Eu buntu nix

Google
 
Web Eu Buntu nix

Sunday, April 30, 2006

How-To LINUX

How-To LINUX-www.linuxboxadmin.com

Configure serial ports

View serial ports/multi-port boards (must be root)

setserial /dev/ttyS0
setserial /dev/ttyS1

Set a serial port to 115k (must be root)

setserial /dev/ttyS0 spd_vhi
This only configures the port, not any attached modem or serial device.
Other speeds:
spd_normal 38.4 k
spd_hi 57.6k
spd_shi 230k
spd_warp 460k


----------------------------------------------------------

Set ethernet to full duplex

Set an ethernet adapter to full duplex (must be root):

mii-tool --force=100baseTx-FD eth0

If you want to force full duplex as boot time, add the above command to one of the startup scripts, such as /etc/rc.d/boot.local.



----------------------------------------------------------


Set the real time clock

Set the real time clock

hwclock --set --date="3/21/02 01:10:00"


----------------------------------------------------------

Tune IDE disks

See IDE disk settings (must be root)

hdparm /dev/hd? (hda, hdb, etc.)

Set DMA for IDE disks (must be root)

hdparm -d1 /dev/hd? (hda, hdb, etc.)
Usually big performance gains, especially for DVD drives.

Tune additional IDE disk settings (must be root)

hdparm -d1 -c3 -m16 /dev/hd? (hda, hdb, etc.)
The -c3 option turns on the 32-bit EIDE interface. The -m16 option sets the read ahead buffer to 16 sectors. Fairly non-agressive settings for modern EIDE disk.

Test IDE disk performance (must be root)

hdparm -tT /dev/hd? (hda, hdb, etc.)


----------------------------------------------------------

View detected hardware

General

The Linux kernel stores all hardware settings in the virtual directory /proc.

See IO ports

cat /proc/ioports

See IRQs

cat /proc/interrupts

See PCI devices

cat /proc/pci
also
/sbin/lspci

See USB hubs and devices

cat /proc/bus/usb/devices
also
usbview (gui program)

See IDE disk settings (must be root)

hdparm /dev/hd? (hda, hdb, etc.)

View serial ports/multi-port boards (must be root)

setserial /dev/ttyS0 setserial /dev/ttyS1

Active network cards

/sbin/ifconfig
also
/sbin/ip addr

Boot time hardware detection messages (kernel ring buffer)

dmesg | less

----------------------------------------------------------

Apt and dpkg commands



To update the local cache from apt repositories

apt-get update

To download and install a package (including dependencies):

apt-get install package-name

To install a single .deb package:

dpkg --install package.deb

To remove a package:

apt-get remove package-name

To find all available packages that match a pattern:

apt-cache search pattern

apt-cache searches the package names and descriptions.

To display package information:

apt-cache show package-name

To show all installed packages:

dpkg --list

To show all files that belong to a package:

dpkg --listfile package-name



----------------------------------------------------------

Cron fields


Crontab fields

Here is how the fields are defined:

  1. minute
  2. hour
  3. day of the month
  4. month of the year
  5. day of the week
  6. program or command to run

An asterisk (*) in any field means run every time for this field. Ranges (X-Y) and steps (X-Y/Z) can also be defined.

User crontabs

To edit a user crontab (including root):
crontab -e

To delete a crontab:
crontab -r

System crontab

The system crontab is stored in /etc/crontab. It can be changed (as root) with a text editor.

The system crontab has one extra field before the program to run, which is the user to run the command as (usually root).


----------------------------------------------------------
Default gateway

To set the default gateway:

route add default gw ip-address interface

For example, route add default gw 10.1.1.1 eth0

To view the current routing table:

route -n
Here is a typical routing table:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.241.1.118 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
192.168.1.203 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
The entry with a destination of 0.0.0.0 is the default gateway.


----------------------------------------------------------


Disk quotas


The Linux kernel supports disk quotas if the support for quotas is compiled into it. The kernel configuration option is CONFIG_QUOTA=y. Most distributions include this option in their kernels.

There are four steps to enabling quotas on a file system.

  1. Add the usrquota option to the /etc/fstab entry
  2. Use quotacheck filesystem to create initial quota files
  3. Use edquota to set quota limits for users/groups
  4. Enable quotas with quotaon filesystem

Quota files (binary)

Two quota files are stored in the root of the file system where they apply. They are:

  • quota.user (v1) or aquota.user (v2)/li>
  • quota.group (v1) or aquota.group (v2)

To set quotas for a user:

edquota -u user

To set quotas for a many users based on a another user:

edquota -p protouser -u user [user]

To set quotas for a group:

edquota -g group

To see a summary report on all quotas

repquota -a

To disable quotas:

quotaoff filesystem

To scan/update/repair quota files (unmount file system first):

quotacheck -u -g

Hard and Soft Limits

There are two limits that are enforced in the quota system. The first is a limit on the total amount of space used by all files owned by the user (block limit). The second is a limit on the maximum number of inodes used (file limit). Each limit has a soft (warning level) and hard limit (stop level). If a user exceeds the soft level, they have a grace period (7 days) to correct the problem. When they hit the hard limit, the system will not allocate any more space to them until they remove some files.



----------------------------------------------------------


File Timestamps



Each file has three dates associated with it (stored as the number of seconds since the epoch, Jan 1, 1970). The three timestamps are

  • Access time (atime) - the last time the file was read
  • Modify time (mtime) - the last time the file contents were changed
  • Change time (ctime) - the last time the file permissions were changed

In a long directory listing, the timestamp shown is the Modify time (mtime). To see all timestamps, use:
stat filename

Here is sample output from stat:

  File: `apache.php'
Size: 9791 Blocks: 24 IO Block: 4096 Regular File
Device: 302h/770d Inode: 1818841 Links: 1
Access: (0644/-rw-r--r--) Uid: (32045/ wileyjb) Gid: (32045/ wileyjb)
Access: 2006-03-08 13:48:55.000000000 -0500
Modify: 2006-03-04 14:33:37.000000000 -0500



Change: 2006-03-04 14:33:37.000000000 -0500


----------------------------------------------------------



Find suid/sgid files



Find all SUID root files:

find / -user root -perm -4000 -print

Find all SGID root files:

find / -group root -perm -2000 -print

Find all SUID and SGID files owned by anyone:

find / -perm -4000 -o -perm -2000 -print

Find all files that are not owned by any user:

find / -nouser -print

Find all files that are not owned by any group:

find / -nogroup -print

Find all symlinks and what they point to:

find / -type l -ls


----------------------------------------------------------

Fstab fields


Each line in /etc/fstab contains infomaton on one filesystem. For example,

/dev/hda7 / ext3 defaults 0 0

There are 6 fields:

  1. device name (e.g., /dev/hda)
  2. mount point
  3. filesysem type (ext2, reiser, iso9660, etc.)
  4. options (ro, noauto, user, usrquota)
  5. dump should backup this filesystem (0=no, 1=yes)
  6. fsck order on reboots (0=dont check, 1=root filesystem, 2=other filesystems)



----------------------------------------------------------


Iptables




Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.

If any routing or forwarding is to be done with iptables, set the ip_forward kernel value:
echo "1" > /proc/sys/net/ipv4/ip_forward

Here is the general syntax for iptables commands:
iptables -t table -[ADC] chain rule-specification [options]

The -ADC is for append, delete, or change the rule. The -t table can be either filter (default), nat, or mangle.

Rules are processed in order until they match, then they are either sent to another chain or are handled immediately through one of four targets (ACCEPT, DROP, QUEUE, or RETURN). The jump (-j) option at the end of a rule determines the fate of a packet.

Meaning of targets:

  • ACCEPT means to let the packet through.
  • DROP means to drop the packet on the floor.
  • QUEUE means to pass the packet to userspace (if supported by the kernel).
  • RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain.

Each of the main kernel tables has a fixed number of chains where rules can be applied:

  1. filter (default)
    1. INPUT (for packets destined for the box itself)
    2. FORWARD (for packets being routed through the box)
    3. OUTPUT (for locally-generated packets)
  2. nat (masquerading)
    1. PREROUTING (for altering packets as soon as they come in)
    2. OUTPUT (for altering locally-generated packets before routing)
    3. POSTROUTING (for altering packets as they are about to go out)
  3. mangle (special processing)
    1. PREROUTING (for altering incoming packets before routing)
    2. OUTPUT (for altering locally-generated packets before routing)
    3. INPUT (kernel >= 2.4.18)
    4. FORWARD (kernel >= 2.4.18)
    5. POSTROUTING (kernel >= 2.4.18)

To save the current iptables rules to a file:

iptables-save > firewall-rules.txt

To restore saved iptables rules from a file:

iptables-restore <>

To clear (flush) all rules for the filter table:

iptables -F -t filter

To list all rules currently in effect for the filter table:

iptables -L

To list all rules currently in effect for the nat table:

iptables -t nat -L

To blacklist an IP (drop all incoming packets from that IP):

iptables -t filter -A INPUT -i eth0 --source 1.2.3.4 -j DROP

To port forward SMTP to an internal IP:

iptables -t nat -A PREROUTING --destination 64.14.241.55 -p tcp --dport 25 -j DNAT --to-destination 10.0.1.9

To masquerade outbound traffic from the internal network (traditional NAT):

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To delete rule 4 from the PREROUTING chain of the nat table:

iptables -t nat -D PREROUTING 4



----------------------------------------------------------


Kernel Modules



Kernel module dependencies are stored in:
/lib/modules/kernel-version/modules.dep

To show loaded kernel modules:
lsmod

To display information about a module:
modinfo module-name

To load a module (and dependent modules):
modprobe module-name

To unload a module (and dependent modules):
rmmod -r module-name

Altering how kernel modules are loaded

The /etc/modules.conf file can be used to alter how kernel modules are loaded. The most common entry is an alias mapping a generic name to an actual module. For example:
alias eth0 e100
The above line loads the e100 module if modprobe eth0 is executed.

It can also be used to pass parameters to modules, or force loading a module stack not defined in normal dependencies.

Kernel sources

Installing the kernel sources varies considerably since most distributions ship heavily patched kernels. Follow the docs of the distribution.


----------------------------------------------------------

RPM commands



Location of RPM database files:

/var/lib/rpm/

To install a package (i=install v=verbose h=show hash marks):

rpm -ivh package.rpm

To uninstall (erase) a package:

rpm -e package-name

To upgrade a package:

rpm -Uvh package.rpm

To test a package without installing (checks dependencies):

rpm -Uvh --test package.rpm

To verify a package:

rpm -Vvv package-name

To verify ALL installed packages:

rpm -Va

To find installed package names matching a pattern:

rpm -qa | grep pattern

To see what files a new package is going to install:

rpm -qpl package.rpm

To see what files belong to an installed package:

rpm -ql package-name

To see what package owns a file:

rpm -qf filename

To rebuild the RPM database:

rpm --rebuilddb

To bypass running the install/uninstall scripts in a package:

rpm -ivh --no-scripts package.rpm
also
rpm -e --no-scripts package-name

Mass install:

rpm -ivh *.rpm

Mass uninstall of packages that match a pattern:

rpm -qa | grep pattern | xargs rpm -e



----------------------------------------------------------


Sar - System Activity Report



Sar is the "system activity report" program. In Linux, it is often found in the sysstat package. The package includes the sadc program that gathers stats and stores them in binary files in /var/log/sa/, and the report programs, sar, mpstat, and iostat. It also includes the sa1 and sa2 shell scripts that execute sadc and produce daily summaries of the data.

