Monday, 28 June 2010
mysql, sendmail, postfix, dovecot
simple mysql command
#yum -y install mysql-server mysql php-mysql
#mysql -u root
#mysqladmin -u root password 'mypassword'
3/6 (Thur) Send mail, postfix, dovecot
Setup sendmail
yum -y install m4 sendmail-cf
vi /var/named/zone.file //add MX record into domain zone file
www A 10.1.1.1
@ A 10.1.1.1
mail CNAME www
MX 10 10.1.1.1
/etc/init.d/named restart
vi /etc/mail/sendmail.mc
DAEMON_OPTIONS('Port=smtp,Addr=0.0.0.0,Name=MTA')dnl //change Addr from 127.0.0.1 to 0.0.0.0
m4 sendmail.mc >sendmail.cf
service sendmail restart
vi /etc/mail/local-host-names
in234.lpi //add hostname to in234.lpi
//test sendmail
mail -u owner
less /var/mail/owner
Setting Postfix
yum -y install postfix
vi /etc/postfix/main.cf
myhostname=in234.lpi
inet_interfaces=all
mydestination=$myhostname,localhost.$mydomain,$mydomain
mynetworks=10.1.1.0/24,127.0.0.0/8
/etc/init.d/postfix restart
//test postfix
mail -s test owner@in234.lpi
less /var/mail/owner
//view mail queue
postqueue -p
postqueue -s //flush all queue mails
Setup a pop3 server - dovecot
#yum -y install dovecot
#service dovecot start
Use X server email client Evolution Mail to test to receive email.
Friday, 18 June 2010
Apache htaccess Digest Authentication config
Step 1
Then create .htaccess file in it
vi /var/www/html/.htaccess
AuthName "myauth"
Authtype Digest
AuthDigestProvider file
AuthUserFile /etc/httpd/conf.d/.digpass
Require valid-user
Step 2
issue the follow command to create login account
htdigest -c /etc/httpd/conf.d/.digpass myauth tom
ps.: Don't forget to change "AllowOverride AuthConfig" in httpd.conf
Thursday, 17 June 2010
How to change the listening port for Remote Desktop
Applied to Windows XP Professional, Windows server 2003
Reference link: http://support.microsoft.com/kb/306759
Tuesday, 15 June 2010
Tomcat5 + Apache on Centos
The easy way is yum install tomcat5 tomcat5-webapps
Testing:
netstat -ntlp <-----------Check the default 8080 port is ready
http://localhost:8080/ <------Test the url
If you don't wanna join tomcat to apache2 you can stop here.
Join Tomcat to Apache2
There are several ways to join tomcat to apache2
jk (mod_jk)
http_proxy (mod_proxy)
proxy_ajp (mod_proxy_ajp)
Now I use the easiest way - ajp_proxy:
vi /etc/httpd/conf.d/proxy_ajp.conf
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyPass /tomcat/ ajp://localhost:8009/
Double check the proxy_ajp.conf have included in httpd.conf
restart httpd and test with url "http://localhost/tomcat/"
Thursday, 10 June 2010
Clamav install with yum in Centos
vi /etc/yum.repos.d/dag.repo
[dag]
name=Dag RPM Repository for RHEL5
baseurl=http://ftp.riken.jp/Linux/dag/redhat/el5/en/$basearch/dag/
enabled=1
gpgcheck=1
2: Download and import the key
wget http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
rpm --import RPM-GPG-KEY.dag.txt
3: yum install clamd
Tuesday, 8 June 2010
Backing up the Linux master boot record
In the previous three parts of this series you've learned about recovering Linux using a Knoppix rescue CD, how to troubleshoot Linux boot problems and how to fix problems related to the GRUB boot loader, which often is installed in the master boot record (MBR) of your computer. As the MBR is an essential part of your computer that not only contains GRUB, but the partition table as well, it's a good idea to make a backup of it. In this article you'll learn how to do that.
Hopefully you are reading this article before you are in trouble. If that's the case, it is a good idea to make a backup of the MBR of your primary hard disk. This sector of only 512 bytes contains information that is vital to boot your computer and by creating a backup, you make it a lot easier to fix any problem that is related to either GRUB or the partition table. If you have such a backup (don't forget to create it again after making major changes!), you just have to restore the backup if you get into serious trouble.
Finding the master boot record on Linux
To make a backup of your MBR, you need to know what the name is of your primary hard disk. On most Linux computers, this will be /dev/sda, but other names may occur as well. You can find out which name is used for your computers primary hard drive by using the fdisk –l
command. The storage device that is listed first is most likely your computer's primary hard disk.
Backing up the MBR using dd
I'll assume that the name of the hard disk that contains the MBR is /dev/sda. You can use the dd
command to make a backup of it. One of the major benefits of dd
, is that it allows you to copy blocks, no matter where on your computer's hard drive these blocks are. The following command for instance would create a backup of the MBR:
dd if=/dev/sda of=/boot/backup_mbr bs=512 count=1
The structure of this command is not too hard to understand. The dd
command always works with two parts, the input file, which is referred to by using the if
parameter, and the output file, which is referred to by using the of
parameter. The nice thing about dd
is that for both parameters, you can use the name of a regular file, but also the name of a block device. So in the example above, the input file is your computer hard drive and the output file is a file with the name backup_mbr, which is created in the directory /boot. Next, the parameter bs=512
makes sure that a 512 bytes block is written, and by using count=1
you make sure that only one of those blocks is written.
As you can see, in this example I've chosen to write this backup file to the directory /boot. That is on purpose: /boot is always on a traditional partition and cannot be on an LVM logical volume (this will be discussed later in this series of articles), and by putting the backup file on a traditional partition, you make it much easier to access it later in case of trouble.
Restoring the Linux master boot record
Now if you are having boot problems that are related to the MBR, you can boot your computer from a rescue CD, such as a Knoppix CD. Once you have mounted the /boot partition on the appropriate device, you can use the following command to restore the backup of your MBR to hard disk:
dd if=/boot/backup_mbr of=/dev/sda bs=512 count=1
Troubleshooting is much easier if you take some precautionary measures. One of these is making a backup of the MBR of your computer's primary hard disk. In this article you've read how to do that. This back up comes in handy if you're having problems that are related to the MBR, such as GRUB or partition problems. If that occurs, you just have to restore the backup as described in this article.
ABOUT THE AUTHOR: Sander van Vugt is an author and independent technical trainer, specializing in Linux since 1994. Vugt is also a technical consultant for high-availability (HA) clustering and performance optimization, as well as an expert on SLED 10 administration.
Reference link:
http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1362240_mem1,00.html
Fixing Linux boot problems with GRUB
In the previous two parts of this series (Recovering Linux using Knoppix and Troubleshooting Linux boot problems), you have acquired some background knowledge that will help you fix Linux boot problems. Here, you'll read what you can do when your computer doesn't boot because of an error in the bootloader GRUB.
To start Linux, you need GRUB. But you may encounter a problem with GRUB that prevents your computer from booting properly. You will know this has occured because one of the following symptoms will be present:
- GRUB is completely wiped and you see nothing but a blinking cursor when your server boots.
- GRUB generates a generic GRUB error message
- GRUB indicates that it cannot find a file it needs.
If you are having GRUB problems, there are two approaches to fix them. You can re-install GRUB and you can try to start your computer by manually entering GRUB in the command line. Let's start by looking how you can re-install GRUB. After that, you'll read how to manually load GRUB if you encounter a GRUB error.
Reinstalling GRUB
If you have a serious problem with the MBR on your computer, it can happen that you only see a blinking cursor at the moment your computer boots. If you have a serious problem with the MBR it is unlikely you have GRUB, therefore, you don't see a GRUB error message. Basically, in that situation it is impossible to boot your computer, so you need a rescue-CD to start it. You can use Knoppix to boot your computer.
Make sure that everything on your hard disk is mounted as described in the article mentioned before, enter a chroot environment and next use the grub-install
command to install GRUB again. In case you want to install GRUB in the MBR and the hard disk is addressed by the device file /dev/sda, you would use the command grub-install /dev/sda
. This command reads the GRUB configuration file (/boot/grub/menu.lst on most distributions) and based on that, writes the new GRUB bootloader to the MBR.
