Restore Debian Linux Grub boot loader

last updated in Categories Debian Linux, Tips, Troubleshooting, Ubuntu Linux

Recently my hard disk went bad (some bad sectors developed), my boot.ini (Windows XP boot file) corrupted. I was using NT boot loader to load Linux. So I need to repair the Grub i.e. restore Grub in master boot record (MBR).

Today is national holiday (I-DAY) and I wanna watch TV. Problem is neither I can boot to Linux nor using XP. So I just took my Debian GNU/Linux DVD and booting started when I had presented installation option (after networking dialog prompt) :
1) Press ALT+F2 (or ALT+CTRL+F2) to get shell prompt
2) Then get the partition tables for the devices using fdisk command:
# fdisk -l

3)When you type fdisk -l, you should see your partition name: /dev/scsi/host0/bus0/target0/lun0/part1 (for IDE disk it display same device file in IDE directory)

4)Once you identified your device file, mount disk using mount command:
# mkdir /mydisk
# mount /dev/scsi/host0/bus0/target0/lun0/part1 /mydisk

5) Next use chroot command to start interactive shell with special root directory i.e. /mydisk will act as root directory.
# chroot /mydisk

6)Use grub-install command to reinstall grub (SCSI disk):
# grub-install /dev/sda

If you have IDE device following command :
# grub-install /dev/hda

Again replace /dev/hda and /dev/sda with your actual device names.

7)Type exit and reboot the system. You should see your GRUB and Linux again.
# exit

Other choice was to use Linux Live CD (e.g. Mepis) and do the above procedure. Well, I could have used the Mepis to watch TV but I had some data and emails in Tunderbird so I opted to restore the Grub; watched TV, took backup of emails and now I will put new 120 GiB hard disk tomorrow 😀

Linux Iptables block or open DNS / bind service port 53

last updated in Categories BIND Dns, Debian Linux, Gentoo Linux, Howto, Iptables, Linux, Networking, RedHat/Fedora Linux, Security, Suse Linux, Tips, Troubleshooting

The domain name service provided by BIND (named) software. It uses both UDP and TCP protocol and listen on port 53. DNS queries less than 512 bytes are transferred using UDP protocol and large queries are handled by TCP protocol such as zone transfer.

i) named/bind server – TCP/UDP port 53

ii)Client (browser, dig etc) – port > 1023

Allow outgoing DNS client request:

Following iptables rules can be added to your shell script.

SERVER_IP is your server ip address

DNS_SERVER stores the nameserver (DNS) IP address provided by ISP or your own name servers.

Following rules are useful when you run single web/smtp server or even DSL/LL/dialup Internet connections:

SERVER_IP="202.54.10.20"
DNS_SERVER="202.54.1.5 202.54.1.6"
for ip in $DNS_SERVER
do
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 1024:65535 -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT-p tcp -s $SERVER_IP --sport 1024:65535 -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
done

(B) Allow incoming DNS request at port 53:

Use following rules only if you are protecting dedicated DNS server.

SERVER_IP is IP address where BIND(named) is listing on port 53 for incoming DNS queries.

Please note that here I’m not allowing TCP protocol as I don’t have secondary DNS server to do zone transfer.

SERVER_IP="202.54.10.20"
iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 53 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT

Please note if you have secondary server, add following rules to above rules so that secondary server can do zone transfer from primary DNS server:

DNS2_IP="202.54.10.2"
iptables -A INPUT -p tcp -s $DNS2_IP --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 53 -d $DNS2_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Linux / UNIX: Scanning network for open ports with nmap command

last updated in Categories CentOS, Debian Linux, Download of the day, FreeBSD, Gentoo Linux, GNU/Open source, Howto, Linux, Monitoring, Networking, OpenBSD, RedHat/Fedora Linux, Security, Sys admin, Tips, Troubleshooting, Tuning, UNIX, Windows, Windows server

