theres nowhere like 127.0.0.1

Restricting downloads with squid!

2008-06-30T12:35:00.003+05:30

Many times you may want to deny users from downloading huge files
using the proxy server. This blog will help you do that with squid
in GNU/Linux.

To Readers: All those starting with # are run by root user and ;'s are comments inside the configuration files

Here we are using reply_body_max_size TAG in squid.conf

#vim /etc/squid/squid.conf

acl limitme src 10.0.0.1-10.0.0.50
reply_body_max_size 2097152 allow limitme
reply_body_max_size 0 allow all

By default, there is no restriction on the maximum
file that can be downloaded.

Here limitme acl is allowed only a maximum
of 2 MB download.

2097152 bytes = 2097152/1024 Kbytes => 2048 KB => 2 MB

~mj0vy (sreejith dot anujan at gmail dot com)

Use your bandwidth effectively

2008-06-30T12:07:00.006+05:30

This blog tries to help you use your ISP bandwidth wisely! You might be the system administrator of a company who always wanted to limit your fellow workers from downloading the media files, limiting the access of streaming videos which are available in YouTube and wanted to share adequate bandwidth to your SMTP and HTTP Servers. This blog is for those persons.

To Readers: All those starting with # are run by root user and ;'s are comments inside the configuration files

We are going to use the delay_pools TAG in squid.
Before going straight into the configuration, I would like to write some theory.

What exactly are delay pools?

They are simply pools which make a delayed response.
They are essentially bandwidth buckets!
Some of you might have quizzically raised your eyebrows when you read buckets, I know! I too was very much confused about this bucket concept! But I think I can clarify the whole concept for you!

Imagine bandwidth bucket has a normal plastic bucket used to storing water! Instead of water these buckets store bandwidth! Initially it will be full! Initially means when no one is using your bandwidth. When a user requests a page, he will get the respone only if theres enough bandwidth available from the bucket he is using. Bucket actually stores traffic! Bandwidth is expressed in terms of how much data is available in one second, like 1Mb/s (1Mbps)
Traffic is expressed in terms of total data, like 1MB.

Size of bucket determines how much bandwidth is available to a client(s). If a bucket starts out full, a client can take as much traffic as it needs until the bucket becomes empty. Client then recieves bucket allotment at the 'fill rate'. (I will tell about the fill rate later, just remember that word in mind).

There are three types of delay pools.

Class 1 => Single aggregate bucket (Totally shared among the members of the bucket)

Class 2 => To understand it better, assume its applied to Class C networks.
Theres one bucket for each network and 256 individual buckets for each ips of every network. Size of individual bucket cannot exceed the network bucket!

Class 3 => One aggregate bucket, 256 network buckets, 65536 individual buckets. (Class B networks)

Now into configuration,

Firstly we need to define how many delay pools we are doing to declare.

delay_pools 2
This means that we have two delay pools.

delay_class 1 3
This means that the first pool is a class 3 pool (Class B networks)

delay_class 2 1
This means that the second pool is a class 1 pool (Single aggregate bucket)

For each pool we should have a delay_class line.

Now we need to define each pools parameters, like the capacity of each pool and fill rate.

delay_parameters 1 7000/15000 3000/4000 1000/2000
this is delay pool parameters for the pool 1
Pool 1 was a class 3 pool. Class 3 pool has 3 buckets, one aggregate bucket, one for 256 networks and one for 65536 individual ips!

delay_parameters 2 2000/8000
The second pool of type class 1. Class 1 has only one aggregate bucket!

Now whats this 2000/8000?
Each bucket is recognized by its rate/size
Here 8000 means that the maximum capacity of the bucket!
And it refills at the rate of 2000 bytes/second
This means that if the bucket is empty, it takes 4 seconds for the bucket to get full if no clients are accessing it!

If you find a declaration like this,
delay_paramters 2 -1/-1
This means theres no limitation to the bucket!

Now lets take an example.

Our ISP connection is 12Mbps and we want our machines to have a maximum of 4 Mbps at peak time.
The rest we dedicate for SMTP or other production servers. We are going to define only one delay pool of class 1

What is actually 12Mbps?

1Mbps = 1 Megabits per second => 1/8 Megabytes per second (8 bits = 1 byte)
1/8 Megabytes per second => 1/8 * 1024 Kilobytes per second => 128Kilobytes per second => 128KBps
so 1 Mbps => 128 KBps
so 12 Mbps => 128 * 12 = 1536 KBps => 1.5 MBps
To sum up
so 12 Mbps = 12/8 MBps => 1.5 MBps

So with this ISP connection we can download a 6 MB file in 4 seconds!

So here the maximum bandwidth available to machines must be 4 Mbps only! (4Mbps ~ 0.5 MBps ~ 512 KBps)

delay_pools 1
delay_class 1 1
delay_parameters 1 524288/1048576

524288 => 524288/1024 KB => 512 KB => 512/1024 MB => 0.5 MB => 0.5*8 => 4Mb

1048576 => 1048576/1024 KB => 1024 KB => 1 MB

Initially the bucket will be full (1 MB traffic). Now a client makes a request to download a 5 MB file.
It will get the maximum speed(12 Mbps) until it downloads 1 MB, but after that it gets only 0.5 MBps
For 1 MB, it takes 1 second as full bucket is available at first. As the bucket drains, it fills at the rate of 0.5 MBps only.
So 0.5 MBps will only be available after 1 MB has been downloaded!
So the file will get downloaded in 9 seconds. (This is all in theory :P)

There another TAG associated with delay_pools.
delay_initial_bucket_level => this parametes expects a value in percentage(%)
This parameter specifies how much bandwidth is put in each bucket when squid service starts.
By default, the value will be 50%, which means that in the previous example, the client will
download at full speed till the download reaches 0.5 MB

eg:

acl throttled src 10.0.0.1-10.0.0.50
delay_pools 1
delay_class 1 1
delay_parameters 1 524288/1048576
delay_access 1 allow throttled

Note: delay_access is very similar to http_access. It determines which delay pool a request falls into!

