Tuesday, September 28, 2010

Harddisk failure.

A good article on how to recover a hard disk when the superblock is corrupt is available on the following blog.

http://www.gaurishsharma.com/2008/11/linux-ext3-partition-detected.html/comment-page-1#comment-11042

Sunday, September 26, 2010

ls Command.

A good article on the ls command can be found at:

http://www.thegeekstuff.com/2009/07/linux-ls-command-examples/

Linux File System.

1) /

Only the root user has write access under this directory.


# ls -ld /
drwxr-xr-x 36 root root 4096 Jul 23 13:06 /


Many users assume it is root's home directory.
Root's home directory is /root, not /.
# echo $HOME
/root


2) /bin

This directory contains the most commonly used commands.
The commands in this directory are used by almost all users of the Linux system,
for example ls, cp, mv and grep.

# which cp
/bin/cp
# which grep
/bin/grep
# which mv
/bin/mv
# which ls
/bin/ls

Note: which is used to find the location of a command.
In the above example the cp, grep, mv and ls commands are stored in the /bin directory.

Therefore they are called user binaries.

3) /sbin

This directory contains commands that are normally used by system administrators.

These include commands like iptables (used to modify firewall settings), ifconfig (used to change the IP address of the machine), fdisk (used to make filesystem-level changes) and many more.

# which iptables
/sbin/iptables
# which ifconfig
/sbin/ifconfig
# which fdisk
/sbin/fdisk

Therefore they are called system binaries.

A good article on the Linux directory structure can be found here.
http://www.thegeekstuff.com/2010/09/linux-file-system-structure/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+TheGeekStuff+%28The+Geek+Stuff%29

Friday, September 24, 2010

Mount NFS share on ESX

Use the following command to mount an NFS share on an ESX server.
#esxcfg-nas -a -o 10.180.11.111 -s /export/bkp_share NFS02

The above command will mount the NFS share /export/bkp_share from the server 10.180.11.111 under the name NFS02.

The command below lists the mounted NFS shares.
# esxcfg-nas -l
NFS02 is /export/bkp_share from 10.180.11.111 mounted
The actual location of NFS02 is
/vmfs/volumes/NFS02/


To delete the above mounted share, use the following command.
# esxcfg-nas -d NFS02

See the following URL for more details about ESX server commands.

http://b2v.co.uk/b2vguide2vmware3.htm

Wednesday, September 22, 2010

Backup Using Rsync

There are several advantages of using rsync over cp.

1) Speed:

If you copy a file from source A to destination B for the very first time, it copies the entire file as it is, so it may not seem any different from using cp for the same purpose.
However, the next time you copy the same file from source A to destination B, it first checks whether the file at source A has been modified. Depending on that check, rsync decides whether to copy the file or not.

2) Secure transfer of data:

rsync allows the user to transfer data in encrypted form using the SSH protocol.

Syntax:

rsync options source destination

Copy one file:

rsync -v sourcefile destination

The above command is normally used for copying one file to the destination.

For syncing files:
rsync -avz source destination

A good article on rsync can be found at

http://www.thegeekstuff.com/2010/09/rsync-command-examples/

Please leave your comments and queries/suggestions.
I will try to reply ASAP.

Thursday, September 16, 2010

Automatic logout in case of inactivity.

Consider a scenario where you are working on many Linux terminals at a time.
In this scenario, it is not advisable to leave a terminal open all day long.
This can be avoided in the following way.

The following command, when executed in a terminal, logs the session off after 5 minutes of inactivity.
#export TMOUT=300

This can be included in the /etc/profile file to apply it to every user. However, it can be overridden if the user's own profile file sets some other value.

This can be avoided by putting readonly TMOUT=300 in the /etc/profile file.

Note:
Not tested for shells other than Bash or Korn.

Please refer to the following thread for more information.
http://www.linuxquestions.org/questions/showthread.php?p=4099036
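
One way to verify that a profile file really enforces the timeout described above, added here as an example that is not part of the original post. The function name check_tmout, its verdict strings and the sample profile lines are assumptions made for illustration.

```shell
#!/bin/sh
# check_tmout FILE [MAX_SECONDS]
# Prints one verdict for FILE and returns 0 only for "ok": TMOUT must be
# set to 1..MAX_SECONDS and be readonly so a user profile cannot reset it.
# (Hypothetical helper; 300 s default follows the value used in the post.)
check_tmout() {
    awk -v max="${2:-300}" '
        /^[ \t]*#/ { next }                          # ignore comment lines
        match($0, /(^|[ \t;])TMOUT=[0-9]+/) {
            assign = substr($0, RSTART, RLENGTH)
            sub(/^.*=/, "", assign)
            # Once TMOUT is readonly, later assignments fail in the shell.
            if (!locked) { value = assign + 0 }
            seen = 1
            if ($0 ~ /(^|[ \t;])(readonly|(declare|typeset)[ \t]+-r)[ \t]+TMOUT=/) {
                locked = 1
            }
        }
        /(^|[ \t;])readonly[ \t]+TMOUT([ \t;]|$)/ { locked = 1 }
        END {
            if (!seen)            verdict = "missing"
            else if (value < 1)   verdict = "disabled"     # TMOUT=0 never logs out
            else if (value > max) verdict = "too-long"
            else if (!locked)     verdict = "overridable"  # user profile can reset it
            else                  verdict = "ok"
            print verdict
            exit (verdict != "ok")
        }' "$1"
}

# Constructed samples: the two /etc/profile variants discussed in the post.
demo_tmout() {
    tmp=$(mktemp) || return 1
    printf 'export TMOUT=300\n' > "$tmp"
    weak=$(check_tmout "$tmp") || true
    printf 'readonly TMOUT=300\n' > "$tmp"
    good=$(check_tmout "$tmp") || true
    rm -f "$tmp"
    echo "export: $weak, readonly: $good"
}
demo_tmout
```

On a real system, point it at /etc/profile and at any files under /etc/profile.d that set TMOUT.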

Wednesday, September 15, 2010

Disable Ctrl+Alt+Delete.

On a Windows machine this key combination can save you from a lot of annoying processes, but on Linux, pressing these keys together restarts your computer.
While this comes in handy for rebooting the machine, it is strongly recommended to disable this feature altogether.
This is how you should go about disabling Ctrl+Alt+Delete.

All you need to do is modify the /etc/inittab file and restart the system.

As we are changing a configuration file, make a backup of /etc/inittab.
#cp /etc/inittab /etc/inittab.old

You will need to comment out the following line.
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Restart the system.
#init 6

Task done.

Tuesday, September 14, 2010

Wednesday, September 8, 2010

Disable FTP Service.

To check whether FTP is running, log in to the server or any other machine connected to the server. All you need to do is run the following command.

ftp

Example:
If 10.180.18.222 is my server's IP address.

# ftp 10.180.18.222
Connected to 10.180.18.222.
220 TomcatServer FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Unspecified GSS failure. Minor code may provide more information
GSSAPI error minor: No credentials cache found
GSSAPI error: initializing context
GSSAPI authentication failed
334 Using authentication type KERBEROS_V4; ADAT must follow
KERBEROS_V4 accepted as authentication type
Kerberos V4 krb_mk_req failed: You have no tickets cached
Name (10.180.18.222:root):


The above output shows that FTP is running on 10.180.18.222.

To disable FTP you need to edit the gssftp file under the
/etc/xinetd.d directory.

Set the disable parameter to yes.

# cat gssftp
# default: off
# description: The kerberized FTP server accepts FTP connections \
# that can be authenticated with Kerberos 5.
service ftp
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/ftpd
server_args = -l -a
log_on_failure += USERID
disable = yes
}

Once you have modified the file, restart xinetd.
#/etc/rc.d/init.d/xinetd restart


To check whether FTP is running:

# ftp 10.180.18.222
ftp: connect: Connection refused
ftp>

The above output shows that FTP is disabled on my server.

Enable FTP Service.

To check whether FTP is running:
This can be done by logging in to the server or any other machine connected to the server. All you need to do is run the following command.
ftp
Example:
If 10.180.18.222 is my server's IP address.

# ftp 10.180.18.222
ftp: connect: Connection refused
ftp>

The above output shows that FTP is not enabled on my server.

To enable FTP you need to edit the gssftp file under the
/etc/xinetd.d directory.

Set the disable parameter to no.

# cat gssftp
# default: off
# description: The kerberized FTP server accepts FTP connections \
# that can be authenticated with Kerberos 5.
service ftp
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/ftpd
server_args = -l -a
log_on_failure += USERID
disable = no
}

Once you have modified the file, restart xinetd.
#/etc/rc.d/init.d/xinetd restart


To check whether FTP is running:
# ftp 10.180.18.222
Connected to 10.180.18.222.
220 TomcatServer FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Unspecified GSS failure. Minor code may provide more information
GSSAPI error minor: No credentials cache found
GSSAPI error: initializing context
GSSAPI authentication failed
334 Using authentication type KERBEROS_V4; ADAT must follow
KERBEROS_V4 accepted as authentication type
Kerberos V4 krb_mk_req failed: You have no tickets cached
Name (10.180.18.222:root):


The above output shows that you are now able to use FTP.

Disable Telnet Service in Linux

Telnet is a service with which we can communicate remotely with a server. However, SSH is a more secure alternative to it. Therefore we should disable this service by default.

Here is what you need to do if you are using Red Hat/CentOS 4 or 5.

This service is usually named krb5-telnet.
You just need to edit the file /etc/xinetd.d/krb5-telnet.
The following is the content of the file with telnet disabled.
# cat /etc/xinetd.d/krb5-telnet
# default: off
# description: The kerberized telnet server accepts normal telnet sessions, \
# but can also use Kerberos 5 authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/telnetd
log_on_failure += USERID
disable = yes
}
Then just restart the xinetd service.
#/etc/rc.d/init.d/xinetd restart

Telnet should be disabled now.
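
The FTP and Telnet posts above both come down to the disable line in a file under /etc/xinetd.d. As an added example (not part of the original posts), this shell function lists every service block that xinetd would start, counting a block with no disable line as enabled; the name xinetd_enabled and the sample files, modelled on the two shown above, are constructed for illustration.

```shell
#!/bin/sh
# xinetd_enabled DIR
# Prints "service<TAB>server<TAB>file" for each service block under DIR
# that is not switched off with "disable = yes". (Hypothetical helper.)
xinetd_enabled() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/      { next }                 # comment lines
            $1 == "service" { name = $2; disabled = "no"; server = "-"; next }
            name == ""      { next }                 # outside a service block
            $1 == "disable" { disabled = tolower($3) }
            $1 == "server"  { server = $3 }
            $1 == "}" {
                # No "disable = yes" in the block means xinetd starts it.
                if (disabled != "yes") print name "\t" server "\t" file
                name = ""
            }' "$f"
    done
}

# Constructed sample: FTP left enabled, telnet disabled.
demo_xinetd() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/gssftp" <<'EOF'
# default: off
service ftp
{
    user    = root
    server  = /usr/kerberos/sbin/ftpd
    disable = no
}
EOF
    cat > "$dir/krb5-telnet" <<'EOF'
# default: off
service telnet
{
    user    = root
    server  = /usr/kerberos/sbin/telnetd
    disable = yes
}
EOF
    xinetd_enabled "$dir"       # reports only the ftp block
    rm -rf "$dir"
}
demo_xinetd
```

Run xinetd_enabled /etc/xinetd.d after each change and before restarting xinetd; an empty result means no xinetd-managed service is left enabled.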

Enable telnet service

Note:
First, telnet is insecure, and allowing root login is just plain stupid.
Use su or sudo, and even better, use ssh.

By default, the telnet service is disabled in many distributions (which is highly recommended).

In Red Hat/CentOS 4 and 5 the telnet service can be enabled by modifying the following file:
/etc/xinetd.d/krb5-telnet.

You just need to change the disable parameter to no, as below.

# cat /etc/xinetd.d/krb5-telnet
# default: off
# description: The kerberized telnet server accepts normal telnet sessions, \
# but can also use Kerberos 5 authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/telnetd
log_on_failure += USERID
disable = no
}
Just restart the xinetd service.
#/etc/rc.d/init.d/xinetd restart
Now you are able to get a telnet session on the server. However, it will still not allow you to log in as root.

However, if you need to allow root access to the terminals that telnet uses,
add the following lines to /etc/securetty:
pts/0
pts/1
pts/2
pts/3
pts/4
pts/5
pts/6
pts/7
pts/8
pts/9
Now you are able to log in as root using telnet.

Tuesday, September 7, 2010

Linux Server hardening.

Today I have decided to add some more security to my Linux machine.

Linux hardening is the term used for this.

So how would I achieve Linux hardening?

Well, this question has different answers depending on the operating system, the level of security needed and the budget (you heard it right).

Though there are a lot of free tools available, when it comes to enterprise-wide server hardening you might need to shell out more money to buy a firewall server and the software or resources to manage it.
Additionally, you may need to deploy some other well-known security tools to make your system intruder-proof, much like installing the McAfee enterprise suite for your Windows-based network.

Well, in this article I am not going to talk about expensive ways to harden your system; rather, I will try to teach the hardening process in a much simpler and more educational format.

So here we begin.

As the hardening process requires you to modify configuration files, it is best practice to make a backup of each configuration file with a .old suffix.
This way, if you make a mistake you can roll back later.
It is also advisable to keep a record of the steps performed during hardening.


1) Decide which services to start and stop.
Description:
This decision can play a very important role.

If you are not going to transfer files from your server to another server using the FTP protocol, you are better off turning the FTP service off.

Similarly, other services can be turned off.
How it works:
Please read the blog for more information.
http://www.governmentsecurity.org/forum/index.php?showtopic=1695

Use a firewall to block the port.

On a typical Linux box the firewall settings can be opened using the following command (this can differ depending on your distribution).
#system-config-securitylevel


Disable the service itself.

Even though the port for a particular service is blocked, it is recommended to disable the service as well.

Telnet Service:
It is highly recommended to disable this service. However, I have also given a guide on how to enable the service.

Enable Telnet Service:
Disable telnet service :

FTP Service:
This service is used to transfer files from your server to another machine.

Enable FTP Service:
Disable FTP Service:

SMTP Service:

Enable SMTP Service:
Disable SMTP service:

This service is used to send mail. However, a hacker may use this service to jam the network traffic or send spam mails. It is recommended to block this service if you are not using your server as a mail server.
To disable the SMTP service you first have to know which message transfer agent (MTA) you are using.
This can be done using the following bash command (the trailing grep -v grep drops the grep process itself from the output):

#ps -ef | grep -iE "sendmail|postfix|exim|courier|james|lotus|qmail|xmail|postmaster" | grep -v grep

More on this coming soon.

Best thread for getting additional useful information:

http://www.linuxquestions.org/questions/linux-newbie-8/how-to-block-ftp-and-smtp-service-830902/



Disable Ctrl+Alt+Delete.

Automatic logout in case of inactivity.

Display a legal warning before login (SSH).


“Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months” – Clifford Stoll