nixCraft » fedora linux

HowTo: Create sar Graphs With kSar [ Identifying Linux Bottlenecks ]

Vivek Gite — Tue, 15 Dec 2009 06:33:21 +0000

The sar command collect, report, or save UNIX / Linux system activity information. It will save selected counters in the operating system to the /var/log/sa/sadd file. From the collected data, you get lots of information about your server:

CPU utilization
Memory paging and its utilization
Network I/O, and transfer statistics
Process creation activity
All block devices activity
Interrupts/sec etc.

sar output can be used for identifying server bottlenecks. However, analyzing information provided by sar can be difficult, so use kSar, which can take sar output and plot a nice easy to understand graph over period of time.

Download Fedora 12 CD / DVD ISO

Vivek Gite — Tue, 24 Nov 2009 10:08:01 +0000

Fedora Linux version 12 has been released and available for download ( jump to download link ). Fedora Linux is a community-based Linux distribution. Fedora is sponsored by Red Hat, Inc. Fedora is considered as the second most popular distro, behind Ubuntu Linux.

20 Linux Server Hardening Security Tips

Vivek Gite — Fri, 30 Oct 2009 07:52:11 +0000

Securing your Linux server is important to protect your data, intellectual property, and time, from the hands of crackers (hackers). The system administrator is responsible for security Linux box. In this first part of a Linux server security series, I will provide 20 hardening tips for default installation of Linux system.

BIND 9 Dynamic Update DoS Security Update

Vivek Gite — Wed, 29 Jul 2009 15:47:12 +0000

BIND 9 is an implementation of the Domain Name System (DNS) protocols. named daemon is an Internet Domain Name Server for UNIX like operating systems. Dynamic update messages may be used to update records in a master zone on a nameserver. When named receives a specially crafted dynamic update message an internal assertion check is triggered which causes named to exit. An attacker which can send DNS requests to a nameserver can cause it to exit, thus creating a Denial of Service situation. configuring named to ignore dynamic updates is NOT sufficient to protect it from this vulnerability. This exploit is public. Please upgrade immediately.

Top 20 OpenSSH Server Best Security Practices

Vivek Gite — Fri, 24 Jul 2009 21:49:43 +0000

OpenSSH is the implementation of the SSH protocol. OpenSSH is recommended for remote login, making backups, remote file transfer via scp or sftp, and much more. SSH is perfect to keep confidentiality and integrity for data exchanged between two networks and systems. However, the main advantage is server authentication, through the use of public key cryptography. From time to time there are rumors about OpenSSH zero day exploit. Here are a few things you need to tweak in order to improve OpenSSH server security.

Vmware Linux Guest Add a New Hard Disk Without Rebooting Guest

Vivek Gite — Sat, 18 Jul 2009 06:55:53 +0000

As a system admin, I need to use additional hard drives for to provide more storage space or to separate system data from user data. This procedure, adding physical block devices to virtualized guests, describes how to add a hard drive on the host to a virtualized guest using VMWare software running Linux as guest.

It is possible to add or remove a SCSI device explicitly, or to re-scan an entire SCSI bus without rebooting a running Linux VM guest. This how to is tested under Vmware Server and Vmware Workstation v6.0 (but should work with older version too). All instructions are tested on RHEL, Fedora, CentOS and Ubuntu Linux guest / hosts operating systems.

20 Linux System Monitoring Tools Every SysAdmin Should Know

Vivek Gite — Sat, 27 Jun 2009 02:26:39 +0000

Need to monitor Linux server performance? Try these built-in command and a few add-on tools. Most Linux distributions are equipped with tons of monitoring. These tools provide metrics which can be used to get information about system activities. You can use these tools to find the possible causes of a performance problem. The commands discussed below are some of the most basic commands when it comes to system analysis and debugging server issues such as:

Finding out bottlenecks.
Disk (storage) bottlenecks.
CPU and memory bottlenecks.
Network bottlenecks.

