Jan
24
Posted on 24-01-2011
Filed Under (Redhat & Fedora, RPM & Deb Packages, UNIX/Linux) by Ravi Bhure

Introduction –
Fedora’s package management tools — including yum, pup, and pirut  — are all based on the RPM package format and management system. One little-known secret about RPM is that it can be configured to repackage  files from an RPM package during package uninstallation, saving the (possibly modified) files into a new RPM package. The repackaged RPM incorporates any changes that you have made to the configuration files, scripts, and data files that were originally included with the software. This means that it’s possible to rollback the uninstallation of software, which will restore the package to the state it was in before it was removed.

The rollback mechanism can also undo package installations by uninstalling the newly-installed packages, and since a software update is a performed by installing a new package version and then removing the old one, the rollback mechanism can also undo package updates.

Open /etc/yum.conf file and put below two line

#yum rollback select enable
tsflags=repackage

or append it a simple way 🙂

[root@testbed ~]# echo “tsflags=repackage” >> /etc/yum.conf

Now create or edit /etc/rpm/macros and put “%_repackage_all_erasures 1” entry in it.

[root@testbed ~]# echo “%_repackage_all_erasures 1” >> /etc/rpm/macros

[root@testbed ~]# cat /etc/rpm/macros
%_repackage_all_erasures 1

Repackaged files are stored in /var/spool/repackage

[root@testbed ~]# ll -ld /var/spool/repackage
drwxr-xr-x 2 root root 4096 Sep  4  2009 /var/spool/repackage

Now we are test it with python packages, (I have used centos 5.5 for it)

[root@testbed ~]# yum -y install python*

Installed:
python-dmidecode.i386 0:3.10.13-1.el5_5.1           python-docs.noarch 0:2.4.3-1.1                    python-exo.i386 0:0.3.4-1.el5.centos
python-imaging.i386 0:1.1.5-5.el5                   python-imaging-devel.i386 0:1.1.5-5.el5           python-lcms.i386 0:1.18-0.1.beta1.el5_3.2
python-pyblock.i386 0:0.26-4.el5                    python-setuptools.noarch 0:0.6c5-2.el5            python-tools.i386 0:2.4.3-27.el5_5.3

Dependency Installed:
exo.i386 0:0.3.4-1.el5.centos                     libbdevid-python.i386 0:5.1.19.6-61.el5_5.2            libxfce4mcs.i386 0:4.4.2-1.el5.centos
libxfce4util.i386 0:4.4.2-1.el5.centos            libxfcegui4.i386 0:4.4.2-1.el5.centos                  tix.i386 1:8.4.0-11.fc6
tkinter.i386 0:2.4.3-27.el5_5.3

Updated:
python.i386 0:2.4.3-27.el5_5.3                python-devel.i386 0:2.4.3-27.el5_5.3                python-virtinst.noarch 0:0.400.3-9.el5_5.1

Dependency Updated:
mkinitrd.i386 0:5.1.19.6-61.el5_5.2                                             nash.i386 0:5.1.19.6-61.el5_5.2

Complete!
[root@testbed ~]# ls /var/spool/repackage/
mkinitrd-5.1.19.6-61.i386.rpm  python-2.4.3-27.el5.i386.rpm        python-virtinst-0.400.3-9.el5.noarch.rpm
nash-5.1.19.6-61.i386.rpm      python-devel-2.4.3-27.el5.i386.rpm

Yum Roll Back options available:

* rpm -Uhv –rollback ‘9:00 am’
* rpm -Uhv –rollback ‘4 hours ago’
* rpm -Uhv –rollback ‘december 25’

[root@testbed ~]# date
Mon Jan 24 12:10:19 IST 2011

Now we reverting package rollback to a previous state.

[root@testbed ~]# rpm -Uhv –rollback ‘9:00 am’
Rollback packages (+5/-21) to Mon Jan 24 11:58:17 2011 (0x4d3d1c01):
Preparing…                ########################################### [100%]
1:nash                   ########################################### [ 10%]
2:python                 ########################################### [ 20%]
3:mkinitrd               ########################################### [ 30%]
4:python-devel           ########################################### [ 40%]
5:python-virtinst        ########################################### [ 50%]
Cleaning up repackaged packages:
Removing /var/spool/repackage/mkinitrd-5.1.19.6-61.i386.rpm:
Removing /var/spool/repackage/nash-5.1.19.6-61.i386.rpm:
Removing /var/spool/repackage/python-2.4.3-27.el5.i386.rpm:
Removing /var/spool/repackage/python-devel-2.4.3-27.el5.i386.rpm:
Removing /var/spool/repackage/python-virtinst-0.400.3-9.el5.noarch.rpm:

Now you can check your previous versions of python & mkinitrd, nash packages.

[root@testbed ~]# rpm -qa|grep -E ‘python|mkinitrd|nash’

The repackage/rollback approach is far from perfect — for example, data files created and used with a package (but not in files provided as part of the package) are not saved during repackaging, and some RPM scripts assume that packages are only upgraded and never downgraded. Nonetheless, package rollback can be a very useful feature, especially when an update breaks something that used to work.
Repackaging can take a lot of space, so it’s disabled by default, and there is no way to enable it or to perform a rollback from the command line. Here, in a nutshell, are instructions for using this feature:

Ref: http://dailypackage.fedorabook.com/index.php?/archives/17-Wednesday-Why-Repackaging-and-Rollbacks.html

-Ravi

(1) Comment    Read More   
Jan
08
Posted on 08-01-2011

** What is oprofile

In short “oprofile is a system-wide profiler”
need to profile an application and its shared libraries, examine hardware effects such as cache misses and capture the performance behaviour of entire system, then surely you need go with oprofile.

There is to many options and conditions spcefied, where we use only simple and easy one for further details, Please Read Man Pages 😉

Many CPUs provide “performance counters”, hardware registers that can count “events”; for example, cache misses, or CPU cycles. OProfile provides profiles of code based on the number of these occurring events: repeatedly, every time a certain (configurable) number of events has occurred, the PC value is recorded. This information is aggregated into profiles for each binary image.

Some hardware setups do not allow OProfile to use performance counters: in these cases, no events are available, and OProfile operates in timer/RTC mode

** All Docs, Examples and Bugs you will find @ http://oprofile.sourceforge.net

# download tar from http://oprofile.sourceforge.net/download/ or you can install it using yum also

[root@ravi.com ~]# yum install oprofile

Before you can use OProfile, you must set it up. The minimum setup required for this is to tell OProfile where the vmlinux file corresponding to the running kernel is, for example :

[root@ravi.com ~]#  opcontrol –vmlinux=/boot/vmlinux-`uname -r`

If you don’t want to profile the kernel itself, you can tell OProfile you don’t have a vmlinux file :

[root@ravi.com ~]# opcontrol –no-vmlinux

Here we used –no-vmlinux and specified other session directory than default location (/var/lib/oprofile)

[root@ravi.com ~]# opcontrol –no-vmlinux –session-dir=/home/prod/tmpsession

Now we are ready to start the daemon (oprofiled) which collects the profile data :

[root@ravi.com ~]# opcontrol –start –session-dir=/home/prod/tmpsession
Using default event: GLOBAL_POWER_EVENTS:100000:1:1:1
Using 2.6+ OProfile kernel interface.
Using log file /home/prod/tmpsession/samples/oprofiled.log
Daemon started.
Profiler running.

When I want to stop profiling, I can do so with :
(Here I have ran opcontrol only 1 min)
[root@ravi.com ~]# opcontrol –shutdown
Stopping profiling.
Killing daemon.

Lets see what your system & apps tell you 🙂
ophelp : This utility lists the available events and short descriptions.

[root@ravi.com ~]# opreport –session-dir=/home/prod/tmpsession
CPU: P4 / Xeon with 2 hyper-threads, speed 2992.73 MHz (estimated)
Counted GLOBAL_POWER_EVENTS events (time during which processor is not stopped) with a unit mask of 0x01 (mandatory) count 100000
GLOBAL_POWER_E…|
samples|      %|
——————
1109031 51.2560 no-vmlinux
479089 22.1420 libc-2.5.so
207263  9.5791 libperl.so
97973  4.5280 libpython2.4.so.1.0
91993  4.2516 nagios
35979  1.6628 php
35765  1.6529 libz.so.1.2.3
25203  1.1648 ld-2.5.so
21412  0.9896 mysqld
11566  0.5345 libgd.so.2.0.0
10008  0.4625 oprofiled
7661  0.3541 libpthread-2.5.so
6736  0.3113 libnetsnmp.so.10.0.3
5698  0.2633 libpng12.so.0.10.0
4488  0.2074 rateup
3500  0.1618 libcrypto.so.0.9.8e
2138  0.0988 bash
1556  0.0719 libm-2.5.so
1234  0.0570 libmysqlclient.so.15.0.0
606  0.0280 libpcre.so.0.0.1
328  0.0152 mysql.so
316  0.0146 librrd.so.4.1.3
290  0.0134 atop
272  0.0126 sendmail.sendmail
243  0.0112 grep
176  0.0081 nscd
172  0.0079 ping
153  0.0071 nebmodBY0Y2I (deleted)
144  0.0067 libgnutls.so.13.0.6
121  0.0056 init
106  0.0049 gawk

with using symbols you can simply find which apps supporting module takes high load
[root@ravi.com ~]#  opreport –exclude-dependent –symbols –long-filenames –session-dir=/home/prod/tmpsession
CPU: P4 / Xeon with 2 hyper-threads, speed 2992.73 MHz (estimated)
Counted GLOBAL_POWER_EVENTS events (time during which processor is not stopped) with a unit mask of 0x01 (mandatory) count 100000
samples  %        app name                 symbol name
1109031  51.2560  /no-vmlinux              /no-vmlinux
209506    9.6827  /lib64/libc-2.5.so       _int_free
207263    9.5791  /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE/libperl.so /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE/libperl.so
97973     4.5280  /usr/lib64/libpython2.4.so.1.0 /usr/lib64/libpython2.4.so.1.0
91993     4.2516  /usr/local/nagios/bin/nagios /usr/local/nagios/bin/nagios
44574     2.0601  /lib64/libc-2.5.so       free
35765     1.6529  /usr/lib64/libz.so.1.2.3 /usr/lib64/libz.so.1.2.3
35032     1.6191  /lib64/libc-2.5.so       vfprintf
22061     1.0196  /lib64/libc-2.5.so       _IO_vfscanf
21412     0.9896  /usr/libexec/mysqld      /usr/libexec/mysqld
16883     0.7803  /lib64/libc-2.5.so       _int_malloc
13631     0.6300  /lib64/libc-2.5.so       memcpy
13165     0.6084  /lib64/libc-2.5.so       _IO_file_xsputn@@GLIBC_2.2.5
1560      0.0721  /lib64/ld-2.5.so         _dl_relocate_object
1462      0.0676  /usr/bin/php             lstep
1385      0.0640  /usr/bin/php             zend_do_fcall_common_helper_SPEC
1258      0.0581  /lib64/libc-2.5.so       rawmemchr
1234      0.0570  /usr/lib64/mysql/libmysqlclient.so.15.0.0 /usr/lib64/mysql/libmysqlclient.so.15.0.0
1226      0.0567  /lib64/libc-2.5.so       realloc
1180      0.0545  /lib64/libc-2.5.so       __tzfile_compute
1156      0.0534  /lib64/ld-2.5.so         check_match.8509
1146      0.0530  /usr/bin/php             _zend_mm_free_int
1084      0.0501  /usr/bin/php             zend_hash_quick_find
1029      0.0476  /lib64/libc-2.5.so       __mpn_mul_1
747       0.0345  /lib64/libc-2.5.so       fgets
738       0.0341  /usr/bin/php             _zval_ptr_dtor

Ref: http://oprofile.sourceforge.net/doc/index.html

-Ravi

(0) Comments    Read More   
Dec
30
Posted on 30-12-2010
Filed Under (Nagios Monitoring, UNIX/Linux) by Arun Bagul

Introduction –

Nagios log file print the time in epoch time format. To convert that nagios log with normal time/date format you can use the following perl script.