Capturing performance data

If you install sar from a package, several scripts may be set up automatically to gather data. Check the cron configuration for sa1 and sa2 scripts. If the scripts are not scheduled to run, here is a typical cron configuration:
# run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib/sa/sa1 1 1
# generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib/sa/sa2 -A

To show CPU performance:

sar -u

To show average IO performance over time:

sar -b

To show average IO performance by device:

iostat

To show average network performance:

sar -n FULL

To show network performance by device:

sar -n DEV

To show network errors by device:

sar -n EDEV

To show memory performance:

sar -R

To show paging (swap file) performance:

sar -W



----------------------------------------------------------

Shared Libraries and Tracing



Many Linux programs use dynamic shared libraries (.so=shared object), similar to Windows DLLs. The list of directories that Linux searches for shared libraries is defined in /etc/ld.so.conf. At run time, Linux uses a cache of available libraries (updated during boot from /etc/ld.so.conf) to determine what to load from where when a call is made to a shared library. The cache file is /etc/ld.so.cache.

Adding or updating libraries

After a change to /etc/ld.so.conf or after new libraries are installed, update the library cache file (as root):
ldconfig

To determine which libraries are used by a program or another library:

ldd [program-name | library-name]

Stack tracing

To see all system calls made by a program, calls to libraries, and signals received, use:
strace program-name
note: see also ltrace

Static linking with gcc

To statically link libraries with a program while compiling, pass the -static flag to gcc:
gcc [other options] -static

If compiling from a Makefile, set the linker options in the LDFLAGS variable:
LDFLAGS = -static




----------------------------------------------------------


SMTP test


To test SMTP from the command line:
  1. telnet host-to-test 25 (connect to port 25 on mail server)
  2. HELO sending-host
  3. MAIL FROM: foo@foo.com
  4. RCPT TO: bar@bar.com
  5. DATA
    (enter one blank line after DATA)
  6. Subject: test
    To: to-user
    From: from-user
    (enter one blank line after From:) test text for email
    . (enter a single period by itself on the last line)
  7. QUIT


----------------------------------------------------------

Special Permissions



In addition to the standard permissions (rwx), there are 3 special permissions that can be set for a file or directory: suid, sgid, and sticky bit.

suid -- this special permission allows the file to be executed with the security permissions of the file owner instead of the permission of the user who ran the program. This can be a source of security problems. Some daemons run as suid root. The suid permission is seen as an "S" in the user executable position a long directory listing (ls -l). Has no effect if the file is not executable.

To set the suid permission:
chmod u+s filename

sgid -- this special permission allows the file to be run with the security permissions of the group instead of the permission of the user who ran the program. This can be a source of security problems. The sgid permission is seen as an "S" in the group executable position a long directory listing (ls -l). Has no effect if the file is not executable.

To set the sgid permission:
chmod g+s filename

Note: If sgid is set on a directory, any file created within that directory will have the same group owner assigned as the directory. Useful when a group of users is sharing the same directory.

sticky bit on a directory -- Prevents any files in a directory from being deleted by anyone but the owner of that file. Often used on the /tmp directory. Good to prevent accidental deletions by rm * commands. The sticky bit is seen as a t in a long directory listing (ls -l). Setting the sticky bit on a file is ignored by Linux.

To set the sticky bit:
chmod o+t dirname




----------------------------------------------------------


Sysctl



Sysctl is used to view and modify kernel parameters at run time. It is slightly more elegant than copying values directly to /proc.

The /etc/sysctl.conf file is the sysctl default file that often contains multiple parameter settings to be loaded at once. It is sometimes used by start up scripts so be careful making changes to it. To modify multiple parameters at once, it is safer to create a new file.

To view all kernel parameters:

sysctl -a

To set a new value for a kernel parameter:

sysctl -w variable.name=xxxx

For example:
sysctl -w net.ipv4.ip_forward=1

To load multiple parameters from a file:

sysctl -p filename



----------------------------------------------------------


Tar and cpio



Create a gzipped tar archive

tar czvf archive files-to-backup

Extract a gzipped tar archive

tar xzvf archive files-to-backup

Create a bzipped tar archive

tar cjvf archive files-to-backup

Extract a bzipped tar archive

tar xjvf archive files-to-backup

List files in a tar archive

tar tf archive

Create a cpio archive

ls /dir/* | cpio -ov > archive.cpio

Extract a cpio archive

cpio -ivd <>

List files in a cpio archive

cpio -it <>

----------------------------------------------------------

TCP wrappers



The TCP wrapper program is /usr/sbin/tcpd. It is typically used to limit access to services in the inetd superserver based on IP address or user name. It is also available as a library, libwrap, that can be linked into a program.

The IP based controls in TCP wrappers have been mostly superceded by the kernel based iptables, which is more flexible. TCP wrappers is compiled into the xinetd superserver used in Red Hat and SUSE.

To protect an inetd service, replace the call to the original service with a call to tcpd and pass the original program name as a parameter. For example, here is a line in /etc/inetd.conf for the proftpd program:
ftp stream tcp nowait root /usr/sbin/proftpd

and here is the line modified to use TCP wrappers:
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/proftpd

The two files that control access, and are checked in this order. The search stops at the first match.
/etc/hosts.allow
/etc/hosts.deny

If a match is not found in either file, the default is to permit access.

Both files use the same syntax:
daemon_list : client_list [ : shell_command ]

The client list can be a pattern that matches a host name or IP address. Client lists can include the user name, like user@host. The optional shell command allows additional action to be taken after a match.

To set up a default deny policy, use this entry in hosts.deny:
ALL:ALL
Then, anything not explicitly permitted in hosts.allow will be denied.

This is an example for hosts.allow that permits access to the proftpd daemon from localhost and from the company.com domain:
proftpd: LOCAL, .company.com



----------------------------------------------------------

Users and Groups



Shadow Suite

The shadow suite is used in every modern distro. It adds encryption to passwords and moves them, along with expiration dates to /etc/shadow (users) and /etc/gshadow (groups).

The main system account files are:

  • /etc/passwd
  • /etc/shadow
  • /etc/group
  • /etc/gshadow

Another important file in the shadow suite is /etc/login.defs It defines the site-specific configuration for the shadow login suite. It controls how the login program behaves, minimum password length, etc.

