Archive | March 2, 2014

User and Group Disk Quota on UNIX / Linux


On Linux, you can set up disk quota using one of the following methods:

File system based disk quota allocation

User or group based disk quota allocation


On the user or group based quota, the following are three important factors to consider:

Hard limit – For example, if you specify 2GB as the hard limit, the user will not be able to create new files after reaching 2GB.

Soft limit – For example, if you specify 1GB as the soft limit, the user will get the warning message “disk quota exceeded” once they reach the 1GB limit, but they will still be able to create new files until they reach the hard limit.

Grace Period – For example, if you specify 10 days as the grace period, after a user reaches their hard limit they are allowed an additional 10 days to create new files. In that time period, they should try to get back under the quota limit.

Required Packages:

quota-devel-3.17-20.el6.i686

quota-3.17-20.el6.i686

Configuration files:

/etc/quotagrpadmins

/etc/quotatab

/etc/sysconfig/quota_nld

/etc/warnquota.conf

/etc/fstab

Commands:

quota – display disk usage and limits

rquota – implement quotas on remote machines

fstab – static information about the filesystems

edquota – edit user quotas

setquota – set disk quotas (Command line editor)

quotacheck – scan a filesystem for disk usage, create, check and repair quota files

quotaon – turn filesystem quotas on

quotaoff – turn filesystem quotas off

repquota – produce a summary of quota information for a file system

convertquota – convert quota from old file format to new one. Convert quota.user to aquota.user

quotactl – manipulate disk quotas (C programmer interface)

Enter Single-User Mode

As you will need to remount the /home filesystem, make sure that no other users or processes are using it by first entering single-user mode from the console. If you are certain that you are the only user on the system, you may be able to skip this step. Entering single-user mode logs off all users and stops cron jobs, so in a business environment wait until after hours to do this. The procedure is quick:

1) Use the who command to see which users are logged in. If anyone besides yourself is logged in, send a message stating that the system is about to shut down with the wall command:

[root@bigboy tmp]# who

root     pts/0        Nov  6 14:46 (192-168-1-242.my-site.com)

bob      pts/0        Nov  6 12:01 (192-168-1-248.my-site.com)

bunny    pts/0        Nov  6 16:25 (192-168-1-250.my-site.com)

[root@bigboy tmp]# wall The system is shutting down now!

Broadcast message from root (pts/0) (Sun Nov  7 15:04:27 2004):

The system is shutting down now!

[root@bigboy tmp]#

2) Log into the VGA console and enter single user mode.

[root@bigboy tmp]# init 1

1. Enable quota check on filesystem

First, specify which filesystems are subject to quota checking.

Modify /etc/fstab and add the keywords usrquota and grpquota to the mount options of the filesystem that you would like to monitor.

The following example shows both user and group quota checking enabled on the /home filesystem:

# cat /etc/fstab

LABEL=/home    /home   ext2   defaults,usrquota,grpquota  1 2

Reboot the server after the above change.

2. Initial quota check on Linux filesystem using quotacheck

Once you have enabled disk quota checking on the filesystem, collect the initial quota information as shown below.

# quotacheck -avug

quotacheck: Scanning /dev/sda3 [/home] done

quotacheck: Checked 5182 directories and 31566 files

quotacheck: Old file not found.

quotacheck: Old file not found.

In the above command:

a: Check all quota-enabled filesystems

v: Verbose mode

u: Check user disk quotas

g: Check group disk quotas

The above command creates the aquota.user and aquota.group quota files in the root directory of the filesystem, as shown below.

# ls -l /home/
-rw-------    1 root     root        11264 Jun 21 14:49 aquota.user
-rw-------    1 root     root        11264 Jun 21 14:49 aquota.group

3. Assign disk quota to a user using edquota command

Use the edquota command as shown below to edit the quota information for a specific user.

For example, to change the disk quota for the user ‘ramesh’, run edquota, which opens the current soft and hard limit values in an editor as shown below.

# edquota ramesh
Disk quotas for user ramesh (uid 500):
  Filesystem           blocks       soft       hard     inodes     soft     hard
  /dev/sda3           1419352          0          0       1686        0        0

Once edquota has opened the quota settings for the user in the editor, you can set the following limits:

soft and hard limits on the disk space used by the user.

soft and hard limits on the total number of inodes allowed for the user.

4. Report the disk quota usage for users and group using repquota

Use the repquota command as shown below to report the disk quota usage for the users and groups.

# repquota /home
*** Report for user quotas on device /dev/sda3
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  566488       0       0           5401     0     0
nobody    --    1448       0       0             30     0     0
ramesh    -- 1419352       0       0           1686     0     0
john      --   26604       0       0            172     0     0

5. Add quotacheck to daily cron job

Add quotacheck to the daily cron jobs. Create a quotacheck file under the /etc/cron.daily directory as shown below; it runs the quotacheck command every day and sends the command's output to the root email address.

# cat /etc/cron.daily/quotacheck
quotacheck -avug
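Steps 1 to 5 above, as an added example that is not part of the original page: a non-interactive version of the procedure using setquota (listed under Commands) in place of the edquota editor, plus three checks that run offline on captured text: the logged-in-users check to do before init 1, the /etc/fstab mount-option check, and a scan of repquota output for users who are over a soft limit (the condition warnquota mails about). The who, fstab and repquota samples are constructed for this example, since the page's own repquota output has no limits set; the mount point, device and user names follow the page, and the 1048576/2097152 block limits are made-up values. Two caveats a practitioner wants here: as the quota tools implement it, the grace period shown in the repquota header ("Block grace time: 7days") starts when a user exceeds the soft limit, and once it expires the soft limit is enforced like the hard limit; and the page never runs quotaon, which is required before any limit takes effect.

```shell
#!/bin/sh
# Added example, not from the original page. Offline checks for the quota
# procedure above plus the non-interactive setup commands (setup_quota).

# --- Pre-check before `init 1`: users other than $1 in `who` output (stdin).
# Usage: who | other_users "$(whoami)"
other_users() {
    awk -v me="$1" 'NF > 0 && $1 != me { print $1 }' | sort -u
}

# --- Does the /etc/fstab entry (stdin) for mount point $1 carry usrquota and grpquota?
# Returns 0 when both options are present, 1 otherwise.
fstab_has_quota() {
    awk -v mp="$1" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp && $4 ~ /(^|,)usrquota(,|$)/ && $4 ~ /(^|,)grpquota(,|$)/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# --- Users over a soft limit in `repquota` output (stdin). Columns: user, flags,
# blocks used/soft/hard, [block grace], inodes used/soft/hard, [inode grace].
# A "+" in the first flag position means the block grace column is present,
# which shifts the inode columns right by one.
users_over_soft() {
    awk '
        $2 ~ /^[-+][-+]$/ {
            iu = 6 + (substr($2, 1, 1) == "+" ? 1 : 0)      # column of "inodes used"
            if ($4 + 0 > 0 && $3 + 0 > $4 + 0)
                print $1 " blocks " $3 "/" $4
            if ($(iu + 1) + 0 > 0 && $iu + 0 > $(iu + 1) + 0)
                print $1 " inodes " $iu "/" $(iu + 1)
        }'
}

# --- The procedure itself (needs root and the quota package; not run by the
# checks below). setquota takes: block soft, block hard, inode soft, inode hard,
# in 1K blocks and inodes, 0 meaning "no limit". The limits are made-up values.
setup_quota() {
    fs=$1; user=$2                         # e.g. setup_quota /home ramesh
    quotacheck -vug "$fs"                  # builds aquota.user / aquota.group
    quotaon -vug "$fs"                     # enforce; the page omits this step
    setquota -u "$user" 1048576 2097152 0 0 "$fs"
    repquota "$fs" | users_over_soft
}

# Constructed samples (not captured from a real system).
SAMPLE_WHO='root     pts/0        Nov  6 14:46 (192-168-1-242.my-site.com)
bob      pts/1        Nov  6 12:01 (192-168-1-248.my-site.com)
bunny    pts/2        Nov  6 16:25 (192-168-1-250.my-site.com)'

SAMPLE_FSTAB='# constructed /etc/fstab
/dev/sda1      /       ext4   defaults                     1 1
LABEL=/home    /home   ext4   defaults,usrquota,grpquota   1 2'

SAMPLE_REPQUOTA='*** Report for user quotas on device /dev/sda3
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  566488       0       0           5401     0     0
ramesh    +- 1419352 1048576 2097152  6days    1686     0     0
john      --   26604  512000 1024000            172     0     0
bunny     -+   12000  512000 1024000           9000  8000 16000  7days'

echo "Other logged-in users:"; printf '%s\n' "$SAMPLE_WHO" | other_users root
if printf '%s\n' "$SAMPLE_FSTAB" | fstab_has_quota /home; then
    echo "/home: usrquota and grpquota present"
fi
echo "Over a soft limit:"; printf '%s\n' "$SAMPLE_REPQUOTA" | users_over_soft
```

The fstab check is worth running from the daily cron job next to quotacheck: a filesystem whose options lost usrquota/grpquota during an edit silently stops being accounted, and nothing else in the procedure reports that.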

RPM (Red Hat Package Manager)

RPM has five basic modes of operation (not including package building)

1.      Installing                      –           i

2.      Upgrading                    –           U

3.      Freshening                   –           F

4.      Uninstalling                 –           e

5.      Querying                      –           q

6.      Verifying                     –           V

7.      Check signature                       –           K

Installing

rpm -i

v          –    Verbose
h          –    Print hash marks as the package archive is unpacked
--force    –    Force the install (implies --replacepkgs, --replacefiles and --oldpackage)
--test     –    Simulate the install; do not install anything
--nodeps   –    Don't check dependencies

Upgrading

rpm -Uvh

--force
--replacepkgs
--replacefiles
--oldpackage

Freshening

rpm -Fvh

Uninstalling

rpm -ev

--force
--nodeps

Querying

rpm -q [options]

a              –    Query all installed packages
c              –    List only configuration files (implies -l)
f              –    Query the package owning a file
d              –    List only documentation files (implies -l)
g              –    Query packages belonging to the group GROUP
p              –    Query an (uninstalled) package file
l              –    List the files in the package
i              –    Display package information
s              –    Display the state of each file (normal, not installed, replaced)
R              –    List the capabilities the package requires
--last         –    Order packages by install time, latest first
--whatprovides –    Query packages providing a capability

Verifying

rpm -V

a        –    Verify all installed packages
p        –    Verify against a package file
f        –    Verify the package owning a file

Check the signature

rpm -Kv

Examples

1.      How to install the rpm package

[root@linux Packages]# rpm -ivh firefox-3.6.24-3.el6_1.x86_64.rpm

warning: firefox-3.6.24-3.el6_1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY

Preparing…                ########################################### [100%]

1:firefox                ########################################### [100%]

2.      How to uninstall the rpm package

[root@linux yum.repos.d]# rpm -ev firefox

3.      How to check the last installed rpm package with time and date

[root@linux Packages]# rpm -qa --last | head

firefox-3.6.24-3.el6_1                        Sun 16 Sep 2012 07:48:07 PM IST

ftp-0.17-51.1.el6                             Sat 15 Sep 2012 09:21:23 AM IST

ypserv-2.19-22.el6                            Sat 15 Sep 2012 08:16:55 AM IST

tree-1.5.3-2.el6                              Sat 15 Sep 2012 08:11:46 AM IST

words-3.0-17.el6                              Fri 20 Jul 2012 03:02:11 AM IST

man-pages-3.22-17.el6                         Fri 20 Jul 2012 03:02:11 AM IST

zd1211-firmware-1.4-4.el6                     Fri 20 Jul 2012 03:02:06 AM IST

xorg-x11-drv-ati-firmware-6.14.2-7.el6        Fri 20 Jul 2012 03:02:06 AM IST

rt73usb-firmware-1.8-7.el6                    Fri 20 Jul 2012 03:02:06 AM IST

rt61pci-firmware-1.2-7.el6                    Fri 20 Jul 2012 03:02:06 AM IST

4.      How to reinstall the package

[root@linux Packages]# rpm -Uvh firefox-3.6.24-3.el6_1.x86_64.rpm

warning: firefox-3.6.24-3.el6_1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY

Preparing…                ########################################### [100%]

package firefox-3.6.24-3.el6_1.x86_64 is already installed

[root@linux Packages]# rpm -Uvh --replacepkgs firefox-3.6.24-3.el6_1.x86_64.rpm

warning: firefox-3.6.24-3.el6_1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY

Preparing…                ########################################### [100%]

1:firefox                ########################################### [100%]

5.      Which rpm package does a file belong to?

[root@linux Packages]# rpm -qf /etc/vsftpd/vsftpd.conf

vsftpd-2.2.2-6.el6_0.1.x86_64

6.      Locate the documentation of a package file, or of the package that owns a file, using rpm -qdp and rpm -qdf

[root@linux Packages]# rpm -qdp firefox-3.6.24-3.el6_1.x86_64.rpm

warning: firefox-3.6.24-3.el6_1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY

/usr/lib64/firefox-3.6/LICENSE

/usr/lib64/firefox-3.6/README.txt

/usr/share/man/man1/firefox.1.gz

[root@linux Packages]# rpm -qdf /usr/bin/createrepo

/usr/share/doc/createrepo-0.9.8/COPYING

/usr/share/doc/createrepo-0.9.8/ChangeLog

/usr/share/doc/createrepo-0.9.8/README

/usr/share/man/man1/mergerepo.1.gz

/usr/share/man/man1/modifyrepo.1.gz

/usr/share/man/man8/createrepo.8.gz

7.       How to check the configuration files

[root@linux Packages]# rpm -Kv vsftpd-2.2.2-6.el6_0.1.x86_64.rpm

vsftpd-2.2.2-6.el6_0.1.x86_64.rpm:

Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY

Header SHA1 digest: OK (8005076799a57ab5c13045b5dd0c2aa890c8ac03)

V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY

MD5 digest: OK (25e1511c9e217d9d345dd2fb5f92503d)

8.      Information about an installed RPM package or a package file using rpm -qi, rpm -qip and rpm -qfi

[root@linux ~]# rpm -qi vsftpd

Name        : vsftpd                       Relocations: (not relocatable)

Version     : 2.2.2                             Vendor: Red Hat, Inc.

Release     : 6.el6_0.1                     Build Date: Fri 04 Mar 2011 03:35:10 PM IST

Install Date: Thu 19 Jul 2012 09:58:04 PM IST      Build Host: hs20-bc2-3.build.redhat.com

Group       : System Environment/Daemons    Source RPM: vsftpd-2.2.2-6.el6_0.1.src.rpm

Size        : 338480                           License: GPLv2 with exceptions

Signature   : RSA/8, Wed 09 Mar 2011 07:39:28 PM IST, Key ID 199e2f91fd431d51

Packager    : Red Hat, Inc.

URL         : http://vsftpd.beasts.org/

Summary     : Very Secure Ftp Daemon

Description :

vsftpd is a Very Secure FTP daemon. It was written completely from

scratch.

[root@linux ~]# cd /var/ftp/pub/rhel6.2/Packages/

[root@linux Packages]# rpm -qip vsftpd-2.2.2-6.el6_0.1.x86_64.rpm

warning: vsftpd-2.2.2-6.el6_0.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY

Name        : vsftpd                       Relocations: (not relocatable)

Version     : 2.2.2                             Vendor: Red Hat, Inc.

Release     : 6.el6_0.1                     Build Date: Fri 04 Mar 2011 03:35:10 PM IST

Install Date: (not installed)               Build Host: hs20-bc2-3.build.redhat.com

Group       : System Environment/Daemons    Source RPM: vsftpd-2.2.2-6.el6_0.1.src.rpm

Size        : 338480                           License: GPLv2 with exceptions

Signature   : RSA/8, Wed 09 Mar 2011 07:39:28 PM IST, Key ID 199e2f91fd431d51

Packager    : Red Hat, Inc.

URL         : http://vsftpd.beasts.org/

Summary     : Very Secure Ftp Daemon

Description :

vsftpd is a Very Secure FTP daemon. It was written completely from

scratch.

9.      Verify a particular RPM package file using rpm -Vp

[root@linux Packages]# rpm -Vp firefox-3.6.24-3.el6_1.x86_64.rpm

warning: firefox-3.6.24-3.el6_1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY

10.  How to check the signature

[root@linux Packages]# rpm -Kv vsftpd-2.2.2-6.el6_0.1.x86_64.rpm

vsftpd-2.2.2-6.el6_0.1.x86_64.rpm:

Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY

Header SHA1 digest: OK (8005076799a57ab5c13045b5dd0c2aa890c8ac03)

V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY

MD5 digest: OK (25e1511c9e217d9d345dd2fb5f92503d)

11.  How to check the dependency rpm

[root@linux Packages]# rpm -qRp createrepo-0.9.8-4.el6.noarch.rpm

warning: createrepo-0.9.8-4.el6.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY

/bin/sh

/usr/bin/env

/usr/bin/python

deltarpm

libxml2-python

python >= 2.1

python(abi) = 2.6

python-deltarpm

rpm >= 4.1.1

rpm-python

rpmlib(CompressedFileNames) <= 3.0.4-1

rpmlib(FileDigests) <= 4.6.0-1

rpmlib(PartialHardlinkSets) <= 4.0.4-1

rpmlib(PayloadFilesHavePrefix) <= 4.0-1

yum >= 3.2.23-10

yum-metadata-parser

rpmlib(PayloadIsXz) <= 5.2-1
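The "NOKEY" lines in examples 1, 7 and 10 above mean that rpm found a signature but has no public key to verify it against, so the package's origin has not actually been checked, and the install in example 1 went ahead anyway. As an added example (not from the original page), the shell functions below parse rpm -Kv output and treat NOKEY as a failed verification, and show the commands that turn NOKEY into OK by importing the vendor key. The NOKEY sample is the page's own output from example 10; the "OK" and tampered samples are constructed by substituting those results into it, and the wording "BAD" / "NOT OK" for a failed check is an assumption. The key path /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release is where RHEL 6 ships its release key.

```shell
#!/bin/sh
# Added example, not from the original page: gate on `rpm -Kv` output so that a
# NOKEY result is treated as "not verified" rather than as success.

# rpm_sig_ok: read `rpm -Kv <pkg>` output on stdin.
#   0 = a signature line reports OK and nothing reports NOKEY/BAD
#   1 = key missing (NOKEY) or no signature line was checked at all
#   2 = a signature or digest is reported bad ("BAD"/"NOT OK" wording assumed)
rpm_sig_ok() {
    awk '
        /NOKEY/                 { missing = 1 }
        /BAD/ || /NOT OK/       { bad = 1 }
        /[Ss]ignature.*: OK/    { sig = 1 }
        END { if (bad) exit 2; if (missing || !sig) exit 1; exit 0 }'
}

# verify_package <pkg.rpm>: what an operator runs on the box (needs rpm; not
# executed by the offline checks below). Importing the vendor key is what turns
# NOKEY into OK; `rpm -q gpg-pubkey` lists the keys rpm currently trusts.
verify_package() {
    rpm -q gpg-pubkey --qf '%{version}-%{release} %{summary}\n'
    rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release     # RHEL 6 release key
    rpm -Kv "$1" | rpm_sig_ok
}

# The page's own output (example 10): signature present, key not imported.
PAGE_NOKEY='vsftpd-2.2.2-6.el6_0.1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
    Header SHA1 digest: OK (8005076799a57ab5c13045b5dd0c2aa890c8ac03)
    V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
    MD5 digest: OK (25e1511c9e217d9d345dd2fb5f92503d)'

# Constructed: the same package after `rpm --import` of the matching key.
KEY_OK='vsftpd-2.2.2-6.el6_0.1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID fd431d51: OK
    Header SHA1 digest: OK (8005076799a57ab5c13045b5dd0c2aa890c8ac03)
    V3 RSA/SHA256 Signature, key ID fd431d51: OK
    MD5 digest: OK (25e1511c9e217d9d345dd2fb5f92503d)'

# Constructed: a modified package file (wording of the failure lines assumed).
TAMPERED='vsftpd-2.2.2-6.el6_0.1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID fd431d51: OK
    Header SHA1 digest: OK (8005076799a57ab5c13045b5dd0c2aa890c8ac03)
    V3 RSA/SHA256 Signature, key ID fd431d51: BAD
    MD5 digest: BAD Expected(25e1511c9e217d9d345dd2fb5f92503d) != (00000000000000000000000000000000)'

# sig_verdict <rpm -Kv output>: print the result of rpm_sig_ok as a phrase.
sig_verdict() {
    rc=0
    printf '%s\n' "$1" | rpm_sig_ok || rc=$?
    case $rc in
        0) echo "verified" ;;
        1) echo "not verified (missing key or no signature)" ;;
        *) echo "FAILED: bad signature or digest" ;;
    esac
}

echo "page output:   $(sig_verdict "$PAGE_NOKEY")"
echo "key imported:  $(sig_verdict "$KEY_OK")"
echo "tampered file: $(sig_verdict "$TAMPERED")"
```

The digest lines ("Header SHA1 digest: OK", "MD5 digest: OK") only prove the file was not corrupted in transit; they say nothing about who built it, which is why the check insists on a signature line reporting OK.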

Review Questions

1. What two commands are used for package management?

2. What are the three modes in which the rpm command can operate?

3. What option would you use to query an installed package using the rpm command?

4. How would you install a group of packages all at a single time?

5. What options with the yum command would you use to remove a package?

6. Where are Yum repository config files located?

7. What command can you use to create your own repositories?

8. What command is used to create an RPM package?

9. What are the five required directories when building RPMS?

10. If a package is built on an RHEL6 system and deployed to a custom RHEL5 repository, are RHEL5 systems able to use it?

Answers to Review Questions

1. The yum and rpm commands are used for package management.

2. The rpm command can operate in install, query, or verify modes.

3. You can use the -q option to query an installed package. Combining grep and the -qa options, you can search among all installed packages on the system.

4. Use the yum groupinstall command to install multiple packages in a single group at once.

5. You can use the remove or erase options with yum to remove a package.

6. Yum repository config files (.repo files) are located in the /etc/yum.repos.d directory. You can also make direct entries into the main /etc/yum.conf file.

7. createrepo

8. rpmbuild

9. The five directories are BUILD, RPMS, SOURCES, SPECS, and SRPMS.

10. No. Red Hat Enterprise Linux 6 uses a different key to sign its packages.

YUM Server and Client Configuration in RHEL 6

Server configuration steps

Yum server IP = 192.168.1.100
Yum server hostname = linux.example.com
Flush the iptables rules and restart the network service:

iptables -L
iptables -F
service iptables save
service iptables restart
service network restart

Step 1: Insert the RHEL 6 CD

[root@server Desktop]# cd /media/RHEL_6.1\ x86_64\ Disc\ 1/Packages/

Yum server required packages

 

[root@server Packages]# rpm -ivh vsftpd*

[root@server Packages]# rpm -ivh deltarpm-3.5-0.5.20090913git.el6.x86_64.rpm

[root@server Packages]# rpm -ivh python-deltarpm-3.5-0.5.20090913git.el6.x86_64.rpm

[root@server Packages]# rpm -ivh createrepo-0.9.8-4.el6.noarch.rpm

Step 2: Check the installed packages

[root@server1 Desktop]# rpm -qa vsftp*
vsftpd-2.2.2-6.el6_0.1.x86_64
[root@server1 Desktop]# rpm -qa deltarpm*
deltarpm-3.5-0.5.20090913git.el6.x86_64
[root@server1 Desktop]# rpm -qa python-deltarpm*
python-deltarpm-3.5-0.5.20090913git.el6.x86_64
[root@server1 Desktop]# rpm -qa createrepo*
createrepo-0.9.8-4.el6.noarch

Step 3: Start the FTP service

 

[root@server Packages]# service vsftpd status

[root@server Packages]# service vsftpd start

[root@server Packages]# service vsftpd status

[root@server Packages]# chkconfig vsftpd on

Step 4: Copy the RHEL 6 DVD content

[root@server Packages]# cd

[root@server ~]# cp -rf /media/RHEL_6.1\ x86_64\ Disc\ 1/       /var/ftp/pub/

[root@server ~]# cd /var/ftp/pub/

[root@server pub]# ls

RHEL_6.1 x86_64 Disc 1

[root@server pub]# mv RHEL_6.1\ x86_64\ Disc\ 1/ rhel6.1

[root@server pub]# ls

rhel6.1

Step 5: Create the repository metadata with createrepo

[root@server ~]# createrepo -v /var/ftp/pub/

[root@server ~]# cd /var/ftp/pub/

[root@server pub]# ls

repodata  rhel6.1

Step 6: Add the package group file with createrepo -g

[root@server repodata]# cp -rf /var/ftp/pub/rhel6.1/repodata/5819e9580b5a81a9eec9e2c6e91fc9992a7ccadaa3bcd5ecb2e87a8669eefcec-comps-rhel6-Server.xml /var/ftp/pub/repodata/

[root@server ~]# createrepo -g /var/ftp/pub/repodata/5819e9580b5a81a9eec9e2c6e91fc9992a7ccadaa3bcd5ecb2e87a8669eefcec-comps-rhel6-Server.xml /var/ftp/pub/

The above command creates the support files necessary for our yum repository; all of them are placed in the repodata subdirectory. The createrepo command creates the following files:

1.      repomd.xml: This file keeps timestamps and checksum values for the three files below.

2.      primary.xml.gz: This file keeps the list of all the RPMs in the repository and their dependency information.

3.      filelists.xml.gz: This file keeps a list of all the files in all the RPMs.

4.      other.xml.gz: This file contains additional information, including the changelogs of the RPMs.

5.      comps*.xml: This file keeps information about package groups, which is what allows group installation.

If we add new RPMs to the repository, we need to repeat the above commands so that createrepo rebuilds the repository and its package group database.

Before re-running createrepo to update the yum database, we need to back up the comps*.xml file. It can be backed up anywhere on the system; in this case we back it up to the /tmp directory:

# cd /var/ftp/pub/Packages/repodata
# cp *comps* /tmp/

Now that the file has been backed up, we update the database: first rebuild the yum repository with createrepo, then re-add the comps*.xml file for the package group database.

# createrepo /var/ftp/pub/Packages/
# createrepo -g /tmp/*comps* /var/ftp/pub/Packages/

 

Step 7 : Create the repo file.

[root@server ~]# vim /etc/yum.repos.d/server.repo

[server]

name=rhel6.1 yum server 64bit

baseurl=file:///var/ftp/pub

enabled=1

gpgcheck=0

gpgcheck   This field tells yum whether to verify the signatures of packages to check their origin: 1 for “Yes” and 0 for “No”.

gpgkey     If you choose 1 or “Yes” for gpgcheck, you need to specify the key used to check the signatures of the packages.

enabled    Either ‘1’ or ‘0’. This tells yum whether or not to use this repository.

[root@server ~]# yum clean all

[root@server ~]# yum makecache

[root@server ~]# yum list all

[root@server ~]# yum grouplist

—————————————————————————————————————————-

Yum client repo configuring

Yum client IP = 192.168.1.101

Yum client hostname = client1.example.com

[root@client~]# vim /etc/yum.repos.d/client.repo

[client]

name=rhel6.1 yum client 64bit

baseurl=ftp://192.168.1.100/pub

enabled=1

gpgcheck=0

 

[root@client~]# yum clean all
[root@client~]# yum makecache
[root@client~]# yum list all
[root@client~]# yum grouplist
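Both repo files above set gpgcheck=0, so yum installs whatever the FTP server hands it without the signature check that the gpgcheck and gpgkey fields describe. As an added example (not from the original page), the shell functions below audit .repo files for that setting and print a hardened version of the client definition with gpgcheck=1 and a gpgkey. The server.repo input is the page's own file. The key locations are assumptions: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release is where RHEL 6 keeps its release key locally, and the ftp:// URL assumes that the RPM-GPG-KEY-redhat-release file from the DVD root was copied along with the rest of the disc into /var/ftp/pub/rhel6.1.

```shell
#!/bin/sh
# Added example, not from the original page: audit yum repo definitions for the
# weak gpgcheck=0 setting and emit a hardened one.

# repo_audit: read a .repo file (or yum.conf) on stdin and print one line per
# section that disables signature checking, leaves it unset, or enables it
# without naming a key. Returns 1 if anything was flagged, 0 otherwise.
repo_audit() {
    awk '
        function report() {
            if (section == "") return
            if (gpgcheck == "")       { print section ": gpgcheck not set"; bad = 1 }
            else if (gpgcheck != "1") { print section ": gpgcheck=" gpgcheck " (package signatures not verified)"; bad = 1 }
            else if (gpgkey == "")    { print section ": gpgcheck=1 but no gpgkey"; bad = 1 }
        }
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*\[/ {
            report()
            section = $0; sub(/^[[:space:]]*\[/, "", section); sub(/\].*$/, "", section)
            gpgcheck = ""; gpgkey = ""
            next
        }
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", key)
            val = substr($0, index($0, "=") + 1);    gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            if (key == "gpgkey")   gpgkey = val
        }
        END { report(); if (bad) exit 1; exit 0 }'
}

# hardened_repo <id> <name> <baseurl> <gpgkey-url>: print a repo definition that
# verifies package signatures against the given key.
hardened_repo() {
    cat <<EOF
[$1]
name=$2
baseurl=$3
enabled=1
gpgcheck=1
gpgkey=$4
EOF
}

# The page's own server.repo.
PAGE_SERVER_REPO='[server]
name=rhel6.1 yum server 64bit
baseurl=file:///var/ftp/pub
enabled=1
gpgcheck=0'

# Assumed key locations (see the lead-in).
SERVER_KEY='file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release'
CLIENT_KEY='ftp://192.168.1.100/pub/rhel6.1/RPM-GPG-KEY-redhat-release'

echo "== audit of the page's server.repo =="
printf '%s\n' "$PAGE_SERVER_REPO" | repo_audit || echo "-> fix: set gpgcheck=1 and a gpgkey"
echo "== hardened server.repo =="
hardened_repo server "rhel6.1 yum server 64bit" file:///var/ftp/pub "$SERVER_KEY"
echo "== hardened client.repo =="
hardened_repo client "rhel6.1 yum client 64bit" ftp://192.168.1.100/pub "$CLIENT_KEY"
echo "== audit of the hardened client file =="
if hardened_repo client "rhel6.1 yum client 64bit" ftp://192.168.1.100/pub "$CLIENT_KEY" | repo_audit; then
    echo "-> nothing flagged"
fi
```

Running `cat /etc/yum.repos.d/*.repo | repo_audit` on the client is a one-line check for the whole directory; yum reads the key named in gpgkey and asks before importing it on first use, so the key file itself should be fetched over a trusted path rather than from the same unauthenticated FTP share the packages come from.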

Iptables

IPTABLES RHEL 6
Netfilter and IPTables
The Linux kernel features a powerful networking subsystem called Netfilter. The Netfilter subsystem provides stateful or stateless packet filtering as well as NAT and IP masquerading services. Netfilter also has the ability to mangle IP header information for advanced routing and connection state management. Netfilter is controlled using the iptables tool.
IPTables is similar to IPChains.
Note:
The IPTables cannot be used if IPChains is already running. If IPChains is present at boot time, the kernel issues an error and fails to start IPTables.
Firewall Configuration Tool
The Firewall Configuration Tool only configures a basic firewall. If the system needs more complex rules, refer to “IPTables” for details on configuring specific iptables rules.
System > Administration > Firewall
system-config-firewall
IPTables Required Package
[root@server1 Desktop]# rpm -qa iptables
iptables-1.4.7-4.el6.x86_64
IPTables service start | stop etc.
/etc/rc.d/init.d/iptables {start|stop|restart|condrestart|status|panic|save}
service iptables {start|stop|restart|condrestart|status|panic|save}
chkconfig iptables on | off | --list
IPTables Configuration File
[root@server1 Desktop]# rpm -qlc iptables
/etc/sysconfig/iptables-config
[root@server1 Desktop]# grep -v '#' /etc/sysconfig/iptables-config
IPTABLES_MODULES="nf_conntrack_ftp"
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
Backup and Restore IPTables
By default, firewall rules are saved in the /etc/sysconfig/iptables or /etc/sysconfig/ip6tables files.
[root@server1 ~]# ll /etc/sysconfig/iptables*
-rw-------. 1 root root  272 Sep 17 19:41 /etc/sysconfig/iptables
-rw-------. 1 root root 1756 Jul 19 21:58 /etc/sysconfig/iptables-config
-rw-------. 1 root root 1740 Jan  7  2011 /etc/sysconfig/iptables-config.old
-rw-------. 1 root root  476 Jul 20 03:03 /etc/sysconfig/iptables.old
-rw-------. 1 root root  184 Sep 17 19:41 /etc/sysconfig/iptables.save
[root@server1 ~]#cp -rf /etc/sysconfig/iptables /etc/sysconfig/iptables.backup
[root@server1 ~]# iptables-restore -c /etc/sysconfig/iptables.backup
Understanding IPTables
The three built-in IPTables tables
Filter – The default table for handling network packets.
Nat – Used to alter packets that create a new connection; used for Network Address Translation.
Mangle – Used for specific types of packet alteration.
Each table has a group of built-in chains, which correspond to the actions performed on the packet by netfilter. There are five predefined chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING.
Filter built-in chains
INPUT — Applies to network packets that are targeted for the host.
OUTPUT — Applies to locally-generated network packets.
FORWARD — Applies to network packets routed through the host.
Nat built-in chains
PREROUTING — Alters network packets when they arrive.
OUTPUT — Alters locally-generated network packets before they are sent out.
POSTROUTING — Alters network packets before they are sent out.
Mangle built-in chains
INPUT — Alters network packets targeted for the host.
OUTPUT — Alters locally-generated network packets before they are sent out.
FORWARD — Alters network packets routed through the host.
PREROUTING — Alters incoming network packets before they are routed.
POSTROUTING — Alters network packets before they are sent out.
Every chain has a default policy to ACCEPT, DROP, REJECT or QUEUE
IPTables rule processing flow
1.      Rules are processed from top to bottom.
2.      Once a rule's criteria match, no further processing is done: the packet is handed to the chain named in the target, or the special target value (ACCEPT, DROP, ...) is applied.
3.      If the criteria are not matched, processing moves on to the next rule.
4.      At the end of the list the chain's default policy applies; it is ACCEPT by default, so a packet that matches no rule is passed.
Table   Table function                 Chain                     Chain function
Filter  Packet filtering               INPUT                     Incoming to the firewall; packets destined for the local server.
                                       OUTPUT                    Filters packets originating from the firewall.
                                       FORWARD                   Packets for another NIC on the local server; packets routed through the local server.
Nat     Network Address Translation    PREROUTING                Packets enter this chain before a routing decision is made.
                                       POSTROUTING               The routing decision has been made; packets enter this chain just before being handed off to the hardware.
                                       OUTPUT                    NAT for locally generated packets on the firewall.
Mangle  TCP header modification        PREROUTING, POSTROUTING,  Modification of the TCP packet quality-of-service bits before routing occurs.
                                       OUTPUT, INPUT, FORWARD
Structure of IPTables Command Options
Syntax:
iptables -t [table-type] [options] [chain] -j [target]
Table-types
filter, nat, mangle
Options
-A   –    Append a rule to the end of a chain
-I   –    Insert a rule into a chain at position rulenum (default 1 = first)
-R   –    Replace the rule at position rulenum in a chain
-L   –    List all chains
-S   –    List all rules in the selected chain
-D   –    Delete the rule at position rulenum from a chain (1 = first)
-F   –    Flush all of the rules in the current iptables chain
-N   –    Create a new user-defined chain
-P   –    Change the policy of a chain
-p   –    Protocol (tcp, udp, icmp, all)
-s   –    Source (hostname or IP address, optionally with /mask, e.g. /24 or /255.255.255.0). A "!" argument before the address specification inverts the sense of the address.
-d   –    Destination
--sport   –    Source port      [--sport X | --sport X:X]
--dport   –    Destination port [--dport X | --dport X:X]
-i   –    Input interface (e.g. eth0)
-o   –    Output interface (e.g. eth0)
-n   –    Numeric output of addresses and ports
--line-numbers  –    List rules with line numbers
Chain
INPUT
OUTPUT
FORWARD
PREROUTING
POSTROUTING
Target
ACCEPT     –    Allow the packet
DROP       –    Drop the packet and give no response
REJECT     –    Reject the packet and send a rejection response
Iptables examples
1.  Listing iptables chain rules
[root@server1 Desktop]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
DROP       icmp --  client1.example.com  server1.example.com icmp echo-request
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@server1 Desktop]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
DROP       icmp --  192.168.1.101        192.168.1.100       icmp type 8
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@server1 Desktop]# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
3    DROP       icmp --  192.168.1.101        192.168.1.100       icmp type 8
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

[root@server1 Desktop]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
DROP       icmp --  client1.example.com  server1.example.com icmp echo-request
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@server1 Desktop]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@server1 Desktop]# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
2.  Delete a particular iptables chain rule
[root@server1 Desktop]# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
2    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
3    DROP       icmp --  client1.example.com  server1.example.com icmp echo-request
[root@server1 Desktop]# iptables -D INPUT 3
[root@server1 Desktop]# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
2    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
3.  How to flush all iptables chain rules
[root@server1 Desktop]# iptables -F
[root@server1 Desktop]# service iptables save
[root@server1 Desktop]# service iptables restart
[root@server1 Desktop]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
4.  Block all incoming and outgoing packets on a network gateway
[root@server1 Desktop]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
        
[root@server1 Desktop]# iptables -P INPUT DROP
[root@server1 Desktop]# iptables -P OUTPUT DROP
[root@server1 Desktop]# iptables -P FORWARD DROP
[root@server1 Desktop]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination        
Chain FORWARD (policy DROP)
target     prot opt source               destination        
Chain OUTPUT (policy DROP)
target     prot opt source               destination
        
[root@server1 Desktop]# service iptables save
[root@server1 Desktop]# service iptables restart
[root@server1 Desktop]# ping 192.168.1.101
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
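Example 4 above sets all three filter chain policies to DROP and shows the effect: nothing gets through, not even the server's own ping. The usual next step is to keep the DROP policy and open only what the host serves; this is also the alternative to the iptables -F flush that the yum server steps earlier on this page perform to make the FTP repository reachable. The block below is an added example, not from the original page: it generates a ruleset in the format that iptables-restore and /etc/sysconfig/iptables use, allowing loopback, replies to established connections, ping, SSH and FTP control connections from the 192.168.1.0/24 network, and it reads iptables -L -n output (the page's own listings from example 4) to report built-in chains whose policy is still ACCEPT. The client network and the port choices are assumptions; passive FTP data connections are accepted as RELATED only when the nf_conntrack_ftp helper named in the page's /etc/sysconfig/iptables-config is loaded.

```shell
#!/bin/sh
# Added example, not from the original page: a default-DROP ruleset for the
# yum/FTP server plus a policy check over `iptables -L -n` output.

# generate_rules <client-cidr>: print a ruleset for `iptables-restore`, i.e. the
# format of /etc/sysconfig/iptables that `service iptables start` loads.
# OUTPUT is left at ACCEPT (the host's own replies and updates go out); INPUT
# and FORWARD default to DROP, with explicit allows in front of a final REJECT.
generate_rules() {
    case "$1" in
        */*) ;;                              # require a CIDR such as 192.168.1.0/24
        *) echo "usage: generate_rules <client-cidr>" >&2; return 2 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -s $1 -j ACCEPT
-A INPUT -p tcp -s $1 --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s $1 --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# apply_rules <client-cidr>: install the ruleset on a RHEL 6 host (needs root;
# not executed by the offline checks below).
apply_rules() {
    generate_rules "$1" > /etc/sysconfig/iptables && service iptables restart
}

# non_drop_chains: read `iptables -L` / `iptables -L -n` output on stdin and
# print every built-in chain whose policy is something other than DROP.
non_drop_chains() {
    awk '$1 == "Chain" && $3 == "(policy" { p = $4; sub(/\)$/, "", p); if (p != "DROP") print $2 }'
}

# The page's own listings from example 4, before and after the policy change.
BEFORE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

AFTER='Chain INPUT (policy DROP)
target     prot opt source               destination
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy DROP)
target     prot opt source               destination'

echo "Chains not defaulting to DROP before example 4:"
printf '%s\n' "$BEFORE" | non_drop_chains
echo "...and after:"
printf '%s\n' "$AFTER" | non_drop_chains
echo
echo "Ruleset for /etc/sysconfig/iptables (client network 192.168.1.0/24):"
generate_rules 192.168.1.0/24
```

With this ruleset in place, the yum client at 192.168.1.101 still reaches ftp://192.168.1.100/pub, and `iptables -L -n | non_drop_chains` printing only OUTPUT is the expected steady state; any INPUT or FORWARD line in that output means the policy was reset, for example by a flush followed by `service iptables save`.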
5.  I have two Linux systems:
a>    server1.example.com                   –           192.168.1.100
b>    client1.example.com                   –           192.168.1.101
Practice 1
I have decided that server1.example.com should block ICMP echo requests from client1.example.com.
(Diagram: client1.example.com (source) pings 192.168.1.100, server1.example.com (destination).)
[root@server1 Desktop]# iptables -t filter -I INPUT -s 192.168.1.101 -d 192.168.1.100 -p icmp --icmp-type echo-request -j REJECT
[root@server1 Desktop]# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     icmp --  client1.example.com  server1.example.com icmp echo-request reject-with icmp-port-unreachable
[root@server1 Desktop]# service iptables save
[root@server1 Desktop]# service iptables restart
[root@server1 Desktop]# ping -c 3 192.168.1.101
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
64 bytes from 192.168.1.101: icmp_seq=1 ttl=64 time=0.283 ms
64 bytes from 192.168.1.101: icmp_seq=2 ttl=64 time=0.166 ms
64 bytes from 192.168.1.101: icmp_seq=3 ttl=64 time=0.171 ms
[root@client1 Desktop]# ping -c 3 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
From 192.168.1.100 icmp_seq=1 Destination Port Unreachable
From 192.168.1.100 icmp_seq=2 Destination Port Unreachable
From 192.168.1.100 icmp_seq=3 Destination Port Unreachable
Practice 2
Now I have decided that server1.example.com blocks ICMP ping requests sent to client1.example.com.
Source: server1.example.com (192.168.1.100)  ->  Destination: client1.example.com (192.168.1.101), ping 192.168.1.101
[root@server1 Desktop]# ping -c 3 client1.example.com
PING client1.example.com (192.168.1.101) 56(84) bytes of data.
64 bytes from client1.example.com (192.168.1.101): icmp_seq=1 ttl=64 time=0.193 ms
64 bytes from client1.example.com (192.168.1.101): icmp_seq=2 ttl=64 time=0.244 ms
64 bytes from client1.example.com (192.168.1.101): icmp_seq=3 ttl=64 time=0.218 ms
[root@server1 Desktop]# iptables -t filter -I OUTPUT -s 192.168.1.100 -d 192.168.1.101 -p icmp --icmp-type echo-request -j REJECT
[root@server1 Desktop]# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
REJECT     icmp --  server1.example.com  client1.example.com icmp echo-request reject-with icmp-port-unreachable
[root@server1 Desktop]# service iptables save
[root@server1 Desktop]# service iptables restart
[root@server1 Desktop]# ping -c 3 client1.example.com
PING client1.example.com (192.168.1.101) 56(84) bytes of data.
From server1.example.com (192.168.1.100) icmp_seq=1 Destination Port Unreachable
From server1.example.com (192.168.1.100) icmp_seq=1 Destination Port Unreachable
From server1.example.com (192.168.1.100) icmp_seq=1 Destination Port Unreachable
6.  I have a three-system lab setup; details:
System 1          –           server1.example.com   –           192.168.1.100
System 2          –           client1.example.com    –           192.168.1.101
System 3          –           client2.example.com    –           192.168.1.102
Practice 1
System 1 is configured as an FTP server. I have decided that client1.example.com must not access the FTP server, enforced with iptables.
[root@server1 Desktop]# iptables -t filter -I INPUT -s client1.example.com -p tcp --dport 21 -j REJECT
[root@server1 Desktop]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
REJECT     tcp  --  client1.example.com  anywhere            tcp dpt:ftp reject-with icmp-port-unreachable
[root@server1 Desktop]# service iptables save
[root@server1 Desktop]# service iptables restart
[root@client1 ~]# ftp server1.example.com
ftp: connect: Connection refused
ftp> bye
[root@client2 ~]# ftp server1.example.com
Connected to server1.example.com (192.168.1.100).
220 (vsFTPd 2.2.2)
Name (server1.example.com:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
Practice 2
System 1 is configured as an FTP server; block every host except client1.example.com.
[root@server1 Desktop]# iptables -t filter -I INPUT -s ! client1.example.com -p tcp --dport 21 -j REJECT
Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).
[root@server1 Desktop]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
REJECT     tcp  -- !client1.example.com  anywhere            tcp dpt:ftp reject-with icmp-port-unreachable
[root@client1 ~]# ftp server1.example.com
Connected to server1.example.com (192.168.1.100).
220 (vsFTPd 2.2.2)
Name (server1.example.com:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
[root@client2 ~]# ftp server1.example.com
ftp: connect: Connection refused
ftp> bye
[root@client2 ~]# logout
Connection to client2.example.com closed.
[root@server1 Desktop]#
Practice 3
System 1 server1.example.com: the FTP and SSH services must not be reachable from system 2 client1.example.com, using a single iptables rule
[root@server1 Desktop]# iptables -t filter -I INPUT -s 192.168.1.101 -p tcp --dport 21:22 -j REJECT
[root@server1 Desktop]# service iptables save
[root@server1 Desktop]# service iptables restart
[root@client1 ~]# ssh server1.example.com
ssh: connect to host server1.example.com port 22: Connection refused
[root@client1 ~]# ftp server1.example.com
ftp: connect: Connection refused
ftp> bye

[root@client1 ~]#
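The exercises above add one rule at a time by hand. The script below, an added example that is not part of the original notes, wraps the "allow FTP only from client1" rule pair in a function using the extrapositioned negation form the iptables warning asks for, and adds the loopback and ESTABLISHED,RELATED accept rules that should precede a DROP policy so the administrator's own SSH session survives it. IPTABLES, ftp_allow_only, lockdown_prelude and preview are names chosen here; setting IPTABLES=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original notes): generate or apply the INPUT
# rules for "FTP reachable only from one host" and the rules that must exist
# before "iptables -P INPUT DROP". IPTABLES can be overridden (IPTABLES=echo)
# to preview the commands without touching the kernel.
IPTABLES=${IPTABLES:-iptables}

# ftp_allow_only HOST : let only HOST reach tcp/21, reject everyone else.
ftp_allow_only() {
    host=$1
    [ -n "$host" ] || { echo "usage: ftp_allow_only HOST" >&2; return 2; }
    # Accept the allowed client explicitly, then reject all other sources.
    # The negation goes before the option ("! -s host"), never "-s ! host".
    $IPTABLES -t filter -A INPUT -s "$host" -p tcp --dport 21 -j ACCEPT &&
    $IPTABLES -t filter -A INPUT ! -s "$host" -p tcp --dport 21 -j REJECT --reject-with icmp-port-unreachable
}

# lockdown_prelude : rules to have in place before flipping INPUT to DROP;
# without them the SSH session used to type the policy change is cut off.
lockdown_prelude() {
    $IPTABLES -t filter -A INPUT -i lo -j ACCEPT &&
    $IPTABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# preview HOST : print the full command list in a subshell (nothing applied).
preview() (
    IPTABLES=echo
    lockdown_prelude
    ftp_allow_only "$1"
)

preview "${1:-client1.example.com}"
```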

Patch Management in Linux using YUM

Pre-requisites:

Installation of Red Hat Enterprise Linux 5.
Premium/Standard license for RHEL 5 32-bit or 64-bit servers (Note: a RHEL 32-bit YUM server lets you apply patches on a RHEL 32-bit OS; for a 64-bit OS you need the YUM server on RHEL 64-bit).
createrepo, yum-downloadonly and httpd packages installed on the server.
Installation and configuration of the Apache web server.
Copying the RPMs from the RHEL CD to the DocumentRoot path defined in the httpd configuration file.

Installation and Configuration of YUM Server:

Step 1: Creating a Repository using apache.

Installation of apache web server.
# rpm -ivh httpd

Modify httpd configuration file as mentioned below.
# vi /etc/httpd/conf/httpd.conf

ServerAdmin root@192.168.0.5
ServerName 192.168.0.5:80
DocumentRoot "/var/www/html"

Create folders as mentioned below.
# cd /var/www/html
# mkdir Server
# mkdir VT
# mkdir images

Copy all RHEL 5 RPMs from the CD into the Server, VT and images folders on the server.

Step 2: Create the database of RPMs

Run the createrepo command to create the database of the RPMs.
# cd /var/www/html/Server
# createrepo .
# cd /var/www/html/VT
# createrepo .
# cd /var/www/html/images
# createrepo .

Create package groups so that groups of packages can be installed together (createrepo needs the repository directory as its argument; the group file path is given relative to it).
# cd /var/www/html/Server
# createrepo -g repodata/comps-rhel5-server-core.xml .
# cd /var/www/html/VT
# createrepo -g repodata/comps-rhel5-VT-core.xml .

Step 3: Register your YUM server with Red Hat Network.

Ensure that the following entries have been added to the hosts file and that the URLs are reachable from the server.
# vi /etc/hosts
209.132.183.44  xmlrpc.rhn.redhat.com
209.132.183.43  satellite.rhn.redhat.com
209.132.183.42  rhn.redhat.com
Run the rhn_register command, follow the instructions printed on screen and create a system profile. (Note: you need a valid subscription key.)
De-select "Location aware updates" on the RHN website for the registered machine. (Note: you need a valid RHN login id.)

Yum is commonly used in the major RPM-based Linux distributions such as CentOS and Red Hat, and it performs automatic dependency checking. If you'd like to only download RPM packages via yum without installing or updating them, that is not possible by default.

How can we download an RPM package using YUM? Generally, there are two ways: you can use either yum-downloadonly or yum-utils.

1. yum-downloadonly installation and usage example

You just need to install a plugin called yum-downloadonly. This plugin supplies a new parameter called --downloadonly so that yum downloads the packages without any further installation/upgrade. It's much like apt-get's -d option in Ubuntu/Debian:

$ yum --help | grep download
Loaded plugins: downloadonly, fastestmirror
  --downloadonly        don't update, just download
  --downloaddir=DLDIR   specifies an alternate directory to store package
A further question is: how can I install the download-only plugin for yum? It's as simple as a normal install; you just need to run:
yum install yum-downloadonly

Step 4: Download required updates and hot fixes from Red Hat

Run the command below to download RPMs into the configured repository.
# yum update -y --downloadonly --downloaddir=/var/www/html/Server/

2. yum-utils installation and usage example

Yum-utils is a collection of utilities and plugins extending and supplementing yum in different ways; all of them are contained in the yum-utils package, including the one we need, yumdownloader.

# yum -y install yum-utils.noarch

Now we can use the yumdownloader command to download packages from yum repositories. Here’s an example:

# yumdownloader httpd


Re-run the command below after downloading any new packages into the repository.
# cd /var/www/html/Server
# createrepo --update .

Note:
If a patch is released, first download it via the download command mentioned in step 4, and only then install it on the YUM server using yum update. Otherwise, you won't be able to download the same patch again.

Configuration of YUM Client:

Step 1: Create a repo file pointing the client to the server for updates.
# vi /etc/yum.repos.d/Server.repo
[rhel-i386-server-5]
name=rhel-i386-server-5
baseurl=http://192.168.0.5/Server
enabled=1
gpgcheck=0

[rhel-i386-server-vt-5]
name=rhel-i386-server-vt-5
baseurl=http://192.168.0.5/VT
enabled=1
gpgcheck=0
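Both sections of the Server.repo above set gpgcheck=0, so the client installs whatever the HTTP repository serves without checking RPM signatures. The shell audit below, an added example rather than part of the original notes, flags every section of a .repo file that does not set gpgcheck=1; repo_audit and the two constructed sample files are this example's own, and the gpgkey path shown is the one RHEL ships for its release key.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a yum .repo file for
# repositories that skip package signature verification. With gpgcheck=0 a
# tampered RPM on the internal mirror installs silently; gpgcheck=1 plus an
# imported gpgkey makes yum reject packages whose signature does not verify.

# repo_audit FILE : print one line per [section] without gpgcheck=1.
# Returns 0 when every section verifies signatures, 1 otherwise.
repo_audit() {
    awk '
        function flush() {
            if (sect != "" && !ok) { print sect ": gpgcheck disabled or missing"; bad++ }
        }
        /^\[.*\]$/ { flush(); sect = substr($0, 2, length($0) - 2); ok = 0; next }
        /^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1[[:space:]]*$/ { ok = 1 }
        END { flush(); exit (bad > 0) }
    ' "$1"
}

# Constructed sample: the weak configuration from the notes above.
weak_repo=$(mktemp)
cat > "$weak_repo" <<'EOF'
[rhel-i386-server-5]
name=rhel-i386-server-5
baseurl=http://192.168.0.5/Server
enabled=1
gpgcheck=0

[rhel-i386-server-vt-5]
name=rhel-i386-server-vt-5
baseurl=http://192.168.0.5/VT
enabled=1
gpgcheck=0
EOF

# Constructed sample: the corrected configuration. The key file must already
# be imported on the client (rpm --import) for yum to verify against it.
fixed_repo=$(mktemp)
cat > "$fixed_repo" <<'EOF'
[rhel-i386-server-5]
name=rhel-i386-server-5
baseurl=http://192.168.0.5/Server
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF

repo_audit "$weak_repo"  || echo "-> set gpgcheck=1 and a gpgkey in each flagged section"
repo_audit "$fixed_repo" && echo "-> fixed repo: all sections verify signatures"
```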

Step 2: Configure mail alerts for pending patches on the client.
Note: SMTP relay must be enabled on the server.
# yum check-update | mailx -s "PATCHES PENDING on $HOSTNAME" abc@tcs.com

Step 3: Run the yum update command on a quarterly basis to keep your system up to date with the latest patches and hot fixes.
# yum update

Note: Before updating the system, have a proper backup for the same.

Rollback Package updates/Installation on YUM Server and Client:

Step 1: To configure yum to save rollback information, add the line tsflags=repackage to /etc/yum.conf.

Step 2: To configure command-line rpm to do the same thing, add the line %_repackage_all_erasures 1 to /etc/rpm/macros. If /etc/rpm/macros does not exist, just create it.

Step 3: You can now install, erase and update packages with yum and/or rpm, and they will save rollback information.

Step 4: When you want to roll back, use rpm to do so.
You do this by specifying the --rollback switch and a date/time, as in the examples below:
rpm -Uhv --rollback '19:00'
rpm -Uhv --rollback '8 hours ago'
rpm -Uhv --rollback 'december 31'
rpm -Uhv --rollback 'yesterday'

Job Scheduling Cron, Anacron and at, batch

Automated System Tasks

Linux Job Scheduling Command

 

RHEL 6 comes with the following automated task utilities:

1.      cron,

2.      anacron

3.      at

4.      batch

 

“cron” and “anacron” difference

Both cron and anacron are daemons that schedule the execution of recurring tasks at a point in time defined by the exact time, day of the month, month, day of the week, and week.

 

Cron                                                          | anacron
--------------------------------------------------------------|--------------------------------------------------------------
“cron” will not execute the scheduled job if the system goes  | “anacron” will resume the scheduled job (if the system was
down.                                                         | down) and execute it when the system is up.
Required package:                                             | Required package:
[root@server1 Desktop]# rpm -qa cronie                        | [root@server1 Desktop]# rpm -qa cronie-anacron
cronie-1.4.4-7.el6.x86_64                                     | cronie-anacron-1.4.4-7.el6.x86_64
Configuring the “cron” job file: /etc/crontab                 | Configuring the “anacron” job file: /etc/anacrontab
Minimum granularity is one minute (i.e. jobs can be           | Minimum granularity is one day
scheduled to be executed every minute)                        |
Cron jobs can be scheduled by any normal user (if not         | Anacron can be used only by the super user (but there are
restricted by the super user)                                 | workarounds to make it usable by a normal user)
Ideal for servers                                             | Ideal for desktops and laptops
Use cron when a job has to be executed at a particular hour   | Use anacron when a job has to be executed irrespective of
and minute                                                    | hour and minute

 

Starting and Stopping the “cron” service

The “cron” and “anacron” jobs are both picked by  the “crond” service.

 

service crond start | stop | status | reload | restart | force-restart

 

chkconfig crond on | off | --list

 

crontab command

1.      crontab -l         –           job list

2.      crontab -u        –           user based

3.      crontab -e        –           edit or new cron job

4.      crontab -r         –           remove cron job

 

Controlling Access to “cron”

To restrict which users may use crontab, edit these files:

 

/etc/cron.allow

/etc/cron.deny

 

·      If the cron.allow file exists, only users listed in the file are allowed to use cron, and the cron.deny file is ignored.

 

·      If the cron.allow file does not exist, users listed in the cron.deny file are not allowed to use Cron.

 

·      The root user can always use cron, regardless of the usernames listed in the access control files.


You can control the access also through Pluggable Authentication Modules (PAM). The settings are stored in the /etc/security/access.conf file. For example, after adding the following line to the file, no other user but the root user can create crontabs:

 

-:ALL EXCEPT root :cron

 

The forbidden jobs are logged in an appropriate log file or, when using “crontab -e”, returned to the standard output. For more information, refer to access.conf.5 (that is, man 5 access.conf).
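The three precedence rules above, written out as a shell function (an added example, not from the original notes) so the outcome for a given account can be checked before the real files are edited. cron_access, cron_access_report and the constructed allow/deny files are this example's own; the case where neither file exists is not covered by the notes and is treated as allowed here, which is an assumption.

```shell
#!/bin/sh
# Added example (not from the original notes): re-implementation of the
# cron.allow / cron.deny precedence rules for pre-checking crontab access.

# cron_access USER [ALLOWFILE] [DENYFILE]
#   returns 0 if USER may use crontab, 1 if not.
#   File paths default to the real ones; callers may pass constructed files.
cron_access() {
    user=$1
    allow=${2:-/etc/cron.allow}
    deny=${3:-/etc/cron.deny}
    # root is never subject to the access files.
    [ "$user" = root ] && return 0
    if [ -f "$allow" ]; then
        # cron.allow exists: only the users listed in it; cron.deny is ignored.
        if grep -qxF "$user" "$allow"; then return 0; else return 1; fi
    fi
    if [ -f "$deny" ]; then
        # no cron.allow: everyone except the users listed in cron.deny.
        if grep -qxF "$user" "$deny"; then return 1; fi
        return 0
    fi
    # Neither file exists: not covered by the notes; assumed allowed here.
    return 0
}

# cron_access_report USER [ALLOWFILE] [DENYFILE] : one-line verdict.
cron_access_report() {
    if cron_access "$@"; then echo "$1: allowed"; else echo "$1: denied"; fi
}

# Constructed files mirroring the exercises: babu listed in cron.deny,
# and a cron.allow that names only mugu.
deny_only=$(mktemp)
printf 'babu\n' > "$deny_only"
allow_list=$(mktemp)
printf 'mugu\n' > "$allow_list"

cron_access_report mugu /nonexistent "$deny_only"    # mugu: allowed
cron_access_report babu /nonexistent "$deny_only"    # babu: denied
cron_access_report babu "$allow_list" "$deny_only"   # babu: denied (not in allow)
cron_access_report root "$allow_list" "$deny_only"   # root: allowed
```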

 

 

Configuring “cron” job file

 

[root@server1 Desktop]# cat /etc/crontab

SHELL=/bin/bash

PATH=/sbin:/bin:/usr/sbin:/usr/bin

MAILTO=root

HOME=/

 

# For details see man 4 crontabs

 

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed

 

 

Configuring “anacron” job file

 

[root@server1 Desktop]# cat /etc/anacrontab

# /etc/anacrontab: configuration file for anacron

 

# See anacron(8) and anacrontab(5) for details.

 

SHELL=/bin/sh

PATH=/sbin:/bin:/usr/sbin:/usr/bin

MAILTO=root

# the maximal random delay added to the base delay of the jobs

RANDOM_DELAY=45

# the jobs will be started during the following hours only

START_HOURS_RANGE=3-22

 

#period in days   delay in minutes   job-identifier   command

1          5          cron.daily                    nice run-parts /etc/cron.daily

7          25        cron.weekly                 nice run-parts /etc/cron.weekly

@monthly 45   cron.monthly               nice run-parts /etc/cron.monthly

 

Cron job example backup script

# record the memory usage of the system every monday

# at 3:30AM in the file /tmp/meminfo

30 3 * * mon cat /proc/meminfo >> /tmp/meminfo

# run custom script the first day of every month at 4:10AM

10 4 1 * * /root/scripts/backup.sh

 

 

“cron” job examples

 

1.      The user mugu must configure a cron job that runs daily at 15:25 local time and executes /bin/echo hiya

 

[root@server1 Desktop]# crontab -u mugu -e

no crontab for mugu – using an empty one

crontab: installing new crontab

 

25        15        *          *          *          /bin/echo hiya

 

:wq!

 

[root@server1 Desktop]# crontab -u mugu -l

25        15        *          *          *          /bin/echo hiya

 

Remove the cron job schedule of a particular user

[root@server1 Desktop]# crontab -u mugu -l

25        15        *          *          *          /bin/echo hiya

 

[root@server1 Desktop]# crontab -u mugu -r

 

[root@server1 Desktop]# crontab -u mugu -l

no crontab for mugu

 

2.      Run /bin/echo hiya every minute

 

[root@server1 Desktop]# crontab -e

no crontab for root – using an empty one

crontab: installing new crontab

 

[root@server1 Desktop]# crontab -l

*/1       *          *          *          *          /bin/echo hiya

 

[root@server1 Desktop]# mail

Heirloom Mail version 12.4 7/29/08.  Type ? for help.

"/var/spool/mail/root": 1 message 1 new

>N  1 Cron Daemon           Thu Oct 25 18:35  21/706   "Cron /"

& 1

Message  1:

From root@server1.example.com  Thu Oct 25 18:35:02 2012

Return-Path:

X-Original-To: root

Delivered-To: root@server1.example.com

From: root@server1.example.com (Cron Daemon)

To: root@server1.example.com

Subject: Cron /bin/echo hiya

Content-Type: text/plain; charset=UTF-8

Auto-Submitted: auto-generated

X-Cron-Env:

X-Cron-Env:

X-Cron-Env:

X-Cron-Env:

X-Cron-Env:

Date: Thu, 25 Oct 2012 18:35:01 +0530 (IST)

Status: R

 

hiya

 

& q

Held 1 message in /var/spool/mail/root

You have mail in /var/spool/mail/root

 

3.      Restrict user babu from accessing cron or modifying the job file.

 

[root@server1 Desktop]# vim /etc/cron.deny

babu

 

:wq!

 

[root@server1 Desktop]# su – babu

 

[babu@server1 ~]$ crontab -e

You (babu) are not allowed to use this program (crontab)

See crontab(1) for more information

 

[babu@server1 ~]$ logout

 

4.      Deny all users except root from running cron schedules.

 

[root@server1 Desktop]# vim /etc/security/access.conf

Shift+g

– : ALL EXCEPT root : cron

:wq!

 

[root@server1 Desktop]# su – mugu

[mugu@server1 ~]$ crontab -e

 

Permission denied

You (mugu) are not allowed to access to (crontab) because of pam configuration.

[mugu@server1 ~]$ logout

 

[root@server1 Desktop]# su – babu

[babu@server1 ~]$ crontab -e

 

Permission denied

You (babu) are not allowed to access to (crontab) because of pam configuration.

[babu@server1 ~]$ logout

 

[root@server1 Desktop]# crontab -e

no crontab for root – using an empty one

crontab: no changes made to crontab

 

5.      Install a cron schedule for user jeff that displays "Hello" daily at 5:30

 

crontab -u jeff -e

30        05        *          *          *          /bin/echo "hello"

 

:wq!

 

6.      Add a job to the cron schedule that displays Hello World on terminal 8 every two minutes (the smallest cron interval is one minute, so seconds cannot be scheduled)

crontab -e

*/2       *          *          *          *          /bin/echo "Hello World" > /dev/tty8

 

 

 

7.      Add a cron schedule that takes a full backup of /home every day at 5:30 pm to the /dev/st0 device

[root@server1 Desktop]# rpm -qa dump

dump-0.4-0.6.b42.el6.x86_64

 

crontab -e

30        17        *          *          *          /sbin/dump -0u -f /dev/st0 /dev/sda7

 

Or

 

30        17        *          *          *          /sbin/dump -0u -f /dev/st0 /home

 

 

Anacron Example

 

1.      Anacron daily job with a start window of 6am to 7am and a delay of at most 1 min per job

 

RANDOM_DELAY — maximum number of minutes that will be added to the delay in minutes variable which is specified for each job

 

The minimum delay value is set, by default, to 6 minutes.

 

If RANDOM_DELAY is, for example, set to 12, then between 6 and 12 minutes are added to the delay in minutes for each job in that particular anacrontab.

 

RANDOM_DELAY can also be set to a value below 6, including 0. When set to 0, no random delay is added. This proves to be useful when, for example, more computers that share one network connection need to download the same data every day.

                                 

START_HOURS_RANGE — interval, when scheduled jobs can be run, in hours

In case the time interval is missed, for example due to a power failure, the scheduled jobs are not executed that day.

 

[root@server1 Desktop]# touch script.sh

[root@server1 Desktop]# touch test.txt

 

[root@server1 Desktop]# chmod 755 script.sh

 

[root@server1 Desktop]# echo "date >> /root/Desktop/test.txt" > script.sh

 

[root@server1 Desktop]# cat script.sh

date >> /root/Desktop/test.txt

 

[root@server1 Desktop]# ./script.sh

 

[root@server1 Desktop]# cat test.txt

Fri Oct 26 07:03:56 IST 2012

 

[root@server1 Desktop]# anacron -u

[root@server1 Desktop]# vim /etc/anacrontab

 

SHELL=/bin/sh

PATH=/sbin:/bin:/usr/sbin:/usr/bin

MAILTO=root

RANDOM_DELAY=1

START_HOURS_RANGE=7-8

 

1          0          cron.daily                    /bin/sh /root/Desktop/script.sh           

1          5          cron.daily                    nice run-parts /etc/cron.daily

7          25        cron.weekly                 nice run-parts /etc/cron.weekly

@monthly 45   cron.monthly               nice run-parts /etc/cron.monthly

 

:wq!

 

[root@server1 Desktop]# updatedb

[root@server1 Desktop]# anacron -u  - update the job timestamps only

[root@server1 Desktop]# anacron -n  - start the jobs now, ignoring the delays

[root@server1 Desktop]# anacron -f  - force the jobs to run, ignoring the timestamps

[root@server1 Desktop]# anacron -f

[root@server1 Desktop]# cat test.txt

Fri Oct 26 07:03:56 IST 2012

Fri Oct 26 07:12:24 IST 2012

 

 

“at” and “batch” command

 

The “at” command is used to schedule a one-time task at a specific time.

The “batch” command is used to schedule a one-time task to be executed when the system's load average drops below 0.8.

 

Both “at” and “batch” require the following package and service

[root@server1 Desktop]# rpm -qa at

at-3.1.10-43.el6.x86_64

 

service atd status | start | restart | force-restart | stop

atd (pid  2505) is running…

 

[root@server1 Desktop]# chkconfig atd --list | on | off

atd                   0:off    1:off    2:off    3:on     4:on     5:on     6:off

 

Controlling access to “at”

/etc/at.deny

 

“at” utility command

 

atd  –    run jobs queued for later execution 

atq  –    list queue

atrm –   delete the job 

atrun-   run jobs queued for later execution

 

“at” command example

 

1.      Start the script at 7:46 am

 

[root@server1 Desktop]# at 7:46

at> /bin/sh /root/Desktop/script.sh

at>                                                                    (press Ctrl+D)

job 2 at 2012-10-26 07:46

 

[root@server1 Desktop]# atq

2          2012-10-26 07:46 a root

 

[root@server1 Desktop]# cat test.txt

Fri Oct 26 07:46:00 IST 2012

 

 

 

2.      How to Remove the job

[root@server1 Desktop]# at 07:59

at> cat /etc/fstab >> test.txt

at>

job 3 at 2012-10-26 07:59

[root@server1 Desktop]# atq

3          2012-10-26 07:59 a root

[root@server1 Desktop]# atrm 3

[root@server1 Desktop]# atq

 

3.      Run the job immediately

[root@server1 Desktop]# at now

at> uptime >> /root/Desktop/test.txt

at>

job 4 at 2012-10-26 07:53

 

[root@server1 Desktop]# cat test.txt

07:54:09 up  1:24,  2 users,  load average: 0.00, 0.00, 0.00

 

4.      Run the job 1 minute after the current time

 

[root@server1 Desktop]# at now + 1 minutes

at> uptime > /root/Desktop/test.txt

at>

job 6 at 2012-10-26 07:59

[root@server1 Desktop]# atq

6          2012-10-26 07:59 a root

[root@server1 Desktop]# cat test.txt

 07:57:00 up  1:27,  2 users,  load average: 0.00, 0.00, 0.00

 

5.      “batch” command example

 

[root@server1 Desktop]# batch

at> uptime >> /root/Desktop/test.txt

at>

job 7 at 2012-10-26 08:00

Linux Networking

Network Configuration Files

1.      /etc/hosts         –           local name resolution configuration file

IP address       hostname         alias

Reference “man hosts”

[root@server1 Desktop]# cat /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4

::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.1.100 server1.example.com   server1

2.      /etc/resolv.conf                       –           DNS server resolver configuration file

Reference “man resolv.conf”

[root@server1 Desktop]# cat /etc/resolv.conf

# Generated by NetworkManager

search example.com

nameserver 192.168.1.100

3.      /etc/sysconfig/network

[root@server1 Desktop]# cat /etc/sysconfig/network

NETWORKING=yes

HOSTNAME=server1.example.com

NISDOMAIN=nisserver

4.      /etc/sysconfig/network-scripts/ifcfg-eth0

cat /etc/sysconfig/network-scripts/ifcfg-eth0

or

[root@server1 Desktop]# cat /etc/sysconfig/networking/devices/ifcfg-eth0

DEVICE=eth0

NM_CONTROLLED=yes

ONBOOT=yes

IPADDR=192.168.1.100

BOOTPROTO=none

NETMASK=255.255.255.0

TYPE=Ethernet

GATEWAY=192.168.1.1

DNS1=192.168.1.100

IPV6INIT=no

USERCTL=no

HWADDR=00:0C:29:D5:D2:1F

PREFIX=24

DEFROUTE=yes

IPV4_FAILURE_FATAL=yes

NAME="System eth0"

UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03

Check the hostname and IP address, and bring an interface down and up

ifconfig

ifconfig eth0 up                      or         ifup eth0

ifconfig eth0 down     or         ifdown eth0

iwconfig          –           display wireless interface settings

ip a

arp

dhclient                       –           obtain or renew an IP address from the DHCP server

hostname, domainname, dnsdomainname, nisdomainname, ypdomainname

-a         –           alias

-d         –           domain name

-f         –           fully qualified domain name (fqdn)

-i          –           IP address

-y         –           NIS domain name

ethtool eth0     –           information

ethtool -i eth0 –           display driver settings

ethtool -p eth0            –           blink the LAN LED

mii-tool eth0

ip link show eth0

ip addr

ping 192.168.1.100     –           test connectivity

host 192.168.1.100     or         host server1.example.com

nslookup 192.168.1.100                      or         nslookup server1.example.com

dig server1.example.com

Assign an IP address and restart the service

system-config-network

system-config-network-tui

system-config-network-cmd

service network status | start | restart

service NetworkManager status | start | restart

chkconfig network --list | on | off

chkconfig NetworkManager --list  | on | off

Check the port number and routing command

route

traceroute

netstat

-r          –           display the routing table

-i          –           display interface statistics

-t          –           shows tcp connection

-u         –           shows udp connection

-a         –           display all sockets (tcp,udp or local)

-p         –           display process IDs

-e         –           display extended information

-l          –           listening

-n         –           numerical

Network monitoring command

nmap

tcpdump

Examples

[root@server1 Desktop]# ifconfig

eth0      Link encap:Ethernet  HWaddr 00:0C:29:D5:D2:1F

inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0

inet6 addr: fe80::20c:29ff:fed5:d21f/64 Scope:Link

UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

RX packets:96 errors:0 dropped:0 overruns:0 frame:0

TX packets:426 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:7584 (7.4 KiB)  TX bytes:28359 (27.6 KiB)

lo        Link encap:Local Loopback

inet addr:127.0.0.1  Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING  MTU:16436  Metric:1

RX packets:531 errors:0 dropped:0 overruns:0 frame:0

TX packets:531 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:45677 (44.6 KiB)  TX bytes:45677 (44.6 KiB)

[root@server1 Desktop]# ip a

1: lo: mtu 16436 qdisc noqueue state UNKNOWN

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

inet 127.0.0.1/8 scope host lo

inet6 ::1/128 scope host

valid_lft forever preferred_lft forever

2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 00:0c:29:d5:d2:1f brd ff:ff:ff:ff:ff:ff

inet 192.168.1.100/24 brd 192.168.1.255 scope global eth0

inet6 fe80::20c:29ff:fed5:d21f/64 scope link

valid_lft forever preferred_lft forever

3: pan0: mtu 1500 qdisc noop state DOWN

link/ether 92:90:4e:e1:44:90 brd ff:ff:ff:ff:ff:ff

[root@server1 Desktop]# ip addr

1: lo: mtu 16436 qdisc noqueue state UNKNOWN

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

inet 127.0.0.1/8 scope host lo

inet6 ::1/128 scope host

valid_lft forever preferred_lft forever

2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 00:0c:29:d5:d2:1f brd ff:ff:ff:ff:ff:ff

inet 192.168.1.100/24 brd 192.168.1.255 scope global eth0

inet6 fe80::20c:29ff:fed5:d21f/64 scope link

valid_lft forever preferred_lft forever

3: pan0: mtu 1500 qdisc noop state DOWN

link/ether 92:90:4e:e1:44:90 brd ff:ff:ff:ff:ff:ff

[root@server1 Desktop]# hostname

server1.example.com

[root@server1 Desktop]# hostname -d

example.com

[root@server1 Desktop]# hostname -s

server1

[root@server1 Desktop]# hostname -a

server1

[root@server1 Desktop]# hostname -f

server1.example.com

[root@server1 Desktop]# hostname -i

192.168.1.100

[root@server1 Desktop]# hostname -y

(none)

[root@server1 Desktop]# iwconfig

lo        no wireless extensions.

eth0      no wireless extensions.

pan0      no wireless extensions.

[root@server1 Desktop]# ethtool eth0

Settings for eth0:

Supported ports: [ TP ]

Supported link modes:   10baseT/Half 10baseT/Full

100baseT/Half 100baseT/Full

1000baseT/Full

Supports auto-negotiation: Yes

Advertised link modes:  10baseT/Half 10baseT/Full

100baseT/Half 100baseT/Full

1000baseT/Full

Advertised pause frame use: No

Advertised auto-negotiation: Yes

Speed: 1000Mb/s

Duplex: Full

Port: Twisted Pair

PHYAD: 0

Transceiver: internal

Auto-negotiation: on

MDI-X: Unknown

Supports Wake-on: d

Wake-on: d

Current message level: 0x00000007 (7)

Link detected: yes

[root@server1 Desktop]# ethtool -i eth0

driver: e1000

version: 7.3.21-k6-1-NAPI

firmware-version: N/A

bus-info: 0000:02:01.0

ethtool -s eth0 speed 100 autoneg off

ethtool -S eth0

[root@server1 Desktop]# mii-tool eth0

eth0: negotiated 100baseTx-FD, link ok

[root@server1 Desktop]# host 192.168.1.100

100.1.168.192.in-addr.arpa domain name pointer server1.example.com.

[root@server1 Desktop]# host server1.example.com

server1.example.com has address 192.168.1.100

[root@server1 Desktop]# nslookup server1.example.com

Server:             192.168.1.100

Address:          192.168.1.100#53

Name:  server1.example.com

Address: 192.168.1.100

[root@server1 Desktop]# nslookup 192.168.1.100

Server:             192.168.1.100

Address:          192.168.1.100#53

100.1.168.192.in-addr.arpa     name = server1.example.com.

[root@server1 Desktop]# dig server1.example.com

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6 <<>> server1.example.com

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11399

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:

;server1.example.com.                             IN            A

;; ANSWER SECTION:

server1.example.com.              86400      IN            A             192.168.1.100

;; AUTHORITY SECTION:

example.com.                          86400      IN            NS           server1.example.com.

;; Query time: 0 msec

;; SERVER: 192.168.1.100#53(192.168.1.100)

;; WHEN: Sun Dec  2 21:56:55 2012

;; MSG SIZE  rcvd: 67

[root@server1 Desktop]# route

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

192.168.1.0     *               255.255.255.0   U     1      0        0 eth0

default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

[root@server1 Desktop]# netstat -r

Kernel IP routing table

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface

192.168.1.0     *               255.255.255.0   U         0 0          0 eth0

default         192.168.1.1     0.0.0.0         UG        0 0          0 eth0

[root@server1 Desktop]# netstat -tulnp | grep 22

tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2184/sshd

tcp        0      0 :::22                       :::*                        LISTEN      2184/sshd
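Filtering "netstat -tulnp" through "grep 22" also matches PID 2184 and any port that merely contains 22. The function below, an added example not from the original notes, parses the local-address column instead and marks each listener as reachable from the network (bound to 0.0.0.0 or ::) or loopback-only; listeners_exposed and exposed_count are names chosen here, and the sample input extends the two sshd lines above with two constructed lines.

```shell
#!/bin/sh
# Added example (not from the original notes): classify "netstat -tulnp"
# listeners by exposure. On a live host run: netstat -tulnp | listeners_exposed

# listeners_exposed : read netstat -tulnp lines on stdin and print
# "<proto> <port> <bindaddr> <program> <exposed|local>" per listener.
listeners_exposed() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            # Local address is column 4; split off the port at the last ":"
            # so IPv6 forms such as ":::22" are handled as well.
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            # udp lines have no STATE column, so the program is always $NF.
            prog = $NF
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") expo = "exposed"
            else expo = "local"
            print $1, port, addr, prog, expo
        }'
}

# Constructed sample input: the first two lines are the notes'"'"' own output,
# the last two are made up for this example.
sample='tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2184/sshd
tcp        0      0 :::22                       :::*                        LISTEN      2184/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2301/master
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               1942/rpcbind'

# exposed_count : number of sample listeners reachable from the network.
exposed_count() {
    printf '%s\n' "$sample" | listeners_exposed | grep -c ' exposed$'
}

printf '%s\n' "$sample" | listeners_exposed
```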

[root@server1 Desktop]# nmap -sTU -p 21 192.168.1.100

Starting Nmap 5.21 ( http://nmap.org ) at 2012-12-02 22:05 IST

Nmap scan report for server1.example.com (192.168.1.100)

Host is up (0.00020s latency).

PORT   STATE  SERVICE

21/tcp open   ftp

21/udp closed ftp

Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

[root@server1 Desktop]# nmap -sTU -p 22 192.168.1.100

Starting Nmap 5.21 ( http://nmap.org ) at 2012-12-02 22:05 IST

Nmap scan report for server1.example.com (192.168.1.100)

Host is up (0.00042s latency).

PORT   STATE  SERVICE

22/tcp open   ssh

22/udp closed ssh

Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds