Sunday, December 23, 2012

fsck didn't fix the issue with disk error

After a reboot the system dropped into single-user mode, complaining about /dev/sdb. Running fsck on the device failed, so I remounted the root filesystem read/write, removed the /dev/sdb entry from fstab and rebooted.

1. fsck the device in single user mode.
# fsck.ext4 /dev/sdb

The fsck attempt failed with the error below:

fsck.ext4: Device or resource busy while trying to open /dev/sdb
Filesystem mounted or opened exclusively by another program?

2. The root file system is currently mounted read-only; remount it with the read/write option.
# mount -n -o remount,rw /

3. Edited the fstab and commented out the filesystem entry for /dev/sdb
# vi /etc/fstab
# /dev/sdb /data ext4 defaults 1 2

4. Rebooted the machine
# shutdown -r now
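One way to script step 3 so it cannot take the root filesystem with it (an added example, not from the original post): comment out the device's fstab line only after checking its mount point, and keep a backup. The fstab used below is constructed; the function takes the file path as a parameter so it can be tried on a copy first.

```shell
# disable_fstab_entry FSTAB DEVICE
# Comments out the active fstab line whose first field is DEVICE.
# Exit status: 0 = done, 1 = no such entry, 2 = refused because DEVICE is "/".
disable_fstab_entry() {
    fstab=$1
    dev=$2
    # Match on the whole first field so /dev/sdb does not also hit /dev/sdb1.
    mnt=$(awk -v d="$dev" '$1 == d { print $2; exit }' "$fstab")
    [ -n "$mnt" ] || return 1
    # Never disable the root filesystem: the next boot would fail outright.
    [ "$mnt" != "/" ] || return 2
    cp -p "$fstab" "$fstab.bak"
    awk -v d="$dev" '$1 == d { print "#" $0; next } { print }' "$fstab" > "$fstab.tmp" &&
        mv "$fstab.tmp" "$fstab"
}

# Demonstration on a constructed fstab (not a real system file).
demo_fstab=$(mktemp)
cat > "$demo_fstab" <<'EOF'
UUID=0000-DEMO /      ext4 defaults 1 1
/dev/sdb       /data  ext4 defaults 1 2
/dev/sdb1      /data1 ext4 defaults 1 2
EOF
disable_fstab_entry "$demo_fstab" /dev/sdb
cat "$demo_fstab"
```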

The superblock could not be read or does not describe a correct ext2 filesystem. e2fsck -b 8193
(Repair filesystem) 2 #
rsync -bazv -e ssh /home root@destination:

Thursday, November 22, 2012

Mount cdrom/iso image on Redhat

If the cdrom is not mounted automatically, you can mount it by hand as follows.

[root@sama mnt]# cd /media/
[root@sama media]# ls
[root@sama media]#

[root@sama /]# mount -t iso9660 /dev/cdrom /mnt
mount: block device /dev/sr0 is write-protected, mounting read-only
[root@sama ~]#  dmesg | tail
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
eth0: no IPv6 routers present
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
ISO 9660 Extensions: Microsoft Joliet Level 3
ISO 9660 Extensions: RRIP_1991A
SELinux: initialized (dev sr0, type iso9660), uses genfs_contexts
[root@sama ~]#

[root@sama ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
                       41G  5.6G   33G  15% /
tmpfs                1011M   88K 1011M   1% /dev/shm
/dev/sda2             485M   30M  430M   7% /boot
/dev/sr0              2.9G  2.9G     0 100% /mnt

[root@sama /]# cd /mnt
[root@sama mnt]# ls
# eject -v /dev/cdrom-device && mount -v /dev/cdrom-device && echo $? 
Mounting an ISO Image 
# mount -o ro,loop My_ISO_Image.iso /media/cdrom 

Creating a Shared Mount Point

By default, removable media is mounted under /media, and /mnt is used for temporary mount points. With a shared mount you can make the same content visible under both.

Now, make the /media directory a shared mount:
# mount --bind /media /media
# mount --make-shared /media

Now, create a duplicate of it under /mnt:
# mount --bind /media /mnt

Verify:

# mount /dev/cdrom /media/cdrom
# ls /media/cdrom
# ls /mnt/cdrom

You can verify with a USB drive as well:

# mount /dev/dsc1 /mnt/flashdisk
# ls /media/flashdisk
# ls /mnt/flashdisk 
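The post never shows how to confirm that mount --make-shared took effect. As an added example (not from the original post), this reads the propagation tags from a /proc/self/mountinfo-style file; the mountinfo lines below are constructed to look like the system after the bind and make-shared steps above.

```shell
# mount_propagation MOUNTINFO TARGET
# Prints the propagation tags of the mount at TARGET ("shared:N", "master:N",
# "unbindable", or "private" when there are none), taken from the optional
# fields of /proc/self/mountinfo. Returns 1 if TARGET is not mounted.
mount_propagation() {
    awk -v t="$2" '
        $5 == t {
            tags = ""
            # optional fields run from column 7 up to the "-" separator
            for (i = 7; i <= NF && $i != "-"; i++)
                tags = tags (tags == "" ? "" : ",") $i
            print (tags == "" ? "private" : tags)
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Constructed mountinfo: /mnt is a bind of /media and both belong to peer
# group 5, which is what "mount --make-shared /media; mount --bind /media /mnt"
# produces. /tmp has no tags, i.e. it is a private mount.
demo_info=$(mktemp)
cat > "$demo_info" <<'EOF'
21 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
40 21 8:2 /media /media rw,relatime shared:5 - ext4 /dev/sda2 rw
41 21 8:2 /media /mnt rw,relatime shared:5 - ext4 /dev/sda2 rw
50 21 0:19 / /tmp rw,nosuid - tmpfs tmpfs rw
EOF
mount_propagation "$demo_info" /media    # shared:5
mount_propagation "$demo_info" /mnt      # shared:5
mount_propagation "$demo_info" /tmp      # private
```

On a live system run it against /proc/self/mountinfo; findmnt -o TARGET,PROPAGATION shows the same information.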

Thursday, June 14, 2012

How to Configure ACL on a directory?

$ /sbin/ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:56:be:00:41 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0
    inet6 fe80::250:56ff:febe:41/64 scope link
       valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit brd
[bhusal@valentine ~]$


Configure the ACL of a directory.

1. As root:

[root@valentine ~]# cd /tmp
[root@valentine tmp]# mkdir acl_test
[root@valentine tmp]# chmod 700 acl_test
[root@valentine tmp]#

2. As a normal user:

[bhusal@valentine ~]$ cd /tmp/acl_test/
-bash: cd: /tmp/acl_test/: Permission denied
[bhusal@valentine ~]$

3. As root:

[root@valentine tmp]# getfacl acl_test
# file: acl_test
# owner: root
# group: root

[root@valentine tmp]#

4. As root, add an extended ACL entry with the following command:

[root@valentine tmp]# setfacl -m u:bhusal:rwx acl_test/

Now display the extended ACL of the directory:

[root@valentine tmp]# getfacl acl_test
# file: acl_test
# owner: root
# group: root

[root@valentine tmp]#

5. Now try again as the normal user:

[bhusal@valentine ~]$  cd /tmp/acl_test/
[bhusal@valentine acl_test]$


Configure default ACL for a directory

6. As root:

[root@valentine acl_test]# touch without_default_acl
[root@valentine acl_test]# getfacl without_default_acl
# file: without_default_acl
# owner: root
# group: root

[root@valentine acl_test]#

As you can see, the file did not inherit any ACL entries from the parent directory, because the directory has no default ACL yet.

Now set the default ACL for the acl_test directory.

[root@valentine acl_test]# touch with_default_acl
[root@valentine acl_test]# getfacl with_default_acl
# file: with_default_acl
# owner: root
# group: root

[root@valentine acl_test]# ls -l
total 8
-rw-rw----+ 1 root root 0 Jun 14 15:09 with_default_acl
-rw-------  1 root root 0 Jun 14 15:07 without_default_acl
[root@valentine acl_test]#

7. Delete an ACL

[root@valentine acl_test]# setfacl -x u:bhusal with_default_acl

Display the ACL:

[root@valentine acl_test]# getfacl with_default_acl
# file: with_default_acl
# owner: root
# group: root

[root@valentine acl_test]#

8. Now the ACL entry for the user bhusal has been removed.

View the file attributes:
[root@valentine acl_test]# ls -l
total 8
-rw-------+ 1 root root 0 Jun 14 15:09 with_default_acl
-rw-------  1 root root 0 Jun 14 15:07 without_default_acl
[root@valentine acl_test]#

9. The "+" marker for extended ACL entries is still shown in the output.
To remove all ACL entries:

[root@valentine acl_test]# setfacl -b with_default_acl
[root@valentine acl_test]# ls -l
total 8
-rw------- 1 root root 0 Jun 14 15:09 with_default_acl
-rw------- 1 root root 0 Jun 14 15:07 without_default_acl
[root@valentine acl_test]#

[root@valentine acl_test]# getfacl with_default_acl
# file: with_default_acl
# owner: root
# group: root

[root@valentine acl_test]#

Now the ACL has been removed entirely.
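Why with_default_acl shows up as -rw-rw----+ above and as -rw-------+ after the user entry is deleted: once a mask entry exists, the group triad of ls -l shows the mask, not the owning group's rights. This added example (not from the original post) derives the ls -l permission string from a getfacl listing; the getfacl text is constructed to match the files above.

```shell
# acl_to_mode GETFACL_OUTPUT_FILE
# Prints the permission string ls -l would show for the file described by a
# getfacl listing: owner triad from "user::", group triad from "mask::" when a
# mask exists (otherwise from "group::"), other triad from "other::", plus a
# trailing "+" when any named entry, mask or default entry is present.
acl_to_mode() {
    awk -F: '
        { sub(/[ \t]+#effective:.*$/, "") }        # drop "#effective" notes
        /^#/ || NF == 0 { next }                    # skip header and blank lines
        $1 == "user"  && $2 == "" { owner = $3 }
        $1 == "group" && $2 == "" { group = $3 }
        $1 == "other"             { other = $3 }
        $1 == "mask"              { mask = $3; ext = 1 }
        ($1 == "user" || $1 == "group") && $2 != "" { ext = 1 }
        $1 == "default"           { ext = 1 }
        END {
            printf "%s%s%s%s\n", owner, (mask != "" ? mask : group), other, (ext ? "+" : "")
        }' "$1"
}

# Constructed getfacl output for with_default_acl: bhusal was granted rwx, but
# the mask (rw-) limits the effective rights, and the mask is what ls -l shows.
demo_acl=$(mktemp)
cat > "$demo_acl" <<'EOF'
# file: with_default_acl
# owner: root
# group: root
user::rw-
user:bhusal:rwx         #effective:rw-
group::---
mask::rw-
other::---
EOF
acl_to_mode "$demo_acl"    # rw-rw----+
```

After setfacl -x u:bhusal the mask is recomputed from the remaining entries (group::---), which is why the listing then reads -rw-------+ until setfacl -b removes the mask as well.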

Tuesday, May 15, 2012

Linux Server Monitoring Commands You Really Need To Know

iostat - shows detailed statistics about the storage subsystem (disk I/O)

meminfo and free - memory usage

# cat /proc/meminfo
gives you a detailed list of what's going on in your server's memory at any given moment.

# free
For a quick "just the facts" look at memory, you can use the free command.
In short, free gives you the overview; meminfo gives you the details.

# mpstat
it reports on the activities of each of the available CPUs on a multi-processor server.

# netstat

displays a lot of network related information, such as socket usage, routing, interface, protocol, network statistics, and more. Some of the most commonly used options are:

    -a Show all socket information
    -r Show routing information
    -i Show network interface statistics
    -s Show network protocol statistics

# nmon

short for Nigel's Monitor, is a popular open-source tool to monitor Linux systems performance. Nmon watches the performance information for several subsystems, such as processor utilization, memory utilization, run queue information, disk I/O statistics, network I/O statistics, paging activity, and process metrics.

# pmap

reports the amount of memory that your server's processes are using. You can use this tool to determine which processes on the server are being allocated memory and whether any of these processes are being piggy with RAM.

# ps and pstree

The ps and pstree commands are two of the Linux administrator’s best friends. They both provide a list of all currently running processes. Ps tells you how much memory and processor time the server’s programs are using. Pstree shows less information, but highlights which processes are the children of other processes.

# sar

The sar command is actually made up of three programs: sar, which displays the data, and sa1 and sa2, which collect and store it. Once installed, sar creates a detailed overview of CPU utilization, memory paging, network I/O and transfer statistics, process creation activity, and storage device activity.

# strace
It intercepts and records the system calls that are called by a process. This makes it a useful diagnostic, instructional, and debugging tool. For example, you can use strace to find out which configuration file a program is actually using when it starts up.

# tcpdump
is a simple, robust network monitoring utility. Its basic protocol analyzing capability gives you a rough view of what is happening on your network; to really dig in, see Wireshark below.

# top

it displays the most CPU-intensive tasks running on the server and updates the list every five seconds. You can sort the processes by PID (Process ID); age, newest first; time, by cumulative time; and resident memory usage and total time it's been using the CPU since startup.

# uptime

to see how long the server has been running and how many users are logged on. It also gives you an overview of the average server load. The optimal value of the load is 1 or less, which means that each process has immediate access to the CPU and there are no CPU cycles lost.

# vmstat
monitors what's going on with virtual memory. Linux constantly uses virtual memory to get the best possible storage performance.

If your applications are taking up too much memory you get excessive page-outs — programs moving from RAM to your system's swap space, which is on the hard drive. Your server can reach a point where it's spending more time managing memory paging than running your applications, a condition called thrashing. When your computer is thrashing, its performance falls through the floor. Vmstat, which can display either average data or actual samples, can help you spot memory pig programs and processes before they bring your server to a crawl.
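Spotting the paging activity described above in saved vmstat output, as an added example (not from the original post): the si/so columns are located from the header row rather than by fixed position, and the first sample is skipped because it is the average since boot. The vmstat output below is constructed.

```shell
# vmstat_paging VMSTAT_OUTPUT_FILE THRESHOLD
# Reads saved "vmstat <interval>" output and prints the samples in which pages
# swapped in (si) or out (so) per second exceed THRESHOLD. Returns 0 when at
# least one such sample is found, 1 otherwise.
vmstat_paging() {
    awk -v limit="$2" '
        $1 == "r" {                      # header row: r b swpd free ... si so ...
            for (i = 1; i <= NF; i++) { if ($i == "si") si = i; if ($i == "so") so = i }
            seen = 0
            next
        }
        si && $1 ~ /^[0-9]+$/ {          # data rows start with the run-queue count
            seen++
            if (seen > 1 && ($si > limit || $so > limit)) { hits++; print }
        }
        END { exit (hits ? 0 : 1) }' "$1"
}

# Constructed "vmstat 5" output: the second sample shows heavy paging
# (si 820 / so 940 per second) while the others are quiet.
demo_vmstat=$(mktemp)
cat > "$demo_vmstat" <<'EOF'
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0  81204  15340   2108  40212    1    2    50    20   90  120  5  2 92  1  0
 2  1 812040   9120    512  10240  820  940  3100  2800 1200 2400 10 30 10 50  0
 0  0  81204  60120   3020  90100    0    0    10     5   80  110  3  1 96  0  0
EOF
vmstat_paging "$demo_vmstat" 100
```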

# Wireshark
formerly known as Ethereal (and still often referred to that way), is tcpdump's big brother, though it is more sophisticated and with far more advanced protocol analyzing and reporting. Wireshark has both a GUI interface and a shell interface.


Tuesday, April 24, 2012

Step-by-step OpenLDAP Installation and Configuration

This tutorial describes how to install and configure an OpenLDAP server and also an OpenLDAP client.

Step by Step Installation and Configuration OpenLDAP Server

Software: OS CentOS 4.4, openldap 2.2.13-6.4E
System name:
Domain name:
System IP:

Note: Use your domain name and IP instead of adminmart.

Easy steps for adding users:
    1. Create unix user
    2. Create unix user's ldap passwd file
    3. Convert passwd.file to ldif file
    4. Add ldap file to LDAP Directory using ldapadd

Step #1. Requirements

    compat-openldap.i386 0:2.1.30-6.4E
    openldap-clients.i386 0:2.2.13-6.4E
    openldap-devel.i386 0:2.2.13-6.4E
    openldap-servers.i386 0:2.2.13-6.4E
    openldap-servers-sql.i386 0:2.2.13-6.4E

You can install them using the command:

yum install "*openldap*" -y

Step #2. Start the service

[root@ldap ~]# chkconfig --levels 235 ldap on
[root@ldap ~]# service ldap start

Step #3. Create LDAP root user password

[root@ldap ~]# slappasswd
    New password:
    Re-enter new password:
[root@ldap ~]#

Step #4. Update /etc/openldap/slapd.conf for the root password

[root@ldap ~]# vi /etc/openldap/slapd.conf

    database        bdb
    suffix          "dc=adminmart,dc=com"
    rootdn          "cn=Manager,dc=adminmart,dc=com"
    rootpw          {SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW

Step #5. Apply Changes

[root@ldap ~]# service ldap restart

Step #6. Create test users

[root@ldap ~]# useradd test1
[root@ldap ~]# passwd test1
    Changing password for user test1.
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
[root@ldap ~]# useradd test2
[root@ldap ~]# passwd test2
    Changing password for user test2.
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
[root@ldap ~]#

Note: Repeat the same for the rest of users

Step #7. Migrate local users to LDAP

[root@ldap ~]# grep root /etc/passwd > /etc/openldap/passwd.root
[root@ldap ~]# grep test1 /etc/passwd > /etc/openldap/passwd.test1
[root@ldap ~]# grep test2 /etc/passwd > /etc/openldap/passwd.test2

Note: Repeat the same for the rest of users
Step #8. Update default settings on file /usr/share/openldap/migration/

    $DEFAULT_MAIL_DOMAIN = "";
    $DEFAULT_BASE = "dc=adminmart,dc=com";

Step #9. Convert passwd.file to ldif (LDAP Data Interchange Format) file

[root@ldap ~]# /usr/share/openldap/migration/ /etc/openldap/passwd.root /etc/openldap/root.ldif
[root@ldap ~]# /usr/share/openldap/migration/ /etc/openldap/passwd.test1 /etc/openldap/test1.ldif
[root@ldap ~]# /usr/share/openldap/migration/ /etc/openldap/passwd.test2 /etc/openldap/test2.ldif

Note: Repeat the same for the rest of users
Step #10. Update root.ldif file for the "Manager" of LDAP Server

[root@ldap ~]# vi /etc/openldap/root.ldif

    dn: uid=root,ou=People,dc=adminmart,dc=com
    uid: root
    cn: Manager
    objectClass: account

Step #11. Create a domain ldif file (/etc/openldap/

[root@ldap ~]# cat /etc/openldap/

    dn: dc=adminmart,dc=com
    dc: adminmart
    description: LDAP Admin
    objectClass: dcObject
    objectClass: organizationalUnit
    ou: rootobject

    dn: ou=People, dc=adminmart,dc=com
    ou: People
    description: Users of adminmart
    objectClass: organizationalUnit

Step #12. Import all users in to the LDAP

Add the Domain ldif file

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f  /etc/openldap/
    Enter LDAP Password:
    adding new entry "dc=adminmart,dc=com"
    adding new entry "ou=People, dc=adminmart,dc=com"
[root@ldap ~]#

Add the users:

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f  /etc/openldap/root.ldif
    Enter LDAP Password:
    adding new entry "uid=root,ou=People,dc=adminmart,dc=com"
    adding new entry "uid=operator,ou=People,dc=adminmart,dc=com"
[root@ldap ~]#

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f  /etc/openldap/test1.ldif
    Enter LDAP Password:
    adding new entry "uid=test1,ou=People,dc=adminmart,dc=com"
[root@ldap ~]#

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=adminmart,dc=com" -W -f  /etc/openldap/test2.ldif
    Enter LDAP Password:
    adding new entry "uid=test2,ou=People,dc=adminmart,dc=com"
[root@ldap ~]#

Note: Repeat the same for the rest of users

Step #13. Apply Changes

[root@ldap ~]# service ldap restart

Step #14. Test LDAP Server

It prints all the user information:

[root@ldap ~]# ldapsearch -x -b 'dc=adminmart,dc=com' '(objectclass=*)'
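The migration script's path is cut off in steps 8 and 9 above. As an added, simplified stand-in (not the OpenLDAP migration tools' own code), this turns a passwd line into the posixAccount LDIF that ldapadd expects under ou=People; the base DN is passed in and the passwd lines below are constructed.

```shell
# passwd_to_ldif BASE_DN < passwd-lines
# Emits one posixAccount entry per /etc/passwd line under ou=People,BASE_DN.
# Only the shape of the real migration tools' output is imitated: the password
# hash is not copied because /etc/passwd holds "x", not the hash (that lives in
# /etc/shadow and has to be migrated separately).
passwd_to_ldif() {
    awk -F: -v base="$1" '
        NF >= 7 && $1 !~ /^#/ {
            printf "dn: uid=%s,ou=People,%s\n", $1, base
            printf "uid: %s\n", $1
            printf "cn: %s\n", ($5 != "" ? $5 : $1)   # GECOS, or the login name
            print "objectClass: account"
            print "objectClass: posixAccount"
            print "objectClass: top"
            printf "uidNumber: %s\n", $3
            printf "gidNumber: %s\n", $4
            printf "homeDirectory: %s\n", $6
            printf "loginShell: %s\n", $7
            print ""                                  # blank line separates entries
        }'
}

# Constructed passwd lines (not from a real system).
printf '%s\n' 'test1:x:501:501::/home/test1:/bin/bash' \
              'test2:x:502:502:Test User Two:/home/test2:/bin/bash' |
    passwd_to_ldif "dc=adminmart,dc=com"
```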

Step-by-step OpenLDAP Installation and Configuration of Client System

LDAP Client Configuration
Step #1. Installation

[root@ldapclient ~]# yum install authconfig

Step #2. Run the command

[root@ldapclient ~]# authconfig

Step #3. Settings

         [*] Use LDAP     [*] Use LDAP Authentication

    [Both should be checked]

Click "Next".

        [ ] Use TLS
        Base DN: dc=adminmart,dc=com

        Click "Ok" to confirm.

Note: Use your domain name instead of adminmart. With "Use TLS" left unchecked, the client sends bind passwords to the LDAP server in clear text, so enable TLS on any network you do not fully trust.

Friday, March 30, 2012

How to transfer files to a remote host using tar and rsync over SSH?

a. Copying files from remote machine to your local machine

$ ssh user@remote_server "tar -czpf - /files/to_copy" | tar -xzpf - -C /files_to_extract
$ ssh filetran@goyouk "tar -czpf - /opt/datafile" | tar xzpf - -C /opt/importfile

b. Copying files from your machine to the remote machine.

$ tar -cpf - /Files/To_transfer | ssh user@what_machine_to_transfer "tar -xpf - -C /where?to_transfer"
$ tar -cpf - /opt/datafile | ssh filetran@baypak "tar -xpf - -C /opt/exportfile"

Without compression,
$ tar -cf - /opt/datafile | ssh remote_host tar -xf - -C /destination

with compression,
$ tar -czf - /opt/datafile | ssh remote_host tar -xzf - -C /destination

if you have ssh key set up, you can use,
$ tar -czf - /opt/datafile | ssh remote_hostname tar -xzf - -C /some/destination

To copy locally within the server,

$ tar cf - /opt/datafile | (cd /export/data/tab; tar xf -)


Using rsync

rsync -e ssh [-avz] /some/file [ more ... ]
rsync -e ssh /opt/dd_data remote_host:/opt/dd_data


rsync -ave ssh source_server:/path/to/source /destination/dir

Thursday, February 23, 2012

SSH security hardening

The configuration file for ssh server security hardening is /etc/ssh/sshd_config.
There are a couple of entries you should pay attention to. Go through each entry and understand what it does; based on your organization's requirements, add, remove or modify the values.

1. Link a banner file.
Banner /etc/issue
Note: the referenced file holds the banner text; it can be /etc/ssh-banner or any other file you choose.

2. Set the maximum number of authentication attempts allowed per connection.
MaxAuthTries 3

3. Are logins to accounts with empty passwords allowed?
PermitEmptyPasswords no

4. Are root logins permitted using sshd ?
PermitRootLogin no
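A check for the four directives above, as an added example (not from the original post). It models one sshd_config rule that trips people up: for a given keyword sshd uses the first value it reads, so a hardening line appended at the end of the file is silently ignored when the same keyword already appears earlier. Match blocks are not modelled; the sshd_config below is constructed.

```shell
# sshd_first_value SSHD_CONFIG KEYWORD
# Prints the value sshd will use for KEYWORD (keywords are case-insensitive,
# "#" lines are comments, first occurrence wins). Returns 1 if it is not set.
sshd_first_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
        END { exit (found ? 0 : 1) }' "$1"
}

# sshd_audit SSHD_CONFIG
# Prints one line per weak or missing directive; returns the number of findings.
sshd_audit() {
    cfg=$1
    bad=0
    v=$(sshd_first_value "$cfg" PermitRootLogin) || v=""
    [ "$v" = "no" ] || { echo "PermitRootLogin is '${v:-unset}' (should be no)"; bad=$((bad + 1)); }
    v=$(sshd_first_value "$cfg" PermitEmptyPasswords) || v=""
    [ "${v:-no}" = "no" ] || { echo "PermitEmptyPasswords is '$v' (should be no)"; bad=$((bad + 1)); }
    v=$(sshd_first_value "$cfg" MaxAuthTries) || v=""
    case $v in
        [1-3]) ;;
        *) echo "MaxAuthTries is '${v:-unset, default 6}' (should be 3 or less)"; bad=$((bad + 1)) ;;
    esac
    v=$(sshd_first_value "$cfg" Banner) || v=""
    case $v in
        ""|none) echo "Banner is not set"; bad=$((bad + 1)) ;;
    esac
    return "$bad"
}

# Constructed sshd_config: the hardening lines were appended below an existing
# PermitRootLogin yes, so the weak first value is the one sshd uses.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
PermitRootLogin yes
Banner /etc/issue
MaxAuthTries 3
PermitEmptyPasswords no
PermitRootLogin no
EOF
sshd_audit "$demo_cfg" || echo "$? finding(s)"
```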

Thursday, February 9, 2012

Packet filtering and network address translation (NAT) using iptables

Use iptables to implement packet filtering and configure network address translation (NAT)

Install and use "system-config-network-tui" to create the basic "/etc/sysconfig/iptables" file, then edit the file with vi.


man iptables

iptables -I INPUT -s -p tcp --dport 22 -j ACCEPT

-I insert (Can include a rule number, for example "-I 4" which means "insert as 4th rule")
-A append
-D delete (include rule number)
-m Specify a module to use (ex: Use "-m multiport" to specify multiple ports)
-s source
-d destination
--dport destination port
--sport source port
-j jump to target (ACCEPT, REJECT, DROP)

The last rule should be (to reject all others):

iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

Block a host:
iptables -I INPUT -p tcp --dport 80 -s -j REJECT

Block a subnet:
iptables -I INPUT -p tcp -s -j REJECT

Accept reply packets:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Accept anything on the loopback interface:
iptables -A INPUT -i lo -j ACCEPT


Allow the gateway to forward IP packets by editing /etc/sysctl.conf and changing

net.ipv4.ip_forward = 0

to

net.ipv4.ip_forward = 1

Then execute: sysctl -p

iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE

iptables -I FORWARD -i eth1 -o eth1 -j ACCEPT -m comment --comment "accept everything on the way out"

iptables -I FORWARD -o eth1 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "accept related or established on the way back"


Forward all incoming TCP traffic on port 8800 to port 80:

iptables -t nat -I PREROUTING -p tcp --dport 8800 -j DNAT -to

From the web, sorry forgot the source ...
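The rules above as one persistent ruleset, written as an added example (not from the original post) in the iptables-restore format that /etc/sysconfig/iptables uses. It puts the catch-all REJECT last in each chain and gives the two FORWARD rules different interfaces (the commands above use eth1 on both sides, which cannot forward anything). eth0/eth1, 192.168.1.0/24 and the DNAT target 192.168.1.10 are constructed placeholders.

```shell
# gateway_rules LAN_IF WAN_IF LAN_NET DNAT_TARGET
# Prints an iptables-restore file. Order matters: loopback and
# ESTABLISHED,RELATED first, explicit accepts next, catch-all REJECT last.
# LAN->WAN is allowed outright; WAN->LAN only for replies and for the one
# DNAT'ed service, which would otherwise be rejected in FORWARD.
gateway_rules() {
    lan=$1; wan=$2; net=$3; dnat=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $wan -p tcp --dport 8800 -j DNAT --to-destination $dnat:80
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $net -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT -m comment --comment "accept everything on the way out"
-A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "accept replies on the way back"
-A FORWARD -i $wan -o $lan -d $dnat -p tcp --dport 80 -j ACCEPT -m comment --comment "the DNAT'ed web service"
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# last_rule RULES_FILE CHAIN
# Prints the final rule of CHAIN, to check that nothing ended up after the
# catch-all REJECT (anything there is dead).
last_rule() {
    awk -v c="$2" '$1 == "-A" && $2 == c { last = $0 } END { print last }' "$1"
}

demo_rules=$(mktemp)
gateway_rules eth0 eth1 192.168.1.0/24 192.168.1.10 > "$demo_rules"
last_rule "$demo_rules" INPUT
last_rule "$demo_rules" FORWARD
```

Load it with iptables-restore < file (or save it as /etc/sysconfig/iptables and restart the service) only after reviewing it on a console session, since an ordering mistake can cut off your own SSH access.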

Thursday, February 2, 2012

Create, lock, and unlock user account on Redhat

User account activities on Redhat

1. Lock the user password
# usermod -L username

2. Force password change upon initial login.
# chage -d 0 username

3. Unlock the account
There are two common approaches to this step.
The administrator can assign an initial password or assign a null password.

Note: do not set the initial password with passwd here, because that disables the immediate password expiration just configured.

a. Assign a null password instead of an initial password.
# usermod -p "" username
An empty password field lets the account log in without any password until one is set, which is exactly what PermitEmptyPasswords no in sshd_config guards against.

b. Use the Python interpreter (the python command) together with usermod.
# python
At the prompt, type the following, replacing the first string with the password to encrypt and the second with a salt: a random combination of at least 2 of the following characters: any alphanumeric character, the slash (/) or the dot (.).

>>> import crypt; print crypt.crypt("","")

The output is the encrypted password, similar to '12CsGd8FRcMSM'.
Press Ctrl-D to exit the Python interpreter.

At the shell, enter the following command (replacing with the encrypted output of the Python interpreter):

# usermod -p ""

4. Adding a new user account
# useradd myuser
# passwd myuser
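The three commands above each leave a recognisable trace in /etc/shadow: usermod -L prefixes the hash with "!", chage -d 0 sets the last-change day to 0, and usermod -p "" empties the hash field. This added example (not from the original post) reads a shadow-format file and reports each account's state; the shadow lines below are constructed, with fake hashes.

```shell
# shadow_audit SHADOW_FILE
# Prints "<user>: <state>" per account: "locked" (hash starts with "!"),
# "never-set" ("!!", as useradd leaves it), "no-login" ("*", system accounts),
# "no-password" (empty hash), or "ok"; " must-change" is appended when the
# last-change field is 0. Returns 1 if any account has no password at all.
shadow_audit() {
    awk -F: '
        NF >= 2 {
            state = "ok"
            if ($2 == "") state = "no-password"
            else if ($2 == "!!") state = "never-set"
            else if ($2 ~ /^!/) state = "locked"
            else if ($2 ~ /^\*/) state = "no-login"
            if ($3 == "0" && state != "no-login") state = state " must-change"
            if (state ~ /^no-password/) empty++
            print $1 ": " state
        }
        END { exit (empty ? 1 : 0) }' "$1"
}

# Constructed /etc/shadow (hashes are placeholders, not real).
demo_shadow=$(mktemp)
cat > "$demo_shadow" <<'EOF'
root:$1$constructedhash:15300:0:99999:7:::
nocuser:!$1$constructedhash:15300:0:99999:7:::
newuser:!!:15300:0:99999:7:::
tempuser::0:0:99999:7:::
daemon:*:15300:0:99999:7:::
EOF
shadow_audit "$demo_shadow" || echo "at least one account has no password"
```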


Wednesday, February 1, 2012

Delegation of task: shutdown the system by non-root user

When you have to give access to the folks from help desk to only shutdown the system, you can do so by following the procedure below.

1. Create a group and a user for this task (group=shutgroup, user=nocuser).
# groupadd shutgroup
# adduser -G shutgroup nocuser

2. Allow the group to run the shutdown command by editing the sudoers file (visudo is safer than plain vi: it checks the syntax before saving, and a syntax error in /etc/sudoers locks everyone out of sudo).
# vi /etc/sudoers

and add the following line:
%shutgroup ALL=NOPASSWD:/sbin/shutdown

Now, any member of the group shutgroup will be able to shutdown the server.

To execute the command use as follows,
# sudo shutdown -h now

How to set up web site on Redhat

Deploy Web Service on Redhat (httpd service)

1. Install httpd package
# yum install httpd* -y

2. Edit the configuration file and look for ServerName and DocumentRoot

# vi /etc/httpd/conf/httpd.conf

DocumentRoot /var/www/html

3. Create an index file in the document root directory (the default DirectoryIndex is index.html, so use that name).
# cd /var/www/html
# echo "Welcome to my First web page on this web server" > index.html

4. start the httpd service
# service httpd start

5. make httpd service persistent
# chkconfig httpd on

6. check web service

go to

How to Install and Configure Nagios on Redhat/Centos.

Install and configure Nagios on Centos 5.
Note: This procedure was done on CentOS and should work on Redhat 5 as well.

Planning: download and install apache, nagios on the system.

A. Install RPMforge package for your distribution and architecture.
[ ]

1.a. For x86 - 32-bit systems
# rpm -Uhv

1.b. For x64 - 64-bit systems
# rpm -Uhv

B. Install Apache.

1. Install Apache
# yum install httpd php gcc glibc glibc-common gd gd-devel

2. Configure Apache to start on boot
# chkconfig --levels 345 httpd on

3. Configure iptables to allow Apache traffic
# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# /etc/init.d/iptables save
# /etc/init.d/iptables restart

C. Install & Configure Nagios

1. Install Nagios and Plugins
# yum install nagios nagios-plugins nagios-plugins-setuid

2. Create the default Nagios web access user & set a password
# htpasswd -c /etc/nagios/htpasswd.users nagiosadmin

3. Verify default config files
# nagios -v /etc/nagios/nagios.cfg

4. Start Nagios
# service nagios start/restart

5. Start Apache
# service httpd start/restart

6. Verify the installation.
Log in to the Nagios page by going to the site with nagiosadmin and the password you set.

Good to go ...