Add a new user:

useradd user-name

When a new user is created, the system also copies the files from /etc/skel to the new user home directory, including subdirectories. The system adds them to passwd, group, and shadow files as necessary.

Delete a user:

userdel -r user-name

Deletes the user from account files and removes the home directory. Does not delete other files owned by the user, they must be deleted manually or assigned to another user.

Set an expiration date for a user:

usermod -e MM/DD/YYYY

Change user password:

passwd user-name

Lock a user account:

passwd -l user-name

Unlock a user account:

passwd -u user-name

Add a group:

groupadd group-name

Delete a group:

groupdel group-name

Change group password:

gpasswd group-name

Gpasswd is rarely used since many distros create one group for each new user.

List the groups a user belongs to:

groups user-name

----------------------------------------------------------


Bash Shell


Bash initialization

When you first login, bash reads these initialization files in order (if they exist):

/etc/profile -- systemwide profile applies to all users

Then, it looks for these files and executes the FIRST one it finds:

~/.bash_profile
~/.bash_login
~/.profile

For interactive non-login shells, it executes:

~/.bashrc

At logout, it looks for this file to execute:

~/.bash_logout

The amazing technicolor multiline bash prompt

Set the PS1 environment variable in bash to customize the prompt. This is the prompt I use. It works best with a black background. If you want to keep it, add it to one of your bash startup files (like .bashrc).
PS1='\[\e[32;1m\]\u@\h \[\e[33;1m\][\w]\n\[\e[36;1m\]\t\[\e[0m\] $ '

Built-in shell variables:

$# number of command line arguments
$? exit value of last command
$$ process ID of current process
$! process ID of last background process $0 command name
$n where n=1-9 are the 1st thru 9th command line arguments
$* all command line arguments
$@ all command line arguments, individually quoted ($1 $2 ...)

If statement

if condition ; then
commands
elif condition ; then
commands
else
commands
fi

Test the return status of the previous command:

if [ $? == 0 ] ; then
commands
fi

Loops

while condition; do
commands
done

for var in list; do
commands
done

for (( expr1; expr2; expr3 )); do
commands
done

Case statements

The case statement can be used in place of a complex if statement:
case expression in
pattern)
commands
;;
pattern)
commands
;;
*
commands
esac

Traps

Bash scripts can trap signals to handle error processing better or unexpected events (like the user killing the script).

This traps signal(s) and executes "command" instead:
trap "command" signal [signal ...]

You can list active traps with:
trap -p

You can reset traps with:
trap - signal [signal ...]



----------------------------------------------------------

Rsync


Note: examples that use a shell use ssh

To synchronize a local directory with a remote one, use:

rsync -r -a -v -e "ssh -l username" --delete hostname:/remote/dir/ /local/dir/

To synchronize a remote directory with a local one, use:

rsync -r -a -v -e "ssh -l username" --delete /local/dir/ hostname:/remote/dir/

To synchronize a local file with a remote one, use:

rsync -a -v -e "ssh -l username" hostname:/filename /local/filename

To synchronize a remote file with a local one, use:

rsync -a -v -e "ssh -l username" /local/filename hostname:/filename

To synchronize a local directory with a remote rsync server:

rsync -r -a -v --delete rsync://rsync-server.com/stage/ /home/stage/

To synchronize a local directory with a local directory (make a backup), use:

rsync -r -a -v --delete /local/dir/ /backup/dir/



----------------------------------------------------------


Vi - bare essentials



There may be times when vi is the only text editor available, so it helps to at least know the basics. It is the default editor when changing a crontab. For a while, I used vi as my primary editor, but today I use nano.

On most Linux distributions, when you run vi, you are really running vim (vi improved). For basic editing, you'll never know the difference.

Note: A chunk of this small guide came from a web page I found long ago, but I don't remember where so I can't give proper credit. I've added and changed things from the original text.

Vi has two modes, command and insert (really, three if you count replace mode). Command mode is used to navigate, search, and issue other commands. Insert mode is used to enter text.

Vi starts in command mode.

You can precede most commands with a number indicating how many times to perform a command. For example, entering 99 followed by the down arrow will move the cursor down 99 lines. "99x" will delete 99 characters.

While in command mode (case sensitive)

  • move the cursor with arrow keys; if there aren't any arrow keys, use j,k,h,l
  • i - change to insert mode (before cursor)
  • a - change to insert mode (after cursor)
  • A - change to insert mode (at end of line)
  • r - replace one character
  • R - overwrite text
  • x - delete one character
  • dd - delete one line
  • yy - yank line (copy)
  • p - paste deleted or yanked text after cursor
  • P - paste deleted or yanked text before cursor
  • G - go to end of the file
  • 1G - go to top of the file
  • J - merge next line with this one
  • / - search, follow / with text to find
  • :wq - write file and quit
  • :q! - quit without saving
  • %s/old/new/g - substitute; replace "old" with "new" on all lines

While in insert mode

  • ESC - change to command mode
  • any text typed is entered at the cursor

Typical vi session

  1. Type "vi file.txt" at command prompt
  2. Move cursor to where new text will be added
  3. Type "i" to change to insert mode
  4. Type new text
  5. Type ESC to go back to command mode
  6. type ":wq" and ENTER to write the file and quit



----------------------------------------------------------



MySQL


MySQL communicates through either local unix sockets or over TCP/IP port 3306 (default). Database names, tables, field names, and passwords are case sensitive. SQL Commands are not case sensitive.

The configuration file is /etc/my.cnf. Usually doesn't need tweaking, except when using the InnoDB storage engine.

The main command line utilities are mysql, mysqldump, and mysqladmin. Many people like the phpMyAdmin package to manage MySQL through a web browser.

Server Administration


Show all running MySQL processes

mysqladmin --user=root --password=xxx processlist

Show detailed status report

mysqladmin --user=root --password=xxx extended-status

Reload grant tables (after making security table changes)

mysqladmin --user=root --password=xxx reload

Show running configuration settings

mysqladmin --user=root --password=xxx variables

Kill a slow or locked process

First, get the process id using processlist, then
mysqladmin --user=root --password=xxx kill id

Reset the value of an autoincrement field in a table

  1. mysql --user=root database
  2. alter table tablename autoincrement=100;
Note: reset the autoincrement field to 100. Use caution!

