Thursday, April 22, 2010

Sorting creation date within ls

When looking for a file or folder on a Linux filesystem with the ls command, and we want to see when each entry was created with the most recent one listed first, we can basically use the -lUr options to get the output we intend. Two things worth knowing before copying the command: the option descriptions below are from the BSD ls shipped with Mac OS X (the session is from an iMac), whereas GNU ls on most Linux distributions treats -U as "do not sort" and has no creation-time sort at all; and, as the -U description says, -U only selects which timestamp is used, while the sort itself is by name unless -t is also given (note the reverse-alphabetical order in the listing), so ls -lUt lists the newest creation time first and ls -lUtr the oldest. Below is an example of the command at work.

-l (The lowercase letter "ell".) List in long format. (See below.) If the output is to a terminal, a total sum for all the file sizes is output on a line before the long listing.

-U Use time of file creation, instead of last modification for sorting (-t) or long output (-l).

-r Reverse the order of the sort to get reverse lexicographical order or the oldest entries first (or largest files last, if combined with sort by size).


jeff-iMac:~ jeff$ ls -lUr
total 0
drwxr-xr-x+ 5 jeff staff 170 Nov 20 12:46 Sites
drwxr-xr-x+ 5 jeff staff 170 Jun 19 2009 Public
drwx------+ 4 jeff staff 136 Nov 20 12:46 Pictures
drwx------+ 4 jeff staff 136 Jun 19 2009 Music
drwx------+ 3 jeff staff 102 Jun 19 2009 Movies
drwx------+ 29 jeff staff 986 Jun 19 2009 Library
drwx------+ 4 jeff staff 136 Jun 19 2009 Downloads
drwx------+ 4 jeff staff 136 Jun 19 2009 Documents
drwx------+ 4 jeff staff 136 Jun 19 2009 Desktop

I hope this helps!

Thursday, April 15, 2010

Building an Open Source based Infrastructure

If you are a seasoned Linux/Unix administrator, you already know how good it is to administer a Unix-like operating system because of its stability and reliability. Fixing any problem that arises becomes routine, and if it doesn't, you can easily find help by posting to the mailing list of the particular application or service, no matter where you are and no matter what time it is. You will certainly get a clue, if not the answer, to the specific problem you encountered.

Because of the stability and reliability of the applications, the services, and the operating system itself, we have the luxury of enjoying our valuable time in this world. It is also a great time to cut the cost of the proprietary world. With that in mind, you can use the extra budget to hire some junior-level IT staff and create employment; not only do you create jobs, you also help them understand the important role of Open Source systems, not just in what they can do, but in how these systems can also meet business objectives.

Once you have your IT objectives defined, we can start building the infrastructure using Open Source software. In this scenario, we will configure numerous Open Source based applications and services, and we will also scale them in line with the IT objectives. Below is the list of infrastructure servers that we are going to build and configure along the way.

We will first configure our NFS server, as this server will host our ISO installer images (we will be using RHEL 5.4, but any Linux flavor will do; if you don't have a RHEL installer, you can use CentOS to follow the examples easily). Eventually we will also install and configure the vsftpd server for FTP and yum, which will further ease the process of installing and configuring services on our next servers later on.

Security is mandatory, so before these servers go online, we must already have iptables and other access permissions in place.

Now it's time to configure our Internet gateway using iptables, our caching proxy server using Squid, and a DHCP server using ISC DHCP.

As we intend to cut cost not just on the software side but also on hardware and server space footprint (which in turn leads to lower power and air-conditioning consumption), we will be utilizing the Xen virtualization software. It's good to be green. :)

Next in line will be to install and configure our own internal caching-only local DNS server, and Sendmail as our SMTP server.

Once we have our mail server (Sendmail) configured, we will install and configure SpamAssassin and ClamAV via milter so our users will not be spammed (well, this is not 100% true, but at least we will be able to minimize the situation to a significant degree).

We will also need to configure our web server using Apache for web presence and web applications such as webmail, for which we will be using Roundcube.

A SQL server for our CMS (Drupal) and other valuable web applications; in this case we will be installing and configuring a MySQL server.

Then there comes the need for sharing files via a centralized file server, for which we will be using Samba so that our *Windows* clients can use it. We will also need to secure the server: user authentication, antivirus and logging (we will need to audit/track users on the critical files). Linux clients will connect to the file server via NFS as usual, but they can also use Samba if they want to.

We will also configure a soft PABX using Asterisk, so staff will be able to communicate cheaply wherever they are :). And we will also configure several softphones and integrate them with our Asterisk PABX.

As with any business now, there will also be a need to deploy a VPN gateway so that our mobile users/staff can access resources from anywhere securely.

With all our servers up and running, should there be any need to scale the infrastructure, we will again use different Open Source software and techniques that are already proven and in production all over the world.

Friday, April 9, 2010

Using ssh to administer systems behind a firewall

I have a number of clients with all their systems behind a firewall. That's a very good thing in terms of security, but these firewalls are so tight that they don't really allow remote administration of the boxes, which range from Fibre Channel switches and managed Ethernet switches to storage array boxes, firewall GUI frontends, etc. The good news is that I am still able to gain administrative access to these machines via ssh port forwarding. Not only is this secure, it just works and does the job as expected. Below is how I connect to one of the RAID array controllers when it's time to manage them. Please take note that we must have an ssh login account on the ssh frontend server or the firewall itself, and that machine must be able to reach the machines inside that we need to administer.

ssh -L 8081:192.168.1.6:80 login@example.com -p 20002


The command above forwards a port to a machine (the RAID array controller) inside the example.com network with the IP address 192.168.1.6: port 80 of the RAID array controller is redirected to port 8081 on my local machine (the machine I use to ssh to example.com), using my login account on the ssh frontend server, login@example.com, whose ssh port is 20002.

Once I gain access with the correct username and password combination, I am certain that port 80 of the RAID array controller is now being forwarded to port 8081 on my local machine. I now open my web browser and type in the following.

http://localhost:8081

Now I am able to administer the RAID array controller as if I were still inside the office. :)
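
A way to keep that tunnel in ~/.ssh/config instead of retyping it, as an added example that is not part of the original post. The function names are hypothetical; the user, hosts and ports are the post's example values. It binds the forwarded port to 127.0.0.1 explicitly so that other machines on your LAN cannot reach the controller through your workstation, and it refuses privileged local ports so the tunnel never needs root.

```shell
# Added example (not from the original post): write a ~/.ssh/config stanza for
# the tunnel described above. Function names are hypothetical; host, user and
# ports are the post's example values.

# Return 0 if $1 is a valid TCP port number (1-65535).
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print an ssh_config Host stanza to stdout.
# Usage: tunnel_stanza ALIAS USER@JUMPHOST JUMPPORT LOCALPORT TARGET TARGETPORT
tunnel_stanza() {
  alias_name=$1 login=$2 jump_port=$3 local_port=$4 target=$5 target_port=$6
  case "$login" in
    *@*) ;;
    *) echo "expected user@host, got '$login'" >&2; return 1 ;;
  esac
  valid_port "$jump_port" && valid_port "$local_port" && valid_port "$target_port" || return 1
  # Ports below 1024 need root to bind; the tunnel should run as an ordinary user.
  [ "$local_port" -ge 1024 ] || { echo "local port must be >= 1024" >&2; return 1; }
  printf 'Host %s\n' "$alias_name"
  printf '    HostName %s\n' "${login#*@}"
  printf '    User %s\n' "${login%@*}"
  printf '    Port %s\n' "$jump_port"
  # LocalForward [bind_address:]port host:hostport; 127.0.0.1 keeps the listener off the LAN.
  printf '    LocalForward 127.0.0.1:%s %s:%s\n' "$local_port" "$target" "$target_port"
  # Fail the login instead of silently connecting without the forward.
  printf '    ExitOnForwardFailure yes\n'
}

# Demo with the post's values; append the output to ~/.ssh/config, then run "ssh -N raid".
tunnel_stanza raid login@example.com 20002 8081 192.168.1.6 80
```

With the stanza in place, `ssh -N raid` sets up only the forward (no remote shell), and http://localhost:8081 works exactly as in the post.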

Changing the hostname of a RHEL 5.4 server

Sometimes we need to change the hostname of a configured server to give it its new name, most likely after cloning a drive and connecting it to a new server. This can be done with the steps below.

[root@base ~]# vi /etc/sysconfig/network

NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=nfs00.example.com

The configuration above makes sure that the new hostname (the FQDN, to be exact) is persistent and sticks after a reboot.

[root@base ~]# hostname nfs00.example.com
[root@base ~]# uname -a
Linux nfs00.example.com 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:54 EDT 2009 i686 i686 i386 GNU/Linux
[root@base ~]# hostname 
nfs00.example.com
[root@base ~]# 

Notice that the output of uname -a and of hostname already shows the intended hostname for this system, but the shell prompt still says base. At this point we need to log out and log in again to get the new hostname in the prompt.

Connection to 192.168.56.101 closed.
motto:~ motto$ ssh root@192.168.56.101
root@192.168.56.101's password: 
Last login: Fri Apr  9 14:32:27 2010 from 192.168.56.1
[root@nfs00 ~]# 

Voila! Our server's hostname is now nfs00.
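
The same edit done without opening vi, as an added example that is not part of the original post. The function names are hypothetical and the file path is passed in, so the change can be tried on a copy before touching /etc/sysconfig/network; the hostname is validated so that nothing but hostname characters ends up in the sed expression or the file.

```shell
# Added example (not from the original post): set HOSTNAME= in a sysconfig file.
# Function names are hypothetical; the file path is a parameter.

# set_sysconfig_hostname FILE FQDN: replace (or add) the HOSTNAME= line in FILE.
set_sysconfig_hostname() {
  file=$1 fqdn=$2
  # Accept only hostname characters; this also keeps sed metacharacters out.
  case "$fqdn" in
    ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) echo "invalid hostname '$fqdn'" >&2; return 1 ;;
  esac
  if grep -q '^HOSTNAME=' "$file"; then
    # Write to a temp file and rename, so a failed sed never truncates FILE.
    sed "s/^HOSTNAME=.*/HOSTNAME=$fqdn/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf 'HOSTNAME=%s\n' "$fqdn" >> "$file"
  fi
}

# get_sysconfig_hostname FILE: print the configured hostname (last HOSTNAME= line wins).
get_sysconfig_hostname() {
  sed -n 's/^HOSTNAME=//p' "$1" | tail -n 1
}

# Demo on a constructed copy of the file from the post.
demo=$(mktemp)
printf 'NETWORKING=yes\nNETWORKING_IPV6=no\nHOSTNAME=base\n' > "$demo"
set_sysconfig_hostname "$demo" nfs00.example.com
echo "configured hostname: $(get_sysconfig_hostname "$demo")"
cat "$demo"
rm -f "$demo"
# On the real box: set_sysconfig_hostname /etc/sysconfig/network nfs00.example.com,
# then "hostname nfs00.example.com" for the running kernel, then log in again.
```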

Configuring NFS server on RHEL 5.4

Here we are going to configure an NFS service on our RHEL 5.4 system. This NFS server will be used for installing a new OS on our servers. Make sure that the nfs-utils-1.0.9-42.el5 package is installed.

[root@nfs00 ~]# rpm -qa | grep nfs
nfs-utils-lib-1.0.8-7.6.el5
nfs-utils-1.0.9-42.el5
[root@nfs00 ~]# rpm -qi nfs-utils-1.0.9-42.el5
Name        : nfs-utils                    Relocations: (not relocatable)
Version     : 1.0.9                             Vendor: Red Hat, Inc.
Release     : 42.el5                        Build Date: Tue 19 May 2009 10:36:44 PM PHT
Install Date: Fri 09 Apr 2010 12:39:42 PM PHT      Build Host: hs20-bc2-5.build.redhat.com
Group       : System Environment/Daemons    Source RPM: nfs-utils-1.0.9-42.el5.src.rpm
Size        : 768535                           License: GPL
Signature   : DSA/SHA1, Mon 27 Jul 2009 10:32:30 PM PHT, Key ID 5326810137017186
Packager    : Red Hat, Inc.
Summary     : NFS utlilities and supporting clients and daemons for the kernel NFS server.
Description :
The nfs-utils package provides a daemon for the kernel NFS server and
related tools, which provides a much higher level of performance than the
traditional Linux NFS server used by most users.

This package also contains the showmount program.  Showmount queries the
mount daemon on a remote host for information about the NFS (Network File
System) server on the remote host.  For example, showmount can display the
clients which are mounted on that host.

This package also contains the mount.nfs and umount.nfs program.

[root@nfs00 ~]# rpm -qi fs-utils-lib-1.0.8-7.6.el5
package fs-utils-lib-1.0.8-7.6.el5 is not installed
[root@base ~]# rpm -qi nfs-utils-lib-1.0.8-7.6.el5
Name        : nfs-utils-lib                Relocations: (not relocatable)
Version     : 1.0.8                             Vendor: Red Hat, Inc.
Release     : 7.6.el5                       Build Date: Tue 03 Mar 2009 11:27:15 PM PHT
Install Date: Fri 09 Apr 2010 12:36:33 PM PHT      Build Host: ls20-bc1-14.build.redhat.com
Group       : System Environment/Libraries   Source RPM: nfs-utils-lib-1.0.8-7.6.el5.src.rpm
Size        : 105265                           License: GPL
Signature   : DSA/SHA1, Mon 27 Jul 2009 07:09:34 PM PHT, Key ID 5326810137017186
Packager    : Red Hat, Inc.
URL         : http://www.citi.umich.edu/projects/nfsv4/linux/
Summary     : Network File System Support Library
Description :
Support libaries that are needed by the commands and
daemons the nfs-utils rpm.


We need to move the CD/DVD installer ISO to the /var/ftp/pub directory.

[root@nfs00 ~]# mv rhel-server-5.4-i386-dvd.iso /var/ftp/pub/

Then add the directory tree that is intended to be shared to the exports configuration file.

[root@nfs00 ~]# echo "/var/ftp/pub/ *(ro,no_root_squash)" >> /etc/exports 

Start the NFS service.

[root@nfs00 ~]# /etc/init.d/nfs start
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]
[root@nfs00 ~]# 

Check that the exported directory is correct.

[root@nfs00 ~]# exportfs 
/var/ftp/pub  

Now we are ready to install the OS on a new machine via NFS.

And oh, finally, we need to make sure that our NFS service starts every time the server boots.

[root@nfs00 ~]# chkconfig --level 345 nfs on
[root@nfs00 ~]# chkconfig --list nfs 
nfs             0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@nfs00 ~]# 
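
The exports line added above, `/var/ftp/pub/ *(ro,no_root_squash)`, lets any host that can reach the server mount the share and lets a remote root keep uid 0 on it; neither is needed to serve read-only install media. An audit function for an exports file, as an added example that is not part of the original post (the function name is hypothetical and the sample file is constructed):

```shell
# Added example (not from the original post): flag "*" client lists and
# no_root_squash in an exports file. Function name is hypothetical.

# check_exports FILE: print one finding per line; return 1 if anything was found.
check_exports() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }           # comments and blank lines
    NF == 1 {                                       # bare path: exportfs treats this as "*"
      print $1 ": no client list, any host may mount"; bad = 1; next
    }
    {
      for (i = 2; i <= NF; i++) {
        spec = $i; host = spec; opts = ""
        p = index(spec, "(")
        if (p > 0) {                                # split client(options)
          host = substr(spec, 1, p - 1)
          opts = substr(spec, p + 1); sub(/\)$/, "", opts)
        }
        if (host == "*" || host == "") {
          print $1 ": exported to any host (" spec ")"; bad = 1
        }
        # Remote root keeps uid 0 on the export; unnecessary for read-only install media.
        if (index("," opts ",", ",no_root_squash,") > 0) {
          print $1 ": no_root_squash for " (host == "" ? "any host" : host); bad = 1
        }
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Demo on a constructed exports file; the first line is the one from the post,
# the second is the restricted form for a 192.168.1.0/24 install network.
demo=$(mktemp)
printf '/var/ftp/pub/ *(ro,no_root_squash)\n/var/ftp/pub/ 192.168.1.0/24(ro,sync)\n' > "$demo"
if check_exports "$demo"; then echo "exports look fine"; else echo "fix the lines above"; fi
rm -f "$demo"
# On the server: check_exports /etc/exports
```

For the install server in this post, `/var/ftp/pub/ 192.168.1.0/24(ro,sync)` (with the subnet the machines being installed actually live on) does the same job and passes the check; run `exportfs -ra` after changing the file.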

Thursday, April 8, 2010

Switching SELinux ON/OFF

What is SELinux?

From the FAQ

SELinux is an implementation of mandatory access controls (MAC) on Linux. Mandatory access controls allow an administrator of a system to define how applications and users can access different resources such as files, devices, networks and inter-process communication.

With SELinux an administrator can differentiate a user from the applications a user runs. For example, the user shell or GUI may have access to do anything he wants with his home directory but if he runs a mail client the client may not be able to access different parts of the home directory, such as his ssh keys.

The way that an administrator sets these permissions is with the centralized SELinux policy. The policy tells the system how different components on the system can interact and use resources. The policy typically comes from your distribution but it can be updated on the end system to reflect different configurations or application behavior.

That just sounds fantastique! But if you don't really understand it, it may be a bit hard to manage. In that case, you can always enable and disable SELinux on your RHEL system with the commands below.

Verify the state of SELinux on the RHEL system.

[root@base ~]# getenforce 
Enforcing
[root@base ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

The output above shows that SELinux is enabled and the current mode is "enforcing" on the RHEL system. If the administrator is not familiar with SELinux, this may cause issues with certain applications or services, which may fail to start. So we may need to disable SELinux "temporarily" for now.

We may first try setting the SELinux mode to "permissive" and retry any failing applications or services.

[root@base ~]# echo 0 >/selinux/enforce

[root@base ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

NOTE: The effect of the command above will not persist after a reboot, so if it already fixes the application/service issues, we can now edit the SELinux configuration file so that the setting persists across reboots.

[root@base ~]# vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX= permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

Once the SELINUX= permissive parameter is set, we can reboot the server, or just leave the system alone until its next necessary reboot, when the new setting will be applied automatically.
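
The sestatus output after the echo above shows "Current mode: permissive" next to "Mode from config file: enforcing". That split is exactly what a check should look for on a fleet: a box whose running mode no longer matches /etc/selinux/config was changed by hand since boot, whether by you or by someone else, and permissive mode still records every denial in the audit log, so the mismatch is visible rather than silent. A small check, as an added example that is not part of the original post (the function name is hypothetical; it reads sestatus output from a file or stdin):

```shell
# Added example (not from the original post): compare the running SELinux mode
# with the one in the config file. Function name is hypothetical.

# selinux_drift [FILE]: print "ok MODE" (return 0), "drift current=X config=Y"
# (return 1) or "disabled" (return 2). With no FILE, read sestatus output from stdin.
selinux_drift() {
  data=$(cat "${1:--}")                        # "-" is stdin: sestatus | selinux_drift
  field() { printf '%s\n' "$data" | sed -n "s/^$1:[[:space:]]*//p"; }
  status=$(field 'SELinux status')
  current=$(field 'Current mode')
  config=$(field 'Mode from config file')
  if [ "$status" != "enabled" ]; then echo "disabled"; return 2; fi
  [ -n "$current" ] && [ -n "$config" ] || { echo "unparsable sestatus output" >&2; return 3; }
  if [ "$current" = "$config" ]; then echo "ok $current"; return 0; fi
  echo "drift current=$current config=$config"
  return 1
}

# Demo on constructed sestatus output matching the post (permissive vs enforcing).
if printf 'SELinux status:                 enabled\nCurrent mode:                   permissive\nMode from config file:          enforcing\n' | selinux_drift; then
  echo "running mode matches the config file"
else
  echo "running mode was changed since boot"
fi
# On the server: sestatus | selinux_drift
```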

For other Linux systems that don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf if you're using the GRUB boot loader. On the kernel line, add enforcing=0 at the end. For example:

title SE-Linux Test System
        root (hd0,0)
        kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb enforcing=0
        #initrd /boot/initrd-2.4.20-selinux-2003040709.img


Setting up Auto-reply in qmail-ldap

I have a few email account users who will be away for 10 days. These users are part of the sales group and the support group. Emails bound for their respective addresses should be replied to ASAP, even more so if it is a support email that is very urgent. The sender should at least know that the email was received, but that replies may take some time because the recipient is still on the air, in a meeting, in training, on leave, etc.

On my Qmail-LDAP mail server installation, I can configure such an auto-reply in the particular user's LDIF entry as follows:

# dn is a placeholder: substitute the DN of the user's actual entry
dn: <DN of the user's entry>
changetype: modify
add: mailReplyText
mailReplyText: Hi, I am on vacation till 19th April 2010. See you when I am back.
-
delete: deliveryMode
deliveryMode: noprogram
-
add: deliveryMode
deliveryMode: reply

NOTE: Even if you don't set the deliveryMode attribute to reply, the server will reply automatically as long as the mailReplyText attribute is defined in the LDAP entry for the given user.

Wednesday, April 7, 2010

Ethernet Bonding (Linux)

Bonding ethernet channels in Linux is easy. With the right configuration and hardware, it can be done in minutes.

In this example, I have a 4-port Intel Gigabit card and I wanted to utilize it together with my network switch's LACP/LAG capability. Let's assume the network switch side is already configured so that its ports use LACP/LAG.

Below are the steps to configure Ethernet channel bonding/teaming on the RHEL 4.3 server that hosts my Samba file server.


Edit the /etc/modprobe.conf file and add the bonding kernel module and its mode.

# vi /etc/modprobe.conf

#regular network card (built-in)
alias eth0 e1000
alias eth1 e1000
#the bond interface 
alias bond0 bonding
#bond interface mode. mode=4 (802.3ad/link aggregation)
options bond0 mode=4 miimon=100 
#Intel 4 port Gigabit ethernet card
alias eth5 e1000
alias eth3 e1000
alias eth4 e1000
alias eth2 e1000
alias scsi_hostadapter ahci
alias usb-controller ehci-hcd
alias usb-controller1 uhci-hcd


Now edit /etc/sysconfig/network-scripts/ifcfg-ethX (where X is each of the Ethernet ports that will be part of the bond0 LACP interface).

# vi /etc/sysconfig/network-scripts/ifcfg-eth2

DEVICE=eth2
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
TYPE=Ethernet


We don't want to edit every single file by hand, as that is boring and error-prone, so copy the eth2 file and fix the DEVICE= line in each copy:

# for i in {3..5} ; do cp /etc/sysconfig/network-scripts/ifcfg-eth2 /etc/sysconfig/network-scripts/ifcfg-eth$i ; done

# for i in {3..5} ; do sed -i "s/DEVICE=eth2/DEVICE=eth$i/g" /etc/sysconfig/network-scripts/ifcfg-eth$i ; done


Now create the bond0 interface configuration file.

# vi /etc/sysconfig/network-scripts/ifcfg-bond0

DEVICE=bond0
IPADDR=192.168.1.30
NETWORK=192.168.1.0
NETMASK=255.255.255.0
USERCTL=no
BOOTPROTO=none
ONBOOT=yes
TYPE=Ethernet


Load the bonding kernel module.

# modprobe bonding

Now bring up the bond0 interface.

# ifup bond0


Verify the bond0 interface.

# cat /proc/net/bonding/bond0 
Ethernet Channel Bonding Driver: v2.6.1 (October 29, 2004)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

802.3ad info
LACP rate: slow
Active Aggregator Info:
        Aggregator ID: 1
        Number of ports: 1
        Actor Key: 17
        Partner Key: 1
        Partner Mac Address: 00:00:00:00:00:00

Slave Interface: eth2
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:15:17:6a:c1:e4
Aggregator ID: 1

Slave Interface: eth3
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:15:17:6a:c1:e5
Aggregator ID: 2

Slave Interface: eth4
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:15:17:6a:c1:e6
Aggregator ID: 3

Slave Interface: eth5
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:15:17:6a:c1:e7
Aggregator ID: 4


You can now try transferring files to/from the Samba server's shared folders; while the transfer is in progress, try unplugging network cables that are part of the bond/LACP/LAG on the network switch or on the configured 4-port Intel Ethernet card.
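
Before the pull-the-cable test, the /proc/net/bonding/bond0 output above already tells a story: the active aggregator has "Number of ports: 1" and a partner MAC of 00:00:00:00:00:00, and eth3, eth4 and eth5 sit in aggregators 2, 3 and 4 rather than in aggregator 1 with eth2. That is the classic picture of a mode=4 bond whose switch side is not negotiating LACP (or has not finished doing so): only one link carries traffic and a cable pull on the others would prove nothing. A check that reads those fields, as an added example that is not part of the original post (the function name is hypothetical; the sample is a constructed excerpt of the post's output):

```shell
# Added example (not from the original post): sanity-check a mode=4 bond from
# /proc/net/bonding/bondN. Function name is hypothetical.

# bond_lacp_check FILE: print one finding per line; return 1 if the bond is degraded.
bond_lacp_check() {
  awk '
    /^Bonding Mode:/           { mode = $0 }
    /^Active Aggregator Info:/ { in_active = 1; next }
    in_active && /Aggregator ID:/       { active_id = $NF; next }
    in_active && /Partner Mac Address:/ { partner = $NF; in_active = 0; next }
    /^Slave Interface:/        { in_active = 0; slave = $NF; next }
    slave != "" && /^Aggregator ID:/ {
      # A slave outside the active aggregator carries no traffic.
      if ($NF != active_id) { print slave ": aggregator " $NF " (active is " active_id ")"; bad = 1 }
      slave = ""
    }
    END {
      if (mode !~ /802\.3ad/) { print "not in 802.3ad mode: " mode; bad = 1 }
      if (partner == "00:00:00:00:00:00") {
        print "no LACP partner (MAC " partner "): switch side not negotiating"; bad = 1
      }
      exit bad + 0
    }
  ' "$1"
}

# Demo on a constructed excerpt of the post's output.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
MII Status: up
Active Aggregator Info:
        Aggregator ID: 1
        Number of ports: 1
        Partner Mac Address: 00:00:00:00:00:00

Slave Interface: eth2
MII Status: up
Aggregator ID: 1

Slave Interface: eth3
MII Status: up
Aggregator ID: 2
EOF
if bond_lacp_check "$demo"; then echo "bond healthy"; else echo "bond degraded, see above"; fi
rm -f "$demo"
# On the server: bond_lacp_check /proc/net/bonding/bond0
```

A healthy 802.3ad bond shows every slave in the active aggregator, "Number of ports" equal to the number of cabled slaves, and the switch's real MAC as the partner address.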

Resetting lost password

If you've ever forgotten your user account's password in OS X, it is still possible to reset or change it. All you need is to remember your username and then reboot your computer. From there it's command-line work.

You should know your username in order to perform the password reset as outlined below. The username is usually your computer name.

Hold Apple+S while booting to enter single-user mode, then enter the commands below.

# sh /etc/rc
# passwd yourusername
# reboot

Note that the process above will reset your keychain if you ever have to use it. Anyway, that is better than no password at all. The flip side is that anyone with physical access to the machine can do the same unless a firmware password is set, which blocks booting into single-user mode without it.

Saturday, April 3, 2010

Adding clamav-milter antivirus headers to emails

Edit /etc/clamav-milter.conf and set the option to "AddHeader Add".

[root@mail ~]# less /etc/clamav-milter.conf

# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an
# "X-Virus-Status" headers will be attached to each processed message, possibly
# replacing existing headers.
# If it is set to Add, the X-Virus headers are added possibly on top of the
# existing ones.
# Note that while "Replace" can potentially break DKIM signatures, "Add" may
# confuse procmail and similar filters.
# Default: no
#AddHeader Replace
AddHeader Add

Restart the clamav-milter daemon after changing the configuration file, then send emails to/from a user on your mail server and check the headers to see whether clamav-milter is already working. This is also one way to check that your clamav-milter integration with your mail server is working correctly. The added headers look like this:

X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.95.3 at mail.example.com
Received: (qmail 49613 invoked by uid 60001); 29 Mar 2010 08:59:04 -0000
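
The comment in the config file spells out the trade-off: "Replace" can break DKIM signatures, while "Add" keeps whatever X-Virus-* headers a message already carried when it arrived, so a downstream filter that just looks for "X-Virus-Status: Clean" anywhere in the headers can be satisfied by a header the sender wrote. A small verdict reader that only trusts the headers added by our own milter, as an added example that is not part of the original post. It assumes, as in the sample above, that the milter's headers sit above the first Received: line; the function name is hypothetical and the sample message is constructed.

```shell
# Added example (not from the original post): read the clamav-milter verdict from
# a message's header block. Function name is hypothetical.

# virus_header_verdict MSGFILE OURHOST: print "clean", "infected ...", "unscanned"
# or "suspicious ...". Return 0 only for a clean verdict from our own scanner.
virus_header_verdict() {
  awk -v host="$2" '
    { sub(/\r$/, "") }
    /^$/     { exit }                              # blank line ends the header block
    /^[ \t]/ { next }                              # folded continuation line
    /^X-Virus-Status:/ {
      n_status++
      # The topmost header is the one our milter prepended; remember only that one.
      if (n_status == 1) { sub(/^X-Virus-Status:[ \t]*/, ""); verdict = tolower($0) }
      next
    }
    /^X-Virus-Scanned:/ && index($0, "clamav-milter") && index($0, " at " host) { scanned = 1; next }
    END {
      if (!scanned || verdict == "") { print "unscanned"; exit 1 }
      # Two X-Virus-Status headers means one was already on the message when it arrived.
      if (n_status > 1) { print "suspicious: " n_status " X-Virus-Status headers, topmost is " verdict; exit 1 }
      print verdict
      exit (verdict == "clean") ? 0 : 1
    }
  ' "$1"
}

# Demo on a constructed message carrying the headers shown above.
demo=$(mktemp)
printf 'X-Virus-Status: Clean\nX-Virus-Scanned: clamav-milter 0.95.3 at mail.example.com\nReceived: (qmail 49613 invoked by uid 60001); 29 Mar 2010 08:59:04 -0000\nSubject: test\n\nbody\n' > "$demo"
virus_header_verdict "$demo" mail.example.com
rm -f "$demo"
```

Anything other than a plain "clean" (an "unscanned" message that never passed through the milter, or a message that arrived with its own X-Virus-Status) is the case worth alerting on.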