Archive for the ‘Linux’ Category

Linux Partitioning: To avoid chaos

Sunday, April 23rd, 2006

Dear All,

I am writing this mail as a note on manual partitioning (Disk Druid or fdisk) when installing the Linux operating system.

People get annoyed after using a Linux machine for a while, saying “hey.. I got a Kernel Panic. I am worried about my data” or “I don’t know where my GUI has gone”.

One of the reasons for this panic is that your “/” file system got squeezed! (say, used space for the / partition is 98%)

Please do comment, if you have got any suggestion.

I suggest it’s good practice to take care of this issue from scratch, at the time of OS installation.

Here I am considering a 40GB HDD [** workstation specific NOT Server**]

Most of our machines are dual boot, so I don’t wanna deal with the 15GB for Windows (15GB is fair enough for viruses to play and flood around :) )

well… the remaining 25 GB.

This is just a DIVIDE & RULE policy for better management and for recovery when we have trouble.

/boot = 100MB [Make this the first partition you create, because older BIOSes were not able to detect the second part of the boot loader beyond 1024 cylinders of the HDD]

/usr = 8 GB [We can happily live with this on a workstation; mine is 6 GB and 73% used so far]

swap = Rule of thumb: 2 x RAM size, but not always true [Try to have it in the middle part of the HDD, because it’s fast to access the middle portion of the HDD]

/home = 12 GB [If you don’t have a dual boot, add much more, or go for a separate user (you) defined partition to keep your data like documents, pdfs, mp3s and other stuff]

/ = 2 GB is more than enough. Yes I said 2048 MB *

/var = 500 MB [This separate partition avoids the electronic jamming of / by logfiles, mails and other junk.] If you are using any RedHat distro and trying to configure MySQL, please allow much more space for the growing database, which lives under /var/lib/mysql

/opt = Are ya trying to install any applications like Oracle db and/or its client? Do you have any “optional” application which you don’t have to mess around with? If the answer is “yes”, go ahead and allocate the desired space. I feel 3-4GB is okay. The best part is, you can remove a package installed under /opt as such, because all its files come under that particular directory (directory=pkg-name), even the “bin” files. If you are not sure about this, add this amount of space to your /usr or /home filesystem.

/tmp = Normally, this never goes beyond 100MB


NOTE:

1. Never log into your system as root. Log in as a normal user and configure your mail, desktop, browser and everything else that makes you comfortable. This way all your mails and other heavy stuff fall only under /home/[normalusr].

2. Use sudo or su - when needed.

3. If you are in dual boot and have more space, it’s a good option to create a FAT-32 partition named /winshare or something, so that we can access the data [pdfs, mp3s and other stuff] from both OSes.

Please do revert for any suggestion which you feel much practical or logical.

Thank You

~vipin

Contrary to popular belief, Unix is user friendly.
It just happens to be selective about who it makes friends with.
Dave Parnas

AJAX Write

Monday, April 3rd, 2006

One of the hot things on the web right now is ajaxWrite (AJAX: Asynchronous JavaScript and XML). I say this is gonna be a killer application….
It silently says “Killing is my business and the business is good!”

…and the foxY offered a good company for the Ace-Jack.

* Global access, all you need is an internet connection.
* Platform independent, you can use it with any operating system.
* Automatic updates and upgrades, no more computer restarts or missed patches/updates.
* Server side management, all the busywork is done for you.

http://www.ajaxlaunch.com/ajaxwrite/internals/ajaxwrite-noffox.html

Tail: It doesn’t work with internet explorer.
Did we mention it’s free? That’s right…

Microsoft Office Professional 2007TM - $499

ajaxWrite - $0

Linux Weekly Security Advisory

Saturday, March 4th, 2006

Hey.. if you are a bailiwick and trying to fortify your security checklist, make sure to stay updated with the latest security news and watch the weekly advisories. Here I found some updates in one place.

Debian, Fedora, FreeBSD, Mandriva, Red Hat, and Ubuntu released security advisories this week. Affected packages include BMV, GPdf, Xpdf, pdftohtml, tar, Heimdal, PostgreSQL, and irssi-text. Fedora distributed a kernel update addressing several security vulnerabilities in the kernel. No security advisories were issued by Gentoo.
Got interest? go ahead…

How To Become A Hacker

Sunday, February 12th, 2006

When The Open Source rules the world…there will not be any traditional nomenclature for the kingdom other than Hacker, Geek, Guru, Nerd… and its different status….

So do ya wanna be a hacker…. or wanna know how to become a hacker…? or ya gotta a Q..?

Q: How can I get the password for someone else’s account?
A: This is cracking. Go away, idiot.

esr [ Eric Steven Raymond ]
….if you have watched the movie “Revolution OS”, there is probably no chance you forgot his facial expression when he narrates the incident that happened inside a lift
(mnky..mnky)…I’ll be your worst nightmare…

That was the first time I came to know about him, at a Linux meet where they played the movie, and later on I read some of his essays from The C&B [ The Cathedral and the Bazaar ] and it’s worth it.

Setting Up A Gateway With Linux

Wednesday, February 8th, 2006

This was another workaround I did: setting up a gateway between the internal and external networks so that an internal resource can be accessed from outside.

Yes, there is no change, it’s a dedicated Linux machine for the gateway, installed with RedHat Advanced Server-4.

Setting Up The Gateway

I will briefly describe the set-up before I get into the configuration part.
Well… The machine has two NICs, configured as follows:

eth0: 192.168.1.1/24 connecting to the internal network.
Gateway: 192.168.1.254

eth1: 10.1.0.1/28 connected to a Layer-3 switch (WAN connection), which terminates at the end of the users who are gonna access the internal resource.
Gateway: 10.1.0.3.
The resource is in the 192.168.2.0/24 network. Note: not on the same network.

Yes.. that’s a Q..! Dude, why don’t you set it up on the Layer-3 switch?

hmmm… I don’t have access to the CPE; that is handled by the Service Provider. (We should always keep an alternate way to run out of the heck….) And moreover it’s a temporary set-up for a short period of time.

Next step: enable IP forwarding between the NICs.

camel # vi /etc/sysctl.conf
net.ipv4.ip_forward = 0 # change this 0 to 1

You are done with the IP forwarding, and now the beauty: restart the system to apply the change…

“hey… I don’t wanna restart my system…”

Oho.. really, then please talk to the kernel.

To pass the information to the kernel on the fly without restarting:
camel # echo "1" > /proc/sys/net/ipv4/ip_forward
or, more easily, by reloading /etc/sysctl.conf with
camel # /sbin/sysctl -p

And now keep talking to the kernel about the routing table.

camel # netstat -nr    # shows the current kernel routing table

I configured it as follows:

camel # route del default
camel # route add -net 192.168.2.0/24 gw 192.168.1.254
# now the kernel knows that all requests to the destination 192.168.2.0 network should go via 192.168.1.254, and the rest will be taken care of by the internal routing table.
camel # route add default gw 10.1.0.3    # anything else should go via 10.1.0.3

Now the external people have access only to the 192.168.2.0 network, after they have logged into the gateway and been authenticated; that’s the Security Hardening part. Yes.. the rest of the hardening part is coming right away…

Hardening The Linux BoX

Wednesday, February 8th, 2006

After setting up the Gateway, the next Q was: how could I H4RD3N this machine?

Hardening A Linux Machine… huhh… You can write a book on that. Securing a Linux system, called hardening, can be done using both manual methods and open source security solutions. So I asked myself some Qs:

0. What am I supposed to do with the system?
It should act as a gateway to access my resources from outside (dedicated) networks.

1. Does it have any wild connection to meet up with any unknown people?
No; so far it is not connected to the Internet

2. How about users?
I am going to provide a common usrname and passwd, yeah… but I don’t know them personally.

3. Should I allow the users to play with the system and keep their files?
NO, not even the execute permission. Please, no junk/bulky files.

4. After all, how do I monitor this box?
iptraf [it’s just a breeze]
…so my hardening process focuses on the operating system rather than on any extra powerful tools.

STEPS TAKEN TO HARDEN THE LINUX BOX (GATEWAY)

0. The message shown before getting authenticated.
Access to this computer system is restricted to personnel of the
[your wish is my command]. All connections are logged.
By attempting connection without permission, you are in violation of law and ethics.

1.a Edited /etc/motd
ACCESS RESTRICTED TO AUTHORIZED USERS ONLY

1. No: of users to access the system
a) root
b) admin (enable sudo)
c) Let there be users :)
2. Iptables and TCP wrappers enabled ( Allow access to SSH and HTTPD)

/etc/hosts.deny
sshd:ALL EXCEPT 10. 192.168.
httpd:ALL EXCEPT 10. 192.168.

3. Disable remote ssh as root; only console access.
4. ssh service enabled only for usr xxx and local networks.

Changes done on /etc/ssh/sshd_config
Protocol 2 restriction [Protocol 2]
PermitRootLogin no
Banner /etc/warn.txt [The file which contains the message that is displayed before getting authenticated]
RhostsAuthentication no
IgnoreRhosts yes
RhostsRSAAuthentication no

5. Disable creating executables, devices or set-uid executables in the /home directory

Changes done on /etc/fstab
LABEL=/home /home ext3 noexec,nodev,nosuid,usrquota 1 2
6. Set-up quota for usr xxx.
Soft limit 200MB and can be used 250MB maximum (grace period for 50 MB is 7 days)

7. Disable GCC for normal users; including Admin :) chmod 750

7-5-0 2 root root 94800 Feb 30 2004 /usr/bin/gcc

8. Disable all unwanted services.

camel # chkconfig --list | grep on
camel # chkconfig --list | awk '/xinetd based services/,/""/'
9. Enable the syslog service and configure iptraf
10. Keep updated with the latest security news and watch the weekly advisories issued by vendors.
11. Rule of Thumb: click OO here
12. Reference - 0

UNIX System Hardening Checklist

SELinux
Unix Articles
Reference +1
Linux System Security: The Administrator’s Guide to Open Source Security Tools [ I own this book]
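
A way to check steps 3 to 5 of the checklist against copies of the files, as an added example that is not part of the original post. The function names and the sample files are constructed here, and the checks cover only PermitRootLogin, Protocol, IgnoreRhosts, Banner and the /home mount options listed above.

```shell
#!/bin/sh
# Added example: check copies of sshd_config and fstab against the checklist above.

# Effective value of an sshd_config keyword: keywords are case-insensitive,
# the first occurrence wins, and commented-out lines do not count.
sshd_value() {  # sshd_value <file> <Keyword>
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Succeed only if the fstab entry for a mount point carries every named option.
fstab_has_opts() {  # fstab_has_opts <file> <mountpoint> <opt>...
    f_opts=$(awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$1")
    shift 2
    [ -n "$f_opts" ] || return 1
    for f_opt in "$@"; do
        case ",$f_opts," in *",$f_opt,"*) ;; *) return 1 ;; esac
    done
}

# Print one FAIL line per missed item; the return status is the failure count.
audit() {  # audit <sshd_config> <fstab>
    fails=0
    for want in PermitRootLogin=no Protocol=2 IgnoreRhosts=yes; do
        key=${want%%=*}
        [ "$(sshd_value "$1" "$key")" = "${want#*=}" ] ||
            { echo "FAIL sshd_config: $key is not ${want#*=}"; fails=$((fails + 1)); }
    done
    [ -n "$(sshd_value "$1" Banner)" ] ||
        { echo "FAIL sshd_config: no Banner set"; fails=$((fails + 1)); }
    fstab_has_opts "$2" /home noexec nodev nosuid ||
        { echo "FAIL fstab: /home lacks noexec,nodev,nosuid"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files: one following the checklist, one left near defaults.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf '%s\n' 'Protocol 2' 'PermitRootLogin no' 'Banner /etc/warn.txt' \
    'IgnoreRhosts yes' > "$SAMPLES/sshd_good"
printf '%s\n' '#PermitRootLogin yes' 'Protocol 2,1' > "$SAMPLES/sshd_weak"
printf '%s\n' 'LABEL=/home /home ext3 noexec,nodev,nosuid,usrquota 1 2' > "$SAMPLES/fstab_good"
printf '%s\n' 'LABEL=/home /home ext3 defaults,nosuid 1 2' > "$SAMPLES/fstab_weak"

audit "$SAMPLES/sshd_good" "$SAMPLES/fstab_good" && echo "hardened copy: all checks pass"
audit "$SAMPLES/sshd_weak" "$SAMPLES/fstab_weak" || echo "default copy: $? checks failed"
```

A commented-out `#PermitRootLogin yes` counts as unset, so the audit reports it instead of trusting the daemon's default.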

Linux Performance Analysis

Wednesday, February 1st, 2006

Since I am a shadowman certified; all my testing and workout happening with my x-86 workstation loaded with RedHat Advanced Server-4 (2.6.9-5)

Well… before starting off the session, I want to share one thing which I read in a performance tuning book (System Performance Tuning-second edition by Gian Paolo & Mike). The book gives five rules that we should keep in mind before going for the analysis.

0. Understand Your Environment
1. TANSTAAFL :- There Ain’t No Such Thing As A Free Lunch
2. Throughput vs Latency
3. Do Not Over Utilize A Resource *
4. Design Test Carefully

*Over-utilization is a dangerous thing. As a general rule of thumb, something should be no more than 70% busy or consumed at any given time: this will provide a margin of safety before serious degradation occurs.

So give some thought to how well the above rules are gonna gel with performance analysis.

Performance on a Linux box mainly comes down to its Processor/CPU, Main Memory, Block Device (I/O), Network etc…

Here I am trying out some of the basic commands which help to find where the performance has gone wrong.

0. Processor/CPU

command $ vmstat 5

proc

(r) - The number of processes in runnable and un-interruptable state
(b) - The number of processes in blocking or sleep state

memory

swpd - Amount of memory swapped
free - Amount of free memory
buff - used for buffers
cache - used for filesystem cache

swap

si - Amount of memory swapped in
so - swapped out

io

bi - Blocks of data received (in) from a block device/sec
bo - sent (out) to a block device/sec

System

in - Number of interrupts/sec
cs - Number of context switches/sec

cpu

us - The percentage of cpu time spent in user space
sy - The percentage of cpu time spent in Kernel space
wa - waiting for I/O
id - Idle time

++ In the case of multiple CPUs, the command “vmstat” shows the average. If that is not accurate enough (when a single threaded heavy process is running),

command $ mpstat -P ALL 5
can be used to show the CPU statistics on an aggregated and on a per-CPU basis.

1. Main Memory

Adding more memory to the system may help ya out, if the system shows high availability of Swap Memory but the free and cache memory values are low. To make sure, have a look at the swap-in (si) and swap-out (so) numbers.

2. Block Device

If the Block Device is the culprit for the system’s performance, you may see many processes in blocking state (b), high cpu wait (wa) times and consistently high I/O numbers (bi/bo).

The commands “iostat -x 5” or “iostat -x” help us to dig more into the I/O details

%util - The percentage of cpu time used to issue the requests to the device.
await - The average time (request) taken to complete the result; including the time spent in the queue.
svctm - Service Access Time, the time which the device takes to service the requests.

High numbers for the above parameters tell us the device is too dumb for the current load.
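
The vmstat reading described in sections 0 to 2, as an added example that is not part of the original post. classify_vmstat and the sample output are constructed here, the 20% iowait threshold is an assumption, and the 70% ceiling is the rule of thumb quoted above.

```shell
#!/bin/sh
# Added example: name the likely bottleneck from `vmstat 5` output on stdin.
# $1 = iowait % treated as high (assumed default 20); $2 = busy % ceiling (70).
classify_vmstat() {
    awk -v wa_max="${1:-20}" -v busy_max="${2:-70}" '
        NR == 1 { next }                                         # group header line
        NR == 2 { for (i = 1; i <= NF; i++) col[$i] = i; next }  # column name -> field number
        NR == 3 { next }                                         # first sample is the since-boot average
        {
            n++
            b    += $(col["b"]);  wa += $(col["wa"])
            swap += $(col["si"]) + $(col["so"])
            busy += $(col["us"]) + $(col["sy"])
        }
        END {
            if (n == 0)                              print "no-data"
            else if (swap / n > 0)                   print "memory"
            else if (b / n >= 1 && wa / n > wa_max)  print "block-device"
            else if (busy / n > busy_max)            print "cpu"
            else                                     print "ok"
        }'
}

# Constructed sample: many blocked processes, high wa, heavy bi/bo, no swapping.
sample_io_bound() {
    cat <<'EOF'
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 1  0      0 120000  30000 400000    0    0    12    20 1010   150  3  1 95  1
 0  4      0 118000  30000 401000    0    0  5200  4800 1400   900  4  6 20 70
 0  5      0 117500  30000 401500    0    0  6100  5100 1450   950  3  7 15 75
EOF
}

# Constructed sample: the same load, but pages are moving in and out of swap.
sample_swapping() {
    sample_io_bound | awk 'NR > 3 { $7 = 300; $8 = 450 } { print }'
}

sample_io_bound | classify_vmstat    # block-device
sample_swapping | classify_vmstat    # memory
```

On a live box the input would be something like `vmstat 5 6 | classify_vmstat`; the columns are looked up by header name, so the order of us/sy/id/wa does not matter.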

3. Network

command $ netstat -ci

The output of the command shows the traffic in each interface. The first set of result shows the aggregate total since the last system boot and the subsequent ones are deltas/sec.

The switches
-i : Interface
-c : Continuous
-s : Display summary statistics for each protocol
-r : Kernel routing table

4. Hard Drive Access Tuning

command # hdparm (Hard Disk Parameters)

The following techniques can be applied to (E)IDE drives to utilize 32 bit I/O and DMA more effectively, but carefully.

# hdparm /dev/hda for brief info.
# hdparm -I /dev/hda for detailed info.
# hdparm -tT /dev/hda for testing and reading the speed.

[-t] : Timing buffered disk reads; xxMB/sec
[-T] : Timing buffered-cache reads; xxMB/sec (Results normally in 02 seconds)

To increase the speed :-

# hdparm -d1 -c3 -u1 /dev/hda

-d1 : Turn on DMA [ 0 for OFF]
-c3 : IDE chipset support [0 - DISABLE, 1 - ENABLE, 3 - 32 BIT TRANSFER]
-u1 : Get/set interrupt ‘umask’. Drive ignores other interrupts during processing of interrupts [0 - OFF]

file : /etc/sysconfig/harddisk

switches:
[-r] : Get/set read-only flag for device.
[-R] : Register an IDE device {careful} (expected hwif-ctrl).
[-U] : Un-register an IDE device {careful}
[-C] : Check the current IDE power mode status, normally “active/idle”
[-S] : Set standby (spindown) timeout for the drive. The value is used by the drive to determine how long to wait (with no disk activity) before turning off the spindle motor to save power.
[-Y] : Force to “sleep mode” (soft/hard reset needed but not for linux IDE HDD).
[-y] : Force to “standby mode” (spin down).

5. Kernel Level

If you are still hanging on to Linux kernel-2.2, changing the ‘min_percent’ variable may help you to some extent. This variable represents the system memory available for caching.

# cat /proc/sys/vm/buffermem

2 10 60

To change the default value

# echo "5 10 60" > /proc/sys/vm/buffermem

5 – min-percent.
10 – max-percent.
60 – borrow-percent.

Its always acceptable, have a try. I tried it and I know there are much more powerful tools to workaround.

How much disk space ya left …??

Friday, January 13th, 2006

I gotta something… something wacky this time….

When one of our dear employees asked “Is there any script to know the disk usage of the system I am using….”

well….I snip one and it’s working fine…

++ Those who S [ ] I T before GATE, please excUse…

=====================================================

This shell script will help us to monitor the disk usage.
If the used space of any disk partition is more than 95%, all the users who are
logged into the system will get an ALERT message.
Add the below line to “crontab -e” to run the program every minute:
*/1 * * * * sh /ya/path/to/diskUsage.sh
YMMV and if ya find any issue; please.. try it out by yourself ‘/ ‘
tfeLYpoC

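#!/bin/bash
# Warn every logged-in user when a mounted filesystem is more than 95% full.

# -P keeps each filesystem on one line; skip the header row and anything under /media.
df -hP | grep -iv used | grep -iv media | awk '{print $6 " " $5}' |
while read -r ROW; do
    # ROW is "<mount point> <use%>": strip the % sign and keep the number.
    PERCY=$(echo "$ROW" | cut -d"%" -f1 | awk '{print $2}')
    if [ "$PERCY" -gt 95 ]; then
        wall -n "ALERT..! from $(hostname)
$ROW of the partition is FULL...!"
    fi
done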

Is it 64 or 32 bit ..??

Friday, December 23rd, 2005

When I heard this Q for the second time today at my office…
I thought of writing this as a mail to my dear colleagues… :)

0. Linux

$ uname -a

If the command throws ia64 (Intel Architecture-64) OR x86_64 GNU/Linux.
Guess what it is..??

..if ya see only i686 i586 i386 GNU/Linux >> I am sure the kernel should not support 64 bit.

1. IBM-AiX

$ file /usr/lib/boot/unix*

2. SUN OS/Solaris

$ isainfo -v

If ya couldn’t find the above command…Try

$ uname -a

SUN OS 5.7 or greater is 64 bit compliant

solaris 2.7 or greater is 64 bit compliant.

x. windows

hmmm… Live free… or die….