Security


Change/set the root password

  1. mysql --user=root mysql (initially no password)
  2. update user set Password=password('new_password')
    where user='root';
  3. flush privileges;

Create a user with remote update authority

  1. mysql --user=root --password=xxx mysql
  2. insert into user (Host, User, Password, Select_priv, Insert_priv,
    Update_priv, Delete_priv) values ('%', 'remote', password('xxx'),
    'Y', 'Y', 'Y', 'Y');
  3. flush privileges;
Note: This creates user 'remote' with global update authority, that can access MySQL from any host (%). In most cases, a remote user should be limited to a single database.

Create a user with access to just the db1 database

  1. mysql --user=root --password=xxx mysql
  2. insert into user (Host, User, Password)
    values ('localhost', 'foo', password('xxx'));
  3. insert into db (Host, Db, User, Select_priv, Insert_priv,
    Update_priv, Delete_priv) values ('localhost', 'db1', 'foo',
    'Y', 'Y', 'Y', 'Y');
  4. flush privileges;

Backup and Restore


Dump all databases (schema and data)

mysqldump --user=root --password=xxx --all-databases > databases.sql

Dump a single database (schema and data)

mysqldump --user=root --password=xxx --databases db1 > db1.sql

Dump a single database (schema only)

mysqldump --all --no-data --user=root --password=xxx --databases db1 > db1.sql

Restore a database from a dump file

mysqldump --user=root --password=xxx <>


----------------------------------------------------------


Postfix


Postfix Administration

Check the configuration and queue directories for the correct security settings and setup:
postfix check

Display all settings:
postconf

Display non-default settings:
postconf -n

Check mail queues for messages pending delivery:
mailq

Display headers and details about a message:
postcat /var/spool/postfix/deferred/message-id

Delete a message in the queue:

  1. mailq (to get the message-id)
  2. postfix stop
  3. find /var/spool/postfix -name message-id -print | xargs rm
  4. postfix start

Configuration files

There are many configuration files used by Postfix located in /etc/postfix. The two main files are:

  • master.cf -- defines how/what slave daemons are called by the master daemon
  • main.cf -- defines all other configuration options and files

Optional but often used configuration files are:

  • alias -- rewrites recipient addresses for local delivery
  • virtual -- rewrites recipient addresses for all local, virtual and remote mail destinations.
  • generic -- rewrites outbound addresses
  • transport -- defines how messages are delivered by email address
  • access -- restrict the messages accepted by host/domain/network/address
Optional files must be converted to a postfix lookup table with postmap. For example, postmap virtual creates the lookup table "virtual.db".

Master.cf

To change the smtpd daemon to only accept mail from the localhost, set the service option for smtpd to this:

        #service        type  ...     command
localhost:smtp inet ... smtpd
To change the smtpd daemon to accept mail on port 8025 instead of 25, set the service option to this:
        #service        type  ...     command
localhost:8025 inet ... smtpd

Set up a catch-all address for a domain

Edit /etc/postfix/main.cf and add a line for the virtual map:
virtual_alias_maps = hash:/etc/postfix/virtual

Edit /etc/postfix/virtual and add the following:

        ###############
# local users #
###############
user1@domain.com user1
user2@domain.com user2
user3@domain.com user3

#############
# catch-all #
#############
@domain.com catch-all

Run postmap virtual, the postfix reload. Now, all email addressed to anyser@domain.com will go to the catch-all address except the explicitly defined local users.

Get BCCed on all email

Add this line to /etc/postfix/main.cf:
always_bcc = foo@user

Bypassing MX lookups for a domain

The transport map can be used to deliver certain email to a different mail server than where the MX record points. This can be useful if the mail server sits in a DMZ and needs to deliver mail to an internal mail server.

Add a line to the /etc/postfix/transport file similar to this:
# the [] skips MX lookups
foo.com smtp:[10.1.5.1]

Then, run postmap transport and postfix reload.

Filtering email based on headers

Add this line to /etc/postfix/main.cf:
header_checks = regexp:/etc/postfix/header_checks

Edit header_checks and define regular expression rules:

        /^From: *@spammer.com/ REJECT
/^Subject: *mortgage*/ REJECT
/^content-(type|disposition):.*name[[:space:]]*=.*\.(exe|vbs)/
REJECT Bad attachment file name extension: $2
Above are blocks based on the From:, Subject:, and file attachment extension.

Debugging Postfix

One way to debug postfix is to increase the verbosity level on a service in the /etc/postfix/master.cf file. Add from one to three -v arguments to the end of a service name, then monitor the mail log for the additional debug messages. For example, this increases verbosity on the smtpd process:
smtp inet n - n - - smtpd -v

If you suspect problems with a remote host instead of the postfix, you can use the debug_peer_list and debug_peer_level options in /etc/postfix/main.cf. This allows you to debug only connections with specific remote hosts. The verbosity level can be set from 1 to 3. For example:
debug_peer_list = foo.com
debug_peer_level = 2

Email related RFPs

  • RFC 821 (SMTP)
  • RFC 822 (email message format)
  • RFC 974 (mail routing)
  • RFC 1855 (netiquette)


----------------------------------------------------------

SMTP benchmarking


The smtp-source program is an SMTP benchmark and load testing program included with Postfix. It has a flexible set of options for testing SMTP servers.

An example of using smtp-source:
smtp-source -c -l 100 -m 200 -f test@foo.com -t test@foo.com mail.foo.com

Here is what the options mean:
-c = show count of sent messages
-l nnnn = length of each message (uses X's for body)
-m = number of messages to send
-f = MAIL FROM
-t = RCPT TO
the last option is the receiving mail server

By timing how many messages a server can receive, you can get an idea of the load it can handle.


