
Linux Practicals

Index
1. Switching Terminals (2-3)
2. Fdisk (3-5)
3. Format (6-7)
4. Runlevels (8)
5. Symlinks & Hardlinks (9-16)
6. Archiving & Compression (17-28)
7. Daemons & Process (29-38)
8. File Permissions (39-41)
9. Umask (42-43)
10. Administrative commands and Low level commands (44)
11. Understanding UNIX/Linux filesystem (45-49)
12. FSTAB (50-56)
13. Bash (57-63)
14. Shell Scripting (64-73)
15. RPM (74-76)
16. User Administration (77-83)
17. PAM (84-90)
18. LVM (91-98)
19. The Linux Schedulers (99-106)
20. QUOTA (107-110)
21. Kernel Compilation (111-119)
22. Kernel Tuning (120-128)
23. Networking (129-138)
24. FTP (139-145)
25. NFS (146-154)
26. Network Info Service (NIS) (155-160)
27. Installation of autofs (161-162)
28. DHCP: Dynamic Host Configuration Protocol (163-171)
29. TCP Wrappers (172-176)
30. Xinetd (177-179)
31. SAMBA (180-194)
32. FIREWALL/IPTABLES (195-212)
33. DNS (213-227)
34. APACHE (228-248)
35. SendMail (249-262)
36. SQUID (263-274)
37. Vi/Vim Examples (275-282)

b.sadhiq
www.altnix.com

Switching Terminals
Linux has 6 ttys by default, which we call vcs (virtual consoles); the driver assigned to them is tty (/dev/tty*).
To switch from the GUI use CTRL+ALT+F1, and to switch between the terminals use ALT+F2, ALT+F3, ...
To check the current terminal use the $ ps command.
Basic Commands
$ df -h                 > same as "My Computer" in Windows
$ fdisk -l              > list partitions
$ man <cmd>             > manual
$ clear                 > clear the screen
$ ^L                    > clear the screen
$ ls                    > list content
$ ls -l                 > list content in long listing format
$ ls -al                > list all content (including hidden files) in long listing format
$ ll                    > an alias for the above
$ ls -R                 > list content recursively
$ l.                    > list hidden files
$ ls -F                 > list content and classify them
$ alias                 > display all aliases for the current user
$ alias <statement>     > make an alias, e.g. alias c='clear'
$ unalias <alias>       > remove an alias, e.g. unalias c
$ exit                  > log out from the system
$ logout                > log out from the system
$ ^D                    > log out from the system
$ tree                  > list content in a tree (hierarchical) diagram
$ tree -d               > list subdirectories only, no files
$ tree -p               > list content with their permissions
$ cd <directory>        > change directory to ...
$ cd ..                 > change to the parent directory
$ cd -                  > change to the previous directory
$ cd                    > change to the home directory
$ cd ~                  > change to the home directory
$ pushd                 > change directory and print the working directory (directory stack)
$ cat                   > display the content of a file
$ pwd                   > print the working (current) directory
$ pwd -P                > print the physical (parent) working directory of this symlinked directory
$ mkdir <directory>     > make a directory
$ mkdir -p <directory>  > make parent directories as well if they do not exist
$ touch                 > make a 0-byte file if it does not exist
$ cp                    > copy (for files)
$ cp -a                 > copy (for directories)
$ cp -p                 > copy and preserve date and time
$ mv                    > move OR rename
$ rmdir                 > remove an empty directory
$ rm                    > remove (for files)
$ rm -f                 > remove forcefully (for files)
$ rm -r                 > remove recursively (for directories)
$ rm -rf                > remove recursively and forcefully (for directories)
$ cat                   > display the content of the file
$ cat -n                > display the content of the file and number the lines
$ cal                   > display the calendar for the current month
$ date                  > display the system date and time
$ date -s '<value>'     > change the system date and time (mm/dd/yy)
$ hwclock               > display the hardware clock
$ hwclock --hctosys     > set the system time from the hardware clock
$ ln -s                 > make a soft/sym/symbolic link
$ ln                    > make a hard link
$ history               > display the list of the last 1000 commands
$ !100                  > run command 100 from the history
$ vi                    > text editor
$ vimtutor              > vi manual with exercises
$ pico                  > pico editor
$ mcedit                > mcedit editor
$ joe                   > joe editor
$ aspell -c <filename>  > check the spelling in the file
$ elinks                > check the web links (text-mode browser)
$ file                  > display the type of a file
$ which                 > display the path of the binary
$ whereis               > display all paths of the command
$ hostname              > display the system name with domain
$ id                    > display id info of the current user
$ id -u                 > display the user id of the current user
$ id -un                > display the user name of the current user
$ id -g                 > display the group id of the current user
$ id -gn                > display the group name of the current user
$ uptime                > display for how long the system has been running
$ tty                   > display the current terminal number
$ users                 > display the users currently logged in
$ whoami                > display the user name of the current user
$ who                   > display the users logged in to the system with their respective terminals and the time since they logged in
$ who am i              > display the current user, terminal and login time
$ w                     > display details of who is logged in on which terminal and what they are running
Reference: http://www.oraclehome.co.uk/linuxcommands.htm
$ mkdir -p /opt/funny/test
$ cd /opt/funny/test        (absolute path)
$ cd /opt/funny
$ pwd
/opt/funny
$ cd test                   (relative path)

Fdisk
Partitioning with fdisk
This section shows you how to actually partition your hard drive with the fdisk utility. Linux allows only 4 primary partitions. You can have a much larger number of logical partitions by subdividing one of the primary partitions. Only one of the primary partitions can be subdivided.
Examples:
1. Four primary partitions
2. Mixed primary and logical partitions

fdisk usage
fdisk is started by typing (as root) fdisk device at the command prompt. device might be something like /dev/hda or /dev/sda (see Section 2.1.1). The basic fdisk commands you need are:
p   print the partition table
n   create a new partition
d   delete a partition
q   quit without saving changes
w   write the new partition table and exit

Changes you make to the partition table do not take effect until you issue the write (w) command. Here is a sample partition table:

Disk /dev/hdb: 64 heads, 63 sectors, 621 cylinders
Units = cylinders of 4032 * 512 bytes

   Device Boot   Start      End   Blocks   Id  System
/dev/hdb1   *        1      184  370912+  83  Linux
/dev/hdb2          185      368   370944  83  Linux
/dev/hdb3          369      552   370944  83  Linux
/dev/hdb4          553      621   139104  82  Linux swap

The first line shows the geometry of your hard drive. It may not be physically accurate, but you can accept it as though it were. The hard drive in this example is made of 32 double-sided platters with one head on each side (probably not true). Each platter has 621 concentric tracks. A 3-dimensional track (the same track on all disks) is called a cylinder. Each track is divided into 63 sectors. Each sector contains 512 bytes of data. Therefore the block size in the partition table is 64 heads * 63 sectors * 512 bytes, er... divided by 1024. (See 4 for discussion on problems with this calculation.) The start and end values are cylinders.
$ fdisk /dev/hdxx
n                  create a new partition
press Enter        at "First cylinder" (accept the default)
+100M              at "Last cylinder" to define the size
w                  write and quit
$ sync
$ partprobe -s /dev/hdxx
partprobe re-reads the partition table and updates the kernel's table; -s shows the output.

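The block-count arithmetic above can be checked mechanically rather than by hand. The script below is an added example, not part of the original practical: it feeds the sample partition table (plus one constructed, overlapping row, /dev/hdb5, which is not in the text) to a small awk parser, recomputes Blocks from the geometry exactly as the paragraph derives it, and flags any row whose Start lies inside the previous partition, which is the kind of mistake the n command lets you make before you press w.

```shell
#!/bin/sh
# Added example (not from the original practical): check an fdisk partition
# table against the geometry line. fdisk_check HEADS SECTORS reads the table
# lines on stdin and, for each /dev/... row, recomputes the block count the
# text derives (cylinders * heads * sectors * 512 bytes / 1024) and flags
# rows that overlap the previous one.
fdisk_check() {
    awk -v heads="$1" -v sectors="$2" '
        /^\/dev\// {
            if ($2 == "*") { start = $3; end = $4; listed = $5 }   # bootable row has a "*" column
            else           { start = $2; end = $3; listed = $4 }
            num = listed; sub(/\+$/, "", num)                       # "+" marks a partial cylinder
            computed = int((end - start + 1) * heads * sectors / 2) # *512/1024 is the same as /2
            verdict = (num + 0 == computed) ? "ok" : "differs"
            if (start <= prev_end) verdict = verdict " (overlaps previous partition)"
            printf "%s %d-%d: computed %d, listed %s, %s\n", $1, start, end, computed, listed, verdict
            if (end > prev_end) prev_end = end
        }'
}

# Sample table from the text, plus one constructed overlapping row (hdb5).
FDISK_SAMPLE='Disk /dev/hdb: 64 heads, 63 sectors, 621 cylinders
Units = cylinders of 4032 * 512 bytes

   Device Boot   Start      End   Blocks   Id  System
/dev/hdb1   *        1      184  370912+  83  Linux
/dev/hdb2          185      368   370944  83  Linux
/dev/hdb3          369      552   370944  83  Linux
/dev/hdb4          553      621   139104  82  Linux swap
/dev/hdb5          600      621    44352  83  Linux'

printf '%s\n' "$FDISK_SAMPLE" | fdisk_check 64 63
# Against a real disk: fdisk -l /dev/sdX | fdisk_check HEADS SECTORS
```

The first row differs by 32 blocks because the first track of the disk is reserved, which is what the "+" after 370912 signals; every other row matches the geometry exactly, and the constructed hdb5 row is reported as overlapping hdb4.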

Format
For an ext2 format use $ mke2fs; for ext3 use $ mke2fs -j
$ mke2fs -j /dev/hdxx
-j stands for journaling, as ext3 is a journaling filesystem.
$ mkdir /newdir
$ mount /dev/hdxx /newdir
For a permanent mount use fstab:
$ vi /etc/fstab
Append: /dev/hdxx  /mnt  ext3  defaults  0 0
fstab is 9th out of the 10 most critical and important configuration files, which are stored in the /etc directory, where all the configuration files are stored.
fstab stands for "File System TABle" and this file contains information about the hard disk partitions and removable devices in the system. It contains information on where the partitions and removable devices are mounted, which device drivers are used for mounting them, which filesystem they are using and what permissions (mount options) are assigned to them.
1st field: device
2nd field: mount point
3rd field: filesystem
4th field: permissions (mount options)
5th field: backup (dump) flag
6th field: fsck sequence (same as chkdsk in Windows)
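The 4th field is where the security of a mount is decided, and "defaults" (as in the /mnt line appended above) grants device nodes, set-uid binaries and execution on whatever is mounted there. The script below is an added example, not the practical's own code: it parses fstab-format text field by field and reports user-writable mounts (/tmp, /var/tmp, /mnt, /media and anything beneath them; that list of "user areas" is the example's own assumption) that lack nodev, nosuid or noexec, and any line with fewer than six fields. It also honours the rule from mount(8) that the user/users options imply all three unless a later dev/suid/exec overrides them.

```shell
#!/bin/sh
# Added example (not the practical's own code): audit fstab entries for the
# mount options a defender expects on user-writable mounts. fstab_audit reads
# fstab-format text on stdin and prints one line per entry that is malformed
# (fewer than six fields) or that mounts a user area without nodev, nosuid
# and noexec in the 4th field. The list of user areas below is this example's
# assumption; the option semantics follow mount(8).
fstab_audit() {
    awk '
        function has(o) { return index(opts, "," o ",") > 0 }
        /^[[:space:]]*#/ { next }                       # comment lines
        NF == 0 { next }                                # blank lines
        NF < 6 { printf "%s: malformed (%d fields)\n", $1, NF; next }
        {
            mp = $2; opts = "," $4 ","; missing = ""
            if (mp ~ "^(/tmp|/var/tmp|/mnt|/media)(/.*)?$") {
                # "user"/"users" imply noexec,nosuid,nodev unless overridden
                implied = has("user") || has("users")
                if (!(has("nodev")  || (implied && !has("dev"))))  missing = missing " nodev"
                if (!(has("nosuid") || (implied && !has("suid")))) missing = missing " nosuid"
                if (!(has("noexec") || (implied && !has("exec")))) missing = missing " noexec"
            }
            if (missing != "") printf "%s on %s: missing%s\n", $1, mp, missing
        }'
}

# Constructed sample; the /mnt line is the one the text appends.
FSTAB_SAMPLE='# constructed sample /etc/fstab
/dev/hda1   /           ext3   defaults                       1 1
/dev/hdxx   /mnt        ext3   defaults                       0 0
/dev/hdb2   /tmp        ext3   defaults,nodev,nosuid,noexec   0 0
/dev/hdc1   /media/usb  vfat   noauto,user,dev                0 0
/dev/hdd1   /data       ext2'

printf '%s\n' "$FSTAB_SAMPLE" | fstab_audit
# On a live system: fstab_audit < /etc/fstab
```

For the sample, the /mnt line is reported as missing all three options, the /media/usb line only as missing nodev (user implied the rest, dev undid one of them), and the truncated /dev/hdd1 line as malformed; the root filesystem and the correctly-optioned /tmp line produce nothing.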

Task
Create a 100 MB partition for Linux.
Follow the same steps as above.
ext3 is a journaling filesystem which maintains a record in its journal: fast recovery, and recovery is successful.
ext2 doesn't maintain a journal: slow recovery and no guarantee.
Task
Create a 100000 KB partition for ext2.
Follow the same steps as above.
Task
Create a 96 MB partition for Windows.
Follow the same steps as above.
Mount all the created partitions under fstab.
Ext2 vs Ext3
At some point in your install, you'll probably want to switch filesystem types. In the base install, you're only given a choice of ext2 (short for ext2fs, or "second extended filesystem," which is the "standard" UNIX filesystem). Ext3fs is the same as ext2, but provides journaling. For those as sketchy on filesystem types as I am, it seems to be pretty basic. In the README on the original ext3 download page, the author answers the journaling question:
Q: What is journaling?
A: It means you don't have to fsck after a crash. Basically.
This is useful, because it means that every time your screen whites out and crashes while choosing the right video card (Section 1.2.1), you don't have to sit through an entire filesystem check of every inode. The filesystem still fscks itself every X mounts or Y days, but doesn't put you through the entire wait every time you crash it. To convert partitions to the ext3 filesystem, you need to cleanly unmount them, boot something else (like the Debian CD you installed from -- see Section 6.2 on how to do this), and then, on a console, do:

tune2fs -j /dev/hdaX


wherein /dev/hdaX is the partition you want to add journaling to (hence the `-j' flag). Don't forget to modify the lines in your /etc/fstab to reflect that the partitions in question are to be mounted as ext3, not ext2. When cleanly unmounted, they can still be mounted as ext2, but the whole point of changing them was so they wouldn't be.
That's it. When you reboot, your partitions should come up as ext3.


Runlevels

Red Hat Linux / Fedora runlevels
ID  Description
0   Halt
1   Single User mode
2   Multi User mode with network enabled, but most network services disabled
3   Multi User mode, console logins only
4   Not used / User definable
5   Multi User mode, with display manager as well as console logins
6   Reboot


Symlinks & Hardlinks
Files are arranged in directories (or folders if you prefer that term), and each file can be reached through a series of directories and subdirectories from the root, correct? Yes... BUT... there are some times that the same file can be reached through several names, and on Unix and Linux systems this is known as a "link". There are two ways a link can be set up.
Hard Link
A Hard Link is where a file has two names which are both on an equal weighting, and both of the file names in the "inode table" point directly to the blocks on the disc that contain the data. See diagram to the left.
You set up a hard link with an ln command without options: if the file ab.txt already exists and you want to give an additional name (hard link) to it, you'll write
ln ab.txt cd.txt
and then both names will have equal ranking. The only way you'll know that there's a link there is by doing a long listing, where you'll see a link count of 2 rather than 1, and if you need to find out what's linked to what, use the -i option to ls.

Symbolic Link
A Symbolic Link is where a file has one main name, but there's an extra entry in the file name table that refers any accesses back to the main name. This is slightly slower at run time than a hard link, but it's more flexible and much more often used in day to day admin work.
Symbolic links are set up using the ln command with the -s option, so for example
ln -s ab.txt cd.txt
will set up a new name cd.txt that points to the (existing) file ab.txt. If you do a long listing (ls -l) of a directory that contains a symbolic link, you'll be told that it's a symbolic link with an "l" in the first column, and you'll be told where the file links to in the file name column. Very easy to spot!



Soft Links (Symbolic Links):
1. Links have different inode numbers.
2. The ls -l command shows all links with a second column value of 1, and the link points to the original file.
3. A link has the path of the original file, not the contents.
4. Removing a soft link doesn't affect anything, but removing the original file leaves the link dangling, pointing to a non-existent file.
In a soft link the inode is different and the linked file will be a shortcut to the first file.
Hard Links:
1. All links have the same inode number.
2. The ls -l command shows all the links, with the link column (second) showing the number of links.
3. Links have the actual file contents.
4. Removing any link just reduces the link count but doesn't affect the other links.
In a hard link the inode is the same and both are independent.
A soft link can be created for directories but a hard link can't. Hard links are created within that particular filesystem, but soft links can cross filesystems.
Hard links cannot cross partitions.
A single inode number is used to represent a file in each filesystem. All hard links are based upon inode numbers.

So linking across filesystems would lead to confusing references for UNIX or Linux. For example, consider the following scenario:
* Filesystem: /home
* Directory: /home/sadhiq
* Hard link: /home/sadhiq/file2
* Original file: /home/sadhiq/file1
Now you create a hard link as follows:
$ touch file1
$ ln file1 file2
$ ls -l
Output:
-rw-r--r-- 2 sadhiq sadhiq 0 2006-01-30 13:28 file1
-rw-r--r-- 2 sadhiq sadhiq 0 2006-01-30 13:28 file2
Now just see the inode of both file1 and file2:
$ ls -i file1
782263 file1
$ ls -i file2
782263 file2
As you can see the inode number is the same for the hard link file called file2 in the inode table under the /home filesystem. Now if you try to create a hard link for the /tmp filesystem it will lead to confusing references for the UNIX or Linux filesystem. Is that link no. 782263 in the /home or the /tmp filesystem? To avoid this problem UNIX or Linux does not allow creating hard links across filesystem boundaries.
Practical
$ mkdir /opt/newfile
$ mkdir /usr/local/linkfile
$ vi /opt/newfile/abc

Append some content & save the above file.
Now create a soft link for abc as xyz under /usr/local/linkfile:
$ pushd /usr/local/linkfile
$ pwd
$ ln -s /opt/newfile/abc xyz

Or
If you want to create the symlink from /home, then:
$ pushd /home
$ ln -s /opt/newfile/abc /usr/local/linkfile/xyz
Now check with the following, & also note that symlink files always have 777 permissions:
$ ll | grep ^l
Also check the size of both files; it is self-explanatory.
Now
Append some data to the xyz file; you will get the same under abc.
Now try removing the parent file, in our case abc:
$ rm -rf /opt/newfile/abc
Now verify the symlink:
$ ll /usr/local/linkfile/
Your file has a broken symlink, so it's called orphaned.
So whenever you delete a parent file it will affect the soft link, & if the soft link is deleted there is no effect on the parent file.
Soft link files have different inodes from the parent.
Soft links can also cross partitions.
Now what if you want to run a binary from a different path and with a different name?
$ which mount
$ ln -s /sbin/mount /opt/mapping
$ pushd /opt/
$ ./mapping
$ ln -s /bin/pwd /usr/bin/prntworkdir

Now you can run the following for pwd:
$ prntworkdir
$ mkdir /opt/hardlink
$ pushd /opt/linkfile
Create a new file named file1 and append data:
$ echo This is a new file > file1
$ cat file1
Now create a hard link from file1 in the current path to file2:
$ ln file1 /opt/hardlink/file2
Now try deleting and appending, as you did above for the soft link.
Hard links are a type of backup: if the parent or the child is deleted there is no effect on the other.
Hard links have the same inode numbers.
Hard links cannot cross partitions; also try crossing partitions.
Also try creating 2 to 3 links for a single parent file, in soft link and hard link.
More
17. Hard Links and Symbolic Links
Today we're going to test your virtual imagination ability! You're probably familiar with shortcuts in Microsoft Windows or aliases on the Mac. Linux has something, or actually somethings similar, called hard links and symbolic links.
Symbolic links (also called symlinks or soft links) most resemble Windows shortcuts. They contain a pathname to a target file. Hard links are a bit different. They are listings that contain information about the file. Linux files don't actually live in directories. They are assigned an inode number, which Linux uses to locate files. So a file can have multiple hard links, appearing in multiple directories, but isn't deleted until there are no remaining hard links to it. Here are some other differences between hard links and symlinks:


1. You cannot create a hard link for a directory.
2. If you remove the original file of a hard link, the link will still show you the content of the file.
3. A symlink can link to a directory.
4. A symlink, like a Windows shortcut, becomes useless when you remove the original file.
Hard links

Let's do a little experiment to demonstrate the case. Make a new directory called Test and then move into it. To do that, type:
$ mkdir Test
$ cd Test
Then make a file called FileA:
$ vi FileA
Press the I key to enter Insert mode:
i
Then type in some funny lines of text (like "Why did the chicken cross the road?") and save the file by typing:
Esc
ZZ
So, you made a file called FileA in a new directory called "Test" in your /home. It contains an old and maybe not so funny joke. Now, let's make a hard link to FileA. We'll call the hard link FileB.
$ ln FileA FileB
Then use the "-i" argument to list the inodes for both FileA and its hard link. Type:
$ ls -il FileA FileB
This is what you get:
1482256 -rw-r--r-- 2 sadhiq sadhiq 21 May  5 15:55 FileA
1482256 -rw-r--r-- 2 sadhiq sadhiq 21 May  5 15:55 FileB
You can see that both FileA and FileB have the same inode number (1482256). Also both files have the same file permissions and the same size. Because that size is reported for the same inode, it does not consume any extra space on your HD!


Next, remove the original FileA:
$ rm FileA
And have a look at the content of the "link" FileB:
$ cat FileB
You will still be able to read the funny line of text you typed. Hard links are cool.

Symlinks

Staying in the same test directory as above, let's make a symlink to FileB. Call the symlink FileC:
$ ln -s FileB FileC
Then use the -i argument again to list the inodes.
$ ls -il FileB FileC
This is what you'll get:
1482256 -rw-r--r-- 1 sadhiq sadhiq 21 May  5 15:55 FileB
1482226 lrwxrwxrwx 1 sadhiq sadhiq  5 May  5 16:22 FileC -> FileB
You'll notice the inodes are different and the symlink got an "l" before the rwxrwxrwx. The link has different permissions than the original file because it is just a symbolic link. Its real content is just a string pointing to the original file. The size of the symlink (5) is the size of its string. (The "-> FileB" at the end shows you where the link points to.)
Now list the contents:
$ cat FileB
$ cat FileC
They will show the same funny text.
Now if we remove the original file:
$ rm FileB
and check the Test directory:


$ ls
You'll see the symlink FileC is still there, but if you try to list the contents:
$ cat FileC
It will tell you that there is no such file or directory. You can still list the inode. Typing:
$ ls -il FileC
will still give you:
1482226 lrwxrwxrwx 1 sadhiq sadhiq 5 May  5 16:22 FileC -> FileB
But the symlink is obsolete because the original file was removed, as were all the hard links. So the file was deleted even though the symlink remains. (Hope you're still following.)
OK. The test is over, so you can delete the Test directory:
$ cd ..
$ rm -rf Test   (-r stands for recursive and -f is for force)
Note: Be cautious using "rm -rf"; it's very powerful. If someone tells you to do "rm -rf /" as root, you might lose all your files and directories on your / partition! Not good advice.
Now you know how to create (and remove) hard links and symlinks to make it easier to access files and run programs. See you on the links!
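The FileA/FileB/FileC experiment above can be turned into checks a script can run, which is useful when you need to find orphaned symlinks on a real system rather than eyeball an ls listing. The helpers below are an added example, not the tutorial's own code; they rely only on ls -i (inode), the second field of ls -l (link count) and find -L, so they work with both GNU and BSD tools, and link_demo re-runs the experiment in a scratch directory and reports each observation on its own line.

```shell
#!/bin/sh
# Added example (not from the original practical): small helpers that make
# the hard link / symlink behaviour above checkable from a script, using
# only ls and find so they work with both GNU and BSD tools. ls -i prints
# the inode, and the 2nd field of ls -l is the link count; -d keeps ls from
# descending into (or following) a directory target.
inode_of()      { ls -di -- "$1" | awk '{print $1}'; }
link_count_of() { ls -ld -- "$1" | awk '{print $2}'; }
# true when two names are hard links to the same file (same inode)
same_file()     { [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; }
# true when $1 is a symlink whose target no longer exists ("orphaned")
is_dangling()   { [ -L "$1" ] && [ ! -e "$1" ]; }
# list every orphaned symlink below a directory; with -L, find follows links,
# so "-type l" only matches the ones it could not follow
find_dangling() { find -L "$1" -type l; }

# Re-run the text's FileA/FileB/FileC experiment in a scratch directory and
# print the observations as "step result" lines.
link_demo() (
    d=$(mktemp -d) || return 1
    cd "$d" || return 1
    echo "Why did the chicken cross the road?" > FileA
    ln FileA FileB               # hard link: a second name for the same inode
    ln -s FileB FileC            # symlink: a new inode holding the string "FileB"
    echo "hardlink_same_inode $(same_file FileA FileB && echo yes || echo no)"
    echo "link_count_after_ln $(link_count_of FileA)"
    echo "symlink_same_inode $(same_file FileB FileC && echo yes || echo no)"
    rm FileA                     # the data survives while another hard link exists
    echo "link_count_after_rm $(link_count_of FileB)"
    echo "FileB_readable $(cat FileB >/dev/null 2>&1 && echo yes || echo no)"
    rm FileB                     # last hard link gone: the file is really deleted
    echo "FileC_dangling $(is_dangling FileC && echo yes || echo no)"
    echo "dangling_found $(find_dangling . | wc -l | tr -d ' ')"
    cd / && rm -rf "$d"
)

link_demo
# To sweep a real tree for orphaned links: find_dangling /usr/local
```

The lrwxrwxrwx shown for a symlink is never consulted by the kernel; access is decided by the target's permissions, which is why the 777 on every symlink in the listings above is harmless. A dangling link, on the other hand, is worth finding: if a directory is later re-created at the old target path, the link silently comes back to life pointing at whatever is put there.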


Archiving & Compression
Archiving means that you take 10 files and combine them into one file, with no difference in size. If you start with 10 100 KB files and archive them, the resulting single file is 1000 KB. On the other hand, if you compress those 10 files, you might find that the resulting files range from only a few kilobytes to close to the original size of 100 KB, depending upon the original file type.
All of the archive and compression formats in this chapter (zip, gzip, bzip2, and tar) are popular, but
Zip
zip is probably the world's most widely used format. That's because of its almost universal use on Windows, but zip and unzip are well supported among all major (and most minor) operating systems.
Gzip
gzip was designed as an open source replacement for an older Unix program, compress. It's found on virtually every Unix-based system in the world, including Linux and Mac OS X, but it is much less common on Windows. If you're sending files back and forth to users of Unix-based machines, gzip is a safe choice.
Bzip2


The bzip2 command is the new kid on the block. Designed to supersede gzip, bzip2 creates smaller files, but at the cost of speed. That said, computers are so fast nowadays that most users won't notice much of a difference between the time it takes gzip or bzip2 to compress a group of files.
Practical
zip both archives and compresses files, thus making it great for sending multiple files as email attachments, backing up items, or for saving disk space.
Create
$ mkdir -p /opt/test/zip_dir; cd /opt/test/zip_dir
Append man pages to a file:
$ man ls > filels; cat /etc/fstab > filefstab; cat /root/anaconda.cfg > fileanaconda
$ ls -lh
$ ls -al
Zip the files to manfile.zip:
$ zip manfile.zip *
$ ls -lF
$ man ls > filels.txt; cat /etc/fstab > file.txt; cat /root/anaconda.cfg > fileanaconda.txt; man fdisk > file1.cfg; man fstab > fstab.cfg; man man > man.cfg
Try compressing the files created using zip and verify the size of the moby.zip files:
$ zip -0 moby.zip1 *.txt
$ ls -l
$ zip -1 moby.zip2 *.cfg
$ ls -l
$ zip -9 moby.zip3 *.cfg
$ ls -l
You can also try:
$ alias zip='zip -9'
Create a backup dir under /mnt: $ mkdir /mnt/backup


Copy the /opt/test contents with rsync:
$ rsync -parv /opt/test/* /mnt/backup/
Exclude moby.zip1 under /mnt/backup and create backup.zip under /usr/local/:
$ zip -r /usr/local/backup.zip /mnt/backup -x "/mnt/backup/zip_dir/moby.zip1"
Change dir to /usr/local with the pushd cmd (man pushd):
$ pushd /usr/local/
Try a password protected zip:
$ zip -P 12345678 backup.zip *.txt
$ zip -e backup.zip *.txt
$ unzip -l backup.zip
$ unzip -ql backup.zip
Verbose:
$ unzip -v moby2.zip
List zipped files:
$ unzip -l moby3.zip
Test the archive:
$ unzip -t moby2.zip
Now try any of the following, same as with zip, under any dir:
$ gzip paradise_lost.txt
$ ls -l

Not good. Instead, output to a file.
$ ls -l

$ gzip -c paradise_lost.txt > paradise_lost.txt.gz
$ gzip -c -1 mobydick.txt > mobydick.txt.gz
$ ls -l
$ gzip -c -9 mobydick.txt > mobydick.txt.gz
$ ls -l
$ gzip -t paradise_lost.txt.gz
$ gunzip -c paradise_lost.txt.gz > paradise_lost.txt
$ bzip2 mobydick.txt
$ ls -l
$ bzip2 -c mobydick.txt > mobydick.txt.bz2
$ ls -l
$ bzip2 -c -1 mobydick.txt > mobydick.txt.bz2
$ bzip2 -c -9 mobydick.txt > mobydick.txt.bz2
$ ls -l
$ bunzip2 mobydick.txt.bz2
$ bunzip2 -c mobydick.txt.bz2 > mobydick.txt
$ bunzip2 -t paradise_lost.txt.bz2
Get the Best Compression Possible with zip
-[0-9]
It's possible to adjust the level of compression that zip uses when it does its job. The zip command uses a scale from 0 to 9, in which 0 means "no compression at all" (which is like tar, as you'll see later), 1 means "do the job quickly, but don't bother compressing very much," and 9 means "compress the heck out of the files, and I don't mind waiting a bit longer to get the job done." The default is 6, but modern computers are fast enough that it's probably just fine to use 9 all the time.
In tabular format, the results look like this:

Book               zip -0    zip -1    zip -9
Moby Dick          0%        54%       61%
Paradise Lost      0%        50%       56%
Job                0%        58%       65%
Total (in bytes)   1848444   869946    747730

Password Protect Compressed Zip Archives
-P
-e

The zip program allows you to password protect your zip archives using the -P option. You shouldn't use this option. It's completely insecure, as you can see in the following example (the actual password is 12345678): the password is typed on the command line, so it is saved in the shell history and visible in the process list while zip runs. The -e option prompts for the password instead.
unzip
Expanding a zip archive isn't hard at all. To create a zipped archive, use the zip command; to expand that archive, use the unzip command.

Archive with Tar
Archive and Compress Files with tar and gzip
-zcvf
If you look back at "Archive and Compress Files Using gzip" and "Archive and Compress Files Using bzip2" and think about what was discussed there, you'll probably start to figure out a problem. What if you want to compress a directory that contains 100 files, contained in various subdirectories? If you use gzip or bzip2 with the -r (for recursive) option, you'll end up with 100 individually compressed files, each stored neatly in its original subdirectory. This is undoubtedly not what you want. How would you like to attach 100 .gz or .bz2 files to an email? Yikes!
That's where tar comes in. First you'd use tar to archive the directory and its contents (those 100 files inside various subdirectories) and then you'd use gzip or bzip2 to compress the resulting tarball. Because gzip is the most common compression program used in concert with tar, we'll focus on that.
You could do it this way:
$ mkdir -p /mnt/common/mobydick

$ cd /mnt/common/mobydick
$ man ls > filels.txt; cat /etc/fstab > file.txt; cat /root/anaconda.cfg > fileanaconda.txt; man fdisk > file1.cfg; man fstab > fstab.cfg; man man > man.cfg
$ cd ..
$ pwd
/mnt/common/
$ ls -l mobydick/*
$ tar -cf - mobydick/ | gzip -c > moby1.tar.gz
$ ls -l
That method works, but it's just too much typing! There's a much easier way that should be your default. It involves two new options for tar: -z (or --gzip), which invokes gzip from within tar so you don't have to do so manually, and -v (or --verbose), which isn't required here but is always useful, as it keeps you notified as to what tar is doing as it runs.
$ ls -l mobydick/*
$ ls -l
The usual extension for a file that has had the tar and then the gzip commands used on it is .tar.gz; however, you could use .tgz and .tar.gzip if you like.

Note: It's entirely possible to use bzip2 with tar instead of gzip. Your command would look like this (note the -j option, which is where bzip2 comes in):
$ tar -cvzf moby.tar.gz mobydick
$ tar -jcvf moby.tar.bz2 mobydick/

In that case, the extension should be .tar.bz2, although you may also use .tar.bzip2, .tbz2, or .tbz. Yes, it's very confusing that using gzip or bzip2 might both result in a file ending with .tbz. This is a strong argument for using anything but that particular extension to keep confusion to a minimum.
Test Files That Will Be Untarred and Uncompressed
$ tar -jvtf moby.tar.bz2


Before you take apart a tarball (whether or not it was also compressed using gzip), it's a really good idea to test it. First, you'll know if the tarball is corrupted, saving yourself hair pulling when files don't seem to work. Second, you'll know if the person who created the tarball thoughtfully tarred up a directory containing 100 files, or instead thoughtlessly tarred up 100 individual files, which you're just about to spew all over your desktop.
To test your tarball (once again assuming it was also zipped using gzip), use the -t (or --list) option.
$ tar -zvtf moby.tar.gz
This tells you the permissions, ownership, file size, and time for each file. In addition, because every line begins with mobydick/, you can see that you're going to end up with a directory that contains within it all the files and subdirectories that accompany the tarball, which is a relief.
Be sure that the -f is the last option because after that you're going to specify the name of the .tar.gz file. If you don't, tar complains:
$ tar -zvft moby.tar.gz
tar: You must specify one of the '-Acdtrux' options
Try 'tar --help' or 'tar --usage' for more information.
Now that you've ensured that your .tar.gz file isn't corrupted, it's time to actually open it up, as you'll see in the following section.
Note: If you're testing a tarball that was compressed using bzip2, just use this command instead:
$ tar -jvtf moby.tar.bz2

Untar and Uncompress Files
-zxvf
To create a .tar.gz file, you used a set of options: -zcvf. To untar and uncompress the resulting file, you only make one substitution: -x (or --extract) for -c (or --create).
$ ls -l
$ tar -zxvf moby.tar.gz
$ ls -l
Make sure you always test the file before you open it, as covered in the previous section, "Test Files That Will Be Untarred and Uncompressed." That means the order of commands you should run will look like this:
$ tar -zvtf moby.tar.gz
$ tar -zxvf moby.tar.gz
Note: If you're opening a tarball that was compressed using bzip2, just use this command instead:
$ tar -jxvf moby.tar.bz2
Repeat with a different path:
$ tar -cvf /mnt/backup/sam.tar /opt/test/zip_dir/*
Archive & compress with gzip:
$ tar -czvf /mnt/backup/ramu.tar.gz /opt/test/zip_dir/*
$ pushd /mnt/backup
List before extracting:
$ tar -tvf ramu.tar.gz
Understand the following:
$ mkdir ramu; tar -zxvf ramu.tar.gz -C ramu/
$ ls ramu/
$ rm ramu/*
Also try and understand:
$ cat ramu.tar.gz | gunzip -d | tar -xvf - -C /mnt/backup/ramu
$ ls /mnt/backup/ramu/
$ rm -rf /mnt/backup/ramu/*
$ gzcat ramu.tar.gz | tar -xvf - -C /mnt/backup/ramu

Finding files and archiving them
You can make a tarball of only certain types of files from a directory with the following one-liner:
$ mkdir /mnt/common/test
$ find /mnt/common/mobydick/ -name "*.txt" | xargs tar -zcpf reports.tar.gz
$ find /mnt/common/mobydick/ -name "*.txt" | xargs tar -jcpf reports.tar.bz2
Now check.
Untar in a different directory
If you've got a gzipped tarball and you want to untar it in a directory other than the one you're in, do the following:
$ cd /mnt/backup
$ zcat reports.tar.gz | (cd ./otherdir; tar -xvf -)
$ ls
Understand the above cmd; note: - is used after the arguments given to tar, so that tar reads the archive from standard input.
Extract individual files from a tarball
If you need a file that you've put into a tarball and you don't want to extract the whole archive, you can do the following.
First, get a list of the files and find the one you want:
$ cd /mnt/common/mobydick
$ tar -ztf moby1.tar.gz
Then extract the one you want:
$ tar -zxvf moby1.tar.gz mobydick/fileanaconda.txt
Backup everything with tar
To make a backup of everything in a particular directory, first do this:
$ cd /mnt/common/mobydick/
$ ls -a > backup.all
If you don't really want *everything*, you can also edit backup.all and get rid of things you don't want.
To make the tarball, just do this:
$ tar -cvf newtarfile.tar `cat backup.all`
(remember, those are backticks)
Extracting Specific Files
Extract a file called etc/default/sysstat from the config.tar.gz tarball:
$ tar -cvzf /opt/test/config.tar.gz /mnt/backup/ramu
$ tar -ztvf config.tar.gz
$ tar -zxvf config.tar.gz <anyfile>
$ tar -xvf {tarball.tar} {path/to/file}
Some people prefer the following syntax:
$ tar --extract --file={tarball.tar} {file}
Extract a directory called css from cbz.tar:
$ tar --extract --file=cbz.tar css
Wildcard based extracting
You can also extract those files that match a specific globbing pattern (wildcards). For example, to extract from cbz.tar all files that begin with pic, no matter their directory prefix, you could type:
Note: before attempting the following you have to create tar files such as cbz.tar with the files you are going to extract.
$ tar -xf cbz.tar --wildcards --no-anchored 'pic*'
To extract all php files, enter:
$ tar -xf cbz.tar --wildcards --no-anchored '*.php'
-x: instructs tar to extract files.
-f: specifies the filename / tarball name.
-v: verbose (show progress while extracting files).
-j: filter the archive through bzip2; use to decompress .bz2 files.
-z: filter the archive through gzip; use to decompress .gz files.
--wildcards: instructs tar to treat command line arguments as globbing patterns.
--no-anchored: informs it that the patterns apply to member names after any / delimiter.


Have you ever seen this error when using tar?
$ tar -czf etc.tgz /etc
tar: Removing leading `/' from member names
tar is removing the leading / from the archived file names, and warning you about it. Although you can redirect STDERR to /dev/null, doing so can result in missed errors. Instead, use tar with the -P or --absolute-names switch. They do the same thing: leave the leading / in the archived files.
$ tar -czPf etc.tgz /etc
When you untar the archive without -P, the leading / will still equate to your current working directory. Use -P when untarring to restore from the archive to the absolute path name. For example:
The following creates ./etc (dot, slash, etc):
$ tar -xzf etc.tgz
This overwrites /etc (slash, etc)!
$ tar -xzPf etc.tgz
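The etc.tgz case is exactly why the chapter insists on listing a tarball before extracting it: a member whose name starts with / or climbs through .. decides where files land, and -P turns that into a write anywhere on the system. The script below is an added example, not part of the original chapter. It reads the member list with -t, reports members with absolute names or a ".." path component, and only extracts (always into a dedicated directory with -C) when the list is clean; tar_demo builds two constructed archives, one relative and one created with -P so that it keeps an absolute path, and shows the verdict for each.

```shell
#!/bin/sh
# Added example (not part of the original chapter): inspect a tarball's member
# list before extracting it, which is what the text's "test first with -t"
# advice is for. A member name that starts with / or contains a ".." component
# would, with -P, write outside the directory you extract into; tar normally
# strips these and warns, but checking the listing makes the refusal explicit
# instead of relying on a warning scrolling past in verbose output.
tar_unsafe_members() {
    list=$(tar -tf "$1" 2>/dev/null) || { echo "unreadable archive: $1"; return 1; }
    printf '%s\n' "$list" | awk '
        /^\// { print "absolute: " $0; next }
        {
            n = split($0, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == "..") { print "traversal: " $0; next }
        }'
}
# true only when the listing could be read and contains no such member
tar_is_safe() { [ -z "$(tar_unsafe_members "$1")" ]; }
# tar_safe_extract ARCHIVE DEST: check, then extract into DEST with -C (never -P)
tar_safe_extract() {
    tar_is_safe "$1" || { echo "refusing to extract $1:" >&2; tar_unsafe_members "$1" >&2; return 1; }
    mkdir -p "$2" && tar -xf "$1" -C "$2"
}

# Demonstration with constructed archives: one relative, one created with -P
# so that its member keeps the absolute path, the etc.tgz case above.
tar_demo() (
    d=$(mktemp -d) || return 1
    mkdir "$d/good"; echo hello > "$d/good/a.txt"
    tar -cf "$d/good.tar" -C "$d" good
    tar -cPf "$d/abs.tar" "$d/good/a.txt"
    echo "good.tar safe: $(tar_is_safe "$d/good.tar" && echo yes || echo no)"
    echo "abs.tar safe: $(tar_is_safe "$d/abs.tar" && echo yes || echo no)"
    rm -rf "$d"
)

tar_demo
```

The check is deliberately narrow: it looks at names only, so a symlink member that points outside the destination is not caught here, and an archive tar cannot read at all is treated as unsafe rather than as empty.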

PATH is an environmental variable in Linux and other Unix-like operating systems that tells the shell which directories to search for executable files (i.e., ready-to-run programs) in response to commands issued by a user. It increases both the convenience and the safety of such operating systems and is widely considered to be the single most important environmental variable.
Environmental variables are a class of variables (i.e., items whose values can be changed) that tell the shell how to behave as the user works at the command line (i.e., in a text-only mode) or with shell scripts (i.e., short programs written in a shell programming language). A shell is a program that provides the traditional, text-only user interface for Unix-like operating systems; its primary function is to read commands that are typed in at the command line and then execute (i.e., run) them.
Practical: Setting PATH
Log in as root


$ id
$ echo $PATH
$ useradd john
$ passwd john
$ su john
$ id
Verify john's PATH:
$ echo $PATH
You can't find /sbin:/usr/sbin in it, so you can't run commands such as fdisk and shred that live there.
$ fdisk -l
will give "command not found".
So you can set the path, but it's temporary for the shell:
$ PATH=$PATH:/sbin:/usr/sbin
To set it in the environment run:
$ export PATH
For permanent:
You can put the above two commands in the /etc/profile file, which always runs after login.
Now check; you will get the above added dirs under john's path:
$ echo $PATH

Now try:
$ fdisk -l
Note: The command is executed, but the fdisk binary will work only as uid 0 (root), because it's programmed like that.
So search for commands in /sbin & /usr/sbin which can be run by other uids.
Now create a test script under /opt and execute the script:
$ vi /opt/testscript
# Append the following
echo THIS IS MY SCRIPT
# Save
$ cd /opt
Set execute permission:
$ chmod +x /opt/testscript
$ ./testscript    # (./ means execution from the current path)
But what if you want to run the script from any other directory under your filesystem hierarchy?

Then set the /opt dir in the user's path as mentioned above, or copy the script under a directory that is already in the PATH. For e.g.:
$ PATH=$PATH:/opt
$ cd /
$ testscript
or
$ cp /opt/testscript /bin    (or /usr/local/bin etc...)
Now try running the script:
$ cd /
$ testscript
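Appending /opt to PATH, as above, is only as safe as /opt's permissions: every directory in PATH is a place from which a command name can be resolved, so a directory others can write to, an empty element, or "." lets someone else's file be run under the name of a real command. The script below is an added example, not from the practical; path_problems takes a PATH-style string as its argument (so it can be exercised on constructed input; pass "$PATH" to check the live value) and prints one line per problematic entry, and path_demo runs it against a scratch directory layout where one directory has been chmod 777.

```shell
#!/bin/sh
# Added example (not from the original practical): report PATH entries that
# let someone else's files be run in place of real commands. path_problems
# takes a PATH-style string as $1 and prints one line per problem: an empty
# element or "." (both mean "the current directory, wherever that is"), a
# relative entry, and an absolute directory that every user can write to
# (the 9th character of ls -ld output is the others-write bit).
path_problems() (
    p=$1
    case "$p" in
        :*|*:|*::*) echo "empty element: means the current directory" ;;
    esac
    IFS=:
    set -f                                  # no globbing while the list is split
    for dir in $p; do
        case "$dir" in
            "")  ;;                         # already reported above
            .)   echo "current-directory entry: ." ;;
            /*)  if [ -d "$dir" ]; then
                     case "$(ls -ld -- "$dir")" in
                         d???????w*) echo "world-writable: $dir" ;;
                     esac
                 fi ;;
            *)   echo "relative entry: $dir" ;;
        esac
    done
)

# Demonstration against a constructed directory layout.
path_demo() (
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/ok" "$scratch/dropbox"
    chmod 755 "$scratch/ok"
    chmod 777 "$scratch/dropbox"            # anyone could plant an "ls" here
    path_problems "/usr/bin:.:bin:$scratch/dropbox:$scratch/ok:"
    rm -rf "$scratch"
)

path_demo
# Live check: path_problems "$PATH"
```

The check is run in a subshell so that the IFS and set -f changes it needs for splitting do not leak into the calling shell, which matters if it is sourced from /etc/profile as the text suggests for the PATH settings themselves.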


Daemons & Process
Application daemons are those which can be killed and will have no effect on the system:
$ kill -15 <appd-pid>
For e.g. firefox, openoffice, X server, etc...
System daemons are those which can be killed but will affect the system:
$ kill -9 <sysd-pid>
For e.g. init, kerneld, ksoftirqd, khelper, kthread, kblockd
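The two kill lines above are the whole policy in miniature: signal 15 (SIGTERM) asks a process to exit and lets it clean up, signal 9 (SIGKILL) cannot be caught or ignored and should be the fallback, not the first choice. The script below is an added example, not from the practical: stop_process sends SIGTERM, waits up to a timeout for the process to disappear, and only then sends SIGKILL; is_alive uses ps so that a zombie (state Z, already dead but not yet reaped by its parent) counts as gone. The demonstration stops one cooperative sleeper and one that was started with SIGTERM ignored, so the second has to be killed.

```shell
#!/bin/sh
# Added example (not from the original practical): stop a process the way the
# text describes, signal 15 (SIGTERM, "please exit") first and signal 9
# (SIGKILL, cannot be caught or ignored) only if it is still there after a
# timeout. is_alive treats a zombie (state Z) as gone: it has already died and
# only waits to be reaped by its parent.
is_alive() {
    st=$(ps -o stat= -p "$1" 2>/dev/null | tr -d ' ')
    [ -n "$st" ] && [ "${st#Z}" = "$st" ]
}
# stop_process PID [TIMEOUT_SECONDS]; prints which signal did the job
stop_process() {
    pid=$1; timeout=${2:-5}
    is_alive "$pid" || { echo "not running"; return 0; }
    kill -15 "$pid" 2>/dev/null
    i=0
    while [ "$i" -lt "$timeout" ]; do
        is_alive "$pid" || { echo "terminated by SIGTERM"; return 0; }
        sleep 1
        i=$((i + 1))
    done
    kill -9 "$pid" 2>/dev/null               # last resort: no cleanup possible
    sleep 1
    if is_alive "$pid"; then echo "still running"; return 1; fi
    echo "killed by SIGKILL"
}

# Demonstration: one cooperative sleeper and one that ignores SIGTERM
# (trap "" TERM sets SIG_IGN, which survives the exec into sleep).
sleep 60 &
stop_process $! 2
sh -c 'trap "" TERM; exec sleep 60' &
stop_process $! 1
```

A process that needs SIGKILL is worth a second look: a service that ignores SIGTERM will also not flush its state on shutdown, and a process stuck in uninterruptible sleep (state D) survives even SIGKILL until the I/O it is waiting on completes, which is the "still running" branch above.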
OBJECTIVES
Defining a process
Process states
Process management
Job control
System Information
Performance Related Information

What is a Process?
A process has many components and properties
exec thread
PID
priority
memory context
environment
file descriptors
security credentials
How Processes Are Created
One process forks a child, pointing to the same pages of memory,
and marking the area as read-only.Then, the child execs the new
command, causing a copy-on-write fault, thus copying to a new area
of memory. A process can exec, without forking. The child maintains
the process ID of the parent.


Process Ancestry
init is the first process started at boot time - always has PID 1.
Except init, every process has a parent.
Processes can be both a parent and a child at the same time.
Understand the Multiuser Environment.
One of the goals of UNIX was to enable a number of users to use the
system simultaneously (multiuser capability). Because several users
might also want to use several different programs simultaneously,
mechanisms must be available to allow these programs to run
simultaneously (multitasking capability).
The implementation of a multiuser and multitasking system appears
to be simultaneous in a single processor system, but this is only
possible in a multiprocessor system.
Even in a single-processor system, advantages can be gained through
multitasking because waiting times for input or output from
processes can be used for other processes.
UNIX implements preemptive multitasking: each process is allowed a
maximum time with which it can work. When this time has expired,
the operating system takes processor time away from the process and
assigns it to another process waiting to run. Other operating
systems (such as versions older than the MAC OS version X) do not
intervene in this process cycle. Instead, control over the
processor must be released by the running process before another
process can run.
This can lead to one process hijacking the processor, leaving other
processes without processing time and blocking the system. The
operating system coordinates access to the resources available in
the system (hard drives, tapes, interfaces). If there is
competition among processes, e.g., for access to a tape device,
only one process can be granted access. The others must be
rejected. This coordination task is very complex and no operating
system is able to implement an ideal solution. The classic problem
involves a situation in which two or more processes exclusively
need the same resources, as illustrated in the following resource
conflict:
The following describes the resource conflict:
Process A needs resources Res.1 and Res.2.
Process B needs resources Res.2 and Res.1.
Process A has received access to Res.1 and would now also like
access to Res.2. In the meantime, however, B has already gained
access to Res.2 and, in turn, would like access to Res.1 as well.


If these two processes wait until what they need is available,
nothing more will happen: they are deadlocked.
Multithreading is an extension of multitasking, and helps solve
this problem. In multithreading, a number of parts independent from
one another (threads) can be produced within a process.
Multithreading increases the level of parallel processes with each
thread needing to be administered, which makes the use of a
multiprocessor system more valuable.
A clear distinction should be made here between programs and
processes: as a rule, a program exists only once in the system, but
there can be several processes that perform the same program. If a
number of users are active, both programs and processes can be used
independently of one another (such as a program used to display
directories).

Processes and Multitasking

Terminology can be confusing:
Multiuser: the system can simultaneously service more than one
online terminal.
Multiprogramming: the system can execute more than one program at
the same time.
Multitasking: the system can execute two or more tasks at the same
time.
In common usage, these all refer to the same thing.

Multitasking Operating Systems

Multitasking OSs are designed to perform a complex juggling trick.
They must:
- Allocate resources, such as CPU cycles and memory, and assign
priorities so each process receives adequate attention.
- Give higher priority jobs more or larger CPU time-slices without
neglecting lower priority jobs.
- Handle jobs that are waiting for some resource (such as user
input, input from disk, or a shared output such as a printer)
without wasting CPU time.
Multitasking on a Single CPU
Obviously, a single CPU cannot run multiple processes simultaneously.
The OS simulates simultaneity by switching between tasks at a high
rate. Each switch is a time-slice. Since thousands or hundreds of
thousands of CPU cycles can go by between user keystrokes, this
gives the appearance of simultaneous operation.
This resource allocation, priority processing, and time-slicing is
all done by the scheduler.

Unix Scheduling Algorithm
Unix schedules tasks in this order:
- Highest priority task that is Ready-to-Run and loaded in memory
and preempted
- Ties for priority are broken by time spent waiting (also known
as Round-Robin scheduling)
- If no one is ready to run, the kernel idles until the next
time-slice

Unix Images and Processes
Each process receives a unique numerical process identifier (pid)
when it is started. Even if the same program is run multiple times,
each instance will have a unique PID. A process has an image in
RAM.
Forks and Spawns:
- When a process A is running, it can spawn another process B
- It does this using the fork system call
- B is said to be the child of A and A is known as the parent of B
- Initially, the child and parent are virtually identical
They each start with identical but independent copies of the RAM
image, but being separate processes, they have unique PIDs.
The child then calls the system call exec using the command name
and arguments inherited from the parent. From this point on, the
child and parent can go their separate ways. However, since they
both have access to the same open files and pipes, there is a
potential for communication between them (interprocess
communication). The shell is the parent of most of your processes.
The Shell is a Process. The principal process you interact with is
the shell. The shell can run some commands (builtins) itself, but
for most commands it forks a separate process. It usually waits
for the command process to finish and then gives you a new shell
prompt.
What if you could tell the shell not to wait? You could then
instruct the shell to do something else while the first command was
running in the background. Voila! Multiprocessing in action!
Compared with other Unices/Linuxes, Red Hat Linux ships with a
plethora of options for monitoring the system and its utilization
with regard to CPU, memory, disk, etc.


$ uptime
18:18:16 up 3 days, 7:37, 5 users, load average: 0.00, 0.00, 0.00
Tells you exactly how long your system has been running; the three
load average values are for the last 1, 5 and 15 minutes:
load average: 0.00, 0.00, 0.00
$ cat /proc/meminfo
/proc is a virtual directory created in RAM. It exists whenever the
system is running. It represents real-time information, and the
values stored in it are accurate. It doesn't occupy space on the
disk.
$ cat /proc/cpuinfo
CPU information. A process has many components and properties.
Display and update information about the top CPU processes:
$ top
top displays the top 10 processes on the system and periodically
updates this information. The top command is a combination of
various commands to display CPU stats, memory and the real-time
processes running in the system. top refreshes every 5 seconds.
Process States. Unix uses several process states to determine the
current condition of a process:

- Runnable
- Stopped
- Page Wait
- Non-Interruptible wait (typically for disk I/O or NFS requests)
- Sleeping
- Idle
- Terminated
OPTIONS
-q       Renice top to -20 so that it will run faster. This can be
used when the system is being very sluggish to improve the
possibility of discovering the problem.
-d count Show only count displays, then exit. A display is
considered to be one update of the screen. This option allows the
user to select the number of displays he wants to see before top
automatically exits. For intelligent terminals, no upper limit is
set. The default is 1 for dumb terminals.
-s time  Set the delay between screen updates to time seconds. The
default delay between updates is 5 seconds.
INTERACTIVE MODE
h or ?  Display a summary of the commands (help screen). Version
information is included in this display.
q       Quit top.
k       Send a signal ("kill" by default) to a list of processes.
r       Change the priority (the "nice") of a list of processes.
s       Change the number of seconds to delay between displays
(prompts for the new number).
o       Change the order in which the display is sorted. This
command is not available on all systems. The sort key names vary
from system to system but usually include: "cpu", "res", "size",
"time". The default is cpu.

THE DISPLAY
PID      Every running process has a process ID.
USER     Owner of the process.
PRI      Current priority of the process.
NICE     Nice amount in the range -20 to 20, as established by the
use of the command nice.
RES      Resident memory: current amount of process memory that
resides in physical memory, given in kilobytes.
STATE    Current state (typically one of "sleep", "run", "idl",
"zomb", or "stop").
TIME     Number of system and user CPU seconds that the process has
used.
SIZE     Amount of memory the process needs.
CPU      Percentage of available CPU time used by this process.
COMMAND  Name of the command that the process is currently running.
PROCESS STATE CODES
Here are the different values that the s, stat and state output
specifiers (header "STAT" or "S") will display to describe the
state of a process.
D  Uninterruptible sleep (usually IO)
R  Running or runnable (on run queue)
S  Interruptible sleep (waiting for an event to complete)
T  Stopped, either by a job control signal or because it is being
traced.
W  Paging (not valid since the 2.6.xx kernel)
X  Dead (should never be seen)
Z  Defunct ("zombie") process, terminated but not reaped by its
parent. A zombie is a dead process.

For BSD formats and when the stat keyword is used, additional
characters may be displayed:
<  high-priority (not nice to other users)
N  low-priority (nice to other users)
L  has pages locked into memory (for real-time and custom IO)
s  is a session leader
l  is multi-threaded (using CLONE_THREAD, like NPTL pthreads do)
+  is in the foreground process group

Each process has a unique identification number (PID) which
characterises the process. The command top allows you to kill
processes using the k interactive command and entering the PID of
the relevant process. To leave top, just press the q key.
Free
$ free -m
$ free -c 5 -s 3
$ free -m
             total   used   free  shared  buffers  cached
Mem:          1003    981     22       0       91     688
-/+ buffers/cache:    201    802
Swap:         1058      0   1058
As you can see, my system has 1 GB of RAM and 981 MB are in use,
leaving 22 MB free. If you look at the cached column, it shows 688
MB. This is a good thing, as cached memory is basically free
memory. This is where programs a user may have used earlier and
then quit are stored, just on the off chance that the user might
start up the program again. On the other hand, if the user starts
up a new program, this cache can be replaced for the new program
that is running. It should be mentioned that the caching works not
just for recently loaded programs but also for data, i.e. recently
used files and directories. Program loading is just a special case
of loading a file.
The -/+ buffers/cache line will show you what is really going
on. In my example, it shows that only 201 MB are in use and that
802 MB are free. The rest is just cached. What a user really needs
to worry about is that last line. If you start seeing the swap file
go into use, that means that you are out of free RAM and you are now
using space on your hard disk to help out. If this starts
happening, the best thing to do is run the top command and see what
is taking up all the memory. Then, if it is an unneeded program,
shut it down.


Signals
Signals are a software mechanism similar to a message of some
sort. They can be trapped and handled, or ignored.
Signals operate through two different system calls:
1) The kill system call
2) The signal system call
1) The kill System Call
The kill system call sends a signal to a process. kill is generally
used to terminate a process. It requires the PID of the process to
be terminated and the signal number to send as arguments.
2) The signal System Call
The signal system call is much more diverse. When a signal occurs,
the kernel checks to see if the user had executed a signal system
call and was therefore expecting a signal. If the call was to ignore
the signal, the kernel returns. Otherwise, it checks to see if it
was a trap or kill signal. If not, it processes the signal. If it
was a trap or kill signal, the kernel checks to see if core should
be dumped and then calls the exit routine to terminate the user
process.
Common Unix Signals
$ kill -l
SIGHUP   Hang-up
SIGINT   Interrupt
SIGQUIT  Quit
SIGILL   Illegal instruction
SIGTRAP  Trace trap
SIGKILL  Kill
SIGSYS   Bad argument to system call
SIGPIPE  Write on pipe with no one to read it
SIGTERM  Software termination signal from kill
SIGSTOP  Stop signal

See /usr/include/sys/signal.h


Signal Acceptance
There are a couple of possible actions to take when a signal occurs:
- Ignore it
- Process it
- Terminate
The superuser can send signals to any process.
Normal users can only send signals to their own processes.
Process Termination
A process is terminated by executing an exit system call or as a
result of a kill signal. When a process executes an exit system
call, it is first placed in a zombie state. In this state, it
doesn't exist anymore but may leave timing information and exit
status for its parent process. A zombie process is removed by
the parent process executing a wait system call.

Process Cleanup
The termination of a process requires a number of cleanup actions.
These actions include:
- Releasing all memory used by the process
- Reducing reference counts for all files used by the process
- Closing any files that have reference counts of zero
- Releasing shared text areas, if any
- Releasing the associated process table entry, the proc structure
This happens when the parent issues the wait system call, which
returns the terminated child's PID.
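The STAT codes from the table above and the zombie/wait rule, as an added POSIX sh example (not code from the course notes): a decoder for ps state codes run over a constructed ps listing. PS_SAMPLE and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the course notes: decode the STAT codes from
# the table above and pick out the processes an administrator should
# look at. PS_SAMPLE is constructed "ps -eo pid,ppid,stat,comm" output,
# not a capture from a real machine.

PS_SAMPLE='  PID  PPID STAT COMMAND
    1     0 Ss   init
  412     1 S<   syslogd
  980     1 Ssl  sshd
 2201   980 Ss+  bash
 2237  2201 Z    worker
 2240  2201 D    dd
 2250  2201 T    vi
 2260  2201 RN+  gzip'

# explain_stat Ss+ -> "interruptible sleep, session leader, foreground"
explain_stat() {
    code=$1
    state=${code%"${code#?}"}   # first character: the process state
    flags=${code#?}             # remaining characters: BSD modifiers
    case $state in
        D) desc="uninterruptible sleep" ;;
        R) desc="running or runnable" ;;
        S) desc="interruptible sleep" ;;
        T) desc="stopped" ;;
        W) desc="paging" ;;
        X) desc="dead" ;;
        Z) desc="zombie" ;;
        *) desc="unknown state '$state'" ;;
    esac
    case $flags in *\<*) desc="$desc, high priority" ;; esac
    case $flags in *N*)  desc="$desc, low priority" ;; esac
    case $flags in *L*)  desc="$desc, pages locked in memory" ;; esac
    case $flags in *s*)  desc="$desc, session leader" ;; esac
    case $flags in *l*)  desc="$desc, multi-threaded" ;; esac
    case $flags in *+*)  desc="$desc, foreground" ;; esac
    echo "$desc"
}

# find_problem_processes "<ps output>" -> one line per process that is
# either a zombie (already dead: signals do nothing, the parent named
# by PPID must wait() for it) or in uninterruptible sleep (usually
# blocked in disk or NFS I/O and cannot be killed until it completes).
find_problem_processes() {
    printf '%s\n' "$1" | while read -r pid ppid stat comm; do
        case $pid in PID|'') continue ;; esac   # skip header/blank lines
        case $stat in
            Z*) echo "$pid $ppid zombie $comm" ;;
            D*) echo "$pid $ppid uninterruptible $comm" ;;
        esac
    done
}
```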
kill - signal a process
kill is somewhat strangely named.
Sends the specified signal to a process.
Syntax: kill [-sig_no] pid
kill -l (display list of signals)
-sig_no - signal number to send
pid - process id of the process to receive the signal


Default signal is TERM (sig_no 15), or request-process-termination.
kill -9 pid terminates the process with extreme prejudice. As
usual, you can only kill your own processes unless you are the
superuser.
$ kill -9 <PID>
$ kill -l           -> lists all available signals
$ killall <pidname>
$ pidof <pidname>
$ pgrep <pidname>
$ pkill <pidname>

Job Control
Job control refers to the ability to selectively stop (suspend) the
execution of processes and continue (resume) their execution at a
later point. A job is one or more processes started from a single
command line. By default, only one job can be run in the
foreground. This means that when a job is being executed in the
foreground the command line is unavailable. When the job
has finished executing, the command prompt is reissued.
It is also possible to suspend jobs and/or run multiple jobs in the
background, in which case the command line is still available in
the foreground, although any output from running background jobs
will still be displayed at the terminal. You can see the jobs
currently running or stopped in the background using the jobs
command.
The syntax for the jobs command is shown below:
jobs [option(s)]
Common jobs options are:
Option  Explanation
-l      Shows the job number, its PID, its status, and its name
-p      Shows just the PID of running jobs
Issuing the jobs command without any options will show a list of
all running, stopped and suspended background jobs.
An example of using the jobs command is illustrated below:
$ jobs -l
[1]- 1229 Running    tail -n5 -f /var/log/secure
[2]+ 1230 Stopped    joe fred
In the above example there are two jobs in the background, one
running and one stopped.

File Permissions
File permissions are assigned to:
1. the owner of a file
2. the members of the group the file is assigned to
3. all other users
Permissions under Linux are configured for each file and
directory.
There are three levels of permissions:
1. The permissions that apply to the owner of the file. The owner
of a file is by default the user that created the file.
2. The permissions that apply to all members of the group that is
associated with the file.
3. The permissions that apply to all other users on the system.
Permissions can only be changed by the owner, and root of course.
For a file, these permissions mean the following:
read     allow the user to read the contents of the file, for
instance with cat or less.
write    allow the user to modify the contents of the file, for
instance with vi.
execute  allow the user to execute the file as a program, provided
that the file is indeed an executable program (such as a shell
script).
For a directory, these permissions have a slightly different
meaning:
read     allow the user to view the contents of the directory, for
instance with ls.
write    allow the user to modify the contents of the directory.
In other words: allow the user to create and delete files, and to
modify the names of the files. Note: Having write permissions on a
directory thus allows you to delete files, even if you have no
write permissions on that file!


execute  allow the user to use this directory as its current
working directory. In other words: allow the user to cd into it.

r  read
w  write
x  execute

u  for the owner (user) of the file
g  for the group assigned to the file
o  for all other users
a  for all (owner+group+others)

<operator> can be:
+  to add permissions
-  to delete permissions
=  to clear all permissions and set to the permissions specified
Symbolic way
$ useradd sachin
$ passwd sachin
$ useradd dhoni
$ passwd dhoni
$ groupadd market; usermod -G market dhoni
$ useradd shewag
$ passwd shewag
$ usermod -G market shewag
$ mkdir /opt/perm/; touch /opt/perm/file{1..6}
$ mkdir /opt/perm/{data1,data2}
$ cd /opt/perm
$ ll -d data1
drwxr-xr-x 2 root root 4096 Jul 29 20:15 data1
$ chown sachin data1
$ ll -d data1
$ chgrp market data1
$ ll -d data1
$ chmod u-w data1
$ ll -d data1
$ chmod g+w data1
$ ll -d data1
$ chmod o+w,o-rx data1
$ ll -d data1
$ ll -d data2
drwxr-xr-x 2 root root 4096 Jul 29 20:15 data2
$ chown -Rv sachin.market data2
$ ll -d data2
$ chmod u-rwx data2
$ ll -d data2
$ chmod g+w,g-x data2
$ ll -d data2
$ chmod -Rv o+w,o-r data2
$ ll -d data2

Octal way
$ ll file1
-rw-r--r-- 1 root root 0 Jul 29 20:15 file1
$ chmod 777 file1
$ ll file1
$ chmod 666 file2
$ ll file2
$ chmod 467 file3
$ ll file3
$ chmod 541 file4
$ ll file4
$ chmod 724 file5
$ ll file5
$ chmod 000 file6
$ chmod 0 file6

This table shows what numeric values mean:

Octal digit  Text equivalent  Binary value  Meaning
0            ---              000           All types of access are denied
1            --x              001           Execute access is allowed only
2            -w-              010           Write access is allowed only
3            -wx              011           Write and execute access are allowed
4            r--              100           Read access is allowed only
5            r-x              101           Read and execute access are allowed
6            rw-              110           Read and write access are allowed
7            rwx              111           Everything is allowed


Umask
User Mask
New files should not be created with 666! To avoid this problem a
permission mask exists. It is obviously important to know with what
permissions new files and directories are created. Under Linux,
it's not really easy to tell, since the default permissions can be
modified by setting a umask (with the umask command).
If no umask were set (which never happens, by the way), a file
would always be created with permissions 666 (rw-rw-rw-) and a
directory would get 777 (rwxrwxrwx). In actual practice however, a
umask is set, and this number is subtracted from these permissions.
So, with a umask of 022, the default permissions for a file will
become 644 (rw-r--r--, 666-022) and the default permissions for a
directory will become 755 (rwxr-xr-x, 777-022).
The default umask depends on your distribution, and whether your
distribution uses something called User Private Groups.
Red Hat assigns a umask of 002 to regular users, and 022 to root.
SUSE assigns a umask of 022 to all users, including root.
- What is your current default permission (umask)?
- How do you set your default permission?
- Umask defines what permissions, in octal, cannot be set
- Umask stands for user file creation mode mask
- In essence, the system sets the default permission on the file
and directory
- If there were no umask, the default permission on a file would
be "777"
- Usually set in a login script
- It is the inverse of the normal octal permissions
- "umask -S" shows your umask in symbolic form
- Linux removes the "x" permissions (or the 1), so 777 is the same
as 666
- Here are the common umask values:
--> 000 = full access (r+w) to everyone, or 666
--> 006 = no access to other, or 660
--> 022 = full access (r+w) to user and r to g and o, or 644
--> 066 = full access (r+w) to user and no access to g + o, or 600


Normally, you can subtract from 666 but be very careful as it may
be 777. In Fedora Linux, it is 666 but let's test it out...
--> View the current umask setting
$ umask
--> Show your umask in symbolic form
$ umask -S
- The umask on a directory should be subtracted from 777:
  777
- 022
-----
  755
System-wide umask for all users in /etc/profile
Individual umask in $HOME/.bash_profile or $HOME/.profile
Default value of umask is:
For root 022
For user 002 (if user private groups are used) or 022 (otherwise)
The umask specifies what permission bits will be set on a new file
when it is created. The umask is an octal number that specifies
which of the permission bits will not be set.
Task
I. Change the symbolic way
1. Give 704 to abc file
2. Give 417 to abc file
3. Give 006 to abc file
4. Give 707 to abc file

II. Change the octal way
1. change to octal mode r-xrw-r-x to abc    chmod 565
2. change to octal mode --xr-xr-- to abc    chmod 154
3. change to octal mode rw----rwx to abc    chmod 607
4. change to octal mode ---r-x--- to abc    chmod 050

III. Change the symbolic way
1. change mode r-xrw-r-x to rw--wxrwx to abc    chmod u+w,u-x,g-r,g+x,o+w
2. change mode --xr-xr-- to rwxrwxrw- to abc    chmod u+rw,g+w,o+w
3. change mode rw----rwx to --x----wx to abc    chmod u-rw,u+x,o-r
4. change mode ---r-x--- to rwx-w-rwx to abc    chmod u+rwx,g-rx,g+w,o+rwx
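The permission arithmetic behind the symbolic and octal exercises above and the umask rule, as an added POSIX sh example (not code from the course notes); the function names and sample modes are this example's own, and it shows that the kernel applies the umask bitwise, which only coincides with the "666 - 022" subtraction when no digit borrows.

```shell
#!/bin/sh
# Added example, not from the course notes: the permission arithmetic
# behind "chmod" and "umask", done with shell builtins only so it runs
# in any POSIX sh. Modes are 3 octal digits or 9-char rwx strings; a
# missing "who" in a symbolic clause is treated as "a" (real chmod
# additionally leaves bits that are set in the umask alone).

# digit_to_rwx 6 -> rw-
digit_to_rwx() {
    case $1 in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
        *) echo "bad digit: $1" >&2; return 1 ;;
    esac
}

# triplet_to_digit r-x -> 5  (r=4, w=2, x=1)
triplet_to_digit() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??x) v=$((v + 1)) ;; esac
    echo $v
}

# oct_to_rwx 644 -> rw-r--r--
oct_to_rwx() {
    m=$1; d1=${m%??}; rest=${m#?}; d2=${rest%?}; d3=${rest#?}
    printf '%s%s%s\n' "$(digit_to_rwx "$d1")" "$(digit_to_rwx "$d2")" "$(digit_to_rwx "$d3")"
}

# rwx_to_oct rw-r--r-- -> 644
rwx_to_oct() {
    s=$1; u=${s%??????}; rest=${s#???}; g=${rest%???}; o=${rest#???}
    printf '%s%s%s\n' "$(triplet_to_digit "$u")" "$(triplet_to_digit "$g")" "$(triplet_to_digit "$o")"
}

# oct_to_dec 644 -> 420 (the integer value of octal 644)
oct_to_dec() {
    m=$1; d1=${m%??}; rest=${m#?}; d2=${rest%?}; d3=${rest#?}
    echo $((d1 * 64 + d2 * 8 + d3))
}

# umask_mode 022 file -> 644 ; umask_mode 022 dir -> 755
# The mask clears bits (base & ~umask). For 022 this equals the
# "666 - 022" subtraction used in the notes, but for a mask such as 027
# the bitwise result (640) differs from the subtraction (637).
umask_mode() {
    case $2 in
        file) base=$(oct_to_dec 666) ;;
        dir)  base=$(oct_to_dec 777) ;;
        *)    echo "usage: umask_mode <umask> file|dir" >&2; return 1 ;;
    esac
    mask=$(oct_to_dec "$1")
    printf '%03o\n' $((base & ~mask))
}

# apply_op <digit> <+|-|=> <bits> -> new digit for one of u, g, o
apply_op() {
    case $2 in
        +) echo $(($1 | $3)) ;;
        -) echo $(($1 & ~$3 & 7)) ;;
        =) echo "$3" ;;
        *) echo "bad operator: $2" >&2; return 1 ;;
    esac
}

# apply_symbolic r-xrw-r-x u+w,u-x,g-r,g+x,o+w -> rw--wxrwx
# (the "change the symbolic way" exercise from the notes)
apply_symbolic() {
    cur=$(rwx_to_oct "$1"); spec=$2
    du=${cur%??}; rest=${cur#?}; dg=${rest%?}; do_=${rest#?}
    oldifs=$IFS; IFS=,; set -- $spec; IFS=$oldifs
    for clause in "$@"; do
        who=${clause%%[-+=]*}          # u, g, o, a or a combination
        rest=${clause#"$who"}
        op=${rest%"${rest#?}"}         # first remaining char: + - =
        perms=${rest#?}                # subset of rwx
        if [ -z "$who" ]; then who=a; fi
        bits=0
        case $perms in *r*) bits=$((bits | 4)) ;; esac
        case $perms in *w*) bits=$((bits | 2)) ;; esac
        case $perms in *x*) bits=$((bits | 1)) ;; esac
        case $who in *[ua]*) du=$(apply_op "$du" "$op" "$bits") ;; esac
        case $who in *[ga]*) dg=$(apply_op "$dg" "$op" "$bits") ;; esac
        case $who in *[oa]*) do_=$(apply_op "$do_" "$op" "$bits") ;; esac
    done
    oct_to_rwx "$du$dg$do_"
}
```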


Administrative commands and Low-level commands
Low-level
/bin       This directory contains executable programs which are
needed in single-user mode and to bring the system up or repair it.

Administrative
/sbin      Like /bin, this directory holds commands needed to boot
the system, but which are usually not executed by normal users.

Low-level
/usr/bin   This is the primary directory for executable programs.
Most programs executed by normal users which are not needed for
booting or for repairing the system and which are not installed
locally should be placed in this directory.

Administrative
/usr/sbin  This directory contains program binaries for system
administration which are not essential for the boot process, for
mounting /usr, or for system repair.


Understanding the UNIX/Linux filesystem
A conceptual understanding of the filesystem, especially its data
structures and related terms, will help you become a successful
system administrator. I have seen many new Linux system
administrators without any clue about the filesystem. The
conceptual knowledge can be applied to restore a filesystem in an
emergency situation.
What is a File?
Files are collections of data items stored on disk, or on any
device which can store information: data, music (mp3), pictures,
movies, sound, books etc. In fact whatever you store in a computer
must be in the form of a file. Files are always associated with
devices like hard disks, floppy disks etc. A file is the last object
in your filesystem tree. See the Linux/UNIX rules for naming files
and directories.
What is a directory?
A directory is a group of files. Directories are divided into two
types:
Root directory: Strictly speaking, there is only one root directory
in your system, which is denoted by / (forward slash). It is the
root of your entire filesystem and cannot be renamed or deleted.
Subdirectory: A directory under the root (/) directory is a
subdirectory, which can be created and renamed by the user.
Directories are used to organize your data files and programs more
efficiently.

Linux supports numerous filesystem types:
1. Ext2: This is like the UNIX filesystem. It has the concepts of
blocks, inodes and directories.
2. Ext3: It is the ext2 filesystem enhanced with journalling
capabilities. Journalling allows fast filesystem recovery. Supports
POSIX ACLs (Access Control Lists).
3. Isofs (iso9660): Used by the CD-ROM filesystem.
4. Sysfs: It is a RAM-based filesystem initially based on ramfs.
It is used to export kernel objects so that end users can use them
easily.
5. Procfs: The proc filesystem acts as an interface to internal
data structures in the kernel. It can be used to obtain information
about the system and to change certain kernel parameters at runtime
using the sysctl command. For example you can find out CPU info with
the following command:
$ cat /proc/cpuinfo

What is a UNIX/Linux Filesystem?
A UNIX filesystem is a collection of files and directories stored.
Each filesystem is stored in a separate whole disk partition. The
following are a few of the filesystems:
/     Special filesystem that incorporates the files under several
directories including /dev, /sbin, /tmp etc
/usr  Stores application programs
/var  Stores log files, mails and other data
/tmp  Stores temporary files
Exploring the Linux File System Hierarchy
A typical Linux system has the following directories:
=> /: This is the root directory.
=> /bin: This directory contains executable programs which are
needed in single-user mode and to bring the system up or repair it.
=> /boot: Contains static files for the boot loader. This
directory only holds the files which are needed during the boot
process.
=> /dev: Special or device files, which refer to physical devices
such as hard disk, keyboard, monitor, mouse and modem etc.
=> /etc: Contains configuration files which are local to the
machine. Some larger software packages, like Apache, can have their
own subdirectories below /etc, i.e. /etc/httpd. Some important
subdirectories in /etc:
* /etc/skel: When a new user account is created, files from this
directory are usually copied into the user's home directory.
* /etc/X11: Configuration files for the X11 window system.
* /etc/sysconfig: Important configuration files used by the SysV
scripts stored in the /etc/init.d and /etc/rcX directories.
* /etc/cron.*: cron daemon configuration files which are used to
execute scheduled commands.
=> /home: Your sweet home to store data and other files. However,
in a large installation the structure of the /home directory depends
on local administration decisions.
=> /lib: This directory should hold those shared libraries that
are necessary to boot the system and to run the commands in the root
filesystem.
=> /lib64: 64-bit shared libraries that are necessary to boot the
system and to run the commands in the root filesystem.
=> /mnt: This directory contains mount points for temporarily
mounted filesystems.
=> /opt: This directory should contain add-on packages, such as a
downloaded firefox install, or static files.
=> /proc: This is a mount point for the proc filesystem, which
provides information about running processes and the kernel.
=> /root: This directory is usually the home directory for the
root user.
=> /sbin: Like /bin, this directory holds commands needed to boot
the system, but which are usually not executed by normal users;
root/admin user specific commands go here.
=> /tmp: This directory contains temporary files which may be
deleted with no notice, such as by a regular job or at system boot
up.
=> /usr: This directory is usually mounted from a separate
partition. It should hold only sharable, read-only data, so that it
can be mounted by various machines running Linux (useful for
diskless clients or multi-user Linux networks such as a university
network). Programs, libraries, documentation etc. for all
user-related programs.
=> /var: This directory contains files which may change in size,
such as spool and log files.
=> /lost+found: Every partition has a lost+found in its upper
directory. Files that were saved during failures are here, e.g.
from ext2/ext3 fsck recovery.

Common Linux log file names and usage
* /var/log/messages: General message and system related stuff
* /var/log/auth.log: Authentication logs
* /var/log/kern.log: Kernel logs
* /var/log/cron.log: Crond logs (cron job)
* /var/log/maillog: Mail server logs
* /var/log/qmail/: Qmail log directory (more files inside this
directory)
* /var/log/httpd/: Apache access and error logs directory
* /var/log/lighttpd: Lighttpd access and error logs directory
* /var/log/boot.log: System boot log
* /var/log/mysqld.log: MySQL database server log file
* /var/log/secure: Authentication log
* /var/log/utmp or /var/log/wtmp: Login records file
* /var/log/yum.log: Yum log files
Go to the /var/log directory:
$ cd /var/log
View the common log file /var/log/messages using any one of the
following commands:
$ tail -f /var/log/messages
$ less /var/log/messages
$ more -f /var/log/messages
$ vi /var/log/messages
Output:

Device Driver: character, block, socket
Type field: The first character in the field indicates a file type
of one of the following:
* d = directory.
* l = symbolic link.
* s = socket; sockets are special files offering a type of network
interface.
* p = named pipe, handled by a programme other than a kernel driver.
* - = regular file.
* c = character (unbuffered) device special file.
* b = block (buffered) device special file.
* D = door; a door is a special file for interprocess communication
between a client and server.
Ref
http://www.securityfocus.com/infocus/1872
http://tldp.org/LDP/LinuxFilesystemHierarchy/html/index.html
http://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
http://www.comptechdoc.org/os/linux/howlinuxworks/linux_hlfilesystems.html


FSTAB

fstab is 9th out of the 10 most critical and important
configuration files, and is stored in the /etc directory, where
all the configuration files are stored.

fstab stands for "File System TABle" and this file contains
information on the hard disk partitions and removable devices in
the system. It contains information on where the partitions and
removable devices are mounted and which device drivers are used for
mounting them, which filesystem they are using and what permissions
are assigned to them.

The file fstab contains descriptive information about the various
filesystems. fstab is only read by programs, and not written; it is
the duty of the system administrator to properly create and
maintain this file. Each filesystem is described on a separate
line; fields on each line are separated by tabs or spaces. Lines
starting with '#' are comments. The order of records in fstab is
important because fsck, mount, and umount sequentially iterate
through fstab doing their thing.

Example of a fstab file content:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LABEL=/      /            ext3         defaults            1 1
LABEL=/boot  /boot        ext3         defaults            1 2
none         /dev/pts     devpts       gid=5,mode=620      0 0
LABEL=/home  /home        ext3         defaults            1 2
none         /proc        proc         defaults            0 0
none         /dev/shm     tmpfs        defaults            0 0
LABEL=/tmp   /tmp         ext3         defaults            1 2
LABEL=/u01   /u01         ext3         defaults            1 2
LABEL=/usr   /usr         ext3         defaults            1 2
LABEL=/var   /var         ext3         defaults            1 2
/dev/hda6    swap         swap         defaults            0 0
/dev/cdrom   /mnt/cdrom   udf,iso9660  noauto,ro           0 0
/dev/fd0     /mnt/floppy  auto         noauto,owner,kudzu  0 0
/dev/sda1    /mnt/usb_hdd vfat         noauto              0 0
1st          2nd          3rd          4th                 5th 6th
There are a total of six columns in the fstab file, separated by
spaces or tabs. Each column holds different information about the
device. For adding any new device, add a fresh row. Each row stands
for a partition or removable device in the system.

1st Column:
~~~~~~~~~~
The first column contains the partition's label, e.g.
"LABEL=/boot", or the driver's path, e.g. "/dev/cdrom". The device
driver's path tells the system to mount the device with the
mentioned device driver.

2nd Column:
~~~~~~~~~~
The second field (fs_file) describes the mount point for the
filesystem. For swap partitions, this field should be specified as
`none'. If the name of the mount point contains spaces these can be
escaped as `\040'.
The second column shows the mount point specified for a device in
the fstab file. The mount point actually is the directory where
that particular device (mentioned in the first column) will be
mounted and through which we can view and modify the content of
that partition. You can change the default mount point listed in
the column, if you are not satisfied with the one your system has
given you.
3rd Column:
~~~~~~~~~~
The third column in the file specifies the filesystem type of the
device or partition. Many different filesystems are supported by
Linux and the most common ones are:
1) autofs
2) devpts
3) ext2
4) ext3
5) iso9660
6) nfs
7) ntfs
8) proc
9) swap
10) tmpfs
11) udf
12) ufs
13) vfat
14) xfs
If you are not sure of the filesystem type of the device then set
the value to "auto" and the system will itself determine the
filesystem type and will mount the device with that filesystem.
4th Column:
~~~~~~~~~~
The fourth column is for permissions to be given to the partition
at the time of booting. There are many options which constitute
the fourth column. They are as follows:

1)ro

ReadOnly

2)rw

ReadWrite

3)auto

Mountonstartup

4)noauto

Donotmountonstartup

5)user

6)nouser
7)users

8)owner

Anyusercanmount,butonlyunmountdevice
mountedbyhim
Onlyrootcanmount&unmountthedevice
Everyusercanmountandalsounmountthedevice
mountedbyothers
Sameasuser(aboveno.5)
55

b.sadhiq
www.altnix.com

9)dev

Usercanusedevicedrivertomountthedevice

10)nodev

Usercannotusedevicedrivertomountthedevice

11)exec

Userscanexecutebinariesonthepartition

12)noexec

Userscannotexecutebinariesonthepartition

13)async

Asynchronous,wheneverafileissaveditwillbe
firstsavedintheRAMandafter30secondsallthe
queuedfileswillbewrittenontheharddisk

14)sync

Synchronous,wheneverafileissaveditwillbe
directlywrittentotheharddisk

15)suit

Allowsetuseridentifierforthedevicewhere
usersareallowedtorunbinarieseventhoughthey
donothaveexecutepermissions.Thesebinariesare
temporarilymadeavailableto themtoperformcertain
tasks

16)nosuid

Donotallowsetuseridentifier

17)defaults

auto,rw,dev,async,suid,exec&nouser

5thColumn:
~~~~~~~~~~
The5thcolumnisforbackupoption.Thiscolumncontains
either0or1.Where"0"standsfor"NO"and"1"standsfor
"YES".Thesystemchecksitatthetimeofbooting,ifit's"0",
dumpwillignorethatfilesystembutifits"1"thenitwill
enablebackupoption.Backupissupportedononlyext3filesystem,
henceonlyforext3filesystemitshouldbeenabledandforrest
ofthefilesystemsitshouldbedisabled.

6thColumn:
~~~~~~~~~~
The6thcolumnisfor"fsck"option.fsckstandsforfile
systemcheck.Thiscolumndefinestheorderinwhichthesystem
shouldscanthepartitionsonstartup.The/partitionisassigned
toppriorityi.e.1andtherestofthepartitionsareassigned
secondpriorityi.e.2.Ifvalueissetto0meansnoscanning
56

b.sadhiq
www.altnix.com

willbedoneatthetimeofstartup.Ifsamenumberisgivento
differentpartitionsthenthepartitionsarescannedtogetherwith
equalpriority.Thisminimizeserrorbecauseifalinkispresent
ononepartitionwithhigherpriorityandthesourcefilein
anotherpartitionwithaprioritylowerthanthelink,itwill
giveanerror.
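As an added example (not part of this manual), the following script reads the columns described above from a constructed sample fstab and flags entries whose option column undoes the protections that matter on media ordinary users can mount: it computes the effective suid/exec/dev state (defaults = auto,rw,dev,async,suid,exec,nouser) and warns when a user-mountable entry explicitly re-enables them, or when removable, foreign or network filesystems are mounted with suid still honoured. The SAMPLE_FSTAB text and the mount(8) implied-option rules applied in effective_flags are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example, not part of the manual: audit the 4th (options) column of
# an fstab. SAMPLE_FSTAB is a constructed sample, not a real system's file.
SAMPLE_FSTAB='
# <device>        <mount point>  <type>   <options>          <dump> <pass>
LABEL=/           /              ext3     defaults           1 1
LABEL=/boot       /boot          ext3     defaults           1 2
/dev/sda3         swap           swap     defaults           0 0
/dev/cdrom        /media/cdrom   iso9660  noauto,owner,ro    0 0
/dev/sdb1         /media/usb     vfat     user,exec,suid     0 0
/dev/sdb2         /media/backup  ntfs     defaults           0 0
server:/export    /mnt/nfs       nfs      defaults           0 0
/dev/sdc1         /media/safe    vfat     user,nosuid,nodev  0 0
'

# Print the effective suid/exec/dev state of one options string, e.g.
# "defaults" -> "suid exec dev" (defaults = auto,rw,dev,async,suid,exec,nouser).
# Assumed mount(8) rule: user/users imply noexec,nosuid,nodev and owner
# implies nosuid,nodev, unless a later option in the list turns them back on.
effective_flags() {
    suid=suid; exec=exec; dev=dev
    old_ifs=$IFS; IFS=,
    for opt in $1; do
        case $opt in
            user|users)  suid=nosuid; exec=noexec; dev=nodev ;;
            owner)       suid=nosuid; dev=nodev ;;
            suid|nosuid) suid=$opt ;;
            exec|noexec) exec=$opt ;;
            dev|nodev)   dev=$opt ;;
        esac
    done
    IFS=$old_ifs
    printf '%s %s %s\n' "$suid" "$exec" "$dev"
}

# Read fstab text from stdin, print one WARN line per finding and return
# the number of findings (0 means nothing flagged).
audit_fstab() {
    findings=0
    while read -r spec mnt fstype opts rest; do
        case $spec in ''|'#'*) continue ;; esac      # skip blanks and comments
        [ "$fstype" = swap ] && continue
        flags=$(effective_flags "$opts")
        case ",$opts," in
            *,user,*|*,users,*|*,owner,*)
                # Ordinary users may mount this; explicitly adding suid, exec or
                # dev undoes the protections implied for such entries.
                case ",$opts," in
                    *,suid,*|*,exec,*|*,dev,*)
                        echo "WARN $mnt: user-mountable, but options re-enable ($flags)"
                        findings=$((findings + 1)) ;;
                esac ;;
        esac
        case $fstype in
            vfat|ntfs|iso9660|udf|nfs)
                # Foreign, removable or network media should not honour suid bits.
                case $flags in
                    suid*) echo "WARN $mnt ($fstype): set-uid binaries honoured (add nosuid)"
                           findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    return $findings
}

if printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab; then
    echo "fstab: nothing flagged"
else
    echo "fstab: $? entries flagged"
fi
```

Run against a real file with `audit_fstab < /etc/fstab`; the sample above yields four findings (two for /media/usb, one each for /media/backup and /mnt/nfs).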

dmesg
The dmesg command is used to write the kernel messages in Linux and
other Unix-like operating systems to standard output (which by
default is the display screen).
A kernel is the core of an operating system. It is the first part
of the operating system that is loaded into memory when a computer
boots up (i.e., starts up), and it controls virtually everything on
a system. The numerous messages generated by the kernel that appear
on the display screen as a computer boots up show the hardware
devices that the kernel detects and indicate whether it is able to
configure them.
dmesg obtains its data by reading the kernel ring buffer. A buffer
is a portion of a computer's memory that is set aside as a
temporary holding place for data that is being sent to or received
from an external device, such as a hard disk drive (HDD), printer
or keyboard. A ring buffer is a buffer of fixed size for which any
new data added to it overwrites the oldest data in it.
dmesg can be very useful when troubleshooting or just trying to
obtain information about the hardware on a system. Its basic syntax
is:
dmesg [options]
Invoking dmesg without any of its options (which are rarely used)
causes it to write all the kernel messages to standard output. This
usually produces far too many lines to fit into the display screen
all at once, and thus only the final messages are visible. However,
the output can be redirected to the less command through the use of
a pipe (designated by the vertical bar character), thereby allowing
the startup messages to be viewed one screenful at a time:
dmesg | less
less allows the output to be moved forward one screenful at a time
by pressing the SPACE bar, backward by pressing the b key and
removed by pressing the q key. (The more command could have been
used here instead of the less command; however, less is newer than
more and has additional functions, including the ability to return
to previous pages of the output.)
When a user encounters a problem with the system, it can be
convenient to write the output of dmesg to a file and then send
that file by email to a system administrator or other
knowledgeable person for assistance. For example, the output could
be redirected to a file named boot_messages using the output
redirection operator (designated by a rightward-facing angle
bracket) as follows:
dmesg > boot_messages
Because of the length of the output of dmesg, it can be convenient
to pipe its output to grep, a filter which searches for any lines
that contain the string (i.e., sequence of characters) following
it. The -i option can be used to tell grep to ignore the case
(i.e., lower case or upper case) of the letters in the string. For
example, the following command lists all references to USB
(universal serial bus) devices in the kernel messages:
dmesg | grep -i usb
And the following tells dmesg to show all serial ports (which are
represented by the string tty):
dmesg | grep -i tty
The dmesg and grep combination can also be used to show how much
physical memory (i.e., RAM) is available on the system:
dmesg | grep -i memory
The following command checks to confirm that the HDD(s) is running
in DMA (direct memory access) mode:
dmesg | grep -i dma
The output of dmesg is maintained in the log file /var/log/dmesg,
and it can thus also be easily viewed by reading that file with a
text editor, such as vi or gedit, or with a command such as cat,
e.g.,
cat /var/log/dmesg | less
Reference: http://linuxgazette.net/issue59/nazario.html

lspci
lspci is a command on Unix-like operating systems that prints
detailed information about all PCI buses and devices in the system.
It is based on a common portable library, libpci, which offers
access to the PCI configuration space on a variety of operating
systems.
Example output on a Linux system:
# lspci
00:00.0 Host bridge: Intel Corporation 82815 815 Chipset Host Bridge and Memory Controller Hub (rev 11)
00:02.0 VGA compatible controller: Intel Corporation 82815 CGC [Chipset Graphics Controller] (rev 11)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev 03)
00:1f.0 ISA bridge: Intel Corporation 82801BAM ISA Bridge (LPC) (rev 03)
00:1f.1 IDE interface: Intel Corporation 82801BAM IDE U100 (rev 03)
00:1f.2 USB Controller: Intel Corporation 82801BA/BAM USB (Hub #1) (rev 03)
00:1f.3 SMBus: Intel Corporation 82801BA/BAM SMBus (rev 03)
00:1f.4 USB Controller: Intel Corporation 82801BA/BAM USB (Hub #2) (rev 03)
00:1f.5 Multimedia audio controller: Intel Corporation 82801BA/BAM AC'97 Audio (rev 03)
01:03.0 CardBus bridge: O2 Micro, Inc. OZ6933/711E1 CardBus/SmartCardBus Controller (rev 01)
01:03.1 CardBus bridge: O2 Micro, Inc. OZ6933/711E1 CardBus/SmartCardBus Controller (rev 01)
01:0b.0 PCI bridge: Actiontec Electronics Inc Mini-PCI bridge (rev 11)
02:04.0 Ethernet controller: Intel Corporation 82557/8/9 [Ethernet Pro 100] (rev 08)
02:08.0 Communication controller: Agere Systems WinModem 56k (rev 01)
If many devices are shown as unknown (e.g. "Unknown device 2830
(rev 02)"), issuing the command 'update-pciids' will usually do the
trick.
Detailed information:
$ lspci -vv
To update the pci.ids information in /usr/share/hwdata/pci.ids:

$ update-pciids

Bash
Descended from the Bourne Shell, Bash is a GNU product, the "Bourne
Again SHell." It's the standard command line interface on most
Linux machines. It excels at interactivity, supporting command line
editing, completion, and recall. It also supports configurable
prompts; most people realize this, but don't know how much can be
done.

Bash converts the text script to binary (0,1).
This chapter is based on Chapters 6 through 8 of the Siever book,
Linux in a Nutshell [Siever 2003].
Figure 1 illustrates some of the shells found on UNIX/Linux
systems.

Shell   Description
bash    Bourne again shell (GNU)
csh     C shell (BSD)
jsh     Job control shell (SVR4)
ksh     Korn shell (Bell Labs)
rc      Plan 9 shell (Bell Labs)
rsh     Remote shell (TCP/IP)
sh      Bourne shell (UNIX 7th Edition)
tcsh    Popular extension of the C shell
zsh     Popular extension of the Korn shell

Figure 1: Some UNIX/Linux Shells
Standard GNU/Linux systems use bash as the default shell. Some
distributions, e.g. Red Hat Linux, have /bin/sh as a symbolic link
to /bin/bash and /bin/csh as a symbolic link to /bin/tcsh.
Common Features
Figure 2 illustrates some features that are common to both bash and
tcsh.

Symbol   Description
>        Redirect output
>>       Append output to a file
<        Redirect input
<<       Redirect input ("Here" document)
|        Pipe output
&        Run process in background
;        Separate commands on one line
*        Match character(s) in filename
?        Match single character in filename
!n       Repeat command number n
[...]    Match any characters enclosed
(...)    Execute commands in a subshell
"..."    Quote allowing variable and command expansion
'...'    Literal string
`...`    Command substitution
\        Quote following character
$var     Variable expansion
$$       Process ID
$0       Command name
$n       nth argument (0...9)
$*       All arguments
$?       Exit status
#        Begin comment
Figure 2: Common symbols

In addition to these symbols, both shells have some common
commands, as illustrated in Figure 3.

Command    Description
bg         Background execution
break      Break out of a loop
cd         Change directory
continue   Resume a loop
echo       Display output
eval       Evaluate arguments
exec       Execute a new program
fg         Foreground execution
jobs       Show active jobs
kill       Terminate running job(s)
shift      Shift positional parameters
stop       Suspend a background job
suspend    Suspend a foreground job
umask      Set or list file permissions
unset      Erase variable or function definition
wait       Wait for a background job to finish

Reference
http://en.wikipedia.org/wiki/Bash
Practical

BASH
Login: root
passwd: *****
When you log in you get a vc (virtual console) with the help of the
tty driver (/dev/tty*) and a shell (/bin/bash).
In Linux the default shell is bash (/bin/bash).
To check the shells supported by your OS:
$ cat /etc/shells
To swap to another shell:
$ sh
$ ksh etc....
Check your bash:
$ ps
To start another bash just run the following, which is inherited:
$ bash
Now check with:
$ ps
You will have two bash processes (parent and child). If you kill
the child bash it won't affect the parent, but if you do vice versa
then check what happens.
List the bash shell pid:
$ ps -el | grep bash
Now try loading bash and kill it with the cmd:
$ kill -9 <pid of bash>
Bash
Here's a neat Bash prompt trick. At a basic Bash prompt, press the
up arrow key and you'll see the last command you typed in. Press
again and again to rotate through all the commands you typed
previously, stored for you in Bash history.
You will only see the commands you typed in for your login, whether
that's for a specific user or for root.
Here are some additional Bash tips, all of which are commands that
you type at the Bash prompt:
To display a full numbered list of all stored commands, type:
history
To retrieve the eighth command previously entered, type:
!8
To get the last command that started with the letter V, type:
!v
Bash history isn't lost when you reboot or shut down either. Clever,
isn't it?
Bash Shortcuts
To go along with the Bash basics above, here are some basic
shorthand commands:
To go back one step in the directory tree, type:
cd ..
To change to the /home/{logged in username} directory, type:
cd ~
To change to the directory of a specific user when you have more
than one, type the previous command followed by the name of the
user:
cd ~bruno
cd ~anna
To change to the directory /home/{logged in
username}/Downloads/Backgrounds, type:
cd ~/Downloads/Backgrounds
For really fast typing don't forget to use the Tab key for auto
completion.
Typing the following does the same as the previous example, a lot
faster:
cd ~/D{press Tab key}/B{press Tab key}
Bash Script
You probably know that the "rm" command removes (or deletes) a file
permanently. Wouldn't it be nice if we could move it to the recycle
bin with a simple command instead? You can. To do that, you can
make your own command called del with a brief script.
To build the script, open a terminal and type the following lines:
su
{type your root password} (Note: you should see the # prompt)
kedit /usr/bin/del
This opens a new window in the kedit editor into which you should
type the following script:
#!/bin/bash
mv "$1" ~/Desktop/Trash
# End script
The next step is to save the file using kedit's File, Save As menu
command. Then, back at the Bash prompt logged in as root, type this
line to make the new script executable:
$ chmod 0775 /usr/bin/del
Now whenever you type the del command, it will run your script. For
example, if you came across the "tessst" file and you wanted to
move it to the trash, you could just type this at the Bash prompt:
$ del tessst
That will perform the same action as:
$ mv tessst /home/{logged in username}/Desktop/Trash
Sure, this was a very short example, a three line script; it only
holds one command, but you could add as many lines to the script as
you wanted to and execute it with a simple three letter word. If
there are more commands in the script it will execute them in the
order that they appear. Because /usr/bin is in your path you only
have to type "del" to execute it from anywhere in the filesystem.
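The del script above moves whatever $1 names without checking it. As an added example (not the manual's own script), here is a version of the same idea that quotes its arguments, refuses to run without one, creates the trash directory, stops option parsing with "--" so a file named "-rf" is still just a file, and never overwrites an earlier trashed file of the same name. The TRASH variable is an assumption introduced here; it defaults to the ~/Desktop/Trash location the text uses.

```shell
#!/bin/sh
# Added example, not the manual's own script: a safer "del" that moves files
# to a trash directory instead of deleting them. TRASH defaults to the
# ~/Desktop/Trash location used above; set it before calling del to override.
TRASH=${TRASH:-$HOME/Desktop/Trash}

del() {
    if [ "$#" -eq 0 ]; then
        echo "usage: del FILE..." >&2
        return 2
    fi
    mkdir -p "$TRASH" || return 1
    for src in "$@"; do
        # Every use of the argument is quoted, so names with spaces survive.
        if [ ! -e "$src" ]; then
            echo "del: $src: no such file or directory" >&2
            return 1
        fi
        name=${src%/}; name=${name##*/}        # basename without a subprocess
        dest=$TRASH/$name
        n=1
        # Never overwrite something already in the trash with the same name.
        while [ -e "$dest" ]; do
            dest=$TRASH/$name.$n
            n=$((n + 1))
        done
        # "--" ends option parsing, so a file called "-rf" is moved, not parsed.
        mv -- "$src" "$dest" || return 1
        echo "trashed: $src -> $dest"
    done
}
```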

Tab Completion Tip
Did you know you can use the Tab key to autocomplete commands on
the command line? Just type a few characters that start a command
and press the Tab key. The command or name of an existing directory
or file will be completed.
Try this. Type the following and then press the Tab key:
$ cd /u
Now add an "s" and press Tab, type "h" and press Tab. The result
should be:
$ cd /usr/share/

Now type "f" "o" "n" and press Tab, "t" press Tab, "d" Tab, and
press the Enter key. That should put you in:
/usr/share/fonts/ttf/decoratives
Type the following and press Enter:
ls
That'll bring up a list of all the fancy ttf fonts on your system.
So next time you have to type a long command like this:
# cp synthesis.hdlist.update_source.cz /var/lib/urpmi/synthesis.hdlist.update_source.cz
...try it this way instead:
# cp sy(Tab key), /v(Tab key), li(Tab key), u(Tab key), sy(Tab key)
And because the full command is on your screen, the light will go
on if it hasn't already! (Note: This command works only if the file
"synthesis.hdlist.update_source.cz" is in your /home directory)
How about a little more on the Tab key and commands. If you don't
remember exactly how a command was written, type in the first
character or two and hit the Tab key. You'll get a list of all the
commands that start with the same character(s).
If you wish to know what a certain command does, say, mkmanifest,
use the whatis command, like this:
$ whatis mkmanifest
mkmanifest (1) - Makes list of file names and their DOS 8+3
equivalents.
Introduction to BASH
* Developed by the GNU project.
* The default Linux shell.
* Backward compatible with the original sh UNIX shell.
* Bash is largely compatible with sh and incorporates useful
features from the Korn shell ksh and the C shell csh.
* Bash is the default shell for Linux. However, it does run on
every version of Unix and a few other operating systems such as
MS-DOS, OS/2, and Windows platforms.
Quoting from the official Bash home page:
Bash is the shell, or command language interpreter, that will
appear in the GNU operating system. It is intended to conform to
the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard. It
offers functional improvements over sh for both programming and
interactive use. In addition, most sh scripts can be run by Bash
without modification.
The improvements offered by BASH include:
The Bash syntax is an improved version of the Bourne shell syntax.
In most cases Bourne shell scripts can be executed by Bash without
any problems.
* Command line editing.
* Command line completion.
* Unlimited size command history.
* Prompt control.
* Indexed arrays of unlimited size (Arrays).
* Integer arithmetic in any base from two to sixty-four.
* Bash startup files: You can run bash as an interactive login
shell, or interactive non-login shell. See Bash startup files for
more information.
* Bash conditional expressions: Used in composing various
expressions for the test builtin or [[ or [ commands.
* The Directory Stack: History of visited directories.
* The Restricted Shell: A more controlled mode of shell
execution.
* Bash POSIX Mode: Making Bash behave more closely to what the
POSIX standard specifies.

In Linux, a lot of work is done using a command line shell. Linux
comes preinstalled with Bash. Many other shells are available under
Linux:
* tcsh: An enhanced version of csh, the C shell.
* ksh: The real, AT&T version of the Korn shell.
* csh: Shell with C-like syntax, standard login shell on BSD
systems.
* zsh: A powerful interactive shell.
* scsh: An open source Unix shell embedded within the Scheme
programming language.

Shell Scripting
Starting a Script With #!
1. It is called a shebang or a "bang" line.
2. It is nothing but the absolute path to the Bash interpreter.
3. It consists of a number sign and an exclamation point
character (#!), followed by the full path to the interpreter such
as /bin/bash.
4. All scripts under Linux execute using the interpreter
specified on the first line [1].
5. Almost all bash scripts begin with #!/bin/bash
(assuming that Bash has been installed in /bin).
6. This ensures that Bash will be used to interpret the script,
even if it is executed under another shell [2].
7. The shebang was introduced by Dennis Ritchie between Version
7 Unix and 8 at Bell Laboratories. It was then also added to the
BSD line at Berkeley [3].
Ignoring An Interpreter Line (shebang)
* If you do not specify an interpreter line, the default is
usually /bin/sh. But it is recommended that you set the
#!/bin/bash line.
/bin/sh
For a system boot script, use /bin/sh:
#!/bin/sh
sh is the standard command interpreter for the system. The current
version of sh is in the process of being changed to conform with
the POSIX 1003.2 and 1003.2a specifications for the shell.
Did you know?
* It is the shell that lets you run different commands without
having to type the full pathname to them even when they do not
exist in the current directory.
* It is the shell that expands wildcard characters, such as *
or ?, thus saving you laborious typing.
* It is the shell that gives you the ability to run previously
run commands without having to type the full command again, by
pressing the up arrow, or pulling up a complete list with the
history command.
* It is the shell that does input, output and error
redirection.

Why shell scripting?
* Shell scripts can take input from a user or file and output
them to the screen.
* Whenever you find yourself doing the same task over and over
again you should use shell scripting, i.e., repetitive task
automation.
  o Creating your own power tools/utilities.
  o Automating command input or entry.
  o Customizing administrative tasks.
  o Creating simple applications.
  o Since scripts are well tested, the chances of errors
are reduced while configuring services or system administration
tasks such as adding new users.

Practical examples where shell scripting is actively used
* Monitoring your Linux system.
* Data backup and creating snapshots.
* Dumping an Oracle or MySQL database for backup.
* Creating an email based alert system.
* Finding out what processes are eating up your system resources.
* Finding out available and free memory.

List of common bash keywords and builtin commands
* JOB_SPEC &
* (( expression ))
* . filename
* :
* [ arg... ]
* [[ expression ]]
* alias
* bg
* bind
* builtin
* caller
* case
* command
* compgen
* complete
* continue
* declare
* dirs
* disown
* echo
* enable
* eval
* exec
* exit
* export
* false
* fc
* fg

Syntax:
command1 && command2
OR
First_command && Second_command
command2 is executed if, and only if, command1 returns an exit
status of zero (true). In other words, run command1 and if it is
successful, then run command2.
Example

Type the following at a shell prompt:
$ rm /tmp/filename && echo "File deleted."
The echo command will only run if the rm command exits successfully
with a status of zero. If the file is deleted successfully the rm
command sets the exit status to zero and the echo command gets
executed.
Look up a username in the /etc/passwd file:
grep "^champu" /etc/passwd && echo "champu found in /etc/passwd"
Exit if the directory /tmp/foo does not exist:
test ! -d /tmp/foo && { read -p "Directory /tmp/foo not found. Hit [Enter] to exit..." enter; exit 1; }

Syntax:
command1 || command2
OR
First_command || Second_command

command2 is executed if, and only if, command1 returns a non-zero
exit status. In other words, run command1 successfully or run
command2.
Example
$ cat /etc/shadow 2>/dev/null || echo "Failed to open file"

The cat command will try to display the /etc/shadow file and it (the
cat command) sets the exit status to a non-zero value if it failed
to open the /etc/shadow file. Therefore, 'Failed to open file' will
be displayed if the cat command failed to open the file.
Find a username, else display an error:
$ grep "^champu" /etc/passwd || echo "User champu not found in /etc/passwd"
How Do I Combine Both Logical Operators?

Try it as follows:
$ cat /etc/shadow 2>/dev/null && echo "File successfully opened." || echo "Failed to open file."
Make sure only root can run this script:
$ test $(id -u) -eq 0 && echo "You are root" || echo "You are NOT root"
OR
$ test $(id -u) -eq 0 && echo "Root user can run this script." || echo "Use sudo or su to become a root user."
Shell functions
* Sometimes shell scripts get complicated.
* To avoid large and complicated scripts use functions.
* You divide large scripts into small chunks/entities called
functions.
* Functions make a shell script modular and easy to use.
* A function avoids repetitive code. For example, an is_root_user()
function can be reused by various shell scripts to determine
whether the logged on user is root or not.

* A function performs a specific task. For example, add or delete a
user account.
* A function is used like a normal command.
* In other high level programming languages a function is also
known as a procedure, method, subroutine, or routine.
Writing the hello() function
Type the following command at a shell prompt:
hello() { echo 'Hello world!'; }
Invoking the hello() function
The hello() function can be used like a normal command. To execute,
simply type:
hello
Passing the arguments to the hello() function
You can pass command line arguments to user defined functions.
Define hello as follows:
hello() { echo "Hello $1, let us be a friend."; }
You can call the hello function and pass an argument as follows:
hello champu

Sample outputs:

Hello champu, let us be a friend.
* One line functions inside {...} must end with a semicolon.
Otherwise you get an error on screen:
$ xrpm() { rpm2cpio "$1" | cpio -idmv }
The above will not work. However, the following will work (notice
the semicolon at the end):
$ xrpm() { rpm2cpio "$1" | cpio -idmv; }

To display defined function names use the declare command. Type the
following command at a shell prompt:
$ declare -F
Sample outputs:
declare -f command_not_found_handle
declare -f genpasswd
declare -f grabmp3
declare -f hello
declare -f mp3
declare -f xrpm

Display Function Source Code
To view function names and source code, enter:
declare -f
OR
declare -f | less
The test command is used to check file types and compare values.
Test is used in conditional execution. It is used for:
* File attribute comparisons
* Performing string comparisons.
* Arithmetic comparisons.

test command syntax
test condition
OR
test condition && true-command
OR
test condition || false-command
OR
test condition && true-command || false-command

Type the following command at a shell prompt (is 5 greater than
2?):
$ test 5 > 2 && echo "Yes"
$ test 1 > 2 && echo "Yes"
Sample Output:
Yes
Yes
Rather than testing whether a number is greater than 2, you have used
redirection to create an empty file called 2 (see shell
redirection). To test for greater than, use the -gt operator (see
numeric operator syntax):

test 5 -gt 2 && echo "Yes"
test 1 -gt 2 && echo "Yes"
Yes

You need to use the test command while making a decision. Try the
following examples and note down their output:
$ test 5 = 5 && echo Yes || echo No
$ test 5 = 15 && echo Yes || echo No
$ test 5 != 10 && echo Yes || echo No
$ test -f /etc/resolv.conf && echo "File /etc/resolv.conf found." || echo "File /etc/resolv.conf not found."
test -f /etc/resolv1.conf && echo "File /etc/resolv1.conf found." || echo "File /etc/resolv1.conf not found."
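As an added example (not from the manual) serving the logical-operator, shell-function and test passages above: the is_root_user() function the text mentions, a numeric comparison written with -gt instead of the redirecting ">", and a side-by-side of why `cmd1 && cmd2 || cmd3` is not the same as if/else. The function names other than is_root_user are chosen here.

```shell
#!/bin/sh
# Added example, not from the manual: the is_root_user() function mentioned
# above, a numeric comparison done with -gt rather than ">", and what
# "cmd1 && cmd2 || cmd3" really does compared with if/else.

# True (exit 0) only when the effective user id is 0.
is_root_user() {
    [ "$(id -u)" -eq 0 ]
}

# True when $1 is numerically greater than $2. "test 5 > 2" would instead
# redirect output into a file named 2 and always succeed.
num_gt() {
    [ "$1" -gt "$2" ]
}

# In "cmd1 && cmd2 || cmd3" the shell runs cmd3 whenever the part before
# "||" failed, including the case where cmd1 succeeded but cmd2 failed.
chain_demo() {
    true && false || echo "fallback ran although cmd1 succeeded"
}

# With if/else the else branch runs only when the condition itself fails;
# a failing command inside the body never reaches it.
if_demo() {
    if true; then
        false || echo "body failed, else did not run"
    else
        echo "else ran"
    fi
}

# The check the text builds with && and ||, written as a reusable function
# whose exit status a script can act on.
require_root() {
    if is_root_user; then
        echo "Root user can run this script."
    else
        echo "Use sudo or su to become a root user." >&2
        return 1
    fi
}

num_gt 5 2 && echo "5 > 2: Yes"
num_gt 1 2 || echo "1 > 2: No"
chain_demo
if_demo
require_root || true
```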
Write Scripts
1.
#!/bin/bash
read -p "Enter #5: " number
if test "$number" == 5
then
    echo "Thanks for entering #5"
fi
if test "$number" != 5
then
    echo "I told you to enter #5. Please try again."
fi
2.
#!/bin/bash
clear
echo -e "What is your name: \c"
read name
echo hello $name. Welcome to Shell programming
sleep 2
clear
echo -e "Would you like to see a listing of your files? [y/n]: \c"
read yn
if [ "$yn" = y ]
then
    ls
fi

sleep 1
echo -e "Would you like to see who all are logged in? [y/n]: \c"
read yn
if [ "$yn" = y ]
then
    who
fi
sleep 1
echo Would you like to see which dir you are in \?
read yn
if [ "$yn" = y ]
then
    pwd
fi

3.
#!/bin/sh
clear
echo Enter file name to copy
read apple
echo Enter file name to copy to
read mango
if cp "$apple" "$mango" >/dev/null 2>&1
then
    echo Files copied ok Congrats!!
else
    echo Error!!!!!!!!!!!!!!! Contact Mr ABC at Ext 101
fi
4.
#!/bin/bash
# -lt, -le, -gt, -ge, -ne, -eq: Use these for numerical
# comparisons
# <, <=, >, >=, <>, =: Use these for string comparisons
clear
tput cup 10 10
echo -e "Enter a no from 1 to 5: \c"
read num
if test "$num" -lt 6
then
    tput cup 12 10
    echo "Good"
else
    tput cup 12 10
    echo "Sorry only between 1 to 6"
fi

5.
#!/bin/bash
## see man test
clear
echo Enter filename
read filename
if [ -z "$filename" ]
then
    echo You have to enter some filename
    echo Exiting....
    sleep 2
    exit
fi
if [ -f "$filename" ]
then
    echo The filename you entered exists!!
    echo Deleting $filename.....
    sleep 2
    rm -f "$filename"
    echo Deleted $filename.....
    sleep 1
    clear
else
    echo The filename you entered does not exist!!!
fi

6.
#!/bin/bash
read -p "Enter a number: " n
if [ "$n" -gt 0 ]; then
    echo "$n is a positive."
elif [ "$n" -lt 0 ]
then
    echo "$n is a negative."
elif [ "$n" -eq 0 ]
then
    echo "$n is zero number."
else
    echo "Oops! $n is not a number."
fi

7.
#!/bin/bash
clear
echo -e "Enter a number from 1 to 3: \c"
read num
case "$num" in
    1) echo You have entered 1
    ;;
    2) echo You have entered 2
    ;;
    3) echo You have entered 3
    ;;
    *) echo Between 1 to 3 only!!
    ;;
esac
8.
#!/bin/sh
echo Enter dog/cat/parrot
read animal
case "$animal" in
    cat|kat) echo You have entered cat
    ;;
    dog) echo You have entered dog
    ;;
    parrot|crow) echo You have entered parrot or crow
    ;;
    *) echo Invalid entry!!
    ;;
esac

RPM
Rpm is a powerful Package Manager for Red Hat, Suse and Fedora
Linux. It can be used to build, install, query, verify, update, and
remove/erase individual software packages. A Package consists of an
archive of files, and package information, including name, version,
and description:
The RPM Package Manager
--------------------------------
RPM is a recursive acronym for RPM Package Manager.

It used to be called the Red Hat Package Manager, but Red Hat
changed its name to emphasize that other distributions use it too.
The new official name is RPM Package Manager, and yes, that's a
self-referencing acronym (SRA), just like GNU.
- RPM is the default package manager for Red Hat Linux systems.
- The RPM system consists of a local database, the rpm executable and
rpm package files.
- It deals with .rpm files, which contain the actual programs as
well as various bits of meta-information about the package: what it
is, where it came from, version information and info about package
dependencies.
- RPMs are the files (called packages) which contain the
installable software; typically they have the .rpm suffix.
RPM FACTS
-------------------------------
1. RPM is free - GPL
The RPM Package Manager or RPM is a tool which was developed by Red
Hat Software, who still maintain it, but released under the GNU
General Public Licence (GPL), and it has proven to be so popular that
a lot of other distribution manufacturers use it as well.
RPM is a very versatile program which solves a lot of problems that
a distributor of software typically faces:
- Management of source files
- Management of the build process
- A distribution method and format for binary files, including pre-
and post-install scripts. RPMs can be created by anyone, not only the
manufacturer of your distribution.
2. Stores info about packages in a database: /var/lib/rpm
/var/lib/rpm contains all the database necessary for managing all
of the packages installed on your system in the form of rpm.
The database stores information about installed packages such as
file attributes and package prerequisites.
When a certain system uses RPMs to install packages, a database of
installed packages is stored in /var/lib/rpm. The database itself
is in rpm format too, so it cannot be read directly. You will have
to access the database using the rpm command.

Where to get RPMs

http://rpmseek.com
http://rpmfind.net
http://www.redhat.com
http://freshrpms.net
http://rpm.pbone.net
http://dag.wieers.com
http://rpmforge.net
http://filewatcher.com
Common Build Procedures
- source code install - tarball (.tar, .tar.gz, .tgz, tar.bz,
tar.tbz)
- Configure/make/make install
- Binary RPMs (.rpm)
- Source RPMs (.srpm)
Some Query Options
$ rpm -ivh {rpm-file}
    Install the package
$ rpm -ivh mozilla-mail-1.7.5-17.i586.rpm
$ r]pm -ivh --test mozilla-mail-1.7.5-17.i586.rpm
$ rpm -Uvh {rpm-file}
    Upgrade package
$ rpm -Uvh mozilla-mail-1.7.6-12.i586.rpm
$ rpm -Uvh --test mozilla-mail-1.7.6-12.i586.rpm
$ rpm -Fvh {rpm-file}
    Upgrades to a later version
$ rpm -ev {package}
    Erase/remove an installed package
$ rpm -ev mozilla-mail
$ rpm -ev --nodeps {package}
    Erase/remove an installed package without checking for dependencies
$ rpm -ev --nodeps mozilla-mail
$ rpm -qa
    Display a list of all installed packages
$ rpm -qa | less
$ rpm -qi {package}
    Display installed information along with package version and
    short description
$ rpm -qi mozilla-mail
$ rpm -qf {/path/to/file}
    Find out what package a file belongs to, i.e. find what package
    owns the file
$ rpm -qf /etc/passwd
$ rpm -qf /bin/bash
$ rpm -qc {package-name}
    Display a list of configuration file(s) for a package
$ rpm -qc httpd
$ rpm -qcf {/path/to/file}
    Display a list of configuration files for a command
$ rpm -qcf /usr/X11R6/bin/xeyes
$ rpm -qa --last
    Display a list of all recently installed RPMs
$ rpm -qa --last | less
$ rpm -qpR {.rpm-file}
$ rpm -qR {package}
    Find out what dependencies a rpm file has
$ rpm -qpR mediawiki-1.4rc1-4.i586.rpm
$ rpm -qR bash
$ rpm -qlp foo.rpm
    Which files are installed with foo.rpm?
$ rpm -ivh --nodeps pants.rpm
    Install a package ignoring dependencies
$ rpm -e foo
    ('e' for erase)
$ rpm -i --prefix /new/directory package.rpm
    The --prefix and --relocate options make the rpm command relocate
    a package to a new location.
$ rpm -K <.rpm>
    Verify the package (--checksig): we can check that the MD5 digest
    is OK
$ rpm --rebuilddb
Task
Download xmms-1.2.10-1.i386.rpm & try to install it:
$ rpm -ivh xmms-1.2.10-1.i386.rpm
It will ask for dependencies. Download the dependencies from the
sites given above & install the same.
Download
glib-1.2.10-627.i586.rpm
gtk-1.2.10-926.i586.rpm
gtk-32bit-1.2.10-926.x86_64.rpm
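As an added example (not from the manual), the following wrapper refuses to install a package unless `rpm -K` (--checksig) reports a good signature, and it treats a plain `sha1 md5 OK` or `digests OK` line as a refusal, since that only means the digests matched an unsigned package. The sample result lines are constructed to mirror the older and newer output styles of rpm -K, the key id is a placeholder, and the xmms file name is the one from the task above; safe_install is the only part that needs rpm itself.

```shell
#!/bin/sh
# Added example, not from the manual: install an .rpm only after "rpm -K"
# (--checksig) reports a good signature. The result lines at the bottom are
# constructed samples of what rpm -K prints, not output captured from rpm.

# Return 0 only when an "rpm -K" result line ends in "OK", contains no
# "NOT OK"/missing-key warning, and actually mentions a signature. A line
# such as "sha1 md5 OK" or "digests OK" means the digests matched but the
# package is unsigned, which proves nothing about where it came from.
checksig_ok() {
    result=$(printf '%s' "${1#*: }" | tr 'A-Z' 'a-z')   # drop the file name
    case $result in
        *"not ok"*|*"missing key"*|*nokey*) return 1 ;;
    esac
    case $result in
        *" ok") ;;
        *) return 1 ;;
    esac
    case $result in
        *signatures*|*gpg*|*pgp*|*rsa*|*dsa*) return 0 ;;
        *) return 1 ;;           # digests verified, but no signature at all
    esac
}

# Verify, then install with -ivh; refuse (and say why) otherwise.
safe_install() {
    pkg=$1
    line=$(rpm -K "$pkg" 2>&1) || true
    if checksig_ok "$line"; then
        rpm -ivh "$pkg"
    else
        echo "refusing to install $pkg: $line" >&2
        return 1
    fi
}

# Constructed sample result lines (placeholder key id, no real package).
for sample in \
    "xmms-1.2.10-1.i386.rpm: digests signatures OK" \
    "xmms-1.2.10-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK" \
    "xmms-1.2.10-1.i386.rpm: sha1 md5 OK" \
    "xmms-1.2.10-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#<keyid>)"
do
    if checksig_ok "$sample"; then echo "OK   $sample"; else echo "SKIP $sample"; fi
done
```

The signing key must have been imported first (`rpm --import`), otherwise every signed package shows up as a missing-key refusal.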


User Administration
Only root (i.e. the system administrator) can use the adduser command
to create new users. It is not allowed to other users.
adduser is a symlink of useradd, which is a binary in /usr/sbin.
We (root) can customise adduser by using another word (champu) & make
it a symlink of useradd.
Let's see:
[root@localhost root]$ cd /usr/sbin
[root@localhost sbin]$ ln -s useradd uad
Now uad is a symlink of useradd.

There are 3 types of users:

                   Users
                     |
       ______________|______________
      |              |              |
  Super user    System user    Normal user

<1> Superuser: It is created at the time of Linux installation.
He has the right to make other users & his `userid' & `groupid' is
zero in the `/etc/passwd' file.
<2> System user: These users are created by the system. They can't
login because their shell `/sbin/nologin' is the default in the
seventh field of the `/etc/passwd' file.
<3> Normal user: These users are created by the superuser.
Let's see how the superuser makes a normal user:
[root@localhost root]$ adduser john
[root@localhost root]$ passwd john
Changing password for user john.
New password: (user password)
BAD PASSWORD: it is too short (if the password is less than six
characters; but it doesn't affect anything, so no need to worry)
Retype new password: (user password)
passwd: all authentication tokens updated successfully.

[root@localhost root]$ userdel john
---> the `userdel' command deletes only the name of the user; its
data remains in the /home directory. It's /usr/sbin/userdel.
[root@localhost root]$ userdel -r john
----> userdel -r deletes the name of the user as well as the data.
[root@localhost root]$ usermod -G groupname username
i.e.
[root@localhost root]$ usermod -G john eric
----> the `usermod -G' command makes the user eric a member
of the group john. /usr/sbin/usermod.
su ----> with the help of this command root can work as a
substitute user.
su -r ----> with the help of this command root comes out from the
substitute user.
The adduser command refers to 2 files & updates 4 files.
Config. files
Refers
|---- /etc/login.defs
|
|---- /etc/default/useradd
Updates
|---- /etc/passwd
|
|---- /etc/group
|
|---- /etc/shadow
|
|---- /etc/gshadow

/etc/login.defs
<1> /etc/login.defs: It keeps the information of the directory where
mailboxes reside or the name of the file relative to the home
directory, password duration & how many users can login.
The "passwd file" & "group file" get the information of userid &
groupid from this file.
The "shadow file" & "gshadow file" get the information of user login
& password duration of the user from this file.
Min/max values for automatic uid selection in useradd:
UID_MIN 500
UID_MAX 60000
The id of a user starts from 500 & the max is 60000, which is the
default according to REDHAT, but we can customise it.
If there are two departments, ACCOUNTANT & MARKETING, in one office
then I can start the userids for ACCOUNTANT from 1000 & for MARKETING
from 2000, which is reliable.
Similar way for groupid:
GID_MIN 500
GID_MAX 60000
PASSWORD AGING CONTROLS:
1. PASS_MAX_DAYS 99999: The maximum number of days a password
can be used, i.e. max 99999 days.
2. PASS_MIN_DAYS 0: The minimum number of days allowed between
password changes.
3. PASS_MIN_LEN 5: The minimum length of the password, i.e. 5
characters.
4. PASS_WARN_AGE 7: Specifies the number of days warning given
to the user before the password expires, i.e. 7 days.
The above PASSWORD AGING information is the default according to
REDHAT, which we can customise.
/etc/default/useradd
<2> /etc/default/useradd: It has the information of the no. of
groups, the directory of users & which shell the user is using, in
the following way.
1. GROUP=100 ----> It's the default no. of groups according to
Redhat, which can be customised.
2. HOME=/home ----> It's the default dir of users as Redhat says, to
which we can give any name, i.e. we can make `ghar' instead of
`home' by making the directory under /.
3. INACTIVE ----> It's the number of days after the password of the
user expires.
4. EXPIRE ----> It's the number of days until the account of the user
will expire.
5. SHELL=/bin/bash --> It's the path of the user shell.
SKEL=/etc/skel ---> When a user is created there is zero dir or
file, but when we give the command `l.' it shows some hidden files
which come from /etc/skel.
/etc/passwd
<3> /etc/passwd: * It keeps the record of a new user when created by
the superuser. Each line is the entry of a new user. It is a
text file & has details of all system users.
* It has 7 fields for each user in each line, so
it is called the `system passwd database', & each field
is separated by : (colon), also called the "Internal field
separator".
champu:x:500:500::/home/champu:/bin/bash
\____/ | \_/ \_/ | \__________/ \_______/
   1   2  3   4  5      6           7
1. field (champu): It is the username.
2. field (x): It contains the user password, which is somewhere else
if it exists.
If we put * in place of x then the user can't login.
If we keep the second field blank then the user can login without a
password.
i.e. (x) --- password somewhere else.
     (*) --- user can't login.
     ( ) --- user can login without passwd.
3. field (500): It contains the userid, which is unique. Further
userids are just one greater than the last user.
4. field (500): It contains the groupid, which is always the same as
the userid. It's the group of the user.
5. field (): It is the comment field or GECOS (General Electric
Comprehensive Operating System); the user can keep his information
in this field by using the command `chfn', such as:
$ chfn
Name []:
Office []:
Office Phone []:
Home Phone []:
6. field (/home/champu): It's the home of champu. /home is the
directory where all users are stored.
7. field (/bin/bash): It contains the full path of the shell used by
the user. Through the shell we can convert a shell script into binary
format & whatever we get from the kernel is converted into text format.
/etc/group
<4> /etc/group : This file keeps the information about groups. It has four fields for each group on each line, so it is called the `system group database'.
Members of a group share whatever access the group's permissions grant on the system.
A line in this file looks like this:
accounts:x:500:
   |     |  |  |
   1     2  3  4
1. field (accounts) : the name of the group, which is the same as the username of its first member.
2. field (x) : the group password, stored somewhere else (the gshadow file) if it exists; it is the same as the password of the group's first member.
3. field (500) : the group id, which is the same as the id of the group's first member.
4. field : the list of members of the group. By default on Red Hat it is blank, but it can be filled in by putting in the names of the group's members.
A user is made a member of a group with the `usermod -G' command, which can be run only by root:
$ usermod -G groupname username
Note that -G replaces the user's existing list of supplementary groups; on recent shadow-utils, `usermod -aG' appends instead.
When the system administrator creates users for the first time he can send a message like `Thank you for using Red Hat Linux' through this, and the user gets this mail whenever he logs in.
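The checks below are an added example, not part of the original notes: they read a passwd file according to the seven-field layout described above and report the entries a security audit cares about (blank password fields, locked accounts, duplicate UIDs, extra UID 0 accounts, corrupt lines). The sample entries are constructed; pass a real path to any of the check functions to audit a live system.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit a passwd file using
# the seven-field layout described above. The sample entries below are
# constructed for the demonstration; pass a real file path to audit a system.

SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
champu:x:500:500::/home/champu:/bin/bash
nopass::501:501::/home/nopass:/bin/bash
locked:*:502:502::/home/locked:/bin/bash
dupuid:x:500:503::/home/dupuid:/bin/bash
toor:x:0:0::/root:/bin/sh
badline:x:504::/home/badline
EOF
)

# Entries that do not have exactly 7 colon-separated fields (corrupt lines).
passwd_bad_fieldcount() {
    awk -F: 'NF != 7 { print $1 }' "$1"
}

# Empty second field: the user can log in without any password.
passwd_empty_password() {
    awk -F: 'NF == 7 && $2 == "" { print $1 }' "$1"
}

# Second field "*" (or "!"): no password can match, so login is disabled.
passwd_locked() {
    awk -F: 'NF == 7 && ($2 == "*" || $2 == "!") { print $1 }' "$1"
}

# UIDs shared by more than one entry; the notes say a UID must be unique.
passwd_duplicate_uids() {
    awk -F: 'NF == 7 { n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' "$1" | sort -n
}

# Any entry other than root with UID 0 is a second superuser account.
passwd_extra_uid0() {
    awk -F: 'NF == 7 && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Run one of the checks above against the constructed sample.
audit_sample() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$f"
    "$1" "$f"
    rm -f "$f"
}

for check in passwd_bad_fieldcount passwd_empty_password passwd_locked \
             passwd_duplicate_uids passwd_extra_uid0; do
    echo "== $check"
    audit_sample "$check"
done
```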

useradd command line options
Option          Description
-c comment      Comment for the user
-d home-dir     Home directory to be used instead of the default /home/username/
-e date         Date for the account to be disabled, in the format YYYY-MM-DD
-f days         Number of days after the password expires until the account is disabled. (If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not disabled after the password expires.)
-g group-name   Group name or group number for the user's default group (The group must exist prior to being specified here.)
-G group-list   List of additional (other than default) group names or group numbers, separated by commas, of which the user is a member. (The groups must exist prior to being specified here.)
-m              Create the home directory if it does not exist
-M              Do not create the home directory
-n              Do not create a user private group for the user
-r              Create a system account with a UID less than 500 and without a home directory
-p password     The password encrypted with crypt
-s shell        User's login shell, which defaults to /bin/bash
-u uid          User ID for the user, which must be unique and greater than 499

groupadd <group-name>

Command line options
Option   Description
-g gid   Group ID for the group, which must be unique and greater than 499
-r       Create a system group with a GID less than 500
-f       Exit with an error if the group already exists (The group is not altered.) If -g and -f are specified, but the group already exists, the -g option is ignored
Password aging
$ chage -l root
$ chage -d 0 username
Change shell
$ chsh <username>
Finger information
$ chfn <username>
$ finger
PAM
The PAM library parses the config file and loads the modules listed in it.

What operating systems support PAM?
PAM was first developed by Sun Microsystems in 1995 and is supported by the following operating system versions (and higher):
Red Hat 5.0
SUSE 6.2
Debian 2.2
Mandrake 5.2
Caldera 1.3
TurboLinux 3.6

PAM is the Pluggable Authentication Module, invented by Sun. It's a beautiful concept, but it can be confusing and even intimidating at first. We're going to look at it on a Red Hat system, but other Linuxes will be similar: some details may vary, but the basic ideas will be the same.
The first thing to understand is that PAM is NOT something like tcpd (tcp wrappers) or xinetd that encloses and restricts access to some service. An application needs to be "PAM aware"; it needs to have been written and compiled specifically to use PAM. There are tremendous advantages in doing so, and most applications with any interest in security will be PAM aware.
PAM is about security: checking to see whether a service should be used or not. Most of us first learned about PAM when we were told that login was using it, but PAM can do much more than just validate passwords. A lot of applications now use PAM; even things like SAMBA can call on PAM for authentication.
The big advantage here is that security is no longer the application's concern: if PAM says it's OK, it's OK. That makes things easier for the application, and it makes things easier for the system administrator. PAM consults text configuration files to see what security actions to take for an application, and the administrator can add and subtract new rules at any time. PAM is also extensible: should someone invent a device that can read your brain waves and determine ill intent, all we need is a PAM module that can use that device. Change a few files, and login now reads your mind and grants or denies access appropriately. We're a bit away from that feature, but there are a tremendous number of available PAM modules that administrators can use.
Configuration Files
On modern Red Hat systems, the configuration files are found in /etc/pam.d, one file for each PAM aware application (plus a special "other" file we'll get to later). One word of warning: changes to these files take effect instantly. You aren't going to get logged out if you make a mistake here, but if you DO screw up and blithely log out, you may not be able to log back in. So test changes before you exit.
We're going to use a very simple example to get started here. In a number of articles here, we've talked about SSH security. Most of those articles have been about changes to ssh's configuration files, but here we'll use PAM to add some additional restriction: the time of day you are allowed to use ssh. To do this, we need a PAM module called pam_time.so; it's probably in your /lib/security/ directory already. It uses a configuration file "/etc/security/time.conf". That file is pretty well commented, so I'm not going to go into detail about it and will just say that I added the line
sshd;*;*;!Al2200-0400

which says that sshd cannot be used between 10:00 PM and 4:00 AM. I'm usually rather soundly asleep between those times, so why let ssh be used? I could still log in at the console if I woke up with an urgent need to see an ls of my /tmp directory, but I couldn't ssh in, period. Configuring the time.conf file by itself doesn't affect ssh; we need to add the pam module to /etc/pam.d/sshd. My file ends up looking like this:
#%PAM-1.0
account    required   pam_time.so
auth       required   pam_stack.so service=system-auth
auth       required   pam_nologin.so
account    required   pam_stack.so service=system-auth
password   required   pam_stack.so service=system-auth
session    required   pam_stack.so service=system-auth
session    required   pam_limits.so
session    optional   pam_console.so

I put the time.so module first so that it is the very first thing that is checked. If that module doesn't give sshd a green light, that's the end of it: no access. That's the meaning of "required": the module HAS to say that it is happy. The "account" type is specified here. That's a bit of a confusing thing: we have "account", "auth", "password" and "session". The man page isn't all that helpful:
account - provide account verification types of service: has the user's password expired?; is this user permitted access to the requested service?
authentication - establish the user is who they claim to be. Typically this is via some challenge-response request that the user must satisfy: if you are who you claim to be please enter your password. Not all authentications are of this type, there exist hardware based authentication schemes (such as the use of smart cards and biometric devices), with suitable modules, these may be substituted seamlessly for more standard approaches to authentication; such is the flexibility of Linux-PAM.
password - this group's responsibility is the task of updating authentication mechanisms. Typically, such services are strongly coupled to those of the auth group. Some authentication mechanisms lend themselves well to being updated with such a function. Standard UN*X password-based access is the obvious example: please enter a replacement password.
session - this group of tasks cover things that should be done prior to a service being given and after it is withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory. The session management group is important as it provides both an opening and closing hook for modules to affect the services available to a user.

I think that the distinction between account and session in that man page is a little confusing. I think it would be quite reasonable to think you should use "session" for this module. Now, sometimes you have a man page for the module that shows you what to use, but pam_time doesn't help us there. Technically, it's not up to the library: the application is the one that is checking with account or session, but keep this in mind: session happens AFTER authentication. I liked the older PAM manual better, which said:
auth modules provide the actual authentication, perhaps asking for and checking a password, and they set "credentials" such as group membership or kerberos "tickets."
account modules check to make sure that the authentication is allowed (the account has not expired, the user is allowed to log in at this time of day, and so on).
password modules are used to set passwords.
session modules are used once a user has been authenticated to allow them to use their account, perhaps mounting the user's home directory or making their mailbox available.

For me, that was more clear.
Stacking
In this case, I only wanted to apply this restriction to ssh. If I'm physically at the box, I want no time restrictions. If I DID want these same restrictions, I'd make the same change to /etc/pam.d/login. But what if there are a whole bunch of things I want to apply the same rules to? Red Hat has a special module "pam_stack". It functions much like an "include" statement in any programming language. We saw it in my /etc/pam.d/sshd file:
auth       required   pam_stack.so service=system-auth

That says to look in /etc/pam.d/system-auth for other modules to use. Both login and sshd have this line (as does just about every other file in /etc/pam.d/), so we can look in system-auth to see what gets called by them:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
auth        required      /lib/security/$ISA/pam_tally.so no_magic_root onerr=fail
account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_tally.so onerr=fail file=/var/log/faillog deny=1 no_magic_root even_deny_root_account
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

Therefore, if we really wanted our time restrictions to apply to just about everything, we could add it to system-auth. Note the warning about authconfig though, and also consider that you will be making sudden sweeping changes to a LOT of applications and services.
Other
What if a PAM aware app doesn't have a file in /etc/pam.d? In that case, it uses the "other" file, which looks like this by default:
#%PAM-1.0
auth       required   /lib/security/$ISA/pam_deny.so
account    required   /lib/security/$ISA/pam_deny.so
password   required   /lib/security/$ISA/pam_deny.so
session    required   /lib/security/$ISA/pam_deny.so

That "deny" module is a flat out no access, red light, stop you dead right here module that is always going to say no. That's excellent from a security point of view, but can be a bit harsh should you accidentally delete something like "login". Login would now use the "other" file, and you couldn't log in. That could be unpleasant.
There are many, many useful and clever PAM modules. While our brain wave interpreter doesn't exist yet, many other possibilities are available to you. There are modules to automatically blacklist hosts that have many failed logins, and much more. See http://www.kernel.org/pub/linux/libs/pam/modules.html.

Use of the pam_listfile.so module
This PAM module authenticates users based on the contents of a specified file. For example, if the username exists in the file /etc/sshd/sshd.allow, sshd will grant login access.
How do I configure the pam_listfile.so module to deny access?
You want to block a user if the username exists in the file /etc/sshd/sshd.deny.
Open /etc/pam.d/ssh (or /etc/pam.d/sshd for Red Hat and friends):
# vi /etc/pam.d/ssh
Append the following line:
auth required pam_listfile.so item=user sense=deny file=/etc/sshd/sshd.deny onerr=succeed
Save and close the file.
Now add all usernames to the /etc/sshd/sshd.deny file. A user is now denied login via sshd if they are listed in this file:
# vi /etc/sshd/sshd.deny
Append one username per line:
user1
user2
...
Restart the sshd service:
# /etc/init.d/sshd restart
Understanding the config directives:
auth required pam_listfile.so : Name of the module required while authenticating users.
item=user : Check the username.
sense=deny : Deny the user if present in the specified file.
file=/etc/sshd/sshd.deny : Name of the file which contains the list of users (one user per line).
onerr=succeed : If an error is encountered (for example the file cannot be read) PAM will return status PAM_SUCCESS, so a missing deny file denies nobody.
How do I configure the pam_listfile.so module to allow access?
You want to ALLOW a user to use ssh only if the username exists in the file /etc/sshd/sshd.allow.
Open /etc/pam.d/ssh (or /etc/pam.d/sshd for Red Hat and friends):
# vi /etc/pam.d/ssh
Append the following line:
auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail
Save and close the file.
Now add all usernames to the /etc/sshd/sshd.allow file. A user is now allowed to log in via sshd only if they are listed in this file.
# vi /etc/sshd/sshd.allow
Append one username per line:
tony
om
rocky
Restart the sshd service (optional):
# /etc/init.d/sshd restart
Now if paul tries to log in using ssh he will get an error:
Permission denied (publickey,keyboard-interactive).
The following log entry is recorded in my log file (/var/log/secure or /var/log/auth.log):
tail -f /var/log/auth.log
Output:
Jul 30 23:07:40 p5www2 sshd[12611]: PAM-listfile: Refused user paul for service ssh
Jul 30 23:07:42 p5www2 sshd[12606]: error: PAM: Authentication failure for paul from 125.12.xx.xx
Understanding the config directives:
auth required pam_listfile.so : Name of the module required while authenticating users.
item=user : Check or specify the username.
sense=allow : Allow the user if present in the specified file.
file=/etc/sshd/sshd.allow : Name of the file which contains the list of users (one user per line).
onerr=fail : If the file does not exist or the username formatting is not correct, login is not allowed.

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_MWG.html
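The script below is an added example, not part of the original article: it reads a PAM service file and reports the pam_listfile rules it finds, flags the ones with onerr=succeed (which, as explained above, return PAM_SUCCESS when the list file cannot be read and so fail open), and shows which module is consulted first for a given type, the point the article makes by putting pam_time.so at the top. The sample file is constructed to resemble the /etc/pam.d/sshd lines above.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the pam_listfile
# rules in a PAM service file. The sample file below is constructed to
# resemble the /etc/pam.d/sshd lines discussed above.

SAMPLE_PAM=$(cat <<'EOF'
#%PAM-1.0
account    required   pam_time.so
auth       required   pam_listfile.so item=user sense=deny file=/etc/sshd/sshd.deny onerr=succeed
auth       required   pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail
auth       required   /lib/security/$ISA/pam_stack.so service=system-auth
auth       required   pam_nologin.so
account    required   /lib/security/$ISA/pam_stack.so service=system-auth
EOF
)

# Print "file sense onerr" for every pam_listfile rule in the file.
# onerr defaults to fail when it is not given, which is the module's default.
pam_listfile_rules() {
    awk '$1 !~ /^#/ && $3 ~ /pam_listfile\.so$/ {
        file = ""; sense = ""; onerr = "fail"
        for (i = 4; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "file") file = kv[2]
            else if (kv[1] == "sense") sense = kv[2]
            else if (kv[1] == "onerr") onerr = kv[2]
        }
        print file, sense, onerr
    }' "$1"
}

# Rules with onerr=succeed fail open: if the list file is missing or
# unreadable the module returns PAM_SUCCESS, so a deny list denies nobody
# and an allow list admits everybody. Prints the affected list files.
pam_listfile_fail_open() {
    pam_listfile_rules "$1" | awk '$3 == "succeed" { print $1 }'
}

# First module consulted for a given type (account, auth, ...); the article
# places pam_time.so first so it is checked before anything else.
pam_first_module() {
    awk -v t="$2" '$1 == t { print $3; exit }' "$1"
}

# Run one of the functions above against the constructed sample file.
pam_sample() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_PAM" > "$f"
    fn=$1; shift
    "$fn" "$f" "$@"
    rm -f "$f"
}

echo "listfile rules:";        pam_sample pam_listfile_rules
echo "fail-open list files:";  pam_sample pam_listfile_fail_open
echo "first account module:";  pam_sample pam_first_module account
```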

LVM

Create Partitions
For this Linux lvm example you need an unpartitioned hard disk
/dev/sdb. First you need to create physical volumes. To do this you
need partitions or a whole disk. It is possible to run pvcreate
command on /dev/sdb, but I prefer to use partitions and from
partitions I later create physical volumes.

Use your preferred partitioning tool to create partitions. In this example I have used cfdisk.
Partitions are ready to use.


3. Create physical volumes
Use the pvcreate command to create physical volumes.
$ pvcreate /dev/sdb1
$ pvcreate /dev/sdb2
The pvdisplay command displays all physical volumes on your system.
$ pvdisplay
Alternatively the following command should be used:
$ pvdisplay /dev/sdb1

4. Create Volume Group

At this stage you need to create a volume group which will serve as a container for your physical volumes. To create a volume group with the name "mynew_vg" which will include the /dev/sdb1 partition, you can issue the following command:
$ vgcreate mynew_vg /dev/sdb1
To include both partitions at once you can use this command:
$ vgcreate mynew_vg /dev/sdb1 /dev/sdb2

Feel free to add new physical volumes to a volume group by using the vgextend command.
$ vgextend mynew_vg /dev/sdb2

5. Create Logical Volumes

From your big cake (volume group) you can cut pieces (logical volumes) which will be treated as partitions by your Linux system. To create a logical volume named "vol01" with a size of 400 MB from the volume group "mynew_vg", use the following command:
create a logical volume of size 400 MB: -L 400
create a logical volume of size 4 GB: -L 4G
$ lvcreate -L 400 -n vol01 mynew_vg

With the following example you will create a logical volume with a size of 1 GB and with the name vol02:
$ lvcreate -L 1000 -n vol02 mynew_vg

To remove a logical volume:
$ lvremove /dev/mynew_vg/vol02

More workaround
1. After creating all the partitions, change the ID of the LVM partition from ID 83 to ID 8e, which is assigned to LVM.
2. Don't format the LVM partition.
3. Just as a partition in Linux is accessed through /dev/hda, in LVM one cannot access the partition directly; you have to go through
4. PV - Physical Volume
5. Since /dev/hda5 is our /home LVM partition we have to create a physical volume on /dev/hda5
6. $ pvdisplay
7. $ pvcreate /dev/hda5
8. $ vgscan
9. $ vgcreate myvol /dev/hda5
   $ vgdisplay
10. $ lvcreate -L <lvsize> -n lv1 myvol
11. $ lvdisplay
12. $ mke2fs -j /dev/myvol/lv1
13. $ mount /dev/myvol/lv1 /home
14. $ df -h
More workaround

Add another HDD connected to the motherboard as primary slave; that disk should therefore be visible to Linux as /dev/hdb.
$ fdisk /dev/hdb
Create a single primary partition the size of the entire disk and change the ID of that partition to 8e.
Create a PV on the new drive:
$ pvcreate /dev/hdb1
Add this new PV into the existing VG (myvol):
$ vgextend myvol /dev/hdb1
Extend your existing logical volume:
$ lvextend -L +2000M /dev/myvol/lv1
$ resize2fs /dev/myvol/lv1

The above commands extend the logical volume by 2 GB, which means our /home grows by 2 GB, as it is mounted from it by this /etc/fstab line:
/dev/myvol/lv1 /home ext3 defaults 1 2

$ mount -a
$ df -h

(a) Increase your LVM size up to 6 GB

Note: the existing size is 2 GB, therefore to increase the LV up to 6 GB:
$ lvextend -L +4000M /dev/myvol/lv1
$ resize2fs /dev/myvol/lv1

(b) Reduce your LVM size to 1 GB

Note: the LV is now 6 GB and has to be reduced to 1 GB, therefore:
$ umount /home
$ e2fsck -fy /dev/myvol/lv1
$ resize2fs /dev/myvol/lv1 1000M
$ lvreduce -L 1000M /dev/myvol/lv1
$ mount -a
$ df -h
Keep this order when shrinking: the filesystem is shrunk first (resize2fs), the logical volume only afterwards (lvreduce). Reducing the LV before the filesystem cuts off data that still lives beyond the new size, and resize2fs refuses to shrink a filesystem that has not just been checked with e2fsck -f.

The Linux Schedulers: cron
cron - chronology, sequence; chronological order, date-wise.
Cron jobs are used to schedule commands to be executed periodically, i.e. to set up commands which will repeatedly run at a set time, you can use the cron jobs.
crontab is the command used to install, deinstall or list the tables used to drive the cron daemon in Vixie Cron. Each user can have their own crontab, and though these are files in /var/spool/cron/crontabs, they are not intended to be edited directly. You need to use the crontab command for editing or setting up your own cron jobs.
To edit your crontab file, type the following command:
$ crontab -e

Syntax of crontab
Your cron job looks as follows:
1 2 3 4 5 /path/to/command arg1 arg2
Where,
1: Minute (0-59)
2: Hours (0-23)
3: Day (0-31)
4: Month (0-12 [12 == December])
5: Day of the week (0-7 [7 or 0 == Sunday])
/path/to/command - Script or command name to schedule

The same five-field structure can be easily remembered with the following diagram:
* * * * * command to be executed
- - - - -
| | | | |
| | | | +----- Day of week (0-7) (Sunday = 0 or 7)
| | | +------- Month (1-12)
| | +--------- Day of month (1-31)
| +----------- Hour (0-23)
+------------- Minute (0-59)

Example(s)
If you wished to have a script named /root/backup.sh run every day at 3am, my crontab entry would look as follows:

crond* -> Binary or app server daemon
/etc/rc.d/init.d/crond -> Init script to start the crond server
/etc/crontab -> System crontab file
mins hrs DOM MOY DOW
0-59 0-23 1-31 1-12 0-7 (0=Sun, 1=Mon, 2=Tue, 3=Wed, 4=Thu, 5=Fri, 6=Sat and 7=Sun)
Each of the time related fields may contain:
A '*', which matches everything, or matches any value
A single integer, which matches exactly
Two integers separated by a dash, matching a range of values, i.e. 8-10 in the hr field would match 8am, 9am and 10am; 8-10,13 would match 8am, 9am, 10am and 1pm
A comma separated series of ints or ranges, matching any listed value
*/2 in the hr field refers to midnight, 2am, 4am and so forth, i.e. the cmd is executed every 2 hrs
0-10/2 in the hr field refers to midnight, 2am, 4am, 6am, 8am and 10am

Note:
A crontab entry is considered to match the current time when the min and hr fields match the current time and the mth field matches the current month
An entry is considered to match the current date when the day of month field [3rd] matches the current day of the mth OR the day of week [5th] field matches the current day of the week:
IT IS NOT NECESSARY THAT BOTH THE DAY OF THE MTH AND DAY OF THE WEEK MATCH!
If both the time and date match the current time and date the cmd is executed!
Never put a '*' in the first field unless you want the cmd to run every minute
You MAY hand edit this file but it is never necessary since run-parts does everything. Simply put a shell script in the appropriate /etc/cron.*/ dirs
Also the crond* daemon need not be restarted. It will do just that every minute anyway
Example: Users often forget to shut down their machines and go home. Hence, the machine should auto shutdown at 11pm.

/etc/crontab
Install your cron job: # crontab -e
0 23 * * * root /sbin/shutdown -h now
b) Append the following entry:
0 3 * * * /root/backup.sh

Run five minutes after midnight, every day:
5 0 * * * /path/to/command

Run at 2:15pm on the first of every month:
15 14 1 * * /path/to/command

Run at 10pm on weekdays:
0 22 * * 1-5 /path/to/command

Run 23 minutes after midnight, 2am, 4am ..., every day:
23 0-23/2 * * * /path/to/command

Run at 5 after 4 every sunday:
5 4 * * sun /path/to/command

If you run many sites, you can use this tip to make managing your cron jobs easier. To minimize the clutter, create a /etc/cron.5min directory and have crontab read this directory every five minutes.
*/5 * * * * root run-parts /etc/cron.5min
45 * * * * /usr/bin/lynx -source http://example.com/cron.php
45 * * * * /usr/bin/wget -O - -q -t 1 http://www.example.com/cron.php
45 * * * * curl --silent --compressed http://example.com/cron.php

00 11,16 * * * /home/sadhiq/bin/incremental-backup
00 - 0th minute (top of the hour)
11,16 - 11 AM and 4 PM
* - every day
* - every month
* - every day of the week

00 09-18 * * * /home/ramesh/bin/check-db-status
00 - 0th minute (top of the hour)
09-18 - 9am, 10am, 11am, 12am, 1pm, 2pm, 3pm, 4pm, 5pm, 6pm
* - every day
* - every month
* - every day of the week

*/10 * * * * /home/sadhiq/check-disk-space

Cron jobs are saved into /var/spool/cron/$username

$ crontab -l -> To list your crontab jobs
$ crontab -r -> To remove or erase all crontab jobs

Use special strings to save time
Instead of the first five fields, you can use any one of eight special strings. It will not just save your time but it will improve readability.
Special string   Meaning
@reboot          Run once, at startup.
@yearly          Run once a year, "0 0 1 1 *".
@annually        (same as @yearly)
@monthly         Run once a month, "0 0 1 * *".
@weekly          Run once a week, "0 0 * * 0".
@daily           Run once a day, "0 0 * * *".
@midnight        (same as @daily)
@hourly          Run once an hour, "0 * * * *".

Run ntpdate every hour:
@hourly /path/to/ntpdate
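The script below is an added example, not part of the original notes: it expands the special strings from the table above to their five-field form and validates a crontab time spec against the field ranges, accepting *, single values, a-b ranges, comma lists, /step suffixes and three-letter month or weekday names, and it flags a bare * in the minute field, the mistake the note above warns about.

```shell
#!/bin/sh
# Added example, not part of the original notes: expand the crontab special
# strings from the table above and validate a five-field time spec against
# the field ranges. Accepts *, a single value, a-b ranges, comma lists, /step
# suffixes and three-letter month or weekday names.

# Expand a special string to its five-field equivalent; other input is echoed.
cron_expand_special() {
    case "$1" in
        @yearly|@annually) echo "0 0 1 1 *" ;;
        @monthly)          echo "0 0 1 * *" ;;
        @weekly)           echo "0 0 * * 0" ;;
        @daily|@midnight)  echo "0 0 * * *" ;;
        @hourly)           echo "0 * * * *" ;;
        *)                 echo "$1" ;;
    esac
}

# Print "ok", "warning: runs every minute" (a bare * in the minute field, as
# the notes warn against) or a "bad ... field" message for the first problem.
cron_check() {
    spec=$(cron_expand_special "$1")
    [ "$spec" = "@reboot" ] && { echo ok; return 0; }
    echo "$spec" | awk '
    BEGIN {
        split("sun mon tue wed thu fri sat", d, " "); for (i in d) dow[d[i]] = i - 1
        split("jan feb mar apr may jun jul aug sep oct nov dec", m, " "); for (i in m) mon[m[i]] = i + 0
        split("", none)
    }
    # Map a name such as sun or jan to its number; numbers pass through.
    function val(p, names) { p = tolower(p); return (p in names) ? names[p] : p }
    function inrange(v, lo, hi) { return (v ~ /^[0-9]+$/ && v + 0 >= lo && v + 0 <= hi) }
    # One field: every comma-separated item must be *, n or a-b within lo..hi.
    function okfield(f, lo, hi, names,   n, parts, i, p, b) {
        n = split(f, parts, ",")
        for (i = 1; i <= n; i++) {
            p = parts[i]
            sub(/\/[0-9]+$/, "", p)              # strip a /step suffix
            if (p == "*") continue
            if (split(p, b, "-") == 2) {
                if (!inrange(val(b[1], names), lo, hi) || !inrange(val(b[2], names), lo, hi)) return 0
                if (val(b[1], names) + 0 > val(b[2], names) + 0) return 0
            } else if (!inrange(val(p, names), lo, hi)) return 0
        }
        return 1
    }
    {
        if (NF != 5)                     { print "expected 5 fields, got " NF; exit }
        if (!okfield($1, 0, 59, none))   { print "bad minute field: " $1; exit }
        if (!okfield($2, 0, 23, none))   { print "bad hour field: " $2; exit }
        if (!okfield($3, 1, 31, none))   { print "bad day-of-month field: " $3; exit }
        if (!okfield($4, 1, 12, mon))    { print "bad month field: " $4; exit }
        if (!okfield($5, 0, 7, dow))     { print "bad day-of-week field: " $5; exit }
        if ($1 == "*")                   { print "warning: runs every minute"; exit }
        print "ok"
    }'
}

for spec in "0 23 * * *" "5 4 * * sun" "23 0-23/2 * * *" "@daily" "* * * * *" "0 25 * * *"; do
    printf '%-18s -> %s\n' "$spec" "$(cron_check "$spec")"
done
```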

Typical /etc/crontab file entries:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly

Directory            Description
/etc/cron.d/         Put all scripts here and call them from the /etc/crontab file.
/etc/cron.daily/     Run all scripts once a day
/etc/cron.hourly/    Run all scripts once an hour
/etc/cron.monthly/   Run all scripts once a month
/etc/cron.weekly/    Run all scripts once a week
How do I use the above directories to put scripts?
Here is a sample shell script (clean.cache) to clean up cached files older than 10 days. This script is created directly in the /etc/cron.daily/ directory, i.e. create a file called /etc/cron.daily/clean.cache:
#!/bin/bash

CROOT="/tmp/cachelighttpd/"
DAYS=10
LUSER="lighttpd"
LGROUP="lighttpd"

# start cleaning; -print0/-0 keep file names with spaces or newlines intact
/usr/bin/find ${CROOT} -type f -mtime +${DAYS} -print0 | xargs -0 -r /bin/rm

# if the directory was deleted by some other script just get it back
if [ ! -d $CROOT ]
then
    /bin/mkdir -p $CROOT
    /bin/chown ${LUSER}:${LGROUP} ${CROOT}
fi

Cron Access Perms

/etc/cron.allow and /etc/cron.deny
If a user is only in /etc/cron.allow, then all others are denied
If a user is only in /etc/cron.deny then all others are allowed / not affected
If cron.deny is touched, then no user is allowed to create a crontab
If cron.allow is touched, then no user is allowed to create a crontab

AT
'at' executes a command once on a particular day, at a particular time. at will add a particular command to be executed.
Examples:
$ at 21:30
You then type the commands you want executed, then press the end of file character (normally CTRL-D). Also try:
$ at now + time
This will run at the current time + the hours/mins/seconds you specify (use at now + 1 hour to have command(s) run in 1 hour from now...)
You can also use the -f option to have at execute a particular file (a shell script).
$ at -f shell_script now + 1 hour
This would run the shell script 1 hour from now.
atq will list jobs currently in queue for the user who executed it; if root executes atq it will list all jobs in queue for the at daemon. Doesn't need or take any options.
atrm will remove a job from the 'at' queue.

Command syntax:
$ atrm job_no
Will delete the job "job_no" (use atq to find out the number of the job)
$ at -f myjobs.txt now + 1 hour
$ at -f myjob now + 1 min
$ at 10am tomorrow
$ at 11:00 next month
$ at 22:00 today
$ at now + 1 week
$ at noon

Anacron
anacron is another tool designed for systems which are not always on, such as home computers.
While cron will not run if the computer is off, anacron will simply run the command when the computer is next on (it catches up with things).
Quota
Important Note:
1. Quotas can only be created for partitions.
2. Quota is of two types, user and group.
3. If a 1 MB quota is set for the partition /home, then every directory under /home, i.e. every user on the system (since each directory in /home represents a user), can use a max of 1 MB.

Enabling Quotas
1. Go to /etc/fstab and in the options field, enter "usrquota" preceded by a "," for the partition where you want to enable quota, in our case /home.
Note: If you want to enable group quota then enter "grpquota" instead of "usrquota"
Reboot and jump directly to step 5! Otherwise...
2. Unmount and mount /home for the changes to take effect
$ umount /home
$ mount /home
or
$ mount -o remount /home
Note: If the system is rebooted after step 2, skip steps 3 & 4 and jump to step 5.
3. To scan /home and enable quota
$ quotacheck -vcu /home
4. To turn on quota on /home
$ quotaon -v /home
5. To check if quota is on or not
$ repquota -a

Implementing Quotas
6. To edit the quota for a user
$ edquota -u <username>
Note: -u stands for user; for a group type -g and give the group name
7. To edit the grace period
$ edquota -t
8. To copy the quota settings of one user to another user
$ edquota -p <source_user> <user>
OR, for all users:
$ edquota -p <source_user> `awk -F: '$3>499 {print $1}' /etc/passwd`
Repairing a quota.user file
9. Boot in single user mode
10. Turn off quotas
$ quotaoff -v /home
Enable Quota on Filesystem -> /home
Cond: if there is no /home partition, apply quota on the / filesystem
Practical
$ vi /etc/fstab
/dev/hda7 /home ext3 defaults,usrquota 0 0
Remount the /home filesystem with the usrquota parameter
$ mount -o remount /home
Confirm whether usrquota is applied
$ mount
It should look like this:
/dev/hda7 on /home type ext3 (rw,usrquota)
Create the quota database file, i.e. aquota.user, on /home
$ quotacheck -cuv /home -> This creates aquota.user under /home
Enable the quota on /home
$ quotaon /home

Set a user level quota on user neo restricting the size to below 70k
$ edquota -u neo
This opens up a temp file under /tmp in the vi editor:
Disk quotas for user neo (uid 529):
                   <file size quota>     <No. of files quota>
Filesystem  blocks  soft  hard   inodes  soft  hard
/dev/hda7   11      50    69     1       10    0

The quota implemented for the user gets updated in /home/aquota.user
Confirm whether the quota really works or not
Login as neo
$ su - neo
$ dd if=/dev/zero of=/home/neo/data.tmp bs=1k count=70
This should show the error below:

warning, user block quota exceeded.
dd: writing data.tmp: Disk quota exceeded

If user neo wants to view his own quota
$ quota

As the root user you would be interested in viewing the quota statistics on a per-user basis.
# repquota -a

How to enable grpquota, i.e. group quota
$ vi /etc/fstab
/dev/hda7 /home ext3 defaults,usrquota,grpquota 0 0
Remount the /home filesystem with the usrquota and grpquota parameters
$ mount -o remount /home
Confirm whether usrquota is applied
$ mount
It should look like this:
/dev/hda7 on /home type ext3 (rw,usrquota,grpquota)

Create the quota database files, i.e. aquota.group and aquota.user, on /home
$ quotacheck -cugv /home
-> This creates aquota.group and aquota.user under /home
How to set grpquota
$ edquota -g ADMINS

How to disable quota
# quotaoff /home

How to apply the quota settings meant for user neo onto another user (jane)
# edquota -p neo jane
Commands
quota - display disk usage and limits
rquota - implement quotas on remote machines
fstab - static information about the filesystems
edquota - edit user quotas
setquota - set disk quotas (command line editor)
quotacheck - scan a filesystem for disk usage, create, check and repair quota files
quotaon - turn filesystem quotas on
quotaoff - turn filesystem quotas off
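The script below is an added example, not part of the original notes: it does the "confirm whether usrquota is applied" step from the practical above by script, comparing the quota options declared in /etc/fstab with the options mount reports and listing the mount points where the remount has not happened yet. The fstab lines and mount output are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original notes: compare the quota options
# declared in /etc/fstab with the options mount reports, which is the
# "confirm whether usrquota is applied" step above done by script. The
# fstab lines and mount output below are constructed for the demonstration.

SAMPLE_FSTAB='# device   mountpoint  fstype  options                    dump pass
/dev/hda7  /home       ext3    defaults,usrquota,grpquota 0 0
/dev/hda5  /           ext3    defaults                   1 1
/dev/hda9  /var        ext3    defaults,usrquota          0 0
proc       /proc       proc    defaults                   0 0'

# As printed by mount(8) after remounting /home but before remounting /var.
SAMPLE_MOUNT='/dev/hda5 on / type ext3 (rw)
/dev/hda7 on /home type ext3 (rw,usrquota,grpquota)
/dev/hda9 on /var type ext3 (rw)'

# Turn an option list into "usr:grp" style flags; "-" marks a missing option.
quota_flags() {
    u=$(printf '%s' "$1" | grep -Eq '(^|,)usrquota(,|$)' && echo usr || echo -)
    g=$(printf '%s' "$1" | grep -Eq '(^|,)grpquota(,|$)' && echo grp || echo -)
    echo "$u:$g"
}

# Print "<mountpoint> <flags>" for every fstab line that declares a quota option.
fstab_quota_mounts() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac
        flags=$(quota_flags "$opts")
        [ "$flags" = "-:-" ] || echo "$mnt $flags"
    done
}

# Same shape from mount output: "<dev> on <mnt> type <fs> (<opts>)".
mount_quota_mounts() {
    printf '%s\n' "$1" | while read -r dev _on mnt _type fstype opts; do
        opts=${opts#\(}; opts=${opts%\)}
        flags=$(quota_flags "$opts")
        [ "$flags" = "-:-" ] || echo "$mnt $flags"
    done
}

# Mount points whose declared quota options are not active yet: the remount
# (or reboot) step has not been done, so quotacheck/quotaon would fail there.
quota_not_applied() {
    fstab_quota_mounts "$1" | while read -r mnt want; do
        have=$(mount_quota_mounts "$2" | awk -v m="$mnt" '$1 == m { print $2 }')
        [ "$have" = "$want" ] || echo "$mnt declared $want active ${have:--:-}"
    done
}

echo "declared in fstab:"; fstab_quota_mounts "$SAMPLE_FSTAB"
echo "active per mount:";  mount_quota_mounts "$SAMPLE_MOUNT"
echo "not applied:";       quota_not_applied "$SAMPLE_FSTAB" "$SAMPLE_MOUNT"
```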

Kernel Compilation
If you want to update the kernel from new source code you have downloaded, or you have applied a patch to add new functionality or hardware support, you will need to compile and install a new kernel to actually use that new functionality. Compiling the kernel involves translating the kernel's contents from human readable code to binary form. Installing the kernel involves putting all the compiled files where they belong in /boot and /lib and making changes to the boot loader.
The process of compiling the kernel is almost completely automated by the make utility, as is the process of installing. By providing the necessary arguments and following the steps covered next, you can recompile and install a custom kernel for your use.
Basically, there are three types of kernel:
Monolithic Kernel, Micro Kernel, Exo Kernel
Monolithic: As the name itself suggests, the kernel has every service like FS management, MM, process management, etc. in the kernel space. It does not run as a separate process. So, as you guess, there is no context switching when you ask for a service. But the probability of a monolithic kernel getting stuck is higher, because if there is a bug in the kernel itself, nothing can rescue it. Linux and Windows are good examples of monolithic kernels. Linux, being a monolithic kernel, lets you insert modules into the kernel dynamically using the insmod command.
Micro Kernel: A microkernel runs all the services as daemons in user space. So, if a problem occurs in any of the services, the kernel will be able to decide what to do next. But you pay for the time it takes to switch to a service in this type of kernel. Microkernels are somewhat more difficult to design and build than the monolithic kernel. There are always discussions over the internet about the advantages and disadvantages of monolithic and micro kernels.
Exo Kernel: The exokernel is not yet stabilized. It's under design and research. The user mode processes running in this type of kernel have the ability to access kernel resources like process tables, etc. directly.

[Figure: structure of monolithic and microkernel based operating systems, respectively]
Compilation
Steps to compile the kernel on Red Hat 9
Install the dependencies:
kernel-source-2.4.20-8.i386.rpm
binutils-2.13.90.0.18-9.i386.rpm
glibc-kernheaders-2.4-8.10.i386.rpm
cpp-3.2.2-5.i386.rpm
gcc-3.2.2-5.i386.rpm
glibc-2.3.2-11.9.i386.rpm
libgcc-3.2.2-5.i386.rpm
glibc-common-2.3.2-11.9.i386.rpm
ncurses-5.3-4.i386.rpm
glibc-devel-2.3.2-11.9.i386.rpm
ncurses-devel-5.3-4.i386.rpm
Once all these dependencies are installed:
1) Go to /usr/src/linux-2.4/
2) Edit the Makefile [top level]: set the parameter EXTRAVERSION=-8champu
3) make mrproper [deletes the .config]
4) cp /usr/src/linux-2.4/configs/kernel-2.4.18-i686.config /usr/src/linux-2.4/.config [pick the config for your architecture, see uname -m]
or simply
cp configs/kernel-2.4.18-i686.config .config
5) make oldconfig - to update the .config with the running kernel's parameters

6) make config / make menuconfig (for text) / make xconfig - make the necessary changes: enable ntfs, disable sound & bluetooth

7) make dep - checks dependencies & constructs the Makefile.

8) make clean - cleans unwanted files left behind by the above commands.

9) make bzImage - the actual kernel compilation process

10) make modules - the actual KLM compilation process

11) make modules_install # check in /lib/modules/2.4.20-8champu/
118

b.sadhiq
www.altnix.com

12)cp/usr/src/linux2.4.208/arch/i386/boot/bzImage
/boot/vmlinuz2.4.208champu

13)cp/usr/src/linux2.4.1814/System.map
/boot/System.map2.4.208champu

14)cp/usr/src/linux2.4.208/.config/boot/config2.4.208champu
[OPTIONAL]

15)mkintrd/boot/initrd2.4.208champu.img2.4.208champu

16)vi/etc/grub.conf#Addthenewcustomizedkernelentries
titleREDHAT9champu(customized)
root(hd0,8)
kernel/vmlinuz2.4.208champuroroot=/dev/hda11rhgb
quiet
initrd/initrd2.4.208champu.img
notehd0,8forbootpartition(/dev/hda91=hda8)(/de/hda11
is/)

17)reboot

CentOS 5: steps to compile kernel 2.6:
1> Copy the kernel tarball file into the /usr/src/kernels/ location & untar it there
2> tar jxvf /usr/src/kernels/linux-2.6.18.2.tar.bz2
3> cd /usr/src/kernels/linux-2.6.18.2
4> make gconfig (graphical)
   make menuconfig (text)
5> make clean
6> make bzImage
7> make modules
8> make modules_install
9> cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.18-2
10> cp /usr/src/kernels/linux-2.6.18.2/System.map /boot/System.map-2.6.18-2
11> ln -s /boot/System.map-2.6.18-2 /boot/System.map
12> Create the initrd:
$ first check whether /lib/modules/2.6.18.2 has been created, then execute the next command
mkinitrd /boot/initrd-2.6.18.2.img 2.6.18.2
Final steps
$ vi /etc/grub.conf
default=0
timeout=77
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Enterprise Linux AS (2.6.9-34.EL)
        root (hd0,0)
        kernel /vmlinuz-2.6.9-34.EL ro root=LABEL=/ rhgb quiet
        initrd /initrd-2.6.9-34.EL.img
title Red Hat Enterprise Linux AS (2.6.18.2)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-2 ro root=LABEL=/ rhgb quiet
        initrd /initrd-2.6.18.2.img
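Both procedures above hinge on one string: the release name that the kernel build stamps on its output (VERSION.PATCHLEVEL.SUBLEVEL plus the EXTRAVERSION you edit in step 2 of the Red Hat 9 list). The vmlinuz, System.map, initrd and /lib/modules names must all carry it, or the grub entry boots a kernel that cannot find its modules. The shell below is an added example, not part of the practicals: it reads that string from the top-level Makefile exactly as the build does, and checks that every artefact the copy steps create is present before grub.conf is touched. The Makefile text is a constructed sample; the paths are the ones used in the steps above.

```shell
# Added example, not part of the practicals: derive the kernel release string
# from the top-level Makefile and verify the install artefacts that the copy
# steps above must leave behind under that name.

# Constructed Makefile fragment in the 2.4/2.6 layout (the real file is larger).
SAMPLE_MAKEFILE='VERSION = 2
PATCHLEVEL = 4
SUBLEVEL = 20
EXTRAVERSION = -8champu
NAME = Constructed sample
'

# kernel_release <makefile-text>: VERSION.PATCHLEVEL.SUBLEVEL followed by
# EXTRAVERSION, which is what "uname -r" reports once the kernel boots.
kernel_release() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[ \t]*(VERSION|PATCHLEVEL|SUBLEVEL|EXTRAVERSION)[ \t]*=/ {
            key = $1; gsub(/[ \t]/, "", key)
            val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val)
            v[key] = val
        }
        END { printf "%s.%s.%s%s\n", v["VERSION"], v["PATCHLEVEL"], v["SUBLEVEL"], v["EXTRAVERSION"] }'
}

# install_targets <release>: the files the steps above create for one release
install_targets() {
    printf '%s\n' "/boot/vmlinuz-$1" "/boot/System.map-$1" "/boot/config-$1" \
                  "/boot/initrd-$1.img" "/lib/modules/$1"
}

# check_install <release> [root]: report each target missing under <root>
# (omit <root> on a real system); returns 1 when anything is missing, so run
# it before adding the grub.conf entry.
check_install() {
    rel=$1; root=${2:-}; rc=0
    for p in $(install_targets "$rel"); do
        if [ ! -e "$root$p" ]; then
            echo "missing: $root$p"; rc=1
        fi
    done
    return $rc
}
```

A mismatch between, say, /boot/vmlinuz-2.6.18-2 and /lib/modules/2.6.18.2 (as the CentOS steps above spell them) is exactly what check_install catches: the kernel boots, but modprobe looks for modules under the uname -r string and finds nothing.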
Kernel definition
http://www.linfo.org/kernel.html

Kernel compilation
http://www.cyberciti.biz/tips/compilinglinuxkernel26.html
http://book.opensourceproject.org.cn/distrib/ubuntu/unleashed/opensource/0672329093/ch35lev1sec7.html
http://wiki.centos.org/HowTos/Custom_Kernel
This is one of the essential and important tasks. Many times we upgrade our kernel and some precompiled drivers won't work with Linux, especially if you have unusual hardware; then the vendor may send you the driver code, i.e. C files, to compile. Or you can even write your own Linux kernel driver. Compiling a kernel driver is easy, and kernel 2.6.xx makes it even easier. The following steps are required to compile a driver as a module:
1) You need the running kernel's source code; if you don't have the source code, download it from kernel.org. Untar the kernel source tarball in /usr/src using the tar command:
$ tar -zxvf kernel* -C /usr/src
To be frank, the kernel headers are more than sufficient to compile kernel modules/drivers. See how to install kernel headers under Debian/Ubuntu Linux or RHEL/CentOS/Fedora Linux.
2) Next go to your kernel module source code directory and simply create the Makefile as follows (assuming your kernel module name is foo):
$ vi Makefile
3) Add the following text to it:
obj-m = foo.o
KVERSION = $(shell uname -r)
all:
	make -C /lib/modules/$(KVERSION)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(KVERSION)/build M=$(PWD) clean

4) Compile the module using the make command (the module build can be done by any user):
$ make
It will finally create the foo.ko module in the current directory. You can see all the actual compile commands stored in the .foo* files in the same directory.
5) Once the module has compiled successfully, load it using the insmod or modprobe command. You need to be root or a privileged user to run insmod:
# insmod foo.ko
Example: hello.c module
1) hello.c C source code. Copy the following code and save it to hello.c:
$ mkdir demo; cd demo
$ vi hello.c
2) Add the following C source code to it:
#include <linux/module.h>   /* Needed by all modules */
#include <linux/kernel.h>   /* Needed for KERN_INFO */
#include <linux/init.h>     /* Needed for the macros */

static int __init hello_start(void)
{
    printk(KERN_INFO "Loading hello module...\n");
    printk(KERN_INFO "Hello world\n");
    return 0;
}

static void __exit hello_end(void)
{
    printk(KERN_INFO "Goodbye Mr.\n");
}

module_init(hello_start);
module_exit(hello_end);
This is an example modified from the original source for demonstration purposes.
3) Save the file. Create a new Makefile as follows:
$ vi Makefile
Append the following make commands:
obj-m = hello.o
KVERSION = $(shell uname -r)
all:
	make -C /lib/modules/$(KVERSION)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(KVERSION)/build M=$(PWD) clean

4) Save and close the file.
5) Compile the hello.c module:
$ make
6) Become the root user (use su or sudo) and load the module:
$ su -
# insmod hello.ko
Note: you can see the message on screen if you are logged in as root under runlevel 3.
7) Verify that the module loaded:
# lsmod | less
8) See the message in the /var/log/messages file:
# tail -f /var/log/messages
9) Unload the module:
# rmmod hello
10) Load the module when the Linux system comes up. The file /etc/modules is used to load kernel modules at boot time. This file should contain the names of the kernel modules that are to be loaded at boot time, one per line. First copy your module to /lib/modules/$(uname -r)/kernel/drivers. The following are the suggested steps:
(a) Create a directory for the hello module:
# mkdir -p /lib/modules/$(uname -r)/kernel/drivers/hello
(b) Copy the module:
# cp hello.ko /lib/modules/$(uname -r)/kernel/drivers/hello/
(c) Edit the /etc/modules file under Debian Linux:
# vi /etc/modules
(d) Add the following line to it:
hello
(e) Reboot to see the changes. Use the lsmod or dmesg command to verify whether the module loaded or not:
# cat /proc/modules
OR
# lsmod | less
Patching the kernel source
Most people have a fairly recent kernel. But since the kernel is constantly being updated, people on modems (such as myself) don't like downloading the whole source every time a new version of the kernel comes out... It is a pain to download 14+ megs of stuff when 95% of it is the same stuff that you already have in your kernel source directory.
For this reason, kernel patches are released. Kernel patches contain only the files that have changed since the last kernel, hence making it less of a pain to upgrade.
It is a good idea to back up your old kernel tree before you do anything to it, just in case something messes up. To do this, do the following:
Become root and then go into your kernel source directory (for me it was /usr/src/linux-2.2.10) and do a 'make clean' to clean it up so you don't compress a lot of crap you don't need, as follows:
# cd /usr/src/linux-2.2.10
# make clean
Now you need to back up the tree; I did this by doing the following:
# cd /usr/src/
# tar -zcvf linux-2.2.10-tree.tar.gz linux-2.2.10
Now with that backed up, you can go ahead and change the stuff with less worrying...
If you have kernel 2.2.10, like I did, and 2.2.12 is the current stable release (or at least it is as I am writing this) you need all of the patch files after 2.2.10. So in my case, I needed to get patch-2.2.11.gz and patch-2.2.12.gz.
http://www.kernelnotes.org is where I got mine from, but I'm sure there are mirrors where you can get the patches from; more on this is on www.kernelnotes.org.
Note: When I downloaded this file using Netscape, it ungzipped it for me as it was downloading... so I didn't have to do the following step that you would have to do if you were using a program such as 'ftp'.
Ungzip the file by doing the following:
# gzip -d patch-2.2.11.gz
# gzip -d patch-2.2.12.gz
This will leave you with patch-2.2.11 and patch-2.2.12 (unless you downloaded the file with Netscape, and this step would already have been done for you).
Now move the files to your kernel source directory (using the mv command):
# mv patch-2.2.* /usr/src/linux-2.2.10
Now change into your kernel source directory (/usr/src/linux-2.2.10 in my case).
Now you need to apply the patches to the source... Order is important here. Start with the lowest and go to the highest, like the following:
# patch -p1 < patch-2.2.11
# patch -p1 < patch-2.2.12
Both of these commands will give you lots of output telling you what files are being patched, etc.
After I applied the patches, I went ahead and renamed my source directory to reflect the patches applied (mv /usr/src/linux-2.2.10 /usr/src/linux-2.2.12) and then I removed the old /usr/src/linux link and replaced it with the new location (rm /usr/src/linux and then ln -s /usr/src/linux-2.2.12 /usr/src/linux).
Now just compile your kernel.
Kernel patch with .ko
http://wiki.centos.org/HowTos/BuildingKernelModules
http://www.cyberciti.biz/tips/compilinglinuxkernelmodule.html
Patch
http://www.cyberciti.biz/tips/howtopatchrunninglinuxkernel.html
Patch-O-Matic
http://www.fifi.org/doc/iptablesdev/html/netfilterextensionsHOWTO2.html

Patch without reboots: Ksplice
http://www.cyberciti.biz/tips/debiancentosredhathotfixpatchlinuxkernel.html
FAQ
http://kernelnewbies.org/FAQ
Kernel Tuning
Kernel tuning with sysctl
The Linux kernel is flexible, and you can even modify the way it works on the fly by dynamically changing some of its parameters, thanks to the sysctl command. sysctl provides an interface that allows you to examine and change several hundred kernel parameters in Linux or BSD. Changes take effect immediately, and there's even a way to make them persist after a reboot. By using sysctl judiciously, you can optimize your box without having to recompile your kernel, and get the results immediately.
To start getting a taste of what sysctl can modify, run sysctl -a and you will see all the possible parameters. The list can be quite long: on my current box there are 712 possible settings.
$ sysctl -a
kernel.panic = 0
kernel.core_uses_pid = 0
kernel.core_pattern = core
kernel.tainted = 129
...many lines snipped...
If you want to get the value of just a single variable, use something like sysctl vm.swappiness, or just sysctl vm to list all variables that start with "vm.". Add the -n option to output just the variable values, without the names; -N has the opposite effect, and produces the names but not the values.
You can change any variable by using the -w option with the syntax sysctl -w variable=value. For example, sysctl -w net.ipv6.conf.all.forwarding=1 sets the corresponding variable to true (0 equals "no" or "false"; 1 means "yes" or "true"), thus allowing IPv6 forwarding. You may not even need the -w option; it seems to be deprecated. Do some experimenting on your own to confirm that.
sysctl values are loaded at boot time from the /etc/sysctl.conf file. This file can have blank lines, comments (lines starting either with a "#" character or a semicolon), and lines in the "variable = value" format. For example, my own sysctl.conf file is listed below. If you want to apply it at any time, you can do so with the command sysctl -p.
# Disable response to broadcasts.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable route verification on all interfaces
net.ipv4.conf.all.rp_filter = 1
# enable ipV6 forwarding
net.ipv6.conf.all.forwarding = 1
# increase the number of possible inotify(7) watches
fs.inotify.max_user_watches = 65536
sysctl and the /proc directory
The /proc/sys virtual directory also provides an interface to the sysctl parameters, allowing you to examine and change them. For example, the /proc/sys/vm/swappiness file is equivalent to the vm.swappiness parameter in sysctl.conf; just forget the initial "/proc/sys/" part, substitute dots for the slashes, and you get the corresponding sysctl parameter. (By the way, the substitution is not actually required; slashes are also accepted, though it seems everybody goes for the notation with the dots instead.) Thus, echo 10 > /proc/sys/vm/swappiness is exactly the same as sysctl -w vm.swappiness=10. But as a rule of thumb, if a /proc/sys file is read-only, you cannot set it with sysctl either.
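The two conversions just described, written out as shell so they can be checked rather than done by eye: turning a /proc/sys path into the dotted sysctl name and back, and reading a sysctl.conf-style file the way sysctl -p does (blank lines and "#" or ";" comments ignored, whitespace around "=" tolerated, the last assignment of a key winning). This is an added example, not part of the practicals or of the sysctl tool; the sysctl.conf text is a constructed sample modelled on the one listed above.

```shell
# Added example, not part of the practicals: /proc/sys <-> sysctl name
# conversion and a sysctl.conf reader with the same comment and blank-line
# rules sysctl -p applies.

# Constructed sysctl.conf text modelled on the listing above.
SAMPLE_CONF='# Disable response to broadcasts.
net.ipv4.icmp_echo_ignore_broadcasts = 1
; enable route verification on all interfaces
net.ipv4.conf.all.rp_filter=1

net.ipv6.conf.all.forwarding = 1   
fs.inotify.max_user_watches = 65536
'

# sysctl_to_proc <key>: net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward
sysctl_to_proc() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# proc_to_sysctl <path>: /proc/sys/vm/swappiness -> vm.swappiness
proc_to_sysctl() {
    printf '%s\n' "${1#/proc/sys/}" | tr '/' '.'
}

# parse_sysctl_conf <text>: emit "key=value" lines with comments, blank
# lines, leading/trailing whitespace and spaces around "=" removed.
parse_sysctl_conf() {
    printf '%s\n' "$1" | sed -e 's/[[:space:]]*$//' \
        -e '/^[[:space:]]*$/d' -e '/^[[:space:]]*[#;]/d' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' -e 's/^[[:space:]]*//'
}

# conf_value <text> <key>: value the file would set for <key>; empty if the
# key is absent. The last occurrence wins, as with sysctl -p.
conf_value() {
    parse_sysctl_conf "$1" | awk -F'=' -v k="$2" '$1 == k { v = $2 } END { print v }'
}
```

A use for conf_value that the text hints at: compare what /etc/sysctl.conf says against what the running kernel reports (sysctl -n <key>) after a change made with echo into /proc/sys, since such a change is lost at reboot unless the file carries it too.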

Linux network optimization with sysctl
Disabling the TCP options reduces the overhead of each TCP packet and might help to get the last few percent of performance out of the server. Be aware that disabling these options most likely decreases performance for high-latency and lossy links.
* net.ipv4.tcp_sack = 0
* net.ipv4.tcp_timestamps = 0
Increasing the TCP send and receive buffers will increase the performance a lot if (and only if) you have a lot of large files to send.
* net.ipv4.tcp_wmem = 4096 65536 524288
* net.core.wmem_max = 1048576
If you have a lot of large file uploads, increasing the receive buffers will help.
* net.ipv4.tcp_rmem = 4096 87380 524288
* net.core.rmem_max = 1048576
# These ensure that TIME_WAIT ports either get reused or closed fast.
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_tw_recycle = 1
# TCP memory
net.core.rmem_max = 16777216
net.core.rmem_default = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
# you shouldn't be using conntrack on a heavily loaded server anyway, but these are
# suitably high for our uses, ensuring that if conntrack gets turned on, the box doesn't die
net.ipv4.ip_conntrack_max = 1048576
net.nf_conntrack_max = 1048576
# increase Linux TCP buffer limits
echo 8388608 > /proc/sys/net/core/rmem_max
echo 8388608 > /proc/sys/net/core/wmem_max
# increase Linux autotuning TCP buffer limits
echo "4096 87380 8388608" > /proc/sys/net/ipv4/tcp_rmem
echo "4096 65536 8388608" > /proc/sys/net/ipv4/tcp_wmem
# echo 65536 > /proc/sys/fs/file-max   # physical RAM * 256 / 4
echo "1024 65000" > /proc/sys/net/ipv4/ip_local_port_range
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 8192 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Decrease the default time value for the tcp_fin_timeout connection
# echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# echo 3 > /proc/sys/net/ipv4/tcp_syn_retries
# echo 2 > /proc/sys/net/ipv4/tcp_retries1
# Decrease the default time value for the tcp_keepalive_time connection
# echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
# Turn off tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
# echo "67108864" > /proc/sys/kernel/shmmax
# Turn off the tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_sack         # This disables RFC 2018 TCP Selective Acknowledgements
# Turn off tcp_timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps   # This disables RFC 1323 TCP timestamps
echo 5 > /proc/sys/kernel/panic              # reboot 5 seconds after a kernel panic (the value is in seconds)

A third variant:
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_syncookies = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
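Three of the values in the listings above are hardening settings rather than throughput knobs: rp_filter (reverse-path check on incoming packets), tcp_syncookies (survive a SYN backlog that fills up) and icmp_echo_ignore_broadcasts (do not answer broadcast pings). The shell below is an added example, not part of the practicals: it audits a captured sysctl -a listing against those expectations and reports every key that deviates or is absent, so a box can be checked after a reboot instead of trusting that sysctl -p ran. The expected values are an assumption taken from the text, not a vendor baseline, and the listing is a constructed sample. One caveat on the listing above that this audit does not encode: net.ipv4.tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12, so treat its line as historical.

```shell
# Added example, not part of the practicals: compare a "sysctl -a" listing
# with the security-relevant values the tuning notes above set.

# Constructed "sysctl -a" output (a real listing runs to hundreds of lines).
SAMPLE_SYSCTL_A='kernel.panic = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.ip_forward = 0
'

# Assumed baseline (key=expected, one per line), taken from the notes above.
EXPECTED='net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.t+cp_syncookies=1
net.ipv4.ip_forward=0'
EXPECTED=$(printf '%s\n' "$EXPECTED" | tr -d '+')   # keep the list literal above readable

# current_value <listing> <key>: the value sysctl -a printed for <key>, or empty
current_value() {
    printf '%s\n' "$1" | awk -F' = ' -v k="$2" '$1 == k { print $2; exit }'
}

# audit_sysctl <listing>: one "key current expected" line per deviation;
# a key missing from the listing is shown with "-" as its current value.
audit_sysctl() {
    printf '%s\n' "$EXPECTED" | while IFS='=' read -r key want; do
        have=$(current_value "$1" "$key")
        [ -n "$have" ] || have='-'
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$key" "$have" "$want"
    done
}

# mismatch_count <listing>: number of deviating keys; 0 means compliant
mismatch_count() {
    audit_sysctl "$1" | wc -l | tr -d ' '
}
```

On a live system feed it the real listing with mismatch_count "$(sysctl -a 2>/dev/null)"; the same function run against the output of parse_sysctl_conf on /etc/sysctl.conf tells you whether the file, not just the running kernel, carries the setting.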

Reference
http://shebangme.blogspot.com/2010/07/kernelsysctlconfigurationfilefor.html
swappiness
http://www.linux.com/archive/feature/146599
Device driver
http://en.wikipedia.org/wiki/Device_driver
Lsmod
http://en.wikipedia.org/wiki/Lsmod
Modprobe
http://en.wikipedia.org/wiki/Modprobe
Oracle + sysctl
http://www.puschitz.com/TuningLinuxForOracle.shtml
http://www.puschitz.com/TuningLinuxForOracle.shtml#SettingSHMMAXParameter
http://www.puschitz.com/TuningLinuxForOracle.shtml#TheSEMMSLParameter
Reference
http://www.linux.com/archive/feature/126718
http://www.fcicq.net/wp/?p=197
http://www.cyberciti.biz/tips/linuxprocfsfiledescriptors.html
http://en.opensuse.org/Kernel_module_configuration
http://www.cyberciti.biz/tips/bladeserverdisablefloppydrivermodule.html
Blacklist
Just open your /etc/modprobe.conf file and turn off autoloading using the following syntax:
alias drivername off
If you are using Debian/Ubuntu Linux, open the /etc/modprobe.d/blacklist file and add the driver name using the following syntax:
blacklist drivername
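Step 10 of the hello module walk-through above (one module name per line in /etc/modules) and the blacklist file just described are the same kind of file: one directive per line, "#" comments allowed. Setup scripts that append to them blindly leave duplicate lines behind after every run. The shell below is an added example, not part of the practicals: comment-aware, idempotent helpers for both files. The file paths are parameters so the functions can be tried on a scratch copy; on a real system pass /etc/modules and /etc/modprobe.d/blacklist as the text names them. One practical caveat from the copy step: a module copied under /lib/modules/$(uname -r) is only found by modprobe after depmod -a has regenerated modules.dep.

```shell
# Added example, not part of the practicals: idempotent editing of the
# one-directive-per-line module files named in the text.

# has_directive <file> <directive>: succeed if an active (non-comment) line,
# trimmed of surrounding whitespace, equals <directive>.
has_directive() {
    awk -v want="$2" '
        { l = $0; sub(/#.*/, "", l); gsub(/^[ \t]+|[ \t]+$/, "", l)
          if (l == want) found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# ensure_line <file> <directive>: append <directive> unless already present;
# creates the file if it does not exist.
ensure_line() {
    [ -f "$1" ] || : > "$1"
    has_directive "$1" "$2" || printf '%s\n' "$2" >> "$1"
}

# module_at_boot <modules-file> <module>: load <module> at boot (step 10(d)
# above), e.g. module_at_boot /etc/modules hello
module_at_boot() { ensure_line "$1" "$2"; }

# blacklist_module <blacklist-file> <module>: stop <module> from autoloading,
# e.g. blacklist_module /etc/modprobe.d/blacklist floppy
blacklist_module() { ensure_line "$1" "blacklist $2"; }

# count_directive <file> <directive>: how many active lines equal <directive>
# (should be 0 or 1 after the helpers above have run)
count_directive() {
    awk -v want="$2" '
        { l = $0; sub(/#.*/, "", l); gsub(/^[ \t]+|[ \t]+$/, "", l)
          if (l == want) n++ }
        END { print n + 0 }' "$1"
}
```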

Linux Kernel Magic SysRq keys
The kernel offers you something that allows you to recover your system from a crash, or at the least lets you perform a proper shutdown, using the Magic SysRq keys. The magic SysRq key is a select key combination in the Linux kernel which allows the user to perform various low-level commands regardless of the system's state, using the SysRq key. It is often used to recover from freezes, or to reboot a computer without corrupting the filesystem.

How do I use the magic SysRq keys in an emergency?
You need to use the following key combination in order to reboot/halt/sync the filesystem etc.:
ALT + SysRq + COMMAND KEY
The 'SysRq' key is also known as the 'Print Screen' key. COMMAND KEY can be any one of the following (all keys need to be hit simultaneously):

'b': Will immediately reboot the system without syncing or unmounting your disks.

'o': Will shut your system off (if configured and supported).

's': Will attempt to sync all mounted filesystems.

'u': Will attempt to remount all mounted filesystems read-only.

'e': Send a SIGTERM to all processes, except for init.

'h': Show help; indeed this is the one you need to remember.
So when you need to tell your Linux computer to reboot, or when your X server has crashed or you don't see anything going across the screen, then just press:
ALT + SysRq + s: (Press and hold down ALT, then the SysRq (Print Screen) key and press 's') Will try to sync all mounted filesystems
ALT + SysRq + r: (Press and hold down ALT, then the SysRq (Print Screen) key and press 'r') Will reboot the system.
If you wish to shut down the system instead of rebooting, then press the following key combination:
ALT + SysRq + o
ipt_sysrq is a new iptables target that allows you to do the same as the magic SysRq key on a keyboard does, but over the network. Sometimes a remote server hangs and only responds to ICMP echo requests (ping). Every administrator of such a machine is very unhappy because (s)he must go there and press the reset button. It takes a long time and it's inconvenient. So use the network magic SysRq and you will be able to do more than just pressing a reset button. You can remotely sync disks, remount them read-only, then do a reboot. And everything comfortably and only in a few seconds. Please see Marek Zelem's page to enable the iptables network magic SysRq function.
The magic SysRq key basically has a key combination of <ALT> + <SysRq or PrntScrn> + <Command key>.
The command key can be one of the following, each providing a specific function:
b - Will immediately reboot the system without syncing or unmounting your disks.
c - Will perform a kexec reboot in order to take a crashdump.
d - Shows all locks that are held.
e - Send a SIGTERM to all processes, except for init.
f - Will call oom_kill to kill a memory hog process.
g - Used by kgdb on ppc and sh platforms.
h - Will display help (actually any key other than those listed here will display help, but h is easy to remember).
i - Send a SIGKILL to all processes, except for init.
k - Secure Access Key (SAK): kills all programs on the current virtual console. NOTE: See important comments below in the SAK section.
m - Will dump current memory info to your console.
n - Used to make RT tasks nice-able.
o - Will shut your system off (if configured and supported).
p - Will dump the current registers and flags to your console.
q - Will dump a list of all running timers.
r - Turns off keyboard raw mode and sets it to XLATE.
s - Will attempt to sync all mounted filesystems.
t - Will dump a list of current tasks and their information to your console.
u - Will attempt to remount all mounted filesystems read-only.
v - Dumps Voyager SMP processor info to your console.
w - Dumps tasks that are in uninterruptible (blocked) state.
x - Used by the xmon interface on ppc/powerpc platforms.
0-9 - Sets the console log level, controlling which kernel messages will be printed to your console. (0, for example, would make it so that only emergency messages like PANICs or OOPSes would make it to your console.)
Ref
http://www.susegeek.com/general/linuxkernelmagicsysrqkeysinopensuseforcrashrecovery/
http://www.cyberciti.biz/tips/rebootlinuxboxafterakernelpanic.html
http://www.cyberciti.biz/tips/rebootorhaltlinuxsysteminemergency.html

In computing, a device driver or software driver is a computer program allowing higher-level computer programs to interact with a hardware device.
A driver typically communicates with the device through the computer bus or communications subsystem to which the hardware connects. When a calling program invokes a routine in the driver, the driver issues commands to the device. Once the device sends data back to the driver, the driver may invoke routines in the original calling program. Drivers are hardware-dependent and operating-system-specific. They usually provide the interrupt handling required for any necessary asynchronous time-dependent hardware interface.

The mknod command
MAKEDEV is the preferred way of creating device files which are not present. However, sometimes the MAKEDEV script will not know about the device file you wish to create. This is where the mknod command comes in. In order to use mknod you need to know the major and minor node numbers for the device you wish to create. The devices.txt file in the kernel source documentation is the canonical source of this information.
To take an example, let us suppose that our version of the MAKEDEV script does not know how to create the /dev/ttyS0 device file. We need to use mknod to create it. We know from looking at the devices.txt file that it should be a character device with major number 4 and minor number 64. So we now know all we need to create the file.
# mknod /dev/ttyS0 c 4 64
# chown root.dialout /dev/ttyS0
# chmod 0644 /dev/ttyS0
# ls -l /dev/ttyS0
crw-rw----    1 root     dialout    4,  64 Oct 23 18:23 /dev/ttyS0

As you can see, many more steps are required to create the file. In this example you can see the process required, however. It is unlikely in the extreme that the ttyS0 file would not be provided by the MAKEDEV script, but it suffices to illustrate the point.
$ mknod /opt/champu b 3 10
$ mount /opt/champu /home
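devices.txt documents the number assignments; the running kernel publishes the majors it has actually registered in /proc/devices, which is the better place to look before typing a mknod line by hand, and ls -l on the result is how you confirm the node really carries the type, major and minor you meant (a wrong major silently points the node at a different driver). The shell below is an added example, not part of the practicals: a lookup over /proc/devices and a check over an ls -l line. Both inputs are constructed samples in the real formats.

```shell
# Added example, not part of the practicals: find a driver's major number in
# /proc/devices and verify an existing node from its ls -l line.

# Constructed /proc/devices excerpt (character and block sections).
SAMPLE_PROC_DEVICES='Character devices:
  1 mem
  4 /dev/vc/0
  4 tty
  4 ttyS
  5 /dev/tty
 10 misc

Block devices:
  3 ide0
  8 sd
'

# major_of <proc-devices-text> <c|b> <driver>: the major number registered
# for <driver> in the requested section, or nothing if it is not loaded.
major_of() {
    printf '%s\n' "$1" | awk -v kind="$2" -v want="$3" '
        /^Character devices:/ { sect = "c"; next }
        /^Block devices:/     { sect = "b"; next }
        NF == 2 && sect == kind && $2 == want { print $1; exit }'
}

# node_id <ls -l line>: print "<type> <major> <minor>" for a device node, e.g.
#   crw-rw---- 1 root dialout 4, 64 Oct 23 18:23 /dev/ttyS0  ->  c 4 64
# (ls prints "major," in the size column for device nodes).
node_id() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[cb]/ { t = substr($1, 1, 1); maj = $5; sub(/,$/, "", maj); print t, maj, $6 }'
}

# check_node <ls -l line> <c|b> <major> <minor>: succeed if the node matches
check_node() {
    [ "$(node_id "$1")" = "$2 $3 $4" ]
}
```

On a live box the pattern is major_of "$(cat /proc/devices)" c ttyS to get the major, mknod with it, then check_node "$(ls -l /dev/ttyS0)" c 4 64 before handing the node to anything.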
1. lsmod
2. insmod
3. rmmod
4. modprobe
5. modinfo
6. depmod

lsmod is a command on Linux systems which prints the contents of the /proc/modules file. It shows which loadable kernel modules are currently loaded.
Abridged example output:
# lsmod
Module                  Size  Used by
af_packet              27392  2
8139too                30592  0
snd_cs46xx             96872  3
snd_pcm_oss            55808  1
snd_mixer_oss          21760  2 snd_pcm_oss
ip6table_filter         7424  1
ip6_tables             19728  1 ip6table_filter
ipv6                  290404  22
xfs                   568384  4
sis900                 18052  5
libata                169920  1 pata_sis
scsi_mod              158316  3 usb_storage,sd_mod,libata
usbcore               155312  6 ohci_hcd,usb_storage,usbhid
The first column is the module name and the second column is the size of the module, i.e. the output format is module name, size, use count, list of referring modules.

modprobe is a Linux program originally written by Rusty Russell, used to add a loadable kernel module (LKM) to the Linux kernel or remove an LKM from the kernel. It is commonly used indirectly, as udev relies upon modprobe to load drivers for automatically detected hardware.
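The four lsmod columns answer the two questions that matter before rmmod: which modules nothing holds (use count 0, the only ones rmmod will remove) and, for a module that is held, which modules must be unloaded first (its "Used by" list). A use count larger than the number of names listed means something in user space, such as an open socket or device file, holds the module rather than another module. The shell below is an added example, not part of the practicals, that reads those columns; the listing is a constructed subset of the one above.

```shell
# Added example, not part of the practicals: answer rmmod's ordering
# questions from lsmod output (name, size, use count, referring modules).

# Constructed subset of the lsmod listing above.
SAMPLE_LSMOD='Module                  Size  Used by
af_packet              27392  2
8139too                30592  0
snd_mixer_oss          21760  2 snd_pcm_oss
ip6_tables             19728  1 ip6table_filter
libata                169920  1 pata_sis
scsi_mod              158316  3 usb_storage,sd_mod,libata
usbcore               155312  6 ohci_hcd,usb_storage,usbhid
'

# unloadable <lsmod-text>: modules with use count 0; rmmod refuses any other
unloadable() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 3 && $3 == 0 { print $1 }'
}

# users_of <lsmod-text> <module>: the modules holding <module>, i.e. the ones
# that must be unloaded before it (space separated, empty if none)
users_of() {
    printf '%s\n' "$1" | awk -v m="$2" 'NR > 1 && $1 == m && NF >= 4 { print $4 }' | tr ',' ' '
}

# dependencies_of <lsmod-text> <module>: modules that list <module> in their
# "Used by" column, i.e. what <module> itself depends on; they stay loaded
# until <module> is gone (space separated, in listing order)
dependencies_of() {
    printf '%s\n' "$1" | awk -v m="$2" '
        NR > 1 && NF >= 4 { n = split($4, a, ","); for (i = 1; i <= n; i++) if (a[i] == m) print $1 }' \
        | tr '\n' ' ' | sed 's/ $//'
}
```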

Networking
Tools
$ ifconfig
$ neat-tui
$ /etc/sysconfig/network-scripts/ifcfg-eth0
$ netconfig
$ ethtool
$ ip r l
$ telnet
$ nmap
$ netstat
$ ping
$ route
$ traceroute
$ tcpdump     -> network traffic tool
$ iptraf      -> monitor network traffic; curses-based tool, self-explanatory
$ ethereal    -> network analyzer which does data capture and filtering
$ tethereal   -> captures and displays only the high-level protocols

$ ifconfig   -> status of all interfaces
eth0      Link encap:Ethernet  HWaddr 00:50:FC:2A:2C:48
          inet addr:192.0.34.7  Bcast:192.0.34.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:240 (240.0 b)
          Interrupt:11 Base address:0xf000
eth1      Link encap:Ethernet  HWaddr 00:60:CC:AA:2C:9C
          inet addr:192.168.0.20  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:240 (240.0 b)
          Interrupt:11 Base address:0xc000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1407 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1407 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:149180 (145.6 Kb)  TX bytes:149180 (145.6 Kb)

$ ifconfig eth0   -> status of the eth0 interface
eth0      Link encap:Ethernet  HWaddr 00:50:FC:2A:2C:48
          inet addr:192.0.34.7  Bcast:192.0.34.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:240 (240.0 b)
          Interrupt:11 Base address:0xf000

$ ifconfig eth0 IP        -> set eth0 to IP
$ ifconfig eth0:x IP      -> set eth0 to a multiplexed (alias) IP
$ ifconfig eth0 down      -> bring eth0 down
$ ifdown eth0             -> ditto
$ ifconfig eth0 up        -> bring eth0 up
$ ifup eth0               -> ditto
$ ifconfig eth0 -arp      -> disable use of the ARP protocol on this interface

$ ifconfig eth0 [-]allmulti
Enable or disable all-multicast mode. If selected, all multicast packets on the network will be received by the interface.

$ ifconfig eth0 -promisc
Turn off promiscuous mode on the interface eth0. If on, it tells the interface to pass all traffic on the network to the kernel, not just the traffic addressed to this machine. Check with ifconfig or netstat -i.

$ ifconfig eth0 hw ether CC:CC:CC:CC:CC:CC
Changes the MAC address. Do an 'ifconfig eth0 down' first, change, then 'ifconfig eth0 up'. The MAC address is changed.

$ ifconfig eth0 172.16.1.77 broadcast 172.16.1.255 netmask 255.255.0.0
Changes IP/broadcast/netmask all in one go!

$ ifconfig eth0 mtu 800
Change the MTU to 800

ethtool - display or change ethernet card settings
$ ethtool ethX
$ ethtool -h
$ ethtool -a ethX
$ ethtool -A ethX [autoneg on|off] [rx on|off] [tx on|off]
$ ethtool -c ethX
$ ethtool -C ethX [adaptive-rx on|off] [adaptive-tx on|off] [rx-usecs N] [rx-frames N] [rx-usecs-irq N] [rx-frames-irq N] [tx-usecs N] [tx-frames N] [tx-usecs-irq N] [tx-frames-irq N] [stats-block-usecs N] [pkt-rate-low N] [rx-usecs-low N] [rx-frames-low N] [tx-usecs-low N] [tx-frames-low N] [pkt-rate-high N] [rx-usecs-high N] [rx-frames-high N] [tx-usecs-high N] [tx-frames-high N] [sample-interval N]
$ ethtool -g ethX
$ ethtool -G ethX [rx N] [rx-mini N] [rx-jumbo N] [tx N]
$ ethtool -i ethX
$ ethtool -d ethX
$ ethtool -e ethX
$ ethtool -k ethX
$ ethtool -K ethX [rx on|off] [tx on|off] [sg on|off]
$ ethtool -p ethX [N]
$ ethtool -r ethX
$ ethtool -S ethX
$ ethtool -t ethX [offline|online]

$ man ethtool

ping - TCP/IP diagnostic tool
Sends ICMP ECHO_REQUEST to network hosts.

There are two types of ping:
The standard Unix ping, which sends an ICMP ECHO REQUEST and receives an ICMP ECHO REPLY from the remote host if it is up and running.
The other is to send a UDP or TCP packet to port 7 [echo] of the remote host and see that whatever you type is echoed back; then the host is up.

$ telnet remotehost echo   (or 7)

and whatever you type will be echoed back to you: the system is alive!
$ ping [-c count] [-a] [-n] IP/Hostname   [count / audible ping / no name resolution]
ping sends a packet of 64 bytes by default. The size is 56 ICMP data bytes + 8 bytes for the header data.

$ ping -s 1600 203.12.10.20
Sending a larger packet size than the MTU of Ethernet [1500] forces fragmentation. You can then identify a low-level media issue or a congested network. Since ping works at the IP layer, no server process [HTTP/DNS] is required to be running on the target host, just a running kernel.
Check the ICMP sequence numbers to see that no packets are dropped and that they arrive in sequence.
Run
$ traceroute   -> to get the path the packet is taking, and then track down the offending midway routers by pinging each in succession.
$ route ['add'/'del'] [-net|-host] 'addr' {gw 'IP'} {netmask 'mask'} 'interface'
Default route:
/etc/sysconfig/network
GATEWAY=IP
or
route add default gw gatewayIPaddr
Routing determines the path a packet takes from its source through a maze of networks to its destination. It is like asking for directions in an unfamiliar place: a person may point you to the right city, another to a street, another to the right building.
Routing is done at the IP layer.
When a packet bound for some other host arrives, the path is found by matching the destination IP address against the Kernel Routing Table [KRT]. If it matches a route in the KRT, the packet is forwarded to the 'next hop gateway' IP address associated with the route.
Two special cases are possible here:
Case I: The packet may be destined for some host on a directly connected network. In this case the 'next hop gateway' IP address in the KRT will be one of the local host's own interfaces and the packet is sent directly to its destination. This type of route is what you normally get with the ifconfig command when you configure an interface.
Case II: No route in the KRT matches the destination address that the packet wishes to reach. The default route [gateway] is invoked, or an error. Most networks have only one way out and that is the default route. On the Internet backbone, the routers do not have default routes: the buck stops there. If they do not have a routing entry for a destination, the destination cannot be reached and a "network unreachable" ICMP error is sent to the sender.
The KRT contains info like "To get to network X from machine Y, send the packet to machine Z with a cost of 1 [metric]", along with TTL and reliability values for that route.
Routing policy:

Static routes: for small unconnected networks

Dynamic routes: many subnets, large networks, connected to the Internet

Static/Dyn:

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.34.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.1       0.0.0.0         255.255.255.0   U     0      0        0 lo
0.0.0.0         192.0.34.1      0.0.0.0         UG    0      0        0 eth0

$ route -n
Kernel IP routing table
   Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
1. 132.236.227.0   132.236.227.93  255.255.255.0   U     0      0        0 eth0
2. 132.236.212.0   132.236.212.1   255.255.255.192 U     0      0        0 eth1
3. 127.0.0.1       0.0.0.0         255.255.255.0   U     0      0        0 lo
4. default         132.236.227.1   0.0.0.0         UG    0      0        0 eth0
5. 132.236.220.64  132.236.212.6   255.255.255.192 UG    0      0        0 eth1

Routes 1 and 2 were added by ifconfig when the eth0 and eth1 interfaces were configured at boot-up.
This means that to reach machine 132.236.227.93 on the network 132.236.227.0 the gateway is machine 132.236.227.93: the machine itself is its gateway, which implies it can be reached directly on this network and no other machine has to be consulted.
Ditto for the next one.
Route 3 is the loopback interface, a pseudo-device that prevents packets sent from the host to itself from going out on the network; instead, they are transferred directly.
Route 4 is the default route (route add default gw 132.236.227.1 eth0).
It says: packets not explicitly addressed to any of the 3 networks listed [or to the machine itself] will be sent to the default gateway host, 132.236.227.1.

Route 5 says: to reach network 132.236.220.64/26, packets must be sent to gateway host 132.236.212.6 through eth1.
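The matching rule the text describes (apply each route's Genmask to the destination, compare with its Destination, and fall back to the default route when nothing else fits) is easy to reproduce and is a good way to convince yourself why route 5 above wins over route 4 for 132.236.220.70. The shell below is an added example, not part of the practicals: a lookup over a route -n style table in which the most specific (numerically largest) matching mask wins, which is how the kernel orders matches. The table is a constructed copy of the route -n listing above, with 0.0.0.0 in place of "default" (as -n prints it) and the loopback entry written as 127.0.0.0/255.0.0.0.

```shell
# Added example, not part of the practicals: pick the route the kernel would
# use for a destination from a route -n style table.

# Constructed copy of the route -n table above.
SAMPLE_ROUTES='Destination     Gateway         Genmask         Flags Metric Ref Use Iface
132.236.227.0   132.236.227.93  255.255.255.0   U     0      0   0   eth0
132.236.212.0   132.236.212.1   255.255.255.192 U     0      0   0   eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
0.0.0.0         132.236.227.1   0.0.0.0         UG    0      0   0   eth0
132.236.220.64  132.236.212.6   255.255.255.192 UG    0      0   0   eth1
'

# ip2int <dotted-quad>: the address as one integer so a mask can be applied
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_lookup <table> <destination>: print "<gateway> <iface>" of the route
# the kernel would choose. An entry matches when (destination & Genmask)
# equals its Destination; among matches the largest mask wins. The
# 0.0.0.0/0.0.0.0 entry matches everything, which is what makes it the
# default. Returns 1 when nothing matches (the "network unreachable" case).
route_lookup() {
    dest=$(ip2int "$2"); best_mask=-1; best=''
    while read -r dst gw mask flags metric ref use iface; do
        [ -n "$dst" ] || continue
        m=$(ip2int "$mask")
        if [ $(( dest & m )) -eq "$(ip2int "$dst")" ] && [ "$m" -gt "$best_mask" ]; then
            best_mask=$m; best="$gw $iface"
        fi
    done <<EOF
$(printf '%s\n' "$1" | tail -n +2)
EOF
    [ -n "$best" ] && printf '%s\n' "$best"
}
```

Run it against the live table with route_lookup "$(route -n | tail -n +2)" 10.0.0.1 (the second line of route -n output is the column header, which the function skips).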

netstat - monitoring your TCP/IP network
Prints network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
$ netstat -a:
Displays the status of all active connections, including inactive [listening] servers waiting for connects
$ netstat -l:
Show only inactive or listening connections, not established ones
$ netstat -p:
Show the PID and name of the program to which each socket belongs
$ netstat -o:
Include information related to networking timers
$ netstat -r:
Show the kernel routing table
$ netstat -vatnp | grep <servicename>
$ netstat -tulnp | grep <servicename>

State: TCP/IP connection [socket] state
ESTABLISHED
    The socket has an established connection.
SYN_SENT
    The socket is actively attempting to establish a connection to the remote host.
    Debug note: if you find a connection that stays in this state, then a local process is trying very hard to contact a nonexistent or inaccessible network server.
SYN_RECV
    A connection request has been received from a remote host and is being initialized.
FIN_WAIT1
    The socket is closed, and the connection is shutting down.
FIN_WAIT2
    The connection is closed, and the socket is waiting for a shutdown from the remote end.
TIME_WAIT
    The socket is waiting after close to handle packets still in the network.
CLOSED
    The socket is not being used.
CLOSE_WAIT
    The remote end has shut down its connection, and the local host is waiting for the socket to close.
LAST_ACK
    The remote end has shut down, and the socket is closed. Waiting for acknowledgement.
LISTEN
    The socket is listening for incoming connections. Specify the -l option to see this.
CLOSING
    Both sockets are shut down but we still don't have all our data sent.
UNKNOWN
    The state of the socket is unknown.
USER
    The login ID of the user who owns the socket.
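The state column is the quickest health signal netstat gives: a pile of SYN_RECV entries on one local port means half-open connections are accumulating faster than the handshake completes, which is the condition net.ipv4.tcp_syncookies in the tuning notes exists to absorb; a crowd of CLOSE_WAIT entries points at a local program that never closes its sockets. The shell below is an added example, not part of the practicals: it tallies states from netstat -tan output and flags a port whose SYN_RECV count crosses a threshold. The netstat lines are constructed.

```shell
# Added example, not part of the practicals: count TCP socket states from
# "netstat -tan" output and flag a listening port with many half-open
# (SYN_RECV) connections.

# Constructed netstat -tan output.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.34.7:22           192.168.0.20:51234      ESTABLISHED
tcp        0      0 192.0.34.7:80           10.9.8.7:40001          SYN_RECV
tcp        0      0 192.0.34.7:80           10.9.8.8:40002          SYN_RECV
tcp        0      0 192.0.34.7:80           10.9.8.9:40003          SYN_RECV
tcp        0      0 192.0.34.7:80           192.168.0.21:5555       TIME_WAIT
'

# state_counts <netstat-text>: "STATE count" per state, sorted by state name
state_counts() {
    printf '%s\n' "$1" | awk '$1 == "tcp" || $1 == "tcp6" { n[$6]++ }
        END { for (s in n) print s, n[s] }' | sort
}

# count_state <netstat-text> <STATE>: number of tcp sockets in <STATE>
count_state() {
    printf '%s\n' "$1" | awk -v s="$2" '($1 == "tcp" || $1 == "tcp6") && $6 == s { c++ }
        END { print c + 0 }'
}

# syn_recv_by_port <netstat-text>: "port count" for the local port with the
# most SYN_RECV sockets; nothing if there are none
syn_recv_by_port() {
    printf '%s\n' "$1" | awk '($1 == "tcp" || $1 == "tcp6") && $6 == "SYN_RECV" {
            n = split($4, a, ":"); p[a[n]]++ }
        END { for (k in p) if (p[k] > best) { best = p[k]; port = k }
              if (best) print port, best }'
}

# half_open_alert <netstat-text> <threshold>: succeed (alert) when some local
# port has at least <threshold> SYN_RECV sockets
half_open_alert() {
    top=$(syn_recv_by_port "$1")
    [ -n "$top" ] && [ "${top#* }" -ge "$2" ]
}
```

In a cron job the natural form is half_open_alert "$(netstat -tan)" 200 && logger "SYN backlog building"; pick the threshold from what the box shows under normal load, since a busy web server legitimately holds a few dozen SYN_RECV at any instant.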


FTP
Active FTP
Passive FTP
Users
Regular FTP
Anonymous FTP
vsftpd.conf
anon_root=/data/directory
# Allow anonymous FTP?
anonymous_enable=YES
# The directory which vsftpd will try to change into after an anonymous login. (Default=/var/ftp)
anon_root=/data/directory
# Uncomment this to allow local users to log in.
local_enable=YES
# Uncomment this to enable any form of FTP write command.
# (Needed even if you want local users to be able to upload files)
write_enable=YES
# Uncomment to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES

# Activate logging of uploads/downloads.
xferlog_enable=YES
# You may override where the log file goes if you like.
# The default is shown below.
xferlog_file=/var/log/vsftpd.log

Other vsftpd.conf options
There are many other options you can add to this file:

Limiting the maximum number of client connections (max_clients)

Limiting the number of connections by source IP address (max_per_ip)

The maximum rate of data transfer per anonymous login (anon_max_rate)

The maximum rate of data transfer per non-anonymous login (local_max_rate)

Descriptions of these and more can be found in the vsftpd.conf man pages.
Anonymous upload
mkdir /var/ftp/pub/upload
chmod 722 /var/ftp/pub/upload
ftpd_banner=New Banner Here
write_enable=NO
Check the files under the following:
$ cd /etc/vsftpd/
$ ls
ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
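The comments in the vsftpd.conf excerpt above spell out the combinations that matter: anonymous logins only become a write path when anonymous_enable, write_enable and anon_upload_enable are all YES, and the "Anonymous upload" recipe confines that path to a directory created with chmod 722 (writable by anyone, listable by nobody, so uploads cannot be retrieved by other anonymous users). The shell below is an added example, not part of the practicals or of vsftpd: it reads a vsftpd.conf and reports those combinations plus a missing transfer log. The defaults it assumes for absent keys (anonymous_enable=YES, write_enable=NO, anon_upload_enable=NO, anon_mkdir_write_enable=NO, xferlog_enable=NO, anon_root=/var/ftp) are the compiled-in defaults documented in vsftpd.conf(5); the configs are constructed samples.

```shell
# Added example, not part of the practicals: flag risky option combinations
# in a vsftpd.conf. Defaults for absent keys are assumptions taken from
# vsftpd.conf(5).

# Constructed vsftpd.conf with anonymous upload switched on.
SAMPLE_VSFTPD='# Allow anonymous FTP?
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_root=/data/directory
xferlog_enable=NO
'

# conf_get <text> <key> <default>: value of <key> ignoring comment lines,
# last occurrence wins; <default> when the key is absent
conf_get() {
    v=$(printf '%s\n' "$1" | sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' |
        awk -F'=' -v k="$2" '$1 == k { val = $2 } END { print val }')
    printf '%s\n' "${v:-$3}"
}

# vsftpd_findings <text>: one finding per line; no output means nothing flagged
vsftpd_findings() {
    anon=$(conf_get "$1" anonymous_enable YES)
    write=$(conf_get "$1" write_enable NO)
    upload=$(conf_get "$1" anon_upload_enable NO)
    mkdirw=$(conf_get "$1" anon_mkdir_write_enable NO)
    log=$(conf_get "$1" xferlog_enable NO)
    root=$(conf_get "$1" anon_root /var/ftp)
    if [ "$anon" = YES ] && [ "$write" = YES ] && [ "$upload" = YES ]; then
        echo "anonymous upload is enabled under $root: confine it to a chmod 722 subdirectory as in the recipe above"
    fi
    if [ "$anon" = YES ] && [ "$write" = YES ] && [ "$mkdirw" = YES ]; then
        echo "anonymous users may create directories under $root"
    fi
    [ "$log" = YES ] || echo "xferlog_enable is not YES: uploads and downloads are not logged"
}

# finding_count <text>: number of findings, 0 when the file raises none
finding_count() {
    vsftpd_findings "$1" | grep -c .
}
```

The same conf_get answers a question the man page reference above leaves to you: finding_count "$(cat /etc/vsftpd/vsftpd.conf)" after an edit tells you whether the edit opened an upload path you did not intend.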


TypesofFTP
Fromanetworkingperspective,thetwomaintypesofFTPareactive
andpassive.InactiveFTP,theFTPserverinitiatesadata
transferconnectionbacktotheclient.ForpassiveFTP,the
connectionisinitiatedfromtheFTPclient.Theseareillustrated
inFigure151.
Figure151ActiveandPassiveFTPIllustrated

FromausermanagementperspectivetherearealsotwotypesofFTP:
regularFTPinwhichfilesaretransferredusingtheusernameand
passwordofaregularuserFTPserver,andanonymousFTPinwhich
generalaccessisprovidedtotheFTPserverusingawellknown
universalloginmethod.
Takeacloserlookateachtype.
ActiveFTP
ThesequenceofeventsforactiveFTPis:
1.
YourclientconnectstotheFTPserverbyestablishinganFTP
controlconnectiontoport21oftheserver.Yourcommandssuchas
'ls'and'get'aresentoverthisconnection.
2.
Whenevertheclientrequestsdataoverthecontrolconnection,
theserverinitiatesdatatransferconnectionsbacktotheclient.
Thesourceportofthesedatatransferconnectionsisalwaysport
20ontheserver,andthedestinationportisahighport(greater
than1024)ontheclient.

148

b.sadhiq
www.altnix.com

3.
Thusthelslistingthatyouaskedforcomesbackoverthe
port20tohighportconnection,nottheport21control
connection.
FTPactivemodethereforetransfersdatainacounterintuitiveway
totheTCPstandard,asitselectsport20asit'ssourceport(not
arandomhighportthat'sgreaterthan1024)andconnectsbackto
theclientonarandomhighportthathasbeenprenegotiatedon
theport21controlconnection.
ActiveFTPmayfailincaseswheretheclientisprotectedfromthe
InternetviamanytooneNAT(masquerading).Thisisbecausethe
firewallwillnotknowwhichofthemanyserversbehinditshould
receivethereturnconnection.
Passive FTP
Passive FTP works differently:
1. Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as ls and get are sent over that connection.
2. Whenever the client requests data over the control connection, the client initiates the data transfer connections to the server. The source port of these data transfer connections is always a high port on the client, with a destination port of a high port on the server.
Passive FTP should be viewed as the server never making an active attempt to connect to the client for FTP data transfers. Because the client always initiates the required connections, passive FTP works better for clients protected by a firewall.
As Windows defaults to active FTP, and Linux defaults to passive, you'll probably have to accommodate both forms when deciding upon a security policy for your FTP server.
Regular FTP
By default, the VSFTPD package allows regular Linux users to copy files to and from their home directories with an FTP client, using their Linux usernames and passwords as their login credentials.
VSFTPD also has the option of allowing this type of access to only a group of Linux users, enabling you to restrict the addition of new files to your system to authorized personnel.
The disadvantage of regular FTP is that it isn't suitable for general download distribution of software, as everyone either has to get a unique Linux user account or has to use a shared username and password. Anonymous FTP allows you to avoid this difficulty.
Anonymous FTP
Anonymous FTP is the choice of Web sites that need to exchange files with numerous unknown remote users. Common uses include downloading software updates and MP3s and uploading diagnostic information for a technical support engineer's attention. Unlike regular FTP, where you log in with a preconfigured Linux username and password, anonymous FTP requires only a username of anonymous and your email address for the password. Once logged into a VSFTPD server, you automatically have access to only the default anonymous FTP directory (/var/ftp in the case of VSFTPD) and all its subdirectories.

Good GUI ftp clients

1.1. kasablanca
1.2. ftpcube
1.3. gftp
1.4. iglooftp
1.5. konqueror
1.6. filezilla

Console ftp clients

2.1. GNU Midnight Commander
2.2. ftp
2.3. yafc
2.4. ncftp

Problems With FTP And Firewalls
FTP frequently fails when the data has to pass through a firewall, because firewalls are designed to limit data flows to predictable TCP ports and FTP uses a wide range of unpredictable TCP ports. You have a choice of methods to overcome this.
Note: The Appendix II, "Codes, Scripts, and Configurations", contains examples of how to configure the VSFTPD Linux firewall to function with both active and passive FTP.
Client Protected By A Firewall Problem
Typically firewalls don't allow any incoming connections at all, which frequently blocks active FTP from functioning. With this type of FTP failure, the active FTP connection appears to work when the client initiates an outbound connection to the server on port 21. The connection then appears to hang, however, as soon as you use the ls, dir, or get commands. The reason is that the firewall is blocking the return connection from the server to the client (from port 20 on the server to a high port on the client). If a firewall allows all outbound connections to the Internet, then passive FTP clients behind a firewall will usually work correctly, as the clients initiate all the FTP connections.

Solution
The table shows the general rules you'll need to allow FTP clients through a firewall:

Client Protected by Firewall - Required Rules for FTP

Method          | Source Address     | Source Port | Destination Address | Destination Port | Connection Type
Allow outgoing control connections to server
Control Channel | FTP client/network | High(1)     | FTP server(2)       | 21               | New
                | FTP server(2)      | 21          | FTP client/network  | High             | Established(3)
Allow the client to establish data channels to remote server
Active FTP      | FTP server(2)      | 20          | FTP client/network  | High             | New
                | FTP client/network | High        | FTP server(2)       | 20               | Established(3)
Passive FTP     | FTP client/network | High        | FTP server(2)       | High             | New
                | FTP server(2)      | High        | FTP client/network  | High             | Established(3)

(1) Greater than 1024.
(2) In some cases, you may want to allow all Internet users to have access, not just a specific client server or network.
(3) Many home-based firewall/routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.
Server Protected By A Firewall Problem

Typically firewalls don't let any connections come in at all. When an incorrectly configured firewall protects an FTP server, the FTP connection from the client doesn't appear to work at all for both active and passive FTP.

Solution

Table 15-2 Rules needed to allow FTP servers through a firewall.

Method          | Source Address        | Source Port | Destination Address   | Destination Port | Connection Type
Allow incoming control connections to server
Control Channel | FTP client/network(2) | High(1)     | FTP server            | 21               | New
                | FTP server            | 21          | FTP client/network(2) | High             | Established(3)
Allow server to establish data channel to remote client
Active FTP      | FTP server            | 20          | FTP client/network(2) | High             | New
                | FTP client/network(2) | High        | FTP server            | 20               | Established(3)
Passive FTP     | FTP client/network(2) | High        | FTP server            | High             | New
                | FTP server            | High        | FTP client/network(2) | High             | Established(3)

(1) Greater than 1024.
(2) In some cases, you may want to allow all Internet users to have access, not just a specific client server or network.
(3) Many home-based firewall/routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.

chrooted ftp users

uncomment & edit vsftpd.conf
local_enable=YES
chroot_local_user=YES
the above line will enable users to be chrooted under their home
this is for a chroot list:
local_enable=YES
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
create the vsftpd.chroot_list file under /etc and add the users which you want to chroot
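The two vsftpd.conf variants above invert the meaning of the list file: with chroot_local_user=NO the list names the users who ARE chrooted, but with chroot_local_user=YES the same list names the exceptions who are NOT chrooted. The following added example (not part of the original page or of vsftpd itself) evaluates that logic for a given user against a constructed config so an admin can confirm who will actually be confined before enabling the service. The file paths and user names are sample values created here.

```shell
#!/bin/sh
# Added example: decide whether vsftpd would chroot a local user, from
# chroot_local_user / chroot_list_enable / chroot_list_file in vsftpd.conf.
# Semantics follow vsftpd.conf(5): with chroot_local_user=YES the list file
# holds exceptions (users NOT chrooted); with NO it holds the users TO chroot.

# conf_value <file> <key>  -> prints the last value set for key, or nothing
conf_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# vsftpd_user_chrooted <vsftpd.conf> <user>  -> exit 0 if chrooted, 1 if not
vsftpd_user_chrooted() {
    conf=$1; user=$2
    local_user=$(conf_value "$conf" chroot_local_user)
    list_enable=$(conf_value "$conf" chroot_list_enable)
    list_file=$(conf_value "$conf" chroot_list_file)
    [ -n "$list_file" ] || list_file=/etc/vsftpd.chroot_list   # vsftpd's default
    in_list=1
    if [ "$list_enable" = YES ] && [ -r "$list_file" ] && grep -qxF "$user" "$list_file"; then
        in_list=0
    fi
    if [ "$local_user" = YES ]; then
        # list (if enabled) is the exception list: listed users escape the chroot
        [ $in_list -eq 0 ] && return 1
        return 0
    fi
    # chroot_local_user=NO: only listed users are chrooted
    [ $in_list -eq 0 ] && return 0
    return 1
}

# --- constructed sample data (not a real system's files) ---
TMP=$(mktemp -d)
printf 'alice\nbob\n' > "$TMP/vsftpd.chroot_list"

# Variant 1: chroot only the listed users
cat > "$TMP/conf_list" <<EOF
local_enable=YES
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=$TMP/vsftpd.chroot_list
EOF

# Variant 2: chroot everyone, the list file becomes the exception list
cat > "$TMP/conf_all" <<EOF
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$TMP/vsftpd.chroot_list
EOF

for u in alice carol; do
    for c in conf_list conf_all; do
        if vsftpd_user_chrooted "$TMP/$c" "$u"; then
            echo "$c: $u is chrooted"
        else
            echo "$c: $u is NOT chrooted"
        fi
    done
done
```

Run it as a plain sh script; the loop prints that alice is chrooted under conf_list but not under conf_all, and carol the reverse, which is exactly the inversion that catches people out when they switch chroot_local_user.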

NFS
NFSv2 uses the User Datagram Protocol (UDP) to provide a stateless network connection between the client and server. NFSv3 can use either UDP or Transmission Control Protocol (TCP) running over an IP network.
/lib/modules/2.4.20-8/kernel/fs/nfsd/nfsd.
NFS port 2049
NFS relies on Remote Procedure Calls (RPC) to route requests between clients and servers. RPC services under Linux are controlled by the portmap service. To share or mount NFS file systems, the following services work together:

nfs - Starts the appropriate RPC processes to service requests for shared NFS file systems.

nfslock - An optional service that starts the appropriate RPC processes to allow NFS clients to lock files on the server.

portmap - The RPC service for Linux; it responds to requests for RPC services and sets up connections to the requested RPC service.
The following RPC processes work together behind the scenes to facilitate NFS services:

rpc.mountd - This process receives mount requests from NFS clients and verifies the requested file system is currently exported. This process is started automatically by the nfs service and does not require user configuration.

rpc.nfsd - This process is the NFS server. It works with the Linux kernel to meet the dynamic demands of NFS clients, such as providing server threads each time an NFS client connects. This process corresponds to the nfs service.

rpc.lockd - An optional process that allows NFS clients to lock files on the server. This process corresponds to the nfslock service.

rpc.statd - This process implements the Network Status Monitor (NSM) RPC protocol, which notifies NFS clients when an NFS server is restarted without being gracefully brought down. This process is started automatically by the nfslock service and does not require user configuration.

rpc.rquotad - This process provides user quota information for remote users. This process is started automatically by the nfs service and does not require user configuration.

NFS and portmap
The portmap service under Linux maps RPC requests to the correct services. RPC processes notify portmap when they start, revealing the port number they are monitoring and the RPC program numbers they expect to serve. The client system then contacts portmap on the server with a particular RPC program number. The portmap service redirects the client to the proper port number so it can communicate with the requested service.

Because RPC-based services rely on portmap to make all connections with incoming client requests, portmap must be available before any of these services start.
The portmap service uses TCP wrappers for access control, and access control rules for portmap affect all RPC-based services. Alternatively, it is possible to specify access control rules for each of the NFS RPC daemons. The man pages for rpc.mountd and rpc.statd contain information regarding the precise syntax for these rul
/etc/hosts
1. /var/lib/nfs/xtab
2. /var/lib/nfs/rmtab
rpc.mountd
The rpc.mountd program implements the NFS mount protocol. When receiving a MOUNT request from an NFS client, it checks the request against the list of currently exported file systems. If the client is permitted to mount the file system, rpc.mountd obtains a file handle for the requested directory and returns it to the client.
Alternatively, you can export individual directories temporarily using the exportfs host:/directory syntax. uid matching and read-only file system.
Portmap is a server that converts RPC program numbers into DARPA protocol port numbers. It must be running in order to make RPC calls.
When an RPC server is started, it will tell portmap what port number it is listening to, and what RPC program numbers it is prepared to serve. When a client wishes to make an RPC call to a given program number, it will first contact portmap on the server machine to determine the port number where RPC packets should be sent.
$ cat /etc/exports
/data/files *(ro,sync)
/home 192.168.1.0/24(rw,sync)
/data/test *.mysite.com(rw,sync)
/data/database 192.168.1.203/32(rw,sync)
/etc/exports options
$ cat /proc/fs/nfs/exports (runtime check)
Try the following
Edit the exports file:

/opt/data 192.168.1.65(rw,wdelay,root_squash,no_subtree_check,anonuid=65534,anongid=65534) 192.168.1.45(rw,no_root_squash,)

Try mounting from the client; in my case the client IP is 192.168.1.65. Check the permissions as root and as a user. Also try from the client 192.168.1.45 and check the permissions.
Client:
$ mount 192.168.1.75:/opt/data /data
More options:
/opt/data station1(rw,wdelay,all_squash,anonuid=150,anongid=100)
Now try mounting from 192.168.1.65 (point station1 -> 192.168.1.65 in the /etc/hosts file) and check the permissions as a login user and as root.
More options:
We can also restrict by domain.
/opt/deploy/stic *.example.com(rw) *.workgroup.com(ro,sync)

Here's the complete list of mapping options:
root_squash
Map requests from uid/gid 0 to the anonymous uid/gid. Note that this does not apply to any other uids that might be equally sensitive, such as user bin.
no_root_squash
Turn off root squashing. This option is mainly useful for diskless clients.
all_squash
Map all uids and gids to the anonymous user. Useful for NFS-exported public FTP directories, news spool directories, etc. The opposite option is no_all_squash, which is the default setting.
anonuid and anongid
These options explicitly set the uid and gid of the anonymous account. This option is primarily useful for PC/NFS clients, where you might want all requests to appear to be from one user. As an example, consider the export entry for /home/joe in the example section below, which maps all requests to uid 150 (which is supposedly that of user joe).

General Options
exportfs understands the following export options:
secure
This option requires that requests originate on an internet port less than IPPORT_RESERVED (1024). This option is on by default. To turn it off, specify insecure.
rw
Allow both read and write requests on this NFS volume. The default is to disallow any request which changes the file system. This can also be made explicit by using the ro option.

async
This option allows the NFS server to violate the NFS protocol and reply to requests before any changes made by that request have been committed to stable storage (e.g. disc drive). Using this option usually improves performance, but at the cost that an unclean server restart (i.e. a crash) can cause data to be lost or corrupted.

sync
Reply to requests only after the changes have been committed to stable storage (see async above). In releases of nfs-utils up to and including 1.0.0, this option was the default. In this and future releases, sync is the default, and async must be explicitly requested if needed. To help make system administrators aware of this change, exportfs will issue a warning if neither sync nor async is specified.
no_wdelay
This option has no effect if async is also set. The NFS server will normally delay committing a write request to disc slightly if it suspects that another related write request may be in progress or may arrive soon. This allows multiple write requests to be committed to disc with the one operation, which can improve performance. If an NFS server received mainly small unrelated requests, this behaviour could actually reduce performance, so no_wdelay is available to turn it off. The default can be explicitly requested with the wdelay option.
subtree_check
This option enables subtree checking, which does add another level of security, but can be unreliable in some circumstances. If a subdirectory of a file system is exported, but the whole file system isn't, then whenever an NFS request arrives, the server must check not only that the accessed file is in the appropriate file system (which is easy) but also that it is in the exported tree (which is harder). This check is called the subtree_check.
In order to perform this check, the server must include some information about the location of the file in the "file handle" that is given to the client. This can cause problems with accessing files that are renamed while a client has them open (though in many simple cases it will still work).
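The mapping and general options above are where most NFS exposure comes from: no_root_squash hands a remote root uid 0 on the export, insecure accepts requests from unprivileged ports (so any local user on an allowed client can forge them), and rw combined with a wildcard client opens writes to anyone who can reach port 2049. The following added example (not part of the original page or of nfs-utils) audits an /etc/exports-style file for those three patterns using the same client(options) syntax shown above; the sample exports file is constructed here and its paths are illustrative.

```shell
#!/bin/sh
# Added example: flag risky /etc/exports entries.
# Format per line: <path> <client>(<opt>,<opt>...) [<client>(...) ...]
# Reports: no_root_squash, insecure, and rw granted to a wildcard client.

# exports_risks <file>  -> one finding per line: <path> <client> <reason>
exports_risks() {
    awk '
    /^[[:space:]]*(#|$)/ { next }                 # skip comments and blanks
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match($i, /\(.*\)$/)) {           # split "client(opts)"
                client = substr($i, 1, RSTART - 1)
                opts   = substr($i, RSTART + 1, RLENGTH - 2)
            }
            n = split(opts, o, ",")
            rw = 0
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash")
                    print path, client, "no_root_squash: remote root keeps uid 0"
                if (o[j] == "insecure")
                    print path, client, "insecure: requests from ports >1024 accepted"
            }
            # a client beginning with * (bare or *.domain) is a wildcard
            if (rw && client ~ /^\*/)
                print path, client, "rw export to wildcard client"
        }
    }' "$1"
}

# exports_risk_count <file>  -> number of findings (for scripting/monitoring)
exports_risk_count() {
    exports_risks "$1" | wc -l | tr -d ' '
}

# --- constructed sample exports file (paths and hosts are illustrative) ---
TMP=$(mktemp -d)
cat > "$TMP/exports" <<'EOF'
# sample exports, constructed for this example
/data/files     *(ro,sync)
/home           192.168.1.0/24(rw,sync)
/data/test      *.mysite.com(rw,sync)
/opt/data       192.168.1.65(rw,wdelay,root_squash,no_subtree_check) 192.168.1.45(rw,no_root_squash,)
/srv/pub        *(rw,insecure,all_squash)
EOF

exports_risks "$TMP/exports"
echo "findings: $(exports_risk_count "$TMP/exports")"
```

Point it at the real file with `exports_risks /etc/exports`; a non-zero count from exports_risk_count is a reasonable thing to alert on from a config-check job, and the /data/files line shows that a wildcard by itself is not reported when the export is read-only.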
Try Mount Options in fstab
192.168.1.33:/opt/deploy/stic /mnt nfs rw,hard,intr,rsize=8192,wsize=8192 0 0
bg
Retry mounting in the background if mounting initially fails.
fg
Mount in the foreground.
soft
Use soft mounting. If an NFS file operation has a major timeout then report an I/O error to the calling program. The default is to continue retrying NFS file operations indefinitely.
hard
Use hard mounting. If an NFS file operation has a major timeout then report "server not responding" on the console and continue retrying indefinitely. This is the default.
rsize=n
The amount of data NFS will attempt to access per read operation. The default is dependent on the kernel. For NFS version 2, set it to 8192 to assure maximum throughput.
wsize=n
The amount of data NFS will attempt to access per write operation. The default is dependent on the kernel. For NFS version 2, set it to 8192 to assure maximum throughput.
nfsvers=n
The version of NFS the mount command should attempt to use.
tcp
Attempt to mount the file system using TCP packets; the default is UDP.
intr
If the file system is hard mounted and the mount times out, allow for the process to be aborted using the usual methods such as CTRL-C and the kill command.
nolock
Disable NFS locking. Do not start lockd. This has to be used with some old NFS servers that don't support locking.

Some important nfs mount options in Linux.
tcp - Specifies for the NFS mount to use the TCP protocol instead of UDP.
rsize=8192 and wsize=8192 - These settings speed up NFS communication for reads (rsize) and writes (wsize) by setting a larger data block size, in bytes, to be transferred at one time. Do performance tests before changing these values.
hard or soft - Specifies whether the program using a file via an NFS connection should stop and wait (hard) for the server to come back online if the host serving the exported file system is unavailable, or if it should report an error (soft). If hard is specified, the user cannot terminate the process waiting for the NFS communication to resume unless the intr option is also specified. If soft is specified, the user can set an additional timeo=<value> option, where <value> specifies the number of seconds to pass before the error is reported.
nolock - Disables file locking. This setting is occasionally required when connecting to older NFS servers.

noexec - Prevents execution of binaries on mounted file systems. This is useful if the system is mounting a non-Linux file system via NFS containing incompatible binaries.

intr - Allows NFS requests to be interrupted if the server goes down or cannot be reached.
nfsvers=2 or nfsvers=3 - Specifies which version of the NFS protocol to use.
nosuid - Disables set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program.
There are many other options, but the above ones are very important.
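Of the options just listed, nosuid and nodev are the ones that matter when the NFS server (or anyone who can write to the export) is not fully trusted: without them a setuid binary or a device node placed on the export is honoured by the client kernel. The following added example (not from the original page) scans an fstab-style file and reports NFS mounts that lack either option, using a constructed fstab built from the entries used later in this chapter's practicals.

```shell
#!/bin/sh
# Added example: list NFS mount points in an fstab file that are missing
# nosuid or nodev. Non-NFS lines, comments and blanks are ignored.

# fstab_nfs_unhardened <fstab-file>  -> prints "<mountpoint> missing:<opts>"
fstab_nfs_unhardened() {
    awk '
    /^[[:space:]]*(#|$)/ { next }
    $3 == "nfs" || $3 == "nfs4" {
        n = split($4, o, ",")
        has_nosuid = 0; has_nodev = 0
        for (i = 1; i <= n; i++) {
            if (o[i] == "nosuid") has_nosuid = 1
            if (o[i] == "nodev")  has_nodev  = 1
        }
        missing = ""
        if (!has_nosuid) missing = missing "nosuid,"
        if (!has_nodev)  missing = missing "nodev,"
        if (missing != "") {
            sub(/,$/, "", missing)
            print $2, "missing:" missing
        }
    }' "$1"
}

# --- constructed sample fstab (server address taken from the practicals) ---
TMP=$(mktemp -d)
cat > "$TMP/fstab" <<'EOF'
# constructed sample
/dev/sda1                 /      ext3  defaults                      1 1
192.168.1.40:/mnt/test    /mnt   nfs   _netdev,defaults              0 0
192.168.1.40:/opt/funny   /opt   nfs   _netdev,nosuid,nodev,hard,intr 0 0
192.168.1.40:/srv/tools   /tools nfs   _netdev,nodev,ro              0 0
EOF

fstab_nfs_unhardened "$TMP/fstab"
```

Run against the real file with `fstab_nfs_unhardened /etc/fstab`; an empty result means every NFS mount already carries both options. Adding noexec as a third check is a one-line change where the export is not meant to hold executables.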

Practicals:
On the server PC (server IP 192.168.1.40)
First check whether nfs is installed or not:
$ rpm -qa | grep -i nfs
nfs-utils-1.0.9-44.el5
nfs-utils-lib-1.0.8-7.6.el5
If you have the installation DVD then run the following commands:
$ rpm -ivh nfs-utils-1.0.9-44.el5
$ rpm -ivh nfs-utils-lib-1.0.8-7.6.el5
If not, then install through the internet:
$ yum install nfs*

Then start the nfs service:
$ service nfs start
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]

The NFS major file is called /etc/exports
$ exportfs > this command prints nothing while your exports file is blank
$ vi /etc/exports
Type the following lines in the exports file:
/mnt/test *(sync,rw)
/opt/funny *(sync,rw)

$ exportfs -a > this command re-reads the /etc/exports file
$ showmount -e localhost
Export list for localhost:
/mnt/test *
/opt/funny *

$ nfsstat > nfs statistics.
From the client side (client IP 192.168.1.50):
$ service nfs start (as root)
$ showmount -e 192.168.1.40
/mnt/test *
/opt/funny *
Mount the shared partition as follows:
$ mount 192.168.1.40:/mnt/test /mnt/
$ cd /mnt/
$ ls

Create any file on the client side and check on the server PC; you can see the same.
To mount the directory permanently, type the following entries in the fstab file:
$ vi /etc/fstab
192.168.1.40:/mnt/test  /mnt  nfs  _netdev,defaults  0 0
192.168.1.40:/opt/funny /opt  nfs  _netdev,defaults  0 0

Check with the following commands:
$ rpcinfo -p > check which RPC-based services are on; -p means print
$ rpcinfo -p 192.168.1.40 > which services are on at the server site
$ telnet 192.168.1.40 2049 > check whether the nfs port is open or not on the server side

Network Info Service (NIS)

[Directory Services] like LDAP and DNS
by Sun MicroSystems
What does it do?
* Provides unified login and authentication, NS for a group of machines.
* Like LDAP, it handles passwords, groups, protocols, networks, services.

Advantages of NIS:
1. Central Information Store
2. Security because of encrypted maps [dbs]
3. Performance because of indexed maps
4. Can be used for DNS
5. Authentication for Samba, Apache etc and also Local instead of /etc/hosts and /etc/passwd, which can then be deleted
Alert: Disable Firewalls or NIS will not work since, by default, RPC services are blocked by FWs [in RHL]
Exam Alert:
1. Make sure you put FWs off before doing anything in NIS
2. Make sure you start portmap BEFORE you start NFS
3. Make sure you use 'showmount -e' before you do any 'mount'
4. All errors are mostly due to incorrect syntax in /etc/exports, and especially watch out for the space between the options ()
5. If you use 'authconfig' for client config, make sure you disable it in 'ntsysv' asap
6. Check /etc/securenets if you are being blocked or wish to
7. Check /etc/ypserv.conf if you cannot query maps or wish to
Daemon Name | Purpose
portmap     | The foundation RPC daemon upon which NIS runs.
yppasswdd   | Lets users change their passwords on the NIS server from NIS clients
ypserv      | Main NIS server daemon
ypbind      | Main NIS client daemon
ypxfrd      | Used to speed up the transfer of very large NIS maps

rpcinfo -p localhost
program vers proto port
100000  2    tcp   111  portmapper
100000  2    udp   111  portmapper
100009  1    udp   681  yppasswdd
100004  2    udp   698  ypserv
100004  1    udp   698  ypserv
100004  2    tcp   701  ypserv
100004  1    tcp   701  ypserv

NIS Server part I
1. $ vi /etc/sysconfig/network # put NISDOMAIN=altnix
2. $ domainname altnix
3. Configure /etc/yp.conf
domain altnix server server1.altnix.local
4. $ service ypserv start
5. $ service yppasswdd start [OPTIONAL]
6. $ domainname
7. $ nisdomainname
The above 2 commands MUST show the right output
8. $ cd /var/yp/
9. $ /usr/lib/yp/ypinit -m
Ctrl-D

So what is an NIS domain?
A: A group of hosts that use the same set of maps form an NIS domain.
All of the m/cs in an NIS domain will share the same pwd, hosts and grp info.

I. NFS Server part
1. Configure /etc/exports
$ vi /etc/exports
/home *(rw,sync)
$ exportfs -a
2. $ service portmap restart
3. $ service nfs restart
Testing: Check if all is ok with
$ rpcinfo -p
$ showmount -e localhost
II. NIS Client part
1. service portmap restart
2. showmount -e NFSServer
3. mount NFSserver:/home /home
4. Configure yp.conf
Do exactly the same as for the server
5. service ypbind restart
or
use authconfig*, which will do 4, 5, 6 automatically

Testing the NIS Server from the Client
Login as foo
$ ypwhich             < Where is the NIS Master Database
$ ypwhich -m          < Where is the NIS Master Database + maps
$ ypcat -x            < Shows list of NIS maps from NIS server
$ ypcat passwd        < Shows details of NIS passwd map db /var/yp/altnix/passwd.byname
$ ypmatch foo passwd  < Check if user foo exists in the NIS pwd db
$ yppoll passwd.byname < Info about a specific map [root only]
You have to have the 'service yppasswdd' running on the server to do the following:
$ ypchfn foo          < Change finger info of foo in NIS pwd db map
$ yppasswd foo        < Change foo's pwd in NIS pwd db map, i.e. /var/yp/altnix/passwd.byname passwd.byuid
Note: His local system login pwd changes accordingly because yppasswd* actually changes the passwd of foo in /etc/passwd and then pushes the changes to 2 other files:
/var/yp/altnix/passwd.byname
/var/yp/altnix/passwd.byuid
$ ypmatch nisuser passwd
$ getent passwd nisuser

III More NIS Server Security
/etc/ypserv.conf [On NIS Server]
* on server
* This file is used to control hosts/users who can use your NIS server
syntax: host:domain:map:security
* There is one entry per line.
* All rules are tried one by one. If no match is found, access to a map is allowed.
* The following options exist:
files: 30
This option specifies how many database files should be cached by ypserv. If 0 is specified, caching is disabled. Decreasing this number is only possible if ypserv is restarted.
xfr_check_port: [<yes>|no]
With this option enabled, the NIS master server has to run on a port < 1024. The default is "yes" (enabled). The field descriptions for the access rule lines are:
host - IP address. Wildcards are allowed.
Examples:
131.234. = 131.234.0.0/255.255.0.0
131.234.214.0/255.255.254.0
domain - specifies the domain for which this rule should be applied. An asterisk as wildcard is allowed.
map - name of the map, or asterisk for all maps.
security - one of none, port, deny:
none - always allow access.
port - allow access if from port < 1024. Otherwise do not allow access.
deny - deny access to this map.
EXAMPLE: Try these entries in /etc/ypserv.conf
eg 192.168.0.10:*:*:deny
eg *:*:passwd.byname:deny < All hosts/users will be denied access from any domain to the following map
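Two details of the ypserv.conf rule format above are easy to get wrong: rules are evaluated in file order and the first match wins, and when nothing matches the map is served (the default is allow, not deny). The following added example (not part of the original page or of ypserv) evaluates a constructed rule file the way those two sentences describe, for the "*", exact-IP and trailing-dot prefix host forms shown above; the IP/netmask host form is not handled here. Host addresses and domain names are sample values.

```shell
#!/bin/sh
# Added example: evaluate /etc/ypserv.conf access rules for one request.
# Rules are host:domain:map:security, first match wins; no match => "none"
# (access allowed). Host forms handled: "*", exact IP, prefix like "131.234.".

# ypserv_access <ypserv.conf> <client-ip> <domain> <map>  -> none|port|deny
ypserv_access() {
    awk -v ip="$2" -v dom="$3" -v map="$4" '
    function hostmatch(h) {
        if (h == "*")   return 1
        if (h ~ /\.$/)  return index(ip, h) == 1     # prefix form, e.g. 131.234.
        return h == ip
    }
    /^[[:space:]]*(#|$)/ { next }                        # comments, blanks
    /^[[:space:]]*(files|xfr_check_port)[[:space:]]*:/ { next }  # tunables
    {
        n = split($0, f, ":")
        if (n != 4) next                                 # not an access rule
        for (i = 1; i <= 4; i++) gsub(/[[:space:]]/, "", f[i])
        if (hostmatch(f[1]) && (f[2] == "*" || f[2] == dom) \
                            && (f[3] == "*" || f[3] == map)) {
            print f[4]; found = 1; exit
        }
    }
    END { if (!found) print "none" }                     # default: allowed
    ' "$1"
}

# --- constructed sample rule file (addresses are illustrative) ---
TMP=$(mktemp -d)
cat > "$TMP/ypserv.conf" <<'EOF'
# constructed sample, entries from the page plus one prefix rule
files: 30
xfr_check_port: yes
192.168.0.10:*:*:deny
131.234.:*:*:port
*:*:passwd.byname:deny
EOF

for req in "192.168.0.10 altnix hosts.byname" \
           "131.234.5.6 altnix hosts.byname" \
           "10.0.0.5 altnix passwd.byname" \
           "10.0.0.5 altnix hosts.byname"; do
    set -- $req
    echo "$1 $2 $3 -> $(ypserv_access "$TMP/ypserv.conf" "$1" "$2" "$3")"
done
```

The last request in the loop is the one to notice: an unlisted host asking for hosts.byname gets "none", i.e. full access, because nothing denies it. A file meant to restrict service to known networks therefore needs a final catch-all `*:*:*:deny` line after the allow rules, and /etc/securenets for the address-level filter.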

****************
Logging In Via Telnet
Try logging into the NIS client via telnet if it is enabled:
[root@bigboy tmp]# telnet 192.168.1.201
Trying 192.168.1.201...
Connected to 192.168.1.201.
Escape character is '^]'.
Red Hat Linux release 9 (Shrike)
Kernel 2.4.20-6 on an i686
login: nisuser
Password:
Last login: Sun Nov 16 22:03:51 from 192-168-1-100.simiya.com
[nisuser@smallfry nisuser]$
yppasswd -p nisuser
Changing NIS account information for nisuser on bigboy.mysite.com.
Please enter root password:
Changing NIS password for nisuser on bigboy.mysite.com.
Please enter new password:
Please retype new password:

The NIS password has been changed on bigboy.mysite.com.
NIS Troubleshooting
Troubleshooting is always required as part of your daily routine; NIS is no exception. Here are some simple steps to follow to get it working again.
1. The rpcinfo command provides a list of TCP ports that your NIS client or server is using. Make sure you can TELNET to these ports from the client to the server and vice versa. If this fails, make sure all the correct NIS daemons are running and that there are no firewalls blocking traffic on the network or on the servers themselves. These ports change from time to time, so memorizing them won't help much.

The example tests from the client to the server.
[root@bigboy tmp]# rpcinfo -p
program    vers proto port  
100000     2    tcp   111   portmapper
100000     2    udp   111   portmapper
100024     1    udp   32768 status
100024     1    tcp   32768 status
391002     2    tcp   32769 sgi_fam
100009     1    udp   1018  yppasswdd
100004     2    udp   611   ypserv
100004     1    udp   611   ypserv
100004     2    tcp   614   ypserv
100004     1    tcp   614   ypserv
100007     2    udp   855   ypbind
100007     1    udp   855   ypbind
100007     2    tcp   858   ypbind
100007     1    tcp   858   ypbind
600100069  1    udp   874   fypxfrd
600100069  1    tcp   876   fypxfrd

[root@bigboy tmp]#

[root@smallfry tmp]# telnet 192.168.1.100 858
Trying 10.41.32.71...
Connected to 10.41.32.71.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
[root@smallfry tmp]#
2. Always use the ypmatch, getent, and ypwhich commands to check your NIS connectivity. If there is any failure, check your steps over again and you should be able to find the source of your problem.
3. Do not fail to create a user's home directory, set its permissions, and copy the /etc/skel files correctly. If you forget, which is a common error, your users may have incorrect login prompts and no ability to create files in their home directories.
It can never be overemphasized that one of the best places to start troubleshooting is by looking in your error log files in the /var/log directory. You'll save a lot of time and effort if you always refer to them whenever the problem doesn't appear to be obvious.

Installation of autofs.

Install autofs using the rpm package.

[root@tenouk ~]# mount /dev/cdrom
[root@tenouk ~]# cd /mnt/cdrom/RedHat/RPMS
[root@tenouk ~]# rpm -Uhv autofs-3.1.7-28.i386.rpm
[root@tenouk ~]# cd /
[root@tenouk ~]# umount /dev/cdrom

Start, stop and restart autofs.

[root@tenouk ~]# /sbin/service autofs start
[root@tenouk ~]# /sbin/service autofs stop
[root@tenouk ~]# /sbin/service autofs restart

Setting of autofs automatic start.

[root@tenouk ~]# /sbin/chkconfig --level 35 autofs on

Confirmation of autofs automatic start:

[root@tenouk ~]# /sbin/chkconfig --list autofs

Setting which uses NIS

The configuration on the NIS server:

[root@tenouk ~]# vi /etc/auto.master
/nfs /etc/auto.home --timeout 60

[root@tenouk ~]# vi /etc/auto.home
home -rw,hard,intr,nolock compaq:/home

[root@tenouk ~]# vi /var/yp/Makefile
all: passwd group hosts rpc services netid protocols mail \
     shadow auto.home \
     # netgrp shadow publickey networks ethers bootparams printcap \
     # amd.home auto.master auto.home auto.local passwd.adjunct \
     # timezone locale netmasks

Allow normal user to mount linux partitions, usb stick/pen device

by nixcraft
You need to use autofs. It is used to mount file systems on demand. Usually autofs is invoked at system boot time with the start parameter and at shutdown time with the stop parameter. The autofs script can also be manually invoked by the system administrator to shut down, restart or reload the automounters.
autofs will consult a configuration file /etc/auto.master to find mount points on the system.
i) Install autofs if not installed. If you are using Debian/Ubuntu Linux, enter:
# apt-get install autofs
ii) Create the desktop group and add user jimmy to this group:
# groupadd desktop
# usermod -G video,desktop jimmy
# chmod -R a+rx /var/autofs/misc
iii) Configure autofs so that the usb stick can be accessed:
# vi /etc/auto.misc
iv) Append the following text to auto.misc:
usb -fstype=auto,user,sync,nodev,nosuid,gid=desktop,umask=002 :/dev/sda1
d -fstype=vfat,user,sync,nodev,nosuid,gid=desktop,umask=002 :/dev/hda2
Where,
usb: Is the directory name, which can be accessed via the /var/autofs/misc/usb directory. A user in the desktop group just needs to type the cd command (cd /var/autofs/misc/usb) to change to the directory.

-fstype=auto,user,sync,nodev,nosuid,gid=desktop,umask=002: All these are options used to mount the file system by the automounter.

auto: File system is automatically determined by the kernel.

user: Normal users are allowed to mount devices.

nodev: Do not interpret character or block special devices on the file system.

nosuid: Do not allow set-user-identifier or set-group-identifier bits to take effect. This is a security feature.

gid=desktop: This allows the file system to be mounted as group desktop. We have added user jimmy to this group already.

umask=002: Set up umask so that users in group desktop can write data to the device.

Please note that without the gid and umask options a normal user cannot write data to the device.
v) Restart autofs:
# /etc/init.d/autofs restart
vi) Test it as user jimmy (make sure the usb stick/pen is inserted into the usb port):
$ ls /var/autofs/misc/usb
$ cd /var/autofs/misc/usb
$ mkdir testdir
$ ls -l

DHCP: Dynamic Host Configuration Protocol

* A DHCP relay agent
These tools all use a modular API which is designed to be sufficiently general that it can easily be made to work on POSIX-compliant operating systems and also non-POSIX systems like Windows NT and MacOS.
The DHCP server, client and relay agent are provided both as reference implementations of the protocol and as working, fully featured sample implementations.
Both the client and the server provide functionality that, while not strictly required by the protocol, is very useful in practice. The DHCP server also makes allowances for non-compliant clients which one might still like to support.
This tutorial describes how to set up a DHCP server (ISC DHCP) for your local network.
DHCP is short for "Dynamic Host Configuration Protocol"; it's a protocol that handles the assignment of IP addresses, subnet masks, default routers, and other IP parameters to client PCs that don't have a static IP address. Such computers try to find a DHCP server in their local network which in turn assigns them an IP address, gateway, etc. so that they can connect to the internet or other computers from the local network.
Current situation:
* network 192.168.10.0, subnet mask 255.255.255.0, broadcast address 192.168.10.255.
* gateway to the internet is 192.168.10.10; on the gateway there's no DHCP server.
* DNS servers I can use are 202.88.130.15 and 202.88.130.67
* I have a pool of 30 IP addresses (192.168.10.200 - 192.168.10.229) that can be dynamically assigned to client PCs and that are not already in use.
IP address 192.168.10.10 which will act as DHCP server.

2. Download and Install the DHCP Package
NOTE:
By default dhcp packages are installed in RHEL.
See that the following is installed on the server: dhcp-3.0pl2-6.14
$ rpm -q dhcp
On the client side, this package "dhclient-3.0pl2-6.14" is installed.
$ rpm -q dhclient
If DHCP packages aren't installed, download them from http://www.rpmseek.com and install.
3. Configuration Part: ISC DHCP Server
Copy the DHCP configuration file:
$ cp /usr/share/doc/dhcp-3.0pl2/dhcpd.conf.sample /etc/dhcpd.conf
/etc/dhcpd.conf
ddns-update-style: You can tell the DHCP server to update a DNS server if the IP address of a server in your LAN has changed (because it has been assigned a different IP by DHCP).
As we do not run servers in our LAN, or always give them static IP addresses (which is a good idea for servers...), we don't want to update DNS records, so we set this to none.
ddns-update-style interim;
ignore client-updates;
# Define the scope
subnet 192.168.10.0 netmask 255.255.255.0
{
    range dynamic-bootp 192.168.10.177 192.168.10.188;
    range dynamic-bootp 192.168.10.124 192.168.10.130;
    # Set the amount of time in seconds that a client may keep the IP address.
    # A client can tell the DHCP server for how long it would like to get an IP address.
    # If it doesn't do this, the server assigns an IP address for default-lease-time seconds;
    # if it does, the server grants the requested time, but only up to max-lease-time seconds.
    default-lease-time 10;   # In secs. If this is not explicitly given, then the default is 1 day.
    max-lease-time 12;
    # Set the broadcast address and subnet mask to be used by the DHCP clients
    option broadcast-address 192.168.10.255;
    option subnet-mask 255.255.255.0;
    option routers 192.168.10.10;

    # option nis-domain "altnix.com";
    option domain-name "altnix.com";

    # Set the DNS servers to be used by the DHCP clients
    option domain-name-servers 192.168.10.10, 192.168.10.20;

    # If you specify a WINS server for your Windows clients,
    # you need to include the following option in the dhcpd.conf file:
    option netbios-name-servers 192.168.10.66;
    option netbios-node-type 8;

    # You can also assign specific IP addresses based on the clients'
    # ethernet MAC address as follows (host's name is "fcfive.altnix.com")
    host win2k3box.altnix.com {
        next-server win2k3box.altnix.com;   # You could assign your own hostname
        hardware ethernet 12:34:56:78:AB:CD;
        fixed-address 192.168.10.100;
    }
}

If you want to peek into more stuff, check the dhcp-options man page.

4. How to Get DHCP Started
$ touch /var/lib/dhcpd/dhcpd.leases
> Test whether your config file is OK.
$ dhcpd -t
> Test whether your leases file is OK.
$ dhcpd -T
This lease ascii db is vital and documents acquired, renewed or released leases; otherwise the DHCP server will not function.
> Start the dhcp service [/usr/sbin/dhcpd]
$ service dhcpd restart
> Check whether the dhcpd service is started with the following:

$ dhcpd -f
$ ps ax | grep dhcpd
5. Configuration Part: ISC DHCP Client
The client sends a standardized DHCP broadcast request packet to the DHCP server with a destination IP address of 255.255.255.255.
Edit the file /etc/sysconfig/network-scripts/ifcfg-eth0:
change BOOTPROTO=none or static to BOOTPROTO=dhcp
OR
$ netconfig
Check the box "Use dynamic IP configuration (BOOTP/DHCP)".
This will eventually make the change automatically to the file above.
Restart the network:
$ service network restart

Check to see if the DHCP server is up:
$ dhcpd -f <DHCP server IP/hostname>
Check your IP:
$ ifconfig
Note that the new IP address assigned to the client is reassigned dynamically by the server from the ranges given in /etc/dhcpd.conf on the server.

NOTE:
DHCP uses the BOOTP protocol for its communication between the client and server.
Make sure there are no firewalls blocking this traffic. DHCP servers expect requests on UDP port 67 and the DHCP clients expect responses on UDP port 68.
The DHCP server writes all current IP address "leases" to the file /var/lib/dhcp3/dhcpd.leases, so you should also find the lease there:
$ cat /var/lib/dhcp3/dhcpd.leases
lease 192.168.10.229 {
  starts 2 2006/09/19 14:01:31;
  ends 3 2006/09/20 14:01:31;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:76:8b:c4:16;
  uid "\001\000\014v\213\304\026";
  client-hostname "trinity";
}
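dhcpd.leases is an append-only journal: every renewal, expiry or release writes a fresh `lease` block for the same address, so the last block for an IP is the current one and earlier blocks are history. The following added example (not part of the original page or of ISC dhcpd) reads a file in the format shown above and lists only the addresses whose latest record is in binding state active, which is the view an administrator wants when checking what is actually on the network. The sample leases file is constructed here; the second MAC address and hostname are made-up values.

```shell
#!/bin/sh
# Added example: summarise currently active leases from an ISC dhcpd.leases
# file. Later blocks for the same IP supersede earlier ones.

# dhcp_active_leases <leases-file>  -> lines "<ip> <mac> <hostname>", sorted
dhcp_active_leases() {
    awk '
    /^lease / { ip = $2; mac = ""; host = ""; state = "" }
    /^[[:space:]]*hardware ethernet/ { mac = $3; sub(/;$/, "", mac) }
    # "binding state" only; the "next binding state" line starts with "next"
    /^[[:space:]]*binding state/     { state = $3; sub(/;$/, "", state) }
    /^[[:space:]]*client-hostname/   { host = $2; gsub(/[";]/, "", host) }
    /^}/ {
        if (ip != "") {                     # closing a lease block: last one wins
            st[ip] = state; hw[ip] = mac; hn[ip] = host; ip = ""
        }
    }
    END { for (i in st) if (st[i] == "active") print i, hw[i], hn[i] }
    ' "$1" | sort
}

# --- constructed sample leases file ---
TMP=$(mktemp -d)
cat > "$TMP/dhcpd.leases" <<'EOF'
# constructed sample; first block is the one from the page, later blocks are made up
lease 192.168.10.229 {
  starts 2 2006/09/19 14:01:31;
  ends 3 2006/09/20 14:01:31;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:76:8b:c4:16;
  client-hostname "trinity";
}
lease 192.168.10.228 {
  starts 2 2006/09/19 15:10:00;
  ends 3 2006/09/20 15:10:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:76:8b:c4:17;
  client-hostname "neo";
}
lease 192.168.10.229 {
  starts 3 2006/09/20 14:01:31;
  ends 3 2006/09/20 14:01:31;
  binding state free;
  hardware ethernet 00:0c:76:8b:c4:16;
}
EOF

dhcp_active_leases "$TMP/dhcpd.leases"
```

Reading the file naively (grep for "binding state active") would still report 192.168.10.229, which has since been freed; walking the blocks in order and keeping the last state per IP gives the correct single active lease. The same walk is a cheap way to spot a MAC address that appears under several IPs, which often indicates a misbehaving client or a pool being exhausted.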
What all can a DHCP server provide clients?
1. IP range
2. netmask 'option subnet-mask'
3. BC (broadcast address)
4. nameserver 'option domain-name-servers'
5. domain 'option domain-name'
6. NIS domain 'option nis-domain-name'
6. MAC addr based IP 'hardware ethernet' and 'fixed-address'
7. default lease time 'default-lease-time'
8. max lease time 'max-lease-time'
9. gateway 'option routers'
For netbios/Samba: option netbios-node-type 2, option netbios-name-servers

Advantages of DHCP:
1. Easy configuration if many, many clients
2. Saves IPs
2. Fixed IP for certain clients
3.Automaticconfigoftheabove9points

Disadvantages:
Notevenone
ddnsupdatestyleinterim;
ignoreclientupdates;
Selectspointtopointnode(defaultishybrid).Don'tchangethis
unlessyouunderstandNetbiosverywell
DHCP Clients Obtaining 169.254.0.0 Addresses
Whenever Microsoft DHCP clients are unable to contact their DHCP server they default to selecting their own IP address from the 169.254.0.0 network until the DHCP server becomes available again. This is frequently referred to as Automatic Private IP Addressing (APIPA). Here are some steps you can go through to resolve the problem:

* Ensure that your DHCP server is configured correctly and use the pgrep command discussed earlier to make sure the DHCP process is running. Pay special attention to your 255.255.255.255 route, especially if your DHCP server has multiple interfaces.

* Give your DHCP client a static IP address from the same range that the DHCP server is supposed to provide. See whether you can ping the DHCP server. If you cannot, double check your cabling and your NIC cards.

* DHCP uses the BOOTP protocol for its communication between the client and server. Make sure there are no firewalls blocking this traffic. DHCP servers expect requests on UDP port 67 and the DHCP clients expect responses on UDP port 68. Use tcpdump on the server's NIC to verify the correct traffic flows.

Other DHCP Failures
If the DHCP server fails to start then use your regular troubleshooting techniques outlined in Chapter 4, "Simple Network Troubleshooting", to help rectify your problems. Most problems with an initial setup are often due to:

* Incorrect settings in the /etc/dhcpd.conf file such as not defining the networks for which the DHCP server is responsible;

* Firewall rules that block the DHCP bootp protocol on UDP ports 67 and 68;

* Routers failing to forward the bootp packets to the DHCP server when the clients reside on a separate network.

Always check your /var/log/messages file for dhcpd errors and remember that mandatory keywords in your configuration file may change when you upgrade your operating system. Always read the release notes to be sure.

When a client is to be booted, its boot parameters are determined by consulting that client's host declaration (if any), then consulting any class declarations matching the client, followed by the pool, subnet and shared-network declarations for the IP address assigned to the client. Each of these declarations itself appears within a lexical scope, and all declarations at less specific lexical scopes are also consulted for client option declarations. Scopes are never considered twice, and if parameters are declared in more than one scope, the parameter declared in the most specific scope is the one that is used.
When dhcpd tries to find a host declaration for a client, it first looks for a host declaration which has a fixed-address declaration that lists an IP address that is valid for the subnet or shared network on which the client is booting. If it doesn't find any such entry, it tries to find an entry which has no fixed-address declaration.
EXAMPLES
A typical dhcpd.conf file will look something like this:

global parameters...
subnet 204.254.239.0 netmask 255.255.255.224 {
  subnet-specific parameters...
  range 204.254.239.10 204.254.239.30;
}
subnet 204.254.239.32 netmask 255.255.255.224 {
  subnet-specific parameters...
  range 204.254.239.42 204.254.239.62;
}
subnet 204.254.239.64 netmask 255.255.255.224 {
  subnet-specific parameters...
  range 204.254.239.74 204.254.239.94;
}
group {
  group-specific parameters...
  host zappo.test.isc.org {
    host-specific parameters...
  }
  host beppo.test.isc.org {
    host-specific parameters...
  }
  host harpo.test.isc.org {
    host-specific parameters...
  }
}

Notice that at the beginning of the file, there's a place for global parameters. These might be things like the organization's domain name, the addresses of the name servers (if they are common to the entire organization), and so on. So, for example:

option domain-name "isc.org";
option domain-name-servers ns1.isc.org, ns2.isc.org;

As you can see in Figure 2, you can specify host addresses in parameters using their domain names rather than their numeric IP addresses. If a given hostname resolves to more than one IP address (for example, if that host has two ethernet interfaces), then where possible, both addresses are supplied to the client.

The most obvious reason for having subnet-specific parameters as shown in Figure 1 is that each subnet, of necessity, has its own router. So for the first subnet, for example, there should be something like:

option routers 204.254.239.1;

Note that the address here is specified numerically. This is not required; if you have a different domain name for each interface on your router, it's perfectly legitimate to use the domain name for that interface instead of the numeric address. However, in many cases there may be only one domain name for all of a router's IP addresses, and it would not be appropriate to use that name here.
In Figure 1 there is also a group statement, which provides common parameters for a set of three hosts: zappo, beppo and harpo. As you can see, these hosts are all in the test.isc.org domain, so it might make sense for a group-specific parameter to override the domain name supplied to these hosts:

option domain-name "test.isc.org";

Also, given the domain they're in, these are probably test machines. If we wanted to test the DHCP leasing mechanism, we might set the lease timeout somewhat shorter than the default:

max-lease-time 120;
default-lease-time 120;

Tcp Wrappers
Almost all BSD/UNIX/Linux-like operating systems are compiled with TCP Wrappers support. For example Solaris 9, various Linux/*BSD distributions, and Mac OS X have TCP Wrappers configured to run out of the box. It is a library which provides simple access control and standardized logging for supported applications which accept connections over a network.
TCP Wrappers is a host-based networking ACL system, used to filter network access to Internet services. TCP Wrappers was originally written to monitor and stop cracking activities on UNIX workstations in the 90s. It was the best solution in the 90s to protect UNIX workstations over the Internet. However it has a few disadvantages:
1. All UNIX apps must be compiled with the libwrap library.
2. The wrappers do not work with RPC services over TCP.
3. The username lookup feature of TCP Wrappers uses identd to identify the username of the remote host. By default, this feature is disabled, as identd may appear hung when there are a large number of TCP connections.

However, it has one strong advantage over a firewall. It works on the application layer. It can filter requests when encryption is used. Basically, you need to use both host-based and network-based security. Common services such as pop3, ftp, sshd, telnet and the r-services are supported by TCP Wrappers.

TCPD Benefits
1. Logging: connections that are monitored by tcpd are reported through the syslog facility.
2. Access Control: tcpd supports a simple form of access control that is based on pattern matching. You can even hook the execution of shell commands/scripts when a pattern matches.
3. Host Name Verification: tcpd verifies the client host name that is returned by the address->name DNS server by looking at the host name and address that are returned by the name->address DNS server.
4. Spoofing Protection

How do I find out if a program is compiled with TCP Wrappers or not?
To determine whether a given executable daemon /path/to/daemon supports TCP Wrappers, check the man page, or enter:
$ ldd /path/to/daemon | grep libwrap.so

If this command returns any output, then the daemon probably supports TCP Wrappers. In this example, to find out whether sshd supports tcp wrappers or not, enter:
$ whereis sshd
Sample output:
sshd: /usr/sbin/sshd /usr/share/man/man8/sshd.8.gz
$ ldd /usr/sbin/sshd | grep libwrap.so
Sample output:
libwrap.so.0 => /lib64/libwrap.so.0 (0x00002b759b381000)
ldd is used to see if libwrap.so is a dependency or not. An alternative to TCP Wrappers support is packet filtering using iptables.
Important Files

tcpd - access control facility for internet services.
/etc/hosts.allow - This file describes the names of the hosts which are allowed to use the local INET services, as decided by the /usr/sbin/tcpd server.
/etc/hosts.deny - This file describes the names of the hosts which are NOT allowed to use the local INET services, as decided by the /usr/sbin/tcpd server.
If the same client/user/ip is listed in both hosts.allow and hosts.deny, then hosts.allow takes precedence and access is permitted. If the client is listed in hosts.allow, then access is permitted. If the client is listed in hosts.deny, then access is denied.
tcpdchk and tcpdmatch - test programs for tcpd

Syntax (format) Of Host Access Control Files
Both /etc/hosts.allow and /etc/hosts.deny use the following format:
daemon_list : client_list [ : shell_command ]
Where,
daemon_list - a list of one or more daemon process names.
client_list - a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address.

Wild Cards
The access control language supports explicit wildcards (quoting from the man page):

ALL      The universal wildcard, always matches.
LOCAL    Matches any host whose name does not contain a dot character.
UNKNOWN  Matches any user whose name is unknown, and matches any host whose name or address are unknown. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.
KNOWN    Matches any user whose name is known, and matches any host whose name and address are known. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.
PARANOID Matches any host whose name does not match its address. When tcpd is built with -DPARANOID (default mode), it drops requests from such clients even before looking at the access control tables. Build without -DPARANOID when you want more control over such requests.
TCPD Configuration Examples
Set the default policy to deny access. Only explicitly authorized hosts are permitted to access. Update /etc/hosts.deny as follows:
# The default policy (no access) is implemented with a trivial deny file
ALL: ALL

The above denies all service to all hosts, unless they are permitted access by entries in the allow file. For example, allow access as follows via /etc/hosts.allow:

ALL: LOCAL @devels
ALL: .nixcraft.net.in EXCEPT boobytrap.nixcraft.net.in

Log and deny access (booby traps): we do not allow connections from crackers.com:

ALL: .crackers.com \
   : spawn (/bin/echo %a from %h attempted to access %d >> \
     /var/log/connections.log) \
   : deny

A Typical UNIX Example
Allow access to various services inside the LAN only via /etc/hosts.allow:
popd: 192.168.1.200 192.168.1.104
imapd: 192.168.1.0/255.255.255.0
sendmail: 192.168.1.0/255.255.255.0
sshd: 192.168.1.2 172.16.23.12
Deny everything via /etc/hosts.deny:
ALL: ALL

Reject All Connections
Restrict all connections to non-public services to localhost only. Suppose sshd and ftpd are the names of services which must be accessed remotely. Edit /etc/hosts.allow. Add the following lines:
sshd, ftpd: ALL
ALL: localhost
Save and close the file. Edit /etc/hosts.deny. Add the following line:
ALL: ALL
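The decision order described above (hosts.allow is searched first, then hosts.deny, and a client matching neither is allowed) is easy to get wrong when several patterns, EXCEPT clauses and a `deny` option are mixed. The evaluator below is an added example, not part of the original text or of the tcpd source; it implements that order for the subset of the pattern language used on this page (ALL, LOCAL, KNOWN/UNKNOWN, `.domain` suffixes, `net/mask`, `addr.` prefixes, plain names or addresses, EXCEPT, comma lists, continuation lines and the `allow`/`deny` options). The two rule files are constructed from the examples above; daemon@host forms, netgroups and PARANOID are not modelled, so use `tcpdmatch` for the real answer on a live system.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed from the /etc/hosts.allow examples above (not copied from a real host).
HOSTS_ALLOW = r"""
# LAN-only services
popd:     192.168.1.200 192.168.1.104
imapd:    192.168.1.0/255.255.255.0
sendmail: 192.168.1.0/255.255.255.0
sshd:     192.168.1.2 172.16.23.12
ALL: .nixcraft.net.in EXCEPT boobytrap.nixcraft.net.in
ALL: .crackers.com \
   : spawn (/bin/echo %a from %h attempted to access %d >> /var/log/connections.log) \
   : deny
"""
HOSTS_DENY = "ALL: ALL\n"


def _match_pattern(pat, host, addr):
    """One client pattern; `host` is the resolved name or None when lookup failed."""
    if pat == "ALL":
        return True
    if pat == "LOCAL":
        return host is not None and "." not in host
    if pat == "KNOWN":
        return host is not None
    if pat == "UNKNOWN":
        return host is None
    if pat.startswith("."):                     # domain suffix, e.g. .nixcraft.net.in
        return host is not None and host.endswith(pat)
    if pat.endswith("."):                       # address prefix, e.g. 192.168.1.
        return addr.startswith(pat)
    if "/" in pat:                              # net/mask, e.g. 192.168.1.0/255.255.255.0
        net, mask = pat.split("/", 1)
        return IPv4Address(addr) in IPv4Network((net, mask), strict=False)
    return pat == addr or (host is not None and pat == host)


def _match_list(lst, matcher):
    """A daemon_list or client_list; 'a b EXCEPT c' matches a or b but not c."""
    if " EXCEPT " in lst:
        incl, excl = lst.split(" EXCEPT ", 1)
        return _match_list(incl, matcher) and not _match_list(excl, matcher)
    return any(matcher(tok) for tok in lst.replace(",", " ").split())


def parse_rules(text):
    """Return [(daemon_list, client_list, [option, ...])], joining '\\'-continued lines."""
    rules, logical = [], ""
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1]
            continue
        logical += line
        if logical.strip():
            fields = [f.strip() for f in logical.split(":")]
            rules.append((fields[0], fields[1], fields[2:]))
        logical = ""
    return rules


def tcpd_decision(daemon, host, addr, allow_text, deny_text):
    """tcpd's order: first match in hosts.allow, else first match in hosts.deny, else allow.
    A 'deny' option in hosts.allow refuses, an 'allow' option in hosts.deny grants."""
    def first_hit(text):
        for daemons, clients, opts in parse_rules(text):
            if _match_list(daemons, lambda d: d in ("ALL", daemon)) and \
               _match_list(clients, lambda c: _match_pattern(c, host, addr)):
                return True, opts
        return False, []

    hit, opts = first_hit(allow_text)
    if hit:
        return "deny" if "deny" in opts else "allow"
    hit, opts = first_hit(deny_text)
    if hit:
        return "allow" if "allow" in opts else "deny"
    return "allow"


if __name__ == "__main__":
    for args in [("sshd", "pc2", "192.168.1.2"), ("sshd", "pc3", "192.168.1.3"),
                 ("imapd", None, "192.168.1.77"), ("ftpd", "evil.crackers.com", "198.51.100.1")]:
        print(args, "->", tcpd_decision(*args, HOSTS_ALLOW, HOSTS_DENY))
```

Note that the `.crackers.com` rule denies inside hosts.allow: it is hit first, so the booby trap fires and the client never reaches hosts.deny.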
Default Log Files
TCP Wrappers will do all its logging via syslog according to your /etc/syslog.conf file. The following table lists the standard locations where messages from TCP Wrappers will appear:

1. AIX                         /var/adm/messages
2. HP-UX                       /usr/spool/mqueue/syslog
3. Linux                       /var/log/messages
4. FreeBSD/OpenBSD/NetBSD      /var/log/messages
5. Mac OS X                    /var/log/system.log
6. Solaris                     /var/log/syslog

Use the following commands to view logs:
# tail -f /path/to/log/file
# grep 'ip' /path/to/log/file
# egrep -i 'ip|hostname' /path/to/log/file

How Do I Predict How The Tcp Wrapper Would Handle a Specific Request For Service?
Use the tcpdmatch command. Predict how tcpd would handle an sshd request from the local system:
tcpdmatch sshd localhost
The same request, pretending that hostname lookup failed:
tcpdmatch sshd 192.168.1.5
To predict what tcpd would do when the client name does not match the client address:
tcpdmatch sshd paranoid
Replace sshd with in.telnetd, ftpd and so on. You can use all daemon names specified in the inetd.conf or xinetd.conf file.

How Do I Examine My TCP Wrapper Config File?
Use the tcpdchk command to examine your tcp wrapper configuration and report all potential and real problems it can find:
tcpdchk
tcpdchk -v

A Note About TCP Wrappers and Firewall
You need to use both (firewall and tcpd) to fight against crackers.
* TCP Wrappers are most commonly employed to match against IP addresses and for host-level protection.
* Never configure TCP Wrappers on a firewall host.
* Put TCP Wrappers on all UNIX/Linux/BSD workstations.
* Do not use NIS (YP) netgroups in TCP Wrappers rules.
* Put TCP Wrappers behind a firewall system, as TCP Wrappers is no substitute for a netfilter or pf firewall.
* TCP Wrappers does provide increased security, as a firewall cannot examine encrypted connections (read as packets).
Xinetd
xinetd, the eXtended InterNET Daemon, is an open source daemon which runs on many Linux and Unix systems and manages Internet-based connectivity. It offers a more secure extension to, or version of, inetd, the Internet daemon.

xinetd performs the same function as inetd: it starts programs that provide Internet services. Instead of having such servers started at system initialization time, and be dormant until a connection request arrives, xinetd is the only daemon process started and it listens on all service ports for the services listed in its configuration file. When a request comes in, xinetd starts the appropriate server. Because of the way it operates, xinetd (as well as inetd) is also referred to as a super-server.

Task: xinetd configuration files location
Following are the important configuration files for xinetd:
/etc/xinetd.conf - The global xinetd configuration file.
/etc/xinetd.d/ directory - The directory containing all service-specific files such as ftp.

Task: Understanding the default configuration file
You can view the default configuration file with the less or cat command:
# less /etc/xinetd.conf
OR
# cat /etc/xinetd.conf
Output:
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/
defaults
{
    instances      = 60
    log_type       = SYSLOG authpriv
    log_on_success = HOST PID
    log_on_failure = HOST
    cps            = 25 30
}
includedir /etc/xinetd.d
Where,
instances = 60: Determines the number of servers that can be simultaneously active for a service. So 60 is the maximum number of requests xinetd can handle at once.

log_type = SYSLOG authpriv: Determines where the service log output is sent. You can send it to SYSLOG at the specified facility (authpriv will send the log to the /var/log/secure file).

log_on_success = HOST PID: Forces xinetd to log if the connection is successful. It will log the HOST name and Process ID to the /var/log/secure file.

log_on_failure = HOST: Forces xinetd to log if there is a connection dropped or if the connection is not allowed, to the /var/log/secure file.

cps = 25 30: Limits the rate of incoming connections. Takes two arguments. The first argument is the number of connections per second to handle. If the rate of incoming connections is higher than this, the service will be temporarily disabled. The second argument is the number of seconds to wait before re-enabling the service after it has been disabled. The default for this setting is 50 incoming connections and the interval is 10 seconds. This is good to avoid a DOS attack against your service.

includedir /etc/xinetd.d: Read other service-specific configuration files from this directory.
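To make the `cps` semantics concrete, the following added example (not xinetd's code and not from the original text) models the behaviour the paragraph describes: connections within a one-second window up to the first argument are served, the first connection beyond it disables the service, and nothing is served again until the second argument's number of seconds has elapsed. The one-second sliding window is an assumption of the model; the arrival timestamps fed to it are constructed.

```python
from collections import deque


class CpsLimiter:
    """Model of xinetd 'cps = <rate> <interval>' as described in the text above.

    rate     - connections per second that are served
    interval - seconds the service stays disabled after the rate is exceeded
    """

    def __init__(self, rate=25, interval=30):
        self.rate = rate
        self.interval = interval
        self.window = deque()          # timestamps of served connections in the last second
        self.disabled_until = None     # None while the service is enabled

    def accept(self, t):
        """Return True if a connection arriving at time t (seconds) is served."""
        if self.disabled_until is not None:
            if t < self.disabled_until:
                return False           # still disabled: connection is refused
            self.disabled_until = None # interval elapsed: service re-enabled
            self.window.clear()
        # drop timestamps that have left the one-second window (assumed sliding window)
        while self.window and t - self.window[0] >= 1.0:
            self.window.popleft()
        if len(self.window) >= self.rate:
            self.disabled_until = t + self.interval
            return False
        self.window.append(t)
        return True


def simulate(limiter, arrivals):
    """Feed a list of arrival times; return (served, refused) counts."""
    results = [limiter.accept(t) for t in arrivals]
    return results.count(True), results.count(False)


if __name__ == "__main__":
    lim = CpsLimiter(rate=25, interval=30)
    burst = [i * 0.01 for i in range(40)]          # constructed: 40 connections in 0.4 s
    print("burst served/refused:", simulate(lim, burst))
    print("at t=10s:", lim.accept(10.0), " at t=40s:", lim.accept(40.0))
```

With `cps = 25 30`, a burst of 40 connections in under a second serves the first 25, refuses the rest, and keeps refusing until 30 seconds after the limit was hit; a legitimate client arriving during that interval is also refused, which is the trade-off of the setting.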

Task: How to create my own service called foo
Here is a sample config file for a service called foo located at /etc/xinetd.d/foo:
# vi /etc/xinetd.d/foo
And append the following text:
service foo
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/foo
    instances   = 20
}
Where,
socket_type: Sets the network socket type to stream.
protocol: Sets the protocol type to TCP.

wait: You can set the value to yes or no only. It defines whether the service is single-threaded (if set to yes) or multi-threaded (if set to no).

user: User who will run the foo server.

Task: Stop or restart xinetd
To restart the xinetd service type the command:
# /etc/init.d/xinetd restart
To stop the xinetd service type the command:
# /etc/init.d/xinetd stop
To start the xinetd service type the command:
# /etc/init.d/xinetd start

Task: Verify that xinetd is running
Type the following command to verify whether the xinetd service is running or NOT:
# /etc/init.d/xinetd status
Output:
xinetd (pid 6059) is running...

SAMBA
SAMBA - smb protocol - Server Message Block, aka netbios/tcpip
[c] Andrew Tridgell
CIFS, ADS

History:
1. IBM PC-DOS; M$ DOS called MS-DOS; PC BIOS - 1985
2. PC BIOS -> NetBEUI
3. Soon they discarded NetBEUI because it did not support TCP/IP
4. PC BIOS -> NetBEUI -> NETBIOS/TCPIP aka NBNT
5. Changed the name of NETBIOS/TCPIP to SMB, to CIFS, to ADS [Common Internet File System]
IPX/SPX - Novell: InterNetwork Packet Exchange / Sequential Packet Exchange
saw timber -> samba
Latest: LongHorn, Whistler 2005, Vista 2006
Uses of Samba:
1. As a File Server [File Sharing] / HW/SW resource sharing like NFS but across OSs
2. As a WINS [Windows Internet Name Server] or NBNS server
3. As a PDC [SAM - Security Access Module]
4. As a Print Server using CUPS

Config File: /etc/samba/smb.conf
Program 1
[funny]                 # share or section or service
path = /opt/funny       # directive

$ service smb restart
$ testparm

Windows
$ net view
$ net view \\<ip>
$ net use * \\<ip>\funny
$ net use * /d
$ nbtstat -a <ip>
$ rpm -ql samba
/etc/logrotate.d/samba - Log Rotation File
> Log Files: /var/log/samba
/etc/pam.d/samba
Samba relies heavily upon authentication before providing access to the users' resources such as files and printers. It is integrated with Samba authentication; accounting as well as session management is handled via the samba entries in pam.d.
/etc/samba/smbusers
Provides a mapping between windows users and local linux-based users. Although samba can integrate into the Windows world, before providing access to local resources such as files on the file system, users must be authenticated by the local linux system. The default smbusers file contains a mapping for the local linux administrator, which is root, and root's equivalent user in the windows world is administrator. However some call it admin. If either of the two users tries to connect to a share they should be equated to the local unix user root, providing they know the password. The password should be the same as that of the administrator and root user, otherwise it would prompt for the password when they connect to the samba share.
If local windows users log in through guest, pcguest and smbguest they are equated with the "nobody" user on the linux system.
/etc/sysconfig/samba
Specifies the parameters to run smbd and nmbd as daemons.
/var/spool/samba
If remote users attempt to spool print jobs to our samba server, they are generally spooled to this directory. Samba nicely integrates with CUPS (the default modular printing system).

SMB services are provided by the NetBIOS protocol. NetBIOS makes its own namespace available, which is completely different from the domain name system.
This namespace can be accessed with the Uniform Naming Convention (UNC) notation: all services provided by a server are addressed as \\Server\Servicename.
File or print services offered by a server are also called shares.

The server side of Samba consists of 2 parts:
smbd - SMB/CIFS server
  This daemon provides file and print services for clients in the network:
  * authentication and authorization
  * file and printer sharing
nmbd - NetBIOS name server
  This daemon handles all NetBIOS-related tasks:
  * resource browsing
  * WINS server

To integrate Linux as a client in a Windows environment, Samba provides 2 tools:
winbind - This daemon integrates a Linux system into a Windows authentication system (Active Directory).
nmblookup - This tool can be used for NetBIOS name resolution and testing.
smbclient - This tool provides access to SMB file and print services.
Samba version 3.0.22: an important new feature in this version is the Kerberos support in winbind. This allows a Kerberos-based integration into Active Directory domains. Novell is an important contributor to the Samba project.

Packages installed in RHEL AS 4:
$ rpm -qa | grep samba
samba-3.0.10-1.4E.2
    represents the files that are included into your system as Samba Server
samba-client-3.0.10-1.4E.2
    contains client-based components
system-config-samba-1.2.21-1
    tool to configure Samba
samba-common-3.0.10-1.4E.2
    contains shared components
$ rpm -ql samba-common
/etc/samba/smb.conf
    Main configuration file
/etc/samba/lmhosts
    The hostname "localhost" is considered to be the netbios hostname. lmhosts is similar to lmhosts of the windows world. In the event that you attempt to access a windows-based system or samba-based system by name, translation can occur, especially when you are using samba-based clients, with the aid of the lmhosts file. This is one of the options but not the only option, since samba-based clients can also rely upon /etc/hosts as well as DNS and WINS (a centralized name repository).
/usr/bin/net
    It can be used for joining a samba system to a remote domain such as an NT4-style domain or a Windows 2000-style Active Directory domain; the net command allows us to join those domains.
/usr/bin/smbpasswd
    Allows us to set the password for locally stored users, so that when we attempt to authenticate remote users they are able to do so through
$ smbpasswd
$ /usr/bin/testparm
    If you change the smb.conf file manually, which resides in /etc/samba, testparm checks to ensure that the parameters are correct.
/var/log/samba
    Log files pertaining to the Samba Server
The Samba Configuration File
The /etc/samba/smb.conf file is the main configuration file you'll need to edit.
Three ways to approach this file:
* system-config-samba (Red Hat's tool)
* SWAT
* Manually

It is split into five major sections.
File Format: smb.conf

Section      Description
[global]     General Samba configuration parameters
[printers]   Used for configuring printers
[homes]      Defines treatment of user logins
[netlogon]   A share for storing logon scripts. (Not created by default.)
[profile]    A share for storing domain logon information such as "favorites" and desktop icons. (Not created by default.)

smb.conf Minimum Settings, "Global" Section

domain logons = Yes
    Tells Samba to become the PDC.
preferred master = Yes
    Makes the PDC act as the central store for the names of all windows clients, servers and printers on the network. Very helpful when you need to "browse" your local network for resources. Also known as a local master browser.
domain master = Yes
    Tells Samba to become the master browser across multiple networks all over the domain. The local master browsers register themselves with the domain master to learn about resources on other networks.
os level = 65
    Sets the priority the Samba server should use when negotiating to become the PDC with other Windows servers. A value of 65 will usually make the Samba server win.
wins support = Yes
    Allows the Samba server to provide name services for the network. In other words, keeps track of the IP addresses of all the domain's servers and clients.
time server = Yes
    Lets the samba server provide time updates for the domain's clients.
workgroup = "homenet"
    The name of the Windows domain we'll create. The name you select is your choice. I've decided to use "homenet".
security = user
    Make domain logins query the Samba password database located on the samba server itself.
smb passwd file = /etc/samba/smbpasswd
    It is useful to specify the name and location of the Samba password file. This helps to make Samba version upgrades where the default locations may change.
private dir = /etc/samba
    Specifies the default directory for some supporting temporary files. As with the password file, it is a good practice to specify this value.
Security Levels
security = user (user, server, ADS, domain)
user
    In user mode we can authenticate against the local unix /etc/passwd file.
server
    We pass authentication off. Server mode simply passes off authentication to the password authentication server such as an NT4 or WIN2K domain controller.
domain
    This is used to join an NT4-style domain. You need a computer account in the NT4-style domain.
ADS
    Same as domain but with different behaviour. If ADS is in native mode, then you will need to join the domain, and you need to know the kerberos realm, so that we can accept kerberos tickets.
share
    This is the mode where you tie a password to a share, and if a user knows the password they are granted a read-only or read-write share. This will be implemented where everyone knows the password.

Creating a user:
$ useradd champu
$ passwd champu
Assigning an smb password to user champu:
$ smbpasswd -a champu
Editing the configuration file:
$ vi /etc/samba/smb.conf
[myshare]
comment = Windoze champu
path = /home/champu
valid users = champu
public = yes
writable = yes
printable = no
create mask = 0765

public
    This parameter is a synonym for guest ok.
$ service smb restart
Gathering information:
$ smbclient -L 192.168.10.66 -U champu
The -L option should be used to determine if the Samba server is even running and listening for network requests.
Accessing the Samba Server:
$ smbclient //192.168.10.66/myshare -U champu
smb: \> ls
smb: \> mkdir docs
smb: \> ls
smb: \> quit
Accessing the Samba Server From Windows
Accessing the Samba Server From X Windows
Open Nautilus; in the Location section enter:
smb://192.168.10.66
Permanent Mounting with Linux Samba Clients
$ mkdir /bill
$ vi /etc/samba/pass
username=champu
password=x
$ vi /etc/fstab
//192.168.10.60/myshare  /bill  smbfs  credentials=/etc/samba/pass  0 0
$ mount -a
$ df -h
$ cd /bill

Permanent Mounting of a Linux Samba Client Using the Automounter
$ vi /etc/auto.master
/misc   /etc/auto.smb   --timeout=60

$ vi /etc/auto.smb
samba   -fstype=smbfs,username=champu,password=x   ://192.168.10.60/myshare
$ service autofs restart
$ cd /misc/samba
$ ls -l
$ vi /etc/samba/smb.conf
[myshare]
hosts deny = 192.168.10.100
comment = Windoze champu
path = /home/champu
valid users = champu
public = yes
writable = yes
printable = no
create mask = 0765
$ service smb restart
[hpcolor]
comment = The HP 4500N
path = /usr/spool/lpd/hpcolor
browseable = yes
printable = yes
public = yes
writable = yes
create mode = 0700

Usage: smbmount
$ smbmount //192.168.10.60/myshare /bill -o username=champu,password=x
$ cd /bill

There are basically two ways in which this can happen:
* The LMBs register themselves with a WINS server and thus are able to determine that other LMBs serve the same workgroup.
* The workgroup is a domain: all systems in the domain make use of one Primary Domain Controller (PDC) for authentication. Such a PDC is required also to be the DMB. Since all systems know the IP address of the PDC, they also know which DMB to use.
lmhosts: static mapping
WINS server: dynamic mapping

Samba as an NT Domain Member
Samba emulates an NT workstation when becoming part of the domain. So, the first thing you need to do is create a machine account for your Samba machine on the domain controller. In NT you would use the program Server Manager for Domains to create the account. Once the account is created, all you need to add are the following lines to your smb.conf file under the global section.

# Your Workgroup or Domain that you want to log in to
workgroup = FREEOS

# Tell Samba to talk to the domain controller for authentication
security = domain

# Specify the server to get authenticated from. You can specify the NetBIOS names
# of the servers or simply put in a * here to let Samba find the server through broadcast
password server = PS1 PS2

# Make sure Samba is using encrypted passwords
encrypt passwords = yes

Now stop the Samba daemons:
$ /etc/rc.d/init.d/smb stop
Give the following command to join the NT Domain:
$ smbpasswd -j DOMAIN -r DOMAINPDC
Samba PDC

We will set up 1 domain "mydomain1" on a Linux machine with samba.
1. Create a samba config file in /etc/samba/ and copy-paste the content from the 2nd step:
   a. smb.conf
2. Your smb.conf will look like below:
[global]
workgroup = mydomain1
netbios name = server1
time server = Yes
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
security = user
mangling method = hash
add machine script = /usr/sbin/useradd -d /dev/null -g trust -s /bin/false -M %u
log file = /var/log/samba/log.%m
log level = 3 passdb:5 auth:10 winbind:2
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U\.profile
logon script = logon.cmd
interfaces = 192.168.2.249/24     ## put your samba server IP address
bind interfaces only = yes
lock directory = /var/lib/samba/locks/server1

[homes]
read only = No
browseable = Yes
create mask = 0644
directory mask = 0755

[netlogon]
path = /var/lib/samba/netlogon
guest ok = yes

[profiles]
path = /var/lib/samba/profiles
browseable = yes
read only = No
create mask = 0600
directory mask = 0700
root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; \
    then mkdir -pm700 $PROFILE; chown %u:%g $PROFILE; fi

3. Then create the below directory:
/var/lib/samba/locks/server1
4. Start the samba server:
/etc/init.d/smb start

5. Check whether smb started or not:
ps -ef | grep smb
6. Add a trust account (for NT machines only):
groupadd trust
useradd -g trust -d /dev/null -s /bin/false <machinename>\$
passwd -l <machinename>\$

====> NOTE: PLEASE DON'T FORGET TO GIVE '\$' IN THE ABOVE 2 COMMANDS
smbpasswd -m -a <machinename>
7. Adding the administrator account:
smbpasswd -a root
(Give the Samba passwd for root)
8. FOR WIN XP PRO users - NOT for WIN98 or XP HOME:
Log in to that windows machine (machinename) as administrator.
Right click "My Computer" and click on "Properties"
Click on the "Computer Name" tab
Click on "Change"
Put Domain "mydomain1"
Click OK
It will ask for the Domain admin username & passwd. Give username: root and the smbpasswd of root.
If everything is good then it will show you "Welcome to mydomain1".
SAMBA PDC WITH LINUX/WINDOWS CLIENT
SAMBA PDC
make dir: /var/lib/samba/locks/server
smb.conf
[global]
workgroup = MYDOMAIN
netbios name = server
#time server = Yes
domain logons = Yes
os level = 33
preferred master = Yes
#local master = Yes
local master = no
domain master = Yes
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
security = user
passdb backend = tdbsam

# when you use passdb backend = tdbsam: when a samba user is created, it
# stores the username and passwd in the passdb.tdb file rather than the
# smbpasswd file
mangling method = hash
add machine script = /usr/sbin/useradd -d /dev/null -g trust -s /bin/false -M %u
#add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
log file = /var/log/samba/log.%m
log level = 3 passdb:5 auth:10 winbind:2
# for login from windows machines
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U\.profile
logon script = %m.bat
logon script = %U.bat
## put your samba server IP address: eth0 (optional)
interfaces = eth0 192.168.1.0/24
bind interfaces only = yes
lock directory = /var/lib/samba/locks/server
[homes]
read only = No
browseable = Yes
create mask = 0644
directory mask = 0755
valid users = %S
valid users = MYDOMAIN\%S
##
[netlogon]
path = /var/lib/samba/netlogon
guest ok = yes
[profiles]
path = /var/lib/samba/profiles
browseable = yes
read only = No
create mask = 0600
directory mask = 0700
root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; then mkdir -pm700 $PROFILE; chown %u:%g $PROFILE; fi
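The "Minimum Settings" table earlier in this section and the two PDC configurations above give enough to write a small configuration check, which is what a practitioner would run before `testparm` to catch the usual mistakes: a missing PDC parameter, an `os level` below the 65 the table recommends, and a share that combines guest access with write permission. The checker below is an added example, not Samba's code and not from the original practicals; the smb.conf text it parses is constructed in the shape of the configuration above. Note how a duplicated parameter (the two `logon script` lines) resolves: the last occurrence wins, which the parser models.

```python
# Constructed smb.conf excerpt modelled on the PDC configuration above (not a real file).
SAMPLE_SMB_CONF = r"""
[global]
    workgroup = MYDOMAIN
    netbios name = server
    domain logons = Yes
    os level = 33
    preferred master = Yes
    domain master = Yes
    encrypt passwords = yes
    security = user
    passdb backend = tdbsam
    logon script = %m.bat
    logon script = %U.bat
    interfaces = eth0 192.168.1.0/24
    bind interfaces only = yes
    root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; then mkdir -pm700 $PROFILE; fi

[homes]
    read only = No
    browseable = Yes
    create mask = 0644

[profiles]
    path = /var/lib/samba/profiles
    public = yes
    writable = yes
    create mask = 0600
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.

    Parameter names are case-insensitive and internal blanks are ignored, as smbd
    treats them; a parameter repeated in one section keeps its last value.
    Only whole-line comments ('#' or ';' first) are stripped, because ';' is legal
    inside values such as 'root preexec'.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.replace(" ", "").lower()] = value.strip()
    return conf


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


# The minimum PDC settings from the table above (values compared case-insensitively).
PDC_MINIMUM = {"domainlogons": "yes", "preferredmaster": "yes",
               "domainmaster": "yes", "security": "user"}


def check_pdc(conf):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    g = conf.get("global", {})
    for key, want in PDC_MINIMUM.items():
        if g.get(key, "").lower() != want:
            findings.append(f"global: '{key}' should be '{want}' (found {g.get(key)!r})")
    if "oslevel" in g and int(g["oslevel"]) < 65:
        findings.append(f"global: os level {g['oslevel']} is below 65, the Samba PDC may lose the election")
    if not _yes(g.get("encryptpasswords", "yes")):
        findings.append("global: encrypt passwords should be yes")
    for name, share in conf.items():
        if name == "global":
            continue
        guest = _yes(share.get("public", share.get("guestok", "no")))
        write = _yes(share.get("writable", share.get("writeable", "no")))
        if guest and write:
            findings.append(f"[{name}]: guest access combined with write permission")
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    print("effective logon script:", conf["global"]["logonscript"])
    for finding in check_pdc(conf):
        print("-", finding)
```

Run against the sample, the check reports the `os level = 33` and the writable guest `[profiles]` share; the first PDC configuration in this section (os level 65, no `public` on the profiles share) would pass both checks.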

Client side configuration

1. smb.conf
[global]
netbios name = station
workgroup = MYDOMAIN
security = domain
password server = 192.168.1.2
#realm = AVTECH.LOCAL
encrypt passwords = yes
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
#idmap backend = ad
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = true

2. system-config-authentication
Only check the winbind setting and specify the domain name; no other parameters are required.
It will do the other required winbind changes in the following files:
a. /etc/nsswitch.conf
b. /etc/pam.d/system-auth
/etc/pam.d/system-auth:
session required pam_mkhomedir.so skel=/etc/skel umask=0077
Insert this line at the bottom of the system-auth file just before:
session required pam_unix.so
3. Try to join the domain using the following:
net rpc join -U root
(the domain is taken from the workgroup = MYDOMAIN setting above)
Also we can join using:
system-config-authentication
The GUI authentication window opens; select "domain join", enter the administrator name, i.e. root, and passwd, and click join.

FIREWALL/IPTABLES

What'safirewall?
Withoutgettingintotechnicalexplanations,afirewallissimplya
host whose main purpose is to protect your network. A firewall
207

b.sadhiq
www.altnix.com

restrictscertaintypesofnetworktrafficfromtheInternettoyour
protectednetwork(s)thereverseisalsooftentrue.
FirewallshavealwaysreferredtoasLayer3Securitybecausefrom
manyyears.Firewallswereonlybeabletounderstandinformationas
it passed over the network layer 3. Now the technology has moved
forward, Firewalls have become more flexible, more intelligent
ultimatelyearningthenamesuchasLayer7firewallorapplication
levelfirewalls.
Sothetermfirewallisnotnecessarilyasaccurate,Todayasitis
alwaysbeenbecausetherearevariouslevelsoffirewalls.
Lets peek into concepts of firewall, how they might apply to
securitypracticesinlinuxenvironment
FirstwegonnalookatIPTABLES,defactostandardforsecuringlinux
at the firewall level. So it pretty much comes bundled with
everythingacrosstheboardanditisprettyeasytoconfigureand
offersalotofflexibility.

Whatafirewallisnot?

MagicAfirewallcannotmakeyournetworkabsolutelysecure.
A bastion host In an ideal world, this would be true.
However,afirewallisonlyassecure asthe workyouputinto
securingit.

A bastion host is a special purpose computer on a network


specificallydesignedandconfiguredtowithstandattack

A replacement for host security Every service you allow


throughthefirewallisapotentialrisk.

Typesofexploits

Local There is no security without physical security. If


someonehasphysicalaccesstoyourbox,you'velost.Obviously,a
firewallwon'thelpyouhere.

Local privilege escalation The trojan horse attack. The


attackeralreadyhasalocalaccountonyourbox(insidethegates)
andobtainsrootbysomemeans(vulnerabilityormisconfiguration).
Afirewallcannotprotectagainthistypeofattacks.

RemoteYourhostislisteningonaportthattheattackeris
able to connect to remotely over a network and exploit a
208

b.sadhiq
www.altnix.com

vulnerabilitysomehow.Thisistheonlytypeofattackafirewall
can (hopefully) protect you against. There is another important
pointherethatmostfirewallhowtosneglect.Inorderforsomeone
toexploityourboxremotely,ithastobelisteningonsomeports
(i.e. providing a way for an attacker to connect). Therefore, if
your host isn't listening on any ports, you are safe from remote
exploits(unlesstheattackermanagestoattackthenetworkstack
itself).

Why do you need a firewall?
* Increase your network security: Some services are inherently insecure and impossible to secure on individual hosts. A firewall can help you segment and contain parts of your network to increase security.
* Network access control: A firewall can help you enforce your network security policies by selectively allowing network services (to all or selected hosts).
* Logging: Because a firewall must examine all inbound/outbound network traffic, it can help you log network activity (that passes through the firewall).

So What's A Packet Filter?
A packet filter is a piece of software which looks at the header of packets as they pass through, and decides the fate of the entire packet. It might decide to DROP the packet (i.e., discard the packet as if it had never received it), ACCEPT the packet (i.e., let the packet go through), or something more complicated.
Under Linux, packet filtering is built into the kernel (as a kernel module, or built right in), and there are a few trickier things we can do with packets, but the general principle of looking at the headers and deciding the fate of the packet is still there.

IPTABLES
replaces the older IPchains firewall in Linux
available since the 2.4 kernel
allows configuration of built-in firewall rules for host-based protection
IPtables can be used for routing, forwarding, filtering

ipfwadm for Linux kernel 2.0
ipchains for Linux kernel 2.2
iptables for Linux kernel 2.4/2.6

What is Netfilter/Iptables?
Netfilter is the framework in Linux kernels that allows for firewalling, NAT, and packet mangling.
Iptables is the userspace tool that works with the Netfilter framework (technically a lie; Iptables is also a part of the Netfilter framework in the kernel). Think of Netfilter as kernel space, and Iptables as user space.
Iptables is merely a user space tool that provides the administrator a means of configuring the core netfilter services that are actually part of the kernel.

IPtables is a stateful packet filtering firewall
We can monitor the states of the communication process and make decisions based on that. Definitely a useful feature. In the past, people were able to bypass firewall rules by skipping the beginning part of the TCP communication process.
A stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.
Before the advent of stateful firewalls, a stateless firewall, a firewall that treats each network frame (or packet) in isolation, was normal. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet. Modern firewalls are connection-aware (or state-aware), affording network administrators finer-grained control of network traffic.

Can filter based upon source IP address, protocol, port and connection state. Connection state is what defines iptables as a stateful packet filtering firewall.

Can filter based upon MAC address
This is used much less often. But in some DMZ environments where you have a controlled set of MACs this might be a little bit easier or make more sense to use.

Can filter out malformed packets based upon the TCP flags set in packets
So we know that a particular machine will never be seeing a christmas tree packet where pretty much every flag is turned on, so we can set our filters to protect against these types of attacks.

Packet Processing In iptables
All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain.
There are three tables in total. The first is the mangle table which is responsible for the alteration of quality of service bits in the TCP header. This is hardly used in a home or SOHO environment.
The second table is the filter queue which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. These are the:

Forward chain: Filters packets to servers protected by the firewall.

Input chain: Filters packets destined for the firewall.

Output chain: Filters packets originating from the firewall.

The third table is the nat queue which is responsible for network address translation. It has two built-in chains; these are:

Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.

Post-routing chain: NATs packets when the source address of the packet needs to be changed.

Queue Type / Queue Function / Packet Transformation Chain in Queue / Chain Function

Filter (Packet filtering)
  FORWARD: Filters packets to servers accessible by another NIC on the firewall.
  INPUT: Filters packets destined to the firewall.
  OUTPUT: Filters packets originating from the firewall.

Nat (Network Address Translation)
  PREROUTING: Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.
  POSTROUTING: Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.
  OUTPUT: Network address translation for packets generated by the firewall. (Rarely used in SOHO environments)

Mangle (TCP header modification)
  PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD: Modification of the TCP packet quality of service bits before routing occurs. (Rarely used in SOHO environments)
You need to specify the table and the chain for each firewall rule you create. There is an exception: Most rules are related to filtering, so iptables assumes that any chain that's defined without an associated table will be a part of the filter table. The filter table is therefore the default.
To help make this clearer, take a look at the way packets are handled by iptables. In Figure 14.1 a TCP packet from the Internet arrives at the firewall's interface on Network A to create a data connection.

The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. It is then routed.
If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT in the POSTROUTING chain before arriving at Network B. When the destination server decides to reply, the packet undergoes the same sequence of steps. Both the FORWARD and POSTROUTING chains may be configured to implement quality of service (QoS) features in their mangle tables, but this is not usually done in SOHO environments.
If the packet is destined for the firewall itself, then it passes through the mangle table of the INPUT chain, if configured, before being filtered by the rules in the INPUT chain of the filter table. If it successfully passes these tests then it is processed by the intended application on the firewall.
At some point, the firewall needs to reply. This reply is routed and inspected by the rules in the OUTPUT chain of the mangle table, if any. Next, the rules in the OUTPUT chain of the nat table determine whether DNAT is required and the rules in the OUTPUT chain of the filter table are then inspected to help restrict unauthorized packets. Finally, before the packet is sent back to the Internet, SNAT and QoS mangling is done by the POSTROUTING chain.

Packet Flow As Follows (Figure 14.1; the diagram is not reproduced in this text)

Targets And Jumps
Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet needs to jump over to it for further processing. Table 14.2 lists the built-in targets that iptables uses.
Table 14.2 Descriptions Of The Most Commonly Used Targets

Target: ACCEPT
Description: iptables stops further processing. The packet is handed over to the end application or the operating system for processing.
Most Common Options: N/A

Target: DROP
Description: iptables stops further processing. The packet is blocked.
Most Common Options: N/A

Target: LOG
Description: The packet information is sent to the syslog daemon for logging. iptables continues processing with the next rule in the table. As you can't log and drop at the same time, it is common to have two similar rules in sequence. The first will log the packet, the second will drop it.
Most Common Options: --log-prefix "string": Tells iptables to prefix all log messages with a user defined string. Frequently used to tell why the logged packet was dropped.

Target: REJECT
Description: Works like the DROP target, but will also return an error message to the host sending the packet that the packet was blocked.
Most Common Options: --reject-with qualifier: The qualifier tells what type of reject message is returned. Qualifiers include: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, tcp-reset, echo-reply.

Target: DNAT
Description: Used to do destination network address translation, i.e. rewriting the destination IP address of the packet.
Most Common Options: --to-destination ipaddress: Tells iptables what the destination IP address should be.

Target: SNAT
Description: Used to do source network address translation, rewriting the source IP address of the packet. The source IP address is user defined.
Most Common Options: --to-source <address>[-<address>][:<port>-<port>]: Specifies the source IP address and ports to be used by SNAT.

Target: MASQUERADE
Description: Used to do Source Network Address Translation. By default the source IP address is the same as that used by the firewall's interface.
Most Common Options: [--to-ports <port>[-<port>]]: Specifies the range of source ports to which the original source port can be mapped.
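To make the first-match behaviour of the targets in Table 14.2 concrete, here is an added Python model of one filter-table chain (example code, not from these notes or from iptables itself). It walks rules top to bottom, lets LOG fall through to the next rule, and falls back to the chain policy; the Packet and Rule classes, the in-memory "syslog" list and the sample packets are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    syn: bool = False   # TCP SYN flag set


@dataclass
class Rule:
    target: str                        # ACCEPT, DROP, REJECT or LOG
    matches: Callable[[Packet], bool]  # stands in for -s/-d/-p/--dport ...
    log_prefix: str = ""               # --log-prefix "string"
    reject_with: str = "icmp-port-unreachable"  # --reject-with default


@dataclass
class Chain:
    policy: str                        # set with -P <chain> <policy>
    rules: List[Rule] = field(default_factory=list)
    syslog: List[str] = field(default_factory=list)  # stands in for syslogd

    def append(self, rule: Rule) -> None:   # -A <chain> ... -j <target>
        self.rules.append(rule)

    def evaluate(self, pkt: Packet) -> str:
        """Walk the rules top to bottom, as iptables does.

        ACCEPT, DROP and REJECT end processing; LOG records the packet and
        continues with the next rule; if no terminating rule matched, the
        chain policy decides the packet's fate."""
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":
                self.syslog.append(
                    f"{rule.log_prefix}SRC={pkt.src} DST={pkt.dst} "
                    f"PROTO={pkt.proto.upper()} DPT={pkt.dport}")
                continue
            if rule.target == "REJECT":
                return f"REJECT ({rule.reject_with})"
            return rule.target
        return self.policy


def any_packet(_: Packet) -> bool:
    return True


def tcp_dport(port: int) -> Callable[[Packet], bool]:   # -p tcp --dport <port>
    return lambda p: p.proto == "tcp" and p.dport == port


def from_lan(p: Packet) -> bool:                         # -s 192.168.0.0/24
    return p.src.startswith("192.168.0.")


def build_input_chain() -> Chain:
    """INPUT chain in the spirit of the notes' script: policy DROP, ssh open
    to everyone, samba only from the LAN, NetBIOS from elsewhere rejected
    with a TCP reset, and everything else logged and then dropped."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", tcp_dport(22)))
    chain.append(Rule("ACCEPT", lambda p: from_lan(p) and p.proto == "tcp"
                      and 137 <= p.dport <= 139))
    chain.append(Rule("REJECT", tcp_dport(139), reject_with="tcp-reset"))
    chain.append(Rule("LOG", any_packet, log_prefix="INPUT-DROP: "))
    chain.append(Rule("DROP", any_packet))
    return chain


def run_samples():
    """Constructed packets (documentation address ranges) through the chain."""
    chain = build_input_chain()
    verdicts = {
        "ssh_from_internet": chain.evaluate(Packet("tcp", "203.0.113.5", "192.168.0.1", 22, True)),
        "smb_from_lan": chain.evaluate(Packet("tcp", "192.168.0.216", "192.168.0.1", 139, True)),
        "smb_from_internet": chain.evaluate(Packet("tcp", "203.0.113.5", "192.168.0.1", 139, True)),
        "dns_udp_from_internet": chain.evaluate(Packet("udp", "203.0.113.5", "192.168.0.1", 53)),
    }
    return verdicts, chain.syslog


def drop_before_log_never_logs() -> int:
    """Rule order matters: a DROP placed before the LOG rule terminates
    processing, so the LOG rule is never reached. Returns the log count."""
    chain = Chain(policy="DROP")
    chain.append(Rule("DROP", any_packet))
    chain.append(Rule("LOG", any_packet, log_prefix="never: "))
    chain.evaluate(Packet("tcp", "203.0.113.5", "192.168.0.1", 80, True))
    return len(chain.syslog)


if __name__ == "__main__":
    v, log = run_samples()
    for name, verdict in v.items():
        print(f"{name:24s} {verdict}")
    print("logged:", log)
```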

Important Iptables Command Switch Operations
Each line of an iptables script not only has a jump, but they also have a number of command line options that are used to append rules to chains that match your defined packet characteristics, such as the source IP address and TCP port. There are also options that can be used to just clear a chain so you can start all over again. Tables 14.2 through 14.6 list the most common options.

Table 14.2 General Iptables Match Criteria

iptables command switch: Description

-t <table>: If you don't specify a table, then the filter table is assumed. As discussed before, the possible built-in tables include: filter, nat, mangle
-j <target>: Jump to the specified target chain when the packet matches the current rule.
-A: Append rule to end of a chain
-F: Flush. Deletes all the rules in the selected table
-p <protocol-type>: Match protocol. Types include, icmp, tcp, udp, and all
-s <ip-address>: Match source IP address
-d <ip-address>: Match destination IP address
-i <interface-name>: Match "input" interface on which the packet enters.
-o <interface-name>: Match "output" interface on which the packet exits

In this command switches example

iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT

iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's IP address of 192.168.1.1. The 0/0 representation of an IP address means any.

Table 14.4 Common TCP and UDP Match Criteria

Switch: Description

-p tcp --sport <port>: TCP source port. Can be a single value or a range in the format: start-port-number:end-port-number
-p tcp --dport <port>: TCP destination port. Can be a single value or a range in the format: starting-port:ending-port
-p tcp --syn: Used to identify a new TCP connection request. ! --syn means, not a new connection request
-p udp --sport <port>: UDP source port. Can be a single value or a range in the format: starting-port:ending-port
-p udp --dport <port>: UDP destination port. Can be a single value or a range in the format: starting-port:ending-port

Checking whether Iptables is installed by default on our server

$ rpm -q iptables
$ rpm -ql iptables
/sbin/iptables
this allows us to view the configuration and change it
/sbin/iptables-restore
this allows us to restore the firewall or running firewall configuration from a saved configuration
/sbin/iptables-save
this allows us to save the running configuration
Modules are stored in /lib/iptables/
Iptables itself is a module
$ lsmod | grep -i iptab
Modules for Iptables:

ip_tables
iptable_filter
iptable_nat
iptable_mangle

$ lsmod | grep -i ipt

ipt_REJECT: target (fate)
ipt_state: allows us to maintain state information
ip_conntrack: the kernel can keep track of connections

SYNTAX
$ iptables -t table <Action> <Direction/Chains> <Packet Pattern> -j <fate>
iptables Won't Start
The iptables startup script expects to find the /etc/sysconfig/iptables file before it starts. If none exists, then symptoms include the firewall status always being stopped and the /etc/init.d/iptables script running without the typical [OK] or [FAILED] messages.
If you have just installed iptables and have never applied a policy, then you will face this problem. Unfortunately, running the service iptables save command before restarting won't help either. You have to create this file.
[root@bigboy tmp]# service iptables start
[root@bigboy tmp]#
[root@bigboy tmp]# touch /etc/sysconfig/iptables
[root@bigboy tmp]# chmod 600 /etc/sysconfig/iptables
[root@bigboy tmp]# service iptables start
Applying iptables firewall rules: [ OK ]
[root@bigboy tmp]#

Linux Iptables allow or block ICMP ping request
The Internet Control Message Protocol (ICMP) has many messages that are identified by a "type" field. You need to use ICMP types 0 and 8.
=> Zero (0) is for echo reply
=> Eight (8) is for echo request.
To enable ICMP ping incoming client requests use the following iptables rules (you need to add the following rules to your script). My default firewall policy is blocking everything.

Task: Enable or allow ICMP ping incoming client request
Rule to enable ICMP ping incoming client request (assuming that the default iptables policy is to drop all INPUT and OUTPUT packets):
SERVER_IP="202.54.10.20"
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s $SERVER_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Task: Allow or enable outgoing ping request
To enable ICMP ping outgoing requests use the following iptables rules:
SERVER_IP="202.54.10.20"
iptables -A OUTPUT -p icmp --icmp-type 8 -s $SERVER_IP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $SERVER_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
How do I disable outgoing ICMP requests?
Use the following rules:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
OR
iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP
The ICMP echo request type will be blocked by the above rule.
See ICMP TYPE NUMBERS (type fields). You can also get a list of ICMP types, just type the following command at the shell prompt:
$ /sbin/iptables -p icmp -h
$ iptables -t filter -P INPUT DROP
$ iptables -t filter -P OUTPUT ACCEPT
$ iptables -t filter -P FORWARD ACCEPT

# allow local loopback connections
$ iptables -t filter -A INPUT -i lo -j ACCEPT

# Drop INVALID connections
$ iptables -t filter -A INPUT -m state --state INVALID -j DROP
$ iptables -t filter -A OUTPUT -m state --state INVALID -j DROP
$ iptables -t filter -A FORWARD -m state --state INVALID -j DROP

# Allow all established and related
$ iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow connections to my ISP's DNS servers
$ iptables -t filter -A INPUT -s 213.73.255.52 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
$ iptables -t filter -A INPUT -s 213.73.255.52 -p udp -j ACCEPT
$ iptables -t filter -A INPUT -s 213.132.189.250 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
$ iptables -t filter -A INPUT -s 213.132.189.250 -p udp -j ACCEPT
$ iptables -t filter -A INPUT -s 213.73.255.53 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
$ iptables -t filter -A INPUT -s 213.73.255.53 -p udp -j ACCEPT

# open ports 4662, 4672 = amule, 5900, 5901 = vnc, 22 = ssh
$ iptables -t filter -A INPUT -p tcp -m tcp --dport 4662 -j ACCEPT
$ iptables -t filter -A INPUT -p udp -m udp --dport 4672 -j ACCEPT
$ iptables -t filter -A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
$ iptables -t filter -A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
$ iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# bittorrent:
$ iptables -t filter -A INPUT -p tcp -m tcp --dport 6881:6889 -j ACCEPT

# samba (only connections from the lan are accepted); note -i, since -o is
# not valid in the INPUT chain
$ iptables -t filter -A INPUT -i eth0 -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 137:139 -j ACCEPT
$ iptables -t filter -A INPUT -i eth0 -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 137:139 -j ACCEPT
# log all other attempted incoming connections
$ iptables -t filter -A INPUT -i eth0 -j LOG
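The LOG rule above writes one KEY=VALUE line per packet to the kernel log, prefixed by whatever --log-prefix was given. The following added Python parser (example code, not from these notes) turns such lines into dicts and summarises which sources hit which ports; the sample log lines, host name "bigboy" and the "INPUT-DROP: " prefix are constructed for the example, using documentation address ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of what /var/log/messages shows for
#   iptables -A INPUT -i eth0 -j LOG --log-prefix "INPUT-DROP: "
# The last line is an unrelated sshd message that the parser must skip.
SAMPLE_LOG = """\
Mar  3 10:14:01 bigboy kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:0f:ea:91:04:08:00:0f:ea:91:04:07:08:00 SRC=203.0.113.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4321 DF PROTO=TCP SPT=51234 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:14:02 bigboy kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4322 DF PROTO=TCP SPT=51235 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:14:05 bigboy kernel: INPUT-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=5353 DPT=53 LEN=20
Mar  3 10:14:06 bigboy kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=4323 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Mar  3 10:14:07 bigboy sshd[2201]: Accepted publickey for root from 192.168.0.216 port 40112
"""

# Everything between "kernel: " and the first "IN=" is the --log-prefix.
LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)")


def parse_log_line(line):
    """Return a dict for an iptables LOG line, or None for other syslog lines.

    Bare flags such as DF or SYN become True; KEY=VALUE pairs are kept as
    strings. A repeated key (UDP's second LEN, ICMP's second ID) keeps the
    first value, which is the IP-header one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"prefix": m.group("prefix").strip()}
    for tok in ("IN=" + m.group("rest")).split():
        key, sep, value = tok.partition("=")
        fields.setdefault(key, value if sep else True)
    return fields


def summarise(log_text):
    """Count logged packets per source and per (source, proto, dport)."""
    by_src, by_port = Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        by_src[f["SRC"]] += 1
        if f["PROTO"] in ("TCP", "UDP"):
            by_port[(f["SRC"], f["PROTO"], int(f["DPT"]))] += 1
    return by_src, by_port


def scanning_sources(log_text, min_ports=2):
    """Sources whose dropped TCP packets touched at least min_ports distinct
    destination ports: the pattern the port-scan lockout later in these
    notes is meant to catch."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f and f["PROTO"] == "TCP":
            ports[f["SRC"]].add(int(f["DPT"]))
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    by_src, by_port = summarise(SAMPLE_LOG)
    print("per source:", dict(by_src))
    print("per port:", dict(by_port))
    print("scan-like sources:", scanning_sources(SAMPLE_LOG))
```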
NAT
# setup IP forwarding and nat
$ iptables -t nat -P POSTROUTING ACCEPT
$ iptables -t nat -P PREROUTING ACCEPT
# 6891:6900 = msn file transfers
# 192.168.0.1 = gateway
# 192.168.0.216 = client in network
$ iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 6891:6900 -j DNAT --to-destination 192.168.0.216:6891-6900
$ iptables -t nat -A PREROUTING -i eth1 -p udp -m udp --dport 6891:6900 -j DNAT --to-destination 192.168.0.216:6891-6900
$ iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Policy
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

Tables
$IPTABLES -N tcp_packets
$IPTABLES -N icmp_packets
$IPTABLES -N udpincoming_packets

IP Masquerade
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

Squid transparent proxy
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -A PREROUTING -t nat -i ppp0 -p tcp --dport 80 -j REDIRECT --to-port 3128
smtp
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j ACCEPT
www
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j ACCEPT
https
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j ACCEPT
mail
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 465 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 993 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 995 -j ACCEPT
wlan vpn
$IPTABLES -A wlan_packets -p UDP -s 0/0 --dport 5000 -j ACCEPT
$IPTABLES -A wlan_packets -p ALL -j DROP
iptables blocking with mac address
Drop all connections coming from mac address 00:0F:EA:91:04:08 (add the command to your firewall script)
$ iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
iptables allowing with mac address
Allow port 22 for mac address 00:0F:EA:91:04:07
$ iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
General syntax (time-based rules):
$ iptables RULE -m time --timestart TIME --timestop TIME --days DAYS -j ACTION
Where,

--timestart TIME: Time start value. Format is 00:00-23:59 (24 hours format)

--timestop TIME: Time stop value.

--days DAYS: Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun; default everyday)
An example
Suppose you would like to allow incoming ssh access only from Monday to Friday between 9 AM and 6 PM. Then you need to use iptables as follows:
Input rule:
$ iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 202.54.1.20 --dport 22 -m state --state NEW,ESTABLISHED -m time --timestart 09:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
Output rule:
$ iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 22 -d 0/0 --dport 513:65535 -m state --state ESTABLISHED -m time --timestart 09:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
Force SYN packets check
Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:
$ iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Force Fragments packets check
Drop incoming fragmented packets. This attack can result in a Linux server panic and data loss.
$ iptables -A INPUT -f -j DROP
XMAS packets
Drop incoming malformed XMAS packets:
$ iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop all NULL packets
Drop incoming malformed NULL packets:
$ iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Protect against SYN floods by rate limiting the number of new connections from any host to 60 per second. This does *not* do rate limiting overall, because then someone could easily shut us down by saturating the limit.
$ iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn \
  -m recent --name synflood --set
$ iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn \
  -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP
The same can be achieved in ipfw using the dummynet shaper:
# Direct SYN
ipfw pipe 500 config bw 64Kbit/s queue 5
ipfw add 500 pipe 500 tcp from any to any in setup
Port scanning
A lot of hosts try to port scan my server these days, looking for open services they can try to exploit. Since I run very few services on my server, what I like to do is look for port connections to a commonly scanned port (port 139, for Windows File Sharing), and then block the hosts who attempt the connection from talking to my server for an entire day. The rule is quite simple using the iptables recent module:
Anyone who tried to port scan us is locked out for an entire day.
$ iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
$ iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
Once the day has passed, remove them from the portscan list
$ iptables -A INPUT -m recent --name portscan --remove
$ iptables -A FORWARD -m recent --name portscan --remove
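Both the SYN-flood limit above and this port-scan lockout rely on the recent module's --set, --update, --rcheck and --remove semantics, so here is one added Python simulation of that module (example code, not from these notes or from the kernel) run over constructed packet streams. The RecentList class, the timestamps and the "trigger" rule that puts a port-139 prober on the list (the notes' text describes it but show no rule for it) are assumptions of the example; one caveat it encodes is that xt_recent refuses a --hitcount larger than its ip_pkt_list_tot module parameter (default 20), so the notes' --hitcount 60 rule needs that parameter raised.

```python
from collections import deque


class RecentList:
    """One '-m recent --name <list>': per source address the kernel keeps
    the timestamps of its last ip_pkt_list_tot hits (default 20), newest
    first. This class models that table in memory."""

    def __init__(self, name, pkt_list_tot=20):
        self.name = name
        self.pkt_list_tot = pkt_list_tot
        self.entries = {}                      # src -> deque of hit times

    def set(self, src, now):                   # --set
        hits = self.entries.setdefault(src, deque(maxlen=self.pkt_list_tot))
        hits.appendleft(now)
        return True

    def rcheck(self, src, now, seconds=None, hitcount=1):
        """--rcheck [--seconds N] [--hitcount M]: match when src is listed
        and at least M of its remembered hits are no older than N seconds."""
        hits = self.entries.get(src)
        if not hits:
            return False
        fresh = [t for t in hits if seconds is None or now - t <= seconds]
        return len(fresh) >= hitcount

    def update(self, src, now, seconds=None, hitcount=1):
        """--update: as --rcheck, but a match also refreshes the entry."""
        if self.rcheck(src, now, seconds, hitcount):
            self.entries[src].appendleft(now)
            return True
        return False

    def remove(self, src):                     # --remove
        return self.entries.pop(src, None) is not None


def synflood_filter(syns, hitcount=60, seconds=1):
    """The two SYN-flood rules from the notes applied to (time, src) SYNs:
      -m recent --name synflood --set
      -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP
    pkt_list_tot is raised to hitcount, as the real module requires."""
    synflood = RecentList("synflood", pkt_list_tot=hitcount)
    verdicts = []
    for now, src in syns:
        synflood.set(src, now)
        dropped = synflood.update(src, now, seconds=seconds, hitcount=hitcount)
        verdicts.append("DROP" if dropped else "ACCEPT")
    return verdicts


def portscan_lockout(events, seconds=86400):
    """Port-scan quarantine from the notes on (time, src, dport) events:
      -m recent --name portscan --rcheck --seconds 86400 -j DROP
      -m recent --name portscan --remove
    plus an assumed trigger (not in the notes): a packet to port 139 puts
    its source on the list and is dropped."""
    portscan = RecentList("portscan")
    verdicts = []
    for now, src, dport in events:
        if portscan.rcheck(src, now, seconds=seconds):
            verdicts.append("DROP")             # still inside the lockout
            continue
        portscan.remove(src)                    # entry older than a day: forget it
        if dport == 139:
            portscan.set(src, now)              # assumed trigger rule
            verdicts.append("DROP")
            continue
        verdicts.append("ACCEPT")
    return verdicts


def sample_syns():
    """Constructed stream: one host sends 65 SYNs within 0.65 s, another
    sends 5 SYNs one second apart (documentation address ranges)."""
    flood = [(i * 0.01, "203.0.113.5") for i in range(65)]
    slow = [(float(i), "198.51.100.9") for i in range(5)]
    return sorted(flood + slow)


def sample_events():
    """Constructed (time, src, dport) events for the lockout."""
    return [
        (0, "203.0.113.5", 139),      # probe of port 139: listed and dropped
        (5, "198.51.100.9", 22),      # unrelated host: allowed
        (10, "203.0.113.5", 22),      # within the day: dropped
        (86401, "203.0.113.5", 22),   # a day later: entry removed, allowed
    ]


if __name__ == "__main__":
    syns = sample_syns()
    print("SYN flood drops:", synflood_filter(syns).count("DROP"), "of", len(syns))
    print("port-scan verdicts:", portscan_lockout(sample_events()))
```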
CLOSE INCOMING TCP
$IPTABLES -A tcp_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 -j DROP
CLOSE INCOMING UDP
$IPTABLES -A udpincoming_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -j DROP


DNS


DNS Basics
Finding a single server out of all of the servers on the Internet is like trying to find a single file on a drive with thousands of files. In both cases it helps to have some hierarchy built into the directory to log

Contraseña:ically group things. The DNS "namespace" is hierarchical in the same type of upside-down tree structure seen with file systems. Just as you have the root of a partition or drive, the DNS namespace has a root which is signified by a period.

When specifying the absolute path to a file in a file system you start at the root and go to the file:
/etc/bind/named.conf
When specifying the absolute path to a server in the DNS namespace you start at the server and go to the root:
www.aboutdebian.com.
Note that period after the 'com' as it's important. It's how you specify the root of the namespace. An absolute path in the DNS namespace is called a FQDN (Fully Qualified Domain Name). The use of FQDNs is prevalent in DNS configuration files and it's important that you always use that trailing period.
Internet resources are usually specified by a domain name and a server hostname. The www part of a URL is often the hostname of the Web server (or it could be an alias to a server with a different hostname). DNS is basically just a database with records for these hostnames. The directory for the entire telephone system is not stored in one huge phone book. Rather, it is broken up into many pieces with each city having, and maintaining, its piece of the entire directory in its phone book. By the same token, pieces of the DNS directory database (the "zones") are stored, and maintained, on many different DNS servers located around the Internet. If you want to find the telephone number for a person in Poughkeepsie, you'd have to look in the Poughkeepsie telephone book. If you want to find the IP address of the www server in the somedomain.com domain, you'd have to query the DNS server that stores the DNS records for that domain.

The entries in the database map a host/domain name to an IP address. Here is a simplistic logical view of the type of information that is stored (we'll get to the A, CNAME, and MX designations in a bit).
A      www.theirdomain.com      172.29.183.103
MX     mail.theirdomain.com     172.29.183.217
A      debian.yourdomain.com    10.177.8.3
CNAME  www.yourdomain.com       10.177.8.3
MX     debian.yourdomain.com    10.177.8.3

This is why a real Internet server needs a static (unchanging) IP address. The IP address of the server's NIC connected to the Internet has to match whatever address is in the DNS database. Dynamic DNS does provide a way around this for home servers however, which we'll see later.
When you want to browse to www.theirdomain.com your DNS server (the one you specify in the TCP/IP configuration on your desktop computer) most likely won't have a DNS record for the theirdomain.com domain so it has to contact the DNS server that does. When your DNS server contacts the DNS server that has the DNS records (referred to as "resource records" or "zone records") for theirdomain.com your DNS server gets the IP address of the www server and relays that address back to your desktop computer. So which DNS server has the DNS records for a particular domain?
When you register a domain name with someone like Network Solutions, one of the things they ask you for are the server names and addresses of two or three "name servers" (DNS servers). These are the servers where the DNS records for your domain will be stored (and queried by the DNS servers of those browsing to your site). So where do you get the "name servers" information for your domain? Typically, when you host your Web site using a Web hosting service they not only provide a Web server for your domain's Web site files but they will also provide a DNS server to store your domain's DNS records. In other words, you'll want to know who your Web hosting provider is going to be before you register a domain name (so you can enter the provider's DNS server information in the name servers section of the domain name registration application).
You'll see the term "zone" used in DNS references. Most of the time a zone just equates to a domain. The only times this wouldn't be true is if you set up subdomains and set up separate DNS servers to handle just those subdomains. For example, a company would set up the subdomains us.theirdomain.com and europe.theirdomain.com and would "delegate" a separate DNS server to each one of them. In the case of these two DNS servers their zone would be just the subdomains. The zone of the DNS server for the parent theirdomain.com (which would contain the servers www.theirdomain.com and mail.theirdomain.com) would only contain records for those few machines in the parent domain.
Note that in the above example "us" and "europe" are subdomains while "www" and "mail" are hostnames of servers in the parent domain.
Once you've got your Web site up and running on your Web hosting provider's servers and someone surfs to your site, the DNS server they specified in their local TCP/IP configuration will query your hosting provider's DNS servers to get the IP address for your Web site. The DNS servers that host the DNS records for your domain, i.e. the DNS servers you specify in your domain name registration application, are the authoritative DNS servers for your domain. The surfer's DNS server queries one of your site's authoritative DNS servers to get an address and gets an authoritative response. When the surfer's DNS server relays the address information back to the surfer's local PC it is a "non-authoritative" response because the surfer's DNS server is not an authoritative DNS server for your domain.
Domains and Delegation
The Domain Name System uses a tree (or hierarchical) name structure. At the top of the tree is the root node followed by the Top Level Domains (TLDs), then the Second Level Domains (SLD) and any number of lower levels, each separated with a dot.
Note: The root of the tree is represented most of the time as a silent dot (.), but there are times when it is VERY important.
TLDs are split into two types:
1. Generic Top Level Domains (gTLD): For example, .com, .edu, .net, .org, .mil, etc.
2. Country Code Top Level Domains (ccTLD): For example, .us, .ca, .tv, .uk, etc. Country Code TLDs use a standard two-letter sequence defined by ISO 3166. (Figure 1-1)
DNS name resolution is nothing but resolving host names, such as www.nixcraft.com, to their corresponding IP addresses. DNS works as the "phone book" for the Internet by translating hostnames into IP addresses or vice versa. Most DNS servers store the following information:
a) Hostnames and their IP addresses
b) List of mail servers and their IP addresses for a given domain name
c) Anti-spam configuration and much more.
Without DNS name resolution, nothing will work on the Internet. Nobody likes to remember IP addresses, so DNS is the foundation of many Internet services such as web, proxy, email and so on.

Resolving DNS names to IP addresses
When you type www.yahoo.com into a web browser, the application has to find out the IP address associated with www.yahoo.com. Each part of the network has DNS servers or name servers. Each application sends a request called a dns lookup to the DNS server. Each DNS server has limited information about hostnames and IP addresses. Almost all DNS servers constantly query each other to get information using root servers.
Each computer is configured to query a specific name server. Usually home computers are configured to query ISP name servers or free dns name servers. Here is a typical UNIX/Linux /etc/resolv.conf file with name server IP addresses:
$ cat /etc/resolv.conf
Sample output:
nameserver 208.67.222.222
nameserver 208.67.220.220
Each application can find the www.yahoo.com IP address by sending a request to the 208.67.222.222 or 208.67.220.220 IP address. This procedure is called hostname resolution and the algorithm that performs this operation is called the resolver. Let us see how to find out the IP address for the freebsd.nixcraft.in hostname:
1. The web browser will check the local cache database to find out the answer. If it can get an answer directly from these, it proceeds no further.
2. Otherwise the request will be sent to the name server IP 208.67.222.222 to find the IP address for the freebsd.nixcraft.in host.
3. The 208.67.222.222 server will decide if that IP has been recently looked up before. If it has, there is no need to ask further, since the result would be stored in a local cache.
4. 208.67.222.222 will see if the domain is local, i.e. if it is a computer that it has direct information about. In this case this would only be true if 208.67.222.222 were Obsidian's very own name server.
5. 208.67.222.222 will strip out the TLD (Top Level Domain) .in. It will query a root name server, asking what name server is responsible for .IN. Depending upon the answer 208.67.222.222 will query the authoritative server for the IP address.
6. 208.67.222.222 will return the result to the application.
7. 208.67.222.222 will store each of these results in a local cache with an expiry date, to avoid having to look them up a second time.

Caching name server
To run a caching only name server, the following files are required and must be created or copied to the appropriate directories on your server.

Copy the named.conf file to the /etc/ directory.
Copy the db.127.0.0 file to the /var/named/ directory.
Copy the db.cache file to the /var/named/ directory.
Copy the named script file to the /etc/rc.d/init.d/ directory.

To run a master name server, the following files are required and must be created or copied to the appropriate directories on your server.

Copy the named.conf file to the /etc/ directory.
Copy the db.127.0.0 file to the /var/named/ directory.
Copy the db.cache file to the /var/named/ directory.
Copy the db.208.164.186 file to the /var/named/ directory.
Copy the db.altnix file to the /var/named/ directory.
Copy the named script file to the /etc/rc.d/init.d/ directory.

To run a slave name server, the following files are required and must be created or copied to the appropriate directories on your server.

Copy the named.conf file to the /etc/ directory.
Copy the db.127.0.0 file to the /var/named/ directory.
Copy the db.cache file to the /var/named/ directory.
Copy the named script file to the /etc/rc.d/init.d/ directory.

Linux DNS and BIND Server
Caching only name Server
Setting up a caching server for client local machines will reduce the load on the site's primary server. A caching only name server will find the answer to name queries and remember the answer the next time we need it. This will shorten the waiting time the next time significantly. For security reasons, it is very important that DNS doesn't exist between hosts on the corporate network and external hosts; it is far safer to simply use IP addresses to connect to external machines from the corporate network and vice versa.
In our configuration and installation we'll run BIND/DNS as a non-root user and in a chrooted environment. We also provide you three different configurations:

one for a simple caching name server only (client)
one for a slave (secondary) server
one for a master name server (primary server).

The simple caching name server configuration will be used for your servers that don't act as a master or slave name server, and the slave and master configurations will be used for your servers that act as a master name server and slave name server. Usually one of your servers acts as master, another one acts as slave and the rest act as simple caching client name servers.
This is a graphical representation of the DNS configuration we use in this book. We try to show you different settings on different servers. A lot of possibilities exist, an

Figure: Caching Only DNS / Master DNS / Slave DNS (diagram not reproduced in this text)

Caching only name servers are servers not authoritative for any domains except 0.0.127.in-addr.arpa, the localhost. A caching only name server can look up names inside and outside your zone, as can primary and slave name servers. The difference is that when a caching only name server initially looks up a name within your zone, it ends up asking one of the primary or slave name servers for your zone for the answer.
The necessary files to set up a simple caching name server are:

named.conf
db.127.0.0
db.cache
named script

To configure the /etc/named.conf file for a simple caching name server, use this for all servers that don't act as a master or slave name server. Setting up a simple caching server for local client machines will reduce the load on the network's primary server. Many users on dialup connections may use this configuration along with bind for such a purpose. Create the named.conf file, touch /etc/named.conf and add the following lines to the file:
options {
        directory "/var/named";
        forwarders { 208.164.186.1; 208.164.186.2; };
        forward only;
};
//
// a caching only nameserver config
zone "." in {
        type hint;
        file "db.cache";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127.0.0";
};
In the forwarders line, 208.164.186.1 and 208.164.186.2 are the IP addresses of your Primary (Master) and Secondary (Slave) DNS servers. They can also be the IP addresses of your ISP's DNS server and another DNS server, respectively.
TIP: To improve the security of your BIND/DNS server you can stop it from even trying to contact an off-site server if their forwarder is down or doesn't respond. With the forward only option set in your named.conf file, the name server doesn't try to contact other servers to find out information if the forwarder doesn't give it an answer.
To configure the /var/named/db.127.0.0 file for a simple caching name server, you can use this configuration for all machines on your network that don't act as a master or slave name server. The db.127.0.0 file covers the loopback network. Create the following file in /var/named/, touch /var/named/db.127.0.0 and add the following lines to the file:
$TTL 345600
@       IN      SOA     localhost. root.localhost. (
                        00              ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        2592000         ; Expire
                        345600 )        ; Minimum
        IN      NS      localhost.
1       IN      PTR     localhost.
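To show what BIND actually makes of this file, and why the trailing period stressed in the DNS Basics section matters, here is an added Python zone-file parser (example code, not from these notes or from BIND). It handles $TTL, the parenthesised multi-line SOA, ';' comments, '@' for the origin, inherited owner names and the rule that a name without a trailing dot is relative to the origin; the origin 0.0.127.in-addr.arpa is taken from the named.conf above, and the embedded zone text is the file from the notes.

```python
# The db.127.0.0 file from the notes, embedded here so the example runs offline.
DB_127_0_0 = """\
$TTL 345600
@       IN      SOA     localhost. root.localhost. (
                        00              ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        2592000         ; Expire
                        345600 )        ; Minimum
        IN      NS      localhost.
1       IN      PTR     localhost.
"""


def qualify(name, origin):
    """A name ending in '.' is already a FQDN; '@' is the origin itself;
    anything else is relative and gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (default_ttl, records); a record is (owner, ttl, type, rdata)."""
    if not origin.endswith("."):
        origin += "."
    lines = [line.split(";", 1)[0].rstrip() for line in text.splitlines()]
    default_ttl, records, owner, i = None, [], origin, 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip():
            continue
        tokens = line.split()
        # parenthesised rdata (the SOA) continues on the following lines
        while any("(" in t for t in tokens) and not any(")" in t for t in tokens):
            tokens += lines[i].split()
            i += 1
        tokens = [t.strip("()") for t in tokens if t.strip("()")]
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if line[0] not in " \t":            # owner present; else inherit the last one
            owner = qualify(tokens.pop(0), origin)
        ttl = default_ttl
        if tokens[0].isdigit():             # optional per-record TTL
            ttl = int(tokens.pop(0))
        if tokens[0].upper() == "IN":       # optional class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "SOA":
            rdata = ([qualify(rdata[0], origin), qualify(rdata[1], origin)]
                     + [int(n) for n in rdata[2:7]])
        elif rtype in ("NS", "PTR", "CNAME"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [int(rdata[0]), qualify(rdata[1], origin)]
        records.append((owner, ttl, rtype, rdata))
    return default_ttl, records


def suspicious_names(text):
    """Dotted names in the raw file that lack the trailing period: BIND
    would silently append the origin to them (ns1.altnix.com becomes
    ns1.altnix.com.0.0.127.in-addr.arpa.), the classic zone-file mistake.
    IPv4 addresses are dotted too and are skipped."""
    found = []
    for line in text.splitlines():
        for tok in line.split(";", 1)[0].split():
            if "." in tok and not tok.endswith(".") and not tok.replace(".", "").isdigit():
                found.append(tok)
    return found


if __name__ == "__main__":
    ttl, recs = parse_zone(DB_127_0_0, "0.0.127.in-addr.arpa")
    print("default TTL:", ttl)
    for rec in recs:
        print(rec)
    print("suspicious names:", suspicious_names(DB_127_0_0))
```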
Configure the /var/named/db.cache file for a simple caching name server before starting your DNS server. You must take a copy of the db.cache file and copy this file to the /var/named/ directory. The db.cache tells your server where the servers for the root zone are.
Use the following command on another Unix computer in your organization to query a new db.cache file for your DNS Server or pick one from your Red Hat Linux CD-ROM source distribution:
[root@deep]# dig @a.root-servers.net . ns > db.cache

Primary
master

nameServer
Aprimarymasternameserverforazonereadsthedataforthezone
fromafileonit'shostandareauthoritativeforthatzone.The
necessaryfilestosetupaprimarymasternameserverare:
named.conf
db.127.0.0
db.208.164.186
db.altnix
db.cache
namedscript
Toconfigurethe/etc/named.conffileforamasternameserver,use
thisconfigurationfortheserveronyournetworkthatactsasa
masternameserver.AftercompilingDNS,youneedtosetupa
primarydomainnameforyourserver.We'llusealtnix.comasan
exampledomain,andassumeyouareusingIPnetworkaddressof
208.164.186.0.Todothis,addthefollowinglinestoyour
/etc/named.conf.Createthenamed.conffiletouch/etc/named.conf
andadd:

options{
directory"/var/named";
fetchglueno;
recursionno;
allowquery{208.164.186/24;127.0.0/8;};
allowtransfer{208.164.186.2;};
transferformatmanyanswers;
};

236

b.sadhiq
www.altnix.com


// These files are not specific to any zone
zone "." in {
    type hint;
    file "db.cache";
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "db.127.0.0";
};

// These are our primary zone files
zone "altnix.com" in {
    type master;
    file "db.altnix";
};

zone "186.164.208.in-addr.arpa" in {
    type master;
    file "db.208.164.186";
};

The fetch-glue no option can be used in conjunction with the
option recursion no to prevent the server's cache from growing or
becoming corrupted. Also, disabling recursion puts your name
server into a passive mode, telling it never to send queries on
behalf of other name servers or resolvers. A non-recursive name
server is very difficult to spoof, since it doesn't send queries,
and hence doesn't cache any data.

In the allow-query line, 208.164.186/24 and 127.0.0/8 are the IP
addresses allowed to ask ordinary questions to the server.

In the allow-transfer line, 208.164.186.2 is the IP address
allowed to receive zone transfers from the server. You must ensure
that only your real slave name servers can transfer zones from your
name server, as the information provided is often used by spammers
and IP spoofers.

NOTE: The options recursion no, allow-query, and allow-transfer in
the named.conf file above are security features.
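As an added illustration (not part of the original notes), the Python below parses the options block of a named.conf and flags the two weaknesses the notes warn about: recursion left enabled on a server that is not a forward-only cache, and zone transfers not restricted to the real slaves. The three configurations embedded in it are constructed: the caching-only and master option blocks from the text above, plus a deliberately weak one. The parser only handles the options statement with one level of nested braces, which is all these examples need.

```python
import re

# Constructed sample: the caching-only options block from the notes above.
CACHING_CONF = """
options {
    directory "/var/named";
    forwarders { 208.164.186.1; 208.164.186.2; };
    forward only;
};
"""

# Constructed sample: the master server options block from the notes above.
MASTER_CONF = """
options {
    directory "/var/named";
    fetch-glue no;
    recursion no;
    allow-query { 208.164.186/24; 127.0.0/8; };
    allow-transfer { 208.164.186.2; };
    transfer-format many-answers;
};
"""

# Constructed weak config: recursion left at its default (yes) and zone
# transfers open to anyone, the situation the notes warn about.
WEAK_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};
"""


def parse_options(conf: str) -> dict:
    """Return the statements inside the top-level options { ... } block as a
    dict of name -> value; a braced address list becomes a Python list.
    Only one level of nested braces (the address lists) is handled."""
    conf = re.sub(r"//.*", "", conf)          # strip // comments
    m = re.search(r"options\s*\{", conf)
    if not m:
        return {}
    start = i = m.end()
    depth = 1
    while i < len(conf) and depth:
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
        i += 1
    body = conf[start:i - 1]
    opts = {}
    # a statement is either "name value;" or "name { item; item; };"
    for stmt in re.finditer(r"([\w-]+)\s*(\{[^}]*\}|[^;{]+);", body):
        name, value = stmt.group(1), stmt.group(2).strip()
        if value.startswith("{"):
            value = [v.strip() for v in value[1:-1].split(";") if v.strip()]
        opts[name] = value
    return opts


def review_options(conf: str) -> list:
    """Flag settings that make the server an open recursive resolver or an
    open zone-transfer source. Returns a list of finding strings."""
    opts = parse_options(conf)
    findings = []
    forward_only = opts.get("forward") == "only"
    # A forward-only cache must recurse to its forwarders; anything else
    # that still has recursion on (BIND's default) answers for anyone.
    if opts.get("recursion", "yes") != "no" and not forward_only:
        findings.append("recursion is enabled (default yes): the server will "
                        "resolve on behalf of every address allow-query admits")
    if "allow-query" not in opts and not forward_only:
        findings.append("allow-query not set: any address may query")
    xfer = opts.get("allow-transfer")
    if xfer is None:
        findings.append("allow-transfer not set: zone transfers open to any host")
    elif any(v.lower() == "any" for v in xfer):
        findings.append("allow-transfer { any; }: zone transfers open to any host")
    return findings


if __name__ == "__main__":
    for label, conf in (("caching", CACHING_CONF), ("master", MASTER_CONF),
                        ("weak", WEAK_CONF)):
        print(label, review_options(conf) or ["no findings"])
```

On the master block the checker is silent; the caching block draws one note because it never restricts transfers, and the weak block draws all three.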

To configure the /var/named/db.127.0.0 file for a master and slave
name server, you can use this configuration file for both a master
name server and a slave name server. The db.127.0.0 file covers the
loopback network. Create the following file in /var/named/.

Create the db.127.0.0 file, touch /var/named/db.127.0.0 and add:

; Revision History: April 22, 1999 - admin@mail.altnix.com
; Start of Authority (SOA) records.
$TTL 345600
@       IN SOA  deep.altnix.com. admin.mail.altnix.com. (
                00          ; Serial
                86400       ; Refresh
                7200        ; Retry
                2592000     ; Expire
                345600 )    ; Minimum

; Name Server (NS) records.
        NS      deep.altnix.com.
        NS      mail.altnix.com.

; only One PTR record.
1       PTR     localhost.

To configure the /var/named/db.208.164.186 file for a master name
server, use this configuration for the server on your network that
acts as a master name server. The file db.208.164.186 maps host
names to addresses. Create the following file in /var/named/.

Create the db.208.164.186 file, touch /var/named/db.208.164.186 and
add:

; Revision History: April 22, 1999 - admin@mail.altnix.com
; Start of Authority (SOA) records.
$TTL 345600
@       IN SOA  deep.altnix.com. admin.mail.altnix.com. (
                00          ; Serial
                86400       ; Refresh
                7200        ; Retry
                2592000     ; Expire
                345600 )    ; Minimum

; Name Server (NS) records.
        NS      deep.altnix.com.
        NS      mail.altnix.com.

; Addresses Point to Canonical Names (PTR) for Reverse lookups
1       PTR     deep.altnix.com.
2       PTR     mail.altnix.com.
3       PTR     www.altnix.com.

To configure the /var/named/db.altnix file for a master name
server, use this configuration for the server on your network that
acts as a master name server. The file db.altnix maps addresses to
host names. Create the following file in /var/named/.

Create the db.altnix file, touch /var/named/db.altnix and add:

; Revision History: April 22, 1999 - admin@mail.altnix.com
; Start of Authority (SOA) records.
$TTL 345600
@       IN SOA  deep.altnix.com. admin.mail.altnix.com. (
                00          ; Serial
                86400       ; Refresh
                7200        ; Retry
                2592000     ; Expire
                345600 )    ; Minimum

; Name Server (NS) records.
        NS      deep.altnix.com.
        NS      mail.altnix.com.

; Mail Exchange (MX) records.
        MX 0    mail.altnix.com.

; Address (A) records.
localhost   A   127.0.0.1
deep        A   208.164.186.1
mail        A   208.164.186.2
www         A   208.164.186.3

; Aliases in Canonical Name (CNAME) records.
;www        CNAME   deep.altnix.com.
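The zone files above share one layout: a $TTL line, ';' comments, a parenthesised multi-line SOA, and then one record per line where a line that starts with whitespace inherits the owner name of the record before it. As an added example (not code from the original notes), this Python parser reads the db.altnix file reconstructed from the text above (embedded as a constructed sample) and checks the SOA timer relationships that make slaves misbehave. The check_soa rules are this example's own sanity checks, not anything BIND enforces; the parser knows only the record types in TYPES and does not handle $ORIGIN.

```python
# Constructed sample: the db.altnix zone file from the notes above.
DB_ALTNIX = """\
; Revision History: April 22, 1999 - admin@mail.altnix.com
; Start of Authority (SOA) records.
$TTL 345600
@       IN SOA  deep.altnix.com. admin.mail.altnix.com. (
                00          ; Serial
                86400       ; Refresh
                7200        ; Retry
                2592000     ; Expire
                345600 )    ; Minimum
; Name Server (NS) records.
        NS      deep.altnix.com.
        NS      mail.altnix.com.
; Mail Exchange (MX) records.
        MX 0    mail.altnix.com.
; Address (A) records.
localhost   A   127.0.0.1
deep        A   208.164.186.1
mail        A   208.164.186.2
www         A   208.164.186.3
; Aliases in Canonical Name (CNAME) records.
;www        CNAME   deep.altnix.com.
"""

CLASSES = {"IN", "CH", "HS"}
TYPES = {"SOA", "NS", "MX", "A", "PTR", "CNAME", "AAAA", "TXT"}


def zone_entries(text: str) -> list:
    """Split a zone file into logical entries as token lists. Comments are
    stripped and a parenthesised record (the SOA) is joined into one entry;
    the $TTL line comes through as ['$TTL', '345600']."""
    entries, buf, depth = [], [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0]          # drop the comment part
        if not line.strip():
            continue
        for tok in line.replace("(", " ( ").replace(")", " ) ").split():
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                buf.append(tok)
        if depth == 0:                        # record complete
            entries.append(buf)
            buf = []
    return entries


def parse_zone(text: str) -> dict:
    """Return {'ttl': int, 'records': [(owner, type, rdata_tokens), ...]}.
    An entry whose first token is a class or type keyword has no owner
    field and reuses the previous owner, as real zone files do."""
    ttl, records, owner = None, [], "@"
    for toks in zone_entries(text):
        if toks[0] == "$TTL":
            ttl = int(toks[1])
            continue
        if toks[0] not in CLASSES and toks[0] not in TYPES:
            owner, toks = toks[0], toks[1:]
        if toks[0] in CLASSES:                # optional class field
            toks = toks[1:]
        records.append((owner, toks[0], toks[1:]))
    return {"ttl": ttl, "records": records}


def check_soa(zone: dict) -> list:
    """Sanity-check the SOA fields listed in the notes. Returns problems."""
    soa = [r for r in zone["records"] if r[1] == "SOA"]
    if len(soa) != 1 or len(soa[0][2]) != 7:
        return ["zone must have exactly one SOA record with 7 fields"]
    mname, rname, serial, refresh, retry, expire, minimum = soa[0][2]
    refresh, retry, expire = int(refresh), int(retry), int(expire)
    problems = []
    if not serial.isdigit():
        problems.append("serial must be numeric")
    if retry >= refresh:
        problems.append("retry should be shorter than refresh")
    if expire <= refresh:
        problems.append("expire must exceed refresh or slaves drop the zone")
    if not (mname.endswith(".") and rname.endswith(".")):
        problems.append("MNAME and RNAME should be fully qualified")
    return problems


if __name__ == "__main__":
    zone = parse_zone(DB_ALTNIX)
    print("TTL", zone["ttl"], "records", len(zone["records"]))
    print("SOA problems:", check_soa(zone) or "none")
```

Feeding it the db.127.0.0 or db.208.164.186 files above works the same way, since those use the identical SOA and inherited-owner layout.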

To configure the /var/named/db.cache file for a master and slave
name server: before starting your DNS server you must take a copy
of the db.cache file and copy it into the /var/named/ directory.
The db.cache tells your server where the servers for the root zone
are.

Use the following command on another Unix computer in your
organization to query a new db.cache file for your DNS server, or
pick one from your Red Hat Linux CD-ROM source distribution:

[root@deep]/# dig @a.root-servers.net . ns > db.cache

Don't forget to copy the db.cache file to the /var/named/ directory
on your server where you're installing the DNS server after retrieving
it over the Internet.
Dig
http://www.madboa.com/geek/dig/
NSTrace
http://www.dollardns.net/cgibin/nstrace/index.pl?
DnsCrawler
http://www.dollardns.net/cgibin/dnscrawler/index.pl?
whois
http://whois.dollardns.net/domain.pl?
http://www.dollardns.net/index.html?
http://www.dollardns.net/compare.html

Apache

What is Apache?
Apache is an open source web server (HTTP server)
Apache serves up web pages (HTML) and most any other content
that can be accessed via a web browser.
It runs on Linux and Windows
Apache is the number one web server on the internet today and has
been since 1996.
In fact, 70% of all Internet web sites run on the Apache web server

Let's talk about the history of the Apache web server
It was originally developed at the National Center for Supercomputing
Applications at the University of Illinois by Robert McCool in
around 1991. But it quickly became public domain.
Robert McCool left NCSA in 1995 and the httpd web server was not
maintained officially, so a loosely organised group of developers
around the world came together to exchange patches, updates and
fixes.
Apache was created around 1995 by a group of webmasters who got
together to create patches for the old httpd server in Unix.
Today, that group is called the Apache Software Foundation.
The home page for Apache is http://httpd.apache.org

The source and compiled versions of Apache are all free

Why Apache

high Performance
Open Source
Free
Unrestrictive license
  can be modified and redistributed with another name
  i.e. Covalent Apache, IBM http server
Runs on linux/unix/windows

Apache HTTP Server

version 1.3
+ single thread process model
Version 2.0
+ multi thread support (SMP)
+ support for non-unix platforms using MPM modules
  MPM -> Multi Processing Modules
+ supports IPV6
+ new API
  meant easier for writing 3rd party modules

Difference between IIS & Apache
Apache: First, Apache doesn't install a lot of extra programs. A
default Apache build doesn't install any Apache modules
(extensions) at all, just a basic web server.
IIS: By default, Windows 2000 and IIS install seven external
Dynamic Link Library (DLL) files plus FrontPage server extensions.
Apache: Apache components, if they're installed, run as a
non-privileged user, so if a buffer overflow occurs, damage is
minimal. Conversely, Microsoft IIS allows system-level access,
thereby potentially granting root (superuser) permission. Any user,
even a remote one, who has root permission can access, change, and
delete any file anywhere on the system.
IIS: If the Internet Information Server (IIS) process dies on a
Windows Web server, no further requests are served until the
process is restarted.
Apache: If a single Apache process dies, only the request being
served by that process is affected. This approach has an obvious
advantage over Web servers that use a single process to respond to
all requests.

Installing Apache
Red Hat Linux or Fedora Linux installs the Apache web server by
default. You can, of course, choose not to install it at installation
time if you wish.
Apache is, however, disabled by default. In other words, it isn't
running.
RHEL or Fedora does not, however, install the 31 optional related
applications that go along with Apache. You can install these from
the Package Manager application.
Administering Apache
The Apache web server has its own configuration directory,
/etc/httpd/
Inside this directory, there are subdirectories and soft links to
other directories.
The actual configuration file for Apache is at /etc/httpd/conf/
and it is called httpd.conf
All log files go to /var/log/httpd
The httpd.conf can be edited manually.
Apache can be started manually by typing "httpd" at the command
line but the recommended way to start it is using the Services
program.
The "DocumentRoot" directory (/var/www/html/) is where the default
web site is located.
Apache can also deliver users' web pages. This is defined with the
"UserDir" directive and users' directories can be accessed through
Apache like this:
http://www.altnix.com/~sadhiq
Apache can also support Virtual hosting with the "VirtualHost"
directive
-> the web server serves many different web sites
Apache cannot be run from a Super Server like xinetd.
To administer Apache, a GUI tool is available: system-config-httpd

SPECS
Package: httpd
Version: 2.2
Conf file: /etc/httpd/conf/httpd.conf
DocumentRoot for storing web pages: /var/www/html
Apache Modules: /etc/httpd/modules/
                /usr/lib/httpd/modules/
Commands:
1. Syntax Check
$ apachectl configtest
OR
$ httpd -t
2. check compiled-in modules
$ httpd -l
Service:
$ service httpd start
OR
$ apachectl start
Four main directories:
/etc/httpd/conf/
/etc/httpd/conf.d/
/etc/httpd/logs/
-> symlink to /var/log/httpd/
/etc/httpd/modules

Packages included in RHEL:
$ rpm -qa | grep httpd
httpd-manual-2.0.52-19.ent
httpd-2.0.52-19.ent
system-config-httpd-1.3.1-1
httpd-suexec-2.0.52-19.ent

Configuration Files
/etc/httpd/conf/httpd.conf   Main Apache Configuration File
/etc/logrotate.d/httpd       Log rotation File
/etc/httpd/conf.d            Contains items that have been included for
                             different types of application
Files under /etc/httpd/conf.d
perl.conf
php.conf (CGI scripting language)
python.conf (CGI scripting language)
ssl.conf (how ssl is to be implemented)
webalizer.conf (analysis software)
welcome.conf (in the event of an attempt to access the URL
which has no default document)

Quick way: web server configuration
$ cd /var/www/html
$ vi index.html

<html>
<head>
<title>
Quick way: web server configuration
</title>
</head>
<body>
Quick way: web server configuration: IP
</body>
</html>

$ service httpd restart
$ links http://<IP_of_the_webserver>

Dedicated web server configuration: altnix.com
$ cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf_ORIG
$ vi /etc/httpd/conf/httpd.conf

# default
ServerRoot "/etc/httpd"
# default
Listen 80
ServerName www.altnix.com:80
ServerAdmin john@altnix.com
# default
User apache
# default
Group apache
# set folder for the web pages
DocumentRoot "/var/www/html"
# set the name of the file that is first read
DirectoryIndex index.html

$ apachectl configtest
OR
$ httpd -t
Start the http service
$ service httpd restart
OR
$ apachectl restart
Confirm the httpd daemon is running on port 80
$ netstat -antp | grep :80
Test from the client machine
linux> links http://www.altnix.com
make httpd start on bootup
$ chkconfig --level 35 httpd on
What is Virtual Hosting

Virtual Hosting is the ability to host multiple separate web sites
with one Apache Server
Each site is separate from each other, with different DocumentRoot,
log files, permissions, etc
Two types of Virtual Hosting
1. IP based virtual Hosts
   Each IP corresponds to its own individual web site
   IP based VH is where each virtual host has its own IP
   address
   + single server
     -> One Apache Daemon, handling multiple web sites
   + multiple server
     -> Two or more independent Apache daemons, each one
        handling a specific web site
2. Name based virtual hosts
   Name based virtual hosts are used for hosting multiple
   web sites on the same web server IP address.

Name Based Virtual Hosting
Scenario:
+ champu.local
+ funny.local
both the web sites running on the same ip address
in my case: 192.168.10.111
Note: Make sure the DNS 'A' records of champu.local and funny.local
resolve to 192.168.10.111
$ mkdir /var/www/html/champu.local
$ cd /var/www/html/champu.local
$ vi index.html

<html>
<head>
<title>
MY FIRST HTML PAGE: CHAMPU: NAME BASED
</title>
</head>
<body>
MY FIRST HTML PAGE: CHAMPU: NAME BASED
</body>
</html>

$ mkdir /var/www/html/funny.local
$ cd /var/www/html/funny.local
$ vi index.html

<html>
<head>
<title>
MY FIRST HTML PAGE: FUNNY: NAME BASED
</title>
</head>
<body>
MY FIRST HTML PAGE: FUNNY: NAME BASED
</body>
</html>

$ vi /etc/httpd/conf/httpd.conf

NameVirtualHost 192.168.10.111:80

<VirtualHost 192.168.10.111:80>
    ServerAdmin webmaster@champu.local
    DocumentRoot /var/www/html/champu.local/
    ServerName champu.local
    ErrorLog logs/champu.local_error_log
    CustomLog logs/champu.local_access_log common
</VirtualHost>
<VirtualHost 192.168.10.111:80>
    ServerAdmin webmaster@funny.local
    DocumentRoot /var/www/html/funny.local
    ServerName funny.local
    ErrorLog logs/funny.local_error_log
    CustomLog logs/funny.local_access_log common
</VirtualHost>

$ httpd -t
$ service httpd restart
IP Based Virtual Hosting: Single Server Configuration
Note: Make sure the DNS 'A' record of champu.local resolves
to 192.168.10.111 and funny.local to 192.168.10.222
Scenario:
+ champu.local
  Resolves to 192.168.10.111
+ funny.local
  Resolves to 192.168.10.222

1. Create IP alias
# cd /etc/sysconfig/network-scripts/
# cp ifcfg-eth0 ifcfg-eth0:0
# vi ifcfg-eth0:0
DEVICE=eth0:0
BOOTPROTO=static
BROADCAST=192.168.10.255
IPADDR=192.168.10.222
NETMASK=255.255.255.0
NETWORK=192.168.10.0
ONBOOT=yes

2. Bring the Alias IP up
# ifup eth0:0

3. Edit the httpd.conf file
# vi /etc/httpd/conf/httpd.conf

NameVirtualHost 192.168.10.111:80
<VirtualHost 192.168.10.111:80>
    ServerAdmin webmaster@champu.local
    DocumentRoot /var/www/html/champu.local/
    ServerName champu.local
    ErrorLog logs/champu.local_error_log
    CustomLog logs/champu.local_access_log common
</VirtualHost>
NameVirtualHost 192.168.10.222:80
<VirtualHost 192.168.10.222:80>
    ServerAdmin webmaster@funny.local
    DocumentRoot /var/www/html/funny.local
    ServerName funny.local
    ErrorLog logs/funny.local_error_log
    CustomLog logs/funny.local_access_log common
</VirtualHost>

$ cd /var/www/html/champu.local
$ vi index.html

<html>
<head>
<title>
MY FIRST HTML PAGE: CHAMPU: IP BASED: 192.168.10.111
</title>
</head>
<body>
MY FIRST HTML PAGE: CHAMPU: IP BASED: 192.168.10.111
</body>
</html>

$ cd /var/www/html/funny.local
$ vi index.html

<html>
<head>
<title>
MY FIRST HTML PAGE: FUNNY: IP BASED: 192.168.10.222
</title>
</head>
<body>
MY FIRST HTML PAGE: FUNNY: IP BASED: 192.168.10.222
</body>
</html>

$ service httpd restart
================================================

IP Based Virtual Hosting: Multiple Server Configuration
Scenario
+ champu.local
  Resolves to 192.168.10.111 on port 80
+ funny.local
  Resolves to 192.168.10.222 on port 8080
================================================

1. vi /etc/httpd/conf/httpd.conf

Listen 192.168.10.111:80
Listen 192.168.10.222:8080
NameVirtualHost 192.168.10.111:80
<VirtualHost 192.168.10.111:80>
    ServerAdmin webmaster@champu.local
    DocumentRoot /var/www/html/champu.local/
    ServerName champu.local
    ErrorLog logs/champu.local_error_log
    CustomLog logs/champu.local_access_log common
</VirtualHost>
NameVirtualHost 192.168.10.222:8080
<VirtualHost 192.168.10.222:8080>
    ServerAdmin webmaster@funny.local
    DocumentRoot /var/www/html/funny.local
    ServerName funny.local
    ErrorLog logs/funny.local_error_log
    CustomLog logs/funny.local_access_log common
</VirtualHost>

2. $ cd /var/www/html/champu.local
3. $ vi index.html

<html>
<head>
<title>
MY FIRST HTML PAGE: CHAMPU: IP BASED: 192.168.10.111, PORT: 80
</title>
</head>
<body>
MY FIRST HTML PAGE: CHAMPU: IP BASED: 192.168.10.111, PORT: 80
</body>
</html>

4. # cd /var/www/html/funny.local
5. # vi index.html

<html>
<head>
<title>
MY FIRST HTML PAGE: FUNNY: IP BASED: 192.168.10.222, PORT: 8080
</title>
</head>
<body>
MY FIRST HTML PAGE: FUNNY: IP BASED: 192.168.10.222, PORT: 8080
</body>
</html>

Test from the client machine
linux$> links http://www.champu.local
linux$> links http://www.funny.local:8080

1st WAY: Set up password protection inside httpd.conf
$ mkdir /var/www/html/champu.local/noaccess
$ vi index.html

<html>
<head>
<title>
CHAMPU: RESTRICTED ACCESS PAGE
</title>
</head>
<body>
CHAMPU: RESTRICTED ACCESS PAGE
</body>
</html>

$ vi /etc/httpd/conf/httpd.conf

<VirtualHost 192.168.10.111:80>
    ServerAdmin webmaster@champu.local
    DocumentRoot /var/www/html/champu.local/
    ServerName champu.local
    <Directory /var/www/html/champu.local/noaccess>
        AuthName "Restricted Site"
        AuthType Basic
        AuthUserFile /var/www/html/champu.local/.passwords
        require valid-user
    </Directory>
    ErrorLog logs/champu.local_error_log
    CustomLog logs/champu.local_access_log common
</VirtualHost>

Notes:
Basic  -> Standard username/password combination.
Digest -> MD5 encrypted username/password combinations.
$ htpasswd -c /var/www/html/champu.local/.passwords champu
-> Give access to user john also
-> adds the user "john" to the password file
   /var/www/html/champu.local/.passwords
$ htpasswd -m /var/www/html/champu.local/.passwords john
Test
$ links http://www.champu.local/noaccess
-> Prompts for username/passwd
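Added example (not code from the original notes): a small Python reader for the VirtualHost blocks shown above that answers two questions worth asking of such a configuration. First, which virtual host Apache picks for a given connection and Host header, including its rule that the first VirtualHost listed for an address:port serves requests whose Host matches no ServerName. Second, whether an AuthUserFile lies inside a DocumentRoot, as the .passwords file above does; Apache serves such a file like any other unless a Files or Directory section denies access to it, so the audit lists every such path. The configuration embedded below is constructed from the name-based and password-protection examples above.

```python
import re

# Constructed sample: the name-based hosts from the notes above, with the
# password-protected noaccess directory added to the first one.
HTTPD_CONF = """
NameVirtualHost 192.168.10.111:80

<VirtualHost 192.168.10.111:80>
    ServerAdmin webmaster@champu.local
    DocumentRoot /var/www/html/champu.local/
    ServerName champu.local
    <Directory /var/www/html/champu.local/noaccess>
        AuthName "Restricted Site"
        AuthType Basic
        AuthUserFile /var/www/html/champu.local/.passwords
        require valid-user
    </Directory>
    ErrorLog logs/champu.local_error_log
    CustomLog logs/champu.local_access_log common
</VirtualHost>
<VirtualHost 192.168.10.111:80>
    ServerAdmin webmaster@funny.local
    DocumentRoot /var/www/html/funny.local
    ServerName funny.local
    ErrorLog logs/funny.local_error_log
    CustomLog logs/funny.local_access_log common
</VirtualHost>
"""


def parse_vhosts(conf: str) -> list:
    """Return one dict per <VirtualHost> block, in file order:
    {'addr', 'port', 'name', 'root', 'authfiles'}."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+([\w.*]+):(\d+)>(.*?)</VirtualHost>",
                         conf, re.S):
        body = m.group(3)

        def directive(name, body=body):
            d = re.search(r"^\s*%s\s+(\S+)" % name, body, re.M)
            return d.group(1) if d else None

        vhosts.append({
            "addr": m.group(1),
            "port": int(m.group(2)),
            "name": directive("ServerName"),
            "root": directive("DocumentRoot"),
            "authfiles": re.findall(r"^\s*AuthUserFile\s+(\S+)", body, re.M),
        })
    return vhosts


def select_vhost(vhosts: list, dest_ip: str, dest_port: int, host_header: str):
    """Mimic Apache's name-based choice: among the vhosts bound to the
    address:port the connection arrived on, pick the one whose ServerName
    matches the Host header; with no match, the FIRST one listed for that
    address:port is used. Returns its ServerName, or None when nothing is
    bound to that address:port."""
    host = host_header.split(":", 1)[0].lower()      # drop any :port
    bound = [v for v in vhosts
             if v["port"] == dest_port and v["addr"] in (dest_ip, "*")]
    for v in bound:
        if v["name"] and v["name"].lower() == host:
            return v["name"]
    return bound[0]["name"] if bound else None


def audit_authfiles(vhosts: list) -> list:
    """Return AuthUserFile paths that live under any DocumentRoot, i.e.
    password files Apache would serve unless separately denied."""
    roots = [v["root"].rstrip("/") + "/" for v in vhosts if v["root"]]
    return [f for v in vhosts for f in v["authfiles"]
            if any(f.startswith(r) for r in roots)]


if __name__ == "__main__":
    vh = parse_vhosts(HTTPD_CONF)
    print(select_vhost(vh, "192.168.10.111", 80, "funny.local"))
    print(select_vhost(vh, "192.168.10.111", 80, "unknown.example"))
    print("password files under a DocumentRoot:", audit_authfiles(vh))
```

The fix for what the audit reports is to keep the password file outside every DocumentRoot (for example under /etc/httpd/) and point AuthUserFile there.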

Troubleshooting Apache
Checking the Logs
If there is something wrong with your Apache, but you have no idea
how to figure out what's wrong, your first clues will be in the log
files. There are a few log files around. All of them are located
inside /var/log/httpd/

access_log
67.185.0.236 - - [18/Jun/2005:12:05:50 -0700] "GET / HTTP/1.0" 200 721
10.0.1.80 - - [18/Jun/2005:12:11:07 -0700] "GET /~jaspenelle/__journal1.jpg HTTP/1.1" 200 19079
66.239.233.163 - - [18/Jun/2005:12:15:06 -0700] "GET /~jaspenelle/avy14.gif HTTP/1.0" 200 1661
67.185.60.155 - - [18/Jun/2005:12:18:48 -0700] "GET / HTTP/1.0" 200 721
67.185.0.236 - - [18/Jun/2005:12:25:39 -0700] "GET / HTTP/1.0" 200 721
10.0.1.80 - - [18/Jun/2005:12:28:04 -0700] "GET /~jaspenelle/avy14.gif HTTP/1.1" 200 1661
10.0.1.80 - - [18/Jun/2005:12:28:46 -0700] "GET /~jaspenelle/avy7.png HTTP/1.1" 200 13066

This file is simply a listing of every file requested from your
server. Unless you have changed the default configuration, it will
be in Common Log Format:

Common Log Format syntax
remotehost rfc931 authuser [date] "request" status bytes

remotehost   Remote hostname or IP address
rfc931       The remote logname of the user.
authuser     The username as which the user has authenticated
             himself.
[date]       Date and time of the request.
"request"    The request line exactly as it came from the client.
status       The HTTP status code returned to the client.
bytes        The content length of the document transferred.
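As an added example (not part of the original notes), here is a Python parser for the Common Log Format lines above, with a summary that totals hits and bytes per client and lists clients whose requests were mostly errors, which is the place to start when access_log shows repeated requests for files that do not exist. The first seven log lines are copied from the excerpt above; the three lines for 10.0.1.99 are constructed.

```python
import re
from collections import Counter

# Constructed sample: the access_log excerpt from the notes above, plus
# three constructed lines for a client that only draws 403/404 responses.
ACCESS_LOG = """\
67.185.0.236 - - [18/Jun/2005:12:05:50 -0700] "GET / HTTP/1.0" 200 721
10.0.1.80 - - [18/Jun/2005:12:11:07 -0700] "GET /~jaspenelle/__journal1.jpg HTTP/1.1" 200 19079
66.239.233.163 - - [18/Jun/2005:12:15:06 -0700] "GET /~jaspenelle/avy14.gif HTTP/1.0" 200 1661
67.185.60.155 - - [18/Jun/2005:12:18:48 -0700] "GET / HTTP/1.0" 200 721
67.185.0.236 - - [18/Jun/2005:12:25:39 -0700] "GET / HTTP/1.0" 200 721
10.0.1.80 - - [18/Jun/2005:12:28:04 -0700] "GET /~jaspenelle/avy14.gif HTTP/1.1" 200 1661
10.0.1.80 - - [18/Jun/2005:12:28:46 -0700] "GET /~jaspenelle/avy7.png HTTP/1.1" 200 13066
10.0.1.99 - - [18/Jun/2005:12:30:01 -0700] "GET /nothere.html HTTP/1.1" 404 294
10.0.1.99 - - [18/Jun/2005:12:30:02 -0700] "GET /old/ HTTP/1.1" 404 294
10.0.1.99 - - [18/Jun/2005:12:30:03 -0700] "GET /.passwords HTTP/1.1" 403 294
"""

# One named group per CLF field:
# remotehost rfc931 authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<remotehost>\S+) (?P<rfc931>\S+) (?P<authuser>\S+) '
    r'\[(?P<date>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_clf(line: str):
    """Parse one Common Log Format line into a dict, or return None when the
    line does not match. Apache writes '-' for an unknown byte count; that
    becomes 0 so totals still add up."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def summarize(log: str) -> dict:
    """Per-client hit and byte totals, plus the clients for which more than
    half of the responses were 4xx/5xx (the ones to look up in error_log)."""
    hits, served, errors = Counter(), Counter(), Counter()
    for line in log.splitlines():
        rec = parse_clf(line)
        if rec is None:            # unparseable line: skip, do not crash
            continue
        hits[rec["remotehost"]] += 1
        served[rec["remotehost"]] += rec["bytes"]
        if rec["status"] >= 400:
            errors[rec["remotehost"]] += 1
    suspicious = sorted(h for h in hits if errors[h] * 2 > hits[h])
    return {"hits": dict(hits), "bytes": dict(served), "suspicious": suspicious}


if __name__ == "__main__":
    s = summarize(ACCESS_LOG)
    for host, n in sorted(s["hits"].items()):
        print(f"{host:16} {n:3} hits {s['bytes'][host]:7} bytes")
    print("mostly errors:", s["suspicious"])
```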
error_log
[Mon Feb 07 23:33:18 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Mon Feb 07 23:33:18 2005] [notice] Digest: generating secret for digest authentication ...
[Mon Feb 07 23:33:18 2005] [notice] Digest: done
[Mon Feb 07 23:33:18 2005] [notice] Apache/2.0.52 (Gentoo/Linux) PHP/4.3.10 configured -- resuming normal operations
[Sat Jun 18 13:01:54 2005] [error] [client 10.0.1.80] File does not exist: /var/www/localhost/htdocs/favicon.ico
[Sat Jun 18 13:02:14 2005] [error] [client 10.0.1.80] File does not exist: /var/www/localhost/htdocs/favicon.ico
[Sat Jun 18 13:02:18 2005] [error] [client 10.0.1.80] File does not exist: /var/www/localhost/htdocs/favicon.ico
[Sat Jun 18 13:02:21 2005] [error] [client 10.0.1.80] File does not exist: /var/www/localhost/htdocs/favicon.ico
[Sat Jun 18 13:02:24 2005] [error] [client 10.0.1.80] File does not exist: /var/www/localhost/htdocs/favicon.ico

As you can see, this file can contain a lot of stuff, depending on
the ErrorLevel directive in your httpd.conf file. It tells you if
Apache started up correctly, what errors it has run into, and so on.
In general it will tell you what went wrong. If something isn't
working right, this should be the first file you check for more
information.

Tips and Tricks of my trade
Restart Apache Server without affecting existing connections
Sometimes you want to restart your Apache server after changing
some configuration in your virtual hosts, sites etc, but you have a
few hundred clients currently downloading files from your server
and you don't want to disconnect them.
You need to use the following command
$ service httpd graceful
This will gracefully restart your Apache with the new configuration
without affecting your clients' connections.

Performance tuning
The Apache HTTP Server is a modular program where the administrator
can choose the functions to be included in the server by selecting
a set of modules [2]. The modules can be compiled either statically
as part of the 'httpd' binary, or as Dynamic Shared Objects (DSOs).
DSO modules can either be compiled when the server is built, or
added later via the apxs utility, which allows compilation at a
later date. The mod_so module must be statically compiled into the
Apache core to enable DSO support.

Run Apache with only the required modules. This reduces the memory
footprint, which improves the server performance. Statically
compiling modules will save RAM that's used for supporting
dynamically loaded modules, but you would have to recompile Apache
to add or remove a module. This is where the DSO mechanism comes in
handy. Once the mod_so module is statically compiled, any other
module can be added or dropped using the 'LoadModule' command in
the 'httpd.conf' file. Of course, you will have to compile the
modules using 'apxs' if they weren't compiled when the server was
built.

Choose appropriate MPM:
The Apache server ships with a selection of Multi-Processing
Modules (MPMs) which are responsible for binding to network ports
on the machine, accepting requests, and dispatching children to
handle the requests [3]. Only one MPM can be loaded into the server
at any time.
Choosing an MPM depends on various factors, such as whether the OS
supports threads, how much memory is available, scalability versus
stability, whether non-thread-safe third-party modules are used,
etc.
Linux systems can choose to use a threaded MPM like worker or a
non-threaded MPM like prefork:
The worker MPM uses multiple child processes. It's multi-threaded
within each child, and each thread handles a single connection.
Worker is fast and highly scalable and the memory footprint is
comparatively low. It's well suited for multiple processors. On the
other hand, worker is less tolerant of faulty modules, and a faulty
thread can affect all the threads in a child process.
The prefork MPM uses multiple child processes; each child handles
one connection at a time. Prefork is well suited for single or
double CPU systems, speed is comparable to that of worker, and it's
highly tolerant of faulty modules and crashing children, but the
memory usage is high, and more traffic leads to greater memory
usage.

Multi Thread
A thread is a process within a process. Multiple threads reside
within a single process. Threading has several advantages:

Resources (memory, etc.) can be shared between threads.

Multiple threads can execute simultaneously.

In Apache 1.3's case, the lack of multiple threads means that a
separate process must be used to respond to each incoming request.
This approach has an obvious advantage over Web servers that use a
single process to respond to all requests: If the Internet
Information Server (IIS) process dies on a Windows Web server, no
further requests are served until the process is restarted. If a
single Apache process dies, only the request being served by that
process is affected.
The administrator must ensure that enough processes are available
to handle incoming requests without forking new ones, but not so
many that the system hits resource limits. Several directives in
the Apache configuration file accomplish this:

The MaxClients setting limits the number of Apache processes
that will be created. Typically, memory is the limitation on this
setting. If your Apache process takes up 20MB of memory, and you
have 1000MB of free RAM, you could have up to 50 Apache processes
(1000MB / 20MB = 50).

The MinSpareServers and MaxSpareServers settings keep a number
of processes waiting around, to avoid the delay imposed by forking
a new process. New processes are forked continually to keep the
number of available servers between these thresholds, but incoming
HTTP requests do not have to wait for processes to be forked
because spares are available.
To account for differences between platforms, while retaining the
reliability of multiple processes, Apache 2.0 provides several
different models for controlling Apache processes and threads in
the form of Multi-Processing Modules (MPMs):

The prefork MPM replicates the single-threaded behavior of
Apache 1.3. This is the default MPM for UNIX systems.

The worker MPM "implements a hybrid multi-threaded multi-process
Web server." Several processes are started, each with a
fixed number of threads. Processes are started or stopped as
necessary to regulate the total number of threads.

The perchild MPM regulates the total number of threads by
varying the number of threads in each process. This MPM also allows
Apache processes to operate as multiple user IDs, which can be
useful for managing several virtual hosts.

http://httpd.apache.org/docs/2.0/mpm.html
http://httpd.apache.org/docs/2.0/mod/worker.html
http://httpd.apache.org/docs/2.0/misc/perf-tuning.html
http://httpd.apache.org/docs/2.2/mod/prefork.html
http://books.google.co.in/books?id=cnDuw7GV4uYC&pg=PA180&lpg=PA180&dq=Difference+between++worker+MPM+%26+prefork+MPM&source=web&ots=4hKq5VQwf&sig=HocOBWL7lUwRrWjup1cp7sbf4eI&hl=en&sa=X&oi=book_result&resnum=5&ct=result#PPA186,M1
http://tldp.org/LDP/LGNET/123/vishnu.html#MPM
http://www.howtoforge.com/configuring_apache_for_maximum_performance
KeepAlive and KeepAliveTimeout:

KeepAlive:
This directive takes "on"/"off" as its parameter: in simple terms,
whether you want to use the feature or not. For example, once you
visit a site (www.something.com), there would be a number of
connections from your machine to the remote machine (on port 80).
Once the browser has finished fetching pages, the socket will be closed
(if KeepAlive is off). If you click on a link on that page, another
connection will be initiated. Remember that opening/closing a socket
requires some overhead from the OS, and from Apache itself (the same
applies to closing the sockets).

KeepAliveTimeout:
KeepAliveTimeout determines how long a persistent connection will
be kept open.
The number of seconds Apache will wait for a subsequent request
before closing the connection. Once a request has been received,
the timeout value specified by the Timeout directive
applies. Setting KeepAliveTimeout to a high value may cause
performance problems in heavily loaded servers. The higher the
timeout, the more server processes will be kept occupied waiting on
connections with idle clients.

Apache monitoring
wtop -> search for it
ab
is a tool for benchmarking your Apache HTTP server.

apachectl
is a front end to the Apache HTTP server which is designed to help
the administrator control the functioning of the Apache httpd
daemon.

apxs
is a tool for building and installing extension modules for the
Apache HTTP server.

dbmmanage
is used to create and update the DBM format files used to store
usernames and passwords for basic authentication of HTTP users.

htdigest
is used to create and update the flat files used to store
usernames, realms and passwords for digest authentication of HTTP
users.

htpasswd
is used to create and update the flat files used to store usernames
and passwords for basic authentication of HTTP users.

httpd
is the Apache HTTP server program.

instdso.sh
is a script which installs Apache DSO modules.

logresolve
is a post-processing program to resolve IP addresses in Apache's
access log files.

rotatelogs
is a simple program for use in conjunction with Apache's piped log
file feature.

SendMail

Sendmail queries the database version of the file, such as Berkeley
DB:
/etc/mail/access.db
Berkeley DB should be installed to support sendmail reading the DB
files
# file /etc/mail/access*
# rpm -qa | grep -i db
Package Version/Name: db4-4.2.
/etc/mail/helpfile
SMTP commands
e.g. telnet localhost 25
HELP
/etc/mail/local-host-names
To know how to handle the domains which are considered to be
local
So it handles routing for
localhost
localhost.domain
FQDN, in my case postfix.altnix.com
192.168.10.30
127.0.0.1
The default MTA accepts messages for all the above
/var/spool/mail/
contains a mailbox per user
e.g. /var/spool/mail/~username
Traditional Unix Mbox

Sendmail uses a macro language called m4. As sendmail
configuration is so complex, it is abstracted to a macro utility using
m4
/etc/mail/sendmail.mc
You can make changes and configure in sendmail.mc
sendmail.mc is much easier to understand

/etc/mail/sendmail.cf
Sendmail's main configuration file
/etc/mail/sendmail.mc
dnl -> way of commenting

Sendmail is separated into two daemons:
$ ps ax | grep -i sendmail
One accepts connections
e.g. sendmail: accepting connections on port 25
The other runs the queue
e.g. sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
01:00 -> 1 minute

mails get stored in /var/spool/clientmqueue; the queue runner daemon
wakes up every 1 minute
/var/spool/clientmqueue is owned by smmsp
smmsp -> sendmail mail submission program
So users on our local system put the mail in the local queue
/var/spool/clientmqueue, which gets scanned every 1 minute by
the queue runner
/etc/mail/trusted-users
users that can send mail as others without a warning. Able to
rewrite the from section without sendmail complaining

/etc/mail/virtusertable
Allows us to set up virtual domains
e.g.
champu@postfix.altnix.com    champu (local account)

So we have given you a brief introduction to the default
implementation of sendmail within the Red Hat framework

generate a message and sendmail delivers the mail
to the user champu
# which mutt
Mutt is a great client and by default it reads mbox format but also
has the ability to interact with Maildirs, which is a newer and more
robust way of storing mail messages.
However there is an environment variable set which mutt relies
upon
$ set | grep -i mutt
MAIL=/var/spool/mail/root
This environment variable should point to the proper user's mailbox
As root you can read anyone's mailbox
$ which sendmail
$ ls -l /usr/sbin/sendmail
$ ls -l /etc/alternatives/mta

SENDMAIL is monolithic. It handles all messaging, binding to the MTA
port as well as local delivery
$ ps -ef | grep sendmail
You could see various instances (processes) but all are tied to the
same binary
By default sendmail accepts mails from local users and delivers them to
local and remote users

Configure the mail server to accept internet email
1. Allowing Sendmail to accept mails from the network
$ vi /etc/mail/sendmail.mc
search for 127.0, put dnl at the front of the line
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

2. Convert the Macro based file
$ cd /etc/mail
$ make
OR
$ cd /etc/mail
$ m4 sendmail.mc > sendmail.cf
3. Restart the Sendmail Service
$ service sendmail restart
4. Send a test mail

$ su champu
$ mail tree
Subject:
<data here: mail content>
.   <to end the mail>
telnet localhost 25
helo altnix.com
mail from: <champu@altnix.com>
rcpt to: <tree@lwqmail.altnix.com>
data

Hey TEST MAIL FROM TELNET
.
quit

[root@lwqmail mail]# vi /etc/aliases
tree: champu
tree: tree,champu
$ newaliases

ACL
Allow for altnix.com
Allow for 192.168.10.0/24
Deny for dummy.org

$ vi /etc/mail/access
@altnix.com       RELAY
192.168.10.       RELAY
@dummy.org        REJECT
$ postmap /etc/mail/access
$ service sendmail restart

Q: Mail alias
A: modify /etc/aliases, run newaliases

Q: Receive mail for altnix.com
A: modify sendmail.mc as above, and add the domain to /etc/mail/local-host-names
$ vi /etc/mail/local-host-names
altnix.com

Debugging:
mail -v root
mailq, mailq -Ac
sendmail -q
tail -f /var/log/maillog

Configure for pop3 (or imap)
A: 1) install dovecot
   2) vi /etc/dovecot.conf
      protocols = pop3
   3) service dovecot restart
   4) chkconfig dovecot on

Testing:
note: root is not permitted to login
echo "pop" | mail -s test student

telnet localhost 110
user student
pass student
stat
list
retr 1
quit

Set up an SMTP server
john's mails should be spooled to /var/spool/mail/john
Your server should accept mails from remote networks [internet]
1. $ cd /etc/mail/
2. $ cp sendmail.mc sendmail.mc.org
3. $ cp sendmail.cf sendmail.cf.org
4. $ vi /etc/mail/sendmail.mc

Find this line:
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
add the word dnl to the beginning so it looks like this:
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

$ m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
$ chkconfig --level 35 sendmail on
$ service sendmail restart

john's mails should be spooled to /var/spool/mail/john
Nothing to do. This is done by default by sendmail*
$ netstat -antp | grep :25
127.0.0.1:25
-> previous output, before you run the m4 command
0.0.0.0:25
-> after your m4 command the output will look like this
Your local domain is altnix.com. Configure the sendmail server for
your local LAN by following these conditions:
Relay the mail from the 192.168.10.0/24 network
If any mail is coming from the dummy.com domain, block all mails
user5's mail should be received by user2 and himself

1. Edit /etc/mail/local-host-names
altnix.com
2. $ vi /etc/mail/sendmail.mc
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
$ m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
$ vi /etc/mail/access
192.168.10        RELAY
@dummy.com        REJECT
$ chkconfig --level 35 sendmail on
$ service sendmail restart
Edit /etc/dovecot.conf
protocols = imap imaps pop3 pop3s
$ chkconfig --level 35 dovecot on
$ service dovecot restart
$ vi /etc/aliases
user5: user2
$ newaliases

All mails to altnix.com should be received by the dhoni user
$ vi /etc/mail/virtusertable
@altnix.com       dhoni
$ service sendmail restart
$ chkconfig --level 35 sendmail on
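The access file entries above decide per sender domain or per client IP prefix, and sendmail tries the more specific keys first: for an address the full user@domain, then the domain and each of its parent domains; for an IP the full address, then successively shorter dotted prefixes. The Python below is an added, simplified model of that lookup order (not sendmail's code; the tagged Connect:/From:/To: key forms are left out). Two points of sendmail usage it follows: a domain is keyed as altnix.com without a leading @, which is the form sendmail's access map documents, and the .db file is built with sendmail's own tool, makemap hash /etc/mail/access < /etc/mail/access. The table embedded is constructed from the ACL above plus one full-address key.

```python
# Constructed sample: the ACL from the notes above in access-map form
# (domain keys without "@", an IP keyed as a dotted prefix), plus one
# full-address key to show that it wins over its domain.
ACCESS_FILE = """\
# key                      action
altnix.com                 RELAY
192.168.10                 RELAY
dummy.org                  REJECT
spammer@mail.example.net   REJECT
"""


def parse_access(text: str) -> dict:
    """Parse the flat access file into {key: ACTION}; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip().upper()
    return table


def candidates(subject: str) -> list:
    """Keys tried for one lookup, most specific first (simplified model of
    sendmail's order). IPv4: the full address then shorter dotted prefixes.
    Address or host name: the full string, then the domain and each parent."""
    subject = subject.lower()
    if subject.replace(".", "").isdigit():             # IPv4 address
        octets = subject.split(".")
        return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    keys = [subject]
    domain = subject.split("@", 1)[1] if "@" in subject else subject
    labels = domain.split(".")
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    return list(dict.fromkeys(keys))                   # drop duplicates, keep order


def lookup(table: dict, subject: str, default: str = "OK") -> str:
    """Decide for a sender address, host name or connecting IP. OK accepts
    mail for local delivery only, RELAY also allows forwarding, REJECT
    refuses it; the default applies when no key matches."""
    for key in candidates(subject):
        if key in table:
            return table[key]
    return default


if __name__ == "__main__":
    t = parse_access(ACCESS_FILE)
    for who in ("champu@altnix.com", "anyone@news.dummy.org",
                "192.168.10.55", "192.168.11.55", "friend@mail.example.net"):
        print(f"{who:28} -> {lookup(t, who)}")
```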

Create an encapsulated SSL imap server {IMAPS}.
Create an IMAP certificate for your hostname
In [CN], put champu.altnix.com
Only eric should be allowed from .altnix.com
and all from .dummy.com should be denied
OR
User eric should be able to access mail using IMAP over SSL
Create an IMAP certificate for your hostname
Only eric should be allowed from .altnix.com
and all from .dummy.com should be denied

$ vi /etc/dovecot.conf
protocols = pop3 pop3s imap imaps
$ cd /usr/share/ssl/certs
$ mv dovecot.pem dovecot.pem_OLD
$ make dovecot.pem
Country Name (2 letter code) [GB]: IN
State or Province Name (full name) [Berkshire]: Maharashtra
Locality Name (eg, city) [Newbury]: Mumbai
Organization Name (eg, company) [My Company Ltd]: Altnix
Organizational Unit Name (eg, section) []: Admin
Common Name: champu.altnix.com

$ cp dovecot.pem /usr/share/ssl/private
$ service dovecot restart
$ netstat -antp | grep :143
$ netstat -antp | grep :110
$ netstat -antp | grep :993
$ netstat -antp | grep :995
$ chkconfig --level 35 dovecot on

Fighting SPAM
Unsolicited Commercial Email (UCE or SPAM) can be annoying, time
consuming to delete and in some cases dangerous when it contains
viruses and worms. Fortunately there are ways you can use your mail
server to combat SPAM.

Using Public SPAM Blacklists With Sendmail

There are many publicly available lists of known open mail relay
servers and spam generating mail servers on the Internet. Some are
maintained by volunteers, others are managed by public companies,
but in all cases they rely heavily on complaints from spam victims.
Some spam blacklists simply try to determine whether the e-mail is
coming from a legitimate IP address.
The IP addresses of offenders usually remain on the list for six
months to two years. In some cases, to provide additional pressure
on the spammers, the blacklists include not only the offending IP
address but also the entire subnet or network block to which it
belongs. This prevents the spammers from easily switching their
servers' IP addresses to the next available ones on their networks.
Also, if the spammer uses a public data center, it is possible that
their activities could also cause the IP addresses of legitimate
e-mailers to be blacklisted too. It is hoped that these legitimate
users will pressure the data center's management to evict the
spamming customer.

You can configure sendmail to use its dnsbl feature to both query
these lists and reject the mail if a match is found. Here are some
sample entries you can add to your /etc/sendmail.mc file; they
should all be on one line.

RFC-Ignorant: A valid IP address checker.

FEATURE(`dnsbl', `ipwhois.rfc-ignorant.org',`"550 Mail from " $&{client_addr} " refused. Rejected for bad WHOIS info on IP of your SMTP server - see http://www.rfc-ignorant.org/"')

Easynet: An open proxy list.

FEATURE(`dnsbl', `proxies.blackholes.easynet.nl', `"550 5.7.1 ACCESS DENIED to OPEN PROXY SERVER "$&{client_name}" by easynet.nl DNSBL (http://proxies.blackholes.easynet.nl/errors.html)"', `')dnl

Spamcop: A spammer blacklist.

FEATURE(`dnsbl', `bl.spamcop.net', `"450 Mail from " $`'&{client_addr} " refused - see http://spamcop.net/bl.shtml"')

Spamhaus: A spammer blacklist.

FEATURE(`dnsbl',`sbl.spamhaus.org',`Rejected - see http://spamhaus.org/')dnl

Be sure to visit the URLs listed to learn more about the individual
services.
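What the FEATURE(`dnsbl', ...) lines above do for each connecting client, as an added example that is not part of these notes: the client address is reversed, the list zone is appended and the resulting name is looked up. A constructed FAKE_DNS table stands in for the resolver, {client} stands in for sendmail's $&{client_addr} and $&{client_name} macros, and every address used is made up for the demo.

```python
"""Added example (not part of the original notes): what sendmail's
FEATURE(`dnsbl', ...) lines do for a connecting client, run offline.
FAKE_DNS stands in for the resolver and all addresses are constructed."""
import ipaddress

# Constructed resolver: DNSBL query name -> A record (absent = NXDOMAIN).
FAKE_DNS = {
    "8.7.6.5.bl.spamcop.net": "127.0.0.2",
    "8.7.6.5.sbl.spamhaus.org": "127.0.0.2",
    "1.0.0.10.proxies.blackholes.easynet.nl": "127.0.0.2",
    # A parked (dead) list that answers every query with a public address.
    "3.0.2.192.dead.example": "203.0.113.9",
}

# The four lists from the notes, in sendmail.mc order, with their reply text.
# {client} stands in for sendmail's $&{client_addr} / $&{client_name}.
# 550 is a permanent rejection; 450 (spamcop) asks the sender to retry later.
DNSBLS = [
    ("ipwhois.rfc-ignorant.org", "550 Mail from {client} refused. Rejected for "
     "bad WHOIS info on IP of your SMTP server - see http://www.rfc-ignorant.org/"),
    ("proxies.blackholes.easynet.nl", "550 5.7.1 ACCESS DENIED to OPEN PROXY "
     "SERVER {client} by easynet.nl DNSBL "
     "(http://proxies.blackholes.easynet.nl/errors.html)"),
    ("bl.spamcop.net", "450 Mail from {client} refused - see "
     "http://spamcop.net/bl.shtml"),
    ("sbl.spamhaus.org", "550 Rejected - see http://spamhaus.org/"),
]


def dnsbl_query_name(client_addr, zone):
    """'5.6.7.8' under 'bl.spamcop.net' -> '8.7.6.5.bl.spamcop.net'."""
    ip = ipaddress.IPv4Address(client_addr)   # ValueError for anything else
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def is_listed(client_addr, zone, resolver=FAKE_DNS):
    """A client is listed only if the answer lies in 127.0.0.0/8.
    Lists that shut down are sometimes parked on a wildcard that answers
    every name; accepting any answer as 'listed' would then reject all mail."""
    answer = resolver.get(dnsbl_query_name(client_addr, zone))
    return answer is not None and (
        ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"))


def check_client(client_addr, lists=DNSBLS, resolver=FAKE_DNS):
    """Reply for the first list that has the client, as sendmail would send
    it during the SMTP session; None means no list matched and mail is accepted."""
    for zone, reply in lists:
        if is_listed(client_addr, zone, resolver):
            return reply.format(client=client_addr)
    return None
```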
Spamassassin
Once sendmail receives an e-mail message, it hands the message over
to procmail, which is the application that actually places the e-mail
in user mailboxes on the mail server. You can make procmail
temporarily hand over control to another program, such as a spam
filter. The most commonly used filter is spamassassin.
spamassassin doesn't delete spam, it merely adds the word "spam" to
the beginning of the subject line of suspected spam e-mails. You
can then configure the e-mail filter rules in Outlook Express or
any other mail client to either delete the suspect message or store
it in a special Spam folder.

Downloading And Installing Spamassassin
Most RedHat and Fedora Linux software products are available in the
RPM format. When searching for the RPMs, remember that the filename
usually starts with the software package name and is followed by a
version number, as in spamassassin-2.60-2.i386.rpm. (For help
downloading, see Chapter 6, "Installing RPM Software").

Starting Spamassassin
You can use the chkconfig command to get spamassassin configured to
start at boot:
[root@bigboy tmp]# chkconfig --level 35 spamassassin on
To start, stop, and restart spamassassin after booting:
[root@bigboy tmp]# service spamassassin start
[root@bigboy tmp]# service spamassassin stop
[root@bigboy tmp]# service spamassassin restart

Configuring procmail for spamassassin
The /etc/procmailrc file is used by procmail to determine the
procmail helper programs that should be used to filter mail. This
file isn't created by default.
spamassassin has a template you can use called
/etc/mail/spamassassin/spamassassin-spamc.rc. Copy the template to
the /etc directory.
[root@bigboy tmp]# cp /etc/mail/spamassassin/spamassassin-spamc.rc /etc/procmailrc

Configuring Spamassassin
The spamassassin configuration file is named
/etc/mail/spamassassin/local.cf. A full listing of all the options
available in the local.cf file can be found in the Linux man pages
using the following command:
[root@bigboy tmp]# man Mail::SpamAssassin::Conf

You can customize this fully commented sample configuration file to
meet your needs.
###################################################################
# See 'perldoc Mail::SpamAssassin::Conf' for
# details of what can be adjusted.
###################################################################

#
# These values can be overridden by editing
# ~/.spamassassin/user_prefs.cf (see spamassassin(1) for details)
#
# How many hits before a message is considered spam. The lower the
# number the more sensitive it is.
required_hits           5.0

# Whether to change the subject of suspected spam (1=Yes, 0=No)
rewrite_subject         1

# Text to prepend to subject if rewrite_subject is used
subject_tag             *****SPAM*****

# Encapsulate spam in an attachment (1=Yes, 0=No)
report_safe             1

# Use terse version of the spam report (1=Yes, 0=No)
use_terse_report        0

# Enable the Bayes system (1=Yes, 0=No)
use_bayes               1

# Enable Bayes auto-learning (1=Yes, 0=No)
auto_learn              1

# Enable or disable network checks (1=Yes, 0=No)
skip_rbl_checks         0
use_razor2              1
use_dcc                 1
use_pyzor               1

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - english
ok_languages            en

# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales              en

Be sure to restart spamassassin for your changes to take effect.

Testing spamassassin
You can test the validity of your local.cf file by using the
spamassassin command with the --lint option. This will list any
syntax problems that may exist. In this example two errors were
found and corrected before the command was run again.
[root@bigboy tmp]# spamassassin -d --lint
Created user preferences file: /root/.spamassassin/user_prefs
config: SpamAssassin failed to parse line, skipping: use_terse_report 0
config: SpamAssassin failed to parse line, skipping: auto_learn 1
lint: 2 issues detected. please rerun with debug enabled for more
information.
[root@bigboy tmp]# vi /etc/mail/spamassassin/local.cf
...
[root@bigboy tmp]# spamassassin -d --lint
[root@bigboy tmp]#

Startup spamassassin
The final steps are to configure spamassassin to start on booting
and then to start it.
[root@bigboy tmp]# chkconfig spamassassin on
[root@bigboy tmp]# service spamassassin start

SQUID
Squid is...
Offshoot of the Harvest Project
a full-featured Web/FTP Proxy and Cache server
designed to run on Unix systems
free, open source software
the result of many contributions by unpaid (and paid) volunteers

With Squid you can...
Use less bandwidth on your connection when surfing the Web
Reduce latency [time taken to load a web page]
Protect hosts on your intranet by proxying their web traffic
Collect statistics about web traffic on your NW
Prevent users from visiting illegal sites
Ensure that valid users only surf the net
Enhance users' privacy by filtering sensitive info from web requests
Reduce the load on your web servers
Convert encrypted [HTTPS] requests on one side to unencrypted [HTTP] requests on the other

With Squid you CANNOT...
Proxy email [SMTP], instant messaging, or IRC

Squid supports...
proxying and caching of HTTP, FTP, and other
proxying for SSL encrypted traffic
cache hierarchies
ICP, HTCP, CARP, Cache Digests
transparent caching
WCCP (Squid v2.3 and above)
extensive sophisticated access controls
HTTP server acceleration aka surrogate mode
HTTP Interception Caching
SNMP
caching of DNS lookups
URL redirection
traffic shaping
numerous external auth modules
advanced disk storage options
1. Proxy servers

A proxy server is a machine which acts as an intermediary between
the computers of a local area network (sometimes using protocols
other than TCP/IP) and the Internet.
Most of the time the proxy server is used for the web, and when it
is, it's an HTTP proxy. However, there can be proxy servers for
every application protocol (FTP, etc.).

2. The operating principle of a proxy server

The basic operating principle of a proxy server is quite simple: it
is a server which acts as a "proxy" for an application by making a
request on the Internet in its stead. This way, whenever a user
connects to the Internet using a client application configured to
use a proxy server, the application will first connect to the proxy
server and give it its request. The proxy server then connects to
the server which the client application wants to connect to and
sends that server the request. Next, the server gives its reply to
the proxy, which then finally sends it to the application client.

3. Features of a proxy server

Nowadays, by using TCP/IP within local area networks, the relaying
role that the proxy server plays is handled directly by gateways
and routers. However, proxy servers are still being used, as they
have some other features.

4. Caching

Most proxies have a cache, the ability to keep pages commonly
visited by users in memory (or "in cache"), so they can provide
them as quickly as possible. Indeed, the term "cache" is used often
in computer science to refer to a temporary data storage space
(also sometimes called a "buffer").
A proxy server with the ability to cache information is generally
called a "proxy-cache server".
This feature, implemented on some proxy servers, is used both to
reduce Internet bandwidth use and to reduce document loading time
for users.
Nevertheless, to achieve this, the proxy must compare the data it
stores in cached memory with the remote data on a regular basis, in
order to ensure that the cached data is still valid.

5. Filtering

What's more, by using a proxy server, connections can be tracked by
creating logs for systematically recording user queries when they
request connections to the Internet.
Because of this, Internet connections can be filtered, by analysing
both client requests and server replies. When filtering is done by
comparing a client's request to a list of authorised requests, this
is called whitelisting, and when it's done with a list of forbidden
sites, it's called blacklisting. Finally, analysing server replies
that comply with a list of criteria (such as keywords) is called
content filtering.

6. Authentication

As a proxy is an indispensable intermediary tool for internal
network users who want to access external resources, it can
sometimes be used to authenticate users, meaning to ask them to
identify themselves, such as with a username and password. It is
also easy to grant access to external resources only to individuals
authorised to do so, and to record each use of external resources
in log files.
This type of mechanism, when implemented, obviously raises many
issues related to individual liberties and personal rights.

7. Reverse-proxy servers

A reverse-proxy is a "backwards" proxy-cache server; it's a proxy
server that, rather than allowing internal users to access the
Internet, lets Internet users indirectly access certain internal
servers.

The reverse-proxy server is used as an intermediary by Internet
users who want to access an internal website, by sending it
requests indirectly. With a reverse-proxy, the web server is
protected from direct outside attacks, which increases the internal
network's strength. What's more, a reverse-proxy's cache function
can lower the workload of the server it is assigned to, and for
this reason is sometimes called a server accelerator.
Finally, with perfected algorithms, the reverse-proxy can
distribute the workload by redirecting requests to other, similar
servers; this process is called load balancing.
$ squid -k <command>
    parse         Check if squid.conf is OK and syntax free
    check         Check if SQUID is running
    reconfigure   Re-read squid.conf w/o stopping [refresh],
                  aka service squid reload
    rotate        Rotate the log files
    shutdown      Shutdown SQUID gracefully,
                  aka service squid stop
    interrupt     Kill SQUID w/o waiting for transactions to finish
    kill          Kill SQUID mercilessly
    debug         Puts SQUID in debugging mode

$ squid -N        Is SQUID running?
$ squid -N -d1    Is DNS working?
$ squid -z -X     Init the cache/swap dirs. Used when running SQUID for the first time.
                  Done by the SQUID init script anyway [start()]
                  -X > To watch the progress of cache creation
                  SQUID should not be running when this is done!
$ squid -F        Make SQUID refuse all requests until it rebuilds the storage metadata.
                  Done by the SQUID init script anyway [start()]
$ squid -D        Disables/prevents initial DNS tests.
                  Done by the SQUID init script anyway [start()]
                  Already specified in /etc/sysconfig/squid, which is read by squid's init script

$ squid -N -d1 -D Run SQUID with logging to stderr in the fg, not bg, with level 1 debugging
                  -N > Keep SQUID in the fg. Does not read /etc/sysconfig/squid
                  -d1 > Display level 1 debugging to stderr
                  -D > Don't bother with DNS and die, since Squid tries to do DNS
                  lookups for a few common domains, and dies with an error if it is
                  not able to resolve them thru /etc/resolv.conf. See Directive #11
                  dns_testnames

$ squid -N        Prevent SQUID from becoming a bg process

$ squid -s        Enable logging to the syslogd daemon. SQUID uses the LOCAL4
                  syslog facility.
                  Level 0 debug msgs are logged with priority LOG_WARNING
                  Level 1 debug msgs are logged with priority LOG_NOTICE
Access Controls are the most important part of your SQUID config file. You will use them to grant
access to authorized users and keep out the bad guys.
You can use them to restrict, or prevent access to, certain
material; to control request rewriting; to route requests thru
a hierarchy; and to support different qualities of service.

What is Access Control?
Access Control
1. Define a number of ACL Elements or ACL ELEMENTS or ACLEs [These refer
to specific aspects of client requests such as IP addrs, URL
hostnames, request methods and origin server port nos]
2. Access Control Rules or RULES or ACRs [These rules apply to
particular services or ops within SQUID, e.g. http_access rules are
applied to incoming HTTP requests]
i.e. Access Control = ACL Elements + AC Rules
                    = ACLEs + ACRs
=========================

ACCESS CONTROL ELEMENTS - ACLEs
ACL elements are the building blocks of SQUID's access control
implementation.
Each ACL has a name, which you use when writing the rules.
Eg.

acl Workstations src 192.168.0.0/24

You can list multiple values for one ACL element.
Eg.

acl Http_ports port 80 8000 8080

is the same as
acl Http_ports port 80
acl Http_ports port 8000
acl Http_ports port 8080

Squid knows about the following types of ACLEs:
1  src: Source (client) IP addresses
2  srcdomain: Source (client) domain name
3  srcdom_regex: Source (client) domain with RE pattern matching
4  dst: Destination (server) IP addresses [Origin Server]
5  dstdomain: Destination (server) domain name
6  dstdom_regex: Destination (server) with RE pattern matching
7  url_regex: Match any part of a requested URL
8  urlpath_regex: Match any part of a requested URL. Omit protocol/hostname
9  time: Current Time of day, and day of week
10 port: Destination server port no [Don't confuse with #18 myport]
11 proto: Transfer protocol (HTTP, FTP, SSL)
12 method: HTTP request method (GET, PUT, HEAD, POST, FTP, SSL)
13 browser: Allowing/Disallowing Browsers
14 maxconn: Limit on max no of connections from a single client IP
15 arp: Ethernet (MAC) address matching. ARP based ACLEs
16 proxy_auth: Username/Password authentication using PAM
17 proxy_auth_regex: user authentication via external processes
18 myport: Local port no [cache] that Client connects to
19 myip: The local IP address of a client's connection
20 src_as: Source (client) Autonomous System number
21 dst_as: Destination (server) Autonomous System number
22 ident: String matching on the user's name
23 ident_regex: RE pattern matching on the user's name
24 referer_regex:
25 req_mime_type:
26 rep_mime_type:
27 snmp_community: SNMP community string matching
28 req_mime_type: RE pattern matching on the request content-type header
29 rep_mime_type: RE pattern matching on the reply (downloaded content)
   content-type header. This is only usable in the http_reply_access
   directive, not http_access.
30 external: lookup via external acl helper defined by external_acl_type

Base Types        Used by
=========================
IP addresses:     src, dst, myip, src_as, dst_as
Domain Names:     srcdomain, dstdomain, cache_host_domain directive
Usernames:        ident, ident_regex, proxy_auth, proxy_auth_regex
REs:              srcdom_regex, dstdom_regex, url_regex, urlpath_regex,
                  browser, referer_regex, ident_regex, proxy_auth_regex,
                  req_mime_type, rep_mime_type
TCP Port Nos:     port, myport

Restrict sites
Search for `Access Controls' and append the following two lines:
acl blocksites dstdomain .gmail.com
http_access deny blocksites
Save and close the file. Restart Squid:
$ /etc/init.d/squid restart

Restrict word
Let us say you would like to deny access for anyone who browses to
a URL with the word "bar" in it. Append the following ACL:
acl blockregexurl url_regex -i porn
http_access deny blockregexurl

Restricting Web Access By Time
You can create access control lists with time parameters. For
example, you can allow only business-hour access from the home
network, while always restricting access to host 192.168.1.23.
Add this to the bottom of the ACL section of squid.conf:
acl home_network src 192.168.1.0/24
acl business_hours time MTWHF 9:00-17:00
acl RestrictedHost src 192.168.1.23

Add this at the top of the http_access section of squid.conf:
http_access deny RestrictedHost
http_access allow home_network business_hours

Or, you can allow morning access only:

Add this to the bottom of the ACL section of squid.conf:
acl mornings time 08:00-12:00

Add this at the top of the http_access section of squid.conf:
http_access allow mornings

Restrict .exe .mp3 .avi with a customized error page
Now add the following lines to your squid ACL section:
acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"
You want to display a custom error message when a file is blocked:
# Deny all blocked extensions
deny_info ERR_BLOCKED_FILES blockfiles
http_access deny blockfiles
Now create the /etc/squid/blocks.files.acl file:
# vi /etc/squid/blocks.files.acl
Append the following text:
\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$
Create a custom error message HTML file called ERR_BLOCKED_FILES
in the /etc/squid/error/ directory or the /usr/share/squid/errors/English
directory.
# vi ERR_BLOCKED_FILES
Append the following content:
<HTML>
<HEAD>
<TITLE>ERROR: Blocked file content</TITLE>
</HEAD>
<BODY>
<H1>File is blocked due to new IT policy</H1>
<p>Please contact the helpdesk for more information:</p>
Phone: 55512435 (ext 44)<br>
Email: helpdesk@yourcorp.com<br>

Caution: Do not include the HTML close tags </BODY> and </HTML>, as they
will be closed by squid.

Save and close the file. Restart Squid:

# /etc/init.d/squid restart

Restrict Port
Locate your ACL section and add the configuration directives as
follows:
acl block_port port 1234
http_access deny block_port
http_access allow all
If you just want to skip a particular IP (192.168.1.5) try as
follows:
acl block_port port 1234
acl no_block_port_ip src 192.168.1.5
http_access deny block_port !no_block_port_ip
http_access allow all
Close and save the file.
Restart the squid proxy server:
$ /etc/init.d/squid restart
And finally deny all other access to this proxy:
http_access allow localhost
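An offline evaluator for the http_access rules above, added here as an example that is neither from these notes nor from Squid itself: it applies first-match ordering, ANDs the ACLs on one line, honours the "!" negation from the port example and the quoted-file form from the blocked-files example, and falls back to the opposite of the last rule when nothing matches. The SQUID_CONF fragment, the ACL_FILES stand-in for blocks.files.acl and the request values are constructed.

```python
"""Added example (not from the original notes): an offline evaluator for the
Squid http_access rules above: src, dstdomain, port, time, url_regex and
urlpath_regex ACLs, '!' negation, first-match order and the default rule."""
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlparse

DAY_LETTERS = "SMTWHFA"  # Squid day codes, Sunday first (H=Thu, A=Sat)
# Stand-in for a file named in quotes on an acl line (blocks.files.acl above).
ACL_FILES = {"/etc/squid/blocks.files.acl": [
    r"\.[Ee][Xx][Ee]$", r"\.[Aa][Vv][Ii]$", r"\.[Mm][Pp][Gg]$",
    r"\.[Mm][Pp][Ee][Gg]$", r"\.[Mm][Pp]3$"]}
# Constructed squid.conf fragment built from the rules in the notes.
SQUID_CONF = """
acl all src 0.0.0.0/0
acl home_network src 192.168.1.0/24
acl business_hours time MTWHF 9:00-17:00
acl RestrictedHost src 192.168.1.23
acl blocksites dstdomain .gmail.com
acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"
acl block_port port 1234
acl no_block_port_ip src 192.168.1.5
http_access deny RestrictedHost
http_access deny blocksites
http_access deny blockfiles
http_access deny block_port !no_block_port_ip
http_access allow home_network business_hours
http_access deny all
"""


def parse_conf(text):
    """Return ({acl name: (type, values)}, [(action, [acl refs])])."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            if values and values[-1].startswith('"'):  # one value per file line
                values = values[:-1] + ACL_FILES[values[-1].strip('"')]
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl_type, values, src, url, when):
    u = urlparse(url)
    host = (u.hostname or "").lower()
    port = u.port or {"http": 80, "https": 443, "ftp": 21}.get(u.scheme, 0)
    if acl_type == "src":
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "dstdomain":  # leading dot = the domain and all subdomains
        return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v))
                   for v in values)
    if acl_type == "port":
        return port in {int(v) for v in values}
    if acl_type == "time":  # optional day letters, optional h1:m1-h2:m2 span
        day_ok = span_ok = True
        for v in values:
            if "-" in v:
                start, end = (tuple(int(x) for x in t.split(":")) for t in v.split("-"))
                span_ok = start <= (when.hour, when.minute) < end
            else:
                day_ok = DAY_LETTERS[(when.weekday() + 1) % 7] in v
        return day_ok and span_ok
    if acl_type in ("url_regex", "urlpath_regex"):
        flags = re.IGNORECASE if values[:1] == ["-i"] else 0
        subject = url if acl_type == "url_regex" else u.path
        return any(re.search(p, subject, flags) for p in values[1 if flags else 0:])
    raise ValueError("unsupported acl type: " + acl_type)


def decide(conf_text, src, url, when):
    """First http_access line whose ACLs all match decides; when is 'YYYY-MM-DD HH:MM'."""
    when = datetime.strptime(when, "%Y-%m-%d %H:%M")
    acls, rules = parse_conf(conf_text)
    for action, refs in rules:
        for ref in refs:
            negate = ref.startswith("!")
            acl_type, values = acls[ref.lstrip("!")]
            if acl_matches(acl_type, values, src, url, when) == negate:
                break  # this ACL failed, try the next rule
        else:
            return action
    # No rule matched: Squid applies the opposite of the last rule's action
    # (and denies everything when there are no http_access lines at all).
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"
```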
Squid Bandwidth Limiting (Bandwidth Throttling)
How to write a delay pool script in Squid
In this scenario we are going to create 3 pools:
128 kbps
256 kbps
Unlimited for Admin
acl 128kbps src 192.168.0.200/32
acl 256kbps src 192.168.0.201/32
acl admin src 192.168.0.205/32
You have just created the three ACLs (net, net2 and net3 in the original scenario; here 128kbps, 256kbps and admin).
delay_pools 3
delay_class 1 2
delay_access 1 deny admin
delay_access 1 deny 256kbps
delay_access 1 allow 128kbps
delay_parameters 1 -1/-1 16000/16000
delay_class 2 2
delay_access 2 deny admin
delay_access 2 allow 256kbps
delay_parameters 2 -1/-1 32000/32000
delay_class 3 2
delay_access 3 allow admin
delay_parameters 3 -1/-1 -1/-1

Vi/Vim Examples
What is the VI editor?
While in vi you can run AIX commands without exiting the editing
session. The ! creates a shell to execute the command that follows.
1. :!ls will create a shell.
2. All files in the current directory are listed. Press return to
exit the shell and return to the vi session, or...
3. While still in command mode, issue the :r snacks command.
4. The contents of snacks, in this case, are read into the vi file.
By default, it will appear after the current line.
If you need to run a series of commands without returning to vi
after the first command is executed, enter :sh. When you have run
all the commands, press ^D to exit the shell and return to vi.

Cursor movement

h       move left
j       move down
k       move up
l       move right
w       jump by start of words (punctuation considered words)
W       jump by words (spaces separate words)
e       jump to end of words (punctuation considered words)
E       jump to end of words (no punctuation)
b       jump backward by words (punctuation considered words)
B       jump backward by words (no punctuation)
0       (zero) start of line
^       first non-blank character of line
$       end of line
G       Go To command (prefix with number: 5G goes to line 5)

Note: Prefix a cursor movement command with a number to repeat it.
For example, 4j moves down 4 lines.

Insert Mode - Inserting/Appending text
i       start insert mode at cursor
I       insert at the beginning of the line
a       append after the cursor
A       append at the end of the line
o       open (append) blank line below current line (no need to press return)
O       open blank line above current line
ea      append at end of word
Esc     exit insert mode

Editing

r       replace a single character (does not use insert mode)
J       join line below to the current one
cc      change (replace) an entire line
cw      change (replace) to the end of word
c$      change (replace) to the end of line
s       delete character at cursor and substitute text
S       delete line at cursor and substitute text (same as cc)
xp      transpose two letters (delete and paste, technically)
u       undo
.       repeat last command

Marking text (visual mode)
v       start visual mode, mark lines, then do command (such as y - yank)
V       start Linewise visual mode
o       move to other end of marked area
Ctrl+v  start visual block mode
O       move to Other corner of block
aw      mark a word
ab      a () block (with braces)
aB      a {} block (with brackets)
ib      inner () block
iB      inner {} block
Esc     exit visual mode

Visual commands
>       shift right
<       shift left
y       yank (copy) marked text
d       delete marked text
~       switch case

Cut and Paste

yy      yank (copy) a line
2yy     yank 2 lines
yw      yank word
y$      yank to end of line
p       put (paste) the clipboard after cursor
P       put (paste) before cursor
dd      delete (cut) a line
dw      delete (cut) the current word
x       delete (cut) current character

Exiting

:w      write (save) the file, but don't exit
:wq     write (save) and quit
:q      quit (fails if anything has changed)
:q!     quit and throw away changes

Search/Replace

/pattern        search for pattern
?pattern        search backward for pattern
n               repeat search in same direction
N               repeat search in opposite direction
:%s/old/new/g   replace all old with new throughout file
:%s/old/new/gc  replace all old with new throughout file with confirmations
Working with multiple files

:e filename     Edit a file in a new buffer
:bnext (or :bn) go to next buffer
:bprev (or :bp) go to previous buffer
:bd             delete a buffer (close a file)
:sp filename    Open a file in a new buffer and split window
ctrl+w s        Split windows
ctrl+w w        switch between windows
ctrl+w q        Quit a window
ctrl+w v        Split windows vertically

VI Options:

vi has many modes of operation. Some of these will affect the way
text is presented, while others will make editing easier for novice users.
:set all        display all settings
:set            display settings different than the default
:set ai         sets autoindent on
:set noai       turns autoindent mode off
:set nu         enables line numbers
:set nonu       turns line numbers off
:set list       displays non-printable characters
:set nolist     hides non-printable characters
:set showmode   shows the current mode of operation
:set noshowmode hides mode of operation
:set ts=4       sets tabs to 4 character jumps
:set ic         ignores case sensitivity
:set noic       case sensitive

Search

/word           Search word from top to bottom
?word           Search word from bottom to top
/jo[ha]n        Search john or joan
/\<the          Search the, theatre or then
/the\>          Search the or breathe
/\<the\>        Search the
/\<\a\{4}\>     Search all words of 4 letters
/\<fred\>       Search fred but not alfred or frederick
/fred\|joe      Search fred or joe
/\<\d\{4}\>     Search exactly 4 digits
/^\n\{3}        Find 3 empty lines
:bufdo /searchstr/      Search in all open files

Replace

:%s/old/new/g           Replace all occurrences of old by new in file
:%s/old/new/gw          Replace all occurrences with confirmation
:2,35s/old/new/g        Replace all occurrences between lines 2 and 35
:5,$s/old/new/g         Replace all occurrences from line 5 to EOF
:%s/^/hello/g           Replace the beginning of each line by hello
:%s/$/Harry/g           Replace the end of each line by Harry
:%s/onward/forward/gi   Replace onward by forward, case insensitive
:%s/ *$//g              Delete all trailing whitespace
:g/string/d             Delete all lines containing string
:v/string/d             Delete all lines which didn't contain string
:s/Bill/Steve/          Replace the first occurrence of Bill by Steve in current line
:s/Bill/Steve/g         Replace Bill by Steve in current line
:%s/Bill/Steve/g        Replace Bill by Steve in all the file
:%s/\r//g               Delete DOS carriage returns (^M)
:%s/\r/\r/g             Transform DOS carriage returns in returns
:%s#<[^>]\+>##g         Delete HTML tags but keep text
:%s/^\(.*\)\n\1$/\1/    Delete lines which appear twice
Ctrl+a                  Increment number under the cursor
Ctrl+x                  Decrement number under cursor
ggVGg?                  Change text to Rot13

Case

Vu              Lowercase line
VU              Uppercase line
g~~             Invert case
vEU             Switch word to uppercase
vE~             Modify word case
ggguG           Set all text to lowercase
:set ignorecase Ignore case in searches
:set smartcase  Ignore case in searches except if an uppercase letter is used
:%s/\<./\u&/g   Sets first letter of each word to uppercase
:%s/\<./\l&/g   Sets first letter of each word to lowercase
:%s/.*/\u&      Sets first letter of each line to uppercase
:%s/.*/\l&      Sets first letter of each line to lowercase

Read/Write files

:1,10 w outfile         Saves lines 1 to 10 in outfile
:1,10 w >> outfile      Appends lines 1 to 10 to outfile
:r infile               Insert the content of infile
:23r infile             Insert the content of infile under line 23

File explorer

:e .            Open integrated file explorer
:Sex            Split window and open integrated file explorer
:browse e       Graphical file explorer
:ls             List buffers
:cd ..          Move to parent directory
:args           List files
:args *.php     Open file list
:grep expression *.php  Returns a list of .php files containing expression
gf              Open file name under cursor

Interact with Unix

:!pwd           Execute the pwd unix command, then return to Vi
!!pwd           Execute the pwd unix command and insert output in file
:sh             Temporary return to Unix
$ exit          Return to Vi

Alignment

:%!fmt          Align all lines
!}fmt           Align all lines at the current position
5!!fmt          Align the next 5 lines

Tabs

:tabnew         Creates a new tab
gt              Show next tab
:tabfirst       Show first tab
:tablast        Show last tab
:tabm n (position)      Rearrange tabs
:tabdo %s/foo/bar/g     Execute a command in all tabs
:tab ball       Puts all open files in tabs

Window splitting

:e filename     Edit filename in current window
:split filename Split the window and open filename
ctrl-w up arrow Puts cursor in top window
ctrl-w ctrl-w   Puts cursor in next window
ctrl-w _        Maximise current window
ctrl-w =        Gives the same size to all windows
10 ctrl-w +     Add 10 lines to current window
:vsplit file    Split window vertically
:sview file     Same as :split in readonly mode
:hide           Close current window
:only           Close all windows, except current
:b 2            Open #2 in this window

Autocompletion

Ctrl+n Ctrl+p (in insert mode)  Complete word
Ctrl+x Ctrl+l   Complete line
:set dictionary=dict    Define dict as a dictionary
Ctrl+x Ctrl+k   Complete with dictionary

Marks

mk              Marks current position as k
`k              Moves cursor to mark k
d`k             Delete all until mark k

Abbreviations
:ab pr printf("This is a Demo Ver\n");  Define pr as abbreviation of printf("This is a Demo Ver\n");

Text indent

:set autoindent     Turn on auto-indent
:set smartindent    Turn on intelligent auto-indent
:set shiftwidth=4   Defines 4 spaces as indent size
ctrl-t, ctrl-d      Indent/un-indent in insert mode
>>                  Indent
<<                  Un-indent

Syntax highlighting

:syntax on          Turn on syntax highlighting
:syntax off         Turn off syntax highlighting
:set syntax=perl    Force syntax highlighting

How to Exit

:q[uit]         Quit Vim. This fails when changes have been made.
:q[uit]!        Quit without writing.
:cq[uit]        Quit always, without writing.
:wq             Write the current file and exit.
:wq!            Write the current file and exit always.
:wq {file}      Write to {file}. Exit if not editing the last
:wq! {file}     Write to {file} and exit always.
:[range]wq[!] [file]    Same as above, but only write the lines in [range].
ZZ              Write current file, if modified, and exit.
ZQ              Quit current file and exit (same as ":q!").

Editing a File

:e[dit]         Edit the current file. This is useful to re-edit the
                current file, when it has been changed outside of Vim.
:e[dit]!        Edit the current file always. Discard any changes to
                the current buffer. This is useful if you want to
                start all over again.
:e[dit] {file}  Edit {file}.
:e[dit]! {file} Edit {file} always. Discard any changes to the
                current buffer.
gf              Edit the file whose name is under or after the cursor.
                Mnemonic: "goto file".

Inserting Text

a       Append text after the cursor [count] times.
A       Append text at the end of the line [count] times.
i       Insert text before the cursor [count] times.
I       Insert text before the first non-blank in the line [count] times.
gI      Insert text in column 1 [count] times.
o       Begin a new line below the cursor and insert text, repeat [count] times.
O       Begin a new line above the cursor and insert text, repeat [count] times.

Inserting a file

:r[ead] [name]  Insert the file [name] below the cursor.
:r[ead] !{cmd}  Execute {cmd} and insert its standard output below the cursor.

Ref
http://www.catswhocode.com/blog/100vimcommandseveryprogrammershouldknow
http://www.fortunecity.com/skyscraper/terminus/435/
http://www.thegeekstuff.com/2010/04/vimeditortutorial/

*******************************************************************
Best Of Luck
*******************************************************************