Linux firewall

Posted by season0891 on 2013-12-18

LINUX TASKS:

THE PROJECT

To document some of the basic Linux tasks I completed.


X CONFIG

The configuration file for X.org-X11 is called xorg.conf and is located in /etc/X11. Binaries and libraries are stored under /etc/X11R6. You may configure the file manually or use an X configuration tool. The easiest approach in Fedora is to run the GUI tool.

# system-config-display

Another approach to getting X working is to enter a runlevel where X is not started, modify the configuration file, and test the config. If everything works, return to the desired runlevel.

# telinit 3
# vi /etc/X11/xorg.conf
# startx
# telinit 5

To restart X while staying in an X-enabled runlevel you need to kill the X server. The X server can be killed with Ctrl+Alt+Backspace or by issuing the kill command.

# ps ax | grep X
2644 tty7     SLs+  15:18 /usr/bin/Xorg :0 -audit 0 -auth /var/gdm/:0.Xauth vt7
# kill 2644

To allow other users access to the X server, run gdmsetup. Select the Security tab and uncheck "Deny TCP connections to X server".

# gdmsetup

For remote connections when running iptables, allow port 6000. On Fedora run system-config-securitylevel, click Other ports and add 6000.

# system-config-securitylevel
# iptables -L -t filter
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:telnet
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:x11
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

For remote X server access you may need to update the .Xauthority file. Running "xauth add" creates a cookie in the .Xauthority file, which is basically the password to your local X server.

linux% xhost +
linux% /usr/bin/xauth list
d1de0199.cpships.com:0  MIT-MAGIC-COOKIE-1  d700206a15452c64d6c471f82da78f83

sun1# /usr/openwin/bin/xauth add $DISPLAY MIT-MAGIC-COOKIE-1  d700206a15452c64d6c471f82da78f83
sun1# ls -l /.Xauthority
-rw-------   1 root     other         49 Aug 11 18:17 /.Xauthority

VIRTUAL TERMINALS

Linux supports multiple X login sessions via virtual terminals. By default the first X session runs on VT7. Pressing Ctrl+Alt+F1 switches you from X to the first text-mode VT. If you log in to the text-mode session you can start another X session by running a startx command. You can then switch back and forth between X sessions via Ctrl+Alt+F7 and Ctrl+Alt+F8. See the steps below.

Ctrl+Alt+F1
Returns you to a text-based console login prompt on virtual terminal 1.

$ startx -- :1 vt8
Another X session is started on virtual terminal 8.

PAM ACCESS

You can use PAM to control access to your system via the pam_access.so module. This allows you to prevent users from logging in. On Fedora you modify the system-auth file to include the pam_access.so module and update the /etc/security/access.conf file. Each access.conf entry has three fields: the first is + or - to allow or restrict access, the second contains the user, and the third a hostname or domain name. For ssh, ensure that "UsePAM yes" is set in the /etc/ssh/sshd_config file. See below for an example of the file configurations (extract) and the response from telnet or ssh.

# cat /etc/pam.d/system-auth
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_access.so

# cat /etc/security/access.conf
+ : drstemp : ALL
- : ALL : ALL

# grep UsePAM /etc/ssh/sshd_config
UsePAM yes

$ ssh -l drstemp d1de0199
drstemp@d1de0199's password:
Connection closed by 10.152.30.50

$ telnet d1de0199
login: drstemp
Password:
Permission denied
Connection to d1de0199.cpships.com closed by foreign host.
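To see how pam_access reads the access.conf extract above, here is an added evaluator (example code, not from the original post) that applies the first-match rule to a (user, origin) pair. It handles the subset of the syntax used on this page plus "(group)" entries and ".domain" suffixes; EXCEPT lists and address/netmask origins are left out, and the access.conf text is a constructed copy of the page's two lines.

```python
"""Evaluate /etc/security/access.conf rules the way pam_access does, for a
(user, origin) pair. Subset handled: '+'/'-', ALL, plain user names,
'(group)' entries resolved from a caller-supplied map, and origins that are
ALL, LOCAL, an exact host name or a '.domain' suffix. No EXCEPT, no netmasks."""

# Constructed extract mirroring the page's access.conf: first match wins.
ACCESS_CONF = """\
+ : drstemp : ALL
- : ALL : ALL
"""

def parse_access_conf(text):
    """Return [(allow, [users], [origins])], skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("bad permission field in %r" % line)
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def _user_matches(entry, user, groups):
    if entry == "ALL":
        return True
    if entry.startswith("(") and entry.endswith(")"):      # (group) entry
        return user in groups.get(entry[1:-1], ())
    return entry == user

def _origin_matches(entry, origin):
    if entry == "ALL":
        return True
    if entry == "LOCAL":            # classic pam_access: any origin without a '.'
        return "." not in origin
    if entry.startswith("."):       # domain suffix such as .cpships.com
        return origin.endswith(entry)
    return entry == origin

def access_allowed(rules, user, origin, groups=None):
    """First rule whose user list and origin list both match decides. With no
    matching rule pam_access grants access, so '- : ALL : ALL' makes a whitelist."""
    groups = groups or {}
    for allow, users, origins in rules:
        if any(_user_matches(u, user, groups) for u in users) and \
           any(_origin_matches(o, origin) for o in origins):
            return allow
    return True
```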

ROOT ACCESS

By default, root is denied access to remote login services that use the login program. The file /etc/securetty contains a list of terminals from which root is permitted to log in. The appropriate entries are tty1 through tty6 and vc/1 through vc/6. To use a serial console, add ttyS0 to /etc/securetty and /etc/inittab. To allow access via SSH, modify the /etc/ssh/sshd_config file to include PermitRootLogin yes.


NFS START

Modify the /etc/exports file. See the example below for the format, which contains the share, the client and the options. The main options are read only ("ro"), read write ("rw"), and "no_root_squash", which allows the root user on the client to have root access on the NFS server. By default the root user on the client is mapped to the user "nobody" on the NFS server.

# cat /etc/exports
/media/CXSERIES         10.70.80.164(ro)
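An added audit script (example code, not from the original post) that parses the share/client/options format described above and flags the entries that undo the root-squash protection or export to every host. The sample exports file is constructed for this example; only its first line is the page's own export.

```python
"""Audit /etc/exports entries against the options described above: flag
no_root_squash (client root stays root on the server), read-write exports
to any host, and shares with no client restriction at all."""
import re

# Constructed sample; the first line is the page's own export.
SAMPLE_EXPORTS = """\
/media/CXSERIES         10.70.80.164(ro)
/srv/build              10.70.80.0/24(rw,no_root_squash)
/srv/public             *(rw)
/srv/oops               (rw)
/srv/legacy
"""

# One client entry: optional client, optional parenthesised option list.
ENTRY_RE = re.compile(r"^(?P<client>[^(\s]*)(?:\((?P<opts>[^)]*)\))?$")

def parse_exports(text):
    """Yield (share, client, options) triples. A share with no client entries,
    or an entry with options but no client, is exported to every host, which
    is represented here by client '*'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        share, *entries = line.split()
        if not entries:
            yield share, "*", set()
        for entry in entries:
            m = ENTRY_RE.match(entry)
            if not m:
                raise ValueError("unparseable export entry %r" % entry)
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            yield share, m.group("client") or "*", opts

def audit_exports(text):
    """Return (share, client, finding) tuples for every risky entry."""
    findings = []
    for share, client, opts in parse_exports(text):
        everyone = client == "*"
        if "no_root_squash" in opts:
            findings.append((share, client, "no_root_squash: client root is root here"))
        if everyone and "rw" in opts:
            findings.append((share, client, "read-write to any host"))
        elif everyone:
            findings.append((share, client, "exported to any host"))
    return findings
```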

Prevent hosts from accessing your shares.

# vi /etc/hosts.deny
portmap:ALL
lockd:ALL
mountd:ALL
rquotad:ALL
statd:ALL

Modify the hosts that are allowed access.

# vi /etc/hosts.allow
portmap: 10.70.80.164
lockd: 10.70.80.164
rquotad: 10.70.80.164
mountd: 10.70.80.164
statd: 10.70.80.164

Set the ports that NFS will use.

# vi /etc/sysconfig/nfs
LOCKD_TCPPORT=48620
LOCKD_UDPPORT=48620
MOUNTD_PORT=48621
STATD_PORT=48622
RQUOTAD=no
RQUOTAD_PORT=48623

Open the firewall to allow access for NFS and portmap.

/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48620 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48621 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48622 -j ACCEPT 
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48623 -j ACCEPT 
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT 
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48620 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48621 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48622 -j ACCEPT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48623 -j ACCEPT

Start the NFS services.

# /etc/init.d/portmap start
Starting portmap:                                          [  OK  ]

# /etc/init.d/nfs start
Starting NFS services:                                     [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]

See list of NFS shares available.

# showmount -e localhost
Export list for localhost:
/media/CXSERIES 10.70.80.164

Connect client.

# mount 10.152.3.236:/media/CXSERIES /mnt

Close the firewall once NFS access is completed.

/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48620 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48621 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48622 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48623 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48620 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48621 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48622 -j REJECT
/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48623 -j REJECT
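The open and close rule sets above are derived by hand from the ports set in /etc/sysconfig/nfs. As an added example (not from the original post), the following generator reads those port assignments and emits the matching iptables commands, so the firewall and daemon configuration cannot drift apart. Two deliberate differences from the page are labelled in the code: RQUOTAD=no means the rquotad port is not opened, and "close" deletes (-D) the exact ACCEPT rules that were inserted rather than stacking REJECT rules on top. The sysconfig text is a constructed copy of the page's values.

```python
"""Build the iptables commands that open and close the NFS ports from the
port assignments in /etc/sysconfig/nfs. Unlike the page's close step, which
inserts REJECT rules above the ACCEPT rules, closing here deletes (-D)
exactly the rules that were inserted (-I)."""

# Constructed copy of the page's /etc/sysconfig/nfs settings.
SYSCONFIG_NFS = """\
LOCKD_TCPPORT=48620
LOCKD_UDPPORT=48620
MOUNTD_PORT=48621
STATD_PORT=48622
RQUOTAD=no
RQUOTAD_PORT=48623
"""
CHAIN = "RH-Firewall-1-INPUT"
FIXED_PORTS = {"tcp": {111, 2049}, "udp": {111, 2049}}   # portmap and nfsd

def nfs_ports(sysconfig):
    """Return {'tcp': set, 'udp': set} of ports from the sysconfig variables.
    LOCKD has per-protocol keys; the other *_PORT keys apply to both.
    A daemon switched off (e.g. RQUOTAD=no) does not get its port opened."""
    kv = dict(line.split("=", 1) for line in sysconfig.splitlines() if "=" in line)
    ports = {p: set(FIXED_PORTS[p]) for p in ("tcp", "udp")}
    for key, val in kv.items():
        if key == "LOCKD_TCPPORT":
            ports["tcp"].add(int(val))
        elif key == "LOCKD_UDPPORT":
            ports["udp"].add(int(val))
        elif key.endswith("_PORT"):
            daemon = key[:-len("_PORT")]
            if kv.get(daemon, "yes").lower() != "no":
                ports["tcp"].add(int(val))
                ports["udp"].add(int(val))
    return ports

def iptables_commands(ports, action):
    """action 'open' -> -I ... ACCEPT; 'close' -> -D of the identical rule."""
    flag = {"open": "-I", "close": "-D"}[action]
    cmds = []
    for proto in ("tcp", "udp"):
        for port in sorted(ports[proto]):
            cmds.append(" ".join(["/sbin/iptables", flag, CHAIN, "-m", "state",
                                  "--state", "NEW", "-m", proto, "-p", proto,
                                  "--dport", str(port), "-j", "ACCEPT"]))
    return cmds
```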

Stop the NFS services.

# /etc/init.d/portmap stop
Stopping portmap:                                          [  OK  ]

# /etc/init.d/nfs stop
Shutting down NFS mountd:                                  [  OK  ]
Shutting down NFS daemon:                                  [  OK  ]
Shutting down NFS services:                                [  OK  ]


NFS MOUNT

General NAS Example

# mount -t nfs -o rw,bg,hard,nointr,rsize=1048576,wsize=1048576,tcp,nfsvers=3,timeo=600 ivan-ar:/export/testnfs /mnt

Single Instance Linux Mount Point Options

Datafiles		rw,bg,hard,rsize=1048576,wsize=1048576,vers=3,nointr,timeo=600,tcp,actimeo=0
Binaries		rw,bg,hard,rsize=1048576,wsize=1048576,vers=3,nointr,timeo=600,tcp


SAMBA

Samba provides services for Server Message Block/Common Internet File System (SMB/CIFS). Security on Samba is contained within the application's own password database, as the program does not use PAM for authentication. Controls similar to those provided by PAM are contained within the Samba smb.conf file.

# cat /etc/samba/smbpasswd
spi0004:500:ADD06A7E537F719AC2265B23734E0DAC:314FE31A3785CE5F626E21CE7E15942A:

# smbpasswd -a drstemp 
New SMB password:
Retype new SMB password:
Added user drstemp.

# smbpasswd -x drstemp
Deleted user drstemp.

To mount a CIFS share via the /etc/fstab file while keeping the username and password out of fstab, point the mount at a credentials file.

# cat /etc/fstab
//tpaunixdev/temp      /test	cifs    rw,credentials=/etc/creds       0 0

# cat /etc/creds
username=adcpscorp/dspink
password=fhdkdlla

QUOTAS

To enable quotas per file system you first need to modify the /etc/fstab file to include the mount options usrquota and grpquota. If no process is using the file system, unmount and remount it; otherwise reboot.

# cat /etc/fstab
/dev/sda2	/	ext3	rw,acl,usrquota,grpquota	1 1

Once this is complete you have a file system capable of supporting quotas. Next run the quotacheck command (with the create option) to examine the file system and build a table of current disk usage. For the root file system you may receive the following error: "quotacheck: Cannot remount filesystem mounted on / read-only so counted values might not be right. Please stop all programs writing to filesystem or use -m flag to force checking.". Hence, use the -m option.

# quotacheck -cugm /

The remaining task is to assign disk quotas for the user. The edquota command creates a temporary ASCII file that allows you to modify the quotas per user.

# edquota spi0004
Disk quotas for user spi0004 (uid 500):
  Filesystem        blocks       soft       hard      inodes       soft     hard
  /dev/sda2	    6175696       0          0        117793        0        0

You may set limits via the number of blocks and/or the number of inodes. The hard limit is exactly what the name suggests, while the soft limit lets the user continue but issues warnings. You set a grace period for these soft-limit warnings via the edquota -t command.

# edquota -t
Grace period before enforcing soft limits for users:
Time units may be: days, hours, minutes, or seconds
  Filesystem             Block grace period     Inode grace period
  /dev/sda2                  7days                  7days

Verify user quotas are working.

# quota spi0004

You may also assign quotas based on group. The concept is similar to that described for users above.

# edquota -g ecommgp
# quota -g ecommgp

Check what file systems have quotas enabled.

# quotacheck -avug
quotacheck: Quota for users is enabled on mountpoint / so quotacheck might damage the file.
Please turn quotas off or use -f to force checking.

Turn quotas off and on if needed.

# quotaoff -vaug
/dev/mapper/VolGroup00-LogVol00 [/]: group quotas turned off
/dev/mapper/VolGroup00-LogVol00 [/]: user quotas turned off

# quotaon -vaug
/dev/mapper/VolGroup00-LogVol00 [/]: group quotas turned on
/dev/mapper/VolGroup00-LogVol00 [/]: user quotas turned on

Report on quota usage for all file systems.

# repquota -a | more
*** Report for user quotas on device /dev/sda2
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      -- 6444140       0       0         193501     0     0
daemon    --      24       0       0              3     0     0
adm       --       8       0       0              1     0     0
lp        --      16       0       0              2     0     0

ADD SWAP

Adding Swap File
Create an empty file specifying a block size and count. Ensure the swap file is not created on a fragmented file system.

# dd if=/dev/zero of=/swap.swp bs=1024 count=100000

Initialise the swap file for use. This writes the data structures to the file that allow memory pages to be stored in it.

# mkswap /swap.swp

Start using the swap file.

# swapon /swap.swp

To make the change permanent, update the /etc/fstab file.

/swap.swp	swap	swap    defaults        0 0

To turn off swap and turn it back on once fstab has been updated.

# swapoff /swap.swp
# swapon -a

To disable all swap used by the system.

# swapoff -a

Adding Swap Partition
Create space for the swap partition if one does not exist. Then create a new partition with type code 0x82 ("Linux swap"). Linux uses 0x83 for filesystem partitions.

Prepare the swap partition for usage.

# mkswap /dev/sdb3

Start using the swap partition.

# swapon /dev/sdb3

OPTICAL

Collect your source files into a single location.

Create an ISO-9660 filesystem in an image file from your source directory. The -J and -r options enable the Joliet and Rock Ridge extensions.

# mkisofs -J -r -V "vacation photos" -o ../image.iso /mysource

Burn the disc by copying the image file to the optical disk device.

# cdrecord dev=0,4,0 speed=2 ../image.iso

CRON

System cron jobs are located in /etc/crontab. The directories it references, for example cron.daily, contain scripts that are run once a day.

# cat /etc/crontab
MAILTO=root
HOME=/
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly

# ls /etc/cron.daily
00webalizer  0logwatch  cups       makewhatis.cron  my.cron  rpm         tmpwatch
0anacron     certwatch  logrotate  mlocate.cron     prelink  tetex.cron  yum.cron

Every minute cron wakes up and checks the entries in the /var/spool/cron and /etc/cron.d directories and the /etc/crontab file.

# cat /var/spool/cron/root
05 * * * * /home/spi0004/test.sh

# cat /etc/cron.d/sysstat
*/10 * * * * root /usr/lib64/sa/sa1 1 1


PERFORMANCE

Disk (block) access.

# iostat -x 5

NFS access.

# nfsstat 5

RPC statistics.

# mountstat 5

CPU consumption.

# mpstat -P ALL

Network interface.

# sar -n DEV 5

TCP send/receive queue.

# netstat -a 5
# netstat -a 5 | grep NFS
 

From the ITPUB blog, link: http://blog.itpub.net/90618/viewspace-1063537/. If you repost, please cite the source; otherwise legal liability will be pursued.
