Posts Tagged 'Linux'

November 15, 2011

UNIX Sysadmin Boot Camp: User Management

Now that you're an expert when it comes to bash, logs, SSH, and passwords, you're probably foaming at the mouth to learn some new skills. While I can't equip you with the "nunchuck skills" or "bowhunting skills" Napoleon Dynamite reveres, I can help you learn some more important — though admittedly less exotic — user management skills in UNIX.

Root User

The root user — also known as the "super user" — has absolute control over everything on the server. Nothing is held back, nothing is restricted, and anything can be done. Only the server administrator should have this kind of access to the server, and you can see why. The root user is effectively the server's master, and the server accordingly will acquiesce to its commands.

Broad root access should be avoided for the sake of security. If a program or service needs extensive abilities that are generally reserved for the root user, it's best to grant those abilities on a narrow, as-needed basis.

Creating New Users

Because the Sysadmin Boot Camp series is geared toward server administration from a command-line point of view, that's where we'll be playing today. Tasks like user creation can be performed fairly easily in a control panel environment, but it's always a good idea to know the down-and-dirty methods as a backup.

The useradd command adds users from the shell. Let's start with an example and dissect the pieces:

useradd -c "admin" -d /home/username -g users -G admin,helpdesk -s /bin/bash userid

-c "admin" – This option attaches a comment to the user we're creating. The comment here is "admin," which helps differentiate the account when you look through the user list later.
-d /home/username – This sets the user's home directory. The most common approach is to replace username with the username given at the end of the command. Note that -d only records the path; add -m if you want useradd to create the directory as well.
-g users – Here we're setting the primary group for the new user, which will be users.
-G admin,helpdesk – This lists the supplementary groups the new user will also belong to.
-s /bin/bash userid – Two pieces: -s /bin/bash sets the new user's login shell, and the final argument, userid, is the new user's username.

Changing Passwords

Root is the only user that can change other users' passwords. The command to do this is:

passwd userid

If you are a user and want to change your own password, you would simply issue the passwd command by itself. When you execute the command, you will be prompted for a new entry. This command can also be executed by the root user to change the root password.

Deleting Users

The command for removing users is userdel, and if we were to execute the command, it might look like this:

userdel -r username

The -r flag is optional. If you include it, the command also removes the user's home directory and mail spool along with the account.

Where User Information is Stored

The /etc/passwd file lists every account on the system, one per line. If you want to look through the file one page at a time — the way you'd use /p in Windows — you can use the more command:

more /etc/passwd

Keep in mind that most of your important configuration files are going to be located in the /etc folder, commonly spoken with an "et-see" pronunciation for short. Each line in the passwd file has information on a single user. Arguments are segmented with colons, as seen in the example below:

username:password:12345:12345::/home/username:/bin/bash

Argument 1 – username – the user's login name
Argument 2 – password – the password field. On any modern system this holds an "x" placeholder; the actual hash lives in /etc/shadow, which only root can read
Argument 3 – 12345 – the user's numeric ID (UID). UID 0 is root, so any other account with a 0 here has root privileges
Argument 4 – 12345 – the numeric ID of the user's primary group (GID)
Argument 5 – "" – the comment field, where a description or the user's full name would go (this is what useradd -c fills in)
Argument 6 - /home/username – the user's home directory
Argument 7 - /bin/bash – the user's login shell
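Because the fields above are colon-separated and fixed in order, a few lines of awk are enough to audit a passwd file for the things that matter most to a server admin: a second UID 0 account, an empty password field (which means login with no password at all), and a system account that has been given an interactive shell. The script below is an added example, not part of Ryan's original post; the passwd lines it checks are constructed for the demo and do not come from any real server.

```shell
#!/bin/sh
# Added example: audit passwd-format text for risky accounts.
# The lines below are constructed sample data, not a real /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
username:x:1000:1000::/home/username:/bin/bash
backdoor:x:0:1001:admin:/home/backdoor:/bin/bash
legacy::1002:1002:old app:/home/legacy:/bin/sh
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# Read passwd-format text on stdin; print one finding per line:
#   MALFORMED <line>  wrong number of fields
#   UID0 <user>       root-equivalent account that is not named root
#   NOPASS <user>     empty password field (no password required)
#   SYSSHELL <user>   system account (UID < 1000) with a login shell
audit_passwd() {
  awk -F: '
    NF != 7                        { printf "MALFORMED %s\n", $0; next }
    $3 + 0 == 0 && $1 != "root"    { printf "UID0 %s\n", $1 }
    $2 == ""                       { printf "NOPASS %s\n", $1 }
    $3 + 0 != 0 && $3 + 0 < 1000 && $7 !~ /(nologin|false)$/ {
                                     printf "SYSSHELL %s\n", $1 }
  '
}

# Run the audit over the embedded sample.
audit_sample() {
  printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
}

audit_sample

# On a real box you would run:  audit_passwd < /etc/passwd
```

The UID 0 check is the one to run first after any suspected compromise: adding a second root-equivalent user is one of the oldest persistence tricks, and it is invisible to anyone who only looks at the username.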

Now that you've gotten a crash course on user management, we'll start going deeper into group management, more detailed permissions management and the way the shadow file relates to the passwd usage discussed above.

-Ryan

November 14, 2011

My Road to LPIC-1 Certification

I've been a Linux user for many years, but for various reasons I never bothered to get a certification even though it's a fantastic validation of Linux skills. When I moved up in the world by joining SoftLayer, my attitude quickly changed.

As a new Systems Administrator at SoftLayer, one of the first challenges I was presented with was to try for my LPIC-1 certification. True to SoftLayer's motto of "Challenging, but not Overwhelming," I was given 3 months, a practice environment and reimbursement for my fees if I passed the tests. With an offer like that, it was impossible to refuse.

The LPIC-1 tests are not easy, and it took a lot of work to pass them, but if you're interested, all you need to succeed is a solid background in Linux and the time to dedicate to preparation. Here are some of the things I learned along the way:

  1. Don't attempt the LPIC-1 exam unless you have at least a couple of years' worth of hands-on Linux experience. Seriously, it's not for newbies.
  2. Acquire at least two test-prep books, and read one of them every day. I used O'Reilly's LPIC-1 Certification in a Nutshell and LPIC-1 In Depth by Michael Jang. Both are easy to read, have good explanations of concepts you need to understand, and provide valuable tips in addition to practice exams.
  3. Set up a practice environment. It's essential for reviewing commands you may not be familiar with.
  4. When you think you are ready for the first exam, take a few free practice tests online. There are a number of them available.
  5. I didn't buy any test-prep software, but I did download a couple of trial versions as they offered some free practice questions.
  6. Take all of the practice exams available to you several times each. You'll get more comfortable with the format of the test questions and will also learn which areas you need to revisit before the actual test.

After earning the LPIC-1 certification I received a nice surprise in my mailbox along with my certificate. Apparently Novell and the Linux Professional Institute have a partnership: By earning the LPIC-1 I had also satisfied the requirements for Novell's Certified Linux Administrator (CLA) certification, so now I can enjoy the benefits of having two IT certifications for the price of one and I have SoftLayer to thank for it!

-Todd

November 11, 2011

UNIX Sysadmin Boot Camp: Passwords

It's been a while since our last UNIX Sysadmin Boot Camp ... Are you still with me? Have you kept up with your sysadmin exercises? Are you starting to get comfortable with SSH, bash and your logs? Good. Now I have an important message for you:

Your password isn't good enough.

Yeah, that's a pretty general statement, but it's shocking how many people are perfectly fine with a six- or eight-character password made up of lowercase letters. Your approach to server passwords should be twofold: Stick with it and Be organized.

Remembering a 21-character password like ^@#*!sgsDAtg5t#ghb%!^ may seem daunting, but you really don't have to remember it. For a server, secure passwords are just as vital as any other form of security. You need to get in the habit of documenting every username and password you use and what they apply to. For the sake of everything holy, keep that information in a safe place. Folding it up and shoving it in your socks is not advised (See: blisters).
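To put numbers on the difference between the eight-lowercase-letter password and the 21-character one, here is an added example (not part of Ryan's original post) that generates a random password from /dev/urandom and estimates its strength in bits as length × log2(alphabet size). The 70-character symbol set is my choice for the demo, not a SoftLayer policy.

```shell
#!/bin/sh
# Added example: random password generation plus a strength estimate.

# Symbol set for gen_password, in tr range syntax:
# 26 upper + 26 lower + 10 digits + 8 punctuation = 70 distinct characters.
PW_CHARSET='A-Za-z0-9!@#%^*_-'
PW_CHARSET_SIZE=70

# Print a random password of length $1 drawn uniformly from PW_CHARSET.
gen_password() {
  LC_ALL=C tr -dc "$PW_CHARSET" < /dev/urandom | head -c "$1"
  printf '\n'
}

# Print the whole number of bits of entropy for a password of length $1
# chosen from an alphabet of $2 symbols: $1 * log2($2).
password_bits() {
  awk -v n="$1" -v k="$2" 'BEGIN { printf "%d\n", n * log(k) / log(2) }'
}

echo "8 lowercase letters:  $(password_bits 8 26) bits"
echo "21 mixed characters:  $(password_bits 21 "$PW_CHARSET_SIZE") bits"
echo "example password:     $(gen_password 21)"
```

Eight lowercase letters come out at 37 bits; the 21-character mix is around 128. That gap, not the inconvenience of typing it, is the reason to generate the password and store it somewhere safe rather than pick something memorable.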

Want to make your approach to password security even better? Change your passwords every few months, and make sure you and at least one other trusted colleague or friend know where to find them. You're dealing with sensitive material, but you can never guarantee that you will be available to respond to a server-based emergency. In these cases, your friends and co-workers end up scrambling through bookshelves and computer files to find any trace of useful information.

Having been one of the abovementioned co-workers in this situation, I can attest that it is nearly impossible to convince customer service that you are indeed a representative of the company when you have no verification information or passwords to provide.

Coming soon: Now you've got some of the basics, what about the not-so-basics? I'll start drafting some slightly more advanced tips for the slightly more advanced administrator. If you have any topics you'd like us to cover, don't hesitate to let us know in a comment below.

-Ryan

August 29, 2011

UNIX Sysadmin Boot Camp: Your Logs and You

We're a few exercises into UNIX Sysadmin Boot Camp, and if you're keeping up, you've learned about SSH and bash. In those sessions, our focus was to tell the server what we wanted it to do. In this session, we're going to look at the logs of what the server has done.

Logs are like an overbearing mother who sneakily follows her teenage son around and writes down the addresses of each house he visits. When he realizes he lost a really important piece of baseball history at one of those houses, he'll be glad he has that list so he can go desperately search for the soon-to-be-noticed missing bat. Ahem.

MAKE BEST FRIENDS WITH THIS DIRECTORY: /var/log/

When something goes wrong – when there's hitch in the flux capacitor or too many gigawatts in the main reactor – your logs will be there to let you know what's going on, and you can pinpoint the error with educated vengeance. So treat your logs with respect.

One of the best places to start harnessing this logged goodness is /var/log/messages. This file collects general system messages, including network and hardware errors, from services that don't have a log of their own. As you add to and learn your server's command line environment, you'll see specific logs for applications as well, so it's a very good idea to keep a keen eye on these. They just might save your life ... or server.

Some of the most commonly used logs (names vary between Linux distributions):

  • /var/log/messages – General system messages (the file discussed above)
  • /var/log/cron.log – Cron job logs (/var/log/cron on Red Hat-style systems)
  • /var/log/maillog – Mail server logs
  • /var/log/kern.log – Kernel logs
  • /var/log/httpd/ – Apache access and error logs
  • /var/log/boot.log – System boot logs
  • /var/log/mysqld.log – MySQL database server logs
  • /var/log/secure – Authentication and authorization logs on Red Hat-style systems: sshd logins, su, sudo
  • /var/log/auth.log – The same authentication logs on Debian/Ubuntu systems
  • /var/log/qmail/ – Qmail log directory (more files inside this directory)
  • /var/run/utmp and /var/log/wtmp – Binary records of current and past logins; read them with who and last rather than cat
  • /var/log/yum.log – Yum package install and update history
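The authentication log is the first one worth automating a look at, because it records every SSH login attempt against your server. As an added example that is not part of Ryan's original post, the script below pulls "Failed password" events out of auth-log text and counts them per source address; the log lines it runs on are constructed samples in sshd's format (the IPs are from documentation ranges), not output from a real server.

```shell
#!/bin/sh
# Added example: summarize failed SSH logins per source address.
# Constructed sample lines in the format sshd writes to /var/log/secure
# (Red Hat) or /var/log/auth.log (Debian). Not from a real system.
SAMPLE_AUTH='Nov 11 03:12:01 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Nov 11 03:12:04 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Nov 11 03:12:09 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51030 ssh2
Nov 11 03:15:44 web1 sshd[2290]: Accepted publickey for ryan from 198.51.100.20 port 40122 ssh2
Nov 11 03:16:02 web1 sshd[2301]: Failed password for ryan from 198.51.100.20 port 40130 ssh2
Nov 11 03:20:17 web1 sudo:     ryan : TTY=pts/0 ; PWD=/home/ryan ; USER=root ; COMMAND=/bin/tail /var/log/secure'

# Read auth-log text on stdin; print "count ip" for each source that
# produced a "Failed password" line, busiest source first.
failed_ssh_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password/ {
         # the address is the field after the word "from"
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
       }
       END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# Report sources with at least $1 failures, using the embedded sample.
ssh_bruteforce_report() {
  printf '%s\n' "$SAMPLE_AUTH" | failed_ssh_by_ip | awk -v t="$1" '$1 + 0 >= t + 0'
}

ssh_bruteforce_report 3

# On a real box:  failed_ssh_by_ip < /var/log/secure
```

Three failures from one address in eight seconds, two of them against a username that does not exist, is the signature of a password-guessing bot; one failure from the address your colleague normally logs in from is a typo. The per-source count is what lets you tell them apart before deciding whether to block anything.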

There are plenty more in-depth logs – particularly involving raw system components – and others that act similarly to logs but are a bit more active like tcpdumps. Those are a little more advanced to interpret, so I'll save them for another guide and another day.

At this point in our UNIX workout series, you're familiar with the command line, you know the basics of how to tell your server what to do and you just learned how to let the server tell you what it's done. There's still a bit of work to be done before you can call yourself a UNIX ninja, but you're well on your way. In our next installment, we're going to take a step back and talk about p455w0rd5.

Keep learning.

-Ryan

January 24, 2011

5 Steps to Start Using IPv6 (not IPv5)

As Kevin mentioned on Friday, we are less than 45 days from "doomsday." The IANA only has about 3% of the resources required to sustain our current way of life. 6.8 billion people with only 4.3 billion addresses in existence. It's the 2012 saga in 2011: The exhaustion of the Internet's available IP version 4 (IPv4) addresses. What are we going to do?!

Luckily, a lot of people have been hard at work to mitigate the impending Internet crisis. IP version 6 (IPv6) is on the horizon and is already supported by most modern internet enabled devices. If you're like me, the fact that we went from IPv4 to IPv6 might make you wonder, "What happened to IPv5?"

The powers that be didn't decide to rid the number system of the number five because of its mixture of curves and right angles, and it wasn't because they only wanted to use round numbers. IP version 5 (IPv5) was a work in progress and part of a family of experimental protocols by the name of ST (Internet Stream Protocol). ST and later ST-II were connection-oriented protocols that were intended to support the efficient delivery of data streams to applications that required guaranteed data throughput.

An ST packet header looks very similar to its IPv4 sibling: both begin with a 4-bit version field. IPv4 puts a 4 in that field, and ST put a 5 there, so "version 5" was already spoken for when the next generation of IP was designed, and it became version 6.

If you've been around the SoftLayer blog for a while, you already know a fair bit about IPv6, but you're probably wondering, "What’s next?" How do you actually start using IPv6 yourself?

1. Get a Block of IPv6 Addresses

Lucky for you, the SoftLayer platform is IPv6 ready, and we're already issuing and routing IPv6 traffic. Obtaining a block of public IPs from us is as easy as logging into the portal, pulling up the hardware page of a server and ordering a /64 block of IPv6 IPs for $4/mo per subnet ($10 if you want a portable subnet)!

For those of you that have ordered IPs from us in the past, IPv4 addresses are usually $0.50-$1.00 each. To get a /64 of public static IPv6 addresses, it's a whopping $0.00 for the entire range. So just how many IPs are in a /64? 256? Try again. 512? Keep going. 1 Million? You're still cold. Let's try 18.4 quintillion, or 2^64. For those that understand scientific notation better, that is 1.84 × 10^19. If you just want to see the number written in long form, it's 18,446,744,073,709,551,616 IP addresses. That allocation should probably tide you over for a little while.

2. Make Sure Your Server is IPv6 Ready

Most current server operating systems are ready to take the IPv6 leap. This includes Windows 2003 SP1 and most Linux OSes with 2.6.x Linux kernels. We'll focus on Windows and RedHat/CentOS here.

To ready your Windows 2003 server for IPv6, do this:

  1. In Control Panel, double-click Network Connections.
  2. Right-click any local area connection, and then click Properties.
  3. Click Install.
  4. In the "Select Network Component Type" dialog box, click Protocol, then Add.
  5. In the "Select Network Protocol" dialog box, click Microsoft TCP/IP version 6, then OK.
  6. Click Close to save changes to your network connection.

Once IPv6 is installed, IIS will automatically support IPv6 on your web server. If a website was running when you installed the IPv6 stack, you must restart the IIS service before the site begins to listen for IPv6 requests. Sites that you create after you enable IPv6 automatically listen for IPv6. Windows 2008 server should have IPv6 enabled by default.

When your Windows server is ready for IPv6, you will add IPv6 addresses to the server just as you'd add IPv4 addresses ... The only difference is you will edit the properties to the Internet Protocol Version 6 (TCP/IPv6) network protocol.

To ready your RedHat/CentOS servers, do this:

  1. Using your favorite editor, edit /etc/sysconfig/network and enable NETWORKING_IPV6 by changing the "no" to a "yes."

    Example:

    NETWORKING=yes
    HOSTNAME=ipv6test.yourdomain.com
    GATEWAY=10.13.40.1
    NETWORKING_IPV6=yes
  2. Next edit /etc/sysconfig/network-scripts/ifcfg-eth1 to add IPv6 parameters.

    Add the following to end of the file:

    IPV6INIT=yes
    IPV6ADDR=YOURIPV6ADDRESS
    IPV6_DEFAULTGW=YOURGATEWAY

    Example:

    IPV6INIT=yes
    IPV6ADDR=2607:f0d0:2001:0000:0000:0000:0000:0010/64
    IPV6_DEFAULTGW=2607:f0d0:2001:0000:0000:0000:0000:0001
  3. Once you have successfully added your assigned IP addresses, you must restart networking with this command:
    [root@ipv6test /]# service network restart

Once you have completed these steps on your respective OS, you should be able to communicate over the IPv6 stack. To test, you can ping ipv6.google.com and see if it works.

3. Bind Your New IPv6 Address to Apache/IIS

Now that you have more IPv6 addresses for your server(s) than what's available to the entire world in IPv4 space, you must bind them to IIS or Apache. This is done similarly to the way you bind IPv4 addresses.

In IIS, all IPs that have been added to the system will now be available for use in the website properties. Within Apache, you will add a few directives to ensure your web server is listening on the IPv6 stack ... which brings us to a very important point when it comes to discussing IPv6. Because the address is full of colons (:), you can't just write out the IP as you would a 32-bit address.

IPv6 addresses must be enclosed in square brackets, otherwise the optional port number cannot be told apart from the last group of the address. To enable Apache to listen to both stacks on separate sockets you will need to add a new "Listen" directive:

Listen [::]:80
Listen 0.0.0.0:80

And for your Virtual Hosts, the configuration will look like this (note the closing tag, which must be </VirtualHost>):

<VirtualHost [2101:db8::a00:200f:fda7:00ea]>
ServerAdmin webmaster@yourdomain.com
DocumentRoot /www/docs/ipv6test.yourdomain.com
ServerName ipv6test.yourdomain.com
ErrorLog logs/ipv6test.yourdomain.com-error_log
TransferLog logs/ipv6test.yourdomain.com-access_log
</VirtualHost>
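Two small helpers tie the notation points above together: expanding a compressed address into the eight-group form used in the ifcfg-eth1 example, and splitting a host:port string the way a web server or browser has to, which is exactly where the square brackets earn their keep. This is an added example and not part of Harold's original post; it uses only POSIX sh and awk, and the addresses passed to it are the ones from the post.

```shell
#!/bin/sh
# Added example: IPv6 address notation helpers.

# Expand "::" and zero-pad every group:
#   2607:f0d0:2001::10 -> 2607:f0d0:2001:0000:0000:0000:0000:0010
expand_ipv6() {
  printf '%s\n' "$1" | awk '
    function pad(g) { while (length(g) < 4) g = "0" g; return tolower(g) }
    {
      n  = split($0, half, "::")                        # at most one "::" is legal
      nl = (half[1] == "") ? 0 : split(half[1], l, ":")  # groups left of "::"
      nr = (n < 2 || half[2] == "") ? 0 : split(half[2], r, ":")  # groups right of it
      miss = (n == 2) ? 8 - nl - nr : 0                 # zero groups "::" stands for
      out = ""
      for (i = 1; i <= nl; i++)   out = out (out == "" ? "" : ":") pad(l[i])
      for (i = 1; i <= miss; i++) out = out (out == "" ? "" : ":") "0000"
      for (i = 1; i <= nr; i++)   out = out (out == "" ? "" : ":") pad(r[i])
      print out
    }'
}

# Split "host:port", "[v6]:port" or "[v6]" into "host port". A bare IPv6
# literal cannot carry a port (every colon is part of the address), so it
# reports "none"; that ambiguity is why the brackets are mandatory.
split_hostport() {
  case $1 in
    \[*\]:*) host=${1%%]*}; host=${host#\[}; port=${1##*]:} ;;
    \[*\])   host=${1#\[};  host=${host%\]}; port="" ;;
    *:*:*)   host=$1; port="" ;;                 # two or more colons: bare IPv6
    *:*)     host=${1%:*}; port=${1##*:} ;;      # hostname or IPv4 with a port
    *)       host=$1; port="" ;;
  esac
  printf '%s %s\n' "$host" "${port:-none}"
}

expand_ipv6 "2607:f0d0:2001::10"
split_hostport "[2607:f0d0:2001::10]:80"
split_hostport "2607:f0d0:2001::10"
split_hostport "ipv6test.yourdomain.com:80"
```

The second split_hostport call is the one to remember: without brackets, "2607:f0d0:2001::10" has no way to say whether the trailing 10 is a port or the last address group, so Apache, curl and every browser require the [ ] form.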

4. Add Addresses to DNS

The final step in getting up and running is to add your new IPv6 addresses to your DNS server. You simply insert an 'AAAA' resource record (aka quad-A record) for your host alongside its existing A record. The DNS server itself does not need to be reachable over IPv6 to serve the record; any server that supports the AAAA record type will do.

5. Test Your Server's IPv6 Accessibility

While your DNS is propagating, you can still test your webserver to see if it responds to the IP you assigned by using square brackets in your browser: http://[2101:db8::a00:200f:fda7:00ea]

This test, of course, will only work if your computer is on an IPv6 network. If you are limited to IPv4, you will need to sign up with a tunnel broker or switch to an ISP that offers IPv6 connectivity.

After about 24 hours, your server and new host should be ready to serve websites on the IPv6 stack.

Good luck!

-Harold

January 11, 2011

Jurassic Park, Uptime, And You!

Some of you may remember in the movie Jurassic Park where the park founder's granddaughter Lex, played by Ariana Richards, sits down at a computer terminal, gasps, and says "This is Unix. I know this!" That particular film moment has always resonated with me as a victory for realistic depiction of computer systems - the interface used in the movie is called fsn and was an actual Unix file manager - in an industry rife with horrific exaggerations; Swordfish, anyone? I'm sure there's an unwritten story as to how she (or her brother if you follow the book) gained her skills at a computer system that in 1993 was almost exclusively relegated to universities. However, I digress.

Shortly before that scene was another scene and catchphrase that should resound with familiarity to system administrators around the world. In the face of marauding dinosaurs and computer sabotage, the character John Arnold, played by Samuel L. Jackson, must sacrifice what I'm sure was an absurd amount of uptime by killing the power and rebooting the mainframe. Would the system come back up? Would everything load up as needed to get the park's systems back online? John's mantra was simple: "Hold on to your butts!"

Every day as a Systems Administrator I'm faced with a comparable (though far less exhilarating) situation. Linux is an extremely stable operating system, and I have logged into systems that have been online for quite literally years. Eventually, though, kernel updates or stray mounts necessitate a reboot. Will the server's filesystems need a check on reboot? Will the server even come back up? When a server's been online for that long, the only way to know is to "throw the switch" and cross your fingers.

One way to have a better idea of how your system will behave during reboots in a production environment is to take the time to update your kernel once a month or so and perform a reboot to make sure the update sticks. This allows routine file system checks to take place as necessary and keeps your system abreast of the latest kernel updates. It also familiarizes you with how long the process takes, what sort of caveats you may run into, and reduces the overall surface area of your server to outside attackers.
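The practical follow-up to "reboot once a month" is knowing whether the kernel you are running is actually the newest one installed; a server that took a kernel update but never rebooted is still running the old, vulnerable code. Here is an added example, not part of Adam's original post, that compares version strings the way a sysadmin does by eye; the version strings are constructed samples in RHEL/CentOS style.

```shell
#!/bin/sh
# Added example: is a newer kernel installed than the one running?

# Return 0 (true) when version $2 is newer than version $1.
# Non-numeric pieces ("-", "el5", "x86_64") are treated as separators, so
# "2.6.18-238.el5" compares as the sequence 2.6.18.238.5.
kernel_newer() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    gsub(/[^0-9.]+/, ".", a); gsub(/[^0-9.]+/, ".", b)
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++)
      if (x[i] + 0 != y[i] + 0) exit !(y[i] + 0 > x[i] + 0)
    exit 1                      # identical versions: nothing newer
  }'
}

# Print "reboot" if any installed kernel ($2...) is newer than the running
# one ($1), else "ok". Accepts bare versions or /boot/vmlinuz-* paths.
reboot_status() {
  running=$1; shift
  status=ok
  for k in "$@"; do
    k=${k##*/vmlinuz-}          # strip a "/boot/vmlinuz-" prefix if present
    if kernel_newer "$running" "$k"; then status=reboot; fi
  done
  echo "$status"
}

# Constructed sample: running 2.6.18-194 with 2.6.18-238 installed.
reboot_status "2.6.18-194.el5" /boot/vmlinuz-2.6.18-194.el5 /boot/vmlinuz-2.6.18-238.el5

# On a real box (output varies):
# reboot_status "$(uname -r)" /boot/vmlinuz-*
```

Run the live form from cron and mail yourself the result; "reboot" showing up for weeks is the condition the Jurassic Park scene is warning about.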

In the last year, I have seen at least two exploits that can give an attacker root access to a server running an outdated kernel using common toolkits that can attack commonly deployed Content Management Systems with trivial effort. Compromising an unprivileged user account gives an attacker even more leverage against unpatched systems. Google CVE-2009-2695 and CVE-2010-3081 if you don't believe me.

If you run a production system or even a backend system that is exposed to the big, bad Internet, it is absolutely essential to make sure that your kernel, software, and security measures are up to date. Today's Slashdot article is tomorrow's exploit.

What lesson can we learn from the unfortunate folks at Jurassic Park? Don't assume your server is safe and don't wait until there are velociraptors roaming your halls looking for a snack to perform proper maintenance on your system.

-Adam

May 29, 2008

Plot Course to Vulcan, Warp Factor 8. Engage!

Resolutely pointing off into the starry void of space on the bridge of the Enterprise, klieg lights gleaming off his majestic dome, Captain Picard causes the Starship Enterprise to leap off on another mission. Once asked how the “warp drive” worked on Star Trek, Patrick Stewart claimed that “I say Engage and we go.” Best explanation of warp drive I’ve ever heard.

I find I miss my Linux install. Due to circumstances beyond my control (i.e. I’m too lazy to stop being lazy), and the fact that few games work well on Linux without lots of under-the-hood tweaking, I broke down and bought a Windows installation for my PC. In between mining asteroids in my Retriever Mining Ship and solving 3D puzzles with a transdimensional gun, I do normal work with my computer; programming, web design, web browsing, video editing, file management, the whole deal.

Windows Vista, however, has a new feature that makes my work awesome. No, I’m not talking about the 3D accelerated desktop with semitransparent windows (although that IS awesome). I’m talking about the new Start Menu search box.

In Windows XP (I’m doing this right now), hitting the Windows key opens up the start menu. I can either use the mouse to navigate the menu (why use the start key if you’re going to mouse the menu?), or navigate with the keyboard arrows. However, this can be quite tedious and slow. If I remember the program’s “.EXE” name and the program is on the Windows System Path, I can select “Run…” and type in the name, like wmplayer for Windows Media Player. But the names are funky and again, the cool programs aren’t on the path.

In Windows Vista, however, when you bump the start menu, a new device, the SEARCH BOX, is automatically engaged in the start menu! So, when I want to use, say, Notepad, I type ‘windows key notepad enter’. Goldwave (sound recording) is ‘windows key goldwave enter’. When I want to use a Open Office tool, I bump the Windows key, type “open office” and then select the tool I want with the arrow keys, as the search box narrows down the huge Start Menu to just the entries that make sense. Even cooler: when it’s budget time, I hit the Windows key then type “budget”. Search brings up “Apartment Budget.ods”. Select that with the arrow keys, and it opens Open Office Calc (spreadsheet) for me.

It’s like having a command line in Windows. Any program is just a few keystrokes away, and for a Linux nut and touch typist like me, that means my computer is that much more efficient. I don’t need muscle memory with the mouse to navigate the start menu, and I don’t have to squint at the menu items to find my program. I just have to remember the name!

Try it some time. It’s almost as awesome as saying “Engage” and going to Vulcan.

-Zoey