Hope this was useful for you!

~mj0vy (sreejith dot anujan at gmail dot com)

User/Group authentication in squid

2008-06-28T16:32:00.002+05:30

User authentication in squid:
------------------------------------------
To Readers: All those starting with # are run by root user and ;'s are comments inside the configuration files

User authentication can be done with the help of the ncsa_auth module and with PAM

With ncsa_aith:
----------------------
This module resides in /usr/lib/squid/ in the name nsca_auth.

edit squid.conf and add the following entries

#vim /etc/squid/squid.conf

acl all src 0.0.0.0/0.0.0.0
;inbuilt acl in squid.conf

acl clients src 10.0.0.1-10.0.0.150
;Here we are declaring an acl in the name
;clients which catches all the ip from 10.0.0.1 to 10.0.0.150

acl users proxy_auth REQUIRED
;another acl in the name users of type proxy_auth
;REQUIRED => accept any valid user.
;proxy_auth works only with the help of external authenticators.
;Here we are going to try, ncsa_auth and PAM.

http_access allow clients users
;Logical AND-ing here, both acls must be satisfied
;for access to be allowed.

http_access deny clients
;If the criteria is not met, deny clients immediately
;instead of traversing till acl 'all'

http_access deny all
;eventually deny all
;Note: by default squid denies all with the acl 'all'

auth_param basic program /var/lib/squid/ncsa_auth /etc/squid/.passwd
;Here we are using the authentication program nsca_auth
;basic => scheme which is used.
;/var/lib/squid/ncsa-auth => external authenticator
;/etc/squid/.passwd => file which contains
; username/password credentials.

save squid.conf and exit

Check the syntax of squid.conf
#squid -k parse /etc/squid/squid.conf
If it shows some problem, rectify it :P

Now we need to make the file which acts as the
username/password database!
Use the htpasswd command from httpd-tools-* rpm.

#htpasswd -c /etc/squid/.passwd mj0vy

enter the password for user mj0vy
when htpasswd is done for the first time we need to give the -c flag so that
it would create the password file. For adding more users to this password file
we should not give the -c flag as it would overwrite the existing users'
accounts.

#htpasswd /etc/squid/.passwd sreejith

restart the squid service and configure clients' browser to listen to squid server
and check whether username and password are prompted while accessing the sites.
Note: Squid is a very heavy service. So instead of going for restarting the squid
with init script, do it like this
#squid -k reconfigure

With PAM Module:
---------------------------
One of the beauty with using PAM is that we can group level deny too!

#vim /etc/squid/squid.conf

auth_param basic program /usr/lib/squid/pam_auth
;Here we dont need to specify the username/password file as its declared
;in the PAM file associated with squid.

#vim /etc/pam.d/squid
Its a single line
auth required pam_listfile.so item=user sense=allow
file=/etc/squid/squid_users onerr=fail

Make sure that /usr/lib/squid/pam_auth is setUID to root!
If not do it
#chmod +s /usr/lib/squid/pam_auth

Now add the UNIX users' name to /etc/squid/squid_users who you want to allow proxy access!

If you want to grant access using UNIX groups, change the PAM file as

Its a single line
auth required pam_listfile.so item=group sense=allow
file=/etc/squid/squid_groups onerr=fail

Make the file /etc/squid/squid_groups and enter the groups who you want to allow access!
Note: Make sure the users who are trying to connect MUST be member of this UNIX group!

Note: As PAM checks /etc/passwd, /etc/group and /etc/shadow, the authentication process will be a bit slow!

chroot vsFTPd

2008-06-28T15:18:00.003+05:30

Restricting FTP Users in a chroot-ed Jail:
----------------------------------------------------------
We can specify an explicit list of local users to
chroot to their home directories by specifying,

chroot_list_enable=YES

in /etc/vsftpd/vsftpd.conf
more over we need to specify the list of
users which are to be chroot-ed,
in a file specified by

chroot_list_file.

If chroot_list_file=/etc/vsftpd/chroot_users

then we need to enter the users' names in /etc/vsftpd/chroot_users.
Restart the ftp server and login as those users.
Check whether they CD to other
directories. Theres an additional syntax in vsftpd.conf
which just reverse the default configuration just like
userlist_deny=NO does for access rights.
If, chroot_local_user=YES,
then users who are NOT listed in /etc/vsftpd/chroot_users would only be chrooted.

GNU/Linux as an ADC member

2008-06-16T14:34:00.005+05:30

Configuring GNU/Linux as an active directory member:
-----------------------------------------------------------------------------
This time we are doing the reverse of what we did in the last blog. Adding a GNU/Linux machine (RHEL 5.0) to an Win 2k3 Domain Controller.

Configure a M$ Windows 2003 Server as a Domain Controller(DC)
for the domain JOINME.COM. The Active Directory Server name is ads.joinme.com with an ip address of 172.24.10.1
Note: Active Directory howto can be found here
Samba server machine is RHEL 5.0 with SELinux in permissive mode.

