venkat scribblings

What is NAT ??

2008-04-26T07:50:00.000-07:00

NAT is nothing but the network address translation. It is an IETF standard. What NAT will do?
Nat enables the LAN- local area network to use the two set of IP address, one is for internal traffic and another is for external traffic. All the address translation are taking place in the LAN interface with the Internet. It will keep track on each session.

What is GNU?

2007-12-31T22:19:00.000-08:00

The GNU Project was launched in 1984 to develop a complete Unix-like operating system.

GNU's kernel wasn't finished, so GNU is used with the kernel Linux. The combination of GNU and Linux is the GNU/Linux operating system, now used by millions. (Sometimes this combination is incorrectly called Linux.)

There are many distributions of GNU/Linux. The GNU/Linux distributions that are 100% free software; in other words, entirely freedom-respecting.

The name “GNU” is a recursive acronym for “GNU's Not Unix”; it is pronounced g-noo, as one syllable with no vowel sound between the g and the n.

Secure the Apache HTTP server

2007-12-31T21:41:00.001-08:00

The Apache HTTP Server is one of the most stable and secure services that ships with Red Hat Enterprise Linux. There are an overwhelming number of options and techniques available to secure the Apache HTTP Server.

FollowSymLinks

This directive is enabled by default, so be careful when creating symbolic links to the document root of the Web server. For instance, it is a bad idea to provide a symbolic link to /.

The Indexes Directive

This directive is enabled by default, but may not be desirable. To prevent visitors from browsing files on the server, remove this directive.

The UserDir Directive

The UserDir directive is disabled by default because it can confirm the presence of a user account on the system. To enable user directory browsing on the server, use the following directives:

UserDir enabled
UserDir disabled root

These directives activate user directory browsing for all user directories other than /root/. To add users to the list of disabled accounts, add a space delimited list of users on the UserDir disabled line.

Do Not Remove the IncludesNoExec Directive

By default, the server-side includes module cannot execute commands. It is ill advised to change this setting unless absolutely necessary, as it could potentially enable an attacker to execute commands on the system.

Restrict Permissions for Executable Directories

Be certain to only assign write permissions to the root user for any directory containing scripts or CGIs. This can be accomplished by typing the following commands:

chown root chmod 755

Also, always verify that any scripts running on the system work as intended before putting them into production.

Changing extensions and files to lowecase!!

2007-12-25T00:20:00.000-08:00

change extensions from .abc to .123, use one of the following:

for i in *.abc; do mv $i `echo $i|sed 's/.abc$/.123$/'`; done # ©2007 dsplabs.com.au
for i in *; do mv $i `basename $i .abc`.123; done # ©2007 dsplabs.com.au

The following bash one-liners convert filenames to lowercase:

for f in `find *`; do mv "$f" "`echo "$f" | tr A-Z a-z`"; done # ©2007 dsplabs.com.au
for f in `find . -type f -name "*[A-Z]*"`; do mv "$f" "`echo "$f" | tr A-Z a-z`"; done # ©2007 dsplabs.com.au

tar — how to create and extract tar.gz and tar.bz2 archives

2007-12-25T00:18:00.000-08:00

Creating archives

To create a tar archive the c switch is used. To further encode it using gzip compression the j option is also added, or for bzip2 compression the j switch is included. Note that tar program pipes its output into gzip and bzip2 tools in order to create the tar.gz and tar.bz2 archives, respectively. OK, to compress a directory called dir into dir.tar, dir.tar.gz and dir.tar.bz2 archives, the following commands are used, respectively.

tar cf dir.tar dir/  # ©2007 linux.dsplabs.com.au
tar czf dir.tar.gz dir/  # ©2007 linux.dsplabs.com.au
tar cjf dir.tar.bz2 dir/



Extracting archives

Extracting archives is also very simple. Instead of the c switch the x is used and the archive name is given as the only other parameter. The commands for archive extraction shown below correspond to the archive creation commands given earlier.

tar xf dir.tar
tar xzf dir.tar.gz
tar xjf dir.tar.bz2

The verbose mode

The v switch can be used to enable the verbose mode. This can be useful if you would like to see a list of files being compressed or extracted. For example, lets extract the dir.tar.gz archive, with verbose mode enabled, using the following command.

tar xvzf dir.tar.gz

The above command produces a list of inflated files as shown in the following output.

dir/
dir/NVIDIA_DRIVER_README.txt
dir/NVIDIA_LICENSE.txt
dir/readme.txt

cat /etc/*-release — finding out Linux release version

2007-12-25T00:15:00.000-08:00

cat /etc/*-release — finding out Linux release version">

If you have a lot of different Linux distributions installed on many different machines it is easy to forget what distribution version runs on which PC. Well worry not! It is easy enough to findout. On Novell’s Open SuSE Linux, the distribution release information is contained in the /etc/SuSE-release file. Simply cat it to see its content in your terminal.

cat /etc/SuSE-release  # ©2007 dsplabs.com.au

The above command produced the following output on one of our Linux boxes.

SUSE LINUX 10.0 (X86-64) OSS
VERSION = 10.0

The following command is used to findout the release version on RedHat’s Fedora Linux.

cat /etc/redhat-release  # ©2007 dsplabs.com.au

The output will look something like this

Fedora Core release 6 (Zod)

or like this

Fedora release 8 (Werewolf)

depending on what version of Fedora you are running. Thus, the naming convention used should be quite clear by now. If you do not even know what type of the distribution is installed, simply run the following command.

cat /etc/*-release  # ©2007 dsplabs.com.au

On our Ubuntu Linux box the output is as follows.

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=7.10
DISTRIB_CODENAME=gutsy
DISTRIB_DESCRIPTION="Ubuntu 7.10"

If you really want to know in which file the above information is contained in, then simply run the following find command from shell.

find /etc -iname "*release*"  # ©2007 dsplabs.com.au

For an Ubuntu distribution, the above command produces the following output.

/etc/lsb-release

cat of this file produces same output as above.

Linux and Unix useful command list, mini version, ping, netstat, ifconfig iptables

2007-12-22T22:23:00.001-08:00

Unix/Linux useful commands,

For troubleshooting a Linux system you might,
want to try one of the following Linux commands.
These commands and flags might not be viable on everyones system.

# lspci list all your pci devices
# dhclient eth0 renew your dhcp release
# ifconfig wlan0 check your wireless network configuration
# netstat -arn show your network route information
# netstat -ap 2 | grep EST show established connections, updates every 2 sec
# netstat -Cr print routing information from routing cache
# iptables -nL show your current iptables configuration in numeric form
# ping ping 127.0.0.1 or network ip address for ICMP replies
# ping -c ping X times.
# ping6 ping ipv6 addresses
# dmesg print or control the kernel ring buffer, bootup messages
# dmesg | grep eth0 if you missed the bootup sequence, and need to check eth0
# nmap -vvv localhost scan yourself for open ports, vvv = extra verbose
# ssh secure shell, encrypted remote login program, client
# ssh -l user host ssh as user to host, ssh -l donald server1.sshexample.com
# uptime check your linux servers uptime and load

Unix Linux Install Command List

2007-12-22T22:19:00.000-08:00

This mini guide is ment to be of some help for rookies on Linux/Unix started on
installing applications and software on Unix/Linux systems.

Install Howto, commands, mini guide.

