Friday, May 25, 2012
Debug
Here's an excellent and short primer on Linux debugging.
http://www.cyberciti.biz/tips/linux-core-dumps.html
Example excerpt-
How Do I Read Core Files?
Use the gdb command as follows:
$ gdb /path/to/application /path/to/corefile
Wednesday, May 16, 2012
WikiMatrix
Looking for a website to sift through the myriad of available wikis? Check out www.wikimatrix.org. No fluff here. Instead, it's a very comprehensive matrix showing how wiki features compare. Great stuff!
Saturday, May 5, 2012
OpenSSL
http://www.madboa.com/geek/openssl/ is a blog that contains really good explanations and examples of how to use OpenSSL.
For example, here's how to base64-encode a text string (this is an encoding, not encryption)-
It’s also possible to do a quick command-line encoding of a string value:
$ echo "encode me" | openssl enc -base64
ZW5jb2RlIG1lCg==
Note that echo will silently attach a newline character to your string. Consider using its -n option if you want to avoid that situation, which could be important if you’re trying to encode a password or authentication string.
$ echo -n "encode me" | openssl enc -base64
ZW5jb2RlIG1l
Use the -d (decode) option to reverse the process.
$ echo "ZW5jb2RlIG1lCg==" | openssl enc -base64 -d
encode me
Thursday, May 3, 2012
Sunday, April 22, 2012
Pvcreate
How to resize existing partitions on a vm.
1)add a new virtual drive to vm within vserver.
2)use fdisk to create a new disk device. type Extended, id 8e, use all space, start cyl.-1 and end with highest cyl.
[root@cms40dev4 ~]# fdisk /dev/sdb
Command (m for help): t
Selected partition 1
Hex code (type L to list codes): 8e
Changed system type of partition 1 to 8e (Linux LVM)
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
[root@cms40dev4 ~]# fdisk /dev/sdb
The number of cylinders for this disk is set to 13054.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)
Command (m for help): p
Disk /dev/sdb: 107.3 GB, 107374182400 bytes
255 heads, 63 sectors/track, 13054 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sdb1 1 13054 104856223+ 8e Linux LVM
Command (m for help): q
3)confirm os sees new hd
[root@cms40dev4 ~]# ls -l /dev/sd*
brw-r----- 1 root disk 8, 0 Apr 11 01:55 /dev/sda
brw-r----- 1 root disk 8, 1 Apr 11 01:56 /dev/sda1
brw-r----- 1 root disk 8, 2 Apr 11 01:55 /dev/sda2
brw-r----- 1 root disk 8, 16 Apr 12 12:31 /dev/sdb
brw-r----- 1 root disk 8, 17 Apr 12 12:31 /dev/sdb1
4)create one, new big phys. volume
[root@cms40dev4 ~]# pvcreate /dev/sdb1
Physical volume "/dev/sdb1" successfully created
Check it-
[root@cms40dev4 ~]# pvscan
PV /dev/sda2 VG VolGroup00 lvm2 [49.75 GB / 0 free]
PV /dev/sdb1 lvm2 [100.00 GB]
Total: 2 [149.75 GB] / in use: 1 [49.75 GB] / in no VG: 1 [100.00 GB]
5)extend existing vol grp with new one.
[root@cms40dev4 ~]# vgextend VolGroup00 /dev/sdb1
Volume group "VolGroup00" successfully extended
[root@cms40dev4 ~]# pvscan
PV /dev/sda2 VG VolGroup00 lvm2 [49.75 GB / 0 free]
PV /dev/sdb1 VG VolGroup00 lvm2 [99.97 GB / 99.97 GB free]
Total: 2 [149.72 GB] / in use: 2 [149.72 GB] / in no VG: 0 [0 ]
6)extend each partition as needed using free space
[root@cms40dev4 ~]# lvextend -L 45000M /dev/VolGroup00/LogVol02
Rounding up size to full physical extent 43.97 GB
Extending logical volume LogVol02 to 43.97 GB
Logical volume LogVol02 successfully resized
[root@cms40dev4 ~]# lvextend -l +100%FREE /dev/VolGroup00/LogVol03
Extending logical volume LogVol03 to 100.91 GB
Logical volume LogVol03 successfully resized
Check it
[root@cms40dev4 ~]# lvscan
ACTIVE '/dev/VolGroup00/LogVol02' [43.97 GB] inherit
ACTIVE '/dev/VolGroup00/LogVol03' [100.91 GB] inherit
ACTIVE '/dev/VolGroup00/LogVol00' [2.91 GB] inherit
ACTIVE '/dev/VolGroup00/LogVol01' [1.94 GB] inherit
7)expand both partition's file systems to match the larger partition sizes.
[root@cms40dev4 ~]# /sbin/resize2fs /dev/VolGroup00/LogVol03
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/VolGroup00/LogVol03 is mounted on /opt; on-line resizing required
Performing an on-line resize of /dev/VolGroup00/LogVol03 to 26451968 (4k) blocks.
The filesystem on /dev/VolGroup00/LogVol03 is now 26451968 blocks long.
[root@cms40dev4 ~]# /sbin/resize2fs /dev/VolGroup00/LogVol02
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/VolGroup00/LogVol02 is mounted on /; on-line resizing required
Performing an on-line resize of /dev/VolGroup00/LogVol02 to 11526144 (4k) blocks.
The filesystem on /dev/VolGroup00/LogVol02 is now 11526144 blocks long.
[root@cms40dev4 ~]# pvscan
PV /dev/sda2 VG VolGroup00 lvm2 [49.75 GB / 0 free]
PV /dev/sdb1 VG VolGroup00 lvm2 [99.97 GB / 0 free]
Total: 2 [149.72 GB] / in use: 2 [149.72 GB] / in no VG: 0 [0 ]
[root@cms40dev4 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol02
43G 3.7G 37G 10% /
/dev/mapper/VolGroup00-LogVol03
98G 35G 59G 38% /opt
/dev/mapper/VolGroup00-LogVol00
2.9G 70M 2.7G 3% /tmp
/dev/sda1 244M 20M 211M 9% /boot
tmpfs 3.9G 0 3.9G 0% /dev/shm
Friday, April 13, 2012
Just-Ping
http://www.just-ping.com/ is a useful tool. It quickly checks whether remote hosts are responding to ICMP ping checks.
Sunday, April 1, 2012
Iptables
Use the following to harden any CentOS install by configuring iptables.
http://wiki.centos.org/HowTos/OS_Protection#head-b3126b7267f04dc869a18f3547468727e82308d1
Beefing up IPTables
The default iptables ruleset in CentOS is a little too lenient. The policy defaults are to allow traffic, there are open ports, and no real accountability for the traffic. We can do a better job.
Open up /etc/sysconfig/iptables in a text editor, and let's have a look. In the first 3 lines, there are already two problems. The INPUT and FORWARD tables are set to accept everything. Further down we see that ports 50, 51, 5353, 631 and 22 are open. Now port 22 I don't have a problem with. The rest of them need to go, unless you want mDNS, cups, and ipsec talking to the outside world. I generally don't like strangers using my printer.
There's also no real logging of any malicious scanning or other unsavory behavior. A stronger ruleset might look like this:
#Drop anything we aren't explicitly allowing. All outbound traffic is okay
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# Log anything on eth0 claiming it's from a local or non-routable network
# If you're using one of these local networks, remove it from the list below
# These rules sit ahead of the jump into RH-Firewall-1-INPUT: that chain ends in DROP,
# so INPUT rules placed after the jump are never evaluated
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Accept Pings
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Accept any established connections
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept ssh traffic. Restrict this to known ips if possible.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#Log and drop everything else
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
Now arguably since we're responding to pings, dropping the traffic instead of rejecting it isn't fooling anyone. It's really personal preference. If you would rather reject the traffic, you could change the last line before COMMIT to read this way instead:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
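iptables evaluates a chain's rules in order, so where a LOG rule sits relative to a jump decides whether it ever fires. The following is an added example, not code from the CentOS wiki or this blog: a Python check that reads iptables-save style text and reports rules placed after an unconditional jump into a chain that always ends in a verdict. The function names and the sample ruleset are constructed for illustration, and `-g` (goto) rules are not handled.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end chain traversal

# Constructed sample: the spoof LOG rule is appended to INPUT after the jump.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
"""

def parse_rules(text):
    """Map chain -> [(line_no, target, unconditional, raw)] for each -A rule."""
    chains = {}
    for n, line in enumerate(text.splitlines(), 1):
        tok = shlex.split(line, comments=True)
        if len(tok) < 4 or tok[0] != "-A" or "-j" not in tok:
            continue  # comments, *table, :policy, COMMIT, rules without -j
        j = tok.index("-j")
        # No match options between the chain name and -j: the rule hits every packet.
        chains.setdefault(tok[1], []).append((n, tok[j + 1], j == 2, line.strip()))
    return chains

def never_returns(chain, chains, seen=()):
    """True if every packet entering `chain` meets an unconditional verdict."""
    if chain in seen:
        return False  # guard against jump loops
    return any(uncond and (target in TERMINAL or never_returns(target, chains, seen + (chain,)))
               for _, target, uncond, _ in chains.get(chain, []))

def dead_rules(text):
    """Return [(line_no, rule)] for rules that no packet can ever reach."""
    chains, dead = parse_rules(text), []
    for rules in chains.values():
        cut = False  # set once an earlier rule consumes every packet
        for n, target, uncond, raw in rules:
            if cut:
                dead.append((n, raw))
            elif uncond and (target in TERMINAL or never_returns(target, chains)):
                cut = True
    return sorted(dead)
```

Calling `dead_rules(SAMPLE)` reports line 6, the spoof LOG rule; moving that rule ahead of the jump makes the report empty.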