Search This Blog

Wednesday, October 27, 2010

dmesg

A very good article over dmesg can be found here.


http://www.thegeekstuff.com/2010/10/dmesg-command-examples/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+TheGeekStuff+%28The+Geek+Stuff%29

Friday, October 22, 2010

Interesting Linux Commands.

Index:

1)Command to find the Installation date of O.S.

2)How to find Most Used Linux commands of your machine?
3)
Blink LED of Network Card to find physical port
4)Command to scare people.
5)Prevent accident Play safe use Echo.

===================================================
1)Command to find the Installation date of O.S.

Still dont remember last time you have installed an OS.
Dont worry Following command can help you get the exact date.

Method 1:

# tune2fs -l /dev/root | grep created
Filesystem created: Wed Oct 13 19:08:13 2010


Method 2:
First find the location of install.log in your machine.
# find / -name install.log
/root/install.log
then you can check the detail using ls -ltr /root/install.log.
# ls -ltr /root/install.log
-rw-r--r-- 1 root root 14038 Oct 13 13:40 /root/install.log
in above example install.log is created on Oct 13 So the OS is installed on 13th Oct.
===================================================
2)How to find Most Used Linux commands of your machine?

I know the question is quite simple but yet interesting.You can use following command to find out which is the most used command of your Linux Machine .

# cut -f1 -d" " .bash_history | sort | uniq -c | sort -nr | head -n 10
113 cd
98 ls
83 xm
64 cat
59 dir
59 df
55 find
48 sysctl
42 vi
36 mount

other way of doing the same thing.

# history | awk '{print $2}' | awk 'BEGIN {FS="|"}{print $1}' | sort | uniq -c | sort -n | tail | sort -nr
113 cd
98 ls
80 xm
64 cat
59 dir
59 df
55 find
48 sysctl
42 vi
36 mount


from above output its very clear that "cd" is the most used command in my distribution.
I know there are no practical usage of this command but sometime its good to know which command stress your fingers :)

===================================================

3) Blink LED of Network Card to find physical port corresponds network interfaces(eth0,eth1,...)... (Use this in-case of multiple network ports).

If you want to make sure which physical interface is eth0 and which is eth1 or eth2 and so on

run:

#ethtool -p eth0 20

This blinks the LED on the interface for five seconds–without interrupting network traffic.
More commands will be updated soon.

===================================================
4)Command to scare people.

Well this one is one of my favorite.

It just produces random sound from your machine.
I use this command for following usage.
1)To scare people.
2)To find the machine location especially when you dont know the physical location.

how it works ?
Just type
#dd if=/dev/urandom of=/dev/dsp
The random sound will start coming up from your machine.
Well this may not be the fun but imagine if you can scare your
colleague who sits in same LAN of yours.

Just use SSH to do this.

# ssh username@Ipaddressofmachine dd if=/dev/urandom of=/dev/dsp

It will then ask you the password just type it and you are done.

To stop the noise you can find the process using following steps.
Step 1: Find process id of dd command.
# ps -ef |grep dd
root 4861 1 0 11:35 ? 00:00:00 /usr/bin/hidd --server
68 5318 5311 0 11:36 ? 00:00:00 hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
68 5323 5311 0 11:36 ? 00:00:00 hald-addon-keyboard: listening on /dev/input/event0
root 5556 1 0 11:58 ? 00:00:00 dd if /dev/urandom of /dev/dsp
root 5597 5571 0 11:59 pts/0 00:00:00 grep dd

As you can see from above output the process ID is
5556.

Step 2: Just kill it using.

# kill 5556
---Process id can be different please run step 1 to check whats your process id and substitute in front of kill.



5)Prevent accident Play safe use Echo.

Its always a good idea to foresee what would be the impact of your command.
for example
# echo rm *.txt

above command will not delete all the txt files but will display what files will get deleted if you run
#rm *.txt


===================================================

Sunday, October 17, 2010

How Create link for additional local hard drives

This is applicable where you have a server with more than 1 hard disk.

The default /OVS is created using manager.
Now its time you have to create link for /OVS1 and /OVS2 (Considering you are having 3 local hard disks and you have created /OVS /OVS1 /OVS2 partitions with o2fs file system during installation).


First check the repositories.
# /opt/ovs-agent-latest/utils/repos.py -l
[ ] 1302f1d0-0617-45f1-b214-513594cd11f1 => /dev/sdc1
[ * ] a7d5463b-288f-4c14-b28a-5e999c987a29 => /dev/sda5
[ ] 0c6e6bf5-406e-4775-92bd-d2e8b3ce2af5 => /dev/sdb1

(Dont proceed if you are not getting your repositories listed
Please reffer following post for more details. How to add a new repository to Oracle Virtual Server.
)

In above output its clear that the root repository is
a7d5463b-288f-4c14-b28a-5e999c987a29 => /dev/sda5
If this get full then the others will be utilized.


