Linux (/ˈlɪnəks/ LIN-uks or, less frequently used, /ˈlaɪnəks/ LYN-uks) is a Unix-like and mostly POSIX-compliant computer operating system assembled under the model of free and open-source software development and distribution.

  • nginx (pronounced “engine-x”) is an open source Web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. It is licensed under a BSD-like license and it runs on Unix, Linux, BSD variants, Mac OS X, Solaris, AIX and Microsoft Windows [WikiPedia]

    The gzip_vary directive instructs proxy servers to cache two versions of the resource: one compressed, and one uncompressed. This helps avoid issues with public proxies that do not detect the presence of a Content-Encoding header properly.

    Configuration files are provided using Gist and are CONSTANTLY updated for added security and speed. Gist is a simple way to share snippets and pastes with others. All gists are git repositories, so they are automatically versioned, forkable and usable as a git repository. I recommend that you star them to stay up to date.


    Just add the following to the http { … } section of /etc/nginx/nginx.conf:

     # Gzip Settings
     gzip on;
     gzip_http_version 1.1;
     gzip_vary on;
     gzip_comp_level 6;
     gzip_proxied any;
     # A directive may span several lines; nginx needs no backslash continuation.
     # text/html is always compressed, and listing it only triggers a
     # "duplicate MIME type" warning, so it is left out.
     gzip_types text/plain text/css application/json
         application/x-javascript text/xml application/xml
         application/xml+rss text/javascript application/javascript
         text/x-js;
     gzip_buffers 16 8k;
     gzip_disable "MSIE [1-6]\.(?!.*SV1)";


  • Developers have gotten the kernel booted on the Nintendo DS as well as a simple sash shell and some text games. More at and in their forums.

  • Legally Binding Commitment Not to Assert Nokia Patents against the Linux Kernel
    Nokia hereby commits not to assert any of its Patents (as defined herein below) against any Linux Kernel (as defined herein below) existing as of 25 May 2005. The aforesaid non-assertion shall extend to any future Linux Kernel to the extent that Nokia does not declare any new functionality embodied in such Linux Kernel to be outside the scope of this Patent Statement. Nokia shall issue such declaration through its website no later than one hundred and twenty (120) days after the official release of such Linux Kernel.
  • Official Novell Press release here, due mid april 2005
    • A complete Linux Operating System: SUSE LINUX OS built upon the Linux kernel 2.6.11, 6.8.2
    • Multiple intuitive desktop environments: Latest KDE 3.4 and GNOME* 2.10,
    • A comprehensive set of Internet tools: Firefox* 1.0 Web browser; e-mail and instant messaging clients (supporting AOL, Yahoo!, MSN, Novell® GroupWise® Instant Messenger, and more),
    • A complete office suite: 2.0 (works with Microsoft* Office documents) ,
    • Leading graphics and multimedia applications: F-Spot photo organizer, the GIMP 2.2 and Inkscape graphics programs, multimedia viewers, CD/DVD burners and more,
    • Fully integrated system security: integrated firewall, spam blocker and virus scanner,
    • World class advanced networking services: Apache Web server, SAMBA, CUPS, DHCP, DNS and popular open source databases
    • Cutting edge new Mobility Support: Improved Wifi connections and Bluetooth devices, PDA and phone synchronization
    • Robust Virtualization: based on XEN (what is XEN?)
    • Voice over IP support
    • Multiple development Tools: Mono® ; KDevelop; Eclipse

    SUSE LINUX 9.3 Professional Review by Novell : not a very neutral review, but with some screenshots...
    Novell Packs Apps Into SuSE Linux 9.3 By David Worthington, BetaNews


  • ORA-00054: resource busy and acquire with NOWAIT specified
    Cause: Resource interested is busy.
    Action: Retry if necessary.

    I show you here how to get around this error and kill the sessions that are preventing the exclusive lock.

    Note that you could also (preferred)

    • Run your changes later when the database is idle.
    • Do all DDL during a maintenance window when all users are not logged in

    Run in SQL*Plus or SQL developer

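    -- Sessions holding a lock on the table (replace YourTableName; unquoted
    -- object names are stored in upper case in the data dictionary)
    select a.sid, a.serial#
    from v$session a, v$locked_object b, dba_objects c
    where b.object_id = c.object_id
    and a.sid = b.session_id
    and OBJECT_NAME='YourTableName';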

    Then note both the sid and serial and run

    alter system kill  session 'sid,serial#' IMMEDIATE;

    If this still does not work, your last bullet is to kill the Unix process which is still hanging on your database server!

    Here is how to find the Unix process to kill.

    Run in SQL*Plus or SQL developer

    select p.spid,s.sid,s.serial#,s.username,s.status,s.last_call_et,
    p.program,p.terminal,logon_time,module,s.osuser from V$process p,V$session s where s.paddr = p.addr and s.status = 'ACTIVE' and
    s.username not like '%SYS%';

    and finally run

    kill -9 spid

    If this still doesn't work, your best friend is Google.

  • If you encounter this error while starting Oracle:

    # /etc/init.d/oraemctl start
    Starting Oracle EM DB Console:
    Environment variable ORACLE_UNQNAME not defined.
    Please set ORACLE_UNQNAME to database unique name. OK

    One possible solution is to edit the script

    # vi /etc/init.d/oraemctl

    and add the following code in blue

    # oraemctl Starting and stopping Oracle Enterprise Manager Database Control.
    # Script is valid for 10g and 11g versions.
    # chkconfig: 35 80 30
    # description: Enterprise Manager DB Control startup script
    # Source function library.
    . /etc/rc.d/init.d/functions
    # ORACLE_OWNER, ORACLE_SID and ORACLE_HOME must be defined above this
    # point for your installation.
    case "$1" in
      start)
        echo -n $"Starting Oracle EM DB Console:"
        su - $ORACLE_OWNER -c "ORACLE_SID=$ORACLE_SID $ORACLE_HOME/bin/emctl start dbconsole"
        echo "OK"
        ;;
      stop)
        echo -n $"Stopping Oracle EM DB Console:"
        su - $ORACLE_OWNER -c "ORACLE_SID=$ORACLE_SID $ORACLE_HOME/bin/emctl stop dbconsole"
        echo "OK"
        ;;
      *)
        echo $"Usage: $0 {start|stop}"
        ;;
    esac

    Use the right SID, of course. After that, Oracle Enterprise Manager will start correctly:

    # /etc/init.d/oraemctl start
    Starting Oracle EM DB Console:Oracle Enterprise Manager 11g Database Control Release
    Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.
    - An instance of Oracle Enterprise Manager 11g Database Control is already running.

  • SuSE Linux 9, November 13 2003: SuSE Linux 9, the latest release from Nuremberg, Germany-based SuSE Linux, was released at the end of last month. I put SuSE Linux Professional through its paces, and found it to be the most user-friendly Linux distribution on the market. It's not a "must" update for users of previous versions, but it does have some nice perks.
    • SUSE 9.0: A Distro Worth Paying For, by Ross M. Greenberg: Europeans are different from North Americans. They have all this cool, colorful money with lots of zeroes. They can smoke where they want to. And they are trendsetters, listening to strange new music and buying cars with heated seats.
    • A Week with SuSE 9, January 25, by Gotroot: Welcome to the second installment of a new series. As mentioned in the last installment, during this project, I'll be installing several Linux distributions, running them each for a 5 day week, and keeping a daily journal.
    • OPTED TO THE NINES: SUSE unwraps a must-have desktop distribution for power-hungry power users wanting more than the latest and greatest in 32 bits.
    • SuSE Linux 9.0 Professional Review, by Steve Barnhart, 2003-11-18: "I recently picked up a copy of SuSE 9.0 Professional. I have never used or been familiar with a SuSE product before as I've only used Mandrake, Red Hat, and a bit of Debian. After using Red Hat for a while I decided to evaluate SuSE and I am now sorry for not having tried it sooner."
    • Linux Professional version 9.0 Review, 2003-12-30: "A1-Electronics reviews the latest version 9.0 from SuSE of their Linux operating system."
    • SuSe - Linux 9.0 review, 18/01/2004: "The subtitle of this review could so easily be 'a tale of two operating systems.' That one of them is good and the other bad should not be surprising; that they are both the same operating system might raise more of an eyebrow."
    • Suse 9.0 Professional Review: "This is a review of SUSE Linux 9.0 Professional Edition."
    • SuSE Linux Professional 9.0, by Oliver Kaven, November 25, 2003: "With an attractive interface and a unique, comprehensive configuration tool, SuSE Linux Professional 9.0 offers rich features and simplicity for mainstream users and small businesses alike."
    • Review Corner

  • Novell Releases First Commercial Linux Featuring 2.6 Kernel
    • SuSE LINUX 9.1 Personal and SuSE LINUX 9.1 Professional (German)
    • First Look at SUSE LINUX 9.1 Professional: "With the upcoming release of SUSE Linux 9.1, I thought we'd take a few moments out of the day to look at their Personal release, including the Live CD that comes in the box, which will allow users to take their SUSE Linux desktop anywhere they go and be able to feel right at home on any PC with a CDROM drive. Is it worth the lowered $29.95 price tag? SUSE is a great desktop distro, but will the features stack up? We'll see..." review 1 and review 2
    • An In-Depth Look at SUSE 9.1 RC2, by Joe Barr: "Here is our promised in-depth look at the latest SUSE 9.1 beta. I found a little more flakiness than I would be comfortable with long-term, but I have been using this near-final version in my day-to-day work for nearly a week now and see no reason to go back to my previous installation."
  • This article shows you how to improve the boot speed of your Linux system without compromising usability. Essentially, the technique involves understanding system services and their dependencies, and having them start up in parallel, rather than sequentially, when possible.
    Although undoubtedly an excellent system, a common criticism of Linux -- voiced particularly by those from a Microsoft Windows background -- is that it takes a long time between pressing the "on" button and actually being able to use a Linux system. In essence, their argument goes, Linux takes a long time to boot. More here
  • Interesting: after 100 lines I stopped reading this promotional article, really good FUD (wikipedia):
    Microsoft is hosting a discussion on Windows and Linux between its two top Linux consultants. Martin Taylor and Bill Hilf talk about the various OS

    "We believe the way to integrate software, and the way to get software to work in a heterogeneous environment, is through promoting open standards"
    A funny response from a slashdotter below... so true, and more to read here
    Can somebody hit Bill with a clue-by-four and ask him about
    1. Samba, and why the Samba project had to reverse-engineer everything?
    2. Microsoft Office, and the hoops had to jump through to reverse-engineer their document storage format?
    3. NTFS, and why Linux still can't support NTFS write natively (without using a MS DLL)?
    4. All the hidden system calls that Microsoft uses internally, and which came up in the anti-trust case?

    shame on You M$
    more comments, all credits to authors on
    a brief synopsis?
    Corporate-speak FUD
    Slick FUD
    Unbelievably clumsy and obvious FUD
    Laughable FUD
    Bone to the FOSS community
    Conclusion: FUD
    Discussion = earnest conversation.
    Propaganda = The systematic propagation of a doctrine or cause or of information reflecting the views and interests of those advocating such a doctrine or cause.
    foreach ($potential_problem) (@linux){
    print "Linux is okay but it has this $potential_problem\n";
    print "Yes, and I think you can see that Microsoft addresses this $potential_problem to the benefit of our customers!\n";
    }
  • Reverse engineering of the IPOD firmware by using a modem noise attack!

     I got an iPod for Christmas. The ipodlinux project was one of the main reasons for my choice and so I started exploring the iPod as far as I was able to. I patched the bootloader and got some basic code to run but there was no way to access any hardware other than the two CPUs yet. To get the LCD, Clickwheel and the harddisk working we needed to reverse engineer the bootloader in the flashrom. But to do that we first had to find a way to get that code. Seems quite impossible without any knowledge about the IO-Hardware but I found a solution...

    They have in fact used the internal tweeter of the iPod to dump the result of code execution of the firmware into sound. These people have written a digital sound compression algorithm, an encoder and a decoder!!! Now 64kb of internal code can be examined!! Why? Just for booting Linux!!! Penguin power!!! Read more here...

  • Portable Raspberry Pi Tor proxy

    Browse anonymously anywhere you go with the Onion Pi Tor proxy. This is a fun weekend project that uses a Raspberry Pi, a USB WiFi adapter and Ethernet cable to create a small, low-power and portable privacy Pi. First, plug the Ethernet cable into any Internet provider in your home, work, hotel or conference/event. Next, power up the Pi with the micro USB cable to your laptop or to the wall adapter. The Pi will boot up and create a new secure wireless access point called Onion Pi.

    According to the Tor website:

    Journalists use Tor to communicate more safely with whistleblowers and dissidents. Non-governmental organizations (NGOs) use Tor to allow their workers to connect to their home website while they're in a foreign country, without notifying everybody nearby that they're working with that organization.
    Groups such as Indymedia recommend Tor for safeguarding their members' online privacy and security. Activist groups like the Electronic Frontier Foundation (EFF) recommend Tor as a mechanism for maintaining civil liberties online. Corporations use Tor as a safe way to conduct competitive analysis, and to protect sensitive procurement patterns from eavesdroppers. They also use it to replace traditional VPNs, which reveal the exact amount and timing of communication. Which locations have employees working late? Which locations have employees consulting job-hunting websites? Which research divisions are communicating with the company's patent lawyers?
    A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.

    Thanks to Adafruit for this nice little hack, read more Here

  • Suse 10 Linux: I've just done the migration to Suse Linux 10 on 2 computers

    Novell has killed the SUSE Pro version and now offers:

    • A box version, for 59€
    • An Eval version (identical content to the box version but without printed manual or support); this one can be downloaded using http, an ftp mirror or, better, BitTorrent.
    • A 3rd version, which is open source only (that is, without any commercial or closed source apps), can also be downloaded from

    Note that all 3 versions above share the same source code base (open source kernel and extensions developed at

    As usual, if you want to try a Linux distribution for the first time, I recommend that you try the live DVD version (both 32-bit and 64-bit CPU versions are available).


    My experience with the update

    1. HP nx7000 has been migrated successfully from Suse 9.3 to 10 without any pain (reboot laptop with DVD inside and choose installation, then update). Note that before updating I was forced to remove all major (and for me vital) applications: Videolan, mplayer, amule among others... The wireless and Bluetooth cards are working perfectly without any intervention (which was not the case under 9.3 Pro).
    2. My desktop always hung after 54 minutes during the update (during the install of the rpm mms (a winamp-like)), so I was forced to do a fresh install. I am convinced it cannot be a SUSE fault.

    Quick review:

    • a lot more polished in KDE control center (thanks to KDE 3.4.2)
    • blazing fast during boot time, for sure 5 times faster with my setup (same hardware) - responsiveness desktop as ever, the NVIDIA driver installed after "online update" allow 3D acceleration right out the box
    • Superkaramba has been integrated into KDE, it has never been so easy to locate new themes (so call desktop widget), thanks to an integrated search engine, install or administrate them.
    • The "search box" in the start menu is so great that I do not understand why Microsoft has not done it before. This "search box" acts like a search engine which allows you to query the start menu with keywords. Example? Searching for a browser program by "internet" or "browser" highlights matching entries.

    A detailed review will follow soon....

    Links to reviews

    1. Mad penguin


  • Just got my order of three Raspberry Pi 2! Compared to the Raspberry Pi 1 it has:

    • A 900MHz quad-core ARM Cortex-A7 CPU
    • 1GB RAM

    Like the (Pi 1) Model B+, it also has:

    • 4 USB ports
    • 40 GPIO pins
    • Full HDMI port
    • Ethernet port
    • Combined 3.5mm audio jack and composite video
    • Camera interface (CSI)
    • Display interface (DSI)
    • Micro SD card slot
    • VideoCore IV 3D graphics core

    Because it has an ARMv7 processor, it can run the full range of ARM GNU/Linux distributions, including Snappy Ubuntu Core, as well as Microsoft Windows 10! The Raspberry Pi 2 has an identical form factor to the previous (Pi 1) Model B+ and has complete compatibility with Raspberry Pi 1.

  • Some notes about my experience using the Raspberry Pi model B…and you get it running Linux Debian on it!

    The Raspberry Pi is a credit-card sized computer that plugs into your TV and a keyboard. It’s a capable little PC which can be used for many of the things that your desktop PC does, like spreadsheets, word-processing and games. It also plays high-definition video. We want to see it being used by kids all over the world to learn programming.


    We don’t think that the Raspberry Pi is a fix to all of the world’s computing issues; we do believe that we can be a catalyst. We want to see cheap, accessible, programmable computers everywhere; we actively encourage other companies to clone what we’re doing. We want to break the paradigm where without spending hundreds of pounds on a PC, families can’t use the internet. We want owning a truly personal computer to be normal for children. We think that 2012 is going to be a very exciting year. [About Raspberry PI]

  • Hans Reiser, author of the ReiserFS program, created benchmarking tests designed to be fairly representative of the file-size distribution of most users. "Reiser4 does quite well on all benchmarks," he said. "With Reiser4, we took five different technical gambles, and all of them worked."
    • Official homepage of reiserfs v4 (very technical)
    • Lindows, Suse, Darpa (The Defense Advanced Research Projects Agency) are major supporters of Namesys and reiserfs
    I plan to use this fantastic file system (3 to 4 times faster than NTFS) as soon as I have more reports on its stability. Anyway, it is already in use on a small partition (10 GB) on my Suse 9.2 box (which does not contain any critical data).

  • Rootkit scanner is a scanning tool to ensure, with about 99.9%* certainty, that you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:
    • MD5 hash compare
    • Look for default files used by rootkits
    • Wrong file permissions for binaries
    • Look for suspected strings in LKM and KLD modules
    • Look for hidden files
    • Optional scan within plaintext and binary files
    Rootkit Hunter is released as a GPL-licensed project and is free for everyone to use.
    # wget
    # tar -xzvf rkhunter-1.1.4.tar.gz
    # cd rkhunter
    # ./

    Receive an e-mail every day with the Rootkit Hunter results
    For the root user
    # crontab -e
    For any other user
    # crontab -e -u username

    and add

    0 3 * * * (/usr/local/bin/rkhunter --checkall 2>&1 | mail -s "chkrootkit output" -c cc1@example.com,cc2@example.com admin@example.com)

    * the correct path can be found with `which rkhunter`
    This will run Rootkit Hunter at 3:00 am every day and e-mail the output to the last address on the line, with copies to the two addresses given after -c (the example.com addresses shown here are placeholders).

    If you ever get a positive alarm, you can try to remove the rootkit, but all professionals would advise you to reinstall the server from scratch and restore a previous backup (that means saving nothing from the server once the rootkit is revealed...).

  • A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system. Rootkits have their origin in benign applications, but in recent years have been used increasingly by malware to help intruders maintain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Microsoft Windows, Linux and Solaris. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules. [WikiPedia]

    Rootkit scanner is a scanning tool which scans for rootkits, backdoors and local exploits by running tests like:
    • MD5 hash compare
    • Look for default files used by rootkits
    • Wrong file permissions for binaries
    • Look for suspected strings in LKM and KLD modules
    • Look for hidden files
    • Optional scan within plaintext and binary files
    Rootkit Hunter is released as a GPL-licensed project and is free for everyone to use. You can download it at

    This tool is just a tar archive with a set of files inside. It is highly recommended to run it from read-only media to avoid hacker tampering attempts. Run:
    # ./
    # rkhunter

    h790663:/var/www/vhosts/ # rkhunter

    Rootkit Hunter 1.2.9, Copyright 2003-2006, Michael Boelen

    Under active development by the Rootkit Hunter project team. For reporting
    bugs, updates, patches, comments and questions see:

    Rootkit Hunter comes with ABSOLUTELY NO WARRANTY. This is free software,
    and you are welcome to redistribute it under the terms of the GNU General
    Public License. See LICENSE for details.

    Valid parameters:
    --checkall (-c)           : Check system
    --createlogfile <file>*   : Create logfile (file is optional, defaults to
                              : /var/log/rkhunter.log)
    --cronjob                 : Run as cronjob (removes colored layout)
    --display-logfile         : Show logfile at end of the output
    --help (-h)               : Show this help
    --nocolors*               : Don't use colors for output
    --report-mode*            : Don't show uninteresting information for reports
    --report-warnings-only*   : Show only warnings (lesser output than --report-mode,
                              : more than --quiet)
    --skip-application-check* : Don't run application version checks
    --skip-keypress (-sk)*    : Don't wait after every test (non-interactive)
    --quick*                  : Perform quick scan (instead of full scan)
    --quiet*                  : Be quiet (only show warnings)
    --update                  : Run update tool and check for database updates
    --version                 : Show version and quit
    --versioncheck            : Check for latest version

    --bindir <bindir>*        : Use <bindir> instead of using default binaries
    --configfile <file>*      : Use different configuration file
    --dbdir <dir>*            : Use <dbdir> as database directory
    --rootdir <rootdir>*      : Use <rootdir> instead of / (slash at end)
    --tmpdir <tempdir>*       : Use <tempdir> as temporary directory

    Explicit scan options:
    --allow-ssh-root-user*    : Allow usage of SSH root user login
    --disable-md5-check*      : Disable MD5 checks
    --disable-passwd-check*   : Disable passwd/group checks
    --scan-knownbad-files*    : Perform besides 'known good' check a 'known bad' check
    --check-deleted           : Perform 'deleted files' check
    --check-listen            : Perform 'listening applications' check

    Multiple parameters are allowed
    *) Parameter can only be used with other parameters

    False alarms:

    * Filesystem checks
       Checking /dev for suspicious files...                      [ OK ]
       Scanning for hidden files...                               [ Warning! ]
    /etc/.pwd.lock /dev/.udevdb
    Please inspect:  /dev/.udevdb (directory)

    /dev normally contains only device names and hence udev stores its private configuration information in a hidden directory. Rkhunter
    complains because rootkits are known to create such directories.
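
The hidden-file false alarm above can be triaged automatically. The following is an added example, not part of Rootkit Hunter or of the original post: it extracts the paths listed under a "Scanning for hidden files" warning and prints only those that are not on an administrator-maintained allowlist. The function names, the report text and the path /usr/lib/.constructed-example are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage rkhunter "hidden files" warnings against an allowlist.

# Constructed sample report, modelled on the excerpt above (not real output).
sample_report() {
    cat <<'EOF'
* Filesystem checks
   Checking /dev for suspicious files...                      [ OK ]
   Scanning for hidden files...                               [ Warning! ]
/etc/.pwd.lock /dev/.udevdb /usr/lib/.constructed-example
Please inspect:  /dev/.udevdb (directory)
EOF
}

# Constructed allowlist: hidden paths the administrator has already verified
# as legitimate on this host (udev's private directory, the passwd lock file).
sample_allowlist() {
    printf '%s\n' /dev/.udevdb /etc/.pwd.lock
}

# Read a report on stdin and print every path listed under a
# "Scanning for hidden files" line that carries a warning, one per line.
hidden_file_findings() {
    awk '
        /Scanning for hidden files/ { in_list = ($0 ~ /\[ Warning! \]/); next }
        in_list && /^[ \t]*\//      { for (i = 1; i <= NF; i++) print $i; next }
                                    { in_list = 0 }
    '
}

# Read a report on stdin and print the findings that are NOT in the
# allowlist file given as $1 (exact, whole-line, fixed-string comparison).
unexpected_hidden_files() {
    hidden_file_findings | sort -u | grep -v -x -F -f "$1" || true
}

# Exit status 0 if nothing remains after allowlisting, 1 otherwise.
report_is_clean() {
    [ -z "$(unexpected_hidden_files "$1")" ]
}

# Demo on the constructed data: only the path missing from the allowlist
# is printed and still needs manual inspection.
allow=$(mktemp)
sample_allowlist > "$allow"
sample_report | unexpected_hidden_files "$allow"
rm -f "$allow"
```

Keep the allowlist on the same read-only media as the scanner, so that an intruder cannot quietly add entries to it.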
  • Docker is a powerful tool for managing containers and run-time environments and, besides its many advantages, Docker can also be handy to keep your server tidy and secure.

    Docker allows you to run operating systems, applications and tools in so-called containers. A container is an isolated environment that represents an autonomous host of its own, a bit in the same way a virtual machine does. Yet Docker containers are much lighter. They do not start an entire full-blown operating system for each container instance. Instead, Docker uses Linux kernel isolation mechanisms to run applications on top of the host's operating system while keeping them isolated.

    The Ethereum Go (language) team builds a Docker image of a “geth” node as part of their continuous build chain. Their Howto is more than enough to run your full node; mine below is just an enhanced example with a volume, a name and so on, nothing fancy.

    # i want to persist the blockchain in a volume

    docker volume create --name=ethereum-data

    # and limit cpu usage to 20% of all 8 cores --cpus=".2", give a name to container, more command line options

    docker run --cpus=".2" -d -p 8545:8545 -p 30303:30303 \
    --name=ethereum-node \
    -v ethereum-data:/root/.ethereum ethereum/client-go \
    --rpc --rpcaddr ""

    to stop and recreate the container

    docker stop ethereum-node && docker rm ethereum-node

    to go inside the container

    docker exec -it ethereum-node bash

    to test the RPC api

    curl -X POST --data '{"jsonrpc":"2.0","method":"eth_syncing","params":[],"id":1}' localhost:8545


    curl -H "Content-Type: application/json" -X POST \
     --data '{"jsonrpc":"2.0","method":"eth_getBlockByNumber","params":["latest", true],"id":1}' \
     localhost:8545


    You may want to register your node at The Ethereum (centralised) network status monitor , in that case just follow 

    My Ethereum node is now running at

    A better status page is in development using PHP with RPC

  • I know that Secure, Safe, Fast Linux Hosting sounds silly, as nothing can be fast and secure at the same time, but I've compiled a list of things that are worth doing if you are maintaining your own server. This list is clearly targeted at people running an open source stack made of Apache, MySQL, PHP and Linux.

    This list is ongoing work, which is why it also has a version number (v1.0). As soon as I learn new tricks, the list will be updated.

    By clicking read more, You'll be able to go through the checklist, or maybe you'll prefer the mindmap version HERE


  • This list is an ongoing work and since the version 1.0 (01 March 2008), a lot of nodes/ideas have been added.

    Secure, Safe, Fast Linux Hosting sounds silly, as nothing can be fast and secure at the same time, but I've compiled a list of things that are worth doing if you are maintaining your own server. This list is clearly targeted at people running an open source stack made of Apache, MySQL, PHP and Linux.

    By clicking read more, you'll be able to go through the checklist, or maybe you'll prefer the mindmap version HERE

    The next mind map will be a how-to on forensics for a hacked Linux server...

  • This list is ongoing work and since version 1.0 (01 March 2008), a lot of nodes/ideas and now links have been added. The tree is also now a lot more structured...

    Secure, Safe, Fast Linux Hosting sounds silly, as nothing can be fast and secure at the same time, but I've compiled a list of things that are worth doing if you are maintaining your own server. This list is clearly targeted at people running an open source stack made of Apache, MySQL, PHP and Linux.

    By clicking read more, you'll be able to go through the checklist as HTML, or maybe you'll prefer the mindmap version HERE

  • Here is the latest version of my growing mind map that will help you to secure your Linux box. While some nodes are clearly targeted toward Joomla!, you can still safely apply a lot of my recommendations to any LAMP (Linux, Apache, MySQL, PHP) server.

    This mind map is ongoing work, which is why it also has a version number (v1.6). As soon as I learn new tricks, the mind map will be updated.

    Added Crash – Kernel Panic / Password / Intrusion Detection / Joomla! links / PHP settings / mod security

    New mind maps are currently in development:

    • Linux Compromised Server Checklist
    • Linux Server What to monitor

    By clicking read more, You'll be able to go through the checklist as text, or download the mind map as a PDF (2MB)


  • Cpufreqd is a small daemon to adjust cpu speed and voltage (and not only) for kernels using any of the cpufreq drivers available. Cpufreqd is not a userspace governor.

    Cpufreqd allows you to apply governor profiles from rules based on battery level, ac status, temperature (ACPI or sensors), running programs, cpu usage and (maybe) more. You can also change your nforce FSB clock and video card frequency (NVidia only) or execute arbitrary commands when a specific rule is applied.

    The nice things with Linux is that you have a total, absolute, full control!

    Defining new profiles

    Look for cpufreqd.conf

    My profile settings are in /etc/sysconfig/powersave

    Example of a profile

    name=On Demand High

    Defining Rules:

    Examples of the flexibility offered:

    • If temperature is too high, throttle CPU speed lower
    • If some applications are running, let's say your anti-virus, you may want more CPU:

    There are a lot more settings; as usual, just read the manual

    # man cpufreqd.conf

    Querying the CPU

    To list all available profiles, just run as root

    # cpufreqd-get -l


    # cpufreq-info

    analyzing CPU 0:
      driver: powernow-k8
      CPUs which need to switch frequency at the same time: 0
      hardware limits: 1000 MHz - 2.00 GHz
      available frequency steps: 2.00 GHz, 1.80 GHz, 1000 MHz
      available cpufreq governors: ondemand, userspace, powersave, performance
      current policy: frequency should be within 2.00 GHz and 2.00 GHz.
                      The governor "ondemand" may decide which speed to use
                      within this range.
      current CPU frequency is 2.00 GHz (asserted by call to hardware).

    Changing the CPU speed


    Now let's change the speed. On a server, I don't see any reason to minimize the speed except to save electricity. The onDemand profile should provide the best compromise, changing CPU speed based on server load and thus being greener. For the sake of this article, I will forbid the CPU from lowering its speed...
    Attention: you'll have to respect the hardware limits of your processor. In my case I currently use an AMD K8 Opteron 146 rated at a maximum of 2 GHz.

    So depending on your processor, you'll have to either

    • Query the Internet to find the CPU speed range, or
    • Use cpufreq-info, which is for sure the fastest and safest, or
    • Extract the info from where it is stored (for every CPU):
      cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_frequencies

    I was shocked to discover that my current max speed was set at 1 GHz, leading to a server consuming 80 to 250% of CPU load.
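
    A policy maximum stuck at 1 GHz on a CPU whose hardware limit is 2 GHz, as described above, can be checked for every CPU straight from sysfs. The script below is an added example, not part of the original article: it reads the standard cpufreq sysfs files, while the function names audit_cpufreq and make_cpu and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare cpufreq policy limits with hardware limits (kHz).
# Reads the standard sysfs files cpuinfo_max_freq, scaling_min_freq,
# scaling_max_freq and scaling_governor under <root>/cpuN/cpufreq/.

# audit_cpufreq [ROOT]   (ROOT defaults to the real sysfs tree)
# Prints one line per CPU ending in a status:
#   CAPPED  policy maximum is below the hardware maximum
#   PINNED  policy minimum equals policy maximum, the governor cannot scale
#   OK      the governor may use the whole range up to the hardware maximum
# Returns 1 if any CPU is CAPPED, otherwise 0.
audit_cpufreq() {
    root=${1:-/sys/devices/system/cpu}
    rc=0
    for dir in "$root"/cpu[0-9]*/cpufreq; do
        [ -r "$dir/scaling_max_freq" ] || continue   # no cpufreq support
        cpu=${dir%/cpufreq}; cpu=${cpu##*/}
        hw_max=$(cat "$dir/cpuinfo_max_freq")
        pol_min=$(cat "$dir/scaling_min_freq")
        pol_max=$(cat "$dir/scaling_max_freq")
        gov=$(cat "$dir/scaling_governor")
        if [ "$pol_max" -lt "$hw_max" ]; then
            status=CAPPED; rc=1
        elif [ "$pol_min" -eq "$pol_max" ]; then
            status=PINNED
        else
            status=OK
        fi
        echo "$cpu $gov ${pol_min}-${pol_max}kHz hw_max=${hw_max}kHz $status"
    done
    return $rc
}

# make_cpu ROOT CPU HW_MAX POL_MIN POL_MAX GOVERNOR
# Builds a constructed cpufreq directory so the audit can run without root.
make_cpu() {
    d="$1/$2/cpufreq"
    mkdir -p "$d"
    echo "$3" > "$d/cpuinfo_max_freq"
    echo "$4" > "$d/scaling_min_freq"
    echo "$5" > "$d/scaling_max_freq"
    echo "$6" > "$d/scaling_governor"
}

# Constructed sample: cpu0 capped at 1 GHz, cpu1 after "cpufreq-set -d 2GHz".
sample=$(mktemp -d)
make_cpu "$sample" cpu0 2000000 1000000 1000000 ondemand
make_cpu "$sample" cpu1 2000000 2000000 2000000 ondemand
audit_cpufreq "$sample" || echo "a CPU is capped below its hardware maximum"
rm -rf "$sample"
```

    Called with no argument, audit_cpufreq reads /sys/devices/system/cpu, so its non-zero exit status can drive a cron or monitoring check.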

    By running the cpufreq-set command, I force the system to never go below 2 GHz.

    cpufrequtils 0.4: cpufreq-set (C) Dominik Brodowski 2004
    Report errors and bugs to [email address removed], please.
    Usage: cpufreq-set [options]
      -c CPU, --cpu CPU        number of CPU where cpufreq settings shall be modified
      -d FREQ, --min FREQ      new minimum CPU frequency the governor may select
      -u FREQ, --max FREQ      new maximum CPU frequency the governor may select
      -g GOV, --governor GOV   new cpufreq governor
      -f FREQ, --freq FREQ     specific frequency to be set. Requires userspace
                               governor to be available and loaded
      -h, --help           Prints out this screen

    1. Omitting the -c or --cpu argument is equivalent to setting it to zero
    2. The -f FREQ, --freq FREQ parameter cannot be combined with any other parameter
       except the -c CPU, --cpu CPU parameter
    3. FREQuencies can be passed in Hz, kHz (default), MHz, GHz, or THz
       by postfixing the value with the wanted unit name, without any space
       (FREQuency in kHz =^ Hz * 0.001 =^ MHz * 1000 =^ GHz * 1000000).

    # cpufreq-set -c 0 -d 2GHz

    The BogoMips make a jump and the server load is greatly reduced; this can be confirmed by executing:

    # cat /proc/cpuinfo

    processor       : 0
    vendor_id       : AuthenticAMD
    cpu family      : 15
    model           : 39
    model name      : AMD Opteron(tm) Processor 146
    stepping        : 1
    cpu MHz         : 1995.468
    cache size      : 1024 KB
    fdiv_bug        : no
    hlt_bug         : no
    f00f_bug        : no
    coma_bug        : no
    fpu             : yes
    fpu_exception   : yes
    cpuid level     : 1
    wp              : yes
    flags           : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov
                      pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext
                      fxsr_opt lm 3dnowext 3dnow pni lahf_lm
    bogomips        : 3994.29

    Back to my Linux desktop

    I really enjoy using OpenSuse 11.1 powered by KDE 4.2; changing CPU settings has never been easier thanks to the applet KPowersave.

    KPowersave is the KDE front end for power management. It provides battery monitoring, suspend/standby triggers and many more power management features for KDE (and GNOME).

    You'll find the same applet in all versions of KDE.

    KPowersave is great and very intuitive in KDE 4.2
  • SIM is a system and services monitor for ‘SysVinit’ systems. It is designed to be intuitive and modular in nature, and to provide a clean and informative status system.
    It does this by consistently verifying that services are online, load averages are in check, and log files are at reasonable sizes. Many other SIM modules sport different and in-depth features to bring a well rounded tool to your disposal to stop otherwise common issues daunting internet hosts.

    - Service monitoring of HTTP, FTP, DNS, SSH, MYSQL & more
    - Event tracking and alert system
    - Auto restart ability for downed services
    - Checks against network sockets & process list to ensure services are online
    - Advanced HTTP service monitoring, to prevent commonly encountered issues
    - System load monitor with customizable warnings & actions
    - Ability to auto restart system with definable critical load level
    - Priority change configurable for services, at warning or critical load level
    - Informative command line status display
    - Easily customizable configuration file
    - Auto configuration script
    - Auto cronjob setup feature
    - Simple & Informative installation script
    - Integrated auto-update feature
    - And more...


    Installation is once again straightforward:

    # wget
    # tar xvf sim-current.tar.gz
    # cd sim-*

    The installation of SIM is easily accomplished: a simple shell script named 'setup' is included with SIM. Running this script takes care of all the install tasks for SIM.

    # ./setup -i
    -i     Install
    -q     Quick install
    -u     Uninstall
    -c     Install/Uninstall cronjob

    Press "SPACE" to go to the next page when you read the licence.

    Press "RETURN" to quit

    The readme is then displayed, press "SPACE", then "RETURN"

    Ideally once SIM is configured it is best to run from a cronjob. The 'setup'
    SIM 2.5-4 <[email address removed]>
    Creating installation paths:            [##########]
    Installing SIM 2.5-4 to /usr/local/sim:         [##########]

    SIM 2.5-4 installation completed, related notes:
    Executable:             /usr/local/sim/sim
    Executable symlink:     /usr/local/sbin/sim
    Config file:            /usr/local/sim/conf.sim
    Autoconf script:        /usr/local/sim/autoconf
    Autoconf symlink:       /usr/local/sbin/sim-autoconf
    Cronjob setup:          /usr/local/sim/sim -j

    SIM 2.5-4 must now be configured for use on this system, Press
    return to run the autoconf script (/usr/local/sim/autoconf).

    SIM 2.5-4 Auto-Config Script

    All questions default to value in brackets if no answer is given. If you
    make a typo during the autoconf process, hit CTRL+C (^C) to abort and
    rerun the autoconf script (/usr/local/sim/autoconf).

    The below are general configuration options for SIM:
    press return to continue...

    Where is SIM installed ?

    Where should the sim.log file be created ?

    Max size of sim.log before rotated ? (value in KB)

    What is the location of your kernel log ?
    Found kernel log at /var/log/messages

    Where should alerts be emailed to ? (e.g: root, user@domain)
    [root]: [email address removed]
    "RETURN" enter an external email address, not one from the mail server domain!

    Disable alert emails after how many events, to avoid email flood ?
    (Note: events stats are cleared daily)

    The below are configuration options for Service modules:
    press return to continue...

    Auto-restart services found to be offline ? (true=enable, false=disable)

    Enforce laxed service checking ? (true=enable, false=disable)

    Disable auto-restart after how many downed service events ?
    (Note: events stats are cleared daily)

    Enable FTP service monitoring ? (true=enable, false=disable)

    Name of the FTP service as appears in 'ps' ?
    Warning: bad ps syntax, perhaps a bogus '-'? See
    Found service name as proftpd

    TCP/IP port that FTP operates on ?

    Path to FTP service init script ?

    Enable HTTP service monitoring ? (true=enable, false=disable)

    Name of the HTTP service as appears in 'ps' ?
    Warning: bad ps syntax, perhaps a bogus '-'? See
    Found service name as httpd

    TCP/IP port that HTTP operates on ?

    Path to HTTP service init script ?

    Enable DNS service monitoring ? (true=enable, false=disable)

    Name of the DNS service as appears in 'ps' ?
    Warning: bad ps syntax, perhaps a bogus '-'? See
    Found service name as named

    TCP/IP port that DNS operates on ?
    Found service port as 53

    Path to DNS service init script ?
    Found service init script at /etc/init.d/named

    Enable SSH service monitoring ? (true=enable, false=disable)

    Name of the SSH service as appears in 'ps' ?
    Warning: bad ps syntax, perhaps a bogus '-'? See
    Found service name as sshd

    TCP/IP port that SSH operates on ?
    Found service port as 22

    Path to SSH service init script ?
    Found service init script at /etc/init.d/sshd

    Enable MYSQL service monitoring ? (true=enable, false=disable)

    Name of the MYSQL service as appears in 'ps' ?
    Warning: bad ps syntax, perhaps a bogus '-'? See
    Found service name as mysqld

    TCP/IP port that MYSQL operates on ?
    Found service port as 3306

    Path to MYSQL service init script ?
    Found service init script at /etc/init.d/mysql

    Enable SMTP service monitoring ? (true=enable, false=disable)

    Enable XINET service monitoring ? (true=enable, false=disable)

    Name of the XINET service as appears in 'ps' ?
    Warning: bad ps syntax, perhaps a bogus '-'? See
    Found service name as xinetd

    TCP/IP port that any XINET service operates on (e.g: pop3, 110) ?

    In computer networking, xinetd, the eXtended InterNET Daemon, is an open-source daemon which runs on many Unix systems and manages Internet-based connectivity. It offers a more secure extension to or version of inetd, the Internet daemon.

    xinetd features access control mechanisms such as TCP Wrapper ACLs, extensive logging capabilities, and the ability to make services available based on time. It can place limits on the number of servers that the system can start, and has deployable defence mechanisms to protect against port scanners, among other things. from WikiPedia

    Path to XINET service init script ?
    Found service init script at /etc/init.d/xinetd

    Enable ENSIM service monitoring ? (true=enable, false=disable)

    Enable PGSQL service monitoring ? (true=enable, false=disable)

    The below are configuration options for Service Specific features:
    press return to continue...
    After an unclean HTTP shutdown, semaphore array's may remain allocated
    and cause the service to fall into a looping restart cycle. Using this
    feature clears semaphore arrays on HTTP restart.
    Enable semaphore cleanup ?

    This is an implamented feature in the http module, its purpose is to
    determine if/when the apache server locks up or otherwise stops
    Enable URL aware monitoring ?

    HTTP log files can grow large and cause the service to crash
    (segfault), this feature will keep the main HTTP logs incheck.
    Enable HTTP log monitor ?

    What is the location of your HTTP servers, log files ?
    (should point to a directory, not file)

    Max size of HTTP log files, before cleared ? (value in MB)

    MySQL uses a /tmp symlink of its mysql.sock socket file. This
    feature verifies that the symlink exists from the main mysql.sock
    file, and if not it is recreated.
    Enable MySQL Socket correction ?

    The below are configuration options for System modules:
    press return to continue...

    Enable NETWORK monitoring ? (true=enable, false=disable)

    interface to monitor ?

    Path to NETWORK init script ?
    Found service init script at /etc/init.d/network

    Enable LOAD monitor ? (true=enable, false=disable)

    Configuration completed, saving conf.sim...
    Done, conf.sim saved to /usr/local/sim.

    Now that SIM (System Integrity Monitor) has been configured, add it as a cron job:

    # ./setup -c
    SIM 2.5-4 <[email address removed]>
    Removed SIM cronjob.
    # ./setup -c
    SIM 2.5-4 <[email address removed]>
    Installed SIM cronjob.

    If everything goes well, you can check the installation by typing:

    # /etc/init.d/mysqld stop

    This will stop the mysql daemon! You will receive an email at the same time, showing that mysql has been stopped and restarted.

    System integrity monitor on xxxxx has taken action in responce to an event. Recent event logs are enclosed below for your inspection. There has been 1 events today, if an average of 8 events is reached, e-mail alerts will be terminated for the duration of the day.

    - Events Summary:
    Total event count:   1
    Average event count: 0

    - Service Summary:
    [online - 0 events]
    HTTP      [online - 0 events]
    DNS       [online - 0 events]
    SSH       [online - 0 events]
    MYSQL     [restart success - 1 events]
    XINET     [online - 0 events]

    - System Summary:
    NETWORK   [eth0 - online - 0 events]

    - SIM Log:
    [07/21/07 12:10:01]: touched log file.
    [07/21/07 12:10:01]: sim.dat not found, created.
    [07/21/07 12:10:01]: no .chk modules enabled.
    [07/21/07 12:15:03]: no .chk modules enabled.
    [07/21/07 12:20:01]: no .chk modules enabled.
    [07/21/07 12:25:01]: NETWORK is online.
    [07/21/07 12:25:01]: FTP service is offline.
    [07/21/07 12:25:01]: FTP service is offline.
    [07/21/07 12:25:01]: FTP restart failed, could not find /etc/init.d/proftpd.
    [07/21/07 12:25:01]: FTP restart failed, could not find /etc/init.d/proftpd.
    [07/21/07 12:25:01]: HTTP service is online.
    [07/21/07 12:25:01]: DNS service is online.
    [07/21/07 12:25:01]: SSH service is online.
    [07/21/07 12:25:01]: MYSQL service is online.
    [07/21/07 12:25:01]: XINET service is online.