Explains how to use netstat command to display current connections and find out if your server is under DoS attack or not.
For security reason you may need to find out current working directory of a process. You can obtained this information by visiting /proc/pid/cwd directory or using the pwdx command. The pwdx command reports the current working directory of a process or processes.
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.
It also includes the openssl command, which provides a rich variety of commands You can use the same command to debug problems with SSL certificates.
To test the secure connections to a server, type the following command at a shell prompt:
openssl s_client -connect ssl.servername.com:443
- s_client : This implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. Itâ€™s intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all functionality of the OpenSSL ssl library. You can also connect to secure mail server (such as POP3S ~ 995) / web server port (443) and issue commands.
For example connect to www.cyberciti.biz at port 443, enter:
openssl s_client -connect www.cyberciti.biz:443
CONNECTED(00000003) depth=0 /C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddressfirstname.lastname@example.org verify error:num=18:self signed certificate verify return:1 depth=0 /C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddressemail@example.com verify return:1 --- Certificate chain 0 s:/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddressfirstname.lastname@example.org i:/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddressemail@example.com --- Server certificate -----BEGIN CERTIFICATE----- MIIDhDCCAu2gAwIBAgIJAMgof8IIjdD9MA0GCSqGSIb3DQEBBQUAMIGJMQswCQYD VQQGEwJJTjESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MRcw FQYDVQQKEw5NeSBDb21wYW55IEx0ZDEYMBYGA1UEAwwPKi5jeWJlcmNpdGkuYml6 MSEwHwYJKoZIhvcNAQkBFhJ2aXZla0BuaXhjcmFmdC5jb20wHhcNMDcwOTIwMTEw MzExWhcNMDgwOTE5MTEwMzExWjCBiTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUJl cmtzaGlyZTEQMA4GA1UEBxMHTmV3YnVyeTEXMBUGA1UEChMOTXkgQ29tcGFueSBM dGQxGDAWBgNVBAMMDyouY3liZXJjaXRpLmJpejEhMB8GCSqGSIb3DQEJARYSdml2 ZWtAbml4Y3JhZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzYIxz 2JGAgYUJhLnmDbtC5kc+S4AHJHGTZmFuxVZDFOacHPitS4ohwzDadruUONucVZJY Gi1M9j1jPUBX7oZ7F/Y7pbEO/YMfEPPDGq6uEkkwHDTXRH1qgL6v7q9XtP9Dafck n3+YeTO0eYk0Or9a6xBqJmuN6M+ajprfXmQ9cwIDAQABo4HxMIHuMB0GA1UdDgQW BBQH94MQusbxTH8UxH83EpmMz5v5UjCBvgYDVR0jBIG2MIGzgBQH94MQusbxTH8U xH83EpmMz5v5UqGBj6SBjDCBiTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUJlcmtz aGlyZTEQMA4GA1UEBxMHTmV3YnVyeTEXMBUGA1UEChMOTXkgQ29tcGFueSBMdGQx GDAWBgNVBAMMDyouY3liZXJjaXRpLmJpejEhMB8GCSqGSIb3DQEJARYSdml2ZWtA bml4Y3JhZnQuY29tggkAyCh/wgiN0P0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B AQUFAAOBgQActMUY+8CbFCcxGWvmN95/LsVxZMWWqOGoiFOgqKI9t1T/nBN6TrW5 MYeMwcMbI4OoBo5vnp6mHzcZNoMPiK9DITgb8O/P0EUhjL+QdARJYZX6lLB3qJkP ts65VY0rFxjIhndtixKP1fLC/K2ovzo+43pE1EQB6UhjhHlHV2v34w== -----END CERTIFICATE----- subject=/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddressfirstname.lastname@example.org issuer=/C=IN/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=*.cyberciti.biz/emailAddressemail@example.com --- No client certificate CA names sent --- SSL handshake has read 1066 bytes and written 316 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 989C62FBF87884C9F6904DD216A9A36189BE660059F419DAA16711AF2A7F42D4 Session-ID-ctx: Master-Key: 9A01374F14D7300E8DD02BE2AA3C3567F26E1BB00267D5AB0156C6C11A10EB0D8424FBD06D3B15013B4FBA0F121EC99D Key-Arg : None Start Time: 1192732059 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) ---
Using grep you can see the SSL and TLS connection handshaking, security negotiate, public keys and transfer of digital certificates and key information to the client:
$ openssl s_client -state -nbio -connect www.cyberciti.biz:443 2>&1 | grep "^SSL"
SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:error in SSLv2/v3 read server hello A SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:error in SSLv3 read finished A SSL_connect:error in SSLv3 read finished A SSL_connect:SSLv3 read finished A SSL handshake has read 1066 bytes and written 316 bytes SSL-Session:
=> OpenSSL man pages and documentation.
I use ps command to find out all running process on my Linux and Unix system. The ps command shows information about a selection of the active processes on shell. You may also pipe out ps command output through grep command to pick up desired output.
grep command is the de facto tool for searching text files. However when there are too many matches, it can be difficult to find the requested text in the search results. grep comes with –color=’auto’ option. It surrounds the matching string with the colour, thus resulting enhanced output.
Finding string with color highlighting
Pass –color option to grep command:
# grep --color='auto' -i error /var/log/messages
............ ... Oct 9 16:12:14 vivek-desktop kernel: [ 11.555442] bt878: probe of 0000:05:00.1 failed with error -22 Oct 10 17:35:28 vivek-desktop kernel: [ 10.564710] bt878: probe of 0000:05:00.1 failed with error -22 Oct 11 10:15:34 vivek-desktop kernel: [ 12.187477] bt878: probe of 0000:05:00.1 failed with error -22 Oct 11 14:29:56 vivek-desktop kernel: [ 11.135309] bt878: probe of 0000:05:00.1 failed with error -22 .......... ... ....
Now all matched text displayed using red color. The –color option to matches in the input in red color by default. Color is added via ANSI escape sequences. To change color use environment variable GREP_COLOR. Following will set background to red and foreground to white:
$ export GREP_COLOR='1;37;41'
$ egrep --color=auto -i '(error|fatal|warn|drop)' /var/log/messages
I recommend putting following in ~/.bash_profile OR ~/.bashrc file:
$ vi ~/.bash_profile
Append following alias:
alias grep='grep --color=auto'
Save and close the file. Please note that –color option works with many GNU text utilities, so feel free to use the same.
This is a reader contributed article.
These days almost all server / laptop / desktop system has a gigabit Ethernet card (NIC) pre installed. Most servers are directly connected to internet using 100Mbps connections. You can save real power on your Linux server or desktop by operating at 100Mbps Ethernet speed. For example 1 gigabit link is going to consume more power than the power used at 100Mbps speed. Also note that not all systems actually use gigabit speed. For example my desktop system only used for browsing or chatting purpose or Linux web server used to display just static web pages. Now just calculate power consumption for 100 servers or 1000 desktop systems. Bottom line use Gigabit Ethernet speeds only when needed. Did you know – you can save 2 watts or more per Linux/UNIX/Windows server/desktop by just setting a correct speed 🙂
See current Ethernet card speed
Use ethtool comment to display current speed:
ethtool eth0 | grep -i speed
Set new speed and save power
Following command will set card speed to 100Mbps:
ethtool -s eth0 autoneg off speed 100
=> For more information see ethtool command and network interface speed, duplex . auto negotiate settings on Linux
About the author: Rocky Jr., is an engineer with VSNL – a leading ISP / global telecom company in India and a good friend of nixCraft.
While administrating a box, you may wanted to find out what a processes is doing and find out how many file descriptors (fd) are being used. You will surprised to find out that process does open all sort of files:
=> Actual log file
=> /dev files
=> UNIX Sockets
=> Network sockets
=> Library files /lib /lib64
=> Executables and other programs etc
In this quick post, I will explain how to to count how many file descriptors are currently in use on your Linux server system.
I have already written a shell script to check/monitor domain renew / expiration date here. Now I have modified matty’s domain-check script to support additional C/TLDs .in, .biz, .org and .info domains. I’ve also added 5 seconds delay to avoid whois server rejecting the query. This script checks to see if a domain has expired. It can be run in interactive and batch mode and provides facilities to alarm if a domain is about to expire in advance.
As I said earlier you need to tweak few things to run this monitor with Intel 810 or 845 based chip-set under Ubuntu Linux.
In order to use higher resolution install updated Intel i8xx, i9xx display driver. It is provided by a package called xserver-xorg-video-intel. This package provides the driver for the Intel i8xx and i9xx family of chipsets, including i810, i815, i830, i845, i855, i865, i915, and i945 series chips.
Replace driver by running the apt-get command. Open your terminal and type command:
$ sudo apt-get install xserver-xorg-video-intel
Now run ddcprobe command to get monitor VertRefresh values and HorizSync rate:
$ sudo ddcprobe | grep monitorrange
monitorrange: 24-82, 50-75
24-82 is your HorizSync rates and the second pair is your VertRefresh (50-75) values.
Next reconfigure xserver (X.org) video and monitor using auto detect feature:
$ sudo dpkg-reconfigure xserver-xorg
Set monitor resolution 1440 x 900 and others as per your requirement. Save the changes and reboot the system.
After login you can adjust screen resolution by visiting System > Preferences > Screen Resolution > Select desired screen resolution such as 1440 x 900 and save the changes.