----------------------------------------------------------

SSH

SSH server

The first time sshd runs, it generates three cryptographic key pairs and stores the keys in /etc/ssh.

  • ssh_host_key and ssh_host_key.pub (v1)
  • ssh_host_dsa_key and ssh_host_dsa_key.pub (v2 DSA)
  • ssh_host_rsa_key and ssh_host_rsa_key.pub (v2 RSA)

SSH communicates over TCP port 22 by default. The global server configuration file is /etc/ssh/sshd_config.

To deny all root logins, set this value in the the sshd_config file:
PermitRootLogin no

To disable the less secure v1 SSH protocol, use:
Protocol 2

To disable X forwading, use:
X11Forwarding no

To disable password logins (force public/private key authentication), use:
PasswordAuthentication no

SSH client

Note: because of their sensitive nature, the ~/.ssh/ directory and most of the files in it MUST be read/write for the user and not accessible to group or other. For example:
-rw-------
Otherwise, SSH will ignore them. If you copy personal SSH files to a new system and they don't work, check the permissions.

The default client configuration file is /etc/ssh/ssh_config. The user configuration file, ~/.ssh/config takes precedence over the default configuration.

To connect to an SSH server using a different user ID:
ssh userid@server-name-or-IP

To securely copy file(s), use scp:
scp localfile userid@server-name-or-IP:remotefile
also
scp userid@server-name-or-IP:remotefile localfile

To generate an SSH keypair for logins without passwords:
ssh-keygen -t dsa
The system will prompt you for the secret key passphrase, then create the keys:
id_dsa (v2 private key)
id_dsa.pub (v2 public key)
Next, append the v2 public key to the ~/.ssh/authorized_keys2 file on the server(s) where you want to login. To bypass the passphrase every time the secret key is needed, load the key into ssh-agent.

SSH-Agent

To load secret keys in the ssh-agent manually, execute:

  1. ssh-agent
  2. ssh-add keyfile (once for each key)

It is usually more convenient to run ssh-agent and load keys in the X startup script or the startup script for your window manager. Another option is to use the keychain script

Port Forwarding

SSH can port forward local and remote connections securely. Only root can forward privileged ports (<=1024).

To redirect a local port to a remote host port:
ssh userid@remotehost -L localport:remotehost:remoteport

To redirect a remote port to a local or remote host port:
ssh userid@remotehost -R remoteport:host:localport




----------------------------------------------------------

Apache


Basic Authentication


To use basic authentication, the AllowOverride directive must be set at the current directory (or higher up in the document root). This sets AllowOverride at the document root:

        
AllowOverride All

Create a password file outside the Document Root using the htpasswd program, and add the first user (will prompt for the new user password):
htpasswd -c passwords username
For example, this file could be created in /etc/httpd/passwords.

Add a user to an existing password file (will prompt for new user password):
htpasswd passwords username

To prevent someone from reading .htaccess files, set this global files directive at the document root:

        
Order allow,deny
Deny from all
Many distributions include this in the default httpd.conf file.

Simple example of an .htaccess file placed in the directory it will protect. It only requires a valid user:

        AuthName "Foo Web Directory"
AuthType Basic
AuthUserFile /etc/httpd/passwords
Require valid-user

Name Based Virtual Hosts


Virtual hosts allow multiple web sites to be served from one instance of Apache. Named based virtual hosts make the decision of what to serve based on the name of the site requested in the incoming HTTP header. IP virtual hosts make the decision based on the IP address the request came from, usually from a NIC with multiple IP addresses.

The first virtual host defined is the default web site, so that site is served if the name in the HTTP header does not match any other virtual host.

Sample virtual host definition with domain wildcards and separate log file:

        NameVirtualHost *

DocumentRoot /var/www/virtuals/foo.com
ServerName foo.com
ServerAlias *.foo.com
ScriptAlias /cgi-bin/ "/var/www/virtuals/foo.com/cgi-bin/"
CustomLog /var/www/logs/foo.com/access_log combined

DirectoryIndex index.php index.html

Aliases and Redirects


Redirects can be done using either mod_alias or mod_rewrite modules. These examples use mod_alias; mod_rewrite is beyond the scope of this micro how-to.

Aliases can be used if the new location is in the same document root and virtual hosts are not used. Here is an alias to serve the /new directory when /old is requested:
Alias /old /new

Redirects are needed when redirecting the location to a new domain, even if both domains are virtual hosts served from the same physical box. Here is a simple redirect:
Redirect /old http://foo2.com/new

SSL


SSL uses crytographic key pairs to secure data transferred between server and clients (in this case, apache and a web browser). In many distributions, the SSL private key is created automatically.

If not, use:
openssl genrsa -des3 -rand randfile1:randfile2:randfile3: 1024 > /path/to/ssl.key/server.key
Enter the passphrase when prompted.

The key must be signed by a third party Certificate Authority (CA), such as Entrust or Verisign. In order to get a signed key, or certificate, a Certificate Signing Request (CSR) must be created and sent to a CA. Of course, CAs charge money for this.

To create a CSR:
openssl req -new -key /path/to/server.key -out /path/to/ssl.csr/server.csr
Answer the prompts regarding Country, Common Name, etc. Some CAs may want specific answers to be blank or answered a particular way. Check the instructions for your CA.

When the signed certificate comes back, save it to:
/path/to/ssl.crt/server.crt

To enable SSL in Apache, use a virtual host definition on port 443 in httpd.conf:

        
DocumentRoot "/var/www"
ServerName www.servername.com:443
ServerAdmin root@localhost
SSLEngine on
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
This is not a complete configuration. There are many more SSL directives available. The distribution may have reasonable defaults set, so these may be the only directives that have to be updated.

Domain wildcards


To configure domain wildcards so that any subdomain name displays the content of the main site, use the ServerAlias directive:
ServerName foo.com
ServerAlias *.foo.com

The asterisk will match all subdomain names for the domain and return the document root page for foo.com. This also works with virtual hosts.

note: Apache is only half of setting up domain wildcards, the DNS server must also be set up to direct all subdomains to the web server IP address. See the DNS micro how-to for details.