Here is what you will see when using grub-install
to re-install GRUB
root@Knoppix:/# grub-install /dev/sda
You shouldn't call /sbin/grub-install. Please call /usr/sbin/grub-install instead!
Searching for GRUB installation directory ... found: /boot/grub
Installation finished. No error reported.
This is the contents of the device map /boot/grub/device.map.
Check if this is correct or not. If any of the lines is incorrect,
fix it and re-run the script `grub-install'.
(hd0) /dev/sda
Booting manually with GRUB
It's not always necessary to re-install GRUB. If the GRUB code still exists, but due to an issue in the GRUB configuration file you are unable to boot anymore, you can try to reboot manually. This is the best approach if GRUB gives an error message and stops. By entering all GRUB commands manually, you can see exactly where the problem occurs and that helps you in fixing the problem. In the next procedure, you can read how to manually load the GRUB configuration.
- To enter the GRUB boot menu, watch carefully what your computer is doing when it boots. In most cases, it shows you have to press the Escape key at the moment GRUB is processed. This brings you to the GRUB command line. Alternatively, you can boot from a rescue CD and enter the command grub to open the GRUB command line interface. Here is an example of this interface.
Click on image for larger version
From the GRUB command line interface, it's easy to troubleshoot GRUB.
- Fortunately, the GRUB shell offers you help, so that it's not strictly necessary to remember all the right commands. To get an overview of all commands that are available, just type the help command.
Click on image for larger version
Type "help" to get an overview of all available commands.
- Loading GRUB manually requires entering all of the commands from the /boot/grub/menu.lst file manually. The best approach to do this is to look at the current contents of the menu.lst. You can do that from the GRUB shell by entering the command
cat /boot/grub/menu.lst
. Somewhere in this file (which may contain lots of comments) you will read what your computer needs to boot.
Click on image for larger version
Make sure that you enter the correct commands, display the contents of the menu.lst file to get a good example.
- With the example on your computer's monitor, you can manually enter all the GRUB lines. That means that you have to enter the root, kernel and initrd lines. The following three lines give an example of what this could look like:
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-16-server root=/dev/sda2 ro splash
initrd /boot/initrd-2.6.24-16-server - After entering these commands, your computer awaits further instructions. Basically, that means you have to enter the boot command now. By entering this command, the boot process starts. Monitor it carefully to make sure that there are no errors when booting. As your server refused to boot normally, there are chances that it will give you an error as well if you manually enter the lines from the menu.lst. If it does, make sure to find the error and try booting again, until it works out well.
At the very first stage in the boot procedure, GRUB is loaded. Things can go wrong at that stage, especially if there is an error in the MBR, in the GRUB configuration file itself, or in one of the files that is loaded by GRUB. If that happens, you can enter all the GRUB commands manually to find out what's wrong. If that doesn't work, you can also choose to reinstall GRUB.
ABOUT THE AUTHOR: Sander van Vugt is an author and independent technical trainer, specializing in Linux since 1994. Vugt is also a technical consultant for high-availability (HA) clustering and performance optimization, as well as an expert on SLED 10 administration.
Reference link:
http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1361319_mem1,00.html
Recovering your Linux server with a Knoppix rescue disk
Booting your server using a Knoppix rescue CD is easy. Just put the disk in your server's optical drive and restart the server, next the Knoppix operating system starts loading automatically. But it doesn't immediately give you access to the files on your hard drive. You have to mount all file systems on your server yourself -- assuming you can still mount them. The procedure that is described in this article helps you in fixing boot problems that are not caused by file system errors. If your server's file systems have errors that prevent them from being mounted, the procedure described in this article will help you find a solution, but there may be additional steps required.
Mounting the Linux file systems
To access the root file systems on your server using a Knoppix rescue CD, you'll have to mount it. This is also true for other file systems on your server. When using a rescue system, you'll have to mount the root directory on a temporary directory. Most distributions have a directory /mnt which exists for this purpose, so it's a good idea to use it and mount your file system on it. But, there is a potential problem: most utilities assume that your configuration files are in a very specific directory; if your distribution is looking for /boot/grub/menu.lst for instance, the tools may be incapable of understanding that it is in /mnt/boot/grub/menu.lst instead. Therefore, you need to make sure that everything that is mounted on /mnt, is presented to the operating system as mounted directly in the / directory. The following procedure shows you how to do that.
- Boot your computer, using the Knoppix CD. You'll see the Knoppix welcome screen next. From here, press Enter to start loading Knoppix.
- While loading, Knoppix will wait a while to show you all available languages. If you don't select anything, English is started automatically. Once completely started, you'll get access to the Knoppix desktop.
- To restore access to your server, you'll need to open a terminal window from Knoppix. By default, after opening a terminal window you'll get the access permissions of an ordinary user. To be able to repair your server, you need root permissions. You'll get them using the sudo su command.
- Now use the mount command. This command shows you that currently no file systems are loaded at all, but everything you see is in a RAM drive.
Click on image for larger version
By default, Knoppix loads RAM disks only. - In case you don't know exactly how storage in your server is organized, you'll need to check what partitions and disks are used. The
fdisk -l
command gives a good start for that. This command shows you all disks that are available on your server (also if they are LUN's offered by a SAN), and it will show you which partitions exist on these disks. The disk names typically start with /dev/sd (although other names may be used), and are followed by a letter. The first disk is /dev/sda, the second disk is /dev/sdb and so on. On the disks, you'll find partitions that are numbered as well. For instance, /dev/sda1 is the first partition on the first disk on your server. Here is an example of what a typical disk layout may look like:
Use fdisk -l to show the current disk layout of your server.
ilulissat:/ # fdisk -l
Disk /dev/sda: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sda1 * 1 13 104391 83 Linux
/dev/sda2 14 30 136552+ 82 Linux swap / Solaris
/dev/sda3 31 553 4200997+ 83 Linux
- Now it's time to find out what exactly you are seeing. If it looks like the example above, it's not too hard to find out which is the root file system. You can see that there are two partitions using partition type 83 (which means they contain a Linux file system). One of them however is only 12 cylinders, and as each cylinder is about 8 MB only, it's too small to contain a root file system. The second partition is using partition type 82, so it contains a swap file system. Therefore, the only partition that can possibly contain the root file system, is /dev/sda3.
- Now that you know which partition contains the root file system, it's time to mount it. As mentioned before, it's a good idea to do that on the /mnt directory, Knoppix doesn't use it for anything useful anyway. So in this case, the command to use would be mount /dev/sda3 /mnt
- A quick check should show you at this point that you have correctly mounted the root directory. Before you activate the chroot environment, you'll need access to some system directories as well. Most important of them are /proc and /dev. These directories normally are created automatically when booting. That means they do exist in your Knoppix root directory, but once you've changed /mnt to become your new root directory, you'll find them empty. As you really need /proc and /dev to fix your problems, mount them before doing anything else. The next two commands should help you mounting them.
mount -o bind /dev /mnt/dev
mount -t proc proc /mnt/proc
- Once you are at this point, your entire operating system is accessible from /mnt. You can verify this now, by activating the directory (use cd /mnt). At this point your prompt looks like
root@Knoppix:/mnt#
. Now use the commandchroot .
to make the current directory (.) your new root directory. This brings you to the real root of everything that is installed on your server's hard drive.
- As Linux servers tend to use more than one partition, you may have to mount other partitions as well, before you can really fix all problems. If for instance the directory /usr is on another partition, you won't be able to do anything before you have made that accessible as well. The only task to perform at this moment, is to find out which file system is mounted where exactly. There is however an easy answer to that question: /etc/fstab. In this file you'll see exactly what is mounted when your server normally boots. So check the contents of /etc/fstab and perform all mounts defined in there manually. Or make yourself easy and use mount -a. This command will mount all file systems automatically which haven't been mounted yet.
Now, you'll have full access to all utilities on your server's hard drive, and more important, to all files -- time to analyze what went wrong and restore access. But make sure that you start by using a backup at this point!