You can use nmap tool for this job. It is flexible in specifying targets. User can scan entire network or selected host or single server. Nmap is also useful to test your firewall rules. namp is metwork exploration tool and security / port scanner. According to nmap man page:
It is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

nmap port scanning

TCP Connect scanning for localhost and network 192.168.0.0/24
# nmap -v -sT localhost
# nmap -v -sT 192.168.0.0/24

nmap TCP SYN (half-open) scanning

# nmap -v -sS localhost
# nmap -v -sS 192.168.0.0/24

nmap TCP FIN scanning

# nmap -v -sF localhost
# nmap -v -sF 192.168.0.0/24

nmap TCP Xmas tree scanning

Useful to see if firewall protecting against this kind of attack or not:
# nmap -v -sX localhost
# nmap -v -sX 192.168.0.0/24

nmap TCP Null scanning

Useful to see if firewall protecting against this kind attack or not:
# nmap -v -sN localhost
# nmap -v -sN 192.168.0.0/24

nmap TCP Windows scanning

# nmap -v -sW localhost
# nmap -v -sW 192.168.0.0/24

nmap TCP RPC scanning

Useful to find out RPC (such as portmap) services
# nmap -v -sR localhost
# nmap -v -sR 192.168.0.0/24

nmap UDP scanning

Useful to find out UDP ports
# nmap -v -O localhost
# nmap -v -O 192.168.0.0/24

nmap remote software version scanning

You can also find out what software version opening the port.
# nmap -v -sV localhost
# nmap -v -sV 192.168.0.0/24

A note about Windows XP / 2003 / Vista version

Windows user can find ipEye and IPSecScan utilities useful. Please note that Nmap also runes on Windows OS.

Read the man page of nmap for more information:
$ man nmap

Solaris UNIX: How to Setup DNS Client configuration / name server

last updated in Categories Solaris, Sys admin, Troubleshooting, UNIX

So how do you set DNS namserver under Sun Solaris UNIX system? The resolver is a set of routines in the C library that provide access to the Internet Domain Name System (DNS). The resolver configuration file contains information that is read by the resolver routines the first time they are invoked by a process. The file is designed to be human readable and contains a list of keywords with values that provide various types of resolver information.

Internet address (in dot notation) of a name server that the resolver should query. Up to MAXNS (currently 3, see ) name servers may be listed, one per keyword. If there are multiple servers, the resolver library queries them in the order listed. To configure Solaris nameserver edit or modify /etc/resolv.conf file.

DNS Client Setup

First Create the file called /etc/resolv.conf – which includes the primary and secondary DNS server IP address for Solaris system, it can be your own DNS server or your ISPs DNS server:
# touch /etc/resolv.conf

Open /etc/resolv.conf using vi text editor:
# vi /etc/resolv.conf
Add the following lines to it:

search nixcraft.in
nameserver 202.54.1.30
nameserver 202.54.1.18

Where,

  • nameserver IP : It is IP of first DNS server
  • search nixcraft.in : Default domain name to search. For example, if you type command nslookup www, it will search it as www.nixcraft.in

2) Enable the name resolving using DNS as follows:
# cp /etc/nsswitch.dns /etc/nsswitch.conf
3) Test new name server by running the nslookup command as follows:
# nslookup nixcraft.in
OR
# /usr/sfw/sbin/nslookup nixcraft.in
Output:

Server:  gwbsd2vsnl.nixcraft.in
Address:  192.168.1.202

Non-authoritative answer:
Name:    nixcraft.in
Address:  202.71.128.225

FreeBSD: Customize Home, Del, Insert keys for BASH shell

last updated in Categories FreeBSD, Howto, Sys admin, Tips, Troubleshooting

By default when you use FreeBSD’s BASH shell and if you hit Home, Del, Insert keys all of them just prints ~ (some garbage is printed ). To get rid of this problem, edit /etc/profile file and define key binding.

1) Open your bash global profile file:
# vi /etc/profile

2) Add following line to it:
export INPUTRC=/usr/local/etc/inputrc

3) Close and save the file

4) Open the file /usr/local/etc/inputrc and define / modify key binding:
# vi /usr/local/etc/inputrc

5) Append following config data:

set meta-flag on
set input-meta on
set convert-meta off
set output-meta on

"\e[1~": beginning-of-line
"\e[4~": end-of-line
"\e[5~": beginning-of-history
"\e[6~": end-of-history
"\e[3~": delete-char
"\e[2~": quoted-insert
"\e[5C": forward-word
"\e[5D": backward-word

6) Close and save the file

7) Now logout and login back again to test your new key settings.

How to: Troubleshoot UNIX / Linux BIND DNS server problems

last updated in Categories BIND Dns, CentOS, Debian Linux, FreeBSD, Gentoo Linux, GNU/Open source, Howto, Linux, OpenBSD, RedHat/Fedora Linux, Suse Linux, Sys admin, Troubleshooting, Tuning, UNIX

BIND is the Berkeley Internet Name Domain, DNS server. It is wildly used on UNIX and Linux like oses. You can use following tools to troubleshoot bind related problems under UNIX or Linux oses.

Task: Port 53 open and listing requests

By default BIND listen DNS queries on port 53. So make sure port 53 is open and listing user requests. by running any one of the following tests. See if you can telnet to port 53 from remote computer:
$ telnet remote-server-ip 53
OR
telnet ns1.nixcraft.org domain
Output:

Trying 192.168.0.5...
Connected to ns1.nixcraft.org.
Escape character is '^]'.

If you cannot connect make sure firewall is not blocking your requests. Next use netstat command to list open and listing port 53 on server itself:
$ netstat -tulpn | grep :53
OR
# netstat -atve
Output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode
tcp        0      0 ns1.nixcraft.org:domain *:*                     LISTEN      named      10386
tcp        0      0 rhx.test.com:domain     *:*                     LISTEN      named      10384
tcp        0      0 *:ssh                   *:*                     LISTEN      root       1785
tcp        0      0 rhx.test.com:rndc       *:*                     LISTEN      named      10388
tcp        0      0 rhx.test.com:smtp       *:*                     LISTEN      root       1873
tcp        0      0 ns1.nixcraft.org:ssh    w2k.nixcraft.org:1057   ESTABLISHED root       10501
tcp        0      0 rhx.test.com:32773      rhx.test.com:domain     TIME_WAIT   root       0
tcp        0      0 ns1.nixcraft.org:32775  ns1.nixcraft.org:domain TIME_WAIT   root       0
tcp        0      0 rhx.test.com:32774      rhx.test.com:domain     TIME_WAIT   root       0

Make sure iptables firewall is not blocking request on server:
# iptables -L -n
OR
# iptables -L -n | less
Make sure named is running:
# /etc/init.d/named status
If not start named:
# chkconfig named on
# service named start

Task: Use log files

You can use log files after starting/restarting bind to see error messages:
# tail –f /var/log/message
Output:

Nov 17 16:50:25 rhx named[3539]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 17 16:50:25 rhx named[3539]: listening on IPv4 interface eth0, 192.168.0.5#53
Nov 17 16:50:25 rhx named[3539]: command channel listening on 127.0.0.1#953
Nov 17 16:50:25 rhx named[3539]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Nov 17 16:50:25 rhx named[3539]: nixcraft.org.rev:1: no TTL specified; using SOA MINTTL instead
Nov 17 16:50:25 rhx named[3539]: zone 0.168.192.in-addr.arpa/IN: loaded serial 12
Nov 17 16:50:25 rhx named[3539]: zone localhost/IN: loaded serial 42
Nov 17 16:50:25 rhx named[3539]: zone nixcraft.org/IN: loaded serial 12
Nov 17 16:50:25 rhx named[3539]: running

Task: Check zone file for errors

You can check zone file syntax and /etc/named.conf file using following utilities. named-checkconf command is named (BIND) configuration file syntax checking tool.
# named-checkconf /etc/named.conf
Output:

/etc/named.conf:32: missing ';' before 'zone'

Plesse note that if named-checkconf did not find any errors it will not display in output on screen.

Check zone file syntax for errors. named-checkzone is zone file validity checking tool. named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a zone. This makes named checkzone useful for checking zone files before configuring them into a name server.
# named-checkzone localhost /var/named/localhost.zone
OR
#named-checkzone nixcraft.org /var/named/nixcraft.org.zone
Output:

zone nixcraft.org/IN: loaded serial 12
OK

Task: Testing BIND/DNS with utilities

You can use host and dig utilties to test your bind configuration.

  • host: host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa.
  • dig: dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.

List IP address associated with host names:
# host nixcraft.org
OR
# host www
Output:

www.nixcraft.org has address 192.168.0.6

Perform a zone transfer for zone name using -l option:
# host -l nixcraft.org

nixcraft.org SOA ns1.nixcraft.org. admin.nixcraft.org. 12 10800 900 604800 86400
nixcraft.org name server ns1.nixcraft.org.
nixcraft.org mail is handled by 10 mail.nixcraft.org.
nixcraft.org has address 192.168.0.5
gw.nixcraft.org has address 192.168.0.254
mail.nixcraft.org has address 192.168.0.7
ns1.nixcraft.org has address 192.168.0.5
w2k.nixcraft.org has address 192.168.0.1
www.nixcraft.org has address 192.168.0.6
nixcraft.org SOA ns1.nixcraft.org. admin.nixcraft.org. 12 10800 900 604800 86400

Other examples
# dig mail.nixcraft.org
# dig 192.168.0.5