To Readers: All those starting with # are run by root user and ;'s are comments inside the configuration files

#vim /etc/samba/smb.conf
;for better performance add this
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

;name of the domain we want to join
workgroup = JOINME
server string = Member of JOINME.COM

;this samba server is not the local master browser
;for the subnet. local master browser stores all the
;NetBIOS names of all other machines in the subnet.
local master = no

;this server does not act as a Domain Master Browser too.
;DMB stores the NetBIOS names of all
;machines in the network. DMB collates
;browselists from all local master browsers.
domain master = no

;never force an election on startup of the
;machine to become local/domain master browser.
preferred master = no

;do not act as a wins server. Let some other host take up that burden.
wins support = no

;then who is the WINS Server?
wins server = 172.24.10.1

;never try DNS queries when an unregistered NetBIOS name has been found.
dns proxy = no

;the kerberos realm to use
realm = JOINME.COM

;make this machine a member of domain
;in an ADS realm. Kerberos should be installed
;and properly configured.
;join to ADS using the 'net' command
security = ADS

;do username/password validation using the ADS
password server = 172.24.10.1

;the seperator to be used between the
;domain name and the username.
;used in conjuction with pam_winbind.so
winbind separator = +

;winbind should operate without domain component.
;JOINME/mj0vy should be treated as mj0vy.
winbind use default domain = yes

;userid/grpid allocation for mapping
;windows SIDs to unix userids/grpids
idmap uid = 27000-33000
idmap gid = 27000-33000

;donot know why this parameters are used. Will do some
;R&D and come up with the solution soon.
winbind enum users = yes
winbind enum groups = yes

;home directory to be used by the domain users
;when winbind creates the unix password
;database from the windows SIDs.
template homedir = /home/%U
template shell = /bin/bash
log file = /var/log/samba/%m.log

;maximum log file size in KB (5 MB here)
max log size = 5120
printcap name = /etc/printcap
load printers = no

These are the default shares configured already.

[homes]
comment = Home directories for the users.
browseable = no
writeable = yes

[printers]
comment = Connected Printers
path = /var/spool/samba
browseable = no
guest ok = no
writeable = no
printable = yes

Kerberos Configuration:
----------------------------------
The Kerberos system authenticates individual users in a network environment. After authenticatin yourself to kerberos, we can use network facilities (rcp,rsh) without having to present passwords to remote hosts, provided the remote hosts support Kerberos system.When we authenticate with kerberos, we will get an initial kerberos ticket. Kerberos uses this ticket for network utilies as rlogin and rcp. However the tickets expire, privileged tickets, those with 'root' instance expire in a few minutes, others might live for more than a day depending on the policy.
Commands 'kinit' and 'kdestroy' are used to initiate and destroy tickets respectievely.

#vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5libs.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = JOINME.COM
dns_lookup_realm = yes
dns_lookup_kdc = yes
ticket_lifetime = 24h

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Adding the GNU/Linux machine to Active Directory:
-------------------------------------------------------------------------
Start the samba service.
#/etc/init.d/smb start

Initiate a kerberos ticket
#kinit ADMINISTRATOR@JOINME.COM
enter the administrator password in the DC.
Note: Make sure the GNU/Linux machine and the ADS are
having the same time. Othewise some clock skew error
message may throw up!

Now join the machine to ADS.
#net ads join

Winbind Configuration:
----------------------
#vim /etc/nsswitch.conf
passwd: files winbind
shadow: files
hosts: files winbind

#vim /etc/sysconfig/samba
WINBINDOPTIONS = "-B"

Tweak The Name Service Caching Daemon(NSCD):
----------------------------------------------------------------------
enable-cache passwd no
enable-cache group no
enable-cache hosts no

Now restart the network service
#/etc/init.d/network restart

Configure the pam aware services to use the pam_winbind.so shared object.

#vim /etc/pam.d/login
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022

Now restart the samba and winbind daemon.
#/etc/init.d/smb restart
#/etc/init.d/winbind restart
#chkconfig smb on ; chkconfig winbind on

Testing the whole configuration:
--------------------------------
#getent passwd
#getent group
#wbinfo -u
this will display the domain users
#wbinfo -g
this will display the domain groups
Note: The domain and the users/groups will be
separated by a '+' sign which we specified
with 'winbind separator'

GNU/Linux as PDC for M$ Windows with samba

2008-06-16T13:50:00.011+05:30

This blog throws light on configuring Samba as PDC for M$ Windows machines on your network. The Linux distribution used is RHEL 5.0.
Eventhough, this works quite well, samba developers need to work more to make it compatible with M$ Windows ADC. Hope all will enjoy this...

To Readers: All those starting with # are run by root user and ;'s are comments inside the configuration files

#vim /etc/samba/smb.conf
;start global configuration section.
[global]
netbios name = TIKANGA
;this samba machine is given a NETBIOS name.

workgroup = PSEUDO
;this samba server acts a PDC for the domain PSEUDO

encrypt passwords = yes
;encrypted password negotiation

domain master = yes
;the samba server handles browsing elections for the
;domain across multiple subnets

local master = yes
;this makes samba force an election when it starts up.
;this 'oc level' (follows below) parameters makes it win
;the election, as this value is higher than any other
;M$ server implementations.
;Note: Make sure no other samba machine is set with higher
;'os level' value than this.

preferred master = yes
;this also forces the election at startup

os level = 65

security = user
;samba will prompt for a username and password.
;security = domain | ads is used if another DC
;handles the logons.

domain logons = yes
;this makes samba handle domain logons.

logon path = \\%L\profiles\%u
;this parameter is necessay if we want to support
;roaming profiles for ;win200x/XP/NT clients.
;this actually expands to \\PSEUDO\profiles\username
;we have a sharename profiles coming later
;in the configuration file.

logon script = logon.bat
;name of the MS-DOS batch file which must be executed
;when client logs on to the domain. The path
;specified is relative to the [netlogon] share
;specified later.

logon drive = L:
;this allows the home directory (if exists) of the user
;to be connected to L: drive under My Computer on client.

time server = yes
;this samba machine advertises itself as a
;time server for the domain.

admin users = mj0vy
;this list of users who have administrative
;privilege in this domain, such as joining clients
;to the domain and make work the
;machine add script on the fly.

add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
;each client is considered as a user and
;are added on the fly as each client tries
;to connect with the administrative user account.

;Start of shares
[netlogon]
path = /etc/samba/netlogon
writable = no
browseable = no
;the [netlogon] share is necessary for samba
;to handle domain logons as
;M$ clients need to contact it during the
;logon process and if this share is not
;present logon process would fail.
;For security reason, writable and
;browseable permissions are removed.

[profiles]
path = /etc/samba/profiles
browseable = no
writeable = yes
create mask = 0600
directory mask = 0700

;the [profiles] share is used to store
;the roaming profiles of the users.
;The path points to a directory on the samba
;server where the updated profiles are saved
;on each individual user logons.
;Clients must read and write
;to this share.

[homes]
read only = no
browseable = no
guest ok = no
map archive = yes
;guest logons are disabled and there will
;be no path parameter as it will be
;fetched from /etc/passwd.

[backups]
comment = A Test share to check logon scripts!
path = /backups/samba
valid users = mj0vy sujith sreejith
writeable = yes
create mask = 0765
;this share is actually used to check whether
;the logon script has worked successfully or not!
;In logon.bat file, we will be scpecifying to make
;this share available as K: drive in the
;My Computer of every client. Sticky Bit file
;permissions are recommended for file security.

Making the users and shares:
------------------------------------------
Add the administrator (mj0vy) who could add machine users on the fly. [admin users = mj0vy]
#useradd -d /dev/null -s /sbin/nologin mj0vy
Lock down his unix accound password for security reasons.
#passwd -l mj0vy

Make him a samba user.
#smbpasswd -a mj0vy
#smbpasswd -e mj0vy (this is not required in higher samba versions)

Make the domain users.
#useradd sujith
#passwd -l sujith
#smbpasswd -a sujith
#smbpasswd -e sujith

#useradd sreejith
#passwd -l sreejith
#smbpasswd -a sreejith
#smbpasswd -e sreejith

Now make the directories for [netlogon], [profiles] and [backups] shares.

#mkdir -m 777 /etc/samba/{netlogon,profiles}
#mkdir -p -m 1777 /backups/samba

Now make logon.bat file inside /etc/samba/netlogon and make it executable by the root user.
Note: Running dos2unix against this file is recommended.

#vim /etc/samba/netlogon/logon.bat
net use K: \\TIKANGA\backups

Now start the samba service
#/etc/init.d/smb start
#chkconfig smb on

Note: running smbtree command gives you a tree like view of all the domains, servers and shares on the servers.

Adding Windows clients:
-----------------------------------
Right click My Computer, Take Computer Name, click change.
In the 'Member of' field enter the samba domain 'PSEUDO'. This will prompt a username and password who could
add this machine to the domain. (mj0vy here). You will be prompted to restart the machine once you joined the Domain.
When the machine comes up, press Ctrl+Alt+Del (hardcore M$ Windows users must be used to this TRAP) and select PSEUDO insead of This Machine.
Try logging in as the samba users.

Hope you enjoyed reading...

~mj0vy

Mask Me...!?!!!

2007-12-31T14:58:00.000+05:30

echo "2007" > /dev/null
Years are going by... so does my age...! wish i could execute "chage -E never mj0vy"
In a way, 2007 was good for me...! Atleast i have started blogging. This year i could really catch up with linux to some extend...! Nothing more to say..!

Lets get into the matter,
Last week me and my friend Gigith were checking the mask flag in setfacl command...! we did some experimentation and finally came up with a good solution.

I assume you all know how to do basic things with setfacl.

i am starting by creating an empty file

#touch /myfile
Note: touch is used to update the timestamp of a file.
#chmod 750 /myfile
I have given the permission for group as read and write ( 4 + 1 )
I am granting full permission for the user tux in that file.

#setfacl -m u:redhat:rwx /myfile
Now the mask of the file would be assigned the maximum value , is rwx(7), but still the owning group's permission would still be read and write only.

#chmod 700 /myfile
Now i negated the permission of group from that file, resulting in the change of mask value from rw to null. But the important thing to note here is that, the owning groups permission would still be 5(r-x), as it was the permission given at the beginning of this setfacl testing operation. But the effective permission of the owning group and the named user would be the permission common between the owning group and the mask. So here, the effective permission would be - - - for both the owning group and named user.
Here the owning group is the group affiliated to /myfile and the named user is the user tux.

Note: whenever the setfacl command is invoked on the file /myfile, the mask is again changed to its maximum value.

file: DRAG me into CD/RW :)

2007-12-03T10:45:00.000+05:30

Its high time we must bid bye-byes to cdrecord and growisofs...!

Until yesterday were were using the ISO9660 filesystem for burning the CDs and DVDs. But from now, its an oblivion.... welcome UDF.. Universal Disk Format..!
UDF lets us write datas incrementally to a mounted filessytem.

For this to work you should have the udftools package installed on your system, one blank cdrw, distribution of linux with a 2.6 kernel ( i tested in RHEL 5.0 ).

you can get the udftools package from here

here we goooooooo

Step 1:
Insert the blank cdrw into the drive and using the cdrwtool command which
we got from the udftools package, we are doing to blank the cdrw first..
Assuming your cd-burner is connected as secondary master..(/dev/hdc)

#cdrwtool -d /dev/hdc -t 4 -l 3 -q
( man cdrwtool )
this would blank the cdrw. Please be patient, it might take SOME time..!

Step 2:
We need to associate the blank formatted media with a packet device using the command pktsetup.

#pktsetup dragme /dev/hdc

Step 3:
Now we need to format the media with the udf filesystem,

#mkudffs --media-type=cdrw --udfrev=0x0150 /dev/pktcdvd/dragme

Step 4:
Now we need to make a mountpoint, let me give it as /drag-n-drop
#mkdir /drag-n-drop

#mount -t udf -o rw /dev/pktcdvd/dragme /drag-n-drop

#chmod 777 /drag-n-drop
(If you want local uses also to drag-n-drop something into it)

Now try some drag and dropping into that mountpoint

Now about the unmounting,

Its always safe to sync before unmouting,
So,
#sync
#umount /dev/pktcdvd/dragme

Then we can release the device /dev/pktcdvd/dragme from the packet device association.

#pktsetup -d /dev/pktcdvd/dragme

NOTE: Its always good to mount the packet device with noatime mount option if you want to ignore the number of rewrites in your media.

Now if you want to mount this media in other machine,
make a packet device with pktsetup and associate it with the device of your cd-drive

#pktsetup dragger /dev/hdd

This will map /dev/pktcdvd/dragger with /dev/hdd
Now you can mount the packet device and use it
#mount -t udf /dev/pktcdvd/dragger /mnt

~mj0vy

LOG ME IN....!

2007-11-21T10:46:00.000+05:30

This article just illustrates the use of the expect command used for automatic logging to a remote machine
without using the complex ssh key pair exchange and all...!
Make sure you have the expect package installed in your machine...

lets try for telnet login...
make a file by name telnetme
$vi telnetme

#!/usr/bin/expect
eval spawn telnet 10.0.0.27
set timeout 30
expect login:
send "username\r"
expect password:
send "password\r"
interact

Now set execute permission to the script and copy it to any of the directories in your PATH variable

For SSH Login theres a little change...

I am here making a file by nane sshme

$vi sshme

#!/usr/bin/expect
eval spawn ssh 10.0.0.27
set timeout 30
expect password:
send "password\r"
interact

NOTE: change the italicised strings with appropriate username and password
It is recommended that you give read permission only to the user who is using this script , otherwise all users could read the plain password entered

PS: Please extend the features of expect if someone knows it...

#mv cds DVD

2007-10-26T15:25:00.001+05:30

Hollaaaaaaaa....

Yesterday i was trying to make a DVD out of my 5 RHEL 5.0 CDs. During the process i ended up losing my two plain DVD's.
But the most interesting thing is that i finally found the solution :). And i thought i must publish it cause i dont want
any other person to have the same difficulties i encountered.

alrights, lets get started...

I am creating a directory to copy all the RHEL 5.0 CDs

#mkdir /tmp/RHEL5_DVD

Loop mount the individual ISO images to any directory

#mount -o loop /path/to/iso1.iso /mnt

then copy the first CD contents to /tmp/RHEL5_DVD

#cd /mnt
#cp -r * /tmp/RHEL5_DVD

make sure you copied the .discinfo file also

#cp .discinfo /tmp/RHEL5_DVD

now unmount /mnt and mount the second iso.

#mount -o loop /path/to/iso2.iso /mnt

then copy all the rpm files inside /mnt/Server to /tmp/RHEL5_DVD/Server

#cp /mnt/Server/*.rpm /tmp/RHEL5_DVD/Server

we need to append the contents of the TRANS.TBL file found inside /mnt/Server to that inside /tmp/RHEL5_DVD/Server

#cat /mnt/Server/TRANS.TBL >> /tmp/RHEL5_DVD/Server/TRANS.TBL

NOTE:We are going to make a single TRANS.TBL file with all the TRANS.TBL files inside every isos.

Do the same thing for third, fourth and fifth iso files.

while copying the fifth iso file's contents, you should copy the rpm files under /mnt/VT/ to /tmp/RHEL5_DVD/VT
and append the TRANS.TBL file found under /mnt/Server/VT to /tmp/RHEL5_DVD/VT/TRANS.TBL

Now edit the .discinfo file inside the directory /tmp/RHEL5_DVD
to change the fourth line from 1 to 1,2,3,4,5

NOTE: If you miss any cd number, then installation would prompt you to insert that cd.
So you must include all the cd numbers correctly!

Now we must create the ISO image of the /tmp/RHEL5_DVD directory.

Free some 3 GB space in your HDD as the entire build would make an iso file of size
no less than 2.6 GB.

#cd /tmp/RHEL5_DVD

I assume you are creating the iso image inside /DVD directory.

#mkisofs -o /DVD/rhel5dvd.iso -b isolinux/isolinux.bin -c isolinux/boot.cat
-no-emul-boot -boot-load-size 4 -boot-info-table -J -r .

NOTE the . at the end of the previous command which specifies the current directory.

the -b flag to mkisofs command specifies the path and filename of the boot
image to be used when making the bootable iso.

the -c flag specifies the path and filename of the boot
catalog.

Now to burn the DVD, use the growisofs command.

#growisofs -dvd-compat -Z /dev/dvdwriter-hdc=/DVD/rhel5dvd.iso

NOTE: dd (disk duplicator) command can also be used to burn the iso image.
#dd if=/DVD/rhel5dvd.iso of=/dev/dvdwriter-hdc obs=32k seek=0
(plain DVDs and DVD burners are not that cheap here in my locality.. :D)
consult the man page of dd for more information.

make changes to the DVD device. I have plugged the DVD as secondary master in
my desktop PC.

the = sign used in the growisofs command finalized the DVD disc.

linuxly yours....

~mj0vy

Encrypted File Systems

2007-09-09T15:59:00.000+05:30

The need to encrypt filesystems is to make ur data more secure and safe.
The whole steps include
1) Creating a partition with the fdisk utility ( pre-requisite :-( )
2) Selecting a cipher.
3) Setting up a loop device using the losetup command.
4) Detaching the loop back device
5) Mouting the parition

alright... lets get started..!

let me assume u have created the partition /dev/hda7

first of all we need to shred the partition
#shred -n 1 /dev/hda7
this command would overwrite /dev/hda7 only once!
-OR-
we can use the dd command to overwrite the device..
#dd if=/dev/urandom of=/dev/hda7 bs=1M

Now we need to select a cipher for the encyption
u can list the available ciphers by cat /proc/crypto
here i am using the serpent cipher
make sure u have got the serpent cipher modules inbuilt in ur kernel!
otherwise try
#modprobe serpent
#modprobe cryptoloop ( to setup the loop device described in the next step )

the next step is to setup a loop device using the losetup command.