To fix any problems on your computer, you have to make sure to restore full access to your system. You can do this by mounting all file systems on your computer, and after that by making them accessible by using the chroot
command. This way you are ensured that all tools see the server's file system as it really is, and that will make it a lot easier for you to restore access.
ABOUT THE AUTHOR: Sander van Vugt is an author and independent technical trainer, specializing in Linux since 1994. Vugt is also a technical consultant for high-availability (HA) clustering and performance optimization, as well as an expert on SLED 10 administration.
Reference link: http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1358366_mem1,00.html
Thursday, 3 June 2010
Default cluster size for NTFS, FAT, and exFAT
If no cluster size is specified during format, defaults are selected based on the size of the partition. These defaults have been selected to reduce the amount of space lost and to reduce the amount of fragmentation on the partition.
Default cluster sizes for NTFS
The following table describes the default cluster sizes for NTFS.
Volume size | Windows NT 3.51 | Windows NT 4.0 | Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 |
---|---|---|---|
7 MB–512 MB | 512 bytes | 4 KB | 4 KB |
512 MB–1 GB | 1 KB | 4 KB | 4 KB |
1 GB–2 GB | 2 KB | 4 KB | 4 KB |
2 GB–2 TB | 4 KB | 4 KB | 4 KB |
2 TB–16 TB | Not Supported* | Not Supported* | 4 KB |
16TB–32 TB | Not Supported* | Not Supported* | 8 KB |
32TB–64 TB | Not Supported* | Not Supported* | 16 KB |
64TB–128 TB | Not Supported* | Not Supported* | 32 KB |
128TB–256 TB | Not Supported* | Not Supported* | 64 KB |
> 256 TB | Not Supported | Not Supported | Not Supported |
Note
* means not supported due to the limitations of the MBR.
The following table describes the default cluster sizes for FAT16.
Volume size | Windows NT 3.51 | Windows NT 4.0 | Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 |
---|---|---|---|
7 MB–8 MB | Not supported | Not supported | Not supported |
8 MB–32 MB | 512 bytes | 512 bytes | 512 bytes |
32 MB–64 MB | 1 KB | 1 KB | 1 KB |
64 MB–128 MB | 2 KB | 2 KB | 2 KB |
128 MB–256 MB | 4 KB | 4 KB | 4 KB |
256 MB–512 MB | 8 KB | 8 KB | 8 KB |
512 MB–1 GB | 16 KB | 16 KB | 16 KB |
1 GB–2 GB | 32 KB | 32 KB | 32 KB |
2 GB–4 GB | 64 KB | 64 KB | 64 KB |
4 GB–8 GB | Not supported | 128 KB* | Not supported |
8 GB–16 GB | Not supported | 256 KB* | Not supported |
> 16 GB | Not supported | Not supported | Not supported |
* means only available on media with a sector size greater than 512 bytes.
The following table describes the default cluster sizes for FAT32.
Volume size | Windows NT 3.51 | Windows NT 4.0 | Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 |
---|---|---|---|
7 MB–16MB | Not supported | Not supported | Not supported |
16 MB–32 MB | 512 bytes | 512 bytes | Not supported |
32 MB–64 MB | 512 bytes | 512 bytes | 512 bytes |
64 MB–128 MB | 1 KB | 1 KB | 1 KB |
128 MB–256 MB | 2 KB | 2 KB | 2 KB |
256 MB–8GB | 4 KB | 4 KB | 4 KB |
8GB–16GB | 8 KB | 8 KB | 8 KB |
16GB–32GB | 16 KB | 16 KB | 16 KB |
32GB–2TB | 32 KB | Not supported | Not supported |
> 2TB | Not supported | Not supported | Not supported |
The following table describes the default cluster sizes for exFAT.
Volume size | Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 |
---|---|
7 MB–256 MB | 4 KB |
256 MB–32 GB | 32 KB |
32 GB–256 TB | 128 KB |
> 256 TB | Not supported |
APPLIES TO
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional Edition
Microsoft Windows 2000 Datacenter Server
Microsoft Windows NT Workstation 3.5
Microsoft Windows NT Workstation 3.51
Microsoft Windows NT Workstation 4.0 Developer Edition
Microsoft Windows NT Server 3.5
Microsoft Windows NT Server 3.51
Microsoft Windows NT Server 4.0 Standard Edition
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Web Edition
Windows Server 2008 Datacenter without Hyper-V
Windows Server 2008 Enterprise without Hyper-V
Windows Server 2008 for Itanium-Based Systems
Windows Server 2008 Standard without Hyper-V
Windows Server 2008 Datacenter
Windows Server 2008 Enterprise
Windows Server 2008 Standard
Windows Vista Enterprise 64-bit Edition
Windows Vista Home Basic 64-bit Edition
Windows Vista Home Premium 64-bit Edition
Windows Vista Ultimate 64-bit Edition
Windows Vista Business 64-bit Edition
Windows Vista Enterprise
Windows Vista Home Basic
Windows Vista Home Basic Beta
Windows Vista Home Premium
Windows Vista Starter
Windows Vista Ultimate
Ref link: http://support.microsoft.com/kb/140365
Tuesday, 1 June 2010
Cisco router password recovery
step 2:
rommon 1>confreg 0x2142
rommon 2>reset
======================================================
remark:
0x2000 is boot default ROM software
0x0040 is ignore NVRAM
the last 2 is to specifies default boot file name
Router default register is 0x2102, you can check it by "sh version"
RADIUS Issues
Attacker observes a valid access request packet and the associated return packet(access-accept/access-reject packet), then launch offline exhaustive attack on the shared secret.
They can guess shared secret by pre-compute MD5(Code+ID+length+RequestAuth+Attributes) and resume the hash once.
User-Password Attribute Based Shared Secret Attack
Attacker observes the traffic and try to authenticate to client with a known password, and capture the resulting Access-Request packet and XOR the User-password attribute with the password they provided to client. This results in the value of MD5(S+RA). RA is known in the client request packet, so attacker can launch offline exhaustive attack to get shared secret.
User-Password Based Password Attack
As the previous attack method, attacker can get the value of MD5(S+RA), and replay the modified access request packet as pretending a client. If server dosen't impose user based rate limits, this will allow the attacker to get the correct password.
Request Authenticator Based Attacks
The security of RADIUS depends on the generation of the RA(Request Authenticator) field, but a lot of implementations using poor PRNG(pseudo random number generation) to generate the RA. If the client uses a PRNG that repeats values (or has a short cycle), the protocol ceases to provide the intended level of protection.
These attacks require the attacker to cause client to produce a particular identifier value. An attacker can insert a series of extra requests to the client, forcing the desired identifier. Even if the identifier were not generated in a readily attackable way, it would still only increase the work factor by 256 times.
Passive User-Password Compromise Through Repeated Request Authenticator
Build dictionary RA--User Password Attribure
If the attacker can sniff the traffic between the RADIUS client and the RADIUS server, they can passively produce a dictionary of Request Authenticators, and the associated (protected) User-Password attributes. If the attacker observes a repeated Request Authenticator, they can remove any influence of the Shared Secret from the first 16 octets of the passwords by XORing the first 16 octets of the protected passwords together. This yields the first 16 octets of the two (now unprotected) user passwords XORed together.
Active User-Password Compromise through Repeated Request Authenticators
Build dictionary RA--MD(S+RA)
Attacker authenticate many times using known passwords and intercept the generated Access-Request packets, extracting the RA and user-password attribute. Then XOR the known password with user-password attribute and be left with the MD5(S+RA) value. Finally, the attacker generates a dictionary of RA and associated MD5(S+RA) value.
Attacker can use this dictionary(RA--MD(S+RA)) to recover the first 16 octets from the protected region of the user password, since c1=p1 XOR MD5(S+RA).
Replay of Server Responses through Repeated Request Authenticators
Using dictionary RA--ID--associate server response
Attacker observe the client request, check RA and ID from the dictionary, then pretend as server the return the associate response to client.
DOS arising from the prediction of the Request Authenticators
Build dictionary predict RA values and associated server response, then response the client's valid request with access-reject packets, implement DOS.
RADIUS authentication procedure
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
The code establishes the type of RADIUS packet. The codes are:
Value
Description
1
Access-Request
2
Access-Accept
3
Access-Reject
4
Accounting-Request
5
Accounting-Response
11
Access-Challenge
12
Status-Server (experimental)
13
Status-Client (experimental)
255
Reserved
The identifier is a one octet value that allows the RADIUS client to match a RADIUS response with the correct outstanding request. it is usually implemented as a simple counter that is incremented for each request.
The attributes section is where an arbitrary number of attribute fields are stored. The only pertinent attributes for this discussion are the User-Name and User-Password attributes.
Initial client processing
The client creates an Access-Request RADIUS packet, including at least the User-Name and User-Password attributes.
The Access-Request packet's identifier field is generated by the client.
The Access-Request packet contains a 16 octet Request Authenticator in the authenticator field. This Request authenticator is a randomly chosen 16 octet string.
This packet is completely unprotected, except for the User-Password attribute, which is protected as follows:
c1 = p1 XOR MD5(S + RA)
c2 = p2 XOR MD5(S + c1)
.
.
.
cn = pn XOR MD5(S + cn-1)
The User-Password attribute contains c1+c2+...+cn, Where + denotes concatenation.
Here S is shared secret in server or client, RA is psuedo-random 128bit request authenticator, p1,p2 and so on is 16 octet block by breaking the password
Server processing
Extract the username and password using the same shared secret
Validate the account
Compute response authenticator which is MD5(code+ID+Length+RequestAuth+Attribute+secret), and send back the response packet to client
The server receives the RADIUS Access-Request packet and verifies the packet with shared secret first, it can go through a slightly modified version of the client's protection process on the User-Password attribute and obtain the unprotected password. It then uses its authentication database to validate the username and password. If the password is valid, the server creates an Access-Accept packet to send back to the client, otherwise, send back with Access-Reject packet. Both the Access-Accept packet and the Access-Reject packet use the same identifier value from the client's Access-Request packet, and put a Response Authenticator in the Authenticator field. The response authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
Client post processing
Match ID
Compute the Response Authenticator as the server performed
Check the code field for the result
When the client receives a response packet, it attempts to match it with an outstanding request using the identifier field, then verifies the Response Authenticator by performing the same Response Authenticator calculation the server performed, and then comparing the result with the Authenticator field.
If the client received a verified Access-Accept packet, the username and password are considered to be correct, and the user is authenticated.
Linux - Ubuntu general shortcut
Ctrl+A = Select all (In Documents, Firefox, Nautilus, etc, not Terminal)
Ctrl+C = Copy (In Documents, Firefox, Nautilus, etc, not Terminal)
Ctrl+V = Paste (In Documents, Firefox, Nautilus, etc, not Terminal)
Ctrl+N = New (Create a new document, not in terminal)
Ctrl+O = Open (Open a document, not in terminal)
Ctrl+S = Save (Save the current document, not in terminal)
Ctrl+P = Print (Print the current document, not in terminal)
Ctrl+E = Send To... (Send the current document to an email recipient or remote location, not in terminal)
Ctrl+W = Close (Close the current document, not in terminal)
Ctrl+Q = Quit (Quit the application, not in terminal)
Ctrl + Alt + F1 = Switch to the first virtual terminal
Ctrl + Alt + F2(F3)(F4)(F5)(F6) = Select the different virtual terminals
Ctrl + Alt + F7 = Switch to current terminal session with X
Ctrl+Alt++ = Switch to next X resolution (Depends of your X configuration)
Ctrl+Alt+- = Switch to previous X resolution (Depends of your X configuration)
Ctrl + Alt + Backspace = Kill X server
Alt+Tab = Switch between open programs
Printscrn = Print sreen
Setup Openssl + freeRADIUS
1. Create ca certification by openssl
#cd /etc/ssl/
#/usr/lib/ssl/misc/CA.pl -newca -- ubuntu directory
or
#/usr/share/ssl/misc/CA.pl -newca -- opensuse directory
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..........................++++++
..........++++++
writing new private key to './CA/private/cakey.pem'
Enter PEM pass phrase: 12345
Verifying - Enter PEM pass phrase: 12345
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taipei
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:QMI
Organizational Unit Name (eg, section) []:DQA
Common Name (eg, YOUR name) []:rootca
Email Address []:bryan.yu@qmitw.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: don't need to input
An optional company name []: don't need to input
Using configuration from /usr/lib/ssl/openssl.cnf
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: 12345
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
91:23:c3:97:8a:c5:d8:e5
Validity
Not Before: Mar 17 14:38:09 2008 GMT
Not After : Mar 17 14:38:09 2011 GMT
Subject:
countryName = TW
stateOrProvinceName = LinKou
organizationName = QMI
organizationalUnitName = DQA
commonName = rootca
emailAddress = bryan.yu@qmitw.com
X509v3 extensions:
X509v3 Subject Key Identifier:
FF:DA:F6:63:4E:6F:20:16:85:BC:CE:E4:6E:EA:17:48:B5:DE:87:25
X509v3 Authority Key Identifier:
keyid:FF:DA:F6:63:4E:6F:20:16:85:BC:CE:E4:6E:EA:17:48:B5:DE:87:25
DirName:/C=TW/ST=LinKou/O=QMI/OU=DQA/CN=rootca/emailAddress=
bryan.yu@qmitw.com
serial:91:23:C3:97:8A:C5:D8:E5
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Mar 17 14:38:09 2011 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
2. Let's start to create a server certificate signing request using OpenSSL's req command:
#openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf
3. Next step, let's use our CA key to sign the request by using OpenSSL's ca command:
#openssl ca -config ./openssl.cnf -policy policy_anything -out server_cert.pem -infiles ./server_req.pem
4. Open your signed certificate with the text editor ( example: vi ) of your choice and delete everything before the line -----BEGIN CERTIFICATE-----. Concatenate it and your key into a single file, like this:
#cat server_key.pem server_cert.pem > server_keycert.pem
5. We need to create a client certificate signing request now. The OpenSSL command to do this is similar to that used to create server certificates:
#openssl req -new -keyout client_key.pem -out client_req.pem -days 730 -config ./openssl.cnf
6. Next step -- we sign the client certificate's signing request:
#openssl ca -config ./openssl.cnf -policy policy_anything -out client_cert.pem -infiles ./client_req.pem
7. If your certificate is to be used by Windows XP or Vista client, you need to do one more step.
You need to convert the certificate file(s) to a PKCS12-format file, with this command:
#openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts
8. Before we dive into FreeRADIUS' configuration files, we need to create two files that FreeRADIUS must have in order to use TLS. The first is a Diffie-Hellman parameters file, or dh file, which is used for negotiating TLS session keys. To create a dh file, issue this command:
#openssl dhparam -check -text -5 512 -out dh
9. The second file you need is a data file that contains a random bitstream that also is used in TLS operations. Do not simply stick the current timestamp or any other similarly nonrandom string into a file called random, as is suggested in at least one WPA procedure I've seen on the Internet. Rather, use the kernel's high-quality random number generator. Run this command:
#dd if=/dev/urandom of=random count=2
FreeRadius Configuration Step
1. Check permission of radius directory and then modify parameter what you need in radiusd.conf
#cd /etc/raddb/
#vi radiusd.conf
2. Changes in eap.conf
eap {
default_eap_type = tls
tls {
# The following parameters tell radiusd where to
# find its certs and keys, plus dh & random files:
private_key_password = 12345
private_key_file = /etc/ssl/server_keycert.pem
certificate_file = /etc/ssl/server_keycert.pem
CA_file = /etc/ssl/CA/cacert.pem
dh_file = /etc/ssl/dh
random_file = /etc/ssl/random
}
}
3. Access Point Entry in clients.conf
client 192.168.1.1/32 {
secret = 12345678
shortname = test ap
}
Configuring Windows XP Clients Step
And that brings us to configuring a Windows XP wireless client to use your newly WPA-enabled access point. This being a Linux magazine, I'm not going to describe this process in painstaking detail-for that you can see section 4.3 of Ken Roser's HOWTO, listed in the on-line Resources. In summary, you need to:
1. Run the command mmc from Start --> Run
2. In Microsoft Management Console, select File?Add/Remove Snap-in, add the Certificates snap-in and set it to manage certificates for My user account and, on the next screen, only for the Local computer.
