Linux Administration Notes
On this page...
- 1. Other Pages
- 2. Random Password Generator
- 3. Attansic L2 Ethernet driver for the psidaq PC at ithemba
- 4. Misc
- 5. ACL (Access Control Lists) on Linux
- 6. SELinux
- 7. To make sure things start after a reboot
- 8. Text-mode screensaver
- 9. printconf
- 10. Enabling ssh access from a new IP address range
- 11. limiting the rights of an SSH login
- 12. get the SSHd fingerprint on the server:
- 13. Enable Java Web Start (for JANIS)
- 14. Enable Java Plugin for Firefox on SL4
- 15. Server Backup
- 16. History of incidents
1. Other Pages
2. Random Password Generator
APG (installed on PSI from the DAG rpm) is a password generator that makes 'readable' passwords. Please use it to generate your new password...
$ apg -M NsCL
SloFlewk7
Skyrolg9
6Okqueg3
AtNeenCyt6
Dewpaij8
efKoolt6
Remember that you can change your password from any PSI pc using yppasswd.
3. Attansic L2 Ethernet driver for the psidaq PC at ithemba
4. Misc
- shmux distributed shell
sudo yum --enablerepo=dag install shmux
- http://www.rpm.org/
5. ACL (Access Control Lists) on Linux
(for 2.6 kernels only)
6. SELinux
SELinux, or Security Enhanced Linux, is a system to define more fine-grained permissions for files, programs, users, etc. In brief, it is based on a concept of "types" - a program subject to SELinux, like httpd, will have a certain "type". Certain program types will then be able to access only certain types of files - even if these files are "world readable" in terms of Unix permissions.
- http://wiki.centos.org/HowTos/SELinux
- http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
If you have SELinux enabled, and you have problems with permissions,
- read the how-to above
- look at /var/log/audit/audit.log
- use ls -laZ to see Unix and SELinux permissions
- use chcon to change SEL permissions
See for example Web Pages.
There are many switches that can be tuned with getsebool / setsebool, like httpd_enable_homedirs. Please check those before going to the next, more complicated step.
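To make the audit.log step concrete, the following added example (not part of the original notes) groups AVC denials by command, source type, target type, object class and permission, so it is easy to see which type pair to check against the booleans or relabel with chcon. The log lines are constructed samples in the audit.log format, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; the log lines below are constructed, not taken from a real host.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1163000001.123:101): avc:  denied  { getattr } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=4001 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1163000002.456:102): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=4001 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1163000002.456:102): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1163000003.789:103): avc:  denied  { getattr } for  pid=2102 comm="httpd" name="index.html" dev=dm-0 ino=4001 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1163000004.000:104): avc:  denied  { search } for  pid=2102 comm="httpd" name="www" dev=dm-0 ino=4000 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
EOF
}

# Read audit.log lines on stdin and print one line per distinct denial:
#   count  command  source_type -> target_type  class  permission
summarize_avc() {
  awk '
    /avc:/ && /denied/ {
      comm = src = tgt = cls = ""; np = 0; inperm = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inperm = 1; continue }
        if ($i == "}") { inperm = 0; continue }
        if (inperm)    { perm[++np] = $i; continue }
        if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # user:role:type[:level]
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      # A single record may list several permissions; count each one.
      for (p = 1; p <= np; p++)
        n[comm " " src " -> " tgt " " cls " " perm[p]]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2
}

# On a real system: summarize_avc < /var/log/audit/audit.log
sample_audit_log | summarize_avc
```

Non-AVC records such as the SYSCALL line are skipped, and the optional MLS level suffix on a context does not change the extracted type.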
If you have more "permanent" problems,
- use audit2allow -l -i /var/log/audit/audit.log
yum install selinux-policy-targeted-sources
- use
7. To make sure things start after a reboot
Just as an example ....
sudo chkconfig mysqld on
8. Text-mode screensaver
To activate full DPMS screen saver in text mode like you get in X11, you can put this in /etc/rc.local:
for n in 1 2 3 4 5 6 7 8 9 10 11; do
  setterm -powersave powerdown > /dev/tty$n
  setterm -powerdown 1 > /dev/tty$n
  setterm -store > /dev/tty$n
done
9. printconf
printconf supports command line options to export/import the full printers configuration to/from XML files, making it quite easy to copy the same configuration to a number of PCs:
# printconf-tui --Xexport > printconf.xml
# printconf-tui --Ximport < printconf.xml
I was unable to stop the browsing; it did work after adding a Browsing Off line to /etc/cups/cupsd.conf
10. Enabling ssh access from a new IP address range
Each IP address has to be explicitly allowed by the firewall. This is done by editing and then running the script that sets the iptables rules:
/home/admpsi/bin/fw.psi.sh
Then if it's OK
/sbin/service iptables save
11. limiting the rights of an SSH login
- http://www.sublimation.org/scponly/
- http://mail.incredimail.com/howto/openssh/index.html
- http://www.brandonhutchinson.com/chroot_ssh.html
- http://chrootssh.sourceforge.net/index.php
12. get the SSHd fingerprint on the server:
[sergio@psi ~]$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
1024 38:95:1c:67:03:35:e4:1d:10:46:2c:76:e2:5b:1e:b7 /etc/ssh/ssh_host_rsa_key.pub
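A fingerprint in the colon-hex format shown above is the MD5 digest of the base64-decoded key blob, so a client can recompute it from its own known_hosts entry and compare it with the value read out on the server. This is an added example, not part of the original notes; the key blob is a constructed, truncated placeholder and the host names and function names are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed, truncated key blob: NOT a real host key.
SAMPLE_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB root@psi-example'
SAMPLE_KNOWN_HOSTS='psi,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB'

# Print the MD5 colon-hex fingerprint for a *.pub line or a known_hosts line.
# Returns 1 if the line contains no recognisable key type followed by a blob.
key_md5_fp() {
  blob=$(printf '%s\n' "$1" |
    awk '{ for (i = 1; i < NF; i++)
             if ($i ~ /^ssh-(rsa|dss)$/) { print $(i + 1); exit } }')
  [ -n "$blob" ] || return 1
  printf '%s' "$blob" | base64 -d | md5sum | awk '{ print $1 }' |
    sed 's/../&:/g; s/:$//'
}

# Succeed only if the key line hashes to the fingerprint given as $2
# (compared case-insensitively).
fp_matches() {
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$(key_md5_fp "$1")" = "$want" ]
}

# Demo: the .pub line and the known_hosts line carry the same blob,
# so both print the same fingerprint.
key_md5_fp "$SAMPLE_PUB"
key_md5_fp "$SAMPLE_KNOWN_HOSTS"
```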
13. Enable Java Web Start (for JANIS)
cd /usr/bin; sudo ln -sf /usr/java/j2sdk1.4.2_12/jre/javaws/javawsbin javaws
/etc/mailcap:
# Java Web Start
application/x-java-jnlp-file; javaws %s
14. Enable Java Plugin for Firefox on SL4
cd /usr/lib/firefox-1.5.0.7/plugins/; sudo ln -sf /usr/lib/mozilla/plugins/* .
15. Server Backup
In order to back up the server, we need a place to put the data. This is one of the other machines in the group. If it is one of the Sun machines, format the extra space on the machine using:
mkfs.ext3 /dev/sda3
Then make the backups mount point
mkdir /BACKUPS
Then mount that partition by adding the following line to /etc/mtab
/dev/sda3 /BACKUPS ext3 rw,defaults 0 0
And export it by adding the following line to /etc/exports
/BACKUPS 146.141.41.19(rw,sync,no_root_squash)
and then re-export everything
exportfs -ra
and restart the nfs daemon
/etc/init.d/nfs restart
and keep it going
chkconfig nfs on
The final step is to allow connections from the file server to this machine by altering the iptables.
sudo iptables -I INPUT 6 -s psi -j ACCEPT
16. History of incidents
Power Failure
Unfortunately, power failure is commonplace at the university. This can lead to a number of problems in a machine that was rudely dumped.
- Panel problems: The panel icons are unresponsive or they appear to respond but no program is loaded or there are no icons, or there is no panel.
- Delete the .gconf, .gconfd, and .gnome2/panel2.d directories
- Restart the nfs server on psi:
sudo /sbin/service nfs restart
- Now that we have a battery backup on the server, it will not come up immediately when the power returns. The clients will boot BEFORE the nfs and yp server are running. This will require the following commands to be used to start these client services once the server is up.
sudo service ypbind start
sudo service autofs start
2006 Feb 21: Schonlan Firewall
2005 Nov 14: Squirrelmail error
imap was verified to be listening with
[root@SchonLAN log]# netstat -tl | grep -i imap
tcp 0 0 *:imaps *:* LISTEN
tcp 0 0 *:imap *:* LISTEN
imapproxy
. It appears that imapproxy didn't come up again properly after a related to a power failure early Sunday morning. Restarted the imapproxy server which repaired the error.