Lighttpd Traffic Shaping: Throttle Connections Per Single IP (Rate Limit)

Vivek Gite — Sun, 21 Jun 2009 00:02:13 +0000

If you do not control or throttle end users, your server may run out of resources. Spammers, abuser and badly written bots can eat up all your bandwidth. A webserver must keep an eye on connections and limit connections per second. This is serving 101. The default is no limit. Lighttpd can limit the throughput for each single connection (per IP) or for all connections. You also need to a use firewall to limit connections per second. In this article I will cover firewall and lighttpd web server settings to throttle end users. The firewall settings can be applied to other web servers such as Apache / Nginx and IIS server behind PF / netfilter based firewall.

Download Fedora 11 CD / DVD ISO

Vivek Gite — Wed, 10 Jun 2009 07:06:24 +0000

Fedora Linux version 11 has been released and available for download ( jump to download link ). Fedora Linux is a community-based Linux distribution. Fedora is sponsored by Red Hat, Inc.

One of Fedora's main objectives is not only to contain free and open source software, but also to be on the leading edge of such technologies. Fedora 11, codenamed "Leonidas", was released on June 9, 2009. The features include ext4, a 20-second startup, and the latest GNOME, KDE and XFCE releases. Firefox 3.5 and Thunderbird 3's latest pre-releases are available as well.

Linux Find Out If PCI Hardware Supported or Not In The Current Running Kernel

Vivek Gite — Wed, 03 Jun 2009 15:05:04 +0000

From my mailbag:

How do I find out if a given PCI hardware is supported of by the current CentOS / Debian / RHEL / Fedora Linux kernel?

You can easily find out find out if a given piece of PCI hardware such as RAID, network, sound, graphics card is supported or not by the current Linux kernel using the following utilities under any Linux distributions.

Linux x86_64: Detecting Hardware Errors

Vivek Gite — Tue, 02 Jun 2009 21:54:58 +0000

The Blue Screen of Death (BSoD) is used for the error screen displayed by Microsoft Windows, after encountering a critical system. Linux / UNIX like operating system may get a kernel panic. It is just like BSoD. The BSoD and a kernel panic generated using a Machine Check Exception (MCE). MCE is nothing but feature of AMD / Intel 64 bit systems which is used to detect an unrecoverable hardware problem.

Program such mcelog decodes machine check events (hardware errors) on x86-64 machines running a 64-bit Linux kernel. It should be run regularly as a cron job on any x86-64 Linux system. This is useful for predicting server hardware failure before actual server crash.

Linux Kernel Security (SELinux vs AppArmor vs Grsecurity)

Vivek Gite — Wed, 27 May 2009 22:29:17 +0000

Linux kernel is the central component of Linux operating systems. It is responsible for managing the system's resources, the communication between hardware and software and security. Kernel play a critical role in supporting security at higher levels. Unfortunately, stock kernel is not secured out of box. There are some important Linux kernel patches to secure your box. They differ significantly in how they are administered and how they integrate into the system. They also allow for easy control of access between processes and objects, processes and other processes, and objects and other objects. The following pros and cons list is based upon my personal experience.

Lighttpd mod_rrdtool: Monitor The Load, Requests Per Seconds and Traffic

Vivek Gite — Sat, 23 May 2009 09:53:22 +0000

The round-robin database tool aims to handle time-series data like network bandwidth, temperatures, CPU load etc. The data gets stored in round-robin database so that system storage footprint remains constant over time. Lighttpd comes with mod_rrdtool to monitor the server load and other details. This is useful for debugging and tuning lighttpd / fastcgi server performance.

How To Use Gmail Account To Relay Email From a Shell Prompt

Vivek Gite — Sun, 05 Apr 2009 19:29:28 +0000

Usually, you do not need to setup an email server under Linux desktop operating system. Most GUI email clients (such as Thunderbird) supports Gmail POP3 and IMAP configurations. But, how do you send mail via the standard or /usr/bin/mail user agents or a shell script? Programs such as sendmail / postfix / exim can be configured as a gmail smarthost but they are largely overkill for this use.

