-practice time the lab is open
-test is on a Tuesday in 4 weeks
First Stage is available in three supported versions:
boot.iso - used
diskboot.img - is a VFAT file system for use with USB pendrives
pxeboot
The Second Stage is Anaconda
-The Text Mode Installation Interface can be selected by typing the command 'linux text' at the boot: prompt. This will load an ncurses-based interface. It should only be used if the system is not capable of displaying the GUI.
-The Graphical Installation Interface is the default interface for Anaconda. This interface will start XOrg
Install Methods
NFS - usually the fastest method
HTTP
FTP
After you have provided Anaconda with the installation method, the installer will detect your hardware, and you will then be prompted...
Virtual Consoles
CTRL + ALT + F1 - text installation display
CTRL + ALT + F2 - bash shell prompt
CTRL + ALT + F3 - lists a log of installation messages
CTRL + ALT + F4 - lists kernel messages
CTRL + ALT + F5 - lists partition information
CTRL + ALT + F6 - graphical installation display
note: can change over to the shell to start work early.
Installation Number
NOT a "serial number"
Selects a default set of packages and authorizes the server to offer certain extra "Feature Sets" (package groups) corresponding to things like enhanced virtualization support and the suite of cluster tools.
can be skipped
Disk Partitioning
Types of partitions:
primary - 4
extended - 1
logical - 15
File Systems may be created on primary or logical partitions.
-use disk druid in the install
Software RAID and LVM2 can be used to "combine" multiple partitions into a single virtual unit.
-can switch to the partition screen (CTRL + ALT + F5) to use 'parted' or 'fdisk' to part the disk
Disk Druid
IF you choose not to permit Anaconda to automatically partition your drives, you may manually partition them with the Disk Druid tool.
Only GUI will allow you to do LVM during the install.
File System Types
ext2
ext3
physical volume (LVM)
software RAID
swap
VFAT
Software RAID
RAID 0 : striping without parity
RAID 1 : mirroring
RAID 5 : striping with parity (n+1)
RAID 6 : striping with double parity (n+2)
LVM
Physical partitions can be grouped together into a single logical volume.
The disk space in this logical volume can then be resized and reallocated very easily.
Once a volume has been resized, the file system on that volume can then be resized to take advantage of the new space.
If any physical volume within a logical volume fails, all data on that logical volume will be lost. There is no redundancy with LVM.
-the installer defaults to an LVM layout if the partitioning is left at the default
Package Selection
The default package selection has been optimized for workstations.
Minimum Installation: 648M
Default Installation: 1.9GB
Everything: 6.03GB
-watch the space needed during the test; probably a good idea to leave the selection as stripped down as possible.
-in RHEL 5, there is no running ticker of the amount of space needed to install the selected packages
-also, it will not warn you if there is not enough space; it will start the install anyway and error out halfway through
Confirming Your Installation
-will be prompted to reboot
-firstboot prog
/root/anaconda-ks.cfg
FIRSTBOOT program
-firewall config, frontend for iptables
-SELinux
Disable
Warn (Permissive)
Active (Enforcing) (default)
-written during kernel 2.4 series by the NSA
-very powerful security software
While SELinux is running, access control is determined by the Mandatory Access Control (MAC) rules set by the SELinux policy. This policy controls the rights that processes have to files, directories, and network sockets (objects). This works in combination with the traditional Discretionary Access Control (DAC) provided by Linux permissions.
Lab 1 : Installing RHEL 5
/var/log/messages
/var/log/dmesg
/root/install.log
/root/anaconda-ks.cfg
Section 2 - Boot Process
The processor looks at the end of system memory for the BIOS (Basic Input / Output System).
The BIOS tests the system, looks for and checks peripheral devices, and then looks for a drive to use to boot the system.
The BIOS looks for a Master Boot Record (MBR) starting at the first sector on the first hard drive, loads its contents into memory, and then passes control to it. First 512 bytes.
The MBR then finds and loads the GRUB Boot Loader.
GRUB finds the necessary boot files, which initialize the kernel and the initial ram disk.
Once the kernel has successfully loaded, it executes /sbin/init.
Init parses its configuration file (/etc/inittab) and finishes the boot process according to its configuration.
The Master Boot Record
The Master Boot Record (MBR) occupies the first 512 bytes on the boot drive.
GRUB - The GRand Unified Boot Loader
2 stages - the first lives in the MBR, the second in /boot
/boot/grub/grub.conf
-check out the GRUB page!
Installing GRUB
# /sbin/grub-install /dev/hda
If that fails, you can reinstall GRUB manually using the grub shell:
# grub
> root (hd0,0)
> setup (hd0)
> quit
The GRUB Shell
command line - "c"
editing mode - "e"
append mode - "a"
Esc - previous screen
Kernel Initialization
GRUB loads the initial ram disk
kernel will perform the following functions at boot:
hardware detection and driver initialization
mount the root file system read only
starts the first process (init)
Note: If essential drivers are compiled as modules (and are not compiled directly into the kernel), they must be included in the initial ram disk (initrd). The ext module is an example .........
# file /boot/initrd
# gunzip < /boot/initrd-x.x.x.img > initrd.unzipped
# file initrd.unzipped
-cpio pre-dates tar
# cpio -i -d --no-absolute-filenames < initrd.unzipped
-kernel boot parameter init=/bin/bash starts a shell instead of /sbin/init
/etc/sysconfig/network:
NETWORKING=yes|no
HOSTNAME=
GATEWAY=
NISDOMAIN=
/etc/sysconfig/network-scripts/ifcfg-ethx
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
or static ip address...
DEVICE=eth0
BOOTPROTO=static
IPADDR=
NETMASK=
GATEWAY=
ONBOOT=yes
/etc/resolv.conf holds the configuration for resolving hostnames:
search example.com
nameserver 192.168.0.254
# route -n
# netstat -rn
# ip addr
# ifconfig
# ifdown
# ifup
# service network restart
Printing Overview
RHEL 5 uses CUPS, the Common UNIX Printing System, as its primary printing system.
CUPS supports the IPP protocol (based on HTTP/1.1) and can communicate with LPD print servers.
CUPS can be administered several ways:
by manually editing /etc/cups/cupsd.conf and /etc/cups/printers.conf
by using the system-config-printer tool, or
by using the web administration interface on port 631
Helpful printing commands:
lp
lpq - lists print jobs
lprm
lpstat - lists print stats
lpstat -t - lists print stats for all known printers
Task Automation with cron
Cron - The system scheduler
Cron reviews its configuration files every minute to determine whether it has anything to run.
-make sure crond it turned on!
/etc/crontab is the primary configuration file from which
Cron syntax (man 5 crontab)
minute - 0 - 59
hour - 0 - 23
day of month - 1 - 31
month - 1 - 12 (or names)
day of week - 0 - 7 (0 or 7 is Sun, or use names)
/etc/cron.d - This contains system cron scripts that need to run at times other than those specified in /etc/crontab
/var/spool/cron - This contains a copy of the system's user crontabs
/etc/cron.deny - This file can be used to specify which users cannot have a crontab
Cron Lab
1. Create a cron for root that lists available space on the system every Friday at 12:34pm.
# crontab -e
34 12 * * 5 /bin/df -h
-this will get emailed to root from the standard output
-could ">> /var/log/df.log" to redirect output to logs
-or could also create global variable "MAILTO=user@domain.com" at the top
2. Create a cron as a regular user at 3:45am on Sunday, January 2.
# crontab -u rack -e
45 3 2 1 0 ls /tmp
Alert: the 3rd (day of month) and 5th (day of week) fields are ORed when both are restricted, so this entry matches 2 different dates: January 2 and every Sunday in January.
# crontab -r - this will completely remove crontab!!!
#crontab
crontab runs with SUID so regular users can access crontab files in /var/spool/cron, which are owned by root
# run-parts - runs everything in the directory
Key Log Files
dmesg
/bin/dmesg - The binary /bin/dmesg will print the kernel ring buffer, where almost all hardware and kernel events are logged. This buffer is 16392 bytes by default.
/var/log/dmesg - The log file
/var/log/messages
/var/log/secure - This log file contains messages and errors from security-related systems such as login, tcp_wrappers, and xinetd.
wtmp
/var/log/wtmp - This is a binary log of all successful logins (ssh, console, ftp)
/usr/bin/last - This binary will parse the wtmp log for human readable format
Logrotate
/etc/logrotate.conf - This is the main configuration file.
/etc/logrotate.d/
logrotate -vf /etc/logrotate.conf
example:
/var/log/audit/audit.log {
# missingok
create 0600 auditd auditd
monthly
rotate 12
notifempty
postrotate
/bin/kill -HUP `cat /var/run/audit.pid 2>/dev/null` 2> /dev/null || true
endscript
}
Automating Installs with Kickstart
Kickstart is a component of the installer that automates installation.
At install, Anaconda must be told where the desired kickstart configuration file is located. This is done by typing the following at the boot: prompt.
If on floppy:
linux ks=floppy
If image is located on a webserver
linux ks=http://server1/path/to/ks.cfg
Creating Kickstart Images
Once an installation has completed, a kickstart file will be created in /root/anaconda-ks.cfg. This file may be used as a reference if you wish to create your own kickstart image.
Following Sections:
Commands sections, where keyboard, time zone, root password, and other defaults are configured and your partition scheme is defined
%packages
%pre
%post - this will run the commands after the install
-be sure to comment out partition lines
-"autopart" gives default layout
-on the "clearpart" line you need to add the flag "--initlabel" so it will work on new hard drives
-could use "-firefox" to exclude firefox package from @graphical-internet
-could use "user" function in the anaconda.cfg file
-"key --skip" to skip the installation key
# /usr/sbin/useradd student
# /bin/echo "redhat" | /usr/sbin/passwd --stdin student
Google: kickstart script
linux ks=ftp://server1/ks#.cfg
Section 4 - Managing File Systems
Administering Partitions
# fdisk /dev/hda
# partprobe - to recognize the new partitions
# mkfs - to create file systems
The ext3 file system
Ext3 benefits
default file system of 7.x Red Hat release and newer
f
f
Journaling Overview
Deleting a file in Linux requires two steps:
The file's directory entry must be removed
The file's inode must be marked as free in the free space map.
Journaling keeps a journal of the changes that are planned for the file system ahead of time. The journal can then replay the changes in the journal at any time to keep the file system clean.
File System Tools
# fsck - from rc.sysinit; this command will check ext2 and ext3 file systems for inconsistencies and attempt to repair them.
# e2label - change the label of an ext2/ext3 file system
Fstab
-the last 2 fields in /etc/fstab are the dump frequency and the fsck pass number
-need to check grub when updating fstab and labels
The Automounter
the autofs service can be configured to monitor certain directories and automatically mount a file system when a call is made to files in that directory.
When autofs starts, it parses its configuration file /etc/auto.master to determine which directories it should be monitoring. Each directory can then have its own configuration file determining how each file system should be mounted, or the default file /etc/auto.misc can be used.
# man 5 autofs can provide you with sample syntax for these files.
example:
/etc/auto.master
/server1 /etc/auto.server1
/etc/auto.server1
share -ro server1:/var/ftp/pub
-check /etc/sysconfig/autofs for the default config file
Extended File System Attributes
ext2/ext3 support attributes that affect how data can be manipulated
# chattr - change file attributes
# lsattr - list file attributes
Extended attributes can only be set by the root user unless "user_xattr" is set.
# chattr +i some_file - make file immutable, or unchangable in any way
# chattr +a some_file - makes the file only appendable
+S - synchronous data writing, or writing the data immediately
# for i in `seq 254`; do touch file$i; done
# lsattr -d .
After 254 files, the fs switched the directory to a hashed table; it initially uses a linked list for the directory.
Access Control Lists (ACLs)
ext3 supports access control lists, which allow for more flexible permissions than standard file system permissions.
ACL's can be listed with getfacl command.
They can be modified with the setfacl command.
To use ACLs, a file system must have the acl mount option.
Use "dumpe2fs -h
# tune2fs -o acl /dev/sda2
this is going to correspond with the dumpe2fs -h /dev/sda2, "Default mount options: user_xattr acl" line
# getfacl
# setfacl -m "u:student:rw" file
-setting a FACL will place a '+' at the end of permissions string "-rw-rw-r--+ 1 root root 0 file"
# setfacl -x "u:student" file
# setfacl -b file - removes all ACL entries
-they are not included in one of our backups
examples to save with ACLs intact:
# tar --acls
# cp -a
# getfacl file > file.acl
# cp file backup
# setfacl -M file.acl backup
- these can use the '-R' flag to run recursively
(DAY 2)
SELinux
SELinux Overview
Every process or object has an SELinux context:
identity:role:domain/type
SELinux policy controls:
-what identities can use which roles
-what roles can enter which domains
-what domains can access which types
first intro in RHEL 5. created by the NSA and included by Linus in the Linux kernel.
SELinux Contexts
Adding the -Z option to several commands will show how they are running in regards to SELinux.
# ps -Z - lists the process contexts
# ls -Z - lists the file contexts
To change the
# chcon -R --reference=/dir /dir
:virtual file systems: /proc /sys /selinux
# restorecon -F
-still a few files not corrected: /misc
# service autofs restart - this will reset the automounts
# getenforce
# setenforce
Controlling SELinux
The tool system-config-selinux can be used to configure SELinux.
The file /etc/sysconfig/selinux can be edited to make these changes persistent across reboots.
The command 'getenforce' and 'setenforce'
To change the SELinux mode during boot, you can pass the enforcing=0 option to the kernel in GRUB.
The
# system-config-selinux
# rpm -ql policycoreutils | egrep -w 's?bin'
# getsebool -a
# service setroubleshoot status - this service watches for se alerts
-check /var/log/messages for SELinux messages
# setsebool -P ftp_home_dir=1 - this is from an alert in /var/log/messages
-checked /var/log/messages, got the following
# sealert -l 3a1bf736-48a6-442a-9e98-98d908ffdd83
# chcon -t httpd_sys_content_t /srv/index.html
# chcon -R --reference index.html /srv
Section 5 - Users and Groups
Files Associated with Users and Groups
/etc/passwd - This file contains the configuration information for local users in the following format:
username : x : UID : UPGID : GECOS : homedir : shell
/etc/shadow - This file contains the username (which must match an entry in /etc/passwd) and the user's MD5-hashed password.
/etc/group - This file contains the configuration information for local groups in the following format:
groupname : x : GID : secondary users
/etc/gshadow - This file contains a list of groups on the server and their MD5-hashed passwords.
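Added example, not from the class notes: an audit of the /etc/passwd and /etc/shadow formats described above, run against constructed copies in a temp dir (the hashes are placeholders). It flags a second UID 0 account, a passwd entry whose password field is not "x" (password not moved to shadow), and a shadow entry with an empty password field.

```shell
#!/bin/sh
# Added example, not from the class notes: audit constructed passwd/shadow
# files for the problems their format makes possible.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# constructed sample data; the hashes are placeholders, not real ones
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mike:x:500:500:Mike:/home/mike:/bin/bash
backdoor:x:0:0:oops:/tmp:/bin/bash
legacy:$1$abcdefgh$PLACEHOLDERHASH000000:501:501::/home/legacy:/bin/bash
EOF
cat > "$WORK/shadow" <<'EOF'
root:$1$abcdefgh$PLACEHOLDERHASH111111:14000:0:99999:7:::
bin:*:14000:0:99999:7:::
mike:$1$abcdefgh$PLACEHOLDERHASH222222:14000:0:99999:7:::
backdoor::14000:0:99999:7:::
EOF

# audit_accounts PASSWD SHADOW -> one "TAG username" finding per line, sorted
audit_accounts() {
    {
        # field 3 is the UID; any name besides root at UID 0 is a red flag
        awk -F: '$3 == 0 && $1 != "root" { print "UID0 " $1 }' "$1"
        # field 2 should be "x" once passwords live in /etc/shadow
        awk -F: '$2 != "x" { print "UNSHADOWED " $1 }' "$1"
        # an empty field 2 in shadow means login with no password at all
        awk -F: '$2 == "" { print "EMPTYPW " $1 }' "$2"
    } | sort
}

# count_findings PASSWD SHADOW -> number of findings
count_findings() {
    audit_accounts "$1" "$2" | wc -l | tr -d ' '
}

audit_accounts "$WORK/passwd" "$WORK/shadow"
```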
Utilities for Administering Users and Groups
useradd / adduser - This command can be used to add new users to the system.
usermod -
groupadd -
groupmod -
passwd -
chage - This command can be used to create / edit password aging
UNIX Basics : File Permissions
Special Permissions:
Setuid / suid - Set UserID is used on UNIX systems for tasks that require higher privileges than what a common user has, such as changing passwords and pinging.
Setgid / sgid - Set GID is used to change group-based privileges within a process, like the suid flag does for user based privileges.
Sticky bit - for world-writable directories; only a file's owner can remove their own files
# find / -perm +4000 - find suid files
# find / -perm +2000 - find sgid files
# chmod g+s some_dir
-any new files created inside that directory will be group-owned by the directory's group
suid = 4000
sgid = 2000
The User Environment
/etc/skel - default template for a newly-added user's home directory
/etc/profile - sets environment variables used by all users
/etc/profile.d - contains scripts specific to certain rpms
/etc/bashrc - contains global aliases and system settings
~/.bashrc - contains user aliases and functions
~/.bash_profile - contains user environment settings and can be set to automatically start programs at
login
# chmod 3070 work - sets sgid and the sticky bit on the directory so only owners can remove their own files
Pluggable Authentication Modules
Applications which are compiled against libpam.so may use PAM's modules to customize how individual applications verify their users. Each application has its own configuration file in /etc/pam.d
The first field of the configuration file indicates the type of module to be used:
Authentication management (auth) - Establishes the identity of a user.
Account management (account) - Allows or denies access to the account.
Password management (password) - Enforces password management policies.
Session management (session) - Starts, stops, and records each session.
cont.
The second field of the configuration file indicates the effect that the module will have on the application:
Required - If this module fails, access will not be granted, but all other modules will still be run.
Requisite - If this module fails, access will not be granted and no other modules will be run.
Sufficient - If this module succeeds, access will be granted and no other modules will be run.
Optional - The result of this module is ignored.
missed some shit....
Important PAM Modules
pam_unix - Authenticates users by UNIX password
pam_securetty - Only allows root to log in from secure terminals listed in /etc/securetty
pam_nologin - Will not allow any non-root user to login if /etc/nologin exists
pam_time - can be configured to allow/deny access based on the system time.
-Helpful PAM documentation can be found in /usr/share/doc/pam-
# ldd `which su` - ldd shows which libraries are linked, prints shared library dependencies
PAM LAB
Using PAM, prevent "mike" from being able to login on virtual console 2. He should still be able to login elsewhere.
Hint: configure the pam_access module
# vi /etc/pam.d/login
add: "account required pam_access.so"
# man pam_access
# vi /etc/security/access.conf
add: "- : mike : tty2"
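Added example, not from the class notes: a minimal evaluator for the /etc/security/access.conf rules the lab edits, run against a constructed copy of the file. pam_access reads "permission : users : origins" lines; the first rule whose users and origins both match decides, and no match means allow. Only user names, ALL, "ALL EXCEPT name ...", tty names and ALL are handled (no groups, hostnames or network ranges).

```shell
#!/bin/sh
# Added example, not from the class notes: evaluate access.conf rules the way
# pam_access does for the subset of syntax used here.

# constructed sample config: the lab rule plus one more to show ALL EXCEPT
ACCESS_CONF=$(mktemp)
trap 'rm -f "$ACCESS_CONF"' EXIT
cat > "$ACCESS_CONF" <<'EOF'
# permission : users : origins
- : mike : tty2
- : ALL EXCEPT root : tty6
EOF

# list_has LIST WORD -> 0 if WORD is in the space-separated LIST or LIST has ALL
list_has() {
    for w in $1; do
        if [ "$w" = ALL ] || [ "$w" = "$2" ]; then return 0; fi
    done
    return 1
}

# users_match USERS NAME -> 0 if the users field covers NAME
users_match() {
    case $1 in
        ALL\ EXCEPT\ *)
            rest=$(printf '%s' "$1" | sed 's/^ALL EXCEPT //')
            # listed names are exempt; everyone else matches
            if list_has "$rest" "$2"; then return 1; else return 0; fi ;;
        *)
            list_has "$1" "$2" ;;
    esac
}

# access_check USER ORIGIN [CONF] -> prints "allow" or "deny"
access_check() {
    user=$1; origin=$2; conf=${3:-$ACCESS_CONF}
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        perm=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')
        users=$(printf '%s' "$line" | cut -d: -f2 | sed 's/^ *//; s/ *$//')
        origins=$(printf '%s' "$line" | cut -d: -f3 | sed 's/^ *//; s/ *$//')
        # first rule matching both user and origin wins
        if users_match "$users" "$user" && list_has "$origins" "$origin"; then
            if [ "$perm" = "+" ]; then echo allow; else echo deny; fi
            return 0
        fi
    done < "$conf"
    # no rule matched: pam_access grants access
    echo allow
}

access_check mike tty2   # deny
access_check mike tty1   # allow
```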
NIS Client Configuration
NIS Servers can be configured to centrally manage system and account information. These servers can share the contents of /etc/passwd, /etc/shadow, /etc/group, and several other files among any number of clients.
To configure a client, you must install the ypbind and portmap RPMs, and then you can run system-config-authentication. This command will make the proper entries in /etc/sys........MISSED SHIT!
- watch out for SELinux stuff!!! check /var/log/messages
/etc/auto.master
/home/nis /etc/auto.nis
/etc/auto.nis
* -rw server1:/home/nis/&
LDAP Client Configuration
LDAP Servers can also be configured to centrally manage system and account information. LDAP is much more secure than the default NIS configuration, and as such is becoming much more popular.
to configure a client, you must.....MISSED MORE SHIT!!
The Linux Quota System
Quotas are implemented in the kernel on a per-file system basis.
to enable quotas, you must follow these steps:
update /etc/fstab, adding usrquota/grpquota to the desired file system
mount/remount the updated file system
create/update the quota database with quotacheck
turn on quotas with quotaon
edit a user's quota with setquota or edquota
You can review quotas with either the quota or repquota commands.
Example:
# vi /etc/fstab
add: usrquota
# mount -o remount / - do this to remount the running filesystem
# quotacheck -a -m - the '-m' to force the read, the results could be different when complete
# quotacheck -g - to create the groups database
# quotaon -a
# edquota -u
1 block = 1 kilobyte
there are a limited number of inodes; all inodes are created when the file system is created. This is why inode usage must be limited: they are a finite resource.
soft limit - is THE limit, but the kernel is lenient and will allow usage up to the hard limit
hard limit - there is nothing higher than this
# repquota -a - to get a report on all user quotas
# setquota - not too good, takes in command line options
# edquota -t - option to set the time or grace period, the "high water mark" will become the new hard limit
To test this:
# dd if=/dev/zero of=waste_space
# for i in `seq 205`; do touch file$i ; done
Section 6 - The Red Hat Kernel
Key Kernel Directories
/boot - contains the vmlinuz and initrd required to boot the system
/usr/src/kernels - directory for kernel sources, RHEL 5
/proc - virtual file system for seeing "into" the kernel
The /proc file system
The /proc file system, your window to the kernel
/proc/1 - A directory with information about process number 1.
/proc/cpuinfo - Information about the processor, including type, make, model, and speed.
/proc/interrupts - Shows which interrupts are in use and by which module.
/proc/kmsg - Messages output by the kernel (these are also routed to syslog)
/proc/loadavg - The load average of the system
/proc/meminfo - Information about memory usage (RAM and swap)
/proc/modules - Information about which modules are currently loaded.
/proc/uptime
/proc/version - The kernel version
/proc/sys -
Sysctl
/proc/sys
The values of /proc/sys can be changed while the system is online, but those changes will not persist across reboots. To make permanent configuration changes, one should modify /etc/sysctl.conf.
sysctl
At boot, sysctl is called by /etc/rc.sysinit. Any parameters listed in /etc/sysctl.conf ....... MISSED
# sysctl -a - a list of variables
edit /etc/sysctl.conf
add: fs.file-max = 543555
net.ipv4.icmp_echo_ignore_all = 1 <----> these translate to /proc/sys/net/ipv4/icmp_echo_ignore_all
- check out swappiness (vm.swappiness)
Working with Modules
/etc/modprobe.conf - Specifies how modules will behave when they are loaded and unloaded
depmod -a - This can be run at any time to scan through your modules to determine the dependencies for each one. The results of this scan will be written to modules.dep. Once this has been run, any attempt to load or unload a module will first have to pass a dependency check.
modprobe - This command can be run to load or unload a module and its dependencies.
lsmod - This command will list the currently loaded modules.
-Located: /lib/modules/
Software RAID
Software RAID can be configured, monitored, and modified all with the mdadm command.
To create a RAID array, you can run the following command:
# mdadm -C
To verify the RAID array, you can run the following:
# mdadm --detail
# cat /proc/scsi/scsi
example:
# fdisk /dev/sda
:n
e for extended
Enter
Enter
:n
Enter
+1G Enter
:n
Enter
+1G Enter
:t
5
L - for a list of codes
fd
:t
6
fd
p - to print the partition table
:w - to write or commit the changes to the drive
# partprobe - to inform the system of the partition table changes
# ls /dev/md*
# mdadm -C /dev/md0 -l 1 -n 2 /dev/sda5 /dev/sda6
mdadm: array /dev/md0 started.
# cat /proc/mdstat
Personalities : [raid1]
md0 : active raid1 sda6[1] sda5[0]
987840 blocks [2/2] [UU]
unused devices:
----
Create a file system on this new RAID array
# mkfs.ext3 /dev/md0
Simulate a faulty drive
# mdadm /dev/md0 -f /dev/sda5
mdadm: set /dev/sda5 faulty in /dev/md0
Check the status of the RAID array, even watch it rebuild itself
# cat /proc/mdstat
Personalities : [raid1]
md0 : active raid1 sda6[1] sda5[2](F)
987840 blocks [2/1] [_U]
unused devices:
----
# mdadm /dev/md0 -r /dev/sda5
mdadm: hot removed /dev/sda5
# mdadm /dev/md0 -a /dev/sda5
mdadm: re-added /dev/sda5
# watch -n 1 cat /proc/mdstat
Software RAID Lab:
Create a RAID-5 array on your machine, consisting of 4 partitions each 512MB in size, one of which should be reserved for use as a hot spare.
Format this array with ext3 and mount it with support for user quotas so that it will persist across reboots.
# fdisk /dev/sda
Do this to find the major and minor numbers; here they are "9 and 0".
# ls -l /dev/md0
brw-r----- 1 root disk 9, 0 Aug 12 14:14 /dev/md0
# mknod /dev/md1 b 9 1
# mdadm -C /dev/md1 -l 5 -n 3 -x 1 /dev/sda5 /dev/sda6
-OR-
The --auto=yes will create the device file.
cd
Can add the spare after already created. Will just be added as "spare".
# mdadm /dev/md1 -a /dev/sda10
# cat /proc/mdstat
.....output
Logical Volume Management
Key Terms
Physical Volume (pv) - is simply the partition/RAID device that you wish to use for LVM space.
Physical Extent (pe) - A physical extent is a chunk of disk space. These can be any size, but default to 4MB.
Volume Group (vg) - is a collection of physical volumes.
Logical Volume (lv) - is a grouping of physical extents from your physical volumes. This logical volume is where you can format a file system.
|----FS----| *
|----LV----||----LV---||----LV----| ^
|----------------VG-----------------| ^
|-------PV-------||-------PV-------| ^
---------------------------------------
Device Mapper
Creating Logical Volumes
pvcreate
pvdisplay - to display your physical volumes
vgcreate
vgdisplay - to display your volume groups
lvcreate [ -l
lvdisplay - to display
df
df
example:
# pvcreate /dev/sda11
# vgcreate "rhce_demo" /dev/sda11
# vgdisplay - need to get the "Total PE" or total physical extents to use on the next command (478)
# lvcreate -l 478 -n "MyLV" rhce_demo
# mkfs.ext3 /dev/rhce_demo/MyLV
# mkdir /mnt/LVM
# mount /dev/rhce_demo/MyLV
-The device mapper is a feature of the kernel, an API, used to build on to manage hard drive space in Linux.
# man dmsetup
Adding a disk to the LVM
# fdisk /dev/sda to create another partition
# pvcreate /dev/sda12
# pvdisplay
# vgextend rhce_demo /dev/sda12
# pvdisplay
# vgdisplay - vg has grown in size and in extents
# lvdisplay - lv still has not grown
# lvextend -L +500M /dev/rhce_demo/MyLV
# lvdisplay - lv has now grown, but the file system still has not grown (df -h)
# while sleep 1 ; do echo data >> file ; done &
# resize2fs /dev/rhce_demo/MyLV
# df -h - the file system has grown to the max size, finally
To create a snapshot
# modprobe dm-snapshot
# lvcreate -l 116 -n "lv-snap" -s /dev/rhce_demo/MyLV
# lvdisplay
# mkdir /mnt/snap
# mount /dev/rhce_demo/lv-snap /mnt/snap
# df -h
-this can be used to create a snapshot and then fsck that snapshot to see if there are any errors
# tune2fs -C 0 -T now /dev/rhce_demo/MyLV
-"extents" are little chunks of hard drive space
Resizing Logical Volume
some
more
stuff
LVM Lab
Add logical volume management on top of your raid array. Use half the available space for a logical volume formatted with ext3 and mounted persistently across reboots. Take a snapshot of this logical volume and check the file system for errors. Assuming none are found, reset the counter for days and mounts until a check is forced on the original filesystem.
# pvcreate /dev/md1
# vgcreate "lvm_lab" /dev/md1
# vgdisplay
# lvcreate -L 500M -n "lvmOnRaid" lvm_lab
# mkfs.ext3 /dev/lvm_lab/lvmOnRaid
# mkdir /mnt/lvm_on_raid
# lvcreate -l 100 -n "lv_raid_snap" -s /dev/lvm_lab/lvmOnRaid
# lvdisplay
# fsck /dev/lvm_lab/lv_raid_snap
# tune2fs -C 0 -T now /dev/lvm_lab/lvmOnRaid
Section 7 - RPM and YUM
Red Hat Linux : RPM
The RPM Package Manager
An RPM is a collection of files required for a program. These files include binaries, configuration files, documentation, and instructions on where and how each of those files should be installed.
The RPM Database
more....
RPM Query Options
Below are just a few examples of the types of queries you can run against the RPM database.
rpm -qa Queries for the names of all installed rpms.
rpm -qi Queries the rpm database for package information.
rpm -qf Queries
rpm -ql
RPM Verify Options
rpm -Va Verifies the integrity of all installed packages.
rpm -Vi
RPM Verify Output
S file Size differs
M Mode differs
5 MD5 sum differs
D
L
U
G Group ownership differs
T m Time differs
C SELinux Context differs
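Added example, not from the class notes: triage of "rpm -Va" output using the flag letters listed above. A changed MD5 ("5"), size ("S") or mode ("M") on a file that is not marked as a config file ("c" attribute) is what to chase, since package binaries should never change in place, while config files are expected to differ. The sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the class notes: classify rpm -Va lines.
# Line layout: flags (or the word "missing"), an optional attribute letter
# such as c for config, then the path.  Paths with spaces are not handled.

# constructed sample output (not from a real system)
RPM_VA_SAMPLE=$(cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
.......T.    /usr/share/man/man1/ls.1.gz
.M.......    /usr/bin/passwd
missing     /usr/share/doc/foo/README
EOF
)

# triage_rpm_verify < rpm -Va output -> "VERDICT path" per line
triage_rpm_verify() {
    awk '
        $1 == "missing" { print "MISSING " $NF; next }
        {
            flags = $1
            attr  = (NF == 3) ? $2 : ""
            path  = $NF
            # config files are allowed to change; note them, do not alarm
            if (attr == "c") { print "CONFIG-CHANGED " path; next }
            # content, size or mode change on a non-config file
            if (index(flags, "5") || index(flags, "S") || index(flags, "M")) {
                print "TAMPER " path; next
            }
            # only timestamp/owner-style differences remain
            print "ATTR-ONLY " path
        }'
}

# count_verdict VERDICT -> how many sample lines got that verdict
count_verdict() {
    printf '%s\n' "$RPM_VA_SAMPLE" | triage_rpm_verify | grep -c "^$1 " || true
}

printf '%s\n' "$RPM_VA_SAMPLE" | triage_rpm_verify
```

rpm -V compares against the local RPM database, which an attacker with root can also edit; for a host you distrust, verify against the package file from trusted media with rpm -Vp instead.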
Installing RPMs
The general form of an rpm install command is:
# rpm -i
Upgrading RPMs
# rpm -U
Freshening RPMs
# rpm -F
Technique for extracting package contents:
# cd /temp/dir
# rpm2cpio /path/to/package | cpio -i --make-directories --no-absolute-filenames --preserve-modification-time
YUM
Originally the "YellowDog Update Manager", this meta-package manager can resolve dependencies and retrieve packages over the network.
# yum
Repositories of packages must be listed in files in the /etc/yum.repos.d directory with names ending in .repo and having a format like:
[label-for-repo]
name = descriptive text
baseurl = protocol://path/to/directory/of/packages
Access to the Red Hat Network, including any Satellite Servers, is implemented through a plugin to the yum tool itself, and not as a repository definition in the above format. RHN is still configured in the /etc/sysconfig/rhn/up2date as in RHEL 4.
example of /etc/yum.repos.d/server1.repo:
[server1]
name = server 1 repo
baseurl = file:///net/server1/var/ftp/pub/Server
gpgcheck = 0
To protect sensitive, customized, or locally installed packages from being updated or overwritten by yum, add them in a space separated list to the "exclude" variable in the /etc/yum.conf file. This variable supports shell-style wild-cards, and is the yum equivalent to the "skip list" in up2date.
/etc/yum.conf
exclude = *[mM][yY][sS][qQ][lL]*
# yum shell
> info httpd
> remove nmap
YUM Lab Exercise
Install the "createrepo" package
Download the OpenOffice archive from server1
Extract all of its RPMs to somewhere logical on your machine
Turn that directory into a yum repository
Add that repository to your yum configuration
Install the "openoffice.org-writer" package, and/or any others
# yum install createrepo
# tar -zxvf openoffice.org-packages
# createrepo /path/to/the/rpms
/etc/yum.repos.d/server1.repo
[myrepo]
name = my stuff
baseurl = http://localhost OR file:///var/pub/rpms
gpgcheck = 0
(Day 3)
Section 9 - Xorg
Xorg Overview
RHEL 5 comes with 6.9
Xorg has been designed as a flexible and powerful client/server-based system.
XServer - controls the graphics on the local computer, it draws the images on your screen and takes input from your keyboard and mouse
XClients - local or remote applications such as xclock or firefox that you can run on the local XServer
Functionality of the Xorg server is enhanced via the use of modules.
Configuring Xorg
For initial configuration of Xorg, you can use the command system-config-display. This can be run with the --noui and --reconfig
/etc/X11/xorg.conf
/etc/X11/prefdm
/etc/sysconfig/desktop
DISPLAYMANAGER="KDE"
Making Xorg Pretty
Display Manager - X equivalent of the text-based login program. RHEL 5 ships w/ gdm and kdm Display managers are usually started in run-level 5 from the /etc/X11/prefdm script.
Window Managers - special type of X Clients which encapsulate other clients, allowing them to be moved, resized, or "iconified". They also provide the desktop theme, configurable menus, panel utilities, and session management. RHEL ships with GNOME, KDE, and twm. These window managers provide the core functionality of the GUI.
The display and window managers may be set in /etc/sysconfig/desktop
---- RHCE STUFF STARTS HERE ----
Section 8 - Network Sharing Services
NFS
NFS, or the Network File System, is used to share data with other servers.
For this service to work properly, the portmap and nfs-utils rpms must be installed and portmap and nfs must be running.
The command rpcinfo can be run to confirm
# rpcinfo
MISSED SHIT!
NFS (continued)
/etc/exports should be configured as follows:
exportfs -r refreshes the server share list
exportfs -a exports all shares in /etc/exports
exportfs -u un-exports a share name (or all shares with -a)
showmount -e server shows all of the shares on that server
NFS mounts can be made persistent across reboots by adding the following to /etc/fstab:
server1:/var/ftp/pub /mnt/pub nfs defaults 0 0
netfs may be used to mount network file systems that are configured to be mounted in fstab
/etc/exports
/usr/share/doc 192.168.0.9(rw) 192.168.0.0/24(ro)
# service nfs restart
# chkconfig nfs on <------ DON'T FORGET THIS!
# showmount -e localhost
# man exports
options:
async - replies to requests before the changes are committed to stable storage; much faster, but data in flight is lost if the server crashes
sync - safer; replies only after the changes have been committed to stable storage, so the data is more likely intact after a power failure
root_squash - maps requests from UID 0 to the anonymous user (nobody); root on the client does not get root on the export. Enabled by default so nobody can show up as UID 0 or root. no_root_squash turns it off and should only be used for clients you trust completely.
all_squash - maps every client UID/GID to the anonymous user, so nobody keeps their original UID
NFS Lab
Share your /srv directory with your neighbor. Only grant them read-only access to that directory.
Mount the NFS share from your neighbor, and add it to your fstab.
add to /etc/exports:
/srv 192.168.0.43(ro)
# service nfs restart
# mount 192.168.0.11:/srv /mnt/nfs_share
add to /etc/fstab:
192.168.0.11:/srv /mnt/nfs_share nfs defaults 0 0
# service portmap status
# service netfs status
VSFTPd
the Very Secure FTP daemon
As of RHEL 3, VSFTPd is the default ftp server, and it is no longer managed by xinetd - it is its own service.
The primary configuration file is /etc/vsftpd/vsftpd.conf.
Provides two levels of user access:
Anonymous - by default these users are chrooted to /var/ftp for security.
User - these users authenticate with a username/password and can download any file they can read and can upload into any directory in which they have write access.
Individual users can be denied by placing their names in /etc/vsftpd/ftpusers (enforced through PAM, see below).
-to chroot just a few users: leave chroot_local_user=NO, set chroot_list_enable=YES and list those users in /etc/vsftpd/chroot_list (with chroot_local_user=YES the list has the opposite meaning: the users who are NOT chrooted)
# man vsftpd.conf
-userlist_enable=YES makes vsftpd consult /etc/vsftpd/user_list before the password prompt; with userlist_deny=NO only the users named in that file may log in, with userlist_deny=YES (the default) they are the ones refused
VSFTPd Lab
Configure VSFTPd to only allow the user mike to ftp to your server. Make sure that mike is chrooted to his home directory upon login.
/etc/vsftpd/ftpusers - users not allowed to log in at all!
# cat /etc/pam.d/vsftpd - the pam_listfile.so line with file=/etc/vsftpd/ftpusers is what denies the users in that file
SAMBA Overview
SAMBA is an open source implementation of Windows networking protocols.
With SAMBA, it is possible to:
provide file and print services for various Microsoft Windows clients
integrate with a Windows Server domain as a Primary Domain Controller (PDC) or as a Domain Member
be part of an Active Directory domain
SAMBA provides the following services in Linux:
Authentication and authorization, file and print sharing, and NetBIOS name resolution/browsing
SAMBA Configuration
The following four packages must be installed for SAMBA to work as desired:
samba - provides basic software for sharing files and printers
samba-client - allows the server to connect to windows shares (also includes the smbclient command, which functions like a command-line ftp client)
system-config-samba - gui configuration tool
samba-common - contains samba configuration files
For SAMBA to work properly, the following services must be running:
smbd (SMB/CIFS server) for authentication and authorization and file and printer sharing
nmbd (NetBIOS name server) for name resolution and resource browsing
The main configuration file for SAMBA is /etc/samba/smb.conf
This file is VERY well commented and has examples for just about anything that you need to do.
Once you have made a configuration change, you can test it with the testparm command.
SAMBA Users
To have a SAMBA user, that user must first exist in /etc/passwd
The command smbpasswd -a username can then be used to add a user to /etc/samba/smbpasswd for SAMBA authentication.
To see the SAMBA shares a user has access to, you can use smbclient as follows:
# smbclient -L server -U username
To mount a share, you can use the UNC path with mount.cifs (the cifs replacement for the old smbmount; mount -t cifs does the same):
# mount.cifs //server/share /mount/point -o username=user
To configure this mount to happen at boot, add the following to fstab:
//server/share /mount/point cifs credentials=/etc/samba/pub.cred 0 0
(where /etc/samba/pub.cred is a file that only root can read which contains usernames and passwords)
SAMBA Lab
Configure SAMBA to share your /srv directory only to one neighbor who must log in with the SAMBA username of mike.
Make this share read-only for the SAMBA user mike.
Mount the share from your neighbor. Configure it to mount automatically at boot time. Use a credentials file to store the account information securely.
add to /etc/samba/smb.conf:
[srv]
path = /srv
valid users = mike
public = no
writable = no
hosts allow = 192.168.0.11
# smbpasswd -a mike
# man mount.cifs
X.x Web Services
Apache Configuration Files
/etc/httpd/conf/httpd.conf - the main configuration file
/etc/httpd/conf.d/ - this directory hold config files specific to Apache modules
Configuring a VirtualHost in Apache
ServerName
ServerAlias
DocumentRoot
CustomLog /path/to/access_log combined
ErrorLog /path/to/error_log
The NameVirtualHost directive names an IP:port on which several name-based websites are hosted; the first VirtualHost block for that address is the default site for requests whose Host header matches none of them.
-if DocumentRoot is left out then the vhost inherits the DocumentRoot of the main server configuration
Apache Lab 1
Configure two websites on your server.
wwwX.example.com should be served from /var/www/html and should also respond to requests for wwwX.
vhostX.example.com should be served from /home/mike/html and should also respond to requests for vhostX.
Both should be listening on your primary ip address, but wwwX.example.com should be default site.
(first VirtualHost listed for the address = default site)
NameVirtualHost 192.168.0.12:80
<VirtualHost 192.168.0.12:80>
    ServerName www12.example.com
    ServerAlias www12
    DocumentRoot /var/www/html
</VirtualHost>
# ldd `which httpd` | grep selinux
libselinux.so.1 => /lib/libselinux.so.1 (0x0099e1000)
Securing Apache
Apache allows for host-based access control on a per-Directory or per-File basis. There is support for statements of the form:
allow from host|network|all
deny from host|network|all
Both lists are always evaluated; the order directive decides which list wins on a conflict and what happens to a client that matches neither:
order allow,deny
allows explicitly allowed clients and denies everyone else. Anyone matching both the allow and deny lists is denied; anyone matching neither is denied.
order deny,allow
denies explicitly denied clients and allows everyone else. Anyone matching both the allow and deny lists is allowed; anyone matching neither is allowed.
In other words the list named last has the final say, and a client that matches nothing gets the default of that order: denied for allow,deny, allowed for deny,allow.
Apache Lab, continued
The wwwX site should be accessible to everyone except for the person sitting to your left.
allow from 192.168.0.0/24
deny from 192.168.0.13
order allow,deny
The vhostX site should only be accessible to the person sitting to your right.
allow from 192.168.0.11
deny from 192.168.0.0/24
order deny,allow
(caveat: deny from 192.168.0.0/24 only blocks the lab subnet; under deny,allow a host outside that subnet still gets in. deny from all is the way to really restrict it to the one host.)
Both should be listening on your primary ip address, but wwwX.example.com should be the default site.
-a client that is refused by these rules gets Error 403 - Forbidden
# curl -i vhost16
Squid Overview
Squid is designed to cache internet objects and can act as a proxy server for HTTP, FTP, and many other types of requests.
The configuration file for Squid is /etc/squid/squid.conf
Key Squid Configuration Settings include:
http_port 3128 # the port Squid listens on (3128 by default)
visible_hostname # the hostname Squid advertises (in error pages and Via headers)
acl mynet src 192.168.0.0/255.255.255.0 # identifies 192.168.0.0/24 as mynet
acl mynet src 192.168.1.0/255.255.255.0 # a second acl line with the same name adds 192.168.1.0/24 to mynet
http_access allow mynet # mynet allowed to use Squid
http_access deny yournet # yournet (another acl, defined the same way) denied access to Squid
Squid Lab
Configure your server to offer Squid proxy service to the person sitting on your right, but not the person sitting on your left.
This service should listen on port 8080.
to test:
# curl -x 192.168.0.12:8080 www.yahoo.com
-Be aware of the "INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS" comment in squid.conf: put your http_access lines there, above the final http_access deny all, because http_access rules are evaluated first-match
Section 13 -- Miscellaneous Services
xinetd
Xinetd is the extended internet services daemon.
This service acts as a super daemon by listening on key ports for certain types of requests. When a request is received, xinetd starts the appropriate service and hands off the connection so that it can be handled correctly.
Xinetd is configured in /etc/xinetd.conf; the services it controls are configured in /etc/xinetd.d/.
-cps = 20 30 is the connections-per-second limit: at most 20 new connections per second, and if that is exceeded the service is disabled for 30 seconds
# chkconfig chargen-stream off (xinetd services are switched with chkconfig too; it edits the disable line in /etc/xinetd.d/ and reloads xinetd)
-Check out the Jargon File
socket_type =
stream = TCP
datagram = UDP
Misc. Services LAB
Configure an anonymous rsync service to share the contents of your /srv directory.
add a file /etc/rsyncd.conf:
[srv]
path = /srv
comment = srv stuff
(rsyncd modules are read-only by default, so this is a read-only anonymous share)
# chkconfig rsync on    (rsync is an xinetd service, so xinetd must be running)
# rsync -av localhost::srv /tmp
CTRL + R on the command line to reverse-search the bash history
OpenSSH
in /etc/ssh/sshd_config
PermitRootLogin without-password - root may log in, but only with public-key authentication (never with a password)
# man sshd_config
If users can not login via SSH then consider the following:
PAM
expired or wrong password
wrong shell
home directory permissions
ftp users
sshd_config
permissions on /tmp
quotas
keys
ssh protocol version mismatch
Creating a Public Key for Authentication
# ssh-keygen -t dsa    (or -t rsa)
# scp .ssh/id_dsa.pub student@localhost:tmp-key
then, on the target, append tmp-key to ~student/.ssh/authorized_keys; ~/.ssh and authorized_keys must not be group- or world-writable (StrictModes) or sshd silently ignores the key, so 700 and 600 are the safe modes
Misc. Services LAB
Configure your box to allow both the 'root' and 'student' users to login locally, but not over ssh. (DenyUsers root student in sshd_config, then reload sshd)
(Day 4)
Section 11 - BIND
Bind Overview
BIND is the Berkeley Internet Name Domain.
On RHEL 5, this service is chrooted into /var/named/chroot for security (the bind-chroot package).
The configuration file for BIND is /var/named/chroot/etc/named.conf
This configuration file contains a section for global settings, and a section for zone file settings.
-inside the chroot BIND sees it as just /etc/named.conf
-outside the chroot, /etc/named.conf is a symbolic link -> /var/named/chroot/etc/named.conf
BIND Configuration
/var/named/chroot/etc/named.conf Global Settings
acl "mynet" { 192.168.0.0/24 ;};
options {
directory "/var/named";
forwarders { 192.168.0.254 ;};
allow-query { mynet; };
allow-transfer { mynet; };
};
acl - defines a named list of networks (similar to Squid's acl)
directory - base directory for zone files, relative to the chroot
forwarders - where to send queries this server can't answer
allow-query - defines hosts that can use this server
allow-transfer - defines hosts that can copy the whole zone (zone transfer, AXFR); restrict this to your slave servers
BIND Zone Configuration
To configure a new domain,
zone "mike.com" IN {
type master;
file "mike.com.zone";
};
For a slave configuration:
zone "mike.com" IN {
type slave;
file "slave.mike.com.zone";
masters {
192.168.2.254;
};
};
BIND Forward Zone File
A typical zone file would usually include items such as:
$TTL 600
mike.com. IN SOA ns.rackspace.com. michael\.roberts.rackspace.com. (
2007080101 ; Serial
10800 ; Refresh 3 hours
3600 ; Retry 1 hour
604800 ; Expire 1 week
86400 ); Minimum 24 hours
IN A 192.168.0.1
IN NS ns.rackspace.com.
www IN A 192.168.0.1
web IN CNAME www.somewhereelse.com.
@ IN MX 10 www.mike.com.
BIND Reverse Zone Configuration
Should you need to configure a reverse zone outside of our network, you may do so first by adding the following to named.conf:
zone "2.168.192.in-addr.arpa" IN {
type master;
file "mike.com.reverse.zone";
allow-update { none; };
};
BIND Reverse Zone File
The following record will then need to be created as /var/named/chroot/var/named/mike.com.reverse.zone:
$TTL 600
2.168.192.in-addr.arpa. IN SOA ns.rackspace.com. hostmaster.rackspace.com. (
2008... ; serial, then refresh / retry / expire / minimum as in the forward zone )
IN NS ns.ra
1 IN PTR www.example.com.    ; trailing dot: without it named appends the zone origin to the name
Setting this up from Scratch
# yum install caching-nameserver.i386 - this gives you example config files
# cd /usr/share/doc/bind-9.3.3/sample/var/named/ - for more zone file examples
-Split Horizon DNS is where a name server gives different responses depending on the network the request is coming from.
# nslookup
# host 192.168.0.254 - reverse lookup
# host 192.168.0.254 server1 - sends the query to server1 instead of the resolver in /etc/resolv.conf
# dig
# dig +short - only reports a short answer
# dig +trace - an iterative lookup starting from the root nameservers
# dig @server1.example.com station16.example.com
# named-checkconf
# named-checkzone zonename zonefile
# echo $? - exit status of the last check (0 = ok)
BIND Lab
Configure your machine to act as the authoritative nameserver fo a "demoX.example.com" domain and a "rhceX.example.com" domain, where X is your station number.
For both domains, configure these records:
All of the following should resolve to your IP address:
"www", "mail", "ns"
"web" should resolve to "www"
"mail" should be listed as the primary MTA for the domain
"ns" should be listed as the DNS server for the domain
Also configure your machine to respond to reverse DNS lookups, such as that your own IP address will resolve to "www.rhceX.example.com"
# cd /var/named/chroot/etc
# vi named.conf
options
{
directory "/var/named";
allow-query { 127.0.0.1; 192.168.0.0/24; };
};
zone "demo12.example.com" IN {
type master;
file "demo12.example.com.zone";
};
zone "rhce12.example.com" IN {
type master;
file "rhce12.example.com.zone";
};
-------------------
# cp /usr/share/doc/bind-9.3.3/sample/var/named/localdomain.zone /var/named/chroot/var/named/demo.zone    (zone files live under the directory "/var/named" inside the chroot, not next to named.conf; the file directive is relative to that directory)
- because of "glue records" we know of these "chicken and egg" situations where a DNS server is serving for itself :)
------------------------------------------------------my-example-----------------------------------------------------------
$TTL 600
demo12.example.com. IN SOA ns.demo12.example.com. eric\.hernandez.rackspace.com. (
2007081402 ; Serial
10800 ; Refresh 3 hours
3600 ; Retry 1 hour
604800 ; Expire 1 week
86400 ); Minimum 24 hours
IN A 192.168.0.12
IN NS ns ; an NS record must point at a name, never at an IP; "ns" is relative to the zone
www IN A 192.168.0.12
ns IN A 192.168.0.12
mail IN A 192.168.0.12
web IN CNAME www
@ IN MX 10 mail
-----------------------------------------------------end-example------------------------------------------------------------
-------------a more generic example---------------
$TTL 86400
@ IN SOA station12.example.com. root (
2008081401 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
www IN A 192.168.0.12
mail IN A 192.168.0.12
ns IN A 192.168.0.12
web IN CNAME www
@ IN MX 50 mail
@ IN NS ns
@ IN A 192.168.0.12
-----------END a more generic example-------------
-now we can use this one zone file as a template for all zones laid out like this, because it never mentions the zone name (FQDN); named takes the origin from the zone statement in named.conf
-check the permissions on the zone files: they must be readable by the named user (owned by named or world-readable)
# named-checkzone -D rhce12.example.com demo.zone - to check the zone file (-D dumps the zone as parsed)
# named-checkconf /var/named/chroot/etc/named.conf
# host web.demo12.example.com localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:
web.demo12.example.com is an alias for www.demo12.example.com.
www.demo12.example.com has address 192.168.0.12
-------------
Now, the reverse entries:
# vi /var/named/chroot/etc/named.conf
zone "0.168.192.in-addr.arpa" IN {
type master;
file "0.168.192.in-addr.arpa.zone";
allow-update { none; };
};
# vi 0.168.192.in-addr.arpa.zone
$TTL 86400
@ IN SOA station12.example.com. root (
2008081401 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS ns.rhce12.example.com.
12 IN PTR www.rhce12.example.com.
-----------------
To test this reverse PTR record:
# host 192.168.0.12 localhost
# dig @192.168.0.12 -x 192.168.0.12
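The zone-file chores in this section (naming the reverse zone, bumping the serial, reusing one template for demoX and rhceX, and the trailing-dot mistake shown in the reverse zone file earlier) as an added example that is not part of the course notes. The helpers are shell; hostmaster.DOMAIN. as the SOA contact and the timer values copied from the "generic" template are assumptions, and the BAD_REVERSE text is constructed to reproduce the missing-dot record.

```shell
#!/bin/sh
# Added example (not from the course notes): helpers for the zone files in the
# BIND lab. SOA contact and timers are assumptions; input below is constructed.

# reverse_zone IP -> the in-addr.arpa zone for the /24 containing IP
reverse_zone() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo "$o3.$o2.$o1.in-addr.arpa"
}

# ptr_label IP -> the owner name of IP's PTR record inside that zone
ptr_label() { echo "${1##*.}"; }

# next_serial CURRENT YYYYMMDD -> a YYYYMMDDnn serial strictly greater than
# CURRENT: today's date with nn=01, or CURRENT+1 when CURRENT is already at
# or past today (second edit the same day, or a fat-fingered year)
next_serial() {
    candidate=$(( $2 * 100 + 1 ))
    if [ "$candidate" -gt "$1" ]; then echo "$candidate"; else echo $(( $1 + 1 )); fi
}

# forward_zone DOMAIN IP SERIAL -> zone text with relative names, so the same
# template serves demoX and rhceX alike (www, mail, ns -> IP; web -> www; MX -> mail)
forward_zone() {
    dom=$1 ip=$2 serial=$3
    cat <<EOF
\$TTL 86400
@       IN SOA  ns.$dom. hostmaster.$dom. (
                $serial ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
@       IN NS   ns
@       IN MX   10 mail
@       IN A    $ip
www     IN A    $ip
mail    IN A    $ip
ns      IN A    $ip
web     IN CNAME www
EOF
}

# reverse_zone_file DOMAIN IP SERIAL -> the matching in-addr.arpa zone text
reverse_zone_file() {
    dom=$1 ip=$2 serial=$3
    cat <<EOF
\$TTL 86400
@       IN SOA  ns.$dom. hostmaster.$dom. (
                $serial ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
@       IN NS   ns.$dom.
$(ptr_label "$ip")      IN PTR  www.$dom.
EOF
}

# missing_dots ZONETEXT -> NS/MX/CNAME/PTR lines whose target contains a dot
# but does not end in one; named would silently append the origin to it
missing_dots() {
    printf '%s\n' "$1" | awk '
        $0 ~ /[ \t]IN[ \t]+(NS|MX|CNAME|PTR)[ \t]/ {
            target = $NF
            if (target ~ /\./ && target !~ /\.$/) print
        }'
}

BAD_REVERSE='$TTL 600
@ IN NS ns.rackspace.com.
1 IN PTR www.example.com'

reverse_zone 192.168.0.12          # 0.168.192.in-addr.arpa
next_serial 2008081401 20080814    # 2008081402
missing_dots "$BAD_REVERSE"        # 1 IN PTR www.example.com
```

Run named-checkzone on the generated files as the notes do; it accepts the undotted PTR target without complaint, which is exactly why missing_dots is worth keeping next to it.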
-check /etc/sysconfig/named
-check to be sure we have the rpm package "bind-chroot"
-------------------------
-------new module--------
-------------------------
Section 12 - Email Services
Sendmail Overview
What is sendmail?
MUA versus MTA
# mutt - a great mail user agent (MUA) for the terminal
Sendmail Configuration
-/etc/mail/sendmail.cf
Sendmail's main config
-/etc/mail/sendmail.mc
make changes here
-be sure to have the rpm package 'sendmail-cf' (the m4 macros sendmail.mc includes)
# ls -lrt - listed in reverse order based on time stamp (to see that sendmail.cf is newer than sendmail.mc)
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf - service sendmail restart does this for you (make in /etc/mail)
/etc/mail/local-host-names
- domains that sendmail is responsible for (accepts mail for)
To test sending an email message:
# echo this is a test message | mail -s test mike@rhce12.example.com
Ctrl + D = end of input
Telnet Test:
# telnet localhost 25
HELO localhost
MAIL FROM:<user@domain>
RCPT TO:<user@domain>
DATA
subject: this is the subject
from: root@domainl.com
my message
.
250 2.0.0 m7EGV0ov014932 Message accepted for delivery
-"250" is the response code for success
-could check mail log for "m7EGV0ov014932"
quit
-can check mail, mbox file, at /var/spool/mail 'mike' file
Virtusertable
/etc/mail/virtusertable - can be used to map accounts to different users
sales@rhce12.example.com mike
sales@demo12.example.com easye.h@gmail.com
# makemap hash virtusertable < virtusertable
Postfix Configuration
/etc/postfix/main.cf - the settings the lab cares about:
myorigin = redhat.com
mydestination = redhat.com
mynetworks = 192.168.0.0/24
inet_interfaces = all
(the stock file has inet_interfaces = localhost; it must be all for Postfix to accept mail from the network)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[root@station12 postfix]# cat /var/spool/mail/student
From root@station12.example.com Thu Aug 14 11:57:47 2008
Return-Path:
Received: from station12.example.com (localhost.localdomain [127.0.0.1])
by station12.example.com (8.13.8/8.13.8) with ESMTP id m7EGvlAu015126
for
Received: (from root@localhost)
by station12.example.com (8.13.8/8.13.8/Submit) id m7EGvlbM015125
for rstops@rhce12.example.com; Thu, 14 Aug 2008 11:57:47 -0500
Date: Thu, 14 Aug 2008 11:57:47 -0500
From: root
Message-Id: <200808141657.m7egvlbm015125@station12.example.com>
To: rstops@rhce12.example.com
Hi Team
From root@station12.example.com Thu Aug 14 13:44:14 2008
Return-Path:
X-Original-To: student@rhce12.example.com
Delivered-To: student@rhce12.example.com
Received: by station12.example.com (Postfix, from userid 0)
id E639A19889B; Thu, 14 Aug 2008 13:44:14 -0500 (CDT)
To: student@rhce12.example.com
Subject: postfix rocks
Message-Id: <20080814184414.e639a19889b@station12.example.com>
Date: Thu, 14 Aug 2008 13:44:14 -0500 (CDT)
From: root@station12.example.com (root)
this is a postfix messagse
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virtual Tables in Postfix
-------------------------
# vi /etc/postfix/virtual - the stock file is all comments explaining the format (see also man 5 virtual)
# postconf -e "virtual_alias_maps = hash:/etc/postfix/virtual"
-add to /etc/postfix/virtual:
sales@rhce12.example.com marisa
sales@demo12.example.com mike,stuart,marisa
@rhce12.example.com devnull    (a virtual map maps addresses to addresses, not to files; make devnull an /etc/aliases entry "devnull: /dev/null" and run newaliases)
# postmap virtual
# ls -lrt
-Postfix also honours /etc/aliases (run newaliases after editing it)
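The lookup order described above, as an added example that is not part of the course notes: a small shell resolver that consults a virtual(5)-style table the way Postfix's virtual_alias_maps does. The full address is tried first, then the "@domain" catch-all, and every result is looked up again so chained aliases expand; the bare-user lookup Postfix also tries for local domains is left out, and the ten-round loop guard stands in for Postfix's virtual_alias_recursion_limit. The table is constructed from the lab's users and domains; helpdesk@ and devnull are added here for illustration.

```shell
#!/bin/sh
# Added example (not from the course notes): resolve a recipient through a
# Postfix virtual(5) alias table. Table content is constructed for the demo.

VIRTUAL_TABLE='sales@rhce12.example.com     marisa
sales@demo12.example.com     mike,stuart,marisa
rstops@station12.example.com mike,stuart
helpdesk@demo12.example.com  sales@demo12.example.com
@rhce12.example.com          devnull'

# lookup TABLE KEY -> the value stored for KEY, or nothing
lookup() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# expand_one TABLE ADDRESS -> result of one lookup round:
# the exact address first, then the "@domain" catch-all, else ADDRESS itself
expand_one() {
    hit=$(lookup "$1" "$2")
    [ -n "$hit" ] || hit=$(lookup "$1" "@${2#*@}")
    echo "${hit:-$2}"
}

# virtual_lookup TABLE ADDRESS -> comma-separated final recipients
virtual_lookup() {
    table=$1
    pending=$2
    result=
    depth=0
    while [ -n "$pending" ] && [ $depth -lt 10 ]; do   # loop guard (assumption, see lead-in)
        depth=$((depth + 1))
        next=
        for item in $(printf '%s\n' "$pending" | tr ',' ' '); do
            expanded=$(expand_one "$table" "$item")
            if [ "$expanded" = "$item" ]; then
                result="${result:+$result,}$item"      # not rewritten: final recipient
            else
                next="${next:+$next,}$expanded"         # rewritten: look it up again
            fi
        done
        pending=$next
    done
    echo "$result"
}

virtual_lookup "$VIRTUAL_TABLE" helpdesk@demo12.example.com   # mike,stuart,marisa
virtual_lookup "$VIRTUAL_TABLE" bob@rhce12.example.com        # devnull
```

Note how the catch-all only fires for addresses with no exact entry, and how helpdesk@ needs two rounds before it reaches real mailboxes; postmap -q on a real server shows only one round, so a chain that stops early is worth checking by hand.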
Dovecot and mutt
----------------
Dovecot is the default POP/IMAP server for RHEL 5.
the configuration file is /etc/dovecot.conf
Usually, the only changes that need to be made are the enabling of the desired protocols.
mutt is a full-featured MUA for your terminal. You can use it to test pop3s and imaps:
# mutt -f protocol://server
Email Lab
---------
Configure Postfix to receive mail for stationX.example.com, and store user mailboxes in Maildir format.
When mail is received for rstops@stationX.example.com, that mail should be forwarded to the users mike and stuart.
Configure dovecot to serve user Maildirs on both imap and pop3. Generate a new key and self signed certificate for use with ssl encrypted imaps and pop3s and then enable those protocols to use it.
Test your secure mail server with mutt.
# cd /etc/pki/tls/certs
# make-dummy-cert server.pem    (generates a new key and a self-signed certificate into one file)
# service postfix restart    (Postfix side of the lab: home_mailbox = Maildir/ in main.cf gives Maildir delivery)
pem = privacy enhanced mail (the file format; this file holds both the private key and the certificate, so keep it root-only, mode 600)
# mv server.pem /etc
in /etc/dovecot.conf:
protocols = imap imaps pop3 pop3s
ssl_cert_file = /etc/server.pem
ssl_key_file = /etc/server.pem
mail_location = maildir:~/Maildir
then restart dovecot and test the ssl port:
# mutt -f imaps://station12.example.com    (imap:// for the plaintext port)
Section 14 - Securing Services
tcpwrappers
/etc/hosts.allow
/etc/hosts.deny
sshd: 192.168.2.200
1. first, hosts.allow (a match here allows the connection)
2. then, hosts.deny (a match here refuses it)
3. finally, allow the rest (no match in either file)
To determine if an application is compiled with support for tcp_wrappers, you can run the following steps:
1. Determine which binary the application runs as
# which sendmail
/usr/sbin/sendmail
2. Check for libwrap support in the binary. If you see 'libwrap' support in the output, then you can configure access to the service with tcp_wrappers.
# ldd /usr/sbin/sendmail | grep wrap
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x890324)
# vi /etc/hosts.deny
vsftpd: 127.0.0.0/255.255.255.0 EXCEPT 127.0.0.1
"mostly closed configuration" = in hosts.deny: sshd: ALL EXCEPT 1.2.3.4 (everyone refused except the listed host)
-Services that use tcp_wrappers: sshd, xinetd (and everything it manages), vsftpd, portmap, sendmail
# man hosts.allow/hosts.deny
IPTables Chains
---------------
IPTables is the userspace front end to the kernel's netfilter framework (since kernel 2.4). The "filter" table has the following chains:
- INPUT is responsible for filtering traffic destined for the local system.
- OUTPUT handles locally generated traffic after it has left the sending process.
- FORWARD controls traffic routed between interfaces.
There are also the nat and mangle tables.
IPTables Configuration files
----------------------------
# iptables -L - displays the rules (add -n to skip DNS lookups, -v for packet counters, --line-numbers to number the rules)
# iptables-save - dumps the rules in the format that iptables-restore reads
The iptables init script loads the rules saved in /etc/sysconfig/iptables at boot.
IPTables Matching Policies
---------------------------
The iptables configuration is parsed from top to bottom.
IPTABLES will respond based on the first match that it finds.
If there is no specific match, the chain policy will apply.
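The first-match and chain-policy rule above, and the order allow,deny / order deny,allow semantics from the Apache section earlier, as an added example that is not part of the course notes. It is a pair of small policy evaluators in shell, sharing one CIDR matcher, so both models can be checked against a client address without a running server. The rule text is constructed: the iptables rules are the ones from the mail-server lab below, written as "SOURCE PROTO DPORTS TARGET" lines (a multiport list is accepted for DPORTS), and the Apache lists are the two vhost policies from the Apache lab.

```shell
#!/bin/sh
# Added example (not from the course notes): evaluate Apache "order" access
# rules and an iptables INPUT chain against a client address. Inputs constructed.

# ip2int A.B.C.D -> the address as an integer
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# in_cidr IP NET -> true when IP lies inside NET ("a.b.c.d", "a.b.c.d/bits" or "all")
in_cidr() {
    case $2 in
        all|ALL|0.0.0.0/0) return 0 ;;
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2; bits=32 ;;
    esac
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# apache_access ORDER "ALLOW-LIST" "DENY-LIST" IP -> allowed | denied
# Both lists are always evaluated. allow,deny: must match an Allow and no Deny
# (default denied). deny,allow: refused only on a Deny without an Allow (default allowed).
apache_access() {
    order=$1 allow_list=$2 deny_list=$3 client=$4
    hit_allow=0 hit_deny=0
    for n in $allow_list; do in_cidr "$client" "$n" && hit_allow=1; done
    for n in $deny_list;  do in_cidr "$client" "$n" && hit_deny=1;  done
    case $order in
        allow,deny)
            if [ $hit_allow -eq 1 ] && [ $hit_deny -eq 0 ]; then echo allowed; else echo denied; fi ;;
        deny,allow)
            if [ $hit_deny -eq 1 ] && [ $hit_allow -eq 0 ]; then echo denied; else echo allowed; fi ;;
        *) echo "unknown order: $order" >&2; return 1 ;;
    esac
}

# iptables_input "RULES" IP PORT [POLICY] -> target of the first matching rule,
# or the chain policy when nothing matches. One rule per line:
# "SOURCE PROTO DPORTS TARGET" ("-" = any), i.e. the shape of
# "-A INPUT -s SOURCE -p tcp -m multiport --dports DPORTS -j TARGET"
iptables_input() {
    rules=$1 client=$2 port=$3 policy=${4:-ACCEPT}
    while read -r src proto dports target; do
        [ -n "$target" ] || continue                      # skip blank lines
        if [ "$src" != "-" ] && ! in_cidr "$client" "$src"; then continue; fi
        if [ "$dports" != "-" ]; then
            case ",$dports," in *",$port,"*) ;; *) continue ;; esac
        fi
        echo "$target"                                     # first match wins
        return 0
    done <<EOF
$rules
EOF
    echo "$policy"                                         # fell off the end of the chain
}

# The mail-server lab: 192.168.1.2 may reach the mail ports, the rest of
# 192.168.1.0/24 is rejected, everybody else falls through to the policy.
LAB_RULES='192.168.1.2    tcp 25,110,143,993,995 ACCEPT
192.168.1.0/24 tcp 25,110,143,993,995 REJECT'

# The same two rules the wrong way round: the subnet REJECT shadows the ACCEPT.
LAB_RULES_REVERSED='192.168.1.0/24 tcp 25,110,143,993,995 REJECT
192.168.1.2    tcp 25,110,143,993,995 ACCEPT'

apache_access allow,deny "192.168.0.0/24" "192.168.0.13" 192.168.0.13   # denied
apache_access deny,allow "192.168.0.11" "192.168.0.0/24" 10.1.1.1       # allowed
iptables_input "$LAB_RULES" 192.168.1.2 25                              # ACCEPT
iptables_input "$LAB_RULES_REVERSED" 192.168.1.2 25                     # REJECT
```

The second Apache call is the lab's "only my right-hand neighbour" vhost probed from an address outside the lab subnet: under deny,allow it is let in, which is why deny from all is the safer base for that site. The last two calls show the same pair of iptables rules accepting and then rejecting the exception host purely because of their order.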
IPTables Targets
----------------
IPTables uses targets to determine what action will be taken if traffic matches an existing rule. The basic targets are:
DROP - drops the packet and sends nothing back; the sender waits until it times out.
REJECT - drops the packet and sends an error back (ICMP port unreachable by default), so the sender fails immediately.
ACCEPT - will allow the connection.
LOG - will log the connection attempt.
*on the exam use reject instead of drop, as we would normally.
Syntax
------
in /etc/sysconfig/iptables
-A INPUT -s 192.168.2.100 -j REJECT
# /sbin/iptables -A INPUT -s 192.168.2.100 -j REJECT
can match:
incoming interface (-i)
protocol (-p)
source ip address (-s)
destination ip address (-d)
destination port (--dport)
Helpful commands
----------------
iptables -L
iptables-save
iptables -D INPUT 3 - delete rule number 3 of INPUT (see iptables -L --line-numbers).
iptables -D INPUT rule-spec - delete the rule matching the given specification.
iptables -F - flush the rule set (the chain policies stay as they are).
-m state --state ESTABLISHED,RELATED -j ACCEPT --- so the server can answer on connections it already has (no space after the comma)
# iptables-save > /etc/sysconfig/iptables
OR
# service iptables save
examples:
iptables -A INPUT -s 192.168.0.12 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 21 -j REJECT
(order matters: the single-host ACCEPT must be added before the subnet REJECT)
# service iptables panic - flushes the rules and sets every chain policy to DROP (locks you out if you are remote)
# iptables -P INPUT ACCEPT - sets the chain policy
Network Security LAB
--------------------
Configure your mail server NOT to accept connections from the 192.168.1.0/24 network, EXCEPT for the 192.168.1.2 host.
Dovecot ports = 993 (imaps), 995 (pop3s), 110 (pop3), 143 (imap)
port 587 = submission port
port 25 = SMTP
# iptables -A INPUT -s 192.168.1.2 -p tcp --dport 25 -j ACCEPT
# iptables -A INPUT -s 192.168.1.2 -p tcp --dport 993 -j ACCEPT
# iptables -A INPUT -s 192.168.1.2 -p tcp --dport 995 -j ACCEPT
# iptables -A INPUT -s 192.168.1.2 -p tcp --dport 110 -j ACCEPT
# iptables -A INPUT -s 192.168.1.2 -p tcp --dport 143 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 25 -j REJECT
...and the same for the rest of the ports above. The host ACCEPTs go first: the first matching rule wins, so a subnet REJECT placed above them would shadow the exception.
Shorter, one rule per target with the multiport match:
-m multiport --dports 25,110,143,993,995
--------------------------
empulsegroup.com
Level 3 Test Review
To Study
Regular Expressions
Boot Up Issues - initrd, journal, grub
MySQL - replication
PLesk Hacker and database schema
thirdshift wiki
research questions
-check out the VMs that paul set up
http://alexalmazan.com/
Research Questions
1. configure postfix to pass mail through spamassassin. the rack user should have all spam filtered into a seperate spam folder
http://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix
1. Edit /etc/postfix/main.cf, add: virtual_alias_maps = pcre:/etc/postfix/virtual
2. Edit /etc/aliases, add: scripttarget: "| /path/to/program/to/execute"
3. Edit /etc/postfix/virtual, add: /^[0-9]{10,11}@dev.mblst.com/ scripttarget
4. Restart postfix: service postfix restart
5. That's it.
2. create an svn repository named 'wp' that contains the wordpress source code in /home/svn. Configure your web server to properly handle svn connections to http://domain/wp
3. configure http://domain (192.168.0.1) to load balance across 192.168.0.2 and 192.168.0.3 with web content out of /home/major and /home/minor respectively. Using iptables 60% of the traffic should be served from /home/major
4. configure vsftpd to listen on ports 21, 2121, 8888. no iptables.
- need to use multiple process each with different vsftpd.conf files
5. install wordpress into /home/rackwp and setup http://wp.domain.com on 192.168.0.1. Configure squid in reverse proxy configuration on port 9999 to be the front end for the wordpress blog.
6. configure a second instance of mysql to listen on port 3307. create and configure the 'rackdb' to be replicated from mysql server on port 3306 to new instance on 3307
Break Fix #1
(error)
root (hda)
Error 23: Error while parsing number
Boot to: linux rescue
# fdisk -l
# e2label /dev/sdaN // show the label on each partition, to match fstab and find /boot and /
-check /etc/fstab to see mount points
// grub.conf
title CentOS (2.6.18-53.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-53.el5 ro root=LABEL=/1
initrd /initrd-2.6.18-53.el5.img
THEN, a new issue came up on boot.
(error)
Creating root device.
Mounting root filesystem.
ext3: No journal on filesystem on sda6
mount: error mounting /dev/root on /sysroot as ext3: Invalid Argument
Setting up new filesystem.
Setting up new root fs.
setuproot: error mounting
Switching to new root and run init.
SOLUTION: Rebuild the journal on /dev/sda6 (fsck it, then tune2fs -j /dev/sda6; see the ext3 journal notes below)
Break Fix 2
(error)
RAMDISK: Couldn't find valid RAM disk image starting at 0.
VFS: Cannot open root device "LABEL=/" or unknown-block(0,0)
Please append a correct "root=" boot option
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
SOLUTION: rebuild the initrd (from linux rescue, chroot /mnt/sysimage first; note that uname -r then reports the rescue kernel, so use the version of the installed kernel from ls /boot instead):
# mkinitrd -f /boot/initrd-`uname -r`.img `uname -r`
-Check /etc/inittab for the right runlevel
id:3:initdefault:
Break Fix 4
(error)
mount: could not find filesystem '/dev/root'
# fdisk -l
# parted /dev/sda print // for partition sizes
# e2label /dev/sda1
# cat /etc/fstab
LABEL=/ /
# e2label /dev/sda6 /   // set the label that fstab and grub.conf expect
Issue 2: check the permissions on /bin/sh (/bin/bash); they were set to 000.
Break Fix 5
(error)
_
(just a black screen with a cursor)
- Nothing in /boot, no GRUB installed
# grub-install --root-directory=/ /dev/sda    (from linux rescue: chroot /mnt/sysimage first, or use --root-directory=/mnt/sysimage)
OR
Alternative grub setup. see link.
Boot Up Issues
POST
BIOS - basic I/O
checks access to RAM
checks processors
scans hardware
addressing
plug & play
CMOS
overrides are applied
boot order
Start CPU in real mode
1MB of memory addressable
no memory protection
like a 286 Intel processor -> GRUB starts here at Stage 1
no protection, no multitasking
Booting
Stage 1 = first 512 bytes of the disk, the MBR (Master Boot Record)
- switches the CPU to 32-bit protected mode
- GRUB Stage 1.5 = the file system driver is loaded; this is the main difference from LILO, which stores raw block lists instead
Stage 2 = candy
- GRUB Stage 2 = the menu / GUI
-files held in /boot/grub
- menu.lst (symlink to grub.conf)
- grub.conf
- the *_stage1_5 files
- /backup
grub.conf file
title
kernel
initrd
root (hd0,0) - the disk and partition for this entry, numbered from 0 the way the BIOS sees them
# grub-install
Kernel Files
1. vmlinuz - the gzip-compressed kernel
2. System.map - kernel symbol addresses (used to decode oopses)
3. config - the configuration the kernel was built with
4. initrd - holds the modules needed to reach the root filesystem (disk controller, filesystem)
* Kernel modules live in /lib/modules
initrd
-if the initrd cannot pivot_root onto the real root filesystem, the result is a kernel panic
# modprobe - inserts modules into kernel
-ext3 is ext2 with journaling
# depmod -a
# mkinitrd -f /boot/initrd-`uname -r`.img `uname -r`
init
/etc/inittab
-first uncommented line will be default runlevel
runlevels
chkconfig for each runlevel
Removing and re-enabling journal for ext3
GRUB
Regular Expressions
-Perl Reg Ex
-UNIX Reg ex
^ - begin line
$ - end line
. - any 1 character
? - 0 or 1 times
* - 0 or more times
+ - 1 or more times
| - OR
[ ] - set of characters
[^pattern] - not
{ } - repetition count, e.g. {10,11}
Groupings
\d - digit
\w - word character (alphanumeric or underscore)
\s - whitespace
# netstat -npa --inet | sed 's/:/ /g' | grep -P '[0-9]+\.'
/i - case insensitive
Perl uses '=~' to bind a string to a regex
Print Only Filenames w/o Extensions
# ls -l | awk '{print $9}' | sed 's/\./ /g' | awk '{print $1}'    (breaks on names with more than one dot: archive.tar.gz -> archive)
# ls -l | awk '{print $9}' | sed 's/\.[^\.]*$//'                    (removes only the last extension: archive.tar.gz -> archive.tar)
sed 's/-[^-]*-[^-]*$//'
strips the last two dash-separated fields, i.e. the version and release from NAME-VERSION-RELEASE; earlier dashes in the name are left alone because the pattern is anchored at the end of the line.
bash-3.0-19.7 -> bash
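The sed expressions above as functions, plus a netstat parser in the spirit of the grep -P pipeline, as an added example that is not part of the course notes. The input is constructed (a few lines in the shape of netstat -nat --inet output) so each expression can be checked offline; strip_ext also handles the one case the bare 's/\.[^.]*$//' gets wrong, a name that is nothing but an extension.

```shell
#!/bin/sh
# Added example (not from the course notes): the sed one-liners as functions,
# and a small parser for netstat output. All input below is constructed.

# strip_ext NAME -> NAME without its final ".ext"; a name that is only an
# extension (".bashrc") is left alone because one character must precede the dot
strip_ext() { printf '%s\n' "$1" | sed 's/\(.\)\.[^.]*$/\1/'; }

# strip_version PKG -> package name from NAME-VERSION-RELEASE: the last two
# dash-separated fields go, whatever dashes the name itself contains
strip_version() { printf '%s\n' "$1" | sed 's/-[^-]*-[^-]*$//'; }

# Constructed "netstat -nat --inet" output
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.12:80         0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.12:22         192.168.0.11:51234      ESTABLISHED'

# listening_ports NETSTAT_TEXT -> distinct local ports in LISTEN state,
# ascending, space separated
listening_ports() {
    printf '%s\n' "$1" \
        | awk '$1 ~ /^tcp/ && $NF == "LISTEN" { sub(/.*:/, "", $4); print $4 }' \
        | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# peers NETSTAT_TEXT -> remote addresses (port stripped) of established connections
peers() {
    printf '%s\n' "$1" \
        | awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" { sub(/:[0-9*]+$/, "", $5); print $5 }' \
        | sort | uniq
}

strip_ext archive.tar.gz           # archive.tar
strip_version bash-3.0-19.7        # bash
listening_ports "$SAMPLE_NETSTAT"  # 22 25 80
```

The awk filters key on the last field rather than a fixed column, which survives the varying whitespace netstat emits; the port is split off with a regex anchored at the last colon so IPv4 addresses never lose octets.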
--------------------------
Plesk
The Plesk Control Panel
-install a new vhost.conf file
# /usr/local/psa/admin/bin/websrvmng --install-vhost --vhost-name=www2.harvestating.com
# cat vhost.conf
Options +FollowSymLinks
# pwd
/home/httpd/vhosts/harvesteating.com/subdomains/www2/conf
----------
UPGRADING
-Plesk Update to 8.x
edit /etc/sysconfig/rhn/sources
yum plesk8 http://autoinstall.plesk.com/PSA_8.4.0/dist-rpm-RedHat-el4-i386/
yum plesk8_thirdparty http://autoinstall.plesk.com/PSA_8.4.0/thirdparty-rpm-RedHat-el4-i386/
^change Plesk and RHEL version!
# up2date -u --dry-run // if no errors then punch it (run it for real)
# grep GPG /etc/sysconfig/rhn/up2date
// set useGPG to 0 to skip key checking
useGPG=0
$ edit sa-learn with just "1" on the second line to speed up the last step of the install
"bayes: synced database..."
# which sa-learn
/usr/bin/sa-learn
--------------
Top mail traffic domains
Domains with most mail traffic for date='2008-01-01' (change date as needed):
# mysql -uadmin -p$(...)
mysql> select * from data_bases where dom_id=7;
mysql> update data_bases set dom_id=13 where id=15;
IP_Addresses - list of ip addresses
hosting -
Repository - relation table to components table (component_id)
dns_zone - name of domains
dns_recs - records
# dnsmng
misc - various settings, periodic Apache restarts
Parameters -
key_history - history of all keys ever used
key_history_params -
[mail utilities and tables]
mail - everything about mail; account_id points at the password row in the accounts table
mail_aliases - mail aliases
spamfilter -
spamfilter_preferences -
# cd /usr/local/psa/
# less /etc/psa/psa.conf
bin/spamassassin.sh - to change spam assassin configs on per user basis, set up users in /var/qmail/mailnames and loop
admin/bin/spammng - train spam assassin on certain email messages
admin/bin/mailmng - set max mail messages size on user
admin/bin/mchk - rebuild all mail configurations with or with out spam assassin; regens .qmail files
the per-mailbox .qmail file (under /var/qmail/mailnames/domain/user/) - holds the spamassassin settings; a pipe (|) to spamassassin
[dns]
./dnsmng update domain.com
dns.sh - add, set, delete; set ttls
[web server]
admin/websrvmng -
bin/domain.sh -
----------
Horde Webmail Left Menu Not Showing
edit files:
/usr/share/psa-horde/ingo/lib/Storage.php
/usr/share/psa-horde/lib/Horde/IMAP/Tree.php
Old files...
require_once 'Horde/SessionObjects.php';
New files...
require_once '/usr/share/psa-horde/Horde/SessionObjects.php';
Plesk Version Issues
mysql> use psa;
mysql> update misc set val='0840' where param='version';
# cp /usr/local/psa/version{,.old}
echo "8.4.0 RedHat el4 84080514.18" > /usr/local/psa/version
----
vhost.conf:
php_admin_value open_basedir none
if vhost.conf is new, then run websrvmng -a
Removing and re-enabling journal for ext3
https://engineering.rackspace.com/dcops/operating_systems/linux/howto-s/removing-and-re-enabling-ext3?searchterm=journal+ab
https://core.rackspace.com/py/ticket/view.pt?ref_no=080709-06684
If you have to remove and then re-enable the journal on a corrupt or aborted ext3 filesystem, try this from single-user mode with the filesystem mounted read-only:
1. tune2fs -O ^has_journal /dev/*** <------ strips the journal
2. fsck the partition
3. tune2fs -j /dev/*** <----- adds back the journal
Once this is done, remount the filesystem read-write (mount -o remount,rw /) and create a test file (touch test.txt) to confirm that the filesystem is indeed writable.
If this doesn't work then a trickier option is also available to you:
1. debugfs -w -R "feature ^has_journal, ^needs_recovery" /dev/***
2. fsck the partition: e2fsck -y /dev/***
3. tune2fs -j /dev/***
If that doesn't work the drive is probably hosed.
--------
tune2fs: Attempt to read block from filesystem resulted in short read while trying to open /dev/sda5
Can't find valid filesystem superblock.
hardware error!
--------
Indications (in dmesg / /var/log/messages):
e100: eth1: e100_watchdog: link up, 100Mbps, full-duplex
journal_bmap_R3246d747: journal block not found at offset 1036 on ide0(3,2)
Aborting journal on device ide0(3,2).
ext3_abort called.
EXT3-fs abort (device ide0(3,2)): ext3_journal_start: Detected aborted journal
Remounting filesystem read-only
Error (-5) on journal on device 03:02
journal commit I/O error
EXT3-fs error (device ide0(3,2)) in start_transaction: Journal has aborted
EXT3-fs error (device ide0(3,2)) in ext3_delete_inode: Journal has aborted
(the "Journal has aborted" line then repeats for every write attempt)
ip_tables: (C) 2000-2002 Netfilter core team
Linux Performance Tuning
Performance tuning
-check server status
# sar -u
# mysqladmin status
# df -h // check whether /tmp is full
# uptime // check the server load for the past 1, 5, and 15 minutes to see improvements
# free -m
APACHE: Performance Tuning
-resources:
http://2bits.com/ (search apache)
MaxClients - defines how many simultaneous requests can be served. Any connection requests from browsers that come in after that will be queued. Default hard limit of 256. Is ok to set high for static content, but bad for rendered pages.
MaxSpareServers
MinSpareServers
StartServers
ServerLimit
Thrashing - where the system is just swapping pages from physical memory to virtual memory (on disk), and vice versa, without doing any real work.
Apache processes with modules (mod_perl, mod_python, mod_php) can easily be 21MB per process.
Can improve with PHP op-code cache/accelerator, then you can make each Apache process take as little as 12MB.
-this is where one_liner for RSS
-sort processes by mem usage
# ps auwxx --sort rss
# ipcs (semaphores)
-if apache is high mem usage, check MaxRequestsPerChild and keepalives
qMail
# qmHandle -s
/etc/init.d/smtp_psa
cps =
We started by adding the following to the smtp_psa xinetd config file:
per_source = 1
cps = 20 25
in /var/qmail/control/
concurrencylocal
concurrencyremote
MySQL
mysqltuner.pl
slow queries
Indexing - if a table has no primary keys and no indexes at all, every query does a table scan, which is very I/O intensive. When indexes are created on MySQL tables the database builds another block of information that needs to be updated every time there are changes made to the table. This could have a negative impact on performance if you are constantly updating, inserting and removing entries. Indexes will be needed for those fields that are used in a WHERE clause.
Creating an Index - New Table
CREATE TABLE students (
name VARCHAR(50),
studentID INT,
INDEX (studentID)
);
Creating an Index - Existing Table
CREATE INDEX id_index ON students(studentID);
Find any slow queries and investigate. Queries that return large results must write to a temp table in temp space, usually /tmp.
mysql> show processlist;
# mysqladmin processlist
# watch -n 1 mysqladmin processlist
mysql> show create table tableName;
-use EXPLAIN to see if queries are using indexes
mysql> EXPLAIN SELECT * FROM students WHERE studentID='45334';
-impact of having IDE vs. SCSI drives
-------
-check what is using the most mem
-sort processes by mem usage
# ps auwxx --sort rss
# ipcs (semaphores)
sar -r
APACHE
-resources:
http://2bits.com/ (search apache)
http://www.devside.net/articles/apache-performance-tuning
------
REAL WORLD
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# ServerLimit: maximum value for MaxClients for the lifetime of the server
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 128
MaxClients 128
MaxRequestsPerChild 4000
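An added example, not from these notes, that turns the per-process RSS figures above into a prefork MaxClients: the ps listing is constructed, and the 2GB box with 512MB reserved for everything other than Apache is an assumption.

```shell
#!/bin/sh
# Added example, not from the original notes: derive a prefork MaxClients
# from memory rather than guessing. Rule: MaxClients <= (RAM you are willing
# to give Apache) / (average RSS of one httpd child). Setting it higher is
# exactly what turns into the swapping/thrashing the notes describe.

# Constructed `ps auwxx` output (USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND).
SAMPLE_PS='USER       PID %CPU %MEM    VSZ    RSS TTY      STAT START   TIME COMMAND
root      1234  0.0  0.2  22000   4100 ?        Ss   10:00   0:01 /usr/sbin/httpd
apache    1240  0.3  1.0  60000  21500 ?        S    10:00   0:02 /usr/sbin/httpd
apache    1241  0.2  1.0  59000  20500 ?        S    10:00   0:01 /usr/sbin/httpd
apache    1242  0.4  1.1  61000  22000 ?        S    10:00   0:03 /usr/sbin/httpd
mysql     1300  1.0  9.0 400000 180000 ?        Sl   10:00   1:00 /usr/libexec/mysqld'

# apache_avg_rss_kb [process-name]: average RSS in KB of the httpd children
# in the ps listing read on stdin. The root-owned parent only listens and
# forks, so it is left out of the average.
apache_avg_rss_kb() {
    awk -v proc="${1:-httpd}" '
        NR > 1 && $11 ~ proc && $1 != "root" { total += $6; n++ }
        END { if (n == 0) print 0; else printf "%d\n", total / n }'
}

# max_clients TOTAL_KB RESERVE_KB AVG_RSS_KB SERVER_LIMIT
# Memory left after the reserve (kernel, MySQL, page cache, ...) divided by
# the per-child RSS, clamped to 1..SERVER_LIMIT because Apache logs a
# warning and lowers MaxClients to ServerLimit anyway.
max_clients() {
    total_kb=$1; reserve_kb=$2; avg_rss_kb=$3; server_limit=$4
    if [ "$avg_rss_kb" -le 0 ]; then
        echo "max_clients: need a positive per-child RSS" >&2
        return 1
    fi
    n=$(( (total_kb - reserve_kb) / avg_rss_kb ))
    [ "$n" -ge 1 ] || n=1
    [ "$n" -le "$server_limit" ] || n=$server_limit
    echo "$n"
}

# Demo: a 2GB box keeping 512MB for everything that is not Apache (assumed figures).
avg=$(printf '%s\n' "$SAMPLE_PS" | apache_avg_rss_kb)
echo "average httpd child RSS: ${avg} KB"
echo "MaxClients at ${avg} KB/child: $(max_clients 2097152 524288 "$avg" 256)"
echo "MaxClients at 12288 KB/child (op-code cache): $(max_clients 2097152 524288 12288 256)"
```

With the 21MB children the same box supports 73 clients; at the 12MB the notes quote for an op-code cache it reaches the 128 used in the REAL WORLD block above.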
------
Rewrites
Rewrite to force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Rewrite to force WWW.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^domain.com [NC]
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]
The following redirects the '.com' site to the SSL-enabled '.co.uk' site; any non-SSL request to the '.co.uk' site is then forced to the 'https' version of the site:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.pruhealthrewards\.com$ [NC]
RewriteRule ^(.*)$ https://www.pruhealthrewards.co.uk/$1 [R=301,L]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301]
--------
Apache Password Protect Directory
// .htaccess file
AuthType Basic
AuthUserFile /path/to/.htpasswd
AuthName "Restricted Access"
require valid-user
# htpasswd -c /path/to/.htpasswd username
AllowOverride AuthConfig
Order allow,deny
Allow from all
----------
RewriteEngine On
RewriteCond %{HTTP_HOST} ^domain.net [NC]
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]
Redirect using .htaccess file
By File:
Redirect /old/directory/oldFile.html http://domain.com/newdirectory/newfile.html
By Directory:
Redirect /oldDirectory/ http://domain.com/newDirectory
By Domain:
Redirect / http://domain.com/
----------
Adding a directory alias
add to httpd.conf:
Alias /phpma/ "/usr/share/phpMyAdmin-2.8.2/"
Now, domain.com/phpma will go to phpMyAdmin directory.
-------
PHP STUFF
http://www.radinks.com/upload/config.php
http://us3.php.net/manual/en/ini.core.php - this document describes the core php.ini directives
http://bugs.php.net/bug.php?id=28625 - this describes the 2GB limit on post_max_size
; Maximum allowed size for uploaded files.
upload_max_filesize = 50M
; Maximum size of POST data that PHP will accept.
post_max_size = 50M
Add the below to your .htaccess file
* php_value upload_max_filesize 10M
* php_value post_max_size 20M
----
disable TRACE and TRACK methods
http://publib.boulder.ibm.com/httpserv/ihsdiag/http_trace.html
transcendlinux.com
empulsegroup.com
MySQL
Users and Privileges
Show User Grants
mysql> select User,Host from mysql.user;
mysql> SHOW GRANTS FOR user;
mysql> DROP USER user;
mysql> FLUSH PRIVILEGES;
mysql> USE database;
mysql> SHOW processlist;
mysql> grant all privileges on databasename.* to 'user'@'host' identified by 'password';
Update User Password
mysql> SET PASSWORD FOR 'user'@'host'=PASSWORD('newpass');
mysql> FLUSH PRIVILEGES;
USAGE
No privileges are granted. The USAGE privilege in the GRANT statement enables you to create an account without giving it any privileges. It has the effect of setting all the global privileges to 'N'. It is assumed that you will grant specific privileges to the account later.
Backup & Restore
# mysqldump -u [username] -p[password] [databasename] > [backupfile.sql]
# mysql -u [username] -p[password] [database_to_restore] < [backupfile]
(no space between -p and the password: with a space, the client prompts for a password and treats the next word as the database name)
mysqldump flags
--opt: This option is shorthand; it is the same as specifying --add-drop-table --add-locks --create-options --disable-keys --extended-insert --lock-tables --quick --set-charset.
* to set the date as the name: `date +%Y%m%d`.sql.gz
To backup all databases:
# mysqldump --all-databases > alldatabases.sql
To only backup table structures:
# mysqldump --no-data --databases Customers Orders Comments > structurebackup.sql
To compress on the fly:
# mysqldump --all-databases | bzip2 -c >databasebackup.sql.bz2
# mysqldump --all-databases | gzip >databasebackup.sql.gz
To set up a mysqldump via crontab, example shows everyday at midnight:
# crontab -e
0 0 * * * /usr/bin/mysqldump --all-databases | gzip > /root/mysql/`date +%Y%m%d`.sql.gz
Password Recovery
# mysqld_safe --skip-grant-tables &
# log in as root
mysql> GRANT ALL ON *.* TO 'root'@'localhost' IDENTIFIED BY 'password';
mysql> FLUSH PRIVILEGES;
# mysqladmin processlist
mysql> show full processlist;
> explain
> show
> describe
> repair table [table name]
> check table [table name]
these only work with MyISAM tables
bash$ myisamchk /path/to/table
bash$ myisamchk -r /path/to/table
------------------------------------------------------------------------------
This link has information on altering a table to add primary/foreign keys:
http://dev.mysql.com/doc/refman/4.1/en/alter-table.html
This link has information on creating indexes on an existing table:
http://dev.mysql.com/doc/refman/4.1/en/create-index.html
This link has some information explaining unique/primary keys:
http://en.wikipedia.org/wiki/Primary_key
------------------------------------------------------------------------------
[root@124720-www1 ~]# cat /etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
#tmpdir=/var/lib/mysqltmp
#old_passwords=1
#skip-grant-tables
#skip-networking
skip-locking
key_buffer = 64M
max_allowed_packet = 16M
table_cache = 2048
sort_buffer_size = 1M
read_buffer_size = 1M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 64M
thread_cache_size = 16
thread_concurrency = 8
query_cache_size = 32M
tmp_table_size=64M
max_heap_table_size=64M
back_log = 100
max_connect_errors = 10000
join_buffer_size=1M
open-files = 20000
interactive_timeout = 600
wait_timeout = 600
#max_connections=200
# The following directives should be commented out
# but included as they are things that get added
# very frequently on tickets. These are more in a
# need-this-feature basis.
# The below 2 cannot be set on the fly. If the customer already has
# InnoDB tables and wants to change the size of the InnoDB tablespace
# and InnoDB logs, then:
# 1. Run a full backup with mysqldump
# 2. Stop MySQL
# 3. Move current ibdata and ib_logfiles out of /var/lib/mysql
# 4. Uncomment the below innodb_data_file_path and innodb_log_file_size
# 5. Start MySQL (it will recreate new InnoDB files)
# 6. Restore data from backup
#innodb_data_file_path = ibdata1:2000M;ibdata2:10M:autoextend
#innodb_log_file_size = 100M
#innodb_buffer_pool_size = 384M
#innodb_additional_mem_pool_size = 20M
#log-slow-queries=/var/lib/mysqllogs/slow-log
#long_query_time=2
#log-queries-not-using-indexes
#log-bin=/var/lib/mysqllogs/bin-log
#log-slave-updates
#expire_logs_days = 14
server-id = 1
[mysql.server]
user=mysql
#basedir=/var/lib
[mysqld_safe]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
open_files_limit=65536
------------------------------------------------------------------------------
PostgreSQL
http://thirdshift.intra.rackspace.com/wiki/PostgreSQL_information
http://yoderdev.com/photos/postgres.html
Intro to PostgreSQL
* Relational SQL database, like MySQL
* ACID compliant (like MySQL InnoDB)
o Atomicity -- Guarantees that all statements in a transaction are performed, or none of them are
o Consistency -- Database is always in a consistent state
o Isolation -- Partially completed transactions are invisible to other queries or transactions
o Durability -- Once the user is notified of success, the transaction's changes are guaranteed to be recorded permanently
* Widely considered the most advanced open source RDBMS
o Can write stored procedures in many languages -- Perl, Python, Java, TCL, PL/PgSQL, even C!
o Triggers
o Cool built in types like geometric objects and network addresses
o Can implement custom data types and operators
* Excellent, very readable documentation
* Large, helpful community
Installation
Yum is your friend. Important packages:
* postgresql-libs -- libraries, the bare minimum requirement for a client program to connect to PostgreSQL
* postgresql -- contains client programs themselves, such as the command line client, dump utility, etc
* postgresql-server -- the PostgreSQL server binaries
* postgresql-contrib -- cool additional things like data structures and utilities
* postgresql-plperl/-plpython -- supports stored procedure languages
* postgresql-devel -- needed to compile C software against PostgreSQL libraries
Assuming the server is installed, this should get it running:
# service postgresql initdb
# service postgresql start
Test login, remembering that the default authentication is 'ident'. The PostgreSQL superuser is called 'postgres'.
# su - postgres
$ psql template1
Welcome to psql 8.3.3, the PostgreSQL interactive terminal.
The latest version is 8.3. RHEL 5 comes with PostgreSQL 8.1, which is OK. RHEL 4 comes with 7.4, which is nasty old. Never start a new PostgreSQL user with 7.4.
Fortunately an excellent YUM repository is available for RHEL 4 and 5, supporting all recent PostgreSQL versions.
http://yum.pgsqlrpms.org/
Click on "Yum Howto". Couldn't be much easier.
Configuration
Main directory: /var/lib/pgsql/data
Main configuration file is postgresql.conf
* max_connections -- number of client connections, same as MySQL
* listen_addresses -- localhost by default, change to '*' if it should be accessible to other computers
* port -- 5432 by default, the standard PostgreSQL port
* more parameters for tuning ...
Authentication configuration is in pg_hba.conf. Default configuration is "ident", meaning the system user is assumed to be the same as the database user. More on this later.
PG_VERSION contains the database major version number that must be used on this data store.
Connecting and Creating Users and Databases
On a new PostgreSQL install, you need to su - postgres before doing anything with it, because it checks that the database user is the same as the system user. System users do not automatically exist in the database. For example, as user micah:
$ psql
psql: FATAL: Ident authentication failed for user "micah"
This means the user doesn't exist. Let's create it, as user postgres:
$ createuser micah
Shall the new role be a superuser? (y/n) y
Now, as micah:
$ psql
psql: FATAL: database "micah" does not exist
$ createdb
$ psql -l
List of databases
Name | Owner | Encoding
-----------+----------+----------
postgres | postgres | UTF8
template0 | postgres | UTF8
template1 | postgres | UTF8
micah | micah | UTF8
$ psql
Welcome to psql 8.3.3, the PostgreSQL interactive terminal.
The client utilities assume the DB name is the same as the user name, unless another DB name is presented on the command line. First, the 'micah' database did not exist, but the createdb command created it. Now we can connect.
Often it is a good idea to create users with fewer privileges. Again as the postgres user:
$ createuser bozo
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
Demonstration of Use
Creating tables works as expected. Let's create some to play with, as user micah:
create table names (
id serial primary key,
first varchar not null,
last varchar not null
);
Table names is straightforward, except for the serial type. This is sort of like auto_increment in MySQL but with a difference. Instead of automatically choosing a number higher than the maximum, it uses a sequence. Sequences are separate entities in PostgreSQL and can be independently manipulated. Of course, if you set a sequence to a value such that it will choose a number which already exists in a primary key column, you will hit an error! Let's demonstrate inserts and sequences:
micah=# insert into names (first, last) values ('Lanham', 'Napier');
INSERT 0 1
micah=# select * from names;
id | first | last
----+--------+--------
1 | Lanham | Napier
(1 row)
micah=# select currval('names_id_seq');
currval
---------
1
(1 row)
micah=# insert into names (first, last) values ('Graham', 'Weston');
INSERT 0 1
micah=# select currval('names_id_seq');
currval
---------
2
(1 row)
micah=# select setval('names_id_seq', 1);
setval
--------
1
(1 row)
micah=# insert into names (first, last) values ('Mickey', 'Mouse');
ERROR: duplicate key value violates unique constraint "names_pkey"
micah=# select currval('names_id_seq');
currval
---------
2
(1 row)
micah=# insert into names (first, last) values ('Mickey', 'Mouse');
INSERT 0 1
micah=# select * from names;
id | first | last
----+--------+--------
1 | Lanham | Napier
2 | Graham | Weston
3 | Mickey | Mouse
(3 rows)
micah=# delete from names where id=3;
DELETE 1
micah=# insert into names (first, last) values ('Frederick', 'Mendler');
INSERT 0 1
micah=# select * from names;
id | first | last
----+-----------+---------
1 | Lanham | Napier
2 | Graham | Weston
4 | Frederick | Mendler
(3 rows)
Let's add another table to play with:
create table kudos (
id int not null references names on delete cascade,
kudo varchar
);
Here we see that the id field is a foreign key. Its value must exist in the names table. Furthermore, if the corresponding row in the names table is deleted, all corresponding kudos will also be deleted!
micah=# insert into kudos values (1, 'Great job!!!');
INSERT 0 1
micah=# insert into kudos values (2, 'Yeah!!!');
INSERT 0 1
micah=# insert into kudos values (3, 'Way to be Fanatical');
ERROR: insert or update on table "kudos" violates foreign key constraint "kudos_id_fkey"
DETAIL: Key (id)=(3) is not present in table "names".
micah=# insert into kudos values (4, 'Way to be Fanatical');
INSERT 0 1
micah=# insert into names (first, last) values ('Bozo', 'Clown');
INSERT 0 1
micah=# insert into kudos values (5, 'Nice!');
INSERT 0 1
micah=# insert into kudos values (5, 'Sweet!!!');
INSERT 0 1
micah=# select * from kudos;
id | kudo
----+---------------------
1 | Great job!!!
2 | Yeah!!!
4 | Way to be Fanatical
5 | Nice!
5 | Sweet!!!
(5 rows)
micah=# delete from names where id=5;
DELETE 1
micah=# select * from kudos;
id | kudo
----+---------------------
1 | Great job!!!
2 | Yeah!!!
4 | Way to be Fanatical
(3 rows)
And yet another table ...
create table salaries (
id int not null primary key references names on delete cascade,
salary int not null,
check ( salary > 25000 )
);
This introduces constraints.
micah=# insert into salaries values (1, 10000);
ERROR: new row for relation "salaries" violates check constraint "salaries_salary_check"
micah=# insert into salaries values (1, 1000000);
INSERT 0 1
Access and Authentication
Before we can continue, we need to discuss the various ways of authentication for users. Done in pg_hba.conf.
There are two types of rows (besides comments and blanks): host and local rows. Rows that start with "local" relate to UNIX socket connections and those that start with "host" relate to TCP/IP connections. Local rows have four fields and host rows have five:
* local or host
* database name or all
* user/role name or all
* (host connections only) CIDR address such as 127.0.0.1/32 or 192.168.1.0/24
* authentication method
The authentication method tells how it authenticates.
* ident sameuser is the default, mapping the DB user to the Unix user
* trust accepts the login, no questions asked. Convenient for testing on a local computer, but be sure you are the only one with access to it, and never do this on a publicly available network interface!
* password requires a password but sends it in plain text. Don't use.
* md5 is preferable in nearly all cases. Encrypts the password.
* crypt encrypts it with the weaker crypt() function
* pam is available to tie into any authentication type supported by PAM
* reject rejects the connection
For non-production systems with non-critical data, this seems reasonable:
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 md5
If system has sensitive data or untrusted local users, local connections should probably use md5 also, just in case of a system compromise. Apply with:
# service postgresql reload
Roles
"Users" are actually called roles in PostgreSQL, and they can be inherited. Some simple examples:
micah=# grant select on names to bozo;
micah=# grant select,insert on kudos to bozo;
Switching to user 'bozo':
$ psql -U bozo micah
micah=> insert into names (first, last) values ('Test', 'User');
ERROR: permission denied for relation names
micah=> insert into kudos values (2, 'Is there a rating higher than Fanatical?');
INSERT 0 1
You can change the password for a role, as any superuser:
micah=> ALTER USER bozo WITH ENCRYPTED PASSWORD 'pgrocks';
$ psql -h 127.0.0.1 -U bozo micah
With that it should let you connect as bozo only if you type the right password. It will prompt here because of the 'md5' authentication in pg_hba.conf for 'host' connections. If you connect without the -h, it will still not prompt because it would be using UNIX domain socket connections, which we have configured to 'trust'.
Upgrading PostgreSQL
Minor point releases, such as 8.3.2 to 8.3.3:
# yum update
# service postgresql restart
Major releases, such as 8.2 to 8.3 (the second digit is considered major). From the aforementioned Yum repository, replace the currently installed pgdg-redhat RPM with that of the version you want to install. Then:
# su - postgres
$ mkdir pre-upgrade
$ cp data/postgresql.conf pre-upgrade
$ cp data/pg_hba.conf pre-upgrade
$ pg_dumpall > pre-upgrade/dump.sql
$ exit
# service postgresql stop
# rm -rf /var/lib/pgsql/data
# yum update
# service postgresql initdb
# service postgresql start
# su - postgres
$ psql template1 < pre-upgrade/dump.sql
micah=# explain select names.first, kudos.kudo from names, kudos where names.id = kudos.id;
QUERY PLAN
------------------------------------------------------------------
Hash Join (cost=28.68..67.89 rows=1230 width=64)
Hash Cond: (kudos.id = names.id)
-> Seq Scan on kudos (cost=0.00..22.30 rows=1230 width=36)
-> Hash (cost=18.30..18.30 rows=830 width=36)
-> Seq Scan on names (cost=0.00..18.30 rows=830 width=36)
(5 rows)
micah=# CREATE INDEX kud_idx ON kudos (id);
CREATE INDEX
micah=# explain select names.first, kudos.kudo from names, kudos where names.id = kudos.id;
QUERY PLAN
------------------------------------------------------------------
Hash Join (cost=1.09..22.54 rows=4 width=64)
Hash Cond: (names.id = kudos.id)
-> Seq Scan on names (cost=0.00..18.30 rows=830 width=36)
-> Hash (cost=1.04..1.04 rows=4 width=36)
-> Seq Scan on kudos (cost=0.00..1.04 rows=4 width=36)
(5 rows)
GRUB
GRUB Fix
How to fix a broken GRUB.
Often after using Norton Ghost to copy a Linux box that uses Grub, you will get the scrolling 'Grub' error. Here's how to fix this:
1. PXE boot server into the rescue environment
2. Chroot into /mnt/sysimage
3. Make certain the boot partition is mounted to /boot
4. Type: 'grub' This will bring you to a prompt
grub>
5. At the prompt, type:
root (hd0,0)
* This is the 1st partition of the 1st drive. Please adjust accordingly.
6. Next, type:
setup (hd0)
7. After some verbose output, it should tell you if it was successful.
8. Type:
quit
9. Reboot.
Similarly, 'grub-install /dev/boot-partition' is an automated way of accomplishing the same as above. However, the manual way has been found to be more reliable.
// grub.conf
title CentOS (2.6.18-53.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-53.el5 ro root=LABEL=/1
initrd /initrd-2.6.18-53.el5.img
One Liners
Notes:
-check bounce headers for spam injections
-cross check maillogs and processed logs for ip addresses found in headers
-check for the user logging in and the domain if listed in the file
Example: Received: from 64-60-103-180.static-ip.telepacific.net (HELO User) (64.60.103.180)
Example: maillog.processed.3.gz:May 30 10:35:43 125212-www1 smtp_auth: smtp_auth: SMTP user info : /var/qmail/mailnames/charlesromancatering.com/info logged in from unknown@64-60-103-180.static-ip.telepacific.net [64.60.103.180]
- Plesk box mail log checks
# mysql -uadmin -p$( list
# cd /usr/local/psa/var/log
# for i in `cat /root/list`; do cat maillog* | grep $i | grep LOGIN | wc -l; done
# zgrep LOGIN *.gz | grep mbryan | wc -l
- Search mail logs for log in attempts
# for i in `ls /var/spool/mail`; do echo $i; cat /var/log/maillog* | grep LOGIN | grep $i | wc -l; done
# for i in `ls /var/spool/mail`; do echo $i; cat /var/log/maillog* | grep LOGIN | grep "authid="$i | wc -l; done
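An added example, not from these notes, that runs the header-IP cross-check and the per-mailbox login count over constructed smtp_auth lines in the format quoted above (hostnames and addresses are made up).

```shell
#!/bin/sh
# Added example, not from the original notes: run the checks the notes
# describe over Plesk/qmail smtp_auth log lines. Given an IP lifted from a
# bounced message's Received: header, report which mailbox authenticated
# from it; and list mailboxes that authenticated from an unusual number of
# distinct addresses, which is what a leaked SMTP password looks like.
# The log lines are constructed sample data in the format the notes quote.

SAMPLE_MAILLOG='May 30 10:35:43 125212-www1 smtp_auth: smtp_auth: SMTP user info : /var/qmail/mailnames/example.com/info logged in from unknown@host-a.example.net [198.51.100.10]
May 30 10:36:01 125212-www1 smtp_auth: smtp_auth: SMTP user info : /var/qmail/mailnames/example.com/info logged in from unknown@host-b.example.net [203.0.113.7]
May 30 10:36:20 125212-www1 smtp_auth: smtp_auth: SMTP user info : /var/qmail/mailnames/example.com/info logged in from unknown@host-c.example.net [192.0.2.99]
May 30 10:37:05 125212-www1 smtp_auth: smtp_auth: SMTP user info : /var/qmail/mailnames/example.org/sales logged in from unknown@office.example.org [198.51.100.10]
May 30 10:38:11 125212-www1 smtp_auth: smtp_auth: SMTP user info : /var/qmail/mailnames/example.org/sales logged in from unknown@office.example.org [198.51.100.10]
May 30 10:39:00 125212-www1 qmail: 1212136740.123456 new msg 2201'

# smtp_auth_pairs: print "mailbox ip" for each successful smtp_auth login
# read on stdin. The mailbox is the path after /var/qmail/mailnames/, the
# IP is the bracketed last field.
smtp_auth_pairs() {
    awk '/smtp_auth: SMTP user info/ {
        split($0, parts, " logged in from ")
        mailbox = parts[1]
        sub(/.*\/var\/qmail\/mailnames\//, "", mailbox)
        ip = $NF
        gsub(/\[|\]/, "", ip)
        print mailbox, ip
    }'
}

# logins_from_ip IP: mailboxes that authenticated from IP, most logins first.
logins_from_ip() {
    smtp_auth_pairs | awk -v ip="$1" '$2 == ip { c[$1]++ }
        END { for (m in c) print c[m], m }' | sort -rn
}

# mailboxes_over_ip_threshold N: mailboxes seen from at least N distinct IPs,
# printed as "distinct_ip_count mailbox".
mailboxes_over_ip_threshold() {
    smtp_auth_pairs | sort -u | awk -v min="$1" '{ c[$1]++ }
        END { for (m in c) if (c[m] >= min) print c[m], m }' | sort -rn
}

# Demo: the notes' workflow with an IP taken from a bounce header.
echo "logins from 198.51.100.10:"
printf '%s\n' "$SAMPLE_MAILLOG" | logins_from_ip 198.51.100.10
echo "mailboxes used from 2+ distinct IPs:"
printf '%s\n' "$SAMPLE_MAILLOG" | mailboxes_over_ip_threshold 2
```

On a real box replace the sample variable with `zcat maillog*.gz` or `cat maillog*` piped into the functions.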
- Check for dead services
# for i in `chkconfig --list | awk '{print $1}' | grep -v :`; do service $i status; done | grep dead | awk '{print $1}'
- Top Apache connections
# netstat -anpt|egrep -v ^Active\|^Proto\|LISTEN |awk '{ print $4":"$5 }' |cut -f 3,2 -d ':'|sort |uniq -c|sort -n
----------------
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
-effective user name. This will be the textual user ID, if it can be obtained and the field width permits, or a decimal representation otherwise. The n option can be used to force the decimal representation. (alias uname, user).
-PID process ID number of the process.
-%CPU cpu utilization of the process in "##.#" format. Currently, it is the CPU time used divided by the time the process has been running (cputime/realtime ratio), expressed as a percentage. It will not add up to 100% unless you are lucky. (alias pcpu).
-%MEM ratio of the process's resident set size to the physical memory on the machine, expressed as a percentage. (alias pmem).
-VSZ virtual memory usage of entire process. vm_lib + vm_exe + vm_data + vm_stack
-RSS Resident set size, the non-swapped physical memory that a task has used (in kiloBytes).
-TTY controlling tty (terminal). (alias tname, tt).
-STAT multi-character process state. See section PROCESS STATE CODES for the different values meaning. See also s and state if you just want the first character displayed.
-START time the process started
-TIME cumulative CPU time, "[dd-]hh:mm:ss" format. (alias cputime).
--------------
Check Top Connections
# PORT=110;netstat -antp | awk '$4 ~ /:'$PORT'$/ {c++;print $5|"cut -f1 -d:|sort |uniq -c|sort -n"} END {print c}'
List Top Processes
# ps -eo user,pid,pcpu,cmd,args --sort -pcpu | head -n20
Run SpamAssassin on messages in queue and delete (from lovepig.org)
# count=0; cd /var/qmail/queue/mess; /etc/init.d/qmail stop; for i in `find . -type f`; do spammess=`cat $i | spamassassin | grep 'X-Spam-Status: Yes' | wc -l | awk '{print $1}'`; if [ $spammess = 1 ]; then messname=`echo $i | sed 's/\//\ /g' | awk '{print $3}'`; echo Deleting $messname...; count=`expr $count + 1`; qmHandle -d$messname > /dev/null; fi; done; service qmail start; echo $count emails have been removed.
Inflated:
count=0;
cd /var/qmail/queue/mess;
/etc/init.d/qmail stop;
for i in `find . -type f`;
do spammess=`cat $i | spamassassin | grep 'X-Spam-Status: Yes' | wc -l | awk '{print $1}'`;
if [ $spammess = 1 ];
then messname=`echo $i | sed 's/\//\ /g' | awk '{print $3}'`;
echo Deleting $messname...;
count=`expr $count + 1`;
qmHandle -d$messname > /dev/null;
fi;
done;
service qmail start;
echo $count emails have been removed.
SAR Bandwidth
# sar -n DEV -f /var/log/sa/sa27 | grep -E eth0\|IFACE
SAR Memory
# sar -r
SMTP and IMAP traffic (change $2 to the date you desire)
# awk '$2 =="9" { if ($5 == "imapd:" && $7 == "LOGOUT,") {rcvd[$1" "$2" "substr($3,1,2)"."substr($3,4,1)]+=substr($12,6,length($12)-1);sent[$1" "$2" "substr($3,1,2)"."substr($3,4,1)]+=substr($13,6,length($13)-1)}; if ($5 ~ /^imapd-ssl/ && $7 == "LOGOUT,") {rcvd[$1" "$2" "substr($3,1,2)"."substr($3,4,1)]+=substr($9,6,length($9)-1);sent[$1" "$2" "substr($3,1,2)"."substr($3,4,1)]+=substr($10,6,length($10)-1)}; if ($5 == "qmail:" && $10 == "bytes"){size[$1" "$2" "substr($3,1,2)"."substr($3,4,1)]+=$11}} END {for (i in sent){ print i"\t"sprintf("%2.2f",size[i]/1024)"K\tsmtp\t"sprintf("%2.2d",sent[i]/1024)"K\timap-out\t"sprintf("%2.2f",rcvd[i]/1024)"K\timap-in"|"sort -k 3,3n"} }' maillog
MySQL Database Check
mysqlcheck --auto-repair -A
$ curl --cipher SSLv2 https://www.rackspace.com
$ curl --cipher SSLv3 https://www.rackspace.com
# dmesg | grep Treason | awk '{print $5}' | sed s/:/" "/ | awk '{print $1}' | uniq -c | sort -nr
# echo 1.2.3.4:2345 | sed 's/:.*/ /'
# The command below creates the initrd image file
mkinitrd ./initrd-2.4.18-19.8.0custom.img 2.4.18-19.8.0custom
# tar -pczf name_of_your_archive.tar.gz /path/to/directory
# alternatives --config mta
Check Plesk mail accounts with autoresponders
for i in `mysql -uadmin -p$(
crontab fields: MIN | HOUR | DAY OF MONTH | MONTH | DAY OF WEEK
Memory Usage
vmstat
free
pmap
top
sar -B
time -v date
cat /proc/meminfo
FileSystem & Storage Devices
df -k
du -sh
mount
showmount
fdisk -l
parted
/etc/fstab
Spam Assassin
# sa-learn
# head
# sort
# chattr +i myfile
-i Immutable
-a Append only for writing.
-u Undeletable
# lsattr
# host -t mx domain.com
# pam_abl
http://www.linux.com/articles/60955
/etc/security/pam_abl.conf
-CPU Limit
http://cpulimit.sourceforge.net
sort -nr
uniq -c
head
tail
awk
sed
DELL'S OSMA SNMP issues
http://www.planetmy.com/blog/how-to-installuninstall-omsa-in-sles9-or-sles10/
http://www.planetmy.com/blog/snmp-error-during-omsa-5x-installation-on-suse-910/
# fuser -n tcp 80
# rkhunter -c
# chkrootkit
# pflogsumm -d yesterday /var/log/maillog
----------
(error)
[root@roy rhn]# yum list
Loading "security" plugin
Loading "downloadonly" plugin
Loading "rhnplugin" plugin
rhel-i386-server-5 100% |=========================| 1.2 kB 00:00
Error: Cannot retrieve repository metadata (repomd.xml) for repository: rackspace-rhel-i386-server-5-php-5.2. Please verify its path and try again
(fix)
# rhn-profile-sync
# yum grouplist
----------
Networking
------------------
Checking the route table in Linux
netstat -rn
route
Adding and Removing a Network in Linux
route add -net 10.10.10.0/24 gw 192.168.0.1
route del -net 10.10.10.0/24 gw 192.168.0.1
Adding and Removing a specific host in Linux
route add -host 10.10.10.45 gw 192.168.0.1
route del -host 10.10.10.45 gw 192.168.0.1
SSH Tips
SSH with Private Key
1. Type vi
2. Hit the letter ‘i’ to enter insert mode
3. Copy and Paste the private key into vi, including these:
-----BEGIN DSA PRIVATE KEY-----
Blah blah blah blah blah blah blah blah
-----END DSA PRIVATE KEY-----
4. Press ESC
5. Then type ‘:wq’ to save the file
6. Next, type ‘chmod 600
7. Lastly, to logon type ‘ssh -i
-ACPI establishes industry-standard interfaces enabling OS-directed configuration, power management, and thermal management of mobile, desktop, and server platforms.
----
AWStats
http://forum.swsoft.com/showthread.php?t=49950&highlight=awstats
http://awstats.sourceforge.net/docs/awstats_contrib.html#plugin_standards
http://forum.swsoft.com/showthread.php?t=51460
/usr/local/psa/admin/bin/webstatmng --set-configs --stat-prog=awstats --domain-name=
/usr/local/psa/admin/sbin/statistics --calculate-one --domain-name=
----
Sample PHP Mail Script
--------------------------
Removing Server and PHP information from HTTP headers
http://www.mydigitallife.info/2007/07/22/improve-apache-web-server-security-use-servertokens-and-serversignature-to-disable-header/
Here, we are trying to remove the HTTP headers that identify the server and its software versions.
$ curl -I empulsegroup.com
HTTP/1.1 301 Moved Permanently
Date: Mon, 18 Aug 2008 16:52:25 GMT
Server: Apache/2.0.52 (Red Hat) <--- We don't want this.
X-Powered-By: PHP/5.1.6 <--- We don't want this, either.
X-Pingback: http://www.empulsegroup.com/xmlrpc.php
Location: http://www.empulsegroup.com/
Connection: close
Content-Type: text/html; charset=UTF-8
in /etc/php.ini:
expose_php = Off
in /etc/httpd/conf/httpd.conf:
ServerTokens Prod
ServerSignature Off
# service httpd restart
Now we get:
$ curl -I http://www.apps.nokia.co.uk
HTTP/1.1 301 Moved Permanently
Date: Mon, 18 Aug 2008 17:05:54 GMT
Server: Apache <--- Now just reports "Apache", and no "X-Powered-By" line
Location: http://www.nokia.co.uk
Connection: close
Content-Type: text/html
-------------------------------------------------
Qmail queue lifetime control
http://www.qmailrocks.org/maintain.php
queuelifetime - The "queuelifetime" setting for qmail determines how long messages can stay in the queue. By default, your qmail server will keep messages in the queue for 604,800 seconds, or 7 days. However, you can set a custom queuelifetime by creating a file called /var/qmail/control/queuelifetime. The content of that file is a single line containing a number which represents the number of seconds the queue will hold any given message. If you want to set a custom queuelifetime, you might want to whip out the old calculator.
---------------------------
Setting the default umask
http://www.cyberciti.biz/tips/understanding-linux-unix-umask-value-usage.html
The user file-creation mode mask (umask) is used to determine the file permissions for newly created files. It can be used to control the default file permission for new files. It is a four-digit octal number. You can set the umask in /etc/bashrc or /etc/profile for all users. By default most Linux distros set it to 0022 (022) or 0002 (002).
-add: umask 022 ------------------------------------- To remove the reserved space in the file system: # tune2fs -m 0 /dev/sda1 to see if the partition has journaling: [root@91858-app2 ~]# tune2fs -l /dev/sda1 tune2fs 1.35 (28-Feb-2004) Filesystem volume name: /boot Last mounted on:
Filesystem UUID: d57e4642-b1a8-4812-8c26-91874eed6374
Filesystem magic number: 0xEF53
Filesystem revision #: 1 (dynamic)
Filesystem features: has_journal ext_attr resize_inode dir_index filetype needs_recovery sparse_super
Default mount options: (none)
Filesystem state: clean
Errors behavior: Continue
Filesystem OS type: Linux
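The header check from the Apache ServerTokens/ServerSignature section above, as an added shell example that is not part of the original notes: it reads a raw header dump (for example the output of `curl -sI`) and reports any Server or X-Powered-By header that still carries a version, which is exactly what ServerTokens Prod, ServerSignature Off and expose_php = Off are meant to remove. The two header dumps are constructed, modelled on the before/after curl output above.

```shell
# Added example (not from the original notes): report response headers that
# disclose server or language versions, i.e. what ServerTokens Prod,
# ServerSignature Off and expose_php = Off remove.
# Reads a raw header dump on stdin (curl -sI output has CRLF line endings, so
# \r is stripped first). Prints one line per finding; exit status 0 = clean,
# 1 = at least one leak. Keyword matching is case-insensitive without the
# gawk-only IGNORECASE, so it runs under mawk/busybox awk as well.
header_leak_check() {
    tr -d '\r' | awk '
        { lc = tolower($0) }
        lc ~ /^server:/ {
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)
            # a bare product token ("Apache") is what ServerTokens Prod gives;
            # a "/" means a version number follows it
            if (val ~ /\//) { print "LEAK Server: " val; leaks++ }
            next
        }
        lc ~ /^x-powered-by:/ {
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)
            print "LEAK X-Powered-By: " val; leaks++
            next
        }
        END {
            if (leaks == 0) print "OK: no version-disclosing headers"
            exit (leaks > 0 ? 1 : 0)
        }
    '
}

# Constructed header dumps modelled on the before/after curl output in the notes.
HEADERS_BEFORE='HTTP/1.1 301 Moved Permanently
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close'

HEADERS_AFTER='HTTP/1.1 301 Moved Permanently
Server: Apache
Connection: close'

# Against a host you run:  curl -sI "http://$host/" | header_leak_check
printf '%s\n' "$HEADERS_BEFORE" | header_leak_check || :   # two LEAK lines, exit 1
printf '%s\n' "$HEADERS_AFTER"  | header_leak_check        # OK, exit 0
```

The check looks at the header name only, so it also catches a proxy or load balancer in front of Apache that re-adds its own versioned Server header after you have fixed httpd.conf.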
-------------------------------------
Removing a large number of files in Linux
find . -type f -exec rm -v {} \;
find . -type f -delete
Find and run files through sed
find . -type f -exec sed -i -e 's/pattern/replace/g' {} \;
The same thing with Perl
find . -name settings.xml -exec perl -p -i -e 's/pattern/replace/g' {} \;
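The find + sed rewrite and the bulk delete above, as an added shell example that is not from the original notes: it uses -print0 / xargs -0 so file names containing spaces or newlines are handled, starts sed once per batch instead of once per file, and demonstrates both on a constructed temporary tree. It assumes GNU find, xargs and sed, as on the Red Hat systems these notes describe.

```shell
# Added example (not from the original notes): the same find + sed rewrite and
# the same bulk delete, written so that file names with spaces or newlines are
# handled (-print0 / xargs -0) and sed is started once per batch of files
# rather than once per file. Assumes GNU find, xargs and sed. The pattern is a
# sed regex: escape "/" and "&" in it before passing it in.
replace_in_tree() {
    find "$1" -type f -print0 | xargs -0 -r sed -i -e "s/$2/$3/g"
}

delete_files_in_tree() {
    find "$1" -type f -delete        # no rm fork per file; directories are kept
}

# Constructed demo tree: one file with a space in its name, one line to leave alone.
demo_tree_edit() {
    tmp=$(mktemp -d)
    printf 'old value\n' > "$tmp/a.txt"
    printf 'old old\nnothing here\n' > "$tmp/b c.txt"
    replace_in_tree "$tmp" old new
    summary="$(cat "$tmp/a.txt")|$(tr '\n' '/' < "$tmp/b c.txt")"
    delete_files_in_tree "$tmp"
    left=$(find "$tmp" -type f | wc -l | tr -d ' ')
    rm -r "$tmp"
    echo "$summary|$left"     # prints "new value|new new/nothing here/|0"
}

demo_tree_edit
```

Note that sed -i rewrites every file it is handed, matched or not, which changes mtimes across the whole tree; add `-exec grep -l pattern {} +` style pre-filtering when that matters.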
---------------------------
Bandwidth tracking in Apache (and vsftpd)
sum the bytes of every vsftpd DOWNLOAD on Aug 21 (field 14 of vsftpd.log is the transfer size):
count=0; for i in `grep "Aug 21" vsftpd.log | grep DOWNLOAD | awk '{print $14}'`; do count=$(( $count + $i )); done; echo $count
27,554,060,508
grab out GET requests and the size of the data:
cat httpd/access_log* | grep "21/Aug" | grep GET | grep "HTTP/1.1" | awk '{print $10}' > /home/rack/aug21.http
(a response with no body, e.g. a 304, logs "-" in field 10 and breaks the arithmetic below; drop those with grep -v '^-$')
count the numbers in a file:
count=0; for i in `cat /home/rack/aug21.http`; do count=$(( $count + $i )); done; echo $count
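The per-day byte count from the grep/awk/for chain above, as an added shell example that is not from the original notes, done in one awk pass over Apache combined-format logs. Matching the method field rather than grepping for GET avoids counting HEAD or POST requests whose URL happens to contain "GET", and a "-" size is counted as zero instead of breaking the sum. The sample log lines are constructed.

```shell
# Added example (not from the original notes): the per-day byte count from the
# cat|grep|grep|grep|awk|for chain above, done in one awk pass over Apache
# combined-format logs. Field 4 starts with "[day/Mon/year", field 6 is the
# quoted request method and field 10 the bytes sent. Matching the method field
# (not grep GET) avoids counting HEAD/POST requests whose URL contains "GET",
# and a size of "-" (no body, e.g. a 304) is counted as zero.
# Usage: sum_get_bytes 21/Aug /var/log/httpd/access_log*   (or log on stdin)
sum_get_bytes() {
    day=$1; shift
    awk -v day="$day" '
        index($4, "[" day) == 1 && $6 == "\"GET" {
            n++
            if ($10 != "-") total += $10
        }
        END { printf "%d requests, %.0f bytes\n", n, total }
    ' "$@"
}

# Constructed sample log lines (not from any real server).
SAMPLE_ACCESS_LOG='10.0.0.1 - - [21/Aug/2008:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "curl"
10.0.0.2 - - [21/Aug/2008:10:00:02 -0500] "GET /logo.png HTTP/1.1" 304 - "-" "curl"
10.0.0.3 - - [21/Aug/2008:10:00:03 -0500] "POST /form HTTP/1.1" 200 512 "-" "curl"
10.0.0.4 - - [21/Aug/2008:10:00:04 -0500] "GET /big.iso HTTP/1.1" 200 3000000000 "-" "curl"
10.0.0.5 - - [22/Aug/2008:10:00:05 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "curl"
10.0.0.6 - - [21/Aug/2008:10:00:06 -0500] "HEAD /GET_me HTTP/1.1" 200 0 "-" "curl"'

printf '%s\n' "$SAMPLE_ACCESS_LOG" | sum_get_bytes 21/Aug   # 3 requests, 3000001024 bytes
```

The total is printed with %.0f because totals for a busy day exceed 32-bit integer range in some awk implementations; the same one-pass pattern applies to the vsftpd log with `$14` in place of `$10`.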
--------------------------
-rwxrwsr-x means that the setgid bit is set on this executable file. This means that the user invoking the script (probably Apache in this case) executes it with an effective group ID of the group that owns the file (psacln).
-rwsrwxrwx means that the setuid bit is set. This means that the user executing the script (Apache) runs it with the privileges of the owner, pickinart. Note that this file is also world-writable, so any local user can change what runs with those privileges.
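An audit for the two permission patterns just described, as an added shell example that is not from the original notes: it lists the files under a directory that carry the setuid or setgid bit, and separately the ones that are also world-writable, using only POSIX `find -perm -mode`. The demo tree is constructed in a temporary directory.

```shell
# Added example (not from the original notes): find the files under a
# directory that carry the setuid (04000) or setgid (02000) bit, i.e. the
# kind of entry the two ls -l lines above describe, and separately the ones
# that are also world-writable (00002), since anyone on the box can then
# change what runs with the owner's or group's privileges. Uses POSIX
# find -perm -mode ("all of these bits set"); no GNU extensions needed.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

find_writable_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -perm -0002 -print
}

# Constructed demo tree: one world-writable setuid file, one setgid file, one plain file.
demo_setid_audit() {
    tmp=$(mktemp -d)
    : > "$tmp/setuid_world_writable"; chmod 4777 "$tmp/setuid_world_writable"
    : > "$tmp/setgid_only";           chmod 2755 "$tmp/setgid_only"
    : > "$tmp/plain";                 chmod 0755 "$tmp/plain"
    all=$(find_setid_files "$tmp" | wc -l | tr -d ' ')
    bad=$(find_writable_setid_files "$tmp" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$all $bad"     # prints "2 1"
}

demo_setid_audit
# On a real host, e.g. a Plesk vhost root:  find_setid_files /var/www/vhosts
```

Run it over document roots, not just /usr/bin: a setuid file under a web root is almost always something a customer or an attacker put there, not part of the distribution.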
---------------------------
wiki.empulsegroup.com
Write about Mail here.
Spam Assassin
Here is some information on SpamAssassin mail filtering.
http://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix
http://www.5dollarwhitebox.org/wiki/index.php/Howtos_Spam_Assassin_Rules_Du_Jour_Configuration
http://spamassassin.apache.org/gtube/
http://spammin.sourceforge.net/
---
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on s74938.tsunami.ch
X-Spam-Flag: YES
X-Spam-Level: **************************************************
X-Spam-Prev-Subject: spam test 01
X-Spam-Report: * 1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email * 0.0 HTML_MESSAGE BODY: HTML included in message
X-Spam-Status: Yes, score=1000.0 required=7.0 tests=GTUBE,HTML_MESSAGE autolearn=no version=3.2.4
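A parser for the X-Spam-Status header shown above, as an added shell example that is not from the original notes: it reads a message on stdin, unfolds continuation lines (SpamAssassin wraps long tests= lists), and prints the flag, score, threshold and rule list so a delivery script or log check can act on the numbers rather than grep for "YES". The sample message is constructed from the headers above, with the tests= list folded to exercise the unfolding.

```shell
# Added example (not from the original notes): extract the verdict from an
# X-Spam-Status header. Reads a message on stdin, stops at the blank line that
# ends the headers, unfolds continuation lines, and prints
# "flag score required tests". Exit status 1 when the header is absent
# (mail that never went through spamd).
spam_status() {
    awk '
        /^$/ { exit }                                  # end of the header block
        /^[ \t]/ {                                     # folded continuation line
            if (cur != "") { line = $0; sub(/^[ \t]+/, " ", line); cur = cur line }
            next
        }
        { if (cur ~ /^[Xx]-[Ss]pam-[Ss]tatus:/) out = cur; cur = $0 }
        END {
            if (cur ~ /^[Xx]-[Ss]pam-[Ss]tatus:/) out = cur
            if (out == "") exit 1
            sub(/^[^:]*:[ \t]*/, "", out)
            n = split(out, f, /[ \t]+/)
            flag = f[1]; sub(/,$/, "", flag)           # "Yes," -> "Yes"
            score = req = tests = "?"
            for (i = 2; i <= n; i++) {
                tok = f[i]
                while (tok ~ /,$/ && i < n) { i++; tok = tok f[i] }   # re-join a folded tests= list
                if (tok ~ /^score=/)         score = substr(tok, 7)
                else if (tok ~ /^required=/) req = substr(tok, 10)
                else if (tok ~ /^tests=/)    tests = substr(tok, 7)
            }
            print flag, score, req, tests
        }
    '
}

# Constructed message based on the header sample above, with tests= folded.
SAMPLE_SPAM_MSG='X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on s74938.tsunami.ch
X-Spam-Flag: YES
X-Spam-Status: Yes, score=1000.0 required=7.0 tests=GTUBE,
    HTML_MESSAGE autolearn=no version=3.2.4
Subject: spam test 01

message body'

printf '%s\n' "$SAMPLE_SPAM_MSG" | spam_status   # prints: Yes 1000.0 7.0 GTUBE,HTML_MESSAGE
```

Only the last X-Spam-Status header before the body is used; a message relayed through two scanners carries two, and the outermost (last added) one is the verdict of your own server.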
---
Enable spamassassin rules for all addresses:
cd /var/qmail/mailnames;
for i in `find . -maxdepth 1 -type d`;
do find $i -maxdepth 1 -type d ;
done | sed 's/\.\///' | grep '/' | sed 's/\// /' | awk '{print $2, $1}' | sed 's/ /@/' | sed 's/^/\/usr\/local\/psa\/bin\/spamassassin.sh --update /' | sed 's/$/ -status true/' > spamon;
chmod +x spamon;
./spamon;
rm -f spamon;
/usr/local/psa/admin/bin/mchk --with-spam
--------
-creates a script spamon that runs, for every mailbox found under /var/qmail/mailnames,
# /usr/local/psa/bin/spamassassin.sh --update username -status true
(username is the user@domain address the pipeline prints)
then.... mchk --with-spam
-----
-to list qmail's mailboxes as user@domain addresses (the same pipeline without the spamassassin.sh wrapper)
cd /var/qmail/mailnames; for i in `find . -maxdepth 1 -type d`; do find $i -maxdepth 1 -type d; done | sed 's/\.\///' | grep '/' | sed 's/\// /' | awk '{print $2, $1}' | sed 's/ /@/'; cd -
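The address list that the find | sed | awk chains above (in the spamon script and in the listing just given) build, as an added shell example that is not from the original notes: one find and one awk derive user@domain from the `<root>/<domain>/<user>/` layout of /var/qmail/mailnames, and a dry-run prints the per-mailbox spamassassin.sh command so the list can be reviewed before anything runs. The Plesk paths are the ones in the notes; the directory root is a parameter so the code can be pointed at the constructed test tree.

```shell
# Added example (not from the original notes): the address list the
# find|sed|awk chain builds, derived from the /var/qmail/mailnames layout
# (<root>/<domain>/<user>/ is the mailbox user@domain). -mindepth/-maxdepth
# are GNU find options, present on the Red Hat systems in these notes.
mailnames_to_addresses() {
    find "$1" -mindepth 2 -maxdepth 2 -type d | awk -F/ '{ print $NF "@" $(NF-1) }' | sort
}

# Print (not run) the per-mailbox enable command the notes' spamon script runs.
spamon_dry_run() {
    mailnames_to_addresses "$1" |
        sed 's#^#/usr/local/psa/bin/spamassassin.sh --update #; s#$# -status true#'
}

# Constructed tree standing in for /var/qmail/mailnames.
demo_mailnames() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/example.com/alice/Maildir" "$tmp/example.com/bob" "$tmp/example.org/carol"
    : > "$tmp/example.com/notes.txt"     # a stray file at depth 2 is not a mailbox
    out=$(mailnames_to_addresses "$tmp" | tr '\n' ' ')
    rm -rf "$tmp"
    echo "${out% }"     # prints "alice@example.com bob@example.com carol@example.org"
}

demo_mailnames
# On the real box:  spamon_dry_run /var/qmail/mailnames | less   then pipe to sh
```

Depth-limiting is what keeps Maildir subdirectories (cur, new, tmp) from being turned into bogus addresses, which the original chain achieved with the grep '/' filter.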
--------
Recommendation for slow Mail in Plesk
http://forum.swsoft.com/showthread.php?t=48002&highlight=slow+mail+delivery
You can run this command for a while and see if there is any application that is trying to send emails via the web server. This may be a vulnerable application, so after disabling it check to see if your qmail remote queue improves. phpBB is the usual suspect.
/usr/sbin/lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php
Files: /etc/xinetd.conf
Modification: If you have lots of spare memory you can increase the number of instances and restart xinetd
instances = 200
Files: /etc/xinetd.d/smtp_psa and /etc/xinetd.d/smtps_psa
Modification: you can add -Rt0 to the start as below and restart qmail. This should stop qmail checking for reverse DNS
server_args = -Rt0 /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
You may want to log into your Plesk and go to Server > Mail > White List If you have the default 127.0.0.1/8 in your White List you are effectively running an open relay. Remove that one and change it to 127.0.0.1/32 (changing the subnet mask to 32 from 8). Why SWsoft have not fixed this yet is unknown.
I still have not found a good way to stop double-bounce messages filling up the qmail queue. This is something that I think SWsoft must address. IMHO, there should be a setting such that rejected emails are sent to /dev/null. At the moment the best solution I have is to install qmHandle.
http://sourceforge.net/projects/qmhandle
and run a cronjob, say every 2 hrs, to qmHandle -S"failure notice". qmHandle may have a problem finding the pidof command, so I edited it to include a direct path to pidof. At any rate qmHandle is a very useful tool for working with qmail.
my ($pidcmd) = '/sbin/pidof qmail-send';
We also added
nameserver 127.0.0.1
as the first nameserver in /etc/resolv.conf and I think it improved performance.
Other useful security fixes you may consider are:
If in /etc/named.conf there is no option for
allow-recursion {
localnets;
};
Then you could add the following line to the options section in your file:
allow-recursion {127.0.0.1; ... all the server ips ....;};
and add this to the options section stop version being broadcast:
version "Dunno";
and add this to stop logging lame servers
// Logging
logging {
category lame-servers { null; };
};
Also you can stop root login. Be careful with this so you don't lock yourself out! Make sure you can login as the wheel user and su from that user to root before you proceed. We added a new user to the wheel group and then I edited /etc/ssh/sshd_config and made the following changes
Protocol 2
PermitRootLogin no
AllowUsers thewheeluseryousetup
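A check for the three sshd_config changes the post above makes, as an added shell example that is not from the forum post or from Plesk: it reads a config file (or stdin), skips comments, matches keywords case-insensitively and honours only the first occurrence of each keyword, which is how sshd itself reads the file, and warns when Protocol is not 2, PermitRootLogin is not no, or there is no AllowUsers line. The two configs are constructed.

```shell
# Added example (not from the original post): audit an sshd_config for the
# three changes the post makes (Protocol 2, PermitRootLogin no, an AllowUsers
# line). Reads the file named in $1 (stdin if omitted). Comment and blank
# lines are skipped, keywords are case-insensitive and only the first
# occurrence of a keyword counts, as in sshd. Prints one WARN line per
# problem or OK; exit status 1 if anything is wrong.
# Settings inside Match blocks are not treated separately here.
sshd_audit() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            key = tolower($1)
            if (key in seen) next
            seen[key] = 1
            if (key == "protocol")        protocol  = $2
            if (key == "permitrootlogin") rootlogin = tolower($2)
            if (key == "allowusers")      allowusers = 1
        }
        END {
            bad = 0
            if (protocol != "2")   { print "WARN Protocol is \"" protocol "\", want 2"; bad++ }
            if (rootlogin != "no") { print "WARN PermitRootLogin is \"" rootlogin "\", want no"; bad++ }
            if (!allowusers)       { print "WARN no AllowUsers line, so every account may log in"; bad++ }
            if (bad == 0) print "OK"
            exit (bad > 0 ? 1 : 0)
        }
    ' "${1:-/dev/stdin}"
}

# Constructed configs: the settings from the post, and a stock-looking one.
SSHD_HARDENED='Protocol 2
PermitRootLogin no
AllowUsers thewheeluseryousetup'

SSHD_WEAK='# stock-looking config; the second PermitRootLogin is ignored by sshd
Protocol 2,1
PermitRootLogin yes
PermitRootLogin no'

printf '%s\n' "$SSHD_HARDENED" | sshd_audit          # OK
printf '%s\n' "$SSHD_WEAK" | sshd_audit || :         # three WARN lines, exit 1
# On a live host:  sshd_audit /etc/ssh/sshd_config
```

Run the audit before restarting sshd, and keep the existing session open while you test a fresh login as the wheel user, as the post says: a typo in AllowUsers locks everyone out just as effectively as it locks out root.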
-----
Plesk RBLs
Firstly, you can instead of using the individual lists just use zen.spamhaus.org, which encompasses SBL, XBL and PBL. I see that you are also rejecting any mails that return SPF fail.
-----------------------------------
Sendmail
-To enable the submission port 587 add the following to the sendmail.mc file:
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
$ make    (in /etc/mail; rebuilds sendmail.cf from sendmail.mc)
$ service sendmail restart
-To enable AUTH LOGIN
http://www.madboa.com/geek/sendmail-auth/
edit the sendmail.mc file:
define(`confAUTH_OPTIONS', `A p')dnl
dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
....and be sure 'saslauthd' is running!
-Telnet SMTP test with Authentication
http://www.webpan.com/customers/email/smtp_authentication_telnet_test.htm
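The encoding half of that telnet test, as an added shell example that is not from the original notes or the linked page: it builds the base64 strings the AUTH LOGIN and AUTH PLAIN mechanisms enabled above expect and prints the whole expected exchange, so a server you run can be checked without hand-encoding credentials. Because the sendmail.mc above sets confAUTH_OPTIONS `A p`, sendmail offers these plaintext mechanisms only on an encrypted session, so the dialog goes through openssl s_client with STARTTLS rather than bare telnet. The host name and credentials are placeholders.

```shell
# Added example (not from the original notes): build the base64 strings a
# manual test of AUTH LOGIN / AUTH PLAIN needs and print the expected dialog.
# With confAUTH_OPTIONS `A p` (set above) sendmail only advertises these
# plaintext mechanisms after STARTTLS, hence openssl s_client, not telnet.
# mail.example.com and user/pass are placeholders.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# AUTH LOGIN: username and password are sent as two separate base64 lines,
# each in reply to a "334" prompt that is itself base64 ("Username:", "Password:").
auth_login_lines() {
    b64 "$1"; echo
    b64 "$2"; echo
}

# AUTH PLAIN: one line, base64 of NUL + username + NUL + password (RFC 4616,
# with the optional authorization identity left empty).
auth_plain_line() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'; echo
}

# Print the expected dialog (C: client, S: server) for the given credentials.
smtp_auth_dialog() {
    user=$1; pass=$2; host=${3:-mail.example.com}
    printf '$ openssl s_client -quiet -starttls smtp -connect %s:587\n' "$host"
    printf 'C: EHLO client.example.com\n'
    printf 'S: 250-AUTH LOGIN PLAIN        (only offered after STARTTLS with "A p")\n'
    printf 'C: AUTH LOGIN\n'
    printf 'S: 334 %s\nC: %s\n' "$(b64 'Username:')" "$(b64 "$user")"
    printf 'S: 334 %s\nC: %s\n' "$(b64 'Password:')" "$(b64 "$pass")"
    printf 'S: 235 2.0.0 OK Authenticated\n'
    printf 'C: AUTH PLAIN %s      (the one-line alternative)\n' "$(auth_plain_line "$user" "$pass")"
}

smtp_auth_dialog user pass
```

If the 250 response after EHLO lists no AUTH line on a plain (non-TLS) connection, that is the `p` option working, not a broken saslauthd; run EHLO again after STARTTLS before concluding anything.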
Study:
1. Rebuild RPM Database
2. Change Mysql root Password
3. Setup Grants in Mysql
4. HT password (htpasswd) add new user and then add another without blowing away 1st one
a. then, change a password of an existing user
b. what encryption methods are available?
c. make passwords with each of the encryption methods.
d. can you recognize the encryption method based on the way the result looks like?
5. Mod rewrite: basic redirect setup 301 and rewrite Engine
a. what are the minimum directives needed to enable mod_rewrite?
6. wc -l what ways can this be used and practice it
a. how can you feed input to wc?
b. why is the "-l" used so frequently? What does it do differently than the default "wc" output?
c. what constitutes a line or a word and how can you change that?
7. Mysql check - proper usage on single tables and or whole databases
a. list the methods of checking and repairing tables
b. which methods can be run with the MySQL server running?
c. which methods work with MyISAM files?
d. which methods work with InnoDB files?
8. Display permissions in Mysql
a. create a new database, give a new user full permissions to the database
b. add permissions to an existing user to an existing database
c. give a user privileges only if coming from localhost
d. give a user privileges only if coming from IPs 192.168.1.1 - 192.168.1.254
9. PHP settings in Apache - where and what can be changed (explore all avenues of this)
a. enable 200M file uploads from a dial-up user
b. disable persistent mysql connections
10. Raid Levels - Raid 0, 1, 5 and 10
a. which are redundant
b. how many drives are required at a minimum for each level?
c. how many drives are required at a minimum for each level to also have a hot spare?
d. which speed up performance?
e. how many drives in (b) can be lost before data is lost?
11. Chrooting FTP users
a. vsftpd
- what controls default policy
- how do you override default?
b. proftpd
- what controls default policy
- how do you override the default
c. Practice:
set default chroot / make non-chrooted user
set default no chroot / make chrooted user
12. Plesk
a. what is mchk and what do the options mean?
b. how does Plesk enforce quotas for clients, domains, etc?
c. Plesk reports quota information in the control panel:
- where does that information come from
- is it live?
d. where do Updater failures get written?
e. what are the Plesk provided system groups
f. How can a regular system account have rights to DocumentRoot of a Plesk domain via FTP?
g. Can a Plesk server run non-plesk controlled web sites?
- if so, can you provide an example of one?
- what would you need to do to allow this without Plesk removing the custom site on a rebuild?
- (Hint: squirrelmail)
h. Make a database out side of Plesk, add it to Plesk domain
- from mysql client (not Plesk)
- create user * grant perms
- Now, add it to a Plesk domain (so Plesk can manage it)
13. Tell me if sshd can use /etc/hosts.allow and /etc/hosts.deny.
a. use ldd - print shared library dependencies
# ldd `which sshd`
b. look for the library that enables hosts.allow/deny use (TCP Wrappers -- libwrap)
RPM Packaging
RPM Packaging Brown Bag
Wednesday, October 1, 2008 2:21:44 PM US/Central
Presented by: BJ Dierkes
start here.
A bit about v4 and v5
rpm.org's v4
rpm5.org's v5
The Spec File
-Tells rpmbuild the Who, What,
* CVE in Errata
https://rhn.redhat.com/errata
check /usr/share/doc/rpm-4.2.2
//yum.repo
epel
http://mirrors.kernel.org/fedora-epel/5Server/x86_64