Friday, December 21, 2001

Cron Job

Cron format: minute hour day-of-month month day-of-week, followed by the command to run.

You can use commas (,) to put more than one time specification in a field. There are other shortcuts, better explained with examples:

  1. To run a job every hour at 0 and 30 minutes:
    0,30 * * * *
  2. To run a job at 1AM every Sunday:
    0 1 * * Sun
  3. To run a job every five minutes:
    0-55/5 * * * *
  4. To run a job the first of January at 4PM:
    0 16 1 Jan *
  5. To run a job weekly you can use:

    @weekly

    which is equivalent to

    0 0 * * 0

    Here the last 0 means Sunday. You can also use other special strings: @yearly, @annually, @daily, @monthly, @midnight, @hourly (see the manual page with man 5 crontab, that is, the crontab page in manual section 5, which also lists the five-field equivalent of each special string).

    Now that we have a little understanding of times we can use cron. Jobs are edited with the command crontab -e. A small warning: this command will put you in an editing mode, calling some default editor. If you do not like the editor (quite likely to be vi) you can change it. For example, to use emacs in a bash shell you can do this:

    EDITOR=emacs crontab -e

Once you are in the editing mode you enter your times and the commands to be executed. The commands could be just one simple command, a series of them separated by semicolons (;) or the name of a script. Quitting your editor will save your cron jobs. Two things to keep in mind: cron runs the commands with a very short PATH and without your shell's settings, so write full paths (/usr/local/bin/backup rather than backup) or set PATH= on a line of its own at the top of the crontab; and the administrator can restrict who may use crontab at all through the files /etc/cron.allow and /etc/cron.deny.

Any output of a cron job (standard output and standard error) is mailed to your account by default, if the machine has mail set up. Or you can redirect the output to a file (more on this later).

To see what cron jobs are in your account do this:

crontab -l

To delete all your cron jobs at once:

crontab -r

There is no confirmation prompt, so run crontab -l first and keep a copy of anything you might want back.

You can use crontab -e to edit existing cron jobs.
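As an added example (this is not code from the original post), here is a small sh helper that expands the special strings to their five-field equivalents from crontab(5) and checks that a crontab line has the right number of fields. A line with only four time fields, like the typo "0,30 * * *", is refused by crontab when you save, so it pays to catch it early, for instance before installing a crontab generated by a script.

```shell
#!/bin/sh
# Added example, not part of the original post.
# cron_expand SPEC: print the five-field form of a crontab @-shortcut,
# as documented in crontab(5); anything else is printed unchanged.
cron_expand() {
    case "$1" in
        @yearly|@annually) echo "0 0 1 1 *" ;;
        @monthly)          echo "0 0 1 * *" ;;
        @weekly)           echo "0 0 * * 0" ;;
        @daily|@midnight)  echo "0 0 * * *" ;;
        @hourly)           echo "0 * * * *" ;;
        *)                 echo "$1" ;;
    esac
}

# cron_check_line LINE: return 0 for a blank line, a comment, a
# NAME=value setting, or a job line with five time fields (or one
# @-shortcut) followed by a command; return 1 for anything else.
cron_check_line() {
    case "$1" in
        ''|'#'*|[A-Za-z_]*=*) return 0 ;;
    esac
    set -f                 # stop "*" fields from expanding to file names
    set -- $1              # split the line into words
    n=$#
    first=$1
    set +f
    case "$first" in
        @*) [ "$n" -ge 2 ] ;;   # shortcut plus a command
        *)  [ "$n" -ge 6 ] ;;   # five time fields plus a command
    esac
}

# Usage, for instance on your installed crontab:
#   crontab -l | while IFS= read -r l; do cron_check_line "$l" || echo "bad: $l"; done
```

The check only counts fields; it does not validate the ranges inside them (minute 0-59 and so on), which crontab itself does when the file is saved.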

Tuesday, December 04, 2001

Executing Commands at a Future time

Sometimes you might want to execute a command at a certain (future) time when you are not logged on to your computer. The program at allows you to do precisely this. The usage of this command is simple: you give a time and a series of commands to be executed, and when the time comes the system will do what you want. The only thing you have to be careful about is that the output of some commands might be lost (although on many systems you get an email with the output, if that output would have been written to your terminal/console). Whether you may use at at all can be restricted by the administrator through the files /etc/at.allow and /etc/at.deny. But if we forget about output for the time being (I will post later how to redirect the output of commands to files) we can start our first trials with the at command.

First of all, how to call at. You have to give a time at which you want your commands to be executed. Here are a few examples (you can find more details in the manual page, man at); most examples are self-explanatory:

  1. at 4pm will execute at 4 in the afternoon today if you give the at command before 4PM, tomorrow otherwise. An equivalent time is at teatime (there are other short names: midnight, noon and now)
  2. at 10:31am
  3. at 10:30pm Jul 31
  4. at 4pm + 3 days will execute at 4 afternoon/evening three days from today
  5. at 4pm 101005 will execute on the 10th of October of 2005 (the date is written MMDDYY; man at lists the other accepted forms)

Once you have given the at command with a time you will get a prompt that looks like this: at> Enter there the commands you want executed, one per line, and finish with Ctrl-D. You can also feed the commands from a pipe (echo command | at 4pm) or from a file (at -f script 4pm), which avoids the interactive prompt and is the form to use from scripts.

To look at what jobs are waiting in the at queue you can run the program atq. The output will look like this:

4       Wed Sep 28 14:00:00 2005 a pablo

This means there is a job to be executed at 2PM on that day; the a is the queue it is in and pablo the user who owns it. The job id is 4.

If you want to remove a job you have to give its id to atrm. In the above example we could do:

atrm 4

In a future post I will explain how to use cron to run commands periodically.

Friday, November 30, 2001

Sharing Directories under Linux using NFS

Linux (or UNIX in general) can share directories with other machines in a network using the NFS utilities. These are a set of programs (daemons) that might have been installed when you put Linux on your machine. How to make NFS work is a complicated matter that requires a post (or posts). In this post I will only explain how to configure the different options to share directories via NFS. I assume therefore that NFS runs on your machine when it boots.

The configuration file for NFS is /etc/exports. There you write which directories have to be shared, with which machines, and the possible options. An example of an entry in that file is the following:

/usr/local/ host1.localnetwork.domain(rw)

This means that the host called host1.localnetwork.domain can access the directory /usr/local of the machine where you are working, and can read and write (rw) in it.

A general entry has the following format (there can be many entries in the file):

directory host(options)

Here directory is the directory on the local machine that you want to share across the network. The host is the name of the host or hosts that are allowed to access the given directory. You can put a single host as in the example above, or you could give a range with something like *.localnetwork.domain, which means all hosts whose names end in localnetwork.domain. You can also put * alone, which means any host that can reach yours; it could be in the local network, or anywhere in the world if you are connected to the Internet without restrictions like a firewall, so be careful when you use the star symbol (called a wild card). You can also specify the hosts as an IP network with its netmask, written either as address/prefix-length or as address/netmask (don't worry if you do not know what I mean): such an entry means all hosts whose IP number falls inside that network. One more thing to watch: there must be no space between the host and the opening parenthesis of the options. With a space, the options apply to every host in the world and the named host gets the default options, which is almost never what you meant.

Some options you can include are the following:

1. rw: the machines authorised can read and write in the given directory
2. ro: read-only
3. async: a technical option meaning that when a client (a machine that has mounted a directory from yours, say) writes something, the server (your machine) does not wait for the data to reach the hard disk before replying to the client
4. sync: the opposite of the previous option; the server waits for the data to be written to disk before it tells the client that the operation is done. If you put neither, sync is assumed.

For more information you can look at the manual page of exports (man exports) or of the program exportfs; after editing /etc/exports run exportfs -ra to make the changes take effect. One more option worth knowing about: by default the server maps the client's root user to an unprivileged anonymous user (root_squash), so that being root on a client machine does not make you root over your files; the no_root_squash option turns that protection off and should be used only when you know exactly why you need it. I will post on exportfs in the future, and more on NFS details too.
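As an added example (not code from the original post), here is an sh function that reads an /etc/exports file and flags the three things this post warns about or that bite most often: a bare * host, a writable export to wildcard hosts, and no_root_squash. The sample lines in the usage are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post.
# audit_exports: read an /etc/exports-style file on standard input and
# print a warning for each export that is open to every host, writable
# by wildcard hosts, or exported with no_root_squash. Returns 1 if any
# warning was printed, 0 if the file looks clean.
audit_exports() {
    found=0
    set -f                              # "*" must stay literal, not a glob
    while IFS= read -r line; do
        line=${line%%#*}                # drop comments
        set -- $line                    # directory, then host(options) specs
        [ $# -ge 2 ] || continue
        dir=$1; shift
        for spec in "$@"; do
            host=${spec%%'('*}          # text before "("
            opts=""
            case "$spec" in
                *'('*')') opts=${spec#*'('}; opts=${opts%')'} ;;
            esac
            case "$host" in
                '*') echo "WARN $dir: exported to every host ($spec)"; found=1 ;;
            esac
            case ",$opts," in
                *,no_root_squash,*)
                    echo "WARN $dir: root on $host is root on the server (no_root_squash)"
                    found=1 ;;
            esac
            case ",$opts," in
                *,rw,*) case "$host" in
                            *'*'*) echo "WARN $dir: writable by wildcard hosts $host"; found=1 ;;
                        esac ;;
            esac
        done
    done
    set +f
    return $found
}

# Usage: audit_exports < /etc/exports
```

The function deliberately says nothing about the netmask form of hosts; a too-wide netmask is as dangerous as a wildcard, but deciding what is "too wide" depends on your network.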

Sunday, November 18, 2001

Shared Library Dependency

To check which shared libraries a program uses:

[root@mybox unix]# ldd /usr/sbin/grub
        => /lib/ (0x40023000)
        => /lib/i686/ (0x40063000)
        => /usr/lib/ (0x40193000)
        /lib/ => /lib/ (0x40000000)
        => /lib/i686/ (0x4019a000)

This prints the shared library dependencies (the library names were lost from the listing above; each line normally reads like libc.so.6 => /lib/libc.so.6 (address)). A word of caution: depending on the system, ldd works by running the program with a special environment, so never run it on a binary you do not trust. objdump -p or readelf -d prints the same NEEDED entries without executing anything.

Saturday, November 03, 2001

Memory Status

Processes use memory (RAM) to run. Actually, most Linux computers have two types of memory: RAM and swap space (okay, hard disks and other storage devices are also considered memory, but let's use this term for things that get erased when you switch off the computer). The RAM comes with the computer system as a set of chips that store data as long as the machine is powered. Its access time is much faster than the hard disk's access time, and programs are loaded into memory by the Operating System for execution. Since RAM might not be enough, Linux has one part of the hard disk known as swap space that acts like extra RAM, though a lot slower.

If you want to know how much RAM and swap space is available and used in your machine, type free. The output of this command depends of course on what is running in the system: more processes means less memory free.

Another command related to memory usage is memstat (not installed by default on every distribution), which tells you which files/processes are using memory, how much, and the process number. One possible way of using this command is as in this example:

memstat | sort -n

This will sort out the output by the memory usage, so you get the processes using more memory at the end of your output, which can be useful to identify processes that consume resources.

Monday, October 29, 2001


Linux is a multitasking Operating System, meaning that it can do many things at the same time. Well, not quite so, as the CPU will do just one thing at a time, but the OS keeps swapping processes into the CPU at high speed, and to humans it looks like the computer is doing many things at once.

So a process, loosely speaking, is a task that the machine is doing at a certain time (I will assume that the computer is doing many things, not getting into which one is actually being executed in the CPU). If you want to check processes you can use the ps command. For example, to see the processes started by you in your terminal (the place where you type your commands) you should do

ps

Some processes, tasks, programs, whatever you want to call them, are not started in the command line. What I mean is that you might have started a command with a mouse or some other method, rather than typing it in the terminal. Those processes will not show with just ps. So if you have a browser started with a mouse click, and want to see it in the process list, you have to do the following:

ps x

This way of calling ps will show you only processes started by you. If you want to see all processes running in the system you have to do the following:

ps ax

The ps command gives very simple output, which I will explain in some other post. If you want to see how the commands "fight" for resources you can use the top command (use the key q to quit).

All processes are competing for the system resources, as you can see in the output of top, their priorities set by the Operating System based on a bunch of algorithms and certain hardware constraints. But you can be nice and start a process with low priority, if you are not in a hurry to get the output. That can be done with a command like the following:

nice command

where command means exactly that, the command you want to execute.

As explained in my previous post, in a Linux computer many processes can run at the same time. I wrote how to use the nice command to start a process with lower priority than usual. This simply means that the Operating System will consider that process as something that can wait for execution, in case several processes are competing for resources (memory, CPU, hard disk reading/writing, etc).

But suppose you have started a process (a command) and you want to make it run with lower priority than it currently has. How do you do that? Well, first of all, why would you want to do that? One reason could be that you want another process to finish fast, so you need to put other processes at low priority. One possible way to do it is by using the top command. Start it as follows, so you see only your processes:

top -u your-user-name

Look for the name of the process you want to slow down in the last column, then type r; top will ask you for the PID of the process, which is the first column in the output; type it. Then it will ask for the nice value you want to give to that process. Here you have to give a positive integer (the maximum is 19). The bigger the integer, the lower the priority and the slower the process will run when others compete with it.

Another way of making a process slow down is with a command as this:

renice integer process-number

Here integer is again the nice value (newer versions of renice also accept the form renice -n integer -p process-number). To get the process number use ps x as explained in the previous post.

What about making processes run faster? You would think that is natural, and giving a negative integer to top or renice would do that. Unfortunately only the superuser (root account) can do that by default. Note also that, for an ordinary user, raising the nice value is a one-way street: once you have made a process nicer you cannot lower its nice value again, not even back to what it was.
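As an added example (not code from the original post), here is how to confirm what top's r key or renice actually did, by reading the nice value straight from the kernel. This is Linux-specific: it uses /proc/PID/stat, whose 19th field is the nice value.

```shell
#!/bin/sh
# Added example, not part of the original post. Linux only: it reads
# /proc/PID/stat, whose 19th field is the nice value. The command name
# (field 2) is wrapped in parentheses and may contain spaces, so the
# fields are counted from the last ")" instead of from the start.

# nice_from_stat STAT_LINE: print the nice value held in one stat line.
nice_from_stat() {
    rest=${1##*\)}           # fields 3 onwards
    set -- $rest             # so field 19 of the file is $17 here
    echo "${17}"
}

# nice_of PID: print the current nice value of process PID.
nice_of() {
    nice_from_stat "$(cat "/proc/$1/stat")"
}

# Usage: renice 10 1234; nice_of 1234   (should now print 10)
```

The same field is what top shows in its NI column; reading it yourself is handy in a script that checks whether a long-running job was really demoted.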

Saturday, October 20, 2001

Converting Files to Postscript

a2ps (Anything to PostScript) is a program that converts files to PostScript, the language used for graphics and understood by many printers, especially laser printers. You might want to use a2ps for example to print "text files" (like email) on both sides of the paper on a printer with a duplex option. Or you can also use it to print "two pages in one," that is, reduce the size of each page by 50% and print two of them on a single sheet of paper.

Without any options you can use the command like this:

a2ps file-name

This will convert the file file-name into PostScript; the output goes to the terminal (standard output), which is not very useful unless you save it or pipe it somewhere. To save the output in a file you can do the following:

a2ps -o output-file file-name

To print the file directly (in a printer that understands PS) you could do this:

a2ps file-name | lpr -Pprinter-name

(I have not explained yet the lpr command; I will do it in a future post).

The above option (sending the file to a printer) can be done with an option of a2ps as follows:

a2ps -P printer-name file-name

There are many different options for a2ps. Here are some useful ones.

  1. -r to print in landscape mode, -R in portrait mode
  2. -1, -2, ..., -9 to have 1, 2, ..., 9 pages printed on a single sheet of paper (I find -2 and -4 the most useful options).
  3. -j to print borders around columns, --borders=no for no borders
  4. -B (or --no-header) for no header information (which usually contains the file name, user, date and things like that, printed at the top of the pages).
  5. --font-size=SIZE to use fonts of a certain SIZE
  6. -L NUM to scale fonts to print NUM lines per page
  7. -l NUM to scale fonts to print NUM columns per page
  8. -b TEXT to put TEXT as the header of the pages
  9. --left-title TITLE and --right-title TITLE to set titles at the left and right ends of the pages
  10. -c (--truncate-lines=yes) to cut long lines, --truncate-lines=no to wrap them
  11. -i (--interpret=yes) to interpret TAB and similar control characters, --interpret=no to print them as they are
  12. --print-anyway=yes or --print-anyway=no to force or not the printing of binary files
  13. -P printer-name to send output directly to the printer (via the printing program of your machine)
  14. -n NUM to print NUM copies of each page

You can look at the manual page for more information. I use a2ps in two different ways:

a2ps -r -2 -j --no-header -i file-name

a2ps -r -2 -j -i file-name

to print without and with headers respectively, "two pages in one" in landscape mode.

Wednesday, October 03, 2001

Cryptographic File System

Here I will explain how to use cfs, the Cryptographic File System. This is a file system (that is, a way of organizing files on the hard disk or other storage device) where all files are stored encrypted. I will not explain how to install cfs, since it requires a bit of background, and thus I leave it for a future post. But I will explain how to use it, assuming that it is installed on your machine.

To check if cfs is installed, run the command mount. You should see a file system named cfs or similar. For example, on my machine I get the following among many other output lines:

localhost:/var/lib/cfs/.cfsfs on /var/cfs type nfs

This means that cfs is mounted on the directory /var/cfs.

To store files in the cfs you need to make a directory with a special command, for example:

cmkdir crypted

This will create a directory called crypted that holds the encrypted files. You will be asked to enter (and confirm) a key that will be needed any time you want to work in that directory. The key should be at least 16 characters long (at least on my system). Warning: if you forget the key you will not be able to recover your files; not even the superuser can do it. So pick a complicated key, but one you can remember.

To write or edit files in encrypted form first you need to make the directory crypted "available" to cfs (attach it). That is done as in this example:

cattach crypted directory12345

The last word is a name of your choosing under which cfs will present the decrypted view of your directory. It can be any unique name, for example one based on a PID (whatever that is :-) ).

Now you can save files in encrypted form under the directory /var/cfs/directory12345. Do not work in the directory crypted but in the one you named in the attach command. Its full path has two parts, as you can see in the example: /var/cfs is the cfs mount point (the result of mount) and directory12345 is the name you gave.

Work on files in that directory as you work on files in any other directory. When you finish saving, editing, removing your files, you have to detach the directory with a command like this:

cdetach directory12345

Then the clear-text view disappears. The files themselves were always stored encrypted in the crypted directory; attaching only gives you a decrypted window on them, and while that window is open anything running as your user can read the files in clear, so detach as soon as you are done. With the directory detached your data is safe from other users' eyes.

Tuesday, September 25, 2001

File names with Special Characters

Sometimes, either by mistake, by downloading something from the Internet or for other reasons, you get files with non-standard characters in their names that can give you problems. Let me be more specific with a particular example: suppose you have a file called Important file, that is, the full name of the file is the words Important and file separated by a single space (I will also assume that this is the only file in the current directory, to avoid particular cases where the commands given below do not behave as I explain). If you want to see the file contents, say with less, the following command will not work:

less Important file

Instead of the contents of the file you will get an error from the system telling you that the files Important and file do not exist. This is because the space character is also used by the shell to separate words in the command line. So, in the above example, what the system understands is the command less applied to two files, called Important and file, which do not exist in your directory (remember I'm assuming that there is only one file in the current directory, with that "funny" name).

How can you get around this problem? Well, what you need to do is to give the space character as part of the file name, and not as a separator between file names. This is called quoting (or escaping) the space character. One possible way is by enclosing the file name in double quotation marks:

less "Important file"

You can do this with any other command, not only less. Another possible way is by putting a backslash (\) before the space, so the Operating System (rather, the shell) knows that the space is part of the name. The command in this case will be like this:

less Important\ file

There are other characters in file names that give trouble, for example names starting with hyphens (-). This is because most options for commands in Linux are introduced by a hyphen, for example rm -v and things like that. So a file called -myfile cannot be removed with this command:

rm -myfile

You will get an error message saying invalid option -- m from the command rm. What can you do? Here is one way out:

rm -- -myfile

The two hyphens tell the command that what comes after them are not options any longer but arguments, that is, the name of the file that you want to remove. Another way, which works even with the few commands that do not understand --, is to give the name with a directory part so that it no longer starts with a hyphen: rm ./-myfile. The same lesson applies when a script builds a command line from file names it did not choose, for instance names coming from a download or from a directory other people can write to: always quote them and put -- before them, or a file called -rf turns into an option.
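As an added example (not code from the original post), here is a small sh script that creates both awkward names in a throw-away directory and contrasts the unquoted command, which fails on each of them, with the quoted form using --, which removes them.

```shell
#!/bin/sh
# Added example, not part of the original post. It builds a throw-away
# directory holding the two awkward names from the post and shows that
# only the quoted form with "--" removes them.

# make_demo_dir: create the directory and print its path.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/Important file"     # a name with a space
    : > "$d/-myfile"            # a name starting with a hyphen
    echo "$d"
}

# unsafe_remove DIR NAME: the way that goes wrong (name unquoted, no --).
# "Important file" becomes two arguments and "-myfile" becomes an option.
# Returns 0 only if the file is really gone afterwards.
unsafe_remove() {
    (cd "$1" && rm $2) 2>/dev/null
    [ ! -e "$1/$2" ]
}

# remove_file DIR NAME: quote the name and end option parsing with --.
remove_file() {
    (cd "$1" && rm -- "$2") 2>/dev/null
    [ ! -e "$1/$2" ]
}
```

The check after each rm (is the file still there?) is the habit to keep in scripts: rm's own messages go to the terminal, but a script should verify the result rather than assume it.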

Tuesday, September 18, 2001

Comparing Files

Many times you have two versions of a file (e.g. if you edited it and saved it under different names, or one version from your system and another version of the file from another machine) and you need to know whether they are equal or not, and where they differ. There are a couple of commands that can help you with that: cmp and diff. Let's look at them.

The command cmp compares (thus the name) two files byte by byte and tells you whether they are equal or not. Use it like this:

cmp file-1 file-2

If the files are identical the output will be empty, meaning that no message is printed; nothing comes, you go back to your (shell) prompt. On the other hand, if the files are different, the output tells you the position of the first byte where they differ, something like this (newer versions say byte instead of char):

file-1 file-2 differ: char 5, line 1

Used without options cmp stops once it finds a different character (actually byte; you can use it on "binary" files) between the two files. You can give an option to cmp to get all differences, but the output might be a little more complicated to understand. Here is an example:

cmp -l file-1 file-2

The output in the files I was testing to write this is the following:

2 145 105
6 141 101

which tells me that bytes number 2 and 6 are different, and gives their values in octal. This is not much use by itself, but you can get a nicer output with this:

cmp -b -l file-1 file-2

The output in my case was the following:

2 145 e    105 E
6 141 a    101 A

That is much better: it says that byte 2 in the first file is a lower case e and an upper case E in the second file, and byte 6 in the first file is a lower case a while in the second file is an upper case A.

Another option of cmp is -n, used like this:

cmp -n 10 file-1 file-2

which will compare at most 10 bytes from each file (true, not much of use if you are not used to bytes and all that, but you can think in terms of characters, 1 byte = 1 character).

The other tool to compare (see differences between) files is diff. The output of this command is more useful than the output of cmp (however, you might find the output a little strange, with information that you do not want or understand, but that is because it can be used in programming, in things like patches, which I will not deal with for the time being). So if we ignore for now the parts we do not understand, we can use diff to check the differences between two files. Here is a basic example of how to use it:

diff file-1 file-2

The output shows the lines that are different between the two files. Lines from the first file are prefixed with < and lines from the second file with >; between groups of such lines you get a marker like 1c1, which says which line numbers are involved and whether the lines were changed (c), added (a) or deleted (d).

If your files are long I recommend you use diff together with less to be able to read the whole output, in this manner:

diff file-1 file-2 | less

The command diff has many useful options; here are some:

  1. -i: ignore case; in the above example you will not get any difference, since one file contains the word test and the other the word tEst, which differ only in upper/lower case.
  2. -E: ignore changes due to tab expansion
  3. -b: ignore changes in the amount of white space
  4. -w: ignore all white space, including TABS
  5. -B: ignore changes whose lines are all blank (that is, compare only lines that have characters)
  6. -q: report only whether the files differ (so diff behaves like cmp)
  7. -y: put the output in two columns, one for each file
  8. --suppress-common-lines: with -y, remove common lines from the output, showing only the lines that differ
  9. -l: pass the output through the program pr, similar to the example shown above with less (but a different "pager")
  10. -s: report when two files are identical (again, behaviour similar to cmp)

Your distribution might have another command called diff3 that can be used to compare three files. If you have the tk packages your distribution might also have installed tkdiff, which is a very nice graphical interface to diff (you have to use it under X).

Wednesday, September 12, 2001

File Settings

Here are a couple of commands, tac and touch.

I have never used the first one, but according to the manual page, and the tests I have done, tac is the reverse of cat, as the name suggests. It is used like this:

tac file-name

It will print the file on the screen (I mean, the terminal from which you are working, known as standard output) with the lines in reverse order, from the last line to the first.

The second command, touch, is more useful. It changes the timestamps of a file. Here is an example:

touch file-name

This will set the access time and the modification time to the current date and time of the computer. If you want to change only the access time give the option -a; to change only the modification time give the option -m.

If the file does not exist, then the command will create an empty file with the corresponding times.

You can change to any time (within the limits of the Operating System) with a command like this:

touch -t 200502011323 file-name

The format of the time (the number 200502011323 above) is YYYYMMDDhhmm (you can append .ss for seconds). Here is the explanation:

  1. YYYY: the year
  2. MM: the month
  3. DD: the day of the month
  4. hh: the hour
  5. mm: the minute

So the time given in the string 200502011323 is translated to 1st (DD=01) of February (MM=02) of 2005 (YYYY=2005), 1 PM (hh=13), 23 minutes (mm=23).

Why would you want to change the date of a file? Well, sometimes programs depend on the date (modification/access) of a file, and they will not run properly if the file is too new or too old. So using touch you can make the program work. It happens, for example, if your machine's clock gets messed up and a file ends up with a modification time in the future. The program make decides what to rebuild from the times of the Makefile and the source files; with times in the future it complains about clock skew and may rebuild things it should not; using touch you can fix the dates and get to business. The flip side is worth remembering: anyone with write permission on a file can give it any modification time they like, so the date shown by ls is not proof of when a file was really changed.
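As an added example (not code from the original post), here is the other side of that last remark. touch can set the modification time, but the inode change time (ctime) is maintained by the kernel and cannot be set from user space, so a file whose mtime is older than its ctime was touched, renamed, chmod-ed or otherwise altered after the date it claims. This assumes GNU stat with its -c format option; BSD and macOS stat use different flags.

```shell
#!/bin/sh
# Added example, not part of the original post. touch can set the
# modification time (mtime) to anything, but it cannot set the inode
# change time (ctime): the kernel updates that itself whenever the
# inode is written, including by touch. An mtime older than the ctime
# therefore means the file was touched, renamed, chmod-ed or similar
# after its claimed modification time. Assumes GNU stat (-c).

# set_mtime FILE YYYYMMDDhhmm: the touch -t form from the post.
set_mtime() {
    touch -t "$2" -- "$1"
}

# backdated FILE: 0 if FILE's mtime is earlier than its ctime, 1 if not,
# 2 if FILE cannot be examined.
backdated() {
    m=$(stat -c %Y -- "$1") || return 2
    c=$(stat -c %Z -- "$1") || return 2
    [ "$m" -lt "$c" ]
}

# Usage: backdated Makefile && echo "mtime was changed after the fact"
```

Treat the result as a hint rather than proof: a perfectly honest chmod or mv also bumps the ctime, and someone with root and control of the clock can arrange any values they want.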

Monday, September 03, 2001

Compressing files

Although nowadays computers come with lots of disk space, more than a regular user will ever need, sometimes it is good to be able to compress files to save disk space. That will give you more space for movies and other stuff :-) And many utilities are able to read and operate on compressed files, so it makes no difference to daily usage. Below are a few ways of compressing files.

  1. gzip, the GNU "zip" facility: use it as gzip file-name. Creates a compressed file with the name file-name.gz (the original file is removed). Uncompress with gunzip file-name.gz
  2. bzip2: the command is bzip2 file-name; the compressed file will be called file-name.bz2 (the original file is deleted). Uncompress with bunzip2 file-name.bz2
  3. tar: to archive lots of files, use it as

    tar cvf tar-file.tar file1 file2 file3 ...

    This will put the files file1 file2 file3 ... in a single archive file called tar-file.tar, without removing the original files (although you should delete them since, after all, you are trying to save disk space). The letters mean c for create, v for verbose and f for the archive file name that follows. The files in the archive can be extracted with the following command:

    tar xkvf tar-file.tar

    (x extracts; k keeps files that already exist instead of overwriting them.)
  4. tar and gzip: you can use gzip to compress a tar file, obtaining a file called something like tar-file.tar.gz. You can extract the individual files in the archive with this command:

    tar zxkvf tar-file.tar.gz
  5. zip: the utility much used on Windows machines, similar to tar and gzip together. You create a zip file with

    zip archive-name.zip file1 file2 file3 ...

    and recover the original files (which, again, you should have deleted) with

    unzip archive-name.zip

tar -tvf tar-file.tar lists the files inside a .tar without extracting anything. Do this before extracting any archive you did not make yourself: a tar or zip file can contain members with absolute paths or .. in their names, and a careless extraction then writes files outside the directory you expected.

I will explain in a future posts a little more about tar and perhaps another archiving utility, ar, but now time to work on something else.
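As an added example (not code from the original post), here is the "list before you extract" advice turned into an sh function: it reads the member names that tar tf prints, refuses absolute paths and any .. component, and only then extracts into a directory of your choosing. The sample archive in the usage is built on the spot.

```shell
#!/bin/sh
# Added example, not part of the original post. Lists an archive before
# extracting it and refuses members whose names are absolute or climb
# out of the target directory with "..". Modern GNU tar strips a
# leading "/" on its own, but not every tar or unzip does, and ".."
# members are the classic way to plant files where they do not belong.

# check_tar_listing: read member names on stdin (the output of tar tf),
# print each unsafe one, return 1 if any was found and 0 otherwise.
check_tar_listing() {
    bad=0
    while IFS= read -r name; do
        case "$name" in
            /*|..|../*|*/..|*/../*)
                echo "unsafe member: $name"; bad=1 ;;
        esac
    done
    return $bad
}

# safe_extract ARCHIVE DEST: extract ARCHIVE into DEST only if the
# listing is clean; DEST is created if needed.
safe_extract() {
    tar tf "$1" | check_tar_listing >&2 || return 1
    mkdir -p -- "$2" && tar xf "$1" -C "$2"
}

# Usage: safe_extract download.tar ./unpacked
```

Symbolic links inside the archive that point outside DEST are a second trap the listing alone does not show; tar tvf prints link targets, so the same idea can be extended to them.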

Friday, August 24, 2001

Split files

Sometimes you need to split a big file into a set of smaller ones, for example to send them by email. If the file is a "text" one and not too huge you can always try with an editor. But if the file contains non-printable characters (I mean, characters outside the ones used in daily writing) or it is too big, an editor is not a good way of dividing the file. There is a UNIX command that does this job: split. Used simply as in the example below it will divide the file into pieces, named in a pattern like xaa, xab, etc. Here is the example:

split file-name

There are options to split to control the way the file is divided:

  1. -b number-of-bytes will put at most that number of bytes on each of the smaller output files;
  2. -l number-of-lines is similar to the previous option, but with lines;
  3. -a number will use number of characters for the names of the output files, for example, if you do -a 3 your files will be called xaaa, xaab, etc;
  4. -d will use numbers for the names of the output files, like x00, x01, etc;
  5. –verbose will show you what output files are being written.

In some sense split is the opposite of cat: cat xaa xab xac ... > file-name puts the pieces back together in order, and cmp (see the post on comparing files) tells you whether the result is identical to the original.
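As an added example (not code from the original post), here is the round trip as sh functions: split into pieces of a given size, reassemble with cat, and check with cmp that nothing was lost. It assumes the default two-letter suffixes (xaa, xab, ...) and GNU split's -b option.

```shell
#!/bin/sh
# Added example, not part of the original post. Splits a file into
# pieces of a given size, puts them back together with cat, and uses
# cmp to prove the round trip lost nothing. Pieces are named
# PREFIXaa, PREFIXab, ... (the default two-letter suffix).

# split_file FILE SIZE PREFIX: split FILE into SIZE-byte pieces.
split_file() {
    split -b "$2" -- "$1" "$3"
}

# count_pieces PREFIX: print how many pieces exist.
count_pieces() {
    n=0
    for p in "$1"[a-z][a-z]; do
        [ -e "$p" ] && n=$((n + 1))
    done
    echo "$n"
}

# join_pieces PREFIX OUT: reassemble in name order (the order split used).
join_pieces() {
    cat "$1"[a-z][a-z] > "$2"
}

# round_trip FILE SIZE PREFIX: 0 if split + join reproduces FILE exactly.
round_trip() {
    split_file "$1" "$2" "$3" || return 1
    join_pieces "$3" "$1.joined" || return 1
    cmp -s -- "$1" "$1.joined"
}
```

The cmp at the end is the step people skip; when the pieces travelled by email or over a flaky link, it is the only thing that tells you the copy is whole.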

Saturday, August 18, 2001

Joining files

Suppose you have two files, say file1 and file2, which you want to put together in a single file, joint-file. There are two ways you might want to do that.
First, if you want file2 to be appended at the end of file1 you can execute this command:

cat file1 file2 > joint-file

On the other hand, if you want to join the files so that the lines of file2 are appended to the lines of file1, line by line, you can do

paste file1 file2 > joint-file

When might you need either of these options? Suppose each file has a list of users of your system and you want to put them together; then you can use cat. On the other hand, if your first file has the names of your users, and the second one their phone numbers (in the same order!), then you can use paste.

One thing to watch with paste: it does not stop when the shorter file ends. If the files have different numbers of lines, the remaining lines of the longer file still appear in the output, with an empty field where the other file ran out, and from that point on the columns no longer correspond to each other. Check the line counts with wc -l (see the post on word count) before pasting files that are supposed to match line by line.

Thursday, August 09, 2001

Beginning and end of a file

Sometimes you might want to see only the first or last few lines of a file. The commands head and tail allow you to do precisely that.

To see the first 10 lines of a file do:

head file-name

If you want any other number of lines, say 15, do as in this example (the older spelling head -15 also works with GNU head):

head -n 15 file-name

In case you prefer to see the first 30 bytes of a file you can do

head -c 30 file-name

You can give more than one file name in the command line.

You might wonder why you want to look at the beginning of a file. Let me give you an example: suppose you have several HTML files and you want to know if the first line (in each file) has the DOCTYPE information. Then you can look at the first line of each file with a command similar to this:

head -1 *.html

The command tail behaves in a similar way except that looks at the end of the file. So

tail file-name

will produce the last 10 lines of a file; called as

tail -n 15 file-name

will give the last 15 lines, while

tail -c 30 file-name

will give you the last 30 bytes of it.

There is one more useful option for tail; for example, if you do

tail -n +3 file-name

you will get all lines from the 3rd line of the file to the end (old versions also accept tail +3 file-name).

An example of usage of tail is to check that all your HTML files end with the closing </html> tag. You can check the last line of each file with a command like this:

tail -1 *.html
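As an added example (not code from the original post), here are the two HTML checks from this post as sh functions that print the files failing them, using head -n 1 and tail -n 1, the portable spellings of head -1 and tail -1. The quoting of "$f" matters for the reasons given in the post on file names with special characters.

```shell
#!/bin/sh
# Added example, not part of the original post: the two HTML checks from
# the post as functions that report the files failing them. head -n 1
# and tail -n 1 are the portable spellings of head -1 and tail -1.

# missing_doctype DIR: print the .html files in DIR whose first line does
# not start with <!DOCTYPE; return 0 if all files pass, 1 otherwise.
missing_doctype() {
    bad=0
    for f in "$1"/*.html; do
        [ -e "$f" ] || continue           # no .html files at all
        case "$(head -n 1 -- "$f")" in
            '<!DOCTYPE'*|'<!doctype'*) ;;
            *) echo "$f"; bad=1 ;;
        esac
    done
    return $bad
}

# missing_end_tag DIR: the same for files whose last line lacks </html>.
missing_end_tag() {
    bad=0
    for f in "$1"/*.html; do
        [ -e "$f" ] || continue
        case "$(tail -n 1 -- "$f")" in
            *'</html>'*) ;;
            *) echo "$f"; bad=1 ;;
        esac
    done
    return $bad
}
```

Both functions return a non-zero status when something is wrong, so they can be used directly in a Makefile or a pre-commit check.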

Friday, August 03, 2001

Finding Duplicate Lines in a file ...

The command uniq prints a file with consecutive repeated lines collapsed into one:

uniq file-name

There are some options you can give to uniq:

  1. -c will count the number of repetitions of lines
  2. -d will do the "opposite" of the normal behaviour, namely will print out only the duplicate lines
  3. -i will ignore cases during comparison

Note that uniq only looks at adjacent lines, so to get the unique lines of an unsorted file you have to sort it first, as in sort file-name | uniq. In the same way you can use it to get unique lines in the output of other commands.

Wednesday, August 01, 2001

Word Count in a file

Another command related to the contents of files is wc. It is used to count the number of lines, words and characters in a file. If you use it like this example you will get the number of lines, words and bytes (characters in a "text" file) of a file

wc file-name

To get only one of the three counts you have to give an option:

  1. For lines output:

    wc -l file-name
  2. For words output:

    wc -w file-name
  3. For bytes (characters in a "text" file):

    wc -c file-name

Another interesting option gives you the length of the longest line in the file:

wc -L file-name

You can give more than one file name on your command line; the output will have the file name appended to each file's counts, followed by a total line.

Tuesday, July 31, 2001

Sorting files

Sometimes we save data in a certain order but we would like to read it in another order. I mean, we want to sort it :-) So here comes the sort command to the rescue...

sort file-name

This will sort the file and list the result on the terminal, but will not save it.

To save the sorted result back into the file:

sort -o file-name file-name

This will save the output.

Needless to say this last example will overwrite the unsorted (original) file, so be careful when you use it.

You can sort things other than files. What I mean is that you can use sort to sort the output of other commands. For example, if you want to know the disk usage of all your directories you can try something like the following:

du -s * | sort -n

The du -s * tells the computer to find the disk usage of each file/subdirectory (and not to give the output for sub-subdirectories…, just one number per file/directory). Then the vertical line (called a pipe) says that the output of du should be used as the input of the next command. That next command tells sort to sort numerically. Since the output of du is a number (disk usage) and the name of the file, sort will order the directories according to the disk space they use.

By default sort uses blanks (spaces, tabs, etc.) to differentiate between fields/words. Some times files store data with other characters to separate fields; for example the /etc/passwd file stores user information with the fields separated by colons (:). You can use the -t option to sort with colons as the separator. For example, entries in the password file have the following form:

user name:encrypted password:user id:group id:user real name:home directory:login shell

If you want to sort the password file by UIDs then you can try this:

sort -t : +2 -n /etc/passwd

Here is the explanation of the options:
  1. -t : says that the separation of fields is marked by colons;
  2. +2 says that sorting should start at the third field, that is the uid
  3. -n asks for numerical sorting (uids are numbers).
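As an added example (not part of the original post), the same sort by UID written with the -k key syntax that replaced the old +2 form, plus a uniq -d pass that reports UIDs shared by more than one account; the passwd-style sample file is constructed here, not a real /etc/passwd:

```shell
#!/bin/sh
# Added example, not from the original post. The sample passwd file is
# constructed; nothing here reads the real /etc/passwd.
set -eu

PASSWD_SAMPLE="${TMPDIR:-/tmp}/passwd.sample.$$"
trap 'rm -f "$PASSWD_SAMPLE"' EXIT
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
sriram:x:500:500:Sriram:/home/sriram:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
guest:x:501:501:Guest:/home/guest:/bin/bash
EOF

# Same as the post's "sort -t : +2 -n", in the -k form: the key is field 3
# only (the UID), compared numerically. "-k 3" alone would extend the key
# to the end of the line, which is rarely what is wanted.
sort_by_uid() {
    sort -t : -k 3,3n "$1"
}

# UIDs used by more than one account. uniq -d only reports repeats that are
# adjacent, so the UID column is sorted before it is passed to uniq.
duplicate_uids() {
    cut -d : -f 3 "$1" | sort -n | uniq -d
}

# Every account with UID 0 is root to the kernel, whatever its name.
uid0_accounts() {
    awk -F : '$3 == 0 { print $1 }' "$1" | sort
}

echo "== accounts sorted by UID =="
sort_by_uid "$PASSWD_SAMPLE"
echo "== UIDs shared by several accounts =="
duplicate_uids "$PASSWD_SAMPLE"
echo "== accounts with UID 0 =="
uid0_accounts "$PASSWD_SAMPLE"
```

Point the same functions at /etc/passwd to check a live system; a second UID 0 entry is something to investigate.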

Saturday, July 28, 2001

Understand the Configuration Files in Linux

This article explains configuration files on a Linux system that control user permissions, system applications, daemons, services, and other administrative tasks in a multi-user, multi-tasking environment. These tasks include managing user accounts, allocating disk quotas, managing e-mails and newsgroups, and configuring kernel parameters. This article also classifies the config files present on a Red Hat Linux system based on their usage and the services they affect.


Every Linux program is an executable file holding the list of opcodes the CPU executes to accomplish specific operations. For instance, the ls command is provided by the file /bin/ls, which holds the list of machine instructions needed to display the list of files in the current directory onto the screen. The behaviour of almost every program can be customized to your preferences or needs by modifying its configuration files.

Is there a standard configuration file format in Linux?

In a word, no. Users who are new to Linux (rightly) feel frustrated that each configuration file looks like a new challenge to figure out. In Linux each programmer is free to choose the configuration file format he or she prefers. Format options range from the /etc/shells file, which contains a list of possible shells separated by a newline, to Apache's complex /etc/httpd.conf file.

What are system configuration files?

The kernel itself may be considered a "program." Why does the kernel need configuration files? The kernel needs to know the list of users and groups in the system, and manage file permissions (that is, determine if a file can be opened by a specific user, according to the permissions, UNIX_USERS). Note that these files are not specifically read by programs, but by a function provided by a system library, and used by the kernel. For instance, a program needing the (encrypted) password of a user should not open the /etc/passwd file. Instead, it should call the system library function getpw(). This kind of function is also known as a system call. It is up to the kernel (through the system library) to open the /etc/passwd file and after that, search for the password of the requested user.

Most of the configuration files in the Red Hat Linux system are in the /etc directory unless otherwise specified. The configuration files can be broadly classified into the following categories:

Access files

/etc/host.conf Tells the network domain server how to look up hostnames. (Normally /etc/hosts, then name server; it can be changed through netconf.)
/etc/hosts Contains a list of known hosts (in the local network). Can be used if the IP of the system is not dynamically generated. For simple hostname resolution (to dotted notation), /etc/host.conf normally tells the resolver to look here before asking the network nameserver, DNS or NIS.
/etc/hosts.allow Man page same as hosts_access. Read by tcpd at least.
/etc/hosts.deny Man page same as hosts_access. Read by tcpd at least.

Booting and login/logout

/etc/issue & /etc/issue.net These files are read by mingetty (and similar programs) to display a "welcome" string to the user connecting from a terminal (issue) or through a telnet session (issue.net). They include a few lines stating the Red Hat release number, name, and Kernel ID. They are used by rc.local.
/etc/redhat-release Includes one line stating the Red Hat release number and name. Used by rc.local.
/etc/rc.d/rc Normally run for all run levels with the level passed as argument. For example, to boot your machine in graphics mode (X server), run the following command from your command line: init 5. Runlevel 5 starts the system in graphics mode.
/etc/rc.d/rc.local Not official. May be called from rc, rc.sysinit, or /etc/inittab.
/etc/rc.d/rc.sysinit Normally the first script run for all run levels.
/etc/rc.d/rcX.d Scripts run from rc (X stands for any number from 1 to 5). These directories are "run-level" specific directories. When a system starts up, it identifies the run-level to be initiated, and then it calls all the startup scripts present in the specific directory for that run-level. For example, the system usually starts up and the message "entering run-level 3" is shown after the boot messages; this means that all the init scripts in the directory /etc/rc.d/rc3.d/ will be called.

File system

The kernel provides an interface to display some of its data structures that can be useful for determining system parameters like interrupts used, devices initialised, memory statistics, etc. This interface is provided as a separate but dummy filesystem known as the /proc filesystem. Many system utilities use the values present in this filesystem for displaying system statistics. For example, the file /proc/modules lists the currently loaded modules in the system. This information is read by the command lsmod, which then displays it in a human readable format. In the same way, the file mtab specified in the following table reads the /proc/mount file, which contains the currently mounted filesystems.

/etc/mtab This changes continuously as the file /proc/mount changes. In other words, when filesystems are mounted and unmounted, the change is immediately reflected in this file.
/etc/fstab Lists the filesystems currently "mountable" by the computer. This is important because when the computer boots, it runs the command mount -a, which takes care of mounting every file system marked with a "1" in the next-to-last column of fstab.
/etc/mtools.conf Configuration for all the operations (mkdir, copy, format, etc.) on a DOS-type filesystem.

System administration

/etc/group Contains the valid group names and the users included in the specified groups. A single user can be present in more than one group if he performs multiple tasks. For example, if a user is the administrator as well as a member of the project group "project1", then his entry in the group file will look like: user: * : group-id : project1
/etc/nologin If the file /etc/nologin exists, login(1) will allow access only to root. Other users will be shown the contents of this file and their logins refused.
/etc/passwd See "man passwd". Holds some user account info including passwords (when not "shadowed").
/etc/rpmrc rpm command configuration. All the rpm command line options can be set together in this file so that all of the options apply globally when any rpm command is run on that system.
/etc/securetty Contains the device names of tty lines (one per line, without leading /dev/) on which root is allowed to login.
Contains the encrypted password information for users' accounts and optionally the password aging information. Included fields are:
  • Login name
  • Encrypted password
  • Days since Jan 1, 1970 that password was last changed
  • Days before password may be changed
  • Days after which password must be changed
  • Days before password is to expire that user is warned
  • Days after password expires that account is disabled
  • Days since Jan 1, 1970 that account is disabled
/etc/shells Holds the list of possible "shells" available to the system.
/etc/motd Message Of The Day; used if an administrator wants to convey some message to all the users of a Linux server.


/etc/gated.conf Configuration for gated. Used only by the gated daemon.
/etc/gated.version Contains the version number of the gated daemon.
/etc/gateway Optionally used by the routed daemon.
/etc/networks Lists names and addresses of networks accessible from the network to which the machine is connected. Used by the route command. Allows use of a name for a network.
/etc/protocols Lists the currently available protocols. See the NAG (Network Administrators Guide) and man page. C interface is getprotoent. Should never change.
/etc/resolv.conf Tells the kernel which name server should be queried when a program asks to "resolve" an IP Address.
/etc/rpc Contains instructions/rules for RPC, which can be used in NFS calls, remote file system mounting, etc.
/etc/exports The file systems to be exported (NFS) and the permissions for them.
/etc/services Translates network service names to port number/protocol. Read by inetd, telnet, tcpdump, and some other programs. There are C access routines.
/etc/inetd.conf Config file for inetd. See the inetd man page. Holds an entry for each network service for which inetd must control daemons or other servers. Note that services will be running, but comment them out in /etc/services so they will not be available even if running. Format:
/etc/sendmail.cf The Mail program sendmail's configuration file. Cryptic to understand.
/etc/sysconfig/network Indicates NETWORKING=yes or no. Read by rc.sysinit at least.
/etc/sysconfig/network-scripts/if* Red Hat network configuration scripts.

System commands

System commands are meant exclusively to control the system, and make everything work properly. All the programs like login (performing the authentication phase of a user on the console) or bash (providing the interaction between a user and the computer) are system commands. The files associated with them are therefore particularly important. This category has the following files of interest to users and administrators.

/etc/lilo.conf Contains the system's default boot command line parameters and also the different images to boot with. You can see this list by pressing Tab at the LILO prompt.
/etc/logrotate.conf Maintains the log files present in the /var/log directory.
/etc/identd.conf Identd is a server that implements the TCP/IP proposed standard IDENT user identification protocol as specified in the RFC 1413 document. identd operates by looking up specific TCP/IP connections and returning the user name of the process owning the connection. It can optionally return other information instead of a user name. See the identd man page.
/etc/ for the Dynamic Linker.
/etc/inittab This is chronologically the first configuration file in UNIX. The first program launched after a UNIX machine is switched on is init, which knows what to launch, thanks to inittab. It is read by init at run level changes, and controls the startup of the main process.
/etc/termcap A database containing all of the possible terminal types and their capabilities.


A daemon is a program running in non-interactive mode. Typically, daemon tasks are related to the networking area: they wait for connections, so that they can provide services through them. Many daemons are available for Linux, ranging from Web servers to ftp servers.

/etc/syslogd.conf The configuration file for the syslogd daemon. syslogd is the daemon that takes care of logging (writing to disk) messages coming from other programs to the system. This service, in particular, is used by daemons that would not otherwise have any means of signaling the presence of possible problems or sending messages to users.

The configuration file for Apache, the Web server. This file is typically not in /etc. It may be in /usr/local/httpd/conf/ or /etc/httpd/conf/, but to make sure, you need to check the particular Apache installation.
/etc/conf.modules or /etc/modules.conf The configuration file for kerneld. Ironically, it is not the kernel "as a daemon". It is rather a daemon that takes care of loading additional kernel modules "on the fly" when needed.

User programs

In Linux (and UNIX in general), there are countless "user" programs. A very common user program config file is /etc/lynx.cfg. This is the configuration file for lynx, the well-known textual browser. Through this file you can define the proxy server, the character set to use, and so on. The following code sample shows a part of the lynx.cfg file that can be modified to change the proxy settings of the Linux system. These settings apply (by default) to all the users running lynx in their respective shells, unless a user overrides the default config file by specifying --cfg="mylynx.cfg".

Proxy settings in /etc/lynx.cfg

.h1 proxy
# Lynx version 2.2 and beyond supports the use of proxy servers that can act as
# firewall gateways and caching servers. They are preferable to the older
# gateway servers. Each protocol used by Lynx can be mapped separately using
# PROTOCOL_proxy environment variables (see Lynx Users Guide). If you have
# not set them externally, you can set them at run time via this configuration file.
# They will not override external settings. The no_proxy variable can be used
# to inhibit proxying to selected regions of the Web (see below). Note that on
# VMS these proxy variables are set as process logicals rather than symbols, to
# preserve lowercasing, and will outlive the Lynx image.
.ex 15

# The no_proxy variable can be a comma-separated list of strings defining
# no-proxy zones in the DNS domain name space. If a tail substring of the
# domain-path for a host matches one of these strings, transactions with that
# node will not be proxied.
.ex, demiurge

Changing configuration files

When changing a configuration file, make sure that the program using that configuration is restarted if it's not controlled by the system administrator or the kernel. A normal user doesn't usually have privileges to start or stop system programs and/or daemons.

The kernel

Changing configuration files in the kernel immediately affects the system. For example, changing the passwd file to add a user immediately enables that user. Also there are some kernel tunable parameters in the /proc/sys directory on any Linux system. The write-access to all these files is given only to the super-user; other users have only readonly access. The files in this directory are classified in the same manner as the Linux kernel source. Every file in this directory represents a kernel data structure that can be dynamically modified to change the system performance.

Note: Before changing any value in any of these files, make sure you know everything about the file to avoid irreparable damage to the system.
Files in the /proc/sys/kernel/ directory

File name Description
threads-max The maximum number of tasks the kernel can run.
ctrl-alt-del If 1, then pressing this key sequence cleanly reboots the system.
sysrq If 1, then Alt-SysRq is active.
osrelease Displays the release of the operating system.
ostype Displays the type of the operating system.
hostname The host name of the system.
domainname Network domain of which the system is a part.
modprobe Specifies whether modprobe should be automatically run at startup, and load the necessary modules.

Daemons and system programs

A daemon is a program that is always running in background, quietly carrying out its task. Common ones are in.ftpd (ftp server daemon), in.telnetd (telnet server daemon), and syslogd (system logging daemon). Some daemons, while running, keep a close watch on the configuration file and reload it automatically when it changes. But most of the daemons do not reload automatically. We need to "tell" them somehow that the configuration file has changed and that it should be reloaded. This can be achieved (on Red Hat Linux systems) by restarting the services using the service command.

For example, if we have changed the network configuration, we need to issue:
service network restart

Note: The services are most commonly the scripts present in the /etc/rc.d/init.d/* directory and are started by init when the system is booted. So, to restart a service you can also do the following:
/etc/rc.d/init.d/ start | stop | status
start, stop, and status are the values that these scripts take as input to perform the action.

User programs

A user or system program reads its configuration file every time it is launched. Remember, though, that some system programs are spawned when the computer is turned on, and their behaviour depends on what they read in the configuration files in /etc/. So, the first time a user program is started, the default configuration is read from the files present in the /etc/ directory. Later, the user can customise the programs by using rc and . (dot) files as explained in the next section.

User configuration files: . (dot) files and rc files

We have seen how programs can be easily configured. But what if someone does not like the way a program has been configured in /etc/? A "normal" user cannot simply go into /etc and change the configuration files; they are owned -- from the filesystem's point of view -- by root! This is why most user programs define two configuration files: the first one at a "system" level, located in /etc/; and the other one, "private" to the user, that can be found in his or her home directory.

For example, in my system I have installed the very useful wget utility. In /etc/ there is an /etc/wgetrc file. In my home directory, there is a file named .wgetrc, which describes my customised configuration (which will be loaded only when I, the user, run the wget command). Other users may also have the .wgetrc file in their home directory (/home/other); this file will be read, of course, only when that user runs the wget command. In other words, the /etc/wgetrc file provides "default" values for wget, while the /home/xxx/.wgetrc file lists the "customisations" for a certain user. It is important to understand that this is the "general rule," and is not necessarily true for all cases. A program like pine, for instance, does not have any files in /etc/, but only the custom configuration in the users' home directory, in a file named .pinerc. Other programs may only have a default configuration file in /etc/, and may not let users "customize" them (it's the case with only a few of the config files in the /etc dir.).

Commonly used rc and . (dot) files

Filename Description
~/.bash_login Look at "man bash". Treated by bash like ~/.bash_profile if that doesn't exist.
~/.bash_logout Look at "man bash".Sourced by bash login shells at exit.
~/.bash_profile Sourced by bash login shells after /etc/profile.
~/.bash_history The list of commands executed previously.
~/.bashrc Look at "man bash". Sourced by bash non-login interactive shells (no other files are). Non-interactive shells source nothing unless BASH_ENV or ENV are set.
~/.emacs Read by emacs at startup.
If this contains an e-mail address, then all mail to owner of ~ will be forwarded to that e-mail address.
~/.fvwmrc ~/.fvwm2rc Config files for fvwm and fvwm2 (the basic X Window manager).
~/.hushlogin Look at "man login". Causes a "quiet" login (no mail notice, last login info, or MOTD).
~/.mail.rc User init file for mail program.
~/.ncftp/ Directory for ncftp program; contains bookmarks, log, macros, preferences, trace. See man ncftp. The purpose of ncftp is to provide a powerful and flexible interface to the Internet standard File Transfer Protocol. It is intended to replace the stock ftp program that comes with the system.
~/.profile Look at "man bash". Treated by bash like ~/.bash_profile if that and ~/.bash_login don't exist, and used by other Bourne-heritage shells too.
~/.pinerc Pine configuration
~/.muttrc Mutt configuration
~/.exrc Configuration of vi can be controlled by this file.
Example: set ai sm ruler
Writing the above line in this file makes vi set the auto-indentation, matching brackets and displaying line number and rows-columns options.
~/.vimrc Default "Vim" configuration file. Same as .exrc.
~/.gtkrc GNOME Toolkit.
~/.kderc KDE configuration.
~/.netrc Default login names and passwords for ftp.
~/.rhosts Used by the r-tools: rsh, rlogin, etc. Very weak security since host impersonation is easy.
  1. Must be owned by user (owner of ~/) or superuser.
  2. Lists hosts from which users may access this account.
  3. Ignored if it is a symbolic link.
~/.rpmrc See "man rpm". Read by rpm if /etc/rpmrc is not present.
~/.signature Message text that will be appended automatically to the mail sent from this account.
~/.twmrc Config file for twm (The Window Manager).
~/.xinitrc Read by X at startup (not by xinit script). Mostly starts some progs.
Example: exec /usr/sbin/startkde
If the above line is present in this file, then the KDE Window Manager is started when the startx command is issued from this account.
~/.xmodmaprc This file is passed to the xmodmap program, and could be named anything (~/.Xmodmap and ~/, for example).
~/.xserverrc Run by xinit as the X server if it can find X to execute.
~/News/Sent-Message-IDs Default mail history file for gnus.
~/.Xauthority Read and written by xdm program to handle authorization. See the X, xdm, and xauth man pages.
Read by X applications during startup on hostname. If the -hostname file can't be found, .Xdefaults is looked for.
~/.Xmodmap Points to .xmodmaprc; Red Hat had (has) .xinitrc using this name.
~/.Xresources Usually the name for the file passed to xrdb to load the X resources database, to avoid the need for applications to read a long .Xdefaults file. (~/.Xres has been used by some.)


User's old mail.

Friday, July 13, 2001

Vi Editor Quick Reference

n = number
c = character
(cr) = Return
del = delete

Cursor Movement Through Text:

l = character right
h = character left
j = down a line
k = up a line
w = word right
b = word left
0 = beginning of line
$ = end of line
( = beginning of sentence
) = end of sentence
{ = beginning of paragraph
} = end of paragraph
[[ = beginning of section
]] = end of section
G = end of file
nG = move to line n
- = beginning of next line up
+ or cr = start of next line down

Cursor Movement Through File:

nH = to top line down offset
nL = to bottom line up offset
M = to middle line
CTRL d = scroll down
CTRL u = scroll up
CTRL f = scroll forward 1 screen
CTRL b = scroll back 1 screen
CTRL e = scroll forward 1 line
CTRL y = scroll back 1 line
CTRL E = scroll forward,leave cursor
CTRL Y = scroll back,leave cursor

Text Operations:

d( = delete, cursor to start(sentence)
d) = delete, cursor to end(sentence)
x or dSPACE = delete a character
db = delete previous word
dw = delete a word
d0 = delete, cursor to start(line)
dd = delete a line
D = delete, cursor to end(line)
nJ = join n lines
i(cr) or a(cr) = split a line
. = repeat last command
u = undo last command
U = undo all commands to this line

Text Block Moving in Command Mode:

Marking and Returning:
mx = mark current line (x=some letter a-t)
`x = return to position prior to present position
'x = return to start of line marked x
'' = return to position prior to commands /, ?, or G
d`x or d'x = del from here to mark x

Placing in buffer (unnamed & named)
y = yank from here to endpoint, if # given include lines
nyw = yank n words
nyy or nY = yank n lines
"anY = yank n lines, place in named buffer a, (a thru t)

Retrieving from buffer
p = put buffer contents after/below cursor
P = put buffer contents before/above cursor
"ap = put buffer a 's contents after cursor (a -t)
"np = recover the last 1-9 deletions of text
p = recover last deleted text, place after cursor
P = recover last deleted text, place before cursor

Buffer types
% = current buffer
# = alternate buffer
1 - 9 = buffers holding last 9 yanks/deletions
a - z = buffers holding explicit yanks/deletions
A - Z = buffers holding explicit yanks/deletions;
contents appended to
:m,nco# = copy lines m thru n after line #
:m,nm# = move lines m thru n after line #
>L = shift lines right 1 shiftwidth (23 line max, cursor line and below)
>> = shift 1 line right 1 shiftwidth
#>> = shift # lines right 1 shiftwidth
<< = shift 1 line left 1 shiftwidth
#<< = shift # lines left 1 shiftwidth

Insert Mode or Text Mode from Command Mode:

r = replace a single character
R = replace; text overwrite from here to
i = insert before cursor
I = insert at front of line
a = append after cursor
A = append at end of line
o = open a line below
O = open a line above
s = substitute a character
S = substitute text with text
c = change from here to
cc = change # of lines
C = change from here to rest of line; if # given, then # following lines also
CTRL t = shift right 1 shiftwidth (ai set)
CTRL d = shift left 1 shiftwidth (ai set)
CTRL v = quote(esc) next special character

Adding Text, Command Mode to Text Mode:

ncw = changes n words after cursor
C = change from cursor to end of line
ncc = changes n lines beginning with cursor line

Search Commands from Command Mode:

CTRL g = find current line status
/word = find next occurrence of word, forward search
/ = find last requested searched for word
// or n = find next occurrence of the last searched for word
?word = find previous occurrence of word, backward search
N = search backwards for previous occurrence of last searched word
fc = find character c on current line
Fc = find previous c on current line
; = go to next/previous character on same line

Search patterns:

^ = first word of line
$ = end of line
. = any one character
.* = any characters
\< = beginning of word
\> = end of word
\ = next char literally
[a-z] = any character in range a-z
[str] = any chars in string
[^str] = any char not in string

Global Substitution from Command Mode:

:g/s1/p = prints all lines with string "s1"
:g/^/s//string = prepend to each line
:g/$/s//string = append to each line
:g/s1/s//s2/ = sub 1st occurrence "s1" with "s2" on all lines
:g/s1/s//s2/g = sub all occurrences, all lines
:g/s1/s//s2/gc = " " " / " " , interactively
:g/\(ab\)\(cd\)/s//\2\1/g = swap patterns using numeric position variable, all
:g/\(ab\)\(.\)/s//\2\1/g = swap patterns using numeric position variable, all, without naming 2nd variable ( . = any character)

File Manipulation from Command Mode:

!}fmt = format this paragraph
:w filename = writes contents to specified file
:w ! spell | fmt = To just see spelling errors:
:$r !spell % | fmt = To append spelling errors to buffer
:w !lpr = print the version currently in the edit buffer
:r filename = reads contents of filename into buffer after cursor
:r !cmd = read output of a command into buffer after cursor
:!cmd = execute ULTRIX commands in vi/ex mode
:!! = execute last shell cmd
:!lpr % = print it without leaving the editor
:pre or :w /var/tmp = use this when OUT of file system space and can't write the file normally, or look for owner id in /usr/preserve or /var/tmp

To Exit:

Insert Mode to Command Mode: ESC
To save text and QUIT: ESC then ZZ
ESC then :wq (cr)
ESC then :x (cr)
To rename file: ESC then :f (cr)
To save text only: ESC then :w (cr)
To overwrite file ESC then :w! (cr)
To abort text: ESC then :q! (cr)
To edit next file in queue: ESC then ZZ then :n

For file recovery after an editor, system, or disk-full crash, return to the directory where the file was opened and enter:

vi -r file

To start vi at line #x:

vi +x filename

To start vi at string, first occurrence:
vi +/string file

The following options can be setup in an .exrc file, or for each vi session (only):

noautoindent nonumber
autoprint open
noautowrite nooptimize
nobeautify paragraphs=IPLPPPQPP LIpplpipbp
directory=/tmp prompt
noedcompatible noreadonly
noerrorbells redraw
hardtabs=8 remap
ignorecase report=5
nolisp scroll=11
nolist sections=NHSHH HUnhsh
magic shell=/bin/csh
mesg shiftwidth=8
nomodeline noshowmatch
noslowopen tags=tags /usr/lib/tags
tabstop=8 taglength=0
term=vt100 noterse
ttytype=vt100 timeout
window=23 warn
wrapscan wrapmargin=1
nosourceany nowriteany

Wednesday, July 04, 2001

Broadcast Messages from Linux Server to Windows Host

Oh ;)

You can use samba and smbclient to do this:

cat message.txt | smbclient -M COMPUTERNAME

I don't think you can do a workgroup-wide broadcast message; you have to specify each windows box in the workgroup by name, but that should be easy enough with a simple script.

How do I send a pop-up message?
A. The syntax of the net send command is:

net send {name | * | /domain[:name] | /users} message
To send a pop-up to all users in your domain, type:

net send /domain This is a message.
Note: Windows NT-based clients run the Messenger service by default. Other Windows clients must be running Winpopup.exe to receive the message.

net send sriram hello - will send hello to Sriram, if he is logged on

net send /users hello will send hello to all users that are connected
to your computer.

Date reformatting in UNIX (useful when you need to send file with timestamp)

Here is one way of reformatting the date:

date '+%m%d%Y_%H%M%S' to get the date in the format 10052004_114643

The usage takes the form:
$ datetail=`date '+%m%d%Y_%H%M%S'`
$ echo $datetail

Saturday, June 16, 2001

How To IPtables


1) How do I forward port 21 requests from the external interface (eth1)/( to an internal system on my LAN- ?

i.e. whenever a request for port 21 comes on the external interface it should be forwarded to on my local LAN.

#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to-destination


iptables -t nat -A PREROUTING -p tcp -d --dport 80 -j DNAT --to-destination

here packets arriving for on port 80 will be forwarded to the range of IP addresses to

The above command will forward requests coming for on port 21 to a different system on the LAN (

The same way you can add a rule for eth0

You can also redirect to a different port number with --to-destination

Redirect ports on internal machine

#iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

i.e. requests coming on 80 will be forwarded to 8080

Thursday, June 14, 2001

Hardening a UNIX System

How-TO Harden Linux System

  1. First step: make sure nobody is able to change any important system files

like /etc/passwd and /etc/shadow:

#chattr +i /etc/passwd

#chattr +i /etc/shadow

#chattr +i /etc/group

#chattr +i /etc/gshadow

#chattr +i /etc/services

#chattr +i /etc/xinetd.conf or /etc/inetd.conf

#chattr +i /etc/login.defs

#lsattr /etc/passwd

This will list whether the immutable attribute (or any other chattr attribute) is set on the /etc/passwd file.

The +i option makes the file /etc/passwd immutable, which means you won't be able to edit the file.

To remove the immutable attribute use

#chattr -i /etc/passwd

After setting the above attribute on the passwd and shadow files you won't be able to add any user.

Note: make sure you run chattr -i /etc/passwd if you want to add any user or if you run a script that adds users.

Or else it will throw an error like

useradd: Unable to open the passwd file.
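As an added example (not from the original post), a small audit that reads lsattr output and reports which of the files listed in this step still lack the immutable attribute; the lsattr lines are constructed so it runs without root or an ext filesystem:

```shell
#!/bin/sh
# Added example, not from the original post. lsattr prints the attribute
# flags and then the path, one file per line, for instance:
#   ----i---------e------- /etc/passwd
# The sample output below is constructed so the script runs anywhere.
set -eu

# The files the hardening step above protects with chattr +i.
CRITICAL_FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services /etc/login.defs"

# line_is_immutable LSATTR_LINE: 0 if the flag field contains 'i'.
line_is_immutable() {
    flags=${1%% *}            # first field, up to the first space
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# classify_lsattr: lsattr output on stdin -> "path immutable|mutable" lines.
classify_lsattr() {
    while read -r flags path; do
        if line_is_immutable "$flags $path"; then
            printf '%s immutable\n' "$path"
        else
            printf '%s mutable\n' "$path"
        fi
    done
}

# missing_immutable: lsattr output on stdin -> paths still lacking 'i'.
missing_immutable() {
    classify_lsattr | awk '$2 == "mutable" { print $1 }'
}

# suggest_chattr: lsattr output on stdin -> the chattr commands still needed.
suggest_chattr() {
    missing_immutable | sed 's#^#chattr +i #'
}

# Constructed lsattr output: three of the six files are not yet immutable.
SAMPLE_LSATTR='----i---------e------- /etc/passwd
----i---------e------- /etc/shadow
--------------e------- /etc/group
----i---------e------- /etc/gshadow
--------------e------- /etc/services
--------------e------- /etc/login.defs'

printf '%s\n' "$SAMPLE_LSATTR" | classify_lsattr
printf '%s\n' "$SAMPLE_LSATTR" | suggest_chattr
# On a live system (as root, on an ext2/ext3 filesystem) the same check is:
#   lsattr $CRITICAL_FILES | suggest_chattr
```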

  2. Step No 2: Disable root access

Do not allow root access from any terminal:

Edit the file /etc/securetty

Hash out all the terminals mentioned; this will not allow root access from any terminal.

You will have to log in as a normal user and then su to root.

  3. Step No 3: Resolver Library

If you are not running a DNS server then make sure the resolver checks the /etc/hosts file first and then DNS.

For this edit the /etc/host.conf file:

#Lookup names via /etc/hosts then fall back to DNS

order hosts,bind

#If you have machines with multiple IP Addresses

multi on

#The above option, multi on, specifies that a host listed in /etc/hosts may have multiple IP addresses (all of them are returned, not just the first)

# Check for IP Address Spoofing

nospoof on

# nospoof on tells the resolver to reject spoofed host names: after an address lookup it resolves the address back to a name, and if the two names do not match the query fails. This option must be set to on for all servers.


STEP 4 – TCP Wrappers

TCP Wrappers (tcpd) are controlled from two files, /etc/hosts.allow and /etc/hosts.deny. hosts.allow is consulted first, then hosts.deny, and the search stops at the first match; a request that matches neither file is allowed.



Edit - /etc/hosts.deny

#Deny Access to everyone.


This means all services from all locations are blocked unless explicitly mentioned in hosts.allow.

Note: with the option PARANOID, if you intend to run the TELNET or FTP service on your server, do not forget to add the client machine's name and IP address to the /etc/hosts file on the server, or you can expect to wait several minutes for the DNS lookup to time out before you get the login prompt.

Now if you want to allow access for ssh and ftp from a particular IP address:

Edit /etc/hosts.allow



telnetd: ALL : deny : twist /bin/echo "Sriram Says Connection Refused"

Run tcpdchk

tcpdchk is the TCP Wrappers configuration checker. It examines the TCP Wrappers configuration and reports any real problems it can find; run it after configuring TCP Wrappers.

Also check tcpdmatch, the test program: it predicts how tcpd would handle a given request (daemon plus client), so you can verify a rule before relying on it.

The /etc/issue file carries the message displayed when someone does an ftp or telnet from outside; on many distributions the default shows the distribution name and kernel version.

You may change this to show something else.

STEP 5 – Stopping unnecessary services like telnet

Services like telnet are run by xinetd or inetd.

All recent Linux distributions ship xinetd.

#cd /etc/xinetd.d

#vi telnet

Set the disable line to yes:

disable = yes

#service xinetd restart

If you are still using inetd:

Edit /etc/inetd.conf

Hash out (comment out) any service you do not need.

Change the permissions of this file with chmod 600.

#killall -HUP inetd

STEP 6 – Log root out automatically after a particular idle time at the terminal

As a security measure, set a login timeout for all users, including root, that fires when the session is inactive.

Edit /etc/profile

Add the following line somewhere after the line that reads



7200 seconds = 2 hours

60*60 = 3600 seconds in an hour, 3600*2 = 7200 seconds

This will time out sessions for all users.

If you want to set it for individual users instead, put it in their individual .bashrc file.

STEP 7 – Set minimum password length to 10

Edit /etc/login.defs


STEP 8 – Disable RPM installation for all users

chmod 700 /bin/rpm, and move the binary to a different directory, say /home/cmd:

mv /bin/rpm /home/cmd/mpr

This will disallow users from installing trojans. Note that it is the chmod 700 that actually stops non-root users from running rpm; moving and renaming the binary only hides it.

STEP 9 – Disable SETUID and SETGID for unnecessary files

Find files with SETUID or SETGID enabled:

find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;

Files with the SUID bit show as -rwsr-xr-x and files with the SGID bit as -r-xr-sr-x.

To remove the bits from a file that does not need them:

chmod a-s /path/to/file
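The find command above lists every set-id file on the box, which is a lot of output on a normal system. As an added example (not part of the original post), the script below compares that list against a saved baseline so that only new or unexpected SUID/SGID files are reported; the function names, and the idea of a baseline file with one absolute path per line, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit the SUID/SGID files under a
# directory tree against a baseline allowlist, so that only the *unexpected*
# set-id binaries are reported instead of the full output of the find command.
# Hypothetical arguments: ROOT is the tree to scan; BASELINE is a file with one
# absolute path per line (for example list_setid output saved right after a
# clean install), which later runs are compared against.

# Print every regular file below ROOT (same filesystem only) that has the
# SUID (04000) or SGID (02000) bit set, one path per line, sorted.
list_setid() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# Print "ls -l" lines for set-id files under ROOT that are not in BASELINE.
# Returns 0 when nothing unexpected was found, 1 when there is something to
# investigate (and possibly strip with chmod a-s).
audit_setid() {
    root="$1"; baseline="$2"
    found=$(mktemp); known=$(mktemp)
    list_setid "$root" > "$found"
    LC_ALL=C sort -u "$baseline" > "$known"
    # comm -23 keeps lines that appear only in the first file: found but not known
    LC_ALL=C comm -23 "$found" "$known" | while IFS= read -r f; do
        ls -l "$f"
    done
    unexpected=$(LC_ALL=C comm -23 "$found" "$known" | wc -l | tr -d ' ')
    rm -f "$found" "$known"
    [ "$unexpected" -eq 0 ]
}

# Usage: sh audit_setid.sh / /root/setid.baseline
if [ $# -eq 2 ]; then
    audit_setid "$1" "$2"
fi
```

Save the output of list_setid on a freshly installed, trusted system as the baseline, then run audit_setid from cron and treat any output as something to investigate.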

STEP 10 – Prevent your system responding to ping

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

To turn it back on, write 0 instead of 1.

Put the same line in /etc/rc.d/rc.local so that it takes effect again after a reboot.

Edit the /etc/sysctl.conf file and add the following line:

# Enable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1

Restart the network services:

service network restart

Refuse to respond to broadcast requests:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Add the same to rc.local.

Edit the /etc/sysctl.conf file and add the following line:

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

The best way of doing a port forward is to use the rinetd service.

Install rinetd and then make the following changes in its config file /etc/rinetd.conf (each line is bindaddress bindport connectaddress connectport):

80 80

This will forward all the TCP packets for port 80 to port 80 on the target host. It is a very simple package to use.

Instead of port numbers, you can also use service names as defined in /etc/services. Therefore, the example above could also be written like this: www www
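The icmp_echo_ignore settings in STEP 10 are written twice, once to /proc/sys for immediate effect and once to /etc/sysctl.conf for persistence, and the two can silently disagree (a value echoed into /proc is lost at reboot, a line added to sysctl.conf is not live until it is loaded). As an added example that is not part of the original post, this checker reads a sysctl-style file and reports every key whose running value differs; the function names and the optional PROCROOT argument are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: check that every setting in a
# sysctl-style file is really in effect by comparing it with the matching
# /proc/sys entry. "echo 1 > /proc/sys/..." acts immediately but is gone after
# a reboot, while a line in /etc/sysctl.conf only applies once it is loaded, so
# the two can drift apart without anyone noticing; this makes the drift visible.
# Hypothetical names: check_sysctl_file CONF [PROCROOT]. PROCROOT defaults to
# /proc/sys and exists only so the check can be exercised against a fake tree.

# Map a sysctl key to its path below /proc/sys: net.ipv4.x -> net/ipv4/x
key_to_path() {
    printf '%s\n' "$1" | tr '.' '/'
}

# Print one line per mismatch, "key expected=X actual=Y" (actual=missing when
# the kernel has no such key), and return 1; return 0 if everything matches.
check_sysctl_file() {
    conf="$1"; procroot="${2:-/proc/sys}"
    report=$(
        # drop comments (# or ;) and blank lines, accept "key = value" with any spacing
        sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$conf" |
        while IFS= read -r line; do
            key=$(printf '%s' "$line" | sed -e 's/[[:space:]]*=.*$//' -e 's/^[[:space:]]*//')
            expected=$(printf '%s' "$line" | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
            file="$procroot/$(key_to_path "$key")"
            if [ ! -r "$file" ]; then
                printf '%s expected=%s actual=missing\n' "$key" "$expected"
                continue
            fi
            actual=$(tr -s '\t' ' ' < "$file")   # multi-value keys are tab separated in /proc
            [ "$actual" = "$expected" ] || printf '%s expected=%s actual=%s\n' "$key" "$expected" "$actual"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: sh check_sysctl.sh /etc/sysctl.conf
if [ $# -ge 1 ]; then
    check_sysctl_file "$@"
fi
```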