Thursday, May 24, 2012

Reset MySQL root password and Linux tips



Recover / Reset MySQL root Password
Mysqladmin command to set root password
If you have never set a root password for the MySQL server, the server does not require a password at all for connecting as root. To set up the root password for the first time, use the mysqladmin command at the shell prompt as follows:

# mysqladmin -u root password NEWPASSWORD



However, if you want to change (or update) the root password, you need to use the following command:

# mysqladmin -u root -p'oldpassword' password newpass

For example, if the old password is abcdef, you can set the new password to 123456789 by entering:

# mysqladmin -u root -p'abcdef' password '123456789'

Note that a password given on the command line like this ends up in your shell history and is briefly visible in the process list; passing -p on its own makes mysqladmin prompt for the old password instead.


Change MySQL password for other users
To change a normal user's password (let us assume you would like to change the password for user sachin), type the following command (the old password goes directly after -p, with no space, just as for root above):

# mysqladmin -u sachin -p'oldpassword' password newpass


Changing the MySQL root user password using an SQL command (without knowing the earlier password)
This is another method. MySQL stores usernames and passwords in the user table inside the mysql database. You can directly update the password for user root or any other user with the following method:

1) Log in to the MySQL server by typing the following command at the shell prompt:

# mysql -u root -p

2) Select the mysql database (type the command at the mysql> prompt):

mysql> use mysql;

3) Change the password for user root:

mysql> update user set password=PASSWORD("NEWPASSWORD") where User='root';

(This statement applies to MySQL 5.6 and earlier, which is what this post covers. MySQL 5.7 renamed the column to authentication_string and MySQL 8.0 removed the PASSWORD() function; on those versions use ALTER USER instead.)

4) Finally, reload the privileges:

mysql> flush privileges;
mysql> quit

done !!


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@




Linux : Find Out Maximum RAM Supported By The Server Motherboard

Most modern servers support 16GB, 32GB, 64GB or more of RAM and have 4 or more DIMM slots. To find out the maximum the system can support, type the following command as the root user:


# dmidecode -t 16
Sample outputs:
# dmidecode 2.11
SMBIOS 2.5 present.
Handle 0x0016, DMI type 16, 15 bytes
Physical Memory Array
 Location: System Board Or Motherboard
 Use: System Memory
 Error Correction Type: None
 Maximum Capacity: 64 GB
 Error Information Handle: Not Provided
 Number Of Devices: 8
This server supports a maximum of 64 GB and has 8 DIMM slots.

However, my good old home server can support a maximum of 4GB of RAM:

# dmidecode -t 16
Sample outputs:
# dmidecode 2.9
SMBIOS 2.6 present.
Handle 0x0008, DMI type 16, 15 bytes
Physical Memory Array
 Location: System Board Or Motherboard
 Use: System Memory
 Error Correction Type: None
 Maximum Capacity: 4 GB
 Error Information Handle: Not Provided
 Number Of Devices: 2
This server supports a maximum of 4 GB of RAM and has a total of 2 DIMM slots.

You can find out information about the currently installed memory (each DIMM and its slot) by typing the following command:

# dmidecode -t 17
Sample outputs:

# dmidecode 2.9
SMBIOS 2.6 present.
Handle 0x000A, DMI type 17, 28 bytes
Memory Device
 Array Handle: 0x0008
 Error Information Handle: Not Provided
 Total Width: 64 bits
 Data Width: 64 bits
 Size: 2048 MB
 Form Factor: DIMM
 Set: None
 Locator: DIMM0
 Bank Locator: BANK0
 Type: DDR2
 Type Detail: Synchronous
 Speed: 667 MHz (1.5 ns)
 Manufacturer: Manufacturer00
 Serial Number: SerNum00
 Asset Tag: AssetTagNum0
 Part Number: ModulePartNumber00
Handle 0x000C, DMI type 17, 28 bytes
Memory Device
 Array Handle: 0x0008
 Error Information Handle: Not Provided
 Total Width: Unknown
 Data Width: Unknown
 Size: No Module Installed
 Form Factor: DIMM
 Set: None
 Locator: DIMM1
 Bank Locator: BANK1
 Type: Unknown
 Type Detail: Unknown
 Speed: Unknown
 Manufacturer: Manufacturer01
 Serial Number: SerNum01
 Asset Tag: AssetTagNum1
 Part Number: ModulePartNumber01

Find out installed RAM information

Another output from one of my personal servers:
# dmidecode -t 17
Sample outputs:
# dmidecode 2.11
SMBIOS 2.5 present.
Handle 0x0013, DMI type 17, 27 bytes
Memory Device
 Array Handle: 0x0012
 Error Information Handle: No Error
 Total Width: 40968 bits
 Data Width: 41032 bits
 Size: 512 MB
 Form Factor: DIMM
 Set: 1
 Locator: J6G1
 Bank Locator: DIMM 0
 Type: DDR2
 Type Detail: Synchronous
 Speed: 667 MHz
 Manufacturer: Kingston
 Serial Number: 80CC2564
 Asset Tag: 00000903
 Part Number: 393930353332302D3030322E4130314C4600
Handle 0x0014, DMI type 17, 27 bytes
Memory Device
 Array Handle: 0x0012
 Error Information Handle: No Error
 Total Width: 41480 bits
 Data Width: 41544 bits
 Size: 512 MB
 Form Factor: DIMM
 Set: 1
 Locator: J6G2
 Bank Locator: DIMM 1
 Type: DDR2
 Type Detail: Synchronous
 Speed: 667 MHz
 Manufacturer: Kingston
 Serial Number: 80CC1E64
 Asset Tag: 00000903
 Part Number: 393930353332302D3030322E4130314C4600
Handle 0x0015, DMI type 17, 27 bytes
Memory Device
 Array Handle: 0x0012
 Error Information Handle: No Error
 Total Width: 41992 bits
 Data Width: 42056 bits
 Size: 512 MB
 Form Factor: DIMM
 Set: 1
 Locator: J6H1
 Bank Locator: DIMM 2
 Type: DDR2
 Type Detail: Synchronous
 Speed: 667 MHz
 Manufacturer: Kingston
 Serial Number: BCCCFD8D
 Asset Tag: 00000833
 Part Number: 393930353332302D3030322E4130314C4600
Handle 0x0016, DMI type 17, 27 bytes
Memory Device
 Array Handle: 0x0012
 Error Information Handle: No Error
 Total Width: 42504 bits
 Data Width: 42568 bits
 Size: 512 MB
 Form Factor: DIMM
 Set: 1
 Locator: J6H2
 Bank Locator: DIMM 3
 Type: DDR2
 Type Detail: Synchronous
 Speed: 667 MHz
 Manufacturer: Kingston
 Serial Number: BCCCDF8D
 Asset Tag: 00000833
 Part Number: 393930353332302D3030322E4130314C4600



This server has four 512 MB Kingston DIMMs installed.
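As an added example (not from the original post), here is a small Python parser that turns the dmidecode -t 16 and -t 17 records shown above into a summary of maximum capacity, slot count, installed modules and free slots. The sample output embedded in it is constructed to match the home-server figures above (4 GB maximum, 2 slots, one 2048 MB DDR2 module).

```python
"""Summarise memory capacity and slot use from `dmidecode -t 16` / `-t 17` output.

Added example, not part of the original post. SAMPLE_DMIDECODE below is a
constructed sample shaped like the post's home-server output.
"""
import re

# Constructed sample: a type 16 (Physical Memory Array) record followed by
# two type 17 (Memory Device) records, one populated and one empty.
SAMPLE_DMIDECODE = """\
# dmidecode 2.9
SMBIOS 2.6 present.
Handle 0x0008, DMI type 16, 15 bytes
Physical Memory Array
\tLocation: System Board Or Motherboard
\tUse: System Memory
\tError Correction Type: None
\tMaximum Capacity: 4 GB
\tError Information Handle: Not Provided
\tNumber Of Devices: 2

Handle 0x000A, DMI type 17, 28 bytes
Memory Device
\tArray Handle: 0x0008
\tSize: 2048 MB
\tForm Factor: DIMM
\tLocator: DIMM0
\tType: DDR2
\tSpeed: 667 MHz (1.5 ns)

Handle 0x000C, DMI type 17, 28 bytes
Memory Device
\tArray Handle: 0x0008
\tSize: No Module Installed
\tForm Factor: DIMM
\tLocator: DIMM1
\tType: Unknown
\tSpeed: Unknown
"""

_UNITS_MB = {"KB": 1 / 1024, "MB": 1, "GB": 1024, "TB": 1024 * 1024}


def parse_records(text):
    """Split dmidecode output into a list of (dmi_type, {field: value}) records."""
    records = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Handle 0x[0-9A-Fa-f]+, DMI type (\d+), \d+ bytes", line)
        if m:
            current = (int(m.group(1)), {})
            records.append(current)
        elif current is not None and ":" in line and line.startswith(("\t", " ")):
            key, _, value = line.strip().partition(":")
            current[1][key.strip()] = value.strip()
    return records


def size_to_mb(value):
    """Convert '2048 MB' or '4 GB' to MB; None for 'No Module Installed' or unknown text."""
    m = re.match(r"(\d+)\s*(KB|MB|GB|TB)$", value)
    return int(int(m.group(1)) * _UNITS_MB[m.group(2)]) if m else None


def memory_summary(text):
    """Combine the type 16 (array) and type 17 (device) records into one summary."""
    records = parse_records(text)
    arrays = [f for t, f in records if t == 16]
    devices = [f for t, f in records if t == 17]
    max_mb = sum(size_to_mb(a.get("Maximum Capacity", "")) or 0 for a in arrays)
    slots = sum(int(a.get("Number Of Devices", "0")) for a in arrays)
    modules = []
    for d in devices:
        mb = size_to_mb(d.get("Size", ""))
        if mb:  # skip empty slots ("No Module Installed")
            modules.append({"locator": d.get("Locator"), "size_mb": mb, "type": d.get("Type")})
    installed_mb = sum(d["size_mb"] for d in modules)
    return {
        "max_capacity_mb": max_mb,
        "slots": slots,
        "installed_mb": installed_mb,
        "free_slots": slots - len(modules),
        "headroom_mb": max_mb - installed_mb,
        "modules": modules,
    }


if __name__ == "__main__":
    s = memory_summary(SAMPLE_DMIDECODE)
    print(f"max {s['max_capacity_mb']} MB, installed {s['installed_mb']} MB in "
          f"{len(s['modules'])}/{s['slots']} slots, {s['free_slots']} free")
```

Feed it the real output of dmidecode -t 16 followed by dmidecode -t 17 to get the same summary for your own server.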





Posted by SachinBhomale at 4/26/2012 02:49:00 AM 0 comments

SUNDAY, MARCH 4, 2012
Enable Postfix blacklist
By default, the Postfix SMTP server accepts mail from any sender address. However, you can easily block (blacklist) a sender email address with Postfix using its SMTP server access table.

Open the /etc/postfix/sender_access file:

# cd /etc/postfix
# vi sender_access

Append the sender email address as follows:

user@xyzasdf.com REJECT

Save and close the file. Use the postmap command to create the lookup database:

# postmap hash:sender_access

Now open main.cf and add the restriction as follows:

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_mynetworks, reject_unauth_destination

Keep permit_mynetworks and reject_unauth_destination in the list: they are the relay control Postfix expects in this parameter. Postfix versions before 2.10 refuse to start if smtpd_recipient_restrictions does not contain reject_unauth_destination or an equivalent (newer versions carry that control in the separate smtpd_relay_restrictions parameter).

Save and close the file. Restart / reload the Postfix MTA:

# /etc/init.d/postfix restart

If SpamAssassin is installed

You can also use SpamAssassin to blacklist an email address. Just add the following to your own SpamAssassin configuration or to the /etc/mail/spamassassin/local.cf file:

# vi /etc/mail/spamassassin/local.cf

Append the blacklist entry as follows:

blacklist_from user@xyzasdf.com

Save and close the file. Restart SpamAssassin:
# /etc/init.d/spamassassin restart

Note that SpamAssassin will mark the mail as spam instead of rejecting it.
Posted by SachinBhomale at 3/04/2012 10:59:00 PM 0 comments

FRIDAY, FEBRUARY 24, 2012
Create backups for the Linux operating system
This question is asked again and again by new Linux sysadmins:

How do I perform backups for my Linux operating system?

So I am putting together all the information you need to know about backups. The main aim is to give you the software, links and commands needed to get started as soon as possible.
Backup is essential

First, a backup is essential. You need a good backup strategy to:

Minimize recovery time after a disaster such as a server failure, human error (a deleted file) or an act of God
Avoid downtime
Save money and time
And ultimately, save your job ;)

A backup must provide:

Restoration of single/individual files
Restoration of whole file systems

What to back up?

User files and dynamic data [databases] (stored in /home, specially configured partitions, /var, etc.)
Application software (stored in /usr)
OS files
Application configuration files (stored in /etc, /usr/local/etc or /home/user/.dotfiles)

Different types of backups

Full backups: Each file and directory is written to the backup media.
Incremental backups (full + incremental): These are used in conjunction with a full backup. A scheme is incremental if each original piece of backed-up information is stored only once, and each successive backup contains only the information that changed since the previous one. It uses a file's modification time to determine which files need to be backed up.

So when you restore from an incremental backup:

First, restore the last full backup
Next, restore every subsequent incremental backup, in order
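As an added example (not from the original post, which uses the tar and dump commands), here is the full + incremental scheme and the restore order in Python: the incremental pass selects files by modification time, and the restore applies the full archive first and then each incremental in sequence so that newer copies overwrite older ones. The data set it works on is constructed in a scratch directory.

```python
"""Full + incremental backups selected by modification time, restored in the order
the post gives: last full backup first, then every later incremental in sequence.

Added example, not part of the original post; it uses Python's tarfile instead of
the tar/dump commands listed above. The data set is constructed in a scratch dir.
"""
import os
import tarfile
import tempfile
import time
from pathlib import Path


def _files_under(src):
    """All regular files below src, in a stable order."""
    return sorted(p for p in Path(src).rglob("*") if p.is_file())


def full_backup(src, archive):
    """Write every file under src into archive; return the backup's timestamp."""
    stamp = time.time()
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in _files_under(src):
            tar.add(str(p), arcname=str(p.relative_to(src)))
    return stamp


def incremental_backup(src, archive, since):
    """Write only files modified at or after `since` (the previous backup's stamp).
    `>=` rather than `>` errs on the side of copying a file twice instead of missing
    one whose mtime was rounded to the same second as the stamp."""
    stamp = time.time()
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in _files_under(src):
            if p.stat().st_mtime >= since:
                tar.add(str(p), arcname=str(p.relative_to(src)))
    return stamp


def restore(dest, full_archive, incremental_archives):
    """Extract the full archive, then the incrementals oldest to newest, so newer
    copies overwrite older ones. Members with absolute or '..' paths are skipped
    so a tampered archive cannot write outside dest. Returns the restored paths."""
    restored = set()
    for archive in [full_archive, *incremental_archives]:
        with tarfile.open(str(archive), "r:gz") as tar:
            members = [m for m in tar.getmembers()
                       if not (m.name.startswith("/") or ".." in m.name.split("/"))]
            tar.extractall(str(dest), members=members)
            restored.update(m.name for m in members)
    return restored


def demo(workdir=None):
    """Round trip on a constructed data set; returns (restored contents, names of
    the files that landed in the incremental archive)."""
    work = Path(workdir or tempfile.mkdtemp())
    src, bak, out = work / "src", work / "backups", work / "restore"
    for d in (src, bak, out):
        d.mkdir(parents=True, exist_ok=True)
    # Both files are pinned well before the full backup's timestamp.
    old = time.time() - 1000
    for name, text in (("a.txt", "alpha v1"), ("b.txt", "beta v1")):
        (src / name).write_text(text)
        os.utime(src / name, (old, old))
    full_stamp = full_backup(src, bak / "full.tgz")
    # Change one file after the full backup and pin its mtime past the stamp.
    (src / "a.txt").write_text("alpha v2")
    os.utime(src / "a.txt", (full_stamp + 10, full_stamp + 10))
    incremental_backup(src, bak / "inc1.tgz", since=full_stamp)
    restored = restore(out, bak / "full.tgz", [bak / "inc1.tgz"])
    contents = {name: (out / name).read_text() for name in sorted(restored)}
    with tarfile.open(str(bak / "inc1.tgz")) as tar:
        inc_names = tar.getnames()
    return contents, inc_names


if __name__ == "__main__":
    print(demo())
```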

Preferred Backup Media

Tape (old and trusted method)
Network (ftp, nas, rsync etc)
Disk (hard disk, optical disk etc)

Test backups

Please note that whichever backup medium you choose, you need to test your backups. Perform tests to make sure that the data can be read back from the media.
Backup Recommendation

My years of experience show that if you follow these rules you are most likely to get your data back in the worst-case scenario:
(a) Rotate backup media
(b) Use multiple backup media for same data such as ftp and tape
(c) Keep old copies of backups offsite

In short, create a good disaster recovery plan.
General procedure to restore a Linux/UNIX box

There is no golden rule or procedure, but I follow these two methods:
Method # 1: Reinstall everything, restore everything, and secure everything

Use this method (bare metal recovery) if your server has been cracked or hacked, or the hard drive is totally out of order:

Format everything
Reinstall the OS
Configure data partitions (if any)
Install drivers
Restore data from backup media
Configure security

Method # 2: Use of recovery CD/DVD rom

Use this method if your box has not been hacked and the system cannot boot, the MBR is damaged, files were accidentally deleted, etc.:

Boot into rescue mode.
Debug (or troubleshoot) the problem
Verify that the disk partitions are stable enough (use fsck) to receive the backed-up data
Install drivers
Restore data from backup media
Configure security

Linux (and other UNIX OSes) backup tools

Luckily, Linux/UNIX provides a good set of tools for backup. We have covered almost every tool mentioned below; just follow the link to get more information about each command and its usage:

Backing up to tape using tar to tape, tar over ssh, cpio, and the dump command. tar and friends are good for small backups. For large-scale backups, or backups that demand a lot of CPU and I/O, use another solution (see below).
Backing up to another server using ftp, ftp to a NAS, accessing a NAS server over the NFS protocol, accessing a NAS from Samba/Windows, and rsync to UNIX/Linux or Windows servers
Backing up to recordable media such as CD-R or DVD

It is also recommended that you use RAID or LVM (see consistent backups with LVM) or a combination of both to increase the reliability of your data.
A note about MySQL or Oracle database backup

Backing up a database server such as MySQL or Oracle needs more planning. Generally you can apply a table write lock and use the MySQL database dump utility (mysqldump) to back up the database. You can also use an LVM snapshot volume to capture the database data.
A note about large scale backup

As I said earlier, tar is good if you need to back up a small amount of data that does not demand high CPU or I/O. The following are recommended tools for backups that demand high CPU or I/O rates:

(a) amanda - AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is an open source backup system that allows the administrator to set up a single master backup server to back up multiple hosts over the network to tape drives/changers, disks or optical media.

(b) Third party commercial proprietary solutions:
Top three excellent commercial solutions:

Veritas Netbackup
IBM Tivoli Storage Manager
Legato Networker

If you are looking to protect large-scale computer systems, use the above solutions; the following two books will give you a good idea:

Implementing Backup and Recovery: The Readiness Guide for the Enterprise - This gives you an introduction to backup and recovery concepts in the enterprise and covers disaster recovery, and other solutions such as Veritas Netbackup.
Backup & Recovery (UNIX) - This unique book shows you how to ensure data protection without resorting to expensive commercial solutions.
Posted by SachinBhomale at 2/24/2012 01:55:00 AM 0 comments

Test Hard Disk in Linux
One of our regular readers sent us a question:

How can I test if my hard disk is going bad? I see a few errors in the /var/log/messages file.

I/O errors in /var/log/messages indicate that something is wrong with the hard disk and that it may be failing.

You can check for hard disk errors using the smartctl command, which is the control and monitor utility for SMART disks under Linux / UNIX-like operating systems.

smartctl controls the Self-Monitoring, Analysis and Reporting Technology (SMART) system built into many ATA-3 and later ATA, IDE and SCSI-3 hard drives. The purpose of SMART is to monitor the reliability of the hard drive and predict drive failures, and to carry out different types of drive self-tests.

smartctl is a command line utility designed to perform SMART tasks such as printing the SMART self-test and error logs, enabling and disabling SMART automatic testing, and initiating device self-tests.

Make sure S.M.A.R.T. support is enabled in the BIOS.

Next, run the following command to see if your hard disk supports S.M.A.R.T. technology:
# smartctl -i /dev/sdb

Now enable SMART:
# smartctl -s on -d ata /dev/sdb
Output:

smartctl version 5.33 [x86_64-redhat-linux-gnu] Copyright (C) 2002-4 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
=== START OF ENABLE/DISABLE COMMANDS SECTION ===
SMART Enabled.

Now run the overall-health self-assessment test:
# smartctl -d ata -H /dev/sdb
Output:

smartctl version 5.33 [x86_64-redhat-linux-gnu] Copyright (C) 2002-4 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

Sample output from a failing hard disk. Note that the overall result still says PASSED; it is the marginal attribute listed beneath it (FAILING_NOW) that gives the disk away:

smartctl version 5.38 [i686-pc-linux-gnu] Copyright (C) 2002-8 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
Please note the following marginal Attributes:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
190 Airflow_Temperature_Cel 0x0022 044 033 045 Old_age Always FAILING_NOW 56 (96 110 58 25)

The following will provide even more information about the failing hard disk:
# smartctl --attributes --log=selftest /dev/sda
Sample outputs:

smartctl version 5.38 [i686-pc-linux-gnu] Copyright (C) 2002-8 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
=== START OF READ SMART DATA SECTION ===
SMART Attributes Data Structure revision number: 10
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
1 Raw_Read_Error_Rate 0x000f 098 092 006 Pre-fail Always - 238320363
3 Spin_Up_Time 0x0003 100 100 000 Pre-fail Always - 0
4 Start_Stop_Count 0x0032 100 100 020 Old_age Always - 587
5 Reallocated_Sector_Ct 0x0033 100 100 036 Pre-fail Always - 9
7 Seek_Error_Rate 0x000f 077 060 030 Pre-fail Always - 51672328
9 Power_On_Hours 0x0032 095 095 000 Old_age Always - 4805
10 Spin_Retry_Count 0x0013 100 100 097 Pre-fail Always - 0
12 Power_Cycle_Count 0x0032 100 100 020 Old_age Always - 586
184 Unknown_Attribute 0x0032 100 100 099 Old_age Always - 0
187 Reported_Uncorrect 0x0032 001 001 000 Old_age Always - 417
188 Unknown_Attribute 0x0032 100 099 000 Old_age Always - 4295032833
189 High_Fly_Writes 0x003a 094 094 000 Old_age Always - 6
190 Airflow_Temperature_Cel 0x0022 044 033 045 Old_age Always FAILING_NOW 56 (96 122 58 25)
194 Temperature_Celsius 0x0022 056 067 000 Old_age Always - 56 (0 23 0 0)
195 Hardware_ECC_Recovered 0x001a 043 026 000 Old_age Always - 238320363
197 Current_Pending_Sector 0x0012 100 100 000 Old_age Always - 49
198 Offline_Uncorrectable 0x0010 100 100 000 Old_age Offline - 49
199 UDMA_CRC_Error_Count 0x003e 200 200 000 Old_age Always - 0
240 Head_Flying_Hours 0x0000 100 253 000 Old_age Offline - 172082159686339
241 Unknown_Attribute 0x0000 100 253 000 Old_age Offline - 2155546016
242 Unknown_Attribute 0x0000 100 253 000 Old_age Offline - 3048586928
SMART Self-test log structure revision number 1
Num Test_Description Status Remaining LifeTime(hours) LBA_of_first_error
# 1 Extended offline Completed: read failure 90% 4789 1746972641
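As an added example (not from the original post or from smartmontools), the following Python script triages smartctl --attributes --log=selftest output the way an administrator reads the report above: it flags attributes marked FAILING_NOW, normalised values at or below their threshold, non-zero reallocated/pending/uncorrectable sector counts, and self-tests that did not complete cleanly, and it points out when those findings contradict an overall PASSED. The embedded sample is a constructed subset of the failing-disk output above; the attribute IDs it treats as critical are the conventional ones, and vendors can differ.

```python
"""Triage `smartctl --attributes --log=selftest` output: flag attributes the drive
marks FAILING_NOW and raw counters that indicate media trouble even when the overall
self-assessment still says PASSED (as in the post's failing-disk sample).

Added example, not part of the original post or of smartmontools. SAMPLE_SMARTCTL is
a constructed subset of the post's failing-disk report.
"""
import re

# Constructed sample, trimmed from the post's failing-disk report.
SAMPLE_SMARTCTL = """\
smartctl version 5.38 [i686-pc-linux-gnu] Copyright (C) 2002-8 Bruce Allen
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   098   092   006    Pre-fail  Always       -       238320363
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       9
187 Reported_Uncorrect      0x0032   001   001   000    Old_age   Always       -       417
190 Airflow_Temperature_Cel 0x0022   044   033   045    Old_age   Always   FAILING_NOW 56 (96 122 58 25)
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       49
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       49
199 UDMA_CRC_Error_Count    0x003e   200   200   000    Old_age   Always       -       0
SMART Self-test log structure revision number 1
Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Extended offline    Completed: read failure       90%      4789         1746972641
"""

# Raw counters where any non-zero value deserves attention (media defects or link
# errors). These are the conventional attribute IDs; vendors may use others.
CRITICAL_RAW_ATTRS = {5: "Reallocated_Sector_Ct", 187: "Reported_Uncorrect",
                      197: "Current_Pending_Sector", 198: "Offline_Uncorrectable",
                      199: "UDMA_CRC_Error_Count"}

# ID NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE(leading integer)
ATTR_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]{4}\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)")


def parse_attributes(text):
    """Return a list of attribute dicts from the vendor-specific attribute table."""
    attrs = []
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.append({"id": int(m.group(1)), "name": m.group(2),
                          "value": int(m.group(3)), "worst": int(m.group(4)),
                          "thresh": int(m.group(5)), "when_failed": m.group(8),
                          "raw": int(m.group(9))})
    return attrs


def parse_selftests(text):
    """Return (description, status) tuples from the self-test log."""
    tests = []
    for line in text.splitlines():
        m = re.match(r"^#\s*\d+\s+(.+?)\s{2,}(.+?)\s+\d+%", line)
        if m:
            tests.append((m.group(1).strip(), m.group(2).strip()))
    return tests


def triage(text):
    """Produce a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    m = re.search(r"overall-health self-assessment test result: (\w+)", text)
    overall = m.group(1) if m else "UNKNOWN"
    for a in parse_attributes(text):
        if a["when_failed"] != "-":
            findings.append(f"attribute {a['id']} {a['name']} is {a['when_failed']}")
        if a["thresh"] > 0 and a["value"] <= a["thresh"]:
            findings.append(f"attribute {a['id']} {a['name']} value {a['value']} "
                            f"at/below threshold {a['thresh']}")
        if a["id"] in CRITICAL_RAW_ATTRS and a["raw"] > 0:
            findings.append(f"attribute {a['id']} {a['name']} raw count {a['raw']}")
    for desc, status in parse_selftests(text):
        if not status.lower().startswith("completed without error"):
            findings.append(f"self-test '{desc}' ended with: {status}")
    if findings and overall == "PASSED":
        findings.append("overall health says PASSED, but the findings above mean "
                        "the disk should be replaced")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SMARTCTL):
        print("-", finding)
```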

You can read more data from the hard disk by typing the following command:
# smartctl -d ata -a /dev/sdb
Output:

smartctl version 5.33 [x86_64-redhat-linux-gnu] Copyright (C) 2002-4 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
=== START OF INFORMATION SECTION ===
Device Model: WDC WD2500YS-01SHB0
Serial Number: WD-WCANY1729333
Firmware Version: 20.06C03
User Capacity: 251,000,193,024 bytes
Device is: Not in smartctl database [for details use: -P showall]
ATA Version is: 7
ATA Standard is: Exact ATA specification draft version not indicated
Local Time is: Wed Jul 4 15:04:38 2007 CDT
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
General SMART Values:
Offline data collection status: (0x82) Offline data collection activity
was completed without error.
Auto Offline Data Collection: Enabled.
Self-test execution status: ( 0) The previous self-test routine completed
without error or no self-test has ever
been run.
Total time to complete Offline
data collection: (7800) seconds.
Offline data collection
capabilities: (0x7b) SMART execute Offline immediate.
Auto Offline data collection on/off support.
Suspend Offline collection upon new
command.
Offline surface scan supported.
Self-test supported.
Conveyance Self-test supported.
Selective Self-test supported.
SMART capabilities: (0x0003) Saves SMART data before entering
power-saving mode.
Supports SMART auto save timer.
Error logging capability: (0x01) Error logging supported.
General Purpose Logging supported.
Short self-test routine
recommended polling time: ( 2) minutes.
Extended self-test routine
recommended polling time: ( 92) minutes.
Conveyance self-test routine
recommended polling time: ( 6) minutes.
SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
1 Raw_Read_Error_Rate 0x000f 200 200 051 Pre-fail Always - 0
3 Spin_Up_Time 0x0003 190 187 021 Pre-fail Always - 5500
4 Start_Stop_Count 0x0032 100 100 000 Old_age Always - 24
5 Reallocated_Sector_Ct 0x0033 200 200 140 Pre-fail Always - 0
7 Seek_Error_Rate 0x000f 200 200 051 Pre-fail Always - 0
9 Power_On_Hours 0x0032 092 092 000 Old_age Always - 6382
10 Spin_Retry_Count 0x0013 100 253 051 Pre-fail Always - 0
11 Calibration_Retry_Count 0x0013 100 253 051 Pre-fail Always - 0
12 Power_Cycle_Count 0x0032 100 100 000 Old_age Always - 23
194 Temperature_Celsius 0x0022 127 096 000 Old_age Always - 23
196 Reallocated_Event_Count 0x0032 200 200 000 Old_age Always - 0
197 Current_Pending_Sector 0x0012 200 200 000 Old_age Always - 0
198 Offline_Uncorrectable 0x0010 200 200 000 Old_age Offline - 0
199 UDMA_CRC_Error_Count 0x003e 200 200 000 Old_age Always - 0
200 Multi_Zone_Error_Rate 0x0009 200 200 051 Pre-fail Offline - 0
SMART Error Log Version: 1
No Errors Logged
SMART Self-test log structure revision number 1
No self-tests have been logged. [To run self-tests, use: smartctl -t]
SMART Selective self-test log data structure revision number 1
SPAN MIN_LBA MAX_LBA CURRENT_TEST_STATUS
1 0 0 Not_testing
2 0 0 Not_testing
3 0 0 Not_testing
4 0 0 Not_testing
5 0 0 Not_testing
Selective self-test flags (0x0):
After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.

A note about RAID controllers

To look at ATA disks behind 3ware SCSI RAID controllers, use syntax such as:
# smartctl -a -d 3ware,2 /dev/sda
# smartctl -a -d 3ware,0 /dev/twe0
Extended self-test of a drive

To begin an extended self-test of a drive (/dev/sdb in the command below), issue the following command; you can do this on a running system. The results can be seen in the self-test log, visible with the '-l selftest' option, after the test has completed.
# smartctl -d ata -t long /dev/sdb
Sample Failing Hard Disk Detailed Report

# smartctl -a /dev/sda
Sample outputs:

smartctl version 5.38 [i686-pc-linux-gnu] Copyright (C) 2002-8 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
=== START OF INFORMATION SECTION ===
Device Model: ST31500341AS
Serial Number: 9VS0TG4B
Firmware Version: CC1H
User Capacity: 1,500,301,910,016 bytes
Device is: Not in smartctl database [for details use: -P showall]
ATA Version is: 8
ATA Standard is: ATA-8-ACS revision 4
Local Time is: Mon Oct 26 21:16:15 2009 IST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
See vendor-specific Attribute list for marginal Attributes.
General SMART Values:
Offline data collection status: (0x82) Offline data collection activity
was completed without error.
Auto Offline Data Collection: Enabled.
Self-test execution status: ( 0) The previous self-test routine completed
without error or no self-test has ever
been run.
Total time to complete Offline
data collection: ( 617) seconds.
Offline data collection
capabilities: (0x7b) SMART execute Offline immediate.
Auto Offline data collection on/off support.
Suspend Offline collection upon new
command.
Offline surface scan supported.
Self-test supported.
Conveyance Self-test supported.
Selective Self-test supported.
SMART capabilities: (0x0003) Saves SMART data before entering
power-saving mode.
Supports SMART auto save timer.
Error logging capability: (0x01) Error logging supported.
General Purpose Logging supported.
Short self-test routine
recommended polling time: ( 1) minutes.
Extended self-test routine
recommended polling time: ( 255) minutes.
Conveyance self-test routine
recommended polling time: ( 2) minutes.
SCT capabilities: (0x103f) SCT Status supported.
SCT Feature Control supported.
SCT Data Table supported.
SMART Attributes Data Structure revision number: 10
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
1 Raw_Read_Error_Rate 0x000f 098 092 006 Pre-fail Always - 238338845
3 Spin_Up_Time 0x0003 100 100 000 Pre-fail Always - 0
4 Start_Stop_Count 0x0032 100 100 020 Old_age Always - 587
5 Reallocated_Sector_Ct 0x0033 100 100 036 Pre-fail Always - 9
7 Seek_Error_Rate 0x000f 077 060 030 Pre-fail Always - 51672525
9 Power_On_Hours 0x0032 095 095 000 Old_age Always - 4806
10 Spin_Retry_Count 0x0013 100 100 097 Pre-fail Always - 0
12 Power_Cycle_Count 0x0032 100 100 020 Old_age Always - 586
184 Unknown_Attribute 0x0032 100 100 099 Old_age Always - 0
187 Reported_Uncorrect 0x0032 001 001 000 Old_age Always - 417
188 Unknown_Attribute 0x0032 100 099 000 Old_age Always - 4295032833
189 High_Fly_Writes 0x003a 094 094 000 Old_age Always - 6
190 Airflow_Temperature_Cel 0x0022 044 033 045 Old_age Always FAILING_NOW 56 (96 126 58 25)
194 Temperature_Celsius 0x0022 056 067 000 Old_age Always - 56 (0 23 0 0)
195 Hardware_ECC_Recovered 0x001a 043 026 000 Old_age Always - 238338845
197 Current_Pending_Sector 0x0012 100 100 000 Old_age Always - 49
198 Offline_Uncorrectable 0x0010 100 100 000 Old_age Offline - 49
199 UDMA_CRC_Error_Count 0x003e 200 200 000 Old_age Always - 0
240 Head_Flying_Hours 0x0000 100 253 000 Old_age Offline - 107168023974595
241 Unknown_Attribute 0x0000 100 253 000 Old_age Offline - 2155546480
242 Unknown_Attribute 0x0000 100 253 000 Old_age Offline - 3048590512
SMART Error Log Version: 1
ATA Error Count: 416 (device log contains only the most recent five errors)
CR = Command Register [HEX]
FR = Features Register [HEX]
SC = Sector Count Register [HEX]
SN = Sector Number Register [HEX]
CL = Cylinder Low Register [HEX]
CH = Cylinder High Register [HEX]
DH = Device/Head Register [HEX]
DC = Device Command Register [HEX]
ER = Error register [HEX]
ST = Status register [HEX]
Powered_Up_Time is measured from power on, and printed as
DDd+hh:mm:SS.sss where DD=days, hh=hours, mm=minutes,
SS=sec, and sss=millisec. It "wraps" after 49.710 days.
Error 416 occurred at disk power-on lifetime: 4786 hours (199 days + 10 hours)
When the command that caused the error occurred, the device was active or idle.
After command completion occurred, registers were:
ER ST SC SN CL CH DH
-- -- -- -- -- -- --
40 51 00 ff ff ff 0f Error: UNC at LBA = 0x0fffffff = 268435455
Commands leading to the command that caused the error were:
CR FR SC SN CL CH DH DC Powered_Up_Time Command/Feature_Name
-- -- -- -- -- -- -- -- ---------------- --------------------
25 00 08 ff ff ff ef 00 00:55:03.917 READ DMA EXT
27 00 00 00 00 00 e0 00 00:55:03.818 READ NATIVE MAX ADDRESS EXT
ec 00 00 00 00 00 a0 00 00:55:03.798 IDENTIFY DEVICE
ef 03 46 00 00 00 a0 00 00:55:03.779 SET FEATURES [Set transfer mode]
27 00 00 00 00 00 e0 00 00:55:03.658 READ NATIVE MAX ADDRESS EXT
Error 415 occurred at disk power-on lifetime: 4786 hours (199 days + 10 hours)
When the command that caused the error occurred, the device was active or idle.
After command completion occurred, registers were:
ER ST SC SN CL CH DH
-- -- -- -- -- -- --
40 51 00 ff ff ff 0f Error: UNC at LBA = 0x0fffffff = 268435455
Commands leading to the command that caused the error were:
CR FR SC SN CL CH DH DC Powered_Up_Time Command/Feature_Name
-- -- -- -- -- -- -- -- ---------------- --------------------
25 00 08 ff ff ff ef 00 00:55:00.927 READ DMA EXT
27 00 00 00 00 00 e0 00 00:55:00.837 READ NATIVE MAX ADDRESS EXT
ec 00 00 00 00 00 a0 00 00:55:00.817 IDENTIFY DEVICE
ef 03 46 00 00 00 a0 00 00:55:00.800 SET FEATURES [Set transfer mode]
27 00 00 00 00 00 e0 00 00:55:00.747 READ NATIVE MAX ADDRESS EXT
Error 414 occurred at disk power-on lifetime: 4786 hours (199 days + 10 hours)
When the command that caused the error occurred, the device was active or idle.
After command completion occurred, registers were:
ER ST SC SN CL CH DH
-- -- -- -- -- -- --
40 51 00 ff ff ff 0f Error: UNC at LBA = 0x0fffffff = 268435455
Commands leading to the command that caused the error were:
CR FR SC SN CL CH DH DC Powered_Up_Time Command/Feature_Name
-- -- -- -- -- -- -- -- ---------------- --------------------
25 00 08 ff ff ff ef 00 00:54:57.903 READ DMA EXT
27 00 00 00 00 00 e0 00 00:54:57.807 READ NATIVE MAX ADDRESS EXT
ec 00 00 00 00 00 a0 00 00:54:57.787 IDENTIFY DEVICE
ef 03 46 00 00 00 a0 00 00:54:57.757 SET FEATURES [Set transfer mode]
27 00 00 00 00 00 e0 00 00:54:57.637 READ NATIVE MAX ADDRESS EXT
Error 413 occurred at disk power-on lifetime: 4786 hours (199 days + 10 hours)
When the command that caused the error occurred, the device was active or idle.
After command completion occurred, registers were:
ER ST SC SN CL CH DH
-- -- -- -- -- -- --
40 51 00 ff ff ff 0f Error: UNC at LBA = 0x0fffffff = 268435455
Commands leading to the command that caused the error were:
CR FR SC SN CL CH DH DC Powered_Up_Time Command/Feature_Name
-- -- -- -- -- -- -- -- ---------------- --------------------
25 00 08 ff ff ff ef 00 00:54:54.862 READ DMA EXT
27 00 00 00 00 00 e0 00 00:54:54.767 READ NATIVE MAX ADDRESS EXT
ec 00 00 00 00 00 a0 00 00:54:54.746 IDENTIFY DEVICE
ef 03 46 00 00 00 a0 00 00:54:54.728 SET FEATURES [Set transfer mode]
27 00 00 00 00 00 e0 00 00:54:54.677 READ NATIVE MAX ADDRESS EXT
Error 412 occurred at disk power-on lifetime: 4786 hours (199 days + 10 hours)
When the command that caused the error occurred, the device was active or idle.
After command completion occurred, registers were:
ER ST SC SN CL CH DH
-- -- -- -- -- -- --
40 51 00 ff ff ff 0f Error: UNC at LBA = 0x0fffffff = 268435455
Commands leading to the command that caused the error were:
CR FR SC SN CL CH DH DC Powered_Up_Time Command/Feature_Name
-- -- -- -- -- -- -- -- ---------------- --------------------
25 00 08 ff ff ff ef 00 00:54:51.838 READ DMA EXT
27 00 00 00 00 00 e0 00 00:54:51.736 READ NATIVE MAX ADDRESS EXT
ec 00 00 00 00 00 a0 00 00:54:51.716 IDENTIFY DEVICE
ef 03 46 00 00 00 a0 00 00:54:51.685 SET FEATURES [Set transfer mode]
27 00 00 00 00 00 e0 00 00:54:51.566 READ NATIVE MAX ADDRESS EXT
SMART Self-test log structure revision number 1
Num Test_Description Status Remaining LifeTime(hours) LBA_of_first_error
# 1 Extended offline Completed: read failure 90% 4789 1746972641
SMART Selective self-test log data structure revision number 1
SPAN MIN_LBA MAX_LBA CURRENT_TEST_STATUS
1 0 0 Not_testing
2 0 0 Not_testing
3 0 0 Not_testing
4 0 0 Not_testing
5 0 0 Not_testing
Selective self-test flags (0x0):
After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.
Posted by SachinBhomale at 2/24/2012 01:52:00 AM 0 comments

WEDNESDAY, FEBRUARY 22, 2012
Mount Disk Partition Using LABEL
How do I mount the filesystem (disk partition) using the filesystem label on the ext3/ext4 file system located on USB disk or hard disk under Linux operating systems?

The e2label command displays or sets the filesystem label. The mount command has an option to mount the partition that carries the specified label. To see your current label, type the following command:

# e2label /dev/sdc1

Sample outputs:

seagate_2tb_usb

Syntax: Mount Command With Label

The syntax is as follows:


mount -L label_name_here /path/to/mount/point


To mount /dev/sdc1 using the seagate_2tb_usb label at /media/usb, enter:

# mkdir -p /media/usb
# mount -L seagate_2tb_usb /media/usb
# df -H

Sample outputs:

Filesystem Size Used Avail Use% Mounted on
/dev/md0 127G 902M 120G 1% /
tmpfs 1.1G 0 1.1G 0% /lib/init/rw
udev 1.1G 267k 1.1G 1% /dev
tmpfs 1.1G 0 1.1G 0% /dev/shm
/dev/md2 1.6T 81G 1.5T 6% /data
/dev/mapper/cryptvg-mybackup
635G 48G 555G 8% /securebackup
/dev/sdc1 2.0T 858G 1.1T 46% /media/usb

Please note that my actual device name is /dev/sdf1. Feel free to replace the actual label name and mount point as per your requirements.
Update /etc/fstab File

You can update the /etc/fstab file as follows to mount it automatically using the disk label:

LABEL=seagate_2tb_usb /media/usb ext3 defaults 0 0
Posted by SachinBhomale at 2/22/2012 03:36:00 AM 0 comments

Find Hidden Processes and Ports
Quick Tip: Find Hidden Processes and Ports [ Linux / Unix / Windows ]


Unhide is a handy little forensic tool for finding processes and TCP/UDP ports hidden by rootkits / LKMs or by other hiding techniques. The tool works under both Linux / Unix and MS-Windows operating systems. From the man page:

It detects hidden processes using three techniques:

The proc technique consists of comparing /proc with the output of /bin/ps.
The sys technique consists of comparing information gathered from /bin/ps with information gathered from system calls.
The brute technique consists of brute-forcing all process IDs. This technique is only available on Linux 2.6 kernels.


Most rootkits use the power of the kernel to hide themselves; they are only visible from within the kernel. You can use unhide or a tool such as rkhunter to scan for rootkits, backdoors and possible local exploits.
How do I Install Unhide?

It is recommended that you run this tool from read-only media. To install it under Debian or Ubuntu Linux, enter:
# apt-get install unhide
Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
rkhunter
The following NEW packages will be installed:
unhide
0 upgraded, 1 newly installed, 0 to remove and 6 not upgraded.
Need to get 822 kB of archives.
After this operation, 1,872 kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org/debian/ squeeze/main unhide amd64 20100201-1 [822 kB]
Fetched 822 kB in 5s (162 kB/s)
Selecting previously deselected package unhide.
(Reading database ... 166644 files and directories currently installed.)
Unpacking unhide (from .../unhide_20100201-1_amd64.deb) ...
Processing triggers for man-db ...
Setting up unhide (20100201-1) ...

FreeBSD: Install unhide

To install from the ports tree, enter:
# cd /usr/ports/security/unhide/
# make install clean
OR, to install the binary package, enter:
# pkg_add -r unhide
unhide-tcp is a forensic tool that identifies TCP/UDP ports that are listening but are not listed in /bin/netstat through brute forcing of all TCP/UDP ports available.
How Do I Use This Tool?

You can use it as follows:
# unhide-posix proc
# unhide-posix sys
OR
# unhide-linux26 proc
# unhide-linux26 sys
# unhide-linux26 brute
Sample outputs:

Unhide 20100201
http://www.securitytests.com/?Unhide
[*]Searching for Hidden processes through kill(..,0) scanning
[*]Searching for Hidden processes through comparison of results of system calls
[*]Searching for Hidden processes through getpriority() scanning
[*]Searching for Hidden processes through getpgid() scanning
[*]Searching for Hidden processes through getsid() scanning
[*]Searching for Hidden processes through sched_getaffinity() scanning
[*]Searching for Hidden processes through sched_getparam() scanning
[*]Searching for Hidden processes through sched_getscheduler() scanning
[*]Searching for Hidden processes through sched_rr_get_interval() scanning
[*]Searching for Hidden processes through sysinfo() scanning
HIDDEN Processes Found: 1

( 1 hidden process found using the unhide-linux26 sys command)

# unhide-tcp
Sample outputs:

Unhide 20100201
http://www.securitytests.com/?Unhide
Starting TCP checking
Starting UDP checking

( No hidden ports found using the unhide-tcp command)

However, I found something interesting:
# unhide-tcp
Sample outputs:

Unhide 20100201
http://www.securitytests.com/?Unhide
Starting TCP checking
Found Hidden port that not appears in netstat: 1048
Found Hidden port that not appears in netstat: 1049
Found Hidden port that not appears in netstat: 1050
Starting UDP checking

(Found hidden ports using the unhide-tcp command)

The netstat -tulpn or ss commands displayed nothing about the hidden TCP ports # 1048, 1049, and 1050:


# netstat -tulpn | grep 1048
# ss -lp
# ss -l | grep 1048
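The bind-probe idea behind unhide-tcp, as an added Python example (not the unhide project's code): every candidate port is bound; a port the kernel refuses with EADDRINUSE is in use, and if `ss` does not list it, something is hiding it. It assumes iproute2's `ss -ltn` / `ss -lun` column layout and the Linux rule that SO_REUSEADDR never lets you bind over a socket in LISTEN state; `open_reference_listener` is a helper added only so the probe can be checked against a socket we know exists.

```python
import errno
import socket
import subprocess


def listed_ports(ss_output):
    """Ports in the Local Address:Port column of `ss -ltn` / `ss -lun`.
    Handles '0.0.0.0:22', '[::]:22' and '*:80', and skips the header line."""
    ports = set()
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "State":
            continue
        _addr, _sep, port = parts[3].rpartition(":")
        if port.isdigit():
            ports.add(int(port))
    return ports


def ports_from_ss(proto="tcp"):
    """Ask ss(8) for listening sockets; empty set if ss is unavailable."""
    flag = "-ltn" if proto == "tcp" else "-lun"
    try:
        out = subprocess.run(["ss", flag], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return set()
    return listed_ports(out)


def port_in_use(port, proto="tcp"):
    """Bind probe.  True when the kernel answers EADDRINUSE, False when the
    bind succeeded (nothing is there), None when we lack privilege to test
    (ports below 1024 as non-root).  SO_REUSEADDR stops leftover TIME_WAIT
    sockets from causing false positives; Linux still refuses the bind when
    a LISTEN socket holds the port, which is the case we want to detect.
    A UDP daemon that itself set SO_REUSEADDR would be missed."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind(("0.0.0.0", port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            if exc.errno == errno.EACCES:
                return None
            raise
    return False


def hidden_ports(listed, candidates, proto="tcp"):
    """Ports the kernel reports as in use that are absent from `listed`."""
    return [p for p in candidates
            if p not in listed and port_in_use(p, proto) is True]


def open_reference_listener():
    """Open a TCP listener on an ephemeral loopback port so the probe can be
    checked against a socket we know exists.  Returns (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        print(f"Starting {proto.upper()} checking")
        for p in hidden_ports(ports_from_ss(proto), range(1, 65536), proto):
            print(f"Found hidden {proto} port that does not appear in ss: {p}")
```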
Posted by SachinBhomale at 2/22/2012 03:06:00 AM 0 comments

TUESDAY, FEBRUARY 21, 2012
Linux define the runlevel
How do I define the Linux system runlevel? How do I determine which runlevel my system is currently in?

A. Use the runlevel command to find the current and previous system runlevel. Usually runlevels 0-6 are used by all Linux distributions:

=> 0 : Halt the system

=> 1 : Single-user mode (good for Linux system maintenance)

=> 2 : User-defined; distributions such as Debian use it

=> 3 : Full multi-user mode (text-mode login)

=> 4 : Not used / user-defined

=> 5 : Full multi-user mode with GUI login

=> 6 : Reboot the system

Please note that runlevels 0, 1, and 6 are reserved. Runlevel 0 is used to halt the system, runlevel 6 is used to reboot the system, and runlevel 1 is used to get the system down into single user mode.
Task: Determine which runlevel my system is currently in

Type runlevel command:
$ runlevel

Output:

N 3

runlevel command reads the system utmp file (typically /var/run/utmp) to locate the runlevel record, and then prints the previous and current system runlevel on its standard output, separated by a single space. If there is no previous system runlevel, the letter N will be printed instead.
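How that lookup works, as an added Python example rather than the runlevel program's own source: the utmp file is a sequence of fixed-size records, and the RUN_LVL record carries the current runlevel in the low byte of ut_pid and the previous one in the next byte. It assumes the glibc struct utmp layout on x86-64 Linux (384 bytes per record, little-endian) and the sysvinit encoding of ut_pid; `make_run_lvl_record` is a helper added to build test input.

```python
import struct

RUN_LVL = 1                    # ut_type of a runlevel-change record
UTMP_FILE = "/var/run/utmp"
# glibc struct utmp on x86-64 Linux: ut_type, pad, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts), ut_session,
# ut_tv (2 x int32), ut_addr_v6[4], 20 unused bytes = 384 bytes.
_REC = struct.Struct("<hxxi32s4s32s256shhiii4i20x")


def iter_records(data):
    """Yield (ut_type, ut_pid, ut_user) for each complete record in data."""
    for off in range(0, len(data) - _REC.size + 1, _REC.size):
        ut_type, ut_pid, _line, _id, ut_user, *_rest = _REC.unpack_from(data, off)
        user = ut_user.split(b"\0", 1)[0].decode("ascii", "replace")
        yield ut_type, ut_pid, user


def runlevel_from_utmp(data):
    """Return (previous, current) as runlevel(8) prints them, or None when
    the file holds no RUN_LVL record.  The last record wins, which is also
    what init relies on when it rewrites the slot on every level change."""
    result = None
    for ut_type, ut_pid, _user in iter_records(data):
        if ut_type == RUN_LVL:
            prev, curr = divmod(ut_pid, 256)
            result = ("N" if prev == 0 else chr(prev), chr(curr))
    return result


def make_run_lvl_record(current, previous=None):
    """Encode a RUN_LVL record the way sysvinit's init writes it: ut_line "~",
    ut_id "~~", ut_user "runlevel", ut_pid = current + 256 * previous
    (helper for constructing test input)."""
    pid = ord(current) + 256 * (ord(previous) if previous else 0)
    return _REC.pack(RUN_LVL, pid, b"~", b"~~", b"runlevel", b"",
                     0, 0, 0, 0, 0, 0, 0, 0, 0)


def current_runlevel(path=UTMP_FILE):
    """Read the live utmp file and report the runlevel pair."""
    with open(path, "rb") as fh:
        return runlevel_from_utmp(fh.read())


if __name__ == "__main__":
    levels = current_runlevel()
    print("unknown" if levels is None else " ".join(levels))
```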
Task: Change runlevel

Use init command to change the runlevel. For example runlevel 1 is used to get the system down into single user mode:
# init 2
Posted by SachinBhomale at 2/21/2012 06:17:00 AM 0 comments

FRIDAY, FEBRUARY 17, 2012
VSFTPD FTP Server Configuration CentOS/Red Hat

vsftpd (Very Secure FTP Daemon) is an FTP server for UNIX-like systems, including CentOS / RHEL / Fedora and other Linux distributions. It supports IPv6, SSL, locking users to their home directories and many other advanced features.

In this guide you will learn:

Setup vsftpd to Provide FTP Service.
Configure vsftpd.
Configure Firewalls to Protect the FTP Server.
Configure vsftpd with SSL/TLS.
Setup vsftpd as Download Only Anonymous Internet Server.
Setup vsftpd With Virtual Users and Much More.


vsftpd offers security, performance and stability over other servers. A quick list of vsftpd features:

Virtual IP configurations
Virtual users
Run as standalone or inetd / xinetd operation
Per-user configuration
Bandwidth throttling
Per-source-IP configurability
Per-source-IP limits
IPv6 ready
Encryption support through SSL integration
And much more.

Install Vsftpd FTP Server
Install the vsftpd package via yum command:


# yum install vsftpd

Vsftpd Defaults
Default port: TCP / UDP - 21 and 20
The main configuration file: /etc/vsftpd/vsftpd.conf
Users that are not allowed to login via ftp: /etc/vsftpd/ftpusers

Configure Vsftpd Server
Open the configuration file, type:
# vi /etc/vsftpd/vsftpd.conf
Turn off standard ftpd xferlog log format:

xferlog_std_format=NO
Turn on verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log:

log_ftp_protocol=YES
The above two directives enable logging of all FTP transactions. Lock down users to their home directories:

chroot_local_user=YES
Create warning banners for all FTP users:

banner_file=/etc/vsftpd/issue
Create /etc/vsftpd/issue file with a message compliant with the local site policy or a legal disclaimer:

NOTICE TO USERS Use of this system constitutes consent to security monitoring and testing. All activity is logged with your host name and IP address.
Turn On Vsftpd Service
Turn on vsftpd on boot:
# chkconfig vsftpd on
Start the service:
# service vsftpd start
# netstat -tulpn | grep :21

Configure Iptables To Protect The FTP Server
Open file /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables
Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT:

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
Open file /etc/sysconfig/iptables-config, enter:
# vi /etc/sysconfig/iptables-config
Ensure that the space-separated list of modules contains the FTP connection tracking module:

IPTABLES_MODULES="ip_conntrack_ftp"
Save and close the file. Restart firewall:
# service iptables restart

Tip: View FTP Log File
Type the following command:
# tail -f /var/log/vsftpd.log
Sample output:

Thu May 21 11:40:31 2009 [pid 42298] FTP response: Client "10.1.3.108", "530 Please login with USER and PASS."
Thu May 21 11:40:36 2009 [pid 42298] FTP command: Client "10.1.3.108", "USER sachin"
Thu May 21 11:40:36 2009 [pid 42298] [sachin] FTP response: Client "10.1.3.108", "331 Please specify the password."
Thu May 21 11:40:38 2009 [pid 42298] [sachin] FTP command: Client "10.1.3.108", "PASS "
Thu May 21 11:40:38 2009 [pid 42297] [sachin] OK LOGIN: Client "10.1.3.108"
Thu May 21 11:40:38 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "230 Login successful."
Thu May 21 11:40:38 2009 [pid 42299] [sachin] FTP command: Client "10.1.3.108", "SYST"
Thu May 21 11:40:38 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "215 UNIX Type: L8"
Thu May 21 11:40:39 2009 [pid 42299] [sachin] FTP command: Client "10.1.3.108", "PORT 10,1,3,108,162,253"
Thu May 21 11:40:39 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "200 PORT command successful. Consider using PASV."
Thu May 21 11:41:05 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "150 Ok to send data."
Thu May 21 11:41:06 2009 [pid 42299] [sachin] OK UPLOAD: Client "10.1.3.108", "/windows-7-too-many-programs.png", 8957 bytes, 6.70Kbyte/sec
Thu May 21 11:41:06 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "226 File receive OK."
Thu May 21 11:41:10 2009 [pid 42299] [sachin] FTP command: Client "10.1.3.108", "TYPE A"
Thu May 21 11:41:10 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "200 Switching to ASCII mode."
Thu May 21 11:41:11 2009 [pid 42299] [sachin] FTP command: Client "10.1.3.108", "PORT 10,1,3,108,217,96"
Thu May 21 11:41:11 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "200 PORT command successful. Consider using PASV."
Thu May 21 11:41:11 2009 [pid 42299] [sachin] FTP command: Client "10.1.3.108", "LIST"
Thu May 21 11:41:11 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "150 Here comes the directory listing."
Thu May 21 11:41:11 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "226 Directory send OK."
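A parser and a small detection pass over this log format, as an added Python example (not vsftpd's own tooling): it turns each line into an event, counts failed and successful logins per client, records uploads with their sizes, and flags clients that fail to log in repeatedly. The sample lines reuse the entries shown above; the FAIL LOGIN lines are constructed to cover the failed-login case the post's sample does not include, written in the form vsftpd uses for that event. Note that vsftpd logs "PASS " with the password removed, so the parser never sees credentials.

```python
import re
from collections import Counter

# One line of /var/log/vsftpd.log with log_ftp_protocol=YES, e.g.
#   Thu May 21 11:40:38 2009 [pid 42297] [sachin] OK LOGIN: Client "10.1.3.108"
_LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) '
    r'\[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]*)\] )?'          # user tag appears once USER was sent
    r'(?P<event>[A-Za-z]+ [A-Za-z]+): Client "(?P<client>[^"]+)"'
    r'(?:, "(?P<detail>[^"]*)")?'          # command text, response or path
    r'(?P<rest>.*)$'                       # e.g. ', 8957 bytes, 6.70Kbyte/sec'
)
_BYTES = re.compile(r"(\d+) bytes")


def parse_line(line):
    """Return the event as a dict, or None for a line in another format."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["bytes"] = None
    if ev["event"] in ("OK UPLOAD", "OK DOWNLOAD"):
        mb = _BYTES.search(ev["rest"])
        ev["bytes"] = int(mb.group(1)) if mb else None
    return ev


def summarize(lines):
    """Aggregate what a defender looks for: failed logins per client,
    successful logins per (client, user) and every upload with its size."""
    failed, logins, uploads = Counter(), Counter(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "FAIL LOGIN":
            failed[ev["client"]] += 1
        elif ev["event"] == "OK LOGIN":
            logins[(ev["client"], ev["user"])] += 1
        elif ev["event"] == "OK UPLOAD":
            uploads.append((ev["user"], ev["client"], ev["detail"], ev["bytes"]))
    return {"failed_logins": failed, "logins": logins, "uploads": uploads}


def brute_force_suspects(lines, threshold=5):
    """Clients with at least `threshold` FAIL LOGIN records."""
    failed = summarize(lines)["failed_logins"]
    return sorted(client for client, n in failed.items() if n >= threshold)


# Constructed sample: the post's own lines plus three FAIL LOGIN lines.
SAMPLE = """\
Thu May 21 11:40:36 2009 [pid 42298] FTP command: Client "10.1.3.108", "USER sachin"
Thu May 21 11:40:38 2009 [pid 42298] [sachin] FTP command: Client "10.1.3.108", "PASS "
Thu May 21 11:40:38 2009 [pid 42297] [sachin] OK LOGIN: Client "10.1.3.108"
Thu May 21 11:41:06 2009 [pid 42299] [sachin] OK UPLOAD: Client "10.1.3.108", "/windows-7-too-many-programs.png", 8957 bytes, 6.70Kbyte/sec
Thu May 21 11:50:01 2009 [pid 42310] [admin] FAIL LOGIN: Client "198.51.100.9"
Thu May 21 11:50:02 2009 [pid 42311] [root] FAIL LOGIN: Client "198.51.100.9"
Thu May 21 11:50:03 2009 [pid 42312] [test] FAIL LOGIN: Client "198.51.100.9"
""".splitlines()


if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("failed logins:", dict(report["failed_logins"]))
    print("uploads:", report["uploads"])
    print("suspects (3+ failures):", brute_force_suspects(SAMPLE, threshold=3))
```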
Tip: Restrict Access to Anonymous User Only
Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

local_enable=NO
Tip: Disable FTP Uploads
Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

write_enable=NO
Security Tip: Place the FTP Directory on its Own Partition
Keeping operating-system files separate from FTP users' files gives a more robust and secure system, and it makes it possible to restrict the growth of that file system. For example, use a /ftp partition to store all FTP home directories and mount it with the nosuid, nodev and noexec options. A sample /etc/fstab entry:

/dev/sda5  /ftp          ext3    defaults,nosuid,nodev,noexec,usrquota 1 2
Disk quotas must be enabled to prevent users from filling a disk used by FTP upload services. Edit the vsftpd configuration file and add or correct the following option, which sets the directory vsftpd changes into after an anonymous login:
anon_root=/ftp/ftp/pub

Switch to root and turn on the SELinux boolean that lets vsftpd access users' home directories:
$ su -
# getsebool -a | grep ftp
# setsebool -P ftp_home_dir on
# getsebool -a | grep ftp
My result:
[root@kiriyamablevins ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
httpd_enable_ftp_server --> off
[root@kiriyamablevins ~]#

Linux Create An FTP User Account
Now your FTP server is up and running. It is time to add users so that they can log in to their accounts to upload / download files. To add a user called tom and set the password, enter:


# adduser -c 'FTP USER sachin' -m sachin

# usermod -d /var/www/html/test.com/ sachin

# passwd sachin


Now tom can log in to our FTP server. Make sure the following is set in vsftpd.conf:

local_enable=YES
Restart vsftpd:
# service vsftpd restart

Posted by SachinBhomale at 2/17/2012 04:01:00 AM 0 comments

Linux Change User Home Directory
Default values for account creation are defined in the /etc/default/useradd file under CentOS / RHEL / Fedora / Debian / Ubuntu and other Linux distros. Simply open this file with a text editor:

# vi /etc/default/useradd

The default home directory is defined by the HOME variable; find the line that reads as follows:

HOME=/home

Replace with:

HOME=/iscsi/user

Save and close the file. Now you can add user using regular useradd command:

# useradd sachin
# passwd sachin
Verify user information:

# finger sachin

Output:
Login: sachin                              Name: sachin
Directory: /iscsi/user/sachin                Shell: /bin/bash
Last login Thu Jan 13 01:58 2012 (IST) on pts/1 from 192.168.0.1
No mail.
No Plan.


OR

# usermod -d /var/www/html/test.com/ test1
# passwd test1


Posted by SachinBhomale at 2/17/2012 03:56:00 AM 0 comments

FRIDAY, FEBRUARY 10, 2012
Setup Iptable Rules
Linux comes with a host-based firewall called Netfilter, managed with the iptables command. Here are some examples.



IPTABLES Rules Example 


Most of the actions listed in this post are written with the assumption that they will be executed by the root user running bash or any other modern shell. Be careful when typing these commands on a remote system: flushing the rules or setting a DROP default policy can cut off your own access.
For demonstration purposes I've used RHEL 6.x, but the following commands should work with any modern Linux distro.
This is NOT a tutorial on how to set up iptables.
#1: Displaying the Status of Your Firewall
Type the following command as root:
# iptables -L -n -v
Sample outputs:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Above output indicates that the firewall is not active. The following sample shows an active firewall:
# iptables -L -n -v
Sample outputs:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  394 43586 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   93 17292 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    1   142 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    0     0 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 425 packets, 113K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain wanin (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain wanout (1 references)
 pkts bytes target     prot opt in     out     source               destination
Where,

-L : List rules.
-v : Display detailed information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
-n : Display IP address and port in numeric format. Do not use DNS to resolve names. This will speed up listing.
#1.1: To inspect firewall with line numbers, enter:
# iptables -n -L -v --line-numbers
Sample outputs:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
3    TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5    wanin      all  --  0.0.0.0/0            0.0.0.0/0
6    wanout     all  --  0.0.0.0/0            0.0.0.0/0
7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain wanin (1 references)
num  target     prot opt source               destination

Chain wanout (1 references)
num  target     prot opt source               destination
You can use line numbers to delete or insert new rules into the firewall.

#1.2: To display INPUT or OUTPUT chain rules, enter:
# iptables -L INPUT -n -v
# iptables -L OUTPUT -n -v --line-numbers

#2: Stop / Start / Restart the Firewall
If you are using CentOS / RHEL / Fedora Linux, enter:
# service iptables stop
# service iptables start
# service iptables restart
You can use the iptables command itself to stop the firewall and delete all rules:
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
Where,

-F : Deleting (flushing) all the rules.
-X : Delete chain.
-t table_name : Select table (called nat or mangle) and delete/flush rules.
-P : Set the default policy (such as DROP, REJECT, or ACCEPT).
#3: Delete Firewall Rules
To display line number along with other information for existing rules, enter:
# iptables -L INPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers | less
# iptables -L OUTPUT -n --line-numbers | grep 202.54.1.0
You will get the list of rules with their line numbers. Note the number on the left, then use it to delete the rule. For example, to delete rule number 4, enter:
# iptables -D INPUT 4
OR find the rule for source IP 202.54.1.1 and delete it:
# iptables -D INPUT -s 202.54.1.0 -j DROP
Where,

-D : Delete one or more rules from the selected chain
#4: Insert Firewall Rules
To insert one or more rules into the selected chain at a given rule number, use the following syntax. First find out the line numbers, enter:
# iptables -L INPUT -n --line-numbers
Sample outputs:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  202.54.1.1           0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED
To insert rule between 1 and 2, enter:
# iptables -I INPUT 2 -s 202.54.1.2 -j DROP
To view updated rules, enter:
# iptables -L INPUT -n --line-numbers
Sample outputs:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  202.54.1.1           0.0.0.0/0
2    DROP       all  --  202.54.1.2           0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED
#5: Save Firewall Rules
To save firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables save
In this example, drop an IP and save firewall rules:
# iptables -A INPUT -s 202.5.4.1 -j DROP
# service iptables save
For all other distros use the iptables-save command:
# iptables-save > /root/my.active.firewall.rules
# cat /root/my.active.firewall.rules

#6: Restore Firewall Rules
To restore firewall rules from a file called /root/my.active.firewall.rules, enter:
# iptables-restore < /root/my.active.firewall.rules
To restore firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables restart

#7: Set the Default Firewall Policies
To drop all traffic:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# iptables -L -v -n
#### you will not be able to connect anywhere as all traffic is dropped ###
# ping cyberciti.biz
# wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

#7.1: Only Block Incoming Traffic
To drop all incoming / forwarded packets, but allow outgoing traffic, enter:
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -L -v -n
### *** now ping and wget should work *** ###
# ping cyberciti.biz
# wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

#8:Drop Private Network Address On Public Interface
Packets that arrive on a public interface with a source address from one of the private (non-routable) IPv4 ranges listed below are spoofed, since no legitimate Internet host can have such a source address. Reject them using the following syntax:
# iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

#8.1: IPv4 Address Ranges For Private Networks (make sure you block them on public interface)
10.0.0.0/8 (A)
172.16.0.0/12 (B)
192.168.0.0/16 (C)
224.0.0.0/4 (MULTICAST D)
240.0.0.0/5 (E)
127.0.0.0/8 (LOOPBACK)
#9: Blocking an IP Address (BLOCK IP)
To block an attacker's IP address, say 1.2.3.4, enter:
# iptables -A INPUT -s 1.2.3.4 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -j DROP

#10: Block Incoming Port Requests (BLOCK PORT)
To block all service requests on port 80, enter:
# iptables -A INPUT -p tcp --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

To block port 80 only for an ip address 1.2.3.4, enter:
# iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

#11: Block Outgoing IP Address
To block outgoing traffic to a particular host or domain such as linuxadmin.co.in enter:
# host -t a linuxadmin.co.in
Sample outputs:

linuxadmin.co.in has address 202.52.134.110
Note down its ip address and type the following to block all outgoing traffic to

202.52.134.110
# iptables -A OUTPUT -d 202.52.134.110 -j DROP
You can use a subnet as follows:
# iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
# iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP

#11.1: Example - Block Facebook.com Domain
First, find out all ip address of facebook.com, enter:
# host -t a www.facebook.com
Sample outputs:

www.facebook.com has address 69.171.228.40
Find CIDR for 69.171.228.40, enter:
# whois 69.171.228.40 | grep CIDR
Sample outputs:

CIDR:           69.171.224.0/19
To prevent outgoing access to www.facebook.com, enter:
# iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP
You can also use domain name, enter:
# iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
# iptables -A OUTPUT -p tcp -d facebook.com -j DROP

From the iptables man page:

... specifying any name to be resolved with a remote query such as DNS (e.g., facebook.com is a really bad idea), a network IP address (with /mask), or a plain IP address ...

#12: Log and Drop Packets
Type the following to log and block IP spoofing on the public interface called eth1:
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
By default everything is logged to /var/log/messages file.
# tail -f /var/log/messages
# grep --color 'IP_SPOOF' /var/log/messages

#13: Log and Drop Packets with Limited Number of Log Entries
The -m limit module caps the number of log entries created per unit of time, which stops an attacker from flooding your log file. To log and drop spoofed packets at most 5 times per minute, with bursts of up to 7 entries, enter:
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
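The ranges from #8.1 and the rate-limited LOG-then-DROP pairs of #12 and #13, as an added Python example (not from the original post): it classifies a source address against those ranges, generates the rule pairs for the post's example public interface eth1, and parses the resulting kernel LOG lines out of /var/log/messages to count spoofed packets per source. The sample log lines are constructed; the IN=/SRC=/DST=/PROTO=/DPT= key=value layout is the netfilter LOG target's standard output format.

```python
import ipaddress
import re
from collections import Counter

# Ranges exactly as listed under #8.1, keyed by the post's class label
# (the full class E block is 240.0.0.0/4; /5 is what the post lists).
BOGON_RANGES = {
    "A": "10.0.0.0/8",
    "B": "172.16.0.0/12",
    "C": "192.168.0.0/16",
    "D": "224.0.0.0/4",      # multicast
    "E": "240.0.0.0/5",
    "LOOPBACK": "127.0.0.0/8",
}
_NETS = {label: ipaddress.ip_network(cidr) for label, cidr in BOGON_RANGES.items()}


def spoofed_source(ip):
    """Label of the non-routable range `ip` falls in, or None for a source
    that could legitimately arrive on a public interface."""
    addr = ipaddress.ip_address(ip)
    for label, net in _NETS.items():
        if addr in net:
            return label
    return None


def antispoof_rules(iface="eth1", limit="5/m", burst=7):
    """LOG-then-DROP pairs (#12, rate-limited as in #13) for every range.
    Order matters: LOG must precede DROP, and both must come before any
    ACCEPT rule that could match the same packets."""
    rules = []
    for label, cidr in BOGON_RANGES.items():
        base = f"iptables -A INPUT -i {iface} -s {cidr}"
        rules.append(f"{base} -m limit --limit {limit} --limit-burst {burst} "
                     f'-j LOG --log-prefix "IP_SPOOF {label}: "')
        rules.append(f"{base} -j DROP")
    return rules


# A kernel LOG line as syslog writes it to /var/log/messages.
_PREFIX = re.compile(r"IP_SPOOF (?P<range>\S+): (?P<fields>.*)$")
_KV = re.compile(r"(\w+)=(\S*)")


def parse_spoof_log(line):
    """Extract range label, interface, addresses, protocol and destination
    port from one logged packet; None for lines without our prefix."""
    m = _PREFIX.search(line)
    if not m:
        return None
    f = dict(_KV.findall(m.group("fields")))
    return {"range": m.group("range"), "in": f.get("IN"), "src": f.get("SRC"),
            "dst": f.get("DST"), "proto": f.get("PROTO"), "dpt": f.get("DPT")}


def spoof_summary(lines):
    """Count logged packets per (source address, range label)."""
    counts = Counter()
    for line in lines:
        ev = parse_spoof_log(line)
        if ev is not None and ev["src"] is not None:
            counts[(ev["src"], ev["range"])] += 1
    return counts


# Constructed sample of /var/log/messages: two TCP SYNs and one ICMP echo
# with private source addresses, plus an unrelated sshd line.
_MAC = "MAC=00:16:3e:aa:bb:cc:00:11:22:33:44:55:08:00"
SAMPLE_LOG = [
    f"Feb 10 09:12:01 fw kernel: IP_SPOOF A: IN=eth1 OUT= {_MAC} SRC=10.0.0.5 "
    "DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4321 DF PROTO=TCP "
    "SPT=41000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    f"Feb 10 09:12:02 fw kernel: IP_SPOOF A: IN=eth1 OUT= {_MAC} SRC=10.0.0.5 "
    "DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4322 DF PROTO=TCP "
    "SPT=41001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    f"Feb 10 09:12:05 fw kernel: IP_SPOOF C: IN=eth1 OUT= {_MAC} SRC=192.168.5.9 "
    "DST=203.0.113.7 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=99 PROTO=ICMP TYPE=8 "
    "CODE=0 ID=1 SEQ=1",
    "Feb 10 09:12:06 fw sshd[1234]: Accepted publickey for admin from 198.51.100.4 port 50022",
]


if __name__ == "__main__":
    print("\n".join(antispoof_rules()))
    for (src, rng), n in sorted(spoof_summary(SAMPLE_LOG).items()):
        print(f"{src} ({rng}): {n} packet(s) dropped")
```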

#14: Drop or Accept Traffic From Mac Address
Use the following syntax:
# iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
## *only accept traffic for TCP port # 22 from mac 00:0F:EA:91:04:07 * ##
# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

#15: Block or Allow ICMP Ping Request
Type the following command to block ICMP ping requests:
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
Ping responses can also be limited to certain networks or hosts:
# iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
The following only accepts limited type of ICMP requests:
### ** assumed that default INPUT policy set to DROP ** #############
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
## ** allow our server to respond to pings ** ##
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#16: Open Range of Ports
Use the following syntax to open a range of ports:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

#17: Open Range of IP Addresses
Use the following syntax to open a range of IP address:
## only accept connection to tcp port 80 (Apache) if ip is between 192.168.1.100 and 192.168.1.200 ##
iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

## nat example ##
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.20-192.168.1.25

#17: Established Connections and Restarting The Firewall
When you restart the iptables service it drops established connections, because it unloads the connection-tracking modules from the system under RHEL / Fedora / CentOS Linux. Edit /etc/sysconfig/iptables-config and set IPTABLES_MODULES_UNLOAD as follows:

IPTABLES_MODULES_UNLOAD=no
#18: Help! Iptables Is Flooding My Server Console
Use the crit log level to send messages to a log file instead of the console:
iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level crit

#20: Block or Open Common Ports
The following shows syntax for opening and closing common TCP and UDP ports. Replace ACCEPT with DROP to block a port (with a default INPUT policy of DROP, simply not opening the port has the same effect):

## open ssh tcp port 22, either to all or only to the LAN ##
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT

## open cups (printing service) udp/tcp port 631 for LAN users ##
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT

## allow time sync via NTP for lan users (open udp port 123) ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

## open tcp port 25 (smtp) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

## open dns server ports for all ##
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

## open http/https (Apache) server ports to all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

## open tcp port 110 (pop3) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

## open tcp port 143 (imap) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

## open access to Samba file server for lan users only ##
## (NetBIOS name and datagram services are UDP 137/138; the session service and SMB are TCP 139/445) ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

## open access to proxy server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT

## open access to mysql server for lan users only (without the -s restriction the port is open to everyone) ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT
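The rules above are appended one at a time, which leaves a window with a half-built firewall and produces duplicate rules when the script is run twice, and, as the section on restarting the firewall notes, a service restart reloads them by flushing everything. An atomic alternative, added here as an example and not code from the original post, is to generate the whole table from a short service list and load it with iptables-restore, which replaces the ruleset in one transaction and does not touch the connection tracking table. Assumed, not taken from the page: a LAN of 192.168.1.0/24 (overridable by the first argument), -m conntrack --ctstate as the modern equivalent of -m state --state, a per-client-IP ssh connection limit of 3, and rate-limited logging of whatever the policy drops.

```shell
#!/bin/sh
# Added example (not from the original post): generate a complete iptables
# ruleset in iptables-restore format from a short service list.
# Assumptions: LAN 192.168.1.0/24 (override via first argument), conntrack
# match instead of the older -m state, ssh limited to 3 connections per client.

# service table, one entry per line: proto port scope (all | lan)
SERVICES='
tcp 22   lan
tcp 25   all
udp 53   all
tcp 53   all
tcp 80   all
tcp 443  all
udp 137  lan
udp 138  lan
tcp 139  lan
tcp 445  lan
tcp 3128 lan
tcp 3306 lan
'

# Print the ruleset on stdout; pipe it into iptables-restore to apply it.
gen_ruleset() {
    lan=${1:-192.168.1.0/24}
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # replies, and ICMP errors, for connections we already know about
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # answer pings, but not faster than 5 per second
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    # at most 3 concurrent ssh connections per client address (mask 32 = per IP);
    # must come before the ACCEPT for port 22 or it is never reached
    echo '-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 --connlimit-mask 32 -j REJECT'
    echo "$SERVICES" | while read -r proto port scope; do
        [ -z "$proto" ] && continue
        case $scope in
            lan) src="-s $lan " ;;
            all) src="" ;;
            *)   echo "unknown scope '$scope' for $proto/$port, skipping" >&2; continue ;;
        esac
        echo "-A INPUT ${src}-p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # log what the policy is about to drop, rate-limited so it cannot flood
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level warning'
    echo 'COMMIT'
}

# Typical use (needs root):
#   gen_ruleset 10.0.0.0/24 | iptables-restore
#   iptables-save > /etc/sysconfig/iptables     # persist on RHEL / CentOS
```

Because iptables-restore swaps the whole table in one step, re-running the generator is idempotent and never leaves the host half-protected; keep the generated file under version control and diff it before loading.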
#21: Restrict the Number of Parallel Connections To a Server Per Client IP
You can use the connlimit module to put such restrictions in place. To allow at most 3 ssh connections per client host, enter:
# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

Limit HTTP to 20 connections per /24 source network:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
Where,

--connlimit-above 3 : Match if the number of existing connections from the same source is above 3, so the 4th SYN is rejected.
--connlimit-mask 24 : Group source hosts by prefix length before counting. For IPv4 this is a number between 0 and 32 inclusive; the default is 32, one counter per client IP, whereas 24 shares one counter across the whole /24, so all hosts behind it together get 20 connections.
Put these rules before the ACCEPT rule for the port (or use -I instead of -A); appended after an ACCEPT they are never reached.
#22: HowTO: Use iptables Like a Pro
For more information about iptables, please see the manual page by typing man iptables from the command line:
$ man iptables
You can see the help using the following syntax too:
# iptables -h
To see help with specific commands and targets, enter:
# iptables -j DROP -h

#22.1: Testing Your Firewall
First find out which ports actually have a listener (this shows sockets, not firewall rules), enter:
# netstat -tulpn
Find out if tcp port 80 has a listener, enter:
# netstat -tulpn | grep :80
If nothing is listening on port 80, start Apache, enter:
# service httpd start
Make sure iptables is allowing access to port 80 (match the port field rather than a bare 80, which also hits packet counters and ports such as 8080):
# iptables -L INPUT -v -n | grep -w 'dpt:80'
Otherwise open port 80 using iptables for all users, and save the rules so they survive a restart:
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# service iptables save
Use the telnet command from another host to see if the firewall allows connecting to port 80 (testing from the server itself goes over the loopback interface and does not exercise the same rules):
$ telnet www.linuxadmin.co.in 80
Sample outputs:

Trying 202.52.134.110...
Connected to www.linuxadmin.co.in.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
You can also probe your own server with nmap; a SYN scan needs raw sockets, so run it as root:
# nmap -sS -p 80 www.linuxadmin.co.in
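The telnet test above only tells you whether the connection succeeded. What a firewall engineer usually needs is to tell the three outcomes apart: a completed handshake (open), an immediate RST or ICMP error (closed, i.e. nothing listening or an iptables REJECT), and silence until a deadline (filtered, i.e. an iptables DROP). The script below is an added example, not code from the original post; it needs only bash's /dev/tcp and the coreutils timeout command, and it assumes you run it from a host other than the server under test.

```shell
#!/bin/sh
# Added example (not from the original post): probe TCP ports and tell
# open / closed (REJECT) / filtered (DROP) apart. Assumptions: bash and
# coreutils timeout are installed; run from a host other than the server.

# Map the exit status of a connect attempt to a firewall verdict.
#   0   -> open      (TCP handshake completed)
#   124 -> filtered  (no answer before the deadline: SYN silently DROPped)
#   *   -> closed    (RST or ICMP error: nothing listening, or iptables REJECT)
classify_rc() {
    case $1 in
        0)   echo open ;;
        124) echo filtered ;;
        *)   echo closed ;;
    esac
}

# probe_port HOST PORT [SECONDS]   -> prints open | closed | filtered
probe_port() {
    host=$1; port=$2; wait=${3:-3}
    rc=0
    # open fd 3 on the socket and close it again; host/port are passed as
    # positional parameters so they are never interpolated into shell code
    timeout "$wait" bash -c 'exec 3<>"/dev/tcp/$1/$2" && exec 3>&-' _ "$host" "$port" 2>/dev/null || rc=$?
    classify_rc "$rc"
}

# probe_ports HOST PORT...   -> one "port state" line per port
probe_ports() {
    host=$1; shift
    for p in "$@"; do
        printf '%s %s\n' "$p" "$(probe_port "$host" "$p")"
    done
}

# Constructed invocation against a server of your own, e.g.:
#   probe_ports www.example.com 22 80 443 3306
# A LAN-only port such as 3306 should report "filtered" (or "closed" if you
# used REJECT) from outside the LAN and "open" from inside it.
```

Reading the verdict is the point: "closed" from the Internet for a port you meant to DROP means a REJECT rule or no rule at all is answering, and "filtered" for a port you meant to open means the ACCEPT rule is missing or sits after a DROP.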
