Patching using yum on Linux

Linux has different methods to update all packages. Before updating the packages you may need to take a backup. The exact command depends on your Linux distribution:

1. Debian/Ubuntu – apt-get command
2. CentOS/RedHat/Fedora – yum command

Debian/Ubuntu – apt-get command
Run the following commands to update the packages.

$ sudo apt-get update
$ sudo apt-get upgrade

CentOS/RedHat/Fedora – yum command

Note: for a kernel update, on some systems you may need to disable (comment out) the exclude entry for the kernel in /etc/yum.conf.

Run the yum command to update all the packages on CentOS/RedHat/Fedora.

# yum -y update

Basic Linux Firewall IP Tables

iptables is a command-line firewall utility that uses policy chains to allow or block traffic. iptables is a rule-based firewall and it is pre-installed on most Linux operating systems. By default, it runs without any rules. iptables uses a set of tables, each of which has chains that contain a set of built-in or user-defined rules.

IP tables (Linux Firewall) Tables and Chains:

iptables has the following four types of tables.

a) Filter Table:

The filter table is the most widely used table in iptables. It is used to decide whether a packet continues to its destination or is denied. The filter table has the following built-in chains.

INPUT chain: Incoming to the firewall. For packets coming to the local server.
OUTPUT chain: Outgoing from the firewall. For packets generated locally and going out of the local server.
FORWARD chain: Packet for another NIC on the local server. For packets routed through the local server.

To view the Filter table rules run the following command.

# iptables -t filter --list
# iptables --list

b) NAT Table:
The nat table is used to implement network address translation rules. It is consulted when a packet tries to create a new connection. This is often used to route packets to networks when direct access is not possible.

PREROUTING chain: It is used for altering a packet as soon as it is received. This helps to translate the destination IP address of the packets to something that matches the routing on the local server.
POSTROUTING chain: It is used for altering packets as they are about to go out. This helps to translate the source IP address of the packets to something that matches the routing on the destination server.
OUTPUT chain: It is used for locally generated packets on the firewall.
To view the NAT table rules run the following command.

# iptables -t nat --list

c) Mangle Table:
The mangle table is used to alter the IP headers of the packet in various ways, for example the QoS bits in the TCP header. The mangle table has the following built-in chains.

OUTPUT chain
INPUT chain
To view the Mangle table rules run the following command.

# iptables -t mangle --list

d) Raw Table:
The raw table has a very narrowly defined function. Its only purpose is to provide a mechanism for marking packets in order to opt-out of connection tracking.

OUTPUT chain
To view the Raw table rules run the following command.

# iptables -t raw --list

The rules in the iptables list command output contain the following fields:

num: Rule number within the particular chain
target: The target (action) applied to a matching packet, for example ACCEPT or DROP
prot: Protocol: tcp, udp, icmp, etc.
opt: Special options for that specific rule.
source: Source IP address of the packet
destination: Destination IP address of the packet
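As an added example (not from the original page), the following Python script parses the output of iptables -L -n --line-numbers into the fields listed above and flags ACCEPT rules that match any source address, which are the ones worth a second look when reviewing what a host exposes. SAMPLE_OUTPUT is a constructed listing, not captured from a real host; a saved listing can be passed as the first argument instead.

```python
"""Parse the output of `iptables -L -n --line-numbers` into records.

Added example, not from the original page. SAMPLE_OUTPUT is constructed to
resemble a filter-table listing; it was not captured from a real host.
Usage: python3 iptables_fields.py [saved_listing.txt]
"""
import re
import sys

# Constructed sample listing (the default view of the filter table).
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0            udp dpt:123
4    DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:123

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
"""

# "Chain INPUT (policy ACCEPT)" for built-in chains, "Chain foo (2 references)" for user chains.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")
FIELDS = ("num", "target", "prot", "opt", "source", "destination")


def parse_iptables_list(text):
    """Return {chain: {"policy": str or None, "rules": [dict, ...]}}.
    Each rule dict carries the six columns named on the page plus "extra",
    the match description (ports, connection state, ...) printed after them."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.startswith("num "):
            continue  # blank separator or the column header line
        parts = line.split(None, len(FIELDS))  # keep the match extras as one field
        if len(parts) < len(FIELDS):
            continue
        rule = dict(zip(FIELDS, parts))
        rule["num"] = int(rule["num"])
        rule["extra"] = parts[len(FIELDS)] if len(parts) > len(FIELDS) else ""
        chains[current]["rules"].append(rule)
    return chains


def wide_open_accepts(chains):
    """ACCEPT rules whose source is any address (0.0.0.0/0).
    Returns (chain, num, extra) tuples in listing order."""
    return [(name, r["num"], r["extra"])
            for name, chain in chains.items()
            for r in chain["rules"]
            if r["target"] == "ACCEPT" and r["source"] == "0.0.0.0/0"]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    chains = parse_iptables_list(text)
    for name, chain in chains.items():
        print(f"{name}: policy={chain['policy']} rules={len(chain['rules'])}")
    for chain, num, extra in wide_open_accepts(chains):
        print(f"  review: {chain} rule {num} accepts from anywhere ({extra or 'all traffic'})")
```

The -n flag keeps addresses numeric so the source and destination columns parse reliably; without it iptables tries reverse DNS and prints names such as anywhere instead of 0.0.0.0/0.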

Generating SSL Certificate Signing Request (CSR) in Linux

A Certificate Signing Request (CSR) is the intermediate form of an SSL certificate that enables a Certificate Authority (CA) to generate a signed SSL certificate and verify the identity of a domain's owner. A CSR is an encoded file that provides a standardized way to send the CA your public key along with some information that identifies your company and domain name.

Install Required Packages:
First, we need to install the required packages. If they are already installed, skip this step.

# yum install openssl mod_ssl

Generate Private Key:
Before generating the CSR we need to generate the private key file. Run the following command to generate the key.

# openssl genrsa -out 2048

Generating RSA private key, 2048 bit long modulus
…………………. …….. …….++++++
………………………… … … .. ++++++
e is 61764 (0x01001)
Enter passphrase for
Verifying - Enter pass phrase for

Generate a Certificate Signing Request (CSR):
After generating the private key, generate the CSR using that key. The command will ask for some information about the domain.

# openssl req -new -key -out

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields, there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Bangalore
Locality Name (eg, city) [Default City]:Bangalore
Organization Name (eg, company) [Default Company Ltd]
Organizational Unit Name (eg, section) []:BLOGSITE
Common Name (eg, your name or your server's hostname) []
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You can also create the private key and the CSR with a single command. The command first generates the private key and then generates the CSR.

# openssl req -new -newkey rsa:2048 -nodes -keyout -out

Now the CSR has been generated successfully; use this file to order the SSL certificate.
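The prompts above can also be answered non-interactively with -subj, which is convenient for scripted renewals but requires the DN values to be escaped correctly. The Python script below is an added example, not from the original page: it builds the -subj string and the openssl req command line for either form shown above, and checks that a CSR carries the public half of a given key by comparing RSA moduli. The DN values (example.com and so on) are constructed placeholders and the file names are arbitrary; only key_matches_csr and run_csr need the openssl binary.

```python
"""Non-interactive CSR generation with `openssl req`, plus a key/CSR match check.

Added example, not from the original page. SAMPLE_DN holds constructed
placeholder values; replace them with your own organisation's data.
"""
import hashlib
import shutil
import subprocess

# Constructed sample DN, in the order the interactive prompts ask for it.
SAMPLE_DN = {
    "C": "IN",
    "ST": "Karnataka",
    "L": "Bangalore",
    "O": "Example Co/Pvt Ltd",       # contains '/', which must be escaped inside -subj
    "OU": "BLOGSITE",
    "CN": "www.example.com",
    "emailAddress": "admin@example.com",
}


def build_subject(dn):
    """Render DN fields as an OpenSSL -subj string: /C=IN/ST=.../CN=...
    '/' separates RDNs and '=' separates type from value, so those characters
    (and the backslash itself) are backslash-escaped inside values."""
    parts = []
    for key, value in dn.items():
        if not value:
            continue  # omitted, like answering '.' at the prompt
        escaped = (value.replace("\\", "\\\\")
                        .replace("/", "\\/")
                        .replace("=", "\\="))
        parts.append(f"{key}={escaped}")
    return "/" + "/".join(parts)


def csr_command(csr_path, dn, key_path, new_key=False, bits=2048):
    """argv for `openssl req`. new_key=True mirrors the page's one-step form
    (-newkey rsa:2048 -nodes -keyout); otherwise an existing key is used (-key)."""
    cmd = ["openssl", "req", "-new", "-subj", build_subject(dn), "-out", csr_path]
    if new_key:
        cmd += ["-newkey", f"rsa:{bits}", "-nodes", "-keyout", key_path]
    else:
        cmd += ["-key", key_path]
    return cmd


def run_csr(csr_path, dn, key_path, new_key=False):
    """Run the command; returns True on success. Requires the openssl binary."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl binary not found")
    result = subprocess.run(csr_command(csr_path, dn, key_path, new_key),
                            capture_output=True)
    return result.returncode == 0


def _modulus_digest(args):
    out = subprocess.run(["openssl", *args, "-noout", "-modulus"],
                         capture_output=True, text=True, check=True).stdout
    return hashlib.sha256(out.strip().encode()).hexdigest()


def key_matches_csr(key_path, csr_path):
    """The CSR must carry the public half of key_path: compare the RSA moduli
    printed by `openssl rsa -noout -modulus` and `openssl req -noout -modulus`."""
    return _modulus_digest(["rsa", "-in", key_path]) == _modulus_digest(["req", "-in", csr_path])


if __name__ == "__main__":
    print(" ".join(csr_command("server.csr", SAMPLE_DN, "server.key", new_key=True)))
    if shutil.which("openssl") and run_csr("server.csr", SAMPLE_DN, "server.key", new_key=True):
        print("key matches CSR:", key_matches_csr("server.key", "server.csr"))
```

The modulus comparison is the check to run before sending a CSR to a CA: a CSR generated against the wrong key file yields a certificate the server can never use.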

Configuration of SSH Key Authentication on Linux

SSH key authentication allows users to SSH into the server without entering their passwords. SSH keys are more secure than passwords because the private key used to secure the connection is never shared. Private keys can also be encrypted so their contents cannot be read as easily. While SSH passwords are not required once keys are set up, passphrases for decrypting the private keys locally are still required.

To improve system security even further, you can enforce key-based authentication by disabling standard password authentication in /etc/ssh/sshd_config:

PasswordAuthentication no

Generate SSH Key Pair:
We can create RSA keys for use by SSH protocol version 1, and DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2.

# ssh-keygen -t rsa
# ssh-keygen -t dsa

After this, you will be presented with a message similar to this:

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
The key's randomart image is:
+--[ RSA 2048]----+
| .+ |
| + o . o |
| E . = + . |
| o . + * . |
| . S o |
| = o |
| . o . |
| + . |
| . o. |

I have created the key with a passphrase. You can also create the key without a passphrase.

Copying Public Key
Then we need to copy the public key to our remote server. Here I am choosing the default non-root user as the remote user, but you can also use the root user. Use the command below to copy the public key.

# ssh-copy-id maddy@

Sample Output:

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
maddy@’s password:

Number of key(s) added: 1

Now try logging into the machine, with "ssh 'maddy@'"
and check to make sure that only the key(s) you wanted were added.

It will create the authorized_keys file in the user's .ssh directory.

Note: You can also add the public key manually using the following steps:

1. Copy the public key.

# cat /root/.ssh/
ssh-rsa BBBBdfdddfdzaC1yc2EAAAADAQABAAABAQDkUPtTzfssbKiH9G7UuzXuKUJrlon3iDNvDXFpsdsdstT766sZaAkM/8TVKuKdT4srP/r0lJUoodevc2kIjUw9LqxM/asdasdasdasdasdasdasqCFAu2YIasdaasdasasdsKA1KxZpfhU/asdaerassdfrfdrgddfdf/asdasdasdasdasdasdasdasdas

2. Log in to the remote server and follow the steps below to place the public key in the user's home directory.

# su - maddy
# mkdir .ssh
# chmod 700 .ssh

Now, you can create or modify the authorized_keys file within this directory.

# vim authorized_keys
ssh-rsa BBBBdfdddfdzaC1yc2EAAAADAQABAAABAQDkUPtTzfssbKiH9G7UuzXuKUJrlon3iDNvDXFpsdsdstT766sZaAkM/8TVKuKdT4srP/r0lJUoodevc2kIjUw9LqxM/asdasdasdasdasdasdasqCFAu2YIasdaasdasasdsKA1KxZpfhU/asdaerassdfrfdrgddfdf/asdasdasdasdasdasdasdasdas

Then change the authorized_keys file permissions.

# chmod 600 authorized_keys
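Most failures with manually copied keys come from a mangled key line or from wrong permissions, both of which sshd silently rejects before falling back to the password prompt. As an added example that is not part of the original page, the Python script below checks both: it decodes each authorized_keys entry and confirms the blob really encodes the declared key type, and it verifies the .ssh (700) and authorized_keys (600) modes set in the steps above. It works on a throwaway directory built under a temp location with constructed keys: GOOD_KEY is a dummy ed25519 entry and BAD_KEY imitates the page's placeholder blob, which is not a real key. No real home directory is touched.

```python
"""Audit a user's ~/.ssh/authorized_keys the way sshd's own checks would.

Added example, not from the original page. It builds a throwaway .ssh
directory under a temp dir with constructed keys and never touches a real
home directory.
"""
import base64
import os
import stat
import struct
import tempfile

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _wire_blob(key_type, *fields):
    """SSH public-key wire format: length-prefixed strings, the first being the type."""
    raw = b"".join(struct.pack(">I", len(f)) + f for f in (key_type, *fields))
    return base64.b64encode(raw).decode()


# Constructed keys: a well-formed ed25519 entry with a dummy 32-byte public key,
# and an entry whose blob does not start with an encoded "ssh-rsa" string.
GOOD_KEY = "ssh-ed25519 " + _wire_blob(b"ssh-ed25519", bytes(32)) + " alice@laptop"
BAD_KEY = "ssh-rsa " + base64.b64encode(b"not a key blob").decode() + " maddy@host"


def check_key_line(line):
    """(ok, detail): the base64 blob must begin with the declared key type,
    so a truncated or placeholder entry is caught before sshd rejects it."""
    line = line.strip()
    if not line or line.startswith("#"):
        return True, "blank or comment"
    tokens = line.split()
    # Options such as from="..." or no-pty may precede the key type.
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        return False, "no recognised key type followed by a key blob"
    key_type, b64 = tokens[idx], tokens[idx + 1]
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False, "key blob is not valid base64"
    if len(raw) < 4:
        return False, "key blob too short"
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n] != key_type.encode():
        return False, f"blob does not encode a {key_type} key"
    return True, key_type


def check_permissions(ssh_dir):
    """sshd (StrictModes) refuses keys when .ssh or authorized_keys is group/world accessible."""
    problems = []
    for path, want in ((ssh_dir, 0o700), (os.path.join(ssh_dir, "authorized_keys"), 0o600)):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            problems.append(f"{os.path.basename(path)} mode {mode:o}, want {want:o}")
    return problems


def audit(ssh_dir):
    """All problems found in the directory; an empty list means sshd should accept the keys."""
    problems = check_permissions(ssh_dir)
    with open(os.path.join(ssh_dir, "authorized_keys")) as fh:
        for lineno, line in enumerate(fh, 1):
            ok, detail = check_key_line(line)
            if not ok:
                problems.append(f"authorized_keys line {lineno}: {detail}")
    return problems


def make_demo(dir_mode=0o700, file_mode=0o600):
    """Create the throwaway layout with both constructed keys; returns the .ssh path."""
    ssh_dir = os.path.join(tempfile.mkdtemp(), ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, dir_mode)
    path = os.path.join(ssh_dir, "authorized_keys")
    with open(path, "w") as fh:
        fh.write(GOOD_KEY + "\n" + BAD_KEY + "\n")
    os.chmod(path, file_mode)
    return ssh_dir


if __name__ == "__main__":
    for label, ssh_dir in (("correct modes", make_demo()), ("loose modes", make_demo(0o755, 0o644))):
        print(label, "->", audit(ssh_dir) or "OK")
```

To audit a real account, call audit() with that user's .ssh path; the key-type check is exactly why a genuine ssh-rsa public key always starts with AAAAB3NzaC1yc2E, the base64 of the length-prefixed string "ssh-rsa".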

Access Your Server Using SSH Keys
After completing the above procedure, you should be able to log in to the remote host without the remote user's password.

# ssh dennis@

Now it will ask for the passphrase which we set at the time of creating the key.

We hope this article will be very helpful to you.

Installing NTP Server on CentOS/RHEL 7/6/5

Network Time Protocol (NTP) is used to synchronize system clocks of different hosts over the network. Most companies will have a local NTP server that they keep in sync with an external timing source and then they have all of their internal servers sync their time with that machine. In this setup, we will configure Linux system as NTP server.

Install the NTP Packages
The NTP server package is provided by the default CentOS/RHEL repositories and can be installed using the yum command.

# yum install ntp

Configure NTP Server
If you have many servers in the environment, this server will synchronize its time with the NTP servers of your ISP or with the public time servers located at . We suggest using nearby servers, which you can find at NTP Public Pool Time Servers (

# vim /etc/ntp.conf
server iburst
server iburst
server iburst
server iburst

Allow LAN Systems
Now, you need to allow clients from your networks to synchronize time with this server. To do so, add the following entry to the configuration file.

# vim /etc/ntp.conf
restrict mask nomodify notrap

Enable NTP Log
In case there are problems with your NTP daemon, add a logfile statement so that all NTP server issues are recorded. Add the following line to the configuration file.

# vim /etc/ntp.conf
logfile /var/log/ntp.log
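As an added example, not from the original page, the Python script below renders the three ntp.conf pieces described above (upstream servers, a restrict line per LAN, and the logfile) from a list of CIDR ranges, and audits an existing ntp.conf for a missing or weak restrict default line, which is what stops arbitrary hosts from querying or modifying the daemon. The pool hostnames and LAN ranges are constructed placeholders; the restrict default flags (kod nomodify notrap nopeer noquery) are the usual default restriction, which limits other hosts to plain time requests.

```python
"""Render and audit ntp.conf entries for an internal NTP server.

Added example, not from the original page. UPSTREAM and LANS are constructed
placeholders; use the pool servers nearest to you and your own LAN ranges.
"""
import ipaddress

UPSTREAM = ["0.pool.ntp.org", "1.pool.ntp.org", "2.pool.ntp.org", "3.pool.ntp.org"]
LANS = ["192.168.1.0/24", "10.10.0.0/16"]

# Everyone not matched by a more specific restrict line: time queries only.
DEFAULT_RESTRICT = "restrict default kod nomodify notrap nopeer noquery"


def restrict_line(cidr):
    """'restrict <network> mask <netmask> nomodify notrap' for one LAN.
    strict=True rejects a CIDR with host bits set (e.g. 192.168.1.5/24)
    instead of guessing which range was meant."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return f"restrict {net.network_address} mask {net.netmask} nomodify notrap"


def render_ntp_conf(upstream, lans, logfile="/var/log/ntp.log"):
    """Full ntp.conf text: default restriction, localhost, servers, LANs, logfile."""
    lines = ["driftfile /var/lib/ntp/drift",
             DEFAULT_RESTRICT,
             "restrict 127.0.0.1",   # localhost keeps full access (ntpq -p etc.)
             "restrict ::1"]
    lines += [f"server {host} iburst" for host in upstream]
    lines += [restrict_line(lan) for lan in lans]
    lines.append(f"logfile {logfile}")
    return "\n".join(lines) + "\n"


def audit_ntp_conf(text):
    """Problems found in an ntp.conf; [] means the pieces the page calls for are present."""
    problems = []
    restricts, servers, has_logfile = [], 0, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        words = line.split()
        if words[0] == "server":
            servers += 1
        elif words[0] == "restrict":
            restricts.append(words[1:])
        elif words[0] == "logfile":
            has_logfile = True
    if servers == 0:
        problems.append("no upstream server lines")
    default = next((r for r in restricts if r and r[0] == "default"), None)
    if default is None:
        problems.append("no 'restrict default' line: any host may query and modify the daemon")
    else:
        for flag in ("nomodify", "noquery"):
            if flag not in default:
                problems.append(f"'restrict default' lacks {flag}")
    if not has_logfile:
        problems.append("no logfile directive")
    return problems


if __name__ == "__main__":
    conf = render_ntp_conf(UPSTREAM, LANS)
    print(conf)
    print("audit of rendered config:", audit_ntp_conf(conf) or "OK")
    print("audit of bare config:", audit_ntp_conf("server 0.pool.ntp.org iburst\n"))
```

The noquery flag matters most on a server reachable from untrusted networks: without it, mode 6/7 control queries are answered, which is both an information leak and a historic amplification vector; LAN clients get nomodify notrap but keep query access so ntpq still works for them.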

Add Firewall Rules
The NTP server listens on UDP port 123, so open that port in the server firewall. On CentOS/RHEL 7 (firewalld) run the following commands.

CentOS/RHEL 7

# firewall-cmd --add-service=ntp --permanent
# firewall-cmd --reload

CentOS/RHEL 6/5

# iptables -A INPUT -s -p udp --dport 123 -j ACCEPT
# iptables -A INPUT -p udp --dport 123 -j DROP

Restart NTP Server
After all the NTP configuration, restart the NTP server using the following commands.

CentOS/RHEL 7

# systemctl start ntpd
# systemctl enable ntpd

CentOS/RHEL 6/5

# service ntpd start
# chkconfig ntpd on

Verify Configuration
You can verify the configuration using the commands below.

# ntpq -p
# date -R