3. Copy your CA (cacert.pem) certificate to your Windows system's hard drive, for example, to C:\cacert.pem.
4. From within MMC, expand Console Root and Certificates - Current User and right-click on Trusted Root Certification Authorities. In the pop-up menu, select All Tasks-->Import. Tell the subsequent wizard to import the file C:\cacert.pem and to store it in Trusted Root Certification Authorities.
5. Copy your client certificate/key file to your Windows system, for example, to C:\client_cert.p12.
6. From within MMC?Console Root?Certificates, expand Personal and right-click on Certificates. In the pop-up menu, select All Tasks-->Import. Tell the subsequent wizard to import the file C:\client_cert.p12.
7. The certificate-import wizard then prompts you for the certificate's passphrase. In the same dialog, it offers the option to enable strong private key protection. Unfortunately, enabling this breaks WPA, so be sure to leave this option unchecked. Also, leave the option to mark this key as exportable unchecked--you're better off backing up the password-protected file you just imported rather than allowing the imported nonprotected version to be exportable.
Ubuntu pppoe dialup problem with Network Manager
Step2: >sudo service network-manager stop
Step3: >sudo pppoeconf
Step4(optional): add nameserver to /etc/resolv.conf
Linux simple shell commands
command [-option] parameter1 parameter2 ...
startx - start x window system ()
init 3 - 關閉圖形介面, 進入純文字介面的環境
uname - 顯示linux kernel版本
[root@localhost ~]# uname -r
2.6.31.9-174.fc12.i686
shutdown - 關閉系統
[root@localhost ~]# shutdown -h now <---現在關閉系統
[root@localhost ~]# shutdown -r +1 <---一分鐘後reboot
pwd - 顯示所在目錄位置
ls - 顯示當前目錄檔案
man - 顯示指令說明
cat,more,less - 顯示檔案內容
echo - 在螢幕上面顯示變數
[root@localhost ~]# echo $PATH /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
[root@localhost ~]# myname=ray <---等號兩邊不能直接接空白字元
[root@localhost ~]# echo $myname ray
env - 觀察環境變數與常見環境變數說明
set - 觀察所有變數 (含環境變數與自訂變數)
export - 自訂變數轉成環境變數
history - 顯示執行過的指令
Linux Bootup Process
> hardware test, load BIOS
> Find boot device (harddisk, cdrom, usb...)
2. Load harddisk & Boot loader (GRUB)
> Execute boot loader in MBR
> Boot menu select OS
> The MBR then needs to know which partitions on the disk have boot loader code specific to their operating systems in their boot sectors and then attempts to boot one of them.
3. Load kernel
> Load kernel into memory
> Detect hardware and load the driver
> pass control on to the kernel
4. Kernel init task
> Establish memory management
> detects the type of CPU
> any additional functionality
5. Run the /sbin/init program
> system check
> verify the integrity of the file systems
> start vital programs for operating system to function properly.
> Inspects the /etc/inittab file to determine operation mode or runlevel
> launch process depend on runlevel
6. System initialization
> run /etc/rc.d/rc.sysinit
7. Init run level service
8. Init run file in /etc/rc.d/rc.local
9. Init prepare login environment and wait user login
Basic file management commands
cd Sets location in filesystem
ls Displays contents of directory
file Determines file’s type
cat Displays file’s contents
more Displays file’s contents one screen at a time
less Displays file’s contents one screen at a time
wc Shows character, word, and line counts
head Displays first few lines of a file
tail Displays last few lines of a file
touch Changes file’s timestamp; create an empty file
cp Copies a file
dd Copies a file from one device to another
mv Changes a file’s name or location in the filesystem
rm Deletes a file
mkdir Creates a directory
rmdir Deletes a directory
cd
Example:
$ cd /home/hadden/letters <---using absolute path
$ cd letters <---using relative path
$ pwd
/home/hadden/letters/Aug
$ cd
$ pwd
/home/hadden
=====================================
file
The file utility enables you to get information about the contents of a file without having to examine the file directly.
The syntax for file is
file [options] filename
Example
$ file home
home: directory
======================================
cat
The cat (concatenate file) command can be used to create new files; however, it is primarily used to send the contents of one or more files to your display or other output device. cat’s functionality can be increased by using either > or >>.
Example:
To create a new file, type
$ cat > newfilename
file contents
Ctrl-D
To display the contents of one or more files to the standard output, type
$ cat file1 file2
To combine multiple files into one, type
cat file1 file2 file3 > newfile
To add the contents of file1 to the end of file2, type
$ cat file1 >> file2
==============================
wc
The output appears as the number of lines, number of words, number of characters, and filename
Example:
$ wc /etc/passwd
33 45 1564/etc/passwd
==================================
head and tail
Like their names imply, these two commands let you look at either the beginning or end
of one or more files.
Example:
To show the first seven line of the file
$ head -7 /etc/passwd
To show the last five line of the file.
$ tail -5 /var/log/messages
if no option, default is 10 line.
=======================================
touch
touch is used to change the date and time of the last access or modification. The syntax is
touch [options] [date] filename
If the file does not exist, touch will create a new file of 0 length. If no date or time is specified, the current system time is used.
touch -d '14:24' file1
================================================
cp
The cp command copies both files and directories. The copy operation will overwrite any existing file with the same name, so be careful. To prevent this, you can use the -b (backup target file) or the -i (interactive) option.
To recursively copy one directory’s contents to another, use either the -r or -R option. This also will recursively copy the directory structure.
For example:
cp -r /home/peter /root
================================================
dd
The dd (device to device copy) is a special kind of copy utility.
example:
full hard disk copy
dd if=/dev/hdx of=/path/to/image
Restore Backup of hard disk copy
dd if=/path/to/image of=/dev/hdx
=============================
mv
The mv command is used to rename or move files to another location on the directory tree.
The syntax for mv is
mv [option] [source file] [target file]
=============================
rm
The rm command can be used to remove individual or multiple files and directories. After a file has been deleted, it is gone, so use it cautiously.
Use the -i option to require confirmation before files are deleted.
Otherwise, you might be left with a nonbootable system. The -f option will force deletion of write-protected files.
Be careful when you do this
rm -rf myfolder
=============================
mkdir
The mkdir command is used to create one or more directories. If no options are used, the parent directory must exist to create a child directory, as in the following examples
mkdir testing
mkdir testing/child
It also can create the parent and child directories in a single command by using the -p option.
mkdir -p testing/parent/child
============================
rmdir
The rmdir command will delete only empty directories.
Use the parent (-p) option to remove directory hierarchies.
rmdir -p testing/parent/child
This command deletes the child directory only. If there are more subdirectories in the parent directory, they will not be deleted.
However, if you type
rmdir -p testing/parent/*
all empty subdirectories of the directory parent will be deleted.
