations and stores it in a file. Whenever the MAC address associated with an IP changes, an email is sent to the administrator.
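As an added example that is not part of the original article, here is a small ARPWATCH-style monitor in Python: it parses `arp -an` output of the form shown earlier and flags the two signs of the poisoning in the host A/B/C example, an IP whose MAC suddenly changes and one MAC that ends up claiming several IPs. The addresses and snapshot lines are constructed from the table above as seen by a monitoring host, and all function names are mine.

```python
"""Minimal arpwatch-style detector for the IP/MAC flips that ARP poisoning
produces. Added example, not from the original article; host addresses and
the `arp -an` snapshots below are constructed from the article's table."""
import re
from typing import Dict, List, Tuple

# One resolved line of Linux `arp -an`, e.g.
# "? (192.168.0.1) at ab:cd:ef:00:00:01 [ether] on eth0"
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \[ether\])? on (?P<dev>\S+)"
)


def parse_arp_table(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, device) per resolved entry; '<incomplete>' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["dev"]))
    return entries


class ArpMonitor:
    """Tracks IP -> MAC bindings the way ARPWATCH does and reports two signs
    of poisoning: an IP that flips to a different MAC, and one MAC that ends
    up claiming several IPs (what the MiM setup against hosts A and B looks
    like from a monitoring host)."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}

    def observe(self, ip: str, mac: str) -> List[str]:
        """Record one IP/MAC observation and return any alerts it raises."""
        alerts: List[str] = []
        old = self.bindings.get(ip)
        if old == mac:
            return alerts  # nothing new, no alert
        if old is not None:
            alerts.append(f"flip: {ip} was {old}, now {mac}")
        self.bindings[ip] = mac
        claimed = sorted(i for i, m in self.bindings.items() if m == mac)
        if len(claimed) > 1:
            alerts.append(f"mac {mac} now claims {len(claimed)} ips: {', '.join(claimed)}")
        return alerts

    def observe_table(self, arp_output: str) -> List[str]:
        """Feed a whole `arp -an` snapshot through observe()."""
        alerts: List[str] = []
        for ip, mac, _dev in parse_arp_table(arp_output):
            alerts.extend(self.observe(ip, mac))
        return alerts


# Constructed snapshots: the healthy table, then the table after host C
# (ab:cd:ef:00:00:03) has poisoned the entries for hosts A and B.
BASELINE = """\
? (192.168.0.1) at ab:cd:ef:00:00:01 [ether] on eth0
? (192.168.0.2) at ab:cd:ef:00:00:02 [ether] on eth0
? (192.168.0.3) at ab:cd:ef:00:00:03 [ether] on eth0
"""
AFTER_POISONING = """\
? (192.168.0.1) at ab:cd:ef:00:00:03 [ether] on eth0
? (192.168.0.2) at ab:cd:ef:00:00:03 [ether] on eth0
? (192.168.0.3) at ab:cd:ef:00:00:03 [ether] on eth0
? (192.168.0.9) at <incomplete> on eth0
"""


def run_demo() -> Tuple[List[str], List[str]]:
    """Return (alerts from the baseline, alerts from the poisoned snapshot)."""
    monitor = ArpMonitor()
    return monitor.observe_table(BASELINE), monitor.observe_table(AFTER_POISONING)


if __name__ == "__main__":
    for alert in run_demo()[1]:
        print(alert)
```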

Posted in Network
htaccess Tricks
Posted on April 10, 2011
htaccess is used for many custom configurations of a web site. It is a plain text file placed in the DocumentRoot of your web site to achieve a variety of effects.

Various directives can be used in this file to do different things. Most commonly, htaccess is used for password protection of directories on a web site.

To use these features on a site, create a plain text file named .htaccess with a single directive per line, upload it to your DocumentRoot, and the directives it contains take effect.

This article is about advanced htaccess techniques such as redirection and PHP directives.

PHP & HTACCESS

On shared hosting, the site owner does not have root or administrator rights to change the PHP directives to suit his site’s code. For example, some developers like to use “safe_mode on” while others like “safe_mode off”.

Now what if /etc/php.ini has “safe_mode off” but you need “safe_mode on” for your site? Since you do not have root/administrator rights on a shared server, you cannot change this in the server’s /etc/php.ini file.

In this case the .htaccess file is very useful.

Use the php_flag directive to set the desired PHP flags for your site’s DocumentRoot, regardless of what /etc/php.ini says. (These php_flag and php_value directives only take effect when PHP runs as an Apache module and the host permits them in .htaccess; otherwise Apache rejects the unknown directive and answers every request for that directory with a 500 error.)

If you want “safe_mode on”, just use the following directive in the .htaccess file:

php_flag safe_mode on

Similarly:

php_flag magic_quotes_gpc on

php_value register_globals on

Not only this, you can also customize your DocumentRoot options beyond the global settings of your Apache web server. Suppose the main configuration file has the following directive commented out:

# AddEncoding x-gzip gz

i.e. your web server is not using the directive in its main configuration file, but you want to use it for your site. Again the .htaccess file helps: just add the following lines to it:

AddEncoding x-gzip gz

AddEncoding x-compress Z

Many such directives can be used to enhance the working features of your site.

Some important directives are explained here.

Action

Syntax: Action mime-type cgi-script

This directive adds an action, which will activate cgi-script when a file of content type mime-type is requested. It sends the URL and file path of the requested document using the standard CGI PATH_INFO and PATH_TRANSLATED environment variables.

AddDescription

Syntax: AddDescription string file file ...

This sets the description to display for a file, for FancyIndexing. File is a file extension, partial filename, wild-card expression or full filename for the files to describe. String is enclosed in double quotes (").
Example:

AddDescription "The mother" /pics/earth.gif

AddEncoding

Syntax: AddEncoding mime-enc extension extension ...

The AddEncoding directive adds to the list of filename extensions which filenames may end in for the specified encoding type. Mime-enc is the mime encoding to use for documents ending in extension.

Examples:

AddEncoding x-gzip gz
AddEncoding x-compress Z

This will cause files ending in .gz to be marked as encoded using the x-gzip encoding, and .Z files to be marked as encoded with x-compress.

AddIcon

Syntax: AddIcon icon name name ….

This sets the icon to display next to a file ending in name for FancyIndexing. Icon is either a (%-escaped) relative URL to the icon, or of the format (alttext,url) where alttext is the text tag given for an icon for non-graphical browsers.

Name is either ^^DIRECTORY^^ for directories, ^^BLANKICON^^ for blank lines (to format the list correctly), a file extension, a wildcard expression, a partial filename or a complete filename.
Examples:

AddIcon (IMG,/icons/image.xbm) .gif .xbm
AddIcon /icons/dir.xbm ^^DIRECTORY^^
AddIcon /icons/backup.xbm *~

AddIconByType should be used in preference to AddIcon, when possible.

AddIconByType

Syntax: AddIconByType icon mime-type mime-type ...

This sets the icon to display next to files of type mime-type for FancyIndexing. Icon is either a (%-escaped) relative URL to the icon, or of the format (alttext,url) where alttext is the text tag given for an icon for non-graphical browsers.

Mime-type is a wildcard expression matching the required mime types.
Example:

AddIconByType (IMG,/icons/sd.xbm) image/*

AddType

Syntax: AddType type ext

Context: .htaccess

The AddType directive allows you to add a mime type to your site.

Example:

AddType application/x-httpd-xx xx

ErrorDocument

Syntax: ErrorDocument error-code document

In the event of a problem or error, Apache can be configured to do one of four things:

1. behave like NCSA httpd 1.3
2. output a customized message
3. redirect to a local URL to handle the problem/error
4. redirect to an external URL to handle the problem/error

Options 2-4 are configured using ErrorDocument, which is followed by the HTTP response code and a message or URL.

Messages in this context begin with a single double-quote character ("), which does not form part of the message itself. Apache will sometimes offer additional information regarding the problem/error.

URLs will begin with a slash (/) for local URLs, or will be a full URL which the client can resolve.

Examples:

ErrorDocument 500 /cgi-bin/tester
ErrorDocument 404 /cgi-bin/bad_urls.pl
ErrorDocument 401 http://www2.foo.bar/subscription_info.html
ErrorDocument 403 "Sorry can't allow you access today

<Files>

Syntax: <Files filename> ... </Files>

The <Files> directive provides for access control by filename. It is comparable to the <Directory> and <Location> directives. It should be matched with a </Files> directive. Directives that apply to the filename given should be listed within. <Files> sections are processed in the order they appear in the configuration file, after the <Directory> sections and .htaccess files are read, but before <Location> sections.

Unlike <Directory> and <Location> sections, <Files> sections can be used inside .htaccess files. This allows users to control access to their own files at a file-by-file level. When used in an .htaccess file, if the filename does not begin with a / character, the directory the .htaccess file applies to is prefixed automatically.

Redirect

Syntax: Redirect url-path url

The Redirect directive maps an old URL into a new one. The new URL is returned to the client which attempts to fetch it again with the new address.

Example:

Redirect /service http://foo2.bar.com/service

If the client requests http://myserver/service/foo.txt, it will be told to access http://foo2.bar.com/service/foo.txt instead.

RedirectTemp

Syntax: RedirectTemp url-path url

This directive tells the client that the redirect is only temporary (status 302). It is exactly equivalent to Redirect temporary.

RedirectPermanent

Syntax: RedirectPermanent url-path url

Context: directory, .htaccess

This directive tells the client that the redirect is permanent (status 301). It is exactly equivalent to Redirect permanent.

XBitHack

Syntax: XBitHack status

The XBitHack directive controls the parsing of ordinary HTML documents. Status can have the following values:

off
No special treatment of executable files.

on
Any file that has the user-execute bit set will be treated as a server-parsed HTML document.

full
As for on, but also test the group-execute bit. If it is set, the Last-modified date of the returned file is set to the last modified time of the file. If it is not set, no last-modified date is sent. Setting this bit allows clients and proxies to cache the result of the request.

TCP SYN DOS Attack

INTRODUCTION
This article discusses a form of denial-of-service attack, the TCP SYN DoS attack: a method of conducting denial-of-service attacks by creating TCP “half-open” connections. This method is actively used to attack sites connected to the Internet by leaving no resources for legitimate requests, the resource in this case being the backlog queue (explained later). There is, as yet, no complete solution to this problem, but there are steps that can be taken to lessen its impact. Although discovering the origin of the attack is difficult, it is possible; we have received reports of attack origins being identified.
Any system connected to the Internet and providing TCP-based network services (such as a Web server, FTP server, or mail server) is potentially subject to this attack. Note that in addition to attacks launched at specific hosts, these attacks could also be launched against your routers or other network server systems if these hosts enable (or turn on) other TCP services (e.g., echo). The consequences of the attack may vary depending on the system; however, the attack itself is fundamental to the TCP protocol used by all systems.
This advisory provides a brief outline of the problem and a partial solution. We will update this advisory as we receive new information.
DESCRIPTION
When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a set sequence of messages. This connection technique applies to all TCP connections: telnet, Web, email, etc.
The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending a SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and service-specific data can be exchanged between the client and the server. Here is a view of this message flow:
Client                        Server
------                        ------
SYN ------------------------>

       <------------------ SYN-ACK

ACK ------------------------>
Client and server can now send service-specific data. The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to the client but has not yet received the ACK message. This is what we mean by a half-open connection. The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections. Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. This means that the final ACK message will never be sent to the victim server system. The half-open connections data structure on the victim server system will eventually fill; then the system will be unable to accept any new incoming connections until the table is emptied out. Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can expire the pending connections.
In most cases, the victim of such an attack will have difficulty in accepting any new incoming network connection. In these cases, the attack does not affect existing incoming connections nor the ability to originate outgoing network connections. However, in some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative.
The location of the attacking system is obscured because the source addresses in the SYN packets are often implausible. When the packet arrives at the victim server system, there is no way to determine its true source. Since the network forwards packets based on destination address, the only way to validate the source of a packet is to use input source filtering.
IMPACT
Systems providing TCP-based services to the Internet community may be unable to provide those services while under attack and for some time after the attack ceases. The service itself is not harmed by the attack; usually only the ability to provide the service is impaired. In some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative.
How to detect a SYN attack
It is very simple to detect SYN attacks. The netstat command shows us how many connections are currently in the half-open state. The half-open state is described as SYN_RECEIVED in Windows and as SYN_RECV in Unix systems.
# netstat -n -p TCP
tcp 0 0 10.150.0.200:21 237.177.154.8:25882 SYN_RECV -
tcp 0 0 10.150.0.200:21 236.15.133.204:2577 SYN_RECV -
tcp 0 0 10.150.0.200:21 127.160.6.129:51748 SYN_RECV -
tcp 0 0 10.150.0.200:21 230.220.13.25:47393 SYN_RECV -
tcp 0 0 10.150.0.200:21 227.200.204.182:60427 SYN_RECV -
tcp 0 0 10.150.0.200:21 232.115.18.38:278 SYN_RECV -
tcp 0 0 10.150.0.200:21 229.116.95.96:5122 SYN_RECV -
tcp 0 0 10.150.0.200:21 236.219.139.207:49162 SYN_RECV -
tcp 0 0 10.150.0.200:21 238.100.72.228:37899 SYN_RECV -

We can also count how many half-open connections are in the backlog queue at the moment. In the example below, 769 connections (for TELNET) in the SYN RECEIVED state are kept in the backlog queue.
# netstat -n -p TCP | grep SYN_RECV | grep :23 | wc -l
769
The other method for detecting SYN attacks is to print TCP statistics and look at the TCP counters which count dropped connection requests. While under attack, the values of these counters grow rapidly.
In this example we watch the value of the tcpHalfOpenDrop counter on a Sun Solaris machine.
# netstat -s -P tcp | grep tcpHalfOpenDrop
tcpHalfOpenDrop = 473
It is important to note that every TCP port has its own backlog queue, but only one variable of the TCP/IP stack controls the size of the backlog queues for all ports.
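The netstat checks above, turned into a small detector: it parses netstat rows in both the Unix (SYN_RECV) and Windows (SYN_RECEIVED) layouts, counts half-open connections per local port the way the grep/wc pipeline does, and records how many distinct remote addresses are involved, since a flood of spoofed SYNs shows up as many sources rather than one slow client. This is an added example, not code from the original post; the sample netstat output is constructed here, and the threshold of 3 is an arbitrary value for the sample, not a recommended setting.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the `netstat -n -p TCP` output shown
# above, with two established sessions mixed in and one line in the Windows
# netstat layout (SYN_RECEIVED). All addresses are made up.
SAMPLE_NETSTAT = """\
tcp 0 0 10.150.0.200:21 237.177.154.8:25882 SYN_RECV -
tcp 0 0 10.150.0.200:21 236.15.133.204:2577 SYN_RECV -
tcp 0 0 10.150.0.200:21 127.160.6.129:51748 SYN_RECV -
tcp 0 0 10.150.0.200:22 192.0.2.10:51000 ESTABLISHED 1234/sshd
tcp 0 0 10.150.0.200:23 230.220.13.25:47393 SYN_RECV -
tcp 0 0 10.150.0.200:23 227.200.204.182:60427 SYN_RECV -
tcp 0 0 10.150.0.200:23 232.115.18.38:278 SYN_RECV -
tcp 0 0 10.150.0.200:23 229.116.95.96:5122 SYN_RECV -
tcp 0 0 10.150.0.200:80 198.51.100.7:4431 ESTABLISHED 2222/httpd
TCP 10.150.0.200:21 236.219.139.207:49162 SYN_RECEIVED
"""

# The half-open state is named SYN_RECV on Unix and SYN_RECEIVED on Windows.
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED"}

# proto, optional Recv-Q/Send-Q columns (Linux only), local addr:port,
# remote addr:port, state. Anything else (headers, UDP rows) is skipped.
LINE_RE = re.compile(
    r"^\s*tcp\d*\s+(?:\d+\s+\d+\s+)?(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)",
    re.IGNORECASE,
)


def parse_half_open(text):
    """Return (half-open count per local port, distinct remote IPs per local port)."""
    per_port = Counter()
    sources = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _local_ip, local_port, remote_ip, _remote_port, state = m.groups()
        if state.upper() in HALF_OPEN_STATES:
            port = int(local_port)
            per_port[port] += 1
            sources[port].add(remote_ip)
    return per_port, sources


def flag_syn_flood(text, threshold=3):
    """Ports whose half-open count reaches `threshold`: the same test the
    `grep SYN_RECV | grep :23 | wc -l` pipeline performs for a single port,
    applied to every listening port at once. A high count spread over many
    distinct (often implausible) sources is the signature of a spoofed flood."""
    per_port, sources = parse_half_open(text)
    return {
        port: {"half_open": n, "distinct_sources": len(sources[port])}
        for port, n in per_port.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for port, info in sorted(flag_syn_flood(SAMPLE_NETSTAT).items()):
        print("port %d: %d half-open connections from %d distinct sources"
              % (port, info["half_open"], info["distinct_sources"]))
```

On a live system, feed it the real output (for example `netstat -n -p TCP` piped into the script) and tune the threshold to the port's normal connection rate rather than the sample's value.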
The backlog queue
The backlog queue is a large memory structure used to handle incoming packets with the SYN flag set until the moment the three-way handshake process is completed. An operating system allocates part of the system memory for every incoming connection. We know that every TCP port can handle a defined number of incoming requests. The backlog queue controls how many half-open connections can be handled by the operating system at the same time. When a maximum number of incoming connections is reached, subsequent requests are silently dropped by the operating system.
As mentioned before, when we detect a lot of connections in the SYN RECEIVED state, the host is probably under a SYN flooding attack. Moreover, the source IP addresses of these incoming packets can be spoofed. To limit the effects of SYN attacks we should enable some built-in protection mechanisms. Additionally, we can sometimes use techniques such as increasing the backlog queue size and minimizing the total time a pending connection is kept in allocated memory (in the backlog queue).
Built-in protection mechanisms
Operating system: Windows 2000
The most important parameter in Windows 2000 and also in Windows Server 2003 is SynAttackProtect. Enabling this parameter allows the operating system to handle incoming connections more efficiently. The protection can be set by adding a SynAttackProtect DWORD value to the following registry key:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
In general, when a SYN attack is detected the SynAttackProtect parameter changes the behavior of the TCP/IP stack. This allows the operating system to handle more SYN requests. It works by disabling some socket options, adding additional delays to connection indications and changing the timeout for connection requests.
When the value of SynAttackProtect is set to 1, the number of retransmissions is reduced and according to the vendor, the creation of a route cache entry is delayed until a connection is made. The recommended value of SynAttackProtect is 2, which additionally delays the indication of a connection to the Windows Socket until the three-way handshake is completed. During an attack, better performance in handling connections is achieved by disabling the use of a few parameters (these parameters are usually used by the system during the process of creating new connections). The TCPInitialRTT parameter, which defines the time of the first retransmission, will no longer work. It’s impossible to negotiate the window size value. Also, the scalable windows option is disabled on any socket.
As we can see, by enabling the SynAttackProtect parameter we don’t change the TCP/IP stack behavior until under a SYN attack. But even then, when SynAttackProtect starts to operate, the operating system can handle legitimate incoming connections.
The operating system enables protection against SYN attacks automatically when it detects that the values of the following three parameters are exceeded: TcpMaxHalfOpen, TcpMaxHalfOpenRetried and TcpMaxPortsExhausted. To change the values of these parameters, we first have to add them to the same registry key as we did for SynAttackProtect.
The TcpMaxHalfOpen registry entry defines the maximum number of SYN RECEIVED states which can be handled concurrently before SYN protection starts working. The recommended value of this parameter is 100 for Windows 2000 Server and 500 for Windows 2000 Advanced Server.
TcpMaxHalfOpenRetried defines the maximum number of half-open connections, for which the operating system has performed at least one retransmission, before SYN protection begins to operate. The recommended value is 80 for Windows 2000 Server, and 400 for Advanced Server.
The TcpMaxPortsExhausted registry entry defines the number of dropped SYN requests, after which the protection against SYN attacks starts to operate. Recommended value is 5.
Operating system: Linux RedHat
RedHat, like other Linux operating systems, has implemented a SYN cookies mechanism which can be enabled in the following way:
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Note that to make this change permanent we need to create a startup file that sets this variable. We must do the same for the other UNIX variables described in this paper, because the values of these variables will return to their defaults upon system reboot. Optionally, the same can be enabled in the sysctl.conf file in the /etc directory by specifying the following:
net.ipv4.tcp_syncookies = 1
What are SYN cookies?
SYN cookies are an implementation of TCP that can respond to a TCP SYN request with a cookie. Following the description above, in a normal TCP implementation, when the server receives a SYN packet, it responds with a SYN-ACK to acknowledge it and enters the TCP_SYN_RECV state (half-open connection) to wait for the final ACK. The server uses a data structure describing all pending connections, and this data structure is of finite size. Therefore, an attacker may fill up the structure.
In the SYN cookies implementation of TCP, when the server receives a SYN packet, it responds with a SYN-ACK packet whose sequence number is calculated from the source address, source port, source sequence number, destination address, destination port and a secret seed. The server then releases all state. If an ACK comes from the client, the server can recalculate the value to determine whether it is a response to the earlier SYN-ACK. If it is, the server can directly enter the TCP_ESTABLISHED state and open the connection. In this way, the server avoids keeping half-open connections. This is just the basic idea of SYN cookies; there are many more mechanics in the implementation.
SYN cookie protection is especially useful when the system is under a SYN flood attack and the source IP addresses of the SYN packets are also forged (a SYN spoofing attack). This mechanism constructs a packet with the SYN and ACK flags set which carries a specially crafted initial sequence number (ISN), called a cookie. The value of the cookie is not a pseudo-random number generated by the system but the result of a hash function. This hash is computed from information such as the source IP, source port, destination IP and destination port plus some secret values. During a SYN attack, when the backlog queue is about to fill, the system responds by sending back a packet with a cookie instead of making a half-open connection entry in the queue, and it does not reject the connection. When the server receives a packet with the ACK flag set (the last stage of the three-way handshake) it verifies the cookie. When its value is correct, it creates the connection, even though there is no corresponding entry in the SYN queue. We then know that it is a legitimate connection and that the source IP address was not spoofed. It is important to note that the SYN cookie mechanism works by not using the backlog queue at all, so we don't need to change the backlog queue size.
Also note that the SYN cookies mechanism works only when the CONFIG_SYNCOOKIES option is set during kernel compilation. The next section will describe other useful methods of protection against SYN attacks. I would like to emphasize that under heavy SYN attacks (such as a distributed SYN flooding attack) these methods may help but still not solve the problem.
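The SYN cookie idea above, worked through as a simplified stateless listener: the server's initial sequence number is a keyed hash of the 4-tuple plus a coarse time counter, nothing is stored for a bare SYN, and the final ACK is accepted only if its acknowledgement number reproduces a fresh cookie. This is an added illustration, not the kernel's code: the 5-bit counter and 27-bit hash split, the HMAC-SHA256 hash, the two-minute acceptance window and the secret are all constructed here (the real Linux implementation also encodes the MSS and the client's sequence number, which this omits).

```python
"""Simplified SYN cookie (stateless handling of half-open connections)."""
import hashlib
import hmac
import struct
from ipaddress import ip_address

# Constructed secret for this example only; a real stack draws a random
# secret at boot and rotates it.
SECRET = b"constructed-example-secret"

COUNTER_BITS = 5                # coarse time counter kept in the top bits
HASH_BITS = 32 - COUNTER_BITS   # remaining bits hold the keyed hash
COUNTER_MASK = (1 << COUNTER_BITS) - 1
HASH_MASK = (1 << HASH_BITS) - 1


def _keyed_hash(src_ip, src_port, dst_ip, dst_port, counter):
    """Hash of the 4-tuple and time counter under the secret, truncated to HASH_BITS."""
    msg = (ip_address(src_ip).packed + struct.pack("!H", src_port)
           + ip_address(dst_ip).packed + struct.pack("!H", dst_port)
           + struct.pack("!B", counter))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_cookie(src_ip, src_port, dst_ip, dst_port, minute):
    """Initial sequence number the server places in its SYN-ACK."""
    counter = minute & COUNTER_MASK
    return (counter << HASH_BITS) | _keyed_hash(src_ip, src_port, dst_ip, dst_port, counter)


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, minute, max_age=2):
    """Validate the final ACK: ack_number must equal cookie + 1 and the cookie must be fresh."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter = cookie >> HASH_BITS
    age = (minute - counter) & COUNTER_MASK   # minutes elapsed, modulo the counter width
    if age > max_age:
        return False                          # too old (or a replay): reject
    expected = _keyed_hash(src_ip, src_port, dst_ip, dst_port, counter)
    return hmac.compare_digest(struct.pack("!I", cookie & HASH_MASK),
                               struct.pack("!I", expected))


class StatelessListener:
    """Server side of the handshake that keeps no half-open entries."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = []   # only fully verified connections are stored
        self.half_open = 0      # never grows: nothing is queued for a bare SYN

    def on_syn(self, src_ip, src_port, minute):
        # Reply with a SYN-ACK whose ISN is the cookie; retain no state.
        return make_cookie(src_ip, src_port, self.ip, self.port, minute)

    def on_ack(self, src_ip, src_port, ack_number, minute):
        ok = check_cookie(src_ip, src_port, self.ip, self.port, ack_number, minute)
        if ok:
            self.established.append((src_ip, src_port))
        return ok


def demo():
    """Legitimate handshake, a spoofed flood, a forged ACK and a stale replay."""
    srv = StatelessListener("10.150.0.200", 23)
    # A legitimate client completes the handshake within the same minute.
    isn = srv.on_syn("192.0.2.10", 40000, minute=7)
    legit = srv.on_ack("192.0.2.10", 40000, (isn + 1) & 0xFFFFFFFF, minute=7)
    # Thousands of SYNs from forged sources consume no queue entries.
    for i in range(10000):
        srv.on_syn("203.0.113.%d" % (i % 250 + 1), 1024 + i, minute=7)
    # An ACK not derived from a cookie we issued is rejected.
    forged = srv.on_ack("203.0.113.5", 5000, 123456789, minute=7)
    # A replay of the valid ACK well outside the counter window is rejected too.
    stale = srv.on_ack("192.0.2.10", 40000, (isn + 1) & 0xFFFFFFFF, minute=15)
    return legit, forged, stale, srv.half_open, len(srv.established)


if __name__ == "__main__":
    print(demo())   # (True, False, False, 0, 1)
```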
Increasing the backlog queue
Under a SYN attack, we can modify the backlog queue to support more connections in the half-open state without denying access to legitimate clients. In some operating systems, the value of the backlog queue is very low, and vendors often recommend increasing the SYN queue when a system is under attack. Increasing the backlog queue size requires that the system reserve additional memory for incoming requests. If the system does not have enough memory for this, system performance will suffer. We should also make sure that network applications like Apache or IIS can accept more connections.
Operating system: Windows 2000
Aside from the TcpMaxHalfOpen and TcpMaxHalfOpenRetried variables described above, in Windows 2000 the number of connections handled in the half-open state can be set through a dynamic backlog. Configuration of this dynamic backlog is accomplished via the AFD.SYS driver. This kernel-mode driver is used to support Windows Socket applications like FTP and Telnet. To increase the number of half-open connections, AFD.SYS provides four registry entries. All of these values, corresponding to AFD.SYS, are located under the following registry key:
HKLM\System\CurrentControlSet\Services\AFD\Parameters
The EnableDynamicBacklog registry value is a global switch to enable or disable a dynamic backlog. Setting it to 1 enables the dynamic backlog queue.
MinimumDynamicBacklog controls the minimum number of free connections allowed on a single TCP port. If the number of free connections drops below this value, then additional free connections are created automatically. Recommended value is 20.
The MaximumDynamicBacklog registry value defines the sum of active half-open connections and the maximum number of free connections. When this value is exceeded, no more free connections will be created by a system. Microsoft suggests that this value should not exceed 20000.
The last DynamicBacklogGrowthDelta parameter controls the number of free connections to be created when additional connections are necessary. Recommended value: 10.
Operating system: Linux
The tcp_max_syn_backlog variable defines how many half-open connections can be kept in the backlog queue. For instance, 256 is the total number of half-open connections handled in memory by Linux RedHat 7.3. The TCP/IP stack variables can be configured by sysctl or standard Unix commands. The following example shows how to change the default size of the backlog queue with the sysctl command:
# sysctl -w net.ipv4.tcp_max_syn_backlog="2048"
Operating system: Sun Solaris
In Sun Solaris there are two parameters which control the maximum number of connections. The first parameter controls the total number of full connections. The second tcp_conn_req_max_q0 parameter defines how many half-open connections are allowed without the dropping of incoming requests. In Sun Solaris 8, the default value is set to 1024. Using the ndd command we can modify this value.
# ndd -set /dev/tcp tcp_conn_req_max_q0 2048
Operating system: HP-UX
In HP-UX, the tcp_syn_rcvd_max TCP/IP stack variable controls the maximum number of half-open connections in the SYN RECEIVED state. In HP-UX 11.00 this value is set to 500. We can change this value by using the ndd command, similar to the one used on a Sun Solaris system.
# ndd -set /dev/tcp tcp_syn_rcvd_max 2048
Decreasing total time of handling connection request
As we know, SYN flooding/spoofing attacks are simply a series of SYN packets, mostly from forged IP addresses. In the last section we tried to increase the backlog queue. Now that our systems can handle more SYN requests, we should decrease the total time we keep half-open connections in the backlog queue. When a server receives a request, it immediately sends a response with the SYN and ACK flags set, puts this half-open connection into the backlog queue, and then waits for a packet with the ACK flag set from the client. When no response is received from the client, the server retransmits the response packet (with the SYN and ACK flags set) several times (depending on the default value in each operating system), giving the client a chance to send the ACK packet again. It is clear that when the source IP address of the client was spoofed, the ACK packet will never arrive. After a few minutes the server removes this half-open connection. We can speed up the removal of connections in the SYN RECEIVED state from the backlog queue by changing the time of the first retransmission and by changing the total number of retransmissions.
Another technique of protection against SYN attacks is switching off some TCP parameters that are normally negotiated during the three-way handshake. Some of these parameters are automatically turned off by the mechanisms described in the first section (SynAttackProtect and SYN cookies). Now I will describe the TCP/IP stack variables which allow a decrease in the time half-open connections are kept in the backlog queue.
Operating system: Windows 2000
In Windows 2000, the default time for a first retransmission is set to 3 seconds (3000 milliseconds) and can be changed by modifying the value of the TcpInitialRtt registry entry (for every interface). For example, to decrease time of a first retransmission to 2 seconds we have to set this registry value to 2000 milliseconds in decimal format. The number of retransmissions (packets with the SYN and ACK flags set) is controlled by a TcpMaxConnectResponseRetransmissions registry parameter which has to be added to HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key.
Operating system: Sun Solaris
In this operating system it is impossible to turn off retransmissions of packets directly using the ndd command. Moreover, in Sun Solaris there are parameters which are non-configurable by ndd and which control the number of retransmissions (at least 3) and total time of packet retransmissions (at least 3 minutes).
Operating system: HP-UX
For HP-UX, the time spent handling half-open connections in the backlog queue is controlled by the tcp_ip_abort_cinterval parameter. By using the ndd command we can define how long an HP-UX operating system will wait for the ACK packet. By changing this value we indirectly control how many retransmissions will be performed. We can change the time of the first retransmission by modifying tcp_rexmit_interval_initial. The intervals of subsequent retransmissions are controlled by two parameters: tcp_rexmit_interval and tcp_rexmit_interval_min. These three variables are the same as on a Sun Solaris operating system.
Summary
The methods of hardening the TCP/IP stack presented in this article make servers more resistant to SYN flooding and SYN spoofing denial-of-service attacks. Modifying your default TCP/IP stack settings is also recommended as part of securing the operating system.

RPM compilation (step by step)

(A) Environment:

We take the freetype, php and memcache RPM packages as the example here:

Old specs:

freetype-2.2.1-21.el5_3

php-5.2.13-1.virt (and all the packages related of same version)

php-xcache-1.3.0-1.virt & php-pecl-memcache-2.2.5-2.virt

Updated (expected) specs:

freetype-2.3.12-21.2.virt

php-5.2.14-2.virt (and all the packages related of same version)

php-xcache-1.3.0-2.virt & php-pecl-memcache-2.2.5-2.virt

(B) Procedure & Precautions:

1) The source packages should be from genuine regional sites.

e.g. I downloaded freetype-2.2.21.src.rpm from the CentOS regional site (http://centos.mirrors.skynet.be/pub/centos/5.5/os/SRPMS/).

2) After extracting the src rpm packages, you will see the respective tar packages (e.g. freetype-2.2.1.tar.gz, freetype-devel-2.2.1.tar.gz etc.). Just replace that particular package with the updated one.

3) Afterwards, extract every package (say freetype-2.2.1.tar.gz) and apply all the patches to the exact destinations specified in the .spec file in the root directory. Then exclude all the patch files which have failed or shown conflicts (either they are not compatible with this updated package, or they are already applied). Then delete all the extracted packages (say freetype-2.2.1).

This spec file is basically the file that tells the rpm program where everything is, where to put everything, and any other scripts or commands that need to be run.

4) Place all the genuine patch files and the unpatched tar packages separately.

5) If you receive any 'rpath_error' related error, then execute the rpm build command with the QA_RPATHS=$[ 0x0001|0x0010 ] prefix:

# QA_RPATHS=$[ 0x0001|0x0010 ] rpmbuild -ba freetype.spec

6) Whenever you are about to update a package, first check how many packages interact with this particular package and how severe its impact on the environment will be after the update. After the update, other related packages might need upgrading or recompilation so that they remain compatible with the updated version.

NOTE: Never force anything, because you are usually unaware of its future effects.

(C) Common commands:

1) To extract a src rpm:

# rpm2cpio freetype-2.2.1-21.el5_2.src.rpm | cpio -idmv

2) How to install the rpm-build utility (vital):

# yum groupinstall "Development Tools"
# yum install rpmdevtools
# useradd makerpm

3) How to set up the directory hierarchy to build rpms:

su - makerpm
rpmdev-setuptree

(This creates five folders under the rpmbuild folder, which is located in the home directory.)

SPECS: contains the spec file (manual).

SOURCES: contains packages, patches etc., everything except the spec file (manual).

BUILD: the directory where all building is done by the rpmbuild command (after execution).

RPMS: is where RPM will put all binary RPMs when built (after execution).

SRPMS: is where all source RPMs will be put (after execution).

4) To build a rpm:

# su - makerpm

# cd rpmbuild/SPECS

# rpmbuild -ba freetype.spec

Note: There shouldn’t be any type of error during execution.

5) To customize your .spec file:

You can modify the spec file so that the build behaves according to your requirements (i.e. if you want gd support in freetype and gd support is disabled in the spec file, you can change it to --enable-gd, depending on the package's standards).

There are, however, some required changes:

i) You need to increase the release number on every modification.

ii) You need to update the package "Version".

iii) And most important, remove the entries of the excluded patches.
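The three spec-file changes in (i)-(iii), as an added Python helper that is not part of the original post: it bumps the leading integer of the Release tag, rewrites the Version tag, and drops both the PatchN definition and the matching %patchN apply line for every patch you excluded in step 3, then checks that no %patchN line is left without a definition. The spec fragment it works on is constructed here for the example (patch names included) and is not the real freetype spec.

```python
import re

# Constructed spec fragment modelled on the freetype example of this post.
# The patch file names are made up for the illustration.
SAMPLE_SPEC = """\
Name: freetype
Version: 2.2.1
Release: 21%{?dist}
Source0: freetype-%{version}.tar.gz
Patch0: freetype-2.2.1-enable-ft2-bci.patch
Patch1: freetype-2.2.1-memcpy-fix.patch
Patch2: freetype-2.2.1-overflow-fix.patch

%prep
%setup -q
%patch0 -p1 -b .bci
%patch1 -p1 -b .memcpy
%patch2 -p1 -b .overflow
"""

PATCH_DEF_RE = re.compile(r"^Patch(\d+)\s*:\s*(\S+)\s*$")
PATCH_APPLY_RE = re.compile(r"^%patch(\d+)\b")


def set_version(spec, new_version):
    """Step ii: rewrite the Version: tag; refuse specs with zero or several tags."""
    new, n = re.subn(r"^(Version:\s*)\S+", r"\g<1>" + new_version, spec, flags=re.MULTILINE)
    if n != 1:
        raise ValueError("expected exactly one Version: tag, found %d" % n)
    return new


def bump_release(spec):
    """Step i: increment the leading integer of Release:, keeping any %{?dist} suffix."""
    def repl(m):
        return m.group(1) + str(int(m.group(2)) + 1) + m.group(3)
    new, n = re.subn(r"^(Release:\s*)(\d+)(.*)$", repl, spec, flags=re.MULTILINE)
    if n != 1:
        raise ValueError("expected exactly one Release: tag, found %d" % n)
    return new


def drop_patches(spec, excluded):
    """Step iii: remove PatchN: lines whose file name is in `excluded`, and the
    %patchN lines that apply them, so rpmbuild never looks for the missing file."""
    numbers = set()
    for line in spec.splitlines():
        m = PATCH_DEF_RE.match(line)
        if m and m.group(2) in excluded:
            numbers.add(m.group(1))
    kept = []
    for line in spec.splitlines():
        m = PATCH_DEF_RE.match(line) or PATCH_APPLY_RE.match(line)
        if m and m.group(1) in numbers:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def dangling_patches(spec):
    """Patch numbers applied with %patchN but no longer defined: should be empty."""
    defined = {m.group(1) for line in spec.splitlines()
               for m in [PATCH_DEF_RE.match(line)] if m}
    applied = {m.group(1) for line in spec.splitlines()
               for m in [PATCH_APPLY_RE.match(line)] if m}
    return sorted(applied - defined)


def update_spec(spec, new_version, excluded):
    """Apply (iii), then (ii), then (i), and verify the result is consistent."""
    new = bump_release(set_version(drop_patches(spec, excluded), new_version))
    leftover = dangling_patches(new)
    if leftover:
        raise ValueError("%%patch lines without definitions: %s" % leftover)
    return new


if __name__ == "__main__":
    print(update_spec(SAMPLE_SPEC, "2.3.12", {"freetype-2.2.1-memcpy-fix.patch"}))
```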

(D) Steps for updating freetype:

a) First of all get the src rpm package and extract it.

b) Then replace the tar packages with the desired updated packages, and extract them.

c) Now apply the patches according to the spec file, and exclude the corrupted ones as well as the duplicates.

d) Remove the extracted packages so that only the legitimate patches and the intact tar packages remain inside the directory.

e) Now move the modified spec file to "/home/makerpm/rpmbuild/SPECS" and the rest of the content to "/home/makerpm/rpmbuild/SOURCES".

f) Now, to produce your desired rpm package, execute "rpmbuild -ba freetype.spec" in "/home/makerpm/rpmbuild/SPECS".

g) Consequently, you will find the output rpm packages in "/home/makerpm/rpmbuild/RPMS" and the srpms in "/home/makerpm/rpmbuild/SRPMS".

h) Now you should have all the freetype packages with updated versions (in my case it is "2.3.12-21.2.virt").

(E) Steps for updating PHP:

a) Remove the build root directory after storing the RPMS and SRPMS folder:

# rm -rf /home/makerpm/rpmbuild

b) Perform steps (D) a-g and get the updated rpm packages.

c) Now you should have all the PHP packages with updated versions (in my case it is "5.2.14-2.virt").

(F) Steps for updating dependent packages:

a) Repeat steps (E) a-b.

Now you should have all the dependent packages of the above rpms with updated versions (in my case "php-xcache-1.3.0-2.virt" and "php-pecl-memcache-2.2.5-2.virt").

(G) Updating all the built rpm packages at the client end:

a) Execute this command:

rpm -Uvh php*.rpm