Then run df -h command to validate them.
# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 39G 948M 36G 3% /
/dev/sda1 99M 45M 49M 48% /boot
tmpfs 277M 0 277M 0% /dev/shm
/dev/sda5 888G 84G 804G 10% /var/ovs/mount/A7D5463B288F4C14B28A5E999C987A29
/dev/sdc1 932G 299M 932G 1% /var/ovs/mount/1302F1D0061745F1B214513594CD11F1
/dev/sdb1 932G 299M 932G 1% /var/ovs/mount/0C6E6BF5406E477592BDD2E8B3CE2AF5

As you can see the current utilized one is
/dev/sda5 888G 84G 804G 10% /var/ovs/mount/A7D5463B288F4C14B28A5E999C987A29

Just go to / and type
# ls -ltr | grep ^l
lrwxrwxrwx 1 root root 47 Oct 15 14:51 OVS -> /var/ovs/mount/A7D5463B288F4C14B28A5E999C987A29

Only one file will be returned.

Make sure there is no /OVS1 and /OVS2 folders (if exists then delete them).
Now make a link for /OVS1 and /OVS2

#ln -s /var/ovs/mount/1302F1D0061745F1B214513594CD11F1 /OVS1
# ln -s /var/ovs/mount/0C6E6BF5406E477592BDD2E8B3CE2AF5 /OVS2

Now you should be able to see 3 softlinks in / directory.
# ls -ltr | grep ^l
lrwxrwxrwx 1 root root 47 Oct 15 14:51 OVS -> /var/ovs/mount/A7D5463B288F4C14B28A5E999C987A29
lrwxrwxrwx 1 root root 47 Oct 18 10:04 OVS1 -> /var/ovs/mount/1302F1D0061745F1B214513594CD11F1
lrwxrwxrwx 1 root root 47 Oct 18 10:11 OVS2 -> /var/ovs/mount/0C6E6BF5406E477592BDD2E8B3CE2AF5

Saturday, October 16, 2010

XUBUNTU

Windows look and feel:


http://www.ubuntu.online02.com/node/14

Above patch modifies gnome and make it look like window xp.

Please Leave us with your comments and Queries/Suggestions.
I will try to reply asap.

Monday, October 11, 2010

Disable SSH Version 1

For a best practice it is recommended to disable SSH version 1 and instead use version 2.

A good article over how to disable SSH version 1 is given in following link.

http://www.skullbox.net/disablessh1.php

Sunday, October 10, 2010

changing Kernal parameters for security reasons.

Disable Source Routing:

The kernel parameter net.ipv4.conf.all.accept_source_route must be set to "0" (zero) to disallow source routing.

IP Forwarding:

The kernel parameter net.ipv4.ip_forward must be set to "0" (zero) to disallow IP Forwarding.

ICMP Broadcast Response:

The kernel parameter icmp_echo_ignore_broadcasts must be set to "1" (one).

Syn Flood Protection:

The kernel parameter net.ipv4.tcp_syncookies must be set to "1" (one) in order to defend against Syn Flood attacks .

Reverse Path Filter:

The kernel parameter net.ipv4.conf.all.rp_filter must be set to “1” so that the network subsystem will validate source addresses against the Routing Table.

Accepting ICMP redirects:

The kernel parameter net.ipv4.conf.default.accept_redirects must be set to “0” so that the network subsystem will not accept ICMP redirects.

Sending ICMP Redirects

The kernel parameters net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects must both be set to “0” so that the network subsystem will not send out ICMP redirects.

Tuesday, October 5, 2010

Message of the day (/etc/motd)

It would be nice to inform the users of the machine that you are going to make it shutdown for some time .

Being a Linux System administrator You have several ways of informing users.
/etc/motd file is one of them.

Just edit the file with whatever content you want to display .

once some user logged into machine using terminal session.He will be greeted with message in /etc/motd.

Remove rsh, rcp and rlogin

It is highly recommended to remove following command on production server .
There are several ways of not using the command choose one that is suitable for your need.

Method 1:

Just try to find the rpm for the above command.
This can be done using.

rpm -qa | grep -i rsh
rsh-0.17-38.el5
rpm -qa | grep -i rcp
rpm -qa | grep -i rlogin

As you can see only first command return any output.

We need to further see what command rsh-0.17-38.el5 contains.

This can be done using

# rpm -ql rsh-0.17-38.el5
/usr/bin/rcp
/usr/bin/rexec
/usr/bin/rlogin
/usr/bin/rsh
/usr/share/man/man1/rcp.1.gz
/usr/share/man/man1/rexec.1.gz
/usr/share/man/man1/rlogin.1.gz
/usr/share/man/man1/rsh.1.gz


From the output you can assume that by uninstalling the rpm you can achieve the removal of those command from production server.


Method 2:

Change the file permisisons:

(First check the location of command using which command name.Below examples are given considering the commands are located under /usr/bin/rcp This could be different for different Linux Distributions.)

chmod 000 /usr/bin/rcp

chmod 000 /usr/bin/rsh

chmod 000 /usr/bin/rlogin

Method 3:

just remove execute bit of the command using.