Unix Systems/Dialects

Solaris/SunOS Examples: As user root. ( # sign = root, $ sign = user )

# pkgadd -d gcc-2.95.2-sol7-sparc-local (Installs solaris package)
# pkginfo -l (Verify installation)
# pkgrm (Remove package, you will have to answer yes/no)
# patchadd /var/spool/patch/104945-02

Linux Systems/Dialects

Red Hat, Examples: As user root. (# symbolizes user root)

# rpm -ivh kernel-2.6.9-5.EL.rpm (Install command)
# rpm -q kernel-2.6.9-5.EL.rpm (Query/Verify)
# rpm -e kernel-2.6.9-5.EL.rpm (Remove/Delete)

Debian, Examples: As user root.

# apt-get install xchat
# apt-get remove gnome-panel
# apt-get update (update to the latest package info)
# apt-get -u upgrade

# apt-get -u dist-upgrade (upgrade to a new release)

SuSE

Same as Red Hat.

GCC Gnu Cross Compiler

When downloading the source code in a tarball format, you will
usually need to decompress the files. This is done with tar, bunzip,
gunzip, or unzip, depending on how the file is packed.

Enhancing security on Linux and Unix systems.

2007-12-22T21:58:00.000-08:00

Here are some applications and tools that can help you harden and tighten the security on your Linux or Unix box. Examples will follow for each application, tool or module in separate blog posts.

bastille System hardening. OS lock down program. Configures daemons, system settings and firewalls to be more secure.

tcpwrapper Add some security to your system with tcwrapper. /etc/hosts.allow and /etc/hosts.deny
samhain File integrity checks on the fly!
tripwire File integrity checks and much more.

SELinux Security-Enhanced Linux. Implements mandatory access control using Linux Security Modules in the Linux kernel. NSA started the development, and the project was later released to the open source community for further development.

Apparmor (Novell, SuSE). Discretionary access control (DAC) model by providing mandatory access control. (MAC)

iptables/netfilter

Packet filter for IPv4 and NAT. Packet filter rules in in the kernel.
The iptables command is for administration of the packet filtering rules and NAT. (Network Address Translation).

Andutteye
Monitor your systems in a most excellent way.

These are just a few of the security tools and programs out there, but if you master these, you will most definitely have a more secure system or server.

Three Linux Modules Commands

2007-12-22T21:14:00.000-08:00

lsmod - program to show the status of modules in the Linux Kernel
rmmod - simple program to remove a module from the Linux Kernel
modprobe - program to add and remove modules from the Linux Kernel
See /etc/modprobe.conf

Playing mp3 files on a Linux system

2007-12-22T20:43:00.000-08:00

Due to patent issues, many of the Linux distributions does not support mp3 files out of the box.
This is old news, but if you want to support for playing mp3 files, you can simply download xmms-mp3 for the xmms player, or use the excellent mplayer (movie player) from http://www3.mplayerhq.hu. The mplayer is movie player but it can use several kinds of codecs, and is usable from the command line for playing mp3 fles etc.

Make sure you download the Windows Codec Binaries and add them to your /usr/lib/codecs or what ever directory that fits your Linux system. You will need to be root user if you choose the /usr directory.

mp3 support to xmms for Fedora or Red Hat.
# yum install xmms-mp3

Command line syntax for playing mp3 files with xmms or mplayer

$ xmms file.mp3
$ mplayer file.mp3

Bash Shell Shortcuts

2007-12-22T20:29:00.001-08:00

Bash, which is the default shell in Linux contains a whole lot of key bindings which makes it really easy to use . The most commonly used shortcuts are listed below :

____________CTRL Key Bound_____________
Ctrl + a - Jump to the start of the line
Ctrl + b - Move back a char
Ctrl + c - Terminate the command
Ctrl + d - Delete from under the cursor
Ctrl + e - Jump to the end of the line
Ctrl + f - Move forward a char
Ctrl + k - Delete to EOL
Ctrl + l - Clear the screen
Ctrl + r - Search the history backwards
Ctrl + R - Search the history backwards with multi occurrence
Ctrl + u - Delete backward from cursor
Ctrl + xx - Move between EOL and current cursor position
Ctrl + x @ - Show possible hostname completions
Ctrl + z - Suspend/ Stop the command
____________ALT Key Bound___________
Alt + < - Move to the first line in the history
Alt + > - Move to the last line in the history
Alt + ? - Show current completion list
Alt + * - Insert all possible completions
Alt + / - Attempt to complete filename
Alt + . - Yank last argument to previous command
Alt + b - Move backward
Alt + c - Capitalize the word
Alt + d - Delete word
Alt + f - Move forward
Alt + l - Make word lowercase
Alt + n - Search the history forwards non-incremental
Alt + p - Search the history backwards non-incremental
Alt + r - Recall command
Alt + t - Move words around
Alt + u - Make word uppercase
Alt + back-space - Delete backward from cursor

----------------More Special Keybindings-------------------

Here "2T" means Press TAB twice

$ 2T - All available commands(common)
$ (string)2T - All available commands starting with (string)
$ /2T - Entire directory structure including Hidden one
$ 2T - Only Sub Dirs inside including Hidden one
$ *2T - Only Sub Dirs inside without Hidden one
$ ~2T - All Present Users on system from "/etc/passwd"
$ $2T - All Sys variables
$ @2T - Entries from "/etc/hosts"
$ =2T - Output like ls or dir

RHCE Study Guide for RHEL5

2007-12-22T20:17:00.000-08:00

RHCE Study Guide for RHEL5

I hope people find it useful. Please feel free to comment below. I want to make sure the information is complete and accurate.

Here is the complete guide:

PDF format:
----------------

http://www.systemnotes.org/download/RHCE_Notes_RHEL5.pdf -- pdf, 104k

HTML format (single page):
----------------------------------

-------------------------------------------------------------------------------
---- Systemnotes.org RHCE Study Guide for RHEL 5 ----

-- by scottm, v1.0 2007/12/02 --
-------------------------------------------------------------------------------

It is very important to study the official objectives for any exam, as that is the only way to know what to expect. This is not meant to replace official training courses and manuals, but is meant to help students quickly review, so they can determine where to focus their efforts and study in more detail.

-------------------------------------------------------------------------------

This guide is based on the official redhat objectives for the RHEL5 exam. see:
https://www.redhat.com/certification/rhce/prep_guide/

This guide is freely available from systemnotesorg.blogspot.com at this permalink:
http://systemnotesorg.blogspot.com/2007/12/rhce-study-guide-for-rhel5.html

For more detailed study info on each objective see:
http://systemnotesorg.blogspot.com/search/label/RHCE
-------------------------------------------------------------------------------

This guide was prepared by looking at each objective, and asking the questions:
-- What could they ask in order to test for knowledge of this objective?, or
-- What kind of troubleshooting might be required?
-- How can this requirement be met?

Q: is used to denote possible questions, and
A: for possible answers.

Note that there may be more than one answer based on what the objective is, or depending which method is preferred to meet the objective. Some items and ideas were taken from labs in the RHCE course book, and great care was taken to not give away any hints about what might be on the exam, other than what the labs and official objectives lead one to infer.

-------------------------------------------------------------------------------

RHCT skills

Troubleshooting and System Maintenance

RHCTs should be able to:

1) boot systems into different run levels for troubleshooting and system maintenance

boot single to set root password, or fix mounting, or init problem

Q: Machine won't boot

A: modify /boot/grub/grub.conf

root (hd0,0)

A: Check files

/etc/rc.local

/etc/inittab

A: Fix initrd

mkinitrd initrd-`uname -r`.img `uname -r`

Q: root password not known

A: 1) boot single (at grub screen, "a", "space", "1", enter),

2) passwd root

Items to study: grub, initrd,vmlinuz, inittab, rc.sysinit...