Security Through Obscurity: MAC Address Filtering ( Layer 2 Filtering )

Vivek Gite — Tue, 17 Feb 2009 18:37:21 +0000

MAC Filtering (layer 2 address filtering) refers to a security access control methodology whereby the 48-bit address assigned to each network card is used to determine access to the network. Iptables, pf, and IPFW can block a certain MAC address on a network, just like an IP. One can deny or allow from MAC address like 00:1e:2a:47:42:8d using open source firewalls. MAC address filtering is often used to secure LAN or wireless network / devices. Is this technique effective?

How To Tail (View) Multiple Files on UNIX / Linux Console

Vivek Gite — Mon, 09 Feb 2009 19:28:32 +0000

tail is one of the best tool to view log files in a real time (tail -f /path/to/log.file). The program MultiTail lets you view one or multiple files like the original tail program. The difference is that it creates multiple windows on your console (with ncurses). This is one of those dream come true program for UNIX sys admin job. You can browse through several log files at once and do various operations like search for errors and much more.

Vsftpd Set Download Only Anonymous Internet Server

Vivek Gite — Wed, 21 Jan 2009 14:34:11 +0000

This example shows how you might set up a large internet facing FTP site for distributing file or software updates. The emphasis will be on security and performance. VSFTPD will make sure only world-readable files and directories are served to the world via anonymous / ftp account. You force to originates FTP port connections from a secure port - so users on the FTP server cannot try and fake file content. You will hide the FTP server user IDs and just display ftp in directory listings. This is also a performance boost. Set a 40000-60000 port range for passive connections. This will help firewall setup.

Tutorial: OpenOffice.Org Mail Merge

Vivek Gite — Wed, 14 Jan 2009 20:14:35 +0000

Mail merge is a software function describing the production of multiple documents from a single template form and a structured data source. This helps to create personalized letters and pre-addressed envelopes or mailing labels for mass mailings from a word processing document which contains fixed text, which will be the same in each output document, and variables, which act as placeholders that are replaced by text from the data source. The data source is typically a spreadsheet or a database which has a field or column matching each variable in the template. When the mail merge is run, the word processing system creates an output document for each row in the database, using the fixed text exactly as it appears in the template, but substituting the data variables in the template with the values from the matching columns.

This technique of merging data to create mailshots gave rise to the term mail merge. OpenOffice.Org has a in built software mail merge feature.

If you haven't tried OpenOffice.org's mail merge feature because you find it confusing or difficult to use, you are in luck. Mail Merges in OpenOffice.org and StarOffice provides a detailed description of the mail merge feature from start to finish. Among other things, it shows how you can use the mail merge to create letters, labels, and envelopes.

=> You can download this excellent PDF ebook for your persusal or read the article online - Mail Merge in Openoffice.org: Everything You Need to Know.

Important: Openssl Security Update [CVE-2008-5077]

Vivek Gite — Thu, 08 Jan 2009 21:58:45 +0000

Linux / BSD and UNIX like operating systems includes software from the OpenSSL Project. The OpenSSL is commercial-grade, industry-strength, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as general purpose cryptography library.

The Google security team discovered a flaw in the way OpenSSL checked the verification of certificates. An attacker in control of a malicious server, or able to effect a "man in the middle" attack, could present a malformed SSL/TLS signature from a certificate chain to a vulnerable client and bypass validation.

This update has been rated as having important security impact on FreeBSD, all version of Ubuntu / Debian, Red Hat (RHEL), CentOS, Fedora and other open source operating system that depends upon OpenSSL.

BIND Named: Set a Zone Transfer IP Address For Master DNS Server

Vivek Gite — Thu, 08 Jan 2009 20:08:01 +0000

I've three nameserver load-balanced (LB) in three geo locations. Each LB has a front end public IP address and two backend IP address (one for BIND and another for zone transfer) are assigned to actual bind 9 server running Linux. So when a zone transfer initiates from slave server, all I get errors. A connection cannot be established, it tries again with the servers main ip or LB2 / LB3 ip. This is a problem because my servers are geo located and load balanced. However, there is a small workaround for this problem.