Apache Httpd web page authentication

this command for create user and password access file:
htpasswd -c /etc/httpd/conf/.htpasswd xxxx

chown root:apache /etc/httpd/conf/.htpasswd
chmod 640 /etc/httpd/conf/.htpasswd

In my vhost configuration file:


ServerName sm.saic.it
RewriteEngine On
DocumentRoot /usr/local/sendmailanalyzer/www
Options ExecCGI
AddHandler cgi-script .cgi
DirectoryIndex sa_report.cgi

AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/conf/.htpasswd
Require valid-user

# Apache 2.4
# Require all granted
#Require host example.com


# Apache 2.2
Order deny,allow
#Allow from all
#Allow from 127.0.0.1
#Allow from ::1
# Allow from .example.com


How to test if the email address exists

Source Link

To check if user entered email mailbox.does.not.exist@webdigiapps.com really exists go through the following in command prompt on windows / terminal on mac. The commands you type in are in green and the server response is in blue. Please refer to MAC & PC screenshots towards the end of this post.

Step 1 – Find mail exchanger or mail server of webdigiapps.com

COMMAND:
nslookup -q=mx webdigiapps.com
RESPONSE:
Non-authoritative answer:
webdigiapps.com mail exchanger = 0 mx2.sub3.homie.mail.dreamhost.com.
webdigiapps.com mail exchanger = 0 mx1.sub3.homie.mail.dreamhost.com.

Step 2 – Now we know the mail server address so let us connect to it. You can connect to one of the exchanger addresses in the response from Step 1.

COMMAND:
telnet mx2.sub3.homie.mail.dreamhost.com 25
RESPONSE:
Connected to mx2.sub3.homie.mail.dreamhost.com.
Escape character is ‘^]’.
220 homiemail-mx7.g.dreamhost.com ESMTP

COMMAND:
helo hi
RESPONSE:
250 homiemail-mx8.g.dreamhost.com

COMMAND:
mail from: <youremail@gmail.com>
RESPONSE:
250 2.1.0 Ok

COMMAND:
rcpt to: <mailbox.does.not.exist@webdigiapps.com>
RESPONSE:
550 5.1.1 <mailbox.does.not.exist@webdigiapps.com>: Recipient address rejected: User unknown in virtual alias table

COMMAND:
quit
RESPONSE:
221 2.0.0 Bye

Screenshots – MAC Terminal & Windows

MAC email verification
Windows email verification

NOTES:

1) the 550 response indicates that the email address is not valid and you have caught a valid but wrong email address. This code can be on the server and called on AJAX when user tabs out of the email field.  The entire check will take less than 2 seconds to run and you can make sure that the email is correct.
2) If email was present the server will respond with a 250 instead of 550
3) There are certain servers with a CATCH ALL email and this means all email address are accepted as valid on their servers (RARE but some servers do have this setting).
4) Please do not use this method to continuously to check for availability of gmail / yahoo / msn accounts etc as this may cause your IP to be added to a blacklist.
5) This is to supplement the standard email address javascript validation.

IPTables – Load Balance Incoming Web Traffic

First of ALL

The important thing to remember as we go forward is that ORDER MATTERS! Rules are executed from top to bottom.

Note that Rules are applied in order of appearance, and the inspection ends immediately when there is a match. Therefore, for example, if a Rule rejecting ssh connections is created, and afterward another Rule is specified allowing ssh, the Rule to reject is applied and the later Rule to accept the ssh connection is not.

At the top of the /etc/sysconfig/iptables (Centos 7) the rules are more important !!

 

Instead of using the default policy, I normally recommend making an explicit DROP/REJECT rule at the bottom of your chain that matches everything. You can leave your default policy set to ACCEPT and this should reduce the chance of blocking all access to the server.

Load Balance Incoming Web Traffic

This uses the iptables nth extension. The following example load balances the HTTPS traffic to three different ip-address. For every 3th packet, it is load balanced to the appropriate server (using the counter 0).

iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

Allow Loopback Access

You should allow full loopback access on your servers. i.e access using 127.0.0.1

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Allow Internal Network to External network.

On the firewall server where one ethernet card is connected to the external, and another ethernet card connected to the internal servers, use the following rules to allow internal network talk to external network.

In this example, eth1 is connected to external network (internet), and eth0 is connected to internal network (For example: 192.168.1.x).

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

Allow outbound DNS

The following rules allow outgoing DNS connections.

iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

Prevent DoS Attack

The following iptables rule will help you prevent the Denial of Service (DoS) attack on your webserver.