Please download the script from here- http://www.indiangnu.org/wp-content/uploads/2010/nagios-log-pl.txt

* How to use it –

root@me:~# cat /etc/nagios/var/nagios.log | grep -i  NOTIFICATION | /root/nagmon/nagios-log.pl

* Pasting the code here…

root@me:~#  /root/nagmon/nagios-log.pl
#!/usr/bin/perl

# Author - IndianGNU.org
# Read nagios.log file and show log with
# converted date field in human-readable format
# 

$numArgs = $#ARGV + 1;

if ( $ARGV[0] eq "-h")
{
	print " * Usage: cat   like '/usr/local/nagios/var/nagios.log' | $0 \n"; exit 1;
}

sub epochtime
{
  my $epoch_time = shift;
  ($sec,$min,$hour,$day,$month,$year) = localtime($epoch_time);

  # correct the date and month for humans
  $year = 1900 + $year;
  $month++;

  return sprintf("%02d/%02d/%02d %02d:%02d:%02d", $year, $month, $day, $hour, $min, $sec);
}

while (<>)
{
  my $epoch = substr $_, 1, 10;
  my $remainder = substr $_, 13;
  my $human_date = &epochtime($epoch);
  printf("[%s] %s", $human_date, $remainder);
}
exit;

Thanks you,
Arun

(0) Comments    Read More   
Dec
15
Posted on 15-12-2010
Filed Under (Linux commands, Redhat & Fedora, UNIX/Linux) by Ravi Bhure

Introduction –

Here we are going to create 4G swap file using cmd ‘dd’, later we will activate it.
we are named and create ‘/extraswap’ swap file for additional swap

dd command options
if = input file (read from FILE instead of stdin)
of = output file name (write to FILE instead of stdout)
bs = BYTES rate
count = BLOCKS (copy only number of block)

dd if=/dev/zero of=/extraswap bs=1024 count=4096000

***Adding extraswap Swap file

[root@ravi ~]# dd if=/dev/zero of=/extraswap bs=1024 count=4096000
4096000+0 records in
4096000+0 records out
4194304000 bytes (4.2 GB) copied, 162.277 seconds, 25.8 MB/s

Set up a Linux swap area using ‘mkswap’ command

[root@ravi ~]# mkswap /extraswap
Setting up swapspace version 1, size = 4194299 kB

Activate swap using ‘swapon’ command

[root@ravi ~]# swapon /extraswap

[root@ravi ~]# free -m
total       used       free     shared    buffers     cached
Mem:         16053       6148       9905          0        293       5488
-/+ buffers/cache:        367      15686
Swap:         3999          0       3999

Edit /etc/fstab and put below entry into it to swap on automatic after reboot server

/extraswap              none                    swap    defaults        0 0

*** Remove /extraswap file

[root@ravi ~]# swapoff /extraswap

Remove /extraswap swap file entry from /etc/fstab and run ‘mount -a

Delete /extraswap

[root@ravi ~]# rm /extraswap


-Ravi

(1) Comment    Read More   
Oct
20
Posted on 20-10-2010
Filed Under (Apache, Perl & Python, UNIX/Linux) by Arun Bagul

Introduction –

Almost  2 year back (today also!)  I struggled a lot for implementing session and cookie in Perl CGI application.  So thought to share my work with you all. I wanted to do it in my way…

Assumption, your web server ie Apache is enabled to run CGI scripts

CGI directory location – /var/application/www/cgi-bin/
Htdocs location – /var/application/www/
Perl Module direcotry – /var/application/module/

Step 1] Write Auth.pm Perl module –

Please simply copy following Auth.pm perl module for authentication using Session and Cookies…

[root@arun ~]# cat /var/application/module/Auth.pm

package Auth;

### Subroutine to authenticate user
sub  User
{
my ($ref_page) = (@_);
### Session information
my $sid = $ref_page->cookie("APP_SID") || undef;
my $session = CGI::Session->load(undef,$sid);
if ( $session->is_expired ) { print $ref_page->redirect(-location => '../arun.html');}
elsif ( $session->is_empty) { print $ref_page->redirect(-location => '../arun.html');}
else { print $ref_page->header();}
# don't forget to create dir '/var/tmp'
# with proper ownership/permission
#$session = new CGI::Session(undef, $sid, {Directory=>'/var/tmp'});
#################################################
return($session->param('login_user'));
}

1;
[root@arun ~]#

Step 2] authe_me.pl –

authe_me.pl file is used to set cookies and verify username/password. You may use MySQL DB to store username and password.  In this case you have to this file…

[root@arun ~]# cat /var/application/www/cgi-bin/auth_me.pl
#!/usr/bin/perl

sub BEGIN
{
unshift (@INC, '/var/application/module/');
}

use strict;
use warnings;
use CGI qw(:standard);
use CGI::Session;
use Auth; ## our module

### Header
########################
my $page = CGI->new();
##print $page->header();

##########
if ( $ENV{REQUEST_METHOD} eq "POST" )
{
my %form;
my $session_dir="/var/tmp";
 my ($admin_user,$admin_password) = ("admin","arun123");

foreach my $key (param()) { $form{$key} = param($key);}
##
if (($form{username}) && ($form{password}))
{

### Session Details ###
CGI::Session->name("APP_SID");
## Create new session
my $session = new CGI::Session(undef, undef, {Directory=>$session_dir});
 ## Set cookies
my $cookie = $page->cookie(-name=>$session->name(),-value=>$session->id(),-expires=>'+2h',-path=>'/');
## Store data in session variable and save it
$session->param('login_user',$form{username}); # OR
##$session->param(-name=>'login_user',-value=>$form{username});
$session->save_param($page, ["login_user"]);

## Session and Cookie expiration time is SAME.
$session->expire("+2h");
#### Session Details end ####

## if login successful redirect to main.pl else login page
if (($form{username} eq $admin_user) and ($form{password} eq $admin_password))
{ print $page->redirect(-location => 'main.pl',-cookie=>$cookie);}
else { print $page->redirect(-location => '../arun.html'); }
############################
} else { print $page->redirect(-location => '../arun.html'); }
}

[root@arun ~]#

Step 3] Create Login Page –

[root@arun ~]# cat /var/application/www/arun.html
<html>
<title>Arun Login Page</title>

<!-- Form start -->
<table align='center' border='1'>
<form method="POST" action="cgi-bin/auth_me.pl">
<tr>
<td><label>Login</label></td>
<td><input name="username" type="text"></td>
</tr>
<tr>
<td><label>Password</label></td>
<td><input name="password" type="password"><br/></td>
</tr>
<tr>
<td><input value="Submit" type="submit"></td>
</tr>

</form>
</table>

</html>

[root@arun ~]#

Step 4] Create main page where Session and Cookie authentication verified – main.pl

[root@arun ~]# cat /var/application/www/cgi-bin/main.pl
#!/usr/bin/perl

sub BEGIN
{
unshift (@INC, '/var/application/module/');
}

use strict;
use warnings;
use CGI qw(:standard);
use CGI::Session;
use Auth;

### Header
my $page = CGI->new();
## check authentication
my $login_name=Auth::User($page);
###
print $page->start_html( -title=>'Arun Main Page');

print "<h3>This is Main Page</h3></br>";
print "<br>Login Name - $login_name";

#end
[root@arun ~]#

Step 5] Please access login page and try http://your_ipaddr/arun.html

Thank you,
Arun

(2) Comments    Read More   
Aug
18

Introduction –

In this article we will setup SFTP using rssh with chroot ….

A] How to configure rssh + chroot for SFTP

Step 1) Install RSSH Shell ~

* Ubuntu –

root@me:/home/arunb# apt-get install scponly rssh coreutils17

* Redhat/CentOS

[root@arun.me chroot]# yum install  rssh
[root@arun.me chroot]# rpm -qa | grep rssh
rssh-2.3.2-1.2.el5.rf
[root@arun.me chroot]#

Step 2) Your Chroot Setting –

[root@arun.me ~]# cat /etc/rssh.conf
# This is the default rssh config file

logfacility = LOG_USER
###### arun ########
allowsftp
# set the default umask
umask = 022
chrootpath =”/home/chroot”
###### end ########

Step 3) Create user ~

[root@arun.me ~]# mkdir /home/chroot/
[root@arun.me ~]# useradd -d /home/chroot/home/sftp_test -s /usr/bin/rssh sftp_test
[root@arun.me ~]# passwd sftp_test

* Now add following line in “/etc/rssh.conf” file…

user =”sftp_test:022:00010:/home/chroot/sftp_test”

*** [root@arun.me ~]# tail /etc/passwd

sftp_test:x:503:503::/home/chroot/home/sftp_test:/usr/bin/rssh

Step 4) Chroot allow to log via syslogd ~

add following entry in file “/etc/sysconfig/syslog” and restart syslogd

SYSLOGD_OPTIONS=”-m 0 -a /home/chroot/dev/log -a /dev/log”

root@arun.me ~]# /etc/init.d/syslog restart

Step 5) Now setup Chroot ENV –

[root@arun.me ~]# /var/src/arun_rssh_mkchroot.sh /home/chroot/

[root@arun.me ~]# cd /home/chroot/

[root@arun.me chroot]# mknod –mode=600 dev/console c 5 1
[root@arun.me chroot]# mknod –mode=666 dev/null c 1 3

[root@arun.me chroot]# /var/src/arun_shared_lib.sh  usr/libexec/openssh/sftp-server

[root@arun.me chroot]# cp /lib/libnss_files.so.2 lib/libnss_files.so.2
[root@arun.me chroot]# cp /lib64/libnss_files.so.2 lib64/libnss_files.so.2

Step 6) Test now ~

arunb@me:~$ sftp sftp_test@192.168.0.1
Connecting to 192.168.0.1…
sftp_test@192.168.0.1’s password:
sftp> pwd
Remote working directory: /home/sftp_test
sftp> ls
arun manoj mayur ravi
sftp>

sftp> ls /
/dev /etc /home /lib /lib64 /usr
sftp>

Step 7) Process for New user ~

a) [root@arun.me chroot]# useradd -d /home/chroot/home/sftp_tmp -s /usr/bin/rssh sftp_tmp
[root@arun.me chroot]# passwd sftp_tmp

b) Add line in file “/etc/rssh.conf”

user =”sftp_tmp:022:00010:/home/chroot”

c) Copy user entry from /etc/{passwd,group,shadow} files TO CHROOT {passwd,group,shadow} files ~

NOTE ~ be careful…

[root@arun.me chroot]# grep sftp_tmp /etc/passwd >> /home/chroot/etc/passwd
[root@arun.me chroot]# grep sftp_tmp /etc/group >> /home/chroot/etc/group
[root@arun.me chroot]# grep sftp_tmp /etc/shadow >> /home/chroot/etc/shadow

[root@arun.me ~]# cat /home/chroot/etc/{passwd,group,shadow}

sftp_tmp:x:504:504::/home/chroot/home/sftp_tmp:/usr/bin/rssh
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sftp_test:x:503:
sftp_tmp:x:504:
bin:*:14797:0:99999:7:::
daemon:*:14797:0:99999:7:::
sftp_test:$1$Ei5oj.yu$P5FDHHI1POxIIv5562BIm/:14798:0:99999:7:::
sftp_tmp:$1$wZ6Qk3R/$ANRx5MkBA91pjzE/Dr3vK.:14798:0:99999:7:::
[root@arun.me chroot]#

Step 8) Test it now from other linux host

bagul@me:~$ sftp sftp_tmp@192.168.0.1
Connecting to 192.168.0.1…
sftp_tmp@192.168.0.1’s password:
sftp> pwd
Remote working directory: /home/sftp_tmp
sftp>
sftp> ls
sftp> ls
1 2 3 a b c
sftp> pwd
Remote working directory: /home/sftp_tmp
sftp>
sftp>
sftp> ls /
/dev /etc /home /lib /lib64 /usr
sftp> cd /etc
sftp> pwd
Remote working directory: /etc
sftp> ls
group ld.so.cache ld.so.conf localtime nsswitch.conf passwd shadow
sftp>
sftp> get 1
Fetching /home/sftp_tmp/1 to 1
/home/sftp_tmp/1 100% 14 0.0KB/s 00:00
sftp> mkdir arun
sftp> ls
1 2 3 a arun b c
sftp> version
SFTP protocol version 3
sftp> rm c
Removing /home/sftp_tmp/c
sftp>