(First check the location of command using which command name.Below examples are given considering the commands are located under /usr/bin/rcp This could be different for different Linux Distributions.)


chmod -x /usr/bin/rcp

chmod -x /usr/bin/rsh

chmod -x /usr/bin/rlogin

Method 4:

Remove the command itself using.

rm -rf `which rcp`
rm -rf `which rlogin`
rm -rf `which rsh`

Monday, October 4, 2010

Display a legal warning before login(SSH).

Create a file called /etc/ssh/sshd-banner.

Paste the customized banner message in it.
For example:
"This Machine is for the exclusive use of XYZ organization and Unauthorized access or breach of these terms may result in termination of your authorization and/or criminal penalties."

edit /etc/ssh/sshd_config with following entry

Banner /etc/ssh/sshd-banner


Restart sshd service using.

#service sshd restart

To validate the changes:
Try to login to the server using putty.
put username and press enter .
You should get banner displaying text under /etc/ssh/sshd-banner file.

For example:

login as: root
"This Machine is for the exclusive use of XYZ organization and Unauthorized access or breach of these terms may result in termination of your authorization and/or criminal penalties."
root@'s password:


Click here for more reference:
http://www.cyberciti.biz/tips/change-openssh-sshd-server-login-banner.html




Sunday, October 3, 2010

Sticky bit

The most common use of the sticky bit today is on directories. When the sticky bit is set, only the item's owner, the directory's owner, or the superuser can rename or delete files. Without the sticky bit set, any user with write and execute permissions for the directory can rename or delete contained files, regardless of owner. Typically this is set on the /tmp directory to prevent ordinary users from deleting or moving other users' files. This feature was introduced in 4.3BSD in 1986 and today it is found in most modern Unix systems.(Source : Wikipedia http://en.wikipedia.org/wiki/Sticky_bit).

How to check if the sticky bit is set or not?
Consider /tmp directory.

# ls -ld /tmp
drwxrwxrwt 3 root root 4096 Oct 4 00:22 /tmp
# ls -ld /var/tmp
drwxrwxrwt 2 root root 4096 Sep 24 03:41 /var/tmp

here d- stands for directory
rwx-permissions for root user
rwx-permission for group
rwx-permission for other user.
t- sticky bit.

This mean any user can read,write and execute files to and from/tmp but he cant modify or delete files of other users.

Make sure The /tmp and /var/tmp filesystems, must be owned by root and have permissions 1777.

Friday, October 1, 2010

/etc/shadow file.

Hardening guidelines for /etc/shadow files are as follows.

1) It should be owned by root and have permission of 600 or more restrictive.
e.g.
# ls -l /etc/shadow
-r-------- 1 root root 890 Sep 28 05:29 /etc/shadow
In above case its more restrictive i.e. 400 even root is not given write access by default.

2) Each Line must contain a unique user name and should not contain any blank line.
3) First two fields i.e username and password should not be blank.
4) Password filed should be more than 13-24 Character long.
e.g.

admin:$1$YSmsjgr7$m3YjwsZNdQ/Z24QXGWj8O1:14879:0:99999:7:::

"$1$" it means the MD5-based algorithm was used while encrypting the password.
5) Password for root account should not be assigned to any other account.
6) All locked accounts must have a single exclamation mark "!" as the first character of the Passwd field.

for example.
following are some lines from /etc/shadow file.

vcsa:!!:14866:0:99999:7:::
sshd:!!:14866:0:99999:7:::
ftp:*:14866:0:99999:7:::
nobody:*:14866:0:99999:7:::
bkpadmin:$1$IgKNf9Xa$fvt5T9rIOzLxe9yvU9i870:14882:0:99999:7:::

There counterparts in /etc/passwd file.
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
bkpadmin:x:500:500::/home/bkpadmin:/sbin/nologin

here are the status of the username.

# passwd -S vcsa
vcsa LK 2010-09-14 0 99999 7 -1 (Password locked.)
# passwd -S sshd
sshd LK 2010-09-14 0 99999 7 -1 (Password locked.)
# passwd -S ftp
ftp LK 2010-09-14 0 99999 7 -1 (Alternate authentication scheme in use.)
# passwd -S nobody
nobody LK 2010-09-14 0 99999 7 -1 (Alternate authentication scheme in use.)
# passwd -S bkpadmin
bkpadmin PS 2010-09-30 0 99999 7 -1 (Password set, MD5 crypt.)


statusStatus of the name:

PS = Passworded
LK = Locked
NP = No Password



as you can see.
vcsa and sshd both have ! as first character in password filed (2nd field).This is well justified using passwd -S .

7) Application accounts which are not locked must contain only an asterisk “*” in the Passwd field.
For example.

ftp:*:14866:0:99999:7:::
nobody:*:14866:0:99999:7:::

Above users are used for application and hence they are locked but Alternate authentication is used for them.
# passwd -S ftp
ftp LK 2010-09-14 0 99999 7 -1 (Alternate authentication scheme in use.)
# passwd -S nobody
nobody LK 2010-09-14 0 99999 7 -1 (Alternate authentication scheme in use.)

More on this soon...