$ source .bash_profile
With the above command, the user does not have to log out.
18 January 2010
Symbolic links
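namei can be used to trace a chain of symbolic links to its endpoint. It prints each path component with its type (d = directory, l = symbolic link, b = block device).
E.g.,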
$ namei /dev/cdrw
f: /dev/cdrw
d /
d dev
l cdrw -> scd0
b scd0
$
19 January 2009
Fault tolerance for NIC
More and more data centers are being set up as unmanned facilities. Admins are trying their best to have a fault-tolerance solution for each software and hardware component.
Here is a fault-tolerance solution for a network interface via bonding in Linux.
1. Create a file ifcfg-bond<N> under /etc/sysconfig/network-scripts, where <N> is the bonding number.
2. cat ifcfg-bond0
DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
NETWORK=192.168.41.0
NETMASK=255.255.255.0
IPADDR=192.168.41.250
USERCTL=no
3. Network interfaces to be bound together must be configured by adding MASTER= and SLAVE= directives to their configuration files.
4. Configuration files for the two interfaces
DEVICE=eth<0/1>
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no
5. Configure the alias in modprobe.conf
alias bond0 bonding
options bond0 miimon=80 mode=1
Run modprobe to activate the alias, then restart the network service.
6. Now bond0 will be up. The output of ifconfig will show the same IP address for bond0, eth0 & eth1.
29 May 2008
Soft limit & Hard limit
Most of us have had to increase the file-descriptor limit while installing a high-end third-party product (3PP). In doing so we encounter two different kinds of limits: soft and hard.
Hard limits are a kernel-configurable item and users can't exceed them. Soft limits are the user defaults, and users can change them with the ulimit command.
Basically, soft limits can be changed to anything up to the hard limit. Soft limits are a warning barrier: when a user reaches the soft limit they get a warning message but are still allowed to use more space, up to the hard limit.
Since it's a kernel tunable, we have to define the value in /etc/system for pre-Solaris 10 and in /etc/sysctl.conf for Linux.
E.g.,
To set a hard limit of 4096 and a soft limit of 1024 in Solaris 8:
set rlim_fd_max=4096 [Refers to the hard limit]
set rlim_fd_cur=1024 [Refers to the soft limit]
To raise the allowed limit in Linux-based distributions, update either /etc/limits.conf or /etc/security/limits.conf.
07 March 2008
How to Password Protect GRUB Boot loader
The main reason to password protect the GRUB boot loader is to prevent access to single-user mode: if attackers can boot the system into single-user mode, they are logged in automatically as root without being prompted for the root password.
To do this, open a shell prompt, log in as root, and type:
/sbin/grub-md5-crypt
When prompted, type the GRUB password and press Enter. This returns an MD5 hash of the password.
Next, edit the GRUB configuration file /boot/grub/grub.conf. Open the file and, below the timeout line in the main section of the document, add the following line:
password --md5 <password-hash>
Replace <password-hash> with the value returned by /sbin/grub-md5-crypt.
Relative vs. Absolute Pathnames
Commands can be given file name arguments in two ways.
If you are in the same directory as the file (i.e., the file is in the current directory), then you can just enter the file name on its own (e.g., cp my_file new_file). Otherwise, you can enter the full path name, like cp /home/john/my_file /home/jack/new_file.
Very often administrators use the notation ./my_file to be clear about the distinction, for instance, cp ./my_file ./new_file. The leading ./ makes it clear that both files are relative to the current directory.
File names that do not start with a / are called relative path names; those that do are called absolute path names.
21 February 2008
How to Make USB Pen drive as a bootable device (RedHat)
If you cannot boot from the DVD/CD-ROM drive, but you can boot using a USB device, such as a USB pen drive, the following alternative boot method is available:
To boot using a USB pen drive, use the dd command to copy the diskboot.img image file from the /images/ directory on the DVD or CD-ROM. For example:
dd if=diskboot.img of=/dev/sda
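Here /dev/sda is the USB pen drive. dd overwrites the target device, so confirm the device name before running it.
Note: Your BIOS must support booting from a USB device in order for this boot method to work.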
14 February 2008
What is umask in Linux/Unix?
The user file-creation mode mask (umask) determines the file permissions for newly created files, so it can be used to control the default permissions for new files. It is a four-digit octal number.
Default umask for normal user is 0002.
Default umask for root user is 0022.
Default base permissions for directories & files are 0777 (rwxrwxrwx) & 0666 (rw-rw-rw-) respectively.
To calculate directory permission for root user
Default Permissions : 777
Subtract umask value: 022 (-)
Allowed Permissions : 755
To calculate file permission for root user
Default Permissions : 666
Subtract umask value: 022 (-)
Allowed Permissions : 644
The following example shows the steps needed to set the umask for permissions 700 on user files. The idea is very simple: only the user is allowed to read or write the file.
Default Permissions: 777
Subtract umask value: 077 (-)
Allowed Permissions: 700
$ umask 077
$ touch file.txt
$ ls -l file.txt
Output:
-rw------- 1 demo demo 0 2008-10-10 12:21 file.txt
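The subtraction shown above only works when each umask digit is no larger than the matching base digit; the mask bits are actually cleared from the base mode (base AND NOT umask), which is why the file above ends up as 600. The following shell sketch is an added example, not part of the original post; the function names effective_mode and observed_perms are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): how a umask is really applied.

# effective_mode <base-octal> <umask-octal>
# Prints the mode a new object receives: the base mode with every umask bit cleared.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# observed_perms <umask-octal>
# Creates a file and a directory under that umask in a scratch directory and
# prints the permission strings that ls reports, as "<file> <dir>".
observed_perms() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        touch "$tmp/file.txt"
        mkdir "$tmp/dir"
    )
    f=$(ls -ld "$tmp/file.txt" | cut -c1-10)
    d=$(ls -ld "$tmp/dir" | cut -c1-10)
    rm -rf "$tmp"
    echo "$f $d"
}

# Compare files (base 666) and directories (base 777) for several masks.
# 077 and 033 are cases where digit-by-digit subtraction from 666 breaks down.
for mask in 022 002 077 027 033; do
    echo "umask $mask: file $(effective_mode 666 "$mask")" \
         "dir $(effective_mode 777 "$mask")" \
         "on disk: $(observed_perms "$mask")"
done
```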
23 January 2008
How to Limit user access based on timings in Linux
To limit access to a Linux operating system to a time range, use pam_time.so.
1. Open the file /etc/security/time.conf
The format of the file is:
Service;ttys;users;time
To limit ssh access between 23:00 and 08:00:
sshd;*;*;!Al2300-0800
The !Al means anything except "All the days".
To permit people from 4 to 8 PM all the days, except root:
login;*;!root;!Al1600-2000
Password Policy on Linux Systems
Password policy is a part of an organization's security policy. It focuses mainly on the areas below:
1. Password aging information.
2. Password strength.
3. Monitoring failed login attempts.
22 January 2008
Format of /etc/shadow file
The /etc/shadow file stores the actual password in encrypted (hashed) format, along with password aging information for the user's account.
test1:$1$zT1YmCtj$NL67d.yN/gL9eVgyimhL./:13899:20:30:7:::
All fields are separated by a colon(:) symbol
- User name : It is your login name
- Password: Your encrypted password. The password should be a minimum of 6-8 characters long, including special characters/digits
- Last password change (lastchanged): Days since Jan 1, 1970 that password was last changed
- Minimum: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
- Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password)
- Warn : The number of days before password is to expire that user is warned that his/her password must be changed
- Inactive : The number of days after password expires that account is disabled
- Expire : Days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used
Output of chage command:
# chage -l test1
Minimum: 20
Maximum: 30
Warning: 7
Inactive: -1
Last Change: Jan 21, 2008
Password Expires: Feb 20, 2008
Password Inactive: Never
Account Expires: Never
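To tie the raw fields to the chage output above, the following shell sketch decodes the record shown on this page: it converts the day counts to dates and names the hashing scheme from the $id$ prefix of the password field. It is an added example, not part of the original post; the function names are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): decode one /etc/shadow record.

# The record shown on this page.
SAMPLE='test1:$1$zT1YmCtj$NL67d.yN/gL9eVgyimhL./:13899:20:30:7:::'

# days_to_date <days since 1 Jan 1970> -> YYYY-MM-DD
# Integer arithmetic only (civil-from-days), so no GNU date extensions are needed.
days_to_date() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    y=$(( yoe + era * 400 ))
    if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# hash_scheme <password field> -> crypt(3) scheme named by the $id$ prefix
hash_scheme() {
    case "$1" in
        '$1$'*)        echo "md5crypt (weak)" ;;
        '$5$'*)        echo "sha256crypt" ;;
        '$6$'*)        echo "sha512crypt" ;;
        '$2'[aby]'$'*) echo "bcrypt" ;;
        '$y$'*)        echo "yescrypt" ;;
        '!'*|'*'*)     echo "locked" ;;
        '')            echo "empty (no password)" ;;
        *)             echo "traditional DES crypt or unrecognised (weak)" ;;
    esac
}

# shadow_field <record> <n> -> the n-th colon-separated field
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# password_expires <record> -> last change + maximum age, or "never"
password_expires() {
    last=$(shadow_field "$1" 3)
    max=$(shadow_field "$1" 5)
    if [ -z "$last" ] || [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo never
    else
        days_to_date $(( last + max ))
    fi
}

# report <record> -> summary that can be compared with `chage -l`
report() {
    echo "User:             $(shadow_field "$1" 1)"
    echo "Hash scheme:      $(hash_scheme "$(shadow_field "$1" 2)")"
    echo "Last change:      $(days_to_date "$(shadow_field "$1" 3)")"
    echo "Password expires: $(password_expires "$1")"
}

report "$SAMPLE"
```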
17 January 2008
How to block mp3, mpg, mpeg, exe files in Squid proxy server
1. Open the squid configuration file /etc/squid/squid.conf
2. Add an acl to block the required file types
acl blockfileset urlpath_regex "/etc/squid/block.acl"
http_access deny blockfileset
3. Create the file block.acl with the contents below
\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$
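Because each pattern is anchored with $, it only matches when the extension is the very last thing in the URL path, and urlpath_regex sees any query string as part of that path. The following shell sketch is an added example, not part of the original post: it runs the page's five patterns, and a suggested variant that tolerates a trailing query string, over constructed sample paths using grep -E. The tolerant patterns, function names and sample paths are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): test block.acl patterns offline.

# The five patterns from this page's /etc/squid/block.acl.
page_acl() {
    cat <<'EOF'
\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$
EOF
}

# Suggested variant (an assumption, not from the page): same extensions,
# optionally followed by a query string such as "?download=1".
tolerant_acl() {
    cat <<'EOF'
\.[Ee][Xx][Ee](\?.*)?$
\.[Aa][Vv][Ii](\?.*)?$
\.[Mm][Pp][Gg](\?.*)?$
\.[Mm][Pp][Ee][Gg](\?.*)?$
\.[Mm][Pp]3(\?.*)?$
EOF
}

# Constructed sample URL paths.
sample_paths() {
    cat <<'EOF'
/music/track.mp3
/music/TRACK.Mp3
/video/clip.mpeg
/docs/report.pdf
/files/exemplar.html
/dl/setup.exe?session=abc123
/video/clip.avi?download=1
EOF
}

# is_denied <acl-function> <url-path>
# Succeeds when any pattern in the list matches, as "http_access deny" would.
is_denied() {
    acl_file=$(mktemp) || return 2
    "$1" > "$acl_file"
    if printf '%s\n' "$2" | grep -Eq -f "$acl_file"; then rc=0; else rc=1; fi
    rm -f "$acl_file"
    return "$rc"
}

# verdict <acl-function> <url-path> -> DENY or allow
verdict() {
    if is_denied "$1" "$2"; then echo DENY; else echo allow; fi
}

# coverage <acl-function> -> number of sample paths the ACL would deny
coverage() {
    n=0
    while IFS= read -r p; do
        if is_denied "$1" "$p"; then n=$(( n + 1 )); fi
    done <<EOF
$(sample_paths)
EOF
    echo "$n"
}

while IFS= read -r p; do
    printf '%-30s page:%-6s tolerant:%s\n' "$p" \
        "$(verdict page_acl "$p")" "$(verdict tolerant_acl "$p")"
done <<EOF
$(sample_paths)
EOF
```

Squid's regex ACLs also accept -i (acl blockfileset urlpath_regex -i ...), which removes the need for the [Ee][Xx][Ee] style character classes.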
Limit number of simultaneous connections for a single IP address in VSFTPD
1. Open the vsftpd configuration file /etc/vsftpd/vsftpd.conf
2. Set up the limit
max_per_ip=4
This limits each IP address to 4 simultaneous connections.
3. Restart the vsftpd daemon.
Set default password expiry policy for all users in Linux
The /etc/login.defs file defines the site-wide configuration for password expiry.
Each line of the file describes one configuration parameter. The lines consist of a configuration name and value, separated by whitespace.
The default password expiry is set with the following parameters in /etc/login.defs:
- PASS_MAX_DAYS : Maximum number of days a password may be used. If the password is older than this, a password change will be forced.
- PASS_MIN_DAYS : Minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected
- PASS_WARN_AGE : Number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided.
PASS_MAX_DAYS 30
PASS_MIN_DAYS 15
PASS_WARN_AGE 7
SUDO
sudo is a package which allows privileged users to run commands as other users. This is sort of like assigning users (delegation) to different groups to give them special permissions to files. However, sudo can allow users access to specific commands on specific machines, making it a more effective and more organized way of giving special privileges to users.
Often a server needs to be administered by a number of people, and it is not a good idea for all of them to use the root account. This is because it becomes difficult to determine exactly who did what, when and where if everyone logs in with the same credentials. The sudo utility was designed to overcome this difficulty.
The /etc/sudoers file contains all the configuration and permission parameters needed for sudo to work.
Format of /etc/sudoers file
"usernames/group" "Run on Host" = "Run command as" "Comma separated list of commands"
There are some general guidelines when editing this file:
- Groups are the same as user groups and are differentiated from regular users by a % at the beginning. E.g., Linux user group "users" would be represented by %users.
- You can have multiple usernames per line separated by commas.
- Multiple commands also can be separated by commas. Spaces are considered part of the command.
- Keyword ALL can mean all usernames, groups, commands and servers.
- If you run out of space on a line, you can end it with a back slash (\) and continue on the next line.
- sudo assumes that the sudoers file will be used network wide, and therefore offers the option to specify the names of servers which will be using it in the "Run on Host" position. In most cases, the file is used by only one server and the keyword ALL suffices for the Host name.
- The NOPASSWD keyword provides access without prompting for your password.
Granting All Access to Specific Users
You can grant users bob and bunny full access to all privileged commands with this sudoers entry:
bob, bunny ALL=(ALL) ALL
This is generally not a good idea because this allows bob and bunny to use the su command to grant themselves permanent root privileges, thereby bypassing the command logging features of sudo. The example on using aliases in the sudoers file shows how to eliminate this problem.
Granting Access To Specific Users To Specific Files
This entry allows user peter and all the members of the group operator to gain access to all the program files in the /sbin and /usr/sbin directories, plus the privilege of running the command /usr/local/apps/check.pl. Notice how the trailing slash (/) is required to specify a directory location:
peter, %operator ALL= /sbin/, /usr/sbin/, /usr/local/apps/check.pl
Notice also that the lack of any username entries within parentheses () after the = sign prevents the users from running the commands automatically masquerading as another user. This is explained further in the next example.
Granting Access to Specific Files as Another User
The sudo -u entry allows you to execute a command as if you were another user, but first you have to be granted this privilege in the sudoers file.
This feature can be convenient for programmers who sometimes need to kill processes related to projects they are working on. For example, programmer peter is on the team developing a financial package that runs a program called monthend as user accounts. From time to time the application fails, requiring "peter" to stop it with the /bin/kill, /usr/bin/kill or /usr/bin/pkill commands but only as user "accounts". The sudoers entry would look like this:
peter ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill
User peter is allowed to stop the monthend process with this command:
[peter@bigboy peter]# sudo -u accounts pkill monthend
Granting Access Without Needing Passwords
This example allows all users in the group operator to execute all the commands in the /sbin directory without the need for entering a password. This has the added advantage of being more convenient to the user:
%operator ALL= NOPASSWD: /sbin/
Using Aliases in the sudoers File
Sometimes you'll need to assign very similar sets of privileges to random groupings of users from various departments. The sudoers file allows users to be grouped according to function, with the group then being assigned a nickname or alias which is used throughout the rest of the file. Groupings of commands can be assigned aliases too.
In the next example, users peter, bob and bunny and all the users in the operator group are made part of the user alias ADMINS. All the command shell programs are then assigned to the command alias SHELLS. Users ADMINS are then denied the option of running any SHELLS commands and su:
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \
/usr/bin/ksh, /usr/local/bin/tcsh, \
/usr/bin/rsh, /usr/local/bin/zsh
User_Alias ADMINS = peter, bob, bunny, %operator
ADMINS ALL = !/usr/bin/su, !SHELLS
This attempts to ensure that users don't permanently su to become root, or enter command shells that bypass sudo's command logging. It doesn't prevent them from copying the files to other locations to be run. The advantage of this is that it helps to create an audit trail, but the restrictions can be enforced only as part of the company's overall security policy.
09 January 2008
How to restrict users to SFTP only instead of SSH?
Scenarios:
* You want to give file upload/download access to your users.
* You don't want to give shell access to your users.
For the above scenarios,
Method 1:
To give a user account SFTP access without SSH access, set the user shell to /usr/libexec/openssh/sftp-server instead of /bin/bash.
Method 2:
Restrict shell access with rssh.
18 December 2007
"init: Id "x" respawning too fast: disabled for 5 minutes."
In most distributions this means that the system is booting by default into runlevel 5, which is supposed to respawn (restart after it has exited) a graphical login via xdm, kdm, gdm, or whatever, and the system can't locate the program.
However, "Id" can also indicate the absence or misconfiguration of another program, like mingetty, if init has to respawn it more than 10 times in 2 minutes.
Id "x" is the number in the leftmost column of the /etc/inittab file:
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
Commenting the offending line out and then fixing the errant program and testing on the command line will allow you to see any error messages that go to standard error output (console) if the errors are not going to the system log file. Uncomment the line and restart init with "kill -SIGHUP 1" or "telinit q" to cause init to reinitialize and reread the /etc/inittab file.
27 November 2007
Nautilus opens a new window every time I click a folder. How can I change it back to the old behavior?
The new Nautilus uses a spatial mode, where each folder that is clicked on opens in a new window. Many people believe that this is an improvement in usability, while others do not like the way that the new Nautilus works.
It is easy to revert Nautilus back to its old "Browser mode" by issuing the command below as the current user:
gconftool-2 --type bool --set /apps/nautilus/preferences/always_use_browser true
You may have to log out, then back in again for the changes to take effect.
To change this back to its original behavior issue the command:
gconftool-2 --type bool --set /apps/nautilus/preferences/always_use_browser false
Nautilus can be further customized by using the "Configuration Editor" in the System Tools menu.
22 November 2007
How to setup cronjobs
cron is a utility that allows tasks to be run automatically in the background at regular intervals by the cron daemon. These tasks are often termed cron jobs in Unix/Linux.
Crontab (CRON TABle) is a file which contains the schedule of cron entries to be run at specified times.
The following points sum up the crontab functionality:
1. Crontab Restrictions
2. Crontab Commands
3. Crontab file - syntax
4. Crontab Example
5. Crontab Environment
6. Disable Email
7. Generate log file for crontab activity
1. Crontab Restrictions
* You can execute crontab if your name appears in the file /usr/lib/cron/cron.allow. If that file does not exist, you can use crontab if your name does not appear in the file /usr/lib/cron/cron.deny.
* If only cron.deny exists and is empty, all users can use crontab. If neither file exists, only the root user can use crontab.
The allow/deny files consist of one user name per line.
2. Crontab Commands
export EDITOR=vi Specify the editor used to open the crontab file.
crontab -e Edit your crontab file, or create one if it doesn't already exist.
crontab -l Display your crontab file.
crontab -r Remove your crontab file.
crontab -v Display the last time you edited your crontab file. (This option is only available on a few systems.)
3. Crontab file
Crontab syntax :-
A crontab file has five fields for specifying day, date and time, followed by the command to be run at that interval.
* * * * * command to be executed
- - - - -
| | | | |
| | | | +----- day of week (0 - 6) (Sunday=0)
| | | +------- month (1 - 12)
| | +--------- day of month (1 - 31)
| +----------- hour (0 - 23)
+------------- min (0 - 59)
A * in a value field above means all legal values, as shown in parentheses for that column.
A value field can hold a * or a list of elements separated by commas. An element is either a number in the ranges shown above or two numbers in the range separated by a hyphen (meaning an inclusive range).
Note: Days can be specified in two fields: day of month and day of week. If both are specified in an entry, they are cumulative, meaning the command runs on the days matched by either field.
4. Crontab Example
A line in crontab file like below removes the tmp files from /home/someuser/tmp each day at 6:30 PM.
30 18 * * * rm /home/someuser/tmp/*
Changing the parameter values as below will cause this command to run on a different schedule:
min   hour  day/month  month   day/week  Execution time
30    0     1          1,6,12  *         -- 00:30 hrs on 1st of Jan, June & Dec.
0     20    *          10      1-5       -- 8.00 PM every weekday (Mon-Fri) only in Oct.
0     0     1,10,15    *       *         -- midnight on 1st, 10th & 15th of month
5,10  0     10         *       1         -- At 12.05, 12.10 every Monday & on 10th of every month
Note: If you inadvertently enter the crontab command with no argument(s), do not attempt to get out with Control-d. This removes all entries in your crontab file. Instead, exit with Control-c.
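The field rules above, including the "cumulative" handling of day of month and day of week, can be checked with a small matcher. The following shell sketch is an added example, not part of the original post: it decides whether a five-field schedule fires at a given minute, hour, day, month and weekday, supporting the *, list and range forms described here. The function names and the test times are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): does a crontab schedule fire
# at a given time? Supports "*", single numbers, lists and inclusive ranges.

# field_matches <field> <value>
# Succeeds if one crontab field ("*", "5", "1-5", "1,6,12") covers the value.
field_matches() {
    spec=$1
    val=$2
    if [ "$spec" = "*" ]; then return 0; fi
    while [ -n "$spec" ]; do
        item=${spec%%,*}                      # first element of the comma list
        case "$spec" in
            *,*) spec=${spec#*,} ;;           # drop it, keep the rest
            *)   spec= ;;
        esac
        case "$item" in
            *-*) if [ "$val" -ge "${item%-*}" ] && [ "$val" -le "${item#*-}" ]; then
                     return 0
                 fi ;;
            *)   if [ "$val" -eq "$item" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# cron_fires "<min hour dom month dow>" <min> <hour> <dom> <month> <dow>
cron_fires() {
    set -f                                    # keep "*" from expanding as a glob
    set -- $1 "$2" "$3" "$4" "$5" "$6"        # $1-$5 schedule, $6-$10 time
    set +f
    [ "$#" -eq 10 ] || return 2
    field_matches "$1" "$6" || return 1       # minute
    field_matches "$2" "$7" || return 1       # hour
    field_matches "$4" "$9" || return 1       # month
    if [ "$3" != "*" ] && [ "$5" != "*" ]; then
        # Both day fields are restricted: a match on either one is enough.
        field_matches "$3" "$8" || field_matches "$5" "${10}"
    else
        field_matches "$3" "$8" && field_matches "$5" "${10}"
    fi
}

# check <description> <schedule> <min> <hour> <dom> <month> <dow>
check() {
    if cron_fires "$2" "$3" "$4" "$5" "$6" "$7"; then r=runs; else r=skips; fi
    echo "$2 at $1: $r"
}

# Schedules from the table above, evaluated at constructed times.
check "00:05, 3rd, a Monday"    "5,10 0 10 * 1" 5 0 3 3 1
check "00:10, 10th, a Thursday" "5,10 0 10 * 1" 10 0 10 3 4
check "00:05, 11th, a Tuesday"  "5,10 0 10 * 1" 5 0 11 3 2
check "20:00, Oct, a Wednesday" "0 20 * 10 1-5" 0 20 15 10 3
check "20:00, Oct, a Saturday"  "0 20 * 10 1-5" 0 20 18 10 6
```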
5. Crontab Environment
cron invokes the command from the user's HOME directory with the shell (/usr/bin/sh). cron supplies a default environment for every shell, defining:
HOME=user's-home-directory
LOGNAME=user's-login-id
PATH=/usr/bin:/usr/sbin:.
SHELL=/usr/bin/sh
Users who desire to have their .profile executed must explicitly do so in the crontab entry or in a script called by the entry.
6. Disable Email
By default, cron sends an email to the user account executing the cron job. If this is not needed, put the following at the end of the cron job line:
>/dev/null 2>&1
7. Generate log file
To collect the cron execution log in a file:
30 18 * * * rm /home/someuser/tmp/* > /home/someuser/cronlogs/clean_tmp_dir.log
21 November 2007
'df' command says partition is full, while 'du' reports free space
The standard cause for this is some user process keeping a deleted file open.
When this happens, the space is not visible via 'du', since the file is no longer visible in the directory tree. However, the space is still used by the file until it is deallocated, and that can only happen once the last process which has the file open either closes its file descriptor to the file, or the process exits.
You can use the lsof program to try to find which process is keeping the file open. Usually it's some log file, or some large database file, which gets rotated out while some older processes are still keeping it open.
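On Linux the same information is visible under /proc, where a descriptor whose file has been unlinked shows a link target ending in " (deleted)". The following shell sketch is an added example, not part of the original post: it lists such descriptors and includes a small self-contained demo that holds a constructed "log" file open in a background process, deletes it, and finds it again. The function names are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): list deleted-but-open files (Linux).

# deleted_open_files [pid]
# Prints "pid fd size_bytes target" for each descriptor whose target was unlinked.
# Without a pid it scans every process whose /proc/<pid>/fd the caller may read.
deleted_open_files() {
    for fd in /proc/${1:-[0-9]*}/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)')
                pid=${fd#/proc/}
                pid=${pid%%/*}
                size=$(stat -L -c %s "$fd" 2>/dev/null) || size='?'
                echo "$pid ${fd##*/} $size $target"
                ;;
        esac
    done
    return 0
}

# demo: reproduce the df/du mismatch in miniature, then locate the culprit.
demo() {
    f=$(mktemp) || return 1
    exec 9>"$f"                       # open the file in this shell ...
    echo "constructed log data" >&9
    sleep 30 >/dev/null 2>&1 &        # ... and let a child inherit descriptor 9
    holder=$!
    exec 9>&-                         # the shell lets go; only the child holds it
    rm -f "$f"                        # gone from the directory tree, space still used
    found=$(deleted_open_files "$holder" | grep -F "$f") || true
    kill "$holder" 2>/dev/null || true
    wait "$holder" 2>/dev/null || true
    echo "$found"
}

demo
```

Where lsof is installed, lsof +L1 lists the same unlinked-but-open files; the space is released once the holding process closes the descriptor or exits.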