Step 9) What is required for CHROOT ~

[root@arun.me chroot]# pwd
/home/chroot
[root@arun.me chroot]# ll
drwxr-xr-x 2 root root 4096 Jul 8 07:50 dev
drwxr-xr-x 2 root root 4096 Jul 8 07:50 etc
drwxr-xr-x 4 root root 4096 Jul 8 07:51 home
drwxr-xr-x 2 root root 4096 Jul 8 07:05 lib
drwxr-xr-x 2 root root 4096 Jul 8 07:28 lib64
drwxr-xr-x 5 root root 4096 Jul 8 07:05 usr
[root@arun.me chroot]# ll -ld /home/
drwxr-xr-x 6 root root 4096 Jul 8 08:00 /home/
[root@arun.me chroot]# ll dev/
crw——- 1 root root 5, 1 Jul 8 07:13 console
srw-rw-rw- 1 root root 0 Jul 8 07:50 log
crw-rw-rw- 1 root root 1, 3 Jul 8 07:14 null
[root@arun.me chroot]# ll etc/
-rw-r–r– 1 root root 74 Jul 8 07:55 group
-rw-r–r– 1 root root 81321 Jul 8 07:05 ld.so.cache
-rw-r–r– 1 root root 28 Jul 8 07:05 ld.so.conf
-rw-r–r– 1 root root 3519 Jul 8 07:16 localtime
-rw-r–r– 1 root root 1696 Jul 8 07:16 nsswitch.conf
-rw-r–r– 1 root root 192 Jul 8 07:55 passwd
-r——– 1 root root 180 Jul 8 07:55 shadow
[root@arun.me chroot]# ll lib
-rwxr-xr-x 1 root root 46680 Jul 8 07:28 libnss_files-2.5.so
lrwxrwxrwx 1 root root 19 Jul 8 07:05 libnss_files.so.2 -> libnss_files-2.5.so
[root@arun.me chroot]# ll lib64
-rwxr-xr-x 1 root root 139416 Jul 8 07:10 ld-linux-x86-64.so.2
-rwxr-xr-x 1 root root 10000 Jul 8 07:18 libcom_err.so.2
-rwxr-xr-x 1 root root 1366176 Jul 8 07:18 libcrypto.so.6
-rwxr-xr-x 1 root root 48600 Jul 8 07:18 libcrypt.so.1
-rwxr-xr-x 1 root root 1717800 Jul 8 07:18 libc.so.6
-rwxr-xr-x 1 root root 23360 Jul 8 07:18 libdl.so.2
-rwxr-xr-x 1 root root 9472 Jul 8 07:18 libkeyutils.so.1
-rwxr-xr-x 1 root root 114352 Jul 8 07:18 libnsl.so.1
-rwxr-xr-x 1 root root 53880 Jul 8 07:28 libnss_files.so.2
-rwxr-xr-x 1 root root 145824 Jul 8 07:18 libpthread.so.0
-rwxr-xr-x 1 root root 92736 Jul 8 07:18 libresolv.so.2
-rwxr-xr-x 1 root root 95464 Jul 8 07:18 libselinux.so.1
-rwxr-xr-x 1 root root 247496 Jul 8 07:18 libsepol.so.1
-rwxr-xr-x 1 root root 18152 Jul 8 07:18 libutil.so.1
[root@arun.me chroot]# ll usr/
drwxr-xr-x 2 root root 4096 Jul 8 07:05 bin
drwxr-xr-x 2 root root 4096 Jul 8 07:05 lib64
drwxr-xr-x 3 root root 4096 Jul 8 07:05 libexec
[root@arun.me chroot]# ll usr/bin
-rwxr-xr-x 1 root root 33265 Jul 8 07:05 rssh
-rwxr-xr-x 1 root root 53384 Jul 8 07:05 scp
[root@arun.me chroot]# ll usr/lib64
-rwxr-xr-x 1 root root 190976 Jul 8 07:18 libgssapi_krb5.so.2
-rwxr-xr-x 1 root root 153464 Jul 8 07:18 libk5crypto.so.3
-rwxr-xr-x 1 root root 613896 Jul 8 07:18 libkrb5.so.3
-rwxr-xr-x 1 root root 35728 Jul 8 07:18 libkrb5support.so.0
-rwxr-xr-x 1 root root 229272 Jul 8 07:18 libnspr4.so
-rwxr-xr-x 1 root root 1221496 Jul 8 07:18 libnss3.so
-rwxr-xr-x 1 root root 119696 Jul 8 07:18 libnssutil3.so
-rwxr-xr-x 1 root root 17736 Jul 8 07:18 libplc4.so
-rwxr-xr-x 1 root root 13800 Jul 8 07:18 libplds4.so
-rwxr-xr-x 1 root root 85608 Jul 8 07:18 libz.so.1
[root@arun.me chroot]# ll usr/libexec
drwxr-xr-x 2 root root 4096 Jul 8 07:05 openssh
-rwsr-xr-x 1 root root 69892 Jul 8 07:05 rssh_chroot_helper
[root@arun.me chroot]# ll usr/libexec/openssh
total 56
-rwxr-xr-x 1 root root 53080 Jul 8 07:05 sftp-server
[root@arun.me chroot]#

Thank you,
Arun Bagul

(0) Comments    Read More   
May
14
Posted on 14-05-2010
Filed Under (Redhat & Fedora, UNIX/Linux, Virtualization) by Arun Bagul

Introduction ~

What is Virtualization? ~ virtualization is technique of  running multiple operating system (OS) on same physical hardware at same time.
There are three types of Virtualization technologies

1) Full virtualization –
a) Hardware emulation – KQEMU
b) Binary translation – VirtualBox
c) Classic virtualization – OpenVZ
2) Para-virtualization
3) OS-level virtualization – Linux-VServer and OpenVZ

** Xen is an open-source para-virtualizing virtual machine monitor (VMM), or “hypervisor”,for a variety of processor. Xen can securely execute multiple virtual machines on a single physical system with near native performance.

** Xen Prerequisites –

1) iproute2 package
2) Linux bridge-utils (/sbin/brctl)
3) Linux hotplug system (/sbin/hotplug and related scripts)

Step 1) How to install Xen on Centos ~

[root@arun ~]# yum install xen.i386 xen-devel.i386   xen-libs.i386 libvirt.i386  libvirt-devel.i386  libvirt-python.i386 virt-manager.i386 virt-clone.i386

Step 2) How to install Xen Kernel for Centos ~

[root@arun ~]# yum install kernel-xen.i686  kernel-xen-devel.i686

* Once installation is completed; Please check the CentOS boot loader configuration file ie “/boot/grub/grub.conf”… and make sure that the first boot entry should look like this…

title CentOS (2.6.18-164.15.1.el5xen)
root (hd0,4)
kernel /boot/xen.gz-2.6.18-164.15.1.el5
module /boot/vmlinuz-2.6.18-164.15.1.el5xen ro root=LABEL=/ rhgb quiet
module /boot/initrd-2.6.18-164.15.1.el5xen.img

Step 3) Reboot the system so that system will boot with Xen Kernel….

That’s it Xen infrastructure is installed on CentOS.

[[root@arun ~]# rpm -qa | egrep “xen|virt” | sort
kernel-xen-2.6.18-164.15.1.el5
kernel-xen-devel-2.6.18-164.15.1.el5
libvirt-0.6.3-20.1.el5_4
libvirt-devel-0.6.3-20.1.el5_4
libvirt-python-0.6.3-20.1.el5_4
python-virtinst-0.400.3-5.el5
virt-manager-0.6.1-8.el5
xen-3.0.3-94.el5_4.3
xen-devel-3.0.3-94.el5_4.3
xen-libs-3.0.3-94.el5_4.3
[[root@arun ~]#
Step 4 ) Test Xen setup – make sure that “libvirtd” service is running

Step 5) Install first Guest CentOS –

* Create Disk as file as shown below….

[[root@arun ~]# dd if=/dev/zero  of=/var/xen-disk/centOS.hdd bs=4k seek=2048k count=0
0+0 records in
0+0 records out
0 bytes (0 B) copied, 0.000191 seconds, 0.0 kB/s
[[root@arun ~]#  mke2fs -j /var/xen-disk/centOS.hdd
mke2fs 1.39 (29-May-2006)
/var/xen-disk/centOS.hdd is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
1048576 inodes, 2097152 blocks
104857 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2147483648
64 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 30 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
[[root@arun ~]# mount -o loop /var/xen-disk/centOS.hdd  /mnt/
[[root@arun ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5              55G   12G   41G  22% /
tmpfs                 829M   12K  829M   1% /dev/shm
/dev/sda2              23G   15G  7.8G  65% /mydata
none                  829M  104K  829M   1% /var/lib/xenstored
/var/xen-disk/centOS.hdd
7.9G  147M  7.4G   2% /mnt
[[root@arun ~]#

* We are going to install guestOS from CD/DVD image so we will export this image via FTP so let us
configure ftp server….

* We have copied Centos CD/DVD in “/home/CentOS5.0/” location….

[root@arun ~]# ls /home/CentOS5.0/
CentOS            RELEASE-NOTES-cz.html  RELEASE-NOTES-fr       RELEASE-NOTES-nl.html     repodata
EULA              RELEASE-NOTES-de       RELEASE-NOTES-fr.html  RELEASE-NOTES-pt          RPM-GPG-KEY-beta
GPL               RELEASE-NOTES-de.html  RELEASE-NOTES-it       RELEASE-NOTES-pt_BR       RPM-GPG-KEY-CentOS-5
images            RELEASE-NOTES-en       RELEASE-NOTES-it.html  RELEASE-NOTES-pt_BR.html  TRANS.TBL
isolinux          RELEASE-NOTES-en.html  RELEASE-NOTES-ja       RELEASE-NOTES-pt.html
NOTES             RELEASE-NOTES-es       RELEASE-NOTES-ja.html  RELEASE-NOTES-ru
RELEASE-NOTES-cz  RELEASE-NOTES-es.html  RELEASE-NOTES-nl       RELEASE-NOTES-ru.html
[root@arun ~]#

* I have changed anonymous FTP home from default one to “/home/CentOS5.0/” Please details below….

[root@arun ~]# grep ftp /etc/passwd
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
[root@arun ~]#  vi /etc/passwd
[root@arun ~]# grep ftp /etc/passwd
ftp:x:14:50:FTP User:/home/CentOS5.0:/sbin/nologin
[root@arun ~]#

* Now, restart FTP server and try to access to ftp with IPaddress assigned to bridge “virbr0”. In my case it is “ftp://192.168.122.1”

* Start installation now using “virt-install”

[root@arun ~]# virt-install –name arunOS –os-type=linux –ram=300 –file /var/xen-disk/centOS.hdd –location ftp://192.168.122.1 –nographics –bridge=virbr0

Starting install…

* Welcome to CentOS

+————–+ Manual TCP/IP Configuration +—————+
|                                                            |
| Enter the IPv4 and/or the IPv6 address and prefix          |
| (address / prefix).  For IPv4, the dotted-quad netmask     |
| or the CIDR-style prefix are acceptable. The gateway and   |
| name server fields must be valid IPv4 or IPv6 addresses.   |
|                                                            |
| IPv4 address: 192.168.122.2___ / 255.255.255.0___          |
| Gateway:      192.168.0.1______________________________    |
| Name Server:  _________________________________________    |
|                                                            |
|            +—-+                      +——+            |
|            | OK |                      | Back |            |
|            +—-+                      +——+            |
|                                                            |
|                                                            |
+————————————————————+

<Tab>/<Alt-Tab> between elements  | <Space> selects | <F12> next screen

* Welcome to CentOS

+—————————–+ Warning +——————————+
|                                                                      |
| /dev/xvda currently has a loop partition layout.  To use this disk   |
| for the installation of CentOS, it must be re-initialized, causing   |
| the loss of ALL DATA on this drive.                                  |
|                                                                      |
| Would you like to format this drive?                                 |
|                                                                      |
|         +————–+                  +————–+           |
|         | Ignore drive |                  | Format drive |           |
|         +————–+                  +————–+           |
|                                                                      |
|                                                                      |
+———————————————————————-+

<Tab>/<Alt-Tab> between elements   |  <Space> selects   |  <F12> next screen

* Welcome to CentOS

+————————-+ Partitioning Type +————————-+
|                                                                       |
|    Installation requires partitioning of your hard drive.  The        |
|    default layout is reasonable for most users.  You can either       |
|    choose to use this or create your own.                             |
|                                                                       |
| Remove all partitions on selected drives and create default layout.   |
| Remove linux partitions on selected drives and create default layout. |
| Use free space on selected drives and create default layout.          |
| Create custom layout.                                                 |
|                                                                       |
|       Which drive(s) do you want to use for this installation?        |
|                              [*] xvda ^                               |
|                                       #                               |
|                                                                       |
|                          +—-+   +——+                            |
|                          | OK |   | Back |                            |
|                          +—-+   +——+                            |
|                                                                       |
|                                                                       |
+———————————————————————–+

<Space>,<+>,<-> selection   |   <F2> Add drive   |   <F12> next screen

* Welcome to CentOS

+—————————-+ Partitioning +—————————-+
|                                                                        |
|      Device        Start    End     Size       Type     Mount Point    |
| /dev/xvda                                                            ^ |
|   Free space            1    1045    8192M  Free space               # |
|                                                                      : |
|                                                                      : |
|                                                                      : |
|                                                                      : |
|                                                                      : |
|                                                                      : |
|                                                                      : |
|                                                                      v |
|                                                                        |
|    +—–+   +——+   +——–+   +——+   +—-+   +——+      |
|    | New |   | Edit |   | Delete |   | RAID |   | OK |   | Back |      |
|    +—–+   +——+   +——–+   +——+   +—-+   +——+      |
|                                                                        |
|                                                                        |
+————————————————————————+

