g00rkha's RedHat Certified Engineer Preparation and Ubuntu Tutorials

How to create ISO image from your Harddisk, CD or DVD

2008-09-20T08:01:00.000-07:00

Sometimes we want to do back up from our CD/DVD even files from our harddrive

Here are the how-to's:
dd if=/dev/dvd of=dvd.iso (if you want to back up from DVD)
dd if=/dev/cdrom of=cd.iso (if you back up from CDROM)
dd if=/dev/scd0 of=cd.iso (if you back up from SCSI CDROM)
mkisofs -o /tmp/cd.iso /tmp/backup/ (to make an ISO image from files on your hard drive)

Install Ubuntu 8.04.1 Hardy on ACER 4530 with Mac4Lin Leopard Desktop

2008-09-19T20:27:00.001-07:00

Here are the captured screen of my laptop just installed Ubuntu 8.04.1 Hardy and tweaked to resemble Mac Leopard Desktop.

Acer 4530 is a great notebook with a good price comes with great graphic controller card GeForce 9100m G. However, you have to install the nvidia driver in order to get the 1280x800 resolution.

Currently, after recompile kernel using 2.6.26.5, I still cannot get the sound and wireless works even they're detected.

Here is for sound using ALSA taken from dmesg:
ALSA sound/pci/hda/hda_codec.c:728: hda_codec_cleanup_stream: NID=0x2 ALSA sound/pci/hda/hda_codec.c:728: hda_codec_cleanup_stream: NID=0x3

For wireless card here is what I've got from ifconfig, however, somehow, I just cannot connect
to my Access Point.

nprasetio@student1:~$ iwconfig
lo no wireless extensions.

eth0 no wireless extensions.

wmaster0 no wireless extensions.

wlan0 IEEE 802.11 ESSID:""
Mode:Managed Frequency:2.412 GHz Access Point: Not-Associated
Tx-Power=27 dBm
Retry min limit:7 RTS thr:off Fragment thr=2352 B
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

Here are the great links to follow in order to tweak your ACER 4530 to resemble Mac.

Recompiling Kernel To Detect Wireless Card, Sound and Other Cool Features

Turning your ACER 4530 to Mac OSX Leopard

Secure Shell: SSH

2008-07-31T01:59:00.000-07:00

The ability to authenticate with ssh keys, is the most powerful feature of SSH. As a result, the user has to produce a key pair and key in the so called public key into the ~/.ssh/authorized_keys file on the server. Basically, the key is protected by a password and controlled by the ssh-agent. Nevertheless if the key is utilized for automating task it must not include a password.

[georgia@georgia ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/georgia/.ssh/id_rsa):
Created directory '/home/georgia/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/georgia/.ssh/id_rsa.
Your public key has been saved in /home/georgia/.ssh/id_rsa.pub.
The key fingerprint is:
67:5a:60:ac:70:95:18:8d:02:1b:e1:c2:da:5c:88:81 georgia@georgia.rhce.test

[georgia@georgia ~]$ cat ~/.ssh/id_rsa.pub | ssh georgia@greg.rhce.test 'cat >>.ssh/authorized_keys'
Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Kernel \r on an \m
georgia@greg.rhce.test's password:

Now, check your configuration by do the following:

[georgia@georgia ~]$ ssh georgia@greg.rhce.test
Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Kernel \r on an \m
georgia@greg.rhce.test's password:
Last login: Thu Jul 31 16:23:42 2008

It should work as above.

Basic IPv4 Firewall Using iptables

2008-07-18T17:45:00.000-07:00

Scenario: somebody wants to harden his/her stand-alone server using linux built-in firewall application: iptables. The server only has one NIC.

Here are the steps:
1. Create a custom chain named HOME-RULES and insert a rule on top of INPUT that will jump all packets to it. Remember, to save the firewall configuration when you're finished.
[root@greg ~]# iptables -N HOME-RULES
[root@greg ~]# iptables -A INPUT -j HOME-RULES
[root@greg ~]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@greg ~]# less /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Sat Jul 19 07:29:26 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CLASS-RULES - [0:0]
-A INPUT -j HOME-RULES
COMMIT
# Completed on Sat Jul 19 07:29:26 2008

2. In this tutorial, I am going to show you how to populate the HOME-RULES chain by directly editing /etc/sysconfig/iptables. (Note: I assume you understand how to use vim to edit files).
[root@greg ~]# vim /etc/sysconfig/iptables
Insert the following text below the -A INPUT lines.
-A HOME-RULES -i lo -j ACCEPT --> accepts all traffic on the loopback interface (lo)
-A HOME-RULES -p icmp -j ACCEPT --> accepts ping from other host
-A HOME-RULES -m state --state ESTABLISHED,RELATED -j ACCEPT --> enable stateful replies
-A HOME-RULES -p tcp --dport 22 -j ACCEPT --> accepts packets destined for tcp port 22 (ssh)/accepts other host to ssh to the server
-A HOME-RULES -m state --state NEW -p udp --dport 514 -j ACCEPT --> accepts packets with the NEW state destined for udp port 514 (syslog)
-A HOME-RULES -j LOG --> log all packets not matched by one of the above rules
-A HOME-RULES -j REJECT --> rejects all packets not matched by one of the above rules

3. Save the new configuration.
4. Load the new rules.
[root@greg ~]# service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]
5. You're all set.

