Linux Commands (Mix of Ubuntu & Suse Stuff)
Ipconfig:
Run Levels:
Virtual Console (bash shell but in cmd line)
File System:
To search for text in a file:
Virtual folders:
Logoff:
Kill a Frozen App:
Network Folders:
Harddisk:
hda3 = 3rd partition on first harddisk
General Problem Solving Solutions:
Some problems cleared up by running = SuSEconfig (as root) (NOT a config tool, rather it seems to 'fix' things automatically)
su = switch user
Change password:
Help Information:
Everyday Cmd's:
Wildcards:
Shortcuts:
What Default Apps:
Permissions:
-rw-r--r--
= letter 1 = type of file (d = dir, - = normal), letters 2,3,4 = perms for the user/creator, letters 4,5,6 = perms for the user group to which the file belongs, letters 7,8,9 = everybody else ("the world").
Users
In the GUI use Yast -> Users/Groups
This displays the output from the /etc/passwd (users) and /etc/group (groups) files.
Use the app to make users/add users to a specific group (greyed out means the system needs the user in that group). Add from the Group section, not the User section.
To add a user to a group via cmd line:
To make a group:
Check (vi) /etc/group to see all members of that specific group.
To see which groups own the file: ls -l filename. The 3rd and 4th fields show the user owner and group owner for that file.
To change the group ownership of the file:
To change the user ownership of the file:
Switch User
Space on Hard Disk:
df OR mount (df is clearer) = shows all PHYSICAL disks and their mount points, and used/free space, etc. Also shows mount points of notable system dirs. Note: hda = first IDE hard disk, hda1 = first partition on first hard disk, etc.
To Empty /tmp Folder:
(Need to use init 1 to ensure no other apps using /tmp are running)
To Empty Yast of RPM Files:
RPMs are downloaded when the system kernel is updated. If compiling the kernel, keep them. Delete afterwards:
Mounting:
Normally automatic in Konqueror. But manual when adding a new hard disk. (Read up)
Sharing Files:
On a Linux-only network you can use NFS to share dirs/files. Involves 2 steps (p404 Dummies):
1. Run the NFS app on the PC. Export the dir to be shared. Can do this via cmd (list the dir in the /etc/exports file and run /usr/sbin/exportfs) or Yast -> NW Services, and start the NFS server.
2. On each client PC mount the dirs the server has exported (need to ensure NFS is running on the client; not a problem with Linux, can buy software for other OSs). Again, this can be done either via cmd (use mount) or GUI.
Navigating Linux File System
Linux file system root is /. From this is a hierarchical system of folders/dirs and files, which can span different hard disks, floppy, cd roms, etc.
Filenames are case sensitive.
Structure:
First Level:
Important Sub Dirs:
Navigation with Konqueror:
Konqueror is a file manager and a web browser that comes with KDE.
Left hand vertical menu has shortcuts to media (cd rom, etc), home, network, root folder, services (bluetooth browser, devices (cd rom)), etc. The View menu has a tree option, which is useful!
Disk Operations
Benchmarking Harddisk:
Must enter init 3 first!
Multicount setting shown when benchmarking:
Unmaskirq
Allows Linux to attend to other tasks while waiting for your hard disk to return data. Should be turned ON.
This is all temporary and will be lost when rebooted. To make permanent see p410.
Use Prelink to Speed up Loading of Apps and Services:
Can turn off prelinking for individual files if problems occur:
To Add Second Hard Disk:
Note = important to carriage return after cmd lines are added/amended in config files.
Backups (Using tar)
GUI Version in KDE:
Cmd Version in All Linux Distros:
Cmd version available to ALL Linux distros, FreeBSD, Unix, etc (you WILL get your data this way, so worth knowing!)
There are 3 aspects to performing BUs:
1. Backup
2. Restore
3. Maintenance
Backup:
Format of tar:
Example of a typical BU script:
tar -zcvpf /archive/backup-`date '+%d-%B-%Y'`.tar.gz \
    --directory /home --exclude='*.iso' \
    --exclude=proc --exclude=tmp \
    --exclude=bufferdir .
First there is the tar command itself.
Secondly, you need to provide the different options for tar. I use these:
The third argument is the archive file that needs to be created. This is because I use the f option with tar. As you can see, I create a filename that contains the current date. By this it's easy to differentiate between the different backup files that exist. You are not obliged to use the .tar.gz extension (in fact, you can use whatever extension you want) but to keep things simple I advise you to use the default .tar.gz extension.
The fourth argument is the starting directory:
--directory /home
With the next arguments you can specify which files or directories need to be excluded from the archive. This can easily be done with this directive:
--exclude=proc
Finally (and this is often forgotten) you need to specify a dot . to specify that everything else needs to be backed up.
Instead of creating a new archive you can also add files to the end of an existing archive. For this you don't need to specify c (create) but r (append).
Another useful way is updating the archive with only those files that are newer. This is handled by specifying u (update).
So the main three actions for creating or updating archive files are:
Used to backup/restore files to a tape drive. Tar can be used to archive a group of files into another file or more commonly to write/restore a group of files to a tape drive.

Option              Description
c                   create an archive (write to tape)
t                   display files on archive (view only)
x                   extract from archive (read from tape and write to disk)
v                   verbose - display filenames
z                   compress files (using gzip)
f                   device name or file name to write to
directory or file   directory or file to use
Examples of Usage:
Note: The following examples assume the device name of your tape drive is /dev/st0.

Command                              What it does
tar cvf /dev/st0 /                   backup the entire system to tape
tar cvzf /dev/st0 /bin               only backup the /bin directory to tape and compress
tar tvf /dev/st0                     view the contents of a tape
tar xvf /dev/st0                     restore the entire contents of the tape
tar xvf /dev/st0 /etc/sendmail.cf    only restore the file '/etc/sendmail.cf' from tape
tar xvzf /dev/st0 /bin               restore and uncompress the directory /bin from tape
Restore:
Example of restore cmd:
tar -zxvpf test-backup.tar.gz --directory /home/test/
This command restores the archive 'test-backup.tar.gz' into the directory '/home/test/'.
Please beware when executing this command! Any existing file that also exists in the archive will be overwritten.
Instead of using x for extracting, you could also use t to check the archive (get a complete list of the files that are in the archive). If you're not sure whether a file exists in the backup this is easily done with:
tar -ztvpf test-backup.tar.gz | grep "checkforthisfile"
Maintenance:
I've placed the different backup jobs in a cron job. This way the backup is done every night. After a while though, you will end up with a whole bunch of backups that are out-dated. You can remove the unwanted old files with this command (this will remove all files not accessed in 7 days):
find /archive/backup* -mtime +7 -exec rm -r {} \;
or you could use this for files modified more than 30 days ago:
find /archive -name 'backup-*' -mtime +30 | xargs rm -f
Further Examples of Using tar:
To create tar files from cmd:
Tar lets you backup to a device. Creates an archive file that can optionally be compressed (p408 Dummies).
tar options destination source.
To Compress tar File: see page 429
Extracting Files:
Viewing tar Archive Files:
Using Crontab to Schedule Tasks (notably BU tasks)
First, need to make a script, and it is this script that the Crontab application runs.
How to Write a Script:
To successfully write a shell script, you have to do three things:
1. Write a script (preferably a Shell Script, and specify that Shell (Bash) must run it (use #!)).
2. Give the shell permission to execute it
3. Put it somewhere the shell can find it
Write a Script:
A shell script is a file that contains ASCII text. To create a shell script, you use a text editor. A text editor is a program, like a word processor, that reads and writes ASCII text files. There are many, many text editors available for your Linux system, both for the command line environment and the GUI environment (vi, kwrite, etc).
An example of a script:
The first line of the script, starting with "#!" (called pound-bang), is special: it tells the shell what program should be used to interpret my script. In this example, the script is to be interpreted by the bash shell /bin/bash. The first line must start with #! or the script will never run (the file will be interpreted as just a text file). Other lines starting with # are comments for the author (readers, users) of the shell and are totally ignored by the computer. To summarise: put #! in the first line of the script/file; this will CONVERT the text file into a shell script, and it will be saved as such.
The $0, $1, $2 ... in my script are the parameters passed to my script. For example, if I ran a script called "myscript" with seven parameters like this:
...then $0 would be seen inside "myscript" as having the value "myscript", $1 would have the value "a", $2 would be "b", $3 would be "c", etc.
On the second and third line of my example script, the command echo prints on the screen everything that follows on the same line, expanding $0 and $1 to the values of the parameters passed to the script. The fourth and fifth line contain a comment I wrote to myself to remind myself what I was trying to achieve, just in case I ever had to modify my script. The last line performs the actual work.
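An added example for the script-writing section above and for the tar backup script in the Backup section (it is not the script from the original notes): a backup.sh with the shape just described, the #! line, echo lines showing $0 and $1, a comment to myself, then the real work. It builds the dated tar.gz with the same excludes as the Backup section and prunes stale archives as in Maintenance; it assumes a tar that understands --exclude (GNU tar does), and the source and archive directories are whatever you pass in.

```shell
#!/bin/sh
# backup.sh: added example, not the original notes' script.
# Usage: backup.sh SOURCE_DIR ARCHIVE_DIR [KEEP_DAYS]
# Creates ARCHIVE_DIR/backup-<date>.tar.gz from SOURCE_DIR with the excludes
# used in the Backup section, then removes archives whose modification time
# is more than KEEP_DAYS (default 7) days old.

# make_backup SOURCE_DIR ARCHIVE_DIR: prints the path of the archive created.
make_backup() {
    src=$1
    dest=$2
    # Dated filename, as in the Backup section, so nightly runs do not collide.
    archive="$dest/backup-$(date '+%d-%B-%Y').tar.gz"
    mkdir -p "$dest" || return 1
    # -C switches into SOURCE_DIR so member paths are relative to it; the
    # trailing . is the often-forgotten "everything else". '*.iso' is quoted
    # so the shell does not expand it before tar sees it.
    tar -zcpf "$archive" -C "$src" \
        --exclude='*.iso' --exclude=proc --exclude=tmp --exclude=bufferdir . \
        || return 1
    printf '%s\n' "$archive"
}

# archive_contains ARCHIVE PATTERN: true when a member name matching PATTERN
# is listed (the "tar -ztvpf ... | grep" check from the Restore section).
archive_contains() {
    tar -ztf "$1" | grep -q -- "$2"
}

# prune_backups ARCHIVE_DIR KEEP_DAYS: delete backup-*.tar.gz whose
# modification time (-mtime; not access time) is more than KEEP_DAYS days old.
prune_backups() {
    find "$1" -name 'backup-*.tar.gz' -mtime +"$2" -exec rm -f {} \;
}

main() {
    echo "Running $0 to back up $1"
    echo "Archives go to $2"
    # I wrote this so the nightly cron job has one script to call:
    # build today's archive, then throw away the stale ones.
    archive=$(make_backup "$1" "$2") || exit 1
    prune_backups "$2" "${3:-7}"
    echo "Created $archive"
}

# Only act when called with arguments, so the functions can be sourced and
# reused without making a backup.
[ $# -eq 0 ] || main "$@"
```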
Give the Shell Permission to Execute it:
Can do this via the GUI if using a GUI desktop. Ensure the owner has Read, Write and Execute perms.
OR:
Once the script is written, I make the file executable to the file owner ("u"=user):
OR:
The next thing we have to do is give the shell permission to execute your script. This is done with the chmod command as follows:
The "755" will give you read, write, and execute permission. Everybody else will get only read and execute permission. If you want your script to be private (i.e., only you can read and execute), use "700" instead.
Put it Somewhere the Shell can Find it:
At this point, your script will run. Try this:
If this doesn't work, see what directory you really saved your script in, go there and try again.
Before we go any further, I have to stop and talk a while about paths. When you type in the name of a command, the system does not search the entire computer to find where the program is located. That would take a long time. You have noticed that you don't usually have to specify a complete path name to the program you want to run; the shell just seems to know.
Well, you are right. The shell does know. Here's how: the shell maintains a list of directories where executable files (programs) are kept, and just searches the directories in that list. If it does not find the program after searching each directory in the list, it will issue the famous "command not found" error message.
This list of directories is called your path. You can view the list of directories with the following command:
This will return a colon separated list of directories that will be searched if a specific path name is not given when a command is attempted. In our first attempt to execute your new script, we specified a pathname ("./") to the file.
You can add directories to your path with the following command, where directory is the name of the directory you want to add:
A better way would be to edit your .bash_profile file to include the above command. That way, it would be done automatically every time you log in.
Most modern Linux distributions encourage a practice in which each user has a specific directory for the programs he/she personally uses. This directory is called bin and is a subdirectory of your home directory. If you do not already have one, create it with the following command:
Move your script into your new bin directory and you're all set. Now you just have to type:
and your script will run.
No need for the initial "pound bang" or executable permission
Note: OR just specify the full path to the script location, OR ./ScriptName
Using Crontab to Schedule Tasks
Linux has a powerful task scheduler called Cron. Cron will allow you to run commands automatically at times specified by you. Cron is similar to the task scheduler you find in Windows. To keep track of the schedules and tasks it has to run, Cron requires a file called Crontab (CRON TABle). All the Cron schedules and tasks should be stored in this table. The Crontab files cannot be directly edited. You can add or delete entries in the crontab file using the crontab command.
What's Cron and Crontab?
You must be wondering what the difference between cron and crontab is, or whether they are the same. Cron is a process or program which wakes up every minute and looks for jobs it has to execute at that moment. Crontab is the list of jobs and times at which they have to execute.
By default, all users can set up their own crontab files. However, the root user can use two files to control access:
All crontab files are stored in the /var/spool/cron/crontabs/ directory. However, since regular users do not have read or write permission to this directory, they must use the crontab command to schedule jobs.
Cron, as supplied in Debian, has two purposes:
To run system jobs on a daily/weekly/monthly basis.
To allow users to set up their own schedules.
The system schedules are set up when the package is installed, via the creation of some special directories:
Except for the first one, which is special, these directories allow scheduling of system-wide jobs in a coarse manner. Any script which is executable and placed inside them will run at the frequency which its name suggests. For example, if you place a script inside /etc/cron.daily it will be executed once per day, every day. The time that the scripts run in those system-wide directories is not something that an administrator typically changes, but the times can be adjusted by editing the file /etc/crontab. The format of this file will be explained shortly. The normal manner in which people use cron is via the crontab command. This allows you to view or edit your crontab file, which is a per-user file containing entries describing commands to execute and the time to execute them.
To View Crontab File for a User:
To display a user's crontab file you run the following command:
root can view any user's crontab file by adding "-u username", for example:
Format of a Cron Job:
Here is the format of a cron job file:
[min] [hour] [day of month] [month] [day of week] [program to be run]
Where each field is defined as:

Field            Meaning
[min]            Minutes that program should be executed on. 0-59. Do not set as * or the program will be run once a minute.
[hour]           Hour that program should be executed on. 0-23. * for every hour.
[day of month]   Day of the month that process should be executed on. 1-31. * for every day.
[month]          Month that program would be executed on. 1-12. * for every month.
[day of week]    Day of the week. 0-6 where Sunday = 0, Monday = 1, ...., Saturday = 6. * for every day of the week.
[program]        Program to be executed. Include full path information.
Making an Entry:
Now let's see how to make a crontab entry. Let's say you want to run a script backup.sh every day at 6:00pm. The entry would look like this:
The asterisk (*) is used to indicate that every instance of the particular time period will be used (i.e. every hour, every weekday, etc.). I've used the full path to the script /home/user/backup.sh instead of just using backup.sh. This is because cron runs as root; you should fully qualify your path names to any scripts that will be run. Let's see some more examples:
* Let's schedule the script printinvoices.sh to run every Sunday at 12:45pm.
* How about clearaccount.sh every month beginning at 1:32am?
* Let's see how to schedule a task to run only on weekdays (Monday to Friday)
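The field ranges in the table above, checked by an added validator (example code written for these notes, not from the original page). Beyond the plain numbers and * of the entries described here, it also accepts the ranges and comma separated sets used in the later examples and the /STEP form, and it flags an entry whose minute field is a bare *, which the table warns runs once a minute. The sample entries in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: validate the five time fields of
# a crontab entry against the ranges in the table above (min 0-59, hour 0-23,
# day of month 1-31, month 1-12, day of week 0-6 with Sunday = 0).
# A field may be *, a number, a range a-b, or a comma separated set of these,
# each optionally followed by /STEP.

# is_int VALUE: true when VALUE is a non-negative decimal integer.
is_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# in_range VALUE LOW HIGH: true when VALUE is an integer within LOW..HIGH.
in_range() {
    is_int "$1" && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_item ITEM LOW HIGH: one element of a field (*, N or A-B, with /STEP).
check_item() {
    item=$1; low=$2; high=$3
    case "$item" in
        */*)
            step=${item#*/}; item=${item%%/*}
            is_int "$step" && [ "$step" -ge 1 ] || return 1 ;;
    esac
    case "$item" in
        '*') return 0 ;;
        *-*)
            a=${item%%-*}; b=${item#*-}
            in_range "$a" "$low" "$high" && in_range "$b" "$low" "$high" \
                && [ "$a" -le "$b" ] ;;
        *)  in_range "$item" "$low" "$high" ;;
    esac
}

# check_field FIELD LOW HIGH: a comma separated set of items, all valid.
check_field() {
    rest=$1
    while [ -n "$rest" ]; do
        case "$rest" in
            *,*) cur=${rest%%,*}; rest=${rest#*,} ;;
            *)   cur=$rest; rest='' ;;
        esac
        check_item "$cur" "$2" "$3" || return 1
    done
    return 0
}

# validate_cron_line "ENTRY": exit 0 when the five time fields are in range
# and a command follows them, 1 otherwise. Runs in a subshell with globbing
# off so the * fields are not expanded into filenames when the line is split.
# Constructed sample: validate_cron_line '0 18 * * * /home/user/backup.sh'
validate_cron_line() (
    set -f
    set -- $1
    [ $# -ge 6 ] || exit 1
    check_field "$1" 0 59 && check_field "$2" 0 23 && check_field "$3" 1 31 \
        && check_field "$4" 1 12 && check_field "$5" 0 6
)

# runs_every_minute "ENTRY": true when the minute field is a bare *, which
# the table above warns runs the program once a minute.
runs_every_minute() (
    set -f
    set -- $1
    [ "$1" = '*' ]
)
```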
Adding and Editing Entries in Crontab:
Now that you know how crontab entries are formatted, it's time to put some of your entries into the crontab list. To do this, you can use the crontab command. By specifying the -e option, you'll be taken to the default text editor to add and edit your crontab list. [crontab -e]
Another method of manipulating your crontab entries is to create and save a text file with your crontab entries. You can load your list into crontab by using the following command: [crontab mycrontablist] where mycrontablist is the file containing your entries.
Note that all crontab jobs should be submitted using crontab; you should not add jobs by just editing the crontab file because cron will not be aware of changes made this way.
Viewing Crontab: [crontab -l]
You can view your current crontab list by specifying the -l option. Issuing this command will print out a list of all your current jobs in the crontab list.
root can view any user's crontab file by adding "-u username", for example:
Removing Crontab: [crontab -r]
The -r option removes your current crontab file. Issuing this command will empty the contents of the current user's crontab file.
Admin Crontab Options:
Crontab Examples:
The sixth column is the command to run, including options and arguments. No quotation marks are needed to enclose the command.
For example, 0 12 * * * /usr/share/bin/alarm would run a script called alarm every day at noon.
Some more examples:
Run the `something` command every hour on the hour
Run the `nightly` command at ten minutes past midnight every day
Run the `monday` command every Monday at 2 AM
Use a range of hours matching 1, 2, 3 and 4AM
Use a set of hours matching 1, 2, 3 and 4AM
Disable Email notifications in Crontab:
There are a couple of ways you can remedy this behaviour.
At the top of the crontab file, place the following command:
Redirect the output of the offending program in your crontab:
Method #1 will suppress ALL email from your crontab. It does this by telling cron to mail your output to nobody. It will simply vanish from your system. You may want this, you may not. If you're debugging a script that keeps acting up, the output cron mails will definitely be of some help.
Method #2 allows you to selectively redirect a particular program's output to the bitbucket. /dev/null is the *NIX equivalent of a "Big Black Hole"(TM) on your computer. So if, say, you want the output from your alarm, but not from your email reminders, just append >& /dev/null to the affected commands. Alternately, if you'd still like to receive mail about execution errors but not standard output, you could append 1> /dev/null instead of >& /dev/null. This is an either/or situation. You just want one or the other, not both.
Edit Text Files in Bash
Vi Cmd Summary:
As a brief introduction to vi, go through the following: First, type:
at the Unix prompt. Assuming you did not already have a file named x, this command will create one. (If you have tried this example before, x will already exist, and vi will work on it. If you wish to start the example from scratch, simply remove x first.) The file will of course initially be empty. To put something in it, type the letter `i' (it stands for ``insert-text mode''), and type the following (including hitting the Enter key at the end of each of the three lines):
Then hit the Escape key, to end insert-text mode. This mode-oriented aspect of the vi editor differs from many other editors. With modeless editors such as joe and emacs, for instance, to insert text at the cursor position, one simply starts typing, and to stop inserting, one just stops typing! However, that means that in order to perform most commands, one needs to use the Control key (in order to distinguish a command from text to be inserted). This has given rise to jokes that heavy users of modeless editors develop gnarled fingers.
Now save the file and exit vi, by typing:
Again, the key to learning vi is to keep in mind always the difference between insert-text mode and command mode. In the latter mode, as its name implies, one issues commands, such as the ZZ above, which we issued to save the file and exit vi. The characters you type will appear on the screen if you are in insert-text mode, whereas they will not appear on the screen while you are in command mode. By far the most frequent problem new vi users have is that they forget they are in insert-text mode, and so their commands are not obeyed.
You now have a file named x. You can check its contents by typing (at the Unix shell prompt)
First, suppose we wish to say the fox will not return: We need to first move the cursor to the word ``return''. To do this, type `/re' and hit the Enter key, which instructs vi to move the cursor to the first instance of `re' relative to the current cursor position. (Note that typing only `/r' would have moved the cursor to the first instance of `r', which would be the `r' in `brown', not what we want.)
Now use the `i' command again: Hit `i', then type `not ' (note the space), and then hit Escape.
Next, let's delete the word `brown'. Type `/b' to move the cursor there, and then hit `x' five times, to delete each of the five letters in `brown'. (This will still leave us with a blank line. If we did not want this, we could have used the `dd' command, which would have deleted the entire line.)
Now type `ZZ' to save the file and exit vi.
Use `more' again to convince yourself that you did indeed modify the file.
Installing and Updating Applications
Normally 1 of 2 file formats:
If in source code form, you have to unpack it, build it and install it.
All files can be used in all distros.
Working with RPM Files:
Versatile app/cmd. P422 (Dummies) for more.
Working with DEB Files:
Not used in Suse. P428 (Dummies) for more.
Use the dpkg or dselect cmds to manage deb packages (dselect is a front end to the dpkg cmd app).
apt is a higher level cmd app that can manage deb packages. Typing apt-get will download and install a deb package from an online deb repository.
None of these cmds are supported in Suse, but they are supported in Debian & Ubuntu.
Building Software Packages from Source Files:
Source files don't include executable binaries, so you have to build and install the package. They are normally in .tar format.
1. Download source files via ftp or browser.
2. Save in /usr/local/src dir.
3. Examine contents with tar ztf file.ext | more (lists what is in the archive)
4. Extract contents of the compressed tar file with tar zxf file.ext
Now need to build the software:
1. Files tend to be extracted to a dir specified in the filename (ie xmms version 1.2.10 extracts to xmms-1.2.10)
2. cd to the location of the extracted files.
3. Read the Readme or Install file for instructions. Normally need to ./configure to run a script that configs the build. Then need to run make to build the software. And lastly need to make install to install the software.
Updating Linux Apps:
Use Yast Online Update (YOU). Seems all 9.1 updates have been stopped!
Note: System Update means to update from a cd/dvd.
Accessing Linux Remotely:
When the ssh session is closed, the connection and the triggered apps close as well.
Using GUI remotely:
Running KDE remotely:
On local pc:
On Remote pc:
Remote Admin:
See p443 (also need to configure the firewall on the pcs concerned and any routers/firewalls en route. Same section in book)
VNC Viewer:
Is an app in Debian that allows a user to remotely connect to a Linux computer running a vnc server. Ideal for running a headless box.
To install:
To run:
Network Packet Sniffing
View headers for all packets on the network segment:
Useful Suse Apps in OS
System – Monitor – Kde System Guard:
System – Monitor – Kde System Guard = Very similar to Task Manager in Windows.
System Monitor:
System – More Programs – System Monitor = Similar to above.
Remote Access:
System – Remote = R.A. stuff. (Desktop Sharing and Remote Desktop Connection). (Also in Yast – Internet & Network – Desktop Sharing)
Kcron:
System – Service Configuration – Kcron = Scheduler (inc tasks)
Kuser:
System – Configuration – Kuser = Manages Users and Groups (also shows gid's)
Sax2:
Systems – Configuration – Sax2 = All display options (inc monitor, graphics card, resolution, 3d, and input devices)
Yast2:
Systems – Configuration – Yast = But better to go via
Security
Security on the Host:
Security on the Network:
Firewalls:
Different types of firewall:
Using NAT:
Allows you to hide LAN addresses behind the public address. Allows you to share an IP address. Different types of NAT, inc Static, Hiding, and PAT. The most common is PAT.
Configuring the firewall via the GUI is to config a packet filter firewall. All GUI configs in Linux distros have different default behaviours for certain actions, so be aware of these. Can config via cmds using iptables, which uses the chain concepts. (p512, Dummies).
Last Word on Security:
Use scanners (Nessus, Nmap, both in Knoppix Live) and other software to test the firewall and any machines outside the firewall (p527, Dummies).
GUI on the Desktop
X Windows is a client server architecture. X Windows is the server, and the client is the Window Manager and the GUI on top of this, normally Gnome or KDE. Actually there are 3 parts: the X server, the Window Manager, and the Desktop (gnome/kde). The X server is rarely changed, but users experiment with different Window Managers and Desktops. On cmd line only systems such as Debian, you can install the GUI, but the first stage is to install the X Windows Server first:
You might need to configure screen resolution, mouse, keyboard etc to get the X Server working properly. To reconfigure the X Server:
After the X Windows Server is installed, to install gnome on Debian:
This installs all the gnome apps (games, terminal, multimedia, file manager, etc).
To install kde:
To get the X Windows Server and GUI at the same time:
To remove a specific GUI:
Can install the complete X Windows system if needed, but not recommended if you are going to install kde or gnome on top of this.
To install the complete X Windows system:
Lastly, you can install BOTH gnome and KDE.
Install xserver, and gnome desktop, and then kde desktop, using apt-get install in each case.
From this point the first desktop, gnome, will be the default desktop. At the login window you have an option to change the desktop using the 'Session' option. Choose either gnome or kde!
The login window itself is managed by the login manager, of which there are 2 main types, xdm and kdm. Xdm is installed with xserver by default; if you want to change to kdm:
Can configure either of the login managers with:
Can also change desktops WITHIN the desktop itself. You need to install a window manager package such as Progeny. Haven't tried this yet as I have had success with using the Session option at the login prompt.
Note: I cannot get the xdm login manager to use a 'Session' option, and it always defaults to the gnome desktop. To have the option of either desktop at login, use the kdm login manager. Note that the kdm login manager won't let you log in as root, but the xdm manager does!
NFS
Sharing files via NFS involves 2 basic steps:
1. On the Linux system that runs the NFS server you must export (share) 1 or more dirs by listing them in the /etc/exports file and by running the exportfs cmd. You must also start the NFS server.
2. On each client system you must use the
Only drawback is that each client must support NFS. Linux does, Unix with built in NFS support does, Windows doesn't. Have to buy 3rd party software.
NFS has security vulnerabilities so don't set it up on systems directly connected to the Internet.
Install NFS Server:
Also install portmap:
Or both at the same time:
After this the exports file appears in /etc.
When configuring portmap do =not= bind loopback. If you do you can either edit /etc/default/portmap by hand or run:
Exporting a File System:
In my case I made a specific dir to share, but you can share any, inc the home dir.
Edit the /etc/exports file on the server to export/share the dir. Examples of additions to the /etc/exports file to configure user access:
For Full Read Write Permissions allowing any computer from 192.168.1.1 through 192.168.1.255:
Or for Read Only from a single machine:
To export the /home dir and enable a host named Test1 to mount this file system for Read & Write:
To give the same access to all hosts on a lan such as 192.168.0.0:
Every line in /etc/exports has the following general format:
Options in () also show how users/groups on the client are MAPPED to users on the NFS server, ie, if a file is owned by root on the server, what owner is that on the client?
General Options in /etc/exports:
(more options p 625 Dummies).
User Mapping Options:
Save this file.
After making changes to /etc/exports in a terminal you must manually export the file system:
This cmd exports all file systems defined in the /etc/exports file.
Now need to START the NFS server processes:
To ensure the NFS server starts at boot:
NFS server should be running! Now you can mount the exported file system from clients.
If you make changes to /etc/exports, remember to RESTART the NFS service. To restart a service, invoke the script in the /etc/init.d dir with restart, NOT start.
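The access and user-mapping options in () described above decide who may write to an export and whether a client's root stays root on the server. The following audit is an added example, not from the original notes: it reads /etc/exports style lines from a constructed sample and flags exports open to every host, exports carrying no_root_squash (client root keeps root on the server), and exports that state neither ro nor rw. Point it at the real file to check a server's own exports.

```shell
#!/bin/sh
# Added example, not from the original notes: audit /etc/exports lines for
# the weak client and user-mapping settings discussed above.

# Constructed sample /etc/exports content (not a real server's file).
SAMPLE_EXPORTS='
# share for the LAN; root_squash maps client root to nobody on the server
/files 192.168.0.0/24(rw,sync,root_squash)
# read-only export to a single host
/pub 192.168.0.10(ro,sync)
# weak: writable by any host, and client root keeps root on the server
/home *(rw,no_root_squash)
# weak: no host restriction at all
/backup (rw,sync)
'

# export_options LINE: prints the comma separated option list inside ( ).
export_options() {
    case "$1" in
        *"("*")"*) opts=${1#*"("}; printf '%s\n' "${opts%%")"*}" ;;
        *) printf '\n' ;;
    esac
}

# has_option OPTS NAME: true when NAME appears as one of the options.
has_option() {
    case ",$1," in
        *,"$2",*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_export_line LINE: prints one finding per weak setting; returns 1 when
# anything was found, 0 for a clean, blank or comment-only line.
audit_export_line() {
    line=${1%%#*}                       # drop a trailing comment
    set -f                              # no globbing: the client may be *
    set -- $line
    set +f
    [ $# -ge 1 ] || return 0
    dir=$1
    findings=0
    # The client host(s) precede the ( ); empty or * means any host.
    client=${2%%"("*}
    opts=$(export_options "$2")
    if [ -z "$client" ] || [ "$client" = '*' ]; then
        echo "$dir: exported to every host (client field '$client')"
        findings=1
    fi
    if has_option "$opts" no_root_squash; then
        echo "$dir: no_root_squash lets client root act as root on the server"
        findings=1
    fi
    if ! has_option "$opts" ro && ! has_option "$opts" rw; then
        echo "$dir: neither ro nor rw given; state the access explicitly"
        findings=1
    fi
    return $findings
}

# audit_exports TEXT: audits every line of TEXT; the exit status is the
# number of lines with findings (0 means the file looked clean).
audit_exports() {
    bad=0
    while IFS= read -r l; do
        audit_export_line "$l" || bad=$((bad + 1))
    done <<EOF
$1
EOF
    return $bad
}
```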
Mounting an NFS File System:
Install the NFS client so you can mount NFS drives:
Ubuntu:
Mounting manually
Example to mount servername:/files to /files. In this example servername is the name of the server containing the nfs share, and files is the name of the share on the nfs server.
The mount point /files must first exist on the client machine:
To mount the share from a terminal type:
Note you may need to restart the above services:
To confirm the NFS system is indeed mounted, on the client, as root:
Mounting at boot using /etc/fstab
You can config the /etc/fstab file to mount dirs. CD Roms, etc are already configured here; all you do is add your own exported dirs to it. After you've done so you can mount dirs with a simple cmd after boot (mount /mountpointname, or mount -a to mount everything that should be mounted at boot) if they have the 'noauto' option set, or they can be configured to mount automatically at boot if the 'noauto' option isn't set.
This follows the same format as adding mountpoints to the /etc/exports file, except you also need to add the file system TYPE. ie:
OR, in this example my /etc/fstab was like this:
Documentation for these can be found in the "Mount options for nfs" section of man mount.
The filesystems can now be mounted with mount /mountpointname, or mount -a to mount everything that should be mounted at boot.
Can also
What is Portmap?
It is server software running under Unix-like systems that converts RPC program numbers into DARPA protocol port numbers. It must be running in order to make RPC calls. When a client wishes to make an RPC call to a given program number, it will first contact portmap on the server machine to determine the port number where RPC packets should be sent.
Portmap Lockdown
optional
Add the following line to /etc/hosts.deny:
By blocking all clients first, only clients in /etc/hosts.allow below will be allowed to access the server.
Now add the following line to /etc/hosts.allow:
Where the "list of IP addresses" string is, you need to make a list of IP addresses that consists of the server and all clients. These have to be IP addresses because of a limitation in portmap (it doesn't like hostnames).
Note that if you have
Samba
Samba is a set of tools used to share files and printers with Windows. It uses the SMB protocol, which is at the heart of Windows networking, and acts as an SMB server for Windows or Samba-equipped clients. Over time it has grown so it can now act as a DC and authenticate Windows users/clients, it can use a Windows DC to authenticate *nix clients, etc.
Do you need Samba? Maybe not…
Installing Samba (Server):
Install Samba (Client):
Install Both:
Settings Needed for Config:
In Ubuntu & Debian you can get the following info via 'Network Settings' in the GUI.
Host Settings:
Hostname (your computer), Domain Name.
Windows Networking: Domain/workgroup (typical names for workgroup are 'workgroup' or 'mshome'), consider WINS.
The file to config with this info is:
When modifying this file, restart the Samba service:
Some of the values to config in /etc/samba/smb.conf:
Sub Headings in smb.conf:
Global = The settings in the [global] section set the name of the host, the workgroup of the host and the string that appears next to the host in the browse list. The security parameter tells Samba to use 'user level' security. SMB has two modes of security: share, which associates passwords with specific resources, and user, which assigns access rights to specific users. There isn't enough space here to describe the subtleties of the two modes, but in nearly every case you will want to use user-level security. Global settings are the 'base' settings for all SMB shares, unless overridden by specific config for a given share.
Homes = just a method of sharing home directories.
Can Create Simple Shares:
Create the folder to be shared. Place perms on this folder.
Note: read only = no, writeable = yes, writable = yes, write ok = yes all mean the same thing. You can add a read list = user1, @groupname entry after the writeable = yes entry to deny write access to specific users (they get read-only access to the share).
Now need to add users who can access these shares:
In bash = smbpasswd -a username
(This will invoke a new password prompt)
This user should be an existing, real user on the server.
Testparm:
After making the dir, installing and config SMB, and adding users, you need to run testparm at the prompt to ensure no errors result from the current config.
Accessing your Samba Shares:
In a browser (Konqueror, etc.) = smb://name-or-IP-of-server/
Note: Can config ‘Samba Config’ in
On a Windows pc = \\Servername\sharename. Or can 'map' a network drive to the SMB share. Or the Net Use cmd.
Can use a Samba server as the basis of the nw. Create shares. Config user perms. User accesses shares using configured perms. Can use Linux features to add scheduled backups, remote access, etc. No need for AD. But can still use MS pcs as well as Linux boxes. Additionally Linux is cheap (free!), stable, can run on low end machines, and is immune to Windows viruses.
How to connect to a Windows share from an SMB client?
Need to install smbclient.
The smbclient is an ftp-like command line program that allows you to list, get, put, and do other stuff similar to what you can do with an ftp client. There are many options to smbclient; see man smbclient for a complete listing.
This syntax will connect to a Windows
share:
To access a share in a domain:
A handy way to list the shares available on a Windows host is:
Connecting to a Windows share with smbclient gives the following prompt:
at which you can do ftp-like stuff.
When you enter…
…in the Konqueror address bar, you are running smbclient in the background.
Can use GUI apps such as 'Network Servers' in Ubuntu to access shares from a Linux client (uses smbclient in the background).
How to connect to a Windows share using 'smbmount' (in this case for backing up data from a Windows box):
Install smbfs:
In order to make a Windows share a (nearly) seamless part of your filesystem, you need to mount it using smbmount or plain mount.
For example (requires root access):
OR
Make sure you have a directory for the mount point:
The machine should then ask for a password; just type in the password for the user that you are connecting as. If you get an authentication error after entering the password, make sure that the username you specified is a valid local user (or a valid domain user if the server is attached to a Windows NT/2000 domain) that has permission to connect. Also, you will not need to prepend the username with the domain name.
After successfully mounting the share, to back up the entire share onto the default BU device (which should be /dev/???) you will need to run:
To backup to a tar file, just run:
To restore from device to the mounted share, run:
To restore from a tar file to the mounted share, run:
SSH
This is only a brief description of SSH; for a step by step setup and users guide to SSH, go to http://kimmo.suominen.com/docs/ssh/ OR http://www.suso.org/docs/shell/ssh.sdf
Public Key Cryptography
Public key cryptography uses a public key to encrypt data and a private key to decrypt it. The name public key comes from the fact that you can make the encryption key public without compromising the secrecy of the data or the decryption key.
What this means is that it is safe to send your public key (i.e. the contents of the ~/.ssh/id_rsa.pub file) in electronic mail or by other means, e.g. to have a system administrator of a remote site install that key into your ~/.ssh/authorized_keys file. For anyone to actually gain access they need the corresponding private key (i.e. the decrypted contents of ~/.ssh/id_rsa) to identify themselves.
To further protect your private key you should enter a passphrase to encrypt the key when it is stored in the filesystem. This will prevent people from using it even if they gain access to your files.
Why SSH?
There are a couple of ways that you can access a shell remotely on most Linux/Unix systems. One of the older ways is to use the telnet program, which is available on most network capable operating systems. Accessing a shell account through telnet, though, poses a danger in that everything that you send or receive over that telnet session is visible in plain text on your local network, and the local network of the machine you are connecting to. So anyone who can "sniff" the connection in between can see your username, password, email that you read and commands that you run. For these reasons you need a more sophisticated program to connect to a remote host.
SSH, which is an acronym for Secure SHell, was designed and created to provide the best security when accessing another computer remotely. Not only does it encrypt the session, it also provides better authentication facilities as well as features like X session forwarding, port forwarding and more, so that you can increase the security of other protocols. It can use different forms of encryption ranging anywhere from 512 bit on up to as high as 32768 bits and includes ciphers like AES (Advanced Encryption Standard), Triple DES, Blowfish, CAST128 or Arcfour. Of course, the higher the bits, the longer it will take to generate and use keys as well as the longer it will take to pass data over the connection.
Install & Starting SSH
Download yourself a copy of the latest ssh at ftp://ftp.cs.hut.fi/pub/ssh/ to begin with (version 1.2.26 as of this writing). After untarring the package type:
./configure
make
make install
…the standard installation procedure for any good GNU source package. All you have to do now is run sshd to start up the standalone ssh daemon listening on port 22 of your server. There's your basic ssh setup: type ssh host to login to host with your standard unix password. X clients are automatically exported through the encrypted channel to your display and you can get a help screen of ssh escape sequences by typing ~?.
If you get adventurous and try sshing to other servers, be warned that you'll be told that the host key is not found in the list of known hosts. This is the public key found in the host's /etc/ssh_host_key.pub file. If you continue to connect, this key will be added to your $HOME/.ssh/known_hosts file. The rationale behind this is that if somebody else ever masquerades as this host, the host key would be different to the entry in known_hosts and ssh will instantly notice and tell you so. The ssh package comes with a script called make-ssh-known-hosts which looks up all the hosts in a DNS domain and adds their host keys to the /etc/ssh_known_hosts file, which is also checked by ssh.
Sshd is configured via the /etc/sshd_config file. I recommend you look at the man page to pick out all the gory details; it lets you do stuff like only allow/deny certain hosts or users login access using ssh, set idle timeouts, specify what kind of authentication you want (unix password, rhost or RSA which I'll come back to later) and kerberos authentication. Most of these options are already in the default config file so you can just modify that as you like.
ssh reads $HOME/.ssh/config and the global configuration file /etc/ssh_config when it starts up. Yet again read the man page for details; most of it is pretty straightforward except for the TCP forwarding options -L and -R. This assumes that you can login to a remote host via ssh. If so then you can use ssh as a secure channel to access unencrypted remote network services such as ftp or pop (it's also a handy way of getting around firewalls).
example:
ssh-keygen is the program used for generating RSA key pairs. Run ssh-keygen -f /etc/ssh_host_key -N '' if you need to generate new /etc/ssh_host_key and /etc/ssh_host_key.pub files (make install generates these for you by default). Running ssh-keygen on its own you are asked for a passphrase; this can allegedly be any length you want and it is the passphrase you use to login to a host if you enable RSA authentication in the sshd configuration file. It generates two files, $HOME/.ssh/identity and $HOME/.ssh/identity.pub. These are your default RSA identity keys (you can create different identities by running ssh-keygen -f identity_file, then use them by running ssh -i identity_file host). Appending identity.pub to $HOME/.ssh/authorized_keys of any account on any computer allows you the luxury of logging into that account with your RSA passphrase. It also has the added security that somebody must also possess your identity file before the passphrase would work. Another cool thing with authorized_keys is that you can prepend options to the start of a public key so that if somebody logs into an account with the corresponding passphrase and identity file, those options can do things like allow connections only from certain hosts, deny certain types of ssh forwardings, set environment variables or just execute certain commands.
Example:
from="localhost",command="echo potatoes" 1024 37 150874180139865192964022401254653561092908862712364106745430280001936783033104297839279303288206826735683520855964528132660002134804755674226471792343642466638012617531805622165157738139035417432487556956228238884121546196774730626451213382495086778016310334685244396958654066227875380523910928543591111215801 root@poo.smooch
…the above line in my $HOME/.ssh/authorized_keys will allow only people logging in from localhost to use that identity and it'll simply say potatoes and log you off. The root@poo.smooch part is just a comment that ssh-keygen puts in; it doesn't do anything.
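Because the options prefix is what turns an authorized key into a restricted one, a useful check on any server is to list which keys in authorized_keys carry a from= pattern or a forced command and which carry neither. The script below is an added example, not part of the original notes. It parses both the old SSH-1 line form used in the example above (options, bits, exponent, modulus, comment) and the SSH-2 form (options, key type, base64 key, comment), taking care that the options field ends at the first space outside double quotes, since a forced command such as command="echo potatoes" contains a space. The key material in SAMPLE_KEYS is a constructed placeholder, not real keys.

```shell
#!/bin/sh
# Added example (not from the original notes): parse authorized_keys lines
# and report, per key, the line format, the from= pattern (or "-"), whether a
# forced command is set, and the trailing comment. Key material is constructed.

SAMPLE_KEYS='# constructed sample authorized_keys
from="localhost",command="echo potatoes" 1024 37 1508741801398651929640224012546 root@poo.smooch
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0PLACEHOLDER backup@laptop
from="192.168.1.*",no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER ops@admin'

# audit_authorized_keys TEXT
# Prints one line per key: "<ssh1|ssh2> from=<pattern|-> command=<yes|no> comment=<comment>"
audit_authorized_keys() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        line = $0; opts = ""
        # A line beginning with a key type or a number has no options prefix.
        if (line !~ /^(ssh-|ecdsa-|sk-|[0-9])/) {
            # Options run to the first space that is not inside double quotes.
            inq = 0
            for (i = 1; i <= length(line); i++) {
                ch = substr(line, i, 1)
                if (ch == "\"") inq = !inq
                else if (ch == " " && !inq) break
            }
            opts = substr(line, 1, i - 1)
            line = substr(line, i + 1)
        }
        n = split(line, f, " ")
        if (f[1] ~ /^[0-9]+$/) { fmt = "ssh1"; cstart = 4 }   # bits exponent modulus
        else                   { fmt = "ssh2"; cstart = 3 }   # keytype base64
        comment = ""
        for (j = cstart; j <= n; j++) comment = comment (j > cstart ? " " : "") f[j]
        from = "-"
        if (match(opts, /from="[^"]*"/))
            from = substr(opts, RSTART + 6, RLENGTH - 7)      # strip from=" and closing quote
        cmd = (opts ~ /^command="/ || opts ~ /,command="/) ? "yes" : "no"
        printf "%s from=%s command=%s comment=%s\n", fmt, from, cmd, comment
    }'
}

# count_unrestricted TEXT -> keys with neither a from= pattern nor a forced command
count_unrestricted() {
    audit_authorized_keys "$1" | grep -c 'from=- command=no' || true
}

audit_authorized_keys "$SAMPLE_KEYS"
```

On a live system run it as `audit_authorized_keys "$(cat ~/.ssh/authorized_keys)"`; the backup@laptop key in the sample is the one an administrator would want to look at, since it can log in from anywhere and run anything.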
ssh-agent is a daemon that stores a user's authentication keys and passphrase so that when that user runs ssh, ssh-agent automatically does the RSA authentication for that user, saving him the bother of entering the password himself. What you do is run ssh-agent with an arbitrary command (usually a shell) as its argument. Now command and all its child ssh sessions can be automatically authenticated by ssh-agent, but ssh-agent authenticates nothing by default. You need to run ssh-add [file] where file contains a private identity key such as those generated by ssh-keygen ($HOME/.ssh/identity is the default if no files are specified). You'll be asked to enter the passphrase for that private key. From now on, any ssh session that uses that identity will be automatically authenticated. You can add as many identities as you like; ssh-add -l lists the ones currently loaded in ssh-agent.
scp is the ssh version of rcp which lets you copy a file to a remote host.
slogin is just a symlink to ssh
Common Uses of SSH:
Security Cautions:
Since SSH-1 has inherent design flaws which make it vulnerable to, e.g., man in the middle attacks, it is now generally considered obsolete and should be avoided by explicitly disabling fallback to SSH-1. While most modern servers and clients support SSH-2, some organizations still use software with no support for SSH-2, making it hard to avoid the use of SSH-1.
In all versions of SSH, it is important to verify unknown public keys before accepting them as valid. Accepting an attacker's public key as a valid public key has the effect of disclosing the transmitted password and allowing man in the middle attacks.
As with any encrypted protocol, SSH can be considered a security risk by companies or governments who do not trust their users. Furthermore SSH has built in tunnelling features which make it easier for users to achieve passage of large volumes of information, or to establish an entry point for unauthorized inward access over an SSH link, than with other protocols.
Updating the Linux Kernel
(Referencing Ubuntu & Debian)
So why would you want to mess with the kernel? Well, all the people that work on the Linux kernel are constantly adding support for new hardware, new technologies, new bug fixes, and making myriad other improvements to the Linux kernel. By upgrading our kernel, we increase the abilities and support of our Linux system. Also, a computer has not been built, that I know of anyway, which utilizes all the hardware and other support available in the Linux Kernel. Therefore, why carry around support for a lot of things you don't need if you don't have to.
Knowing what hardware is in your system is absolutely necessary if you want to optimize your kernel specifically for the hardware you have. For example, to compile in support for your sound card, you must know what kind of sound card you have. Oftentimes you can find this information in the manuals that came with your computer, from Windows Device Manager (if you run Windows), or from the manufacturer's web site if you bought your computer from a company such as Gateway, HP or Dell.
Please don't be completely discouraged if you don't know what hardware you have in your machine. While you may be out of luck as far as configuring the kernel for your motherboard's specific chipset, there are still many improvements you can make to your system, such as support for the EXT3 journaling file system, which will be worthwhile.
Find Out Existing Kernel Version:
(uname = certain system info; uname --help for more info)
Note on Ubuntu Kernel:
On Ubuntu 6.10, /bin/sh is a symlink to /bin/dash by default. /bin/dash seems to make problems when you compile software from the sources, at least I had that impression. That's why I make /bin/sh a symlink to /bin/bash instead.
If you are on Ubuntu 6.10, you should do this now:
Install Required Packages For Kernel Compilation:
First we update our package database:
Then we install all needed packages like this:
Next we download our desired kernel to /usr/src. Go to www.kernel.org and select the kernel you want to install, e.g. linux-2.6.18.1.tar.bz2 (you can find all 2.6 kernels here: http://www.kernel.org/pub/linux/kernel/v2.6/). Then you can download it to /usr/src like this:
Then we unpack the kernel sources and create a symlink linux to the kernel sources directory:
OR can download it directly to the /home folder.
Sometimes you need drivers for hardware that isn't supported by the new kernel by default, or you need support for virtualization techniques or some other bleeding-edge technology that hasn't made it to the kernel yet. In all these cases you have to patch the kernel sources (provided there is a patch available...).
Now let's assume you have downloaded the needed patch (I call it patch.bz2 in this example) to /usr/src. This is how you apply it to your kernel sources (you must still be in the /usr/src/linux directory):
The first command is just a test; it does nothing to your sources. If it doesn't show errors, you can run the second command, which actually applies the patch. Don't do it if the first command shows errors!
You can also apply kernel prepatches to your kernel sources. For example, if you need a feature that is available only in kernel 2.6.19-rc4, but the full sources haven't been released yet for this kernel. Instead, a patch-2.6.19-rc4.bz2 is available. You can apply that patch to the 2.6.18 kernel sources, but not to kernel 2.6.18.1 or 2.6.18.2, etc. This is explained on http://kernel.org/patchtypes/pre.html:
Prepatches are the equivalent to alpha releases for Linux; they live in the testing directories in the archives. They should be applied using the patch(1) utility to the source code of the previous full release with a 3-part version number (for example, the 2.6.12-rc4 prepatch should be applied to the 2.6.11 kernel sources, not, for example, 2.6.11.10.)
So if you want to compile a 2.6.19-rc4 kernel, you must download the 2.6.18 kernel sources (http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.18.tar.bz2) in step 3 instead of kernel 2.6.18.1!
This is how you apply the 2.6.19-rc4 patch to kernel 2.6.18:
It's a good idea to use the configuration of your current working kernel as a basis for your new kernel. Therefore we copy the existing configuration to /usr/src/linux: