php53-common conflicts with php-common

php53-common-5.3.3-13.el5_8.x86_64 from installed has depsolving problems
--> php53-common conflicts with php-common
Error: php53-common conflicts with php-common

 

This issue normally happens when you have upgraded PHP to the new 5.3 version and then try to install an old extension.

Solution: find a build of the extension for the same version, or install the extension from source.

 

MySQL – Master slave replication setup

To set up master-slave replication:

ON MASTER SERVER

STEP #1 – set server ID

edit my.cnf and add

server-id=1

STEP #2 – Create slave user

mysql> grant replication slave on *.* to 'slave_username'@'192.168.16.5' identified by 'slave-password';

 

STEP #3 – restart Mysql

service mysqld restart

 

ON SLAVE SERVER

STEP #4- Edit my.cnf file and add

server-id = 10
master-host = 192.168.1.1

master-user = slave_username

master-password = slave-password

replicate-ignore-db=mysql
replicate-wild-do-table=mydb.%

STEP #5 – set master host

#mysql -uroot -p

mysql> slave stop; change master to master_host = 'MASTER_IP', master_user = 'USERNAME', master_password = 'PASSWORD';

STEP #6 – restart Mysql

service mysqld restart

STEP #7 – slave start

slave start;

STEP #8 – check status

mysql> show slave status\G

Install PHP Suhosin as extension – CENTOS


Download latest version of Suhosin, enter:
# cd /opt
# wget http://download.suhosin.org/suhosin-0.9.27.tgz

Make sure you have php-devel installed:
# yum install php-devel

Compile Suhosin under PHP 5 and RHEL / CentOS Linux

Type the following commands:
# tar -xzf suhosin-0.9.27.tgz
# cd suhosin-0.9.27
# phpize
# ./configure
# make
# make install

Configure Suhosin

Type the following command to create Suhosin configuration file:
# echo 'extension=suhosin.so' > /etc/php.d/suhosin.ini

Restart web server

Type the following command to restart httpd:
# service httpd restart
If you are using lighttpd, enter:
# service lighttpd restart

Verify Suhosin installation

Type the following command:
$ php -v
Sample output:

PHP 5.1.6 (cli) (built: Jun 12 2008 05:02:36)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies
    with XCache v1.2.2, Copyright (c) 2005-2007, by mOo
    with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH

 

Setup a Basic iptables Configuration on Centos

Decide which ports and services to open


To start with, we need to decide which services we want to open to the public. Let’s use a typical web-hosting server: it is a web and email server, and we also need to let ourselves in through the SSH server.

First, we want to leave SSH port open so we can connect to the server remotely: that is port 22. Also, we need port 80 and 443 (SSL port) for web traffic. For sending email, we will open port 25 (regular SMTP) and 465 (secure SMTP). To let users receive email, we will open the usual port 110 (POP3) and 995 (secure POP3 port). Additionally, we’ll open IMAP ports, if we have it installed: 143 for IMAP, and 993 for IMAP over SSL.

Note: It is recommended to only allow secure protocols, but that may not be an option, if we cannot influence the mail service users to change their email clients.

Block the most common attacks


DigitalOcean droplets usually come with the empty configuration: all traffic is allowed. Just to make sure of this, we can flush the firewall rules – that is, erase them all:

iptables -F

We can then add a few simple firewall rules to block the most common attacks, to protect our server from script-kiddies. We can’t really count on iptables alone to protect us from a full-scale DDOS or similar, but we can at least put off the usual network scanning bots that will eventually find our server and start looking for security holes to exploit. First, we start with blocking null packets.

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

We told the firewall to take all incoming packets with tcp flags NONE and just DROP them. Null packets are, simply said, recon packets. Attackers use these to probe how we configured the server and to find weaknesses. The next pattern to reject is a syn-flood attack.

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

A syn-flood attack means that the attackers open a new connection, but do not state what they want (i.e. SYN, ACK, whatever). They just want to take up our server’s resources. The rule matches any packet that would start a new connection without being a SYN packet. We won’t accept such packets. Now we move on to one more common pattern: XMAS packets, also a recon packet.

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

We have ruled out at least some of the usual patterns that find vulnerabilities in our servers.

Open up ports for selected services


Now we can start adding selected services to our firewall filter. The first such thing is a localhost interface:

iptables -A INPUT -i lo -j ACCEPT

We tell iptables to add (-A) a rule to the incoming (INPUT) chain of the filter table that accepts (-j ACCEPT) any traffic arriving on the localhost interface (-i lo). Localhost is often used by, e.g., your website or email server communicating with a locally installed database. That way our server can use the database, but the database is closed to exploits from the internet.
Now we can allow web server traffic:

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

We added ACCEPT rules for the two ports (http port 80, and https port 443), allowing traffic in on those ports. Now, let’s allow users to use our SMTP servers:

iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

As stated before, if we can influence our users, we should rather use the secure version, but often we can’t dictate the terms and the clients will connect using port 25, where passwords are much easier to sniff. We now proceed to allow the users to read email on their server:

iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

Those two rules will allow POP3 traffic. Again, we could increase security of our email server by just using the secure version of the service. Now we also need to allow IMAP mail protocol:

iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

 

Limiting SSH access

We should also allow SSH traffic, so we can connect to the server remotely. The simple way to do it would be with this command:

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

We have now told iptables to add a rule accepting TCP traffic incoming to port 22 (the default SSH port). It is advised to change the SSH configuration to a different port, and this firewall filter should be changed accordingly, but configuring SSH is not a part of this article. However, we can do one more thing about that with the firewall itself. If our office has a permanent IP address, we could allow connections to SSH only from this source. This would allow only people from our location to connect. First, find out your outside IP address. Make sure it is not an address from your LAN, or it will not work. You could do that simply by visiting the whatismyip.com site. Another way to find it out is to type:

w

in the terminal. We should see ourselves logged in (if we’re the only one logged in) and our IP address written down. The output looks something like this:

root@iptables# w
 11:42:59 up 60 days, 11:21,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root   pts/0    213.191.xxx.xxx  09:27    0.00s  0.05s  0.00s w

Now, you can create the firewall rule to only allow traffic to SSH port if it comes from one source: your IP address:

iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS -m tcp --dport 22 -j ACCEPT

Replace YOUR_IP_ADDRESS with the actual IP, of course.

We could open more ports on our firewall as needed by changing the port numbers. That way our firewall will allow access only to the services we want. Right now, we need to add one more rule that will allow us to use outgoing connections (e.g. ping from the server or run software updates):

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

It will allow any established outgoing connections to receive replies from the server on the other side of that connection. When we have it all set up, we will block everything else, and allow all outgoing connections.

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

Now we have our firewall rules in place.

Save the configuration


Now that we have all the configuration in, we can list the rules to see if anything is missing.

iptables -L -n

The -n switch here is because we need only IP addresses, not domain names. E.g. if there is an IP in the rules like this: 69.55.48.33, the firewall would go look it up and see that it was a digitalocean.com IP. We don’t need that, just the address itself. Now we can finally save our firewall configuration:

iptables-save > /etc/sysconfig/iptables

The iptables configuration file on CentOS is located at /etc/sysconfig/iptables. The above command saved the rules we created into that file. Just to make sure everything works, we can restart the firewall:

service iptables restart

The saved rules will persist even when the server is rebooted.
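
The saved file can be checked against the policy this article builds. The script below is an added example, not part of the original article: it reads iptables-save output and reports a missing DROP policy, missing loopback or ESTABLISHED rules, SSH accepted from any source, and open cleartext POP3/IMAP ports. The sample ruleset and the address 203.0.113.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit iptables-save output against the policy built above.
# SAMPLE_RULES is constructed; 203.0.113.10 is a documentation address.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Reads iptables-save text on stdin, prints one finding per line.
audit_input() {
  awk '
    /^:INPUT / { policy = $2 }
    /^-A INPUT / {
      accept = ($0 ~ /-j ACCEPT$/)
      port = ""
      for (i = 1; i < NF; i++) if ($i == "--dport") port = $(i + 1)
      if ($0 ~ / -i lo / && accept) lo = 1
      if ($0 ~ /--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) / && accept) est = 1
      # SSH accepted without a -s source match is open to the whole internet.
      if (accept && port == "22" && $0 !~ / -s /) print "WARN ssh open to any source"
      # 110 and 143 are the cleartext POP3/IMAP ports the article advises against.
      if (accept && (port == "110" || port == "143")) print "WARN cleartext mail port " port " open"
    }
    END {
      if (policy != "DROP") print "FAIL INPUT policy is " (policy == "" ? "unset" : policy)
      if (!lo) print "FAIL no loopback accept rule"
      if (!est) print "FAIL no ESTABLISHED,RELATED accept rule"
    }'
}

printf '%s\n' "$SAMPLE_RULES" | audit_input
```

On a live server, run it as `audit_input < /etc/sysconfig/iptables`. If both the open port 22 rule and the source-restricted one were added, the open rule is still reported.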

 

courtesy: https://www.digitalocean.com/community/articles/how-to-setup-a-basic-iptables-configuration-on-centos-6

create user and grant permission – mysql

How to Create a New User

In Part 1 of the MySQL Tutorial, we did all of the editing in MySQL as the root user, with full access to all of the databases. However, in the cases where more restrictions may be required, there are ways to create users with custom permissions.

Let’s start by making a new user within the MySQL shell:

CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';

Sadly, at this point newuser has no permissions to do anything with the databases. In fact, if newuser even tries to login (with the password, password), they will not be able to reach the MySQL shell.

Therefore, the first thing to do is to provide the user with access to the information they will need.

GRANT ALL PRIVILEGES ON * . * TO 'newuser'@'localhost';

The asterisks in this command refer to the database and table (respectively) that they can access. This specific command allows the user to read, edit, execute and perform all tasks across all the databases and tables.

Once you have finalized the permissions that you want to set up for your new users, always be sure to reload all the privileges.

FLUSH PRIVILEGES;

Your changes will now be in effect.

How To Grant Different User Permissions

Here is a short list of other common possible permissions that users can enjoy.

    • ALL PRIVILEGES - as we saw previously, this would allow a MySQL user all access to a designated database (or if no database is selected, across the system)
    • CREATE - allows them to create new tables or databases
    • DROP - allows them to delete tables or databases
    • DELETE - allows them to delete rows from tables
    • INSERT - allows them to insert rows into tables
    • SELECT - allows them to use the Select command to read through databases
    • UPDATE - allows them to update table rows
    • GRANT OPTION - allows them to grant or remove other users’ privileges

To provide a specific user with a permission, you can use this framework:

 GRANT [type of permission] ON [database name].[table name] TO '[username]'@'localhost';

If you want to give them access to any database or to any table, make sure to put an asterisk (*) in the place of the database name or table name.

Each time you update or change a permission be sure to use the Flush Privileges command.

If you need to revoke a permission, the structure is almost identical to granting it:

 REVOKE [type of permission] ON [database name].[table name] FROM '[username]'@'localhost';

Just as you can delete databases with DROP, you can use DROP to delete a user altogether:

 DROP USER 'demo'@'localhost';

To test out your new user, log out by typing

 quit

and log back in with this command in terminal:

mysql -u [username] -p
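
The grants created in this tutorial and in the replication setup earlier on the page can be reviewed for excess privilege. The script below is an added example, not part of the original articles: it reads SHOW GRANTS output and flags ALL PRIVILEGES on *.*, GRANT OPTION, and accounts that may connect from any host. The sample lines are constructed, and the app and report accounts are hypothetical.

```shell
#!/bin/sh
# Added example: flag risky lines in SHOW GRANTS output.
# SAMPLE_GRANTS is constructed; the app and report accounts are hypothetical.
SAMPLE_GRANTS="GRANT ALL PRIVILEGES ON *.* TO 'newuser'@'localhost'
GRANT SELECT, INSERT, UPDATE ON \`mydb\`.* TO 'app'@'localhost'
GRANT REPLICATION SLAVE ON *.* TO 'slave_username'@'192.168.16.5'
GRANT SELECT ON \`mydb\`.* TO 'report'@'%' WITH GRANT OPTION"

# Reads one GRANT statement per line on stdin, prints one finding per line.
audit_grants() {
  awk '
    /^GRANT / {
      # The account is whatever follows TO, minus trailing clauses.
      split($0, parts, / TO /)
      acct = parts[2]
      sub(/ (WITH|IDENTIFIED) .*/, "", acct)
      # Every privilege on every database and table.
      if ($0 ~ /^GRANT ALL PRIVILEGES ON \*\.\* /) print "HIGH " acct " holds ALL PRIVILEGES on *.*"
      # The account can hand its own privileges to other accounts.
      if ($0 ~ / WITH GRANT OPTION/) print "HIGH " acct " holds GRANT OPTION"
      # A host part of % matches every client address.
      if (acct ~ /@.%.$/) print "WARN " acct " may connect from any host"
    }'
}

printf '%s\n' "$SAMPLE_GRANTS" | audit_grants
```

The replication account passes because it holds only REPLICATION SLAVE and is pinned to one host; the scoped app account passes as well.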

Courtesy: https://www.digitalocean.com/community/articles/how-to-create-a-new-user-and-grant-permissions-in-mysql

 
