Wednesday, July 22, 2009

Linux Interview Q's part 2

15. Predict the output of the following program code

#include <stdio.h>
#include <unistd.h>

int main(void)
{
    fork();
    printf("Hello World!");
    return 0;
}


Answer:

Hello World!Hello World!


Explanation:
The fork() creates a child that is a duplicate of the parent process. The child resumes execution at the return of fork(), so every statement after the call runs twice (once in the parent, once in the child). Statements before fork() are executed only once, by the parent. One caveat: stdio buffers are duplicated into the child along with the rest of the address space, so a printf() placed before fork() whose output has not been flushed yet (no newline, stdout redirected to a pipe or file) can still appear twice when both processes exit.

16. Predict the output of the following program code

#include <stdio.h>
#include <unistd.h>

int main(void)
{
    fork(); fork(); fork();
    printf("Hello World!");
    return 0;
}


Answer:
"Hello World!" will be printed 8 times.
Explanation:
Each fork() doubles the number of processes, so after n calls there are 2^n processes (here 2^3 = 8), and each of them executes the printf() once. The order in which the eight copies appear is not deterministic.

17. List the system calls used for process management:

fork()    - create a new process (a copy of the caller)
exec()    - replace the current process image with a new program (execve() and its wrappers)
wait()    - wait until a child process terminates and collect its exit status (waitpid() for a specific child)
exit()    - terminate the calling process
getpid()  - get the process identifier of the current process
getppid() - get the parent's process identifier
nice()    - bias the scheduling priority of a process
brk()     - increase/decrease the size of a process's data segment
18. How can you get/set an environment variable from a program?

Getting the value of an environment variable is done with getenv(). Setting one is done with putenv() or, preferably, setenv(); unsetenv() removes one. putenv() keeps a pointer to the string you pass (so it must stay valid for the life of the process), while setenv() copies it. The environment is inherited by child processes across fork() and exec(), and a program running with elevated privileges should treat its values (PATH, HOME, locale variables and so on) as untrusted input.

19. How can a parent and child process communicate?

A parent and child can communicate through any of the normal inter-process communication schemes (pipes, sockets, message queues, shared memory), but also have some special ways to communicate that take advantage of their relationship as parent and child. The most obvious is that the parent can collect the child's exit status with wait() or waitpid(). A pipe created before the fork is inherited by the child, which is how the shell wires up pipelines, and either side can signal the other with kill() because each knows the other's PID (fork()'s return value in the parent, getppid() in the child).

20. What is a zombie?

When a program forks and the child finishes before the parent, the kernel keeps some information about the child in case the parent needs it, for example the child's exit status. The parent retrieves it by calling wait() (or waitpid()). In the interval between the child terminating and the parent calling wait(), the child is said to be a 'zombie' (if you run ps, the child has a Z in its status field). A zombie holds nothing but its process-table entry, but a parent that never waits leaks one entry per dead child; if the parent exits first, the zombie is adopted by init, which reaps it.
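The behaviour described in questions 15 to 20 (fork() returning 0 to the child and the child's PID to the parent, the child inheriting the environment, a pipe created before the fork serving as the parent/child channel, and wait() collecting the exit status so no zombie is left) in one runnable C program. This is an added example, not code from the original page; the environment variable name FORK_DEMO_VAR is made up for it.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* What the parent learns about its child, through the two channels the
   questions above mention: a pipe and the wait status. */
typedef struct {
    int exit_status;       /* value the child passed to _exit(), via WEXITSTATUS() */
    int child_saw_parent;  /* 1 if getppid() in the child equals getpid() in the parent */
    int child_saw_env;     /* 1 if the child inherited FORK_DEMO_VAR set before the fork */
    int reaped;            /* 1 once waitpid() returned the child's pid: no zombie remains */
} fork_demo;

/* Fork a child that reports back over a pipe and exits with `code`.
   Returns 0 on success, -1 if pipe()/fork()/waitpid() fail. */
int run_fork_demo(int code, fork_demo *out)
{
    int fds[2];
    int status;
    pid_t pid;
    struct { pid_t ppid; int env_ok; } msg;

    memset(out, 0, sizeof *out);
    /* FORK_DEMO_VAR is a name made up for this example; the child inherits it. */
    if (setenv("FORK_DEMO_VAR", "inherited", 1) != 0) return -1;
    if (pipe(fds) != 0) return -1;          /* created before fork so both ends are inherited */

    pid = fork();
    if (pid < 0) return -1;                 /* no child exists in this case */

    if (pid == 0) {                         /* child: fork() returned 0 */
        const char *v = getenv("FORK_DEMO_VAR");
        close(fds[0]);                      /* child only writes */
        msg.ppid = getppid();
        msg.env_ok = (v != NULL && strcmp(v, "inherited") == 0);
        if (write(fds[1], &msg, sizeof msg) != (ssize_t)sizeof msg) _exit(255);
        _exit(code & 0xff);                 /* _exit(): don't flush the parent's stdio buffers again */
    }

    /* parent: fork() returned the child's pid */
    close(fds[1]);                          /* parent only reads; EOF arrives when the child exits */
    if (read(fds[0], &msg, sizeof msg) == (ssize_t)sizeof msg) {
        out->child_saw_parent = (msg.ppid == getpid());
        out->child_saw_env = msg.env_ok;
    }
    close(fds[0]);

    if (waitpid(pid, &status, 0) != pid) return -1;   /* reaping here removes the zombie entry */
    out->reaped = 1;
    if (WIFEXITED(status)) out->exit_status = WEXITSTATUS(status);
    else out->exit_status = -1;             /* killed by a signal: WTERMSIG(status) says which */
    return 0;
}

int main(void)
{
    fork_demo d;
    if (run_fork_demo(7, &d) != 0) { perror("fork demo"); return 1; }
    printf("exit=%d ppid_ok=%d env_ok=%d reaped=%d\n",
           d.exit_status, d.child_saw_parent, d.child_saw_env, d.reaped);
    return 0;
}
```

The child uses _exit() rather than exit() so that the stdio buffers it inherited are not flushed a second time, which is the same duplication effect described under question 15. Between the child's _exit() and the parent's waitpid() the child would show up in ps as a zombie.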

21. What are the process states in Unix?

As a process executes it changes state according to its circumstances. Unix processes have the following states (the letter is what ps prints in the STAT column):
Running (R): the process is either running or ready to run.
Waiting (S or D): the process is sleeping until an event occurs or a resource becomes available (D is an uninterruptible sleep, usually on disk I/O).
Stopped (T): the process has been stopped, usually by receiving a signal such as SIGSTOP or SIGTSTP.
Zombie (Z): the process has terminated but has not yet been removed from the process table because its parent has not called wait().

You need to see the last fifteen lines of the files dog, cat and horse. What command should you use?
tail -15 dog cat horse

The tail utility displays the end of a file. The -15 tells tail to display the last fifteen lines of each specified file; the POSIX spelling of the same command is tail -n 15 dog cat horse.

Who owns the data dictionary?
The SYS user owns the data dictionary. The SYS and SYSTEM users are created when the database is created.

You routinely compress old log files. You now need to examine a log from two months ago. In order to view its contents without first having to decompress it, use the _________ utility.
zcat

The zcat utility allows you to examine the contents of a compressed file much the same way that cat displays a file.
You suspect that you have two commands with the same name as the command is not producing the expected results. What command can you use to determine the location of the command being run?
which

The which command searches the directories in your PATH and displays the full path of the first matching executable. It knows nothing about shell builtins, aliases or functions, which take precedence over the PATH lookup; the shell's own type command shows those as well.

You locate a command in the /bin directory but do not know what it does. What command can you use to determine its purpose.
whatis

The whatis command displays a summary line from the man page for the specified command.

You wish to create a link to the /data directory in bob's home directory so you issue the command ln /data /home/bob/datalink but the command fails. What option should you use in this command line to be successful.
Use the -s option (create a symbolic link).

You cannot hard-link a directory: Linux refuses it even for root (ln's -d/-F flag only lets root attempt it, and the kernel rejects the attempt). Create a symbolic link instead: ln -s /data /home/bob/datalink.

When you issue the command ls -l, the first character of the resulting display represents the file's ___________.
type

The first character of the permission block designates the type of file that is being displayed.

What utility can you use to show a dynamic listing of running processes_________?
top

The top utility shows a listing of all running processes that is dynamically updated.

Where is standard output usually directed?
to the screen or display

By default, your shell directs standard output to your screen or display.

You wish to restore the file memo.ben which was backed up in the tarfile MyBackup.tar. What command should you type?
tar xf MyBackup.tar memo.ben

This command uses the x switch to extract a file. Here the file memo.ben will be restored from the tarfile MyBackup.tar.

You need to view the contents of the tarfile called MyBackup.tar. What command would you use?
tar tf MyBackup.tar

The t switch tells tar to display the contents and the f modifier specifies which file to examine.

You want to create a compressed backup of the users' home directories. What utility should you use?
tar

You can use the z modifier with tar to compress your archive at the same time as creating it.

What daemon is responsible for tracking events on your system?
syslogd

The syslogd daemon is responsible for tracking system information and saving it to specified log files.

You have a file called phonenos that is almost 4,000 lines long. What text filter can you use to split it into four pieces each 1,000 lines long?
split

The split text filter will divide files into equally sized pieces. The default length of each piece is 1,000 lines.

You would like to temporarily change your command line editor to be vi. What command should you type to change it?
set -o vi

set -o vi turns on the shell's vi editing mode (set -o emacs switches back). set manipulates shell options and positional parameters, not environment variables. The change lasts for the current shell only, so once you log off and log back in you will return to the previously defined command line editor unless you add the command to your shell startup file.

What account is created when you install Linux?
root

Whenever you install Linux, the only login account created by default is the superuser account, also known as root (the system also ships a number of non-login service accounts such as daemon and nobody in /etc/passwd). Most installers prompt you to create an ordinary user as well, so that root is not used for day-to-day work.

What command should you use to check the number of files and disk space used and each user's defined quotas?

repquota

In order to run fsck on the root partition, the root partition must be mounted as
readonly

You must not run fsck on a file system that is mounted read-write: the checker and the kernel would both be modifying the same blocks and could corrupt it. Either boot from rescue media or remount the root file system read-only first.

In order to improve your system's security you decide to implement shadow passwords. What command should you use?
pwconv

The pwconv command creates /etc/shadow, moves each password hash into it, and replaces the hash in /etc/passwd with an 'x'. /etc/passwd stays world-readable because programs need the UID, GID, home directory and shell fields, while /etc/shadow is readable only by root, so the hashes are no longer available to every local user for offline cracking.

Bob Armstrong, who has a username of boba, calls to tell you he forgot his password. What command should you use to reset his password?
passwd boba

The passwd command changes a password. If you do not specify a username, your own password is changed; only root may change another user's password. Verify the caller's identity before doing so, since a password reset over the phone is a classic social-engineering route.

The top utility can be used to change the priority of a running process? Another utility that can also be used to change priority is ___________?
nice (for a process that is already running, renice)

Both top and nice deal with scheduling priority, but strictly speaking nice starts a command at a given niceness, while renice changes the niceness of a process that is already running; top's r key calls renice for you. Only root can lower a niceness value (raise a process's priority).

What command should you type to see all the files with an extension of 'mem' listed in reverse alphabetical order in the /home/ben/memos directory.
ls -r /home/ben/memos/*.mem

The -r option reverses the sort order, so the default alphabetical listing comes out in reverse. You can use wildcards with the ls command to specify a pattern of filenames; note that the shell, not ls, expands *.mem.

What file defines the levels of messages written to system log files?
kernel.h

The kernel's message levels (KERN_EMERG through KERN_DEBUG) were historically defined in include/linux/kernel.h. The matching priorities used by syslog() in user space (LOG_EMERG through LOG_DEBUG) are in /usr/include/sys/syslog.h, and /etc/syslog.conf decides which levels are written to which log files.

What command is used to remove the password assigned to a group?
gpasswd -r

The gpasswd command is used to change the password assigned to a group. Use the -r option to remove the password from the group.

What command would you type to use the cpio to create a backup called backup.cpio of all the users' home directories?
find /home | cpio -o > backup.cpio

The find command is used to create a list of the files and directories contained in home. This list is then piped to the cpio utility as a list of files to include and the output is saved to a file called backup.cpio.

What can you type at a command line to determine which shell you are using?
echo $SHELL

The SHELL environment variable holds the path of your login shell, and echo prints the value of any variable when you precede its name with $. Note that $SHELL does not change when you start a different shell interactively; to see the shell actually running, use echo $0 or ps -p $$.

What type of local file server can you use to provide the distribution installation materials to the new machine during a network installation?
A) Inetd
B) FSSTND
C) DNS
D) NNTP
E) NFS

E - You can use an NFS server to provide the distribution installation materials to the machine on which you are performing the installation. Answers a, b, c, and d are all valid items but none of them are file servers. Inetd is the superdaemon which controls all intermittently used network services. The FSSTND is the Linux File System Standard. DNS provides domain name resolution, and NNTP is the transfer protocol for usenet news.

If you type the command cat dog & > cat what would you see on your display? Choose one:
a. Any error messages only.
b. The contents of the file dog.
c. The contents of the file dog and any error messages.
d. Nothing as all output is saved to the file cat.

d

&> (written without a space, as bash accepts it) redirects both standard output and standard error to the file cat, so nothing appears on the display. Spelling matters here: with a space, cat dog & > cat is two commands, the first running cat dog in the background with its output going to the terminal and the second merely truncating the file cat. The portable form is cat dog > cat 2>&1.

You are covering for another system administrator and one of the users asks you to restore a file for him. You locate the correct tarfile by checking the backup log but do not know how the directory structure was stored. What command can you use to determine this?
Choose one:
a. tar fx tarfile dirname
b. tar tvf tarfile filename
c. tar ctf tarfile
d. tar tvf tarfile


d

The t switch will list the files contained in the tarfile. Using the v modifier will display the stored directory structure.

You have the /var directory on its own partition. You have run out of space. What should you do? Choose one:
a. Reconfigure your system to not write to the log files.
b. Use fips to enlarge the partition.
c. Delete all the log files.
d. Delete the partition and recreate it with a larger size.


d

With the classic tools, the only way to enlarge a partition is to delete it and recreate it with a larger size, then restore the necessary files from backup. On a modern system you would instead put /var on an LVM logical volume that can be extended, or grow the partition with parted/fdisk and the file system with resize2fs; either way, back up first.

You have a new application on a CD-ROM that you wish to install. What should your first step be?
Choose one:
a. Read the installation instructions on the CD-ROM.
b. Use the mount command to mount your CD-ROM as read-write.
c. Use the umount command to access your CD-ROM.
d. Use the mount command to mount your CD-ROM as read-only.


d

Before you can read any of the files contained on the CD-ROM, you must first mount the CD-ROM.

When you create a new partition, you need to designate its size by defining the starting and ending _____________.
cylinders

When creating a new partition you must first specify its starting cylinder. You can then either specify its size or the ending cylinder. (Current fdisk versions work in sectors rather than cylinders, but the principle is the same.)

What key combination can you press to suspend a running job and place it in the background?
ctrl-z

ctrl-z sends SIGTSTP to the foreground job, which stops it; the shell then reports it as Stopped. To actually continue it in the background, type bg; fg brings it back to the foreground.

The easiest, most basic form of backing up a file is to _____ it to another location.
copy

The easiest most basic form of backing up a file is to make a copy of that file to another location such as a floppy disk.

What type of server is used to remotely assign IP addresses to machines during the installation process?
A) SMB
B) NFS
C) DHCP
D) FTP
E) HTTP


C - You can use a DHCP server to assign IP addresses to individual machines during the installation process. Answers a, b, d, and e list legitimate Linux servers, but these servers do not provide IP addresses. SMB, served on Linux by Samba, is used for file and print sharing across multi-OS networks. An NFS server is for file sharing across Unix/Linux networks. FTP is a file transfer service that allows people to browse and retrieve files after logging in to it, and HTTP is for the Web.

Which password package should you install to ensure that the central password file couldn't be stolen easily?
A) PAM
B) tcp_wrappers
C) shadow
D) securepass
E) ssh

C - The shadow password package moves the password hashes out of the world-readable /etc/passwd into /etc/shadow, which only root can read. Answers a, b, and e all point to valid packages, but none of them protects the password file: PAM is the authentication framework, tcp_wrappers filters network connections, and ssh encrypts remote logins. Answer d points to an invalid package.

When using useradd to create a new user account, which of the following tasks is not done automatically.
Choose one:
a. Assign a UID.
b. Assign a default shell.
c. Create the user's home directory.
d. Define the user's home directory.


c

The useradd command uses the system default (HOME in /etc/default/useradd) for the user's home directory path, but it does not create the directory unless you use the -m option or CREATE_HOME is set to yes in /etc/login.defs, which many distributions now do.

You want to enter a series of commands from the command-line. What would be the quickest way to do this?
Choose One
a. Press enter after entering each command and its arguments
b. Put them in a script and execute the script
c. Separate each command with a semi-colon (;) and press enter after the last command
d. Separate each command with a / and press enter after the last command


c

The semi-colon may be used to tell the shell that you are entering multiple commands that should be executed serially. If these were commands that you would frequently want to run, then a script might be more efficient. However, to run these commands only once, enter the commands directly at the command line.

You attempt to use shadow passwords but are unsuccessful. What characteristic of the /etc/passwd file may cause this?
Choose one:
a. The login command is missing.
b. The username is too long.
c. The password field is blank.
d. The password field is prefaced by an asterisk.


c

The password field must not be blank before converting to shadow passwords.

When you install a new application, documentation on that application is also usually installed. Where would you look for the documentation after installing an application called MyApp?
Choose one:
a. /usr/MyApp
b. /lib/doc/MyApp
c. /usr/doc/MyApp
d. In the same directory where the application is installed.

c

The default location for application documentation is a directory named for the application under /usr/doc (older layouts) or /usr/share/doc on systems following the current Filesystem Hierarchy Standard.

What file would you edit in your home directory to change which window manager you want to use?
A) Xinit
B) .xinitrc
C) XF86Setup
D) xstart
E) xf86init


Answer: B - The ~/.xinitrc file allows you to set which window manager you want to use when logging in to X from that account.
Answers a, d, and e are all invalid files. Answer c, XF86Setup, is the X server configuration utility (the configuration file it writes is XF86Config).

What command allows you to set a processor-intensive job to use less CPU time?
A) ps
B) nice
C) chps
D) less
E) more


Answer: B - The nice command is used to change a job's priority level, so that it runs slower or faster. Answers a, d, and e are valid commands but are not used to change process information. Answer c is an invalid command.

While logged on as a regular user, your boss calls up and wants you to create a new user account immediately. How can you do this without first having to close your work, log off and logon as root?
Choose one:
a. Issue the command rootlog.
b. Issue the command su and type exit when finished.
c. Issue the command su and type logoff when finished.
d. Issue the command logon root and type exit when finished.


Answer: b
You can use the su command to assume the identity of any user, including root. You will be prompted for the root password. Once you have provided it you are running a shell as root (su - root also gives you root's environment) and can carry out administrative duties; type exit to return to your own session. On systems that grant it, sudo useradd ... does the same for a single command without sharing the root password.

There are seven fields in the /etc/passwd file. Which of the following lists all the fields in the correct order?
Choose one:
a. username, UID, GID, home directory, command, comment
b. username, UID, GID, comment, home directory, command
c. UID, username, GID, home directory, comment, command
d. username, UID, group name, GID, home directory, comment

Answer: b
The seven fields of each /etc/passwd line are username, encrypted password (or x when shadow passwords are in use), UID, GID, comment, home directory, command (login shell). Each field is separated by a colon even when it is empty. None of the options lists all seven; answer b is the one that has the remaining six in the correct order.

Which of the following commands will show a list of the files in your home directory including hidden files and the contents of all subdirectories?
Choose one:
a. ls -c home
b. ls -aR /home/username
c. ls -aF /home/username
d. ls -l /home/username

Answer: b
The ls command is used to display a listing of files. The -a option will cause hidden files to be displayed as well. The -R option causes ls to recurse down the directory tree. All of this starts at your home directory.

In order to prevent a user from logging in, you can add a(n) ________at the beginning of the password field.
Answer: asterisk


If you add an asterisk at the beginning of the password field in the /etc/passwd file, that user will not be able to log in, because no hash can ever match a string starting with '*'. With shadow passwords the field to edit is in /etc/shadow; passwd -l does this for you by prefixing the hash with '!', and passwd -u reverses it.
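A parser for the seven-field /etc/passwd format discussed in the questions above, plus a classification of the password field the way a login check sees it: x for a hash kept in /etc/shadow, a leading * or ! for a locked account, empty for no password at all, and anything else a hash exposed to every local user (what pwconv fixes). This is an added example written for this page, not part of the original; the lines in SAMPLE_PASSWD are constructed, not taken from a real system.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PASSWD_FIELDS 7

/* One /etc/passwd line: username:password:UID:GID:comment:home:shell */
typedef struct {
    char name[64];
    char password[128];  /* "x" = hash in /etc/shadow; "*" or "!" prefix = locked; "" = no password */
    long uid, gid;
    char comment[128];   /* GECOS field, frequently empty */
    char home[256];
    char shell[256];
} passwd_entry;

static void copy_field(char *dst, size_t cap, const char *src, size_t len)
{
    if (len >= cap) len = cap - 1;       /* truncate rather than overflow */
    memcpy(dst, src, len);
    dst[len] = '\0';
}

static int parse_id(const char *s, size_t len, long *out)
{
    char buf[32], *end;
    if (len == 0 || len >= sizeof buf) return -1;
    copy_field(buf, sizeof buf, s, len);
    *out = strtol(buf, &end, 10);
    return (*end == '\0' && *out >= 0) ? 0 : -1;  /* whole field must be a non-negative number */
}

/* Split one line into exactly seven colon-separated fields. Empty fields are legal;
   a missing or extra colon, or a non-numeric UID/GID, returns -1. */
int parse_passwd_line(const char *line, passwd_entry *e)
{
    const char *start[PASSWD_FIELDS], *p = line;
    size_t len[PASSWD_FIELDS];
    int n = 0;
    start[0] = p;
    for (;; p++) {
        if (*p != ':' && *p != '\0' && *p != '\n') continue;
        len[n] = (size_t)(p - start[n]);
        n++;
        if (*p != ':') break;               /* end of line */
        if (n == PASSWD_FIELDS) return -1;  /* an eighth field is starting */
        start[n] = p + 1;
    }
    if (n != PASSWD_FIELDS) return -1;
    copy_field(e->name,     sizeof e->name,     start[0], len[0]);
    copy_field(e->password, sizeof e->password, start[1], len[1]);
    if (parse_id(start[2], len[2], &e->uid) != 0) return -1;
    if (parse_id(start[3], len[3], &e->gid) != 0) return -1;
    copy_field(e->comment,  sizeof e->comment,  start[4], len[4]);
    copy_field(e->home,     sizeof e->home,     start[5], len[5]);
    copy_field(e->shell,    sizeof e->shell,    start[6], len[6]);
    return 0;
}

/* Classify the password field the way login would treat it. */
const char *account_state(const passwd_entry *e)
{
    if (e->password[0] == '\0') return "empty";          /* logs in with no password at all */
    if (strcmp(e->password, "x") == 0) return "shadow";  /* real hash is root-only in /etc/shadow */
    if (e->password[0] == '*' || e->password[0] == '!') return "locked"; /* can never match a hash */
    return "hash";                                       /* hash exposed in a world-readable file */
}

/* Count accounts in a passwd-format buffer that pwconv would fix: an empty password,
   or a hash sitting in /etc/passwd where every local user can read it. */
int count_unshadowed(const char *text)
{
    int count = 0;
    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[1024];
        passwd_entry e;
        copy_field(buf, sizeof buf, line, len);
        if (parse_passwd_line(buf, &e) == 0) {
            const char *s = account_state(&e);
            if (strcmp(s, "empty") == 0 || strcmp(s, "hash") == 0) count++;
        }
        line = nl ? nl + 1 : line + len;
    }
    return count;
}

/* Constructed sample for this example, not a real system's file. */
const char *SAMPLE_PASSWD =
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "boba:x:1001:1001:Bob Armstrong:/home/boba:/bin/bash\n"
    "ben:$1$saltsalt$notarealhashvalue:1002:1002::/home/ben:/bin/sh\n"
    "guest::1003:1003:Guest:/home/guest:/bin/sh\n";

int main(void)
{
    printf("accounts needing pwconv in sample: %d\n", count_unshadowed(SAMPLE_PASSWD));
    return 0;
}
```

The parser deliberately does not use strtok(), which collapses adjacent colons and would silently shift the fields of an entry with an empty comment; a real audit would read /etc/passwd with getline() and feed each line to parse_passwd_line().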

You have a directory called /home/ben/memos and want to move it to /home/bob/memos so you issue the command mv /home/ben/memos /home/bob. What is the results of this action?
Choose one:
a. The files contained in /home/ben/memos are moved to the directory /home/bob/memos/memos.
b. The files contained in /home/ben/memos are moved to the directory /home/bob/memos.
c. The files contained in /home/ben/memos are moved to the directory /home/bob/.
d. The command fails since a directory called memos already exists in the target directory.

Answer: a
When a directory is moved onto an existing directory, mv places it inside the target, so /home/ben/memos becomes /home/bob/memos/memos; the answer assumes /home/bob/memos already exists. If it did not, the directory would simply be renamed to /home/bob/memos (answer b).

Which of the following tasks is not necessary when creating a new user by editing the /etc/passwd file?
Choose one:
a. Create a link from the user's home directory to the shell the user will use.
b. Create the user's home directory
c. Use the passwd command to assign a password to the account.
d. Add the user to the specified group.

Answer: a
There is no need to link the user's home directory to the shell command. Rather, the specified shell must be present on your system.

You issue the following command useradd -m bobm But the user cannot logon. What is the problem?
Choose one:
a. You need to assign a password to bobm's account using the passwd command.
b. You need to create bobm's home directory and set the appropriate permissions.
c. You need to edit the /etc/passwd file and assign a shell for bobm's account.
d. The username must be at least five characters long.

Answer: a
The useradd command does not assign a password to newly created accounts. You will still need to use the passwd command to assign a password.

You wish to print the file vacations with 60 lines to a page. Which of the following commands will accomplish this? Choose one:
a. pr -l60 vacations | lpr
b. pr -f vacations | lpr
c. pr -m vacations | lpr
d. pr -l vacations | lpr


Answer: a
The default page length when using pr is 66 lines. The -l option is used to specify a different length.

Which file defines all users on your system?
Choose one:
a. /etc/passwd
b. /etc/users
c. /etc/password
d. /etc/user.conf


Answer: a
The /etc/passwd file contains all the information on users who may log into your system. If a user account is not contained in this file, then the user cannot log in.

Which two commands can you use to delete directories?
A) rm
B) rm -rf
C) rmdir
D) rd
E) rd -rf


Answer(s): B, C - You can use rmdir or rm -rf to delete a directory. Answer a is incorrect, because the rm command without any specific flags will not delete a directory, it will only delete files. Answers d and e point to a non-existent command.

Which partitioning tool is available in all distributions?
A) Disk Druid
B) fdisk
C) Partition Magic
D) FAT32
E) System Commander


Answer(s): B - The fdisk partitioning tool is available in all Linux distributions. Answers a, c, and e all handle partitioning, but do not come with all distributions. Disk Druid is made by Red Hat and used in its distribution along with some derivatives. Partition Magic and System Commander are tools made by third-party companies. Answer d is not a tool, but a file system type. Specifically, FAT32 is the file system type used in Windows 98.

Which partitions might you create on the mail server's hard drive(s) other than the root, swap, and boot partitions?
[Choose all correct answers]
A) /var/spool
B) /tmp
C) /proc
D) /bin
E) /home


Answer(s): A, B, E - Separating /var/spool onto its own partition helps to ensure that if something goes wrong with the mail server or spool, the output cannot overrun the file system. Putting /tmp on its own partition prevents either software or user items in the /tmp directory from overrunning the file system. Placing /home off on its own is mostly useful for system re-installs or upgrades, allowing you to not have to wipe the /home hierarchy along with other areas. Answers c and d are not possible, as the /proc portion of the file system is virtual, held in RAM rather than placed on the hard drives, and the /bin hierarchy is necessary for basic system functionality and, therefore, not one that you can place on a different partition.

When planning your backup strategy you need to consider how often you will perform a backup, how much time the backup takes and what media you will use. What other factor must you consider when planning your backup strategy? _________
what to backup
Choosing which files to backup is the first step in planning your backup strategy.

What utility can you use to automate rotation of logs?
Answer: logrotate
The logrotate command can be used to automate the rotation of various logs.

In order to display the last five commands you have entered using the history command, you would type ___________ .

Answer: history 5
The history command displays the commands you have previously entered. By passing it an argument of 5, only the last five commands will be displayed.

What command can you use to review boot messages?
Answer: dmesg
The dmesg command displays the system messages contained in the kernel ring buffer. By using this command immediately after booting your computer, you will see the boot messages.

What is the minimum number of partitions you need to install Linux?
Answer: 2
Linux can be installed on two partitions, one as / which will contain all files and a swap partition. Strictly speaking a single root partition is enough, since swap is optional (or can be a file), but the conventional minimum is root plus swap.

What is the name and path of the main system log?
Answer: /var/log/messages
By default, the main system log is /var/log/messages.

Of the following technologies, which is considered a client-side script?
A) JavaScript
B) Java
C) ASP
D) C++

Answer: A - JavaScript is the only client-side script listed. Java and C++ are complete programming languages. Active Server Pages are parsed on the server with the results being sent to the client in HTML

Linux Interview Q's part 1

Hi friends, here I will post some nice questions on Linux which are usually asked in campus interviews. Hope you will like this, please do comment :)

1. How are devices represented in UNIX?


All devices are represented by files called special files that are located in the /dev directory. Thus, device files and other files are named and accessed in the same way. A 'regular file' is just an ordinary data file on the disk. A 'block special file' represents a device with characteristics similar to a disk (data transfer in terms of blocks). A 'character special file' represents a device with characteristics similar to a keyboard (data transfer is a stream of bytes in sequential order).

2. What is 'inode'?

Every UNIX file has its description stored in a structure called an 'inode'. The inode contains information about the file: size, location on disk, time of last access, time of last modification, permissions, owner and so on. It does not contain the file's name; names live in directories and map to inode numbers, which is why one inode can have several names (hard links). Directories are also represented as files and have an associated inode. In addition to the description, the inode contains pointers to the data blocks of the file. If the file is large, the inode has an indirect pointer to a block of pointers to additional data blocks (this nests further for larger files). A block is typically 1 KiB to 4 KiB (4 KiB is the default on ext2/3/4).
Inode consists of the following fields:

File owner identifier
File type
File access permissions
File access times
Number of links
File size
Location of the file data
3. Brief about the directory representation in UNIX

A Unix directory is a file containing a correspondence between filenames and inode numbers. A directory is a special file that the kernel maintains: only the kernel modifies directories, but processes can read them. The contents of a directory are a list of (filename, inode number) pairs. When a new directory is created, the kernel makes two entries named '.' (refers to the directory itself) and '..' (refers to the parent directory).
System call for creating directory is mkdir (pathname, mode).

4. What are the Unix system calls for I/O?

open(pathname,flag,mode) - open file
creat(pathname,mode) - create file
close(filedes) - close an open file
read(filedes,buffer,bytes) - read data from an open file
write(filedes,buffer,bytes) - write data to an open file
lseek(filedes,offset,from) - position an open file
dup(filedes) - duplicate an existing file descriptor
dup2(oldfd,newfd) - duplicate to a desired file descriptor
fcntl(filedes,cmd,arg) - change properties of an open file
ioctl(filedes,request,arg) - change the behaviour of an open file
The difference between fcntl and ioctl is that the former is intended for any open file (duplicating the descriptor, getting and setting flags such as O_NONBLOCK and FD_CLOEXEC, record locks), while the latter is for device-specific operations.

5. How do you change File Access Permissions?

Every file has the following attributes:
owner's user ID (historically a 16-bit integer, 32-bit on modern systems)
owner's group ID (likewise)
File access mode word

'r w x - r w x - r w x'


(user permission - group permission - others permission)
r-read, w-write, x-execute
To change the access mode, we use chmod(filename, mode).
Example 1:
To change the mode of myfile to 'rw-rw-r--' (i.e. read and write permission for the user, read and write permission for the group, only read permission for others) we give the args as:
chmod(myfile, 0664).
Each operation is represented by a discrete value:

'r' is 4
'w' is 2
'x' is 1


Therefore, for 'rw' the value is 6 (4+2). The leading 0 marks the mode as octal; the three extra bits above the permission triplets (04000 set-user-ID, 02000 set-group-ID, 01000 sticky) are set through the same word, so be careful what you pass: chmod(file, 4755) in decimal is not what it looks like.
Example 2:
To change the mode of myfile to 'rwxr--r--' we give the args as:

chmod(myfile, 0744).


6. What are links and symbolic links in UNIX file system?

A link (hard link) is a second name for a file, not a separate file: both names refer to the same inode. Hard links can be used to give a file more than one name, but cannot be used to give a directory more than one name or to link names across different file systems.
A symbolic link is a file that only contains the pathname of another file. Operations on the symbolic link are directed to the file it points to (except for calls such as lstat() and unlink(), which act on the link itself). Both limitations of hard links are removed by symbolic links, at the cost of a dangling link if the target is removed or renamed. Symlinks also deserve care in privileged code: a file operation that follows a link planted by another user can be redirected to a file it should never touch, which is why open() offers O_EXCL and O_NOFOLLOW.
Commands for linking files are:

Link ln filename1 filename2
Symbolic link ln -s filename1 filename2


7. What is a FIFO?

FIFOs are otherwise called 'named pipes'. A FIFO (first-in-first-out) is a special file whose data is transient: once data is read from the named pipe it cannot be read again, and data can be read only in the order it was written. It is used in interprocess communication where one process writes to one end of the pipe (the producer) and another reads from the other end (the consumer). Unlike an anonymous pipe, a FIFO has a name in the file system, so unrelated processes can use it; access to it is governed by its permission bits like any other file.

8. How do you create special files like named pipes and device files?

The system call mknod creates special files (mkfifo() is the convenience call for named pipes) in the following sequence:
1. the kernel assigns a new inode,
2. sets the file type to indicate that the file is a FIFO, a device or (historically) a directory,
3. if it is a device file, records the major and minor device numbers.
For example:
If the device is a disk, the major device number identifies the driver (disk controller) and the minor device number selects the particular disk or partition. Creating device nodes requires privilege (CAP_MKNOD on Linux), which is why /dev is populated by the system rather than by users.
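Questions 2 to 8 above in one program: a file is created with open() and written with write() (Q4), given a hard link and a symbolic link (Q6) and a named pipe (Q7/Q8), then inspected with stat()/lstat() to show that the hard link shares the inode and raises st_nlink, that lstat() sees the symlink itself while stat() follows it, that chmod(..., 0664) lands in st_mode (Q5), and that readdir() returns one entry per name in the directory, including '.' and '..' (Q3). This is an added example, not from the original page; the scratch directory template /tmp/inodedemoXXXXXX and the file names are made up for it, and everything it creates is removed again.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Observations from one scratch directory (all paths are created and removed here). */
typedef struct {
    int hardlink_same_inode;  /* stat() on "data" and "data.hard" report one inode */
    int nlink_after_link;     /* st_nlink of the file once the hard link exists (expect 2) */
    int symlink_is_link;      /* lstat() reports S_IFLNK for "data.sym" */
    int symlink_follows;      /* stat() on "data.sym" resolves to the data file's inode */
    int fifo_is_fifo;         /* stat() reports S_IFIFO for the named pipe */
    int mode_after_chmod;     /* permission bits after chmod(data, 0664) */
    long size_after_write;    /* st_size after writing 12 bytes */
    int dir_entries;          /* names readdir() returns, including "." and ".." */
} inode_demo;

static int count_entries(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *de;
    int n = 0;
    if (!d) return -1;
    while ((de = readdir(d)) != NULL) n++;   /* each entry is a (name, inode number) pair */
    closedir(d);
    return n;
}

/* Returns 0 on success, -1 on the first failing system call. */
int run_inode_demo(inode_demo *out)
{
    char dir[] = "/tmp/inodedemoXXXXXX";    /* mkdtemp() template, made up for this example */
    char data[64], hard[64], sym[64], fifo[64];
    struct stat a, b;
    int fd;

    memset(out, 0, sizeof *out);
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(data, sizeof data, "%s/data", dir);
    snprintf(hard, sizeof hard, "%s/data.hard", dir);
    snprintf(sym,  sizeof sym,  "%s/data.sym", dir);
    snprintf(fifo, sizeof fifo, "%s/pipe", dir);

    /* O_EXCL: fail instead of following a symlink someone planted at this path */
    fd = open(data, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (write(fd, "hello world\n", 12) != 12) return -1;
    if (fstat(fd, &a) != 0) return -1;
    out->size_after_write = (long)a.st_size;
    close(fd);

    if (link(data, hard) != 0 || symlink(data, sym) != 0 || mkfifo(fifo, 0600) != 0) return -1;

    if (stat(data, &a) != 0 || stat(hard, &b) != 0) return -1;
    out->hardlink_same_inode = (a.st_ino == b.st_ino);   /* two names, one inode */
    out->nlink_after_link = (int)a.st_nlink;

    if (lstat(sym, &b) != 0) return -1;
    out->symlink_is_link = S_ISLNK(b.st_mode) ? 1 : 0;    /* the link itself */
    if (stat(sym, &b) != 0) return -1;
    out->symlink_follows = (b.st_ino == a.st_ino);        /* what it points at */

    if (stat(fifo, &b) != 0) return -1;
    out->fifo_is_fifo = S_ISFIFO(b.st_mode) ? 1 : 0;

    if (chmod(data, 0664) != 0 || stat(data, &a) != 0) return -1;
    out->mode_after_chmod = (int)(a.st_mode & 0777);      /* 0664 = rw-rw-r-- */

    out->dir_entries = count_entries(dir);                /* ., .., data, data.hard, data.sym, pipe */

    unlink(fifo); unlink(sym); unlink(hard); unlink(data);
    rmdir(dir);
    return 0;
}

int main(void)
{
    inode_demo d;
    if (run_inode_demo(&d) != 0) { perror("inode demo"); return 1; }
    printf("same inode=%d nlink=%d symlink=%d follows=%d fifo=%d mode=%o size=%ld entries=%d\n",
           d.hardlink_same_inode, d.nlink_after_link, d.symlink_is_link, d.symlink_follows,
           d.fifo_is_fifo, d.mode_after_chmod, d.size_after_write, d.dir_entries);
    return 0;
}
```

Note that unlinking "data" would not free the inode while "data.hard" still exists (st_nlink would drop to 1), whereas unlinking it leaves "data.sym" dangling: that asymmetry is the practical difference between the two kinds of link.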

9. Discuss the mount and unmount system calls

The privileged mount system call is used to attach a file system to a directory of another file system; the umount system call detaches it. When you mount another file system on to your directory, you are essentially splicing one directory tree onto a branch of another directory tree. The mount command takes the device holding the file system to mount as its first argument and the mount point, a directory in the current file naming system, as its second (the mount(2) system call takes source, target, file system type and flags). When you insert a CD-ROM into your Unix system's drive, the device appears as /dev/cdrom and its file system is mounted, often automatically, on a mount point such as /mnt/cdrom or /media/cdrom. Mount options such as nosuid, nodev and noexec limit what a mounted file system, for instance removable media, can be used for.

10. How does the inode map to data block of a file?

Inode has 13 block addresses. The first 10 are direct block addresses of the first 10 data blocks in the file. The 11th address points to a one-level index block. The 12th address points to a two-level (double in-direction) index block. The 13th address points to a three-level(triple in-direction)index block. This provides a very large maximum file size with efficient access to large files, but also small files are accessed directly in one disk read.
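The indirection scheme above as a calculation, added here and not part of the original page: given the block size and the size of one block address, how large a file the 10 direct plus single, double and triple indirect pointers can reach, and how many index blocks the kernel must read to get from the inode to the data block holding a given byte offset. The parameters 1 KiB blocks and 4-byte addresses (256 addresses per index block) are the classic textbook values, assumed for the demonstration.

```c
#include <stdio.h>

#define DIRECT_BLOCKS 10ULL

/* Number of block addresses that fit in one index block. */
static unsigned long long addrs_per_block(unsigned long long block_size, unsigned long long addr_size)
{
    return block_size / addr_size;
}

/* Largest file, in blocks, addressable with 10 direct, 1 single-, 1 double- and
   1 triple-indirect pointer: 10 + n + n^2 + n^3 with n addresses per index block. */
unsigned long long max_file_blocks(unsigned long long block_size, unsigned long long addr_size)
{
    unsigned long long n = addrs_per_block(block_size, addr_size);
    return DIRECT_BLOCKS + n + n * n + n * n * n;
}

unsigned long long max_file_bytes(unsigned long long block_size, unsigned long long addr_size)
{
    return max_file_blocks(block_size, addr_size) * block_size;
}

/* Index blocks between the inode and the data block holding byte `offset`:
   0 = direct, 1 = single indirect, 2 = double, 3 = triple, -1 = beyond the maximum. */
int indirection_level(unsigned long long offset, unsigned long long block_size, unsigned long long addr_size)
{
    unsigned long long n = addrs_per_block(block_size, addr_size);
    unsigned long long blk = offset / block_size;   /* logical block index within the file */
    if (blk < DIRECT_BLOCKS) return 0;
    blk -= DIRECT_BLOCKS;
    if (blk < n) return 1;
    blk -= n;
    if (blk < n * n) return 2;
    blk -= n * n;
    if (blk < n * n * n) return 3;
    return -1;
}

int main(void)
{
    unsigned long long bs = 1024, as = 4;           /* assumed textbook parameters */
    printf("max file: %llu blocks = %llu bytes\n", max_file_blocks(bs, as), max_file_bytes(bs, as));
    printf("offset 0 -> level %d, 1 MiB -> level %d, 1 GiB -> level %d\n",
           indirection_level(0, bs, as), indirection_level(1ULL << 20, bs, as),
           indirection_level(1ULL << 30, bs, as));
    return 0;
}
```

With these parameters the first 10 KiB of every file costs one read, anything past about 65 MiB already needs three index-block reads before the data, and the maximum file is just over 16 GiB; that is the size/efficiency trade-off the paragraph describes.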

11. What is a shell?

A shell is an interactive user interface to the operating system's services that allows a user to enter commands as character strings (or, in a graphical shell, through a GUI). The shell converts them to system calls to the OS or forks off a process to execute the command. System call results and other information from the OS are presented to the user through the interactive interface. Commonly used shells are sh, bash, csh, ksh, etc.

12. Brief about the initial process sequence while the system boots up.

While booting, a special process called the 'swapper' or 'scheduler' is created with process ID 0. The swapper manages memory allocation for processes and influences CPU allocation. In traditional System V Unix the swapper in turn creates three children:

the process dispatcher (init),
vhand and
bdflush
with IDs 1, 2 and 3 respectively.
This is done by executing the file /etc/init. The process dispatcher gives birth to the shell. On Linux the picture is simpler: PID 0 is the idle/swapper task, PID 1 is init (/sbin/init, or systemd), the ancestor of every user process, and PID 2 is kthreadd, the parent of the kernel threads. Unix keeps track of all the processes in an internal data structure called the Process Table (listing command is ps -el).

13. What are various IDs associated with a process?

Unix identifies each process with a unique integer called the Process ID (PID). The process that executes the request for creation of a process is the 'parent process', and its PID is the child's 'Parent Process ID' (PPID). Every process is associated with a particular user called the 'owner', who has privileges over the process; the identification of that user is the real 'User ID' (UID), the user who executed the process. A process also has an 'Effective User ID' (EUID), which determines its access privileges for resources like files. Normally the two are equal; a set-user-ID executable runs with the EUID of the file's owner, which is how passwd can write /etc/shadow on behalf of an ordinary user and why such programs must be written with care.

getpid() -process id
getppid() -parent process id
getuid() -user id
geteuid() -effective user id
14. Explain fork() system call.

The fork() system call creates a new process from an existing process. The new process is called the child process, and the existing process is called the parent. We can tell which is which by checking the return value from fork(): the parent gets the child's PID returned to it, the child gets 0, and if no process could be created fork() returns -1 to the parent and sets errno (no child exists in that case).

Monday, May 4, 2009

Ubuntu 9.04 Released !!!

Ubuntu's sponsor, Canonical, has announced the release of the Ubuntu 9.04 desktop version, which can be downloaded for free now!

Ubuntu is an open source operating system with the intention of supplying an up-to-date, stable operating system for the normal computer user. In addition to stability, Ubuntu tries to target ease of use and installation. Ubuntu can be used on almost anything including desktops, business PCs, notebooks and many other machines with x86 or ARM CPUs; ARM support is new in the 9.04 version.

One standard, but remarkable (because it outdoes Vista) feature of Ubuntu is the Compiz Fusion 3D desktop, which enables some really cool effects. Of course, for this feature to function you need a 3D accelerated graphics card.


Upgrading from Ubuntu 8.10

To upgrade from Ubuntu 8.10 on a desktop system, press Alt+F2 and type in "update-manager -d" (without the quotes) into the command box. Update Manager should open up and tell you: New distribution release '9.04' is available. Click Upgrade and follow the on-screen instructions.

To upgrade from Ubuntu 8.10 on a server system: install the update-manager-core package if it is not already installed; edit /etc/update-manager/release-upgrades and set Prompt=normal; launch the upgrade tool with the command sudo do-release-upgrade; and follow the on-screen instructions.

Download

Get it while it's hot. ISOs and torrents are available at:

New Features since Ubuntu 8.10
GNOME 2.26

Ubuntu 9.04 Beta includes the latest GNOME 2.26 desktop environment with a number of great new features, including:

  • brasero, developed by Philippe Rouquier and Luis Medinas, as an all-in-one CD burning application

  • Improved handling of multiple monitors with an updated gnome-display-properties by Federico Mena Quintero.

X.Org server 1.6

The latest X.Org server, version 1.6, is available in Jaunty. A number of video cards have been transitioned to free drivers as part of this update.

The -ati driver has received numerous fixes and performance improvements. It now uses the EXA acceleration method by default. 2D acceleration support for the newest R6xx/R7xx family of cards is also available. 3D support is available up to R5xx cards for -ati. An updated -fglrx proprietary driver is available for R6xx/R7xx users who need 3D support.

Linux kernel 2.6.28

Ubuntu 9.04 Beta includes the 2.6.28-11.37 kernel based on 2.6.28.8.

Ext4 filesystem support

Ubuntu 9.04 Beta supports the option of installing the new ext4 file system. ext3 will remain the default filesystem for Jaunty, and we will consider ext4 as the default for the next release based on user feedback. There has been extensive discussion about the reliability of applications running on ext4 in the face of sudden system outages. Applications that use the conventional approach of writing data to a temporary file and renaming it to its final location will have their reliability expectations met in Ubuntu 9.04 beta; further discussion is ongoing in the kernel community.

Ext4 support in GRUB was provided by Colin King. If you choose to upgrade your / or /boot filesystem in place from ext2 or ext3 to ext4 (as documented on the ext4 wiki), then you must also use the grub-install command after upgrading to Ubuntu 9.04 Beta to reinstall your boot loader. If you do not do this, then the version of GRUB installed in your boot sector will not be able to read the kernel from the ext4 filesystem and your system will fail to boot.

Ext4 support in gparted has been provided by Curtis Gedak.


Participate in Ubuntu

If you would like to help shape Ubuntu, take a look at the list of ways you can participate at

More Information

You can find out more about Ubuntu on the Ubuntu website and Ubuntu wiki.

To sign up for future Ubuntu development announcements, please subscribe to Ubuntu's development announcement list at:




Tuesday, December 30, 2008

Eleven SSH Tricks

Run remote GUI applications and tunnel any Net connection securely using a free utility that's probably already installed on your system.

SSH is the descendant of rsh and rlogin, which are non-encrypted programs for remote shell logins. Rsh and rlogin, like telnet, have a long lineage but now are outdated and insecure. However, these programs evolved a surprising number of nifty features over two decades of UNIX development, and the best of them made their way into SSH. Following are the 11 tricks I have found useful for squeezing the most power out of SSH.

Installation and Versions

OpenSSH is the most common free version of SSH and is available for virtually all UNIX-like operating systems. It is included by default with Debian, SuSE, Red Hat, Mandrake, Slackware, Caldera and Gentoo Linux, as well as OpenBSD, Cygwin for Windows and Mac OS X. This article is based on OpenSSH, so if you are using some other version, check your documentation before trying these tricks.

X11 Forwarding

You can encrypt X sessions over SSH. Not only is the traffic encrypted, but the DISPLAY environment variable on the remote system is set properly. So, if you are running X on your local computer, your remote X applications magically appear on your local screen.

Turn on X11 forwarding with ssh -X host. You should use X11 forwarding only for remote computers where you trust the administrators. Otherwise, you open yourself up to X11-based attacks.

A nifty trick using X11 forwarding displays images within an xterm window. Run the web browser w3m with the in-line image extension on the remote machine; see the Debian package w3m-img or the RPM w3m-imgdisplay. It uses X11 forwarding to open a borderless window on top of your xterm. If you read your e-mail remotely using SSH and a text-based client, it then is possible to bring up in-line images over the same xterm window.

Config File

SSH looks for the user config file in ~/.ssh/config. A sample might look like:

ForwardX11 yes
Protocol 2,1

Using ForwardX11 yes is the same as specifying -X on the command line. The Protocol line tells SSH to try SSH2 first and then fall back to SSH1. If you want to use only SSH2, delete the ,1.

The config file can include sections that take effect only for certain remote hosts by using the Host option. Another useful config file option is User, which specifies the remote user name. If you often log in to a machine with ssh -l remoteuser remotehost or ssh remoteuser@remotehost, you can shorten this by placing the following lines in your config file:

Host remotehost
ForwardX11 yes
User remoteuser

Host *
ForwardX11 no

Now, you can type ssh remotehost to log on as user remoteuser with the ForwardX11 option turned on. Otherwise, ForwardX11 is turned off, as recommended above. The asterisk matches all hosts, including hosts already matched in a Host section, but only the first matching option is used. Put specific Host sections before generic sections in your config file.

A system-wide SSH config file, /etc/ssh/ssh_config, also is available. SSH obtains configuration data in the following order: command-line options, user's configuration file and system-wide configuration file. All of the options can be explored by browsing man ssh_config.

Speeding Things Up: Compression and Ciphers

SSH can use gzip compression on any connection. The default compression level is equivalent to approximately 4× compression for text. Compression is a great idea if you are forwarding X sessions on a dial-up or slow network. Turn on compression with ssh -C or put Compression yes in your config file.

Another speed tweak involves changing your encryption cipher. The default cipher on many older systems is triple DES (3DES), which is slower than Blowfish and AES. New versions of OpenSSH default to Blowfish. You can change the cipher to blowfish with ssh -c blowfish.

Cipher changes to your config file depend on whether you are connecting with SSH1 or SSH2. For SSH1, use Cipher blowfish; for SSH2, use:

Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc

Port Forwarding

Ports are the numbers representing different services on a server, such as port 80 for HTTP and port 110 for POP3. You can find the list of standard port numbers and their services in /etc/services. SSH can translate transparently all traffic from an arbitrary port on your computer to a remote server running SSH. The traffic then can be forwarded by SSH to an arbitrary port on another server. Why would you want to do this? Two reasons: encryption and tunneled connections.

Encryption

Many applications use protocols where passwords and data are sent as clear text. These protocols include POP3, IMAP, SMTP and NNTP. SSH can encrypt these connections transparently. Say your e-mail program normally connects to the POP3 port (110) on mail.example.net. Also, say you can't SSH directly to mail.example.net, but you have a shell login at shell.example.net. You can instruct SSH to encrypt traffic from port 9110 (chosen arbitrarily) on your local computer and send it to port 110 on mail.example.net, using the SSH server at shell.example.net:

ssh -L 9110:mail.example.net:110 shell.example.net

That is, send local port 9110 to mail.example.net port 110, over an SSH connection to shell.example.net.

Then, simply tell your e-mail program to connect to port 9110 on localhost. From there, data is encrypted, transmitted to shell.example.net over the SSH port, then decrypted and passed to mail.example.net over port 110. As a neat side effect, as far as the POP3 dæmon on mail.example.net knows, it is accepting traffic from shell.example.net.

Tunneled Connections

SSH can act as a bridge through a firewall whether the firewall is protecting your computer, a remote server or both. All you need is an SSH server exposed to the other side of the firewall. For example, many DSL and cable-modem companies forbid sending e-mail from your own machine over port 25 (SMTP).

Our next example is sending mail to your company's SMTP server through your cable-modem connection. In this example, we use a shell account on the SMTP server, which is named mail.example.net. The SSH command is:

ssh -L 9025:mail.example.net:25 mail.example.net

Then, tell your mail transport agent to connect to port 9025 on localhost to send mail. This exercise should look quite similar to the last example; we are tunneling from local port 9025 to mail.example.net port 25 over mail.example.net. As far as the firewall sees, it is passing normal SSH data on the normal SSH port, 22, between you and mail.example.net.

A final example is connecting through an ISP firewall to a mail or news server inside a restricted network. What would this look like? In fact, it would be the same as the first example; mail.example.net can be walled away inside the network, inaccessible to the outside world. All you need is an SSH connection to a server that can see it, such as shell.example.net. Is that neat or what?

Limitations/Refinements to Port Forwarding

If a port is reassigned on a computer (the local port in the examples above), every user of that computer sees the reassigned port. If the local system has multiple users, tunnel only from unused, high-numbered ports to avoid confusion. If you want to forward a privileged local port (lower than 1024), you need to do so as root. Forwarding a lower-numbered port might be useful if a program won't let you change its port, such as standard BSD FTP.

By default, a tunneled local port is accessible only to local users and not by remote connection. However, any user can make the tunneled port available remotely by using the -g option. Again, you can do this to privileged ports only if you are root.

Any user who can log in with SSH can expose any port inside a private network to the outside world using port forwarding. As an administrator, if you allow incoming SSH connections, you're really allowing incoming connections of any kind. You can configure the OpenSSH dæmon to refuse port forwarding with AllowTcpForwarding no, but a determined user can forward anyway.

A config file option is available to forward ports; it is called LocalForward. The first port-forwarding example given above could be written as:

Host forwardpop
Hostname shell.example.com
LocalForward 9110 mail.example.com:110

This way, if you type ssh forwardpop you receive the same result as in the first example. This example uses the Host command described above and the HostName command, which specifies a real hostname with which to connect.

Finally, a command similar to LocalForward, called RemoteForward, forwards a port from the computer to which you are connected, to your computer. Please read the ssh_config man pages to find out how.

Piping Binary Data to a Remote Shell

Piping works transparently through SSH to remote shells. Consider:

cat myfile | ssh user@desktop lpr

tar -cf - source_dir | \
ssh user@desktop 'cat > dest.tar'

The first example pipes myfile to lpr running on the machine named desktop. The second example creates a tar file and writes it to the terminal (because the tar file name is specified as dash), which is then piped to the machine named desktop and redirected to a file.

Running Remote Shell Commands

With SSH, you don't need to open an interactive shell if you simply want some output from a remote command, such as:

ssh user@host w

This command runs the command w on host as user and displays the result. It can be used to automate commands, such as:

perl -e 'foreach $i (1 .. 12) {print `ssh server$i "w"`}'

Notice the back-ticks around the SSH command. This uses Perl to call SSH 12 times, each time running the command w on a different remote host, server1 through server12. In addition, you need to enter your password each time SSH makes a connection. However, read on for a way to eliminate the password requirement without sacrificing security.

Authentication

How does SSH authenticate that you should be allowed to connect? Here are some options:

  • By hostnames only: uses .rhosts file; insecure; disabled by default.

  • By hostnames and host-key checking.

  • The S/Key one-time password system.

  • Kerberos: private-key encryption with time-expired “tickets”.

  • Smart card.

  • Password prompt.

  • Public key.

The most common authentication method is by password prompt, which is how most SSH installations are run out of the box.

However, public key encryption is worth investigating; it is considerably more secure than passwords, and by using it you can do away with all or most of your password typing.

Briefly, public key encryption relies on two keys: a public key to encrypt, which you don't keep secret, and a private key to decrypt, which is kept private on your local computer. The general idea is to run ssh-keygen to generate your keys. Press Return when it asks you for a passphrase. Then copy your public key to the remote computer's authorized_keys file.

The details depend on whether the computer to which you are connecting uses SSH1 or SSH2. For SSH1 type ssh-keygen -t rsa1, and copy ~/.ssh/identity.pub to the end of the file ~/.ssh/authorized_keys on the remote computer. For SSH2, type ssh-keygen -t rsa, and copy ~/.ssh/id_rsa.pub to the end of the file ~/.ssh/authorized_keys on the remote computer. This file might be called ~/.ssh/authorized_keys2, depending on your OpenSSH version. If the first one doesn't work, try the second. The payoff is you can log in without typing a password.

You can use a passphrase that keeps the private key secret on your local computer. The passphrase encrypts the private key using 3DES. At no time is your passphrase or any secret information sent over the network. You still have to enter the passphrase when connecting to a remote computer.

Authentication Agent

You might wonder: if we want to use a passphrase, are we stuck back where we started, typing in a passphrase every time we log in? No. Instead, you can use a passphrase, but type it only once instead of every time you use the private key. To set up this passphrase, execute ssh-agent when you first start your session. Then execute ssh-add, which prompts for your passphrase and stores it in memory, not on disk. From then on, all connections authenticating with your private key use the version in memory, and you won't be asked for a password.

Your distribution may be set up to start ssh-agent when you start X. To see if it's already running, enter ssh-add -L. If the agent is not running already, you need to start it, which you can do by adding it to your .bash_login, logging out and logging back in again.

Authentication Agent Forwarding

If you connect from one server to another using public key authentication, you don't need to run an authentication agent on both. SSH automatically can pass any authentication requests coming from other servers, back to the agent running on your own computer. This way, it never passes your secret key to the remote computer; rather, it performs authentication on your computer and sends the results back to the remote computer.

To set up authentication agent forwarding, simply run ssh -A or add the following line to your config file:

ForwardAgent yes

You should use authentication agent forwarding only if you trust the administrators of the remote computer; you risk them using your keys as if they were you. Otherwise, it is quite secure.

Traveling with SSH Java Applet

Many people carry a floppy with PuTTY or another Windows SSH program, in case they need to use an unsecured computer while traveling. This method works if you have the ability to run programs from the floppy drive. You also can download PuTTY from the web site and run it.

Another alternative is putting an SSH Java applet on a web page that you can use from a browser. An excellent Java SSH client is Mindterm, which is free for noncommercial use. You can find it at www.appgate.com/mindterm.

Conclusion

An SSH configuration can go wrong in a few places if you are using these various tricks. You can catch many problems by using ssh -v and watching the output. Of course, none of these tricks is essential to using SSH. Eventually, though, you may encounter situations where you're glad you know them. So give a few of them a try.

Thursday, December 11, 2008

SQUID ( Proxy Server )

Squid is a proxy server and web cache daemon. It has a wide variety of uses, from speeding up a web server by caching repeated requests, to caching web, DNS and other computer network lookups for a group of people sharing network resources, to aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including TLS, SSL, Internet Gopher and HTTPS. The development version of Squid (3.1) includes IPv6 and ICAP support.

Squid is the default proxy server in RHEL5. In this article I will show how to configure the Squid proxy server on RHEL5.


SQUID (PROXY SERVER)

Purpose: Web caching, bandwidth management, URL surf control etc.
Service Type: Standalone
Dependency: Network Service
Ports: 8080 / 3128 TCP

RECOMMENDATIONS FOR A GOOD PROXY SERVER:

RAM: Min 1.0 GB
Processor: Min Pentium 4 D at least 2.8 GHz
Hard Drives: SCSI OR SATA-I, 3 HDs, 80GB each (SATA comes min in 80GB)

Partition Scheme:

To distribute I/O load among all hard drives use the following partition scheme. You can use the remaining space as
you like. There are three main directories where the I/O load is very high in a proxy server:

1. Operating system (/)
2. Log Directory (/var/log)
3. Cache Directory (/cache1 and /cache2)

And we have created these directories as separate partitions on different disks.

HD1:
/boot 500MB
/ 30GB

HD2:
/var/log 80GB

HD3:
/cache1 15GB
/cache2 15GB

The proxy server should be sufficient for 1000 users (1000/3=330 active users).

Directory and File Location:

/etc/squid: Contains all Squid configuration files.
/etc/squid/squid.conf: Main proxy server's configuration file.
/var/log/squid: Squid log directory
/var/log/squid/cache.log: Squid service log file
/var/log/squid/access.log: Squid access log file
/var/log/messages: Main system log file
/var/spool/squid: Default cache directory

Required Packages:

Squid-version.number: Main rpm package

SIMPLE WEB-CACHE SETUP WITH SQUID:

End Result: A proxy server performing web-cache.

Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080


Internal Network: 192.168.0.0/24

Like the Apache web server, the Squid proxy server comes almost pre-configured. You just have to configure the proxy port
and ACLs and start the squid service, that's all.

Step 1:

Configure the squid service to start at boot time.
chkconfig squid on

Step 2:

Configure the /etc/hosts file. In this scenario the /etc/hosts file should look like

192.168.0.14 linuxbox4

Step 3:

Note: the squid.conf file is read in sequence by the squid service: the upper part is read first, then the lower part. Therefore
you must define parameters at their defined places. A sample configuration is present in the default squid
configuration file.

Open the /etc/squid/squid.conf file and change the http_port parameter as follows.

From:
http_port 3128

To:
http_port 8080

Find the “visible_hostname” section and define visible_hostname as follows.

visible_hostname linuxbox4

Note: the /etc/hosts file must be configured.

Find the ACL section and define the following two lines at the beginning of that section.

acl internal src 192.168.0.0/255.255.255.0
http_access allow internal

Here:
acl: is the keyword for ACL

internal: ACL name.

src: ACL type is src (source address). This means we have specified source addresses in
this ACL. ACLs are groups of source addresses, URLs, times, MAC addresses etc.
After making such groups we configure their access, i.e. whether they are allowed or
denied HTTP access through this proxy server.

192.168.0.0/255.255.255.0:
IP address and subnet mask of the clients which will use this proxy server for
Internet access.
http_access allow internal:
Allow web access to the source IP group internal.

Step 4:

Save and exit and reload the squid service.

service squid reload

Checking: On a client system open Internet Explorer, define the proxy server's address and port and browse
some site.

BLOCK SITES WITH SQUID:

End Result: A proxy server performing web-cache and blocking certain sites.

Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080
Internal Network: 192.168.0.0/24
Blocked Sites: hotmail.com & yahoo.com sites

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

Add the following ACL lines

acl blk url_regex hotmail.com yahoo.com
http_access deny blk

Above these lines

acl internal src 192.168.0.0/255.255.255.0
http_access allow internal

Save and exit and reload the squid service.

service squid reload

Checking: On a client system open Internet Explorer, define the proxy server's address and port and browse
hotmail.com and yahoo.com; you will get an “Access Denied” error from the proxy.

BLOCK CLIENTS BASED ON MAC ADDRESS:

End Result: A proxy server performing web-cache and blocking certain MAC addresses.

Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080
Blocked MAC: 00:B0:D0:A1:68:06
Alowed MAC: 17:FF:C3:A1:68:A0

Note: MAC based settings can only be used in the squid.conf file if we have compiled squid with the
“enable-arp-acl” configure option. Squid does not come precompiled with this option.

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

Add the following ACL lines

acl deny-macs arp 00:50:04:99:C4:1D
http_access deny deny-macs

acl allow-macs arp 17:FF:C3:A1:68:A0
http_access allow allow-macs

Here:
deny-macs & allow-macs: are ACL names.

arp: ACL type is ARP (MAC address). This means we have created groups of clients/PCs
based on MAC addresses. And after that we allow or deny access based on
these ACLs.

http_access deny deny-macs:
We have denied web (http_access) access to the MAC address specified in the “deny-macs”
ACL.

http_access allow allow-macs:
We have allowed web (http_access) access to the MAC address specified in the “allow-macs”
ACL.

Save and exit and reload the squid service.

service squid reload

CONFIGURE SQUID IN IVS ENVIRONMENT:

End Result: A proxy server performing web-cache, sending outgoing data via modem/DSL and
getting incoming data from satellite.

Scenario:
Proxy Server: linuxbox5
Proxy Server Port: 8080
IP address Assigned by ISP: 210.56.5.22/255.255.255.252
IP Address Given by Satellite Company: 64.32.5.88/255.255.255.252
Internal Network: 192.168.0.0/24
Number of NICs in Proxy Server: One

Assumptions:

1. Proxy server is connected with ISP and 210.56.5.22 is assigned as primary IP address to proxy server
and 64.32.5.88 is assigned as secondary IP address to proxy server.
2. Proxy server's gateway is configured as provided by ISP, so outgoing traffic goes out using ISP
(DSL/Dialup).
3. Satellite interface card is installed, configured and in sync.

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

Add the following lines in the squid.conf file.

tcp_outgoing_address 64.32.5.88
udp_outgoing_address 64.32.5.88

Save and exit and reload the squid service.

service squid reload

Checking: Install the iptraf package on the proxy server and monitor packets on the satellite interface.

TRANSPARENT PROXY SETUP:

End Result: A proxy server performing transparent web-cache.

Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080
Internal Network: 192.168.0.0/24

Note: Squid cannot be configured with authentication and as a transparent proxy at the same
time.

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

Add the following lines under the “httpd_accel” section.

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Save and exit and reload the squid service.

service squid reload

Add the following line at the end of the /etc/rc.local file and reboot the server.

iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080


SQUID AUTHENTICATION SETUP:

End Result: A proxy server performing web-cache with user authentication.

Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080
Internal Network: 192.168.0.0/24
Allowed Users: u1 and u2

Step 1:


Perform all steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

Step 2:

Create squid password file and add users in it.

touch /etc/squid/squidpasswd
htpasswd /etc/squid/squidpasswd u1
htpasswd /etc/squid/squidpasswd u2

Step 3:

Add the following lines under the “auth_param” section in the squid.conf file.

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squidpasswd
auth_param basic children 15

Here:

auth_param: This parameter tells the proxy to require authentication from clients.

basic: This is the authentication type. Usernames and passwords travel in clear text over the network.

program /usr/lib/squid/ncsa_auth:
Use this program to authenticate users. ncsa_auth only supports the basic auth type.

/etc/squid/squidpasswd:
User names and passwords will be kept in this file. We have to create this file and add users to it
with the htpasswd command.

auth_param basic children 15:
Start 15 authentication processes; if 16 users log in at the same time the last user will have to
wait until an authentication process becomes available.

Add the following ACL lines

acl authchk proxy_auth REQUIRED
http_access allow authchk

Above these lines

acl internal src 192.168.0.0/255.255.255.0
http_access allow internal

Step 4:

Save and exit and reload squid service.

service squid reload

BLOCK CLIENTS BASED ON TIME SETTINGS:

End Result: A proxy server performing web-cache and implementing time based restrictions.
Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080
Allowed Time: 9:00 AM to 09:00 PM

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

Add the following ACL line

acl timechk time 09:00-21:00

Above this line

acl internal src 192.168.0.0/255.255.255.0

And change the following line

From:
http_access allow internal

To:
http_access allow internal timechk

Here:
timechk: ACL name.

time: ACL type is time. This means we have set up a group of times and based on these time
groups we will allow or deny clients.

http_access allow internal timechk:
Tells squid to implement time restrictions on clients that belong to the internal group
(whose source IP address is between 192.168.0.1 – 253).

Save and exit and reload squid service.

service squid reload

BANDWIDTH MANAGEMENT:

End Result: A proxy server with bandwidth management assigning 256Kbps to two clients and
64Kbps to all other users of the 192.168.0.0/24 network.
Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080
Bandwidth Group1: 192.168.0.1 and 192.168.0.10 (256Kbps)
Bandwidth Group2: 192.168.0.0/24 (64Kbps) Except 192.168.0.1 and 192.168.0.10

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

Define the following lines in the squid.conf file.

acl bw256k src 192.168.0.1
acl bw256k src 192.168.0.10

Above these lines

acl internal src 192.168.0.0/255.255.255.0
http_access allow internal

In the delay pool section add the following.

delay_pools 2
delay_class 1 2
delay_parameters 1 32000/32000 -1/-1
delay_access 1 allow bw256k

delay_class 2 2
delay_parameters 2 8100/8100 -1/-1
delay_access 2 allow internal

Here:
delay_pools 2: There are two types of settings / groups of people; one delay pool handles one
type of settings, that's why we define two delay pools.

delay_class 1 2: Delay pool 1 belongs to delay class 2. There are three delay classes. In class 1 we
can limit bandwidth only for a subnet. In class 2 we can configure bandwidth for a
client and subnet as well. And in class 3 we can configure bandwidth for a client,
subnet and complete network.

delay_parameters 1 32000/32000 -1/-1:
For delay pool 1 we are providing 32000/32000 (256Kbps OR 32000 Kilo Bytes)
per user, i.e. min and max 256Kbps. -1/-1 means no limit on the network.

delay_access 1 allow bw256k:
We are allowing the bw256k (192.168.0.1 & 192.168.0.10) group/ACL to use the
settings of delay pool 1.

Save and exit and reload squid service.

service squid reload

DEFINE A DIFFERENT CACHE DIRECTORY THEN DEFAULT:

End Result: A proxy server keeping web cache in customized directory.

Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080
Cache Directory: /cache partition (10GB in size)

Note: It is recommended that you create /cache as a separate partition.

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

Create a squid directory in the /cache partition and set its owner and group to the squid user and group.

mkdir /cache/squid
chown squid.squid /cache/squid

Under the cache_dir section add the following line

cache_dir ufs /cache/squid 8500 16 256

We left 1500 of space for the swap.state file, which keeps the status of the cache directory. Save and exit and run the following
commands.

squid -z
service squid restart



SQUID PERFORMANCE TUNING:

End Result: A well-tuned squid proxy server.

Scenario:
Proxy Server: linuxbox5 (192.168.0.15)
Proxy Server Port: 8080

Perform all steps given above under the heading “Simple Web-cache Setup with Squid”. And do the
additional steps given below.

Configure the following parameters under their sections

maximum_object_size 10000 KB
maximum_object_size_in_memory 16 KB
dns_timeout 3 minutes
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

Tuesday, December 9, 2008

Preboot Execution Environment(PXE) Booting

The Preboot eXecution Environment (PXE, aka Pre-Execution Environment, or 'pixie') is an environment to boot computers using a network interface independently of available data storage devices (like hard disks) or installed operating systems.

PXE was introduced as part of the Wired for Management framework by Intel and is described in the specification (v2.1) published by Intel and Systemsoft on September 20, 1999. It makes use of several network protocols like IP, UDP, DHCP and TFTP and of concepts like GUID/UUID and Universal Network Device Interface and extends the firmware of the PXE client (the computer to be bootstrapped via PXE) with a set of predefined APIs.

The term PXE client only refers to the role that the machine takes in the PXE boot process. A PXE client can be a server, desktop, laptop or any other machine that is equipped with a PXE boot code.

In this article I will show how to configure a server for PXE booting, and also a client, on RHEL5.

Diskless installation / PXE installation - Article:

Server hostname - station1
Server IP Address - 192.168.1.100
DHCP Server - 192.168.1.100
----------------------------------------

Step-1 --> Set up DHCP Server on 192.168.1.100
# vi /etc/dhcpd.conf
ddns-update-style none;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.200;
option routers 192.168.1.100;
option subnet-mask 255.255.255.0;
option domain-name "example.com";
option domain-name-servers 192.168.1.100;
default-lease-time 21600;
max-lease-time 43200;
next-server 192.168.1.100;
option root-path "/tftpboot/";
filename "pxelinux.0";
}
:wq (Save this file)
# service dhcpd restart
# chkconfig dhcpd on

Step-2 --> Now set up the PXE boot files.
# mkdir /tftpboot
# cp /root/pxelinux.0 /tftpboot/.
# cp /root/memdisk /tftpboot/.
Note: Please send (scrap) me your mail IDs to get the "pxelinux.0" and "memdisk" files.

Step-3 --> Configure 'tftp' server
# chkconfig tftp on ( This will enable tftp from /etc/xinetd.d/tftp file )
# service xinetd restart
# /etc/init.d/dhcpd restart

Step-4 --> Set up the PXE files from the first RedHat CD. Insert the first RedHat disk and copy 'initrd.img' and 'vmlinuz' to the /root directory.
# cd /root
# cp initrd.img /tftpboot/.
# cp vmlinuz /tftpboot/.
Also copy them under renamed file names:
# cp initrd.img /tftpboot/fc2-initrd.img
# cp vmlinuz /tftpboot/fc2-vmlinuz
# cd /tftpboot
# mkdir pxelinux.cfg
# cd pxelinux.cfg
# touch default
# vi default
default install
# Always prompt
prompt 1
display pxeboot.msg
# Boot automatically after 30 seconds in tenths of a second
timeout 300
label local
localboot 0
label install
kernel vmlinuz
append initrd=initrd.img
:wq ( save this file )

Step-5 --> Now mount the ISO

Let's copy the RedHat ISO to the /tmp directory (ISO name -> RHEL5.0_1.iso)

# mount -o loop -t iso9660 /tmp/RHEL5.0_1.iso /media/cdrom

Or, if you are using the physical disc instead of the ISO:

# mount /dev/cdrom /media/cdrom


Step-6 --> Make NFS Share

# vi /etc/exports

/media/cdrom *(rw,sync)

:wq (Save the file)

# service nfs restart
# chkconfig nfs on
# service dhcpd restart

Step-7 --> Now just set your client to boot from the network (F12)

boot: PRESS Enter.....
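As an added check (not part of the original article), the following shell function verifies the TFTP root built in Steps 2 to 4: it confirms that pxelinux.0 and pxelinux.cfg/default exist and that every kernel and initrd= file referenced in default is actually present. It assumes the root is /tftpboot unless another directory is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check a pxelinux TFTP root.
# Assumption: the root is /tftpboot unless a directory is passed as $1.
check_pxe_root() {
  root=${1:-/tftpboot}
  cfg="$root/pxelinux.cfg/default"
  rc=0
  # The DHCP "filename" option in Step-1 points clients at pxelinux.0, so it must exist.
  [ -f "$root/pxelinux.0" ] || { echo "missing: $root/pxelinux.0"; rc=1; }
  # Without the default menu file pxelinux has nothing to boot.
  [ -f "$cfg" ] || { echo "missing: $cfg"; return 1; }
  # pxelinux keywords are case-insensitive; the initrd is given as "append initrd=FILE ...".
  refs=$(awk 'tolower($1)=="kernel" {print $2}
              tolower($1)=="append" {for (i=2; i<=NF; i++)
                                       if ($i ~ /^initrd=/) {sub(/^initrd=/, "", $i); print $i}}' "$cfg")
  # Every referenced file is resolved relative to the TFTP root, as the TFTP server does.
  for r in $refs; do
    [ -f "$root/$r" ] || { echo "missing: $root/$r (referenced in $cfg)"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "ok: $root is complete"
  return $rc
}
```

Run it as check_pxe_root after Step-4; a non-zero exit lists each missing file, which is the usual cause of a client stopping at the "boot:" prompt with a file-not-found error.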
----------------------------------------
Saturday, December 6, 2008

Configuring Firewall using IPTABLES


In this article I will show how to configure a firewall in Linux using iptables.

IPTABLES (FIREWALL):

Purpose: A modular, command-based stateful firewall.
Service Type: Standalone
Directory and File Location:

/sbin/iptables: Main iptables binary file.
/lib/iptables: iptables modules directory.

Required Packages:


iptables-version.number: A single package provides all modules and the main iptables binary.

Prerequisite: IP packet forwarding should be enabled first if your Linux box is acting as a
gateway for other PCs and you want to filter forwarded packets as well.

Open “/etc/sysctl.conf” and change:

From
net.ipv4.ip_forward = 0
To
net.ipv4.ip_forward = 1

Save and exit, then run the following command.

sysctl -p

WHAT CAN IPTABLES DO?:

1. iptables can perform static and dynamic (stateful) filtering.
2. iptables can perform Quality of Service.
3. iptables can perform address and port redirection.
4. iptables can perform NAT.
5. iptables can do much more by adding available modules.

STRUCTURE OF IPTABLES:

Iptables consists of three tables

1. Filter Table
The filter table is used for blocking IP addresses and ports.

2. Nat Table
The nat table is used for NAT and for address and port redirection.

3. Mangle Table
Mangle is a special-purpose table used for QoS (quality of service) etc.

WORKING MECHANISM:
(Refer the image at the top of the article)

1. As soon as a packet enters the system, first the PREROUTING chain of the MANGLE table is checked and
then that of the NAT table.
2. After that the system checks its routing table to find out whether this packet is for itself or for
some other system (if the system is acting as a network firewall and is part of two networks,
normally a system connected to the internet).
3. If the packet’s destination is the firewall system itself, then the INPUT chain of the MANGLE table and
then the INPUT chain of the FILTER table is checked, and the packet is given to the concerned
service/process.
4. If the packet’s destination is some other system and the system has to forward this packet to
another system, then:
a. The FORWARD chain of the MANGLE table and then the FORWARD chain of the FILTER table is
checked.
b. Then the POSTROUTING chain of the MANGLE table and then the POSTROUTING chain of the NAT table is checked.

5. If the packet is generated by the firewall itself, then:
a. First a routing decision is made about which interface the packet will go out through. After the routing decision, the OUTPUT chain of first the MANGLE table, then the NAT table and finally the FILTER
table is checked.
b. Then the POSTROUTING chain of the MANGLE table and then of the NAT table is checked.

RULES CREATION:
In iptables we have to create rules in chains to do a particular task.

iptables TABLE CHAIN CHECKING_CRITERIA ACTION

Example:

The following rule tells iptables to block FTP access from host 192.168.0.10

iptables -t filter -A INPUT -s 192.168.0.10 -p tcp --dport 20:21 -j DROP

Note: The filter table is the default table of iptables; if we do not specify any table in our rule, the filter table is
assumed.

Options Used in Rule Creation:

-A Defines the chain name to which the rule is appended
-t Defines the table name to which the rule belongs
-D To delete a single rule
-F To flush all iptables rules
-Z To set rule counters to zero
-n Do not resolve IPs to names via DNS; used with the -L option
-L Display current firewall rules
-P To configure the policy rule (default rule)

-p To define protocol (tcp, udp and icmp)
-s To define source address
-d To define destination address
-o To define exit / out interface
-i To define incoming interface
--sport To define source port
--dport To define destination port
-m state --state To define status of packet
! To invert the mentioned criteria
-j To define action to be taken on matched packet (DROP, ACCEPT, REJECT, MASQUERADE, and
REDIRECT)

CONFIGURE IPTABLES AS A STATIC FIREWALL:

Scenario 1 (Filter Table, INPUT Chain Implementation):

End Result: An FTP server with a firewall configured, offering its service to only selected clients.
Server: linuxbox4 (192.168.0.14)
Allowed Clients: 192.168.0.15 and 192.168.0.16

Firewall Rules:

iptables -A INPUT -s 192.168.0.15 -p tcp --dport 20:21 -j ACCEPT
iptables -A INPUT -s 192.168.0.16 -p tcp --dport 20:21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20:21 -j DROP

Save Changes and set iptables service to start at boot time:

service iptables save
chkconfig iptables on

Scenario 2 (Filter Table, OUTPUT Chain Implementation):

End Result: A client computer that is not allowed to telnet or SSH to a telnet and SSH server.
Server IP: linuxbox4 (192.168.0.14)

Firewall Rule Configured on Client PC:

iptables -A OUTPUT -d 192.168.0.14 -p tcp --dport 22:23 -j DROP

Save Changes and set iptables service to start at boot time:

service iptables save
chkconfig iptables on

Scenario 3 (Filter Table, FORWARD Chain Implementation):
End Result: A gateway server that is part of two networks (192.168.0.0 and 10.10.10.0), filtering incoming and
outgoing traffic, only allowing the IP 10.10.10.253 to access file and print services on any PC in the
192.168.0.0 network, while not a single client PC in the 192.168.0.0 network is allowed to access
any service from the 10.10.10.0 network.

Firewall Rules For Gateway Server:

iptables -A FORWARD -s 10.10.10.253 -p tcp --dport 135:139 -j ACCEPT
iptables -A FORWARD -s 10.10.10.253 -p tcp --dport 445 -j ACCEPT
iptables -A FORWARD -p tcp --dport :1024 -j DROP

NAT CONFIGURATION / INTERNET SHARING:

Scenario 1 (Nat Table, POSTROUTING Chain Implementation):

End Result: An Internet gateway server converting internal private IP
addresses into a public IP address.
Server: linuxbox4 (192.168.0.14)
Internet Clients: 192.168.0.0/24 Network
Server Interface Connected to Internet: Modem / Linux interface name ppp0

Firewall Rules:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

OR

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Note: The -i option cannot be used with the POSTROUTING chain.

For internet sharing you must complete the prerequisite (IP forwarding) mentioned at the beginning of this document.

PORT REDIRECTION (Used for T-Proxy Setup):

Scenario 1 (Nat Table, PREROUTING Chain Implementation):

End Result: A proxy server changing the destination port of incoming packets for a transparent proxy (T-Proxy).
Server: linuxbox4 (192.168.0.14)
Internet Clients: 192.168.0.0/24 Network
Server Interface Connected to Clients: NIC / Linux interface name eth0

Firewall Rules:

iptables -t nat -A PREROUTING -p tcp --dport 80 -s 192.168.0.0/24 -j REDIRECT --to-port 8080

OR

iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j REDIRECT --to-port 8080

Note: The -o option cannot be used with the PREROUTING chain.

PRIORITIZE MSN TRAFFIC:

End Result: An Internet gateway server performing QoS for MSN traffic.
Server: linuxbox4 (192.168.0.14)
Allowed Clients: 192.168.0.0/24

Firewall Rules:

iptables -t mangle -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j TOS --set-tos Minimize-Delay

This will forward MSN traffic without delay and the MSN service will get improved.

DYNAMIC FIREWALL CONFIGURATION:

End Result: An FTP server with a dynamic (stateful) firewall configured, offering its service to only selected clients.
Server: linuxbox4 (192.168.0.14)
Allowed Clients: 192.168.0.15 and 192.168.0.16

Firewall Rules:

iptables -A INPUT -s 192.168.0.15 -p tcp --dport 20:21 -m state --state NEW -j ACCEPT
iptables -A INPUT -s 192.168.0.16 -p tcp --dport 20:21 -m state --state NEW -j ACCEPT

iptables -A INPUT -s 192.168.0.15 -p tcp --dport 20:21 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -s 192.168.0.16 -p tcp --dport 20:21 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp --dport 20:21 -j DROP

Here:
-m state --state:
Is an iptables parameter used to match a packet’s connection state.

NEW: NEW means that the packet has started a new connection. Such packets
have a special TCP flag set (SYN).

ESTABLISHED: ESTABLISHED means that the packet is associated with a connection that has
already been made by a NEW state packet.

RELATED: Means that the packet is starting a new connection, but is associated with an
existing connection, such as an FTP data transfer, or an ICMP error.

INVALID: INVALID means that the packet is associated with an unknown connection.
No connection was already created for this packet, and neither is it
associated with another connection.
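The stateful FTP rule set above, as an added example script (not from the original article): ftp_rules prints the rules in evaluation order for a list of allowed clients, and apply_ftp_rules appends each one only if it is not already loaded, so re-running it never duplicates rules. It assumes iptables 1.4.11 or newer (for the -C check option), root privileges when applying, and the client list 192.168.0.15 and 192.168.0.16 from the scenario.

```shell
#!/bin/sh
# Added example (not from the original article): stateful FTP allow-list for the
# Dynamic Firewall Configuration scenario. Assumptions: iptables >= 1.4.11 (-C),
# root when applying; ftp_rules and rule_count only print and need no privileges.
ALLOWED_CLIENTS=${ALLOWED_CLIENTS:-"192.168.0.15 192.168.0.16"}
FTP_PORTS="20:21"

# Print the rule specifications (everything after "iptables -A") in evaluation order:
# NEW and ESTABLISHED,RELATED accepts per allowed client first, the catch-all DROP last.
ftp_rules() {
  for ip in $ALLOWED_CLIENTS; do
    echo "INPUT -s $ip -p tcp --dport $FTP_PORTS -m state --state NEW -j ACCEPT"
  done
  for ip in $ALLOWED_CLIENTS; do
    echo "INPUT -s $ip -p tcp --dport $FTP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT"
  done
  # Any other source reaching the FTP ports never matches an ACCEPT and is dropped here.
  echo "INPUT -p tcp --dport $FTP_PORTS -j DROP"
}

# Append each rule only if "iptables -C" reports it absent; order is preserved because
# rules are appended in the order ftp_rules prints them.
apply_ftp_rules() {
  ftp_rules | while read -r spec; do
    iptables -C $spec 2>/dev/null || iptables -A $spec
  done
  # Persist on RHEL-style systems, as the article does: service iptables save
}

# Number of rules ending in the given target (ACCEPT or DROP); a quick check that the
# generated set has one DROP and two ACCEPTs per client before applying it.
rule_count() { ftp_rules | grep -c -- "-j $1"; }
```

The RELATED state only covers FTP data connections when the FTP connection-tracking helper module (ip_conntrack_ftp on RHEL5, nf_conntrack_ftp on newer kernels) is loaded.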