F1-Help     F2-New      F3-Edit   F4-Delete    F5-Reset    F12-OK

* Welcome to CentOS

+—————————-+ Partitioning +—————————-+
|                                                                        |
|      Device        Start    End     Size       Type     Mount Point    |
| /dev/xvda                                                            ^ |
|   xvda1                 1     829    6502M  ext3        /            # |
|   xvda2               830     893     502M  swap                     : |
|   Free space          894    1044    1184M  Free space               : |
|                                                                      : |
|                                                                      : |
|                                                                      : |
|                                                                      : |
|                                                                      : |
|                                                                      v |
|                                                                        |
|    +—–+   +——+   +——–+   +——+   +—-+   +——+      |
|    | New |   | Edit |   | Delete |   | RAID |   | OK |   | Back |      |
|    +—–+   +——+   +——–+   +——+   +—-+   +——+      |
|                                                                        |
|                                                                        |
+————————————————————————+

F1-Help     F2-New      F3-Edit   F4-Delete    F5-Reset    F12-OK


* Same way configure TZ,root password,packages,boot loader options etc…

* Welcome to CentOS

+———————+ Formatting +———————-+
|                                                         |
| Formatting / file system…                             |
|                                                         |
|                           70%                           |
|                                                         |
+———————————————————+

<Tab>/<Alt-Tab> between elements   |  <Space> selects   |  <F12> next screen

That’s it!

Thank you,
Arun Bagul

(0) Comments    Read More   
Apr
19
Posted on 19-04-2010

Introduction ~ GRUB is perfect boot loader for Linux/Unix system! GRUB-2 supports several features that are important for every system admin.

* Platform support – GRUB 2 is intended to work across a wider range of architectures.
* Partition tables – GRUB-2 supports MBR partitioning scheme and GUID Partition Table (GPT).
* RAID and LVM – Now GRUB is supports both redundant array of independent disks (RAID) and Logical Volume Manager (LVM).
* File system support – GRUB 2 supports some additional non-Linux file systems, such as Apple’s Hierarchical File System Plus, NTFS  and  ZFS file systems…

* Configuring GRUB 2 –

GRUB 2 configuration file is different from legacy GRUB….

The default location for the GRUB 2 configuration file is /boot/grub/grub.cfg

* Sample GRUB 2 configuration file

root@me:~# cat /boot/grub/grub.cfg

set timeout=10
set default=0

menuentry “Ubuntu, Linux 2.6.31-20-generic” {
set quiet=1
insmod ext2
set root=(hd0,6)
search –no-floppy –fs-uuid –set 7699852c-2a04-4da2-82e8-a69969f16bf2
linux /boot/vmlinuz-2.6.31-20-generic root=UUID=7699852c-2a04-4da2-82e8-a69969f16bf2 ro quiet splash
initrd /boot/initrd.img-2.6.31-20-generic
}

Thanks,
Arun Bagul

(0) Comments    Read More   
Feb
25

*** Introduction –

All you know about the haproxy, that its the one of the good opensource load balancing software and to check the fun stats of haproxy here we using ‘socat’ – Multipurpose relay (SOcket CAT)


* What is socat?

Socat  is  a  command  line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address  types),  and  because  lots  of address options may be applied to the streams, socat can be used for many different purposes. (see more info at ‘man socat’ 🙂 or at http://www.dest-unreach.org/socat/)
* How to use ‘socat’ with haproxy stat

Step 1) Download ‘socat’ from http://www.dest-unreach.org/socat/download/  latest version ~ “socat-2.0.0-b3.tar.gz”

ravi@arun:~$ wget http://www.dest-unreach.org/socat/download/socat-1.7.1.2.tar.gz

ravi@arun:~$ tar xvzf socat-1.7.1.2.tar.gz

ravi@arun:~$ cd socat-1.7.1.2

NOTE ~ No need to install the ‘fipsld’ package if you got the below msg after running the ‘make’ just following steps for

compiling socat….

FIPSLD_CC=gcc fipsld -O -D_GNU_SOURCE -Wall -Wno-parentheses  -DHAVE_CONFIG_H -I.  -I.   -c -o socat.o socat.c
/bin/sh: fipsld: command not found
make: *** [socat.o] Error 127

ravi@arun:~$ ./configure –disable-fips
ravi@arun:~$ make

To install it login as root
ravi@arun:~$ su –

ravi@arun:~# make install

Step 2) Now you need to add stats socket PATH in Haproxy configuration and restart haproxy as per shown in following example,

where I have added it under in ‘global’ setting –

ravi@arun:~# more /etc/haproxy/myhaproxy.cfg

#———–Start of haproxy Config file————–
global
log 127.0.0.1   local0
log 127.0.0.1   local1 notice
#log loghost    local0 info
maxconn 25000
#debug
#quiet
user ravi
group ravi
stats socket    /tmp/haproxy
defaults
option          contstats
timeout         connect 5s
timeout         client 25s
timeout         server 25s
maxconn         100

listen ravitestbed      0.0.0.0:80 ##ravi.com IP
mode            tcp
balance         roundrobin
server          web1 192.168.19.117
server          web2 192.168.19.122

listen stats
bind            0.0.0.0:8081
mode            http
#stats          uri /stat  #Comment this if you need to specify diff stat path for viewing stat page
stats enable
stats auth admin:admin ##Auth user pass

#———–End of haproxy Config file————–

Step 3) Used /tmp/haproxy. Now you can send the commands to get stats from HAProxy –

Now time to use socat

ravi@arun:~# echo “”  | socat unix-connect:/tmp/haproxy stdio
Unknown command. Please enter one of the following commands only :
show info   : report information about the running process
show stat   : report counters for each proxy and server
show errors : report last request and response errors for each proxy
show sess   : report the list of current sessions

This will dump (possibly huge) info about all know sessions.