===================================
editor - vi
==============
vi 提供兩種操作模式:輸入模式(insert mode)和指令模式(command mode)
。當使用者進入 vi 後,即處在指令模式下,此刻鍵入之任何字元皆被視為
指令。在此模式下可進行刪除、修改等動作。若要輸入資料,則需進入輸入
模式。
.輸入模式
=========
如何進入輸入模式
a (append) 由游標之後加入資料。
A 由該行之末加入資料。
i (insert) 由游標之前加入資料。
I 由該行之首加入資料。
o (open) 新增一行於該行之下供輸入資料之用。
O 新增一行於該行之上供輸入資料之用。
如何離開輸入模式
《 ESC》 結束輸入模式。
.指令模式
=========
游標之移動
h 向左移一個字元。
j 向上移一個字元。
k 向下移一個字元。
l 向右移一個字元。
0 移至該行之首
$ 移至該行之末。
^ 移至該行的第一個字元處。
H 移至視窗的第一列。
M 移至視窗的中間那列。
L 移至視窗的最後一列。
G 移至該檔案的最後一列。
+ 移至下一列的第一個字元處。
- 移至上一列的第一個字元處。
( 移至該句之首。 (註一)
) 移至該句之末。
{ 移至該段落之首。 (註二)
} 移至該段落之末。
nG 移至該檔案的第 n 列。
n+ 移至游標所在位置之後的第 n 列。
n- 移至游標所在位置之前的第 n 列。
< Ctrl>< g> 會顯示該行之行號、檔案名稱、檔案中最末行之行號、游標
所在行號佔總行號之百分比。
註一:句子(sentence)在vi中是指以『!』、『.』或『?』結束的一串字。
註二:段落(paragraph)在vi中是指以空白行隔開的文字。
.視窗的移動
===========
< Ctrl>< f> 視窗往下捲一頁。
< Ctrl>< b> 視窗往上捲一頁。
< Ctrl>< d> 視窗往下捲半頁。
< Ctrl>< u> 視窗往上捲半頁。
< Ctrl>< e> 視窗往下捲一行。
< Ctrl>< y> 視窗往上捲一行。
.刪除、複製及修改指令介紹 (此單元較少使用)
=========================
d(delete)、c(change)和y(yank)這一類的指令在 vi 中的指令格式為:
Operator + Scope = command
(運算子) (範圍)
運算子:
d 刪除指令。刪除資料,但會將刪除資料複製到記憶體緩衝區。
y 將資料(字組、行列、句子或段落)複製到緩衝區。
p 放置(put)指令,與 d 和 y 配和使用。可將最後delete或yank的資
料放置於游標所在位置之行列下。
c 修改(change)指令,類似delete與insert的組和。刪除一個字組、句
子等之資料,並插入新鍵資料。
範圍:
e 由游標所在位置至該字串的最後一個字元。
w 由游標所在位置至下一個字串的第一個字元。
b 由游標所在位置至前一個字串的第一個字元。
$ 由游標所在位置至該行的最後一個字元。
0 由游標所在位置至該行的第一個字元。
) 由游標所在位置至下一個句子的第一個字元。
( 由游標所在位置至該句子的第一個字元。
{ 由游標所在位置至該段落的最後一個字元。
} 由游標所在位置至該段落的第一個字元。
整行動作
dd 刪除整行。
D 以行為單位,刪除游標後之所有字元。
cc 修改整行的內容。
yy yank整行,使游標所在該行複製到記憶體緩衝區。
.刪除與修改
===========
x 刪除游標所在該字元。
X 刪除游標所在之前一字元。
dd 刪除游標所在該行。
r 用接於此指令之後的字元取代(replace)游標所在字元。
如: ra 將游標所在字元以 a 取代之。
R 進入取代狀態,直到《ESC》為止。
s 刪除游標所在之字元,並進入輸入模式直到《ESC》。
S 刪除游標所在之該行資料,並進入輸入模式直到《ESC》。
.搬移與複製
==========
利用 delete 及 put 指令可完成資料搬移之目的。
利用 yank 及 put 指令可完成資料複製之目的。
yank 和 delete 可將指定的資料複製到記憶體緩衝區,而藉由 put 指令
可將緩衝區內的資料複製到螢幕上。
例:
搬移一行 ‧在該行執行 dd
‧游標移至目的地
‧執行 p
複製一行 ‧在該行執行 yy
‧游標移至目的地
‧執行 p
.指令重複
=========
在指令模式中,可在指令前面加入一數字 n,則此指令動作會重複執行 n
次。
例:
刪除10行 ‧10dd
複製10行 ‧10yy
‧游標移至目的地
‧p
指標往下移10行 ‧10j
.取消前一動作(Undo)
===================
即復原執行上一指令前的內容。
u 恢復最後一個指令之前的結果。
U 恢復游標該行之所有改變。
.搜尋
=====
在vi中可搜尋某一字串,使游標移至該處。
/字串 往游標之後尋找該字串。
?字串 往游標之前尋找該字串。
n 往下繼續尋找下一個相同的字串。
N 往上繼續尋找下一個相同的字串。
.資料的連接
===========
J 句子的連接。將游標所在之下一行連接至游標該行的後面。
若某行資料太長亦可將其分成兩行,只要將游標移至分開點,進入輸入模式
(可利用 a、i等指令)再按《Enter》即可。
.環境的設定
===========
:set nu 設定資料的行號。
:set nonu 取消行號設定。
:set ai 自動內縮。
:set noai 取消自動內縮。
自動內縮(automatic indentation)
在編輯文件或程式時,有時會遇到需要內縮的狀況,『:set ai』即提供自
動內縮的功能,用下例解釋之:
‧vi test
‧(進入編輯視窗後)
this is the test for auto indent
《Tab》start indent ← :set ai (設自動內縮)
《Tab》data
《Tab》data
《Tab》data ← :set noai (取消自動內縮)
the end of auto indent.
‧註:< Ctrl>< d> 可刪除《Tab》字元。
.ex指令
=======
讀寫資料
:w 將緩衝區的資料寫入磁碟中。
:10,20w test 將第10行至第20行的資料寫入test檔案。
:10,20w >> test 將第10行至第20行的資料加在test檔案之後。
:r test 將test檔案的資料讀入編輯緩衝區的最後。
刪除、複製及搬移
:10,20d 刪除第10行至第20行的資料。
:10d 刪除第10行的資料。
:%d 刪除整個編輯緩衝區。
:10,20co30 將第10行至第20行的資料複製至第30行之後。
:10,20mo30 將第10行至第20行的資料搬移至第30行之後。
字串搜尋與取代
s(substitute)指令可搜尋某行列範圍。
g(global)指令則可搜尋整個編輯緩衝區的資料。
s指令以第一個滿足該條件的字串為其取代的對象,若該行有數個滿足該條
件的字串,也僅能取代第一個,若想取代所有的字串則需加上g參數。
:1,$s/old/new/g 將檔案中所有的『old』改成『new』。
:10,20s/^/ / 將第10行至第20行資料的最前面插入5個空白。
:%s/old/new/g 將編輯緩衝區中所有的『old』改成『new』。
.恢復編輯時被中斷的檔案
=======================
在編輯過程中,若系統當掉或連線中斷,而緩衝區的資料並還未
被寫回磁碟時,當再度回到系統,執行下列指令即可回復中斷前
的檔案內容。
%vi -r filename
.編輯多個檔案
=============
vi亦提供同時編輯多個檔案的功能,方法如下:
%vi file1 file2 ..
當第一個檔案編修完成後,可利用『:w』將該緩衝區存檔,而後
再利用 『:n』載入下一個檔案。
Fine tune your VM - Extend vm disk size in Linux
Step2: Eg: Extend your vm to 40GB
vmware-vdiskmanager -x 40GB winxp.vmdk
Then your disk space would be expanded, but the free space is not assigned to your system.
Step3: List your registered vm, check the ID
vmware-vim-cmd vmsvc/getallvms
Step4: Poweron your vm
vmware-vim-cmd vmsvc/power.on 96
Step5: If you the vm is windows, then go to computer manager to assign the free space to C: or D: as you like.
To expand system driver (such as C: which holding winxp) then you may need to do it with thrid party partition tools. Here you can get more information: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004071
Linux command - cut, sed, awk
cut -c 1-7 f1 will output the first 7 characters in each line of file 'f1'.
cut -c 2,4-7,10- f1 will output the character 2, characters 4 – 7, characters 10 until the end of line in each line of file 'f1'.
cut -f 1,4,5 f1 will output 'fields' 1, 4 and 5 in file 'f1'. The fields are assumed to be separated by tab in 'f1'.
cut -d ' ' -f 1,4,5 f1 will output 'fields' 1, 4 and 5 in file 'f1'. The fields are assumed to be separated by a single space in 'f1'.
