Eu buntu nix


Sunday, April 30, 2006

How-To LINUX

How-To LINUX-www.linuxboxadmin.com

Configure serial ports

View serial ports/multi-port boards (must be root)

setserial /dev/ttyS0
setserial /dev/ttyS1

Set a serial port to 115k (must be root)

setserial /dev/ttyS0 spd_vhi

This only configures the port, not any attached modem or serial device.

Other speeds:
spd_normal 38.4k
spd_hi 57.6k
spd_shi 230k
spd_warp 460k






----------------------------------------------------------

Set ethernet to full duplex

Set an ethernet adapter to full duplex (must be root):

mii-tool --force=100baseTx-FD eth0

If you want to force full duplex at boot time, add the above command to one of the startup scripts, such as /etc/rc.d/boot.local.



----------------------------------------------------------


Set the real time clock

hwclock --set --date="3/21/02 01:10:00"

----------------------------------------------------------

Tune IDE disks






See IDE disk settings (must be root)

hdparm /dev/hd? (hda, hdb, etc.)

Set DMA for IDE disks (must be root)

Usually big performance gains, especially for DVD drives.

hdparm -d1 /dev/hd? (hda, hdb, etc.)

Tune additional IDE disk settings (must be root)

The -c3 option turns on the 32-bit EIDE interface. The -m16 option sets the read ahead buffer to 16 sectors. These are fairly non-aggressive settings for a modern EIDE disk.

hdparm -d1 -c3 -m16 /dev/hd? (hda, hdb, etc.)

Test IDE disk performance (must be root)

hdparm -tT /dev/hd? (hda, hdb, etc.)

----------------------------------------------------------




View detected hardware

General

The Linux kernel stores all hardware settings in the virtual directory /proc.

See IO ports: cat /proc/ioports

See IRQs: cat /proc/interrupts

See PCI devices: cat /proc/pci
also: /sbin/lspci

See USB hubs and devices: cat /proc/bus/usb/devices
also: usbview (gui program)

See IDE disk settings (must be root): hdparm /dev/hd? (hda, hdb, etc.)

View serial ports/multi-port boards (must be root): setserial /dev/ttyS0
setserial /dev/ttyS1

Active network cards: /sbin/ifconfig
also: /sbin/ip addr

Boot time hardware detection messages (kernel ring buffer): dmesg | less

----------------------------------------------------------


Apt and dpkg commands



To update the local cache from apt repositories: apt-get update

To download and install a package (including dependencies): apt-get install package-name

To install a single .deb package: dpkg --install package.deb

To remove a package: apt-get remove package-name

To find all available packages that match a pattern: apt-cache search pattern

apt-cache searches the package names and descriptions.

To display package information: apt-cache show package-name

To show all installed packages: dpkg --list

To show all files that belong to a package: dpkg --listfiles package-name

----------------------------------------------------------





Cron fields


Crontab fields

Here is how the fields are defined:
  1. minute
  2. hour
  3. day of the month
  4. month of the year
  5. day of the week
  6. program or command to run

An asterisk (*) in any field means run every time for this field. Ranges (X-Y) and steps (X-Y/Z) can also be defined.

    User crontabs

    To edit a user crontab (including root):
    crontab -e

    To delete a crontab:
    crontab -r

    System crontab

    The system crontab is stored in /etc/crontab. It can be changed (as root) with a text editor.

    The system crontab has one extra field before the program to run, which is the user to run the command as (usually root).
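An added example (not from the original page): a small audit of a system-format crontab that uses the extra user field described above. It reports jobs whose command file is missing, is group- or world-writable, sits in such a directory, or is given as a relative path; the function names and the sample crontab are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a system-format crontab (/etc/crontab layout).
# Fields: minute hour day-of-month month day-of-week USER command [args...]

# True when the path is writable by group or other (mode bits 020 or 002).
# -L follows symlinks so the link target is judged, not the link itself.
loosely_writable() {
    [ -n "$(find -L "$1" -maxdepth 0 \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# Print one finding per risky job:
#   MISSING  user path   command file does not exist
#   WRITABLE user path   command file or its directory is group/world-writable
#   RELATIVE user cmd    command is resolved through PATH, not an absolute path
audit_system_crontab() (
    while read -r min hour dom mon dow user cmd rest; do
        case $min in
            ''|'#'*|*=*) continue ;;        # blank line, comment, or VAR=value line
            @*) user=$hour; cmd=$dom ;;     # @reboot-style entry: one schedule field
        esac
        [ -n "$cmd" ] || continue
        case $cmd in
            /*) ;;
            *) echo "RELATIVE $user $cmd"; continue ;;
        esac
        if [ ! -e "$cmd" ]; then
            echo "MISSING $user $cmd"
        elif loosely_writable "$cmd" || loosely_writable "$(dirname "$cmd")"; then
            echo "WRITABLE $user $cmd"
        fi
    done < "$1"
)

# Constructed sample: a scratch directory holding one tight and one loose script.
demo_crontab_audit() (
    d=$(mktemp -d) || exit 1
    mkdir "$d/sa"
    chmod 755 "$d/sa"
    : > "$d/sa/sa1"; chmod 755 "$d/sa/sa1"
    : > "$d/sa/sa2"; chmod 777 "$d/sa/sa2"
    cat > "$d/crontab" <<EOF
# constructed sample in /etc/crontab format
SHELL=/bin/sh
*/10 * * * * root $d/sa/sa1 1 1
53 23 * * * root $d/sa/sa2 -A
0 4 * * 0 root $d/sa/rotate
EOF
    audit_system_crontab "$d/crontab" | sed "s|$d|<tmp>|"
    rm -rf "$d"
)
demo_crontab_audit
```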
    ----------------------------------------------------------
    Default gateway

    To set the default gateway:

    route add default gw ip-address interface

    For example,

    route add default gw 10.1.1.1 eth0

    To view the current routing table:

    route -n

    Here is a typical routing table:

    Kernel IP routing table
    Destination    Gateway      Genmask         Flags Metric Ref  Use Iface
    10.241.1.118   0.0.0.0      255.255.255.255 UH    0      0    0   eth1
    192.168.1.203  0.0.0.0      255.255.255.255 UH    0      0    0   eth0
    127.0.0.0      0.0.0.0      255.0.0.0       U     0      0    0   lo
    0.0.0.0        192.168.1.1  0.0.0.0         UG    0      0    0   eth0

    The entry with a destination of 0.0.0.0 is the default gateway.
    ----------------------------------------------------------





    Disk quotas


    The Linux kernel supports disk quotas if the support for quotas is compiled into it. The kernel configuration option is CONFIG_QUOTA=y. Most distributions include this option in their kernels.

    There are four steps to enabling quotas on a file system.
    1. Add the usrquota option to the /etc/fstab entry
    2. Use quotacheck filesystem to create initial quota files
    3. Use edquota to set quota limits for users/groups
    4. Enable quotas with quotaon filesystem

      Quota files (binary)

      Two quota files are stored in the root of the file system where they apply. They are:
      • quota.user (v1) or aquota.user (v2)
      • quota.group (v1) or aquota.group (v2)

        To set quotas for a user: edquota -u user

        To set quotas for many users based on another user: edquota -p protouser -u user [user]

        To set quotas for a group: edquota -g group

        To see a summary report on all quotas repquota -a

        To disable quotas: quotaoff filesystem

        To scan/update/repair quota files (unmount file system first): quotacheck -u -g

        Hard and Soft Limits

        There are two limits that are enforced in the quota system. The first is a limit on the total amount of space used by all files owned by the user (block limit). The second is a limit on the maximum number of inodes used (file limit). Each limit has a soft (warning level) and hard limit (stop level). If a user exceeds the soft level, they have a grace period (7 days) to correct the problem. When they hit the hard limit, the system will not allocate any more space to them until they remove some files.
        ----------------------------------------------------------



        File Timestamps



        Each file has three dates associated with it (stored as the number of seconds since the epoch, Jan 1, 1970). The three timestamps are
        • Access time (atime) - the last time the file was read
        • Modify time (mtime) - the last time the file contents were changed
        • Change time (ctime) - the last time the file permissions were changed
          In a long directory listing, the timestamp shown is the Modify time (mtime). To see all timestamps, use:
          stat filename

          Here is sample output from stat:
            File: `apache.php'
            Size: 9791            Blocks: 24         IO Block: 4096   Regular File
          Device: 302h/770d       Inode: 1818841     Links: 1
          Access: (0644/-rw-r--r--)  Uid: (32045/ wileyjb)   Gid: (32045/ wileyjb)
          Access: 2006-03-08 13:48:55.000000000 -0500
          Modify: 2006-03-04 14:33:37.000000000 -0500
          Change: 2006-03-04 14:33:37.000000000 -0500








          ----------------------------------------------------------





          Find suid/sgid files



          Find all SUID root files: find / -user root -perm -4000 -print

          Find all SGID root files: find / -group root -perm -2000 -print

          Find all SUID and SGID files owned by anyone: find / \( -perm -4000 -o -perm -2000 \) -print

          Find all files that are not owned by any user: find / -nouser -print

          Find all files that are not owned by any group: find / -nogroup -print

          Find all symlinks and what they point to: find / -type l -ls
          ----------------------------------------------------------




          Fstab fields


          Each line in /etc/fstab contains information on one filesystem. For example,

          /dev/hda7 / ext3 defaults 0 0

          There are 6 fields:

          1. device name (e.g., /dev/hda)
          2. mount point
          3. filesystem type (ext2, reiser, iso9660, etc.)
          4. options (ro, noauto, user, usrquota)
          5. dump should backup this filesystem (0=no, 1=yes)
          6. fsck order on reboots (0=don't check, 1=root filesystem, 2=other filesystems)
          ----------------------------------------------------------





            Iptables




            Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.

            If any routing or forwarding is to be done with iptables, set the ip_forward kernel value:
            echo "1" > /proc/sys/net/ipv4/ip_forward

            Here is the general syntax for iptables commands:
            iptables -t table -[ADC] chain rule-specification [options]

            The -ADC is for append, delete, or change the rule. The -t table can be either filter (default), nat, or mangle.

            Rules are processed in order until they match, then they are either sent to another chain or are handled immediately through one of four targets (ACCEPT, DROP, QUEUE, or RETURN). The jump (-j) option at the end of a rule determines the fate of a packet.

            Meaning of targets:
            • ACCEPT means to let the packet through.
            • DROP means to drop the packet on the floor.
            • QUEUE means to pass the packet to userspace (if supported by the kernel).
            • RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain.
            Each of the main kernel tables has a fixed number of chains where rules can be applied:
              1. filter (default)
                1. INPUT (for packets destined for the box itself)
                2. FORWARD (for packets being routed through the box)
                3. OUTPUT (for locally-generated packets)
              2. nat (masquerading)
                1. PREROUTING (for altering packets as soon as they come in)
                2. OUTPUT (for altering locally-generated packets before routing)
                3. POSTROUTING (for altering packets as they are about to go out)
              3. mangle (special processing)
                1. PREROUTING (for altering incoming packets before routing)
                2. OUTPUT (for altering locally-generated packets before routing)
                3. INPUT (kernel >= 2.4.18)
                4. FORWARD (kernel >= 2.4.18)
                5. POSTROUTING (kernel >= 2.4.18)

                      To save the current iptables rules to a file: iptables-save > firewall-rules.txt

                      To restore saved iptables rules from a file: iptables-restore < firewall-rules.txt

                      To clear (flush) all rules for the filter table: iptables -F -t filter

                      To list all rules currently in effect for the filter table: iptables -L

                      To list all rules currently in effect for the nat table: iptables -t nat -L

                      To blacklist an IP (drop all incoming packets from that IP): iptables -t filter -A INPUT -i eth0 --source 1.2.3.4 -j DROP

                      To port forward SMTP to an internal IP: iptables -t nat -A PREROUTING --destination 64.14.241.55 -p tcp --dport 25 -j DNAT --to-destination 10.0.1.9

                      To masquerade outbound traffic from the internal network (traditional NAT): iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

                      To delete rule 4 from the PREROUTING chain of the nat table: iptables -t nat -D PREROUTING 4
                      ----------------------------------------------------------






                      Kernel Modules


                      Kernel module dependencies are stored in:
                      /lib/modules/kernel-version/modules.dep

                      To show loaded kernel modules:
                      lsmod

                      To display information about a module:
                      modinfo module-name

                      To load a module (and dependent modules):
                      modprobe module-name

                      To unload a module (and dependent modules):
                      rmmod -r module-name

                      Altering how kernel modules are loaded

                      The file /etc/modules.conf can be used to alter how kernel modules are loaded. The most common entry is an alias mapping a generic name to an actual module. For example:
                      alias eth0 e100

                      The above line loads the e100 module if modprobe eth0 is executed.

                      It can also be used to pass parameters to modules, or force loading a module stack not defined in normal dependencies.

                      Kernel sources

                      Installing the kernel sources varies considerably since most distributions ship heavily patched kernels. Follow the docs of the distribution.
                      ----------------------------------------------------------


                      RPM commands



                      Location of RPM database files: /var/lib/rpm/

                      To install a package (i=install v=verbose h=show hash marks): rpm -ivh package.rpm

                      To uninstall (erase) a package: rpm -e package-name

                      To upgrade a package: rpm -Uvh package.rpm

                      To test a package without installing (checks dependencies): rpm -Uvh --test package.rpm

                      To verify a package: rpm -Vvv package-name

                      To verify ALL installed packages: rpm -Va

                      To find installed package names matching a pattern: rpm -qa | grep pattern

                      To see what files a new package is going to install: rpm -qpl package.rpm

                      To see what files belong to an installed package: rpm -ql package-name

                      To see what package owns a file: rpm -qf filename

                      To rebuild the RPM database: rpm --rebuilddb

                      To bypass running the install/uninstall scripts in a package: rpm -ivh --noscripts package.rpm

                      also: rpm -e --noscripts package-name

                      Mass install: rpm -ivh *.rpm

                      Mass uninstall of packages that match a pattern: rpm -qa | grep pattern | xargs rpm -e
                      ----------------------------------------------------------





                      Sar - System Activity Report


                      Sar is the "system activity report" program. In Linux, it is often found in the sysstat package. The package includes the sadc program that gathers stats and stores them in binary files in /var/log/sa/, and the report programs, sar, mpstat, and iostat. It also includes the sa1 and sa2 shell scripts that execute sadc and produce daily summaries of the data.

                      Capturing performance data

                      If you install sar from a package, several scripts may be set up automatically to gather data. Check the cron configuration for sa1 and sa2 scripts. If the scripts are not scheduled to run, here is a typical cron configuration:
                      # run system activity accounting tool every 10 minutes
                      */10 * * * * root /usr/lib/sa/sa1 1 1
                      # generate a daily summary of process accounting at 23:53
                      53 23 * * * root /usr/lib/sa/sa2 -A



                      To show CPU performance: sar -u

                      To show average IO performance over time: sar -b

                      To show average IO performance by device: iostat

                      To show average network performance: sar -n FULL

                      To show network performance by device: sar -n DEV

                      To show network errors by device: sar -n EDEV

                      To show memory performance: sar -R

                      To show paging (swap file) performance: sar -W
                      ----------------------------------------------------------




                      Shared Libraries and Tracing


                      Many Linux programs use dynamic shared libraries (.so=shared object), similar to Windows DLLs. The list of directories that Linux searches for shared libraries is defined in /etc/ld.so.conf. At run time, Linux uses a cache of available libraries (updated during boot from /etc/ld.so.conf) to determine what to load from where when a call is made to a shared library. The cache file is /etc/ld.so.cache.

                      Adding or updating libraries

                      After a change to /etc/ld.so.conf or after new libraries are installed, update the library cache file (as root):
                      ldconfig

                      To determine which libraries are used by a program or another library: ldd [program-name | library-name]

                      Stack tracing

                      To see all system calls made by a program, calls to libraries, and signals received, use:
                      strace program-name
                      note: see also ltrace

                      Static linking with gcc

                      To statically link libraries with a program while compiling, pass the -static flag to gcc:
                      gcc [other options] -static

                      If compiling from a Makefile, set the linker options in the LDFLAGS variable:
                      LDFLAGS = -static
                      ----------------------------------------------------------

                      SMTP test

                      To test SMTP from the command line:

                      1. telnet host-to-test 25 (connect to port 25 on mail server)
                      2. HELO sending-host
                      3. MAIL FROM: foo@foo.com
                      4. RCPT TO: bar@bar.com
                      5. DATA (enter one blank line after DATA)
                      6. Subject: test
                         To: to-user
                         From: from-user
                         (enter one blank line after From:)
                         test text for email
                         . (enter a single period by itself on the last line)
                      7. QUIT
                      ----------------------------------------------------------



                        Special Permissions


                        In addition to the standard permissions (rwx), there are 3 special permissions that can be set for a file or directory: suid, sgid, and sticky bit.

                        suid -- this special permission allows the file to be executed with the security permissions of the file owner instead of the permission of the user who ran the program. This can be a source of security problems. Some daemons run as suid root. The suid permission is seen as an "S" in the user executable position of a long directory listing (ls -l). Has no effect if the file is not executable.

                        To set the suid permission:
                        chmod u+s filename

                        sgid -- this special permission allows the file to be run with the security permissions of the group instead of the permission of the user who ran the program. This can be a source of security problems. The sgid permission is seen as an "S" in the group executable position of a long directory listing (ls -l). Has no effect if the file is not executable.

                        To set the sgid permission:
                        chmod g+s filename

                        Note: If sgid is set on a directory, any file created within that directory will have the same group owner assigned as the directory. Useful when a group of users is sharing the same directory.

                        sticky bit on a directory -- Prevents any files in a directory from being deleted by anyone but the owner of that file. Often used on the /tmp directory. Good to prevent accidental deletions by rm * commands. The sticky bit is seen as a t in a long directory listing (ls -l). Setting the sticky bit on a file is ignored by Linux.

                        To set the sticky bit:
                        chmod o+t dirname
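An added example (not part of the original page) that ties this section to the find commands under "Find suid/sgid files": it inventories set-id files, compares them with a saved baseline, and lists world-writable directories that lack the sticky bit. The function names and the scratch files in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory special-permission files under a directory tree.

# Regular files with suid or sgid set. The parentheses matter: without them
# -print binds only to the last test and the suid matches are silently dropped.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

# Files that are set-id now but absent from a saved baseline (one path per
# line, written earlier by list_setid_files and kept outside the scanned tree).
new_setid_files() {
    list_setid_files "$1" | LC_ALL=C comm -13 "$2" -
}

# suid without owner execute, or sgid without group execute: ls -l shows a
# capital S and the bit does not change how the file runs.
ineffective_setid_files() {
    find "$1" -xdev -type f \
        \( \( -perm -4000 ! -perm -0100 \) -o \( -perm -2000 ! -perm -0010 \) \) \
        -print 2>/dev/null | LC_ALL=C sort
}

# World-writable directories lacking the sticky bit: any user can delete or
# replace files in them that belong to someone else.
unsticky_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | LC_ALL=C sort
}

# Constructed sample tree; paths are printed with the scratch directory as <tmp>.
demo_setid_audit() (
    d=$(mktemp -d) || exit 1
    base=$(mktemp) || exit 1
    : > "$d/plain";   chmod 0644 "$d/plain"
    : > "$d/helper";  chmod 4755 "$d/helper"
    list_setid_files "$d" > "$base"            # baseline: only helper is set-id
    : > "$d/dropped"; chmod 4755 "$d/dropped"  # appears after the baseline
    : > "$d/typo";    chmod 4644 "$d/typo"     # suid without execute
    mkdir "$d/shared" "$d/scratch"
    chmod 0777 "$d/shared"
    chmod 1777 "$d/scratch"
    {
        echo "new:";         new_setid_files "$d" "$base"
        echo "ineffective:"; ineffective_setid_files "$d"
        echo "unsticky:";    unsticky_world_writable_dirs "$d"
    } | sed "s|$d|<tmp>|"
    rm -rf "$d" "$base"
)
demo_setid_audit
```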
                        ----------------------------------------------------------





                        Sysctl


                        Sysctl is used to view and modify kernel parameters at run time. It is slightly more elegant than copying values directly to /proc.

                        The file /etc/sysctl.conf is the sysctl default file that often contains multiple parameter settings to be loaded at once. It is sometimes used by start up scripts so be careful making changes to it. To modify multiple parameters at once, it is safer to create a new file.

                        To view all kernel parameters: sysctl -a

                        To set a new value for a kernel parameter: sysctl -w variable.name=xxxx

                        For example:
                        sysctl -w net.ipv4.ip_forward=1

                        To load multiple parameters from a file: sysctl -p filename
                        ----------------------------------------------------------






                        Tar and cpio



                        Create a gzipped tar archive: tar czvf archive files-to-backup

                        Extract a gzipped tar archive: tar xzvf archive files-to-backup

                        Create a bzipped tar archive: tar cjvf archive files-to-backup

                        Extract a bzipped tar archive: tar xjvf archive files-to-backup

                        List files in a tar archive: tar tf archive

                        Create a cpio archive: ls /dir/* | cpio -ov > archive.cpio

                        Extract a cpio archive: cpio -ivd < archive.cpio

                        List files in a cpio archive: cpio -it < archive.cpio
                        ----------------------------------------------------------



                        TCP wrappers



                        The TCP wrapper program is /usr/sbin/tcpd. It is typically used to limit access to services in the inetd superserver based on IP address or user name. It is also available as a library, libwrap, that can be linked into a program.

                        The IP based controls in TCP wrappers have been mostly superseded by the kernel based iptables, which is more flexible. TCP wrappers is compiled into the xinetd superserver used in Red Hat and SUSE.

                        To protect an inetd service, replace the call to the original service with a call to tcpd and pass the original program name as a parameter. For example, here is a line in /etc/inetd.conf for the proftpd program:
                        ftp stream tcp nowait root /usr/sbin/proftpd

                        and here is the line modified to use TCP wrappers:
                        ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/proftpd

                        The two files that control access, /etc/hosts.allow and /etc/hosts.deny, are checked in this order. The search stops at the first match.

                        If a match is not found in either file, the default is to permit access.

                        Both files use the same syntax:
                        daemon_list : client_list [ : shell_command ]

                        The client list can be a pattern that matches a host name or IP address. Client lists can include the user name, like user@host. The optional shell command allows additional action to be taken after a match.

                        To set up a default deny policy, use this entry in hosts.deny:
                        ALL:ALL

                        Then, anything not explicitly permitted in hosts.allow will be denied.

                        This is an example for hosts.allow that permits access to the proftpd daemon from localhost and from the company.com domain:
                        proftpd: LOCAL, .company.com
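An added example (not tcpd's own code and not from the original page) that models the decision order described above: hosts.allow first, then hosts.deny, then permit by default. It handles only a subset of client patterns (ALL, LOCAL, leading-dot domains, trailing-dot address prefixes, exact names or addresses); the function names, hosts and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: simplified model of the hosts.allow / hosts.deny lookup.

# client_matches PATTERN HOST IP -> exit 0 when the pattern covers the client.
client_matches() {
    case $1 in
        ALL)   return 0 ;;
        LOCAL) case $2 in ''|*.*) return 1 ;; *) return 0 ;; esac ;;  # known name with no dot
        .*)    case $2 in *"$1") return 0 ;; *) return 1 ;; esac ;;   # domain suffix
        *.)    case $3 in "$1"*) return 0 ;; *) return 1 ;; esac ;;   # address prefix
        *)     [ "$1" = "$2" ] || [ "$1" = "$3" ]; return $? ;;       # exact name or address
    esac
}

# rule_file_matches FILE DAEMON HOST IP -> exit 0 when some line in FILE
# lists the daemon (or ALL) and a client pattern that matches.
rule_file_matches() (
    set -f                                  # never glob-expand patterns read from the file
    [ -r "$1" ] || exit 1
    sed 's/#.*//' "$1" | {
        while IFS=: read -r daemons clients rest; do
            hit=no
            for d in $(printf '%s' "$daemons" | tr ',' ' '); do
                if [ "$d" = ALL ] || [ "$d" = "$2" ]; then hit=yes; fi
            done
            [ "$hit" = yes ] || continue
            for c in $(printf '%s' "$clients" | tr ',' ' '); do
                if client_matches "$c" "$3" "$4"; then exit 0; fi
            done
        done
        exit 1
    }
)

# hosts_access_decision DAEMON HOST IP ALLOW_FILE DENY_FILE -> prints allow or deny
hosts_access_decision() {
    if   rule_file_matches "$4" "$1" "$2" "$3"; then echo allow   # hosts.allow is checked first
    elif rule_file_matches "$5" "$1" "$2" "$3"; then echo deny    # then hosts.deny
    else echo allow                                               # no match anywhere: permitted
    fi
}

# Constructed demo: the same outside client before and after adding ALL:ALL.
demo_hosts_access() (
    d=$(mktemp -d) || exit 1
    echo 'proftpd: LOCAL, .company.com' > "$d/allow"
    : > "$d/deny"
    echo "outsider, empty hosts.deny: $(hosts_access_decision proftpd host.example.net 192.0.2.7 "$d/allow" "$d/deny")"
    echo 'ALL:ALL' > "$d/deny"
    echo "outsider, ALL:ALL in hosts.deny: $(hosts_access_decision proftpd host.example.net 192.0.2.7 "$d/allow" "$d/deny")"
    echo "ftp1.company.com: $(hosts_access_decision proftpd ftp1.company.com 10.0.1.20 "$d/allow" "$d/deny")"
    rm -rf "$d"
)
demo_hosts_access
```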
                        ----------------------------------------------------------



                        Users and Groups


                        Shadow Suite

                        The shadow suite is used in every modern distro. It adds encryption to passwords and moves them, along with expiration dates to /etc/shadow (users) and /etc/gshadow (groups).

                        The main system account files are:
                        • /etc/passwd
                        • /etc/shadow
                        • /etc/group
                        • /etc/gshadow
                          Another important file in the shadow suite is /etc/login.defs. It defines the site-specific configuration for the shadow login suite. It controls how the login program behaves, minimum password length, etc.

                          Add a new user: useradd user-name

                          When a new user is created, the system also copies the files from /etc/skel to the new user home directory, including subdirectories. The system adds them to passwd, group, and shadow files as necessary.

                          Delete a user: userdel -r user-name

                          Deletes the user from account files and removes the home directory. Does not delete other files owned by the user, they must be deleted manually or assigned to another user.

                          Set an expiration date for a user: usermod -e MM/DD/YYYY user-name

                          Change user password: passwd user-name

                          Lock a user account: passwd -l user-name

                          Unlock a user account: passwd -u user-name

                          Add a group: groupadd group-name

                          Delete a group: groupdel group-name

                          Change group password: gpasswd group-name

                          Gpasswd is rarely used since many distros create one group for each new user.

                          List the groups a user belongs to: groups user-name
                          ----------------------------------------------------------




                          Bash Shell


                          Bash initialization

                          When you first login, bash reads these initialization files in order (if they exist):

                          /etc/profile -- systemwide profile applies to all users

                          Then, it looks for these files and executes the FIRST one it finds:

                          ~/.bash_profile
                          ~/.bash_login
                          ~/.profile

                          For interactive non-login shells, it executes:

                          ~/.bashrc

                          At logout, it looks for this file to execute:

                          ~/.bash_logout

                          The amazing technicolor multiline bash prompt

                          Set the PS1 environment variable in bash to customize the prompt. This is the prompt I use. It works best with a black background. If you want to keep it, add it to one of your bash startup files (like .bashrc).
                          PS1='\[\e[32;1m\]\u@\h \[\e[33;1m\][\w]\n\[\e[36;1m\]\t\[\e[0m\] $ '

                          Built-in shell variables:

                          $# number of command line arguments
                          $? exit value of last command
                          $$ process ID of current process
                          $! process ID of last background process
                          $0 command name
                          $n where n=1-9 are the 1st thru 9th command line arguments
                          $* all command line arguments
                          $@ all command line arguments, individually quoted ($1 $2 ...)

                          If statement

                          if condition ; then
                              commands
                          elif condition ; then
                              commands
                          else
                              commands
                          fi

                          Test the return status of the previous command:

                          if [ $? == 0 ] ; then
                              commands
                          fi

                          Loops

                          while condition; do
                              commands
                          done

                          for var in list; do
                              commands
                          done

                          for (( expr1; expr2; expr3 )); do
                              commands
                          done

                          Case statements

                          The case statement can be used in place of a complex if statement:
                          case expression in
                              pattern)
                                  commands
                                  ;;
                              pattern)
                                  commands
                                  ;;
                              *)
                                  commands
                                  ;;
                          esac








                          Traps

                          Bash scripts can trap signals to handle error processing better or unexpected events (like the user killing the script).

                          This traps signal(s) and executes "command" instead:
                          trap "command" signal [signal ...]

                          You can list active traps with:
                          trap -p
                          You can reset traps with:
                          trap - signal [signal ...]
                          ----------------------------------------------------------





                          Rsync


                          Note: examples that use a shell use ssh

                          To synchronize a local directory with a remote one, use: rsync -r -a -v -e "ssh -l username" --delete hostname:/remote/dir/ /local/dir/

                          To synchronize a remote directory with a local one, use: rsync -r -a -v -e "ssh -l username" --delete /local/dir/ hostname:/remote/dir/

                          To synchronize a local file with a remote one, use: rsync -a -v -e "ssh -l username" hostname:/filename /local/filename

                          To synchronize a remote file with a local one, use: rsync -a -v -e "ssh -l username" /local/filename hostname:/filename

                          To synchronize a local directory with a remote rsync server: rsync -r -a -v --delete rsync://rsync-server.com/stage/ /home/stage/

                          To synchronize a local directory with a local directory (make a backup), use: rsync -r -a -v --delete /local/dir/ /backup/dir/
                          ----------------------------------------------------------






                          Vi - bare essentials



                          There may be times when vi is the only text editor available, so it helps to at least know the basics. It is the default editor when changing a crontab. For a while, I used vi as my primary editor, but today I use nano.

                          On most Linux distributions, when you run vi, you are really running vim (vi improved). For basic editing, you'll never know the difference.

                          Note: A chunk of this small guide came from a web page I found long ago, but I don't remember where so I can't give proper credit. I've added and changed things from the original text.

                          Vi has two modes, command and insert (really, three if you count replace mode). Command mode is used to navigate, search, and issue other commands. Insert mode is used to enter text.

                          Vi starts in command mode.

                          You can precede most commands with a number indicating how many times to perform a command. For example, entering 99 followed by the down arrow will move the cursor down 99 lines. "99x" will delete 99 characters.

                          While in command mode (case sensitive)
                          • move the cursor with arrow keys; if there aren't any arrow keys, use j,k,h,l
                          • i - change to insert mode (before cursor)
                          • a - change to insert mode (after cursor)
                          • A - change to insert mode (at end of line)
                          • r - replace one character
                          • R - overwrite text
                          • x - delete one character
                          • dd - delete one line
                          • yy - yank line (copy)
                          • p - paste deleted or yanked text after cursor
                          • P - paste deleted or yanked text before cursor
                          • G - go to end of the file
                          • 1G - go to top of the file
                          • J - merge next line with this one
                          • / - search, follow / with text to find
                          • :wq - write file and quit
                          • :q! - quit without saving
                          • :%s/old/new/g - substitute; replace "old" with "new" on all lines

                          While in insert mode
                          • ESC - change to command mode
                          • any text typed is entered at the cursor

                          Typical vi session
                          1. Type "vi file.txt" at command prompt
                          2. Move cursor to where new text will be added
                          3. Type "i" to change to insert mode
                          4. Type new text
                          5. Type ESC to go back to command mode
                          6. Type ":wq" and ENTER to write the file and quit
                          ----------------------------------------------------------






                                MySQL

                                MySQL communicates through either local unix sockets or over TCP/IP port 3306 (default). Database names, tables, field names, and passwords are case sensitive. SQL Commands are not case sensitive.

The configuration file is /etc/my.cnf. It usually doesn't need tweaking, except when using the InnoDB storage engine.

                                The main command line utilities are mysql, mysqldump, and mysqladmin. Many people like the phpMyAdmin package to manage MySQL through a web browser.

                                Server Administration

Show all running MySQL processes:
mysqladmin --user=root --password=xxx processlist

Show detailed status report:
mysqladmin --user=root --password=xxx extended-status

Reload grant tables (after making security table changes):
mysqladmin --user=root --password=xxx reload

Show running configuration settings:
mysqladmin --user=root --password=xxx variables

Kill a slow or locked process. First, get the process id using processlist, then:
mysqladmin --user=root --password=xxx kill id

Reset the value of an autoincrement field in a table
1. mysql --user=root database
2. alter table tablename auto_increment=100;
Note: this resets the autoincrement field to 100. Use caution!

                                  Security

                                  Change/set the root password
1. mysql --user=root mysql (initially no password)
2. update user set Password=password('new_password') where user='root';
3. flush privileges;

                                    Create a user with remote update authority
                                    1. mysql --user=root --password=xxx mysql
2. insert into user (Host, User, Password, Select_priv, Insert_priv, Update_priv, Delete_priv) values ('%', 'remote', password('xxx'), 'Y', 'Y', 'Y', 'Y');
3. flush privileges;
Note: This creates user 'remote' with global update authority that can access MySQL from any host (%). In most cases, a remote user should be limited to a single database.

                                      Create a user with access to just the db1 database
                                      1. mysql --user=root --password=xxx mysql
2. insert into user (Host, User, Password) values ('localhost', 'foo', password('xxx'));
3. insert into db (Host, Db, User, Select_priv, Insert_priv, Update_priv, Delete_priv) values ('localhost', 'db1', 'foo', 'Y', 'Y', 'Y', 'Y');
4. flush privileges;

                                        Backup and Restore

Dump all databases (schema and data):
mysqldump --user=root --password=xxx --all-databases > databases.sql

Dump a single database (schema and data):
mysqldump --user=root --password=xxx --databases db1 > db1.sql

Dump a single database (schema only):
mysqldump --all --no-data --user=root --password=xxx --databases db1 > db1.sql

Restore a database from a dump file:
mysql --user=root --password=xxx < db1.sql

----------------------------------------------------------





                                        Postfix


                                        Postfix Administration

                                        Check the configuration and queue directories for the correct security settings and setup:
                                        postfix check

                                        Display all settings:
                                        postconf

                                        Display non-default settings:
                                        postconf -n

                                        Check mail queues for messages pending delivery:
                                        mailq

                                        Display headers and details about a message:
                                        postcat /var/spool/postfix/deferred/message-id

                                        Delete a message in the queue:
1. mailq (to get the message-id)
2. postfix stop
3. find /var/spool/postfix -name message-id -print | xargs rm
4. postfix start

                                          Configuration files

                                          There are many configuration files used by Postfix located in /etc/postfix. The two main files are:
                                          • master.cf -- defines how/what slave daemons are called by the master daemon
                                          • main.cf -- defines all other configuration options and files

Optional but often used configuration files are:
• alias -- rewrites recipient addresses for local delivery
• virtual -- rewrites recipient addresses for all local, virtual and remote mail destinations.
• generic -- rewrites outbound addresses
• transport -- defines how messages are delivered by email address
• access -- restrict the messages accepted by host/domain/network/address

Optional files must be converted to a postfix lookup table with postmap. For example, postmap virtual creates the lookup table "virtual.db".

                                              Master.cf

                                              To change the smtpd daemon to only accept mail from the localhost, set the service option for smtpd to this:
#service        type  ...     command
localhost:smtp  inet  ...     smtpd
                                              To change the smtpd daemon to accept mail on port 8025 instead of 25, set the service option to this:
#service        type  ...     command
localhost:8025  inet  ...     smtpd

                                              Set up a catch-all address for a domain

Edit /etc/postfix/main.cf and add a line for the virtual map:
                                              virtual_alias_maps = hash:/etc/postfix/virtual

Edit /etc/postfix/virtual and add the following:
################ local users ################
user1@domain.com   user1
user2@domain.com   user2
user3@domain.com   user3
############## catch-all ##############
@domain.com        catch-all

Run postmap virtual, then postfix reload. Now, all email addressed to anyuser@domain.com will go to the catch-all address except the explicitly defined local users.

                                              Get BCCed on all email

                                              Add this line to /etc/postfix/main.cf:
                                              always_bcc = foo@user

                                              Bypassing MX lookups for a domain

                                              The transport map can be used to deliver certain email to a different mail server than where the MX record points. This can be useful if the mail server sits in a DMZ and needs to deliver mail to an internal mail server.

Add a line to the /etc/postfix/transport file similar to this:
# the [] skips MX lookups
foo.com smtp:[10.1.5.1]

Then, run postmap transport and postfix reload.

                                              Filtering email based on headers

                                              Add this line to /etc/postfix/main.cf:
                                              header_checks = regexp:/etc/postfix/header_checks

                                              Edit header_checks and define regular expression rules:
/^From:.*@spammer\.com/ REJECT
/^Subject:.*mortgage/ REJECT
/^content-(type|disposition):.*name[[:space:]]*=.*\.(exe|vbs)/   REJECT Bad attachment file name extension: $2

                                              Above are blocks based on the From:, Subject:, and file attachment extension.
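
Rules like these are easy to get subtly wrong, so it pays to dry-run them against sample headers before reloading Postfix. The script below is an added example, not part of the original how-to: check_header is a hypothetical helper that approximates a regexp: table with grep (case-insensitive extended regex, first match wins, no $n substitution), and the rules and headers are constructed samples, one of which uses a shell-glob style "*" to show why it misses real subjects.

```shell
#!/bin/sh
# Added example: dry-run header_checks style rules against sample headers.

# check_header RULES_FILE "Header: value"
# Prints the action of the first rule whose pattern matches the header and
# returns 0; prints nothing and returns 1 when no rule matches.
# Simplifications (assumptions of this sketch): one "/pattern/ ACTION text"
# rule per line, no "/ " inside the pattern, no flags, no if/endif blocks,
# and $1..$9 in the action text are printed literally, not substituted.
check_header() {
    while IFS= read -r line; do
        case $line in
            /*) ;;              # a /pattern/ ACTION rule
            *) continue ;;      # comment, blank line or unsupported syntax
        esac
        rest=$(printf '%s' "${line#/}" | tr '\t' ' ')
        pattern=${rest%%/ *}                      # text before the first "/ "
        [ "$pattern" != "$rest" ] || continue     # no closing "/ " found
        action=${rest#"$pattern"/}
        action=${action#"${action%%[! ]*}"}       # trim leading spaces
        if printf '%s\n' "$2" | grep -Eiq -- "$pattern"; then
            printf '%s\n' "$action"
            return 0
        fi
    done < "$1"
    return 1
}

# Constructed rules (not taken from a real mail server).
rules=$(mktemp)
cat > "$rules" <<'EOF'
# "*" here repeats the preceding character; it is not a wildcard
/^Subject: *mortgage*/ REJECT glob-style rule
/^Subject:.*mortgage/ REJECT regex rule
/^From:.*@spammer\.com/ REJECT
/^content-(type|disposition):.*name[[:space:]]*=.*\.(exe|vbs)/ REJECT Bad attachment file name extension: $2
EOF

# Constructed sample headers.
for header in \
    'Subject: mortgage offer' \
    'Subject: Low MORTGAGE rates' \
    'From: Promo <deals@spammer.com>' \
    'Content-Disposition: attachment; filename="report.vbs"' \
    'Subject: lunch on friday'
do
    result=$(check_header "$rules" "$header" || echo 'no match')
    printf '%s\n    -> %s\n' "$header" "$result"
done
rm -f "$rules"
```

On a host with Postfix installed, postmap -q "Subject: test" regexp:/etc/postfix/header_checks queries the real table the same way.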

                                              Debugging Postfix

One way to debug postfix is to increase the verbosity level on a service in the /etc/postfix/master.cf file. Add from one to three -v arguments to the end of a service name, then monitor the mail log for the additional debug messages. For example, this increases verbosity on the smtpd process:
smtp inet n - n - - smtpd -v

If you suspect problems with a remote host instead of postfix itself, you can use the debug_peer_list and debug_peer_level options in /etc/postfix/main.cf. This allows you to debug only connections with specific remote hosts. The verbosity level can be set from 1 to 3. For example:
debug_peer_list = foo.com
debug_peer_level = 2

Email related RFCs
• RFC 821 (SMTP)
• RFC 822 (email message format)
• RFC 974 (mail routing)
• RFC 1855 (netiquette)

----------------------------------------------------------



                                                SMTP benchmarking


The smtp-source program is an SMTP benchmark and load testing program included with Postfix. It has a flexible set of options for testing SMTP servers.

                                                An example of using smtp-source:
                                                smtp-source -c -l 100 -m 200 -f test@foo.com -t test@foo.com mail.foo.com

Here is what the options mean:
-c = show count of sent messages
-l nnnn = length of each message (uses X's for body)
-m = number of messages to send
-f = MAIL FROM
-t = RCPT TO
the last option is the receiving mail server

                                                By timing how many messages a server can receive, you can get an idea of the load it can handle.
                                                ----------------------------------------------------------


                                                SSH

                                                SSH server

                                                The first time sshd runs, it generates three cryptographic key pairs and stores the keys in /etc/ssh.
                                                • ssh_host_key and ssh_host_key.pub (v1)
                                                • ssh_host_dsa_key and ssh_host_dsa_key.pub (v2 DSA)
                                                • ssh_host_rsa_key and ssh_host_rsa_key.pub (v2 RSA)

SSH communicates over TCP port 22 by default. The global server configuration file is /etc/ssh/sshd_config.

To deny all root logins, set this value in the sshd_config file:
                                                  PermitRootLogin no

                                                  To disable the less secure v1 SSH protocol, use:
                                                  Protocol 2

To disable X forwarding, use:
                                                  X11Forwarding no

                                                  To disable password logins (force public/private key authentication), use:
                                                  PasswordAuthentication no
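
One way to check a server's configuration against the four settings above, as an added example that is not part of the original how-to. The function names are hypothetical and the sample file is constructed; the script reads only the global section (it stops at the first Match block), applies sshd's first-occurrence-wins rule, and counts a missing directive as a finding because the built-in default depends on the OpenSSH version.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings listed above.

# effective_value FILE KEYWORD
# Prints the value sshd would take for KEYWORD from the global section of
# FILE. Keywords are case-insensitive and the first occurrence wins.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }             # comment or blank line
        tolower($1) == "match" { exit }     # conditional blocks: out of scope
        tolower($1) == want { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one OK/FAIL line per setting; the return status is the number of
# findings (0 means all four settings are in place).
audit_sshd_config() {
    findings=0
    for pair in PermitRootLogin:no Protocol:2 X11Forwarding:no PasswordAuthentication:no; do
        key=${pair%%:*}
        expected=${pair#*:}
        actual=$(effective_value "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "OK    $key $actual"
        else
            echo "FAIL  $key ${actual:-<not set>} (expected $expected)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample input (not from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config for the demo
Port 22
permitrootlogin no
PermitRootLogin yes
Protocol 2,1
#X11Forwarding no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$sample" || echo "findings: $?"
rm -f "$sample"
```

The duplicate PermitRootLogin line passes because the first value is the one in force; the commented-out X11Forwarding and the "Protocol 2,1" line are the two findings.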

                                                  SSH client

Note: because of their sensitive nature, the ~/.ssh/ directory and most of the files in it MUST be read/write for the user and not accessible to group or other. For example:
-rw-------

Otherwise, SSH will ignore them. If you copy personal SSH files to a new system and they don't work, check the permissions.
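
A quick way to find and fix the permissions described in the note, as an added example that is not part of the original how-to. list_exposed and tighten are hypothetical helper names, the demo directory is constructed, and skipping *.pub files (public keys) is an assumption of this example.

```shell
#!/bin/sh
# Added example: find SSH files that group or other can access.

# list_exposed DIR
# Prints "MODE PATH" (ls-style mode string) for DIR and every file under
# it that grants any permission to group or other. *.pub files are skipped
# (assumption: public keys may be readable by others).
# Returns 0 when nothing is exposed, 1 otherwise.
list_exposed() {
    exposed=$(find "$1" ! -type l ! -name '*.pub' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec ls -ld {} \; | awk '{ print $1, $NF }')
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# tighten DIR
# Removes all group/other permissions from DIR and the non-.pub files in it.
tighten() {
    find "$1" ! -type l ! -name '*.pub' -exec chmod go-rwx {} +
}

# Demo on a constructed directory (not a real ~/.ssh).
demo=$(mktemp -d)
touch "$demo/id_dsa" "$demo/id_dsa.pub" "$demo/config"
chmod 600 "$demo/id_dsa"
chmod 644 "$demo/id_dsa.pub" "$demo/config"
chmod 750 "$demo"
echo "before:"
list_exposed "$demo" || true
tighten "$demo"
echo "after:"
list_exposed "$demo" && echo "(nothing exposed)"
rm -rf "$demo"
```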

The default client configuration file is /etc/ssh/ssh_config. The user configuration file, ~/.ssh/config, takes precedence over the default configuration.

                                                  To connect to an SSH server using a different user ID:
                                                  ssh userid@server-name-or-IP

                                                  To securely copy file(s), use scp:
scp localfile userid@server-name-or-IP:remotefile
also
scp userid@server-name-or-IP:remotefile localfile

To generate an SSH keypair for logins without passwords:
ssh-keygen -t dsa

The system will prompt you for the secret key passphrase, then create the keys:
id_dsa (v2 private key)
id_dsa.pub (v2 public key)

Next, append the v2 public key to the ~/.ssh/authorized_keys2 file on the server(s) where you want to login. To bypass the passphrase every time the secret key is needed, load the key into ssh-agent.

                                                  SSH-Agent

                                                  To load secret keys in the ssh-agent manually, execute:
1. ssh-agent
2. ssh-add keyfile (once for each key)

It is usually more convenient to run ssh-agent and load keys in the X startup script or the startup script for your window manager. Another option is to use the keychain script.

                                                    Port Forwarding

                                                    SSH can port forward local and remote connections securely. Only root can forward privileged ports (<=1024).

                                                    To redirect a local port to a remote host port:
                                                    ssh userid@remotehost -L localport:remotehost:remoteport

                                                    To redirect a remote port to a local or remote host port:
                                                    ssh userid@remotehost -R remoteport:host:localport
                                                    ----------------------------------------------------------




                                                    Apache


                                                    Basic Authentication

                                                    To use basic authentication, the AllowOverride directive must be set at the current directory (or higher up in the document root). This sets AllowOverride at the document root:
                                                               AllowOverride All

Create a password file outside the Document Root using the htpasswd program, and add the first user (will prompt for the new user password):
htpasswd -c passwords username

For example, this file could be created in /etc/httpd/passwords.

                                                    Add a user to an existing password file (will prompt for new user password):
                                                    htpasswd passwords username

                                                    To prevent someone from reading .htaccess files, set this global files directive at the document root:
Order allow,deny
Deny from all

                                                    Many distributions include this in the default httpd.conf file.

                                                    Simple example of an .htaccess file placed in the directory it will protect. It only requires a valid user:
AuthName "Foo Web Directory"
AuthType Basic
AuthUserFile /etc/httpd/passwords
Require valid-user

                                                    Name Based Virtual Hosts

                                                    Virtual hosts allow multiple web sites to be served from one instance of Apache. Named based virtual hosts make the decision of what to serve based on the name of the site requested in the incoming HTTP header. IP virtual hosts make the decision based on the IP address the request came from, usually from a NIC with multiple IP addresses.

                                                    The first virtual host defined is the default web site, so that site is served if the name in the HTTP header does not match any other virtual host.

                                                    Sample virtual host definition with domain wildcards and separate log file:
NameVirtualHost *
DocumentRoot /var/www/virtuals/foo.com
ServerName foo.com
ServerAlias *.foo.com
ScriptAlias /cgi-bin/ "/var/www/virtuals/foo.com/cgi-bin/"
CustomLog /var/www/logs/foo.com/access_log combined
DirectoryIndex index.php index.html


                                                    Aliases and Redirects

                                                    Redirects can be done using either mod_alias or mod_rewrite modules. These examples use mod_alias; mod_rewrite is beyond the scope of this micro how-to.

                                                    Aliases can be used if the new location is in the same document root and virtual hosts are not used. Here is an alias to serve the /new directory when /old is requested:
                                                    Alias /old /new

                                                    Redirects are needed when redirecting the location to a new domain, even if both domains are virtual hosts served from the same physical box. Here is a simple redirect:
                                                    Redirect /old http://foo2.com/new

                                                    SSL

SSL uses cryptographic key pairs to secure data transferred between server and clients (in this case, apache and a web browser). In many distributions, the SSL private key is created automatically. If not, use:
openssl genrsa -des3 -rand randfile1:randfile2:randfile3: 1024 > /path/to/ssl.key/server.key

Enter the passphrase when prompted.

                                                    The key must be signed by a third party Certificate Authority (CA), such as Entrust or Verisign. In order to get a signed key, or certificate, a Certificate Signing Request (CSR) must be created and sent to a CA. Of course, CAs charge money for this.

To create a CSR:
openssl req -new -key /path/to/server.key -out /path/to/ssl.csr/server.csr

Answer the prompts regarding Country, Common Name, etc. Some CAs may want specific answers to be blank or answered a particular way. Check the instructions for your CA.

                                                    When the signed certificate comes back, save it to:
                                                    /path/to/ssl.crt/server.crt

                                                    To enable SSL in Apache, use a virtual host definition on port 443 in httpd.conf:
DocumentRoot "/var/www"
ServerName www.servername.com:443
ServerAdmin root@localhost
SSLEngine on
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key

                                                    This is not a complete configuration. There are many more SSL directives available. The distribution may have reasonable defaults set, so these may be the only directives that have to be updated.

                                                    Domain wildcards

                                                    To configure domain wildcards so that any subdomain name displays the content of the main site, use the ServerAlias directive:
ServerName foo.com
ServerAlias *.foo.com

The asterisk will match all subdomain names for the domain and return the document root page for foo.com. This also works with virtual hosts.

Note: Apache is only half of setting up domain wildcards; the DNS server must also be set up to direct all subdomains to the web server IP address. See the DNS micro how-to for details.

----------------------------------------------------------




                                                    Apache Bench


Apache bench (ab) is a benchmarking program that ships with the Apache web server. While it may not be the most sophisticated tool, it is still very useful.

                                                    Apache bench should be run from a remote client since running it on the web server will skew the results down. Ideally, it should be run from multiple remote clients at the same time from different networks to better simulate actual web traffic.

To measure HTTP GET performance, use:
ab -n 10000 -c 25 URL

The -n is the number of requests to make and -c is the number of concurrent requests to make.

To measure HTTP PUT performance (form submissions), use:
ab -n 10000 -c 25 -p postfile.txt URL

The test PUT file, postfile.txt, does not have to be formatted as a valid PUT request; it can be a plain text file of the length you want to test.

                                                    Here is a sample report:

This is ApacheBench, Version 1.3d <$Revision: 1.73 $> apache-1.3
Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright (c) 1998-2002 The Apache Software Foundation, http://www.apache.org/

Benchmarking linuxboxadmin.com (be patient).....done
Server Software:
Server Hostname: linuxboxadmin.com
Server Port: 80

Document Path: /
Document Length: 15738 bytes

Concurrency Level: 4
Time taken for tests: 14.986 seconds
Complete requests: 100
Failed requests: 0
Broken pipe errors: 0
Total transferred: 1599796 bytes
HTML transferred: 1576465 bytes
Requests per second: 6.67 [#/sec] (mean)
Time per request: 599.44 [ms] (mean)
Time per request: 149.86 [ms] (mean, all requests)
Transfer rate: 106.75 [Kbytes/sec] received

Connnection Times (ms)
              min  mean[+/-sd] median   max
Connect:       79    93    9.7     93   122
Processing:   403   503   32.1    509   564
Waiting:      322   503   32.1    509   564
Total:        403   597   28.5    599   654

Percentage of the requests served within a certain time (ms)
  50%    599
  66%    605
  75%    613
  80%    619
  90%    628
  95%    638
  98%    648
  99%    654
 100%    654 (last request)

----------------------------------------------------------

                                                    DHCP


                                                    DHCP clients

The dhcp client in most distributions comes from the Internet Software Consortium (ISC). The program is dhclient and uses the /etc/dhclient.conf configuration file. The DHCP client will attempt to configure all network interfaces unless specified otherwise on the command line or in the configuration file.

                                                    To obtain an IP address lease for eth0:
                                                    dhclient eth0

                                                    To release the current IP lease:
                                                    dhclient -r eth0

Current lease information is stored in:
/var/lib/dhcp/dhclient.leases

Some distributions use dhcpcd or pump as their dhcp client.

                                                    DHCP server

The ISC DHCP server is dhcpd. It implements the DHCP and BOOTP protocols.

                                                    The configuration file is:
                                                    /etc/dhcpd.conf

                                                    The lease file is:
                                                    /var/lib/dhcp/dhcpd.leases

                                                    Sample DHCP subnet configuration:
subnet 10.1.4.0 netmask 255.255.255.0 {
    range 10.1.4.100 10.1.4.250;
    default-lease-time 86400;
    max-lease-time 86400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.1.4.255;
    option routers 10.1.4.1;
    option domain-name-servers 10.1.5.1, 10.1.5.2;
    option domain-name "foo.com";
}

Sample fixed IP assigned by MAC address:
host tk421 {
    hardware ethernet 00:00:45:12:EE:F4;
    fixed-address 10.1.4.99;
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.1.4.255;
    option routers 10.1.4.1;
    option domain-name-servers 10.1.5.1, 10.1.5.2;
    option domain-name "foo.com";
}

----------------------------------------------------------



                                                    DNS


                                                    DNS client name resolution

When a DNS name lookup is requested, it calls the resolver library (gethostbyname() C function). Programs linked against glibc will search using the order defined on the hosts line in /etc/nsswitch.conf. Typically, the hosts line is defined as:
hosts: files dns

This tells the resolver to look in /etc/hosts first, then ask DNS. Sometimes, NIS or a central database is included on the hosts line.

The resolver uses the name servers defined in /etc/resolv.conf. Most distributions use some kind of configuration tool to manage this file, so be careful of manual modifications.

                                                    DNS client utilities

The dig program (Domain Internet Groper) sends domain name query packets to name servers and can be used to test DNS configuration.

Dig queries use this format:
dig @server domain query-type query-class

where query-type is one of all, mx, ns, soa, txt or axfr (zone transfer).

                                                    For reverse DNS lookups:
                                                    dig -x 1.2.3.4

                                                    DNS/BIND server

                                                    There are 13 root servers that are the master servers for the whole system. The latest root server file can be downloaded from FTP.RS.INTERNIC.NET.

                                                    The DNS/BIND server daemon is "named". By default, named listens on UDP port 53.

The named configuration file is:
                                                    /etc/named.conf

Within /etc/named.conf, the location of the zone files is specified with the directory option. For example:
options {
   directory "/var/named";
};

                                                    And here is a typical authoritative zone definition:
zone "foo.com" {
   type master;
   file "foo.com";
   allow-transfer { 1.2.3.4; };
   allow-query { any; };
};

Here is the minimal zone file defined above (/var/named/foo.com):
$TTL 3600
@       IN      SOA     ns1.foo.com. hostmaster.foo.com. (
           2005092601      ; serial, todays date + serial #
           3600            ; refresh, seconds
           900             ; retry, seconds
           1209600         ; expire, seconds
           3600 )          ; minimum, seconds
        IN      NS      ns1.foo.com.
        IN      NS      ns2.foo.com.
        IN      MX      10 mail.foo.com.  ; Primary Mail
localhost         A     127.0.0.1
ns1               A     1.2.3.4
ns2               A     1.2.3.5
foo.com.          A     1.2.3.6
mail              A     1.2.3.6
www               A     1.2.3.6

                                                    When updating a zone file, the serial number must be incremented or named will not load the new configuration.

                                                    Here is a typical reverse lookup zone file (always in domain in-addr.arpa):
                                                            $TTL 3600
                                                            3.2.1.in-addr.arpa.  IN  SOA  ns1.foo.com. hostmaster.foo.com. (
                                                                       2005092601      ; serial, today's date + serial #
                                                                       3600            ; refresh, seconds
                                                                       900             ; retry, seconds
                                                                       3600            ; expire, seconds
                                                                       3600 )          ; minimum, seconds
                                                            ; name servers
                                                            3.2.1.in-addr.arpa.     IN  NS    ns1.foo.com.
                                                            3.2.1.in-addr.arpa.     IN  NS    ns2.foo.com.
                                                            ; reverse DNS mapping
                                                            6.3.2.1.in-addr.arpa.  IN  PTR   mail.foo.com.

                                                    Turning off or limiting recursion

                                                    Recursive lookups (allowed by default) can create security risks and performance issues, specifically DNS cache poisoning attacks. To turn off recursion altogether, use this option in named.conf:
                                                            options {
                                                               recursion no;
                                                            };

                                                    To allow recursion for certain hosts, use an access control list to define the IP addresses of hosts that can use recursion. Use this to allow recursion for internal hosts while denying recursion for the public:
                                                            acl recursionok { 192.168.1.0/24; 192.168.2.100; };
                                                            options {
                                                               allow-recursion { recursionok; };
                                                            };

                                                    This would only allow hosts with source IP addresses of 192.168.1.0/24 or 192.168.2.100 to query about domains the server is not authoritative for.
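To confirm that the recursion settings above took effect, look at the flags in the header of a dig reply: `ra` means the server offered recursion to the querying host. The script below is an added example, not part of the original how-to; the function names and the sample replies are constructed for illustration.

```shell
#!/bin/sh
# Added example: read dig output and report whether recursion was offered.

# Constructed dig reply from a server that refuses recursion to this client.
sample_reply_restricted() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
EOF
}

# Constructed dig reply from a server that recursed for this client.
sample_reply_open() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# Reads dig output on stdin and prints one word:
#   recursion-available    header carries the ra flag
#   recursion-unavailable  header seen, no ra flag
#   no-reply               no header at all (timeout, unreachable server)
recursion_status() {
    awk '
    /^;; flags:/ {
        seen = 1
        flags = $0
        sub(/^;; flags:/, "", flags)   # drop the label
        sub(/;.*$/, "", flags)         # drop the counters after the flag list
        n = split(flags, f, " ")
        for (i = 1; i <= n; i++) if (f[i] == "ra") ra = 1
    }
    END {
        if (!seen) print "no-reply"
        else if (ra) print "recursion-available"
        else print "recursion-unavailable"
    }'
}

# Live check (needs dig and network access): ask for a name the server is not
# authoritative for, once from inside and once from outside the ACL.
check_server() {   # usage: check_server <server-ip> <name>
    dig +time=3 +tries=1 "@$1" "$2" A | recursion_status
}

sample_reply_restricted | recursion_status
sample_reply_open | recursion_status
```

With the ACL in place, a host in 192.168.1.0/24 should report recursion-available and any other host recursion-unavailable.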

                                                    Setting up a caching only name server

                                                    If you don't want to host your own DNS zones, but do want to centralize name lookups to reduce DNS overhead, you can set up a caching only name server. This server accepts DNS requests and forwards all requests that are not cached to another DNS server to resolve, passing the result back to the client.

                                                    To set up a caching only server, do NOT define any authoritative zones in the /etc/named.conf file, just enter valid DNS servers in the forwarders option. For example:
                                                            options {
                                                               forward first;
                                                               forwarders {
                                                                   1.2.3.4; 1.2.3.5;
                                                               };
                                                            };

                                                    The "forward first" option tells the server to try the forwarders first, then do a lookup itself if the forwarders fail to resolve the name. The "forward only" option tells the server to try the forwarders, then fail if it does not get an answer.

                                                    DNS domain wildcards

                                                    To configure DNS wildcards so that any subdomain name resolves to the main site, use an "*" in the CNAME record:
                                                    www IN A 1.2.3.4
                                                    * IN CNAME www

                                                    The asterisk will match all subdomain names for the domain and return the IP address of www, sending the browser to the main web site. This technique is often used in marketing programs where you want everyone to arrive at the same web site, but want to track who sent them there by the HTTP REFERRER.

                                                    note: DNS is only half of setting up domain wildcards, the web server must also be set up to accept all subdomains and show the same content. See the Apache micro how-to for details.

                                                    Testing your DNS configuration

                                                    A good tool that runs many tests against your DNS server can be found at:
                                                    DNSreport.com
                                                    ----------------------------------------------------------





                                                    NFS

                                                    NFS Server

                                                    The Network File System is a TCP/IP file sharing protocol invented by Sun Microsystems. The daemons that implement the server are nfsd, mountd, and, if quotas are needed, rquotad. Since NFS relies on remote procedure calls, the portmapper daemon must also be running.

                                                    Shared file systems are defined in the /etc/exports file.

                                                    Each line describes a file system to export and which client machines can mount it with what permissions. By default, the user ID of the mounting user is used for file level permissions on the server machine. So, if you mount a remote file system as user "foo", then the permissions of the user "foo" on the server machine control what can be done on the mounted file system (within the limits of the /etc/exports definition). This is considered a weakness of NFS security because if a remote user gains root access, he has root permissions on NFS shared files. However, root connections can be blocked in the /etc/exports file.

                                                    Here is a simple example of /etc/exports:
                                                            /dir1       (rw)
                                                            /dir2       *.localdomain(ro,root_squash)
                                                            /dir3       (rw,all_squash)

                                                    dir1 is shared read/write to all machines; dir2 is shared read-only to all machines in localdomain, and root connections are mapped to the anonymous uid/gid; dir3 is shared read/write to all machines, and all connections are mapped to the anonymous uid/gid.
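The exposure described above can be checked mechanically. The script below is an added example, not part of the original how-to: it reads exports-style text and flags entries that are read/write to every host, entries that turn off root squashing, and option lists broken by a stray space. The function names and the sample file are constructed; the /home line shows the known exports(5) pitfall where a space before "(rw)" applies the options to all hosts.

```shell
#!/bin/sh
# Added example: audit exports(5)-style text for risky entries.

# Constructed sample input (not taken from a real server).
sample_exports() {
    cat <<'EOF'
# constructed sample
/dir1   (rw)
/dir2   *.localdomain(ro,root_squash)
/dir3   (rw,all_squash)
/home   client1 (rw)
/srv    10.0.0.5(rw,no_root_squash)
/pub    *.localdomain(ro, root_squash)
EOF
}

# Reads exports text on stdin; prints "<path> <client> <finding>" per issue.
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            spec = $i
            lp = index(spec, "(")
            ends = (substr(spec, length(spec)) == ")")
            if ((lp > 0) != ends) {         # option list broken by a space
                print path, spec, "malformed-options"
                continue
            }
            client = spec; opts = ""
            if (lp > 0) {
                client = substr(spec, 1, lp - 1)
                opts = substr(spec, lp + 1, length(spec) - lp - 1)
            }
            if (client == "") client = "*"  # bare "(opts)" applies to every host
            rw = 0; noroot = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash") noroot = 1
            }
            if (client == "*" && rw) print path, client, "rw-to-all-hosts"
            if (noroot) print path, client, "root-not-squashed"
        }
    }'
}

sample_exports | audit_exports
```

Run it against a real file with `audit_exports < /etc/exports`; no output means none of the three conditions was found.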

                                                    NFS Client

                                                    To mount a remote NFS filesystem, use:
                                                    mount -t nfs servername:/exported-file-system /local-mount-point

                                                    To allow all users to mount the NFS filesystem, add this to /etc/fstab:
                                                    nfssrv:/exported /mnt/local nfs noauto,user,exec 0 0
                                                    where nfssrv:/exported is the remote NFS server and filesystem and /mnt/local is the local mount point.

                                                    NFS Utilities

                                                    Check NFS traffic on the server with nfsstat.

                                                    Show server statistics:
                                                    nfsstat -s

                                                    Show client statistics:
                                                    nfsstat -c

                                                    Show exported filesystems on a remote server:
                                                    showmount --exports nfs-server

                                                    Show all mounted filesystems:
                                                    showmount --all nfs-server

                                                    NFS Performance

                                                    The NFS HOW-TO recommends mounting all NFS shares with these options:
                                                    hard,intr,rsize=8192,wsize=8192
                                                    The read size and write size buffers will greatly increase performance in most cases. The hard option tells the system to lock an app that is using an NFS mount if communication is lost between server and client. The intr option lets you kill such an app with the interrupt signal (you don't have to use kill -9).
                                                    ----------------------------------------------------------


                                                    Postgresql


                                                    By default, Postgres listens on TCP port 5432.

                                                    Dump all databases:
                                                    pg_dumpall --clean > databases.sql

                                                    Dump a database with compression (-Fc):
                                                    pg_dump -Fc --file=database.sql --clean database

                                                    Restore a database from a dump file:
                                                    pg_restore -Fc database.sql

                                                    Start the postgres interactive terminal:
                                                    psql

                                                    Psql - show all databases:
                                                    select * from pg_database;

                                                    Psql - show all tables:
                                                    select * from pg_tables;

                                                    Psql - copy a table to a tab delimited file:
                                                    COPY table TO 'table.txt';

                                                    Psql - load a table from a tab delimited file:
                                                    COPY table FROM 'table.txt';

                                                    Run the vacuum utility:
                                                    vacuumdb --verbose --analyze --all
                                                    Note: vacuum reclaims space from deleted records and updates indexes. It should be set up in cron. Newer versions of postgresql may run vacuum automatically.

                                                    Increase performance with shared memory

                                                    One effective performance tuning tip for Postgresql is to increase the shared memory buffers. This might require adding RAM to the server. Many Linux distros default to 32MB of shared memory, controlled by two kernel parameters:
                                                    /proc/sys/kernel/shmmax
                                                    /proc/sys/kernel/shmall

                                                    These values can be changed at run time, but it is better to set them at boot using the /etc/sysctl.conf file. This increases shared memory to 1GB:
                                                    # increase shared buffers for postgres at boot
                                                    kernel.shmmax=1073741824
                                                    kernel.shmall=1073741824

                                                    Then, tell Postgres to use 768MB of the 1GB available in the /var/lib/pgsql/data/postgresql.conf file:
                                                    shared_buffers = 98304 # min 16, at least max_connections*2, 8KB each

                                                    Restart postgres for the change to take effect.