----------------------------------------------------------

Apache Bench


Apache bench, (ab) is a benchmarking program that ships with the Apache web server. While it may not be the most sophisticated tool, it is still very useful.

Apache bench should be run from a remote client since running it on the web server will skew the results down. Ideally, it should be run from multiple remote clients at the same time from different networks to better simulate actual web traffic.

To measure HTTP GET performance, use:

ab -n 10000 -c 25 URL

The -n is the number of requests to make and -c is the number of concurrent requests to make.

To measure HTTP PUT performance (form submissions), use:

ab -n 10000 -c 25 -p postfile.txt URL

The test PUT file, postfile.txt, does not have a to be a formatted as a valid PUT request, it can be a plain text file of the length you want to test.

Here is a sample report:

This is ApacheBench, Version 1.3d <$Revision: 1.73 $> apache-1.3
Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright (c) 1998-2002 The Apache Software Foundation, http://www.apache.org/

Benchmarking linuxboxadmin.com (be patient).....done
Server Software:
Server Hostname: linuxboxadmin.com
Server Port: 80

Document Path: /
Document Length: 15738 bytes

Concurrency Level: 4
Time taken for tests: 14.986 seconds
Complete requests: 100
Failed requests: 0
Broken pipe errors: 0
Total transferred: 1599796 bytes
HTML transferred: 1576465 bytes
Requests per second: 6.67 [#/sec] (mean)
Time per request: 599.44 [ms] (mean)
Time per request: 149.86 [ms] (mean, all requests)
Transfer rate: 106.75 [Kbytes/sec] received

Connnection Times (ms)
min mean[+/-sd] median max
Connect: 79 93 9.7 93 122
Processing: 403 503 32.1 509 564
Waiting: 322 503 32.1 509 564
Total: 403 597 28.5 599 654
Percentage of the requests served within a certain time (ms)
50% 599
66% 605
75% 613
80% 619
90% 628
95% 638
98% 648
99% 654
100% 654 (last request)

----------------------------------------------------------


DHCP


DHCP clients

The dhcp client in most distributions comes from the Internet Software Consortium (ISC). The program is dhclient and uses the /etc/dhclient.conf configuration file. The DHCP client will attempt to configure all network interfaces unless specified otherwise on the command line or in the configuration file.

To obtain an IP address lease for eth0:
dhclient eth0

To release the current IP lease:
dhclient -r eth0

Current lease information is stored in:
/var/lib/dhcp/dhclient.leases.

Some distributions use dhcpcd or pump as their dhcp client.

DHCP server

The ISC DHCP server is dhcpd. It implements the DHCP and BOOTP protocols.

The configuration file is:
/etc/dhcpd.conf

The lease file is:
/var/lib/dhcp/dhcpd.leases

Sample DHCP subnet configuration:
subnet 10.1.4.0 netmask 255.255.255.0 {
range 10.1.4.100 10.1.4..250;
default-lease-time 86400;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option broadcast-address 10.1.4.255;
option routers 10.1.4.1;
option domain-name-servers 10.1.5.1, 10.1.5.2;
option domain-name "foo.com";
}

Sample fixed IP assigned by MAC address:
host tk421 {
hardware ethernet 00:00:45:12:EE:F4;
fixed-address 10.1.4.99;
option subnet-mask 255.255.255.0;
option broadcast-address 10.1.4.255;
option routers 10.1.4.1;
option domain-name-servers 10.1.5.1, 10.1.5.2;
option domain-name "foo.com";
}



----------------------------------------------------------

DNS


DNS client name resolution

When a DNS name lookup is requested, it calls the resolver library (gethostbyname() C function). Programs linked against glibc will search using the order defined on the hosts line in /etc/nsswitch.conf. Typically, the hosts line is defined as:
hosts: files dns
This tells the resolver to look in /etc/hosts first, then ask DNS. Sometimes, NIS or a central database is included on the hosts line.

The resolver uses the name servers defined in /etc/resolv.conf. Most distributions use some kind of configuration tool to manage this file, so be careful of manual modifications.

DNS client utilities

The dig program (Domain Internet Groper) sends domain name query packets to name servers and can be used to test DNS configuration.

Dig queries use this format:
dig @server domain query-type query-class
where query-type is one of all, mx, ns, soa, txt or axfr (zone transfer).

For reverse DNS lookups:
dig -x 1.2.3.4

DNS/BIND server

There are 13 root servers that are the master servers for the whole system. The latest root server file can be downloaded from FTP.RS.INTERNIC.NET.

The DNS/BIND server daemon is "named". By default, named listens on UDP port 53.

The named configuration file is:
/etc/named.conf.

Within /etc/named.conf, the location of the zone files is specified with the directory option. For example:

        options {
directory "/var/named";
};
And here is a typical authoritative zone definition:
        zone "foo.com" {
type master;
file "foo.com";
allow-transfer { 1.2.3.4; };
allow-query { any; };
};

Here is the minimal zone file (/var/named/foo.com) defined above:

    $TTL 3600
@ IN SOA ns1.foo.com. hostmaster.foo.com. (
2005092601 ; serial, todays date + serial #
3600 ; refresh, seconds
900 ; retry, seconds
1209600 ; expire, seconds
3600 ) ; minimum, seconds

IN NS ns1.foo.com.
IN NS ns2.foo.com.
IN MX 10 mail.foo.com. ; Primary Mail

localhost A 127.0.0.1
ns1 A 1.2.3.4
ns2 A 1.2.3.5
foo.com. A 1.2.3.6
mail A 1.2.3.6
www A 1.2.3.6

When updating a zone file, the serial number must be incremented or named will not load the new configuration.

Here is a typical reverse lookup zone file (always in domain in-addr.arpa):

    $TTL 3600
4.3.2.in-addr.arpa. IN SOA ns1.foo.com. hostmaster.foo.com. (
2005092601 ; serial, todays date + serial #
3600 ; refresh, seconds
900 ; retry, seconds
3600 ; expire, seconds
3600 ) ; minimum, seconds

; name servers
3.2.1.in-addr.arpa. IN NS ns1.foo.com.
3.2.1.in-addr.arpa. IN NS ns2.foo.com.

