Index
1. Switching Terminals (2-3)
2. Fdisk (3-5)
3. Format (6-7)
4. Runlevels (8)
5. Symlinks & Hardlinks (9-16)
6. Archiving & Compression (17-28)
7. Daemons & Process (29-38)
8. File Permissions (39-41)
9. Umask (42-43)
10. Administrative commands and Low-level commands (44)
11. Understanding the UNIX/Linux filesystem (45-49)
12. FSTAB (50-56)
13. Bash (57-63)
14. Shell Scripting (64-73)
15. RPM (74-76)
16. User Administration (77-83)
17. PAM (84-90)
18. LVM (91-98)
19. The Linux Schedulers (99-106)
20. QUOTA (107-110)
21. Kernel Compilation (111-119)
22. Kernel Tuning (120-128)
23. Networking (129-138)
24. FTP (139-145)
25. NFS (146-154)
26. Network Info Service (NIS) (155-160)
27. Installation of autofs (161-162)
28. DHCP: Dynamic Host Configuration Protocol (163-171)
29. TCP Wrappers (172-176)
30. Xinetd (177-179)
31. SAMBA (180-194)
32. FIREWALL / IPTABLES (195-212)
33. DNS (213-227)
34. APACHE (228-248)
35. SendMail (249-262)
36. SQUID (263-274)
37. Vi/Vim Examples (275-282)
b.sadhiq
www.altnix.com
Linux Practicals
Switching Terminals
Linux has 6 ttys (virtual consoles, vcs) by default; the driver assigned to them is tty (/dev/tty*).
To switch from the GUI use CTRL+ALT+F1, and to switch between the text terminals use ALT+F2, ALT+F3, ...
To check which terminal you are on, use the tty command (the ps output also shows a TTY column).
Basic Commands
$ df -h                 > disk space of the mounted filesystems (the closest thing to "My Computer" in Windows)
$ fdisk -l              > list partitions
$ man <cmd>             > manual page
$ clear                 > clear the screen
$ ^L                    > clear the screen
$ ls                    > list contents
$ ls -l                 > list contents in long listing format
$ ls -al                > list all contents, hidden files included, in long listing format
$ ll                    > an alias for ls -l
$ ls -R                 > list contents recursively
$ l.                    > alias that lists hidden (dot) files
$ ls -F                 > list contents and classify them (/ directory, * executable, @ symlink)
$ alias                 > display all aliases for the current user
$ alias <statement>     > make an alias, e.g. alias c='clear'
$ unalias <alias>       > remove an alias, e.g. unalias c
$ exit                  > log out from the shell
$ logout                > log out from a login shell
$ ^D                    > log out (end of input)
$ tree                  > list contents as a tree (hierarchical) diagram
$ tree -d               > list subdirectories only, no files
$ tree -p               > list contents with their permissions
$ cd <directory>        > change directory to ...
$ cd ..                 > change to the parent directory
$ cd -                  > change to the previous directory
$ cd                    > change to the home directory
$ cd ~                  > change to the home directory
$ pushd <directory>     > change directory and push the old one onto the directory stack (popd returns to it)
$ cat <file>            > display the contents of a file
$ pwd                   > print the working (current) directory
$ pwd -P                > print the physical working directory, with symlinks resolved
$ mkdir <directory>     > make a directory
$ mkdir -p <directory>  > make the parent directories as well if they do not exist
$ touch <file>          > make a 0-byte file if it does not exist (otherwise update its timestamps)
$ cp                    > copy (for files)
$ cp -a                 > copy recursively, preserving attributes (for directories)
$ cp -p                 > copy and preserve mode, ownership and timestamps
$ mv                    > move or rename
$ rmdir                 > remove an empty directory
$ rm                    > remove (for files)
$ rm -f                 > remove forcefully, without prompting (for files)
$ rm -r                 > remove recursively (for directories)
$ rm -rf                > remove recursively and forcefully (for directories)
$ cat                   > display the contents of a file
$ cat -n                > display the contents of a file with numbered lines
$ cal                   > display the calendar for the current month
$ date                  > display the system date and time
$ date -s '<value>'     > set the system date and time, given as mm/dd/yy hh:mm
$ hwclock               > display the hardware clock
$ hwclock --hctosys     > set the system time from the hardware clock
$ ln -s                 > make a soft/sym/symbolic link
$ ln                    > make a hard link
$ history               > display the list of the last 1000 commands
$ !100                  > run command 100 from the history
$ vi                    > text editor
$ vimtutor              > vi tutorial with exercises
$ pico                  > another text editor
$ mcedit                > another text editor (from Midnight Commander)
$ joe                   > another text editor
$ aspell -c <filename>  > check the spelling in the file
$ elinks                > text-mode web browser
$ file                  > display the type of a file
$ which                 > display the path of the binary that would run
$ whereis               > display all paths (binary, source, man page)
$ hostname              > display the system name (hostname -f shows it with the domain)
$ id                    > display id info of the current user
$ id -u                 > display the user id of the current user
$ id -un                > display the user name of the current user
$ id -g                 > display the group id of the current user
$ id -gn                > display the group name of the current user
$ uptime                > display how long the system has been running
$ tty                   > display the current terminal
$ users                 > display the users currently logged in
$ whoami                > display the user name of the current user
$ who                   > display the users logged in to the system with their respective terminals and login times
$ who am i              > display the current user, terminal and login time
$ w                     > display who is logged in, on which terminal, and what they are running
Reference: http://www.oraclehome.co.uk/linuxcommands.htm

Absolute vs relative paths:
$ mkdir -p /opt/funny/test
$ cd /opt/funny/test        (absolute path)
$ cd /opt/funny
$ pwd
/opt/funny
$ cd test                   (relative path)
Fdisk
Partitioning with fdisk
This section shows you how to actually partition your hard drive with the fdisk utility. An MBR (DOS) partition table allows only 4 primary partitions. You can have a much larger number of logical partitions by subdividing one of the primary partitions (the extended partition). Only one of the primary partitions can be subdivided in this way.
Examples:
1. Four primary partitions
2. Mixed primary and logical partitions

fdisk usage
fdisk is started by typing (as root) fdisk device at the command prompt. device might be something like /dev/hda or /dev/sda (see Section 2.1.1). The basic fdisk commands you need are:
p   print the partition table
n   create a new partition
d   delete a partition
q   quit without saving changes
w   write the new partition table and exit
Changes you make to the partition table do not take effect until you issue the write (w) command. Here is a sample partition table:

Disk /dev/hdb: 64 heads, 63 sectors, 621 cylinders
Units = cylinders of 4032 * 512 bytes

   Device Boot   Start   End   Blocks    Id  System
/dev/hdb1   *        1   184   370912+   83  Linux
/dev/hdb2          185   368   370944    83  Linux
/dev/hdb3          369   552   370944    83  Linux
/dev/hdb4          553   621   139104    82  Linux swap

The first line shows the geometry of your hard drive. It may not be physically accurate, but you can accept it as though it were. The hard drive in this example is made of 32 double-sided platters with one head on each side (probably not true). Each platter has 621 concentric tracks. A 3-dimensional track (the same track on all disks) is called a cylinder. Each track is divided into 63 sectors. Each sector contains 512 bytes of data. Therefore the block size in the partition table is 64 heads * 63 sectors * 512 bytes, er... divided by 1024. (See 4 for a discussion of problems with this calculation.) The start and end values are cylinders.

Creating a partition, step by step:
$ fdisk /dev/hdX            (the whole disk, not an existing partition)
n                           create a new partition
<Enter>                     accept the default first cylinder
+100M                       define the size at the "last cylinder" prompt
p                           print the table and check it before writing anything
w                           write and quit
$ sync
$ partprobe -s /dev/hdX
partprobe re-reads the partition table and updates the kernel's copy of it; -s prints a summary of what it found.
Format
For ext2 format use $ mke2fs; for ext3 use $ mke2fs -j.
$ mke2fs -j /dev/hdXN
-j stands for journaling, as ext3 is a journaling filesystem.
$ mkdir /newdir
$ mount /dev/hdXN /newdir
For a permanent mount use fstab:
$ vi /etc/fstab
Append:   /dev/hdXN   /newdir   ext3   defaults   0 0
fstab is 9th out of the 10 most critical and important configuration files stored in the /etc directory, where all the configuration files are stored.
fstab stands for "File System TABle". This file contains information about the hard disk partitions and removable devices in the system: where the partitions and removable devices are mounted, which filesystem they use and what mount options (permissions) are assigned to them.
1st field   device (or LABEL=/UUID=)
2nd field   mount point
3rd field   filesystem type
4th field   mount options (defaults, ro, noexec, nosuid, nodev, ...)
5th field   dump backup flag (0 = do not back up)
6th field   fsck sequence (same idea as chkdsk in Windows; 1 for the root filesystem, 2 for the others, 0 to skip)

Task
Create a 100 MB partition for Linux. Follow the same steps as above.
ext3 is a journaling filesystem, which keeps a record of pending writes in its journal: fast recovery, and the recovery succeeds.
ext2 does not maintain a journal: slow recovery (a full fsck) and no guarantee.
Task
Create a 100000 KB partition for ext2. Follow the same steps as above.
Task
Create a 96 MB partition for Windows (set its partition type with fdisk's t command). Follow the same steps as above.
Mount all the created partitions under fstab.
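The six fstab fields above are also the place where a filesystem's security properties are decided. The following is an added example, not part of the original practicals: it splits fstab lines into their fields and flags mounts that unprivileged users can write to but that lack nosuid/nodev (and, for /tmp-like places, noexec). The fstab content is constructed for the demo, and the function names are this example's own, not standard tools.

```shell
#!/bin/sh
# Added example, not from the original practicals: split /etc/fstab into its
# six fields the way the section describes, then flag user-writable mounts
# that lack the nosuid/nodev (and, for /tmp-like places, noexec) options.
# SAMPLE_FSTAB is constructed for the demo; the function names are this
# example's own, not standard tools.

SAMPLE_FSTAB='# device      mountpoint    fstype   options                        dump pass
/dev/sda1     /             ext3     defaults                       1 1
/dev/sda2     /home         ext3     defaults                       1 2
/dev/sda3     /tmp          ext3     defaults,nosuid,nodev,noexec   1 2
/dev/sda5     /var/tmp      ext3     defaults                       1 2
/dev/sda4     swap          swap     defaults                       0 0
/dev/hdb1     /newdir       ext3     defaults                       0 0
/dev/sr0      /media/cdrom  iso9660  noauto,ro,user                 0 0'

# fstab_fields FSTAB_TEXT -> one line per entry: device mountpoint fstype options dump pass
# (comments and blank lines dropped; a missing dump/pass field defaults to 0, as mount does)
fstab_fields() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && NF >= 4 {
        printf "%s %s %s %s %s %s\n", $1, $2, $3, $4, ($5 == "" ? 0 : $5), ($6 == "" ? 0 : $6) }'
}

# effective_flags OPTIONS -> "nosuid nodev noexec" as 1/0, honouring option order:
# "user"/"users" imply all three, and a later exec/suid/dev switches one back off.
effective_flags() {
    _nosuid=0; _nodev=0; _noexec=0
    _ifs=$IFS; IFS=,; set -- $1; IFS=$_ifs
    for _o in "$@"; do
        case "$_o" in
            user|users) _nosuid=1; _nodev=1; _noexec=1 ;;
            nosuid) _nosuid=1 ;;  suid) _nosuid=0 ;;
            nodev)  _nodev=1 ;;   dev)  _nodev=0 ;;
            noexec) _noexec=1 ;;  exec) _noexec=0 ;;
        esac
    done
    printf '%s %s %s\n' "$_nosuid" "$_nodev" "$_noexec"
}

# needs_hardening MOUNTPOINT -> full (nosuid,nodev,noexec), basic (nosuid,nodev) or none
needs_hardening() {
    case "$1" in
        /tmp|/var/tmp|/dev/shm)                     echo full ;;
        /home|/home/*|/media|/media/*|/mnt|/mnt/*)  echo basic ;;
        *)                                          echo none ;;
    esac
}

# audit_fstab -> prints "mountpoint (device): missing opt,opt" for each weak entry
audit_fstab() {
    fstab_fields "$SAMPLE_FSTAB" | while read -r dev mnt fstype opts dump pass; do
        case "$fstype" in swap|proc|sysfs|devpts) continue ;; esac
        level=$(needs_hardening "$mnt")
        if [ "$level" = none ]; then continue; fi
        set -- $(effective_flags "$opts")
        missing=
        if [ "$1" = 0 ]; then missing="$missing,nosuid"; fi
        if [ "$2" = 0 ]; then missing="$missing,nodev"; fi
        if [ "$level" = full ] && [ "$3" = 0 ]; then missing="$missing,noexec"; fi
        if [ -n "$missing" ]; then
            printf '%s (%s): missing %s\n' "$mnt" "$dev" "${missing#,}"
        fi
    done
}

count_findings() { audit_fstab | wc -l | tr -d ' '; }

audit_fstab
```

Run as written it reports /home and /var/tmp; the cdrom line passes because the user option makes mount add noexec,nosuid,nodev itself, which is why the option scan is order-aware rather than a plain string match.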
Ext2 vs Ext3
At some point in your install, you'll probably want to switch filesystem types. In the base install, you're only given a choice of ext2 (short for ext2fs, or ``second extended filesystem,'' which is the ``standard'' UNIX filesystem [7]). Ext3fs [8] is the same as ext2, but provides journaling. For those as sketchy on filesystem types as I am, it seems to be pretty basic. In the README on the original ext3 download page, the author answers the journaling question:
Q: What is journaling?
A: It means you don't have to fsck after a crash. Basically.
This is useful, because it means that every time your screen whites out and crashes while choosing the right video card (Section 1.2.1), you don't have to sit through an entire filesystem check of every inode. The filesystem still fscks itself every X mounts or Y days, but doesn't put you through the entire wait every time you crash it. To convert partitions to the ext3 filesystem, you need to cleanly unmount them, boot something else (like the Debian CD you installed from -- see Section 6.2 on how to do this), and then, on a console, do:
tune2fs -j /dev/hdaX
Runlevels
Red Hat Linux / Fedora runlevels
ID   Description
0    Halt
1    Single-user mode
2    Multi-user mode with network enabled, but most network services disabled
3    Multi-user mode, console logins only
4    Not used / user-definable
5    Multi-user mode, with display manager as well as console logins
6    Reboot
Symlinks & Hardlinks
Files are arranged in directories (or folders, if you prefer that term), and each file can be reached through a series of directories and subdirectories from the root, correct? Yes... BUT... there are some times that the same file can be reached through several names, and on Unix and Linux systems this is known as a "link". There are two ways a link can be set up.

Hard Link
A hard link is where a file has two names which are both on an equal weighting: both directory entries point to the same inode, and the inode points directly to the blocks on the disc that contain the data.
You set up a hard link with an ln command without options. If the file ab.txt already exists and you want to give an additional name (hard link) to it, you'll write
ln ab.txt cd.txt
and then both names will have equal ranking. The only way you'll know that there's a link there is by doing a long listing, where you'll see a link count of 2 rather than 1; if you need to find out what's linked to what, use the -i option to ls and compare the inode numbers.

Symbolic Link
A symbolic link is where a file has one main name, but there's an extra entry in the filename table that refers any accesses back to the main name. This is slightly slower at run time than a hard link, but it's more flexible and much more often used in day-to-day admin work.
Symbolic links are set up using the ln command with the -s option, so for example
ln -s ab.txt cd.txt
will set up a new name cd.txt that points to the (existing) file ab.txt. If you do a long listing (ls -l) of a directory that contains a symbolic link, you'll be told that it's a symbolic link with an "l" in the first column, and you'll be told where the file links to in the filename column. Very easy to spot!

Soft Links (Symbolic Links):
1. The link has a different inode number from the target.
2. The ls -l command shows the link with a link count (second column) of 1, and shows where it points.
3. The link holds the path of the original file, not its contents.
4. Removing the soft link doesn't affect anything, but removing the original file leaves a dangling link which points to a non-existent file.
In a soft link the inode is different, and the linked file is a shortcut to the first file.

Hard Links:
1. All links have the same inode number.
2. The ls -l command shows the number of links in the link column (second).
3. All links refer to the actual file contents.
4. Removing any link just reduces the link count; it doesn't affect the other links.
In a hard link the inode is the same and both names are independent.
A soft link can point to a directory, but a hard link to a directory is not allowed. Hard links can only be created within that particular filesystem, but soft links can cross filesystems.

Hard links cannot cross partitions
A single inode number is used to represent a file within each filesystem, and all hard links are based upon the inode number. So linking across filesystems would lead to confusing references for UNIX or Linux. For example, consider the following scenario:
* Filesystem: /home
* Directory: /home/sadhiq
* Hard link: /home/sadhiq/file2
* Original file: /home/sadhiq/file1
Now you create a hard link as follows:
$ touch file1
$ ln file1 file2
$ ls -l
Output:
-rw-r--r--  2 sadhiq sadhiq  0 2006-01-30 13:28 file1
-rw-r--r--  2 sadhiq sadhiq  0 2006-01-30 13:28 file2
Now just see the inode of both file1 and file2:
$ ls -i file1
782263 file1
$ ls -i file2
782263 file2
As you can see, the inode number is the same for the hard link file called file2 in the inode table under the /home filesystem. Now if you tried to create a hard link over on the /tmp filesystem it would lead to confusing references for the UNIX or Linux filesystem: is that link no. 782263 in the /home or the /tmp filesystem? To avoid this problem UNIX or Linux does not allow creating hard links across filesystem boundaries. (Continue reading the rest of the Understanding Linux file system series.)
Practical
$ mkdir /opt/newfile
$ mkdir /usr/local/linkfile
$ vi /opt/newfile/abc
Append some content & save the above file.
Now create a soft link for abc as xyz under /usr/local/linkfile:
$ pushd /usr/local/linkfile
$ pwd
$ ln -s /opt/newfile/abc xyz
Or, if you want to create the symlink from /home, then:
$ pushd /home
$ ln -s /opt/newfile/abc /usr/local/linkfile/xyz
Now check with the following, & also note that symlink files always show 777 permissions (lrwxrwxrwx); the permissions that matter are those of the target:
$ ll | grep ^l
Also check the size of both files; it is self-explanatory (the symlink's size is the length of the path it stores).
Now append some data to the xyz file; you will get the same under abc.
Now try removing the parent file, in our case abc:
$ rm -rf /opt/newfile/abc
Now verify the symlink:
$ ll /usr/local/linkfile/
Your file has a broken symlink, so it's called orphaned (dangling).
So whenever you delete a parent file it will affect the soft link, but if the soft link is deleted there is no effect on the parent.
Soft link files have different inodes from the parent.
Soft links can also cross partitions.
Now what if you want to run a binary from a different path and with a different name?
$ which mount
$ ln -s $(which mount) /opt/mapping
$ pushd /opt/
$ ./mapping
$ ln -s /bin/pwd /usr/bin/prntworkdir
Now you can run the following for pwd:
$ prntworkdir
$ mkdir -p /opt/hardlink /opt/linkfile
$ pushd /opt/linkfile
Create a new file named file1 and append data:
$ echo "This is a new file" > file1
$ cat file1
Now create a hard link from file1 in the current path to file2:
$ ln file1 /opt/hardlink/file2
Now try deleting and appending, as you did above for the soft link.
A hard link is a second name, not a backup: if either name is deleted the data survives through the other, but a change made through one name is seen through both.
Hard links have the same inode numbers.
Hard links cannot cross partitions; also try crossing partitions and note the error.
Also try creating 2 or 3 links for a single parent file, as soft links and as hard links.
More
17. Hard Links and Symbolic Links
Today we're going to test your virtual imagination ability! You're probably familiar with shortcuts in Microsoft Windows or aliases on the Mac. Linux has something, or actually somethings, similar, called hard links and symbolic links.
Symbolic links (also called symlinks or soft links) most resemble Windows shortcuts. They contain a pathname to a target file. Hard links are a bit different. They are directory entries that point at the inode holding the file's data and metadata. Linux files don't actually live in directories. They are assigned an inode number, which Linux uses to locate files. So a file can have multiple hard links, appearing in multiple directories, but isn't deleted until there are no remaining hard links to it. Here are some other differences between hard links and symlinks:
1. You cannot create a hard link for a directory.
2. If you remove the original file of a hard link, the link will still show you the content of the file.
3. A symlink can link to a directory.
4. A symlink, like a Windows shortcut, becomes useless when you remove the original file.

Hard links
Let's do a little experiment to demonstrate the case. Make a new directory called Test and then move into it. To do that, type:
$ mkdir Test
$ cd Test
Then make a file called FileA:
$ vi FileA
Press the I key to enter Insert mode:
i
Then type in some funny lines of text (like "Why did the chicken cross the road?") and save the file by typing:
Esc
ZZ
So, you made a file called FileA in a new directory called "Test" in your /home. It contains an old and maybe not so funny joke. Now, let's make a hard link to FileA. We'll call the hard link FileB.
$ ln FileA FileB
Then use the "-i" argument to list the inodes for both FileA and its hard link. Type:
$ ls -il FileA FileB
This is what you get:
1482256 -rw-r--r-- 2 sadhiq sadhiq 21 May  5 15:55 FileA
1482256 -rw-r--r-- 2 sadhiq sadhiq 21 May  5 15:55 FileB
You can see that both FileA and FileB have the same inode number (1482256). Also both files have the same file permissions and the same size. Because that size is reported for the same inode, it does not consume any extra space on your HD!
Next, remove the original FileA:
$ rm FileA
And have a look at the content of the "link" FileB:
$ cat FileB
You will still be able to read the funny line of text you typed. Hard links are cool.

Symlinks
Staying in the same test directory as above, let's make a symlink to FileB. Call the symlink FileC:
$ ln -s FileB FileC
Then use the -i argument again to list the inodes.
$ ls -il FileB FileC
This is what you'll get:
1482256 -rw-r--r-- 1 sadhiq sadhiq 21 May  5 15:55 FileB
1482226 lrwxrwxrwx 1 sadhiq sadhiq  5 May  5 16:22 FileC -> FileB
You'll notice the inodes are different and the symlink got an "l" before the rwxrwxrwx. The link has different permissions than the original file because it is just a symbolic link. Its real content is just a string pointing to the original file. The size of the symlink (5) is the size of its string. (The "-> FileB" at the end shows you where the link points to.)
Now list the contents:
$ cat FileB
$ cat FileC
They will show the same funny text.
Now if we remove the original file:
$ rm FileB
and check the Test directory:
$ ls
You'll see the symlink FileC is still there, but if you try to list the contents:
$ cat FileC
It will tell you that there is no such file or directory. You can still list the inode. Typing:
$ ls -il FileC
will still give you:
1482226 lrwxrwxrwx 1 sadhiq sadhiq 5 May  5 16:22 FileC -> FileB
But the symlink is obsolete because the original file was removed, as were all the hard links. So the file was deleted even though the symlink remains. (Hope you're still following.)
OK. The test is over, so you can delete the Test directory:
$ cd ..
$ rm -rf Test          (-r stands for recursive and -f is for force)
Note: Be cautious using "rm -rf"; it's very powerful. If someone tells you to do "rm -rf /" as root, you might lose all your files and directories on your / partition! Not good advice.
Now you know how to create (and remove) hard links and symlinks to make it easier to access files and run programs. See you on the links!
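The practical above and the FileA/FileB/FileC walk-through make the same claims: hard links share an inode and a link count, a symlink has its own inode and stores only a path, and deleting the target leaves the symlink dangling. The following added example, which is not part of the original practicals, scripts both experiments so each claim is checked rather than eyeballed, and finishes with the check an administrator actually wants: finding dangling symlinks under a directory. It runs in a throw-away directory, relies on GNU stat and find, and its function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original practicals: the FileA/FileB/FileC
# experiment from the two passages above, scripted so the claims (same inode,
# link count, dangling link) are checked rather than eyeballed. Everything
# happens in a throw-away directory; stat(1) and find(1) are GNU coreutils/findutils;
# the function names are this example's own.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

inode_of()      { stat -c %i "$1"; }     # inode number (stat does not follow symlinks unless -L)
link_count_of() { stat -c %h "$1"; }     # number of names (hard links) for the inode
is_dangling()   { [ -L "$1" ] && [ ! -e "$1" ]; }   # a symlink whose target is gone

# demo_hardlink -> "same-inode link-count-after-ln link-count-after-rm content"
demo_hardlink() {
    rm -f FileA FileB
    printf 'Why did the chicken cross the road?\n' > FileA
    ln FileA FileB
    same=no
    if [ "$(inode_of FileA)" = "$(inode_of FileB)" ]; then same=yes; fi
    n1=$(link_count_of FileB)
    rm FileA                      # removes one name; the inode and its data survive
    n2=$(link_count_of FileB)
    printf '%s %s %s %s\n' "$same" "$n1" "$n2" "$(cat FileB)"
}

# demo_symlink -> "different-inode link-size dangling-after-rm"
demo_symlink() {
    rm -f FileB FileC
    printf 'target\n' > FileB
    ln -s FileB FileC
    diff=no
    if [ "$(inode_of FileB)" != "$(inode_of FileC)" ]; then diff=yes; fi
    size=$(stat -c %s FileC)      # bytes of the stored path "FileB", not of the target
    rm FileB                      # the symlink is now orphaned
    dangling=no
    if is_dangling FileC; then dangling=yes; fi
    printf '%s %s %s\n' "$diff" "$size" "$dangling"
}

# find_dangling DIR -> dangling symlinks under DIR. Worth running on directories
# in PATH or under /etc: a dangling link keeps a trusted name alive that anyone
# able to create the target path can later fill in.
find_dangling() { find "$1" -xtype l | sort; }

printf 'hard link: %s\n' "$(demo_hardlink)"
printf 'symlink:   %s\n' "$(demo_symlink)"
printf 'dangling:  %s\n' "$(find_dangling "$WORK")"
```

The hard-link line comes out as "yes 2 1" followed by the joke, and the symlink line as "yes 5 yes": 5 is the length of the string FileB, matching the size column in the listing above.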
Archiving & Compression
Archiving means that you take 10 files and combine them into one file, with no difference in size. If you start with 10 100 KB files and archive them, the resulting single file is 1000 KB. On the other hand, if you compress those 10 files, you might find that the resulting files range from only a few kilobytes to close to the original size of 100 KB, depending upon the original file type.

Zip
All of the archive and compression formats in this chapter (zip, gzip, bzip2, and tar) are popular, but zip is probably the world's most widely used format. That's because of its almost universal use on Windows, but zip and unzip are well supported among all major (and most minor) operating systems.

Gzip
gzip was designed as an open source replacement for an older Unix program, compress. It's found on virtually every Unix-based system in the world, including Linux and Mac OS X, but it is much less common on Windows. If you're sending files back and forth to users of Unix-based machines, gzip is a safe choice.

Bzip2
The bzip2 command is the new kid on the block. Designed to supersede gzip, bzip2 creates smaller files, but at the cost of speed. That said, computers are so fast nowadays that most users won't notice much of a difference between the times it takes gzip or bzip2 to compress a group of files.
Practical
zip both archives and compresses files, thus making it great for sending multiple files as email attachments, backing up items, or saving disk space.
Create:
$ mkdir -p /opt/test/zip_dir; cd /opt/test/zip_dir
Append man pages to a file:
$ man ls > filels; cat /etc/fstab > filefstab; cat /root/anaconda.cfg > fileanaconda
$ ls -lh
$ ls -al
Zip the files to manfile.zip:
$ zip manfile.zip *
$ ls -lF
$ man ls > filels.txt; cat /etc/fstab > file.txt; cat /root/anaconda.cfg > fileanaconda.txt; man fdisk > file1.cfg; man fstab > fstab.cfg; man man > man.cfg
Try compressing the files created using zip at different levels and verify the size of the moby.zip files:
$ zip -0 moby.zip1 *.txt
$ ls -l
$ zip -1 moby.zip2 *.cfg
$ ls -l
$ zip -9 moby.zip3 *.cfg
$ ls -l
You can also try:
$ alias zip='zip -9'
Create a backup dir under /mnt:
$ mkdir /mnt/backup
Copy the /opt/test contents with rsync:
$ rsync -parv /opt/test/* /mnt/backup/
Exclude moby.zip1 under /mnt/backup and create backup.zip under /usr/local/:
$ zip -r /usr/local/backup.zip /mnt/backup -x "/mnt/backup/zip_dir/moby.zip1"
Change dir to /usr/local with the pushd cmd (man pushd):
$ pushd /usr/local/
Try a password-protected zip:
$ zip -P 12345678 backup.zip *.txt      (password on the command line: it ends up in your history and in ps output)
$ zip -e backup.zip *.txt               (prompts for the password instead)
List the archive:
$ unzip -l backup.zip
$ unzip -ql backup.zip
Verbose listing:
$ unzip -v moby.zip2
List zipped files:
$ unzip -l moby.zip3
Test the archive's integrity:
$ unzip -t moby.zip2
Now try any of the following, same as zip, under any dir:
$ gzip paradise_lost.txt
$ ls -l
Not good: gzip replaced paradise_lost.txt with paradise_lost.txt.gz. Instead, output to a file with -c so the original is kept:
$ gzip -c paradise_lost.txt > paradise_lost.txt.gz
$ gzip -c -1 mobydick.txt > mobydick.txt.gz
$ ls -l
$ gzip -c -9 mobydick.txt > mobydick.txt.gz
$ ls -l
$ gzip -t paradise_lost.txt.gz                 (test the compressed file)
$ gunzip -c paradise_lost.txt.gz > paradise_lost.txt
$ bzip2 mobydick.txt
$ ls -l
$ bzip2 -c mobydick.txt > mobydick.txt.bz2
$ ls -l
$ bzip2 -c -1 mobydick.txt > mobydick.txt.bz2
$ bzip2 -c -9 mobydick.txt > mobydick.txt.bz2
$ ls -l
$ bunzip2 mobydick.txt.bz2
$ bunzip2 -c mobydick.txt.bz2 > mobydick.txt
$ bzip2 -t mobydick.txt.bz2                    (test the compressed file)
Get the Best Compression Possible with zip
-[0-9]
It's possible to adjust the level of compression that zip uses when it does its job. The zip command uses a scale from 0 to 9, in which 0 means "no compression at all" (which is like tar, as you'll see later), 1 means "do the job quickly, but don't bother compressing very much," and 9 means "compress the heck out of the files, and I don't mind waiting a bit longer to get the job done." The default is 6, but modern computers are fast enough that it's probably just fine to use 9 all the time.
In tabular format, the results look like this:

Book               zip -0     zip -1     zip -9
Moby Dick          0%         54%        61%
Paradise Lost      0%         50%        56%
Job                0%         58%        65%
Total (in bytes)   1848444    869946     747730

Password Protect Compressed Zip Archives
-P
-e
The zip program allows you to password protect your zip archives using the -P option. You shouldn't use this option. It's completely insecure (the example above used the actual password 12345678): the password is typed on the command line, so it lands in your shell history and is visible to every user in the process list (ps) while zip runs. Use -e instead, which prompts for the password. Either way, classic zip encryption is weak and should not be relied on for sensitive data.

unzip
Expanding a zip archive isn't hard at all. To create a zipped archive, use the zip command; to expand that archive, use the unzip command.
Archive with Tar
Archive and Compress Files with tar and gzip
-zcvf
If you look back at "Archive and Compress Files Using gzip" and "Archive and Compress Files Using bzip2" and think about what was discussed there, you'll probably start to figure out a problem. What if you want to compress a directory that contains 100 files, contained in various subdirectories? If you use gzip or bzip2 with the -r (for recursive) option, you'll end up with 100 individually compressed files, each stored neatly in its original subdirectory. This is undoubtedly not what you want. How would you like to attach 100 .gz or .bz2 files to an email? Yikes!
That's where tar comes in. First you'd use tar to archive the directory and its contents (those 100 files inside various subdirectories) and then you'd use gzip or bzip2 to compress the resulting tarball. Because gzip is the most common compression program used in concert with tar, we'll focus on that.
You could do it this way:
$ mkdir -p /mnt/common/mobydick
$ cd /mnt/common/mobydick
$ man ls > filels.txt; cat /etc/fstab > file.txt; cat /root/anaconda.cfg > fileanaconda.txt; man fdisk > file1.cfg; man fstab > fstab.cfg; man man > man.cfg
$ cd ..
$ pwd
/mnt/common/
$ ls -l mobydick/*
$ tar -cf - mobydick/ | gzip -c > moby1.tar.gz
$ ls -l
That method works, but it's just too much typing! There's a much easier way that should be your default. It involves two new options for tar: -z (or --gzip), which invokes gzip from within tar so you don't have to do so manually, and -v (or --verbose), which isn't required here but is always useful, as it keeps you notified as to what tar is doing as it runs.
$ ls -l mobydick/*
$ tar -cvzf moby.tar.gz mobydick
$ ls -l
The usual extension for a file that has had the tar and then the gzip commands used on it is .tar.gz; however, you could use .tgz and .tar.gzip if you like.
Note: It's entirely possible to use bzip2 with tar instead of gzip. Your command would look like this (note the -j option, which is where bzip2 comes in):
$ tar -jcvf moby.tar.bz2 mobydick/
In that case, the extension should be .tar.bz2, although you may also use .tar.bzip2, .tbz2, or .tbz. Yes, it's very confusing that using gzip or bzip2 might both result in a file ending with .tbz. This is a strong argument for using anything but that particular extension to keep confusion to a minimum.
Test Files That Will Be Untarred and Uncompressed
-zvtf
Before you take apart a tarball (whether or not it was also compressed using gzip), it's a really good idea to test it. First, you'll know if the tarball is corrupted, saving yourself hair-pulling when files don't seem to work. Second, you'll know if the person who created the tarball thoughtfully tarred up a directory containing 100 files, or instead thoughtlessly tarred up 100 individual files, which you're just about to spew all over your desktop.
To test your tarball (once again assuming it was also zipped using gzip), use the -t (or --list) option.
$ tar -zvtf moby.tar.gz
This tells you the permissions, ownership, file size, and time for each file. In addition, because every line begins with mobydick/, you can see that you're going to end up with a directory that contains within it all the files and subdirectories that accompany the tarball, which is a relief. While you are at it, look for member names that begin with / or contain ../: those would land outside the directory you extract into.
Be sure that the f is the last option because after that you're going to specify the name of the .tar.gz file. If you don't, tar complains:
$ tar -zvft moby.tar.gz
tar: You must specify one of the '-Acdtrux' options
Try 'tar --help' or 'tar --usage' for more information.
Now that you've ensured that your .tar.gz file isn't corrupted, it's time to actually open it up, as you'll see in the following section.
Note: If you're testing a tarball that was compressed using bzip2, just use this command instead:
$ tar -jvtf moby.tar.bz2

Untar and Uncompress Files
-zxvf
To create a .tar.gz file, you used a set of options: -zcvf. To untar and uncompress the resulting file, you only make one substitution: -x (or --extract) for -c (or --create).
$ ls -l
$ tar -zxvf moby.tar.gz
$ ls -l
Make sure you always test the file before you open it, as covered in the previous section, "Test Files That Will Be Untarred and Uncompressed." That means the order of commands you should run will look like this:
$ tar -zvtf moby.tar.gz
$ tar -zxvf moby.tar.gz
Note: If you're opening a tarball that was compressed using bzip2, just use this command instead:
$ tar -jxvf moby.tar.bz2
Repeat with a different path:
$ tar -cvf /mnt/backup/sam.tar /opt/test/zip_dir/*
Archive & compress with gzip:
$ tar -czvf /mnt/backup/ramu.tar.gz /opt/test/zip_dir/*
$ pushd /mnt/backup
List before extracting:
$ tar -ztvf ramu.tar.gz
Understand the following (-C changes into the directory before extracting):
$ mkdir ramu; tar -zxvf ramu.tar.gz -C ramu/
$ ls ramu/
$ rm -r ramu/*
Also try and understand the following (the - tells tar to read the archive from standard input):
$ cat ramu.tar.gz | gunzip -d | tar -xvf - -C /mnt/backup/ramu
$ ls /mnt/backup/ramu/
$ rm -rf /mnt/backup/ramu/*
$ zcat ramu.tar.gz | tar -xvf - -C /mnt/backup/ramu       (zcat is called gzcat on some systems)

Finding files and archiving them
You can make a tarball of only certain types of files from a directory with the following one-liner:
$ mkdir /mnt/common/test
$ find /mnt/common/mobydick -name "*.txt" | xargs tar -zcpf reports.tar.gz
$ find /mnt/common/mobydick -name "*.txt" | xargs tar -jcpf reports.tar.bz2
Now check.

Untar in a different directory
If you've got a gzipped tarball and you want to untar it in a directory other than the one you're in, do the following:
$ cd /mnt/backup
$ zcat reports.tar.gz | (cd ./otherdir; tar -xvf -)
$ ls
Understand the above cmd. Note: the - given after the tar options is the archive name, and means "read the archive from standard input".

Extract individual files from a tarball
If you need a file that you've put into a tarball and you don't want to extract the whole thing, you can do the following.
First, get a list of the files and find the one you want:
$ cd /mnt/common/mobydick
$ tar -ztvf moby1.tar.gz
Then extract the one you want (the member name must match the listing exactly, including its directory prefix):
$ tar -zxvf moby1.tar.gz mobydick/fileanaconda.txt

Backup everything with tar
To make a backup of everything in a particular directory, first do this:
$ cd /mnt/common/mobydick/
$ ls -a > backup.all
If you don't really want *everything*, you can also edit backup.all and get rid of things you don't want (at least remove the . and .. entries and backup.all itself).
To make the tarball, just do this:
$ tar -cvf newtarfile.tar `cat backup.all`
(remember, those are backticks)

Extracting Specific Files
Extract a file called etc/default/sysstat from the config.tar.gz tarball:
$ tar -cvzf /opt/test/config.tar.gz /mnt/backup/ramu
$ tar -ztvf config.tar.gz
$ tar -zxvf config.tar.gz <any file from the listing>
$ tar -xvf {tarball.tar} {path/to/file}
Some people prefer the following syntax:
$ tar --extract --file={tarball.tar} {file}
Extract a directory called css from cbz.tar:
$ tar --extract --file=cbz.tar css

Wildcard-based extracting
You can also extract those files that match a specific globbing pattern (wildcards). For example, to extract from cbz.tar all files that begin with pic, no matter their directory prefix, you could type the following.
Note: before attempting the following you have to create a tar file such as cbz.tar containing the files you are going to extract.
$ tar -xf cbz.tar --wildcards --no-anchored 'pic*'
To extract all php files, enter:
$ tar -xf cbz.tar --wildcards --no-anchored '*.php'
-x: instructs tar to extract files.
-f: specifies the filename / tarball name.
-v: verbose (show progress while extracting files).
-j: filter the archive through bzip2; use to decompress .bz2 files.
-z: filter the archive through gzip; use to decompress .gz files.
--wildcards: instructs tar to treat command-line arguments as globbing patterns.
--no-anchored: informs it that the patterns apply to member names after any / delimiter.

Have you ever seen this error when using tar?
$ tar -czf etc.tgz /etc
tar: Removing leading `/' from member names
tar is removing the leading / from the archived file names, and warning you about it. Although you can redirect STDERR to /dev/null, doing so can result in missed errors. Instead, use tar with the -P or --absolute-names switch. They do the same thing: leave the leading / in the archived file names.
$ tar -czPf etc.tgz /etc
When you untar the archive without -P, the leading / will still equate to your current working directory. Use -P when untarring to restore from the archive to the absolute path name. For example:
The following creates ./etc (dot, slash, etc):
$ tar -xzf etc.tgz
This overwrites /etc (slash, etc)!
$ tar -xzPf etc.tgz
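The "test it before you open it" advice and the leading-slash behaviour above add up to one check worth automating: list the archive and refuse any member whose name is absolute or climbs out with "..", because with -P, or with a less careful extractor, such members land outside the directory you extract into. The following added example, not part of the original practicals, builds a well-formed tarball and a hostile one (using only the -P and -r features described above), screens both, and extracts only the clean one. The archives are constructed for the demo and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original practicals: list a tarball before
# extracting it, as the "test it first" advice above says, and refuse members
# whose names would land outside the extraction directory. GNU tar strips a
# leading / unless -P is given, and refuses ".." members on extraction, but an
# archive can still carry such names, and other extractors may not be as careful.
# Both archives are built here for the demo; function names are this example's own.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

mkdir -p mobydick/sub outside
printf 'Call me Ishmael.\n' > mobydick/chapter1.txt
printf 'notes\n' > mobydick/sub/notes.txt
printf 'escaped\n' > outside/escaped.txt
tar -czf moby.tar.gz mobydick                                # well formed: everything under mobydick/

# Hostile archive: -P keeps a ../ member name on creation, and -r appends a
# member with an absolute name. Plain GNU tar features, used to build a test case.
( cd mobydick && tar -cPf ../evil.tar ../outside/escaped.txt )
tar -rPf evil.tar "$WORK/mobydick/chapter1.txt"

# unsafe_members ARCHIVE -> prints each member name that is absolute or has a
# ".." component; exit status 1 if any were found, 0 if the listing is clean
unsafe_members() {
    tar -tf "$1" | awk '
        /^\// { print; bad = 1; next }
        { n = split($0, p, "/")
          for (i = 1; i <= n; i++) if (p[i] == "..") { print; bad = 1; break } }
        END { exit bad ? 1 : 0 }'
}

# top_level_entries ARCHIVE -> first path component of every member, deduplicated;
# a single entry means the archive unpacks into one directory, the check the text recommends
top_level_entries() { tar -tf "$1" | cut -d/ -f1 | sort -u | tr '\n' ' ' | sed 's/ $//'; }

# safe_extract ARCHIVE DESTDIR -> 2 if tar cannot read the archive, 1 if a member
# name is unsafe (nothing is extracted), 0 after extracting into DESTDIR
safe_extract() {
    tar -tf "$1" > /dev/null 2>&1 || return 2
    unsafe_members "$1" > /dev/null || return 1
    mkdir -p "$2"
    tar -xf "$1" -C "$2"      # never add -P here: a leading / would mean the real root
}

safe_extract moby.tar.gz extracted && echo "moby.tar.gz: extracted into $(top_level_entries moby.tar.gz)/"
echo "evil.tar: unsafe members:"
unsafe_members evil.tar || echo "(refused)"
```

The screening runs on the listing (-t), so nothing touches the disk until the names have been checked; tar's own -t call doubles as the corruption test from the section above.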
PATH is an environment variable in Linux and other Unix-like operating systems that tells the shell which directories to search for executable files (i.e., ready-to-run programs) in response to commands issued by a user. It increases both the convenience and the safety of such operating systems and is widely considered to be the single most important environment variable.
Environment variables are a class of variables (i.e., items whose values can be changed) that tell the shell how to behave as the user works at the command line (i.e., in a text-only mode) or with shell scripts (i.e., short programs written in a shell programming language). A shell is a program that provides the traditional, text-only user interface for Unix-like operating systems; its primary function is to read commands that are typed in at the command line and then execute (i.e., run) them.

Practical: Setting PATH
Log in as root.
$ id
$ echo $PATH
$ useradd john
$ passwd john
$ su - john
$ id
Verify john's PATH:
$ echo $PATH
You can't find /sbin:/usr/sbin in it, so you can't run commands such as fdisk or shred by name.
$ fdisk -l
will give "command not found".
So you can set the path, but it's temporary, for this shell only:
$ PATH=$PATH:/sbin:/usr/sbin
To put it in the environment, so that child processes see it, run:
$ export PATH
For a permanent setting, you can place the above two commands in the /etc/profile file, which always runs after login (or in ~/.bash_profile for a single user).
Now check; you will find the added dirs in john's path:
$ echo $PATH
Now try:
$ fdisk -l
Note: the command is now found and executed, but fdisk -l still fails for john: the block devices it has to read (/dev/hd*, /dev/sd*) are readable only by uid 0 (root). So search for commands in /sbin & /usr/sbin which can be run by other uids.
Now create a test script under /opt and execute the script:
$ vi /opt/testscript
# Append the following
echo THIS IS MY SCRIPT
# Save
$ cd /opt
Set execute permission:
$ chmod +x /opt/testscript
$ ./testscript        (./ means execute from the current path)
But what if you want to run the script from any other directory under your filesystem hierarchy? Then add the /opt dir to the user's path as mentioned above, or copy the script into a directory that is already in PATH. For example:
$ PATH=$PATH:/opt
$ cd /
$ testscript
or
$ cp /opt/testscript /bin        (or /usr/local/bin, etc.)
Now try running the script:
$ cd /
$ testscript
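Adding directories to PATH is exactly where the "safety" this section mentions is won or lost: an empty entry or "." makes the shell search the current directory, a relative entry resolves differently everywhere, and a world-writable directory lets any local user plant a binary that shadows a real command. The following added example, which is not part of the original practicals, audits a PATH value for those cases and produces a cleaned copy, so the check can run before a line like PATH=$PATH:/opt goes into /etc/profile. The directories and PATH values are constructed for the demo and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original practicals: check a PATH value before
# it goes into /etc/profile. The entries that get people compromised are an
# empty entry or "." (the current directory is searched, so a file named "ls"
# dropped into /tmp runs when someone types ls there), relative entries, and
# directories other users can write to (they can plant a binary that shadows a
# real one). The PATH values and directories below are constructed for the
# demo; the function names are this example's own.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
OK="$WORK/bin";  mkdir "$OK"; chmod 755 "$OK"
WW="$WORK/pub";  mkdir "$WW"; chmod 1777 "$WW"       # /tmp-style: sticky, but still world-writable

SAFE_PATH="$OK:/usr/bin:/bin"
RISKY_PATH="$OK::.:bin:$WW:$WORK/missing:/usr/bin"

# check_entry ENTRY -> prints "entry: reason" and returns 1 for a bad entry; returns 0 if fine
check_entry() {
    case "$1" in
        "") printf '(empty): empty entry, the current directory gets searched\n'; return 1 ;;
        .|./*|..|../*) printf '%s: current/parent directory entry\n' "$1"; return 1 ;;
        /*)
            if [ ! -d "$1" ]; then
                printf '%s: does not exist\n' "$1"; return 1
            elif [ -n "$(find "$1" -maxdepth 0 -perm -002)" ]; then
                printf '%s: world-writable, anyone can add a binary there\n' "$1"; return 1
            fi
            return 0 ;;
        *) printf '%s: relative entry, resolves differently in every directory\n' "$1"; return 1 ;;
    esac
}

# for_each_entry PATHVALUE CALLBACK -> calls CALLBACK once per colon-separated entry,
# keeping empty entries (a::b and a:b: both contain one), which "set -- $1" would drop
for_each_entry() {
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        "$2" "$entry" || :
    done
}

path_problems() { for_each_entry "$1" check_entry; }

_keep_if_clean() { if check_entry "$1" > /dev/null; then _clean="${_clean:+$_clean:}$1"; fi; }
sanitize_path()  { _clean=; for_each_entry "$1" _keep_if_clean; printf '%s\n' "$_clean"; }

count_problems() { path_problems "$1" | wc -l | tr -d ' '; }

echo "problems in RISKY_PATH:"
path_problems "$RISKY_PATH"
echo "sanitized: $(sanitize_path "$RISKY_PATH")"
```

The world-writable test deliberately ignores the sticky bit: the sticky bit only stops users deleting each other's files, and creating a new file named fdisk in such a directory is all an attacker needs.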
Daemons & Process
Application daemons are those which can be killed with no effect on the system:
$ kill -15 <appd-pid>        (SIGTERM, the polite request; the process can catch it and clean up first)
For eg. firefox, openoffice, X server, etc...
System daemons are those which must not be killed, because killing them affects the whole system:
$ kill -9 <sysd-pid>         (SIGKILL, which cannot be caught or ignored; the kernel simply ends the process)
For eg. init, kerneld, ksoftirqd, khelper, kthread, kblockd. Note that init (PID 1) and the kernel threads in this list cannot actually be killed, even by root; other system daemons can be, and the services they provide stop.
OBJECTIVES
Defining a process
Process states
Process management
Job control
System information
Performance-related information

What is a Process?
A process has many components and properties:
exec thread
PID
priority
memory context
environment
file descriptors
security credentials

How Processes Are Created
One process forks a child. The child starts out pointing to the same pages of memory as the parent, with the pages marked read-only, so that the first write by either side causes a copy-on-write fault and that page is copied to a new area of memory. Then the child usually execs the new command, which replaces its memory image. A process can also exec without forking. The child gets a process ID of its own and records the parent's process ID as its PPID.
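The difference between kill -15 and kill -9 above is easiest to see on a process that handles the signal. The following added example, not part of the original practicals, starts a background worker that traps SIGTERM and writes a marker file as its "cleanup"; sent 15 it cleans up and exits 0, sent 9 it is gone immediately, its cleanup never runs, and wait reports 128+9. The worker and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original practicals: what kill -15 and kill -9
# actually do to a process. A background worker traps SIGTERM (15), so it gets
# to run its cleanup and choose its exit status; SIGKILL (9) cannot be trapped,
# so the same worker vanishes mid-loop and its cleanup never runs. A marker
# file stands in for "cleanup"; the function and variable names are this example's own.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# start_worker NAME -> starts a looping background worker; sets WORKER_PID.
# Not written as $(...): the worker must be a child of this shell for wait to work.
# The ready file avoids signalling the worker before its trap is installed.
start_worker() {
    marker="$WORK/$1.clean"
    ready="$WORK/$1.ready"
    (
        trap 'echo cleaned > "$marker"; exit 0' TERM     # SIGTERM handler: tidy up, then leave
        : > "$ready"
        while :; do sleep 1; done                        # SIGKILL has no handler; nothing gets written
    ) &
    WORKER_PID=$!
    while [ ! -f "$ready" ]; do sleep 0.1; done
}

# stop_worker PID SIGNUM -> sends the signal and reaps the worker; sets WORKER_STATUS
# (0 when the worker exited by itself, 128+signal when the kernel killed it)
stop_worker() {
    kill -"$2" "$1"
    WORKER_STATUS=0
    wait "$1" || WORKER_STATUS=$?
}

# cleanup_done NAME -> true if the worker's SIGTERM handler ran
cleanup_done() { [ -f "$WORK/$1.clean" ]; }

start_worker polite
stop_worker "$WORKER_PID" 15
echo "kill -15: status $WORKER_STATUS, cleanup $(cleanup_done polite && echo ran || echo skipped)"

start_worker brutal
stop_worker "$WORKER_PID" 9
echo "kill -9:  status $WORKER_STATUS, cleanup $(cleanup_done brutal && echo ran || echo skipped)"
```

The shell runs the TERM handler only after the current sleep returns, which is why the -15 case can take up to a second; a daemon that ignores SIGTERM entirely (trap '' TERM) would block wait forever, which is the situation in which -9 is the only option left.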
Process Ancestry
init is the first process started at boot time - always has PID 1.
Except init, every process has a parent.
Processes can be both a parent and a child at the same time.
Understand the Multiuser Environment.
One of the goals of UNIX was to enable a number of users to use the
system simultaneously (multiuser capability). Because several users
might also want to use several different programs simultaneously,
mechanisms must be available to allow these programs to run
simultaneously (multitasking capability).
On a single-processor system the multiuser and multitasking
implementation only appears to be simultaneous: the processor is
switched between processes so quickly that they seem to run at once.
Truly simultaneous execution is only possible on a multiprocessor
system.
Even on a single-processor system, advantages can be gained through
multitasking, because the time one process spends waiting for input
or output can be used by other processes.
UNIX implements preemptive multitasking: each process is allowed a
maximum time slice in which it can work. When this time has expired,
the operating system takes the processor away from the process and
assigns it to another process waiting to run. Other operating systems
(such as Mac OS versions before Mac OS X) did not intervene in this
cycle. Instead, the running process had to release the processor
itself before another process could run (cooperative multitasking).
This can lead to one process hijacking the processor, leaving other
processes without processing time and blocking the system. The
operating system coordinates access to the resources available in
the system (hard drives, tapes, interfaces). If there is competition
among processes, e.g., for access to a tape device, only one process
can be granted access. The others must wait or be rejected. This
coordination task is very complex and no operating system is able to
implement an ideal solution. The classic problem involves a situation
in which two or more processes exclusively need the same resources,
as illustrated in the following resource conflict:
Process A needs resources Res.1 and Res.2.
Process B needs resources Res.2 and Res.1.
Process A has received access to Res.1 and would now also like
access to Res.2. In the meantime, however, B has already gained
access to Res.2 and, in turn, would like access to Res.1 as well.
Neither process can proceed and neither will release what it holds:
this is a deadlock.
Ties for priority are broken by time spent waiting (round-robin
scheduling among processes of equal priority).
$ uptime
18:18:16 up 3 days, 7:37, 5 users, load average: 0.00, 0.00, 0.00
uptime tells you how long the system has been running, how many users
are logged in, and the load average (the number of processes that are
runnable or in uninterruptible wait) over the last 1, 5 and 15 minutes:
1 min 5 min 15 min
load average: 0.00, 0.00, 0.00
$ cat /proc/meminfo
/proc
A virtual filesystem kept in RAM. It exists whenever the system is
running, it represents real-time kernel information, and the values
read from it are accurate at the moment they are read. It occupies no
space on disk.
$ cat /proc/cpuinfo
CPU information.
Display and update information about the top CPU processes
$ top
top displays as many processes as fit on the terminal, sorted by CPU
usage by default, and periodically updates this information (every 3
seconds in the procps top shipped with Linux). top combines what
several commands show: CPU statistics, memory usage and the processes
running in real time.
Process States. Unix uses several process states to determine the
current condition of a process:
Runnable
Stopped
Page Wait
Non-interruptible wait
Sleeping
Idle
Terminated
OPTIONS (classic BSD top; see the note below for the Linux version)
-q Renice top to -20 so that it will run faster. This can be used
when the system is being very sluggish to improve the possibility
of discovering the problem.
-dcount Show only count displays, then exit. A display is
considered to be one update of the screen. This option allows the
user to select the number of displays he wants to see before top
automatically exits. For intelligent terminals, no upper limit is
Note: in the procps top used on Linux, -d sets the delay between
updates in seconds and -n sets the number of iterations before
exiting (so `top -d 1 -n 5` is the equivalent of the above); there is
no -q, renice top with `nice -n -20 top` (as root) instead.
THE DISPLAY
PID     Process ID; every running process has one.
USER    Owner of the process.
PRI     Current priority of the process.
NICE    Nice value in the range -20 to 19, as set with the nice
        command (lower means more favourable scheduling).
RES     Resident memory: current amount of process memory that resides
        in physical memory, given in kilobytes.
STATE   Current state (typically one of "sleep", "run", "idl",
        "zomb", or "stop").
TIME    Number of system and user CPU seconds that the process has
        used.
SIZE    Amount of memory the process needs (virtual size).
CPU     Percentage of available CPU time used by this process.
COMMAND Name of the command that the process is currently running.
PROCESS STATE CODES
Here are the different values that the s, stat and state output
specifiers of ps (header "STAT" or "S") will display to describe the
state of a process.
D    Uninterruptible sleep (usually IO)
R    Running or runnable (on run queue)
S    Interruptible sleep (waiting for an event to complete)
T    Stopped, either by a job control signal or because it is being
     traced.
W    Paging (not valid since the 2.6.xx kernel)
X    Dead (should never be seen)
Z    Defunct ("zombie") process, terminated but not reaped by its
     parent.
Signals
Signals are a software mechanism similar to a short message sent to a
process. A signal can be trapped and handled, ignored, or left to its
default action.
Signals are used through two different system calls:
1) The kill system call
2) The signal system call
1) The kill System Call
The kill system call sends a signal to a process. Despite its name it
is not only used to terminate a process; any signal can be sent. It
takes the PID of the target process and the signal number to send as
arguments.
2) The signal System Call
The signal system call is much more diverse: it registers how the
process wants a signal handled. When a signal arrives, the kernel
checks whether the process has set a disposition for it. If the signal
is to be ignored, the kernel simply returns. If the process installed a
handler, the handler runs. Otherwise the default action applies: for a
terminating signal the kernel checks whether a core file should be
dumped and then terminates the process.
Common Unix Signals
$ kill -l
Signal    Meaning
SIGHUP    Hang-up
SIGINT    Interrupt
SIGQUIT   Quit
SIGILL    Illegal instruction
SIGTRAP   Trace trap
SIGKILL   Kill (cannot be caught, blocked or ignored)
SIGSYS    Bad argument to system call
SIGPIPE   Write on pipe with no one to read it
SIGTERM   Software termination signal from kill
SIGSTOP   Stop signal (cannot be caught, blocked or ignored)
See /usr/include/sys/signal.h
Signal Acceptance
There are three possible actions to take when a signal occurs:
Ignore it
Process it (run a handler)
Terminate (the default for most signals)
The superuser can send signals to any process.
Normal users can only send signals to their own processes.
Process Termination
A process is terminated by executing an exit system call or as a
result of a signal whose default action is termination. When a process
exits, it is first placed in a zombie state. In this state it no
longer runs and holds no memory, but its exit status and timing
information are kept for its parent process. A zombie is removed when
the parent executes a wait system call (reaping it). If the parent
dies first, the orphan is adopted by init, which reaps it.
Process Cleanup
The termination of a process requires a number of cleanup actions.
These actions include:
Releasing all memory used by the process
Reducing reference counts for all files used by the process
Closing any files that have reference counts of zero
Releasing shared text areas, if any
Releasing the associated process table entry, the proc structure
The last step happens when the parent issues the wait system call,
which returns the terminated child's PID and exit status.
kill - signal a process
kill is somewhat strangely named: it sends the specified signal to a
process, and terminates it only if that is the signal's effect.
Syntax: kill [-sig_no | -SIGNAME] pid
kill -l (display list of signals)
-sig_no - signal number to send (default 15, SIGTERM)
pid - process id of the process to receive the signal
kill -9 <PID>         send SIGKILL, which cannot be caught or ignored
kill -l               lists all available signals
killall <name>        signal every process with that command name
pidof <name>          print the PIDs of processes with that name
pgrep <pattern>       print PIDs whose name matches pattern
pkill <pattern>       signal processes whose name matches pattern
Prefer kill -15 (SIGTERM) first so the process can clean up; use -9
only when it does not respond.
Job Control
Job control refers to the ability to selectively stop (suspend) the
execution of processes and continue (resume) their execution at a
later point. A job is one or more processes started from a single
command line. By default, only one job can be run in the foreground.
This means that when a job is being executed in the foreground the
command line is unavailable. When the job has finished executing the
command prompt is reissued.
It is also possible to suspend jobs and/or run multiple jobs in the
background, in which case the command line is still available in the
foreground, although any output from running background jobs will
still be displayed at the terminal. You can see the jobs currently
running or stopped in the background using the jobs command.
The syntax for the jobs command is shown below:
jobs [option(s)]
Common jobs options are:
Option Explanation:
-l    Shows the job number, its PID, its status, and its name
-p    Shows just the PID of running jobs
Issuing the jobs command without any options will show a list of
all running, stopped and suspended background jobs.
An example of using the jobs command is illustrated below:
$ jobs -l
[1]- 1229 Running tail -n5 -f /var/log/secure
[2]+ 1230 Stopped joe fred
In the above example there are two jobs in the background, one
running and one stopped.
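The three outcomes described under Signal Acceptance (ignore, handle, terminate) and the kill command can be watched from the shell. The following script is an added example and not part of the handout: it starts a child shell in the background (the shell's fork), sends it a signal with kill, and reads the result back through wait. The child loops are constructed for the demonstration; the status convention it shows is the standard one, a process killed by signal N exits with status 128+N (SIGTERM = 15 gives 143, SIGKILL = 9 gives 137).

```shell
#!/bin/sh
# Added example: default action, trapped handler and ignored signal, as seen
# by the parent through the exit status that wait returns.

# Run BODY in a child shell, send it SIGNAME, wait for it and print the
# exit status the parent receives (128 + signal number if it was killed).
signal_outcome() {   # signame body
  sh -c "$2" &
  pid=$!
  sleep 1                               # give the child time to install its trap
  kill -s "$1" "$pid" 2>/dev/null || true
  st=0
  wait "$pid" || st=$?
  echo "$st"
}

# A child that ignores TERM survives it; KILL cannot be ignored and still
# removes it, so the parent sees "alive" followed by 137.
ignored_then_killed() {
  sh -c 'trap "" TERM; while :; do sleep 1; done' &
  pid=$!
  sleep 1
  kill -s TERM "$pid" 2>/dev/null || true
  sleep 1
  if kill -0 "$pid" 2>/dev/null; then alive=alive; else alive=dead; fi
  kill -s KILL "$pid" 2>/dev/null || true
  st=0
  wait "$pid" || st=$?
  echo "$alive $st"
}

# Stand-alone demonstration.
echo "default action on TERM:  $(signal_outcome TERM 'while :; do sleep 1; done')"
echo "TERM trapped, exit 0:    $(signal_outcome TERM 'trap "exit 0" TERM; while :; do sleep 1; done')"
echo "TERM ignored, then KILL: $(ignored_then_killed)"
```

The trapped child exits only after its current `sleep 1` finishes, because a shell runs a trap when the foreground command returns; that delay is why the parent waits a second before signalling. The same 128+N status is what `$?` shows after a foreground command is killed at the prompt.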
File Permissions
File permissions are assigned to:
1. the owner of a file
2. the members of the group the file is assigned to
3. all other users
Permissions under Linux are configured for each file and directory.
There are three levels of permissions:
1. The permissions that apply to the owner of the file. The owner of a
file is by default the user that created the file.
2. The permissions that apply to all members of the group that is
associated with the file.
3. The permissions that apply to all other users on the system.
Permissions can only be changed by the owner, and root of course.
For a file, these permissions mean the following:
read     allow the user to read the contents of the file, for instance
         with cat or less.
write    allow the user to modify the contents of the file, for
         instance with vi.
execute  allow the user to execute the file as a program, provided
         that the file is indeed an executable program (such as a shell
         script).
For a directory, these permissions have a slightly different meaning:
read     allow the user to list the contents of the directory, for
         instance with ls.
write    allow the user to modify the contents of the directory. In
         other words: allow the user to create and delete files, and to
         rename files. Note: having write permission on a directory
         thus allows you to delete files in it even if you have no
         write permission on the file itself (which is why shared
         directories such as /tmp carry the sticky bit, so that only a
         file's owner may delete it there).
execute  allow the user to use this directory as its current working
         directory and to reach files in it by name. In other words:
         allow the user to cd into it.
Symbolic notation used by chmod:
r  read        u  the user who owns the file
w  write       g  the group of the file
x  execute     o  all other users
               a  all three (u, g and o)
$ ll -d data2
$ chmod -Rv o+w,o-r data2
$ ll -d data2
Octal way
$ ll file1
-rw-r--r-- 1 root root 0 Jul 29 20:15 file1
$ chmod 777 file1
$ ll file1
$ chmod 666 file2
$ ll file2
$ chmod 467 file3
$ ll file3
$ chmod 541 file4
$ ll file4
$ chmod 724 file5
$ ll file5
$ chmod 000 file6
$ chmod 0 file6
Text        Binary  Octal  Meaning
equivalent  value   digit
---         000     0      All types of access are denied
--x         001     1      Execute access is allowed only
-w-         010     2      Write access is allowed only
-wx         011     3      Write and execute access are allowed
r--         100     4      Read access is allowed only
r-x         101     5      Read and execute access are allowed
rw-         110     6      Read and write access are allowed
rwx         111     7      Everything is allowed
Umask
User Mask
New files should not be created with 666! To avoid this problem a
permission mask exists. It is important to know with what permissions
new files and directories are created. Under Linux this is not fixed,
since the default permissions are modified by the umask (set with the
umask command).
If no umask were set (which never happens, by the way), a file would
always be created with permissions 666 (rw-rw-rw-) and a directory
would get 777 (rwxrwxrwx). In actual practice a umask is set, and the
bits in it are cleared from these base permissions (mode = base AND
NOT umask). For the common masks this looks like subtraction: with a
umask of 022, the default permissions for a file become 644
(rw-r--r--) and for a directory 755 (rwxr-xr-x). Subtraction is only
a mnemonic, though: with umask 027 a file gets 640, not "637",
because the umask can only clear bits that were set.
The default umask depends on your distribution, and whether your
distribution uses something called User Private Groups.
Red Hat assigns a umask of 002 to regular users, and 022 to root.
SUSE assigns a umask of 022 to all users, including root.
- What is your current default permission (umask)?
- How do you set your default permission?
- Umask defines which permission bits, in octal, will not be set
- Umask stands for user file creation mode mask
- In essence, the system sets the default permission on new files and
directories
- If there were no umask, the default permission on a directory would
be 777 and on a file 666
- Usually set in a login script
- It is the inverse of the normal octal permissions
- "umask -S" shows your umask in symbolic form
- Programs that create ordinary files request mode 666 by convention
(only compilers and the like request 777), so the base for files is
666 rather than 777
- Here are some examples (file / directory):
--> 000 = 666 / 777
--> 006 = 660 / 771
--> 022 = 644 / 755
--> 066 = 600 / 711
Normally you can subtract from 666 for files, but be careful: for
directories the base is 777. Let's test it out...
--> View the current umask setting
$ umask
--> shows your umask in symbolic form
$ umask -S
- Umask on a directory is taken from 777
  777
- 022
-----
  755
System-wide umask for all users in /etc/profile
Individual umask in $HOME/.bash_profile or $HOME/.profile
Default value of umask is:
For root 022
For user 002 (if user private groups are used) or 022 (otherwise)
The umask determines which permission bits will be set on a new file
when it is created: it is an octal number specifying which of the
permission bits will not be set.
Task
I. Change mode the symbolic way:
1. Give 704 to the abc file
2. Give 417 to the abc file
3. Give 006 to the abc file
4. Give 707 to the abc file
II. Change mode the octal way:
1. change mode to r-xrw-r-x on abc       chmod 565 abc
2. change mode to --xr-xr-- on abc       chmod 154 abc
3. change mode to rw----rwx on abc       chmod 607 abc
4. change mode to ---r-x--- on abc       chmod 050 abc
III. Change mode the symbolic way:
1. change r-xrw-r-x to rw--wxrwx on abc  chmod u+w,u-x,g-r,g+x,o+w abc
2. change --xr-xr-- to rwxrwxrw- on abc  chmod u+rw,g+w,o+w abc
3. change rw----rwx to --x----wx on abc  chmod u-rw,u+x,o-r abc
4. change ---r-x--- to rwx-w-rwx on abc  chmod u+rwx,g-rx,g+w,o+rwx abc
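The arithmetic behind the umask section and the chmod tasks above can be written down and checked against what the kernel actually does. The script below is an added example, not part of the handout: it converts between symbolic and octal modes, derives the +/- chmod expression that turns one mode into another (task III), applies a umask with bit operations rather than subtraction, and verifies the results on real files in a temporary directory. It is POSIX sh and uses only ls, cut, mktemp and chmod; the file names it creates are its own.

```shell
#!/bin/sh
# Added example: permission arithmetic for chmod and umask, checked for real.

triad_to_digit() {   # "r-x" -> 5
  v=0
  case $1 in r??) v=$((v + 4));; esac
  case $1 in ?w?) v=$((v + 2));; esac
  case $1 in ??x) v=$((v + 1));; esac
  echo "$v"
}

digit_to_triad() {   # 5 -> "r-x"
  t=""
  [ $(($1 & 4)) -ne 0 ] && t="${t}r" || t="${t}-"
  [ $(($1 & 2)) -ne 0 ] && t="${t}w" || t="${t}-"
  [ $(($1 & 1)) -ne 0 ] && t="${t}x" || t="${t}-"
  echo "$t"
}

sym_to_octal() {     # "rw-r--r--" -> 644
  printf '%s%s%s\n' "$(triad_to_digit "$(printf %s "$1" | cut -c1-3)")" \
                    "$(triad_to_digit "$(printf %s "$1" | cut -c4-6)")" \
                    "$(triad_to_digit "$(printf %s "$1" | cut -c7-9)")"
}

octal_to_sym() {     # 644 -> "rw-r--r--"
  printf '%s%s%s\n' "$(digit_to_triad "$(printf %s "$1" | cut -c1)")" \
                    "$(digit_to_triad "$(printf %s "$1" | cut -c2)")" \
                    "$(digit_to_triad "$(printf %s "$1" | cut -c3)")"
}

# chmod expression that turns symbolic mode FROM into TO, per class:
# "r-xrw-r-x" "rw--wxrwx" -> "u+w,u-x,g+x,g-r,o+w"   (task III.1 above)
chmod_diff() {
  out=""
  for who in u g o; do
    case $who in u) off=0;; g) off=3;; o) off=6;; esac
    plus=""; minus=""; i=1
    for p in r w x; do
      pos=$((off + i))
      f=$(printf %s "$1" | cut -c"$pos")
      t=$(printf %s "$2" | cut -c"$pos")
      [ "$f" = "-" ] && [ "$t" != "-" ] && plus="$plus$p"     # bit gained
      [ "$f" != "-" ] && [ "$t" = "-" ] && minus="$minus$p"   # bit lost
      i=$((i + 1))
    done
    [ -n "$plus" ]  && out="$out,$who+$plus"
    [ -n "$minus" ] && out="$out,$who-$minus"
  done
  printf '%s\n' "${out#,}"
}

umask_apply() {      # base umask -> mode a new object gets: 666 027 -> 640
  printf '%03o\n' $(( 0$1 & ~0$2 ))        # clear the masked bits
}

umask_subtract() {   # the "subtract it" rule of thumb: 666 027 -> 637 (wrong)
  printf '%03o\n' $(( 0$1 - 0$2 ))
}

umask_check() {      # umask -> "file dir" octal modes the kernel really produced
  d=$(mktemp -d)
  ( umask "$1"; : > "$d/f"; mkdir "$d/d" )  # umask changed in a subshell only
  fm=$(sym_to_octal "$(ls -ld "$d/f" | cut -c2-10)")
  dm=$(sym_to_octal "$(ls -ld "$d/d" | cut -c2-10)")
  rm -rf "$d"
  printf '%s %s\n' "$fm" "$dm"
}

task_demo() {        # tasks II.1 and III.1 on a real file -> "r-xrw-r-x rw--wxrwx"
  d=$(mktemp -d); : > "$d/abc"
  chmod 565 "$d/abc"
  m1=$(ls -ld "$d/abc" | cut -c2-10)
  chmod "$(chmod_diff "$m1" rw--wxrwx)" "$d/abc"
  m2=$(ls -ld "$d/abc" | cut -c2-10)
  rm -rf "$d"
  printf '%s %s\n' "$m1" "$m2"
}

echo "umask 027: bitwise $(umask_apply 666 027), subtraction $(umask_subtract 666 027), kernel $(umask_check 027)"
echo "task demo: $(task_demo)"
```

`umask_apply` and `umask_subtract` agree for 022 (644/755) and disagree for 027, where subtraction yields the nonsensical 637 while the kernel produces 640; `umask_check` confirms it by creating a file and a directory under that mask. `chmod_diff` emits gained bits before lost bits for each class, so its answer for task III.1 is an equivalent reordering of the one printed on the task sheet.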
Administrative commands and low-level commands
Low-level
/bin       This directory contains executable programs which are needed
           in single-user mode and to bring the system up or repair it.
Administrative
/sbin      Like /bin, this directory holds commands needed to boot the
           system, but which are usually not executed by normal users.
Low-level
/usr/bin   This is the primary directory for executable programs. Most
           programs executed by normal users which are not needed for
           booting or for repairing the system and which are not
           installed locally should be placed in this directory.
Administrative
/usr/sbin  This directory contains program binaries for system
           administration which are not essential for the boot process,
           for mounting /usr, or for system repair.
Understanding the UNIX/Linux filesystem
A conceptual understanding of the filesystem, especially its data
structures and related terms, will help you become a successful system
administrator. I have seen many new Linux system administrators without
any clue about the filesystem. The conceptual knowledge can be applied
to restore a filesystem in an emergency situation.
What is a File?
A file is a collection of data items stored on disk, or on any device
which can store information: data, music (mp3), pictures, movies,
sound, books etc. In fact whatever you store in a computer must be in
the form of a file. Files are always associated with devices like hard
disk, floppy disk etc. A file is the last object in your filesystem
tree. See the Linux/UNIX rules for naming files and directories.
What is a directory?
A directory is a group of files. Directories are divided into two
types:
Root directory: strictly speaking, there is only one root directory in
your system, which is denoted by / (forward slash). It is the root of
your entire filesystem and cannot be renamed or deleted.
Subdirectory: a directory under the root (/) directory is a
subdirectory, which can be created and renamed by the user.
Directories are used to organize your data files and programs more
efficiently.
Linux supports numerous filesystem types
1. Ext2: this is like the classic UNIX filesystem. It has the concepts
of blocks, inodes and directories.
2. Ext3: the ext2 filesystem enhanced with journalling capabilities.
Journalling allows fast filesystem recovery. Supports POSIX ACLs
(Access Control Lists).
3. Isofs (iso9660): used by CD-ROM filesystems.
4. Sysfs: a RAM-based filesystem initially based on ramfs. It is used
to export kernel objects so that user space can use them easily.
5. Procfs: the proc filesystem acts as an interface to internal data
structures in the kernel. It can be used to obtain information about
the system and to change certain kernel parameters at runtime using
the sysctl command. For example you can find out CPU info with the
following command:
$ cat /proc/cpuinfo
What is a UNIX/Linux Filesystem?
A UNIX filesystem is a collection of files and directories stored on a
device. Each filesystem is typically stored in a separate disk
partition. The following are a few of the filesystems:
/      Special filesystem that incorporates the files under several
       directories including /dev, /sbin, /tmp etc.
/usr   Stores application programs
/var   Stores log files, mails and other data
/tmp   Stores temporary files
Exploring the Linux File System Hierarchy
A typical Linux system has the following directories:
=> /: This is the root directory.
=> /bin: This directory contains executable programs which are needed
in single-user mode and to bring the system up or repair it.
=> /boot: Contains static files for the boot loader. This directory
only holds the files which are needed during the boot process.
=> /dev: Special or device files, which refer to physical devices such
as hard disk, keyboard, monitor, mouse and modem etc.
=> /etc: Contains configuration files which are local to the machine.
Some larger software packages, like Apache, can have their own
subdirectories below /etc, i.e. /etc/httpd. Some important
subdirectories in /etc are listed further below.
=> /home: Your sweet home to store data and other files. However, in
large installations the structure of the /home directory depends on
local administration decisions.
=> /lib: This directory should hold those shared libraries that are
necessary to boot the system and to run the commands in the root
filesystem.
=> /lib64: 64-bit shared libraries that are necessary to boot the
system and to run the commands in the root filesystem.
=> /mnt: This directory contains mount points for temporarily mounted
filesystems.
=> /opt: This directory should contain add-on packages, such as a
downloaded Firefox installation, or static files.
=> /proc: This is a mount point for the proc filesystem, which
provides information about running processes and the kernel.
=> /root: This directory is usually the home directory for the root
user.
=> /sbin: Like /bin, this directory holds commands needed to boot the
system, but which are usually not executed by normal users; root/admin
user-specific commands go here.
=> /tmp: This directory contains temporary files which may be deleted
with no notice, such as by a regular job or at system boot-up.
=> /usr: This directory is usually mounted from a separate partition.
It should hold only sharable, read-only data, so that it can be
mounted by various machines running Linux (useful for diskless clients
or multiuser Linux networks such as a university network). Programs,
libraries, documentation etc. for all user-related programs.
=> /var: This directory contains files which may change in size, such
as spool and log files.
=> /lost+found: Every ext2/ext3 filesystem has a lost+found in its top
directory. Files recovered during failures are placed here, e.g. by
ext2/ext3 fsck recovery.
/etc/skel: When a new user account is created, files from this
directory are usually copied into the user's home directory.
/etc/X11: Configuration files for the X11 window system.
* /etc/sysconfig: Important configuration files used by the SysV
scripts stored in /etc/init.d and the /etc/rc*.d directories.
/etc/cron.*: cron daemon configuration files, which are used to
execute scheduled commands.
Common Linux log file names and usage
* /var/log/messages: General messages and system related stuff
* /var/log/auth.log: Authentication logs (Debian-based systems)
* /var/log/kern.log: Kernel logs
* /var/log/cron.log: Crond logs (cron job)
* /var/log/maillog: Mail server logs
* /var/log/qmail/: Qmail log directory (more files inside this
directory)
* /var/log/httpd/: Apache access and error logs directory
* /var/log/lighttpd: Lighttpd access and error logs directory
* /var/log/boot.log: System boot log
* /var/log/mysqld.log: MySQL database server log file
* /var/log/secure: Authentication log (Red Hat-based systems)
* /var/run/utmp and /var/log/wtmp: Login records (binary files; read
them with who, w and last rather than cat)
* /var/log/yum.log: Yum log files
Go to the /var/log directory:
# cd /var/log
View the common log file /var/log/messages using any one of the
following commands:
$ tail -f /var/log/messages
$ less /var/log/messages
$ more /var/log/messages
$ vi /var/log/messages
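Reading /var/log/secure with tail or less is fine for a look, but the reason the file matters is what can be pulled out of it: which addresses keep failing to authenticate and who actually got in. The script below is an added example and not part of the handout. The log lines in it are constructed for the example (the message formats are the ones OpenSSH's sshd and pam_unix write on Red Hat-style systems); the threshold and the RFC 5737 documentation addresses are the example's own choices.

```shell
#!/bin/sh
# Added example: summarise authentication events from /var/log/secure-style
# lines. Reads the log on stdin so it can be fed a file or a tail -f stream.

# Constructed sample input in the format of /var/log/secure.
SAMPLE_SECURE='Jul 29 20:15:01 host sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jul 29 20:15:03 host sshd[2311]: Failed password for root from 203.0.113.5 port 40125 ssh2
Jul 29 20:15:04 host sshd[2314]: Accepted publickey for sadhiq from 192.0.2.10 port 51022 ssh2
Jul 29 20:15:06 host sshd[2316]: Failed password for root from 203.0.113.5 port 40131 ssh2
Jul 29 20:15:09 host sshd[2318]: Failed password for oracle from 198.51.100.7 port 33001 ssh2
Jul 29 20:16:00 host su: pam_unix(su:session): session opened for user root by sadhiq(uid=500)'

# Count failed SSH password attempts per source address and print
# "count address" for every source at or above the threshold, busiest first.
failed_ssh_by_source() {   # threshold; log on stdin
  awk -v min="$1" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # the address always follows the word "from", whatever the user part looks like
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# Print "user address method" for every successful SSH login.
accepted_logins() {        # log on stdin
  awk '
    /sshd\[[0-9]+\]: Accepted / {
      user = ""; ip = ""; method = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "Accepted") method = $(i + 1)
        if ($i == "for")      user   = $(i + 1)
        if ($i == "from")     ip     = $(i + 1)
      }
      print user, ip, method
    }'
}

# Stand-alone run over the constructed sample; on a real host use
#   failed_ssh_by_source 5 < /var/log/secure
echo "sources with 2+ failures:"
printf '%s\n' "$SAMPLE_SECURE" | failed_ssh_by_source 2
echo "accepted logins:"
printf '%s\n' "$SAMPLE_SECURE" | accepted_logins
```

Matching on `sshd[PID]: Failed password for` rather than on the word "Failed" alone keeps su and PAM session lines out of the count, and taking the field after "from" works for both "Failed password for root from" and "Failed password for invalid user admin from".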
Device file types: character, block, socket
Type field: the first character of the mode field in ls -l indicates
the file type, one of the following:
* d = directory.
* l = symbolic link.
* s = socket; sockets are special files offering a type of network
interface.
* p = named pipe (FIFO), for communication between processes, handled
by the kernel without a device driver.
* - = regular file.
* c = character (unbuffered) device special file.
* b = block (buffered) device special file.
* D = door; a door is a special file for interprocess communication
between a client and a server (Solaris only).
Ref
http://www.securityfocus.com/infocus/1872
http://tldp.org/LDP/Linux-Filesystem-Hierarchy/html/index.html
http://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
http://www.comptechdoc.org/os/linux/howlinuxworks/linux_hlfilesystems.html
FSTAB
fstab is one of the most critical and important configuration files
stored in the /etc directory, where the configuration files are kept.
fstab stands for "File System TABle" and this file contains
information about the hard disk partitions and removable devices in
the system: where the partitions and removable devices are mounted,
which device (or label) each entry refers to, which filesystem type
they use and which mount options are applied to them.
The file fstab contains descriptive information about the various
filesystems. fstab is only read by programs, and not written; it is
the duty of the system administrator to properly create and maintain
this file. Each filesystem is described on a separate line; fields on
each line are separated by tabs or spaces. Lines starting with '#' are
comments. The order of records in fstab is important because fsck,
mount, and umount sequentially iterate through fstab doing their
thing.
Example of fstab file content:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LABEL=/       /             ext3         defaults              1 1
LABEL=/boot   /boot         ext3         defaults              1 2
none          /dev/pts      devpts       gid=5,mode=620        0 0
LABEL=/home   /home         ext3         defaults              1 2
none          /proc         proc         defaults              0 0
none          /dev/shm      tmpfs        defaults              0 0
LABEL=/tmp    /tmp          ext3         defaults              1 2
LABEL=/u01    /u01          ext3         defaults              1 2
LABEL=/usr    /usr          ext3         defaults              1 2
LABEL=/var    /var          ext3         defaults              1 2
/dev/hda6     swap          swap         defaults              0 0
/dev/cdrom    /mnt/cdrom    udf,iso9660  noauto,ro             0 0
/dev/fd0      /mnt/floppy   auto         noauto,owner,kudzu    0 0
/dev/sda1     /mnt/usb_hdd  vfat         noauto                0 0
\___________/ \___________/ \__________/ \___________________/ | |
     1st           2nd          3rd               4th         5th 6th
There are a total of six columns in the fstab file, separated by
spaces or tabs. Each column holds different information about the
device. For adding any new device, add a fresh row. Each row stands
for a partition or removable device in the system.
1st Column:
~~~~~~~~~~
The first column identifies the filesystem to mount: the partition's
label, e.g. "LABEL=/boot" (or UUID=... on newer systems), or the path
of its device node, e.g. "/dev/cdrom". It names the block device, not
a driver; the kernel picks the driver from the device itself.
2nd Column:
~~~~~~~~~~
The second field (fs_file) describes the mount point for the
filesystem. For swap partitions, this field should be specified as
`none' (or `swap'). If the name of the mount point contains spaces
these can be escaped as `\040'.
The mount point is the directory where that particular device
(mentioned in the first column) will be mounted and through which we
can view and modify the content of that partition. You can change the
default mount point listed in the column if you are not satisfied with
the one your system has given you.
3rd Column:
~~~~~~~~~~
The third column in the file specifies the filesystem type of the
device or partition. Many different filesystems are supported by
Linux and the most common ones are:
1) autofs
2) devpts
3) ext2
4) ext3
5) iso9660
6) nfs
7) ntfs
8) proc
9) swap
10) tmpfs
11) udf
12) ufs
13) vfat
14) xfs
If you are not sure of the filesystem type of the device then set the
value to "auto" and the system will itself determine the filesystem
type and will mount the device with that filesystem.
4th Column:
~~~~~~~~~~
The fourth column holds the mount options applied to the filesystem
when it is mounted, at boot or later. There are many options which
constitute the fourth column. They are as follows:
1) ro        Read only
2) rw        Read-write
3) auto      Mount at startup (and with mount -a)
4) noauto    Do not mount at startup
5) user      Any user can mount the device, but only the user who
             mounted it can unmount it (implies noexec,nosuid,nodev)
6) nouser    Only root can mount and unmount the device
7) users     Every user can mount and also unmount the device, even
             one mounted by somebody else
8) owner     Like user, but only the owner of the device node may
             mount it
9) dev       Interpret character and block special files on the
             filesystem
10) nodev    Do not interpret device files on the filesystem
11) exec     Users can execute binaries on the partition
12) noexec   Users cannot execute binaries on the partition
13) async    Asynchronous: whenever a file is saved it is first kept
             in RAM and written to the hard disk later by the kernel
             (within roughly 30 seconds by default)
14) sync     Synchronous: whenever a file is saved it is written
             directly to the hard disk
15) suid     Honour set-user-ID and set-group-ID bits on binaries in
             the filesystem, so that such a binary runs with the
             privileges of its owner (e.g. root) rather than those of
             the user invoking it
16) nosuid   Ignore set-user-ID and set-group-ID bits
17) defaults Shorthand for rw,suid,dev,exec,auto,nouser,async
Security note: because "defaults" allows device files, setuid
binaries and execution, filesystems that untrusted users can write to
or bring in (/tmp, /dev/shm, /home, removable media, NFS imports)
should normally be mounted with nodev,nosuid and, where it does not
break legitimate use, noexec.
5th Column:
~~~~~~~~~~
The 5th column is the dump (backup) option. This column contains
either 0 or 1, where "0" stands for "NO" and "1" for "YES". The dump
program reads it: if it is "0", dump will ignore that filesystem; if
it is "1", the filesystem is included in backups. dump only
understands ext2/ext3 filesystems, hence it should be enabled only for
those and disabled for the rest.
6th Column:
~~~~~~~~~~
The 6th column is the "fsck" pass number. fsck stands for file system
check. This column defines the order in which the system checks the
filesystems at startup. The / filesystem is given top priority, i.e.
1, and the rest of the filesystems are given second priority, i.e. 2.
A value of 0 means no check will be done at startup. Filesystems with
the same number are checked in parallel where they are on different
disks. The root filesystem is checked first and alone because the
tools and files needed for checking the others live on it.
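The fourth column is where the security decisions in fstab live, and "defaults" on a user-writable mount point quietly grants dev, suid and exec. The script below is an added example, not part of the handout: it parses fstab lines the way the column description above lays them out and reports which user-writable or removable mount points lack nodev, nosuid or noexec. The sample fstab is constructed for the example, and the list of mount points it treats as user-writable (/tmp, /var/tmp, /dev/shm, /home and anything under /mnt or /media) is the example's own choice.

```shell
#!/bin/sh
# Added example: audit the mount options (4th fstab column) of user-writable
# and removable filesystems for the hardening options nodev, nosuid, noexec.

# Constructed sample; "defaults" means rw,suid,dev,exec,auto,nouser,async.
SAMPLE_FSTAB='LABEL=/      /          ext3   defaults                    1 1
LABEL=/tmp   /tmp       ext3   defaults                    1 2
none         /dev/shm   tmpfs  defaults                    0 0
LABEL=/home  /home      ext3   defaults,nodev,nosuid       1 2
/dev/sda1    /mnt/usb   vfat   noauto,nodev,nosuid,noexec  0 0
# a comment line, to be skipped
/dev/hda6    swap       swap   defaults                    0 0'

# Read an fstab on stdin; print "mountpoint missing-options" for every
# in-scope mount point that lacks one or more of nodev, nosuid, noexec.
fstab_audit() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
    NF < 4               { next }                 # malformed entry
    $3 == "swap" || $2 == "none" { next }         # swap has no mount point
    {
      mp = $2
      # only places untrusted users can write to or plug in are in scope here
      if (mp != "/tmp" && mp != "/var/tmp" && mp != "/dev/shm" &&
          mp != "/home" && mp !~ /^\/(mnt|media)\//) next
      n = split($4, opt, ",")
      split("", have)                             # clear the option set
      for (i = 1; i <= n; i++) have[opt[i]] = 1
      missing = ""
      if (!("nodev"  in have)) missing = missing "nodev,"
      if (!("nosuid" in have)) missing = missing "nosuid,"
      if (!("noexec" in have)) missing = missing "noexec,"
      if (missing != "") { sub(/,$/, "", missing); print mp, missing }
    }'
}

# Stand-alone run over the sample; on a real host: fstab_audit < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | fstab_audit
```

Every finding is a mount point whose current options differ from the hardened set; the fix is to append the missing options to that line (for example `defaults,nodev,nosuid,noexec` on /tmp) and remount with `mount -o remount /tmp`. noexec can break package installers and some build tools that run scripts from /tmp, which is why it is reported rather than assumed to be always appropriate.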
The dmesg command is used to write the kernel messages in Linux and
other Unix-like operating systems to standard output (which by default
is the display screen).
A kernel is the core of an operating system. It is the first part of
the operating system that is loaded into memory when a computer boots
up (i.e., starts up), and it controls virtually everything on a
system. The numerous messages generated by the kernel that appear on
the display screen as a computer boots up show the hardware devices
that the kernel detects and indicate whether it is able to configure
them.
dmesg obtains its data by reading the kernel ring buffer. A buffer is
a portion of a computer's memory that is set aside as a temporary
holding place for data that is being sent to or received from an
external device, such as a hard disk drive (HDD), printer or keyboard.
A ring buffer is a buffer of fixed size for which any new data added
to it overwrites the oldest data in it.
dmesg can be very useful when troubleshooting or just trying to obtain
information about the hardware on a system. Its basic syntax is
dmesg [options]
On hardened systems the sysctl kernel.dmesg_restrict=1 limits dmesg to
root, since the ring buffer can reveal kernel addresses and hardware
details.
Invoking dmesg without any of its options (which are rarely used)
causes it to write all the kernel messages to standard output. This
usually produces far too many lines to fit into the display screen all
at once, and thus only the final messages are visible. However, the
output can be redirected to the less command through the use of a pipe
(designated by the vertical bar character), thereby allowing the
startup messages to be viewed one screenful at a time:
dmesg | less
less allows the output to be moved forward one screenful at a time by
pressing the SPACE bar, backward by pressing the b key and removed by
pressing the q key. (The more command could have been used here
instead of the less command; however, less is newer than more and has
additional functions, including the ability to return to previous
pages of the output.)
When a user encounters a problem with the system, it can be convenient
to write the output of dmesg to a file and then send that file by
e-mail to a system administrator or other knowledgeable person for
assistance. For example, the output could be redirected to a file
named boot_messages using the output redirection operator (designated
by a rightward-facing angle bracket) as follows:
dmesg > boot_messages
Because of the length of the output of dmesg, it can be convenient to
pipe its output to grep, a filter which searches for any lines that
contain the string (i.e., sequence of characters) following it. The -i
option can be used to tell grep to ignore the case (i.e., lower case
or upper case) of the letters in the string. For example, the
following command lists all references to USB (universal serial bus)
devices in the kernel messages:
dmesg | grep -i usb
And the following tells dmesg to show all serial ports (which are
represented by the string tty):
dmesg | grep -i tty
The dmesg and grep combination can also be used to show how much
physical memory (i.e., RAM) is available on the system:
dmesg | grep -i memory
The following command checks to confirm that the HDD(s) is running in
DMA (direct memory access) mode:
dmesg | grep -i dma
The output of dmesg at boot time is kept in the log file
/var/log/dmesg, and it can thus also be viewed by reading that file
with a text editor, such as vi or gedit, or with a command such as
cat, e.g.,
cat /var/log/dmesg | less
http://linuxgazette.net/issue59/nazario.html
lspci is a command on Unix-like operating systems that prints detailed
information about all PCI buses and devices in the system. It is based
on a common portable library, libpci, which offers access to the PCI
configuration space on a variety of operating systems.
Example output on a Linux system:
# lspci
00:00.0 Host bridge: Intel Corporation 82815 815 Chipset Host Bridge and Memory Controller Hub (rev 11)
00:02.0 VGA compatible controller: Intel Corporation 82815 CGC [Chipset Graphics Controller] (rev 11)
00:1e.0 PCI bridge: Intel Corpor
ation 82801 Mobile PCI Bridge (rev 03)
00:1f.0 ISA bridge: Intel Corporation 82801BAM ISA Bridge (LPC) (rev 03)
00:1f.1 IDE interface: Intel Corporation 82801BAM IDE U100 (rev 03)
00:1f.2 USB Controller: Intel Corporation 82801BA/BAM USB (Hub #1) (rev 03)
00:1f.3 SMBus: Intel Corporation 82801BA/BAM SMBus (rev 03)
00:1f.4 USB Controller: Intel Corporation 82801BA/BAM USB (Hub #2) (rev 03)
00:1f.5 Multimedia audio controller: Intel Corporation 82801BA/BAM AC'97 Audio (rev 03)
01:03.0 CardBus bridge: O2 Micro, Inc. OZ6933/711E1 CardBus/SmartCardBus Controller (rev 01)
01:03.1 CardBus bridge: O2 Micro, Inc. OZ6933/711E1 CardBus/SmartCardBus Controller (rev 01)
01:0b.0 PCI bridge: Actiontec Electronics Inc Mini-PCI bridge (rev 11)
02:04.0 Ethernet controller: Intel Corporation 82557/8/9 [Ethernet Pro 100] (rev 08)
02:08.0 Communication controller: Agere Systems WinModem 56k (rev 01)
If many devices are shown as unknown (e.g. "Unknown device 2830 (rev
02)"), issuing the command 'update-pciids' will usually do the trick.
Detailed information
$ lspci -vv
To update the pci.ids information in /usr/share/hwdata/pci.ids
$ update-pciids
Bash
Descended from the Bourne shell, Bash is a GNU product, the "Bourne
Again SHell." It's the standard command line interface on most Linux
machines. It excels at interactivity, supporting command line editing,
completion, and recall. It also supports configurable prompts; most
people realize this, but don't know how much can be done.
Bash interprets the text of a script command by command; it does not
compile it to binary.
This chapter is based on Chapters 6 through 8 of the Siever book,
Linux in a Nutshell [Siever 2003].
Figure 1 illustrates some of the shells found on UNIX/Linux systems.
Shell   Description
bash    Bourne again shell (GNU)
csh     C shell (BSD)
jsh     Job control shell (SVR4)
ksh     Korn shell (Bell Labs)
rc      Plan 9 shell (Bell Labs)
rsh     Remote shell (TCP/IP)
sh      Bourne shell (UNIX 7th Edition)
tcsh    Popular extension of the C shell
zsh     Popular extension of the Korn shell
Figure 1: Some UNIX/Linux Shells
Standard GNU/Linux systems use bash as the default shell. Some
distributions, e.g. Red Hat Linux, have /bin/sh as a symbolic link to
/bin/bash and /bin/csh as a symbolic link to /bin/tcsh.
Common Features
Figure 2 illustrates some features that are common to both bash and
tcsh.
Symbol   Description
>        Redirect output
>>       Append output to a file
<        Redirect input
<<       Redirect input ("here" document)
|        Pipe output
&        Run process in background
;        Separate commands on one line
*        Match character(s) in filename
?        Match single character in filename
!n       Repeat command number n
[...]    Match any characters enclosed
(...)    Execute commands in a subshell
"..."    Quote allowing variable and command expansion
'...'    Literal string
`...`    Command substitution
\        Quote following character
$var     Variable expansion
$$       Process ID
$0       Command name
$n       nth argument (0...9)
$*       All arguments
$?       Exit status
#        Begin comment
Figure 2: Common symbols
In addition to these symbols, both shells have some common commands,
as illustrated in Figure 3.
Command   Description
bg        Background execution
break     Break out of a loop
cd        Change directory
continue  Resume a loop
echo      Display output
eval      Evaluate arguments
exec      Execute a new program
fg        Foreground execution
jobs      Show active jobs
kill      Terminate running job(s)
shift     Shift positional parameters
stop      Suspend a background job
suspend   Suspend a foreground job
umask     Set or list the file creation mask
unset     Erase variable or function definition
wait      Wait for a background job to finish
Figure 3: Common commands
Reference
http://en.wikipedia.org/wiki/Bash
Practical
BASH

Log in as root (passwd *****).

When you log in you get a virtual console (vc) with the help of the tty driver (/dev/tty*) and a shell (/bin/bash). In Linux the default shell is bash (/bin/bash).

To check the shells supported by your OS:
$ cat /etc/shells
To switch to another shell:
$ sh
$ ksh   etc....
Check your bash:
$ ps
To start another bash, just run the following; the child shell inherits the parent's environment:
$ bash
Now check with
$ ps
You will have two bash processes (parent and child). If you kill the child bash it won't affect the parent, but if you do it the other way round, check what happens (if the parent was your login shell, the session ends and you are logged out).
List the bash shell PIDs:
$ ps -el | grep bash
Now try loading bash and kill it with the command
$ kill -9 <pid of bash>
Bash

Here's a neat Bash prompt trick. At a basic Bash prompt, press the up arrow key and you'll see the last command you typed in. Press it again and again to rotate through all the commands you typed previously, stored for you in Bash history.

You will only see the commands you typed in for your own login, whether that's a specific user or root: each user's history lives in that user's ~/.bash_history.

Here are some additional Bash tips, all of which are commands that you type at the Bash prompt:

To display a full numbered list of all stored commands, type:
history

To re-run the eighth command in that list, type:
!8

To re-run the last command that started with the letter v, type:
!v

A "!" expansion executes the command immediately and the match is case-sensitive; add :p (e.g. !v:p) if you want to see the command before running it.

Bash history isn't lost when you reboot or shut down either. Clever, isn't it? Remember that the history file is plain text: anything typed on the command line, such as a password passed as an argument, stays readable there until it is removed (history -c), or keep it out of the file in the first place with HISTCONTROL=ignorespace and a leading space.
Bash Shortcuts

To go along with the Bash basics above, here are some basic shorthand commands:

To go back one step in the directory tree, type:
cd ..
To change to the /home/{logged in username} directory, type:
cd ~
To change to the directory of a specific user when you have more than one, type the previous command followed by the name of the user:
cd ~bruno
cd ~anna
To change to the directory /home/{logged in username}/Downloads/Backgrounds, type:
cd ~/Downloads/Backgrounds
For really fast typing don't forget to use the Tab key for auto-completion. Typing the following does the same as the previous example, a lot faster:
cd ~/D{press Tab key}/B{press Tab key}
Bash Script

You probably know that the "rm" command removes (or deletes) a file permanently. Wouldn't it be nice if we could move it to the recycle bin with a simple command instead? You can. To do that, you can make your own command called del with a brief script.

To build the script, open a terminal and type the following lines:
su
{type your root password} (Note: you should see the # prompt)
kedit /usr/bin/del

This opens a new window in the kedit editor into which you should type the following script:

#!/bin/bash
# del: move the given file(s) to Trash; "$@" keeps names with spaces intact, "--" stops mv reading a name as an option
mkdir -p "$HOME/Desktop/Trash"
mv -- "$@" "$HOME/Desktop/Trash/"
# End script

The next step is to save the file using kedit's File, Save As menu command. Then, back at the Bash prompt logged in as root, type this line to make the new script executable:
# chmod 0775 /usr/bin/del

(Keep the file owned by root: anyone who can edit /usr/bin/del controls what every user runs when they type "del", so the group write bit in 0775 is only acceptable if the file's group is trusted; 0755 is the safer choice.)

Now whenever you type the del command, it will run your script. For example, if you came across the "tessst" file and you wanted to move it to the trash, you could just type this at the Bash prompt:
$ del tessst

That will perform the same action as:
$ mv tessst /home/{logged in username}/Desktop/Trash

Sure, this was a very short example: a three-line script that holds only one command, but you could add as many lines to the script as you wanted and execute it with a simple three-letter word. If there are more commands in the script, it will execute them in the order that they appear. Because /usr/bin is in your path you only have to type "del" to execute it from anywhere in the filesystem.
Tab Completion Tip

Did you know you can use the Tab key to auto-complete commands on the command line? Just type a few characters that start a command and press the Tab key. The command, or the name of an existing directory or file, will be completed.

Try this. Type the following and then press the Tab key:
$ cd /u
Now add an "s" and press Tab, type "h" and press Tab. The result should be:
$ cd /usr/share/
Now type "f" "o" "n" and press Tab, "t" press Tab, "d" Tab, and press the Enter key. That should put you in:
/usr/share/fonts/ttf/decoratives
(This path, like the urpmi example below, comes from a Mandrake system; the directory layout differs on other distributions.)
Type the following and press Enter:
ls
That'll bring up a list of all the fancy ttf fonts on your system.

So next time you have to type a long command like this:
# cp synthesis.hdlist.update_source.cz /var/lib/urpmi/synthesis.hdlist.update_source.cz
...try it this way instead:
# cp sy(Tab key) /v(Tab key)li(Tab key)u(Tab key)sy(Tab key)
And because the full command is on your screen, the light will go on if it hasn't already! (Note: this works only if the file "synthesis.hdlist.update_source.cz" is in your current directory, e.g. your home directory.)

How about a little more on the Tab key and commands? If you don't remember exactly how a command was written, type in the first character or two and hit the Tab key (twice, in bash). You'll get a list of all the commands that start with the same character(s).

If you wish to know what a certain command does, say mkmanifest, use the whatis command, like this:
$ whatis mkmanifest
mkmanifest (1) - Makes list of file names and their DOS 8+3 equivalents.
Introduction to BASH

* Developed by the GNU project.
* The default Linux shell.
* Backward compatible with the original sh UNIX shell.
* Bash is largely compatible with sh and incorporates useful features from the Korn shell (ksh) and the C shell (csh).
* Bash is the default shell for Linux. However, it also runs on every version of Unix and a few other operating systems such as MS-DOS, OS/2 and Windows platforms.

Quoting from the official Bash home page:
Bash is the shell, or command language interpreter, that will appear in the GNU operating system. It is intended to conform to the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard. It offers functional improvements over sh for both programming and interactive use. In addition, most sh scripts can be run by Bash without modification.

The improvements offered by BASH include:
The Bash syntax is an improved version of the Bourne shell syntax. In most cases Bourne shell scripts can be executed by Bash without any problems.
* Command line editing.
* Command line completion.
* Unlimited size command history.
* Prompt control.
* Indexed arrays of unlimited size (Arrays).
* Integer arithmetic in any base from two to sixty-four.
* Bash startup files: you can run bash as an interactive login shell or an interactive non-login shell. See Bash startup files for more information.
* Bash conditional expressions: used in composing various expressions for the test builtin or the [[ or [ commands.
* The directory stack: history of visited directories.
* The restricted shell: a more controlled mode of shell execution.
* Bash POSIX mode: making Bash behave more closely to what the POSIX standard specifies.

In Linux, a lot of work is done using a command line shell. Linux comes pre-installed with Bash. Many other shells are available under Linux:
* tcsh: an enhanced version of csh, the C shell.
* ksh: the real, AT&T version of the Korn shell.
* csh: shell with C-like syntax, the standard login shell on BSD systems.
* zsh: a powerful interactive shell.
* scsh: an open source Unix shell embedded within the Scheme programming language.
Shell Scripting

Starting a Script With #!
1. It is called a shebang or a "bang" line.
2. It is nothing but the absolute path to the script's interpreter.
3. It consists of a number sign and an exclamation point character (#!), followed by the full path to the interpreter, such as /bin/bash.
4. When a script is executed directly (for example ./script.sh), the kernel runs it with the interpreter specified on the first line [1]. If you run it as "sh script.sh" instead, the shebang is ignored and sh interprets it.
5. Almost all bash scripts begin with #!/bin/bash (assuming that Bash has been installed in /bin).
6. This ensures that Bash will be used to interpret the script, even if it is started from another shell [2].
7. The shebang was introduced by Dennis Ritchie between Version 7 and 8 Unix at Bell Laboratories. It was then also added to the BSD line at Berkeley [3].

Ignoring An Interpreter Line (shebang)
* If you do not specify an interpreter line, the default is usually /bin/sh. But it is recommended that you set the #!/bin/bash line.

/bin/sh
For a system boot script, use /bin/sh:
#!/bin/sh
sh is the standard command interpreter for the system. The current version of sh is in the process of being changed to conform with the POSIX 1003.2 and 1003.2a specifications for the shell.

Did you know?
* It is the shell that lets you run different commands without having to type the full path name to them, even when they do not exist in the current directory.
* It is the shell that expands wildcard characters, such as * or ?, thus saving you laborious typing.
* It is the shell that gives you the ability to run previously run commands without having to type the full command again, by pressing the up arrow or pulling up a complete list with the history command.
* It is the shell that does input, output and error redirection.

Why shell scripting?
* Shell scripts can take input from a user or file and output it to the screen.
* Whenever you find yourself doing the same task over and over again you should use shell scripting, i.e. repetitive task automation:
  o Creating your own power tools/utilities.
  o Automating command input or entry.
  o Customizing administrative tasks.
  o Creating simple applications.
  o Since scripts are well tested, the chances of errors are reduced while configuring services or doing system administration tasks such as adding new users.

Practical examples where shell scripting is actively used
* Monitoring your Linux system.
* Data backup and creating snapshots.
* Dumping Oracle or MySQL databases for backup.
* Creating an email-based alert system.
* Finding out what processes are eating up your system resources.
* Finding out available and free memory.
List of common bash keywords and builtin commands
* JOB_SPEC &
* (( expression ))
* . filename
* [[ expression ]]
* [ arg... ]
* expression
* alias
* bg
* bind
* builtin
* caller
* case
* command
* compgen
* complete
* continue
* declare
* dirs
* disown
* echo
* enable
* eval
* exec
* exit
* export
* false
* fc
* fg
Syntax:
command1 && command2
OR
First_command && Second_command

command2 is executed if, and only if, command1 returns an exit status of zero (true). In other words, run command1 and, if it is successful, then run command2.

Example
Type the following at a shell prompt:
$ rm /tmp/filename && echo "File deleted."
The echo command will only run if the rm command exits successfully with a status of zero. If the file is deleted successfully, the rm command sets the exit status to zero and the echo command gets executed.

Look up a username in the /etc/passwd file:
grep "^champu:" /etc/passwd && echo "champu found in /etc/passwd"
(The trailing colon matters: "^champu" alone would also match a user called champu2.)

Exit if the directory /tmp/foo does not exist:
test ! -d /tmp/foo && { read -p "Directory /tmp/foo not found. Hit [Enter] to exit..." enter; exit 1; }

Syntax:
command1 || command2
OR
First_command || Second_command

command2 is executed if, and only if, command1 returns a non-zero exit status. In other words, run command1 successfully or run command2.

Example
$ cat /etc/shadow 2>/dev/null || echo "Failed to open file"
The cat command will try to display the /etc/shadow file, and it (the cat command) sets the exit status to a non-zero value if it fails to open /etc/shadow. Therefore 'Failed to open file' will be displayed if the cat command failed to open the file.

Find the username or else display an error:
$ grep "^champu:" /etc/passwd || echo "User champu not found in /etc/passwd"

How Do I Combine Both Logical Operators?
Try it as follows:
$ cat /etc/shadow 2>/dev/null && echo "File successfully opened." || echo "Failed to open file."

Make sure only root can run this script:
$ test $(id -u) -eq 0 && echo "You are root" || echo "You are NOT root"
OR
$ test $(id -u) -eq 0 && echo "Root user can run this script." || echo "Use sudo or su to become a root user."

Be careful: "a && b || c" is not an if/else. c runs when a fails, but it also runs when a succeeds and b then fails. That is harmless while b is an echo, but if b is the real work (say, a privileged command) its failure would trigger the "else" branch as well; use if/then/else in that case.
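The chaining rules above, shown as an added example (not code from the original notes): a reusable is_root_user function of the kind the text suggests, and two small functions whose arguments simulate the exit status of command1 and command2, so that the difference between "a && b || c" and a real if/else can be checked. The function names and the use of "( exit N )" to stand in for a command with exit status N are assumptions of this example.

```shell
#!/bin/bash
# Added example: exit-status chaining. Not from the original notes.

# Returns 0 when the caller is root, 1 otherwise. Same check as
# "test $(id -u) -eq 0" above, packaged so a script can write
#   is_root_user || { echo "run as root" >&2; exit 1; }
is_root_user() {
    [ "$(id -u)" -eq 0 ]
}

# "cmd1 && cmd2 || cmd3" run with fake exit statuses. "( exit N )" is a
# subshell that exits with status N, standing in for a real command.
# Returns 0 if only the success path ran, 1 if cmd3 (the "else") ran.
chain_demo() {
    local first_rc="$1" second_rc="$2" else_ran=0
    ( exit "$first_rc" ) && ( exit "$second_rc" ) || else_ran=1
    return "$else_ran"
}

# The same intent written as if/then/else: cmd3 depends on cmd1 alone,
# so a failure inside the "then" branch can no longer trigger the "else".
safe_demo() {
    local first_rc="$1" second_rc="$2"
    if ( exit "$first_rc" ); then
        ( exit "$second_rc" ) || echo "then-branch command failed" >&2
        return 0
    else
        return 1
    fi
}

# Stand-alone demonstration: the third line is the surprise.
chain_demo 0 0 && echo 'cmd1 ok, cmd2 ok      : else did not run'
chain_demo 1 0 || echo 'cmd1 failed           : else ran (expected)'
chain_demo 0 1 || echo 'cmd1 ok, cmd2 failed  : else ran anyway!'
safe_demo  0 1 && echo 'if/else, cmd2 failed  : else did not run'
```

chain_demo 0 1 returning 1 is the whole point: with "&& ... ||" the failure branch fires for a failure in either command, which is why a privileged action should sit inside if/then/else rather than in the middle of a chain.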
Shell functions

* Sometimes shell scripts get complicated.
* To avoid large and complicated scripts, use functions.
* You divide large scripts into small chunks/entities called functions.
* Functions make a shell script modular and easy to use.
* Functions avoid repetitive code. For example, an is_root_user() function can be reused by various shell scripts to determine whether the logged-on user is root or not.
* A function performs a specific task. For example, add or delete a user account.
* A function is used like a normal command.
* In other high-level programming languages a function is also known as a procedure, method, subroutine or routine.

Writing the hello() function
Type the following command at a shell prompt:
hello() { echo 'Hello world!'; }

Invoking the hello() function
The hello() function can be used like a normal command. To execute it, simply type:
hello

Passing arguments to the hello() function
You can pass command line arguments to user-defined functions. Define hello as follows:
hello() { echo "Hello $1, let us be friends."; }
You can call the hello function and pass an argument as follows:
hello champu
Sample output:
Hello champu, let us be friends.

* One-line functions inside { ... } must end with a semicolon. Otherwise you get an error on screen:
$ xrpm() { rpm2cpio "$1" | cpio -idmv }
The above will not work. However, the following will work (notice the semicolon at the end):
$ xrpm() { rpm2cpio "$1" | cpio -idmv; }

To display the names of the defined functions, use the declare command with -F. Type the following command at a shell prompt:
$ declare -F
Sample output:
declare -f command_not_found_handle
declare -f genpasswd
declare -f grabmp3
declare -f hello
declare -f mp3
declare -f xrpm

Display Function Source Code
To view function names together with their source code, enter:
declare -f
OR
declare -f | less
The test command is used to check file types and compare values. test is used in conditional execution. It is used for:
* File attribute comparisons.
* String comparisons.
* Arithmetic comparisons.

test command syntax
test condition
OR
test condition && true-command
OR
test condition || false-command
OR
test condition && true-command || false-command

Type the following command at a shell prompt (is 5 greater than 2?):
$ test 5 > 2 && echo "Yes"
$ test 1 > 2 && echo "Yes"
Sample output:
Yes
Yes

Rather than testing whether a number is greater than 2, you have used redirection to create an empty file called 2 (see shell redirection): the shell consumed "> 2" before test ever saw it, and "test 5" with a single non-empty argument is always true. To test for greater than, use the -gt operator (see numeric operator syntax):
test 5 -gt 2 && echo "Yes"
test 1 -gt 2 && echo "Yes"
Yes

You need to use the test command while making decisions. Try the following examples and note down the output:
$ test 5 = 5 && echo Yes || echo No
$ test 5 = 15 && echo Yes || echo No
$ test 5 != 10 && echo Yes || echo No
$ test -f /etc/resolv.conf && echo "File /etc/resolv.conf found." || echo "File /etc/resolv.conf not found."
$ test -f /etc/resolv1.conf && echo "File /etc/resolv1.conf found." || echo "File /etc/resolv1.conf not found."

Note that = and != compare strings, so "test 5 = 05" is false while "test 5 -eq 05" is true. Always quote variables inside test: with an empty $x, "test $x = 5" becomes "test = 5" and fails with an error, whereas "test "$x" = 5" is simply false.
Write Scripts

1.
#!/bin/bash
# Ask for a number and compare it as a string with "=" (test's "==" is a bashism).
# "$number" is quoted so that an empty answer does not break the test command.
read -p "Enter #5: " number
if test "$number" = 5
then
    echo "Thanks for entering #5"
fi
if test "$number" != 5
then
    echo "I told you to enter #5. Please try again."
fi
2.
#!/bin/bash
# Interactive menu; "echo -e ... \c" prints the prompt without a trailing newline.
clear
echo -e "What is your name: \c"
read name
echo "Hello $name. Welcome to shell programming"
sleep 2
clear
echo -e "Would you like to see a listing of your files? [y/n]: \c"
read yn
if [ "$yn" = y ]
then
    ls
fi
sleep 1
echo -e "Would you like to see who all are logged in? [y/n]: \c"
read yn
if [ "$yn" = y ]
then
    who
fi
sleep 1
echo "Would you like to see which dir you are in?"
read yn
if [ "$yn" = y ]
then
    pwd
fi
3.
#!/bin/sh
# Copy one file to another and report the result using cp's exit status.
clear
echo "Enter filename to copy"
read apple
echo "Enter filename to copy to"
read mango
if cp "$apple" "$mango" >/dev/null 2>&1
then
    echo "Files copied OK. Congrats!!"
else
    echo "Error!!! Contact Mr ABC at Ext 101"
fi
4.
#!/bin/bash
# -lt, -le, -gt, -ge, -ne, -eq: use these for numerical comparisons
# =, !=, \<, \>: use these for string comparisons (test has no <=, >= or <>)
clear
tput cup 10 10
echo -e "Enter a no from 1 to 5: \c"
read num
# Check both bounds; "-lt 6" alone would also accept 0 and negative numbers.
if test "$num" -ge 1 && test "$num" -le 5
then
    tput cup 12 10
    echo "Good"
else
    tput cup 12 10
    echo "Sorry, only between 1 and 5"
fi
5.
#!/bin/bash
## see "man test" for the -z and -f operators
clear
echo "Enter filename"
read filename
if [ -z "$filename" ]
then
    echo "You have to enter some filename"
    echo "Exiting...."
    sleep 2
    exit
fi
if [ -f "$filename" ]
then
    echo "The filename you entered exists!!"
    echo "Deleting $filename....."
    sleep 2
    # "--" ends option parsing, so a name such as "-rf" cannot become an rm option.
    rm -f -- "$filename"
    echo "Deleted $filename....."
    sleep 1
    clear
else
    echo "The filename you entered does not exist!!!"
fi
6.
#!/bin/bash
read -p "Enter a number: " n
# Each numeric test errors out on non-numeric input (the message goes to stderr),
# so a word such as "abc" fails every branch and falls through to the else.
if [ "$n" -gt 0 ]; then
    echo "$n is positive."
elif [ "$n" -lt 0 ]
then
    echo "$n is negative."
elif [ "$n" -eq 0 ]
then
    echo "$n is zero."
else
    echo "Oops! $n is not a number."
fi
7.
#!/bin/bash
clear
echo -e "Enter a number from 1 to 3: \c"
read num
case "$num" in
    1) echo "You have entered 1"
       ;;
    2) echo "You have entered 2"
       ;;
    3) echo "You have entered 3"
       ;;
    *) echo "Between 1 to 3 only!!"
       ;;
esac

8.
#!/bin/sh
echo "Enter dog/cat/parrot"
read animal
case "$animal" in
    cat|kat) echo "You have entered cat"
             ;;
    dog) echo "You have entered dog"
         ;;
    parrot|crow) echo "You have entered parrot or crow"
                 ;;
    *) echo "Invalid entry!!"
       ;;
esac
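Added example (not code from the original notes): the input checks that scripts 5 and 6 above are missing, written as reusable functions. is_integer and safe_filename use case patterns, which only match the text and never execute it; classify_number is script 6's three-way test guarded by is_integer, and delete_in_cwd is script 5's rm guarded by safe_filename. All four function names are hypothetical.

```shell
#!/bin/sh
# Added example: validating user input before acting on it.
# Not from the original notes; function names are hypothetical.

# is_integer STRING: 0 if STRING is an optionally signed decimal integer.
is_integer() {
    case "$1" in
        ''|-) return 1 ;;               # empty, or a bare minus sign
        -*) set -- "${1#-}" ;;          # strip one leading sign, then check digits
    esac
    case "$1" in
        ''|*[!0-9]*) return 1 ;;        # empty after stripping, or a non-digit present
        *) return 0 ;;
    esac
}

# classify_number STRING: script 6's test, run only after is_integer has
# confirmed that -gt/-lt cannot error out.
# Prints positive, negative, zero or invalid; returns 1 for invalid.
classify_number() {
    if ! is_integer "$1"; then
        echo invalid
        return 1
    fi
    if [ "$1" -gt 0 ]; then echo positive
    elif [ "$1" -lt 0 ]; then echo negative
    else echo zero
    fi
}

# safe_filename NAME: 0 if NAME is a plain file name in the current
# directory. Rejects an empty name, names starting with "-" (rm would read
# them as options), "." and "..", and anything containing "/" (so that
# "../../etc/passwd" or an absolute path cannot redirect the deletion).
safe_filename() {
    case "$1" in
        ''|-*|*/*|.|..) return 1 ;;
        *) return 0 ;;
    esac
}

# delete_in_cwd NAME: script 5's deletion with the checks in front of it.
# "--" ends rm's option parsing as a second line of defence.
delete_in_cwd() {
    safe_filename "$1" || { echo "refusing to delete '$1'" >&2; return 1; }
    [ -f "$1" ] || { echo "'$1' is not an existing regular file" >&2; return 1; }
    rm -f -- "$1"
}

# Stand-alone demonstration of the number check.
for n in 42 -7 0 abc 1-2; do
    printf '%-4s -> %s\n' "$n" "$(classify_number "$n")"
done
```

Validate with a pattern, then act with "--": the pattern keeps option-like and path-like input out, and "--" makes sure that even if a check is later loosened, rm still treats the argument as a file name.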
RPM

RPM is a powerful package manager for Red Hat, SUSE and Fedora Linux. It can be used to build, install, query, verify, update, and remove/erase individual software packages. A package consists of an archive of files and package information, including name, version and description.

The RPM Package Manager
--------------------------------
RPM is a recursive acronym for RPM Package Manager. It used to be called the Red Hat Package Manager, but Red Hat changed its name to emphasize that other distributions use it too. The new official name is RPM Package Manager, and yes, that's a self-referencing acronym (SRA), just like GNU.
- RPM is the default package manager for Red Hat Linux systems.
- The RPM system consists of a local database, the rpm executable and rpm package files.
- It deals with .rpm files, which contain the actual programs as well as various bits of meta-information about the package: what it is, where it came from, version information and info about package dependencies.
- RPMs are the files (called packages) which contain the installable software; typically they have the .rpm suffix.

RPM FACTS
--------------------------------
1. RPM is free - GPL
The RPM Package Manager, or RPM, is a tool which was developed by Red Hat Software, who still maintain it, but released under the GNU General Public Licence (GPL); it has proven so popular that a lot of other distribution manufacturers use it as well.
RPM is a very versatile program which solves a lot of problems that a distributor of software typically faces:
- Management of source files
- Management of the build process
- A distribution method and format for binary files, including pre- and post-install scripts. RPMs can be created by anyone, not only the manufacturer of your distribution.
Those pre- and post-install scripts run as root at install time, which is why a package from outside your distribution should be checked against a trusted signing key (rpm --checksig <file>.rpm) before it is installed.

2. Stores info about packages in a database, /var/lib/rpm
/var/lib/rpm contains the whole database necessary for managing all of the packages installed on your system. The database stores information about installed packages such as file attributes and package prerequisites.
When a system uses RPMs to install packages, a database of installed packages is stored in /var/lib/rpm. The database itself is in a binary format, so it cannot be read directly; you have to access it using the rpm command.
User Administration

Only root (i.e. the system administrator) can use the adduser command to create new users; it is not allowed to other users. adduser is a symlink to useradd, which is a binary in /usr/sbin. We (root) can customise adduser by using another word (e.g. champu or uad) and making it a symlink to useradd. Let's see:
[root@localhost root]# cd /usr/sbin
[root@localhost sbin]# ln -s useradd uad
Now uad is a symlink to useradd.
/etc/login.defs

<1> /etc/login.defs: it keeps the information of the directory where mailboxes reside (or the name of the mail file relative to the home directory), the password-aging defaults, the UID/GID ranges and the login retry limits. useradd takes the user id and group id ranges from this file when it writes the passwd and group files, and the shadow and gshadow files get the password-aging defaults of new users from it.

Min/max values for automatic UID selection in useradd:
UID_MIN   500
UID_MAX   60000
User ids start from 500 and go up to 60000, which is the default according to Red Hat, but we can customise it. If there are two departments, ACCOUNTANT and MARKETING, in one office, then I can start user ids for ACCOUNTANT from 1000 and for MARKETING from 2000, which is easier to manage.

Similarly for group ids:
GID_MIN   500
GID_MAX   60000

PASSWORD AGING CONTROLS:
1. PASS_MAX_DAYS 99999: the maximum number of days a password can be used, i.e. max 99999 days (effectively never expires).
2. PASS_MIN_DAYS 0: the minimum number of days allowed between password changes.
3. PASS_MIN_LEN 5: the minimum length of the password, i.e. 5 characters.
4. PASS_WARN_AGE 7: the number of days of warning given to the user before the password expires, i.e. 7 days.
The above password aging information is the default according to Red Hat; we can customise it. Changed values apply to accounts created afterwards; existing accounts are adjusted with chage.
/etc/default/useradd

<2> /etc/default/useradd: it holds the defaults that useradd applies to a new account: the primary group, the base directory for homes, the login shell and so on, in the following way:
1. GROUP=100 --> the default primary group GID for new users (100 is "users") according to Red Hat, which we can customise. When user private groups are in use, useradd creates a group per user instead and this value is not used.
2. HOME=/home --> the default base directory for user homes as Red Hat sets it; we can give it any name, i.e. we can make `ghar' instead of `home' by creating that directory under /.
3. INACTIVE --> the number of days after the user's password expires before the account is locked.
4. EXPIRE --> the date on which the user's account will expire.
5. SHELL=/bin/bash --> the path of the user's login shell.
6. SKEL=/etc/skel --> when a user is created the home directory has no visible files, but the command `l.' shows some hidden files; they are copied from /etc/skel.
/etc/passwd

<3> /etc/passwd: it keeps the record of each new user created by the superuser. Each line is the entry of one user. It is a text file and has the details of all system users. It has 7 fields for each user on each line, so it is called the `system passwd database'; each field is separated by : (colon), also called the "internal field separator".

champu:x:500:500::/home/champu:/bin/bash
  1    2  3   4  5      6          7

1. login name (champu).
2. password field (x): the password itself is stored somewhere else (/etc/shadow) if it exists; x means "look in the shadow file". If we put * (or !) in place of x then the user can't log in with a password. If we leave the second field blank then the user can log in without a password, which is why this field must never be left empty.
3. UID (500).
4. primary GID (500).
5. GECOS/comment field (empty here).
6. home directory (/home/champu).
7. login shell (/bin/bash).
The group file (/etc/group) has 4 colon-separated fields per line:
2. field (x): it contains the group password, which is kept somewhere else (/etc/gshadow) if it exists; it is what newgrp asks for and is rarely used.
3. field (500): it contains the group id. With Red Hat's user private groups this is the same number as the UID of the user the group was created for.
4. field: it contains the list of members of the group. By default in Red Hat it is blank, but root can fill it by putting in the names of the members of the group.

One user can be made a member of a group by using the command `usermod -G', which can be run only by root:
# usermod -G groupname username
Note that -G replaces the user's whole list of supplementary groups; use `usermod -aG groupname username' to add one group without dropping the others.

When the system admin first creates users he can send a message like `Thank you for using Red Hat Linux' through this, and the user gets this mail whenever he logs in.
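The blank-second-field and UID rules above can be checked mechanically. Added example (not code from the original notes): a function that reads /etc/passwd-format lines and reports accounts with an empty password field, any UID 0 account other than root, duplicate UIDs and malformed lines. audit_passwd and SAMPLE_PASSWD are names assumed by this example and the sample entries are constructed; for the real file run audit_passwd < /etc/passwd.

```shell
#!/bin/sh
# Added example: audit /etc/passwd-format input. Not from the original notes.
# audit_passwd reads passwd lines on stdin, prints findings to stderr and
# the number of findings to stdout (0 means nothing suspicious was seen).

audit_passwd() {
    findings=0
    seen_uids=":"                      # ":uid:uid:..." of the UIDs seen so far
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        # A valid entry has exactly seven colon-separated fields.
        fields=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
        if [ "$fields" -ne 7 ]; then
            printf 'MALFORMED (%s fields): %s\n' "$fields" "$line" >&2
            findings=$((findings + 1))
            continue
        fi
        # Split the line; read keeps empty fields such as "::" as empty values.
        IFS=: read -r name pw uid gid gecos home shell <<EOF
$line
EOF
        if [ -z "$pw" ]; then           # field 2 empty: login needs no password
            printf 'NO PASSWORD: %s can log in without a password\n' "$name" >&2
            findings=$((findings + 1))
        fi
        if [ "$uid" = 0 ] && [ "$name" != root ]; then
            printf 'EXTRA UID 0: %s has root privileges\n' "$name" >&2
            findings=$((findings + 1))
        fi
        case "$seen_uids" in
            *:"$uid":*)
                printf 'DUPLICATE UID %s: %s shares it with an earlier entry\n' "$uid" "$name" >&2
                findings=$((findings + 1)) ;;
        esac
        seen_uids="$seen_uids$uid:"
    done
    printf '%s\n' "$findings"
}

# Constructed sample (not a real system): one good user, an account with an
# empty password field, a second UID-0 account, a duplicate UID and a
# truncated line.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
champu:x:500:500::/home/champu:/bin/bash
guest::501:501::/home/guest:/bin/bash
toor:x:0:0::/root:/bin/bash
anna:x:500:500::/home/anna:/bin/bash
broken:x:502'

# Stand-alone run: expect 5 findings. For the real file: audit_passwd < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

A second UID-0 entry ("toor" here) is counted twice, once as an extra root and once as a duplicate UID, which is deliberate: both are things an administrator wants to see.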
Command line options (useradd)

Option          Description
-c comment      Comment for the user
-d home-dir     Home directory to be used instead of the default /home/username/
-e date         Date for the account to be disabled, in the format YYYY-MM-DD
-f days         Number of days after the password expires until the account is disabled. (If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not disabled after the password expires.)
-g group-name   Group name or group number for the user's default group (the group must exist prior to being specified here)
-G group-list   List of additional (other than default) group names or group numbers, separated by commas, of which the user is a member (the groups must exist prior to being specified here)
-m              Create the home directory if it does not exist
-M              Do not create the home directory
-n              Do not create a user private group for the user
-r              Create a system account with a UID less than 500 and without a home directory
-p password     The password, already encrypted with crypt. (The hash then appears in the process list and in the shell history; setting the password afterwards with passwd avoids that.)
-s shell        User's login shell, which defaults to /bin/bash
-u uid          User ID for the user, which must be unique and greater than 499
groupadd <group-name>

Option     Description
-g gid     Use this group ID instead of the next free one
-r         Create a system group (GID taken from the system range)
-f         Exit successfully if the group already exists (and choose another GID if the one given with -g is taken)

Password aging
# chage -l root            (list the aging information for root)
# chage -d 0 username      (set the last-change date to 0: the user must set a new password at the next login)

Change shell
# chsh <username>

Finger Information
# chfn <username>
$ finger
PAM

The PAM library parses the configuration file for a service and loads the modules listed in it.

What operating systems support PAM?
PAM was first developed by Sun Microsystems in 1995 and is supported by the following operating system versions (and higher):
Red Hat 5.0
SUSE 6.2
Debian 2.2
Mandrake 5.2
Caldera 1.3
TurboLinux 3.6

PAM stands for Pluggable Authentication Modules, invented by Sun. It's a beautiful concept, but it can be confusing and even intimidating at first. We're going to look at it on a Red Hat system, but other Linuxes will be similar; some details may vary, but the basic ideas will be the same.

The first thing to understand is that PAM is NOT something like tcpd (tcp wrappers) or xinetd that encloses and restricts access to some service. An application needs to be "PAM aware"; it needs to have been written and compiled specifically to use PAM. There are tremendous advantages in doing so, and most applications with any interest in security will be PAM aware.

PAM is about security: checking to see whether a service should be used or not. Most of us first learned about PAM when we were told that login was using it, but PAM can do much more than just validate passwords. A lot of applications now use PAM; even things like SAMBA can call on PAM for authentication.

The big advantage here is that security is no longer the application's concern: if PAM says it's OK, it's OK. That makes things easier for the application, and it makes things easier for the system administrator. PAM consults text configuration files to see what security actions to take for an application, and the administrator can add and subtract rules at any time. PAM is also extensible: should someone invent a device that can read your brain waves and determine ill intent, all we need is a PAM module that can use that device. Change a few files, and login now reads your mind and grants or denies access appropriately. We're a bit away from that feature, but there are a tremendous number of available PAM modules that administrators can use.
Configuration Files

On modern Red Hat systems, the configuration files are found in /etc/pam.d, one file for each PAM-aware application (plus a special "other" file we'll get to later). One word of warning: changes to these files take effect instantly. You aren't going to get logged out if you make a mistake here, but if you DO screw up and blithely log out, you may not be able to log back in. So test changes before you exit, for example by opening a second ssh session while the first one stays logged in.
We're going to use a very simple example to get started here. In a number of articles here, we've talked about SSH security. Most of those articles have been about changes to ssh's configuration files, but here we'll use PAM to add an additional restriction: the time of day you are allowed to use ssh. To do this, we need a PAM module called pam_time.so; it's probably in your /lib/security/ directory already. It uses the configuration file "/etc/security/time.conf". That file is pretty well commented, so I'm not going to go into detail about it and will just say that I added the line

sshd;*;*;!Al2200-0400

which says that sshd cannot be used between 10:00 PM and 4:00 AM (the four semicolon-separated fields are services; ttys; users; times, and "!" negates the time range). I'm usually rather soundly asleep between those times, so why let ssh be used? I could still log in at the console if I woke up with an urgent need to see an ls of my /tmp directory, but I couldn't ssh in, period. Configuring the time.conf file by itself doesn't affect ssh; we need to add the PAM module to /etc/pam.d/sshd. My file ends up looking like this:

#%PAM-1.0
account    required   pam_time.so
auth       required   pam_stack.so service=system-auth
auth       required   pam_nologin.so
account    required   pam_stack.so service=system-auth
password   required   pam_stack.so service=system-auth
session    required   pam_stack.so service=system-auth
session    required   pam_limits.so
session    optional   pam_console.so

I put the pam_time.so module first so that it is the very first thing that is checked. If that module doesn't give sshd a green light, that's the end of it: no access. That's the meaning of "required": the module HAS to say that it is happy. (Strictly, after a "required" module fails PAM still runs the rest of the stack and only reports the failure at the end, so the user cannot tell which module refused; "requisite" would stop immediately.) The "account" type is specified here. That's a bit of a confusing thing: we have "account", "auth", "password" and "session". The man page isn't all that helpful:
account - provide account verification types of service: has the user's password expired?; is this user permitted access to the requested service?

authentication - establish the user is who they claim to be. Typically this is via some challenge-response request that the user must satisfy: if you are who you claim to be please enter your password. Not all authentications are of this type, there exist hardware based authentication schemes (such as the use of smart cards and biometric devices), with suitable modules, these may be substituted seamlessly for more standard approaches to authentication - such is the flexibility of Linux-PAM.

password - this group's responsibility is the task of updating authentication mechanisms. Typically, such services are strongly coupled to those of the auth group. Some authentication mechanisms lend themselves well to being updated with such a function. Standard UN*X password-based access is the obvious example: please enter a replacement password.

session - this group of tasks cover things that should be done prior to a service being given and after it is withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory. The session management group is important as it provides both an opening and closing hook for modules to affect the services available to a user.

I think that the distinction between account and session in that man page is a little confusing. I think it would be quite reasonable to think you should use "session" for this module. Now, sometimes you have a man page for the module that shows you what to use, but pam_time doesn't help us there. Technically, it's not up to the library: the application is the one that is checking with account or session, but keep this in mind: session happens AFTER authentication. I liked the older PAM manual better, which said:

auth modules provide the actual authentication, perhaps asking for and checking a password, and they set "credentials" such as group membership or kerberos "tickets."

account modules check to make sure that the authentication is allowed (the account has not expired, the user is allowed to log in at this time of day, and so on).

password modules are used to set passwords.

session modules are used once a user has been authenticated to allow them to use their account, perhaps mounting the user's home directory or making their mailbox available.

For me, that was more clear.
Stacking

In this case, I only wanted to apply this restriction to ssh. If I'm physically at the box, I want no time restrictions. If I DID want these same restrictions, I'd make the same change to /etc/pam.d/login. But what if there are a whole bunch of things I want to apply the same rules to? Red Hat has a special module "pam_stack". It functions much like an "include" statement in any programming language. We saw it in my /etc/pam.d/sshd file:

auth       required   pam_stack.so service=system-auth

That says to look in /etc/pam.d/system-auth for other modules to use. Both login and sshd have this line (as does just about every other file in /etc/pam.d/), so we can look in system-auth to see what gets called by them:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth       required   /lib/security/$ISA/pam_env.so
auth       sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth       required   /lib/security/$ISA/pam_deny.so
auth       required   /lib/security/$ISA/pam_tally.so no_magic_root onerr=fail
account    required   /lib/security/$ISA/pam_unix.so
account    required   /lib/security/$ISA/pam_tally.so onerr=fail file=/var/log/faillog deny=1 no_magic_root even_deny_root_account
password   required   /lib/security/$ISA/pam_cracklib.so retry=3 type=
password   sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password   required   /lib/security/$ISA/pam_deny.so
session    required   /lib/security/$ISA/pam_limits.so
session    required   /lib/security/$ISA/pam_unix.so

Therefore, if we really wanted our time restrictions to apply to just about everything, we could add them to system-auth. Note the warning about authconfig though, and also consider that you will be making sudden sweeping changes to a LOT of applications and services.

pam_stack is a Red Hat-specific module that has since been replaced by the standard "include" control (e.g. "auth include system-auth"), which does the same job on current Linux-PAM.
Other

What if a PAM-aware app doesn't have a file in /etc/pam.d? In that case, it uses the "other" file, which looks like this by default:

#%PAM-1.0
auth       required   /lib/security/$ISA/pam_deny.so
account    required   /lib/security/$ISA/pam_deny.so
password   required   /lib/security/$ISA/pam_deny.so
session    required   /lib/security/$ISA/pam_deny.so

That "deny" module is a flat-out no-access, red-light, stop-you-dead-right-here module that is always going to say no. That's excellent from a security point of view (an unknown service fails closed), but can be a bit harsh should you accidentally delete something like "login". Login would now use the "other" file, and you couldn't log in. That could be unpleasant.

There are many, many useful and clever PAM modules. While our brain-wave interpreter doesn't exist yet, many other possibilities are available to you. There are modules to automatically blacklist hosts that have many failed logins, and much more. See http://www.kernel.org/pub/linux/libs/pam/modules.html.
Use of the pam_listfile.so module

This PAM module allows or denies users based on the contents of a specified file. For example, if the username exists in the file /etc/sshd/sshd.allow, sshd will grant login access.

How do I configure the pam_listfile.so module to deny access?
You want to block a user if the username exists in the file /etc/sshd/sshd.deny.
Open /etc/pam.d/ssh (or /etc/pam.d/sshd for Red Hat and friends):
# vi /etc/pam.d/ssh
Append the following line:
auth required pam_listfile.so item=user sense=deny file=/etc/sshd/sshd.deny onerr=succeed
Save and close the file.
Now add all usernames to the /etc/sshd/sshd.deny file. A user is now denied login via sshd if listed in this file:
# vi /etc/sshd/sshd.deny
Add one username per line:
user1
user2
...
Restart the sshd service:
# /etc/init.d/sshd restart
(PAM re-reads /etc/pam.d at each authentication, so the restart is not strictly required, but it is harmless.)

Understanding the config directives:
auth required pam_listfile.so: name of the module required while authenticating users.
item=user: check the username.
sense=deny: deny the user if present in the specified file.
file=/etc/sshd/sshd.deny: name of the file which contains the list of users (one user per line).
onerr=succeed: if an error is encountered (for instance the file is missing or unreadable), PAM will return the status PAM_SUCCESS, i.e. the deny list is silently skipped and the remaining modules decide. That is a fail-open setting: keep the file present, owned by root and writable only by root, because whoever can remove or edit it controls who is denied.
How do I configure the pam_listfile.so module to allow access?
You want to ALLOW a user to use ssh only if the username exists in the file /etc/sshd/sshd.allow.
Open /etc/pam.d/ssh (or /etc/pam.d/sshd for Red Hat and friends):
# vi /etc/pam.d/ssh
Append the following line:
auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail
Save and close the file.
Now add all usernames to the /etc/sshd/sshd.allow file. A user is now allowed to log in via sshd only if listed in this file:
# vi /etc/sshd/sshd.allow
Add one username per line:
tony
om
rocky
Restart the sshd service (optional):
# /etc/init.d/sshd restart
Now if paul tries to log in using ssh he will get an error:
Permission denied (publickey,keyboard-interactive).
The following log entries are recorded in my log file (/var/log/secure or /var/log/auth.log):
tail -f /var/log/auth.log
Output:
Jul 30 23:07:40 p5www2 sshd[12611]: PAM-listfile: Refused user paul for service ssh
Jul 30 23:07:42 p5www2 sshd[12606]: error: PAM: Authentication failure for paul from 125.12.xx.xx

Understanding the config directives:
auth required pam_listfile.so: name of the module required while authenticating users.
item=user: check the username.
sense=allow: allow the user only if present in the specified file.
file=/etc/sshd/sshd.allow: name of the file which contains the list of users (one user per line).
onerr=fail: if the file does not exist or a username is not correctly formatted, nobody is allowed to log in (fail closed), which is the right choice for an allow list.

One caveat: sshd only runs the PAM "auth" stack for password and keyboard-interactive logins. A user with an accepted public key never goes through it (only the account and session stacks run), so to make the list cover key-based logins as well, add the same pam_listfile line as an "account" entry too.
http://www.kernel.org/pub/linux/libs/pam/LinuxPAMhtml/
http://www.kernel.org/pub/linux/libs/pam/LinuxPAMhtml/Linux
PAM_MWG.html
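The allow and deny decisions above, as an added shell model of how pam_listfile.so treats item=user (example code, not Linux-PAM's own and not from these notes): it makes visible what sense= and onerr= do when the list file is missing or world-writable, which is what a defender should check before relying on a deny list. It assumes one username per line and constructs its own scratch list files.

```shell
#!/bin/sh
# Added example: a shell model of the pam_listfile.so decision for item=user.
# Not the module's code; it mirrors the documented behaviour so the effect of
# a configuration line can be tried against a list file before editing /etc/pam.d.

# pam_listfile_decision LISTFILE USER SENSE ONERR
# Prints "allow" or "deny" and returns 0 for allow, 1 for deny.
#   SENSE is allow|deny (what a listed user gets), ONERR is succeed|fail
#   (what happens when the list file cannot be used).
pam_listfile_decision() {
    listfile=$1 user=$2 sense=$3 onerr=$4

    # The module refuses a world-writable list outright, whatever onerr says:
    # otherwise anyone could add themselves to an allow list.
    if [ -e "$listfile" ] && [ -n "$(find "$listfile" -perm -o+w 2>/dev/null)" ]; then
        echo deny; return 1
    fi

    # A missing or unreadable file is the error path, decided by onerr=.
    # sense=deny + onerr=succeed (the first config above) is fail-open: with
    # the deny list gone, every user is let through.
    # sense=allow + onerr=fail (the second config) is fail-closed.
    if [ ! -r "$listfile" ]; then
        if [ "$onerr" = succeed ]; then echo allow; return 0; fi
        echo deny; return 1
    fi

    # Exact whole-line match, one username per line.
    if grep -qxF -- "$user" "$listfile"; then listed=0; else listed=1; fi

    case $sense in
        allow) if [ $listed -eq 0 ]; then echo allow; return 0; fi ;;
        deny)  if [ $listed -ne 0 ]; then echo allow; return 0; fi ;;
    esac
    echo deny; return 1
}

# Constructed sample lists written to a scratch directory (not the real
# /etc/sshd files); prints the directory so the caller can remove it.
make_sample_lists() {
    dir=$(mktemp -d)
    printf 'user1\nuser2\n' > "$dir/sshd.deny"
    printf 'tony\nom\nrocky\n' > "$dir/sshd.allow"
    chmod 644 "$dir/sshd.deny" "$dir/sshd.allow"
    echo "$dir"
}
```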
LVM
Create Partitions
For this Linux LVM example you need an unpartitioned hard disk /dev/sdb. First you need to create physical volumes. To do this you need partitions or a whole disk. It is possible to run the pvcreate command on /dev/sdb, but I prefer to use partitions, and from the partitions I later create physical volumes.
$ lvremove /dev/mynew_vg/vol02
More workaround
1. After creating all the partitions, change the ID of that particular partition from ID 83 to ID 8e, which is assigned for LVM
2. Don't format the LVM partition
3. As we can see, to access a partition in Linux we have to go through /dev/hda; similarly in LVM one cannot access the partition directly, you have to go through
4. PV - Physical Volume
5. Since /dev/hda5 is our /home LVM partition, we have to create a physical volume of /dev/hda5
6. $ pvdisplay
7. $ pvcreate /dev/hda5
8. $ vgscan
9. $ vgcreate myvol /dev/hda5
   $ vgdisplay
10. $ lvcreate -L <lvsize> -n lv1 myvol
11. $ lvdisplay
12. $ mke2fs -j /dev/myvol/lv1
13. $ mount /dev/myvol/lv1 /home
14. $ df -h
More Workaround
$ fdisk /dev/hdb
default
1 2
$ mount -a
$ df -h
(a)
umount /home
e2fsck -yc /dev/myvol/lv1
resize2fs /dev/myvol/lv1 1000M
lvreduce -L 1000M /dev/myvol/lv1
mount -a
df -h
The Linux Schedulers
cron - chronology sequence, chronological order (date-wise)
Cron jobs are used to schedule commands to be executed periodically, i.e. to set up commands which will repeatedly run at a set time, you can use cron jobs.
crontab is the command used to install, deinstall or list the tables used to drive the cron daemon in Vixie Cron. Each user can have their own crontab, and though these are files in /var/spool/cron/crontabs, they are not intended to be edited directly. You need to use the crontab command for editing or setting up your own cron jobs.
To edit your crontab file, type the following command:
$ crontab -e
Syntax of crontab
Your cron job looks as follows:
1 2 3 4 5 /path/to/command arg1 arg2
Where,
1: Minute (0-59)
2: Hours (0-23)
3: Day (0-31)
4: Month (0-12 [12 == December])
5: Day of the week (0-7 [7 or 0 == Sunday])
/path/to/command - Script or command name to schedule
The same five-field structure can be easily remembered with the following diagram:
* * * * * command to be executed
| | | | |
| | | | +----- Day of week (0-7) (Sunday = 0 or 7)
| | | +------- Month (1-12)
| | +--------- Day of month (1-31)
| +----------- Hour (0-23)
+------------- Minute (0-59)
Example(s)
crond* -> Binary or app-server daemon
/etc/rc.d/init.d/crond -> Init script to start the crond server
/etc/crontab -> System crontab file
min    hrs    DOM    MOY    DOW
0-59   0-23   1-31   1-12   0-7 (0=Sun, 1=Mon, 2=Tue, 3=Wed, 4=Thu, 5=Fri, 6=Sat and 7=Sun)
Each of the time-related fields may contain:
- A '*', which matches everything, or matches any value
- A single integer, which matches exactly
- Two integers separated by a dash, matching a range of values, i.e. 8-10 in the hr field would match 8am, 9am and 10am; 8-10,13 would match 8am, 9am, 10am and 1pm
- A comma-separated series of ints or ranges, matching any listed value
- */2 in the hr field refers to midnight, 2am, 4am and so forth, i.e. the cmd is executed every 2 hrs
- 0-10/2 in the hr field refers to midnight, 2am, 4am, 6am, 8am and 10am
Note:
A crontab entry is considered to match the current time when the min and hr fields match the current time and the mth field matches the current month.
An entry is considered to match the current date when the day of month field [3rd] matches the current day of the mth OR the day of week [5th] field matches the current day of the week: IT IS NOT NECESSARY THAT BOTH THE DAY OF THE MTH AND DAY OF THE WEEK MATCH!
If both the time and date match the current time and date, the cmd is executed!
Never put a '*' in the first field unless you want the cmd to run every minute.
You MAY hand-edit this file, but it is never necessary since run-parts does everything. Simply put a shell script in the appropriate /etc/cron.*/ dirs.
Also the crond* daemon need not be restarted. It will do just that every minute anyway.
Example: Users often forget to shut down their machines and go home. Hence, the machine should auto-shutdown at 11pm.
/etc/crontab
Install your cron job: # crontab -e
0 23 * * * root /sbin/shutdown -h now
b) If you wished to have a script named /root/backup.sh run every day at 3am, my crontab entry would look as follows. Append the following entry:
0 3 * * * /root/backup.sh
Run five minutes after midnight, every day:
5 0 * * * /path/to/command
Run at 2:15pm on the first of every month:
15 14 1 * * /path/to/command
Run at 10pm on weekdays:
0 22 * * 1-5 /path/to/command
Run 23 minutes after midnight, 2am, 4am ..., every day:
23 0-23/2 * * * /path/to/command
Run at 5 after 4 every Sunday:
5 4 * * sun /path/to/command
If you run many sites, you can use this tip to make managing your cron jobs easier. To minimize the clutter, create a /etc/cron.5min directory and have crontab read this directory every five minutes.
*/5 * * * * root run-parts /etc/cron.5min
45 * * * * /usr/bin/lynx -source http://example.com/cron.php
45 * * * * /usr/bin/wget -O - -q -t 1 http://www.example.com/cron.php
45 * * * * curl --silent --compressed http://example.com/cron.php
00 11,16 * * * /home/sadhiq/bin/incremental-backup
00 - 0th Minute (Top of the hour)
11,16 - 11 AM and 4 PM
* - Every day
* - Every month
* - Every day of the week
00 09-18 * * * /home/ramesh/bin/check-db-status
00 - 0th Minute (Top of the hour)
09-18 - 9am, 10am, 11am, 12am, 1pm, 2pm, 3pm, 4pm, 5pm, 6pm
* - Every day
* - Every month
* - Every day of the week
*/10 * * * * /home/sadhiq/check-disk-space
Cron jobs are saved into /var/spool/cron/$username
$ crontab -l  -> To list your crontab jobs
$ crontab -r  -> To remove or erase all crontab jobs
Use special strings to save time
Instead of the first five fields, you can use any one of eight special strings. It will not just save your time but it will improve readability.
Special string   Meaning
@reboot          Run once, at startup.
@yearly          Run once a year, "0 0 1 1 *".
@annually        (same as @yearly)
@monthly         Run once a month, "0 0 1 * *".
@weekly          Run once a week, "0 0 * * 0".
@daily           Run once a day, "0 0 * * *".
@midnight        (same as @daily)
@hourly          Run once an hour, "0 * * * *".
Run ntpdate every hour:
@hourly /path/to/ntpdate
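The field rules, the day-of-month/day-of-week note and the @-strings above, as an added example (not from these notes and not cron's own code): a POSIX-shell evaluator that decides whether a crontab time specification fires at a given minute, hour, day, month and weekday. It goes one step beyond the note on the day fields, following Vixie cron: when either day field starts with '*' the other one alone decides, and only when both are restricted does either one matching suffice.

```shell
#!/bin/sh
# Added example: evaluates whether a crontab time specification fires at a
# given moment. Not from the original notes and not cron's own code; it
# follows the field rules the notes describe and Vixie cron's day-field rule.

# Map Vixie cron's three-letter month and weekday names to numbers;
# anything else is returned unchanged.
cron_name_to_num() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        sun) echo 0 ;; mon) echo 1 ;; tue) echo 2 ;; wed) echo 3 ;;
        thu) echo 4 ;; fri) echo 5 ;; sat) echo 6 ;;
        jan) echo 1 ;; feb) echo 2 ;; mar) echo 3 ;; apr) echo 4 ;;
        may) echo 5 ;; jun) echo 6 ;; jul) echo 7 ;; aug) echo 8 ;;
        sep) echo 9 ;; oct) echo 10 ;; nov) echo 11 ;; dec) echo 12 ;;
        *) echo "$1" ;;
    esac
}

# cron_field_matches FIELD VALUE LOW HIGH
# Returns 0 when VALUE is covered by FIELD: '*', a single number, a range
# a-b, or a comma-separated list of those, each optionally followed by /step.
cron_field_matches() {
    field=$1 value=$2 lo=$3 hi=$4
    rest=$field
    while [ -n "$rest" ]; do
        part=${rest%%,*}                     # next comma-separated item
        if [ "$part" = "$rest" ]; then rest=''; else rest=${rest#*,}; fi
        step=1
        case $part in */*) step=${part#*/}; part=${part%%/*} ;; esac
        case $part in
            '*') start=$lo end=$hi ;;
            *-*) start=$(cron_name_to_num "${part%-*}")
                 end=$(cron_name_to_num "${part#*-}") ;;
            *)   start=$(cron_name_to_num "$part"); end=$start ;;
        esac
        if [ "$value" -ge "$start" ] && [ "$value" -le "$end" ] \
           && [ $(( (value - start) % step )) -eq 0 ]; then
            return 0
        fi
    done
    return 1
}

# Expand the @-shortcuts from the table above into five-field form.
cron_expand_special() {
    case $1 in
        @yearly|@annually) echo '0 0 1 1 *' ;;
        @monthly)          echo '0 0 1 * *' ;;
        @weekly)           echo '0 0 * * 0' ;;
        @daily|@midnight)  echo '0 0 * * *' ;;
        @hourly)           echo '0 * * * *' ;;
        *)                 echo "$1" ;;
    esac
}

# cron_matches SPEC MINUTE HOUR DAY_OF_MONTH MONTH DAY_OF_WEEK
# SPEC is the five time fields (or an @-shortcut). Minute, hour and month
# must all match. For the two day fields Vixie cron's rule applies: if
# either field starts with '*', the other one alone decides; if both are
# restricted, the entry fires when EITHER matches (the OR in the note above).
cron_matches() {
    spec=$(cron_expand_special "$1")
    m=$2 h=$3 dom=$4 mon=$5 dow=$6
    case $spec in @*) return 1 ;; esac       # @reboot is not a time match
    set -f; set -- $spec; set +f             # split fields; -f stops '*' globbing
    [ $# -eq 5 ] || return 2
    cron_field_matches "$1" "$m"   0 59 || return 1
    cron_field_matches "$2" "$h"   0 23 || return 1
    cron_field_matches "$4" "$mon" 1 12 || return 1
    dom_ok=1 dow_ok=1
    cron_field_matches "$3" "$dom" 1 31 && dom_ok=0
    # Sunday may be written as 0 or 7, so a Sunday value is tried both ways.
    if cron_field_matches "$5" "$dow" 0 7; then dow_ok=0
    elif [ "$dow" -eq 0 ] && cron_field_matches "$5" 7 0 7; then dow_ok=0
    fi
    day_star=1
    case $3 in '*'*) day_star=0 ;; esac
    case $5 in '*'*) day_star=0 ;; esac
    if [ $day_star -eq 0 ]; then
        [ $dom_ok -eq 0 ] && [ $dow_ok -eq 0 ]
    else
        [ $dom_ok -eq 0 ] || [ $dow_ok -eq 0 ]
    fi
}
```

Call it as, for instance, cron_matches '0 22 * * 1-5' 0 22 10 7 6 to confirm that the "weekdays" entry does not fire on a Saturday.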
Typical /etc/crontab file entries:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
Directory            Description
/etc/cron.d/         Put all scripts here and call them from the /etc/crontab file.
/etc/cron.daily/     Run all scripts once a day
/etc/cron.hourly/    Run all scripts once an hour
/etc/cron.monthly/   Run all scripts once a month
/etc/cron.weekly/    Run all scripts once a week
How do I use the above directories to put scripts?
Here is a sample shell script (clean.cache) to clean up cached files every 10 days. This script is created directly in the /etc/cron.daily/ directory, i.e. create a file called /etc/cron.daily/clean.cache:
#!/bin/bash
CROOT="/tmp/cachelighttpd/"
DAYS=10
LUSER="lighttpd"
LGROUP="lighttpd"
# start cleaning: remove cached files older than $DAYS days
# (-print0/-0 keep file names with spaces intact; -r skips rm when nothing matched)
/usr/bin/find "${CROOT}" -type f -mtime +"${DAYS}" -print0 | xargs -0 -r /bin/rm
# if the directory was deleted by some other script, just get it back
if [ ! -d "$CROOT" ]
then
    /bin/mkdir -p "$CROOT"
    /bin/chown "${LUSER}:${LGROUP}" "${CROOT}"
fi
Cron Access Perms
/etc/cron.allow and /etc/cron.deny
- If a user is only in /etc/cron.allow, then all others are denied
- If a user is only in /etc/cron.deny, then all others are allowed / not affected
- If cron.deny is touched, then no user is allowed to create a crontab
- If cron.allow is touched, then no user is allowed to create a crontab
AT
'at' executes a command once on a particular day, at a particular time. at will add a particular command to be executed.
Examples:
$ at 21:30
You then type the commands you want executed, then press the end-of-file character (normally CTRL-D). Also try:
$ at now + time
This will run at the current time + the hours/mins/seconds you specify (use at now + 1 hour to have command(s) run 1 hour from now...)
You can also use the -f option to have at execute a particular file (a shell script).
$ at -f shell_script now + 1 hour
This would run the shell script 1 hour from now.
atq - Will list jobs currently in the queue for the user who executed it; if root executes it, it will list all jobs in the queue for the at daemon. Doesn't need or take any options.
atrm - Will remove a job from the 'at' queue.
Command syntax:
$ atrm job_no
Will delete the job "job_no" (use atq to find out the number of the job)
$ at -f myjobs.txt now + 1 hour
$ at -f myjob now + 1 min
$ at 10am tomorrow
$ at 11:00 next month
$ at 22:00 today
$ at now + 1 week
$ at noon
Anacron
anacron is another tool designed for systems which are not always on, such as home computers.
While cron will not run if the computer is off, anacron will simply run the command when the computer is next on (it catches up with things).
Quota
Important Note:
1. Quotas can only be created for partitions.
2. Quota is of two types, user and group.
3. If a 1MB quota is set for the partition /home, then every directory under /home, or every user on the system (since each directory in /home represents a user), can use a max of 1MB.
Enabling Quotas
1. Go to /etc/fstab and in the options field, add "usrquota" after a "," for the partition where you want to enable quota, in our case /home.
Note: If you want to enable group quota then enter "grpquota" instead of "usrquota"
Reboot and directly jump to step 5! else...
2. Unmount and mount /home for the changes to take effect
$ umount /home
$ mount /home
or
$ mount -o remount /home
Note: If the system is rebooted after step 2, skip steps 3 & 4 and jump to step 5.
3. To scan /home and enable quota
$ quotacheck -vcu /home
4. To turn on quota on /home
$ quotaon -v /home
5. To check if quota is on or not
$ repquota -a
Implementing Quotas
6. To edit quota for a user
$ edquota -u <username>
Note: -u stands for user; for a group type -g and give the group name
7. To edit the grace period
$ edquota -t
8. To copy the quota setting of one user to another user
$ edquota -p <source_user> <user>
OR, for all users:
$ edquota -p <source_user> `awk -F: '$3>499 {print $1}' /etc/passwd`
Repairing a quota.user file
9. Boot in single mode
10. Turn off quotas
$ quotaoff -v /home
Enable Quota on Filesystem -> /home
Cond: if there is no /home partition, imply quota on the / filesystem
Practical
$ vi /etc/fstab
/dev/hda7 /home ext3 defaults,usrquota 0 0
Remount the /home filesystem with usrquota parameters
$ mount -o remount /home
Confirm whether usrquota is implied
$ mount
It should look like this:
/dev/hda7 on /home type ext3 (rw,usrquota)
Create the quota database file, i.e. aquota.user on /home
$ quotacheck -cuv /home  -> This creates aquota.user under /home
Enable the quota on /home
$ quotaon /home
Set a user-level quota on user neo restricting the size below 70k
$ edquota -u neo
This opens up a temp file under /tmp via the vi editor:
Disk quotas for user neo (uid 529):
                     <file size quota>   <No. of files quota>
Filesystem   blocks   soft   hard   inodes   soft   hard
/dev/hda7        11     50     69       11      0      0
Quota implemented for the user gets updated in /home/aquota.user
Confirm whether quota really works or not
Login as neo
$ su - neo
$ dd if=/dev/zero of=/home/neo/data.tmp bs=1k count=70
This should show the below error:
warning, user block quota exceeded.
dd: writing `data.tmp': Disk quota exceeded
If user neo wants to view his own quota
$ quota
As the root user you would be interested in viewing the quota statistics on a user-level basis.
# repquota -a
How to enable grpquota, i.e. Group Quota
$ vi /etc/fstab
/dev/hda7 /home ext3 defaults,usrquota,grpquota 0 0
Remount the /home filesystem with usrquota and grpquota parameters
$ mount -o remount /home
Confirm whether usrquota is implied
$ mount
It should look like this:
/dev/hda7 on /home type ext3 (rw,usrquota,grpquota)
Create the quota database files, i.e. aquota.group and aquota.user on /home
$ quotacheck -cugv /home
-> This creates aquota.group and aquota.user under /home
How to set grpquota
$ edquota -g ADMINS
How to disable quota
# quotaoff /home
How to imply the quota settings meant for user neo onto user champu
# edquota -p neo jane
Commands
quota - display disk usage and limits
rquota - implement quotas on remote machines
fstab - static information about the filesystems
edquota - edit user quotas
setquota - set disk quotas (command line editor)
quotacheck - scan a filesystem for disk usage, create, check and repair quota files
quotaon - turn filesystem quotas on
quotaoff - turn filesystem quotas off
Kernel Compilation
If you want to update the kernel from new source code you have downloaded, or you have applied a patch to add new functionality or hardware support, you will need to compile and install a new kernel to actually use that new functionality. Compiling the kernel involves translating the kernel's contents from human-readable code to binary form. Installing the kernel involves putting all the compiled files where they belong in /boot and /lib and making changes to the boot loader.
The process of compiling the kernel is almost completely automated by the make utility, as is the process of installing. By providing the necessary arguments and following the steps covered next, you can recompile and install a custom kernel for your use.
Basically, there are three types of kernel:
Monolithic Kernel, Micro Kernel, Exo Kernel
Monolithic: As the name itself suggests, the kernel has every service like FS management, MM, process management, etc. in the kernel space. It does not run as a separate process. So, as you guess, there is no context switching when you ask for a service. But the probability of a monolithic kernel getting stuck is higher, because if there is a bug in the kernel itself, nothing can rescue it. Linux and Windows are good examples of monolithic kernels. Linux being a monolithic kernel, you can insert modules into the kernel dynamically using the insmod command.
Micro Kernel: A microkernel runs all the services as daemons in user space. So, if a problem occurs in any of the services, the kernel will be able to decide what to do next. But you pay off the time to switch to a service in this type of kernel. Microkernels are somewhat more difficult to design and build than the monolithic kernel. There are always discussions over the internet talking about the advantages and disadvantages of monolithic and micro kernels.
Exo Kernel: The exokernel is not yet stabilized. It's under design and research. The user-mode processes running in this type of kernel have the ability to access kernel resources like process tables, etc. directly.
[Figure: Structure of monolithic and microkernel-based operating systems, respectively]
Compilation
Steps to compile the kernel on Red Hat 9
Install dependencies:
kernel-source-2.4.20-8.i386.rpm
binutils-2.13.90.0.18-9.i386.rpm
glibc-kernheaders-2.4-8.10.i386.rpm
cpp-3.2.2-5.i386.rpm
gcc-3.2.2-5.i386.rpm
glibc-2.3.2-11.9.i386.rpm
libgcc-3.2.2-5.i386.rpm
glibc-common-2.3.2-11.9.i386.rpm
ncurses-5.3-4.i386.rpm
glibc-devel-2.3.2-11.9.i386.rpm
ncurses-devel-5.3-4.i386.rpm
Once all these dependencies are installed:
1) Go to /usr/src/linux-2.4/
2) Edit the Makefile [Top Level], parameter EXTRAVERSION = -8champu
3) make mrproper [deletes the .config]
4) Copy the config for your architecture:
cp /usr/src/linux-2.4/configs/kernel-2.4.18-i686.config /usr/src/linux-2.4/.config   [see uname -m]
or simply
cp -p configs/kernel-2.4.18-i686.config .config
5) make oldconfig - To update the .config with the running kernel parameters
6) make config / make menuconfig (for text) / make xconfig - make the necessary changes: enable ntfs, disable sound & bluetooth
7) make dep - checks dependencies & constructs the MAKEFILE.
8) make clean - cleans unwanted files from memory loaded by the above commands.
9) make bzImage - Actual kernel compilation process
10) make modules - Actual KLM compilation process
11) make modules_install   # check in /lib/modules/2.4.20-8champu/
12) cp /usr/src/linux-2.4.20-8/arch/i386/boot/bzImage /boot/vmlinuz-2.4.20-8champu
13) cp /usr/src/linux-2.4.18-14/System.map /boot/System.map-2.4.20-8champu
14) cp /usr/src/linux-2.4.20-8/.config /boot/config-2.4.20-8champu [OPTIONAL]
15) mkinitrd /boot/initrd-2.4.20-8champu.img 2.4.20-8champu
16) vi /etc/grub.conf   # Add the new customized kernel entries
title REDHAT 9 champu (customized)
    root (hd0,8)
    kernel /vmlinuz-2.4.20-8champu ro root=/dev/hda11 rhgb quiet
    initrd /initrd-2.4.20-8champu.img
note: hd0,8 for the boot partition (/dev/hda9 - 1 = hda8) (/dev/hda11 is /)
17) reboot
CentOS 5: Steps to compile kernel 2.6:
1> copy the kernel tarball file into the /usr/src/kernels/ location & untar it into that location
2> tar jxvf /usr/src/kernels/linux-2.6.18.2.tar.bz2
3> cd /usr/src/kernels/linux-2.6.18.2
4> make gconfig (graphical)
   make menuconfig (text)
5> make clean
6> make bzImage
7> make modules
8> make modules_install
9> cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.18-2
10> cp /usr/src/kernels/linux-2.6.18.2/System.map /boot/System.map-2.6.18-2
11> ln -s /boot/System.map-2.6.18-2 /boot/System.map
12> Create the initrd:
$ first check in /lib/modules/2.6.18.2 whether this is created or not, then execute the next command
mkinitrd /boot/initrd-2.6.18.2.img 2.6.18.2
Final Steps
$ vi /etc/grub.conf
default=0
timeout=77
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Enterprise Linux AS (2.6.9-34.EL)
    root (hd0,0)
    kernel /vmlinuz-2.6.9-34.EL ro root=LABEL=/ rhgb quiet
    initrd /initrd-2.6.9-34.EL.img
title Red Hat Enterprise Linux AS (2.6.18.2)
    root (hd0,0)
    kernel /vmlinuz-2.6.18-2 ro root=LABEL=/ rhgb quiet
    initrd /initrd-2.6.18.2.img
Kernel Definition
http://www.linfo.org/kernel.html
Kernel compilation
http://www.cyberciti.biz/tips/compiling-linux-kernel-26.html
http://book.opensourceproject.org.cn/distrib/ubuntu/unleashed/opensource/0672329093/ch35lev1sec7.html
http://wiki.centos.org/HowTos/Custom_Kernel
This is one of the essential and important tasks. Many times we upgrade our kernel and some precompiled drivers won't work with Linux. Especially if you have weird hardware; then the vendor may send you driver code, aka C files, to compile. Or you can even write your own Linux kernel driver. Compiling a kernel driver is easy. Kernel 2.6.xx makes it even easier. The following steps are required to compile a driver as a module:
1) You need the running kernel's source code; if you don't have the source code, download it from kernel.org. Untar the kernel source code (tar ball) in /usr/src using the tar command:
$ tar -zxvf kernel* -C /usr/src
To be frank, kernel headers are more than sufficient to compile kernel modules/drivers. See how to install kernel headers under Debian/Ubuntu Linux or RHEL/CentOS/Fedora Linux.
2) Next go to your kernel module source code directory and simply create the Makefile as follows (assuming your kernel module name is foo):
$ vi Makefile
3) Add the following text to it (recipe lines must start with a tab):
obj-m = foo.o
KVERSION = $(shell uname -r)
all:
	make -C /lib/modules/$(KVERSION)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(KVERSION)/build M=$(PWD) clean
4) Compile the module using the make command (the module build can be done by any user):
$ make
It will finally create the foo.ko module in the current directory. You can see all the actual compile commands stored in .foo* files in the same directory.
5) Once the module has compiled successfully, load it using the insmod or modprobe command. You need to be the root user or a privileged user to run insmod:
# insmod foo.ko
Example: hello.c module
1) hello.c C source code. Copy the following code and save it to hello.c
$ mkdir demo; cd demo
$ vi hello.c
2) Add the following C source code to it:
#include <linux/module.h>   /* Needed by all modules */
#include <linux/kernel.h>   /* Needed for KERN_INFO */
#include <linux/init.h>     /* Needed for the macros */

/* Added here: declaring the licence keeps the kernel from being marked
   tainted when the module is loaded. */
MODULE_LICENSE("GPL");

/* Called when the module is loaded (insmod/modprobe) */
static int __init hello_start(void)
{
    printk(KERN_INFO "Loading hello module...\n");
    printk(KERN_INFO "Hello world\n");
    return 0;
}

/* Called when the module is removed (rmmod) */
static void __exit hello_end(void)
{
    printk(KERN_INFO "Goodbye Mr.\n");
}

module_init(hello_start);
module_exit(hello_end);
This is an example modified from the original source for demonstration purposes.
3) Save the file. Create a new Makefile as follows:
$ vi Makefile
Append the following make commands:
obj-m = hello.o
KVERSION = $(shell uname -r)
all:
	make -C /lib/modules/$(KVERSION)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(KVERSION)/build M=$(PWD) clean
4) Save and close the file.
5) Compile the hello.c module:
$ make
6) Become the root user (use su or sudo) and load the module:
$ su
$ insmod hello.ko
Note: you can see the message on screen if you are logged in as root under runlevel 3.
7) Verify that the module loaded:
$ lsmod | less
8) See the message in the /var/log/messages file:
$ tail -f /var/log/messages
9) Unload the module:
$ rmmod hello
10) Load the module when the Linux system comes up. The file /etc/modules is used to load kernel modules at boot time. This file should contain the names of the kernel modules that are to be loaded at boot time, one per line. First copy your module to /lib/modules/$(uname -r)/kernel/drivers. The following are the suggested steps:
(a) Create a directory for the hello module:
$ mkdir -p /lib/modules/$(uname -r)/kernel/drivers/hello
(b) Copy the module:
$ cp hello.ko /lib/modules/$(uname -r)/kernel/drivers/hello/
(c) Edit the /etc/modules file under Debian Linux:
$ vi /etc/modules
(d) Add the following line to it:
hello
(e) Reboot to see the changes. Use the lsmod or dmesg command to verify whether the module loaded or not.
$ cat /proc/modules
OR
$ lsmod | less
Most people have a fairly recent kernel. But since the kernel is constantly being updated, people on modems (such as myself) don't like downloading the whole source every time a new version of the kernel comes out... It is a pain to download 14+ megs of stuff when 95% of it is the same stuff that you already have in your kernel source directory.
For this reason, kernel patches are released. Kernel patches contain only the files that have changed since the last kernel, hence making it less of a pain to upgrade.
It is a good idea to back up your old kernel tree before you do anything to it, just in case something messes up. To do this, do the following:
Become root and then go into your kernel source directory (for me it was /usr/src/linux-2.2.10) and do a 'make clean' to clean it up so you don't compress a lot of crap you don't need, as follows:
# cd /usr/src/linux-2.2.10
# make clean
Now you need to back up the tree; I did this by doing the following:
# cd /usr/src/
# tar -zcvf linux-2.2.10-tree.tar.gz linux-2.2.10
Now with that backed up, you can go ahead and change the stuff with less worrying...
If you have kernel 2.2.10, like I did, and 2.2.12 is the current stable release (or at least it is as I am writing this), you need all of the patch files after 2.2.10. So in my case, I needed to get patch-2.2.11.gz and patch-2.2.12.gz.
http://www.kernelnotes.org is where I got mine from, but I'm sure there are mirrors where you can get the patches from; more on this is on www.kernelnotes.org.
Note: When I downloaded this file using Netscape, it ungzipped it for me as it was downloading... so I didn't have to do the following step that you would have to do if you were using a program such as 'ftp'.
Ungzip the file by doing the following:
# gzip -d patch-2.2.11.gz
# gzip -d patch-2.2.12.gz
This will leave you with patch-2.2.11 and patch-2.2.12 (unless you downloaded the file with Netscape, and this step would already have been done for you).
Now move the files to your kernel source directory (using the mv command):
mv patch-2.2.* /usr/src/linux-2.2.10
Now change into your kernel source directory (/usr/src/linux-2.2.10 in my case).
Now you need to apply the patches to the source... Order is important here. Start with the lowest and go to the highest, like the following:
# patch -p1 < patch-2.2.11
# patch -p1 < patch-2.2.12
Both of these commands will give you lots of output telling you what files are being patched, etc.
After I applied the patches, I went ahead and renamed my source directory to reflect the patches applied (mv /usr/src/linux-2.2.10 /usr/src/linux-2.2.12) and then I removed the old /usr/src/linux link and replaced it with the new location (rm /usr/src/linux and then ln -s /usr/src/linux-2.2.12 /usr/src/linux).
Now just compile your kernel.
Kernel Patch with .KO
http://wiki.centos.org/HowTos/BuildingKernelModules
http://www.cyberciti.biz/tips/compiling-linux-kernel-module.html
Patch
http://www.cyberciti.biz/tips/how-to-patch-running-linux-kernel.html
Patch-O-Matic
http://www.fifi.org/doc/iptables-dev/html/netfilter-extensions-HOWTO-2.html
Patch without reboots - Ksplice
http://www.cyberciti.biz/tips/debian-centos-redhat-hotfix-patch-linux-kernel.html
Faq
http://kernelnewbies.org/FAQ
Kernel Tuning
Kernel tuning with sysctl
The Linux kernel is flexible, and you can even modify the way it works on the fly by dynamically changing some of its parameters, thanks to the sysctl command. sysctl provides an interface that allows you to examine and change several hundred kernel parameters in Linux or BSD. Changes take effect immediately, and there's even a way to make them persist after a reboot. By using sysctl judiciously, you can optimize your box without having to recompile your kernel, and get the results immediately.
To start getting a taste of what sysctl can modify, run sysctl -a and you will see all the possible parameters. The list can be quite long: in my current box there are 712 possible settings.
$ sysctl -a
kernel.panic = 0
kernel.core_uses_pid = 0
kernel.core_pattern = core
kernel.tainted = 129
... many lines snipped ...
If you want to get the value of just a single variable, use something like sysctl vm.swappiness, or just sysctl vm to list all variables that start with "vm.". Add the -n option to output just the variable values, without the names; -N has the opposite effect, and produces the names but not the values.
You can change any variable by using the -w option with the syntax sysctl -w variable=value. For example, sysctl -w net.ipv6.conf.all.forwarding=1 sets the corresponding variable to true (0 equals "no" or "false"; 1 means "yes" or "true"), thus allowing IPv6 forwarding. You may not even need the -w option; it seems to be deprecated. Do some experimenting on your own to confirm that.
sysctl values are loaded at boot time from the /etc/sysctl.conf file. This file can have blank lines, comments (lines starting either with a "#" character or a semicolon), and lines in the "variable=value" format. For example, my own sysctl.conf file is listed below. If you want to apply it at any time, you can do so with the command sysctl -p.
# Disable response to broadcasts.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable route verification on all interfaces
net.ipv4.conf.all.rp_filter = 1
# enable ipV6 forwarding
net.ipv6.conf.all.forwarding = 1
# increase the number of possible inotify(7) watches
fs.inotify.max_user_watches = 65536
sysctl and the /proc directory
The /proc/sys virtual directory also provides an interface to the sysctl parameters, allowing you to examine and change them. For example, the /proc/sys/vm/swappiness file is equivalent to the vm.swappiness parameter in sysctl.conf; just forget the initial "/proc/sys/" part, substitute dots for the slashes, and you get the corresponding sysctl parameter. (By the way, the substitution is not actually required; slashes are also accepted, though it seems everybody goes for the notation with the dots instead.) Thus, echo 10 > /proc/sys/vm/swappiness is exactly the same as sysctl -w vm.swappiness=10. But as a rule of thumb, if a /proc/sys file is read-only, you cannot set it with sysctl either.
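The two spellings of a parameter and the sysctl.conf format described above, as an added example (not from these notes and not the sysctl tool's own code): shell helpers that map between dotted names and /proc/sys paths, parse a sysctl.conf-style file, and print the equivalent /proc/sys writes so a settings file can be reviewed before it is applied as root. The sample file embedded in it is constructed from the notes' own sysctl.conf plus a few spacing variations.

```shell
#!/bin/sh
# Added example (not part of the original notes): helpers for the two
# spellings of a kernel parameter described above, plus a parser for the
# sysctl.conf format (blank lines, '#' or ';' comment lines, "key = value").

# Dotted sysctl name -> /proc/sys path, e.g. vm.swappiness -> /proc/sys/vm/swappiness.
# Limitation: a component that itself contains a dot (an interface named
# "eth0.1" under net.ipv4.conf) is written with '/' in sysctl syntax; this
# helper does not translate that case.
sysctl_to_proc() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# /proc/sys path -> dotted sysctl name (the reverse mapping).
proc_to_sysctl() {
    printf '%s\n' "${1#/proc/sys/}" | tr '/' '.'
}

# Read sysctl.conf text on stdin; print one "key=value" per line in file
# order, with comments, blank lines and surrounding whitespace removed.
# Lines without '=' are reported on stderr and skipped.
sysctl_conf_parse() {
    while read -r line || [ -n "$line" ]; do   # read trims outer blanks
        case $line in
            ''|'#'*|';'*) continue ;;          # blank or comment line
            *=*) ;;
            *) printf 'skipping malformed line: %s\n' "$line" >&2; continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        val=$(printf '%s' "${line#*=}"  | sed 's/^[[:space:]]*//')
        printf '%s=%s\n' "$key" "$val"
    done
}

# Turn parsed settings into the equivalent /proc/sys writes shown in the
# notes, so a change set can be reviewed before it is applied as root.
sysctl_conf_to_echo() {
    sysctl_conf_parse | while IFS='=' read -r key val; do
        printf 'echo "%s" > %s\n' "$val" "$(sysctl_to_proc "$key")"
    done
}

# Constructed sample: the notes' own sysctl.conf plus a ';' comment, odd
# spacing and a multi-value key, all of which the format allows.
sample_sysctl_conf() {
    cat <<'EOF'
# Disable response to broadcasts.
net.ipv4.icmp_echo_ignore_broadcasts = 1
; enable route verification on all interfaces
  net.ipv4.conf.all.rp_filter=1

fs.inotify.max_user_watches =   65536
net.ipv4.tcp_rmem = 4096 87380 16777216
EOF
}
```

Running sample_sysctl_conf | sysctl_conf_to_echo prints the four echo commands without touching /proc/sys, which is the form in which the notes' tuning lists are written.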
Linux network optimization with sysctl
Disabling the TCP options reduces the overhead of each TCP packet and might help to get the last few percent of performance out of the server. Be aware that disabling these options most likely decreases performance for high-latency and lossy links.
* net.ipv4.tcp_sack = 0
* net.ipv4.tcp_timestamps = 0
Increasing the TCP send and receive buffers will increase the performance a lot if (and only if) you have a lot of large files to send.
* net.ipv4.tcp_wmem = 4096 65536 524288
* net.core.wmem_max = 1048576
If you have a lot of large file uploads, increasing the receive buffers will help.
* net.ipv4.tcp_rmem = 4096 87380 524288
* net.core.rmem_max = 1048576
# These ensure that TIME_WAIT ports either get reused or closed fast.
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_tw_recycle = 1
# TCP memory
net.core.rmem_max = 16777216
net.core.rmem_default = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
# you shouldn't be using conntrack on a heavily loaded server anyway, but these are
# suitably high for our uses, ensuring that if conntrack gets turned on, the box doesn't die
net.ipv4.ip_conntrack_max = 1048576
net.nf_conntrack_max = 1048576
# increase Linux TCP buffer limits
echo 8388608 > /proc/sys/net/core/rmem_max
echo 8388608 > /proc/sys/net/core/wmem_max
# increase Linux autotuning TCP buffer limits
echo "4096 87380 8388608" > /proc/sys/net/ipv4/tcp_rmem
echo "4096 65536 8388608" > /proc/sys/net/ipv4/tcp_wmem
# echo 65536 > /proc/sys/fs/file-max   # physical RAM * 256 / 4
echo "1024 65000" > /proc/sys/net/ipv4/ip_local_port_range
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 8192 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Decrease the time default value for tcp_fin_timeout connection
# echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# echo 3 > /proc/sys/net/ipv4/tcp_syn_retries
# echo 2 > /proc/sys/net/ipv4/tcp_retries1
# Decrease the time default value for tcp_keepalive_time connection
# echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
# Turn off tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
# echo "67108864" > /proc/sys/kernel/shmmax
# Turn off the tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_sack   # This disables RFC 2018 TCP Selective Acknowledgements
# Turn off tcp_timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps   # This disables RFC 1323 TCP timestamps
echo 5 > /proc/sys/kernel/panic   # reboot 5 minutes later after a kernel panic
The third:
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_syncookies = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
Reference
http://shebangme.blogspot.com/2010/07/kernel-sysctl-configuration-file-for.html
swappiness
http://www.linux.com/archive/feature/146599
Device driver
http://en.wikipedia.org/wiki/Device_driver
Lsmod
http://en.wikipedia.org/wiki/Lsmod
Modprobe
http://en.wikipedia.org/wiki/Modprobe
Oracle + sysctl
http://www.puschitz.com/TuningLinuxForOracle.shtml
http://www.puschitz.com/TuningLinuxForOracle.shtml#SettingSHMMAXParameter
http://www.puschitz.com/TuningLinuxForOracle.shtml#TheSEMMSLParameter
Reference
http://www.linux.com/archive/feature/126718
http://www.fcicq.net/wp/?p=197
http://www.cyberciti.biz/tips/linux-procfs-file-descriptors.html
http://en.opensuse.org/Kernel_module_configuration
http://www.cyberciti.biz/tips/blade-server-disable-floppy-driver-module.html
Blacklist
Just open your /etc/modprobe.conf file and turn off autoloading using the following syntax:
alias driver-name off
If you are using Debian/Ubuntu Linux... open the /etc/modprobe.d/blacklist file and add the driver name using the following syntax:
blacklist driver-name
LinuxKernelMagicSysRqkeys
Kerneloffersyousomethingthatallowsyoutorecoveryoursystem
fromacrashorattheleastletsyoutoperformapropershutdown
usingtheMagicSysRqKeys.ThemagicSysRqkeyisaselectkey
combinationintheLinuxkernelwhichallowstheusertoperform
variouslowlevelcommandsregardlessofthesystemsstateusing
theSysRqkey.Itisoftenusedtorecoverfromfreezes,orto
rebootacomputerwithoutcorruptingthefilesystem.
HowdoIusethemagicSysRqkeysinemergency?
Youneedtousefollowingkeycombinationinorderto
reboot/halt/syncfilesystemetc:
ALT+SysRq+COMMANDKEY
The'SysRq'keyisalsoknownasthe'PrintScreen'key.COMMAND
KEYcanbeanyoneofthefollowing(allkeysneedtohit
simultaneously):
'b':Willimmediatelyrebootthesystemwithoutsyncingor
unmountingyourdisks.
'o':Willshutdownyoursystemoff(ifconfiguredand
supported).
's':Willattempttosyncallmountedfilesystems.
'u':Willattempttoremountallmountedfilesystemsread
only.
'e':SendaSIGTERMtoallprocesses,exceptforinit.
'h':Showhelp,indeedthistheoneyouneedtoremember.
SowheyyouneedtotellyourLinuxcomputertorebootorwhenyour
Xserveriscrashedoryoudon'tseeanythinggoingacrossthe
screenthenjustpress:
ALT+SysRQ+s:(PressandholddownALT,thenSysRQ(PrintScreen)
keyandpress's')Willtrytosynallmountedsystem
130
b.sadhiq
www.altnix.com
ALT+SysRQ+r:(PressandholddownALT,thenSysRQ(PrintScreen)
keyandpress'r')Willrebootthesystem.
If you wish to shut down the system instead of reboot then press the
following key combination:
ALT+SysRQ+o

ipt_sysrq is a new iptables target that allows you to do the same
as the magic sysrq key on a keyboard does, but over the network.
Sometimes a remote server hangs and only responds to icmp echo
request (ping). Every administrator of such a machine is very unhappy
because (s)he must go there and press the reset button. It takes a
long time and it's inconvenient. So use the Network Magic SysRq and
you will be able to do more than just pressing a reset button. You
can remotely sync disks, remount them read-only, then do a reboot.
And everything comfortably and only in a few seconds. Please see
Marek Zelem's page to enable the IPTables network magic SysRq function.

The magic SysRq key basically has a key combination of <ALT> +
<SysRq or PrntScrn> + <Command key>.
The command key can be one of the following, providing a specific
functionality:

b   - Will immediately reboot the system without syncing or
      unmounting your disks.
c   - Will perform a kexec reboot in order to take a crashdump.
d   - Shows all locks that are held.
e   - Send a SIGTERM to all processes, except for init.
f   - Will call oom_kill to kill a memory hog process.
g   - Used by kgdb on ppc and sh platforms.
h   - Will display help (actually any other key than those
      listed here will display help, but h is easy to remember).
i   - Send a SIGKILL to all processes, except for init.
k   - Secure Access Key (SAK). Kills all programs on the current
      virtual console. NOTE: See important comments below in the SAK
      section.
m   - Will dump current memory info to your console.
n   - Used to make RT tasks nice-able.
o   - Will shut your system off (if configured and supported).
p   - Will dump the current registers and flags to your console.
q   - Will dump a list of all running timers.
r   - Turns off keyboard raw mode and sets it to XLATE.
s   - Will attempt to sync all mounted filesystems.
t   - Will dump a list of current tasks and their information
      to your console.
u   - Will attempt to remount all mounted filesystems read-only.
v   - Dumps Voyager SMP processor info to your console.
w   - Dumps tasks that are in uninterruptable (blocked) state.
x   - Used by xmon interface on ppc/powerpc platforms.
0-9 - Sets the console log level, controlling which kernel
      messages will be printed to your console. (0, for example,
      would make it so that only emergency messages like PANICs or
      OOPSes would make it to your console.)

Ref:
http://www.susegeek.com/general/linux-kernel-magic-sysrq-keys-in-opensuse-for-crash-recovery/
http://www.cyberciti.biz/tips/reboot-linux-box-after-a-kernel-panic.html
http://www.cyberciti.biz/tips/reboot-or-halt-linux-system-in-emergency.html
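Which of the command keys above a host actually honours is controlled by the kernel.sysrq sysctl, which is either 0 (off), 1 (everything) or a bitmask of function groups. The following POSIX shell helper, an added example that is not part of the manual, decodes that bitmask so you can see what a shared console permits; the bit values follow the kernel's Documentation/sysrq.txt and the function names are my own.

```shell
#!/bin/sh
# Decode the kernel.sysrq bitmask (Documentation/sysrq.txt) into the groups
# of SysRq command keys it permits. Added example; function names are the
# author's own, not from the manual.
sysrq_decode() {
    v=$1
    case $v in
        0) echo "disabled"; return 0 ;;
        1) echo "all functions enabled"; return 0 ;;
    esac
    out=""
    [ $((v & 2))   -ne 0 ] && out="$out loglevel(0-9)"
    [ $((v & 4))   -ne 0 ] && out="$out keyboard(k,r)"
    [ $((v & 8))   -ne 0 ] && out="$out dumps(d,m,p,q,t,w)"
    [ $((v & 16))  -ne 0 ] && out="$out sync(s)"
    [ $((v & 32))  -ne 0 ] && out="$out remount-ro(u)"
    [ $((v & 64))  -ne 0 ] && out="$out signals(e,i,f)"
    [ $((v & 128)) -ne 0 ] && out="$out reboot-poweroff(b,o)"
    [ $((v & 256)) -ne 0 ] && out="$out nice-rt(n)"
    echo "${out# }"
}

# Report the running kernel's setting; prints "n/a" on a non-Linux host.
sysrq_current() {
    if [ -r /proc/sys/kernel/sysrq ]; then
        sysrq_decode "$(cat /proc/sys/kernel/sysrq)"
    else
        echo "n/a"
    fi
}

# A common hardened value keeps only the crash-recovery keys (sync, remount
# read-only, reboot/poweroff) and drops the ones that dump kernel state or
# signal every process. It is set with:  sysctl -w kernel.sysrq=176
sysrq_decode 176
```

Run the script on a Debian-style default of 438 and you get everything except the dump and signal groups; on a locked-down server you would expect 0 or 176.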
In computing, a device driver or software driver is a computer
program allowing higher-level computer programs to interact with a
hardware device.
A driver typically communicates with the device through the
computer bus or communications subsystem to which the hardware
connects. When a calling program invokes a routine in the driver,
the driver issues commands to the device. Once the device sends
data back to the driver, the driver may invoke routines in the
original calling program. Drivers are hardware-dependent and
operating-system-specific. They usually provide the interrupt
handling required for any necessary asynchronous time-dependent
hardware interface.
The mknod command
MAKEDEV is the preferred way of creating device files which are not
present. However sometimes the MAKEDEV script will not know about
the device file you wish to create. This is where the mknod command
comes in. In order to use mknod you need to know the major and
minor node numbers for the device you wish to create. The
devices.txt file in the kernel source documentation is the
canonical source of this information.
To take an example, let us suppose that our version of the MAKEDEV
script does not know how to create the /dev/ttyS0 device file. We
need to use mknod to create it. We know from looking at the
devices.txt file that it should be a character device with major
number 4 and minor number 64. So we now know all we need to create
the file.
# mknod /dev/ttyS0 c 4 64
# chown root.dialout /dev/ttyS0
# chmod 0644 /dev/ttyS0
# ls -l /dev/ttyS0
crw-rw----  1 root dialout 4, 64 Oct 23 18:23 /dev/ttyS0
As you can see, many more steps are required to create the file. In
this example you can see the process required, however. It is
unlikely in the extreme that the ttyS0 file would not be provided
by the MAKEDEV script, but it suffices to illustrate the point.
$ mknod /opt/champu b 3 10
$ mount /opt/champu /home
1. lsmod
2. insmod
3. rmmod
4. modprobe
5. modinfo
6. depmod

lsmod is a command on Linux systems which prints the contents of
the /proc/modules file. It shows which loadable kernel modules are
currently loaded.
Abridged example output:
# lsmod
Module                  Size  Used by
af_packet              27392  2
8139too                30592  0
snd_cs46xx             96872  3
snd_pcm_oss            55808  1
snd_mixer_oss          21760  2 snd_pcm_oss
ip6table_filter         7424  1
ip6_tables             19728  1 ip6table_filter
ipv6                  290404  22
xfs                   568384  4
sis900                 18052  5
libata                169920  1 pata_sis
scsi_mod              158316  3 usb_storage,sd_mod,libata
usbcore               155312  6 ohci_hcd,usb_storage,usbhid

The first column is the module name and the second column is the
size of the module, i.e. the output format is module name, size,
use count, list of referring modules.

modprobe is a Linux program originally written by Rusty Russell
used to add a loadable kernel module (LKM) to the Linux kernel or
remove an LKM from the kernel. It is commonly used indirectly as
udev relies upon modprobe to load drivers for automatically
detected hardware.
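The four-column lsmod format described above (name, size, use count, referrers) is easy to work with from a script. The helpers below, an added example that is not the manual's own code, answer the two questions an administrator usually has when reviewing a module list: which loaded modules nothing depends on (candidates for rmmod or a blacklist entry if the hardware is not present), and which modules hold a reference to a given one. The sample input is constructed from the listing above and the function names are my own.

```shell
#!/bin/sh
# Parse lsmod-style output: Module Size Used-by [comma-separated referrers].
# Added example; the sample is constructed from the listing above and the
# function names are the author's own.
LSMOD_SAMPLE='Module Size Used by
af_packet 27392 2
8139too 30592 0
snd_mixer_oss 21760 2 snd_pcm_oss
ip6_tables 19728 1 ip6table_filter
libata 169920 1 pata_sis
scsi_mod 158316 3 usb_storage,sd_mod,libata
usbcore 155312 6 ohci_hcd,usb_storage,usbhid'

# Modules with a use count of 0: nothing depends on them, so they can be
# unloaded with rmmod, or blacklisted if this host does not need them.
mod_unused() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 == 0 { print $1 }'
}

# The named referrers of one module (fourth column), one per line.
mod_referrers() {
    printf '%s\n' "$1" | awk -v m="$2" '
        $1 == m { n = split($4, r, ","); for (i = 1; i <= n; i++) print r[i] }'
}

# Against the running kernel (Linux only):
#   mod_unused "$(lsmod)"
#   mod_referrers "$(lsmod)" scsi_mod
```

Note that the use count only reflects in-kernel references; a module with a count of 0 may still be needed the next time a device is plugged in, so check modinfo and the hardware inventory before blacklisting.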
Networking
Tools
$ ifconfig
$ neat-tui
$ /etc/sysconfig/network-scripts/ifcfg-eth0
$ netconfig
$ ethtool
$ ip r l
$ telnet
$ nmap
$ netstat
$ ping
$ route
$ traceroute
$ tcpdump     > n/w traffic tool
$ iptraf      > Monitor n/w traffic. curses-based tool. Self explanatory
$ ethereal    > Network Analyzer which does data capture and filtering
$ tethereal   > Captures and displays only the high-level protocols
$ ifconfig > Status of all interfaces
eth0      Link encap:Ethernet  HWaddr 00:50:FC:2A:2C:48
          inet addr:192.0.34.7  Bcast:192.0.34.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:240 (240.0 b)
          Interrupt:11 Base address:0xf000

eth1      Link encap:Ethernet  HWaddr 00:60:CC:AA:2C:9C
          inet addr:192.168.0.20  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:240 (240.0 b)
          Interrupt:11 Base address:0xc000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1407 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1407 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:149180 (145.6 Kb)  TX bytes:149180 (145.6 Kb)

$ ifconfig eth0 > Status of eth0 interface
eth0      Link encap:Ethernet  HWaddr 00:50:FC:2A:2C:48
          inet addr:192.0.34.7  Bcast:192.0.34.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:240 (240.0 b)
          Interrupt:11 Base address:0xf000

$ ifconfig eth0 IP        > Set eth0 to IP
$ ifconfig eth0:x IP      > Set eth0 to a multiplexed (alias) IP
$ ifconfig eth0 down      > Bring eth0 down
$ ifdown eth0             > ditto
$ ifconfig eth0 up        > Bring eth0 up
$ ifup eth0               > ditto
$ ifconfig eth0 -arp      > Disable use of the arp protocol on this interface
$ ifconfig eth0 allmulti
  Enable or disable all-multicast mode. If selected, all multicast
  packets on the network will be received by the interface.
$ ifconfig eth0 -promisc
  Turn off promiscuous mode of the interface eth0. If on, tells the
  interface to send all traffic on the NW to the kernel, not just
  traffic addressed to the m/c. Check with ifconfig or netstat -i.
$ ifconfig eth0 hw ether CC:CC:CC:CC:CC:CC
  Changes the MAC address. Do an 'ifconfig eth0 down' first, change,
  then 'ifconfig eth0 up'. MAC addr is changed.
$ ifconfig eth0 172.16.1.77 broadcast 172.16.1.255 netmask 255.255.0.0
  Changes IP/BC/netmask all in one go!
$ ifconfig eth0 mtu 800
  Change mtu to 800
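The "check with ifconfig" advice for promiscuous mode is worth automating: an interface that is unexpectedly in PROMISC mode is a classic sign of a sniffer. The script below, an added example and not the manual's own code, scans ifconfig-style output for the PROMISC flag and, as a second check, for interfaces reporting RX/TX errors. The sample output is constructed after the listing above (with eth0 flipped into promiscuous mode) and the function names are my own.

```shell
#!/bin/sh
# Scan ifconfig-style output for interfaces in promiscuous mode and for
# interfaces with link errors. Added example; the sample output is
# constructed and the function names are the author's own.
IFCONFIG_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:50:FC:2A:2C:48
          inet addr:192.0.34.7  Bcast:192.0.34.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0

eth1      Link encap:Ethernet  HWaddr 00:60:CC:AA:2C:9C
          inet addr:192.168.0.20  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12 errors:3 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1407 errors:0 dropped:0 overruns:0 frame:0'

# Interface blocks start in column 1; everything indented belongs to the
# block above it. Print the name of each block whose flags include PROMISC.
promisc_ifaces() {
    printf '%s\n' "$1" | awk '/^[A-Za-z]/ { iface = $1 } /PROMISC/ { print iface }'
}

# Interfaces with a non-zero RX or TX error counter (bad cable, duplex
# mismatch, or a saturated link).
ifaces_with_errors() {
    printf '%s\n' "$1" | awk '/^[A-Za-z]/ { iface = $1 } /errors:[1-9]/ { print iface }'
}

# Against the live system (net-tools); "ip link" shows PROMISC in its
# flag list too if ifconfig is not installed:
#   promisc_ifaces "$(ifconfig -a 2>/dev/null)"
```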
ethtool - Display or change ethernet card settings
$ ethtool ethX
$ ethtool -h
$ ethtool -a ethX
$ ethtool -A ethX [autoneg on|off] [rx on|off] [tx on|off]
$ ethtool -c ethX
$ ethtool -C ethX [adaptive-rx on|off] [adaptive-tx on|off] [rx-usecs N]
  [rx-frames N] [rx-usecs-irq N] [rx-frames-irq N] [tx-usecs N]
  [tx-frames N] [tx-usecs-irq N] [tx-frames-irq N] [stats-block-usecs N]
  [pkt-rate-low N] [rx-usecs-low N] [rx-frames-low N] [tx-usecs-low N]
  [tx-frames-low N] [pkt-rate-high N] [rx-usecs-high N] [rx-frames-high N]
  [tx-usecs-high N] [tx-frames-high N] [sample-interval N]
$ ethtool -g ethX
$ ethtool -G ethX [rx N] [rx-mini N] [rx-jumbo N] [tx N]
$ ethtool -i ethX
$ ethtool -d ethX
$ ethtool -e ethX
$ ethtool -k ethX
$ ethtool -K ethX [rx on|off] [tx on|off] [sg on|off]
$ ethtool -p ethX [N]
$ ethtool -r ethX
$ ethtool -S ethX
$ ethtool -t ethX [offline|online]
$ man ethtool
ping - TCP/IP Diagnostic Tool
Send ICMP ECHO_REQUEST to network hosts.
There are two types of ping:
The std Unix ping, which sends an ICMP ECHO REQUEST and receives an
ICMP ECHO REPLY from the remote host if it is UP and running.
The other is to send a UDP or TCP pkt to port 7 [echo] of the
remote host and see that whatever you type is echoed back. The
host is UP.
$ telnet remotehost echo (or 7)
and whatever you type will be echoed back to you. System is alive!
$ ping -c -a -n IP/Hostname    [Count / Audible Ping / No Name Resolution]
ping sends a packet of 64 bytes by default. The size is 56 ICMP data
bytes + 8 bytes for the header data.
$ ping -s 1600 203.12.10.20
Send a larger pkt size than the MTU of Ethernet [1500]; you can
force fragmentation. You can then identify a low-level media issue or
a congested NW. Since ping works at the IP layer, no server process
[HTTP/DNS] is reqd to be running on the target host. Just a running
kernel.
Check the ICMP seq no to see that no pkts are dropped and are in
sequence.
Run
$ traceroute > to get the path the pkt is taking and then track down
the offending midway routers by pinging each in succession.
$ route ['add'/'del'] [net|host] 'addr' {gw 'IP'} {netmask 'mask'} 'interface'
Default route:
/etc/sysconfig/network
GATEWAY=IP
or
route add default gw gatewayIPaddr

Routing determines the path a pkt takes from its source thru a maze of
NWs to dest.
Like asking for directions in an unfamiliar place. A person may
point you to the right city, another to a street, another to the
right bldg.
Routing is done at the IP layer.
When a pkt bound for some other host arrives, the path is found by
matching the dest IP addr against the Kernel Routing Table [KRT].
If it matches a route in the KRT, the pkt is fwd'ed to the 'next
hop gateway' IP addr associated with the route.
Two special cases are possible here:
Case I: The pkt may be destined for some host on a directly connected
NW. In this case the 'next hop gateway' IP addr in the KRT will be
one of the local host's own interfaces and the pkt is sent directly
to its dest. This type of route is what you normally get with the
ifconfig cmd when you configure an interface.
Case II: No route in the KRT matches the dest addr that the pkt
wishes to reach. The default route [Gateway] is invoked. Or an
error. Most NWs have only one way out and that is the default
route. On the Internet backbone, the routers do not have default
routes. The buck stops here. If they do not have a routing entry
for a dest, the dest cannot be reached and a "network unreachable"
ICMP error is sent to the sender.
The KRT contains info like "To get to NW X from m/c Y, send pkt to
m/c Z with a cost of 1 [metric]", along with TTL and reliability
values for that route.
Routing Policy:
Static routes: For small unconnected NWs
Dynamic routes: Many subnets, large NWs, connected to the Internet
Static/Dyn:
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.34.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.1       0.0.0.0         255.255.255.0   U     0      0        0 lo
0.0.0.0         192.0.34.1      0.0.0.0         UG    0      0        0 eth0
$ route -n
Kernel IP routing table
   Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
1. 132.236.227.0   132.236.227.93  255.255.255.0   U     0      0        0 eth0
2. 132.236.212.0   132.236.212.1   255.255.255.192 U     0      0        0 eth1
3. 127.0.0.1       0.0.0.0         255.255.255.0   U     0      0        0 lo
4. default         132.236.227.1   0.0.0.0         UG    0      0        0 eth0
5. 132.236.220.64  132.236.212.6   255.255.255.192 UG    0      0        0 eth1
Routes 1 and 2 were added by ifconfig when the eth0 and eth1
interfaces were configured at bootup.
This means to reach machine 132.236.227.93 on the NW 132.236.227.0
the GW is machine 132.236.227.93: the machine itself is its GW,
which implies it can be reached directly on this NW and one has to
go to no other m/c to consult.
Ditto for the next one.
Route 3 is the loopback interface, a pseudo-device that prevents
pkts sent from the host to itself from going out on the NW;
instead, they are transferred directly.
Route 4 is the default route:
route add default gw 132.236.227.1 eth0
It says:
Pkts not explicitly addressed to any of the 3 NWs listed [or
to the m/c itself] will be sent to the default GW host,
132.236.227.1
Route 5 says:
To reach NW 132.236.220.64/26, pkts must be sent to GW host
132.236.212.6 thru eth1.
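The KRT matching described in Case I and Case II is a longest-prefix match: every route whose network contains the destination is a candidate, and the one with the longest netmask wins, the all-zero default route matching last. The following awk-in-shell lookup, an added example and not the manual's own code, reproduces that decision over a small table laid out in the "route -n" column order above (the table is constructed, with the loopback entry given its real /8 mask); function names are my own.

```shell
#!/bin/sh
# Longest-prefix route lookup over a table in "route -n" column order
# (Destination Gateway Genmask Flags Iface). Added example; the table is
# constructed and the function names are the author's own.
ROUTES='192.0.34.0   0.0.0.0     255.255.255.0  U   eth0
192.168.0.0  0.0.0.0     255.255.255.0  U   eth1
127.0.0.0    0.0.0.0     255.0.0.0      U   lo
0.0.0.0      192.0.34.1  0.0.0.0        UG  eth0'

# Prints "direct IFACE" for a directly connected network (Case I),
# "GATEWAY IFACE" when a next hop is needed, or "unreachable" when no
# route, not even a default, matches (Case II).
route_lookup() {
    printf '%s\n' "$2" | awk -v dst="$1" '
        function ip2n(s,  a) {
            split(s, a, ".")
            return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        }
        # Apply a contiguous netmask octet by octet; for a mask octet m the
        # value 256 - m is a power of two, so x - x % (256 - m) is x AND m.
        function netof(ip, mask,  a, m, i, r) {
            split(ip, a, "."); split(mask, m, ".")
            r = a[1] - a[1] % (256 - m[1])
            for (i = 2; i <= 4; i++) r = r "." (a[i] - a[i] % (256 - m[i]))
            return r
        }
        BEGIN { best = -1 }
        NF >= 5 && netof(dst, $3) == $1 && ip2n($3) > best {
            best = ip2n($3); gw = $2; dev = $5
        }
        END {
            if (best < 0) { print "unreachable"; exit }
            hop = (gw == "0.0.0.0") ? "direct" : gw
            print hop, dev
        }'
}

# Usage against the live table: route_lookup 10.1.2.3 "$(route -n | tail -n +3)"
route_lookup 192.0.34.50 "$ROUTES"
route_lookup 10.1.2.3 "$ROUTES"
```

Dropping the 0.0.0.0 line from the table turns the second lookup into "unreachable", which is the backbone-router situation the text describes: no default, so a destination without an explicit entry produces an ICMP "network unreachable".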
netstat - Monitoring your TCP/IP NW
Print network connections, routing tables, interface statistics,
masquerade connections, and multicast memberships.
$ netstat -a:
Displays status of all active connections, including inactive
[listening] servers waiting for connects
$ netstat -l:
Show only inactive or listening connections, not established
$ netstat -p:
Show the PID and name of the program to which each socket belongs
$ netstat -o:
Include information related to networking timers
$ netstat -r:
Show the kernel routing table
$ netstat -vatnp | grep <servicename>
$ netstat -tulnp | grep <servicename>
State: TCP/IP connection [socket] state
ESTABLISHED   The socket has an established connection.
SYN_SENT      The socket is actively attempting to establish a
              connection to the remote host.
              Debug Note: If you find a connection that stays in this
              state, then a local process is trying very hard to
              contact a nonexistent or inaccessible NW server.
SYN_RECV      A connection request has been received from a remote
              host and is being initialized.
FIN_WAIT1     The socket is closed, and the connection is shutting down.
FIN_WAIT2     The connection is closed, and the socket is waiting for a
              shutdown from the remote end.
TIME_WAIT     The socket is waiting after close to handle packets
              still in the network.
CLOSED        The socket is not being used.
CLOSE_WAIT    The remote host end has shut down its connection, and
              the local host is waiting for the socket to close.
LAST_ACK      The remote end has shut down, and the socket is closed.
              Waiting for acknowledgement.
LISTEN        The socket is listening for incoming connections.
              Specify the -l option to see this.
CLOSING       Both sockets are shut down but we still don't have
              all our data sent.
UNKNOWN       The state of the socket is unknown.
USER          The login ID of the user who owns the socket.
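The state table above becomes useful when you summarise it: a spike in SYN_SENT entries is the "trying very hard to contact a nonexistent server" case from the debug note, and a pile of CLOSE_WAIT sockets usually means a local daemon is leaking connections. The script below, an added example rather than the manual's own code, counts sockets per state from netstat -tnp output and lists the peers of every socket stuck in SYN_SENT. The sample output is constructed and the function names are my own.

```shell
#!/bin/sh
# Summarise netstat -tnp output by TCP state and list SYN_SENT sockets.
# Added example; the sample output is constructed and the function names
# are the author's own.
NETSTAT_SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.34.7:22           10.0.0.5:51234          ESTABLISHED 1123/sshd
tcp        0      1 192.0.34.7:44120        203.0.113.9:443         SYN_SENT    2210/curl
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      987/vsftpd
tcp        0      0 192.0.34.7:80           198.51.100.7:5555       TIME_WAIT   -'

# Count sockets per state. Only tcp/tcp6 rows are considered, which skips
# both header lines netstat prints (udp rows carry no state column).
netstat_state_counts() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp6?$/ { c[$6]++ }
        END { for (s in c) print s, c[s] }' | sort
}

# Foreign endpoint and owning program of every socket still in SYN_SENT:
# a local process retrying against a server that is down or filtered.
netstat_stuck_syn() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp6?$/ && $6 == "SYN_SENT" { print $5, $7 }'
}

# Against the live system (net-tools installed; -p needs root to show
# other users' processes):
#   netstat_state_counts "$(netstat -tnp 2>/dev/null)"
#   netstat_stuck_syn   "$(netstat -tnp 2>/dev/null)"
```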
FTP
Active FTP
Passive FTP
Users
Regular FTP
Anonymous FTP

vsftpd.conf
# Allow anonymous FTP?
anonymous_enable=YES
# The directory which vsftpd will try to change into after an
# anonymous login. (Default = /var/ftp)
anon_root=/data/directory
# Uncomment this to allow local users to log in.
local_enable=YES
# Uncomment this to enable any form of FTP write command.
# (Needed even if you want local users to be able to upload files)
write_enable=YES
# Uncomment to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
# Activate logging of uploads/downloads.
xferlog_enable=YES
# You may override where the log file goes if you like.
# The default is shown below.
xferlog_file=/var/log/vsftpd.log

Other vsftpd.conf Options
There are many other options you can add to this file:
Limiting the maximum number of client connections (max_clients)
Limiting the number of connections by source IP address (max_per_ip)
The maximum rate of data transfer per anonymous login (anon_max_rate)
The maximum rate of data transfer per non-anonymous login (local_max_rate)
Descriptions of these and more can be found in the vsftpd.conf man pages.

Anonymous upload
mkdir /var/ftp/pub/upload
chmod 722 /var/ftp/pub/upload
ftpd_banner=New Banner Here
write_enable=NO

Check files under the following:
$ cd /etc/vsftpd/
$ ls
ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
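The comments in the configuration above spell out the dangerous combination: anonymous_enable plus write_enable plus either anon_upload_enable or anon_mkdir_write_enable gives the world a writable directory on your server. The following audit function, an added example and not part of the manual or of vsftpd, reads a vsftpd.conf and reports that combination, local users served without a chroot, and disabled transfer logging. The two sample configurations are constructed (the first mirrors the listing above) and the function name is my own.

```shell
#!/bin/sh
# Audit a vsftpd.conf for the risky settings discussed above. Added
# example; the sample configs are constructed and the function name is
# the author's own.
VSFTPD_CONF_A='# Allow anonymous FTP?
anonymous_enable=YES
anon_root=/data/directory
local_enable=YES
write_enable=YES
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log'

VSFTPD_CONF_B='anonymous_enable=YES
local_enable=YES
chroot_local_user=YES
write_enable=YES
anon_upload_enable=YES
xferlog_enable=NO'

# Prints one finding per line; prints nothing when the config is clean.
vsftpd_audit() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*#/ || NF < 2 { next }            # skip comments and blank lines
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2); v[$1] = $2 }
        END {
            if (v["anonymous_enable"] == "YES" && v["write_enable"] == "YES" &&
                (v["anon_upload_enable"] == "YES" || v["anon_mkdir_write_enable"] == "YES"))
                print "anonymous users may write to the server"
            if (v["local_enable"] == "YES" && v["chroot_local_user"] != "YES" &&
                v["chroot_list_enable"] != "YES")
                print "local users are not chrooted to their home directories"
            if (v["xferlog_enable"] != "YES")
                print "transfer logging is disabled"
        }'
}

# On a real host:  vsftpd_audit "$(cat /etc/vsftpd/vsftpd.conf)"
```

The chroot checks correspond to the chroot_local_user and chroot_list_enable directives covered later in this chapter; a config that sets neither lets a local FTP user browse the whole filesystem their Unix account can read.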
Types of FTP
From a networking perspective, the two main types of FTP are active
and passive. In active FTP, the FTP server initiates a data
transfer connection back to the client. For passive FTP, the
connection is initiated from the FTP client. These are illustrated
in Figure 15-1.
Figure 15-1: Active and Passive FTP Illustrated
From a user management perspective there are also two types of FTP:
regular FTP, in which files are transferred using the username and
password of a regular user of the FTP server, and anonymous FTP, in which
general access is provided to the FTP server using a well-known
universal login method.
Take a closer look at each type.
Active FTP
The sequence of events for active FTP is:
1. Your client connects to the FTP server by establishing an FTP
control connection to port 21 of the server. Your commands such as
'ls' and 'get' are sent over this connection.
2. Whenever the client requests data over the control connection,
the server initiates data transfer connections back to the client.
The source port of these data transfer connections is always port
20 on the server, and the destination port is a high port (greater
than 1024) on the client.
3. Thus the ls listing that you asked for comes back over the
port 20 to high port connection, not the port 21 control
connection.
FTP active mode therefore transfers data in a counter-intuitive way
to the TCP standard, as it selects port 20 as its source port (not
a random high port that's greater than 1024) and connects back to
the client on a random high port that has been pre-negotiated on
the port 21 control connection.
Active FTP may fail in cases where the client is protected from the
Internet via many-to-one NAT (masquerading). This is because the
firewall will not know which of the many servers behind it should
receive the return connection.
Passive FTP
Passive FTP works differently:
1. Your client connects to the FTP server by establishing an FTP
control connection to port 21 of the server. Your commands such as
ls and get are sent over that connection.
2. Whenever the client requests data over the control connection,
the client initiates the data transfer connections to the server.
The source port of these data transfer connections is always a high
port on the client with a destination port of a high port on the
server.
Passive FTP should be viewed as the server never making an active
attempt to connect to the client for FTP data transfers. Because the
client always initiates the required connections, passive FTP works
better for clients protected by a firewall.
As Windows defaults to active FTP, and Linux defaults to passive,
you'll probably have to accommodate both forms when deciding upon a
security policy for your FTP server.
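The "pre-negotiated high port" in both modes travels in the clear on the port 21 control connection: the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply in passive mode, and the client's "PORT h1,h2,h3,h4,p1,p2" command in active mode, with the port encoded as p1*256+p2. That is precisely what a stateful firewall or NAT device has to parse in order to know which high port to open, and why plain port-based rules break FTP. The helpers below, an added example and not the manual's own code, perform that encoding and decoding; the sample reply is constructed and the function names are my own.

```shell
#!/bin/sh
# Encode/decode the FTP data-channel address that is negotiated on the
# control channel. Added example; the sample reply is constructed and the
# function names are the author's own.

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."  ->  h1.h2.h3.h4:port
pasv_endpoint() {
    printf '%s\n' "$1" |
    sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\1.\2.\3.\4 \5 \6/p' |
    awk '{ printf "%s:%d\n", $1, $2 * 256 + $3 }'
}

# Build the PORT command an active-mode client sends for ip:port.
port_command() {
    ip=$1
    port=$2
    printf 'PORT %s,%d,%d\n' "$(printf '%s' "$ip" | tr . ,)" $((port / 256)) $((port % 256))
}

# True when the port lies in the "High" range the firewall tables below
# refer to (greater than 1024).
is_high_port() {
    [ "$1" -gt 1024 ]
}

pasv_endpoint '227 Entering Passive Mode (192,0,34,7,195,149).'
port_command 192.168.0.20 51234
```

A defender reviewing a packet capture of a failing transfer can run the 227 line or the PORT line through these functions to see which address and port the firewall needed to allow; if the decoded address is a private one behind NAT, the firewall was never going to reach it, which is the masquerading failure described above.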
Regular FTP
By default, the VSFTPD package allows regular Linux users to copy
files to and from their home directories with an FTP client using
their Linux usernames and passwords as their login credentials.
VSFTPD also has the option of allowing this type of access to only
a group of Linux users, enabling you to restrict the addition of
new files to your system to authorized personnel.
The disadvantage of regular FTP is that it isn't suitable for
general download dist
Anonymous FTP
Anonymous FTP is the choice of Web sites that need to exchange
files with numerous unknown remote users. Common uses include
downloading software updates and MP3s and uploading diagnostic
information for a technical support engineer's attention. Unlike
regular FTP, where you log in with a preconfigured Linux username and
password, anonymous FTP requires only a username of anonymous and
your email address for the password. Once logged in to a VSFTPD
server, you automatically have access to only the default anonymous
FTP directory (/var/ftp in the case of VSFTPD) and all its
subdirectories.
Good GUI ftp clients
1.1. kasablanca
1.2. ftpcube
1.3. gftp
1.4. iglooftp
1.5. konqueror
1.6. filezilla
Console ftp clients
2.1. GNU Midnight Commander
2.2. ftp
2.3. yafc
2.4. ncftp
Problems With FTP And Firewalls
FTP frequently fails when the data has to pass through a firewall,
because firewalls are designed to limit data flows to predictable
TCP ports and FTP uses a wide range of unpredictable TCP ports. You
have a choice of methods to overcome this.
Note: The Appendix II, "Codes, Scripts, and Configurations",
contains examples of how to configure the VSFTPD Linux firewall to
function with both active and passive FTP.
Client Protected By A Firewall Problem
Typically firewalls don't allow any incoming connections at all,
which frequently blocks active FTP from functioning. With this type
of FTP failure, the active FTP connection appears to work when the
client initiates an outbound connection to the server on port 21.
The connection then appears to hang, however, as soon as you use
the ls, dir, or get commands. The reason is that the firewall is
blocking the return connection from the server to the client (from
port 20 on the server to a high port on the client). If a firewall
allows all outbound connections to the Internet, then passive FTP
clients behind a firewall will usually work correctly as the
clients initiate all the FTP connections.
Solution
The table below shows the general rules you'll need to allow FTP clients
through a firewall:
Client Protected by Firewall: Required Rules for FTP

Method       Source Address        Source Port  Destination Address   Destination Port  Connection Type
Allow outgoing control connections to server
Control      FTP client/network    High (1)     FTP server (2)        21                New
Channel      FTP server (2)        21           FTP client/network    High              Established (3)
Allow the client to establish data channels to remote server
Active FTP   FTP server (2)        20           FTP client/network    High              New
             FTP client/network    High         FTP server (2)        20                Established (3)
Passive FTP  FTP client/network    High         FTP server (2)        High              New
             FTP server (2)        High         FTP client/network    High              Established (3)

(1) Greater than 1024.
(2) In some cases, you may want to allow all Internet users to have
access, not just a specific client server or network.
(3) Many home-based firewall/routers automatically allow traffic for
already established connections. This rule may not be necessary in
all cases.
Server Protected By A Firewall Problem
Typically firewalls don't let any connections come in at all. When
an incorrectly configured firewall protects an FTP server, the
FTP connection from the client doesn't appear to work at all for
both active and passive FTP.
Solution
Table 15-2: Rules needed to allow FTP servers through a firewall.

Method       Source Address          Source Port  Destination Address     Destination Port  Connection Type
Allow incoming control connections to server
Control      FTP client/network (2)  High (1)     FTP server              21                New
Channel      FTP server              21           FTP client/network (2)  High              Established (3)
Allow server to establish data channel to remote client
Active FTP   FTP server              20           FTP client/network (2)  High              New
             FTP client/network (2)  High         FTP server              20                Established (3)
Passive FTP  FTP client/network (2)  High         FTP server              High              New
             FTP server              High         FTP client/network (2)  High              Established (3)

(1) Greater than 1024.
(2) In some cases, you may want to allow all Internet users to have
access, not just a specific client server or network.
(3) Many home-based firewall/routers automatically allow traffic for
already established connections. This rule may not be necessary in
all cases.
chrooted ftp users
Uncomment & edit vsftpd.conf:
local_enable=YES
chroot_local_user=YES
The above line will enable users to be chrooted under their home.
This is for a chroot list:
local_enable=YES
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Create the vsftpd.chroot_list file under /etc and add the users which
you want to chroot.
NFS
NFSv2 uses the User Datagram Protocol (UDP) to provide a stateless
network connection between the client and server. NFSv3 can use
either UDP or Transmission Control Protocol (TCP) running over an
IP network.
/lib/modules/2.4.20-8/kernel/fs/nfsd/nfsd.
NFS port 2049
NFS relies on Remote Procedure Calls (RPC) to route requests
between clients and servers. RPC services under Linux are
controlled by the portmap service. To share or mount NFS file
systems, the following services work together:
nfs - Starts the appropriate RPC processes to service requests
for shared NFS file systems.
nfslock - An optional service that starts the appropriate RPC
processes to allow NFS clients to lock files on the server.
portmap - The RPC service for Linux; it responds to requests
for RPC services and sets up connections to the requested RPC
service.
The following RPC processes work together behind the scenes to
facilitate NFS services:
rpc.mountd - This process receives mount requests from NFS
clients and verifies the requested file system is currently
exported. This process is started automatically by the nfs service
and does not require user configuration.
rpc.nfsd - This process is the NFS server. It works with the
Linux kernel to meet the dynamic demands of NFS clients, such as
providing server threads each time an NFS client connects. This
process corresponds to the nfs service.
rpc.lockd - An optional process that allows NFS clients to
lock files on the server. This process corresponds to the nfslock
service.
rpc.statd - This process implements the Network Status Monitor
(NSM) RPC protocol which notifies NFS clients when an NFS server is
restarted without being gracefully brought down. This process is
started automatically by the nfslock service and does not require
user configuration.
rpc.rquotad - This process provides user quota information for
remote users. This process is started automatically by the nfs
service and does not require user configuration.
NFS and portmap
The portmap service under Linux maps RPC requests to the correct
services. RPC processes notify portmap when they start, revealing
the port number they are monitoring and the RPC program numbers
they expect to serve. The client system then contacts portmap on
the server with a particular RPC program number. The portmap
service redirects the client to the proper port number so it can
communicate with the requested service.
Because RPC-based services rely on portmap to make all connections
with incoming client requests, portmap must be available before any
of these services start.
The portmap service uses TCP wrappers for access control, and
access control rules for portmap affect all RPC-based services.
Alternatively, it is possible to specify access control rules for
each of the NFS RPC daemons. The man pages for rpc.mountd and
rpc.statd contain information regarding the precise syntax for
these rules.
/etc/hosts
1. /var/lib/nfs/xtab
2. /var/lib/nfs/rmtab
rpc.mountd
The rpc.mountd program implements the NFS mount protocol. When
receiving a MOUNT request from an NFS client, it checks the request
against the list of currently exported file systems. If the
client is permitted to mount the file system, rpc.mountd
obtains a file handle for the requested directory and returns it
to the client.
Alternatively, you can export individual directories temporarily
using the exportfs host:/directory syntax. uid matching and
read-only filesystem.
Portmap is a server that converts RPC program numbers into DARPA
protocol port numbers. It must be running in order to make RPC
calls.
When an RPC server is started, it will tell portmap what port
number it is listening to, and what RPC program numbers it is
prepared to serve. When a client wishes to make an RPC call to a
given program number, it will first contact portmap on the server
machine to determine the port number where RPC packets should be
sent.
/etc/exports:
/data/files     *(ro,sync)
/home           192.168.1.0/24(rw,sync)
/data/test      *.mysite.com(rw,sync)
/data/database  192.168.1.203/32(rw,sync)
/etc/exports options
$ cat /proc/fs/nfs/exports    (runtime check)
Try the following.
Edit the exports file:
/opt/data 192.168.1.65(rw,wdelay,root_squash,no_subtree_check,anonuid=65534,anongid=65534) 192.168.1.45(rw,no_root_squash,)
Try mounting from the client; in my case the client ip is
192.168.1.65 and check the permissions by root and user. Also try
from the client 192.168.1.45 and chk permissions.
Client:
mount 192.168.1.75:/opt/data /data
More options:
/opt/data station1(rw,wdelay,all_squash,anonuid=150,anongid=100)
Now try mounting from 192.168.1.65 (point station1 >
192.168.1.65 in the /etc/hosts file) and chk the permission by login
user and root.
More options:
We can also restrict by domain.
/opt/deploy/stic *.example.com(rw) *.workgroup.com(ro,sync)
Here's the complete list of mapping options:
root_squash
Map requests from uid/gid 0 to the anonymous uid/gid. Note that
this does not apply to any other uids that might be equally sensitive,
such as user bin.
no_root_squash
Turn off root squashing. This option is mainly useful for diskless
clients.
all_squash
Map all uids and gids to the anonymous user. Useful for NFS-exported
public FTP directories, news spool directories, etc. The
opposite option is no_all_squash, which is the default setting.
anonuid and anongid
These options explicitly set the uid and gid of the anonymous
account. This option is primarily useful for PC/NFS
clients, where you might want all requests to appear to be from one
user. As an example, consider the export entry for /home/joe in the
example section below, which maps all requests to uid 150 (which
is supposedly that of user joe).
General Options
exportfs understands the following export options:
secure
This option requires that requests originate on an internet port
less than IPPORT_RESERVED (1024). This option is on by default. To
turn it off, specify insecure.
rw
Allow both read and write requests on this NFS volume. The
default is to disallow any request which changes the filesystem.
This can also be made explicit by using the ro option.
async
This option allows the NFS server to violate the NFS protocol
and reply to requests before any changes made by that request
have been committed to stable storage (e.g. disc drive). Using this
option usually improves performance, but at the cost that an
unclean server restart (i.e. a crash) can cause data to be lost or
corrupted.
sync
Reply to requests only after the changes have been committed to
stable storage (see async above). In releases of nfs-utils up to and
including 1.0.0, this option was the default. In this and future
releases, sync is the default, and async must be explicitly requested
if needed. To help make system administrators aware of this change,
exportfs will issue a warning if neither sync nor async is
specified.
no_wdelay
This option has no effect if async is also set. The NFS server
will normally delay committing a write request to disc slightly if
it suspects that another related write request may be in
progress or may arrive soon. This allows multiple write
requests to be committed to disc with the one operation which
can improve performance. If an NFS server received mainly small
unrelated requests, this behaviour could actually reduce performance,
so no_wdelay is available to turn it off. The default
can be explicitly requested with the wdelay option.
subtree_check
This option enables subtree checking, which does add another
level of security, but can be unreliable in some circumstances.
If a subdirectory of a filesystem is exported, but the
whole filesystem isn't, then whenever an NFS request arrives, the
server must check not only that the accessed file is in the
appropriate filesystem (which is easy) but also that it is in the
exported tree (which is harder). This check is called the
subtree_check.
In order to perform this check, the server must include some
information about the location of the file in the "filehandle"
that is given to the client. This can cause problems with
accessing files that are renamed while a client has them open
(though in many simple cases it will still work).
Try Mount Options in fstab
192.168.1.33:/opt/deploy/stic  /mnt  nfs  rw,hard,intr,rsize=8192,wsize=8192  0 0
bg       Retry mounting in the background if mounting initially fails.
fg       Mount in the foreground.
soft     Use soft mounting.
         If an NFS file operation has a major timeout then report an I/O
         error to the calling program. The default is to continue retrying
         NFS file operations indefinitely.
hard     Use hard mounting.
         If an NFS file operation has a major timeout then report "server
         not responding" on the console and continue retrying indefinitely.
         This is the default.
rsize=n  The amount of data NFS will attempt to access per read operation.
         The default is dependent on the kernel. For NFS version 2, set it
         to 8192 to assure maximum throughput.
wsize=n  The amount of data NFS will attempt to access per write operation.
         The default is dependent on the kernel. For NFS version 2, set it
         to 8192 to assure maximum throughput.
nfsvers=n  The version of NFS the mount command should attempt to use.
tcp      Attempt to mount the filesystem using TCP packets; the default
         is UDP.
intr     If the filesystem is hard mounted and the mount times out, allow
         for the process to be aborted using the usual methods such as
         CTRL-C and the kill command.
nolock   Disable NFS locking. Do not start lockd. This has to be used with
         some old NFS servers that don't support locking.
Some important nfs mount options in Linux:
tcp - Specifies for the NFS mount to use the TCP protocol instead
of UDP.
rsize=8192 and wsize=8192 - These settings speed up NFS
communication for reads (rsize) and writes (wsize) by setting a
larger data block size, in bytes, to be transferred at one time. Do
performance tests before changing these values.
hard or soft - Specifies whether the program using a file via an
NFS connection should stop and wait (hard) for the server to come
back online if the host serving the exported file system is
unavailable, or if it should report an error (soft). If hard is
specified, the user cannot terminate the process waiting for the
NFS communication to resume unless the intr option is also specified.
If soft is specified, the user can set an additional timeo=<value>
option, where <value> specifies the number of seconds to pass before
the error is reported.
nolock - Disables file locking. This setting is occasionally
required when connecting to older NFS servers.
intr - Allows NFS requests to be interrupted if the server goes
down or cannot be reached.
nfsvers=2 or nfsvers=3 - Specifies which version of the NFS
protocol to use.
nosuid - Disables set-user-identifier or set-group-identifier bits.
This prevents remote users from gaining higher privileges by
running a setuid program.
There are many other options. But the above ones are very important.
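Two of the option lists above deserve a routine check on both ends of an NFS relationship: on the server, /etc/exports entries that hand rw access to every host ("*"), disable root_squash, or accept unprivileged source ports (insecure); on the client, NFS lines in /etc/fstab that lack the nosuid and nodev mount options, so that a setuid binary or device node placed on the exported filesystem is honoured locally. The script below, an added example that is not the manual's or nfs-utils' own code, implements both audits. The sample exports file and fstab are constructed from the entries in this chapter and the function names are my own.

```shell
#!/bin/sh
# Audit /etc/exports entries and NFS lines in /etc/fstab for the options
# discussed above. Added example; the input is constructed after this
# chapter's entries and the function names are the author's own.
EXPORTS_SAMPLE='# constructed /etc/exports
/data/files   *(ro,sync)
/home         192.168.1.0/24(rw,sync)
/data/test    *.mysite.com(rw,sync)
/opt/data     192.168.1.65(rw,wdelay,root_squash,no_subtree_check) 192.168.1.45(rw,no_root_squash,)
/mnt/test     *(sync,rw)'

FSTAB_SAMPLE='# constructed /etc/fstab
192.168.1.40:/mnt/test   /mnt  nfs  _netdev,defaults                   0 0
192.168.1.40:/opt/funny  /opt  nfs  _netdev,rw,hard,intr,nosuid,nodev  0 0
/dev/sda1                /     ext3 defaults                           1 1'

# Server side. One finding per line: "<path> <host>: <problem>".
# Each field after the path is host(options); options may be absent.
exports_audit() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 2 { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                host = $i; opts = ""
                if (match($i, /\(.*\)/)) {
                    host = substr($i, 1, RSTART - 1)
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                }
                o = "," opts ","            # pad so every option is ",x,"
                if (host == "*" && o ~ /,rw,/) print path, host ": writable by any host"
                if (o ~ /,no_root_squash,/)    print path, host ": remote root keeps uid 0"
                if (o ~ /,insecure,/)          print path, host ": unprivileged source ports accepted"
                if (o ~ /,async,/)             print path, host ": async, data loss on server crash"
            }
        }'
}

# Client side. NFS mounts should carry nosuid and nodev; soft mounts are
# reported too, since applications then see I/O errors on a timeout.
nfs_mount_audit() {
    printf '%s\n' "$1" | awk '$3 ~ /^nfs4?$/ {
        o = "," $4 ","
        if (o !~ /,nosuid,/) print $2 ": missing nosuid"
        if (o !~ /,nodev,/)  print $2 ": missing nodev"
        if (o ~ /,soft,/)    print $2 ": soft mount, applications see I/O errors on timeout"
    }'
}

# On real hosts:
#   exports_audit   "$(cat /etc/exports)"
#   nfs_mount_audit "$(cat /etc/fstab)"
```

The exports check treats only a bare "*" as "any host"; a domain wildcard such as *.mysite.com is narrower and is left alone, and a read-only world export is not flagged because the text's own /data/files example is exactly that.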
Practicals:
On the server pc (server ip 192.168.1.40)
First check whether nfs is installed or not:
$ rpm -qa | grep -i nfs
nfs-utils-1.0.9-44.el5
nfs-utils-lib-1.0.8-7.6.el5
If you have the installation dvd then run the following commands:
$ rpm -ivh nfs-utils-1.0.9-44.el5
$ rpm -ivh nfs-utils-lib-1.0.8-7.6.el5
If not, then install through the internet:
$ yum install nfs*
Then start the nfs service:
$ service nfs start
Starting NFS services:  [ OK ]
Starting NFS quotas:    [ OK ]
Starting NFS daemon:    [ OK ]
Starting NFS mountd:    [ OK ]
The NFS major file is called /etc/exports
$ exportfs > this command shows blank output while your exports file is empty
$ vi /etc/exports
Type the following lines in the exports file:
/mnt/test   *(sync,rw)
/opt/funny  *(sync,rw)
$ exportfs -a > this cmnd rereads the /etc/exports file
$ showmount -e localhost
Export list for localhost:
/mnt/test  *
/opt/funny *
$ nfsstat > nfs statistics.
From the client side (client ip 192.168.1.50):
$ service nfs start (as root)
$ showmount -e 192.168.1.40
/mnt/test  *
/opt/funny *
Mount the shared partition as follows:
$ mount 192.168.1.40:/mnt/test /mnt/
$ cd /mnt/
$ ls
Create any file on the client side and check on the server pc; you can see
the same.
To mount the directory permanently, type the following entries in the fstab
file:
$ vi /etc/fstab
192.168.1.40:/mnt/test   /mnt  nfs  _netdev,defaults  0 0
192.168.1.40:/opt/funny  /opt  nfs  _netdev,defaults  0 0
Check with the following cmds:
$ rpcinfo -p > check which rpc-based services are on; -p means print
$ rpcinfo -p 192.168.1.40 > which services are on on the server side
$ telnet 192.168.1.40 2049 > check whether the nfs port is open or not on the server side
AdvantagesofNIS:
1.
CentralInformationStore
2.
Securitybecauseofencryptedmaps[dbs]
3.
Performancebcosofindexedmaps
4.
CanbeusedforDNS
5.
AuthenticationforSamba,ApacheetcandalsoLocalinsteadof
/etc/hostsand/etc/passwd,whichcanthenbedeleted
Alert:DisableFirewallsorNISwillnotworksince,bydefault,
RPCservicesareblockedbyFWs[inRHL]
ExamAlert:
1.
MakesureyouputFWsoffbeforedoinganythinginNIS
2.
MakesureyoustartportmapBEFOREyoustartNFS
3.
Makesureyouuse'showmounte'beforeyoudoany'mount'
4.
Allerrorsaremostlyduetoincorrectsyntaxin/etc/exports
andespeciallywatchoutforthespacebetweentheoptions()
5.
Ifyouuse'authconfig' forclientconfig,makesureyou
disableitin'ntsysv'imasap
6.
Check/etc/securenetsifyouarebeingblockedorwishto
7.
Check/etc/ypserv.confifyoucannotquerymapsorwishto
DaemonName
Purpose
portmap
ThefoundationRPCdaemonuponwhichNISruns.
yppasswdd
LetsuserschangetheirpasswordsontheNISserver
fromNISclients
ypserv
MainNISserverdaemon
ypbind
MainNISclientdaemon
163
b.sadhiq
www.altnix.com
ypxfrd
UsedtospeedupthetransferofverylargeNIS
maps
164
b.sadhiq
www.altnix.com
rpcinfoplocalhost
programversprotoport
1000002tcp111portmapper
1000002udp111portmapper
1000091udp681yppasswdd
1000042udp698ypserv
1000041udp698ypserv
1000042tcp701ypserv
1000041tcp701ypserv
NISServerpartI
1.
$vi/etc/sysconfig/network#putNISDOMAIN=altnix
2.
$domainnamealtnix
3.
Configure/etc/yp.conf
altnixserverserver1.altnix.local
4.
$serviceypservstart
5.
$serviceyppasswddstart[OPTIONAL]
6.
$domainname
7.
$nisdomainname
Theabove2commandsMUSTshowtherightoutput
8.
$cd/var/yp/
9.
$/usr/lib/yp/ypinitm
CtrlD
SowhatisanNISdomain?
A:Agroupofhoststhatusethesamesetofmaps,formanNIS
domain
Allofthem/csinanNISdomainwillsharethesamepwd,hosts
andgrp
info.
I. NFS Server part
1. Configure /etc/exports:
   $ vi /etc/exports
   /home   *(rw,sync)
   $ exportfs -a
   (restrict "*" to your NIS clients' network in production; otherwise every host that can reach the server can mount /home read-write)
2. $ service portmap restart
3. $ service nfs restart
Testing: check that all is OK with
$ rpcinfo -p
$ showmount -e localhost
II. NIS Client part
1. service portmap restart
2. showmount -e NFSServer
3. mount NFSserver:/home /home
4. Configure /etc/yp.conf: do exactly the same as for the server (domain altnix server server1.altnix.local)
5. service ypbind restart
   or use authconfig, which does steps 4 and 5 and the /etc/nsswitch.conf change (adding "nis" to the passwd, shadow, group and hosts lines) automatically
Testing the NIS server from the client
Log in as foo
$ ypwhich                    < where is the NIS master database (which server we are bound to)
$ ypwhich -m                 < where is the NIS master database + maps
$ ypcat -x                   < shows the list of NIS map nicknames from the NIS server
$ ypcat passwd               < shows the contents of the NIS passwd map, /var/yp/altnix/passwd.byname (everything printed here, password hashes included unless shadow maps are used, is visible to any client that can bind to the domain)
$ ypmatch foo passwd         < check if user foo exists in the NIS passwd database
$ yppoll passwd.byname       < info about a specific map [root only]
You have to have 'service yppasswdd' running on the server to do the following:
$ ypchfn foo                 < change the finger info of foo in the NIS passwd map
$ yppasswd foo               < change foo's password in the NIS passwd maps, i.e. /var/yp/altnix/passwd.byname and passwd.byuid
Note: foo's local login password on the server changes accordingly, because yppasswdd actually changes foo's password in the server's /etc/passwd (or /etc/shadow) and then pushes the change to two other files:
/var/yp/altnix/passwd.byname
/var/yp/altnix/passwd.byuid
$ ypmatch nisuser passwd
$ getent passwd nisuser
III. More NIS Server Security
/etc/ypserv.conf [on the NIS server]
* This file is used to control which hosts/users can use your NIS server.
  syntax: host:domain:map:security
* There is one entry per line.
* All rules are tried one by one. The first matching rule decides; if no match is found, access to a map is ALLOWED, so the file must end with explicit deny rules for anything you want protected.
* The following options exist:
  files: 30
    This option specifies how many database files should be cached by ypserv. If 0 is specified, caching is disabled. Decreasing this number is only possible if ypserv is restarted.
  xfr_check_port: [<yes>|no]
    With this option enabled, the NIS master server has to run on a port < 1024. The default is "yes" (enabled).
The field descriptions for the access rule lines are:
  host      IP address. Wildcards are allowed. Examples:
            131.234.  =  131.234.0.0/255.255.0.0
            131.234.214.0/255.255.254.0
  domain    specifies the domain for which this rule should be applied. An asterisk as wildcard is allowed.
  map       name of the map, or an asterisk for all maps.
  security  one of none, port, deny:
            none   always allow access.
            port   allow access if the request comes from a port < 1024 (i.e. from a root-owned process on the client). Otherwise do not allow access.
            deny   deny access to this map.
EXAMPLE: try these entries in /etc/ypserv.conf
  192.168.0.10:*:*:deny          < host 192.168.0.10 is denied every map in every domain
  *:*:passwd.byname:deny         < all hosts/users from any domain will be denied access to the passwd.byname map
Note that "port" is only a weak check: it proves the query came from a privileged port, not that the client is trusted, and anyone who is root on their own machine passes it. Combine it with /var/yp/securenets, which limits which networks may talk to ypserv at all.
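To see how the first-match-wins and default-allow rules play out before you put a file into production, the following shell script evaluates a ypserv.conf the way the description above states it. It is an added example, not ypserv's own code and not part of the original page; it models only the host forms shown above ("*", a dotted prefix such as 131.234., a full address, and addr/netmask), the rules it reads are constructed inline, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: evaluate /etc/ypserv.conf access rules as described on the page:
# host:domain:map:security, rules tried in order, first match decides, and NO match
# means ALLOW. Simplified model of ypserv, written for this page.

# write_sample_ypserv_conf FILE: constructed rules, not copied from a real server.
write_sample_ypserv_conf() {
  cat > "$1" <<'EOF'
# constructed sample /etc/ypserv.conf
files: 30
xfr_check_port: yes
# host:domain:map:security -- first match wins, default is allow
192.168.0.10:*:*:deny
10.1.0.0/255.255.254.0:*:*:none
192.168.1.:altnix:passwd.byname:port
*:*:passwd.byname:deny
*:*:shadow.byname:deny
EOF
}

# ypserv_decide RULEFILE CLIENT_IP DOMAIN MAP CLIENT_SRC_PORT: prints the decision and the rule line
ypserv_decide() {
  awk -v ip="$2" -v dom="$3" -v map="$4" -v port="$5" '
    # masked(ip, mask): apply a contiguous dotted netmask octet by octet (no bit operators needed)
    function masked(ipstr, maskstr,   a, m, i, r) {
      split(ipstr, a, "."); split(maskstr, m, "."); r = ""
      for (i = 1; i <= 4; i++) r = r (a[i] - a[i] % (256 - m[i])) "."
      return r
    }
    function hostmatch(pat,   p) {
      if (pat == "*") return 1
      if (index(pat, "/")) { split(pat, p, "/"); return masked(ip, p[2]) == masked(p[1], p[2]) }
      if (substr(pat, length(pat)) == ".") return index(ip, pat) == 1    # dotted prefix, e.g. 131.234.
      return pat == ip
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      n = split($0, f, ":")
      if (n != 4) next                         # "files:" and "xfr_check_port:" are options, not rules
      for (i = 1; i <= 4; i++) gsub(/[ \t]/, "", f[i])
      if (!hostmatch(f[1])) next
      if (f[2] != "*" && f[2] != dom) next
      if (f[3] != "*" && f[3] != map) next
      if (f[4] == "none") { print "allow (rule " NR ")"; decided = 1; exit }
      if (f[4] == "deny") { print "deny (rule " NR ")"; decided = 1; exit }
      if (f[4] == "port") {
        if (port + 0 < 1024) print "allow (rule " NR ", privileged source port)"
        else print "deny (rule " NR ", source port " port " not privileged)"
        decided = 1; exit
      }
    }
    END { if (!decided) print "allow (no rule matched; ypserv default is allow)" }
  ' "$1"
}

# demo: a client on the LAN querying passwd.byname from an unprivileged port, and an unlisted host/map
f=$(mktemp) || exit 1
write_sample_ypserv_conf "$f"
ypserv_decide "$f" 192.168.1.50 altnix passwd.byname 40000
ypserv_decide "$f" 10.0.0.5 altnix hosts.byname 600
rm -f "$f"
```

The second demo call is the point of the exercise: an address that matches none of the rules is let in, so every map you care about needs a closing `*:*:map:deny` line.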
****************
Logging in via telnet
Try logging into the NIS client via telnet, if it is enabled (telnet sends the user name and password in clear text, so do this only in the lab; use ssh otherwise):
[root@bigboy tmp]# telnet 192.168.1.201
Trying 192.168.1.201...
Connected to 192.168.1.201.
Escape character is '^]'.
Red Hat Linux release 9 (Shrike)
Kernel 2.4.20-6 on an i686
login: nisuser
Password:
Last login: Sun Nov 16 22:03:51 from 192-168-1-100.simiya.com
[nisuser@smallfry nisuser]$
$ yppasswd -p nisuser
Changing NIS account information for nisuser on bigboy.mysite.com.
Please enter root password:
Changing NIS password for nisuser on bigboy.mysite.com.
Please enter new password:
Please retype new password:
The NIS password has been changed on bigboy.mysite.com.
NIS Troubleshooting
Troubleshooting is always required as part of your daily routine, and NIS is no exception. Here are some simple steps to follow to get it working again.
1. rpcinfo provides a list of the TCP and UDP ports that your NIS client or server is using. Make sure you can telnet to the TCP ports from the client to the server and vice versa. If this fails, make sure all the correct NIS daemons are running and that there are no firewalls blocking traffic on the network or on the servers themselves. These ports change from time to time (portmap assigns them at start-up), so memorizing them won't help much; pin them with ypserv -p if a firewall has to sit in between. The example tests from the client to the server.
[root@bigboy tmp]# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    391002    2   tcp  32769  sgi_fam
    100009    1   udp   1018  yppasswdd
    100004    2   udp    611  ypserv
    100004    1   udp    611  ypserv
    100004    2   tcp    614  ypserv
    100004    1   tcp    614  ypserv
    100007    2   udp    855  ypbind
    100007    1   udp    855  ypbind
    100007    2   tcp    858  ypbind
    100007    1   tcp    858  ypbind
 600100069    1   udp    874  fypxfrd
 600100069    1   tcp    876  fypxfrd
[root@bigboy tmp]#
[root@smallfry tmp]# telnet 192.168.1.100 858
Trying 10.41.32.71...
Connected to 10.41.32.71.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
[root@smallfry tmp]#
2. Always use the ypmatch, getent, and ypwhich commands to check your NIS connectivity. If there is any failure, check your steps over again and you should be able to find the source of your problem.
3. Do not fail to create a user's home directory, set its permissions, and copy the /etc/skel files correctly. If you forget, which is a common error, your users may have incorrect login prompts and no ability to create files in their home directories.
It can never be overemphasized that one of the best places to start troubleshooting is by looking in your error log files in the /var/log directory. You'll save a lot of time and effort if you always refer to them whenever the problem doesn't appear to be obvious.
Installation of autofs
Install autofs using the rpm package:
[root@tenouk ~]# mount /dev/cdrom
[root@tenouk ~]# cd /mnt/cdrom/RedHat/RPMS
[root@tenouk ~]# rpm -Uhv autofs-3.1.7-28.i386.rpm
[root@tenouk ~]# cd /
[root@tenouk ~]# umount /dev/cdrom
Start, stop and restart autofs:
[root@tenouk ~]# /sbin/service autofs start
[root@tenouk ~]# /sbin/service autofs stop
[root@tenouk ~]# /sbin/service autofs restart
Setting autofs to start automatically:
[root@tenouk ~]# /sbin/chkconfig --level 35 autofs on
Confirmation of autofs automatic start:
[root@tenouk ~]# /sbin/chkconfig --list autofs
Setting which uses NIS
The configuration on the NIS server:
[root@tenouk ~]# vi /etc/auto.master
/nfs    /etc/auto.home    --timeout 60
[root@tenouk ~]# vi /etc/auto.home
home    -rw,hard,intr,nolock    compaq:/home
[root@tenouk ~]# vi /var/yp/Makefile
all:  passwd group hosts rpc services netid protocols mail \
      shadow auto.home \
      # netgrp shadow publickey networks ethers bootparams printcap \
      # amd.home auto.master auto.home auto.local passwd.adjunct \
      # timezone locale netmasks
(Adding auto.home to the "all:" target turns the automounter map into an NIS map, so every client bound to the domain gets the same /nfs/home mapping; run make in /var/yp afterwards to rebuild the maps.)
Allow a normal user to mount Linux partitions, USB stick/pen device (by nixcraft)
You need to use autofs. It is used to mount file systems on demand. Usually autofs is invoked at system boot time with the start parameter and at shutdown time with the stop parameter. The autofs script can also be invoked manually by the system administrator to shut down, restart or reload the automounters.
autofs will consult the configuration file /etc/auto.master to find the mount points on the system.
i) Install autofs if it is not installed. If you are using Debian/Ubuntu Linux, enter:
# apt-get install autofs
ii) Create a desktop group and add user jimmy to this group:
# groupadd desktop
# usermod -a -G video,desktop jimmy     (-a appends; without it, usermod -G replaces jimmy's existing supplementary groups)
# chmod -R a+rx /var/autofs/misc
iii) Configure autofs so that the USB stick can be accessed:
# vi /etc/auto.misc
iv) Append the following text to auto.misc:
usb   -fstype=auto,user,sync,nodev,nosuid,gid=desktop,umask=002   :/dev/sda1
d     -fstype=vfat,user,sync,nodev,nosuid,gid=desktop,umask=002   :/dev/hda2
Where,
usb: is the directory name, which can be accessed via /var/autofs/misc/usb. A user in the desktop group just needs to type the cd command (cd /var/autofs/misc/usb) to change into the directory; autofs mounts the device on first access.
fstype=auto,user,sync,nodev,nosuid,gid=desktop,umask=002: these are the options used by the automounter to mount the file system.
auto: the file system type is automatically determined by the kernel.
user: normal users are allowed to mount the device (an fstab option; here the automounter, running as root, does the mounting).
nodev: do not interpret character or block special devices on the file system. Without it a removable device could carry a device node for /dev/sda or /dev/mem.
nosuid: do not allow set-user-identifier or set-group-identifier bits to take effect. This is a security feature: a setuid-root binary copied onto the stick would otherwise run as root. Adding noexec is a reasonable further step if users never need to run programs from the device.
gid=desktop: the file system is mounted as group desktop, to which we have already added user jimmy.
umask=002: sets the umask so that users in group desktop can write data to the device.
Please note that without the gid and umask options a normal user cannot write data to the device.
v) Restart autofs:
# /etc/init.d/autofs restart
vi) Test it as user jimmy (make sure the USB stick/pen is inserted into a USB port):
$ ls /var/autofs/misc/usb
$ cd /var/autofs/misc/usb
$ mkdir testdir
$ ls -l
DHCP: Dynamic Host Configuration Protocol
* A DHCP relay agent
These tools all use a modular API which is designed to be sufficiently general that it can easily be made to work on POSIX-compliant operating systems and also on non-POSIX systems like Windows NT and MacOS.
The DHCP server, client and relay agent are provided both as reference implementations of the protocol and as working, fully featured sample implementations.
Both the client and the server provide functionality that, while not strictly required by the protocol, is very useful in practice. The DHCP server also makes allowances for non-compliant clients which one might still like to support.
This tutorial describes how to set up a DHCP server (ISC DHCP) for your local network.
DHCP is short for "Dynamic Host Configuration Protocol"; it's a protocol that handles the assignment of IP addresses, subnet masks, default routers, and other IP parameters to client PCs that don't have a static IP address. Such computers try to find a DHCP server in their local network, which in turn assigns them an IP address, gateway, etc. so that they can connect to the internet or to other computers on the local network.
Current situation:
* network 192.168.10.0, subnet mask 255.255.255.0, broadcast address 192.168.10.255.
* the gateway to the internet is 192.168.10.10; on the gateway there's no DHCP server.
* the DNS servers I can use are 202.88.130.15 and 202.88.130.67
* I have a pool of 30 IP addresses (192.168.10.200 to 192.168.10.229) that can be dynamically assigned to client PCs and that are not already in use.
* 192.168.10.10 is the address of the machine that will act as DHCP server.
2. Download and install the DHCP package
NOTE: by default the dhcp packages are installed in RHEL.
See that the following is installed on the server: dhcp-3.0pl2-6.14
$ rpm -q dhcp
On the client side, the package dhclient-3.0pl2-6.14 is installed.
$ rpm -q dhclient
If the DHCP packages aren't installed, download them from http://www.rpmseek.com and install them.
3. Configuration part: ISC DHCP server
Copy the sample DHCP configuration file:
$ cp /usr/share/doc/dhcp-3.0pl2/dhcpd.conf.sample /etc/dhcpd.conf
/etc/dhcpd.conf
ddns-update-style: you can tell the DHCP server to update a DNS server if the IP address of a server in your LAN has changed (because it has been assigned a different IP by DHCP). As we do not run servers in our LAN, or always give them static IP addresses (which is a good idea for servers...), we don't want to update DNS records, so we set this to none. (The sample file, and the configuration below, still say "interim"; together with "ignore client-updates" and no zone declarations no updates are sent, but "none" states the intent.)
ddns-update-style interim;
ignore client-updates;
# Define the scope
subnet 192.168.10.0 netmask 255.255.255.0
{
    range dynamic-bootp 192.168.10.177 192.168.10.188;
    range dynamic-bootp 192.168.10.124 192.168.10.130;
    # (dynamic-bootp also hands addresses to BOOTP clients; a plain "range a b;" is enough for DHCP-only networks)
    # Set the amount of time in seconds that a client may keep the IP address.
    # A client can tell the DHCP server for how long it would like to get an IP address.
    default-lease-time 21600;      # values as in dhcpd.conf.sample
    max-lease-time 43200;
    # Default gateway for the clients (192.168.10.10 in the situation above)
    option routers 192.168.10.10;
    # option nis-domain "altnix.com";
    option domain-name "altnix.com";
    # Set the DNS servers to be used by the DHCP clients (list elements are comma separated)
    option domain-name-servers 192.168.10.10, 192.168.10.20;
    # If you specify a WINS server for your Windows clients,
    # you need to include the following options in the dhcpd.conf file:
    option netbios-name-servers 192.168.10.66;
    option netbios-node-type 8;
    # You can also assign specific IP addresses based on the clients' ethernet MAC address
    # as follows (the name of the host declaration is arbitrary; the MAC address is what matters):
    host win2k3box.altnix.com {
        next-server win2k3box.altnix.com;   # boot (TFTP) server handed to the client; drop this line if you do not network-boot
        hardware ethernet 12:34:56:78:AB:CD;
        fixed-address 192.168.10.100;
    }
}
If you want to peek into more stuff, check the dhcp-options man page.
4. How to get DHCP started
$ touch /var/lib/dhcpd/dhcpd.leases
> Test whether your config file is OK:
$ dhcpd -t
> Test whether your leases file is OK:
$ dhcpd -T
This ASCII lease database is vital; it documents acquired, renewed or released leases, and without it the DHCP server will not start.
> Start the dhcp service [/usr/sbin/dhcpd]:
$ service dhcpd restart
> Check whether the dhcpd service is started with the following:
$ dhcpd -f -d        > runs the server in the foreground with logging to stderr, handy once to watch it answer requests (stop it with Ctrl-C before starting the service again)
$ ps ax | grep dhcpd
5. Configuration part: ISC DHCP client
The client sends a standardized DHCP broadcast request packet (DHCPDISCOVER) from source address 0.0.0.0 to the broadcast address 255.255.255.255; the server's answers arrive on UDP port 68.
Edit the file /etc/sysconfig/network-scripts/ifcfg-eth0:
change BOOTPROTO=none or static to BOOTPROTO=dhcp
OR
$ netconfig
Check the box "Use dynamic IP configuration (BOOTP/DHCP)". This will make the change to the file above automatically.
Restart the network:
$ service network restart
Check whether a DHCP server answers:
$ dhclient -d eth0     > runs the client in the foreground and prints the DISCOVER/OFFER/REQUEST/ACK exchange, including the address of the server that answered
Check your IP:
$ ifconfig
Note that the new IP address assigned to the client is assigned dynamically by the server from the ranges given in /etc/dhcpd.conf on the server.
NOTE: DHCP uses the BOOTP ports for its communication between the client and server. Make sure there are no firewalls blocking this traffic. DHCP servers expect requests on UDP port 67 and DHCP clients expect responses on UDP port 68.
The DHCP server writes all current IP address "leases" to the file /var/lib/dhcpd/dhcpd.leases (/var/lib/dhcp3/dhcpd.leases on Debian/Ubuntu), so you should also find the lease there:
$ cat /var/lib/dhcpd/dhcpd.leases
lease 192.168.10.229 {
  starts 2 2006/09/19 14:01:31;
  ends 3 2006/09/20 14:01:31;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:76:8b:c4:16;
  uid "\001\000\014v\213\304\026";
  client-hostname "trinity";
}
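The leases file is also the first place an incident responder looks when a log shows only an IP address and the question is which machine had it at the time. The shell script below is an added example, not part of the tutorial or of ISC dhcpd: it parses records in the format shown above (the records it uses are constructed, not real), answers "who held this address at that instant" from the active lease records, and lists the currently active leases. Lease timestamps in this file are UTC. The function names are the example's own.

```shell
#!/bin/sh
# Added example: answer "which MAC address and host name held this IP at that moment?"
# from an ISC dhcpd.leases file. The server appends a new record whenever a lease
# changes state, so older records stay in the file (until it is rewritten) and the
# file is effectively a timeline. Timestamps are UTC.

# write_sample_leases FILE: constructed records in dhcpd.leases format (not real data).
write_sample_leases() {
  cat > "$1" <<'EOF'
lease 192.168.10.229 {
  starts 2 2006/09/19 14:01:31;
  ends 3 2006/09/20 14:01:31;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:76:8b:c4:16;
  uid "\001\000\014v\213\304\026";
  client-hostname "trinity";
}
lease 192.168.10.201 {
  starts 2 2006/09/19 08:00:00;
  ends 2 2006/09/19 20:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:16:3e:aa:bb:01;
  client-hostname "neo";
}
lease 192.168.10.201 {
  starts 2 2006/09/19 20:00:00;
  ends 3 2006/09/20 08:00:00;
  binding state free;
  hardware ethernet 00:16:3e:aa:bb:01;
}
lease 192.168.10.201 {
  starts 3 2006/09/20 09:15:00;
  ends 3 2006/09/20 21:15:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:16:3e:cc:dd:02;
  client-hostname "morpheus";
}
EOF
}

# lease_holder FILE IP "YYYY/MM/DD HH:MM:SS" (UTC): prints "MAC hostname" for the active
# lease record covering that instant, or "no-lease". Only records in binding state
# active count as the address being held; a later record for the same instant wins.
lease_holder() {
  awk -v want="$2" -v t="$3" '
    function val(s) { sub(/;$/, "", s); return s }
    /^lease / { ip = $2; starts = ""; ends = ""; state = ""; mac = ""; host = "-"; next }
    /^[ \t]*starts / { starts = val($3 " " $4); next }
    /^[ \t]*ends / { ends = ($2 == "never;") ? "never" : val($3 " " $4); next }
    /^[ \t]*binding state / { state = val($3); next }
    /^[ \t]*hardware ethernet / { mac = val($3); next }
    /^[ \t]*client-hostname / { host = $2; gsub(/[";]/, "", host); next }
    /^}/ {
      # date strings compare correctly as text; "never" sorts after any date, so an
      # infinite lease covers every later instant
      if (ip == want && state == "active" && starts != "" && starts <= t && t < ends)
        found = mac " " host
    }
    END { if (found == "") print "no-lease"; else print found }
  ' "$1"
}

# active_leases FILE: "IP MAC hostname" for every address whose latest record is active.
active_leases() {
  awk '
    function val(s) { sub(/;$/, "", s); return s }
    /^lease / { ip = $2; state = ""; mac = ""; host = "-"; next }
    /^[ \t]*binding state / { state = val($3); next }
    /^[ \t]*hardware ethernet / { mac = val($3); next }
    /^[ \t]*client-hostname / { host = $2; gsub(/[";]/, "", host); next }
    /^}/ { last[ip] = (state == "active") ? mac " " host : "" }   # latest record per IP wins
    END { for (ip in last) if (last[ip] != "") print ip " " last[ip] }
  ' "$1" | sort
}

# demo
f=$(mktemp) || exit 1
write_sample_leases "$f"
lease_holder "$f" 192.168.10.201 "2006/09/19 12:00:00"
lease_holder "$f" 192.168.10.201 "2006/09/20 10:00:00"
active_leases "$f"
rm -f "$f"
```

Note what the sample shows: 192.168.10.201 belongs to two different machines on two consecutive days, so "the host with IP .201" is meaningless without a timestamp; convert the time from your log to UTC before asking.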
What all can a DHCP server provide to clients?
1. IP range                   'range'
2. netmask                    'option subnet-mask'
3. broadcast address          'option broadcast-address'
4. name server                'option domain-name-servers'
5. domain                     'option domain-name'
6. NIS domain                 'option nis-domain'
7. MAC address based IP       'hardware ethernet' and 'fixed-address'
8. default lease time         'default-lease-time'
9. max lease time             'max-lease-time'
10. gateway                   'option routers'
For NetBIOS/Samba: 'option netbios-node-type 2' selects point-to-point node (the default is hybrid; don't change this unless you understand NetBIOS very well) and 'option netbios-name-servers' points the clients at the WINS server.
Advantages of DHCP:
1. Easy configuration if there are many, many clients
2. Saves IPs
3. Fixed IP for certain clients
4. Automatic configuration of the above points
Disadvantages: the page lists none. Keep in mind, though, that plain DHCP has no authentication: any host on the segment can answer a DISCOVER, so a rogue server can hand clients its own gateway and DNS servers. DHCP snooping on the switches, or at least watching for unexpected servers with tcpdump on UDP port 67, is the usual answer.
DHCP clients obtaining 169.254.0.0 addresses
Whenever Microsoft DHCP clients are unable to contact their DHCP server they default to selecting their own IP address from the 169.254.0.0 network until the DHCP server becomes available again. This is frequently referred to as Automatic Private IP Addressing (APIPA). Here are some steps you can go through to resolve the problem:
* Ensure that your DHCP server is configured correctly and use the pgrep command discussed earlier to make sure the DHCP process is running. Pay special attention to your 255.255.255.255 route, especially if your DHCP server has multiple interfaces.
* Give your DHCP client a static IP address from the same range that the DHCP server is supposed to provide. See whether you can ping the DHCP server. If you cannot, double-check your cabling and your NIC cards.
* DHCP uses the BOOTP ports for its communication between the client and server. Make sure there are no firewalls blocking this traffic. DHCP servers expect requests on UDP port 67 and DHCP clients expect responses on UDP port 68. Use tcpdump on the server's NIC to verify the correct traffic flows.
Other DHCP failures
If the DHCP server fails to start, then use your regular troubleshooting techniques outlined in Chapter 4, "Simple Network Troubleshooting", to help rectify your problems. Most problems with an initial setup are due to:
* Incorrect settings in the /etc/dhcpd.conf file, such as not defining the networks for which the DHCP server is responsible;
* Firewall rules that block the DHCP bootp protocol on UDP ports 67 and 68;
* Routers failing to forward the bootp packets to the DHCP server when the clients reside on a separate network.
Always check your /var/log/messages file for dhcpd errors and remember that mandatory keywords in your configuration file may change when you upgrade your operating system. Always read the release notes to be sure.
When a client is to be booted, its boot parameters are determined by consulting that client's host declaration (if any), then any class declarations matching the client, followed by the pool, subnet and shared-network declarations for the IP address assigned to the client. Each of these declarations itself appears within a lexical scope, and all declarations at less specific lexical scopes are also consulted for client option declarations. Scopes are never considered twice, and if parameters are declared in more than one scope, the parameter declared in the most specific scope is the one that is used.
When dhcpd tries to find a host declaration for a client, it first looks for a host declaration which has a fixed-address declaration that lists an IP address that is valid for the subnet or shared network on which the client is booting. If it doesn't find any such entry, it tries to find an entry which has no fixed-address declaration.
EXAMPLES
A typical dhcpd.conf file will look something like this:
global parameters...
subnet 204.254.239.0 netmask 255.255.255.224 {
  subnet-specific parameters...
  range 204.254.239.10 204.254.239.30;
}
subnet 204.254.239.32 netmask 255.255.255.224 {
  subnet-specific parameters...
  range 204.254.239.42 204.254.239.62;
}
subnet 204.254.239.64 netmask 255.255.255.224 {
  subnet-specific parameters...
  range 204.254.239.74 204.254.239.94;
}
group {
  group-specific parameters...
  host zappo.test.isc.org {
    host-specific parameters...
  }
  host beppo.test.isc.org {
    host-specific parameters...
  }
  host harpo.test.isc.org {
    host-specific parameters...
  }
}
Notice that at the beginning of the file there's a place for global parameters. These might be things like the organization's domain name, the addresses of the name servers (if they are common to the entire organization), and so on. So, for example:
option domain-name "isc.org";
option domain-name-servers ns1.isc.org, ns2.isc.org;
As you can see in Figure 2, you can specify host addresses in parameters using their domain names rather than their numeric IP addresses. If a given hostname resolves to more than one IP address (for example, if that host has two ethernet interfaces), then where possible, both addresses are supplied to the client.
The most obvious reason for having subnet-specific parameters as shown in Figure 1 is that each subnet, of necessity, has its own router. So for the first subnet, for example, there should be something like:
option routers 204.254.239.1;
Note that the address here is specified numerically. This is not required: if you have a different domain name for each interface on your router, it's perfectly legitimate to use the domain name for that interface instead of the numeric address. However, in many cases there may be only one domain name for all of a router's IP addresses, and it would not be appropriate to use that name here.
In Figure 1 there is also a group statement, which provides common parameters for a set of three hosts: zappo, beppo and harpo. As you can see, these hosts are all in the test.isc.org domain, so it might make sense for a group-specific parameter to override the domain name supplied to these hosts:
option domain-name "test.isc.org";
Also, given the domain they're in, these are probably test machines. If we wanted to test the DHCP leasing mechanism, we might set the lease timeout somewhat shorter than the default:
max-lease-time 120;
default-lease-time 120;
TCP Wrappers
Almost all BSD/UNIX/Linux-like operating systems are compiled with TCP Wrappers support. For example Solaris 9, various Linux/*BSD distributions, and Mac OS X have TCP Wrappers configured to run out of the box. It is a library which provides simple access control and standardized logging for supported applications which accept connections over a network.
TCP Wrappers is a host-based networking ACL system, used to filter network access to Internet services. TCP Wrappers was originally written to monitor and stop cracking activities on UNIX workstations in the 90s. It was the best solution in the 90s to protect UNIX workstations on the Internet. However it has a few disadvantages:
1. All UNIX apps must be compiled with the libwrap library (or be started through tcpd from inetd/xinetd).
2. The wrappers do not work with RPC services over TCP.
3. The user name lookup feature of TCP Wrappers uses identd to identify the user name on the remote host. By default, this feature is disabled, as identd may appear hung when there is a large number of TCP connections. (The identd answer is supplied by the remote host and can say anything, so it is never an authentication.)
However, it has one strong advantage over a firewall: it works on the application layer. It can filter requests when encryption is used. Basically, you need to use both host-based and network-based security. Common services such as pop3, ftp, sshd, telnet and the r-services are supported by TCP Wrappers.
TCPD benefits
1. Logging: connections that are monitored by tcpd are reported through the syslog facility.
2. Access control: tcpd supports a simple form of access control that is based on pattern matching. You can even hook the execution of shell commands/scripts when a pattern matches.
3. Host name verification: tcpd verifies the client host name that is returned by the address->name DNS server by looking at the host name and address that are returned by the name->address DNS server.
4. Spoofing protection (see the PARANOID wildcard below).
How do I find out if a program is compiled with TCP Wrappers or not?
To determine whether a given executable daemon /path/to/daemon supports TCP Wrappers, check the man page, or enter:
$ ldd /path/to/daemon | grep libwrap.so
If this command returns any output, then the daemon probably supports TCP Wrappers. In this example, find out whether sshd supports TCP Wrappers or not; enter:
$ whereis sshd
Sample output:
sshd: /usr/sbin/sshd /usr/share/man/man8/sshd.8.gz
$ ldd /usr/sbin/sshd | grep libwrap.so
Sample output:
libwrap.so.0 => /lib64/libwrap.so.0 (0x00002b759b381000)
ldd is used to see if libwrap.so is a dependency or not. An alternative to TCP Wrappers support is packet filtering using iptables.
Important files
tcpd: access control facility for internet services.
/etc/hosts.allow: this file describes the names of the hosts which are allowed to use the local INET services, as decided by the /usr/sbin/tcpd server.
/etc/hosts.deny: this file describes the names of the hosts which are NOT allowed to use the local INET services, as decided by the /usr/sbin/tcpd server.
If the same client/user/IP is listed in both hosts.allow and hosts.deny, then hosts.allow takes precedence and access is permitted: hosts.allow is searched first and the first matching entry decides; only if nothing matches there is hosts.deny consulted; and if neither file matches, access is granted. An empty or missing pair of files therefore allows everything.
tcpdchk and tcpdmatch: test programs for tcpd.
Syntax (format) of host access control files
Both /etc/hosts.allow and /etc/hosts.deny use the following format:
daemon_list : client_list [: shell_command]
Where,
daemon_list: a list of one or more daemon process names.
client_list: a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address.
Wildcards
The access control language supports explicit wildcards (quoting from the man page):
ALL       The universal wildcard, always matches.
LOCAL     Matches any host whose name does not contain a dot character.
UNKNOWN   Matches any user whose name is unknown, and matches any host whose name or address are unknown. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.
KNOWN     Matches any user whose name is known, and matches any host whose name and address are known. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.
PARANOID  Matches any host whose name does not match its address. When tcpd is built with -DPARANOID (default mode), it drops requests from such clients even before looking at the access control tables. Build without -DPARANOID when you want more control over such requests.
TCPD configuration examples
Set the default policy to deny access. Only explicitly authorized hosts are permitted access. Update /etc/hosts.deny as follows:
# The default policy (no access) is implemented with a trivial deny file
ALL: ALL
The above denies all service to all hosts, unless they are permitted access by entries in the allow file. For example, allow access as follows via /etc/hosts.allow:
ALL: LOCAL @devels
ALL: .nixcraft.net.in EXCEPT boobytrap.nixcraft.net.in
Log and deny access (booby traps): we do not allow connections from crackers.com:
ALL: .crackers.com \
     : spawn (/bin/echo %a from %h attempted to access %d >> /var/log/connections.log) \
     : deny
(This entry lives in hosts.allow; the trailing "deny" option is what turns the match into a refusal. Leave it out and the line becomes an allow rule for crackers.com.)
A typical UNIX example
Allow access to various services inside the LAN only, via /etc/hosts.allow:
popd:     192.168.1.200 192.168.1.104
imapd:    192.168.1.0/255.255.255.0
sendmail: 192.168.1.0/255.255.255.0
sshd:     192.168.1.2 172.16.23.12
Deny everything via /etc/hosts.deny:
ALL: ALL
Reject all connections
Restrict all connections to non-public services to localhost only. Suppose sshd and ftpd are the names of the services which must be accessed remotely. Edit /etc/hosts.allow and add the following lines:
sshd, ftpd: ALL
ALL: localhost
Save and close the file. Edit /etc/hosts.deny and add the following line:
ALL: ALL
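The following shell script is an added example (not tcpd's own code, and not part of the original page) that applies the two files in the order tcpd uses, so you can see why a given connection is let in or refused; it also shows that a "deny" option inside hosts.allow, as in the crackers.com booby trap above, turns that entry into a refusal. It covers ALL, LOCAL, ".domain" suffixes, "1.2.3." prefixes, addr/mask, EXCEPT, continuation lines and the allow/deny option fields; KNOWN, UNKNOWN, PARANOID, netgroups and user@host forms are not modelled. The sample hosts.allow and hosts.deny are constructed, and the function names are the example's own. tcpdmatch, described further down, does the same against your real files.

```shell
#!/bin/sh
# Added example: decide a connection the way tcpd does. hosts.allow is searched first
# (first match grants), then hosts.deny (first match refuses); no match in either
# file means the connection is allowed. An "allow"/"deny" option field on a matching
# line overrides the file's own meaning. Simplified model written for this page.

# write_sample_rules DIR: constructed hosts.allow and hosts.deny (not a real system's files).
write_sample_rules() {
  mkdir -p "$1"
  cat > "$1/hosts.allow" <<'EOF'
# constructed sample hosts.allow
sshd: 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.66
ALL: LOCAL
ALL: .nixcraft.net.in EXCEPT boobytrap.nixcraft.net.in
ALL: .crackers.com \
    : spawn (/bin/echo %a from %h attempted to access %d >> /var/log/connections.log) \
    : deny
EOF
  cat > "$1/hosts.deny" <<'EOF'
# constructed sample hosts.deny
ALL: ALL
EOF
}

# tcpd_decide ALLOWFILE DENYFILE DAEMON CLIENT_HOSTNAME CLIENT_IP: prints "allow ..." or "deny ..."
tcpd_decide() {
  awk -v d="$3" -v host="$4" -v ip="$5" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # masked(ip, mask): apply a contiguous dotted netmask octet by octet
    function masked(ipstr, maskstr,   a, m, i, r) {
      split(ipstr, a, "."); split(maskstr, m, "."); r = ""
      for (i = 1; i <= 4; i++) r = r (a[i] - a[i] % (256 - m[i])) "."
      return r
    }
    # one(pattern, kind): does one pattern match the daemon (kind "daemon") or the client (kind "client")?
    function one(pat, kind,   p) {
      if (pat == "ALL") return 1
      if (kind == "daemon") return pat == d
      if (pat == "LOCAL") return index(host, ".") == 0
      if (index(pat, "/")) { split(pat, p, "/"); return masked(ip, p[2]) == masked(p[1], p[2]) }
      if (substr(pat, 1, 1) == ".") return substr(host, length(host) - length(pat) + 1) == pat
      if (substr(pat, length(pat)) == ".") return index(ip, pat) == 1
      return pat == host || pat == ip
    }
    # listmatch("a b EXCEPT c", kind): some item before EXCEPT matches and no item after it does
    function listmatch(spec, kind,   parts, n, items, k, i, hit) {
      n = split(spec, parts, / EXCEPT /)
      gsub(/,/, " ", parts[1]); k = split(trim(parts[1]), items, /[ \t]+/)
      hit = 0
      for (i = 1; i <= k; i++) if (one(items[i], kind)) hit = 1
      if (!hit || n < 2) return hit
      gsub(/,/, " ", parts[2]); k = split(trim(parts[2]), items, /[ \t]+/)
      for (i = 1; i <= k; i++) if (one(items[i], kind)) return 0
      return 1
    }
    { sub(/#.*/, "")
      if ($0 ~ /\\$/) { sub(/\\$/, ""); buf = buf $0; next }   # join continuation lines
      line = buf $0; buf = "" }
    line ~ /^[ \t]*$/ { next }
    {
      n = split(line, f, ":")
      if (n < 2 || !listmatch(f[1], "daemon") || !listmatch(f[2], "client")) next
      verdict = (FILENAME == ARGV[1]) ? "allow" : "deny"     # matched in hosts.allow or hosts.deny?
      for (i = 3; i <= n; i++) { o = trim(f[i]); if (o == "allow" || o == "deny") verdict = o }
      print verdict " (" FILENAME " line " FNR ": " trim(line) ")"
      decided = 1; exit
    }
    END { if (!decided) print "allow (no rule matched in either file; the default is allow)" }
  ' "$1" "$2"
}

# demo: a LAN workstation and the booby-trapped domain
d=$(mktemp -d) || exit 1
write_sample_rules "$d"
tcpd_decide "$d/hosts.allow" "$d/hosts.deny" sshd ws1.example.com 192.168.1.10
tcpd_decide "$d/hosts.allow" "$d/hosts.deny" sshd evil.crackers.com 203.0.113.9
rm -rf "$d"
```

Point the function at /etc/hosts.allow and /etc/hosts.deny to trace a real decision; the default-allow case at the end is why a hosts.deny without "ALL: ALL" protects nothing that hosts.allow does not mention.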
Default log files
TCP Wrappers does all its logging via syslog, according to your /etc/syslog.conf file. The following table lists the standard locations where messages from TCP Wrappers will appear:
1. AIX                       /var/adm/messages
2. HP-UX                     /usr/spool/mqueue/syslog
3. Linux                     /var/log/messages
4. FreeBSD/OpenBSD/NetBSD    /var/log/messages
5. Mac OS X                  /var/log/system.log
6. Solaris                   /var/log/syslog
Use the following commands to view the logs:
# tail -f /path/to/log/file
# grep 'ip' /path/to/log/file
# egrep -i 'ip|hostname' /path/to/log/file
How do I predict how the TCP wrapper would handle a specific request for service?
Use the tcpdmatch command. Predict how tcpd would handle an sshd request from the local system:
tcpdmatch sshd localhost
The same request, pretending that the host name lookup failed:
tcpdmatch sshd 192.168.1.5
To predict what tcpd would do when the client name does not match the client address:
tcpdmatch sshd paranoid
Replace sshd with in.telnetd, ftpd and so on. You can use all daemon names specified in the inetd.conf or xinetd.conf file.
How do I examine my TCP Wrappers config file?
Use the tcpdchk command to examine your TCP Wrappers configuration; it reports all potential and real problems it can find.
tcpdchk
tcpdchk -v
A note about TCP Wrappers and firewalls
You need to use both (firewall and tcpd) to fight against crackers.
TCP Wrappers is most commonly employed to match against IP addresses and for host-level protection.
Never configure TCP Wrappers on a firewall host.
Put TCP Wrappers on all UNIX/Linux/BSD workstations.
Do not use NIS (YP) netgroups in TCP Wrappers rules: the NIS server, not your host, would then decide who gets in.
Put TCP Wrappers behind a firewall system, as TCP Wrappers is no substitute for a netfilter or pf firewall.
TCP Wrappers does provide increased security, as a firewall cannot examine encrypted connections (read: packets).
Xinetd
xinetd, the eXtended InterNET Daemon, is an open source daemon which runs on many Linux and Unix systems and manages Internet-based connectivity. It offers a more secure extension to, or version of, inetd, the Internet daemon.
xinetd performs the same function as inetd: it starts programs that provide Internet services. Instead of having such servers started at system initialization time and lying dormant until a connection request arrives, xinetd is the only daemon process started, and it listens on all the service ports for the services listed in its configuration file. When a request comes in, xinetd starts the appropriate server. Because of the way it operates, xinetd (as well as inetd) is also referred to as a super-server.
Task: xinetd configuration file locations
The following are the important configuration files for xinetd:
/etc/xinetd.conf            The global xinetd configuration file.
/etc/xinetd.d/ directory    The directory containing all service-specific files, such as ftp.
Task: understanding the default configuration file
You can view the default configuration file with the less or cat command:
# less /etc/xinetd.conf    OR    # cat /etc/xinetd.conf
Output:
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/
defaults
{
        instances               = 60
        log_type                = SYSLOG authpriv
        log_on_success          = HOST PID
        log_on_failure          = HOST
        cps                     = 25 30
}
includedir /etc/xinetd.d
Where,
instances = 60: determines the number of servers that can be simultaneously active for a service. So 60 is the maximum number of requests xinetd can handle at once.
log_type = SYSLOG authpriv: determines where the service log output is sent. You can send it to SYSLOG at the specified facility (authpriv will send the log to the /var/log/secure file).
log_on_success = HOST PID: forces xinetd to log if the connection is successful. It will log the HOST name and Process ID to the /var/log/secure file.
log_on_failure = HOST: forces xinetd to log to /var/log/secure if a connection is dropped or if the connection is not allowed.
cps = 25 30: limits the rate of incoming connections. Takes two arguments. The first argument is the number of connections per second to handle. If the rate of incoming connections is higher than this, the service will be temporarily disabled. The second argument is the number of seconds to wait before re-enabling the service after it has been disabled. The default for this setting is 50 incoming connections and the interval is 10 seconds. This is good to avoid a DoS attack against your service (note that the limit is itself a way for an attacker to take the service down for 30 seconds at a time, so keep it realistic for your load).
includedir /etc/xinetd.d: read the other service-specific configuration files in this directory.
Task: how to create my own service called foo
Here is a sample config file for a service called foo, located at /etc/xinetd.d/foo:
# vi /etc/xinetd.d/foo
And append the following text:
service foo
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/foo
        instances       = 20
}
(The service name is looked up in /etc/services to find the port; for a name that is not listed there add "type = UNLISTED" and "port = <number>". Run the server as root only if it really requires it; a dedicated unprivileged user is the safer default, and "only_from = 192.168.1.0/24" limits who can connect at all.)
Where,
socket_type: sets the network socket type to stream.
protocol: sets the protocol type to TCP.
wait: you can set the value to yes or no only. It defines whether the service is single-threaded (if set to yes) or multi-threaded (if set to no).
user: the user who will run the foo server.
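Since every file dropped into /etc/xinetd.d defines a listening service, it is worth checking them as a set rather than one at a time. The shell script below is an added example, not part of xinetd or of this page: it parses service files in the format shown above (the four files it creates are constructed samples) and reports services that are enabled without an only_from restriction or that run as root. The function names are the example's own.

```shell
#!/bin/sh
# Added example: audit /etc/xinetd.d-style service files. A service is enabled unless
# "disable = yes" is set; without "only_from" xinetd accepts the service from any client
# that can reach the port; "user = root" means the spawned server has full privileges.

# write_sample_services DIR: constructed service files, not copied from a real system.
write_sample_services() {
  mkdir -p "$1"
  cat > "$1/foo" <<'EOF'
service foo
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/foo
        only_from       = 192.168.1.0/24
        instances       = 20
}
EOF
  cat > "$1/rsync" <<'EOF'
service rsync
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
}
EOF
  cat > "$1/telnet" <<'EOF'
service telnet
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
}
EOF
  cat > "$1/tftp" <<'EOF'
service tftp
{
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = nobody
        server          = /usr/sbin/in.tftpd
        only_from      += 192.168.1.0/24
}
EOF
}

# xinetd_audit DIR: one line per service, "FINDING file service detail" or "OK file service detail".
xinetd_audit() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    awk -v file="${f##*/}" '
      function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
      /^[ \t]*#/ { next }
      /^[ \t]*service[ \t]+/ { name = $2; sub(/[{].*/, "", name)
                               disable = "no"; only = ""; user = ""; next }
      /=/ {
        n = index($0, "="); key = trim(substr($0, 1, n - 1)); val = trim(substr($0, n + 1))
        sub(/[ \t]*[+-]$/, "", key)                 # "only_from +=" -> "only_from"
        if (key == "disable") disable = val
        else if (key == "only_from") only = val
        else if (key == "user") user = val
        next
      }
      /^[ \t]*}/ {
        if (name == "") next
        if (disable == "yes") { print "OK " file " " name " disabled"; name = ""; next }
        hit = 0
        if (only == "") { print "FINDING " file " " name " enabled without only_from (reachable from any client)"; hit = 1 }
        if (user == "root") { print "FINDING " file " " name " runs as root"; hit = 1 }
        if (!hit) print "OK " file " " name " enabled, restricted to " only ", runs as " user
        name = ""
      }
    ' "$f"
  done
}

# demo
d=$(mktemp -d) || exit 1
write_sample_services "$d"
xinetd_audit "$d"
rm -rf "$d"
```

Run `xinetd_audit /etc/xinetd.d` on a real host; the defaults section of /etc/xinetd.conf can also carry only_from and a "disabled =" list, so a clean service-level audit is necessary but not sufficient.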
Task: stop or restart xinetd
To restart the xinetd service type the command:
# /etc/init.d/xinetd restart
To stop the xinetd service type the command:
# /etc/init.d/xinetd stop
To start the xinetd service type the command:
# /etc/init.d/xinetd start
Task: verify that xinetd is running
Type the following command to verify whether the xinetd service is running or not:
# /etc/init.d/xinetd status
Output:
xinetd (pid 6059) is running...
SAMBA
SAMBA: the SMB protocol (Server Message Block), aka NetBIOS over TCP/IP
[c] Andrew Tridgell
CIFS -> ADS
History:
1. IBM PC-DOS; M$ DOS, called MS-DOS; NetBIOS, 1985
2. NetBIOS -> NetBEUI
3. Soon they discarded NetBEUI because it did not support TCP/IP (it is not routable)
4. NetBIOS -> NetBEUI -> NetBIOS over TCP/IP, aka NBT
5. The name changed from NetBIOS/TCP-IP to SMB, to CIFS [Common Internet File System], to ADS
IPX/SPX: Novell's Internetwork Packet Exchange / Sequenced Packet Exchange
sawtimber, samba: the dictionary words matching s*m*b from which the name "Samba" was picked
Latest at the time of writing: Windows Vista (code name Longhorn), 2006
Uses of Samba:
1. As a file server [file sharing]: HW/SW resource sharing like NFS, but across operating systems
2. As a WINS [Windows Internet Name Service] or NBNS server
3. As a PDC [primary domain controller; SAM = Security Account Manager]
4. As a print server using CUPS
Config file: /etc/samba/smb.conf
Program 1
[funny]                       # share, or section, or service
path = /opt/funny             # directive
$ service smb restart
$ testparm
(A share defined with only "path" is read-only (the default for "read only" is yes), browseable and open to every authenticated Samba user; add "valid users = @funny" or similar to limit who may connect, and set "writable = yes" only when needed.)
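The share above is minimal, and what a minimal share permits depends on Samba's defaults (read only = yes, guest ok = no, every authenticated user admitted unless valid users is set). The audit below is an added shell example, not from the page or from Samba: it parses an smb.conf (constructed inline), applies those defaults and the synonym parameters (writable/writeable/write ok, public), and reports shares that are open to guests, writable by guests, writable without a valid users list, or readable by every authenticated user. The function names are the example's own.

```shell
#!/bin/sh
# Added example: audit smb.conf share definitions for the settings that turn a file
# server into an open drop box. Samba defaults applied here: "read only" defaults to
# yes ("writable = yes", "writeable = yes", "write ok = yes" or "read only = no" opens
# writing), "guest ok"/"public" defaults to no, and a share without "valid users"
# admits every authenticated Samba user.

# write_sample_smbconf FILE: constructed smb.conf, not a real server's.
write_sample_smbconf() {
  cat > "$1" <<'EOF'
# constructed sample smb.conf
[global]
   workgroup = ALTNIX
   security = user
[funny]
   path = /opt/funny
[dropbox]
   path = /srv/dropbox
   writable = yes
   guest ok = yes
[projects]
   path = /srv/projects
   read only = no
   valid users = @staff
[tmpshare]
   comment = scratch
   path = /tmp
   public = True
EOF
}

# smb_audit FILE: one line per finding, "TAG share"
smb_audit() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function bool(v) { return (v == "yes" || v == "true" || v == "1") ? "yes" : "no" }
    function report() {
      if (share == "" || share == "global") return
      if (guest == "yes")                        print "GUEST-ACCESS " share
      if (guest == "yes" && writable == "yes")   print "WORLD-WRITABLE " share
      if (writable == "yes" && valid == "")      print "WRITABLE-NO-VALID-USERS " share
      if (guest != "yes" && valid == "")         print "ALL-AUTHENTICATED-USERS " share
    }
    /^[ \t]*[#;]/ { next }                                   # comment lines
    /^[ \t]*\[/ {                                            # new section: report the previous one
      report()
      share = $0; sub(/^[ \t]*\[/, "", share); sub(/].*$/, "", share)
      guest = "no"; writable = "no"; valid = ""
      next
    }
    /=/ {
      n = index($0, "=")
      key = tolower(trim(substr($0, 1, n - 1))); val = tolower(trim(substr($0, n + 1)))
      if (key == "guest ok" || key == "public")                              guest = bool(val)
      else if (key == "writable" || key == "writeable" || key == "write ok") writable = bool(val)
      else if (key == "read only")                                           writable = (bool(val) == "yes") ? "no" : "yes"
      else if (key == "valid users")                                         valid = val
    }
    END { report() }
  ' "$1"
}

# demo
f=$(mktemp) || exit 1
write_sample_smbconf "$f"
smb_audit "$f"
rm -f "$f"
```

Run `smb_audit /etc/samba/smb.conf` after `testparm` confirms the file parses; the [funny] share from Program 1 shows up as ALL-AUTHENTICATED-USERS, which is exactly what a bare "path =" share is.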
192
b.sadhiq
www.altnix.com
Windows
$netview
$netviewIP
$netuse*\\<ip>\funny
$netuse*/d
$nbtstataIP
$rpmqlsamba
/etc/logrotate.d/sambaLogRotationFile
>LogFiles:/var/log/samba
/etc/pam.d/samba
Sambareliesheavilyuponauthenticationbeforeprovidingaccessto
theuserssuchasfileandprinters.ItsintegratedwithSamba
Authentication,Accountingaswellassessionmanagementishandled
viathesambaentriesinpam.d
/etc/samba/smbusers
Providesamappingbetweenwindowsusersandlocallinuxbased
usersAlthoughsambacanintegrateinWindowsWorldbefore
providingaccesstolocalresourcessuchasfilesonthefile
system,usersmustbeauthenticatedbythelocallinuxsystem.
Defaultsmbusersfilecontainsmappingforlocallinux
administratorwhichisrootandroot'sequivalentuserinwindows
worldisadministrator.Howeversomecallitasadmin.Ifeitherof
twouserstrytoconnecttosharetheyshouldbeequatedtothe
localunixuserrootprovidingtheyknowthepassword.Thepassword
shouldbesameasofadministratorandrootuser,otherwiseitwould
promptforthepassword,whentheyconnecttothesambashare.
Iflocalwindowsuserslogsinthroughguest,pcguestandsmbguest
theyareequatedwith"nobody"useronlinuxsystem
/etc/sysconfig/samba
Whichspecifiestheparametertorunsmbdandnmbdasadeamon
/var/spool/samba
Ifremoteusersattempttospoolprintjobtooursambaserver,they
aregenerallyspooledtothisdirectorySambanicelyintegrates
withCUPS(defautmodularPrintingSystem)
193
b.sadhiq
www.altnix.com
SMBservicesareprovidedbytheNetBIOSprotocol.NetBIOSmakes
itsownnamespaceavailable,whichiscompletelydifferentfrom
thedomainnamesystem.
ThisnamespacecanbeaccessedwiththeUniqueNamingConvention
(UNC)notation:allservicesprovidedbyaserverareaddressed
as\\Server\Servicename.
Fileorprintservicesofferedbyaserverarealsocalledshares.
TheserversideofSambaconsistsof2parts:
smbd.SMB/CIFSserver
Thisdaemonprovidesfileandprintservicesforclientsin
thenetwork.
authenticationandauthorization
Fileandprintersharing
nmbd.NetBIOSnameserver
ThisdaemonhandlesallNetBIOSrelatedtasks.
resourcebrowsing
WINSserver
TointegrateLinuxasclientinaWindowsenvironment,Samba
provides2tools:
winbind.ThisdaemonintegratesaLinuxsystemintoaWindows
authentication system(ActiveDirectory).
nmblookup.ThistoolcanbeusedforNetBIOSnameresolutionand
testing.
smbclient.ThistoolprovidesaccesstoSMBfileandprint
services.
Sambaversion3.0.22.Animportantnewfeatureinthisversionis
theKerberossupportinwinbind.ThisallowsaKerberosbased
integrationintoActiveDirectorydomains.Novellisanimportant
contributoroftheSambaproject.
Packages installed in RHEL AS 4:
$ rpm -qa | grep samba
samba-3.0.10-1.4E.2
represents the files that are included in your system as Samba server
samba-client-3.0.10-1.4E.2
contains the client based components
system-config-samba-1.2.21-1
tool to configure Samba
samba-common-3.0.10-1.4E.2
contains shared components
$ rpm -ql samba-common
/etc/samba/smb.conf
Main configuration file
/etc/samba/lmhosts
The hostname "localhost" is considered to be a NetBIOS hostname. lmhosts is similar to lmhosts of the Windows world. When you attempt to access a Windows based system or a Samba based system by name, translation can occur with the aid of the lmhosts file, especially when you are using Samba based clients. It is one of the options but not the only option, since Samba based clients can also rely upon /etc/hosts as well as DNS and WINS (a centralized name repository).
/usr/bin/net
It can be used for joining a Samba system to a remote domain such as an NT4 style domain or a Windows 2000 style Active Directory domain. The net command allows us to join those domains.
/usr/bin/smbpasswd
Allows us to set a password for locally stored users, so that when we attempt to authenticate remote users they are able to do so through
$ smbpasswd
$ /usr/bin/testparm
If you change the smb.conf file, which resides in /etc/samba, manually, testparm checks to ensure that the parameters are correct.
/var/log/samba
Log files pertaining to the Samba server
The Samba Configuration File
The /etc/samba/smb.conf file is the main configuration file you'll need to edit.
Three ways to approach this file:
system-config-samba (Red Hat's tool)
SWAT
Manually
It is split into five major sections.
File format of smb.conf
Section        Description
[global]       General Samba configuration parameters
[printers]     Used for configuring printers
[homes]        Defines treatment of user logins
[netlogon]     A share for storing logon scripts. (Not created by default.)
[profile]      A share for storing domain logon information such as "favorites" and desktop icons. (Not created by default.)
smb.conf Minimum Settings, "Global" Section
Parameter = value, followed by its description:
domain logons = Yes
    Tells Samba to become the PDC.
preferred master = Yes
    Makes the PDC act as the central store for the names of all Windows clients, servers and printers on the network. Very helpful when you need to "browse" your local network for resources. Also known as a local master browser.
domain master = Yes
    Tells Samba to become the master browser across multiple networks all over the domain. The local master browsers register themselves with the domain master to learn about resources on other networks.
os level = 65
    Sets the priority the Samba server should use when negotiating to become the PDC with other Windows servers. A value of 65 will usually make the Samba server win.
wins support = Yes
    Allows the Samba server to provide name services for the network. In other words, keeps track of the IP addresses of all the domain's servers and clients.
time server = Yes
    Lets the Samba server provide time updates for the domain's clients.
workgroup = "homenet"
    The name of the Windows domain we'll create. The name you select is your choice. I've decided to use "homenet".
security = user
    Makes domain logins query the Samba password database located on the Samba server itself.
smb passwd file = /etc/samba/smbpasswd
    It is useful to specify the name and location of the Samba password file. This helps with Samba version upgrades where the default locations may change.
private dir = /etc/samba
    Specifies the default directory for some supporting temporary files. As with the password file, it is good practice to specify this value.
Security Levels
user (user, server, ADS, domain)
user
In user mode we authenticate against the local Unix /etc/passwd file.
server
We pass authentication off. Server mode simply passes off authentication to the password authentication server such as an NT4 or Win2K domain controller.
domain
This is used to join an NT4 style domain. You need a computer account in the NT4 style domain.
ADS
Same as domain but with different behaviour. If ADS is in native mode, then you will need to join the domain, and you need to know the Kerberos realm so that we can accept Kerberos tickets.
share
This is the mode where you tie a password to a share; if a user knows the password they are granted the read-only or read-write share. This is implemented where everyone knows the password.
Creating User
$ useradd champu
$ passwd champu
Assigning an smb password to user champu
$ smbpasswd -a champu
Editing the configuration file
$ vi /etc/samba/smb.conf
[myshare]
comment = Windoze champu
path = /home/champu
valid users = champu
public = yes
writable = yes
printable = no
create mask = 0765
public
This parameter is a synonym for guest ok.
$ service smb restart
Gathering information:
$ smbclient -L 192.168.10.66 -U champu
The -L option should be used to determine if the Samba server is even running and listening for network requests.
Accessing Samba Server
$ smbclient //192.168.10.66/myshare -U champu
smb: \> ls
smb: \> mkdir docs
smb: \> ls
smb: \> quit
Accessing Samba Server From Windows
Accessing Samba Server From X Windows
Open Nautilus; in the Location section enter
smb://192.168.10.66
Permanent Mounting with Linux Samba Clients
$ mkdir /bill
$ vi /etc/samba/pass
username=champu
password=x
$ vi /etc/fstab
//192.168.10.60/myshare /bill smbfs credentials=/etc/samba/pass 0 0
$ mount -a
$ df -h
$ cd /bill
Permanent Mounting Linux Samba Client Using the Automounter
$ vi /etc/auto.master
/misc /etc/auto.smb --timeout=60
$ vi /etc/auto.smb
samba -fstype=smbfs,username=champu,password=x ://192.168.10.60/myshare
$ service autofs restart
$ cd /misc/samba
$ ls -l
$ vi /etc/samba/smb.conf
[myshare]
hosts deny = 192.168.10.100
comment = Windoze champu
path = /home/champu
valid users = champu
public = yes
writable = yes
printable = no
create mask = 0765
$ service smb restart
[hpcolor]
comment = The HP 4500N
path = /usr/spool/lpd/hpcolor
browseable = yes
printable = yes
public = yes
writable = yes
create mode = 0700
Usage: smbmount
$ smbmount //192.168.10.60/myshare /bill -o username=champu,password=x
$ cd /bill
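The shares above combine public = yes (a synonym for guest ok) with writable = yes while also naming valid users, so it is worth scanning the share sections for such combinations before running testparm. The following is an added example, not part of the original notes or of Samba: a hypothetical smb_share_audit helper run over a constructed smb.conf (share names, paths and the /srv/private share are made up for illustration).

```shell
#!/bin/sh
# Added example: audit the share sections of an smb.conf for settings that
# widen access (guest/public writes, missing host restrictions, loose masks).
# Hypothetical helper, not part of Samba; the config below is constructed.

SAMPLE_SMB_CONF="${SAMPLE_SMB_CONF:-$(mktemp)}"
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[global]
   workgroup = MYDOMAIN
   security = user

[myshare]
   comment = Windoze champu
   path = /home/champu
   valid users = champu
   public = yes
   writable = yes
   printable = no
   create mask = 0765

[hpcolor]
   comment = The HP 4500N
   path = /usr/spool/lpd/hpcolor
   printable = yes
   public = yes
   writable = yes
   create mode = 0700

[private]
   path = /srv/private
   valid users = champu
   hosts allow = 192.168.10.0/24
   hosts deny = ALL
   public = no
   writable = yes
   create mask = 0640
EOF

# smb_share_audit FILE
# Prints one "share: finding" line per weak setting and nothing for a clean
# share. Section and key names are matched case-insensitively with whitespace
# around '=' normalised, the way testparm reads them; [global] is skipped.
smb_share_audit() {
    awk '
    function flush() {
        if (sec == "" || sec == "global") return
        # guest ok / public lets unauthenticated users in; with write it is worse
        if (guest == "yes" && write == "yes" && printable != "yes")
            print sec ": guest (public) access combined with writable = yes"
        # printable already allows spooling; writable adds non-print writes
        if (guest == "yes" && write == "yes" && printable == "yes")
            print sec ": printer share also writable: guests can write non-print files to the spool path"
        # valid users does not restrict guest logins when guest ok = yes
        if (guest == "yes" && validusers != "")
            print sec ": valid users = " validusers " is bypassed by guest ok = yes"
        if (hostsallow == "" && hostsdeny == "")
            print sec ": no hosts allow / hosts deny restriction"
        # last octal digit is "others"; 2,3,6,7 carry the write bit
        if (mask != "" && substr(mask, length(mask)) ~ /[2367]/)
            print sec ": create mask " mask " grants write to others"
    }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ {
        flush()
        sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/[]].*$/, "", sec)
        guest = "no"; write = "no"; printable = "no"
        validusers = ""; hostsallow = ""; hostsdeny = ""; mask = ""
        next
    }
    /=/ {
        key = tolower($0); sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
        val = tolower($0); sub(/^[^=]*=[ \t]*/, "", val); gsub(/[ \t]+$/, "", val)
        if (key == "guest ok" || key == "public") guest = val
        else if (key == "writable" || key == "writeable") write = val
        else if (key == "read only") write = (val == "no") ? "yes" : "no"
        else if (key == "printable") printable = val
        else if (key == "valid users") validusers = val
        else if (key == "hosts allow") hostsallow = val
        else if (key == "hosts deny") hostsdeny = val
        else if (key == "create mask" || key == "create mode") mask = val
    }
    END { flush() }
    ' "$1"
}

# smb_share_findings FILE: number of findings; 0 means every share passed.
smb_share_findings() {
    smb_share_audit "$1" | wc -l | tr -d ' '
}
```

On the constructed file the two shares copied from the notes produce five findings and the restricted [private] share produces none.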
There are basically two ways in which this can happen:
The LMBs register themselves with a WINS server and thus are able to determine that other LMBs serve the same workgroup.
The workgroup is a domain: all systems in the domain make use of one Primary Domain Controller (PDC) for authentication. Such a PDC is also required to be the DMB. Since all systems know the IP address of the PDC, they also know which DMB to use.
lmhosts: static mapping
WINS server: dynamic mapping
Samba as an NT Domain Member
Samba emulates an NT workstation when becoming part of the domain. So, the first thing you need to do is create a machine account for your Samba machine on the domain controller. In NT you would use the program Server Manager for Domains to create the account. Once the account is created, all you need to add are the following lines to your smb.conf file under the global section.
# Your workgroup or domain that you want to log in to
workgroup = FREEOS
# Tell Samba to talk to the domain controller for authentication
security = domain
# Specify the server to authenticate from. You can specify the NetBIOS names of the servers or simply put in a * here to let Samba find the server through broadcast
password server = PS1 PS2
# Make sure Samba is using encrypted passwords
encrypt passwords = yes
Now stop the Samba daemons
$ /etc/rc.d/init.d/smb stop
Give the following command to join the NT domain
$ smbpasswd -j DOMAIN -r DOMAINPDC
Samba PDC
We will set up 1 domain, "mydomain1", on a Linux machine with Samba.
1. Create a Samba config file in /etc/samba/ and copy-paste the content in the 2nd step.
a. smb.conf
2. Your smb.conf will look like below:
[global]
workgroup = mydomain1
netbios name = server1
time server = Yes
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
security = user
mangling method = hash
add machine script = /usr/sbin/useradd -d /dev/null -g trust -s /bin/false -M %u
log file = /var/log/samba/log.%m
log level = 3 passdb:5 auth:10 winbind:2
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U\.profile
logon script = logon.cmd
## put your Samba server IP address
interfaces = 192.168.2.249/24
bind interfaces only = yes
lock directory = /var/lib/samba/locks/server1
[homes]
read only = No
browseable = Yes
create mask = 0644
directory mask = 0755
[netlogon]
path = /var/lib/samba/netlogon
guest ok = yes
[profiles]
path = /var/lib/samba/profiles
browseable = yes
read only = No
create mask = 0600
directory mask = 0700
root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; \
  then mkdir -pm 700 $PROFILE; chown %u:%g $PROFILE; fi
3. Then create the below directory:
/var/lib/samba/locks/server1
4. Start the Samba server:
/etc/init.d/smb start
5. Check whether smb started or not:
ps -ef | grep smb
6. Add trust account (for NT machines only)
groupadd trust
useradd -g trust -d /dev/null -s /bin/false <machinename>\$
passwd -l <machinename>\$
====> NOTE: PLEASE DON'T FORGET TO GIVE '\$' IN THE ABOVE 2 COMMANDS
smbpasswd -m -a <machinename>
7. Adding administrator account
smbpasswd -a root
(gives a Samba passwd for root)
8. FOR WIN XP PRO users, NOT for WIN 98 or XP HOME
Log in to that Windows machine (machinename) as administrator.
Right click on "My Computer" and click on "Properties"
Click on the "Computer Name" tab
Click on "Change"
Put domain "mydomain1"
Click OK
It will ask for the domain admin username & passwd. Give username: root and the smbpasswd of root.
If everything is good then it will show you "Welcome to mydomain1"
SAMBA PDC WITH LINUX/WINDOWS CLIENT
SAMBA PDC
make dir: /var/lib/samba/locks/server
smb.conf
[global]
workgroup = MYDOMAIN
netbios name = server
#time server = Yes
domain logons = Yes
os level = 33
preferred master = Yes
#local master = Yes
local master = no
domain master = Yes
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
security = user
passdb backend = tdbsam
# when you use passdb backend = tdbsam, a newly created Samba user is stored
# (username and passwd) in the passdb.tdb file rather than the smbpasswd file
mangling method = hash
add machine script = /usr/sbin/useradd -d /dev/null -g trust -s /bin/false -M %u
#add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
log file = /var/log/samba/log.%m
log level = 3 passdb:5 auth:10 winbind:2
# for login windows machines
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U\.profile
logon script = %m.bat
logon script = %U.bat
## put your Samba server IP address: eth0 (optional)
interfaces = eth0 192.168.1.0/24
bind interfaces only = yes
lock directory = /var/lib/samba/locks/server
[homes]
read only = No
browseable = Yes
create mask = 0644
directory mask = 0755
valid users = %S
valid users = MYDOMAIN\%S
##
[netlogon]
path = /var/lib/samba/netlogon
guest ok = yes
[profiles]
path = /var/lib/samba/profiles
browseable = yes
read only = No
create mask = 0600
directory mask = 0700
root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; then mkdir -pm 700 $PROFILE; chown %u:%g $PROFILE; fi
Client side configuration
1>. smb.conf
[global]
netbios name = station
workgroup = MYDOMAIN
security = domain
password server = 192.168.1.2
#realm = AVTECH.LOCAL
encrypt passwords = yes
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
#idmap backend = ad
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = true
2>. system-config-authentication
Only check the winbind setting and specify the domain name and the other required parameters.
It will do the required winbind changes in the following files:
a> /etc/nsswitch.conf
b> /etc/pam.d/system-auth
/etc/pam.d/system-auth
session required pam_mkhomedir.so skel=/etc/skel umask=0077
Insert this line at the bottom of the system-auth file just before
session required pam_unix.so
3.> Try to join the domain using the following:
net rpc join <domainname> -U root
Also we can join using
system-config-authentication
The GUI authentication window opens
select domain join
enter the administrator name, ie root, and passwd
click join
FIREWALL / IPTABLES
What's a firewall?
Without getting into technical explanations, a firewall is simply a host whose main purpose is to protect your network. A firewall restricts certain types of network traffic from the Internet to your protected network(s); the reverse is also often true.
Firewalls have always been referred to as Layer 3 security because for many years firewalls were only able to understand information as it passed over the network layer (layer 3). Now the technology has moved forward: firewalls have become more flexible and more intelligent, ultimately earning names such as Layer 7 firewall or application level firewall.
So the term firewall is not necessarily as accurate today as it has always been, because there are various levels of firewalls.
Let's peek into the concepts of firewalls and how they might apply to security practices in a Linux environment.
First we are going to look at IPTABLES, the de facto standard for securing Linux at the firewall level. It pretty much comes bundled with everything across the board, it is pretty easy to configure and it offers a lot of flexibility.
What a firewall is not?
Magic. A firewall cannot make your network absolutely secure.
A bastion host. In an ideal world, this would be true. However, a firewall is only as secure as the work you put into securing it.
Types of exploits
Remote. Your host is listening on a port that the attacker is able to connect to remotely over a network and exploit a vulnerability somehow. This is the only type of attack a firewall can (hopefully) protect you against. There is another important point here that most firewall howtos neglect. In order for someone to exploit your box remotely, it has to be listening on some ports (i.e. providing a way for an attacker to connect). Therefore, if your host isn't listening on any ports, you are safe from remote exploits (unless the attacker manages to attack the network stack itself).
Why do you need a firewall?
* Increase your network security. Some services are inherently insecure and impossible to secure on individual hosts. A firewall can help you segment and contain parts of your network to increase security.
* Network access control. A firewall can help you enforce your network security policies by selectively allowing network services (to all or selected hosts).
* Logging. Because a firewall must examine all inbound/outbound network traffic, it can help you log network activity (that passes through the firewall).
So What's A Packet Filter?
A packet filter is a piece of software which looks at the header of packets as they pass through, and decides the fate of the entire packet. It might decide to DROP the packet (i.e., discard the packet as if it had never received it), ACCEPT the packet (i.e., let the packet go through), or something more complicated.
Under Linux, packet filtering is built into the kernel (as a kernel module, or built right in), and there are a few trickier things we can do with packets, but the general principle of looking at the headers and deciding the fate of the packet is still there.
IPTABLES
replaces the older ipchains firewall in Linux
available since the 2.4 kernel
Allows configuration of built-in firewall rules for host-based protection
IPtables can be used for routing, forwarding, filtering
ipfwadm for Linux kernel 2.0
ipchains for Linux kernel 2.2
iptables for Linux kernel 2.4/2.6
What is Netfilter/Iptables?
Netfilter is the framework in Linux kernels that allows for firewalling, NAT, and packet mangling.
Iptables is the userspace tool that works with the Netfilter framework (technically a lie; Iptables is also a part of the Netfilter framework in the kernel). Think of Netfilter as kernel space, and Iptables as user space.
Iptables is merely a user space tool that provides the administrator the means of configuring the core netfilter services that are actually part of the kernel.
IPtables is a stateful packet filtering firewall
We can monitor the states of the communication process and make decisions based on that. Definitely a useful feature. In the past, people were able to bypass firewall rules by skipping the beginning part of the TCP communication process.
A stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.
Before the advent of stateful firewalls, a stateless firewall, a firewall that treats each network frame (or packet) in isolation, was normal. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet. Modern firewalls are connection-aware (or state-aware), affording network administrators finer-grained control of network traffic.
Can filter based upon source IP address, protocol, port and connection state; connection state is what defines iptables as a stateful packet filtering firewall.
Can filter based upon MAC address
This is obviously used very little. But in some DMZ environments where you have a controlled set of MACs this might be a little bit easier or make more sense to use this feature.
Can filter out malformed packets based upon TCP flags set in packets
So we know that a particular machine will never be seeing a christmas tree packet where pretty much everything is turned on, so we can set up filters to protect against these types of attacks.
Packet Processing In iptables
All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain.
There are three tables in total. The first is the mangle table which is responsible for the alteration of quality of service bits in the TCP header. This is hardly used in a home or SOHO environment.
The second table is the filter queue which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. These are the:
Forward chain: Filters packets to servers protected by the firewall.
Input chain: Filters packets destined for the firewall.
Output chain: Filters packets originating from the firewall.
The third table is the nat queue which is responsible for network address translation. It has two built-in chains; these are:
Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.
Post-routing chain: NATs packets when the source address of the packet needs to be changed.
Queue type   Queue function                Packet transformation chain in queue   Chain function
Filter       Packet filtering              FORWARD        Filters packets to servers accessible by another NIC on the firewall.
                                           INPUT          Filters packets destined to the firewall.
                                           OUTPUT         Filters packets originating from the firewall.
Nat          Network Address Translation   PREROUTING     Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.
                                           POSTROUTING    Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.
                                           OUTPUT         Network address translation for packets generated by the firewall. (Rarely used in SOHO environments)
Mangle       TCP header modification       PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD   Modification of the TCP packet quality of service bits before routing occurs. (Rarely used in SOHO environments)
You need to specify the table and the chain for each firewall rule you create. There is an exception: most rules are related to filtering, so iptables assumes that any chain that's defined without an associated table will be a part of the filter table. The filter table is therefore the default.
To help make this clearer, take a look at the way packets are handled by iptables. In Figure 14.1 a TCP packet from the Internet arrives at the firewall's interface on Network A to create a data connection.
The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. It is then routed.
If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT in the POSTROUTING chain before arriving at Network B. When the destination server decides to reply, the packet undergoes the same sequence of steps. Both the FORWARD and POSTROUTING chains may be configured to implement quality of service (QoS) features in their mangle tables, but this is not usually done in SOHO environments.
If the packet is destined for the firewall itself, then it passes through the mangle table of the INPUT chain, if configured, before being filtered by the rules in the INPUT chain of the filter table. If it successfully passes these tests then it is processed by the intended application on the firewall.
At some point, the firewall needs to reply. This reply is routed and inspected by the rules in the OUTPUT chain of the mangle table, if any. Next, the rules in the OUTPUT chain of the nat table determine whether DNAT is required and the rules in the OUTPUT chain of the filter table are then inspected to help restrict unauthorized packets. Finally, before the packet is sent back to the Internet, SNAT and QoS mangling is done by the POSTROUTING chain.
Packet Flow As Follows
(packet flow diagram not reproduced)
Targets And Jumps
Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet needs to jump over to it for further processing. Table 14.2 lists the built-in targets that iptables uses.
Table 14-2 Descriptions Of The Most Commonly Used Targets
Target        Description (first line) and most common options (second line)
ACCEPT        iptables stops further processing. The packet is handed over to the end application or the operating system for processing.
              N/A
DROP          iptables stops further processing. The packet is blocked.
              N/A
LOG           The packet information is sent to the syslog daemon for logging. iptables continues processing with the next rule in the table. As you can't log and drop at the same time, it is common to have two similar rules in sequence. The first will log the packet, the second will drop it.
              --log-prefix "string": Tells iptables to prefix all log messages with a user defined string. Frequently used to tell why the logged packet was dropped.
REJECT        Works like the DROP target, but will also return an error message to the host sending the packet that the packet was blocked.
              --reject-with qualifier: The qualifier tells what type of reject message is returned. Qualifiers include: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, tcp-reset, echo-reply
DNAT          Used to do destination network address translation, ie. rewriting the destination IP address of the packet.
              --to-destination ipaddress: Tells iptables what the destination IP address should be.
SNAT          Used to do source network address translation, rewriting the source IP address of the packet. The source IP address is user defined.
              --to-source <address>[-<address>][:<port>-<port>]: Specifies the source IP address and ports to be used by SNAT.
MASQUERADE    Used to do source network address translation. By default the source IP address is the same as that used by the firewall's interface.
              [--to-ports <port>[-<port>]]: Specifies the range of source ports to which the original source port can be mapped.
Important Iptables Command Switch Operations
Each line of an iptables script not only has a jump, but they also have a number of command line options that are used to append rules to chains that match your defined packet characteristics, such as the source IP address and TCP port. There are also options that can be used to just clear a chain so you can start all over again. Tables 14.2 through 14.6 list the most common options.
Table 14-2 General Iptables Match Criteria
iptables command switch   Description
-t <table>                If you don't specify a table, then the filter table is assumed. As discussed before, the possible built-in tables include: filter, nat, mangle
-j <target>               Jump to the specified target chain when the packet matches the current rule.
-A                        Append rule to end of a chain
-F                        Flush. Deletes all the rules in the selected table
-p <protocol-type>        Match protocol. Types include icmp, tcp, udp, and all
-s <ip-address>           Match source IP address
-d <ip-address>           Match destination IP address
-i <interface-name>       Match "input" interface on which the packet enters.
-o <interface-name>       Match "output" interface on which the packet exits
In this command switches example
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT
iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's IP address of 192.168.1.1. The 0/0 representation of an IP address means any.
Table 14-4 Common TCP and UDP Match Criteria
Switch                  Description
-p tcp --sport <port>   TCP source port. Can be a single value or a range in the format: start-port-number:end-port-number
-p tcp --dport <port>   TCP destination port. Can be a single value or a range in the format: starting-port:ending-port
-p tcp --syn            Used to identify a new TCP connection request. ! --syn means, not a new connection request
-p udp --sport <port>   UDP source port. Can be a single value or a range in the format: starting-port:ending-port
-p udp --dport <port>   UDP destination port. Can be a single value or a range in the format: starting-port:ending-port
Checking whether iptables is installed by default on our server
$ rpm -q iptables
$ rpm -ql iptables
/sbin/iptables
this allows us to view the configuration and change it
/sbin/iptables-restore
this allows us to restore the firewall or running firewall configuration from a saved configuration
/sbin/iptables-save
this allows us to save the running configuration
Modules are stored in /lib/iptables/
Iptables itself is a module
$ lsmod | grep -i iptab
Modules for iptables:
ip_tables
iptable_filter
iptable_nat
iptable_mangle
$ lsmod | grep -i ipt
ipt_REJECT     target (fate)
ipt_state      allows us to maintain state information
ip_conntrack   kernel can keep track of connections
SYNTAX
$ iptables -t <table> <Action> <Direction/Chains> <Packet Pattern> -j <fate>
iptables Won't Start
The iptables startup script expects to find /etc/sysconfig/iptables before it starts. If none exists, then symptoms include the firewall status always being stopped and the /etc/init.d/iptables script running without the typical [OK] or [FAILED] messages.
If you have just installed iptables and have never applied a policy, then you will face this problem. Unfortunately, running the service iptables save command before restarting won't help either. You have to create this file.
[root@bigboy tmp]# service iptables start
[root@bigboy tmp]#
[root@bigboy tmp]# touch /etc/sysconfig/iptables
[root@bigboy tmp]# chmod 600 /etc/sysconfig/iptables
[root@bigboy tmp]# service iptables start
Applying iptables firewall rules: [ OK ]
[root@bigboy tmp]#
Linux iptables: allow or block ICMP ping requests
The Internet Control Message Protocol (ICMP) has many messages that are identified by a "type" field. You need to use the 0 and 8 ICMP types.
=> Zero (0) is for echo reply
=> Eight (8) is for echo request.
To enable incoming ICMP ping client requests use the following iptables rules (you need to add the following rules to the script).
My default firewall policy is blocking everything.
Task: Enable or allow incoming ICMP ping client requests
Rule to enable incoming ICMP ping client requests (assuming that the default iptables policy is to drop all INPUT and OUTPUT packets)
SERVER_IP="202.54.10.20"
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s $SERVER_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Task: Allow or enable outgoing ping requests
To enable outgoing ICMP ping requests use the following iptables rules:
SERVER_IP="202.54.10.20"
iptables -A OUTPUT -p icmp --icmp-type 8 -s $SERVER_IP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $SERVER_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
How do I disable outgoing ICMP requests?
Use the following rules:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
OR
iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP
The ICMP echo-request type will be blocked by the above rule.
See ICMP TYPE NUMBERS (type fields). You can also get a list of ICMP types; just type the following command at the shell prompt:
$ /sbin/iptables -p icmp -h
$ iptables -t filter -P INPUT DROP
$ iptables -t filter -P OUTPUT ACCEPT
$ iptables -t filter -P FORWARD ACCEPT
# allow local loopback connections
$ iptables -t filter -A INPUT -i lo -j ACCEPT
# Drop INVALID connections
$ iptables -t filter -A INPUT -m state --state INVALID -j DROP
$ iptables -t filter -A OUTPUT -m state --state INVALID -j DROP
$ iptables -t filter -A FORWARD -m state --state INVALID -j DROP
# Allow all established and related
$ iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow connections to my ISP's DNS servers
$ iptables -t filter -A INPUT -s 213.73.255.52 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
$ iptables -t filter -A INPUT -s 213.73.255.52 -p udp -j ACCEPT
$ iptables -t filter -A INPUT -s 213.132.189.250 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
$ iptables -t filter -A INPUT -s 213.132.189.250 -p udp -j ACCEPT
$ iptables -t filter -A INPUT -s 213.73.255.53 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
$ iptables -t filter -A INPUT -s 213.73.255.53 -p udp -j ACCEPT
# open ports 4662, 4672 = amule, 5900, 5901 = vnc, 22 = ssh
$ iptables -t filter -A INPUT -p tcp -m tcp --dport 4662 -j ACCEPT
$ iptables -t filter -A INPUT -p udp -m udp --dport 4672 -j ACCEPT
$ iptables -t filter -A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
$ iptables -t filter -A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
$ iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# bittorrent:
$ iptables -t filter -A INPUT -p tcp -m tcp --dport 6881:6889 -j ACCEPT
# samba (only connections from the LAN are accepted); in the INPUT chain the
# incoming interface is matched with -i (-o is only valid for OUTPUT/FORWARD)
$ iptables -t filter -A INPUT -i eth0 -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 137:139 -j ACCEPT
$ iptables -t filter -A INPUT -i eth0 -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 137:139 -j ACCEPT
# log all other attempted incoming connections
$ iptables -t filter -A INPUT -i eth0 -j LOG
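The ruleset above (together with the stateful ICMP rules from the previous section) assembled into a script, as an added example that is not part of the original notes: rules are issued through a variable that defaults to echo, so their order can be reviewed or tested without touching the running firewall; SERVER_IP, LAN_NET and the port list are constructed values, and FORWARD is set to DROP here rather than ACCEPT.

```shell
#!/bin/sh
# Added example (not from the original notes): the default-deny, stateful
# ruleset assembled as functions. IPT defaults to "echo" so the rules can be
# reviewed (and tested) without root; run with IPT=/sbin/iptables to apply.
IPT="${IPT:-echo}"

SERVER_IP="${SERVER_IP:-202.54.10.20}"          # constructed, as in the notes
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
TCP_SERVICES="${TCP_SERVICES:-22 5900 5901}"    # ssh, vnc

base_policy() {
    # Flush first so re-running the script does not duplicate rules, then
    # default-deny inbound and forwarded traffic (the notes leave FORWARD open).
    $IPT -t filter -F
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P OUTPUT ACCEPT
    $IPT -t filter -P FORWARD DROP

    # Loopback must be allowed before anything else or local services break.
    $IPT -t filter -A INPUT -i lo -j ACCEPT

    # Packets the connection tracker cannot classify are dropped in every chain.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -t filter -A $chain -m state --state INVALID -j DROP
    done

    # Replies to connections we started come back in: this is what makes the
    # filter stateful, and it must precede the per-service rules.
    $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # A NEW inbound TCP connection must start with a SYN; anything else that
    # claims to be NEW is bogus (mid-stream packets used to slip past filters).
    $IPT -t filter -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
}

allow_ping() {
    # Answer echo requests from anyone, but only through the connection
    # tracker so an unsolicited echo reply (type 0) never matches as NEW.
    $IPT -t filter -A INPUT -p icmp --icmp-type 8 -d "$SERVER_IP" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -A OUTPUT -p icmp --icmp-type 0 -s "$SERVER_IP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

allow_services() {
    for port in $TCP_SERVICES; do
        $IPT -t filter -A INPUT -p tcp -m tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # Samba only from the LAN: -i (input interface) is the valid match in INPUT.
    $IPT -t filter -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 137:139 -j ACCEPT
    $IPT -t filter -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 137:139 -j ACCEPT
}

log_and_drop_rest() {
    # LOG does not stop processing, so the explicit DROP follows it; the limit
    # keeps a scan from filling syslog.
    $IPT -t filter -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
    $IPT -t filter -A INPUT -j DROP
}

# build_ruleset: emit (or apply) the whole policy in the order that matters.
build_ruleset() {
    base_policy
    allow_ping
    allow_services
    log_and_drop_rest
}

# rule_count: number of iptables invocations the script issues (dry-run aid).
rule_count() { build_ruleset | wc -l | tr -d ' '; }
```

Running the script with the default IPT prints the 19 rules in order; the loopback accept appears before the first INPUT drop rule, which is the property a reviewer checks first.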
NAT
# set up IP forwarding and NAT
$ iptables -t nat -P POSTROUTING ACCEPT
$ iptables -t nat -P PREROUTING ACCEPT
# 6891:6900 = msn file transfers
# 192.168.0.1 = gateway
# 192.168.0.216 = client in network
Tables
$IPTABLES -N tcp_packets
$IPTABLES -N icmp_packets
$IPTABLES -N udpincoming_packets
IP Masquerade
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
Squid transparent proxy
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -A PREROUTING -t nat -i ppp0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# smtp
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j ACCEPT
# www
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j ACCEPT
# https
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j ACCEPT
# mail
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 465 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 993 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 995 -j ACCEPT
# wlan vpn
$IPTABLES -A wlan_packets -p UDP -s 0/0 --dport 5000 -j ACCEPT
$IPTABLES -A wlan_packets -p ALL -j DROP
iptables blocking with MAC address
Drop all connections coming from MAC address 00:0F:EA:91:04:08 (add the command to your firewall script)
$ iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
iptables allowing with MAC address
Allow port 22 for MAC address 00:0F:EA:91:04:07
$ iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
General syntax:
$ iptables RULE -m time --timestart TIME --timestop TIME --days DAYS -j ACTION
Where,
--timestart TIME: Time start value. Format is 00:00-23:59 (24 hours format)
--timestop TIME: Time stop value.
--days DAYS: Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun; default everyday)
An example
Suppose you would like to allow incoming ssh access only from Monday to Friday between 9 AM and 6 PM. Then you need to use iptables as follows:
Input rule:
$ iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 202.54.1.20 --dport 22 -m state --state NEW,ESTABLISHED -m time --timestart 09:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
Output rule:
$ iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 22 -d 0/0 --dport 513:65535 -m state --state ESTABLISHED -m time --timestart 09:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
Force SYN packets check
Make sure NEW incoming TCP connections are SYN packets; otherwise we need to drop them:
$ iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Force fragmented packets check
Drop incoming fragmented packets. This attack can result in a Linux server panic and data loss.
$ iptables -A INPUT -f -j DROP
XMAS packets
Drop incoming malformed XMAS packets:
$ iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop all NULL packets
Incoming malformed NULL packets:
$ iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Protect against SYN floods by rate limiting the number of new connections from any host to 60 per second. This does *not* do rate limiting overall, because then someone could easily shut us down by saturating the limit.
$ iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn \
    -m recent --name synflood --set
$ iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn \
    -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP
The same can be achieved in ipfw using the dummynet shaper:
# Direct SYN
ipfw pipe 500 config bw 64Kbit/s queue 5
ipfw add 500 pipe 500 tcp from any to any in setup
Port scanning
A lot of hosts try to port scan my server these days, looking for open services they can try to exploit. Since I run very few services on my server, what I like to do is look for port connections to a commonly scanned port (port 139, for Windows File Sharing), and then block the hosts who attempt the connection from talking to my server for an entire day. The rule is quite simple using the iptables recent module:
Anyone who tried to port scan us is locked out for an entire day.
$ iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
$ iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
Once the day has passed, remove them from the portscan list
$ iptables -A INPUT -m recent --name portscan --remove
$ iptables -A FORWARD -m recent --name portscan --remove
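The rcheck and remove rules above only act on a list that another rule has to populate. The following added example (not from the original notes) shows the bait rule that does so with --set, the order in which the four kinds of rule must appear, and a small simulator of the recent list that replays that order over a constructed trace of packets (addresses made up) to check when the day-long ban starts and ends. As in the previous example, IPT defaults to echo.

```shell
#!/bin/sh
# Added example (not from the original notes): the complete port-scan trap the
# text describes, plus a simulator of the recent-module state it relies on.
# IPT defaults to "echo" so the rules can be inspected without root.
IPT="${IPT:-echo}"
TRAP_PORT="${TRAP_PORT:-139}"        # bait port: nothing legitimate listens here
BAN_SECONDS="${BAN_SECONDS:-86400}"  # one day, as in the notes

# Order matters: the rcheck rules come first so a listed host is refused on
# every port, the remove rules next so an expired entry is cleared, and the
# --set rules last so only a fresh visit to the bait port (re)starts the ban.
portscan_trap_rules() {
    $IPT -A INPUT   -m recent --name portscan --rcheck --seconds "$BAN_SECONDS" -j DROP
    $IPT -A FORWARD -m recent --name portscan --rcheck --seconds "$BAN_SECONDS" -j DROP
    $IPT -A INPUT   -m recent --name portscan --remove
    $IPT -A FORWARD -m recent --name portscan --remove
    # Touching the bait port adds the source to the list, logs it, then drops it.
    $IPT -A INPUT -p tcp -m tcp --dport "$TRAP_PORT" -m recent --name portscan --set \
        -j LOG --log-prefix "Portscan: "
    $IPT -A INPUT -p tcp -m tcp --dport "$TRAP_PORT" -m recent --name portscan --set -j DROP
}

# portscan_trap_simulate < events
# Each input line is "<seconds> <source-ip> <dport>"; prints one verdict per
# line. Models the recent list as a map source -> time of last --set and
# replays the INPUT rules above in order (rcheck does not refresh the
# timestamp; --set does; --remove matches any listed source and continues).
portscan_trap_simulate() {
    awk -v ban="$BAN_SECONDS" -v bait="$TRAP_PORT" '
    {
        now = $1; src = $2; dport = $3
        # rcheck rule: listed and still inside the ban window -> DROP
        if ((src in seen) && now - seen[src] <= ban) { print "DROP"; next }
        # remove rule: window passed -> entry cleared, evaluation continues
        if (src in seen) delete seen[src]
        # set rules: bait port -> remember the source, log (omitted), DROP
        if (dport == bait) { seen[src] = now; print "DROP"; next }
        print "ACCEPT"
    }'
}

# Constructed trace: host 10.0.0.5 probes the bait port, is then refused on
# ssh for the rest of the day, and is let back in once the window expires;
# host 10.0.0.9 never touched the bait and is not affected.
SAMPLE_EVENTS='0 10.0.0.5 139
60 10.0.0.5 22
86000 10.0.0.5 22
90000 10.0.0.5 22
90001 10.0.0.9 22'

# portscan_trap_verdicts: the verdict sequence for SAMPLE_EVENTS on one line.
portscan_trap_verdicts() {
    printf '%s\n' "$SAMPLE_EVENTS" | portscan_trap_simulate | tr '\n' ' ' | sed 's/ $//'
}
```

The trace yields DROP DROP DROP ACCEPT ACCEPT: the ban holds for 86400 seconds after the bait was touched and is lifted by the remove rule on the first packet after that.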
CLOSE INCOMING TCP
$IPTABLES -A tcp_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 -j DROP
CLOSE INCOMING UDP
$IPTABLES -A udpincoming_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -j DROP
DNS
227
b.sadhiq
www.altnix.com
DNS Basics
Finding a single server out of all of the servers on the Internet is like trying to find a single file on a drive with thousands of files. In both cases it helps to have some hierarchy built into the directory to logically group things. The DNS "namespace" is hierarchical, in the same type of upside-down tree structure seen with filesystems. Just as you have the root of a partition or drive, the DNS namespace has a root which is signified by a period.

book. If you want to find the IP address of the www server in the somedomain.com domain, you'd have to query the DNS server that stores the DNS records for that domain.

The entries in the database map a host/domain name to an IP address. Here is a simplistic logical view of the type of information that is stored (we'll get to the A, CNAME, and MX designations in a bit):
  Type    Name                      Value
  A       www.theirdomain.com       172.29.183.103
  MX      mail.theirdomain.com      172.29.183.217
  A       debian.yourdomain.com     10.177.8.3
  CNAME   www.yourdomain.com        debian.yourdomain.com (10.177.8.3)
  MX      debian.yourdomain.com     10.177.8.3
This is why a real Internet server needs a static (unchanging) IP address. The IP address of the server's NIC connected to the Internet has to match whatever address is in the DNS database. Dynamic DNS does provide a way around this for home servers however, which we'll see later.

When you want to browse to www.theirdomain.com your DNS server (the one you specify in the TCP/IP configuration on your desktop computer) most likely won't have a DNS record for the theirdomain.com domain, so it has to contact the DNS server that does. When your DNS server contacts the DNS server that has the DNS records (referred to as "resource records" or "zone records") for theirdomain.com, your DNS server gets the IP address of the www server and relays that address back to your desktop computer. So which DNS server has the DNS records for a particular domain?

When you register a domain name with someone like Network Solutions, one of the things they ask you for are the server names and addresses of two or three "name servers" (DNS servers). These are the servers where the DNS records for your domain will be stored (and queried by the DNS servers of those browsing to your site). So where do you get the "name servers" information for your domain? Typically, when you host your Web site using a Web hosting service they not only provide a Web server for your domain's Web site files but they will also provide a DNS server to store your domain's DNS records. In other words, you'll want to know who your Web hosting provider is going to be before you register a domain name (so you can enter the provider's DNS server information in the name servers section of the domain name registration application).

You'll see the term "zone" used in DNS references. Most of the time a zone just equates to a domain. The only time this wouldn't be true is if you set up subdomains and set up separate DNS servers to handle just those subdomains. For example, a company would set up the subdomains us.theirdomain.com and europe.theirdomain.com and would "delegate" a separate DNS server to each one of them. In the case of these two DNS servers their zone would be just the subdomains. The zone of the DNS server for the parent theirdomain.com (which would contain the servers www.theirdomain.com and mail.theirdomain.com) would only contain records for those few machines in the parent domain.
Note that in the above example "us" and "europe" are subdomains while "www" and "mail" are host names of servers in the parent domain.

Once you've got your Web site up and running on your Web hosting provider's servers and someone surfs to your site, the DNS server they specified in their local TCP/IP configuration will query your hosting provider's DNS servers to get the IP address for your Web site. The DNS servers that host the DNS records for your domain, i.e. the DNS servers you specify in your domain name registration application, are the authoritative DNS servers for your domain. The surfer's DNS server queries one of your site's authoritative DNS servers to get an address and gets an authoritative response. When the surfer's DNS server relays the address information back to the surfer's local PC it is a "non-authoritative" response, because the surfer's DNS server is not an authoritative DNS server for your domain.
Domains and Delegation
The Domain Name System uses a tree (or hierarchical) name structure. At the top of the tree is the root node, followed by the Top Level Domains (TLDs), then the Second Level Domains (SLDs) and any number of lower levels, each separated with a dot.

Note: The root of the tree is represented most of the time as a silent dot (.), but there are times when it is VERY important: in a zone file a name without the trailing dot is relative, and the zone's origin is appended to it.

TLDs are split into two types:
1. Generic Top Level Domains (gTLD): for example .com, .edu, .net, .org, .mil, etc.
2. Country Code Top Level Domains (ccTLD): the two-letter country codes, for example .in, .uk, .de.
Resolving DNS names to IP addresses
When you type www.yahoo.com into a web browser, the application has to find out the IP address associated with www.yahoo.com. Each part of the network has a DNS server (name server). Each application sends a request, called a DNS lookup, to its DNS server. Each DNS server holds only a limited part of the host name / IP address information; for names it does not hold it asks other servers, starting from the root servers.

Each computer is configured to query a specific name server. Usually home computers are configured to query the ISP's name servers or free DNS name servers. Here is a typical UNIX/Linux /etc/resolv.conf file with name server IP addresses:
$ cat /etc/resolv.conf
Sample output:
nameserver 208.67.222.222
nameserver 208.67.220.220
Each application can find the www.yahoo.com IP address by sending a request to the 208.67.222.222 or 208.67.220.220 IP address. This procedure is called host name resolution, and the algorithm that performs this operation is called the resolver. Let us see how the IP address for the freebsd.nixcraft.in host name is found:
1. The web browser will check its local cache database to find out the answer. If it can get an answer directly from there, it proceeds no further.
2. Otherwise a request will be sent to the name server at IP 208.67.222.222 to find the IP address for the freebsd.nixcraft.in host.
3. The 208.67.222.222 server will decide if that name has been recently looked up before. If it has, there is no need to ask further, since the result would be stored in its local cache.
4. 208.67.222.222 will see if the domain is local, i.e. if it is a computer that it has direct information about. In this case this would only be true if 208.67.222.222 were the authoritative name server for nixcraft.in itself.
5. 208.67.222.222 will strip out the TLD (Top Level Domain) .in. It will query a root name server, asking what name server is responsible for .IN. Depending on the answer, 208.67.222.222 will ask the .in servers which servers are responsible for nixcraft.in, and then query that authoritative server for the IP address.
6. 208.67.222.222 will return the result to the application.
7. 208.67.222.222 will store each of these results in a local cache with an expiry date, to avoid having to look them up a second time.
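Steps 1-7 above, as an added example in Python (not code from the original page): a tiny recursive resolver that checks its cache, walks the delegation chain from the root, and caches the answer with an expiry. The delegation data and addresses are constructed (RFC 5737 documentation ranges), not the real root, .in or nixcraft.in servers. The security point it makes concrete: whatever lands in the cache at step 7 is handed to every later client until the TTL expires, which is why a forged answer at step 5 (cache poisoning) is so damaging and why the authoritative server configured later in this chapter turns recursion off.

```python
# Constructed delegation tree: root knows the .in servers, .in knows the
# nixcraft.in servers, nixcraft.in holds the answer. Addresses are documentation
# ranges, not real servers.
ZONES = {
    ".": {"delegations": {"in.": "192.0.2.53"}},
    "in.": {"delegations": {"nixcraft.in.": "198.51.100.53"}},
    "nixcraft.in.": {"answers": {"freebsd.nixcraft.in.": ("203.0.113.7", 3600)}},
}


def authoritative_query(zone, qname):
    """What the server for `zone` says about qname:
    ('answer', ip, ttl), ('referral', child_zone, child_server) or ('nxdomain', None, None)."""
    data = ZONES[zone]
    if qname in data.get("answers", {}):
        ip, ttl = data["answers"][qname]
        return ("answer", ip, ttl)
    for child, server in data.get("delegations", {}).items():
        if qname == child or qname.endswith("." + child):
            return ("referral", child, server)
    return ("nxdomain", None, None)


class Resolver:
    """Recursive resolver as in steps 1-7: cache first, otherwise walk from the root."""

    def __init__(self, clock):
        self.clock = clock            # callable returning seconds; injected so tests control time
        self.cache = {}               # qname -> (ip, expires_at)
        self.trace = []               # (zone asked, qname) for every upstream query made

    def resolve(self, qname):
        now = self.clock()
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0], "cache"                       # step 3: answered from cache
        zone = "."                                        # step 5: start at the root
        while True:
            self.trace.append((zone, qname))
            kind, a, b = authoritative_query(zone, qname)
            if kind == "answer":
                self.cache[qname] = (a, now + b)          # step 7: cache with expiry
                return a, "authoritative"
            if kind == "referral":
                zone = a                                  # follow the delegation one level down
                continue
            return None, "nxdomain"
```

The first lookup produces three upstream queries (root, .in, nixcraft.in); the second is served from cache with none; once the 3600-second TTL has passed the walk is repeated.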
Caching name server
To run a caching-only name server, the following files are required and must be created or copied to the appropriate directories on your server:
Copy the named.conf file to the /etc/ directory.
Copy the db.127.0.0 file to the /var/named/ directory.
Copy the db.cache file to the /var/named/ directory.
Copy the named script file to the /etc/rc.d/init.d/ directory.

To run a master name server, the following files are required and must be created or copied to the appropriate directories on your server:
Copy the named.conf file to the /etc/ directory.
Copy the db.127.0.0 file to the /var/named/ directory.
Copy the db.cache file to the /var/named/ directory.
Copy the db.208.164.186 file to the /var/named/ directory.
Copy the db.altnix file to the /var/named/ directory.
Copy the named script file to the /etc/rc.d/init.d/ directory.

To run a slave name server, the following files are required and must be created or copied to the appropriate directories on your server:
Copy the named.conf file to the /etc/ directory.
Copy the db.127.0.0 file to the /var/named/ directory.
Copy the db.cache file to the /var/named/ directory.
Copy the named script file to the /etc/rc.d/init.d/ directory.
Linux DNS and BIND Server

Caching-only name server
Setting up a caching server for client local machines will reduce the load on the site's primary server. A caching-only name server will find the answer to name queries and remember the answer the next time we need it. This will shorten the waiting time the next time significantly. For security reasons, it is very important that DNS doesn't exist between hosts on the corporate network and external hosts; it is far safer to simply use IP addresses to connect to external machines from the corporate network and vice versa.

In our configuration and installation we'll run BIND/DNS as a non-root user and in a chrooted environment. We also provide you three different configurations:
  one for a simple caching name server only (client)
  one for a slave (secondary) name server
  one for a master (primary) name server
The simple caching name server configuration will be used for your servers that don't act as a master or slave name server, and the slave and master configurations will be used for your servers that act as a master name server and slave name server. Usually one of your servers acts as master, another one acts as slave and the rest act as simple caching client name servers.

This is a graphical representation of the DNS configuration we use in this book, showing the three roles (Caching Only DNS, Master DNS, Slave DNS) on different servers. A lot of possibilities exist.

Caching-only name servers are servers not authoritative for any domains except 0.0.127.in-addr.arpa, the localhost. A caching-only name server can look up names inside and outside your zone, as can primary and slave name servers. The difference is that when a caching-only name server initially looks up a name within your zone, it ends up asking one of the primary or slave name servers for your zone for the answer.

The necessary files to set up a simple caching name server are:
named.conf
db.127.0.0
db.cache
named script

To configure the /etc/named.conf file for a simple caching name server, use this for all servers that don't act as a master or slave name server. Setting up a simple caching server for local client machines will reduce the load on the network's primary server. Many users on dial-up connections may use this configuration along with bind for such a purpose. Create the named.conf file (touch /etc/named.conf) and add the following lines to the file:
options {
        directory "/var/named";
        forwarders { 208.164.186.1; 208.164.186.2; };
        forward only;
};
//
// a caching only nameserver config
//
zone "." in {
        type hint;
        file "db.cache";
};
zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127.0.0";
};
In the forwarders line, 208.164.186.1 and 208.164.186.2 are the IP addresses of your primary (master) and secondary (slave) DNS servers. They can also be the IP addresses of your ISP's DNS server and another DNS server, respectively.

TIP: To improve the security of your BIND/DNS server you can stop it from even trying to contact an off-site server if its forwarder is down or doesn't respond. With the forward only option set in your named.conf file, the name server doesn't try to contact other servers to find out information if the forwarder doesn't give it an answer. The caching server then never talks to the Internet directly, so only the forwarders need to be reachable from it, and any firewall rule for it can be that narrow.

To configure the /var/named/db.127.0.0 file for a simple caching name server, you can use this configuration for all machines on your network that don't act as a master or slave name server. The db.127.0.0 file covers the loopback network. Create the file in /var/named/ (touch /var/named/db.127.0.0) and add the following lines:
$TTL 345600
@       IN      SOA     localhost. root.localhost. (
                        00              ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        2592000         ; Expire
                        345600 )        ; Minimum
        IN      NS      localhost.
1       IN      PTR     localhost.
Configure the /var/named/db.cache file for a simple caching name server before starting your DNS server. You must take a copy of the db.cache file and copy it to the /var/named/ directory. The db.cache tells your server where the servers for the root zone are. Use the following command on another Unix computer in your organization to query a new db.cache file for your DNS server, or pick one from your Red Hat Linux CD-ROM source distribution:
[root@deep]# dig @a.root-servers.net . ns > db.cache
Check the result before installing it: the file should contain the NS records for "." in the answer section and an A record for each root server in the additional section. Every lookup your server ever makes starts from this file, so a db.cache fetched through an untrusted resolver or over a hostile network is exactly the kind of input an attacker would want to tamper with.
Primary master name server
A primary master name server for a zone reads the data for the zone from a file on its host and is authoritative for that zone. The necessary files to set up a primary master name server are:
named.conf
db.127.0.0
db.208.164.186
db.altnix
db.cache
named script

To configure the /etc/named.conf file for a master name server, use this configuration for the server on your network that acts as a master name server. After compiling DNS, you need to set up a primary domain name for your server. We'll use altnix.com as an example domain, and assume you are using the IP network address 208.164.186.0. To do this, add the following lines to your /etc/named.conf. Create the named.conf file (touch /etc/named.conf) and add:
options {
        directory "/var/named";
        fetch-glue no;
        recursion no;
        allow-query { 208.164.186/24; 127.0.0/8; };
        allow-transfer { 208.164.186.2; };
        transfer-format many-answers;
};
// These files are not specific to any zone
zone "." in {
        type hint;
        file "db.cache";
};
zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127.0.0";
};
// These are our primary zone files
zone "altnix.com" in {
        type master;
        file "db.altnix";
};
zone "186.164.208.in-addr.arpa" in {
        type master;
        file "db.208.164.186";
};
The fetch-glue no option can be used in conjunction with the option recursion no to prevent the server's cache from growing or becoming corrupted. (fetch-glue is a BIND 8 option; BIND 9 reports it as obsolete and ignores it, so on BIND 9 the recursion no line is the one doing the work.) Also, disabling recursion puts your name server into a passive mode, telling it never to send queries on behalf of other name servers or resolvers. A non-recursive name server is very difficult to spoof, since it doesn't send queries and hence doesn't cache any data that an attacker could poison.

In the allow-query line, 208.164.186/24 and 127.0.0/8 are the IP addresses allowed to ask ordinary questions of the server. Note that with allow-query restricted this way at the options level, hosts on the Internet cannot resolve altnix.com from this server at all. If it is meant to be the public authoritative server for altnix.com, give the altnix.com and 186.164.208.in-addr.arpa zone statements their own allow-query { any; }; the options-level restriction then still applies to everything else, which is the combination you want: answer the world about your own zones, answer nobody else's questions.

In the allow-transfer line, 208.164.186.2 is the IP address allowed to receive zone transfers from the server. You must ensure that only your real slave name servers can transfer zones from your name server, as a full zone transfer hands out a complete inventory of your hosts and is often used by spammers and IP spoofers.

NOTE: The options recursion no, allow-query, and allow-transfer in the named.conf file above are security features.

To configure the /var/named/db.127.0.0 file for a master and slave name server, you can use this configuration file on both a master name server and a slave name server. The db.127.0.0 file covers the loopback network. Create the file in /var/named/ (touch /var/named/db.127.0.0) and add:
; Revision History: April 22, 1999 - admin@mail.altnix.com
; Start of Authority (SOA) records.
$TTL 345600
@       IN      SOA     deep.altnix.com. admin.mail.altnix.com. (
                        00              ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        2592000         ; Expire
                        345600 )        ; Minimum
; Name Server (NS) records.
        NS      deep.altnix.com.
        NS      mail.altnix.com.
; only One PTR record.
1       PTR     localhost.
To configure the /var/named/db.208.164.186 file for a master name server, use this configuration for the server on your network that acts as a master name server. The file db.208.164.186 is the reverse zone: it maps addresses back to host names (PTR records). Create the following file in /var/named/. Create the db.208.164.186 file (touch /var/named/db.208.164.186) and add:
; Revision History: April 22, 1999 - admin@mail.altnix.com
; Start of Authority (SOA) records.
$TTL 345600
@       IN      SOA     deep.altnix.com. admin.mail.altnix.com. (
                        00              ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        2592000         ; Expire
                        345600 )        ; Minimum
; Name Server (NS) records.
        NS      deep.altnix.com.
        NS      mail.altnix.com.
; Addresses Point to Canonical Names (PTR) for Reverse lookups
1       PTR     deep.altnix.com.
2       PTR     mail.altnix.com.
3       PTR     www.altnix.com.

To configure the /var/named/db.altnix file for a master name server, use this configuration for the server on your network that acts as a master name server. The file db.altnix is the forward zone: it maps host names to addresses. Create the following file in /var/named/. Create the db.altnix file (touch /var/named/db.altnix) and add:
; Revision History: April 22, 1999 - admin@mail.altnix.com
; Start of Authority (SOA) records.
$TTL 345600
@       IN      SOA     deep.altnix.com. admin.mail.altnix.com. (
                        00              ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        2592000         ; Expire
                        345600 )        ; Minimum
; Name Server (NS) records.
        NS      deep.altnix.com.
        NS      mail.altnix.com.
; Mail Exchange (MX) records.
        MX      0       mail.altnix.com.
; Address (A) records.
localhost       A       127.0.0.1
deep            A       208.164.186.1
mail            A       208.164.186.2   ; owner label required: NS and MX above point at mail
www             A       208.164.186.3
; Aliases in Canonical Name (CNAME) records.
;www            CNAME   deep.altnix.com.
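The forward and reverse zone files above have to agree with each other, and with the NS and MX records, for the delegation to work: every NS or MX target needs an A record, and each A record should have a matching PTR. The following Python is an added example, not part of the original page: a small BIND master-file parser (comments, $TTL, parenthesised SOA, inherited owner, optional TTL/class) and a cross-check run over copies of the two zones. The "as printed" variant drops the owner label from the mail line, which is easy to do by accident and silently attaches that address to deep instead.

```python
FORWARD_ZONE = """\
$TTL 345600
@       IN      SOA     deep.altnix.com. admin.mail.altnix.com. (
                        00              ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        2592000         ; Expire
                        345600 )        ; Minimum
        NS      deep.altnix.com.
        NS      mail.altnix.com.
        MX      0       mail.altnix.com.
localhost       A       127.0.0.1
deep            A       208.164.186.1
mail            A       208.164.186.2
www             A       208.164.186.3
"""
# Same file with the "mail" owner label missing: the record then belongs to "deep".
FORWARD_ZONE_AS_PRINTED = "\n".join(
    ("    " + l[4:]) if l.startswith("mail") else l for l in FORWARD_ZONE.splitlines()) + "\n"

REVERSE_ZONE = """\
$TTL 345600
@       IN      SOA     deep.altnix.com. admin.mail.altnix.com. (
                        00 86400 7200 2592000 345600 )
        NS      deep.altnix.com.
        NS      mail.altnix.com.
1       PTR     deep.altnix.com.
2       PTR     mail.altnix.com.
3       PTR     www.altnix.com.
"""


def fqdn(name, origin):
    """Expand @ and relative names the way named does (a trailing dot means absolute)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Return (owner, type, rdata_fields) triples from a BIND master file.
    Handles ; comments, $TTL, ( ) continuation, an omitted owner (inherits the
    previous one) and optional TTL/IN fields. Enough for these files, not RFC 1035."""
    origin = origin if origin.endswith(".") else origin + "."
    logical, buf, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and buf is None:
            continue
        depth += line.count("(") - line.count(")")
        line = line.replace("(", " ").replace(")", " ")
        buf = line if buf is None else buf + " " + line
        if depth == 0:
            logical.append(buf)
            buf = None
    records, owner = [], origin
    for line in logical:
        fields = line.split()
        if fields[0].startswith("$"):
            continue                                   # $TTL (no $ORIGIN/$INCLUDE in these files)
        if not line[0].isspace():
            owner = fields.pop(0)                      # owner present in column 0
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                              # optional TTL and class
        records.append((fqdn(owner, origin), fields[0].upper(), fields[1:]))
    return records


def check_zones(forward_text, reverse_text, origin, net):
    """Cross-check a forward zone against its reverse zone; return a list of problems."""
    origin = origin if origin.endswith(".") else origin + "."
    rev_origin = ".".join(reversed(net.split("."))) + ".in-addr.arpa."
    fwd, rev = parse_zone(forward_text, origin), parse_zone(reverse_text, rev_origin)
    a = {o: r[0] for o, t, r in fwd if t == "A"}       # last A record per name wins
    problems = []
    for o, t, r in fwd:                                # NS/MX targets must resolve
        if t in ("NS", "MX") and fqdn(r[-1], origin) not in a:
            problems.append(f"{t} target {fqdn(r[-1], origin)} has no A record")
    ptr = {net + "." + o.split(".")[0]: fqdn(r[0], origin) for o, t, r in rev if t == "PTR"}
    for name, ip in a.items():                         # forward -> reverse
        if not ip.startswith("127.") and ptr.get(ip) != name:
            problems.append(f"A {name} -> {ip} has no matching PTR")
    for ip, name in ptr.items():                       # reverse -> forward
        if a.get(name) != ip:
            problems.append(f"PTR {ip} -> {name} has no matching A")
    return problems
```

The corrected pair checks clean. The as-printed variant reports five problems, starting with the NS and MX records pointing at a name that no longer has an address, which in the real world shows up as a lame delegation and undeliverable mail.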
To configure the /var/named/db.cache file for master and slave name servers: before starting your DNS server you must take a copy of the db.cache file and copy it into the /var/named/ directory. The db.cache tells your server where the servers for the root zone are. Use the following command on another Unix computer in your organization to query a new db.cache file for your DNS server, or pick one from your Red Hat Linux CD-ROM source distribution:
[root@deep]/# dig @a.root-servers.net . ns > db.cache
Don't forget to copy the db.cache file to the /var/named/ directory on the server where you're installing the DNS server after retrieving it over the Internet.

Dig
http://www.madboa.com/geek/dig/
NSTrace
http://www.dollardns.net/cgi-bin/nstrace/index.pl?
DnsCrawler
http://www.dollardns.net/cgi-bin/dnscrawler/index.pl?
whois
http://whois.dollardns.net/domain.pl?
http://www.dollardns.net/index.html?
http://www.dollardns.net/compare.html
Apache

What is Apache?
Apache is an open source web server (HTTP server).
Apache serves up web pages (HTML) and most any other content that can be accessed via a web browser.
It runs on Linux and Windows.
Apache has been the number one web server on the Internet since 1996; at the time this was written about 70% of all Internet web sites ran on the Apache web server.

Let's talk about the history of the Apache web server.
The original httpd was developed at the National Center for Supercomputing Applications (NCSA) at the University of Illinois by Robert McCool, around 1993, and it quickly became public domain.
Robert McCool left NCSA in 1995 and the httpd web server was no longer maintained officially, so a loosely organised group of developers around the world came together to exchange patches, updates and fixes.
Apache was created around 1995 by that group of webmasters, who got together to create patches for the old NCSA httpd server on Unix. Today, that group is called the Apache Software Foundation.
The home page for Apache is http://httpd.apache.org
The source and compiled versions of Apache are all free.

Why Apache
high performance
open source
free
unrestrictive license
  can be modified and redistributed under another name, i.e. Covalent Apache, IBM HTTP Server
runs on Linux/Unix/Windows

Apache HTTP Server
version 1.3
  + single-thread process model
version 2.0
  + multi-thread support (SMP)
  + support for non-Unix platforms using MPM modules (MPM -> Multi-Processing Modules)
  + supports IPv6
  + new API, meant to make writing 3rd-party modules easier

Difference between IIS & Apache
Apache: First, Apache doesn't install a lot of extra programs. A default Apache build doesn't install any Apache modules (extensions) at all, just a basic web server.
IIS: By default, Windows 2000 and IIS install seven external Dynamic Link Library (DLL) files plus FrontPage server extensions.
Apache: Apache components, if they're installed, run as a non-privileged user, so if a buffer overflow occurs the damage is minimal. Conversely, Microsoft IIS of that era ran with system-level access, so a compromise of the server process potentially grants Administrator (superuser) permission. Any user, even a remote one, who has that permission can access, change, and delete any file anywhere on the system.
IIS: If the Internet Information Server (IIS) process dies on a Windows web server, no further requests are served until the process is restarted.
Apache: If a single Apache process dies, only the request being served by that process is affected.

Installing Apache
Red Hat Linux or Fedora Linux installs the Apache web server by default. You can, of course, choose not to install it at installation time if you wish.
Apache is, however, disabled by default. In other words, it isn't running.
RHEL or Fedora does not, however, install the 31 optional related applications that go along with Apache. You can install these from the Package Manager application.
Administering Apache
The Apache web server has its own configuration directory, /etc/httpd/
Inside this directory there are subdirectories and soft links to other directories.
The actual configuration file for Apache is at /etc/httpd/conf/ and it is called httpd.conf
All log files go to /var/log/httpd
The httpd.conf can be edited manually.
Apache can be started manually by typing "httpd" at the command line, but the recommended way to start it is using the service command or the Services program.
The "DocumentRoot" directory (/var/www/html/) is where the default web site is located.
Apache can also deliver users' web pages. This is defined with the "UserDir" directive, and users' directories can be accessed through Apache like this:
http://www.altnix.com/~sadhiq
(UserDir is disabled in the stock RHEL/Fedora httpd.conf; leave it that way unless you actually want every account's public_html published, since it also lets an outsider enumerate valid user names.)
Apache can also support virtual hosting with the "VirtualHost" directive: one web server serves many different web sites.
Apache cannot be run from a super-server like xinetd.
To administer Apache, a GUI tool is available: system-config-httpd

SPECS
Package: httpd
Version: 2.2
Conf file: /etc/httpd/conf/httpd.conf
DocumentRoot for storing web pages: /var/www/html
Apache modules: /etc/httpd/modules/ -> /usr/lib/httpd/modules/
Commands:
1. Syntax check
$ apachectl configtest
OR
$ httpd -t
2. Check compiled-in modules
$ httpd -l
Service:
$ service httpd start
OR
$ apachectl start

Four main directories:
/etc/httpd/conf/
/etc/httpd/conf.d/
/etc/httpd/logs/        -> symlink to /var/log/httpd/
/etc/httpd/modules

Packages included in RHEL (this listing is from an RHEL 4 host, which ships httpd 2.0.52; RHEL 5 ships the 2.2 version named in the SPECS above):
$ rpm -qa | grep httpd
httpd-manual-2.0.52-19.ent
httpd-2.0.52-19.ent
system-config-httpd-1.3.11
httpd-suexec-2.0.52-19.ent

Configuration files
/etc/httpd/conf/httpd.conf      Main Apache configuration file
/etc/logrotate.d/httpd          Log rotation file
/etc/httpd/conf.d               Contains items that have been included for different types of application
Files under /etc/httpd/conf.d:
perl.conf
php.conf        (CGI scripting language)
python.conf     (CGI scripting language)
ssl.conf        (how SSL is to be implemented)
webalizer.conf  (analysis software)
welcome.conf    (served in the event of an attempt to access a URL which has no default document)
Quick way: web server configuration
$ cd /var/www/html
$ vi index.html
<html>
<head>
<title>Quick way: web server configuration</title>
</head>
<body>
Quick way: web server configuration: IP
</body>
</html>
$ service httpd restart
$ links http://<IP_of_the_webserver>

Dedicated web server configuration: altnix.com
$ cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf_ORIG
$ vi /etc/httpd/conf/httpd.conf
# default
ServerRoot "/etc/httpd"
# default
Listen 80
ServerName www.altnix.com:80
ServerAdmin john@altnix.com
# default
User apache
# default
Group apache
# set folder for the web pages
DocumentRoot "/var/www/html"
# set the name of the file that is read first
DirectoryIndex index.html
(Comments in httpd.conf must be on their own line; a trailing "# default" on a directive line is a syntax error.)

Check the syntax
$ apachectl configtest
OR
$ httpd -t
Start the http service
$ service httpd restart
OR
$ apachectl restart
Confirm the httpd daemon is running on port 80
$ netstat -antp | grep :80
Test from the client machine
linux> links http://www.altnix.com
Make httpd start on boot-up
$ chkconfig --level 35 httpd on
What is Virtual Hosting
Virtual hosting is the ability to host multiple separate web sites with one Apache server.
Each site is separate from the others, with a different DocumentRoot, log files, permissions, etc.
Two types of virtual hosting:
1. IP-based virtual hosts
   Each IP corresponds to its own individual web site: IP-based VH is where each virtual host has its own IP address.
   + single server
     -> one Apache daemon, handling multiple web sites
   + multiple server
     -> two or more independent Apache daemons, each one handling a specific web site
2. Name-based virtual hosts
   Name-based virtual hosts are used for hosting multiple web sites on the same web server IP address; Apache picks the site from the Host: header the browser sends.

Name-based virtual hosting
Scenario:
+ champu.local
+ funny.local
Both web sites running on the same IP address, in my case: 192.168.10.111
Note: Make sure the DNS 'A' records of champu.local and funny.local both resolve to 192.168.10.111.
$ mkdir /var/www/html/champu.local
$ cd /var/www/html/champu.local
$ vi index.html
<html>
<head>
<title>MY FIRST HTML PAGE : CHAMPU : NAME BASED</title>
</head>
<body>
MY FIRST HTML PAGE : CHAMPU : NAME BASED
</body>
</html>

$ mkdir /var/www/html/funny.local
$ cd /var/www/html/funny.local
$ vi index.html
<html>
<head>
<title>MY FIRST HTML PAGE : FUNNY : NAME BASED</title>
</head>
<body>
MY FIRST HTML PAGE : FUNNY : NAME BASED
</body>
</html>

$ vi /etc/httpd/conf/httpd.conf
NameVirtualHost 192.168.10.111:80

<VirtualHost 192.168.10.111:80>
    ServerAdmin webmaster@champu.local
    DocumentRoot /var/www/html/champu.local/
    ServerName champu.local
    ErrorLog logs/champu.local_error_log
    CustomLog logs/champu.local_access_log common
</VirtualHost>

<VirtualHost 192.168.10.111:80>
    ServerAdmin webmaster@funny.local
    DocumentRoot /var/www/html/funny.local
    ServerName funny.local
    ErrorLog logs/funny.local_error_log
    CustomLog logs/funny.local_access_log common
</VirtualHost>

The first <VirtualHost> for an address:port is the default: a request whose Host header matches no ServerName (a bare IP, or www.funny.local without a ServerAlias for it) is served by champu.local, not rejected.

$ httpd -t
$ service httpd restart
IP-based virtual hosting: single server configuration
Note: Make sure the DNS 'A' record of champu.local resolves to 192.168.10.111 and that of funny.local to 192.168.10.222.
Scenario:
+ champu.local    resolves to 192.168.10.111
+ funny.local     resolves to 192.168.10.222

1. Create an IP alias
# cd /etc/sysconfig/network-scripts/
# cp ifcfg-eth0 ifcfg-eth0:0
# vi ifcfg-eth0:0
DEVICE=eth0:0
BOOTPROTO=static
BROADCAST=192.168.10.255
IPADDR=192.168.10.222
NETMASK=255.255.255.0
NETWORK=192.168.10.0
ONBOOT=yes

2. Bring the alias IP up
# ifup eth0:0

3. Edit the httpd.conf file
# vi /etc/httpd/conf/httpd.conf
NameVirtualHost 192.168.10.111:80
<VirtualHost 192.168.10.111:80>
    ServerAdmin webmaster@champu.local
    DocumentRoot /var/www/html/champu.local/
    ServerName champu.local
    ErrorLog logs/champu.local_error_log
    CustomLog logs/champu.local_access_log common
</VirtualHost>

NameVirtualHost 192.168.10.222:80
<VirtualHost 192.168.10.222:80>
    ServerAdmin webmaster@funny.local
    DocumentRoot /var/www/html/funny.local
    ServerName funny.local
    ErrorLog logs/funny.local_error_log
    CustomLog logs/funny.local_access_log common
</VirtualHost>
(The NameVirtualHost lines are harmless but not needed here: with one site per address, Apache selects the virtual host by the address the request arrived on, not by the Host header.)

$ cd /var/www/html/champu.local
$ vi index.html
<html>
<head>
<title>MY FIRST HTML PAGE : CHAMPU : IP BASED : 192.168.10.111</title>
</head>
<body>
MY FIRST HTML PAGE : CHAMPU : IP BASED : 192.168.10.111
</body>
</html>

$ cd /var/www/html/funny.local
$ vi index.html
<html>
<head>
<title>MY FIRST HTML PAGE : FUNNY : IP BASED : 192.168.10.222</title>
</head>
<body>
MY FIRST HTML PAGE : FUNNY : IP BASED : 192.168.10.222
</body>
</html>

$ service httpd restart
================================================
IP-based virtual hosting: multiple server configuration
Scenario
+ champu.local    resolves to 192.168.10.111, port 80
+ funny.local     resolves to 192.168.10.222, port 8080
================================================
Note: as configured below this is still one httpd daemon listening on two sockets (two Listen lines). Two truly independent daemons would each need their own httpd.conf with separate Listen, PidFile and log settings, started separately; the benefit of that is isolation, since a crash or compromise of one does not take the other down.

1. vi /etc/httpd/conf/httpd.conf
Listen 192.168.10.111:80
Listen 192.168.10.222:8080

NameVirtualHost 192.168.10.111:80
<VirtualHost 192.168.10.111:80>
    ServerAdmin webmaster@champu.local
    DocumentRoot /var/www/html/champu.local/
    ServerName champu.local
    ErrorLog logs/champu.local_error_log
    CustomLog logs/champu.local_access_log common
</VirtualHost>

NameVirtualHost 192.168.10.222:8080
<VirtualHost 192.168.10.222:8080>
    ServerAdmin webmaster@funny.local
    DocumentRoot /var/www/html/funny.local
    ServerName funny.local
    ErrorLog logs/funny.local_error_log
    CustomLog logs/funny.local_access_log common
</VirtualHost>

2. $ cd /var/www/html/champu.local
   $ vi index.html
<html>
<head>
<title>MY FIRST HTML PAGE : CHAMPU : IP BASED : 192.168.10.111, PORT : 80</title>
</head>
<body>
MY FIRST HTML PAGE : CHAMPU : IP BASED : 192.168.10.111, PORT : 80
</body>
</html>

3. # cd /var/www/html/funny.local
   # vi index.html
<html>
<head>
<title>MY FIRST HTML PAGE : FUNNY : IP BASED : 192.168.10.222, PORT : 8080</title>
</head>
<body>
MY FIRST HTML PAGE : FUNNY : IP BASED : 192.168.10.222, PORT : 8080
</body>
</html>

Test from the client machine (using the names the scenario's DNS records actually define):
linux$> links http://champu.local
linux$> links http://funny.local:8080
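How Apache decides which of the virtual hosts above answers a given request is the thing most often misunderstood in both the name-based and the IP-based setups. The following Python is an added example, not code from the page or from Apache: it models Apache 2.2's selection order (socket address:port first, then Host header against ServerName/ServerAlias, then the first vhost for that socket as default) over the two configurations shown, and maps the request path onto the chosen DocumentRoot. DirectoryIndex is applied only for "/" to keep the model short; everything else is an assumption of this model, not an Apache API.

```python
import posixpath
from dataclasses import dataclass


@dataclass
class VHost:
    """The parts of a <VirtualHost addr:port> block that matter for selection."""
    addr: str
    port: int
    server_name: str
    document_root: str
    aliases: tuple = ()          # ServerAlias entries; the page defines none


def select_vhost(vhosts, local_addr, local_port, host_header):
    """Pick the virtual host Apache 2.2 would use for a request.

    1. Only vhosts defined for the socket the request arrived on are candidates
       (IP-based selection).
    2. Among those, the Host: header (port stripped, case-insensitive) is matched
       against ServerName and ServerAlias (name-based selection).
    3. No match, or no Host header at all: the FIRST vhost listed for that
       address:port is the default and serves the request.
    Returns None when no vhost is defined for the socket (the main server would answer)."""
    candidates = [v for v in vhosts if v.addr == local_addr and v.port == local_port]
    if not candidates:
        return None
    host = (host_header or "").split(":", 1)[0].strip().lower().rstrip(".")
    for v in candidates:
        names = (v.server_name,) + tuple(v.aliases)
        if host and host in (n.lower() for n in names):
            return v
    return candidates[0]


def file_for_request(vhosts, local_addr, local_port, host_header, url_path):
    """Map a request to the file Apache would open: the selected vhost's
    DocumentRoot plus the normalised path ('..' cannot climb above the root)."""
    v = select_vhost(vhosts, local_addr, local_port, host_header)
    if v is None:
        return None
    path = url_path.split("?", 1)[0]
    rel = posixpath.normpath("/" + path.lstrip("/")).lstrip("/")
    return v.document_root.rstrip("/") + "/" + (rel or "index.html")   # DirectoryIndex index.html


# The two configurations from the page, as data.
NAME_BASED = [
    VHost("192.168.10.111", 80, "champu.local", "/var/www/html/champu.local/"),
    VHost("192.168.10.111", 80, "funny.local", "/var/www/html/funny.local"),
]
IP_BASED = [
    VHost("192.168.10.111", 80, "champu.local", "/var/www/html/champu.local/"),
    VHost("192.168.10.222", 8080, "funny.local", "/var/www/html/funny.local"),
]
```

The case worth noticing: in the name-based setup a request for www.funny.local (no ServerAlias) or for the bare IP is served from champu.local's DocumentRoot, because it is the first vhost on that socket. If one site on a shared address must never be reachable by an unexpected name, put a deliberately empty default vhost first.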
1st WAY: Set up password protection inside httpd.conf
$ mkdir /var/www/html/champu.local/noaccess
$ cd /var/www/html/champu.local/noaccess
$ vi index.html
<html>
<head>
<title>CHAMPU : RESTRICTED ACCESS PAGE</title>
</head>
<body>
CHAMPU : RESTRICTED ACCESS PAGE
</body>
</html>

$ vi /etc/httpd/conf/httpd.conf
<VirtualHost 192.168.10.111:80>
    ServerAdmin webmaster@champu.local
    DocumentRoot /var/www/html/champu.local/
    ServerName champu.local
    <Directory /var/www/html/champu.local/noaccess>
        AuthName "Restricted Site"
        AuthType Basic
        AuthUserFile /var/www/html/champu.local/.passwords
        require valid-user
    </Directory>
    ErrorLog logs/champu.local_error_log
    CustomLog logs/champu.local_access_log common
</VirtualHost>

Caveat: the AuthUserFile above lives inside the DocumentRoot, so the password file itself can be requested as http://champu.local/.passwords. The stock httpd.conf only denies files whose names start with .ht, so .passwords is not covered. Keep the file outside the DocumentRoot (for example under /etc/httpd/), or add a <Files> block that denies it.

Notes:
Basic: standard username/password combination. The browser sends the password base64-encoded (effectively in clear text) with every request, so use it only over SSL.
Digest: the client proves knowledge of the password with an MD5 hash of it; the password itself never crosses the wire (AuthType Digest with an htdigest file).

Create the password file with the first user (-c creates the file):
$ htpasswd -c /var/www/html/champu.local/.passwords champu
Give access to user john also -> adds the user "john" to the password file /var/www/html/champu.local/.passwords, with -m storing an MD5 hash:
$ htpasswd -m /var/www/html/champu.local/.passwords john
(Do not repeat -c for the second user: it re-creates the file and throws away the users already in it.)
Test
$ links http://champu.local/noaccess
-> prompts for username/password
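What happens between the prompt and the password file, as an added Python example (not code from the page or from Apache): the browser's Authorization header is only base64 of user:password, which the server decodes and checks against the htpasswd entry in constant time. The htpasswd contents are constructed (user champu, password "password") in the {SHA} form that `htpasswd -s` writes; the page's `htpasswd -m` writes salted $apr1$ MD5 entries instead, whose algorithm is longer than this whole example, so the unsalted {SHA} form is used here for checkability, not because it is the better choice.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed htpasswd file: user "champu", password "password", {SHA} form
# ('{SHA}' + base64(sha1(password))) as written by `htpasswd -s`.
SAMPLE_HTPASSWD = """\
champu:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""


def make_basic_header(user, password):
    """What the browser sends after the 401 prompt: base64 of 'user:password'.
    Encoding, not encryption: anyone on the path can read it straight back."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_authorization(header):
    """Split an Authorization header back into (user, password)."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not HTTP Basic authentication")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("credentials lack the ':' separator")
    return user, password


def load_htpasswd(text):
    """Parse 'user:hash' lines; blank lines and # comments are ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, _, stored = line.partition(":")
            entries[user] = stored
    return entries


def check_password(stored, password):
    """Verify a password against a {SHA} entry using a constant-time comparison."""
    if not stored.startswith("{SHA}"):
        raise ValueError("unsupported hash format")
    digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return hmac.compare_digest(stored[len("{SHA}"):], digest)


def authenticate(header, htpasswd_text=SAMPLE_HTPASSWD):
    """Return the user name for a valid header, None for anything else (the server
    would answer 401 again). Unknown users and unparsable input fail closed."""
    try:
        user, password = parse_authorization(header or "")
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return None
    stored = load_htpasswd(htpasswd_text).get(user)
    if stored is None:
        return None
    try:
        return user if check_password(stored, password) else None
    except ValueError:
        return None
```

Run make_basic_header("champu", "password") and look at the result: that string is what every intermediate device sees for every request to /noaccess, which is the whole argument for putting Basic auth behind SSL.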
Troubleshooting Apache
Checking the logs
If there is something wrong with your Apache but you have no idea how to figure out what's wrong, your first clues will be in the log files. There are a few log files around. All of them are located inside /var/log/httpd/

access_log
67.185.0.236 - - [18/Jun/2005:12:05:50 -0700] "GET / HTTP/1.0" 200 721
10.0.1.80 - - [18/Jun/2005:12:11:07 -0700] "GET /~jaspenelle/__journal1.jpg HTTP/1.1" 200 19079
66.239.233.163 - - [18/Jun/2005:12:15:06 -0700] "GET /~jaspenelle/avy14.gif HTTP/1.0" 200 1661
67.185.60.155 - - [18/Jun/2005:12:18:48 -0700] "GET / HTTP/1.0" 200 721
67.185.0.236 - - [18/Jun/2005:12:25:39 -0700] "GET / HTTP/1.0" 200 721
10.0.1.80 - - [18/Jun/2005:12:28:04 -0700] "GET /~jaspenelle/avy14.gif HTTP/1.1" 200 1661
10.0.1.80 - - [18/Jun/2005:12:28:46 -0700] "GET /~jaspenelle/avy7.png HTTP/1.1" 200 13066

This file is simply a listing of every request made to your server. Unless you have changed the default configuration, it will be in Common Log Format:
Common Log Format syntax
remotehost rfc931 authuser [date] "request" status bytes
remotehost   Remote host name or IP address
rfc931       The remote logname of the user (almost always "-": identd is rarely run)
authuser     The user name with which the user authenticated (from Basic/Digest auth; "-" otherwise)
[date]       Date and time of the request
"request"    The request line exactly as it came from the client
status       The HTTP status code returned to the client
bytes        The content length of the document transferred
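The access log is also the first place an intrusion shows up, so a parser for the format above pays for itself. The following Python is an added example, not code from the page: a Common Log Format parser and two small detections run over the page's seven sample lines (with the two "-" fields restored) plus four constructed lines that look like a scanner probing the server. The paths flagged as suspicious and the error threshold are choices of this example.

```python
import re
from collections import Counter

# Lines 1-7 are the page's own sample; lines 8-11 are constructed scanner traffic.
SAMPLE_LOG = """\
67.185.0.236 - - [18/Jun/2005:12:05:50 -0700] "GET / HTTP/1.0" 200 721
10.0.1.80 - - [18/Jun/2005:12:11:07 -0700] "GET /~jaspenelle/__journal1.jpg HTTP/1.1" 200 19079
66.239.233.163 - - [18/Jun/2005:12:15:06 -0700] "GET /~jaspenelle/avy14.gif HTTP/1.0" 200 1661
67.185.60.155 - - [18/Jun/2005:12:18:48 -0700] "GET / HTTP/1.0" 200 721
67.185.0.236 - - [18/Jun/2005:12:25:39 -0700] "GET / HTTP/1.0" 200 721
10.0.1.80 - - [18/Jun/2005:12:28:04 -0700] "GET /~jaspenelle/avy14.gif HTTP/1.1" 200 1661
10.0.1.80 - - [18/Jun/2005:12:28:46 -0700] "GET /~jaspenelle/avy7.png HTTP/1.1" 200 13066
192.0.2.44 - - [18/Jun/2005:12:30:01 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 290
192.0.2.44 - - [18/Jun/2005:12:30:02 -0700] "GET /admin/ HTTP/1.1" 404 286
192.0.2.44 - - [18/Jun/2005:12:30:03 -0700] "GET /.passwords HTTP/1.1" 403 292
192.0.2.44 - - [18/Jun/2005:12:30:04 -0700] "GET /../../etc/passwd HTTP/1.1" 400 226
"""

# remotehost rfc931 authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Paths worth a second look: traversal, URL-encoded traversal, the password file
# from the Basic-auth section, and the classic target of a traversal attempt.
SUSPICIOUS_PATH = re.compile(r"\.\./|%2e%2e|\.passwords|/etc/passwd", re.IGNORECASE)


def parse_clf(line):
    """Parse one Common Log Format line into a dict, or None if it does not match.
    The request field is split into method, path and protocol; a malformed request
    line (scanners send those too) keeps its raw text as the path."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    if len(parts) == 3:
        rec["method"], rec["path"], rec["protocol"] = parts
    else:
        rec["method"], rec["path"], rec["protocol"] = "", rec["request"], ""
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def analyse(log_text, error_threshold=3):
    """Run two detections over an access log and return the findings:
    ('suspicious-path', host, path) for each matching request, and
    ('client-error-burst', host, count) for hosts with >= threshold 4xx responses.
    Lines that do not parse are reported rather than silently skipped."""
    findings, client_errors = [], Counter()
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            findings.append(("unparsable", line))
            continue
        if 400 <= rec["status"] < 500:
            client_errors[rec["host"]] += 1
        if SUSPICIOUS_PATH.search(rec["path"]):
            findings.append(("suspicious-path", rec["host"], rec["path"]))
    for host, n in sorted(client_errors.items()):
        if n >= error_threshold:
            findings.append(("client-error-burst", host, n))
    return findings
```

On the sample, the page's own seven lines produce nothing, while the constructed host 192.0.2.44 is reported twice for its paths and once for its run of client errors. The request field is attacker-controlled text copied verbatim into the log, so treat it as untrusted input in anything that consumes these files.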
error_log
[Mon Feb 07 23:33:18 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Mon Feb 07 23:33:18 2005] [notice] Digest: generating secret for digest authentication ...
[Mon Feb 07 23:33:18 2005] [notice] Digest: done
[Mon Feb 07 23:33:18 2005] [notice] Apache/2.0.52 (Gentoo/Linux) PHP/4.3.10 configured -- resuming normal operations
[Sat Jun 18 13:01:54 2005] [error] [client 10.0.1.80] File does not exist: /var/www/localhost/htdocs/favicon.ico
[Sat Jun 18 13:02:14 2005] [error] [client 10.0.1.80] File does not exist: /var/www/localhost/htdocs/favicon.ico
[Sat Jun 18 13:02:18 2005] [error] [client 10.0.1.80] File does not exist: /var/www/localhost/htdocs/favicon.ico
[Sat Jun 18 13:02:21 2005] [error] [client 10.0.1.80] File does not exist: /var/www/localhost/htdocs/favicon.ico
[Sat Jun 18 13:02:24 2005] [error] [client 10.0.1.80] File does not exist: /var/www/localhost/htdocs/favicon.ico

As you can see, this file can contain a lot of stuff, depending on the LogLevel directive in your httpd.conf file. It tells you whether Apache started up correctly, what errors it has run into, and in general what went wrong. If something isn't working right, this should be the first file you check for more information.
Tips and tricks of my trade
Restart the Apache server without affecting existing connections
Sometimes you want to restart your Apache server after changing some configuration in your virtual hosts, sites etc., but you have a few hundred clients currently downloading files from your server and you don't want to disconnect them. You need to use the following command:
$ service httpd graceful
This will gracefully restart your Apache with the new configuration without affecting your clients' connections: each child finishes the request it is serving before being replaced. Run the syntax check (httpd -t) first; both apachectl and the RHEL init script refuse to do the restart when the configuration fails it.

Performance tuning
The Apache HTTP Server is a modular program where the administrator can choose the functions to be included in the server by selecting a set of modules [2]. The modules can be compiled either statically as part of the 'httpd' binary, or as Dynamic Shared Objects (DSOs). DSO modules can either be compiled when the server is built, or added later via the apxs utility, which allows compilation at a later date. The mod_so module must be statically compiled into the Apache core to enable DSO support.

Run Apache with only the required modules. This reduces the memory footprint, which improves server performance, and every module you leave out is code that cannot be attacked. Statically compiling modules will save the RAM that's used for supporting dynamically loaded modules, but you would have to recompile Apache to add or remove a module. This is where the DSO mechanism comes in handy. Once the mod_so module is statically compiled, any other module can be added or dropped using the 'LoadModule' command in the 'httpd.conf' file. Of course, you will have to compile the modules using 'apxs' if they weren't compiled when the server was built.
Choose appropriate MPM:
The Apache server ships with a selection of Multi-Processing Modules (MPMs) which are responsible for binding to network ports on the machine, accepting requests, and dispatching children to handle the requests [3]. Only one MPM can be loaded into the server at any time.
Choosing an MPM depends on various factors, such as whether the OS supports threads, how much memory is available, scalability versus stability, whether non-thread-safe third-party modules are used, etc.
Linux systems can choose to use a threaded MPM like worker or a non-threaded MPM like prefork:
The worker MPM uses multiple child processes. It's multi-threaded within each child, and each thread handles a single connection. Worker is fast and highly scalable and the memory footprint is comparatively low. It's well suited for multiple processors. On the other hand, worker is less tolerant of faulty modules, and a faulty thread can affect all the threads in a child process.
The prefork MPM uses multiple child processes; each child handles one connection at a time. Prefork is well suited for single or double CPU systems, speed is comparable to that of worker, and it's highly tolerant of faulty modules and crashing children, but the memory usage is high, and more traffic leads to greater memory usage.
Multi-Thread
A thread is a process within a process. Multiple threads reside within a single process. Threading has several advantages:
Resources (memory, etc.) can be shared between threads.
Multiple threads can execute simultaneously.
In Apache 1.3's case, the lack of multiple threads means that a separate process must be used to respond to each incoming request. This approach has an obvious advantage over Web servers that use a single process to respond to all requests: if the Internet Information Server (IIS) process dies on a Windows Web server, no further requests are served until the process is restarted. If a single Apache process dies, only the request being served by that process is affected.
The administrator must ensure that enough processes are available to handle incoming requests without forking new ones, but not so many that the system hits resource limits. Several directives in the Apache configuration file accomplish this:
The MaxClients setting limits the number of Apache processes that will be created. Typically, memory is the limitation on this setting. If your Apache process takes up 20 MB of memory, and you have 1000 MB of free RAM, you could have up to 50 Apache processes (1000 MB / 20 MB = 50).
The MinSpareServers and MaxSpareServers settings keep a number of processes waiting around, to avoid the delay imposed by forking a new process. New processes are forked continually to keep the number of available servers between these thresholds, but incoming HTTP requests do not have to wait for processes to be forked because spares are available.
To account for differences between platforms, while retaining the reliability of multiple processes, Apache 2.0 provides several different models for controlling Apache processes and threads in the form of Multi-Processing Modules (MPMs):
The prefork MPM replicates the single-threaded behavior of Apache 1.3. This is the default MPM for UNIX systems.
The worker MPM "implements a hybrid multi-threaded multi-process Web server." Several processes are started, each with a fixed number of threads. Processes are started or stopped as necessary to regulate the total number of threads.
The perchild MPM regulates the total number of threads by varying the number of threads in each process. This MPM also allows Apache processes to operate as multiple user IDs, which can be useful for managing several virtual hosts.
http://httpd.apache.org/docs/2.0/mpm.html
http://httpd.apache.org/docs/2.0/mod/worker.html
http://httpd.apache.org/docs/2.0/misc/perftuning.html
http://httpd.apache.org/docs/2.2/mod/prefork.html
http://books.google.co.in/books?id=cnDuw7GV4uYC&pg=PA180&lpg=PA180&dq=Difference+between++worker+MPM+%26+prefork+MPM&source=web&ots=4hKq5VQwf&sig=HocOBWL7lUwRrWjup1cp7sbf4eI&hl=en&sa=X&oi=book_result&resnum=5&ct=result#PPA186,M1
http://tldp.org/LDP/LGNET/123/vishnu.html#MPM
http://www.howtoforge.com/configuring_apache_for_maximum_performance
KeepAlive and KeepAliveTimeout:
KeepAlive:
This directive takes "on"/"off" as its parameter. In simple terms, whether you want to use the feature or not. For example, once you visit a site (www.something.com), there would be a number of connections from your machine to the remote machine (on port 80). Once the browser has finished fetching pages, the socket will be closed (if KeepAlive is off). If you click on a link on that page, another connection will be initiated. Remember that opening/closing a socket will require some overhead from the OS, and from Apache itself (same thing with closing the sockets).
KeepAliveTimeout:
KeepAliveTimeout will determine how long a persistent connection will be kept open.
The number of seconds Apache will wait for a subsequent request before closing the connection. Once a request has been received, the timeout value specified by the Timeout directive applies. Setting KeepAliveTimeout to a high value may cause performance problems in heavily loaded servers. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients.
Apache monitoring
wtop (search for it)
is a tool for benchmarking your Apache HTTP server.
apachectl
is a front end to the Apache HTTP server which is designed to help the administrator control the functioning of the Apache httpd daemon.
apxs
is a tool for building and installing extension modules for the Apache HTTP server.
dbmmanage
is used to create and update the DBM format files used to store usernames and passwords for basic authentication of HTTP users.
htdigest
is used to create and update the flat files used to store usernames, realms and passwords for digest authentication of HTTP users.
htpasswd
is used to create and update the flat files used to store usernames and passwords for basic authentication of HTTP users.
httpd
is the Apache HTTP server program.
instdso.sh
is a script which installs Apache DSO modules.
logresolve
is a post-processing program to resolve IP addresses in Apache's access log files.
rotatelogs
is a simple program for use in conjunction with Apache's piped log file feature.
SendMail
Sendmail queries the database version of the file, such as the Berkeley DB file /etc/mail/access.db
Berkeley DB should be installed to support sendmail reading the DB files
# file /etc/mail/access*
# rpm -qa | grep -i db
Package Version/Name: db4-4.2.
/etc/mail/helpfile
SMTP commands
e.g. telnet localhost 25
HELP
/etc/mail/local-host-names
To know how to handle the domains which are considered to be local
So it handles routing for
localhost
localhost.domain
FQDN, in my case postfix.altnix.com
192.168.10.30
127.0.0.1
The default MTA accepts messages for all the above
/var/spool/mail/
contains a mailbox per user
e.g. /var/spool/mail/~username
Traditional Unix Mbox
Sendmail uses a macro language called m4. As sendmail configuration is so complex, it's abstracted to the macro utility using m4.
/etc/mail/sendmail.mc
You can make changes and configure in sendmail.mc
sendmail.mc is much easier to understand
/etc/mail/sendmail.cf
Sendmail's main configuration file
/etc/mail/sendmail.mc
dnl -> way of commenting
Sendmail is separated into two daemons:
$ ps ax | grep -i sendmail
One accepts connections
e.g. sendmail: accepting connections on port 25
The other runs the queue
e.g. sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
01:00 -> 1 minute
mails get stored in /var/spool/clientmqueue; the queue runner daemon wakes up every 1 minute
/var/spool/clientmqueue is owned by smmsp
smmsp -> sendmail mail submission program
So users on our local system invoke mail into the local queue /var/spool/clientmqueue, which gets scanned every 1 minute by the queue runner
/etc/mail/trusted-users
users that can send mail as others without a warning. Able to rewrite the From section without sendmail complaining.
/etc/mail/virtusertable
Allows us to set up virtual domains
e.g.
champu@postfix.altnix.com    champu (local account)
So we have given you a brief introduction to the default implementation of sendmail within the Red Hat framework.
Generate a message and sendmail delivers the mail to the user champu
# which mutt
Mutt is a great client; by default it reads mbox format but it also has the ability to interact with Maildirs, which is a newer and more robust way of storing mail messages.
However there is an environment variable set which mutt relies upon
$ set | grep -i mutt
MAIL=/var/spool/mail/root
This environment variable should point to the proper user's mailbox
As root you can read anyone's mailbox
$ which sendmail
$ ls -l /usr/sbin/sendmail
$ ls -l /etc/alternatives/mta
SENDMAIL is monolithic. It handles all messaging, binding to the MTA port as well as local delivery
$ ps -ef | grep sendmail
You could see various instances (processes) but all are tied to the same binary
By default sendmail accepts mails from local users and delivers them to local and remote users
Configure mail server to accept internet email
1. Allowing Sendmail to accept mails from the network
$ vi /etc/mail/sendmail.mc
search for 127.0, put dnl at the front of the line
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
2. Convert the macro-based file
$ cd /etc/mail
$ make
OR
$ cd /etc/mail
$ m4 sendmail.mc > sendmail.cf
3. Restart the Sendmail service
$ service sendmail restart
4.
$ su - champu
$ mail tree
Subject:
<data here: mail content>
. <to end the mail>
telnet localhost 25
helo altnix.com
mail from:<champu@altnix.com>
rcpt to:<tree@lwqmail.altnix.com>
data
Hey TEST MAIL FROM TELNET
.
quit
[root@lwqmail mail]# vi /etc/aliases
tree: champu
tree: tree, champu
$ newaliases
ACL
Allow for altnix.com
Allow for 192.168.10.0/24
Deny for dummy.org
$ vi /etc/mail/access
@altnix.com    RELAY
192.168.10.    RELAY
@dummy.org     REJECT
$ makemap hash /etc/mail/access < /etc/mail/access    (builds access.db; postmap is the Postfix equivalent)
$ service sendmail restart
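Added example, not sendmail's own code and not part of the practical: a small Python model of how sendmail's access_db lookup picks the most specific key for a connecting client, so a RELAY/REJECT policy like the one above can be checked before it goes live. It assumes the key forms documented for sendmail's access_db feature (a plain domain name, or an IP prefix without a trailing dot, so the "@" in the entries above is dropped); the table, client addresses and host names are constructed.

```python
"""Model of sendmail access-map lookup for a connecting client (added
illustration, not sendmail code). Keys: domain names match the domain and
every host under it; IP prefixes match every address that starts with them.
Sender-address (From:) checks are not modelled."""
import re

# Constructed access map carrying the three policy entries from the practical.
ACCESS = {
    "altnix.com": "RELAY",    # the domain and every host under it
    "192.168.10": "RELAY",    # the 192.168.10.0/24 network
    "dummy.org": "REJECT",    # everything from this domain
}


def ip_keys(ip):
    """Keys sendmail tries for an IP, longest prefix first:
    192.168.10.30 -> 192.168.10.30, 192.168.10, 192.168, 192"""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def host_keys(host):
    """Keys tried for a host name, most specific first:
    mail.dummy.org -> mail.dummy.org, dummy.org, org"""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def lookup(table, keys):
    """Action for the first (most specific) key present, or None."""
    for key in keys:
        if key in table:
            return table[key]
    return None


def relay_decision(table, client_ip, client_host=None):
    """What the relay check concludes for a connecting client: the client's
    host name is tried first, then its IP address. No entry means the client
    may deliver to local domains only and is never relayed (the safe default)."""
    keys = (host_keys(client_host) if client_host else []) + ip_keys(client_ip)
    return lookup(table, keys) or "NO-RELAY"


def relay_scope(table):
    """Number of IPv4 addresses each RELAY entry keyed by an IP prefix covers.
    A quick check against accidentally relaying for a whole /16 ("192.168")
    or a /8 ("192"), which turns the server into an open relay for them."""
    scope = {}
    for key, action in table.items():
        if action == "RELAY" and re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,3}", key):
            scope[key] = 256 ** (4 - key.count(".") - 1)
    return scope
```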
Q: Mail alias
A: modify /etc/aliases, run newaliases
Q: Receive mail for altnix.com
A: modify sendmail.mc as above, and add the domain to /etc/mail/local-host-names
$ vi /etc/mail/local-host-names
altnix.com
Debugging:
mail -v root
mailq, mailq -Ac
sendmail -q
tail -f /var/log/maillog
Configure for pop3 (or imap)
A: 1) install dovecot
2) vi /etc/dovecot.conf
protocols = pop3
3) service dovecot restart
4) chkconfig dovecot on
Testing:
note: root is not permitted to log in
echo "pop" | mail -s test student
telnet localhost 110
user student
pass student
stat
list
retr 1
quit
Set up an SMTP server
john's mails should be spooled to /var/spool/mail/john
Your server should accept mails from remote networks [internet]
1. $ cd /etc/mail/
2. $ cp sendmail.mc sendmail.mc.org
3. $ cp sendmail.cf sendmail.cf.org
4. $ vi /etc/mail/sendmail.mc
Find this line:
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
add the word dnl to the beginning so it looks like this:
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
$ m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
$ chkconfig --level 35 sendmail on
$ service sendmail restart
john's mails should be spooled to /var/spool/mail/john
Nothing to do. This is done by default by sendmail*
$ netstat -antp | grep :25
127.0.0.1:25
-> previous output, before you run the m4 command
0.0.0.0:25
-> after your m4 command the output will look like this
Your local domain is altnix.com. Configure the sendmail server for your local LAN by following these conditions:
Relay the mail from the 192.168.10.0/24 network
If any mail is coming from the dummy.com domain, block all mails
user5's mail should be got by user2 and himself
1. Edit /etc/mail/local-host-names
altnix.com
2. $ vi /etc/mail/sendmail.mc
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
$ m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
$ vi /etc/mail/access
192.168.10    RELAY
@dummy.com    REJECT
$ chkconfig --level 35 sendmail on
$ service sendmail restart
Edit /etc/dovecot.conf
protocols = imap imaps pop3 pop3s
$ chkconfig --level 35 dovecot on
$ service dovecot restart
$ vi /etc/aliases
user5: user2
$ newaliases
All mails to altnix.com should be got by the dhoni user
$ vi /etc/mail/virtusertable
@altnix.com    dhoni
$ service sendmail restart
$ chkconfig --level 35 sendmail on
Create an encapsulated SSL IMAP server {IMAPS}.
Create an IMAP certificate for your hostname
In [CN], put champu.altnix.com
Only eric should be allowed from .altnix.com and all from .dummy.com should be denied
OR
User eric should be able to access mail using IMAP over SSL
Create an IMAP certificate for your hostname
Only eric should be allowed from .altnix.com and all from .dummy.com should be denied
$ vi /etc/dovecot.conf
protocols = pop3 pop3s imap imaps
$ cd /usr/share/ssl/certs
$ mv dovecot.pem dovecot.pem_OLD
$ make dovecot.pem
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Maharashtra
Locality Name (eg, city) [Newbury]:Mumbai
Organization Name (eg, company) [My Company Ltd]:Altnix
Organizational Unit Name (eg, section) []:Admin
Common Name: champu.altnix.com
$ cp dovecot.pem /usr/share/ssl/private
$ service dovecot restart
$ netstat -antp | grep :143
$ netstat -antp | grep :110
$ netstat -antp | grep :993
$ netstat -antp | grep :995
$ chkconfig --level 35 dovecot on
Fighting SPAM
Unsolicited Commercial Email (UCE or SPAM) can be annoying, time
consuming to delete and in some cases dangerous when they contain
viruses and worms. Fortunately there are ways you can use your mail
server to combat SPAM
Using Public SPAM Blacklists With Sendmail
There are many publicly available lists of known open mail relay
servers and spam generating mail servers on the Internet. Some are
maintained by volunteers, others are managed by public companies,
but in all cases they rely heavily on complaints from spam victims.
Some spam blacklists simply try to determine whether the e-mail is
coming from a legitimate IP address.
The IP addresses of offenders usually remain on the list for six
months to two years. In some cases, to provide additional pressure
on the spammers, the blacklists include not only the offending IP
address but also the entire subnet or network block to which it
belongs. This prevents the spammers from easily switching their
servers' IP addresses to the next available ones on their networks.
Also, if the spammer uses a public data center, it is possible that
their activities could also cause the IP addresses of legitimate
emailers to be blacklisted too. It is hoped that these legitimate
users will pressure the data center's management to evict the
spamming customer.
You can configure sendmail to use its dnsbl feature to both query
these lists and reject the mail if a match is found. Here are some
sample entries you can add to your /etc/sendmail.mc file; they
should all be on one line.
FEATURE(`dnsbl',`sbl.spamhaus.org',`Rejected - see
http://spamhaus.org/')dnl
Be sure to visit the URLs listed to learn more about the individual
services.
Spamassassin
Once sendmail receives an e-mail message, it hands the message over
to procmail, which is the application that actually places the email in user mailboxes on the mail server. You can make procmail
temporarily hand over control to another program, such as a spam
filter. The most commonly used filter is spamassassin.
spamassassin doesn't delete spam, it merely adds the word "spam" to
the beginning of the subject line of suspected spam e-mails. You
can then configure the e-mail filter rules in Outlook Express or
any other mail client to either delete the suspect message or store
it in a special Spam folder.
Downloading And Installing Spamassassin
Most RedHat and Fedora Linux software products are available in the
RPM format. When searching for the RPMs, remember that the filename
usually starts with the software package name and is followed by a
Configuring Spamassassin
The spamassassin configuration file is named
/etc/mail/spamassassin/local.cf. A full listing of all the options
available in the local.cf file can be found in the Linux man pages
using the following command:
[root@bigboy tmp]# man Mail::SpamAssassin::Conf
#
# These values can be overridden by editing
# ~/.spamassassin/user_prefs.cf (see spamassassin(1) for details)
#
# How many hits before a message is considered spam. The lower the
# number the more sensitive it is.
required_hits 5.0
use_dcc 1
use_pyzor 1
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales
en
SQUID
Squid is...
an offshoot of the Harvest Project
a full-featured Web/FTP Proxy and Cache server
designed to run on Unix systems
free, open source software
the result of many contributions by unpaid (and paid) volunteers
With Squid you can...
Use less bandwidth on your connection when surfing the Web
Reduce latency [time taken to load a web page]
Protect hosts on your intranet by proxying their web traffic
Collect statistics about web traffic on your NW
Prevent users from visiting illegal sites
Ensure that only valid users surf the net
Enhance users' privacy by filtering sensitive info from web requests
Reduce the load on your web servers
Convert encrypted [HTTPS] requests on one side to unencrypted [HTTP] requests on the other
With Squid you CANNOT...
Proxy email [SMTP], instant messaging, or IRC
Squid supports...
proxying and caching of HTTP, FTP, and other
proxying for SSL encrypted traffic
cache hierarchies
ICP, HTCP, CARP, Cache Digests
transparent caching
WCCP (Squid v2.3 and above)
extensive sophisticated access controls
HTTP server acceleration aka surrogate mode
HTTP Interception Caching
SNMP
caching of DNS lookups
URL redirection
traffic shaping
numerous external auth modules
advanced disk storage options
1. Proxy servers
A proxy server is a machine which acts as an intermediary between the computers of a local area network (sometimes using protocols other than TCP/IP) and the Internet.
Most of the time the proxy server is used for the web, and when it is, it's an HTTP proxy. However, there can be proxy servers for every application protocol (FTP, etc.).
2. The operating principle of a proxy server
The basic operating principle of a proxy server is quite simple: it is a server which acts as a "proxy" for an application by making a request on the Internet in its stead. This way, whenever a user connects to the Internet using a client application configured to use a proxy server, the application will first connect to the proxy server and give it its request. The proxy server then connects to the server which the client application wants to connect to and sends that server the request. Next, the server gives its reply to the proxy, which then finally sends it to the application client.
3. Features of a proxy server
Nowadays, by using TCP/IP within local area networks, the relaying role that the proxy server plays is handled directly by gateways and routers. However, proxy servers are still being used, as they have some other features.
4. Caching
5. Filtering
What's more, by using a proxy server, connections can be tracked by creating logs for systematically recording user queries when they request connections to the Internet.
Because of this, Internet connections can be filtered, by analysing both client requests and server replies. When filtering is done by comparing a client's request to a list of authorised requests, this is called whitelisting, and when it's done with a list of forbidden sites, it's called blacklisting. Finally, analysing server replies that comply with a list of criteria (such as keywords) is called content filtering.
6. Authentication
Reverse proxy servers
A reverse proxy is a "backwards" proxy cache server; it's a proxy server that, rather than allowing internal users to access the Internet, lets Internet users indirectly access certain internal servers.
The reverse proxy server is used as an intermediary by Internet users who want to access an internal website, by sending it requests indirectly. With a reverse proxy, the web server is protected from direct outside attacks, which increases the internal network's strength. What's more, a reverse proxy's cache function can lower the workload of the server it is assigned to, and for this reason it is sometimes called a server accelerator.
Finally, with perfected algorithms, the reverse proxy can distribute the workload by redirecting requests to other, similar servers; this process is called load balancing.
$ squid -k
  parse        Check if squid.conf is OK and syntax free
  check        Check if SQUID is running
  reconfigure  Re-read squid.conf w/o stopping [refresh]
               aka service squid reload
  rotate       Rotate the log files
  shutdown     Shut down SQUID gracefully
               aka service squid stop
  interrupt    Kill SQUID w/o waiting for transactions to finish
  kill         Kill SQUID mercilessly
  debug        Puts SQUID in debugging mode
$ squid -N         Is SQUID running?
$ squid -N -d1     Is DNS working?
$ squid -z -X      Init the cache/swap dirs. Used when running SQUID for the first time.
                   Done by the SQUID init script anyway [start()]
                   -X -> To watch the progress of cache creation
                   SQUID should not be running when this is done!
$ squid -F         Make SQUID refuse all requests until it rebuilds the storage metadata
                   Done by the SQUID init script anyway [start()]
$ squid -D         Disables/prevents initial DNS tests
                   Done by the SQUID init script anyway [start()]
                   Already specified in /etc/sysconfig/squid, which is read by squid's init script
$ squid -N -d1 -D  Run SQUID with logging to stderr in the fg, not bg, with level 1 debugging
  -N  -> Keep SQUID in the fg. Does not read /etc/sysconfig/squid
  -d1 -> Display level 1 debugging to stderr
  -D  -> Don't bother with DNS and die, since Squid tries to do DNS lookups for a few common domains, and dies with an error if it is not able to resolve them thru /etc/resolv.conf. See Directive #11 dns_testnames
$ squid -N         Prevent SQUID from becoming a bg process
$ squid -s         Enable logging to the syslogd daemon. SQUID uses the LOCAL4 syslog facility. Level 0 debug msgs are logged with priority LOG_WARNING. Level 1 debug msgs are logged with priority LOG_NOTICE.
Access Controls are the most important part of your SQUID config file. You will use them to grant access to authorized users and keep out the bad guys.
You can use them to restrict, or prevent access to, certain material; to control request rewriting; to route requests thru a hierarchy; and to support different qualities of service.
What is Access Control?
Access Control
1. Define a no of ACL Elements or ACL ELEMENTS or ACLEs [These refer to specific aspects of client requests such as IP addrs, URL hostnames, request methods and origin server port nos]
2. Access Control Rules or RULES or ACRs [These rules apply to particular services or ops within SQUID, e.g. http_access rules are applied to incoming HTTP requests]
i.e. Access Control = ACL Elements + AC Rules
                    = ACLEs + ACRs
=========================
ACCESS CONTROL ELEMENTS - ACLEs
ACL elements are the building blocks of SQUID's access control implementation.
Each ACL has a name, which you use when writing the rules
Eg.
acl Workstations src 192.168.0.0/24
You can list multiple values for one ACL element
Eg.
acl Http_ports port 80 8000 8080
is the same as
acl Http_ports port 80
acl Http_ports port 8000
acl Http_ports port 8080
Squid knows about the following types of ACLEs:
1  src: Source (client) IP addresses
2  srcdomain: Source (client) domain name
3  srcdom_regex: Source (client) domain with RE pattern matching
4  dst: Destination (server) IP addresses [Origin Server]
5  dstdomain: Destination (server) domain name
6  dstdom_regex: Destination (server) with RE pattern matching
7  url_regex: Match any part of a requested URL
8  urlpath_regex: Match any part of a requested URL. Omit protocol/hostname
9  time: Current Time of day, and day of week
10 port: Destination server port no [Don't confuse with #18 myport]
11 proto: Transfer protocol (HTTP, FTP, SSL)
12 method: HTTP request method (GET, PUT, HEAD, POST, FTP, SSL)
13 browser: Allowing/Disallowing Browsers
14 maxconn: Limit on max no of connections from a single client IP
15 arp: Ethernet (MAC) address matching. ARP-based ACLEs
16 proxy_auth: Username/Password authentication using PAM
17 proxy_auth_regex: user authentication via external processes
18 myport: Local port no [cache] that the Client connects to
19 myip: The local IP address of a client's connection
20 src_as: Source (client) Autonomous System number
21 dst_as: Destination (server) Autonomous System number
22 ident: String matching on the user's name
23 ident_regex: RE pattern matching on the user's name
24 referer_regex:
25 req_mime_type:
26 rep_mime_type:
27 snmp_community: SNMP community string matching
28 req_mime_type: RE pattern matching on the request content-type header
29 rep_mime_type: RE pattern matching on the reply (downloaded content) content-type header. This is only usable in the http_reply_access directive, not http_access.
30 external: lookup via external acl helper defined by external_acl_type
Base Types      Used by
=================
IP addresses:   1. src
                2. dst
                3. myip
                4. src_as
                5. dst_as
Domain Names:   srcdomain
                dstdomain
                cache_host_domain directive
Usernames:      ident
                ident_regex
                proxy_auth
                proxy_auth_regex
REs:            srcdom_regex
                dstdom_regex
                url_regex
                urlpath_regex
                browser
                referer_regex
                ident_regex
                proxy_auth_regex
                req_mime_type
                rep_mime_type
TCP Port Nos:   port
                myport
Restrict sites
Search for `Access Controls' and append the following two lines:
acl blocksites dstdomain .gmail.com
http_access deny blocksites
Save and close the file. Restart Squid:
$ /etc/init.d/squid restart
Restrict word
Let us say you would like to deny access for anyone who browses to a URL with the word "bar" in it. Append the following ACL:
acl blockregexurl url_regex -i porn
http_access deny blockregexurl
Restricting Web Access By Time
You can create access control lists with time parameters. For example, you can allow only business-hour access from the home network, while always restricting access to host 192.168.1.23.
Add this to the bottom of the ACL section of squid.conf
acl home_network src 192.168.1.0/24
acl business_hours time MTWHF 9:00-17:00
acl RestrictedHost src 192.168.1.23
Add this at the top of the http_access section of squid.conf
http_access deny RestrictedHost
http_access allow home_network business_hours
Or, you can allow morning access only:
Add this to the bottom of the ACL section of squid.conf
acl mornings time 08:00-12:00
Add this at the top of the http_access section of squid.conf
http_access allow mornings
Restrict .exe .mp3 .avi with a customized error page
Now add the following lines to your squid ACL section:
acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"
You want to display a custom error message when a file is blocked:
# Deny all blocked extensions
deny_info ERR_BLOCKED_FILES blockfiles
http_access deny blockfiles
Now create the /etc/squid/blocks.files.acl file:
# vi /etc/squid/blocks.files.acl
Append the following text:
\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$
Create a custom error message HTML file called ERR_BLOCKED_FILES in the /etc/squid/error/ directory or the /usr/share/squid/errors/English directory.
# vi ERR_BLOCKED_FILES
Append the following content:
<HTML>
<HEAD>
<TITLE>ERROR: Blocked file content</TITLE>
</HEAD>
<BODY>
<H1>File is blocked due to new IT policy</H1>
<p>Please contact helpdesk for more information:</p>
Phone: 555-12435 (ext 44)<br>
Email: helpdesk@yourcorp.com<br>
Caution: Do not include the HTML close tags </HTML> </BODY> as they will be closed by squid.
Save and close the file. Restart Squid:
# /etc/init.d/squid restart
Restrict Port
Locate your ACL section and add configuration directives as follows:
acl block_port port 1234
http_access deny block_port
http_access allow all
If you just want to skip a particular IP (192.168.1.5) try as follows:
acl block_port port 1234
acl no_block_port_ip src 192.168.1.5
http_access deny block_port !no_block_port_ip
http_access allow all
Close and save the file.
Restart the squid proxy server:
$ /etc/init.d/squid restart
And finally deny all other access to this proxy
http_access allow localhost
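Added example, not Squid's own code and not from the practical: a Python model of how Squid walks the http_access list, fed with the ACLs from the sections above plus an explicit final deny. It shows the three things that decide the outcome (terms on one line are ANDed, a leading ! negates a term, the first matching line wins) and the implicit default Squid applies when no line matches, which is the opposite of the last line's action. The config text and the requests are constructed for this illustration.

```python
"""Model of Squid http_access evaluation (added illustration, not Squid code).
Covers the ACL types used above: src, dstdomain, port, url_regex, time."""
import ipaddress
import re
from datetime import datetime

# Constructed squid.conf fragment: the rules from the sections above, ordered
# deny-first, with an explicit "deny all" so nothing falls through by accident.
CONF = """
acl home_network src 192.168.1.0/24
acl RestrictedHost src 192.168.1.23
acl business_hours time MTWHF 9:00-17:00
acl block_port port 1234
acl no_block_port_ip src 192.168.1.5
acl blocksites dstdomain .gmail.com
acl blockregexurl url_regex -i porn
http_access deny RestrictedHost
http_access deny blocksites
http_access deny blockregexurl
http_access deny block_port !no_block_port_ip
http_access allow home_network business_hours
http_access deny all
"""


def parse(conf):
    """Return ({acl_name: (type, [values])}, [(action, [terms])])."""
    acls = {"all": ("src", ["0.0.0.0/0"])}   # Squid predefines 'all'
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":   # repeated acl lines with one name accumulate values
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def request(src, host, port=80, when=None, path="/"):
    """A constructed client request as the evaluator sees it (default: a Tuesday 10:30)."""
    return {"src": src, "host": host, "port": port,
            "url": "http://%s:%d%s" % (host, port, path),
            "when": when or datetime(2024, 1, 9, 10, 30)}


def time_matches(values, when):
    days, span = "SMTWHFA", values[-1]          # Squid day codes, Sunday first
    if len(values) == 2:
        days = values[0]
    if "MTWHFAS"[when.weekday()] not in days:   # weekday(): Monday == 0
        return False
    start, end = (int(t.split(":")[0]) * 60 + int(t.split(":")[1])
                  for t in span.split("-"))
    return start <= when.hour * 60 + when.minute < end


def acl_matches(kind, values, req):
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        # ".gmail.com" matches gmail.com and every subdomain; "gmail.com" only itself
        host = req["host"].lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in map(str.lower, values))
    if kind == "port":
        return req["port"] in {int(v) for v in values}
    if kind == "url_regex":
        flags = re.IGNORECASE if values[0] == "-i" else 0
        patterns = values[1:] if flags else values
        return any(re.search(p, req["url"], flags) for p in patterns)
    if kind == "time":
        return time_matches(values, req["when"])
    raise ValueError("ACL type not modelled: " + kind)


def decide(acls, rules, req):
    """Return (action, index of the http_access line that decided); the index
    is None when no line matched and Squid's implicit default was used."""
    for i, (action, terms) in enumerate(rules):
        hit = True
        for term in terms:                       # all terms on a line must hold
            negate = term.startswith("!")
            kind, values = acls[term.lstrip("!")]
            if acl_matches(kind, values, req) == negate:
                hit = False
                break
        if hit:
            return action, i
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), None
```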
Squid Bandwidth Limiting (Bandwidth Throttling)
How to Write a Delay Pool Script in Squid
In this scenario we are going to create 3 pools
128 kbps
256 kbps
Unlimited for Admin
acl 128kbps src 192.168.0.200/32
acl 256kbps src 192.168.0.201/32
acl admin src 192.168.0.205/32
You just create the ACLs named net, net2, net3
delay_pools 3
delay_class 1 2
delay_access 1 deny admin
delay_access 1 deny 256kbps
delay_access 1 allow 128kbps
delay_parameters 1 -1/-1 16000/16000
delay_class 2 2
delay_access 2 deny admin
delay_access 2 allow 256kbps
delay_parameters 2 -1/-1 32000/32000
delay_class 3 2
delay_access 3 allow admin
delay_parameters 3 -1/-1 -1/-1
Vi/Vim Examples
What is the VI editor?
While in vi you can run AIX commands without exiting the editing session. The ! creates a shell to execute the command that follows.
1. :!ls will create a shell
2. All files in the current directory are listed. Press return to exit the shell and return to the vi session or...
3. While still in command mode, issue the :r snacks command
4. The contents of snacks, in this case, are read into the vi file. By default, it will appear after the current line.
If you need to run a series of commands without returning to vi after the first command is executed, enter :sh. When you have run all the commands, press to exit the shell and return to vi.
Cursor movement
h  move left
j  move down
k  move up
l  move right
w  jump by start of words (punctuation considered words)
W  jump by words (spaces separate words)
e  jump to end of words (punctuation considered words)
E  jump to end of words (no punctuation)
b  jump backward by words (punctuation considered words)
B  jump backward by words (no punctuation)
0  (zero) start of line
^  first non-blank character of line
$  end of line
G  Go To command (prefix with number: 5G goes to line 5)
Note: Prefix a cursor movement command with a number to repeat it. For example, 4j moves down 4 lines.
Insert Mode - Inserting/Appending text
i  start insert mode at cursor
I  insert at the beginning of the line
a  append after the cursor
A  append at the end of the line
o  open (append) blank line below current line (no need to press return)
O  open blank line above current line
ea  append at end of word
Esc  exit insert mode
Editing
r  replace a single character (does not use insert mode)
J  join line below to the current one
cc  change (replace) an entire line
cw  change (replace) to the end of word
c$  change (replace) to the end of line
s  delete character at cursor and substitute text
S  delete line at cursor and substitute text (same as cc)
xp  transpose two letters (delete and paste, technically)
u  undo
.  repeat last command
Marking text (visual mode)
v  start visual mode, mark lines, then do command (such as y-yank)
V  start Linewise visual mode
o  move to other end of marked area
Ctrl+v  start visual block mode
O  move to Other corner of block
aw  mark a word
ab  a () block (with braces)
aB  a {} block (with brackets)
ib  inner () block
iB  inner {} block
Esc  exit visual mode
Visual commands
>  shift right
<  shift left
y  yank (copy) marked text
d  delete marked text
~  switch case
Cut and Paste
yy  yank (copy) a line
2yy  yank 2 lines
yw  yank word
y$  yank to end of line
p  put (paste) the clipboard after cursor
P  put (paste) before cursor
dd  delete (cut) a line
dw  delete (cut) the current word
x  delete (cut) current character
Exiting
:w  write (save) the file, but don't exit
:wq  write (save) and quit
:q  quit (fails if anything has changed)
:q!  quit and throw away changes
Search/Replace
/pattern  search for pattern
?pattern  search backward for pattern
n  repeat search in same direction
N  repeat search in opposite direction
:%s/old/new/g  replace all old with new throughout file
:%s/old/new/gc  replace all old with new throughout file with confirmations
Working with multiple files
:e filename  Edit a file in a new buffer
:bnext (or :bn)  go to next buffer
:bprev (or :bp)  go to previous buffer
:bd  delete a buffer (close a file)
:sp filename  Open a file in a new buffer and split window
ctrl+ws  Split windows
ctrl+ww  switch between windows
ctrl+wq  Quit a window
ctrl+wv  Split windows vertically
VI Options:
vi has many modes of operation. Some of these will affect the way text is presented, while others will make editing easier for novice users.
:set all  display all settings
:set  display settings different from the default
:set ai  sets autoindent on
:set noai  turns autoindent mode off
:set nu  enables line numbers
:set nonu  turns line numbers off
:set list  displays non-printable characters
:set nolist  hides non-printable characters
:set showmode  shows the current mode of operation
:set noshowmode  hides mode of operation
:set ts=4  sets tabs to 4 character jumps
:set ic  ignores case sensitivity
:set noic  case sensitive
Search
/word  Search word from top to bottom
?word  Search word from bottom to top
/jo[ha]n  Search john or joan
/\<the  Search the, theatre or then
/the\>  Search the or breathe
/\  Search the
/\  Search all words of 4 letters
/\/  Search fred but not alfred or frederick
/fred\|joe  Search fred or joe
/\  Search exactly 4 digits
/^\n\{3}  Find 3 empty lines
:bufdo /searchstr/  Search in all open files
Replace
:%s/old/new/g  Replace all occurrences of old by new in file
:%s/old/new/gw  Replace all occurrences with confirmation
:2,35s/old/new/g  Replace all occurrences between lines 2 and 35
:5,$s/old/new/g  Replace all occurrences from line 5 to EOF
:%s/^/hello/g  Replace the beginning of each line by hello
:%s/$/Harry/g  Replace the end of each line by Harry
:%s/onward/forward/gi  Replace onward by forward, case insensitive
:%s/ *$//g  Delete all trailing whitespace
:g/string/d  Delete all lines containing string
:v/string/d  Delete all lines which don't contain string
:s/Bill/Steve/  Replace the first occurrence of Bill by Steve in current line
:s/Bill/Steve/g  Replace Bill by Steve in current line
:%s/Bill/Steve/g  Replace Bill by Steve in the whole file
:%s/\r//g  Delete DOS carriage returns (^M)
:%s/\r/\r/g  Transform DOS carriage returns into returns
:%s#]\+>##g  Delete HTML tags but keep text
:%s/^\(.*\)\n\1$/\1/  Delete lines which appear twice
Ctrl+a  Increment number under the cursor
Ctrl+x  Decrement number under cursor
ggVGg?  Change text to Rot13
Case
Vu  Lowercase line
VU  Uppercase line
g~~  Invert case
vEU  Switch word to uppercase
vE~  Modify word case
ggguG  Set all text to lowercase
:set ignorecase  Ignore case in searches
:set smartcase  Ignore case in searches except if an uppercase letter is used
:%s/\<./\u&/g  Sets first letter of each word to uppercase
:%s/\<./\l&/g  Sets first letter of each word to lowercase
:%s/.*/\u&  Sets first letter of each line to uppercase
:%s/.*/\l&  Sets first letter of each line to lowercase
Read/Write files
:1,10 w outfile  Saves lines 1 to 10 in outfile
:1,10 w >> outfile  Appends lines 1 to 10 to outfile
:r infile  Insert the content of infile
:23r infile  Insert the content of infile under line 23
File explorer
:e .  Open integrated file explorer
:Sex  Split window and open integrated file explorer
:browse e  Graphical file explorer
:ls  List buffers
:cd ..  Move to parent directory
:args  List files
:args *.php  Open file list
:grep expression *.php  Returns a list of .php files containing expression
gf  Open file name under cursor
Interact with Unix
:!pwd  Execute the pwd unix command, then return to Vi
!!pwd  Execute the pwd unix command and insert output in file
:sh  Temporarily return to Unix
$ exit  Return to Vi
Alignment
:%!fmt                          Reflow all lines through fmt
!}fmt                           Reflow the lines from the cursor to the end of the paragraph
5!!fmt                          Reflow the next 5 lines
Tabs
:tabnew                         Create a new tab
gt                              Show the next tab
:tabfirst                       Show the first tab
:tablast                        Show the last tab
:tabm n                         Rearrange tabs (move the current tab to position n)
:tabdo %s/foo/bar/g             Execute a command in all tabs
:tab ball                       Put all open buffers in tabs
Window splitting
:e filename                     Edit filename in the current window
:split filename                 Split the window and open filename
Ctrl-w Up                       Put the cursor in the top window
Ctrl-w Ctrl-w                   Put the cursor in the next window
Ctrl-w _                        Maximise the current window
Ctrl-w =                        Give the same size to all windows
10 Ctrl-w +                     Add 10 lines to the current window
:vsplit file                    Split the window vertically
:sview file                     Same as :split, in read-only mode
:hide                           Close the current window
:only                           Close all windows except the current one
:b 2                            Open buffer #2 in this window
Autocompletion
Ctrl+n, Ctrl+p (in insert mode) Complete word
Ctrl+x Ctrl+l                   Complete line
:set dictionary=dict            Define dict as a dictionary
Ctrl+x Ctrl+k                   Complete with the dictionary
Marks
mk                              Mark the current position as k
`k                              Move the cursor to mark k ('k moves to the start of its line)
d`k                             Delete everything up to mark k
Abbreviations
:ab pr printf("This is a Demo Ver\n");    Define pr as an abbreviation of printf("This is a Demo Ver\n");
Text indent
:set autoindent                 Turn on auto-indent
:set smartindent                Turn on intelligent auto-indent
:set shiftwidth=4               Define 4 spaces as the indent size
Ctrl-t, Ctrl-d                  Indent/unindent in insert mode
>>                              Indent
<<                              Unindent
Syntax highlighting
:syntax on                      Turn on syntax highlighting
:syntax off                     Turn off syntax highlighting
:set syntax=perl                Force Perl syntax highlighting
How to Exit
:q[uit]                         Quit Vim. This fails when changes have been made.
:q[uit]!                        Quit without writing.
:cq[uit]                        Quit always, without writing, and return a non-zero exit code.
:wq                             Write the current file and exit.
:wq!                            Write the current file and exit always.
:wq {file}                      Write to {file}. Exit if not editing the last
:wq! {file}                     Write to {file} and exit always.
:[range]wq[!] [file]            Same as above, but only write the lines in [range].
ZZ                              Write the current file, if modified, and exit.
ZQ                              Quit the current file and exit (same as ":q!").
Editing a File
:e[dit]                         Edit the current file. This is useful to re-edit the current file when it has been changed outside of Vim.
:e[dit]!                        Edit the current file always. Discard any changes to the current buffer. This is useful if you want to start all over again.
:e[dit] {file}                  Edit {file}.
:e[dit]! {file}                 Edit {file} always. Discard any changes to the current buffer.
gf                              Edit the file whose name is under or after the cursor. Mnemonic: "goto file".
Inserting Text
a                               Append text after the cursor [count] times.
A                               Append text at the end of the line [count] times.
i                               Insert text before the cursor [count] times.
I                               Insert text before the first non-blank in the line [count] times.
gI                              Insert text in column 1 [count] times.
o                               Begin a new line below the cursor and insert text, repeat [count] times.
O                               Begin a new line above the cursor and insert text, repeat [count] times.
Inserting a file
:r[ead] [name]                  Insert the file [name] below the cursor.
:r[ead] !{cmd}                  Execute {cmd} and insert its standard output below the cursor.
Ref
http://www.catswhocode.com/blog/100-vim-commands-every-programmer-should-know
http://www.fortunecity.com/skyscraper/terminus/435/
http://www.thegeekstuff.com/2010/04/vim-editor-tutorial/
*******************************************************************
Best of Luck
*******************************************************************