Wednesday, March 29, 2006

Commands for Monitoring the System

pstree - Processes and parent-child relationships
top - Show top processes
ps -auxw - Process status
vmstat - Monitor virtual memory
free - Display the amount of free and used memory in the system. (Also: cat /proc/meminfo)
pmap - Display/examine the memory map and shared libraries (.so) of a process. Usage: pmap pid
cat /proc/sys/vm/freepages - Display virtual memory "free pages". One may increase/decrease this limit: echo 300 400 500 > /proc/sys/vm/freepages
uname -a - Print system information
cat /proc/version - Display the Linux kernel version in use.
cat /etc/redhat-release - Display the Red Hat Linux release. (Also /etc/issue)
uptime - Tell how long the system has been running, along with the number of users and the system's load average.
w - Show who is logged on and what they are doing.
/sbin/lsmod - List all currently loaded kernel modules. Same as cat /proc/modules
/sbin/runlevel - Display the system's current runlevel.
hostname - Display/change the system's node name. (You must also manually change the hostname setting in /etc/sysconfig/network. The command will change the entry in /etc/hosts.)
service - Red Hat/Fedora command to display the status of system services.
Example: service --status-all
Help: service --help

Friday, March 24, 2006

Configure LDAP Address Book for your Mail Server


This document describes how I configured a global address book using OpenLDAP.

Software needed

OpenLDAP

perl-Kolab-LDAP-Backend-slurpd-0.9.3-0.20050801.1mdk
openldap-2.3.6-4mdk
libldap2.3_0-2.3.6-4mdk
openldap-servers-2.3.6-4mdk
perl-ldap-0.31-2mdk
perl-Kolab-LDAP-0.9.3-0.20050801.1mdk
openldap-clients-2.3.6-4mdk

Database - Berkeley DB

libdbus-glib-1_0-0.23.4-5mdk
libdbus-qt-1_0-0.23.4-5mdk
libdbus-1_0-0.23.4-5mdk
libdb4.2-4.2.52-7mdk


INSTALL LDAP Server


[root@mybox openldap-2.3.20]# urpmi openldap-server
To satisfy dependencies, the following 2 packages are going to be installed (3 MB):
db42-utils-4.2.52-7mdk.i586
openldap-servers-2.3.6-4mdk.i586
Is this OK? (Y/n) Y

installing db42-utils-4.2.52-7mdk.i586.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/2: db42-utils #############################################

ftp://gd.tuwien.ac.at/pub/linux/Mandriva/official/2006.0/i586/media/
main/openldap-servers-2.3.6-4mdk.i586.rpm
installing openldap-servers-2.3.6-4mdk.i586.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/1: openldap-servers #############################################


Now, to get the LDAP commands, I have installed openldap-clients:

[root@localhost openldap]# urpmi openldap-client
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/MandrivaLinux/official/
2006.0/i586/media/main/openldap-clients-2.3.6-4mdk.i586.rpm
installing openldap-clients-2.3.6-4mdk.i586.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/1: openldap-clients #############################################


Configuration files:
/etc/openldap/slapd.conf
/etc/openldap/ldap.conf

You will also need to create a .ldif file in which the address information is stored.
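As an added example, not part of this post, the script below turns a constructed CSV of contacts into the LDIF that ldapadd loads into slapd; the base DN ou=addressbook,dc=example,dc=com and the CSV column order are assumptions.

```shell
#!/bin/sh
# Added example: build an address-book LDIF from CSV. The base DN is an
# assumption; adjust it to the suffix configured in slapd.conf.
BASE_DN='ou=addressbook,dc=example,dc=com'

# Constructed sample input: given name,surname,email,phone (one contact per line).
CONTACTS='Alice,Example,alice@example.com,+91-11-555-0101
Bob,Sample,bob@example.com,+91-11-555-0102'

# Escape the characters that RFC 4514 treats specially in a DN value
# (comma, plus, quote, backslash, <, >, ; and a leading or trailing space).
dn_escape() {
  printf '%s' "$1" | sed 's/[,+"\\<>;]/\\&/g; s/^ /\\ /; s/ $/\\ /'
}

# Emit the container entry once, then one inetOrgPerson per CSV line read
# from stdin. cn and sn are mandatory attributes of inetOrgPerson.
csv_to_ldif() {
  printf 'dn: %s\nobjectClass: organizationalUnit\nou: addressbook\n\n' "$BASE_DN"
  while IFS=, read -r given sn mail phone; do
    [ -n "$given" ] || continue
    cn="$given $sn"
    printf 'dn: cn=%s,%s\n' "$(dn_escape "$cn")" "$BASE_DN"
    printf 'objectClass: inetOrgPerson\n'
    printf 'cn: %s\nsn: %s\ngivenName: %s\n' "$cn" "$sn" "$given"
    printf 'mail: %s\n' "$mail"
    [ -n "$phone" ] && printf 'telephoneNumber: %s\n' "$phone"
    printf '\n'
  done
}

# Count the person entries in an LDIF stream: a quick sanity check before
# loading it with ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f book.ldif
count_entries() {
  grep -c '^objectClass: inetOrgPerson$'
}

# Stand-alone use: ./book.sh --run > book.ldif
[ "${1:-}" = "--run" ] && printf '%s\n' "$CONTACTS" | csv_to_ldif
```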




Here's one good tutorial on LDAP.

Will complete this next week.

Thursday, March 23, 2006

Incremental Backup Using Rsync

In one of my previous posts I have written about DR plans. Further to that, I am just adding incremental backup using rsync.

In a nutshell, here is an overview of the scenario:

1) We have a bunch of users on a mail server, called mail1, which runs Red Hat Enterprise 3. We need to back up the daily mail of users stored in /var/qmail/users/.

2) We have a second Linux machine, backup, with good IP connectivity to mail1.

3) Backups are desired every day during the night when the load is low.

4) The backups should be incremental, minimising storage requirements by only keeping 'diffs' from one backup to the next.

Rsync is executed on mail1 as follows:

/usr/local/bin/rsync -a --update --delete /var/qmail/users/ backup:/backups/home.0

This causes /backups/home.0 on backup to be updated to reflect the set of directories and files under /var/qmail/users/ on mail1. The update process will recurse down each branch of the directory tree under /var/qmail/users/ on mail1 and:
  • delete entries under backup:/backups/home.0 that no longer exist under mail1:/var/qmail/users/
  • add entries to backup:/backups/home.0 that have appeared under mail1:/var/qmail/users/
  • update entries in backup:/backups/home.0 that have changed under mail1:/var/qmail/users/
(The source directory is specified as "/var/qmail/users/" with a trailing slash to ensure rsync synchronises the sub-directories of /var/qmail/users/, rather than /var/qmail/users itself. If the trailing slash had been omitted, rsync would create /backups/home.0/var/qmail/users/gja rather than /backups/home.0/gja, etc. on backup.)

Note: rsync needs root permission to execute the above command.

Add the rsync command to a cron job:

#crontab -e

15 3 * * * /bin/csh /root/bin/updateusers.sh daily

(A per-user crontab opened with crontab -e has no user-name column. The form with a user column, "15 3 * * * root /bin/csh /root/bin/updateusers.sh daily", belongs in /etc/crontab; in a per-user crontab the word root would be run as the command.)

In updateusers.sh I have added the rsync line that I mentioned above.

The above command will be executed at 03:15 am.

Since you are storing your backup on a network server, it is advisable to set up an SSH key pair (ssh-keygen) so that rsync does not ask for a password while backing up.

Look here for password-less logins.
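Added example, not the post's own updateusers.sh: a wrapper around the same rsync command that enforces the trailing slash, stops two nightly runs from overlapping, and logs rsync's exit code. The lock and log paths are assumptions; source, destination and rsync path are the post's.

```shell
#!/bin/sh
# Added example: wrapper for the nightly rsync job. Paths and host follow the
# post; LOCK and LOG are assumptions.
SRC=/var/qmail/users
DEST=backup:/backups/home.0
LOCK=/var/run/updateusers.lock
LOG=/var/log/updateusers.log
RSYNC=/usr/local/bin/rsync

# rsync copies the *contents* of SRC only when SRC ends in "/"; without the
# slash the last path component itself is recreated on the backup host.
with_trailing_slash() {
  case $1 in
    */) printf '%s\n' "$1" ;;
    *)  printf '%s/\n' "$1" ;;
  esac
}

# Map rsync's exit code to a one-word verdict for the log (codes per rsync(1)).
rsync_verdict() {
  case $1 in
    0)     echo ok ;;
    23|24) echo partial ;;   # some files vanished or could not be transferred
    *)     echo failed ;;
  esac
}

# Run the post's command under a lock. mkdir is atomic, so a second cron run
# that starts while a slow night's copy is still going simply skips.
run_backup() {
  if ! mkdir "$LOCK" 2>/dev/null; then
    echo "$(date '+%F %T') previous run still active, skipping" >> "$LOG"
    return 75                # EX_TEMPFAIL
  fi
  trap 'rmdir "$LOCK"' EXIT INT TERM
  rc=0
  "$RSYNC" -a --update --delete "$(with_trailing_slash "$SRC")" "$DEST" || rc=$?
  echo "$(date '+%F %T') rsync exit=$rc status=$(rsync_verdict "$rc")" >> "$LOG"
  return "$rc"
}

# cron calls this script with the argument "daily", as in the post's crontab line.
[ "${1:-}" = "daily" ] && run_backup
```

Because the key lets root on mail1 log in to backup without a password, limit what it may run with a command= restriction on that key in backup's authorized_keys.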

Wednesday, March 22, 2006

Setting up a Sendmail Server

A few points on building a Sendmail mail server.

- Before making any changes to sendmail, stop the sendmail service:

/etc/rc.d/init.d/sendmail stop

- Editing the sendmail configuration file using macros:

Copy sendmail.mc to a local sriram.mc file
#cp sendmail.mc sriram.mc

Make modifications to sriram.mc for your local setup
Generate sriram.cf from sriram.mc
#m4 sriram.mc > sriram.cf

Copy sriram.cf as your new sendmail.cf
#cp sriram.cf sendmail.cf


Here we are not editing sendmail.mc, so you can always recreate the original sendmail.cf by way of

#m4 sendmail.mc > sendmail.cf

- To make your SMTP server listen on the network, find the line

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

and change the address to your server's IP, like this:

DAEMON_OPTIONS(`Port=smtp,Addr=10.10.93.220, Name=MTA')

If you have to receive mail via an MX record, then you will need to configure DNS for your domain.

You first need to make sure that your mail server's name resolves in DNS correctly. For example, if your mail server's name is sriram and you intend for it to mostly handle mail for the domain my-site.com, then sriram.my-site.com must correctly resolve to the IP address of one of the mail server's interfaces. You can test this using the host command:

[root@smallfry tmp]# host sriram.my-site.com

sriram.my-site.com has address 10.10.93.220

- The MX record must point to the public IP address of your mail server.

/etc/hosts

127.0.0.1 sriram.my-site.com localhost.localdomain localhost sriram

The entry for 127.0.0.1 must always be followed by the fully qualified domain name (FQDN) of the server. In the case above it would be sriram.my-site.com. Then you must have an entry for localhost and localhost.localdomain. Linux does not function properly if the 127.0.0.1 entry in /etc/hosts doesn't also include localhost and localhost.localdomain. Finally you can add any other aliases your host may have to the end of the line.

- All Linux mail clients in your home or company need to know which server is the mail server. This is configured in the sendmail.mc file by setting the SMART_HOST statement to include the mail server. In the example below, the mail server has been set to mail.my-site.com, the mail server for the my-site.com domain.

define(`SMART_HOST',`mail.my-site.com')

Once this is done, you need to process the sendmail.mc file and restart sendmail.

- Determine which NICs sendmail is running on

[root@sriram tmp]# netstat -an | grep :25 | grep tcp
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN

If sendmail listens on all interfaces, then it shows as below:

[root@bigboy tmp]# netstat -an | grep :25 | grep tcp
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN


More configuration:

- The /etc/mail/relay-domains File

The /etc/mail/relay-domains file is used to determine the domains for which sendmail will relay mail. The contents of the relay-domains file should be limited to those domains that can be trusted not to originate spam.

- The /etc/mail/access File

You can make sure that only trusted PCs on your network have the ability to relay mail via your mail server by using the /etc/mail/access file.

The /etc/mail/access file has two columns. The first lists IP addresses and domains from which the mail is coming or going. The second lists the type of action to be taken when mail from these sources or destinations is received. Keywords include RELAY, REJECT, OK (not ACCEPT), and DISCARD. There is no third column to state whether the IP address or domain is the source or destination of the mail; sendmail assumes it could be either and tries to match both. Sendmail will reject any other attempted relay that doesn't match an entry in /etc/mail/access.

The sample file that follows allows relaying for the listed hosts, networks and domains:

localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
192.168.1.16 RELAY
192.168.1.17 RELAY
192.168.2 RELAY
my-site.com RELAY

You'll then have to convert this text file into a sendmail-readable database file named /etc/mail/access.db. Here are the commands you need:

[root@sriram tmp]# cd /etc/mail
[root@sriram mail]# make

or

#makemap hash /etc/mail/access.db < /etc/mail/access

- The /etc/mail/local-host-names File

When sendmail receives mail, it needs a way of determining whether it is responsible for the mail it receives. It uses the /etc/mail/local-host-names file to do this. This file has a list of hostnames and domains for which sendmail accepts responsibility. For example, if this mail server were to accept mail for the domains my-site.com and another-site.com, then the file would look like this:

my-site.com
another-site.com

- The /etc/mail/virtusertable File

The /etc/mail/virtusertable file contains a set of simple instructions on what to do with received mail. The first column lists the target email address and the second column lists the local user's mail box, a remote email address, or a mailing list entry in the /etc/aliases file to which the email should be forwarded.

If there is no match in the virtusertable file, sendmail checks for the full email address in the /etc/aliases file.

webmaster@another-site.com webmasters
@another-site.com marc
sales@my-site.com sales@another-site.com
paul@my-site.com paul
finance@my-site.com paul
@my-site.com error:nouser User unknown

In this example, mail sent to:

- webmaster@another-site.com will go to local user (or mailing list) webmasters; all other mail to another-site.com will go to local user marc.

- sales at my-site.com will go to the sales address at another-site.com.

- paul and finance at my-site.com go to local user (or mailing list) paul.

All other users at my-site.com receive a bounce message stating "User unknown".

After editing the /etc/mail/virtusertable file, you have to convert it into a sendmail-readable database file named /etc/mail/virtusertable.db with two commands:

[root@bigboy tmp]# cd /etc/mail

[root@bigboy mail]# make

or

#makemap hash /etc/mail/virtusertable.db < /etc/mail/virtusertable

If these lines look like you've seen them before, you have: They're in your all-purpose sendmail restart script.

- The /etc/aliases File

You can think of the /etc/aliases file as a mailing list file. The first column has the mailing list name (sometimes called a virtual mailbox), and the second column has the members of the mailing list separated by commas.

To start, sendmail searches the first column of the file for a match. If there is no match, then sendmail assumes the recipient is a regular user on the local server and deposits the mail in their mailbox.

If it finds a match in the first column, sendmail notes the nickname entry in the second column. It then searches for the nickname again in the first column to see if the recipient isn't on yet another mailing list.

If sendmail doesn't find a duplicate, it assumes the recipient is a regular user on the local server and deposits the mail in their mailbox.

If the recipient is a mailing list, then sendmail goes through the process all over again to determine if any of the members is on yet another list, and when it is all finished, they all get a copy of the e-mail message.

In the example that follows, you can see that mail sent to users bin, daemon, lp, shutdown, apache, named, and so on by system processes will all be sent to user (or mailing list) root. In this case, root is actually an alias for a mailing list consisting of user marc and webmaster@my-site.com.

Note: The default /etc/aliases file installed with RedHat / Fedora has the last line of this sample commented out with a #, you may want to delete the comment and change user marc to another user. Also after editing this file, you'll have to convert it into a sendmail readable database file named /etc/aliases.db. Here is the command to do that:

[root@sriram tmp]# newaliases

# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: root

# General redirections for pseudo accounts.
bin: root
daemon: root
abuse: root

# trap decode to catch security attacks
decode: root

# Person who should get root's mail
root: marc,webmaster@my-site.com

Notice that there are no spaces between the mailing list entries for root: You will get errors if you add spaces.

Aliases can be very useful; here are a few more list examples for your /etc/aliases file.

Mail to "directors@my-site.com" goes to users "peter", "paul" and "mary".

# Directors of my SOHO company
directors: peter,paul,mary

Mail sent to admin-list gets sent to all the users listed in the file /home/mailings/admin-list.

# My mailing list file
admin-list: ":include:/home/mailings/admin-list"

The advantage of using mailing list files is that the admin-list file can be a file that trusted users can edit, user root is only needed to update the aliases file. Despite this, there are some problems with mail reflectors. One is that bounce messages from failed attempts to broadcast go to all users. Another is that all subscriptions and unsubscriptions have to be done manually by the mailing list administrator. If either of these are a problem for you, then consider using a mailing list manager, such as majordomo.

One important note about the /etc/aliases file: By default your system uses sendmail to mail system messages to local user root. When sendmail sends e-mail to a local user, the mail has no To: in the e-mail header. If you then use a mail client with a spam mail filtering rule to reject mail with no To: in the header, such as Outlook Express or Evolution, you may find yourself dumping legitimate mail.
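Added example, not from the post: a shell script that replays the lookup order described above (virtusertable exact entry, then the @domain catch-all, then /etc/aliases recursively) against this post's sample maps, which it writes to a temporary directory as constructed input. It simplifies the aliases step to the local part of the address, and adds two constructed loop-a/loop-b aliases to show how an alias loop is caught.

```shell
#!/bin/sh
# Added example: resolve a recipient the way the post describes, using copies
# of the post's sample maps so nothing under /etc/mail is touched.
MAPDIR=$(mktemp -d)
trap 'rm -rf "$MAPDIR"' EXIT

cat > "$MAPDIR/virtusertable" <<'EOF'
webmaster@another-site.com webmasters
@another-site.com marc
sales@my-site.com sales@another-site.com
paul@my-site.com paul
finance@my-site.com paul
@my-site.com error:nouser User unknown
EOF

# loop-a/loop-b are constructed extras: two aliases pointing at each other.
cat > "$MAPDIR/aliases" <<'EOF'
mailer-daemon: postmaster
postmaster: root
bin: root
daemon: root
abuse: root
decode: root
root: marc,webmaster@my-site.com
directors: peter,paul,mary
loop-a: loop-b
loop-b: loop-a
EOF

# Print the right-hand side of the virtusertable entry for $1, preferring an
# exact address match over the @domain catch-all; prints nothing if neither.
vt_lookup() {
  awk -v a="$1" -v d="@${1#*@}" '
    { rhs = $0; sub(/^[^ \t]+[ \t]+/, "", rhs) }
    $1 == a { exact = rhs }
    $1 == d { catchall = rhs }
    END { if (exact != "") print exact; else if (catchall != "") print catchall }
  ' "$MAPDIR/virtusertable"
}

# Expand local name $1 through aliases; $2 is the recursion depth. Positional
# parameters are per-call in sh, so recursion cannot clobber them. Members
# containing "@" are remote and final; names without an alias entry are local
# mailboxes. :include: files are not handled here.
alias_expand() {
  if [ "${2:-0}" -gt 10 ]; then
    echo "LOOP:$1"          # a: b / b: a would otherwise never terminate
    return
  fi
  members=$(awk -v n="$1" 'BEGIN { FS = ": *" } $1 == n { print $2; exit }' "$MAPDIR/aliases")
  if [ -z "$members" ]; then
    echo "$1"
    return
  fi
  echo "$members" | tr ',' '\n' | while read -r m; do
    case $m in
      *@*) echo "$m" ;;
      *)   alias_expand "$m" $(( ${2:-0} + 1 )) ;;
    esac
  done
}

# Final recipients for address $1, one per line, or "BOUNCE: <text>".
resolve() {
  rhs=$(vt_lookup "$1")
  case $rhs in
    "")      alias_expand "${1%%@*}" ;;  # no virtusertable entry: try aliases
    error:*) echo "BOUNCE: ${rhs#error:}" ;;
    *@*)     echo "$rhs" ;;              # remote address, relayed as-is
    *)       alias_expand "$rhs" ;;
  esac
}

# Stand-alone use: ./resolve.sh finance@my-site.com
[ -n "${1:-}" ] && resolve "$1"
```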

The /var/log/maillog File

- Because sendmail writes all its status messages to the /var/log/maillog file, always monitor this file whenever you are making changes. Open two TELNET, SSH, or console windows. Work in one of them and monitor the sendmail status output in the other using the command

[root@bigboy tmp]# tail -f /var/log/maillog

Fighting spam:

- RFC-Ignorant: A valid IP address checker.

FEATURE(`dnsbl', `ipwhois.rfc-ignorant.org',`"550 Mail from " $&{client_addr} " refused. Rejected for bad WHOIS info on IP of your SMTP server - see http://www.rfc-ignorant.org/"')

- Easynet: An open proxy list.

FEATURE(`dnsbl', `proxies.blackholes.easynet.nl', `"550 5.7.1 ACCESS DENIED to OPEN PROXY SERVER "$&{client_name}" by easynet.nl DNSBL (http://proxies.blackholes.easynet.nl/errors.html)"', `')dnl

- The Open Relay Database: An open mail relay list.

FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected due to sending server misconfiguration - see http://www.ordb.org/faq/\#why_rejected"')dnl

- Spamcop: A spammer blacklist.

FEATURE(`dnsbl', `bl.spamcop.net', `"450 Mail from " $`'&{client_addr} " refused - see http://spamcop.net/bl.shtml"')

- Spamhaus: A spammer blacklist.


You can find more here.

Monday, March 20, 2006

Load Balancing Applications on Linux

A server is limited in how many users it can serve in a given period of time, and once it hits that limit, the only options are to replace it with a newer, faster machine, or add another server and share the load between them. A load balancer can distribute connections among two or more servers, proportionally cutting the work each has to do. Load balancing can help with almost any kind of service, including HTTP, DNS, FTP, POP/IMAP, and SMTP. There are a number of open source load balancing applications, but one simple command-line load balancer, balance, remains one of the most popular available.

Ideally you should install a load balancer on a dedicated machine that can handle all the incoming connections, with a separate network interface for internal and external connections. However, none of this is necessary for the purposes of this article. To start testing balance, download the latest version from the project's Web site. Unpack it, build it, and install it as follows:

# tar -zxvf balance-3.34.tar.gz
# cd balance-3.34
# make
# make install

Note: read the README file before installation.

Keep in mind that you'll need to be running as root in order to bind to ports below 1024.

Let's start with a simple case. We have connections coming in to port 80, the default HTTP port. We'd like to evenly share the work between two computers (although load may be distributed among any number). You specify machines to balance by referencing their IP addresses or hostnames. By default balance will connect to those machines on the same port on which it is listening. You can specify other ports by adding ":port" to the end of the address.

Let's assume we have two machines with hostnames "alpha" and "beta". The most basic solution (we'll get to more sophisticated uses in a moment) is just to alternate connections between the two computers, back and forth. This kind of balancing is called round-robin. It simply means each person or device gets an equal share, one after the other.

Balance has a simple command-line interface. We need to tell it where incoming connections will be coming from, and the possible destinations. By running:

# balance -f 80 alpha beta

we can share the load equally between servers alpha and beta. Including the -f parameter will keep balance in the foreground. Without it, balance will fork to the background, but an administrator could communicate with it interactively by running balance -i. In this example, if the machines alpha and beta happen to be serving different data and you were the only current user, refreshing the page over and over would alternate you between the two sites (although presumably in most cases you would want both computers to serve the same content).

Another thing we can do with balance is set a failover machine. That is, if for some reason a connection fails or times out, balance will establish a connection to the failover. For example, the command:

# balance -f 80 alpha beta ! failover

tells balance to forward a connection to the machine named failover only if both alpha and beta fail. The exclamation point separates the machines into two separate groups. Connections will only be forwarded to the next group if all connections to the first fail.

Another way of telling balance to move to the next group is by setting a limit on the number of connections a machine can handle, as follows:

# balance -f 80 alpha::256 ! beta::64 ! failover

This specifies that alpha can handle up to 256 simultaneous connections, after which point balance will move on to beta, and once beta has 64 connections, we finally move to the failover machine. The basic idea here is that we're filling up one virtual bucket before we move on to the next.

There's one important thing still lacking with these kinds of balancing commands. While sufficient for static HTML content, many real-world Web sites require sessions. User logins, shopping carts, or any kind of "memory" from page to page require session data to be retained when a user clicks onto a different page. Because HTTP is inherently stateless, each time we load a new page we're starting a new connection, which the load balancer might well send to a new machine. This would make preserving session information difficult.

The easiest solution to this problem is to make sure each client always gets forwarded to the same machine. We can tell balance to do this with the command:

# balance -f 80 alpha beta %

The percent symbol denotes that the preceding group will be a "hash" type. Balance will hash the user's IP address and associate it with one of the machines. As long as the IP address remains the same, a connection initiated from it will always go to the same computer. A good hashing algorithm will make sure hashes are evenly spread among the machines.

Where do we go from here?

These techniques will produce a good, workable load balancer, but in cases where load is great, they will not suffice. An application like the Linux Virtual Server is more appropriate for cases like this. The LVS works on the IP level to increase efficiency, in contrast to balance, which works on the application level and thus has increased overhead in that it must deal with the HTTP protocol. In addition, LVS provides many different kinds of scheduling in addition to round-robin and hashing, which are the only methods we can use in the free version of balance. But the basic principles remain the same.

Thanks to load balancing, you can keep your servers' connection and download times high, and seamlessly serve the ever-increasing number of clients using the Internet every day.

Costa Walcott is the co-founder of Draconis Software and a freelance writer.

Sunday, March 19, 2006

Build a Failsafe Cluster using Heartbeat in Linux

Reason for having a Failsafe cluster:

A failsafe cluster can dramatically cut downtime, and since service failovers are fast and automatic, system administrators get to enjoy their weekends and users get to finish their work. "Sys Ads" and "users" are both happy; even pointy-haired managers are happy, because minimizing work stoppages saves money.

In a critical environment like a datacenter, where hundreds of domains are hosted on a single server, imagine the server going down due to a hardware failure.

In a failsafe cluster the servers keep an eye on each other, and if one goes down, the other running server starts servicing the requests of the failed server.

For example, if you have a web server running with 202.41.2.10 and it goes down, then immediately another machine in the cluster environment will be alerted to the fact; it will change its IP address to that of the primary server, 202.41.2.10, and start acting like the primary server which is down.

Prerequisites before you build a cluster environment.

In my opinion:

- You will need two or more identical servers for optimal performance.

- If you are installing Red Hat Enterprise 3.0 on the primary, then install the same on all other secondary servers, and so on.

- Make sure you are running all the required services that you have configured on your primary server on all the other secondary cluster servers.

- Two network cards in all the servers that you want to bring into the cluster environment.

If you have more than two servers for clustering, then use a hub to connect your eth0 interfaces; since a hub does not store MAC addresses, it will be easier to switch over. Here I am assuming eth1 faces the external world and eth0 is internal.


In my example I have 2 systems with the same hardware, configuration and services running on them.

There is software like cfengine and kickstart installation which will help you build similar systems.

My configuration:

Mandrake 2006 installed on both systems.

2 NICs - eth0/eth1

A CAT5 crossover cable connects eth0 on the primary to eth0 on the secondary. This link carries the heartbeat; it is how the nodes sense that the primary has gone down so that the other node can be brought up.


Primary.sriram.com

External - eth1 - 192.168.0.1/255.255.255.0
Internal - eth0 - 10.33.16.1/255.255.255.0

Secondary.sriram.com

External - eth1 - 192.168.0.2/255.255.255.0
Internal - eth0 - 10.33.16.2/255.255.255.0

Here one is the master node and the other the backup node.

I have fully qualified domain names:

Primary - primary.sriram.com

Secondary - secondary.sriram.com

Installing Heartbeat on the primary and secondary nodes:

On Mandrake 2006 I have the urpmi package manager:

#urpmi heartbeat

It's also available here:

http://linux-ha.org/download


There are binary RPMs at the website, or you can build heartbeat from source. Grab the tarball (or install the source RPM). Untar it into your favorite source directory. From the top of the source tree, type "./ConfigureMe configure", followed by "make" and "make install".

If you have problems installing the RPMs found at the website and want a way to make your own, there may be help in the FAQ.

Configuring clusters:

This involves modifying 3 files on all the cluster nodes (primary, secondary, etc.):

/etc/ha.d/ha.cf

/etc/ha.d/haresources

/etc/ha.d/authkeys

The first file, ha.cf, contains all the settings for your nodes.

You need to modify the following entries on both machines:

node primary
node secondary
deadtime 30
warntime 10
bcast eth0
auto_failback on

Point: instead of mentioning node primary, you can also mention the primary's eth0 IP address, and the same for node secondary. Check that you are able to ping primary and secondary (i.e. ping primary, ping secondary); add them to the /etc/hosts file.

If you have more than one backup node in the cluster, then in the ha.cf file on each machine you will enter the full list of machines in the cluster:

node primary
node secondary
node secondary1
node secondary2
and so on ...


Next open /etc/ha.d/haresources and provide the IP address as follows:

primary.sriram.com 192.168.0.3 httpd smb

So this line dictates that on startup, the primary node serves the IP 192.168.0.3 and starts Apache and Samba as well.

On shutdown, heartbeat will first stop smb, then Apache, then give up the IP.

Now coming to the final part, /etc/ha.d/authkeys:

This file determines the authentication keys.

There are three types of Authentication available for this ,

1) CRC------------------Level 1 Security (Simplest).
2) MD5-----------------Level 2 Security (Medium Level).
3) SHA1 ---------------Level 3 Security (Tough to crack).


The format of the file is as follows.

For CRC a sample might be:

auth 2
2 crc

Whatever index you put after the keyword auth must be found below in the keys listed in the file. If you put "auth 4", then there must be an "4 signaturetype" line in the list below.

Make sure its permissions are safe, like 600. And "any text you want" is not quite right. There's a limit to the number of characters you can use.

For sha1, a sample /etc/ha.d/authkeys could be:

auth 1
1 sha1 key-for-sha1-any-text-you-want

For md5, you could use the same as the above, but replace "sha1" with "md5".
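Added example, not from the post: a checker for /etc/ha.d/authkeys that applies the rules above (a line whose index matches the auth line, mode 600, a key after md5/sha1) and flags crc, which only detects corruption and lets any host on the link inject heartbeat packets. The demo writes the post's two samples to temporary files it creates itself.

```shell
#!/bin/sh
# Added example: validate an authkeys file before starting heartbeat.
# Prints one finding per line; returns 0 if the file passes, 1 otherwise.
check_authkeys() {
  f=$1
  status=0
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU, then BSD stat
  if [ "$mode" != "600" ]; then
    echo "bad permissions $mode on $f (expected 600: the key is a shared secret)"
    status=1
  fi
  idx=$(awk '$1 == "auth" { print $2; exit }' "$f")
  if [ -z "$idx" ]; then
    echo "no 'auth <index>' line"
    return 1
  fi
  # The index after "auth" must open a "<index> <method> [key]" line.
  line=$(awk -v i="$idx" '$1 == i { print; exit }' "$f")
  if [ -z "$line" ]; then
    echo "auth $idx selected but no line starts with '$idx'"
    return 1
  fi
  set -- $line                   # $1=index $2=method $3=key
  case $2 in
    sha1|md5)
      if [ -z "$3" ]; then
        echo "$2 needs a shared key after the method name"
        status=1
      fi ;;
    crc)
      echo "warning: crc only detects corruption; any host on the link can inject packets" ;;
    *)
      echo "unknown method '$2' (expected crc, md5 or sha1)"
      status=1 ;;
  esac
  return $status
}

# Constructed demo: the post's sha1 sample passes; its "crc 2" sample fails
# because the line must read "2 crc" for "auth 2" to find it.
demo() {
  d=$(mktemp -d)
  printf 'auth 1\n1 sha1 key-for-sha1-any-text-you-want\n' > "$d/sha1"
  printf 'auth 2\ncrc 2\n' > "$d/crc"
  chmod 600 "$d/sha1" "$d/crc"
  for f in "$d/sha1" "$d/crc"; do
    if check_authkeys "$f"; then echo "$f: ok"; else echo "$f: FAIL"; fi
  done
  rm -rf "$d"
}
[ "${1:-}" = "--demo" ] && demo
```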


Test Heartbeat

Run /etc/rc.d/init.d/heartbeat start on all nodes.

Shut down the primary server and see if the secondary server comes up with the primary server's IP address assigned to it.



That's it!




Saturday, March 11, 2006

Netstat - Ports and Programs running

If you want to check which ports your system is listening on, which foreign hosts are connected, and the programs using them:

[root@mybox conf]# netstat -apln --inet

Active Internet connections (servers and established)

Example: this will list,

tcp    0    0 127.0.0.1:10026      0.0.0.0:*            LISTEN       4806/master
tcp    0    0 0.0.0.0:139          0.0.0.0:*            LISTEN       5008/smbd
tcp    0    0 10.10.93.220:1648    216.239.63.104:80    ESTABLISHED  7104/mozilla-firefox
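Added example, not from either post: a parser for netstat output like the listing above that reports which services are bound to all interfaces, and classifies how a given port is bound, which is the distinction the sendmail post draws with netstat -an | grep :25. The sample output is constructed, including the sendmail and cupsd rows.

```shell
#!/bin/sh
# Added example: find services reachable from other hosts in
# `netstat -apln --inet` output. SAMPLE is constructed, not captured.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:10026         0.0.0.0:*               LISTEN      4806/master
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      5008/smbd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      5120/sendmail
tcp        0      0 10.10.93.220:1648       216.239.63.104:80       ESTABLISHED 7104/mozilla-firefox
udp        0      0 0.0.0.0:631             0.0.0.0:*                           3990/cupsd'

# One "proto port pid/program" line per socket bound to every interface
# (0.0.0.0). Loopback-only services such as 127.0.0.1:10026 are skipped.
# udp rows have no State column, so the program is taken from the last field.
exposed_listeners() {
  awk '
    $1 != "tcp" && $1 != "udp" { next }      # the two header lines
    $1 == "tcp" && $6 != "LISTEN" { next }   # established connections
    {
      n = split($4, la, ":")                 # local address -> host, port
      if (la[1] == "0.0.0.0") print $1, la[n], $NF
    }'
}

# Classify how tcp port $1 is bound: all-interfaces, loopback-only,
# specific-address or not-listening (the cases the sendmail post separates
# with netstat -an | grep :25). --inet output is IPv4 only, so splitting on
# ":" is safe here.
port_binding() {
  awk -v p="$1" '
    $1 == "tcp" && $6 == "LISTEN" {
      n = split($4, la, ":")
      if (la[n] != p) next
      if (la[1] == "0.0.0.0")        wide = 1
      else if (la[1] == "127.0.0.1") loop = 1
      else                           specific = 1
    }
    END {
      if (wide) print "all-interfaces"
      else if (specific) print "specific-address"
      else if (loop) print "loopback-only"
      else print "not-listening"
    }'
}

# Live use: netstat -apln --inet | exposed_listeners
#           netstat -apln --inet | port_binding 25
[ "${1:-}" = "--demo" ] && printf '%s\n' "$SAMPLE" | exposed_listeners
```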


Also try:

#lsof -i

This will list:

- Running commands
- User running the command
- PID of the program
- Internet protocol version used, e.g. IPv4, IPv6
- Name of the program

Monday, March 06, 2006

VPN Made Easy

Building a Virtual Private Network made easy:

My Scenario :

- My office PC, running Windows 2000, is connected to the internet 24x7 without a static IP.

- I connect my laptop, running Linux, to the internet without any static IP provided by my ISP, Sify.

I need to access my office PC from home as if on a local area network.

The easiest solution I found for this is Hamachi.

How does Hamachi work?
You need to download the Hamachi installer for your respective OS.

Once done, you can create a network with the installer on Hamachi's server.

While creating the network it will prompt you for a password.

This password needs to be shared with the other users connecting to your network.

Note :

" Hamachi assigns a unique static IP address in the 5.x.x.x range
(e.g., 5.190.65.30) that allows the Hamachi mediation server to
locate your machine and allow it to establish secure peer-to-peer
connections with other PCs. In Windows XP, the software creates
a virtual network interface driver to direct traffic to and from the
5.x.x.x address. Note the Hamachi-assigned IPs are hidden behind
the NAT from public view while allowing configuration-free NAT and
firewall traversal. Creating a network is as simple as designating a
name and password. "


Here's what I did to create a network in Linux:

[root@mybox sriram]# cd /usr/local/src/vpn/

[root@mybox vpn]# ls
hamachi-0.9.9.9-15-lnx/ hamachi-0.9.9.9-15-lnx.tar.gz

[root@mybox vpn]# cd hamachi-0.9.9.9-15-lnx/

[root@mybox hamachi-0.9.9.9-15-lnx]# ls
CHANGES LICENSE LICENSE.openssl Makefile tuncfg/
hamachi* LICENSE.openssh LICENSE.tuncfg README

[root@mybox hamachi-0.9.9.9-15-lnx]# make install

Copying hamachi into /usr/bin ..
Creating hamachi-init symlink ..
Compiling tuncfg ..
Copying tuncfg into /sbin ..

Hamachi is installed. See README for what to do next.

[root@mybox hamachi-0.9.9.9-15-lnx]# ham
hamachi hamachi-init

[root@mybox hamachi-0.9.9.9-15-lnx]# hamachi-init
Initializing Hamachi configuration (/root/.hamachi). Please wait ..

generating 2048-bit RSA keypair .. ok
making /root/.hamachi directory .. ok
saving /root/.hamachi/client.pub .. ok
saving /root/.hamachi/client.pri .. ok
saving /root/.hamachi/state .. ok

Authentication information has been created. Hamachi can now
be started with 'hamachi start' command and then brought online
with 'hamachi login'.

Before starting Hamachi you need to run tuncfg:

[root@mybox hamachi-0.9.9.9-15-lnx]# cd tuncfg/

[root@mybox tuncfg]# ls
Makefile tuncfg* tuncfg.c

[root@mybox tuncfg]# ./tuncfg

[root@mybox tuncfg]# cd ..

[root@mybox hamachi-0.9.9.9-15-lnx]# hamachi start
Starting Hamachi hamachi-lnx-0.9.9.9-15 .. ok

[root@mybox hamachi-0.9.9.9-15-lnx]# hamachi login
Logging in ....>....... ok

For more hamachi join options type :

[root@mybox hamachi-0.9.9.9-15-lnx]# hamachi join

This will list all options available.

Now creating a network:

[root@mybox hamachi-0.9.9.9-15-lnx]# hamachi create sriramsreedhar password

Creating sriramsreedhar .. ok

[root@mybox hamachi-0.9.9.9-15-lnx]# hamachi list
[sriramsreedhar]

[root@mybox vpn]# ifconfig

ham0 Link encap:Ethernet HWaddr 8A:ED:3B:AA:9D:C8
inet addr:5.24.164.156 Bcast:5.255.255.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1200 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:8844 (8.6 KiB)


Now install Hamachi on your Windows system at the office and join the network sriramsreedhar.

In Windows XP, the software creates a virtual network interface driver to direct traffic to and from the 5.x.x.x address.

That's all you need to do to build a virtual private LAN.

Saturday, March 04, 2006

How to use NT bootloader to boot Linux

This assumes you have a dual-boot system with Linux and Windows installed,
and that you do not want to use the Linux boot loader (GRUB or LILO) in the MBR.

The reason: when you delete your Linux installation you might find that you
can't boot Windows any more, because the MBR still points to the GRUB or LILO
you have erased, or it is corrupted because something was set up wrong. One way
around this is to use the NT boot loader (the default boot loader for Windows).

Note: make sure that you install the Linux boot loader (GRUB or LILO) in the first sector of the Linux boot partition (/boot), or this won't work at all.

Requirements:

Windows XP Home or Professional Edition

Windows NT 4.0 or later

GRUB or LILO (or any other Linux boot loader) installed in the first sector
of the Linux boot partition. To do this you have to configure your Linux
installation to write the boot information to your Linux boot partition
(/boot), not to the MBR (very important).

A Linux boot disk

When you have all the above requirements, follow the instructions below:

1) Insert your Linux boot disk into the floppy drive and boot your system.

2) When you have successfully booted into Linux, launch a console.

3) Type in this command (without the "#"):

# dd if=/dev/hdaXX bs=512 count=1 of=/mnt/floppy/bootsect.lin

4) hdaXX is your /boot partition. If your /boot partition is /dev/hda10, then you must key in:

# dd if=/dev/hda10 bs=512 count=1 of=/mnt/floppy/bootsect.lin

5) bootsect.lin is the name of the file you want to create on the floppy disk; you can use any name you like. In this case I used bootsect.lin as my file name and I will use this name throughout this tutorial.

6) The command above copies the first sector (512 bytes) of the /boot partition into a file, which you then store on a floppy disk. (NOTE: you can copy it to a floppy disk or to any other location that Windows can access.)

7) Restart your system into Windows.

8) Copy the file bootsect.lin from the floppy disk to your C: drive.

9) Click Start > Run and key in this line: c:\boot.ini

10) Add the line c:\bootsect.lin="My Linux" to boot.ini. This is how boot.ini will look after adding it:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
c:\bootsect.lin="My Linux"

(The example I use is Windows XP; if you use another version of Windows it might be a little different.)

11) After that, save the file. You can now boot into Linux using the
NT boot loader.

12) You can now do anything you like to Linux and still be able to boot
into Windows as normal.
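As an added example covering the whole procedure above (this is not code from the post), the Python below checks a bootsect.lin image the way steps 3 to 6 produce it, 512 bytes ending in the 0x55AA boot signature, and then adds the c:\bootsect.lin="My Linux" line from step 10 to boot.ini without duplicating it. The function names, the GRUB/LILO name lookup (a heuristic only), the constructed sector and the sample boot.ini are all this example's own assumptions. The point of the sector check is the note above: the copied sector is only useful if the loader really sits in that partition's first sector, and a sector dd'd from the wrong partition will have no signature.

```python
BOOT_SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # the last two bytes of a bootable sector


def inspect_boot_sector(data):
    """Sanity-check a sector image such as bootsect.lin before adding it to boot.ini.

    Returns (ok, detail). The size and signature checks are definitive; the
    loader-name lookup is a heuristic, since the GRUB legacy and LILO first-stage
    code carry their names as ASCII, while a sector dd'd from the wrong partition
    (a filesystem superblock, or zeros) will not.
    """
    if len(data) != BOOT_SECTOR_SIZE:
        return False, f"expected {BOOT_SECTOR_SIZE} bytes, got {len(data)}: check bs= and count= on the dd command"
    if data[510:512] != BOOT_SIGNATURE:
        return False, "no 0x55AA signature: no boot loader is installed in this partition's first sector"
    for marker in (b"GRUB", b"LILO"):
        if marker in data:
            return True, marker.decode()
    return True, "signature present, loader not recognised"


def verify_bootsect_file(path):
    """Read a bootsect.lin file from disk and inspect it."""
    with open(path, "rb") as f:
        return inspect_boot_sector(f.read())


def add_boot_ini_entry(boot_ini, entry_path, label):
    """Return boot.ini text with entry_path="label" appended to [operating systems].

    If entry_path is already listed the text is returned unchanged, so the
    function is safe to run more than once. Output uses CRLF line endings as
    boot.ini does.
    """
    lines = boot_ini.splitlines()
    for line in lines:
        if line.split("=", 1)[0].strip().lower() == entry_path.lower():
            return boot_ini
    try:
        start = next(i for i, l in enumerate(lines) if l.strip().lower() == "[operating systems]")
    except StopIteration:
        raise ValueError("boot.ini has no [operating systems] section")
    # The section runs to the next [header] or end of file; skip trailing blanks.
    end = start + 1
    while end < len(lines) and not lines[end].lstrip().startswith("["):
        end += 1
    while end > start + 1 and not lines[end - 1].strip():
        end -= 1
    lines.insert(end, f'{entry_path}="{label}"')
    return "\r\n".join(lines) + "\r\n"


# Constructed boot.ini matching the example in step 10, before the Linux line is added.
SAMPLE_BOOT_INI = (
    "[boot loader]\r\n"
    "timeout=30\r\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\r\n"
    "[operating systems]\r\n"
    'multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect\r\n'
)


def constructed_grub_sector():
    """A made-up 512-byte sector with a GRUB marker and a valid signature, for testing only;
    the marker offset is arbitrary, not where real stage1 code keeps it."""
    sector = bytearray(BOOT_SECTOR_SIZE)
    sector[0:3] = b"\xeb\x48\x90"  # a short jump and a nop, as x86 boot code typically begins
    sector[0x180:0x184] = b"GRUB"
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    # On a real system: verify_bootsect_file("/mnt/floppy/bootsect.lin")
    ok, detail = inspect_boot_sector(constructed_grub_sector())
    print("sector:", ok, detail)
    print(add_boot_ini_entry(SAMPLE_BOOT_INI, r"c:\bootsect.lin", "My Linux"))
```

Run the sector check on Linux before rebooting; if it reports no signature, the loader was written to the MBR rather than to /boot and the boot.ini entry will not work.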





Bastille - Securing Linux

Bastille is a program that helps you harden and secure your Linux systems
by way of a GUI or console-based questionnaire.

Download Bastille Linux

http://internap.dl.sourceforge.net/sourceforge/bastille-linux/Bastille-3.0.8-1.0.noarch.rpm

Installing Bastille Linux

[root@mybox Desktop]# rpm -ivh Bastille-3.0.8-1.0.noarch.rpm
Preparing... ########################################### [100%]
1:Bastille ########################################### [100%]

Please make sure perl-Tk and perl-Curses are installed.

I had the Following installed :

perl-Tk-804.027-4mdk

I did not have perl-Curses, So I had to install as below

[root@mybox Documents]# urpmi perl-Curses

ftp://gd.tuwien.ac.at/pub/linux/Mandriva/official/2006.0/i586/media/main/perl-Curses-1.07-1mdk.i586.rpm

installing perl-Curses-1.07-1mdk.i586.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/1: perl-Curses #############################################


Now running the Bastille commands:

bastille -x (for graphical-mode hardening)
bastille -c (for text-mode hardening)
bastille --report (for assessment and reporting)

For a complete list of options use bastille -h

For example, the command below generates a report:

[root@mybox Documents]# bastille --assess

___-----____-----_____------_____--------
Bastille Hardening Assessment Completed

You can find a report in HTML format at:

/var/log/Bastille/Assessment/assessment-report.html

You can find a report in text format at:

/var/log/Bastille/Assessment/assessment-report.txt

You can find a more machine-parseable report at:

/var/log/Bastille/Assessment/assessment-log.txt

___-----____-----_____------_____-------____-----


Thursday, March 02, 2006

Klik - Installing Softwares from Browser

Till now I have been using urpmi (the software manager for Mandriva),
until I found klik, a browser-based installer which works with KDE.

Klik focuses on application bundles that contain all the basic libraries
needed to execute the program.

Software can be installed by typing

klik://packagename in the browser

You can check the list of packages available here

Now installing klik:

Please note I am using Mandriva 2006.

1) Log in to your KDE desktop as a normal user (sriram).

2) The GNU C++ library is needed on Mandriva 2006:

# urpmi libstdc++5

This will install all the needed dependencies.

3) Install the klik client:

Press [Alt]+[F2] and paste:
wget klik.atekon.de/client/install -O - | sh

In the console it will show up like this:

--17:56:21-- http://klik.atekon.de/client/install
=> `-'
Resolving klik.atekon.de... 134.169.172.48
Connecting to klik.atekon.de134.169.172.48:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14,890 (15K) [text/plain]

100%[====================================>] 14,890 12.19K/s

17:56:24 (12.18 KB/s) - `-' saved [14890/14890]

8514 ? 00:00:00 mozilla-firefox
8527 ? 00:00:00 run-mozilla.sh
8532 ? 00:04:26 mozilla-firefox


Follow the instructions that pop up on your screen.

4) Now, in the console, log in as root and run the command below:

/home/sriram/klik-cmg-install-root

This is because your /etc/fstab needs to be set up to use .cmg files.

Sometimes you won't find this file. No worries, you can carry on.

5) If you have the Mozilla browser open, please close it and reopen it once.

Now type the line below in your Mozilla Firefox browser:

klik://xvier

xvier is a 600kb game.



If you are a bit security conscious, you may want to know what klik does to your system. Here's the pitch:

  • Its .cmg files are self-contained AppDirs (application directories), compressed into a cramfs or zisofs file system.
  • To run the contained app, klik mounts the bundle file underneath /tmp/app/1/ and runs it from there; when mounted, the bundle looks like a subdirectory expanded into the real directory structure of the host.


If you are even more cautious, or paranoid, you will surely want to investigate more closely and see how klik operates on your system. Follow these steps to find out more:

wget klik.atekon.de/client/install

(this downloads the install file without executing it).

less install

(this lets you look at the installer code: fear not -- it's pure shell).

less $HOME/.klik

(this lets you look at the "commandline client+klik protocol handler" code, of course only after running the klik client install).

less $HOME/.zAppRun

(this lets you look at the commandline starter for klik-ified AppDir bundles, also executed if you just click on one of the .cmg files).

less {$KDEHOME,$HOME/.kde}/share/services/klik.protocol (the secret behind the klik://my_cool_app links, part 1).

less {$KDEHOME,$HOME/.kde}/share/applnk/klik/klik.desktop (the secret behind the klik://my_cool_app links, part 2).

less {$KDEHOME,$HOME/.kde}/share/applnk/klik/.directory (why there is now a klik icon and a klik entry in the K Menu).

less {$KDEHOME,$HOME/.kde}/share/mimelnk/all/cmg.desktop (why klik is now responsible for handling clicks on files that happen to have a .cmg suffix, part 1).

less {$KDEHOME,$HOME/.kde}/share/applnk/.hidden/AppRun.desktop (why klik is now responsible for handling clicks on files that happen to have a .cmg suffix, part 2).

less /etc/fstab (why klik can now find mountpoints in the file system to mount the .cmg AppDirs on execution).

ls -lR /tmp/app/{7,6,5,4,3,2,1} (list the directories underneath the mountpoints while one of the .cmg AppDirs is executed).
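The first two steps above, download the installer without executing it and read it, are the ones that matter with any `wget ... | sh` install. As an added example (not klik's own code, and not from the original post), the Python below turns that into a repeatable habit: it hashes the downloaded file so later copies can be compared against the one that was reviewed, flags the lines a reviewer should read first (writes to /etc such as the fstab change klik needs, privilege escalation, recursive deletes, fetch-and-execute chains), and runs the installer only when the hash matches. SAMPLE_INSTALLER is a constructed stand-in, not the real install script, and EXPECTED_SHA256 is a placeholder to be filled in from `sha256sum install`.

```python
import hashlib
import re
import subprocess

# Constructed stand-in for the downloaded installer. It is not the real klik
# install script; it just contains the kinds of lines a reviewer looks for.
SAMPLE_INSTALLER = """\
#!/bin/sh
# klik client installer (constructed sample)
cd "$HOME"
wget -q http://klik.example.invalid/client/klik -O .klik
chmod +x .klik
echo 'none /tmp/app/1 cramfs noauto,user,loop,ro 0 0' >> /etc/fstab
ln -sf "$HOME/.klik" "$HOME/.zAppRun"
"""

# Placeholder: record the digest of the copy you reviewed with `sha256sum install`.
EXPECTED_SHA256 = "<sha256 of the reviewed installer>"

# Lines worth reading before an installer runs: system-configuration writes,
# privilege escalation, recursive deletes, and fetch-and-execute chains.
SUSPECT_PATTERNS = {
    "writes /etc": re.compile(r">>?\s*/etc/"),
    "privilege escalation": re.compile(r"\b(sudo|su)\b"),
    "recursive delete": re.compile(r"\brm\s+-[A-Za-z]*[rR]"),
    "download and execute": re.compile(r"\b(wget|curl)\b.*\|\s*(sh|bash)\b"),
    "eval": re.compile(r"\beval\b"),
}


def sha256_hex(data):
    """SHA-256 of a byte string as lowercase hex, the same form sha256sum prints."""
    return hashlib.sha256(data).hexdigest()


def review_installer(text):
    """Return [(line_no, category, line)] for non-comment lines matching SUSPECT_PATTERNS."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for category, pattern in SUSPECT_PATTERNS.items():
            if pattern.search(stripped):
                findings.append((no, category, stripped))
    return findings


def run_if_verified(path, expected_sha256):
    """Run the installer at `path` with sh only if its digest matches the reviewed copy.

    Returns the exit status, or None (without running anything) on a mismatch.
    """
    with open(path, "rb") as f:
        data = f.read()
    if sha256_hex(data) != expected_sha256.lower():
        return None
    return subprocess.run(["sh", path]).returncode


if __name__ == "__main__":
    # Real use: wget the installer to a file, review_installer(open(path).read()),
    # record sha256_hex of the file, then run_if_verified(path, EXPECTED_SHA256).
    for no, category, line in review_installer(SAMPLE_INSTALLER):
        print(f"line {no}: {category}: {line}")
    print("sample digest:", sha256_hex(SAMPLE_INSTALLER.encode()))
```

The pattern list is deliberately short and will produce some noise; the aim is to make sure the fstab edit and the protocol-handler files listed above are seen before the script runs as your user, not to replace reading it with `less`.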

FAQs

A few applications don't open or crash. Some place the .cmg file in your home directory instead of on your desktop, and some never move the .cmg file out of the /tmp/klik directory, so you'll have to move them yourself. Others require you to run the klik package from the command line, using ~/.zAppRun /path/to/package.cmg

You can find the logs for klik in /tmp/klik/klik.log