Friday, November 2, 2007

Thursday, November 1, 2007

Basic Linux to manage servers

exim -bpc => prints the number of messages in the mail queue

exim -bp => lists the queue; frozen messages are marked *** frozen ***

exim -bpr | grep "frozen" | awk '{print $3}' | xargs exim -Mrm => finds the frozen messages in the queue and removes them with exim -Mrm (it does not restart exim)

-----------------------------------------------------------------
ERROR: ftpd failed @ Tue Aug 21 15:12:16 2007. A restart was attempted automagically.
(the cPanel service-monitor notification)

Resolution commands:

cd /etc/init.d
ls            (confirm the proftpd init script is there)

pidof proftpd
killall proftpd
service proftpd start
------------------------
SMTP (red)
1) cd /etc/init.d
ls            (lists the init scripts installed on the server)
killall -9 exim
pidof exim    (confirm no exim process is left)
service exim restart

2) exim -bpc to check the mail queue on the server, then run:
exim -bpr | grep "frozen" | awk '{print $3}' | xargs exim -Mrm
It finds the frozen messages and deletes them so that the mail queue shrinks. Option 1 only kills the process and restarts the SMTP server; option 2 also reduces the mail queue.
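The frozen-message step above, as an added example that is not part of the original notes: the IDs are extracted from `exim -bpr` output first and nothing is deleted unless `purge_frozen` is called with `--really`, so the list can be reviewed. The queue listing is constructed sample data in the layout `exim -bpr` prints (age, size, message ID, sender, then indented recipient lines); the first message ID is the one from the mail test further down this page, the other two are made up.

```bash
#!/bin/bash
# Added example (not from the original notes): list frozen message IDs from
# `exim -bpr` output and purge them only on explicit request.

# CONSTRUCTED sample of `exim -bpr` output. Each header line is
# "<age> <size> <message-id> <sender>", optionally ending in "*** frozen ***",
# followed by indented recipient lines. The first ID appears later on this
# page; the second and third are made up.
SAMPLE_QUEUE='25m  1.5K 1INr6g-00027W-Gp <root@server1.24hostingnow.com> *** frozen ***
          info@wedding-cy.com
 3h   12K 1INr7h-00028X-Hq <bounce@example.invalid> *** frozen ***
          user@example.invalid
 2m  2.1K 1INr8i-00029Y-Ir <alice@example.invalid>
          bob@example.invalid'

# Print the ID of every frozen message. Only header lines carry the frozen
# marker, and on those lines the ID is the third whitespace-separated field.
frozen_ids() {                  # $1: queue listing text
    printf '%s\n' "$1" | awk '/\*\*\* frozen \*\*\*/ { print $3 }'
}

frozen_count() {                # $1: queue listing text
    frozen_ids "$1" | awk 'END { print NR }'
}

# Remove the frozen messages. Without "--really" it only prints the command
# it would run, so the list can be reviewed first.
purge_frozen() {                # $1: queue listing text  $2: "--really" to act
    ids=$(frozen_ids "$1")
    if [ -z "$ids" ]; then
        echo "no frozen messages"
        return 0
    fi
    if [ "$2" = "--really" ]; then
        printf '%s\n' "$ids" | xargs exim -Mrm
    else
        printf 'would run: exim -Mrm %s\n' "$(printf '%s' "$ids" | tr '\n' ' ')"
    fi
}

# On a real server the listing comes from the command itself:
#   purge_frozen "$(exim -bpr)"            # review
#   purge_frozen "$(exim -bpr)" --really   # delete
purge_frozen "$SAMPLE_QUEUE"
```

The awk pattern matches only the `*** frozen ***` marker, so a recipient address or sender that happens to contain the word "frozen" cannot produce a bogus ID the way a bare `grep "frozen"` can.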
==============================

ps aufx => process tree with CPU and memory use per process, to see what load a particular service is really causing
-----------------------------------------------
w => logged-in users and the load average, from the shell
-----------------------------------
to restart the http server

1) service httpd restart (starts Apache; sites with SSL certificates are not served)
2) service httpd startssl (starts Apache with the SSL sites as well)
2 is always better than 1
--------------------------------------------------------------
FTP server down
We can switch the FTP server between pure-ftpd and proftpd through WHM
-----------------------------
restart services:
/scripts/restartsrv httpd
/scripts/restartsrv ftpserver
/scripts/restartsrv cppop
/scripts/restartsrv imap      (for webmail errors)
/scripts/restartsrv exim      (for smtp)
/scripts/restartsrv mysql
---------------------------------
to search a listing for a particular string (here we searched for "ftp")
ll | grep ftp
-------------------------------------------------------------
iptables
iptables -F (flushes all iptables rules: this unblocks every IP, but it also removes every other firewall rule)
to block an IP with APF:
apf -d (IP address) (deny: adds the address to the deny list)
apf -a (IP address) (allow: adds the address to the allow list)
You can also use the following command:
iptables -I INPUT -s 201.28.77.210 -j DROP
service apf restart
-------------------------------------------------------
To count the hits to http, pop or smtp per client IP (the example is port 80; substitute :110 or :25)
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
netstat -an | grep :80 | wc -l      (total number of sockets involving port 80)
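The per-IP count above as an added example, not from the original notes: the same pipeline turned into functions that anchor the port (a bare `:80` also matches `:8080`) and leave out the listening socket. The listing is constructed sample data in the column layout of `netstat -plan`; the server IP is the one used elsewhere on this page and the client addresses are documentation ranges.

```bash
#!/bin/bash
# Added example (not from the original notes): per-client connection counts
# from a `netstat -plan` style listing, the same idea as the one-liner above
# but with the port anchored (":80" alone also matches :8080) and listening
# sockets excluded.

# CONSTRUCTED sample in the column layout of `netstat -plan`; the server IP
# is the one used elsewhere on this page, the clients are documentation ranges.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 69.72.192.43:80         203.0.113.5:51234       ESTABLISHED 1234/httpd
tcp        0      0 69.72.192.43:80         203.0.113.5:51235       ESTABLISHED 1234/httpd
tcp        0      0 69.72.192.43:80         198.51.100.7:40001      TIME_WAIT   -
tcp        0      0 69.72.192.43:25         203.0.113.5:2525        ESTABLISHED 999/exim
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd'

# Connections per remote IP on a local port, most connections first.
# Column 4 is the local address:port, column 5 the remote one, column 6 the state.
top_clients() {                 # $1: local port  $2: listing text
    printf '%s\n' "$2" | awk -v port="$1" '
        $4 ~ (":" port "$") && $6 != "LISTEN" {
            split($5, peer, ":")
            count[peer[1]]++
        }
        END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Number of non-listening sockets on a local port (the `wc -l` figure above).
port_connections() {            # $1: local port  $2: listing text
    printf '%s\n' "$2" | awk -v port="$1" '
        $4 ~ (":" port "$") && $6 != "LISTEN" { n++ }
        END { print n + 0 }'
}

# IPs holding at least $3 connections on the port: the candidates to look at
# before deciding on an apf -d.
flag_over() {                   # $1: local port  $2: listing text  $3: threshold
    top_clients "$1" "$2" | awk -v min="$3" '$1 >= min { print $2 }'
}

# Live use: top_clients 80 "$(netstat -plan)"
top_clients 80 "$SAMPLE_NETSTAT"
```

The split on ":" assumes IPv4 peers, as on the servers these notes describe; IPv6 addresses contain colons and would need `netstat -4` or a different split.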
---------------------------------------------------------
To reset the mail server configuration to the cPanel default:
/scripts/eximup --force
"But use it as the last option to bring exim up"
--------------------------------------------------------------------------------------------
To follow the exim log for a domain
tail -f /var/log/exim_mainlog | grep (domain name)
To count the mail generated by a particular cron job (here: munin)
cat /var/log/exim_mainlog | grep /home/munin | wc -l
cat /var/log/exim_mainlog | grep /home
----------------------------------------------------------------------------------------
to send an email from the shell:
mail -vv (recipient's email address)
example of a complete email sent from the server itself
----------------------------------------------------------------------------------------
root@server1 [~]# mail -vv info@wedding-cy.com
Subject: Test Email
This is a test email
Cc:
LOG: MAIN
cwd=/root 4 args: send-mail -i -v info@wedding-cy.com
LOG: MAIN
<= root@server1.24hostingnow.com U=root P=local S=426 T="Test Email"
LOG: MAIN
cwd=/var/spool/exim 4 args: /usr/sbin/exim -v -Mc 1INr6g-00027W-Gp
delivering 1INr6g-00027W-Gp
root@server1 [~]# LOG: MAIN
=> info F= P= R=virtual_user T=virtual_userdelivery S=612 QT=2s DT=0s
LOG: MAIN
Completed QT=2s
-----------------------------------------------------------------------------------------
if the /var partition is full, do the following:
cd /var/log
echo > exim_mainlog
--------------------------------------------------------------
to stop mailnull / mailman (the mailing-list manager):
/usr/local/cpanel/3rdparty/mailman/bin/mailmanctl restart|start|stop
---------------------------------
to get the path of backup on server
login to WHM then please click on configure backup. Here you will get it
-----------------
It shows the directory from which a particular process (here PID 14280) is running.
lsof -p 14280 | grep cwd
-------------------------------------------
To kill particular processes (by PID)
kill -9 27022 740 10653 3310 14280 14281 17306 17307
cd /<directory name>
and
rm -fr * ; /scripts/restartsrv mysql
-------------------------------------------
http logs:
/usr/local/apache/logs
-------------------------------------------
to get the backups
cd /backup/cpbackup
-------------------------------------------
commands:
hostname
whoowns domainname          (prints the username that owns the domain)
cd ~<username from the above command>
cd ../mail
----------------
To get the email info such as IP and etc
pico /etc/exim.conf
-----------
Mailbox unavailable
strings /var/qmail/users/recipients.cdb |grep
---------------------------
If /var gets full, empty some log files from /var/log
to empty one: "echo > mysqld.log"
------------------
to place an IP address to ban
pico /etc/apf/deny_hosts.rules
---------------
which bash (to get the bash path)
---------
script to scan the server for iframes (this script searches for files containing an IFRAME tag and removes the tag from them)
#!/bin/bash
# list every file under the current directory that mentions IFRAME (case-insensitive)
grep -ilr "IFRAME" * |
while read -r line
do
    # first argument: the iframe markup to remove (that string was lost from the page; restore it before running)
    replace "" "" -- "$line"
done
-----------------------
Create a test.sh file containing the above code, set the permission with chmod 755 test.sh and execute it with ./test.sh
The file should be created (and run) in the various directories to be cleaned, such as /home, /usr/local/apache/htdocs and /root
---------------------------------------
upgrade perl version
cd /root
wget http://layer1.cpanel.net/perl588installer.tar.gz
tar -zxf perl588installer.tar.gz
cd perl588installer
./install
-----------
If SMTP for all the servers is showing a red spot, run the following command on the stophier server:
iptables -F
and restart the iptables service.
----------------
fuser -k <path> kills the processes that are using that file or mount point
-----------------------
ll -lsh
to view files with sizes
------------
cd /etc
pico exim.conf

after the eximup command, the mail server's IP address needs to be set in exim.conf, in the remote_smtp transport:
remote_smtp
interface = IP address
--------------
cron
/var/spool/cron
----
sudo /usr/local/bin/rkhunter -c
-------------
echo > /etc/apf/deny_hosts.rules
echo > /etc/hosts.deny
apf -r
---------
send an email to all users

server0 of 24hostingnow
/home/admin/public_html/cgi-bin/mailinglist
ll
pico email.txt (text of the mail to be sent to clients)
pico subscribers.txt (all email IDs of clients on the server)
pico emailclients.cgi
./emailclients.cgi (to run the script)
---------
to list entries whose size is shown in MB (crude: it also matches names containing "M")
ls -lah | grep M
---
ll | grep username
-----------------
root@server2 [/usr/local/cpanel/3rdparty/mailman/lists]# ll
--------------
to check the assigned IP (server IP) for the domains
root@server1 [/var/named]# grep -lr '69.72.192.43' .
--------------------
To check available IPs on the server
cd /var/named:- cat /etc/ips
---------
To check which domains are assigned to a particular IP address
cd /var/named; grep -lr 'IP address' .
------------------
path to check the basic info of the server
cd /usr/local/apache/htdocs:- cat /etc/wwwacct.conf
---------------
to check server index page
cd /usr/local/apache/htdocs:- cat index.html
-------------
Checks the syntax of httpd.conf and shows the result
/etc/init.d/httpd configtest
----------------
If there is load on the server due to mailing lists, you can stop or start mailman with the following commands:
/usr/local/cpanel/3rdparty/mailman/bin/mailmanctl start|stop ( starting or shutting down Mailman's master qrunner )
-----------------
To check whether an account is hosted on the server
cat /var/cpanel/accounting.log | grep worldwi (username)
------------------------------
If ticket board is not working, just use, service httpd startssl
If the issue still persists, stop httpd using /etc/init.d/httpd stop and then use /etc/init.d/httpd startssl
-----------------------------
If you see mysql connections in bulk, just restart mysql services as well as httpd services.
---------------------------
To see the error logs :
tail -f /usr/local/apache/logs/error_log
-------------------------
cat/proc/20376
lsof -p 18350 | grep
--------------
to get the version of linux on the server
cat /etc/redhat-release

php -v
perl -v
mysql -V
---------
Account restore
/scripts/restorepkg aaronkar
=============
first of all we need to move the backup file into /home
to get the user account details
cat /var/cpanel/users/aaronkar

root@galaxy [/backup/cpbackup/daily]# cat /var/cpanel/users/aaronkar
BWLIMIT=524288000
FEATURELIST=default
MAXADDON=15
MAXPARK=25
OWNER=bostone
PLAN=bostone_50MBbigBW
RS=monsoon
STARTDATE=1074130183
DNS=aaronkarp.com
IP=69.72.128.66
---------------
exim -bpr | grep "M" | awk '{print $2}' => to check the size of queued emails in MB
tail -f /var/log/exim_mainlog =>to check the logs for exim
=======================================
free -m => to check the status of the memory on server.
mysqladmin proc => to check the status of the databases under the table format.
======================================
Restore backup :

1. Check the backup for the user (bottolfs) under
cd /backup/cpbackup/weekly/

2. check date of back up:
root@server2 [/backup/cpbackup/weekly]# ls -lh bottolfs.tar.gz

3. Then mv bottolfs.tar.gz /home

4. Kill the account which you want to delete:
root@server2 [/backup/cpbackup/weekly]# /scripts/killacct bottolfs

5. Then restore it
root@server2 [/backup/cpbackup/weekly]# /scripts/restorepkg bottolfs

6. The backup of the account you have just restored goes into /home/cprestore/
root@server2 [/backup/cpbackup/weekly]# cd /home/cprestore/

7. Then move it back under /backup/cpbackup/weekly
root@server2 [/home/cprestore]# mv bottolfs.tar.gz /backup/cpbackup/weekly/
===============================================
server info
cat /proc/cpuinfo
===============================================
cp -R filename1 filename2 ==> to take a backup of a file or directory
ex: cp -R xzero xzero_back
==============================================
chmod 777 filename1 filename2 filename3 => to change the permissions of multiple files at a time
==============================================
mysql -u injaaco_xzero -p
cd /var/lib/mysql/injaaco_xzero/
====================================================

Prevent non-root users from logging in

Imagine that for some reason (e.g. maintenance tasks) you want to prevent non-root users from logging into the system. The next tip is a very simple way to achieve this goal.

If a file called /etc/nologin exists, login refuses to start a session on this system. If you put some text into the file, users are shown this text and their login attempts are refused.

vi /etc/nologin

Server under maintenance. No access allowed at this moment.



Bandwidth Monitoring with ipac-ng
Saturday September 09th 2006, 11:17 pm
Filed under: Monitoring

This page details the installation and configuration of ipac-ng for monitoring the network traffic volume through a linux router.

Contents: Background | Requirements | Obtaining | Installing | Defining Rules | Starting Data Collection | Viewing Data | Graphing Data | References

Background
I have a linux router at home, connecting four networks:

eth0: my home ethernet network
eth1: my Smoothwall internet firewall
eth2: my WA Freenet interface
eth3: my home wireless interface

and I wanted to be able to monitor the total traffic passing through each of these interfaces.
I have ipac-ng configured on my Smoothwall box to monitor traffic to and from the internet, but didn’t have a way to monitor my WA Freenet traffic.

This page details how I’ve configured ipac-ng on my linux router, to monitor the network traffic volume through each interface.

Requirements
You’ll need:

a Linux box being used as a router, running iptables
an ipac-ng tarball (version 1.30 or later)
an SCP client (such as WinSCP, or SSH Secure File Transfer Client, part of SSH Secure Shell) for copying files onto your linux box.
a way of getting a command-line prompt on your linux box (either by logging directly onto your linux box, using a SSH client such as PuTTY or SSH Secure Shell).
and optionally

a web server running on the Linux box
Note that I’m using a custom installation of Red Hat 9.0 linux.
If your configuration is different, you may need to adjust some parts of this guide to suit your configuration.

Obtaining ipac-ng
Download the latest version of ipac-ng from the ipac-ng download page.

This tutorial was originally written for ipac-ng 1.25, but has been updated to incorporate a number of changes for ipac-ng 1.31.

Installing ipac-ng
SCP the tarball into the /usr/src directory on your linux box. From a command prompt, change into the /usr/src directory, and un-tar the tarball:

cd /usr/src
tar -xzvf ipac-ng-1.31.tar.gz

Change into the newly created directory:

cd ipac-ng-1.31

Compile and install ipac-ng:

./configure --enable-default-storage=gdbm
make
make install

Create a directory to hold the configuration files, and copy the sample configuration file into it:

mkdir /etc/ipac-ng
cp contrib/sample_configs/ipac.conf /etc/ipac-ng

The master configuration file for ipac-ng is /etc/ipac-ng/ipac.conf.
Edit this file, and comment out the following two lines by inserting a “#” character at the beginning of each of these lines:

#classic mode = yes

#access agent = files

Defining Rules
We’ll define the rules to specify what ipac-ng is monitoring in a new file we’ll create, called /etc/ipac-ng/rules.conf.

Note that the sample rules.conf.iptables in /usr/src/ipac-ng-1.31/contrib/sample_configs/ has a fairly descriptive definition of the rules.

The syntax for each rule is:

Name of rule|direction|interface|protocol|source|destination|extension|where

Name of rule Any string to identify this rule
direction ipac~fi - forward in
ipac~fo - forward out
ipac~i - outgoing from machine with ipac-ng to other host(/net)
(or incoming to otherhost)
ipac~o - incoming to machine with ipac-ng
(or outgoing from otherhost)
interface interface name, ‘+’ means all interfaces (don’t try to use IP numbers here!)
protocol tcp | udp | icmp | all
source described in ipfwadm(8), or empty
destination described in ipfwadm(8), or empty

I wanted to monitor all incoming and outgoing traffic for each interface on my linux router, so I created a new file called /etc/ipac-ng/rules.conf, with the following contents:

# incoming / outgoing from internet to linux router
incoming from internet|ipac~o|eth1|all||||
outgoing to internet|ipac~i|eth1|all||||
# forwarded traffic from/to internet
incoming from internet|ipac~fi|eth1|all||||
outgoing to internet|ipac~fo|eth1|all||||

# incoming / outgoing from freenet to linux router
incoming from freenet|ipac~o|eth2|all||||
outgoing to freenet|ipac~i|eth2|all||||
# forwarded traffic from/to Freenet
incoming from freenet|ipac~fi|eth2|all||||
outgoing to freenet|ipac~fo|eth2|all||||

# incoming / outgoing from home ethernet to linux router
incoming from home ethernet|ipac~o|eth0|all||||
outgoing to home ethernet|ipac~i|eth0|all||||
# forwarded traffic from/to ethernet
incoming from home ethernet|ipac~fi|eth0|all||||
outgoing to home ethernet|ipac~fo|eth0|all||||

# incoming / outgoing from home wireless to linux router
incoming from home wireless|ipac~o|eth3|all||||
outgoing to home wireless|ipac~i|eth3|all||||
# forwarded traffic from/to home wireless
incoming from home wireless|ipac~fi|eth3|all||||
outgoing to home wireless|ipac~fo|eth3|all||||

These rules will configure ipac-ng to monitor all traffic from the linux router to/from any networks connected to that interface, as well as any traffic forwarded by the linux router to/from any PCs on that interface.

You can create rules to monitor traffic to or from a specific PC on your network, or you can monitor traffic on a specific port, so feel free to implement additional rules if desired.

For example, to monitor all internet traffic to/from a specific PC (say, Frodo, with IP 10.60.11.133) on my home network (where eth1 is the internet interface on my router), I would add these rules:

# forwarded internet traffic to and from Frodo
internet to Frodo|ipac~fi|eth1|all||10.60.11.133||
Frodo to internet|ipac~fo|eth1|all|10.60.11.133|||

The first rule will monitor all traffic through eth1 (my internet interface) which is destined for 10.60.11.133. The second rule will monitor all traffic through eth1 which originates from 10.60.11.133.
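An added example, not from the original post: a small checker for the rules.conf format described above (eight pipe-separated fields, one of the four ipac~ directions, one of the four protocol keywords). ipac-ng’s own parser is the authority; this only catches the mistakes that are easy to make by hand when editing the file. The valid input is the two Frodo rules from the post; the broken input is constructed.

```bash
#!/bin/bash
# Added example (not from the original post): sanity-check an ipac-ng
# rules.conf before feeding it to fetchipac. Checks only the things that are
# easy to get wrong by hand: 8 pipe-separated fields, one of the four
# ipac~ directions, and a known protocol keyword.

check_rules() {                 # $1: rules text; prints problems, exit 1 if any
    printf '%s\n' "$1" | awk -F'|' '
        /^[[:space:]]*#/ { next }          # comment
        /^[[:space:]]*$/ { next }          # blank line
        {
            err = ""
            if (NF != 8)
                err = "expected 8 fields, got " NF
            else if ($2 !~ /^ipac~(fi|fo|i|o)$/)
                err = "unknown direction \"" $2 "\""
            else if ($4 !~ /^(tcp|udp|icmp|all)$/)
                err = "unknown protocol \"" $4 "\""
            if (err != "") { bad++; printf "line %d: %s\n", NR, err }
            else ok++
        }
        END { printf "%d rules ok, %d bad\n", ok + 0, bad + 0; exit (bad + 0 > 0) }'
}

# Rules taken from the post (valid).
GOOD_RULES='# forwarded internet traffic to and from Frodo
internet to Frodo|ipac~fi|eth1|all||10.60.11.133||
Frodo to internet|ipac~fo|eth1|all|10.60.11.133|||'

# CONSTRUCTED broken rules: a misspelt direction and a truncated line.
BAD_RULES='incoming from internet|ipac~o|eth1|all||||
bogus direction|ipac~x|eth1|all||||
outgoing to internet|ipac~i|eth1|all||||
too few fields|ipac~i|eth1|all'

check_rules "$GOOD_RULES"
check_rules "$BAD_RULES" || true
# Real file: check_rules "$(cat /etc/ipac-ng/rules.conf)"
```

Line numbers in the report count comment and blank lines too, so they match the line in the editor. The source and destination fields are passed through unchecked, since their syntax is defined by ipfwadm(8) rather than by this format.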

Starting Data Collection
To start ipac-ng (ie, build the rules and chains for monitoring), run:

fetchipac -Sv

If everything is correct, you should see a list of the accounting rules as fetchipac builds them.

Note that ipac-ng needs to be (re-)initialised each time your linux box restarts, or each time you restart iptables.
To achieve this, I added the following lines into the start section of my iptables script:

# initialise ip accounting
/usr/local/sbin/fetchipac -Sv

To collect data, fetchipac needs to be run periodically. Rather than storing all the raw data, we’ll also summarise the data periodically. To do so, add these lines to the end of /etc/crontab:

# get data for ipacsum
*/5 * * * * root /usr/local/sbin/fetchipac

# summarize ip accounting info:
2 0 * * * root /usr/local/sbin/ipacsum -r -H `/bin/hostname` -t "the day 7 days ago" >/dev/null
3 0 * * 0 root /usr/local/sbin/ipacsum -r -H `/bin/hostname` -t "the week 11 weeks ago" >/dev/null
4 0 1 1 * root /usr/local/sbin/ipacsum -r -H `/bin/hostname` -t "the year 2 years ago" >/dev/null

The above configuration will cause fetchipac to fetch and store data every 5 minutes, summarise the data for the day 7 days ago at 00:02 daily, the data for the week 11 weeks ago at 00:03 each Sunday, and the data for the year 2 years ago at 00:04 on the 1st of January each year.

For more information on crontab configuration, run man 5 crontab from a command prompt on your linux box.

Viewing ipac-ng Data
Summarised data as recorded by ipac-ng can be viewed by running ipacsum from the command line.

Running ipacsum without any command line parameters will display the total traffic for each of the rules you’ve defined from the time when you first started running ipac-ng up to the current time.

To view traffic for a specific period of time, you can use the --starttime and --endtime command-line parameters.

Alternatively, if you’re interested in viewing data for the last day, or week, or month, you can use the --timeframe or -t command-line parameter.

For example, to view data for today, use

ipacsum -t today

for the last month, use

ipacsum -t "this month"

For example, on my linux router, to view ipacsum totals for the previous day, I run

ipacsum -t yesterday

which results in the following output:

Host: elrond.mpot.mm.wafreenet / Time created: 2003/05/15 16:21:01 WST
Data from 2003/05/14 00:00:00 WST to 2003/05/14 23:59:59 WST
incoming from home ethernet : 336M
incoming from freenet : 658M
incoming from home wireless : 2M
incoming from internet : 958M
incoming from smoothwall : 9M
outgoing to home ethernet : 2G
outgoing to freenet : 20M
outgoing to home wireless : 11M
outgoing to internet : 316M

However, the results are displayed in varying units, so to display the same results with common units (we’ll use megabytes), use

ipacsum -t yesterday --fixed-quantity M

which results in

IP accounting summary
Host: elrond.mpot.mm.wafreenet / Time created: 2003/05/15 16:21:07 WST
Data from 2003/05/14 00:00:00 WST to 2003/05/14 23:59:59 WST
incoming from home ethernet : 336M
incoming from freenet : 658M
incoming from home wireless : 2M
incoming from internet : 958M
incoming from smoothwall : 9M
outgoing to home ethernet : 1623M
outgoing to freenet : 20M
outgoing to home wireless : 11M
outgoing to internet : 316M

Run ipacsum --help for usage information, or man ipacsum for more details.

Graphing ipac-ng Data
ipac-ng also includes support for creating graphs of the traffic being monitored. This allows you to monitor the traffic via a web browser.

First of all, create a directory for the ipac-ng images and web pages:

mkdir /var/www/html/ipac

Create a shell script called /usr/local/bin/makegraphs to do the image creation, with the following contents:

#!/bin/sh
/usr/local/sbin/ipacsum --png /var/www/html/ipac/ --png-average-curve 15 \
--png-index index.html --png-caption-in-index --png-width 695 -s 24h

Make the script executable:

chmod 755 /usr/local/bin/makegraphs

This script will create png images for each rule, showing the traffic over the last 24 hours, and includes a curve showing the average traffic.

Test the image creation by manually running the script from the command line:

/usr/local/bin/makegraphs

Totals for the last 24 hours will be displayed, and the /var/www/html/ipac/ directory should now contain an image for each rule, as well as index.html.

Assuming you’ve got your web server software configured appropriately, you should be able to view the ipac-ng graphs by pointing your browser at http://your_ip/ipac/.

Automate the image creation every half hour by adding these lines into /etc/crontab

# generate some ipac graphs
*/30 * * * * root /usr/local/bin/makegraphs >/dev/null

References
ipac-ng - Linux IP accounting package
crontab man page



Tips and tricks
Friday August 11th 2006, 8:34 am
Filed under: Advanced Commands, Linux Administration, Linux General, Linux Security, Linux:- Tips & Tricks, Tuning Linux
———————————————————————–

Q:- Find out top 10 directories eating up your disk space:
A:- du -sh * | sort -rh | head -10
———————————————————————–

Q:- Find Harddisk Capacity on the box.
A:- fdisk -l | grep -iE 'mb|gb|tb'
———————————————————————–

Q:- Find out performance of your hard disk with following command:
A:- hdparm -t -T /dev/hda
———————————————————————–

Q:- You can block all login access with following command:
A:- touch /etc/nologin
———————————————————————–

Q:- It is a good idea to encrypt a backup made with the tar command:
A:- tar -zcvf - * | openssl des3 -salt -k PASSWORD | dd of=mybackup.tbz
tar -zcvf - /home | openssl des3 -salt -k PASSWORD | dd of=/dev/st0
To extract an encrypted tar file use:
dd if=mybackup.tbz | openssl des3 -d -k PASSWORD | tar -zxvf -
dd if=/dev/st0 | openssl des3 -d -k PASSWORD | tar -xzf -
————————————————————————
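An added example, not from the original post: the same tar-through-openssl backup with two changes a practitioner would want. des3 is replaced by AES-256-CBC with a PBKDF2-derived key, and the passphrase is read from a file instead of being given as `-k PASSWORD`, which exposes it in the process list (`ps`) for as long as the job runs. It assumes tar, gzip and an OpenSSL that has the `-pbkdf2` option (1.1.1 or later); the file paths in the usage comments are placeholders.

```bash
#!/bin/bash
# Added example (not from the original post): tar backup encrypted with
# AES-256-CBC and a PBKDF2-derived key instead of des3, with the passphrase
# read from a file rather than passed as "-k PASSWORD" on the command line.
# Assumes tar, gzip and OpenSSL 1.1.1+ (for -pbkdf2). Paths are placeholders.

# Archive a directory and encrypt the stream. The passphrase file should be
# readable by root only (chmod 600).
backup_encrypted() {            # $1: directory  $2: passphrase file  $3: output file
    tar -C "$(dirname "$1")" -czf - "$(basename "$1")" |
        openssl enc -aes-256-cbc -salt -pbkdf2 -pass "file:$2" -out "$3"
}

# Decrypt and unpack into a destination directory. With a wrong passphrase
# openssl fails (bad decrypt) and tar never sees a valid archive, so the
# function returns non-zero instead of restoring garbage.
restore_encrypted() {           # $1: encrypted file  $2: passphrase file  $3: destination
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$1" |
        tar -C "$3" -xzf -
}

# Usage (placeholder paths):
#   backup_encrypted /home /root/backup.pass /backup/home.tgz.enc
#   restore_encrypted /backup/home.tgz.enc /root/backup.pass /restore
```

For a tape, give `/dev/st0` as the output file of `backup_encrypted` and as the input file of `restore_encrypted`, which is what the post’s `dd` lines do. `-salt` makes two backups of the same data with the same passphrase encrypt differently.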

Q:- Delete a file securely, first overwriting it to hide its contents.
A:- $ shred -n 200 -z -u personalinfo.tar.gz
A:- srm filename
A:- wipe filename
—————————————
Q:- Delete file by inode:
A:- $ find . -inum 782263 -exec rm -i {} \;
————————————————————————

Q:- Forcefully unmount a CD/DVD-ROM or any other mounted partition with the
fuser command:
A:- fuser -km /dev/cdrom
fuser -km /mnt/cdrom
fuser -km /data2
————————————————————————

Q: List open files under user nobody

A:- lsof -u nobody
————————————————————————-



What is /dev/shm and its practical usage ?
Tuesday July 25th 2006, 6:17 am
Filed under: Advanced Commands, Linux Administration, Linux General, Linux:- Tips & Tricks, Tuning Linux

/dev/shm is an implementation of the traditional shared-memory concept. It is an efficient means of pass­ing data between programs: one program creates a memory segment which other processes (if permitted) can access, which speeds things up on Linux.

If you type the mount command you will see /dev/shm mounted as a tmpfs file system. It is therefore a file system that keeps all files in virtual memory. Everything in tmpfs is temporary in the sense that no files are created on your hard drive; if you unmount a tmpfs instance, everything stored in it is lost. By default almost all distributions are configured to use /dev/shm.

Nevertheless, where can I use /dev/shm?
You can use /dev/shm to improve the performance of application software or overall Linux system performance. On a heavily loaded system it can make a big difference. For example, VMware Workstation/Server can be optimized to improve your Linux host’s performance (i.e. improve the performance of your virtual machines).

For example, if you have 8GB RAM then remount /dev/shm as follows:

# mount -o remount,size=8G /dev/shm

To be frank, if you have more than 2GB RAM and you are running multiple virtual machines, this hack always improves performance.



How to install CVS
Friday July 21st 2006, 8:42 am
Filed under: Backup, Linux Administration, Linux General

Installation:
Compile it from source
Download from ftp://ftp.cvshome.org/pub/

$ gunzip cvs-x.x.tar.gz
$ tar -xvf cvs-x.x.tar
$ cd cvs-x.x/
$ ./configure
$ make
$ su -l            (enter password; switch user to root)
# make install

Check to make certain CVS is installed:

$ which cvs
/usr/bin/cvs

Create the cvsroot for a user and master repository:
You can choose to place your cvsroot almost wherever you want. I’ve historically placed it in /home/ to make regular backups easier. You might have your own reasons to place it where you want.

$ su -l
# adduser cvs
# rm -rf /home/cvs
# mkdir /home/cvs

It can be convenient to manage permissions by creating a ‘cvs’ group in /etc/group, adding the relevant users to that group, and granting that group permissions on the cvsroot directories.

Set a CVSROOT:
You need to set the environment variables, so that CVS knows where to find the root library.

$ export CVSROOT=/home/cvs/        # for bash users
> setenv CVSROOT '/home/cvs'       # for csh or tcsh users
# this can also be added to /etc/profile for system-wide access

This can also be set automatically upon login by adding a line to your ~/.bashrc file (or whichever file stores your shell environment variables).

Check to make sure that it’s set properly:

$ echo $CVSROOT
/home/cvs/

As you may have noticed, the CVSROOT variable is set by the client, and not the server. This enables you to easily use multiple CVSROOTs, based on permissions, partitioning, etc.

Remote access:

The CVS client can also be configured to use a cvsroot on a remote server, and to tunnel through SSH. The remote client needs to have these entered at the command line, or read in from the .bashrc file:

export CVSROOT="user@host.domain.tld:/pathto/cvsroot"
export CVS_RSH="/usr/bin/ssh"

All commands should operate as usual, but each will require a password in order to proceed.

Bad CVSROOT error:
A common and frustrating error to run into while using this method, because it’s not well documented:

cvs checkout: is set for a remote access method but your
cvs checkout: CVS executable doesn't support it
cvs [checkout aborted]: Bad CVSROOT.

Your problem most likely lies with the client version of the cvs binary. It’s probably version 1.11.1 or earlier; upgrading to 1.11.2 should take care of this.




How do I Drop or block attackers IP with null routes?
Tuesday July 04th 2006, 3:16 pm
Filed under: Linux Administration, Linux General, Linux Security, Linux:- Tips & Tricks, Tuning Linux
Someone might attack your system. You can drop the attacker’s IP using iptables. However, one of our senior sysadmins highlighted something new to me: you can null-route the address (as ISPs sometimes do), which prevents your network device from sending any data to that remote system, stopping various attacks coming from a single IP (read: spammers or hackers):

Suppose that bad IP is 65.21.34.4, type following command at shell:

# route add 65.21.34.4 127.0.0.1

You can verify it with following command:

# netstat -nr

This is cool, as you do not have to play with iptables rules.



Linux or UNIX disable null passwords
Tuesday July 04th 2006, 3:08 pm
Filed under: Uncategorized
Q. How do I disable logins for users with null passwords?

A. PAM (pluggable authentication modules) is used by both Unix-like OSes (Solaris/BSD/AIX/HP-UX) and Linux for configuring authentication-related services.

A null password allows users to log onto a system without having to supply a valid password. This is a security risk to the system. In case you are wondering how a null password gets set up, the usermod command does it as follows:

# usermod -p "" username

The PAM configuration option that enables null passwords is the nullok module argument passed to the pam_unix.so PAM module. You’ll want to remove this argument from any modules of auth type for services that allow login.

Debian Linux
Debian Linux uses the following two files:

/etc/pam.d/common-auth: authentication settings common to all services
/etc/pam.d/common-password: password-related modules common to all services
Caution: before modifying the PAM config files mentioned below, make a backup of the files using the cp command.

a) Open /etc/pam.d/common-auth:

# cp /etc/pam.d/common-auth /etc/pam.d/common-auth.ORI
# vi /etc/pam.d/common-auth

Find the line that reads as follows:

password required pam_unix.so nullok obscure min=4 max=8 md5

Remove nullok from the above line so that it reads as follows:

password required pam_unix.so obscure min=4 max=8 md5

b) Save the file and exit to the shell prompt. Open the file /etc/pam.d/common-password:

# cp /etc/pam.d/common-password /etc/pam.d/common-password.ORI
# vi /etc/pam.d/common-password

Find the line that reads as follows:

auth required pam_unix.so nullok_secure

Remove nullok_secure from the above line so that it reads as follows:

auth required pam_unix.so

Save the file and exit to the shell prompt. Now no one will be able to log in using a null password.

Red Hat / Fedora Linux
You need to modify a single file, /etc/pam.d/system-auth:

# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.ORI
# vi /etc/pam.d/system-auth

Find the line that reads as follows:

auth sufficient /lib/security/pam_unix.so likeauth nullok

Remove nullok from the above line so that it reads as follows:

auth sufficient /lib/security/pam_unix.so likeauth

Save the file.
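An added example, not from the original post: a scripted version of the edits above. It removes nullok and nullok_secure from pam_unix.so lines and keeps the .ORI backup the post makes with cp. It works on whichever file carries the argument (the Debian common-auth / common-password pair or the Red Hat system-auth), so the outcome does not depend on which of the two Debian files a given line lives in. Only sed, cp and grep are assumed; the paths in the usage comments are the post’s own.

```bash
#!/bin/bash
# Added example (not from the original post): strip the nullok and
# nullok_secure arguments from pam_unix.so lines, keeping a .ORI backup.

# Filter: PAM config on stdin, hardened config on stdout. Lines that do not
# mention pam_unix.so pass through untouched. The substitution loops so that
# several nullok tokens on one line are all removed, and it only matches the
# whole word (nullok or nullok_secure followed by whitespace or end of line).
strip_nullok() {
    sed -E -e '/pam_unix\.so/!b' \
           -e ':a' \
           -e 's/[[:space:]]+nullok(_secure)?([[:space:]]|$)/\2/' \
           -e 'ta'
}

# Count remaining nullok / nullok_secure arguments in a file (0 when hardened).
count_nullok() {                # $1: file
    grep -E '(^|[[:space:]])nullok(_secure)?([[:space:]]|$)' "$1" | wc -l | tr -d ' '
}

# Edit a PAM file in place after copying it to <file>.ORI, as the post does
# with cp. Returns non-zero if the backup cannot be written.
harden_pam_file() {             # $1: PAM config file, e.g. /etc/pam.d/system-auth
    cp -p "$1" "$1.ORI" || return 1
    strip_nullok < "$1.ORI" > "$1"
}

# Usage on a real system (the post's files):
#   harden_pam_file /etc/pam.d/common-auth
#   harden_pam_file /etc/pam.d/common-password
#   harden_pam_file /etc/pam.d/system-auth
```

After running it, `count_nullok` on each file should print 0; keep a root shell open while testing a new login, since a mistake in a PAM auth line can lock everyone out.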



Dynamic DNS Setup
Sunday July 02nd 2006, 5:52 pm
Filed under: Linux Administration, Linux General, Linux Networking, Linux Security, Linux:- Tips & Tricks
Notes on setting up a dynamic dns for home with bind-9.x

Generating Secure DNS Keys

On the home/client machine:

# mkdir /etc/bind/tsig
# cd /etc/bind/tsig
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST host.domain.tld.

Note the “.” after the tld. This generates the public and the private keys.


named.conf

On the remote server:

Edit “/etc/named.conf” and add the generated key to the conf. (Note the trailing dot):

key host.domain.tld. {
    algorithm hmac-md5;
    secret "qUSfVtkYf7WLxiZaOTN3Ua==";
};
Grant Authority

Still on the remote server:

Edit the “/etc/bind/zone.domain.tld” file, and modify the current allow-update line to include the key.

allow-update { key "default_key."; key "host.domain.tld."; };

This grants full authority to modify any record within the domain (be warned).

Restart named and make sure nothing is broken.


nsupdate

Back to the client machine:

Run nsupdate to test that the client can now make updates.

# nsupdate -k /etc/bind/tsig/Khost.domain.tld.*.key
> update delete host.domain.tld A
> update add host.domain.tld. 600 A 1.2.3.4
> send
> quit

It first deletes host.domain.tld if it already exists, then recreates it with the given TTL, type, and IP address. The TTL is the time-to-live, a value used by other DNS servers to determine how often they refresh the entry for this host. A smaller value means they’ll refresh more often, which is what you want for a dynamic entry. “send” tells nsupdate to send the updates to the server.


Automate

Create a script and put it in a 10 minute cron to check for changes in the wan ip address and run nsupdate automagically.

# cat /etc/cron.d/ddns
SHELL=/bin/sh
*/10 * * * * root /etc/bind/ddns

Below is an example script that gets the info from a Belkin wireless router within the home LAN.

#!/bin/bash
# ddns
HOSTNAME="host.domain.tld"
KEYFILE="/etc/bind/tsig/Khost.domain.tld.*.key"
TTL=600
#LOG="/tmp/ddns_log"
LOG="/dev/null"
IP_FILE="/tmp/ddns_ip"

# scrape the WAN address from the router's status page
NEW_IP=`wget -q -O - 192.168.2.1 | grep "Up.*dw" | tr "\n" " " | awk -F "'" '{print $12}'`

# send the delete/add pair to the DNS server, signed with the TSIG key
function do_nsupdate {
    echo "New IP address (${NEW_IP}) found. Updating..." >> $LOG
    echo $NEW_IP > $IP_FILE
    nsupdate -k $KEYFILE >> $LOG << EOF
update delete $HOSTNAME A
update add $HOSTNAME $TTL A $NEW_IP
send
quit
EOF
}

# first run: no record of the last address, so always update
if [ ! -f $IP_FILE ]; then
    echo "Creating $IP_FILE..." >> $LOG
    do_nsupdate
else
    OLD_IP=`cat $IP_FILE`
    if [ "$NEW_IP" = "$OLD_IP" ]; then
        echo "new and old IPs (${OLD_IP}) are same. Exiting..." >> $LOG
        exit 0
    else
        do_nsupdate
    fi
fi

exit 0


Permanently add static IP and default gateway
Sunday July 02nd 2006, 5:50 pm
Filed under: Linux Administration, Linux General, Linux Networking, Linux:- Tips & Tricks
Red Hat Linux makes it fairly easy to set up networking so that it starts automatically. A series of scripts in /etc/sysconfig/network-scripts does most of the work.

1. Binding the IP address
In "/etc/sysconfig/network-scripts/ifcfg-eth0", set IPADDR (the IP address), NETMASK, NETWORK and BROADCAST:

DEVICE=eth0
ONBOOT=yes
IPADDR=192.168.0.x
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255

2. Adding the default gateway
In "/etc/sysconfig/network", add your default gateway:

GATEWAY=192.168.0.1

You can now restart the network:

# /etc/sysconfig/network-scripts/ifdown eth0
# /etc/sysconfig/network-scripts/ifup eth0

(Do not run these over a remote session on the same interface: ifdown takes the interface down, your connection goes with it, and nothing is left to run ifup.)

Alternatively, on Red Hat:

# service network restart
or
# /etc/init.d/network restart

Check the routing table with "/sbin/route" to verify everything is in place; the settings are read from these files at boot, so a restart will keep them.
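The NETWORK and BROADCAST fields are derived from IPADDR and NETMASK, and typing them by hand is where mistakes creep in. As an added example (not from the original post), the following shell functions compute both from the address and mask and emit the ifcfg stanza above; the device name eth0 and the sample addresses are assumptions, and a /23 mask is included to show the general case.

```shell
#!/bin/sh
# Added example, not from the original post: derive NETWORK and BROADCAST
# from IPADDR and NETMASK instead of typing them by hand, and emit the
# ifcfg stanza shown above. Device eth0 and the addresses are assumptions.

# ip2int DOTTED_QUAD -> unsigned 32-bit integer
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip INTEGER -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of IP NETMASK -> network address (IP AND mask)
network_of() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# broadcast_of IP NETMASK -> broadcast address (IP OR NOT mask), masked to 32 bits
broadcast_of() {
    int2ip $(( $(ip2int "$1") | ( ~$(ip2int "$2") & 4294967295 ) ))
}

# gen_ifcfg DEVICE IP NETMASK -> contents for /etc/sysconfig/network-scripts/ifcfg-DEVICE
gen_ifcfg() {
    cat <<EOF
DEVICE=$1
ONBOOT=yes
IPADDR=$2
NETMASK=$3
NETWORK=$(network_of "$2" "$3")
BROADCAST=$(broadcast_of "$2" "$3")
EOF
}

# Usage: sh thisfile --show > ifcfg-eth0.new ; review it, copy it into
# place, then run ifdown/ifup from the console, not over ssh on eth0.
case "${1:-}" in
    --show) gen_ifcfg eth0 192.168.0.10 255.255.255.0 ;;
esac
```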



Linux jail
Sunday July 02nd 2006, 4:35 pm
Filed under: Linux Administration, Linux General, Linux Installation, Linux Networking, Linux Security, Linux:- Tips & Tricks
Introduction to Jail
Basic concepts and supported platforms


The Jail Chroot Project is an attempt to write a tool that builds a chrooted environment. The main goals of Jail are to be as simple as possible and highly portable. The most difficult step when building a chrooted environment is setting up the right libraries and files; here Jail comes to the rescue with a tool that automatically configures and builds all the required files, directories and libraries. Jail is licensed under the GNU General Public License.

The jail program is written in C, and the setup scripts are written in bash and perl. Jail has been tested under Linux (Debian 2.1 & 2.2, RedHat 6.1, 6.2 and 7.0 and Caldera OpenLinux 7.0), Solaris (2.6), IRIX (6.5) and FreeBSD 4.3. Several people have contributed patches and ideas to jail. Thanks to all of them.

Jail supports lots of interesting features:

- Runs on Linux, Solaris, IRIX and FreeBSD (tested) and should run on any flavour of these operating systems.
- Modular design, so you can port Jail easily.
- Support for multiple users in a single chrooted environment.
- Fully customizable user shell.
- Support for multiple servers: telnetd, sshd, ftpd...
- Easy to install thanks to the environment creation script.
- Should work on any UNIX.
- Ease of porting.
- Allows running any kind of program as a shell.

An HTML version of the mailing list has been added to the web site, where you can read all the user contributions, ideas and patches.

How Jail works
Jail’s design


Jail is a login tool. It works as a wrapper around the user's shell: when the user logs in, Jail is launched and the chrooted environment is activated. Jail then execs the real user shell, so the user gets a session on the server.

The 'chrooted environment' is a subtree of the full filesystem tree, and the top of this subtree is seen by the chrooted user as the root '/' of the tree. Jail is therefore useful for isolating users from the main filesystem. (The original document illustrates this with a diagram, not reproduced here, in which the light-gray shaded boxes are the chrooted environment.)

So when a user configured to be chrooted with Jail (e.g. user3) logs into the machine, he is moved to his home directory (the light-grey shaded box labelled user3), and his 'root' becomes the directory called 'chroot', which is shown to him as '/'. That is, user3 can only see the files under the directory called 'chroot'.

Jail internals

How jail interacts with the login process

by Juan M. Casillas

created at 26/08/2003 17:10:48
last updated at 05/09/2003 23:08:47

Before configuring Jail, we need to know how it works. As the following diagram (not reproduced here) shows, the first thing Jail does is get the user's information from the non-chrooted /etc/passwd. This file says where jail is located (the shell field of the user's entry) and which directory will be chrooted (the home directory field of the same entry).

After that, Jail changes to the user's directory and calls chroot on it, creating the chrooted environment. After this call, Jail can only see files under the chrooted directory. Now Jail sets up some environment variables (HOME and SHELL, which will be used by the real shell).

Next, Jail reads the user's information from the /etc/passwd file inside the chrooted environment and checks whether the home directory there is the same as the one read from the non-chrooted file. If they are the same, HOME is set to /; otherwise Jail changes to that directory and sets HOME to it.

Last, Jail sets the environment variables again; SHELL is set from the chrooted /etc/passwd. Jail then replaces itself with the program named in SHELL, running the shell. Because the shell comes from the chrooted /etc/passwd, that file (and the binary it names) must not be writable by the jailed user, or he simply points it at whatever program he likes.

Configuring Jail

Overview of the installation process

Jail is launched as the login shell by any of the servers that allow access to the machine from the network, e.g. sshd, telnetd, ftpd, etc. So Jail is the shell of the chrooted users. To build a chrooted user, four steps are required:

1. Build the user's passwd entries in the non-chrooted environment.
2. Set up the chrooted environment.
3. Add the software to the chrooted environment.
4. Add the users to the chrooted environment.

The first is required so that the user launches jail when a login process is invoked. Steps two, three and four build the chrooted environment (create the required directories, copy the library and binary files, change the chrooted /etc/passwd file, and so on).

So these are the required steps in order to set up jail:

1. Set up entries
2. Create directories
3. Add users
4. Add software

Configuring Jail entries

The non-chrooted /etc/passwd file

To build the user's password entries we can use a user-creation script (such as adduser) or add the entries by hand. I usually prefer the second way, but the first is also fine; if you choose the first, you have to edit the files by hand once the script finishes. Here I will use the second. The nickname for the test user used in the examples will be user3.

All the magic resides in the /etc/passwd file: we add a line to it to create a user on this machine. You also have to set up /etc/group and /etc/shadow if you have shadow passwords installed, and the uid and gid fields must agree between them.

user3:x:101:101:Jail Test User:/var/chroot:/usr/local/bin/jail

Note the /var/chroot field: this is the root directory of the chroot environment for this user. The last field is the jail binary itself, which runs as the user's login shell. Some services, ftpd in particular, refuse users whose shell is not listed in /etc/shells, so list the jail binary there too.

Creating the Jail environment
Or how to invoke mkjailenv

mkjailenv creates the directories and generates the basic filesystem layout with the special devices. mkjailenv is written in perl. These are the command line arguments:

mkjailenv chrootdir

Argument    Description
chrootdir   The directory where the chrooted environment will live. It is the home entry in the non-chrooted /etc/passwd file.

Invocation example:

mkjailenv /home/chroot

This will create the chrooted environment under the directory /home/chroot.



Adding users to the Jail
Or how to invoke addjailuser

addjailuser edits the chrooted /etc/passwd automatically and creates the user directories. addjailuser is written in perl. These are the command line arguments:

addjailuser chrootdir userdir usershell username

Argument    Description
chrootdir   The directory where the chrooted environment will live. It is the home entry in the non-chrooted /etc/passwd file.
userdir     The directory inside the chrooted environment where the user will live; in our example, /home/user3.
usershell   The full path of the user's shell (e.g. /bin/bash).
username    The user's name; in our example, user3.

Invocation example:

addjailuser /var/chroot /home/user3 /bin/bash user3

This adds a user under the directory /var/chroot, sets user3's home directory to /home/user3, and selects /bin/bash as the default shell for user3. It also edits the chrooted /etc/passwd, /etc/group and /etc/shadow to configure jail properly.



Adding software to Jail
Or how to invoke addjailsw

addjailsw copies the programs and their dependencies (libraries, auxiliary files, special devices) into the right places in the chrooted environment. addjailsw is written in perl. These are the command line arguments:

addjailsw chrootdir [-D] [-P program args]

Argument    Description
chrootdir   The directory where the chrooted environment will live. It is the home entry in the non-chrooted /etc/passwd file.
-D (optional)   Also show which files are going to be copied into the chrooted environment.
-P program args (optional)   Installs the specific program "program" into the chrooted environment. The script uses "args" to launch the program under strace, so that the program exits cleanly and strace can do its work. If this parameter isn't specified, the standard programs listed in the script are installed. See addjailsw's code for in-depth details.

Invocation examples:

addjailsw /var/chroot
addjailsw /var/chroot -D
addjailsw /var/chroot -P vi "-c q"

The first invocation adds the standard programs under the /var/chroot directory. The second does the same, but also shows which files are going to be copied into /var/chroot. The third installs only the program vi; when vi is launched under strace, the arguments "-c q" are passed to it, so it exits immediately. Because -P actually executes the program (under strace, as root), only point it at binaries you trust, and review the copied list: anything the program did not open during that short run is not copied.



Jail install HOWTO
Installation quick guide


Index

Compiling and installing
Creating the chrooted environment
Adding software into the chrooted environment
Adding users into the chrooted environment
Troubleshooting
Porting, improvements and hacks
Copyright
Compiling and installing

Just untar the package, cd to ./src, edit the makefile and run 'make'. In the makefile you choose your architecture from Linux, FreeBSD, Solaris and IRIX, then configure the installation directory (default /usr/local), and you're ready. You may need to tune some of the compiler directives if you are on a platform other than the supported ones. After a while you will have the jail binary. Then run 'make install' as root (the default install path is /usr/local). Now you are ready to play with jail.

Creating the chrooted environment

Now choose the directory for your chroot environment. In my example I choose /var/chroot. Become root and launch the mkjailenv command:

/usr/local/bin/mkjailenv /var/chroot

The output should look like this:

mkjailenv
A component of Jail
http://www.gsyc.inf.uc3m.es/~assman/jail/
Juan M. Casillas

Making chrooted environment into /var/chroot
Doing preinstall()
Doing special_devices()
Doing gen_template_password()
Doing postinstall()
Done.

After that, you will have the basic chrooted environment installed under /var/chroot.

Adding software into the chrooted environment

After the chrooted environment has been created, we have to add some software inside it. To do this we use addjailsw. When called without the -P argument, this script installs a default set of programs into the chrooted environment. First we install the basic set of programs, then we install the awk command.

To install the basic set of programs, issue the following command:

/usr/local/bin/addjailsw /var/chroot

The output of the program should look like this:

addjailsw
A component of Jail
http://www.gsyc.inf.uc3m.es/~assman/jail/
Juan M. Casillas

Guessing head args()
Guessing bash args()
Guessing cat args()
Guessing pwd args()
Guessing ln args()
Guessing mkdir args()
Guessing rmdir args()
Guessing ls args()
Guessing sh args()
Guessing mv args()
Guessing rm args()
Guessing more args()
Guessing grep args()
Guessing vi args()
Guessing id args()
Guessing cp args()
Guessing tail args()
Guessing touch args()
creating /var/chroot//bin/ln
creating /var/chroot//etc/nsswitch.conf
creating /var/chroot//var/tmp/vi.recover/vi.wTrhwB
creating /var/chroot//etc/group
Warning: not allowed to overwrite /var/chroot/etc/group
creating /var/chroot//lib/libncurses.so.5
creating /var/chroot//bin/ls
creating /var/chroot//etc/mtab
creating /var/chroot//bin/mkdir
creating /var/chroot//bin/rmdir
creating /var/chroot//bin/bash
creating /var/chroot//bin/sh
creating /var/chroot//etc/passwd
Warning: not allowed to overwrite /var/chroot/etc/passwd
creating /var/chroot//tmp/vi.UrdLM7
creating /var/chroot//bin/mv
creating /var/chroot//etc/ld.so.cache
creating /var/chroot//etc/terminfo/x/xterm
creating /var/chroot//bin/rm
creating /var/chroot//usr/bin/vi
creating /var/chroot//lib/libdl.so.2
creating /var/chroot//usr/bin/id
creating /var/chroot//lib/ld-linux.so.2
creating /var/chroot//usr/bin/tail
creating /var/chroot//bin/cp
creating /var/chroot//lib/libc.so.6
creating /var/chroot//usr/bin/head
creating /var/chroot//bin/cat
creating /var/chroot//lib/libnsl.so.1
creating /var/chroot//bin/touch
creating /var/chroot//lib/libnss_compat.so.2
creating /var/chroot//bin/pwd
creating /var/chroot//bin/more
creating /var/chroot//bin/grep
creating /var/chroot//proc/meminfo
creating /var/chroot/null:c:1:3
creating /var/chroot/tty:c:5:0
Done.

As you can see in the output there are some temporary files, some files that are overwritten, and others that are not allowed to be overwritten. The latter are the passwd, group and shadow files of the chrooted environment. When the script ends, it cleans up all the temporary directories in the chrooted environment.

Now we are going to install the 'awk' program into the chrooted environment. We call the addjailsw script with the -P argument:

/usr/local/bin/addjailsw /var/chroot -P awk

The output of the script will be something like this:

addjailsw
A component of Jail
http://www.gsyc.inf.uc3m.es/~assman/jail/
Juan M. Casillas

Guessing awk args(0)
creating /var/chroot//lib/libc.so.6
Warning: file /var/chroot/lib/libc.so.6 exists. Overwritting it
creating /var/chroot//usr/bin/awk
creating /var/chroot//etc/ld.so.cache
Warning: file /var/chroot/etc/ld.so.cache exists. Overwritting it
creating /var/chroot//lib/libm.so.6
creating /var/chroot//lib/ld-linux.so.2
Warning: file /var/chroot/lib/ld-linux.so.2 exists. Overwritting it
Done.

Now you have awk installed in the chroot environment. Use this script to install all the software into the chrooted environment.

Adding users into the chrooted environment

Now it is time to add some users to the chroot environment. First of all, the users need to exist on the system; you can add them by hand or with adduser. For this example I will create a new user called chroottest with adduser:

adduser chroottest

Then set its home directory to /var/chroot and its shell to /usr/local/bin/jail in the non-chrooted /etc/passwd, as described above under "Configuring Jail entries".

After answering all the questions and setting the user's password, we are ready to add this user to the chrooted environment with addjailuser. This program accepts the following parameters:

1. The full path to the chrooted environment (in my example, /var/chroot).
2. The full path of the directory where the user will live. This path is created under the chrooted environment, and when the user logs in he sees it as the full path (e.g. in our example /home/chroottest is the home directory: addjailuser creates /var/chroot/home/chroottest, and when the user logs in he sees /home/chroottest. Because it lives under the chrooted environment, he sees a 'virtual' home directory).
3. The full path to the shell the user will use (e.g. I like to use bash, so I pass /bin/bash). NOTE: if you want to use some other shell (or program), you need to add it to the list of installed programs (see the section on adding software).
4. The name of the user; in my example, chroottest.

After that, we are ready to launch the program (always as root):

/usr/local/bin/addjailuser /var/chroot /home/chroottest \
    /bin/bash chroottest

The backslash lets us insert a line break, because the line is too long to type comfortably on a single shell line. After launching the command, the output should look like this:

addjailuser
A component of Jail
http://www.gsyc.inf.uc3m.es/~assman/jail/
Juan M. Casillas

Adding user pruebas in chrooted environment /var/chroot
Done.

That's all: the user has been added to the chrooted environment. Now it is time to try it:

su - chroottest

As you can see, you are in the newly created chrooted environment. Congratulations!
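An added example, not part of the Jail project's tools: once the environment is built, audit it for what undermines a chroot. chroot(2) does not confine uid 0, so a setuid binary copied into the tree, a writable chrooted /etc/passwd (which Jail trusts for the user's shell), stray device nodes or a readable shadow file matter more than the directory layout. The finding labels and the allowed device list are choices made for this example; /var/chroot is the directory used above.

```shell
#!/bin/sh
# Added example, not part of the Jail project: audit a chroot directory
# (such as one built with mkjailenv/addjailsw/addjailuser) for the things
# that turn a "jail" into a foothold. chroot(2) does not confine uid 0, so
# the checks concentrate on anything that could hand the jailed user root
# or let him rewrite what Jail trusts inside the tree. Paths are assumptions.
#
# Findings (labels chosen for this example):
#   setuid-or-setgid:          privileged binaries inside the tree
#   world-writable-dir:        directories anyone may write, without the sticky bit
#   extra-device:              device nodes beyond null/tty/zero/random/urandom
#   uid0-user:                 chrooted /etc/passwd entries with uid 0 other than root
#   passwd-field-not-shadowed: hashes (or empty passwords) in chrooted /etc/passwd
#   writable-passwd:           chrooted /etc/passwd writable by group or others
#   world-readable-shadow:     chrooted /etc/shadow readable by everyone
#
# audit_chroot DIR -> prints findings; returns 1 if any, 0 if clean
audit_chroot() {
    root=$1
    findings=$(
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
            | sed 's/^/setuid-or-setgid: /'
        find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null \
            | sed 's/^/world-writable-dir: /'
        find "$root" -xdev \( -type c -o -type b \) -print 2>/dev/null \
            | grep -v -e '/dev/null$' -e '/dev/tty$' -e '/dev/zero$' \
                      -e '/dev/random$' -e '/dev/urandom$' \
            | sed 's/^/extra-device: /'
        if [ -f "$root/etc/passwd" ]; then
            # Jail reads the shell to exec from this file, so it must hold
            # neither a second uid-0 account nor anything crackable.
            awk -F: 'NF >= 7 && $3 == 0 && $1 != "root" { print "uid0-user: " $1 }
                     NF >= 7 && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "passwd-field-not-shadowed: " $1 }' \
                "$root/etc/passwd"
            find "$root/etc/passwd" \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null \
                | sed 's/^/writable-passwd: /'
        fi
        find "$root/etc/shadow" -perm -0004 -print 2>/dev/null \
            | sed 's/^/world-readable-shadow: /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage: sh thisfile /var/chroot
case "${1:-}" in
    '') ;;
    *) audit_chroot "$1" && echo "no findings in $1" ;;
esac
```

Run it as audit_chroot /var/chroot after every addjailsw invocation, since each one copies whatever the traced program touched, and treat any setuid-or-setgid finding as a jail that is already open.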

Troubleshooting

Setting up SSH & scp

Jail now supports terminal handling and parameter passing, so configuring ssh & scp is possible. You only have to install a standard chrooted environment (as described in this section) and then install the two programs with the addjailsw script. First install ssh:

/usr/local/bin/addjailsw /var/chroot -P ssh --version

Then install scp in the same way:

/usr/local/bin/addjailsw /var/chroot -P scp --version

Now you have the two programs installed in the chrooted environment; you can test them by doing an ssh from inside and from outside the chrooted environment, and an scp.

Well, there is no troubleshooting section yet. I'm writing some documentation and improving the code for jail, mkjailenv, addjailsw and addjailuser. We also have a mailing list with some of the tricks and recipes for getting jail working: