My Notes

Top Ten SEO Steps recommended for a successful web campaign

Keyword Research Tools:

Top Ten Google AdWords Keywords Quality Score Tips

Hallway Page

DESIGN AND CONTENT GUIDELINES:

Long Tail SEO Strategy

Authority of a Page or Web site

• Essential Habits of an Effective Professional Freelancer (Rob Smith)
• Common Questions of Web Designers (Andy Rutledge)
• The Designer Who Delivers (Aurimas Adomavicius)
• Critical Mistakes Freelancers Make (Robert Bowen)
• The Importance of Customer Service (Robert Bowen)
• Creatively Handling the Admin Side of Freelancing (Robert Bowen)
• Pitching Like a Pro (Cameron Chapman)
• The Finances of Freelancing (Luke Reimer)
• How to Identify and Deal With Different Types of Clients (Robert Bowen)
• How to Improve Designer-Client Relationships (Aaron Griffith)
• How to Communicate with Developers Effectively (Ryan Scherf)
• How to Educate Your Clients on Web Development (Aurimas Adomavicius)
• How to Explain to Clients That They Are Wrong (Sam Barnes)
• How to Respond Effectively to Design Criticism (Andrew Follett)
• How to Persuade Your Users, Boss or Clients (Paul Boag)
• How to Create the Perfect Client Questionnaire (Cameron Chapman)
• Getting Clients: Approaching the Company (Peter Smart)
• Converting Prospects into Clients (Alyssa Gregory)
• Marketing Rules and Principles for Freelancers (Jeff Gardner)
• How Many Ideas Do You Show Your Clients? (Graham Smith)
• Freelance Contracts: Do’s And Don’ts (Robert Bowen)
• What’s in a Price: Guidelines for Pricing Web Designs (Thursday Bram)
• Quality-Price Ratio in Web Design (Jeff Gardner)

http://www.noupe.com/tools/15-helpful-blogs-no-freelancer-should-forget.html

http://freelancefolder.com/

http://www.smashingmagazine.com/2009/12/21/essential-habits-of-an-effective-professional-freelancer/

http://www.smashingmagazine.com/2010/03/08/common-questions-about-design-professionalism/

http://www.smashingmagazine.com/2010/04/16/the-designer-who-delivers/

http://www.smashingmagazine.com/2009/11/28/critical-mistakes-freelancers-make/

http://www.noupe.com/how-tos/the-importance-of-customer-service-to-your-freelance-business.html

http://www.smashingmagazine.com/2010/01/11/creatively-handling-the-admin-side-of-freelancing/

http://www.smashingmagazine.com/2009/07/09/the-roadmap-to-becoming-a-professional-freelance-web-designer/

http://sixrevisions.com/user-interface/the-future-of-user-interfaces/

http://www.smashingmagazine.com/2009/08/14/how-to-effectively-communicate-with-developers/

http://www.smashingmagazine.com/2009/10/15/identifying-and-dealing-with-different-types-of-clients/

http://www.smashingmagazine.com/2010/04/23/educating-your-client-on-web-development-successfully/

http://www.smashingmagazine.com/2009/12/10/how-to-explain-to-clients-that-they-are-wrong/

http://www.smashingmagazine.com/2009/10/01/how-to-respond-effectively-to-design-criticism/

http://www.smashingmagazine.com/2009/10/11/how-to-persuade-your-users-boss-or-clients/

http://www.noupe.com/how-tos/how-to-create-the-perfect-client-questionnaire.html

http://www.smashingmagazine.com/2009/11/09/getting-clients-approaching-the-company/

http://www.ehow.com/how_2317357_convert-prospects-clients.html

http://www.theremsengroup.com/82

http://www.smashingmagazine.com/2009/08/24/marketing-rules-and-principles-for-freelancers/

http://www.smashingmagazine.com/2009/12/28/discuss-how-many-ideas-do-you-show-clients/

http://www.smashingmagazine.com/2009/10/06/freelance-contracts-dos-and-donts/

http://www.noupe.com/freelance/what-s-in-a-price-the-guidelines-for-pricing-web-designs.html

http://www.smashingmagazine.com/2009/07/14/quality-price-ratio-in-web-design-pricing-design-work/

http://designm.ag/resources/freelance-designers/

http://www.smashingmagazine.com/2010/03/24/a-short-guide-to-open-source-and-similar-licenses/

http://www.noupe.com/how-tos/12-secrets-of-effective-business-communication.html

http://www.smashingmagazine.com/2010/01/28/color-theory-for-designers-part-1-the-meaning-of-color/

http://www.smashingmagazine.com/2010/02/02/color-theory-for-designers-part-2-understanding-concepts-and-terminology/

http://www.smashingmagazine.com/2010/02/08/color-theory-for-designer-part-3-creating-your-own-color-palettes/

http://www.smashingmagazine.com/2009/09/16/how-to-find-time-for-everything/

http://www.smashingmagazine.com/2009/07/21/45-excellent-code-snippet-resources-and-repositories/

http://www.smashingmagazine.com/2009/06/29/45-incredibly-useful-web-design-checklists-and-questionnaires/

http://www.smashingmagazine.com/2008/11/13/15-useful-project-management-tools/

http://www.smashingmagazine.com/2009/06/12/effective-maintenance-pages-examples-and-best-practices/

http://www.smashingmagazine.com/2009/05/21/web-design-industry-jargon-glossary-and-resources/

http://www.noupe.com/design/simplicity-in-good-web-design-advantages-how-to.html

http://www.heinmaas.com/40-resources-to-become-a-successful-freelance-graphicweb-designer/

http://www.noupe.com/design/10-things-clients-look-for-in-a-design-portfolio.html

http://www.noupe.com/freelance/how-to-make-yourself-stand-out-as-a-freelancer.html

http://freelancefolder.com/3-steps-to-creating-a-freelancing-brand-that-sells/

http://www.noupe.com/how-tos/how-to-create-the-perfect-client-questionnaire.html

http://www.noupe.com/design/systematizing-the-design-build-process.html

Better Communication with Employees and Peers

http://www.inc.com/guides/growth/23032.html

SEO Frequently Asked Questions

Questions about Google’s PageRank, and ranking in general, and how to gain some points, by natural ways, without to use bad practices as cloaking and spamming and other forbidden artifacts that may lead you to the black list…

General questions

• How do I know if my pages are indexed by Google?
• How to exclude a page from the index?
• Is the duplicate content penalized?
• Why a second indented link for the same site in results page?
• Is the domain extension important for PageRank?
• My page is not indexed by search engines
• Can I force a Web page to be indexed?
• Where can I get more information about Googlebot?
• What is lemmatisation?
• What is hilltop?
• What is SERP?
• How to avoid cloaking?
• What is the bounce rate?
• How can I leave the sandbox?
• What is minus thirty?
• My site has disappeared from Google’s index, what can I do?
• How to type google.com without being redirected to my country version?
• How to be a trusted site?
• Should we add content frequently?
• Which percentage of users click on the first link in search page results?
• How to change domain without losing its ranking.

SEO tools

• Is it really useful to provide a sitemap to Google?
• Is robots.txt helpful? How does Google use it?
• Are RSS feeds useful for SEO?
• Is the description meta used by Google?
• Should I fill the meta keyword?
• Why the link command on Google gives only a few backlinks?

Improving ranking

• How to improve the SEO of my site?
• How many keywords can I put into a URL?
• How can we overshoot Wikipedia?
• Can I modify the snippets?
• Compliance to W3C standard is it important for the ranking?

Links and backlinks

• Are internal links helpful?
• Are social bookmark links giving less weight than other back links?
• Are nofollow links followed by crawlers?
• How many links can I put into a page?
• Several links on a page to the same page are they useful?
• Javascript links are they taken into account?

Questions about the PageRank

• Why the link: operator from Google returns only a few backlinks?
• What is PageRank?
• Is PageRank important?
• Is PageRank used against duplicate content?
• How is PageRank calculated by Google?
• What is cloaking?
• What is spamming?
• What is spoofing?
• How to know my PageRank?
• A company guarantees me a 10 points PR
• Is the PageRank the first factor for the position?
• What means a graybar PR? Is this a penalty?
• How to improve my PageRank?
• Other factors for the position in results.
• Does a 301 redirect mean a lost in PageRank?
• When the PageRank is it updated?

Answers

Is it really useful to provide a sitemap to Google?

The site map, is a standard file in XML format to search engines that allow them to index all pages of a site. It is particularly useful when the engines can not reach internal pages by following links on the site.

The sitemap can be generated automatically by a CMS or with a script as simple map on a static site.

More: Should we generate a sitemap of our website for Google?

How do I know if my pages are indexed by Google?

If your site is called “www.sabinshrestha.com.np” for example (this is impossible), type this in the search window:

site:www.sabinshresth.com.np

Google will display your indexed pages and so allows you to check the title and description of the pages.

How to exclude a page from the index?

Insert a meta tag within <head> </head> into the HTML page:

 <meta name="robots" content="noindex" />

A robots.txt at the root of the site may also contain rules to search engines for excluding files or directories.

Is the duplicate content penalized?

Duplicate content is the presence of same contents on page in the same site or in different site, or contents indexed twice. This could happen with different URLs pointing on the same page or with copies of pages. This would be a way for a site that would try to monopolize the top or result pages, but this never happen in the real world, so it can be concluded that engines penalize effectively duplicate content.
In a post on its blog, Google has clarified the rules about

duplicate content.

Is robots.txt helpful? How does Google use it?

This file is stored at root of any website by the webmaster. He said to search engines which pages should be indexed or which pages or directories must not be added to the index.
There is no standard but common rule to follow. Even if a page is excluded in the robots.txt file, that does not imply it will be removed from the index.
More about robots.txt.

Are RSS feeds useful for SEO?

It is a way to get visitors and amounts of backlinks. The RSS file contains a list of links on your articles and it can be replicated on other sites, as well as in directories. To find out how easily achieve an RSS file, and how to use it, consult the RSS tutorial or the RSS section on this site.
The backlinks provided by the RSS feeds which are echoed by many sites are temporary, they will disappear with the renewal of the content of the feed, therefore RSS is best suited for blogs.

Is the description meta used by Google?

The answer is given by Google on his blog for webmasters, in the article entitled “Improve snippets with a meta description makeover”.
Snippets are the descriptions in search results under the titles.
The description in the meta must be unique and must give details on the page. It should contain keywords related to its contents.

Should I fill the meta keywords?

The meta keyword is not used by Google. It may be used by other search engines. Some webmasters performed a successful experience with the meta keyword and Yahoo.
If you need for additonnal trafic from Yahoo, fill the meta keyword.

Why the link Google gives only a few backlinks?

The operator link in the search bar (link: site-name) is a command to display the number of links pointing to a site. In fact this command provides only a fraction of backlinks, in order to save servers bandwich.
The choice of outcome is totally random, this was confirmed by Matt Cutts in a video on Youtube. They have nothing to do with PR or with the quality of the pages, they are taken randomly.

Why a second indented link for the same site in results page?

The result of a query displays for a site, a link, and then a second, which is shifted. This means that the same site appears twice among the same search results page, in which case the two pairs title and descriptions are combined with no respect to the score of the second one.

Are internal links helpful?

Internal links, mainly on the home page, facilitate the indexing of the pages, and also tend to spread the PageRank of a page to another. Put a maximum of internal links in the content of the pages, when a term refers to the content of another page of course.
The anchor of the link must be descriptive, it helps search engines to define the content of a target page and therefore favors its rank.
Several links to the same page may be even added, as explained further.

Are social bookmark links giving less weight than other back links?

For Matt Cutts, (see interview in references at bottom), a link is a link. And so links gained from social bookmark sites have same weight as other link in regular webpages.
But the weight of a link depends upon the PageRank of the page where it is added.

Is the domain extension important for PageRank?

No, the extension may be either .com, .edu or .org, this has no importance, only the PageRank of the page is important for backlinks. Links from these sites are not more trusted and do not pass more PageRank.
Référence in interview.

Are nofollow links followed by crawlers?

It is sometimes admitted that even if nofollowed links do not pass PageRank, they are used for discovery of new pages. This is denied by Google.
- Nofollow links do not pass PageRank.
- They are not used to discover new pages.
- The anchor is not used to define the content of the linked page.
They are totally ignored.
Référence in interview.

Several links on a page to the same page are they useful?

When multiple links point to the same page, only the first is taken into account by Google. But this is not the case if the links point to different sections of the page, determined by a fragment with the #xxxxxx format.
In this case, the anchor of each link is considered to index the target page. Whether it links to another site or on the same site.
It appears even that the first link on the page and not a section is ignored.
Tests have been made by seomoz to verify that.

Javascript links are they taken into account?

If they are easy to interpret they are considered as HTML tags and may even pass PageRank to the page that is linked.
Javascript links and search engines.

How many keywords can I put into a URL?

In the directory + filename, you can put until 5 keywords with no problem. Beyond that, your URL look as spam and the algorithm weights these words less. You can get spam report with lot of keyword in URLs (Matt Cutts in references).

How many links can I put into a page?

The guidelines recommend to put less than 100 links. You can bypass this number, technically, there is no problem as Google can parse a page up to 500 KB, but it is bad practice and it is better to split the page into smaller ones.

My page is not indexed by search engines

Perhaps the HTML format is not correct and therefore not recognized by crawlers…
Check your syntax with the validator of the W3 Consortium.
If the page is new, it takes several days or weeks for it to be taken into account. See also paragraph on sitemaps.
It is also possible that Google or another search engine decides not to index your site because robots.txt is empty or malformed.

See at robot.txt.

Can I force a Web page to be indexed?

If robots do not come frequenlty enough on your site (the date of the last visit is indicated on the home page of webmaster tools), you can still force the indexing by getting a link to the page on another site that is frequently crawled.
See the article How to obtain backlinks and similar article on this site for details.

How to improve the SEO of my site?

Several page here are dedicated to SEO, see the SEO summary.
This page is dedicated to the optimization for search engines.

Where can I get more information about Googlebot?

Googlebot is the crawler of Google. It could parse some pages on your site every day. This Googlebot FAQ gives details of how it works.

What is lemmatisation?

An expected progress for search engines to identify the root of words and retrieve pages sharing same roots of words. Do not really seem yet implemented in 2007.

What is hilltop?

A theoretical extension to the PageRank, and that could prevent manipulations by an algorithm which classifies a page solely on the basis of links from authoritative sites. This is partially used by search engines according to the Google’s patent.

What is SERP?

Search Engine Result Pages, ie results pages provided by search engines in response to a query.

How to avoid cloaking?

Cloaking is presenting to search engines text that is not visible to visitors. It may not be intentional when you add text unnecessary to visitors to index pages made of flash or images or dynamic text that are not scanned by robots. But this is not allowed.
You should use an alt attributes dedicated for images instead. And for text displayed by JavaScript and not seen by robots, it can be submitted into thenoscript tag, it is permitted.

How to type google.com without being redirected to my country version?

When you want to access the search engine, it automatically redirects you to the regional version of the engine. This is suitable for most users but not to the webmaster or the user who wants to do a search on google.com.
To reach google.com, type in the URL bar:

www.google.com/ncr

What can be placed in bookmark. “ncr” could mean “no country redirect”.

What is the bounce rate?

Definition from Google: “Specifies in what percentage visitors left the site without viewing any other pages.” The bounce is the fact that a visitor leaves the site as soon as he read the page on which it arrives. So if three out of four visitors do read a single page and leave the site without to read others, the bounce rate will be 75%.
It is generally preferable to have a low bounce rate, it means that there is interest in the content of the site and that one read so many pages, but on the other hand, when a visitor searches for something very precise he will leave the site after having found it and the bounce in this case is a positive factor!

How to improve the bounce factor

How can we overshoot Wikipedia?

Wikipedia, the big wiki, sort of online encyclopedia, tends to arrive at the top in Google, although before websites with more comprehensive article and with more backlinks!
One of the reasons is that this site is favored and another is in the impressive number of links between articles and sub-domains.
But there is room to move ahead and achieve top results in search engines. The weakness of the wiki is that all articles have a single word for name and thus anchor are also a single keyword.
The solution is to make articles based on two keywords, for example, grape + health, or health + diet. The title of the article include two keywords, as well as the file name, and the anchors of internal links…
Searches made on two keywords should return your page rather the one keyword page of the wiki.

Can I modify the snippets?

A snippet is the name that Google gives tos the description under the title of the page in search results.
It is actually possible to change this text and make it more attractive, especially with the meta description

How to improve snippets

How can I leave the sandbox?

A site enters the sandbox, because it is penalized by Google, the crawlers of the search engine have calculated that the content on the site is intended to artificially obtain a good ranking in results.
The first thing to do to get out of the sandbox is to delete from the content all possible causes of penalties, then you must work to obtain quality backlinks.

How to leave the sandbox.

What is minus thirty?

Many webmasters believe they have suffered a penalty that is called minus 30 or -30. Their site is bumped from #1 to #31 in results of Google, and it is very clear with the URL of the site. In general, a site ranks first on its name with the extension, or the sites are now found in 31th position.

My site has disappeared from Google’s index, what can I do?

The first thing to check is the robots.txt file to see if it does not block robots. Robots are blocked with a directive of the form Disallow: /
They are not blocked if nothing follows Disallow.
Then see the list of errors to not commit in SEO. If your site is in no case you must wait until it is inserted in the index again.

Why the link: operator from Google returns only a few backlinks?

The link operator in the search bar (link: site-name) is a command to display the number of links pointing to a site. In fact this command provides only a fraction of backlinks, in order to save bandwich of servers.
The choice of outcomes is totally random, this was confirmed by Matt Cutts in a video on Youtube. They have nothing to do with PR or with the quality of the pages, they are taken randomly.

How to be a trusted site?

Your site can become trusted in two phases. In a first step you have to gain authority among readers. Then it will be readers who will make your site trusted for Google, by citing its content. A list of ways to achieve this objective is given by Google.

Google tells you how to be a trusted site.

Should we add content frequently?

Continuously adding new pages can it not be harmful since it increases the number of links on the homepage?

Adding content is good but you we must follow some rules of organization. The homepage does not link to all articles but only a few. Each page must have a link on the home page and links to related articles: links should always be relevant.

That said, Google promotes new content, so assuming that your new articles are related to the actuality, or your change in previous articles update them, it is good for SEO.
The changes that are not of actuality have little interest, it serves mostly Adsense which targets preferentially pages that evolve.

Which percentage of users click on the first link in search page results?

A statistical study by a university on the one hand and a leaked document from AOL on the other give an answer, at least 70% of clicks are on the first three links and about 50% over the first.

Distribution of clicks in the results pages of search engines.

How to improve naturally the PageRank

PageRank, or website ranking, is a notation from 0 to 10, given by Google to each page of a website.The higher is this value, the better will be the position of the page in results of searches, among other pages that match the request.A 5 points PageRank is Good. 7 points may be reached with valuable backlinks. The number of 10 points PageRank websites is very short!The word PageRank comes both from “page ranking” and “Page” that is the name of one of the two authors of the algorithm (Serguey Brin and Larry Page).

Is PageRank important?

According to Google, PageRank is the more important among 100 criteria to order pages in results of searches.
Thus, it is not the only one. But for websites that match a same group of keywords, it is very important.

Is PageRank used against duplicate content?

When two pages are identical, and if the date of indexing is not sufficient to know what is the original and what is the copy, Google considers that the page with the higher PageRank is the original. This was clearly stated in an interview of Matt Cuts by Stephan Spencer and confirmed by a post on the Google’s blog about duplicate content.

How is calculated PageRank by Google?

The value of PageRank doesn’t depend upon the content of the page, but only of links to the page instead.
Links in the page towards other website is important also.
Links to a page are considered as a vote for this page. But the value of this vote depend of the PageRank of the page that emits it.
The PageRank of a page is transmitted to linked page but the added value is divided by the number of links. If a page links to ten pages, the added value of the vote is divided by ten.
The ranking of a page depends upon of ranking of backlinks, and also ranking of other pages it links.

(From the article “Deeper inside PageRank” by A.N. Langville et C.D. Meyer)

PageRank, or website ranking, is a notation from 0 to 10, given by Google to each page of a website.The higher is this value, the better will be the position of the page in results of searches, among other pages that match the request.A 5 points PageRank is Good. 7 points may be reached with valuable backlinks. The number of 10 points PageRank websites is very short!The word PageRank comes both from “page ranking” and “Page” that is the name of one of the two authors of the algorithm (Serguey Brin and Larry Page).

========================================================================

Libarary

source
|
compiler
|
Object code
|
linkear
|
staticlibrary,Dynamic library,statically linked executable code,
Dynamically linked executablecode
|
loader
|
shared library, executable code

/lib
/usr/lib
/usr/i486-linux-libc5/lib
/usr/X11R6/lib
/usr/i486-linuxout/lib

libname.so / libname.so.major

lld progfile

$lld /bin/rm

LD_LIBRARY_PATH
ldconfig -V
========================================================================
SSH
vi /etc/ssh/sshd_config
ssh 192.168.1.100 “uname -a”

scp /etc/hosts root@192.168.1.103:/tmp
scp root@smallfry:/tmp/software.rpm /usr/rpm
(http://winscp.vse.cz/eng/)

$sftp 192.168.1.200
SSH without password
Client
ssh-keygen -t dsa
cd ~/.ssh
scp id_dsa.pub sabin@192.168.59.7:public-key.tmp

Server
mkdir /root/.ssh
chmod 700 /root/.ssh
cd .ssh
cat ~/public-key.tmp >>authorized_keys
rm ~/public-key.tmp
========================================================================

SysLog
0 emergencies System unusable
1 alerts Immediate action required
2 critical Critical condition
3 errors Error conditions
4 warnings Warning conditions
5 notifications Normal but significant conditions
6 informational Informational messages
7 debugging Debugging messages

.info;mail.none;authpriv.none;cron.none           /var/log/messages
1) vi /etc/sysconfig/syslog
SYSLOGD_OPTIONS=”-r -m0″
service syslog restart

2) vi /etc/syslog.conf
user.*    @stationX
service syslog restart
logger -i -t yourname “this is test”

/etc/logrotate.d
ogrotate -f /etc/logrotate.d/syslog
zcat /var/log/messages.1.gz
==========================================================================
Quota
quota.user,quota.group
1)vi /etc/fstab
/home defaults,userquota,groupquota 1 2
2)mount -o remount /home
3)to verify
quotacheck -acug /home
quotacheck -avug /home
edquota -u user
edquota -g group
edquota -t grace
edquota -p kiran sab
quotaon/quotaoff -av
quotaon/quotaoff -avu
quotaon/quotaoff -avg

repquota -a
==========================================================================
NFS
1. You can only export directories beneath the “/” directory.
2. You cannot export a subdirectory of a directory that has already
been exported. The exception being when the subdirectory is on a different
physical device. Likewise you cannot export the parent of a subdirectory
unless it is on a separate device too.
3. You can only export local file systems.

Caching= “read ahead”

RPM=nfs-utils,portmap-4.0-57

Daemon=Portmap,NFS,NFSlock,NetFS

(async,atime,auto,dev,exec,noatime,noauto,nodev,noexec,
nosuid,nouser,remountro,rw,suid,sync,user)
defaults(rw,suid,dev,exec,auto nouser,async)

x = rsigw = n , number of bytes nfs uses when reading
n = 1024 (default)
x = wsize = n
timeo= n (7)
retry = n number of minutes to nfs mount retry
soft = if the file cannot be mounted and time
out occurs then reutrn an I/O error
hard = if timeout occurs it will display the message
but it will keep on trying unless retry time is over
intr=if nfs file operation has timeout and is
hard mounted then it allow signals to
intrrupt the operations
it uses udp by default
if want tcp then give tcp
optimum=8192
rw,ro(default),sync,async(defualt),no_subtree_check,
subtree_check,root_squash
no_root_squash – when a client connects to the server run as a root
all_squash

1) vi /etc/exports
/temp          *(rw)
/data/files           *(ro,sync)
/home                 192.168.1.0/24(rw,sync)
/data/test            *.my-site.com(rw,sync)
/data/database        192.168.1.203/32(rw,sync)

2)chkconfig –level 35 nfs on
chkconfig –level 35 nfslock on
chkconfig –level 35 portmap on

3) For Client
chkconfig –level 35 netfs on
chkconfig –level 35 nfslock on
chkconfig –level 35 portmap on

4) rpcinfo -p localhost
nfsstat
df -F nfs
showmount -a
exportfs -a (new share)
exportfs -v (refresh)
exportfs -ua(reload)
exportfs -a (new share)

5)vi /etc/fstab
#Directory                  Mount Point    Type   Options         Dump   FSCK
192.168.1.100:/data/files   /mnt/nfs        nfs    soft,nfsvers=2  0      0

6) mount -t nfs 192.168.1.1:/data/files /mnt/nfs

7)Auto Mount
$vi /etc/auto.master
# File: /etc/auto.master
#
/home   /etc/auto.home –timeout=300
/-      /etc/auto.direct

8)-Indrect map
$vi /etc/auto.home
peter   bigboy:/home/peter
bob     ochorios:/home/bob
bunny   waitabit:/home/bunny

-Direct Map
$vi /etc/auto.direct
/data/sales          -rw           bigboy:/disk1/data/sales
/sql/database        -ro,soft      waitabit:/var/mysql/database

-Using the Ampersand Wildcard
$vi /etc/auto.home
peter   bigboy:/home/&

9)chkconfig autofs on

Option Description
Bg Retry mounting in the background if mounting initially fails
Fg Mount in the foreground
soft Use soft mounting
hard Use hard mounting
rsize=n The amount of data NFS will attempt to access per read operation.
The default is dependent on the kernel. For NFS version 2 set it
to 8192 to assure maximum throughput.
wsize=n The amount of data NFS will attempt to access per write operation.
The default is dependent on the kernel. For NFS version 2 set it to 8192
to assure maximum throughput.
nfsvers=n The version of NFS the mount command should attempt to use
Tcp Attempt to mount the filesystem using TCP packets, the default is UDP.
intr If the filesystem is hard mounted and the mount times out, allow
for the process to be aborted using the usual methods such as <CTRL-C>
and the “kill” command.

===========================================================
SQUID
/var/spool/squid
/var/log/squid/access.log

1) vi /etc/squid/squid.conf
visible_hostname server1.nepal.com

acl home_network src 192.168.1.0/24
acl home_network src “/root/allow”
acl business_hours time MTWHF 9:00-17:00
http_access allow homenetwork business_hour
cache_dir
===========================================================
Bind

cp -f /etc/rndc.* /var/named/chroot/etc/
cp /etc/named.conf /var/named/chroot/etc/

1) vi /etc/named.conf
zone “nepal.com” IN {
type master;
notify no;
allow-update { none; };
allow-query { any; };
file “nepal.com.zone”;
};

2) cp /var/named/localhost.zone /var/named/nepal.com.zone
cp /var/named/localhost.   /var/named/nepal.rev

3) vi /var/named/nepal.com.zone

ns1.nepal.com. IN SOA root.nepal.com.(
1;
1H;
1H;
1H;
1H;
);
ns1.nepal.com.   IN NS 192.168.0.5
ns1.nepal.com.  IN A  192.168.0.5
nepal.com.       IN MX 9 mail.nepal.com.
nepal.com.       IN MX 10 mail1.nepal.com.
nepal.com.        IN A  192.168.0.9
nepal.com.        IN A  192.168.0.10
mail.nepal.com.  IN A  192.168.0.7
mail1.nepal.com. IN A  192.168.0.8
www.nepal.com.   IN A  192.168.0.9
www.nepal.com IN A  192.168.0.10
nis1.nepal.com   IN A  192.168.0.11
nis2.nepal.com   IN A  192.168.0.12
file.nepal.com   IN A  192.168.0.13
zone “0.168.196.in-addr.arpa” {
type master;
allow-update { none; };
notify no;
file “nepal.rev”;
};
$TTL 3D
@       IN        SOA        ns1.nepal.com.  hostmaster.nepal.com. (
200303301          ; serial number
8H                 ; refresh, seconds
2H                 ; retry, seconds
4W                 ; expire, seconds
1D )               ; minimum, seconds
NS         ns1.nepal.com.
5                PTR        ns1.nepal.com.
6                PTR        ns2.nepal.com.
7                PTR        mail.nepal.com.
8                PTR        mail1.nepal.com.
4) chkconfig named on

5) service named restart
6) named-checkconfig /etc/named.conf
named-checkzone /var/named.nepal.com.zone

7) nslookup www.nepal.com
dig @nepal.com www.nepal.com
dig @nepal.com MX
host nepal.com
========================================================================
Apache(httpd)
RPM= httpd-2.0.48-1.2.rpm

1) adduser nepal
2) passwd nepal
3) chmod 755 /home/nepal

4) vi /etc/httpd/conf/httpd.conf
ServerAdmin webmaster@nepal.com
servername  nepal.com
DocumentRoot “/home/nepal”(default)
<Directory “/home/nepal”> [/var/www/html]
Options All Indexes Includes FollowSymLinks ExecCGI MultiViews
[MultiViews -Indexes SymLinksIfOwnerMatch IncludesNoExec]
AllowOverride None (.htaccess)

Order allow,deny
Allow from all(Deny from all/[ip])
</Directory

<Directory /home/*/public_html>
</Directory>

DirectoryIndex index.html

Alias /sabin “/home/nepal/sabin”
<Directory “/home/nepal/sabin”>
</Directory>

ScriptAlias /cgi-bin “/home/nepal/cgi-bin”
<Directory “/home/nepal/cgi-bin”>
</Directory>

AddHandler cgi-script .cgi
AddHandler send-as-is asis

ErrorDocument 404 /missing.htm

5) Named Based Hosting
NameVirtualHost 192.168.0.9
NameVirtualHost 192.168.0.10

<VirtualHost *>
Default Directives. (In other words, not site #1 or site #2)
</VirtualHost>

<VirtualHost 192.168.0.9>
servername www.nepal.com
DocumentRoot /home/nepal
ServerAdmin sabin@nepal.com
ErrorLog logs/error.log
CustomLog logs/access.log
Directives for site #1
</VirtualHost>

<VirtualHost 192.168.0.9>
DocumentRoot /home/sabin
servername www.sabin.com
ServerAdmin sabin@nepal.com
ErrorLog logs/error.log
CustomLog logs/access.log
Directives for site #2
</VirtualHost>

<VirtualHost 192.168.0.10>
DocumentRoot /home/www/site2
ServerName www.nepal.com
ServerAlias nepal.com, www.arati.com arati.com
</VirtualHost>

options=
<Directory “/home/*”>
Order allow,deny
Allow from all

AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
6) IP based Hosting

<VirtualHost *>
DocumentRoot /home/nepal
</VirtualHost>

<VirtualHost 192.168.0.9>
DocumentRoot /home/sabin
servername 192.168.0.9
ServerAdmin sabin@nepal.com
ErrorLog logs/error.log
CustomLog logs/access.log

</VirtualHost>

<VirtualHost 192.168.0.10>
DocumentRoot /home/arati
servername 192.168.0.10
ServerAdmin arati@nepal.com
ErrorLog logs/error.log
CustomLog logs/access.log
</VirtualHost>

Compression of static pages
(before virtual hosting)
LoadModule deflate_module modules/mod_deflate.so
<Location />
# Insert filter
SetOutputFilter DEFLATE
# Netscape 4.x has some problems…
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# Don’t compress images
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png)$ no-gzip dont-vary
# Make sure proxies don’t deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</Location>

7) Proctecting Site
htpasswd -c /home/nepal/.htpasswd sabin
htpasswd  /home/nepal/.htpasswd arati
chmod 644 /home/nepal/.htpasswd

vi .htpasswd (or <Directory>)

AuthUserFile /home/nepal/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user valid-user

openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -x509 -out server.crt
cp server.{key,crt} /etc/httpd/conf/
or
/etc/httpd/conf/make testcert
/etc/httpd/conf/make certreq

vi /etc/httpd/conf.d/ssl.conf
<VirtualHost 192.168.0.7:443>
ServerAdmin
DocumentRoot
ServerName
ServerAlias
SSLEngine on
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key
</VirtualHost>
========================================================================

Web mail (squriell mail)www.hotscripts.com
$vi /var/www/html/webmail/config/config.php

$org_name      = “Microtech International”;
$org_logo      = SM_PATH . ‘images/mtechlogo.jpg.new’;
#$org_logo      = ‘/home/chehen/mtechlogo.jpg’;
$org_logo_width  = ’308′;
$org_logo_height = ’111′;
$org_title     = “Microtech International”;
$signout_page  = ‘http://portal.mtech.com.np’;
$frame_top     = ‘_top’;

$provider_uri     = ‘http://www.microtech.com.np’;

$provider_name     = ‘www.microtech.com.np’;

$motd = ” “;

$squirrelmail_default_language = ‘en_US’;

$domain                 = ‘microtech.com.np’;
$imapServerAddress      = ’192.168.59.1′;
#$imapServerAddress      = ’192.168.59.7′;
$imapPort               = 143;
$useSendmail            = false;
#$useSendmail            = true;
$smtpServerAddress      = ’192.168.59.1′;
$smtpPort               = 25;
$sendmail_path          = ‘/usr/sbin/sendmail’;
$pop_before_smtp        = false;
$imap_server_type       = ‘other’;
$invert_time            = false;
$optional_delimiter     = ‘detect’;

vi /etc/httpd/conf.d/squriellmail
========================================================================
Webmin (Web Administration) www.webmin.com

Installed Directory (/var/libexec/mrtg)
$./setup.sh

http://192.168.59.7:10000
=========================================================================
PostFix
/etc/postfix/main.cf
/etc/postfix/master.cf
Daemon=master,qmgr,smtpd,pikup(others)

1)alternatives  -set mta /usr/sbin/sendmail.posfix
2)vi /etc/postfix/main.cf
myorigin=nepal.com
mydestination= nepal.com mail.nepal.com
mynetworks=192.168.0.0/24,127.0.0.1
inet_interfaces=all

3)service postfix start
4)aliases,virtual,access
5)postmap /etc/postfix/access
=========================================================================
SendMail

1) vi /etc/mail/sendmail.cf or vi /etc/mail/sendmail.mc
copy define(“Daemon Port Options = Port=smtp; Addr=127.0.0.1,Name MTA”)
Paste define(“Daemon Port Options = Port=smtp; Addr=192.168.0.7,Name MTA”)

define(MAIL_HUB’, ‘nepal.com’)
define(‘SMART_HOST’,'nepal.com’)
define(‘MASQUERADE_AS’,'nepal.com’)
EXPOSED_USER(‘root’)

MASQUERADE_AS(`nepal.com.’)
MASQUERADE_DOMAIN(`nepal.com.’)
MASQUERADE_AS(nepal.com)
FEATURE(`accept_unresolvable_domains’)dnl
FEATURE(delay_checks)dnl
FEATURE(always_add_domain)dnl
FEATURE(`masquerade_entire_domain’)dnl
FEATURE(`masquerade_envelope’)dnl
FEATURE(`allmasquerade’)dnl
MASQUERADE_AS(`my-site.com’)dnl
MASQUERADE_DOMAIN(`my-site.com.’)dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl

For LDAP
LDAPROUTE_DOMAIN
LDAP_ROUTIN
2)m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

3)vi /etc/mail/local-host-names(Receive mail of domain, To receive)
nepal.com
mail.nepal.com

4)vi /etc/mail/access (To allow to send mail )
localhost.localdomain RELAY
localhost             RELAY
127.0.0.1             RELAY
nepal.com             RELAY
mail.nepal.com        RELAY
192.168.0             RELAY
mail1.nepal.com       RELAY (for backup email)
spam.com              REJECT

5) vi /etc/mail/virtusertable (to redirect emails)
@nepal.com          sabin
info@nepal.com sabin

6) make all

7) vi /etc/aliases
hardware: sabin,subash,arati,rakesh,shyam

newaliases

9) vi /etc/mail/relay-domains
nepal.com  RELAY

10)chkconfig sendmail on
chkconfig ipop3 on
chkconfig imapd on

11) service sendmail restart
service xinetd restart

12) sendmail -d0.1 </dev/null (to check)

13) mail -s hello sabin@nepal.com
hello
.

echo “helooo”|mail -v -s hello sabin@nepal.com
mail -s hello sabin@nepal.com < /root/a.txt
14)mailq or sendmail -bd -q 30m
sendmail -bd -q
sendmail -q

15) nmap nepal.com (check 25 and 110 port is open)

16) mail, pine , mutt

17) Check SMTP
telnet 192.168.0.7 25
helo nepal.com
mail from: sabin@nepal.com
rcpt to: arati@nepal.com
data
hello
there
.
quit

18) To check POP
telnet 192.168.0.7 110
user sabin
pass shrestha
stat
top 1 99999
dele 1
quit

19 tail -f /var/log/maillog

===============================================================
Spam Controling
spamassassing / mimedefang
1)$vi /etc/mail/spamassassin/local.cf
Required_hits 6
rewrite_subject 1
subject_tag [SPAM]
report_safe 0

# How many hits before a message is considered spam.
required_hits           6.0

# Whether to change the subject of suspected spam
rewrite_subject         1

# Text to prepend to subject if rewrite_subject is used
subject_tag             [SPAM]

# Encapsulate spam in an attachment
report_safe             1

# Use terse version of the spam report
use_terse_report        0

# Enable the Bayes system
use_bayes               1

# Enable Bayes auto-learning
auto_learn              0

# Enable or disable network checks
skip_rbl_checks         1
use_razor2              0
use_dcc                 0
use_pyzor               0

auto_whitelist_path     /etc/mail/spamassassin/auto-whitelist
bayes_path              /etc/mail/spamassassin/bayes

score SPAM_PHRASE_34_55              3.516
score SPAM_PHRASE_55_XX              1.505
score SPAM_PHRASE_21_34              2.856
score SPAM_PHRASE_13_21              2.337
score SPAM_PHRASE_08_13              2.385
score SPAM_PHRASE_05_08              2.640
score SPAM_PHRASE_03_05              2.084
score SPAM_PHRASE_00_01              0.781
score SPAM_PHRASE_02_03              0.758
score SPAM_PHRASE_01_02              0.500
score LINES_OF_YELLING_2             1.500
score FORGED_RCVD_FOUND              4.000
score MAY_BE_FORGED                  1.000
score UPPERCASE_50_75                2.000
score HTML_FONT_FACE_ODD             1.500
score NIGERIAN_TRANSACTION_1         3.000
score LINES_OF_YELLING               1.500
score WEB_BUGS                       2.500
score FORGED_YAHOO_RCVD              2.500
score SUBJ_HAS_UNIQ_ID               2.000
score JAVASCRIPT_VERY_UNSAFE         3.500
score HTML_FONT_INVISIBLE            2.000
score CTYPE_JUST_HTML                4.000
score FROM_NO_USER                   2.500
score BILLION_DOLLARS                1.000
score CLICK_BELOW                    2.000
score RELAYING_FRAME                 2.000
score MIME_SUSPECT_NAME              2.000
score MIME_HTML_NO_CHARSET           3.000
score MICROSOFT_EXECUTABLE           2.000
score MISSING_MIMEOLE                2.000
score ONLINE_PHARMACY                2.000
score SAVE_UP_TO                     2.000
score SAVE_MONEY                     2.000
score MIME_HTML_ONLY                 2.000
score MONEY_BACK                     2.000
score HTML_FONT_FACE_BAD             3.000
score VIAGRA                         4.000
score VIAGRA_ONLINE                  4.000
score SUBJ_HI                        2.500
score HTML_WEB_BUGS                  2.500
score HTML_IMAGE_ONLY_02             3.000
score HTML_IMAGE_ONLY_04             2.500
score HTML_IMAGE_ONLY_06             2.000
score HTML_IMAGE_ONLY_08             1.500
score HTML_IMAGE_ONLY_10             1.000
score RATWARE_HASH_2                 2.000
score RATWARE_HASH_2_V2              2.000
score MISSING_OUTLOOK_NAME           2.000
score HTML_FONTCOLOR_UNKNOWN         2.000
score NORMAL_HTTP_TO_IP              2.000
score GAPPY_SUBJECT                  3.500
score HTML_FONT_BIG                  2.000
score REMOVE_PAGE                    1.500
score HTML_SHOUTING4                 2.000
score HTML_SHOUTING3                 2.000
score HTML_SHOUTING2                 2.000
score HTML_SHOUTING                  2.000
score NO_REAL_NAME                   2.000
score HGH                            3.000
score MIME_MISSING_BOUNDARY          2.000
score SAVINGS                        3.000
score AMAZING_STUFF                  2.000
score HTML_MESSAGE                   2.500

2)vi /etc/procmailrc

# send mail through spamassassin
:0fw
| /usr/bin/spamc

LOGFILE=/var/log/procmail.log
DROPPRIVS=yes

# Delete all messages with dangerous attachments, as long as below a certain size
# Note: The whitespace in the [ ] below comprises a space and a tab character
:0
* < 256000
* ! ^Content-Type: text/plain
{
:0B
* ^(Content-(Type|Disposition):.*|[     ]*(file)?)name=(“[^"]*|[^ ]*)\.(bat|cmd|com|exe|js|pif|scr|zip)
/dev/null
}

# SpamAssassin sample procmailrc
#
# Pipe the mail through spamassassin (replace ‘spamassassin’ with ‘spamc’
# if you use the spamc/spamd combination)
#
# The condition line ensures that only messages smaller than 250 kB
# (250 * 1024 = 256000 bytes) are processed by SpamAssassin. Most spam
# isn’t bigger than a few k and working with big messages can bring
# SpamAssassin to its knees.
#
# The lock file ensures that only 1 spamassassin invocation happens
# at 1 time, to keep the load down.
#
:0fw
* < 256000
| /usr/bin/spamc

# Delete messages with very high spam level
# Tweak this to your own comfort level!
:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*
/dev/null

# Work around procmail bug: any output on stderr will cause the “F” in “From”
# to be dropped.  This will re-add it.
:0
* ^^rom[ ]
{
LOG=”*** Dropped F off From_ header! Fixing up. ”

:0 fhw
| sed -e ’1s/^/F/’
}
# Klez worm procmail filter
:0 B
* 135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE
/var/log/klez
3)vi ~/.procmailrc file

INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc

:0 Hw
* ^X-Spam-Status: Yes
spam

==========================================================================
4) Procmail (~/.procmailrc)
:0
*^From: test@try.com
!sabin@nepal.com

*^From: *root/root*

*^subjct: .*free.*
/dev/null

:0
*^From: test@try.com
!sabin@abc.com

:0
* ^From: spammer@domain.com
/dev/null

:0:
* ^(From|CC|To).*tux-lug
tuxlug

==========================================================================
Anti virus
http://www.clamav.net/
groupadd clamav
useradd -g clamav -s /bin/false -c “Clam AntiVirus” clamav
cd /usr/local/src
wget http://optusnet.dl.sourceforge.net/sourceforge/clamav/clamav-0.82.tar.gz
tar xzf clamav-0.82.tar.gz
chown -R root.root clamav-0.82
cd clamav-0.82
./configure
make
make install
Customise the clamd configuration file

vi /usr/local/etc/clamd.conf
# make sure you comment out the “example” line
LogSyslog
FixStaleSocket
User qscand  # need to run as user qscand for clamav
to work with recent versions of the qmail-scanner script
Configure clamd so it is running all the time from bootup onwards

cp contrib/init/RedHat/clamd /etc/rc.d/init.d/
chmod 744 /etc/rc.d/init.d/clamd
chkconfig –add clamd
Then I like to use the ntsysv program to double-check
that clamd is set to launch at boot time

If you aren’t ready to reboot the server now, you can
fire up clamd in the mean time with this command :

/etc/rc.d/init.d/clamd start
At this point the clamd software should be running.
A good way to verify this is to use this command :

ps axf
And if all is well, you should be able to see something like this :

18144 ? S 0:00 /usr/local/sbin/clamd
Schedule automatic downloading

touch /var/log/clam-update.log
chmod 600 /var/log/clam-update.log
chown clamav /var/log/clam-update.log
crontab -e
0 * * * *  /usr/local/bin/freshclam –quiet -l /var/log/clam-update.log
Download latest updates now

/usr/local/bin/freshclam -v
=========================================================================
RAZOR V2

http://razor.sourceforge.net/

If Razor is installed, SpamAssassin will automatically include it in the
list of tests run. We found that Razor is quite accurate in identifying
spam, and it only added small amount of extra CPU load on the server, so
it is definitely worth installing.

Compile and install :

# install the pre-requisite modules for razor
perl -MCPAN -e shell
#(enter your way through all the questions. The only one you will likely
have to answer is regarding your Continent/Country)
# tell the cpan shell to follow the dependency tree and automatically grab
any required modules
o conf prerequisites_policy follow
# make sure you have some of the basic tools needed to get the CPAN
downloads working smoothly
install LWP MD5
# install the razor pre-requisites now
install Net::Ping Net::DNS Time::HiRes Digest::SHA1 Getopt::Long File
::Copy Digest::Nilsimsa URI::Escape
quit
# now install the actual razor software
tar xzf razor-agents-2.67.tar.gz
chown -R root.root razor-agents-2.67
cd razor-agents-2.67
perl Makefile.PL
make
make test
make install
cd ..
The Razor programs will now be installed in /usr/bin. In particular,
SpamAssassin makes use of the program called : “razor-check”

Last job is to create the Razor configuration
files (they get put into /etc/razor/) by using these commands :

razor-client
razor-admin -d -create -home=/etc/razor
If your server is going to be busy, then I would recommend
you edit the razor config file and turn down the debugging level a bit :

vi /etc/razor/razor-agent.conf
debuglevel=1

==========================================================================
Fetchmail(offline Mail server)
$vi /root/.fretchmail
#set no bouncemail
poll pop.websurfer.com.np with proto pop3  and options no dns
aka nepal.com
user “info” there with password “catchme” is * here expunge 10

$vi /root/.mailscript
#!/bin/sh
echo “**************************”
/bin/date
/usr/bin/fetchmail -v -a
/usr/sbin/sendmail -bp
/usr/sbin/sendmail -q

crontab
0-59 * * * * /root/.mailscript >> /var/log/fetchmaillog

=================================================================
FTP
$vi /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
ftpd_banner=Welcome to Nepal FTP Server.
chroot_local_user=YES

=================================================================
DHCP
1)vi /etc/dhcpd.conf
(/usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample)
authoritative;
ddns-update-style none; (ad-hoc/interim;)
default-lease-time 604800;
max-lease-time 2592000;
option routers 192.168.0.1;
option domain-name-servers 192.168.0.5;
option domain-name-servers 192.168.0.6;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;

subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.200 192.168.0.250;
}

host mailserver {
hardware ethernet 00:02:44:4A:E8:B1;
fixed-address 192.168.0.8;
}

host sabin {
hardware ethernet 00:0C:29:07:8F:2D;
fixed-address 192.168.0.70;

2)vi /etc/sysconfig/dhcpd
# Command line options here
DHCPDARGS=eth0

touch /var/lib/dhcp/dhcpd.leases

3)vi /etc/sysconfig/dhcrelay
(The DHCP Relay Agent (dhcrelay) allows you to relay DHCP
and BOOTP requests from a subnet with no DHCP server on it
to one or more DHCP servers on other subnets)

service dhcrelay start
====================================================================
PPP Server
vi /etc/inittab
S1:2345:respawn:/sbin/mgetty -D /dev/ttyS1

vi /etc/ppp/options.server
-detach
asyncmap 0
modem
crtscts
lock
require-pap
refuse-chap
login
proxyarp
192.168.59.1:192.168.59.100
ms-dns 192.168.59.7

vi /etc/ppp/options
noauth
defaultroute
lock
ipcp-accept-local
ipcp-accept-remote
usepeerdns
passive

vi /etc/ppp/resolv.conf
nameserver 202.52.255.47
nameserver 202.52.255.3

5)vi /etc/syslog.conf
daemon.* /dev/console

6) cat /etc/ppp/pap-secrets

[root@mail ppp]# cat pap-secrets
# Secrets for authentication using PAP
# client        server  secret                  IP addresses
*               *       “”                              *

7) vi /etc/mgetty+sendfax/ login.config
/AutoPPP/ -     -       /usr/sbin/pppd file /etc/ppp/options.server

#Callback conf
back – - /usr/sbin/callback -S 4352548
=======================================================================
Webmin (Web Administration)
Installed Directory (/var/libexec/mrtg)
$./setup.sh

http://192.168.59.7:10000
========================================================================
YP(NIS server)
Daemon: portmap,ypbind,yptools,ypserv,ypxfrd,nfslock,nfs
1) vi /etc/sysconfig/network
NISDOMAIN=nis1.nepal.com
2) domainname nepal.com
/var/yp/Makefile
all:passwd group hosts
nopush=true,merge_groups=files
/var/yp/make [passwd shadow host]
service portmap start
service ypserv start
/usr/lib/yp/ypinit -m [-s masterservers]
/var/yp/ypservers
service yppasswdd start
service ypserv start

rpcinfo -p localhost
if new user added
/var/yp/make

$ypmatch nisuser passwd
getent passwd nisuser

/var/yp/securenets[network security]
/etc/nsswitch.conf[files dns,nis]

# /etc/yp.conf – ypbind configuration file
ypserver 127.0.0.1
Client
portmap,ypbind,yptools
1) /etc/sysconfig/network
NISDOMAIN=server1.sabin.com
authconfig [/etc/yp.conf]
ypcat passwd[must execute when new useris added]
ypwhich,ypcat,ypchfn,ypchsh,yppasswd,ypush

NFS

/etc/exports
/home *(rw)
service nfs restart
exportfs -r
exportfs -v
exportfs -u
exportfs -a

/etc/auto.master
/home /etc/auto.home –timeout 60

/etc/auto.home
* -rw,soft,intr 192.168.0.1:/home/&
or
*   -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid,tcp \
192.168.1.100:/home:&

service autofs restart
======================================================================
SAMBA (SWAT Makes Samba Simpler http://localhost:901)
share a linux drive with win machine
share a win datat in linux
share a linux printer with win machine
share a win printer with linux
1.FOR Win 95/98 – regedit hkey_Local_Machine/system/currentcontrol/services/VxD/vnetsup/
Add a new Dword value: EnablePlanTextPassword 0×01
2.NT HKEY_LOCAL_MACHINE/system/CurrentControl/services/Rdr\parameters\
——
Dword
EnablePlanTextPassword 0×01
2000
—-
Hkey_local_machine\system\current\services\Rdr\Parameters
EnablePlainTextPassword ox01

Swat
chkconfig swat on
http://localhost:901

1)vi /etc/samba/smb.conf

Section Description
[global] General Samba configuration parameters
[printers] Used for configuring printers
[homes] Defines treatment of user logins
[netlogon] A share for storing logon scripts.
(Not created by default.)
[profile] A share for storing domain logon information such as
“favorites” and desktop icons.(Not created by default.)

[global]

workgroup = HOMENET
server string = Sabin Server
host allow =192.168.0.
printing = lprng
printcap name =/etc/printcap
security= user share
security=[users,shares,server,domain]
load printers = yes
guest account = sabin
allow hosts = host list
deny hosts = host list
admin users = users list

[global] for domain
workgroup = HOMENET
time server = Yes
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
[homes]
read only = No
browseable = No
create mask = 0644
directory mask = 0755

[netlogon]
path = /home/samba/netlogon
guest ok = Yes

[profiles]
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
public = yes

[tmp]
comments = sabin share
path = /tmp
valid users = sabin
public = no
writable =yes
printable=no
guest ok = yes
only guest = yes
create mask = 0765
read only = yes
write list= @manager

Authentication from NT
———————–
encrypt password = yes
security = server
password server = <netbios name> of PDC

wins
—–
wins supoort = yes
wins server = IP of wins server

Authentication Server:
———————-
encrypt password = yes
domain logons = yes
OS level = 033
[NET LOGON]
path = <someshare in fs>
read only = yes

SAMBA as a PDC ( primary domian controller)
————————————–
[ global section]
workgroup =
netbios name =
domain logons = yes
security = user
local master = yes
os level = 65 | 64
preferred master = yes
domain master = yes
logon path = \\%N\profiles\%U
logon home = \\<homeserver>\%U
[netlogon]
path = /usr/local/samba/netlogon

root is a Admin user for domain
groupadd sysadmin

domain admin group = @sysadmin
admin users = @sysadmin
printer admin = @sysadmin

Dynamic Creation Of Machine Trust Accounts
[global]
# <…remainder of parameters…>
add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
groupadd samba-clients
2)smbpasswd -a root password

smbclient //192.168.0.1/abc -U sabin
nmblookup server -R sabin| nmb \*
smbmount //server/share /mnt/sab -o username=sabin
fstab
//server/1/public /mnt/smb smbfs defaults,username=sabin 0 0
password file= /etc/samba/samba
smbadduser root:sabin
smbpasswd -U root

smclient //station5 -U <username%password>

smbclient //server1/myshare  -N -Tx backup.tar
smbclient //server1/myshare  -N -TXx backup.tar /users/doc
mount -t smbfs -o username=admin%passwd IP //server/share /mnt/share
smbmount //server/share mnt_pt -o username=xxxx%pass

======================================================================
LDAP
1. /etc/openldap/slapd.config
suffix “dc=example,dc=com”
rootdn “cn =root , dc=examplex,dc=com”
rootpw  secret (crypt)
perl -e ” print crypt (‘passwd’,'a_shell’);”
Migrate all users in LDAP server
2. create users student 1 – student with redhat1 – redhat9
#!/bin/bash
for 1 in `seq 1 9` ; do
useradd student$1
echo “redhat$1″ |passwd –stdin student$1
done
3. /usr/share/openldap/migration
migrate_common.ph
$DEFAULT_MAIL_DOMAIN=”stationX. example.com
$DEFAULT_BASE=”dc=example, dc=com”

/etc/protocols
/etc/services
comment all #+
./migrate_all_offline.sh
./migrate_all_nis_online.sh
“       “   “    ”
file of ldap:
/var/lib/ldap
chown -R ldap.ldap /var/lib/ldap
service ldap restart
———————
client side:
graphical LDAP client
preferences select server tab
Name– stationx.example.com
LDAPHOST:  ”
BASE DN: dc=example,dc=com
=========================================================================
LDAP
Scenario
The I.T. department in a small organization “nepal.com” has
many Linux servers they need to administer.

1. They want a simple, secure, centralized login scheme for all of them.
2. They have decided to use the LDAP domain “example.com” for their LDAP
database in which one domain component (DC) will be “example”, and
the other will be “com”.
3. The database will only have one organizational unit simply called
“People” which is the LDAP default.
4. Each person will have attributes such as a username (User ID or UID),
password, Linux “home” directory and login shell.
5. The Fedora Linux server named “nepal” will act as the LDAP server
containing the database and has the IP address 192.168.1.100.
6. The Fedora Linux server named “sabin” will be used to test the system
as the LDAP client and has the IP address 192.168.1.102.
7. Server “nepal” has a special user account named “ldapuser” that will
be used to test the LDAP logins.

Required LDAP Server RPMS
openldap,openldap-clients,openldap-devel,nss_ldap,openldap-servers
Required LDAP Client RPMS
openldap,openldap-clients,openldap-devel,nss_ldap

1)Create a database directory
mkdir /var/lib/ldap/example.com
chown ldap:ldap /var/lib/ldap/example.com

2)Create an LDAP “root” password
slappasswd
{SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ

3)vi /etc/openldap/slapd.conf
database        ldbm
suffix          ”dc=example,dc=com”
rootdn          ”cn=Manager,dc=example,dc=com”
rootpw          {SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ
directory       /var/lib/ldap/example.com
4)service ldap start

5)Create the “ldapuser” test account
useradd -g users ldapuser
passwd ldapuser
grep ldapuser /etc/passwd > /etc/openldap/passwd.ldapusers
grep root /etc/passwd >   /etc/openldap/passwd.root

6)Find the conversion script
slocate -u
locate migrate
(/usr/share/openldap/migration/migrate_passwd.pl)

7) Convert user’s to ldap
/usr/share/openldap/migration/migrate_passwd.pl \
/etc/openldap/passwd.ldapusers /etc/openldap/ldapusers.ldif

/usr/share/openldap/migration/migrate_passwd.pl \
/etc/openldap/passwd.root /etc/openldap/root.ldif

8)Edit the user LDIF file
vi /etc/openldap/ldapusers.ldif
:%s/padl/example/g

vi /etc/openldap/root.ldif
:%s/padl/example/g
under the UID line in the file.
cn: Manager

9) vi etc/openldap/example.com.ldif
dn: dc=example,dc=com
dc: example
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People, dc=example,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit

10)Import the LDIF files into the database

ldapadd -x -D “cn=Manager,dc=example,dc=com” \
-W -f /etc/openldap/example.com.ldif

ldapadd -x -D “cn=Manager,dc=example,dc=com” \
-W -f /etc/openldap/root.ldif

ldapadd -x -D “cn=Manager,dc=example,dc=com” \
-W -f /etc/openldap/ldapusers.ldif
11) Test the LDAP database
ldapsearch -x -b ‘dc=example,dc=com’ ‘(objectclass=*)’

Client
1)vi /etc/openldap/ldap.conf
HOST 192.168.1.100
BASE dc=example,dc=com

2)vi  /etc/nsswitch.conf
$authconfig
[*] Use Shadow Passwords
[*] Use MD5 Passwords
[*] Use LDAP                   [ ] Use TLS
Server: 192.168.1.100
Base DN: dc=example,dc=com
3) Create a home directory for ldap
mkdir /home/ldapuser
chmod 700 /home/ldapuser/
chown ldapuser:users /home/ldapuser/
ll /home
cp /etc/skel/.* /home/ldapuser/
chown ldapuser:users /home/ldapuser/.*

4)vi /usr/local/bin/addldapuser (adduser)
#!/bin/bash
grep $1 /etc/passwd > /tmp/changeldappasswd.tmp
/usr/share/openldap/migration/migrate_passwd.pl \
/tmp/changeldappasswd.tmp /tmp/changeldappasswd.ldif.tmp
cat /tmp/changeldappasswd.ldif.tmp | sed s/padl/example/ \
> /tmp/changeldappasswd.ldif
ldapadd -x -D “cn=Manager,dc=example,dc=com” -W -f \
/tmp/changeldappasswd.ldif
rm -f /tmp/changeldappasswd.*

5)addldapuser ldapuser
Create home directories for the user on all the LDAP client Linux boxes

6) vi/usr/local/bin/deleteldapuser
#!/bin/bash
ldapdelete -x -W -D “cn=Manager,dc=example,dc=com” \
“uid=$1,ou=People,dc=example,dc=com”
7)deleteldapuser ldapuser

8)vi /usr/local/bin/modifyldapuser
#!/bin/bash
grep $1 /etc/passwd > /tmp/modifyldapuser.tmp
/usr/share/openldap/migration/migrate_passwd.pl \
/tmp/modifyldapuser.tmp /tmp/modifyldapuser.ldif.tmp
cat /tmp/modifyldapuser.ldif.tmp | sed s/padl/example/ \
> /tmp/modifyldapuser.ldif
ldapmodify -x -D “cn=Manager,dc=example,dc=com” -W -f \
/tmp/modifyldapuser.ldif
rm -f /tmp/modifyldapuser.*

9)passwd ldapuser
modifyldapuser ldapuser

LDAP Web Management Tools
The LDAP Account Manager (LAM) available at http://lam.sourceforge.net/
=========================================================================
TOMCAT server(JSP)

=======================================================================
NTP Server
http://www.eecis.udel.edu/~mills/ntp/servers.html
1) vi /etc/ntp.conf
server otherntp.server.org
server ntp.research.gov

restrict otherntp.server.org   mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov      mask 255.255.255.255 nomodify notrap noquery

restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 127.0.0.1

2)ntpdate -u 192.168.1.100
ntpq -p
======================================================
CLOCK
http://www.nixcraft.com/uniqlinuxfeatures/tools/
vivek-tech.com

# $ clock &
#
echo
echo “Digital Clock for Linux”
echo “To stop this clock use command kill pid, see above for pid”
echo “Press a key to continue. . .”

while :
do
ti=`date +”%r”`
echo -e -n “\033[7s"    #save current screen postion & attributes
#
# Show the clock
#

tput cup 0 69          # row 0 and column 69 is used to show clock

echo -n $ti            # put clock on screen

echo -e -n "\033[8u"   #restore current screen postion & attributs
#
#Delay fro 1 second
#
sleep 1
done
find / -type f -perm +6000 -ls
find / -perm -2 ! -type l -ls
find / -nouser -o -nogroup
====================================================================
VPN
ipsec-tools,openswan-2.1.4-1.fc2.i386.rpm
chkconfig ipsec on
ipsec verify

1)vi /etc/sysctl.conf
net/ipv4/ip_forward = 1

2)sysctl -p

VPN Configuration Steps (Using RSA Keys)

Left Internet IP address of the left hand side VPN device
Leftsubnet The network protected by the left hand side VPN device
Leftid Fully Qualified Domain Name in DNS of the left hand side VPN
device preceded by an "@" sign. If DNS hasn't been set up for
the IP addresses, then you'll want to remove this entry as names
that don't resolve correctly will cause the VPN initialization to fail.
Leftrsasigkey The entire "left" RSA sig public key for the left hand side
VPN device. This can be obtained by using the "ipsec showhostkey --left" command.
Leftnexthop The next hop router from the left hand side VPN device when t
trying to reach the right hand side VPN device. You may use an
auto-generated variable "%defaultroute" which will be valid in most
cases, or the actual IP address of the next hop router in cases where
the next hop is not the default router.
Right Internet IP address of the right hand side VPN device
Rightsubnet The network protected by the right hand side VPN device
Rightid Fully Qualified Domain Name in DNS of the right hand side VPN device
preceded by an "@" sign. If DNS hasn't been set up for the IP
addresses, then you'll want to remove this entry as names that don't
resolve correctly will cause the VPN initialization to fail.
Rightrsasigkey The entire "right" RSA sig public key for the right hand side
VPN device. This can be obtained by using the "ipsec showhostkey --right" command.
Rightnexthop The next hop router from the right hand side VPN device when
trying to reach the right hand side VPN device. You may use an auto-generated
variable "%defaultroute" which will be valid in most cases, or the actual
IP address of the next hop router in cases where the next hop is not the default router.

Creating Your Own Keys
ipsec rsasigkey --verbose 2048 > keys.tmp

Get The Left Public Key
ipsec showhostkey --left > /tmp/left.pub

Get The Right Public Key
ipsec showhostkey --right > /tmp/right.pub
1)The /etc/ipsec.conf file
( It is important to maintain the indentation,
The "net-to-net" sub sections must be the same in the
/etc/ipsec.conf for both the left and right hand side VPN devices.
There must be no blank lines in the net-to-net section between
parameters. Lines commented with a "#" are acceptable
Restarting IPSec to reload the configuration file doesn't
necessarily restart the tunnels. If you set the "auto=" parameter
to "add", the tunnel will only be started manually with the "ipsec"
command. If the parameter is commented out then the tunnel will
never start. A value of "start" will cause the tunnel to start
automatically.)
#
# File: /etc/ipsec.conf
#
conn net-to-net
left=97.158.253.25             # Public Internet IP address of the
# LEFT VPN device
leftsubnet=172.16.1.0/24       # Subnet protected by the LEFT VPN device
leftid=@vpn1.my-site.com # FQDN of Public Internet IP address of the
# LEFT VPN device with an "@"
leftrsasigkey=0sAQNrV9AYdaW94FXvIxu5p54+MRaW0wy0+HHQrdGofklZYQ4TCBlL+Ym00Ah
fc8mqXlerZY12Os41G8SIV+zzIO04WZ4wmOvEr8DZaldTbfCuvUvMhrTtCpZdm53yF5rCaUbg+Vmx71
fgyVmGu8/kuhzB7nWtOYqDFO8OHDGePOyOVPQi73KfRoDbdb3ND0EtfnRhRPblKJ239OlIq1
leftnexthop=%defaultroute      # correct in many situations
right=6.25.232.1               # Public Internet IP address of
# the RIGHT VPN device
rightsubnet=10.0.0.0/24        # Subnet protected by the RIGHT VPN device
rightid=@vpn2.another-site.com # FQDN of Public Internet IP address of the
# RIGHT VPN device with an "@"
rightrsasigkey=0sAQNNdxFPWCga+E/AnDgIM+uIDq4UXcZzpomwMFUpyQ9+rhUHT9w8nr3rjU
R/qTZOKR2Vqd4XoBd1HkPDBQ8oNjtA3Oz+UQOU3KTMHN5ydFwe6MpTJV/hL6LvhB0OXQad/NhjMIx8v
OnhM8g8SPRnj7pL3abgu7Sg7eFREV1MJSVBhp0DJ0EbVMVV+Xvwlm9++9zbY3mlc+cSXMPAJZ
rightnexthop=97.158.253.25     # correct in many situations
auto=start                     # authorizes and starts this connection
# on booting
2) service ipsec restart

3)Initialize The New Tunnel
ipsec auto --up net-to-net

4)Possible Changes To IP Tables NAT/Masquerade Rules
If you are running iptables with masquerading/NAT the VPN devices
then you will have to exclude packets traversing the tunnel from
the NAT operation. This example assumes that interface eth0 is the
Internet facing interface on your Linux VPN/firewall.

Left Hand Side VPN Device
Old
iptables -t nat -A POSTROUTING -o eth0 -s 172.168.1.0/24 -j MASQUERADE

New
iptables -t nat -A POSTROUTING -o eth0 -s 172.168.1.0/24 -d \! 10.0.0.0/24 -j MASQUERADE

Right Hand Side VPN Device
Old
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE

New
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -d \! 176.16.1.0/24 -j MASQUERADE

5)How To Ensure Openswan Starts When Rebooting
If your VPN sub- section in the /etc/ipsec.conf file has the line "auto=add"
in it then IPSec will only authorize but won't establish the connection at
startup. You'll have to use the "ipsec auto --up <vpn-name>" command to start it manually.
You'll need to change this to "auto=start" for openswan to automatically
start the VPN when IPSec restarts or when the system reboots.

6)Using Pre-Shared Keys (PSK)
ipsec ranbits --continuous 128

7)Update /etc/ipsec.secrets
vpn1-ip-address vpn2-ip-address : PSK "key in quotations"
97.158.253.25 6.25.232.6 : PSK "nonebutourselvescanfreeourminds"

8)Update /etc/ipsec.conf
authby=secret                # Key exchange method
auto=start                   # authorizes and starts this connection

=============================================================================
Tripwire
config file= /etc/tripwire/twcfg.txt
policy file= /etc/tripwire/tw.opl
database =/var/lib/tripwire/$hostname.twd

1) /etc//tripwire/twinstall.sh
/sbin/tripwire --init
/sbin/tripwire --start

2)integrity check
/sbin/tripwire --check

Report
twprint -m r --twrfile /var/lib/tripwire/report/<name.twr

viewing  tripwire database
twprint -m -d --print -dbfile |less

updating policy
twadmin --print-palfile>/etc/tripwire/twpol.txt

specific files
twprint -m -d --print -dbfile /etc/hosts

tripwire --update --twfile /var/lib/tripwire/report/name.twr
=======================================================================
PAM
=======================================================================
Process Accounting
pcacct*.rpm
$ac=/var/log/wtmp
$action:process account off or on
$accton /var/log/pacct
lastcomm
sa=summarize
sa /var/log/savacct
sa /var/log/usracct

gtop,kpm,xosview,xload,xsysinfo,top

=======================================================================
TCP Wrappers
vi /etc/host.allow
vi /etc/host.deny
<daemonlist>:<clientlist>[:<option>:<options>...]

<daemonlist>=processname(not service) /ALL
<clientlist>=hostname/IP
<option>=allow,deny,alter

vi /etc/host.allow
vsftpd:.example.com
sshd:.example.com\
:spawn /bin/echo `\bin\date` access denied>>/var/log/sshd.log :deny

WILD CARDS
ALL,LOCAL,KNOWN,UNKNOWN,PARANOID(host &ip donot match)

ALL;.example.com
ALL:192.168.
ALL:192.168.0.0/255.255.255.0
in.telnetd:/etc/telnets.hosts
ALL:.example.com EXCEPT sabin.example.com
ALL EXCEPT vsftpd:192.168.0

deny
sshd:.example.com:servrity emerg
sshd:example.com:severity local0.alert

sshd:client1.nepal.com:allow
sshd:client2.nepal.com:deny

Spawn ,twist
in.telnetd:example.com\
:spawn \bin\echo \bin\date from %h>>/var/log/telnet:allow
vsftpd:.example.com\
twist /bin/echo “bod guy go away”

=======================================================================
Xinetd
/etc/xinetd.conf
/etc/xinetd.d/
LOG_ON_SUCCESS.LOG_ON_FAILURE,
ATTEMPT,DURATION,EXIT,HOST,PID,RECORD,USERID,

only_from,no_access,access_times(HH:MM-HH:MM)
service telnet
{
disable=no
flags=reuse
socket_type=stream
wait =no
user=root
server=/usr/sbin/in/telnet.d
log_on_failure +=USERID
no_access=192.168.0.0/24
log_on_success +=PID HOST EXIT
access_times=9:00-1600
}
NAT
bind =123.123.123.123
redirect=10.10.10.12 21 23

per_source(no of instances)
cps=max connection per second
max_load=cp usage thereshold for a service

=======================================================================
IPtables
=======================================================================
Selinux
*/selinux filesystem
access
context
create
enforce
load
policyvers
relabel
user

*security.selinux
getfattr -m . -d /etc/passwd
1) Permissive mode
2) Rebuilding policies
3) Labeling files
4) Routine system administration (changing roles,
adding users, and checking file contexts)
5) Monitoring SELinux through log files
6) Miscellaneous troubleshooting

1)System Modes and SELinux Tuning
+ permissive mode that’s useful for policy troubleshooting and system maintenance.
permissive mode is used when configuring, testing, and troubleshooting SELinux
and the SELinux security policy. Under permissive mode, SELinux permits all operations,
even those that violate the SELinux security policy.
+ enforcing mode (sometimes called enforcement mode). Enforcing mode is the
normal mode of SELinux operation. Under enforcing mode, operations that violate
the SELinux security policy are prevented.

a) Switching the SELinux mode
kernel /vmlinuz-2.6.4-1.305 ro root=LABEL=/ enforcing=1
append=”enforcing=0″(lilo)

To enter enforcing mode, issue the command:
echo “1″ > /selinux/enforce

Similarly, to enter permissive mode, issue the command:
echo “0″ > /selinux/enforce

setenforce 0
getenforce
vi /etc/selinux
To disable (boot parameter
selinux=0
———————————————–
2) Loading a security policy
rpm=checkpolicy,selinux*
/etc/selinux/src/policy
Make target Compiles the policy from source? Installs the policy? Loads or reloads the policy?
policy Yes No No
install Yes Yes No
load Yes Yes Yes
reload Yes Yes Yes
relabel No No No

a)su -
b)newrole -r sysadm_r
c)cd /etc/selinux/src/policy
d)make target
e)make reload
checkpolicy=The SELinux policy compiler
load_policy=A utility that loads the SELinux binary policy into the running kernel
———————————————–
3) Labeling files
a)su -
newrole -r sysadm_r
cd /etc/selinux/src/policy
make relabel

usr/bin/chcon
Labels one or more files with a specified security context
chcon system_u:object_r:etc_t /etc/hosts /etc/hosts.allow

/sbin/fixfiles
Labels all available filesystems according to the contents of the standard specification
file, src/policy/file_contexts/file_contexts
fixfiles check

/sbin/restorecon
Labels one or more files according to the contents of the standard specification
file, src/policy/file_contexts/file_contexts
restorecon /etc/hosts

/usr/sbin/setfiles
Labels one or more files or filesystems according to the contents of a specification
file
setfiles src/policy/file_contexts/file_contexts /etc/hosts

Tuning Fedora Core 2 SELinux
Fedora Core 2 implementation of
SELinux provides two convenient ways of tailoring SELinux operation:
i) Macros
ii) Policy Booleans

i)Macros
src/policy/tunable.te

Policy macro      Active by default?         Description
allow_user_direct_mouse Yes Allow regular users direct access to the mouse device file
(otherwise allow only the X server to do so).
allow_user_dmesg Yes Allow users to run the dmesg command
allow_user_tcp_server Yes Allow users to run TCP servers (bind to ports and accept
connection from the same domain and outside users).
Disabling this Boolean forces FTP passive mode and may
affect other protocols (including IRC if single_
userdomain is defined).
allow_xserver_home_fonts Yes Allow X server to check for fonts in ~/.gnome or ~/.kde.
allow_ypbind Yes Allow ypbind to run with NIS.
direct_sysadm_daemon Yes Allow sysadm_t to start daemons directly.
ftp_home_dir No Allow FTP to read/write files in user home directories.
ftpd_is_daemon Yes Allow FTP to run from inetd instead of as a stand-alone
daemon.
hide_broken_symptoms No Adds dontaudit rules for broken polices that are not
security risks.
nfs_export_all_ro No Allow reading on any filesystem.
nfs_export_all_rw Yes Allow read/write/create on any filesystem.
nfs_home_dirs Yes Allow NFS home directories.
nscd_all_connect Yes Allow all domains to access NSCD.
read_default_t Yes Allow ordinary users to read any file having type
default_t.
readhome Yes Allow Mozilla to read files in the user home directory.
run_ssh_inetd No Allow SSH to run from inetd instead of as a daemon.
secure_levels No Allow only administrator to log in at the console and forbid
direct access to disk devices.
single_userdomain No Make processes other than newrole and su run by a user
domain stay in the same user domain.
ssh_sysadm_login Yes Allow SSH logins to the sysadm_r:sysadm_t security
context; otherwise, remote SSH users cannot enter this
context.
staff_read_sysadm_file No Allow staff_r users to search the system administrator’s
home directory (generally /root) and read its files.
unlimitedServices Yes Allow processes under initrc and xinetd to run with
all privileges.
unlimitedUsers No Allow users to have full access.
unrestricted_admin Yes Allow sysadm_t to do almost everything.
use_games Yes Allow users to run games.
user_can_mount Yes Allow users to execute mount command.
user_canbe_sysadm Yes Allow normal users to enter sysadm_r role.
user_net_control Yes Allow users to control network interfaces (also needs
USERCTL=true).
user_rw_noexattrfile Yes Allow users to read/write noextattrfile (FAT,
CDROM, FLOPPY).
writehome Yes Allow Mozilla to write files in the user home directory.
xdm_sysadm_login Yes Allow xdm logins as sysadm_r:sysadm_t.

a)vi /etc/selinux/src/policy.
b)edit tunable.te
c)make reload.
ii)Tuning via policy Booleans
change_bool boolean [0|1]
show_bools

change_bool user_ping 0

show_bools
user_ping –> active: 0 pending: 0

echo 0 > /selinux/booleans/user_ping
echo 1 > /selinux/commit_pending_bools
———————————————–
4)Routine SELinux System Use and Administration
a) Entering a role
b) Viewing security contexts
c) Adding users and groups
d) Starting and controlling daemons
e) Tuning SELinux

a) Entering a role
SELinux users have one or more associated
roles and, at any time, are bound to exactly
one of these. Users are initially bound to
a role at login time.
$sestatus
# sestatus -v

The standard SELinux security policy defines four roles:
*staff_r
Used for users permitted to enter the sysadm_r role
*sysadm_r
Used for the system administrator
*system_r
Used for system processes and objects
*user_r
Used for ordinary users

Changing roles
newrole [[-r|--role] ROLE] [[-t|--type] TYPE] [-- [ARGS]…]
newrole -r role
#newrole -r sysadm_r

b) Viewing security contexts
# id -Z
ls –context /etc/hosts
ls –lcontext /etc/hosts
ls –scontext /etc/hosts
ls -Z /etc/hosts
ps -Z
ps –context
ps -Z 1

c) Adding users and groups
users’ home directories are labeled with
the special security context user_home_dir_t.
# id -Z
# newrole -r sysadm_r
# id -Z
# useradd -c “test user” -m -d /home/testuser \
-g users -s /bin/bash testuser
# finger testuser
# ls -ld -Z /home/testuser/

Associating a user with a nondefault role
By default, users are associated with
the SELinux role user_r
i. Edit the src/policy/users file.
ii. Recompile the security policy.
iii. Load the generated binary policy file into the kernel.
cd /etc/selinux/src/policy
vi users
user username roles { staff_r sysadm_r };
make target
make reload

user:role:type.
the src/policy/appconfig/default_contexts file specifies
default roles for user logins, SSH sessions, and cron jobs.
system_r:sulogin_t sysadm_r:sysadm_t
system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:remote_login_t user_r:user_t staff_r:staff_t
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t
sysadm_r:sysadm_crond_t system_r:system_crond_t mailman_r:user_crond_t
system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sudo_t sysadm_r:sysadm_t
staff_r:sudo_t sysadm_r:sysadm_t staff_r:staff_t
user_r:sudo_t sysadm_r:sysadm_t user_r:user_t

Setting user passwords
vipw, vi,
to repair the file label
restorecon /etc/shadow

d) Starting and controlling daemons
run_init script [[arg]…]
run_init /etc/init.d/ntpd start

NOTE
By default, Fedora Core 2 allows a role transition
from sysadm_r to system_r, the role used by init.
Therefore, unless you’ve specially configured Fedora
Core 2 to disable this transition, it’s not necessary
to invoke the run_init command explicitly.

runcon -u system_u -r system_r -t crond_t /usr/sbin/crond
runcon system_u:system_r:crond_t /usr/sbin/crond

e) Tuning SELinux
LOG Format
avc: result { operation } for pid=pid exe=exe
path=opath dev=devno:ptno ino=node
scontext=source tcontext=target tclass=class

*result=The value granted or denied, indicating whether
SELinux permitted or prohibitedthe operation.
*operation=The operation that was attempted, such as
read or write. SELinux defines about 150 operations.
*pid=The process ID of the process that attempted the operation.
*exe=The absolute path of the text file (executable) associated
with the process that attempted the operation.
*path=The absolute path of the object on which the operation was attempted.
*devno=The block device number associated with the
object on which the operation was attempted.
*ptno=The partition number associated with the object
on which the operation was attempted.
*node=The inode number of the object on which the operation was attempted.
*source=The security context of the process that
attempted the operation.
*target=The security context of the target object.
*class=The type of the target object, such as file.

SELinux Logging Subtleties(reduce log)
Change to the policy source directory and
reload the security policy:
cd /etc/security/selinux/src/policy
make reload
or
setenforce 1
setenforce 0

Audit2allow=that scans the system log, looking for
entries pertaining to denied operations

(if login,daemon problem problem)
fixfiles restore
cd /etc/security/selinux/src/policy
setfiles file_contexts/file_contexts /home/bill

cd /etc/security/selinux/src/policy
setfiles file_contexts/file_contexts cron_files

cd /etc/security/selinux/src/policy
setfiles file_contexts/file_contexts /etc/init.d/*

Xwindow problem
rm /var/tmp* files

=======================================================================
Instalation Server
1) Make directory
mkdir -p /data/network-install/Fedora/base
mkdir -p /data/network-install/Fedora/RPMS
mkdir -p /data/network-install/ISO

2) Copy the files
cd /mnt/cdrom/Fedora/base
cp -r * /data/network-install/Fedora/base

(copy 4 cd into /data/network-install)

cd /data/network-install/ISO
dd if=/dev/cdrom of=FC2-i386-disc1.iso bs=32k
eject cdrom
dd if=/dev/cdrom of=FC2-i386-disc2.iso bs=32k
eject cdrom
dd if=/dev/cdrom of=FC2-i386-disc3.iso bs=32k
eject cdrom
dd if=/dev/cdrom of=FC2-i386-disc4.iso bs=32k
eject cdrom

another method using mkisofs
mkisofs -J -r -T -o filename.iso /mnt/cdrom

3)Setup Your Webserver ftp & nfs
NameVirtualHost 192.168.1.100
<VirtualHost 192.168.1.100>
DocumentRoot /data/
<Directory /data/network-install>
Options +Indexes
AllowOverride AuthConfig
order allow,deny
allow from all
</Directory>
</VirtualHost>

FTP
vi /etc/vsftpd/vsftpd.conf
anon_root=/data/network-install/

NFS
vi /etc/exports
/data/network-install          *(ro,sync)
exportfs -ra

4)Configure DHCP Server

5)Boot form fedora core cd1
boot:linux askmethod
or boot from boot floppy
Kick Start
1)”ksconfig” command from a GUI console
2)save it in /data/network-install/ks.cfg
or can use /root/anaconda-ks.cfg
3)to veryfy
install
nfs –server=192.16.1.100 –dir=/data/network-install/ISO
install
url –url http://192.168.1.100/network-install/
4) To install
NFS Method
boot: linux ks=nfs:192.168.1.100:/data/network-install/ks.cfg

HTTP Method
boot: linux ks=http://192.168.1.100/network-install/ks.cfg

DHCP
vi /etc/dhcpd.conf
filename “/data/network-install/ks.cfg”;
next-server 192.168.1.100;

boot: linux ks

Floppy
boot:linux ks=floppy

=======================================================================
Encrypting swat or other ports like pop3,smtp
1)useradd stunnel
2)cd /usr/share/ssl/certs
make stunnel.pem
chmod 640 stunnel.pem
chgrp stunnel stunnel.pem

3)vi /etc/stunnel/stunnel.conf
# Configure stunnel to run as user “stunnel” placing temporary
# files in the /home/stunnel/ directory
chroot  = /home/stunnel/
pid     = /stunnel.pid
setuid  = stunnel
setgid  = stunnel

# Log all stunnel messages to /var/log/messages
debug   = 7
output  = /var/log/messages

# Define where the SSL certificates can be found.
client  = no
cert    = /usr/share/ssl/certs/stunnel.pem
key     = /usr/share/ssl/certs/stunnel.pem

# Accept SSL connections on port 901 and funnel it to
# port 902 for swat.
[swat]
accept   = 901
connect  = 902

4) cd /etc/xinetd.d
cp swat swat-stunnel

vi swat-stunnel
service swat-stunnel
{
port            = 902
socket_type     = stream
wait            = no
only_from       = 127.0.0.1
user            = root
server          = /usr/sbin/swat
log_on_failure  += USERID
disable         = no
bind            = 127.0.0.1
}
disable 901 port in /etc/services
chkconfig swat off
chkconfig swat-stunnel on

5)start stunnel
$stunnel
(if problem  rpm -e hwcrypto)

6)Test
https://server-ip-address:901/

========
Stunneling pop
1) /var/share/ssl/certs/stunnel.pem
$openssl -req -new -newkey rsa:1024 -nodes \
-x509 -keyout /tmp/key -out /tmp/cert
cat /tmp/cert>>/tmp/key
mv /tmp/key /usr/share/ssl/certs/stunnel.pem
rm /tmp/cert
chmod 600 /usr/share/ssl/certs/stunnel.pem
or
cd /usr/share/ssl/certs
make stunnel.pem

2) vi /etc/xinet.d/pos3s
server=/usr/sbin/stunnel
server_args= -1 /usr/sbin/ipop3d –ipop3d

telnet
stunnel -d localhost:7023 -r localhost:23

stunnel -c  -d localhost:12345 -r server1.nepal.com:7023
telnet localhost 12345
=======================================================================

User interfaces—the way we interact with our technologies—have evolved a lot over the years.

From the original punch cards and printouts to monitors, mouses, and keyboards, all the way to the track pad, voice recognition, and interfaces designed to make it easier for the disabled to use computers, interfaces have progressed rapidly within the last few decades.

But there’s still a long way to go and there are many possible directions that future interface designs could take. We’re already seeing some start to crop up and its exciting to think about how they’ll change our lives.

In this article are than a dozen potential future user interfaces that we’ll be seeing over the next few years (and some further into the future).

Brain-Computer Interface
Army Mind-Control Projects
The Matrixesque Brain Interface: MEMS-Based Robotic Probe
OCZ’s Neural Impulse Actuator
Biometric and Cybernetic Interfaces
Warfighter Physiological Status Monitoring
Fingerprint Scanners
Digital Paper and Digital Glass
Transparent OLED Display
LG 19″ Flexible Display
E-Ink
Telepresence
Telepresence Surgery
Universal Control System
Space Exploration and Development
Augmented Reality
Augmented Reality in a Contact Lens
Wearable Retinal Display
Heads-Up Display
Privacy Concerns with Augmented Reality
Voice Control
BMW Voice Control System
Google Voice Search
Gesture Recognition
Acceleglove: Gloves that Recognize Sign Language
Gesture-Based Control for TVs
Nintendo Wii
Xbox Project Natal
Head and Eye Tracking
Gran Turismo 5
Pseudo-3D with a Generic Webcam
Artificial Intelligence
Cyber Security Knowledge Transfer Network
AI for Adaptive Gaming
AI for Mission Control
Virtual Assistants
Multi-Touch
Microsoft Surface
Apple Products
Mobile Phones

Every file and process on a Linux/Unix system is owned by a particular user account. Every file has both an owner and a group owner. What this means is that the owner of the file enjoys one special property that is not shared with everyone on the system. This property is the ability to modify the permissions of the file.

Other users on the system can’t access files belonging to others without the owner’s permission, so this restriction helps protect a user’s files against “malicious” users!

Please note that all credits for this article goes to the authors of the book called “LINUX ADMINISTRATION HANDBOOK”. I recommend this book for all levels of system administrators. It can be accessed from the site http://www.admin.com

Having said that, although the owner of a file can always be a single person, many people can be group owners of the file if they are all part of a single Linux/Unix group. Groups are defined in the /etc/group file.

Ownerships of a file can be shown with the ls -l filename command as shown below:

-bash-3.00$ ls -l /export/home/tek/records
-rw-r–r– 1 tek wheel 869 Jan 4 14:43 /export/home/tek/records

As seen above, the file named records is owned by the user “tek” and the group “wheel”.

Linux/Unix in reality keeps track of owners and groups represented by numbers rather than as text names. User identification numbers (UIDs) are mapped to user names in the /etc/passwd file and Group identification numbers (GIDs) are mapped to group names in the /etc/group file.

The text names that corresponds to UIDs and GIDs are designed only for the convenience of the system’s human users! Next time a command such as ls are issued which displays ownership information, then the files /etc/passwd and /etc/group are queried.

Processes

A process is the term used by Linux/Unix to represent a running program through which the running program’s use of memory, processor time, and I/O resources can be managed.

Unlike files, processes have not two but four identities associated with them. They are a real and effective UID and a real and effective GID. The “real” numbers are used for accounting purposes, and the “effective” numbers are used for the determination of access permissions.

Superuser or root privilege UID (SUID) is always equal to 0 (zero).

For example, the Real UID (RUID) is the UID of the process that created the process itself. It can be changed only if the running process has Effective UserID (EUID)=0.

The effective UID (EUID) is used to evaluate privileges of the process to perform a particular action. EUID can be changed either to Real UserID (RUID), or SUID if EUID is not equal to 0. If EUID=0, it can be changed to anything.

Most of the time, the real and effective numbers are the same.

The owner of a process can send the process signals such as kill and can also reduce the process scheduling priority.

Under normal circumstances, it is not possible for a process to change it’s 4 ownership credentials. There is a special situation in which the effective user (EUID) and group ID (EGID) can and needs to be changed.

When a command which has the “setuid” or “setgid” permissions is executed, the effective UID (EUID) or GID (EGID) of the resulting process can be set to the UID or GID of the file containing the program image rather than the UID or GID of the user executing the command.

For example, let us look at the program called “passwd“.

-bash-3.00$ ls -l /usr/bin/passwd
-r-sr-sr-x 1 root sys 22620 Jan 23 2005 /usr/bin/passwd

As you know it, passwd is the command used for changing the passwords for a given user in a Linux/Unix environment.

As can be seen above, the UID and GID permissions are set to root and sys respectively. How is it possible for a normal user to run this program then? Well that’s what we called the “setuid” or “setgid” permissions!

The normal user’s privileges are thus “promoted” for the execution of that specific command only. Hence Linux/Unix’s setuid facility allows programs run by normal users to make use of the root account in a very limited way.

As in the passwd command example below, we can see the “setuid” permissions in action:

-bash-3.00$ /usr/bin/passwd tek
Enter existing login password:
New Password:
Re-enter new Password:
passwd: password successfully changed for tek

Here we see the passwd command that users run to change their login password is a setuid program. The program passwd modifies the /etc/passwd file in a very well-defined way and then terminates. To prevent abuse, the passwd program requires the users to prove that they know the current password before it agrees to make the requested password change. Nice security!

ROOT: The SUPERUSER

What exactly is the root account? Why does it has a very special place in Linux/Unix systems? Well the main defining characteristic property of the root account is that it’s UID is set to 0 (zero).

Linux/Unix systems permit the superuser (that is root) to perform any valid operation on any file or process. In addition, some process issuing system calls or requests directly to the kernel can only be executed by the superuser.

Below are some restricted operations which can only be performed by the superuser (root):

* Creating device files
* Setting the system’s hostname
* Configuring network interfaces
* Setting the system clock
* Raising resource usage limits and process priorities
* Shutting down the system

An example of superuser powers is the ability of a process owned by root to change it’s UID and GID. The login program and it’s window system equivalents like GDM and KDM are a case in point.

The login program that prompts you for your username and password when you log in to the system initially runs as root. If the username and password matches, the login program changes it’s UID and GID to your UID and GID and starts up your user environment. Once a root process has changed it’s ownerships to become a normal user process, it can never recover it’s former privileged state!

Therefore, it is extremely important for any system administrator to choose a very complex and secure password for the root user! I recommend a minimum of 8 characters with a mixture of Capital letters and numerical numbers! A warning has to be issued here, which is not to make the root’s password so complicated that you can’t remember it!

For remote administration, we obviously use the program called the Secure Shell (SSH) to manage our servers. For that matter, it is advisable to disable direct root access via SSH. To disable SSH to root user and set other security restrictions, at least enable/disable it’s parameters as shown below:

vi /etc/ssh/sshd_config

###Recommended values###

# Listen port (Default is 22, but change is to a higher port above 1025!)
Port 2012

# Only v2 (recommended)
Protocol 2

# Port forwarding
AllowTcpForwarding no

# X11 tunneling options
X11Forwarding no

# Ensure secure permissions on users .ssh directory.
StrictModes yes

# Default is 600 seconds. 0 means no time limit.
LoginGraceTime 120

# Maximum number of retries for authentication
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
MaxAuthTries 4
MaxAuthTriesLog 3

PermitEmptyPasswords no

PermitRootLogin no
###End of sshd_config###

BECOMING ROOT

A better way to access the root account is to use the su command. If invoked without any arguments, su will prompt for the root password and then start up a root shell. The privileges of this shell remain in effect until the shell terminates (Ctrl+D or the exit command).

su does not record the commands executed as root, but it does create a log entry that states who became root and when.

So we have to extra careful as to whom to give root’s password! It is also a good idea to get in the habit of typing the full pathname to the su command rather than relying on the shell to find the command for you!

-bash-3.00$ whereis su
su: /sbin/su /sbin/su.static /usr/bin/su /usr/man/man1m/su.1m

Note: The exact location of the su command may differ from one system to another.

Next time you want to become root, simply type:

/usr/bin/su -

This will give you some protection against programs called su that may have been slipped into your search path with the intention of retrieving passwords.

sudo: a limited su

Since the privileges of the superuser account cannot be subdivided, it is hard to give someone the ability to do one task (backups) without giving that person the root privileges of the root account. Also if the SUPERUSER account is used by several administrators, you will have only a vague idea of who’s using it and doing what?

These types of problems can be resolved to some extent by a program called “sudo“. It is available in Debian, RedHat, SuSE, FreeBSD packages among other distributions.

For installation in Debian, it’s as simple as: apt-get install sudo

For Fedora and Centos, it’s: yum install sudo

For FreeBSD, you just make install in /usr/ports/security/sudo

sudo takes as it’s argument a command line to be executed as root (or as another restricted user). sudo consults the file /etc/sudoers, which lists the people who are authorized to use sudo and the commands they are allowed to run on the system.

If the proposed command is permitted for the user, sudo prompts the user’s own password and executes the command.

For example, suppose we have a normal user called “john” belonging to the “wheel” group. Under normal circumstances, user “john” can’t run the tcpdump command.

To give our normal user “john” the limited sudo access to the tcpdump command, we add the following entry in /etc/sudoers file.

(1.) vi /etc/sudoers

#Add the following

john, %wheel ALL= /sbin/, /usr/sbin, /usr/sbin/tcpdump

(2.) Save and exit.

If user “john” were to run the tcpdump command without sudo, it would resemble as:

john@localhost:~$ /usr/sbin/tcpdump
tcpdump: no suitable device found

But for user “john” to run the tcpdump command, he simply types the following sudo command:

john@localhost:~$ sudo /usr/sbin/tcpdump

Password:
sudo tcpdump

Running tcpdump using sudo

Hence in this way, we can give a normal user some privilege to run a command to which only a superuser is allowed to.

Please note that I have touched only the tip of the sudo program. However below is a summary of what you can achieve using sudo:

1. Accountability is much improved because of command logging
2. Operators can do chores without unlimited root privileges
3. The real root password can only be known to one or few users
4. Privileges can be revoked without the need to change the root password
5. A single file /etc/sudoers can be used to control access for an entire network.

Linux/Unix Filesystem

In the Linux/Unix world, almost everything is represented by the file system. Processes, Serial ports, devices, you name it, is represented and managed via the file system.

In a nutshell, the filesystem can be summarized as:

1. A namespace – a way of naming things and organizing them in a hierarchy
2. An API – a set of system calls for navigating and manipulating objects
3. A security model – a scheme for protecting, hiding, and sharing things
4. An implementation – software that ties the logical model to actual hardware

The filesystem is presented as a single unified hierarchy that starts at the directory / and continues downward through an arbitrary number of subdirectories. / is also called the root directory.

The list of directories that must be traversed to locate a particular file, together with it’s filename, form a “pathname”. Pathnames can be either absolute (/tmp/foo) or relative (mydocs/chap4) . Relative pathnames are interpreted starting at the current directory.

The terms file, filename, pathname, and path are more or less interchangeable. Filename and path can be used for both absolute and relative paths; pathnames generally suggests an absolute path.

The filesystem can be arbitrarily deep. However, each component of a pathname must have a name no more than 255 characters long, and a single path may not contain more than 4095 characters. To access a file with a pathname longer than 4095 characters, you must cd to an intermediate directory and use relative pathname.

There are no restrictions on the naming of files and directories, except that the names are limited in length and must not contain the “/” character or nulls. Spaces are permitted but because of UNIX’s long tradition of separating command-line arguments at whitespace, legacy software tends to break when spaces appear within filenames. However, these cases are very rare nowadays.

In shell and in scripts, spaceful filenames just need to be quoted to keep their pieces together. For example, the command:

-bash-3.00$ more “My very long file.txt”

would preserve My very long file.txt as a single argument to more command.

Below is a graphical summary representing the Linux/Unix File System:
Linux File Structure

MOUNTING AND UNMOUNTING FILESYSTEMS

As seen on the diagram above, the filesystem is composed of smaller chunks – also called filesystems- each of which consists of one directory and it’s subdirectories and files. For clarity, we use the term “file tree” to refer to the overall layout of the filesystem and reserve the word “filesystem” for the chunks attached to the tree!

Most filesystems are disk partitions but they can be anything that obeys the proper API: network file servers, kernel components, memory-based disk emulators, etc.

Filesystems are attached to the tree with the mount command. mount maps a directory within the existing file tree, called the mount point, to the root of the newly attached filesystem.

For example on a Linux host,

root@localhost# mount /dev/hda4 /mbox

The above command will install the filesystem stored on the disk partition represented by /dev/hda4 under the path /mbox. You can then use command “ls /mbox” to see that filesystem’s contents.

On a Solaris host:

# mount /dev/dsk/c2d0s6 /mbox

The above command will mount a secondary hard drive represented by /dev/dsk/c2d0s6 to the path /mbox in Solaris.

A list of the filesystems that are mounted on a particular system is kept in the /etc/fstab file in Linux/FreeBSD machines. On a Solaris machines, it is kept in the /etc/vfstab file.

The information contained in this file allows filesystems to be checked (fsck -A) and mounted (mount -a) automatically at boot time. It also serves as documentation for the layout of the filesystems on disk and enables short commands such as mount /var for which the location of the filesystem to mount is looked up in /etc/fstab or /etc/vfstab.

Filesystems are detached with the umount command. You cannot unmount a filesystem that is “busy” or in use! There must not be any open files or processes whose current directories are located on that filesystem, and if the filesystem contains executable programs, they cannot be running!

When you are trying to umount a filesystem and the kernel complains that the filesystem is busy, you can run fuser to find out why.

For example, running the df -h command below shows:

Linux df command

df -h command

Viewing the contents of /etc/fstab:

Linux /etc/fstab

Linux /etc/fstab

If we try to umount /usr :

umount /usr busy

umount /usr showing as busy!

Running fuser -mv /usr:

fuser -mv /usr

“fuser -mv” command showing why /usr can’t be unmounted

File Types and Permissions

Linux/Unix defines seven (7) types of files. They are defined as follows:

1. Regular files
2. Directories
3. Character device files
4. Block device files
5. Local domain sockets
6. Named pipes (FIFOs)
7. Symbolic links

We can determine the type of an existing file with the ls -ld command. The first (1st) character of the ls output encodes the type of file.

For example,

# ls -ld /etc/ssh

drwxr-xr-x 2 root sys 512 Nov 21 14:28 /etc/ssh

Remembering that the 1st character determines the type of file, the table below are the codes representing various types of files:

Linux/Unix File Types Table

As can be seen from the table above, rm is the universal tool for deleting files you don’t want anymore!

A word of caution: Use rm very carefully. You could mistakenly remove a very important file such needed by your system. If that happens, your system might not boot anymore!

If in doubt, always use the -i option with the rm command.

For example,

# rm -i /etc/rmmount.conf
rm: remove /etc/rmmount.conf (yes/no)?

(1.) Regular files

A regular file is just a file containing certain amount of bytes! Linux/Unix imposes no structure on its contents. Text files, data files, executable programs like gcc, shared libraries are all stored as regular files.

(2.) Directories

A directory contains named references to other files. You can create directories with the mkdir command and delete them with the rmdir command if they are empty. If the directory is not empty, you are wipe it with the rm -r command.

For example, let’s list the contents of the /etc/ssh

# ls -al /etc/ssh

total 208
drwxr-xr-x 2 root sys 512 Nov 21 14:28 .
drwxr-xr-x 87 root sys 4608 Jan 7 11:24 ..
-rw-r–r– 1 root sys 88301 Jan 22 2005 moduli
-rw-r–r– 1 root sys 861 Jan 22 2005 ssh_config
-rw——- 1 root root 668 Nov 21 14:28 ssh_host_dsa_key
-rw-r–r– 1 root root 605 Nov 21 14:28 ssh_host_dsa_key.pub
-rw——- 1 root root 883 Nov 21 14:28 ssh_host_rsa_key
-rw-r–r– 1 root root 225 Nov 21 14:28 ssh_host_rsa_key.pub
-rw-r–r– 1 root sys 5215 Jan 7 15:38 sshd_config

If you have noticed, in every directory, there are two (2) special entries “.” and “..”.

They refer to the directory itself and to its parent directory respectively; hence they cannot be removed! Since the root directory has no parent directory, the path “/..” is equivalent to the path “/.” (and both are equivalent to /).

(3.) Character and Block device files

Device files allow programs to communicate with the system’s hardware and peripherals. When the kernel is configured, modules that know how to communicate with each of the system’s devices are linked in. These days, the kernel can also load modules dynamically.

But what exactly is a kernel module? Modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. Without modules, we would have to build monolithic kernels and add new functionality directly into the kernel image. Besides having larger kernels, this has the disadvantage of requiring us to rebuild and reboot the kernel every time we want new functionality.

Microsoft Windows needs to reboot so often because they lack the support of modules from their NT kernel unlike Linux/Unix!

The module for a particular device, called a device driver, takes care of the messy details of managing the device.

Device drivers present a standard communication interface that looks like a regular file. When the kernel is given a request that refers to a character or block device file, it simply passes the request to the appropriate device driver.

It is important to differentiate between device files and device drivers. The device files are are just ordinary points that are used to communicate with the drivers. They are not the drivers themselves.

But what is the difference between a character device file and a block device file? Character device files allow their associated drivers to do their own input and output (I/O) buffering.

Block device files are used by drivers that handle input and output (I/O) in large chunks and want the kernel to perform the buffering for them.

Simply, a block device would read/write bytes in fixed size blocks, as in disk sectors. Character devices read/write 0 or more bytes, in a stream, such as a TTY or a keyboard.

Device files are characterized by two numbers, called the major and minor device numbers. The major device number tells the kernel which driver the file refers to, and the minor device number tells the driver which physical unit to address.

If we on at the example below,

09:26:57 root@gw-dml-sp:~$ ls -l /dev/lp0

crw-rw—- 1 root lp 6, 0 Jan 4 13:05 /dev/lp0

From above, the major device number is 6 and the minor device number is 0.

We can create device files with the mknod command and remove them with the rm command. Most systems provide a script called /dev/MAKEDEV that creates the appropriate sets of device files for common devices.

(4.) Local domain sockets

Sockets are connections between processes that allow them to communicate in a proper manner. Linux/Unix provides several different kinds of sockets, most of which involve the use of a network. Local domain sockets are accessible only from the local host and are referred to through a filesystem object rather than a network port. They are also known as “UNIX domain sockets“.

Although socket files are visible to other processes as directory entries, they cannot be read from or written to by processes not involved in the connection. Some standard facilities that use local domain sockets are the printing system, the GNOME and KDE Window Systems, and syslog.

Local domain sockets are created with the socket system call and can be removed with the rm command or the unlink system call once they have no more users.

(5.) Named pipes

Like local domain sockets, named pipes allow communication between two processes running on the same host. They are also known as “FIFO files” (FIFO is short form for “First In, First Out”).

You can create named pipes with the mknod command and remove them with rm.

Like local domain sockets, real-world instances of named pipes are very few and rarely need administrative action.

(6.) Symbolic links

Symbolic links consist of a special type of file that serves as a reference to another file or directory. Unix-like operating systems in particular often feature symbolic links. Basically, a symbolic or soft link points to a file by name.

You can think of symbolic links in a similar way when you create “desktop shortcuts” in MS-Windows!
Unlike a hard link, which points directly to data and represents another name for the same file, a symbolic link contains a path which identifies the target of the symbolic link. Thus, when a user removes a symbolic link, the file to which it pointed remains unaffected. Symbolic links may refer to files even on other mounted file systems.

We create symbolic links with the ln -s command and remove them with the rm command.

For example, if we want to make a symbolic link between the file /etc/ssh/sshd_config and /home/tek/myssh_config, we issue the following command:

# ln -s /etc/ssh/sshd_config /home/tek/mysshd_config

# ls -l /home/tek/mysshd_config

lrwxrwxrwx 1 tek tek 20 Jan 8 21:48 /home/tek/mysshd_config -> /etc/ssh/sshd_config

FILE ATTRIBUTES AND PERMISSIONS

Every file has a set of nine (9) permission bits that control who can read, write, and execute the contents of the file. The nine permission bits are used to determine what operations on a file, and by whom.

Linux/Unix does not allow permissions to be set on a per-user basis. Instead, there are sets of permissions for the owner of the file, the group owners of the file, and everyone else. Each set has three bits: a read bit, a write bit, and an execute bit.

In a summary, there are three types of people that can do things to files – the Owner of the file, anyone in the Group that the file belongs to, and Others (everyone else). In UNIX they are referred to using the letters U (for Owner or User), G (for Group), and O (for Others).

Therefore there are three types of permissions:

r – read the file or directory
w – write to the file or directory
x – execute the file or search the directory

Each of these permissions can be set for any one of three types of user:

u – the user who owns the file (you)
g – members of the group to which the owner belongs
o – all other users

Let us look at an example:

-bash-3.00$ ls -l /usr/bin/yelp

-rwxr-xr-x 1 root other 107504 Dec 17 2004 /usr/bin/yelp

As you can see above, there are nine (9) permission bits on the file /usr/bin/yelp

On the left side, you can see the file attributes and permissions:

-rwxr-xr-x
- r w x r - x r - x
Owner Group Other
File Read Write Execute Read No-Write Execute Read No-Write Execute

As can be seen, the following users have the following permissions on the file:

Owner – can read, write, and execute

Group – can read, no-write, and execute

Other – can read, no-write, and execute

Owner of /usr/bin/yelp is root and group owner of /usr/bin/yelp is other.

More examples:

drwxrwxrwx : a folder which has read, write and execute permissions for the owner, the group and for other users.
-rwxr–r– : a file that can be read and written by the user, but only read and executed by the group, and only read by everyone else.

Using numbers (octal) for permissions

We can also use numbers for setting file and folder permissions. Each of the three numbers corresponds to each of the three sections of letters. The first number determines the owner permissions, the second number determines the group permissions and the third number determines the other permissions. Each number can have one of eight values ranging from 0 to 7. Each value corresponds to a certain setting of the read, write and execute permissions.

These values are added together for any one user category:

1 = execute only
2 = write only
3 = write and execute (1+2)
4 = read only
5 = read and execute (4+1)
6 = read and write (4+2)
7 = read and write and execute (4+2+1)

For example:

777 is the same as rwxrwxrwx
755 is the same as rwxr-xr-x

ls output is slightly different for a device file. For example,

09:17:07 root@gw-dml-sp:~$ ls -l /dev/tty0

crw-rw—- 1 root tty 4, 0 Jan 4 13:05 /dev/tty0

crw-rw—-
- r w x r - x r - x
Owner Group Other
Character file Read Write Non-Execute Read Write Non-Execute No-Read No-Write Non-Execute

As can be seen, the file /dev/tty0 is a Character device file whose owner and group owner can read, write but could not execute it since this is a character device file!

The filesystem maintains about forty (40) separate pieces of information for each file! But the good news is that most of them are only useful for the filesystem itself. As a system administrator, we should be concerned mostly with the link count, owner, group, mode, size, last access time, last modification time, and type.

Looking at the next example,

09:32:10 root@gw-dml-sp:~$ ls -l /bin/gzip

-rwxr-xr-x 3 root root 55792 Feb 22 2005 /bin/gzip

Summary:

The first field specifies the file’s type and mode. The first character is a dash, so /bin/gzip is a regular file.

The next nine characters in this field are the three sets of permission bits. I have stressed several times the order of this 3 sets of permission bits. The order is owner-group-other.

In the example of: -rwxr-xr-x 3 root root 55792 Feb 22 2005 /bin/gzip

In this case, the owner can read-write-execute, the Group owner can only execute-read and Others can only execute.

The next field in the listing is the link count for the file. In this case, it is 3, indicating that /bin/gzip is just one of three names for this file (the others are /bin/gunzip and /bin/zcat). Each time a hard link is made to a file, the count link is incremented by 1.

The setuid and setgid bits

The bits with octal values 4000 and 2000 are the setuid and setgid bits. These bits allow programs to access files and processes that would otherwise be off-limits to the user that runs them.

When set on a directory, the setuid bit causes newly created files within the directory to take on the group ownership of the directory rather than the default group of the user of the user that created the file.

The Sticky Bit

The bit with octal value 1000 is called the sticky bit. If a sticky bit is set on a directory, the filesystem won’t allow anyone to delete or rename a file unless that person is the owner of the directory, the owner of the file, or the superuser. This convention helps to make directories like /tmp a little more secure.

If the setuid bit had been set, the x representing the owner’s execute permission would have been replaced with an s, and if the setgid bit had been set, the x for the group would also have been replaced with an s.

The last character of the permissions (execute permission for “other”) is shown as t if the sticky bit of the file is turned on. If either the setuid/setgid bit or the sticky bit is set but the corresponding execute bit is not, these bits appear as S or T.

The filesystem automatically keeps track of modification time stamps, link counts, and file size information. The permission bits, ownership, and group ownership can only be changed by with the chmod, chown, chgrp commands.

chmod: change permissions

The chmod command changes the permissions on a file. Only the owner of the file and the superuser can change its permissions.

The octal notation is generally more convenient for administrators but the mnemonic syntax can be useful for new comers.

The first argument to chmod is a specification of the permissions to be assigned, and the second and subsequent arguments are names of files on which these permissions apply to.

chmod-encoding-table

To see chmod in action,

chmod-711-action

As can be seen above, the original permission of the file /home/tek/myprog was:

-rw-rw-r–

Upon issuing the command chmod 711 /home/tek/myprog, the permission was changed to:

-rwx–x–x

The same effect can be applied using mnemonic syntax instead of octal notation.

For example,

chmod-mnemonic-action

chown: change ownership and group

The chown command changes the file’s ownership and group ownership. It’s syntax mirrors that of chmod, except that the first argument specifies the new owner and group in the form of user.group (user:group). Either of user or group may be left out. If there is no group, you don’t need the dot either.

Looking at the example below:

chown-action

The above command changes the owner:group of the file /home/tek/robots.txt from root:root to tek:wheel.

To change a file’s group, you must either be the owner of the file and belong to the group you’re changing to or be the superuser. However, you must be the superuser to change the file’s owner.

Like chmod, chown offers the recursive -R flag to change the settings of a directory and all the files underneath it. For example, the sequence:

# chmod -755 ~john

# chown -R john:wheel ~john

might be used to setup the home directory of a new user called john after copying the default startup files. The commands above will set the directory /home/john and all it’s files and sub directories to be owned by user john and group wheel.

chgrp

Traditional UNIX uses a separate command called chgrp, to change the group owner of a file. Linux provides the chgrp command too. It works just like chown but chgrp takes just a parameter which is the group owner.

For example:

chgrp-wheel-group

The above chgrp command will change the group owner from tek to wheel.

I hope that the materials above will serve as a basis to understand the file system and structure of your Linux/Unix machines. It should also give you hindsights to avoid common mistakes such as making a important file to be read, written, or executed by everybody. It should also provide you how to protect and give access to important files and directories only to certain users on your system.

$rman target / nocatalog

RMAN> show all;

RMAN>exit;

———————————–

rmanbackupconf.sh

rman target / nocatalog <<EOF
CONFIGURE RETENTION POLICY TO REDUNDANCY 1; # default
CONFIGURE BACKUP OPTIMIZATION OFF; # default
CONFIGURE DEFAULT DEVICE TYPE TO DISK; # default
CONFIGURE CONTROLFILE AUTOBACKUP ON;
CONFIGURE CONTROLFILE AUTOBACKUP FORMAT FOR DEVICE TYPE DISK TO ‘/orabackup/rman/%F’;
CONFIGURE DEVICE TYPE DISK PARALLELISM 2 BACKUP TYPE TO BACKUPSET;
CONFIGURE DATAFILE BACKUP COPIES FOR DEVICE TYPE DISK TO 1; # default
CONFIGURE ARCHIVELOG BACKUP COPIES FOR DEVICE TYPE DISK TO 1; # default
CONFIGURE CHANNEL 1 DEVICE TYPE DISK CONNECT ‘SYS/redhat@mars1′;
CONFIGURE CHANNEL 2 DEVICE TYPE DISK CONNECT ‘ SYS/redhat@mars1′;
CONFIGURE MAXSETSIZE TO UNLIMITED;
CONFIGURE ENCRYPTION FOR DATABASE OFF; # default
CONFIGURE ENCRYPTION ALGORITHM ‘AES128′; # default
CONFIGURE ARCHIVELOG DELETION POLICY TO NONE; # default
CONFIGURE SNAPSHOT CONTROLFILE NAME TO ‘/orabackup/rman/snapcf_racdbtst1.f’; # default
configure controlfile autobackup format for device type disk to ‘/orabackup/rman/ctrl/%F’;
configure channel device type disk format ‘/orabackup/rman/backup_db_%d_S_%s_P_%p_T_%t’;
exit;
EOF

————————————————————————————–

Check the archive log status and destination:

SQL> archive log list
Database log mode Archive Mode
Automatic archival Enabled
Archive destination +ORCL_DATA1
Oldest online log sequence 82
Next log sequence to archive 83
Current log sequence 83

Check existing tablespaces and datafiles:

SQL> select tablespace_name,file_name from dba_data_files;

TABLESPACE_NAME FILE_NAME
——————————
SYSTEM +ORCL_DATA1/mars/datafile/system.282.648988143
SYSAUX +ORCL_DATA1/mars/datafile/sysaux.283.648988181
UNDOTBS1 +ORCL_DATA1/mars/datafile/undotbs1.284.648988195
UNDOTBS2 +ORCL_DATA1/mars/datafile/undotbs2.286.648988247
USERS +ORCL_DATA1/mars/datafile/users.287.648988271
DATA +ORCL_DATA1/mars/datafile/data01.dbf
OBJECTS +ORCL_DATA1/mars/datafile/objects01.dbf
INDX +ORCL_DATA1/mars/datafile/index01.dbf

Create a test tablespace and a test table to be used to check Restore and Recover:

SQL> create tablespace recop1;
Tablespace created.
SQL> create table restable1 tablespace recop1 as select sysdate timestamp from dual;
Table created.

Check tablespaces and datafiles, note that all of them are located on ASM’s ORCL_DATA1 disk group:

SQL> select tablespace_name,file_name from dba_data_files

Check the timestamp we inserted on the test table, we will recover until this time later:

SQL> select * from restable1;
TIMESTAMP
—————–
01-02-07 15:49:06
————————————————————————————–

Execute backup using script

backup.sh
#!/bin/csh -x
# rman_backup_as_copy_to_FS
# —————————-
# 29-01-07 Alejandro Vargas
# —————————-
# This script make a backup copy to file system
# This backup can be restored on File system as a regular hot backup
# Or can be restored to ASM by using rman
# ——————————————————————————-
# This script does:
# 1) Administrative tasks:
# crosscheck
# delete obsolete
# 2) Archive log current on 1st Instance
# 3) Archive log current on 2nd Instance
# 4) Rman backup as copy to file system including controlfile and archivelogs
# 5) Archive log current on 1st Instance
# 6) Archive log current on 2nd Instance
# 7) Rman backup as copy archivelogs not backed up and print backupset list to log
# ——————————————————————————–
# This script works with 2 nodes only, if you have more than 2 nodes you need to customize it.
#
# This script use aliases and Environment variables set on .cshrc
# to setup the environment to point to the Database:
# setenv DBS_HOME /u01/app01/oracle/product/10gDB
# setenv BASE_PATH /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin
# alias 10db ‘setenv $ORACLE_HOME $DBS_HOME; setenv PATH $ORACLE_HOME/bin:$BASE_PATH’
# This script do require as parameters the 2 instance names
# It will use them to archive all required logs from instances 1 and 2
# ——————————————————————–
set v_inst1=mars1
set v_inst2=mars2
# Rman Backup Location variable
# —————————–
set v_rman_loc=/orabackup/rman
# Step 1: Administrative tasks, crosscheck and delete obsolete
# ————————————————————
#10db
setenv ORACLE_SID $v_inst1
rman target / nocatalog <<EOF
crosscheck backupset;
crosscheck copy;
crosscheck archivelog all;
delete noprompt expired backup ;
delete noprompt obsolete;
exit
EOF
# This script run from 1st node. We use an external identified DBA user, ops$oracle, to execute
# the archive log current. From the same session we connect as ops$oracle into the 2nd instance
# You need remote_os_authent=TRUE on both instances to connect remotely without password
# Step 2: Archive log current on 1st Instance
# Step 3: Archive log current on 2nd Instance
# ——————————————-
sqlplus -s sys/pass@$v_inst1 as sysdba << EOF
select instance_name from v\$instance
/
alter system archive log current
/
connect sys/pass@$v_inst2 as sysdba;
select instance_name from v\$instance
/
alter system archive log current
/
exit
EOF
# On step 4 we use 4 channels. This needs to be customized according the number of cpu’s/IO
# channels available. Rman is invoked in nocatalog mode, we need to have configured
# ORACLE_HOME, ORACLE_SID and PATH on the environment, as we did in the previous steps.
# Step 4: Rman backup as copy to file system including controlfile and archivelogs
# ——————————————————————————–
rman target / nocatalog <<EOF
run {
allocate channel backup_disk1 type disk format ‘$v_rman_loc/%U’;
allocate channel backup_disk2 type disk format ‘$v_rman_loc/%U’;
backup as COPY tag ‘%TAG’ database include current controlfile;
release channel backup_disk1;
release channel backup_disk2;
}
exit
EOF
# Step 5 and 6: Archive log current on 1st and 2nd Instances
# ———————————————————-
sqlplus -s sys/pass@$v_inst1 as sysdba << EOF
select instance_name from v\$instance
/
alter system archive log current
/
connect sys/pass@$v_inst2 as sysdba;
select instance_name from v\$instance
/
alter system archive log current
/
exit
EOF
# Step 7: Rman backup as copy archivelogs not backed up and print backupset list to log
rman target / nocatalog <<EOF
backup as copy archivelog all format ‘$v_rman_loc/%d_AL_%T_%u_s%s_p%p’ ;
list backupset;
exit
EOF
# Redirecting rman output to log will suppress standard output, because of that
# running separately.
rman target / nocatalog log=$v_rman_loc/backupset_info.log <<EOF
list backup summary;
list backupset;
list backup of controlfile;
exit
EOF
# eof backup

————————————————————————————–

This script does:
1) clean up the catalog (crosscheck / delete obsolete)
2) archive log current on both instances
3) backup database as copy to File System
4) archive log current on both instances
5) backup as copy archived logs
6) log actual backups
See the Backup Log.
The Backup generated the following files:
Controlfile and spfile backup:
Datafiles:
Rman Backups list:
backupset_info.log
Backup log:
/tmp/rman_backup.err

Insert some other records into the test table:

Insert into the test table new rows,check its content:
SQL> insert into restable1 select sysdate from dual;
1 row created.
SQL> /
1 row created.
SQL> /
1 row created.
SQL> /
1 row created.
SQL> commit;
Commit complete.
SQL> select * from restable1;

SQL> alter system archive log current;
System altered.

Simulate a crash by manually deleting some datafiles:

Execute on both instances:
SQL> select instance_name from v$instance;
INSTANCE_NAME
—————-
mars1
SQL> shutdown abort
ORACLE instance shut down.
SQL> select instance_name from v$instance;
INSTANCE_NAME
—————-
mars2
SQL> shutdown abort
ORACLE instance shut down.

Inside ASM some files accidentally deleted!!!:

$asmcmd

ASMCMD> cd ORCL_DATA1/mars/datafile/

ASMCMD> ls

ASMCMD> rm USERS.264.606653719 <<<<< Note, only possible because the
ASMCMD> rm RECOP1.273.613410453 <<<<< Database is down!!!
ASMCMD> ls
ASMCMD> EXIT

$sqlplus / as sysdba

Enter user-name: / as sysdba
Connected to an idle instance.
SQL> startup
ORACLE instance started.
Total System Global Area 285212672 bytes
Fixed Size 1218992 bytes
Variable Size 96470608 bytes
Database Buffers 184549376 bytes
Redo Buffers 2973696 bytes
Database mounted.
ORA-01157: cannot identify/lock data file 5 – see DBWR trace file
ORA-01110: data file 5: ‘+ORCL_DATA1/mars/datafile/users.264.606653719′

NOTE: Drop tablespace from inside the database is not recoverable with Rman; Rman will also deleted the backup copy of any deleted tablespace!!!!

—————————————————————————————

RECOVER PROCESS

Execute recover until time using the existing backup:
Set the database to work as single instance to perform the recovery and stop it:

SQL> show parameters cluster_database
NAME TYPE VALUE
———————————— ———– ——————————
cluster_database boolean TRUE
cluster_database_instances integer 2

SQL> alter system set cluster_database=false scope=spfile sid=’*';
System altered.
SQL> shutdown abort
ORACLE instance shut down.

Check the backup files and take note of the Database ID (highlighted):

$cd /orabackup/rman/

$ls

backupset_info.log
cf_D-MARS_id-1122898414_5djc2p5c
ctrl
data_D-MARS_I-1122898414_TS-DATA_FNO-6_4rjc2nqs
data_D-MARS_I-1122898414_TS-DATA_FNO-6_5ajc2p4e
data_D-MARS_I-1122898414_TS-INDX_FNO-8_4tjc2nr1
data_D-MARS_I-1122898414_TS-INDX_FNO-8_5cjc2p5a
data_D-MARS_I-1122898414_TS-OBJECTS_FNO-7_4sjc2nqu
data_D-MARS_I-1122898414_TS-OBJECTS_FNO-7_5bjc2p50
data_D-MARS_I-1122898414_TS-SYSAUX_FNO-2_4njc2nn7
data_D-MARS_I-1122898414_TS-SYSAUX_FNO-2_56jc2p08
data_D-MARS_I-1122898414_TS-SYSTEM_FNO-1_4ojc2nn9
data_D-MARS_I-1122898414_TS-SYSTEM_FNO-1_57jc2p0a
data_D-MARS_I-1122898414_TS-UNDOTBS1_FNO-3_4pjc2npd
data_D-MARS_I-1122898414_TS-UNDOTBS1_FNO-3_58jc2p33
data_D-MARS_I-1122898414_TS-UNDOTBS2_FNO-4_4qjc2npm
data_D-MARS_I-1122898414_TS-UNDOTBS2_FNO-4_59jc2p41
data_D-MARS_I-1122898414_TS-USERS_FNO-5_4vjc2nr8
data_D-MARS_I-1122898414_TS-USERS_FNO-5_5ejc2p5k
MARS_AL_20080324_52jc2ns2_s162_p1
MARS_AL_20080324_54jc2ns6_s164_p1
MARS_AL_20080324_5gjc2p80_s176_p1
MARS_AL_20080324_5hjc2p82_s177_p1
MARS_AL_20080324_5ijc2p88_s178_p1
MARS_AL_20080324_5jjc2p8a_s179_p1
MARS_AL_20080324_5kjc2p8c_s180_p1
MARS_AL_20080324_5ljc2p8e_s181_p1
MARS_AL_20080324_5mjc2p8h_s182_p1
MARS_AL_20080324_5njc2p8j_s183_p1
MARS_AL_20080324_5ojc2p8m_s184_p1
MARS_AL_20080324_5pjc2p8o_s185_p1
MARS_AL_20080324_5qjc2p8q_s186_p1
MARS_AL_20080324_5rjc2p8t_s187_p1

$rman target / nocatalog
Recovery Manager: Release 10.2.0.1.0 – Production on Thu Feb 1 16:34:20 2007
Copyright (c) 1982, 2005, Oracle. All rights reserved.
connected to target database (not started)

RMAN> set dbid=-1122898414
executing command: SET DBID

RMAN> startup nomount;
Oracle instance started
Total System Global Area 285212672 bytes
Fixed Size 1218992 bytes
Variable Size 96470608 bytes
Database Buffers 184549376
Redo Buffers 2973696 bytes

1) we do restore the controlfile from a time previous to the crash:

RMAN> restore controlfile from ‘/orabackup/rman/cf_D-MARS_id-1122898414_5djc2p5c’;
Starting restore at 01/02/2008 16:36:03
allocated channel: ORA_DISK_1
channel ORA_DISK_1: sid=153 devtype=DISK
channel ORA_DISK_1: copied control file copy
output filename=+ORCL_DATA1/mars/controlfile/current.256.606653653
Finished restore at 01/02/2008 16:36:20

2) we mount the database:
RMAN> mount database;
database mounted
released channel: ORA_DISK_1

3) we set until which time we want to recover, using the ‘set until time’ clause, the we do restore and recover, in this example the three commands are passed to Rman within a single block:
RMAN> run { set until time=”to_date(’01-FEB-08 16:14:28′,’DD-MON-YY HH24:MI:SS’)”;
2> restore database;
3> recover database; }

executing command: SET until clause
Starting restore at 01/02/2008 16:40:26
allocated channel: ORA_DISK_1
channel ORA_DISK_1: sid=148 devtype=DISK
allocated channel: ORA_DISK_2
channel ORA_DISK_2: sid=153 devtype=DISK

Finally we need to restablish Cluster Mode and open both instances.
1)Mount instance 1 and set cluster_database=true :
SQL> show parameters cluster_database
NAME TYPE VALUE
———————————— ———– ——————————
cluster_database boolean FALSE
cluster_database_instances integer 2
SQL> alter system set cluster_database=true scope=spfile sid=’*';
System altered.
SQL> shutdown immediate
ORACLE instance shut down.

2) Restart the database in cluster Mode:
srvctl start database -d mars
srvctl start service -d mars
crs_stat –t
chkcrs

3) Check restore point on test table:
SQL> select * from restable1;
TIMESTAMP
—————–
01-02-08 15:49:06

http://www.comp.dit.ie/btierney/Oracle11gDoc/server.111/b28301/backrest002.htm

Note:
1: Enable secret password is encrypted by default. Enable password is not.
2: If both enable secret and enable password are specified, the enable secret overrides the enable password.

1. Set a console password to chicagotech
1) Router(config)#line con 0
Router(config-line)#login
Router(config-line)#password chicagotech

2. Set a telnet password to chicagotech
1) Router(config)#line vty 0 4
2) Router(config-line)#login
3) Router(config-line)#password chicagotech
=================================================

Enable SNMP on PIX
——————-
I just installed Netflow to monitor our Internet traffic rate. I have enabled snmp on our Cisco PIX515. The netflow displays ?No devices have sent NetFlow exports to the software yet?. I am not sure the problem is PIX configuration or Netflow settings. How do I test the snmp settings in PIX?

access-list outside_in permit icmp any any unreachable
access-list outside_in permit tcp any host 192.168.11.253 eq 3389
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit tcp any host 192.168.10.10 eq 3389
access-list 192_splitTunnelAcl permit ip LAN 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip LAN 255.255.255.0 VPN 255.255.255
.240
access-list inside_outbound_nat0_acl permit ip LAN 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any VPN 255.255.255.240
access-list outside_cryptomap_20 permit ip LAN 255.255.255.0 any
pager lines 24
logging on
logging trap errors
logging history informational
logging device-id hostname
mtu outside 1500
mtu inside 1500
ip address outside 192.168.10.254 255.255.255.0
ip address inside 192.168.11.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.21.1-192.168.21.9
pdm location 192.168.11.253 255.255.255.255 inside
pdm location VPN 255.255.255.0 inside
pdm location LAN 255.255.255.0 outside
pdm location VPN 255.255.255.0 outside
pdm location LAN 255.255.255.255 inside
pdm location RDC 255.255.255.255 inside
pdm location 192.168.11.2 255.255.255.255 inside
pdm location 192.168.10.104 255.255.255.255 outside
pdm location 192.168.11.254 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 2 192.168.10.250-192.168.10.253
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.11.253 192.168.11.253 netmask 255.255.255.255 0
0
static (inside,outside) 192.168.10.10 RDC netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http LAN 255.255.255.255 inside
http LAN 255.255.255.0 inside
snmp-server host outside 192.168.11.254
snmp-server host inside 192.168.11.254
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
tftp-server outside 192.168.10.115 c:\
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 206.81.53.106
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 206.81.53.106 netmask 255.255.255.255 no-xauth no-co
nfig-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup 192 address-pool VPN
vpngroup 192 dns-server 4.2.2.1
vpngroup 192 split-tunnel 192_splitTunnelAcl
vpngroup 192 idle-time 1800
vpngroup 192 password ********
=====================================================

How to configure ASA to open port 3389 for TS
———————————————-
You need these two lines:

access-list outside_access_out extended permit tcp any host x.x.x.198 eq 3389

static (inside,outside) tcp interface 3389 10.0.3.2 3389 netmask 255.255.255.255

If you use ASDM, id for the Rule and if for the NAT
======================================================

How to view and save PIX/ASA configuration
——————————————
1. “copy run start” and “write terminal” to save running-config to startup-config.
2. “show startup-config to view the configuration in flash memory.
3. “show running-config” and “write terminal” to view the current running configuration .
========================================================

configure Cisco 831 router for two public IP addresse
—————————————————-
The following is the sample of NAT on 831.

ip dhcp excluded-address 172.16.5.1 172.16.5.9
ip dhcp excluded-address 172.16.5.51 172.16.5.254
!
ip dhcp pool sdm-pool1
network 172.16.5.0 255.255.255.0
default-router 172.16.5.1
dns-server 4.2.2.1
!
!
no ip bootp server
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 smtp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip inspect name sdm_ins_in_100 icmp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$
ip address 172.16.5.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no cdp enable
!
interface Ethernet1
description $FW_OUTSIDE$$ETH-WAN$
ip address 192.168.10.70 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect sdm_ins_in_100 in
duplex auto
no cdp enable
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 172.16.5.13 3389 192.168.10.70 3389 extendable
ip nat inside source static tcp 172.16.5.13 3389 192.168.10.71 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.1 permanent
ip http server
ip http authentication local
ip http secure-server
!
access-list 1 permit 172.0.0.0 0.255.255.255
no cdp run
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
end

831#
===============================================

Reset a Cisco Router Back to Factory Defaults
———————————————-
chicagotech831#conf t
Enter configuration commands, one per line. End with CNTL/Z.
chicagotech831(config)#config-register 0×2102
chicagotech831(config)#end
chicagotech831#wr erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
chicagotech831#reload

System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]
======================================

Router modes
————-
User mode = Router>
Privileged mode = Router#
Global configuration mode = Router(config)#
Interface mode = Router(config-if)#
Subinterface mode = Router(config-subif)#
Line mode = Router(config-line)
Router configuration mode = Router(config-router)#
===============================================

Cisco Router Modes
——————–
Router> User mode

Router# Privileged mode (to chnage to Privileged mode, do Router> enable)

Router(config)# Global configuration mode (Router# conf t)

Router(config-if)# interafce mode (Router(config)# interafce ethernet0)

Router(config-subif)# Subinterface mode
Router(config-line)# Line mode
Router(config-router)# Router configuration mode
================================================

command lines
————–
1. To verify the operation of a routing protocol
show ip protocols

2. Display the IP routing table.
show ip route
=================================================

configure SSH for Secure Access
——————————–
ChicagoTech>En

Password:

ChicagoTech#conf terminal

Enter configuration commands, one per line.  End with CNTL/Z.

ChicagoTech(config)#hostname ChicagoTech

ChicagoTech(config)#ip domain-name howtocisco.com

ChicagoTech(config)#crypto key generate rsa

ChicagoTech(config)#ip ssh time-out 60

ChicagoTech(config)#ip ssh authentication-retries 4

ChicagoTech(config)#end

ChicagoTech#wr mem
===================================================

Create a VTP domain
———————–
chicagotech>en
password:
chicagotech#conf t
chicagotech(config)#vtp mode server
chicagotech(config)#vtp domain ms-mvps
chicagotech(config)#vtp password chicagotech
chicagotech(config)#end
chicagotech>copy running-config startup-config
==================================================

find the Switch and Port You are connecting to
———————————————
1. Find my laptop Mac address by using ipconfig /all. It is 00-16-D4-BA-D7-77
2. Telnet one of the switch and enable it.
3. Type “show mac-address-table address 00-16-D4-BA-D7-77”, it display
====================================================

Limit access #
—————
With Cisco Port Security, you can configure the port to accept certain Mac addresses and an additionl access will be denied. In this case, our maximum access # is 15.

Chicagotech>En
Chicagotech>password:
Chicagotech#conf t
Chicagotech(config)#interface fastethernet 0/9
Chicagotech(config-if)#switchport mode access
Chicagotech(config-if)#switchport port-security
Chicagotech(config-if)#switchport port-security max 15
Chicagotech(config-if)#switchport port-security violation protect
Chicagotech(config-if)#end
====================================================

setup interface
——————
Router#config
Router(config)#interface serial 1/1
Router(config-if)#ip address 10.0.0.10 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#ctrl-Z
Router#
=====================================================

shutdown multiple ports
————————
CHICAGOTECH>EN
CHICAGOTECH>PASSWORD:
CHICAGOTECH>CONF T
CHICAGOTECH(config)#inter range fastethernet 0/11 – 12
CHICAGOTECH(config-if-range)#no shutdown
CHICAGOTECH(config-if-range)#
CHICAGOTECH(config-if-range)#end
=====================================================

Interface command lines
————————–
1. to verify the status of the switch connections
show ip interface brief

2. Configure range interface
Switch(config)#interface range fastethernet 0/# – #, #, # – #
=======================================================

Configure trunking and VLAN routing
———————————–
Switch>en
password:
Switch#configure terminal
Switch(config)#interface fastethernet 0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#end
====================================================

confiugre Virtual Interface on a VLAN
————————————–
Router>en
passwrod:
Router#configure terminal
Router(config)#interface fastethernet 0/0.2
Router(config-subif)#encapsulation dot1q 2
Router(config-subif)#ip address 192.168.11.2 255.255.255.0
Router(config-subif)#exit
Router(config)#router rip
Router(config-router)#network 10.0.0.0
Router(config-router)#end
======================================================

Configure VLAN Subnets
———————-
Router>en
password:
Router#configure terminal
Router(config)#interface fastethernet 0/1
Router(config-if)#ip address 192.168.11.1 255.255.255.0
Router(config-if)#end
======================================================

How to delete switchport access vlan 200 line
——————————————–
CHICAGOTECH_1#show run inter
CHICAGOTECH_1#sh run interface gi1/0/7
Building configuration…

Current configuration : 151 bytes
!
interface GigabitEthernet1/0/7
switchport access vlan 200
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
end

CHICAGOTECH_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CHICAGOTECH_1(config)#int
CHICAGOTECH_1(config)#interface gi1/0/7
CHICAGOTECH_1(config-if)#default switchport access vlan
CHICAGOTECH_1(config-if)#no spanning-tree portfast
CHICAGOTECH_1(config-if)#do sh run int
CHICAGOTECH_1(config-if)#do sh run inter
CHICAGOTECH_1(config-if)#do sh run int gi1/0/7
Building configuration…

Current configuration : 99 bytes
!
interface GigabitEthernet1/0/7
switchport trunk encapsulation dot1q
switchport mode trunk
end
====================================================

Re-configure VLAN for AP
————————-
Add or modify VLAN name
————————
chicagotech>en
password:
chicagotech#conf t
chicagotech(config)#vlan 1
chicagotech(config)#name lab1
===================================================

Situation: the client have 4 VLAN and they want to the Access Point to access all 4 VLAN. This is the show mac-address-table address 0019.3033.6a2a command result:

Mac Address Table
——————————————-

Vlan Mac Address Type Ports
—- ———– ——– —–
1 0019.3033.6a2a DYNAMIC Gi1/0/22
Total Mac Addresses for this criterion: 1

Resolution: The port configuration looks l ike this (default is VLAN 1)

interface GigabitEthernet1/0/22
switchport mode access
no ip address
no mdix auto
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable

Change to:
interface GigabitEthernet1/0/22
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
no mdix auto

This is the result after changing:

show mac-address-table address 0019.3033.6a2a
Mac Address Table
——————————————-

Vlan Mac Address Type Ports
—- ———– ——– —–
1 0019.3033.6a2a DYNAMIC Gi1/0/22
100 0019.3033.6a2a DYNAMIC Gi1/0/22
200 0019.3033.6a2a DYNAMIC Gi1/0/22
300 0019.3033.6a2a DYNAMIC Gi1/0/22
Total Mac Addresses for this criterion: 4
=====================================================

VLAN command lines
——————-
1. How to check last modified VTP configuration
show vtp status

2. Verify a Trunk
show interface interface switchport | trunk

3. Verify A VLAN
show vlan brief | id vln_id | name vlan_name

4. Assign switch ports to a vlan
switchport access vlan vlan# | dynamic

5. configure dot1q trunk
switchport mode trunk | access | dynamic desirable | dynamic auto

6. verify STP for a VLAN
show spanning-tree active | detail | vlan_id | summery
==========================================================

How to enable Cisco ASA Web VPN
——————————–
To enable the HTTP Service on the ASA, please follow these steps:
1. Enable the HTTP server.
2. Enable WebVPN on the outside interface.
3. Configure WebVPN group attributes.
4. Configure user authentication.

1. enable.
2. Chicagotech#conf t
3. Chicagotech(config)# http server enable
4. Chicagotech(config)# http redirect outside 80
5. Chicagotech(config)# webvpn
6. Chicagotech(config-webvpn)# enable outside
7. Chicagotech(config-webvpn)#exit
8. Chicagotech(config)# group-policy VPNGroup internal
9. Chicagotech(config)# group-policy VPNGroup attributes
10. Chicagotech(config-group-policy)# vpn-tunnel-protocol webvpn
11. Chicagotech(config-group-policy)# webvpn
12. Chicagotech(config-group-webvpn)# functions file-access file-entry file-browsing
13. Chicagotech(config-group-webvpn)# exit
14. Chicagotech(config)# username chicagotech password ms-mvps
15. Chicagotech(config)# webvpn
16. Chicagotech(config-webvpn)# authentication-server-group LOCAL
========================================================

Configure routing
——————
Configure RIP Routing
Router#configure terminal
Router(config)# router rip
Router(config-router)# network 192.168.11.0
Router(config-router)# network 192.168.22.0
Router(config-router)#end

Configure EIGRP Routing
Router#configure terminal
Router(config)#router eigrp 10
Router(config-router)#network 192.168.11.0
Router(config-router)#network 192.168.22.0
Router(config-router)#end

Configure OSPF Routing
Router#configure terminal
Router(config)#router ospf 100
Router(config-router)#network 192.168.11.0 0.0.0.255 area 0
Router(config-router)#network 192.168.22.0 0.0.0.255 area 0
Router(config-router)#end

Verify the running configuration by displaying the router status at the first line
show running-config | begin router

To dump the routing table type
clear ip route *
====================================================

Sample of configuring Cisco 2955S switch
—————————————-
The Cisco Switch 2955 basic configuration will setup IP address, Subnet, Enable secret password, Enable password, and Telnet password. This is the sample.
Would you like to enter the initial configuration dialog? [yes/no]: Y (press Enter)

Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system.

Would you like to enter basic management setup? [yes/no]: Y (press Enter)

Enter host name [Switch]: chicagotech

Enter enable secret: switch

Enter enable password: cisco

Enter virtual terminal password: ms-mvps

Configure SNMP Network Management? [no]: n

Enter interface name used to connect to the
management network from the above interface summary: vlan1

Configuring interface vlan1:
Configure IP on this interface? [yes]: y
IP address for this interface: 10.0.20.51
Subnet mask for this interface [255.0.0.0]: 255.255.0.0

Would you like to enable as a cluster command switch? [yes/no]: n

The following configuration command script was created:
hostname host_name
enable secret 5 #3$Max7$Qgr2rXBhtcYJw4KK7ac650
enable password cisco
line vty 0 15 password ms-mvps
snmp-server community public
……

[0] Go to the IOS command prompt without saving this config.

[1] Return back to the setup without saving this config.

[2] Save this configuration to nvram and exit.

If you want to save the configuration and use it the next time the switch reboots,
save it in nonvolatile RAM (NVRAM) by selecting option 2.

Enter your selection [2]:2
=====================================================

Introduction of Cisco Network Assistant
—————————————-
Cisco Network Assistant (CNA)  is a free, simple, smart, and  secure graphic tool to manage your Cisco network. With CNA, you can manage all your Cisco devices such as switches, routers, PIX 515 firewalls, IP phones, and wireless access-points in one software.. To me this is the greatest benefit to using Cisco Network Assistant. the following lists some of the features the tool offers.
1. Toolbar Icons
2. Checking Total Power Usage of the IP Phones and Wireless Access Points
3. Topology View
4. Checking Link Properties from the Topology View
5. Configuring VLANs or Applying Port Configurations to Multiple Ports Across Switches
6. Cisco IOS® Software Upgrade
7. Need Help?
8. Saving and Restoring Configuration Files
9. Smartports Advisor
10. Creating a Community
=============================================================

change time in Cisco
———————

1. show time information:
chicagotech1#sh clock
chicagotech1#*20:10:59.033 UTC Fri Mar 1 2002

2. Change to Central time:
chicagotech1#1(config)#clock timezone CST -6

3. Reset to current time:
clock set 10:50:00 Oct 26 2006
===========================================================

clear configuration
—————————
1. “clear configuration all” clears the current running configuration and is reset to the default running configuration.
2. To restore the startup configuration, go “copy st run”.
3. “write erase” clears startup configuration and is reset to the factory default configuration with “reload” command.
============================================================

load a new code for ASA
————————
1. Downlaod the code first.
2. Run ASDM and then choose tools/upgrade software.
3. Select the code from Local File Path by using Browse Local Files.
4. In the Flash File System Path, type or Browse Flash: disk0:/asa722-22-8k.bin
5. Click Upload Image.
===========================================================

show and modify Cisco Wireless Bridge date and time
—————————————————
1. “show clock” to display the time and date.
2. For following are examples how to modify the time and date.

config terminal
clock set 14:20:00 31 december 2007
clock timezone central -6.
=========================================================

SHOW COMMANDS
————–
Show access-lists – all access lists on the router
Show cdp – cdp timer and holdtime frequency
Show cdp entry * – same as next
Show cdp neighbors detail – details of neighbor with ip add and ios version
Show cdp neighbors – id, local interface, holdtime, capability, platform portid
Show cdp interface – int’s running cdp and their encapsulation
Show cdp traffic – cdp packets sent and received
Show clock – displays time set on the router
Show controllers serial 0 – DTE or DCE status
Show dialer – number of times dialer string has been reached, other stats
Show flash – files in flash
Show frame-relay lmi – lmi stats
Show frame-relay map – static and dynamic maps for PVC’s
Show frame-relay pvc – pvc’s and dlci’s
Show history – commands entered
Show hosts – contents of host table
Show interface – displays statistics of all interfaces
Show int f0/26 – stats of f0/26
Show interface Ethernet 0 – show stats of Ethernet 0
Show interface brief – displays a summary of all interface, includng status and IP address assigned
Show ip – ip config of switch
Show ip access-lists – ip access-lists on switch
Show ip interface – ip config of interface
Show ip protocols – routing protocols and timers
Show ip route – Displays IP routing table
Show ipx access-lists – same, only ipx
Show ipx interfaces – RIP and SAP info being sent and received, IPX addresses
Show ipx route – ipx routes in the table
Show ipx servers – SAP table
Show ipx traffic – RIP and SAP info
Show isdn active – number with active status
Show isdn status – shows if SPIDs are valid, if connected
Show mac-address-table – contents of the dynamic table
Show protocols – routed protocols and net_addresses of interfaces
Show running-config – dram config file
Show sessions – connections via telnet to remote device
Show startup-config – nvram config file
Show terminal – shows history size
Show trunk a/b – trunk stat of port 26/27
Show users – displays all users connected to the router
Show version – ios info, uptime, address of switch
Show vlan – all configured vlan’s
Show vlan-membership – vlan assignments
Show vtp – vtp configs
=================================================

What’s it Overloading?

Overloadingis a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. Known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.

=================================================

ASA 5510 backup and restore using TFTP
————————————-
Backup:

1. Run TFTP server.
2. Run telnet to access ASA.
3. Type enable, then the password..
5. Then follow the this procedure:
chicagotechpix# copy startup-config tftp:
Address or name of remote host []? 192.168.0.2

Destination filename [startup-config]? 072406
!!!
8507 bytes copied in 0.40 secs

Restore:
1. Run TFTP server.
2. Run telnet to access ASA.
3. Enable.
5. Then follow the this procedure:

chiacgotechpix# copy tftp start

Address or name of remote host []? 192.168.0.2

Source filename []? 072306tftp

Accessing tftp://192.168.0.2/072306tftp…!!!
Writing system file…
!!!
8507 bytes copied in 0.260 secs
ciscoasa# wr mem

Note: 1. to copy TFTP file to running-config, do copy tftp run, give tftp Ip, source file name and press enter to confirm Running-config.
2. show run to display running-config.
3. show start to display start config.
===================================================

backup/restore switch configuration using TFTP
———————————————
1. Telnet the switch.
2. Issue enable command.
3. Issue copy running-config tftp: command.

This is the example.

chicagotech01#copy running-config tftp:
Address or name of remote host []? 10.0.0.11
Destination filename [chicagotech1-confg]? chicagotech1
!!
1825 bytes copied in 1.780 secs (1025 bytes/sec)

To Rstore, run copy tftp: running-configand then follow the instruction.
=============================================================

backup/restore Cisco PIX
————————-
Cisco pix backup

It depends on the PIX version. You may try the following commands.

To copy configuration to tftp
chicagotechpix (config)#configure net 10.0.0.254:/filename

Note: You may be able to do that in enable mode
or

chicagotechpix #write net 10.0.0.254:/filename
Note: You may be able to do that in config mode

or

To copy the PIX image from Flash to the TFTP server:
chicagotechpix #copy flash tftp

To copy the image from TFTP to Flash without intervention.
chicagotechpix(config)#copy tftp: flash
===========================================================

copy config.txt to Cisco switch
——————————–
1. Copy and save the configuration as config.txtx
2. Download and install TFTP32.
3. Run TFTP32 and Browse the config.txt.
4. Telnet the switch.
5. Use copy tftp: command to downalod the configuration
===========================================================

Copy configuration from TFTP
—————————-
To erase the running configuration and re-load the configuration file from FTFP, follow theses steps:

Chicagotech>en
Chicagotech>password:
Chicagotech#erase startup-config
Erasing the nvram filesystem will remove all configuration files!
Continue? [confirm]
[OK]
Erase of nvram: complete
Chicagotech#show startup-config
startup-config is not present
Chicagotech#copy tftp://192.168.2.254/Chicagotech startup-config
===============================================================

restore config.txt from tftp
—————————-
1. Run the tftpd32.
2. Browse the file and click OK.
3. Check Show Dir to make sure the config.txt is there.
4. Login the wireless router/switch and enable mode.
5. Type this command: copy tftp://ipaddress/config.txt flash: config.txt.

Note: To check the flash files, use this command: sh flash.
=================================================================

restore Cisco config from TFTP
——————————
1. Run a TFTP program.
2. Telnet to the Cisco router and enable it. Then follow these steps:

chicagotech831#copy tftp: running-config
Address or name of remote host []? 192.168.10.100
Source filename []? chicagotech831-config
Destination filename [running-config]?
Accessing tftp://192.168.10.100/chicagotech831-config…
Loading 121306-internetok from 192.168.10.100 (via Ethernet1): !
[OK - 2115 bytes]

2115 bytes copied in 10.284 secs (206 bytes/sec)
================================================================

Save cisco router configuration to TFTP
—————————————
1. Run a TFTP program.
2. Telnet to the Cisco router and enable it. Then follow these steps:

chicagotech831#copy running-config tftp:
Address or name of remote host []? 192.168.10.100
Destination filename [chicagotech831-confg]?
!!
2115 bytes copied in 1.512 secs (1399 bytes/sec)
chicagotech831#
==============================================================

Use an FTP server to restore Cisco config
—————————————–
1. Make sure the FTP is running and let you uploag.
2. Telnet to the Cisco router and enable it.
3. Configure the FTP username and password.
CHICAGOTECH831#conf t
CHICAGOTECH831(config)#ip ftp username chicagotech
CHICAGOTECH831(config)#ip ftp password chicagotech
CHICAGOTECH831(config)#end
CHICAGOTECH831#

4. Router#copy ftp: running-config
5. Address or name of remote host [192.168.10.100]?
6. Source filename [CHICAGOTECH831_confg]?
7. Destination filename [running-config]?
8. Accessing ftp:// 192.168.10.100/ CHICAGOTECH831_confg…
9. Loading CHICAGOTECH831_confg!
10. [OK - 1423/4764 bytes] 1425 bytes copied in 13.423 secs (76 bytes/sec)
================================================================

Restore config issue

Situation: the client had a Cisco consultant to setup Outdoor wireless 1310 bridge. After finishing the configuration, the consultant save the config file as word format. When the client tries to restore the config using the word file, he losses the configuration in the ridge. After rebooting it, the bridge shows hostname\par>. He can’t logon using the enable password.

Solution: Turn off the bridge and turn it on while hold esc key. That will restore to the manufacturer default settings. Then restore the config using text format instead of word format.

==============================================================

How to upgrade Cisco IOS for 2900 and 3500 Switch
————————————————
1. Check the Flash memory.

chicagotech#dir flash:

Directory of flash:/

2  drwx         704   Feb 28 1993 18:03:50  html

4  -rwx         109   Feb 28 1993 18:01:57  info

5  -rwx     1751867   Feb 28 1993 18:03:00  c3500XL-c3h2s-mz.120-5.WC3b.bin

16  -rwx         109   Feb 28 1993 18:03:50  info.ver

17  -rwx       94680   Feb 28 1993 18:04:08  c3500XL-hdiag-mz-120.5.2-XU

18  -rwx         355   Dec 31 1969 18:00:08  env_vars

19  -rwx         616   Jan 22 2008 15:21:16  vlan.dat

21  -rwx        2462   Jun 19 1993 18:02:13  config.text

3612672 bytes total (358912 bytes free)

2. Delete the existing image since the file to be loaded is larger than the available capacity.

chicagotech#delete flash:c3500XL-c3h2s-mz.120-5.WC3b.bin

Delete filename [c3500XL-c3h2s-mz.120-5.WC3b.bin]?

Delete flash:c3500XL-c3h2s-mz.120-5.WC3b.bin? [confirm]

3. Delete access to the switch HTML pages.

chicagotech#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

chicagotech(config)#no ip http server

chicagotech(config)#end

chicagotech#delete flash:html/*

Delete filename [html/*]?

Delete flash:html/Snmp? [confirm]

%Error deleting flash:html/Snmp (Is a directory)

Delete flash:html/homepage.htm? [confirm]

Delete flash:html/not_supported.html? [confirm]

Delete flash:html/common.js? [confirm]

Delete flash:html/cms_splash.gif? [confirm]

Delete flash:html/cms_12.html? [confirm]

Delete flash:html/cms_13.html? [confirm]

Delete flash:html/cluster.html? [confirm]

Delete flash:html/CMS.jar? [confirm]

Delete flash:html/CiscoChartPanel.jar? [confirm]

Delete flash:html/Redirect.jar? [confirm]

4. Us etar command to copy the combined .tar file to the switch.

chicagotech#tar /x tftp://10.0.0.11/c3500xl-c3h2s-tar.120-5.WC17.tar flash:

Loading c3500xl-c3h2s-tar.120-5.WC17.tar from 10.0.0.11 (via VLAN1): !

extracting c3500xl-c3h2s-mz.120-5.WC17.bin (1811552 bytes)!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!

html/ (directory)

extracting html/homepage.htm (3988 bytes)!

extracting html/not_supported.html (1392 bytes)

extracting html/common.js (9449 bytes)!!

extracting html/cms_splash.gif (22152 bytes)!!!!

extracting html/cms_13.html (1211 bytes)!

extracting html/cluster.html (2823 bytes)!

extracting html/Redirect.jar (4229 bytes)!

extracting html/c4v4_disc.sgz (9806 bytes)!!

extracting html/CMS.sgz (955595 bytes)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

extracting html/CiscoChartPanel.sgz (58784 bytes)!!!!!!!!!!!!

extracting html/cms_boot.jar (44484 bytes)!!!!!!!!!

extracting info (109 bytes)

extracting info.ver (109 bytes)

[OK - 2938368 bytes]

chicagotech#

5. Use dir flash command to make sure the new image in the Flash.

chicagotech#dir flash:

Directory of flash:/

2  drwx         768   Jan 22 2008 16:12:20  html

4  -rwx         109   Jan 22 2008 16:12:22  info

5  -rwx     1811552   Jan 22 2008 16:11:36  c3500xl-c3h2s-mz.120-5.WC17.bin

16  -rwx         109   Jan 22 2008 16:12:22  info.ver

17  -rwx       94680   Feb 28 1993 18:04:08  c3500XL-hdiag-mz-120.5.2-XU

18  -rwx         355   Dec 31 1969 18:00:08  env_vars

19  -rwx         616   Jan 22 2008 16:12:16  vlan.dat

21  -rwx        2462   Jun 19 1993 18:02:13  config.text

3612672 bytes total (582144 bytes free)

6. Set the boot parameter so that the switch will boots with the new image after reloading.

chicagotech#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

chicagotech(config)#boot system flash:c3500xl-c3h2s-mz.120-5.WC17.bin

7. Re-enable access to the switch HTTP pages.

chicagotech(config)#ip http server

chicagotech(config)#end

8. Reload the new image.

chicagotech#reload

System configuration has been modified. Save? [yes/no]: y

Building configuration…

[OK]

Proceed with reload? [confirm]
===================================================================

test certificate is working using Cisco command
———————————————
The command line is

test aaa gr r username password l.

When using test aaa to test windows IAS, you may receive Event ID 2: Reason-Code = 66. That means the Cisco router is talking to the IAS server, but don’t recognize the non-domain user.

=============================================================

TROUBLESHOOT
—————

Problem: We have a used Cisco 1720 router. No one knows the password. I am trying to recover the password, but I can’t. I press Break on the terminal (windows XP, 2000) keyboard within 60 seconds while turn on the router, but the router still loads the image and asks for the password. I have tried Ctrl+Break, Shift+Break, Shift+F5. I also tried 3 computers. Any suggestions.

A: Try TeraTerm.

Q: Downloaded TeraTerm that helps me to recover the password. These are the steps:

1. Turn on the power while hold Alt+B.
2. Type confreg 0×2142 at the rommon 1>
3. Type reset at the rommon 2>
4. You will have
— System Configuration Dialog —

Would you like to enter the initial configuration dialog? [yes/no]:

5. Type yes to continue and you will see

“Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system”.

Would you like to enter basic management setup? [yes/no]:

6. Type yes to continue and follow the instruction to configure the router.

Related Topic

Password Recovery Procedures [Cisco IOS Software Releases 12.1 Mainline] – This … o Password Recovery Procedure for the Cisco 806, 827, and 837 Routers …
=======================================================

http://www.howtocisco.com/

http://www.chicagotech.net/netforums/

# yum info xmms
# yum install xmms-mp3

http://rpm.pbone.net/index.php3/stat/4/idpl/1703961/com/bmp-0.9.7-0.lvn.3.3.i386.rpm.html

None of RedHat distributions ships with MP3 support because patent issues.

In CentOS 4 you have 3 choices:

a) Use Rhythmbox: in my opinion, I don’t recomended this option. This program crash a lot !. For put MP3 support download and install this RPM:
http://ftp.freshrpms.net/pub/freshrpms/fedora/linux/3/gstreamer-plugins-extra/gstreamer-plugins-extra-audio-0.8.6-2.1.fc3.fr.i386.rpm

You will need other packages like gsm that you found in Dag repository (look b option).

b) Install XMMS and MP3 support, download APT from Dag website, it’s here :
http://dag.wieers.com/packages/apt/apt-0.5.15cnc6-4.2.el4.rf.i386.rpm

After open a terminal and run:
apt-get update
apt-get install xmms xmms-mp3

c) Install Beep Media Player, it’s a XMMS fork written in GTK2. It looks better than XMMS. You find the packages here:
http://newrpms.sunsite.dk/apt/redhat/en/i386/fc3/RPMS.newrpms/bmp-0.9.7-2.rhfc3.nr.i386.rpm
http://newrpms.sunsite.dk/apt/redhat/en/i386/fc3/RPMS.newrpms/bmp-extra-plugins-0.2.2-3.rhfc3.nr.i386.rpm
http://newrpms.sunsite.dk/apt/redhat/en/i386/fc3/RPMS.newrpms/bmp-mp3-0.9.7-2.rhfc3.nr.i386.rpm

=====================================
Most of the libraries that are not in CentOS, are in Dag repository.

For example liblirc is here
http://dag.wieers.com/packages/lirc/lirc-0.6.6-4.2.el4.rf.i386.rpm

You can find more packages here:
http://dag.wieers.com/home-made/apt/packages.php
===============================================

Install the Dag repo into Yum using the instruction found at http://dag.wieers.com/home-made/apt/FAQ.php#B
http://dag.wieers.com/home-made/apt/
http://dag.wieers.com/home-made/apt/FAQ.php#B

http://rpm.greysector.net/yum.html
http://rpm.greysector.net/mplayer/yum.html
http://linux.softpedia.com/get/Multimedia/Video/MPlayer-020.shtml

http://apt.sw.be/redhat/el4/en/i386/RPMS.dag/

2) skip mounting and go to command prompt

3) Run the following command to activate the LVM partition

lvm vgchange -a y

5)You should be able to address the activated LVMs. If you have trouble with their naming, run:

lvm lvscan

6) check the partition

fdisk -l

7) Check and repair each logical volume’s filesystem by running something like this:

fsck -f /dev/VolGroup00/LogVol00

reboot you system