Archive for category Linux
Martian Friend
Posted by Lincoln Zuljewic Silva in Linux on September 15th, 2009
You may find some weird messages in your syslog mentioning “martian source”, like the following:
When a host needs to send a packet to another host, it can define the route through the network itself or use the default route. Those “source routed packets” are identified in Linux as martian packets. You can configure Linux to log or not log those packets:
| for f in /proc/sys/net/ipv4/conf/*/log_martians; do echo 0 > "$f"; done   # do not log |
Resizing lvol in Red Hat AS 4
Posted by Lincoln Zuljewic Silva in Linux on August 18th, 2009
As incredible as it seems, RHAS4 doesn’t come with the resize2fs command (unlike the other RH distributions). After some research, I found the tool that replaces the resize2fs command: it’s ext2online. For example:
| ext2online /dev/mapper/VG00-vl02 |
rlogin access denied
Posted by Lincoln Zuljewic Silva in Linux on June 15th, 2009
In some specific situations, you need to use rlogin to access a server remotely, but you may face the following error:
|
clientServer:~ # rlogin rloginServer
Password:
Password:
Login incorrect
login: root
Password:
Login incorrect
login: root
Password:
Login incorrect
login: root
Password:
Login incorrect
rlogin: connection closed.
|
If you check the /var/log/secure log on the “rloginServer”, you will find the following messages:
|
Jun 15 10:44:41 rloginServer rlogind[16640]: pam_securetty(rlogin:auth): access denied: tty 'rlogin' is not secure !
Jun 15 10:44:41 rloginServer rlogind[16640]: pam_rhosts_auth(rlogin:auth): denied to root@10.11.4.9 as root: access not allowed
Jun 15 10:44:47 rloginServer login: pam_securetty(remote:auth): access denied: tty 'pts/0' is not secure !
Jun 15 10:44:51 rloginServer login: FAILED LOGIN 1 FROM 10.11.4.9 FOR root, Authentication failure
Jun 15 10:44:53 rloginServer login: pam_securetty(remote:auth): access denied: tty 'pts/0' is not secure !
Jun 15 10:44:58 rloginServer login: FAILED LOGIN 2 FROM 10.11.4.9 FOR root, Authentication failure
Jun 15 10:44:58 rloginServer login: pam_unix(remote:auth): bad username []
Jun 15 10:44:58 rloginServer login: pam_succeed_if(remote:auth): error retrieving information about user
Jun 15 10:44:58 rloginServer login: FAILED LOGIN 3 FROM 10.11.4.9 FOR , User not known to the underlying authentication module
Jun 15 10:44:59 rloginServer login: pam_unix(remote:auth): bad username []
Jun 15 10:44:59 rloginServer login: pam_succeed_if(remote:auth): error retrieving information about user
Jun 15 10:44:59 rloginServer login: FAILED LOGIN SESSION FROM 10.11.4.9 FOR , User not known to the underlying authentication module
|
The problem here is that “rlogin” is not a “secure” shell. To configure it, you should add “rlogin” (without the quotes) to /etc/securetty.
After that, you will be able to access the rlogin server.
Setting session timeout on Linux
Posted by Lincoln Zuljewic Silva in Linux on May 27th, 2009
To set an automatic shell timeout on Linux (that will log off the session after X seconds), you just need to set up the following variable (put it in your /etc/profile):
|
echo "TMOUT=300; readonly TMOUT; export TMOUT" >> /etc/profile |
The “readonly” option will not allow a normal user to change (or unset) it.
Rotate log files in Linux
Posted by Lincoln Zuljewic Silva in Linux on May 15th, 2009
An easy way to rotate log files in Linux can be:
|
#!/bin/bash
# Include the following line in crontab:
#00 5 * * * /bin/rotate_logs.sh > /dev/null 2>&1
#

DATE=$(date "+%Y%m%d")

cd /var/log/ || exit 1

for i in messages secure cron lastlog
do
  cp "${i}" "${i}.${DATE}"   # keep a dated copy
  > "${i}"                   # truncate the live file in place
  gzip -9 "${i}.${DATE}"     # compress the dated copy
done

/etc/init.d/syslog restart
|
If you have any other log to rotate, you can change lines 8 and 10 (the directory and the list of files).
Disable CTRL+C on Linux
Posted by Lincoln Zuljewic Silva in Linux on April 30th, 2009
To disable CTRL+C on Linux, you can use the following command:
|
stty intr undef |

Renaming a network interface on Linux
Posted by Lincoln Zuljewic Silva in Linux on April 29th, 2009
Sometimes, when you add or remove a network card in Linux, the system automatically changes the names of the interfaces (for example, your eth0 becomes eth1). Depending on the system, this can cause a big problem, so you can use the command nameif to rename them back (or just to rename your interfaces):
Create a file named /etc/mactab with the interface names and their MAC addresses:
|
eth0 00:0B:DB:D5:6E:DD
eth1 00:03:47:3b:ef:b9
eth2 00:0B:DB:D5:6E:DE
banana01 00:03:47:3B:EF:B8
|
After that, you should run the command nameif (/sbin/nameif) to apply your new configuration.
Note 01: you can rename your interfaces to whatever you want.
Note 02a: before running nameif, you should stop the interfaces.
Note 02b: you can do an ifdown <interface>
Note 03: if you reboot the server, this configuration will be lost, so you can create a simple shell script to rename the interfaces automatically on boot:
|
vi /etc/init.d/nameif

# contents of /etc/init.d/nameif:
#!/bin/bash
case "$1" in
start)
  echo "Renaming the network interfaces..."
  /sbin/nameif
  ;;
stop)
  echo "Ok"
  ;;
esac

# back at the shell: make it executable and link it into runlevel 3
chmod 755 /etc/init.d/nameif
ln -s /etc/init.d/nameif /etc/rc3.d/S04nameif
|
I know that you can use udev to rename an interface, but I believe that nameif is simpler.
Using vi as crontab editor
Posted by Lincoln Zuljewic Silva in Linux on April 22nd, 2009
Hi!
The default Debian installation uses a non-vi editor when you try to use crontab (i.e. “crontab -e”).
To change it to vi, you should do the following:
|
rm -f /etc/alternatives/editor |
SSH Memory fault(coredump) in HP-UX
Posted by Lincoln Zuljewic Silva in HP-UX, Linux on April 16th, 2009
If you try to access, from an HP-UX machine, another machine that is running a newer version of SSH, you may get a “SSH Memory fault(coredump)” message like the following one:
|
root@serverHPUX01:/ > ssh -v serverDebian
|
To solve it, you should create an empty file named /etc/krb5.conf in HP-UX. After that, you will be able to use SSH.
Forcing a user changing the password on Linux
Posted by Lincoln Zuljewic Silva in Linux on April 15th, 2009
When creating a new user, you can use the following command to force the user to change their password at first logon:
|
chage -d 0 <username> |
Doing this, the user will receive the following message:
|
Password change requested. Choose a new password. |
Locking a Linux account
Posted by Lincoln Zuljewic Silva in Linux on April 9th, 2009
Before you remove an account from a system, it is a good idea to lock it for one week to make sure that no one uses it.
To lock it, you can use the following command:
|
passwd -l username   # where username is the login id |
After that, if someone tries to log in using this account, the system will return:
|
[root@server root]# su - foobar |
Stop/Start a Guest OS in Vmware Server 2.0
Posted by Lincoln Zuljewic Silva in Linux on April 8th, 2009
VMware Server 2.0 has a command named “vmrun” that can control the state of the VMs. The syntax is:
|
vmrun [AUTHENTICATION-FLAGS] COMMAND [PARAMETERS] |
To list all started VMs:
|
[root@host ~]# vmrun -u root -h 'https://192.168.0.14:8333/sdk' -p YOURPASSWORD list |
To stop a VM:
|
vmrun -u root -h 'https://192.168.0.14:8333/sdk' -p YOURPASSWORD stop "[standard] Apolo/Apolo.vmx" |
To start a VM:
|
vmrun -u root -h 'https://192.168.0.14:8333/sdk' -p YOURPASSWORD start "[standard] Apolo/Apolo.vmx" |
Installing OpenSSH from source on SuSe 10
Posted by Lincoln Zuljewic Silva in Linux on April 7th, 2009
Installing OpenSSH 5.2 on a SUSE Linux Enterprise Server 10
The current version of my SuSe is:
|
cat /etc/SuSE-release
SUSE Linux Enterprise Server 10 (i586)
VERSION = 10
PATCHLEVEL = 1
|
1 – Download OpenSSH:
|
cd /usr/src
wget http://anga.funkfeuer.at/ftp/pub/OpenBSD/OpenSSH/portable/openssh-5.2p1.tar.gz
|
2 – Unpack it:
| tar zxvf openssh-5.2p1.tar.gz |
3 – Check if you have the necessary packages:
|
automake-1.9.6-2.i586.rpm
cpp-4.0.2_20050901-3.i586.rpm
gcc-4.0.2_20050901-3.i586.rpm
gcc-c++-4.0.2_20050901-3.i586.rpm
glibc-2.3.5-40.i586.rpm
glibc-devel-2.3.5-40.i586.rpm
libselinux-1.23.11-3.i586.rpm
libstdc++-4.0.2_20050901-3.i586.rpm
libstdc++-devel-4.0.2_20050901-3.i586.rpm
openssl-devel-0.9.8a-18.15.i586.rpm
pam-devel-0.99.6.3-28.8.i586.rpm
pam_ssh-1.91-19.2.i586.rpm
sudo-1.6.8p9-2.i586.rpm
tcpd-devel-7.6-731.2.i586.rpm
zlib-devel-1.2.3-3.i586.rpm
|
You can check it by typing:
| rpm -qa (example: "rpm -qa | grep openssl-devel") |
4 – If some package is missing, I advise you to search for it on www.filewatcher.com and install it using:
| rpm -ivh (example: "rpm -ivh tcpd-devel-7.6-731.2.i586.rpm") |
5 – Run configure:
|
cd /usr/src/openssh-5.2p1
./configure --prefix=/opt/ssh2 --with-libs=-ldl --disable-suid-ssh --with-privsep-user=sshd --with-tcp-wrappers --with-pam
|
After some time, you should see something like this:
|
OpenSSH has been configured with the following options:
User binaries: /opt/ssh2/bin
System binaries: /opt/ssh2/sbin
Configuration files: /opt/ssh2/etc
Askpass program: /opt/ssh2/libexec/ssh-askpass
Manual pages: /opt/ssh2/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh2/bin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
libedit support: no
Solaris process contract support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Host: i686-pc-linux-gnu
PAM is enabled. You may need to install a PAM control file
|
6 – Install contrib scripts. Check into /usr/src/openssh-5.2p1/contrib some files that we can use to setup our server:
|
cp sshd.pam.generic /etc/pam.d/sshd
cp rc.sshd /etc/init.d/sshd
cp sysconfig.ssh /etc/sysconfig/ssh
cp rc.config.sshd /etc/rc.d/sshd
chmod 755 /etc/init.d/sshd /etc/rc.d/sshd
ln -s /etc/init.d/sshd /etc/rc.d/rc3.d/S20-sshd
|
7 – Configure some parameters. Edit the main SSHD configuration file
|
vi /opt/ssh2/etc/sshd_config
Ensure that some lines are uncommented:
Line 21: Protocol 2 -> Enable just the protocol version 2 (more secure)
Line 41: PermitRootLogin no -> Do not enable root login
Line 46: RSAAuthentication yes -> enable authentication thru auth-keys
Line 47: PubkeyAuthentication yes -> enable authentication thru auth-keys
Line 48: AuthorizedKeysFile .ssh/authorized_keys -> enable authentication thru auth-keys (keys location – user’s home)
Line 86: UsePAM yes -> enable PAM authentication
Line 113: Subsystem sftp /opt/ssh2/libexec/sftp-server -> enable the sftp subsystem (for secure file transfer – NOT SCP)
|
8 – Start the server:
| /etc/init.d/sshd start |
9 – Perform a login test
10 – Check your /var/log/messages. If you see the following messages:
|
Apr 7 10:02:48 localhost sshd[8388]: pam_unix(sshd:setcred): Unknown option: `shadow'
Apr 7 10:02:48 localhost sshd[8388]: pam_unix(sshd:setcred): Unknown option: `nodelay'
Apr 7 10:02:48 localhost sshd[8390]: pam_unix(sshd:setcred): Unknown option: `shadow'
Apr 7 10:02:48 localhost sshd[8390]: pam_unix(sshd:setcred): Unknown option: `nodelay'
|
Edit your /etc/pam.d/sshd and change the following lines:
| auth required /lib/security/pam_unix.so shadow nodelay |
to
| auth required /lib/security/pam_unix.so |
and
| password required /lib/security/pam_unix.so shadow nullok use_authtok |
to
| password required /lib/security/pam_unix.so use_authtok |
That’s it!
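To confirm that the settings from step 7 are really in effect, the following added example (not part of the original post) reads an sshd_config the way sshd does, where the first uncommented value of a keyword wins, and compares it with the values listed there. The function names are hypothetical and the sample configuration is constructed.

```bash
#!/bin/bash
# Added example: check an sshd_config against the settings listed in step 7.
# Function names are hypothetical. Constructed sample: Protocol is still
# commented out and PermitRootLogin appears twice (the first value wins).
sample_config() {
cat <<'EOF'
#Protocol 2
PermitRootLogin yes
permitrootlogin no
PubkeyAuthentication yes
UsePAM yes
Subsystem sftp /opt/ssh2/libexec/sftp-server
EOF
}

# effective_value KEY [FILE]: first uncommented global value of KEY
# (keywords are case-insensitive); prints nothing when KEY is not set.
effective_value() {
  awk -v key="$1" '
    /^[ \t]*#/ || NF == 0       { next }           # comments, blank lines
    tolower($1) == "match"      { exit }           # global section ends
    tolower($1) == tolower(key) { print $2; exit } # first occurrence wins
  ' "${2:--}"
}

# audit_sshd FILE: prints one OK/FAIL line per setting from step 7;
# the exit status is the number of failures.
audit_sshd() {
  local fails=0 key want got
  while read -r key want; do
    got=$(effective_value "$key" "$1")
    if [ "$got" = "$want" ]; then
      echo "OK   $key $want"
    else
      echo "FAIL $key wanted=$want got=${got:-unset}"
      fails=$((fails + 1))
    fi
  done <<'EOF'
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
UsePAM yes
EOF
  return "$fails"
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_config > "$tmp"
audit_sshd "$tmp" || echo "$? setting(s) need attention"
rm -f "$tmp"
```

For the installation described above, run it as `audit_sshd /opt/ssh2/etc/sshd_config`; a result of `got=unset` means the line is still commented out and the compiled-in default applies.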