#losetup -e serpent /dev/loop0 /dev/hda7

It prompts u for a passphrase. DONOT forget the passphrase as its not easy to change
the passphrase as it is hashed to create the encryption key.

Now create a filesystem on the loopback device and mount it.

#mke2fs -j /dev/loop0

#mkdir /cryptfs

#mount -t ext3 /dev/loop0 /cryptfs

once we have mounted the partition, we can then detach the
loop back device frm the partition.

#umount /cryptfs

#losetup -d /dev/loop0

Now mount the partition,

#mount -o encryption=serpent /dev/hda7 /cryptfs

the passphrase which we have given during the loop device setup will be asked
and u need to enter it correctly to mount the device.

COPY FROM LINUX TO M$ and vice-versa

2007-09-08T07:38:00.000+05:30

SAMBA:
------
Samba acts as a fileserver for windows/linux using the SMB protocol
(Server Message Block), SMB is sometimes referred to as CIFS (Common Internet
File System).

Server Side:
------------
The directory to be shared from a linux server has to be given a sharename.
Clients access server's directory by referring to this sharename.
We can have user level access list and host level access list in samba.
Those users to whom server is granting access shuld be a unix server user
as well, and those users shuld be converted to samba users by giving them a
seperate samba password also. The samba users password database is located
inside /etc/samba directory in the name smbpasswd.
ie, /etc/samba/smbpasswd
Eg:
There is a directory in the server named /backups.
These directory needs to be shared to clients which use windows OS.
First of all we need to give /backups a sharename, by which the windows clients
access our /backups. Let it be UNIXBAKUP.
We are planning to give access to this share only for windows clients
192.168.0.3 and 192.168.0.2 only.
More over, they shuld be granted access if and only if they login as users
jack or jane.

Open the samba configuration file using an editor,
-------------------------------------
#vi /etc/samba/smb.conf
[UNIXBAKUP]
comment = Share for windows clients
path = /backups
valid users = jane jack
hosts allow = 192.168.0.3 192.168.0.2
writeable = yes
create mask = 0765
-------------------------------------
Now we need to add the allowed users
#useradd jane
#useradd jack
#passwd -l jack ; passwd -l jane
this is done to lock their unix password
Now we need to convert these unix users to samba users.
#smbpasswd -a jane
now u will be prompted for a password.
this step only adds the user to the samba password database.
we need to allow this user to use our samba server.
#smbpasswd -e jane
same way add the user jack also.
now we need to give permission to users jane and jack the write permission in
our share
#chmod 777 /backups
#/etc/init.d/smb start
#chkconfig smb on
to make our samba server persistent across reboots.
now we can test whether our samba configuration is correct or not with the
command testparm
#testparm
if any errors are there it will be reported.
--------------------------------------------

Client Side: (in 192.168.0.2 and 192.168.0.3)
------------
#smbclient //sambaserveraddress/sharename -U username
here
#smbclient //192.168.0.4/UNIXBAKUP -U jane/jack
enter the password
u will be put into a samba shell
smb: \>
now u are inside 192.168.0.4's /backups directory
frm here if u want to get some files, frm with in samba shell issue
smb: \>mget filename
file is now copied frm samba server to the client directory frm where we logged into the samba server.
instead if u want to put some files frm the folder where u logged into the
samba server, issue
smb: \>mput file-frm-the-client
smb: \>ls
you will be listed with the file u have just copied frm client to the
samba server.

Using GUI:
------------
Take run in KDE/Gnome and try
smb://sambaserverip
then u will be prompted for the samba username and password!

In M$ Windows u can access the Linux samba share by taking Start>Run and issuing
\\sambaserverip
upon opening any directory u will be asked the samba username and password...!

Manage Logical Volumes

2007-09-08T07:23:00.000+05:30

LVM Creation:
-------------
Create a linux partition, make it a LVM by toggling the linux partitions id to
8e.
Convert it to a physical volume by issuing the command
#pvcreate devicename
Then, make the volume group in that physical volume,
#vgcreate vgname devicename
Then make logical volumes in the volume group,
#lvcreate -L sizeM -n lvname vgname
Make a linux filesystem in the logical volume,
#mkfs.ext3 /dev/vgname/lvname
This device is a softlink to the device /dev/mapper/vgname-lvname
Then mount that logical volume,
#mount /dev/vgname/lvname

LVM Resizing:
-------------
LVM format 2.0 is now implemented which supports online resizing of filesystems.
check the current size of the filesystem by 'df -h'
Extend the above created logical volume BY X MB,
#lvextend -L +XM /dev/vgname/lvname
we are doing it without unmounting the filesystem
Now to make the extension effective, issue
#resize2fs /dev/vgname/lvname
now recheck the filesystem size by 'df -h',
now the filesystem will be extended by X MB.

Now if u want to reduce the logical volume TO X MB,
u must first umount the device, online reducing of logical volumes cannot be done..!
#umount
then u need to scan the filesystem for integrity.
#e2fsck -f /dev/vgname/lvname
now resize the filesystem
#resize2fs /dev/vgname/lvname X MB
then reduce the volume with lvreduce and mount it..
#lvreduce -L XM /dev/vgname/lvname
#mount /dev/vgname/lvname

init-->xinetd

2007-09-05T07:10:00.000+05:30

this is how we can convert the init based service ftp to an xinetd service..
1) First of all we need to make FTP not to listen on port 21 by making 'listen=NO' in
/etc/vsftpd/vsftpd.conf.
2) Then, make a file named ftp inside /etc/xinetd.d
the contents of /etc/xinetd.d/ftp should look like this

service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/vsftpd
server_args = /etc/vsftpd/vsftpd.conf
nice = 10
flags = IPv4
}

3) then restart the xinetd service by
#/etc/init.d/xinetd restart
#chkconfig xinetd on
now if u 'nmap localhost', u can see that the port 21 is now open...!

Services - XINETD and INIT

2007-09-04T22:43:00.000+05:30

Services in Linux:
------------------
Services in linux are classified into TWO.
XINETD and INIT based services.
XINETD is itself an INIT based service.
All INIT based services are invoked by the command,
#/etc/init.d/service start
XINETD services' configuration file resides in /etc/xinetd.d directory.
All the services are made persistent across reboots by
#chkconfig servicename on , for all init based services.
#chkconfig xinetd on , for all xinetd based services.

XINETD services: e(X)tended (I)(N)tern(E)(T) services (D)aemon
--------------------------------------------------------------
xinetd service is called a super server as it serves as the daemon for a number of seperate services.
For all the services which use xinetd, we need to start the xinetd daemon only. xinetd services' configuration files can be found at /etc/xinetd.d/servicename
All the xinetd services are having the same syntax facilitating the administration of xinetd services very easy.
Extensive logging and fine grained access control can be implemented with xinetd
Xinetd service forks process ids only when a client requests the service.
Only one process is necessary to invoke process ids for individual xinetd services, ie the xinetd super daemon itself.
Logging based on hostname are not supported in XINETD

INIT based services:
--------------------
INIT based services are having individual configuration files under
/etc/service/servicename.
Their starting scripts are placed under /etc/init.d/servicename.
Each individual services can be started by
#/etc/init.d/servicename start

and to sum up... the more the processes .. the lesser the performance of the machine..
so it is advisable to have more xinetd based services than init based ones..!

INODES,LINKS

2007-09-03T22:45:00.001+05:30

Inode Table:
All files in linux are having an inode number which is residing inside the inode table of a partition. For every partition there is an inode table, so an inode number will be unique for a partition, and thats the reason why we cannot hardlink between two partitions. Inode number contains a file's uid, gid, access time, modification time, change time and size of the file. inode number DOESNT hold a file's NAME. we can retrieve the contents of a file even if the file is deleted unless and until the inode number corresponding to that file is overwritten.
The inode number can be viewed with the -i switch with the 'ls' command..!
$ls -i filename

softlinks:
softlinks are similar to shortcuts in Microsoft Windows. softlinks' size is determined by the number of characters in the absolute path to the original file it is linking to. Softlinks are apparently having full permissions. Soft links are effective as we can link files among different partitions. If the orignal file is removed ( or renamed )the soft links become dead, meaning softlinks refer only to the NAME of the original file. Soft links will be having a different inode number frm the original file. Soft links cannot be touched (means... their timestamps cannot be updated).
hardlinks:
hardlinks are pointers to the inode number of a file. hardlink will be having the same inode number as that of the original file. The contents will be there in the hardlink if we delete the original file as hardlink points to the same inode number in the inode table. We cannot hardlink between two partitions. same way... we cannot hardlink a directory. if some updates are done in the original file, it is reflected to hardlinks also as the updates are done in the inode number. Hardlink is not at all an overhead as they are pointers to the same inode number.

SSL - Concepts Simplified...!?!!!

2007-09-02T21:16:00.000+05:30

Secure Socket Layer:
--------------------
The Secure Socket Layer protocol was first introduced by Netscape to ensure secure transations between
webservers and browsers. The protocol uses a third party Certificate Authority (CA) to identify the both end
of the transactions

SSL philosophy:
---------------

1. Client using some browser requests a secure page (https://www.gmail.com)
2. www.gmail.com sends its public key with its certificate
signed by (Thawte Consulting Pty Limited) (dated: 02/09/2007, 20:48)
3. Our browser checks that the certificate was issued by a trusted party (Thawte here), that the certificate is
still valid and the certificate is related to site we just contacted (www.gmail.com here).
4. The Browser then uses the public key send by www.gmail.com to encrypt some random symmetric
encryption key and sends it to www.gmail.com along with the encrypted URL requested as well as other
encrypted data.
5. www.gmail.com decrypts the encrypted symmetric key send by the browser (in step 4) with its private key and uses this
symmetric key to decrypt the URL and http data.
6. www.gmail.com sends back the requested html data encrypted with the symmetric encrytion key send by the
browser in step 4.
7. Our browser decrypts the http data and html document using symmetric key and displays the information.

With this symmetric key the further communication between www.gmail.com and our browser takes place.
Here asymmetric encryption machanism is taking place between browser and www.gmail.com.

Our browser encrypted some key with public key of www.gmail.com and www.gmail.com on recieval of
this encrypted key, decrypted it with its private key. This mechanisms works with public/private key pairs.

This way www.gmail.com sends its public key to every browser requesting its first page and SSL mechanism
undergoes like the above 7 steps.

vsFTPd configuration in RHEL 5.0

2007-09-02T20:47:00.000+05:30

FTP:
conf file: /etc/vsftpd/vsftpd.conf
Unlike SSH we are having two files to allow/deny users via FTP ( in SSH we did it in the main configuration file itself by AllowUsers/DenyUsers)
The main file for denial is /etc/vsftpd/ftpusers
The other file is /etc/vsftpd/user_list
But if we need to make our FTP check user_list file we need to say it in the main configuration file, like
userlist_enable=YES

If, userlist_enable=NO, ftp doesnt check user_list file

The behaviour of user_list depends upon the declaration inside the vsftpd.conf file

if its declared like,
userlist_deny=YES , those usernames inside user_list is denied even without prompting for a password
if its declared like,
userlist_deny=NO, those in user_list are ONLY allowed to login.