2) diagnose and correct misconfigured networking

system-config-network, or

vi /etc/sysconfig/network-scripts/ifcfg-eth0

check IPADDR, NETMASK, GATEWAY

ONBOOT=yes

PEERDNS=no

vi /etc/sysconfig/network

3) diagnose and correct hostname resolution problems

/etc/resolv.conf

/etc/hosts

4) configure the X Window System and a desktop environment

Remember X troubleshooting should be done from the command prompt, and

not within X.

Files:

/etc/X11/xinit/xinitrc.d

/etc/X11/xorg.conf

Q: Boot to X

A: Set runlevel 5 in /etc/inittab

vi /etc/inittab

change

id:3:initdefault:

id:5:initdefault:

Q: X won't load

A: Check config files

A: system-config-display --reconfig

A: /tmp or /home is full

5) add new partitions, filesystems, and swap to existing systems

This one is a little hard to explain. It just takes some practice to understand.

Tools available:

fdisk /dev/hda

t / fd (raid)

partprobe

mdadm -C /dev/md0 -l 5 -n 3 /dev/hda6 /dev/hda7 /dev/hda8

mke2fs -j /dev/md0

Q: mount something, such as: /dev/hda7 on /data

A: make directory, mount, modify /etc/fstab

1) mkdir /data

2) mount -t ext3 /dev/hda7 /data

3) vi /etc/fstab

/data /data ext3 defaults 1 2

view or change label:

e2label /dev/hda2

e2label /dev/vg0/data0 /data

6) use standard command-line tools to analyze problems and configure system

ls, cp, mv, rm, tail, cat, etc

system-config-

Installation and Configuration

RHCTs must be able to:

1) perform network OS installation

Enter the nfs, or ftp server address and path

2) implement a custom partitioning scheme

Probably easiest during GUI install

3) configure printing

probably the easiest thing to do is use:

system-config-printer

/etc/cups/cupsd.conf

lpadmin

lpstat, lpq

reject disable

accept /usr/bin/enable

4) configure the scheduling of tasks using cron and at

Understand how cron fields work:

min hr month_day month weekday

copy script to /etc/cron.daily, /etc.cron.monthly, etc. or

Modify /etc/crontab: crontab -e

List cron jobs: crontab -l

Add an at job: at [-f file] TIME

View at queue: atq

Remove at jog: atrm job

5) attach system to a network directory service, such as NIS or LDAP

1) Install ypbind, portmap

2) system-config-authentication

check: Enable NIS Support, or Enable LDAP Support

click: Configure NIS..., or Configure LDAP...

3) configure firewall, if required

iptables -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 835:837 -j ACCEPT

service iptables save

test:

ypwhich

nisdomainname -y

genent services

getent passwd smith

rpcinfo -p

files:

/etc/yp.conf

/etc/sysconfig/network

/etc/pam.d/system-auth

/etc/nsswitch.conf

6) configure autofs

/etc/auto.master

/home/guests /etc/auto.guests --timeout=60

/etc/auto.guests

* -rw,soft,intr server1:/home/guests/&

service autofs restart

chkconfig portmap on

chkconfig autofs on

7) add and manage users, groups, quotas, and File Access Control Lists

Q: Create group, add users, set primary group

A: Use groupadd, useradd, usermod

groupadd -g 1000 groupname

useradd username

usermod -G groupname username

(-G for primary group)

quotas

Q: Setup a 70kb hard block user quota for user tim on /home/tim:

A: Use a Hard Block user quota (or Soft depending on question).

1) modify /etc/fstab

change defaults to usrquota for /home

2) mount -o remount /home

3) quotacheck -cuf /home

4) quotaon /home

5) setquota -u tim 0 60 0 0 /home

5a) edquota tim

Disk quotas for user tim (uid 502):

Filesystem blocks soft hard inodes soft hard

/dev/hda5 16 0 0 8 0 0

6) repquota /home

quota tim

7) test

a) quota tim

b) su - tim

c) dd if=/dev/zero of=/home/tim/somefile bs=1024 count=70

d) ls -l

file should be less than 70 kilobytes

Quota Command to remember:

quotacheck -cuf /home

quotaon /home

edquota tim

quota tim

repquota /home

*** Lab: Set a user soft block quota of 1MB for user diskhog on /blackhole,

(or hard block, hard / soft inode). Know when to use each type of quota ***

Enable quotas:

quotacheck -cuf /blackhole

quotaon /blackhole

Set Quota:

block inode

h s h s

setquota -u diskhog 0 1024 0 0 /blackhole

edquota -u diskhog

Report on Quota for user or directory:

quota -u diskhog

repquota /blackhole

Password

defaults:

/etc/login.defs

chage [options] username

password files:

/etc/passwd

/etc/shadow

/etc/group

8) configure filesystem permissions for collaboration

Q: Make user alex a member of sales with write permissions to /depts/sales

Q: Make user sales, hr, and web groups in /depts/

mkdir -p /depts/{sales,hr,web}

for GROUP in sales hr web;do chgrp $GROUP /depts/$GROUP;done

chmod 770 /depts/*

chmod g+s /depts/*

Test permissions as alex:

su - alex

9) install and update packages using rpm

You may have to mount a directory over nfs, or install directly from http://

rpm -Uvh filenamex.i386.rpm

rpm --import /usr/share/rhn/RPM-GPG-KEY

rpm -K /tmp/rpmversion.i386.rpm

10) properly update the kernel package

Just remember to use rpm -i, so the old kernel will still be there.

1) mkdir /server1

2) mount server1:/var/ftp/pub /server1

3) cd /server1/Redhat/RPMS

4) rpm -ivh kernel-*

5) vi /boot/grub/grub.conf

default=0

11) configure the system to update/install packages from remote repositories using yum or pup

/etc/yum.conf

12) modify the system bootloader

/boot/grub/grub.conf

13) implement software RAID at install-time and run-time

fdisk /dev/hda

fd (raid)

partprobe

mdadm -C /dev/md0 -l 5 -n 3 /dev/hda6 /dev/hda7 /dev/hda8

mke2fs -j /dev/md0

mount

/etc/fstab

mdadm --detail /dev/md0

recover

mdadm /dev/md0 -a /dev/sda1

14) use /proc/sys and sysctl to modify and set kernel run-time parameters

Q: turn on ip forwardarding

A: 1) vi /etc/sysctl.conf

net.ipv4.ip_forward=1

2) sysctl -p

echo 1 > /proc/sys/net/ipv4/ip_forward

to view:

sysctl -a | grep ipv4

to find available options for ipv4:

ls /proc/sys/net/ipv4

15) use scripting to automate system maintenance tasks

Maybe put a script in /etc/cron.daily?

/etc/profile

/etc/profile.d/*.sh

~/.bash_profile

~/.bashrc

/etc/bashrc

RHCE skills

Troubleshooting and System Maintenance

RHCEs must demonstrate the RHCT skills listed above, and should be able to:

1) use the rescue environment provided by first installation CD

linux rescue

2) diagnose and correct boot failures arising from bootloader, module, and filesystem errors

init

/etc/rc.d/rc.sysinit

/etc/rc.d/rc adn /etc/rc.d/rc?.d

/etc/rc.d/rc.local

grub

/boot/grub/grub.conf

filesystem

/etc/fstab

fsck /dev/hda

3) diagnose and correct problems with network services (see Installation and Configuration below for a list of these services)

4) add, remove, and resize logical volumes

LVM -

Hint: use apropos quota, or just lvm to find commands.

Q: expand or shrink logical volume (RHCE)

A: Make sure there is enough space, and volume is online, use vgconvert if necessary

ext2online /dev/vg0/data0 120M

lvextend -L +100M /dev/vg0/data0

lvreduce -L 120M /dev/vg0/data0

vgdisplay -v vg0

pvdisplay

lvdisplay

Q: Create a logical volume

A: First create physical volume, then volume group, then logical volume

PV -> VG -> LV

pvcreate /dev/hda6 /dev/hda7 /dev/hda8

vgcreate vg0 /dev/hda6 /dev/hda7

lvcreate -L 50M -n data0 vg0

ext2online /dev/vg0/data0

lvextend -L +6M /dev/vg0/data0

resize2fs -L /dev/vg0/data0 40M

lvreduce -L 40M /dev/vg0/data0

vgconvert

5) diagnose and correct networking services problems where SELinux contexts are interfering with proper operation.

SELinux

getenforce

setenforce 1

check context with ls -Z

Q: Set up directory to use context of another directory

A: Use the other directory as a reference

chcon -R --reference /var/www/html /var/www/html/www1

Installation and Configuration

RHCEs must demonstrate the RHCT-level skills listed above, and they must be capable of configuring the following network services:

1) HTTP/HTTPS

install httpd, check context with ls -Z

Q: Create a virtual host www1.example.com w/ subdirectory /var/www/html/www1

1) install httpd, modify /etc/httpd/conf/httpd.conf file

ServerName www1.example.com

DocumentRoot /var/www/html/www1

2) chcon -R --reference /var/www/html /var/www/html/www1

3) service httpd restart

4) chkconfig httpd on

Testing

service httpd configtest

2) SMB

Q: Configure Samba share /home/depts/legal

1) install samba

rpm -Uvh samba-* system-config-samba*(optional)

2) vi /etc/samba/smb.conf

[sharename]

path = /home/depts/legal

browseable = no

writeable = no

3) configure firewall

port 445, 137-139

3) NFS

Q: Export /data directory with nfs

The nfs server is an RPC service, and thus requires portmap

A: Modify /etc/exports, start nfs & portmap (make sure /data directory exists)

1) modify /etc/exports

/data *(sync,rw)

2) start services

service nfs start

service portmap start

chkconfig nfs on

chkconfig portmap on

3) verify config, & check mounts

exportfs -v

showmount -e localhost

rpcinfo -p localhost

4) restart

exportfs -r, or

service nfs reload

Q: Mount server1:/var/ftp/pub with nfs on /server1

1) mkdir /server1

2) vi /etc/fstab

192.168.2.254:/var/ftp/pub /server1 nfs soft,defaults 0 0

3) mount -a

* configure autofs

Automount

Q: Configure automount for nfs mount from nis domain on server1

1) mkdir /net

2) vi /etc/auto.master

# uncomment /net line

/net /etc/auto.net

3) start services

service portmap start

service autofs start

chkconfig autofs on

chkconfig portmap on

Q: Configure automount for nfs mount of /rhome directories from nis domain on server1

A: Create base directory

1) mkdir /rhome

2) vi /etc/auto.master

# copy and modify /misc line

/rhome /etc/auto.rhome

3) vi /etc/auto.rhome

* -rw,soft.intr server1:/home/guests/&

4) start services

service portmap start

service autofs start

chkconfig autofs on

chkconfig portmap on

4) FTP

Q: Configure ftp with /var/ftp/incoming directory

install vsftpd

1) rpm -Uvh vsftpd*

2) service vsftpd start

3) chkconfig vsftpd on

4) create incoming directory

cd /var/ftp

mkdir incoming

chown root:ftp fincoming

chmod 730 incoming

5) vi /etc/vsftpd/vsftpd.conf

uncomment the lines --

#anon_upload_enable=YES

#chown_uploads=YES

#chown_username=whoever

add

anon_umask=077

6) service vsftpd restart

7) configure firewall

iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 21 -j ACCEPT

service iptables save

5) Web proxy

Q: Install a web proxy and allow a certain network to access it

A: Install & configure squid

1) install squid, and start the service

rpm -ivh --aid squid*

service squid start

chkconfig squid on

2) vi /etc/squid

acl example src 192.168.0.0/24

http_access allow example

3) service squid reload

4) Configure browser to test:

Edit / Preferences /General / Connection Settings

Manual proxy configuration / HTTP Proxy: localhost Port: 3128

Enable port in firewall, if required

iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 3128 -j ACCEPT

service iptables save

Useful parameters:

http_port 3128

cache_mem 8 MB

cache_dir ufs /var/spool/squid 100 16 256

acl all src 0.0.0.0/0.0.0.0

http_access allow localhost

http_access deny all

hint: find out that port number is 3128

grep squid /etc/services

6) SMTP

install sendmail, sendmail-cf, sendmail-doc (optional)

Q: Configure mail server to accept internet email

A: modify /etc/mail/sendmail.mc

1) cd /etc/mail

2) vi /etc/mail/sendmail.mc

search for 127.0, put dnl at the front of the line

3) make

or m4 sendmail.mc > sendmail.cf

service sendmail restart

Q: Mail alias

A: modify /etc/aliases, run newaliases

Q: Receive mail for DomainX.example.com

A: modify sendmail mc as above, and add domain to /etc/mail/local-host-names

domainx.example.com

Debugging:

mail -v root

mailq, mailq -Ac

sendmail -q

tail -f /var/log/maillog

7) IMAP, IMAPS, and POP3

Q: Configure for pop3 (or imap)

A: 1) install dovecot

2) vi /etc/dovcot.conf

protocols = pop3

3) service dovecot restart

4) chkconfig dovecot on

Testing:

note: root is not permitted to login

echo "pop" | mail -s test student

telnet localhost 110

user student

pass student

stat

list

retr 1

quit

8) SSH

/etc/ssh/

~/.ssh/

9) DNS (caching name server, slave name server)

Q: Setup a slave name server

1) install bind, bind-utils, and caching-nameserver

2) when configuring a slave name server, start with caching, and modify

3) vi /etc/named.conf

comment out dump-file section

add:

zone "example.com" {

type slave;

masters { 192.168.0.254 };

file "slaves/slave-example.com.zone";

};

4) vi 0.168.192.in-addr.arpa

add:

zone "0.168.192.in-addr.arpa" {

type slave;

masters { 192.168.0.254 };

file "slaves/0.168.192.zone";

};

To verify:

named-checkconf

named-checkconf -t /var/named

named-checkzone example.com example.com.zone

5) start named, and make it start at boot

service named restart; tail -f /var/log/messages | grep named

chkconfig named on

Remember to check /etc/resolv.conf on all client machines.

10) NTP

/etc/ntp.conf

For each of these services, RHCEs must be able to:

1) install the packages needed to provide the service

rpm -Uvh packagename.rpm, or

yum install packagename

2) configure SELinux to support the service

getenforce

setenforce 1

check context with ls -Z

chcon -R --reference /var/www/html /var/www/html/www1

3) configure the service to start when the system is booted

chkconfig servicename on

4) configure the service for basic operation

different for each service

5) Configure host-based and user-based security for the service

setuid?

/etc/xinet.d/

RHCEs must also be able to:

1) configure hands-free installation using Kickstart

2) implement logical volumes at install-time

3) use iptables to implement packet filtering and/or NAT

iptables is usually configured to be as restrictive as possible, but this

may be difficult to implement in an exam environment. Read the instructions

carefully, and try to find the best way to implement it.

