Mateen Ahmed


Saturday, 22 December 2012

20 ways to Secure your Apache Configuration

Posted on 00:37 by Unknown



Here are 20 things you can do to make your apache configuration more secure.
Disclaimer: The thing about security is that there are no guarantees or absolutes. These suggestions should make your server a bit tighter, but don't think your server is necessarily secure after following these suggestions.
Additionally, some of these suggestions may decrease performance or cause problems in your environment. It is up to you to determine whether any of the changes I suggest are incompatible with your requirements. In other words, proceed at your own risk.

First, make sure you've installed latest security patches

There is no sense in putting locks on the windows if your door is wide open. As such, if you're not patched up there isn't really much point in continuing any further down this list. Go ahead and bookmark this page so you can come back later, and patch your server.

Hide the Apache Version number, and other sensitive information.

By default many Apache installations tell the world what version of Apache you're running, what operating system/version you're running, and even what Apache Modules are installed on the server. Attackers can use this information to their advantage when performing an attack. It also sends the message that you have left most defaults alone.
There are two directives that you need to add, or edit in your httpd.conf file:
ServerSignature Off
ServerTokens Prod

The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.
The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting it to Prod it sets the HTTP response header as follows:
Server: Apache
If you're super paranoid you could change this to something other than "Apache" by editing the source code, or by using mod_security (see below).

Make sure apache is running under its own user account and group

Several Apache installations have it run as the user nobody. So suppose both Apache and your mail server were running as nobody: an attack through Apache may allow the mail server to also be compromised, and vice versa.
User apache
Group apache

Ensure that files outside the web root are not served

We don't want Apache to be able to access any files outside of its web root. So assuming all your web sites are placed under one directory (we will call this /web), you would set it up as follows:
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /web>
Order Allow,Deny
Allow from all
</Directory>
Note that because we set Options None and AllowOverride None this will turn off all options and overrides for the server. You now have to add them explicitly for each directory that requires an Option or Override.

Turn off directory browsing

You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes
Options -Indexes

Turn off server side includes

This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes
Options -Includes

Turn off CGI execution

If you're not using CGI turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI
Options -ExecCGI

Don't allow apache to follow symbolic links

This can again be done using the Options directive inside a Directory tag. Set Options to either None or -FollowSymLinks
Options -FollowSymLinks

Turning off multiple Options

If you want to turn off all Options simply use:
Options None
If you only want to turn off some separate each option with a space in your Options directive:
Options -ExecCGI -FollowSymLinks -Indexes

Turn off support for .htaccess files

This is done in a Directory tag but with the AllowOverride directive. Set it to None.
AllowOverride None
If you require Overrides, ensure that the override files cannot be downloaded, and/or change the name to something other than .htaccess. For example we could change it to .httpdoverride, and block all files that start with .ht from being downloaded as follows:
AccessFileName .httpdoverride
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

Run mod_security

mod_security is a super handy Apache module written by Ivan Ristic, the author of Apache Security from O'Reilly press.
You can do the following with mod_security:
  • Simple filtering
  • Regular Expression based filtering
  • URL Encoding Validation
  • Unicode Encoding Validation
  • Auditing
  • Null byte attack prevention
  • Upload memory limits
  • Server identity masking
  • Built in Chroot support
  • And more

Disable any unnecessary modules

Apache typically comes with several modules installed. Go through the apache module documentation and learn what each module you have enabled actually does. Many times you will find that you don't need to have the said module enabled.
Look for lines in your httpd.conf that contain LoadModule. To disable the module you can typically just add a # at the beginning of the line. To search for modules run:
grep LoadModule httpd.conf
Here are some modules that are typically enabled but often not needed: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.

Make sure only root has read access to apache's config and binaries

This can be done assuming your apache installation is located at /usr/local/apache as follows:
chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache

Lower the Timeout value

By default the Timeout directive is set to 300 seconds. You can decrease it to help mitigate the potential effects of a denial of service attack.
Timeout 45

Limiting large requests

Apache has several directives that allow you to limit the size of a request; this can also be useful for mitigating the effects of a denial of service attack.
A good place to start is the LimitRequestBody directive. This directive is set to unlimited by default. If you are allowing file uploads of no larger than 1MB, you could set this setting to something like:
LimitRequestBody 1048576
If you're not allowing file uploads you can set it even smaller.
Some other directives to look at are LimitRequestFields, LimitRequestFieldSize and LimitRequestLine. These directives are set to reasonable defaults for most servers, but you may want to tweak them to best fit your needs. See the documentation for more info.

Limiting the size of an XML Body

If you're running mod_dav (typically used with subversion) then you may want to limit the max size of an XML request body. The LimitXMLRequestBody directive is only available on Apache 2, and its default value is 1 million bytes (approx 1mb). Many tutorials will have you set this value to 0, which means files of any size may be uploaded; that may be necessary if you're using WebDAV to upload large files, but if you're simply using it for source control you can probably get away with setting an upper bound, such as 10mb:
LimitXMLRequestBody 10485760

Limiting Concurrency

Apache has several configuration settings that can be used to adjust handling of concurrent requests. MaxClients is the maximum number of child processes that will be created to serve requests. This may be set too high if your server doesn't have enough memory to handle a large number of concurrent requests.
Other directives such as MaxSpareServers, MaxRequestsPerChild, and on Apache 2 ThreadsPerChild, ServerLimit, and MaxSpareThreads are important to adjust to match your operating system and hardware.

Restricting Access by IP

If you have a resource that should only be accessed by a certain network or IP address, you can enforce this in your Apache configuration. For instance, if you want to restrict access to your intranet to allow only the 176.16 network:

Order Deny,Allow
Deny from all
Allow from 176.16.0.0/16

Or by IP:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
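The Order/Deny/Allow semantics of Apache 2.2 (the syntax shown in this section) are easy to get backwards: with Order Deny,Allow an Allow line overrides a Deny line and unmatched clients are let in, while with Order Allow,Deny a Deny line overrides an Allow line and unmatched clients are refused. The following Python evaluator is an added example, not part of the post: it parses a block of these directives and reports whether a given client address would be admitted. The rule sets are constructed from the snippets above, plus one with the Order reversed to show the common mistake. Hostname specs are out of scope and never match; partial addresses such as 176.16 are expanded to the network they mean. (Apache 2.4 replaces these directives with Require ip, which has no Order to get wrong.)

```python
import ipaddress
import re

# Constructed rule sets (modelled on the snippets in this section, not copied
# from a running server).
INTRANET_RULES = ["Order Deny,Allow", "Deny from all", "Allow from 176.16.0.0/16"]
LOCALHOST_RULES = ["Order Deny,Allow", "Deny from all", "Allow from 127.0.0.1"]
# A common mistake: the same lines with the Order reversed; this denies everyone.
REVERSED_RULES = ["Order Allow,Deny", "Deny from all", "Allow from 176.16.0.0/16"]


def parse_access_rules(lines):
    """Collect the Order, 'Allow from' and 'Deny from' directives of a block."""
    order, allows, denies = ("deny", "allow"), [], []   # Deny,Allow is Apache's default
    for raw in lines:
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            order = tuple(p.lower() for p in parts[1].split(","))
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allows if key == "allow" else denies).extend(parts[2:])
    return order, allows, denies


def host_matches(client_ip, spec):
    """True if client_ip matches 'all', a bare address, a CIDR/netmask network,
    or a partial dotted address such as 176.16 (meaning 176.16.0.0/16).
    Hostname specs are not resolved here and never match (assumption)."""
    if spec.lower() == "all":
        return True
    if re.fullmatch(r"\d+(\.\d+){0,2}", spec):          # partial address
        octets = spec.split(".")
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False


def is_allowed(lines, client_ip):
    """Apply the Apache 2.2 Order semantics to one client address."""
    order, allows, denies = parse_access_rules(lines)
    allowed = any(host_matches(client_ip, s) for s in allows)
    denied = any(host_matches(client_ip, s) for s in denies)
    if order == ("deny", "allow"):
        # Deny rules are checked first, Allow rules override them, and a client
        # matching neither list is admitted.
        return allowed or not denied
    if order in (("allow", "deny"), ("mutual-failure",)):
        # An Allow rule must match and no Deny rule may match; a client matching
        # neither list is refused.
        return allowed and not denied
    raise ValueError(f"unknown Order {order}")


if __name__ == "__main__":
    for name, rules in (("intranet", INTRANET_RULES), ("reversed", REVERSED_RULES)):
        print(name, "176.16.4.9 ->", is_allowed(rules, "176.16.4.9"))
```

Running it shows the intranet block admitting 176.16.4.9 and the reversed block refusing the same address, because under Allow,Deny the Deny from all line wins.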

Adjusting KeepAlive settings

According to the Apache documentation, using HTTP Keep-Alives can improve client performance by as much as 50%, so be careful before changing these settings: you will be trading performance for a slight denial of service mitigation.
Keep-Alives are turned on by default and you should leave them on, but you may consider changing MaxKeepAliveRequests, which defaults to 100, and KeepAliveTimeout, which defaults to 15. Analyze your log files to determine the appropriate values.

Run Apache in a Chroot environment

chroot allows you to run a program in its own isolated jail. This prevents a break-in on one service from being able to affect anything else on the server.
It can be fairly tricky to set this up using chroot due to library dependencies. I mentioned above that the mod_security module has built in chroot support. It makes the process as simple as adding a mod_security directive to your configuration:
SecChrootDir /chroot/apache

There are however some caveats, so check out the docs for more info.
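As an added example (not code from the post), here is a small Python audit that reads an httpd.conf and reports which of the items above are still unaddressed: ServerTokens/ServerSignature, the User/Group account, Timeout, LimitRequestBody, the often-unneeded modules, and the Options and AllowOverride settings of each Directory block. The two configurations it checks are constructed for the example; the parser understands only top-level directives and <Directory> blocks, which is enough for these checks.

```python
import re

# Constructed sample configs (not from the post): a typical default that
# leaves most of the listed items unaddressed, and a hardened version.
DEFAULT_CONF = """\
ServerTokens OS
ServerSignature On
User nobody
Group nobody
Timeout 300
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /web>
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride All
</Directory>
"""

HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
User apache
Group apache
Timeout 45
LimitRequestBody 1048576
<Directory />
    Options None
    AllowOverride None
</Directory>
<Directory /web>
    Options -Indexes -Includes -ExecCGI -FollowSymLinks
    AllowOverride None
</Directory>
"""

RISKY_OPTIONS = {"Indexes", "Includes", "ExecCGI", "FollowSymLinks"}
OFTEN_UNNEEDED = {"imap", "include", "info", "userdir", "status", "cgi", "autoindex"}


def parse_conf(text):
    """Parse top-level directives and <Directory> blocks.

    Returns (globals, directories): globals maps a directive name to the list
    of argument strings seen (one per occurrence); directories maps each
    <Directory> path to the same kind of mapping for its contents.
    """
    globals_, directories, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r'<Directory\s+"?([^">]*)"?\s*>', line, re.I)
        if m:
            current = m.group(1).strip()
            directories.setdefault(current, {})
            continue
        if re.match(r"</Directory\s*>", line, re.I):
            current = None
            continue
        name, _, args = line.partition(" ")
        target = globals_ if current is None else directories[current]
        target.setdefault(name, []).append(args.strip())
    return globals_, directories


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    g, dirs = parse_conf(text)
    findings = []

    def last(name, default=""):
        return g.get(name, [default])[-1]   # last occurrence wins, like Apache

    if last("ServerTokens").lower() != "prod":
        findings.append("ServerTokens is not Prod: version, OS and module info leak in the Server header")
    if last("ServerSignature").lower() != "off":
        findings.append("ServerSignature is not Off: version shown on error pages and listings")
    for d in ("User", "Group"):
        if last(d) in ("", "nobody"):
            findings.append(f"{d} is missing or 'nobody'; give Apache its own account")
    timeout = last("Timeout", "300")
    if not timeout.isdigit() or int(timeout) > 45:
        findings.append(f"Timeout {timeout} is high; the post suggests 45")
    if "LimitRequestBody" not in g:
        findings.append("LimitRequestBody is unset, so request bodies are unlimited")
    for args in g.get("LoadModule", []):
        module = args.split()[0].replace("_module", "")
        if module in OFTEN_UNNEEDED:
            findings.append(f"mod_{module} is loaded; disable it if unused")
    for path, d in dirs.items():
        for args in d.get("Options", []):
            for tok in args.split():
                enabled = tok == "All" or (tok.lstrip("+") in RISKY_OPTIONS and not tok.startswith("-"))
                if enabled:
                    findings.append(f"<Directory {path}> enables Options {tok.lstrip('+')}")
        if d.get("AllowOverride", ["None"])[-1].lower() != "none":
            findings.append(f"<Directory {path}> AllowOverride is not None, so .htaccess is honoured")
    return findings


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(audit(conf))} finding(s)")
        for finding in audit(conf):
            print("  -", finding)
```

Run against a real httpd.conf by reading the file into audit(); the default sample above produces thirteen findings and the hardened one none. The check only sees what is in the file it is given, so Include'd files and per-directory .htaccess overrides still need a look of their own.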

Acknowledgments

I have found the book Apache Security to be a highly valuable resource for securing an apache web server. Some of the suggestions listed above were inspired by this book.

Suggestions

Please post any suggestions, caveats, or corrections in the comments.

Wednesday, 19 December 2012

How do I hide the Apache version number under Linux server?

Posted on 23:30 by Unknown

You can easily hide the Apache (httpd) version number and other information. There are two config directives that control what Apache reveals about its version. The ServerSignature directive adds a line containing the Apache HTTP Server version and the ServerName to any server-generated documents, such as error messages sent back to clients. ServerSignature is set to On by default. The ServerTokens directive controls whether the Server response header field sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules. By setting this to Prod you send back only "Apache" as the server name, with no version number.
Open your httpd.conf file using a text editor such as vi:
vi httpd.conf
Append/modify the config directives as follows:
ServerSignature Off
ServerTokens Prod
Save and close the file. Restart the Apache web server:
# /etc/init.d/httpd restart

Sunday, 16 December 2012

Apache Security with SELinux

Posted on 22:45 by Unknown

Security with Apache is an important topic, of which SELinux is a part. The reason for discussing SELinux at this point is so that you have SELinux enabled throughout the discussion and learn how to manage SELinux instead of just turning it off.
View Processes protected by SELinux
You may view processes which are restricted by SELinux with ps.
# ps -ZC httpd
LABEL PID TTY TIME CMD
root:system_r:httpd_t 11759 ? 00:00:00 httpd
root:system_r:httpd_t 15899 ? 00:00:00 httpd
root:system_r:httpd_t 15900 ? 00:00:00 httpd
root:system_r:httpd_t 15901 ? 00:00:00 httpd
root:system_r:httpd_t 15902 ? 00:00:00 httpd
root:system_r:httpd_t 15903 ? 00:00:00 httpd
root:system_r:httpd_t 15918 ? 00:00:00 httpd
root:system_r:httpd_t 15919 ? 00:00:00 httpd
root:system_r:httpd_t 15920 ? 00:00:00 httpd
If you wanted to view the entire list of processes currently protected with SELinux you would use this command:
# ps -eZ
LABEL PID TTY TIME CMD
system_u:system_r:init_t 1 ? 00:00:00 init
system_u:system_r:kernel_t 2 ? 00:00:00 migration/0
system_u:system_r:kernel_t 3 ? 00:00:00 ksoftirqd/0
system_u:system_r:kernel_t 4 ? 00:00:00 watchdog/0
system_u:system_r:kernel_t 5 ? 00:00:00 events/0
system_u:system_r:kernel_t 6 ? 00:00:00 khelper
system_u:system_r:kernel_t 7 ? 00:00:00 kthread
system_u:system_r:kernel_t 10 ? 00:00:00 kblockd/0
system_u:system_r:kernel_t 11 ? 00:00:00 kacpid
—cut—
A SELinux security context has the form user:role:type:sensitivity:category. You can see the context of files with ls -Z:
# ls -Z
-rw-r--r-- root root root:object_r:httpd_sys_content_t index.html
Breaking down the label root:object_r:httpd_sys_content_t:
user: root
role: object_r
type: httpd_sys_content_t
sensitivity: (not present in this label)
category: (not present in this label)
If you are going to use the apache web server you will need to know how to adjust the SELinux for that daemon. The first step in this process is to evaluate the booleans that are set for httpd in SELinux.  These booleans allow you to either turn on or off features of SELinux that are useful for protecting Apache.
# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> on
httpd_sys_content_t
Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon.
httpd_sys_script_exec_t
Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
httpd_sys_script_ro_t
Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other sys scripts from access.
httpd_sys_script_rw_t
Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
httpd_sys_script_ra_t
Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
httpd_unconfined_script_exec_t
Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for very complex httpd scripts, after exhausting all other options. It is better to use this type rather than turning off SELinux protection for httpd.
SELinux policy is customizable based on the least access required, so by default SELinux prevents certain http scripts from working. The httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. The -P option makes a boolean setting persist across reboots.
Enable cgi
# setsebool -P httpd_enable_cgi 1
Enable User home Directories and Change Context
# setsebool -P httpd_enable_homedirs 1
# chcon -R -t httpd_sys_content_t ~user/public_html
Enable Access to Terminal
httpd may need to prompt for a password on a certificate file
# setsebool -P httpd_tty_comm 1
Disable File Control Contexts
# setsebool -P httpd_unified 0
Disable PHP
# setsebool -P httpd_builtin_scripting 0
Enable Network Connections from httpd
This is disabled by default so that a compromised httpd cannot be used to attack other machines.
# setsebool -P httpd_can_network_connect 1
Disable suexec Transition
# setsebool -P httpd_suexec_disable_trans 1
Disable Protection for httpd Daemon
This is the option you could use if you wanted to turn off all protection for Apache but still use SELinux to protect the rest of the box.
# setsebool -P httpd_disable_trans 1
# service httpd restart
Changing the http Port
You may want to change a port number for http. You cannot do this without editing the configuration for SELinux.
# semanage port -l | grep http
http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
Change httpd to port 81 in the httpd.conf file.
Listen 81
Now restart, and you will see that it will fail to restart. Check /var/log/messages for output.
Dec 10 08:03:46 cent2 setroubleshoot: SELinux is preventing the /usr/sbin/httpd (httpd_t) from binding to port 81. For complete SELinux messages. run sealert -l 9d1872a0-da1f-48b3-b7bc-4ed7094387e5
In order to fix this you will need to use the semanage command to add port 81 to the ports allowed by SELinux.
# semanage port -a -t http_port_t -p tcp 81
Restart httpd and you will find that it works. Now verify that port 81 was added to the default allowed ports.
# semanage port -l | grep http
http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
http_port_t tcp 81, 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
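The three command outputs used in this post (ps -Z, getsebool -a and semanage port -l) are all line-oriented and easy to check automatically. The following Python helpers are an added example, not part of the post: they split a context label into its user, role, type, sensitivity and category fields, list any httpd process that is not running in the httpd_t domain, report which of the more permissive httpd booleans are switched on, and tell you whether a port is already in the http_port_t list before you change Listen. The sample outputs are constructed to resemble the ones above; the third ps line (an httpd running unconfined) and the boolean values are made up for the example.

```python
import re

# Constructed sample outputs modelled on the ones shown above (not captured
# from a real host). The third ps line shows an httpd that is NOT confined.
PS_EZ = """LABEL PID TTY TIME CMD
system_u:system_r:init_t 1 ? 00:00:00 init
root:system_r:httpd_t 11759 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2401 ? 00:00:00 httpd
"""

GETSEBOOL = """allow_httpd_anon_write --> off
httpd_can_network_connect --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
"""

SEMANAGE_BEFORE = """http_cache_port_t tcp 3128, 8080, 8118
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
"""
SEMANAGE_AFTER = """http_port_t tcp 81, 80, 443, 488, 8008, 8009, 8443
"""

# Booleans that widen what httpd may do; worth a second look when they are on.
PERMISSIVE_BOOLEANS = {
    "allow_httpd_anon_write", "allow_httpd_sys_script_anon_write",
    "httpd_can_network_connect", "httpd_disable_trans", "httpd_ssi_exec",
    "httpd_tty_comm",
}


def parse_context(label):
    """Split user:role:type[:sensitivity[:category]] into a dict."""
    parts = label.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {label!r}")
    keys = ("user", "role", "type", "sensitivity", "category")
    ctx = dict.fromkeys(keys)          # missing MLS fields stay None
    ctx.update(zip(keys, parts[:5]))
    return ctx


def unconfined_processes(ps_output, cmd="httpd", expected_type="httpd_t"):
    """Return PIDs of `cmd` processes whose domain is not expected_type."""
    pids = []
    for line in ps_output.splitlines()[1:]:      # skip the LABEL/PID header
        label, pid, _tty, _time, command = line.split(None, 4)
        if command == cmd and parse_context(label)["type"] != expected_type:
            pids.append(int(pid))
    return pids


def parse_sebools(output):
    """Parse `getsebool -a` lines ('name --> on|off') into {name: bool}."""
    return {m.group(1): m.group(2) == "on"
            for m in re.finditer(r"^(\S+)\s+-->\s+(on|off)\s*$", output, re.M)}


def permissive_booleans_on(output):
    """Sorted names of the permissive booleans that are currently on."""
    return sorted(name for name, on in parse_sebools(output).items()
                  if on and name in PERMISSIVE_BOOLEANS)


def port_allowed(semanage_output, port, port_type="http_port_t", proto="tcp"):
    """True if `port` is in the semanage list for port_type/proto.
    Handles single ports and ranges written as lo-hi."""
    for line in semanage_output.splitlines():
        fields = line.split(None, 2)
        if len(fields) < 3 or fields[0] != port_type or fields[1] != proto:
            continue
        for item in fields[2].split(","):
            lo, _, hi = item.strip().partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False


if __name__ == "__main__":
    print("unconfined httpd PIDs:", unconfined_processes(PS_EZ))
    print("permissive booleans on:", permissive_booleans_on(GETSEBOOL))
    print("port 81 allowed before/after:",
          port_allowed(SEMANAGE_BEFORE, 81), port_allowed(SEMANAGE_AFTER, 81))
```

On a live system, feed the functions the real output (for example subprocess.run(["semanage", "port", "-l"], capture_output=True, text=True).stdout); a False from port_allowed() before you edit Listen tells you the semanage port -a step above will be needed.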


Friday, 14 December 2012

SVN Server on RHEL6

Posted on 03:45 by Unknown

Subversion (SVN) is a version control system initiated in 2000 by CollabNet Inc. It is used to maintain current and historical versions of files such as source code, web pages, and documentation. Its goal is to be a mostly-compatible successor to the widely used Concurrent Versions System (CVS).

Subversion is well-known in the open source community and is used on many open source projects, including Apache Software Foundation, KDE, Free Pascal, FreeBSD, GCC, Python, Django, Ruby, Mono, SourceForge.net, ExtJS and Tigris.org. Google Code also provides Subversion hosting for their open source projects. BountySource systems use it exclusively. Codeplex offers access to both Subversion as well as other types of clients.

Subversion is also being adopted in the corporate world. In a 2007 report by Forrester Research, Subversion was recognized as the sole leader in the Standalone Software Configuration Management (SCM) category and a strong performer in the Software Configuration and Change Management (SCCM) category.


Here's how I installed subversion on a machine with RHEL6.
For anyone learning or using Subversion, I highly recommend that you read the book.

  [mateen@reuters ~]$ yum install *subversion
Now check the version:

[mateen@reuters ~]$ svn --version
svn, version 1.6.11 (r934486)
   compiled May 31 2011, 05:46:33


Then you’ll need to setup at least one repository. I’m going to need multiple repositories that I can use for different clients so I have a bit of extra admin work ahead of me. You can setup as many repositories as you need, but no matter what you’ll need at least one. Here create the folders…
# mkdir /svn
# mkdir /svn/repos
# mkdir /svn/users
# mkdir /svn/permissions
Now give the folder the proper permissions:
chown -R apache.apache /svn
Then tell subversion to create a repository:
svnadmin create /svn/repos
Then, I need to setup a config file for svnserve.
cd /svn/repos/conf/
vim svnserve.conf
Then, look for variations of the following code and edit it as necessary. By default any anonymous user can access the code so to disable that you must include anon-access = none, just commenting the value out will not prevent anonymous access.
[general]
anon-access = none
password-db = passwd   <-Passwd file
realm = My SVN Repository
auth-access = write
Please note: don't just insert these three lines at the very end, like I did. They need to go in the [general] section, not the [sasl] section, otherwise "Authorization failed" type errors will occur whenever you try to check in any new stuff.
vim passwd
svnuser = password
Now start SVN Server
$svnserve -d

One side note – svnserve just runs and doesn’t have a way to stop besides killing the process. If you make changes to the svnserve.conf or user file you’ll need to restart svnserve.

To back up a Subversion repository
Don’t try and copy and paste the repository or anything like that. Create a gzipped Subversion file as follows:

$svnadmin dump /MyPath/Repos | gzip > MyBackupRepos.svn.gz
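The two svnserve.conf pitfalls described above (a commented-out anon-access line still leaves anonymous read access, and settings placed under [sasl] instead of [general] are silently ignored) can be checked before the server is started. The following Python helper is an added example, not part of the post: it reads an svnserve.conf with configparser, applies svnserve's documented defaults (anon-access = read, auth-access = write) for anything missing from [general], and flags access keys that ended up in the wrong section. The three configuration texts are constructed for the example.

```python
import configparser

# svnserve's built-in defaults, used when a key is absent or commented out.
SVNSERVE_DEFAULTS = {"anon-access": "read", "auth-access": "write"}

# Constructed examples of the three states the note above describes.
CONF_COMMENTED = """[general]
# anon-access = none
password-db = passwd
realm = My SVN Repository
"""
CONF_CORRECT = """[general]
anon-access = none
password-db = passwd
realm = My SVN Repository
auth-access = write
"""
CONF_WRONG_SECTION = """[general]
password-db = passwd
realm = My SVN Repository

[sasl]
use-sasl = false
anon-access = none
auth-access = write
"""


def _load(conf_text):
    cp = configparser.ConfigParser(interpolation=None)   # '#' and ';' lines are comments
    cp.read_string(conf_text)
    return cp


def effective_access(conf_text):
    """Return the anon-access / auth-access values svnserve will actually apply.

    Only keys inside [general] count; a key that is commented out or placed
    in another section falls back to svnserve's default.
    """
    cp = _load(conf_text)
    general = cp["general"] if cp.has_section("general") else {}
    return {key: general.get(key, default) for key, default in SVNSERVE_DEFAULTS.items()}


def anonymous_can_read(conf_text):
    """True if an unauthenticated client gets read (or write) access."""
    return effective_access(conf_text)["anon-access"] in ("read", "write")


def misplaced_access_keys(conf_text):
    """Access keys that sit outside [general] and are therefore ignored."""
    cp = _load(conf_text)
    return sorted(f"{section}:{key}" for section in cp.sections() if section != "general"
                  for key in cp[section] if key in SVNSERVE_DEFAULTS)


if __name__ == "__main__":
    for name, text in (("commented", CONF_COMMENTED), ("correct", CONF_CORRECT),
                       ("wrong section", CONF_WRONG_SECTION)):
        print(f"{name}: {effective_access(text)} misplaced={misplaced_access_keys(text)}")
```

Point it at a real file with effective_access(open("/svn/repos/conf/svnserve.conf").read()); anonymous_can_read() returning True on a repository that is supposed to require authentication is exactly the situation the note above warns about.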



Now, let’s setup apache.
Create a new Apache include file that will hold our configuration (you may already have this if subversion was already installed).
vim /etc/httpd/conf.d/subversion.conf
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
DAV svn
SVNPath /svn/repos
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /svn/users/svnpass
Require valid-user
AuthzSVNAccessFile /svn/permissions/svnauthz


Create the password file named by AuthUserFile (not the AuthzSVNAccessFile path; that file holds path-based access rules, not passwords). -c creates the file and -m hashes the password with MD5; enter the password when prompted:
htpasswd -cm /svn/users/svnpass admin









Displays The Processes

Posted on 00:48 by Unknown

The ps command reports a snapshot of the current processes. To select all processes use the -A or -e option; with -L, as below, it also lists each thread (the LWP column):


[root@reuters ~]# ps -L
  PID   LWP TTY          TIME CMD
 2212  2212 pts/1    00:00:00 bash
 7585  7585 pts/1    00:00:00 mysql
16063 16063 pts/1    00:00:00 ps



Tell How Long The System Has Been Running

Posted on 00:41 by Unknown

The uptime command can be used to see how long the server has been running. The current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes.

# uptime
Output:

18:02:41 up 41 days, 23:42,  1 user,  load average: 0.00, 0.00, 0.00


TOP - Process Activity Command

Posted on 00:37 by Unknown


The top program provides a dynamic real-time view of a running system i.e. actual process activity. By default, it displays the most CPU-intensive tasks running on the server and updates the list every five seconds.
The top command provides several useful hot keys:
Hot key   Action
t         Toggles the summary information off and on.
m         Toggles the memory information off and on.
A         Sorts the display by top consumers of various system resources. Useful for quick identification of performance-hungry tasks on a system.
f         Enters an interactive configuration screen for top. Helpful for setting up top for a specific task.
o         Enables you to interactively select the ordering within top.
r         Issues the renice command.
k         Issues the kill command.
z         Turns color/mono on or off.


Monday, 10 December 2012

Types of NameServer

Posted on 00:55 by Unknown

There are four primary nameserver configurations:
 
  • Master Server: The primary master server is the ultimate source of information about a domain. The primary master is an authoritative server configured to be the source of zone transfer for one or more secondary servers. The primary master server obtains data for the zone from a file on disk.
 
  • Slave server: A slave server, also called a secondary server, is an authoritative server that obtains zone information from the master server using the zone transfer mechanism and acts as an alternate to the master server for name resolution in the event that the master server fails to reply to a query due to failure, overloading or any other reason.
 
  • Cache only server: Some servers are caching only servers. This means that the server caches the information that it receives and uses it until the data expires. A caching only server is a server that is not authoritative for any zone. If the information is not in the cache, this server services queries and asks other servers, who have the authority, for the information it needs.
 
  • Forwarding: Forwards requests to a specific list of nameservers for name resolution. If none of the specified nameservers can perform the name resolution, the query fails.

A Name Server can be master for some zones and slave for others or can be only a master, or only a slave, or can serve no zones and just answer queries via its cache, or may act as forward nameserver for others.

Configuring ssh Server

Posted on 00:53 by Unknown
SSH SERVER CONFIGURATIONS
The ssh command is a client remote-login program used to connect to a remote system and execute commands on it. It provides secure, encrypted communication over an insecure network. By default you can use ssh to log in to a remote system as any user with a valid password.
If your DNS server is configured you can use the host name to log in; if not, you need to use the IP address of the remote system.

Get the pid of the sshd daemon

The pgrep command can be used to find the pid of the sshd daemon:
pgrep sshd

Configuring /etc/ssh/sshd_config

Location: /etc/ssh/sshd_config                          Permission: 0600 (rw-------)                          Ownership: root : root

Version

The ssh server runs as Version 2 by default, but can also run as Version 1, which is not recommended. The version can be changed by changing the Protocol parameter in /etc/ssh/sshd_config from Protocol 2 to Protocol 1.

Changing the default port on which the sshd daemon listens

The port on which the sshd daemon listens can be changed by editing the value of the Port variable in /etc/ssh/sshd_config to the required port number, say:
Port 123
Before choosing the port, check that the port you chose is not being used by any other service:
netstat -an | grep <portnumber to search>
After you have made changes to the sshd_config file, you need to restart the sshd daemon with service sshd restart. Now to connect to this machine remotely, you need to connect as:
ssh -p 123 192.168.1.25

If you also want to specify the user, you can specify as:
ssh -p 123 sunil@192.168.1.25

Configuring ssh to listen on specific IP address(es)

By default the sshd daemon will listen on all the IP addresses of all network cards. The default entry for this is in /etc/ssh/sshd_config as:
#ListenAddress 0.0.0.0
#ListenAddress ::
Note that these entries are commented out with #; they are written only to show the default value for ListenAddress.
You can configure your sshd daemon to listen on a specific IP address by changing the value of ListenAddress as:
ListenAddress 192.168.1.26
If you want your sshd daemon to listen on more than one IP address, add a ListenAddress <ip-address> line for each IP address, one per line:
ListenAddress 192.168.1.26
ListenAddress 192.168.1.24

Configure ssh to listen on a specific port of specific IP address(es)

You can also configure your sshd daemon to communicate on a specific port for a specific IP address. This can be done by changing the value of ListenAddress in /etc/ssh/sshd_config as:
ListenAddress 192.168.1.26:123
ListenAddress 192.168.1.24:456

So, now the sshd daemon will listen on port 123 for IP address 192.168.1.26, and on port 456 for IP 192.168.1.24.

Displaying a Banner when an ssh session starts

In some jurisdictions, sending a warning message before authentication may be relevant for getting legal protection.  The contents of the specified file are sent to the remote user before authentication is allowed.  This option is only available for protocol version 2.  By default, no banner is displayed.

Edit the /etc/ssh/sshd_config file, look for Banner and edit the path of the banner file. Create a file named /etc/ssh/hackers.banner with the contents you want to display, and restart the sshd daemon:
Banner /etc/ssh/hackers.banner
service sshd restart

Permitting ssh to specific user

To permit specific users(s), this keyword can be followed by a list of user name patterns, separated by spaces.  If specified, login is allowed only for user names that match one of the patterns.  ‘*’ and ‘?’ can be used as wildcards in the patterns.  Only user names are valid; a numerical user ID is not recognized.  By default, login is allowed for all users.  If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. More than one user can be specified by separating them with white space.

Example 1:

Add the following on ssh server (192.168.1.250) in /etc/ssh/sshd_config file and restart sshd daemon:
AllowUsers s*a

This will allow all users having a username starting with "s" and ending with "a". No other user is allowed to ssh to 192.168.1.250.

Example 2:

Add the following on ssh server (192.168.1.250) in /etc/ssh/sshd_config file and restart sshd daemon:
AllowUsers s?????

This will allow all users having a username starting with "s" followed by exactly 5 more characters (any characters). No other user is allowed to ssh to 192.168.1.250.

Example 3:

Add the following on ssh server (192.168.1.250) in /etc/ssh/sshd_config file and restart sshd daemon:
AllowUsers shreya@192.168.1.249
AllowUsers visesh@192.168.1.2

Now, user shreya can ssh only from 192.168.1.249 and user visesh is allowed to ssh only from 192.168.1.2. No other user is allowed to ssh to 192.168.1.250.

Permitting ssh to specific group

This keyword can be followed by a list of group name patterns, separated by spaces.  If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.  ‘*’ and ‘?’ can be used as wildcards in the patterns.  Only group names are valid; a numerical group ID is not recognized.  By default, login is allowed for all groups. More than one group can be specified by separating them with white space.

Example 1:

Add the following on ssh server (192.168.1.250) in /etc/ssh/sshd_config file and restart sshd daemon:
AllowGroups ad*

This will allow all users whose primary group or a supplementary group has a name beginning with "ad". No other user is allowed to ssh to 192.168.1.250.

Example 2:

Add the following on ssh server (192.168.1.250) in /etc/ssh/sshd_config file and restart sshd daemon:
AllowGroups dba?????

This will allow all users whose primary group or a supplementary group has a name beginning with "dba" followed by exactly 5 more characters (any characters). No other user is allowed to ssh to 192.168.1.250.
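The AllowUsers and AllowGroups examples above are easiest to reason about by running the patterns against candidate logins before you lock yourself out. The following Python evaluator is an added example, not part of the post or of OpenSSH: it implements the two wildcards the post describes ('*' for any string, '?' for exactly one character), the USER@HOST split, and the order in which sshd consults DenyUsers, AllowUsers, DenyGroups and AllowGroups (each list accumulates across repeated directives). The configuration fragments are constructed to match the examples; the host is compared as a plain string, so a pattern written as an IP address only matches clients connecting from that address.

```python
import re

# Constructed sshd_config fragments mirroring the examples above.
CFG_WILDCARD = ["AllowUsers s*a"]
CFG_FIXED_LEN = ["AllowUsers s?????"]
CFG_USER_AT_HOST = ["AllowUsers shreya@192.168.1.249", "AllowUsers visesh@192.168.1.2"]
CFG_GROUPS = ["AllowGroups ad*"]
CFG_GROUPS_FIXED = ["AllowGroups dba?????"]


def pattern_matches(pattern, value):
    """OpenSSH-style glob: '*' matches any string, '?' exactly one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def parse_access_lists(lines):
    """Accumulate the user/group allow and deny lists across all directives."""
    lists = {"allowusers": [], "denyusers": [], "allowgroups": [], "denygroups": []}
    for raw in lines:
        parts = raw.split("#", 1)[0].split()      # ignore comments and blanks
        if len(parts) >= 2 and parts[0].lower() in lists:
            lists[parts[0].lower()].extend(parts[1:])
    return lists


def user_pattern_matches(pattern, user, host):
    """USER@HOST patterns check both halves separately; plain patterns check the user."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return pattern_matches(user_pat, user) and pattern_matches(host_pat, host)
    return pattern_matches(pattern, user)


def login_allowed(lines, user, groups, host):
    """Evaluate DenyUsers, AllowUsers, DenyGroups, AllowGroups in sshd's order.

    `groups` is the user's primary group plus supplementary group names.
    An empty Allow list means that check is skipped, as in sshd.
    """
    lists = parse_access_lists(lines)
    if any(user_pattern_matches(p, user, host) for p in lists["denyusers"]):
        return False
    if lists["allowusers"] and not any(
            user_pattern_matches(p, user, host) for p in lists["allowusers"]):
        return False
    if any(pattern_matches(p, g) for p in lists["denygroups"] for g in groups):
        return False
    if lists["allowgroups"] and not any(
            pattern_matches(p, g) for p in lists["allowgroups"] for g in groups):
        return False
    return True


if __name__ == "__main__":
    for user in ("sunita", "sunil", "sa"):
        print(f"AllowUsers s*a, user {user}: {login_allowed(CFG_WILDCARD, user, ['users'], '10.0.0.1')}")
    print("shreya from 192.168.1.2:", login_allowed(CFG_USER_AT_HOST, "shreya", ["users"], "192.168.1.2"))
```

To check a real configuration, pass the lines of /etc/ssh/sshd_config and the groups reported by id -Gn for the account in question; a False for the administrator's own account is the case to catch before restarting sshd.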

ssh to specific remote user

If you want to ssh as a specific user, you can do that as:
ssh sunil@192.168.1.25

where sunil is the user on 192.168.1.25 as whom you want to ssh.

Executing command remotely using ssh

You can execute almost any command on remote system as:
ssh 192.168.1.24 "df -h"

sending message using ssh

You can use the ssh command to send a message to another user on a specific console as:
ssh 172.24.0.15 'echo "hello users" > /dev/pts/0'

Domain name formulation

Posted on 00:52 by Unknown
The right-most label conveys the top-level domain; for example, the domain name www.example.com belongs to the top-level domain com.

The hierarchy of domains descends from right to left; each label to the left specifies a subdivision, or subdomain of the domain to the right. For example: the label example specifies a subdomain of the com domain, and www is a sub domain of example.com. This tree of subdivisions may consist of 127 levels, although more than four is rare. 

Each label may contain up to 63 characters. The full domain name may not exceed a total length of 253 characters. In practice, some domain registries may have shorter limits.

The characters allowed in a label are a subset of the ASCII character set, and include the characters a through z, A through Z, digits 0 through 9, and the hyphen.

root domain

The root domain is at the top and is represented by period ".".

Top Level Domain

The com, edu, org and gov portions of these domain names are called the top-level domain or first-level domain. There are several other top-level domain names, including MIL, NET as well as unique two-letter combinations for every country also called Country Code Top-Level Domain (ccTLD). For India the ccTLD is ".in".

Second Level Domain

Within every top-level domain there are several Second-Level Domains. For example, in the COM first-level domain, you've got:

  •   opensourcenuts
  •   microsoft
  •   redhat
  •   yahoo
  •   plus millions of others

Every Second-Level Domain name in a top-level domain must be unique, but there can be duplication across domains. For example, opensourcenuts.com and opensourcenuts.org are completely different domain names.

Second level domains are registered to individuals or organisations. 

In some countries a few Second-Level Domains are reserved. For example, in India domain names are categorized as follows:

  • .co.in (originally for banks, registered companies, and trademarks)
  • .firm.in (originally for shops, partnerships, liaison offices, sole proprietorships)
  • .net.in (originally for Internet service providers)
  • .org.in (originally for non-profit organizations)
  • .gen.in (originally for general/miscellaneous use)
  • .ind.in (originally for individuals)

Six zones are reserved for use by qualified organizations in India:

  • .ac.in (Academic institutions)
  • .edu.in (Educational institutions)
  • .res.in (Indian research institutes)
  • .ernet.in (Older, for both educational and research institutes)
  • .gov.in (Indian government)
  • .mil.in (Indian military)
  • .nic.in is reserved for India's National Informatics Centre, but in practice most Indian government agencies have domains ending in .nic.in.

Third Level Domain

A third level domain, unlike a domain name, is not registered anywhere because it is associated with a domain name only. It can be created by the web host on the DNS server. Third level domains are commonly used to categorize portions of a website. A sub-domain can be a separate site on the same server, can point to a sub-directory on the same server, or can be a separate site on a different server which may reside at a different geographical location.
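The label and length rules given in this post (labels of up to 63 characters, a total of at most 253, letters, digits and hyphen only, a right-to-left hierarchy) are enough to write a validator. The following Python is an added example, not part of the post: check_domain_name() returns every rule the name breaks, and split_levels() reads the labels from the right to identify the top-level domain, the second-level domain and any further sub-domains. It goes one step beyond the post by also rejecting a label that begins or ends with a hyphen, which is the RFC 1123 hostname rule and is assumed here rather than taken from the page.

```python
import re

MAX_LABEL = 63
MAX_NAME = 253
LABEL_RE = re.compile(r"[A-Za-z0-9-]+")   # letters, digits and hyphen only


def check_domain_name(name):
    """Return a list of problems with a domain name (empty means it is valid).

    Rules from the post: 1-63 characters per label from a-z, A-Z, 0-9 and
    hyphen; at most 253 characters in total. A trailing dot names the root
    and is allowed. The no-leading/trailing-hyphen rule is RFC 1123's
    (assumed here; the post does not state it).
    """
    if name.endswith("."):
        name = name[:-1]
    if not name:
        return ["empty name"]
    problems = []
    if len(name) > MAX_NAME:
        problems.append(f"total length {len(name)} exceeds {MAX_NAME}")
    for label in name.split("."):
        if not label:
            problems.append("empty label (consecutive dots)")
        elif len(label) > MAX_LABEL:
            problems.append(f"label {label[:10]}... is {len(label)} characters, limit {MAX_LABEL}")
        elif not LABEL_RE.fullmatch(label):
            problems.append(f"label {label!r} contains characters outside a-z, A-Z, 0-9 and hyphen")
        elif label.startswith("-") or label.endswith("-"):
            problems.append(f"label {label!r} begins or ends with a hyphen")
    return problems


def split_levels(name):
    """Return (tld, second_level, subdomains), reading labels right to left.

    subdomains are listed from the second-level domain outward, so for
    a.b.example.com the result is ("com", "example", ["b", "a"]).
    """
    labels = name.rstrip(".").lower().split(".")
    tld = labels[-1]
    second = labels[-2] if len(labels) >= 2 else None
    subdomains = labels[:-2][::-1] if len(labels) > 2 else []
    return tld, second, subdomains


if __name__ == "__main__":
    for candidate in ("www.example.com", "opensourcenuts.org", "-bad.com", "ex_ample.com"):
        print(candidate, check_domain_name(candidate) or "ok", split_levels(candidate))
```

Names containing non-ASCII characters (internationalized domain names) are rejected by this checker; they must first be converted to their ASCII form before the rules above apply.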