Sed
Let's make a test file
ls -l /etc > testsed
"d" means delete
sed '1,4d' testsed
sed '/yum/d' testsed
sed '/yum/!d' testsed
"s" is replace, -n means hide the other output, p is display
sed -n 's/pass/xxxxx/p' testsed
Awk
Make another file to test awk
ps aux > testawk
Show column 11
awk '{print $11}' testawk
awk '/sbin/{print $2,$11}' testawk
Checking system status
ps auxf <----show all process as tree format
ps a -l <----here -l means long format, see detail
pstree <----show process as tree format
pstree -p <----display with pid
pstree -H 1974 <----high light the 1974 process
top
top -d 2 <----Change data with 2 second.
top -b -n 2 > /home/ray/topresult <----run top 2 times and redirect the result to a file
in top interface:
press q is exit
press M is sort by memory
press < or > means sort by previous or next column
free -m <----Check memory status
netstat -ntlp <----Show the network status, here "l" means those listening process
vmstat 2 <----Check CPU status, take snapshot with 2 seconds
vmstat 2 4 <----Check CPU status, take snapshot with 2 seconds and do it 4 times
vmstat -d <----Show disk read write status
df -h <----Show harddisk space size
runlevel <----Show previous and current runlevel
Change process priority - nice and renice
• Range: -20 ~ +19
• User process default: 0
• + no. lower the priority
• - no. raise the priority
• Only root can lower the no.
• Don’t assign +no. to fg jobs -- sluggish
Syntax
• Just nice shows current priority
• nice [-n no.] [command]
• nice [-no.] [command]
• Normal user: no. = 1~19
• Root: no. = -20~19
• Not specified no.: default to 10
Examples
[law@localhost ~]$ nice seq 1000000&
Using default nice# 10 to reduce priority
[law@localhost ~]$ nice -n -10 vi /etc/hosts.deny
Start vi at high priority (-10)
renice
Modify nice no. of a running program
Syntax:
Renice [+|-]nicenumber [option] targets
Examples
[law@localhost ~]$ renice 19 501
Lower process 501's priority
[law@localhost ~]$ renice -10 -u law -p 501
Increase all law's process and process 501
Linux - Compression and Uncompression Example
compress bigfile <--------- compress bigfile to be bigfile.Z, bigfile will be disappear.
compress -r myfolder <---------compress all file to be .Z file in myfolder
compress -c bigfile <---------display the result to stdout
compress -c bigfile > smallfile.Z <---------by which, unchange bigfile but saveas another compressed file(smallfile.Z).
uncompress
uncompress smallfile.Z
gzip
gzip bigfile <--------- compress bigfile to be bigfile.gz
gzip -9 bigfile <--------- compress bigfile to be bigfile.gz, -9 is best quality but slowest, -1 is the fastest but low compress, default is -6.
gzip -c bigfile > smallfile.gz <--------- unchange bigfile but save as another compressed file(smallfile.gz).
gunzip
gunzip smallfile.gz <--------- extract the gz file
gunzip -c smallfile.gz > file <--------- extract smallfile.gz to a file,and don't smallfile.gz
zcat
zcat smallfile.gz <---------see the file content without unzip
bzip2, bunzip2, bzcat
bzip2 default compress level 2
the usage is like gzip, gunzip, zcat
(Hints: gzip is better than compress, bzip2 is the best)
tar
option:
-c create, write tarfile
-t list content
-z use gzip compress
-j use bzip2 compress
-x extract or restore
-v view progress
-p Restore the named files to their original modes, and ACLs if applicable
Example
tar -cf testfolder.tar /path/to/testfolder <---------------Create tar file
tar -xvf testfolder.tar -C /path/to/folder <-----------Extract tar file to another folder
Tar & gzip
tar -zpcvf testfolder.tar.gz /path/to/testfolder <----------Tar and gzip a folder
tar -zpcvf testfolder.tar.gz --exclude=/path/to/testfolder/subfolder1 /path/to/testfolder <----------Tar and gzip a folder except subfolder1
tar -zxvf testfolder.tar.gz -C /path/to/folder <----------Extract the file to another
tar -ztf testfolder.tar.gz <----------View the content
Tar & bzip2
tar -jpcvf testfolder.tar.bz2 /path/to/testfolder <----------Tar and gzip a folder
tar -jpcvf testfolder.tar.bz2 --exclude=/path/to/testfolder/subfolder1 /path/to/testfolder <----------Tar and bzip2 a folder except subfolder1
tar -jxvf testfolder.tar.bz2 -C /path/to/folder <----------Extract the file to another
tar -jtf testfolder.tar.bz2 <----------View the content
dump
for example: lets backup the partition /boot
dump -S /boot <---------------------Show how many size will be used
dump -0uf /home/myfolder/boot.dump /boot <-----------dump the whole partition, 0 is compress level, u means update record to /etc/dumpupdate, f is specify the file name
dump -0j -f /home/myfolder/boot.dump /boot <-----------bump the whole partition with bzip2 compress.
restore
restore -tf /home/myfolder/boot.dump <---------------- View the dump file content
restore -rf /home/myfolder/boot.dump <---------------- Restore with dump file.
ps aux 各欄位的意義
* USER:該 process 屬於那個使用者帳號的?
* PID :該 process 的程序識別碼。
* %CPU:該 process 使用掉的 CPU 資源百分比;
* %MEM:該 process 所佔用的實體記憶體百分比;
* VSZ :該 process 使用掉的虛擬記憶體量 (Kbytes)
* RSS :該 process 佔用的固定的記憶體量 (Kbytes)
* TTY :該 process 是在那個終端機上面運作,若與終端機無關則顯示 ?,另外, tty1-tty6 是本機上面的登入者程序,若為 pts/0 等等的,則表示為由網路連接進主機的程序。
* STAT:該程序目前的狀態,狀態顯示與 ps -l 的 S 旗標相同 (R/S/T/Z)
* START:該 process 被觸發啟動的時間;
* TIME :該 process 實際使用 CPU 運作的時間。
* COMMAND:該程序的實際指令為何?
Apache+SSL in Debian Quick Setup
Step2: (Generate cert file)
mkdir /etc/apache2/ssl
RANDFILE=/dev/random openssl req $@ -new -x509 -days 365 -nodes \
-out /etc/apache2/ssl/apache.pem \
-keyout /etc/apache2/ssl/apache.pem
chmod 600 /etc/apache2/ssl/apache.pem
Step3: (Config for apache2)
cd /etc/apache2/sites-available/
cp default ssl
Step4: (Enable the site. This is done by making a sym-link to the configuration
from /etc/apache2/sites-enabled/.)
a2ensite ssl
Step5: (To enable the ssl module from /etc/apache2/mods-available)
a2enmod ssl
Step6: (Add 443 port to /etc/apache2/ports.conf)
Listen 443
Step7: (Edit /etc/apache2/sites-available/ssl)
NameVirtualHost *:443
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
Step8: Restart apache2 /etc/init.d/apache2 restart
Simple logrotate - make your log file archieve
Here is the file sample:
/var/log/linuxserver/linux.log {
rotate 7
daily
compress
delaycompress
missingok
notifempty
create 660 linuxuser linuxuser }
This config file will run daily, create maximum 7 archives owned by linuxuser
and linuxuser group with 660 permissions,compress all logs and exclude only yesterdays and empty log files.
Here are some selected logrotate configuration keywords.
daily Log files are rotated every day.
weekly Log files are rotated if the current weekday is less than the weekday of the last rotation or if more than a week has passed since the last rotation. This is normally the same as rotating logs on the first day of the week, but if logrotate is not being run every night a log rotation will happen at the first valid opportunity.
monthly Log files are rotated the first time logrotate is run in a month (this is normally on the first day of the month).
notifempty Do not rotate the log if it is empty (this overrides the ifempty option).
nocompress Old versions of log files are not compressed.
delaycompress Postpone compression of the previous log file to the next rotation cycle. This only has effect when used in combination with compress. It can be used when some program cannot be told to close its logfile and thus might continue writing to the previous log file for some time.
compress Old versions of log files are compressed with gzip by default.
mail address When a log is rotated out of existence, it is mailed to address. If no mail should be generated by a particular log, the nomail directive may be used.
missingok If the log file is missing, go on to the next one without issuing an error message.