; reverse DNS mapping
6.3.2.1.in-addr.arpa. IN PTR mail.foo.com.

Turning off or limiting recursion

Recursive lookups (allowed by default) can create security risks and performance issues, specifically DNS cache poisoning attacks. To turn off recursion altogether, use this option in named.conf:

        options {
recursion no;
};

To allow recursion for certain hosts, use an access control list to define the IP addresses of hosts that can use recursion. Use this to allow recursion for internal hosts while denying recursion for the public:

        acl recursionok { 192.168.1.0/24; 192.168.2.100; };
options {
allow-recursion { recursionok; };
};
This would only allow hosts with source IP addresses of 192.168.1.0/24 or 192.168.2.100 to query about domains the server is not authoritative for.

Setting up a caching only name server

If you don't want to host your own DNS zones, but do want to centralize name lookups to reduce DNS overhead, you can set up a caching only name server. This server accepts DNS requests and forwards all requests that are not cached to another DNS server to resolve, passing the result back to the client.

To set up a caching only server, do NOT define any authoritative zones in the /etc/named.conf file, just enter valid DNS servers in the forwarders option. For example:

        options {
forward first;
forwarders {
1.2.3.4; 1.2.3.5;
};
};

The "forward first" option tells the server to try the forwarders first, then do a lookup itself if the forwarders fail to resolve the name. The "forward only" option tells the server to try the forwarders, then fail if it does not get an answer.

DNS domain wildcards

To configure DNS wildcards so that any subdomain name resolves to the main site, use an "*" in the CNAME record:
www IN A 1.2.3.4
* IN CNAME www

The asterisk will match all subdomain names for the domain and return the IP address of www, sending the browser to the main web site. This technique is often used in marketing programs where you want everyone to arrive at the same web site, but want to track who sent them there by the HTTP REFERRER.

note: DNS is only half of setting up domain wildcards, the web server must also be set up to accept all subdomains and show the same content. See the Apache micro how-to for details.

Testing your DNS configuration

A good tool that runs many tests against your DNS server can be found at:
DNSreport.com



----------------------------------------------------------



NFS

NFS Server

The Network File System is a TCP/IP file sharing protocol invented by Sun Microsystems. The daemons that implement the server are nfsd, mountd, and if quotas are needed rquotad. Since NFS relies on remote procedure calls, the portmapper daemon must also be running.

Shared files systems are defined in the /etc/exports file.

Each line describes a file system to export and which client machines can mount it with what permissions. By default, the user ID of the mounting user is used for file level permissions on the server machine. So, if you mount a remote file system as user "foo", then the permissions of the user "foo" on the server machine control what can be done on the mounted file system (within the limits of the /etc/exports definition). This is considered a weakness of NFS security because if a remote user gains root access, he has root permissions on NFS shared files. However, root connections can be blocked in the /etc/exports file.

Here is a simple example of /etc/exports:

        /dir1       (rw)
/dir3 *.localdomain(ro, root_squash)
/dir2 (rw,all_squash)
dir1 is shared read/write to all machines; dir2 is shared read-only to all machines in localdomain, and root connections are mapped to the anonymous uid/gid; dir3 is shared read/write to all machines, and all connections are mapped to the anonymous uid/gid.

NFS Client

To mount a remote NFS filesystem, use:
mount -t nfs servername:/exported-file-system /local-mount-point

To allow all users to mount the NFS filesystem, add this to /etc/hosts:
nfssrv:/exported /mnt/local nfs noauto,user,exec 0 0
where nfssrv:/exported is the remote NFS server and filesystem and /mnt/local is the local mount point.

NFS Utilities

Check NFS traffic on the server with nfsstat.

Show server statistics:
nfsstat -s

Show client statistics:
nfsstat -c

Show exported filesystems on a remote server:
showmount --exports nfs-server

Show all mounted filesystems:
showmount --all nfs-server

NFS Performance

The NFS HOW-TO recommends mounting all NFS shares with these options:
hard,intr,rsize=8192,wsize-8192
The read size and write size buffers will greatly increase performance in most cases. The hard option tells the system to lock an app that is using an NFS mount if communication is lost between server and client. The intr lets you kill such an app with the Interrupt signal (don't have to use kill -9).


----------------------------------------------------------

Postgresql


By default, Postgres listens on TCP port 5432.

Dump all databases

pg_dumpall --clean > databases.sql

Dump a database with compression (-Fc)

pg_dump -Fc --file=database.sql --clean database

Restore a database from a dump file

pg_restore -Fc database.sql

Start the postgres interactive terminal

psql

Psql - show all databases

select * from pg_database;

Psql - show all tables

select * from pg_tables;

Psql - copy a table to a tab delimeted file

COPY table TO 'table.txt';

Psql - load a table from a tab delimeted file

COPY table FROM 'table.txt';

Run the vacuum utility

vacuumdb --verbose --analyze --all
Note: vacuum reclaims space from deleted records and updates indexes. It should be set up in cron. Newer versions of postgresql may run vacuum automatically.

Increase perfomance with shared memory

One effective performance tuning tip for Postgresql is to increase the shared memory buffers. This might require adding RAM to the server. Many Linux distros default to 32MB of shared memory, controlled by two kernel parameters:
/proc/sys/kernel/shmmax
/proc/sys/kernel/shmall

These values can be changed at run time, but it is better to set them at boot using the /etc/sysctl.conf file. This increases shared memory to 1GB:
# increase shared buffers for postgres at boot
kernel.shmmax=1073741824
kernel.shmall=1073741824

Then, tell Postgres to use 768MB of the 1GB available in the /var/lib/pgsql/data/postgresql.conf file:
shared_buffers = 98304 # min 16, at least max_connections*2, 8KB each

Restart postgres for the change to take effect.

0 Comments:

Post a Comment

<< Home