ravi@arun:~$ echo “show sess” | socat unix-connect:/tmp/haproxy stdio
0x9ee3520: proto=tcpv4 src=192.168.19.117:4721 fe=ravitestbed be=ravitestbed srv=arun as=0 ts=08 age=4s calls=3
rq[f=009202h,l=0,an=00h,rx=20s,wx=,ax=] rp[f=009202h,l=0,an=00h,rx=20s,wx=,ax=] s0=[7,8h,fd=1,ex=] s1=[7,8h,fd=2,ex=] exp=20s
0x9eeb8e8: proto=tcpv4 src=192.168.19.117:4723 fe=ravitestbed be=ravitestbed srv=arun as=0 ts=08 age=4s calls=3
rq[f=009000h,l=0,an=00h,rx=20s,wx=,ax=] rp[f=009202h,l=0,an=00h,rx=20s,wx=,ax=] s0=[7,8h,fd=8,ex=] s1=[7,8h,fd=9,ex=] exp=20s
0x9ef3d08: proto=tcpv4 src=192.168.19.117:4725 fe=ravitestbed be=ravitestbed srv=arun as=0 ts=08 age=4s calls=3
rq[f=009000h,l=0,an=00h,rx=20s,wx=,ax=] rp[f=009202h,l=0,an=00h,rx=20s,wx=,ax=] s0=[7,8h,fd=12,ex=] s1=[7,8h,fd=13,ex=]
exp=20s
0x9f04548: proto=unix_stream as=2 ts=09 age=0s calls=2 rq[f=00e042h,l=10,an=20h,rx=10s,wx=,ax=]

rp[f=048060h,l=716,an=00h,rx=,wx=10s,ax=] s0=[7,0h,fd=3,ex=] s1=[0,0h,fd=-1,ex=] exp=9s

This will give you information about the running HAProxy process such as pid, uptime and etc.

ravi@arun:~$ echo “show info” | socat unix-connect:/tmp/haproxy stdio
Name: HAProxy
Version: 1.3.23
Release_date: 2010/01/28
Nbproc: 1
Process_num: 1
Pid: 11829
Uptime: 0d 0h42m53s
Uptime_sec: 2573
Memmax_MB: 0
Ulimit-n: 50013
Maxsock: 50013
Maxconn: 25000
Maxpipes: 0
CurrConns: 1
PipesUsed: 0
PipesFree: 0
Tasks: 1
Run_queue: 1
node: ravi.world
description:

This will give you stats on all of your backends and frontends, some of the same stuff you see on the stats page enabled by the stats uri configuration. As an added bonus it’s all in CSV.

ravi@arun:~$ echo “show stat” | socat unix-connect:/tmp/haproxy stdio
#
pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,ch
kdown,lastchg,downtime,qlimit,pid,iid,sid,throttle,lbtot,tracked,type,rate,rate_lim,rate_max,
ravitestbed,FRONTEND,,,0,5,100,30,32582,50616,0,0,0,,,,,OPEN,,,,,,,,,1,1,0,,,,0,0,0,5,
ravitestbed,trupti,0,0,0,2,,15,7020,22722,,0,,0,0,0,0,no check,1,1,0,,,,,,1,1,1,,15,,2,0,,2,
ravitestbed,arun,0,0,0,5,,15,25562,27894,,0,,0,0,0,0,no check,1,1,0,,,,,,1,1,2,,15,,2,0,,3,
ravitestbed,BACKEND,0,0,0,5,100,30,32582,50616,0,0,,0,0,0,0,UP,2,2,0,,0,2710,0,,1,1,0,,30,,1,0,,5,
stats,FRONTEND,,,0,1,100,21,9605,152357,0,0,0,,,,,OPEN,,,,,,,,,1,2,0,,,,0,0,0,9,
stats,BACKEND,0,0,0,1,100,5,9605,152357,0,0,,5,0,0,0,UP,0,0,0,,0,2710,0,,1,2,0,,0,,1,0,,4,

show errors will give you a capture of last error on each backend/frontend.

ravi@arun:~$ echo “show errors” | socat unix-connect:/tmp/haproxy stdio

Reffer:
http://www.dest-unreach.org/socat/
http://haproxy.1wt.eu/download/1.3/doc/configuration.txt

Thanks to Joe (http://www.joeandmotorboat.com)

Thank you,
Ravi

(0) Comments    Read More   
Feb
22
Posted on 22-02-2010
Filed Under (Linux Networking, Security, UNIX/Linux) by Manoj Chauhan

Introduction:-

Access control to services compiled with TCP wrappers support is implemented by the /etc/hosts.allow and /etc/hosts.deny files. When a connection attempt is made, the hosts.allow file is checked. If a line is matched, the connection is allowed. Then the hosts.deny file is consulted, if a line is matched, the connection is denied. If no matches have occurred in either file, the connection is allowed.

Create Authorized Use Only Banners

If configured as described below, TCP wrappers will display a warning banner to any user attempting to connect to a service it monitors. The following set of commands generate the directory /etc/banners, and the files therein contain warning banner text for each service. In this example, the banner text is “Use of this system is restricted to authorized users.” Note that exact wording of a warning banner is site specific; however, it should at least emphasize that the use of the system is restricted to authorized persons and that consent to monitor activities is implied by logging in to the system.

[root@localhost]# /bin/mkdir -p /etc/banners
[root@localhost]# /bin/echo “Use of this system is restricted to authorized users” > /etc/banners/
prototype
[root@localhost]# cd /etc/banners ; /usr/bin/make -f /usr/share/doc/tcp_wrappers-7.6/Banners.Makefile

Deny Everything Except What is Explicitly Allowed

In order to implement the security best practice stance of deny everything except what is explicitly allowed, issue the following command.
[root@localhost]# echo ‘ALL: ALL: spawn (/bin/echo -e ‘/bin/date'”\n%c attempted connection to %s
and was denied” \
> | /bin/mail -s “Connection attempt to %s” root) &’ > /etc/hosts.deny

Any connection attempt not listed in the hosts.allow file will be denied, a message will be logged to the syslog auth facility, and an email will be sent to root.
Allow Access to Those Who Require It

Edit the hosts.allow file and add a line for each service to which access should be allowed. A few examples are shown below (See the man pages for hosts.allow for more detail).

ALL: LOCAL : banners /etc/banners            # All services from local clients (hostnames with no “.”)
sshd: 10.1.1.0/255.255.254.0 : banners /etc/banners # SSH connections from host IP addresses  between 10.1.1.0 and 10.1.2.0

Thanks
Manoj Chauhan

(0) Comments    Read More   

www.flickr.com
arunbagul's photos More of arunbagul's photos
Get Adobe Flash player
-->