Showing posts with label LINUX.

Friday, August 19, 2016

How To Modify the Sudoers File


You will be presented with the /etc/sudoers file in your selected text editor.

/etc/sudoers
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

root    ALL=(ALL:ALL) ALL

%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d
 
 
 
Let's take a look at what these lines do.
Code:
%admin ALL=(ALL)NOPASSWD:/usr/bin/apt-get
To break it down:
  • %admin - All users of the admin group
  • ALL= - from any Host/IP
  • (ALL) - can run as any user
  • NOPASSWD - with no password required
  • :/usr/bin/apt-get - the comma-separated list of applications they may run.

User Privilege Lines

The fourth line, which dictates the root user's sudo privileges, is different from the preceding lines. Each bullet below repeats that rule and explains one of its fields:
  • root ALL=(ALL:ALL) ALL
    The first field indicates the username that the rule will apply to (root).
  • root ALL=(ALL:ALL) ALL
    The first "ALL" indicates that this rule applies to all hosts.
  • root ALL=(ALL:ALL) ALL
    The "ALL" before the colon indicates that the root user can run commands as all users.
  • root ALL=(ALL:ALL) ALL
    The "ALL" after the colon indicates that the root user can run commands as all groups.
  • root ALL=(ALL:ALL) ALL
    The last "ALL" indicates these rules apply to all commands.
This means that our root user can run any command using sudo, as long as they provide their password.

Group Privilege Lines


- Names beginning with a "%" indicate group names.

How To Set Up Custom Rules

Now that we have gotten familiar with the general syntax of the file, let's create some new rules.

How To Create Aliases

The sudoers file can be organized more easily by grouping things with various kinds of "aliases".
For instance, we can create three different groups of users, with overlapping membership:
/etc/sudoers
. . .
User_Alias      GROUPONE = abby, brent, carl
User_Alias      GROUPTWO = brent, doris, eric
User_Alias      GROUPTHREE = doris, felicia, grant
. . .
Alias names must start with a capital letter. We can then allow members of GROUPTWO to update the apt database by creating a rule like this:
/etc/sudoers
. . .
GROUPTWO    ALL = /usr/bin/apt-get update
. . .
If we do not specify a user/group to run as, as above, sudo defaults to the root user.
We can allow members of GROUPTHREE to shutdown and reboot the machine by creating a "command alias" and using that in a rule for GROUPTHREE:
/etc/sudoers
. . .
Cmnd_Alias      POWER = /sbin/shutdown, /sbin/halt, /sbin/reboot, /sbin/restart
GROUPTHREE  ALL = POWER
. . .
We create a command alias called POWER that contains commands to power off and reboot the machine. We then allow the members of GROUPTHREE to execute these commands.
We can also create "Run as" aliases, which can replace the portion of the rule that specifies the user to execute the command as:
/etc/sudoers
. . .
Runas_Alias     WEB = www-data, apache
GROUPONE    ALL = (WEB) ALL
. . .
This will allow anyone who is a member of GROUPONE to execute commands as the www-data user or the apache user.
Just keep in mind that later rules will override earlier rules when there is a conflict between the two.

GROUPONE    ALL = NOPASSWD: /usr/bin/updatedb
. . .
NOPASSWD is a "tag" that means no password will be requested. It has a companion command called

> To find out just exactly what sudo permissions you have on your computer, you would run the following

 
# sudo -l
That is "sudo" and a lowercase L as the argument.

Code:
%admin jaunty=(ALL)NOPASSWD:/usr/bin/apt-get
So, as long as your hostname remains 'jaunty', you can run the sudo command only from your own computer.

The second way is by using IP addresses.
Note: This requires you to be connected to a network! Otherwise you will be denied access.
Code:
%admin 192.168.1.0/255.255.255.0=(ALL)NOPASSWD:/usr/bin/apt-get
192.168.1.0 is the IP of your local network.
255.255.255.0 is the subnet of your local network.

So, in this instance, you are restricting the use of sudo only to users with an IP address of 192.168.1.1 through to 192.168.1.254

Restricting User Switching
To run commands as another user (other than root), you would run the following:
sudo -u username command
To prevent this from happening, you can restrict it by using:
Code:
%admin jaunty=(root)NOPASSWD:/usr/bin/apt-get
So now members of the admin group can only run the given commands without a password as root. It doesn't matter how hard they try otherwise.

Note: if an earlier rule already lets the user run the command as any user, more specifically this line, which is the default in Ubuntu:
Code:
%admin ALL=(ALL) ALL
then they will have to provide their own password to continue.

A more secure method:
Code:
%admin ALL=(root) ALL
Where they will be instead denied if they try to run an application as another user.

Restricting Application Usage
As well as limiting the applications a user can run using sudo, you can also limit the arguments those applications accept, for apps that do more than one job.

To limit apt-get usage to just 'update' and 'upgrade', we can have something like this:
Code:
%admin jaunty=(root)NOPASSWD:/usr/bin/apt-get update,/usr/bin/apt-get upgrade
And now every other apt-get argument (install, remove, dist-upgrade) is denied!

Alternately, we can also use the glob match '*'.
Code:
%admin jaunty=(root)NOPASSWD:/usr/bin/apt-get up*
The '*' match is very powerful, and can apply to anything in the command listing part of the configuration line, i.e.:
Code:
%admin jaunty=(root)NOPASSWD:/*/sbin/*
This could match anything from all the files in '/usr/sbin/' to '/usr/local/sbin/' and even places such as '/home/user/sbin/' fall into the match. As such, it is advised that you use it wisely.

Restricting use of sudo to Single Users
As well as specifying groups, we can hand out sudo permissions on a 'per-user' basis too. For example, to only allow the user 'iain' (me) to run 'apt-get update' and 'apt-get upgrade', we use the following:
Code:
iain jaunty=(root)NOPASSWD:/usr/bin/apt-get update,/usr/bin/apt-get upgrade
Note the difference between a user and a group: groups have the '%' symbol prefixed to their name. So, to change this so that only users in the group 'iain' can run 'apt-get', we simply add the '%' symbol:
Code:
%iain jaunty=(root)NOPASSWD:/usr/bin/apt-get update,/usr/bin/apt-get upgrade
Restrict Applications
There is a hidden fifth restriction that I forgot to mention. In some cases, you want to restrict the application once it has been given root powers.

i.e. vim, less and some other similar applications allow you to 'shell out' of the application and run commands using the ! operator, for example:
Code:
:!aptitude
The risk? If given permission to run vim as root, you can carry out any administrative task on the system, which isn't very good if you just want certain users to run vim as root, but not any other command.

For this, we have the NOEXEC option, which will prevent the command from shelling out.
Code:
%admin ALL=(root)NOEXEC:/usr/bin/vim
Although, bear in mind that for the majority of applications this isn't the best option for usability, since programs such as 'apt-get' do indeed fork a shell to run applications such as dpkg and wget.

Host Alias Specification
Host aliases are declared like so, using my hostname as an example:

Code:
Host_Alias HOST = jaunty
If I were to alias the local network:
Code:
Host_Alias LAN = 192.168.1.0/255.255.255.0
User Alias Specification

Code:
User_Alias FUSE_USERS = andy,ellz,matt,jamie
RunAs Alias Specification
Runas aliases are aliases for the users you can sudo as, via 'sudo -u'. Again, I won't go into this, but it works like so:
Code:
Runas_Alias USERS = root,andy,ellz,matt,jamie
And put in the following context:
Code:
%admin  ALL=(USERS) ALL
Members of the admin group can run any command as any of the users listed in USERS.

Command Alias Specification
And lastly, command aliases, as you may have guessed, are aliases for command names. To skip any brief talk about them, let's first fulfil what my original scenario intended.
Code:
Cmnd_Alias CRYPT   = /usr/bin/truecrypt
Cmnd_Alias USBDEV  = /usr/bin/unetbootin,/usr/bin/gnome-format
Cmnd_Alias APT     = /usr/bin/apt-get update,/usr/bin/apt-get upgrade
Cmnd_Alias UPDATES = /usr/bin/update-manager
Cmnd_Alias FUSE    = /usr/bin/Gmount-iso
Cmnd_Alias MYPROGS = CRYPT,USBDEV,APT,UPDATES,FUSE
Whoa, that is a lot. In fact, what I've done is split the applications into sub-groups, and gathered those groups into one, MYPROGS.

Gelling it together
With the above in place, we can now write out lines such as this:
Code:
iain HOME=(root)NOPASSWD:MYPROGS
which results in a much cleaner, easier to maintain configuration.

The Result
Put that all together, and we have something that looks like this:
Code:
Defaults    env_reset,tty_tickets

# Host alias specification
Host_Alias HOST = jaunty
Host_Alias LAN  = 192.168.1.0/255.255.255.0
Host_Alias HOME = HOST,LAN

# User alias specification

# Cmnd alias specification
Cmnd_Alias CRYPT   = /usr/bin/truecrypt
Cmnd_Alias USBDEV  = /usr/bin/unetbootin,/usr/bin/gnome-format
Cmnd_Alias APT     = /usr/bin/apt-get update,/usr/bin/apt-get upgrade
Cmnd_Alias UPDATES = /usr/bin/update-manager
Cmnd_Alias FUSE    = /usr/bin/Gmount-iso
Cmnd_Alias MYPROGS = CRYPT,USBDEV,APT,UPDATES,FUSE

# User privilege specification
root    ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin HOME=(root) ALL
%admin HOME=(root) NOEXEC:/usr/bin/vim
iain   HOME=(root) NOPASSWD:MYPROGS
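To see how the fields, aliases, tags and rule ordering described above actually combine, here is an added example: my own code, not part of the post and not sudo's implementation. It parses the "Result" configuration above (comments removed) and decides a few requests against it. It handles only the subset of the syntax the post uses: the four alias kinds, host names and network/netmask specs, %group and user specs, a single Runas user, the NOPASSWD/PASSWD and NOEXEC/EXEC tags, glob matching of the command path and arguments, and last-match-wins ordering. Everything else in real sudo (Defaults, negation with !, digests, #includedir) is out of scope, and the Request, Verdict and Sudoers names are mine.

```python
"""Toy evaluator for the subset of sudoers syntax used in the post above.
Added example: not sudo's implementation and not code from the post."""
import fnmatch
import ipaddress
import re
from dataclasses import dataclass

ALIAS_RE = re.compile(r"^(Host_Alias|User_Alias|Runas_Alias|Cmnd_Alias)\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC):\s*")

# Constructed input: the "Result" configuration from the post, comments removed.
SAMPLE_SUDOERS = """\
Defaults    env_reset,tty_tickets
Host_Alias HOST = jaunty
Host_Alias LAN  = 192.168.1.0/255.255.255.0
Host_Alias HOME = HOST,LAN
Cmnd_Alias CRYPT   = /usr/bin/truecrypt
Cmnd_Alias USBDEV  = /usr/bin/unetbootin,/usr/bin/gnome-format
Cmnd_Alias APT     = /usr/bin/apt-get update,/usr/bin/apt-get upgrade
Cmnd_Alias UPDATES = /usr/bin/update-manager
Cmnd_Alias FUSE    = /usr/bin/Gmount-iso
Cmnd_Alias MYPROGS = CRYPT,USBDEV,APT,UPDATES,FUSE
root    ALL=(ALL) ALL
%admin HOME=(root) ALL
%admin HOME=(root) NOEXEC:/usr/bin/vim
iain   HOME=(root) NOPASSWD:MYPROGS
"""

@dataclass
class Request:
    user: str        # invoking user name
    groups: tuple    # that user's group names
    hostname: str    # host the command is run on, and its IP
    ip: str
    runas: str       # target user (sudo -u), "root" when not given
    command: str     # full command line, e.g. "/usr/bin/apt-get update"

@dataclass
class Verdict:
    allowed: bool
    password: bool = True   # False when the deciding rule carried NOPASSWD
    noexec: bool = False    # True when the deciding rule carried NOEXEC

class Sudoers:
    def __init__(self, text):
        self.aliases = {k: {} for k in ("Host_Alias", "User_Alias", "Runas_Alias", "Cmnd_Alias")}
        self.rules = []   # (who, host, runas, [(command_spec, nopasswd, noexec), ...]) in file order
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # strip comments; #includedir is not supported here
            if not line or line.startswith("Defaults"):
                continue
            m = ALIAS_RE.match(line)
            if m:
                kind, name, items = m.groups()
                self.aliases[kind][name] = [i.strip() for i in items.split(",")]
                continue
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("unsupported line: " + raw)
            cmds, nopasswd, noexec = [], False, False
            for entry in m.group("cmds").split(","):
                entry = entry.strip()
                # A tag applies to the command it precedes and to every later command in the list.
                while (t := TAG_RE.match(entry)):
                    tag, entry = t.group(1), entry[t.end():]
                    if tag.endswith("PASSWD"):
                        nopasswd = tag == "NOPASSWD"
                    else:
                        noexec = tag == "NOEXEC"
                cmds.append((entry, nopasswd, noexec))
            runas = (m.group("runas") or "root").split(":")[0]   # no "(...)" part means "as root"
            self.rules.append((m.group("who"), m.group("host"), runas, cmds))

    def expand(self, kind, item):
        """Recursively replace an alias name of the given kind with its leaf items."""
        if item not in self.aliases[kind]:
            return [item]
        return [leaf for sub in self.aliases[kind][item] for leaf in self.expand(kind, sub)]

    @staticmethod
    def host_matches(spec, req):
        if spec == "ALL" or spec == req.hostname:
            return True
        if "/" in spec:   # network/netmask or CIDR form
            return ipaddress.ip_address(req.ip) in ipaddress.ip_network(spec, strict=False)
        return False

    @staticmethod
    def user_matches(spec, req):
        if spec.startswith("%"):
            return spec[1:] in req.groups
        return spec == "ALL" or spec == req.user

    @staticmethod
    def cmd_matches(spec, req):
        """Path and arguments glob-match; a spec without arguments allows any arguments."""
        if spec == "ALL":
            return True
        spec_path, _, spec_args = spec.partition(" ")
        req_path, _, req_args = req.command.partition(" ")
        if not fnmatch.fnmatchcase(req_path, spec_path):
            return False
        return not spec_args or fnmatch.fnmatchcase(req_args, spec_args)

    def evaluate(self, req):
        verdict = Verdict(allowed=False)   # no matching rule: denied
        for who, host, runas, cmds in self.rules:   # later matching rules override earlier ones
            if not any(self.user_matches(u, req) for u in self.expand("User_Alias", who)):
                continue
            if not any(self.host_matches(h, req) for h in self.expand("Host_Alias", host)):
                continue
            if not any(r in ("ALL", req.runas) for r in self.expand("Runas_Alias", runas)):
                continue
            for spec, nopasswd, noexec in cmds:
                if any(self.cmd_matches(leaf, req) for leaf in self.expand("Cmnd_Alias", spec)):
                    verdict = Verdict(True, password=not nopasswd, noexec=noexec)
        return verdict
```

It answers questions such as "can andy run vim as www-data from the LAN?" before a change is committed; the authoritative check on the host remains `sudo -l` (shown earlier in the post) and `visudo -c` for syntax.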
 


Tuesday, May 17, 2016

How to scan new FC LUNs and SCSI disks in Linux?

How do you scan new FC LUNs and SCSI disks in Red Hat Linux without rebooting the server? Many Linux beginners wonder how to do this, and this article is for them. It may look very simple, since we perform it as a daily operation to scan LUNs, but the system has a lot of work to do in the background when you execute storage scanning commands. Red Hat says this type of scan can be disruptive, since it can cause delays while I/O operations time out and can remove devices unexpectedly from the OS. So perform this scan only when you really need to scan for new disks and LUNs.

Scanning FC-LUN’s in Redhat Linux

1. First find out how many disks are visible in "fdisk -l".
# fdisk -l 2>/dev/null | egrep '^Disk' | egrep -v 'dm-' | wc -l
 
2. Find out how many host bus adapters are configured in the Linux box. You can use "systool -c fc_host -v" to verify the available FC HBAs in the system.
# ls /sys/class/fc_host
host0  host1
In this case,you need to scan host0 & host1 HBA.


3. If the system's free virtual memory is too low, do not proceed further. If you have enough free virtual memory, you can proceed with the commands below to scan for new LUNs.
# echo "1" > /sys/class/fc_host/host0/issue_lip
# echo "- - -" > /sys/class/scsi_host/host0/scan
# echo "1" > /sys/class/fc_host/host1/issue_lip
# echo "- - -" > /sys/class/scsi_host/host1/scan
Note: Monitor the "issue_lip" messages in /var/log/messages to determine when the scan has completed; this operation is asynchronous.

You can also use the rescan-scsi-bus.sh script from sg3_utils to detect new LUNs.
# yum install sg3_utils
# rescan-scsi-bus.sh

4. Verify whether the new LUN is visible by counting the available disks.
# fdisk -l 2>/dev/null | egrep '^Disk' | egrep -v 'dm-' | wc -l
If any new LUNs were added, the count will be higher than before scanning.


Scanning SCSI DISKS in Redhat Linux

1. Find the existing disks with fdisk.
[root@mylinz1 ~]# fdisk -l |egrep '^Disk' |egrep -v 'dm-'
Disk /dev/sda: 21.5 GB, 21474836480 bytes
2. Find out how many SCSI controllers are configured.
[root@mylinz1 ~]# ls /sys/class/scsi_host/
host0 host1 host2
In this case,you need to scan host0,host1 & host2.

3. Scan the SCSI disks using the commands below.
[root@mylinz1 ~]# echo "- - -" > /sys/class/scsi_host/host0/scan
[root@mylinz1 ~]# echo "- - -" > /sys/class/scsi_host/host1/scan
[root@mylinz1 ~]# echo "- - -" > /sys/class/scsi_host/host2/scan
4. Verify whether the new disks are visible.
[root@mylinz1 ~]# fdisk -l |egrep '^Disk' |egrep -v 'dm-'
Disk /dev/sda: 21.5 GB, 21474836480 bytes
Disk /dev/sdb: 1073 MB, 1073741824 bytes
Disk /dev/sdc: 1073 MB, 1073741824 bytes
From Red Hat Linux 5.4 onwards, Red Hat introduced the "/usr/bin/rescan-scsi-bus.sh" script to scan all the SCSI buses and update the SCSI layer to reflect new devices.
But often the script will not be able to scan new disks and you need to go with the echo command.

Monday, December 21, 2015

Basic NFS Configuration

1. Basic NFS Configuration

1.1. NFS Server configuration

Run the below commands to begin the NFS Server installation:
[nfs-server ]# yum install nfs-utils rpcbind

Next we export some arbitrary directory called /opt/nfs. Create /opt/nfs directory:

[nfs-server ]# mkdir -p /opt/nfs

and edit /etc/exports NFS exports file to add the below line while replacing the IP address with the IP address of your client:
/opt/nfs NFS_client_IP(no_root_squash,rw,sync)

Next make sure to open port 2049 on your firewall to allow client requests:
[nfs-server ]# firewall-cmd --zone=public --add-port=2049/tcp --permanent
[nfs-server ]# firewall-cmd --reload

Start rpcbind daemon and NFS server in this order:
[nfs-server ]# service rpcbind start; service nfs start

Check the NFS server status:
[nfs-server ]# service nfs status 
 

1.2. NFS Client configuration

To be able to mount NFS exported directories on your client, the following packages need to be installed. Depending on your client's Linux distribution the installation procedure may differ. On Redhat 7 Linux the installation steps are as follows:

[nfs-client ]# yum install nfs-utils rpcbind
[nfs-client ]# service rpcbind start
 
What remains is to create a mount point directory, e.g. /mnt/nfs, and mount the previously exported /opt/nfs directory:
[nfs-client ]# mkdir -p /mnt/nfs
[nfs-client ]# mount NFS-Server_IP:/opt/nfs /mnt/nfs/
 
Test the correctness of our setup between the NFS server and the NFS client. Create an arbitrary file within the NFS mounted directory on the client side:
[nfs-client ]# cd /mnt/nfs/
[nfs-client ]# touch NFS.test
[nfs-client ]# ls -l
total 0
-rw-r--r--. 1 root root 0 Dec 11 08:13 NFS.test
 
Move to the server side and check whether our newly created NFS.test file exists:
[nfs-server ]# cd /opt/nfs/
[nfs-server ]# ls -l
total 0
-rw-r--r--. 1 root root 0 Dec 11 08:13 NFS.test

2. Configuring permanent NFS mount

In order to have our NFS exports permanently available after the NFS server reboots, we need to make sure that the nfs service starts at boot:

[nfs-server ]# systemctl enable nfs-server
ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service'

To allow the client to mount the exported directory permanently after a reboot, we need to define the mount in the /etc/fstab config file. Open /etc/fstab and add the following line:

NFS-Server_IP:/opt/nfs /mnt/nfs nfs defaults   0 0
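The single exports line above grants no_root_squash to the client, which is worth catching before the export goes live. The following is an added example, my own code rather than the post's and not part of nfs-utils: a small parser for /etc/exports that applies the same defaults exportfs does (ro, sync, root_squash, secure) and flags the options that widen access, run over a weak and a tightened version of the same export. The client address 192.168.56.5 stands in for the post's NFS_client_IP placeholder, and the extra lines and all function names are constructed.

```python
"""Parse /etc/exports as exportfs reads it and flag options that widen access.
Added example: my own code, not the post's and not part of nfs-utils."""
import re

CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")   # host(opts) or a bare host

# Constructed samples. The first line is the post's export with 192.168.56.5
# standing in for NFS_client_IP; the remaining lines are made up for contrast.
WEAK_EXPORTS = """\
/opt/nfs 192.168.56.5(no_root_squash,rw,sync)
/export/home 10.1.0.0/24(rw,sync)
/srv/pub *(ro,async)
"""
TIGHT_EXPORTS = """\
/opt/nfs 192.168.56.5(rw,sync,root_squash)
/export/home 10.1.0.0/24(rw,sync)
"""

MESSAGES = {
    "world_rw": "writable by every host that can reach the server",
    "world_ro": "readable by every host that can reach the server",
    "no_root_squash": "client root keeps uid 0 on the export",
    "insecure": "requests from unprivileged source ports are accepted",
    "async": "acknowledged writes can be lost if the server crashes",
}

def effective_options(opts):
    """Start from the exportfs defaults (ro, sync, root_squash, secure); each
    option named in the file replaces the member of its pair."""
    eff = {"access": "ro", "sync": "sync", "squash": "root_squash", "port": "secure"}
    for opt in opts:
        if opt in ("rw", "ro"):
            eff["access"] = opt
        elif opt in ("sync", "async"):
            eff["sync"] = opt
        elif opt in ("root_squash", "no_root_squash", "all_squash"):
            eff["squash"] = opt
        elif opt in ("secure", "insecure"):
            eff["port"] = opt
    return eff

def parse_exports(text):
    """Return (path, client, effective_options) for every client on every export line."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, clients = parts[0], (parts[1] if len(parts) > 1 else "")
        for m in CLIENT_RE.finditer(clients):
            client = m.group(1) or m.group(3)
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            out.append((path, client, effective_options(opts)))
    return out

def audit_exports(text):
    """Return (path, client, code) findings; codes are keys of MESSAGES."""
    findings = []
    for path, client, eff in parse_exports(text):
        world = client == "*" or client.startswith("*.")   # "*" or a wildcard domain
        if world:
            findings.append((path, client, "world_rw" if eff["access"] == "rw" else "world_ro"))
        if eff["squash"] == "no_root_squash":
            findings.append((path, client, "no_root_squash"))
        if eff["port"] == "insecure":
            findings.append((path, client, "insecure"))
        if eff["sync"] == "async":
            findings.append((path, client, "async"))
    return findings

if __name__ == "__main__":
    for path, client, code in audit_exports(WEAK_EXPORTS):
        print(f"{path} {client}: {MESSAGES[code]}")
```

Run it over the real file before `exportfs -a`; an empty result for the tightened version shows that restricting the client and keeping root_squash (the default) removes every finding without giving up rw.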

Sunday, December 20, 2015

RHEL 7: Install and setup samba server



Operating System : RHEL7/CentOS 7
Arch : x86_64
Samba Version : Samba 4.1.1 (Default from CentOS repo)
Kernel Versio : 3.10.0-123.el7.x86_64
IP Address : 192.168.56.102
Network Subnet : 192.168.56.0/24 or can be written also as 192.168.56.0/255.255.255.0
NOTE: CentOS 7 is installed with minimal packages (minimal installed)

Samba Server port numbers

137/tcp
137/udp
138/tcp
138/udp
139/tcp
139/udp
445/tcp
445/udp

Daemon used in Samba server

Samba services are implemented as two daemons:
1. smbd, which provides the file and printer sharing services.
2. nmbd, which provides the NetBIOS-to-IP-address name service. NetBIOS over TCP/IP requires some method for mapping NetBIOS computer names to the IP addresses of a TCP/IP network.

How to install and configure samba server

Step 1 : Use the yum command to install the samba packages
(a) policycoreutils-python : for the semanage command
(b) samba-client : for smbpasswd
(c) cups-libs : for the printer service
(d) samba and samba-common : for the Samba server
 
yum install -y samba samba-common cups-libs policycoreutils-python samba-client
 
Step 2: Create a directory
Create a directory called /home/smbshare. This directory will be shared with clients.
 
mkdir /home/smbshare

Step 3: Add a new group, or use an existing group
To provide access to the shared directory, here we are adding a new group called smb.
 
groupadd smb

Step 4: Change the group and permissions of the shared folder
Here we are sharing /home/smbshare from the samba server, hence the group and permissions are changed for this directory.
 
chgrp -R smb /home/smbshare
chmod -R 777 /home/smbshare

Step 5: Change the SELinux security context
Change the SELinux security context on the shared directory and set the SELinux boolean for samba.
You can skip this step if SELinux is disabled on the system.
 
# semanage fcontext -a -t samba_share_t /home/smbshare/
# restorecon -Rv /home/smbshare/
# setsebool -P samba_enable_home_dirs on

Step 6: Create a user, add it to the group and set the samba password
Create a user and add it to the group called smb. Then set the samba password for this user.
 
# useradd smbuser
# usermod -aG smb smbuser
# smbpasswd -a smbuser
New SMB password:
Retype new SMB password:
Added user smbuser.

Step 7: Edit the /etc/samba/smb.conf file
First take a backup of /etc/samba/smb.conf, then edit smb.conf.
 
cd /etc/samba/
cp -p smb.conf smb.conf.orig

And add the contents given below at the end of /etc/samba/smb.conf.
 
vi /etc/samba/smb.conf
[smbshare]
comment = shared-directory
path = /home/smbshare
public = no
valid users = smbuser, @smb
writable = yes
browseable = yes
create mask = 0765
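A typo in valid users, or a share that is guest-writable, is easy to miss in smb.conf. The following is an added example, my own code rather than the post's and not part of Samba: it parses the file with configparser and flags such share settings. The sample repeats the [smbshare] share above with a deliberately misspelled user name and adds a constructed [public] share for contrast; KNOWN_USERS stands in for the server's real account list, and the function names are mine.

```python
"""Parse smb.conf and flag share settings that grant more than intended.
Added example: my own code, not the post's and not part of Samba."""
import configparser
import re

KNOWN_USERS = {"smbuser"}   # constructed stand-in for the server's account list

# Constructed smb.conf: the post's [smbshare] with a deliberately misspelled
# user name, plus a made-up [public] share for contrast.
WEAK_SMB_CONF = """\
[global]
    workgroup = MYGROUP

[smbshare]
    comment = shared-directory
    path = /home/smbshare
    public = no
    valid users = sbmuser, @smb
    writable = yes
    browseable = yes
    create mask = 0765

[public]
    path = /srv/public
    guest ok = yes
    writable = yes
    create mask = 0666
"""
TIGHT_SMB_CONF = """\
[smbshare]
    path = /home/smbshare
    valid users = smbuser, @smb
    writable = yes
    create mask = 0660
"""

def load_smb_conf(text):
    # smb.conf indents keys freely, and configparser would read an indented line
    # as a continuation of the previous value, so flatten the indentation first.
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",),
                                   comment_prefixes=("#", ";"), inline_comment_prefixes=("#", ";"))
    cp.read_string(flat)
    return cp

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_smb_conf(text, known_users):
    """Return (share, code) findings for every share section; [] means nothing flagged."""
    findings = []
    cp = load_smb_conf(text)
    for share in cp.sections():
        if share.lower() == "global":
            continue
        s = cp[share]
        # "public" is a synonym of "guest ok"; "writable"/"writeable" invert "read only"
        guest = is_yes(s.get("guest ok", s.get("public", "no")))
        writable = is_yes(s.get("writable", s.get("writeable", "no")))
        if "read only" in s:
            writable = not is_yes(s["read only"])
        if guest:
            findings.append((share, "guest_write" if writable else "guest_read"))
        else:
            # Every plain name in "valid users" must exist; a typo locks that user
            # out, and an unrelated account with the misspelled name would get in.
            for name in re.split(r"[\s,]+", s.get("valid users", "").strip()):
                if name and not name.startswith(("@", "+", "&")) and name not in known_users:
                    findings.append((share, "unknown_user:" + name))
        for key in ("create mask", "directory mask"):
            if key in s and int(s[key], 8) & 0o002:   # other-write bit set
                findings.append((share, "world_writable_" + key.replace(" ", "_")))
    return findings
```

Pair it with `testparm`, which checks the syntax Samba itself will accept; this script only looks at the meaning of a handful of share options.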


Step 8: Now start the smb and nmb services.
 
systemctl start smb.service
systemctl start nmb.service

Step 9 : Enable the smb and nmb services at system boot
 
systemctl enable smb.service
systemctl enable nmb.service


Step 10 : Add firewalld rule to allow samba

# firewall-cmd --add-service=samba --permanent

Now reload firewalld
# firewall-cmd --reload 

Note: the firewalld service must be running for the above procedure. To start firewalld use the systemd command, i.e. systemctl start firewalld.service

How to connect to Samba Server

1. Windows :
In the Windows operating system, open Run by pressing the Start key + R, then type the path in the format \\ip-address-of-samba-server\shared-directory-name:
 
\\192.168.56.102\sharedrepo

Give the username and password when asked.

2. Linux :
smbclient must be installed on the system.

(A) List the shared files or directory available in samba server
 
smbclient -L \\192.168.56.102 -U smbuser 

In above command,
-L = For listing shared objects.
Samba Server IP Address = 192.168.56.102
User Name =smbuser

Below given is sample output
 
sharad@linuxworld:~$ smbclient -L \\192.168.56.102 -U smbuser
Enter test's password: 
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]

 Sharename       Type      Comment
 ---------       ----      -------
 IPC$            IPC       IPC Service (Samba Server Version 4.1.1)
 sharedrepo      Disk      shared-directory
 test            Disk      Home Directories
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]

 Server               Comment
 ---------            -------
 LOCALHOST            Samba Server Version 4.1.1

 Workgroup            Master
 ---------            -------
 MYGROUP              LOCALHOST
sharad@linuxworld:~$

(B) Access using smb console
 
smbclient //192.168.56.102/sharedrepo -U smbuser

After login, you will get the smb console. You can use the get and put commands for getting/putting files. There are other commands you can use as well.
Sample output
 
sharad@linuxworld:~$ smbclient //192.168.56.102/sharedrepo -U smbuser
Enter test's password: 
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> 
smb: \> help
?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            dir            du             
echo           exit           get            getfacl        geteas         
hardlink       help           history        iosize         lcd            
link           lock           lowercase      ls             l              
mask           md             mget           mkdir          more           
mput           newer          notify         open           posix          
posix_encrypt  posix_open     posix_mkdir    posix_rmdir    posix_unlink   
print          prompt         put            pwd            q              
queue          quit           readlink       rd             recurse        
reget          rename         reput          rm             rmdir          
showacls       setea          setmode        stat           symlink        
tar            tarmode        timeout        translate      unlock         
volume         vuid           wdel           logon          listconnect    
showconnect    tcon           tdis           tid            logoff         
..             !              
smb: \> 

(C) Mount the samba shared directory
To mount the samba shared directory on a machine, your system must support the cifs file system:
mount -t cifs //192.168.56.102/sharedrepo -o username=test /mnt/

In Ubuntu, click on Dash home and simply access the samba server:
 
smb://192.168.56.102/


Tuesday, December 15, 2015

Dynamically detecting new SAN disks in Linux

When you have new LUNs created on the SAN fabric, zoned and mapped to the server, how can you detect the LUNs on the Linux server online, without rebooting it?
When you dynamically add new disks to a Linux VM running on an ESX server, how do you detect those disks on the Linux virtual machine?
Here are the steps to do that:
  1. Install the sg3_utils and lsscsi packages.
    [root@fedora01 ~]# yum install -y sg3_utils lsscsi
  2. The "lsscsi" command will list the disks attached to the system. If you have just attached a disk, you will not be able to see it yet. You can also list this using "fdisk -l".
    [root@fedora01 ~]# lsscsi
    [0:0:0:0]    disk    VMware   Virtual disk     1.0   /dev/sda
    [root@fedora01 ~]#
    As you can see above, I currently have one disk connected to the system. To scan for the new device I just added, we should run rescan-scsi-bus.sh from the host.
  3. Run the command "/usr/bin/rescan-scsi-bus.sh" to dynamically detect and activate the new disk.
    [root@fedora01 ~]# /usr/bin/rescan-scsi-bus.sh -l
    Host adapter 0 (mptspi) found.
    Scanning SCSI subsystem for new devices
    Scanning host 0 for  SCSI target IDs  0 1 2 3 4 5 6 7, LUNs  0 1 2 3 4 5 6 7
    Scanning for device 0 0 0 0 …
    OLD: Host: scsi0 Channel: 00 Id: 00 Lun: 00
          Vendor: VMware   Model: Virtual disk   Rev: 1.0
          Type:   Direct-Access                  ANSI SCSI revision: 02
    Scanning for device 0 0 1 0 …
    NEW: Host: scsi0 Channel: 00 Id: 01 Lun: 00
          Vendor: VMware   Model: Virtual disk   Rev: 1.0
          Type:   Direct-Access                  ANSI SCSI revision: 02
    1 new device(s) found.
    0 device(s) removed.
    [root@fedora01 ~]#

    [root@fedora01 ~]# lsscsi
    [0:0:0:0]    disk    VMware   Virtual disk     1.0   /dev/sda
    [0:0:1:0]    disk    VMware   Virtual disk     1.0   /dev/sdb
    [root@fedora01 ~]#

    You see the new disk is visible. Now you can create a partition or filesystem on it.
After running those commands, check dmesg and /var/log/messages to see if there are any device detections. You can also do “fdisk -l” or “cat /proc/scsi/scsi” to see the attached LUNs. This works fine in RHEL5/6, SuSE 10, CentOS5, OEL5.
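This post and the "How to scan new FC LUNs and SCSI disks in Linux?" post above describe the same procedure by hand: find the HBAs, write to issue_lip and scan, then compare the disk list. The following is an added example, my own code rather than either post's, that does this for every host at once and diffs lsscsi output to name the devices that appeared. The sysfs parameter, the function names and the temporary directory tree built by demo() are mine; against the real /sys the writes need root, and the disruption caveat from the first post applies.

```python
"""Discover HBAs under sysfs, trigger the rescan both posts describe on every
host, and diff `lsscsi` output. Added example: my own code, not from the posts."""
import re
from pathlib import Path

LSSCSI_RE = re.compile(r"^\[(\d+):(\d+):(\d+):(\d+)\]\s+(\S+)\s+(.*?)\s+(/dev/\S+)\s*$")

# Constructed lsscsi output, copied from the post's before/after listings.
LSSCSI_BEFORE = "[0:0:0:0]    disk    VMware   Virtual disk     1.0   /dev/sda\n"
LSSCSI_AFTER = (
    "[0:0:0:0]    disk    VMware   Virtual disk     1.0   /dev/sda\n"
    "[0:0:1:0]    disk    VMware   Virtual disk     1.0   /dev/sdb\n"
)

def find_hosts(sysfs="/sys"):
    """Return sorted (fc_hosts, scsi_hosts) names found under sysfs."""
    fc = sorted(p.name for p in Path(sysfs, "class/fc_host").glob("host*"))
    scsi = sorted(p.name for p in Path(sysfs, "class/scsi_host").glob("host*"))
    return fc, scsi

def rescan(sysfs="/sys", dry_run=False):
    """Issue a LIP on each FC host, then a wildcard scan on every SCSI host.
    Returns the (path, value) writes so a dry run can be reviewed first."""
    fc, scsi = find_hosts(sysfs)
    writes = [(Path(sysfs, "class/fc_host", h, "issue_lip"), "1") for h in fc]
    writes += [(Path(sysfs, "class/scsi_host", h, "scan"), "- - -") for h in scsi]
    if not dry_run:
        for path, value in writes:
            path.write_text(value + "\n")   # needs root on a real system
    return [(str(p), v) for p, v in writes]

def parse_lsscsi(text):
    """Map H:C:T:L address -> device node from `lsscsi` output."""
    devices = {}
    for line in text.splitlines():
        m = LSSCSI_RE.match(line)
        if m:
            devices[":".join(m.group(1, 2, 3, 4))] = m.group(7)
    return devices

def new_devices(before, after):
    """(address, node) pairs present after the scan but not before."""
    old, new = parse_lsscsi(before), parse_lsscsi(after)
    return sorted((addr, node) for addr, node in new.items() if addr not in old)

def demo():
    """Run rescan() against a constructed sysfs tree in a temp dir, never the real /sys."""
    import tempfile
    root = tempfile.mkdtemp()
    for rel in ("class/fc_host/host0/issue_lip", "class/scsi_host/host0/scan",
                "class/scsi_host/host1/scan"):
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text("")
    return {
        "writes": rescan(root),
        "scan0": Path(root, "class/scsi_host/host0/scan").read_text(),
        "new": new_devices(LSSCSI_BEFORE, LSSCSI_AFTER),
    }
```

Capturing `lsscsi` before and after the scan and diffing the addresses is more reliable than comparing disk counts alone, because a device that was removed and another that was added would leave the count unchanged.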

Thursday, November 5, 2015

Adding a Swap File to an RHEL6 System

Identifying Current Swap Space Usage

The current amount of swap used by an RHEL 6 system may be identified in a number of ways.


# free -k
             total       used       free     shared    buffers     cached
Mem:       3082356    2043700    1038656          0      50976    1646268
-/+ buffers/cache:     346456    2735900
Swap:      4192956          0    4192956



The swapon command with the -s option displays the current swap space in KB.

# swapon -s
Filename                        Type            Size    Used    Priority
/dev/sda2                       partition       4192956 0       -1
 

# cat /proc/swaps
Filename                        Type            Size    Used    Priority
/dev/sda2                       partition       4192956 0       -1

Adding a Swap File to an RHEL 6 System

The following dd command example creates a swap file with the name “myswapfile” under /root directory with a size of 1024MB (1GB).

# dd if=/dev/zero of=/root/myswapfile bs=1M count=1024
1024+0 records in
1024+0 records out

# ls -l /root/myswapfile
-rw-r--r--    1 root     root     1073741824 Aug 14 23:47 /root/myswapfile
 
Configure the file as swap:
Change the permission of the swap file so that only root can access it.

# chmod 600 /root/myswapfile

Make this file a swap file using the mkswap command, then enable it with swapon.

# mkswap /root/myswapfile
# swapon /root/myswapfile
 
Verify whether the newly created swap area is available for your use.

 
# swapon -s
Filename                        Type            Size    Used    Priority
/dev/sda2                       partition       4192956 0       -1
/root/myswapfile                file            1048568 0       -2

# free -k
             total       used       free     shared    buffers     cached
Mem:       3082356    3022364      59992          0      52056    2646472
-/+ buffers/cache:     323836    2758520
Swap:      5241524          0    5241524

Finally, modify the /etc/fstab file to automatically add the new swap at system boot time by adding the following line:  

/root/myswapfile    swap    swap   defaults 0 0
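The chmod 600 step above matters because a swap file holds whatever was paged out of process memory once it is in use. The following is an added example, my own code rather than the post's: a check that a swap file is a root-owned regular file with no group or other permission bits, alongside a parser for /proc/swaps that confirms the file was activated with the expected size. The /proc/swaps text is copied from the listing above; demo() uses a throwaway temp file owned by the current user instead of root, and the function names are mine.

```python
"""Check a swap file's ownership and mode, and read /proc/swaps.
Added example: my own code, not the post's."""
import os
import stat

# Constructed /proc/swaps text, copied from the post's listing after swapon.
PROC_SWAPS = """\
Filename                        Type            Size    Used    Priority
/dev/sda2                       partition       4192956 0       -1
/root/myswapfile                file            1048568 0       -2
"""

def parse_proc_swaps(text):
    """Map each swap area to (type, size_kb, used_kb, priority)."""
    areas = {}
    for line in text.splitlines()[1:]:   # skip the header line
        fields = line.split()
        if len(fields) == 5:
            areas[fields[0]] = (fields[1], int(fields[2]), int(fields[3]), int(fields[4]))
    return areas

def check_swap_file(path, expected_uid=0):
    """Return problem codes for a swap file; [] means it is safe to hand to swapon.
    Any group/other permission bit is a problem: the file will hold pages of
    process memory once it is in use."""
    st = os.stat(path)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not_regular_file")
    if st.st_uid != expected_uid:
        problems.append("wrong_owner")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append("mode_%04o_too_open" % mode)
    return problems

def demo():
    """Create a throwaway file with the usual 0644 default, then apply the post's
    chmod 600 step; the current user stands in for root since the demo is unprivileged."""
    import tempfile
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, 0o644)
    before = check_swap_file(path, expected_uid=os.getuid())
    os.chmod(path, 0o600)
    after = check_swap_file(path, expected_uid=os.getuid())
    os.unlink(path)
    return before, after
```

The sizes in /proc/swaps add up to the 5241524 KB shown by `free -k` above, which is the quick way to confirm that the new file, and not some other area, accounts for the increase.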

Thursday, October 1, 2015

NFS Cheat Sheet



NFS Shares

Update Exports

After editing /etc/exports run
exportfs -a

List Exports


# showmount -e
Export list for myserver:
/export/home       10.1.0.0/24
#

Show Clients

On the NFS server run 'showmount' to see mounting clients
# showmount 
Hosts on myserver:
10.1.0.15
#

List Protocols/Services

To list local services run:
# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  48555  status
    100024    1   tcp  49225  status
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049
    100227    3   tcp   2049
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049
    100227    3   udp   2049
    100021    1   udp  51841  nlockmgr
    100021    3   udp  51841  nlockmgr
    100021    4   udp  51841  nlockmgr
    100021    1   tcp  37319  nlockmgr
    100021    3   tcp  37319  nlockmgr
    100021    4   tcp  37319  nlockmgr
    100005    1   udp  57376  mountd
    100005    1   tcp  37565  mountd
    100005    2   udp  36255  mountd
    100005    2   tcp  36682  mountd
    100005    3   udp  54897  mountd
    100005    3   tcp  51122  mountd
Above output is from an NFS server. You can also run it for remote servers by passing an IP. NFS clients usually just run status and portmapper:
# rpcinfo -p 10.1.0.15
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  44152  status
    100024    1   tcp  53182  status
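The server-versus-client difference described above is easy to turn into an inventory check. The following is an added example, my own code rather than the cheat sheet's: a parser for rpcinfo -p output that maps each service to its protocol/port pairs, fills in the service name for programs that rpcinfo lists without one (100227 is nfs_acl in the standard rpc table), classifies the host, and lists the dynamically assigned ports that a firewall rule cannot hard-code. The two outputs are constructed subsets of the listings above, and the function names are mine.

```python
"""Parse `rpcinfo -p` output and tell an NFS server from a client.
Added example: my own code, not the cheat sheet's."""
import re

RPCINFO_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")

# RPC program numbers from the standard rpc(5) table, for entries that rpcinfo
# prints without a service name (100227 appears that way in the listing above).
RPC_PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
                100021: "nlockmgr", 100024: "status", 100227: "nfs_acl"}

# Constructed subsets of the two listings in the cheat sheet.
SERVER_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  48555  status
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049
    100003    4   udp   2049  nfs
    100227    3   udp   2049
    100021    4   tcp  37319  nlockmgr
    100005    3   udp  54897  mountd
    100005    3   tcp  51122  mountd
"""
CLIENT_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  44152  status
    100024    1   tcp  53182  status
"""

def parse_rpcinfo(text):
    """Map service name -> set of (proto, port); unnamed programs are looked up in RPC_PROGRAMS."""
    services = {}
    for line in text.splitlines():
        m = RPCINFO_RE.match(line)
        if not m:
            continue   # header line or blank
        prog, _vers, proto, port, name = m.groups()
        name = name or RPC_PROGRAMS.get(int(prog), "program_" + prog)
        services.setdefault(name, set()).add((proto, int(port)))
    return services

def classify(text):
    """'nfs-server' when nfs and mountd are registered, 'nfs-client' when only
    portmapper/status are, 'other' for anything else (including no output)."""
    names = set(parse_rpcinfo(text))
    if {"nfs", "mountd"} <= names:
        return "nfs-server"
    if names and names <= {"portmapper", "status"}:
        return "nfs-client"
    return "other"

def dynamic_ports(text):
    """Ports other than portmapper's 111 and nfs's 2049: the ones assigned at
    start-up, which a firewall rule cannot hard-code unless they are pinned."""
    fixed = {111, 2049}
    return sorted({(proto, port) for pairs in parse_rpcinfo(text).values()
                   for proto, port in pairs if port not in fixed})
```

Feeding `rpcinfo -p <host>` output for each machine through classify() gives a quick list of which hosts are actually exporting, which is also a useful cross-check against the showmount output earlier in the sheet.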

NFSv4

Mounting NFSv4 Shares

The difference in mounting is that you need to provide "nfs4" and transport and port options like this:
mount -t nfs4 -o proto=tcp,port=2049 server:/export/home /mnt

Ensure Running Id Mapper

When using an NFSv4 share, ensure the id mapper is running on all clients. On Debian you need to explicitly start it:
service idmapd start

Mapping Users

You might want to set useful NFSv4 default mappings and some explicit mappings for unknown users:
#cat /etc/idmapd.conf
[...]
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Static]
someuser@otherserver = localuser

Tuning

Tuning NFS Clients

When optimizing for performance try the following client mount option changes:
  • Use "hard" instead of "soft"
  • Add "intr" to allow for dead server and killable client programs
  • Increase "mtu" to maximum
  • Increase "rsize" and "wsize" to maximum supported by clients and server
  • Remove "sync"
After changing and remounting check for effective options using "nfsstat -m" which will give you a list like this:
$ nfsstat -m
/data from 10.1.0.16:/data
 Flags: rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.1.0.16,local_lock=none,addr=10.1.0.15
$
When synchronous shares are important try the "noac" mount option.

Tuning NFS Server

For the exported filesystem mount options:
  • Use "noatime"
  • Use "async" if you can (risk of data corruption)
  • Use "no_subtree_check"
Other than that:
  • Use CFQ I/O scheduler
  • Increase /sys/block/sda/device/block/sda/queue/max_sectors_kb
  • Check /sys/block/sda/device/block/sda/queue/read_ahead_kb
  • Increase number of nfsd threads

Getting NFS Statistics

Use "nfsstat" for detailed NFS statistics! The options are "-c" for client and "-s" for server statistics. On the server caching statistics are most interesting,
# nfsstat -o rc
Server reply cache:
hits       misses     nocache
0          63619      885550  
#
on the client probably errors and retries. Also note that you can get live per-interval results when running with "--sleep=". For example
# nfsstat -o fh --sleep=2

Linux-Networking Cheat Sheet


Basics

  • Resolve a name via nsswitch
    getent hosts 
     
  • DNS Lookup
    dig 
    dig  +noall +answer
    dig  +short
    dig MX 
    dig NS 
    dig ANY 
    
    dig -x 
    dig -x  +short
    
    dig @8.8.8.8 
    
    dig -f input.txt +noall +answer
    
  • netcat Commands
    nc -l -p   # Listen on port
    nc -w3   # Listen for connection from IP on port
    
    # Search banners
    echo | nc -v -n -w1  -
    
    # Port scan
    nc -v -n -z -w1  -
    
  • ethtool - Usage
    ethtool eth0                       # Print general info on eth0
    ethtool -i eth0                    # Print kernel module info
    ethtool -S eth0                    # Print eth0 traffic statistics
    ethtool -a eth0                    # Print RX, TX and auto-negotiation settings
    ethtool -p eth0                    # Blink LED
    
    # Changing NIC settings...
    ethtool -s eth0 speed 100
    ethtool -s eth0 autoneg off
    ethtool -s eth0 duplex full
    ethtool -s eth0 wol g               # Turn on wake-on-LAN
    
    Do not forget to make changes permanent in e.g. /etc/network/interfaces.
  • ip - Usage
    ip link show
    ip link set eth0 up
    ip addr show
    ip neigh show
    
  • miitool - Show Link Infos
    # mii-tool -v
    eth0: negotiated 100baseTx-FD flow-control, link ok
      product info: vendor 00:07:32, model 17 rev 4
      basic mode:   autonegotiation enabled
      basic status: autonegotiation complete, link ok
      capabilities: 1000baseT-HD 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
      advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
      link partner: 1000baseT-HD 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
    
  • Enable Jumbo Frames
    ifconfig eth1 mtu 9000
  • ipsets - Using IP sets for simpler iptables rules
    ipset create smtpblocks hash:net counters
    ipset add smtpblocks 27.112.32.0/19
    ipset add smtpblocks 204.8.87.0/24
    iptables -A INPUT -p tcp --dport 25 -m set --match-set smtpblocks src -j DROP

    The set must exist before a rule references it, and iptables-save does not include sets: persist them separately (ipset save) and restore them before the iptables rules on boot.
  • iptables - Loopback Routing (hairpin NAT, so LAN clients can reach a DNAT'ed server through the router's address):
    iptables -t nat -A POSTROUTING -d <server-ip> -s <lan-net> -p tcp --dport 80 -j SNAT --to-source <router-lan-ip>
  • iptables - Show active rules (only the filter table; other tables need -t nat / -t mangle):
    iptables -S
    iptables -L
    iptables -L <chain>
  • iptables - Full flush (set the policies to ACCEPT first: flushing while the INPUT policy is still DROP removes the rule that allows your own SSH session):
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
  • iptables - Allow established:
    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  • iptables - Log denied requests (LOG only logs; the packet continues to the next rule or the chain policy, so place it right before the final DROP. The rate limit keeps an attacker from filling the log; position 5 assumes your accept rules occupy positions 1-4):
    iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
  • iptables - Persistency on Debian:
    apt-get install iptables-persistent

    # Set some rules and call
    invoke-rc.d iptables-persistent save

  • iptables - Persistency on Ubuntu: UFW (Uncomplicated FireWall), a front-end that keeps its own rule set across reboots
    ufw enable
    ufw status
    ufw allow ssh/tcp
    ufw allow from <ip> proto tcp to any port <port>
    ufw delete allow from <ip> proto tcp to any port <port>
    
  • fail2ban CLI Commands
    fail2ban-client status
    fail2ban-client status <jail>     # e.g. sshd: currently banned IPs and counters of one jail
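The individual iptables items above (policies, established/related, a rate-limited LOG, a final DROP, then saving with iptables-persistent) assembled into one default-deny ruleset. This is an added example and not part of the original cheat sheet: the function prints an iptables-restore file; the SSH port and the admin network are made-up parameters, and the LOGDROP chain name, log prefix, rate limit and log level are choices of this example, not something the cheat sheet prescribes.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet.
# emit_ruleset SSH_PORT ADMIN_NET: print a default-deny INPUT ruleset in
# iptables-restore format. SSH_PORT and ADMIN_NET are hypothetical parameters.
# Apply (as root) with:   emit_ruleset 22 203.0.113.0/24 | iptables-restore
# and persist afterwards with "invoke-rc.d iptables-persistent save" (see above).
emit_ruleset() {
    ssh_port="$1"
    admin_net="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# loopback and already-established flows first: they are the bulk of the traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new SSH connections only from the admin network
-A INPUT -p tcp --dport ${ssh_port} -s ${admin_net} -m conntrack --ctstate NEW -j ACCEPT
# answer pings, but rate-limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# everything else: log (rate-limited) and then actually drop
-A INPUT -j LOGDROP
# LOG on its own does not terminate the chain, so the DROP after it is what blocks;
# level 4 = warning, pick a level your syslog configuration really writes out
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Print the ruleset for review instead of applying it.
emit_ruleset 22 203.0.113.0/24
```

Review the printed file before piping it into iptables-restore from a console or an out-of-band session: with the INPUT policy at DROP, a typo in the SSH rule locks you out of a remote host.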

Troubleshooting

  • Black Hole Route: To block IPs create a route via loopback (the host can no longer answer those addresses, so their connections fail; a firewall rule drops the packets earlier and is the cleaner tool, and current iproute2 has a dedicated "blackhole" route type for this)
    route add -net 91.65.16.0/24 gw 127.0.0.1 lo   # for a subnet
    route add 91.65.16.4 gw 127.0.0.1 lo           # for a single IP
  • Quick Access Log IP Top List
    tail -100000 access.log | awk '{print $1}' | sort | uniq -c |sort -nr|head -25
  • Find out if an IP is already in use before configuring it (a reply from another MAC means it is taken)
    arping <ip>
  • Traceroute with AS and network name lookup
    lft -AN www.google.de
  • Manually lookup AS
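The "Quick Access Log IP Top List" one-liner above turned into a blocklist feed for the ipset rule from the Basics section. This is an added example, not part of the original cheat sheet: it assumes a combined-format access log with the client IP in the first field, and the set name "httpabuse", the threshold and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet.
# Constructed sample log lines (not real traffic) so the script runs offline;
# replace with e.g.  tail -100000 /var/log/nginx/access.log  for real use.
SAMPLE_LOG='203.0.113.7 - - [19/Aug/2016:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512
203.0.113.7 - - [19/Aug/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512
203.0.113.7 - - [19/Aug/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 512
198.51.100.23 - - [19/Aug/2016:10:00:04 +0000] "GET / HTTP/1.1" 200 1024
192.0.2.9 - - [19/Aug/2016:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048
192.0.2.9 - - [19/Aug/2016:10:00:06 +0000] "GET /admin HTTP/1.1" 403 128
192.0.2.9 - - [19/Aug/2016:10:00:07 +0000] "GET /admin HTTP/1.1" 403 128
192.0.2.9 - - [19/Aug/2016:10:00:08 +0000] "GET /admin HTTP/1.1" 403 128
not-an-ip - - [19/Aug/2016:10:00:09 +0000] "GET / HTTP/1.1" 200 1'

# top_ips: the cheat sheet pipeline, reading the log from stdin:
# count requests per client IP, busiest first.
top_ips() {
    awk '{print $1}' | sort | uniq -c | sort -rn
}

# offenders THRESHOLD: print the IPs with at least THRESHOLD requests.
# Only dotted-quad IPv4 addresses pass the filter, so a garbage or
# attacker-supplied first field (e.g. a logged X-Forwarded-For header)
# never ends up as an ipset entry.
offenders() {
    threshold="$1"
    top_ips | awk -v t="$threshold" \
        '$1 >= t && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $2}'
}

# blocklist_restore SETNAME THRESHOLD: emit an "ipset restore" script that
# creates the set and adds every offender. Review it, then feed it to
#   ipset -exist restore
# as root; -exist makes re-runs idempotent. The iptables rule from the
# Basics section (-m set --match-set SETNAME src -j DROP) does the blocking.
blocklist_restore() {
    setname="$1"
    threshold="$2"
    printf 'create %s hash:ip counters\n' "$setname"
    offenders "$threshold" | while read -r ip; do
        printf 'add %s %s\n' "$setname" "$ip"
    done
}

# Usage with the constructed sample: block everything with 3 or more hits.
printf '%s\n' "$SAMPLE_LOG" | blocklist_restore httpabuse 3
```

Run this from cron against the last N lines of the log to get a cheap, fail2ban-like blocklist; unlike fail2ban it never expires entries, so clear the set (ipset flush) or add a timeout to the create line if that matters.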

Measuring

  • vnstat - Short term measurement bytes/packets min/avg/max:
    vnstat -l      # Live listing until Ctrl-C and summary
    vnstat -tr     # 5s automatic traffic sample
  • vnstat - Long term statistics:
    vnstat -h      # last hours (including ASCII graph)
    vnstat -d      # last days
    vnstat -w      # last weeks
    vnstat -m     # last months
    
    vnstat -t       # top 10 days
  • curl - Time details on HTTP requests:
    curl -w "DNS: %{time_namelookup} Connect: %{time_connect} start:  %{time_starttransfer} total:  %{time_total}\n" -o /dev/null -s http://example.com

Discovery

  • LLDP
    lldpctl
    lldpctl eth0
  • nmap commands
    # Network scan (ping sweep without port scan; -sP is the old name for -sn)
    nmap -sn 192.168.0.0/24

    # Host scan
    nmap <host>
    nmap -F <host>       # fast: only the 100 most common ports
    nmap -O <host>       # detect OS
    nmap -sV <host>      # detect services and versions
    nmap -sU <host>      # detect UDP services

    # Alternative host discovery (ping types, for hosts that drop ICMP echo)
    nmap -PS <host>      # TCP SYN ping
    nmap -PA <host>      # TCP ACK ping
    nmap -PO <host>      # IP protocol ping
    nmap -PU <host>      # UDP ping

    # Alternative service discovery
    nmap -sS <host>      # TCP SYN (half-open) scan, needs root
    nmap -sT <host>      # TCP connect scan
    nmap -sA <host>      # TCP ACK scan: tells filtered from unfiltered ports, not open from closed
    nmap -sW <host>      # TCP window scan

    # Checking firewalls (these rely on RFC 793 behaviour; Windows hosts and stateful firewalls defeat them)
    nmap -sN <host>      # Null scan
    nmap -sF <host>      # FIN scan
    nmap -sX <host>      # Xmas scan
    

Debugging

  • iptraf - Real-time statistics in ncurses interfaces
  • mtr - Debug routing/package loss issues
  • netstat - The different modes (deprecated in favour of "ss", which takes mostly the same options)
    # Typically used modes
    netstat -rn          # List routes
    netstat -tlnp        # List listening TCP sockets with the owning process
    netstat -tlnpc       # Continuously do the above
    netstat -tulpen      # Listening TCP and UDP sockets, extended view (user, inode)
    netstat -a           # List all sockets, listening and connected

    # And more rarely used
    netstat -s           # List per protocol statistics
    netstat -su          # List UDP statistics
    netstat -M           # List masqueraded connections
    netstat -i           # List interfaces and counters
    netstat -o           # Show socket timers (e.g. to watch time_wait handling)
     
  • nttcp - TCP performance testing
    # On sending host
    nttcp -t -s
    
    # On receiving host
    nttcp -r -s
     
  • List Kernel Settings
    sysctl net
     
  • SNMP - Dump all MIBs: When you need to find the MIB for an object known only by name try
    snmpwalk -c public -v 1 -O s <host> .iso | grep <name>
    (SNMPv1 sends the community string in clear text, and "public" is the well-known default; devices that still answer to it need attention.)
  • tcpdump - Be verbose and print full packet hex dumps:
    tcpdump -i eth0 -nN -vvv -xX -s 1500 port <port>
  • tcpdump - Non-promiscuous mode to list only traffic that the network stack processes (the switch is -p; -e prints link-layer headers and does not change promiscuity):
    tcpdump -p ...
  • tcpdump - Many usage examples:
    # Filter port
    tcpdump port 80
    tcpdump src port 1025
    tcpdump dst port 389
    tcpdump portrange 21-23

    # Filter source or destination IP
    tcpdump src 10.0.0.1
    tcpdump dst 10.0.0.2

    # Filter everything on a network
    tcpdump net 1.2.3.0/24

    # Logical operators
    tcpdump src port 1025 and tcp

    # Provide full hex dump of captured HTTP packets (-s0: capture whole packets)
    tcpdump -s0 -x port 80

    # Filter TCP flags: byte 13 of the TCP header holds them (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32), e.g. RST
    tcpdump 'tcp[13] & 4 != 0'
    

Basic Linux Commands

Command, example and description:

cat - Sends file contents to standard output. This is a way to list the contents of short files to the screen. It works well with piping.
    cat .bashrc
        Sends the contents of the ".bashrc" file to the screen.
cd - Change directory
    cd /home
        Change the current working directory to /home. The leading '/' makes the path absolute (relative to the root directory), so no matter what directory you are in when you execute this command, the working directory becomes "/home".
    cd httpd
        Change the current working directory to httpd, relative to the current location, which is "/home". The full path of the new working directory is "/home/httpd".
    cd ..
        Move to the parent directory of the current directory. This command makes the current working directory "/home".
    cd ~
        Move to the user's home directory, e.g. "/home/username". The '~' stands for the user's home directory.
cp - Copy files
    cp myfile yourfile
        Copy the file "myfile" to the file "yourfile" in the current working directory. This creates "yourfile" if it does not exist and normally overwrites it without warning if it does.
    cp -i myfile yourfile
        With the "-i" option, if the file "yourfile" exists, you will be prompted before it is overwritten.
    cp -i /data/myfile .
        Copy the file "/data/myfile" to the current working directory and name it "myfile". Prompt before overwriting.
    cp -dpr srcdir destdir
        Copy all files from the directory "srcdir" to the directory "destdir" preserving symbolic links (-d), file attributes such as mode, ownership and timestamps (-p), and copying recursively (-r). With these options a directory and all its contents can be copied to another directory.
dd - Disk duplicate. The man page says this command is to "Convert and copy a file"; although mostly used by more advanced users, it can be a very handy command. "if" means input file, "of" means output file.
    dd if=/dev/hdb1 of=/backup/
        Copy the partition /dev/hdb1 block by block to the output file given with "of=". dd overwrites its target without asking, so check "if=" and "of=" twice.
df - Show the amount of disk space used on each mounted filesystem.
less - Similar to the more command, but the user can page up and down through the file.
    less textfile
        Displays the contents of textfile.
ln - Creates a link to a file; with "-s" a symbolic link.
    ln -s test symlink
        Creates a symbolic link named symlink that points to the file test. "ls -i test symlink" shows that the two names have different inodes; "ls -l test symlink" shows that symlink points to the file test.
locate - A fast database driven file locator.
    slocate -u
        Builds the slocate database (the equivalent on current systems is updatedb). It can take several minutes. The database must exist before searching for files; cron runs this command periodically on most systems.
    locate whereis
        Lists all files whose names contain the string "whereis".
logout - Logs the current user off the system.
ls - List files
    ls
        List files in the current working directory except those starting with ".", showing only the file names.
    ls -al
        List all files in the current working directory in long listing format showing permissions, ownership, size, and time and date stamp.
more - Allows file contents or piped output to be sent to the screen one page at a time.
    more /etc/profile
        Lists the contents of the "/etc/profile" file to the screen one page at a time.
    ls -al | more
        Performs a directory listing of all files and pipes the output through more. If the listing is longer than a page, it is shown one page at a time.
mv - Move or rename files
    mv -i myfile yourfile
        Move the file "myfile" to "yourfile". This effectively renames "myfile" to "yourfile"; "-i" prompts before overwriting an existing "yourfile".
    mv -i /data/myfile .
        Move the file "myfile" from the directory "/data" to the current working directory.
pwd - Show the name of the current working directory
    pwd
        Prints the full path of the current working directory.
shutdown - Shuts the system down.
    shutdown -h now
        Shuts the system down to halt immediately.
    shutdown -r now
        Shuts the system down immediately and reboots.
whereis - Show where the binary, source and manual page files are for a command
    whereis ls
        Locates binaries and manual pages for the ls command.
Editors: emacs, vi, pico, jed, vim

Wednesday, February 17, 2010

Free up Cache memory in Linux

Kernels 2.6.16 and newer provide a mechanism to have the kernel drop the page cache and/or the inode and dentry caches on command, which can help free up a lot of memory (mostly useful for benchmarking; the kernel reclaims these caches by itself when memory is needed).

To use /proc/sys/vm/drop_caches, just echo a number to it as root. With sudo the redirection is performed by your unprivileged shell, so use "sudo sh -c" or "sudo tee" rather than "sudo echo".

To free pagecache:

# echo 1 > /proc/sys/vm/drop_caches

To free dentries and inodes:

# echo 2 > /proc/sys/vm/drop_caches

To free pagecache, dentries and inodes:

# echo 3 > /proc/sys/vm/drop_caches


This is a non-destructive operation and will only free things that are completely unused. Dirty objects will continue to be in use until written out to disk and are not freeable. If you run "sync" first to flush them out to disk, these drop operations will tend to free more memory.

Saturday, August 9, 2008

CHANGING HOST NAME - Linux

On Red Hat style systems (RHEL, CentOS, Fedora) the hostname lives in these files:

/etc/hosts

/etc/sysconfig/network (HOSTNAME= line)

/etc/sysconfig/network-scripts/ifcfg-eth0 (depends on NIC name)

Then reboot.

or-

Use sysctl to change the hostname without a reboot

Use:

sysctl kernel.hostname

to read the current hostname, and

sysctl kernel.hostname=NEW_HOSTNAME

to change it. This only changes the running kernel's name; it is lost on reboot unless the files above are updated as well.

CHANGING IP ADDRESS IN LINUX

On Red Hat style systems edit:

vi /etc/sysconfig/network-scripts/ifcfg-eth0

vi /etc/sysconfig/network

And restart the interfaces...

/etc/init.d/network restart


Or use the interactive configuration tool: try /sbin/setup or /usr/sbin/setup

On Debian/Ubuntu edit /etc/network/interfaces instead.