--- commands ---

iptables -L

iptables -F

service iptables save

service iptables restart

chkconfig iptables on

--- starting config ---

iptables -P INPUT DROP

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT

--- sample file ---

cat /etc/sysconfig/iptables

*filter

:INPUT DROP [67:11217]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [58:6450]

-A INPUT -s 192.168.0.10 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -s 192.168.0.1 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -s 192.168.0.254 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -s 192.168.0.254 -p udp -m udp --sport 53 -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 53 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 445 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 21 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 2049 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 2049 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 25 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 110 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 80 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 3128 -j ACCEPT

-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 835:837 -j ACCEPT

COMMIT

4) use PAM to implement user-level restrictions

/lib/security/

/etc/pam.d/

what is python??????

2007-12-22T18:20:00.000-08:00

Python is a interpreted, interactive, object oriented language. It is same as like Tcl, Perl, Scheme or Java programming language.

Features:
1. Python comprise of classes, exceptions, very high level dynamic data types, and dynamic typing.
2. Bulit in modules are written in C, C++.
3. Python runs in UNIX, on Windows, OS/2, Mac, Amiga, and many other platforms.

Printing readable man pages

2007-12-19T10:03:00.000-08:00

Below command will get you the man page in to read and printable format

____________
man command | col -x -b > command.txt
______________

Mysql Auto Installer Version 1 for i386 system and x86 bit based oS

2007-12-17T12:20:00.000-08:00

Description about script : Installing mysql for X86 and i386 architecture (with dependency- all libraries).

You may please send me the request for mysql auto installer script to the Email address "venkatachalam@poornam.com" or "venkata.natarajan@gmail.com" and make use of it.

Why is python ??

2007-12-17T11:49:00.000-08:00

Python is a open source software. It is developed in C. Python is a interpreter language so there is no need to convert the code in to binary format.

Python is a platform independent (it runs on windows and linux, mac os , unix etc).

Syntax also very simple(easy to learn).

You refer the link http://python.org for further reading insight...

Linux Success Story: New York Stock Exchange Moves to Linux

2007-12-16T02:29:00.000-08:00

The New York Stock Exchange is investing heavily in x86-based Linux systems and blade servers as it builds out the NYSE Hybrid Market trading system that it launched last year. Flexibility and lower cost are among the goals. But one of the things that NYSE Euronext CIO Steve Rubinow says he most wants from the new computing architecture is technology independence.

"What we want is to be able to take advantage of technology advances when they happen," Rubinow said. "We're trying to be as independent of any technologies as we can be."

The Hybrid Market system lets NYSE traders buy and sell stocks electronically or on the exchange's trading floor. The NYSE has been turning to x86 technology to power the trading system, largely using servers from Hewlett-Packard Co., the two companies announced this week.

The NYSE has installed about 200 of HP's ProLiant DL585 four-processor servers and 400 of its ProLiant BL685c blades, all running Linux and based on dual-core Opteron processors from Advanced Micro Devices Inc. In addition, the stock exchange is using HP's Integrity NonStop servers, which are based on Intel Corp.'s Itanium processors and run the fault-tolerant NonStop OS operating system, as well as its OpenView management software.

Rubinow said that Linux is mature enough to meet his needs. The open-source operating system may not have all the polish of Unix technologies with 20-plus years of history behind them, "but it's polished enough for us," he said.

The NYSE's shift toward Linux and x86-based hardware illustrates why consulting firm Gartner Inc. is predicting a slight decline in Unix server revenues over the next five years. In comparison, Gartner forecasts strong sales growth for both Windows and Linux servers.

Although Rubinow has the option of using HP-UX, HP's version of Unix, he said that he'd prefer not to. "We don't want to be closely aligned with proprietary Unix," he said. "No offense to HP-UX, but we feel the same way about [IBM's] AIX, and we feel the same way to some extent about Solaris."

The NYSE still runs numerous Unix systems, especially ones with Solaris, which is Sun Microsystems Inc.'s Unix derivative. Rubinow acknowledged that Solaris has the ability to run on multiple hardware platforms, including x86-based systems from Sun server rivals such as HP. But he added that he thinks Linux "affords us a lot of flexibility."

One technology that the NYSE isn't adopting so eagerly is server virtualization, which comes with a system latency price that Rubinow said he can't afford to pay. In a system that is processing hundreds of thousands of transactions per second, virtualization produces "a noticeable overhead" that can slow down throughput, according to Rubinow. "Virtualization is not a free technology from a latency perspective, so we don't use it in the core of what we do," he said.

Charles King, an analyst at Pund-IT Inc. in Hayward, Calif., believes there is a broader concern among IT managers about virtualization overhead and its impact on transaction processing. "It's one of the reasons why even the staunchest advocates of x86 virtualization recommend extensive testing prior to moving systems into production," King said.

Fedora Core 6 No More

2007-12-14T10:46:00.000-08:00

As of this last Friday, December 7th Fedora Core 6 is no more. With it goes the last release the Fedora Project had seen the split between “Community” (Extras) and Red Hat sponsored (Core). Those not intimately involved in Fedora might be interested to learn that when the merge happened it was the core packages that ended up having to follow the former “Extras” packaging guidelines and not the other way around. Yet another testament to the power of community.

Fedora often takes a bit of flack over not maintaining a longer release / support cycle. I think the main reason for this is simply because it allows Fedora to take bigger risks then any other operating system out there. By releasing often (now every 6 months) we can take any number of large risks. The worst case is having to fix it during the next release in 6 months, the best case is we integrate yet another killer technology before anyone else. Having been involved in Fedora for about 2 years I can say, 6 months is not very long.

At the same time not having to worry about updates for very long (current release + 1 release + 1 month) allows our developers to be more focused on innovation. Other groups and businesses are taking note of this as well as they integrate software into Fedora. It has become the perfect platform for a company to present new software to the world. Our setup allows us to be incredibly dynamic.

I think it’s best not to think of Fedora as a stand alone distribution but rather as part of a family of Red Hat compatible products. I mean that in terms of the technical specifications, not Red Hat the company. When Fedora is combined with RHEL and CentOS that family can fit into just about any market imaginable and I think that’s the key to the success of each of these distributions.

Fedora 9 is on the horizon and the recently announced FUDCon will be even more exciting then the last one. Those interested in helping just check out: http://fedoraproject.org/join-fedora

Disable ping responses from the system

2007-12-13T16:33:00.000-08:00

To configure a Linux system to not respond to a ICMP (ping), run the following
command as the root user.

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

To make the changes persistent across reboots, add the following line to
your /etc/sysctl.conf file.

# Ignore all to ICMP (ping)
net.ipv4.icmp_echo_ignore_all = 1

log the iptables messages to a different log file

2007-12-13T16:29:00.001-08:00

In this example, we will create a new logfile within the /var/log directory called iptables.

Make a backup of /etc/syslog.conf before making any changes to it.

# cp /etc/syslog.conf /etc/syslog.conf.bak

Edit /etc/syslog.conf with an editor such as vi and add lines:

# comment iptables log
kern.warning   /var/log/iptables

Make sure the iptables rule is logging at the appropriate level.

This can be done by using the �log-level switch. Default log-level is warning.

This example will log ssh attempts:

# iptables -I INPUT -p tcp - - dport 22 -j LOG �log-level 4

Log Levels can be found using command:

$ man syslog.conf

Log Levels
0  emerg or panic
1  alert
2  crit
3  err or error
4  warn or warning

Note: Consider adding a prefix to your iptables rule. This makes it easier to separate the firewall message from the few random messages that the kernel puts out.

This example will log ping and add the prefix "#### Firewall ####".

# iptables -I INPUT -p icmp �icmp-type ping -j LOG �log-prefix ' #### Firewall #### '

Verify which ports are listening

2007-12-13T16:27:00.000-08:00

After configuring network services, it is important to pay attention to which ports are actually listening on the system's network interfaces. Any open ports can be evidence of an intrusion.

There are two basic approaches for listing the ports that are listening on the network. The less reliable approach is to query the network stack by typing commands such as netstat -an or lsof -i. This method is less reliable since these programs do not connect to the machine from the network, but rather check to see what is running on the system. For this reason, these applications are frequent targets for replacement by attackers. In this way, crackers attempt to cover their tracks if they open unauthorized network ports.

A more reliable way to check which ports are listening on the network is to use a port scanner such as nmap .

The following command issued from the console determines which ports are listening for TCP connections from the network:

nmap -sT -O localhost

The output of this command looks like the following:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1596 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
515/tcp open printer
834/tcp open unknown
6000/tcp open X11
Remote OS guesses: Linux Kernel 2.4.0 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

This output shows the system is running portmap due to the presence of the sunrpc service. However, there is also a mystery service on port 834. To check if the port is associated with the official list of known services, type:

cat /etc/services | grep 834

This command returns no output. This indicates that while the port is in the reserved range (meaning 0 through 1023) and requires root access to open, it is not associated with a known service.

Next, check for information about the port using netstat or lsof. To check for port 834 using netstat, use the following command:

netstat -anp | grep 834

The command returns the following output:

tcp      0        0  0.0.0.0:834          0.0.0.0:*        LISTEN     653/ypbind

The presence of the open port in netstat is reassuring because a cracker opening a port surreptitiously on a hacked system would likely not allow it to be revealed through this command. Also, the [p] option reveals the process id (PID) of the service which opened the port. In this case the open port belongs to ypbind (NIS), which is an RPC service handled in conjunction with the portmap service.

The lsof command reveals similar information since it is also capable of linking open ports to services:

lsof -i | grep 834

Below is the relevant portion of the output for this command:

ypbind 653 0 7u IPv4 1319 TCP *:834 (LISTEN)
ypbind 655 0 7u IPv4 1319 TCP *:834 (LISTEN)
ypbind 656 0 7u IPv4 1319 TCP *:834 (LISTEN)
ypbind 657 0 7u IPv4 1319 TCP *:834 (LISTEN)

These tools reveal a great deal about the status of the services running on a machine. These tools are flexible and can provide a wealth of information about network services and configuration. Consulting the man pages for lsof, netstat, nmap, and services is therefore highly recommended.

specify a range of IP addresses or ports using iptables

2007-12-13T15:51:00.000-08:00

To specify a range of IP addresses or ports, use a dash. When using IP addresses and ports in conjunction, use a colon to separate. For example:


IP-IP:Port-Port

IP address ranges are only valid in the nat table, using the options --to-source and --to-destination. When a range is given, a simple round-robin (one after another in cycle) takes place between these adresses.

For example, when using NAT you can map to a range of possible IP addresses with:


# iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45-1.2.3.55

and you can map to a range of possible ports with:


# iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45:1234-1334

Features and benefits of using SSH

2007-12-13T15:47:00.000-08:00

SSH™ - (or Secure SHell) is a protocol which facilitates secure communications between two systems using a client/server architecture and allowing users to log into server host systems remotely. But unlike other remote communication protocols such as FTP or Telnet, SSH encrypts the login session, making it impossible for intruders to collect unencrypted passwords.

SSH is designed to replace older, less secure terminal applications used to log into remote hosts, such as telnet or rsh. A related program called scp replaces older programs designed to copy files between hosts, such as rcp. Because these older applications do not encrypt passwords transmitted between the client and the server, avoid them whenever possible. Using secure methods to log into remote systems decreases the risks for both the client system and the remote host.

Features of SSH

The SSH protocol provides the following safeguards:

After an initial connection, the client can verify that it is connecting to the same server it had connected to previously.
The client transmits its authentication information to the server using strong, 128-bit encryption.
All data sent and received during a session is transferred using 128-bit encryption, making intercepted transmissions extremely difficult to decrypt and read.
The client can forward X111 applications from the server. This technique, called X11 forwarding, provides a secure means to use graphical applications over a network.
Note: X11 refers to the X11R6 windowing display system, traditionally referred to as the X Window System or X. Red Hat Enterprise Linux includes XFree86, an open source X Window System.

Because the SSH protocol encrypts everything it sends and receives, it can be used to secure otherwise insecure protocols. Using a technique called port forwarding, an SSH server can become a conduit to secure otherwise insecure protocols, like POP, and increasing overall system and data security.

Red Hat Enterprise Linux includes the general OpenSSH package (openssh) as well as the OpenSSH server (openssh-server) and client (openssh-clients) packages. Refer to the chapter titled OpenSSH in the Red Hat Enterprise Linux System Administration Guide for instructions on installing and deploying OpenSSH. Also note that the OpenSSH packages require the OpenSSL package (openssl) which installs several important cryptographic libraries, enabling OpenSSH to provide encrypted communications.

Why Use SSH?

Nefarious computer users have a variety of tools at their disposal enabling them to disrupt, intercept, and re-route network traffic in an effort to gain access to a system. In general terms, these threats can be categorized as follows:

Interception of communication between two systems - In this scenario, the attacker can be somewhere on the network between the communicating entities, copying any information passed between them. The attacker may intercept and keep the information, or alter the information and send it on to the intended recipient.
This attack can be mounted through the use of a packet sniffer - a common network utility.
Impersonation of a particular host - Using this strategy, an attacker's system is configured to pose as the intended recipient of a transmission. If this strategy works, the user's system will remain unaware that it is communicating with the wrong host.

This attack can be mounted through techniques known as DNS poisoning or IP spooling.

Note:
DNS poisoning occurs when an intruder cracks a DNS server, pointing client systems to a maliciously duplicated host.

IP spoofing occurs when an intruder sends network packets which falsely appear to be from a trusted host on the network.

Both techniques intercept potentially sensitive information, and if the interception is made for hostile reasons, the results can be disastrous.

If SSH is used for remote shell login and file copying, these security threats can be greatly diminished. This is because the SSH client and server use digital signatures to verify their identity. Additionally, all communication between the client and server systems is encrypted. Attempts to spoof the identity of either side of a communication will not work, since each packet is encrypted using a key known only by the local and remote systems.

Pluggable Authentication Modules (PAM)

2007-12-13T15:46:00.000-08:00

Programs which grant users access to a system verify each user's identity through a process called authentication. Historically, each such program had its own way of performing the task of authentication. Under Red Hat Enterprise Linux, many such programs are configured to use a centralized authentication mechanism called Pluggable Authentication Modules or PAM.

PAM uses a pluggable, modular architecture, which affords the system administrator a great deal of flexibility in setting authentication policies for the system.

In most situations, the default PAM configuration file for a PAM-aware application is sufficient. However, sometimes it may become necessary to edit a PAM configuration file. Because misconfiguration of PAM can compromise system security, it is important to understand the structure of these files before making any modifications.

Advantages of PAM

PAM offers the following advantages:

It provides a common authentication scheme that can be used with a wide variety of applications.
It allows a large amount of flexibility and control over authentication for both system administrators and application developers.
It allows application developers to develop programs without creating their own authentication scheme.