To run the logrotate manually, issue the command:
logrotate -v /etc/logrotate.conf
No Password login - SSH
jsmith@local-host$ [Note: You are on local-host here]
jsmith@local-host$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):[Enter key]
Enter passphrase (empty for no passphrase): [Press enter key]
Enter same passphrase again: [Pess enter key]
Your identification has been saved in /home/jsmith/.ssh/id_rsa.
Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub.
The key fingerprint is:
33:b3:fe:af:95:95:18:11:31:d5:de:96:2f:f2:35:f9
jsmith@local-host
Step 2: Copy the public key to remote-host using ssh-copy-id
jsmith@local-host$ ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host
jsmith@remote-host's password:
Now try logging into the machine, with "ssh 'remote-host'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting.
Step 3: Login to remote-host without entering the password
jsmith@local-host$ ssh remote-host
Last login: Sun Nov 16 17:22:33 2008 from 192.168.1.2
[Note: SSH did not ask for password.]
jsmith@remote-host$ [Note: You are on remote-host here]
ref.: http://www.thegeekstuff.com/2008/11/3-steps-to-perform-ssh-login-without-password-using-ssh-keygen-ssh-copy-id/
vsftpd simple config
Basic Setup
To disable anonymous login and to enable local users login and give them write permissions:
Code:
# No anonymous login
anonymous_enable=NO
# Let local users login
# If you connect from the internet with local users, you should enable TLS/SSL/FTPS
local_enable=YES
# Write permissions
write_enable=YES
NOTE: It is not advisable to use FTP without TLS/SSL/FTPS over the internet because the FTP protocol does not encrypt passwords. If you do need to transfer files over FTP, consider the use of virtual users (same system users but with non system passwords) or TLS/SSL/FTPS (see below).
To chroot users
To jail/chroot users (not the vsftpd service), there are three choices. Search for "chroot_local_users" on the file and consider one of the following:
Code:
# 1. All users are jailed by default:
chroot_local_user=YES
chroot_list_enable=NO
# 2. Just some users are jailed:
chroot_local_user=NO
chroot_list_enable=YES
# Create the file /etc/vsftpd.chroot_list with a list of the jailed users.
# 3. Just some users are "free":
chroot_local_user=YES
chroot_list_enable=YES
# Create the file /etc/vsftpd.chroot_list with a list of the "free" users.
To deny (or allow) just some users to login
To deny some users to login, add the following options in the end of the file:
Code:
userlist_deny=YES
userlist_file=/etc/vsftpd.denied_users
In the file /etc/vsftpd.denied_users add the username of the users that can't login. One username per line.
To allow just some users to login:
Code:
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.allowed_users
In the file /etc/vsftpd.allowed_users add the username of the users that can login.
The not allowed users will get an error that they can't login before they type their password.
TLS/SSL/FTPS
NOTE: you definitely have to use this if you connect from the Internet.
To use vsftpd with encryption (it's safer), change or add the following options (some options aren't on the original config file, so add them):
Code:
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
# Filezilla uses port 21 if you don't set any port
# in Servertype "FTPES - FTP over explicit TLS/SSL"
# Port 990 is the default used for FTPS protocol.
# Uncomment it if you want/have to use port 990.
#listen_port=990
No need to create a certificate. vstfpd uses the certificate Ubuntu creates upon it's installation, the "snake-oil" certificate (openssl package, installed by default).
iptables general configuration
[root@linux ~]# iptables -L -n
[root@linux ~]# iptables -L -nv
[root@linux ~]# iptables -t nat -L -n
Flush iptables contents
[root@linux ~]# iptables -F
[root@linux ~]# iptables -t nat -F
[root@linux ~]# iptables -F FORWARD
[root@linux ~]# iptables -X MYCHAIN
Set policy for chain
Example:
[root@linux ~]# iptables -P INPUT DROP
Result:
Chain INPUT (policy DROP)
target prot opt source destination
Add rules to the chain
Template:
iptables [-AI Chain] [-io interface] [-p protocal] [-s source ip] [-d destination ip] -j [ACCEPT|DROP]
Example:
[root@linux ~]# iptables -A INPUT -i eth0 -s 192.168.0.1 -j ACCEPT
[root@linux ~]# iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
[root@linux ~]# iptables -A INPUT -s 192.168.2.200 -j LOG
(log all traffic from 192.168.2.200 and record to /var/log/messages)
[root@linux ~]# iptables -A INPUT -p icmp -j ACCEPT
[root@linux ~]# iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP
[root@linux ~]# iptables -A INPUT -i eth0 -p udp --dport 137:138 -j ACCEPT
[root@linux ~]# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 \
> --sport 1024:65534 --dport ssh -j DROP
[root@linux ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
(Accept the response packet, here state can be NEW,RELATED,ESTABLISHED,INVALID)
[root@linux ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@linux ~]# iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT
Insert a rule to the chain
[root@linux ~]# iptables -I INPUT 2 -i eth0 -p tcp --dport 21 -j DROP
(Insert to the 2rd rule)
Replace a rule
[root@linux ~]# iptables -R INPUT 2 -i eth0 -p tcp --dport 21 -j DROP
(Replace the 2rd rule)
Delete rules
[root@linux ~]# iptables -D INPUT -i eth0 -p tcp --dport 21 -j DROP
[root@linux ~]# iptables -D INPUT 2
(Delete the 2rd rule)
Save and Restore
Whatever you did in command, it will lost after system reboot, so we need to save
to the file that will load when system bootup. For redhat distribution, it will
save in /etc/sysconfig/iptables
Two command used to backup and restore.
Example:
[root@linux ~]# iptables-save > filename
(Save iptables from running config to a file)
[root@linux ~]# iptables-save > /etc/sysconfig/iptables
(Save iptables from running config to startup config)
[root@linux ~]# iptables-restore < filename
iptables in NAT (MASQUERADE, SNAT, DNAT)
eth0 connection to external network
eth1 connection to internal network
Enable ip route
echo 1 > /proc/sys/net/ipv4/ip_forward
Set up IP FORWARDing and Masquerading
(this is the most simple method to config NAT for internal users)
[root@linux ~]#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@linux ~]#iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@linux ~]#iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
For this case using MASQUERADE, there is alternative
[root@linux ~]#iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
(suppose ppp0 is ready for external network)
More information (Just sample for your reference):
SNAT
Example: Internal users access external network with private IP
[root@linux ~]#iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 202.175.12.34
(Map source addresses to 202.175.12.34)
[root@linux ~]#iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 202.175.12.34-202.175.12.39
(Map source addresses to the range of 202.175.12.34~202.175.12.39)
DNAT
Example: External users access internal server
[root@linux ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 192.168.1.10
[root@linux ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 192.168.1.5-192.168.1.10
[root@linux ~]# iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.10:80
[root@linux ~]# iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.10:8080
[root@linux ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Apache htaccess simple config
Sample config:
httpd.conf
====================================
Options FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all
AccessFileName .htaccess
====================================
/var/www/html/.htaccess
====================================
AuthName "htaccess protect"
Authtype Basic
AuthUserFile /var/www/.htpasswd <---the .htpasswd file will be created later
require valid-user
(or you can change to specify user "require user tom")
====================================
Create .htpasswd file:
htpasswd -c /var/www/.htpasswd owner
Add another account:htpasswd /var/www/.htpasswd tom
Apache SSL in Centos
1. Install package
yum install mod_ssl openssl
2. Create CA and generate Cert
# Generate private key
openssl genrsa -out ca.key 1024
# Generate CSR
openssl req -new -key ca.key -out ca.csr
# Generate Self Signed Key
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
# Move the files to the correct locations
mv ca.crt /etc/pki/tls/certs
mv ca.key /etc/pki/tls/private/ca.key
mv ca.csr /etc/pki/tls/private/ca.csr
3. Config SSL for httpd
Setup the path for the cert and ca key
vi /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
4. Setup Virtual Host in Apache
< VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
< Directory /var/www/vhosts/yoursite.com/httpsdocs>
AllowOverride All
< /Directory>
DocumentRoot /var/www/vhosts/yoursite.com/httpsdocs
ServerName yoursite.com
< /VirtualHost>
/etc/init.d/httpd restart