Mirror directory with mirrordir command

Posted on in Categories Backup, Howto, Linux, UNIX last updated November 29, 2007

rsync is the best tool for mirroring servers and data. However, there is also the mirrordir tool. As the name suggests, it can mirror directories and do lots of other things. It offers lots of options for die-hard shell scripting fans. It can copy or mirror directory trees via a minimal set of changes, locally, over FTP, or over a secure TCP connection.

From the man page:

mirrordir copies files that are different between the directories control and mirror to the directory mirror. Files whose modification times or sizes differ are copied. File permissions, ownerships, modification times, access times (only if --access-times is used), sticky bits, and device types are duplicated. Symlinks are duplicated without any translation. Symlink modification and access times (of the symlink itself, not the file it points to) are not preserved. Hard linked files are merely copied.

mirrordir command supports strong stream cipher encryption and Diffie-Hellman key exchanges with several possible key sizes.

Install mirrordir

Use apt-get or your ports system command:
$ sudo apt-get install mirrordir

mirrordir examples

Mirror ~/scripts to ~/scripts.backup:
$ mkdir ~/scripts.backup
$ mirrordir -v ~/scripts ~/scripts.backup

If you rerun mirrordir, only the updated files are copied.

You can mirror FTP sites:
$ mirrordir -v ftp://ftp.nixcraft.in/pub /home/backup/nixcraft.in/ftp/pub

mirrordir offers tons of options; refer to the mirrordir man page for more examples and options:
$ man mirrordir

Linux mobile phone manager – Wammu

Posted on in Categories Backup, Download of the day, Howto, Linux, Linux desktop last updated November 29, 2007

Wammu is a mobile phone manager that runs on Linux, Windows and possibly other platforms where Gammu and wxPython work. Communication with the phone is handled by the Gammu library. With this software you can:
=> Edit / delete contacts, todo items, calendar entries etc.
=> Send files
=> Compose text messages (SMS), including multi-part messages
=> Search the phone
=> Backup etc.

Phones supported by Gammu:

* Nokia DCT3 (3210, 3310, 3330, 3390, 3410, 5110, 5110i, 5130, 5190, 5210, 5510, 6110, 6130, 6150, 6190, 8210, 8250, 8290, 8850, 8855, 8890, 6210, 6250, 7110, 9110) and compatible

* Nokia DCT4 (3510, 3510i, 3530, 5100, 6100, 6310, 6310i, 6510, 6610, 7210, 8310, 8910) and compatible

* Siemens M20, MC35, SL45 and compatible

* Alcatel One Touch 501, 701, 715, 535, 735

* Sony Ericsson phones

* AT compatible phones

* Symbian phones up to Symbian 9.0 are supported through gnapplet

Install wammu – Phone manager

Debian / Ubuntu Linux users, enter:
$ sudo apt-get install wammu

Download Wammu

Visit official project home page here

Please note that wammu also works under Windows XP.

Measure Network Performance: Find Bandwidth, Jitter, Datagram Loss With Iperf

Posted on in Categories Howto, Linux, Networking, Sys admin, Troubleshooting, UNIX, Windows, Windows server last updated November 27, 2007

Typically, your users report network throughput problems when they see problems with their applications, such as:

[a] FTP Transfer

[b] NFS Performance

[c] HTTP / SMTP / POP3 etc

As a sysadmin you should be able to confirm the throughput problem. iperf is the tool you are looking for to find out about:

a) Network throughput problem

b) Packet loss problem

c) Datagram loss

d) Delay jitter

From the man page:

iperf is a tool to measure maximum TCP bandwidth, allowing the tuning of various parameters and UDP characteristics.

iperf works on a client / server model. You need to install iperf on both the client computer and the server computer to measure network performance between the two nodes.


Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only

Posted on in Categories Security, Sys admin, Tips, Ubuntu Linux, UNIX last updated November 27, 2007

rssh supports a chroot option. If you want to chroot users, use the chrootpath option. It sets the directory where the root of the chroot jail will be located. This is a security feature.

A chroot on Linux or Unix is an operation that changes the apparent root directory. It affects only the current process and its children. Without it, a normal user whose home directory is /home/vivek can still access files in the /etc, /sbin or /bin directories, and this is what allows an attacker to install programs or a backdoor via your web server in /tmp. chroot restricts file system access and locks users down to their own directory.

Configuring rssh chroot

=> Chroot directory: /users.
Tip: If possible, mount the /users filesystem with the noexec/nosuid options to improve security.

=> Required directories in jail:

  • /users/dev – Device files
  • /users/etc – Configuration files such as passwd
  • /users/lib – Shared libs
  • /users/usr – rssh and other binaries
  • /users/bin – Copy of the default shell such as /bin/csh or /bin/bash

=> Required files in jail at /users directory (default for RHEL / CentOS / Debian Linux):

  • /etc/ld.so.cache
  • /etc/ld.so.cache.d/*
  • /etc/ld.so.conf
  • /etc/nsswitch.conf
  • /etc/passwd
  • /etc/group
  • /etc/hosts
  • /etc/resolv.conf
  • /usr/bin/scp
  • /usr/bin/rssh
  • /usr/bin/sftp
  • /usr/libexec/openssh/sftp-server OR /usr/lib/openssh/sftp-server
  • /usr/libexec/rssh_chroot_helper OR /usr/lib/rssh/rssh_chroot_helper (suid must be set on this binary)
  • /bin/sh or /bin/bash (default shell)

Tip: Limit the binaries which live in the jail to the absolute minimum required to improve security. Usually /bin/bash and /bin/sh are not required, but some systems may give an error without them.

A note about jail file system

Note: The files need to be placed in the jail directory (such as /users) in directories that mimic their placement in the root (/) file system. So you need to copy all required files. For example, /usr/bin/rssh is located on the / file system. If your jail is located at /users, then copy /usr/bin/rssh to /users/usr/bin/rssh. The following instructions are tested on:

  • FreeBSD
  • Solaris UNIX
  • RHEL / Redhat / Fedora / CentOS Linux
  • Debian Linux

Building the Chrooted Jail

Create all required directories (the openssh directory lives under /users/usr, matching where sftp-server is copied below):
# mkdir -p /users/{dev,etc,lib,usr,bin}
# mkdir -p /users/usr/bin
# mkdir -p /users/usr/libexec/openssh

Create /users/dev/null:
# mknod -m 666 /users/dev/null c 1 3
Copy the required /etc/ configuration files, as described above, to your jail directory /users/etc:
# cd /users/etc
# cp /etc/ld.so.cache .
# cp -avr /etc/ld.so.cache.d/ .
# cp /etc/ld.so.conf .
# cp /etc/nsswitch.conf .
# cp /etc/passwd .
# cp /etc/group .
# cp /etc/hosts .
# cp /etc/resolv.conf .

Open the /users/etc/group and /users/etc/passwd files and remove root and all other accounts.

Copy the required binary files, as described above, to your jail directory /users/bin and the other locations:
# cd /users/usr/bin
# cp /usr/bin/scp .
# cp /usr/bin/rssh .
# cp /usr/bin/sftp .
# cd /users/usr/libexec/openssh/
# cp /usr/libexec/openssh/sftp-server .

OR
# cp /usr/lib/openssh/sftp-server .
# cd /users/usr/libexec/
# cp /usr/libexec/rssh_chroot_helper .

OR
# cp /usr/lib/rssh/rssh_chroot_helper .
# cd /users/bin/
# cp /bin/sh .

OR
# cp /bin/bash .

Copy all shared library files

The library files that any of these binaries need can be found by using the ldd or strace command. For example, running ldd against /usr/bin/sftp provides the following output:
# ldd /usr/bin/sftp
Output:

        linux-gate.so.1 =>  (0x00456000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x0050e000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x0013e000)
        libutil.so.1 => /lib/libutil.so.1 (0x008ba000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00110000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x0080e000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00a8c000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00656000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00271000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00304000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x00777000)
        libdl.so.2 => /lib/libdl.so.2 (0x00123000)
        libnss3.so => /usr/lib/libnss3.so (0x00569000)
        libc.so.6 => /lib/libc.so.6 (0x00b6c000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00127000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00130000)
        /lib/ld-linux.so.2 (0x00525000)
        libplc4.so => /usr/lib/libplc4.so (0x008c9000)
        libplds4.so => /usr/lib/libplds4.so (0x00133000)
        libnspr4.so => /usr/lib/libnspr4.so (0x00d04000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x0032a000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00341000)
        libsepol.so.1 => /lib/libsepol.so.1 (0x00964000)

You need to copy all of those libraries to the jail's /lib and the other appropriate locations. However, I recommend using my automated script called l2chroot:
# cd /sbin
# wget -O l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
# chmod +x l2chroot

Open l2chroot and set the BASE variable to the chroot directory (jail) location:
BASE="/users"
Now copy all shared library files:
# l2chroot /usr/bin/scp
# l2chroot /usr/bin/rssh
# l2chroot /usr/bin/sftp
# l2chroot /usr/libexec/openssh/sftp-server

OR
# l2chroot /usr/lib/openssh/sftp-server
# l2chroot /usr/libexec/rssh_chroot_helper

OR
# l2chroot /usr/lib/rssh/rssh_chroot_helper
# l2chroot /bin/sh

OR
# l2chroot /bin/bash
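The same library-copying step as a small POSIX shell helper, followed by the audit you want before handing the jail to users. This is an added example, not the article's l2chroot script; it assumes a glibc-style ldd whose output looks like the listing above, and reads the jail root from JAIL (default /users, as in the article).

```shell
#!/bin/sh
# Added example, not the article's l2chroot script. JAIL is the chroot
# root (the article uses /users); override it in the environment if needed.
JAIL="${JAIL:-/users}"

# Copy one host file into the jail at the same path it has on the host,
# which is the layout rule the article describes (e.g. /usr/bin/rssh
# becomes /users/usr/bin/rssh).
jail_copy() {   # jail_copy /absolute/host/path
    [ -e "$1" ] || { echo "no such file: $1" >&2; return 1; }
    mkdir -p "${JAIL}$(dirname "$1")"
    cp -p "$1" "${JAIL}$1"
}

# Copy a binary plus every shared library ldd reports for it. Assumes a
# glibc-style ldd whose lines look like the listing above; only fields that
# are absolute paths are kept, so the vdso (linux-gate.so.1) is skipped.
jail_copy_with_libs() {   # jail_copy_with_libs /usr/bin/sftp
    jail_copy "$1" || return 1
    for lib in $(ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'); do
        jail_copy "$lib" || echo "warning: skipped $lib" >&2
    done
}

# Audit the jail against the article's checklist: the files every jail
# needs are present, and no root account was left in the jail's passwd.
# (/dev/null is created with mknod, as in the article, not by jail_copy.)
jail_audit() {   # exit status 0 means the jail passed every check
    rc=0
    for f in etc/passwd etc/group etc/nsswitch.conf etc/ld.so.cache \
             usr/bin/rssh dev/null; do
        [ -e "$JAIL/$f" ] || { echo "missing: $JAIL/$f"; rc=1; }
    done
    if grep -q '^root:' "$JAIL/etc/passwd" 2>/dev/null; then
        echo "root account still present in $JAIL/etc/passwd"; rc=1
    fi
    return $rc
}

# Usage (as root, after creating the jail directories):
#   jail_copy_with_libs /usr/bin/rssh; jail_copy_with_libs /usr/bin/sftp
#   jail_audit && echo "jail looks complete"
```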

Modify syslogd configuration

The syslog library function works by writing messages to a socket such as /dev/log. You need to pass the -a /path/to/chroot/dev/log option. With this argument you can specify additional sockets that syslogd has to listen to. This is needed if you're going to let some daemon run within a chroot() environment. You can use up to 19 additional sockets. If your environment needs even more, you have to increase the symbol MAXFUNIX within the syslogd.c source file. Open the /etc/sysconfig/syslog file:
# vi /etc/sysconfig/syslog
Find the line that reads as follows:
SYSLOGD_OPTIONS="-m 0"
Append -a /users/dev/log:
SYSLOGD_OPTIONS="-m 0 -a /users/dev/log"
Save and close the file. Restart syslog:
# /etc/init.d/syslog restart
If you are using Debian / Ubuntu Linux, apply the same change to the /etc/default/syslogd file.

Set chroot path

Open configuration file /etc/rssh.conf:
# vi /etc/rssh.conf
Set chrootpath to /users:
chrootpath=/users
Save and close the file. If sshd is not running, start it:
# /etc/init.d/sshd start

Add user to jail

As explained earlier, configure the rssh user account. For example, add user vivek to the chrooted jail with the following commands:
# useradd -m -d /users/vivek -s /usr/bin/rssh vivek
# passwd vivek

Now vivek can log in using sftp or copy files using scp:

sftp [email protected]
[email protected]'s password:
sftp> ls
sftp> pwd
Remote working directory: /vivek
sftp> cd /tmp
Couldn't canonicalise: No such file or directory

User vivek is allowed to log in to the server to transfer files, but is not allowed to browse the entire file system.

Lighttpd / Apache : Run Xcache in Chrooted Jail

Posted on in Categories CentOS, Debian Linux, Gentoo Linux, Howto, lighttpd, Linux, php, RedHat/Fedora Linux last updated November 26, 2007

Recently I wrote about installing and running XCache under Red Hat Enterprise Linux and CentOS Linux. By default XCache uses /dev/zero for caching, so all you have to do is create /dev/zero in the chrooted jail. Type the following commands (assuming that your jail is located in the /lighttpd.jail directory):
# mkdir -p /lighttpd.jail/dev
# mknod -m 666 /lighttpd.jail/dev/zero c 1 5

Just restart your web server and XCache should work under the chrooted lighttpd web server.

A very interesting map of the IPv4 address space

Posted on in Categories Links, Networking, News last updated November 26, 2007

This is a very interesting map of the IPv4 address space. The following image shows a visualization of BGP routing data taken from the Routeviews project. Here, the 1-dimensional IPv4 address space is mapped onto a 2-dimensional image using a 12th order Hilbert curve, which means that CIDR netblocks always appear as squares or rectangles in the image.

Each pixel in the original 4096 x 4096 image represents a single /24 network containing up to 256 hosts. The pixel color shows the size of the route advertisement covering that space ranging from /8 (purple) to /32 (red). Black represents space without a route and grey indicates reserved space.

(Fig: Map of the IPv4 address space, from MAPS OF ROUTVIEWS BGP SNAPSHOTS)

You can order this map as a full size poster from the project home page. I'm going to ask someone to get this cool map for our data center monitoring facility 😀 Note that most large corporations and governments hold large IPv4 address space. I guess with IPv6 we don't have to worry about allocation problems, as it is a much larger address space that allows greater flexibility in assigning addresses.

=> Visit original project page : MAPS OF ROUTVIEWS BGP SNAPSHOTS [measurement-factory.com]