Whatever the behaviour of user_list, FTP searches for ftpusers file for users that are DENIED!

ipv4 to ipv6 and vice-versa...

2007-09-02T15:21:00.000+05:30

its been quite a some time that i have started thinking abt switching to ipv6 frm ipv4.... and finally im into configuring an ipv6 dhcp server...
as i was not that good at ipv6... wat i did was to convert the ipv4 addresses to ipv6 using a kool sexy tool available with Red Hat Enterprise editions... 'ipv6calc'

and here it goes...
i need to conver the ipv4 address 172.24.0.7 to ipv6... lets do it now..
$ipv6calc --in ipv4addr 172.24.0.7 --action conv6to4 --out ipv6addr
it will output the ipv6 equivalent of 172.24.0.7
and it will be..

2002:ac18:7::
suppose u want to convert this ipv6 address back to ipv4...
here it goes...
$ipv6calc --in ipv6addr 2002:ac18:7:: --action conv6to4 --out ipv4addr

172.24.0.7

have happy conversions..! :d
~mj0vy
:wq

me is serious now..

2007-05-06T08:04:00.000+05:30

i wasnt able to log into blogger for quite a sometime ... finally fixed the problem... upgraded to firefox 2.0 and did some tweaking.. now i have foxmarks installed...

well.... today.. 6th of may 2007... me going to start a fresh linux session.... in desperate need to garner some advanced knowledge... will come with all in the blogs frm today onwards...

~mj0vy
:wq

theres no patch for human stupidity...!?!!!

2007-03-27T12:18:00.000+05:30

hemmmmmmmmmm,
something new is happening with my computer, bought a new DVD-RW and plugged in to my box...!?!!!
well... realized the fact that i could even dload the youtube videos. But still, a remorse that i cannot concentrate on wat i am learning. i need a constant source of motivation.....
it looks a bit jokin that everyday i end up telling abt my drawbacks... and i am not improving...!
will come up with more in the next edition...!

~mj0vy
:wq

Apache TOMCAT

2007-03-07T07:16:00.000+05:30

just have a read abt Apache and TOMCAT and how they could work together to get good web contents.....

Apahe is a webserver. Tomcat is a java servlet container (J2EE compliant servlet container). Tomcat can independantely work as a webserver, it can be integrated with other webservers like Apache, IIS and NES servers. It facilitates a surface for java programs to run in co-operation with a webserver.

will come up with more soon.......
~mj0vy
:wq

undestanding what i understood was wrong...!?!!!

2007-02-25T14:46:00.000+05:30

its quite amazing to understand that some files work just the opposite wat it was intended once we change the labels...
i was referring to the FTP configuration file, some days back only i got the real usage of the user_list file..

first of all we need to enable FTP service to read the user_list file

userlist_enable=YES
userlist_deny=YES # means that the users inside the vsftpd.user_list are denied, which is the default
userlist_deny=NO # means that the users inside the vsftpd.user_list are only allowed to login via FTP

anyways.. nice to understand that even at this later stage...!?!!!

~sreejith anujan....

never mkfs an extended partition...!?!!!

2007-02-21T06:32:00.000+05:30

i know im on the beginning stages of experience...

and one did happen yday when i tried to mkfs an extended parition... it did try making a filesystem but ended up showing a Segmentation Fault ... and when i reinstalled ...it was gone....

i made a 32 GB extended partition with no logical volumes in it.. it was made as such... and then i tried..

#mke2fs /dev/hda4
it did show me a message... something like its the full harddisk and am i sure abt the filesystem creation...something like that... i simply pressed the 'y' key and proceeded with the process...

and at last.. a Segmentation Fault...

anyways... put the first installation CD and performed an NFS installation...

shell scripting on the process..........

will be out with it soooon..........

~mj0vy
:wq

dig mj0vy.blogspot.com

2007-02-19T22:25:00.000+05:30

well...
configured my pc as a DNS server... leaving me with all kinds of confusions...

i made two zone files... mkfs.zone and reverse.zone for the domain mkfs.com

initially moved the named.local and localhost.zone in /var/named to reverse.zone and mkfs.zone respectievely... making them symlinks to the files inside /var/named/chroot/var/named

it didnt work out...

then i moved the files into /var/named/chroot/var/named and named them as such... reverse.zone and mkfs.zone... and it worked kool..

but.. i think /etc/named.conf fils specifies the zone files to be placed inside /var/named directory only.....

i cant understand myself wat exactly is happening....!!!

anyways... will come with the scripting references soon.............

~mj0vy
:wq

sreejith chrooted

2007-02-19T07:59:00.000+05:30

DNS atlast worked fine here in nascent...
did the same thing which i did last week before leaving to blore..
at times linux behaves strangely... indeed strange...

just copied the zone files to /var/named/chroot/var/named and made symlinks to them inside /var/named... exactly wat i did last week...

anyways..its working fine now... and one more thing.........

never use sendmail with IP.... always use hostnames... that wat i think now...

mail mj0vy@mkfs.tux.com

~mj0vy
:wq

localhost localdomain

2007-02-18T20:30:00.000+05:30

im back....
was at blore...
i know i am not homesick... rather i am trivandrum sick...or am i kerala sick?
blore sucks big time...
yeah u could kill time roaming around... but with the kinda traffic and polution rates... i felt like hell...

unless u are very much interested in female anatomy ...u will lose urself at blore...

and to the matter... im into blogging after a gap...

trying to reestablish as a perseverant student...

want to complete the basics of shell scripting...

will be starting a series on shell scripting frm tomorrow onwards... its just a starting..... everything needs a start... no????

~mj0vy