Maybe you are not aware of these LVM commands.
You must be bored of running these commands:
pvdisplay
vgdisplay
lvdisplay
Let's learn the quick LVM commands:
[root@localhost ~]# pvs
PV VG Fmt Attr PSize PFree
/dev/sda9 VolGroup lvm2 a- 95.97G 0
[root@localhost ~]# vgs
VG #PV #LV #SN Attr VSize VFree
VolGroup 1 2 0 wz--n- 95.97G 0
[root@localhost ~]# lvs
LV VG Attr LSize Origin Snap% Move Log Copy% Convert
lv_root VolGroup -wi-ao 92.05G
lv_swap VolGroup -wi-ao 3.92G
Hope you like this stuff.
Happy LVMing !!!
Friday, February 26, 2010
OpenSSH: Insight into OpenSSH on Linux
OpenSSH is the implementation of the SSH protocol. OpenSSH is recommended for remote login, making backups, remote file transfer via scp or sftp, and much more. SSH is ideal for keeping the confidentiality and integrity of data exchanged between two networks and systems. However, its main advantage is server authentication through the use of public key cryptography. From time to time there are rumours about OpenSSH zero-day exploits. Here are a few things you need to tweak in order to improve OpenSSH server security.
Default Config Files and SSH Port
* /etc/ssh/sshd_config - OpenSSH server configuration file.
* /etc/ssh/ssh_config - OpenSSH client configuration file.
* ~/.ssh/ - User's ssh configuration directory.
* ~/.ssh/authorized_keys (or ~/.ssh/authorized_keys2) - Lists the public keys (RSA or DSA) that can be used to log into the user's account.
* /etc/nologin - If this file exists, sshd refuses to let anyone except root log in.
* /etc/hosts.allow and /etc/hosts.deny - Access control lists enforced by tcp-wrappers are defined here.
* SSH default port: TCP 22
SSH Session in Action
#1: Disable OpenSSH Server
Workstations and laptops can work without an OpenSSH server. If you do not need to provide the remote login and file transfer capabilities of SSH, disable and remove the sshd server. CentOS / RHEL / Fedora Linux users can disable and remove openssh-server with the yum command:
# chkconfig sshd off
# yum erase openssh-server
Debian / Ubuntu Linux users can disable and remove the same with the apt-get command:
# apt-get remove openssh-server
You may need to update your iptables script to remove the ssh exception rule. Under CentOS / RHEL / Fedora edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Once done, restart the iptables services:
# service iptables restart
# service ip6tables restart
#2: Only Use SSH Protocol 2
SSH protocol version 1 (SSH-1) has man-in-the-middle attack problems and security vulnerabilities. SSH-1 is obsolete and should be avoided at all costs. Open the sshd_config file and make sure the following line exists:
Protocol 2
#3: Limit Users' SSH Access
By default all system users can log in via SSH using their password or public key. Sometimes you create a UNIX / Linux user account for ftp or email purposes. However, those users can log in to the system using ssh. They will have full access to system tools including compilers and scripting languages such as Perl and Python, which can open network ports and do many other fancy things. One of my clients had a really outdated php script and an attacker was able to create a new account on the system via that php script. However, the attacker failed to get into the box via ssh because the account wasn't in AllowUsers.
To allow only the users root, vivek and jerry to use the system via SSH, add the following to sshd_config:
AllowUsers root vivek jerry
Alternatively, you can allow all users to log in via SSH but deny only a few users, with the following line:
DenyUsers saroj anjali foo
You can also configure Linux PAM to allow or deny login via the sshd server, and you can allow or deny access to ssh for a list of group names.
#4: Configure Idle Log Out Timeout Interval
Users can log in to the server via ssh, and you can set an idle timeout interval to avoid unattended ssh sessions. Open sshd_config and make sure the following values are configured:
ClientAliveInterval 300
ClientAliveCountMax 0
You are setting an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed, the idle user will be automatically kicked out (read as logged out). See how to automatically log BASH / TCSH / SSH users out after a period of inactivity for more details.
#5: Disable .rhosts Files
Don't read the user's ~/.rhosts and ~/.shosts files. Update sshd_config with the following setting:
IgnoreRhosts yes
SSH can emulate the behavior of the obsolete rsh command; this setting disables that insecure rsh-style access.
#6: Disable Host-Based Authentication
To disable host-based authentication, update sshd_config with the following option:
HostbasedAuthentication no
#7: Disable root Login via SSH
There is no need to log in as root via ssh over a network. Normal users can use su or sudo (recommended) to gain root-level access. This also makes sure you get full auditing information about who ran privileged commands on the system via sudo. To disable root login via SSH, update sshd_config with the following line:
PermitRootLogin no
However, Bob made an excellent point:
Saying "don't login as root" is h******t. It stems from the days when people sniffed the first packets of sessions, so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreased the chance you got spoofed as to your telnet host target. You'd get your password spoofed but not root's pw. Gimme a break. This is 2005 - we have ssh; used properly it's secure. Used improperly, none of this 1989 will make a damn bit of difference. -Bob
#8: Enable a Warning Banner
Set a warning banner by updating sshd_config with the following line:
Banner /etc/issue
Sample /etc/issue file:
----------------------------------------------------------------------------------------------
You are accessing a XYZ Government (XYZG) Information System (IS) that is provided for authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+ The XYZG routinely intercepts and monitors communications on this IS for purposes including, but not limited to,
penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM),
law enforcement (LE), and counterintelligence (CI) investigations.
+ At any time, the XYZG may inspect and seize data stored on this IS.
+ Communications using, or data stored on, this IS are not private, are subject to routine monitoring,
interception, and search, and may be disclosed or used for any XYZG authorized purpose.
+ This IS includes security measures (e.g., authentication and access controls) to protect XYZG interests--not
for your personal benefit or privacy.
+ Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching
or monitoring of the content of privileged communications, or work product, related to personal representation
or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.
----------------------------------------------------------------------------------------------
The above is a standard sample; consult your legal team for the exact user agreement and legal notice details.
#8: Firewall SSH Port # 22
You need to firewall ssh port # 22 by updating your iptables or pf firewall configuration. Usually, the OpenSSH server should only accept connections from your LAN or other remote WAN sites.
Netfilter (Iptables) Configuration
Update /etc/sysconfig/iptables (Red Hat and friends specific file) to accept connections only from 192.168.1.0/24 and 202.54.1.5/29, enter:
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 202.54.1.5/29 -m state --state NEW -p tcp --dport 22 -j ACCEPT
If you've dual-stacked sshd with IPv6, edit /etc/sysconfig/ip6tables (Red Hat and friends specific file), enter:
-A RH-Firewall-1-INPUT -s ipv6network::/ipv6mask -m tcp -p tcp --dport 22 -j ACCEPT
Replace ipv6network::/ipv6mask with actual IPv6 ranges.
*BSD PF Firewall Configuration
If you are using the PF firewall, update /etc/pf.conf as follows:
pass in on $ext_if inet proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $ssh_server_ip port ssh flags S/SA synproxy state
#9: Change SSH Port and Limit IP Binding
By default SSH listens on all available interfaces and IP addresses on the system. Limit ssh port binding and change the ssh port (by default, brute-forcing scripts only try to connect to port # 22). To bind to the 192.168.1.5 and 202.54.1.5 IPs and to port 300, add or correct the following lines:
Port 300
ListenAddress 192.168.1.5
ListenAddress 202.54.1.5
A better approach is to use proactive scripts such as fail2ban or denyhosts (see below).
#10: Use Strong SSH Passwords and Passphrase
It cannot be stressed enough how important it is to use strong user passwords and passphrases for your keys. Brute force attacks work because you use dictionary-based passwords. You can force users to avoid passwords that fall to a dictionary attack, and use the john the ripper tool to find existing weak passwords. Here is a sample random password generator (put it in your ~/.bashrc):
genpasswd() {
    local l=$1
    [ "$l" == "" ] && l=20
    tr -dc A-Za-z0-9_ < /dev/urandom | head -c ${l} | xargs
}
Run it:
genpasswd 16
Output:
uw8CnDVMwC6vOKgW
#11: Use Public Key Based Authentication
Use a public/private key pair with password protection for the private key. See how to use RSA and DSA key based authentication. Never use a passphrase-free (passphrase-less) key for login.
#12: Use Keychain Based Authentication
keychain is a special bash script designed to make key-based authentication incredibly convenient and flexible. It offers various security benefits over passphrase-free keys. See how to set up and use the keychain software.
#13: Chroot SSHD (Lock Down Users To Their Home Directories)
By default users are allowed to browse server directories such as /etc/, /bin and so on. You can protect ssh using an OS-based chroot or special tools such as rssh. With the release of OpenSSH 4.8p1 or 4.9p1, you no longer have to rely on third-party hacks such as rssh or complicated chroot(1) setups to lock users to their home directories. See this blog post about the new ChrootDirectory directive to lock down users to their home directories.
#14: Use TCP Wrappers
TCP Wrapper is a host-based networking ACL system used to filter network access to Internet services. OpenSSH supports TCP wrappers. Just update your /etc/hosts.allow file as follows to allow SSH only from 192.168.1.2 and 172.16.23.12:
sshd : 192.168.1.2 172.16.23.12
See this FAQ about setting up and using TCP wrappers under Linux / Mac OS X and UNIX-like operating systems.
#15: Disable Empty Passwords
You need to explicitly disallow remote login from accounts with empty passwords; update sshd_config with the following line:
PermitEmptyPasswords no
#16: Thwart SSH Crackers (Brute Force Attack)
Brute force is a method of defeating a cryptographic scheme by trying a large number of possibilities using a single computer or a distributed computer network. To prevent brute force attacks against SSH, use the following software:
* DenyHosts is a Python based security tool for SSH servers. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
* See how to set up DenyHosts under RHEL / Fedora and CentOS Linux.
* Fail2ban is a similar program that prevents brute force attacks against SSH.
* security/sshguard-pf protects hosts from brute force attacks against ssh and other services using pf.
* security/sshguard-ipfw protects hosts from brute force attacks against ssh and other services using ipfw.
* security/sshguard-ipfilter protects hosts from brute force attacks against ssh and other services using ipfilter.
* security/sshblock blocks abusive SSH login attempts.
* security/sshit checks for SSH/FTP brute force and blocks the given IPs.
* BlockHosts: automatic blocking of abusive IP hosts.
* Blacklist: get rid of those brute force attempts.
* Brute Force Detection: a modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application-specific options are stored, including regular expressions for each unique auth format.
* IPQ BDB filter: may be considered a fail2ban lite.
#17: Rate-limit Incoming Port # 22 Connections
Both netfilter and pf provide a rate-limit option to perform simple throttling on incoming connections on port # 22.
Iptables Example
The following example will drop incoming connections which make more than 5 connection attempts upon port 22 within 60 seconds:
#!/bin/bash
# IPT was not defined in the original snippet; point it at your iptables binary
IPT=/sbin/iptables
inet_if=eth1
ssh_port=22
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --set
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
Call the above script from your iptables scripts.
Another config option:
$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${inet_if} -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
# another one line example
# $IPT -A INPUT -i ${inet_if} -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 5 -j ACCEPT
See the iptables man page for more details.
*BSD PF Example
The following will limit the maximum number of connections per source to 20 and rate limit the number of connections to 15 in a 5 second span. If anyone breaks our rules, add them to our abusive_ips table and block them from making any further connections. Finally, the flush keyword kills all states created by the matching rule which originate from the host which exceeds these limits.
sshd_server_ip="202.54.1.5"
table <abusive_ips> persist
block in quick from <abusive_ips>
pass in on $ext_if proto tcp to $sshd_server_ip port ssh flags S/SA keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <abusive_ips> flush)
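The tools listed under #16 and the iptables recent-module rule under #17 both rest on the same check: a source that fails too often inside a short window gets blocked. As an added example that is not part of the original post, here is that check run over a few constructed OpenSSH auth-log lines (the 203.0.113.x / 198.51.100.x addresses are documentation ranges, the host name and PIDs are made up); it also shows the gap the rule leaves, since a source that paces its attempts below the threshold never trips it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Failed-login line as OpenSSH writes it to the auth log (syslog format, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failed_login(line, year):
    """Return (timestamp, user, source_ip) for a failed-password line, else None.
    syslog omits the year, so the caller supplies it (year rollover not handled)."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def find_brute_forcers(lines, year=2010, window=60, hitcount=5):
    """Return {ip: time_first_flagged} for every source that produced MORE than
    `hitcount` failures inside a sliding `window` of seconds, which is the same
    condition the rule '-m recent --update --seconds 60 --hitcount 5' enforces
    (the sixth attempt inside 60 s is the first one dropped)."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_failed_login(line, year)
        if parsed is None:
            continue              # accepted logins and unrelated lines are ignored
        ts, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()           # expire failures older than the window
        if len(q) > hitcount and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample log: one fast attacker, one legitimate user with typos,
# and one slow attacker that never exceeds 5 failures in any 60 s span.
SAMPLE_LOG = """\
Feb 26 10:00:01 localhost sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Feb 26 10:00:02 localhost sshd[2002]: Failed password for invalid user oracle from 203.0.113.7 port 51235 ssh2
Feb 26 10:00:04 localhost sshd[2003]: Failed password for root from 203.0.113.7 port 51236 ssh2
Feb 26 10:00:05 localhost sshd[2004]: Failed password for root from 203.0.113.7 port 51237 ssh2
Feb 26 10:00:07 localhost sshd[2005]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Feb 26 10:00:09 localhost sshd[2006]: Accepted publickey for vivek from 192.168.1.10 port 50001 ssh2
Feb 26 10:00:10 localhost sshd[2007]: Failed password for invalid user guest from 203.0.113.7 port 51239 ssh2
Feb 26 10:00:30 localhost sshd[2008]: Failed password for jerry from 192.168.1.10 port 50002 ssh2
Feb 26 10:01:45 localhost sshd[2009]: Failed password for jerry from 192.168.1.10 port 50003 ssh2
Feb 26 10:05:00 localhost sshd[2010]: Failed password for root from 198.51.100.9 port 40001 ssh2
Feb 26 10:05:10 localhost sshd[2011]: Failed password for root from 198.51.100.9 port 40002 ssh2
Feb 26 10:05:20 localhost sshd[2012]: Failed password for root from 198.51.100.9 port 40003 ssh2
Feb 26 10:05:30 localhost sshd[2013]: Failed password for root from 198.51.100.9 port 40004 ssh2
Feb 26 10:05:40 localhost sshd[2014]: Failed password for root from 198.51.100.9 port 40005 ssh2
Feb 26 10:06:50 localhost sshd[2015]: Failed password for root from 198.51.100.9 port 40006 ssh2
"""

if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} exceeded the threshold at {when:%b %d %H:%M:%S}")
```

Only 203.0.113.7 is flagged; 198.51.100.9 stays under the threshold, which is why the post also recommends key-based authentication and AllowUsers rather than relying on rate limiting alone.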
#18: Use Port Knocking
Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A sample port knocking example for ssh using iptables:
$IPT -N stage1
$IPT -A stage1 -m recent --remove --name knock
$IPT -A stage1 -p tcp --dport 3456 -m recent --set --name knock2
$IPT -N stage2
$IPT -A stage2 -m recent --remove --name knock2
$IPT -A stage2 -p tcp --dport 2345 -m recent --set --name heaven
$IPT -N door
$IPT -A door -m recent --rcheck --seconds 5 --name knock2 -j stage2
$IPT -A door -m recent --rcheck --seconds 5 --name knock -j stage1
$IPT -A door -p tcp --dport 1234 -m recent --set --name knock
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name heaven -j ACCEPT
$IPT -A INPUT -p tcp --syn -j door
* fwknop is an implementation that combines port knocking and passive OS fingerprinting.
* Multiple-port knocking Netfilter/IPtables only implementation.
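To see how the chained recent lists in the rules above behave, here is an added Python simulator (not part of the original post) that replays SYN packets through the door, stage1 and stage2 chains with the same knock ports 1234, 3456 and 2345 and the same 5-second windows; the class name, the scenario names and the 198.51.100.x source addresses are constructed for this example, and a DROP policy is assumed for anything the chains do not accept.

```python
from collections import defaultdict

class KnockFirewall:
    """Model of the iptables port-knocking rules above.  Each 'recent' list is a
    dict of source address -> time of the last --set; --rcheck --seconds N is true
    only when that time is at most N seconds old."""

    def __init__(self, knock_ports=(1234, 3456, 2345), ssh_port=22, window=5):
        self.p1, self.p2, self.p3 = knock_ports
        self.ssh_port = ssh_port
        self.window = window
        self.lists = defaultdict(dict)   # list name -> {src: timestamp}

    def _rcheck(self, name, src, t):
        seen = self.lists[name].get(src)
        return seen is not None and t - seen <= self.window

    def _set(self, name, src, t):
        self.lists[name][src] = t

    def _remove(self, name, src):
        self.lists[name].pop(src, None)

    def _stage1(self, src, dport, t):
        # -A stage1 -m recent --remove --name knock
        # -A stage1 -p tcp --dport 3456 -m recent --set --name knock2
        self._remove("knock", src)
        if dport == self.p2:
            self._set("knock2", src, t)

    def _stage2(self, src, dport, t):
        # -A stage2 -m recent --remove --name knock2
        # -A stage2 -p tcp --dport 2345 -m recent --set --name heaven
        self._remove("knock2", src)
        if dport == self.p3:
            self._set("heaven", src, t)

    def _door(self, src, dport, t):
        # The three door rules in order; a user chain returns to the caller,
        # so the rules after a jump are still evaluated.
        if self._rcheck("knock2", src, t):
            self._stage2(src, dport, t)
        if self._rcheck("knock", src, t):
            self._stage1(src, dport, t)
        if dport == self.p1:
            self._set("knock", src, t)

    def syn(self, src, dport, t):
        """Verdict for a new-connection SYN, following the INPUT chain above."""
        if dport == self.ssh_port and self._rcheck("heaven", src, t):
            return "ACCEPT"
        self._door(src, dport, t)
        return "DROP"

def replay(fw, packets):
    """Feed (time, src, dport) SYNs through the firewall and return the verdicts."""
    return [fw.syn(src, dport, t) for t, src, dport in packets]

SRC = "198.51.100.20"   # constructed client address
SCENARIOS = {
    "correct knock":     [(0, SRC, 1234), (1, SRC, 3456), (2, SRC, 2345), (3, SRC, 22)],
    "wrong middle port": [(0, SRC, 1234), (1, SRC, 9999), (2, SRC, 3456), (3, SRC, 2345), (4, SRC, 22)],
    "too slow":          [(0, SRC, 1234), (7, SRC, 3456), (8, SRC, 2345), (9, SRC, 22)],
    "no knock":          [(0, SRC, 22)],
}

def run_scenarios():
    """Verdict on the final SSH SYN of each scenario, each on a fresh firewall."""
    return {name: replay(KnockFirewall(), pkts)[-1] for name, pkts in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18s} -> port 22 {verdict}")
```

Any SYN that is not the next expected knock removes the source from the current list, so a stray probe in the middle of the sequence resets it, and a knock older than five seconds no longer counts.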
#19: Use Log Analyzer
Read your logs using logwatch or logcheck. These tools make your log reading life easier. They go through your logs for a given period of time and make a report on the areas you wish, with the detail you wish. Make sure LogLevel is set to INFO or DEBUG in sshd_config:
LogLevel INFO
#20: Patch OpenSSH and Operating Systems
It is recommended that you use tools such as yum, apt-get, freebsd-update and others to keep systems up to date with the latest security patches.
Other Options
To hide the openssh version, you need to update the source code and compile openssh again. Make sure the following options are enabled in sshd_config:
# Turn on privilege separation
UsePrivilegeSeparation yes
# Prevent the use of insecure home directory and key file permissions
StrictModes yes
# Turn on reverse name checking (this directive was renamed UseDNS in later OpenSSH releases)
VerifyReverseMapping yes
# Do you need port forwarding?
AllowTcpForwarding no
X11Forwarding no
# Specifies whether password authentication is allowed. The default is yes.
PasswordAuthentication no
Verify your sshd_config file before restarting / reloading changes:
# /usr/sbin/sshd -t
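sshd -t only checks syntax; it does not tell you whether the settings recommended in this post are actually in effect. As an added example that is not the post's own code, the following Python auditor reads an sshd_config the way sshd does (case-insensitive keywords, whitespace or "=" separator, first occurrence wins, nothing inside a Match block counts globally) and lists the recommendations from this post that the global section fails; the two sample configs are constructed.

```python
import re

# Directives this post asks for, keyed by lower-cased sshd_config keyword.
# Each predicate receives the lower-cased value, or None when the directive is
# absent from the global section.
RECOMMENDED = {
    "protocol":                lambda v: v == "2",
    "allowusers":              lambda v: v is not None,
    "clientaliveinterval":     lambda v: v is not None and v.isdigit() and int(v) > 0,
    "clientalivecountmax":     lambda v: v == "0",
    "ignorerhosts":            lambda v: v == "yes",
    "hostbasedauthentication": lambda v: v == "no",
    "permitrootlogin":         lambda v: v == "no",
    "permitemptypasswords":    lambda v: v == "no",
    "loglevel":                lambda v: v in ("info", "verbose", "debug", "debug1", "debug2", "debug3"),
    "strictmodes":             lambda v: v == "yes",
    "allowtcpforwarding":      lambda v: v == "no",
    "x11forwarding":           lambda v: v == "no",
    "passwordauthentication":  lambda v: v == "no",
}

DIRECTIVE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*\S)\s*$")

def parse_sshd_config(text):
    """Return {keyword: value} for the global section, following sshd's rules:
    lines starting with '#' are comments, keywords are case-insensitive, '=' or
    whitespace separates keyword and value, the FIRST occurrence of a keyword
    wins, and everything from the first Match line onward is conditional and
    therefore not credited here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break
        settings.setdefault(keyword, value)
    return settings

def audit_sshd_config(text):
    """Return sorted (keyword, current_value) pairs for every recommendation the
    global section does not satisfy.  current_value is None when the directive is
    unset; the compiled-in default then applies, and since defaults have changed
    between OpenSSH releases the post asks for these to be set explicitly."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, ok in RECOMMENDED.items():
        value = settings.get(keyword)
        if not ok(None if value is None else value.lower()):
            findings.append((keyword, value))
    return sorted(findings)

# Constructed sample: a mostly-default file.  The PermitRootLogin no inside the
# Match block applies only to user backup and must not be credited globally.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Protocol 2,1
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
Match User backup
    PermitRootLogin no
    PasswordAuthentication no
"""

# Constructed sample applying the settings from this post.
HARDENED_CONFIG = """\
Protocol 2
Port 300
ListenAddress 192.168.1.5
ListenAddress 202.54.1.5
AllowUsers root vivek jerry
PermitRootLogin no
ClientAliveInterval 300
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PasswordAuthentication no
LogLevel INFO
StrictModes yes
AllowTcpForwarding no
X11Forwarding no
Banner /etc/issue
"""

if __name__ == "__main__":
    for keyword, value in audit_sshd_config(WEAK_CONFIG):
        print(keyword, "(not set)" if value is None else value)
```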
See also: tighter SSH security with two-factor or three-factor (or more) authentication.
Interview Questions for Linux Hardware !!
One of the most asked interview questions is related to Linux hardware.
Like:
1. Which command can you run on Linux to find out its architecture, other than uname?
2. How do you list the RAM size?
3. Which components are used on the motherboard?
4. How do you find out which processor is running in your Linux box?
and so on...
Then dmidecode comes to the rescue.
dmidecode displays the hardware components of the Linux system you are running on. It dumps the computer's DMI (SMBIOS) table in a human-readable form; the table describes the system's hardware components and carries other useful information such as serial numbers and the BIOS revision. It must run as root, because it reads the table from /dev/mem (or from /sys/firmware/dmi/tables on newer kernels). Note that the output includes the system serial number and UUID, so treat a dump as inventory data rather than something to paste in public. The step-by-step example below shows dmidecode listing the hardware components on Linux Fedora.
The SMBIOS specification defines the following DMI types:
Type Information
0 BIOS
1 System
2 Base Board
3 Chassis
4 Processor
5 Memory Controller
6 Memory Module
7 Cache
8 Port Connector
9 System Slots
10 On Board Devices
11 OEM Strings
12 System Configuration Options
13 BIOS Language
14 Group Associations
15 System Event Log
16 Physical Memory Array
17 Memory Device
18 32-bit Memory Error
19 Memory Array Mapped Address
20 Memory Device Mapped Address
21 Built-in Pointing Device
22 Portable Battery
23 System Reset
24 Hardware Security
25 System Power Controls
26 Voltage Probe
27 Cooling Device
28 Temperature Probe
29 Electrical Current Probe
30 Out-of-band Remote Access
31 Boot Integrity Services
32 System Boot
33 64-bit Memory Error
34 Management Device
35 Management Device Component
36 Management Device Threshold Data
37 Memory Channel
38 IPMI Device
39 Power Supply
Run dmidecode and you can collect all of this information; dmidecode -t memory (or any other type name or number from the table above) limits the output to one class of record, and dmidecode -s system-serial-number prints a single string for use in scripts.
Here is an example from my Dell Inspiron machine running Fedora with the new kernel 2.6.33.
Handle 0x1000, DMI type 16, 15 bytes
Physical Memory Array
Location: System Board Or Motherboard
Use: System Memory
Error Correction Type: None
Maximum Capacity: 4 GB
Error Information Handle: Not Provided
Number Of Devices: 2
Handle 0x1100, DMI type 17, 27 bytes
Memory Device
Array Handle: 0x1000
Error Information Handle: Not Provided
Total Width: 64 bits
Data Width: 64 bits
Size: 1024 MB
Form Factor: DIMM
Set: None
Locator: DIMM_A
Bank Locator: Not Specified
Type: DDR
Type Detail: Synchronous
Speed: 800 MHz
Manufacturer: AD00000000000000
Serial Number: 00004021
Asset Tag: 000845
Part Number: HYMP112S64CP6-S6
Handle 0x1101, DMI type 17, 27 bytes
Memory Device
Array Handle: 0x1000
Error Information Handle: Not Provided
Total Width: 64 bits
Data Width: 64 bits
Size: 1024 MB
Form Factor: DIMM
Set: None
Locator: DIMM_B
Bank Locator: Not Specified
Type: DDR
Type Detail: Synchronous
Speed: 800 MHz
Manufacturer: AD00000000000000
Serial Number: 00003030
Asset Tag: 000845
Part Number: HYMP112S64CP6-S6
Handle 0x1301, DMI type 19, 15 bytes
Memory Array Mapped Address
Starting Address: 0x00000000000
Ending Address: 0x0007FFFFFFF
Range Size: 2 GB
Physical Array Handle: 0x1000
Partition Width: 0
Handle 0x1401, DMI type 20, 19 bytes
Memory Device Mapped Address
Starting Address: 0x00000000000
Ending Address: 0x0007FFFFFFF
Range Size: 2 GB
Physical Device Handle: 0x1100
Memory Array Mapped Address Handle: 0x1301
Partition Row Position: 1
Interleave Position: 1
Interleaved Data Depth: 8
Handle 0x1411, DMI type 126, 19 bytes
Inactive
Handle 0x1402, DMI type 20, 19 bytes
Memory Device Mapped Address
Starting Address: 0x00000000000
Ending Address: 0x0007FFFFFFF
Range Size: 2 GB
Physical Device Handle: 0x1101
Memory Array Mapped Address Handle: 0x1301
Partition Row Position: 1
Interleave Position: 2
Interleaved Data Depth: 8
Handle 0x1412, DMI type 126, 19 bytes
Inactive
Handle 0x1500, DMI type 21, 7 bytes
Built-in Pointing Device
Type: Touch Pad
Interface: Bus Mouse
Buttons: 2
Handle 0x1600, DMI type 22, 26 bytes
Portable Battery
Location: Sys. Battery Bay
Manufacturer:
Name: DELL X409G8A
Design Capacity: 37000 mWh
Design Voltage: 11100 mV
SBDS Version: 1.0
Maximum Error: 4%
SBDS Serial Number: 3A58
SBDS Manufacture Date: 2008-10-06
SBDS Chemistry: LION
OEM-specific Information: 0x00000001
Handle 0x1B00, DMI type 27, 12 bytes
Cooling Device
Type: Fan
Status: OK
OEM-specific Information: 0x0000DD00
Handle 0x1C00, DMI type 28, 20 bytes
Temperature Probe
Description: CPU Internal Temperature
Location: Processor
Status: OK
Maximum Value: 127.0 deg C
Minimum Value: 0.0 deg C
Resolution: 1.000 deg C
Tolerance: 0.5 deg C
Accuracy: Unknown
OEM-specific Information: 0x0000DC00
Handle 0x2000, DMI type 32, 11 bytes
System Boot Information
Status: No errors detected
Handle 0xB000, DMI type 176, 5 bytes
OEM-specific Type
Header and Data:
B0 05 00 B0 00
Handle 0xB100, DMI type 177, 12 bytes
OEM-specific Type
Header and Data:
B1 0C 00 B1 02 00 00 00 00 00 00 00
Handle 0xD000, DMI type 208, 10 bytes
OEM-specific Type
Header and Data:
D0 0A 00 D0 01 04 FE 00 2F 02
Handle 0xD800, DMI type 216, 9 bytes
OEM-specific Type
Header and Data:
D8 09 00 D8 01 03 01 F0 03
Strings:
Intel Corp.
1566
Handle 0xD900, DMI type 217, 8 bytes
OEM-specific Type
Header and Data:
D9 08 00 D9 01 02 01 03
Strings:
US-101
Proprietary
Handle 0xDB00, DMI type 219, 9 bytes
OEM-specific Type
Header and Data:
DB 09 00 DB 03 01 02 03 FF
Strings:
System Device Bay
Floppy, Battery, CD-ROM, CD-RW, DVD, DVD+RW, DVD+/-RW, Hard Disk, BLU-RAY
DVD+/-RW
Handle 0xDC00, DMI type 220, 22 bytes
OEM-specific Type
Header and Data:
DC 16 00 DC 01 F0 00 00 02 F0 00 00 00 00 03 F0
04 F0 00 00 00 00
Handle 0xDD00, DMI type 221, 19 bytes
OEM-specific Type
Header and Data:
DD 13 00 DD 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
Handle 0xD400, DMI type 212, 37 bytes
OEM-specific Type
Header and Data:
D4 25 00 D4 74 00 75 00 00 10 2D 2E 5C 00 78 BF
40 5D 00 78 BF 00 08 00 1D DF 00 03 00 1D DF 00
FF FF 00 00 00
Handle 0xD401, DMI type 212, 17 bytes
OEM-specific Type
Header and Data:
D4 11 01 D4 74 00 75 00 03 40 49 4A FF FF 00 00
00
Handle 0xDE00, DMI type 222, 16 bytes
OEM-specific Type
Header and Data:
DE 10 00 DE 01 02 FF FF 00 00 00 00 00 00 00 01
Handle 0x7F00, DMI type 127, 4 bytes
End Of Table
[root@localhost ~]# dmidecode -q
BIOS Information
Vendor: Dell Inc.
Version: A16
Release Date: 10/16/2008
Address: 0xF0000
Runtime Size: 64 kB
ROM Size: 2048 kB
Characteristics:
ISA is supported
PCI is supported
PC Card (PCMCIA) is supported
PNP is supported
BIOS is upgradeable
BIOS shadowing is allowed
Boot from CD is supported
Selectable boot is supported
3.5"/720 kB floppy services are supported (int 13h)
Print screen service is supported (int 5h)
8042 keyboard services are supported (int 9h)
Serial services are supported (int 14h)
Printer services are supported (int 17h)
CGA/mono video services are supported (int 10h)
ACPI is supported
USB legacy is supported
AGP is supported
Smart battery is supported
BIOS boot specification is supported
Function key-initiated network boot is supported
Targeted content distribution is supported
BIOS Revision: 1.6
Firmware Revision: 1.6
System Information
Manufacturer: Dell Inc.
Product Name: Inspiron 1525
Version: Not Specified
Serial Number: GHRM2BS
UUID: 44454C4C-4800-1052-804D-C7C04F324253
Wake-up Type: Power Switch
SKU Number: Not Specified
Family:
Base Board Information
Manufacturer: Dell Inc.
Product Name: 0U990C
Version:
Serial Number: .GHRM2BS.CN701668A70TCK.
Asset Tag:
Chassis Information
Manufacturer: Dell Inc.
Type: Portable
Lock: Not Present
Version: Not Specified
Serial Number: GHRM2BS
Asset Tag: Not Specified
Boot-up State: Safe
Power Supply State: Safe
Thermal State: Safe
Security Status: None
Processor Information
Socket Designation: Microprocessor
Type: Central Processor
Family: Core 2 Duo
Manufacturer: Intel
ID: FD 06 00 00 FF FB EB BF
Signature: Type 0, Family 6, Model 15, Stepping 13
Flags:
FPU (Floating-point unit on-chip)
VME (Virtual mode extension)
DE (Debugging extension)
PSE (Page size extension)
TSC (Time stamp counter)
MSR (Model specific registers)
PAE (Physical address extension)
MCE (Machine check exception)
CX8 (CMPXCHG8 instruction supported)
APIC (On-chip APIC hardware supported)
SEP (Fast system call)
MTRR (Memory type range registers)
PGE (Page global enable)
MCA (Machine check architecture)
CMOV (Conditional move instruction supported)
PAT (Page attribute table)
PSE-36 (36-bit page size extension)
CLFSH (CLFLUSH instruction supported)
DS (Debug store)
ACPI (ACPI supported)
MMX (MMX technology supported)
FXSR (Fast floating-point save and restore)
SSE (Streaming SIMD extensions)
SSE2 (Streaming SIMD extensions 2)
SS (Self-snoop)
HTT (Hyper-threading technology)
TM (Thermal monitor supported)
PBE (Pending break enabled)
Version: Not Specified
Voltage: 3.3 V
External Clock: 200 MHz
Max Speed: 2000 MHz
Current Speed: 2000 MHz
Status: Populated, Enabled
Upgrade: None
Serial Number: Not Specified
Asset Tag: Not Specified
Part Number: Not Specified
Core Count: 2
Core Enabled: 2
Thread Count: 2
Characteristics:
64-bit capable
Cache Information
Socket Designation: Not Specified
Configuration: Enabled, Not Socketed, Level 1
Operational Mode: Write Back
Location: Internal
Installed Size: 32 kB
Maximum Size: 32 kB
Supported SRAM Types:
Unknown
Installed SRAM Type: Unknown
Speed: Unknown
Error Correction Type: None
System Type: Data
Associativity: 4-way Set-associative
Cache Information
Socket Designation: Not Specified
Configuration: Enabled, Not Socketed, Level 2
Operational Mode: Varies With Memory Address
Location: Internal
Installed Size: 2048 kB
Maximum Size: 2048 kB
Supported SRAM Types:
Pipeline Burst
Installed SRAM Type: Pipeline Burst
Speed: 15 ns
Error Correction Type: None
System Type: Unified
Associativity: Other
Port Connector Information
Internal Reference Designator: USB
Internal Connector Type: None
External Reference Designator: Not Specified
External Connector Type: Access Bus (USB)
Port Type: USB
Port Connector Information
Internal Reference Designator: MONITOR
Internal Connector Type: None
External Reference Designator: Not Specified
External Connector Type: DB-15 female
Port Type: Video Port
Port Connector Information
Internal Reference Designator: FireWire
Internal Connector Type: None
External Reference Designator: Not Specified
External Connector Type: IEEE 1394
Port Type: Firewire (IEEE P1394)
Port Connector Information
Internal Reference Designator: Modem
Internal Connector Type: None
External Reference Designator: Not Specified
External Connector Type: RJ-11
Port Type: Modem Port
Port Connector Information
Internal Reference Designator: Ethernet
Internal Connector Type: None
External Reference Designator: Not Specified
External Connector Type: RJ-45
Port Type: Network Port
System Slot Information
Designation: PCMCIA 0
Type: 32-bit PC Card (PCMCIA)
Current Usage: Available
Length: Other
ID: Adapter 0, Socket 0
Characteristics:
5.0 V is provided
3.3 V is provided
PC Card-16 is supported
Cardbus is supported
Zoom Video is supported
Modem ring resume is supported
On Board Device Information
Type: Video
Status: Enabled
Description: Intel Crestline Graphics
On Board Device Information
Type: Sound
Status: Enabled
Description: Sigmatel 9205
OEM Strings
String 1: Dell System
String 2: 5[0003]
String 3: 13[PP22L]
BIOS Language Information
Installable Languages: 1
en|US|iso8859-1
Currently Installed Language: en|US|iso8859-1
Physical Memory Array
Location: System Board Or Motherboard
Use: System Memory
Error Correction Type: None
Maximum Capacity: 4 GB
Number Of Devices: 2
Memory Device
Total Width: 64 bits
Data Width: 64 bits
Size: 1024 MB
Form Factor: DIMM
Set: None
Locator: DIMM_A
Bank Locator: Not Specified
Type: DDR
Type Detail: Synchronous
Speed: 800 MHz
Manufacturer: AD00000000000000
Serial Number: 00004021
Asset Tag: 000845
Part Number: HYMP112S64CP6-S6
Memory Device
Total Width: 64 bits
Data Width: 64 bits
Size: 1024 MB
Form Factor: DIMM
Set: None
Locator: DIMM_B
Bank Locator: Not Specified
Type: DDR
Type Detail: Synchronous
Speed: 800 MHz
Manufacturer: AD00000000000000
Serial Number: 00003030
Asset Tag: 000845
Part Number: HYMP112S64CP6-S6
Memory Array Mapped Address
Starting Address: 0x00000000000
Ending Address: 0x0007FFFFFFF
Range Size: 2 GB
Partition Width: 0
Memory Device Mapped Address
Starting Address: 0x00000000000
Ending Address: 0x0007FFFFFFF
Range Size: 2 GB
Partition Row Position: 1
Interleave Position: 1
Interleaved Data Depth: 8
Memory Device Mapped Address
Starting Address: 0x00000000000
Ending Address: 0x0007FFFFFFF
Range Size: 2 GB
Partition Row Position: 1
Interleave Position: 2
Interleaved Data Depth: 8
Built-in Pointing Device
Type: Touch Pad
Interface: Bus Mouse
Buttons: 2
Portable Battery
Location: Sys. Battery Bay
Manufacturer:
Name: DELL X409G8A
Design Capacity: 37000 mWh
Design Voltage: 11100 mV
SBDS Version: 1.0
Maximum Error: 4%
SBDS Serial Number: 3A58
SBDS Manufacture Date: 2008-10-06
SBDS Chemistry: LION
OEM-specific Information: 0x00000001
Cooling Device
Type: Fan
Status: OK
OEM-specific Information: 0x0000DD00
Temperature Probe
Description: CPU Internal Temperature
Location: Processor
Status: OK
Maximum Value: 127.0 deg C
Minimum Value: 0.0 deg C
Resolution: 1.000 deg C
Tolerance: 0.5 deg C
Accuracy: Unknown
OEM-specific Information: 0x0000DC00
System Boot Information
Status: No errors detected
[root@localhost ~]#
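To answer the RAM question at the top of this post from a dump like the one above without reading it by eye, here is an added example (not part of the original post): POSIX shell functions that parse dmidecode output, sum the installed Memory Device records and print a per-slot inventory. The sample output embedded in the script is constructed from the two DIMMs above plus an invented empty third slot; the dmidecode flags mentioned in the comments are real.

```shell
#!/bin/sh
# Added example (not part of the original post): answer "how much RAM, and what
# sits in each slot?" from dmidecode output instead of reading the dump by eye.
# dmidecode must run as root (it reads the SMBIOS table from /dev/mem, or from
# /sys/firmware/dmi/tables on newer kernels); the parsing below works equally on
# saved output, which is how you would process dumps collected from many hosts.
# dmidecode output is a series of records: an unindented header line (the record
# type name) followed by indented "Key: value" lines.

# mem_total_mb < dmidecode-output -> total installed RAM in MB.
# Only "Memory Device" (type 17) records count; empty slots report
# "Size: No Module Installed" and are skipped; GB sizes are converted.
mem_total_mb() {
    awk '
        /^[^[:space:]]/ { indev = ($0 == "Memory Device"); next }   # record header
        indev && /^[[:space:]]+Size:/ {
            if ($2 ~ /^[0-9]+$/) total += ($3 == "GB") ? $2 * 1024 : $2
        }
        END { print total + 0 }
    '
}

# mem_inventory < dmidecode-output -> one line per slot:
# locator<TAB>size<TAB>part number<TAB>serial number
mem_inventory() {
    awk '
        function flush() { if (indev) printf "%s\t%s\t%s\t%s\n", loc, size, part, serial }
        /^[^[:space:]]/ {
            flush()
            indev = ($0 == "Memory Device")
            loc = size = part = serial = "-"
            next
        }
        !indev { next }
        { v = $0; sub(/^[[:space:]]*[^:]*:[[:space:]]*/, "", v) }   # value after "Key: "
        /^[[:space:]]+Locator:/       { loc = v }                   # not "Bank Locator"
        /^[[:space:]]+Size:/          { size = v }
        /^[[:space:]]+Part Number:/   { part = v }
        /^[[:space:]]+Serial Number:/ { serial = v }
        END { flush() }
    '
}

# sample_dmidecode -> constructed output modelled on the dump above (two 1 GB
# DIMMs) plus an empty third slot invented for the demonstration.
sample_dmidecode() {
    cat <<'EOF'
Handle 0x1000, DMI type 16, 15 bytes
Physical Memory Array
        Location: System Board Or Motherboard
        Use: System Memory
        Maximum Capacity: 4 GB
        Number Of Devices: 3
Handle 0x1100, DMI type 17, 27 bytes
Memory Device
        Array Handle: 0x1000
        Size: 1024 MB
        Form Factor: DIMM
        Locator: DIMM_A
        Bank Locator: Not Specified
        Type: DDR
        Speed: 800 MHz
        Serial Number: 00004021
        Part Number: HYMP112S64CP6-S6
Handle 0x1101, DMI type 17, 27 bytes
Memory Device
        Array Handle: 0x1000
        Size: 1024 MB
        Form Factor: DIMM
        Locator: DIMM_B
        Bank Locator: Not Specified
        Type: DDR
        Speed: 800 MHz
        Serial Number: 00003030
        Part Number: HYMP112S64CP6-S6
Handle 0x1102, DMI type 17, 27 bytes
Memory Device
        Array Handle: 0x1000
        Size: No Module Installed
        Form Factor: DIMM
        Locator: DIMM_C
        Bank Locator: Not Specified
        Serial Number: Not Specified
        Part Number: Not Specified
Handle 0x1301, DMI type 19, 15 bytes
Memory Array Mapped Address
        Starting Address: 0x00000000000
        Ending Address: 0x0007FFFFFFF
        Range Size: 2 GB
EOF
}

# Usage: dmidecode -t memory > dump.txt; sh dmi_mem.sh dump.txt
# With no argument the constructed sample is used.
if [ $# -gt 0 ]; then
    mem_inventory < "$1"
    printf 'total installed: %s MB\n' "$(mem_total_mb < "$1")"
else
    sample_dmidecode | mem_inventory
    printf 'total installed: %s MB\n' "$(sample_dmidecode | mem_total_mb)"
fi
```

The "Range Size: 2 GB" in the Memory Array Mapped Address record is deliberately not counted: only type 17 records describe physical modules, which is why the parser tracks the record header rather than grepping for Size.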
Saturday, February 20, 2010
LVM: How to recover deleted LVM?
Guys,
This could be something very informative for all LVM experts !!
LVM keeps archived copies of previous volume group metadata in the /etc/lvm/archive folder (and the current metadata in /etc/lvm/backup). I found the archive copy from just before my LVM volume was deleted. By using "vgcfgrestore" and the archive file I was able to restore the LVM configuration as it was before the volume was deleted.
The command:
"vgcfgrestore -l VolGroup00"
shows a list of backed up configurations.
I found that the correct configuration was in the file "/etc/lvm/archive/VolGroup00_00054.vg".
Running "vgcfgrestore -f /etc/lvm/archive/VolGroup00_00054.vg" did the trick.
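As an added example (not the author's commands), here is a POSIX shell script that picks the archive to restore instead of reading the list by hand: each file in /etc/lvm/archive records the command that was about to run and a creation_time, so the newest archive taken before the destructive command is the one that still contains the deleted LV. It prints the vgcfgrestore command rather than running it, with the volume group name as the required positional argument. The directory it creates and the three archive files are constructed for the demonstration; their descriptions and numbers are placeholders, not the author's files.

```shell
#!/bin/sh
# Added example (not from the original post): choose the right LVM metadata
# archive for vgcfgrestore.  /etc/lvm/archive keeps one file per metadata
# change, each carrying the command that was about to run ("Created *before*
# executing '...'") and a creation_time, so the archive written just before the
# destructive command is the one that still describes the deleted LV.
# Paths, the VG name and the command below are placeholders.

# list_archives DIR -> "creation_time<TAB>file<TAB>description", oldest first
# (the same information vgcfgrestore -l prints, in a form you can filter).
list_archives() {
    for f in "$1"/*.vg; do
        [ -f "$f" ] || continue
        t=$(sed -n 's/^creation_time = \([0-9]*\).*/\1/p' "$f")
        d=$(sed -n 's/^description = "\(.*\)"$/\1/p' "$f")
        printf '%s\t%s\t%s\n' "$t" "$f" "$d"
    done | sort -n
}

# archive_before DIR COMMAND -> newest archive taken right before COMMAND
# (e.g. lvremove) changed the metadata; prints nothing if there is none.
archive_before() {
    list_archives "$1" | awk -F'\t' -v pat="executing '$2" \
        'index($3, pat) > 0 { f = $2 } END { if (f != "") print f }'
}

# restore_command FILE VG -> the vgcfgrestore invocation to run (printed, not
# executed).  The VG name is a required positional argument.  Restoring only
# rewrites metadata: afterwards activate with "vgchange -ay VG" and fsck the LV
# before mounting, and expect data loss if the freed extents were reused.
restore_command() {
    printf 'vgcfgrestore -f %s %s\n' "$1" "$2"
}

# write_archive FILE EPOCH COMMAND -> a constructed archive file in the
# /etc/lvm/archive text format (VG body trimmed to a placeholder).
write_archive() {
    cat > "$1" <<EOF
contents = "Text Format Volume Group"
version = 1

description = "Created *before* executing '$3'"

creation_host = "localhost.localdomain"
creation_time = $2

VolGroup00 {
	id = "placeholder"
}
EOF
}

# make_sample_archives DIR -> three constructed archives: lv_data is created,
# then removed, then an unrelated lvcreate happens.  The archive written
# before the lvremove (00053) is the one that still contains lv_data.
make_sample_archives() {
    mkdir -p "$1"
    write_archive "$1/VolGroup00_00052.vg" 1266500000 "lvcreate -L 10G -n lv_data VolGroup00"
    write_archive "$1/VolGroup00_00053.vg" 1266580000 "lvremove /dev/VolGroup00/lv_data"
    write_archive "$1/VolGroup00_00054.vg" 1266590000 "lvcreate -L 1G -n lv_tmp VolGroup00"
}

# Usage: sh lvm_pick_archive.sh /etc/lvm/archive lvremove VolGroup00
# With no arguments the constructed sample archives are used.
if [ $# -eq 3 ]; then
    dir=$1; cmd=$2; vg=$3; sample=
else
    dir=$(mktemp -d); make_sample_archives "$dir"; cmd=lvremove; vg=VolGroup00; sample=1
fi
list_archives "$dir"
f=$(archive_before "$dir" "$cmd")
if [ -n "$f" ]; then restore_command "$f" "$vg"; else echo "no archive taken before '$cmd'"; fi
if [ -n "$sample" ]; then rm -rf "$dir"; fi
```

Note that the newest archive is usually the wrong one: it was written before the most recent change, which may already postdate the deletion, as 00054 does in the sample.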
Thursday, February 18, 2010
Automounting on Linux !!
Let's learn the concept of automounting quickly.
To have a Samba share mounted when a machine boots, edit the /etc/fstab file to include the following:
//server/share /mount/point smbfs username=[username],password=[password] 0 0
Where server is the Samba server name, share is the Samba share and /mount/point is the directory on the local machine to mount on. The username and password options are those of a valid user on the Samba server who has access to the share. Two caveats: /etc/fstab is world-readable, so a password written there is visible to every local user; put the credentials in a root-owned file with mode 0600 instead and reference it with credentials=/etc/samba/creds (a file containing username= and password= lines), an option both smbmount and mount.cifs accept. And smbfs has since been removed from the Linux kernel (2.6.37); on current systems use the cifs filesystem type with the same options.
Edit the /etc/fstab file
LABEL=/ / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/hda3 swap swap defaults 0 0
/dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0
/dev/fd0 /mnt/floppy auto noauto,owner,kudzu 0 0
//server/share /mount/point smbfs username=[username],password=[password] 0 0
Substitute [username] and [password] with the credentials of a valid user on the Samba server (or, better, use the credentials= option described above).
If you want to use the autofs service to mount SMB shares then follow the instructions below.
Edit the /etc/auto.master file
# $Id: auto.master,v 1.2 1997/10/06 21:52:03 hpa Exp $
# Sample auto.master file
# Format of this file:
# mountpoint map options
# For details of the format look at autofs(8).
/misc /etc/auto.misc --timeout=60
Edit the /etc/auto.misc file
# $Id: auto.misc,v 1.2 1997/10/06 21:52:04 hpa Exp $
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# Details may be found in the autofs(5) manpage
cd -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom
samba -fstype=smbfs,username=[username],password=[password] ://server/share
# the following entries are samples to pique your imagination
#linux -ro,soft,intr ftp.example.org:/pub/linux
#boot -fstype=ext2 :/dev/hda1
#floppy -fstype=auto :/dev/fd0
#floppy -fstype=ext2 :/dev/fd0
#e2floppy -fstype=ext2 :/dev/fd0
#jaz -fstype=ext2 :/dev/sdc1
#removable -fstype=ext2 :/dev/hdd
Issue the command service autofs restart so that the changes take effect.
Browsing to the /misc/samba directory should reveal the Samba mount.
Tuesday, February 16, 2010
Sendmail: How to setup Sendmail Client?
I have a central e-mail server. The other servers do not need to operate as mail servers. How do I configure Sendmail as a submission-only e-mail server (mail client) under CentOS / Fedora / RHEL / Debian Linux / UNIX-like operating systems?
Sendmail, like any MTA, can work in two different modes: it can accept incoming SMTP connections (a listening MTA), or it can only send mail that originates on the local machine / workstation or server (cluster node). The latter is called an outbound MTA, and it always runs in queue-only mode.
Step #1: Disable Sendmail Daemon In Listening Mode
Edit the file /etc/sysconfig/sendmail using a text editor such as vi, enter:
# vi /etc/sysconfig/sendmail
Modify the line:
DAEMON=no
Save and close the file.
Setting DAEMON=no tells Sendmail to run only the queue runner on this machine, and never to accept SMTP connections on port 25.
Step #2: Configure Mail Submission
You need to tell sendmail about a central MTA which will accept mail on port 25 for all your domains. For example, mail.nixcraft.net acts as the central MTA. Edit /etc/mail/submit.cf, enter:
# vi /etc/mail/submit.cf
Find the line beginning with D{MTAHost}, and update it to read as follows:
D{MTAHost}mail.nixcraft.net
Save and close the file. mail.nixcraft.net is the hostname of the server to which this machine should forward all of its outgoing mail. Please note that mail.nixcraft.net must be configured to accept mail from your other workstations or servers. Once done, reload sendmail.
Sendmail Relaying : Understanding what's the Relaying all about?
My overall architectural setup is shown below:
langille.org [NEW DOMAIN] <=== freebsddiary[MAIL SERVER] <== INTERNET <== fred.logic.com[ ANY FOREIGN CLIENT]
I use langille.org as an example domain.
I registered this domain a few days back.
My mail server is freebsddiary.
As of now my sendmail doesn't know about that domain.
I will have to tell the server about this new domain.
My mail server doesn't accept incoming mail for that domain (langille.org). However, my mail server is registered as the mail host for that domain.
Type the following command :
host langille.org
langille.org mail is handled (pri=5) by freebsddiary.yi.org
If someone tries to send mail to langille.org, it will arrive at freebsddiary.org (my mail server) but it will be refused.
Logs will report:
Oct 30 11:04:44 ducky sendmail[98224]: LAA98224: ruleset=check_rcpt,
arg1=, relay=mta1-rme.xtra.co.nz [203.96.92.1], reject=550
... Relaying denied
Oct 30 11:04:44 ducky sendmail[98224]: LAA98224: from=, SIZE=938,
class=0, pri=0, nrcpts=0, proto=ESMTP,
relay=mta1-rme.xtra.co.nz [203.96.92.1]
Note that the above example represents mail being sent to langille.org from an external domain. It is incoming mail.
To allow sendmail to receive mail for langille.org, I added the following entry to
/etc/mail/sendmail.cw (after sendmail version 8.10, this file is local-host-names).
langille.org
Then I told sendmail to re-read its configuration files by issuing the following command.
# killall -hup sendmail
Example:
Your friend's domain is retch.org. You wish to allow your friend to use your mail server. The box he will be sending mail from is dry.retch.org.
You would add the following entries to the files on your mail server:
File: /etc/mail/relay-domains
dry.retch.org
The above tells your mail server to accept outgoing mail from the host dry.retch.org.
File: /etc/mail/sendmail.cw
retch.org
The above tells your mail server to accept incoming mail for the domain retch.org (after sendmail version 8.10, this file is local-host-names).
Final Conclusion:
/etc/mail/relay-domains contains a list of hosts which are allowed to relay mail through your mail server. This list may consist of either specific hosts or whole domains.
/etc/mail/sendmail.cw (after sendmail version 8.10, this file is local-host-names) contains a list of domains for which your mail server will accept mail. This list is usually the domains hosted by your machine.
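To make the difference between the two files concrete, here is a small shell model of the decision sendmail's check_rcpt ruleset takes for an incoming RCPT TO. It is an added example, not code from the original post or from sendmail itself: it reads constructed copies of relay-domains and local-host-names from a temporary directory and prints whether a message would be accepted for local delivery, accepted for relaying, or rejected with "Relaying denied", the third case being what keeps the server from acting as an open relay. The matching rules are simplified (exact match for local-host-names, the connecting host or any parent domain of it for relay-domains).

```shell
#!/bin/sh
# Added example (not from the original post, not sendmail's ruleset): a simplified
# model of check_rcpt to show which file answers which question.
# Assumptions: local-host-names matches the recipient domain exactly; relay-domains
# matches the connecting host or any parent domain of it; the files below are
# constructed copies of the examples in the post.

CFG=$(mktemp -d)
printf '%s\n' 'dry.retch.org' > "$CFG/relay-domains"
printf '%s\n' 'langille.org' 'retch.org' > "$CFG/local-host-names"

# listed FILE NAME: true if NAME appears as a whole line (case-insensitive, '#' lines ignored)
listed() {
    grep -v '^#' "$1" | grep -qixF -- "$2"
}

# relay_allowed HOST: true if HOST or a parent domain of HOST is in relay-domains
relay_allowed() {
    h=$1
    while [ -n "$h" ]; do
        listed "$CFG/relay-domains" "$h" && return 0
        case $h in
            *.*) h=${h#*.} ;;   # strip the leftmost label: dry.retch.org -> retch.org -> org
            *)   h= ;;
        esac
    done
    return 1
}

# check_rcpt RELAY_HOST RCPT_DOMAIN
# Prints the verdict; exit status 0 = accept, 1 = reject (550 Relaying denied).
check_rcpt() {
    if listed "$CFG/local-host-names" "$2"; then
        echo "accept: local delivery for $2 (listed in local-host-names)"
        return 0
    fi
    if relay_allowed "$1"; then
        echo "accept: relaying for $1 (permitted by relay-domains)"
        return 0
    fi
    echo "reject: 550 <$2>... Relaying denied (relay=$1)"
    return 1
}

# Demo: the three situations discussed in the post
check_rcpt mta1-rme.xtra.co.nz langille.org          # incoming mail for a hosted domain
check_rcpt dry.retch.org       example.net           # outgoing mail from the friend's box
check_rcpt mta1-rme.xtra.co.nz example.net || true   # a stranger asking us to relay
```

The first call is the log entry from the post after langille.org was added to sendmail.cw; before that line was added it would have fallen through to the reject branch, which is exactly the "ruleset=check_rcpt ... reject=550 ... Relaying denied" entry shown above.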
Wednesday, February 10, 2010
NFS: Important Interview Questions !!
Here I would like to share a few of the NFS questions generally asked in interviews.
1. Which RPMs do you need for an NFS server?
rpm -qa nfs*
nfs-utils-1.0.9-33.el5
nfs-utils-lib-1.0.8-7.2.z2
2. Which daemon does NFS need in order to start?
NFS depends on the portmapper daemon, either called portmap or rpc.portmap. It will need to be started first. It should be located in /sbin but is sometimes in /usr/sbin. Most recent Linux distributions start this daemon in the boot scripts, but it is worth making sure that it is running before you begin working with NFS (just type ps aux | grep portmap)
3. Which daemons take care of NFS serving?
NFS serving is taken care of by five daemons:
rpc.nfsd, which does most of the work;
rpc.lockd and rpc.statd, which handle file locking;
rpc.mountd, which handles the initial mount requests, and
rpc.rquotad, which handles user file quotas on exported volumes.
Starting with kernel 2.2.18, lockd is called by nfsd upon demand, so you do not need to worry about starting it yourself. statd will need to be started separately. Most recent Linux distributions will have startup scripts for these daemons.
The daemons are all part of the nfs-utils package, and may be either in the /sbin directory or the /usr/sbin directory.
If your distribution does not include them in the startup scripts, then you should add them, configured to start in the following order:
rpc.portmap
rpc.mountd, rpc.nfsd
rpc.statd, rpc.lockd (if necessary), and rpc.rquotad
4. You made some changes in /etc/exports. Do they take effect immediately?
No.
You should run the command exportfs -ra to force nfsd to re-read the /etc/exports file. If you can't find the exportfs command, then you can kill nfsd with the -HUP flag (see the man pages for kill for details).
If that still doesn't work, don't forget to check hosts.allow to make sure you haven't forgotten to list any new client machines there.
5. What software do you need running for an NFS client setup? (Very Important)
To begin using a machine as an NFS client, you will need the portmapper running on that machine, and to use NFS file locking, you will also need rpc.statd and rpc.lockd running on both the client and the server.
With portmap, lockd, and statd running, you should now be able to mount the remote directory from your server just the way you mount a local hard drive, with the mount command.
6. How do you get NFS file systems mounted at boot time?
An entry in /etc/fstab is enough:
master.foo.com:/home /mnt nfs rw 0 0
7. What are hard mounting and soft mounting in NFS terminology?
There are some options you should consider adding at once. They govern the way the NFS client handles a server crash or network outage. One of the cool things about NFS is that it can handle this gracefully, if you set up the clients right. There are two distinct failure modes:
soft
If a file request fails, the NFS client will report an error to the process on the client machine requesting the file access. Some programs can handle this with composure, most won't. We do not recommend using this setting; it is a recipe for corrupted files and lost data. You should especially not use this for mail disks --- if you value your mail, that is.
hard
The program accessing a file on a NFS mounted file system will hang when the server crashes. The process cannot be interrupted or killed (except by a "sure kill") unless you also specify intr. When the NFS server is back online the program will continue undisturbed from where it was.
8. What's the solution for NFS then?
We recommend using hard,intr on all NFS mounted file systems.
Picking up from the previous example, the fstab entry would now look like:
# device mountpoint fs-type options dump fsckord
...
master.foo.com:/home /mnt/home nfs rw,hard,intr 0 0
9. How do you do NFS performance optimization?
Follow the link http://www.linux.org/docs/ldp/howto/NFS-HOWTO/performance.html for a better understanding.
Hope it helps you handle the most important interview questions.
Check this space again; I will add more in future.
Tuesday, February 9, 2010
Apache: How to install the ANT tool under Linux
In this tutorial I will show you how you can install the Ant tool on your Linux box. These steps for installing Ant on Linux are based on practical work.
Step 1:
Download ant from http://ant.apache.org/bindownload.cgi. I have downloaded apache-ant-1.7.1-bin.zip for this tutorial.
Step 2:
Login to your Linux box and create a directory "ant" under /usr/local.
[root@RoseIndiaLinux local]# mkdir ant
[root@RoseIndiaLinux local]# cd ant
[root@RoseIndiaLinux ant]# pwd
/usr/local/ant
[root@RoseIndiaLinux ant]#
Step 3:
Copy apache-ant-1.7.1-bin.zip onto your Linux box in /usr/local/ant directory.
Step 4:
Extract the zip file (apache-ant-1.7.1-bin.zip) using the unzip command.
[root@RoseIndiaLinux ant]# unzip apache-ant-1.7.1-bin.zip
The above command will extract the content of the zip file and will create a new directory, apache-ant-1.7.1.
Step 5:
Set the path in .bash_profile.
Open the file /root/.bash_profile and add the following lines:
export ANT_HOME=/usr/local/ant/apache-ant-1.7.1
export JAVA_HOME=/opt/java/jdk1.6.0_06
export PATH=${PATH}:${ANT_HOME}/bin
Step 6:
Log out and log in again to your Linux box. Ant is now available on your box.
Port Redirection: Howto?
You can easily redirect incoming traffic by inserting rules into the PREROUTING chain of the nat table. You set the new destination port using the REDIRECT target.
Syntax
The syntax is as follows to redirect tcp $srcPortNumber port to $dstPortNumber:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $srcPortNumber -j REDIRECT --to-port $dstPortNumber
The syntax is as follows to redirect udp $srcPortNumber port to $dstPortNumber:
iptables -t nat -A PREROUTING -i eth0 -p udp --dport $srcPortNumber -j REDIRECT --to-port $dstPortNumber
Replace eth0 with your actual interface name. The following syntax matches on source and destination IPs:
iptables -t nat -I PREROUTING --src $SRC_IP_MASK --dst $DST_IP -p tcp --dport $portNumber -j REDIRECT --to-ports $redirectPort
Examples:
The following example redirects TCP port 25 to port 2525:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 2525
In this example all incoming traffic on port 80 is redirected to port 8123:
iptables -t nat -I PREROUTING --src 0/0 --dst 192.168.1.5 -p tcp --dport 80 -j REDIRECT --to-ports 8123
Quoting from the iptables man page:
This target is only valid in the nat table, in the PREROUTING and OUTPUT
chains, and user-defined chains which are only called from those
chains. It redirects the packet to the machine itself by changing the
destination IP to the primary address of the incoming interface
(locally-generated packets are mapped to the 127.0.0.1 address). It
takes one option:
--to-ports port[-port]
This specifies a destination port or range of ports to use:
without this, the destination port is never altered. This is
only valid if the rule also specifies -p tcp or -p udp.
The OUTPUT chain example:
iptables -t nat -I OUTPUT --src 0/0 --dst 192.168.1.5 -p tcp --dport 80 -j REDIRECT --to-ports 8123
How Do I View NAT Rules?
Type the following command:
iptables -t nat -L -n -v
How Do I Save NAT Redirect Rules?
Type the following command:
iptables-save
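A REDIRECT rule changes which local port answers a connection without the listening service being aware of it, so it is worth being able to list exactly which redirects are active on a box. The script below is an added example, not from the original post or from the iptables project: it parses the nat table of an iptables-save dump (the format written by the iptables-save command just shown) and prints every REDIRECT rule with its chain, protocol, incoming interface, destination address, original port and target port. The dump it reads is a constructed sample containing the port 25 and port 80 rules from this post plus one non-REDIRECT rule that must be ignored.

```shell
#!/bin/sh
# Added example (not from the original post): list REDIRECT rules from an
# iptables-save dump. Assumption: the dump below is a constructed sample in
# iptables-save format (the REDIRECT examples from the post, the OUTPUT-chain
# variant, and a DNAT rule that the listing must skip).

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 2525 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 2525
-A PREROUTING -d 192.168.1.5/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8123
-A OUTPUT -d 192.168.1.5/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8123
-A PREROUTING -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.2
COMMIT
EOF

# list_redirects FILE
# Prints one line per REDIRECT rule in the nat table of an iptables-save dump:
#   CHAIN PROTO IN_IFACE DST DPORT -> TO_PORTS
# Fields a rule does not specify (no -i, no -d) are printed as "-".
list_redirects() {
    awk '
        /^\*/     { table = substr($1, 2); next }    # "*nat" starts a table
        /^COMMIT/ { table = ""; next }
        table == "nat" && /-j REDIRECT/ {
            chain = proto = iface = dst = dport = to = "-"
            for (i = 1; i <= NF; i++) {
                if      ($i == "-A")         chain = $(i + 1)
                else if ($i == "-p")         proto = $(i + 1)
                else if ($i == "-i")         iface = $(i + 1)
                else if ($i == "-d")         dst   = $(i + 1)
                else if ($i == "--dport")    dport = $(i + 1)
                else if ($i == "--to-ports") to    = $(i + 1)
            }
            printf "%s %s %s %s %s -> %s\n", chain, proto, iface, dst, dport, to
        }' "$1"
}

# count_redirects FILE: number of REDIRECT rules in the nat table
count_redirects() {
    list_redirects "$1" | grep -c ''
}

list_redirects "$SAMPLE"
```

On a live system feed it the real dump with `iptables-save > /tmp/rules && list_redirects /tmp/rules`; an unexpected entry here (a redirect of 80 or 443 to a port nobody should be serving on) is a cheap thing to alert on.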
Connecting RHEL to Active Directory Server through Winbind
You have a RHEL system and you want to authenticate it against your active directory. The good news is that Red Hat has made it easy for you to do this. The bad news is that they only get the most basic structure working for you.
Here I will show you how to get Winbind authentication working using authconfig, and how to make it a little more seamless than this utility leaves it.
It should be noted that while this works perfectly well, it is really not the best way to authenticate users against a UNIX host. Given the option, having your users in OpenLDAP and PAM authenticating them against that would be a much better option. However, we don’t live in a perfect world, and sometimes we just have to make things work.
Let’s start by using authconfig to join your machine to the domain. This should all be done as the root user.
# authconfig
* Select “Use Winbind” and “Use Winbind Authentication”. Remember to leave “Cache Information”, “Use MD5 Passwords” and “Use Shadow Passwords” selected.
* Select “Next”
* Under “Security Model” select “ads”
* “Domains:” examplead (substitute with the name of your Active Directory)
* “Domain Controllers:” adserver.domain.com (Again, substitute with the name of your Active Directory server)
* “ADS Realm:” ADSERVER.DOMAIN.COM
* “Template Shell:” /bin/bash
* Select “Join Domain”
* Select “OK”
Now your machine should be on the domain. Test it to make sure you can see your AD users:
# wbinfo -u
You should see your users in the list.
The only problem is that to do anything with them, you have to express their user name in that annoying way Windows likes you to. Something like this:
“EXAMPLEAD\\username”
Not very useful. To get around this, simply edit “/etc/samba/smb.conf” and change this line:
winbind use default domain = no
to this:
winbind use default domain = yes
You should now be able to express AD usernames without the domain nonsense before it. Try it:
# finger username
Login: username Name: Username
Directory: /home/EXAMPLEAD/username Shell: /bin/bash
Never logged in.
No mail.
No Plan.
Finally check your “/etc/nsswitch.conf” file to make sure RHEL knows to use Winbind. Authconfig should have set this up for you, and it should have lines that look like this:
passwd: files winbind
shadow: files winbind
group: files winbind
Note: Follow these instructions to have your users' home directories created automatically:
http://kbase.redhat.com/faq/FAQ_43_5367.shtm
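Because logins now depend on three separate pieces (the domain join, the smb.conf setting and the nsswitch.conf lines), a quick self-check after the procedure saves a lot of debugging when `finger username` comes back empty. The script below is an added example, not part of the original post or of Samba: it parses nsswitch.conf and smb.conf and reports whether passwd, shadow and group all consult winbind and whether winbind use default domain is set to yes. The demo runs it on constructed copies of the two files; pass /etc/nsswitch.conf and /etc/samba/smb.conf to check a real host.

```shell
#!/bin/sh
# Added example (not from the original post): verify the two configuration
# points the Winbind procedure relies on. Assumption: the files used in the
# demo are constructed samples resembling what authconfig writes.

# nss_uses_winbind NSSWITCH DB: true if the "DB:" line in NSSWITCH lists winbind
nss_uses_winbind() {
    awk -v db="$2" '
        /^[[:space:]]*#/ { next }                    # skip comments
        $1 == (db ":") {                             # e.g. "passwd:"
            for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# nss_missing_winbind NSSWITCH: prints the databases among passwd/shadow/group
# that do not consult winbind; exit 0 only if none are missing.
nss_missing_winbind() {
    missing=""
    for db in passwd shadow group; do
        nss_uses_winbind "$1" "$db" || missing="$missing $db"
    done
    [ -z "$missing" ] || echo "nsswitch: winbind missing for:$missing"
    [ -z "$missing" ]
}

# smb_use_default_domain SMBCONF: true if the [global] section sets
# "winbind use default domain" to yes/true/1 (case-insensitive, spaces ignored)
smb_use_default_domain() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { section = tolower($0); gsub(/[[:space:]]/, "", section); next }
        section == "[global]" && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[[:space:]]/, "", key)
            val = tolower(substr($0, index($0, "=") + 1));    gsub(/[[:space:]]/, "", val)
            if (key == "winbindusedefaultdomain") ok = (val == "yes" || val == "true" || val == "1")
        }
        END { exit ok ? 0 : 1 }' "$1"
}

# check_winbind_setup NSSWITCH SMBCONF: exit 0 only if both checks pass
check_winbind_setup() {
    rc=0
    nss_missing_winbind "$1" || rc=1
    if smb_use_default_domain "$2"; then
        echo "smb.conf: winbind use default domain = yes (users log in as plain 'username')"
    else
        printf '%s\n' "smb.conf: winbind use default domain is not yes (logins need EXAMPLEAD\\username)"
        rc=1
    fi
    return $rc
}

# --- demo on constructed samples ---------------------------------------------
DEMO=$(mktemp -d)
cat > "$DEMO/nsswitch.conf" <<'EOF'
# constructed sample, as authconfig leaves it
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
EOF
cat > "$DEMO/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLEAD
   security = ads
   realm = ADSERVER.DOMAIN.COM
   winbind use default domain = yes
   template shell = /bin/bash
[homes]
   browseable = no
EOF
check_winbind_setup "$DEMO/nsswitch.conf" "$DEMO/smb.conf"
```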
Tuesday, February 2, 2010
Linux: How to create a new Partition on Linux?
Partitioning on Linux follows a few simple steps that can be executed after installation. The steps below create a new partition, label it /u02 and mount it there.
Hope it helps in understanding the clear-cut steps of Linux partitioning:
[root@ajeet ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 11G 479M 9.1G 5% /
/dev/sda7 4.9G 139M 4.5G 3% /home
/dev/sda6 4.9G 230M 4.4G 5% /var
/dev/sda5 7.6G 2.4G 4.9G 33% /usr
/dev/sda2 11G 155M 9.4G 2% /opt
/dev/sda1 99M 24M 71M 25% /boot
tmpfs 1010M 0 1010M 0% /dev/shm
/dev/sda9 9.2G 150M 8.6G 2% /u01
[root@ajeet ~]# fdisk /dev/sda
The number of cylinders for this disk is set to 9729.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)
Command (m for help): p
Disk /dev/sda: 80.0 GB, 80026361856 bytes
255 heads, 63 sectors/track, 9729 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sda1 * 1 13 104391 83 Linux
/dev/sda2 14 1364 10851907+ 83 Linux
/dev/sda3 1365 2715 10851907+ 83 Linux
/dev/sda4 2716 9729 56339955 5 Extended
/dev/sda5 2716 3738 8217216 83 Linux
/dev/sda6 3739 4388 5221093+ 83 Linux
/dev/sda7 4389 5038 5221093+ 83 Linux
/dev/sda8 5039 5560 4192933+ 82 Linux swap / Solaris
/dev/sda9 5561 6777 9775521 83 Linux
Command (m for help): n
First cylinder (6778-9729, default 6778):
Using default value 6778
Last cylinder or +size or +sizeM or +sizeK (6778-9729, default 9729): +10000M
Command (m for help): p
Disk /dev/sda: 80.0 GB, 80026361856 bytes
255 heads, 63 sectors/track, 9729 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sda1 * 1 13 104391 83 Linux
/dev/sda2 14 1364 10851907+ 83 Linux
/dev/sda3 1365 2715 10851907+ 83 Linux
/dev/sda4 2716 9729 56339955 5 Extended
/dev/sda5 2716 3738 8217216 83 Linux
/dev/sda6 3739 4388 5221093+ 83 Linux
/dev/sda7 4389 5038 5221093+ 83 Linux
/dev/sda8 5039 5560 4192933+ 82 Linux swap / Solaris
/dev/sda9 5561 6777 9775521 83 Linux
/dev/sda10 6778 7994 9775521 83 Linux
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table.
The new table will be used at the next reboot.
Syncing disks.
[root@ajeet ~]# partprobe
[root@ajeet ~]# mkfs.ext3 /dev/sda10
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
1224000 inodes, 2443880 blocks
122194 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2503999488
75 block groups
32768 blocks per group, 32768 fragments per group
16320 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 26 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
[root@ajeet ~]# e2label /dev/sda10 /u02
[root@ajeet ~]# vi /etc/fstab
[root@ajeet ~]# mkdir /u02
[root@ajeet ~]# mount -a
[root@ajeet ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 11G 479M 9.1G 5% /
/dev/sda7 4.9G 139M 4.5G 3% /home
/dev/sda6 4.9G 230M 4.4G 5% /var
/dev/sda5 7.6G 2.4G 4.9G 33% /usr
/dev/sda2 11G 155M 9.4G 2% /opt
/dev/sda1 99M 24M 71M 25% /boot
tmpfs 1010M 0 1010M 0% /dev/shm
/dev/sda9 9.2G 150M 8.6G 2% /u01
/dev/sda10 9.2G 150M 8.6G 2% /u02
[root@ajeet ~]# mount
/dev/sda3 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda7 on /home type ext3 (rw)
/dev/sda6 on /var type ext3 (rw)
/dev/sda5 on /usr type ext3 (rw)
/dev/sda2 on /opt type ext3 (rw)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
/dev/sda9 on /u01 type ext3 (rw)
/dev/sda10 on /u02 type ext3 (rw)
[root@ajeet ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 11G 479M 9.1G 5% /
/dev/sda7 4.9G 139M 4.5G 3% /home
/dev/sda6 4.9G 230M 4.4G 5% /var
/dev/sda5 7.6G 2.4G 4.9G 33% /usr
/dev/sda2 11G 155M 9.4G 2% /opt
/dev/sda1 99M 24M 71M 25% /boot
tmpfs 1010M 0 1010M 0% /dev/shm
/dev/sda9 9.2G 150M 8.6G 2% /u01
/dev/sda10 9.2G 150M 8.6G 2% /u02
[root@ajeet ~]#
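The `vi /etc/fstab` step in the session above is where the new partition gets its permanent entry, and it is also where a typo can leave the box unbootable or mount the wrong device over an existing directory. The function below is an added example, not from the original post: it appends a LABEL= entry in the style the fstab at the top of this page already uses, after refusing to add a label or a mount point that is already present. Since the session labelled the filesystem /u02 with e2label, the entry it produces is LABEL=/u02 /u02 ext3 defaults 1 2; the fsck pass number 2 follows the /boot line of that fstab and is my assumption, not something the post states. The fstab edited in the demo is a constructed copy.

```shell
#!/bin/sh
# Added example (not from the original post): add the fstab entry for a freshly
# labelled filesystem without clobbering an existing one. Assumptions: LABEL=
# entries as in the fstab shown earlier on this page; the fstab used in the demo
# is a constructed copy, not a real system file.

# fstab_has_mountpoint FSTAB DIR  and  fstab_has_device FSTAB DEV
# Both ignore comment lines and compare whole fields, so /u0 does not match /u02.
fstab_has_mountpoint() { awk -v d="$2" '!/^[[:space:]]*#/ && $2 == d { f = 1 } END { exit f ? 0 : 1 }' "$1"; }
fstab_has_device()     { awk -v d="$2" '!/^[[:space:]]*#/ && $1 == d { f = 1 } END { exit f ? 0 : 1 }' "$1"; }

# fstab_add_label FSTAB LABEL MOUNTPOINT [FSTYPE] [OPTIONS]
# Appends "LABEL=<label> <mountpoint> <fstype> <options> 1 2" unless the label
# or the mount point is already present in FSTAB. Exit 0 on append, 1 on refusal.
fstab_add_label() {
    fstab=$1 label=$2 mnt=$3 fstype=${4:-ext3} opts=${5:-defaults}
    if fstab_has_device "$fstab" "LABEL=$label"; then
        echo "refusing: LABEL=$label is already in $fstab" >&2; return 1
    fi
    if fstab_has_mountpoint "$fstab" "$mnt"; then
        echo "refusing: $mnt is already used by an entry in $fstab" >&2; return 1
    fi
    printf 'LABEL=%s %s %s %s 1 2\n' "$label" "$mnt" "$fstype" "$opts" >> "$fstab"
}

# --- demo on a constructed fstab resembling the one earlier on this page -----
DEMO=$(mktemp -d)
cat > "$DEMO/fstab" <<'EOF'
LABEL=/ / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
none /proc proc defaults 0 0
/dev/sda8 swap swap defaults 0 0
/dev/sda9 /u01 ext3 defaults 1 2
EOF
fstab_add_label "$DEMO/fstab" /u02 /u02            # appended
fstab_add_label "$DEMO/fstab" /u02 /u02  || true   # refused: label already present
fstab_add_label "$DEMO/fstab" /data /u01 || true   # refused: /u01 already mounted
tail -n1 "$DEMO/fstab"
```

After appending the line, `mkdir /u02 && mount -a` as in the session above; if mount -a reports an error, the entry is wrong and should be fixed before the next reboot, because a bad fstab line is checked at boot.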
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 26 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
[root@ajeet ~]# e2label /dev/sda10 /u02
[root@ajeet ~]# vi /etc/fstab
[root@ajeet ~]# mkdir /u02
[root@ajeet ~]# mount -a
[root@ajeet ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 11G 479M 9.1G 5% /
/dev/sda7 4.9G 139M 4.5G 3% /home
/dev/sda6 4.9G 230M 4.4G 5% /var
/dev/sda5 7.6G 2.4G 4.9G 33% /usr
/dev/sda2 11G 155M 9.4G 2% /opt
/dev/sda1 99M 24M 71M 25% /boot
tmpfs 1010M 0 1010M 0% /dev/shm
/dev/sda9 9.2G 150M 8.6G 2% /u01
/dev/sda10 9.2G 150M 8.6G 2% /u02
[root@ajeet ~]# mount
/dev/sda3 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda7 on /home type ext3 (rw)
/dev/sda6 on /var type ext3 (rw)
/dev/sda5 on /usr type ext3 (rw)
/dev/sda2 on /opt type ext3 (rw)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
/dev/sda9 on /u01 type ext3 (rw)
/dev/sda10 on /u02 type ext3 (rw)
[root@ajeet ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 11G 479M 9.1G 5% /
/dev/sda7 4.9G 139M 4.5G 3% /home
/dev/sda6 4.9G 230M 4.4G 5% /var
/dev/sda5 7.6G 2.4G 4.9G 33% /usr
/dev/sda2 11G 155M 9.4G 2% /opt
/dev/sda1 99M 24M 71M 25% /boot
tmpfs 1010M 0 1010M 0% /dev/shm
/dev/sda9 9.2G 150M 8.6G 2% /u01
/dev/sda10 9.2G 150M 8.6G 2% /u02
[root@ajeet ~]#
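The `vi /etc/fstab` step in the session above does not show the entry that was typed. As an added example (not from the original post), the POSIX shell helper below builds that entry keyed by the label set with `e2label` and refuses to append a second line for a mount point that is already present, so a repeated run cannot leave `mount -a` with two conflicting lines. The device, label and mount point (`/dev/sda10`, `/u02`) are the page's; the `nodev,nosuid` mount options are a hardening choice assumed here for a data partition, and the demo works on a constructed copy of fstab rather than the real file.

```shell
#!/bin/sh
# Added example: generate and safely append the /etc/fstab entry for the
# partition labelled with "e2label /dev/sda10 /u02" in the session above.
# Mount options nodev,nosuid are an assumption of this example, not the post's.

# fstab_line LABEL MOUNTPOINT FSTYPE OPTIONS -> prints one fstab entry
fstab_line() {
    # fields: device  mount-point  fs-type  options  dump  fsck-pass
    printf 'LABEL=%s %s %s %s 0 2\n' "$1" "$2" "$3" "$4"
}

# fstab_has_mountpoint FSTAB MOUNTPOINT -> exit 0 if a non-comment line mounts it
fstab_has_mountpoint() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { found = 1 }
                    END { exit found ? 0 : 1 }' "$1"
}

# add_fstab_entry FSTAB LABEL MOUNTPOINT -> appends the entry exactly once
add_fstab_entry() {
    fstab="$1" label="$2" mp="$3"
    if fstab_has_mountpoint "$fstab" "$mp"; then
        echo "$mp already present in $fstab, nothing appended" >&2
        return 1
    fi
    fstab_line "$label" "$mp" ext3 defaults,nodev,nosuid >> "$fstab"
}

# Demonstration on a constructed fstab copy, so it runs without root and
# never touches the real /etc/fstab. Prints how many /u02 lines exist after
# two attempts to add the entry (expected: 1).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
LABEL=/     /     ext3 defaults 1 1
LABEL=/u01  /u01  ext3 defaults 1 2
EOF
    add_fstab_entry "$tmp" /u02 /u02                     # first run: appended
    add_fstab_entry "$tmp" /u02 /u02 2>/dev/null || :    # second run: refused
    n=$(grep -c ' /u02 ' "$tmp")
    rm -f "$tmp"
    echo "$n"
}
```

After appending the real entry, `mount -a` followed by `df -h` (as the session does) confirms the new line parses and the partition is mounted where the label says.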