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

In the above example:

  • -m limit: This uses the limit iptables extension
  • –limit 25/minute: This limits only maximum of 25 connection per minute. Change this value based on your specific requirement
  • –limit-burst 100: This value indicates that the limit/minute will be enforced only after the total number of connection have reached the limit-burst level.

Port Forwarding

The following example routes all traffic that comes to the port 442 to 22. This means that the incoming ssh connection can come from both port 22 and 422.

iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22

If you do the above, you also need to explicitly allow incoming connection on the port 422.

iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT

Log Dropped Packets

You might also want to log all the dropped packets. These rules should be at the bottom.

First, create a new chain called LOGGING.

iptables -N LOGGING

Next, make sure all the remaining incoming connections jump to the LOGGING chain as shown below.

iptables -A INPUT -j LOGGING

Next, log these packets by specifying a custom “log-prefix”.

iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7

Finally, drop these packets.

iptables -A LOGGING -j DROP

(most of the rules from here)

Example:

iptables -A INPUT --jump ACCEPT --protocol all   --source 127.0.0.1
iptables -A INPUT --jump ACCEPT --protocol tcp   --dport 22
iptabels -A INPUT --jump ACCEPT --protocol icmp
iptables -A INPUT --jump ACCEPT --match state    --state ESTABLISHED,RELATED
iptables -A INPUT --jump REJECT --protocol all

 

 

How to create a deamon service for java program

Here the link I used for create the service script:

vim service.name.sh

insert this:

#!/bin/sh
SERVICE_NAME=MyService
PATH_TO_JAR=/usr/local/MyProject/MyJar.jar
PID_PATH_NAME=/tmp/MyService-pid
case $1 in
start)
echo “Starting $SERVICE_NAME …”
if [ ! -f $PID_PATH_NAME ]; then
nohup java -jar $PATH_TO_JAR /tmp 2>> /dev/null >> /dev/null &
echo $! > $PID_PATH_NAME
echo “$SERVICE_NAME started …”
else
echo “$SERVICE_NAME is already running …”
fi
;;
stop)
if [ -f $PID_PATH_NAME ]; then
PID=$(cat $PID_PATH_NAME);
echo “$SERVICE_NAME stoping …”
kill $PID;
echo “$SERVICE_NAME stopped …”
rm $PID_PATH_NAME
else
echo “$SERVICE_NAME is not running …”
fi
;;
restart)
if [ -f $PID_PATH_NAME ]; then
PID=$(cat $PID_PATH_NAME);
echo “$SERVICE_NAME stopping …”;
kill $PID;
echo “$SERVICE_NAME stopped …”;
rm $PID_PATH_NAME
echo “$SERVICE_NAME starting …”
nohup java -jar $PATH_TO_JAR /tmp 2>> /dev/null >> /dev/null &
echo $! > $PID_PATH_NAME
echo “$SERVICE_NAME started …”
else
echo “$SERVICE_NAME is not running …”
fi
;;
esac

modify the environment variable

SERVICE_NAME=MyService
PATH_TO_JAR=/usr/local/MyProject/MyJar.jar
PID_PATH_NAME=/tmp/MyService-pid

 

 

Install nmap and check which ports are open.Centos 7

yum install nmap

now scan the ports with :

nmap -sT -O localhost

result:

Nmap scan report for localhost (127.0.0.1)

Host is up (0.000083s latency).

rDNS record for 127.0.0.1: localhost.localdomain

Not shown: 972 closed ports

PORT      STATE SERVICE

21/tcp    open  ftp

22/tcp    open  ssh

25/tcp    open  smtp

53/tcp    open  domain

80/tcp    open  http

110/tcp   open  pop3

111/tcp   open  rpcbind

143/tcp   open  imap

443/tcp   open  https

783/tcp   open  spamassassin

993/tcp   open  imaps

995/tcp   open  pop3s

1080/tcp  open  socks

1081/tcp  open  pvuniwien

2005/tcp  open  deslogin

2009/tcp  open  news

3005/tcp  open  deslogin

3306/tcp  open  mysql

5432/tcp  open  postgresql

8009/tcp  open  ajp13

8080/tcp  open  http-proxy

8081/tcp  open  blackice-icecap

9009/tcp  open  pichat

9080/tcp  open  glrpc

9090/tcp  open  zeus-admin

9100/tcp  open  jetdirect

10024/tcp open  unknown

10025/tcp open  unknown

No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

TCP/IP fingerprint:

OS:SCAN(V=6.40%E=4%D=7/23%OT=21%CT=1%CU=41542%PV=N%DS=0%DC=L%G=Y%TM=59744F1

OS:C%P=x86_64-redhat-linux-gnu)SEQ(SP=101%GCD=1%ISR=105%TI=Z%TS=A)SEQ(SP=10

OS:1%GCD=1%ISR=106%TI=Z%II=I%TS=A)OPS(O1=MFFD7ST11NW7%O2=MFFD7ST11NW7%O3=MF

OS:FD7NNT11NW7%O4=MFFD7ST11NW7%O5=MFFD7ST11NW7%O6=MFFD7ST11)WIN(W1=AAAA%W2=

OS:AAAA%W3=AAAA%W4=AAAA%W5=AAAA%W6=AAAA)ECN(R=Y%DF=Y%T=40%W=AAAA%O=MFFD7NNS

OS:NW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%

OS:DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%

OS:O=%RD=0%Q=)T6(R=N)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%D

OS:F=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=4

OS:0%CD=S)

Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 12.22 seconds

now scan from external :

nmap -sT -O <ip>

result

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-23 09:30 CEST

Nmap scan report for web.site (<ip>)

Host is up (0.035s latency).

rDNS record for <ip>: mail. web.site

Not shown: 978 closed ports

PORT     STATE    SERVICE

21/tcp   open     ftp

22/tcp   open     ssh

25/tcp   open     smtp

53/tcp   open     domain

80/tcp   open     http

110/tcp  open     pop3

111/tcp  open     rpcbind

135/tcp  filtered msrpc

139/tcp  filtered netbios-ssn

143/tcp  open     imap

443/tcp  open     https

445/tcp  filtered microsoft-ds

993/tcp  open     imaps

995/tcp  open     pop3s

1080/tcp open     socks

1081/tcp open     pvuniwien

2009/tcp open     news

3306/tcp filtered mysql

8009/tcp open     ajp13

8081/tcp open     blackice-icecap

9009/tcp open     pichat

9080/tcp open     glrpc

Device type: general purpose|media device|WAP|storage-misc

Running (JUST GUESSING): Linux 3.X|4.X|2.6.X (89%), Asus embedded (86%), Synology DiskStation Manager 5.X (86%)

OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:3.x cpe:/h:asus:rt-n56u cpe:/o:linux:linux_kernel:3.4 cpe:/o:linux:linux_kernel:3.10 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:linux:linux_kernel:2.6.32

Aggressive OS guesses: Linux 3.2 – 4.8 (89%), Linux 3.18 (88%), Linux 3.16 (87%), Linux 3.13 or 4.2 (87%), XBMCbuntu Frodo v12.2 (Linux 3.X) (87%), ASUS RT-N56U WAP (Linux 3.4) (86%), Linux 3.13 (86%), Linux 3.12 (86%), Linux 3.8 – 3.11 (86%), Linux 4.10 (86%)

No exact OS matches for host (test conditions non-ideal).

Network Distance: 6 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 15.47 seconds

 

check now for LISTENING port:

Next, check for information about the port using netstat or lsof. To check for port 834 using netstat, use the following command:

netstat -anp | grep 834

result :

tcp        0      0 127.0.0.1:9168          127.0.0.1:47834         TIME_WAIT                      

unix  2      [ ACC ]     STREAM     LISTENING     397083455 343/amavisd (ch1-av  /var/spool/amavisd/amavisd.sock

unix  2      [ ]         STREAM     CONNECTED     481728342 25062/ruby           

unix  3      [ ]         STREAM     CONNECTED     407881834 4920/dovecot         

unix  2      [ ]         STREAM     CONNECTED     481808349 25062/ruby   

The lsof command reveals similar information since it is also capable of linking open ports to services:

lsof -i | grep 834

To check if the port is associated with the official list of known services, type:

cat /etc/services

 

to check the users log in use command : who

Linux Centos 7 – Startup Services – Functions

systemctl disable httpd
Running systemctl disable removes the symlink to the service in /etc/systemd/system/*

systemctl status httpd

systemctl list-unit-files

systemctl start application.service

systemctl list-units –type=service
systemctl list-units –all –state=inactive

systemctl mask nginx.service
systemctl unmask nginx.service

systemctl edit nginx.service

To remove any additions you have made, either delete the unit’s .d configuration directory or the modified service file from /etc/systemd/system. For instance, to remove a snippet, we could type:

sudo rm -r /etc/systemd/system/nginx.service.d
To remove a full modified unit file, we would type:

sudo rm /etc/systemd/system/nginx.service
After deleting the file or directory, you should reload the systemd process so that it no longer attempts to reference these files and reverts back to using the system copies. You can do this by typing:

sudo systemctl daemon-reload

very usefull
https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units