SSL Certificate on Tomcat

Meaning:-

     SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.

    To be able to create an SSL connection a web server requires an SSL Certificate. Your web server then creates two cryptographic keys – a “Private Key” and a “Public Key”.

    The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR). You then submit the CSR during the SSL Certificate application process; the Certification Authority validates your details and issues an SSL certificate containing those details, which allows you to use SSL.

    Your web server will match your issued SSL Certificate to your Private Key; if it matches, it establishes an encrypted link between the website and your customer’s web browser. Below are the steps for how to generate an SSL certificate on Apache and Tomcat.

        -: Generate SSL Certificate on Tomcat :-   

1) Using the “java keytool” command line utility, the first thing you need to do is
   create a keystore and generate the key pair. You can do this with the
   following command.

    SHELL> keytool -genkey -keysize 1024 -keyalg RSA -alias tomcat -keystore \
           <mykey.keystore>

Here,

    The above command generates a 1024 bit key pair with the RSA algorithm and stores it in the keystore under the alias “tomcat”.
   
    After running the above command it will ask some questions which you will
    have to answer. The questions are,

    Enter keystore password: 
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  bhavesh.com
    What is the name of your organizational unit?
      [Unknown]:  Information Technology
    What is the name of your organization?
      [Unknown]:  Bhavesh Private Limited
    What is the name of your City or Locality?
      [Unknown]:  Mumbai
    What is the name of your State or Province?
      [Unknown]:  Maharastra
    What is the two-letter country code for this unit?
      [Unknown]:  IN
    Is CN=bhavesh.com, OU=Information Technology, O=Bhavesh Private Limited, L=Mumbai,
    ST=Maharastra, C=IN correct?
      [no]:  yes

    Enter key password for <tomcat>
            (RETURN if same as keystore password): 

2) Now, with the keystore generated above, you need to create a new Certificate
   Signing Request (CSR). To create a CSR run the below command at your command prompt.

    SHELL> keytool -certreq -alias tomcat -file <yourdomain.csr> \
       -keystore mykey.keystore

Here,
    The new CSR is generated from the keystore. The content of the newly generated CSR
    (yourdomain.csr) looks like this,


3) Now you will need to purchase an SSL certificate from a Certificate
   Authority (such as godaddy.com, GeoTrust or VeriSign), where you will get an
   account from which you can upload your CSR. After uploading the CSR you will get
   an email verification mail containing an HTTP link from which you approve the
   order; after that you will receive your SSL certificate by email.

   Now that you have your SSL certificate, run the below command to import it into
   your keystore file.

    SHELL> keytool -import -alias tomcat -keystore mykey.keystore -trustcacerts -file
           <yourdomain.crt>   

Here,
    We have imported the SSL certificate into the keystore.
   

4) Now add the below mentioned lines to the “SSL/TLS Connector configuration” part of your
   Tomcat configuration file.

    keystoreFile="/FOLDER/PATH/conf/mykey.keystore"
    keystorePass="password"

Here,
    “keystorePass” will be the password which you have given while generating
    “mykey.keystore” file.

5) Now restart the Tomcat service and that’s it.

MySQL’s BLACKHOLE Storage Engine

        The BLACKHOLE storage engine is named “black hole” because it accepts data but does not store it. If you insert any record, it will report that the table was updated, but when you run a SELECT query on the same table you will get an empty result:

Below is the example,


       The BLACKHOLE storage engine is included by default in MySQL. If you build MySQL from source, pass the --with-blackhole-storage-engine option.

      When you create a BLACKHOLE table, only the .frm file is created, because it does not need to store data, so no .MYD and .MYI files are needed. You can check whether the BLACKHOLE storage engine is available by running the MySQL statement below at the mysql prompt.




      Inserts into a BLACKHOLE table do not store any data, but if the binary log is enabled, the SQL statements are logged and replicated to slave servers.

      If you run a high volume production system, you may have one or more master databases for writes/updates/deletes and a whole bunch of slaves reading the log from that master. This increases network traffic, disk I/O, CPU usage and so on, which affects the performance of the master server.

      To solve this problem you can take the help of MySQL’s BLACKHOLE storage engine, as shown in the example below.



      What you then have is the Master only replicating to one database, increasing the Master’s capacity to process  transactions. The slaves consume the log file from the Blackhole server. It acts as a proxy at this point, with the benefit of freeing up resources on the Master’s server.

      The master writes to its binary log. The “Blackhole” server acts as a proxy slave server; it does not actually store any data, so there is little processing overhead, and the other slave servers read the binary log from this server.

   
Other possible uses for the BLACKHOLE storage engine include:

* Verification of dump file syntax.
* Measurement of the overhead from binary logging, by comparing performance
  using BLACKHOLE with and without binary logging enabled.

MySQL storage engine Sphinx

=> Sphinx Overview

Sphinx is a MySQL storage engine which can be compiled into MySQL server 5.x versions. If you want to compile it with the MySQL 5.0 series then you must have MySQL 5.0.22 or higher, or MySQL 5.1.12 or higher in the 5.1.x series.

Sphinx does not actually store any data itself. It is a built-in client which allows the MySQL server to talk to searchd, run search queries and obtain search results. All indexing and searching happens outside MySQL.

=> Pre-Compile Package Requirements

You will need to install the packages below before compiling Sphinx

* autoconf
* automake
* libtool
* bison

=> Downloading, Installing and Compiling Sphinx

If you already have MySQL on your server then there is no need to install it again; just follow “Installing Sphinx Add-On for already Installed MySQL”. But if you want to install a fresh copy of MySQL with Sphinx then follow the steps below.

++  For MySQL 5.1 Series

1. Download the latest stable version of MySQL from “http://dev.mysql.com/downloads/” and Sphinx from “http://sphinxsearch.com”



2. Untar the downloaded package.


3. In the MySQL sources directory, create a storage/sphinx directory and copy all files from Sphinx’s mysqlse directory to MySQL’s storage/sphinx folder, e.g.,

4. In the MySQL sources directory, run the command below

5. Now configure MySQL with the Sphinx engine on the “/usr/local/mysql-5.1” path.

6. Build and Install MySQL with Sphinx

++  For MySQL 5.0 Series

1. Download the latest stable version of MySQL from “http://dev.mysql.com/downloads/” and Sphinx from “http://sphinxsearch.com”

2. Untar the downloaded package.

3. For the MySQL 5.0 series you will first have to apply a patch, which is found at “/usr/local/src/sphinx-0.9.8.1/mysqlse/sphinx.5.0.37.diff”.

4. In the MySQL sources directory, run the command below

5. In the MySQL sources directory, create an sql/sphinx directory and copy all files from the mysqlse directory of the Sphinx sources there.

6. Now configure MySQL with the Sphinx engine on the “/usr/local/mysql-5.0” path.

7. Build and Install MySQL with Sphinx



++ Installing Sphinx Add-On for already Installed MySQL

    *  For the MySQL 5.1 and MySQL 5.0 series skip the 1st and 2nd steps, but make sure you have the latest copy of Sphinx.

=>  Checking Sphinx installation

To check whether Sphinx has been successfully compiled into MySQL, run the SHOW ENGINES query in the MySQL shell. You should see Sphinx present and its “Support” column should contain “YES”.

Make Data unrecoverable after formating HDD

         Every few months, a slow news day leads to somebody, somewhere, buying an old PC, hard drive, or flash memory card off ebay, and then writing a story about how they were able to restore all the files that the previous owner had tried to erase prior to selling.

         If you want to sell hardware and you’re not sure how some people can recover data from supposedly-erased hard drives, this article is for you.

         I’m going to use this diagram to explain the whole thing: It represents data stored on a PC filesystem, such as a hard drive or Flash memory such as you get in digital cameras. It’s hugely reduced in size (even a floppy disk would be more than 2000 times bigger than this!) to simplify the explanations, but it’s good enough to illustrate the principles:


   a b c d e f g h i j k l m n o p q r s t u v w x y z

a  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
b  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
c  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
d  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
e  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
f  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
g  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
h  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
i  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
j  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
k  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
l  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
m  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
n  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
o  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
p  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
q  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
r  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
s  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
t  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
u  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
v  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
w  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
x  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
y  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
z  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

It’s currently a totally blank disk. Each zero represents one byte of data.

         Now, no working disk drive looks like this, even when it’s empty. The first thing that a disk has is a partition table. Most Windows PCs only have one partition, very slightly smaller than the capacity of the hard drive. But you can have up to four partitions on a normal disk drive (or even more, depending on your operating system.)

         So we partition our disk drive, and now the computer knows where it can store data:

   a b c d e f g h i j k l m n o p q r s t u v w x y z

a  p a r t i t i o n 1 = b a - z z 0 0 0 0 0 0 0 0 0 0
b  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
c  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
d  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
e  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
f  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
g  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
h  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
i  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
j  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
k  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
l  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
m  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
n  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
o  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
p  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
q  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
r  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
s  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
t  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
u  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
v  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
w  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
x  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
y  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
z  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

         We’ve defined a single partition that occupies the disk from the start of the second row (ba) to the end of the last row (zz). We can’t start storing data before ‘ba’, because hard drives devote a certain amount of space to partition tables, and in our case, it’s the whole of the first row.

         Next, we need to format our partition – in Windows, that means either NTFS or FAT. Other OSes use other filesystems. We’re going to use an imaginary one to keep things simple. (To save space, I’m not going to show all the empty lines in the following diagrams)

   a b c d e f g h i j k l m n o p q r s t u v w x y z

a  p a r t i t i o n 1 = b a - z z 0 0 0 0 0 0 0 0 0 0
b  f o r m a t = c a - z z 0 0 0 0 0 0 0 0 0 0 0 0 0 0
c  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
d  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
e  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
f  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

         Again, we’ve devoted a complete row, this time to information about our formatted partition. However, the remaining 24 lines of space are now ready for writing. With this particular filesystem, the first row of the partition tells the computer where the files’ contents are stored. We’re going to add a file “credit.txt”, a text file that holds our credit-card number.

   a b c d e f g h i j k l m n o p q r s t u v w x y z

a  p a r t i t i o n 1 = b a - z z 0 0 0 0 0 0 0 0 0 0
b  f o r m a t = c a - z z 0 0 0 0 0 0 0 0 0 0 0 0 0 0
c  c r e d i t . t x t = d a - d s 0 0 0 0 0 0 0 0 0 0
d  1 2 3 4 - 3 2 1 2 - 3 4 5 6 - 5 4 3 2 0 0 0 0 0 0 0
e  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
f  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

         The file and its location are now added (in green), and the contents (in orange) clearly visible from a simple scan of the disk.

         Now this is where the problems start. We want to sell this drive, so we need to delete our credit card details from it. We delete the file, and this, we think, will delete the credit card details.

Right. . ?

Wrong. This is our filesystem after we delete the file:

   a b c d e f g h i j k l m n o p q r s t u v w x y z

a  p a r t i t i o n 1 = b a - z z 0 0 0 0 0 0 0 0 0 0
b  f o r m a t = c a - z z 0 0 0 0 0 0 0 0 0 0 0 0 0 0
c  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
d  1 2 3 4 - 3 2 1 2 - 3 4 5 6 - 5 4 3 2 0 0 0 0 0 0 0
e  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

         The file’s entry has been removed from row ‘c’ – The computer is presented with what it thinks is a blank disk. But the contents of the file are left untouched: Only row ‘c’ has been altered. The file has been logically deleted, because to the computer, the disk appears empty. But it has not been physically deleted: It’s still there.

         Perhaps, instead, we should have simply deleted the whole partition? Let’s see what this would have achieved:

   a b c d e f g h i j k l m n o p q r s t u v w x y z

a  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
b  f o r m a t = c a - z z 0 0 0 0 0 0 0 0 0 0 0 0 0 0
c  c r e d i t . t x t = d a - d s 0 0 0 0 0 0 0 0 0 0
d  1 2 3 4 - 3 2 1 2 - 3 4 5 6 - 5 4 3 2 0 0 0 0 0 0 0
e  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
f  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0


         Oh dear, this is even worse! The partition is gone, but all the information about the formatted filesystem and its contents are still there. It’s very easy, with the data we’ve got, to simply re-create the partition table and restore all files within it. This makes it even easier for our malicious buyer to grab our credit card details!

         The problem, in a nutshell, is that deleting never actually deletes the information. At best, it removes references to the information while leaving the information itself untouched.

         In order to delete a file safely, what we really need to do is get at the actual contents. At this point, my bias starts to show through, because I think Linux users are considerably better off than Windows users here: Linux usually comes with a tool that does this very thing. It’s called shred. If you’re a Windows user, either get hold of a Linux LiveCD such as Knoppix, or look up a Windows-specific secure deletion program on Google. I’m going to continue by talking about shred, but the principles are the same whatever you use.

         Shred and its brethren simply overwrite file contents with random data. As an example, let’s see what would happen if we shred credit.txt:

   a b c d e f g h i j k l m n o p q r s t u v w x y z

a  p a r t i t i o n 1 = b a - z z 0 0 0 0 0 0 0 0 0 0
b  f o r m a t = c a - z z 0 0 0 0 0 0 0 0 0 0 0 0 0 0
c  c r e d i t . t x t = d a - d s 0 0 0 0 0 0 0 0 0 0
d  k 2 v @ ( j 5 Z £ ^ ! k a 8 * N 8 A , 0 0 0 0 0 0 0
e  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
f  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

         That’s better! The file is still there, but the contents are of no use to anybody. Shred learned from the green row, ‘c’, that credit.txt’s data was located from ‘da’ to ‘ds’ and then wrote random data to that area of the disk. If we now delete the file as usual, we can be sure that this disk drive has no clue as to our credit card number.

But what if we had a file with our credit card details in it that we deleted several months ago? What if its contents are still there, somewhere?

         The only way to make absolutely sure that no recoverable data is left on the disk at all is to shred the whole thing. This does what we really wanted to do right at the start: Removes absolutely everything from the disk. Because Windows locks the files that it is currently using, and all OSes tend to write to the disk from time to time, you can’t do this from within a normal OS. You need to use something that can function independently: Knoppix is really handy at this point! Do, of course, bear in mind that what you’re doing here is permanently and irreversibly wiping a disk drive completely, so make sure you remove or at least unplug any drives that you don’t want wiped! Accidents do happen. . .
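The diagrams above can be replayed in code. The following Python model is an added example (mine, not the article's) of the 26x26 toy disk: a normal delete clears only the directory row, deleting the partition clears only the partition table, and only overwriting the file's extent or the whole device removes the number from a raw scan. The row layout and the sample card number are the article's; the class and function names are my own.

```python
import random
import re
import string

LETTERS = string.ascii_lowercase   # row and column names, a..z
SIZE = 26                          # 26 x 26 one-byte cells
JUNK = string.ascii_letters + string.punctuation   # no digits, see shred_file()
CARD_RE = re.compile(r"\d{4}-\d{4}-\d{4}-\d{4}")


class ToyDisk:
    """Row a = partition table, row b = format info, row c = directory,
    rows d..z = file contents, as in the diagrams above."""

    def __init__(self):
        self.cells = [["0"] * SIZE for _ in range(SIZE)]   # blank disk
        self.rng = random.Random(1)   # seeded so the walkthrough is repeatable

    @staticmethod
    def addr(a):
        """Two-letter address -> (row, col); 'da' is row d, column a."""
        return LETTERS.index(a[0]), LETTERS.index(a[1])

    def write(self, start, text):
        """Write text byte by byte from 'start'; returns the last address used."""
        r, c = self.addr(start)
        last = start
        for ch in text:
            self.cells[r][c] = ch
            last = LETTERS[r] + LETTERS[c]
            r, c = (r, c + 1) if c < SIZE - 1 else (r + 1, 0)
        return last

    def clear_row(self, row):
        self.cells[LETTERS.index(row)] = ["0"] * SIZE

    def row(self, row):
        return "".join(self.cells[LETTERS.index(row)])

    def raw(self):
        return "".join("".join(r) for r in self.cells)   # every byte, filesystem ignored

    def partition(self):
        self.write("aa", "partition1=ba-zz")

    def format(self):
        self.write("ba", "format=ca-zz")

    def create_file(self, name, data):
        end = self.write("da", data)             # contents start at 'da'
        self.write("ca", f"{name}=da-{end}")     # directory entry in row c

    def delete_file(self):        # normal delete: only row c goes away
        self.clear_row("c")

    def delete_partition(self):   # only the partition table (row a) goes away
        self.clear_row("a")

    def directory_entry(self):
        m = re.match(r"([^=]+)=([a-z]{2})-([a-z]{2})", self.row("c"))
        return m.groups() if m else None

    def shred_file(self):
        """Like shred(1) on a file: overwrite exactly the extent named in the
        directory entry. JUNK has no digits, so no card lookalike can appear."""
        _name, start, end = self.directory_entry()
        (r0, c0), (r1, c1) = self.addr(start), self.addr(end)
        length = (r1 * SIZE + c1) - (r0 * SIZE + c0) + 1
        self.write(start, "".join(self.rng.choice(JUNK) for _ in range(length)))

    def shred_disk(self, zero=False):
        """Like 'shred /dev/hda' (zero=True: 'shred -z'): every byte on the device."""
        for r in range(SIZE):
            for c in range(SIZE):
                self.cells[r][c] = "0" if zero else self.rng.choice(JUNK)


def find_card_number(disk):
    """The 'simple scan of the disk' a buyer could run over the raw bytes."""
    m = CARD_RE.search(disk.raw())
    return m.group(0) if m else None


def disk_with_card():
    d = ToyDisk()
    d.partition()
    d.format()
    d.create_file("credit.txt", "1234-3212-3456-5432")   # the article's sample number
    return d


def walkthrough():
    """Replays the article's scenarios; returns what a raw scan finds after each."""
    result = {"written": find_card_number(disk_with_card())}
    d = disk_with_card(); d.delete_file()
    result["after_delete_file"] = find_card_number(d)        # still there
    d = disk_with_card(); d.delete_partition()
    result["after_delete_partition"] = find_card_number(d)   # still there
    d = disk_with_card(); d.shred_file()
    result["after_shred_file"] = find_card_number(d)         # gone
    d.shred_disk(zero=True)
    result["zeroed"] = d.raw() == "0" * (SIZE * SIZE)
    return result
```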

         From within Knoppix, you would open up a terminal and use fdisk -l to tell you what disk drives it can detect. It should show you at least two: The CD you booted from, and the drive you want to wipe.

         The naming system is a bit arcane if you’re used to Windows and “C:” and “D:” for the hard drive and CD-ROM, but it’s simple enough to follow. All hard drive names start with “/dev” which simply means “device” – all the PC’s hardware has a name beginning with “/dev”. Typically, a hard drive will be “hd” if it’s IDE, or “sd” if it’s SATA. It will also have a letter following it: The first hard drive will be “a”, the second “b”, and so on.

         So if you have a simple IDE hard drive, it will be called “/dev/hda”. If you have a SATA drive with two partitions, the disk will be “/dev/sda” and the partitions will be “/dev/sda1″ and “/dev/sda2″

Simple enough, once you get the hang of it.

So, if your hard drive is a standard IDE, it will be /dev/hda you want to erase, and you would issue the command shred /dev/hda and then go and find something else to do for a while, because this takes quite some time: There’s a lot of data to write. By default, shred will overwrite the whole drive 25 times! If you have a 100GB disk, that means writing 2500GB of data. To just do it once, you would type shred -n 1 /dev/hda, but bear in mind that this is less secure.

         Eventually, shred will leave you with a filesystem that looks like this:


  
   a b c d e f g h i j k l m n o p q r s t u v w x y z

a  n # Y v C n $ } I / . ` b 0 J r n v 9 8 N % I : 3 ?
b  = Y ` K c E b x x f W S p y \ g L l $ C ? ) , 8 k o
c  O ! w | \ 7 2 v A i O I p w 5 v O k 1 \ I ` s T u a
d  N g h j t y – 2 n c k m r 1 ( W 1 r . i < M _ L ‘ +
e  @ } G L ^ ^ f ( t S = ] i ( D q ! r E 5 = K _ y 0 7
f  % _ Z a o g I 2 . K v u O h D q q , A ` 2 0 E ” g ?
g  K | k g 6 A ” j % S ? Z v a p t Z l x z < r P 3 D v
h  > # n ( A e D * < _ [ N e x 7 i r T c a z f R t _ 3
i  9 M i # / K m E Z & k M ; m | C b * - > , _ * f i d
j  | ( \ i m c o 3 k H & 5 G ; Q + ] m M w M 0 ) J E ?
k  u ! T M r c ; 7 ` w < F , M \ 9 } a q # C j 0 Z u <
l  O I p A : , D H } \ q 5 O 9 x z : C t { b > O ` G ;
m  m V [ M p ` U p @ i C v n ' , s P | t I U Y T , / n
n  h # h n i a J I R y b S y 0 A I W r U C 4 o F # b X
o  - E ^ \ Q [ l U I + # u v { Y ( U _ @ = o ) h J _ m
p  ^ L n t J # A ; V . ] m ! ] c a _ { , ” l m X \ o e
q  % 6 n c g H x G 2 ^ , T ` ” ” / 0 > U X 8 % . 3 / 5
r  ] f H f r h M ! c j W = 3 | I k | 6 J | X K f 3 T ,
s  Y A > U / 0 Z $ y . C n T + & L } K o M m h { | s x
t  _ o p L ] y g > _ N B & H 4 ; Y 3 B – j T m F . F o
u  Q ? / F C ! Z j 3 : t E 9 s a o } _ H ” \ : q ] W #
v  z ; w j W 2 : B * o P Q ! % 6 ” 9 L m z I t r 8 _ +
w  = l V { h n 9 I t Y A r f r L d V H C $ s g ! { s J
x  L ] I r E + q b Q \ y B & Q 3 I # $ W b , y x V Y t
y  f $ ^ ‘ c O } @ 5 B _ 5 \ w 0 N Q j ( b – I w & ( ?
z  ^ . y \ ” 2 F x ` V s # H 5 ; t ! } ! y 5 y ? e w #

         If you’d rather it was returned to the pristine block of zeros we started with, add -z to the command: shred -z /dev/hda and the final pass of shred will write zeros instead of random data. We thus end up with this:

   a b c d e f g h i j k l m n o p q r s t u v w x y z

a  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
b  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
c  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
d  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
e  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
f  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
g  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
h  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
i  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
j  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
k  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
l  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
m  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
n  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
o  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
p  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
q  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
r  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
s  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
t  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
u  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
v  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
w  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
x  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
y  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
z  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

         And your disk is now about as safe as it can be, short of placing it in solvent and leaving it there until it dissolves. In theory, the data can still be recovered after multiple random over-writes, but you’d need very expensive forensic equipment to manage it: Not something the average ebayer is likely to have.

MySQL Internals

By April of 2000, with some encouragement and sponsorship from Slashdot, master-slave replication capability was added. The old nontransactional storage engine, ISAM, was reworked and released as MyISAM.

By early 2002 the MySQL/InnoDB combo was stable and instantly took MySQL to another level. Version 4.0 was finally declared production stable in March 2003.

One can identify the following modules in the server:

• Server Initialization Module
• Connection Manager
• Thread Manager
• Connection Thread
• User Authentication Module
• Access Control Module
• Parser
• Command Dispatcher
• Query Cache Module
• Optimizer
• Table Manager
• Table Modification Modules
• Table Maintenance Module
• Status Reporting Module
• Abstracted Storage Engine Interface (Table Handler)
• Storage Engine Implementations (MyISAM, InnoDB, MEMORY, Berkeley DB)
• Logging Module
• Replication Master Module
• Replication Slave Module
• Client/Server Protocol API
• Low-Level Network I/O API
• Core API

=> Interaction of the Core Modules

When the server is started on the command line, the Initialization Module takes control. It parses the configuration file and the command-line arguments, allocates global memory buffers, initializes global variables and structures, loads the access control tables, and performs a number of other initialization tasks. Once the initialization job is complete, the Initialization Module passes control to the Connection Manager, which starts listening for connections from clients.

When a client connects to the database server, the Connection Manager performs a number of low-level network protocol tasks and then passes control to the Thread Manager, which in turn supplies a thread to handle the connection. Once the Connection Thread receives control, it first invokes the User Authentication Module. The credentials of the connecting user are verified, and the client may now issue requests.

The Connection Thread passes the request data to the Command Dispatcher. In MySQL server terminology, there are two types of client requests: a query and a command. A query is anything that has to go through the parser. A command is a request that can be executed without the need to invoke the parser.

The Command Dispatcher forwards queries to the Parser through the Query Cache Module. The Query Cache Module checks whether the query is of a type that can be cached, and if a previously computed result for it is still valid in the cache, that cached result is returned to the client. If the Query Cache Module reports a miss, the query goes to the Parser, which will make a decision on how to transfer control based on the query type.

Select queries are forwarded to the Optimizer; updates, inserts, deletes, and table-creation and schema-altering queries go to the respective Table Modification Modules; queries that check, repair, update key statistics, or defragment the table go to the Table Maintenance module; queries related to replication go to the Replication Module; and status requests go to the Status Reporting Module.

At this point, each of the modules that will receive control from the Parser passes the list of tables involved in the query to the Access Control Module and then, upon success, to the Table Manager, which opens the tables and acquires the necessary locks. Now the table operation module is ready to proceed with its specific task and will issue a number of requests to the Abstracted Storage Engine Module for low-level operations such as inserting or updating a record, retrieving the records based on a key value, or performing an operation on the table level, such as repairing it or updating the index statistics.

If the low-level module has made a modification to the data in some way and if the binary update logging is enabled, the module will be responsible for asking the Logging Module to log the update event to the binary update log, sometimes known as the replication log, or, among MySQL developers and power users, the binlog.

Once the task is completed, the execution flow returns to the Connection Thread, which performs the necessary clean-up and waits for another query or command from the client. The session continues until the client issues the Quit command.

=> Replication

In addition to interacting with regular clients, a server may receive a command from a replication slave to continuously read its binary update log. This command will be handled by the Replication Master Module.

If the server is configured as a replication slave, the Initialization Module will call the Replication Slave Module, which in turn will start two threads, called the SQL Thread and the I/O thread. They take care of propagating updates that happened on the master to the slave. It is possible for the same server to be configured as both a master and a slave.


=> Server Initialization Module

• init_common_variables( )
• init_thread_environment( )
• init_server_components( )
• grant_init( ) in sql/sql_acl.cc
• init_slave( ) in sql/slave.cc
• get_options( )

=> Connection Manager

• handle_connections_sockets( )

=> Thread Manager

• create_new_thread( )
• start_cached_thread( )

=> Connection Thread

• handle_one_connection( )

=> User Authentication Module

• acl_check_host( )
• create_random_string( )
• check_user( )
• acl_getroot( )

=> Access Control Module

• check_grant( )
• check_table_access( )
• check_grant_column( )
• acl_get( )

=> Parser

• mysql_parse( )
• yyparse( )

=> Command Dispatcher

• do_command( )
• dispatch_command( )

=> Query Cache Module

• Query_cache::store_query( )
• Query_cache::send_result_to_client( )

=> Optimizer

• mysql_select( )
• JOIN::prepare( )
• JOIN::optimize( )
• JOIN::exec( )
• make_join_statistics( )
• find_best_combination( )
• optimize_cond( )

=> Table Manager

• openfrm( )
• mysql_create_frm( )
• open_table( )
• open_tables( )
• open_ltable( )
• mysql_lock_table( )

=> Table Modification Modules

• mysql_update( )
• mysql_multi_update( )
• mysql_insert( )
• mysql_create_table( )
• mysql_alter_table( )
• mysql_rm_table( )
• mysql_delete( )

=> Table Maintenance Module

• mysql_check_table( )
• mysql_repair_table( )
• mysql_backup_table( )
• mysql_restore_table( )
• mysql_optimize_table( )
• mysql_analyze_table( )

=> Status Reporting Module

• mysqld_list_processes( )
• mysqld_show( )
• mysqld_show_create( )
• mysqld_show_fields( )
• mysqld_show_open_tables( )
• mysqld_show_warnings( )
• show_master_info( )
• show_binlog_info( )

=> Storage Engine Implementations (MyISAM, InnoDB, MEMORY/HEAP, Berkeley DB, NDB)

=> Replication Master Module

• mysql_binlog_send( )

=> Replication Slave Module

• handle_slave_io( )
• handle_slave_sql( )

NIC Bonding

                             

Meaning:-

        The concept of NIC Bonding (or sometimes called NIC Teaming) is that you have two NICs bonded together to appear as if they are the same physical device. I.e. They will both present the same Hardware (MAC) address. This is accomplished through the ifenslave utility, which enables the kernel to see/use only one device.

NIC Bonding is also known as:

* “NIC Aggregation” (Mainly Linux world)
* “NIC Teaming” (Mainly Windows world)
* “Port Trunking” (Mainly hardware world)
                             
        It provides increased bandwidth by merging the bandwidth of the individual ports/NICs. Its primary use is to increase a network link speed beyond the limits of any one single cable or port. It can also be used for failover: if one link dies, all traffic to and from the machine should be routed to the remaining links.

        “ifenslave” is a tool to attach and detach slave network interfaces to a bonding device. A bonding device will act like a normal Ethernet network device to the kernel, but will send out the packets via the slave devices using a simple round-robin scheduler. This gives you simple load-balancing.

NIC Bonding Prerequisites :-

      You must have bonding support in your kernel; you can check with the following.

$ modprobe -l | grep bonding
/lib/modules/2.6.9-55.ELsmp/kernel/drivers/net/bonding/bonding.ko

$ cat /boot/config-2.6.9-55.EL | grep -i bonding
CONFIG_BONDING=m

NIC Bonding Configuration :-

(1) The “modprobe.conf” file should include the following 3 lines.

$ cat /etc/modprobe.conf

alias bond0 bonding
options bond0 max_bonds=2 miimon=100 mode=1
options bond1 miimon=100 mode=1

Here:
      max_bonds = “The number of bonding devices to create for this instance of the bonding driver, e.g., if max_bonds is 3, and the bonding driver is not already loaded, then bond0, bond1 and bond2 will be created. The default value is 1.”

      miimon = “Specifies the MII link monitoring frequency in milliseconds. This determines how often the link state of each slave is inspected for link failures. A value of zero disables MII link monitoring. A value of 100 is a good starting point.”

      mode = ” Specifies one of the bonding policies. The default is balance-rr (round robin).”
      Possible values are:

0 = Round-robin policy: Transmit packets in sequential order from the first slave
through the last.

1 = Active-backup policy: Only one slave in the bond is active. A different slave
becomes active if, and only if, the active slave fails.

2 = Tries to balance traffic by splitting up outgoing packets between the adapters,
using the same one for each specific destination when possible.

3 = Broadcast policy: transmits everything on all slave interfaces. This mode
provides fault tolerance.

(2) You will have to add the following to get a working NIC bond.

$ vi /etc/sysconfig/network-scripts/ifcfg-bond0

## Now add the following things to the above file. ##

DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
NETWORK=
NETMASK=
IPADDR=
GATEWAY=
USERCTL=no

(3) Now append the following lines to the eth0 config file.

$ vi /etc/sysconfig/network-scripts/ifcfg-eth0

## Now append the following to the above file. ##

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
MASTER=bond0
SLAVE=yes
USERCTL=no

(4) Now append the following lines to the eth1 config file.

$ vi /etc/sysconfig/network-scripts/ifcfg-eth1

## Now append the following to the above file. ##

DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
MASTER=bond0
SLAVE=yes
USERCTL=no
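As an added check (my code, not from the post), here is a Python validator for the files above. It parses the modprobe.conf options and the ifcfg files, maps the numeric mode to the bonding policy the post lists, and flags the mistakes that most often leave a bond half-working: miimon=0, a slave pointing at a bond with no ifcfg file, a slave not set to BOOTPROTO=none, and a bond with BOOTPROTO=none but no IPADDR/NETMASK. The sample files are constructed, with those mistakes planted on purpose; the function names are my own.

```python
import re

# Bonding modes as numbered in the post (kernel policy names).
BOND_MODES = {"0": "balance-rr", "1": "active-backup", "2": "balance-xor", "3": "broadcast"}

# Constructed sample files (not from a real host). Planted mistakes: bond1 has
# miimon=0, bond0 has no address, eth1 uses DHCP and points at a bond with no ifcfg file.
SAMPLE_FILES = {
    "/etc/modprobe.conf": "alias bond0 bonding\n"
                          "options bond0 max_bonds=2 miimon=100 mode=1\n"
                          "options bond1 miimon=0 mode=1\n",
    "ifcfg-bond0": "DEVICE=bond0\nBOOTPROTO=none\nONBOOT=yes\nNETWORK=\nNETMASK=\n"
                   "IPADDR=\nGATEWAY=\nUSERCTL=no\n",
    "ifcfg-eth0": "DEVICE=eth0\nONBOOT=yes\nBOOTPROTO=none\nMASTER=bond0\nSLAVE=yes\nUSERCTL=no\n",
    "ifcfg-eth1": "DEVICE=eth1\nONBOOT=yes\nBOOTPROTO=dhcp\nMASTER=bond1\nSLAVE=yes\nUSERCTL=no\n",
}


def parse_ifcfg(text):
    """KEY=value lines (quotes stripped); comments and blank lines ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            cfg[k.strip().upper()] = v.strip().strip("\"'")
    return cfg


def parse_modprobe_options(text):
    """'options bondN k=v k=v ...' -> {'bondN': {'k': 'v', ...}}."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*options\s+(\S+)\s+(.*)", line)
        if m:
            opts.setdefault(m.group(1), {}).update(
                kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return opts


def validate(files):
    """Return a list of problems found in the modprobe.conf and ifcfg files."""
    problems = []
    opts = parse_modprobe_options(files.get("/etc/modprobe.conf", ""))
    for bond, kv in opts.items():
        mode = kv.get("mode", "0")          # the driver default is balance-rr
        if mode not in BOND_MODES:
            problems.append(f"{bond}: unknown mode {mode!r}")
        if kv.get("miimon", "0") == "0":
            problems.append(f"{bond}: miimon=0 disables link monitoring, so failover never triggers")

    ifcfgs = {n: parse_ifcfg(t) for n, t in files.items() if n.startswith("ifcfg-")}
    bonds = {c["DEVICE"] for c in ifcfgs.values() if c.get("DEVICE", "").startswith("bond")}
    slaves_of = {b: [] for b in bonds}
    for name, c in ifcfgs.items():
        dev = c.get("DEVICE", name)
        if c.get("SLAVE", "").lower() != "yes":
            continue
        master = c.get("MASTER", "")
        if master in bonds:
            slaves_of[master].append(dev)
        else:
            problems.append(f"{dev}: MASTER={master!r} has no ifcfg-{master} file")
        if c.get("BOOTPROTO") != "none":
            problems.append(f"{dev}: slave must use BOOTPROTO=none, not {c.get('BOOTPROTO')!r}")
        if c.get("ONBOOT", "").lower() != "yes":
            problems.append(f"{dev}: ONBOOT should be yes")

    for b in sorted(bonds):
        c = next(c for c in ifcfgs.values() if c.get("DEVICE") == b)
        if c.get("ONBOOT", "").lower() != "yes":
            problems.append(f"{b}: ONBOOT should be yes")
        if c.get("BOOTPROTO") == "none":     # static addressing: the bond needs an address
            for key in ("IPADDR", "NETMASK"):
                if not c.get(key):
                    problems.append(f"{b}: {key} is empty but BOOTPROTO=none needs a static address")
        if not slaves_of[b]:
            problems.append(f"{b}: no slave interface points at it")
    return problems
```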

Secure SHELL (SSH) Hardening

                                       


(1) Change the default port of ssh from (22) to another port above (1024); the port must be free.
e.g:-
    
          Port 7824

(2) Change the PermitRootLogin setting to (no) . The default is yes.
e.g:-    
          PermitRootLogin no

(3) Change PermitEmptyPasswords setting to (no).
e.g:-    
          PermitEmptyPasswords no

(4) Change the Protocol setting to “2” if it is “1”. The default value is “2”.
e.g:-
    
          Protocol 2

(5) Change LoginGraceTime to a lower number. The default is 120 (seconds).
e.g:-    
          LoginGraceTime 60

(6) Change or add the AddressFamily setting: “inet” (for IPv4 only), “inet6” (for IPv6 only) or “any” (for both IPv4 and IPv6).
e.g:-    
          AddressFamily inet

(7) Add ListenAddress to sshd_config if you want to run the SSH service on a particular address only.
e.g:-
    
          ListenAddress xxx.xxx.xxx.xxx

(8) Change MaxAuthTries to 3 (or any value you want). It specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.
e.g:-
    
          MaxAuthTries 3

(9) Add a Banner to the config file if you want to show a message to all users who connect to your server through ssh.
e.g:-    
          Banner /etc/issue.net

(10) Add or change AllowUsers, AllowGroups, DenyUsers and DenyGroups to make an access control list that allows or denies login.
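To audit an existing server against the ten points above, here is an added Python checker (mine, not part of the post). It reads sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive) and reports every point that is not met, falling back to the defaults the post quotes when a directive is absent or commented out. Both config samples are constructed; the function names are my own, and Match blocks are assumed absent.

```python
import re

# Constructed sample sshd_config with stock-looking values (not from a real host).
SAMPLE_CONFIG = """\
# sshd_config (constructed for this example)
#Port 22
Protocol 2,1
PermitRootLogin yes
#PermitEmptyPasswords no
LoginGraceTime 2m
MaxAuthTries 6
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

# The same file after applying the ten points above (constructed).
HARDENED_CONFIG = """\
Port 7824
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
LoginGraceTime 60
AddressFamily inet
MaxAuthTries 3
Banner /etc/issue.net
AllowGroups sshadmins
"""

# Defaults quoted in the post, used when a directive is absent or commented out.
DEFAULTS = {"port": "22", "permitrootlogin": "yes", "permitemptypasswords": "no",
            "protocol": "2", "logingracetime": "120", "maxauthtries": "6"}


def parse_sshd_config(text):
    """Read the file the way sshd does: keywords are case-insensitive, '#'
    starts a comment, and the first occurrence of a keyword wins.
    Assumption: no Match blocks (they are not modelled here)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings


def seconds(value):
    """sshd time values: plain seconds or a number with an s/m/h/d/w suffix."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.lower())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    units = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return int(m.group(1)) * units[m.group(2)]


def audit(settings):
    """Return [(directive, finding)] for each hardening point that is not met."""
    def get(key):
        return settings.get(key, DEFAULTS.get(key, ""))

    findings = []
    if int(get("port")) <= 1024:
        findings.append(("Port", f"listening on {get('port')}; move sshd above 1024"))
    if get("permitrootlogin").lower() != "no":
        findings.append(("PermitRootLogin", f"is {get('permitrootlogin')!r}, should be 'no'"))
    if get("permitemptypasswords").lower() != "no":
        findings.append(("PermitEmptyPasswords", "empty passwords are accepted"))
    if "1" in get("protocol").split(","):
        findings.append(("Protocol", f"{get('protocol')!r} still allows protocol 1"))
    if seconds(get("logingracetime")) >= 120:
        findings.append(("LoginGraceTime", f"{get('logingracetime')} is the default or longer"))
    if int(get("maxauthtries")) > 3:
        findings.append(("MaxAuthTries", f"{get('maxauthtries')} attempts per connection; post uses 3"))
    if "banner" not in settings:
        findings.append(("Banner", "no pre-login banner configured"))
    if not any(k in settings for k in ("allowusers", "allowgroups", "denyusers", "denygroups")):
        findings.append(("AllowUsers/AllowGroups", "no login access control list"))
    return findings
```

Run it on the real file with `audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))`; an empty list means all ten points are met.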