Installing a Simplistic DNS Server Using BIND

2008-07-17T16:05:00.000-07:00

1. Install the required packages (please ignore the warning of a missing named.conf as this one is expected)

bind, bind-utils, bind-chroot, caching-nameserver

[root@greg ~]# yum -y install bind bind-utils bind-chroot caching-nameserver
... output omitted ...
2. Turn the iptables
[root@greg ~]# service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]
3. Enforcing the selinux
[root@greg ~]# vim /etc/selinux/config
Make sure the following line appears in your configuration
SELINUX=enforcing
4. Inspect what ports are usually used for domain name servers:
[root@greg ~]# grep domain /etc/services
domain 53/tcp # name-domain server
domain 53/udp
domaintime 9909/tcp # domaintime
domaintime 9909/udp # domaintime
5. Inspect if named affected by libwrapped. The result is supposed to be no result.
[root@greg ~]# ldd $(which named) | grep libwrap
6. Review the configuration at /etc/named.caching-nameserver.conf to see the default access control options. Pay attention to the listen on and allow-query directives. And if you forget a directive such as "allow", please go find in man 5 named.conf.
7. Prepare for a minimal configuration to meet the access requirements. First run the following commands to track the system messages when restarting a service after you change a configuration.
[root@greg ~]# tail -f /var/log/messages
... output omitted ...
[root@greg ~]# tail -f /var/log/audit/audit.log
... output omitted ...
8. Determine what directory is installed as the chroot:
[root@greg ~]# cat /etc/sysconfig/named
Look for the following output for the location of the chroot directory
ROOTDIR=/var/named/chroot
9. Use the named.caching-nameserver.conf as a starting configuration:
[root@greg ~]# cd /var/named/chroot/etc/
[root@greg etc]# ls
localtime named.caching-nameserver.conf named.rfc1912.zones rndc.key
[root@greg etc]# cp named.caching-nameserver.conf named.conf
10. Test the current configuration, check for the errors in the configuration in /var/log/messages:
[root@greg etc]# service named configtest
zone localdomain/IN: loaded serial 42
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
zone 255.in-addr.arpa/IN: loaded serial 42
zone 0.in-addr.arpa/IN: loaded serial 42
The above output means our initial config is OK.
11. Start the named service and make it automatically start
[root@greg etc]# service named start ; chkconfig named on
Starting named: [FAILED]
If you had the above output as mine, use tail -f /var/log/messages to see the message ERROR. Here is what I got from my screen:
Jul 18 06:50:20 greg named[3874]: loading configuration from '/etc/named.conf'
Jul 18 06:50:20 greg named[3874]: none:0: open: /etc/named.conf: permission denied
Jul 18 06:50:20 greg named[3874]: loading configuration: permission denied
Jul 18 06:50:20 greg named[3874]: exiting (due to fatal error)
19. It means the named service does not have a permission to load the configuration.
[root@greg etc]# ls -l /var/named/chroot/etc/named.conf
-rw-r----- 1 root root 1100 Jul 18 06:46 /var/named/chroot/etc/named.conf
20. Run this command
[root@greg etc]# chgrp named /var/named/chroot/etc/named.conf
[root@greg etc]# ls -l /var/named/chroot/etc/named.conf
-rw-r----- 1 root named 1100 Jul 18 06:46 /var/named/chroot/etc/named.conf
21. There you go the nameserver is running.
[root@greg etc]# service named start ; chkconfig named on
Starting named: [ OK ]
Check the log as well, supposed to be no error.
22. Try to use dig or nslookup for querying site like www.google.com, but remember to edit /etc/resolv.conf so for name server resolution it points to localhost.
[root@greg etc]# nslookup www.google.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 209.85.175.99
Name: www.l.google.com
Address: 209.85.175.104
Name: www.l.google.com
Address: 209.85.175.147

How to Configure Kernel Persistently

2008-07-11T00:24:00.000-07:00

To adjust the functioning of the Linux Kernel, there are parameters in kernel that can provide such a mechanism. The followings are some of the example:

1. To list all of the parameters and their values, we can use sysctl command and set kernel parameters:
# sysctl -a

2. To set a parameter, to control IP packet forwarding, default setting is net.ipv4.ip_forward = 0
# sysctl -w net.ipv4.ip_forward = 1
or
# echo 1 > /proc/sys/net/ipv4/ip_forward

3. We need to change the parameter to /etc/sysctl.conf in order to make this setting permanent otherwise after we restart the change will be gone. After we finished setting up, we need to synchronize the new config file with the kernel with the following command:
# sysctl -p

Some Caveats Regarding BIOS and Boot Loader

2008-07-07T23:52:00.000-07:00

1. The default boot loader is GRUB, and the first part of it is installed in the MBR of the default drive. Normally, the BIOS should automatically start the boot loader, with a message similar to:

Booting Red Hat Enterprise Linux Server (2.6.18-8.el5) in 5 seconds...

2. For an older PC, unless it's located within the first 1024 cylinders of the hard disk, the BIOS can't find your boot loader that is why the /boot partition installed is normally a primary partition.

3. The workaround for this problem is using logical block addressing, which is also recognized as LBA mode.
LBA mode reads "logical" values for the cylinder, head, and sector, which allows the BIOS to "see" a larger disk drive.

For multiple hard drives:
Here is the caveat:
a. For IDE (PATA) hard drives, the /boot directory must be on a hard drive attached to the primary IDE controller.
b. For all SCSI hard drives, the /boot directory must be located on a hard drive with SCSI ID 0 or ID 1.
c. For a mix of hard drives, the /boot directory must be located on either the first IDE drive or a SCSI drive with ID 0.

The Fundamentals of the Boot Process

2008-07-07T23:34:00.000-07:00

Many people ignore learning about this process, including me as well. When I started learning Linux at the first time, I did not care that this boot process is very important especially for troubleshooting Linux server; in case, the grub is corrupt or forgotten password. Normally, the shortcut will be erasing or formatting the whole hard disk and start installing all over again.

Steps of Boot Process:

1. If your CentOS or RHEL is properly installed, the BIOS points to the GRUB boot loader.
Most of the time, GRUB boot loader is located in the appropriate master boot record (MBR).
2. Then the next step is GRUB points to and initializes the Linux kernel.
3. Starting init as the first Linux process.
4. The init process then initializes the system and moves into appropriate runlevels.
5. When Linux boots into a specific runlevel, it starts a series of services.
6. The good news is we can customize this process.

Installing and Configuring Chrooted VSFTPD in CentOS 5.0 or RHEL 5.0

2008-07-07T02:19:00.000-07:00

Setting vsftpd is not hard but not easy either, if you want to make it secure. Here is some of my notes:

1. Install vsftpd
# yum install vsftpd
2. Start the service
# /etc/init.d/vsftpd start or # service vsftpd start
3. Edit the vsftpd.conf
# vim /etc/vsftpd/vsftpd.conf
4. Uncomment the following directives:
chroot_local_user=YES - to chroot local user
passwd_chroot_enable=YES - prompt the password for the local user
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list - users in this list will be non-chrooted so be careful

Creating Local Repo for RHEL 5.0 or CentOS 5.0

2008-07-07T01:43:00.001-07:00

Dependencies is very troublesome when we use rpm to install packages. Sometimes, it becomes never ending loop until we give up. Packages like dovecot, httpd and so forth are the best installed using yum commands, while installing local repo itself is quite tricky job.
In this post, I try to explain as short and brief as I can:

1. Copy the whole content of the DVD or CDs that you have to folder /var/ftp/pub. In this case we are going to create repo using ftp.
Do this command to copy:
# mount /mnt/cdrom /media/CentOS
# cp -af /media/CentOS/* /var/ftp/pub

2. After you've done copying all of those files (please, note to answer yes when it asked about replacing some files), install createrepo .rpm
# rpm -ivh /var/ftp/pub/createrepo*.rpm

3. After you install createrepo then run this command
# createrepo -v /var/ftp/pub

4. To enable useful yum commands, please, check my previous post like:
yum -y groupinstall "MySQL Database" and so forth, you have to run the following command
# cp /var/ftp/pub/Server/repodata/comps*.xml /tmp
# createrepo -g /tmp/comps*.xml /var/ftp/pub

5. Done and remember to reboot the server.

6. On your client machine please, create a repo file (for example: server1.repo)

7. Here is the content of server1.repo

# Main server
[base]
name=Server1 Server Repository # This could be anything
baseurl=ftp://192.168.0.91/pub/Server # This is the IP address of our ftp server
enabled=1
gpgcheck=0 # Just make it zero if you haven't or don't want to import the GPG key

8. Copy the file server1.repo to your client machine folder under /etc/yum.repos.d/
if you did right the following is the output after you run: yum grouplist

Loading "security" plugin
Loading "rhnplugin" plugin
Setting up Group Process
Installed Groups:
Office/Productivity
MySQL Database
Editors
System Tools
Text-based Internet
Legacy Network Server
DNS Name Server
GNOME Desktop Environment
FTP Server
Network Servers
Windows File Server
X Window System
Web Server
................................................
................................................

Using FTP in the Safe Way

2008-07-07T00:34:00.000-07:00

a. Using ssh to do port forwarding.
b. Using the following command means that:
c. You are connecting to computer benjamin using ssh, with account username using local port 1234 to connect to port 21 (ftp) at computer abigail.

benjamin$ ssh -l username -g -L1234:abigail:21 benjamin

d. You’ll be asked by the password of username.
e. Then, you need to open another terminal to do ftp session to abigail using the following command

benjamin$ ftp benjamin 1234

Note:
You seem like opening ftp session to your own computer (benjamin); however, what happens is that you are opening a session to port 1234 on benjamin (your computer) which then using its ssh program now forwarding on to abigail. But this time, this forwarded connection is encrypted.

Using scp To Safely Transfer File

2008-03-08T17:02:00.000-08:00

scp is safer compared to rcp, as it encrypts the whole file. However, it will cause a considerable load on the server.
Scp functions pretty much like cp command used for copying files.

Here is the format for scp command:

$ scp user@source.hostname:source_filename user@destination.hostname:dest_dir/dest_filename

Most of the time, there’s no need to put the hostname if you’re copying the local file.

$ scp source_filename user@destination.hostname:dest_dir/dest_filename

There is also no need to put user@, if the source and the destination is the same machine.

Some more examples:

You are logged into abigail and transferring a file from benjamin to abigail. You’re in your home directory in abigail, the file.dat is the filename.

abigail$ scp username@benjamin.hostname:file.dat .

Transferring file.dat in your current directory on benjamin to abigail in the data directory and not changing the name of the file.

benjamin$ scp file.dat username@abigail.hostname:data/

The following is the same of above but changing the file.dat name at the destination directory

benjamin$ scp file.dat username@abigail.hostname:data/

You’ll be asked for your password, like you’re logging in to the remote machine. The tranfer will run right after the correct password keyed-in.

Some Useful Yum Commands

2008-03-06T20:02:00.000-08:00

The yum utility keeps downloaded data files and packages for reuse. You may copy packages from the repository cache directories under /var/cache/yum/, and use them elsewhere if you wish. If you remove a package from the cache, you do not affect the copy of the software installed on your system.

To install the package tsclient, enter the command:
su -c 'yum install tsclient'

To install the package group MySQL Database, enter the command:
su -c 'yum groupinstall "MySQL Database"'

To remove the tsclient package from your system, use the command
su -c 'yum remove tsclient'

To remove all of the packages in the package group MySQL Database, enter the command:

su -c 'yum groupremove "MySQL Database"'

Using vipw for Creating A New User

2008-02-26T16:47:00.000-08:00

Creating a new user by editing the /etc/passwd file with the vi text editor.
This exercise assists you to verify skills of using vi at the command line interface, while there are other ways to create new Linux users.

[root@ephraim Desktop]# useradd test

[root@ephraim Desktop]# mkdir -p /home/np

[root@ephraim Desktop]# ls /home
nicop np nprasetio test

[root@ephraim Desktop]# cd /etc/skel

[root@ephraim skel]# cp .bash_logout .bash_profile .bashrc /home/np

[root@ephraim skel]# ls -la
total 48
drwxr-xr-x 2 root root 4096 Feb 22 05:17 .
drwxr-xr-x 97 root root 12288 Feb 27 07:56 ..
-rw-r--r-- 1 root root 24 Jan 6 2007 .bash_logout
-rw-r--r-- 1 root root 176 Jan 6 2007 .bash_profile
-rw-r--r-- 1 root root 124 Jan 6 2007 .bashrc

[root@ephraim skel]# vipw
nprasetio:x:500:500:Nico Prasetio:/home/nprasetio:/bin/bash
nicop:x:502:502::/home/nicop:/bin/bash
test:x:504:504::/home/test:/bin/bash

Move your cursor and use x to delete test and change to np, also UID and GID (504) change to 505. Use i for adding or typing new character. Change /home/test to /home/np. After finished type :wq to save. You will have this warning "Would you like to edit /etc/shadow now [y/n]?" type y. Then change the test to np as well in /etc/shadow, otherwise you will get this warning "passwd: Authentication token manipulation error"

Last part ;-)
[root@ephraim skel]# passwd np
Changing password for user np.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

Last check:
[root@ephraim skel]# su - nicop
[nicop@ephraim ~]$

Done. You're successfully demonstrated how to use vi to edit /etc/passwd.