More detailed information about Pluggable Authentication Module can be found in below link

2007-12-13T15:45:00.001-08:00

http://www.puschitz.com/SecuringLinux.shtml#EnforcingStrongerPasswords

change the default password length

2007-12-13T15:38:00.001-08:00

The default password length is usually 8 characters. In order to improve security longer passwords can be enforced. Pluggable Authentication Module (PAM) is used for login authentication. We will make changes to the pam_cracklib module to control how the user authenticates.

Important: Make sure to make a backup of your /lib/security directory and your /etc/pam.d/system-auth before making any changes. Making changes to PAM can cause a system to become inaccessible.

Create backup then list contents of the tar file:

# tar -cvf backup.tar /etc/pam.d/system-auth /lib/security/*
# tar -tf backup.tar

Open file /etc/pam.d/system-auth file with an editor such as vi. Inside the /etc/pam.d/system-auth file you will find line:

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=

Replace the line with:

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3  minlen=10

Notes:

Make the changes carefully. If a change is made and the system becomes inaccessible, go into rescue mode and replace the files with the backup files previously created.
Once the proper changes have been made to the system-auth file and everything is working as desired, a backup of the new system-auth should be made. If the authconfig command is used, it will overwrite the system-auth file.
If a single digit number is used in the password, an extra character must be used in the password.

blocking network access for a single user

2007-12-13T15:35:00.000-08:00

You can use the iptables userid match and block all outgoing traffic initiated by that user.

iptables -I OUTPUT -o -m owner --uid-owner -j REJECT
service iptables save

How To Back Up MySQL Databases Without Interrupting MySQL

2007-12-13T15:23:00.001-08:00

Normally, when you want to create a MySQL backup, you either have to stop MySQL or issue a read lock on your MySQL tables in order to get a correct backup; if you don't do it this way, you can end up with an inconsistent backup. To get consistent backups without interrupting MySQL, I use a little trick: I replicate my MySQL database to a second MySQL server, and on the second MySQL server I use a cron job that creates regular backups of the replicated database.

Preliminary Note

To follow this tutorial, you need a second MySQL server (the slave), and you have to set up MySQL replication from your first MySQL server (the system from where you want to take backups, the master) to the slave, e.g. as described in this tutorial: http://www.howtoforge.com/mysql_database_replication. Setting up MySQL replication is beyond the scope of this document.

The whole setup that I describe here has to be done on the slave MySQL server!

I have tested this on a Debian system; this should work on other distributions as well, but it's possible that some paths differ (in the script /usr/local/sbin/mysqlbackup.sh).

Doing Automated Backups Of The Replicated Databases On The Slave

After you have set up a working MySQL replication from the master to the slave, I assume that you want to do automatic backups of the slave database to the directory /home/sqlbackup. First, we must create that directory:

mkdir /home/sqlbackup

Next we create the shell script /usr/local/sbin/mysqlbackup.sh that stops the slave, makes an SQL dump of the whole MySQL database in /home/sqlbackup (the file name of the SQL dump will look like this: backup-20070423-18.sql; this is a dump taken on April 23, 2007, at 18.00h), restarts the slave afterwards (the slave will then catch up on everything that has happened on the master in the meantime so that no data is lost), and deletes all SQL dumps in /home/sqlbackup that are older than two days:

vi /usr/local/sbin/mysqlbackup.sh

#!/bin/sh

datum=`/bin/date +%Y%m%d-%H`

/usr/bin/mysqladmin --user=root --password=yourrootsqlpassword stop-slave

/usr/bin/mysqldump --user=root --password=yourrootsqlpassword --lock-all-tables \
--all-databases > /home/sqlbackup/backup-${datum}.sql

/usr/bin/mysqladmin --user=root --password=yourrootsqlpassword start-slave

for file in "$( /usr/bin/find /home/sqlbackup -type f -mtime +2 )"
do
/bin/rm -f $file
done

exit 0

(Please make sure that you replace yourrootsqlpassword with the password of the root MySQL user on the slave!)

Now we must make the script executable:

chmod 755 /usr/local/sbin/mysqlbackup.sh

Of course, we don't want to run the /usr/local/sbin/mysqlbackup.sh manually; instead, we create a cron job that runs the script automatically every three hours:

crontab -e

0 */3 * * * /usr/local/sbin/mysqlbackup.sh &> /dev/null

Of course, you are free to modify the cron job to run as often as you need it.

That's it, using this method you can now back up your MySQL database without interrupting the MySQL service on the master server.

The Google Story.....

2007-12-13T15:04:00.001-08:00

Know about google...

Just completed reading " The google story" by David Wise. Quite an eyeopener on how Serjey and Larry managed to make their dreams into a $80 billion giant. The journey from the Stanford lab to the gates building to the garage to googleplex is worth a read however, some portion of the book might have been better with a more detailed take. Take the case where Overture sues Google for infringement of its propriety ad selling mechanism. Felt somehow lost as I had no idea who was Overture and why on earth did they not capitalize on their patented solution or the case where the founders had no interest in hiring a CEO but were being forced by Kleiner Perkins and Sequoia Capital. Somewhere the seriousness and implications of Larry's and Brin's decision on Googles future was not really discussed to extent that would have made a serious reader satisfied. Anyway's heres my 10 point gyan to anyone interested in knowing a bit about Google and its founders.

1)Google is a mis-spelt word. The original word is Googol which means 1 followed by 100 zeroes.

2)Larry Page's brother Carl page also sold his internet company during the dot com era for an eye popping $500 million.

3)Google's ad model was originally developed by a company named Overture ( Now a Yahoo company)

4)From their original hostel at Stanford, Larry Page and Sergey Brin were shifted to a newly constructed building named William Gates building.

5)Though a tech company Google followed the practices of media companies during its IPO. To protect itself from unwanted takeover threats the company issued class A and B types of shares. Valued similarly the two classes of shares differed only in their voting rights. The company also developed an auction based system of allotting its stake to prevent unwanted volatility just after listing.

6)Google had lost the Amazon Europe ad deal to Yahoo. Larry and Serjey were traveling on their private jet when they got this news. With much persuation the founders arranged a secret meeting with Amazon's CEO. Google raised its bid to such a level that Yahoo was eventually forced to back out of the deal saying that it did not make business sense for the latter.

7)Google's inhouse chef Charlie Ayers is one of the few chefs in the world who became a millionaire by selling personal Google shares given to him.

8)Its very rare to find Kleiner Perkins and sequoia capital investing in the same venture. Larry and Sergie played a sleek game pitting the two VC'c against each other resulting in the two firms investing $12.5 million each.

9)Google has a policy where employees are allowed to spend 20% of their time persuing their interests. Googlenews, Gmail and a host of other applications are a result of employee ideas which originated during this 20% time.

10)Google has one of the largest hardware infrastructure and computing power in the world. This can be gauged from the fact that the company crawl the entire web and saves it in its computers. When a user searches for something, the google computers searches through the saved pages and throws out relevant results within seconds.

cpanel Useful scripts

2007-09-10T07:13:00.000-07:00

Install Zend Optimizer /scripts/installzendopt
Hostname A Entry Missing! /scripts/fixndc then restart bind and apache
Install Cron on New Server /scripts/installrpm anacron vixie-cron ; /etc/rc.d/init.d/crond start
Bandwidth issues /scripts/cleanbw
/scripts/fixwebalizer (To fix problem in webalizer that stop updating stats)
/scripts/fixcommonproblems
/scripts/fixeverything
Fixing Mail List MailMan /usr/local/cpanel/bin/convertmailman2
Reinstall MailMan /scripts/reinstallmailman
Fix Permissions on accounts: /scripts/fixhome
Edit mySQL conf file: pico /etc/my.cnf
Edit php.ini: pico /usr/local/lib/php.ini
Edit Apache Conf: pico /etc/httpd/conf/httpd.conf
Checking Real Time Top Processes Login to SSH and run: top
Run cpanel backup /scripts/cpbackup
To try and fix domain controller: /scripts/fixndc

Quotas /scripts/initquotas - takes a while to run
/scripts/resetquotas
/scripts/fixquotas - takes a while to run

/scripts/adddns Add a Dns Entry
/scripts/addfpmail Install Frontpage Mail Exts
/scripts/addservlets Add JavaServlets to an account (jsp plugin required)
/scripts/adduser Add a User
/scripts/admin Run WHM Lite
/scripts/apachelimits Add Rlimits (cpu and mem limits) to apache.
/scripts/dnstransfer Resync with a master DNS Server
/scripts/editquota Edit A User’s Quota
/scripts/finddev Search For Trojans in /dev
/scripts/findtrojans Locate Trojan Horses
Suggest Usage
/scripts/findtrojans > /var/log/trojans
/scripts/fixtrojans /var/log/trojans
/scripts/fixcartwithsuexec Make Interchange work with suexec
/scripts/fixinterchange Fix Most Problems with Interchange
/scripts/fixtrojans Run on a trojans horse file created by findtrojans to remove them
/scripts/fixwebalizer Run this if a user’s stats stop working
/scripts/fixvaliases Fix a broken valias file
/scripts/hdparamify Turn on DMA and 32bit IDE hard drive access (once per boot)
/scripts/initquotas Re-scan quotas. Usually fixes Disk space display problems
/scripts/initsuexec Turn on SUEXEC (probably a bad idea)
/scripts/installzendopt Fetch + Install Zend Optimizer
/scripts/ipusage Display Ipusage Report
/scripts/killacct Terminate an Account
/scripts/killbadrpms Delete “Security Problem Infested RPMS”
/scripts/mailperm Fix Various Mail Permission Problems
/scripts/mailtroubleshoot Attempt to Troubleshoot a Mail Problem
/scripts/mysqlpasswd Change a Mysql Password
/scripts/quicksecure Kill Potential Security Problem Services
/scripts/rebuildippool Rebuild Ip Address Pool
/scripts/remdefssl Delete Nasty SSL entry in apache default httpd.conf
/scripts/restartsrv Restart a Service (valid services: httpd,proftpd,exim,sshd,cppop,bind,mysql)
/scripts/rpmup Syncup Security Updates from RedHat/Mandrake
/scripts/runlogsnow Force a webalizer/analog update.
/scripts/secureit Remove non-important suid binaries
/scripts/setupfp4 Install Frontpage 4+ on an account.
/scripts/simpleps Return a Simple process list. Useful for finding where cgi scripts are running from.
/scripts/suspendacct Suspend an account
/scripts/sysup Syncup Cpanel RPM Updates
/scripts/unblockip Unblock an IP
/scripts/unsuspendacct UnSuspend an account
/scripts/upcp Update Cpanel
/scripts/updatenow Update /scripts
/scripts/wwwacct Create a New Account

/scripts/runweblogs account username for awstats to run manually

Sometimes such behavior of apache/httpd (taking more and more memory until it dies or crashes the server) can be caused by corrupted MySQL database. Try to do the following:
1) Kill the mysql server
/etc/rc.d/init.d/mysql stop

2) Repair all SQL databases:
myisamchk -r /var/lib/mysql/*/*.MYI

3) Start mysql again:
/etc/rc.d/init.d/mysql start

Why Dell Is Really Saying No to Linux

2007-05-31T20:59:00.000-07:00

By now, many of you may be wondering why Dell is passing up such a great niche market by not offering Linux as an alternative OS option to Windows. We have talked about how this would only prove to benefit a company like Dell, but we have also acknowledged the fact that it will likely never happen.

Then I came across this piece from ArsTechnica. They rightfully point out that Dell is not equipped to handle Linux support for the desktop. And they continue their proper understanding in stating that Dell can barely handle supporting Windows issues. Then it occurred to me: why must Dell "support" Linux at all? Check this out...

This Excuse Smells of Swiss Cheese. The belief that Dell can't sell Linux based on support concerns is absurd. It’s not because problems won’t arise, but they could easily outsource this kind support to...Linux vendors themselves.

Obviously, the simple answer is to offer known-to-work hardware in Dell Linux boxes, but make it clear that on the support front, the users are on their own. Instead, Dell appears afraid of this. Why? Because they might be giving their customers over to someone competent that can actually answer the questions being asked without being put on hold 15 times? Come on, give me a break. Let's make this as easy as pie for Dell, shall we?

The "You are on Your Own" Disclaimer. Dell could force buyers, who are interested in buying the Linux alternative, to digitally sign an agreement stating that they understand that the hardware is known to work and that a list of Linux support agencies will be provided with the order. Boom, Dell just conquered the support issue.

So enough of the hot air. The reason why we will not see Dell selling desktop Linux boxes is simple - Microsoft's OEM department would come unhinged. Why? Because HP would soon follow suit. And if HP and Dell are both selling desktop Linux boxes as an alternative to Vista, the market would shift a great deal. Curiosity would prevail.

Like Linux, Vista presents a set of challenges to the PC user. And unless they dump the PC completely and just go with a Mac, most users are no worse off with Linux than with Vista. Outside of power users who need specialty apps, most people would honestly not care, so long as everything works out of the box.

The Time is Now, But Will it Even Matter? My reason to see Dell become more open to offering Linux is rather simple. If they offer it, HP will follow them, and before long, new PC buyers will be exposed to Linux offerings.

Linux is most certainly not for everyone. I get this. However, if Dell is willing to take a slight risk to look at the fact that Vista is not ready yet, they might then realize that Linux offers a viable alternative to banging-your-head-against-the-wall with Vista compatibility.

Understand this, though. Once Vista gets its issues worked out, this small window of opportunity with Dell and HP will indeed close. The time is now, so hopefully we will see enough profit margins hurting to where Dell is really ready to take a chance in offering yet, another OS option to provide along side Vista. Only time will tell, I suppose.

LPI Releases Top-Level Linux Certification

2007-02-05T16:20:00.001-08:00

"After years in the making--and after some people had given up on ever seeing it--the distribution-neutral Linux Professional Institute (LPI) and its affiliate, LPI-Japan, have finally jointly launched the LPIC-3 certification program...

Linux in Brazil: Brazilian Government Will Update Its Tax-Exempt Linux Computers Initiative

2007-02-05T16:20:00.000-08:00

"A nice idea turned into a pirated software magnet? Users were replacing their pre-installed Linux with unlicensed Windows copies, and some of the reasons for these defections were addressed by today announcement..."

Flash News

2006-12-31T13:47:00.000-08:00

'''''China launches Linux-based smartphone'''''

pink to read the hot topic regard Linux.

http://www.linuxdevices.com/news/NS5033717348.html

French Parliament migrates to Linux

2006-12-31T13:46:00.003-08:00

http://compu-world.blogspot.com/2006/11/french-parliament-migrates-to-linux.html

BSNL Broad band rocks

2006-12-31T13:43:00.000-08:00

BSNL Broad band rocks

BSNL broadband rocks with its speed, i could experience this update right from 12am in this new year 2007. To see your download speed look this page --> culcuttatelephones <--