ba-zoo-ra: Tech News | Tutorials | More ... (Blogger; author Perrydoo, http://www.blogger.com/profile/03741959447885094425)<br />
<br />
Securing OpenSSH (posted 2011-09-23)<br />
<br />
OpenSSH (or Secure SHell) has become a de facto standard for remote access, replacing the telnet protocol. SSH has made protocols such as telnet redundant, mostly because the connection is encrypted and passwords are no longer sent in plain text for all to see.<br />
<br />
However, a default installation of ssh isn't perfect, and when running an ssh server there are a few simple steps that can dramatically harden an installation.<br />
<br />
1. Use Strong Passwords/Usernames<br />
<br />
One of the first things you'll notice if you have ssh running and exposed to the outside world is that you'll probably log attempts by hackers to guess your username/password. Typically a hacker will scan for port 22 (the default port on which ssh listens) to find machines with ssh running, and then attempt a brute-force attack against it. With strong passwords in place, hopefully any attack will be logged and noticed before it can succeed.<br />
<br />
Hopefully you already use strong passwords, but if you do not, try to choose passwords that contain:<br />
<br />
* Minimum of 8 characters<br />
* Mix of upper and lower case letters<br />
* Mix of letters and numbers<br />
* Non alphanumeric characters (e.g. special characters such as ! " £ $ % ^ etc)<br />
<br />
The benefits of strong passwords aren't specific to ssh, but have an impact on all aspects of systems security. Further information on passwords can be found in the CentOS documentation:<br />
<br />
http://www.centos.org/docs/4/html/rhel-sg-en-4/s1-wstation-pass.html<br />
<br />
If you absolutely can't prevent your users choosing weak passwords, then consider using randomly generated or difficult to guess usernames for your user accounts. If the bad guys can't guess the username then they can't brute force the password. However, this is still security through obscurity, so be aware that usernames can leak through things such as email sent from user accounts.<br />
<br />
2. Disable Root Logins<br />
<br />
SSH server settings are stored in the /etc/ssh/sshd_config file. To disable root logins, make sure you have the following entry:<br />
<br />
# Prevent root logins:<br />
PermitRootLogin no<br />
<br />
and restart the sshd service:<br />
<br />
service sshd restart<br />
<br />
If you need root access, log in as a normal user and use the su command.<br />
<br />
3. Limit User Logins<br />
<br />
SSH logins can be limited to only those users who need remote access. If you have many user accounts on the system, it makes sense to limit remote access to those that really need it, which limits the impact of a casual user having a weak password. Add an AllowUsers line followed by a space separated list of usernames to /etc/ssh/sshd_config. For example:<br />
<br />
AllowUsers alice bob<br />
<br />
and restart the sshd service.<br />
<br />
4. Disable Protocol 1<br />
<br />
SSH has two protocols it may use, protocol 1 and protocol 2. The older protocol 1 is less secure and should be disabled unless you know that you specifically require it. Look for the following line in the /etc/ssh/sshd_config file, uncomment it and amend as shown:<br />
<br />
# Protocol 2,1<br />
Protocol 2<br />
<br />
and restart the sshd service.<br />
<br />
5. Use a Non-Standard Port<br />
<br />
By default, ssh listens for incoming connections on port 22. A hacker trying to determine whether ssh is running on your machine will most likely scan port 22. An effective countermeasure is to run ssh on a non-standard port. Any unused port will do, although one above 1024 is preferable. Many people choose 2222 as an alternative port (as it's easy to remember), just as 8080 is often known as the alternative HTTP port. For this very reason, it's probably not the best choice, as any hacker scanning port 22 will likely also be scanning port 2222 just for good measure. It's better to pick some random high port that's not used for any known services. To make the change, add a line like this to your /etc/ssh/sshd_config file:<br />
<br />
# Run ssh on a non-standard port (change me):<br />
Port 2345<br />
<br />
and restart the sshd service. Don't forget to then make any necessary changes to port forwarding in your router and any applicable firewall rules.<br />
<br />
Because ssh is no longer listening for connections on the standard port, you will need to tell your client what port to connect on. Using the ssh client from the command line, we may specify the port using the -p switch:<br />
<br />
$ ssh -p 2345 myserver<br />
<br />
or if you are using the fish protocol in konqueror, for example:<br />
<br />
fish://myserver:2345/remote/dir<br />
<br />
If you are thinking that this sounds like a pain having to specify the port each time you connect, simply add an entry specifying the port in your local ~/.ssh/config file:<br />
<br />
# Client ~/.ssh/config<br />
Host myserver<br />
HostName 72.232.194.162<br />
User bob<br />
Port 2345<br />
<br />
~/.ssh/config must have the following permissions:<br />
<br />
$ chmod 600 ~/.ssh/config<br />
<br />
6. Filter SSH at the Firewall<br />
<br />
If you only need remote access from one IP address (say from work to your home server), then consider filtering connections at your firewall by either adding a firewall rule on your router or in iptables to limit access on port 22 to only that specific IP address. For example, in iptables this could be achieved with the following type of rule:<br />
<br />
iptables -A INPUT -p tcp -s 72.232.194.162 --dport 22 -j ACCEPT<br />
<br />
SSH also natively supports TCP wrappers and access to the ssh service may be similarly controlled using hosts.allow and hosts.deny.<br />
<br />
If you are unable to limit source IP addresses, and must open the ssh port globally, then iptables can still help prevent brute-force attacks by logging and blocking repeated attempts to login from the same IP address. For example,<br />
<br />
iptables -A INPUT -p tcp --dport 22 -m recent --set --name ssh --rsource<br />
iptables -A INPUT -p tcp --dport 22 -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT<br />
<br />
The first rule records the IP address of each attempt to access port 22 using the recent module. The second rule checks to see if that IP address has attempted to connect 4 or more times within the last 60 seconds, and if not then the packet is accepted. Note this rule would require a default policy of DROP on the input chain.<br />
<br />
Here's another example, this time using the iptables limit module to limit the number of connections to the ssh port to 3 per minute:<br />
<br />
iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT<br />
iptables -A INPUT -p tcp --dport 22 --syn -j DROP<br />
<br />
The first line will accept new connections on port 22 provided that IP address hasn't made more than 3 connection attempts in the last minute. If more than 3 connection attempts have been made within the last minute, then the second line will DROP the connection.<br />
<br />
Don't forget to change the port as appropriate if you are running ssh on a non-standard port. Where possible, filtering at the firewall is an extremely effective method of securing access to an ssh server.<br />
<br />
7. Use Public/Private Keys for Authentication<br />
<br />
Using encrypted keys for authentication offers two main benefits. Firstly, it is convenient as you no longer need to enter a password (unless you encrypt your keys with password protection) if you use public/private keys. Secondly, once public/private key pair authentication has been set up on the server, you can disable password authentication completely meaning that without an authorized key you can't gain access - so no more password cracking attempts.<br />
<br />
It's a relatively simple process to create a public/private key pair and install them for use on your ssh server.<br />
<br />
First, create a public/private key pair on the client that you will use to connect to the server (you will need to do this from each client machine from which you connect):<br />
<br />
$ ssh-keygen -t rsa<br />
<br />
This will create two files in your (hidden) ~/.ssh directory called id_rsa and id_rsa.pub. id_rsa is your private key and id_rsa.pub is your public key.<br />
<br />
If you don't want to be asked for a password each time you connect, just press enter when asked for a password when creating the key pair. It is up to you to decide whether or not you should password encrypt your key when you create it. If you don't password encrypt your key, then anyone gaining access to your local machine will automatically have ssh access to the remote server. Also, root on the local machine has access to your keys, although one assumes that if you can't trust root (or root is compromised) then you're in real trouble. Encrypting the key adds security, but at a cost: the password you no longer enter for the ssh server is replaced by a password you enter to use the key.<br />
<br />
Now set permissions on your private key:<br />
<br />
$ chmod 700 ~/.ssh<br />
$ chmod 600 ~/.ssh/id_rsa <br />
<br />
Copy the public key (id_rsa.pub) to the server and install it to the authorized_keys list:<br />
<br />
$ cat id_rsa.pub >> ~/.ssh/authorized_keys<br />
<br />
Note: once you've imported the public key, you can delete the copied id_rsa.pub file from the server.<br />
<br />
Finally, set file permissions on the server:<br />
<br />
$ chmod 700 ~/.ssh<br />
$ chmod 600 ~/.ssh/authorized_keys<br />
<br />
The above permissions are required if StrictModes is set to yes in /etc/ssh/sshd_config (the default).<br />
<br />
Now when you log in to the server you won't be prompted for a password (unless you entered a password when you created your key pair). By default, ssh will first try to authenticate using keys. If no keys are found or authentication fails, then ssh will fall back to conventional password authentication.<br />
<br />
Once you've checked you can successfully log in to the server using your public/private key pair, you can disable password authentication completely by adding the following setting to your /etc/ssh/sshd_config file:<br />
<br />
# Disable password authentication forcing use of keys<br />
PasswordAuthentication no<br />
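<br />
A way to check a server's configuration against the settings from sections 2, 3, 4, 5 and 7, added here as an example and not part of the original post. It reads only the global section of the file and assumes whitespace-separated "Keyword value" lines; sshd_values, sshd_effective, audit_sshd_config and the sample file are made up for this sketch.<br />

```shell
#!/bin/sh
# Added example: check the global section of an sshd_config against the
# settings recommended in sections 2, 3, 4, 5 and 7 of this post.

# sshd_values KEYWORD FILE
# Print every value given for KEYWORD before the first Match block, in file
# order. Keywords are case-insensitive; comment and blank lines are skipped.
sshd_values() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$2"
}

# sshd_effective KEYWORD FILE
# For ordinary keywords sshd keeps the FIRST value it reads, so a line
# appended at the end of the file loses to an earlier one.
sshd_effective() {
    sshd_values "$1" "$2" | head -n 1
}

# Constructed sample: a stock-looking file with hardening lines appended.
sample_config() {
    cat <<'EOF'
# constructed sample, not a real server's configuration
Port 22
#Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
# --- lines appended later by an admin ---
PermitRootLogin no
Port 2345
Protocol 2
Match User bob
    PasswordAuthentication no
EOF
}

# audit_sshd_config FILE
# Prints one line per finding; the exit status is the number of findings.
audit_sshd_config() {
    cfg=$1
    n=0
    for want in "PermitRootLogin no" "Protocol 2" "PasswordAuthentication no"; do
        key=${want% *}
        wanted=${want#* }
        got=$(sshd_effective "$key" "$cfg" | tr 'A-Z' 'a-z')
        if [ "$got" != "$wanted" ]; then
            echo "FINDING: $key is '${got:-unset}', page recommends '$wanted'"
            n=$((n + 1))
        fi
    done
    # Port is additive: every Port line opens a listener, and no Port line
    # at all means the default, 22.
    ports=$(sshd_values Port "$cfg" | tr '\n' ' ')
    case " ${ports:-22 }" in
        *" 22 "*)
            echo "FINDING: sshd listens on port 22 (Port lines: ${ports:-none})"
            n=$((n + 1)) ;;
    esac
    if [ -z "$(sshd_values AllowUsers "$cfg")" ]; then
        echo "FINDING: no AllowUsers line in the global section"
        n=$((n + 1))
    fi
    return "$n"
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_sshd_config "$tmp" || echo "$? finding(s)"
rm -f "$tmp"
```

On the sample file the appended "PermitRootLogin no" and "Port 2345" lines do not have the intended effect, because the earlier lines are still present. On a live server, "sshd -T" prints the configuration the daemon would actually use.<br />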
<br />
8. Frequently Asked Question (FAQ)<br />
<br />
Q: CentOS uses version X of OpenSSH and the latest version is version Y. Version X contained a serious security flaw, should I upgrade?<br />
<br />
A: No. The Upstream Vendor has a policy of backporting security patches from the latest releases into the current distribution version. As long as you have the latest updates applied for your CentOS distribution you are fully patched. See here for further details of backporting security patches:<br />
<br />
http://www.redhat.com/advice/speaks_backport.html<br />
<br />
9. Links<br />
<br />
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-openssh.html<br />
<br />
http://www.dragonresearchgroup.org/insight/sshpwauth-tac.html<br />
<br />
How to Save Flash Games & SWF (posted 2011-06-09)<br />
<br />
<h2>Saving Flash files from Firefox</h2><b>Firefox for Newbies</b><br />
a. Click <b>Tools - Page Info</b><br />
b. Click the <b>Media Tab</b> on the Page Info window<br />
c. The media tab has a complete list (with preview) of Images, CSS Files and Shockwave Flash files that were downloaded by the Firefox browser while rendering (loading) the page.<br />
d. Scroll down the list and locate the swf file.<br />
e. Click the "Save As" button. Select some directory on your hard drive and save the file (No need for a third-party plug-in)<br />
<br />
<b>Firefox for Geeks and Power Users</b><br />
a. Type about:blank in the Firefox address bar<br />
b. Now click List cache entries or directly type <b>about:cache?device=disk</b> (Disk cache device)<br />
c. Press Ctrl+F and try to locate the flash file by typing some part of the website URL, the flash file name, or just .swf. After some trial and error, you should be able to locate the swf file URL<br />
d. Click the SWF URL to open the Cache Entry Information page. Right click on the link and choose "Save link as"<br />
<br />
<h2>How to save flash in IE browser</h2>a. Click <b>Tools - Internet Options</b><br />
b. In the General Tab, click the Settings button available in the Temporary Internet Files group.<br />
c. Click View Files to open your Temporary Internet Files folder. Depending upon your IE settings, the Temp. folder can contain tens of thousands of files.<br />
d. Click View - Details. Now click View - Arrange Icons By - Internet Address. Depending upon the webpage, there could be one or more Flash files (Shockwave Flash Object) under the Internet Address.<br />
e. Once you find the right flash file, right-click and choose Copy. Then paste the swf file in any other directory. Be sure to keep the page and IE open to avoid purging of the cache file.<br />
<br />
For newbies, I suggest the following approaches:<br />
1. Get a download accelerator like Flashget and tell it to automatically download the shockwave extension (*.swf)<br />
2. Or download a free IE plug-in for saving flash files.<br />
<br />
<b>How to save Flash files from Opera or Google Chrome browser</b><br />
Just like IE, these browsers store the flash files in the browser cache.<br />
<br />
<span style="font-size: xx-small;">source:</span><br />
<br />
<span style="font-size: xx-small;">http://labnol.blogspot.com/2005/11/save-flash-from-firefox-and-ie.html</span><br />
<br />
<h1 class="entry-title"><span style="font-size: small;">Converting 32bit RRD to 64bit RRD (moving cacti between architectures)</span></h1>Posted 2011-01-17<br />
On the 32 bit machine, in /var/www/cacti/rra/, run over SSH:<div class="entry-content"> <blockquote>for i in $(find . -name "*.rrd"); do rrdtool dump "$i" > "$i.xml"; done</blockquote>Transfer the xml files to the same location on the 64 bit machine.<br />
On the 64 bit machine, run over SSH:<br />
<blockquote>for i in $(find . -name "*.xml"); do rrdtool restore "$i" "${i%.xml}"; done</blockquote></div><br />
<br />
Disable memory ballooning in VMWare (posted 2011-01-13)<br />
<br />
Connect directly to the ESX Server host on which the virtual machine resides, using Virtual Infrastructure Client (VI Client).<br />
- Shut down the virtual machine.<br />
- Right-click on the virtual machine listed on the Inventory panel and click Edit Settings.<br />
- Click the Options tab and select General.<br />
- Click Configuration Parameters.<br />
- Click Add row and add the parameter sched.mem.maxmemctl in the text box.<br />
- Click on the row next to it and add 0 in the text box.<br />
- Click OK to save changes.<br />
<br />
Backup Cisco IOS stored in different directory (posted 2010-08-05)<br />
<br />
1. To view flash content:<br />
<br />
<br />
<span style="color: blue;">3550-SW1#dir flash:</span><br />
<br />
<span style="color: blue;">Directory of flash:/</span><br />
<br />
<span style="color: blue;">4 -rwx 796 Mar 01 1993 02:33:32 vlan.dat</span><br />
<span style="color: blue;">5 -rwx 2783 Mar 01 1993 01:25:54 config.text</span><br />
<span style="color: blue;">8 drwx 192 Mar 01 1993 00:04:30 c3550-i5q3l2-mz.121-14.EA1a</span><br />
<span style="color: blue;">7 -rwx 2683 Mar 01 1993 02:35:26 config.old</span><br />
<span style="color: blue;">86 -rwx 5 Mar 01 1993 01:25:54 private-config.text</span><br />
<br />
<br />
2. To view sub-directory content:<br />
<br />
<span style="color: blue;">3550-SW1#dir flash:/c3550-i5q3l2-mz.121-14.EA1a</span><br />
<span style="color: blue;">Directory of flash:/c3550-i5q3l2-mz.121-14.EA1a/</span><br />
<br />
<span style="color: blue;">9 drwx 2304 Mar 01 1993 00:03:03 html</span><br />
<span style="color: blue;">84 -rwx 4086819 Mar 01 1993 00:04:30 c3550-i5q3l2-mz.121-14.EA1a.bin</span><br />
<span style="color: blue;">85 -rwx 255 Mar 01 1993 00:04:30 info</span><br />
<br />
<br />
3. To backup:<br />
<br />
<span style="color: blue;">3550-SW1#copy flash:/c3550-i5q3l2-mz.121-14.EA1a/c3550-i5q3l2-mz.121-14.EA1a.bin tftp</span><br />
<br />
How to SFTP if the default ssh port is changed (posted 2010-07-21)<br />
<br />
Usually, if SFTP is enabled on your server, the sftp client will try to use the default SSH port 22 even though the SSH port has been changed to some other custom port.<br />
<br />
<div class="box"> <pre><span style="color: #993300;">root@localhost/~$sftp root@&lt;server ip&gt;
Connecting to &lt;server ip&gt;...
ssh: connect to host &lt;server ip&gt; port 22: Connection refused
Couldn't read packet: Connection reset by peer</span></pre></div><br />
Here the SSH port is changed to 2200 instead of 22, but sftp still tries to connect on port 22. In this case we can connect to SFTP on the custom SSH port by running the following command.<br />
<br />
<div class="box"> <pre><span style="color: #993300;">root@localhost/~$sftp -oPort=2200 root@&lt;server ip&gt;
Connecting to &lt;server ip&gt;...
root@&lt;server ip&gt;'s password:
sftp> </span></pre></div><br />
<span style="font-size: x-small;">http://kb.bobcares.com</span><br />
<br />
Upgrading Openssh on CentOS And Chrooting a User When Connecting via SFTP (posted 2010-07-21)<br />
<br />
Consider a scenario where a user needs to connect to the server via sftp and access should be restricted to that user's home directory. OpenSSH-4.x does not support chrooting, so we need to upgrade to OpenSSH-5.x. Before upgrading openssh, make sure that the pam, openssl and kerberos packages are installed. If not, run the following command to install them.<br />
<br />
<br />
<div class="box"><span style="color: purple;"><strong>$ rpm -qa | grep -e openssl -e krb -e openssh<br />
openssh-clients-4.3p2-36.el5_4.4<br />
openssh-server-4.3p2-36.el5_4.4<br />
krb5-devel-1.6.1-36.el5_4.1<br />
openssl-0.9.8e-7.el5<br />
openssl-devel-0.9.8e-7.el5<br />
openssh-4.3p2-36.el5_4.4<br />
krb5-libs-1.6.1-36.el5_4.1<br />
<br />
$ yum install pam pam-devel krb5-devel</strong></span><br />
</div><br />
Yum will install all the dependency packages. Now, you are ready to upgrade OpenSSH. <br />
<br />
<span style="color: navy;"><strong>Steps to Upgrade OpenSSH from 4.x - 5.x</strong></span><br />
=================================<br />
<br />
1. Download latest OpenSSH package. You can select any mirror site from this <a href="http://www.openssh.com/portable.html#http">link</a><br />
or You can use the link <a href="http://mirror.mcs.anl.gov/openssh/portable/openssh-5.4p1.tar.gz">OpenSSH</a><br />
2. Run the following commands.<br />
<br />
<div class="box"><span style="color: purple;"><strong>$ tar -zxf openssh-5.4p1.tar.gz<br />
$ cd openssh-5.4p1<br />
$ ./configure --prefix=/usr/local/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-kerberos5 --with-ssl-engine<br />
$ make<br />
$ make install</strong></span></div><br />
Prefix is important. We should not install the latest openssh to the default location.<br />
3. Open the file "<span style="color: #993366;">/usr/local/ssh/etc/sshd_config</span>". <br />
4. Change the default port to a non-standard ssh port, say <span style="color: purple;">1234</span>.<br />
5. Save and quit.<br />
7. Run the following command.<br />
<div class="box"><span style="color: purple;"><strong>$ /usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config</strong></span><br />
</div><br />
8. Make sure that both old and new version of SSH are running on the server.<br />
<br />
<div class="box"><span style="color: purple;"><strong>$ ps aux | grep ssh<br />
root 31987 0.0 0.0 7164 1032 ? Ss 22:48 0:00 /usr/sbin/sshd<br />
root 32280 0.0 0.0 5432 996 ? Ss 22:48 0:00 /usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config</strong></span><br />
</div><br />
9. OpenSSH upgrade is complete.<br />
<br />
<span style="color: navy;"><strong>Testing Phase</strong></span><br />
============<br />
<br />
You should make sure that the upgraded version does not have any problem. Log in to the server from your local konsole.<br />
<br />
<div class="box"><span style="color: purple;"><strong>$ ssh test@my.testserver.com -p 1234</strong></span><br />
</div><br />
You should be able to log in without any problem if the installation went fine. Now, follow the steps given below to make the upgraded openssh listen on the default port.<br />
<br />
<div class="box"><span style="color: purple;"><strong>1. Open /usr/local/ssh/etc/sshd_config<br />
2. Change port to default port, i.e 22.<br />
3. Save and quit<br />
4. Kill or terminate all the instances of sshd running on the server.<br />
5. Start the sshd server using the command "/usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config"</strong></span></div><br />
<span style="color: navy;"><strong>Chrooting a User When Connecting via SFTP</strong></span><br />
===================================<br />
<br />
To restrict a user to his home directory when he connects to the server via sftp, follow the steps given below.<br />
<br />
1. Open the configuration file "<span style="color: #993366;">/usr/local/ssh/etc/sshd_config</span>".<br />
2. Append the following lines to the configuration file.<br />
<br />
<div class="box"><span style="color: purple;"><strong>Subsystem sftp internal-sftp</strong></span><br />
<strong><span style="color: purple;">Match User testuser<br />
ChrootDirectory /var/www/html/test<br />
X11Forwarding no<br />
AllowTcpForwarding no<br />
ForceCommand internal-sftp</span></strong><br />
</div><br />
3. You should comment out the line: "<span style="color: #993366;">Subsystem sftp /usr/local/ssh/libexec/sftp-server</span>"<br />
4. Save and quit.<br />
5. Terminate the SSH server and start it again using the command:<br />
<br />
<div class="box"><strong><span style="color: purple;">/usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config</span></strong><br />
</div><br />
6. Done<br />
<br />
Test it using any SFTP-capable client such as WinSCP, FileZilla or CuteFTP, and make sure that the user is restricted to his own home directory and cannot access anything outside it.<br />
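<br />
A pre-flight check for the ChrootDirectory path, added here as an example and not part of the original post. sshd refuses the session unless every component of the path is a root-owned directory that is not writable by group or others; check_chroot_path is a made-up helper and the demo directory is constructed.<br />

```shell
#!/bin/sh
# Added example: pre-flight check for a ChrootDirectory value.
# sshd refuses the session unless every component of the path is a
# directory owned by root and not writable by group or others.
# Uses `stat -c`, as provided by GNU coreutils and busybox.

# check_chroot_path ABSOLUTE_PATH
# Prints one line per offending component; returns 0 only if all pass.
check_chroot_path() {
    rest=${1#/}
    cur=/
    bad=0
    while :; do
        if [ ! -d "$cur" ]; then
            echo "$cur: not a directory"
            bad=$((bad + 1))
        else
            owner=$(stat -c %u "$cur")
            mode=$(stat -c %a "$cur")
            if [ "$owner" != 0 ]; then
                echo "$cur: owned by uid $owner, not root"
                bad=$((bad + 1))
            fi
            # Octal mode: a 2, 3, 6 or 7 in the group or other digit
            # means the write bit is set there.
            case $mode in
                *[2367]? | *[2367])
                    echo "$cur: mode $mode is writable by group or others"
                    bad=$((bad + 1)) ;;
            esac
        fi
        [ -n "$rest" ] || break
        # Move one component deeper: /var -> /var/www -> ...
        cur=${cur%/}/${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Constructed demo: a jail directory left group-writable, as often happens
# with web roots such as the /var/www/html/test used above.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/jail"
chmod 775 "$demo_dir/jail"
check_chroot_path "$demo_dir/jail" || echo "sshd would reject this ChrootDirectory"
rm -rf "$demo_dir"
```

Run it as check_chroot_path /var/www/html/test before restarting sshd; each line of output names a component to fix with chown or chmod.<br />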
<br />
Note:- "<span style="color: #993366;">/usr/local/ssh</span>" is the prefix I used for new openssh installation. You should replace it with your prefix.<br />
<br />
<span style="color: #993366;"><span style="color: black;">With the new openssh running on the server you should not start or restart the ssh using the init script. If you want to manage it via init script, edit the init script accordingly.</span><br />
<br />
<span style="color: black;">Open the file "<span style="color: #993366;">/etc/init.d/sshd</span>". Find the line <span style="color: #993366;">prog="sshd"</span>. Below this line add <span style="color: #993366;">SSH="/usr/local/ssh"</span>. And replace the lines:<br />
<br />
<div class="box"><span style="color: purple;"><strong>KEYGEN=/usr/bin/ssh-keygen<br />
SSHD=/usr/sbin/sshd<br />
RSA1_KEY=/etc/ssh/ssh_host_key<br />
RSA_KEY=/etc/ssh/ssh_host_rsa_key<br />
DSA_KEY=/etc/ssh/ssh_host_dsa_key</strong></span><br />
</div><br />
with the following lines:<br />
<br />
<div class="box"><span style="color: purple;"><strong>KEYGEN=$SSH/bin/ssh-keygen<br />
SSHD=$SSH/sbin/sshd<br />
RSA1_KEY=$SSH/etc/ssh_host_key<br />
RSA_KEY=$SSH/etc/ssh_host_rsa_key<br />
DSA_KEY=$SSH/etc/ssh_host_dsa_key</strong></span><br />
</div><br />
Save and quit. Restart the openssh server using the command:<br />
<br />
<div class="box"><span style="color: purple;"><strong>/etc/init.d/sshd restart</strong></span><br />
</div><br />
Confirm that the SSH server is started from the newly installed openssh i.e openssh 5.x.<br />
<br />
<div class="box"><span style="color: purple;"><strong>$ ps aux | grep ssh<br />
root 11791 0.0 0.0 5432 996 ? Ss Mar18 0:00 /usr/local/ssh/sbin/sshd</strong></span><br />
</div><br />
It will be better if you move the old ssh binaries and create a symlink to the new SSH binaries.<br />
<br />
<div class="box"><span style="color: purple;"><strong>$ mv /usr/bin/ssh /usr/bin/ssh-bak<br />
$ mv /usr/sbin/sshd /usr/sbin/sshd-bak<br />
$ mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen-bak<br />
$ mv /usr/bin/ssh-agent /usr/bin/ssh-agent-bak<br />
$ mv /usr/bin/ssh-keyscan /usr/bin/ssh-scan-bak<br />
$ mv /usr/bin/ssh-add /usr/bin/ssh-add-bak<br />
$ ln -s /usr/local/ssh/bin/ssh /usr/bin/ssh<br />
$ ln -s /usr/local/ssh/sbin/sshd /usr/sbin/sshd<br />
$ ln -s /usr/local/ssh/bin/ssh-keygen /usr/bin/ssh-keygen<br />
$ ln -s /usr/local/ssh/bin/ssh-add /usr/bin/ssh-add<br />
$ ln -s /usr/local/ssh/bin/ssh-keyscan /usr/bin/ssh-keyscan<br />
$ ln -s /usr/local/ssh/bin/ssh-agent /usr/bin/ssh-agent</strong></span><br />
</div><br />
The upgrade and setup of OpenSSH is now complete.</span></span><br />
<br />
<span style="color: #993366;"><span style="color: black;"><span style="font-size: x-small;">http://kb.bobcares.com/</span> </span></span><br />
<br />
Turn on DMA mode on a hard drive (posted 2010-07-21)<br />
<br />
<strong>DMA</strong><br />
<br />
Direct memory access (DMA) allows certain hardware subsystems within the computer to access system memory for reading and/or writing independently of the central processing unit. It uses a procedure called cycle stealing, where the central processor memory access cycles are delayed for very short times to intersperse DMA controller memory access cycles. DMA is used for transferring data between the local memory and the main memory.<br />
<br />
You can turn on DMA mode on a hard drive.<br />
<br />
For an IDE hard drive, you can check whether DMA is enabled with:<br />
<br />
<br />
<div class="box"><span style="color: #993300;">hdparm -iv /dev/hd</span> </div><br />
If DMA is on, the output should contain the following line,<br />
<br />
<div class="box"><span style="color: #993300;">using_dma = 1 (on)</span></div><br />
If it is off you can enable it as follows,<br />
<br />
<div class="box"><span style="color: #993300;">hdparm -d /dev/hd</span></div><br />
This will toggle the value of "using_dma" (It will turn off the value of "using_dma" if it was already on).<br />
<br />
<span style="font-size: x-small;">http://kb.bobcares.com/</span><br />
<br />
Enable quota in the server (posted 2010-07-21)<br />
<br />
If quotas are not enabled for the partition, the following error will occur while doing a quotacheck on the server. On a Cpanel server, /scripts/initquotas will throw the following error.<br />
<br />
<br />
<div class="box"><span style="color: #993300;"><em>/scripts/initquotas<br />
Quotas are now on<br />
Updating Quota Files......<br />
quotacheck: Can't find filesystem to check or filesystem not mounted with quota option.<br />
quotacheck: Can't find filesystem to check or filesystem not mounted with quota option.<br />
....Done</em></span> </div><br />
You need to follow the steps given below:<br />
<br />
<div class="box"><span style="color: #993300;">$ touch /quota.user /quota.group<br />
$ chmod 600 /quota.*<br />
$ mount -o remount /<br />
$ quotaoff -a<br />
$ vi /etc/fstab<br />
( open 'fstab' file and add usrquota,grpquota to the partition where you want to have quota on. That is, for example, add the entry like:<br />
/dev/ubd0 / ext3 defaults,noatime,usrquota,grpquota 1 0 )<br />
$ quotaon -a</span> </div><br />
Then you can execute the script successfully without any errors. You can run a quotacheck in the server. In Cpanel server, you can run initquotas without any errors.<br />
<br />
<span style="font-size: x-small;"> http://kb.bobcares.com/</span><br />
<br />
Signals, really cool! (posted 2010-07-21)<br />
<br />
In short, a signal is a notification sent to a process to notify it of various events. We are familiar with the signal SIGKILL (9), which is used to terminate a process, especially when the server load becomes abnormal. There are situations where we cannot simply kill the process, for example, when a critical backup process overloads the server.<br />
<br />
The kill command has signals to suspend/unsuspend a process temporarily without killing it. Here we go ... <br />
<br />
<span style="color: #993300;">kill -SIGSTOP 17065   # To suspend it temporarily<br />
kill -SIGCONT 17065   # To unsuspend ...</span><br />
<br />
If you want to see the other signals available, try <span style="color: #993300;">kill -l</span><br />
<br />
Try it out, when you get a chance<br />
<br />
<span style="font-size: x-small;">http://kb.bobcares.com/</span><br />
<br />
Logging server load to /var/log/messages (posted 2010-07-21)<br />
<br />
There can be cases where the server goes offline and you can't find any related log entries on the server. One of the issues that can cause this is high load on the server. But after the server reboots we won't be able to conclude whether the load was the exact issue.<br />
<br />
A better solution is to set up a cronjob that writes the server load to /var/log/messages at a regular interval. A sample cron entry is shown below, which will log the server load every 10 minutes to /var/log/messages.<br />
<br />
<br />
<div class="box"><span style="color: #993300;">*/10 * * * * uptime | logger -t "SERVER LOAD"</span> </div><br />
Now you will be able to get the load from /var/log/messages<br />
<br />
<span style="color: black; font-size: x-small;">http://kb.bobcares.com/</span><br />
<br />
Splitting a file in GNU/Linux (posted 2010-07-21)<br />
<br />
If you want to split a file "example" with size 9.6 Mb (10000000 b) into two, then the command to do so is:<br />
<br />
<br />
<div class="box"><span style="color: maroon;">$ split -b 5000000 example</span></div><br />
File "example" is now split into two files, named "xaa" and "xab" by default, and each of these files has a size of 5000000 b. Reducing the chunk size will generate more new files. You can also specify the output filename. Suppose you want to use "wxz" as the output file name, then the following command will help you:<br />
<span style="color: maroon;"><br />
</span> <div class="box"><span style="color: maroon;">$ split -b 5000000 example wxz</span></div><br />
Now, how do you join the split files? You can use the cat command. For example, if the new files generated by split are "xaa", "xab" and "xac", use the following command to join them.<br />
<br />
<div class="box"><span style="color: maroon;">$ cat xa* > filename </span></div><br />
<span style="color: black; font-size: x-small;">http://kb.bobcares.com/</span><br />
<br />
Useful Kernel manipulation commands (posted 2010-07-21)<br />
<br />
To find out the kernel version<br />
<br />
<br />
<div class="box"><span style="color: #993300;">$ cat /usr/include/linux/version.h</span></div><br />
To find out the Linux version of the currently executing kernel:<br />
<br />
<div class="box"><span style="color: #993300;">$ cat /proc/version <br />
$ uname -a</span></div><br />
The command used to check your architecture<br />
<br />
<div class="box"><span style="color: #993300;">$ uname -i</span></div><br />
To list the currently loaded kernel modules:<br />
<br />
<div class="box"><span style="color: #993300;">$ /sbin/lsmod<br />
$ cat /proc/modules</span></div><br />
Load a kernel module into the running kernel (without dependencies).<br />
<br />
<div class="box"><span style="color: #993300;">$ rmmod module name<br />
$ insmod module name</span></div><br />
Load a kernel module into the running kernel (with dependencies).<br />
<br />
<span style="color: #993300;">$ /sbin/modprobe kernel module name </span><br />
<br />
<span style="color: black; font-size: x-small;">http://kb.bobcares.com/</span><br />
<br />
Saturation of open files in the system (posted 2010-07-21)<br />
<br />
In the server logs, you can see the following message.<br />
<br />
<br />
<div class="box"><span style="color: #993300;"><em>Too many open files in system and your server is performing very slowly, try doubling the following proc variable: fs.file-max</em></span></div><br />
1. Find out the current value of the variable concerned.<br />
<br />
<div class="box"><span style="color: #993300;">$ sysctl -a|grep file<br />
<br />
OR<br />
<br />
$ cat /proc/sys/fs/file-max</span> </div><br />
2. Increase or double the current value using<br />
<br />
<div class="box"><span style="color: #993300;">echo &lt;your current value x 2&gt; > /proc/sys/fs/file-max</span></div><br />
<span style="color: black; font-size: x-small;">http://kb.bobcares.com/</span><br />
<br />
Set up Auto-Logout for root user (posted 2010-07-21)<br />
<br />
We can set up automatic logout for the root session so that the session gets logged off if it is idle for a while. This is important to know because anyone sneaking around can misuse the situation when a root user leaves the session idle. The method is very simple and is as follows:<br />
<br />
<br />
<div class="box"><span style="color: #993300;">1) Login as root<br />
2) vi ~/.bash_profile<br />
3) Add this line: export TMOUT=300<br />
4) Save and quit the file</span><br />
</div><br />
Here TMOUT is an environment variable which instructs the bash shell to exit if the session is idle. Here the timeout is set to 300 seconds (5 minutes).<br />
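A plain export in ~/.bash_profile can be undone by whoever holds the session (unset TMOUT, or TMOUT=0). The script below is an added example, not part of the original post: it shows a variant that marks the variable readonly and a small audit function that checks a profile file for the setting. The file name /etc/profile.d/tmout.sh, the 900-second limit and the function names are assumptions.

```sh
#!/bin/sh
# Added example: enforce and audit the idle timeout described above.
# The path /etc/profile.d/tmout.sh and the function names are assumptions.

# Hardened snippet for a system-wide file such as /etc/profile.d/tmout.sh.
# readonly stops "unset TMOUT" or "TMOUT=0" later in the same session.
hardened_snippet() {
cat <<'EOF'
TMOUT=300
readonly TMOUT
export TMOUT
EOF
}

# audit_tmout FILE MAX_SECONDS
# Prints one verdict line. Exit status:
#   0 = TMOUT set, within the limit and readonly
#   1 = TMOUT missing, zero (timeout disabled) or longer than MAX_SECONDS
#   2 = TMOUT set and within the limit, but the user can still change it
audit_tmout() {
    awk -v max="$2" '
        /^[ \t]*#/ { next }                            # ignore comment lines
        {
            line = " " $0                              # so every keyword has a leading separator
            if (match(line, /[ \t;]TMOUT="?[0-9]+/)) { # last assignment in the file wins
                value = substr(line, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", value)              # keep the digits only
            }
            if (line ~ /[ \t;](readonly|(declare|typeset)[ \t]+-[A-Za-z]*r[A-Za-z]*)[ \t]+TMOUT/)
                locked = 1
        }
        END {
            if (value == "")         { print "FAIL: TMOUT is not set"; exit 1 }
            if (value + 0 == 0)      { print "FAIL: TMOUT=0 disables the timeout"; exit 1 }
            if (value + 0 > max + 0) { print "FAIL: TMOUT=" value " exceeds " max; exit 1 }
            if (!locked)             { print "WARN: TMOUT=" value " is not readonly"; exit 2 }
            print "OK: TMOUT=" value " and readonly"
        }' "$1"
}

# Demo: audit the hardened snippet against a 900-second limit.
demo=$(mktemp)
hardened_snippet > "$demo"
audit_tmout "$demo" 900 || true
rm -f "$demo"
```

bash applies TMOUT only while it waits for input at its prompt, so a root session left inside an editor or another foreground program is not closed by it.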
<br />
<span style="font-size: x-small;">http://kb.bobcares.com/</span><br />
<br />
20 Linux System Monitoring Tools Every SysAdmin Should Know (posted 2010-05-31)<br />
from: NixCraft: http://www.cyberciti.biz/tips/top-linux-monitoring-tools.html<br />
<br />
<div class="headline_meta">by <span class="author vcard fn">Vivek Gite</span> </div><br />
Need to monitor Linux server performance? Try these built-in commands and a few add-on tools. Most Linux distributions are equipped with tons of monitoring tools. These tools provide metrics which can be used to get information about system activities. You can use these tools to find the possible causes of a performance problem. The commands discussed below are some of the most basic commands when it comes to system analysis and debugging server issues such as:<br />
<ol><li>Finding out bottlenecks.</li>
<li>Disk (storage) bottlenecks.</li>
<li>CPU and memory bottlenecks.</li>
<li>Network bottlenecks.</li>
</ol><span id="more-4934"></span><br />
<a href="" name="1"></a><br />
<h2>#1: top - Process Activity Command</h2>The top program provides a dynamic real-time view of a running system i.e. actual process activity. By default, it displays the most CPU-intensive tasks running on the server and updates the list every five seconds.<br />
<div class="wp-caption aligncenter" id="attachment_5179" style="width: 269px;"> <a href="http://www.cyberciti.biz/tips/top-linux-monitoring-tools.html/top-output" rel="attachment wp-att-5179"><img alt="Fig.01: Linux top command" class="size-medium wp-image-5179" height="300" src="http://files.cyberciti.biz/uploads/tips/2009/06/top-output-269x300.png" title="Fig.01: Linux top command" width="269" /></a> <div class="wp-caption-text">Fig.01: Linux top command</div></div><h3>Commonly Used Hot Keys</h3>The top command provides several useful hot keys:<br />
<table border="0"><tbody>
<tr> <th>Hot Key</th> <th>Usage</th> </tr>
<tr> <td>t</td> <td>Displays summary information off and on.</td> </tr>
<tr> <td>m</td> <td>Displays memory information off and on.</td> </tr>
<tr> <td>A</td> <td>Sorts the display by top consumers of various system resources. Useful for quick identification of performance-hungry tasks on a system.</td> </tr>
<tr> <td>f</td> <td>Enters an interactive configuration screen for top. Helpful for setting up top for a specific task.</td> </tr>
<tr> <td>o</td> <td>Enables you to interactively select the ordering within top.</td> </tr>
<tr> <td>r</td> <td>Issues renice command.</td> </tr>
<tr> <td>k</td> <td>Issues kill command.</td> </tr>
<tr> <td>z</td> <td>Turn on or off color/mono</td> </tr>
</tbody> </table><br />
<strong><span style="color: #003366;">=> Related:</span></strong> <a href="http://www.cyberciti.biz/tips/how-do-i-find-out-linux-cpu-utilization.html">How do I Find Out Linux CPU Utilization?</a><br />
<a href="" name="2"></a><br />
<h2>#2: vmstat - System Activity, Hardware and System Information</h2>The command vmstat reports information about processes, memory, paging, block IO, traps, and cpu activity.<br />
<code># vmstat 3</code><br />
Sample Outputs:<br />
<pre>procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
r b swpd free buff cache si so bi bo in cs us sy id wa st
0 0 0 2540988 522188 5130400 0 0 2 32 4 2 4 1 96 0 0
1 0 0 2540988 522188 5130400 0 0 0 720 1199 665 1 0 99 0 0
0 0 0 2540956 522188 5130400 0 0 0 0 1151 1569 4 1 95 0 0
0 0 0 2540956 522188 5130500 0 0 0 6 1117 439 1 0 99 0 0
0 0 0 2540940 522188 5130512 0 0 0 536 1189 932 1 0 98 0 0
0 0 0 2538444 522188 5130588 0 0 0 0 1187 1417 4 1 96 0 0
0 0 0 2490060 522188 5130640 0 0 0 18 1253 1123 5 1 94 0 0</pre><h3>Display Memory Utilization Slabinfo</h3><code># vmstat -m</code><br />
<h3>Get Information About Active / Inactive Memory Pages</h3><code># vmstat -a</code><br />
<strong><span style="color: #003366;">=> Related:</span></strong> <a href="http://www.cyberciti.biz/tips/linux-resource-utilization-to-detect-system-bottlenecks.html">How do I find out Linux Resource utilization to detect system bottlenecks?</a><br />
<a href="" name="3"></a><br />
<h2>#3: w - Find Out Who Is Logged on And What They Are Doing</h2>w command displays information about the users currently on the machine, and their processes.<br />
<code># w username<br />
# w vivek</code><br />
Sample Outputs:<br />
<pre>17:58:47 up 5 days, 20:28, 2 users, load average: 0.36, 0.26, 0.24
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.1.3.145 14:55 5.00s 0.04s 0.02s vim /etc/resolv.conf
root pts/1 10.1.3.145 17:43 0.00s 0.03s 0.00s w</pre><a href="" name="4"></a><br />
<h2>#4: uptime - Tell How Long The System Has Been Running</h2>The uptime command can be used to see how long the server has been running. It shows the current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes.<br />
<code># uptime</code><br />
Output:<br />
<pre>18:02:41 up 41 days, 23:42, 1 user, load average: 0.00, 0.00, 0.00</pre>A load value of 1 can be considered optimal. The acceptable load can change from system to system. For a single CPU system a load value of 1 - 3, and for SMP systems 6-10, might be acceptable.<br />
<a href="" name="5"></a><br />
<h2>#5: ps - Displays The Processes</h2>ps command will report a snapshot of the current processes. To select all processes use the -A or -e option:<br />
<code># ps -A</code><br />
Sample Outputs:<br />
<pre>PID TTY TIME CMD
1 ? 00:00:02 init
2 ? 00:00:02 migration/0
3 ? 00:00:01 ksoftirqd/0
4 ? 00:00:00 watchdog/0
5 ? 00:00:00 migration/1
6 ? 00:00:15 ksoftirqd/1
....
.....
4881 ? 00:53:28 java
4885 tty1 00:00:00 mingetty
4886 tty2 00:00:00 mingetty
4887 tty3 00:00:00 mingetty
4888 tty4 00:00:00 mingetty
4891 tty5 00:00:00 mingetty
4892 tty6 00:00:00 mingetty
4893 ttyS1 00:00:00 agetty
12853 ? 00:00:00 cifsoplockd
12854 ? 00:00:00 cifsdnotifyd
14231 ? 00:10:34 lighttpd
14232 ? 00:00:00 php-cgi
54981 pts/0 00:00:00 vim
55465 ? 00:00:00 php-cgi
55546 ? 00:00:00 bind9-snmp-stat
55704 pts/1 00:00:00 ps</pre>ps is just like top but provides more information.<br />
<h3>Show Long Format Output</h3><code># ps -Al</code><br />
To turn on extra full mode (it will show command line arguments passed to process):<br />
<code># ps -AlF</code><br />
<h3>To See Threads ( LWP and NLWP)</h3><code># ps -AlFH</code><br />
<h3>To See Threads After Processes</h3><code># ps -AlLm</code><br />
<h3>Print All Process On The Server</h3><code># ps ax<br />
# ps axu</code><br />
<h3>Print A Process Tree</h3><code># ps -ejH<br />
# ps axjf<br />
# pstree</code><br />
<h3>Print Security Information</h3><code># ps -eo euser,ruser,suser,fuser,f,comm,label<br />
# ps axZ<br />
# ps -eM</code><br />
<h3>See Every Process Running As User Vivek</h3><code># ps -U vivek -u vivek u</code><br />
<h3>Set Output In a User-Defined Format</h3><code># ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm<br />
# ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm<br />
# ps -eopid,tt,user,fname,tmout,f,wchan</code><br />
<h3>Display Only The Process IDs of Lighttpd</h3><code># ps -C lighttpd -o pid=</code><br />
OR<br />
<code># pgrep lighttpd</code><br />
OR<br />
<code># pgrep -u vivek php-cgi</code><br />
<h3>Display The Name of PID 55977</h3><code># ps -p 55977 -o comm=</code><br />
<h3>Find Out The Top 10 Memory Consuming Process</h3><code># ps -auxf | sort -nr -k 4 | head -10</code><br />
<h3>Find Out top 10 CPU Consuming Process</h3><code># ps -auxf | sort -nr -k 3 | head -10</code><br />
<a href="" name="6"></a><br />
<h2>#6: free - Memory Usage</h2>The command free displays the total amount of free and used physical and swap memory in the system, as well as the buffers used by the kernel.<br />
<code># free </code><br />
Sample Output:<br />
<pre>total used free shared buffers cached
Mem: 12302896 9739664 2563232 0 523124 5154740
-/+ buffers/cache: 4061800 8241096
Swap: 1052248 0 1052248</pre><strong><span style="color: #003366;">=> Related:</span></strong> :<br />
<ol><li><a href="http://www.cyberciti.biz/faq/linux-check-the-size-of-pagesize/">Linux Find Out Virtual Memory PAGESIZE</a></li>
<li><a href="http://www.cyberciti.biz/faq/cpu-usage-limiter-for-linux/">Linux Limit CPU Usage Per Process</a></li>
<li><a href="http://www.cyberciti.biz/tips/how-much-ram-does-my-linux-system.html">How much RAM does my Ubuntu / Fedora Linux desktop PC have?</a></li>
</ol><a href="" name="7"></a><br />
<h2>#7: iostat - Average CPU Load, Disk Activity</h2>The command iostat reports Central Processing Unit (CPU) statistics and input/output statistics for devices, partitions and network filesystems (NFS).<br />
<code># iostat </code><br />
Sample Outputs:<br />
<pre>Linux 2.6.18-128.1.14.el5 (www03.nixcraft.in) 06/26/2009
avg-cpu: %user %nice %system %iowait %steal %idle
3.50 0.09 0.51 0.03 0.00 95.86
Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn
sda 22.04 31.88 512.03 16193351 260102868
sda1 0.00 0.00 0.00 2166 180
sda2 22.04 31.87 512.03 16189010 260102688
sda3 0.00 0.00 0.00 1615 0</pre><strong><span style="color: #003366;">=> Related:</span></strong> : <a href="http://www.cyberciti.biz/faq/howto-linux-track-nfs-client-disk-metrics/">Linux Track NFS Directory / Disk I/O Stats</a><br />
<a href="" name="8"></a><br />
<h2>#8: sar - Collect and Report System Activity</h2>The sar command is used to collect, report, and save system activity information. To see the network counters, enter:<br />
<code># sar -n DEV | more</code><br />
To display the network counters from the 24th:<br />
<code># sar -n DEV -f /var/log/sa/sa24 | more</code><br />
You can also display real time usage using sar:<br />
<code># sar 4 5</code><br />
Sample Outputs:<br />
<pre>Linux 2.6.18-128.1.14.el5 (www03.nixcraft.in) 06/26/2009
06:45:12 PM CPU %user %nice %system %iowait %steal %idle
06:45:16 PM all 2.00 0.00 0.22 0.00 0.00 97.78
06:45:20 PM all 2.07 0.00 0.38 0.03 0.00 97.52
06:45:24 PM all 0.94 0.00 0.28 0.00 0.00 98.78
06:45:28 PM all 1.56 0.00 0.22 0.00 0.00 98.22
06:45:32 PM all 3.53 0.00 0.25 0.03 0.00 96.19
Average: all 2.02 0.00 0.27 0.01 0.00 97.70</pre><strong><span style="color: #003366;">=> Related:</span></strong> : <a href="http://www.cyberciti.biz/tips/howto-write-system-utilization-data-to-file.html">How to collect Linux system utilization data into a file</a><br />
<a href="" name="9"></a><br />
<h2>#9: mpstat - Multiprocessor Usage</h2>The mpstat command displays activities for each available processor, processor 0 being the first one. Use mpstat -P ALL to display average CPU utilization per processor:<br />
<code># mpstat -P ALL</code><br />
Sample Output:<br />
<pre>Linux 2.6.18-128.1.14.el5 (www03.nixcraft.in) 06/26/2009
06:48:11 PM CPU %user %nice %sys %iowait %irq %soft %steal %idle intr/s
06:48:11 PM all 3.50 0.09 0.34 0.03 0.01 0.17 0.00 95.86 1218.04
06:48:11 PM 0 3.44 0.08 0.31 0.02 0.00 0.12 0.00 96.04 1000.31
06:48:11 PM 1 3.10 0.08 0.32 0.09 0.02 0.11 0.00 96.28 34.93
06:48:11 PM 2 4.16 0.11 0.36 0.02 0.00 0.11 0.00 95.25 0.00
06:48:11 PM 3 3.77 0.11 0.38 0.03 0.01 0.24 0.00 95.46 44.80
06:48:11 PM 4 2.96 0.07 0.29 0.04 0.02 0.10 0.00 96.52 25.91
06:48:11 PM 5 3.26 0.08 0.28 0.03 0.01 0.10 0.00 96.23 14.98
06:48:11 PM 6 4.00 0.10 0.34 0.01 0.00 0.13 0.00 95.42 3.75
06:48:11 PM 7 3.30 0.11 0.39 0.03 0.01 0.46 0.00 95.69 76.89</pre><strong><span style="color: #003366;">=> Related:</span></strong> : <a href="http://www.cyberciti.biz/faq/linux-mpstat-command-report-processors-related-statistics/">Linux display each multiple SMP CPU processors utilization individually</a>.<br />
<a href="" name="10"></a><br />
<h2>#10: pmap - Process Memory Usage</h2>The command pmap reports the memory map of a process. Use this command to find out the causes of memory bottlenecks.<br />
<code># pmap -d PID</code><br />
To display process memory information for pid # 47394, enter:<br />
<code># pmap -d 47394</code><br />
Sample Outputs:<br />
<pre>47394: /usr/bin/php-cgi
Address Kbytes Mode Offset Device Mapping
0000000000400000 2584 r-x-- 0000000000000000 008:00002 php-cgi
0000000000886000 140 rw--- 0000000000286000 008:00002 php-cgi
00000000008a9000 52 rw--- 00000000008a9000 000:00000 [ anon ]
0000000000aa8000 76 rw--- 00000000002a8000 008:00002 php-cgi
000000000f678000 1980 rw--- 000000000f678000 000:00000 [ anon ]
000000314a600000 112 r-x-- 0000000000000000 008:00002 ld-2.5.so
000000314a81b000 4 r---- 000000000001b000 008:00002 ld-2.5.so
000000314a81c000 4 rw--- 000000000001c000 008:00002 ld-2.5.so
000000314aa00000 1328 r-x-- 0000000000000000 008:00002 libc-2.5.so
000000314ab4c000 2048 ----- 000000000014c000 008:00002 libc-2.5.so
.....
......
..
00002af8d48fd000 4 rw--- 0000000000006000 008:00002 xsl.so
00002af8d490c000 40 r-x-- 0000000000000000 008:00002 libnss_files-2.5.so
00002af8d4916000 2044 ----- 000000000000a000 008:00002 libnss_files-2.5.so
00002af8d4b15000 4 r---- 0000000000009000 008:00002 libnss_files-2.5.so
00002af8d4b16000 4 rw--- 000000000000a000 008:00002 libnss_files-2.5.so
00002af8d4b17000 768000 rw-s- 0000000000000000 000:00009 zero (deleted)
00007fffc95fe000 84 rw--- 00007ffffffea000 000:00000 [ stack ]
ffffffffff600000 8192 ----- 0000000000000000 000:00000 [ anon ]
mapped: 933712K writeable/private: 4304K shared: 768000K</pre>The last line is very important:<br />
<ul><li><strong>mapped: 933712K</strong> total amount of memory mapped to files</li>
<li><strong>writeable/private: 4304K</strong> the amount of private address space</li>
<li><strong>shared: 768000K</strong> the amount of address space this process is sharing with others</li>
</ul><strong><span style="color: #003366;">=> Related:</span></strong> : <a href="http://www.cyberciti.biz/tips/howto-find-memory-used-by-program.html">Linux find the memory used by a program / process using pmap command</a><br />
<a href="" name="11"></a><br />
<h2>#11 and #12: netstat and ss - Network Statistics</h2>The command netstat displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. The ss command is used to dump socket statistics. It shows information similar to netstat. See the following resources about the ss and netstat commands:<br />
<ul><li><a href="http://www.cyberciti.biz/tips/linux-investigate-sockets-network-connections.html">ss: Display Linux TCP / UDP Network and Socket Information</a></li>
<li><a href="http://www.cyberciti.biz/tips/netstat-command-tutorial-examples.html">Get Detailed Information About Particular IP address Connections Using netstat Command</a></li>
</ul><a href="" name="13"></a><br />
<h2>#13: iptraf - Real-time Network Statistics</h2>The iptraf command is an interactive, colorful IP LAN monitor. It is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others. It can provide the following info in an easy to read format:<br />
<ul><li>Network traffic statistics by TCP connection</li>
<li>IP traffic statistics by network interface</li>
<li>Network traffic statistics by protocol</li>
<li>Network traffic statistics by TCP/UDP port and by packet size</li>
<li>Network traffic statistics by Layer2 address</li>
</ul><div class="wp-caption aligncenter" id="attachment_5196" style="width: 600px;"> <a href="http://www.cyberciti.biz/tips/top-linux-monitoring-tools.html/iptraf3" rel="attachment wp-att-5196"><img alt="Fig.02: General interface statistics: IP traffic statistics by network interface " class="size-full wp-image-5196" height="347" src="http://files.cyberciti.biz/uploads/tips/2009/06/iptraf3.png" title="Fig.02: General interface statistics: IP traffic statistics by network interface " width="600" /></a> <div class="wp-caption-text">Fig.02: General interface statistics: IP traffic statistics by network interface </div></div><div class="wp-caption aligncenter" id="attachment_5195" style="width: 600px;"> <a href="http://www.cyberciti.biz/tips/top-linux-monitoring-tools.html/iptraf2" rel="attachment wp-att-5195"><img alt="Fig.03 Network traffic statistics by TCP connection" class="size-full wp-image-5195" height="416" src="http://files.cyberciti.biz/uploads/tips/2009/06/iptraf2.png" title="Fig.03 Network traffic statistics by TCP connection" width="600" /></a> <div class="wp-caption-text">Fig.03 Network traffic statistics by TCP connection</div></div><a href="" name="14"></a><br />
<h2>#14: tcpdump - Detailed Network Traffic Analysis</h2>tcpdump is a simple command that dumps traffic on a network. However, you need a good understanding of the TCP/IP protocol to utilize this tool. For example, to display traffic info about DNS, enter:<br />
<code># tcpdump -i eth1 'udp port 53'</code><br />
To display all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets, enter:<br />
<code># tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'</code><br />
To display all FTP sessions to 202.54.1.5, enter:<br />
<code># tcpdump -i eth1 'dst 202.54.1.5 and (port 21 or 20)'</code><br />
To display all HTTP sessions to 192.168.1.5:<br />
<code># tcpdump -ni eth0 'dst 192.168.1.5 and tcp and port http'</code><br />
To save the captured packets to a file and <a href="http://www.cyberciti.biz/faq/linux-unix-bsd-apache-tcpdump-http-packets-sniffing/">use wireshark to view detailed</a> information, enter:<br />
<code># tcpdump -n -i eth1 -s 0 -w output.txt src or dst port 80</code><br />
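The port 80 filter above that prints only packets containing data works by subtracting the IP header length and the TCP header length from the IP total length. The script below is an added example, not part of the original article: it evaluates the same expression on three constructed packets and compares it with a naive "total length minus 40" check. The packets are hex strings starting at the IPv4 header; addresses, ports and sequence numbers are made up and checksums are left at zero.

```sh
#!/bin/sh
# Added example: evaluate the tcpdump expression
#   (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)
# by hand on constructed IPv4/TCP packets (hex, no Ethernet header).

# SYN with an MSS option: 20-byte IP header, 24-byte TCP header, no payload.
PKT_SYN="4500002c1c45400040060000c0a8010ac0a80105c350005000000000000000006002721000000000020405b4"
# ACK with a timestamp option: 20-byte IP header, 32-byte TCP header, no payload.
PKT_ACK="450000341c47400040060000c0a8010ac0a80105c3500050000000010000000180107210000000000101080a0000000100000002"
# PSH,ACK carrying "GET / HTTP/1.1\r\n": 20 + 20 header bytes, 16 payload bytes.
PKT_DATA="450000381c46400040060000c0a8010ac0a80105c35000500000000100000001501872100000000047455420 2f20485454502f312e310d0a"
PKT_DATA=$(printf '%s' "$PKT_DATA" | tr -d ' ')      # the space above is only for readability

# byte_at HEX OFFSET: print the byte at OFFSET (0-based) as a decimal number.
byte_at() {
    start=$(( $2 * 2 + 1 ))
    hex=$(printf '%s' "$1" | cut -c "${start}-$(( start + 1 ))")
    [ "${#hex}" -eq 2 ] || return 1                   # offset is past the end of the packet
    printf '%d\n' "0x$hex"
}

# tcp_payload_len HEX: the value the filter compares with 0.
tcp_payload_len() {
    total_len=$(( $(byte_at "$1" 2) * 256 + $(byte_at "$1" 3) ))        # ip[2:2]
    ip_hlen=$(( ($(byte_at "$1" 0) & 0xf) << 2 ))                       # (ip[0]&0xf)<<2
    tcp_hlen=$(( ($(byte_at "$1" $(( ip_hlen + 12 ))) & 0xf0) >> 2 ))   # (tcp[12]&0xf0)>>2
    echo $(( total_len - ip_hlen - tcp_hlen ))
}

# naive_payload_len HEX: assumes 20-byte IP and TCP headers, which is wrong
# whenever IP or TCP options are present.
naive_payload_len() {
    echo $(( $(byte_at "$1" 2) * 256 + $(byte_at "$1" 3) - 40 ))
}

# has_data HEX: succeeds when the filter would print the packet.
has_data() {
    [ "$(tcp_payload_len "$1")" -ne 0 ]
}

# Demo: payload length per packet, filter expression versus naive check.
for name in SYN ACK DATA; do
    eval "pkt=\$PKT_$name"
    printf '%-4s filter=%s naive=%s\n' "$name" "$(tcp_payload_len "$pkt")" "$(naive_payload_len "$pkt")"
done
```

The ACK packet is the case the header-length masks exist for: its TCP options make the naive check report 12 bytes of data where there are none.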
<a href="" name="15"></a><br />
<h2>#15: strace - System Calls</h2>Trace system calls and signals. This is useful for debugging webserver and other server problems. See how to use strace to <a href="http://www.cyberciti.biz/tips/linux-strace-command-examples.html">trace the process and</a> see what it is doing.<br />
<a href="" name="16"></a><br />
<h2>#16: /Proc file system - Various Kernel Statistics</h2>The /proc file system provides detailed information about various hardware devices and other Linux kernel information. See the <a href="http://www.cyberciti.biz/files/linux-kernel/Documentation/filesystems/proc.txt">Linux kernel /proc</a> documentation for further details. Common /proc examples:<br />
<code># cat /proc/cpuinfo<br />
# cat /proc/meminfo<br />
# cat /proc/zoneinfo<br />
# cat /proc/mounts</code><br />
<a href="" name="17"></a><br />
<h2>#17: Nagios - Server And Network Monitoring</h2><a href="http://www.nagios.org/" target="_blank">Nagios</a> is a popular open source computer system and network monitoring application software. You can easily monitor all your hosts, network equipment and services. It can send alerts when things go wrong and again when they get better. <a href="http://fannagioscd.sourceforge.net/drupal/" target="_blank">FAN is</a> "Fully Automated Nagios". FAN goals are to provide a Nagios installation including most tools provided by the Nagios Community. FAN provides a CDRom image in the standard ISO format, making it easy to install a Nagios server. In addition, a wide range of tools is included in the distribution, in order to improve the user experience around Nagios.<br />
<a href="" name="18"></a><br />
<h2>#18: Cacti - Web-based Monitoring Tool</h2>Cacti is a complete network graphing solution designed to harness the power of RRDTool's data storage and graphing functionality. Cacti provides a fast poller, advanced graph templating, multiple data acquisition methods, and user management features out of the box. All of this is wrapped in an intuitive, easy to use interface that makes sense for LAN-sized installations up to complex networks with hundreds of devices. It can provide data about network, CPU, memory, logged in users, Apache, DNS servers and much more. See how <a href="http://www.cyberciti.biz/faq/fedora-rhel-install-cacti-monitoring-rrd-software/">to install and configure Cacti network graphing</a> tool under CentOS / RHEL.<br />
<a href="" name="19"></a><br />
<h2>#19: KDE System Guard - Real-time Systems Reporting and Graphing</h2>KSysguard is a network enabled task and system monitor application for KDE desktop. This tool can be run over ssh session. It provides lots of features such as a client/server architecture that enables monitoring of local and remote hosts. The graphical front end uses so-called sensors to retrieve the information it displays. A sensor can return simple values or more complex information like tables. For each type of information, one or more displays are provided. Displays are organized in worksheets that can be saved and loaded independently from each other. So, KSysguard is not only a simple task manager but also a very powerful tool to control large server farms.<br />
<div class="wp-caption aligncenter" id="attachment_5215" style="width: 600px;"> <a href="http://www.cyberciti.biz/tips/top-linux-monitoring-tools.html/kde-systemguard-screenshot" rel="attachment wp-att-5215"><img alt="Fig.05 KDE System Guard" class="size-full wp-image-5215" height="462" src="http://files.cyberciti.biz/uploads/tips/2009/06/kde-systemguard-screenshot.png" title="Fig.05 KDE System Guard KDE task manager and performance monitor." width="600" /></a> <div class="wp-caption-text">Fig.05 KDE System Guard {Image credit: Wikipedia}</div></div>See <a href="http://docs.kde.org/stable/en/kdebase-workspace/ksysguard/index.html">the KSysguard handbook</a> for detailed usage.<br />
<a href="" name="20"></a><br />
<h2>#20: Gnome System Monitor - Real-time Systems Reporting and Graphing</h2>The System Monitor application enables you to display basic system information and monitor system processes, usage of system resources, and file systems. You can also use System Monitor to modify the behavior of your system. Although not as powerful as the KDE System Guard, it provides the basic information which may be useful for new users:<br />
<ul><li> Displays various basic information about the computer's hardware and software.</li>
<li> Linux Kernel version</li>
<li> GNOME version</li>
<li> Hardware</li>
<li> Installed memory</li>
<li> Processors and speeds</li>
<li> System Status</li>
<li> Currently available disk space</li>
<li> Processes</li>
<li> Memory and swap space</li>
<li> Network usage</li>
<li> File Systems</li>
<li> Lists all mounted filesystems along with basic information about each.</li>
</ul><div class="wp-caption aligncenter" id="attachment_5220" style="width: 600px;"> <a href="http://www.cyberciti.biz/tips/top-linux-monitoring-tools.html/gnome-system-monitor" rel="attachment wp-att-5220"><img alt="Fig.06 The Gnome System Monitor application" class="size-full wp-image-5220" height="451" src="http://files.cyberciti.biz/uploads/tips/2009/06/gnome-system-monitor.png" title="Fig.06 The Gnome System Monitor application" width="600" /></a> <div class="wp-caption-text">Fig.06 The Gnome System Monitor application</div></div><h2>Bonus: Additional Tools</h2>A few more tools: <br />
<ul><li><a href="http://www.cyberciti.biz/tips/linux-scanning-network-for-open-ports.html">nmap</a> - scan your server for open ports.</li>
<li><a href="http://www.cyberciti.biz/tips/tag/lsof-command">lsof</a> - list open files, network connections and much more.</li>
<li><a class="broken_link" href="http://www.cyberciti.biz/tips/Debian%20/%20Ubuntu%20Linux%20Install%20ntop%20To%20See%20Network%20Usage%20/%20Network%20Status">ntop</a> web based tool - ntop is the best tool to see network usage in a way similar to what top command does for processes i.e. it is network traffic monitoring software. You can see network status, protocol wise distribution of traffic for UDP, TCP, DNS, HTTP and other protocols.</li>
<li><a href="http://conky.sourceforge.net/" target="_blank">Conky</a> - Another good monitoring tool for the X Window System. It is highly configurable and is able to monitor many system variables including the status of the CPU, memory, swap space, disk storage, temperatures, processes, network interfaces, battery power, system messages, e-mail inboxes etc. </li>
<li><a href="http://members.dslextreme.com/users/billw/gkrellm/gkrellm.html" target="_blank">GKrellM</a> - It can be used to monitor the status of CPUs, main memory, hard disks, network interfaces, local and remote mailboxes, and many other things.</li>
<li><a href="http://www.cyberciti.biz/tips/keeping-a-log-of-daily-network-traffic-for-adsl-or-dedicated-remote-linux-box.html">vnstat</a> - vnStat is a console-based network traffic monitor. It keeps a log of hourly, daily and monthly network traffic for the selected interface(s).</li>
<li><a href="http://htop.sourceforge.net/" target="_blank">htop</a> - htop is an enhanced version of top, the interactive process viewer, which can display the list of processes in a tree form.</li>
<li><a href="http://www.cyberciti.biz/tips/finding-out-a-bad-or-simply-overloaded-network-link-with-linuxunix-oses.html">mtr</a> - mtr combines the functionality of the traceroute and ping programs in a single network diagnostic tool.</li>
</ul><br />
How to send email from the Linux command line (posted 2010-01-26)<br />
<br />
The Linux command line can be very powerful once you know how to use it. You can parse data, monitor processes, and do a lot of other useful and cool things using it. There often comes a need to generate a report and mail it out. It could be as simple a requirement as a notification that the day’s backup went through fine, or did not. I’ll help you get started with sending mails from the Linux command line and in shell scripts. We will also cover sending attachments from the command line. We will begin with the “mail” command. <br />
MAIL<br />
First run a quick test to make sure the “sendmail” application is installed and working correctly. Execute the following command, replacing “you@youremailid.com” with your e-mail address.<br />
<br />
# mail -s "Hello world" you@youremailid.com<br />
<br />
Hit the return key and you will come to a new line. Enter the text “This is a test from my server”. Follow up the text by hitting the return key again. Then hit the key combination of Control+D to continue. The command prompt will ask you if you want to mark a copy of the mail to any other address; hit Control+D again. Check your mailbox. This command will send out a mail to the email id mentioned with the subject, “Hello world”.<br />
<br />
To add content to the body of the mail while running the command you can use the following options. If you want to add text on your own:<br />
<br />
# echo "This will go into the body of the mail." | mail -s "Hello world" you@youremailid.com<br />
<br />
And if you want mail to read the content from a file:<br />
<br />
# mail -s "Hello world" you@youremailid.com < /home/calvin/application.log<br />
<br />
Some other useful options in the mail command are:<br />
<br />
-s subject (The subject of the mail)<br />
-c email-address (Mark a copy to this “email-address”, or CC)<br />
-b email-address (Mark a blind carbon copy to this “email-address”, or BCC)<br />
<br />
Here’s how you might use these options:<br />
<br />
# echo "Welcome to the world of Calvin n Hobbes" | mail -s "Hello world" calvin@cnh.com -c hobbes@cnh.com -b susie.derkins@cnh.com<br />
<br />
MUTT<br />
<br />
One of the major drawbacks of using the mail command is that it does not support the sending of attachments. mutt, on the other hand, does support it. I’ve found this feature particularly useful for scripts that generate non-textual reports or backups which are relatively small in size and which I’d like to back up elsewhere. Of course, mutt allows you to do a lot more than just send attachments. It is a much more complete command line mail client than the “mail” command. Right now we’ll just explore the basic stuff we might need often. Here’s how you would attach a file to a mail:<br />
<br />
# echo "Sending an attachment." | mutt -a backup.zip -s "attachment" calvin@cnh.com<br />
<br />
This command will send a mail to calvin@cnh.com with the subject (-s) “attachment”, the body text “Sending an attachment.”, containing the attachment (-a) backup.zip. As with the mail command, you can use the “-c” option to mark a copy to another mail id.<br />
<br />
SENDING MAIL FROM A SHELL SCRIPT<br />
<br />
Now, with the basics covered, you can send mails from your shell scripts. Here’s a simple shell script that gives you a reading of the usage of space on your partitions and mails the data to you.<br />
<br />
#!/bin/bash<br />
df -h | mail -s "disk space report" calvin@cnh.com<br />
<br />
Save these lines in a file on your Linux server and run it. You should receive a mail containing the results of the command. If, however, you need to send more data than just this, you will need to write the data to a text file and enter it into the mail body while composing the mail. Here’s an example of a shell script that gets the disk usage as well as the memory usage, writes the data into a temporary file, and then enters it all into the body of the mail being sent out:<br />
<br />
#!/bin/bash<br />
df -h > /tmp/mail_report.log<br />
free -m >> /tmp/mail_report.log<br />
mail -s "disk and RAM report" calvin@cnh.com < /tmp/mail_report.log<br />
<br />
Now here’s a more complicated problem. You have to take a backup of a few files and mail them out. First the directory to be mailed out is archived. Then it is sent as an email attachment using mutt. Here’s a script to do just that:<br />
<br />
#!/bin/bash<br />
tar -zcf /tmp/backup.tar.gz /home/calvin/files<br />
echo | mutt -a /tmp/backup.tar.gz -s "daily backup of data" calvin@cnh.com<br />
<br />
The echo at the start of the last line adds a blank line to the body of the mail being sent out.<br />
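<br />
The two scripts above write to fixed names in /tmp (/tmp/mail_report.log and /tmp/backup.tar.gz), which any local user can create or symlink before a privileged cron run gets there. The following is an added example, not part of the original article, that builds the same report and archive in files created by mktemp; the function names are hypothetical, and the mail and mutt invocations are the ones shown above.<br />

```shell
#!/bin/bash
# Added example (not from the original article): the report and backup scripts
# rebuilt so that nothing is written to a guessable name in /tmp.
umask 077   # anything this script creates is readable by its owner only

# Build the disk/RAM report in a file created by mktemp and print its path.
# mktemp picks an unpredictable name and creates the file exclusively with
# mode 0600, so a file or symlink planted in advance cannot capture the write.
make_report() {
    local report
    report=$(mktemp "${TMPDIR:-/tmp}/mail_report.XXXXXXXXXX") || return 1
    {
        df -h || echo "(df failed)"
        free -m 2>/dev/null || echo "(free not available)"
    } > "$report"
    printf '%s\n' "$report"
}

# Archive a directory inside a private mktemp -d directory (mode 0700)
# and print the path of the archive.
make_backup() {
    local src=$1 workdir
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 1; }
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/backup.XXXXXXXXXX") || return 1
    # -C stores paths relative to the parent directory instead of absolute ones.
    if ! tar -zcf "$workdir/backup.tar.gz" -C "$(dirname "$src")" "$(basename "$src")"; then
        rm -rf -- "$workdir"
        return 1
    fi
    printf '%s\n' "$workdir/backup.tar.gz"
}

# Mail the report, then remove the temporary file whether or not mail succeeded.
send_report() {
    local rcpt=$1 report status=0
    report=$(make_report) || return 1
    mail -s "disk and RAM report" "$rcpt" < "$report" || status=$?
    rm -f -- "$report"
    return "$status"
}

# Mail the archive as an attachment, then remove the private directory.
send_backup() {
    local src=$1 rcpt=$2 archive status=0
    archive=$(make_backup "$src") || return 1
    echo | mutt -a "$archive" -s "daily backup of data" "$rcpt" || status=$?
    rm -rf -- "$(dirname "$archive")"
    return "$status"
}

# Usage (hypothetical script name): ./report.sh calvin@cnh.com [/home/calvin/files]
if [ "$#" -ge 1 ]; then
    send_report "$1"
    if [ "$#" -ge 2 ]; then send_backup "$2" "$1"; fi
fi
```
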
<br />
This should get you started with sending mails from the Linux command line and from shell scripts. Read the “man page” for both mail and mutt for more options.<br />
<br />
<br />
<br />
By Sukrit Dhandhania – December 1, 2008<br />
Posted by Perrydoo<br />
<br />
Installing rrdtool using yum on CentOS<br />
Published 2009-12-04<br />
<br />
<span style="font-size:100%;"><span style="font-style: italic; font-family: arial;" id="fullpost">1. Create a file called dag.repo in /etc/yum.repos.d/ with the contents shown below<br /><br /># vi </span><span style="font-style: italic; font-family: arial;" id="fullpost">/etc/yum.repos.d/</span><span style="font-style: italic; font-family: arial;" id="fullpost">dag.repo<br /><br />[dag]<br />name=Dag RPM Repository for Red Hat Enterprise Linux<br />baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag<br />gpgcheck=1<br />gpgkey=http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt<br />enabled=1<br /><br /><br />and then install the package<br /><br /># yum install rrdtool<br /><br />That's it!<br /></span></span><br />
Posted by Perrydoo<br />
<br />
How to configure TCP/IP filtering in Windows 2000<br />
Published 2009-06-22<br />
<br />
This step-by-step article describes how to configure TCP/IP Filtering on Microsoft Windows 2000-based computers. Windows 2000-based computers support several methods of controlling inbound access. One of the simplest and most powerful methods of controlling inbound access is by using the TCP/IP Filtering feature. TCP/IP Filtering is available on all Windows 2000-based computers that have the TCP/IP stack installed. TCP/IP Filtering is useful from a security standpoint because it works in Kernel mode. In contrast, other methods of controlling inbound access to Windows 2000-based computers, such as by using the IPSec Policy filter and the Routing and Remote Access server, depend on User-mode processes or the Workstation and Server service. 
You can layer your TCP/IP inbound access control scheme by using TCP/IP Filtering with IPSec filters and Routing and Remote Access packet filtering. This approach is especially useful if you want to control inbound and outbound TCP/IP access. TCP/IP Security controls only inbound access.<br />
<br />
<a id="3"></a>How to configure TCP/IP security<br />
<br />
To configure TCP/IP security:<br />
1. Click Start, point to Settings, click Control Panel, and then double-click Network and Dial-up Connections.<br />
2. Right-click the interface on which you want to configure inbound access control, and then click Properties.<br />
3. In the Components checked are used by this connection box, click Internet Protocol (TCP/IP), and then click Properties.<br />
4. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.<br />
5. Click the Options tab.<br />
6. Click TCP/IP filtering, and then click Properties.<br />
7. Select the Enable TCP/IP Filtering (All adapters) check box. When you select this check box, you enable filtering for all adapters, but you configure the filters on a per-adapter basis. The same filters do not apply to all adapters.<br />
8. There are three columns with the following labels:<br />
* TCP Ports<br />
* UDP Ports<br />
* IP Protocols<br />
In each column, you must select either of the following options:<br />
* Permit All. If you want to permit all packets for TCP or UDP traffic, leave Permit All activated.<br />
* Permit Only. If you want to allow only selected TCP or UDP traffic, click Permit Only, click Add, and then type the appropriate port in the Add Filter dialog box.<br />
If you want to block all UDP or TCP traffic, click Permit Only, but do not add any port numbers in the UDP Ports or TCP Port column. You cannot block UDP or TCP traffic by selecting Permit Only for IP Protocols and excluding IP protocols 6 and 17. 
Note that you cannot block ICMP messages, even if you select Permit Only in the IP Protocols column and you do not include IP protocol 1. TCP/IP Filtering can filter only inbound traffic. This feature does not affect outbound traffic or response ports that are created to accept responses from outbound requests. Use IPSec Policies or packet filtering if you require more control over outbound access.<br />
<br />
Posted by Perrydoo<br />
<br />
Hardening CentOS 5<br />
Published 2009-05-17<br />
<br />
<span style="font-weight: bold;">Configure user account</span>. Log out and log back in as that user. Use su wherever required.<br />
 useradd <username><br />
e.g. useradd myodduser<br />
<br />
 passwd myodduser <new><br />
<br />
<span style="font-weight: bold;"> Configure Default runlevel to runlevel 3</span><br />
 Use your favorite text editor to edit /etc/inittab<br />
 Find a line that is similar to the following:<br />
 <span style="font-weight: bold;">id:3:initdefault:</span><br />
<br />
Verify that the number after “id:” is 3. 
If it is not, change it to 3.<br />
<br />
<span style="font-weight: bold;">To restrict virtual terminals to two:</span><br />
Find the following stanza and edit it so that only two virtual terminals are available:<br />
<br />
# Run gettys in standard runlevels<br />
1:2345:respawn:/sbin/mingetty tty1<br />
2:2345:respawn:/sbin/mingetty tty2<br />
3:2345:respawn:/sbin/mingetty tty3<br />
4:2345:respawn:/sbin/mingetty tty4<br />
5:2345:respawn:/sbin/mingetty tty5<br />
6:2345:respawn:/sbin/mingetty tty6<br />
<br />
Change it to:<br />
<br />
# Run gettys in standard runlevels<br />
1:2345:respawn:/sbin/mingetty tty1<br />
2:2345:respawn:/sbin/mingetty tty2<br />
#3:2345:respawn:/sbin/mingetty tty3<br />
#4:2345:respawn:/sbin/mingetty tty4<br />
#5:2345:respawn:/sbin/mingetty tty5<br />
#6:2345:respawn:/sbin/mingetty tty6<br />
<br />
Save /etc/inittab and exit<br />
<br />
<span style="font-weight: bold;">Edit /etc/fstab </span>. For the file systems /tmp, /var, and /home replace the "defaults" with "noexec,nodev,nosuid"<br />
<br />
noexec : Binaries are not allowed to be executed. 
NEVER use this option for your root file system!<br />
nosuid : Blocks the operation of suid, and sgid bits.<br />
nodev : Prevent any user to mount the file system.<br />
<br />
<br />
<span style="font-weight: bold;">Disable unused services</span> in order to save on resources and minimize potential security holes.<br />
The services to be stopped are listed here; check appendix A in case of custom requirements.<br />
<br />
<br />
NetworkManager<br />
NetworkManagerDispatcher<br />
acpid<br />
apmd<br />
autofs<br />
avahi-daemon<br />
avahi-dnsconfd<br />
bluetooth<br />
conman<br />
cpuspeed<br />
cups<br />
dc_client<br />
dc_server<br />
dhcdbd<br />
dund<br />
firstboot<br />
gpm<br />
haldaemon<br />
hidd<br />
ibmasm<br />
ip6tables<br />
ipmi<br />
irda<br />
irqbalance<br />
kdump<br />
kudzu<br />
mcstrans<br />
mdmonitor<br />
mdmpd<br />
microcode_ctl<br />
netfs<br />
netplugd<br />
nfs<br />
nfslock<br />
nscd<br />
oddjobd<br />
pand<br />
pcscd<br />
portmap<br />
rdisc<br />
restorecond<br />
rpcgssd<br />
rpcidmapd<br />
rpcsvcgssd<br />
saslauthd<br />
setroubleshoot<br />
smartd<br />
smb<br />
squid<br />
tux<br />
winbind<br />
wpa_supplicant<br />
xfs<br />
ypbind<br />
yum-updatesd<br />
<br />
<br />
<br />
Disable each one with the following command format:<br />
<br />
chkconfig --level 12345 <servicename_to_be_disabled> off<br />
<br />
To stop any of these services that is currently running:<br />
service <servicename_to_be_stopped> stop<br />
<br />
<span style="font-weight: bold;"> check /etc/hosts</span><br />
It must be in the following format (see the 127.0.0.1 line):<br />
127.0.0.1 localhost.localdomain localhost<br />
IP.AD.DR.ESS machine.domain.name machine<br />
<br />
<br />
<br />
<span style="font-weight: bold;">Edit /etc/host.conf</span><br />
order bind,hosts<br />
multi on<br />
nospoof on<br />
<br />
<br />
<span style="font-weight: bold;">Edit /etc/sysctl.conf - tighten</span><br />
1. net.ipv4.tcp_syncookies = 1 # Enable TCP SYN Cookie Protection<br />
2. net.ipv4.conf.all.accept_source_route = 0 # Disables IP source routing<br />
3. 
net.ipv4.conf.all.accept_redirects = 0 # Disable ICMP Redirect Acceptance<br />4. net.ipv4.conf.all.rp_filter = 1 # Enable IP spoofing protection, turn on source route verification <br />5. net.ipv4.icmp_echo_ignore_broadcasts = 1 # Enable ignoring broadcasts request<br />6. net.ipv4.icmp_ignore_bogus_error_responses = 1 # Enable bad error message Protection<br />7 net.ipv4.conf.all.log_martians = 1 # Log Spoofed Packets, Source Routed Packets, Redirect Packets<br /><br /><span style="font-weight: bold;">Edit /etc/hosts.deny</span><br />portmap: ALL<br /><br /><span style="font-weight: bold;">Edit /etc/hosts.allow</span><br />portmap: localhost<br />portmap: 127.0.0.1<br /><br /><span style="font-weight: bold;">SSH:</span><br />Disable RootLogin, force protocol 2, (explore restricting SSH to users/groups )<br />Protocol 2<br />HostbasedAuthentication no<br />PermitRootLogin no<br />PermitEmptyPasswords no<br />UsePrivilegeSeparation yes<br />AllowTcpForwarding no<br />X11Forwarding no<br />StrictModes yes<br />AllowUsers admin user1 user2 user3 (put actual users here in place of userN)<br /><br /><br /><br /> <div style="text-align: center;"> <span style="font-weight: bold; text-decoration: underline;">Stripping It Down</span><br /> </div><br />Following rpms are to be removed (You may add or remove some packages from this list in order to satisfy your environment.)<br /><br /><br />xkeyboard-config-0.8-7.fc6<br />dosfstools-2.11-6.2.el5<br />finger-0.17-32.2.1.1<br />dos2unix-3.1-27.1<br />esound-0.2.36-3<br />system-config-securitylevel-1.6.29.1-1.el5<br />NetworkManager-0.6.4-6.el5<br />OpenIPMI-2.0.6-5.el5.3<br />apmd-3.2.2-5<br />acpid-1.0.4-5<br />system-config-network-1.3.99-1.el5<br />gnome-python2-gtkhtml2-2.14.2-4.fc6<br />gnome-python2-bonobo-2.16.0-1.fc6<br />xorg-x11-drv-mouse-1.1.1-1.1<br />system-config-display-1.0.48-2.el5<br />xorg-x11-server-Xorg-1.1.1-48.13.0.1.el5<br />xorg-x11-server-Xvfb-1.1.1-48.13.0.1.el5<br />gnome-mime-data-2.4.2-3.1<br 
/>centos-release-notes-5.0.0-2<br />xorg-x11-filesystem-7.1-2.fc6<br />xorg-x11-xauth-1.0.1-2.1<br />xorg-x11-xkb-utils-1.0.2-2.1<br />talk-0.17-29.2.2<br />cpuspeed-1.2.1-1.45.el5<br />hicolor-icon-theme-0.9-2.1<br />alsa-lib-1.0.12-3.el5<br />GConf2-2.14.0-9.el5<br />xorg-x11-utils-7.1-2.fc6<br />bluez-gnome-0.5-5.fc6<br />xorg-x11-xinit-1.0.2-13.el5<br />ypbind-1.19-7.el5<br />firstboot-tui-1.4.27.2-1.el5.centos.1<br />system-config-soundcard-2.0.6-1.el5<br />yp-tools-2.9-0.1<br />system-config-samba-1.2.39-1.el5<br />system-config-kdump-1.0.9-3.el5<br />tux-3.2.18-9.fc6<br />xorg-x11-fonts-base-7.1-2.1.el5<br />gnome-python2-canvas-2.16.0-1.fc6<br />gnome-mount-0.5-3.el5<br />xorg-x11-drv-vesa-1.2.1-5.2.el5<br />xorg-x11-drv-keyboard-1.1.0-2.1<br />xorg-x11-drv-evdev-1.0.0.5-2.el5<br />samba-common-3.0.23c-2.el5.2.0.2<br />xorg-x11-xfs-1.0.2-4<br />samba-client-3.0.23c-2.el5.2.0.2<br />xorg-x11-server-Xnest-1.1.1-48.13.0.1.el5<br />samba-3.0.23c-2.el5.2.0.2<br />gpm-1.20.1-74.1<br />xorg-x11-server-utils-7.1-4.fc6<br />redhat-menus-6.7.8-1.el5<br />metacity-2.16.0-8.el5<br />alsa-utils-1.0.12-3.fc6<br />OpenIPMI-libs-2.0.6-5.el5.3<br />portmap-4.0-65.2.2.1<br />nfs-utils-1.0.9-16.el5<br />system-config-nfs-1.3.23-1.el5<br />subversion-1.4.2-2.el5<br />gnome-python2-gconf-2.16.0-1.fc6<br />gnome-python2-extras-2.14.2-4.fc6<br />gnome-python2-gnomevfs-2.16.0-1.fc6<br />xorg-x11-drv-void-1.1.0-3.1<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /> <div style="text-align: center;"> <span style="font-weight: bold;">Security and management tool installations and fine tuning:</span><br /> </div><br />Security Tools Download, install and run:<br /><br /><span style="font-weight: bold;">a. chkrootkit - http://www.chkrootkit.org/download/</span><br />Download to /usr/local/src<br />Extract using "tar -zxf"<br />Compile & Install using "make sense"<br />Run chkrootkit<br /><br /><span style="font-weight: bold;">b. 
rkhunter - http://www.rootkit.nl/projects/rootkit_hunter.html</span><br />
Download to /usr/local/src<br />
Extract using "tar -zxf"<br />
Install using installer.sh:<br />
./installer.sh --layout /usr/local --install<br />
rkhunter --update<br />
Run "rkhunter -c --createlogfile"<br />
<br />
<br />
<br />
<span style="font-weight: bold;">Management Tool: Download, install, configure: Webmin with SSL</span><br />
<br />
Package Dependencies<br />
Ensure openssl and openssl-devel are installed<br />
rpm -q openssl<br />
rpm -q openssl-devel<br />
If they are not installed, install them using:<br />
yum install openssl openssl-devel -y<br />
(Mention ONLY those packages that need to be installed).<br />
<br />
<span style="font-weight: bold;">Download the Webmin</span> RPM - http://www.webmin.com/<br />
Download the RPM to /usr/local/src<br />
Install using rpm -Uvh<br />
Go to https://IP.AD.DR.ESS:10000 to configure. Log in with user root and its password<br />
1. Under Webmin -> Users -> Edit the root user. Rename root user to "admin"<br />
2. Under Logging ensure all events by all users are logged<br />
3. Change the port from 10000 to a suitable one above 50000 (and below 60000).<br />
4. Under Authentication - set the idle time-out to 5 minutes.<br />
<br />
<span style="font-weight: bold;">d. Perl Libraries</span><br />
<br />
Net::SSLeay - http://www.cpan.org/modules/by-module/Net/Net_SSLeay.pm-1.30.tar.gz<br />
Download to /usr/local/src/<br />
Extract with tar -xzf<br />
Prepare with "perl Makefile.PL"<br />
Compile & Install with "make install"<br />
Test installation with "perl -e 'use Net::SSLeay'". You should be returned to the prompt. If you get errors, the installation did not succeed.<br />
<br />
<br />
<br />
<span style="font-weight: bold;">e. 
Portsentry -</span> ftp://194.199.20.114/linux/freshrpms/fedora/linux/1/portsentry/portsentry-1.1-11.fr.i386.rpm<br />
Download the RPM to /usr/local/src<br />
Install using rpm -Uvh<br />
Edit /etc/portsentry/portsentry.conf<br />
Edit /etc/portsentry/portsentry.modes<br />
Edit /etc/portsentry/portsentry.ignore<br />
Start portsentry.<br />
<br />
<span style="font-weight: bold;">f. Checksuite - http://checksuite.sourceforge.net/</span><br />
Download the RPM to /usr/local/src<br />
Install using rpm -Uvh<br />
<br />
<br />
<span style="font-weight: bold;">g. Fine Tuning IPTABLES:</span><br />
Edit /etc/sysconfig/iptables<br />
<br />
Insert rules so that only trusted IP addresses can access the SSH port.<br />
<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s <trusted> -j ACCEPT<br />
<br />
These rules must be added before the following rule:<br />
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited<br />
<br />
<br />
Also make sure the other ports you need are kept open (those considered under Pre-Installation preparation).<br />
<br />
Posted by Perrydoo<br />
<br />
PacMan: THE LAST FIGHT<br />
Published 2009-05-04<br />
<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGnz_5mulf578q9fimDlA6dx8pXmoYCI4aEwwjdQ1V3mGvxoBn2A8iFtt1bSflRB0HpEMH9vqBZlNKHFr1PDgM_dbZO7TdUFsQtYJiVGkx7eNiqt_2bMpmuWVvw9aweTUycYln/s1600-h/Pacquiao+VS+Logan.jpg"><img style="cursor: pointer; width: 497px; height: 397px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGnz_5mulf578q9fimDlA6dx8pXmoYCI4aEwwjdQ1V3mGvxoBn2A8iFtt1bSflRB0HpEMH9vqBZlNKHFr1PDgM_dbZO7TdUFsQtYJiVGkx7eNiqt_2bMpmuWVvw9aweTUycYln/s400/Pacquiao+VS+Logan.jpg" alt="" id="BLOGGER_PHOTO_ID_5331842794364442578" border="0" 
/></a><br />
Posted by Perrydoo<br />
<br />
How To: Transfer your PuTTY settings between computers<br />
Published 2009-04-26<br />
<br />
<span style="font-weight: bold;">Exporting Your PuTTy Configuration</span><br />
<br />
Putty stores its settings in the Windows registry. To save a backup of your Putty settings, you'll need to export this registry key to a file.<br />
<br />
HKEY_CURRENT_USER\Software\SimonTatham<br />
<br />
(<a href="http://www.chiark.greenend.org.uk/%7Esgtatham/putty/team.html" style="">Simon Tatham is the original developer responsible for PuTTy</a>)<br />
<br />
1. Click Start->Run and type "RegEdt32" in the "Open" dialog. Click "Ok"<br />
<br />
<div style="text-align: center;"><img src="http://www.blogcdn.com/www.downloadsquad.com/media/2007/02/run-dialog-regedt32.jpg" alt="" vspace="4" width="347" border="0" height="186" hspace="4" /><br /></div><br />
2. Once RegEdt32 starts, you'll be presented with an application which looks something like:<br />
<br />
<div style="text-align: center;"><img src="http://www.blogcdn.com/www.downloadsquad.com/media/2007/02/regedt32-425px.jpg" alt="" vspace="4" width="425" border="0" height="309" hspace="4" /><br /></div><br />
3. Press "Ctrl+F" to bring up the Find dialog. Enter the name of the key, "SimonTatham", in the "Find What" field, and make sure only "Keys" is checked in the "Look At" section of the dialog. Finally, click "Find Next"<br />
<br />
<img src="http://www.blogcdn.com/www.downloadsquad.com/media/2007/02/regedt32-find-dialog.jpg" alt="" vspace="4" width="402" border="0" height="188" hspace="4" /><br />
<div style="text-align: left;"><br />
4. The search may take a while, reminding us that the Windows Registry is a large and mysterious place where dragons be. 
Let's use these few seconds to reflect on the fact that <span style="font-style: italic; font-weight: bold;">you should never, ever, never change things in the registry unless you are absolutely, positively, totally, completely</span><span style="font-style: italic; font-weight: bold;">, 100%</span><span style="font-style: italic; font-weight: bold;"> dead sure that you know exactly what you're doing</span>. When the search completes we'll see the key name for which we're looking.<br /><br /><div style="text-align: center;"><img src="http://www.blogcdn.com/www.downloadsquad.com/media/2007/02/the-simontatham-key-400px.jpg" alt="" vspace="4" width="400" border="1" height="165" hspace="4" /><br /><div style="text-align: left;"><br />5. Click File->Export. Give your file an appropriate name like, "putty.reg" and click "Save"<br /><br /><div style="text-align: center;"><img src="http://www.blogcdn.com/www.downloadsquad.com/media/2007/02/export-registry-file-400px.jpg" alt="" vspace="4" width="425" border="1" height="389" hspace="4" /></div> </div> </div> </div> <div style="text-align: left;"><br />6. We're done! Save the putty.reg file somewhere safe. The file doesn't contain any passwords or actual SSH key values so, it's relatively safe from prying eyes. Still, it does contain your configuration and that kind of data is a private matter. </div> <div style="text-align: left;"><br /><span style="font-weight: bold; text-decoration: underline;">Importing Your PuTTy Configuration</span><br /><br />To import your saved PuTTy configuration on any other Windows computer simply copy your exported registry key, right click on the file and click "Merge"<br /><br /><div style="text-align: center;"><img src="http://www.blogcdn.com/www.downloadsquad.com/media/2007/02/putty_registry_import-425px.jpg" alt="" vspace="4" border="1" hspace="4" /><br /><div style="text-align: left;"><br />Windows will ask you for confirmation that you want to import this set of registry values. 
We know this file is safe because we created it, but <span style="font-weight: bold; font-style: italic;">you should never import registry information from an unknown source</span>.<br />
<br />
<div style="text-align: center;"><img src="http://www.blogcdn.com/www.downloadsquad.com/media/2007/02/putty-import-confirm-425px.jpg" alt="" vspace="4" width="425" border="0" height="87" hspace="4" /></div> </div> </div> </div><br />
That's all you need to know about moving your PuTTy configuration from one machine to another. This can be really useful information when upgrading to a new PC or, if you're an office IT guy where your users all have a standard list of servers they need to connect via SSH, you can create a reference configuration on one machine and "share" it between every computer in the office.<br />
<br />
<br />
<span style="font-weight: bold; font-style: italic;font-size:78%;" ><span style="font-family: arial;">source: http://www.downloadsquad.com/2007/02/01/howto-transfer-your-putty-settings-between-computers/</span></span><br />
Posted by Perrydoo<br />
<br />
ip_conntrack: table full, dropping packet.<br />
Published 2009-04-14, updated 2009-04-15<br />
<br />
<pre><span style="font-weight: bold;">www kernel: printk: 1 messages suppressed.</span><br /><span style="font-weight: bold;">www kernel: ip_conntrack: table full, dropping packet.</span><br /><br /><br /><strong>Reason behind this error:<br /><br /></strong>Iptables under Linux maintains a list of connections passing<br />through the router. Each connection tracking entry contains defined<br />characteristics of the packet, including the source and destination<br />IP address and port number. The connection tracking entries are<br />ultimately stored in a hash table with a fixed size. 
If the router<br />reaches the maximum number of connection tracking entries, it will<br />log an error:<br /><br />"ip_conntrack: table full, dropping packet"<br /><br />The maximum size of the connection tracking table can be increased.<br />The maximum size value is stored in the router's proc filesystem<br />in the file /proc/sys/net/ipv4/ip_conntrack_max. Increasing the<br />maximum size of the connection tracking table to a value larger than<br />the total number of connections will eliminate the error message<br />and prevent the router from dropping connections due to a lack of<br />space in the connection tracking table.<br /><br /><br /># This tells you how many sessions are open right now.<br />cat /proc/net/ip_conntrack | wc -l<br /># This tells you the maximum number of conntrack entries you can have in total<br />cat /proc/sys/net/ipv4/ip_conntrack_max<br /><br />Once the current count reaches the maximum, you should start<br />seeing these messages. I would increase the maximum by running:<br /><br />echo "&lt;some_bigger_number&gt;" > /proc/sys/net/ipv4/ip_conntrack_max<br /><br />or if you want it to span reboots, you can place the following in<br />/etc/sysctl.conf<br /><br />net.ipv4.ip_conntrack_max = &lt;some_big_number&gt;<br /></pre>
Posted by Perrydoo<br />
<br />
Install Squid on CentOS / RHEL 5<br />
Published 2009-04-13<br />
<p>Use the yum command as follows:<br /><code># yum install squid</code><br /></p> <pre>Loading "installonlyn" plugin<br />Setting up Install Process<br />Setting up repositories<br />Reading repository metadata in from local files<br />Parsing package install arguments<br />Resolving Dependencies<br />--> Populating transaction set with selected packages. 
Please wait.<br />--> Package squid.i386 7:2.6.STABLE6-4.el5 set to be updated<br />--> Running transaction check<br /><br />Dependencies Resolved<br /><br />=============================================================================<br />Package Arch Version Repository Size<br />=============================================================================<br />Installing:<br />squid i386 7:2.6.STABLE6-4.el5 updates 1.2 M<br /><br />Transaction Summary<br />=============================================================================<br />Install 1 Package(s)<br />Update 0 Package(s)<br />Remove 0 Package(s) <br /><br />Total download size: 1.2 M<br />Is this ok [y/N]: y<br />Downloading Packages:<br />Running Transaction Test<br />Finished Transaction Test<br />Transaction Test Succeeded<br />Running Transaction<br />Installing: squid ######################### [1/1]<br /><br />Installed: squid.i386 7:2.6.STABLE6-4.el5<br />Complete!</pre> <h2>Squid Basic Configuration</h2> <p>The Squid configuration file is located at /etc/squid/squid.conf. Open the file using a text editor:<br /><code># vi /etc/squid/squid.conf</code><br />At a minimum, you need to define an ACL (access control list) to work with Squid. The default port is TCP 3128. The following example ACL allows access from your local networks 192.168.1.0/24 and 192.168.2.0/24. Make sure you adapt the list to the internal IP networks from which browsing should be allowed:<br /><code>acl our_networks src 192.168.1.0/24 192.168.2.0/24<br />http_access allow our_networks</code></p> <p>Save and close the file. Start the Squid proxy server:<br /><code># chkconfig squid on<br /># /etc/init.d/squid start</code><br /></p> <pre>init_cache_dir /var/spool/squid... Starting squid: . 
[ OK ]</pre> <p>Verify port 3128 is open:<br /><code># netstat -tulpn | grep 3128</code><br /></p><pre>tcp 0 0 0.0.0.0:<span style="color: rgb(255, 0, 0);">3128</span> 0.0.0.0:* <span style="color: rgb(255, 0, 0);">LISTEN</span> 20653/(squid)</pre> <h2>Open TCP port 3128</h2> <p>Finally, make sure iptables allows access to the Squid proxy server. Open the /etc/sysconfig/iptables file:<br /><code># vi /etc/sysconfig/iptables</code><br />Append the configuration:<br /><code>-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT</code><br />Restart the iptables-based firewall:<br /><code># /etc/init.d/iptables restart</code><br /></p><pre>Flushing firewall rules: [ OK ]<br />Setting chains to policy ACCEPT: filter [ OK ]<br />Unloading iptables modules: [ OK ]<br />Applying iptables firewall rules: [ OK ]<br />Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]</pre> <h2>Client configuration</h2> <p>Open a web browser > Tools > Internet option > Network settings > and set up the Squid server IP address and port # 3128.</p>
Posted by Perrydoo<br />
<br />
Update The Root Hints Data File for BIND Named Server<br />
Published 2009-03-25<br />
<p>Use the <a href="http://www.cyberciti.biz/faq/wget-command-with-username-password/">wget command to retrieve the file</a> and store it in /etc/bind/db.root (Debian / Ubuntu Linux), enter:<br /><code style="font-weight: bold;"># wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /etc/bind/db.root</code><br /> </p><p>Under Red Hat / CentOS / Fedora Linux, the default location is /var/named/named.root, enter:<br /><code># wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /var/named/named.root</code><br /></p><p>Run rndc reload to update the information, enter:<br /><code># rndc reload</code><br /></p><p>Another option is to run the dig 
command to fetch information:<br /><code style="font-weight: bold;"># dig +bufsize=1200 +norec NS . @a.root-servers.net > /var/named/named.root</code></p> <p>The root zone's nameservers change over time, so don't assume this list is current. Downloading a new version of db.cache once or twice a year is sufficient. You can also schedule a cron job to update the file. The best place to get updates about this file is the bind-users mailing list.</p><p><br /></p> <h2>Sample updated root hints data file</h2> <pre>; This file holds the information on root name servers needed to<br />; initialize cache of Internet domain name servers<br />; (e.g. reference this file in the "cache . <file>"<br />; configuration file of BIND domain name servers).<br />;<br />; This file is made available by InterNIC<br />; under anonymous FTP as<br />; file /domain/db.cache<br />; on server FTP.INTERNIC.NET<br />; -OR- RS.INTERNIC.NET<br />;<br />; last update: Feb 04, 2008<br />; related version of root zone: 2008020400<br />;<br />; formerly NS.INTERNIC.NET<br />;<br />. 3600000 IN NS A.ROOT-SERVERS.NET.<br />A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4<br />A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30<br />;<br />; formerly NS1.ISI.EDU<br />;<br />. 3600000 NS B.ROOT-SERVERS.NET.<br />B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201<br />;<br />; formerly C.PSI.NET<br />;<br />. 3600000 NS C.ROOT-SERVERS.NET.<br />C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12<br />;<br />; formerly TERP.UMD.EDU<br />;<br />. 3600000 NS D.ROOT-SERVERS.NET.<br />D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90<br />;<br />; formerly NS.NASA.GOV<br />;<br />. 3600000 NS E.ROOT-SERVERS.NET.<br />E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10<br />;<br />; formerly NS.ISC.ORG<br />;<br />. 3600000 NS F.ROOT-SERVERS.NET.<br />F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241<br />F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f<br />;<br />; formerly NS.NIC.DDN.MIL<br />;<br />. 3600000 NS G.ROOT-SERVERS.NET.<br />G.ROOT-SERVERS.NET. 
3600000 A 192.112.36.4<br />;<br />; formerly AOS.ARL.ARMY.MIL<br />;<br />. 3600000 NS H.ROOT-SERVERS.NET.<br />H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53<br />H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803f:235<br />;<br />; formerly NIC.NORDU.NET<br />;<br />. 3600000 NS I.ROOT-SERVERS.NET.<br />I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17<br />;<br />; operated by VeriSign, Inc.<br />;<br />. 3600000 NS J.ROOT-SERVERS.NET.<br />J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30<br />J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30<br />;<br />; operated by RIPE NCC<br />;<br />. 3600000 NS K.ROOT-SERVERS.NET.<br />K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129<br />K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1<br />;<br />; operated by ICANN<br />;<br />. 3600000 NS L.ROOT-SERVERS.NET.<br />L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42<br />;<br />; operated by WIDE<br />;<br />. 3600000 NS M.ROOT-SERVERS.NET.<br />M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33<br />M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35<br />; End of File<br /></file></pre>Perrydoohttp://www.blogger.com/profile/03741959447885094425noreply@blogger.com0
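
The wget and dig commands in the root hints post write straight over the live hints file, so a truncated or altered download becomes the resolver's starting point for the root. The following added example (not part of the original post) checks a staged download and only then swaps it in with an atomic rename; the function names and the staging path are hypothetical, and the check assumes the 13 root server names A to M shown in the sample file.

```shell
#!/bin/sh
# Added example (not from the original post): validate a freshly downloaded
# root hints file before it replaces the one named is using.

# Exit 0 only if FILE lists exactly the 13 root servers A-M as NS records for "."
# and every one of them has a well-formed IPv4 A record.
check_root_hints() {
    awk '
        /^[ \t]*;/ || NF < 4 { next }          # skip comments, blanks, fragments
        {
            owner = toupper($1); rtype = toupper($(NF - 1)); rdata = toupper($NF)
            if (owner == "." && rtype == "NS") {
                if (rdata !~ /^[A-M]\.ROOT-SERVERS\.NET\.$/) bad = "unexpected NS " rdata
                ns[rdata] = 1
            } else if (rtype == "A") {
                n = split(rdata, o, ".")
                ok = (n == 4)
                for (k = 1; k <= 4 && ok; k++) ok = (o[k] ~ /^[0-9]+$/ && o[k] + 0 <= 255)
                if (ok) addr[owner] = 1
            }
        }
        END {
            for (name in ns) { count++; if (!(name in addr)) bad = "no A record for " name }
            if (count != 13) bad = "expected 13 root NS records, found " (count + 0)
            if (bad != "") { print "root hints check failed: " bad; exit 1 }
        }
    ' "$1" >&2
}

# Replace DEST with NEW only if NEW passes the check. The copy is written to a
# temporary file in the same directory and renamed, so named never sees a
# half-written hints file.
install_root_hints() {
    local new=$1 dest=$2 tmp
    check_root_hints "$new" || { echo "keeping existing $dest" >&2; return 1; }
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if cat "$new" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f -- "$tmp"
    return 1
}

# Constructed test input: NS records for A-M plus the A records copied from the
# 2008 sample file on this page (not current data).
sample_root_hints() {
    local l
    for l in A B C D E F G H I J K L M; do
        echo ". 3600000 NS $l.ROOT-SERVERS.NET."
    done
    cat <<'EOF'
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
EOF
}

# Usage (hypothetical script name and staging path):
#   ./update-hints.sh /var/tmp/db.cache.new /var/named/named.root && rndc reload
if [ "$#" -eq 2 ]; then install_root_hints "$1" "$2"; fi
```

Point the wget command at the staging path instead of the live file, then run the script; rndc reload only runs when the new file was accepted.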