Saturday, September 20, 2008

How to create ISO image from your Harddisk, CD or DVD

Sometimes we want to back up a CD/DVD, or build an ISO image from files on the hard drive.

Here is how:
dd if=/dev/dvd of=dvd.iso (to image a DVD)
dd if=/dev/cdrom of=cd.iso (to image a CD-ROM)
dd if=/dev/scd0 of=cd.iso (to image a SCSI CD-ROM)
mkisofs -o /tmp/cd.iso /tmp/backup/ (to make an ISO image from the files under /tmp/backup/ on your hard drive)
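The dd lines above copy the disc but give no sign of whether the copy is good. As an added example (not from the original post), here is a small shell script that images a source with dd, compares the image against it byte for byte, and stores a SHA-256 checksum beside the image so it can be re-verified later. It uses a constructed random file in place of /dev/cdrom so it runs anywhere with GNU coreutils (dd, cmp, sha256sum).

```shell
#!/bin/sh
# Image a disc (here: a constructed stand-in file) with dd and verify the
# copy before trusting it as a backup. Added example, not from the original
# post; requires GNU coreutils.

# image_and_verify SRC DEST -> 0 only if DEST is a bit-exact copy of SRC;
# also writes DEST.sha256 so the image can be re-checked later
image_and_verify() {
    src="$1"; dst="$2"
    # 2048-byte blocks match CD/DVD sectors. conv=noerror,sync would paper
    # over read errors with zero-filled blocks, so it is deliberately absent.
    dd if="$src" of="$dst" bs=2048 2>/dev/null || return 1
    cmp -s "$src" "$dst" || { echo "image does not match source" >&2; return 1; }
    sha256sum "$dst" > "$dst.sha256"
}

# image_intact DEST -> 0 if DEST still matches the checksum stored beside it
image_intact() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

TMP=$(mktemp -d)
# constructed stand-in for /dev/cdrom: 64 KiB of random data
dd if=/dev/urandom of="$TMP/disc" bs=2048 count=32 2>/dev/null
if image_and_verify "$TMP/disc" "$TMP/disc.iso"; then echo "image verified"; fi
# damage the image (append one byte): the stored checksum now catches it
printf 'X' >> "$TMP/disc.iso"
if image_intact "$TMP/disc.iso"; then echo "still intact"; else echo "corruption detected"; fi
rm -r "$TMP"
```

For a real disc, replace "$TMP/disc" with /dev/cdrom or /dev/dvd; keep the .sha256 file with the image, since cmp against the disc is only possible while you still have it.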


Friday, September 19, 2008

Install Ubuntu 8.04.1 Hardy on ACER 4530 with Mac4Lin Leopard Desktop



Here is a screenshot of my laptop just after installing Ubuntu 8.04.1 Hardy and tweaking it to resemble the Mac Leopard desktop.



The Acer 4530 is a good notebook at a good price and comes with a GeForce 9100M G graphics controller. However, you have to install the nvidia driver to get the native 1280x800 resolution.

Currently, after recompiling the kernel (2.6.26.5), I still cannot get sound and wireless to work, even though both are detected.

Here is what dmesg shows for sound (ALSA):
ALSA sound/pci/hda/hda_codec.c:728: hda_codec_cleanup_stream: NID=0x2
ALSA sound/pci/hda/hda_codec.c:728: hda_codec_cleanup_stream: NID=0x3

For the wireless card, here is what I get from iwconfig; somehow, I just cannot connect to my access point.

nprasetio@student1:~$ iwconfig
lo no wireless extensions.

eth0 no wireless extensions.

wmaster0 no wireless extensions.

wlan0 IEEE 802.11 ESSID:""
Mode:Managed Frequency:2.412 GHz Access Point: Not-Associated
Tx-Power=27 dBm
Retry min limit:7 RTS thr:off Fragment thr=2352 B
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

Here are some good links to follow to tweak your ACER 4530 and make it resemble a Mac:

Recompiling Kernel To Detect Wireless Card, Sound and Other Cool Features

Turning your ACER 4530 to Mac OSX Leopard

Thursday, July 31, 2008

Secure Shell: SSH

Authentication with SSH keys is the most powerful feature of SSH. To use it, generate a key pair and add the public key to ~/.ssh/authorized_keys on the server. Normally the private key is protected by a passphrase and loaded into ssh-agent, so the passphrase is typed once per session rather than at every login. A key used for automated tasks usually has to be passphrase-less; such a key should then be restricted on the server side (the from=, command= and no-* options in authorized_keys limit what it can do) and the private key file kept readable by its owner only.

[georgia@georgia ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/georgia/.ssh/id_rsa):
Created directory '/home/georgia/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/georgia/.ssh/id_rsa.
Your public key has been saved in /home/georgia/.ssh/id_rsa.pub.
The key fingerprint is:
67:5a:60:ac:70:95:18:8d:02:1b:e1:c2:da:5c:88:81 georgia@georgia.rhce.test


[georgia@georgia ~]$ cat ~/.ssh/id_rsa.pub | ssh georgia@greg.rhce.test 'umask 077; mkdir -p .ssh; cat >> .ssh/authorized_keys'

The umask and mkdir -p make sure .ssh exists on the server and is neither group- nor world-readable; sshd ignores an authorized_keys file with loose permissions. ssh-copy-id does the same job in one command.

Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Kernel \r on an \m
georgia@greg.rhce.test's password:

Now check the configuration by logging in again; you should get a shell without being asked for a password:


[georgia@georgia ~]$ ssh georgia@greg.rhce.test

Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Kernel \r on an \m
georgia@greg.rhce.test's password:
Last login: Thu Jul 31 16:23:42 2008

If key authentication is working you will not be asked for a password. Being prompted for one, as in the transcript above, means sshd fell back to password authentication and the key was not used: run ssh -v to see which methods were tried, and check on the server that ~/.ssh is mode 700 and authorized_keys mode 600, both owned by the user, and that sshd_config does not set PubkeyAuthentication no.
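The server-side half of the procedure above, written as an added example (not OpenSSH's code and not from the original post): install a public key into a home directory with the permissions sshd insists on, never append the same key twice, and optionally pin an automation key to a single command with the classic authorized_keys options. The key strings are constructed placeholders, not real keys, and /usr/local/bin/backup is an assumed command.

```shell
#!/bin/sh
# Server-side installation of a public key with safe permissions and
# deduplication. Added example; not part of OpenSSH or the original post.

# install_pubkey HOMEDIR PUBKEY_FILE [OPTIONS]
#   OPTIONS is an authorized_keys option string (e.g. no-pty,command="...")
#   prepended to the key line; omit it for an interactive login key.
install_pubkey() {
    home="$1"; keyfile="$2"; opts="$3"
    dir="$home/.ssh"; ak="$dir/authorized_keys"
    key=$(head -n 1 "$keyfile")
    [ -n "$key" ] || { echo "empty key file" >&2; return 1; }
    if [ -n "$opts" ]; then line="$opts $key"; else line="$key"; fi
    # umask 077 creates .ssh and authorized_keys without group/other bits
    (umask 077; mkdir -p "$dir" && touch "$ak") || return 1
    chmod 700 "$dir" && chmod 600 "$ak" || return 1
    # key type + base64 blob identify the key (the comment may differ)
    blob=$(printf '%s' "$key" | awk '{print $1, $2}')
    if grep -qF -- "$blob" "$ak"; then
        return 0                       # already installed, nothing to do
    fi
    printf '%s\n' "$line" >> "$ak"
}

# ssh_perms_ok HOMEDIR -> 0 if ~/.ssh is 0700 and authorized_keys is 0600,
# the state sshd (with StrictModes, the default) requires before using a key
ssh_perms_ok() {
    dir="$1/.ssh"
    [ -n "$(find "$dir" -prune -perm 700)" ] &&
    [ -n "$(find "$dir/authorized_keys" -prune -perm 600)" ]
}

TMP=$(mktemp -d)
# constructed placeholder public key; not a real key
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDEXAMPLEKEYNOTREAL georgia@georgia.rhce.test\n' > "$TMP/id_rsa.pub"
install_pubkey "$TMP/home" "$TMP/id_rsa.pub"
install_pubkey "$TMP/home" "$TMP/id_rsa.pub"   # second run is a no-op
cat "$TMP/home/.ssh/authorized_keys"
if ssh_perms_ok "$TMP/home"; then echo "permissions OK"; fi
rm -r "$TMP"
```

For a backup key used by cron, pass an option string such as command="/usr/local/bin/backup",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding as the third argument; the key then runs that one command and nothing else, whatever the client asks for.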

Friday, July 18, 2008

Basic IPv4 Firewall Using iptables

Scenario: someone wants to harden a stand-alone server with the kernel's built-in packet filter, iptables. The server has only one NIC.

Here are the steps:
1. Create a custom chain named HOME-RULES and insert a rule at the top of INPUT that jumps every packet to it (INPUT is still empty here, so -A lands at the top; on a chain that already has rules use -I INPUT 1 instead). Remember to save the firewall configuration when you're finished.
[root@greg ~]# iptables -N HOME-RULES
[root@greg ~]# iptables -A INPUT -j HOME-RULES
[root@greg ~]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@greg ~]# less /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Sat Jul 19 07:29:26 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:HOME-RULES - [0:0]
-A INPUT -j HOME-RULES
COMMIT
# Completed on Sat Jul 19 07:29:26 2008

2. In this tutorial I populate the HOME-RULES chain by editing /etc/sysconfig/iptables directly (I assume you know how to edit files with vim).
[root@greg ~]# vim /etc/sysconfig/iptables
Insert the following -A HOME-RULES lines below the -A INPUT -j HOME-RULES line and above COMMIT. The text after each --> is an explanation, not part of the file.
-A HOME-RULES -i lo -j ACCEPT --> accepts all traffic on the loopback interface (lo)
-A HOME-RULES -p icmp -j ACCEPT --> accepts ICMP, so other hosts can ping the server
-A HOME-RULES -m state --state ESTABLISHED,RELATED -j ACCEPT --> accepts replies to connections the server itself started, plus related traffic such as ICMP errors
-A HOME-RULES -p tcp --dport 22 -j ACCEPT --> accepts packets for TCP port 22, so other hosts can ssh to the server
-A HOME-RULES -m state --state NEW -p udp --dport 514 -j ACCEPT --> accepts new packets for UDP port 514 (syslog)
-A HOME-RULES -j LOG --> logs every packet not matched by one of the rules above
-A HOME-RULES -j REJECT --> rejects every packet not matched by one of the rules above; order matters, since each packet takes the first rule that matches

Two things to tighten before using this on a real host: the syslog rule accepts UDP 514 from anywhere, so add -s with the address of the host that is allowed to send logs, and the LOG rule has no rate limit, so a port scan can flood /var/log/messages; prefix it with -m limit --limit 5/min. REJECT answers with an ICMP port-unreachable by default; RHEL's own default ruleset uses --reject-with icmp-host-prohibited, and DROP answers nothing at all.

3. Save the new configuration.
4. Load the new rules.
[root@greg ~]# service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]

5. You're all set.
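Editing /etc/sysconfig/iptables by hand is where the order mistakes happen (a deny before the ESTABLISHED rule, a chain that falls through to the ACCEPT policy). As an added example, not part of iptables or RHEL and not from the original post, here is a POSIX shell linter that reads an iptables-save style file and reports the problems a reviewer would flag before "service iptables restart". It is run against a constructed copy of the ruleset above and against a tightened copy; 192.168.1.10 is an assumed address for the syslog client.

```shell
#!/bin/sh
# Lint an iptables-save style file (the format of /etc/sysconfig/iptables).
# Added example with the editor's own checks; not part of iptables or RHEL.

# lint_rules FILE CHAIN -- print one finding per line, return 1 if any
lint_rules() {
    f="$1"; chain="$2"; rc=0

    # the custom chain must be declared and INPUT must hand off to it
    grep -q -- "^:$chain - " "$f" || { echo "chain $chain is not declared"; rc=1; }
    grep -q -- "^-A INPUT -j $chain\$" "$f" || { echo "INPUT does not jump to $chain"; rc=1; }

    # stateful replies must be accepted, and before the terminal deny rule
    est=$(grep -n -- "^-A $chain .*--state [A-Z,]*ESTABLISHED" "$f" | head -n 1 | cut -d: -f1)
    deny=$(grep -nE -- "^-A $chain .*-j (REJECT|DROP)" "$f" | head -n 1 | cut -d: -f1)
    if [ -z "$est" ]; then
        echo "$chain never accepts ESTABLISHED,RELATED traffic"; rc=1
    elif [ -n "$deny" ] && [ "$est" -gt "$deny" ]; then
        echo "ESTABLISHED,RELATED accept comes after the deny rule"; rc=1
    fi

    # the last rule must be a terminal deny, otherwise unmatched packets
    # fall back to the INPUT chain policy (ACCEPT on this server)
    last=$(grep -- "^-A $chain " "$f" | tail -n 1)
    case "$last" in
        *"-j REJECT"*|*"-j DROP"*) ;;
        *) echo "last rule of $chain is not REJECT/DROP: $last"; rc=1 ;;
    esac

    # an unlimited LOG rule lets a port scan fill /var/log/messages
    if grep -- "^-A $chain .*-j LOG" "$f" | grep -qv -- "-m limit"; then
        echo "LOG rule has no -m limit"; rc=1
    fi

    # accepting syslog (udp/514) from the whole Internet invites log
    # injection; the rule must name the sender with -s
    if grep -- "^-A $chain .*--dport 514 " "$f" | grep -qv -- " -s "; then
        echo "udp/514 accept has no -s source restriction"; rc=1
    fi
    return $rc
}

# write_samples DIR -- constructed copies of the post's ruleset, as shown
# (page.rules) and with the findings fixed (hardened.rules)
write_samples() {
    cat > "$1/page.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:HOME-RULES - [0:0]
-A INPUT -j HOME-RULES
-A HOME-RULES -i lo -j ACCEPT
-A HOME-RULES -p icmp -j ACCEPT
-A HOME-RULES -m state --state ESTABLISHED,RELATED -j ACCEPT
-A HOME-RULES -p tcp --dport 22 -j ACCEPT
-A HOME-RULES -m state --state NEW -p udp --dport 514 -j ACCEPT
-A HOME-RULES -j LOG
-A HOME-RULES -j REJECT
COMMIT
EOF
    cat > "$1/hardened.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:HOME-RULES - [0:0]
-A INPUT -j HOME-RULES
-A HOME-RULES -i lo -j ACCEPT
-A HOME-RULES -p icmp -j ACCEPT
-A HOME-RULES -m state --state ESTABLISHED,RELATED -j ACCEPT
-A HOME-RULES -p tcp --dport 22 -j ACCEPT
-A HOME-RULES -s 192.168.1.10 -m state --state NEW -p udp --dport 514 -j ACCEPT
-A HOME-RULES -m limit --limit 5/min -j LOG --log-prefix "HOME-RULES: "
-A HOME-RULES -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

TMP=$(mktemp -d)
write_samples "$TMP"
for r in page hardened; do
    echo "== $r.rules"
    if lint_rules "$TMP/$r.rules" HOME-RULES; then echo "no findings"; fi
done
rm -r "$TMP"
```

Run it as lint_rules /etc/sysconfig/iptables HOME-RULES after editing and before restarting the service; the page's ruleset as written yields the two findings about LOG and udp/514, the hardened copy yields none.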

Thursday, July 17, 2008

Installing a Simplistic DNS Server Using BIND

1. Install the required packages (ignore the warning about a missing named.conf; it is expected at this stage):
  • bind, bind-utils, bind-chroot, caching-nameserver
[root@greg ~]# yum -y install bind bind-utils bind-chroot caching-nameserver
... output omitted ...
2. Start iptables (a caching-only server that listens on 127.0.0.1 needs no firewall change; serving other hosts would require opening TCP and UDP port 53):
[root@greg ~]# service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]

3. Keep SELinux enforcing:
[root@greg ~]# vim /etc/selinux/config
Make sure the following line appears in your configuration
SELINUX=enforcing
4. Check which ports name servers use:
[root@greg ~]# grep domain /etc/services
domain 53/tcp # name-domain server
domain 53/udp
domaintime 9909/tcp # domaintime
domaintime 9909/udp # domaintime

5. Check whether named is linked against libwrap (TCP wrappers), which would make /etc/hosts.allow and /etc/hosts.deny apply to it. It is not, so the command should print nothing:
[root@greg ~]# ldd $(which named) | grep libwrap
6. Review /etc/named.caching-nameserver.conf to see the default access control options. Pay attention to the listen-on and allow-query directives; for any directive you do not remember, see man 5 named.conf.
7. Prepare a minimal configuration that meets the access requirements. First, in separate terminals, run the following commands so you can watch the system and audit logs when restarting the service after each configuration change:
[root@greg ~]# tail -f /var/log/messages
... output omitted ...
[root@greg ~]# tail -f /var/log/audit/audit.log
... output omitted ...
8. Determine what directory is installed as the chroot:
[root@greg ~]# cat /etc/sysconfig/named
Look for the following output for the location of the chroot directory
ROOTDIR=/var/named/chroot
9. Use the named.caching-nameserver.conf as a starting configuration:
[root@greg ~]# cd /var/named/chroot/etc/
[root@greg etc]# ls
localtime named.caching-nameserver.conf named.rfc1912.zones rndc.key

[root@greg etc]# cp named.caching-nameserver.conf named.conf
10. Test the configuration; any errors are also written to /var/log/messages:
[root@greg etc]# service named configtest
zone localdomain/IN: loaded serial 42
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
zone 255.in-addr.arpa/IN: loaded serial 42
zone 0.in-addr.arpa/IN: loaded serial 42

The above output means our initial config is OK.
11. Start the named service and make it automatically start
[root@greg etc]# service named start ; chkconfig named on
Starting named: [FAILED]

If you get the above output, as I did, use tail -f /var/log/messages to see the error. Here is what I got (the path reads /etc/named.conf because named sees it relative to its chroot, /var/named/chroot):
Jul 18 06:50:20 greg named[3874]: loading configuration from '/etc/named.conf'
Jul 18 06:50:20 greg named[3874]: none:0: open: /etc/named.conf: permission denied
Jul 18 06:50:20 greg named[3874]: loading configuration: permission denied
Jul 18 06:50:20 greg named[3874]: exiting (due to fatal error)

12. The configtest in step 10 succeeded because it ran as root; the service itself runs as user named, which has no permission to read the configuration:
[root@greg etc]# ls -l /var/named/chroot/etc/named.conf
-rw-r----- 1 root root 1100 Jul 18 06:46 /var/named/chroot/etc/named.conf

13. Give group named read access (keep the file unreadable to others; it can carry key material such as the rndc key):
[root@greg etc]# chgrp named /var/named/chroot/etc/named.conf
[root@greg etc]# ls -l /var/named/chroot/etc/named.conf
-rw-r----- 1 root named 1100 Jul 18 06:46 /var/named/chroot/etc/named.conf

14. Now the name server starts:
[root@greg etc]# service named start ; chkconfig named on
Starting named: [ OK ]

Check the log as well; there should be no errors.
15. Try dig or nslookup on a site such as www.google.com, but first edit /etc/resolv.conf so name resolution points to localhost (nameserver 127.0.0.1):
[root@greg etc]# nslookup www.google.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 209.85.175.99
Name: www.l.google.com
Address: 209.85.175.104
Name: www.l.google.com
Address: 209.85.175.147
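The failure in steps 11 to 13 comes down to one question: can the named user read every file under the chroot's etc directory? As an added example with the editor's own logic (not part of the BIND packages or the original post), here are two shell functions that answer it the way the kernel does, from the owner, group and other read bits of an ls -l mode string, so the check can run before "service named start" instead of after it fails. The file it creates is a constructed stand-in for named.conf.

```shell
#!/bin/sh
# configtest runs as root, named runs as user "named": apply the same
# owner / group / other read check the kernel applies, ahead of time.
# Added example (editor's own logic); not part of the BIND packages.

# readable MODE OWNER GROUP USER USERGROUP
#   -> 0 if USER (primary group USERGROUP) may read a file whose ls -l
#      mode string is MODE (e.g. "-rw-r-----"); root always may
readable() {
    mode="$1"; owner="$2"; group="$3"; user="$4"; ugroup="$5"
    [ "$user" = root ] && return 0          # root bypasses DAC (SELinux aside)
    if [ "$user" = "$owner" ]; then
        bit=$(printf '%s' "$mode" | cut -c2)   # owner read bit
    elif [ "$ugroup" = "$group" ]; then
        bit=$(printf '%s' "$mode" | cut -c5)   # group read bit
    else
        bit=$(printf '%s' "$mode" | cut -c8)   # other read bit
    fi
    [ "$bit" = r ]
}

# unreadable_files DIR USER USERGROUP
#   -> lists the regular files in DIR that USER cannot read; returns 1 if any
unreadable_files() {
    dir="$1"; user="$2"; ugroup="$3"; bad=""
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(ls -ld "$f")            # $1 mode, $3 owner, $4 group
        readable "$1" "$3" "$4" "$user" "$ugroup" || bad="$bad$f
"
    done
    printf '%s' "$bad"
    [ -z "$bad" ]
}

TMP=$(mktemp -d)
printf 'options { directory "/var/named"; };\n' > "$TMP/named.conf"   # constructed stand-in
chmod 640 "$TMP/named.conf"        # the -rw-r----- state from the log above
readable "-rw-r-----" root root named named  || echo "root:root 0640 is unreadable to named"
readable "-rw-r-----" root named named named && echo "after chgrp named it is readable"
if unreadable_files "$TMP" named named; then
    echo "all files readable by named"
else
    echo "^ fix these before starting named"
fi
rm -r "$TMP"
```

On the real server run unreadable_files /var/named/chroot/etc named named; the fix for each listed file is chgrp named plus g+r, not o+r, since zone and key files should not be world-readable.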

Friday, July 11, 2008

How to Configure Kernel Persistently

The behaviour of the Linux kernel can be adjusted at run time through kernel parameters. Here are some examples:

1. To list all parameters and their current values, use the sysctl command:
# sysctl -a

2. To set a parameter, for example IP packet forwarding (the default is net.ipv4.ip_forward = 0; leave it at 0 on a stand-alone server, since 1 makes the box route packets between networks). Note there are no spaces around the equals sign:
# sysctl -w net.ipv4.ip_forward=1
or
# echo 1 > /proc/sys/net/ipv4/ip_forward

3. Both commands take effect immediately but are lost at reboot. To make the setting permanent, add the parameter to /etc/sysctl.conf (net.ipv4.ip_forward = 1), then load the file into the running kernel with:
# sysctl -p
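Editing /etc/sysctl.conf by hand tends to leave two lines for the same key, and only the last one wins when sysctl -p runs. As an added example (not from the original post and not part of procps), here is a POSIX shell helper that replaces an existing key or appends it, so the file never holds duplicates, plus a reader to confirm what the file will set. It works on a constructed copy; point it at /etc/sysctl.conf only after trying it there.

```shell
#!/bin/sh
# Persist a sysctl setting without duplicate or conflicting lines.
# Added example, not from the original post; edits the file you name.

# persist_sysctl CONF KEY VALUE -- replace any existing KEY line, else append
persist_sysctl() {
    conf="$1"; key="$2"; val="$3"
    tmp="$conf.$$"
    # escape the dots so the key is matched literally, not as a regex
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    if [ -f "$conf" ]; then
        grep -v -- "^[[:space:]]*$pat[[:space:]]*=" "$conf" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf '%s = %s\n' "$key" "$val" >> "$tmp"
    mv "$tmp" "$conf"
}

# conf_value CONF KEY -- print the value the file sets for KEY (empty if none)
conf_value() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

TMP=$(mktemp -d)
CONF="$TMP/sysctl.conf"
# constructed starting file, as an installer might have left it
printf 'net.ipv4.ip_forward = 1\nkernel.sysrq = 0\n' > "$CONF"
persist_sysctl "$CONF" net.ipv4.ip_forward 0    # a stand-alone server should not route
persist_sysctl "$CONF" net.ipv4.ip_forward 0    # second call changes nothing
cat "$CONF"
echo "ip_forward will be: $(conf_value "$CONF" net.ipv4.ip_forward)"
rm -r "$TMP"
```

After writing the real file, sysctl -p /etc/sysctl.conf loads it, and sysctl net.ipv4.ip_forward shows the value the kernel now holds.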

Monday, July 7, 2008

Some Caveats Regarding BIOS and Boot Loader

1. The default boot loader is GRUB, and the first part of it is installed in the MBR of the default drive. Normally, the BIOS should automatically start the boot loader, with a message similar to:

Booting Red Hat Enterprise Linux Server (2.6.18-8.el5) in 5 seconds...

2. On an older PC the BIOS cannot read beyond the first 1024 cylinders of the disk, so it cannot find the boot loader unless the loader lies within them. That is why /boot is normally created as a small primary partition at the start of the disk.

3. The workaround for this problem is logical block addressing, also known as LBA mode. In LBA mode the BIOS reads "logical" values for cylinder, head and sector, which lets it "see" a larger disk drive.

For multiple hard drives, here are the caveats:
a. For IDE (PATA) hard drives, the /boot directory must be on a hard drive attached to the primary IDE controller.
b. For all SCSI hard drives, the /boot directory must be located on a hard drive with SCSI ID 0 or ID 1.
c. For a mix of hard drives, the /boot directory must be located on either the first IDE drive or a SCSI drive with ID 0.