Archive for category Linux
Updating partition table in Linux
Posted by Lincoln Zuljewic Silva in Linux on March 15, 2010
When you use "fdisk" to change the partitions of a disk, depending on the disk, "fdisk" may show the following message:
WARNING: Re-reading the partition table failed with error 22: Invalid argument.
The kernel still uses the old table.
The new table will be used at the next reboot.
Syncing disks.
No, you do not have to restart the server for the changes to be applied. Simply use the following command (example):
kpartx -a /dev/sda
This will re-read the partition table on /dev/sda and create the mapping of the system partitions (/dev/sda1, /dev/sda2, etc).
Martian Friend
Posted by Lincoln Zuljewic Silva in Linux on September 15, 2009
You may find some weird messages in your syslog mentioning a “martian source”, like the following:
When a host needs to send a packet to another host, it can define the route on the network or use the default route. Those “source routed packets” are identified in Linux as martian packets. You can configure whether your Linux logs those packets or not:
# for f in /proc/sys/net/ipv4/conf/*/log_martians; do echo 0 > "$f"; done #do not log
Resizing lvol in Red Hat AS 4
Posted by Lincoln Zuljewic Silva in Linux on August 18, 2009
As incredible as it seems, RHAS4 doesn't come with the resize2fs command (just like the other RH distributions). After some research, I found the tool that replaces the resize2fs command: ext2online. For example:
# ext2online /dev/mapper/VG00-vl02
rlogin access denied
Posted by Lincoln Zuljewic Silva in Linux on June 15, 2009
In some specific situations, you need to use rlogin to access a server remotely, but you may face the following error:
clientServer:~ # rlogin rloginServer
Password:
Password:
Login incorrect
login: root
Password:
Login incorrect
login: root
Password:
Login incorrect
login: root
Password:
Login incorrect
rlogin: connection closed.
If you check the /var/log/secure log on the “rloginServer”, you will find the following messages:
Jun 15 10:44:41 rloginServer rlogind[16640]: pam_securetty(rlogin:auth): access denied: tty 'rlogin' is not secure !
Jun 15 10:44:41 rloginServer rlogind[16640]: pam_rhosts_auth(rlogin:auth): denied to root@10.11.4.9 as root: access not allowed
Jun 15 10:44:47 rloginServer login: pam_securetty(remote:auth): access denied: tty 'pts/0' is not secure !
Jun 15 10:44:51 rloginServer login: FAILED LOGIN 1 FROM 10.11.4.9 FOR root, Authentication failure
Jun 15 10:44:53 rloginServer login: pam_securetty(remote:auth): access denied: tty 'pts/0' is not secure !
Jun 15 10:44:58 rloginServer login: FAILED LOGIN 2 FROM 10.11.4.9 FOR root, Authentication failure
Jun 15 10:44:58 rloginServer login: pam_unix(remote:auth): bad username []
Jun 15 10:44:58 rloginServer login: pam_succeed_if(remote:auth): error retrieving information about user
Jun 15 10:44:58 rloginServer login: FAILED LOGIN 3 FROM 10.11.4.9 FOR , User not known to the underlying authentication module
Jun 15 10:44:59 rloginServer login: pam_unix(remote:auth): bad username []
Jun 15 10:44:59 rloginServer login: pam_succeed_if(remote:auth): error retrieving information about user
Jun 15 10:44:59 rloginServer login: FAILED LOGIN SESSION FROM 10.11.4.9 FOR , User not known to the underlying authentication module
The problem here is that “rlogin” is not listed as a “secure” terminal, so pam_securetty refuses the root login. To allow it, you should add “rlogin” (without the quotes) to /etc/securetty.
After that, you will be able to access the rlogin server.
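The pam_securetty denials in the log above can be extracted mechanically, and /etc/securetty can be checked for entries that let root authenticate on a network terminal. This is an added example, not part of the original post; the function names, the constructed securetty content, and the choice of rlogin and pts/N as the network terminal names are assumptions.

```shell
# Added example, not from the original post. SAMPLE_LOG repeats three of the
# /var/log/secure lines quoted above; SAMPLE_SECURETTY is constructed.
SAMPLE_LOG="Jun 15 10:44:41 rloginServer rlogind[16640]: pam_securetty(rlogin:auth): access denied: tty 'rlogin' is not secure !
Jun 15 10:44:47 rloginServer login: pam_securetty(remote:auth): access denied: tty 'pts/0' is not secure !
Jun 15 10:44:53 rloginServer login: pam_securetty(remote:auth): access denied: tty 'pts/0' is not secure !"
SAMPLE_SECURETTY="console
tty1
rlogin"

# denied_ttys: read syslog lines on stdin and print "SERVICE TTY" once for
# every distinct terminal on which pam_securetty refused a root login.
denied_ttys() {
    sed -n "s/.*pam_securetty(\([^:)]*\)[^)]*): access denied: tty '\([^']*\)' is not secure.*/\1 \2/p" |
        awk '!seen[$0]++'
}

# network_ttys: read a securetty file on stdin and print the entries that let
# root authenticate over the network. Assumption: only the two names seen in
# the log above (rlogin, pts/N) are treated as network terminals.
network_ttys() {
    grep -E '^(rlogin|pts/[0-9]+)$'
}

# report LOG_TEXT SECURETTY_TEXT: for each denied terminal, print
# "SERVICE TTY listed" or "SERVICE TTY missing" according to the securetty text.
report() {
    printf '%s\n' "$1" | denied_ttys | while read -r svc tty; do
        if printf '%s\n' "$2" | grep -qxF -- "$tty"; then
            state=listed
        else
            state=missing
        fi
        echo "$svc $tty $state"
    done
}

# Demo on the samples; on a real host: network_ttys < /etc/securetty
report "$SAMPLE_LOG" "$SAMPLE_SECURETTY"
```

Every line that network_ttys prints is a terminal on which root can log in through a network service, so the list is worth reviewing after any change to /etc/securetty.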
Setting session timeout on Linux
Posted by Lincoln Zuljewic Silva in Linux on May 27, 2009
To set an automatic shell timeout on Linux (that will log off the session after X seconds), you just need to set the following variable (put it in your /etc/profile):
# echo "TMOUT=300; readonly TMOUT; export TMOUT" >> /etc/profile
The “readonly” option prevents a normal user from changing (or unsetting) it.
Rotate log files in Linux
Posted by Lincoln Zuljewic Silva in Linux on May 15, 2009
An easy way (shell script) to rotate log files in Linux can be:
#!/bin/bash
# Include the following line in crontab:
#00 5 * * * /bin/rotate_logs.sh > /dev/null 2>&1
#
DATE=$(date "+%Y%m%d")
cd /var/log/ || exit 1
for i in messages secure cron lastlog
do
    cp "${i}" "${i}.${DATE}"    # keep a dated copy
    > "${i}"                    # truncate the live file in place
    gzip -9 "${i}.${DATE}"
done
/etc/init.d/syslog restart
If you have any other logs to rotate, you can change lines 8 and 10.
Disable CTRL+C on Linux
Posted by Lincoln Zuljewic Silva in Linux on April 30, 2009
To disable CTRL+C on Linux, you can use the following command:
# stty intr undef
Renaming a network interface on Linux
Posted by Lincoln Zuljewic Silva in Linux on April 29, 2009
Sometimes, when you add or remove a network card in Linux, the system automatically changes the names of the interfaces (for example, your eth0 becomes eth1). Depending on the system, this can cause a big problem, so you can use the command nameif to rename them back (or just to rename your interfaces):
Create a file named /etc/mactab with the interface names and their MAC addresses:
eth0 00:0B:DB:D5:6E:DD
eth1 00:03:47:3b:ef:b9
eth2 00:0B:DB:D5:6E:DE
banana01 00:03:47:3B:EF:B8
After that, you should run the command nameif (/sbin/nameif) to apply your new configuration.
Note 01: you can rename your interfaces to whatever you want.
Note 02a: before running nameif, you should stop the interfaces.
Note 02b: you can do this with ifdown <interface>
Note 03: if you reboot the server, this configuration will be lost, so you can create a simple shell script to rename it automatically on boot:
vi /etc/init.d/nameif
#!/bin/bash
case "$1" in
    start)
        echo "Renaming the network interfaces..."
        /sbin/nameif
        ;;
    stop)
        echo "Ok"
        ;;
esac
chmod 755 /etc/init.d/nameif
ln -s /etc/init.d/nameif /etc/rc3.d/S04nameif
I know that you can use udev to rename an interface, but I believe that nameif is simpler.
Using vi as crontab editor
Posted by Lincoln Zuljewic Silva in Linux on April 22, 2009
The default Debian installation uses a non-vi editor when you try to use crontab (i.e. “crontab -e”).
To change it to vi, you should do the following:
# rm -f /etc/alternatives/editor
# ln -s /usr/bin/vi /etc/alternatives/editor
SSH Memory fault(coredump) in HP-UX
Posted by Lincoln Zuljewic Silva in HP-UX, Linux on April 16, 2009
If you try to access, from an HP-UX machine, another machine that is running a newer version of SSH, you may get a “SSH Memory fault(coredump)” message like the following one:
# ssh -v serverDebian
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090609f
16153: debug1: Reading configuration data /opt/ssh/etc/ssh_config
16153: debug1: Rhosts Authentication disabled, originating port will not be trusted.
16153: debug1: ssh_connect: needpriv 0
16153: debug1: Connecting to serverDebian [10.0.0.1] port 22.
16153: debug1: Connection established.
16153: debug1: identity file /.ssh/id_rsa type -1
16153: debug1: identity file /.ssh/id_dsa type -1
16153: debug1: Remote protocol version 1.99, remote software version OpenSSH_4.2-chrootssh
16153: debug1: match: OpenSSH_4.2-chrootssh pat OpenSSH*
16153: debug1: Enabling compatibility mode for protocol 2.0
16153: debug1: Local version string SSH-2.0-OpenSSH_3.5p1
Memory fault(coredump)
To solve it, you should create an empty file named /etc/krb5.conf in HP-UX. After that, you will be able to use SSH.
Forcing a user to change the password on Linux
Posted by Lincoln Zuljewic Silva in Linux on April 15, 2009
When creating a new user, you can use the following command to force the user to change the password at first logon:
# chage -d 0 <username>
Doing this, the user will receive the following message:
Password change requested. Choose a new password.
Old Password:
Locking a Linux account
Posted by Lincoln Zuljewic Silva in Linux on April 9, 2009
Before you remove an account from a system, it is a good idea to lock it for one week to make sure that no one uses it.
To lock it, you can use the following command:
# passwd -l username (where username is the login id).
After that, if someone tries to log in using this account, the system will return:
# su - foobar
This account is currently not available.
Stop/Start a Guest OS in Vmware Server 2.0
Posted by Lincoln Zuljewic Silva in Linux on April 8, 2009
VMware Server 2.0 has a command named “vmrun” that can control the state of the VMs. The syntax is:
vmrun [AUTHENTICATION-FLAGS] COMMAND [PARAMETERS]
To list all started VMs:
# vmrun -u root -h 'https://192.168.0.14:8333/sdk' -p YOURPASSWORD list
Total running VMs: 3
[standard] Apolo/Apolo.vmx
[standard] Ares - NS01/Ares - NS01.vmx
[standard] hades - NS02/hades - NS02.vmx
To stop a VM:
# vmrun -u root -h 'https://192.168.0.14:8333/sdk' -p YOURPASSWORD stop "[standard] Apolo/Apolo.vmx"
To start a VM:
# vmrun -u root -h 'https://192.168.0.14:8333/sdk' -p YOURPASSWORD start "[standard] Apolo/Apolo.vmx"
Installing OpenSSH from source on SuSe 10
Posted by Lincoln Zuljewic Silva in Linux on April 7, 2009
The current version of my SuSe is:
# cat /etc/SuSE-release
SUSE Linux Enterprise Server 10 (i586)
VERSION = 10
PATCHLEVEL = 1
1 – Download OpenSSH:
# cd /usr/src
# wget http://anga.funkfeuer.at/ftp/pub/OpenBSD/OpenSSH/portable/openssh-5.2p1.tar.gz
2 – Unpack it:
# tar zxvf openssh-5.2p1.tar.gz
3 – Check if you have the necessary packages:
automake-1.9.6-2.i586.rpm
cpp-4.0.2_20050901-3.i586.rpm
gcc-4.0.2_20050901-3.i586.rpm
gcc-c++-4.0.2_20050901-3.i586.rpm
glibc-2.3.5-40.i586.rpm
glibc-devel-2.3.5-40.i586.rpm
libselinux-1.23.11-3.i586.rpm
libstdc++-4.0.2_20050901-3.i586.rpm
libstdc++-devel-4.0.2_20050901-3.i586.rpm
openssl-devel-0.9.8a-18.15.i586.rpm
pam-devel-0.99.6.3-28.8.i586.rpm
pam_ssh-1.91-19.2.i586.rpm
sudo-1.6.8p9-2.i586.rpm
tcpd-devel-7.6-731.2.i586.rpm
zlib-devel-1.2.3-3.i586.rpm
You can check it by typing:
# rpm -qa (example: "rpm -qa |grep openssl-devel")
4 – If there are some packages missing, I advise you to search for them on www.filewatcher.com and install them using:
# rpm -ivh (example: "rpm -ivh tcpd-devel-7.6-731.2.i586.rpm")
5 – Run configure:
# cd /usr/src/openssh-5.2p1
# ./configure --prefix=/opt/ssh2 --with-libs=-ldl --disable-suid-ssh --with-privsep-user=sshd --with-tcp-wrappers --with-pam
After some time, you should see something like this:
OpenSSH has been configured with the following options:
User binaries: /opt/ssh2/bin
System binaries: /opt/ssh2/sbin
Configuration files: /opt/ssh2/etc
Askpass program: /opt/ssh2/libexec/ssh-askpass
Manual pages: /opt/ssh2/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh2/bin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
libedit support: no
Solaris process contract support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -std=gnu99
Preprocessor flags:
Linker flags:
Libraries: -lresolv -lcrypto -lutil -lz -lnsl -ldl -lcrypt
+for sshd: -lwrap -lpam
PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. Example PAM control files can be found in the contrib/ subdirectory
6 – Install contrib scripts. In /usr/src/openssh-5.2p1/contrib there are some files that we can use to set up our server:
# cp sshd.pam.generic /etc/pam.d/sshd
# cp rc.sshd /etc/init.d/sshd
# cp sysconfig.ssh /etc/sysconfig/ssh
# cp rc.config.sshd /etc/rc.d/sshd
# chmod 755 /etc/init.d/sshd /etc/rc.d/sshd
# ln -s /etc/init.d/sshd /etc/rc.d/rc3.d/S20-sshd
7 – Configure some parameters. Edit the main SSHD configuration file
# vi /opt/ssh2/etc/sshd_config
Ensure that some lines are uncommented:
Line 21: Protocol 2 -> Enable just the protocol version 2 (more secure)
Line 41: PermitRootLogin no -> Do not enable root login
Line 46: RSAAuthentication yes -> enable authentication thru auth-keys
Line 47: PubkeyAuthentication yes -> enable authentication thru auth-keys
Line 48: AuthorizedKeysFile .ssh/authorized_keys -> enable authentication thru auth-keys (keys location - user's home)
Line 86: UsePAM yes -> enable PAM authentication
Line 113: Subsystem sftp /opt/ssh2/libexec/sftp-server -> enable the sftp subsystem (for secure file transfer - NOT SCP)
8 – Start the server:
# /etc/init.d/sshd start
9 – Perform a login test
10 – Check your /var/log/messages. If you see the following messages:
Apr 7 10:02:48 localhost sshd[8388]: pam_unix(sshd:setcred): Unknown option: `shadow'
Apr 7 10:02:48 localhost sshd[8388]: pam_unix(sshd:setcred): Unknown option: `nodelay'
Apr 7 10:02:48 localhost sshd[8390]: pam_unix(sshd:setcred): Unknown option: `shadow'
Apr 7 10:02:48 localhost sshd[8390]: pam_unix(sshd:setcred): Unknown option: `nodelay'
Edit your /etc/pam.d/sshd and change the following lines:
auth required /lib/security/pam_unix.so shadow nodelay
to
auth required /lib/security/pam_unix.so
and
password required /lib/security/pam_unix.so shadow nullok use_authtok
to
password required /lib/security/pam_unix.so use_authtok
That's it!
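A check for the settings listed in step 7, as an added example that is not part of the original post. The function names and the sample configuration are constructed; the check relies on sshd treating keywords case-insensitively and using the first uncommented occurrence, and it only looks at global settings before any Match line.

```shell
# Added example, not from the original post. SAMPLE_SSHD_CONFIG is constructed.
SAMPLE_SSHD_CONFIG="Protocol 2
#PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
usepam yes
Subsystem sftp /opt/ssh2/libexec/sftp-server
Match Address 10.0.0.0/8
    PermitRootLogin no"

# sshd_value KEY: print the global value of KEY from the config on stdin.
# Keywords are case-insensitive, the first uncommented occurrence wins, and
# anything after a Match line is conditional, so the scan stops there.
sshd_value() {
    awk -v key="$1" '
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }'
}

# check_sshd: read an sshd_config on stdin and print one line per step 7
# setting that is missing or different. Returns 0 only if all of them match.
check_sshd() {
    cfg=$(cat)
    rc=0
    while read -r key want; do
        got=$(printf '%s\n' "$cfg" | sshd_value "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-<unset>}'"
            rc=1
        fi
    done <<EOF
Protocol 2
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
UsePAM yes
Subsystem sftp /opt/ssh2/libexec/sftp-server
EOF
    return $rc
}

# Demo on the sample; on a real host: check_sshd < /opt/ssh2/etc/sshd_config
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | check_sshd || true
```

In the sample, PermitRootLogin is reported as unset because the global line is still commented out and the only active one sits inside a Match block.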